@hypequery/serve 0.2.1 → 0.3.0

package/dist/auth.js

@@ -1,3 +1,4 @@
+import { SignJWT, createRemoteJWKSet, jwtVerify, } from "jose";
 const resolveHeaderValue = (value) => {
     if (Array.isArray(value)) {
         const first = value.find((item) => typeof item === "string");
@@ -28,6 +29,8 @@ export const getHeader = (request, name) => {
     return trimmed.length > 0 ? trimmed : undefined;
 };
 export class AuthError extends Error {
+    reason;
+    details;
     constructor(reason, message, details) {
         super(message);
         this.name = "AuthError";
@@ -92,6 +95,131 @@ export const createBearerTokenStrategy = (options) => {
         return options.validate(token, request);
     };
 };
+export const fromContext = (extract) => async (context) => extract(context);
+const defaultJwtClaimMapper = (payload) => {
+    const scopeClaim = payload.scope ?? payload.scopes;
+    const scopes = typeof scopeClaim === "string"
+        ? scopeClaim.split(" ").filter(Boolean)
+        : Array.isArray(scopeClaim)
+            ? scopeClaim.filter((scope) => typeof scope === "string")
+            : undefined;
+    const roles = Array.isArray(payload.roles)
+        ? payload.roles.filter((role) => typeof role === "string")
+        : undefined;
+    return {
+        userId: typeof payload.sub === "string" ? payload.sub : undefined,
+        tenantId: typeof payload.org_id === "string" ? payload.org_id : undefined,
+        roles,
+        scopes,
+        metadata: payload,
+    };
+};
+/**
+ * Verifies JWT bearer tokens with either a shared secret (HS256 by default) or
+ * a remote JWKS (RS256 by default). Use shared secrets when you mint the token
+ * yourself, and JWKS when a provider such as Auth0, Clerk, or Cognito mints it.
+ *
+ * @example
+ * ```ts
+ * const api = createAPI({
+ *   auth: createJwtStrategy({
+ *     jwksUri: 'https://example.auth0.com/.well-known/jwks.json',
+ *     issuer: 'https://example.auth0.com/',
+ *     audience: 'https://api.example.com',
+ *   }),
+ *   queries: { ... },
+ * });
+ * ```
+ */
+const resolveSecretKey = (secret, helperName) => {
+    if (typeof secret === "string") {
+        if (secret.length === 0) {
+            throw new Error(`${helperName}: \`secret\` must not be empty.`);
+        }
+        return new TextEncoder().encode(secret);
+    }
+    if (secret.byteLength === 0) {
+        throw new Error(`${helperName}: \`secret\` must not be empty.`);
+    }
+    return secret;
+};
+const isSecretJwtOptions = (options) => "secret" in options && options.secret != null;
+const isJwksJwtOptions = (options) => "jwksUri" in options && options.jwksUri != null;
+export function createJwtStrategy(options) {
+    const hasSecret = isSecretJwtOptions(options);
+    const hasJwksUri = isJwksJwtOptions(options);
+    if (hasSecret === hasJwksUri) {
+        throw new Error("createJwtStrategy: provide exactly one of `secret` or `jwksUri`.");
+    }
+    const headerName = options.header ?? "authorization";
+    const prefix = options.prefix ?? "Bearer ";
+    const mapClaims = options.mapClaims
+        ?? defaultJwtClaimMapper;
+    let verify;
+    if (hasSecret) {
+        const key = resolveSecretKey(options.secret, "createJwtStrategy");
+        verify = (token) => jwtVerify(token, key, {
+            issuer: options.issuer,
+            audience: options.audience,
+            algorithms: options.algorithms ?? ["HS256"],
+        });
+    }
+    else {
+        if (options.jwksUri.trim().length === 0) {
+            throw new Error("createJwtStrategy: `jwksUri` must not be empty.");
+        }
+        const jwks = createRemoteJWKSet(new URL(options.jwksUri));
+        verify = (token) => jwtVerify(token, jwks, {
+            issuer: options.issuer,
+            audience: options.audience,
+            algorithms: options.algorithms ?? ["RS256"],
+        });
+    }
+    return async ({ request }) => {
+        const raw = getHeader(request, headerName);
+        if (typeof raw !== "string" || !raw.startsWith(prefix)) {
+            if (options.optional)
+                return null;
+            throw new AuthError("MISSING", `Missing bearer token in "${headerName}" header`, { header: headerName });
+        }
+        const token = raw.slice(prefix.length).trim();
+        if (!token) {
+            if (options.optional)
+                return null;
+            throw new AuthError("MISSING", `Empty bearer token in "${headerName}" header`, { header: headerName });
+        }
+        let payload;
+        try {
+            const verified = await verify(token);
+            payload = verified.payload;
+        }
+        catch (error) {
+            throw new AuthError("INVALID", "JWT verification failed", {
+                reason: error instanceof Error ? error.message : String(error),
+            });
+        }
+        return mapClaims(payload, request);
+    };
+}
+export const createAnalyticsTokenIssuer = (options) => {
