@emeryld/rrroutes-openapi 2.3.0 → 2.3.2

package/dist/index.cjs

@@ -31,8 +31,10 @@ var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: tru
 // src/index.ts
 var index_exports = {};
 __export(index_exports, {
+  introspectSchema: () => introspectSchema,
   mountRRRoutesDocs: () => mountRRRoutesDocs,
   renderLeafDocsHTML: () => renderLeafDocsHTML2,
+  requiredRoutes: () => leaves,
   serializeLeaf: () => serializeLeaf
 });
 module.exports = __toCommonJS(index_exports);
@@ -45,6 +47,9 @@ var import_node_url = require("url");
 // src/docs/LeafDocsPage.tsx
 var import_server = require("react-dom/server");
 
+// src/docs/serializer.ts
+var import_rrroutes_contract = require("@emeryld/rrroutes-contract");
+
 // src/docs/schemaIntrospection.ts
 var z = __toESM(require("zod"), 1);
 function getDef(schema) {
@@ -190,10 +195,10 @@ function serializeLeaf(leaf) {
       hasQuery: !!cfg.querySchema,
       hasParams: !!cfg.paramsSchema,
       hasOutput: !!cfg.outputSchema,
-      bodySchema: introspectSchema(cfg.bodySchema),
-      querySchema: introspectSchema(cfg.querySchema),
-      paramsSchema: introspectSchema(cfg.paramsSchema),
-      outputSchema: introspectSchema(cfg.outputSchema)
+      bodySchema: cfg.bodySchema ? introspectSchema((0, import_rrroutes_contract.routeSchemaParse)(cfg.bodySchema)) : void 0,
+      querySchema: cfg.querySchema ? introspectSchema((0, import_rrroutes_contract.routeSchemaParse)(cfg.querySchema)) : void 0,
+      paramsSchema: cfg.paramsSchema ? introspectSchema((0, import_rrroutes_contract.routeSchemaParse)(cfg.paramsSchema)) : void 0,
+      outputSchema: cfg.outputSchema ? introspectSchema((0, import_rrroutes_contract.routeSchemaParse)(cfg.outputSchema)) : void 0
     }
   };
 }
@@ -210,25 +215,17 @@ function normalizeDocsBase(base) {
   if (base === "/") return "/";
   return base.endsWith("/") && base.length > 1 ? base.slice(0, -1) : base;
 }
-function normalizeBaseUrlSuffix(suffix) {
-  if (!suffix) return "";
-  const trimmed = suffix.endsWith("/") && suffix.length > 1 ? suffix.slice(0, -1) : suffix;
-  return trimmed.startsWith("/") ? trimmed : `/${trimmed}`;
-}
 var DocsDocument = ({
   leavesJson,
-  presetsJson,
   assetBase,
   docsBase,
-  historyJson,
-  logsJson,
-  baseUrlSuffix,
-  webhooks,
   cspNonce
 }) => {
   const cssHref = `${assetBase}/docs.css`;
   const jsSrc = `${assetBase}/docs.js`;
-  const configJson = serializeConfig({ docsBasePath: docsBase, baseUrlSuffix, webhooks });
+  const configJson = serializeConfig({
+    docsBasePath: docsBase
+  });
   return /* @__PURE__ */ (0, import_jsx_runtime.jsxs)("html", { lang: "en", children: [
     /* @__PURE__ */ (0, import_jsx_runtime.jsxs)("head", { children: [
       /* @__PURE__ */ (0, import_jsx_runtime.jsx)("meta", { charSet: "UTF-8" }),
@@ -247,33 +244,6 @@ var DocsDocument = ({
           dangerouslySetInnerHTML: { __html: leavesJson }
         }
       ),
-      /* @__PURE__ */ (0, import_jsx_runtime.jsx)(
-        "script",
-        {
-          id: "preset-data",
-          type: "application/json",
-          nonce: cspNonce,
-          dangerouslySetInnerHTML: { __html: presetsJson }
-        }
-      ),
-      /* @__PURE__ */ (0, import_jsx_runtime.jsx)(
-        "script",
-        {
-          id: "history-data",
-          type: "application/json",
-          nonce: cspNonce,
-          dangerouslySetInnerHTML: { __html: historyJson }
-        }
-      ),
-      /* @__PURE__ */ (0, import_jsx_runtime.jsx)(
-        "script",
-        {
-          id: "logs-data",
-          type: "application/json",
-          nonce: cspNonce,
-          dangerouslySetInnerHTML: { __html: logsJson }
-        }
-      ),
       /* @__PURE__ */ (0, import_jsx_runtime.jsx)(
         "script",
         {
@@ -287,298 +257,481 @@ var DocsDocument = ({
     ] })
   ] });
 };
-function serializeLeaves(leaves) {
-  return JSON.stringify(leaves.map(serializeLeaf)).replace(/<\//g, "<\\/");
-}
-function serializePresets(presets) {
-  return JSON.stringify(Array.isArray(presets) ? presets : []).replace(/<\//g, "<\\/");
-}
-function serializeHistorySeeds(historySeeds) {
-  return JSON.stringify(Array.isArray(historySeeds) ? historySeeds : []).replace(/<\//g, "<\\/");
-}
-function serializeLogSeeds(logSeeds) {
-  return JSON.stringify(Array.isArray(logSeeds) ? logSeeds : []).replace(/<\//g, "<\\/");
+function serializeLeaves(leaves2) {
+  return JSON.stringify(leaves2.map(serializeLeaf)).replace(/<\//g, "<\\/");
 }
 function serializeConfig(config) {
   return JSON.stringify(config).replace(/<\//g, "<\\/");
