@emmett-community/emmett-expressjs-with-openapi 0.1.0 → 0.3.0

package/README.md

@@ -2,6 +2,17 @@
 
 Express.js utilities for Emmett applications that want OpenAPI 3.x validation without pulling the whole Emmett core. This package wires [`express-openapi-validator`](https://github.com/cdimascio/express-openapi-validator) into the Emmett application builder so you can validate requests, responses, security handlers, file uploads, and formats from a single OpenAPI document.
 
+[![npm version](https://img.shields.io/npm/v/@emmett-community/emmett-expressjs-with-openapi.svg)](https://www.npmjs.com/package/@emmett-community/emmett-expressjs-with-openapi) [![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](https://opensource.org/licenses/MIT) [![Build and test](https://github.com/emmett-community/emmett-expressjs-with-openapi/actions/workflows/build_and_test.yml/badge.svg)](https://github.com/emmett-community/emmett-expressjs-with-openapi/actions/workflows/build_and_test.yml)
+
+## Features
+
+- ✅ **OpenAPI 3.x validation** - Validate requests, responses, security, and file uploads.
+- ✅ **Operation handlers** - Auto-wire handlers from `operationId` or `x-eov-operation-handler`.
+- ✅ **Problem Details middleware** - RFC 7807 error responses out of the box.
+- ✅ **ETag helpers** - Built-in optimistic concurrency utilities.
+- ✅ **Testing helpers** - `ApiSpecification` and `ApiE2ESpecification` for tests.
+- ✅ **Optional add-ons** - Firebase Auth security handlers and Pino HTTP logging.
+
 ## Why this package?
 
 - Built as a standalone module extracted from the original `@event-driven-io/emmett` repo so it can evolve independently.
@@ -12,10 +23,30 @@ Express.js utilities for Emmett applications that want OpenAPI 3.x validation wi
 
 ```bash
 npm install @emmett-community/emmett-expressjs-with-openapi
-npm install express-openapi-validator   # optional peer dependency
+npm install express-openapi-validator            # optional: OpenAPI validation
+npm install pino-http                            # optional: HTTP logging
+npm install @my-f-startup/firebase-auth-express  # optional: Firebase Auth handlers
 ```
 
-Other peer requirements (`express`, `@event-driven-io/emmett`, etc.) follow the versions listed in `package.json`.
+### Peer Dependencies
+
+Required:
+- `@event-driven-io/emmett` ^0.39.1
+- `express` ^4.19.2
+- `express-async-errors` ^3.1.1
+- `http-problem-details` ^0.1.5
+
+TypeScript types:
+- `@types/express` ^4.17.21
+- `@types/supertest` ^6.0.2 (if using testing helpers)
+
+Optional (feature-gated):
+- `express-openapi-validator` ^5.3.7 (OpenAPI validation)
+- `pino-http` ^9.0.0 (HTTP logging)
+- `@my-f-startup/firebase-auth-express` 0.1.0 (Firebase Auth handlers)
+- `supertest` ^7.0.0 (required by testing helpers)
+
+Versions follow what is listed in `package.json`.
 
 ## Quick start
 
@@ -23,15 +54,33 @@ Other peer requirements (`express`, `@event-driven-io/emmett`, etc.) follow the
 import {
   getApplication,
   createOpenApiValidatorOptions,
+  startAPI,
 } from '@emmett-community/emmett-expressjs-with-openapi';
 
-const app = getApplication({
+const app = await getApplication({
   apis: [myApi],
   openApiValidator: createOpenApiValidatorOptions('./openapi.yaml', {
     validateRequests: true,
     validateResponses: process.env.NODE_ENV === 'development',
   }),
 });
+
+startAPI(app, { port: 3000 });
+```
+
+## Configuration
+
+### OpenAPI validation
+
+```typescript
+const app = await getApplication({
+  apis: [myApi],
+  openApiValidator: createOpenApiValidatorOptions('./openapi.yaml', {
+    validateRequests: true,
+    validateResponses: true,
+    operationHandlers: './handlers',
+  }),
+});
 ```
 
 Prefer to parse the spec once and share it? Load the `.yml` document manually and reuse it for routing, validation, and automatic `operationHandlers`.
@@ -41,9 +90,11 @@ import path from 'node:path';
 import { readFileSync } from 'node:fs';
 import { parse } from 'yaml';
 
-const spec = parse(readFileSync(new URL('./openapi.yml', import.meta.url), 'utf-8'));
+const spec = parse(
+  readFileSync(new URL('./openapi.yml', import.meta.url), 'utf-8'),
+);
 
-const app = getApplication({
+const app = await getApplication({
   apis: [usersApi],
   openApiValidator: createOpenApiValidatorOptions(spec, {
     operationHandlers: path.join(path.dirname(import.meta.url), './handlers'),
@@ -51,28 +102,85 @@ const app = getApplication({
 });
 ```
 
-## Configuration highlights
-
-`createOpenApiValidatorOptions` forwards every option from `express-openapi-validator`, so you can:
-
+Highlights:
 - Enable/disable request or response validation, including per-field tweaks (coercion, unknown query params, removing additional fields, etc.).
 - Register custom security handlers with `validateSecurity.handlers`.
 - Serve the parsed spec via `serveSpec`, configure file upload limits, ignore health-check routes, or validate the spec itself.
 - Reuse `$ref` parsing, custom formats, and file upload middleware exactly as in the upstream validator.
 
-Head to [`docs/openapi-validation.md`](docs/openapi-validation.md) for the full matrix of options, extended explanations, and complete examples. Keeping that document allows us to document advanced scenarios without bloating the README.
+### Logging (optional)
 
-## Examples
+Install the optional peer to enable HTTP request/response logging:
 
-Working examples live under `examples/`:
+```bash
+npm install pino-http
+```
 
-- `examples/shopping-cart` – feature-complete Emmett sample (business logic, memory store/publisher, security handlers, OpenAPI file, unit/int/e2e tests, `.http` scripts).
-- Legacy quick starts:
-  - `examples/basic` – manual routes + validation (minimal scaffolding).
-  - `examples/with-security` – standalone security handler demo.
-  - `examples/operation-handlers` – barebones `operationHandlers` showcase.
+```typescript
+const app = await getApplication({
+  pinoHttp: true, // defaults
+  // or:
+  pinoHttp: { autoLogging: false },
+});
+```
+
+See the full options in the [`pino-http` docs](https://github.com/pinojs/pino-http).
 
