@hypequery/serve 0.1.0 → 0.2.0

package/dist/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,cAAc,YAAY,CAAC;AAC3B,cAAc,mBAAmB,CAAC;AAClC,cAAc,mBAAmB,CAAC;AAClC,cAAc,aAAa,CAAC;AAC5B,cAAc,eAAe,CAAC;AAC9B,cAAc,cAAc,CAAC;AAC7B,cAAc,cAAc,CAAC;AAC7B,cAAc,WAAW,CAAC;AAC1B,cAAc,oBAAoB,CAAC;AACnC,cAAc,YAAY,CAAC;AAC3B,cAAc,oBAAoB,CAAC;AACnC,cAAc,qBAAqB,CAAC;AACpC,cAAc,sBAAsB,CAAC;AACrC,cAAc,UAAU,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,cAAc,YAAY,CAAC;AAC3B,cAAc,mBAAmB,CAAC;AAClC,cAAc,mBAAmB,CAAC;AAClC,cAAc,aAAa,CAAC;AAC5B,cAAc,eAAe,CAAC;AAC9B,cAAc,cAAc,CAAC;AAC7B,cAAc,cAAc,CAAC;AAC7B,cAAc,WAAW,CAAC;AAC1B,cAAc,WAAW,CAAC;AAC1B,cAAc,aAAa,CAAC;AAC5B,cAAc,iBAAiB,CAAC;AAChC,cAAc,oBAAoB,CAAC;AACnC,cAAc,YAAY,CAAC;AAC3B,cAAc,oBAAoB,CAAC;AACnC,cAAc,qBAAqB,CAAC;AACpC,cAAc,sBAAsB,CAAC;AACrC,cAAc,UAAU,CAAC;AACzB,cAAc,YAAY,CAAC"}

package/dist/index.js

@@ -6,9 +6,13 @@ export * from "./endpoint.js";
 export * from "./openapi.js";
 export * from "./docs-ui.js";
 export * from "./auth.js";
+export * from "./cors.js";
+export * from "./errors.js";
+export * from "./rate-limit.js";
 export * from "./client-config.js";
 export * from "./utils.js";
 export * from "./adapters/node.js";
 export * from "./adapters/fetch.js";
 export * from "./adapters/vercel.js";
 export * from "./dev.js";
+export * from "./serve.js";

package/dist/pipeline.d.ts

@@ -1,6 +1,7 @@
 import { z } from 'zod';
 import type { AuthContext, AuthStrategy, DocsOptions, OpenApiOptions, ServeContextFactory, ServeEndpoint, ServeHandler, ServeLifecycleHooks, ServeMiddleware, ServeRequest, ServeResponse, TenantConfig } from './types.js';
 import { ServeQueryLogger } from './query-logger.js';
+import { type ResolvedCorsConfig } from './cors.js';
 export interface ExecuteEndpointOptions<TContext extends Record<string, unknown>, TAuth extends AuthContext> {
     endpoint: ServeEndpoint<any, any, TContext, TAuth>;
     request: ServeRequest;
@@ -13,6 +14,11 @@ export interface ExecuteEndpointOptions<TContext extends Record<string, unknown>
     queryLogger?: ServeQueryLogger;
     additionalContext?: Partial<TContext>;
     verboseAuthErrors?: boolean;
+    /**
+     * When true (the default), internal error details are hidden from responses.
+     * Set to false for in-process execution where the caller is trusted.
+     */
+    sanitizeErrors?: boolean;
 }
 export declare const executeEndpoint: <TContext extends Record<string, unknown>, TAuth extends AuthContext>(options: ExecuteEndpointOptions<TContext, TAuth>) => Promise<ServeResponse>;
 interface HandlerOptions<TContext extends Record<string, unknown>, TAuth extends AuthContext> {
@@ -24,8 +30,9 @@ interface HandlerOptions<TContext extends Record<string, unknown>, TAuth extends
     hooks?: ServeLifecycleHooks<TAuth>;
     queryLogger?: ServeQueryLogger;
     verboseAuthErrors?: boolean;
+    corsConfig?: ResolvedCorsConfig | null;
 }
-export declare const createServeHandler: <TContext extends Record<string, unknown>, TAuth extends AuthContext>({ router, globalMiddlewares, authStrategies, tenantConfig, contextFactory, hooks, queryLogger, verboseAuthErrors, }: HandlerOptions<TContext, TAuth>) => ServeHandler;
+export declare const createServeHandler: <TContext extends Record<string, unknown>, TAuth extends AuthContext>({ router, globalMiddlewares, authStrategies, tenantConfig, contextFactory, hooks, queryLogger, verboseAuthErrors, corsConfig, }: HandlerOptions<TContext, TAuth>) => ServeHandler;
 export declare const createOpenApiEndpoint: (path: string, getEndpoints: () => ServeEndpoint<any, any, any, any>[], options?: OpenApiOptions) => {
     key: string;
     method: "GET";

