@lastshotlabs/bunshot 0.0.13 → 0.0.16

package/docs/sections/response-caching/full.md

@@ -0,0 +1,115 @@
+## Response Caching
+
+Cache GET responses and bust them from mutation endpoints. Supports Redis, MongoDB, SQLite, and memory stores. The cache key is automatically namespaced by `appName` (`cache:{appName}:{key}`), so shared instances across tenant apps never collide.
+
+### Basic usage
+
+```ts
+import { cacheResponse, bustCache } from "@lastshotlabs/bunshot";
+
+// GET — cache the response for 60 seconds in Redis (default)
+router.use("/products", cacheResponse({ ttl: 60, key: "products" }));
+
+// indefinite — cached until busted
+router.use("/config", cacheResponse({ key: "config" }));
+
+router.get("/products", async (c) => {
+  const items = await Product.find();
+  return c.json({ items });
+});
+
+// POST — write data, then bust the shared key (hits all connected stores)
+router.post("/products", userAuth, async (c) => {
+  const body = await c.req.json();
+  await Product.create(body);
+  await bustCache("products");
+  return c.json({ ok: true }, 201);
+});
+```
+
+The `key` string is the shared contract — `cacheResponse` stores under it, `bustCache` deletes it. Responses include an `x-cache: HIT` or `x-cache: MISS` header.
+
+### Choosing a cache store
+
+Pass `store` to select where the response is cached. Defaults to `"redis"`.
+
+```ts
+// Redis (default)
+cacheResponse({ key: "products", ttl: 60 })
+
+// MongoDB — uses appConnection, stores in the `cache_entries` collection
+// TTL is handled natively via a MongoDB expiry index on the expiresAt field
+cacheResponse({ key: "products", ttl: 300, store: "mongo" })
+
+// SQLite — uses the same .db file as sqliteAuthAdapter; requires setSqliteDb or sqliteDb config
+cacheResponse({ key: "products", ttl: 60, store: "sqlite" })
+
+// Memory — in-process Map, ephemeral (cleared on restart), no external dependencies
+cacheResponse({ key: "products", ttl: 60, store: "memory" })
+```
+
+Use SQLite when running without Redis or MongoDB. Use MongoDB when you want cache entries co-located with your app data. Use Redis for lower-latency hot caches. Use Memory for tests or single-process apps where persistence isn't needed.
+
+**Connection requirements:** The chosen store must be initialized when the route is first hit. If `store: "sqlite"` is used but `setSqliteDb` has not been called (e.g. `sqliteDb` was not passed to `createServer`), the middleware throws a clear error on the first request. The same applies to the other stores.
+
+### Busting cached entries
+
+`bustCache` always attempts all four stores (Redis, Mongo, SQLite, Memory), skipping any that aren't connected. This means it works correctly regardless of which `store` option your routes use, and is safe to call in apps that don't use all stores:
+
+```ts
+await bustCache("products"); // hits whichever stores are connected
+```
+
+### Per-user caching
+
+The `key` function receives the full Hono context, so you can scope cache entries to the authenticated user:
+
+```ts
+router.use("/feed", userAuth, cacheResponse({
+  ttl: 60,
+  key: (c) => `feed:${c.get("authUserId")}`,
+}));
+```
+
+`authUserId` is populated by `identify`, which always runs before route middleware, so it's safe to use here.
+
+### Per-resource caching
+
+For routes with dynamic segments, use the function form of `key`. Produce the same string in `bustCache`:
+
+```ts
+// GET /products/:id
+router.use("/products/:id", cacheResponse({
+  ttl: 60,
+  key: (c) => `product:${c.req.param("id")}`,
+}));
+
+router.get("/products/:id", async (c) => {
+  const item = await Product.findById(c.req.param("id"));
+  return c.json(item);
+});
+
+// PUT /products/:id
+router.put("/products/:id", userAuth, async (c) => {
+  const id = c.req.param("id");
+  await Product.findByIdAndUpdate(id, await c.req.json());
+  await bustCache(`product:${id}`);
+  return c.json({ ok: true });
+});
+```
+
+Only 2xx responses are cached. Non-2xx responses pass through uncached. Omit `ttl` to cache indefinitely — the entry will persist until explicitly busted with `bustCache`.
+
+### Busting by pattern
+
+When cache keys include variable parts (e.g. query params), use `bustCachePattern` to invalidate an entire logical group at once. It runs against all four stores — Redis (via SCAN), Mongo (via regex), SQLite (via LIKE), and Memory (via regex) — in parallel:
+
+```ts
+import { bustCachePattern } from "@lastshotlabs/bunshot";
+
+// key includes query params: `balance:${userId}:${from}:${to}:${groupBy}`
+// bust all balance entries for this user regardless of params
+await bustCachePattern(`balance:${userId}:*`);
+```
+
+The `*` wildcard is translated to a Redis glob, a Mongo/Memory regex, and a SQLite LIKE pattern automatically. Like `bustCache`, it silently skips any store that isn't connected, so it's safe to call in apps that only use one store.

