@enderworld/onlyapi 1.5.1

package/CHANGELOG.md

@@ -0,0 +1,201 @@
+# Changelog
+
+All notable changes to this project will be documented in this file.
+
+The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
+and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+
+## [2.0.0] - 2026-02-16
+
+### Added
+
+- **PostgreSQL adapter** — zero-dep Postgres support via `Bun.sql`; 9 repository implementations (user, token blacklist, account lockout, audit log, verification tokens, refresh token store, API keys, password history, OAuth accounts); automatic DDL migration runner (`pgMigrateUp` / `pgMigrateDown`); config-driven adapter selection (`DATABASE_DRIVER=sqlite|postgres`)
+- **Redis cache adapter** — zero-dep Redis client over raw RESP protocol via `Bun.connect()` TCP; `Cache` port with `get`, `set`, `del`, `has`, `incr`, `delPattern`, `close` operations; in-memory fallback cache with TTL and auto-prune; config-driven selection (`REDIS_ENABLED=true|false`)
+- **API versioning** — URL-based version negotiation (`/api/v1/...` and `/api/v2/...`); v2 paths normalized to v1 for shared handler lookup; v1 responses include `Deprecation: true`, `Sunset`, and `Link` headers; v2 responses include clean `API-Version: v2` header; `Accept-Version` header support
+- **Internationalization (i18n)** — 5 language catalogs (en, es, fr, de, ja) with 33 message keys; RFC 7231 `Accept-Language` quality-value parsing; `Content-Language` response header; `resolveLocale`, `t()` translator, `createI18nContext` helpers; config via `I18N_DEFAULT_LOCALE` and `I18N_SUPPORTED_LOCALES`
+- **Kubernetes manifests** — production-ready K8s resources: Namespace, ConfigMap, Secret, Deployment (2 replicas, rolling update, liveness/readiness/startup probes, resource limits), Service (ClusterIP), Ingress (nginx, TLS, cert-manager), HPA (CPU 70% / memory 80%, min 2 max 10), PodDisruptionBudget, NetworkPolicy (DNS, Postgres, Redis egress)
+- **Helm chart** — full `helm/onlyapi/` chart with Chart.yaml (appVersion 2.0.0), values.yaml, and 8 templates (deployment, service, configmap, secret, ingress, HPA, serviceaccount, PDB); configurable replicas, probes, autoscaling, and secrets
+- **CD pipeline** — `.github/workflows/deploy.yml` continuous deployment: Docker Buildx multi-arch builds (amd64 + arm64), push to GHCR, staging deploy with Helm + smoke test, production deploy with Helm + GitHub Release; triggered by `v*` tags or manual dispatch
+- **E2E test suite** — 28 end-to-end tests in `tests/e2e/journey.test.ts` spawning a real server with isolated database; complete user journey (register → login → refresh → update → logout); API versioning headers; i18n Content-Language; security headers; ETag/304 conditional GET; CORS preflight; OpenAPI + Metrics
+- **Load test harness** — `tests/load/harness.ts` automated performance regression detection; CLI-driven (--url, --duration, --concurrency, --max-p99, --min-rps); concurrent worker pool; latency percentile computation (p50/p90/p95/p99); 4 scenarios (health, register, login, metrics); threshold pass/fail
+- **Postman collection** — `postman/onlyapi-v2.postman_collection.json` with all endpoints (health, auth, users, API keys, admin, webhooks, SSE, docs, metrics, v2 endpoints); auto-extraction scripts for tokens; variables for baseUrl, credentials, token management
+
+### Changed
+
+- Config schema extended with `database.driver` (sqlite | postgres), `redis.*` (enabled, host, port, password, db), `i18n.*` (defaultLocale, supportedLocales)
+- `main.ts` bootstrap conditionally selects SQLite or Postgres adapters and in-memory or Redis cache based on config
+- DI container expanded with `Cache` token
+- Server context includes `apiVersion` and `i18n` fields; responses include `Content-Language` and version headers
+- Test count: 282 → 351 (267 unit + 56 integration + 28 E2E) across 36 files
+- Version bumped to 2.0.0
+
+---
+
+## [1.5.0] - 2026-02-16
+
+### Added
+
+- **WebSocket support** — Bun-native WebSocket upgrade at `/ws` with JSON protocol; authentication via JWT, pub/sub event subscriptions, broadcast domain events to connected clients; `WebSocketManager` with connection tracking, auth state, per-client event filtering
+- **Server-Sent Events (SSE)** — `GET /api/v1/events/stream` streaming endpoint for real-time updates; auth via `?token=` query param or `Authorization` header; event type filtering via `?events=` param; 30s heartbeat keep-alive; `X-Accel-Buffering: no` for Nginx compatibility
+- **Domain events** — 15 typed event types (`USER_REGISTERED`, `USER_DELETED`, `USER_UPDATED`, `LOGIN_SUCCESS`, `LOGIN_FAILED`, `LOGOUT`, `PASSWORD_CHANGED`, `PASSWORD_RESET`, `EMAIL_VERIFIED`, `MFA_ENABLED`, `MFA_DISABLED`, `API_KEY_CREATED`, `API_KEY_REVOKED`, `ACCOUNT_LOCKED`, `ACCOUNT_UNLOCKED`); `DomainEvent<T>` type with id, type, timestamp, optional userId/payload/ip; `DomainEventFactory` for event creation
+- **Event bus** — in-memory pub/sub with fire-and-forget semantics; type-specific and wildcard (`subscribeAll`) subscriptions; error isolation (throwing handlers don't crash publisher); `EventBus` port ready to swap for Redis Pub/Sub or NATS
+- **Webhooks** — admin-only CRUD API (`POST /api/v1/webhooks`, `GET /api/v1/webhooks`, `DELETE /api/v1/webhooks/:id`); HMAC-SHA256 signed delivery with `X-Webhook-Signature` header; event-type filtering per subscription; `WebhookRegistry` port + in-memory adapter; `WebhookDispatcher` with fire-and-forget delivery and AbortController timeout
+- **Background job queue** — polling-based in-memory job processor with configurable interval; exponential backoff retry (`min(1000 * 2^attempts, 60000)` ms); dead letter queue for exhausted retries; job lifecycle (PENDING → RUNNING → COMPLETED / FAILED → DEAD); `JobQueue` port ready to swap for Redis/SQLite-backed adapter
+- 3 new core ports: `EventBus`, `WebhookRegistry`, `JobQueue`
+- 7 new DI container tokens: `EventBus`, `EventFactory`, `WebhookRegistry`, `WebhookDispatcher`, `JobQueue`, `WebSocketManager`, `SseHandler`
+- WebSocket JSON protocol: `auth`, `subscribe`, `unsubscribe`, `ping` client messages; `connected`, `auth_result`, `subscribed`, `event`, `pong`, `error` server messages
+- 36 new tests across 4 new test files + expanded integration tests (246 → 282 total, 32 files, 667 expect() calls)
+
+### Changed
+
+- Router extended with webhook routes and SSE endpoint; new parametric matcher for `DELETE /api/v1/webhooks/:id`