package/dist/pipeline.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"pipeline.d.ts","sourceRoot":"","sources":["../src/pipeline.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAmB,MAAM,KAAK,CAAC;AAEzC,OAAO,KAAK,EACV,WAAW,EAEX,YAAY,EACZ,WAAW,EAKX,cAAc,EACd,mBAAmB,EACnB,aAAa,EACb,YAAY,EACZ,mBAAmB,EACnB,eAAe,EACf,YAAY,EACZ,aAAa,EACb,YAAY,EAGb,MAAM,YAAY,CAAC;AAKpB,OAAO,EAAE,gBAAgB,EAAE,MAAM,mBAAmB,CAAC;AA8LrD,MAAM,WAAW,sBAAsB,CACrC,QAAQ,SAAS,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EACxC,KAAK,SAAS,WAAW;IAEzB,QAAQ,EAAE,aAAa,CAAC,GAAG,EAAE,GAAG,EAAE,QAAQ,EAAE,KAAK,CAAC,CAAC;IACnD,OAAO,EAAE,YAAY,CAAC;IACtB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,cAAc,EAAE,YAAY,CAAC,KAAK,CAAC,EAAE,CAAC;IACtC,cAAc,CAAC,EAAE,mBAAmB,CAAC,QAAQ,EAAE,KAAK,CAAC,CAAC;IACtD,iBAAiB,EAAE,eAAe,CAAC,GAAG,EAAE,GAAG,EAAE,QAAQ,EAAE,KAAK,CAAC,EAAE,CAAC;IAChE,YAAY,CAAC,EAAE,YAAY,CAAC,KAAK,CAAC,CAAC;IACnC,KAAK,CAAC,EAAE,mBAAmB,CAAC,KAAK,CAAC,CAAC;IACnC,WAAW,CAAC,EAAE,gBAAgB,CAAC;IAC/B,iBAAiB,CAAC,EAAE,OAAO,CAAC,QAAQ,CAAC,CAAC;IACtC,iBAAiB,CAAC,EAAE,OAAO,CAAC;CAC7B;AAED,eAAO,MAAM,eAAe,GAC1B,QAAQ,SAAS,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EACxC,KAAK,SAAS,WAAW,EAEzB,SAAS,sBAAsB,CAAC,QAAQ,EAAE,KAAK,CAAC,KAC/C,OAAO,CAAC,aAAa,CAqRvB,CAAC;AAEF,UAAU,cAAc,CACtB,QAAQ,SAAS,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EACxC,KAAK,SAAS,WAAW;IAEzB,MAAM,EAAE,OAAO,aAAa,EAAE,WAAW,CAAC;IAC1C,iBAAiB,EAAE,eAAe,CAAC,GAAG,EAAE,GAAG,EAAE,QAAQ,EAAE,KAAK,CAAC,EAAE,CAAC;IAChE,cAAc,EAAE,YAAY,CAAC,KAAK,CAAC,EAAE,CAAC;IACtC,YAAY,CAAC,EAAE,YAAY,CAAC,KAAK,CAAC,CAAC;IACnC,cAAc,CAAC,EAAE,mBAAmB,CAAC,QAAQ,EAAE,KAAK,CAAC,CAAC;IACtD,KAAK,CAAC,EAAE,mBAAmB,CAAC,KAAK,CAAC,CAAC;IACnC,WAAW,CAAC,EAAE,gBAAgB,CAAC;IAC/B,iBAAiB,CAAC,EAAE,OAAO,CAAC;CAC7B;AAED,eAAO,MAAM,kBAAkB,GAC7B,QAAQ,SAAS,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EACxC,KAAK,SAAS,WAAW,EACzB,qHASC,cAAc,CAAC,QAAQ,EAAE,KAAK,CAAC,KAAG,YA2BpC,CAAC;AAEF,eAAO,MAAM,qBAAqB,GAChC,MAAM,MAAM,EACZ,cAAc,MAAM,aAAa,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,CAAC,EAAE,EACvD,UAAU,cAAc;;;;;;;;;;;;;;;;;;;;;CA8BzB,CAAC;AAEF,eAAO,MAAM,kBAAkB,GAC7B,MAAM,MAAM,EACZ,aAAa,MAAM,EACnB,UAAU,WAAW;;;;;;;;;;;;;;;;;;;;;;;;CAyBmD,CAAC"}
+{"version":3,"file":"pipeline.d.ts","sourceRoot":"","sources":["../src/pipeline.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAmB,MAAM,KAAK,CAAC;AAEzC,OAAO,KAAK,EACV,WAAW,EACX,YAAY,EACZ,WAAW,EAKX,cAAc,EACd,mBAAmB,EACnB,aAAa,EACb,YAAY,EACZ,mBAAmB,EACnB,eAAe,EACf,YAAY,EACZ,aAAa,EACb,YAAY,EAGb,MAAM,YAAY,CAAC;AAKpB,OAAO,EAAE,gBAAgB,EAAE,MAAM,mBAAmB,CAAC;AAOrD,OAAO,EAAE,KAAK,kBAAkB,EAAqB,MAAM,WAAW,CAAC;AA4MvE,MAAM,WAAW,sBAAsB,CACrC,QAAQ,SAAS,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EACxC,KAAK,SAAS,WAAW;IAEzB,QAAQ,EAAE,aAAa,CAAC,GAAG,EAAE,GAAG,EAAE,QAAQ,EAAE,KAAK,CAAC,CAAC;IACnD,OAAO,EAAE,YAAY,CAAC;IACtB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,cAAc,EAAE,YAAY,CAAC,KAAK,CAAC,EAAE,CAAC;IACtC,cAAc,CAAC,EAAE,mBAAmB,CAAC,QAAQ,EAAE,KAAK,CAAC,CAAC;IACtD,iBAAiB,EAAE,eAAe,CAAC,GAAG,EAAE,GAAG,EAAE,QAAQ,EAAE,KAAK,CAAC,EAAE,CAAC;IAChE,YAAY,CAAC,EAAE,YAAY,CAAC,KAAK,CAAC,CAAC;IACnC,KAAK,CAAC,EAAE,mBAAmB,CAAC,KAAK,CAAC,CAAC;IACnC,WAAW,CAAC,EAAE,gBAAgB,CAAC;IAC/B,iBAAiB,CAAC,EAAE,OAAO,CAAC,QAAQ,CAAC,CAAC;IACtC,iBAAiB,CAAC,EAAE,OAAO,CAAC;IAC5B;;;OAGG;IACH,cAAc,CAAC,EAAE,OAAO,CAAC;CAC1B;AAED,eAAO,MAAM,eAAe,GAC1B,QAAQ,SAAS,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EACxC,KAAK,SAAS,WAAW,EAEzB,SAAS,sBAAsB,CAAC,QAAQ,EAAE,KAAK,CAAC,KAC/C,OAAO,CAAC,aAAa,CAkUvB,CAAC;AAEF,UAAU,cAAc,CACtB,QAAQ,SAAS,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EACxC,KAAK,SAAS,WAAW;IAEzB,MAAM,EAAE,OAAO,aAAa,EAAE,WAAW,CAAC;IAC1C,iBAAiB,EAAE,eAAe,CAAC,GAAG,EAAE,GAAG,EAAE,QAAQ,EAAE,KAAK,CAAC,EAAE,CAAC;IAChE,cAAc,EAAE,YAAY,CAAC,KAAK,CAAC,EAAE,CAAC;IACtC,YAAY,CAAC,EAAE,YAAY,CAAC,KAAK,CAAC,CAAC;IACnC,cAAc,CAAC,EAAE,mBAAmB,CAAC,QAAQ,EAAE,KAAK,CAAC,CAAC;IACtD,KAAK,CAAC,EAAE,mBAAmB,CAAC,KAAK,CAAC,CAAC;IACnC,WAAW,CAAC,EAAE,gBAAgB,CAAC;IAC/B,iBAAiB,CAAC,EAAE,OAAO,CAAC;IAC5B,UAAU,CAAC,EAAE,kBAAkB,GAAG,IAAI,CAAC;CACxC;AAED,eAAO,MAAM,kBAAkB,GAC7B,QAAQ,SAAS,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EACxC,KAAK,SAAS,WAAW,EACzB,iIAUC,cAAc,CAAC,QAAQ,EAAE,KAAK,CAAC,KAAG,YA0CpC,CAAC;AAEF,eAAO,MAAM,qBAAqB,GAChC,MAAM,MAAM,EACZ,cAAc,MAAM,aAAa,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,CAAC,EAAE,EACvD,UAAU,cAAc;;;;;;;;;;;;;;;;;;;;;CA8BzB,CAAC;AAEF,eAAO,MAAM,kBAAkB,GAC7B,MAAM,MAAM,EACZ,aAAa,MAAM,EACnB,UAAU,WAAW;;;;;;;;;;;;;;;;;;;;;;;;CAyBmD,CAAC"}

