@lastshotlabs/bunshot 0.0.13 → 0.0.16

package/dist/entrypoints/queue.js

@@ -1 +1 @@
-export { createQueue, createWorker } from "../lib/queue";
+export { createQueue, createWorker, createCronWorker, cleanupStaleSchedulers, getRegisteredCronNames, createDLQHandler } from "../lib/queue";

package/dist/index.d.ts

@@ -1,21 +1,27 @@
 export { createApp } from "./app";
 export { createServer } from "./server";
-export type { CreateAppConfig, ModelSchemasConfig, DbConfig, AppMeta, AuthConfig, AuthRateLimitConfig, OAuthConfig, SecurityConfig, BotProtectionConfig, PrimaryField, EmailVerificationConfig, PasswordResetConfig } from "./app";
+export type { CreateAppConfig, ModelSchemasConfig, DbConfig, AppMeta, AuthConfig, AuthRateLimitConfig, AccountDeletionConfig, OAuthConfig, SecurityConfig, BotProtectionConfig, PrimaryField, EmailVerificationConfig, PasswordResetConfig, RefreshTokenConfig, MfaConfig, MfaEmailOtpConfig, JobsConfig, TenancyConfig, TenantConfig } from "./app";
 export type { CreateServerConfig, WsConfig } from "./server";
 export { appConnection, authConnection, mongoose, connectMongo, connectAuthMongo, connectAppMongo, disconnectMongo } from "./lib/mongo";
 export { connectRedis, disconnectRedis, getRedis } from "./lib/redis";
 export { getAppRoles } from "./lib/appConfig";
 export { HttpError } from "./lib/HttpError";
-export { COOKIE_TOKEN, HEADER_USER_TOKEN } from "./lib/constants";
+export { COOKIE_TOKEN, HEADER_USER_TOKEN, COOKIE_REFRESH_TOKEN, HEADER_REFRESH_TOKEN } from "./lib/constants";
 export { createRouter } from "./lib/context";
 export { createRoute, withSecurity, registerSchema, registerSchemas } from "./lib/createRoute";
+export { zodToMongoose } from "./lib/zodToMongoose";
+export type { ZodToMongooseConfig, ZodToMongooseRefConfig } from "./lib/zodToMongoose";
+export { createDtoMapper } from "./lib/createDtoMapper";
+export type { DtoMapperConfig } from "./lib/createDtoMapper";
 export type { AppEnv, AppVariables } from "./lib/context";
 export { signToken, verifyToken } from "./lib/jwt";
 export { log } from "./lib/logger";
 export { createResetToken, consumeResetToken, setPasswordResetStore } from "./lib/resetPassword";
-export { createSession, getSession, deleteSession, getUserSessions, getActiveSessionCount, evictOldestSession, updateSessionLastActive, setSessionStore } from "./lib/session";
-export type { SessionMetadata, SessionInfo } from "./lib/session";
+export { createSession, getSession, deleteSession, getUserSessions, getActiveSessionCount, evictOldestSession, updateSessionLastActive, setSessionStore, deleteUserSessions, setRefreshToken, getSessionByRefreshToken, rotateRefreshToken } from "./lib/session";
+export type { SessionMetadata, SessionInfo, RefreshResult } from "./lib/session";
 export { createVerificationToken, getVerificationToken, deleteVerificationToken } from "./lib/emailVerification";
+export { createMfaChallenge, consumeMfaChallenge, replaceMfaChallengeOtp, setMfaChallengeStore } from "./lib/mfaChallenge";
+export type { MfaChallengeData } from "./lib/mfaChallenge";
 export { bustAuthLimit, trackAttempt, isLimited } from "./lib/authRateLimit";
 export type { LimitOpts } from "./lib/authRateLimit";
 export { validate } from "./lib/validate";
@@ -32,9 +38,12 @@ export { cacheResponse, bustCache, bustCachePattern, setCacheStore } from "./mid
 export { buildFingerprint } from "./lib/fingerprint";
 export { sqliteAuthAdapter, setSqliteDb, startSqliteCleanup } from "./adapters/sqliteAuth";
 export { memoryAuthAdapter, clearMemoryStore } from "./adapters/memoryAuth";
-export { setUserRoles, addUserRole, removeUserRole } from "./lib/roles";
+export { setUserRoles, addUserRole, removeUserRole, getTenantRoles, setTenantRoles, addTenantRole, removeTenantRole } from "./lib/roles";
 export type { AuthAdapter, OAuthProfile } from "./lib/authAdapter";
 export type { OAuthProviderConfig } from "./lib/oauth";
 export { websocket, createWsUpgradeHandler } from "./ws/index";
 export type { SocketData } from "./ws/index";
 export { publish, subscribe, unsubscribe, getSubscriptions, handleRoomActions, getRooms, getRoomSubscribers } from "./lib/ws";
+export { createTenant, deleteTenant, getTenant, listTenants } from "./lib/tenant";
+export type { TenantInfo, CreateTenantOptions } from "./lib/tenant";
+export { invalidateTenantCache } from "./middleware/tenant";

