@lastshotlabs/bunshot 0.0.13 → 0.0.18

package/dist/lib/mfaChallenge.js

@@ -0,0 +1,293 @@
+import { getRedis } from "./redis";
+import { appConnection, mongoose } from "./mongo";
+import { getAppName, getMfaChallengeTtl } from "./appConfig";
+import { sha256 } from "./crypto";
+const MAX_RESENDS = 3;
+function getMfaChallengeModel() {
+    if (appConnection.models["MfaChallenge"])
+        return appConnection.models["MfaChallenge"];
+    const { Schema } = mongoose;
+    const schema = new Schema({
+        token: { type: String, required: true, unique: true },
+        userId: { type: String, required: true },
+        purpose: { type: String, required: true, default: "login" },
+        emailOtpHash: { type: String },
+        webauthnChallenge: { type: String },
+        createdAt: { type: Date, required: true },
+        resendCount: { type: Number, required: true, default: 0 },
+        expiresAt: { type: Date, required: true, index: { expireAfterSeconds: 0 } },
+    }, { collection: "mfa_challenges" });
+    return appConnection.model("MfaChallenge", schema);
+}
+// ---------------------------------------------------------------------------
+// In-memory store
+// ---------------------------------------------------------------------------
+const _memoryChallenges = new Map();
+/** Reset all in-memory MFA challenge state. Called by clearMemoryStore(). */
+export const clearMemoryMfaChallenges = () => { _memoryChallenges.clear(); };
+// ---------------------------------------------------------------------------
+// SQLite store (reuses the existing SQLite DB instance)
+// ---------------------------------------------------------------------------
+let _sqliteDb = null;
+let _sqliteTableCreated = false;
+/** Must be called when store is "sqlite" to inject the db instance. */
+export const setMfaChallengeSqliteDb = (db) => { _sqliteDb = db; };
+function ensureSqliteMfaTable() {
+    if (_sqliteTableCreated || !_sqliteDb)
+        return;
+    _sqliteDb.run(`CREATE TABLE IF NOT EXISTS mfa_challenges (
+    token             TEXT PRIMARY KEY,
+    userId            TEXT NOT NULL,
+    purpose           TEXT NOT NULL DEFAULT 'login',
+    emailOtpHash      TEXT,
+    webauthnChallenge TEXT,
+    createdAt         INTEGER NOT NULL,
+    resendCount       INTEGER NOT NULL DEFAULT 0,
+    expiresAt         INTEGER NOT NULL
+  )`);
+    // Migrate pre-existing tables that lack newer columns
+    try {
+        _sqliteDb.run("ALTER TABLE mfa_challenges ADD COLUMN emailOtpHash TEXT");
+    }
+    catch { /* already exists */ }
+    try {
+        _sqliteDb.run("ALTER TABLE mfa_challenges ADD COLUMN createdAt INTEGER NOT NULL DEFAULT 0");
+    }
+    catch { /* already exists */ }
+    try {
+        _sqliteDb.run("ALTER TABLE mfa_challenges ADD COLUMN resendCount INTEGER NOT NULL DEFAULT 0");
+    }
+    catch { /* already exists */ }
+    try {
+        _sqliteDb.run("ALTER TABLE mfa_challenges ADD COLUMN purpose TEXT NOT NULL DEFAULT 'login'");
+    }
+    catch { /* already exists */ }
+    try {
+        _sqliteDb.run("ALTER TABLE mfa_challenges ADD COLUMN webauthnChallenge TEXT");
+    }
+    catch { /* already exists */ }
+    _sqliteTableCreated = true;
+}
+let _store = "redis";
+export const setMfaChallengeStore = (store) => { _store = store; };
+// ---------------------------------------------------------------------------
+// Public API
