@dotdo/do 0.1.0

package/dist/api/mcp/index.js

@@ -0,0 +1,141 @@
+/**
+ * MCP (Model Context Protocol) Module
+ *
+ * Implements the Model Context Protocol for AI tool integration.
+ * Allows AI agents (Claude, GPT, etc.) to interact with Digital Objects.
+ *
+ * MCP Spec: https://modelcontextprotocol.io/
+ */
+import { Hono } from 'hono';
+import { getTools, handleListTools, handleToolCall, handleInitialize } from './handlers';
+// =============================================================================
+// MCP Routes
+// =============================================================================
+/**
+ * Create MCP routes
+ */
+export function createMCPRoutes() {
+    const router = new Hono();
+    /**
+     * GET /mcp - MCP server discovery
+     */
+    router.get('/mcp', (c) => {
+        const url = new URL(c.req.url);
+        const info = {
+            protocolVersion: '2024-11-05',
+            capabilities: {
+                tools: { listChanged: false },
+                resources: { subscribe: false, listChanged: false },
+                prompts: { listChanged: false },
+                logging: {},
+            },
+            serverInfo: {
+                name: url.hostname,
+                version: '1.0.0',
+            },
+        };
+        return c.json({
+            ...info,
+            endpoints: {
+                discovery: `${url.origin}/mcp`,
+                tools: `${url.origin}/mcp`,
+                rpc: `${url.origin}/rpc`,
+            },
+            links: {
+                self: `${url.origin}/mcp`,
+                api: `${url.origin}/.do`,
+                docs: 'https://do.md/mcp',
+            },
+        }, 200, {
+            'Access-Control-Allow-Origin': '*',
+        });
+    });
+    /**
+     * POST /mcp - MCP JSON-RPC requests
+     */
+    router.post('/mcp', async (c) => {
+        const url = new URL(c.req.url);
+        try {
+            const body = await c.req.json();
+            let response;
+            switch (body.method) {
+                case 'initialize':
+                    response = handleInitialize(url.hostname, body.id);
+                    break;
+                case 'tools/list':
+                    response = await handleListTools(body.id);
+                    break;
+                case 'tools/call': {
+                    const params = body.params;
+                    response = await handleToolCall(c.env, url.hostname, body.id, params.name, params.arguments || {});
+                    break;
+                }
+                default:
+                    response = {
+                        jsonrpc: '2.0',
+                        id: body.id,
+                        error: {
+                            code: -32601,
+                            message: `Method not found: ${body.method}`,
+                        },
+                    };
+            }
+            return c.json(response, 200, {
+                'Access-Control-Allow-Origin': '*',
+            });
+        }
+        catch (error) {
+            return c.json({
+                jsonrpc: '2.0',
+                id: null,
+                error: {
+                    code: -32700,
+                    message: 'Parse error',
+                    data: error instanceof Error ? error.message : undefined,
+                },
+            }, 400, {
+                'Access-Control-Allow-Origin': '*',
+            });
+        }
+    });
+    /**
+     * OPTIONS /mcp - CORS preflight
+     */
+    router.options('/mcp', (c) => {
+        return new Response(null, {
+            status: 204,
+            headers: {
+                'Access-Control-Allow-Origin': '*',
+                'Access-Control-Allow-Methods': 'GET, POST, OPTIONS',
+                'Access-Control-Allow-Headers': 'Content-Type, Authorization',
+                'Access-Control-Max-Age': '86400',
+            },
+        });
+    });
+    /**
+     * GET /mcp/tools - List available tools