package/dist/index.js

@@ -7,14 +7,17 @@ export { connectRedis, disconnectRedis, getRedis } from "./lib/redis";
 // Lib utilities
 export { getAppRoles } from "./lib/appConfig";
 export { HttpError } from "./lib/HttpError";
-export { COOKIE_TOKEN, HEADER_USER_TOKEN } from "./lib/constants";
+export { COOKIE_TOKEN, HEADER_USER_TOKEN, COOKIE_REFRESH_TOKEN, HEADER_REFRESH_TOKEN } from "./lib/constants";
 export { createRouter } from "./lib/context";
 export { createRoute, withSecurity, registerSchema, registerSchemas } from "./lib/createRoute";
+export { zodToMongoose } from "./lib/zodToMongoose";
+export { createDtoMapper } from "./lib/createDtoMapper";
 export { signToken, verifyToken } from "./lib/jwt";
 export { log } from "./lib/logger";
 export { createResetToken, consumeResetToken, setPasswordResetStore } from "./lib/resetPassword";
-export { createSession, getSession, deleteSession, getUserSessions, getActiveSessionCount, evictOldestSession, updateSessionLastActive, setSessionStore } from "./lib/session";
+export { createSession, getSession, deleteSession, getUserSessions, getActiveSessionCount, evictOldestSession, updateSessionLastActive, setSessionStore, deleteUserSessions, setRefreshToken, getSessionByRefreshToken, rotateRefreshToken } from "./lib/session";
 export { createVerificationToken, getVerificationToken, deleteVerificationToken } from "./lib/emailVerification";
+export { createMfaChallenge, consumeMfaChallenge, replaceMfaChallengeOtp, setMfaChallengeStore } from "./lib/mfaChallenge";
 export { bustAuthLimit, trackAttempt, isLimited } from "./lib/authRateLimit";
 export { validate } from "./lib/validate";
 // Middleware
@@ -31,7 +34,10 @@ export { buildFingerprint } from "./lib/fingerprint";
 // Models
 export { sqliteAuthAdapter, setSqliteDb, startSqliteCleanup } from "./adapters/sqliteAuth";
 export { memoryAuthAdapter, clearMemoryStore } from "./adapters/memoryAuth";
-export { setUserRoles, addUserRole, removeUserRole } from "./lib/roles";
+export { setUserRoles, addUserRole, removeUserRole, getTenantRoles, setTenantRoles, addTenantRole, removeTenantRole } from "./lib/roles";
 // WebSocket
 export { websocket, createWsUpgradeHandler } from "./ws/index";
 export { publish, subscribe, unsubscribe, getSubscriptions, handleRoomActions, getRooms, getRoomSubscribers } from "./lib/ws";
+// Tenancy
+export { createTenant, deleteTenant, getTenant, listTenants } from "./lib/tenant";
+export { invalidateTenantCache } from "./middleware/tenant";