+// ---------------------------------------------------------------------------
+export const createMfaChallenge = async (userId, options) => {
+    const token = crypto.randomUUID();
+    const hash = sha256(token);
+    const ttl = getMfaChallengeTtl();
+    const now = Date.now();
+    const purpose = "login";
+    const emailOtpHash = options?.emailOtpHash;
+    const webauthnChallenge = options?.webauthnChallenge;
+    if (_store === "memory") {
+        _memoryChallenges.set(hash, { userId, purpose, emailOtpHash, webauthnChallenge, createdAt: now, resendCount: 0, expiresAt: now + ttl * 1000 });
+        return token;
+    }
+    if (_store === "sqlite") {
+        ensureSqliteMfaTable();
+        _sqliteDb.run("INSERT INTO mfa_challenges (token, userId, purpose, emailOtpHash, webauthnChallenge, createdAt, resendCount, expiresAt) VALUES (?, ?, ?, ?, ?, ?, 0, ?)", [hash, userId, purpose, emailOtpHash ?? null, webauthnChallenge ?? null, now, now + ttl * 1000]);
+        return token;
+    }
+    if (_store === "mongo") {
+        await getMfaChallengeModel().create({
+            token: hash,
+            userId,
+            purpose,
+            emailOtpHash,
+            webauthnChallenge,
+            createdAt: new Date(now),
+            resendCount: 0,
+            expiresAt: new Date(now + ttl * 1000),
+        });
+        return token;
+    }
+    // redis
+    await getRedis().set(`mfachallenge:${getAppName()}:${hash}`, JSON.stringify({ userId, purpose, emailOtpHash, webauthnChallenge, createdAt: now, resendCount: 0 }), "EX", ttl);
+    return token;
+};
+export const consumeMfaChallenge = async (token) => {
+    const hash = sha256(token);
+    if (_store === "memory") {
+        const entry = _memoryChallenges.get(hash);
+        if (!entry || entry.expiresAt <= Date.now()) {
+            _memoryChallenges.delete(hash);
+            return null;
+        }
+        _memoryChallenges.delete(hash);
+        if (entry.purpose !== "login")
+            return null;
+        return { userId: entry.userId, purpose: entry.purpose, emailOtpHash: entry.emailOtpHash, webauthnChallenge: entry.webauthnChallenge };
+    }
+    if (_store === "sqlite") {
+        ensureSqliteMfaTable();
+        const row = _sqliteDb.query("DELETE FROM mfa_challenges WHERE token = ? AND expiresAt > ? RETURNING userId, purpose, emailOtpHash, webauthnChallenge").get(hash, Date.now());
+        if (!row || row.purpose !== "login")
+            return null;
+        return { userId: row.userId, purpose: "login", emailOtpHash: row.emailOtpHash ?? undefined, webauthnChallenge: row.webauthnChallenge ?? undefined };
+    }
+    if (_store === "mongo") {
+        const doc = await getMfaChallengeModel().findOneAndDelete({ token: hash, expiresAt: { $gt: new Date() } });
+        if (!doc || doc.purpose !== "login")
+            return null;
+        return { userId: doc.userId, purpose: "login", emailOtpHash: doc.emailOtpHash, webauthnChallenge: doc.webauthnChallenge };
+    }
+    // redis
+    const key = `mfachallenge:${getAppName()}:${hash}`;
+    const raw = await getRedis().get(key);
+    if (!raw)
+        return null;
+    await getRedis().del(key);
+    const data = JSON.parse(raw);
+    if (data.purpose !== "login")
+        return null;
+    return { userId: data.userId, purpose: "login", emailOtpHash: data.emailOtpHash, webauthnChallenge: data.webauthnChallenge };
+};
+/**
