npm - @beignet/core - Versions diffs - 0.0.3 → 0.0.4 - Mend

@beignet/core 0.0.3 → 0.0.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (360) hide show

package/CHANGELOG.md +157 -0
package/README.md +785 -43
package/dist/application/index.d.ts +28 -2
package/dist/application/index.d.ts.map +1 -1
package/dist/application/index.js +140 -12
package/dist/application/index.js.map +1 -1
package/dist/client/client.d.ts +2 -2
package/dist/client/client.d.ts.map +1 -1
package/dist/client/client.js +136 -48
package/dist/client/client.js.map +1 -1
package/dist/client/error-messages.d.ts +14 -0
package/dist/client/error-messages.d.ts.map +1 -0
package/dist/client/error-messages.js +23 -0
package/dist/client/error-messages.js.map +1 -0
package/dist/client/index.d.ts +8 -4
package/dist/client/index.d.ts.map +1 -1
package/dist/client/index.js +6 -2
package/dist/client/index.js.map +1 -1
package/dist/client/types.d.ts +35 -5
package/dist/client/types.d.ts.map +1 -1
package/dist/client-only.d.ts +8 -0
package/dist/client-only.d.ts.map +1 -0
package/dist/client-only.js +8 -0
package/dist/client-only.js.map +1 -0
package/dist/config/index.d.ts +5 -5
package/dist/config/index.d.ts.map +1 -1
package/dist/config/index.js +2 -2
package/dist/config/index.js.map +1 -1
package/dist/contracts/catalog-errors.d.ts +27 -0
package/dist/contracts/catalog-errors.d.ts.map +1 -0
package/dist/contracts/catalog-errors.js +69 -0
package/dist/contracts/catalog-errors.js.map +1 -0
package/dist/contracts/contract-builder.d.ts +15 -12
package/dist/contracts/contract-builder.d.ts.map +1 -1
package/dist/contracts/contract-builder.js +15 -41
package/dist/contracts/contract-builder.js.map +1 -1
package/dist/contracts/contract-group.d.ts +11 -8
package/dist/contracts/contract-group.d.ts.map +1 -1
package/dist/contracts/contract-group.js +13 -40
package/dist/contracts/contract-group.js.map +1 -1
package/dist/contracts/contract-like.d.ts +1 -1
package/dist/contracts/contract-like.d.ts.map +1 -1
package/dist/contracts/index.d.ts +13 -9
package/dist/contracts/index.d.ts.map +1 -1
package/dist/contracts/index.js +9 -5
package/dist/contracts/index.js.map +1 -1
package/dist/contracts/openapi-meta.d.ts +48 -0
package/dist/contracts/openapi-meta.d.ts.map +1 -1
package/dist/contracts/openapi-meta.js +3 -0
package/dist/contracts/openapi-meta.js.map +1 -1
package/dist/contracts/path-template.d.ts +1 -1
package/dist/contracts/path-template.js +2 -2
package/dist/contracts/path-template.js.map +1 -1
package/dist/contracts/schema-shape.d.ts +37 -0
package/dist/contracts/schema-shape.d.ts.map +1 -0
package/dist/contracts/schema-shape.js +61 -0
package/dist/contracts/schema-shape.js.map +1 -0
package/dist/contracts/success-status.d.ts +32 -0
package/dist/contracts/success-status.d.ts.map +1 -0
package/dist/contracts/success-status.js +18 -0
package/dist/contracts/success-status.js.map +1 -0
package/dist/contracts/types.d.ts +25 -5
package/dist/contracts/types.d.ts.map +1 -1
package/dist/contracts/types.js.map +1 -1
package/dist/contracts/utils.d.ts +1 -1
package/dist/contracts/utils.d.ts.map +1 -1
package/dist/contracts/utils.js +1 -1
package/dist/contracts/utils.js.map +1 -1
package/dist/domain/events.d.ts +1 -1
package/dist/domain/events.d.ts.map +1 -1
package/dist/domain/events.js +1 -1
package/dist/domain/events.js.map +1 -1
package/dist/domain/index.d.ts +3 -3
package/dist/domain/index.d.ts.map +1 -1
package/dist/domain/index.js +3 -3
package/dist/domain/index.js.map +1 -1
package/dist/errors/catalog.d.ts +9 -1
package/dist/errors/catalog.d.ts.map +1 -1
package/dist/errors/catalog.js +7 -1
package/dist/errors/catalog.js.map +1 -1
package/dist/errors/http.d.ts +10 -0
package/dist/errors/http.d.ts.map +1 -1
package/dist/errors/http.js +11 -1
package/dist/errors/http.js.map +1 -1
package/dist/errors/index.d.ts +4 -4
package/dist/errors/index.d.ts.map +1 -1
package/dist/errors/index.js +4 -4
package/dist/errors/index.js.map +1 -1