package/docs/sections/response-caching/overview.md

@@ -0,0 +1,13 @@
+## Response Caching
+
+Cache GET responses with `cacheResponse({ ttl, key })` and bust them with `bustCache(key)`. Supports Redis, MongoDB, SQLite, and memory stores. Cache keys are auto-namespaced by app name and tenant (when multi-tenancy is active).
+
+```ts
+import { cacheResponse, bustCache } from "@lastshotlabs/bunshot";
+
+router.use("/products", cacheResponse({ ttl: 60, key: "products" }));
+// ...
+await bustCache("products"); // hits all connected stores
+```
+
+Supports per-user caching via `key: (c) => ...`, per-resource caching, and wildcard invalidation via `bustCachePattern("products:*")`.

package/docs/sections/roles/full.md

@@ -0,0 +1,136 @@
+## Roles
+
+### Setup
+
+Declare the valid roles for your app in `createServer` / `createApp`:
+
+```ts
+await createServer({
+  auth: {
+    roles: ["admin", "editor", "user"],
+    defaultRole: "user",  // automatically assigned on /auth/register
+  },
+  // ...
+});
+```
+
+`roles` makes the list available anywhere via `getAppRoles()`. `defaultRole` is assigned to every new user that registers via `POST /auth/register` — no extra code needed.
+
+### Assigning roles to a user
+
+Three helpers are available depending on what you need:
+
+| Helper | Behaviour |
+|---|---|
+| `setUserRoles(userId, roles)` | Replace all roles — pass the full desired set |
+| `addUserRole(userId, role)` | Add a single role, leaving others unchanged |
+| `removeUserRole(userId, role)` | Remove a single role, leaving others unchanged |
+
+```ts
+import { setUserRoles, addUserRole, removeUserRole, userAuth, requireRole } from "@lastshotlabs/bunshot";
+
+// promote a user to admin
+router.post("/admin/users/:id/promote", userAuth, requireRole("admin"), async (c) => {
+  await addUserRole(c.req.param("id"), "admin");
+  return c.json({ ok: true });
+});
+
+// revoke a role
+router.post("/admin/users/:id/demote", userAuth, requireRole("admin"), async (c) => {
+  await removeUserRole(c.req.param("id"), "admin");
+  return c.json({ ok: true });
+});
+
+// replace all roles at once
+router.put("/admin/users/:id/roles", userAuth, requireRole("admin"), async (c) => {
+  const { roles } = await c.req.json();
+  await setUserRoles(c.req.param("id"), roles);
+  return c.json({ ok: true });
+});
+```
+
+### Protecting routes by role
+
+`requireRole` is a middleware factory. It lazy-fetches roles on the first role-checked request and caches them on the Hono context, so multiple `requireRole` calls in a middleware chain only hit the DB once.
+
+```ts
+import { userAuth, requireRole } from "@lastshotlabs/bunshot";
+
+router.use("/admin", userAuth, requireRole("admin"));
+router.use("/content", userAuth, requireRole("admin", "editor")); // allow either role
+```
+
+| Scenario | Response |
+|---|---|
+| No session | `401 Unauthorized` |
+| Authenticated, wrong role | `403 Forbidden` |
+| Authenticated, correct role | passes through |
+
+### Custom adapter with roles
+