+    const key = resolveSecretKey(options.secret, "createAnalyticsTokenIssuer");
+    const algorithm = options.algorithm ?? "HS256";
+    return async (claims) => {
+        let jwt = new SignJWT({
+            ...(claims.tenantId ? { org_id: claims.tenantId } : {}),
+            ...(claims.roles ? { roles: claims.roles } : {}),
+        })
+            .setProtectedHeader({ alg: algorithm })
+            .setSubject(claims.userId)
+            .setIssuedAt()
+            .setExpirationTime(options.expiresIn ?? "15m");
+        if (options.issuer)
+            jwt = jwt.setIssuer(options.issuer);
+        if (options.audience)
+            jwt = jwt.setAudience(options.audience);
+        return jwt.sign(key);
+    };
+};
 /**
  * Check if the authenticated user has at least one of the required roles (OR semantics).
  *
@@ -146,65 +274,15 @@ export const checkScopeAuthorization = (auth, requiredScopes) => {
         ? { ok: true }
         : { ok: false, missing: requiredScopes, reason: 'MISSING_SCOPE' };
 };
-/**
- * Middleware that requires the user to be authenticated.
- * Returns 401 if no auth context is present.
- *
- * @deprecated Use `query.requireAuth()` instead for per-endpoint authentication.
- *             This middleware is kept for complex use cases where guards aren't suitable.
- *             See: https://hypequery.com/docs/authentication#middleware-helpers
- *
- * Use this as a global middleware via `api.use(requireAuthMiddleware())`.
- * For per-query guards, prefer `query.requireAuth()`.
- */
-export const requireAuthMiddleware = () => async (ctx, next) => {
-    if (!ctx.auth) {
-        throw Object.assign(new Error("Authentication required"), {
-            status: 401,
-            type: "UNAUTHORIZED",
-        });
-    }
-    return next();
-};
-/**
- * Middleware that requires the user to have at least one of the specified roles.
- * Returns 403 if the user lacks the required role.
- *
- * @deprecated Use `query.requireRole(...)` instead for per-endpoint authorization.
- *             This middleware is kept for complex use cases where guards aren't suitable.
- *             See: https://hypequery.com/docs/authentication#middleware-helpers
- *
- * Use this as a global or per-query middleware via `api.use(requireRoleMiddleware('admin'))`.
- * For per-query guards, prefer `query.requireRole('admin')`.
- */
-export const requireRoleMiddleware = (...roles) => async (ctx, next) => {
-    const result = checkRoleAuthorization(ctx.auth, roles);
-    if (!result.ok) {
-        throw Object.assign(new Error(`Missing required role. Required one of: ${roles.join(", ")}`), { status: 403, type: "FORBIDDEN" });
-    }
-    return next();
-};
-/**
- * Middleware that requires the user to have all of the specified scopes.
- * Returns 403 if the user lacks a required scope.
- *
- * @deprecated Use `query.requireScope(...)` instead for per-endpoint authorization.
- *             This middleware is kept for complex use cases where guards aren't suitable.
- *             See: https://hypequery.com/docs/authentication#middleware-helpers
- *
- * Use this as a global or per-query middleware via `api.use(requireScopeMiddleware('read:metrics'))`.
- * For per-query guards, prefer `query.requireScope('read:metrics')`.
- */
-export const requireScopeMiddleware = (...scopes) => async (ctx, next) => {
-    const result = checkScopeAuthorization(ctx.auth, scopes);
-    if (!result.ok) {
-        throw Object.assign(new Error(`Missing required scopes: ${result.missing.join(", ")}`), { status: 403, type: "FORBIDDEN" });
-    }
-    return next();
-};
 /**
  * Creates a typed auth system with compile-time role and scope safety.
  *
+ * @deprecated Prefer typing your auth context directly and passing it to
+ *             `initServe<TContext, TAuth>(...)`. Define roles/scopes as a
+ *             union on your auth type and use `query.requireRole(...)` /
+ *             `query.requireScope(...)` guards. This helper is kept for
+ *             backwards compatibility and will be removed in a future release.
+ *
  * This helper provides:
  * - Type-safe auth context (combines AuthContextWithRoles and AuthContextWithScopes)
  * - A `useAuth` wrapper for auth strategies
@@ -221,32 +299,11 @@ export const requireScopeMiddleware = (...scopes) => async (ctx, next) => {
  * });
  *
  * // Extract the typed auth type for use with initServe
- * type AppAuth = TypedAuth;
+ * type AppAuth = typeof TypedAuth;
  *
  * const { query, serve } = initServe<Record<string, never>, AppAuth>({
  *   auth: useAuth(jwtStrategy),
  * });
- *
- * const adminOnly = query({
- *   requiredRoles: ['admin'],
- *   query: async () => {
- *     // ✅ TypeScript autocomplete for 'admin'
- *     // ❌ Compile error on typo like 'admn'
- *     return { secret: true };
- *   },
- * });
- *
- * const writeData = query({
- *   requiredScopes: ['write:metrics'],
- *   query: async () => {
- *     // ✅ TypeScript autocomplete for 'write:metrics'
- *     return { success: true };