+     */
+    router.get('/mcp/tools', (c) => {
+        const url = new URL(c.req.url);
+        const colo = c.req.header('CF-Ray')?.split('-')[1];
+        const tools = getTools();
+        return c.json({
+            api: url.hostname,
+            data: { tools },
+            links: {
+                self: `${url.origin}/mcp/tools`,
+                mcp: `${url.origin}/mcp`,
+                api: `${url.origin}/.do`,
+            },
+            colo,
+            timestamp: Date.now(),
+        });
+    });
+    return router;
+}
+// =============================================================================
+// Exports
+// =============================================================================
+export { getTools, handleListTools, handleToolCall, handleInitialize } from './handlers';
+export default createMCPRoutes;
+//# sourceMappingURL=index.js.map

package/dist/api/mcp/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../api/mcp/index.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,EAAE,IAAI,EAAE,MAAM,MAAM,CAAA;AAE3B,OAAO,EAAE,QAAQ,EAAE,eAAe,EAAE,cAAc,EAAE,gBAAgB,EAAE,MAAM,YAAY,CAAA;AA+FxF,gFAAgF;AAChF,aAAa;AACb,gFAAgF;AAEhF;;GAEG;AACH,MAAM,UAAU,eAAe;IAC7B,MAAM,MAAM,GAAG,IAAI,IAAI,EAA2C,CAAA;IAElE;;OAEG;IACH,MAAM,CAAC,GAAG,CAAC,MAAM,EAAE,CAAC,CAAC,EAAE,EAAE;QACvB,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC,GAAG,CAAC,CAAA;QAE9B,MAAM,IAAI,GAAkB;YAC1B,eAAe,EAAE,YAAY;YAC7B,YAAY,EAAE;gBACZ,KAAK,EAAE,EAAE,WAAW,EAAE,KAAK,EAAE;gBAC7B,SAAS,EAAE,EAAE,SAAS,EAAE,KAAK,EAAE,WAAW,EAAE,KAAK,EAAE;gBACnD,OAAO,EAAE,EAAE,WAAW,EAAE,KAAK,EAAE;gBAC/B,OAAO,EAAE,EAAE;aACZ;YACD,UAAU,EAAE;gBACV,IAAI,EAAE,GAAG,CAAC,QAAQ;gBAClB,OAAO,EAAE,OAAO;aACjB;SACF,CAAA;QAED,OAAO,CAAC,CAAC,IAAI,CAAC;YACZ,GAAG,IAAI;YACP,SAAS,EAAE;gBACT,SAAS,EAAE,GAAG,GAAG,CAAC,MAAM,MAAM;gBAC9B,KAAK,EAAE,GAAG,GAAG,CAAC,MAAM,MAAM;gBAC1B,GAAG,EAAE,GAAG,GAAG,CAAC,MAAM,MAAM;aACzB;YACD,KAAK,EAAE;gBACL,IAAI,EAAE,GAAG,GAAG,CAAC,MAAM,MAAM;gBACzB,GAAG,EAAE,GAAG,GAAG,CAAC,MAAM,MAAM;gBACxB,IAAI,EAAE,mBAAmB;aAC1B;SACF,EAAE,GAAG,EAAE;YACN,6BAA6B,EAAE,GAAG;SACnC,CAAC,CAAA;IACJ,CAAC,CAAC,CAAA;IAEF;;OAEG;IACH,MAAM,CAAC,IAAI,CAAC,MAAM,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;QAC9B,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC,GAAG,CAAC,CAAA;QAE9B,IAAI,CAAC;YACH,MAAM,IAAI,GAAG,MAAM,CAAC,CAAC,GAAG,CAAC,IAAI,EAAgB,CAAA;YAE7C,IAAI,QAAoD,CAAA;YAExD,QAAQ,IAAI,CAAC,MAAM,EAAE,CAAC;gBACpB,KAAK,YAAY;oBACf,QAAQ,GAAG,gBAAgB,CAAC,GAAG,CAAC,QAAQ,EAAE,IAAI,CAAC,EAAE,CAAC,CAAA;oBAClD,MAAK;gBAEP,KAAK,YAAY;oBACf,QAAQ,GAAG,MAAM,eAAe,CAAC,IAAI,CAAC,EAAE,CAAC,CAAA;oBACzC,MAAK;gBAEP,KAAK,YAAY,CAAC,CAAC,CAAC;oBAClB,MAAM,MAAM,GAAG,IAAI,CAAC,MAA+D,CAAA;oBACnF,QAAQ,GAAG,MAAM,cAAc,CAC7B,CAAC,CAAC,GAAG,EACL,GAAG,CAAC,QAAQ,EACZ,IAAI,CAAC,EAAE,EACP,MAAM,CAAC,IAAI,EACX,MAAM,CAAC,SAAS,IAAI,EAAE,CACvB,CAAA;oBACD,MAAK;gBACP,CAAC;gBAED;oBACE,QAAQ,GAAG;wBACT,OAAO,EAAE,KAAK;wBACd,EAAE,EAAE,IAAI,CAAC,EAAE;wBACX,KAAK,EAAE;4BACL,IAAI,EAAE,CAAC,KAAK;4BACZ,OAAO,EAAE,qBAAqB,IAAI,CAAC,MAAM,EAAE;yBAC5C;qBACF,CAAA;YACL,CAAC;YAED,OAAO,CAAC,CAAC,IAAI,CAAC,QAAQ,EAAE,GAAG,EAAE;gBAC3B,6BAA6B,EAAE,GAAG;aACnC,CAAC,CAAA;QACJ,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,OAAO,CAAC,CAAC,IAAI,CAAC;gBACZ,OAAO,EAAE,KAAK;gBACd,EAAE,EAAE,IAAI;gBACR,KAAK,EAAE;oBACL,IAAI,EAAE,CAAC,KAAK;oBACZ,OAAO,EAAE,aAAa;oBACtB,IAAI,EAAE,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,SAAS;iBACzD;aACF,EAAE,GAAG,EAAE;gBACN,6BAA6B,EAAE,GAAG;aACnC,CAAC,CAAA;QACJ,CAAC;IACH,CAAC,CAAC,CAAA;IAEF;;OAEG;IACH,MAAM,CAAC,OAAO,CAAC,MAAM,EAAE,CAAC,CAAC,EAAE,EAAE;QAC3B,OAAO,IAAI,QAAQ,CAAC,IAAI,EAAE;YACxB,MAAM,EAAE,GAAG;YACX,OAAO,EAAE;gBACP,6BAA6B,EAAE,GAAG;gBAClC,8BAA8B,EAAE,oBAAoB;gBACpD,8BAA8B,EAAE,6BAA6B;gBAC7D,wBAAwB,EAAE,OAAO;aAClC;SACF,CAAC,CAAA;IACJ,CAAC,CAAC,CAAA;IAEF;;OAEG;IACH,MAAM,CAAC,GAAG,CAAC,YAAY,EAAE,CAAC,CAAC,EAAE,EAAE;QAC7B,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC,GAAG,CAAC,CAAA;QAC9B,MAAM,IAAI,GAAG,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC,QAAQ,CAAC