package/dist/lib/appConfig.d.ts

@@ -35,3 +35,49 @@ export declare const setIncludeInactiveSessions: (v: boolean) => void;
 export declare const getIncludeInactiveSessions: () => boolean;
 export declare const setTrackLastActive: (v: boolean) => void;
 export declare const getTrackLastActive: () => boolean;
+export interface RefreshTokenConfig {
+    /** Access token expiry in seconds. Default: 900 (15 min). */
+    accessTokenExpiry?: number;
+    /** Refresh token expiry in seconds. Default: 2_592_000 (30 days). */
+    refreshTokenExpiry?: number;
+    /** Grace window in seconds where the old refresh token still works after rotation.
+     *  Prevents lockout when the client's network drops mid-refresh. Default: 30. */
+    rotationGraceSeconds?: number;
+}
+export declare const setRefreshTokenConfig: (config: RefreshTokenConfig | null) => void;
+export declare const getRefreshTokenConfig: () => RefreshTokenConfig | null;
+export declare const getAccessTokenExpiry: () => number;
+export declare const getRefreshTokenExpiry: () => number;
+export declare const getRotationGraceSeconds: () => number;
+export interface MfaEmailOtpConfig {
+    /** Called with the user's email and the OTP code. Use to send the email. */
+    onSend: (email: string, code: string) => Promise<void>;
+    /** OTP code length. Default: 6. */
+    codeLength?: number;
+}
+export interface MfaConfig {
+    /** Issuer name shown in authenticator apps. Defaults to app name. */
+    issuer?: string;
+    /** TOTP algorithm. Default: "SHA1" (most compatible). */
+    algorithm?: "SHA1" | "SHA256" | "SHA512";
+    /** TOTP digits. Default: 6. */
+    digits?: number;
+    /** TOTP period in seconds. Default: 30. */
+    period?: number;
+    /** Number of recovery codes to generate. Default: 10. */
+    recoveryCodes?: number;
+    /** MFA challenge window in seconds. Default: 300 (5 min). */
+    challengeTtlSeconds?: number;
+    /** Email OTP configuration. When set, enables email-based MFA as an option. */
+    emailOtp?: MfaEmailOtpConfig;
+}
+export declare const setMfaConfig: (config: MfaConfig | null) => void;
+export declare const getMfaConfig: () => MfaConfig | null;
+export declare const getMfaIssuer: () => string;
+export declare const getMfaAlgorithm: () => string;
+export declare const getMfaDigits: () => number;
+export declare const getMfaPeriod: () => number;
+export declare const getMfaRecoveryCodeCount: () => number;
+export declare const getMfaChallengeTtl: () => number;
+export declare const getMfaEmailOtpConfig: () => MfaEmailOtpConfig | null;
+export declare const getMfaEmailOtpCodeLength: () => number;

package/dist/lib/appConfig.js

@@ -35,3 +35,23 @@ export const setIncludeInactiveSessions = (v) => { _includeInactiveSessions = v;
 export const getIncludeInactiveSessions = () => _includeInactiveSessions;
 export const setTrackLastActive = (v) => { _trackLastActive = v; };
 export const getTrackLastActive = () => _trackLastActive;
+let _refreshTokenConfig = null;
+export const setRefreshTokenConfig = (config) => { _refreshTokenConfig = config; };
+export const getRefreshTokenConfig = () => _refreshTokenConfig;
+const DEFAULT_ACCESS_TOKEN_EXPIRY = 900; // 15 min
+const DEFAULT_REFRESH_TOKEN_EXPIRY = 2_592_000; // 30 days
+const DEFAULT_ROTATION_GRACE_SECONDS = 30;
+export const getAccessTokenExpiry = () => _refreshTokenConfig?.accessTokenExpiry ?? DEFAULT_ACCESS_TOKEN_EXPIRY;
+export const getRefreshTokenExpiry = () => _refreshTokenConfig?.refreshTokenExpiry ?? DEFAULT_REFRESH_TOKEN_EXPIRY;
+export const getRotationGraceSeconds = () => _refreshTokenConfig?.rotationGraceSeconds ?? DEFAULT_ROTATION_GRACE_SECONDS;
+let _mfaConfig = null;
+export const setMfaConfig = (config) => { _mfaConfig = config; };
+export const getMfaConfig = () => _mfaConfig;
+export const getMfaIssuer = () => _mfaConfig?.issuer ?? getAppName();
+export const getMfaAlgorithm = () => _mfaConfig?.algorithm ?? "SHA1";
+export const getMfaDigits = () => _mfaConfig?.digits ?? 6;
+export const getMfaPeriod = () => _mfaConfig?.period ?? 30;
+export const getMfaRecoveryCodeCount = () => _mfaConfig?.recoveryCodes ?? 10;
+export const getMfaChallengeTtl = () => _mfaConfig?.challengeTtlSeconds ?? 300;
+export const getMfaEmailOtpConfig = () => _mfaConfig?.emailOtp ?? null;
+export const getMfaEmailOtpCodeLength = () => _mfaConfig?.emailOtp?.codeLength ?? 6;

