@lastshotlabs/bunshot 0.0.20 → 0.0.25

package/dist/lib/session.js

@@ -1,8 +1,8 @@
 import { getRedis } from "./redis";
 import { appConnection, mongoose } from "./mongo";
 import { getAppName, getPersistSessionMetadata, getIncludeInactiveSessions, getRotationGraceSeconds, getRefreshTokenExpiry } from "./appConfig";
-import { sqliteCreateSession, sqliteGetSession, sqliteDeleteSession, sqliteGetUserSessions, sqliteGetActiveSessionCount, sqliteEvictOldestSession, sqliteUpdateSessionLastActive, sqliteSetRefreshToken, sqliteGetSessionByRefreshToken, sqliteRotateRefreshToken, } from "../adapters/sqliteAuth";
-import { memoryCreateSession, memoryGetSession, memoryDeleteSession, memoryGetUserSessions, memoryGetActiveSessionCount, memoryEvictOldestSession, memoryUpdateSessionLastActive, memorySetRefreshToken, memoryGetSessionByRefreshToken, memoryRotateRefreshToken, } from "../adapters/memoryAuth";
+import { sqliteCreateSession, sqliteGetSession, sqliteDeleteSession, sqliteGetUserSessions, sqliteGetActiveSessionCount, sqliteEvictOldestSession, sqliteUpdateSessionLastActive, sqliteSetRefreshToken, sqliteGetSessionByRefreshToken, sqliteRotateRefreshToken, sqliteGetSessionFingerprint, sqliteSetSessionFingerprint, } from "../adapters/sqliteAuth";
+import { memoryCreateSession, memoryGetSession, memoryDeleteSession, memoryGetUserSessions, memoryGetActiveSessionCount, memoryEvictOldestSession, memoryUpdateSessionLastActive, memorySetRefreshToken, memoryGetSessionByRefreshToken, memoryRotateRefreshToken, memoryGetSessionFingerprint, memorySetSessionFingerprint, } from "../adapters/memoryAuth";
 function getSessionModel() {
     if (appConnection.models["Session"])
         return appConnection.models["Session"];
@@ -19,6 +19,7 @@ function getSessionModel() {
         refreshToken: { type: String, default: null },
         prevRefreshToken: { type: String, default: null },
         prevTokenExpiresAt: { type: Date, default: null },
+        fingerprint: { type: String, default: null },
     }, { collection: "sessions", timestamps: false });
     sessionSchema.index({ refreshToken: 1 }, { unique: true, partialFilterExpression: { refreshToken: { $type: "string" } } });
     // Add TTL index only when metadata is not persisted — docs auto-delete at expiresAt.
@@ -479,3 +480,56 @@ export const rotateRefreshToken = async (sessionId, newRefreshToken, newAccessTo
     }
     await mongoRotateRefreshToken(sessionId, newRefreshToken, newAccessToken);
 };
+// ---------------------------------------------------------------------------
+// Session fingerprint API (session binding feature)
+// ---------------------------------------------------------------------------
+/** Read the stored fingerprint for a session. Returns null if not yet set. */
+export const getSessionFingerprint = async (sessionId) => {
+    if (_store === "memory")
+        return memoryGetSessionFingerprint(sessionId);
+    if (_store === "sqlite")
+        return sqliteGetSessionFingerprint(sessionId);
+    if (_store === "redis") {
+        const redis = getRedis();
+        const raw = await redis.get(redisSessionKey(sessionId));
+        if (!raw)
+            return null;
+        const rec = JSON.parse(raw);
+        return rec.fingerprint ?? null;
+    }
+    // mongo
+    const doc = await getSessionModel().findOne({ sessionId }, "fingerprint").lean();
+    return doc?.fingerprint ?? null;
+};
+/** Store a fingerprint on an existing session. No-op if the session does not exist. */
+export const setSessionFingerprint = async (sessionId, fingerprint) => {
+    if (_store === "memory") {
+        memorySetSessionFingerprint(sessionId, fingerprint);
+        return;
+    }
+    if (_store === "sqlite") {
+        sqliteSetSessionFingerprint(sessionId, fingerprint);
+        return;
+    }
+    if (_store === "redis") {
+        const redis = getRedis();
+        const raw = await redis.get(redisSessionKey(sessionId));
+        if (!raw)
+            return;
+        const rec = JSON.parse(raw);
+        rec.fingerprint = fingerprint;
+        if (getPersistSessionMetadata()) {
+            await redis.set(redisSessionKey(sessionId), JSON.stringify(rec));
+        }
+        else {
+            const now = Date.now();
+            if (rec.expiresAt <= now)
+                return;
+            const ttlRemaining = Math.max(1, Math.ceil((rec.expiresAt - now) / 1000));
+            await redis.set(redisSessionKey(sessionId), JSON.stringify(rec), "EX", ttlRemaining);
+        }
+        return;
+    }
+    // mongo
+    await getSessionModel().updateOne({ sessionId }, { $set: { fingerprint } });
+};