,EAAE,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAA;QAElD,MAAM,KAAK,GAAG,QAAQ,EAAE,CAAA;QAExB,OAAO,CAAC,CAAC,IAAI,CAAC;YACZ,GAAG,EAAE,GAAG,CAAC,QAAQ;YACjB,IAAI,EAAE,EAAE,KAAK,EAAE;YACf,KAAK,EAAE;gBACL,IAAI,EAAE,GAAG,GAAG,CAAC,MAAM,YAAY;gBAC/B,GAAG,EAAE,GAAG,GAAG,CAAC,MAAM,MAAM;gBACxB,GAAG,EAAE,GAAG,GAAG,CAAC,MAAM,MAAM;aACzB;YACD,IAAI;YACJ,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE;SACe,CAAC,CAAA;IACzC,CAAC,CAAC,CAAA;IAEF,OAAO,MAAM,CAAA;AACf,CAAC;AAED,gFAAgF;AAChF,UAAU;AACV,gFAAgF;AAEhF,OAAO,EAAE,QAAQ,EAAE,eAAe,EAAE,cAAc,EAAE,gBAAgB,EAAE,MAAM,YAAY,CAAA;AACxF,eAAe,eAAe,CAAA"}

package/dist/api/middleware/auth.d.ts

@@ -0,0 +1,65 @@
+/**
+ * Authentication Middleware
+ *
+ * Handles JWT-based authentication and authorization.
+ * Supports optional auth (for public routes) and required auth.
+ */
+import type { Context, Next } from 'hono';
+import type { Env, DOContext, AuthUser, AuthOptions } from '../types';
+/**
+ * Create authentication middleware
+ *
+ * @example
+ * // Optional auth - sets user if token present
+ * app.use('*', createAuthMiddleware())
+ *
+ * @example
+ * // Required auth - returns 401 if no valid token
+ * app.use('/api/*', createAuthMiddleware({ required: true }))
+ *
+ * @example
+ * // Role-based auth
+ * app.use('/admin/*', createAuthMiddleware({ required: true, roles: ['admin'] }))
+ */
+export declare function createAuthMiddleware(options?: AuthOptions): (c: Context<{
+    Bindings: Env;
+    Variables: DOContext;
+}>, next: Next) => Promise<Response | void>;
+/**
+ * Get the authenticated user from context
+ */
+export declare function getUser(c: Context<{
+    Variables: DOContext;
+}>): AuthUser | undefined;
+/**
+ * Require authentication (throws if not authenticated)
+ */
+export declare function requireUser(c: Context<{
+    Variables: DOContext;
+}>): AuthUser;
+/**
+ * Check if user has a specific role
+ */
+export declare function hasRole(c: Context<{
+    Variables: DOContext;
+}>, role: string): boolean;
+/**
+ * Check if user has a specific permission
+ */
+export declare function hasPermission(c: Context<{
+    Variables: DOContext;
+}>, permission: string): boolean;
+/**
+ * Create API key authentication middleware
+ *
+ * @example
+ * app.use('/api/*', createApiKeyMiddleware({ required: true }))
+ */
+export declare function createApiKeyMiddleware(options?: {
+    required?: boolean;
+    headerName?: string;
+}): (c: Context<{
+    Bindings: Env;
+    Variables: DOContext;
+}>, next: Next) => Promise<Response | void>;
+//# sourceMappingURL=auth.d.ts.map

package/dist/api/middleware/auth.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth.d.ts","sourceRoot":"","sources":["../../../api/middleware/auth.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,KAAK,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,MAAM,CAAA;AACzC,OAAO,KAAK,EAAE,GAAG,EAAE,SAAS,EAAE,QAAQ,EAAE,WAAW,EAAc,MAAM,UAAU,CAAA;AAqFjF;;;;;;;;;;;;;;GAcG;AACH,wBAAgB,oBAAoB,CAAC,OAAO,GAAE,WAAgB,IAC9C,GAAG,OAAO,CAAC;IAAE,QAAQ,EAAE,GAAG,CAAC;IAAC,SAAS,EAAE,SAAS,CAAA;CAAE,CAAC,EAAE,MAAM,IAAI,KAAG,OAAO,CAAC,QAAQ,GAAG,IAAI,CAAC,CA6FzG;AAMD;;GAEG;AACH,wBAAgB,OAAO,CAAC,CAAC,EAAE,OAAO,CAAC;IAAE,SAAS,EAAE,SAAS,CAAA;CAAE,CAAC,GAAG,QAAQ,GAAG,SAAS,CAElF;AAED;;GAEG;AACH,wBAAgB,WAAW,CAAC,CAAC,EAAE,OAAO,CAAC;IAAE,SAAS,EAAE,SAAS,CAAA;CAAE,CAAC,GAAG,QAAQ,CAM1E;AAED;;GAEG;AACH,wBAAgB,OAAO,CAAC,CAAC,EAAE,OAAO,CAAC;IAAE,SAAS,EAAE,SAAS,CAAA;CAAE,CAAC,EAAE,IAAI,EAAE,MAAM,GAAG,OAAO,CAGnF;AAED;;GAEG;AACH,wBAAgB,aAAa,CAAC,CAAC,EAAE,OAAO,CAAC;IAAE,SAAS,EAAE,SAAS,CAAA;CAAE,CAAC,EAAE,UAAU,EAAE,MAAM,GAAG,OAAO,CAG/F;AAMD;;;;;GAKG;AACH,wBAAgB,sBAAsB,CAAC,OAAO,GAAE;IAAE,QAAQ,CAAC,EAAE,OAAO,CAAC;IAAC,UAAU,CAAC,EAAE,MAAM,CAAA;CAAO,IAGhF,GAAG,OAAO,CAAC;IAAE,QAAQ,EAAE,GAAG,CAAC;IAAC,SAAS,EAAE,SAAS,CAAA;CAAE,CAAC,EAAE,MAAM,IAAI,KAAG,OAAO,CAAC,QAAQ,GAAG,IAAI,CAAC,CAqDzG"}

package/dist/api/middleware/auth.js

@@ -0,0 +1,271 @@
+/**
+ * Authentication Middleware
+ *
+ * Handles JWT-based authentication and authorization.