+If you're using a custom `authAdapter`, implement the role methods to back role operations with your own store:
+
+| Method | Required for |
+|---|---|
+| `getRoles(userId)` | `requireRole` middleware |
+| `setRoles(userId, roles)` | `defaultRole` assignment on registration, full replace |
+| `addRole(userId, role)` | Granular role addition |
+| `removeRole(userId, role)` | Granular role removal |
+
+All are optional — only implement what your app uses. `setRoles` is **required** if you configure `defaultRole` (the app will throw at startup if this combination is misconfigured). The exported helpers `setUserRoles`, `addUserRole`, and `removeUserRole` route through your adapter, so they work regardless of which store you use.
+
+```ts
+const myAdapter: AuthAdapter = {
+  findByEmail: ...,
+  create: ...,
+  async getRoles(userId) {
+    const user = await db.query.users.findFirst({ where: eq(users.id, userId) });
+    return user?.roles ?? [];
+  },
+  async setRoles(userId, roles) {
+    await db.update(users).set({ roles }).where(eq(users.id, userId));
+  },
+  async addRole(userId, role) {
+    const user = await db.query.users.findFirst({ where: eq(users.id, userId) });
+    if (user && !user.roles.includes(role)) {
+      await db.update(users).set({ roles: [...user.roles, role] }).where(eq(users.id, userId));
+    }
+  },
+  async removeRole(userId, role) {
+    const user = await db.query.users.findFirst({ where: eq(users.id, userId) });
+    if (user) {
+      await db.update(users).set({ roles: user.roles.filter((r: string) => r !== role) }).where(eq(users.id, userId));
+    }
+  },
+};
+```
+
+### Tenant-scoped roles
+
+When multi-tenancy is enabled (see below), `requireRole` automatically checks **tenant-scoped roles** instead of app-wide roles when a `tenantId` is present in the request context.
+
+```ts
+// Assign a tenant-scoped role
+import { addTenantRole, setTenantRoles, removeTenantRole, getTenantRoles } from "@lastshotlabs/bunshot";
+
+await addTenantRole(userId, "acme", "admin");
+await setTenantRoles(userId, "acme", ["admin", "editor"]);
+await removeTenantRole(userId, "acme", "editor");
+const roles = await getTenantRoles(userId, "acme"); // ["admin"]
+```
+
+`requireRole("admin")` checks tenant-scoped roles when `tenantId` is in context, and falls back to app-wide roles when there is no tenant context. Use `requireRole.global("superadmin")` to always check app-wide roles regardless of tenant.
+
+```ts
+router.use("/tenant-admin", userAuth, requireRole("admin"));           // checks tenant roles when in tenant context
+router.use("/super-admin", userAuth, requireRole.global("superadmin")); // always checks app-wide roles
+```
+
+If you're using a custom `authAdapter`, implement the tenant role methods:
+
+| Method | Purpose |
+|---|---|
+| `getTenantRoles(userId, tenantId)` | Required for tenant-scoped `requireRole` |
+| `setTenantRoles(userId, tenantId, roles)` | Full replace |
+| `addTenantRole(userId, tenantId, role)` | Granular addition |
+| `removeTenantRole(userId, tenantId, role)` | Granular removal |