package/dist/errors/response.d.ts +4 -1
package/dist/errors/response.d.ts.map +1 -1
package/dist/errors/response.js.map +1 -1
package/dist/events/index.d.ts +10 -12
package/dist/events/index.d.ts.map +1 -1
package/dist/events/index.js +10 -10
package/dist/events/index.js.map +1 -1
package/dist/idempotency/index.d.ts +5 -3
package/dist/idempotency/index.d.ts.map +1 -1
package/dist/idempotency/index.js.map +1 -1
package/dist/jobs/index.d.ts +12 -14
package/dist/jobs/index.d.ts.map +1 -1
package/dist/jobs/index.js +13 -13
package/dist/jobs/index.js.map +1 -1
package/dist/notifications/index.d.ts +14 -16
package/dist/notifications/index.d.ts.map +1 -1
package/dist/notifications/index.js +14 -14
package/dist/notifications/index.js.map +1 -1
package/dist/openapi/index.d.ts +8 -3
package/dist/openapi/index.d.ts.map +1 -1
package/dist/openapi/index.js +41 -29
package/dist/openapi/index.js.map +1 -1
package/dist/openapi/schema-introspector.d.ts +37 -0
package/dist/openapi/schema-introspector.d.ts.map +1 -1
package/dist/openapi/schema-introspector.js +23 -17
package/dist/openapi/schema-introspector.js.map +1 -1
package/dist/outbox/index.d.ts +15 -6
package/dist/outbox/index.d.ts.map +1 -1
package/dist/outbox/index.js +60 -16
package/dist/outbox/index.js.map +1 -1
package/dist/ports/audit.d.ts +56 -10
package/dist/ports/audit.d.ts.map +1 -1
package/dist/ports/audit.js +71 -3
package/dist/ports/audit.js.map +1 -1
package/dist/ports/auth.d.ts +92 -0
package/dist/ports/auth.d.ts.map +1 -1
package/dist/ports/auth.js +92 -0
package/dist/ports/auth.js.map +1 -1
package/dist/ports/events.d.ts +2 -2
package/dist/ports/events.d.ts.map +1 -1
package/dist/ports/index.d.ts +62 -33
package/dist/ports/index.d.ts.map +1 -1
package/dist/ports/index.js +28 -34
package/dist/ports/index.js.map +1 -1
package/dist/ports/policy.d.ts +32 -3
package/dist/ports/policy.d.ts.map +1 -1
package/dist/ports/policy.js +13 -2
package/dist/ports/policy.js.map +1 -1
package/dist/ports/testing.d.ts +1030 -2
package/dist/ports/testing.d.ts.map +1 -1
package/dist/ports/testing.js +1031 -1
package/dist/ports/testing.js.map +1 -1
package/dist/ports/unbound.d.ts +21 -0
package/dist/ports/unbound.d.ts.map +1 -0
package/dist/ports/unbound.js +57 -0
package/dist/ports/unbound.js.map +1 -0
package/dist/ports/unit-of-work.d.ts +1 -1
package/dist/ports/unit-of-work.d.ts.map +1 -1
package/dist/ports/unit-of-work.js +1 -1
package/dist/ports/unit-of-work.js.map +1 -1
package/dist/providers/index.d.ts +3 -2
package/dist/providers/index.d.ts.map +1 -1
package/dist/providers/index.js +3 -2
package/dist/providers/index.js.map +1 -1
package/dist/providers/instrumentation.d.ts +45 -4
package/dist/providers/instrumentation.d.ts.map +1 -1
package/dist/providers/instrumentation.js +25 -6
package/dist/providers/instrumentation.js.map +1 -1
package/dist/providers/metadata.d.ts +39 -0
package/dist/providers/metadata.d.ts.map +1 -0
package/dist/providers/metadata.js +169 -0
package/dist/providers/metadata.js.map +1 -0
package/dist/providers/provider.d.ts +114 -9
package/dist/providers/provider.d.ts.map +1 -1
package/dist/providers/provider.js +3 -20
package/dist/providers/provider.js.map +1 -1
package/dist/schedules/index.d.ts +94 -13
package/dist/schedules/index.d.ts.map +1 -1
package/dist/schedules/index.js +66 -12
package/dist/schedules/index.js.map +1 -1
package/dist/server/audit-context.d.ts +29 -0
package/dist/server/audit-context.d.ts.map +1 -0
package/dist/server/audit-context.js +44 -0
package/dist/server/audit-context.js.map +1 -0
package/dist/server/context.d.ts +141 -0
package/dist/server/context.d.ts.map +1 -0
package/dist/server/context.js +39 -0
package/dist/server/context.js.map +1 -0
package/dist/server/contract-like.d.ts +1 -1
package/dist/server/contract-like.d.ts.map +1 -1
package/dist/server/contract-like.js +1 -1
package/dist/server/contract-like.js.map +1 -1
package/dist/server/health.d.ts +2 -2
package/dist/server/health.d.ts.map +1 -1