package/dist/pipeline.js

@@ -3,7 +3,9 @@ import { createTenantScope, warnTenantMisconfiguration } from './tenant.js';
 import { generateRequestId } from './utils.js';
 import { buildOpenApiDocument } from './openapi.js';
 import { buildDocsHtml } from './docs-ui.js';
-import { checkRoleAuthorization, checkScopeAuthorization, } from './auth.js';
+import { ServeHttpError } from './errors.js';
+import { checkRoleAuthorization, checkScopeAuthorization, AuthError, } from './auth.js';
+import { handleCorsRequest } from './cors.js';
 const safeInvokeHook = async (name, hook, payload) => {
     if (!hook)
         return;
@@ -16,7 +18,7 @@ const safeInvokeHook = async (name, hook, payload) => {
 };
 const createErrorResponse = (status, type, message, details, headers) => ({
     status,
-    headers,
+    headers: headers ?? {},
     body: { error: { type, message, ...(details ? { details } : {}) } },
 });
 const buildContextInput = (request) => {
@@ -37,7 +39,7 @@ const resolveTenantConfig = (globalConfig, override) => {
     }
     const merged = { ...(globalConfig ?? {}), ...(override ?? {}) };
     if (!merged.extract) {
-        throw new Error('[hypequery/serve] Tenant override requires an extract function when no global tenant config is set. ' +
+        throw new ServeHttpError(500, 'INTERNAL_SERVER_ERROR', '[hypequery/serve] Tenant override requires an extract function when no global tenant config is set. ' +
             'If you are using tenantOptional(), define a global tenant config with extract or pass extract in the per-query override.');
     }
     return merged;
@@ -52,13 +54,29 @@ const runMiddlewares = async (middlewares, ctx, handler) => {
     return current();
 };
 const authenticateRequest = async (strategies, request, metadata) => {
+    let missingError;
+    let invalidError;
     for (const strategy of strategies) {
-        const result = await strategy({ request, endpoint: metadata });
-        if (result) {
-            return result;
+        try {
+            const result = await strategy({ request, endpoint: metadata });
+            if (result) {
+                return { auth: result };
+            }
+        }
+        catch (error) {
+            if (error instanceof AuthError) {
+                if (error.reason === 'INVALID') {
+                    invalidError = invalidError ?? error;
+                }
+                else {
+                    missingError = missingError ?? error;
+                }
+                continue;
+            }
+            throw error;
         }
     }
-    return null;
+    return { auth: null, error: invalidError ?? missingError };
 };
 const gatherAuthStrategies = (endpointStrategy, globalStrategies) => {
     const combined = [];
@@ -126,6 +144,7 @@ const resolveContext = async (factory, request, auth) => {
 const resolveRequestId = (request, provided) => provided ?? request.headers['x-request-id'] ?? request.headers['x-trace-id'] ?? generateRequestId();
 export const executeEndpoint = async (options) => {
     const { endpoint, request, requestId: explicitRequestId, authStrategies, contextFactory, globalMiddlewares, tenantConfig, hooks = {}, queryLogger, additionalContext, verboseAuthErrors = false, // Default to secure mode for production safety
+    sanitizeErrors = true, // Default to secure mode for HTTP requests
      } = options;
     const requestId = resolveRequestId(request, explicitRequestId);
     const locals = {};
@@ -170,19 +189,29 @@ export const executeEndpoint = async (options) => {
             requiresAuth,
         };
         context.metadata = metadataWithAuth;
-        const authContext = await authenticateRequest(strategies, request, metadataWithAuth);
+        const authResult = await authenticateRequest(strategies, request, metadataWithAuth);
+        const authContext = authResult.auth;
         if (!authContext && requiresAuth) {
+            const authErrorInfo = authResult.error
+                ? {
+                    reason: authResult.error.reason,
+                    message: authResult.error.message,
+                    details: authResult.error.details,
+                }
+                : undefined;
             await safeInvokeHook('onAuthFailure', hooks.onAuthFailure, {
                 requestId,
                 queryKey: endpoint.key,
                 metadata: metadataWithAuth,
                 request,
                 auth: context.auth,
-                reason: 'MISSING',
+                reason: authErrorInfo?.reason ?? 'MISSING',
+                error: authErrorInfo,
             });
-            return createErrorResponse(401, 'UNAUTHORIZED', verboseAuthErrors ? 'Authentication required' : 'Access denied', {
-                reason: 'missing_credentials',
+            return createErrorResponse(401, 'UNAUTHORIZED', verboseAuthErrors ? authErrorInfo?.message ?? 'Authentication required' : 'Access denied', {
+                reason: authErrorInfo?.reason === 'INVALID' ? 'invalid_credentials' : 'missing_credentials',
                 ...(verboseAuthErrors && { strategies_attempted: strategies.length }),
+                ...(verboseAuthErrors && authErrorInfo?.details ? { auth_error: authErrorInfo.details } : {}),
                 endpoint: endpoint.metadata.path,
             }, { 'x-request-id': requestId });
         }
@@ -356,18 +385,39 @@ export const executeEndpoint = async (options) => {
                 error: error instanceof Error ? error : new Error(String(error)),
             });
         }
-        const message = error instanceof Error ? error.message : 'Unexpected error';
-        return createErrorResponse(500, 'INTERNAL_SERVER_ERROR', message, undefined, { 'x-request-id': requestId });
+        // Structured errors thrown by middleware (rate limiter, custom middleware, etc.)
+        if (error &&
+            typeof error === 'object' &&
+            'status' in error &&
+            'payload' in error) {
+            const structured = error;
+            const response = createErrorResponse(structured.status, structured.payload.type, structured.payload.message, undefined, { 'x-request-id': requestId, ...(structured.headers ?? {}) });
+            return response;
+        }
+        // When sanitizeErrors is enabled (default for HTTP), hide internal error
+        // details to prevent leaking stack traces, paths, or SQL to clients.
+        // The raw error is still available in the onError hook above.
+        const errorMessage = sanitizeErrors
+            ? 'An unexpected error occurred'
+            : (error instanceof Error ? error.message : String(error));
+        return createErrorResponse(500, 'INTERNAL_SERVER_ERROR', errorMessage, undefined, { 'x-request-id': requestId });
     }
 };
-export const createServeHandler = ({ router, globalMiddlewares, authStrategies, tenantConfig, contextFactory, hooks, queryLogger, verboseAuthErrors = false, }) => {
+export const createServeHandler = ({ router, globalMiddlewares, authStrategies, tenantConfig, contextFactory, hooks, queryLogger, verboseAuthErrors = false, corsConfig, }) => {
     return async (request) => {
+        // Handle CORS preflight and compute headers for actual requests
+        const { preflightResponse, corsHeaders } = handleCorsRequest(corsConfig ?? null, request);
+        if (preflightResponse) {
+            return preflightResponse;
+        }
         const requestId = resolveRequestId(request);
         const endpoint = router.match(request.method, request.path);
         if (!endpoint) {
-            return createErrorResponse(404, 'NOT_FOUND', `No endpoint registered for ${request.method} ${request.path}`, undefined, { 'x-request-id': requestId });
+            const response = createErrorResponse(404, 'NOT_FOUND', `No endpoint registered for ${request.method} ${request.path}`, undefined, { 'x-request-id': requestId });
+            response.headers = { ...response.headers, ...corsHeaders };
+            return response;
         }
-        return executeEndpoint({
+        const response = await executeEndpoint({
             endpoint,
             request,
             requestId,
@@ -379,6 +429,11 @@ export const createServeHandler = ({ router, globalMiddlewares, authStrategies,
             queryLogger,
             verboseAuthErrors,
         });
+        // Inject CORS headers into every response
+        if (Object.keys(corsHeaders).length > 0) {
+            response.headers = { ...response.headers, ...corsHeaders };
+        }
+        return response;
     };
 };
 export const createOpenApiEndpoint = (path, getEndpoints, options) => {