-## Tests
+### Firebase Auth (optional)
+
+If you use Firebase Authentication, install the optional peer and plug it into OpenAPI security handlers:
+
+```bash
+npm install @my-f-startup/firebase-auth-express
+```
+
+```typescript
+import admin from 'firebase-admin';
+import {
+  createFirebaseAuthSecurityHandlers,
+  createOpenApiValidatorOptions,
+  getApplication,
+} from '@emmett-community/emmett-expressjs-with-openapi';
+
+admin.initializeApp();
+
+const app = await getApplication({
+  apis: [myApi],
+  openApiValidator: createOpenApiValidatorOptions('./openapi.yaml', {
+    validateSecurity: {
+      handlers: createFirebaseAuthSecurityHandlers(),
+    },
+  }),
+});
+```
+
+`@my-f-startup/firebase-auth-express` relies on `firebase-admin`. Make sure the Admin SDK is installed, initialized, and configured for your environment (credentials or emulator).
+
+## API Reference
+
+### Application
+- `getApplication(options)` - Creates and configures the Express app.
+- `startAPI(app, options)` - Starts the HTTP server.
+
+### OpenAPI
+- `createOpenApiValidatorOptions(apiSpec, options)` - Helper to assemble OpenAPI validator config.
+- `isOpenApiValidatorAvailable()` - Type guard for optional validator dependency.
+- `createFirebaseAuthSecurityHandlers(options)` - Firebase Auth security handlers.
+- `registerHandlerModule(handlersPath, module)` - Manual registration for operation handlers.
+
+### HTTP helpers
+- `send`, `sendCreated`, `sendAccepted`, `sendProblem` - Standard HTTP responses.
+
+### ETag helpers
+- `toWeakETag`, `getETagFromIfMatch`, `getETagFromIfNotMatch`, `getETagValueFromIfMatch`, `setETag`.
+
+### Testing helpers
+- `ApiSpecification`, `ApiE2ESpecification`
+- `expect`, `expectNewEvents`, `expectResponse`, `expectError`
+
+See [`docs/openapi-validation.md`](docs/openapi-validation.md) for the full matrix of options and extended examples.
+
+## Testing
 
 The package includes comprehensive test coverage:
 
@@ -80,21 +188,96 @@ The package includes comprehensive test coverage:
 - **Integration tests** (`test/integration/`) - Basic routing, OpenAPI validation, operation handlers, optimistic concurrency
 - **E2E tests** (`test/e2e/`) - End-to-end workflows for all features
 
-Run `npm test` to execute the whole suite (unit + integration + e2e) or use:
+### Running tests
 
-- `npm run test:unit` - Unit tests only
-- `npm run test:int` - Integration tests only
-- `npm run test:e2e` - E2E tests only
+```bash
+# Unit tests
+npm run test:unit
+
+# Integration tests
+npm run test:int
+
+# E2E tests
+npm run test:e2e
+
+# All tests
+npm test
+```
+
+## Examples
+
+Working examples live under `examples/`:
+
+- `examples/shopping-cart` – feature-complete Emmett sample (business logic, memory store/publisher, security handlers, OpenAPI file, unit/int/e2e tests, `.http` scripts).
+- Legacy quick starts:
+  - `examples/basic` – manual routes + validation (minimal scaffolding).
+  - `examples/with-security` – standalone security handler demo.
+  - `examples/operation-handlers` – barebones `operationHandlers` showcase.
+  - `examples/firebase-auth` – Firebase Auth security handlers with operation handlers.
 
 ## Documentation
 
 - **Guide:** [`docs/openapi-validation.md`](docs/openapi-validation.md) – authoritative reference for configuration, advanced usage, and troubleshooting.
 - **Emmett docs:** <https://event-driven-io.github.io/emmett/>
 
+## Compatibility
+
+- **Node.js**: tested in CI with 24.x
+- **Emmett**: ^0.39.1
+- **Express**: ^4.19.2
+
 ## Contributing
 
-Issues and PRs are welcome! Please open a discussion or ticket if you are unsure about the direction of a change before coding.
+Contributions are welcome! Please:
+
+1. Fork the repository
+2. Create a feature branch
+3. Add tests for new functionality
+4. Ensure all tests pass
+5. Submit a pull request
+
+## Development
+
+```bash
+# Install dependencies
+npm install
+
+# Build
+npm run build
+
+# Type-check
+npm run build:ts
+
+# Run tests
+npm test
+
+# Run unit tests only
+npm run test:unit
+
+# Run integration tests
+npm run test:int
+
+# Run E2E tests
+npm run test:e2e
+```
 
 ## License
 
 MIT
+
+## Related Packages
+
+- [@event-driven-io/emmett](https://github.com/event-driven-io/emmett) - Core Emmett framework
+- [@emmett-community/emmett-google-firestore](https://github.com/emmett-community/emmett-google-firestore) - Firestore event store
+- [@emmett-community/emmett-google-realtime-db](https://github.com/emmett-community/emmett-google-realtime-db) - Realtime Database inline projections
+- [@emmett-community/emmett-google-pubsub](https://github.com/emmett-community/emmett-google-pubsub) - Pub/Sub message bus
+- [@event-driven-io/emmett-mongodb](https://github.com/event-driven-io/emmett/tree/main/src/packages/emmett-mongodb) - MongoDB event store
+
+## Support
+
+- [GitHub Issues](https://github.com/emmett-community/emmett-expressjs-with-openapi/issues)
+- [Emmett Documentation](https://event-driven-io.github.io/emmett/)
+
+---
+
+Made with ❤️ by the Emmett Community