package/dist/server/hooks/auth.d.ts +49 -10
package/dist/server/hooks/auth.d.ts.map +1 -1
package/dist/server/hooks/auth.js +77 -37
package/dist/server/hooks/auth.js.map +1 -1
package/dist/server/hooks/cors.d.ts +1 -1
package/dist/server/hooks/cors.d.ts.map +1 -1
package/dist/server/hooks/errors.d.ts +2 -2
package/dist/server/hooks/errors.d.ts.map +1 -1
package/dist/server/hooks/errors.js +2 -2
package/dist/server/hooks/errors.js.map +1 -1
package/dist/server/hooks/idempotency.d.ts +78 -0
package/dist/server/hooks/idempotency.d.ts.map +1 -0
package/dist/server/hooks/idempotency.js +154 -0
package/dist/server/hooks/idempotency.js.map +1 -0
package/dist/server/hooks/index.d.ts +8 -7
package/dist/server/hooks/index.d.ts.map +1 -1
package/dist/server/hooks/index.js +6 -5
package/dist/server/hooks/index.js.map +1 -1
package/dist/server/hooks/logging.d.ts +2 -2
package/dist/server/hooks/logging.d.ts.map +1 -1
package/dist/server/hooks/logging.js +1 -1
package/dist/server/hooks/logging.js.map +1 -1
package/dist/server/hooks/rate-limit.d.ts +25 -7
package/dist/server/hooks/rate-limit.d.ts.map +1 -1
package/dist/server/hooks/rate-limit.js +47 -12
package/dist/server/hooks/rate-limit.js.map +1 -1
package/dist/server/hooks.d.ts +1 -1
package/dist/server/hooks.d.ts.map +1 -1
package/dist/server/hooks.js +1 -1
package/dist/server/hooks.js.map +1 -1
package/dist/server/http.d.ts +61 -35
package/dist/server/http.d.ts.map +1 -1
package/dist/server/http.js +1 -20
package/dist/server/http.js.map +1 -1
package/dist/server/index.d.ts +36 -12
package/dist/server/index.d.ts.map +1 -1
package/dist/server/index.js +24 -8
package/dist/server/index.js.map +1 -1
package/dist/server/instrumentation.d.ts +108 -0
package/dist/server/instrumentation.d.ts.map +1 -0
package/dist/server/instrumentation.js +297 -0
package/dist/server/instrumentation.js.map +1 -0
package/dist/server/openapi.d.ts +3 -3
package/dist/server/openapi.d.ts.map +1 -1
package/dist/server/openapi.js +1 -1
package/dist/server/openapi.js.map +1 -1
package/dist/server/providers/index.d.ts +3 -3
package/dist/server/providers/index.d.ts.map +1 -1
package/dist/server/providers/index.js +3 -3
package/dist/server/providers/index.js.map +1 -1
package/dist/server/providers/loadProviderConfig.d.ts +2 -2
package/dist/server/providers/loadProviderConfig.d.ts.map +1 -1
package/dist/server/providers/loadProviderConfig.js +2 -2
package/dist/server/providers/loadProviderConfig.js.map +1 -1
package/dist/server/request-context.d.ts +67 -0
package/dist/server/request-context.d.ts.map +1 -0
package/dist/server/request-context.js +79 -0
package/dist/server/request-context.js.map +1 -0
package/dist/server/server-context.d.ts +38 -0
package/dist/server/server-context.d.ts.map +1 -0
package/dist/server/server-context.js +38 -0
package/dist/server/server-context.js.map +1 -0
package/dist/server/server.d.ts +105 -33
package/dist/server/server.d.ts.map +1 -1
package/dist/server/server.js +434 -118
package/dist/server/server.js.map +1 -1
package/dist/server/types.d.ts +2 -2
package/dist/server/types.d.ts.map +1 -1
package/dist/server/types.js +2 -2
package/dist/server/types.js.map +1 -1
package/dist/server/use-case-route.d.ts +263 -0
package/dist/server/use-case-route.d.ts.map +1 -0
package/dist/server/use-case-route.js +77 -0
package/dist/server/use-case-route.js.map +1 -0
package/dist/server-only.d.ts +8 -0
package/dist/server-only.d.ts.map +1 -0
package/dist/server-only.js +8 -0
package/dist/server-only.js.map +1 -0
package/dist/tasks/index.d.ts +139 -0
package/dist/tasks/index.d.ts.map +1 -0
package/dist/tasks/index.js +98 -0
package/dist/tasks/index.js.map +1 -0
package/dist/testing/index.d.ts +607 -5
package/dist/testing/index.d.ts.map +1 -1
package/dist/testing/index.js +426 -4
package/dist/testing/index.js.map +1 -1
package/dist/tracing/index.d.ts +89 -0
package/dist/tracing/index.d.ts.map +1 -0
package/dist/tracing/index.js +101 -0