package/dist/rate-limit.d.ts

@@ -0,0 +1,86 @@
+import type { AuthContext, ServeMiddleware, EndpointContext } from './types.js';
+/**
+ * Rate limit store interface.
+ * Implement this for custom backends (Redis, Memcached, etc.).
+ */
+export interface RateLimitStore {
+    /**
+     * Increment the hit count for a key within the given window.
+     * @returns The current hit count after incrementing.
+     */
+    increment(key: string, windowMs: number): Promise<number>;
+    /**
+     * Get the remaining TTL in milliseconds for a key.
+     * Returns 0 if the key has no active window.
+     */
+    getTtl(key: string): Promise<number>;
+    /**
+     * Reset the counter for a key.
+     */
+    reset(key: string): Promise<void>;
+}
+export interface RateLimitConfig<TContext extends Record<string, unknown> = Record<string, unknown>, TAuth extends AuthContext = AuthContext> {
+    /**
+     * Time window in milliseconds.
+     * @default 60000 (1 minute)
+     */
+    windowMs?: number;
+    /**
+     * Maximum number of requests allowed per window.
+     * @default 100
+     */
+    max?: number;
+    /**
+     * Function to derive the rate limit key from the request context.
+     * Defaults to IP-based limiting (from x-forwarded-for or x-real-ip).
+     */
+    keyBy?: (ctx: EndpointContext<unknown, TContext, TAuth>) => string | null;
+    /**
+     * Custom store implementation. Defaults to an in-memory store.
+     */
+    store?: RateLimitStore;
+    /**
+     * Whether to include rate limit headers in the response.
+     * @default true
+     */
+    headers?: boolean;
+    /**
+     * Custom message to return when rate limited.
+     * @default "Too many requests, please try again later"
+     */
+    message?: string;
+    /**
+     * If true, skip rate limiting instead of rejecting when the store fails.
+     * @default true
+     */
+    failOpen?: boolean;
+}
+export declare class MemoryRateLimitStore implements RateLimitStore {
+    private entries;
+    private cleanupTimer;
+    constructor(cleanupIntervalMs?: number);
+    increment(key: string, windowMs: number): Promise<number>;
+    getTtl(key: string): Promise<number>;
+    reset(key: string): Promise<void>;
+    destroy(): void;
+}
+/**
+ * Creates a rate-limiting middleware.
+ *
+ * @example Global rate limit:
+ * ```ts
+ * const api = defineServe({
+ *   queries: { ... },
+ *   middlewares: [rateLimit({ windowMs: 60_000, max: 100 })],
+ * });
+ * ```
+ *
+ * @example Per-tenant rate limit on a single query:
+ * ```ts
+ * query
+ *   .use(rateLimit({ max: 50, keyBy: (ctx) => ctx.auth?.tenantId ?? null }))
+ *   .query(async ({ ctx, input }) => { ... })
+ * ```
+ */
+export declare const rateLimit: <TContext extends Record<string, unknown> = Record<string, unknown>, TAuth extends AuthContext = AuthContext>(config?: RateLimitConfig<TContext, TAuth>) => ServeMiddleware<any, any, TContext, TAuth>;
+//# sourceMappingURL=rate-limit.d.ts.map

package/dist/rate-limit.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"rate-limit.d.ts","sourceRoot":"","sources":["../src/rate-limit.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,WAAW,EAAE,eAAe,EAAE,eAAe,EAAE,MAAM,YAAY,CAAC;AAEhF;;;GAGG;AACH,MAAM,WAAW,cAAc;IAC7B;;;OAGG;IACH,SAAS,CAAC,GAAG,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC;IAC1D;;;OAGG;IACH,MAAM,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC;IACrC;;OAEG;IACH,KAAK,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;CACnC;AAED,MAAM,WAAW,eAAe,CAC9B,QAAQ,SAAS,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAClE,KAAK,SAAS,WAAW,GAAG,WAAW;IAEvC;;;OAGG;IACH,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB;;;OAGG;IACH,GAAG,CAAC,EAAE,MAAM,CAAC;IACb;;;OAGG;IACH,KAAK,CAAC,EAAE,CAAC,GAAG,EAAE,eAAe,CAAC,OAAO,EAAE,QAAQ,EAAE,KAAK,CAAC,KAAK,MAAM,GAAG,IAAI,CAAC;IAC1E;;OAEG;IACH,KAAK,CAAC,EAAE,cAAc,CAAC;IACvB;;;OAGG;IACH,OAAO,CAAC,EAAE,OAAO,CAAC;IAClB;;;OAGG;IACH,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB;;;OAGG;IACH,QAAQ,CAAC,EAAE,OAAO,CAAC;CACpB;AAWD,qBAAa,oBAAqB,YAAW,cAAc;IACzD,OAAO,CAAC,OAAO,CAAkC;IACjD,OAAO,CAAC,YAAY,CAAiC;gBAEzC,iBAAiB,SAAS;IAgBhC,SAAS,CAAC,GAAG,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;IAczD,MAAM,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;IAOpC,KAAK,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAIvC,OAAO,IAAI,IAAI;CAIhB;AAmBD;;;;;;;;;;;;;;;;;GAiBG;AACH,eAAO,MAAM,SAAS,GACpB,QAAQ,SAAS,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAClE,KAAK,SAAS,WAAW,GAAG,WAAW,EAEvC,SAAQ,eAAe,CAAC,QAAQ,EAAE,KAAK,CAAM,KAC5C,eAAe,CAAC,GAAG,EAAE,GAAG,EAAE,QAAQ,EAAE,KAAK,CAwE3C,CAAC"}