package/dist/chunk-GS7T56RP.cjs.map

@@ -1 +1 @@
-{"version":3,"sources":["/Users/axcosta/Git/pessoal/oss/emmett-community/emmett-expressjs-with-openapi/dist/chunk-GS7T56RP.cjs","../node_modules/tsup/assets/cjs_shims.js"],"names":[],"mappings":"AAAA;ACKA,IAAM,iBAAA,EAAmB,CAAA,EAAA,GACvB,OAAO,SAAA,IAAa,YAAA,EAChB,IAAI,GAAA,CAAI,CAAA,KAAA,EAAQ,UAAU,CAAA,CAAA;AAK8B;ADT4B;AACA;AACA;AACA","file":"/Users/axcosta/Git/pessoal/oss/emmett-community/emmett-expressjs-with-openapi/dist/chunk-GS7T56RP.cjs","sourcesContent":[null,"// Shim globals in cjs bundle\n// There's a weird bug that esbuild will always inject importMetaUrl\n// if we export it as `const importMetaUrl = ... __filename ...`\n// But using a function will not cause this issue\n\nconst getImportMetaUrl = () => \n  typeof document === \"undefined\" \n    ? new URL(`file:${__filename}`).href \n    : (document.currentScript && document.currentScript.tagName.toUpperCase() === 'SCRIPT') \n      ? document.currentScript.src \n      : new URL(\"main.js\", document.baseURI).href;\n\nexport const importMetaUrl = /* @__PURE__ */ getImportMetaUrl()\n"]}
+{"version":3,"sources":["/home/runner/work/emmett-expressjs-with-openapi/emmett-expressjs-with-openapi/dist/chunk-GS7T56RP.cjs","../node_modules/tsup/assets/cjs_shims.js"],"names":[],"mappings":"AAAA;ACKA,IAAM,iBAAA,EAAmB,CAAA,EAAA,GACvB,OAAO,SAAA,IAAa,YAAA,EAChB,IAAI,GAAA,CAAI,CAAA,KAAA,EAAQ,UAAU,CAAA,CAAA;AAK8B;ADT4B;AACA;AACA;AACA","file":"/home/runner/work/emmett-expressjs-with-openapi/emmett-expressjs-with-openapi/dist/chunk-GS7T56RP.cjs","sourcesContent":[null,"// Shim globals in cjs bundle\n// There's a weird bug that esbuild will always inject importMetaUrl\n// if we export it as `const importMetaUrl = ... __filename ...`\n// But using a function will not cause this issue\n\nconst getImportMetaUrl = () => \n  typeof document === \"undefined\" \n    ? new URL(`file:${__filename}`).href \n    : (document.currentScript && document.currentScript.tagName.toUpperCase() === 'SCRIPT') \n      ? document.currentScript.src \n      : new URL(\"main.js\", document.baseURI).href;\n\nexport const importMetaUrl = /* @__PURE__ */ getImportMetaUrl()\n"]}

