npm - @geekmidas/constructs - Versions diffs - 0.0.22 → 0.2.0 - Mend

@geekmidas/constructs 0.0.22 → 0.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (210) hide show

package/dist/{EndpointBuilder-CYkeYpsL.cjs → EndpointBuilder-DeswNQdG.cjs} RENAMED Viewed

@@ -1,7 +1,9 @@
 const require_chunk = require('./chunk-CUT6urMc.cjs');
 const require_Construct = require('./Construct-BYSPikVm.cjs');
 const require_BaseFunctionBuilder = require('./BaseFunctionBuilder-C5Se7pdL.cjs');
-const require_Endpoint = require('./Endpoint-CA-byrDr.cjs');
+const require_Endpoint = require('./Endpoint-BJo9Hhwm.cjs');
+const require_Authorizer = require('./Authorizer-C0ge_tc8.cjs');
+const require_rls = require('./rls-CmJ7bRsz.cjs');
 const lodash_uniqby = require_chunk.__toESM(require("lodash.uniqby"));
 //#region src/endpoints/EndpointBuilder.ts
@@ -18,6 +20,9 @@ var EndpointBuilder = class extends require_BaseFunctionBuilder.BaseFunctionBuil
 	_authorizerName;
 	_actorExtractor;
 	_audits = [];
+	_customSecuritySchemes = {};
+	_rlsConfig;
+	_rlsBypass;
 	constructor(route, method) {
 		super(require_Construct.ConstructType.Endpoint);
 		this.route = route;
@@ -157,11 +162,69 @@ var EndpointBuilder = class extends require_BaseFunctionBuilder.BaseFunctionBuil
 		this._databaseService = service;
 		return this;
 	}
+	/**
+	* Configure RLS (Row-Level Security) context for this endpoint.
+	* Pass `false` or `RLS_BYPASS` to explicitly bypass RLS for this endpoint.
+	*
+	* @example
+	* ```typescript
+	* // Custom RLS config for this endpoint
+	* .rls({
+	*   extractor: ({ session }) => ({
+	*     user_id: session.userId,
+	*     tenant_id: session.tenantId,
+	*   }),
+	*   prefix: 'app',
+	* })
+	*
+	* // Bypass RLS (for admin endpoints)
+	* .rls(false)
+	* ```
+	*/
+	rls(config) {
+		if (config === false || config === require_rls.RLS_BYPASS) {
+			this._rlsBypass = true;
+			this._rlsConfig = void 0;
+		} else {
+			this._rlsConfig = config;
+			this._rlsBypass = false;
+		}
+		return this;
+	}
+	/**
+	* Explicitly bypass RLS for this endpoint.
+	* Useful for admin operations that need unrestricted database access.
+	*
+	* @example
+	* ```typescript
+	* .rlsBypass()
+	* .handle(async ({ db }) => {
+	*   // Full access, no RLS filtering
+	*   return db.selectFrom('orders').selectAll().execute();
+	* })
+	* ```
+	*/
+	rlsBypass() {
+		this._rlsBypass = true;
+		this._rlsConfig = void 0;
+		return this;
+	}
 	input(_schema) {
 		throw new Error("EndpointBuilder does not support generic input. Use body(), query(), or params() instead.");
 	}
 	handle(fn) {
-		const authorizer = this._authorizerName ? this._availableAuthorizers.find((a) => a.name === this._authorizerName) ?? { name: this._authorizerName } : void 0;
+		let authorizer;
+		if (this._authorizerName) {
+			const existingAuthorizer = this._availableAuthorizers.find((a) => a.name === this._authorizerName);
+			if (existingAuthorizer) authorizer = existingAuthorizer;
+			else {
+				const securityScheme = require_Authorizer.getSecurityScheme(this._authorizerName, this._customSecuritySchemes);
+				authorizer = {
+					name: this._authorizerName,
+					securityScheme
+				};
+			}
+		}
 		return new require_Endpoint.Endpoint({
 			fn,
 			method: this.method,
@@ -184,7 +247,9 @@ var EndpointBuilder = class extends require_BaseFunctionBuilder.BaseFunctionBuil
 			auditorStorageService: this._auditorStorage,
 			actorExtractor: this._actorExtractor,
 			audits: this._audits,
-			databaseService: this._databaseService
+			databaseService: this._databaseService,
+			rlsConfig: this._rlsConfig,
+			rlsBypass: this._rlsBypass
 		});
 	}
 };
@@ -196,4 +261,4 @@ Object.defineProperty(exports, 'EndpointBuilder', {
     return EndpointBuilder;
   }
 });
-//# sourceMappingURL=EndpointBuilder-CYkeYpsL.cjs.map
+//# sourceMappingURL=EndpointBuilder-DeswNQdG.cjs.map

package/dist/EndpointBuilder-DeswNQdG.cjs.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"EndpointBuilder-DeswNQdG.cjs","names":["BaseFunctionBuilder","route: TRoute","method: TMethod","ConstructType","publisher: Service<TEventPublisherServiceName, TEventPublisher>","storage: Service<TAuditStorageServiceName, TAuditStorage>","service: Service<TDatabaseServiceName, TDatabase>","description: string","status: SuccessStatus","event: TEvent","tags: string[]","memorySize: number","publisher: Service<TName, T>","schema: T","config: RateLimitConfig","name: TAuthorizers[number] | 'none'","services: T","logger: T","storage: Service<TName, T>","extractor: ActorExtractor<TServices, TSession, TLogger>","audits: MappedAudit<TAuditAction, OutSchema>[]","service: Service<TName, T>","config: RlsConfig<TServices, TSession, TLogger> | false | RlsBypass","RLS_BYPASS","_schema: any","fn: EndpointHandler<\n TInput,\n TServices,\n TLogger,\n OutSchema,\n TSession,\n TDatabase,\n TAuditStorage,\n TAuditAction\n >","authorizer: Authorizer | undefined","Endpoint"],"sources":["../src/endpoints/EndpointBuilder.ts"],"sourcesContent":["import type {\n AuditStorage,\n AuditableAction,\n ExtractStorageAuditAction,\n} from '@geekmidas/audit';\nimport type { EventPublisher, MappedEvent } from '@geekmidas/events';\nimport type { Logger } from '@geekmidas/logger';\nimport type { RateLimitConfig } from '@geekmidas/rate-limit';\nimport type { Service } from '@geekmidas/services';\nimport type { StandardSchemaV1 } from '@standard-schema/spec';\nimport uniqBy from 'lodash.uniqby';\nimport { ConstructType } from '../Construct';\nimport { BaseFunctionBuilder } from '../functions';\nimport type { HttpMethod } from '../types';\nimport type { Authorizer, SecurityScheme } from './Authorizer';\nimport { getSecurityScheme } from './Authorizer';\nimport { Endpoint, type EndpointSchemas } from './Endpoint';\nimport type {\n AuthorizeFn,\n EndpointHandler,\n SessionFn,\n SuccessStatus,\n} from './Endpoint';\nimport type { ActorExtractor, MappedAudit } from './audit';\nimport type { RlsBypass, RlsConfig } from './rls';\nimport { RLS_BYPASS } from './rls';\n\nexport class EndpointBuilder<\n TRoute extends string,\n TMethod extends HttpMethod,\n TInput extends EndpointSchemas = {},\n TServices extends Service[] = [],\n TLogger extends Logger = Logger,\n OutSchema extends StandardSchemaV1 | undefined = undefined,\n TSession = unknown,\n TEventPublisher extends EventPublisher<any> | undefined = undefined,\n TEventPublisherServiceName extends string = string,\n TAuthorizers extends readonly string[] = readonly string[],\n TAuditStorage extends AuditStorage | undefined = undefined,\n TAuditStorageServiceName extends string = string,\n TAuditAction extends AuditableAction<string, unknown> = AuditableAction<\n string,\n unknown\n >,\n TDatabase = undefined,\n TDatabaseServiceName extends string = string,\n> extends BaseFunctionBuilder<\n TInput,\n OutSchema,\n TServices,\n TLogger,\n TEventPublisher,\n TEventPublisherServiceName,\n TAuditStorage,\n TAuditStorageServiceName,\n TDatabase,\n TDatabaseServiceName\n> {\n protected schemas: TInput = {} as TInput;\n protected _description?: string;\n protected _status?: SuccessStatus;\n protected _tags?: string[];\n protected _memorySize?: number;\n _getSession: SessionFn<TServices, TLogger, TSession, TDatabase> = () =>\n ({}) as TSession;\n _authorize: AuthorizeFn<TServices, TLogger, TSession> = () => true;\n _rateLimit?: RateLimitConfig;\n _availableAuthorizers: Authorizer[] = [];\n _authorizerName?: TAuthorizers[number];\n _actorExtractor?: ActorExtractor<TServices, TSession, TLogger>;\n _audits: MappedAudit<TAuditAction, OutSchema>[] = [];\n _customSecuritySchemes: Record<string, SecurityScheme> = {};\n _rlsConfig?: RlsConfig<TServices, TSession, TLogger>;\n _rlsBypass?: boolean;\n\n constructor(\n readonly route: TRoute,\n readonly method: TMethod,\n ) {\n super(ConstructType.Endpoint);\n }\n\n // Internal setter for EndpointFactory to set default publisher\n _setPublisher(\n publisher: Service<TEventPublisherServiceName, TEventPublisher>,\n ) {\n this._publisher = publisher;\n }\n\n // Internal setter for EndpointFactory to set default auditor storage\n _setAuditorStorage(\n storage: Service<TAuditStorageServiceName, TAuditStorage>,\n ) {\n