package/dist/lib/authAdapter.d.ts

@@ -48,6 +48,36 @@ export interface AuthAdapter {
     setEmailVerified?(userId: string, verified: boolean): Promise<void>;
     /** Optional. Return whether a user's email address has been verified. */
     getEmailVerified?(userId: string): Promise<boolean>;
+    /** Optional. Permanently delete a user account. Used by DELETE /auth/me. */
+    deleteUser?(userId: string): Promise<void>;
+    /** Optional. Check whether a user has a password set (credential account vs OAuth-only). */
+    hasPassword?(userId: string): Promise<boolean>;
+    /** Optional. Store the TOTP secret for MFA setup (encrypted or plaintext, adapter decides). */
+    setMfaSecret?(userId: string, secret: string | null): Promise<void>;
+    /** Optional. Retrieve the TOTP secret for MFA verification. */
+    getMfaSecret?(userId: string): Promise<string | null>;
+    /** Optional. Check whether MFA is enabled for a user. */
+    isMfaEnabled?(userId: string): Promise<boolean>;
+    /** Optional. Enable or disable MFA for a user. */
+    setMfaEnabled?(userId: string, enabled: boolean): Promise<void>;
+    /** Optional. Store hashed recovery codes for MFA. */
+    setRecoveryCodes?(userId: string, codes: string[]): Promise<void>;
+    /** Optional. Retrieve hashed recovery codes for MFA. */
+    getRecoveryCodes?(userId: string): Promise<string[]>;
+    /** Optional. Remove a single recovery code after use. */
+    removeRecoveryCode?(userId: string, code: string): Promise<void>;
+    /** Optional. Get the MFA methods enabled for a user (e.g., ["totp"], ["emailOtp"], ["totp", "emailOtp"]). */
+    getMfaMethods?(userId: string): Promise<string[]>;
+    /** Optional. Set the MFA methods enabled for a user. */
+    setMfaMethods?(userId: string, methods: string[]): Promise<void>;
+    /** Optional. Get roles for a user within a specific tenant. */
+    getTenantRoles?(userId: string, tenantId: string): Promise<string[]>;
+    /** Optional. Set roles for a user within a specific tenant (replaces existing). */
+    setTenantRoles?(userId: string, tenantId: string, roles: string[]): Promise<void>;
+    /** Optional. Add a single role to a user within a specific tenant. */
+    addTenantRole?(userId: string, tenantId: string, role: string): Promise<void>;
+    /** Optional. Remove a single role from a user within a specific tenant. */
+    removeTenantRole?(userId: string, tenantId: string, role: string): Promise<void>;
 }
 export declare const setAuthAdapter: (adapter: AuthAdapter) => void;
 export declare const getAuthAdapter: () => AuthAdapter;

package/dist/lib/constants.d.ts

@@ -1,2 +1,4 @@
 export declare const COOKIE_TOKEN = "token";
 export declare const HEADER_USER_TOKEN = "x-user-token";
+export declare const COOKIE_REFRESH_TOKEN = "refresh_token";
+export declare const HEADER_REFRESH_TOKEN = "x-refresh-token";

package/dist/lib/constants.js

@@ -1,2 +1,4 @@
 export const COOKIE_TOKEN = "token";
 export const HEADER_USER_TOKEN = "x-user-token";
+export const COOKIE_REFRESH_TOKEN = "refresh_token";
+export const HEADER_REFRESH_TOKEN = "x-refresh-token";

package/dist/lib/context.d.ts

@@ -3,6 +3,8 @@ export type AppVariables = {
     authUserId: string | null;
     roles: string[] | null;
     sessionId: string | null;
+    tenantId: string | null;
+    tenantConfig: Record<string, unknown> | null;
 };
 export type AppEnv = {
     Variables: AppVariables;