package/dist/chunk-MRSGTROW.cjs.map

@@ -1 +1 @@
-{"version":3,"sources":["/Users/axcosta/Git/pessoal/oss/emmett-community/emmett-expressjs-with-openapi/dist/chunk-MRSGTROW.cjs","../src/internal/esm-resolver.ts"],"names":["require"],"mappings":"AAAA;AACE;AACF,wDAA6B;AAC7B;AACA;AC6BA,gCAA8B;AAC9B,wEAAiB;AAEjB,IAAI,UAAA,EAAY,KAAA;AAChB,IAAM,YAAA,kBAAc,IAAI,GAAA,CAAiB,CAAA;AAMlC,IAAM,sBAAA,EAAwB,CAAC,UAAA,EAAoB,aAAA,EAAA,GAA6B;AACrF,EAAA,WAAA,CAAY,GAAA,CAAI,UAAA,EAAY,aAAa,CAAA;AAC3C,CAAA;AAKO,IAAM,oBAAA,EAAsB,CAAA,EAAA,GAAY;AAC7C,EAAA,GAAA,CAAI,SAAA,EAAW;AACb,IAAA,MAAA;AAAA,EACF;AAEA,EAAA,MAAMA,SAAAA,EAAU,mCAAA,+BAA6B,CAAA;AAC7C,EAAA,MAAM,OAAA,EAASA,QAAAA,CAAQ,QAAQ,CAAA;AAC/B,EAAA,MAAM,aAAA,EAAe,MAAA,CAAO,KAAA;AAE5B,EAAA,MAAA,CAAO,MAAA,EAAQ,QAAA,CAAU,OAAA,EAAiB,MAAA,EAAa,MAAA,EAAiB;AACtE,IAAA,MAAM,OAAA,kBAAS,MAAA,2BAAQ,UAAA;AACvB,IAAA,MAAM,mBAAA,kBAAqB,MAAA,6BAAQ,QAAA,mBAAS,2BAA2B,GAAA;AACvE,IAAA,MAAM,gBAAA,EAAkB,OAAA,CAAQ,QAAA,CAAS,UAAU,CAAA;AAEnD,IAAA,GAAA,CAAI,mBAAA,GAAsB,eAAA,EAAiB;AACzC,MAAA,MAAM,aAAA,EAAe,cAAA,CAAK,UAAA,CAAW,OAAO,EAAA,EACxC,QAAA,EACA,cAAA,CAAK,OAAA,CAAQ,cAAA,CAAK,OAAA,CAAQ,MAAM,CAAA,EAAG,OAAO,CAAA;AAG9C,MAAA,GAAA,CAAI,WAAA,CAAY,GAAA,CAAI,YAAY,CAAA,EAAG;AACjC,QAAA,OAAO,WAAA,CAAY,GAAA,CAAI,YAAY,CAAA;AAAA,MACrC;AAEA,MAAA,MAAM,IAAI,KAAA;AAAA,QACR,CAAA,+BAAA,EAAkC,YAAY,CAAA,gEAAA;AAAA,MAEhD,CAAA;AAAA,IACF;AAEA,IAAA,OAAO,YAAA,CAAa,IAAA,CAAK,IAAA,EAAM,OAAA,EAAS,MAAA,EAAQ,MAAM,CAAA;AAAA,EACxD,CAAA;AAEA,EAAA,UAAA,EAAY,IAAA;AACd,CAAA;ADhDA;AACA;AACE;AACA;AACF,yGAAC","file":"/Users/axcosta/Git/pessoal/oss/emmett-community/emmett-expressjs-with-openapi/dist/chunk-MRSGTROW.cjs","sourcesContent":[null,"/**\n * ESM Resolver for express-openapi-validator operation handlers.\n *\n * INTERNAL MODULE - Not part of public API.\n *\n * PROBLEM:\n * When using TypeScript runtime (tsx) with express-openapi-validator's operationHandlers:\n * - Our code uses `import()` to load handlers (ESM)\n * - express-openapi-validator uses `require()` to load handlers (CJS)\n * - Node.js maintains separate module caches for ESM and CJS\n * - This creates TWO separate instances of the same handler module\n * - Dependencies injected via module-level variables in one instance don't reach the other\n *\n * SOLUTION:\n * This module monkey-patches Module.prototype.require to intercept when\n * express-openapi-validator loads operation handlers and forces it to use\n * dynamic import() instead of require(). This ensures both sides share the\n * same ESM module instance, allowing module-level variables to work correctly.\n *\n * USAGE:\n * This module is automatically activated by getApplication() when operationHandlers\n * are configured. Applications don't need to import or configure anything.\n *\n * LIMITATIONS:\n * - Relies on heuristic detection (caller path includes 'express-openapi-validator')\n * - May break if express-openapi-validator changes its internal loading mechanism\n * - Adds \"magic\" behavior that may not be immediately obvious to developers\n *\n * FUTURE:\n * If express-openapi-validator migrates to native ESM, this resolver becomes\n * unnecessary and will safely become a no-op.\n */\n\nimport { createRequire } from 'node:module';\nimport path from 'node:path';\n\nlet isPatched = false;\nconst moduleCache = new Map<string, any>();\n\n/**\n * Registers a pre-loaded ESM module so it can be returned synchronously\n * when express-openapi-validator tries to require() it.\n */\nexport const registerHandlerModule = (modulePath: string, moduleExports: any): void => {\n  moduleCache.set(modulePath, moduleExports);\n};\n\n/**\n * Activates the ESM resolver for express-openapi-validator handler loading.\n */\nexport const activateESMResolver = (): void => {\n  if (isPatched) {\n    return;\n  }\n\n  const require = createRequire(import.meta.url);\n  const Module = require('module');\n  const originalLoad = Module._load;\n\n  Module._load = function (request: string, parent: any, isMain: boolean) {\n    const caller = parent?.filename;\n    const isValidatorLoading = caller?.includes('express-openapi-validator');\n    const isHandlerModule = request.includes('handlers');\n\n    if (isValidatorLoading && isHandlerModule) {\n      const absolutePath = path.isAbsolute(request)\n        ? request\n        : path.resolve(path.dirname(caller), request);\n\n      // Check if we have this module pre-registered\n      if (moduleCache.has(absolutePath)) {\n        return moduleCache.get(absolutePath);\n      }\n\n      throw new Error(\n        `Handler module not registered: ${absolutePath}. ` +\n        `Make sure initializeHandlers imports and registers the module.`\n      );\n    }\n\n    return originalLoad.call(this, request, parent, isMain);\n  };\n\n  isPatched = true;\n};\n"]}