package/dist/rate-limit.js

@@ -0,0 +1,137 @@
+export class MemoryRateLimitStore {
+    constructor(cleanupIntervalMs = 60000) {
+        this.entries = new Map();
+        // Periodic cleanup of expired entries to prevent memory leaks
+        this.cleanupTimer = setInterval(() => {
+            const now = Date.now();
+            for (const [key, entry] of this.entries) {
+                if (entry.expiresAt <= now) {
+                    this.entries.delete(key);
+                }
+            }
+        }, cleanupIntervalMs);
+        // Unref so the timer doesn't keep the process alive
+        if (typeof this.cleanupTimer === 'object' && 'unref' in this.cleanupTimer) {
+            this.cleanupTimer.unref();
+        }
+    }
+    async increment(key, windowMs) {
+        const now = Date.now();
+        const existing = this.entries.get(key);
+        if (existing && existing.expiresAt > now) {
+            existing.count++;
+            return existing.count;
+        }
+        // New window
+        this.entries.set(key, { count: 1, expiresAt: now + windowMs });
+        return 1;
+    }
+    async getTtl(key) {
+        const entry = this.entries.get(key);
+        if (!entry)
+            return 0;
+        const remaining = entry.expiresAt - Date.now();
+        return remaining > 0 ? remaining : 0;
+    }
+    async reset(key) {
+        this.entries.delete(key);
+    }
+    destroy() {
+        clearInterval(this.cleanupTimer);
+        this.entries.clear();
+    }
+}
+// ---------------------------------------------------------------------------
+// Key extraction helpers
+// ---------------------------------------------------------------------------
+const defaultKeyExtractor = (ctx) => {
+    const req = ctx.request;
+    return (req.headers['x-forwarded-for']?.split(',')[0]?.trim() ??
+        req.headers['x-real-ip'] ??
+        'unknown');
+};
+// ---------------------------------------------------------------------------
+// Middleware factory
+// ---------------------------------------------------------------------------
+/**
+ * Creates a rate-limiting middleware.
+ *
+ * @example Global rate limit:
+ * ```ts
+ * const api = defineServe({
+ *   queries: { ... },
+ *   middlewares: [rateLimit({ windowMs: 60_000, max: 100 })],
+ * });
+ * ```
+ *
+ * @example Per-tenant rate limit on a single query:
+ * ```ts
+ * query
+ *   .use(rateLimit({ max: 50, keyBy: (ctx) => ctx.auth?.tenantId ?? null }))
+ *   .query(async ({ ctx, input }) => { ... })
+ * ```
+ */
+export const rateLimit = (config = {}) => {
+    const windowMs = config.windowMs ?? 60000;
+    const max = config.max ?? 100;
+    const keyBy = config.keyBy ?? defaultKeyExtractor;
+    const store = config.store ?? new MemoryRateLimitStore();
+    const includeHeaders = config.headers !== false;
+    const message = config.message ?? 'Too many requests, please try again later';
+    const failOpen = config.failOpen !== false;
+    return async (ctx, next) => {
+        const key = keyBy(ctx);
+        // If we can't derive a key, skip rate limiting
+        if (!key) {
+            return next();
+        }
+        const rateLimitKey = `rl:${ctx.metadata.path}:${key}`;
+        let current;
+        let ttl;
+        try {
+            current = await store.increment(rateLimitKey, windowMs);
+            ttl = await store.getTtl(rateLimitKey);
+        }
+        catch {
+            if (failOpen) {
+                return next();
+            }
+            throw Object.assign(new Error('Rate limiter unavailable'), {
+                status: 503,
+                payload: {
+                    type: 'SERVICE_UNAVAILABLE',
+                    message: 'Rate limiter unavailable',
+                },
+            });
+        }
+        // Attach rate limit info to locals so hooks/handlers can inspect it
+        ctx.locals._rateLimit = { limit: max, remaining: Math.max(0, max - current), resetMs: ttl };
+        if (current > max) {
+            const retryAfterSec = Math.ceil(ttl / 1000);
+            const error = Object.assign(new Error(message), {
+                status: 429,
+                headers: {
+                    'retry-after': String(retryAfterSec),
+                    ...(includeHeaders
+                        ? {
+                            'x-ratelimit-limit': String(max),
+                            'x-ratelimit-remaining': '0',
+                            'x-ratelimit-reset': String(retryAfterSec),
+                        }
+                        : {}),
+                },
+                payload: {
+                    type: 'RATE_LIMITED',
+                    message,
+                },
+            });
+            throw error;
+        }
+        // Execute downstream handler
+        const result = await next();
+        // We can't directly set headers from middleware in the current architecture,
+        // but the rate limit info is available via ctx.locals._rateLimit
+        // for the lifecycle hooks or future header injection.
+        return result;
+    };
+};

package/dist/serve.d.ts

@@ -0,0 +1,16 @@
+import type { AuthContext, QueryObjectConfig, SchemaOutput, ServeBuilder, ServeConfig, ServeContextFactory, ServeEndpointMap, ServeQueriesMap, StandaloneQueryDefinition } from "./types.js";
+import type { ZodTypeAny } from "zod";
+export declare const createQueryFactory: <TContext extends Record<string, unknown> = Record<string, unknown>, TAuth extends AuthContext = AuthContext>(contextFactory?: ServeContextFactory<TContext, TAuth>) => <TInputSchema extends ZodTypeAny | undefined = undefined, TOutputSchema extends ZodTypeAny | undefined = undefined, TResult = TOutputSchema extends ZodTypeAny ? SchemaOutput<TOutputSchema> : unknown>(config: QueryObjectConfig<TInputSchema, TOutputSchema, TContext, TAuth, TResult>) => StandaloneQueryDefinition<TInputSchema, TOutputSchema extends ZodTypeAny ? TOutputSchema : ZodTypeAny, TContext, TAuth, TResult>;
+/**
+ * Create a reusable query definition that can execute in-process or be served via HTTP.
+ *
+ * Use `initServe()` when you want shared context passed once for both local execution and HTTP wiring.
+ */
+export declare const query: <TInputSchema extends ZodTypeAny | undefined = undefined, TOutputSchema extends ZodTypeAny | undefined = undefined, TResult = TOutputSchema extends ZodTypeAny ? SchemaOutput<TOutputSchema> : unknown>(config: QueryObjectConfig<TInputSchema, TOutputSchema, Record<string, unknown>, AuthContext, TResult>) => StandaloneQueryDefinition<TInputSchema, TOutputSchema extends ZodTypeAny ? TOutputSchema : ZodTypeAny, Record<string, unknown>, AuthContext, TResult>;
+/**
+ * Create a Serve API from a queries map.
+ *
+ * This is the unbound version. Use `initServe().serve(...)` when you want shared context and config.
+ */
+export declare function serve<TContext extends Record<string, unknown> = Record<string, unknown>, TAuth extends AuthContext = AuthContext, TQueries extends ServeQueriesMap<TContext, TAuth> = ServeQueriesMap<TContext, TAuth>>(config: ServeConfig<TContext, TAuth, TQueries>): ServeBuilder<ServeEndpointMap<TQueries, TContext, TAuth>, TContext, TAuth>;
+//# sourceMappingURL=serve.d.ts.map