- *   },
- * });
- *
- * const api = serve({
- *   queries: { adminOnly, writeData },
- * });
  * ```
  */
 export const createAuthSystem = () => {
@@ -254,34 +311,11 @@ export const createAuthSystem = () => {
         /**
          * Type-safe wrapper for auth strategies.
          * Ensures the strategy returns auth context with the correct role/scope types.
-         *
-         * @example
-         * ```ts
-         * const jwtStrategy: AuthStrategy<AppAuth> = async ({ request }) => {
-         *   const token = request.headers.authorization?.slice(7);
-         *   const payload = await verifyJwt(token);
-         *   return {
-         *     userId: payload.sub,
-         *     roles: payload.roles, // ✅ Type-checked against ['admin', 'editor', 'viewer']
-         *     scopes: payload.scopes, // ✅ Type-checked against ['read:metrics', 'write:metrics']
-         *   };
-         * };
-         *
-         * const api = defineServe<AppAuth>({
-         *   auth: useAuth(jwtStrategy),
-         *   // ...
-         * });
-         * ```
          */
         useAuth: (strategy) => strategy,
         /**
          * The combined typed auth context type.
-         * Use this to type your defineServe generic parameter.
-         *
-         * @example
-         * ```ts
-         * type AppAuth = typeof TypedAuth;
-         * ```
+         * Use this to type your initServe generic parameter.
          */
         TypedAuth: null,
     };

package/dist/client-config.d.ts

@@ -4,6 +4,7 @@ import type { ServeBuilder, HttpMethod, AuthContext } from "./types.js";
  */
 export interface QueryClientConfig {
     method: HttpMethod;
+    path?: string;
 }
 /**
  * Map of query names to their client configurations
@@ -36,8 +37,8 @@ export declare function extractClientConfig<TQueries extends Record<string, any>
  *
  * @example
  * const config = defineClientConfig({
- *   hello: { method: 'GET' },
- *   createUser: { method: 'POST' },
+ *   hello: { method: 'GET', path: '/api/analytics/queries/hello' },
+ *   createUser: { method: 'POST', path: '/api/analytics/queries/createUser' },
  * });
  */
 export declare function defineClientConfig<T extends ApiClientConfig>(config: T): T;

package/dist/client-config.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"client-config.d.ts","sourceRoot":"","sources":["../src/client-config.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,YAAY,EAAE,UAAU,EAAE,WAAW,EAAE,MAAM,YAAY,CAAC;AAExE;;GAEG;AACH,MAAM,WAAW,iBAAiB;IAChC,MAAM,EAAE,UAAU,CAAC;CACpB;AAED;;GAEG;AACH,MAAM,MAAM,eAAe,GAAG,MAAM,CAAC,MAAM,EAAE,iBAAiB,CAAC,CAAC;AAEhE;;;;;;;;;;;;;;;;;;;GAmBG;AACH,wBAAgB,mBAAmB,CACjC,QAAQ,SAAS,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,EACpC,QAAQ,SAAS,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EACxC,KAAK,SAAS,WAAW,EACzB,GAAG,EAAE,YAAY,CAAC,QAAQ,EAAE,QAAQ,EAAE,KAAK,CAAC,GAAG,eAAe,CAoB/D;AAED;;;;;;;;;GASG;AACH,wBAAgB,kBAAkB,CAAC,CAAC,SAAS,eAAe,EAAE,MAAM,EAAE,CAAC,GAAG,CAAC,CAE1E"}
+{"version":3,"file":"client-config.d.ts","sourceRoot":"","sources":["../src/client-config.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,YAAY,EAAE,UAAU,EAAE,WAAW,EAAE,MAAM,YAAY,CAAC;AAExE;;GAEG;AACH,MAAM,WAAW,iBAAiB;IAChC,MAAM,EAAE,UAAU,CAAC;IACnB,IAAI,CAAC,EAAE,MAAM,CAAC;CACf;AAED;;GAEG;AACH,MAAM,MAAM,eAAe,GAAG,MAAM,CAAC,MAAM,EAAE,iBAAiB,CAAC,CAAC;AAEhE;;;;;;;;;;;;;;;;;;;GAmBG;AACH,wBAAgB,mBAAmB,CACjC,QAAQ,SAAS,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,EACpC,QAAQ,SAAS,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EACxC,KAAK,SAAS,WAAW,EACzB,GAAG,EAAE,YAAY,CAAC,QAAQ,EAAE,QAAQ,EAAE,KAAK,CAAC,GAAG,eAAe,CAsB/D;AAED;;;;;;;;;GASG;AACH,wBAAgB,kBAAkB,CAAC,CAAC,SAAS,eAAe,EAAE,MAAM,EAAE,CAAC,GAAG,CAAC,CAE1E"}

package/dist/client-config.js

@@ -25,6 +25,7 @@ export function extractClientConfig(api) {
         for (const [key, routeConfig] of Object.entries(api._routeConfig)) {
             config[key] = {
                 method: routeConfig.method,
+                path: api.queries[key]?.metadata?.path,
             };
         }
     }
@@ -33,6 +34,7 @@ export function extractClientConfig(api) {
         for (const [key, endpoint] of Object.entries(api.queries)) {
             config[key] = {
                 method: endpoint.method,
+                path: endpoint.metadata?.path,
             };
         }
     }
@@ -44,8 +46,8 @@ export function extractClientConfig(api) {
  *
  * @example
  * const config = defineClientConfig({
- *   hello: { method: 'GET' },
- *   createUser: { method: 'POST' },
+ *   hello: { method: 'GET', path: '/api/analytics/queries/hello' },
+ *   createUser: { method: 'POST', path: '/api/analytics/queries/createUser' },
  * });
  */
 export function defineClientConfig(config) {

package/dist/errors.js

@@ -12,6 +12,9 @@
  * ```
  */
 export class ServeHttpError extends Error {
+    status;
+    payload;
+    headers;
     constructor(status, type, message, headers) {
         super(message);
         this.name = 'ServeHttpError';