this._auditorStorage = storage;\n }\n\n // Internal setter for EndpointFactory to set default database service\n _setDatabaseService(service: Service<TDatabaseServiceName, TDatabase>) {\n this._databaseService = service;\n }\n\n description(description: string): this {\n this._description = description;\n return this;\n }\n\n status(status: SuccessStatus): this {\n this._status = status;\n return this;\n }\n\n event<TEvent extends MappedEvent<TEventPublisher, OutSchema>>(\n event: TEvent,\n ): this {\n this._events.push(event);\n return this;\n }\n\n tags(tags: string[]): this {\n this._tags = tags;\n return this;\n }\n\n memorySize(memorySize: number): this {\n this._memorySize = memorySize;\n return this;\n }\n\n publisher<T extends EventPublisher<any>, TName extends string>(\n publisher: Service<TName, T>,\n ): EndpointBuilder<\n TRoute,\n TMethod,\n TInput,\n TServices,\n TLogger,\n OutSchema,\n TSession,\n T,\n TName,\n TAuthorizers,\n TAuditStorage,\n TAuditStorageServiceName,\n TAuditAction,\n TDatabase,\n TDatabaseServiceName\n > {\n this._publisher = publisher as unknown as Service<\n TEventPublisherServiceName,\n TEventPublisher\n >;\n\n return this as unknown as EndpointBuilder<\n TRoute,\n TMethod,\n TInput,\n TServices,\n TLogger,\n OutSchema,\n TSession,\n T,\n TName,\n TAuthorizers,\n TAuditStorage,\n TAuditStorageServiceName,\n TAuditAction,\n TDatabase,\n TDatabaseServiceName\n >;\n }\n\n body<T extends StandardSchemaV1>(\n schema: T,\n ): EndpointBuilder<\n TRoute,\n TMethod,\n Omit<TInput, 'body'> & { body: T },\n TServices,\n TLogger,\n OutSchema,\n TSession,\n TEventPublisher,\n TEventPublisherServiceName,\n TAuthorizers,\n TAuditStorage,\n TAuditStorageServiceName,\n TAuditAction,\n TDatabase,\n TDatabaseServiceName\n > {\n this.schemas.body = schema as unknown as T;\n // @ts-ignore\n return this;\n }\n\n search<T extends StandardSchemaV1>(\n schema: T,\n ): EndpointBuilder<\n TRoute,\n TMethod,\n Omit<TInput, 'query'> & { query: T },\n TServices,\n TLogger,\n OutSchema,\n TSession,\n TEventPublisher,\n TEventPublisherServiceName,\n TAuthorizers,\n TAuditStorage,\n TAuditStorageServiceName,\n TAuditAction,\n TDatabase,\n TDatabaseServiceName\n > {\n this.schemas.query = schema as unknown as T;\n // @ts-ignore\n return this;\n }\n\n query<T extends StandardSchemaV1>(\n schema: T,\n ): EndpointBuilder<\n TRoute,\n TMethod,\n Omit<TInput, 'query'> & { query: T },\n TServices,\n TLogger,\n OutSchema,\n TSession,\n TEventPublisher,\n TEventPublisherServiceName,\n TAuthorizers,\n TAuditStorage,\n TAuditStorageServiceName,\n TAuditAction,\n TDatabase,\n TDatabaseServiceName\n > {\n return this.search(schema);\n }\n\n params<T extends StandardSchemaV1>(\n schema: T,\n ): EndpointBuilder<\n TRoute,\n TMethod,\n Omit<TInput, 'params'> & { params: T },\n TServices,\n TLogger,\n OutSchema,\n TSession,\n TEventPublisher,\n TEventPublisherServiceName,\n TAuthorizers,\n TAuditStorage,\n TAuditStorageServiceName,\n TAuditAction,\n TDatabase,\n TDatabaseServiceName\n > {\n this.schemas.params = schema as unknown as T;\n // @ts-ignore\n return this;\n }\n\n rateLimit(config: RateLimitConfig): this {\n this._rateLimit = config;\n return this;\n }\n\n authorizer(\n name: TAuthorizers[number] | 'none',\n ): EndpointBuilder<\n TRoute,\n TMethod,\n TInput,\n TServices,\n TLogger,\n OutSchema,\n TSession,\n TEventPublisher,\n TEventPublisherServiceName,\n TAuthorizers,\n TAuditStorage,\n TAuditStorageServiceName,\n TAuditAction,\n TDatabase,\n TDatabaseServiceName\n > {\n // Special case: 'none' explicitly marks endpoint as having no authorizer\n if (name === 'none') {\n this._authorizerName = undefined;\n return this;\n }\n\n // Validate that the authorizer exists in available authorizers\n const authorizerExists = this._availableAuthorizers.some(\n (a) => a.name === name,\n );\n if (!authorizerExists && this._availableAuthorizers.length > 0) {\n const available = this._availableAuthorizers\n .map((a) => a.name)\n .join(', ');\n throw new Error(\n `Authorizer \"${name as string}\" not found in available authorizers: ${available}`,\n );\n }\n this._authorizerName = name;\n return this;\n }\n\n services<T extends Service[]>(\n services: T,\n ): EndpointBuilder<\n TRoute,\n TMethod,\n TInput,\n [...TServices, ...T],\n TLogger,\n OutSchema,\n TSession,\n TEventPublisher,\n TEventPublisherServiceName,\n TAuthorizers,\n TAuditStorage,\n TAuditStorageServiceName,\n TAuditAction,\n TDatabase,\n TDatabaseServiceName\n > {\n this._services = uniqBy(\n [...this._services, ...services],\n (s) => s.serviceName,\n ) as TServices;\n\n return this as unknown as EndpointBuilder<\n TRoute,\n TMethod,\n TInput,\n [...TServices, ...T],\n TLogger,\n OutSchema,\n TSession,\n TEventPublisher,\n TEventPublisherServiceName,\n TAuthorizers,\n TAuditStorage,\n TAuditStorageServiceName,\n TAuditAction,\n TDatabase,\n TDatabaseServiceName\n >;\n }\n\n logger<T extends Logger>(\n logger: T,\n ): EndpointBuilder<\n TRoute,\n TMethod,\n TInput,\n TServices,\n T,\n OutSchema,\n TSession,\n TEventPublisher,\n TEventPublisherServiceName,\n TAuthorizers,\n TAuditStorage,\n TAuditStorageServiceName,\n TAuditAction,\n TDatabase,\n TDatabaseServiceName\n > {\n this._logger = logger as unknown as TLogger;\n\n return this as unknown as EndpointBuilder<\n TRoute,\n TMethod,\n TInput,\n TServices,\n T,\n OutSchema,\n TSession,\n TEventPublisher,\n TEventPublisherServiceName,\n TAuthorizers,\n TAuditStorage,\n TAuditStorageServiceName,\n TAuditAction,\n TDatabase,\n TDatabaseServiceName\n >;\n }\n\n output<T extends StandardSchemaV1>(\n schema: T,\n ): EndpointBuilder<\n TRoute,\n TMethod,\n TInput,\n TServices,\n TLogger,\n T,\n TSession,\n TEventPublisher,\n TEventPublisherServiceName,\n TAuthorizers,\n TAuditStorage,\n TAuditStorageServiceName,\n TAuditAction,\n TDatabase,\n TDatabaseServiceName\n > {\n this.outputSchema = schema as unknown as OutSchema;\n\n return this as unknown as EndpointBuilder<\n TRoute,\n TMethod,\n TInput,\n TServices,\n TLogger,\n T,\n TSession,\n TEventPublisher,\n TEventPublisherServiceName,\n TAuthorizers,\n TAuditStorage,\n TAuditStorageServiceName,\n TAuditAction,\n TDatabase,\n TDatabaseServiceName\n >;\n }\n\n /**\n * Set the auditor storage service for this endpoint.\n * This enables audit functionality and makes `auditor` available in the handler context.\n * The audit action type is automatically inferred from the storage's generic parameter.\n */\n auditor<T extends AuditStorage<any>, TName extends string>(\n storage: Service<TName, T>,\n ): EndpointBuilder<\n TRoute,\n TMethod,\n TInput,\n TServices,\n TLogger,\n OutSchema,\n TSession,\n TEventPublisher,\n TEventPublisherServiceName,\n TAuthorizers,\n T,\n TName,\n ExtractStorageAuditAction<T>,\n TDatabase,\n TDatabaseServiceName\n > {\n this._auditorStorage = storage as unknown as Service<\n TAuditStorageServiceName,\n TAuditStorage\n >;\n\n return this as unknown as EndpointBuilder<\n TRoute,\n TMethod,\n TInput,\n TServices,\n TLogger,\n OutSchema,\n TSession,\n TEventPublisher,\n TEventPublisherServiceName,\n TAuthorizers,\n T,\n TName,\n ExtractStorageAuditAction<T>,\n TDatabase,\n TDatabaseServiceName\n >;\n }\n\n /**\n * Set the actor extractor function for audit records.\n * The actor is extracted from the request context and attached to all audits.\n */\n actor(\n extractor: ActorExtractor<TServices, TSession, TLogger>,\n ): EndpointBuilder<\n TRoute,\n TMethod,\n TInput,\n TServices,\n TLogger,\n OutSchema,\n TSession,\n TEventPublisher,\n TEventPublisherServiceName,\n TAuthorizers,\n TAuditStorage,\n TAuditStorageServiceName,\n TAuditAction,\n TDatabase,\n TDatabaseServiceName\n > {\n this._actorExtractor = extractor;\n return this;\n }\n\n /**\n * Add declarative audit definitions that are processed after the handler executes.\n * Similar to `.event()` for events, but for audits.\n *\n * @example\n * ```typescript\n * .audit<AppAuditAction>([\n * {\n * type: 'user.created',\n * payload: (response) => ({ userId: response.id, email: response.email }),\n * when: (response) => response.active,\n * entityId: (response) => response.id,\n * table: 'users',\n * },\n * ])\n * ```\n */\n audit(audits: MappedAudit<TAuditAction, OutSchema>[]): this {\n this._audits = audits;\n return this;\n }\n\n /**\n * Set the database service for this endpoint.