@hypequery/serve 0.1.1 → 0.2.0

package/dist/pipeline.js

@@ -3,7 +3,9 @@ import { createTenantScope, warnTenantMisconfiguration } from './tenant.js';
 import { generateRequestId } from './utils.js';
 import { buildOpenApiDocument } from './openapi.js';
 import { buildDocsHtml } from './docs-ui.js';
+import { ServeHttpError } from './errors.js';
 import { checkRoleAuthorization, checkScopeAuthorization, AuthError, } from './auth.js';
+import { handleCorsRequest } from './cors.js';
 const safeInvokeHook = async (name, hook, payload) => {
     if (!hook)
         return;
@@ -16,7 +18,7 @@ const safeInvokeHook = async (name, hook, payload) => {
 };
 const createErrorResponse = (status, type, message, details, headers) => ({
     status,
-    headers,
+    headers: headers ?? {},
     body: { error: { type, message, ...(details ? { details } : {}) } },
 });
 const buildContextInput = (request) => {
@@ -37,7 +39,7 @@ const resolveTenantConfig = (globalConfig, override) => {
     }
     const merged = { ...(globalConfig ?? {}), ...(override ?? {}) };
     if (!merged.extract) {
-        throw new Error('[hypequery/serve] Tenant override requires an extract function when no global tenant config is set. ' +
+        throw new ServeHttpError(500, 'INTERNAL_SERVER_ERROR', '[hypequery/serve] Tenant override requires an extract function when no global tenant config is set. ' +
             'If you are using tenantOptional(), define a global tenant config with extract or pass extract in the per-query override.');
     }
     return merged;
@@ -142,6 +144,7 @@ const resolveContext = async (factory, request, auth) => {
 const resolveRequestId = (request, provided) => provided ?? request.headers['x-request-id'] ?? request.headers['x-trace-id'] ?? generateRequestId();
 export const executeEndpoint = async (options) => {
     const { endpoint, request, requestId: explicitRequestId, authStrategies, contextFactory, globalMiddlewares, tenantConfig, hooks = {}, queryLogger, additionalContext, verboseAuthErrors = false, // Default to secure mode for production safety
+    sanitizeErrors = true, // Default to secure mode for HTTP requests
      } = options;
     const requestId = resolveRequestId(request, explicitRequestId);
     const locals = {};
@@ -382,18 +385,39 @@ export const executeEndpoint = async (options) => {
                 error: error instanceof Error ? error : new Error(String(error)),
             });
         }
-        const message = error instanceof Error ? error.message : 'Unexpected error';
-        return createErrorResponse(500, 'INTERNAL_SERVER_ERROR', message, undefined, { 'x-request-id': requestId });
+        // Structured errors thrown by middleware (rate limiter, custom middleware, etc.)
+        if (error &&
+            typeof error === 'object' &&
+            'status' in error &&
+            'payload' in error) {
+            const structured = error;
+            const response = createErrorResponse(structured.status, structured.payload.type, structured.payload.message, undefined, { 'x-request-id': requestId, ...(structured.headers ?? {}) });
+            return response;
+        }
+        // When sanitizeErrors is enabled (default for HTTP), hide internal error
+        // details to prevent leaking stack traces, paths, or SQL to clients.
+        // The raw error is still available in the onError hook above.
+        const errorMessage = sanitizeErrors
+            ? 'An unexpected error occurred'
+            : (error instanceof Error ? error.message : String(error));
+        return createErrorResponse(500, 'INTERNAL_SERVER_ERROR', errorMessage, undefined, { 'x-request-id': requestId });
     }
 };
-export const createServeHandler = ({ router, globalMiddlewares, authStrategies, tenantConfig, contextFactory, hooks, queryLogger, verboseAuthErrors = false, }) => {
+export const createServeHandler = ({ router, globalMiddlewares, authStrategies, tenantConfig, contextFactory, hooks, queryLogger, verboseAuthErrors = false, corsConfig, }) => {
     return async (request) => {
+        // Handle CORS preflight and compute headers for actual requests
+        const { preflightResponse, corsHeaders } = handleCorsRequest(corsConfig ?? null, request);
+        if (preflightResponse) {
+            return preflightResponse;
+        }
         const requestId = resolveRequestId(request);
         const endpoint = router.match(request.method, request.path);
         if (!endpoint) {
-            return createErrorResponse(404, 'NOT_FOUND', `No endpoint registered for ${request.method} ${request.path}`, undefined, { 'x-request-id': requestId });
+            const response = createErrorResponse(404, 'NOT_FOUND', `No endpoint registered for ${request.method} ${request.path}`, undefined, { 'x-request-id': requestId });
+            response.headers = { ...response.headers, ...corsHeaders };
+            return response;
         }
-        return executeEndpoint({
+        const response = await executeEndpoint({
             endpoint,
             request,
             requestId,
@@ -405,6 +429,11 @@ export const createServeHandler = ({ router, globalMiddlewares, authStrategies,
             queryLogger,
             verboseAuthErrors,
         });
+        // Inject CORS headers into every response
+        if (Object.keys(corsHeaders).length > 0) {
+            response.headers = { ...response.headers, ...corsHeaders };
+        }
+        return response;
     };
 };
 export const createOpenApiEndpoint = (path, getEndpoints, options) => {