package/dist/index.d.ts

@@ -14,6 +14,8 @@ export * from "./utils.js";
 export * from "./adapters/node.js";
 export * from "./adapters/fetch.js";
 export * from "./adapters/vercel.js";
+export { startServer, toNodeHandler, toFetchHandler } from "./adapters/standalone.js";
 export * from "./dev.js";
 export * from "./serve.js";
+export * from "./semantic/index.js";
 //# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,cAAc,YAAY,CAAC;AAC3B,cAAc,mBAAmB,CAAC;AAClC,cAAc,mBAAmB,CAAC;AAClC,cAAc,aAAa,CAAC;AAC5B,cAAc,eAAe,CAAC;AAC9B,cAAc,cAAc,CAAC;AAC7B,cAAc,cAAc,CAAC;AAC7B,cAAc,WAAW,CAAC;AAC1B,cAAc,WAAW,CAAC;AAC1B,cAAc,aAAa,CAAC;AAC5B,cAAc,iBAAiB,CAAC;AAChC,cAAc,oBAAoB,CAAC;AACnC,cAAc,YAAY,CAAC;AAC3B,cAAc,oBAAoB,CAAC;AACnC,cAAc,qBAAqB,CAAC;AACpC,cAAc,sBAAsB,CAAC;AACrC,cAAc,UAAU,CAAC;AACzB,cAAc,YAAY,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,cAAc,YAAY,CAAC;AAC3B,cAAc,mBAAmB,CAAC;AAClC,cAAc,mBAAmB,CAAC;AAClC,cAAc,aAAa,CAAC;AAC5B,cAAc,eAAe,CAAC;AAC9B,cAAc,cAAc,CAAC;AAC7B,cAAc,cAAc,CAAC;AAC7B,cAAc,WAAW,CAAC;AAC1B,cAAc,WAAW,CAAC;AAC1B,cAAc,aAAa,CAAC;AAC5B,cAAc,iBAAiB,CAAC;AAChC,cAAc,oBAAoB,CAAC;AACnC,cAAc,YAAY,CAAC;AAC3B,cAAc,oBAAoB,CAAC;AACnC,cAAc,qBAAqB,CAAC;AACpC,cAAc,sBAAsB,CAAC;AACrC,OAAO,EAAE,WAAW,EAAE,aAAa,EAAE,cAAc,EAAE,MAAM,0BAA0B,CAAC;AACtF,cAAc,UAAU,CAAC;AACzB,cAAc,YAAY,CAAC;AAC3B,cAAc,qBAAqB,CAAC"}