+ * Supports optional auth (for public routes) and required auth.
+ */
+// =============================================================================
+// JWT Utilities
+// =============================================================================
+/**
+ * Decode a JWT token (without verification for quick parsing)
+ */
+function decodeJWT(token) {
+    try {
+        const parts = token.split('.');
+        if (parts.length !== 3)
+            return null;
+        const header = JSON.parse(atob(parts[0]));
+        const payload = JSON.parse(atob(parts[1]));
+        return { header, payload };
+    }
+    catch {
+        return null;
+    }
+}
+/**
+ * Verify a JWT token
+ * In production, this would use proper crypto verification
+ */
+async function verifyJWT(token, secret) {
+    const decoded = decodeJWT(token);
+    if (!decoded) {
+        return { success: false, error: 'Invalid token format' };
+    }
+    const payload = decoded.payload;
+    // Check expiration
+    if (payload.exp && typeof payload.exp === 'number') {
+        if (Date.now() / 1000 > payload.exp) {
+            return { success: false, error: 'Token expired' };
+        }
+    }
+    // Build user from payload
+    const user = {
+        id: String(payload.sub || payload.id || 'unknown'),
+        email: payload.email,
+        orgId: payload.orgId,
+        roles: payload.roles || [],
+        permissions: payload.permissions || [],
+        exp: payload.exp,
+    };
+    return { success: true, user };
+}
+/**
+ * Extract token from request
+ * Checks Authorization header and cookies
+ */
+function extractToken(c) {
+    // Check Authorization header
+    const authHeader = c.req.header('Authorization');
+    if (authHeader?.startsWith('Bearer ')) {
+        return authHeader.slice(7);
+    }
+    // Check cookie
+    const cookie = c.req.header('Cookie');
+    if (cookie) {
+        const match = cookie.match(/auth_token=([^;]+)/);
+        if (match)
+            return match[1];
+    }
+    // Check query param (for WebSocket connections)
+    const url = new URL(c.req.url);
+    const queryToken = url.searchParams.get('token');
+    if (queryToken)
+        return queryToken;
+    return null;
+}
+// =============================================================================
+// Auth Middleware Factory
+// =============================================================================
+/**
+ * Create authentication middleware
+ *
+ * @example
+ * // Optional auth - sets user if token present
+ * app.use('*', createAuthMiddleware())
+ *
+ * @example
+ * // Required auth - returns 401 if no valid token
+ * app.use('/api/*', createAuthMiddleware({ required: true }))
+ *
+ * @example
+ * // Role-based auth
+ * app.use('/admin/*', createAuthMiddleware({ required: true, roles: ['admin'] }))
+ */
+export function createAuthMiddleware(options = {}) {
+    return async (c, next) => {
+        const secret = options.secret || c.env.AUTH_SECRET || 'dev-secret';
+        const tokenExtractor = options.extractToken || extractToken;
+        // Extract token
+        const token = tokenExtractor(c);
+        if (!token) {
+            if (options.required) {
+                return c.json({
+                    api: new URL(c.req.url).hostname,
+                    error: {
+                        code: 'UNAUTHORIZED',
+                        message: 'Authentication required',
+                    },
+                    links: {
+                        auth: 'https://do.md/auth',
+                    },
+                    timestamp: Date.now(),
+                }, 401);
+            }
+            // No token, continue without user
+            await next();
+            return;
+        }
+        // Verify token
+        const result = await verifyJWT(token, secret);
+        if (!result.success) {
+            if (options.required) {
+                return c.json({
+                    api: new URL(c.req.url).hostname,
+                    error: {
+                        code: 'INVALID_TOKEN',
+                        message: result.error || 'Invalid authentication token',
+                    },
+                    links: {