package/dist/rate-limit.d.ts

@@ -0,0 +1,86 @@
+import type { AuthContext, ServeMiddleware, EndpointContext } from './types.js';
+/**
+ * Rate limit store interface.
+ * Implement this for custom backends (Redis, Memcached, etc.).
+ */
+export interface RateLimitStore {
+    /**
+     * Increment the hit count for a key within the given window.
+     * @returns The current hit count after incrementing.
+     */
+    increment(key: string, windowMs: number): Promise<number>;
+    /**
+     * Get the remaining TTL in milliseconds for a key.
+     * Returns 0 if the key has no active window.
+     */
+    getTtl(key: string): Promise<number>;
+    /**
+     * Reset the counter for a key.
+     */
+    reset(key: string): Promise<void>;
+}
+export interface RateLimitConfig<TContext extends Record<string, unknown> = Record<string, unknown>, TAuth extends AuthContext = AuthContext> {
+    /**
+     * Time window in milliseconds.
+     * @default 60000 (1 minute)
+     */
+    windowMs?: number;
+    /**
+     * Maximum number of requests allowed per window.
+     * @default 100
+     */
+    max?: number;
+    /**
+     * Function to derive the rate limit key from the request context.
+     * Defaults to IP-based limiting (from x-forwarded-for or x-real-ip).
+     */
+    keyBy?: (ctx: EndpointContext<unknown, TContext, TAuth>) => string | null;
+    /**
+     * Custom store implementation. Defaults to an in-memory store.
+     */
+    store?: RateLimitStore;
+    /**
+     * Whether to include rate limit headers in the response.
+     * @default true
+     */
+    headers?: boolean;
+    /**
+     * Custom message to return when rate limited.
+     * @default "Too many requests, please try again later"
+     */
+    message?: string;
+    /**
+     * If true, skip rate limiting instead of rejecting when the store fails.
+     * @default true
+     */
+    failOpen?: boolean;
+}
+export declare class MemoryRateLimitStore implements RateLimitStore {
+    private entries;
+    private cleanupTimer;
+    constructor(cleanupIntervalMs?: number);
+    increment(key: string, windowMs: number): Promise<number>;
+    getTtl(key: string): Promise<number>;
+    reset(key: string): Promise<void>;
+    destroy(): void;
+}
+/**
+ * Creates a rate-limiting middleware.
+ *
+ * @example Global rate limit:
+ * ```ts
+ * const api = defineServe({
+ *   queries: { ... },
+ *   middlewares: [rateLimit({ windowMs: 60_000, max: 100 })],
+ * });
+ * ```
+ *
+ * @example Per-tenant rate limit on a single query:
+ * ```ts
+ * query
+ *   .use(rateLimit({ max: 50, keyBy: (ctx) => ctx.auth?.tenantId ?? null }))
+ *   .query(async ({ ctx, input }) => { ... })
+ * ```
+ */
+export declare const rateLimit: <TContext extends Record<string, unknown> = Record<string, unknown>, TAuth extends AuthContext = AuthContext>(config?: RateLimitConfig<TContext, TAuth>) => ServeMiddleware<any, any, TContext, TAuth>;
+//# sourceMappingURL=rate-limit.d.ts.map

package/dist/rate-limit.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"rate-limit.d.ts","sourceRoot":"","sources":["../src/rate-limit.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,WAAW,EAAE,eAAe,EAAE,eAAe,EAAE,MAAM,YAAY,CAAC;AAEhF;;;GAGG;AACH,MAAM,WAAW,cAAc;IAC7B;;;OAGG;IACH,SAAS,CAAC,GAAG,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC;IAC1D;;;OAGG;IACH,MAAM,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC;IACrC;;OAEG;IACH,KAAK,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;CACnC;AAED,MAAM,WAAW,eAAe,CAC9B,QAAQ,SAAS,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAClE,KAAK,SAAS,WAAW,GAAG,WAAW;IAEvC;;;OAGG;IACH,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB;;;OAGG;IACH,GAAG,CAAC,EAAE,MAAM,CAAC;IACb;;;OAGG;IACH,KAAK,CAAC,EAAE,CAAC,GAAG,EAAE,eAAe,CAAC,OAAO,EAAE,QAAQ,EAAE,KAAK,CAAC,KAAK,MAAM,GAAG,IAAI,CAAC;IAC1E;;OAEG;IACH,KAAK,CAAC,EAAE,cAAc,CAAC;IACvB;;;OAGG;IACH,OAAO,CAAC,EAAE,OAAO,CAAC;IAClB;;;OAGG;IACH,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB;;;OAGG;IACH,QAAQ,CAAC,EAAE,OAAO,CAAC;CACpB;AAWD,qBAAa,oBAAqB,YAAW,cAAc;IACzD,OAAO,CAAC,OAAO,CAAkC;IACjD,OAAO,CAAC,YAAY,CAAiC;gBAEzC,iBAAiB,SAAS;IAgBhC,SAAS,CAAC,GAAG,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;IAczD,MAAM,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;IAOpC,KAAK,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAIvC,OAAO,IAAI,IAAI;CAIhB;AAmBD;;;;;;;;;;;;;;;;;GAiBG;AACH,eAAO,MAAM,SAAS,GACpB,QAAQ,SAAS,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAClE,KAAK,SAAS,WAAW,GAAG,WAAW,EAEvC,SAAQ,eAAe,CAAC,QAAQ,EAAE,KAAK,CAAM,KAC5C,eAAe,CAAC,GAAG,EAAE,GAAG,EAAE,QAAQ,EAAE,KAAK,CAwE3C,CAAC"}

