@hypersonic-js/core 0.1.2 → 0.2.1

package/README.md

@@ -0,0 +1,13 @@
+# @hypersonic-js/core
+
+The core of Hypersonic.js — a modern Django-inspired full-stack TypeScript framework
+
+📖 **[Full documentation → hypersonic-js.com](https://hypersonic-js.com)**
+
+## Install
+
+npm install @hypersonic-js/core
+
+## License
+
+MIT

package/dist/auth/setup.d.ts

@@ -4,6 +4,19 @@ export type AuthInstance = ReturnType<typeof betterAuth>;
 /**
  * Creates and returns a configured Better Auth instance.
  * OAuth social providers are only wired in when credentials are supplied.
+ * The rateLimit option is only forwarded when explicitly provided, allowing
+ * test environments to pass `{ enabled: false }` to suppress the in-process
+ * rate limiter and avoid 429s across shared test suites.
+ *
+ * Three targeted casts remain:
+ *  - `prisma as PrismaAdapterClient`: our public API keeps `prisma: unknown`
+ *    to stay agnostic of the generated PrismaClient types; the adapter's own
+ *    PrismaClient is an empty interface so the cast is safe at runtime.
+ *  - `socialProviders as BetterAuthOptions['socialProviders']`: our plain record
+ *    satisfies the runtime contract but TypeScript cannot verify it against the
+ *    `SocialProviders` mapped type without a cast.
+ *  - `rateLimit as BetterAuthOptions['rateLimit']`: our `{ enabled?: boolean }`
+ *    subset is a valid runtime value for Better Auth's rateLimit field.
  */
 export declare function createAuth(options: AuthSetupOptions): AuthInstance;
 //# sourceMappingURL=setup.d.ts.map

package/dist/auth/setup.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"setup.d.ts","sourceRoot":"","sources":["../../src/auth/setup.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAA;AAKxC,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,YAAY,CAAA;AAElD,MAAM,MAAM,YAAY,GAAG,UAAU,CAAC,OAAO,UAAU,CAAC,CAAA;AAExD;;;GAGG;AACH,wBAAgB,UAAU,CAAC,OAAO,EAAE,gBAAgB,GAAG,YAAY,CA2BlE"}
+{"version":3,"file":"setup.d.ts","sourceRoot":"","sources":["../../src/auth/setup.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAA;AAIxC,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,YAAY,CAAA;AAElD,MAAM,MAAM,YAAY,GAAG,UAAU,CAAC,OAAO,UAAU,CAAC,CAAA;AAUxD;;;;;;;;;;;;;;;;GAgBG;AACH,wBAAgB,UAAU,CAAC,OAAO,EAAE,gBAAgB,GAAG,YAAY,CA8BlE"}

package/dist/auth/setup.js

@@ -1,27 +1,45 @@
 import { betterAuth } from 'better-auth';
 import { prismaAdapter } from 'better-auth/adapters/prisma';
-import { detectProvider } from '../utils/detect-provider.js';
+import { admin } from 'better-auth/plugins';
 /**
  * Creates and returns a configured Better Auth instance.
  * OAuth social providers are only wired in when credentials are supplied.
+ * The rateLimit option is only forwarded when explicitly provided, allowing
+ * test environments to pass `{ enabled: false }` to suppress the in-process
+ * rate limiter and avoid 429s across shared test suites.
+ *
+ * Three targeted casts remain:
+ *  - `prisma as PrismaAdapterClient`: our public API keeps `prisma: unknown`
+ *    to stay agnostic of the generated PrismaClient types; the adapter's own
+ *    PrismaClient is an empty interface so the cast is safe at runtime.
+ *  - `socialProviders as BetterAuthOptions['socialProviders']`: our plain record
+ *    satisfies the runtime contract but TypeScript cannot verify it against the
+ *    `SocialProviders` mapped type without a cast.
+ *  - `rateLimit as BetterAuthOptions['rateLimit']`: our `{ enabled?: boolean }`
+ *    subset is a valid runtime value for Better Auth's rateLimit field.
  */
 export function createAuth(options) {
-    const provider = detectProvider(options.databaseUrl);
     const socialProviders = {};
     if (options.providers?.github !== undefined) {
-        socialProviders.github = options.providers.github;
+        socialProviders['github'] = options.providers.github;
     }
     if (options.providers?.google !== undefined) {
-        socialProviders.google = options.providers.google;
+        socialProviders['google'] = options.providers.google;
     }
     const hasSocialProviders = Object.keys(socialProviders).length > 0;
     const authOptions = {
         secret: options.secret,
         trustedOrigins: options.trustedOrigins,
-        database: prismaAdapter(options.prisma, { provider }),
+        database: prismaAdapter(options.prisma, { provider: options.provider }),
         emailAndPassword: { enabled: true },
-        ...(hasSocialProviders ? { socialProviders } : {}),
+        plugins: [admin()],
     };
+    if (hasSocialProviders) {
+        authOptions.socialProviders = socialProviders;
+    }
+    if (options.rateLimit !== undefined) {
+        authOptions.rateLimit = options.rateLimit;
+    }
     return betterAuth(authOptions);
 }
 //# sourceMappingURL=setup.js.map

package/dist/auth/setup.js.map

@@ -1 +1 @@
-{"version":3,"file":"setup.js","sourceRoot":"","sources":["../../src/auth/setup.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAA;AACxC,OAAO,EAAE,aAAa,EAAE,MAAM,6BAA6B,CAAA;AAG3D,OAAO,EAAE,cAAc,EAAE,MAAM,6BAA6B,CAAA;AAK5D;;;GAGG;AACH,MAAM,UAAU,UAAU,CAAC,OAAyB;IAClD,MAAM,QAAQ,GAAG,cAAc,CAAC,OAAO,CAAC,WAAW,CAAC,CAAA;IAEpD,MAAM,eAAe,GAAoB,EAAE,CAAA;IAE3C,IAAI,OAAO,CAAC,SAAS,EAAE,MAAM,KAAK,SAAS,EAAE,CAAC;QAC5C,eAAe,CAAC,MAAM,GAAG,OAAO,CAAC,SAAS,CAAC,MAAmC,CAAA;IAChF,CAAC;IAED,IAAI,OAAO,CAAC,SAAS,EAAE,MAAM,KAAK,SAAS,EAAE,CAAC;QAC5C,eAAe,CAAC,MAAM,GAAG,OAAO,CAAC,SAAS,CAAC,MAAmC,CAAA;IAChF,CAAC;IAED,MAAM,kBAAkB,GAAG,MAAM,CAAC,IAAI,CAAC,eAAe,CAAC,CAAC,MAAM,GAAG,CAAC,CAAA;IAElE,MAAM,WAAW,GAAsB;QACrC,MAAM,EAAE,OAAO,CAAC,MAAM;QACtB,cAAc,EAAE,OAAO,CAAC,cAAc;QACtC,QAAQ,EAAE,aAAa,CACrB,OAAO,CAAC,MAA6C,EACrD,EAAE,QAAQ,EAAE,CACb;QACD,gBAAgB,EAAE,EAAE,OAAO,EAAE,IAAI,EAAE;QACnC,GAAG,CAAC,kBAAkB,CAAC,CAAC,CAAC,EAAE,eAAe,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;KACnD,CAAA;IAED,OAAO,UAAU,CAAC,WAAW,CAAC,CAAA;AAChC,CAAC"}
+{"version":3,"file":"setup.js","sourceRoot":"","sources":["../../src/auth/setup.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAA;AACxC,OAAO,EAAE,aAAa,EAAE,MAAM,6BAA6B,CAAA;AAC3D,OAAO,EAAE,KAAK,EAAE,MAAM,qBAAqB,CAAA;AAc3C;;;;;;;;;;;;;;;;GAgBG;AACH,MAAM,UAAU,UAAU,CAAC,OAAyB;IAClD,MAAM,eAAe,GAA+D,EAAE,CAAA;IAEtF,IAAI,OAAO,CAAC,SAAS,EAAE,MAAM,KAAK,SAAS,EAAE,CAAC;QAC5C,eAAe,CAAC,QAAQ,CAAC,GAAG,OAAO,CAAC,SAAS,CAAC,MAAM,CAAA;IACtD,CAAC;IAED,IAAI,OAAO,CAAC,SAAS,EAAE,MAAM,KAAK,SAAS,EAAE,CAAC;QAC5C,eAAe,CAAC,QAAQ,CAAC,GAAG,OAAO,CAAC,SAAS,CAAC,MAAM,CAAA;IACtD,CAAC;IAED,MAAM,kBAAkB,GAAG,MAAM,CAAC,IAAI,CAAC,eAAe,CAAC,CAAC,MAAM,GAAG,CAAC,CAAA;IAElE,MAAM,WAAW,GAAsB;QACrC,MAAM,EAAE,OAAO,CAAC,MAAM;QACtB,cAAc,EAAE,OAAO,CAAC,cAAc;QACtC,QAAQ,EAAE,aAAa,CAAC,OAAO,CAAC,MAA6B,EAAE,EAAE,QAAQ,EAAE,OAAO,CAAC,QAAQ,EAAE,CAAC;QAC9F,gBAAgB,EAAE,EAAE,OAAO,EAAE,IAAI,EAAE;QACnC,OAAO,EAAE,CAAC,KAAK,EAAE,CAAC;KACnB,CAAA;IAED,IAAI,kBAAkB,EAAE,CAAC;QACvB,WAAW,CAAC,eAAe,GAAG,eAAuD,CAAA;IACvF,CAAC;IAED,IAAI,OAAO,CAAC,SAAS,KAAK,SAAS,EAAE,CAAC;QACpC,WAAW,CAAC,SAAS,GAAG,OAAO,CAAC,SAA2C,CAAA;IAC7E,CAAC;IAED,OAAO,UAAU,CAAC,WAAW,CAAiB,CAAA;AAChD,CAAC"}