 }
-function createLeafDocsDocument(leaves, options = {}) {
+function createLeafDocsDocument(leaves2, options = {}) {
   const assetBase = normalizeBase(options.assetBasePath ?? DEFAULT_ASSET_BASE);
-  const leavesJson = serializeLeaves(leaves);
-  const presetsJson = serializePresets(options.presets);
+  const leavesJson = serializeLeaves(leaves2);
   const docsBase = normalizeDocsBase(options.docsBasePath);
-  const historyJson = serializeHistorySeeds(options.historySeeds);
-  const logsJson = serializeLogSeeds(options.logSeeds);
-  const baseUrlSuffix = normalizeBaseUrlSuffix(options.baseUrlSuffix);
-  const webhooks = options.webhooks;
   return /* @__PURE__ */ (0, import_jsx_runtime.jsx)(
     DocsDocument,
     {
       leavesJson,
-      presetsJson,
       assetBase,
       docsBase,
-      historyJson,
-      logsJson,
-      baseUrlSuffix,
-      webhooks,
       cspNonce: options.cspNonce
     }
   );
 }
-function renderLeafDocsHTML(leaves, options = {}) {
-  const doc = createLeafDocsDocument(leaves, options);
+function renderLeafDocsHTML(leaves2, options = {}) {
+  const doc = createLeafDocsDocument(leaves2, options);
   const html = (0, import_server.renderToStaticMarkup)(doc);
   return `<!DOCTYPE html>${html}`;
 }
 
 // src/docs/docs.ts
-function renderLeafDocsHTML2(leaves, options = {}) {
-  return renderLeafDocsHTML(leaves, options);
+function renderLeafDocsHTML2(leaves2, options = {}) {
+  return renderLeafDocsHTML(leaves2, options);
 }
 
-// src/webhooks.ts
-var import_zod = require("zod");
-var logTypeSchema = import_zod.z.enum(["debug", "info", "warn", "error", "system"]);
-var historyFeedEntrySchema = import_zod.z.object({
-  id: import_zod.z.string(),
-  requestId: import_zod.z.string().optional(),
-  timestamp: import_zod.z.number(),
-  method: import_zod.z.string(),
-  path: import_zod.z.string(),
-  fullUrl: import_zod.z.string().optional(),
-  params: import_zod.z.record(import_zod.z.string(), import_zod.z.string()).optional(),
-  query: import_zod.z.record(import_zod.z.string(), import_zod.z.string()).optional(),
-  body: import_zod.z.string().optional(),
-  output: import_zod.z.string().optional(),
-  status: import_zod.z.number().optional(),
-  durationMs: import_zod.z.number(),
-  error: import_zod.z.string().optional()
+// src/web/utils/security.ts
+var import_node_net = __toESM(require("net"), 1);
+function createPasswordGuard(password, realm) {
+  const trimmed = password.trim();
+  return (req, res, next) => {
+    const provided = extractPassword(req.headers.authorization);
+    if (provided && provided === trimmed) {
+      return next();
+    }
+    applyDocsSecurityHeaders(res);
+    res.setHeader("WWW-Authenticate", `Basic realm="${realm}"`);
+    res.status(401).send(
+      renderAuthErrorPage(
+        "Docs are password protected. Provide the configured password."
+      )
+    );
+  };
+}
+function createCookieGuard(cookieName, cookieSecret) {
+  return (req, res, next) => {
+    const cookies = req.cookies;
+    const value = cookies?.[cookieName];
+    const valid = cookieSecret ? value === cookieSecret : Boolean(value);
+    if (valid) {
+      return next();
+    }
+    applyDocsSecurityHeaders(res);
+    res.status(401).send(
+      renderAuthErrorPage(
+        "Docs are protected. You must be authenticated to access this page."
+      )
+    );
+  };
+}
+function createMissingPasswordGuard() {
+  return (_req, res) => {
+    applyDocsSecurityHeaders(res);
+    res.status(500).send(renderAuthErrorPage("Provide auth configuration to mounted docs"));
+  };
+}
+function extractPassword(authHeader) {
+  if (!authHeader) return void 0;
+  const header = Array.isArray(authHeader) ? authHeader[0] : authHeader;
+  if (typeof header !== "string" || !header.startsWith("Basic "))
+    return void 0;
+  const token = header.slice("Basic ".length);
+  try {
+    const decoded = Buffer.from(token, "base64").toString("utf8");
+    const parts = decoded.split(":");
+    parts.shift();
+    return parts.join(":");
+  } catch {
+    return void 0;
+  }
+}
+function createIpAllowListGuard(allowed) {
+  const ranges = allowed.map((raw) => raw.trim()).filter(Boolean).map(parseIpPattern).filter((r) => r !== null);
+  return (req, res, next) => {
+    const rawIp = req.ip || req.connection && req.connection.remoteAddress || "";
+    const ip = normalizeIp(rawIp);
+    if (!ip || !isIpAllowed(ip, ranges)) {
+      applyDocsSecurityHeaders(res);
+      res.status(403).send(
+        renderAuthErrorPage(
+          "Access to docs is restricted from this IP address."