package/dist/lib/createDtoMapper.d.ts

@@ -0,0 +1,33 @@
+type ZodSchema = any;
+export type DtoMapperConfig = {
+    /** DB field name → API field name for ObjectId refs (e.g., { account: "accountId" }) */
+    refs?: Record<string, string>;
+    /** API field names that are Date in DB, string in DTO */
+    dates?: string[];
+    /** Subdocument array fields mapped with a sub-mapper: { items: itemMapper } */
+    subdocs?: Record<string, (item: any) => any>;
+};
+/**
+ * Create a toDto mapper function from a Zod schema.
+ *
+ * The Zod schema defines which fields exist in the DTO. The config declares
+ * how to transform DB-specific types (ObjectId refs, Dates, subdocuments).
+ *
+ * Handles automatically:
+ * - `_id` → `id` (toString)
+ * - ObjectId refs → string (toString), with field renaming via `refs`
+ * - Date fields → ISO string via `dates`
+ * - Subdocument arrays via `subdocs`
+ * - Nullable/optional fields → `null` coercion (from `undefined`)
+ * - All other fields → passthrough
+ *
+ * @example
+ * ```ts
+ * const toDto = createDtoMapper<LedgerItemDto>(LedgerItemSchema, {
+ *   refs: { account: "accountId" },
+ *   dates: ["date"],
+ * });
+ * ```
+ */
+export declare function createDtoMapper<TDto>(zodSchema: ZodSchema, config?: DtoMapperConfig): (doc: any) => TDto;
+export {};

package/dist/lib/createDtoMapper.js

@@ -0,0 +1,69 @@
+/** Check if a Zod type is nullable or optional */
+function isNullable(zodType) {
+    const defType = zodType?._zod?.def?.type;
+    if (defType === "nullable")
+        return true;
+    if (defType === "optional")
+        return true;
+    if (defType === "default")
+        return isNullable(zodType._zod.def.innerType);
+    return false;
+}
+/**
+ * Create a toDto mapper function from a Zod schema.
+ *
+ * The Zod schema defines which fields exist in the DTO. The config declares
+ * how to transform DB-specific types (ObjectId refs, Dates, subdocuments).
+ *
+ * Handles automatically:
+ * - `_id` → `id` (toString)
+ * - ObjectId refs → string (toString), with field renaming via `refs`
+ * - Date fields → ISO string via `dates`
+ * - Subdocument arrays via `subdocs`
+ * - Nullable/optional fields → `null` coercion (from `undefined`)
+ * - All other fields → passthrough
+ *
+ * @example
+ * ```ts
+ * const toDto = createDtoMapper<LedgerItemDto>(LedgerItemSchema, {
+ *   refs: { account: "accountId" },
+ *   dates: ["date"],
+ * });
+ * ```
+ */
+export function createDtoMapper(zodSchema, config = {}) {
+    const apiFields = Object.keys(zodSchema.shape);
+    const shape = zodSchema.shape;
+    // Build reverse lookup: apiField → dbField for refs
+    const refByApiField = new Map();
+    if (config.refs) {
+        for (const [dbField, apiField] of Object.entries(config.refs)) {
+            refByApiField.set(apiField, dbField);
+        }
+    }
+    const dateSet = new Set(config.dates ?? []);
+    // eslint-disable-next-line @typescript-eslint/no-explicit-any
+    return (doc) => {
+        const dto = {};
+        for (const field of apiFields) {
+            if (field === "id") {
+                dto.id = doc._id.toString();
+                continue;
+            }
+            if (refByApiField.has(field)) {
+                dto[field] = doc[refByApiField.get(field)].toString();
+                continue;
+            }
+            if (dateSet.has(field)) {
+                dto[field] = doc[field].toISOString();
+                continue;
+            }
+            if (config.subdocs?.[field]) {
+                dto[field] = (doc[field] ?? []).map(config.subdocs[field]);
+                continue;
+            }
+            dto[field] = isNullable(shape[field]) ? (doc[field] ?? null) : doc[field];
+        }
+        return dto;
+    };
+}

package/dist/lib/jwt.d.ts

@@ -1,2 +1,2 @@
-export declare const signToken: (userId: string, sessionId: string) => Promise<string>;
+export declare const signToken: (userId: string, sessionId: string, expirySeconds?: number) => Promise<string>;
 export declare const verifyToken: (token: string) => Promise<import("jose").JWTPayload>;