package/dist/serve.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"serve.d.ts","sourceRoot":"","sources":["../src/serve.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EACV,WAAW,EAEX,iBAAiB,EAGjB,YAAY,EACZ,YAAY,EACZ,WAAW,EACX,mBAAmB,EACnB,gBAAgB,EAChB,eAAe,EAEf,yBAAyB,EAC1B,MAAM,YAAY,CAAC;AACpB,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,KAAK,CAAC;AAgGtC,eAAO,MAAM,kBAAkB,GAC7B,QAAQ,SAAS,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAClE,KAAK,SAAS,WAAW,GAAG,WAAW,EAEvC,iBAAiB,mBAAmB,CAAC,QAAQ,EAAE,KAAK,CAAC,MAGnD,YAAY,SAAS,UAAU,GAAG,SAAS,GAAG,SAAS,EACvD,aAAa,SAAS,UAAU,GAAG,SAAS,GAAG,SAAS,EACxD,OAAO,GAAG,aAAa,SAAS,UAAU,GAAG,YAAY,CAAC,aAAa,CAAC,GAAG,OAAO,EAElF,QAAQ,iBAAiB,CAAC,YAAY,EAAE,aAAa,EAAE,QAAQ,EAAE,KAAK,EAAE,OAAO,CAAC,KAC/E,yBAAyB,CAC1B,YAAY,EACZ,aAAa,SAAS,UAAU,GAAG,aAAa,GAAG,UAAU,EAC7D,QAAQ,EACR,KAAK,EACL,OAAO,CAIV,CAAC;AAEF;;;;GAIG;AACH,eAAO,MAAM,KAAK,GArBd,YAAY,SAAS,UAAU,GAAG,SAAS,cAC3C,aAAa,SAAS,UAAU,GAAG,SAAS,cAC5C,OAAO,4UAmB8B,CAAC;AAE1C;;;;GAIG;AACH,wBAAgB,KAAK,CACnB,QAAQ,SAAS,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAClE,KAAK,SAAS,WAAW,GAAG,WAAW,EACvC,QAAQ,SAAS,eAAe,CAAC,QAAQ,EAAE,KAAK,CAAC,GAAG,eAAe,CAAC,QAAQ,EAAE,KAAK,CAAC,EACpF,MAAM,EAAE,WAAW,CAAC,QAAQ,EAAE,KAAK,EAAE,QAAQ,CAAC,GAAG,YAAY,CAAC,gBAAgB,CAAC,QAAQ,EAAE,QAAQ,EAAE,KAAK,CAAC,EAAE,QAAQ,EAAE,KAAK,CAAC,CAE5H"}

package/dist/serve.js

@@ -0,0 +1,88 @@
+import { defineServe } from "./server/define-serve.js";
+const defaultRequest = {
+    method: "POST",
+    path: "/__query/execute",
+    query: {},
+    headers: {},
+};
+const resolveContext = async (contextFactory, request) => {
+    if (!contextFactory) {
+        return {};
+    }
+    if (typeof contextFactory === "function") {
+        return await contextFactory({ request, auth: null });
+    }
+    return contextFactory;
+};
+const parseMaybe = (schema, value) => {
+    if (!schema) {
+        return value;
+    }
+    return schema.parse(value);
+};
+const createStandaloneQuery = (config, contextFactory) => {
+    const run = config.query;
+    const definition = {
+        query: run,
+        run,
+        execute: async (options) => {
+            const request = {
+                method: options?.request?.method ?? config.method ?? "POST",
+                path: options?.request?.path ?? defaultRequest.path,
+                query: options?.request?.query ?? defaultRequest.query,
+                headers: options?.request?.headers ?? defaultRequest.headers,
+                body: options?.request?.body ?? options?.input,
+                raw: options?.request?.raw,
+            };
+            const resolvedContext = await resolveContext(contextFactory, request);
+            const input = parseMaybe(config.input, options?.input);
+            const runtimeContext = {
+                request,
+                auth: null,
+                locals: {},
+                setCacheTtl: () => undefined,
+                ...resolvedContext,
+                ...(options?.context ?? {}),
+            };
+            const result = await run({
+                input,
+                ctx: runtimeContext,
+            });
+            return parseMaybe(config.output, result);
+        },
+        ...(config.input && { inputSchema: config.input }),
+        ...(config.output && { outputSchema: config.output }),
+        ...(config.method && { method: config.method }),
+        ...(config.name && { name: config.name }),
+        ...(config.description && { description: config.description }),
+        ...(config.summary && { summary: config.summary }),
+        ...(config.tags && { tags: config.tags }),
+        ...(typeof config.auth !== "undefined" && { auth: config.auth }),
+        ...(typeof config.requiresAuth !== "undefined" && { requiresAuth: config.requiresAuth }),
+        ...(typeof config.tenant !== "undefined" && { tenant: config.tenant }),
+        ...(typeof config.cacheTtlMs !== "undefined" && { cacheTtlMs: config.cacheTtlMs }),
+        ...(config.requiredRoles && { requiredRoles: config.requiredRoles }),
+        ...(config.requiredScopes && { requiredScopes: config.requiredScopes }),
+        ...(config.custom && { custom: config.custom }),
+    };
+    return definition;
+};
+export const createQueryFactory = (contextFactory) => {
+    return (config) => {
+        return createStandaloneQuery(config, contextFactory);
+    };
+};
+/**
+ * Create a reusable query definition that can execute in-process or be served via HTTP.
+ *
+ * Use `initServe()` when you want shared context passed once for both local execution and HTTP wiring.
+ */
+export const query = createQueryFactory();
+/**
+ * Create a Serve API from a queries map.
+ *
+ * This is the unbound version. Use `initServe().serve(...)` when you want shared context and config.
+ */
+export function serve(config) {
+    return defineServe(config);
+}