+{"version":3,"sources":["/home/runner/work/emmett-expressjs-with-openapi/emmett-expressjs-with-openapi/dist/chunk-MRSGTROW.cjs","../src/internal/esm-resolver.ts"],"names":["require"],"mappings":"AAAA;AACE;AACF,wDAA6B;AAC7B;AACA;AC6BA,gCAA8B;AAC9B,wEAAiB;AAEjB,IAAI,UAAA,EAAY,KAAA;AAChB,IAAM,YAAA,kBAAc,IAAI,GAAA,CAAiB,CAAA;AAMlC,IAAM,sBAAA,EAAwB,CAAC,UAAA,EAAoB,aAAA,EAAA,GAA6B;AACrF,EAAA,WAAA,CAAY,GAAA,CAAI,UAAA,EAAY,aAAa,CAAA;AAC3C,CAAA;AAKO,IAAM,oBAAA,EAAsB,CAAA,EAAA,GAAY;AAC7C,EAAA,GAAA,CAAI,SAAA,EAAW;AACb,IAAA,MAAA;AAAA,EACF;AAEA,EAAA,MAAMA,SAAAA,EAAU,mCAAA,+BAA6B,CAAA;AAC7C,EAAA,MAAM,OAAA,EAASA,QAAAA,CAAQ,QAAQ,CAAA;AAC/B,EAAA,MAAM,aAAA,EAAe,MAAA,CAAO,KAAA;AAE5B,EAAA,MAAA,CAAO,MAAA,EAAQ,QAAA,CAAU,OAAA,EAAiB,MAAA,EAAa,MAAA,EAAiB;AACtE,IAAA,MAAM,OAAA,kBAAS,MAAA,2BAAQ,UAAA;AACvB,IAAA,MAAM,mBAAA,kBAAqB,MAAA,6BAAQ,QAAA,mBAAS,2BAA2B,GAAA;AACvE,IAAA,MAAM,gBAAA,EAAkB,OAAA,CAAQ,QAAA,CAAS,UAAU,CAAA;AAEnD,IAAA,GAAA,CAAI,mBAAA,GAAsB,eAAA,EAAiB;AACzC,MAAA,MAAM,aAAA,EAAe,cAAA,CAAK,UAAA,CAAW,OAAO,EAAA,EACxC,QAAA,EACA,cAAA,CAAK,OAAA,CAAQ,cAAA,CAAK,OAAA,CAAQ,MAAM,CAAA,EAAG,OAAO,CAAA;AAG9C,MAAA,GAAA,CAAI,WAAA,CAAY,GAAA,CAAI,YAAY,CAAA,EAAG;AACjC,QAAA,OAAO,WAAA,CAAY,GAAA,CAAI,YAAY,CAAA;AAAA,MACrC;AAEA,MAAA,MAAM,IAAI,KAAA;AAAA,QACR,CAAA,+BAAA,EAAkC,YAAY,CAAA,gEAAA;AAAA,MAEhD,CAAA;AAAA,IACF;AAEA,IAAA,OAAO,YAAA,CAAa,IAAA,CAAK,IAAA,EAAM,OAAA,EAAS,MAAA,EAAQ,MAAM,CAAA;AAAA,EACxD,CAAA;AAEA,EAAA,UAAA,EAAY,IAAA;AACd,CAAA;ADhDA;AACA;AACE;AACA;AACF,yGAAC","file":"/home/runner/work/emmett-expressjs-with-openapi/emmett-expressjs-with-openapi/dist/chunk-MRSGTROW.cjs","sourcesContent":[null,"/**\n * ESM Resolver for express-openapi-validator operation handlers.\n *\n * INTERNAL MODULE - Not part of public API.\n *\n * PROBLEM:\n * When using TypeScript runtime (tsx) with express-openapi-validator's operationHandlers:\n * - Our code uses `import()` to load handlers (ESM)\n * - express-openapi-validator uses `require()` to load handlers (CJS)\n * - Node.js maintains separate module caches for ESM and CJS\n * - This creates TWO separate instances of the same handler module\n * - Dependencies injected via module-level variables in one instance don't reach the other\n *\n * SOLUTION:\n * This module monkey-patches Module.prototype.require to intercept when\n * express-openapi-validator loads operation handlers and forces it to use\n * dynamic import() instead of require(). This ensures both sides share the\n * same ESM module instance, allowing module-level variables to work correctly.\n *\n * USAGE:\n * This module is automatically activated by getApplication() when operationHandlers\n * are configured. Applications don't need to import or configure anything.\n *\n * LIMITATIONS:\n * - Relies on heuristic detection (caller path includes 'express-openapi-validator')\n * - May break if express-openapi-validator changes its internal loading mechanism\n * - Adds \"magic\" behavior that may not be immediately obvious to developers\n *\n * FUTURE:\n * If express-openapi-validator migrates to native ESM, this resolver becomes\n * unnecessary and will safely become a no-op.\n */\n\nimport { createRequire } from 'node:module';\nimport path from 'node:path';\n\nlet isPatched = false;\nconst moduleCache = new Map<string, any>();\n\n/**\n * Registers a pre-loaded ESM module so it can be returned synchronously\n * when express-openapi-validator tries to require() it.\n */\nexport const registerHandlerModule = (modulePath: string, moduleExports: any): void => {\n  moduleCache.set(modulePath, moduleExports);\n};\n\n/**\n * Activates the ESM resolver for express-openapi-validator handler loading.\n */\nexport const activateESMResolver = (): void => {\n  if (isPatched) {\n    return;\n  }\n\n  const require = createRequire(import.meta.url);\n  const Module = require('module');\n  const originalLoad = Module._load;\n\n  Module._load = function (request: string, parent: any, isMain: boolean) {\n    const caller = parent?.filename;\n    const isValidatorLoading = caller?.includes('express-openapi-validator');\n    const isHandlerModule = request.includes('handlers');\n\n    if (isValidatorLoading && isHandlerModule) {\n      const absolutePath = path.isAbsolute(request)\n        ? request\n        : path.resolve(path.dirname(caller), request);\n\n      // Check if we have this module pre-registered\n      if (moduleCache.has(absolutePath)) {\n        return moduleCache.get(absolutePath);\n      }\n\n      throw new Error(\n        `Handler module not registered: ${absolutePath}. ` +\n        `Make sure initializeHandlers imports and registers the module.`\n      );\n    }\n\n    return originalLoad.call(this, request, parent, isMain);\n  };\n\n  isPatched = true;\n};\n"]}

