@c15t/backend 2.0.0-rc.4 → 2.0.0-rc.5

package/src/db/tenant-scope.ts

@@ -1,103 +0,0 @@
-import type { InferFumaDB } from 'fumadb';
-import type { LatestDB } from './schema';
-
-type ORM = ReturnType<InferFumaDB<typeof LatestDB>['orm']>;
-
-const SCOPED_METHODS = new Set([
-	'create',
-	'createMany',
-	'findFirst',
-	'findMany',
-	'count',
-	'updateMany',
-	'deleteMany',
-	'upsert',
-	'transaction',
-]);
-
-/**
- * Wraps a FumaDB ORM instance to automatically scope all queries to a specific tenant.
- *
- * Uses a Proxy so that any ORM method not explicitly handled will throw,
- * preventing future methods from silently bypassing tenant scoping.
- *
- * - `create`/`createMany`: Injects `tenantId` into the data
- * - `findFirst`/`findMany`/`count`: Adds `tenantId` filter to the `where` clause
- * - `updateMany`/`deleteMany`: Adds `tenantId` filter to the `where` clause
- * - `upsert`: Adds `tenantId` filter to the `where` clause and injects into create data
- * - `transaction`: Returns a tenant-scoped transaction
- *
- * When `tenantId` is not set, this function should not be called — the raw ORM is used directly.
- */
-export function withTenantScope(db: ORM, tenantId: string): ORM {
-	const scopeWhere = (originalWhere: ((b: any) => any) | undefined, b: any) => {
-		const tenantFilter = b('tenantId', '=', tenantId);
-		return originalWhere ? b.and(originalWhere(b), tenantFilter) : tenantFilter;
-	};
-
-	const scopedMethods: Record<string, (...args: any[]) => any> = {
-		create: (table: any, data: any) => db.create(table, { ...data, tenantId }),
-
-		createMany: (table: any, items: any[]) =>
-			db.createMany(
-				table,
-				items.map((d: any) => ({ ...d, tenantId }))
-			),
-
-		findFirst: (table: any, opts: any) =>
-			db.findFirst(table, {
-				...opts,
-				where: (b: any) => scopeWhere(opts?.where, b),
-			}),
-
-		findMany: (table: any, opts?: any) =>
-			db.findMany(table, {
-				...opts,
-				where: (b: any) => scopeWhere(opts?.where, b),
-			}),
-
-		count: (table: any, opts?: any) =>
-			db.count(table, {
-				...opts,
-				where: (b: any) => scopeWhere(opts?.where, b),
-			}),
-
-		updateMany: (table: any, opts: any) =>
-			db.updateMany(table, {
-				...opts,
-				where: (b: any) => scopeWhere(opts?.where, b),
-			}),
-
-		deleteMany: (table: any, opts: any) =>
-			db.deleteMany(table, {
-				...opts,
-				where: (b: any) => scopeWhere(opts?.where, b),
-			}),
-
-		upsert: (table: any, opts: any) =>
-			db.upsert(table, {
-				...opts,
-				where: (b: any) => scopeWhere(opts?.where, b),
-				create: { ...opts.create, tenantId },
-			}),
-
-		transaction: (fn: any) =>
-			db.transaction((tx: any) => fn(withTenantScope(tx, tenantId))),
-	};
-
-	return new Proxy(db, {
-		get(_target, prop, _receiver) {
-			if (typeof prop === 'string' && SCOPED_METHODS.has(prop)) {
-				return scopedMethods[prop];
-			}
-			// Allow symbol access (e.g. Symbol.toStringTag) and standard object props
-			if (typeof prop === 'symbol') {
-				return Reflect.get(db, prop);
-			}
-			throw new Error(
-				`withTenantScope: method "${prop}" is not tenant-scoped. ` +
-					'Add an explicit scoped wrapper before using it.'
-			);
-		},
-	}) as ORM;
-}

package/src/define-config.ts

@@ -1,19 +0,0 @@
-import type { C15TOptions } from './types';
-
-/**
- * c15t backend config accepted by `defineConfig`.
- *
- * Keep this as an intersection with `C15TOptions` (instead of `Omit`) so
- * TypeScript preserves property-level JSDoc in editor completions.
- */
-export type C15TConfig = C15TOptions & {
-	/**
-	 * Logger config is managed internally and is not supported via config files.
-	 */
-	logger?: never;
-};
-
-/**
- * Helper for typed backend configuration in `c15t-backend.config.ts`.
- */
-export const defineConfig = (config: C15TConfig) => config;