+                        auth: 'https://do.md/auth',
+                    },
+                    timestamp: Date.now(),
+                }, 401);
+            }
+            // Invalid token but not required, continue without user
+            await next();
+            return;
+        }
+        const user = result.user;
+        // Check roles if specified
+        if (options.roles && options.roles.length > 0) {
+            const hasRole = options.roles.some(role => user.roles.includes(role));
+            if (!hasRole) {
+                return c.json({
+                    api: new URL(c.req.url).hostname,
+                    error: {
+                        code: 'FORBIDDEN',
+                        message: `Required role: ${options.roles.join(' or ')}`,
+                    },
+                    links: {
+                        self: c.req.url,
+                    },
+                    timestamp: Date.now(),
+                }, 403);
+            }
+        }
+        // Check permissions if specified
+        if (options.permissions && options.permissions.length > 0) {
+            const hasPermission = options.permissions.some(perm => user.permissions.includes(perm));
+            if (!hasPermission) {
+                return c.json({
+                    api: new URL(c.req.url).hostname,
+                    error: {
+                        code: 'FORBIDDEN',
+                        message: `Required permission: ${options.permissions.join(' or ')}`,
+                    },
+                    links: {
+                        self: c.req.url,
+                    },
+                    timestamp: Date.now(),
+                }, 403);
+            }
+        }
+        // Set user in context
+        c.set('user', user);
+        await next();
+    };
+}
+// =============================================================================
+// Helper Functions
+// =============================================================================
+/**
+ * Get the authenticated user from context
+ */
+export function getUser(c) {
+    return c.get('user');
+}
+/**
+ * Require authentication (throws if not authenticated)
+ */
+export function requireUser(c) {
+    const user = c.get('user');
+    if (!user) {
+        throw new Error('Authentication required');
+    }
+    return user;
+}
+/**
+ * Check if user has a specific role
+ */
+export function hasRole(c, role) {
+    const user = c.get('user');
+    return user?.roles.includes(role) ?? false;
+}
+/**
+ * Check if user has a specific permission
+ */
+export function hasPermission(c, permission) {
+    const user = c.get('user');
+    return user?.permissions.includes(permission) ?? false;
+}
+// =============================================================================
+// API Key Auth
+// =============================================================================
+/**
+ * Create API key authentication middleware
+ *
+ * @example
+ * app.use('/api/*', createApiKeyMiddleware({ required: true }))
+ */
+export function createApiKeyMiddleware(options = {}) {
+    const headerName = options.headerName || 'X-API-Key';
+    return async (c, next) => {
+        const apiKey = c.req.header(headerName);
+        if (!apiKey) {
+            if (options.required) {
+                return c.json({
+                    api: new URL(c.req.url).hostname,
+                    error: {
+                        code: 'UNAUTHORIZED',
+                        message: `API key required (${headerName} header)`,
+                    },
+                    links: {
+                        docs: 'https://do.md/api-keys',
+                    },
+                    timestamp: Date.now(),
+                }, 401);
+            }
+            await next();
+            return;
+        }
+        // Validate API key against KV store
+        // In production, this would check KV for the key
+        // For now, accept any key that looks valid
+        if (!/^do_[a-zA-Z0-9]{32,}$/.test(apiKey)) {
+            if (options.required) {
+                return c.json({
+                    api: new URL(c.req.url).hostname,
+                    error: {