+        )
+      );
+      return;
+    }
+    next();
+  };
+}
+function normalizeIp(ip) {
+  if (!ip) return "";
+  if (ip.startsWith("::ffff:")) return ip.slice(7);
+  if (ip === "::1") return "127.0.0.1";
+  return ip;
+}
+function parseIpPattern(raw) {
+  if (raw.includes("/")) {
+    const cidr = parseCidr(raw);
+    if (!cidr) return null;
+    return { kind: "cidr", base: cidr.base, mask: cidr.mask };
+  }
+  return { kind: "exact", value: normalizeIp(raw) };
+}
+function parseCidr(raw) {
+  const [baseIp, bitsStr] = raw.split("/");
+  const bits = Number(bitsStr);
+  if (!Number.isInteger(bits) || bits < 0 || bits > 32) return null;
+  if (import_node_net.default.isIP(baseIp) !== 4) return null;
+  const baseLong = ipToLong(baseIp);
+  if (baseLong == null) return null;
+  const mask = bits === 0 ? 0 : ~0 << 32 - bits >>> 0;
+  return { base: (baseLong & mask) >>> 0, mask };
+}
+function ipToLong(ip) {
+  const parts = ip.split(".").map((n) => Number(n));
+  if (parts.length !== 4) return null;
+  if (parts.some((n) => !Number.isInteger(n) || n < 0 || n > 255)) return null;
+  return (parts[0] << 24 >>> 0) + (parts[1] << 16 >>> 0) + (parts[2] << 8 >>> 0) + parts[3];
+}
+function isIpAllowed(ip, ranges) {
+  const ipv4 = import_node_net.default.isIP(ip) === 4 ? ipToLong(ip) : null;
+  for (const r of ranges) {
+    if (r.kind === "exact") {
+      if (ip === r.value) return true;
+    } else if (r.kind === "cidr" && ipv4 != null) {
+      if ((ipv4 & r.mask) === r.base) return true;
+    }
+  }
+  return false;
+}
+function renderAuthErrorPage(message) {
+  return `<!DOCTYPE html>
+<html lang="en">
+<head>
+  <meta charset="UTF-8" />
+  <meta name="viewport" content="width=device-width, initial-scale=1.0" />
+  <title>RRRoutes docs locked</title>
+  <style>
+    body { margin:0; font-family: system-ui, -apple-system, Segoe UI, sans-serif; background: #0f172a; color: #e2e8f0; display:flex; align-items:center; justify-content:center; min-height:100vh; }
+    .card { padding:32px; border:1px solid #1e293b; border-radius:12px; max-width:420px; background: rgba(15,23,42,0.8); box-shadow:0 15px 45px rgba(0,0,0,0.35); }
+    h1 { margin:0 0 12px; font-size:22px; }
+    p { margin:0; line-height:1.5; color:#cbd5e1; }
+    code { background: rgba(226,232,240,0.1); padding: 2px 4px; border-radius: 4px; }
+  </style>
+</head>
+<body>
+  <div class="card">
+    <h1>Docs locked</h1>
+    <p>${message}</p>
+  </div>
+</body>
+</html>`;
+}
+function applyDocsSecurityHeaders(res) {
+  res.setHeader("X-Content-Type-Options", "nosniff");
+  res.setHeader("Referrer-Policy", "same-origin");
+  res.setHeader("X-Frame-Options", "SAMEORIGIN");
+  res.setHeader("Cache-Control", "no-store");
+  res.setHeader(
+    "Strict-Transport-Security",
+    "max-age=31536000; includeSubDomains"
+  );
+}
+
+// src/web/utils/types.ts
+var import_rrroutes_contract7 = require("@emeryld/rrroutes-contract");
+
+// src/web/v2/types/types.cacheLog.ts
+var import_rrroutes_contract2 = require("@emeryld/rrroutes-contract");
+var import_zod2 = __toESM(require("zod"), 1);
+
+// src/web/v2/types/types.base.ts
+var import_zod = __toESM(require("zod"), 1);
+var METHODS = ["get", "post", "put", "patch", "delete"];
+var baseEntitySchema = import_zod.default.object({
+  id: import_zod.default.string(),
+  name: import_zod.default.string(),
+  description: import_zod.default.string().optional(),
+  groupId: import_zod.default.string().optional(),
+  tags: import_zod.default.string().array().optional(),
+  createdAt: import_zod.default.number(),
+  updatedAt: import_zod.default.number()
 });
-var logFeedEntrySchema = import_zod.z.object({
-  id: import_zod.z.string(),
-  type: logTypeSchema,
-  message: import_zod.z.string(),
-  timestamp: import_zod.z.number(),
-  requestId: import_zod.z.string().optional(),
-  tags: import_zod.z.array(import_zod.z.string()).optional(),
-  metadata: import_zod.z.string().optional()
+var baseQuerySchema = import_zod.default.object({
+  beforeDate: import_zod.default.string().optional(),
+  afterDate: import_zod.default.string().optional(),
+  orderBy: import_zod.default.enum(["timestamp", "duration", "level", "path"]).default("timestamp"),
+  orderDirection: import_zod.default.enum(["asc", "desc"]).default("desc"),
+  searchQuery: import_zod.default.string().optional(),
+  groups: import_zod.default.string().array().optional(),
+  tags: import_zod.default.string().array().optional(),
+  cursor: import_zod.default.string().optional()
 });
-var historyFeedQuerySchema = import_zod.z.object({
-  cursor: import_zod.z.string().optional(),
-  limit: import_zod.z.number().int().positive().optional(),
-  methods: import_zod.z.array(import_zod.z.string()).optional(),
-  path: import_zod.z.string().optional(),
-  status: import_zod.z.string().optional(),
-  text: import_zod.z.string().optional(),
-  from: import_zod.z.number().optional(),
-  to: import_zod.z.number().optional(),
-  sortBy: import_zod.z.enum(["timestamp", "path", "duration"]).optional(),
-  sortDir: import_zod.z.enum(["asc", "desc"]).optional()
+
+// src/web/v2/types/types.cacheLog.ts
+var operationEnum = import_zod2.default.enum(["hit", "miss", "set", "delete"]);
+var cacheLogSchema = baseEntitySchema.extend({
+  operation: operationEnum,
+  // on hit, value = value retrieved
+  // on miss, value = null
+  // on set, value = value set
+  // on delete, value = value deleted
+  value: import_zod2.default.any().nullable(),
+  size: import_zod2.default.number().optional()
 });
-var logFeedQuerySchema = import_zod.z.object({
-  cursor: import_zod.z.string().optional(),
-  limit: import_zod.z.number().int().positive().optional(),
-  types: import_zod.z.array(logTypeSchema).optional(),
-  tags: import_zod.z.array(import_zod.z.string()).optional(),
-  requestId: import_zod.z.string().optional(),
-  text: import_zod.z.string().optional(),
-  from: import_zod.z.number().optional(),
-  to: import_zod.z.number().optional(),
-  sortDir: import_zod.z.enum(["asc", "desc"]).optional()
+var cacheLogQuerySchema = baseQuerySchema.extend({
+  operations: operationEnum.array().optional()
 });
-var webhookPageSchema = (itemSchema) => import_zod.z.object({