package/dist/lib/signing.d.ts

@@ -0,0 +1,52 @@
+/**
+ * Sign `data` with the active key (first element of `secret`).
+ * Normalizes string | string[] so that an array is never passed directly to
+ * createHmac() — which would silently call .toString() and produce
+ * "[object Array]" as the key.
+ */
+export declare function hmacSign(data: string, secret: string | string[]): string;
+/**
+ * Verify `sig` against `data` using one of the provided keys.
+ * Keys are tried newest-first (index 0 is the active signing key).
+ *
+ * Key ordering convention: put the current (newest) key first; rotated keys
+ * after. The common case (valid current-key signature) succeeds on the first
+ * comparison; old rotated keys only matter for in-flight tokens.
+ *
+ * MUST use timingSafeEqual — never === — to prevent timing side-channel leaks.
+ * This is the most common HMAC implementation mistake.
+ */
+export declare function hmacVerify(data: string, sig: string, secret: string | string[]): boolean;
+/** Returns `"base64url(value).hmac"`. */
+export declare function signCookieValue(value: string, secret: string | string[]): string;
+/** Returns the original value or `null` if the signature is invalid. */
+export declare function verifyCookieValue(signed: string, secret: string | string[]): string | null;
+/** Returns `"base64url(payload).hmac"`. */
+export declare function signCursor(payload: string, secret: string | string[]): string;
+/** Returns the original payload or `null` if the signature is invalid. */
+export declare function verifyCursor(cursor: string, secret: string | string[]): string | null;
+/**
+ * Create a stateless HMAC-signed URL. The signature covers the HTTP method,
+ * storage key, and expiry timestamp so that:
+ *  - Expired URLs are rejected (replay prevention)
+ *  - URLs are method-bound (a GET URL can't be replayed as a PUT)
+ *  - Tampering with the key or expiry invalidates the signature
+ *
+ * @param base   Base URL string (e.g. "https://api.example.com/uploads/presign")
+ * @param key    Storage object key
+ * @param opts   Method, expiry in seconds from now, optional extra query params
+ * @param secret HMAC secret (supports key rotation via string[])
+ */
+export declare function createPresignedUrl(base: string, key: string, opts: {
+    method: string;
+    expiry: number;
+    extra?: Record<string, string>;
+}, secret: string | string[]): string;
+/**
+ * Verify an HMAC-signed URL. Returns the key and any extra params, or null
+ * if the URL is expired, tampered, or method-mismatched.
+ */
+export declare function verifyPresignedUrl(url: string, method: string, secret: string | string[]): {
+    key: string;
+    extra?: Record<string, string>;
+} | null;