package/dist/esm-resolver-I5MW2PIQ.cjs.map

@@ -1 +1 @@
-{"version":3,"sources":["/Users/axcosta/Git/pessoal/oss/emmett-community/emmett-expressjs-with-openapi/dist/esm-resolver-I5MW2PIQ.cjs"],"names":[],"mappings":"AAAA;AACE;AACA;AACF,wDAA6B;AAC7B,gCAA6B;AAC7B;AACE;AACA;AACF,6IAAC","file":"/Users/axcosta/Git/pessoal/oss/emmett-community/emmett-expressjs-with-openapi/dist/esm-resolver-I5MW2PIQ.cjs"}
+{"version":3,"sources":["/home/runner/work/emmett-expressjs-with-openapi/emmett-expressjs-with-openapi/dist/esm-resolver-I5MW2PIQ.cjs"],"names":[],"mappings":"AAAA;AACE;AACA;AACF,wDAA6B;AAC7B,gCAA6B;AAC7B;AACE;AACA;AACF,6IAAC","file":"/home/runner/work/emmett-expressjs-with-openapi/emmett-expressjs-with-openapi/dist/esm-resolver-I5MW2PIQ.cjs"}

package/dist/handler-importer-4BVBIZX3.cjs.map

@@ -1 +1 @@
-{"version":3,"sources":["/Users/axcosta/Git/pessoal/oss/emmett-community/emmett-expressjs-with-openapi/dist/handler-importer-4BVBIZX3.cjs","../src/internal/handler-importer.ts"],"names":[],"mappings":"AAAA;AACE;AACF,wDAA6B;AAC7B,gCAA6B;AAC7B;AACA;ACIA,0BAA8B;AAY9B,MAAA,SAAsB,yBAAA,CACpB,OAAA,EACiC;AACjC,EAAA,MAAM,iBAAA,EAA2C,CAAC,CAAA;AAElD,EAAA,IAAA,CAAA,MAAW,OAAA,GAAU,OAAA,EAAS;AAC5B,IAAA,IAAI;AAEF,MAAA,MAAM,QAAA,EAAU,gCAAA,MAAc,CAAO,YAAY,CAAA,CAAE,IAAA;AAGnD,MAAA,MAAM,eAAA,EAAiB,MAAM,4DAAA,CAAO,OAAA,GAAA;AAGpC,MAAA,qDAAA,MAAsB,CAAO,YAAA,EAAc,cAAc,CAAA;AAGzD,MAAA,gBAAA,CAAiB,MAAA,CAAO,UAAU,EAAA,EAAI,cAAA;AAAA,IACxC,EAAA,MAAA,CAAS,KAAA,EAAO;AACd,MAAA,MAAM,IAAI,KAAA;AAAA,QACR,CAAA,iCAAA,EAAoC,MAAA,CAAO,UAAU,CAAA,OAAA,EAAU,MAAA,CAAO,YAAY,CAAA,EAAA,EAC/E,KAAA,CAAgB,OACnB,CAAA;AAAA,MAAA;AACF,IAAA;AACF,EAAA;AAGF,EAAA;AACF;AD1BA;AACA;AACA","file":"/Users/axcosta/Git/pessoal/oss/emmett-community/emmett-expressjs-with-openapi/dist/handler-importer-4BVBIZX3.cjs","sourcesContent":[null,"/**\n * Handler module importer.\n *\n * INTERNAL MODULE - Not part of public API.\n *\n * Dynamically imports handler modules and registers them in the ESM resolver cache,\n * enabling automatic handler discovery without manual registration.\n */\n\nimport { pathToFileURL } from 'node:url';\nimport { registerHandlerModule } from './esm-resolver.js';\nimport type { HandlerModuleInfo } from './openapi-parser.js';\n\nexport type ImportedHandlerModules = Record<string, any>;\n\n/**\n * Dynamically import and register all handler modules.\n *\n * @param modules - Handler module information from OpenAPI parser\n * @returns Object containing all imported modules, keyed by module name\n */\nexport async function importAndRegisterHandlers(\n  modules: HandlerModuleInfo[],\n): Promise<ImportedHandlerModules> {\n  const importedHandlers: ImportedHandlerModules = {};\n\n  for (const module of modules) {\n    try {\n      // Convert to file:// URL for dynamic import\n      const fileUrl = pathToFileURL(module.absolutePath).href;\n\n      // Dynamically import the handler module\n      const importedModule = await import(fileUrl);\n\n      // Register in ESM resolver cache\n      registerHandlerModule(module.absolutePath, importedModule);\n\n      // Store in result object keyed by module name\n      importedHandlers[module.moduleName] = importedModule;\n    } catch (error) {\n      throw new Error(\n        `Failed to import handler module \"${module.moduleName}\" from ${module.absolutePath}: ${\n          (error as Error).message\n        }`,\n      );\n    }\n  }\n\n  return importedHandlers;\n}\n"]}
+{"version":3,"sources":["/home/runner/work/emmett-expressjs-with-openapi/emmett-expressjs-with-openapi/dist/handler-importer-4BVBIZX3.cjs","../src/internal/handler-importer.ts"],"names":[],"mappings":"AAAA;AACE;AACF,wDAA6B;AAC7B,gCAA6B;AAC7B;AACA;ACIA,0BAA8B;AAY9B,MAAA,SAAsB,yBAAA,CACpB,OAAA,EACiC;AACjC,EAAA,MAAM,iBAAA,EAA2C,CAAC,CAAA;AAElD,EAAA,IAAA,CAAA,MAAW,OAAA,GAAU,OAAA,EAAS;AAC5B,IAAA,IAAI;AAEF,MAAA,MAAM,QAAA,EAAU,gCAAA,MAAc,CAAO,YAAY,CAAA,CAAE,IAAA;AAGnD,MAAA,MAAM,eAAA,EAAiB,MAAM,4DAAA,CAAO,OAAA,GAAA;AAGpC,MAAA,qDAAA,MAAsB,CAAO,YAAA,EAAc,cAAc,CAAA;AAGzD,MAAA,gBAAA,CAAiB,MAAA,CAAO,UAAU,EAAA,EAAI,cAAA;AAAA,IACxC,EAAA,MAAA,CAAS,KAAA,EAAO;AACd,MAAA,MAAM,IAAI,KAAA;AAAA,QACR,CAAA,iCAAA,EAAoC,MAAA,CAAO,UAAU,CAAA,OAAA,EAAU,MAAA,CAAO,YAAY,CAAA,EAAA,EAC/E,KAAA,CAAgB,OACnB,CAAA;AAAA,MAAA;AACF,IAAA;AACF,EAAA;AAGF,EAAA;AACF;AD1BA;AACA;AACA","file":"/home/runner/work/emmett-expressjs-with-openapi/emmett-expressjs-with-openapi/dist/handler-importer-4BVBIZX3.cjs","sourcesContent":[null,"/**\n * Handler module importer.\n *\n * INTERNAL MODULE - Not part of public API.\n *\n * Dynamically imports handler modules and registers them in the ESM resolver cache,\n * enabling automatic handler discovery without manual registration.\n */\n\nimport { pathToFileURL } from 'node:url';\nimport { registerHandlerModule } from './esm-resolver.js';\nimport type { HandlerModuleInfo } from './openapi-parser.js';\n\nexport type ImportedHandlerModules = Record<string, any>;\n\n/**\n * Dynamically import and register all handler modules.\n *\n * @param modules - Handler module information from OpenAPI parser\n * @returns Object containing all imported modules, keyed by module name\n */\nexport async function importAndRegisterHandlers(\n  modules: HandlerModuleInfo[],\n): Promise<ImportedHandlerModules> {\n  const importedHandlers: ImportedHandlerModules = {};\n\n  for (const module of modules) {\n    try {\n      // Convert to file:// URL for dynamic import\n      const fileUrl = pathToFileURL(module.absolutePath).href;\n\n      // Dynamically import the handler module\n      const importedModule = await import(fileUrl);\n\n      // Register in ESM resolver cache\n      registerHandlerModule(module.absolutePath, importedModule);\n\n      // Store in result object keyed by module name\n      importedHandlers[module.moduleName] = importedModule;\n    } catch (error) {\n      throw new Error(\n        `Failed to import handler module \"${module.moduleName}\" from ${module.absolutePath}: ${\n          (error as Error).message\n        }`,\n      );\n    }\n  }\n\n  return importedHandlers;\n}\n"]}