\n * The database will be available in the handler context as `db`.\n * When audit storage is configured and uses the same database,\n * `db` will automatically be the transaction for ACID compliance.\n *\n * @example\n * ```typescript\n * .database(databaseService)\n * .handle(async ({ db }) => {\n * // db is the raw database or transaction (when auditor uses same db)\n * return await db.selectFrom('users').selectAll().execute();\n * })\n * ```\n */\n database<T, TName extends string>(\n service: Service<TName, T>,\n ): EndpointBuilder<\n TRoute,\n TMethod,\n TInput,\n TServices,\n TLogger,\n OutSchema,\n TSession,\n TEventPublisher,\n TEventPublisherServiceName,\n TAuthorizers,\n TAuditStorage,\n TAuditStorageServiceName,\n TAuditAction,\n T,\n TName\n > {\n this._databaseService = service as unknown as Service<\n TDatabaseServiceName,\n TDatabase\n >;\n\n return this as unknown as EndpointBuilder<\n TRoute,\n TMethod,\n TInput,\n TServices,\n TLogger,\n OutSchema,\n TSession,\n TEventPublisher,\n TEventPublisherServiceName,\n TAuthorizers,\n TAuditStorage,\n TAuditStorageServiceName,\n TAuditAction,\n T,\n TName\n >;\n }\n\n /**\n * Configure RLS (Row-Level Security) context for this endpoint.\n * Pass `false` or `RLS_BYPASS` to explicitly bypass RLS for this endpoint.\n *\n * @example\n * ```typescript\n * // Custom RLS config for this endpoint\n * .rls({\n * extractor: ({ session }) => ({\n * user_id: session.userId,\n * tenant_id: session.tenantId,\n * }),\n * prefix: 'app',\n * })\n *\n * // Bypass RLS (for admin endpoints)\n * .rls(false)\n * ```\n */\n rls(\n config: RlsConfig<TServices, TSession, TLogger> | false | RlsBypass,\n ): this {\n if (config === false || config === RLS_BYPASS) {\n this._rlsBypass = true;\n this._rlsConfig = undefined;\n } else {\n this._rlsConfig = config;\n this._rlsBypass = false;\n }\n return this;\n }\n\n /**\n * Explicitly bypass RLS for this endpoint.\n * Useful for admin operations that need unrestricted database access.\n *\n * @example\n * ```typescript\n * .rlsBypass()\n * .handle(async ({ db }) => {\n * // Full access, no RLS filtering\n * return db.selectFrom('orders').selectAll().execute();\n * })\n * ```\n */\n rlsBypass(): this {\n this._rlsBypass = true;\n this._rlsConfig = undefined;\n return this;\n }\n\n // EndpointBuilder doesn't have a generic input method - it uses body, query, params instead\n input(_schema: any): any {\n throw new Error(\n 'EndpointBuilder does not support generic input. Use body(), query(), or params() instead.',\n );\n }\n\n handle(\n fn: EndpointHandler<\n TInput,\n TServices,\n TLogger,\n OutSchema,\n TSession,\n TDatabase,\n TAuditStorage,\n TAuditAction\n >,\n ): Endpoint<\n TRoute,\n TMethod,\n TInput,\n OutSchema,\n TServices,\n TLogger,\n TSession,\n TEventPublisher,\n TEventPublisherServiceName,\n TAuditStorage,\n TAuditStorageServiceName,\n TAuditAction,\n TDatabase,\n TDatabaseServiceName\n > {\n // Find authorizer metadata if name is set\n // If the authorizer name is set but not in availableAuthorizers, create a simple authorizer object\n let authorizer: Authorizer | undefined;\n if (this._authorizerName) {\n const existingAuthorizer = this._availableAuthorizers.find(\n (a) => a.name === this._authorizerName,\n );\n\n if (existingAuthorizer) {\n authorizer = existingAuthorizer;\n } else {\n // Create authorizer with security scheme if available (built-in or custom)\n const securityScheme = getSecurityScheme(\n this._authorizerName as string,\n this._customSecuritySchemes,\n );\n authorizer = {\n name: this._authorizerName as string,\n securityScheme,\n };\n }\n }\n\n return new Endpoint({\n fn,\n method: this.method,\n route: this.route,\n description: this._description,\n tags: this._tags,\n input: this.schemas,\n output: this.outputSchema,\n services: this._services,\n logger: this._logger,\n timeout: this._timeout,\n memorySize: this._memorySize,\n authorize: this._authorize,\n status: this._status,\n getSession: this._getSession,\n rateLimit: this._rateLimit,\n publisherService: this._publisher,\n events: this._events,\n authorizer,\n auditorStorageService: this._auditorStorage,\n actorExtractor: this._actorExtractor,\n audits: this._audits,\n databaseService: this._databaseService,\n rlsConfig: this._rlsConfig,\n rlsBypass: this._rlsBypass,\n });\n }\n}\n"],"mappings":";;;;;;;;;AA2BA,IAAa,kBAAb,cAmBUA,gDAWR;CACA,AAAU,UAAkB,CAAE;CAC9B,AAAU;CACV,AAAU;CACV,AAAU;CACV,AAAU;CACV,cAAkE,OAC/D,CAAE;CACL,aAAwD,MAAM;CAC9D;CACA,wBAAsC,CAAE;CACxC;CACA;CACA,UAAkD,CAAE;CACpD,yBAAyD,CAAE;CAC3D;CACA;CAEA,YACWC,OACAC,QACT;AACA,QAAMC,gCAAc,SAAS;EAHpB;EACA;CAGV;CAGD,cACEC,WACA;AACA,OAAK,aAAa;CACnB;CAGD,mBACEC,SACA;AACA,OAAK,kBAAkB;CACxB;CAGD,oBAAoBC,SAAmD;AACrE,OAAK,mBAAmB;CACzB;CAED,YAAYC,aAA2B;AACrC,OAAK,eAAe;AACpB,SAAO;CACR;CAED,OAAOC,QAA6B;AAClC,OAAK,UAAU;AACf,SAAO;CACR;CAED,MACEC,OACM;AACN,OAAK,QAAQ,KAAK,MAAM;AACxB,SAAO;CACR;CAED,KAAKC,MAAsB;AACzB,OAAK,QAAQ;AACb,SAAO;CACR;CAED,WAAWC,YAA0B;AACnC,OAAK,cAAc;AACnB,SAAO;CACR;CAED,UACEC,WAiBA;AACA,OAAK,aAAa;AAKlB,SAAO;CAiBR;CAED,KACEC,QAiBA;AACA,OAAK,QAAQ,OAAO;AAEpB,SAAO;CACR;CAED,OACEA,QAiBA;AACA,OAAK,QAAQ,QAAQ;AAErB,SAAO;CACR;CAED,MACEA,QAiBA;AACA,SAAO,KAAK,OAAO,OAAO;CAC3B;CAED,OACEA,QAiBA;AACA,OAAK,QAAQ,SAAS;AAEtB,SAAO;CACR;CAED,UAAUC,QAA+B;AACvC,OAAK,aAAa;AAClB,SAAO;CACR;CAED,WACEC,MAiBA;AAEA,MAAI,SAAS,QAAQ;AACnB,QAAK;AACL,UAAO;EACR;EAGD,MAAM,mBAAmB,KAAK,sBAAsB,KAClD,CAAC,MAAM,EAAE,SAAS,KACnB;AACD,OAAK,oBAAoB,KAAK,sBAAsB,SAAS,GAAG;GAC9D,MAAM,YAAY,KAAK,sBACpB,IAAI,CAAC,MAAM,EAAE,KAAK,CAClB,KAAK,KAAK;AACb,SAAM,IAAI,OACP,cAAc,KAAe,wCAAwC,UAAU;EAEnF;AACD,OAAK,kBAAkB;AACvB,SAAO;CACR;CAED,SACEC,UAiBA;AACA,OAAK,YAAY,2BACf,CAAC,GAAG,KAAK,WAAW,GAAG,QAAS,GAChC,CAAC,MAAM,EAAE,YACV;AAED,SAAO;CAiBR;CAED,OACEC,QAiBA;AACA,OAAK,UAAU;AAEf,SAAO;CAiBR;CAED,OACEJ,QAiBA;AACA,OAAK,eAAe;AAEpB,SAAO;CAiBR;;;;;;CAOD,QACEK,SAiBA;AACA,OAAK,kBAAkB;AAKvB,SAAO;CAiBR;;;;;CAMD,MACEC,WAiBA;AACA,OAAK,kBAAkB;AACvB,SAAO;CACR;;;;;;;;;;;;;;;;;;CAmBD,MAAMC,QAAsD;AAC1D,OAAK,UAAU;AACf,SAAO;CACR;;;;;;;;;;;;;;;;CAiBD,SACEC,SAiBA;AACA,OAAK,mBAAmB;AAKxB,SAAO;CAiBR;;;;;;;;;;;;;;;;;;;;CAqBD,IACEC,QACM;AACN,MAAI,WAAW,SAAS,WAAWC,wBAAY;AAC7C,QAAK,aAAa;AAClB,QAAK;EACN,OAAM;AACL,QAAK,aAAa;AAClB,QAAK,aAAa;EACnB;AACD,SAAO;CACR;;;;;;;;;;;;;;CAeD,YAAkB;AAChB,OAAK,aAAa;AAClB,OAAK;AACL,SAAO;CACR;CAGD,MAAMC,SAAmB;AACvB,QAAM,IAAI,MACR;CAEH;CAED,OACEC,IAyBA;EAGA,IAAIC;AACJ,MAAI,KAAK,iBAAiB;GACxB,MAAM,qBAAqB,KAAK,sBAAsB,KACpD,CAAC,MAAM,EAAE,SAAS,KAAK,gBACxB;AAED,OAAI,mBACF,cAAa;QACR;IAEL,MAAM,iBAAiB,qCACrB,KAAK,iBACL,KAAK,uBACN;AACD,iBAAa;KACX,MAAM,KAAK;KACX;IACD;GACF;EACF;AAED,SAAO,IAAIC,0BAAS;GAClB;GACA,QAAQ,KAAK;GACb,OAAO,KAAK;GACZ,aAAa,KAAK;GAClB,MAAM,KAAK;GACX,OAAO,KAAK;GACZ,QAAQ,KAAK;GACb,UAAU,KAAK;GACf,QAAQ,KAAK;GACb,SAAS,KAAK;GACd,YAAY,KAAK;GACjB,WAAW,KAAK;GAChB,QAAQ,KAAK;GACb,YAAY,KAAK;GACjB,WAAW,KAAK;GAChB,kBAAkB,KAAK;GACvB,QAAQ,KAAK;GACb;GACA,uBAAuB,KAAK;GAC5B,gBAAgB,KAAK;GACrB,QAAQ,KAAK;GACb,iBAAiB,KAAK;GACtB,WAAW,KAAK;GAChB,WAAW,KAAK;EACjB;CACF;AACF"}

package/dist/{EndpointBuilder-W5fdXxYQ.mjs → EndpointBuilder-FyyoFTJ5.mjs} RENAMED Viewed

@@ -1,6 +1,8 @@
 import { ConstructType } from "./Construct-LWeB1rSQ.mjs";
 import { BaseFunctionBuilder } from "./BaseFunctionBuilder-B5gkW0Kt.mjs";
-import { Endpoint } from "./Endpoint-DbPsw13b.mjs";
+import { Endpoint } from "./Endpoint-B70_KKhu.mjs";
+import { getSecurityScheme } from "./Authorizer-r9U3y_ms.mjs";
+import { RLS_BYPASS } from "./rls-Bf3FRwto.mjs";
 import uniqBy from "lodash.uniqby";
 //#region src/endpoints/EndpointBuilder.ts
@@ -17,6 +19,9 @@ var EndpointBuilder = class extends BaseFunctionBuilder {
 	_authorizerName;
 	_actorExtractor;
 	_audits = [];
+	_customSecuritySchemes = {};
+	_rlsConfig;
+	_rlsBypass;
 	constructor(route, method) {
 		super(ConstructType.Endpoint);
 		this.route = route;
@@ -156,11 +161,69 @@ var EndpointBuilder = class extends BaseFunctionBuilder {
 		this._databaseService = service;
 		return this;
 	}
+	/**
+	* Configure RLS (Row-Level Security) context for this endpoint.