+                        code: 'INVALID_API_KEY',
+                        message: 'Invalid API key format',
+                    },
+                    links: {
+                        docs: 'https://do.md/api-keys',
+                    },
+                    timestamp: Date.now(),
+                }, 401);
+            }
+            await next();
+            return;
+        }
+        // Set a basic user for API key auth
+        c.set('user', {
+            id: `api:${apiKey.slice(0, 16)}`,
+            roles: ['api'],
+            permissions: ['api:read', 'api:write'],
+        });
+        await next();
+    };
+}
+//# sourceMappingURL=auth.js.map

package/dist/api/middleware/auth.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth.js","sourceRoot":"","sources":["../../../api/middleware/auth.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAKH,gFAAgF;AAChF,gBAAgB;AAChB,gFAAgF;AAEhF;;GAEG;AACH,SAAS,SAAS,CAAC,KAAa;IAC9B,IAAI,CAAC;QACH,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAA;QAC9B,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC;YAAE,OAAO,IAAI,CAAA;QAEnC,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,CAAA;QACzC,MAAM,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,CAAA;QAE1C,OAAO,EAAE,MAAM,EAAE,OAAO,EAAE,CAAA;IAC5B,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAA;IACb,CAAC;AACH,CAAC;AAED;;;GAGG;AACH,KAAK,UAAU,SAAS,CAAC,KAAa,EAAE,MAAc;IACpD,MAAM,OAAO,GAAG,SAAS,CAAC,KAAK,CAAC,CAAA;IAChC,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,sBAAsB,EAAE,CAAA;IAC1D,CAAC;IAED,MAAM,OAAO,GAAG,OAAO,CAAC,OAAkC,CAAA;IAE1D,mBAAmB;IACnB,IAAI,OAAO,CAAC,GAAG,IAAI,OAAO,OAAO,CAAC,GAAG,KAAK,QAAQ,EAAE,CAAC;QACnD,IAAI,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,GAAG,OAAO,CAAC,GAAG,EAAE,CAAC;YACpC,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,eAAe,EAAE,CAAA;QACnD,CAAC;IACH,CAAC;IAED,0BAA0B;IAC1B,MAAM,IAAI,GAAa;QACrB,EAAE,EAAE,MAAM,CAAC,OAAO,CAAC,GAAG,IAAI,OAAO,CAAC,EAAE,IAAI,SAAS,CAAC;QAClD,KAAK,EAAE,OAAO,CAAC,KAA2B;QAC1C,KAAK,EAAE,OAAO,CAAC,KAA2B;QAC1C,KAAK,EAAG,OAAO,CAAC,KAAkB,IAAI,EAAE;QACxC,WAAW,EAAG,OAAO,CAAC,WAAwB,IAAI,EAAE;QACpD,GAAG,EAAE,OAAO,CAAC,GAAyB;KACvC,CAAA;IAED,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,IAAI,EAAE,CAAA;AAChC,CAAC;AAED;;;GAGG;AACH,SAAS,YAAY,CAAC,CAAU;IAC9B,6BAA6B;IAC7B,MAAM,UAAU,GAAG,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC,eAAe,CAAC,CAAA;IAChD,IAAI,UAAU,EAAE,UAAU,CAAC,SAAS,CAAC,EAAE,CAAC;QACtC,OAAO,UAAU,CAAC,KAAK,CAAC,CAAC,CAAC,CAAA;IAC5B,CAAC;IAED,eAAe;IACf,MAAM,MAAM,GAAG,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAA;IACrC,IAAI,MAAM,EAAE,CAAC;QACX,MAAM,KAAK,GAAG,MAAM,CAAC,KAAK,CAAC,oBAAoB,CAAC,CAAA;QAChD,IAAI,KAAK;YAAE,OAAO,KAAK,CAAC,CAAC,CAAC,CAAA;IAC5B,CAAC;IAED,gDAAgD;IAChD,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC,GAAG,CAAC,CAAA;IAC9B,MAAM,UAAU,GAAG,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,CAAC,CAAA;IAChD,IAAI,UAAU;QAAE,OAAO,UAAU,CAAA;IAEjC,OAAO,IAAI,CAAA;AACb,CAAC;AAED,gFAAgF;AAChF,0BAA0B;AAC1B,gFAAgF;AAEhF;;;;;;;;;;;;;;GAcG;AACH,MAAM,UAAU,oBAAoB,CAAC,UAAuB,EAAE;IAC5D,OAAO,KAAK,EAAE,CAAmD,EAAE,IAAU,EAA4B,EAAE;QACzG,MAAM,MAAM,GAAG,OAAO,CAAC,MAAM,IAAI,CAAC,CAAC,GAAG,CAAC,WAAW,IAAI,YAAY,CAAA;QAClE,MAAM,cAAc,GAAG,OAAO,CAAC,YAAY,IAAI,YAAY,CAAA;QAE3D,gBAAgB;QAChB,MAAM,KAAK,GAAG,cAAc,CAAC,CAAC,CAAC,CAAA;QAE/B,IAAI,CAAC,KAAK,EAAE,CAAC;YACX,IAAI,OAAO,CAAC,QAAQ,EAAE,CAAC;gBACrB,OAAO,CAAC,CAAC,IAAI,CAAC;oBACZ,GAAG,EAAE,IAAI,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,QAAQ;oBAChC,KAAK,EAAE;wBACL,IAAI,EAAE,cAAc;wBACpB,OAAO,EAAE,yBAAyB;qBACnC;oBACD,KAAK,EAAE;wBACL,IAAI,EAAE,oBAAoB;qBAC3B;oBACD,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE;iBACtB,EAAE,GAAG,CAAC,CAAA;YACT,CAAC;YAED,kCAAkC;YAClC,MAAM,IAAI,EAAE,CAAA;YACZ,OAAM;QACR,CAAC;QAED,eAAe;QACf,MAAM,MAAM,GAAG,MAAM,SAAS,CAAC,KAAK,EAAE,MAAM,CAAC,CAAA;QAE7C,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC;YACpB,IAAI,OAAO,CAAC,QAAQ,EAAE,CAAC;gBACrB,OAAO,CAAC,CAAC,IAAI,CAAC;oBACZ,GAAG,EAAE,IAAI,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,QAAQ;oBAChC,KAAK,EAAE;wBACL,IAAI,EAAE,eAAe;wBACrB,OAAO,EAAE,MAAM,CAAC,KAAK,IAAI,8BAA8B;qBACxD;oBACD,KAAK,EAAE;wBACL,IAAI,EAAE,oBAAoB;qBAC3B;oBACD,