npm - @edge-base/server - Versions diffs - 0.1.1 - Mend

@edge-base/server 0.1.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (309) hide show

package/admin-build/.gitkeep +0 -0
package/admin-build/_app/env.js +1 -0
package/admin-build/_app/immutable/assets/0.Bm6cF078.css +1 -0
package/admin-build/_app/immutable/assets/1.BfW3pUNa.css +1 -0
package/admin-build/_app/immutable/assets/11.CVmQOewb.css +1 -0
package/admin-build/_app/immutable/assets/12.B1EhbRZT.css +1 -0
package/admin-build/_app/immutable/assets/13.BvwYeuwE.css +1 -0
package/admin-build/_app/immutable/assets/14.CdVfcO0R.css +1 -0
package/admin-build/_app/immutable/assets/15.2yeZ66b-.css +1 -0
package/admin-build/_app/immutable/assets/17.BVg0JEVu.css +1 -0
package/admin-build/_app/immutable/assets/18.Rwnl3x_i.css +1 -0
package/admin-build/_app/immutable/assets/20.DsPWA9AV.css +1 -0
package/admin-build/_app/immutable/assets/21.Dz2RJ56c.css +1 -0
package/admin-build/_app/immutable/assets/22.DwNLk5Ai.css +1 -0
package/admin-build/_app/immutable/assets/23.CFpu0gOO.css +1 -0
package/admin-build/_app/immutable/assets/24.Cy5LBeoJ.css +1 -0
package/admin-build/_app/immutable/assets/25.pUyLVf-h.css +1 -0
package/admin-build/_app/immutable/assets/26.DBcGrlXa.css +1 -0
package/admin-build/_app/immutable/assets/27.BswYyAJD.css +1 -0
package/admin-build/_app/immutable/assets/28.B4ueB1Kf.css +1 -0
package/admin-build/_app/immutable/assets/29.B-qU6PdF.css +1 -0
package/admin-build/_app/immutable/assets/3.Dg81Pgmd.css +1 -0
package/admin-build/_app/immutable/assets/30.CsdWum94.css +1 -0
package/admin-build/_app/immutable/assets/31.U6OwIp50.css +1 -0
package/admin-build/_app/immutable/assets/4.CyawCCux.css +1 -0
package/admin-build/_app/immutable/assets/5.C0YO2HTk.css +1 -0
package/admin-build/_app/immutable/assets/8.Br5jd6kD.css +1 -0
package/admin-build/_app/immutable/assets/Badge.EMYLHBxE.css +1 -0
package/admin-build/_app/immutable/assets/Button.DpzMRTjK.css +1 -0
package/admin-build/_app/immutable/assets/ConfirmDialog.DAnaWRRk.css +1 -0
package/admin-build/_app/immutable/assets/EmptyState.CwKsu57Y.css +1 -0
package/admin-build/_app/immutable/assets/Input.BDUSenmU.css +1 -0
package/admin-build/_app/immutable/assets/Modal.Dm5B0Xie.css +1 -0
package/admin-build/_app/immutable/assets/PageShell.CmU-Xh-b.css +1 -0
package/admin-build/_app/immutable/assets/SchemaFieldEditor.g4NsCdno.css +1 -0
package/admin-build/_app/immutable/assets/Select.BW4Keufm.css +1 -0
package/admin-build/_app/immutable/assets/Skeleton.KWUulTKJ.css +1 -0
package/admin-build/_app/immutable/assets/Tabs.CniGYb67.css +1 -0
package/admin-build/_app/immutable/assets/TimeChart.BTCDAvmT.css +1 -0
package/admin-build/_app/immutable/assets/Toggle.Cy_K12OM.css +1 -0
package/admin-build/_app/immutable/assets/TopList.ClFzmPlA.css +1 -0
package/admin-build/_app/immutable/chunks/7B47DvSx.js +1 -0
package/admin-build/_app/immutable/chunks/7f08Id8e.js +1 -0
package/admin-build/_app/immutable/chunks/8wJeQ7LN.js +1 -0
package/admin-build/_app/immutable/chunks/B-h2afW5.js +1 -0
package/admin-build/_app/immutable/chunks/B8vJP3wz.js +1 -0
package/admin-build/_app/immutable/chunks/BR_fL5Yv.js +1 -0
package/admin-build/_app/immutable/chunks/BY92tFS2.js +1 -0
package/admin-build/_app/immutable/chunks/BcR-Rdj9.js +1 -0
package/admin-build/_app/immutable/chunks/BdrwyZv8.js +1 -0
package/admin-build/_app/immutable/chunks/Bh56EfQ_.js +1 -0
package/admin-build/_app/immutable/chunks/BkrCkgYp.js +1 -0
package/admin-build/_app/immutable/chunks/BmRjiP5k.js +1 -0
package/admin-build/_app/immutable/chunks/BsokvhWC.js +1 -0
package/admin-build/_app/immutable/chunks/C4D51vTW.js +1 -0
package/admin-build/_app/immutable/chunks/C6puvcoR.js +2 -0
package/admin-build/_app/immutable/chunks/CCKNu7m7.js +1 -0
package/admin-build/_app/immutable/chunks/CWj6FrbW.js +1 -0
package/admin-build/_app/immutable/chunks/Ce-ngf4p.js +5 -0
package/admin-build/_app/immutable/chunks/Cs0GwzJA.js +1 -0
package/admin-build/_app/immutable/chunks/CwROoZK0.js +1 -0
package/admin-build/_app/immutable/chunks/CxCPv_Ut.js +1 -0