package/dist/auth/types.d.ts

@@ -1,3 +1,4 @@
+import type { DatabaseProvider } from '../config/types.js';
 export interface SocialProviderCredentials {
     clientId: string;
     clientSecret: string;
@@ -5,12 +6,19 @@ export interface SocialProviderCredentials {
 export interface AuthSetupOptions {
     secret: string;
     trustedOrigins: string[];
-    databaseUrl: string;
+    /** Database provider — used to configure the Better Auth Prisma adapter. */
+    provider: DatabaseProvider;
     prisma: unknown;
     providers?: {
         github?: SocialProviderCredentials;
         google?: SocialProviderCredentials;
     };
+    /**
+     * Better Auth rate-limit settings.
+     */
+    rateLimit?: {
+        enabled?: boolean;
+    };
 }
 export type { betterAuth as BetterAuth } from 'better-auth';
 //# sourceMappingURL=types.d.ts.map

package/dist/auth/types.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../src/auth/types.ts"],"names":[],"mappings":"AAAA,MAAM,WAAW,yBAAyB;IACxC,QAAQ,EAAE,MAAM,CAAA;IAChB,YAAY,EAAE,MAAM,CAAA;CACrB;AAED,MAAM,WAAW,gBAAgB;IAC/B,MAAM,EAAE,MAAM,CAAA;IACd,cAAc,EAAE,MAAM,EAAE,CAAA;IACxB,WAAW,EAAE,MAAM,CAAA;IACnB,MAAM,EAAE,OAAO,CAAA;IACf,SAAS,CAAC,EAAE;QACV,MAAM,CAAC,EAAE,yBAAyB,CAAA;QAClC,MAAM,CAAC,EAAE,yBAAyB,CAAA;KACnC,CAAA;CACF;AAGD,YAAY,EAAE,UAAU,IAAI,UAAU,EAAE,MAAM,aAAa,CAAA"}
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../src/auth/types.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,oBAAoB,CAAA;AAE1D,MAAM,WAAW,yBAAyB;IACxC,QAAQ,EAAE,MAAM,CAAA;IAChB,YAAY,EAAE,MAAM,CAAA;CACrB;AAED,MAAM,WAAW,gBAAgB;IAC/B,MAAM,EAAE,MAAM,CAAA;IACd,cAAc,EAAE,MAAM,EAAE,CAAA;IACxB,4EAA4E;IAC5E,QAAQ,EAAE,gBAAgB,CAAA;IAC1B,MAAM,EAAE,OAAO,CAAA;IACf,SAAS,CAAC,EAAE;QACV,MAAM,CAAC,EAAE,yBAAyB,CAAA;QAClC,MAAM,CAAC,EAAE,yBAAyB,CAAA;KACnC,CAAA;IACD;;OAEG;IACH,SAAS,CAAC,EAAE;QAAE,OAAO,CAAC,EAAE,OAAO,CAAA;KAAE,CAAA;CAClC;AAGD,YAAY,EAAE,UAAU,IAAI,UAAU,EAAE,MAAM,aAAa,CAAA"}

package/dist/config/types.d.ts

@@ -1,3 +1,7 @@
+export type DatabaseProvider = 'postgresql' | 'sqlite';
+export interface DatabaseConfig {
+    provider: DatabaseProvider;
+}
 export interface ServerConfig {
     port: number;
     host: string;
@@ -6,17 +10,45 @@ export interface AuthProviders {
     github?: boolean;
     google?: boolean;
 }
+export interface AuthRateLimit {
+    /** Set to false to disable Better Auth's built-in rate limiting (useful in test environments). */
+    enabled?: boolean;
+}
 export interface AuthConfig {
     trustedOrigins: string[];
     providers?: AuthProviders;
+    /**
+     * Better Auth rate-limit settings.
+     * Pass `{ enabled: false }` in test environments to prevent the in-process
+     * rate limiter from triggering 429 errors across shared test suites.
+     */
+    rateLimit?: AuthRateLimit;
 }
 export interface InertiaConfig {
     ssr: boolean;
     version?: string;
 }
+/**
+ * Pino log levels in order of increasing severity.
+ * 'silent' disables all output.
+ */
+export type LogLevel = 'trace' | 'debug' | 'info' | 'warn' | 'error' | 'fatal' | 'silent';
+export interface LoggingConfig {
+    /**
+     * Minimum log level emitted by the framework's Pino logger.
+     * Defaults to 'error' when the logging block is omitted.
+     */
+    level: LogLevel;
+}
 export interface HypersonicConfig {
     server: ServerConfig;
     auth: AuthConfig;
     inertia: InertiaConfig;
+    database: DatabaseConfig;
+    /**
+     * Server-side logging configuration.
+     * Omit to use the framework default (level: 'error').
+     */
+    logging?: LoggingConfig;
 }
 //# sourceMappingURL=types.d.ts.map

package/dist/config/types.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../src/config/types.ts"],"names":[],"mappings":"AAAA,MAAM,WAAW,YAAY;IAC3B,IAAI,EAAE,MAAM,CAAA;IACZ,IAAI,EAAE,MAAM,CAAA;CACb;AAED,MAAM,WAAW,aAAa;IAC5B,MAAM,CAAC,EAAE,OAAO,CAAA;IAChB,MAAM,CAAC,EAAE,OAAO,CAAA;CACjB;AAED,MAAM,WAAW,UAAU;IACzB,cAAc,EAAE,MAAM,EAAE,CAAA;IACxB,SAAS,CAAC,EAAE,aAAa,CAAA;CAC1B;AAED,MAAM,WAAW,aAAa;IAC5B,GAAG,EAAE,OAAO,CAAA;IACZ,OAAO,CAAC,EAAE,MAAM,CAAA;CACjB;AAED,MAAM,WAAW,gBAAgB;IAC/B,MAAM,EAAE,YAAY,CAAA;IACpB,IAAI,EAAE,UAAU,CAAA;IAChB,OAAO,EAAE,aAAa,CAAA;CACvB"}
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../src/config/types.ts"],"names":[],"mappings":"AAAA,MAAM,MAAM,gBAAgB,GAAG,YAAY,GAAG,QAAQ,CAAA;AAEtD,MAAM,WAAW,cAAc;IAC7B,QAAQ,EAAE,gBAAgB,CAAA;CAC3B;AAED,MAAM,WAAW,YAAY;IAC3B,IAAI,EAAE,MAAM,CAAA;IACZ,IAAI,EAAE,MAAM,CAAA;CACb;AAED,MAAM,WAAW,aAAa;IAC5B,MAAM,CAAC,EAAE,OAAO,CAAA;IAChB,MAAM,CAAC,EAAE,OAAO,CAAA;CACjB;AAED,MAAM,WAAW,aAAa;IAC5B,kGAAkG;IAClG,OAAO,CAAC,EAAE,OAAO,CAAA;CAClB;AAED,MAAM,WAAW,UAAU;IACzB,cAAc,EAAE,MAAM,EAAE,CAAA;IACxB,SAAS,CAAC,EAAE,aAAa,CAAA;IACzB;;;;OAIG;IACH,SAAS,CAAC,EAAE,aAAa,CAAA;CAC1B;AAED,MAAM,WAAW,aAAa;IAC5B,GAAG,EAAE,OAAO,CAAA;IACZ,OAAO,CAAC,EAAE,MAAM,CAAA;CACjB;AAED;;;GAGG;AACH,MAAM,MAAM,QAAQ,GAAG,OAAO,GAAG,OAAO,GAAG,MAAM,GAAG,MAAM,GAAG,OAAO,GAAG,OAAO,GAAG,QAAQ,CAAA;AAEzF,MAAM,WAAW,aAAa;IAC5B;;;OAGG;IACH,KAAK,EAAE,QAAQ,CAAA;CAChB;AAED,MAAM,WAAW,gBAAgB;IAC/B,MAAM,EAAE,YAAY,CAAA;IACpB,IAAI,EAAE,UAAU,CAAA;IAChB,OAAO,EAAE,aAAa,CAAA;IACtB,QAAQ,EAAE,cAAc,CAAA;IACxB;;;OAGG;IACH,OAAO,CAAC,EAAE,aAAa,CAAA;CACxB"}

package/dist/database/adapter.d.ts

@@ -0,0 +1,13 @@
+import type { DatabaseProvider } from '../config/types.js';
+/**
+ * Creates the Prisma v7 driver adapter for the given provider and DATABASE_URL.
+ *
+ * Adapter packages are dynamic-imported so only the one matching the user's
+ * installed driver is loaded at runtime — no unused adapter is bundled.
+ *
+ * Supported providers and their required packages:
+ *  - postgresql → @prisma/adapter-pg
+ *  - sqlite     → @prisma/adapter-better-sqlite3 + better-sqlite3
+ */
+export declare function createDatabaseAdapter(provider: DatabaseProvider, databaseUrl: string): Promise<unknown>;
+//# sourceMappingURL=adapter.d.ts.map

package/dist/database/adapter.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"adapter.d.ts","sourceRoot":"","sources":["../../src/database/adapter.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,oBAAoB,CAAA;AAE1D;;;;;;;;;GASG;AACH,wBAAsB,qBAAqB,CACzC,QAAQ,EAAE,gBAAgB,EAC1B,WAAW,EAAE,MAAM,GAClB,OAAO,CAAC,OAAO,CAAC,CAiBlB"}

package/dist/database/adapter.js

@@ -0,0 +1,25 @@
+/**
+ * Creates the Prisma v7 driver adapter for the given provider and DATABASE_URL.
+ *
+ * Adapter packages are dynamic-imported so only the one matching the user's
+ * installed driver is loaded at runtime — no unused adapter is bundled.
+ *
+ * Supported providers and their required packages:
+ *  - postgresql → @prisma/adapter-pg
+ *  - sqlite     → @prisma/adapter-better-sqlite3 + better-sqlite3
+ */
+export async function createDatabaseAdapter(provider, databaseUrl) {
+    if (provider === 'postgresql') {
+        const { PrismaPg } = await import('@prisma/adapter-pg');
+        return new PrismaPg({ connectionString: databaseUrl });
+    }
+    if (provider === 'sqlite') {
+        const { PrismaBetterSqlite3 } = await import('@prisma/adapter-better-sqlite3');
+        return new PrismaBetterSqlite3({ url: databaseUrl });
+    }
+    // TypeScript makes this unreachable for well-typed callers, but keep as a
+    // runtime safety net for any JS callers or future provider additions.
+    throw new Error(`Hypersonic: unsupported database provider "${provider}". ` +
+        `Supported providers are: postgresql, sqlite.`);
+}
+//# sourceMappingURL=adapter.js.map