package/docs/sections/roles/overview.md

@@ -0,0 +1,12 @@
+## Roles
+
+Declare roles in `createServer({ auth: { roles: ["admin", "editor", "user"], defaultRole: "user" } })`. The default role is auto-assigned on registration.
+
+```ts
+import { userAuth, requireRole, addUserRole } from "@lastshotlabs/bunshot";
+
+router.use("/admin", userAuth, requireRole("admin"));
+await addUserRole(userId, "admin"); // also: setUserRoles, removeUserRole
+```
+
+Tenant-scoped roles are supported when multi-tenancy is enabled — `requireRole` checks tenant roles when `tenantId` is in context, falls back to app-wide roles otherwise. Use `requireRole.global("superadmin")` to always check app-wide roles.

package/docs/sections/running-without-redis/full.md

@@ -0,0 +1,16 @@
+## Running without Redis
+
+Set `db.redis: false` and `db.sessions: "mongo"` to run the entire auth flow on MongoDB only. Sessions, OAuth state, and response caching (when `store: "mongo"`) all work without Redis. The only feature that still requires Redis is BullMQ queues.
+
+```ts
+await createServer({
+  db: {
+    mongo: "single",
+    redis: false,
+    sessions: "mongo",   // sessions + OAuth state → MongoDB
+    cache: "mongo",      // or omit cacheResponse entirely if not using it
+  },
+});
+```
+
+Redis key namespacing: when Redis is used, all keys are prefixed with `appName` (`session:{appName}:{sessionId}`, `usersessions:{appName}:{userId}`, `oauth:{appName}:state:{state}`, `cache:{appName}:{key}`) so multiple apps sharing one Redis instance never collide.

package/docs/sections/running-without-redis-or-mongodb/full.md

@@ -0,0 +1,60 @@
+## Running without Redis or MongoDB
+
+Two lightweight options for local dev, tests, or small projects with no external services:
+
+### SQLite — persisted to disk
+
+Uses `bun:sqlite` (built into Bun, zero npm deps). A single `.db` file holds all users, sessions, OAuth state, and cache.
+
+```ts
+await createServer({
+  routesDir: import.meta.dir + "/routes",
+  app: { name: "My App", version: "1.0.0" },
+  db: {
+    auth: "sqlite",
+    sqlite: import.meta.dir + "/../data.db",  // created automatically on first run
+    mongo: false,
+    redis: false,
+    sessions: "sqlite",
+    cache: "sqlite",
+  },
+});
+```
+
+#### Optional: periodic cleanup of expired rows
+
+Expired rows are filtered out lazily on read. For long-running servers, sweep them periodically:
+
+```ts
+import { startSqliteCleanup } from "@lastshotlabs/bunshot";
+
+startSqliteCleanup();           // default: every hour
+startSqliteCleanup(5 * 60_000); // custom interval (ms)
+```
+
+### Memory — ephemeral, great for tests
+
+Pure in-memory Maps. No files, no external services. All state is lost on process restart.
+
+```ts
+import { createServer, clearMemoryStore } from "@lastshotlabs/bunshot";
+
+await createServer({
+  routesDir: import.meta.dir + "/routes",
+  app: { name: "My App", version: "1.0.0" },
+  db: {
+    auth: "memory",
+    mongo: false,
+    redis: false,
+    sessions: "memory",
+    cache: "memory",
+  },
+});
+
+// In tests — reset all state between test cases:
+clearMemoryStore();
+```
+
+### Limitations (both sqlite and memory)
+
+- BullMQ queues still require Redis