package/admin-build/_app/immutable/chunks/CxbRue-5.js +1 -0
package/admin-build/_app/immutable/chunks/CyqB6g-D.js +1 -0
package/admin-build/_app/immutable/chunks/D5h5A1cc.js +2 -0
package/admin-build/_app/immutable/chunks/DnyL7Zq-.js +1 -0
package/admin-build/_app/immutable/chunks/DoPXzH7F.js +1 -0
package/admin-build/_app/immutable/chunks/DrQSgw-f.js +1 -0
package/admin-build/_app/immutable/chunks/DttM2zNO.js +1 -0
package/admin-build/_app/immutable/chunks/DuXuUBWN.js +1 -0
package/admin-build/_app/immutable/chunks/MdeqaOQx.js +10 -0
package/admin-build/_app/immutable/chunks/NuUjtcO2.js +1 -0
package/admin-build/_app/immutable/chunks/Q2nPFxS6.js +1 -0
package/admin-build/_app/immutable/chunks/R6arueIl.js +1 -0
package/admin-build/_app/immutable/chunks/UUazaC_N.js +1 -0
package/admin-build/_app/immutable/chunks/cOYbrQxx.js +1 -0
package/admin-build/_app/immutable/chunks/eFQHTGwA.js +1 -0
package/admin-build/_app/immutable/chunks/ehbppgYb.js +1 -0
package/admin-build/_app/immutable/chunks/glwixJlP.js +1 -0
package/admin-build/_app/immutable/chunks/vApWTCBs.js +1 -0
package/admin-build/_app/immutable/chunks/w89G9Xpi.js +1 -0
package/admin-build/_app/immutable/chunks/wJsUhbfZ.js +1 -0
package/admin-build/_app/immutable/chunks/zfauFM8P.js +1 -0
package/admin-build/_app/immutable/entry/app.CcO-Uos3.js +2 -0
package/admin-build/_app/immutable/entry/start.COebYq3I.js +1 -0
package/admin-build/_app/immutable/nodes/0.CjtHKU-6.js +1 -0
package/admin-build/_app/immutable/nodes/1.DEisjlM0.js +1 -0
package/admin-build/_app/immutable/nodes/10.CvhdyWVB.js +1 -0
package/admin-build/_app/immutable/nodes/11.DjHqcOvy.js +1 -0
package/admin-build/_app/immutable/nodes/12.mQLz4Mj_.js +1 -0
package/admin-build/_app/immutable/nodes/13.CBonZZyP.js +110 -0
package/admin-build/_app/immutable/nodes/14.d-oiZL0j.js +3 -0
package/admin-build/_app/immutable/nodes/15.CKPQsUYF.js +1 -0
package/admin-build/_app/immutable/nodes/16.wPzAPQGx.js +1 -0
package/admin-build/_app/immutable/nodes/17.DayhKyEZ.js +1 -0
package/admin-build/_app/immutable/nodes/18.DKwS0Ir0.js +1 -0
package/admin-build/_app/immutable/nodes/19.wPzAPQGx.js +1 -0
package/admin-build/_app/immutable/nodes/2.BKoKrw1i.js +1 -0
package/admin-build/_app/immutable/nodes/20.BvIkkkrW.js +1 -0
package/admin-build/_app/immutable/nodes/21.DMaFhdHk.js +128 -0
package/admin-build/_app/immutable/nodes/22.3xdgwuK1.js +1 -0
package/admin-build/_app/immutable/nodes/23.8Bvgjbsl.js +112 -0
package/admin-build/_app/immutable/nodes/24.DzSSzRhG.js +2 -0
package/admin-build/_app/immutable/nodes/25.9KKYBnAE.js +2 -0
package/admin-build/_app/immutable/nodes/26.Bhn9dfhY.js +1 -0
package/admin-build/_app/immutable/nodes/27.kRLiC24G.js +1 -0
package/admin-build/_app/immutable/nodes/28.BVIN1-7N.js +1 -0
package/admin-build/_app/immutable/nodes/29.3yabZWj4.js +1 -0
package/admin-build/_app/immutable/nodes/3.BFtSOkX7.js +2 -0
package/admin-build/_app/immutable/nodes/30.CyCQlwaP.js +1 -0
package/admin-build/_app/immutable/nodes/31.C4LDXjES.js +1 -0
package/admin-build/_app/immutable/nodes/4.CvbiMlCa.js +1 -0
package/admin-build/_app/immutable/nodes/5.C6BLv2eM.js +1 -0
package/admin-build/_app/immutable/nodes/6.BcXvfl2P.js +1 -0
package/admin-build/_app/immutable/nodes/7.CIuqhPiK.js +1 -0
package/admin-build/_app/immutable/nodes/8.BQOR_JfO.js +1 -0
package/admin-build/_app/immutable/nodes/9.NZqXQxPy.js +1 -0
package/admin-build/_app/version.json +1 -0
package/admin-build/favicon.svg +26 -0
package/admin-build/index.html +45 -0
package/openapi.json +19543 -0
package/package.json +66 -0
package/src/__tests__/admin-assets.test.ts +55 -0
package/src/__tests__/admin-data-routes.test.ts +488 -0
package/src/__tests__/admin-db-target.test.ts +103 -0
package/src/__tests__/admin-routing.test.ts +31 -0
package/src/__tests__/admin-user-management.test.ts +311 -0
package/src/__tests__/analytics-query.test.ts +75 -0
package/src/__tests__/auth-d1.test.ts +749 -0
package/src/__tests__/auth-db-adapter.test.ts +73 -0
package/src/__tests__/auth-jwt.test.ts +440 -0
package/src/__tests__/auth-oauth.test.ts +389 -0