package/dist/database/adapter.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"adapter.js","sourceRoot":"","sources":["../../src/database/adapter.ts"],"names":[],"mappings":"AAEA;;;;;;;;;GASG;AACH,MAAM,CAAC,KAAK,UAAU,qBAAqB,CACzC,QAA0B,EAC1B,WAAmB;IAEnB,IAAI,QAAQ,KAAK,YAAY,EAAE,CAAC;QAC9B,MAAM,EAAE,QAAQ,EAAE,GAAG,MAAM,MAAM,CAAC,oBAAoB,CAAC,CAAA;QACvD,OAAO,IAAI,QAAQ,CAAC,EAAE,gBAAgB,EAAE,WAAW,EAAE,CAAC,CAAA;IACxD,CAAC;IAED,IAAI,QAAQ,KAAK,QAAQ,EAAE,CAAC;QAC1B,MAAM,EAAE,mBAAmB,EAAE,GAAG,MAAM,MAAM,CAAC,gCAAgC,CAAC,CAAA;QAC9E,OAAO,IAAI,mBAAmB,CAAC,EAAE,GAAG,EAAE,WAAW,EAAE,CAAC,CAAA;IACtD,CAAC;IAED,0EAA0E;IAC1E,sEAAsE;IACtE,MAAM,IAAI,KAAK,CACb,8CAA8C,QAAkB,KAAK;QACnE,8CAA8C,CACjD,CAAA;AACH,CAAC"}

package/dist/index.d.ts

@@ -1,12 +1,13 @@
 export { defineConfig } from './config/define-config.js';
 export { loadConfig, importConfigFile } from './config/loader.js';
 export { validateEnv, buildEnvSchema } from './config/env.js';
-export type { HypersonicConfig, ServerConfig, AuthConfig, InertiaConfig, AuthProviders } from './config/types.js';
+export type { HypersonicConfig, ServerConfig, AuthConfig, InertiaConfig, AuthProviders, DatabaseConfig, DatabaseProvider, } from './config/types.js';
 export type { Env } from './config/env.js';
 export type { LoadedConfig } from './config/loader.js';
 export { createApp } from './server/app.js';
 export type { CreateAppOptions, HypersonicApp } from './server/types.js';
 export { getPrismaClient, setPrismaClient, disconnectPrismaClient } from './database/client.js';
+export { createDatabaseAdapter } from './database/adapter.js';
 export type { PrismaClientLike } from './database/client.js';
 export { createAuth } from './auth/setup.js';
 export { mountAuth } from './auth/middleware.js';
@@ -15,6 +16,4 @@ export { createInertiaMiddleware, createInertiaErrorHandler } from './inertia/mi
 export { createViteSetup } from './inertia/vite.js';
 export type { InertiaPage, InertiaOptions, ViteSetup } from './inertia/types.js';
 export { HttpError, NotFoundError, UnauthorizedError, ForbiddenError, ValidationError } from './utils/errors.js';
-export { detectProvider } from './utils/detect-provider.js';
-export type { DatabaseProvider } from './utils/detect-provider.js';
 //# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,YAAY,EAAE,MAAM,2BAA2B,CAAA;AACxD,OAAO,EAAE,UAAU,EAAE,gBAAgB,EAAE,MAAM,oBAAoB,CAAA;AACjE,OAAO,EAAE,WAAW,EAAE,cAAc,EAAE,MAAM,iBAAiB,CAAA;AAC7D,YAAY,EAAE,gBAAgB,EAAE,YAAY,EAAE,UAAU,EAAE,aAAa,EAAE,aAAa,EAAE,MAAM,mBAAmB,CAAA;AACjH,YAAY,EAAE,GAAG,EAAE,MAAM,iBAAiB,CAAA;AAC1C,YAAY,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAA;AAGtD,OAAO,EAAE,SAAS,EAAE,MAAM,iBAAiB,CAAA;AAC3C,YAAY,EAAE,gBAAgB,EAAE,aAAa,EAAE,MAAM,mBAAmB,CAAA;AAGxE,OAAO,EAAE,eAAe,EAAE,eAAe,EAAE,sBAAsB,EAAE,MAAM,sBAAsB,CAAA;AAC/F,YAAY,EAAE,gBAAgB,EAAE,MAAM,sBAAsB,CAAA;AAG5D,OAAO,EAAE,UAAU,EAAE,MAAM,iBAAiB,CAAA;AAC5C,OAAO,EAAE,SAAS,EAAE,MAAM,sBAAsB,CAAA;AAChD,YAAY,EAAE,gBAAgB,EAAE,yBAAyB,EAAE,MAAM,iBAAiB,CAAA;AAGlF,OAAO,EAAE,uBAAuB,EAAE,yBAAyB,EAAE,MAAM,yBAAyB,CAAA;AAC5F,OAAO,EAAE,eAAe,EAAE,MAAM,mBAAmB,CAAA;AACnD,YAAY,EAAE,WAAW,EAAE,cAAc,EAAE,SAAS,EAAE,MAAM,oBAAoB,CAAA;AAGhF,OAAO,EAAE,SAAS,EAAE,aAAa,EAAE,iBAAiB,EAAE,cAAc,EAAE,eAAe,EAAE,MAAM,mBAAmB,CAAA;AAChH,OAAO,EAAE,cAAc,EAAE,MAAM,4BAA4B,CAAA;AAC3D,YAAY,EAAE,gBAAgB,EAAE,MAAM,4BAA4B,CAAA"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,YAAY,EAAE,MAAM,2BAA2B,CAAA;AACxD,OAAO,EAAE,UAAU,EAAE,gBAAgB,EAAE,MAAM,oBAAoB,CAAA;AACjE,OAAO,EAAE,WAAW,EAAE,cAAc,EAAE,MAAM,iBAAiB,CAAA;AAC7D,YAAY,EACV,gBAAgB,EAChB,YAAY,EACZ,UAAU,EACV,aAAa,EACb,aAAa,EACb,cAAc,EACd,gBAAgB,GACjB,MAAM,mBAAmB,CAAA;AAC1B,YAAY,EAAE,GAAG,EAAE,MAAM,iBAAiB,CAAA;AAC1C,YAAY,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAA;AAGtD,OAAO,EAAE,SAAS,EAAE,MAAM,iBAAiB,CAAA;AAC3C,YAAY,EAAE,gBAAgB,EAAE,aAAa,EAAE,MAAM,mBAAmB,CAAA;AAGxE,OAAO,EAAE,eAAe,EAAE,eAAe,EAAE,sBAAsB,EAAE,MAAM,sBAAsB,CAAA;AAC/F,OAAO,EAAE,qBAAqB,EAAE,MAAM,uBAAuB,CAAA;AAC7D,YAAY,EAAE,gBAAgB,EAAE,MAAM,sBAAsB,CAAA;AAG5D,OAAO,EAAE,UAAU,EAAE,MAAM,iBAAiB,CAAA;AAC5C,OAAO,EAAE,SAAS,EAAE,MAAM,sBAAsB,CAAA;AAChD,YAAY,EAAE,gBAAgB,EAAE,yBAAyB,EAAE,MAAM,iBAAiB,CAAA;AAGlF,OAAO,EAAE,uBAAuB,EAAE,yBAAyB,EAAE,MAAM,yBAAyB,CAAA;AAC5F,OAAO,EAAE,eAAe,EAAE,MAAM,mBAAmB,CAAA;AACnD,YAAY,EAAE,WAAW,EAAE,cAAc,EAAE,SAAS,EAAE,MAAM,oBAAoB,CAAA;AAGhF,OAAO,EAAE,SAAS,EAAE,aAAa,EAAE,iBAAiB,EAAE,cAAc,EAAE,eAAe,EAAE,MAAM,mBAAmB,CAAA"}

package/dist/index.js

@@ -6,6 +6,7 @@ export { validateEnv, buildEnvSchema } from './config/env.js';
 export { createApp } from './server/app.js';
 // Database
 export { getPrismaClient, setPrismaClient, disconnectPrismaClient } from './database/client.js';
+export { createDatabaseAdapter } from './database/adapter.js';
 // Auth
 export { createAuth } from './auth/setup.js';
 export { mountAuth } from './auth/middleware.js';
@@ -14,5 +15,4 @@ export { createInertiaMiddleware, createInertiaErrorHandler } from './inertia/mi
 export { createViteSetup } from './inertia/vite.js';
 // Utils
 export { HttpError, NotFoundError, UnauthorizedError, ForbiddenError, ValidationError } from './utils/errors.js';
-export { detectProvider } from './utils/detect-provider.js';
 //# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,SAAS;AACT,OAAO,EAAE,YAAY,EAAE,MAAM,2BAA2B,CAAA;AACxD,OAAO,EAAE,UAAU,EAAE,gBAAgB,EAAE,MAAM,oBAAoB,CAAA;AACjE,OAAO,EAAE,WAAW,EAAE,cAAc,EAAE,MAAM,iBAAiB,CAAA;AAK7D,SAAS;AACT,OAAO,EAAE,SAAS,EAAE,MAAM,iBAAiB,CAAA;AAG3C,WAAW;AACX,OAAO,EAAE,eAAe,EAAE,eAAe,EAAE,sBAAsB,EAAE,MAAM,sBAAsB,CAAA;AAG/F,OAAO;AACP,OAAO,EAAE,UAAU,EAAE,MAAM,iBAAiB,CAAA;AAC5C,OAAO,EAAE,SAAS,EAAE,MAAM,sBAAsB,CAAA;AAGhD,UAAU;AACV,OAAO,EAAE,uBAAuB,EAAE,yBAAyB,EAAE,MAAM,yBAAyB,CAAA;AAC5F,OAAO,EAAE,eAAe,EAAE,MAAM,mBAAmB,CAAA;AAGnD,QAAQ;AACR,OAAO,EAAE,SAAS,EAAE,aAAa,EAAE,iBAAiB,EAAE,cAAc,EAAE,eAAe,EAAE,MAAM,mBAAmB,CAAA;AAChH,OAAO,EAAE,cAAc,EAAE,MAAM,4BAA4B,CAAA"}
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,SAAS;AACT,OAAO,EAAE,YAAY,EAAE,MAAM,2BAA2B,CAAA;AACxD,OAAO,EAAE,UAAU,EAAE,gBAAgB,EAAE,MAAM,oBAAoB,CAAA;AACjE,OAAO,EAAE,WAAW,EAAE,cAAc,EAAE,MAAM,iBAAiB,CAAA;AAa7D,SAAS;AACT,OAAO,EAAE,SAAS,EAAE,MAAM,iBAAiB,CAAA;AAG3C,WAAW;AACX,OAAO,EAAE,eAAe,EAAE,eAAe,EAAE,sBAAsB,EAAE,MAAM,sBAAsB,CAAA;AAC/F,OAAO,EAAE,qBAAqB,EAAE,MAAM,uBAAuB,CAAA;AAG7D,OAAO;AACP,OAAO,EAAE,UAAU,EAAE,MAAM,iBAAiB,CAAA;AAC5C,OAAO,EAAE,SAAS,EAAE,MAAM,sBAAsB,CAAA;AAGhD,UAAU;AACV,OAAO,EAAE,uBAAuB,EAAE,yBAAyB,EAAE,MAAM,yBAAyB,CAAA;AAC5F,OAAO,EAAE,eAAe,EAAE,MAAM,mBAAmB,CAAA;AAGnD,QAAQ;AACR,OAAO,EAAE,SAAS,EAAE,aAAa,EAAE,iBAAiB,EAAE,cAAc,EAAE,eAAe,EAAE,MAAM,mBAAmB,CAAA"}