+- Server now conditionally enables Bun.serve() WebSocket config when `WebSocketManager` is provided
+- `main.ts` bootstrap wires event bus, webhook dispatcher, job queue; webhook dispatcher auto-subscribed as wildcard event listener; WebSocket broadcast wired as wildcard subscriber; job queue starts after server and stops on graceful shutdown
+- Version bumped to 1.5.0
+
+---
+
+## [1.4.0] - 2026-02-16
+
+### Added
+
+- **Email verification** — `POST /api/v1/auth/verify-email` with SHA-256 hashed, time-limited tokens (24h TTL); `VerificationTokenRepository` port + SQLite adapter; supports email-verification and password-reset token types
+- **Password reset** — `POST /api/v1/auth/forgot-password` (non-enumerable, always returns 200) + `POST /api/v1/auth/reset-password` with secure token-based flow (1h TTL); prevents information disclosure about registered emails
+- **Refresh token rotation** — one-time-use refresh tokens with family-based reuse detection; `RefreshTokenStore` port + SQLite adapter; token reuse revokes entire family to mitigate stolen token replay attacks
+- **MFA / 2FA (TOTP)** — RFC 6238 TOTP implementation using `Bun.CryptoHasher` HMAC-SHA1; setup/enable/disable/verify endpoints; Google Authenticator-compatible `otpauth://` URI generation; base32 encoding (zero-dep); time-step window of ±1 for clock drift tolerance
+- **OAuth2 / SSO** — Google and GitHub provider adapters with authorization URL generation and token exchange; `OAuthProvider` port + `OAuthAccountRepository` for provider-account linking; conditional registration based on `OAUTH_GOOGLE_CLIENT_ID` / `OAUTH_GITHUB_CLIENT_ID` environment variables
+- **API key auth** — `POST /api/v1/api-keys` (create), `GET /api/v1/api-keys` (list), `DELETE /api/v1/api-keys/:id` (revoke); `oapi_` prefixed keys with SHA-256 hashed storage; `X-API-Key` header authentication; configurable scopes and expiry; `ApiKeyRepository` port + SQLite adapter
+- **Password policy** — configurable complexity rules (min length, uppercase, lowercase, digit, special character); password history checking to prevent reuse of last N passwords; password expiry detection; `PasswordPolicy` service + `PasswordHistory` port + SQLite adapter
+- Migration 004: `auth_platform` — creates `verification_tokens`, `refresh_tokens`, `api_keys`, `password_history`, `oauth_accounts` tables with appropriate indexes
+- `TotpService` port + infrastructure adapter (RFC 6238, HMAC-SHA1 via Bun.CryptoHasher, base32 codec)
+- 9 new DI container tokens: `VerificationTokenRepository`, `RefreshTokenStore`, `ApiKeyRepository`, `PasswordHistory`, `PasswordPolicy`, `TotpService`, `OAuthProviders`, `OAuthAccountRepository`, `ApiKeyService`
+- Password policy config section: `PASSWORD_MIN_LENGTH`, `PASSWORD_REQUIRE_UPPERCASE`, `PASSWORD_REQUIRE_LOWERCASE`, `PASSWORD_REQUIRE_DIGIT`, `PASSWORD_REQUIRE_SPECIAL`, `PASSWORD_HISTORY_COUNT`, `PASSWORD_MAX_AGE_DAYS`
+- OAuth config section: `OAUTH_GOOGLE_CLIENT_ID`, `OAUTH_GOOGLE_CLIENT_SECRET`, `OAUTH_GITHUB_CLIENT_ID`, `OAUTH_GITHUB_CLIENT_SECRET`
+- 68 new tests across 7 new test files + expanded integration tests (178 → 246 total, 28 files, 589 expect() calls)
+
+### Changed
+
+- `AuthService` now accepts 13 dependencies (was 6): adds verification tokens, refresh token store, TOTP service, OAuth providers, OAuth accounts, API key repository, password history, password policy
+- `User` entity extended with `emailVerified`, `mfaEnabled`, `mfaSecret`, `passwordChangedAt` fields
+- `InMemoryUserRepository` updated to initialize and handle all new user fields
+- Router now supports OAuth, MFA, API key, and email verification route groups
+- Startup banner displays v1.4.0; pruning interval covers verification tokens and refresh tokens in addition to blacklisted JWT tokens
+- Version bumped to 1.4.0
+
+---
+
+## [1.3.0] - 2026-02-15
+
+### Added
+
+- **Prometheus metrics** — `GET /metrics` endpoint serving Prometheus text exposition format (v0.0.4) with counters, histograms, and gauges: `http_requests_total`, `http_request_duration_ms`, `http_active_connections`, `http_errors_total`, `circuit_breaker_state`, `alerts_sent_total`
+- **OpenTelemetry traces** — W3C Trace Context propagation (`traceparent` header), 128-bit trace IDs + 64-bit span IDs generated per request, trace context included in structured JSON logs and response headers
+- **Circuit breaker** — resilience pattern for external service calls with configurable failure threshold, reset timeout, and half-open success threshold; state machine (CLOSED → OPEN → HALF_OPEN → CLOSED); `CircuitBreaker` port + infrastructure adapter
+- **Retry with backoff** — configurable retry policy with exponential backoff, jitter, max delay cap, retryable predicate, and per-attempt callbacks; `RetryPolicy` port + infrastructure adapter
+- **Graceful degradation** — health service now monitors circuit breaker states; reports `degraded` status when downstream services fail; `GET /readiness` reflects circuit breaker health in component checks
+- **Alerting hooks** — `AlertSink` port with webhook adapter (`ALERT_WEBHOOK_URL`); fires on circuit breaker OPEN/recovery, unhandled rejections; `createNoopAlertSink` when no URL configured; retry with backoff on webhook delivery failures
+- `MetricsCollector` port with zero-dependency Prometheus adapter (counters, histograms with configurable buckets, gauges with label support)
+- `CircuitBreakerOptions` config section (`CB_FAILURE_THRESHOLD`, `CB_RESET_TIMEOUT_MS`, `CB_HALF_OPEN_SUCCESS_THRESHOLD`)
+- `AlertSink` config section (`ALERT_WEBHOOK_URL`, `ALERT_TIMEOUT_MS`)
+- `TraceContext` type with `traceId`, `spanId`, `parentSpanId`, `flags`
+- `RequestContext` extended with `trace: TraceContext` field
+- Child loggers now include `traceId` and `spanId` bindings for structured log correlation
+- New DI tokens: `MetricsCollector`, `AlertSink`
+- 58 new tests (120 → 178 total across 21 files)
+
+### Changed
+
+- `ComponentHealth.status` now supports `"degraded"` in addition to `"ok"` | `"down"`
+- `HealthService` accepts optional `circuitBreakers` array for graceful degradation monitoring
+- Server hot path now tracks metrics (request count, duration, active connections, errors) without measurable latency impact
+- All responses now include `traceparent` header for distributed tracing correlation