package/src/__tests__/auth-password.test.ts +367 -0
package/src/__tests__/auth-redirect.test.ts +87 -0
package/src/__tests__/backup-restore.test.ts +711 -0
package/src/__tests__/broadcast.test.ts +128 -0
package/src/__tests__/cli.test.ts +178 -0
package/src/__tests__/cloudflare-realtime.test.ts +113 -0
package/src/__tests__/config.test.ts +469 -0
package/src/__tests__/cors.test.ts +154 -0
package/src/__tests__/cron.test.ts +302 -0
package/src/__tests__/d1-handler.test.ts +402 -0
package/src/__tests__/d1-sql.test.ts +120 -0
package/src/__tests__/database-live-config.test.ts +42 -0
package/src/__tests__/database-live-emitter.test.ts +56 -0
package/src/__tests__/database-live-filters.test.ts +63 -0
package/src/__tests__/database-live-route.test.ts +113 -0
package/src/__tests__/db-sql.test.ts +163 -0
package/src/__tests__/do-lifecycle.test.ts +263 -0
package/src/__tests__/do-router.test.ts +729 -0
package/src/__tests__/email-provider.test.ts +128 -0
package/src/__tests__/email-templates.test.ts +528 -0
package/src/__tests__/error-format.test.ts +250 -0
package/src/__tests__/field-ops.test.ts +242 -0
package/src/__tests__/functions-context.test.ts +334 -0
package/src/__tests__/functions-d1-proxy.test.ts +229 -0
package/src/__tests__/functions-registry-runtime-config.test.ts +17 -0
package/src/__tests__/functions-route.test.ts +139 -0
package/src/__tests__/internal-request.test.ts +77 -0
package/src/__tests__/log-writer.test.ts +44 -0
package/src/__tests__/logger.test.ts +58 -0
package/src/__tests__/meta-admin-proxy.test.ts +48 -0
package/src/__tests__/meta-export-coverage.test.ts +191 -0
package/src/__tests__/meta-route-registration.test.ts +47 -0
package/src/__tests__/namespace-dump.test.ts +28 -0
package/src/__tests__/oauth-providers.test.ts +337 -0
package/src/__tests__/openapi-coverage.test.ts +144 -0
package/src/__tests__/pagination.test.ts +59 -0
package/src/__tests__/password-policy.test.ts +191 -0
package/src/__tests__/plugin-migrations.test.ts +379 -0
package/src/__tests__/postgres-batch-compat.test.ts +133 -0
package/src/__tests__/postgres-dialect.test.ts +328 -0
package/src/__tests__/postgres-executor.test.ts +79 -0
package/src/__tests__/postgres-field-ops-compat.test.ts +222 -0
package/src/__tests__/postgres-schema-init.test.ts +105 -0
package/src/__tests__/postgres-table-utils.test.ts +107 -0
package/src/__tests__/presence.test.ts +199 -0
package/src/__tests__/provider.test.ts +550 -0
package/src/__tests__/public-user-profile.test.ts +339 -0
package/src/__tests__/push-handlers.test.ts +179 -0
package/src/__tests__/push-provider.test.ts +80 -0
package/src/__tests__/push-token.test.ts +418 -0
package/src/__tests__/query.test.ts +771 -0
package/src/__tests__/rate-limit.test.ts +260 -0
package/src/__tests__/room-access-policy.test.ts +101 -0
package/src/__tests__/room-handler-context.test.ts +130 -0
package/src/__tests__/room-monitoring.test.ts +138 -0
package/src/__tests__/room-runtime-routing.test.ts +222 -0
package/src/__tests__/room.test.ts +254 -0
package/src/__tests__/route-parser.test.ts +490 -0
package/src/__tests__/rules.test.ts +234 -0
package/src/__tests__/runtime-surface-accounting.test.ts +120 -0
package/src/__tests__/scheduled.test.ts +80 -0
package/src/__tests__/schema.test.ts +1273 -0
package/src/__tests__/security-hardening.test.ts +312 -0
package/src/__tests__/server.unit.test.ts +333 -0
package/src/__tests__/service-key-db-proxy.test.ts +650 -0
package/src/__tests__/service-key-provider-bypass.test.ts +138 -0
package/src/__tests__/service-key.test.ts +757 -0
package/src/__tests__/smoke-skip-report.test.ts +72 -0
package/src/__tests__/sms-provider.test.ts +39 -0
package/src/__tests__/sql-route.test.ts +218 -0
package/src/__tests__/storage-hook-context.test.ts +115 -0
package/src/__tests__/totp.test.ts +200 -0
package/src/__tests__/uuid.test.ts +144 -0
package/src/__tests__/validation.test.ts +773 -0
package/src/__tests__/websocket-pending.test.ts +163 -0
package/src/_functions-registry.ts +51 -0
package/src/bench-entry.ts +9 -0
package/src/cloudflare-test.d.ts +1 -0