package/dist/server/builder.d.ts

@@ -3,5 +3,5 @@ import type { ServeRouter } from "../router.js";
 import { ServeQueryLogger } from "../query-logger.js";
 export declare const createBuilderMethods: <TQueries extends ServeQueriesMap<TContext, TAuth>, TContext extends Record<string, unknown>, TAuth extends AuthContext>(queryEntries: ServeEndpointMap<TQueries, TContext, TAuth>, queryLogger: ServeQueryLogger, routeConfig: Record<string, {
     method: HttpMethod;
-}>, router: ServeRouter, authStrategies: AuthStrategy<TAuth>[], globalMiddlewares: ServeMiddleware<any, any, TContext, TAuth>[], executeQuery: ExecuteQueryFunction<ServeEndpointMap<TQueries, TContext, TAuth>, TContext, TAuth>, handler: ServeHandler, basePath: string) => ServeBuilder<ServeEndpointMap<TQueries, TContext, TAuth>, TContext, TAuth>;
+}>, router: ServeRouter, authStrategies: AuthStrategy<TAuth>[], globalMiddlewares: ServeMiddleware<any, any, TContext, TAuth>[], executeQuery: ExecuteQueryFunction<ServeEndpointMap<TQueries, TContext, TAuth>, TContext>, handler: ServeHandler, basePath: string) => ServeBuilder<ServeEndpointMap<TQueries, TContext, TAuth>, TContext, TAuth>;
 //# sourceMappingURL=builder.d.ts.map

package/dist/server/builder.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"builder.d.ts","sourceRoot":"","sources":["../../src/server/builder.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EACV,WAAW,EACX,YAAY,EACZ,UAAU,EACV,YAAY,EAEZ,gBAAgB,EAChB,eAAe,EAEf,eAAe,EACf,YAAY,EACZ,oBAAoB,EAGrB,MAAM,aAAa,CAAC;AACrB,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,cAAc,CAAC;AAChD,OAAO,EAAE,gBAAgB,EAAE,MAAM,oBAAoB,CAAC;AAYtD,eAAO,MAAM,oBAAoB,GAC/B,QAAQ,SAAS,eAAe,CAAC,QAAQ,EAAE,KAAK,CAAC,EACjD,QAAQ,SAAS,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EACxC,KAAK,SAAS,WAAW,EAEzB,cAAc,gBAAgB,CAAC,QAAQ,EAAE,QAAQ,EAAE,KAAK,CAAC,EACzD,aAAa,gBAAgB,EAC7B,aAAa,MAAM,CAAC,MAAM,EAAE;IAAE,MAAM,EAAE,UAAU,CAAA;CAAE,CAAC,EACnD,QAAQ,WAAW,EACnB,gBAAgB,YAAY,CAAC,KAAK,CAAC,EAAE,EACrC,mBAAmB,eAAe,CAAC,GAAG,EAAE,GAAG,EAAE,QAAQ,EAAE,KAAK,CAAC,EAAE,EAC/D,cAAc,oBAAoB,CAAC,gBAAgB,CAAC,QAAQ,EAAE,QAAQ,EAAE,KAAK,CAAC,EAAE,QAAQ,EAAE,KAAK,CAAC,EAChG,SAAS,YAAY,EACrB,UAAU,MAAM,KACf,YAAY,CAAC,gBAAgB,CAAC,QAAQ,EAAE,QAAQ,EAAE,KAAK,CAAC,EAAE,QAAQ,EAAE,KAAK,CAqF3E,CAAC"}
+{"version":3,"file":"builder.d.ts","sourceRoot":"","sources":["../../src/server/builder.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EACV,WAAW,EACX,YAAY,EACZ,UAAU,EACV,YAAY,EAEZ,gBAAgB,EAChB,eAAe,EACf,eAAe,EACf,YAAY,EACZ,oBAAoB,EAGrB,MAAM,aAAa,CAAC;AACrB,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,cAAc,CAAC;AAChD,OAAO,EAAE,gBAAgB,EAAE,MAAM,oBAAoB,CAAC;AAYtD,eAAO,MAAM,oBAAoB,GAC/B,QAAQ,SAAS,eAAe,CAAC,QAAQ,EAAE,KAAK,CAAC,EACjD,QAAQ,SAAS,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EACxC,KAAK,SAAS,WAAW,EAEzB,cAAc,gBAAgB,CAAC,QAAQ,EAAE,QAAQ,EAAE,KAAK,CAAC,EACzD,aAAa,gBAAgB,EAC7B,aAAa,MAAM,CAAC,MAAM,EAAE;IAAE,MAAM,EAAE,UAAU,CAAA;CAAE,CAAC,EACnD,QAAQ,WAAW,EACnB,gBAAgB,YAAY,CAAC,KAAK,CAAC,EAAE,EACrC,mBAAmB,eAAe,CAAC,GAAG,EAAE,GAAG,EAAE,QAAQ,EAAE,KAAK,CAAC,EAAE,EAC/D,cAAc,oBAAoB,CAAC,gBAAgB,CAAC,QAAQ,EAAE,QAAQ,EAAE,KAAK,CAAC,EAAE,QAAQ,CAAC,EACzF,SAAS,YAAY,EACrB,UAAU,MAAM,KACf,YAAY,CAAC,gBAAgB,CAAC,QAAQ,EAAE,QAAQ,EAAE,KAAK,CAAC,EAAE,QAAQ,EAAE,KAAK,CAsF3E,CAAC"}

package/dist/server/builder.js

@@ -10,6 +10,7 @@ const loadNodeAdapter = async () => {
 export const createBuilderMethods = (queryEntries, queryLogger, routeConfig, router, authStrategies, globalMiddlewares, executeQuery, handler, basePath) => {
     const builder = {
         queries: queryEntries,
+        basePath: basePath || undefined,
         queryLogger,
         _routeConfig: routeConfig,
         route: (path, endpoint, options = {}) => {

package/dist/server/define-serve.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"define-serve.d.ts","sourceRoot":"","sources":["../../src/server/define-serve.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EACV,WAAW,EAGX,YAAY,EACZ,WAAW,EAGX,gBAAgB,EAIhB,eAAe,EAChB,MAAM,aAAa,CAAC;AAUrB,eAAO,MAAM,WAAW,GACtB,QAAQ,SAAS,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAClE,KAAK,SAAS,WAAW,GAAG,WAAW,EACvC,QAAQ,SAAS,eAAe,CAAC,QAAQ,EAAE,KAAK,CAAC,GAAG,eAAe,CAAC,QAAQ,EAAE,KAAK,CAAC,EAEpF,QAAQ,WAAW,CAAC,QAAQ,EAAE,KAAK,EAAE,QAAQ,CAAC,KAC7C,YAAY,CAAC,gBAAgB,CAAC,QAAQ,EAAE,QAAQ,EAAE,KAAK,CAAC,EAAE,QAAQ,EAAE,KAAK,CAiH3E,CAAC"}
+{"version":3,"file":"define-serve.d.ts","sourceRoot":"","sources":["../../src/server/define-serve.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EACV,WAAW,EAGX,YAAY,EACZ,WAAW,EAEX,gBAAgB,EAIhB,eAAe,EAEhB,MAAM,aAAa,CAAC;AAWrB,eAAO,MAAM,WAAW,GACtB,QAAQ,SAAS,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAClE,KAAK,SAAS,WAAW,GAAG,WAAW,EACvC,QAAQ,SAAS,eAAe,CAAC,QAAQ,EAAE,KAAK,CAAC,GAAG,eAAe,CAAC,QAAQ,EAAE,KAAK,CAAC,EAEpF,QAAQ,WAAW,CAAC,QAAQ,EAAE,KAAK,EAAE,QAAQ,CAAC,KAC7C,YAAY,CAAC,gBAAgB,CAAC,QAAQ,EAAE,QAAQ,EAAE,KAAK,CAAC,EAAE,QAAQ,EAAE,KAAK,CAoH3E,CAAC"}