package/dist/rate-limit.js

@@ -0,0 +1,137 @@
+export class MemoryRateLimitStore {
+    constructor(cleanupIntervalMs = 60000) {
+        this.entries = new Map();
+        // Periodic cleanup of expired entries to prevent memory leaks
+        this.cleanupTimer = setInterval(() => {
+            const now = Date.now();
+            for (const [key, entry] of this.entries) {
+                if (entry.expiresAt <= now) {
+                    this.entries.delete(key);
+                }
+            }
+        }, cleanupIntervalMs);
+        // Unref so the timer doesn't keep the process alive
+        if (typeof this.cleanupTimer === 'object' && 'unref' in this.cleanupTimer) {
+            this.cleanupTimer.unref();
+        }
+    }
+    async increment(key, windowMs) {
+        const now = Date.now();
+        const existing = this.entries.get(key);
+        if (existing && existing.expiresAt > now) {
+            existing.count++;
+            return existing.count;
+        }
+        // New window
+        this.entries.set(key, { count: 1, expiresAt: now + windowMs });
+        return 1;
+    }
+    async getTtl(key) {
+        const entry = this.entries.get(key);
+        if (!entry)
+            return 0;
+        const remaining = entry.expiresAt - Date.now();
+        return remaining > 0 ? remaining : 0;
+    }
+    async reset(key) {
+        this.entries.delete(key);
+    }
+    destroy() {
+        clearInterval(this.cleanupTimer);
+        this.entries.clear();
+    }
+}
+// ---------------------------------------------------------------------------
+// Key extraction helpers
+// ---------------------------------------------------------------------------
+const defaultKeyExtractor = (ctx) => {
+    const req = ctx.request;
+    return (req.headers['x-forwarded-for']?.split(',')[0]?.trim() ??
+        req.headers['x-real-ip'] ??
+        'unknown');
+};
+// ---------------------------------------------------------------------------
+// Middleware factory
+// ---------------------------------------------------------------------------
+/**
+ * Creates a rate-limiting middleware.
+ *
+ * @example Global rate limit:
+ * ```ts
+ * const api = defineServe({
+ *   queries: { ... },
+ *   middlewares: [rateLimit({ windowMs: 60_000, max: 100 })],
+ * });
+ * ```
+ *
+ * @example Per-tenant rate limit on a single query:
+ * ```ts
+ * query
+ *   .use(rateLimit({ max: 50, keyBy: (ctx) => ctx.auth?.tenantId ?? null }))
+ *   .query(async ({ ctx, input }) => { ... })
+ * ```
+ */
+export const rateLimit = (config = {}) => {
+    const windowMs = config.windowMs ?? 60000;
+    const max = config.max ?? 100;
+    const keyBy = config.keyBy ?? defaultKeyExtractor;
+    const store = config.store ?? new MemoryRateLimitStore();
+    const includeHeaders = config.headers !== false;
+    const message = config.message ?? 'Too many requests, please try again later';
+    const failOpen = config.failOpen !== false;
+    return async (ctx, next) => {
+        const key = keyBy(ctx);
+        // If we can't derive a key, skip rate limiting
+        if (!key) {
+            return next();
+        }
+        const rateLimitKey = `rl:${ctx.metadata.path}:${key}`;
+        let current;
+        let ttl;
+        try {
+            current = await store.increment(rateLimitKey, windowMs);
+            ttl = await store.getTtl(rateLimitKey);
+        }
+        catch {
+            if (failOpen) {
+                return next();
+            }
+            throw Object.assign(new Error('Rate limiter unavailable'), {
+                status: 503,
+                payload: {
+                    type: 'SERVICE_UNAVAILABLE',
+                    message: 'Rate limiter unavailable',
+                },
+            });
+        }
+        // Attach rate limit info to locals so hooks/handlers can inspect it
+        ctx.locals._rateLimit = { limit: max, remaining: Math.max(0, max - current), resetMs: ttl };
+        if (current > max) {
+            const retryAfterSec = Math.ceil(ttl / 1000);
+            const error = Object.assign(new Error(message), {
+                status: 429,
+                headers: {
+                    'retry-after': String(retryAfterSec),
+                    ...(includeHeaders
+                        ? {
+                            'x-ratelimit-limit': String(max),
+                            'x-ratelimit-remaining': '0',
+                            'x-ratelimit-reset': String(retryAfterSec),
+                        }
+                        : {}),
+                },
+                payload: {
+                    type: 'RATE_LIMITED',
+                    message,
+                },
+            });
+            throw error;
+        }
+        // Execute downstream handler
+        const result = await next();
+        // We can't directly set headers from middleware in the current architecture,
+        // but the rate limit info is available via ctx.locals._rateLimit
+        // for the lifecycle hooks or future header injection.
+        return result;
+    };
+};

package/dist/serve.d.ts

@@ -0,0 +1,16 @@
+import type { AuthContext, QueryObjectConfig, SchemaOutput, ServeBuilder, ServeConfig, ServeContextFactory, ServeEndpointMap, ServeQueriesMap, StandaloneQueryDefinition } from "./types.js";
+import type { ZodTypeAny } from "zod";
+export declare const createQueryFactory: <TContext extends Record<string, unknown> = Record<string, unknown>, TAuth extends AuthContext = AuthContext>(contextFactory?: ServeContextFactory<TContext, TAuth>) => <TInputSchema extends ZodTypeAny | undefined = undefined, TOutputSchema extends ZodTypeAny | undefined = undefined, TResult = TOutputSchema extends ZodTypeAny ? SchemaOutput<TOutputSchema> : unknown>(config: QueryObjectConfig<TInputSchema, TOutputSchema, TContext, TAuth, TResult>) => StandaloneQueryDefinition<TInputSchema, TOutputSchema extends ZodTypeAny ? TOutputSchema : ZodTypeAny, TContext, TAuth, TResult>;
+/**
+ * Create a reusable query definition that can execute in-process or be served via HTTP.
+ *
+ * Use `initServe()` when you want shared context passed once for both local execution and HTTP wiring.
+ */
+export declare const query: <TInputSchema extends ZodTypeAny | undefined = undefined, TOutputSchema extends ZodTypeAny | undefined = undefined, TResult = TOutputSchema extends ZodTypeAny ? SchemaOutput<TOutputSchema> : unknown>(config: QueryObjectConfig<TInputSchema, TOutputSchema, Record<string, unknown>, AuthContext, TResult>) => StandaloneQueryDefinition<TInputSchema, TOutputSchema extends ZodTypeAny ? TOutputSchema : ZodTypeAny, Record<string, unknown>, AuthContext, TResult>;
+/**
+ * Create a Serve API from a queries map.
+ *
+ * This is the unbound version. Use `initServe().serve(...)` when you want shared context and config.
+ */
+export declare function serve<TContext extends Record<string, unknown> = Record<string, unknown>, TAuth extends AuthContext = AuthContext, TQueries extends ServeQueriesMap<TContext, TAuth> = ServeQueriesMap<TContext, TAuth>>(config: ServeConfig<TContext, TAuth, TQueries>): ServeBuilder<ServeEndpointMap<TQueries, TContext, TAuth>, TContext, TAuth>;
+//# sourceMappingURL=serve.d.ts.map