package/docs/sections/stack/full.md

@@ -0,0 +1,10 @@
+## Stack
+
+- **Runtime**: [Bun](https://bun.sh)
+- **Framework**: [Hono](https://hono.dev) + [@hono/zod-openapi](https://github.com/honojs/middleware/tree/main/packages/zod-openapi)
+- **Docs UI**: [Scalar](https://scalar.com)
+- **Data / Auth**: MongoDB, SQLite, or in-memory — configurable via `db.auth` (default: MongoDB via [Mongoose](https://mongoosejs.com))
+- **Cache / Sessions**: Redis, MongoDB, SQLite, or in-memory — configurable via `db.sessions` / `db.cache` (default: Redis via [ioredis](https://github.com/redis/ioredis))
+- **Auth**: JWT via [jose](https://github.com/panva/jose), HttpOnly cookies + `x-user-token` header
+- **Queues**: [BullMQ](https://docs.bullmq.io) (requires Redis with `noeviction` policy)
+- **Validation**: [Zod v4](https://zod.dev)

package/docs/sections/websocket/full.md

@@ -0,0 +1,100 @@
+## WebSocket
+
+The `/ws` endpoint is mounted automatically by `createServer`. No extra setup needed.
+
+### Default behaviour
+
+| What | Default |
+|---|---|
+| Upgrade / auth | Reads `auth-token` cookie → verifies JWT → checks session → sets `ws.data.userId` |
+| `open` | Logs connection, sends `{ event: "connected", id }` |
+| `message` | Handles room actions (see below), echoes everything else |
+| `close` | Clears `ws.data.rooms`, logs disconnection |
+
+### Socket data (`SocketData`)
+
+`SocketData` is generic — pass a type parameter to add your own fields:
+
+```ts
+type SocketData<T extends object = object> = {
+  id: string;            // unique connection ID (UUID)
+  userId: string | null; // null if unauthenticated
+  rooms: Set<string>;    // rooms this socket is subscribed to
+} & T;
+```
+
+**Extending with custom fields:**
+
+```ts
+import { createServer, type SocketData } from "@lastshotlabs/bunshot";
+
+type MyData = { tenantId: string; role: "admin" | "user" };
+
+await createServer<MyData>({
+  ws: {
+    upgradeHandler: async (req, server) => {
+      const tenantId = req.headers.get("x-tenant-id") ?? "default";
+      const upgraded = server.upgrade(req, {
+        data: { id: crypto.randomUUID(), userId: null, rooms: new Set(), tenantId, role: "user" },
+      });
+      return upgraded ? undefined : Response.json({ error: "Upgrade failed" }, { status: 400 });
+    },
+    handler: {
+      open(ws) {
+        // ws.data.tenantId and ws.data.role are fully typed
+        console.log(ws.data.tenantId, ws.data.role);
+      },
+    },
+    onRoomSubscribe(ws, room) {
+      return ws.data.role === "admin" || !room.startsWith("admin:");
+    },
+  },
+});
+```
+
+With no type parameter, `SocketData` defaults to `{ id, userId, rooms }` — the base shape used by the default upgrade handler.
+
+### Overriding the message handler
+
+Pass `ws.handler` to `createServer` to replace the default echo. Room action handling always runs first — your handler only receives non-room messages:
+
+```ts
+await createServer({
+  ws: {
+    handler: {
+      open(ws) {
+        ws.send(JSON.stringify({ event: "connected", id: ws.data.id }));
+      },
+      message(ws, message) {
+        // room subscribe/unsubscribe already handled — put your logic here
+        const parsed = JSON.parse(message as string);
+        if (parsed.action === "ping") ws.send(JSON.stringify({ event: "pong" }));
+      },
+      close(ws, code, reason) {
+        // ws.data.rooms already cleared
+      },
+    },
+  },
+});
+```
+
+You can supply any subset of `open`, `message`, `close`, `drain` — unset handlers fall back to the defaults.
+
+### Overriding the upgrade / auth handler
+
+Replace the default cookie-JWT handshake entirely via `ws.upgradeHandler`. You must call `server.upgrade()` yourself and include `rooms: new Set()` in data:
+
+```ts
+await createServer({
+  ws: {
+    upgradeHandler: async (req, server) => {
+      const token = req.headers.get("x-my-token");
+      const userId = token ? await verifyMyToken(token) : null;
+      const upgraded = server.upgrade(req, {
+        data: { id: crypto.randomUUID(), userId, rooms: new Set() },
+      });
+      return upgraded ? undefined : Response.json({ error: "Upgrade failed" }, { status: 400 });
+    },
+  },
+});
+```