package/dist/inertia/middleware.d.ts

@@ -19,6 +19,24 @@ export declare function createInertiaErrorHandler(): (err: unknown, req: Request
 /**
  * Mounts the Inertia middleware + Vite integration onto the Express app.
  * This must be called before routes are registered.
+ *
+ * Also installs two CSRF middlewares that apply to every route:
+ *
+ * - **csrfSetter** — sets the `XSRF-TOKEN` cookie only when the incoming
+ *   request does not already carry one. Skipping rotation on subsequent
+ *   requests prevents concurrent-tab races where a fresh token issued for
+ *   Tab B would invalidate an in-flight form submission from Tab A.
+ *
+ * - **csrfValidator** — on POST/PUT/PATCH/DELETE requests, verifies that the
+ *   `X-XSRF-TOKEN` request header matches the `XSRF-TOKEN` request cookie.
+ *   Returns 419 if they are absent or do not match. Exception: when both the
+ *   cookie AND the header are absent the client has not yet received a CSRF
+ *   cookie (a completely unauthenticated request with no prior GET). In that
+ *   case validation is skipped and downstream auth middleware is responsible
+ *   for redirecting or rejecting the request.
+ *
+ * Note: `/api/auth/*` routes are handled by Better Auth before reaching this
+ * middleware, so they are naturally excluded from CSRF validation.
  */
 export declare function createInertiaMiddleware(app: Application, options: InertiaOptions): Promise<void>;
 //# sourceMappingURL=middleware.d.ts.map

package/dist/inertia/middleware.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"middleware.d.ts","sourceRoot":"","sources":["../../src/inertia/middleware.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,WAAW,EAAE,OAAO,EAAE,QAAQ,EAAE,YAAY,EAAkB,MAAM,SAAS,CAAA;AAC3F,OAAO,KAAK,EAAe,cAAc,EAAE,MAAM,YAAY,CAAA;AA+B7D;;;;;;;;;;;;;;GAcG;AACH,wBAAgB,yBAAyB,IAAI,CAC3C,GAAG,EAAE,OAAO,EACZ,GAAG,EAAE,OAAO,EACZ,GAAG,EAAE,QAAQ,EACb,IAAI,EAAE,YAAY,KACf,IAAI,CAWR;AAED;;;GAGG;AACH,wBAAsB,uBAAuB,CAC3C,GAAG,EAAE,WAAW,EAChB,OAAO,EAAE,cAAc,GACtB,OAAO,CAAC,IAAI,CAAC,CAkDf"}
+{"version":3,"file":"middleware.d.ts","sourceRoot":"","sources":["../../src/inertia/middleware.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,WAAW,EAAE,OAAO,EAAE,QAAQ,EAAE,YAAY,EAAkB,MAAM,SAAS,CAAA;AAC3F,OAAO,KAAK,EAAe,cAAc,EAAE,MAAM,YAAY,CAAA;AAgE7D;;;;;;;;;;;;;;GAcG;AACH,wBAAgB,yBAAyB,IAAI,CAC3C,GAAG,EAAE,OAAO,EACZ,GAAG,EAAE,OAAO,EACZ,GAAG,EAAE,QAAQ,EACb,IAAI,EAAE,YAAY,KACf,IAAI,CAWR;AAED;;;;;;;;;;;;;;;;;;;;;GAqBG;AACH,wBAAsB,uBAAuB,CAC3C,GAAG,EAAE,WAAW,EAChB,OAAO,EAAE,cAAc,GACtB,OAAO,CAAC,IAAI,CAAC,CAoHf"}

package/dist/inertia/middleware.js

@@ -1,7 +1,41 @@
+import { randomBytes } from 'node:crypto';
 import { createViteSetup } from './vite.js';
 import { HttpError } from '../utils/errors.js';
 const INERTIA_HEADER = 'x-inertia';
 const INERTIA_VERSION_HEADER = 'x-inertia-version';
+const CSRF_COOKIE = 'XSRF-TOKEN';
+const CSRF_HEADER = 'x-xsrf-token';
+const CSRF_MUTATION_METHODS = new Set(['POST', 'PUT', 'PATCH', 'DELETE']);
+function generateCsrfToken() {
+    return randomBytes(32).toString('hex');
+}
+/**
+ * Parses the raw Cookie request header into a key→value map.
+ * Splits on ';', finds the first '=' in each pair, and URL-decodes the value.
+ * Falls back to the raw value if decoding throws a URIError so that a single
+ * malformed cookie cannot crash the middleware before CSRF validation runs.
+ */
+function parseCookieHeader(cookieHeader) {
+    if (!cookieHeader)
+        return {};
+    const result = {};
+    for (const pair of cookieHeader.split(';')) {
+        const eqIdx = pair.indexOf('=');
+        if (eqIdx === -1)
+            continue;
+        const key = pair.slice(0, eqIdx).trim();
+        const raw = pair.slice(eqIdx + 1).trim();
+        let value;
+        try {
+            value = decodeURIComponent(raw);
+        }
+        catch {
+            value = raw;
+        }
+        result[key] = value;
+    }
+    return result;
+}
 function escapeJson(str) {
     return str
         .replace(/&/g, '\\u0026')
@@ -53,18 +87,94 @@ export function createInertiaErrorHandler() {
 /**
  * Mounts the Inertia middleware + Vite integration onto the Express app.
  * This must be called before routes are registered.
+ *
+ * Also installs two CSRF middlewares that apply to every route:
+ *
+ * - **csrfSetter** — sets the `XSRF-TOKEN` cookie only when the incoming
+ *   request does not already carry one. Skipping rotation on subsequent
+ *   requests prevents concurrent-tab races where a fresh token issued for
+ *   Tab B would invalidate an in-flight form submission from Tab A.
+ *
+ * - **csrfValidator** — on POST/PUT/PATCH/DELETE requests, verifies that the
+ *   `X-XSRF-TOKEN` request header matches the `XSRF-TOKEN` request cookie.
+ *   Returns 419 if they are absent or do not match. Exception: when both the
+ *   cookie AND the header are absent the client has not yet received a CSRF
+ *   cookie (a completely unauthenticated request with no prior GET). In that
+ *   case validation is skipped and downstream auth middleware is responsible
+ *   for redirecting or rejecting the request.
+ *
+ * Note: `/api/auth/*` routes are handled by Better Auth before reaching this
+ * middleware, so they are naturally excluded from CSRF validation.
  */
 export async function createInertiaMiddleware(app, options) {
     const version = options.version ?? '1';
     const vite = await createViteSetup(options.ssr);
     // Mount Vite dev server or static file serving
     app.use(vite.middleware);
+    // CSRF token setter — writes the XSRF-TOKEN cookie only when the request
+    // carries no existing token. This keeps the token stable across multiple
+    // concurrent tabs / in-flight requests for the same session.
+    // httpOnly must be false so the Inertia JS client can read it.
+    const csrfSetter = (req, res, next) => {
+        const cookies = parseCookieHeader(req.headers.cookie);
+        if (!cookies[CSRF_COOKIE]) {
+            res.cookie(CSRF_COOKIE, generateCsrfToken(), {
+                httpOnly: false,
+                sameSite: 'strict',
+                secure: process.env['NODE_ENV'] === 'production',
+                path: '/',
+            });
+        }
+        next();
+    };
+    // CSRF validator — rejects mutation requests where the X-XSRF-TOKEN header
+    // does not match the XSRF-TOKEN cookie that was set on a prior response.
+    //
+    // Special case: when neither token is present the client has not yet
+    // received a CSRF cookie (e.g. a completely unauthenticated browser request
+    // with no prior GET). Returning 419 in that case would mask the auth-guard
+    // redirect to /login with a confusing error. Downstream auth middleware
+    // handles these requests. 419 is only appropriate when a cookie exists but
+    // the header is wrong or missing — i.e. when there is something concrete to
+    // validate against.
+    const csrfValidator = (req, res, next) => {
+        if (!CSRF_MUTATION_METHODS.has(req.method)) {
+            next();
+            return;
+        }
+        const cookies = parseCookieHeader(req.headers.cookie);
+        const cookieToken = cookies[CSRF_COOKIE];
+        const rawHeaderToken = req.headers[CSRF_HEADER];
+        // The header value is always a plain string for custom headers; normalise
+        // to string | undefined so the comparison below is type-safe.
+        const headerToken = Array.isArray(rawHeaderToken) ? rawHeaderToken[0] : rawHeaderToken;
+        const hasCookie = typeof cookieToken === 'string' && cookieToken.length > 0;
+        const hasHeader = typeof headerToken === 'string' && headerToken.length > 0;
+        // Both absent — no CSRF context; defer to downstream auth middleware.
+        if (!hasCookie && !hasHeader) {
+            next();
+            return;
+        }
+        // Cookie present but header wrong/missing, or header present but no cookie.
+        if (!hasCookie || cookieToken !== headerToken) {
+            res.status(419).json({ error: 'CSRF token mismatch' });
+            return;
+        }
+        next();
+    };
+    app.use(csrfSetter);
+    app.use(csrfValidator);
     // Inertia protocol middleware
     const inertiaMiddleware = (req, res, next) => {
         const isInertiaRequest = Boolean(req.headers[INERTIA_HEADER]);
-        // Asset version mismatch — force a full page reload
+        // Asset version mismatch — force a full page reload.
+        // Only fires when the client sends X-Inertia-Version AND it doesn't match
+        // the server version. Requests without the header (e.g. test clients that
+        // set X-Inertia but omit the version) are let through so they receive the
+        // normal JSON response rather than a 409.
         if (isInertiaRequest &&
             req.method === 'GET' &&
+            req.headers[INERTIA_VERSION_HEADER] !== undefined &&
             req.headers[INERTIA_VERSION_HEADER] !== version) {
             res.setHeader('X-Inertia-Location', req.url);
             res.status(409).end();