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE;iBACtB,EAAE,GAAG,CAAC,CAAA;YACT,CAAC;YAED,wDAAwD;YACxD,MAAM,IAAI,EAAE,CAAA;YACZ,OAAM;QACR,CAAC;QAED,MAAM,IAAI,GAAG,MAAM,CAAC,IAAK,CAAA;QAEzB,2BAA2B;QAC3B,IAAI,OAAO,CAAC,KAAK,IAAI,OAAO,CAAC,KAAK,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YAC9C,MAAM,OAAO,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAA;YACrE,IAAI,CAAC,OAAO,EAAE,CAAC;gBACb,OAAO,CAAC,CAAC,IAAI,CAAC;oBACZ,GAAG,EAAE,IAAI,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,QAAQ;oBAChC,KAAK,EAAE;wBACL,IAAI,EAAE,WAAW;wBACjB,OAAO,EAAE,kBAAkB,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,MAAM,CAAC,EAAE;qBACxD;oBACD,KAAK,EAAE;wBACL,IAAI,EAAE,CAAC,CAAC,GAAG,CAAC,GAAG;qBAChB;oBACD,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE;iBACtB,EAAE,GAAG,CAAC,CAAA;YACT,CAAC;QACH,CAAC;QAED,iCAAiC;QACjC,IAAI,OAAO,CAAC,WAAW,IAAI,OAAO,CAAC,WAAW,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YAC1D,MAAM,aAAa,GAAG,OAAO,CAAC,WAAW,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,IAAI,CAAC,WAAW,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAA;YACvF,IAAI,CAAC,aAAa,EAAE,CAAC;gBACnB,OAAO,CAAC,CAAC,IAAI,CAAC;oBACZ,GAAG,EAAE,IAAI,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,QAAQ;oBAChC,KAAK,EAAE;wBACL,IAAI,EAAE,WAAW;wBACjB,OAAO,EAAE,wBAAwB,OAAO,CAAC,WAAW,CAAC,IAAI,CAAC,MAAM,CAAC,EAAE;qBACpE;oBACD,KAAK,EAAE;wBACL,IAAI,EAAE,CAAC,CAAC,GAAG,CAAC,GAAG;qBAChB;oBACD,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE;iBACtB,EAAE,GAAG,CAAC,CAAA;YACT,CAAC;QACH,CAAC;QAED,sBAAsB;QACtB,CAAC,CAAC,GAAG,CAAC,MAAM,EAAE,IAAI,CAAC,CAAA;QAEnB,MAAM,IAAI,EAAE,CAAA;IACd,CAAC,CAAA;AACH,CAAC;AAED,gFAAgF;AAChF,mBAAmB;AACnB,gFAAgF;AAEhF;;GAEG;AACH,MAAM,UAAU,OAAO,CAAC,CAAoC;IAC1D,OAAO,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC,CAAA;AACtB,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,WAAW,CAAC,CAAoC;IAC9D,MAAM,IAAI,GAAG,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC,CAAA;IAC1B,IAAI,CAAC,IAAI,EAAE,CAAC;QACV,MAAM,IAAI,KAAK,CAAC,yBAAyB,CAAC,CAAA;IAC5C,CAAC;IACD,OAAO,IAAI,CAAA;AACb,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,OAAO,CAAC,CAAoC,EAAE,IAAY;IACxE,MAAM,IAAI,GAAG,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC,CAAA;IAC1B,OAAO,IAAI,EAAE,KAAK,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAI,KAAK,CAAA;AAC5C,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,aAAa,CAAC,CAAoC,EAAE,UAAkB;IACpF,MAAM,IAAI,GAAG,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC,CAAA;IAC1B,OAAO,IAAI,EAAE,WAAW,CAAC,QAAQ,CAAC,UAAU,CAAC,IAAI,KAAK,CAAA;AACxD,CAAC;AAED,gFAAgF;AAChF,eAAe;AACf,gFAAgF;AAEhF;;;;;GAKG;AACH,MAAM,UAAU,sBAAsB,CAAC,UAAuD,EAAE;IAC9F,MAAM,UAAU,GAAG,OAAO,CAAC,UAAU,IAAI,WAAW,CAAA;IAEpD,OAAO,KAAK,EAAE,CAAmD,EAAE,IAAU,EAA4B,EAAE;QACzG,MAAM,MAAM,GAAG,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC,UAAU,CAAC,CAAA;QAEvC,IAAI,CAAC,MAAM,EAAE,CAAC;YACZ,IAAI,OAAO,CAAC,QAAQ,EAAE,CAAC;gBACrB,OAAO,CAAC,CAAC,IAAI,CAAC;oBACZ,GAAG,EAAE,IAAI,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,QAAQ;oBAChC,KAAK,EAAE;wBACL,IAAI,EAAE,cAAc;wBACpB,OAAO,EAAE,qBAAqB,UAAU,UAAU;qBACnD;oBACD,KAAK,EAAE;wBACL,IAAI,EAAE,wBAAwB;qBAC/B;oBACD,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE;iBACtB,EAAE,GAAG,CAAC,CAAA;YACT,CAAC;YAED,MAAM,IAAI,EAAE,CAAA;YACZ,OAAM;QACR,CAAC;QAED,oCAAoC;QACpC,iDAAiD;QACjD,2CAA2C;QAC3C,IAAI,CAAC,uBAAuB,CAAC,IAAI,CAAC,MAAM,CAAC,EAAE,CAAC;YAC1C,IAAI,OAAO,CAAC,QAAQ,EAAE,CAAC;gBACrB,OAAO,CAAC,CAAC,IAAI,CAAC;oBACZ,GAAG,EAAE,IAAI,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,QAAQ;oBAChC,KAAK,EAAE;wBACL,IAAI,EAAE,iBAAiB;wBACvB,OAAO,EAAE,wBAAwB;qBAClC;oBACD,KAAK,EAAE;wBACL,IAAI,EAAE,wBAAwB;qBAC/B;oBACD,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE;iBACtB,EAAE,GAAG,CAAC,CAAA;YACT,CAAC;YAED,MAAM,IAAI,EAAE,CAAA;YACZ,OAAM;QACR,CAAC;QAED,oCAAoC;QACpC,CAAC,CAAC,GAAG,CAAC,MAAM,EAAE;YACZ,EAAE,EAAE,OAAO,MAAM,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,EAAE;YAChC,KAAK,EAAE,CAAC,KAAK,CAAC;YACd,WAAW,EAAE,CAAC,UAAU,EAAE,WAAW,CAAC;SACvC,CAAC,CAAA;QAEF,MAAM,IAAI,EAAE,CAAA;IACd,CAAC,CAAA;AACH,CAAC"}

package/dist/api/middleware/cors.d.ts

@@ -0,0 +1,62 @@
+/**
+ * CORS Middleware
+ *
+ * Handles Cross-Origin Resource Sharing with configurable options.