package/dist/serve.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"serve.d.ts","sourceRoot":"","sources":["../src/serve.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EACV,WAAW,EAEX,iBAAiB,EAGjB,YAAY,EACZ,YAAY,EACZ,WAAW,EACX,mBAAmB,EACnB,gBAAgB,EAChB,eAAe,EAEf,yBAAyB,EAC1B,MAAM,YAAY,CAAC;AACpB,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,KAAK,CAAC;AAgGtC,eAAO,MAAM,kBAAkB,GAC7B,QAAQ,SAAS,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAClE,KAAK,SAAS,WAAW,GAAG,WAAW,EAEvC,iBAAiB,mBAAmB,CAAC,QAAQ,EAAE,KAAK,CAAC,MAGnD,YAAY,SAAS,UAAU,GAAG,SAAS,GAAG,SAAS,EACvD,aAAa,SAAS,UAAU,GAAG,SAAS,GAAG,SAAS,EACxD,OAAO,GAAG,aAAa,SAAS,UAAU,GAAG,YAAY,CAAC,aAAa,CAAC,GAAG,OAAO,EAElF,QAAQ,iBAAiB,CAAC,YAAY,EAAE,aAAa,EAAE,QAAQ,EAAE,KAAK,EAAE,OAAO,CAAC,KAC/E,yBAAyB,CAC1B,YAAY,EACZ,aAAa,SAAS,UAAU,GAAG,aAAa,GAAG,UAAU,EAC7D,QAAQ,EACR,KAAK,EACL,OAAO,CAIV,CAAC;AAEF;;;;GAIG;AACH,eAAO,MAAM,KAAK,GArBd,YAAY,SAAS,UAAU,GAAG,SAAS,cAC3C,aAAa,SAAS,UAAU,GAAG,SAAS,cAC5C,OAAO,4UAmB8B,CAAC;AAE1C;;;;GAIG;AACH,wBAAgB,KAAK,CACnB,QAAQ,SAAS,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAClE,KAAK,SAAS,WAAW,GAAG,WAAW,EACvC,QAAQ,SAAS,eAAe,CAAC,QAAQ,EAAE,KAAK,CAAC,GAAG,eAAe,CAAC,QAAQ,EAAE,KAAK,CAAC,EACpF,MAAM,EAAE,WAAW,CAAC,QAAQ,EAAE,KAAK,EAAE,QAAQ,CAAC,GAAG,YAAY,CAAC,gBAAgB,CAAC,QAAQ,EAAE,QAAQ,EAAE,KAAK,CAAC,EAAE,QAAQ,EAAE,KAAK,CAAC,CAE5H"}

package/dist/serve.js

@@ -0,0 +1,88 @@
+import { defineServe } from "./server/define-serve.js";
+const defaultRequest = {
+    method: "POST",
+    path: "/__query/execute",
+    query: {},
+    headers: {},
+};
+const resolveContext = async (contextFactory, request) => {
+    if (!contextFactory) {
+        return {};
+    }
+    if (typeof contextFactory === "function") {
+        return await contextFactory({ request, auth: null });
+    }
+    return contextFactory;
+};
+const parseMaybe = (schema, value) => {
+    if (!schema) {
+        return value;
+    }
+    return schema.parse(value);
+};
+const createStandaloneQuery = (config, contextFactory) => {
+    const run = config.query;
+    const definition = {
+        query: run,
+        run,
+        execute: async (options) => {
+            const request = {
+                method: options?.request?.method ?? config.method ?? "POST",
+                path: options?.request?.path ?? defaultRequest.path,
+                query: options?.request?.query ?? defaultRequest.query,
+                headers: options?.request?.headers ?? defaultRequest.headers,
+                body: options?.request?.body ?? options?.input,
+                raw: options?.request?.raw,
+            };
+            const resolvedContext = await resolveContext(contextFactory, request);
+            const input = parseMaybe(config.input, options?.input);
+            const runtimeContext = {
+                request,
+                auth: null,
+                locals: {},
+                setCacheTtl: () => undefined,
+                ...resolvedContext,
+                ...(options?.context ?? {}),
+            };
+            const result = await run({
+                input,
+                ctx: runtimeContext,
+            });
+            return parseMaybe(config.output, result);
+        },
+        ...(config.input && { inputSchema: config.input }),
+        ...(config.output && { outputSchema: config.output }),
+        ...(config.method && { method: config.method }),
+        ...(config.name && { name: config.name }),
+        ...(config.description && { description: config.description }),
+        ...(config.summary && { summary: config.summary }),
+        ...(config.tags && { tags: config.tags }),
+        ...(typeof config.auth !== "undefined" && { auth: config.auth }),
+        ...(typeof config.requiresAuth !== "undefined" && { requiresAuth: config.requiresAuth }),
+        ...(typeof config.tenant !== "undefined" && { tenant: config.tenant }),
+        ...(typeof config.cacheTtlMs !== "undefined" && { cacheTtlMs: config.cacheTtlMs }),
+        ...(config.requiredRoles && { requiredRoles: config.requiredRoles }),
+        ...(config.requiredScopes && { requiredScopes: config.requiredScopes }),
+        ...(config.custom && { custom: config.custom }),
+    };
+    return definition;
+};
+export const createQueryFactory = (contextFactory) => {
+    return (config) => {
+        return createStandaloneQuery(config, contextFactory);
+    };
+};
+/**
+ * Create a reusable query definition that can execute in-process or be served via HTTP.
+ *
+ * Use `initServe()` when you want shared context passed once for both local execution and HTTP wiring.
+ */
+export const query = createQueryFactory();
+/**
+ * Create a Serve API from a queries map.
+ *
+ * This is the unbound version. Use `initServe().serve(...)` when you want shared context and config.
+ */
+export function serve(config) {
+    return defineServe(config);
+}