package/dist/index.js

@@ -14,5 +14,7 @@ export * from "./utils.js";
 export * from "./adapters/node.js";
 export * from "./adapters/fetch.js";
 export * from "./adapters/vercel.js";
+export { startServer, toNodeHandler, toFetchHandler } from "./adapters/standalone.js";
 export * from "./dev.js";
 export * from "./serve.js";
+export * from "./semantic/index.js";

package/dist/openapi.js

@@ -168,7 +168,6 @@ const normalizeInfo = (options) => {
     };
 };
 export const buildOpenApiDocument = (endpoints, options) => {
-    var _a;
     const document = {
         openapi: "3.1.0",
         info: normalizeInfo(options),
@@ -182,7 +181,7 @@ export const buildOpenApiDocument = (endpoints, options) => {
         }
         const path = endpoint.metadata.path || "/";
         const method = endpoint.method.toLowerCase();
-        const pathItem = ((_a = document.paths)[path] ?? (_a[path] = {}));
+        const pathItem = (document.paths[path] ??= {});
         const operation = toOperation(endpoint, "Response");
         if (endpoint.metadata.requiresAuth) {
             needsSecurityScheme = true;

package/dist/pipeline.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"pipeline.d.ts","sourceRoot":"","sources":["../src/pipeline.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAmB,MAAM,KAAK,CAAC;AAEzC,OAAO,KAAK,EACV,WAAW,EACX,YAAY,EACZ,WAAW,EAKX,cAAc,EACd,mBAAmB,EACnB,aAAa,EACb,YAAY,EACZ,mBAAmB,EACnB,eAAe,EACf,YAAY,EACZ,aAAa,EACb,YAAY,EAGb,MAAM,YAAY,CAAC;AAKpB,OAAO,EAAE,gBAAgB,EAAE,MAAM,mBAAmB,CAAC;AAOrD,OAAO,EAAE,KAAK,kBAAkB,EAAqB,MAAM,WAAW,CAAC;AA4MvE,MAAM,WAAW,sBAAsB,CACrC,QAAQ,SAAS,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EACxC,KAAK,SAAS,WAAW;IAEzB,QAAQ,EAAE,aAAa,CAAC,GAAG,EAAE,GAAG,EAAE,QAAQ,EAAE,KAAK,CAAC,CAAC;IACnD,OAAO,EAAE,YAAY,CAAC;IACtB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,cAAc,EAAE,YAAY,CAAC,KAAK,CAAC,EAAE,CAAC;IACtC,cAAc,CAAC,EAAE,mBAAmB,CAAC,QAAQ,EAAE,KAAK,CAAC,CAAC;IACtD,iBAAiB,EAAE,eAAe,CAAC,GAAG,EAAE,GAAG,EAAE,QAAQ,EAAE,KAAK,CAAC,EAAE,CAAC;IAChE,YAAY,CAAC,EAAE,YAAY,CAAC,KAAK,CAAC,CAAC;IACnC,KAAK,CAAC,EAAE,mBAAmB,CAAC,KAAK,CAAC,CAAC;IACnC,WAAW,CAAC,EAAE,gBAAgB,CAAC;IAC/B,iBAAiB,CAAC,EAAE,OAAO,CAAC,QAAQ,CAAC,CAAC;IACtC,iBAAiB,CAAC,EAAE,OAAO,CAAC;IAC5B;;;OAGG;IACH,cAAc,CAAC,EAAE,OAAO,CAAC;CAC1B;AAED,eAAO,MAAM,eAAe,GAC1B,QAAQ,SAAS,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EACxC,KAAK,SAAS,WAAW,EAEzB,SAAS,sBAAsB,CAAC,QAAQ,EAAE,KAAK,CAAC,KAC/C,OAAO,CAAC,aAAa,CAkUvB,CAAC;AAEF,UAAU,cAAc,CACtB,QAAQ,SAAS,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EACxC,KAAK,SAAS,WAAW;IAEzB,MAAM,EAAE,OAAO,aAAa,EAAE,WAAW,CAAC;IAC1C,iBAAiB,EAAE,eAAe,CAAC,GAAG,EAAE,GAAG,EAAE,QAAQ,EAAE,KAAK,CAAC,EAAE,CAAC;IAChE,cAAc,EAAE,YAAY,CAAC,KAAK,CAAC,EAAE,CAAC;IACtC,YAAY,CAAC,EAAE,YAAY,CAAC,KAAK,CAAC,CAAC;IACnC,cAAc,CAAC,EAAE,mBAAmB,CAAC,QAAQ,EAAE,KAAK,CAAC,CAAC;IACtD,KAAK,CAAC,EAAE,mBAAmB,