+- Unhandled promise rejections now fire alerting hooks in addition to logging
+
+---
+
+## [1.2.0] - 2026-02-15
+
+### Added
+
+- **Admin endpoints** — `GET /api/v1/admin/users` (list, search, filter by role), `GET /api/v1/admin/users/:id`, `PATCH /api/v1/admin/users/:id/role`, `POST /api/v1/admin/users/:id/ban`, `POST /api/v1/admin/users/:id/unban`
+- **Cursor-based pagination** — opaque base64 cursor, `?cursor=X&limit=20` on list endpoints, `PaginatedResult<T>` type
+- **OpenAPI 3.1 specification** — auto-generated from Zod schemas at `GET /docs` (JSON) and `GET /docs/html` (embedded Swagger UI)
+- **ETag / conditional requests** — MD5-based ETag on GET 200 responses, `If-None-Match` → 304 Not Modified
+- **Request ID tracing** — per-request child logger with `requestId` binding, propagated via `X-Request-Id` header
+- **Structured JSON log mode** — `LOG_FORMAT=json` for production log aggregators (Datadog, ELK, CloudWatch)
+- **Audit log** — append-only ledger of significant system events (who, what, when, IP), SQLite-backed with `AuditLog` port
+- `AdminService` with role-based authorization, self-action prevention
+- `AuditLog` port + SQLite adapter with query filters (userId, action, since, limit)
+- Migration 003: `audit_log` table with indexes
+- Parametric route matching for admin endpoints (prefix-based, O(1) static + O(n) parametric)
+- Admin DTOs: `listUsersDto`, `changeRoleDto`, `banUserDto` validated via Zod
+- `UserRepository` extended with `list(options)` and `count()` methods
+- 30 new tests (90 unit + 30 integration = 120 total)
+- `LOG_FORMAT` config option (`pretty` | `json`)
+
+### Changed
+
+- `authorise()` middleware now returns 403 Forbidden (was incorrectly 401) for role mismatches
+- Logger `createLogger()` accepts optional `format` parameter (`"pretty"` | `"json"`)
+- `RequestContext` includes request-scoped `logger` field
+- Router supports both static O(1) map and parametric admin route matching
+- Version bumped to 1.2.0 in package.json and startup banner
+- CLI startup banner displays new admin + docs routes and log format
+- Biome config: `useLiteralKeys` disabled globally (incompatible with TS `noPropertyAccessFromIndexSignature`)
+- Migration tests updated for 3-migration schema
+
+## [1.1.0] - 2026-02-15
+
+### Added
+
+- **SQLite persistence** via `bun:sqlite` — zero external dependencies, WAL mode, prepared statements
+- **Database migrations** — versioned TypeScript migrations with up/down, tracked in `_migrations` table
+- **Logout endpoint** — `POST /api/v1/auth/logout` with token blacklist (in-memory + SQLite adapters)
+- **Token blacklist** — SHA-256 hashed tokens, auto-pruning expired entries, Redis-ready port
+- **Account lockout** — configurable max attempts + lockout duration, resets on successful login
+- **Dockerfile** — multi-stage build with `distroless` base, health check, non-root user
+- **docker-compose.yml** — app + SQLite volume, all env vars configurable
+- **Test coverage** — `bun test --coverage` script, 67 tests (up from 41)
+- `AccountLockout` port + in-memory and SQLite adapters
+- `TokenBlacklist` port + in-memory and SQLite adapters
+- `SqliteUserRepository` adapter with prepared statements
+- New unit tests: SQLite user repository, migrations, token blacklist, account lockout
+- New integration tests: logout flow, blacklisted token rejection, account lockout
+- `DATABASE_PATH`, `LOCKOUT_MAX_ATTEMPTS`, `LOCKOUT_DURATION_MS` config options
+
+### Changed
+
+- `AuthService` now requires `TokenBlacklist` and `AccountLockout` dependencies
+- `main.ts` bootstrap is now async, initializes SQLite + runs migrations at boot
+- Auth handler receives `TokenService` for logout authentication
+- Version bumped to 1.1.0 in package.json and startup banner
+- Refresh token rotation now blacklists the old refresh token
+- Login flow checks account lockout before credential verification
+
+## [1.0.0] - 2026-02-11
+
+### Added
+
+- Clean Architecture project structure (core / application / infrastructure / presentation)
+- Bun.serve() HTTP server with inlined hot-path optimizations
+- O(1) Map-based router — no regex, no radix tree
+- `Result<T, E>` monad for error handling (no throw-based control flow)
+- Branded types: `UserId`, `RequestId`, `Timestamp`
+- Auth endpoints: register, login, refresh
+- User endpoints: get profile, update, delete
+- Health endpoints: shallow (`/health`) and deep (`/readiness`)
+- Argon2id password hashing via Bun.password (native)
+- HMAC-SHA256 JWT via Web Crypto API (zero external deps)
+- Zod-validated environment config with fail-fast on boot
+- Structured JSON logger with batched async writes
+- Per-IP sliding-window rate limiter (inlined on hot path)
+- Security headers middleware (CSP, HSTS, X-Frame-Options, etc.)
+- CORS middleware with configurable origin allowlist
+- Request validation middleware using Zod schemas
+- Bearer token auth middleware
+- Multi-process clustering with SO_REUSEPORT (`src/cluster.ts`)
+- DI container with symbol tokens (no decorators, no reflect-metadata)
+- 41 tests (unit + integration) — all passing
+- Biome linting with strict rules (no `any`, no `!`, cognitive complexity cap)
+- TypeScript strict mode with 22+ compiler flags
+- Benchmarking setup with bombardier

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 onlyApi Contributors
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,338 @@
+<div align="center">
+
+# onlyApi
+
+**Production-ready REST API foundation built on [Bun](https://bun.sh)**
+
+Zero unnecessary dependencies. Strictest TypeScript. Clean architecture. Enterprise security.
+
+[![CI](https://github.com/lysari/onlyapi/actions/workflows/ci.yml/badge.svg)](https://github.com/lysari/onlyapi/actions/workflows/ci.yml)
+[![License: MIT](https://img.shields.io/badge/License-MIT-blue.svg)](LICENSE)
+[![Bun](https://img.shields.io/badge/runtime-Bun_1.3-f472b6)](https://bun.sh)
+[![TypeScript](https://img.shields.io/badge/TypeScript-strict-3178c6)](tsconfig.json)
+[![Tests](https://img.shields.io/badge/tests-351_passing-brightgreen)]()
+
+</div>
+
+---
+
+## Overview
+
+onlyApi is a batteries-included API starter that ships everything you need to go from `git clone` to production — authentication, database, caching, observability, deployment — without pulling in a single framework or ORM. One runtime dependency (`zod`). ~78 KB minified.