package/dist/inertia/middleware.js.map

@@ -1 +1 @@
-{"version":3,"file":"middleware.js","sourceRoot":"","sources":["../../src/inertia/middleware.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,eAAe,EAAE,MAAM,WAAW,CAAA;AAC3C,OAAO,EAAE,SAAS,EAAE,MAAM,oBAAoB,CAAA;AAE9C,MAAM,cAAc,GAAG,WAAW,CAAA;AAClC,MAAM,sBAAsB,GAAG,mBAAmB,CAAA;AAElD,SAAS,UAAU,CAAC,GAAW;IAC7B,OAAO,GAAG;SACP,OAAO,CAAC,IAAI,EAAE,SAAS,CAAC;SACxB,OAAO,CAAC,IAAI,EAAE,SAAS,CAAC;SACxB,OAAO,CAAC,IAAI,EAAE,SAAS,CAAC;SACxB,OAAO,CAAC,IAAI,EAAE,SAAS,CAAC,CAAA;AAC7B,CAAC;AAED,SAAS,SAAS,CAAC,IAAiB,EAAE,SAAiB;IACrD,MAAM,QAAQ,GAAG,UAAU,CAAC,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAA;IACjD,OAAO;;;;;MAKH,SAAS;;;sDAGuC,QAAQ;;;QAGtD,CAAA;AACR,CAAC;AAED;;;;;;;;;;;;;;GAcG;AACH,MAAM,UAAU,yBAAyB;IAMvC,OAAO,CAAC,GAAY,EAAE,GAAY,EAAE,GAAa,EAAE,IAAkB,EAAQ,EAAE;QAC7E,IAAI,CAAC,CAAC,GAAG,YAAY,SAAS,CAAC,IAAI,CAAC,GAAG,CAAC,OAAO,CAAC,cAAc,CAAC,EAAE,CAAC;YAChE,IAAI,CAAC,GAAG,CAAC,CAAA;YACT,OAAM;QACR,CAAC;QAED,MAAM,OAAO,GAAG,GAAG,CAAC,OAAO,CAAC,SAAS,CAAC,CAAA;QACtC,MAAM,WAAW,GAAG,OAAO,OAAO,KAAK,QAAQ,IAAI,OAAO,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,GAAG,CAAA;QACrF,GAAG,CAAC,QAAQ,CAAC,GAAG,EAAE,WAAW,CAAC,CAAA;IAChC,CAAC,CAAA;AACH,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,uBAAuB,CAC3C,GAAgB,EAChB,OAAuB;IAEvB,MAAM,OAAO,GAAG,OAAO,CAAC,OAAO,IAAI,GAAG,CAAA;IACtC,MAAM,IAAI,GAAG,MAAM,eAAe,CAAC,OAAO,CAAC,GAAG,CAAC,CAAA;IAE/C,+CAA+C;IAC/C,GAAG,CAAC,GAAG,CAAC,IAAI,CAAC,UAA4B,CAAC,CAAA;IAE1C,8BAA8B;IAC9B,MAAM,iBAAiB,GAAmB,CACxC,GAAY,EACZ,GAAa,EACb,IAAkB,EACZ,EAAE;QACR,MAAM,gBAAgB,GAAG,OAAO,CAAC,GAAG,CAAC,OAAO,CAAC,cAAc,CAAC,CAAC,CAAA;QAE7D,oDAAoD;QACpD,IACE,gBAAgB;YAChB,GAAG,CAAC,MAAM,KAAK,KAAK;YACpB,GAAG,CAAC,OAAO,CAAC,sBAAsB,CAAC,KAAK,OAAO,EAC/C,CAAC;YACD,GAAG,CAAC,SAAS,CAAC,oBAAoB,EAAE,GAAG,CAAC,GAAG,CAAC,CAAA;YAC5C,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,CAAA;YACrB,OAAM;QACR,CAAC;QAED,GAAG,CAAC,OAAO,GAAG,CAAC,SAAiB,EAAE,QAAiC,EAAE,EAAQ,EAAE;YAC7E,MAAM,IAAI,GAAgB;gBACxB,SAAS;gBACT,KAAK;gBACL,GAAG,EAAE,GAAG,CAAC,WAAW;gBACpB,OAAO;aACR,CAAA;YAED,IAAI,gBAAgB,EAAE,CAAC;gBACrB,GAAG,CAAC,SAAS,CAAC,WAAW,EAAE,MAAM,CAAC,CAAA;gBAClC,GAAG,CAAC,SAAS,CAAC,MAAM,EAAE,WAAW,CAAC,CAAA;gBAClC,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAA;gBAC1B,OAAM;YACR,CAAC;YAED,MAAM,IAAI,GAAG,SAAS,CAAC,IAAI,EAAE,IAAI,CAAC,SAAS,EAAE,CAAC,CAAA;YAC9C,GAAG,CAAC,SAAS,CAAC,cAAc,EAAE,0BAA0B,CAAC,CAAA;YACzD,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAA;QAC5B,CAAC,CAAA;QAED,IAAI,EAAE,CAAA;IACR,CAAC,CAAA;IAED,GAAG,CAAC,GAAG,CAAC,iBAAiB,CAAC,CAAA;AAC5B,CAAC"}
+{"version":3,"file":"middleware.js","sourceRoot":"","sources":["../../src/inertia/middleware.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,WAAW,EAAE,MAAM,aAAa,CAAA;AACzC,OAAO,EAAE,eAAe,EAAE,MAAM,WAAW,CAAA;AAC3C,OAAO,EAAE,SAAS,EAAE,MAAM,oBAAoB,CAAA;AAE9C,MAAM,cAAc,GAAG,WAAW,CAAA;AAClC,MAAM,sBAAsB,GAAG,mBAAmB,CAAA;AAClD,MAAM,WAAW,GAAG,YAAY,CAAA;AAChC,MAAM,WAAW,GAAG,cAAc,CAAA;AAClC,MAAM,qBAAqB,GAAG,IAAI,GAAG,CAAC,CAAC,MAAM,EAAE,KAAK,EAAE,OAAO,EAAE,QAAQ,CAAC,CAAC,CAAA;AAEzE,SAAS,iBAAiB;IACxB,OAAO,WAAW,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAA;AACxC,CAAC;AAED;;;;;GAKG;AACH,SAAS,iBAAiB,CAAC,YAAgC;IACzD,IAAI,CAAC,YAAY;QAAE,OAAO,EAAE,CAAA;IAC5B,MAAM,MAAM,GAA2B,EAAE,CAAA;IACzC,KAAK,MAAM,IAAI,IAAI,YAAY,CAAC,KAAK,CAAC,GAAG,CAAC,EAAE,CAAC;QAC3C,MAAM,KAAK,GAAG,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,CAAA;QAC/B,IAAI,KAAK,KAAK,CAAC,CAAC;YAAE,SAAQ;QAC1B,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,KAAK,CAAC,CAAC,IAAI,EAAE,CAAA;QACvC,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,KAAK,GAAG,CAAC,CAAC,CAAC,IAAI,EAAE,CAAA;QACxC,IAAI,KAAa,CAAA;QACjB,IAAI,CAAC;YACH,KAAK,GAAG,kBAAkB,CAAC,GAAG,CAAC,CAAA;QACjC,CAAC;QAAC,MAAM,CAAC;YACP,KAAK,GAAG,GAAG,CAAA;QACb,CAAC;QACD,MAAM,CAAC,GAAG,CAAC,GAAG,KAAK,CAAA;IACrB,CAAC;IACD,OAAO,MAAM,CAAA;AACf,CAAC;AAED,SAAS,UAAU,CAAC,GAAW;IAC7B,OAAO,GAAG;SACP,OAAO,CAAC,IAAI,EAAE,SAAS,CAAC;SACxB,OAAO,CAAC,IAAI,EAAE,SAAS,CAAC;SACxB,OAAO,CAAC,IAAI,EAAE,SAAS,CAAC;SACxB,OAAO,CAAC,IAAI,EAAE,SAAS,CAAC,CAAA;AAC7B,CAAC;AAED,SAAS,SAAS,CAAC,IAAiB,EAAE,SAAiB;IACrD,MAAM,QAAQ,GAAG,UAAU,CAAC,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAA;IACjD,OAAO;;;;;MAKH,SAAS;;;sDAGuC,QAAQ;;;QAGtD,CAAA;AACR,CAAC;AAED;;;;;;;;;;;;;;GAcG;AACH,MAAM,UAAU,yBAAyB;IAMvC,OAAO,CAAC,GAAY,EAAE,GAAY,EAAE,GAAa,EAAE,IAAkB,EAAQ,EAAE;QAC7E,IAAI,CAAC,CAAC,GAAG,YAAY,SAAS,CAAC,IAAI,CAAC,GAAG,CAAC,OAAO,CAAC,cAAc,CAAC,EAAE,CAAC;YAChE,IAAI,CAAC,GAAG,CAAC,CAAA;YACT,OAAM;QACR,CAAC;QAED,MAAM,OAAO,GAAG,GAAG,CAAC,OAAO,CAAC,SAAS,CAAC,CAAA;QACtC,MAAM,WAAW,GAAG,OAAO,OAAO,KAAK,QAAQ,IAAI,OAAO,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,GAAG,CAAA;QACrF,GAAG,CAAC,QAAQ,CAAC,GAAG,EAAE,WAAW,CAAC,CAAA;IAChC,CAAC,CAAA;AACH,CAAC;AAED;;;;;;;;;;;;;;;;;;;;;GAqBG;AACH,MAAM,CAAC,KAAK,UAAU,uBAAuB,CAC3C,GAAgB,EAChB,OAAuB;IAEvB,MAAM,OAAO,GAAG,OAAO,CAAC,OAAO,IAAI,GAAG,CAAA;IACtC,MAAM,IAAI,GAAG,MAAM,eAAe,CAAC,OAAO,CAAC,GAAG,CAAC,CAAA;IAE/C,+CAA+C;IAC/C,GAAG,CAAC,GAAG,CAAC,IAAI,CAAC,UAA4B,CAAC,CAAA;IAE1C,yEAAyE;IACzE,yEAAyE;IACzE,6DAA6D;IAC7D,+DAA+D;IAC/D,MAAM,UAAU,GAAmB,CAAC,GAAY,EAAE,GAAa,EAAE,IAAkB,EAAQ,EAAE;QAC3F,MAAM,OAAO,GAAG,iBAAiB,CAAC,GAAG,CAAC,OAAO,CAAC,MAAM,CAAC,CAAA;QACrD,IAAI,CAAC,OAAO,CAAC,WAAW,CAAC,EAAE,CAAC;YAC1B,GAAG,CAAC,MAAM,CAAC,WAAW,EAAE,iBAAiB,EAAE,EAAE;gBAC3C,QAAQ,EAAE,KAAK;gBACf,QAAQ,EAAE,QAAQ;gBAClB,MAAM,EAAE,OAAO,CAAC,GAAG,CAAC,UAAU,CAAC,KAAK,YAAY;gBAChD,IAAI,EAAE,GAAG;aACV,CAAC,CAAA;QACJ,CAAC;QACD,IAAI,EAAE,CAAA;IACR,CAAC,CAAA;IAED,2EAA2E;IAC3E,yEAAyE;IACzE,EAAE;IACF,qEAAqE;IACrE,4EAA4E;IAC5E,2EAA2E;IAC3E,wEAAwE;IACxE,2EAA2E;IAC3E,4EAA4E;IAC5E,oBAAoB;IACpB,MAAM,aAAa,GAAmB,CAAC,GAAY,EAAE,GAAa,EAAE,IAAkB,EAAQ,EAAE;QAC9F,IAAI,CAAC,qBAAqB,CAAC,GAAG,CAAC,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC;YAC3C,IAAI,EAAE,CAAA;YACN,OAAM;QACR,CAAC;QAED,MAAM,OAAO,GAAG,iBAAiB,CAAC,GAAG,CAAC,OAAO,CAAC,MAAM,CAAC,CAAA;QACrD,MAAM,WAAW,GAAG,OAAO,CAAC,WAAW,CAAC,CAAA;QACxC,MAAM,cAAc,GAAG,GAAG,CAAC,OAAO,CAAC,WAAW,CAAC,CAAA;QAC/C,0EAA0E;QAC1E,8DAA8D;QAC9D,MAAM,WAAW,GAAG,KAAK,CAAC,OAAO,CAAC,cAAc,CAAC,CAAC,CAAC,CAAC,cAAc,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,cAAc,CAAA;QAEtF,MAAM,SAAS,GAAG,OAAO,WAAW,KAAK,QAAQ,IAAI,WAAW,CAAC,MAAM,GAAG,CAAC,CAAA;QAC3E,MAAM,SAAS,GAAG,OAAO,WAAW,KAAK,QAAQ,IAAI,WAAW,CAAC,MAAM,GAAG,CAAC,CAAA;QAE3E,sEAAsE;QACtE,IAAI,CAAC,SAAS,IAAI,CAAC,SAAS,EAAE,CAAC;YAC7B,IAAI,EAAE,CAAA;YACN,OAAM;QACR,CAAC;QAED,4EAA4E;QAC5E,IAAI,CAAC,SAAS,IAAI,WAAW,KAAK,WAAW,EAAE,CAAC;YAC9C,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,qBAAqB,EAAE,CAAC,CAAA;YACtD,OAAM;QACR,CAAC;QAED,IAAI,EAAE,CAAA;IACR,CAAC,CAAA;IAED,GAAG,CAAC,GAAG,CAAC,UAAU,CAAC,CAAA;IACnB,GAAG,CAAC,GAAG,CAAC,aAAa,CAAC,CAAA;IAEtB,8BAA8B;IAC9B,MAAM,iBAAiB,GAAmB,CACxC,GAAY,EACZ,GAAa,EACb,IAAkB,EACZ,EAAE;QACR,MAAM,gBAAgB,GAAG,OAAO,CAAC,GAAG,CAAC,OAAO,CAAC,cAAc,CAAC,CAAC,CAAA;QAE7D,qDAAqD;QACrD,0EAA0E;QAC1E,0EAA0E;QAC1E,0EAA0E;QAC1E,0CAA0C;QAC1C,IACE,gBAAgB;YAChB,GAAG,CAAC,MAAM,KAAK,KAAK;YACpB,GAAG,CAAC,OAAO,CAAC,sBAAsB,CAAC,KAAK,SAAS;YACjD,GAAG,CAAC,OAAO,CAAC,sBAAsB,CAAC,KAAK,OAAO,EAC/C,CAAC;YACD,GAAG,CAAC,SAAS,CAAC,oBAAoB,EAAE,GAAG,CAAC,GAAG,CAAC,CAAA;YAC5C,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,CAAA;YACrB,OAAM;QACR,CAAC;QAED,GAAG,CAAC,OAAO,GAAG,CAAC,SAAiB,EAAE,QAAiC,EAAE,EAAQ,EAAE;YAC7E,MAAM,IAAI,GAAgB;gBACxB,SAAS;gBACT,KAAK;gBACL,GAAG,EAAE,GAAG,CAAC,WAAW;gBACpB,OAAO;aACR,CAAA;YAED,IAAI,gBAAgB,EAAE,CAAC;gBACrB,GAAG,CAAC,SAAS,CAAC,WAAW,EAAE,MAAM,CAAC,CAAA;gBAClC,GAAG,CAAC,SAAS,CAAC,MAAM,EAAE,WAAW,CAAC,CAAA;gBAClC,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAA;gBAC1B,OAAM;YACR,CAAC;YAED,MAAM,IAAI,GAAG,SAAS,CAAC,IAAI,EAAE,IAAI,CAAC,SAAS,EAAE,CAAC,CAAA;YAC9C,GAAG,CAAC,SAAS,CAAC,cAAc,EAAE,0BAA0B,CAAC,CAAA;YACzD,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAA;QAC5B,CAAC,CAAA;QAED,IAAI,EAAE,CAAA;IACR,CAAC,CAAA;IAED,GAAG,CAAC,GAAG,CAAC,iBAAiB,CAAC,CAAA;AAC5B,CAAC"}