CAAC,KAAK,CAAC,CAAC;IACnC,WAAW,CAAC,EAAE,gBAAgB,CAAC;IAC/B,iBAAiB,CAAC,EAAE,OAAO,CAAC;IAC5B,UAAU,CAAC,EAAE,kBAAkB,GAAG,IAAI,CAAC;CACxC;AAED,eAAO,MAAM,kBAAkB,GAC7B,QAAQ,SAAS,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EACxC,KAAK,SAAS,WAAW,EACzB,iIAUC,cAAc,CAAC,QAAQ,EAAE,KAAK,CAAC,KAAG,YA0CpC,CAAC;AAEF,eAAO,MAAM,qBAAqB,GAChC,MAAM,MAAM,EACZ,cAAc,MAAM,aAAa,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,CAAC,EAAE,EACvD,UAAU,cAAc;;;;;;;;;;;;;;;;;;;;;CA8BzB,CAAC;AAEF,eAAO,MAAM,kBAAkB,GAC7B,MAAM,MAAM,EACZ,aAAa,MAAM,EACnB,UAAU,WAAW;;;;;;;;;;;;;;;;;;;;;;;;CAyBmD,CAAC"}
+{"version":3,"file":"pipeline.d.ts","sourceRoot":"","sources":["../src/pipeline.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAmB,MAAM,KAAK,CAAC;AAEzC,OAAO,KAAK,EACV,WAAW,EACX,YAAY,EACZ,WAAW,EAKX,cAAc,EACd,mBAAmB,EACnB,aAAa,EACb,YAAY,EACZ,mBAAmB,EACnB,eAAe,EACf,YAAY,EACZ,aAAa,EACb,YAAY,EAGb,MAAM,YAAY,CAAC;AAMpB,OAAO,EAAE,gBAAgB,EAAE,MAAM,mBAAmB,CAAC;AAOrD,OAAO,EAAE,KAAK,kBAAkB,EAAqB,MAAM,WAAW,CAAC;AA4MvE,MAAM,WAAW,sBAAsB,CACrC,QAAQ,SAAS,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EACxC,KAAK,SAAS,WAAW;IAEzB,QAAQ,EAAE,aAAa,CAAC,GAAG,EAAE,GAAG,EAAE,QAAQ,EAAE,KAAK,CAAC,CAAC;IACnD,OAAO,EAAE,YAAY,CAAC;IACtB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,cAAc,EAAE,YAAY,CAAC,KAAK,CAAC,EAAE,CAAC;IACtC,cAAc,CAAC,EAAE,mBAAmB,CAAC,QAAQ,EAAE,KAAK,CAAC,CAAC;IACtD,iBAAiB,EAAE,eAAe,CAAC,GAAG,EAAE,GAAG,EAAE,QAAQ,EAAE,KAAK,CAAC,EAAE,CAAC;IAChE,YAAY,CAAC,EAAE,YAAY,CAAC,KAAK,CAAC,CAAC;IACnC,KAAK,CAAC,EAAE,mBAAmB,CAAC,KAAK,CAAC,CAAC;IACnC,WAAW,CAAC,EAAE,gBAAgB,CAAC;IAC/B,iBAAiB,CAAC,EAAE,OAAO,CAAC,QAAQ,CAAC,CAAC;IACtC,iBAAiB,CAAC,EAAE,OAAO,CAAC;IAC5B;;;OAGG;IACH,cAAc,CAAC,EAAE,OAAO,CAAC;CAC1B;AAED,eAAO,MAAM,eAAe,GAC1B,QAAQ,SAAS,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EACxC,KAAK,SAAS,WAAW,EAEzB,SAAS,sBAAsB,CAAC,QAAQ,EAAE,KAAK,CAAC,KAC/C,OAAO,CAAC,aAAa,CAqTvB,CAAC;AAEF,UAAU,cAAc,CACtB,QAAQ,SAAS,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EACxC,KAAK,SAAS,WAAW;IAEzB,MAAM,EAAE,OAAO,aAAa,EAAE,WAAW,CAAC;IAC1C,iBAAiB,EAAE,eAAe,CAAC,GAAG,EAAE,GAAG,EAAE,QAAQ,EAAE,KAAK,CAAC,EAAE,CAAC;IAChE,cAAc,EAAE,YAAY,CAAC,KAAK,CAAC,EAAE,CAAC;IACtC,YAAY,CAAC,EAAE,YAAY,CAAC,KAAK,CAAC,CAAC;IACnC,cAAc,CAAC,EAAE,mBAAmB,CAAC,QAAQ,EAAE,KAAK,CAAC,CAAC;IACtD,KAAK,CAAC,EAAE,mBAAmB,CAAC,KAAK,CAAC,CAAC;IACnC,WAAW,CAAC,EAAE,gBAAgB,CAAC;IAC/B,iBAAiB,CAAC,EAAE,OAAO,CAAC;IAC5B,UAAU,CAAC,EAAE,kBAAkB,GAAG,IAAI,CAAC;CACxC;AAED,eAAO,MAAM,kBAAkB,GAC7B,QAAQ,SAAS,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EACxC,KAAK,SAAS,WAAW,EACzB,iIAUC,cAAc,CAAC,QAAQ,EAAE,KAAK,CAAC,KAAG,YA0CpC,CAAC;AAEF,eAAO,MAAM,qBAAqB,GAChC,MAAM,MAAM,EACZ,cAAc,MAAM,aAAa,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,CAAC,EAAE,EACvD,UAAU,cAAc;;;;;;;;;;;;;;;;;;;;;CA8BzB,CAAC;AAEF,eAAO,MAAM,kBAAkB,GAC7B,MAAM,MAAM,EACZ,aAAa,MAAM,EACnB,UAAU,WAAW;;;;;;;;;;;;;;;;;;;;;;;;CAyBmD,CAAC"}