+
+```bash
+bunx onlyapi init my-api && cd my-api && bun run dev
+```
+
+---
+
+## Features
+
+### Performance
+
+- **~30K req/s** single-core on a MacBook; scales linearly via `SO_REUSEPORT` clustering
+- O(1) Map-based routing — no regex matching, no radix tree traversal
+- Pathname extracted with string slicing — no `new URL()` allocation (~12x faster)
+- Pre-serialized static responses — `/health` avoids `JSON.stringify` entirely
+- Batched async access logging — one `write()` syscall per 100ms flush window
+- Inlined rate limiter on the hot path — zero function-call overhead
+
+### Authentication & Authorization
+
+- **JWT** — HMAC-SHA256 via Web Crypto API; access + refresh token pair
+- **Refresh token rotation** — one-time-use tokens with family-based reuse detection
+- **MFA / TOTP** — RFC 6238 implementation, Google Authenticator compatible
+- **OAuth2 / SSO** — Google and GitHub provider adapters
+- **API key auth** — `X-API-Key` header for service-to-service communication
+- **Email verification** — SHA-256 hashed, time-limited verification tokens
+- **Password reset** — secure token-based flow with non-enumerable responses
+- **Password policy** — configurable complexity, history tracking, reuse prevention, expiry
+- **Account lockout** — automatic lock after N consecutive failed login attempts
+- **Token blacklist** — logout invalidates both access and refresh tokens
+
+### Database
+
+- **SQLite** — `bun:sqlite` with WAL mode, zero-dep, built-in migrations
+- **PostgreSQL** — `Bun.sql` with 9 repository implementations and DDL migration runner
+- **SQL Server** — `mssql` (tedious TDS) with 9 repository adapters, T-SQL migrations, and stored procedure support
+- **In-memory** — testing adapter with full repository interface compliance
+- Config-driven adapter selection via `DATABASE_DRIVER=sqlite|postgres|mssql`
+
+### Caching
+
+- **In-memory cache** — Map-based with TTL and automatic prune interval
+- **Redis cache** — zero-dep implementation over raw RESP protocol via `Bun.connect()` TCP
+- Unified `Cache` port — `get`, `set`, `del`, `has`, `incr`, `delPattern`, `close`
+
+### Real-time
+
+- **WebSocket** — Bun-native upgrade at `/ws` with JSON protocol, JWT auth, pub/sub subscriptions
+- **Server-Sent Events** — `GET /api/v1/events/stream` with auth, event filtering, 30s heartbeat
+- **Domain events** — 15 typed events (`USER_REGISTERED`, `LOGIN_FAILED`, `MFA_ENABLED`, etc.)
+- **Event bus** — in-memory pub/sub with type-specific and wildcard subscriptions
+- **Webhooks** — outbound HTTP with HMAC-SHA256 signatures, event-type filtering per subscription
+- **Background job queue** — async processing with exponential backoff retry and dead letter queue
+
+### Observability
+
+- **Prometheus metrics** — `GET /metrics` with request count, latency histogram, error rate, active connections
+- **OpenTelemetry traces** — distributed tracing with W3C `traceparent` propagation
+- **Structured logging** — JSON mode for Datadog / ELK; batched async writes in production
+- **Audit log** — append-only record of user actions with IP, timestamp, and user ID
+- **Health checks** — shallow `/health` (instant) and deep `/readiness` (service connectivity)
+- **Alerting hooks** — webhook notifications on fatal errors and health degradation
+
+### API Design
+
+- **OpenAPI 3.1** — auto-generated spec served at `GET /docs`; Swagger UI at `GET /docs/html`
+- **API versioning** — `/api/v1/` and `/api/v2/` coexist; v1 returns `Deprecation` + `Sunset` headers
+- **ETag / conditional GET** — `If-None-Match` support with `304 Not Modified` responses
+- **Cursor-based pagination** — `?cursor=X&limit=20` on list endpoints
+- **Request ID tracing** — `X-Request-Id` propagated through loggers and echoed in responses
+- **i18n** — 5 languages (en, es, fr, de, ja), 33 message keys, RFC 7231 `Accept-Language` negotiation
+
+### Security
+
+- **Argon2id** — Bun-native password hashing, no C bindings
+- **CORS** — configurable origin allowlist with preflight caching
+- **Rate limiting** — per-IP sliding window with `Retry-After` headers
+- **Security headers** — `X-Content-Type-Options`, `X-Frame-Options`, `Strict-Transport-Security`, and more
+- **`Result<T, E>` monad** — no thrown exceptions; errors never leak internal state
+
+### Infrastructure & Deployment
+
+- **Dockerfile** — multi-stage build with distroless base, <20 MB image
+- **docker-compose** — app + SQLite volume, ready to run
+- **Kubernetes manifests** — Namespace, ConfigMap, Secret, Deployment, Service, Ingress, HPA, PDB, NetworkPolicy
+- **Helm chart** — parameterized deployment with 8 templates
+- **CI pipeline** — GitHub Actions: lint, type-check, test, build
+- **CD pipeline** — multi-arch Docker build (amd64 + arm64), staging deploy with smoke test, production deploy with GitHub Release
+- **Postman collection** — all endpoints with auto-token extraction scripts
+
+### Developer Experience
+
+- **CLI scaffolding** — `bunx onlyapi init my-api` creates a full project in seconds
+- **CLI upgrade** — `onlyapi upgrade` updates framework internals while preserving custom code
+- **Hot reload** — `bun run dev` with `--watch` mode
+- **351 tests** — unit, integration, E2E, and load testing across 36 files
+- **Biome** — fast linter and formatter, zero-config
+- **22+ strict TypeScript flags** — branded types, `exactOptionalPropertyTypes`, `noUncheckedIndexedAccess`
+
+---
+
+## Architecture
+
+```
+src/
+├── core/                 # Domain — zero dependencies
+│   ├── entities/         # User, UserRole
+│   ├── errors/           # AppError, canonical error codes
+│   ├── ports/            # Interfaces: repos, services, cache, events
+│   └── types/            # Branded types, Result<T,E> monad
+├── application/          # Use cases
+│   ├── dtos/             # Zod request schemas
+│   └── services/         # Auth, User, Health
+├── infrastructure/       # Adapters
+│   ├── config/           # Zod-validated env config
+│   ├── database/         # SQLite, PostgreSQL, SQL Server, in-memory
+│   ├── cache/            # In-memory, Redis (raw RESP)
+│   ├── logging/          # Structured JSON logger
+│   └── security/         # Argon2id, HMAC-SHA256 JWT
+├── presentation/         # HTTP
+│   ├── handlers/         # Route handlers
+│   ├── middleware/        # CORS, auth, rate-limit, versioning
+│   ├── i18n/             # Language catalogs
+│   ├── routes/           # O(1) Map router
+│   └── server.ts         # Bun.serve() hot-path
+├── shared/               # DI container, utilities
+├── cluster.ts            # SO_REUSEPORT multi-process