package/dist/logger/index.d.ts

@@ -0,0 +1,11 @@
+import { type Logger } from 'pino';
+import type { LogLevel } from '../config/types.js';
+export type { Logger };
+/**
+ * Creates a configured Pino logger for the Hypersonic server.
+ * Defaults to 'error' level so production deployments are quiet by default —
+ * only genuine errors reach the log stream unless the developer explicitly
+ * lowers the level in hypersonic.config.ts.
+ */
+export declare function createLogger(level?: LogLevel): Logger;
+//# sourceMappingURL=index.d.ts.map

package/dist/logger/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/logger/index.ts"],"names":[],"mappings":"AAAA,OAAa,EAAE,KAAK,MAAM,EAAE,MAAM,MAAM,CAAA;AACxC,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,oBAAoB,CAAA;AAElD,YAAY,EAAE,MAAM,EAAE,CAAA;AAEtB;;;;;GAKG;AACH,wBAAgB,YAAY,CAAC,KAAK,GAAE,QAAkB,GAAG,MAAM,CAE9D"}

package/dist/logger/index.js

@@ -0,0 +1,11 @@
+import pino from 'pino';
+/**
+ * Creates a configured Pino logger for the Hypersonic server.
+ * Defaults to 'error' level so production deployments are quiet by default —
+ * only genuine errors reach the log stream unless the developer explicitly
+ * lowers the level in hypersonic.config.ts.
+ */
+export function createLogger(level = 'error') {
+    return pino({ level });
+}
+//# sourceMappingURL=index.js.map

package/dist/logger/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/logger/index.ts"],"names":[],"mappings":"AAAA,OAAO,IAAqB,MAAM,MAAM,CAAA;AAKxC;;;;;GAKG;AACH,MAAM,UAAU,YAAY,CAAC,QAAkB,OAAO;IACpD,OAAO,IAAI,CAAC,EAAE,KAAK,EAAE,CAAC,CAAA;AACxB,CAAC"}

package/dist/server/app.d.ts

@@ -3,17 +3,8 @@ import type { CreateAppOptions, HypersonicApp } from './types.js';
  * Creates and returns a fully wired Hypersonic application.
  * The auth instance created internally is returned on `app.auth` so
  * callers can pass it to route registration without creating a second instance.
- *
- * @example
- * ```ts
- * import { PrismaClient } from '@prisma/client'
- * import { createApp, loadConfig } from '@hypersonic/core'
- *
- * const { config, env } = await loadConfig()
- * const app = await createApp({ config, env, prisma: new PrismaClient() })
- * registerRoutes(app.express, prisma, app.auth)
- * await app.start()
- * ```
+ * The Pino logger is returned on `app.logger` and can be passed to mountAdmin
+ * or used directly in route handlers.
  */
 export declare function createApp(options: CreateAppOptions): Promise<HypersonicApp>;
 //# sourceMappingURL=app.d.ts.map