package/dist/pipeline.js

@@ -1,5 +1,6 @@
 import { z } from 'zod';
-import { createTenantScope, warnTenantMisconfiguration } from './tenant.js';
+import { warnTenantMisconfiguration } from './tenant.js';
+import { applySemanticTenantRuntime } from './semantic/utils/tenant-runtime.js';
 import { generateRequestId } from './utils.js';
 import { buildOpenApiDocument } from './openapi.js';
 import { buildDocsHtml } from './docs-ui.js';
@@ -259,7 +260,7 @@ export const executeEndpoint = async (options) => {
                     durationMs: Date.now() - startedAt,
                     error: new Error(errorMessage),
                 });
-                return createErrorResponse(403, 'UNAUTHORIZED', errorMessage, {
+                return createErrorResponse(403, 'FORBIDDEN', errorMessage, {
                     reason: 'missing_tenant_context',
                     tenant_required: true,
                 }, { 'x-request-id': requestId });
@@ -268,26 +269,13 @@ export const executeEndpoint = async (options) => {
                 context.tenantId = tenantId;
                 const mode = activeTenantConfig.mode ?? 'manual';
                 const column = activeTenantConfig.column;
-                if (mode === 'auto-inject' && column) {
-                    const contextValues = context;
-                    for (const key of Object.keys(contextValues)) {
-                        const value = contextValues[key];
-                        if (value && typeof value === 'object' && 'table' in value && typeof value.table === 'function') {
-                            contextValues[key] = createTenantScope(value, {
-                                tenantId,
-                                column,
-                            });
-                        }
-                    }
-                }
-                else if (mode === 'manual') {
-                    warnTenantMisconfiguration({
-                        queryKey: endpoint.key,
-                        hasTenantConfig: true,
-                        hasTenantId: true,
-                        mode: 'manual',
-                    });
-                }
+                applySemanticTenantRuntime(context, {
+                    queryKey: endpoint.key,
+                    metadata: metadataWithAuth,
+                    tenantId,
+                    mode,
+                    column,
+                });
             }
             else if (!tenantRequired) {
                 warnTenantMisconfiguration({

package/dist/query-logger.js

@@ -12,9 +12,7 @@
  * logging, and analytics work with any query backend.
  */
 export class ServeQueryLogger {
-    constructor() {
-        this.listeners = new Set();
-    }
+    listeners = new Set();
     /**
      * Subscribe to query events.
      * @returns Unsubscribe function.