+└── main.ts               # Bootstrap + graceful shutdown
+```
+
+---
+
+## Quick Start
+
+### Prerequisites
+
+- [Bun](https://bun.sh) >= 1.1
+
+### Scaffold a Project
+
+```bash
+bunx onlyapi init my-api
+cd my-api
+bun run dev
+```
+
+### Or Clone Manually
+
+```bash
+git clone https://github.com/lysari/onlyapi.git
+cd onlyApi
+bun install
+cp .env.example .env
+bun run dev
+```
+
+### Production
+
+```bash
+# Single process
+bun run start
+
+# Multi-process cluster (1 worker per CPU core)
+bun run start:cluster
+```
+
+---
+
+## API Endpoints
+
+| Method | Path | Auth | Description |
+|--------|------|------|-------------|
+| `GET` | `/health` | — | Shallow health check |
+| `GET` | `/readiness` | — | Deep readiness check |
+| `GET` | `/docs` | — | OpenAPI 3.1 JSON |
+| `GET` | `/docs/html` | — | Swagger UI |
+| `GET` | `/metrics` | — | Prometheus metrics |
+| `POST` | `/api/v1/auth/register` | — | Register user |
+| `POST` | `/api/v1/auth/login` | — | Login, returns JWT pair |
+| `POST` | `/api/v1/auth/refresh` | — | Refresh access token |
+| `POST` | `/api/v1/auth/logout` | Bearer | Logout + blacklist tokens |
+| `POST` | `/api/v1/auth/verify-email` | — | Verify email token |
+| `POST` | `/api/v1/auth/forgot-password` | — | Request password reset |
+| `POST` | `/api/v1/auth/reset-password` | — | Reset password with token |
+| `POST` | `/api/v1/auth/mfa/setup` | Bearer | Generate TOTP secret |
+| `POST` | `/api/v1/auth/mfa/enable` | Bearer | Enable MFA |
+| `POST` | `/api/v1/auth/mfa/disable` | Bearer | Disable MFA |
+| `POST` | `/api/v1/auth/mfa/verify` | Bearer | Verify TOTP code |
+| `GET` | `/api/v1/auth/oauth/:provider` | — | OAuth2 redirect |
+| `GET` | `/api/v1/auth/oauth/:provider/callback` | — | OAuth2 callback |
+| `GET` | `/api/v1/users/me` | Bearer | Current user profile |
+| `PATCH` | `/api/v1/users/me` | Bearer | Update profile |
+| `DELETE` | `/api/v1/users/me` | Bearer | Delete account |
+| `POST` | `/api/v1/api-keys` | Bearer | Create API key |
+| `GET` | `/api/v1/api-keys` | Bearer | List API keys |
+| `DELETE` | `/api/v1/api-keys/:id` | Bearer | Revoke API key |
+| `POST` | `/api/v1/webhooks` | Admin | Create webhook |
+| `GET` | `/api/v1/webhooks` | Admin | List webhooks |
+| `DELETE` | `/api/v1/webhooks/:id` | Admin | Remove webhook |
+| `GET` | `/api/v1/events/stream` | Bearer | SSE event stream |
+| `WS` | `/ws` | JWT | WebSocket connection |
+
+All v1 endpoints are also available under `/api/v2/` with clean version headers.
+
+### Usage
+
+```bash
+# Register
+curl -s -X POST http://localhost:3000/api/v1/auth/register \
+  -H "Content-Type: application/json" \
+  -d '{"email":"user@example.com","password":"Str0ngP@ss!"}'
+
+# Login
+curl -s -X POST http://localhost:3000/api/v1/auth/login \
+  -H "Content-Type: application/json" \
+  -d '{"email":"user@example.com","password":"Str0ngP@ss!"}'
+
+# Authenticated request
+curl -s http://localhost:3000/api/v1/users/me \
+  -H "Authorization: Bearer <token>"
+```
+
+---
+
+## Configuration
+
+Environment variables are validated with Zod at startup. Invalid config crashes immediately — not at 3 AM in production.
+
+| Variable | Default | Description |
+|----------|---------|-------------|
+| `PORT` | `3000` | Server port |
+| `HOST` | `0.0.0.0` | Bind address |
+| `NODE_ENV` | `development` | Environment mode |
+| `JWT_SECRET` | — | **Required.** Min 32 characters |
+| `JWT_EXPIRES_IN` | `15m` | Access token TTL |
+| `JWT_REFRESH_EXPIRES_IN` | `7d` | Refresh token TTL |
+| `DATABASE_DRIVER` | `sqlite` | `sqlite`, `postgres`, or `mssql` |
+| `DATABASE_URL` | — | PostgreSQL or SQL Server connection string |
+| `REDIS_ENABLED` | `false` | Enable Redis cache layer |
+| `REDIS_HOST` | `127.0.0.1` | Redis hostname |
+| `REDIS_PORT` | `6379` | Redis port |
+| `REDIS_PASSWORD` | — | Redis password |
+| `CORS_ORIGINS` | `*` | Comma-separated allowed origins |
+| `RATE_LIMIT_WINDOW_MS` | `60000` | Rate limit window (ms) |
+| `RATE_LIMIT_MAX_REQUESTS` | `100` | Max requests per window |
+| `LOG_LEVEL` | `debug` | `debug` \| `info` \| `warn` \| `error` \| `fatal` |
+| `WORKERS` | CPU count | Cluster worker count |
+| `I18N_DEFAULT_LOCALE` | `en` | Default response locale |
+| `I18N_SUPPORTED_LOCALES` | `en` | Comma-separated supported locales |
+| `PASSWORD_MIN_LENGTH` | `8` | Minimum password length |
+| `PASSWORD_HISTORY_COUNT` | `5` | Previous passwords blocked from reuse |
+| `OAUTH_GOOGLE_CLIENT_ID` | — | Google OAuth2 client ID |
+| `OAUTH_GOOGLE_CLIENT_SECRET` | — | Google OAuth2 client secret |
+| `OAUTH_GITHUB_CLIENT_ID` | — | GitHub OAuth2 client ID |
+| `OAUTH_GITHUB_CLIENT_SECRET` | — | GitHub OAuth2 client secret |
+
+---
+
+## Scripts
+
+| Script | Description |
+|--------|-------------|
+| `bun run dev` | Development server with hot-reload |
+| `bun run start` | Production single-process |
+| `bun run start:cluster` | Production multi-process |
+| `bun run build` | Bundle and minify to `dist/` |
+| `bun run check` | TypeScript type-check |
+| `bun test` | Run all 351 tests |
+| `bun run lint` | Lint with Biome |
+| `bun run lint:fix` | Auto-fix lint issues |
+
+---
+
+## Performance
+
+Benchmarked on MacBook Pro (Intel i7-9750H, 12 threads) with [bombardier](https://github.com/codesenberg/bombardier):
+
+| Mode | Connections | Requests/sec | Avg Latency |
+|------|-------------|-------------|-------------|
+| Single process | 512 | **29,525** | 17.3ms |
+| Cluster (12 workers) | 512 | **32,415** | 15.8ms |
+
+> Localhost-constrained (server + load generator share CPU). Expect 5–10x on dedicated hardware.
+
+---
+
+## Testing
+
+```bash
+bun test                           # All 351 tests
+bun test --watch                   # Watch mode
+bun test tests/unit/               # Unit only
+bun test tests/integration/        # Integration only
+bun test tests/e2e/                # End-to-end only
+bun run tests/load/harness.ts      # Load test with threshold checks
+```
+
+| Layer | Coverage |
+|-------|----------|
+| **Unit** | Result monad, AppError, password hashing, JWT, repositories, TOTP, password policy, cache, i18n, versioning, event bus, webhooks, job queue |
+| **Integration** | Full HTTP lifecycle — health, auth flow, email verification, MFA, API keys, password policy, webhooks, SSE, CORS |
+| **E2E** | Complete user journey against a live server — register through logout, versioning headers, i18n, ETag/304, security headers |
+| **Load** | Automated regression detection — p50/p90/p95/p99 latency, throughput thresholds, error rate checks |
+
+---
+
+## Contributing
+
+See [CONTRIBUTING.md](CONTRIBUTING.md) for guidelines.