package/dist/server/define-serve.js

@@ -4,6 +4,7 @@ import { ensureArray } from "../utils.js";
 import { ServeQueryLogger, formatQueryEvent, formatQueryEventJSON } from "../query-logger.js";
 import { createServeHandler } from "../pipeline.js";
 import { createDocsEndpoint, createOpenApiEndpoint } from "../pipeline.js";
+import { resolveCorsConfig } from "../cors.js";
 import { createExecuteQuery } from "./execute-query.js";
 import { createBuilderMethods } from "./builder.js";
 export const defineServe = (config) => {
@@ -62,6 +63,7 @@ export const defineServe = (config) => {
     for (const key of Object.keys(configuredQueries)) {
         registerQuery(key, configuredQueries[key]);
     }
+    const corsConfig = resolveCorsConfig(config.cors);
     const handler = createServeHandler({
         router,
         globalMiddlewares,
@@ -71,6 +73,7 @@ export const defineServe = (config) => {
         hooks,
         queryLogger,
         verboseAuthErrors: config.security?.verboseAuthErrors ?? false,
+        corsConfig,
     });
     // Track route configuration for client config extraction
     const routeConfig = {};

package/dist/server/execute-query.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"execute-query.d.ts","sourceRoot":"","sources":["../../src/server/execute-query.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EACV,WAAW,EACX,YAAY,EAEZ,WAAW,EACX,mBAAmB,EAEnB,gBAAgB,EAChB,mBAAmB,EACnB,mBAAmB,EACnB,eAAe,EAEf,YAAY,EACZ,YAAY,EACb,MAAM,aAAa,CAAC;AACrB,OAAO,EAAE,gBAAgB,EAAE,MAAM,oBAAoB,CAAC;AAGtD,eAAO,MAAM,kBAAkB,GAC7B,QAAQ,SAAS,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EACxC,KAAK,SAAS,WAAW,EAEzB,cAAc,gBAAgB,CAAC,GAAG,EAAE,QAAQ,EAAE,KAAK,CAAC,EACpD,gBAAgB,YAAY,CAAC,KAAK,CAAC,EAAE,EACrC,gBAAgB,mBAAmB,CAAC,QAAQ,EAAE,KAAK,CAAC,GAAG,SAAS,EAChE,mBAAmB,eAAe,CAAC,GAAG,EAAE,GAAG,EAAE,QAAQ,EAAE,KAAK,CAAC,EAAE,EAC/D,cAAc,YAAY,CAAC,KAAK,CAAC,GAAG,SAAS,EAC7C,OAAO,mBAAmB,CAAC,KAAK,CAAC,EACjC,aAAa,gBAAgB,EAC7B,mBAAmB,OAAO,MAEZ,IAAI,SAAS,MAAM,OAAO,YAAY,EAClD,KAAK,IAAI,EACT,UAAU;IACR,KAAK,CAAC,EAAE,WAAW,CAAC,CAAC,OAAO,YAAY,EAAE,IAAI,CAAC,CAAC,aAAa,CAAC,CAAC,CAAC;IAChE,OAAO,CAAC,EAAE,OAAO,CAAC,QAAQ,CAAC,CAAC;IAC5B,OAAO,CAAC,EAAE,OAAO,CAAC,YAAY,CAAC,CAAC;CACjC,KACA,OAAO,CAAC,mBAAmB,CAAC,CAAC,OAAO,YAAY,EAAE,IAAI,CAAC,CAAC,CAwC5D,CAAC"}
+{"version":3,"file":"execute-query.d.ts","sourceRoot":"","sources":["../../src/server/execute-query.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EACV,WAAW,EACX,YAAY,EAEZ,WAAW,EACX,mBAAmB,EACnB,gBAAgB,EAChB,mBAAmB,EACnB,mBAAmB,EACnB,eAAe,EACf,YAAY,EACZ,YAAY,EACb,MAAM,aAAa,CAAC;AACrB,OAAO,EAAE,gBAAgB,EAAE,MAAM,oBAAoB,CAAC;AAGtD,eAAO,MAAM,kBAAkB,GAC7B,QAAQ,SAAS,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EACxC,KAAK,SAAS,WAAW,EAEzB,cAAc,gBAAgB,CAAC,GAAG,EAAE,QAAQ,EAAE,KAAK,CAAC,EACpD,gBAAgB,YAAY,CAAC,KAAK,CAAC,EAAE,EACrC,gBAAgB,mBAAmB,CAAC,QAAQ,EAAE,KAAK,CAAC,GAAG,SAAS,EAChE,mBAAmB,eAAe,CAAC,GAAG,EAAE,GAAG,EAAE,QAAQ,EAAE,KAAK,CAAC,EAAE,EAC/D,cAAc,YAAY,CAAC,KAAK,CAAC,GAAG,SAAS,EAC7C,OAAO,mBAAmB,CAAC,KAAK,CAAC,EACjC,aAAa,gBAAgB,EAC7B,mBAAmB,OAAO,MAEZ,IAAI,SAAS,MAAM,OAAO,YAAY,EAClD,KAAK,IAAI,EACT,UAAU;IACR,KAAK,CAAC,EAAE,WAAW,CAAC,CAAC,OAAO,YAAY,EAAE,IAAI,CAAC,CAAC,aAAa,CAAC,CAAC,CAAC;IAChE,OAAO,CAAC,EAAE,OAAO,CAAC,QAAQ,CAAC,CAAC;IAC5B,OAAO,CAAC,EAAE,OAAO,CAAC,YAAY,CAAC,CAAC;CACjC,KACA,OAAO,CAAC,mBAAmB,CAAC,CAAC,OAAO,YAAY,EAAE,IAAI,CAAC,CAAC,CA8C5D,CAAC"}