package/dist/index.cjs

@@ -51,10 +51,31 @@ var getApplication = async (options) => {
     disableJsonMiddleware,
     disableUrlEncodingMiddleware,
     disableProblemDetailsMiddleware,
+    pinoHttp,
     openApiValidator
   } = options;
   const router = _express.Router.call(void 0, );
   app.set("etag", _nullishCoalesce(enableDefaultExpressEtag, () => ( false)));
+  if (pinoHttp !== void 0 && pinoHttp !== false) {
+    try {
+      const require2 = _module.createRequire.call(void 0, _chunkGS7T56RPcjs.importMetaUrl);
+      const mod = require2("pino-http");
+      const provider = _nullishCoalesce(mod.default, () => ( mod));
+      if (typeof provider !== "function") {
+        throw new Error("Invalid pino-http module: missing default export");
+      }
+      const options2 = pinoHttp === true ? void 0 : pinoHttp;
+      const middleware = provider(options2);
+      app.use(middleware);
+    } catch (e) {
+      console.warn(
+        "Pino HTTP configuration provided but pino-http package is not installed. Install it with: npm install pino-http"
+      );
+      throw new Error(
+        "pino-http package is required when pinoHttp option is used"
+      );
+    }
+  }
   if (!disableJsonMiddleware) app.use(_express2.default.json());
   if (!disableUrlEncodingMiddleware)
     app.use(
@@ -68,7 +89,7 @@ var getApplication = async (options) => {
       activateESMResolver();
       const handlersBasePath = typeof openApiValidator.operationHandlers === "string" ? openApiValidator.operationHandlers : openApiValidator.operationHandlers.basePath;
       if (handlersBasePath) {
-        const { extractHandlerModules } = await Promise.resolve().then(() => _interopRequireWildcard(require("./openapi-parser-KI7BS3DC.cjs")));
+        const { extractHandlerModules } = await Promise.resolve().then(() => _interopRequireWildcard(require("./openapi-parser-NFUD7ZGZ.cjs")));
         const { importAndRegisterHandlers } = await Promise.resolve().then(() => _interopRequireWildcard(require("./handler-importer-4BVBIZX3.cjs")));
         try {
           const modules = await extractHandlerModules(
@@ -117,7 +138,7 @@ var getApplication = async (options) => {
       } else {
         app.use(middleware);
       }
-    } catch (e) {
+    } catch (e2) {
       console.warn(
         "OpenAPI validator configuration provided but express-openapi-validator package is not installed. Install it with: npm install express-openapi-validator"
       );
@@ -220,28 +241,86 @@ var HttpProblem = (statusCode, options) => (response) => {
   sendProblem(response, statusCode, options);
 };
 
+// src/openapi/firebase-auth.ts
+var loadFirebaseAuth = async () => {
+  try {
+    const mod = await Promise.resolve().then(() => _interopRequireWildcard(require("@my-f-startup/firebase-auth-express")));
+    const provider = _nullishCoalesce(mod.default, () => ( mod));
+    const firebaseAuthMiddleware = provider.firebaseAuthMiddleware;
+    if (typeof firebaseAuthMiddleware !== "function") {
+      throw new Error(
+        "Invalid @my-f-startup/firebase-auth-express module: missing firebaseAuthMiddleware export"
+      );
+    }
+    return provider;
+  } catch (error) {
+    const message = "@my-f-startup/firebase-auth-express is required for createFirebaseAuthSecurityHandlers. Install it with: npm install @my-f-startup/firebase-auth-express";
+    throw new Error(message, { cause: error });
+  }
+};
+var createNullResponse = () => {
+  const res = {};
+  res.status = () => res;
+  res.json = () => res;
+  res.send = () => res;
+  res.end = () => res;
+  res.set = () => res;
+  return res;
+};
+var runMiddleware = async (middleware, req) => {
+  return new Promise((resolve) => {
+    let nextCalled = false;
+    const res = createNullResponse();
+    const next = () => {
+      nextCalled = true;
+      resolve(true);
+    };
+    Promise.resolve(middleware(req, res, next)).then(() => {
+      if (!nextCalled) resolve(false);
+    }).catch(() => resolve(false));
+  });
+};
+var createFirebaseAuthSecurityHandlers = (options = {}) => {
+  const securitySchemeName = _nullishCoalesce(options.securitySchemeName, () => ( "bearerAuth"));
+  const roleClaim = _nullishCoalesce(options.roleClaim, () => ( "roles"));
+  return {
+    [securitySchemeName]: async (req, scopes, _schema) => {
+      const { firebaseAuthMiddleware } = await loadFirebaseAuth();
+      const middleware = firebaseAuthMiddleware({
+        authClient: options.authClient
+      });
+      const isAuthenticated = await runMiddleware(middleware, req);
+      if (!isAuthenticated) return false;
+      if (!scopes.length) return true;
+      const roles = _optionalChain([req, 'optionalAccess', _ => _.auth, 'optionalAccess', _2 => _2.token, 'optionalAccess', _3 => _3[roleClaim]]);
+      if (!Array.isArray(roles)) return false;
+      return scopes.every((scope) => roles.includes(scope));
+    }
+  };
+};
+
 // src/openapi/index.ts
 var createOpenApiValidatorOptions = (apiSpec, options) => {
   return {
     apiSpec,
-    validateRequests: _nullishCoalesce(_optionalChain([options, 'optionalAccess', _ => _.validateRequests]), () => ( true)),
-    validateResponses: _nullishCoalesce(_optionalChain([options, 'optionalAccess', _2 => _2.validateResponses]), () => ( false)),
-    validateSecurity: _nullishCoalesce(_optionalChain([options, 'optionalAccess', _3 => _3.validateSecurity]), () => ( true)),
-    validateFormats: _nullishCoalesce(_optionalChain([options, 'optionalAccess', _4 => _4.validateFormats]), () => ( true)),
-    operationHandlers: _optionalChain([options, 'optionalAccess', _5 => _5.operationHandlers]),
-    ignorePaths: _optionalChain([options, 'optionalAccess', _6 => _6.ignorePaths]),
-    validateApiSpec: _nullishCoalesce(_optionalChain([options, 'optionalAccess', _7 => _7.validateApiSpec]), () => ( true)),
-    $refParser: _optionalChain([options, 'optionalAccess', _8 => _8.$refParser]),
-    serveSpec: _nullishCoalesce(_optionalChain([options, 'optionalAccess', _9 => _9.serveSpec]), () => ( false)),
-    fileUploader: _optionalChain([options, 'optionalAccess', _10 => _10.fileUploader]),
-    initializeHandlers: _optionalChain([options, 'optionalAccess', _11 => _11.initializeHandlers])
+    validateRequests: _nullishCoalesce(_optionalChain([options, 'optionalAccess', _4 => _4.validateRequests]), () => ( true)),
+    validateResponses: _nullishCoalesce(_optionalChain([options, 'optionalAccess', _5 => _5.validateResponses]), () => ( false)),
+    validateSecurity: _nullishCoalesce(_optionalChain([options, 'optionalAccess', _6 => _6.validateSecurity]), () => ( true)),
+    validateFormats: _nullishCoalesce(_optionalChain([options, 'optionalAccess', _7 => _7.validateFormats]), () => ( true)),
+    operationHandlers: _optionalChain([options, 'optionalAccess', _8 => _8.operationHandlers]),
+    ignorePaths: _optionalChain([options, 'optionalAccess', _9 => _9.ignorePaths]),
+    validateApiSpec: _nullishCoalesce(_optionalChain([options, 'optionalAccess', _10 => _10.validateApiSpec]), () => ( true)),
+    $refParser: _optionalChain([options, 'optionalAccess', _11 => _11.$refParser]),
+    serveSpec: _nullishCoalesce(_optionalChain([options, 'optionalAccess', _12 => _12.serveSpec]), () => ( false)),
+    fileUploader: _optionalChain([options, 'optionalAccess', _13 => _13.fileUploader]),
+    initializeHandlers: _optionalChain([options, 'optionalAccess', _14 => _14.initializeHandlers])
   };
 };
 var isOpenApiValidatorAvailable = async () => {
   try {
     await Promise.resolve().then(() => _interopRequireWildcard(require("express-openapi-validator")));
     return true;
-  } catch (e2) {
+  } catch (e3) {
     return false;
   }
 };
@@ -424,5 +503,6 @@ var ApiSpecification = {
 