package/src/durable-objects/auth-do.ts +49 -0
package/src/durable-objects/database-do.ts +2240 -0
package/src/durable-objects/database-live-do.ts +949 -0
package/src/durable-objects/logs-do.ts +1200 -0
package/src/durable-objects/room-runtime-base.ts +1604 -0
package/src/durable-objects/rooms-do.ts +2191 -0
package/src/generated-config.ts +6 -0
package/src/index.ts +382 -0
package/src/lib/admin-assets.ts +54 -0
package/src/lib/admin-db-target.ts +301 -0
package/src/lib/admin-routing.ts +35 -0
package/src/lib/admin-user-management.ts +464 -0
package/src/lib/analytics-adapter.ts +103 -0
package/src/lib/analytics-query.ts +579 -0
package/src/lib/auth-d1-service.ts +1193 -0
package/src/lib/auth-d1.ts +1056 -0
package/src/lib/auth-db-adapter.ts +289 -0
package/src/lib/auth-redirect.ts +116 -0
package/src/lib/cidr.ts +115 -0
package/src/lib/client-ip.ts +51 -0
package/src/lib/cloudflare-realtime.ts +251 -0
package/src/lib/control-db.ts +36 -0
package/src/lib/cron.ts +163 -0
package/src/lib/d1-handler.ts +1425 -0
package/src/lib/d1-schema-init.ts +255 -0
package/src/lib/d1-sql.ts +33 -0
package/src/lib/database-live-config.ts +24 -0
package/src/lib/database-live-emitter.ts +111 -0
package/src/lib/db-sql.ts +66 -0
package/src/lib/do-retry.ts +36 -0
package/src/lib/do-router.ts +270 -0
package/src/lib/do-sql.ts +73 -0
package/src/lib/email-provider.ts +379 -0
package/src/lib/email-templates.ts +285 -0
package/src/lib/email-translations.ts +422 -0
package/src/lib/errors.ts +151 -0
package/src/lib/functions.ts +2091 -0
package/src/lib/hono.ts +56 -0
package/src/lib/internal-request.ts +56 -0
package/src/lib/jwt.ts +354 -0
package/src/lib/log-writer.ts +272 -0
package/src/lib/namespace-dump.ts +125 -0
package/src/lib/oauth-providers.ts +1225 -0
package/src/lib/op-parser.ts +99 -0
package/src/lib/openapi.ts +146 -0
package/src/lib/pagination.ts +19 -0
package/src/lib/password-policy.ts +102 -0
package/src/lib/password.ts +145 -0
package/src/lib/plugin-migrations.ts +612 -0
package/src/lib/postgres-executor.ts +203 -0
package/src/lib/postgres-handler.ts +1102 -0
package/src/lib/postgres-schema-init.ts +341 -0
package/src/lib/postgres-table-utils.ts +87 -0
package/src/lib/public-user-profile.ts +187 -0
package/src/lib/push-provider.ts +409 -0
package/src/lib/push-token.ts +294 -0
package/src/lib/query-engine.ts +768 -0
package/src/lib/room-monitoring.ts +97 -0
package/src/lib/room-runtime.ts +14 -0
package/src/lib/route-parser.ts +434 -0
package/src/lib/schema.ts +538 -0
package/src/lib/schemas.ts +152 -0
package/src/lib/service-key.ts +419 -0
package/src/lib/sms-provider.ts +230 -0
package/src/lib/startup-config.ts +99 -0
package/src/lib/totp.ts +242 -0
package/src/lib/uuid.ts +87 -0
package/src/lib/validation.ts +205 -0
package/src/lib/version.ts +2 -0
package/src/lib/websocket-pending.ts +40 -0
package/src/middleware/auth.ts +169 -0
package/src/middleware/captcha-verify.ts +217 -0
package/src/middleware/cors.ts +159 -0
package/src/middleware/error-handler.ts +54 -0
package/src/middleware/internal-guard.ts +26 -0
package/src/middleware/logger.ts +126 -0
package/src/middleware/rate-limit.ts +283 -0
package/src/middleware/rules.ts +475 -0
package/src/routes/admin-auth.ts +447 -0
package/src/routes/admin.ts +3501 -0
package/src/routes/analytics-api.ts +290 -0
package/src/routes/auth.ts +4222 -0
package/src/routes/backup.ts +1466 -0
package/src/routes/config.ts +53 -0
package/src/routes/d1.ts +109 -0
package/src/routes/database-live.ts +281 -0
package/src/routes/functions.ts +155 -0
package/src/routes/health.ts +32 -0
package/src/routes/kv.ts +167 -0
package/src/routes/oauth.ts +1055 -0
package/src/routes/push.ts +1465 -0
package/src/routes/room.ts +639 -0
package/src/routes/schema-endpoint.ts +76 -0
package/src/routes/sql.ts +176 -0
package/src/routes/storage.ts +1674 -0
package/src/routes/tables.ts +699 -0
package/src/routes/users.ts +21 -0
package/src/routes/vectorize.ts +372 -0
package/src/types.ts +99 -0

package/src/__tests__/rules.test.ts ADDED Viewed

@@ -0,0 +1,234 @@
+/**