+
+## Security
+
+See [SECURITY.md](SECURITY.md) for reporting vulnerabilities.
+
+## License
+
+[MIT](LICENSE)

package/dist/cli.js

@@ -0,0 +1,14 @@
+#!/usr/bin/env bun
+// @bun
+var Lz=Object.create;var{getPrototypeOf:Mz,defineProperty:Qz,getOwnPropertyNames:Az}=Object;var vz=Object.prototype.hasOwnProperty;var g=(z,$,H)=>{H=z!=null?Lz(Mz(z)):{};let J=$||!z||!z.__esModule?Qz(H,"default",{value:z,enumerable:!0}):H;for(let T of Az(z))if(!vz.call(J,T))Qz(J,T,{get:()=>z[T],enumerable:!0});return J};var m=import.meta.require;var N=(z)=>`\x1B[${z}m`,w=N("0"),K=(z)=>`${N("1")}${z}${w}`,X=(z)=>`${N("2")}${z}${w}`,q=(z)=>`${N("36")}${z}${w}`,R=(z)=>`${N("32")}${z}${w}`,k=(z)=>`${N("33")}${z}${w}`,Wz=(z)=>`${N("35")}${z}${w}`,Cz=(z)=>`${N("34")}${z}${w}`,Zz=(z)=>`${N("31")}${z}${w}`,v=(z)=>`${N("90")}${z}${w}`,L=(z)=>`${N("97")}${z}${w}`;var _={success:R("\u2714"),error:Zz("\u2717"),warning:k("\u26A0"),info:q("\u2139"),arrow:q("\u2192"),chevron:q("\u203A"),sparkle:Wz("\u2726"),bolt:k("\u26A1"),folder:Cz("\uD83D\uDCC1"),file:v("\uD83D\uDCC4"),gear:v("\u2699"),rocket:Wz("\uD83D\uDE80"),package:q("\uD83D\uDCE6")},d=(z)=>{return[`${K(q("  \u250C\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2510"))}`,`${K(q("  \u2502"))}                                           ${K(q("\u2502"))}`,`${K(q("  \u2502"))}   ${K(L("\u26A1 onlyApi CLI"))}  ${X(v(`v${z}`))}                  ${K(q("\u2502"))}`,`${K(q("  \u2502"))}   ${X(v("Zero-dep enterprise REST API on Bun"))}    ${K(q("\u2502"))}`,`${K(q("  \u2502"))}                                           ${K(q("\u2502"))}`,`${K(q("  \u2514\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2518"))}`].join(`
+`)},Q=(z)=>process.stdout.write(`${z}
+`),Z=()=>process.stdout.write(`
+`),M=(z)=>process.stderr.write(`  ${_.error} ${Zz(z)}
+`),h=(z)=>process.stdout.write(`  ${_.warning} ${k(z)}
+`),C=(z)=>process.stdout.write(`  ${_.info} ${z}
+`),e=(z)=>process.stdout.write(`  ${_.success} ${R(z)}
+`),D=(z)=>process.stdout.write(`  ${_.chevron} ${z}
+`),Xz=["\u280B","\u2819","\u2839","\u2838","\u283C","\u2834","\u2826","\u2827","\u2807","\u280F"],y=(z)=>{let $=0,H=null,J=z,T=()=>{process.stdout.write("\r\x1B[K")};return{start(){H=setInterval(()=>{T();let W=Xz[$%Xz.length]??"\u280B";process.stdout.write(`  ${q(W)} ${J}`),$++},80)},update(W){J=W},stop(W){if(H)clearInterval(H);if(T(),W)process.stdout.write(`  ${_.success} ${R(W)}
+`)}}},$z=async(z,$)=>{let H=$?` ${X(`(${$})`)}`:"";process.stdout.write(`  ${_.chevron} ${z}${H}: `);let J=Bun.stdin.stream().getReader(),{value:T}=await J.read();return J.releaseLock(),(T?new TextDecoder().decode(T).trim():"")||$||""},c=async(z,$=!0)=>{let H=$?`${K("Y")}/n`:`y/${K("N")}`;process.stdout.write(`  ${_.chevron} ${z} ${X(`[${H}]`)}: `);let J=Bun.stdin.stream().getReader(),{value:T}=await J.read();J.releaseLock();let W=T?new TextDecoder().decode(T).trim().toLowerCase():"";if(W==="")return $;return W==="y"||W==="yes"},zz=(z)=>{let $=Math.max(...z.map(([H])=>H.length));for(let[H,J]of z)Q(`  ${v("\u2502")} ${X(H.padEnd($))}  ${L(J)}`)},b=(z)=>{Z(),Q(`  ${K(L(z))}`),Q(`  ${v("\u2500".repeat(50))}`)};var s=(z)=>{if(z<1000)return`${Math.round(z)}ms`;if(z<60000)return`${(z/1000).toFixed(1)}s`;return`${Math.floor(z/60000)}m ${Math.round(z%60000/1000)}s`},Hz=(z=64)=>{let H=crypto.getRandomValues(new Uint8Array(z));return Array.from(H,(J)=>"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"[J%62]).join("")};var Jz=(z)=>{Z(),Q(d(z)),Z(),Q(`  ${K(L("USAGE"))}`),Q(`  ${v("\u2500".repeat(50))}`),Q(`  ${X("$")} ${q("onlyapi")} ${R("<command>")} ${X("[options]")}`),Z(),Q(`  ${K(L("COMMANDS"))}`),Q(`  ${v("\u2500".repeat(50))}`);let $=[["init <name>","Create a new onlyApi project"],["upgrade","Upgrade current project to latest version"],["version","Show CLI version"],["help","Show this help message"]],H=Math.max(...$.map(([B])=>B.length));for(let[B,E]of $)Q(`  ${R(B.padEnd(H+2))} ${X(E)}`);Z(),Q(`  ${K(L("INIT OPTIONS"))}`),Q(`  ${v("\u2500".repeat(50))}`);let J=[[".","Initialize in the current directory"],["--cwd","Same as '.' \u2014 use current directory"]],T=Math.max(...J.map(([B])=>B.length));for(let[B,E]of J)Q(`  ${k(B.padEnd(T+2))} ${X(E)}`);Z(),Q(`  ${K(L("UPGRADE OPTIONS"))}`),Q(`  ${v("\u2500".repeat(50))}`);let W=[["--force, -f","Force upgrade even if on latest version"],["--dry-run","Preview changes without applying them"]],P=Math.max(...W.map(([B])=>B.length));for(let[B,E]of W)Q(`  ${k(B.padEnd(P+2))} ${X(E)}`);Z(),Q(`  ${K(L("EXAMPLES"))}`),Q(`  ${v("\u2500".repeat(50))}`);let I=[["onlyapi init my-api","Create project in ./my-api"],["onlyapi init .","Initialize in current directory"],["onlyapi upgrade","Upgrade to latest version"],["onlyapi upgrade --dry-run","Preview upgrade without changes"],["onlyapi upgrade --force","Force re-apply latest version"]];for(let[B,E]of I)Q(`  ${X("$")} ${q(B)}`),Q(`    ${X(E)}`);Z(),Q(`  ${X("Docs:")}   ${q("https://github.com/lysari/onlyapi#readme")}`),Q(`  ${X("Issues:")} ${q("https://github.com/lysari/onlyapi/issues")}`),Z()};import{existsSync as l,mkdirSync as Nz,rmSync as Kz}from"fs";import{join as o,resolve as Rz}from"path";var qz="https://github.com/lysari/onlyapi.git",Vz="https://github.com/lysari/onlyapi/archive/refs/heads/main.tar.gz",wz=/^[a-zA-Z0-9_-]+$/,Dz=(z)=>{if(!z)return"Project name is required.";if(!wz.test(z))return"Project name can only contain letters, numbers, hyphens, and underscores.";if(z.length>214)return"Project name is too long (max 214 chars).";return null},u=async(z,$=process.cwd())=>{let H=Bun.spawn(z,{cwd:$,stdout:"pipe",stderr:"pipe"}),[J,T]=await Promise.all([new Response(H.stdout).text(),new Response(H.stderr).text()]),W=await H.exited;return{stdout:J.trim(),stderr:T.trim(),exitCode:W}},xz=async(z)=>{try{let{exitCode:$}=await u(["which",z]);return $===0}catch{return!1}},Yz=async(z,$)=>{let H=performance.now();Z(),Q(d($)),Z();let J=z[0]??"",T=z.includes("--cwd")||z.includes(".");if(!J&&!T)J=await $z("Project name","my-api");if(T)J=".";if(J!