package/dist/tracing/index.js.map +1 -0
package/dist/uploads/client.d.ts +1 -1
package/dist/uploads/client.d.ts.map +1 -1
package/dist/uploads/index.d.ts +2 -2
package/dist/uploads/index.d.ts.map +1 -1
package/dist/uploads/index.js +1 -1
package/dist/uploads/index.js.map +1 -1
package/package.json +24 -2
package/src/application/index.ts +193 -10
package/src/client/client.ts +148 -150
package/src/client/error-messages.ts +35 -0
package/src/client/index.ts +12 -4
package/src/client/types.ts +44 -5
package/src/client-only.ts +7 -0
package/src/config/index.ts +6 -6
package/src/contracts/catalog-errors.ts +115 -0
package/src/contracts/contract-builder.ts +39 -76
package/src/contracts/contract-group.ts +33 -68
package/src/contracts/contract-like.ts +1 -1
package/src/contracts/index.ts +24 -11
package/src/contracts/openapi-meta.ts +55 -0
package/src/contracts/path-template.ts +2 -2
package/src/contracts/schema-shape.ts +75 -0
package/src/contracts/success-status.ts +68 -0
package/src/contracts/types.ts +32 -5
package/src/contracts/utils.ts +5 -2
package/src/domain/events.ts +6 -2
package/src/domain/index.ts +3 -3
package/src/errors/catalog.ts +9 -1
package/src/errors/http.ts +11 -1
package/src/errors/index.ts +4 -4
package/src/errors/response.ts +4 -1
package/src/events/index.ts +12 -26
package/src/idempotency/index.ts +5 -3
package/src/jobs/index.ts +14 -24
package/src/notifications/index.ts +17 -27
package/src/openapi/index.ts +73 -38
package/src/openapi/schema-introspector.ts +68 -17
package/src/outbox/index.ts +84 -19
package/src/ports/audit.ts +120 -11
package/src/ports/auth.ts +132 -0
package/src/ports/events.ts +2 -2
package/src/ports/index.ts +104 -35
package/src/ports/policy.ts +50 -3
package/src/ports/testing.ts +2220 -33
package/src/ports/unbound.ts +64 -0
package/src/ports/unit-of-work.ts +6 -2
package/src/providers/index.ts +16 -3
package/src/providers/instrumentation.ts +86 -7
package/src/providers/metadata.ts +234 -0
package/src/providers/provider.ts +168 -9
package/src/schedules/index.ts +173 -23
package/src/server/audit-context.ts +45 -0
package/src/server/context.ts +224 -0
package/src/server/contract-like.ts +1 -1
package/src/server/health.ts +2 -2
package/src/server/hooks/auth.ts +141 -51
package/src/server/hooks/cors.ts +1 -1
package/src/server/hooks/errors.ts +7 -4
package/src/server/hooks/idempotency.ts +263 -0
package/src/server/hooks/index.ts +14 -7
package/src/server/hooks/logging.ts +3 -3
package/src/server/hooks/rate-limit.ts +85 -17
package/src/server/hooks.ts +1 -1
package/src/server/http.ts +78 -51
package/src/server/index.ts +62 -12
package/src/server/instrumentation.ts +470 -0
package/src/server/openapi.ts +4 -4
package/src/server/providers/index.ts +6 -3
package/src/server/providers/loadProviderConfig.ts +4 -4
package/src/server/request-context.ts +116 -0
package/src/server/server-context.ts +44 -0
package/src/server/server.ts +886 -238
package/src/server/types.ts +2 -2
package/src/server/use-case-route.ts +430 -0
package/src/server-only.ts +7 -0
package/src/tasks/index.ts +275 -0
package/src/testing/index.ts +1142 -6
package/src/tracing/index.ts +176 -0
package/src/uploads/client.ts +1 -1
package/src/uploads/index.ts +7 -3
package/dist/ports/mailer.d.ts +0 -6
package/dist/ports/mailer.d.ts.map +0 -1
package/dist/ports/mailer.js +0 -2
package/dist/ports/mailer.js.map +0 -1
package/dist/ports/schedules.d.ts +0 -9
package/dist/ports/schedules.d.ts.map +0 -1
package/dist/ports/schedules.js +0 -2
package/dist/ports/schedules.js.map +0 -1

package/src/server/context.ts ADDED Viewed

@@ -0,0 +1,224 @@
+import type { HttpContractConfig } from "../contracts/index.js";
+import type {
+  AnyPorts,
+  BoundGate,
+  GatePort,
+  PolicyDefinition,
+} from "../ports/index.js";
+import type { TraceContext } from "../tracing/index.js";
+import type { HttpRequestLike, MaybePromise } from "./http.js";
+/**
+ * Arguments passed to the `context.request` factory after a route is matched.