+ * 서버 단위 테스트 — rules 평가 로직 + database-live broadcast
+ * 1-14 rules.test.ts — 80개 (순수 로직 파트)
+ * 1-19 broadcast.test.ts — 20개
+ *
+ * 실행: cd packages/server && npx vitest run src/__tests__/rules.test.ts
+ *
+ * NOTE: DB 규칙 평가는 DatabaseDO 내부에서 이루어지지만,
+ *       규칙 함수 자체(JS 함수)의 동작 로직은 여기서 순수 테스트
+ */
+import { describe, it, expect } from 'vitest';
+// ─── 규칙 평가 로직 (DatabaseDO rules 동일 패턴) ─────────────────────────────
+type AuthCtx = { id: string; role: string | null; email: string | null } | null;
+type ResourceCtx = Record<string, unknown>;
+type ContextCtx = Record<string, unknown>;
+type RuleValue = boolean | string | ((auth: AuthCtx, resource: ResourceCtx, ctx: ContextCtx) => boolean);
+function evaluateRule(
+  rule: RuleValue,
+  auth: AuthCtx,
+  resource: ResourceCtx,
+  ctx: ContextCtx,
+): boolean {
+  if (rule === true) return true;
+  if (rule === false) return false;
+  if (typeof rule === 'function') {
+    try {
+      return Boolean(rule(auth, resource, ctx));
+    } catch {
+      return false; // 규칙 평가 오류 → 거부
+    }
+  }
+  // 문자열 규칙은 DB 레벨에서 평가; 여기선 다루지 않음
+  return false;
+}
+// ─── A. true / false 규칙 ────────────────────────────────────────────────────
+describe('evaluateRule — boolean', () => {
+  it('true → always allow', () => {
+    expect(evaluateRule(true, null, {}, {})).toBe(true);
+  });
+  it('false → always deny', () => {
+    expect(evaluateRule(false, null, {}, {})).toBe(false);
+  });
+  it('true with authenticated user → allow', () => {
+    const auth: AuthCtx = { id: 'user-1', role: null, email: null };
+    expect(evaluateRule(true, auth, {}, {})).toBe(true);
+  });
+  it('false with authenticated user → deny', () => {
+    const auth: AuthCtx = { id: 'user-1', role: null, email: null };
+    expect(evaluateRule(false, auth, {}, {})).toBe(false);
+  });
+});
+// ─── B. auth!=null (인증 여부) ────────────────────────────────────────────────
+describe('evaluateRule — auth != null', () => {
+  const rule: RuleValue = (auth) => auth !== null;
+  it('no auth → deny', () => {
+    expect(evaluateRule(rule, null, {}, {})).toBe(false);
+  });
+  it('with valid auth → allow', () => {
+    const auth: AuthCtx = { id: 'user-1', role: null, email: null };
+    expect(evaluateRule(rule, auth, {}, {})).toBe(true);
+  });
+});
+// ─── C. auth.id == resource.authorId (소유자 확인) ───────────────────────────
+describe('evaluateRule — ownership check', () => {
+  const rule: RuleValue = (auth, resource) => auth !== null && auth.id === resource['authorId'];
+  it('owner → allow', () => {
+    const auth: AuthCtx = { id: 'user-1', role: null, email: null };
+    expect(evaluateRule(rule, auth, { authorId: 'user-1' }, {})).toBe(true);
+  });
+  it('non-owner → deny', () => {
+    const auth: AuthCtx = { id: 'user-2', role: null, email: null };
+    expect(evaluateRule(rule, auth, { authorId: 'user-1' }, {})).toBe(false);
+  });
+  it('no auth → deny for any resource', () => {
+    expect(evaluateRule(rule, null, { authorId: 'user-1' }, {})).toBe(false);
+  });
+  it('resource without authorId → deny', () => {
+    const auth: AuthCtx = { id: 'user-1', role: null, email: null };
+    expect(evaluateRule(rule, auth, {}, {})).toBe(false);
+  });
+});
+// ─── D. auth.role 비교 ───────────────────────────────────────────────────────
+describe('evaluateRule — role check', () => {
+  const adminOnlyRule: RuleValue = (auth) => auth?.role === 'admin';
+  it('admin role → allow', () => {
+    const auth: AuthCtx = { id: 'u-1', role: 'admin', email: null };
+    expect(evaluateRule(adminOnlyRule, auth, {}, {})).toBe(true);
+  });
+  it('user role → deny', () => {
+    const auth: AuthCtx = { id: 'u-1', role: 'user', email: null };
+    expect(evaluateRule(adminOnlyRule, auth, {}, {})).toBe(false);
+  });
+  it('null role → deny', () => {
+    const auth: AuthCtx = { id: 'u-1', role: null, email: null };
+    expect(evaluateRule(adminOnlyRule, auth, {}, {})).toBe(false);
+  });
+  it('no auth → deny', () => {
+    expect(evaluateRule(adminOnlyRule, null, {}, {})).toBe(false);
+  });
+});