package/src/handlers/consent/check.handler.ts

@@ -1,126 +0,0 @@
-/**
- * GET /consents/check handler - Pre-banner cross-device consent check.
- *
- * @packageDocumentation
- */
-
-import type { Context } from 'hono';
-import { HTTPException } from 'hono/http-exception';
-import type { C15TContext } from '~/types';
-import { extractErrorMessage } from '~/utils/extract-error-message';
-import { getMetrics } from '~/utils/metrics';
-import { resolveConsentPolicies } from '../utils/consent-enrichment';
-
-/**
- * Handles checking if an externalId has consented to specific policies.
- *
- * Use this endpoint BEFORE showing consent banners to check if the user
- * has already consented on another device.
- *
- * Returns minimal data (just booleans) for privacy - no subject IDs,
- * no consent details, no PII.
- */
-export const checkConsentHandler = async (c: Context) => {
-	const ctx = c.get('c15tContext') as C15TContext;
-	const logger = ctx.logger;
-	logger.info('Handling GET /consents/check request');
-
-	const { db, registry } = ctx;
-
-	const externalId = c.req.query('externalId');
-	const type = c.req.query('type');
-
-	if (!externalId) {
-		throw new HTTPException(422, {
-			message: 'externalId query parameter is required',
-			cause: { code: 'EXTERNAL_ID_REQUIRED' },
-		});
-	}
-
-	if (!type) {
-		throw new HTTPException(422, {
-			message: 'type query parameter is required',
-			cause: { code: 'TYPE_REQUIRED' },
-		});
-	}
-
-	const types = type.split(',').map((t) => t.trim());
-
-	logger.debug('Request parameters', { externalId, types });
-
-	try {
-		// Find all subjects with this externalId
-		const subjects = await db.findMany('subject', {
-			where: (b) => b('externalId', '=', externalId),
-		});
-
-		const subjectIds = subjects.map((s) => s.id);
-
-		// Initialize results
-		const results: Record<
-			string,
-			{ hasConsent: boolean; isLatestPolicy: boolean }
-		> = {};
-		for (const t of types) {
-			results[t] = { hasConsent: false, isLatestPolicy: false };
-		}
-
-		// If no subjects found, return all false
-		if (subjectIds.length === 0) {
-			logger.debug('No subjects found for externalId', { externalId });
-			return c.json({ results });
-		}
-
-		// Get all consents for these subjects
-		const allConsents = await Promise.all(
-			subjectIds.map((subjectId) =>
-				db.findMany('consent', {
-					where: (b) => b('subjectId', '=', subjectId),
-				})
-			)
-		);
-
-		const consents = allConsents.flat();
-
-		const policyInfos = await resolveConsentPolicies(consents, {
-			db,
-			registry,
-		});
-		for (const info of policyInfos) {
-			if (!types.includes(info.policyType)) continue;
-			const entry = results[info.policyType];
-			if (entry) {
-				entry.hasConsent = true;
-				if (info.isLatestPolicy) {
-					entry.isLatestPolicy = true;
-				}
-			}
-		}
-
-		logger.debug('Consent check results', { externalId, results });
-
-		// Record consent check metrics
-		const metrics = getMetrics();
-		if (metrics) {
-			for (const [type, result] of Object.entries(results)) {
-				metrics.recordConsentCheck(type, result.hasConsent);
-			}
-		}
-
-		return c.json({ results });
-	} catch (error) {
-		logger.error('Error in GET /consents/check handler', {
-			error: extractErrorMessage(error),
-			errorType: error instanceof Error ? error.constructor.name : typeof error,
-		});
-
-		if (error instanceof HTTPException) {
-			throw error;
-		}
-
-		throw new HTTPException(500, {
-			message: 'Internal server error',
-			cause: { code: 'INTERNAL_SERVER_ERROR' },
-		});
-	}
-};