+	* Pass `false` or `RLS_BYPASS` to explicitly bypass RLS for this endpoint.
+	*
+	* @example
+	* ```typescript
+	* // Custom RLS config for this endpoint
+	* .rls({
+	*   extractor: ({ session }) => ({
+	*     user_id: session.userId,
+	*     tenant_id: session.tenantId,
+	*   }),
+	*   prefix: 'app',
+	* })
+	*
+	* // Bypass RLS (for admin endpoints)
+	* .rls(false)
+	* ```
+	*/
+	rls(config) {
+		if (config === false || config === RLS_BYPASS) {
+			this._rlsBypass = true;
+			this._rlsConfig = void 0;
+		} else {
+			this._rlsConfig = config;
+			this._rlsBypass = false;
+		}
+		return this;
+	}
+	/**
+	* Explicitly bypass RLS for this endpoint.
+	* Useful for admin operations that need unrestricted database access.
+	*
+	* @example
+	* ```typescript
+	* .rlsBypass()
+	* .handle(async ({ db }) => {
+	*   // Full access, no RLS filtering
+	*   return db.selectFrom('orders').selectAll().execute();
+	* })
+	* ```
+	*/
+	rlsBypass() {
+		this._rlsBypass = true;
+		this._rlsConfig = void 0;
+		return this;
+	}
 	input(_schema) {
 		throw new Error("EndpointBuilder does not support generic input. Use body(), query(), or params() instead.");
 	}
 	handle(fn) {
-		const authorizer = this._authorizerName ? this._availableAuthorizers.find((a) => a.name === this._authorizerName) ?? { name: this._authorizerName } : void 0;
+		let authorizer;
+		if (this._authorizerName) {
+			const existingAuthorizer = this._availableAuthorizers.find((a) => a.name === this._authorizerName);
+			if (existingAuthorizer) authorizer = existingAuthorizer;
+			else {
+				const securityScheme = getSecurityScheme(this._authorizerName, this._customSecuritySchemes);
+				authorizer = {
+					name: this._authorizerName,
+					securityScheme
+				};
+			}
+		}
 		return new Endpoint({
 			fn,
 			method: this.method,
@@ -183,11 +246,13 @@ var EndpointBuilder = class extends BaseFunctionBuilder {
 			auditorStorageService: this._auditorStorage,
 			actorExtractor: this._actorExtractor,
 			audits: this._audits,
-			databaseService: this._databaseService
+			databaseService: this._databaseService,
+			rlsConfig: this._rlsConfig,
+			rlsBypass: this._rlsBypass
 		});
 	}
 };
 //#endregion
 export { EndpointBuilder };
-//# sourceMappingURL=EndpointBuilder-W5fdXxYQ.mjs.map
+//# sourceMappingURL=EndpointBuilder-FyyoFTJ5.mjs.map

package/dist/EndpointBuilder-FyyoFTJ5.mjs.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"EndpointBuilder-FyyoFTJ5.mjs","names":["route: TRoute","method: TMethod","publisher: Service<TEventPublisherServiceName, TEventPublisher>","storage: Service<TAuditStorageServiceName, TAuditStorage>","service: Service<TDatabaseServiceName, TDatabase>","description: string","status: SuccessStatus","event: TEvent","tags: string[]","memorySize: number","publisher: Service<TName, T>","schema: T","config: RateLimitConfig","name: TAuthorizers[number] | 'none'","services: T","logger: T","storage: Service<TName, T>","extractor: ActorExtractor<TServices, TSession, TLogger>","audits: MappedAudit<TAuditAction, OutSchema>[]","service: Service<TName, T>","config: RlsConfig<TServices, TSession, TLogger> | false | RlsBypass","_schema: any","fn: EndpointHandler<\n TInput,\n TServices,\n TLogger,\n OutSchema,\n TSession,\n TDatabase,\n TAuditStorage,\n TAuditAction\n >","authorizer: Authorizer | undefined"],"sources":["../src/endpoints/EndpointBuilder.ts"],"sourcesContent":["import type {\n AuditStorage,\n AuditableAction,\n ExtractStorageAuditAction,\n} from '@geekmidas/audit';\nimport type { EventPublisher, MappedEvent } from '@geekmidas/events';\nimport type { Logger } from '@geekmidas/logger';\nimport type { RateLimitConfig } from '@geekmidas/rate-limit';\nimport type { Service } from '@geekmidas/services';\nimport type { StandardSchemaV1 } from '@standard-schema/spec';\nimport uniqBy from 'lodash.uniqby';\nimport { ConstructType } from '../Construct';\nimport { BaseFunctionBuilder } from '../functions';\nimport type { HttpMethod } from '../types';\nimport type { Authorizer, SecurityScheme } from './Authorizer';\nimport { getSecurityScheme } from './Authorizer';\nimport { Endpoint, type EndpointSchemas } from './Endpoint';\nimport type {\n AuthorizeFn,\n EndpointHandler,\n SessionFn,\n SuccessStatus,\n} from './Endpoint';\nimport type { ActorExtractor, MappedAudit } from './audit';\nimport type { RlsBypass, RlsConfig } from './rls';\nimport { RLS_BYPASS } from './rls';\n\nexport class EndpointBuilder<\n TRoute extends string,\n TMethod extends HttpMethod,\n TInput extends EndpointSchemas = {},\n TServices extends Service[] = [],\n TLogger extends Logger = Logger,\n OutSchema extends StandardSchemaV1 | undefined = undefined,\n TSession = unknown,\n TEventPublisher extends EventPublisher<any> | undefined = undefined,\n TEventPublisherServiceName extends string = string,\n TAuthorizers extends readonly string[] = readonly string[],\n TAuditStorage extends AuditStorage | undefined = undefined,\n TAuditStorageServiceName extends string = string,\n TAuditAction extends AuditableAction<string, unknown> = AuditableAction<\n string,\n unknown\n >,\n TDatabase = undefined,\n TDatabaseServiceName extends string = string,\n> extends BaseFunctionBuilder<\n TInput,\n OutSchema,\n TServices,\n TLogger,\n TEventPublisher,\n TEventPublisherServiceName,\n TAuditStorage,\n TAuditStorageServiceName,\n TDatabase,\n TDatabaseServiceName\n> {\n protected schemas: TInput = {} as TInput;\n protected _description?: string;\n protected _status?: SuccessStatus;\n protected _tags?: string[];\n protected _memorySize?: number;\n _getSession: SessionFn<TServices, TLogger, TSession, TDatabase> = () =>\n ({}) as TSession;\n _authorize: AuthorizeFn<TServices, TLogger, TSession> = () => true;\n _rateLimit?: RateLimitConfig;\n _availableAuthorizers: Authorizer[] = [];\n _authorizerName?: TAuthorizers[number];\n _actorExtractor?: ActorExtractor<TServices, TSession, TLogger>;\n _audits: MappedAudit<TAuditAction, OutSchema>[] = [];\n _customSecuritySchemes: Record<string, SecurityScheme> = {};\n _rlsConfig?: RlsConfig<TServices, TSession, TLogger>;\n _rlsBypass?: boolean;\n\n constructor(\n readonly route: TRoute,\n readonly method: TMethod,\n ) {\n super(ConstructType.Endpoint);\n }\n\n // Internal setter for EndpointFactory to set default publisher\n _setPublisher(\n publisher: Service<TEventPublisherServiceName, TEventPublisher>,\n ) {\n this._publisher = publisher;\n }\n\n // Internal setter for EndpointFactory to set default auditor storage\n _setAuditorStorage(\n storage: Service<TAuditStorageServiceName, TAuditStorage>,\n ) {\n this._auditorStorage = storage;\n }\n\n // Internal setter for EndpointFactory to set default database service\n _setDatabaseService(service: Service<TDatabaseServiceName, TDatabase>) {\n this._databaseService = service;\n }\n\n description(description: string): this {\n this._description = description;\n return this;\n }\n\n status(status: SuccessStatus): this {\n this._status = status;\n return this;\n }\n\n event<TEvent extends MappedEvent<TEventPublisher, OutSchema>>(\n event: TEvent,\n ): this {\n this._events.push(event);\n return this;\n }\n\n tags(tags: string[]): this {\n this._tags = tags;\n return this;\n }\n\n memorySize(memorySize: number): this {\n this._memorySize = memorySize;\n return this;\n }\n\n publisher<T extends EventPublisher<any>, TName extends string>(\n publisher: Service<TName, T>,\n ): EndpointBuilder<\n TRoute,\n TMethod,\n TInput,\n TServices,\n TLogger,\n OutSchema,\n TSession,\n T,\n TName,\n TAuthorizers,\n TAuditStorage,\n TAuditStorageServiceName,\n TAuditAction,\n TDatabase,\n TDatabaseServiceName\n > {\n this._publisher = publisher as unknown as Service<\n TEventPublisherServiceName,\n TEventPublisher\n >;\n\n return this as unknown as EndpointBuilder<\n TRoute,\n TMethod,\n TInput,\n TServices,\n TLogger,\n OutSchema,\n TSession,\n T,\n TName,\n TAuthorizers,\n TAuditStorage,\n TAuditStorageServiceName,\n TAuditAction,\n TDatabase,\n TDatabaseServiceName\n >;\n }\n\n body<T extends StandardSchemaV1>(\n schema: T,\n ): EndpointBuilder<\n TRoute,\n TMethod,\n Omit<TInput, 'body'> & { body: T },\n TServices,\n TLogger,\n OutSchema,\n TSession,\n TEventPublisher,\n TEventPublisherServiceName,\n TAuthorizers,\n TAuditStorage,\n TAuditStorageServiceName,\n TAuditAction,\n TDatabase,\n TDatabaseServiceName\n > {\n this.schemas.body = schema as unknown as T;\n // @ts-ignore\n return this;\n }\n\n search<T extends StandardSchemaV1>(\n schema: T,\n ): EndpointBuilder<\n TRoute,\n TMethod,\n Omit<TInput, 'query'> & { query: T },\n TServices,\n TLogger,\n OutSchema,\n TSession,\n TEventPublisher,\n TEventPublisherServiceName,\n TAuthorizers,\n TAuditStorage,\n TAuditStorageServiceName,\n TAuditAction,\n TDatabase,\n TDatabaseServiceName\n > {\n this.schemas.query = schema as unknown as T;\n // @ts-ignore\n return this;\n }\n\n query<T extends StandardSchemaV1>(\n schema: T,\n ): EndpointBuilder<\n TRoute,\n TMethod,\n Omit<TInput, 'query'> & { query: T },\n TServices,\n TLogger,\n OutSchema,\n TSession,\n TEventPublisher,\n TEventPublisherServiceName,\n TAuthorizers,\n TAuditStorage,\n TAuditStorageServiceName,\n TAuditAction,\n TDatabase,\n TDatabaseServiceName\n > {\n return this.search(schema);\n }\n\n params<T extends StandardSchemaV1>(\n schema: T,\n ): EndpointBuilder<\n TRoute,\n TMethod,\n Omit<TInput, 'params'> & { params: T },\n TServices,\n TLogger,\n OutSchema,\n TSession,\n TEventPublisher,\n TEventPublisherServiceName,\n TAuthorizers,\n TAuditStorage,\n TAuditStorageServiceName,\n TAuditAction,\n TDatabase,\n TDatabaseServiceName\n > {\n this.schemas.params = schema as unknown as T;\n // @ts-ignore\n return this;\n }\n\n rateLimit(config: RateLimitConfig): this {\n this._rateLimit = config;\n return this;\n }\n\n authorizer(\n name: TAuthorizers[number] | 'none',\n ): EndpointBuilder<\n TRoute,\n TMethod,\n TInput,\n TServices,\n TLogger,\n OutSchema,\n TSession,\n TEventPublisher,\n TEventPublisherServiceName,\n TAuthorizers,\n TAuditStorage,\n TAuditStorageServiceName,\n TAuditAction,\n TDatabase,\n TDatabaseServiceName\n > {\n // Special case: 'none' explicitly marks endpoint as having no authorizer\n if (name === 'none') {\n this._authorizerName = undefined;\n return this;\n }\n\n // Validate that the authorizer exists in available authorizers\n const authorizerExists = this._availableAuthorizers.some(\n (a) => a.name === name,\n );\n if (!authorizerExists && this._availableAuthorizers.length > 0) {\n const available = this._availableAuthorizers\n .map((a) => a.name)\n .join(', ');\n throw new Error(\n `Authorizer \"${name as string}\" not found in available authorizers: ${available}`,\n );\n }\n this._authorizerName = name;\n return this;\n }\n\n services<T extends Service[]>(\n services: T,\n ): EndpointBuilder<\n TRoute,\n TMethod,\n TInput,\n [...TServices, ...T],\n TLogger,\n OutSchema,\n TSession,\n TEventPublisher,\n TEventPublisherServiceName,\n TAuthorizers,\n TAuditStorage,\n TAuditStorageServiceName,\n TAuditAction,\n TDatabase,\n TDatabaseServiceName\n > {\n this._services = uniqBy(\n [...this._services, ...services],\n (s) => s.serviceName,\n ) as TServices;\n\n return this as unknown as EndpointBuilder<\n TRoute,\n TMethod,\n TInput,\n [...TServices, ...T],\n TLogger,\n OutSchema,\n TSession,\n TEventPublisher,\n TEventPublisherServiceName,\n TAuthorizers,\n TAuditStorage,\n TAuditStorageServiceName,\n TAuditAction,\n TDatabase,\n TDatabaseServiceName\n >;\n }\n\n logger<T extends Logger>(\n logger: T,\n ): EndpointBuilder<\n TRoute,\n TMethod,\n TInput,\n TServices,\n T,\n OutSchema,\n TSession,\n TEventPublisher,\n TEventPublisherServiceName,\n TAuthorizers,\n TAuditStorage,\n TAuditStorageServiceName,\n TAuditAction,\n TDatabase,\n TDatabaseServiceName\n > {\n this._logger = logger as unknown as TLogger;\n\n return this as unknown as EndpointBuilder<\n TRoute,\n TMethod,\n TInput,\n TServices,\n T,\n OutSchema,\n TSession,\n TEventPublisher,\n TEventPublisherServiceName,\n TAuthorizers,\n TAuditStorage,\n TAuditStorageServiceName,\n TAuditAction,\n TDatabase,\n TDatabaseServiceName\n >;\n }\n\n output<T extends StandardSchemaV1>(\n schema: T,\n ): EndpointBuilder<\n TRoute,\n TMethod,\n TInput,\n TServices,\n TLogger,\n T,\n TSession,\n TEventPublisher,\n TEventPublisherServiceName,\n TAuthorizers,\n TAuditStorage,\n TAuditStorageServiceName,\n TAuditAction,\n TDatabase,\n TDatabaseServiceName\n > {\n this.outputSchema = schema as unknown as OutSchema;\n\n return this as unknown as EndpointBuilder<\n TRoute,\n TMethod,\n TInput,\n TServices,\n TLogger,\n T,\n TSession,\n TEventPublisher,\n TEventPublisherServiceName,\n TAuthorizers,\n TAuditStorage,\n TAuditStorageServiceName,\n TAuditAction,\n TDatabase,\n TDatabaseServiceName\n >;\n }\n\n /**\n * Set the auditor storage service for this endpoint.\n * This enables audit functionality and makes `auditor` available in the handler context.\n * The audit action type is automatically inferred from the storage's generic parameter.\n */\n auditor<T extends AuditStorage<any>, TName extends string>(\n storage: Service<TName, T>,\n ): EndpointBuilder<\n TRoute,\n TMethod,\n TInput,\n TServices,\n TLogger,\n OutSchema,\n TSession,\n TEventPublisher,\n TEventPublisherServiceName,\n TAuthorizers,\n T,\n TName,\n ExtractStorageAuditAction<T>,\n TDatabase,\n TDatabaseServiceName\n > {\n this._auditorStorage = storage as unknown as Service<\n TAuditStorageServiceName,\n TAuditStorage\n >;\n\n return this as unknown as EndpointBuilder<\n TRoute,\n TMethod,\n TInput,\n TServices,\n TLogger,\n OutSchema,\n TSession,\n TEventPublisher,\n TEventPublisherServiceName,\n TAuthorizers,\n T,\n TName,\n ExtractStorageAuditAction<T>,\n TDatabase,\n TDatabaseServiceName\n >;\n }\n\n /**\n * Set the actor extractor function for audit records.\n * The actor is extracted from the request context and attached to all audits.\n */\n actor(\n extractor: ActorExtractor<TServices, TSession, TLogger>,\n ): EndpointBuilder<\n TRoute,\n TMethod,\n TInput,\n TServices,\n TLogger,\n OutSchema,\n TSession,\n TEventPublisher,\n TEventPublisherServiceName,\n TAuthorizers,\n TAuditStorage,\n TAuditStorageServiceName,\n TAuditAction,\n TDatabase,\n TDatabaseServiceName\n > {\n this._actorExtractor = extractor;\n return this;\n }\n\n /**\n * Add declarative audit definitions that are processed after the handler executes.\n * Similar to `.event()` for events, but for audits.\n *\n * @example\n * ```typescript\n * .audit<AppAuditAction>([\n * {\n * type: 'user.created',\n * payload: (response) => ({ userId: response.id, email: response.email }),\n * when: (response) => response.active,\n * entityId: (response) => response.id,\n * table: 'users',\n * },\n * ])\n * ```\n */\n audit(audits: MappedAudit<TAuditAction, OutSchema>[]): this {\n this._audits = audits;\n return this;\n }\n\n /**\n * Set the database service for this endpoint.\n * The database will be available in the handler context as `db`.\n * When audit storage is configured and uses the same database,\n * `db` will automatically be the transaction for ACID compliance.\n *\n * @example\n * ```typescript\n * .database(databaseService)\n * .handle(async ({ db }) => {\n * // db is the raw database or transaction (when auditor uses same db)\n * return await db.selectFrom('users').selectAll().execute();\n * })\n * ```\n */\n database<T, TName extends string>(\n service: Service<TName, T>,\n ): EndpointBuilder<\n TRoute,\n TMethod,\n TInput,\n TServices,\n TLogger,\n OutSchema,\n TSession,\n TEventPublisher,\n TEventPublisherServiceName,\n TAuthorizers,\n TAuditStorage,\n TAuditStorageServiceName,\n TAuditAction,\n T,\n TName\n > {\n this._databaseService = service as unknown as Service<\n TDatabaseServiceName,\n TDatabase\n >;\n\n return this as unknown as EndpointBuilder<\n TRoute,\n TMethod,\n TInput,\n TServices,\n TLogger,\n OutSchema,\n TSession,\n TEventPublisher,\n TEventPublisherServiceName,\n TAuthorizers,\n TAuditStorage,\n TAuditStorageServiceName,\n TAuditAction,\n T,\n TName\n >;\n }\n\n /**\n * Configure RLS (Row-Level Security) context for this endpoint.\n * Pass `false` or `RLS_BYPASS` to explicitly bypass RLS for this endpoint.\n *\n * @example\n * ```typescript\n * // Custom RLS config for this endpoint\n * .rls({\n * extractor: ({ session }) => ({\n * user_id: session.userId,\n * tenant_id: session.tenantId,\n * }),\n * prefix: 'app',\n * })\n *\n * // Bypass RLS (for admin endpoints)\n * .rls(false)\n * ```\n */\n rls(\n config: RlsConfig<TServices, TSession, TLogger> | false | RlsBypass,\n ): this {\n if (config === false || config === RLS_BYPASS) {\n this._rlsBypass = true;\n this._rlsConfig = undefined;\n } else {\n this._rlsConfig = config;\n this._rlsBypass = false;\n }\n return this;\n }\n\n /**\n * Explicitly bypass RLS for this endpoint.