+ * Replace the email OTP hash on an existing challenge without consuming it.
+ * Used for the resend flow. Increments resendCount and caps the challenge lifetime.
+ * Returns { userId, resendCount } on success, null if challenge not found/expired/max resends reached.
+ */
+export const replaceMfaChallengeOtp = async (token, newEmailOtpHash) => {
+    const hash = sha256(token);
+    const ttl = getMfaChallengeTtl();
+    if (_store === "memory") {
+        const entry = _memoryChallenges.get(hash);
+        if (!entry || entry.expiresAt <= Date.now()) {
+            _memoryChallenges.delete(hash);
+            return null;
+        }
+        if (entry.resendCount >= MAX_RESENDS)
+            return null;
+        entry.emailOtpHash = newEmailOtpHash;
+        entry.resendCount++;
+        // Cap lifetime: min(now + ttl, createdAt + ttl * 3)
+        const maxExpiry = entry.createdAt + ttl * 3 * 1000;
+        entry.expiresAt = Math.min(Date.now() + ttl * 1000, maxExpiry);
+        return { userId: entry.userId, resendCount: entry.resendCount };
+    }
+    if (_store === "sqlite") {
+        ensureSqliteMfaTable();
+        const now = Date.now();
+        const existing = _sqliteDb.query("SELECT createdAt, resendCount FROM mfa_challenges WHERE token = ? AND expiresAt > ?").get(hash, now);
+        if (!existing || existing.resendCount >= MAX_RESENDS)
+            return null;
+        const newExpiry = Math.min(now + ttl * 1000, existing.createdAt + ttl * 3 * 1000);
+        const newCount = existing.resendCount + 1;
+        const row = _sqliteDb.query("UPDATE mfa_challenges SET emailOtpHash = ?, resendCount = ?, expiresAt = ? WHERE token = ? RETURNING userId").get(newEmailOtpHash, newCount, newExpiry, hash);
+        return row ? { userId: row.userId, resendCount: newCount } : null;
+    }
+    if (_store === "mongo") {
+        const now = new Date();
+        const existing = await getMfaChallengeModel().findOne({
+            token: hash,
+            expiresAt: { $gt: now },
+            resendCount: { $lt: MAX_RESENDS },
+        });
+        if (!existing)
+            return null;
+        const newCount = existing.resendCount + 1;
+        const newExpiry = new Date(Math.min(Date.now() + ttl * 1000, existing.createdAt.getTime() + ttl * 3 * 1000));
+        existing.emailOtpHash = newEmailOtpHash;
+        existing.resendCount = newCount;
+        existing.expiresAt = newExpiry;
+        await existing.save();
+        return { userId: existing.userId, resendCount: newCount };
+    }
+    // redis
+    const key = `mfachallenge:${getAppName()}:${hash}`;
+    const raw = await getRedis().get(key);
+    if (!raw)
+        return null;
+    const data = JSON.parse(raw);
+    if (data.resendCount >= MAX_RESENDS)
+        return null;
+    data.emailOtpHash = newEmailOtpHash;
+    data.resendCount++;
+    // Cap lifetime
+    const maxExpiry = data.createdAt + ttl * 3 * 1000;
+    const newExpiry = Math.min(Date.now() + ttl * 1000, maxExpiry);
+    const remainingTtl = Math.max(1, Math.ceil((newExpiry - Date.now()) / 1000));
+    await getRedis().set(key, JSON.stringify(data), "EX", remainingTtl);
+    return { userId: data.userId, resendCount: data.resendCount };
+};
+// ---------------------------------------------------------------------------
+// WebAuthn registration challenge helpers
+// ---------------------------------------------------------------------------