+ */
+export type RequestContextArgs<Ports extends AnyPorts = AnyPorts> = {
+  /**
+   * Framework-neutral request.
+   */
+  req: HttpRequestLike;
+  /**
+   * Final app ports, including ports contributed by providers.
+   */
+  ports: Ports;
+  /**
+   * Matched contract, when the request resolved to a registered route.
+   */
+  contract?: HttpContractConfig;
+  /**
+   * Request correlation ID resolved by the server from the configured request
+   * ID header, or generated when the request did not send one.
+   */
+  requestId: string;
+  /**
+   * W3C trace context resolved by the server from the incoming `traceparent`
+   * header, or generated when the request did not send one. Spread this into
+   * the context (`...trace`) to correlate downstream activity.
+   */
+  trace: TraceContext;
+};
+/**
+ * Arguments passed to the `context.service` factory.
+ */
+export type ServiceContextArgs<
+  Ports extends AnyPorts = AnyPorts,
+  ServiceInput = void,
+> = {
+  /**
+   * Final app ports, including ports contributed by providers.
+   */
+  ports: Ports;
+  /**
+   * Caller-provided input such as the service actor or tenant.
+   */
+  input: ServiceInput;
+  /**
+   * Fresh correlation ID generated for this service context.
+   */
+  requestId: string;
+  /**
+   * Fresh W3C trace context generated for this service context. Spread this
+   * into the context (`...trace`) to correlate downstream activity.
+   */
+  trace: TraceContext;
+};
+/**
+ * App context without its `gate` property.
+ *
+ * Context factories return seeds; the server attaches the gate declared by
+ * the blueprint's `gate` selector, so hand-binding `gate` in a factory is a
+ * type error.
+ */
+export type ContextSeed<Ctx> = Omit<Ctx, "gate"> & { gate?: never };
+type ContextGateOption<Ctx, Ports extends AnyPorts> = [Ctx] extends [
+  { gate: BoundGate<infer TPolicies extends readonly PolicyDefinition[]> },
+]
+  ? {
+      /**
+       * Select the gate port the server attaches to every context it builds.
+       */
+      gate: (ports: Ports) => GatePort<ContextSeed<Ctx>, TPolicies>;
+    }
+  : {
+      /**
+       * Gate selection is only available when the context type declares a
+       * `gate` property.
+       */
+      gate?: never;
+    };
+/**
+ * Context blueprint accepted by `createServer(...)`.
+ *
+ * The server owns context assembly: `request` and `service` return context
+ * seeds, and the server attaches the gate declared by `gate` so identity
+ * changes can never authorize against a stale context.
+ */
+export type ServerContextOptions<
+  Ctx,
+  Ports extends AnyPorts = AnyPorts,
+  ServiceInput = void,
+> = {
+  /**
+   * Build the per-request context seed.
+   */
+  request: (args: RequestContextArgs<Ports>) => MaybePromise<ContextSeed<Ctx>>;
+  /**
+   * Build a service context seed for schedules, outbox drains, tasks, and
+   * background work. Required before `server.createServiceContext(...)` can
+   * be called.
+   */
+  service?: (
+    args: ServiceContextArgs<Ports, ServiceInput>,
+  ) => MaybePromise<ContextSeed<Ctx>>;
+} & ContextGateOption<Ctx, Ports>;
+/**
+ * Context configuration accepted by `createServer(...)`.
+ *
+ * Contexts without a `gate` property may use the plain request-factory
+ * shorthand. Contexts with a `gate` must use the blueprint form so the server
+ * owns gate attachment.