-  items: import_zod.z.array(itemSchema).default([]),
-  nextCursor: import_zod.z.string().optional(),
-  prevCursor: import_zod.z.string().optional(),
-  total: import_zod.z.number().optional()
+var cacheLeaves = (0, import_rrroutes_contract2.resource)("cache").get({
+  feed: true,
+  outputSchema: cacheLogSchema.array(),
+  querySchema: cacheLogQuerySchema,
+  outputMetaSchema: import_zod2.default.object({
+    totalCount: import_zod2.default.number().optional()
+  })
+}).post({
+  querySchema: cacheLogQuerySchema
+}).done();
+
+// src/web/v2/types/types.endpoint.ts
+var import_rrroutes_contract5 = require("@emeryld/rrroutes-contract");
+var import_zod5 = __toESM(require("zod"), 1);
+
+// src/web/v2/types/types.requestLog.ts
+var import_rrroutes_contract4 = require("@emeryld/rrroutes-contract");
+var import_zod4 = __toESM(require("zod"), 1);
+
+// src/web/v2/types/types.log.ts
+var import_rrroutes_contract3 = require("@emeryld/rrroutes-contract");
+var import_zod3 = __toESM(require("zod"), 1);
+var levelSchema = import_zod3.default.enum(["info", "warning", "error", "debug", "trace"]);
+var logSchema = baseEntitySchema.extend({
+  level: levelSchema,
+  meta: import_zod3.default.json()
+});
+var logQuerySchema = baseQuerySchema.extend({
+  level: levelSchema.array().optional()
 });
-var historyWebhookResponseSchema = webhookPageSchema(historyFeedEntrySchema);
-var logWebhookResponseSchema = webhookPageSchema(logFeedEntrySchema);
+var logLeaves = (0, import_rrroutes_contract3.resource)("logs").get({
+  feed: true,
+  outputSchema: logSchema.array(),
+  querySchema: logQuerySchema,
+  outputMetaSchema: import_zod3.default.object({
+    totalCount: import_zod3.default.number().optional()
+  })
+}).done();
+
+// src/web/v2/types/types.requestLog.ts
+var requestSchema = baseEntitySchema.extend({
+  status: import_zod4.default.number(),
+  body: import_zod4.default.any().optional(),
+  fullUrl: import_zod4.default.string(),
+  path: import_zod4.default.string(),
+  method: import_zod4.default.enum(METHODS),
+  query: import_zod4.default.record(import_zod4.default.string(), import_zod4.default.any()).optional(),
+  params: import_zod4.default.record(import_zod4.default.string(), import_zod4.default.any()).optional(),
+  output: import_zod4.default.any().optional(),
+  headers: import_zod4.default.record(import_zod4.default.string(), import_zod4.default.any()).optional(),
+  error: import_zod4.default.string().optional(),
+  durationMs: import_zod4.default.number()
+});
+var requestQuerySchema = baseQuerySchema.extend({
+  methods: import_zod4.default.enum(METHODS).array().default([]),
+  statuses: import_zod4.default.number().array().default([]),
+  path: import_zod4.default.string().optional()
+});
+var requestLogLeaves = (0, import_rrroutes_contract4.resource)("requests").get({
+  feed: true,
+  outputSchema: requestSchema.array(),
+  querySchema: requestQuerySchema,
+  outputMetaSchema: import_zod4.default.object({
+    totalCount: import_zod4.default.number().optional()
+  })
+}).sub(
+  (0, import_rrroutes_contract4.resource)(":requestId", void 0, import_zod4.default.string()).get({
+    outputSchema: requestSchema.extend({
+      // Related by groupId
+      // Do I just use the existing feed endpoints with filter: groupId=?
+      logs: import_zod4.default.array(logSchema),
+      caches: import_zod4.default.array(cacheLogSchema)
+    })
+  }).done()
+).done();
+
+// src/web/v2/types/types.endpoint.ts
+var nodeKind = [
+  "object",
+  "string",
+  "number",
+  "array",
+  "enum",
+  "literal",
+  "union"
+];
+var serializableSchemaSchema = import_zod5.default.lazy(
+  () => import_zod5.default.object({
+    kind: import_zod5.default.enum(nodeKind),
+    optional: import_zod5.default.boolean().optional(),
+    nullable: import_zod5.default.boolean().optional(),
+    description: import_zod5.default.string().optional(),
+    // object
+    properties: import_zod5.default.record(import_zod5.default.string(), serializableSchemaSchema).optional(),
+    // array
+    element: serializableSchemaSchema.optional(),
+    // union
+    union: import_zod5.default.array(serializableSchemaSchema).optional(),
+    // literal
+    literal: import_zod5.default.unknown().optional(),
+    // enum
+    enumValues: import_zod5.default.array(import_zod5.default.string()).optional()
+  })
+);
+var STABILITIES = [
+  "experimental",
+  "beta",
+  "stable",
+  "deprecated"
+];
+var stabilityEnum = import_zod5.default.enum(STABILITIES);
+var endpointSchema = baseEntitySchema.extend({
+  method: import_zod5.default.enum(METHODS),
+  path: import_zod5.default.string(),
+  contract: import_zod5.default.object({
+    body: serializableSchemaSchema.optional(),
+    query: serializableSchemaSchema.optional(),
+    output: serializableSchemaSchema.optional(),
+    params: serializableSchemaSchema.optional(),
+    bodyFiles: import_zod5.default.object({ name: import_zod5.default.string(), maxCount: import_zod5.default.number() })
+  }),
+  feed: import_zod5.default.boolean().optional(),
+  summary: import_zod5.default.string().optional(),
+  stability: stabilityEnum,
+  hidden: import_zod5.default.boolean().optional(),
+  meta: import_zod5.default.record(import_zod5.default.string(), import_zod5.default.string())
+});
+var endpointFilterSchema = baseQuerySchema.extend({
+  methods: import_zod5.default.enum(METHODS).array().optional(),
+  path: import_zod5.default.string().optional(),
+  stability: stabilityEnum.array().optional()
+});
+var endpointLeaves = (0, import_rrroutes_contract5.resource)("endpoints").get({
+  feed: true,
+  querySchema: endpointFilterSchema,
+  outputSchema: endpointSchema.array(),
+  outputMetaSchema: import_zod5.default.object({
+    totalCount: import_zod5.default.number().optional()
+  })
+}).sub(
+  (0, import_rrroutes_contract5.resource)(":endpointId", void 0, import_zod5.default.string()).get({
+    outputSchema: endpointSchema.extend({
+      // Related by groupId. Just use the existing feed endpoints with filter: groupId=?
+      requests: import_zod5.default.array(requestSchema),
+      // Summary stats: return with the feed?