package/dist/lib/jwt.js

@@ -1,9 +1,9 @@
 import { SignJWT, jwtVerify } from "jose";
 const isProd = process.env.NODE_ENV === "production";
 const secret = new TextEncoder().encode(isProd ? process.env.JWT_SECRET_PROD : process.env.JWT_SECRET_DEV);
-export const signToken = async (userId, sessionId) => new SignJWT({ sub: userId, sid: sessionId })
+export const signToken = async (userId, sessionId, expirySeconds) => new SignJWT({ sub: userId, sid: sessionId })
     .setProtectedHeader({ alg: "HS256" })
-    .setExpirationTime("7d")
+    .setExpirationTime(expirySeconds ? `${expirySeconds}s` : "7d")
     .sign(secret);
 export const verifyToken = async (token) => {
     const { payload } = await jwtVerify(token, secret);

package/dist/lib/mfaChallenge.d.ts

@@ -0,0 +1,20 @@
+export interface MfaChallengeData {
+    userId: string;
+    emailOtpHash?: string;
+}
+/** Must be called when store is "sqlite" to inject the db instance. */
+export declare const setMfaChallengeSqliteDb: (db: any) => void;
+type MfaChallengeStore = "redis" | "mongo" | "sqlite" | "memory";
+export declare const setMfaChallengeStore: (store: MfaChallengeStore) => void;
+export declare const createMfaChallenge: (userId: string, emailOtpHash?: string) => Promise<string>;
+export declare const consumeMfaChallenge: (token: string) => Promise<MfaChallengeData | null>;
+/**
+ * Replace the email OTP hash on an existing challenge without consuming it.
+ * Used for the resend flow. Increments resendCount and caps the challenge lifetime.
+ * Returns { userId, resendCount } on success, null if challenge not found/expired/max resends reached.
+ */
+export declare const replaceMfaChallengeOtp: (token: string, newEmailOtpHash: string) => Promise<{
+    userId: string;
+    resendCount: number;
+} | null>;
+export {};