\n * Useful for admin operations that need unrestricted database access.\n *\n * @example\n * ```typescript\n * .rlsBypass()\n * .handle(async ({ db }) => {\n * // Full access, no RLS filtering\n * return db.selectFrom('orders').selectAll().execute();\n * })\n * ```\n */\n rlsBypass(): this {\n this._rlsBypass = true;\n this._rlsConfig = undefined;\n return this;\n }\n\n // EndpointBuilder doesn't have a generic input method - it uses body, query, params instead\n input(_schema: any): any {\n throw new Error(\n 'EndpointBuilder does not support generic input. Use body(), query(), or params() instead.',\n );\n }\n\n handle(\n fn: EndpointHandler<\n TInput,\n TServices,\n TLogger,\n OutSchema,\n TSession,\n TDatabase,\n TAuditStorage,\n TAuditAction\n >,\n ): Endpoint<\n TRoute,\n TMethod,\n TInput,\n OutSchema,\n TServices,\n TLogger,\n TSession,\n TEventPublisher,\n TEventPublisherServiceName,\n TAuditStorage,\n TAuditStorageServiceName,\n TAuditAction,\n TDatabase,\n TDatabaseServiceName\n > {\n // Find authorizer metadata if name is set\n // If the authorizer name is set but not in availableAuthorizers, create a simple authorizer object\n let authorizer: Authorizer | undefined;\n if (this._authorizerName) {\n const existingAuthorizer = this._availableAuthorizers.find(\n (a) => a.name === this._authorizerName,\n );\n\n if (existingAuthorizer) {\n authorizer = existingAuthorizer;\n } else {\n // Create authorizer with security scheme if available (built-in or custom)\n const securityScheme = getSecurityScheme(\n this._authorizerName as string,\n this._customSecuritySchemes,\n );\n authorizer = {\n name: this._authorizerName as string,\n securityScheme,\n };\n }\n }\n\n return new Endpoint({\n fn,\n method: this.method,\n route: this.route,\n description: this._description,\n tags: this._tags,\n input: this.schemas,\n output: this.outputSchema,\n services: this._services,\n logger: this._logger,\n timeout: this._timeout,\n memorySize: this._memorySize,\n authorize: this._authorize,\n status: this._status,\n getSession: this._getSession,\n rateLimit: this._rateLimit,\n publisherService: this._publisher,\n events: this._events,\n authorizer,\n auditorStorageService: this._auditorStorage,\n actorExtractor: this._actorExtractor,\n audits: this._audits,\n databaseService: this._databaseService,\n rlsConfig: this._rlsConfig,\n rlsBypass: this._rlsBypass,\n });\n }\n}\n"],"mappings":";;;;;;;;AA2BA,IAAa,kBAAb,cAmBU,oBAWR;CACA,AAAU,UAAkB,CAAE;CAC9B,AAAU;CACV,AAAU;CACV,AAAU;CACV,AAAU;CACV,cAAkE,OAC/D,CAAE;CACL,aAAwD,MAAM;CAC9D;CACA,wBAAsC,CAAE;CACxC;CACA;CACA,UAAkD,CAAE;CACpD,yBAAyD,CAAE;CAC3D;CACA;CAEA,YACWA,OACAC,QACT;AACA,QAAM,cAAc,SAAS;EAHpB;EACA;CAGV;CAGD,cACEC,WACA;AACA,OAAK,aAAa;CACnB;CAGD,mBACEC,SACA;AACA,OAAK,kBAAkB;CACxB;CAGD,oBAAoBC,SAAmD;AACrE,OAAK,mBAAmB;CACzB;CAED,YAAYC,aAA2B;AACrC,OAAK,eAAe;AACpB,SAAO;CACR;CAED,OAAOC,QAA6B;AAClC,OAAK,UAAU;AACf,SAAO;CACR;CAED,MACEC,OACM;AACN,OAAK,QAAQ,KAAK,MAAM;AACxB,SAAO;CACR;CAED,KAAKC,MAAsB;AACzB,OAAK,QAAQ;AACb,SAAO;CACR;CAED,WAAWC,YAA0B;AACnC,OAAK,cAAc;AACnB,SAAO;CACR;CAED,UACEC,WAiBA;AACA,OAAK,aAAa;AAKlB,SAAO;CAiBR;CAED,KACEC,QAiBA;AACA,OAAK,QAAQ,OAAO;AAEpB,SAAO;CACR;CAED,OACEA,QAiBA;AACA,OAAK,QAAQ,QAAQ;AAErB,SAAO;CACR;CAED,MACEA,QAiBA;AACA,SAAO,KAAK,OAAO,OAAO;CAC3B;CAED,OACEA,QAiBA;AACA,OAAK,QAAQ,SAAS;AAEtB,SAAO;CACR;CAED,UAAUC,QAA+B;AACvC,OAAK,aAAa;AAClB,SAAO;CACR;CAED,WACEC,MAiBA;AAEA,MAAI,SAAS,QAAQ;AACnB,QAAK;AACL,UAAO;EACR;EAGD,MAAM,mBAAmB,KAAK,sBAAsB,KAClD,CAAC,MAAM,EAAE,SAAS,KACnB;AACD,OAAK,oBAAoB,KAAK,sBAAsB,SAAS,GAAG;GAC9D,MAAM,YAAY,KAAK,sBACpB,IAAI,CAAC,MAAM,EAAE,KAAK,CAClB,KAAK,KAAK;AACb,SAAM,IAAI,OACP,cAAc,KAAe,wCAAwC,UAAU;EAEnF;AACD,OAAK,kBAAkB;AACvB,SAAO;CACR;CAED,SACEC,UAiBA;AACA,OAAK,YAAY,OACf,CAAC,GAAG,KAAK,WAAW,GAAG,QAAS,GAChC,CAAC,MAAM,EAAE,YACV;AAED,SAAO;CAiBR;CAED,OACEC,QAiBA;AACA,OAAK,UAAU;AAEf,SAAO;CAiBR;CAED,OACEJ,QAiBA;AACA,OAAK,eAAe;AAEpB,SAAO;CAiBR;;;;;;CAOD,QACEK,SAiBA;AACA,OAAK,kBAAkB;AAKvB,SAAO;CAiBR;;;;;CAMD,MACEC,WAiBA;AACA,OAAK,kBAAkB;AACvB,SAAO;CACR;;;;;;;;;;;;;;;;;;CAmBD,MAAMC,QAAsD;AAC1D,OAAK,UAAU;AACf,SAAO;CACR;;;;;;;;;;;;;;;;CAiBD,SACEC,SAiBA;AACA,OAAK,mBAAmB;AAKxB,SAAO;CAiBR;;;;;;;;;;;;;;;;;;;;CAqBD,IACEC,QACM;AACN,MAAI,WAAW,SAAS,WAAW,YAAY;AAC7C,QAAK,aAAa;AAClB,QAAK;EACN,OAAM;AACL,QAAK,aAAa;AAClB,QAAK,aAAa;EACnB;AACD,SAAO;CACR;;;;;;;;;;;;;;CAeD,YAAkB;AAChB,OAAK,aAAa;AAClB,OAAK;AACL,SAAO;CACR;CAGD,MAAMC,SAAmB;AACvB,QAAM,IAAI,MACR;CAEH;CAED,OACEC,IAyBA;EAGA,IAAIC;AACJ,MAAI,KAAK,iBAAiB;GACxB,MAAM,qBAAqB,KAAK,sBAAsB,KACpD,CAAC,MAAM,EAAE,SAAS,KAAK,gBACxB;AAED,OAAI,mBACF,cAAa;QACR;IAEL,MAAM,iBAAiB,kBACrB,KAAK,iBACL,KAAK,uBACN;AACD,iBAAa;KACX,MAAM,KAAK;KACX;IACD;GACF;EACF;AAED,SAAO,IAAI,SAAS;GAClB;GACA,QAAQ,KAAK;GACb,OAAO,KAAK;GACZ,aAAa,KAAK;GAClB,MAAM,KAAK;GACX,OAAO,KAAK;GACZ,QAAQ,KAAK;GACb,UAAU,KAAK;GACf,QAAQ,KAAK;GACb,SAAS,KAAK;GACd,YAAY,KAAK;GACjB,WAAW,KAAK;GAChB,QAAQ,KAAK;GACb,YAAY,KAAK;GACjB,WAAW,KAAK;GAChB,kBAAkB,KAAK;GACvB,QAAQ,KAAK;GACb;GACA,uBAAuB,KAAK;GAC5B,gBAAgB,KAAK;GACrB,QAAQ,KAAK;GACb,iBAAiB,KAAK;GACtB,WAAW,KAAK;GAChB,WAAW,KAAK;EACjB;CACF;AACF"}

package/dist/{EndpointBuilder-TApJQhtG.d.cts → EndpointBuilder-vXk6eIJk.d.cts} RENAMED Viewed

@@ -1,7 +1,7 @@
 import { HttpMethod } from "./types-Bp9ysFXd.cjs";
 import { BaseFunctionBuilder } from "./BaseFunctionBuilder-DaQA0uKE.cjs";
-import { Authorizer } from "./Authorizer-BTmly8ps.cjs";
-import { ActorExtractor, AuthorizeFn, Endpoint, EndpointHandler, EndpointSchemas, MappedAudit, SessionFn, SuccessStatus } from "./Endpoint-D2Imgihs.cjs";
+import { Authorizer, SecurityScheme } from "./Authorizer-CpSUMTIs.cjs";
+import { ActorExtractor, AuthorizeFn, Endpoint, EndpointHandler, EndpointSchemas, MappedAudit, RlsBypass, RlsConfig, SessionFn, SuccessStatus } from "./Endpoint-CC2RGjkl.cjs";
 import { AuditStorage, AuditableAction, ExtractStorageAuditAction } from "@geekmidas/audit";
 import { EventPublisher, MappedEvent } from "@geekmidas/events";
 import { Logger } from "@geekmidas/logger";
@@ -10,6 +10,7 @@ import { StandardSchemaV1 } from "@standard-schema/spec";
 import { RateLimitConfig } from "@geekmidas/rate-limit";
 //#region src/endpoints/EndpointBuilder.d.ts
 declare class EndpointBuilder<TRoute extends string, TMethod extends HttpMethod, TInput extends EndpointSchemas = {}, TServices extends Service[] = [], TLogger extends Logger = Logger, OutSchema extends StandardSchemaV1 | undefined = undefined, TSession = unknown, TEventPublisher extends EventPublisher<any> | undefined = undefined, TEventPublisherServiceName extends string = string, TAuthorizers extends readonly string[] = readonly string[], TAuditStorage extends AuditStorage | undefined = undefined, TAuditStorageServiceName extends string = string, TAuditAction extends AuditableAction<string, unknown> = AuditableAction<string, unknown>, TDatabase = undefined, TDatabaseServiceName extends string = string> extends BaseFunctionBuilder<TInput, OutSchema, TServices, TLogger, TEventPublisher, TEventPublisherServiceName, TAuditStorage, TAuditStorageServiceName, TDatabase, TDatabaseServiceName> {
   readonly route: TRoute;
   readonly method: TMethod;
@@ -25,6 +26,9 @@ declare class EndpointBuilder<TRoute extends string, TMethod extends HttpMethod,
   _authorizerName?: TAuthorizers[number];
   _actorExtractor?: ActorExtractor<TServices, TSession, TLogger>;
   _audits: MappedAudit<TAuditAction, OutSchema>[];
+  _customSecuritySchemes: Record<string, SecurityScheme>;
+  _rlsConfig?: RlsConfig<TServices, TSession, TLogger>;
+  _rlsBypass?: boolean;
   constructor(route: TRoute, method: TMethod);
   _setPublisher(publisher: Service<TEventPublisherServiceName, TEventPublisher>): void;
   _setAuditorStorage(storage: Service<TAuditStorageServiceName, TAuditStorage>): void;
@@ -97,9 +101,43 @@ declare class EndpointBuilder<TRoute extends string, TMethod extends HttpMethod,
    * ```
    */
   database<T, TName extends string>(service: Service<TName, T>): EndpointBuilder<TRoute, TMethod, TInput, TServices, TLogger, OutSchema, TSession, TEventPublisher, TEventPublisherServiceName, TAuthorizers, TAuditStorage, TAuditStorageServiceName, TAuditAction, T, TName>;
+  /**
+   * Configure RLS (Row-Level Security) context for this endpoint.