+      volumeTS: import_zod5.default.array(
+        import_zod5.default.object({
+          timestamp: import_zod5.default.string(),
+          count: import_zod5.default.number()
+        })
+      ),
+      averageDurationMs: import_zod5.default.number(),
+      successRate: import_zod5.default.number(),
+      // Add id as query param to the existing feed endpoints? This way "requests" field can also be only Ids
+      latestErrorRequestIds: import_zod5.default.array(import_zod5.default.string())
+    })
+  }).done()
+).done();
+
+// src/web/v2/types/types.preset.ts
+var import_rrroutes_contract6 = require("@emeryld/rrroutes-contract");
+var import_zod6 = __toESM(require("zod"), 1);
+var presetSchema = baseEntitySchema.extend({
+  operations: import_zod6.default.array(
+    import_zod6.default.object({
+      endpointId: import_zod6.default.string().optional(),
+      method: import_zod6.default.enum(METHODS),
+      path: import_zod6.default.string(),
+      body: import_zod6.default.json().optional(),
+      extraHeaders: import_zod6.default.record(import_zod6.default.string(), import_zod6.default.any()).optional(),
+      query: import_zod6.default.record(import_zod6.default.string(), import_zod6.default.any()).optional()
+    })
+  )
+});
+var presetQuerySchema = baseQuerySchema.extend({
+  name: import_zod6.default.string().optional(),
+  tags: import_zod6.default.string().array().optional(),
+  group: import_zod6.default.string().optional()
+});
+var presetLeaves = (0, import_rrroutes_contract6.resource)("presets").get({
+  feed: true,
+  querySchema: presetQuerySchema.array(),
+  outputMetaSchema: import_zod6.default.object({
+    totalCount: import_zod6.default.number().optional()
+  }),
+  outputSchema: presetSchema
+}).post({
+  bodySchema: presetSchema,
+  outputSchema: presetSchema
+}).put({
+  bodySchema: presetSchema,
+  outputSchema: presetSchema
+}).done();
+
+// src/web/utils/types.ts
+var allLeaves = (0, import_rrroutes_contract7.resource)().sub(
+  (0, import_rrroutes_contract7.resource)("___rrroutes").sub(
+    endpointLeaves,
+    requestLogLeaves,
+    logLeaves,
+    cacheLeaves,
+    presetLeaves
+  ).done()
+).done();
+var leaves = (0, import_rrroutes_contract7.finalize)(allLeaves);
 
 // src/index.ts
-var trimTrailingSlash = (value) => value.endsWith("/") && value.length > 1 ? value.slice(0, -1) : value;
+function resolvePublicDir() {
+  const moduleDir = typeof __dirname !== "undefined" ? __dirname : import_node_path.default.dirname((0, import_node_url.fileURLToPath)(__import_meta_url));
+  const fromModule = import_node_path.default.resolve(moduleDir, "../public");
+  if (import_node_fs.default.existsSync(fromModule)) return fromModule;
+  const fallback = import_node_path.default.resolve(moduleDir, "../dist/public");
+  if (import_node_fs.default.existsSync(fallback)) return fallback;
+  return fromModule;
+}
 function mountRRRoutesDocs({
   router,
-  leaves,
-  presets = [],
-  options = {}
+  leaves: leaves2,
+  auth = {}
 }) {
-  const prefix = options.prefix ? trimTrailingSlash(options.prefix) : "";
-  const docsPath = options.path ?? "/__rrroutes/docs";
-  const normalizedDocsPath = trimTrailingSlash(docsPath);
-  const assetsMountPath = trimTrailingSlash(
-    options.assetBasePath ?? `${normalizedDocsPath}/assets`
-  );
-  const webhookBaseInput = options.logWebhook?.basePath ?? `${normalizedDocsPath}/webhooks`;
-  const webhookBasePath = trimTrailingSlash(
-    webhookBaseInput.startsWith("/") ? webhookBaseInput : `/${webhookBaseInput}`
-  );
-  const defaultHistoryLimit = 200;
-  const defaultLogLimit = 400;
-  const inMemoryHistory = normalizeHistorySeeds(options.historySeeds, defaultHistoryLimit);
-  const inMemoryLogs = normalizeLogSeeds(options.logSeeds, defaultLogLimit);
-  const webhookPaths = {
-    history: `${webhookBasePath}/history`,
-    logs: `${webhookBasePath}/logs`
-  };
-  const webhookSchemas = {
-    history: {
-      query: historyFeedQuerySchema,
-      response: historyWebhookResponseSchema,
-      entry: historyFeedEntrySchema
-    },
-    logs: {
-      query: logFeedQuerySchema,
-      response: logWebhookResponseSchema,
-      entry: logFeedEntrySchema
-    }
-  };
-  const webhookLeaves = {
-    history: {
-      method: "get",
-      path: webhookPaths.history,
-      cfg: {
-        summary: "RRRoutes docs history feed",
-        description: "Returns request history for the docs UI.",
-        querySchema: historyFeedQuerySchema,
-        outputSchema: historyWebhookResponseSchema,
-        tags: ["rrroutes", "docs"]
-      }
-    },
-    logs: {
-      method: "get",
-      path: webhookPaths.logs,
-      cfg: {
-        summary: "RRRoutes docs request logs",
-        description: "Returns request logs for the docs UI.",
-        querySchema: logFeedQuerySchema,
-        outputSchema: logWebhookResponseSchema,
-        tags: ["rrroutes", "docs"]
-      }
-    }
-  };
+  const docsPath = "/__rrroutes/docs";
   const publicDir = resolvePublicDir();
   const assetsDir = import_node_path.default.join(publicDir, "assets");
-  const cspEnabled = options.csp !== false;
-  router.use(assetsMountPath, (0, import_express.static)(assetsDir, { immutable: true, maxAge: "365d" }));
-  const usingFakeHistory = !options.logWebhook?.history;
-  const usingFakeLogs = !options.logWebhook?.logs;
-  if (usingFakeHistory || usingFakeLogs) {
-    router.use((req, res, next) => {
-      if (req.path.startsWith(webhookBasePath) || req.path.startsWith(assetsMountPath) || req.path.startsWith(normalizedDocsPath)) {
-        return next();
-      }
-      const start = Date.now();
-      const requestIdHeader = req.headers["x-request-id"] || req.headers["x-requestid"] || req.headers["x-request_id"];