 
 
-exports.Accepted = Accepted; exports.ApiE2ESpecification = ApiE2ESpecification; exports.ApiSpecification = ApiSpecification; exports.BadRequest = BadRequest; exports.Conflict = Conflict; exports.Created = Created; exports.DefaultHttpProblemResponseOptions = DefaultHttpProblemResponseOptions; exports.DefaultHttpResponseOptions = DefaultHttpResponseOptions; exports.ETagErrors = ETagErrors; exports.Forbidden = Forbidden; exports.HeaderNames = HeaderNames; exports.HttpProblem = HttpProblem; exports.HttpResponse = HttpResponse; exports.NoContent = NoContent; exports.NotFound = NotFound; exports.OK = OK; exports.PreconditionFailed = PreconditionFailed; exports.WeakETagRegex = WeakETagRegex; exports.createOpenApiValidatorOptions = createOpenApiValidatorOptions; exports.existingStream = existingStream; exports.expect = expect; exports.expectError = expectError; exports.expectNewEvents = expectNewEvents; exports.expectResponse = expectResponse; exports.getApplication = getApplication; exports.getETagFromIfMatch = getETagFromIfMatch; exports.getETagFromIfNotMatch = getETagFromIfNotMatch; exports.getETagValueFromIfMatch = getETagValueFromIfMatch; exports.getWeakETagValue = getWeakETagValue; exports.isOpenApiValidatorAvailable = isOpenApiValidatorAvailable; exports.isWeakETag = isWeakETag; exports.on = on; exports.registerHandlerModule = _chunkMRSGTROWcjs.registerHandlerModule; exports.send = send; exports.sendAccepted = sendAccepted; exports.sendCreated = sendCreated; exports.sendProblem = sendProblem; exports.setETag = setETag; exports.startAPI = startAPI; exports.toWeakETag = toWeakETag;
+
+exports.Accepted = Accepted; exports.ApiE2ESpecification = ApiE2ESpecification; exports.ApiSpecification = ApiSpecification; exports.BadRequest = BadRequest; exports.Conflict = Conflict; exports.Created = Created; exports.DefaultHttpProblemResponseOptions = DefaultHttpProblemResponseOptions; exports.DefaultHttpResponseOptions = DefaultHttpResponseOptions; exports.ETagErrors = ETagErrors; exports.Forbidden = Forbidden; exports.HeaderNames = HeaderNames; exports.HttpProblem = HttpProblem; exports.HttpResponse = HttpResponse; exports.NoContent = NoContent; exports.NotFound = NotFound; exports.OK = OK; exports.PreconditionFailed = PreconditionFailed; exports.WeakETagRegex = WeakETagRegex; exports.createFirebaseAuthSecurityHandlers = createFirebaseAuthSecurityHandlers; exports.createOpenApiValidatorOptions = createOpenApiValidatorOptions; exports.existingStream = existingStream; exports.expect = expect; exports.expectError = expectError; exports.expectNewEvents = expectNewEvents; exports.expectResponse = expectResponse; exports.getApplication = getApplication; exports.getETagFromIfMatch = getETagFromIfMatch; exports.getETagFromIfNotMatch = getETagFromIfNotMatch; exports.getETagValueFromIfMatch = getETagValueFromIfMatch; exports.getWeakETagValue = getWeakETagValue; exports.isOpenApiValidatorAvailable = isOpenApiValidatorAvailable; exports.isWeakETag = isWeakETag; exports.on = on; exports.registerHandlerModule = _chunkMRSGTROWcjs.registerHandlerModule; exports.send = send; exports.sendAccepted = sendAccepted; exports.sendCreated = sendCreated; exports.sendProblem = sendProblem; exports.setETag = setETag; exports.startAPI = startAPI; exports.toWeakETag = toWeakETag;
 //# sourceMappingURL=index.cjs.map