+// ─── E. in 연산자 (배열 포함 여부) ───────────────────────────────────────────
+describe('evaluateRule — in operator', () => {
+  const allowedRoles = ['admin', 'editor', 'moderator'];
+  const rule: RuleValue = (auth) => auth !== null && allowedRoles.includes(auth.role ?? '');
+  it('admin → allow', () => {
+    const auth: AuthCtx = { id: 'u', role: 'admin', email: null };
+    expect(evaluateRule(rule, auth, {}, {})).toBe(true);
+  });
+  it('editor → allow', () => {
+    const auth: AuthCtx = { id: 'u', role: 'editor', email: null };
+    expect(evaluateRule(rule, auth, {}, {})).toBe(true);
+  });
+  it('viewer → deny', () => {
+    const auth: AuthCtx = { id: 'u', role: 'viewer', email: null };
+    expect(evaluateRule(rule, auth, {}, {})).toBe(false);
+  });
+});
+// ─── F. contains (문자열 포함) ───────────────────────────────────────────────
+describe('evaluateRule — contains', () => {
+  const rule: RuleValue = (auth) => auth?.email?.includes('@company.com') ?? false;
+  it('company email → allow', () => {
+    const auth: AuthCtx = { id: 'u', role: null, email: 'user@company.com' };
+    expect(evaluateRule(rule, auth, {}, {})).toBe(true);
+  });
+  it('personal email → deny', () => {
+    const auth: AuthCtx = { id: 'u', role: null, email: 'user@gmail.com' };
+    expect(evaluateRule(rule, auth, {}, {})).toBe(false);
+  });
+  it('null email → deny', () => {
+    const auth: AuthCtx = { id: 'u', role: null, email: null };
+    expect(evaluateRule(rule, auth, {}, {})).toBe(false);
+  });
+});
+// ─── G. null-safety sentinel (#109) ─────────────────────────────────────────
+describe('evaluateRule — null-safety', () => {
+  it('rule with nested null propagation (safe)', () => {
+    // auth?.metadata?.tier === 'pro' pattern
+    const rule: RuleValue = (auth) => {
+      const tier = (auth as any)?.metadata?.tier;
+      return tier === 'pro';
+    };
+    const auth: AuthCtx = { id: 'u', role: null, email: null };
+    // metadata undefined → safe false
+    expect(evaluateRule(rule, auth, {}, {})).toBe(false);
+  });
+  it('rule throwing exception → deny (graceful)', () => {
+    const badRule: RuleValue = () => { throw new Error('Rule error'); };
+    expect(evaluateRule(badRule, null, {}, {})).toBe(false);
+  });
+  it('rule returning null → deny (falsy)', () => {
+    const nullRule: RuleValue = () => null as any;
+    expect(evaluateRule(nullRule, null, {}, {})).toBe(false);
+  });
+  it('rule returning undefined → deny (falsy)', () => {
+    const undefinedRule: RuleValue = () => undefined as any;
+    expect(evaluateRule(undefinedRule, null, {}, {})).toBe(false);
+  });
+});
+// ─── H. context.workspaceId 참조 ─────────────────────────────────────────────
+describe('evaluateRule — context access', () => {
+  it('ctx.workspaceId match → allow', () => {
+    const rule: RuleValue = (auth, resource, ctx) =>
+      ctx['workspaceId'] === resource['workspaceId'];
+    const ctx = { workspaceId: 'ws-1' };
+    expect(evaluateRule(rule, null, { workspaceId: 'ws-1' }, ctx)).toBe(true);
+  });
+  it('ctx.workspaceId mismatch → deny', () => {
+    const rule: RuleValue = (auth, resource, ctx) =>
+      ctx['workspaceId'] === resource['workspaceId'];
+    const ctx = { workspaceId: 'ws-1' };
+    expect(evaluateRule(rule, null, { workspaceId: 'ws-2' }, ctx)).toBe(false);
+  });
+});
+// ─── I. 규칙 미정의 → false (default deny) ───────────────────────────────────
+describe('evaluateRule — default deny', () => {
+  it('string rule (non-boolean, non-function) → deny by default', () => {
+    // String rules are DB-evaluated; here we treat as deny
+    expect(evaluateRule('auth!=null' as any, null, {}, {})).toBe(false);
+  });
+  it('undefined rule → treated as false', () => {
+    expect(evaluateRule(undefined as any, null, {}, {})).toBe(false);
+  });
+  it('null rule → treated as false', () => {
+    expect(evaluateRule(null as any, null, {}, {})).toBe(false);
+  });
+});

package/src/__tests__/runtime-surface-accounting.test.ts ADDED Viewed

@@ -0,0 +1,120 @@
+/**
+ * Runtime surface accounting.