-      const requestId = Array.isArray(requestIdHeader) ? requestIdHeader[0] : requestIdHeader;
-      res.once("finish", () => {
-        const timestamp = Date.now();
-        const durationMs = Math.max(timestamp - start, 0);
-        const methodUpper = String(req.method || "GET").toUpperCase();
-        const pathOnly = req.path || req.originalUrl || "";
-        const status = res.statusCode;
-        const errorMsg = status >= 400 ? `${status}` : void 0;
-        if (usingFakeHistory) {
-          inMemoryHistory.unshift({
-            id: (0, import_crypto.randomBytes)(8).toString("hex"),
-            requestId: requestId ? String(requestId) : void 0,
-            timestamp,
-            method: methodUpper,
-            path: pathOnly,
-            fullUrl: req.originalUrl || pathOnly,
-            params: {},
-            query: coerceQueryRecord(req.query),
-            body: coercePayload(req.body),
-            output: "",
-            status,
-            durationMs,
-            error: errorMsg
-          });
-          if (inMemoryHistory.length > defaultHistoryLimit) inMemoryHistory.length = defaultHistoryLimit;
-        }
-        if (usingFakeLogs) {
-          const logType = status >= 500 ? "error" : status >= 400 ? "warn" : "info";
-          const metadata = JSON.stringify({
-            query: req.query,
-            durationMs
-          });
-          inMemoryLogs.unshift({
-            id: (0, import_crypto.randomBytes)(8).toString("hex"),
-            type: logType,
-            message: `${methodUpper} ${pathOnly} -> ${status}`,
-            timestamp,
-            requestId: requestId ? String(requestId) : void 0,
-            tags: [],
-            metadata
-          });
-          if (inMemoryLogs.length > defaultLogLimit) inMemoryLogs.length = defaultLogLimit;
-        }
-      });
-      next();
-    });
-  }
-  router.get(webhookPaths.history, async (req, res) => {
-    const handler = options.logWebhook?.history;
-    try {
-      const query = parseHistoryWebhookQuery(req);
-      if (!handler) {
-        const filtered2 = applyHistoryQuery(inMemoryHistory, query, defaultHistoryLimit);
-        res.json(filtered2);
-        return;
-      }
-      const result = await handler({ query, req, res });
-      const normalized = normalizeWebhookPage(result);
-      const filtered = applyHistoryQuery(normalized.items, query, defaultHistoryLimit);
-      res.json(filtered);
-    } catch (err) {
-      console.error("Failed to serve history webhook", err);
-      res.status(500).json({ error: "Failed to load history feed" });
-    }
-  });
-  router.get(webhookPaths.logs, async (req, res) => {
-    const handler = options.logWebhook?.logs;
-    try {
-      const query = parseLogWebhookQuery(req);
-      if (!handler) {
-        const filtered2 = applyLogsQuery(inMemoryLogs, query, defaultLogLimit);
-        res.json(filtered2);
-        return;
-      }
-      const result = await handler({ query, req, res });
-      const normalized = normalizeWebhookPage(result);
-      const filtered = applyLogsQuery(normalized.items, query, defaultLogLimit);
-      res.json(filtered);
-    } catch (err) {
-      console.error("Failed to serve log webhook", err);
-      res.status(500).json({ error: "Failed to load logs feed" });
-    }
+  const cspEnabled = auth.csp !== false;
+  const authEnabled = auth.enabled !== false;
+  const docsPassword = auth.password;
+  const authRealm = auth.realm || "RRRoutes Docs";
+  const allowedIps = auth.allowedIps ?? [];
+  const cookieName = auth.cookieName;
+  const cookieSecret = auth?.cookieSecret;
+  const customGuard = auth?.guardMiddleware;
+  const ipGuard = allowedIps.length > 0 ? createIpAllowListGuard(allowedIps) : void 0;
+  const authGuard = !authEnabled ? (_req, _res, next) => next() : customGuard ? customGuard : cookieName ? createCookieGuard(cookieName, cookieSecret) : docsPassword ? createPasswordGuard(docsPassword, authRealm) : createMissingPasswordGuard();
+  [docsPath, `${docsPath}/assets`, `__rrroutes/`].forEach((p) => {
+    if (ipGuard) router.use(p, ipGuard);
+    router.use(p, authGuard);
   });
-  const docsRoutePaths = [normalizedDocsPath, `${normalizedDocsPath}/`, `${normalizedDocsPath}/*id`];
-  router.get(docsRoutePaths, (req, res) => {
-    const preparedLeaves = Array.isArray(leaves) ? leaves.filter((leaf) => leaf.cfg.docsHidden !== true) : [];
-    const preparedPresets = Array.isArray(presets) ? presets : [];
-    const onRequestResult = options.onRequest?.({ req, res, leaves: preparedLeaves, presets: preparedPresets }) ?? {};
-    const finalLeaves = onRequestResult.leaves ?? preparedLeaves;
-    const finalPresets = onRequestResult.presets ?? preparedPresets;
-    const hasCustomHtml = typeof onRequestResult.html === "string";
-    let nonce = onRequestResult.nonce;
-    if (!nonce && cspEnabled && !hasCustomHtml) {
-      nonce = (0, import_crypto.randomBytes)(16).toString("base64");
-    }
-    const html = hasCustomHtml ? onRequestResult.html : renderLeafDocsHTML2(finalLeaves, {
-      cspNonce: nonce,
-      assetBasePath: `${prefix}${assetsMountPath}`,
-      docsBasePath: `${prefix}${normalizedDocsPath}`,
-      baseUrlSuffix: prefix,
-      historySeeds: options.historySeeds,
-      logSeeds: options.logSeeds,
-      presets: normalizePresets(finalPresets),
-      webhooks: {
-        history: `${prefix}${webhookPaths.history}`,
-        logs: `${prefix}${webhookPaths.logs}`
+  router.use(
+    `${docsPath}/assets`,
+    (0, import_express.static)(assetsDir, { immutable: true, maxAge: "365d" })
+  );
+  const docsRoutePaths = [docsPath, `${docsPath}/`, `${docsPath}/*id`];