package/dist/server/builder.d.ts

@@ -3,5 +3,5 @@ import type { ServeRouter } from "../router.js";
 import { ServeQueryLogger } from "../query-logger.js";
 export declare const createBuilderMethods: <TQueries extends ServeQueriesMap<TContext, TAuth>, TContext extends Record<string, unknown>, TAuth extends AuthContext>(queryEntries: ServeEndpointMap<TQueries, TContext, TAuth>, queryLogger: ServeQueryLogger, routeConfig: Record<string, {
     method: HttpMethod;
-}>, router: ServeRouter, authStrategies: AuthStrategy<TAuth>[], globalMiddlewares: ServeMiddleware<any, any, TContext, TAuth>[], executeQuery: ExecuteQueryFunction<ServeEndpointMap<TQueries, TContext, TAuth>, TContext, TAuth>, handler: ServeHandler, basePath: string) => ServeBuilder<ServeEndpointMap<TQueries, TContext, TAuth>, TContext, TAuth>;
+}>, router: ServeRouter, authStrategies: AuthStrategy<TAuth>[], globalMiddlewares: ServeMiddleware<any, any, TContext, TAuth>[], executeQuery: ExecuteQueryFunction<ServeEndpointMap<TQueries, TContext, TAuth>, TContext>, handler: ServeHandler, basePath: string) => ServeBuilder<ServeEndpointMap<TQueries, TContext, TAuth>, TContext, TAuth>;
 //# sourceMappingURL=builder.d.ts.map

package/dist/server/builder.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"builder.d.ts","sourceRoot":"","sources":["../../src/server/builder.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EACV,WAAW,EACX,YAAY,EACZ,UAAU,EACV,YAAY,EAEZ,gBAAgB,EAChB,eAAe,EAEf,eAAe,EACf,YAAY,EACZ,oBAAoB,EAGrB,MAAM,aAAa,CAAC;AACrB,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,cAAc,CAAC;AAChD,OAAO,EAAE,gBAAgB,EAAE,MAAM,oBAAoB,CAAC;AAYtD,eAAO,MAAM,oBAAoB,GAC/B,QAAQ,SAAS,eAAe,CAAC,QAAQ,EAAE,KAAK,CAAC,EACjD,QAAQ,SAAS,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EACxC,KAAK,SAAS,WAAW,EAEzB,cAAc,gBAAgB,CAAC,QAAQ,EAAE,QAAQ,EAAE,KAAK,CAAC,EACzD,aAAa,gBAAgB,EAC7B,aAAa,MAAM,CAAC,MAAM,EAAE;IAAE,MAAM,EAAE,UAAU,CAAA;CAAE,CAAC,EACnD,QAAQ,WAAW,EACnB,gBAAgB,YAAY,CAAC,KAAK,CAAC,EAAE,EACrC,mBAAmB,eAAe,CAAC,GAAG,EAAE,GAAG,EAAE,QAAQ,EAAE,KAAK,CAAC,EAAE,EAC/D,cAAc,oBAAoB,CAAC,gBAAgB,CAAC,QAAQ,EAAE,QAAQ,EAAE,KAAK,CAAC,EAAE,QAAQ,EAAE,KAAK,CAAC,EAChG,SAAS,YAAY,EACrB,UAAU,MAAM,KACf,YAAY,CAAC,gBAAgB,CAAC,QAAQ,EAAE,QAAQ,EAAE,KAAK,CAAC,EAAE,QAAQ,EAAE,KAAK,CAqF3E,CAAC"}
+{"version":3,"file":"builder.d.ts","sourceRoot":"","sources":["../../src/server/builder.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EACV,WAAW,EACX,YAAY,EACZ,UAAU,EACV,YAAY,EAEZ,gBAAgB,EAChB,eAAe,EACf,eAAe,EACf,YAAY,EACZ,oBAAoB,EAGrB,MAAM,aAAa,CAAC;AACrB,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,cAAc,CAAC;AAChD,OAAO,EAAE,gBAAgB,EAAE,MAAM,oBAAoB,CAAC;AAYtD,eAAO,MAAM,oBAAoB,GAC/B,QAAQ,SAAS,eAAe,CAAC,QAAQ,EAAE,KAAK,CAAC,EACjD,QAAQ,SAAS,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EACxC,KAAK,SAAS,WAAW,EAEzB,cAAc,gBAAgB,CAAC,QAAQ,EAAE,QAAQ,EAAE,KAAK,CAAC,EACzD,aAAa,gBAAgB,EAC7B,aAAa,MAAM,CAAC,MAAM,EAAE;IAAE,MAAM,EAAE,UAAU,CAAA;CAAE,CAAC,EACnD,QAAQ,WAAW,EACnB,gBAAgB,YAAY,CAAC,KAAK,CAAC,EAAE,EACrC,mBAAmB,eAAe,CAAC,GAAG,EAAE,GAAG,EAAE,QAAQ,EAAE,KAAK,CAAC,EAAE,EAC/D,cAAc,oBAAoB,CAAC,gBAAgB,CAAC,QAAQ,EAAE,QAAQ,EAAE,KAAK,CAAC,EAAE,QAAQ,CAAC,EACzF,SAAS,YAAY,EACrB,UAAU,MAAM,KACf,YAAY,CAAC,gBAAgB,CAAC,QAAQ,EAAE,QAAQ,EAAE,KAAK,CAAC,EAAE,QAAQ,EAAE,KAAK,CAsF3E,CAAC"}