+/**
+ * Create a WebAuthn registration challenge token. Separate from the login flow —
+ * uses `purpose: "webauthn-registration"` so it cannot be consumed by `consumeMfaChallenge`.
+ */
+export const createWebAuthnRegistrationChallenge = async (userId, challenge) => {
+    const token = crypto.randomUUID();
+    const hash = sha256(token);
+    const ttl = getMfaChallengeTtl();
+    const now = Date.now();
+    const purpose = "webauthn-registration";
+    if (_store === "memory") {
+        _memoryChallenges.set(hash, { userId, purpose, webauthnChallenge: challenge, createdAt: now, resendCount: 0, expiresAt: now + ttl * 1000 });
+        return token;
+    }
+    if (_store === "sqlite") {
+        ensureSqliteMfaTable();
+        _sqliteDb.run("INSERT INTO mfa_challenges (token, userId, purpose, webauthnChallenge, createdAt, resendCount, expiresAt) VALUES (?, ?, ?, ?, ?, 0, ?)", [hash, userId, purpose, challenge, now, now + ttl * 1000]);
+        return token;
+    }
+    if (_store === "mongo") {
+        await getMfaChallengeModel().create({
+            token: hash,
+            userId,
+            purpose,
+            webauthnChallenge: challenge,
+            createdAt: new Date(now),
+            resendCount: 0,
+            expiresAt: new Date(now + ttl * 1000),
+        });
+        return token;
+    }
+    // redis
+    await getRedis().set(`mfachallenge:${getAppName()}:${hash}`, JSON.stringify({ userId, purpose, webauthnChallenge: challenge, createdAt: now, resendCount: 0 }), "EX", ttl);
+    return token;
+};
+/**
+ * Consume a WebAuthn registration challenge token.
+ * Only accepts tokens with `purpose: "webauthn-registration"`.
+ */
+export const consumeWebAuthnRegistrationChallenge = async (token) => {
+    const hash = sha256(token);
+    if (_store === "memory") {
+        const entry = _memoryChallenges.get(hash);
+        if (!entry || entry.expiresAt <= Date.now()) {
+            _memoryChallenges.delete(hash);
+            return null;
+        }
+        _memoryChallenges.delete(hash);
+        if (entry.purpose !== "webauthn-registration" || !entry.webauthnChallenge)
+            return null;
+        return { userId: entry.userId, challenge: entry.webauthnChallenge };
+    }
+    if (_store === "sqlite") {
+        ensureSqliteMfaTable();
+        const row = _sqliteDb.query("DELETE FROM mfa_challenges WHERE token = ? AND expiresAt > ? RETURNING userId, purpose, webauthnChallenge").get(hash, Date.now());
+        if (!row || row.purpose !== "webauthn-registration" || !row.webauthnChallenge)
+            return null;
+        return { userId: row.userId, challenge: row.webauthnChallenge };
+    }
+    if (_store === "mongo") {
+        const doc = await getMfaChallengeModel().findOneAndDelete({ token: hash, expiresAt: { $gt: new Date() } });
+        if (!doc || doc.purpose !== "webauthn-registration" || !doc.webauthnChallenge)
+            return null;
+        return { userId: doc.userId, challenge: doc.webauthnChallenge };
+    }
+    // redis
+    const key = `mfachallenge:${getAppName()}:${hash}`;
+    const raw = await getRedis().get(key);
+    if (!raw)
+        return null;
+    await getRedis().del(key);
+    const data = JSON.parse(raw);
+    if (data.purpose !== "webauthn-registration" || !data.webauthnChallenge)
+        return null;
+    return { userId: data.userId, challenge: data.webauthnChallenge };
+};