+  router.get(docsRoutePaths, (_req, res) => {
+    const nonce = cspEnabled ? (0, import_crypto.randomBytes)(16).toString("base64") : void 0;
+    const html = renderLeafDocsHTML2(
+      leaves2.filter((leaf) => leaf.cfg.docsHidden !== true),
+      {
+        cspNonce: nonce,
+        assetBasePath: `${`${docsPath}/assets`}`,
+        docsBasePath: `${docsPath}`
       }
-    });
+    );
+    applyDocsSecurityHeaders(res);
     if (cspEnabled && nonce) {
       res.setHeader(
         "Content-Security-Policy",
@@ -589,280 +742,24 @@ function mountRRRoutesDocs({
           "img-src 'self' data:",
           "connect-src 'self'",
           "font-src 'self'",
-          "frame-ancestors 'self'"
+          "frame-ancestors 'self'",
+          "object-src 'none'",
+          "base-uri 'self'"
         ].join("; ")
       );
     }
     res.send(html);
   });
-  return { path: docsPath, webhooks: webhookPaths, webhookLeaves, webhookSchemas };
-}
-function resolvePublicDir() {
-  const moduleDir = typeof __dirname !== "undefined" ? __dirname : import_node_path.default.dirname((0, import_node_url.fileURLToPath)(__import_meta_url));
-  const fromModule = import_node_path.default.resolve(moduleDir, "../public");
-  if (import_node_fs.default.existsSync(fromModule)) return fromModule;
-  const fallback = import_node_path.default.resolve(moduleDir, "../dist/public");
-  if (import_node_fs.default.existsSync(fallback)) return fallback;
-  return fromModule;
-}
-function normalizePresets(presets) {
-  if (!Array.isArray(presets)) return [];
-  return presets.map((preset) => ({
-    name: preset.name,
-    description: preset.description,
-    tags: Array.isArray(preset.tags) ? preset.tags.slice() : [],
-    docsGroup: preset.docsGroup,
-    ops: Array.isArray(preset.ops) ? preset.ops.map((op) => ({
-      method: typeof op.method === "string" ? op.method.toUpperCase() : "",
-      path: typeof op.path === "string" ? op.path : "",
-      body: op.body,
-      query: op.query,
-      params: op.params
-    })) : []
-  }));
-}
-function parseHistoryWebhookQuery(req) {
-  const query = req.query || {};
-  const methods = parseStringList(query.methods);
-  const path2 = typeof query.path === "string" ? query.path : void 0;
-  const status = typeof query.status === "string" ? query.status : void 0;
-  const text = typeof query.text === "string" ? query.text : void 0;
-  const cursor = typeof query.cursor === "string" ? query.cursor : void 0;
-  const sortBy = isSortKey(query.sortBy) ? query.sortBy : void 0;
-  const sortDir = isSortDir(query.sortDir) ? query.sortDir : void 0;
-  const limit = parseLimit(query.limit);
-  const from = parseDateInput(query.from);
-  const to = parseDateInput(query.to);
   return {
-    cursor,
-    methods,
-    path: path2,
-    status,
-    text,
-    limit,
-    from,
-    to,
-    sortBy,
-    sortDir
+    path: docsPath
   };
 }
-function parseLogWebhookQuery(req) {
-  const query = req.query || {};
-  const types = parseStringList(query.types);
-  const tags = parseStringList(query.tags);
-  const requestId = typeof query.requestId === "string" ? query.requestId : void 0;
-  const text = typeof query.text === "string" ? query.text : void 0;
-  const cursor = typeof query.cursor === "string" ? query.cursor : void 0;
-  const limit = parseLimit(query.limit);
-  const from = parseDateInput(query.from);
-  const to = parseDateInput(query.to);
-  const sortDir = isSortDir(query.sortDir) ? query.sortDir : void 0;
-  return {
-    cursor,
-    types,
-    tags,
-    requestId,
-    text,
-    limit,
-    from,
-    to,
-    sortDir
-  };
-}
-function parseStringList(value) {
-  if (typeof value !== "string") return void 0;
-  const parts = value.split(",").map((p) => p.trim()).filter(Boolean);
-  return parts.length ? parts : void 0;
-}
-function parseLimit(value) {
-  if (value === void 0) return void 0;
-  const num = Number(value);
-  if (!Number.isFinite(num) || num <= 0) return void 0;
-  return num;
-}
-function parseDateInput(value) {
-  if (typeof value !== "string") return void 0;
-  const numeric = Number(value);
-  if (Number.isFinite(numeric)) return numeric;
-  const timestamp = Date.parse(value);
-  if (Number.isNaN(timestamp)) return void 0;
-  return timestamp;
-}
-function isSortKey(value) {
-  return value === "timestamp" || value === "path" || value === "duration";
-}
-function isSortDir(value) {
-  return value === "asc" || value === "desc";
-}
-function normalizeWebhookPage(page) {
-  if (!page || typeof page !== "object") return { items: [] };
-  return {
-    items: Array.isArray(page.items) ? page.items : [],
-    nextCursor: page.nextCursor,
-    prevCursor: page.prevCursor,
-    total: page.total
-  };
-}
-function applyHistoryQuery(items, query, hardLimit) {
-  const fromTs = typeof query.from === "number" ? query.from : void 0;
-  const toTs = typeof query.to === "number" ? query.to : void 0;
-  const methods = query.methods ? new Set(query.methods.map((m) => m.toUpperCase())) : void 0;
-  const pathNeedle = (query.path || "").toLowerCase();
-  const textNeedle = (query.text || "").toLowerCase();
-  const statusNeedle = (query.status || "").trim();
-  const filtered = (Array.isArray(items) ? items : []).filter((entry) => {
-    if (methods?.size && !methods.has(String(entry.method || "").toUpperCase())) return false;
-    if (pathNeedle && !String(entry.path || "").toLowerCase().includes(pathNeedle)) return false;
-    if (statusNeedle) {
-      const statusStr = entry.status !== void 0 && entry.status !== null ? String(entry.status) : "ERR";
-      if (!statusStr.startsWith(statusNeedle)) return false;
-    }
-    if (Number.isFinite(fromTs) && entry.timestamp < fromTs) return false;