+   * Pass `false` or `RLS_BYPASS` to explicitly bypass RLS for this endpoint.
+   *
+   * @example
+   * ```typescript
+   * // Custom RLS config for this endpoint
+   * .rls({
+   *   extractor: ({ session }) => ({
+   *     user_id: session.userId,
+   *     tenant_id: session.tenantId,
+   *   }),
+   *   prefix: 'app',
+   * })
+   *
+   * // Bypass RLS (for admin endpoints)
+   * .rls(false)
+   * ```
+   */
+  rls(config: RlsConfig<TServices, TSession, TLogger> | false | RlsBypass): this;
+  /**
+   * Explicitly bypass RLS for this endpoint.
+   * Useful for admin operations that need unrestricted database access.
+   *
+   * @example
+   * ```typescript
+   * .rlsBypass()
+   * .handle(async ({ db }) => {
+   *   // Full access, no RLS filtering
+   *   return db.selectFrom('orders').selectAll().execute();
+   * })
+   * ```
+   */
+  rlsBypass(): this;
   input(_schema: any): any;
   handle(fn: EndpointHandler<TInput, TServices, TLogger, OutSchema, TSession, TDatabase, TAuditStorage, TAuditAction>): Endpoint<TRoute, TMethod, TInput, OutSchema, TServices, TLogger, TSession, TEventPublisher, TEventPublisherServiceName, TAuditStorage, TAuditStorageServiceName, TAuditAction, TDatabase, TDatabaseServiceName>;
 }
 //#endregion
 export { EndpointBuilder };
-//# sourceMappingURL=EndpointBuilder-TApJQhtG.d.cts.map
+//# sourceMappingURL=EndpointBuilder-vXk6eIJk.d.cts.map

package/dist/{EndpointFactory-CNlfBDuD.d.mts → EndpointFactory-3g-7Rznt.d.cts} RENAMED Viewed

@@ -1,13 +1,13 @@
-import { Authorizer } from "./Authorizer-pmPvIVgv.mjs";
-import { ActorExtractor, AuthorizeFn, SessionFn } from "./Endpoint-PtQ-wLIS.mjs";
-import { EndpointBuilder } from "./EndpointBuilder-BPHpUekp.mjs";
-import { Service } from "@geekmidas/services";
+import { Authorizer, BuiltInSecuritySchemeId, SecurityScheme } from "./Authorizer-CpSUMTIs.cjs";
+import { ActorExtractor, AuthorizeFn, RlsConfig, SessionFn } from "./Endpoint-CC2RGjkl.cjs";
+import { EndpointBuilder } from "./EndpointBuilder-vXk6eIJk.cjs";
 import { AuditStorage, AuditableAction, ExtractStorageAuditAction } from "@geekmidas/audit";
 import { EventPublisher, MappedEvent } from "@geekmidas/events";
 import { Logger } from "@geekmidas/logger";
+import { Service } from "@geekmidas/services";
 //#region src/endpoints/EndpointFactory.d.ts
-declare class EndpointFactory<TServices extends Service[] = [], TBasePath extends string = '', TLogger extends Logger = Logger, TSession = unknown, TEventPublisher extends EventPublisher<any> | undefined = undefined, TEventPublisherServiceName extends string = string, TAuthorizers extends readonly string[] = readonly string[], TAuditStorage extends AuditStorage<any> | undefined = undefined, TAuditStorageServiceName extends string = string, TAuditAction extends AuditableAction<string, unknown> = ExtractStorageAuditAction<NonNullable<TAuditStorage>>, TDatabase = undefined, TDatabaseServiceName extends string = string> {
+declare class EndpointFactory<TServices extends Service[] = [], TBasePath extends string = '', TLogger extends Logger = Logger, TSession = unknown, TEventPublisher extends EventPublisher<any> | undefined = undefined, TEventPublisherServiceName extends string = string, TAuthorizers extends readonly string[] = readonly string[], TAuditStorage extends AuditStorage<any> | undefined = undefined, TAuditStorageServiceName extends string = string, TAuditAction extends AuditableAction<string, unknown> = ExtractStorageAuditAction<NonNullable<TAuditStorage>>, TDatabase = undefined, TDatabaseServiceName extends string = string, TSecuritySchemes extends Record<string, SecurityScheme> = Record<string, SecurityScheme>, TRlsConfig extends RlsConfig<TServices, TSession, TLogger> | undefined = undefined> {
   private defaultServices;
   private basePath;
   private defaultAuthorizeFn?;
@@ -19,6 +19,8 @@ declare class EndpointFactory<TServices extends Service[] = [], TBasePath extend
   private defaultAuditorStorage;
   private defaultDatabaseService;
   private defaultActorExtractor?;
+  private customSecuritySchemes;
+  private defaultRlsConfig?;
   constructor({
     basePath,
     defaultAuthorizeFn,
@@ -30,38 +32,81 @@ declare class EndpointFactory<TServices extends Service[] = [], TBasePath extend
     defaultAuthorizerName,
     defaultAuditorStorage,
     defaultDatabaseService,
-    defaultActorExtractor
-  }?: EndpointFactoryOptions<TServices, TBasePath, TLogger, TSession, TEventPublisher, TEventPublisherServiceName, TAuthorizers, TAuditStorage, TAuditStorageServiceName, TDatabase, TDatabaseServiceName>);
+    defaultActorExtractor,
+    customSecuritySchemes,
+    defaultRlsConfig
+  }?: EndpointFactoryOptions<TServices, TBasePath, TLogger, TSession, TEventPublisher, TEventPublisherServiceName, TAuthorizers, TAuditStorage, TAuditStorageServiceName, TDatabase, TDatabaseServiceName, TSecuritySchemes, TRlsConfig>);
   static joinPaths<TBasePath extends string, P extends string>(path: P, basePath?: TBasePath): JoinPaths<TBasePath, P>;
-  authorizers<const T extends readonly string[]>(authorizers: T): EndpointFactory<TServices, TBasePath, TLogger, TSession, TEventPublisher, TEventPublisherServiceName, T, TAuditStorage, TAuditStorageServiceName, TAuditAction, TDatabase, TDatabaseServiceName>;
+  authorizers<const T extends readonly string[]>(authorizers: T): EndpointFactory<TServices, TBasePath, TLogger, TSession, TEventPublisher, TEventPublisherServiceName, T, TAuditStorage, TAuditStorageServiceName, TAuditAction, TDatabase, TDatabaseServiceName, TSecuritySchemes>;
+  /**
+   * Define custom security schemes for this factory.
+   * These extend the built-in schemes (jwt, bearer, apiKey, oauth2, oidc).
+   *
+   * @example
+   * ```typescript
+   * const router = e.securitySchemes({
+   *   awsIamSigV4: {
+   *     type: 'apiKey',
+   *     in: 'header',
+   *     name: 'Authorization',
+   *     'x-amazon-apigateway-authtype': 'awsSigv4',
+   *   },
+   * });
+   * ```
+   */
+  securitySchemes<T extends Record<string, SecurityScheme>>(schemes: T): EndpointFactory<TServices, TBasePath, TLogger, TSession, TEventPublisher, TEventPublisherServiceName, TAuthorizers, TAuditStorage, TAuditStorageServiceName, TAuditAction, TDatabase, TDatabaseServiceName, TSecuritySchemes & T>;
   /**
    * Set the default authorizer for all endpoints created from this factory.
    * Individual endpoints can override this by calling `.authorizer()` on the builder.
    * Use `'none'` to explicitly disable authorization for all endpoints.