package/docs/sections/websocket/overview.md

@@ -0,0 +1,5 @@
+## WebSocket
+
+The `/ws` endpoint is mounted automatically by `createServer`. Default behavior: cookie-JWT auth on upgrade, room action handling, and echo for other messages.
+
+`SocketData` carries `id`, `userId`, and `rooms` per connection. Pass a type parameter to `createServer<T>` to extend with custom fields. Override `ws.handler` (open/message/close) and `ws.upgradeHandler` for custom behavior.

package/docs/sections/websocket-rooms/full.md

@@ -0,0 +1,97 @@
+## WebSocket Rooms / Channels
+
+Rooms are built on Bun's native pub/sub. `createServer` always intercepts room action messages first via `handleRoomActions` — so room subscribe/unsubscribe works regardless of whether you provide a custom `websocket.message`.
+
+### WS utilities
+
+| Export | Description |
+|---|---|
+| `publish(room, data)` | Broadcast `data` to all sockets subscribed to `room` |
+| `subscribe(ws, room)` | Subscribe a socket to a room and track it in `ws.data.rooms` |
+| `unsubscribe(ws, room)` | Unsubscribe a socket from a room |
+| `getSubscriptions(ws)` | Returns `string[]` of rooms the socket is currently in |
+| `getRooms()` | Returns `string[]` of all rooms with at least one active subscriber |
+| `getRoomSubscribers(room)` | Returns `string[]` of socket IDs currently subscribed to `room` |
+| `handleRoomActions(ws, message, onSubscribe?)` | Parses and dispatches subscribe/unsubscribe actions. Returns `true` if the message was a room action (consumed), `false` otherwise. Pass an optional async guard as the third argument. |
+
+### Client → server: join or leave a room
+
+Send a JSON message with `action: "subscribe"` or `action: "unsubscribe"`:
+
+```ts
+ws.send(JSON.stringify({ action: "subscribe",   room: "chat:general" }));
+ws.send(JSON.stringify({ action: "unsubscribe", room: "chat:general" }));
+```
+
+Server responses:
+
+| Event | Meaning |
+|---|---|
+| `{ event: "subscribed", room }` | Successfully joined |
+| `{ event: "unsubscribed", room }` | Successfully left |
+| `{ event: "subscribe_denied", room }` | Blocked by `onRoomSubscribe` guard |
+
+Any non-room message is passed through to your `websocket.message` handler unchanged.
+
+### Server → room: broadcast
+
+```ts
+import { publish } from "@lastshotlabs/bunshot";
+
+publish("chat:general", { text: "Hello room!", from: "system" });
+```
+
+All sockets subscribed to `"chat:general"` receive the message. Works from anywhere — routes, workers, anywhere after `createServer` resolves.
+
+### Server-side: manage subscriptions in code
+
+Use `subscribe` / `unsubscribe` anywhere you have a `ws` reference (e.g. in `ws.handler.open` to auto-join personal rooms):
+
+```ts
+import { subscribe, unsubscribe, getSubscriptions } from "@lastshotlabs/bunshot";
+
+await createServer({
+  ws: {
+    handler: {
+      open(ws) {
+        // auto-subscribe authenticated users to their personal room
+        if (ws.data.userId) subscribe(ws, `user:${ws.data.userId}`);
+      },
+      message(ws, message) {
+        // handleRoomActions already ran — only non-room messages reach here
+        const rooms = getSubscriptions(ws); // current room list
+      },
+      close(ws) {
+        // ws.data.rooms is cleared automatically — no cleanup needed
+      },
+    },
+  },
+});
+```
+
+### Room permission guard
+
+Pass `ws.onRoomSubscribe` to `createServer` to gate which rooms a socket can join. Return `true` to allow, `false` to deny. Uses `ws.data.userId` for auth-based checks. Can be async.
+
+```ts
+await createServer({
+  ws: {
+    onRoomSubscribe(ws, room) {
+      if (!ws.data.userId) return false;                              // must be logged in
+      if (room.startsWith("admin:")) return isAdmin(ws.data.userId); // role check
+      if (room.startsWith("user:")) return room === `user:${ws.data.userId}`; // ownership
+      return true;
+    },
+  },
+});
+
+// async guard — query DB or cache
+await createServer({
+  ws: {
+    onRoomSubscribe: async (ws, room) => {
+      const ok = await db.roomMembers.findOne({ room, userId: ws.data.userId });
+      return !!ok;
+    },
+  },
+});
+```