=="."){let Y=Dz(J);if(Y)M(Y),process.exit(1)}let W=J==="."?process.cwd():Rz(process.cwd(),J);if(J!=="."&&l(W)){if((await Array.fromAsync(new Bun.Glob("*").scan({cwd:W}))).length>0){if(!await c(`Directory ${K(L(J))} already exists and is not empty. Continue?`,!1))C("Aborted."),process.exit(0)}}if(b("Creating project"),J!==".")Nz(W,{recursive:!0}),D(`Created directory ${K(q(J))}`);let P=await xz("git"),I=y("Downloading template...");I.start();let B=!1;if(P){I.update("Cloning from GitHub...");let{exitCode:Y}=await u(["git","clone","--depth=1","--single-branch",qz,J==="."?".":J],J==="."?W:process.cwd());B=Y===0}if(!B){I.update("Downloading release archive...");try{let Y=await fetch(Vz);if(!Y.ok)throw Error(`HTTP ${Y.status}`);let G=o(W,"__onlyapi.tar.gz");await Bun.write(G,Y),I.update("Extracting..."),await u(["tar","xzf",G,"--strip-components=1"],W),Kz(G,{force:!0}),B=!0}catch(Y){I.stop(),M(`Failed to download template: ${Y instanceof Error?Y.message:String(Y)}`),M("Please check your network connection and try again."),Z(),C(`You can also clone manually: ${X(`git clone ${qz} ${J}`)}`),process.exit(1)}}I.stop("Template downloaded");let E=o(W,".git");if(l(E))Kz(E,{recursive:!0,force:!0});if(P)await u(["git","init"],W),D("Initialized fresh git repository");let f=o(W,"package.json");if(l(f))try{let Y=await Bun.file(f).text(),G=JSON.parse(Y);if(J!==".")G.name=J;G.version="0.1.0",G.description="",G.author="",G.repository=void 0,G.bugs=void 0,G.homepage=void 0,await Bun.write(f,`${JSON.stringify(G,null,2)}
+`),D(`Updated ${K(q("package.json"))}`)}catch{h("Could not update package.json \u2014 you can edit it manually")}let O=o(W,".env.example"),S=o(W,".env");if(l(O)&&!l(S))try{let Y=await Bun.file(O).text(),G=Hz(64);Y=Y.replace("change-me-to-a-64-char-random-string",G),await Bun.write(S,Y),D(`Generated ${K(q(".env"))} with secure JWT_SECRET`)}catch{h("Could not generate .env \u2014 copy .env.example manually")}b("Installing dependencies");let p=y("Running bun install...");p.start();let{exitCode:j,stderr:t}=await u(["bun","install"],W);if(j!==0)p.stop(),M("Failed to install dependencies:"),Q(`  ${X(t)}`),Z(),C(`Run ${K(q("bun install"))} manually in the project directory.`);else p.stop("Dependencies installed");if(P)await u(["git","add","-A"],W),await u(["git","commit","-m","Initial commit from onlyApi CLI","--no-verify"],W),D("Created initial commit");let r=performance.now()-H;Z(),Q(`  ${_.rocket} ${K(R("Project created successfully!"))} ${X(`(${s(r)})`)}`),Z(),b("Next steps"),Z();let F=J!=="."?`cd ${J}`:null,U=[...F?[F]:[],"bun run dev          # Start dev server (hot-reload)","bun test             # Run tests","bun run check        # Type-check"];for(let Y of U)Q(`  ${X("$")} ${K(q(Y))}`);Z(),Q(`  ${X("Docs:")}  ${q("https://github.com/lysari/onlyapi#readme")}`),Q(`  ${X("Issues:")} ${q("https://github.com/lysari/onlyapi/issues")}`),Z(),Q(`  ${X("Happy hacking!")} ${_.bolt}`),Z()};import{existsSync as V}from"fs";import{join as x,resolve as Pz}from"path";var Bz="https://api.github.com/repos/lysari/onlyapi",fz=(z)=>`https://github.com/lysari/onlyapi/archive/refs/tags/${z}.tar.gz`,Fz="https://github.com/lysari/onlyapi/archive/refs/heads/main.tar.gz",Sz="https://registry.npmjs.org/only-api",jz=["src/core/errors/app-error.ts","src/core/types/brand.ts","src/core/types/result.ts","src/infrastructure/logging/logger.ts","src/infrastructure/security/password-hasher.ts","src/infrastructure/security/token-service.ts","src/presentation/middleware/cors.ts","src/presentation/middleware/rate-limit.ts","src/presentation/middleware/security-headers.ts","src/presentation/server.ts","src/presentation/context.ts","src/shared/cli.ts","src/shared/container.ts","src/shared/utils/id.ts","src/shared/utils/timing-safe.ts","src/shared/log-format.ts","src/cluster.ts","tsconfig.json","biome.json"],i=async(z,$=process.cwd())=>{let H=Bun.spawn(z,{cwd:$,stdout:"pipe",stderr:"pipe"}),[J,T]=await Promise.all([new Response(H.stdout).text(),new Response(H.stderr).text()]),W=await H.exited;return{stdout:J.trim(),stderr:T.trim(),exitCode:W}},Gz=(z)=>{let $=z.replace(/^v/,"").split(".").map(Number);return[$[0]??0,$[1]??0,$[2]??0]},Tz=(z,$)=>{let[H,J,T]=Gz(z),[W,P,I]=Gz($);if(H!==W)return H>W;if(J!==P)return J>P;return T>I},hz=async()=>{try{let z=await fetch(`${Bz}/releases/latest`,{headers:{Accept:"application/vnd.github.v3+json"}});if(z.ok)return(await z.json()).tag_name.replace(/^v/,"")}catch{}try{let z=await fetch(`${Bz}/tags?per_page=1`,{headers:{Accept:"application/vnd.github.v3+json"}});if(z.ok){let $=await z.json();if($.length>0){let H=$[0];return H?H.name.replace(/^v/,""):null}}}catch{}try{let z=await fetch(Sz);if(z.ok)return(await z.json())["dist-tags"].latest}catch{}return null},Uz=async(z,$)=>{let H=performance.now(),J=Pz(process.cwd());Z(),Q(d($)),Z();let T=x(J,"package.json");if(!V(T))M("No package.json found in current directory."),C("Run this command from the root of your onlyApi project."),process.exit(1);let W;try{W=JSON.parse(await Bun.file(T).text()).version??"0.0.0"}catch{M("Could not read package.json."),process.exit(1)}if(!