+ * Includes smart defaults for the DO platform.
+ */
+import type { Context, Next } from 'hono';
+import type { Env, DOContext, CORSConfig } from '../types';
+/**
+ * Default CORS configuration for DO APIs
+ */
+export declare const DEFAULT_CORS_CONFIG: CORSConfig;
+/**
+ * Restrictive CORS for sensitive endpoints
+ */
+export declare const RESTRICTIVE_CORS_CONFIG: CORSConfig;
+/**
+ * Create CORS middleware with custom configuration
+ *
+ * @example
+ * // Use default config
+ * app.use('*', createCorsMiddleware())
+ *
+ * @example
+ * // Custom origins
+ * app.use('*', createCorsMiddleware({
+ *   origin: ['https://app.example.com', 'https://admin.example.com']
+ * }))
+ *
+ * @example
+ * // Restrictive config for admin routes
+ * app.use('/admin/*', createCorsMiddleware(RESTRICTIVE_CORS_CONFIG))
+ */
+export declare function createCorsMiddleware(config?: CORSConfig): import("hono").MiddlewareHandler;
+/**
+ * Create dynamic CORS middleware that checks allowed origins from KV
+ *
+ * This allows runtime configuration of CORS without redeployment
+ *
+ * @example
+ * app.use('*', createDynamicCorsMiddleware('cors:allowed-origins'))
+ */
+export declare function createDynamicCorsMiddleware(kvKey?: string): (c: Context<{
+    Bindings: Env;
+    Variables: DOContext;
+}>, next: Next) => Promise<Response | void>;
+/**
+ * Create a dedicated preflight handler for specific routes
+ *
+ * @example
+ * app.options('/api/*', createPreflightHandler())
+ */
+export declare function createPreflightHandler(config?: CORSConfig): (c: Context) => Response;
+/**
+ * Add CORS headers to an existing response
+ */
+export declare function addCorsHeaders(response: Response, origin: string, config?: CORSConfig): Response;
+/**
+ * Check if an origin is allowed
+ */
+export declare function isOriginAllowed(origin: string, config?: CORSConfig): boolean;
+//# sourceMappingURL=cors.d.ts.map

package/dist/api/middleware/cors.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"cors.d.ts","sourceRoot":"","sources":["../../../api/middleware/cors.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,KAAK,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,MAAM,CAAA;AAEzC,OAAO,KAAK,EAAE,GAAG,EAAE,SAAS,EAAE,UAAU,EAAE,MAAM,UAAU,CAAA;AAM1D;;GAEG;AACH,eAAO,MAAM,mBAAmB,EAAE,UAmBjC,CAAA;AAED;;GAEG;AACH,eAAO,MAAM,uBAAuB,EAAE,UAgBrC,CAAA;AAMD;;;;;;;;;;;;;;;;GAgBG;AACH,wBAAgB,oBAAoB,CAAC,MAAM,GAAE,UAAe,oCAY3D;AAMD;;;;;;;GAOG;AACH,wBAAgB,2BAA2B,CAAC,KAAK,GAAE,MAAsB,IACzD,GAAG,OAAO,CAAC;IAAE,QAAQ,EAAE,GAAG,CAAC;IAAC,SAAS,EAAE,SAAS,CAAA;CAAE,CAAC,EAAE,MAAM,IAAI,KAAG,OAAO,CAAC,QAAQ,GAAG,IAAI,CAAC,CA8CzG;AAMD;;;;;GAKG;AACH,wBAAgB,sBAAsB,CAAC,MAAM,GAAE,UAAgC,IACrE,GAAG,OAAO,cA8BnB;AAMD;;GAEG;AACH,wBAAgB,cAAc,CAC5B,QAAQ,EAAE,QAAQ,EAClB,MAAM,EAAE,MAAM,EACd,MAAM,GAAE,UAAgC,GACvC,QAAQ,CA4BV;AAED;;GAEG;AACH,wBAAgB,eAAe,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,GAAE,UAAgC,GAAG,OAAO,CAgBjG"}