package/dist/server/app.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"app.d.ts","sourceRoot":"","sources":["../../src/server/app.ts"],"names":[],"mappings":"AAMA,OAAO,KAAK,EAAE,gBAAgB,EAAE,aAAa,EAAE,MAAM,YAAY,CAAA;AA4BjE;;;;;;;;;;;;;;;GAeG;AACH,wBAAsB,SAAS,CAAC,OAAO,EAAE,gBAAgB,GAAG,OAAO,CAAC,aAAa,CAAC,CA2BjF"}
+{"version":3,"file":"app.d.ts","sourceRoot":"","sources":["../../src/server/app.ts"],"names":[],"mappings":"AAUA,OAAO,KAAK,EAAE,gBAAgB,EAAE,aAAa,EAAE,MAAM,YAAY,CAAA;AA4BjE;;;;;;GAMG;AACH,wBAAsB,SAAS,CAAC,OAAO,EAAE,gBAAgB,GAAG,OAAO,CAAC,aAAa,CAAC,CAsDjF"}

package/dist/server/app.js

@@ -1,9 +1,12 @@
 import express from 'express';
+import helmet from 'helmet';
+import { pinoHttp } from 'pino-http';
 import { setPrismaClient } from '../database/client.js';
 import { createAuth } from '../auth/setup.js';
 import { mountAuth } from '../auth/middleware.js';
 import { createInertiaMiddleware } from '../inertia/middleware.js';
 import { createLifecycle } from './lifecycle.js';
+import { createLogger } from '../logger/index.js';
 function resolveProviders(config, env) {
     const providers = {};
     const e = env;
@@ -25,30 +28,40 @@ function resolveProviders(config, env) {
  * Creates and returns a fully wired Hypersonic application.
  * The auth instance created internally is returned on `app.auth` so
  * callers can pass it to route registration without creating a second instance.
- *
- * @example
- * ```ts
- * import { PrismaClient } from '@prisma/client'
- * import { createApp, loadConfig } from '@hypersonic/core'
- *
- * const { config, env } = await loadConfig()
- * const app = await createApp({ config, env, prisma: new PrismaClient() })
- * registerRoutes(app.express, prisma, app.auth)
- * await app.start()
- * ```
+ * The Pino logger is returned on `app.logger` and can be passed to mountAdmin
+ * or used directly in route handlers.
  */
 export async function createApp(options) {
     const { config, env, prisma } = options;
+    if (!config.database) {
+        throw new Error('Hypersonic: config.database is required. ' +
+            'Add a database block to your hypersonic.config.ts:\n' +
+            '  database: { provider: "yourdbname" }');
+    }
+    const logger = createLogger(config.logging?.level ?? 'error');
     const app = express();
+    // Security headers.
+    // - CSP omitted — requires app-specific configuration; see docs.
+    // - referrerPolicy: same-origin preserves the Referer header for
+    //   same-origin requests so error handlers can redirect back to the
+    //   originating form. The Helmet default (no-referrer) strips the header
+    //   entirely, breaking Inertia's redirect-on-error behaviour.
+    app.use(helmet({
+        contentSecurityPolicy: false,
+        referrerPolicy: { policy: 'same-origin' },
+    }));
+    // HTTP request / response logging via pino-http.
+    app.use(pinoHttp({ logger }));
     app.use(express.json());
     app.use(express.urlencoded({ extended: true }));
     setPrismaClient(prisma);
     const auth = createAuth({
         secret: env.BETTER_AUTH_SECRET,
         trustedOrigins: config.auth.trustedOrigins,
-        databaseUrl: env.DATABASE_URL,
+        provider: config.database.provider,
         prisma,
         providers: resolveProviders(config, env),
+        rateLimit: config.auth.rateLimit,
     });
     mountAuth(app, auth);
     await createInertiaMiddleware(app, {
@@ -56,6 +69,6 @@ export async function createApp(options) {
         version: config.inertia.version,
     });
     const { start, stop } = createLifecycle(app, config);
-    return { express: app, auth, start, stop };
+    return { express: app, auth, logger, start, stop };
 }
 //# sourceMappingURL=app.js.map

package/dist/server/app.js.map

@@ -1 +1 @@
-{"version":3,"file":"app.js","sourceRoot":"","sources":["../../src/server/app.ts"],"names":[],"mappings":"AAAA,OAAO,OAAO,MAAM,SAAS,CAAA;AAC7B,OAAO,EAAE,eAAe,EAAE,MAAM,uBAAuB,CAAA;AACvD,OAAO,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAA;AAC7C,OAAO,EAAE,SAAS,EAAE,MAAM,uBAAuB,CAAA;AACjD,OAAO,EAAE,uBAAuB,EAAE,MAAM,0BAA0B,CAAA;AAClE,OAAO,EAAE,eAAe,EAAE,MAAM,gBAAgB,CAAA;AAKhD,SAAS,gBAAgB,CACvB,MAAwB,EACxB,GAAQ;IAER,MAAM,SAAS,GAA+D,EAAE,CAAA;IAChF,MAAM,CAAC,GAAG,GAAyC,CAAA;IAEnD,IAAI,MAAM,CAAC,IAAI,CAAC,SAAS,EAAE,MAAM,KAAK,IAAI,EAAE,CAAC;QAC3C,SAAS,CAAC,QAAQ,CAAC,GAAG;YACpB,QAAQ,EAAE,CAAC,CAAC,kBAAkB,CAAW;YACzC,YAAY,EAAE,CAAC,CAAC,sBAAsB,CAAW;SAClD,CAAA;IACH,CAAC;IAED,IAAI,MAAM,CAAC,IAAI,CAAC,SAAS,EAAE,MAAM,KAAK,IAAI,EAAE,CAAC;QAC3C,SAAS,CAAC,QAAQ,CAAC,GAAG;YACpB,QAAQ,EAAE,CAAC,CAAC,kBAAkB,CAAW;YACzC,YAAY,EAAE,CAAC,CAAC,sBAAsB,CAAW;SAClD,CAAA;IACH,CAAC;IAED,OAAO,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,SAAS,CAAA;AAClE,CAAC;AAED;;;;;;;;;;;;;;;GAeG;AACH,MAAM,CAAC,KAAK,UAAU,SAAS,CAAC,OAAyB;IACvD,MAAM,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,EAAE,GAAG,OAAO,CAAA;IAEvC,MAAM,GAAG,GAAG,OAAO,EAAE,CAAA;IAErB,GAAG,CAAC,GAAG,CAAC,OAAO,CAAC,IAAI,EAAE,CAAC,CAAA;IACvB,GAAG,CAAC,GAAG,CAAC,OAAO,CAAC,UAAU,CAAC,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAC,CAAC,CAAA;IAE/C,eAAe,CAAC,MAAM,CAAC,CAAA;IAEvB,MAAM,IAAI,GAAG,UAAU,CAAC;QACtB,MAAM,EAAE,GAAG,CAAC,kBAAkB;QAC9B,cAAc,EAAE,MAAM,CAAC,IAAI,CAAC,cAAc;QAC1C,WAAW,EAAE,GAAG,CAAC,YAAY;QAC7B,MAAM;QACN,SAAS,EAAE,gBAAgB,CAAC,MAAM,EAAE,GAAG,CAAC;KACzC,CAAC,CAAA;IACF,SAAS,CAAC,GAAG,EAAE,IAAI,CAAC,CAAA;IAEpB,MAAM,uBAAuB,CAAC,GAAG,EAAE;QACnC,GAAG,EAAE,MAAM,CAAC,OAAO,CAAC,GAAG;QACvB,OAAO,EAAE,MAAM,CAAC,OAAO,CAAC,OAAO;KAC9B,CAAC,CAAA;IAEF,MAAM,EAAE,KAAK,EAAE,IAAI,EAAE,GAAG,eAAe,CAAC,GAAG,EAAE,MAAM,CAAC,CAAA;IAEpD,OAAO,EAAE,OAAO,EAAE,GAAG,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,CAAA;AAC5C,CAAC"}
+{"version":3,"file":"app.js","sourceRoot":"","sources":["../../src/server/app.ts"],"names":[],"mappings":"AAAA,OAAO,OAAO,MAAM,SAAS,CAAA;AAC7B,OAAO,MAAM,MAAM,QAAQ,CAAA;AAC3B,OAAO,EAAE,QAAQ,EAAE,MAAM,WAAW,CAAA;AAEpC,OAAO,EAAE,eAAe,EAAE,MAAM,uBAAuB,CAAA;AACvD,OAAO,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAA;AAC7C,OAAO,EAAE,SAAS,EAAE,MAAM,uBAAuB,CAAA;AACjD,OAAO,EAAE,uBAAuB,EAAE,MAAM,0BAA0B,CAAA;AAClE,OAAO,EAAE,eAAe,EAAE,MAAM,gBAAgB,CAAA;AAChD,OAAO,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAA;AAKjD,SAAS,gBAAgB,CACvB,MAAwB,EACxB,GAAQ;IAER,MAAM,SAAS,GAA+D,EAAE,CAAA;IAChF,MAAM,CAAC,GAAG,GAAyC,CAAA;IAEnD,IAAI,MAAM,CAAC,IAAI,CAAC,SAAS,EAAE,MAAM,KAAK,IAAI,EAAE,CAAC;QAC3C,SAAS,CAAC,QAAQ,CAAC,GAAG;YACpB,QAAQ,EAAE,CAAC,CAAC,kBAAkB,CAAW;YACzC,YAAY,EAAE,CAAC,CAAC,sBAAsB,CAAW;SAClD,CAAA;IACH,CAAC;IAED,IAAI,MAAM,CAAC,IAAI,CAAC,SAAS,EAAE,MAAM,KAAK,IAAI,EAAE,CAAC;QAC3C,SAAS,CAAC,QAAQ,CAAC,GAAG;YACpB,QAAQ,EAAE,CAAC,CAAC,kBAAkB,CAAW;YACzC,YAAY,EAAE,CAAC,CAAC,sBAAsB,CAAW;SAClD,CAAA;IACH,CAAC;IAED,OAAO,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,SAAS,CAAA;AAClE,CAAC;AAED;;;;;;GAMG;AACH,MAAM,CAAC,KAAK,UAAU,SAAS,CAAC,OAAyB;IACvD,MAAM,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,EAAE,GAAG,OAAO,CAAA;IAEvC,IAAI,CAAC,MAAM,CAAC,QAAQ,EAAE,CAAC;QACrB,MAAM,IAAI,KAAK,CACb,2CAA2C;YACzC,sDAAsD;YACtD,wCAAwC,CAC3C,CAAA;IACH,CAAC;IAED,MAAM,MAAM,GAAG,YAAY,CAAC,MAAM,CAAC,OAAO,EAAE,KAAK,IAAI,OAAO,CAAC,CAAA;IAE7D,MAAM,GAAG,GAAG,OAAO,EAAE,CAAA;IAErB,oBAAoB;IACpB,iEAAiE;IACjE,iEAAiE;IACjE,oEAAoE;IACpE,yEAAyE;IACzE,8DAA8D;IAC9D,GAAG,CAAC,GAAG,CACL,MAAM,CAAC;QACL,qBAAqB,EAAE,KAAK;QAC5B,cAAc,EAAE,EAAE,MAAM,EAAE,aAAa,EAAE;KAC1C,CAAC,CACH,CAAA;IAED,iDAAiD;IACjD,GAAG,CAAC,GAAG,CAAC,QAAQ,CAAC,EAAE,MAAM,EAAE,CAA8B,CAAC,CAAA;IAE1D,GAAG,CAAC,GAAG,CAAC,OAAO,CAAC,IAAI,EAAE,CAAC,CAAA;IACvB,GAAG,CAAC,GAAG,CAAC,OAAO,CAAC,UAAU,CAAC,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAC,CAAC,CAAA;IAE/C,eAAe,CAAC,MAAM,CAAC,CAAA;IAEvB,MAAM,IAAI,GAAG,UAAU,CAAC;QACtB,MAAM,EAAE,GAAG,CAAC,kBAAkB;QAC9B,cAAc,EAAE,MAAM,CAAC,IAAI,CAAC,cAAc;QAC1C,QAAQ,EAAE,MAAM,CAAC,QAAQ,CAAC,QAAQ;QAClC,MAAM;QACN,SAAS,EAAE,gBAAgB,CAAC,MAAM,EAAE,GAAG,CAAC;QACxC,SAAS,EAAE,MAAM,CAAC,IAAI,CAAC,SAAS;KACjC,CAAC,CAAA;IACF,SAAS,CAAC,GAAG,EAAE,IAAI,CAAC,CAAA;IAEpB,MAAM,uBAAuB,CAAC,GAAG,EAAE;QACjC,GAAG,EAAE,MAAM,CAAC,OAAO,CAAC,GAAG;QACvB,OAAO,EAAE,MAAM,CAAC,OAAO,CAAC,OAAO;KAChC,CAAC,CAAA;IAEF,MAAM,EAAE,KAAK,EAAE,IAAI,EAAE,GAAG,eAAe,CAAC,GAAG,EAAE,MAAM,CAAC,CAAA;IAEpD,OAAO,EAAE,OAAO,EAAE,GAAG,EAAE,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,IAAI,EAAE,CAAA;AACpD,CAAC"}