package/dist/server/builder.js

@@ -10,6 +10,7 @@ const loadNodeAdapter = async () => {
 export const createBuilderMethods = (queryEntries, queryLogger, routeConfig, router, authStrategies, globalMiddlewares, executeQuery, handler, basePath) => {
     const builder = {
         queries: queryEntries,
+        basePath: basePath || undefined,
         queryLogger,
         _routeConfig: routeConfig,
         route: (path, endpoint, options = {}) => {

package/dist/server/define-serve.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"define-serve.d.ts","sourceRoot":"","sources":["../../src/server/define-serve.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EACV,WAAW,EAGX,YAAY,EACZ,WAAW,EAGX,gBAAgB,EAIhB,eAAe,EAChB,MAAM,aAAa,CAAC;AAUrB,eAAO,MAAM,WAAW,GACtB,QAAQ,SAAS,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAClE,KAAK,SAAS,WAAW,GAAG,WAAW,EACvC,QAAQ,SAAS,eAAe,CAAC,QAAQ,EAAE,KAAK,CAAC,GAAG,eAAe,CAAC,QAAQ,EAAE,KAAK,CAAC,EAEpF,QAAQ,WAAW,CAAC,QAAQ,EAAE,KAAK,EAAE,QAAQ,CAAC,KAC7C,YAAY,CAAC,gBAAgB,CAAC,QAAQ,EAAE,QAAQ,EAAE,KAAK,CAAC,EAAE,QAAQ,EAAE,KAAK,CAiH3E,CAAC"}
+{"version":3,"file":"define-serve.d.ts","sourceRoot":"","sources":["../../src/server/define-serve.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EACV,WAAW,EAGX,YAAY,EACZ,WAAW,EAEX,gBAAgB,EAIhB,eAAe,EAEhB,MAAM,aAAa,CAAC;AAWrB,eAAO,MAAM,WAAW,GACtB,QAAQ,SAAS,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAClE,KAAK,SAAS,WAAW,GAAG,WAAW,EACvC,QAAQ,SAAS,eAAe,CAAC,QAAQ,EAAE,KAAK,CAAC,GAAG,eAAe,CAAC,QAAQ,EAAE,KAAK,CAAC,EAEpF,QAAQ,WAAW,CAAC,QAAQ,EAAE,KAAK,EAAE,QAAQ,CAAC,KAC7C,YAAY,CAAC,gBAAgB,CAAC,QAAQ,EAAE,QAAQ,EAAE,KAAK,CAAC,EAAE,QAAQ,EAAE,KAAK,CAoH3E,CAAC"}

package/dist/server/define-serve.js

@@ -4,6 +4,7 @@ import { ensureArray } from "../utils.js";
 import { ServeQueryLogger, formatQueryEvent, formatQueryEventJSON } from "../query-logger.js";
 import { createServeHandler } from "../pipeline.js";
 import { createDocsEndpoint, createOpenApiEndpoint } from "../pipeline.js";
+import { resolveCorsConfig } from "../cors.js";
 import { createExecuteQuery } from "./execute-query.js";
 import { createBuilderMethods } from "./builder.js";
 export const defineServe = (config) => {
@@ -62,6 +63,7 @@ export const defineServe = (config) => {
     for (const key of Object.keys(configuredQueries)) {
         registerQuery(key, configuredQueries[key]);
     }
+    const corsConfig = resolveCorsConfig(config.cors);
     const handler = createServeHandler({
         router,
         globalMiddlewares,
@@ -71,6 +73,7 @@ export const defineServe = (config) => {
         hooks,
         queryLogger,
         verboseAuthErrors: config.security?.verboseAuthErrors ?? false,
+        corsConfig,
     });
     // Track route configuration for client config extraction
     const routeConfig = {};