+ */
+export type ServerContextConfig<
+  Ctx,
+  Ports extends AnyPorts = AnyPorts,
+  ServiceInput = void,
+> = [Ctx] extends [{ gate: unknown }]
+  ? ServerContextOptions<Ctx, Ports, ServiceInput>
+  :
+      | ((args: RequestContextArgs<Ports>) => MaybePromise<Ctx>)
+      | ServerContextOptions<Ctx, Ports, ServiceInput>;
+/**
+ * Argument tuple for `createServiceContext(...)`.
+ *
+ * Servers without a declared service input are callable with no arguments;
+ * optional inputs stay optional at the call site.
+ */
+export type ServiceContextInputArgs<ServiceInput> = [ServiceInput] extends [
+  // biome-ignore lint/suspicious/noConfusingVoidType: void marks "no declared service input" here
+  void,
+]
+  ? []
+  : undefined extends ServiceInput
+    ? [input?: ServiceInput]
+    : [input: ServiceInput];
+type AnyGateSelector<Ports extends AnyPorts> = (
+  ports: Ports,
+) => Pick<GatePort<unknown>, "attach">;
+/**
+ * Normalized runtime view of a server context configuration.
+ */
+export type ResolvedServerContext<Ctx, Ports extends AnyPorts, ServiceInput> = {
+  request: (
+    args: RequestContextArgs<Ports>,
+  ) => MaybePromise<ContextSeed<Ctx> | Ctx>;
+  service?: (
+    args: ServiceContextArgs<Ports, ServiceInput>,
+  ) => MaybePromise<ContextSeed<Ctx>>;
+  gate?: AnyGateSelector<Ports>;
+};
+/**
+ * Normalize a server context configuration into its runtime parts.
+ */
+export function resolveServerContext<Ctx, Ports extends AnyPorts, ServiceInput>(
+  config: ServerContextConfig<Ctx, Ports, ServiceInput>,
+): ResolvedServerContext<Ctx, Ports, ServiceInput> {
+  const value = config as
+    | ((args: RequestContextArgs<Ports>) => MaybePromise<Ctx>)
+    | (ResolvedServerContext<Ctx, Ports, ServiceInput> & {
+        gate?: AnyGateSelector<Ports>;
+      });
+  if (typeof value === "function") {
+    return { request: value };
+  }
+  return {
+    request: value.request,
+    service: value.service,
+    gate: value.gate,
+  };
+}
+/**
+ * Create the context finalizer for a resolved server context.
+ *
+ * When the blueprint declares a gate, the finalizer strips hand-assigned
+ * `gate` values from seeds and attaches the live gate. Without a gate
+ * declaration the seed is the context.
+ */
+export function createContextFinalizer<
+  Ctx,
+  Ports extends AnyPorts,
+  ServiceInput,
+>(
+  resolved: ResolvedServerContext<Ctx, Ports, ServiceInput>,
+  getPorts: () => Ports,
+): (seed: ContextSeed<Ctx> | Ctx) => Ctx {
+  const gateSelector = resolved.gate;
+  if (!gateSelector) {
+    return (seed) => seed as Ctx;
+  }
+  return (seed) => {
+    const target = seed as object;
+    const existing = Object.getOwnPropertyDescriptor(target, "gate");
+    if (existing && existing.get === undefined) {
+      if (process.env.NODE_ENV !== "production") {
+        console.warn(
+          "[beignet] Ignoring a hand-assigned ctx.gate value. The server context blueprint owns gate attachment; remove `gate` from context factories and hook additions.",
+        );
+      }
+      delete (target as { gate?: unknown }).gate;
+    }
+    return gateSelector(getPorts()).attach(target) as Ctx;
+  };
+}

package/src/server/contract-like.ts CHANGED Viewed

@@ -5,4 +5,4 @@ export {
   type ContractLike,
   type ResolveContract,
   resolveContract,
-} from "../contracts";
+} from "../contracts/index.js";

package/src/server/health.ts CHANGED Viewed

@@ -3,8 +3,8 @@
  * Health check handler for Beignet server adapters.
  */
-import type { AnyPorts } from "../ports";
-import type { HttpRequestLike, HttpResponseLike } from "./types";
+import type { AnyPorts } from "../ports/index.js";
+import type { HttpRequestLike, HttpResponseLike } from "./types.js";
 /**
  * Health check result returned by health handlers.

package/src/server/hooks/auth.ts CHANGED Viewed

@@ -1,12 +1,16 @@
-import { AuthUnauthorizedError } from "../../ports";
-import type { HttpRequestLike, RouteHook } from "../types";
+import type { InferOutput, StandardSchema } from "../../contracts/index.js";
+import { AuthUnauthorizedError } from "../../ports/index.js";
+import type { HttpRequestLike, RouteHook } from "../types.js";
 type MaybePromise<T> = T | Promise<T>;
 /**
  * Arguments passed to auth route-hook callbacks.