package/dist/lib/mfaChallenge.js

@@ -0,0 +1,184 @@
+import { getRedis } from "./redis";
+import { appConnection, mongoose } from "./mongo";
+import { getAppName, getMfaChallengeTtl } from "./appConfig";
+const MAX_RESENDS = 3;
+function getMfaChallengeModel() {
+    if (appConnection.models["MfaChallenge"])
+        return appConnection.models["MfaChallenge"];
+    const { Schema } = mongoose;
+    const schema = new Schema({
+        token: { type: String, required: true, unique: true },
+        userId: { type: String, required: true },
+        emailOtpHash: { type: String },
+        createdAt: { type: Date, required: true },
+        resendCount: { type: Number, required: true, default: 0 },
+        expiresAt: { type: Date, required: true, index: { expireAfterSeconds: 0 } },
+    }, { collection: "mfa_challenges" });
+    return appConnection.model("MfaChallenge", schema);
+}
+// ---------------------------------------------------------------------------
+// In-memory store
+// ---------------------------------------------------------------------------
+const _memoryChallenges = new Map();
+// ---------------------------------------------------------------------------
+// SQLite store (reuses the existing SQLite DB instance)
+// ---------------------------------------------------------------------------
+let _sqliteDb = null;
+let _sqliteTableCreated = false;
+/** Must be called when store is "sqlite" to inject the db instance. */
+export const setMfaChallengeSqliteDb = (db) => { _sqliteDb = db; };
+function ensureSqliteMfaTable() {
+    if (_sqliteTableCreated || !_sqliteDb)
+        return;
+    _sqliteDb.run(`CREATE TABLE IF NOT EXISTS mfa_challenges (
+    token        TEXT PRIMARY KEY,
+    userId       TEXT NOT NULL,
+    emailOtpHash TEXT,
+    createdAt    INTEGER NOT NULL,
+    resendCount  INTEGER NOT NULL DEFAULT 0,
+    expiresAt    INTEGER NOT NULL
+  )`);
+    // Migrate pre-existing tables that lack the new columns
+    try {
+        _sqliteDb.run("ALTER TABLE mfa_challenges ADD COLUMN emailOtpHash TEXT");
+    }
+    catch { /* already exists */ }
+    try {
+        _sqliteDb.run("ALTER TABLE mfa_challenges ADD COLUMN createdAt INTEGER NOT NULL DEFAULT 0");
+    }
+    catch { /* already exists */ }
+    try {
+        _sqliteDb.run("ALTER TABLE mfa_challenges ADD COLUMN resendCount INTEGER NOT NULL DEFAULT 0");
+    }
+    catch { /* already exists */ }
+    _sqliteTableCreated = true;
+}
+let _store = "redis";
+export const setMfaChallengeStore = (store) => { _store = store; };
+// ---------------------------------------------------------------------------
+// Public API
+// ---------------------------------------------------------------------------
+export const createMfaChallenge = async (userId, emailOtpHash) => {
+    const token = crypto.randomUUID();
+    const ttl = getMfaChallengeTtl();
+    const now = Date.now();
+    if (_store === "memory") {
+        _memoryChallenges.set(token, { userId, emailOtpHash, createdAt: now, resendCount: 0, expiresAt: now + ttl * 1000 });
+        return token;
+    }
+    if (_store === "sqlite") {
+        ensureSqliteMfaTable();
+        _sqliteDb.run("INSERT INTO mfa_challenges (token, userId, emailOtpHash, createdAt, resendCount, expiresAt) VALUES (?, ?, ?, ?, 0, ?)", [token, userId, emailOtpHash ?? null, now, now + ttl * 1000]);
+        return token;
+    }
+    if (_store === "mongo") {
+        await getMfaChallengeModel().create({
+            token,
+            userId,
+            emailOtpHash,
+            createdAt: new Date(now),
+            resendCount: 0,
+            expiresAt: new Date(now + ttl * 1000),
+        });
+        return token;
+    }
+    // redis
+    await getRedis().set(`mfachallenge:${getAppName()}:${token}`, JSON.stringify({ userId, emailOtpHash, createdAt: now, resendCount: 0 }), "EX", ttl);
+    return token;
+};
+export const consumeMfaChallenge = async (token) => {
+    if (_store === "memory") {
+        const entry = _memoryChallenges.get(token);
+        if (!entry || entry.expiresAt <= Date.now()) {
+            _memoryChallenges.delete(token);
+            return null;
+        }
+        _memoryChallenges.delete(token);
+        return { userId: entry.userId, emailOtpHash: entry.emailOtpHash };
+    }
+    if (_store === "sqlite") {
+        ensureSqliteMfaTable();
+        const row = _sqliteDb.query("DELETE FROM mfa_challenges WHERE token = ? AND expiresAt > ? RETURNING userId, emailOtpHash").get(token, Date.now());
+        return row ? { userId: row.userId, emailOtpHash: row.emailOtpHash ?? undefined } : null;
+    }
+    if (_store === "mongo") {
+        const doc = await getMfaChallengeModel().findOneAndDelete({ token, expiresAt: { $gt: new Date() } });
+        return doc ? { userId: doc.userId, emailOtpHash: doc.emailOtpHash } : null;
+    }
+    // redis
+    const key = `mfachallenge:${getAppName()}:${token}`;
+    const raw = await getRedis().get(key);
+    if (!raw)
+        return null;
+    await getRedis().del(key);
+    const data = JSON.parse(raw);
+    return { userId: data.userId, emailOtpHash: data.emailOtpHash };
+};
+/**
+ * Replace the email OTP hash on an existing challenge without consuming it.
+ * Used for the resend flow. Increments resendCount and caps the challenge lifetime.
+ * Returns { userId, resendCount } on success, null if challenge not found/expired/max resends reached.
+ */
+export const replaceMfaChallengeOtp = async (token, newEmailOtpHash) => {
+    const ttl = getMfaChallengeTtl();
+    if (_store === "memory") {
+        const entry = _memoryChallenges.get(token);
+        if (!entry || entry.expiresAt <= Date.now()) {
+            _memoryChallenges.delete(token);
+            return null;
+        }
+        if (entry.resendCount >= MAX_RESENDS)
+            return null;
+        entry.emailOtpHash = newEmailOtpHash;
+        entry.resendCount++;
+        // Cap lifetime: min(now + ttl, createdAt + ttl * 3)
+        const maxExpiry = entry.createdAt + ttl * 3 * 1000;
+        entry.expiresAt = Math.min(Date.now() + ttl * 1000, maxExpiry);
+        return { userId: entry.userId, resendCount: entry.resendCount };
+    }
+    if (_store === "sqlite") {
+        ensureSqliteMfaTable();
+        const now = Date.now();
+        const existing = _sqliteDb.query("SELECT createdAt, resendCount FROM mfa_challenges WHERE token = ? AND expiresAt > ?").get(token, now);
+        if (!existing || existing.resendCount >= MAX_RESENDS)
+            return null;
+        const newExpiry = Math.min(now + ttl * 1000, existing.createdAt + ttl * 3 * 1000);
+        const newCount = existing.resendCount + 1;
+        const row = _sqliteDb.query("UPDATE mfa_challenges SET emailOtpHash = ?, resendCount = ?, expiresAt = ? WHERE token = ? RETURNING userId").get(newEmailOtpHash, newCount, newExpiry, token);
+        return row ? { userId: row.userId, resendCount: newCount } : null;
+    }
+    if (_store === "mongo") {
+        const now = new Date();
+        const doc = await getMfaChallengeModel().findOneAndUpdate({ token, expiresAt: { $gt: now }, resendCount: { $lt: MAX_RESENDS } }, [
+            {
+                $set: {
+                    emailOtpHash: newEmailOtpHash,
+                    resendCount: { $add: ["$resendCount", 1] },
+                    expiresAt: {
+                        $min: [
+                            new Date(Date.now() + ttl * 1000),
+                            { $add: ["$createdAt", ttl * 3 * 1000] },
+                        ],
+                    },
+                },
+            },
+        ], { new: true });
+        return doc ? { userId: doc.userId, resendCount: doc.resendCount } : null;
+    }
+    // redis
+    const key = `mfachallenge:${getAppName()}:${token}`;
+    const raw = await getRedis().get(key);
+    if (!raw)
+        return null;
+    const data = JSON.parse(raw);
+    if (data.resendCount >= MAX_RESENDS)
+        return null;
+    data.emailOtpHash = newEmailOtpHash;
+    data.resendCount++;
+    // Cap lifetime
+    const maxExpiry = data.createdAt + ttl * 3 * 1000;
+    const newExpiry = Math.min(Date.now() + ttl * 1000, maxExpiry);
+    const remainingTtl = Math.max(1, Math.ceil((newExpiry - Date.now()) / 1000));
+    await getRedis().set(key, JSON.stringify(data), "EX", remainingTtl);
+    return { userId: data.userId, resendCount: data.resendCount };
+};