-    if (Number.isFinite(toTs) && entry.timestamp > toTs) return false;
-    if (textNeedle) {
-      const haystack = [
-        entry.path,
-        entry.fullUrl,
-        entry.body,
-        entry.output,
-        entry.error,
-        JSON.stringify(entry.params || {}),
-        JSON.stringify(entry.query || {})
-      ].filter(Boolean).join(" ").toLowerCase();
-      if (!haystack.includes(textNeedle)) return false;
-    }
-    return true;
-  });
-  const sortBy = query.sortBy || "timestamp";
-  const direction = query.sortDir === "asc" ? 1 : -1;
-  const sorted = filtered.slice().sort((a, b) => {
-    let delta = 0;
-    if (sortBy === "path") {
-      delta = String(a.path || "").localeCompare(String(b.path || ""));
-    } else if (sortBy === "duration") {
-      delta = (a.durationMs || 0) - (b.durationMs || 0);
-    } else {
-      delta = (a.timestamp || 0) - (b.timestamp || 0);
-    }
-    return delta * direction;
-  });
-  return paginateItems(sorted, query.cursor, query.limit, hardLimit, 25);
-}
-function applyLogsQuery(items, query, hardLimit) {
-  const fromTs = typeof query.from === "number" ? query.from : void 0;
-  const toTs = typeof query.to === "number" ? query.to : void 0;
-  const textNeedle = (query.text || "").toLowerCase();
-  const requestIdNeedle = (query.requestId || "").toLowerCase();
-  const types = query.types ? new Set(query.types) : void 0;
-  const tags = query.tags ? new Set(query.tags) : void 0;
-  const filtered = (Array.isArray(items) ? items : []).filter((entry) => {
-    if (types?.size && !types.has(entry.type)) return false;
-    const entryTags = Array.isArray(entry.tags) ? entry.tags : [];
-    if (tags?.size && !entryTags.some((tag) => tags.has(tag))) return false;
-    if (requestIdNeedle && !(entry.requestId || "").toLowerCase().includes(requestIdNeedle))
-      return false;
-    if (Number.isFinite(fromTs) && entry.timestamp < fromTs) return false;
-    if (Number.isFinite(toTs) && entry.timestamp > toTs) return false;
-    if (textNeedle) {
-      const haystack = [
-        entry.message,
-        entry.requestId,
-        entryTags.join(" "),
-        typeof entry.metadata === "string" ? entry.metadata : JSON.stringify(entry.metadata || "")
-      ].filter(Boolean).join(" ").toLowerCase();
-      if (!haystack.includes(textNeedle)) return false;
-    }
-    return true;
-  });
-  const direction = query.sortDir === "asc" ? 1 : -1;
-  const sorted = filtered.slice().sort((a, b) => (a.timestamp - b.timestamp) * direction);
-  return paginateItems(sorted, query.cursor, query.limit, hardLimit, 50);
-}
-function paginateItems(items, cursor, limit, hardLimit, fallbackLimit) {
-  const safeLimit = clampLimit(limit, hardLimit, fallbackLimit);
-  const start = parseCursor(cursor);
-  const end = start + safeLimit;
-  const slice = items.slice(start, end);
-  const nextCursor = end < items.length ? String(end) : void 0;
-  const prevCursor = start > 0 ? String(Math.max(start - safeLimit, 0)) : void 0;
-  return {
-    items: slice,
-    nextCursor,
-    prevCursor,
-    total: items.length
-  };
-}
-function clampLimit(value, hardLimit, fallback) {
-  if (!Number.isFinite(value)) return Math.min(hardLimit, fallback);
-  const safe = Math.max(1, Math.min(hardLimit, value));
-  return safe;
-}
-function parseCursor(cursor) {
-  const num = Number(cursor);
-  if (Number.isFinite(num) && num >= 0) return Math.floor(num);
-  return 0;
-}
-function normalizeHistorySeeds(seeds, hardLimit) {
-  if (!Array.isArray(seeds)) return [];
-  return seeds.slice(0, hardLimit).map((entry, idx) => ({
-    id: entry.id || (0, import_crypto.randomBytes)(8).toString("hex"),
-    requestId: typeof entry.requestId === "string" ? entry.requestId : void 0,
-    timestamp: entry.timestamp ?? Date.now() - idx * 1e3,
-    method: entry.method || "GET",
-    path: entry.path || "/",
-    fullUrl: entry.fullUrl || entry.path || "/",
-    params: entry.params || {},
-    query: entry.query || {},
-    body: entry.body || "",
-    output: entry.output || "",
-    status: entry.status,
-    durationMs: entry.durationMs ?? 0,
-    error: entry.error
-  })).filter((entry) => entry.method && entry.path);
-}
-function normalizeLogSeeds(seeds, hardLimit) {
-  if (!Array.isArray(seeds)) return [];
-  return seeds.slice(0, hardLimit).map((entry, idx) => ({
-    id: entry.id || (0, import_crypto.randomBytes)(8).toString("hex"),
-    type: entry.type || "info",
-    message: entry.message || "",
-    timestamp: entry.timestamp ?? Date.now() - idx * 1e3,
-    requestId: entry.requestId,
-    tags: Array.isArray(entry.tags) ? entry.tags : [],
-    metadata: entry.metadata
-  })).filter((entry) => entry.message);
-}
-function coerceQueryRecord(query) {
-  if (!query || typeof query !== "object") return {};
-  return Object.fromEntries(
-    Object.entries(query).map(([key, value]) => [key, coerceValue(value)])
-  );
-}
-function coercePayload(body) {
-  if (body === void 0 || body === null) return "";
-  if (typeof body === "string") return body;
-  try {
-    return JSON.stringify(body);
-  } catch {
-    return String(body);
-  }
-}
-function coerceValue(value) {
-  if (value === void 0 || value === null) return "";
-  if (Array.isArray(value)) return value.map(coerceValue).join(",");
-  if (typeof value === "object") {
-    try {
-      return JSON.stringify(value);
-    } catch {
-      return String(value);
-    }
-  }
-  return String(value);
-}
 // Annotate the CommonJS export names for ESM import in node:
 0 && (module.exports = {
+  introspectSchema,
   mountRRRoutesDocs,
   renderLeafDocsHTML,
+  requiredRoutes,
   serializeLeaf
 });
 //# sourceMappingURL=index.cjs.map