(V(x(J,"src/main.ts"))&&V(x(J,"src/core"))&&V(x(J,"src/presentation"))))M("This doesn't appear to be an onlyApi project."),C("Expected to find src/main.ts, src/core/, and src/presentation/"),process.exit(1);b("Checking for updates");let I=y("Fetching latest version...");I.start();let B=await hz();if(!B){if(I.stop(),h("Could not determine the latest version."),C("This may be due to network issues or API rate limits."),Z(),!(z.includes("--force")||z.includes("-f"))){if(!await c("Continue with upgrade from main branch?",!1))C("Aborted."),process.exit(0)}}else{if(I.stop("Version check complete"),Z(),zz([["Current version",W],["Latest version",B]]),Z(),!Tz(B,W)&&!z.includes("--force")&&!z.includes("-f"))e("You're already on the latest version!"),Z(),process.exit(0);if(Tz(B,W))C(`Update available: ${K(k(W))} ${X("\u2192")} ${K(R(B))}`);else C(`Re-applying latest version ${X("(--force)")}`)}let E=V(x(J,".git"));if(E){let{stdout:F}=await i(["git","status","--porcelain"],J);if(F){if(Z(),h("You have uncommitted changes."),!await c("Continue anyway?",!1))C("Commit your changes first, then retry."),process.exit(0)}}b("Downloading update");let f=y("Downloading latest source...");f.start();let O=x(J,".onlyapi-upgrade-tmp");try{if(V(O)){let{rmSync:Ez}=await import("fs");Ez(O,{recursive:!0,force:!0})}let{mkdirSync:F}=await import("fs");F(O,{recursive:!0});let U=B?fz(`v${B}`):Fz,Y=await fetch(U),G=Y;if(!Y.ok&&B)f.update("Tag not found, trying main branch..."),G=await fetch(Fz);if(!G.ok)throw Error(`HTTP ${G.status}`);let A=x(O,"update.tar.gz");await Bun.write(A,G),f.update("Extracting..."),await i(["tar","xzf",A,"--strip-components=1"],O);let{rmSync:n}=await import("fs");n(A,{force:!0}),f.stop("Download complete")}catch(F){if(f.stop(),M(`Failed to download update: ${F instanceof Error?F.message:String(F)}`),V(O)){let{rmSync:U}=await import("fs");U(O,{recursive:!0,force:!0})}process.exit(1)}b("Applying updates");let S=0,p=0,j=z.includes("--dry-run");for(let F of jz){let U=x(O,F),Y=x(J,F);if(!V(U))continue;try{let G=await Bun.file(U).text();if(V(Y)){if(await Bun.file(Y).text()===G){p++;continue}}if(!j){let A=Y.substring(0,Y.lastIndexOf("/")),{mkdirSync:n}=await import("fs");n(A,{recursive:!0}),await Bun.write(Y,G)}D(`${j?`${X("[dry-run]")} `:""}Updated ${K(q(F))}`),S++}catch{h(`Could not update ${F}`)}}let t=x(O,"package.json");if(V(t))try{let F=JSON.parse(await Bun.file(t).text()),U=JSON.parse(await Bun.file(T).text()),Y=!1;if(F.dependencies){U.dependencies=U.dependencies??{};for(let[G,A]of Object.entries(F.dependencies))if(U.dependencies[G]!==A)U.dependencies[G]=A,Y=!0}if(F.devDependencies){U.devDependencies=U.devDependencies??{};for(let[G,A]of Object.entries(F.devDependencies))if(U.devDependencies[G]!==A)U.devDependencies[G]=A,Y=!0}if(B)U.version=B;if(!j)await Bun.write(T,`${JSON.stringify(U,null,2)}
+`);if(Y)D(`${j?`${X("[dry-run]")} `:""}Updated dependencies in ${K(q("package.json"))}`)}catch{h("Could not merge package.json dependencies")}if(V(O)){let{rmSync:F}=await import("fs");F(O,{recursive:!0,force:!0})}if(!j&&S>0){b("Installing dependencies");let F=y("Running bun install...");F.start();let{exitCode:U}=await i(["bun","install"],J);if(U!==0)F.stop(),h("bun install failed \u2014 run it manually.");else F.stop("Dependencies installed")}if(E&&!j&&S>0){if(await c("Create a git commit for this upgrade?")){let U=B?`chore: upgrade onlyApi to v${B}`:"chore: upgrade onlyApi to latest";await i(["git","add","-A"],J),await i(["git","commit","-m",U,"--no-verify"],J),D("Created upgrade commit")}}let r=performance.now()-H;if(Z(),S>0)Q(`  ${_.rocket} ${K(R("Upgrade complete!"))} ${X(`(${s(r)})`)}`),Z(),zz([["Files updated",String(S)],["Files unchanged",String(p)]]);else if(j)Q(`  ${_.info} ${K(q("Dry run complete"))} \u2014 no files were modified.`);else e("All files are already up to date!");if(Z(),S>0)Q(`  ${X("Note: The following files are NOT auto-upgraded (your custom code):")}`),Q(`  ${X("  - src/application/     (your services & DTOs)")}`),Q(`  ${X("  - src/core/entities/   (your domain entities)")}`),Q(`  ${X("  - src/core/ports/      (your port interfaces)")}`),Q(`  ${X("  - src/presentation/handlers/  (your route handlers)")}`),Q(`  ${X("  - src/presentation/routes/    (your routes)")}`),Q(`  ${X("  - src/main.ts          (your bootstrap)")}`),Z(),Q(`  ${X("Review the")} ${q("CHANGELOG.md")} ${X("for breaking changes.")}`),Z()};var a="1.5.1",_z=process.argv.slice(2),Iz=_z[0]?.toLowerCase()??"",Oz=_z.slice(1),bz=async()=>{try{switch(Iz){case"init":case"create":case"new":await Yz(Oz,a);break;case"upgrade":case"update":await Uz(Oz,a);break;case"version":case"-v":case"--version":Q(`onlyapi v${a}`);break;case"help":case"-h":case"--help":Jz(a);break;case"":Jz(a);break;default:Z(),M(`Unknown command: ${K(L(Iz))}`),Z(),Q(`  ${X("Run")} ${q("onlyapi help")} ${X("to see available commands.")}`),Z(),process.exit(1)}}catch(z){Z(),M(z instanceof Error?z.message:String(z)),Z(),process.exit(1)}};bz();