package/dist/lib/queue.d.ts

@@ -1,4 +1,37 @@
 import type { Queue as QueueType, Worker as WorkerType, Processor, QueueOptions, WorkerOptions, Job } from "bullmq";
 export declare const createQueue: <T = unknown, R = unknown>(name: string, options?: Omit<QueueOptions, "connection">) => QueueType<T, R>;
 export declare const createWorker: <T = unknown, R = unknown>(name: string, processor: Processor<T, R>, options?: Omit<WorkerOptions, "connection">) => WorkerType<T, R>;
+export declare const getRegisteredCronNames: () => ReadonlySet<string>;
+export interface CronSchedule {
+    /** Cron expression. Mutually exclusive with `every`. */
+    cron?: string;
+    /** Interval in milliseconds. Mutually exclusive with `cron`. */
+    every?: number;
+    /** Timezone for cron expressions. */
+    timezone?: string;
+}
+export declare const createCronWorker: <T = void, R = unknown>(name: string, processor: Processor<T, R>, schedule: CronSchedule, options?: Omit<WorkerOptions, "connection">) => {
+    worker: WorkerType<T, R>;
+    queue: QueueType<T, R>;
+};
+/**
+ * Remove job schedulers that are no longer registered.
+ * Called automatically after worker discovery in createServer.
+ * Can also be called manually for workers managed outside workersDir.
+ */
+export declare const cleanupStaleSchedulers: (activeNames: string[]) => Promise<void>;
+export interface DLQOptions<T = unknown> {
+    /** Max jobs to keep in the DLQ. Default: 1000. */
+    maxSize?: number;
+    /** Called when a job is moved to the DLQ. */
+    onDeadLetter?: (job: Job<T>, error: Error) => Promise<void>;
+    /** Auto-retry delay in ms. No auto-retry by default. */
+    retryAfter?: number;
+    /** Preserve original job options on retry. Default: true. */
+    preserveJobOptions?: boolean;
+}
+export declare const createDLQHandler: <T = unknown>(sourceWorker: WorkerType<T>, sourceQueueName: string, options?: DLQOptions<T>) => {
+    dlqQueue: QueueType<T>;
+    retryJob: (jobId: string) => Promise<void>;
+};
 export type { Job };