package/dist/server/types.d.ts

@@ -1,4 +1,5 @@
 import type { Application } from 'express';
+import type { Logger } from '../logger/index.js';
 import type { HypersonicConfig } from '../config/types.js';
 import type { Env } from '../config/env.js';
 import type { PrismaClientLike } from '../database/client.js';
@@ -11,6 +12,8 @@ export interface CreateAppOptions {
 export interface HypersonicApp {
     express: Application;
     auth: AuthInstance;
+    /** Pino logger configured from hypersonic.config.ts — defaults to 'error' level. */
+    logger: Logger;
     start: () => Promise<void>;
     stop: () => Promise<void>;
 }

package/dist/server/types.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../src/server/types.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,SAAS,CAAA;AAC1C,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,oBAAoB,CAAA;AAC1D,OAAO,KAAK,EAAE,GAAG,EAAE,MAAM,kBAAkB,CAAA;AAC3C,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,uBAAuB,CAAA;AAC7D,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,kBAAkB,CAAA;AAEpD,MAAM,WAAW,gBAAgB;IAC/B,MAAM,EAAE,gBAAgB,CAAA;IACxB,GAAG,EAAE,GAAG,CAAA;IACR,MAAM,EAAE,gBAAgB,CAAA;CACzB;AAED,MAAM,WAAW,aAAa;IAC5B,OAAO,EAAE,WAAW,CAAA;IACpB,IAAI,EAAE,YAAY,CAAA;IAClB,KAAK,EAAE,MAAM,OAAO,CAAC,IAAI,CAAC,CAAA;IAC1B,IAAI,EAAE,MAAM,OAAO,CAAC,IAAI,CAAC,CAAA;CAC1B"}
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../src/server/types.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,SAAS,CAAA;AAC1C,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,oBAAoB,CAAA;AAChD,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,oBAAoB,CAAA;AAC1D,OAAO,KAAK,EAAE,GAAG,EAAE,MAAM,kBAAkB,CAAA;AAC3C,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,uBAAuB,CAAA;AAC7D,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,kBAAkB,CAAA;AAEpD,MAAM,WAAW,gBAAgB;IAC/B,MAAM,EAAE,gBAAgB,CAAA;IACxB,GAAG,EAAE,GAAG,CAAA;IACR,MAAM,EAAE,gBAAgB,CAAA;CACzB;AAED,MAAM,WAAW,aAAa;IAC5B,OAAO,EAAE,WAAW,CAAA;IACpB,IAAI,EAAE,YAAY,CAAA;IAClB,oFAAoF;IACpF,MAAM,EAAE,MAAM,CAAA;IACd,KAAK,EAAE,MAAM,OAAO,CAAC,IAAI,CAAC,CAAA;IAC1B,IAAI,EAAE,MAAM,OAAO,CAAC,IAAI,CAAC,CAAA;CAC1B"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@hypersonic-js/core",
-  "version": "0.1.2",
+  "version": "0.2.1",
   "description": "The core of Hypersonic.js — a modern Django-inspired full-stack TypeScript framework",
   "type": "module",
   "main": "./dist/index.js",
@@ -25,37 +25,50 @@
     "access": "public"
   },
   "engines": {
-    "node": "^24.0.0"
+    "node": ">=24.0.0"
   },
   "dependencies": {
-    "@inertiajs/core": "3.3.0",
-    "@inertiajs/react": "3.3.0",
-    "@tailwindcss/vite": "4.3.0",
+    "@inertiajs/core": "3.4.0",
+    "@inertiajs/react": "3.4.0",
+    "@tailwindcss/vite": "4.3.1",
     "@vitejs/plugin-react": "6.0.2",
-    "better-auth": "1.6.11",
+    "better-auth": "1.6.19",
     "express": "5.2.1",
-    "react": "19.2.6",
-    "react-dom": "19.2.6",
-    "tailwindcss": "4.3.0",
-    "vite": "8.0.14",
+    "helmet": "8.2.0",
+    "pino": "10.3.1",
+    "pino-http": "11.0.0",
+    "react": "19.2.7",
+    "react-dom": "19.2.7",
+    "tailwindcss": "4.3.1",
+    "vite": "8.0.16",
     "zod": "4.4.3"
   },
   "peerDependencies": {
     "@prisma/client": "7.8.0",
-    "prisma": "7.8.0"
+    "prisma": "7.8.0",
+    "@prisma/adapter-pg": "7.8.0",
+    "@prisma/adapter-better-sqlite3": "7.8.0"
+  },
+  "peerDependenciesMeta": {
+    "@prisma/adapter-pg": {
+      "optional": true
+    },
+    "@prisma/adapter-better-sqlite3": {
+      "optional": true
+    }
   },
   "devDependencies": {
     "@prisma/client": "7.8.0",
     "@types/express": "5.0.6",
-    "@types/node": "25.9.1",
-    "@types/react": "19.2.15",
+    "@types/node": "25.9.3",
+    "@types/react": "19.2.17",
     "@types/react-dom": "19.2.3",
     "@types/supertest": "7.2.0",
-    "@vitest/coverage-v8": "4.1.7",
+    "@vitest/coverage-v8": "4.1.9",
     "prisma": "7.8.0",
     "supertest": "7.2.2",
     "typescript": "6.0.3",
-    "vitest": "4.1.7"
+    "vitest": "4.1.9"
   },
   "scripts": {
     "build": "tsc",

package/Readme.md

@@ -1,30 +0,0 @@
-# @hypersonic-js/complete
-
-**Hypersonic.js** — everything in one installation. This package re-exports the full public API of every Hypersonic package so you don't have to manage individual package versions.
-
-📖 **[hypersonic-js.com](https://hypersonic-js.com)**
-
-## Install
-
-```bash
-npm install @hypersonic-js/complete
-npm install --save-dev prisma @prisma/client
-```
-
-## When to use this
-
-Use `@hypersonic-js/complete` if you want a single dependency that tracks the full framework. Use the individual packages (e.g. `@hypersonic-js/core`) if you need fine-grained control over which parts of the framework you include.
-
-## Quick start
-
-```ts
-import { defineConfig, createApp, loadConfig } from '@hypersonic-js/complete'
-```
-
-Everything exported by `@hypersonic-js/complete` is identical to the same export from its source package — no wrappers, no overhead.
-
-Full documentation at **[hypersonic-js.com](https://hypersonic-js.com)**.
-
-## License
-
-MIT © [Joaquim Dalton-Pereira](https://github.com/Zesuperaker)