package/dist/lib/oauth.d.ts

@@ -1,4 +1,4 @@
-import { Google, Apple, generateState, generateCodeVerifier } from "arctic";
+import { Google, Apple, MicrosoftEntraId, GitHub, generateState, generateCodeVerifier } from "arctic";
 export type OAuthProviderConfig = {
     google?: {
         clientId: string;
@@ -12,10 +12,23 @@ export type OAuthProviderConfig = {
         privateKey: string;
         redirectUri: string;
     };
+    microsoft?: {
+        tenantId: string;
+        clientId: string;
+        clientSecret: string;
+        redirectUri: string;
+    };
+    github?: {
+        clientId: string;
+        clientSecret: string;
+        redirectUri: string;
+    };
 };
 export declare const initOAuthProviders: (config: OAuthProviderConfig) => void;
 export declare const getGoogle: () => Google;
 export declare const getApple: () => Apple;
+export declare const getMicrosoft: () => MicrosoftEntraId;
+export declare const getGitHub: () => GitHub;
 export declare const getConfiguredOAuthProviders: () => string[];
 type OAuthStateStore = "redis" | "mongo" | "sqlite" | "memory";
 export declare const setOAuthStateStore: (store: OAuthStateStore) => void;

package/dist/lib/oauth.js

@@ -1,4 +1,4 @@
-import { Google, Apple, generateState, generateCodeVerifier } from "arctic";
+import { Google, Apple, MicrosoftEntraId, GitHub, generateState, generateCodeVerifier } from "arctic";
 import { getRedis } from "./redis";
 import { appConnection, mongoose } from "./mongo";
 import { getAppName } from "./appConfig";
@@ -14,6 +14,14 @@ export const initOAuthProviders = (config) => {
         const { clientId, teamId, keyId, privateKey, redirectUri } = config.apple;
         _providers.apple = new Apple(clientId, teamId, keyId, new TextEncoder().encode(privateKey), redirectUri);
     }
+    if (config.microsoft) {
+        const { tenantId, clientId, clientSecret, redirectUri } = config.microsoft;
+        _providers.microsoft = new MicrosoftEntraId(tenantId, clientId, clientSecret, redirectUri);
+    }
+    if (config.github) {
+        const { clientId, clientSecret, redirectUri } = config.github;
+        _providers.github = new GitHub(clientId, clientSecret, redirectUri);
+    }
 };
 export const getGoogle = () => {
     if (!_providers.google)
@@ -25,6 +33,16 @@ export const getApple = () => {
         throw new Error("Apple OAuth not configured");
     return _providers.apple;
 };
+export const getMicrosoft = () => {
+    if (!_providers.microsoft)
+        throw new Error("Microsoft Entra ID OAuth not configured");
+    return _providers.microsoft;
+};
+export const getGitHub = () => {
+    if (!_providers.github)
+        throw new Error("GitHub OAuth not configured");
+    return _providers.github;
+};
 export const getConfiguredOAuthProviders = () => Object.entries(_providers)
     .filter(([, v]) => v != null)
     .map(([k]) => k);

package/dist/lib/oauthCode.d.ts

@@ -0,0 +1,15 @@
+type OAuthCodeStore = "redis" | "mongo" | "sqlite" | "memory";
+export declare const setOAuthCodeStore: (store: OAuthCodeStore) => void;
+export interface OAuthCodePayload {
+    token: string;
+    userId: string;
+    email?: string;
+    refreshToken?: string;
+}
+/** Store a one-time authorization code. Returns the raw code (for the redirect URL).
+ *  Only the SHA-256 hash is persisted. */
+export declare const storeOAuthCode: (payload: OAuthCodePayload) => Promise<string>;
+/** Atomically consume an authorization code — returns its payload and deletes it.
+ *  Returns null if invalid, expired, or already used. */
+export declare const consumeOAuthCode: (code: string) => Promise<OAuthCodePayload | null>;
+export {};