package/docs/sections/websocket-rooms/overview.md

@@ -0,0 +1,5 @@
+## WebSocket Rooms / Channels
+
+Rooms are built on Bun's native pub/sub. Clients send `{ action: "subscribe", room: "chat:general" }` to join; servers broadcast via `publish("chat:general", data)`.
+
+Utilities: `publish`, `subscribe`, `unsubscribe`, `getSubscriptions`, `getRooms`, `getRoomSubscribers`. Gate room access with `ws.onRoomSubscribe` (sync or async guard).

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@lastshotlabs/bunshot",
-  "version": "0.0.13",
+  "version": "0.0.16",
   "description": "Batteries-included Bun + Hono API framework — auth, sessions, rate limiting, WebSocket, queues, and OpenAPI docs out of the box",
   "repository": {
     "type": "git",
@@ -34,20 +34,24 @@
     "./queue": {
       "import": "./dist/entrypoints/queue.js",
       "types": "./dist/entrypoints/queue.d.ts"
-    }
+    },
+    "./docs/*": "./docs/sections/*"
   },
   "bin": {
     "bunshot": "./dist/cli.js"
   },
   "files": [
-    "dist"
+    "dist",
+    "docs/sections"
   ],
   "scripts": {
     "build": "tsc -p tsconfig.build.json && tsc-alias -p tsconfig.build.json && bun build src/cli.ts --outdir dist --minify --target bun",
     "prepublishOnly": "bun run build",
     "release": "npm version patch && npm publish",
     "dev": "bun --watch src/index.ts",
-    "start": "bun src/index.ts"
+    "start": "bun src/index.ts",
+    "readme": "bun docs/build-readme.ts",
+    "readme:npm": "bun docs/build-readme.ts npm"
   },
   "dependencies": {
     "@hono/zod-openapi": "1.2.2",
@@ -60,7 +64,8 @@
     "zod": ">=4.0 <5",
     "mongoose": ">=9.0 <10",
     "ioredis": ">=5.0 <6",
-    "bullmq": ">=5.0 <6"
+    "bullmq": ">=5.0 <6",
+    "otpauth": ">=9.0 <10"
   },
   "peerDependenciesMeta": {
     "mongoose": {
@@ -71,17 +76,21 @@
     },
     "bullmq": {
       "optional": true
+    },
+    "otpauth": {
+      "optional": true
     }
   },
   "devDependencies": {
     "@types/bun": "1.3.10",
-    "tsc-alias": "^1.8.16",
-    "typescript": "^5.9.3",
+    "bullmq": "^5.70.4",
     "hono": ">=4.12",
-    "zod": ">=4.0",
-    "mongoose": "9.2.4",
     "ioredis": "5.10.0",
-    "bullmq": "^5.70.4"
+    "mongoose": "9.2.4",
+    "otpauth": "^9.5.0",
+    "tsc-alias": "^1.8.16",
+    "typescript": "^5.9.3",
+    "zod": ">=4.0"
   },
   "publishConfig": {
     "access": "public"