package/dist/server/execute-query.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"execute-query.d.ts","sourceRoot":"","sources":["../../src/server/execute-query.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EACV,WAAW,EACX,YAAY,EAEZ,WAAW,EACX,mBAAmB,EAEnB,gBAAgB,EAChB,mBAAmB,EACnB,mBAAmB,EACnB,eAAe,EAEf,YAAY,EACZ,YAAY,EACb,MAAM,aAAa,CAAC;AACrB,OAAO,EAAE,gBAAgB,EAAE,MAAM,oBAAoB,CAAC;AAGtD,eAAO,MAAM,kBAAkB,GAC7B,QAAQ,SAAS,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EACxC,KAAK,SAAS,WAAW,EAEzB,cAAc,gBAAgB,CAAC,GAAG,EAAE,QAAQ,EAAE,KAAK,CAAC,EACpD,gBAAgB,YAAY,CAAC,KAAK,CAAC,EAAE,EACrC,gBAAgB,mBAAmB,CAAC,QAAQ,EAAE,KAAK,CAAC,GAAG,SAAS,EAChE,mBAAmB,eAAe,CAAC,GAAG,EAAE,GAAG,EAAE,QAAQ,EAAE,KAAK,CAAC,EAAE,EAC/D,cAAc,YAAY,CAAC,KAAK,CAAC,GAAG,SAAS,EAC7C,OAAO,mBAAmB,CAAC,KAAK,CAAC,EACjC,aAAa,gBAAgB,EAC7B,mBAAmB,OAAO,MAEZ,IAAI,SAAS,MAAM,OAAO,YAAY,EAClD,KAAK,IAAI,EACT,UAAU;IACR,KAAK,CAAC,EAAE,WAAW,CAAC,CAAC,OAAO,YAAY,EAAE,IAAI,CAAC,CAAC,aAAa,CAAC,CAAC,CAAC;IAChE,OAAO,CAAC,EAAE,OAAO,CAAC,QAAQ,CAAC,CAAC;IAC5B,OAAO,CAAC,EAAE,OAAO,CAAC,YAAY,CAAC,CAAC;CACjC,KACA,OAAO,CAAC,mBAAmB,CAAC,CAAC,OAAO,YAAY,EAAE,IAAI,CAAC,CAAC,CAwC5D,CAAC"}
+{"version":3,"file":"execute-query.d.ts","sourceRoot":"","sources":["../../src/server/execute-query.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EACV,WAAW,EACX,YAAY,EAEZ,WAAW,EACX,mBAAmB,EACnB,gBAAgB,EAChB,mBAAmB,EACnB,mBAAmB,EACnB,eAAe,EACf,YAAY,EACZ,YAAY,EACb,MAAM,aAAa,CAAC;AACrB,OAAO,EAAE,gBAAgB,EAAE,MAAM,oBAAoB,CAAC;AAGtD,eAAO,MAAM,kBAAkB,GAC7B,QAAQ,SAAS,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EACxC,KAAK,SAAS,WAAW,EAEzB,cAAc,gBAAgB,CAAC,GAAG,EAAE,QAAQ,EAAE,KAAK,CAAC,EACpD,gBAAgB,YAAY,CAAC,KAAK,CAAC,EAAE,EACrC,gBAAgB,mBAAmB,CAAC,QAAQ,EAAE,KAAK,CAAC,GAAG,SAAS,EAChE,mBAAmB,eAAe,CAAC,GAAG,EAAE,GAAG,EAAE,QAAQ,EAAE,KAAK,CAAC,EAAE,EAC/D,cAAc,YAAY,CAAC,KAAK,CAAC,GAAG,SAAS,EAC7C,OAAO,mBAAmB,CAAC,KAAK,CAAC,EACjC,aAAa,gBAAgB,EAC7B,mBAAmB,OAAO,MAEZ,IAAI,SAAS,MAAM,OAAO,YAAY,EAClD,KAAK,IAAI,EACT,UAAU;IACR,KAAK,CAAC,EAAE,WAAW,CAAC,CAAC,OAAO,YAAY,EAAE,IAAI,CAAC,CAAC,aAAa,CAAC,CAAC,CAAC;IAChE,OAAO,CAAC,EAAE,OAAO,CAAC,QAAQ,CAAC,CAAC;IAC5B,OAAO,CAAC,EAAE,OAAO,CAAC,YAAY,CAAC,CAAC;CACjC,KACA,OAAO,CAAC,mBAAmB,CAAC,CAAC,OAAO,YAAY,EAAE,IAAI,CAAC,CAAC,CA8C5D,CAAC"}

package/dist/server/execute-query.js

@@ -3,7 +3,11 @@ export const createExecuteQuery = (queryEntries, authStrategies, contextFactory,
     return async (key, options) => {
         const endpoint = queryEntries[key];
         if (!endpoint) {
-            throw new Error(`No query registered for key ${String(key)}`);
+            const availableQueries = Object.keys(queryEntries);
+            const availableMessage = availableQueries.length > 0
+                ? ` Available queries: ${availableQueries.join(", ")}.`
+                : " No queries are currently registered.";
+            throw new Error(`Query '${String(key)}' not found.${availableMessage}`);
         }
         const request = {
             method: endpoint.method,
@@ -24,6 +28,7 @@ export const createExecuteQuery = (queryEntries, authStrategies, contextFactory,
             queryLogger,
             additionalContext: options?.context,
             verboseAuthErrors,
+            sanitizeErrors: false, // In-process callers can see raw error messages
         });
         if (response.status !== 200) {
             const errorBody = response.body;