package/dist/rate-limit.js

@@ -1,6 +1,7 @@
 export class MemoryRateLimitStore {
-    constructor(cleanupIntervalMs = 60000) {
-        this.entries = new Map();
+    entries = new Map();
+    cleanupTimer;
+    constructor(cleanupIntervalMs = 60_000) {
         // Periodic cleanup of expired entries to prevent memory leaks
         this.cleanupTimer = setInterval(() => {
             const now = Date.now();
@@ -72,7 +73,7 @@ const defaultKeyExtractor = (ctx) => {
  * ```
  */
 export const rateLimit = (config = {}) => {
-    const windowMs = config.windowMs ?? 60000;
+    const windowMs = config.windowMs ?? 60_000;
     const max = config.max ?? 100;
     const keyBy = config.keyBy ?? defaultKeyExtractor;
     const store = config.store ?? new MemoryRateLimitStore();

package/dist/router.js

@@ -11,9 +11,10 @@ export const applyBasePath = (basePath, path) => {
     return combined.replace(/\/+/g, "/").replace(/\/$/, combined === "/" ? "/" : "");
 };
 export class ServeRouter {
+    basePath;
+    routes = [];
     constructor(basePath = "") {
         this.basePath = basePath;
-        this.routes = [];
     }
     list() {
         return [...this.routes];

package/dist/semantic/datasets/dataset-endpoint.d.ts

@@ -0,0 +1,85 @@
+/**
+ * Converts a DatasetInstance into a standard ServeEndpoint for semantic queries.
+ *
+ * The generated endpoint is a POST handler that:
+ * - Accepts dimensions, measures, filters, orderBy, limit, offset, by
+ * - Validates requested dimensions/measures/filters against the dataset contract
+ * - Executes via QueryBuilderFactoryLike
+ * - Applies Serve-managed tenant filtering when configured
+ * - Returns { data } or { data, meta } based on headers
+ */
+import { z } from 'zod';
+import type { AuthContext, ServeEndpoint } from '../../types.js';
+import type { QueryBuilderFactoryLike } from '@hypequery/datasets';
+import { type DatasetEntry } from './utils/dataset-entry.js';
+export type { DatasetEntry } from './utils/dataset-entry.js';
+declare const datasetResultSchema: z.ZodObject<{
+    data: z.ZodArray<z.ZodRecord<z.ZodString, z.ZodUnknown>, "many">;
+    meta: z.ZodOptional<z.ZodObject<{
+        timingMs: z.ZodOptional<z.ZodNumber>;
+        sql: z.ZodOptional<z.ZodString>;
+        tenant: z.ZodOptional<z.ZodString>;
+        rowCount: z.ZodOptional<z.ZodNumber>;
+        pagination: z.ZodOptional<z.ZodObject<{
+            limit: z.ZodNumber;
+            offset: z.ZodNumber;
+            hasMore: z.ZodBoolean;
+        }, "strip", z.ZodTypeAny, {
+            limit: number;
+            offset: number;
+            hasMore: boolean;
+        }, {
+            limit: number;
+            offset: number;
+            hasMore: boolean;
+        }>>;
+    }, "strip", z.ZodTypeAny, {
+        tenant?: string | undefined;
+        timingMs?: number | undefined;
+        sql?: string | undefined;
+        rowCount?: number | undefined;
+        pagination?: {
+            limit: number;
+            offset: number;
+            hasMore: boolean;
+        } | undefined;
+    }, {
+        tenant?: string | undefined;
+        timingMs?: number | undefined;
+        sql?: string | undefined;
+        rowCount?: number | undefined;
+        pagination?: {
+            limit: number;
+            offset: number;
+            hasMore: boolean;
+        } | undefined;
+    }>>;
+}, "strip", z.ZodTypeAny, {
+    data: Record<string, unknown>[];
+    meta?: {
+        tenant?: string | undefined;
+        timingMs?: number | undefined;
+        sql?: string | undefined;
+        rowCount?: number | undefined;
+        pagination?: {
+            limit: number;
+            offset: number;
+            hasMore: boolean;
+        } | undefined;
+    } | undefined;
+}, {
+    data: Record<string, unknown>[];
+    meta?: {
+        tenant?: string | undefined;
+        timingMs?: number | undefined;
+        sql?: string | undefined;
+        rowCount?: number | undefined;
+        pagination?: {
+            limit: number;
+            offset: number;
+            hasMore: boolean;
+        } | undefined;
+    } | undefined;
+}>;
+export declare function createDatasetEndpoint<TAuth extends AuthContext>(name: string, entry: DatasetEntry<TAuth>, builderFactory: QueryBuilderFactoryLike): ServeEndpoint<z.ZodTypeAny, typeof datasetResultSchema, any, TAuth, any>;
+//# sourceMappingURL=dataset-endpoint.d.ts.map

package/dist/semantic/datasets/dataset-endpoint.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"dataset-endpoint.d.ts","sourceRoot":"","sources":["../../../src/semantic/datasets/dataset-endpoint.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AACxB,OAAO,KAAK,EACV,WAAW,EAGX,aAAa,EAEd,MAAM,gBAAgB,CAAC;AACxB,OAAO,KAAK,EACV,uBAAuB,EACxB,MAAM,qBAAqB,CAAC;AAY7B,OAAO,EAAuB,KAAK,YAAY,EAAE,MAAM,0BAA0B,CAAC;AAGlF,YAAY,EAAE,YAAY,EAAE,MAAM,0BAA0B,CAAC;AAkB7D,QAAA,MAAM,mBAAmB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EAGvB,CAAC;AAMH,wBAAgB,qBAAqB,CAAC,KAAK,SAAS,WAAW,EAC7D,IAAI,EAAE,MAAM,EACZ,KAAK,EAAE,YAAY,CAAC,KAAK,CAAC,EAC1B,cAAc,EAAE,uBAAuB,GACtC,aAAa,CAAC,CAAC,CAAC,UAAU,EAAE,OAAO,mBAAmB,EAAE,GAAG,EAAE,KAAK,EAAE,GAAG,CAAC,CAoG1E"}