package/dist/lib/oauthCode.js

@@ -0,0 +1,90 @@
+import { getRedis } from "./redis";
+import { appConnection, mongoose } from "./mongo";
+import { getAppName } from "./appConfig";
+import { sha256 } from "./crypto";
+import { memoryStoreOAuthCode, memoryConsumeOAuthCode, } from "../adapters/memoryAuth";
+import { sqliteStoreOAuthCode, sqliteConsumeOAuthCode, } from "../adapters/sqliteAuth";
+function getOAuthCodeModel() {
+    if (appConnection.models["OAuthCode"])
+        return appConnection.models["OAuthCode"];
+    const { Schema } = mongoose;
+    const schema = new Schema({
+        codeHash: { type: String, required: true, unique: true },
+        token: { type: String, required: true },
+        userId: { type: String, required: true },
+        email: { type: String },
+        refreshToken: { type: String },
+        expiresAt: { type: Date, required: true, index: { expireAfterSeconds: 0 } },
+    }, { collection: "oauth_codes" });
+    return appConnection.model("OAuthCode", schema);
+}
+let _store = "redis";
+export const setOAuthCodeStore = (store) => { _store = store; };
+const CODE_TTL = 60; // 60 seconds
+// ---------------------------------------------------------------------------
+// Public API
+// ---------------------------------------------------------------------------
+/** Store a one-time authorization code. Returns the raw code (for the redirect URL).
+ *  Only the SHA-256 hash is persisted. */
+export const storeOAuthCode = async (payload) => {
+    const code = crypto.randomUUID();
+    const hash = sha256(code);
+    if (_store === "memory") {
+        memoryStoreOAuthCode(hash, payload, CODE_TTL);
+        return code;
+    }
+    if (_store === "sqlite") {
+        sqliteStoreOAuthCode(hash, payload, CODE_TTL);
+        return code;
+    }
+    if (_store === "mongo") {
+        await getOAuthCodeModel().create({
+            codeHash: hash,
+            ...payload,
+            expiresAt: new Date(Date.now() + CODE_TTL * 1000),
+        });
+        return code;
+    }
+    // Redis
+    await getRedis().set(`oauthcode:${getAppName()}:${hash}`, JSON.stringify(payload), "EX", CODE_TTL);
+    return code;
+};
+/** Atomically consume an authorization code — returns its payload and deletes it.
+ *  Returns null if invalid, expired, or already used. */
+export const consumeOAuthCode = async (code) => {
+    const hash = sha256(code);
+    if (_store === "memory")
+        return memoryConsumeOAuthCode(hash);
+    if (_store === "sqlite")
+        return sqliteConsumeOAuthCode(hash);
+    if (_store === "mongo") {
+        const doc = await getOAuthCodeModel()
+            .findOneAndDelete({ codeHash: hash, expiresAt: { $gt: new Date() } })
+            .lean();
+        if (!doc)
+            return null;
+        return { token: doc.token, userId: doc.userId, email: doc.email, refreshToken: doc.refreshToken };
+    }
+    // Redis
+    const key = `oauthcode:${getAppName()}:${hash}`;
+    const redis = getRedis();
+    let raw = null;
+    if (typeof redis.getdel === "function") {
+        try {
+            raw = await redis.getdel(key);
+        }
+        catch {
+            raw = await redis.get(key);
+            if (raw)
+                await redis.del(key);
+        }
+    }
+    else {
+        raw = await redis.get(key);
+        if (raw)
+            await redis.del(key);
+    }
+    if (!raw)
+        return null;
+    return JSON.parse(raw);
+};

package/dist/lib/queue.d.ts

@@ -1,4 +1,37 @@
 import type { Queue as QueueType, Worker as WorkerType, Processor, QueueOptions, WorkerOptions, Job } from "bullmq";
 export declare const createQueue: <T = unknown, R = unknown>(name: string, options?: Omit<QueueOptions, "connection">) => QueueType<T, R>;
 export declare const createWorker: <T = unknown, R = unknown>(name: string, processor: Processor<T, R>, options?: Omit<WorkerOptions, "connection">) => WorkerType<T, R>;
+export declare const getRegisteredCronNames: () => ReadonlySet<string>;
+export interface CronSchedule {
+    /** Cron expression. Mutually exclusive with `every`. */
+    cron?: string;
+    /** Interval in milliseconds. Mutually exclusive with `cron`. */
+    every?: number;
+    /** Timezone for cron expressions. */
+    timezone?: string;
+}
+export declare const createCronWorker: <T = void, R = unknown>(name: string, processor: Processor<T, R>, schedule: CronSchedule, options?: Omit<WorkerOptions, "connection">) => {
+    worker: WorkerType<T, R>;
+    queue: QueueType<T, R>;
+};
+/**
+ * Remove job schedulers that are no longer registered.
+ * Called automatically after worker discovery in createServer.
+ * Can also be called manually for workers managed outside workersDir.
+ */
+export declare const cleanupStaleSchedulers: (activeNames: string[]) => Promise<void>;
+export interface DLQOptions<T = unknown> {
+    /** Max jobs to keep in the DLQ. Default: 1000. */
+    maxSize?: number;
+    /** Called when a job is moved to the DLQ. */
+    onDeadLetter?: (job: Job<T>, error: Error) => Promise<void>;
+    /** Auto-retry delay in ms. No auto-retry by default. */
+    retryAfter?: number;
+    /** Preserve original job options on retry. Default: true. */
+    preserveJobOptions?: boolean;
+}
+export declare const createDLQHandler: <T = unknown>(sourceWorker: WorkerType<T>, sourceQueueName: string, options?: DLQOptions<T>) => {
+    dlqQueue: QueueType<T>;
+    retryJob: (jobId: string) => Promise<void>;
+};
 export type { Job };