+ *
+ * Guards against route / middleware / durable object files silently drifting
+ * outside the test suite's field of view. A runtime file must either be
+ * mentioned in unit/integration tests or be explicitly tracked here as
+ * indirectly covered.
+ */
+import { readFileSync, readdirSync } from 'fs';
+import { resolve } from 'path';
+import { describe, expect, it } from 'vitest';
+const SRC_ROOT = resolve(new URL('..', import.meta.url).pathname);
+const PACKAGE_ROOT = resolve(SRC_ROOT, '..');
+const RUNTIME_DIRS = [
+  resolve(SRC_ROOT, 'routes'),
+  resolve(SRC_ROOT, 'durable-objects'),
+  resolve(SRC_ROOT, 'middleware'),
+];
+const TEST_DIRS = [
+  resolve(SRC_ROOT, '__tests__'),
+  resolve(PACKAGE_ROOT, 'test/integration'),
+];
+const THIS_TEST_PATH = resolve(new URL(import.meta.url).pathname);
+// Files below are exercised indirectly, but the test sources do not mention the
+// exact filename/stem yet. Tracking them here keeps the gap reviewable.
+const KNOWN_INDIRECT_RUNTIME_COVERAGE = new Map<string, string>([
+  [
+    'routes/schema-endpoint.ts',
+    'Covered via /api/schema integration tests and OpenAPI/spec checks, but the file name is not referenced directly.',
+  ],
+  [
+    'durable-objects/logs-do.ts',
+    'Covered indirectly via analytics/logging flows; keep explicit until a direct file reference lands in tests.',
+  ],
+  [
+    'durable-objects/room-runtime-base.ts',
+    'Covered through RoomsDO and room protocol/state tests, but the shared runtime base is not referenced by filename.',
+  ],
+]);
+function collectFiles(dir: string, predicate: (path: string) => boolean): string[] {
+  const results: string[] = [];
+  for (const entry of readdirSync(dir, { withFileTypes: true })) {
+    const entryPath = resolve(dir, entry.name);
+    if (entry.isDirectory()) {
+      results.push(...collectFiles(entryPath, predicate));
+      continue;
+    }
+    if (predicate(entryPath)) {
+      results.push(entryPath);
+    }
+  }
+  return results;
+}
+function toRuntimeKey(absPath: string): string {
+  for (const dir of RUNTIME_DIRS) {
+    if (absPath.startsWith(dir)) {
+      return absPath.slice(dir.length + 1).replace(/^/, `${dir.split('/').at(-1)}/`);
+    }
+  }
+  throw new Error(`Unexpected runtime path: ${absPath}`);
+}
+function fileMentionsRuntime(testSource: string, runtimeKey: string): boolean {
+  const fileName = runtimeKey.split('/').at(-1) ?? runtimeKey;
+  const stem = fileName.replace(/\.ts$/, '');
+  return testSource.includes(fileName) || testSource.includes(stem);
+}
+describe('runtime surface accounting', () => {
+  const runtimeFiles = RUNTIME_DIRS
+    .flatMap((dir) => collectFiles(dir, (path) => path.endsWith('.ts')))
+    .map(toRuntimeKey)
+    .sort();
+  const allTestSource = TEST_DIRS
+    .flatMap((dir) => collectFiles(dir, (path) => path.endsWith('.test.ts')))
+    .filter((path) => path !== THIS_TEST_PATH)
+    .map((path) => readFileSync(path, 'utf-8'))
+    .join('\n');
+  it('every runtime file is referenced by tests or tracked as indirect coverage', () => {
+    const unaccounted = runtimeFiles.filter((runtimeKey) => (
+      !fileMentionsRuntime(allTestSource, runtimeKey)
+      && !KNOWN_INDIRECT_RUNTIME_COVERAGE.has(runtimeKey)
+    ));
+    if (unaccounted.length > 0) {
+      expect.fail(
+        `Found runtime files that are not referenced by tests.\n` +
+        `Mention them in a test (comment/import/assertion) or add them to KNOWN_INDIRECT_RUNTIME_COVERAGE with a reason.\n\n` +
+        unaccounted.map((file) => `  - ${file}`).join('\n'),
+      );
+    }
+  });