+   *
+   * Accepts:
+   * - Built-in security scheme names: 'jwt', 'bearer', 'apiKey', 'oauth2', 'oidc'
+   * - Custom security scheme names defined via `.securitySchemes()`
+   * - 'none' to disable authorization
    */
-  authorizer(name: TAuthorizers[number] | 'none'): EndpointFactory<TServices, TBasePath, TLogger, TSession, TEventPublisher, TEventPublisherServiceName, TAuthorizers, TAuditStorage, TAuditStorageServiceName, TAuditAction, TDatabase, TDatabaseServiceName>;
-  route<TPath extends string>(path: TPath): EndpointFactory<TServices, JoinPaths<TBasePath, TPath>, TLogger, TSession, TEventPublisher, TEventPublisherServiceName, TAuthorizers, TAuditStorage, TAuditStorageServiceName, TAuditAction, TDatabase, TDatabaseServiceName>;
-  authorize(fn: AuthorizeFn<TServices, TLogger, TSession>): EndpointFactory<TServices, TBasePath, TLogger, TSession, TEventPublisher, TEventPublisherServiceName, TAuthorizers, TAuditStorage, TAuditStorageServiceName, TAuditAction, TDatabase, TDatabaseServiceName>;
-  services<S extends Service[]>(services: S): EndpointFactory<[...S, ...TServices], TBasePath, TLogger, TSession, TEventPublisher, TEventPublisherServiceName, TAuthorizers, TAuditStorage, TAuditStorageServiceName, TAuditAction, TDatabase, TDatabaseServiceName>;
-  logger<L extends Logger>(logger: L): EndpointFactory<TServices, TBasePath, L, TSession, TEventPublisher, TEventPublisherServiceName, TAuthorizers, TAuditStorage, TAuditStorageServiceName, TAuditAction, TDatabase, TDatabaseServiceName>;
-  publisher<T extends EventPublisher<any>, TServiceName extends string = string>(publisher: Service<TServiceName, T>): EndpointFactory<TServices, TBasePath, TLogger, TSession, T, TServiceName, TAuthorizers, TAuditStorage, TAuditStorageServiceName, TAuditAction, TDatabase, TDatabaseServiceName>;
-  session<T>(session: SessionFn<TServices, TLogger, T, TDatabase>): EndpointFactory<TServices, TBasePath, TLogger, T, TEventPublisher, TEventPublisherServiceName, TAuthorizers, TAuditStorage, TAuditStorageServiceName, TAuditAction, TDatabase, TDatabaseServiceName>;
+  authorizer(name: BuiltInSecuritySchemeId | keyof TSecuritySchemes | TAuthorizers[number] | 'none'): EndpointFactory<TServices, TBasePath, TLogger, TSession, TEventPublisher, TEventPublisherServiceName, TAuthorizers, TAuditStorage, TAuditStorageServiceName, TAuditAction, TDatabase, TDatabaseServiceName, TSecuritySchemes>;
+  route<TPath extends string>(path: TPath): EndpointFactory<TServices, JoinPaths<TBasePath, TPath>, TLogger, TSession, TEventPublisher, TEventPublisherServiceName, TAuthorizers, TAuditStorage, TAuditStorageServiceName, TAuditAction, TDatabase, TDatabaseServiceName, TSecuritySchemes>;
+  authorize(fn: AuthorizeFn<TServices, TLogger, TSession>): EndpointFactory<TServices, TBasePath, TLogger, TSession, TEventPublisher, TEventPublisherServiceName, TAuthorizers, TAuditStorage, TAuditStorageServiceName, TAuditAction, TDatabase, TDatabaseServiceName, TSecuritySchemes>;
+  services<S extends Service[]>(services: S): EndpointFactory<[...S, ...TServices], TBasePath, TLogger, TSession, TEventPublisher, TEventPublisherServiceName, TAuthorizers, TAuditStorage, TAuditStorageServiceName, TAuditAction, TDatabase, TDatabaseServiceName, TSecuritySchemes>;
+  logger<L extends Logger>(logger: L): EndpointFactory<TServices, TBasePath, L, TSession, TEventPublisher, TEventPublisherServiceName, TAuthorizers, TAuditStorage, TAuditStorageServiceName, TAuditAction, TDatabase, TDatabaseServiceName, TSecuritySchemes>;
+  publisher<T extends EventPublisher<any>, TServiceName extends string = string>(publisher: Service<TServiceName, T>): EndpointFactory<TServices, TBasePath, TLogger, TSession, T, TServiceName, TAuthorizers, TAuditStorage, TAuditStorageServiceName, TAuditAction, TDatabase, TDatabaseServiceName, TSecuritySchemes>;
+  session<T>(session: SessionFn<TServices, TLogger, T, TDatabase>): EndpointFactory<TServices, TBasePath, TLogger, T, TEventPublisher, TEventPublisherServiceName, TAuthorizers, TAuditStorage, TAuditStorageServiceName, TAuditAction, TDatabase, TDatabaseServiceName, TSecuritySchemes>;
   /**
    * Set the database service for endpoints created from this factory.
    * The database will be available in handler context as `db`.
    */
-  database<T, TName extends string>(service: Service<TName, T>): EndpointFactory<TServices, TBasePath, TLogger, TSession, TEventPublisher, TEventPublisherServiceName, TAuthorizers, TAuditStorage, TAuditStorageServiceName, TAuditAction, T, TName>;
+  database<T, TName extends string>(service: Service<TName, T>): EndpointFactory<TServices, TBasePath, TLogger, TSession, TEventPublisher, TEventPublisherServiceName, TAuthorizers, TAuditStorage, TAuditStorageServiceName, TAuditAction, T, TName, TSecuritySchemes>;
   /**
    * Set the auditor storage service for endpoints created from this factory.
    * This enables audit functionality and makes `auditor` available in handler context.
    * The audit action type is automatically inferred from the storage's generic parameter.
    */
-  auditor<T extends AuditStorage<any>, TName extends string>(storage: Service<TName, T>): EndpointFactory<TServices, TBasePath, TLogger, TSession, TEventPublisher, TEventPublisherServiceName, TAuthorizers, T, TName, ExtractStorageAuditAction<T>, TDatabase, TDatabaseServiceName>;
+  auditor<T extends AuditStorage<any>, TName extends string>(storage: Service<TName, T>): EndpointFactory<TServices, TBasePath, TLogger, TSession, TEventPublisher, TEventPublisherServiceName, TAuthorizers, T, TName, ExtractStorageAuditAction<T>, TDatabase, TDatabaseServiceName, TSecuritySchemes>;
   /**
    * Set the actor extractor function for endpoints created from this factory.
    * The actor is extracted from the request context and attached to all audits.
    */
-  actor(extractor: ActorExtractor<TServices, TSession, TLogger>): EndpointFactory<TServices, TBasePath, TLogger, TSession, TEventPublisher, TEventPublisherServiceName, TAuthorizers, TAuditStorage, TAuditStorageServiceName, TAuditAction, TDatabase, TDatabaseServiceName>;
+  actor(extractor: ActorExtractor<TServices, TSession, TLogger>): EndpointFactory<TServices, TBasePath, TLogger, TSession, TEventPublisher, TEventPublisherServiceName, TAuthorizers, TAuditStorage, TAuditStorageServiceName, TAuditAction, TDatabase, TDatabaseServiceName, TSecuritySchemes>;
+  /**
+   * Set the RLS (Row-Level Security) configuration for endpoints created from this factory.
+   * This enables automatic PostgreSQL session variable setting for RLS policies.
+   *
+   * @example
+   * ```typescript
+   * const api = new EndpointFactory()
+   *   .database(databaseService)
+   *   .session(extractSession)
+   *   .rls({
+   *     extractor: ({ session }) => ({
+   *       user_id: session.userId,
+   *       tenant_id: session.tenantId,
+   *     }),
+   *     prefix: 'app',
+   *   });
+   * ```
+   */
+  rls<TConfig extends RlsConfig<TServices, TSession, TLogger>>(config: TConfig): EndpointFactory<TServices, TBasePath, TLogger, TSession, TEventPublisher, TEventPublisherServiceName, TAuthorizers, TAuditStorage, TAuditStorageServiceName, TAuditAction, TDatabase, TDatabaseServiceName, TSecuritySchemes, TConfig>;
   private createBuilder;
   post<TPath extends string>(path: TPath): EndpointBuilder<RemoveTrailingSlash<TBasePath extends "" ? TPath : TPath extends "" ? TBasePath : TBasePath extends "/" ? TPath extends `/${string}` ? TPath : `/${TPath}` : TBasePath extends `${infer Base}/` ? TPath extends `/${infer Rest}` ? `${Base}/${Rest}` : `${Base}/${TPath}` : TPath extends `/${infer Rest_1}` ? `${TBasePath}/${Rest_1}` : `${TBasePath}/${TPath}`>, "POST", {}, TServices, TLogger, undefined, TSession, TEventPublisher, TEventPublisherServiceName, TAuthorizers, TAuditStorage, TAuditStorageServiceName, TAuditAction, TDatabase, TDatabaseServiceName>;
   get<TPath extends string>(path: TPath): EndpointBuilder<RemoveTrailingSlash<TBasePath extends "" ? TPath : TPath extends "" ? TBasePath : TBasePath extends "/" ? TPath extends `/${string}` ? TPath : `/${TPath}` : TBasePath extends `${infer Base}/` ? TPath extends `/${infer Rest}` ? `${Base}/${Rest}` : `${Base}/${TPath}` : TPath extends `/${infer Rest_1}` ? `${TBasePath}/${Rest_1}` : `${TBasePath}/${TPath}`>, "GET", {}, TServices, TLogger, undefined, TSession, TEventPublisher, TEventPublisherServiceName, TAuthorizers, TAuditStorage, TAuditStorageServiceName, TAuditAction, TDatabase, TDatabaseServiceName>;
@@ -72,7 +117,7 @@ declare class EndpointFactory<TServices extends Service[] = [], TBasePath extend
 }
 type RemoveTrailingSlash<T extends string> = T extends `${infer Rest}/` ? Rest extends '' ? T : Rest : T;
 type JoinPaths<TBasePath extends string, TPath extends string> = RemoveTrailingSlash<TBasePath extends '' ? TPath : TPath extends '' ? TBasePath : TBasePath extends '/' ? TPath extends `/${string}` ? TPath : `/${TPath}` : TBasePath extends `${infer Base}/` ? TPath extends `/${infer Rest}` ? `${Base}/${Rest}` : `${Base}/${TPath}` : TPath extends `/${infer Rest}` ? `${TBasePath}/${Rest}` : `${TBasePath}/${TPath}`>;
-interface EndpointFactoryOptions<TServices extends Service[] = [], TBasePath extends string = '', TLogger extends Logger = Logger, TSession = unknown, TEventPublisher extends EventPublisher<any> | undefined = undefined, TEventPublisherServiceName extends string = string, TAuthorizers extends readonly string[] = readonly string[], TAuditStorage extends AuditStorage | undefined = undefined, TAuditStorageServiceName extends string = string, TDatabase = undefined, TDatabaseServiceName extends string = string> {
+interface EndpointFactoryOptions<TServices extends Service[] = [], TBasePath extends string = '', TLogger extends Logger = Logger, TSession = unknown, TEventPublisher extends EventPublisher<any> | undefined = undefined, TEventPublisherServiceName extends string = string, TAuthorizers extends readonly string[] = readonly string[], TAuditStorage extends AuditStorage | undefined = undefined, TAuditStorageServiceName extends string = string, TDatabase = undefined, TDatabaseServiceName extends string = string, TSecuritySchemes extends Record<string, SecurityScheme> = Record<string, SecurityScheme>, TRlsConfig extends RlsConfig<TServices, TSession, TLogger> | undefined = undefined> {
   defaultServices?: TServices;
   basePath?: TBasePath;
   defaultAuthorizeFn?: AuthorizeFn<TServices, TLogger, TSession>;
@@ -85,8 +130,10 @@ interface EndpointFactoryOptions<TServices extends Service[] = [], TBasePath ext
   defaultAuditorStorage?: Service<TAuditStorageServiceName, TAuditStorage>;
   defaultDatabaseService?: Service<TDatabaseServiceName, TDatabase>;
   defaultActorExtractor?: ActorExtractor<TServices, TSession, TLogger>;
+  customSecuritySchemes?: TSecuritySchemes;
+  defaultRlsConfig?: TRlsConfig;
 }
-declare const e: EndpointFactory<[], "", Logger, unknown, undefined, string, readonly string[], undefined, string, never, undefined, string>;
+declare const e: EndpointFactory<[], "", Logger, unknown, undefined, string, readonly string[], undefined, string, never, undefined, string, Record<string, SecurityScheme>, undefined>;
 //#endregion
 export { EndpointFactory, EndpointFactoryOptions, JoinPaths, RemoveTrailingSlash, e };
-//# sourceMappingURL=EndpointFactory-CNlfBDuD.d.mts.map
+//# sourceMappingURL=EndpointFactory-3g-7Rznt.d.cts.map