package/dist/lib/queue.js

@@ -17,3 +17,101 @@ export const createWorker = (name, processor, options) => {
     const { Worker } = requireBullMQ();
     return new Worker(name, processor, { connection: getRedisConnectionOptions(), ...options });
 };
+// ---------------------------------------------------------------------------
+// Cron worker
+// ---------------------------------------------------------------------------
+/** Tracks all registered cron scheduler names for ghost job cleanup. */
+const _registeredCronNames = new Set();
+export const getRegisteredCronNames = () => _registeredCronNames;
+export const createCronWorker = (name, processor, schedule, options) => {
+    const { Queue, Worker } = requireBullMQ();
+    const connection = getRedisConnectionOptions();
+    const queue = new Queue(name, { connection });
+    const worker = new Worker(name, processor, { connection, ...options });
+    _registeredCronNames.add(name);
+    // Use upsertJobScheduler — idempotent across restarts
+    if (schedule.cron) {
+        queue.upsertJobScheduler(name, { pattern: schedule.cron, tz: schedule.timezone }, { name });
+    }
+    else if (schedule.every) {
+        queue.upsertJobScheduler(name, { every: schedule.every }, { name });
+    }
+    return { worker, queue };
+};
+/**
+ * Remove job schedulers that are no longer registered.
+ * Called automatically after worker discovery in createServer.
+ * Can also be called manually for workers managed outside workersDir.
+ */
+export const cleanupStaleSchedulers = async (activeNames) => {
+    const { Queue } = requireBullMQ();
+    const connection = getRedisConnectionOptions();
+    const activeSet = new Set(activeNames);
+    // Check all known queue names for stale schedulers
+    for (const name of _registeredCronNames) {
+        if (activeSet.has(name))
+            continue;
+        const queue = new Queue(name, { connection });
+        try {
+            await queue.removeJobScheduler(name);
+        }
+        catch { /* scheduler may not exist */ }
+        await queue.close();
+    }
+};
+export const createDLQHandler = (sourceWorker, sourceQueueName, options) => {
+    const { Queue } = requireBullMQ();
+    const connection = getRedisConnectionOptions();
+    const dlqName = `${sourceQueueName}-dlq`;
+    const dlqQueue = new Queue(dlqName, { connection });
+    const maxSize = options?.maxSize ?? 1000;
+    const preserveJobOptions = options?.preserveJobOptions ?? true;
+    sourceWorker.on("failed", async (job, error) => {
+        if (!job)
+            return;
+        // Only move to DLQ when all attempts are exhausted
+        if (job.attemptsMade < (job.opts?.attempts ?? 1))
+            return;
+        await dlqQueue.add(`dlq:${job.name}`, job.data, {
+            ...(preserveJobOptions ? {
+                delay: job.opts?.delay,
+                priority: job.opts?.priority,
+                attempts: job.opts?.attempts,
+                backoff: job.opts?.backoff,
+            } : {}),
+            jobId: `dlq:${job.id}`,
+        });
+        if (options?.onDeadLetter) {
+            try {
+                await options.onDeadLetter(job, error);
+            }
+            catch (e) {
+                console.error(`[dlq:${sourceQueueName}] onDeadLetter callback error:`, e);
+            }
+        }
+        // Trim DLQ to maxSize
+        const waitingCount = await dlqQueue.getWaitingCount();
+        if (waitingCount > maxSize) {
+            const excess = waitingCount - maxSize;
+            const jobs = await dlqQueue.getWaiting(0, excess - 1);
+            for (const j of jobs) {
+                await j.remove();
+            }
+        }
+    });
+    const sourceQueue = new Queue(sourceQueueName, { connection });
+    const retryJob = async (jobId) => {
+        const job = await dlqQueue.getJob(jobId);
+        if (!job)
+            throw new Error(`Job ${jobId} not found in DLQ`);
+        const opts = preserveJobOptions ? {
+            delay: job.opts?.delay,
+            priority: job.opts?.priority,
+            attempts: job.opts?.attempts,
+            backoff: job.opts?.backoff,
+        } : {};
+        await sourceQueue.add(job.name, job.data, opts);
+        await job.remove();
+    };
+    return { dlqQueue, retryJob };
+};