+  it('indirect coverage entries still point to real runtime files', () => {
+    for (const runtimeKey of KNOWN_INDIRECT_RUNTIME_COVERAGE.keys()) {
+      expect(
+        runtimeFiles.includes(runtimeKey),
+        `KNOWN_INDIRECT_RUNTIME_COVERAGE contains '${runtimeKey}' but that runtime file no longer exists.`,
+      ).toBe(true);
+    }
+  });
+  it('indirect coverage entries are removed once tests mention the runtime file', () => {
+    for (const [runtimeKey, reason] of KNOWN_INDIRECT_RUNTIME_COVERAGE.entries()) {
+      expect(reason.trim().length, `Provide a reason for '${runtimeKey}'.`).toBeGreaterThan(0);
+      expect(
+        fileMentionsRuntime(allTestSource, runtimeKey),
+        `Tests now mention '${runtimeKey}'. Remove it from KNOWN_INDIRECT_RUNTIME_COVERAGE.`,
+      ).toBe(false);
+    }
+  });
+});

package/src/__tests__/scheduled.test.ts ADDED Viewed

@@ -0,0 +1,80 @@
+import { beforeEach, describe, expect, it, vi } from 'vitest';
+const {
+  cleanExpiredSessionsMock,
+  cleanStaleAnonymousAccountsMock,
+  ensureAuthSchemaMock,
+  deleteAnonMock,
+  resolveAuthDbMock,
+} = vi.hoisted(() => ({
+  cleanExpiredSessionsMock: vi.fn(),
+  cleanStaleAnonymousAccountsMock: vi.fn(),
+  ensureAuthSchemaMock: vi.fn(),
+  deleteAnonMock: vi.fn(),
+  resolveAuthDbMock: vi.fn(),
+}));
+vi.mock('cloudflare:workers', () => ({
+  DurableObject: class DurableObject {},
+}));
+vi.mock('../lib/auth-d1-service.js', async () => {
+  const actual = await vi.importActual<typeof import('../lib/auth-d1-service.js')>('../lib/auth-d1-service.js');
+  return {
+    ...actual,
+    cleanExpiredSessions: cleanExpiredSessionsMock,
+    cleanStaleAnonymousAccounts: cleanStaleAnonymousAccountsMock,
+  };
+});
+vi.mock('../lib/auth-d1.js', async () => {
+  const actual = await vi.importActual<typeof import('../lib/auth-d1.js')>('../lib/auth-d1.js');
+  return {
+    ...actual,
+    ensureAuthSchema: ensureAuthSchemaMock,
+    deleteAnon: deleteAnonMock,
+  };
+});
+vi.mock('../lib/auth-db-adapter.js', async () => {
+  const actual = await vi.importActual<typeof import('../lib/auth-db-adapter.js')>('../lib/auth-db-adapter.js');
+  return {
+    ...actual,
+    resolveAuthDb: resolveAuthDbMock,
+  };
+});
+describe('scheduled handler', () => {
+  beforeEach(() => {
+    vi.resetModules();
+    cleanExpiredSessionsMock.mockReset().mockResolvedValue(undefined);
+    cleanStaleAnonymousAccountsMock.mockReset().mockResolvedValue([]);
+    ensureAuthSchemaMock.mockReset().mockResolvedValue(undefined);
+    deleteAnonMock.mockReset().mockResolvedValue(undefined);
+    resolveAuthDbMock.mockReset().mockReturnValue({ kind: 'auth-db' });
+  });
+  it('runs system cleanup even when no user schedule functions are registered', async () => {
+    const worker = (await import('../index.js')).default;
+    const pending: Promise<unknown>[] = [];
+    const ctx = {
+      waitUntil: vi.fn((promise: Promise<unknown>) => {
+        pending.push(Promise.resolve(promise));
+      }),
+    };
+    await worker.scheduled(
+      { scheduledTime: Date.parse('2026-03-07T03:00:00Z') } as never,
+      {} as never,
+      ctx as never,
+    );
+    expect(ctx.waitUntil).toHaveBeenCalledTimes(1);
+    await Promise.all(pending);
+    expect(resolveAuthDbMock).toHaveBeenCalledTimes(1);
+    expect(ensureAuthSchemaMock).toHaveBeenCalledWith({ kind: 'auth-db' });
+    expect(cleanExpiredSessionsMock).toHaveBeenCalledWith({ kind: 'auth-db' });
+    expect(cleanStaleAnonymousAccountsMock.mock.calls[0]?.[0]).toEqual({ kind: 'auth-db' });
+    expect(deleteAnonMock).not.toHaveBeenCalled();
+  }, 15_000);
+});