  */
-export type AuthHookArgs<Ctx> = {
+export type AuthHookArgs<
+  Ctx,
+  HeadersSchema extends StandardSchema | undefined = undefined,
+> = {
   /**
    * Framework-neutral request.
    */
@@ -30,9 +34,16 @@ export type AuthHookArgs<Ctx> = {
    */
   query: unknown;
   /**
-   * Parsed request headers.
+   * Hook-owned request headers.
+   *
+   * When the auth hooks declare a `headers` schema, this is that schema's
+   * output parsed from the raw lowercase request header record. Without a
+   * schema it is the raw lowercase header record itself, so auth resolution
+   * never depends on each route's contract header schema.
    */
-  headers: unknown;
+  headers: HeadersSchema extends StandardSchema
+    ? InferOutput<HeadersSchema>
+    : Record<string, string>;
   /**
    * Parsed request body.
    */
@@ -41,25 +52,44 @@ export type AuthHookArgs<Ctx> = {
 /**
  * Options for route-scoped auth hooks.
+ *
+ * Auth additions must not include `gate`: the server re-attaches the gate
+ * declared by the context blueprint after every hook, so elevated identities
+ * are authorized against the updated context automatically.
  */
-export type AuthHooksOptions<Ctx, AddedCtx extends object> = {
+export type AuthHooksOptions<
+  Ctx,
+  AddedCtx extends object & { gate?: never },
+  HeadersSchema extends StandardSchema | undefined = undefined,
+> = {
   /**
    * Hook name prefix used in diagnostics.
    */
   name?: string;
+  /**
+   * Optional Standard Schema for the credential headers this hook reads.
+   *
+   * The schema is validated against the raw lowercase request header record
+   * before `resolve` runs. On `required()` hooks a schema failure rejects the
+   * request with a framework-owned 401; on `optional()` hooks a schema failure
+   * skips auth resolution; `public()` hooks never parse headers.
+   */
+  headers?: HeadersSchema;
   /**
    * Resolve authenticated context additions for the current request.
    *
    * Return `null` when the request is unauthenticated. Required hooks will
    * reject that request; optional hooks will add no auth context.
    */
-  resolve: (args: AuthHookArgs<Ctx>) => MaybePromise<AddedCtx | null>;
+  resolve: (
+    args: AuthHookArgs<Ctx, HeadersSchema>,
+  ) => MaybePromise<AddedCtx | null>;
 };
 /**
  * Route-scoped auth hook set.
  */
-export type AuthRouteHooks<Ctx, AddedCtx extends object> = {
+export type AuthRouteHooks<Ctx, AddedCtx extends object & { gate?: never }> = {
   /**
    * Mark a route as intentionally public.
    */
@@ -74,59 +104,119 @@ export type AuthRouteHooks<Ctx, AddedCtx extends object> = {
   required: () => RouteHook<Ctx, AddedCtx>;
 };
-function toAuthArgs<Ctx>(
-  args: Parameters<RouteHook<Ctx, object>["resolve"]>[0],
-): AuthHookArgs<Ctx> {
-  return {
-    req: args.req,
-    ctx: args.ctx,
-    contract: args.contract,
-    path: args.path,
-    query: args.query,
-    headers: args.headers,
-    body: args.body,
-  };
+function rawRequestHeaders(req: HttpRequestLike): Record<string, string> {
+  const record: Record<string, string> = {};
+  req.headers.forEach((value, key) => {
+    record[key.toLowerCase()] = value;
+  });
+  return record;
+}
+type ParsedAuthHeaders = { ok: true; headers: unknown } | { ok: false };
+async function parseAuthHeaders(
+  schema: StandardSchema | undefined,
+  req: HttpRequestLike,
+): Promise<ParsedAuthHeaders> {
+  const raw = rawRequestHeaders(req);
+  if (!schema) {
+    return { ok: true, headers: raw };
+  }
+  const result = await schema["~standard"].validate(raw);
+  if (result.issues) {
+    return { ok: false };
+  }
+  return { ok: true, headers: result.value };
 }
 /**
  * Create route-scoped authentication hooks.
  *
+ * The outer call binds the app context; the inner call takes auth options and
+ * infers the added context from `resolve`:
+ *
+ * ```ts
+ * const auth = createAuthHooks<AppContext>()({
+ *   resolve: ({ ctx }) => (ctx.auth ? { user: ctx.auth.user } : null),
+ * });
+ * ```
+ *
  * Use `auth.required()` on routes that require an authenticated actor and
  * `auth.optional()` where handlers can use auth when present. The returned
  * route hooks enrich handler `ctx`; business authorization still belongs in
  * feature policies or use cases.