package/src/handlers/init/geo.test.ts

@@ -1,317 +0,0 @@
-import { describe, expect, it } from 'vitest';
-import { checkJurisdiction } from './geo';
-
-describe('checkJurisdiction', () => {
-	describe('GDPR jurisdiction (EU countries)', () => {
-		const euCountries = [
-			'AT',
-			'BE',
-			'BG',
-			'HR',
-			'CY',
-			'CZ',
-			'DK',
-			'EE',
-			'FI',
-			'FR',
-			'DE',
-			'GR',
-			'HU',
-			'IE',
-			'IT',
-			'LV',
-			'LT',
-			'LU',
-			'MT',
-			'NL',
-			'PL',
-			'PT',
-			'RO',
-			'SK',
-			'SI',
-			'ES',
-			'SE',
-		];
-
-		it.each(
-			euCountries
-		)('should identify %s as GDPR jurisdiction', (countryCode) => {
-			const jurisdiction = checkJurisdiction(countryCode);
-
-			expect(jurisdiction).toBe('GDPR');
-		});
-	});
-
-	describe('GDPR jurisdiction (EEA countries)', () => {
-		const eeaCountries = ['IS', 'NO', 'LI'];
-
-		it.each(
-			eeaCountries
-		)('should identify %s as GDPR jurisdiction', (countryCode) => {
-			const jurisdiction = checkJurisdiction(countryCode);
-
-			expect(jurisdiction).toBe('GDPR');
-		});
-	});
-
-	describe('GDPR jurisdiction (UK)', () => {
-		it('should identify GB as GDPR jurisdiction', () => {
-			const jurisdiction = checkJurisdiction('GB');
-
-			expect(jurisdiction).toBe('UK_GDPR');
-		});
-	});
-
-	describe('Other specific jurisdictions', () => {
-		const jurisdictionCases = [
-			{ country: 'CH', code: 'CH' },
-			{ country: 'BR', code: 'BR' },
-			{ country: 'CA', code: 'PIPEDA' },
-			{ country: 'AU', code: 'AU' },
-			{ country: 'JP', code: 'APPI' },
-			{ country: 'KR', code: 'PIPA' },
-		] as const;
-
-		it.each(
-			jurisdictionCases
-		)('should identify $country as $code jurisdiction', ({ country, code }) => {
-			const jurisdiction = checkJurisdiction(country);
-
-			expect(jurisdiction).toBe(code);
-		});
-	});
-
-	describe('Non-regulated countries', () => {
-		const nonRegulatedCountries = [
-			'US', // United States (outside CCPA regions)
-			'RU', // Russia
-			'CN', // China
-			'IN', // India
-			'MX', // Mexico
-			'AR', // Argentina
-			'EG', // Egypt
-			'ZA', // South Africa
-			'TH', // Thailand
-			'PH', // Philippines
-		];
-
-		it.each(
-			nonRegulatedCountries
-		)('should identify %s as non-regulated (NONE jurisdiction)', (countryCode) => {
-			const jurisdiction = checkJurisdiction(countryCode);
-
-			expect(jurisdiction).toBe('NONE');
-		});
-	});
-
-	describe('Edge cases', () => {
-		it('should handle null country code by defaulting to show banner with NONE jurisdiction', () => {
-			const jurisdiction = checkJurisdiction(null);
-
-			expect(jurisdiction).toBe('NONE');
-		});
-
-		it('should handle empty string country code by defaulting to show banner with NONE jurisdiction', () => {
-			const jurisdiction = checkJurisdiction('');
-
-			expect(jurisdiction).toBe('NONE');
-		});
-
-		it('should handle lowercase country codes correctly', () => {
-			const jurisdiction = checkJurisdiction('de');
-
-			// Should now match because we normalize to uppercase
-			expect(jurisdiction).toBe('GDPR');
-		});
-
-		it('should handle mixed case country codes across different jurisdictions', () => {
-			const testCases = [
-				{ input: 'de', expectedJurisdiction: 'GDPR' },
-				{ input: 'De', expectedJurisdiction: 'GDPR' },
-				{ input: 'DE', expectedJurisdiction: 'GDPR' },
-				{ input: 'ch', expectedJurisdiction: 'CH' },
-				{ input: 'Ch', expectedJurisdiction: 'CH' },
-				{ input: 'CH', expectedJurisdiction: 'CH' },
-				{ input: 'ca', expectedJurisdiction: 'PIPEDA' },
-				{ input: 'Ca', expectedJurisdiction: 'PIPEDA' },
-				{ input: 'CA', expectedJurisdiction: 'PIPEDA' },
-			] as const;
-
-			for (const { input, expectedJurisdiction } of testCases) {
-				const jurisdiction = checkJurisdiction(input);
-
-				expect(jurisdiction).toBe(expectedJurisdiction);
-			}
-		});
-
-		it('should handle invalid country codes', () => {
-			const invalidCodes = ['XX', 'ZZ', '123', 'ABC'];
-
-			for (const code of invalidCodes) {
-				const jurisdiction = checkJurisdiction(code);
-
-				expect(jurisdiction).toBe('NONE');
-			}
-		});
-	});
-
-	describe('Return value structure', () => {