package/dist/lib/resetPassword.js

@@ -1,24 +1,20 @@
-import { createHash } from "crypto";
 import { getRedis } from "./redis";
-import { appConnection } from "./mongo";
+import { appConnection, mongoose } from "./mongo";
 import { getAppName, getResetTokenExpiry } from "./appConfig";
-import { Schema } from "mongoose";
 import { sqliteCreateResetToken, sqliteConsumeResetToken, } from "../adapters/sqliteAuth";
 import { memoryCreateResetToken, memoryConsumeResetToken, } from "../adapters/memoryAuth";
-// ---------------------------------------------------------------------------
-// Token hashing — store SHA-256(token); raw token is only in the email link.
-// If the store is ever leaked, outstanding tokens cannot be replayed directly.
-// ---------------------------------------------------------------------------
-const hashToken = (token) => createHash("sha256").update(token).digest("hex");
-const resetSchema = new Schema({
-    token: { type: String, required: true, unique: true },
-    userId: { type: String, required: true },
-    email: { type: String, required: true },
-    expiresAt: { type: Date, required: true, index: { expireAfterSeconds: 0 } },
-}, { collection: "password_resets" });
+import { sha256 as hashToken } from "./crypto";
 function getResetModel() {
-    return appConnection.models["PasswordReset"] ??
-        appConnection.model("PasswordReset", resetSchema);
+    if (appConnection.models["PasswordReset"])
+        return appConnection.models["PasswordReset"];
+    const { Schema } = mongoose;
+    const resetSchema = new Schema({
+        token: { type: String, required: true, unique: true },
+        userId: { type: String, required: true },
+        email: { type: String, required: true },
+        expiresAt: { type: Date, required: true, index: { expireAfterSeconds: 0 } },
+    }, { collection: "password_resets" });
+    return appConnection.model("PasswordReset", resetSchema);
 }
 // ---------------------------------------------------------------------------
 // Redis helpers

package/dist/lib/roles.d.ts

@@ -1,3 +1,7 @@
 export declare const setUserRoles: (userId: string, roles: string[]) => Promise<void>;
 export declare const addUserRole: (userId: string, role: string) => Promise<void>;
 export declare const removeUserRole: (userId: string, role: string) => Promise<void>;
+export declare const getTenantRoles: (userId: string, tenantId: string) => Promise<string[]>;
+export declare const setTenantRoles: (userId: string, tenantId: string, roles: string[]) => Promise<void>;
+export declare const addTenantRole: (userId: string, tenantId: string, role: string) => Promise<void>;
+export declare const removeTenantRole: (userId: string, tenantId: string, role: string) => Promise<void>;