  *
- * @param options - Auth resolution callback and optional diagnostic name.
- * @returns Public, optional, and required route-hook factories.
+ * Declare a `headers` schema when credentials live in request headers. The
+ * hook validates the raw lowercase header record itself, so `resolve` receives
+ * typed headers without contract casts and a `required()` hook rejects
+ * missing or malformed credentials with a framework-owned 401.
+ *
+ * @returns A function that takes auth options and returns public, optional,
+ * and required route-hook factories.
  */
-export function createAuthHooks<Ctx, AddedCtx extends object>(
-  options: AuthHooksOptions<Ctx, AddedCtx>,
-): AuthRouteHooks<Ctx, AddedCtx> {
-  const name = options.name ?? "auth";
-  return {
-    public: () => ({
-      name: `${name}.public`,
-      resolve: () => undefined,
-    }),
-    optional: () => ({
-      name: `${name}.optional`,
-      resolve: async (args) => {
-        const additions = await options.resolve(toAuthArgs(args));
-        return additions ?? undefined;
-      },
-    }),
-    required: () => ({
-      name: `${name}.required`,
-      resolve: async (args) => {
-        const additions = await options.resolve(toAuthArgs(args));
-        if (!additions) {
-          throw new AuthUnauthorizedError();
-        }
-        return additions;
-      },
-    }),
+export function createAuthHooks<Ctx>() {
+  return <
+    AddedCtx extends object & { gate?: never },
+    HeadersSchema extends StandardSchema | undefined = undefined,
+  >(
+    options: AuthHooksOptions<Ctx, AddedCtx, HeadersSchema>,
+  ): AuthRouteHooks<Ctx, AddedCtx> => {
+    const name = options.name ?? "auth";
+    const toAuthArgs = (
+      args: Parameters<RouteHook<Ctx, object>["resolve"]>[0],
+      headers: unknown,
+    ): AuthHookArgs<Ctx, HeadersSchema> =>
+      ({
+        req: args.req,
+        ctx: args.ctx,
+        contract: args.contract,
+        path: args.path,
+        query: args.query,
+        headers,
+        body: args.body,
+      }) as AuthHookArgs<Ctx, HeadersSchema>;
+    return {
+      public: () => ({
+        name: `${name}.public`,
+        resolve: () => undefined,
+      }),
+      optional: () => ({
+        name: `${name}.optional`,
+        resolve: async (args) => {
+          const parsed = await parseAuthHeaders(options.headers, args.req);
+          if (!parsed.ok) {
+            return undefined;
+          }
+          const additions = await options.resolve(
+            toAuthArgs(args, parsed.headers),
+          );
+          return additions ?? undefined;
+        },
+      }),
+      required: () => ({
+        name: `${name}.required`,
+        resolve: async (args) => {
+          const parsed = await parseAuthHeaders(options.headers, args.req);
+          if (!parsed.ok) {
+            throw new AuthUnauthorizedError();
+          }
+          const additions = await options.resolve(
+            toAuthArgs(args, parsed.headers),
+          );
+          if (!additions) {
+            throw new AuthUnauthorizedError();
+          }
+          return additions;
+        },
+      }),
+    };
   };
 }

package/src/server/hooks/cors.ts CHANGED Viewed

@@ -2,7 +2,7 @@
  * CORS hook utilities for @beignet/core/server
  */
-import type { HttpRequestLike, ServerHook } from "../types";
+import type { HttpRequestLike, ServerHook } from "../types.js";
 /**
  * CORS configuration for `createCorsHooks(...)`.

package/src/server/hooks/errors.ts CHANGED Viewed

@@ -2,14 +2,17 @@
  * Framework-agnostic error mapping utilities for @beignet/core/server
  */
-import { createErrorResponseBody, type ErrorResponseBody } from "../../errors";
-import type { AppEnvironment } from "../health";
-import { getRequestIdFromContext } from "./utils";
+import {
+  createErrorResponseBody,
+  type ErrorResponseBody,
+} from "../../errors/index.js";
+import type { AppEnvironment } from "../health.js";
+import { getRequestIdFromContext } from "./utils.js";
 /**
  * Re-export `AppEnvironment` for convenience.
  */
-export type { AppEnvironment } from "../health";
+export type { AppEnvironment } from "../health.js";
 /**
  * Framework-neutral response produced by an error mapper.