-		it('should always return an object with required properties', () => {
-			const jurisdiction = checkJurisdiction('DE');
-
-			expect(jurisdiction).toBe('GDPR');
-		});
-
-		it('should return consistent types regardless of input', () => {
-			const inputs = ['DE', 'US', 'GB', 'XX', '', null];
-
-			for (const input of inputs) {
-				const jurisdiction = checkJurisdiction(input);
-
-				expect(typeof jurisdiction).toBe('string');
-			}
-		});
-	});
-
-	describe('Comprehensive jurisdiction mapping', () => {
-		it('should correctly map all supported jurisdictions', () => {
-			// Test one representative from each jurisdiction group
-			const testCases = [
-				{
-					input: 'DE',
-					expectedJurisdiction: 'GDPR' as const,
-				},
-				{
-					input: 'NO',
-					expectedJurisdiction: 'GDPR' as const,
-				},
-				{
-					input: 'GB',
-					expectedJurisdiction: 'UK_GDPR' as const,
-				},
-				{
-					input: 'CH',
-					expectedJurisdiction: 'CH' as const,
-				},
-				{
-					input: 'BR',
-					expectedJurisdiction: 'BR' as const,
-				},
-				{
-					input: 'CA',
-					expectedJurisdiction: 'PIPEDA' as const,
-				},
-				{
-					input: 'AU',
-					expectedJurisdiction: 'AU' as const,
-				},
-				{
-					input: 'JP',
-					expectedJurisdiction: 'APPI' as const,
-				},
-				{
-					input: 'KR',
-					expectedJurisdiction: 'PIPA' as const,
-				},
-				{
-					input: 'US',
-					expectedJurisdiction: 'NONE' as const,
-				},
-				{
-					input: null,
-					expectedJurisdiction: 'NONE' as const,
-				},
-			];
-
-			for (const { input, expectedJurisdiction } of testCases) {
-				const jurisdiction = checkJurisdiction(input);
-
-				expect(jurisdiction).toBe(expectedJurisdiction);
-			}
-		});
-	});
-
-	describe('Quebec Law 25 jurisdiction (CA regions)', () => {
-		it('should identify CA-QC as QC_LAW25 jurisdiction (case-insensitive)', () => {
-			const cases = ['QC', 'qc', 'Qc'];
-
-			for (const region of cases) {
-				const jurisdiction = checkJurisdiction('CA', region);
-
-				expect(jurisdiction).toBe('QC_LAW25');
-			}
-		});
-
-		it('should handle dash-separated region codes for Quebec', () => {
-			const cases = ['CA-QC', 'ca-qc', 'Ca-Qc'];
-
-			for (const region of cases) {
-				const jurisdiction = checkJurisdiction('CA', region);
-
-				expect(jurisdiction).toBe('QC_LAW25');
-			}
-		});
-
-		it('should return PIPEDA for non-Quebec Canadian provinces', () => {
-			const nonQuebecRegions = ['ON', 'BC', 'AB', null];
-
-			for (const region of nonQuebecRegions) {
-				const jurisdiction = checkJurisdiction('CA', region as string | null);
-
-				expect(jurisdiction).toBe('PIPEDA');
-			}
-		});
-
-		it('should return PIPEDA for dash-separated non-Quebec Canadian provinces', () => {
-			const nonQuebecRegions = ['CA-ON', 'CA-BC', 'CA-AB'];
-
-			for (const region of nonQuebecRegions) {
-				const jurisdiction = checkJurisdiction('CA', region);
-
-				expect(jurisdiction).toBe('PIPEDA');
-			}
-		});
-	});
-
-	describe('CCPA jurisdiction (US regions)', () => {
-		it('should identify US-CA as CCPA jurisdiction (case-insensitive)', () => {
-			const cases = ['CA', 'ca', 'Ca'];
-
-			for (const region of cases) {
-				const jurisdiction = checkJurisdiction('US', region);
-
-				expect(jurisdiction).toBe('CCPA');
-			}
-		});
-
-		it('should handle dash-separated region codes for California', () => {
-			const cases = ['US-CA', 'us-ca', 'Us-Ca'];
-
-			for (const region of cases) {
-				const jurisdiction = checkJurisdiction('US', region);
-
-				expect(jurisdiction).toBe('CCPA');
-			}
-		});
-
-		it('should not apply CCPA for non-CCPA US regions', () => {
-			const nonCcpaRegions = ['NY', 'TX', 'WA', 'FL', null];
-
-			for (const region of nonCcpaRegions) {
-				const jurisdiction = checkJurisdiction('US', region as string | null);
-
-				expect(jurisdiction).toBe('NONE');
-			}
-		});
-
-		it('should not apply CCPA for dash-separated non-CCPA US regions', () => {
-			const nonCcpaRegions = ['US-NY', 'US-TX', 'US-WA'];
-
-			for (const region of nonCcpaRegions) {
-				const jurisdiction = checkJurisdiction('US', region);
-
-				expect(jurisdiction).toBe('NONE');
-			}
-		});
-	});
-});