package/dist/server/init-serve.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"init-serve.d.ts","sourceRoot":"","sources":["../../src/server/init-serve.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EACV,WAAW,EACX,mBAAmB,EACnB,gBAAgB,EAChB,eAAe,EACf,WAAW,EACZ,MAAM,aAAa,CAAC;AAIrB,KAAK,uBAAuB,CAC1B,QAAQ,EACR,KAAK,SAAS,WAAW,IACvB,QAAQ,SAAS,mBAAmB,CAAC,MAAM,QAAQ,EAAE,KAAK,CAAC,GAAG,QAAQ,GAAG,KAAK,CAAC;AAEnF,KAAK,uBAAuB,CAC1B,QAAQ,SAAS,mBAAmB,CAAC,GAAG,EAAE,KAAK,CAAC,EAChD,KAAK,SAAS,WAAW,IACvB,IAAI,CACN,WAAW,CACT,uBAAuB,CAAC,QAAQ,EAAE,KAAK,CAAC,EACxC,KAAK,EACL,eAAe,CAAC,uBAAuB,CAAC,QAAQ,EAAE,KAAK,CAAC,EAAE,KAAK,CAAC,CACjE,EACD,SAAS,GAAG,SAAS,CACtB,GAAG;IAAE,OAAO,EAAE,QAAQ,CAAA;CAAE,CAAC;AAQ1B,eAAO,MAAM,SAAS,GACpB,QAAQ,SAAS,mBAAmB,CAAC,GAAG,EAAE,KAAK,CAAC,EAChD,KAAK,SAAS,WAAW,GAAG,WAAW,EACvC,SAAS,uBAAuB,CAAC,QAAQ,EAAE,KAAK,CAAC,KAAG,gBAAgB,CACpE,uBAAuB,CAAC,QAAQ,EAAE,KAAK,CAAC,EACxC,KAAK,CAsBN,CAAC"}
+{"version":3,"file":"init-serve.d.ts","sourceRoot":"","sources":["../../src/server/init-serve.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EACV,WAAW,EAEX,mBAAmB,EACnB,gBAAgB,EAChB,eAAe,EACf,WAAW,EACZ,MAAM,aAAa,CAAC;AAKrB,KAAK,uBAAuB,CAC1B,QAAQ,EACR,KAAK,SAAS,WAAW,IACvB,QAAQ,SAAS,mBAAmB,CAAC,MAAM,QAAQ,EAAE,KAAK,CAAC,GAAG,QAAQ,GAAG,KAAK,CAAC;AAEnF,KAAK,uBAAuB,CAC1B,QAAQ,SAAS,mBAAmB,CAAC,GAAG,EAAE,KAAK,CAAC,EAChD,KAAK,SAAS,WAAW,IACvB,IAAI,CACN,WAAW,CACT,uBAAuB,CAAC,QAAQ,EAAE,KAAK,CAAC,EACxC,KAAK,EACL,eAAe,CAAC,uBAAuB,CAAC,QAAQ,EAAE,KAAK,CAAC,EAAE,KAAK,CAAC,CACjE,EACD,SAAS,GAAG,SAAS,CACtB,GAAG;IAAE,OAAO,EAAE,QAAQ,CAAA;CAAE,CAAC;AAQ1B,eAAO,MAAM,SAAS,GACpB,QAAQ,SAAS,mBAAmB,CAAC,GAAG,EAAE,KAAK,CAAC,EAChD,KAAK,SAAS,WAAW,GAAG,WAAW,EACvC,SAAS,uBAAuB,CAAC,QAAQ,EAAE,KAAK,CAAC,KAAG,gBAAgB,CACpE,uBAAuB,CAAC,QAAQ,EAAE,KAAK,CAAC,EACxC,KAAK,CAqCN,CAAC"}

package/dist/server/init-serve.js

@@ -1,18 +1,33 @@
 import { createProcedureBuilder } from "../builder.js";
 import { defineServe } from "./define-serve.js";
+import { createQueryFactory } from "../serve.js";
 export const initServe = (options) => {
     const { context, ...staticOptions } = options;
     const procedure = createProcedureBuilder();
+    const define = (config) => {
+        return defineServe({
+            ...staticOptions,
+            ...config,
+            context: (context ?? {}),
+        });
+    };
+    const queryFactory = createQueryFactory((context ?? {}));
+    const query = new Proxy(queryFactory, {
+        apply(target, thisArg, argArray) {
+            return Reflect.apply(target, thisArg, argArray);
+        },
+        get(target, property, receiver) {
+            if (property in procedure) {
+                return Reflect.get(procedure, property);
+            }
+            return Reflect.get(target, property, receiver);
+        },
+    });
     return {
         procedure,
-        query: procedure,
+        query,
         queries: (definitions) => definitions,
-        define: (config) => {
-            return defineServe({
-                ...staticOptions,
-                ...config,
-                context: (context ?? {}),
-            });
-        },
+        serve: define,
+        define,
     };
 };

package/dist/type-tests/builder.test-d.d.ts

@@ -6,8 +6,14 @@ export declare const api: import("../types.js").ServeBuilder<import("../types.js
         plan?: string | undefined;
     }, {
         plan?: string | undefined;
-    }>, z.ZodTypeAny, {}, import("../types.js").AuthContext, {
+    }>, z.ZodTypeAny, {
+        db: {};
+    }, import("../types.js").AuthContext, {
         plan: string;
     }[]>;
-}, {}, import("../types.js").AuthContext>, {}, import("../types.js").AuthContext>;
+}, {
+    db: {};
+}, import("../types.js").AuthContext>, {
+    db: {};
+}, import("../types.js").AuthContext>;
 //# sourceMappingURL=builder.test-d.d.ts.map

package/dist/type-tests/builder.test-d.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"builder.test-d.d.ts","sourceRoot":"","sources":["../../src/type-tests/builder.test-d.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAUxB,eAAO,MAAM,GAAG;;;;;;;;;;iFAUd,CAAC"}
+{"version":3,"file":"builder.test-d.d.ts","sourceRoot":"","sources":["../../src/type-tests/builder.test-d.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAYxB,eAAO,MAAM,GAAG;;;;;;;;;;;;;;;;qCAUd,CAAC"}

package/dist/type-tests/builder.test-d.js

@@ -1,7 +1,9 @@
 import { initServe } from '../index.js';
 import { z } from 'zod';
 const serve = initServe({
-    context: () => ({}),
+    context: () => ({
+        db: {},
+    }),
 });
 const { query } = serve;
 export const api = serve.define({
@@ -18,3 +20,17 @@ export const api = serve.define({
 const _resultIsTyped = [{ plan: 'starter' }];
 // @ts-expect-error plan must be string
 const _resultRejectsNumber = [{ plan: 123 }];
+const executableQuery = query({
+    input: z.object({ startDate: z.string() }),
+    output: z.object({ total: z.number() }),
+    query: async ({ input, ctx }) => {
+        ctx.db;
+        return { total: Number(input.startDate.length) };
+    },
+});
+const executableResultPromise = executableQuery.execute({
+    input: { startDate: '2024-01-01' },
+});
+const _executableResultIsTyped = { total: 10 };
+// @ts-expect-error total must be number
+const _executableResultRejectsString = { total: '10' };