package/dist/lib/signing.js

@@ -0,0 +1,180 @@
+import { createHmac } from "crypto";
+import { timingSafeEqual } from "./crypto";
+// ---------------------------------------------------------------------------
+// Core HMAC primitives
+// ---------------------------------------------------------------------------
+/**
+ * Sign `data` with the active key (first element of `secret`).
+ * Normalizes string | string[] so that an array is never passed directly to
+ * createHmac() — which would silently call .toString() and produce
+ * "[object Array]" as the key.
+ */
+export function hmacSign(data, secret) {
+    const key = Array.isArray(secret) ? secret[0] : secret;
+    return createHmac("sha256", key).update(data).digest("hex");
+}
+/**
+ * Verify `sig` against `data` using one of the provided keys.
+ * Keys are tried newest-first (index 0 is the active signing key).
+ *
+ * Key ordering convention: put the current (newest) key first; rotated keys
+ * after. The common case (valid current-key signature) succeeds on the first
+ * comparison; old rotated keys only matter for in-flight tokens.
+ *
+ * MUST use timingSafeEqual — never === — to prevent timing side-channel leaks.
+ * This is the most common HMAC implementation mistake.
+ */
+export function hmacVerify(data, sig, secret) {
+    const keys = Array.isArray(secret) ? secret : [secret];
+    for (const key of keys) {
+        const expected = createHmac("sha256", key).update(data).digest("hex");
+        try {
+            if (timingSafeEqual(expected, sig))
+                return true;
+        }
+        catch {
+            // timingSafeEqual can throw on length mismatch with multi-byte chars
+        }
+    }
+    return false;
+}
+// ---------------------------------------------------------------------------
+// Cookie signing
+//
+// Value is base64url-encoded before appending ".sig" to avoid delimiter
+// collision — raw values may contain "." which would break naive
+// split-on-last-dot parsing.
+//
+// Edge case: base64url("") === "" so the signed form for an empty value is
+// ".sig". Split uses lastIndexOf("."), not indexOf("."), and dotIdx === 0
+// is treated as a valid (empty) value, not a parse error.
+// ---------------------------------------------------------------------------
+function toBase64url(s) {
+    return Buffer.from(s).toString("base64url");
+}
+function fromBase64url(s) {
+    return Buffer.from(s, "base64url").toString("utf8");
+}
+/** Returns `"base64url(value).hmac"`. */
+export function signCookieValue(value, secret) {
+    const encoded = toBase64url(value);
+    const sig = hmacSign(encoded, secret);
+    return `${encoded}.${sig}`;
+}
+/** Returns the original value or `null` if the signature is invalid. */
+export function verifyCookieValue(signed, secret) {
+    const dotIdx = signed.lastIndexOf(".");
+    // dotIdx === 0 is valid: empty encoded value (signed form ".sig")
+    if (dotIdx < 0)
+        return null;
+    const encoded = signed.slice(0, dotIdx);
+    const sig = signed.slice(dotIdx + 1);
+    if (!hmacVerify(encoded, sig, secret))
+        return null;
+    try {
+        return fromBase64url(encoded);
+    }
+    catch {
+        return null;
+    }
+}
+// ---------------------------------------------------------------------------
+// Cursor signing (same structure as cookie signing)
+// ---------------------------------------------------------------------------
+/** Returns `"base64url(payload).hmac"`. */
+export function signCursor(payload, secret) {
+    const encoded = toBase64url(payload);
+    const sig = hmacSign(encoded, secret);
+    return `${encoded}.${sig}`;
+}
+/** Returns the original payload or `null` if the signature is invalid. */
+export function verifyCursor(cursor, secret) {
+    const dotIdx = cursor.lastIndexOf(".");
+    if (dotIdx < 0)
+        return null;
+    const encoded = cursor.slice(0, dotIdx);
+    const sig = cursor.slice(dotIdx + 1);
+    if (!hmacVerify(encoded, sig, secret))
+        return null;
+    try {
+        return fromBase64url(encoded);
+    }
+    catch {
+        return null;
+    }
+}
+// ---------------------------------------------------------------------------
+// Presigned URLs
+//
+// Signing data = method + "\n" + key + "\n" + exp
+// Newline delimiter is safe: keys like "uploads/2024/photo.jpg" contain dots
+// but cannot contain newlines; method and exp never contain newlines.
+// Using "." would create ambiguity with keys containing dots.
+// ---------------------------------------------------------------------------
+/**
+ * Create a stateless HMAC-signed URL. The signature covers the HTTP method,
+ * storage key, and expiry timestamp so that:
+ *  - Expired URLs are rejected (replay prevention)
+ *  - URLs are method-bound (a GET URL can't be replayed as a PUT)
+ *  - Tampering with the key or expiry invalidates the signature
+ *
+ * @param base   Base URL string (e.g. "https://api.example.com/uploads/presign")
+ * @param key    Storage object key
+ * @param opts   Method, expiry in seconds from now, optional extra query params
+ * @param secret HMAC secret (supports key rotation via string[])
+ */
+export function createPresignedUrl(base, key, opts, secret) {
+    const exp = Math.floor(Date.now() / 1000) + opts.expiry;
+    const method = opts.method.toUpperCase();
+    const data = `${method}\n${key}\n${exp}`;
+    const sig = hmacSign(data, secret);
+    const url = new URL(base);
+    url.searchParams.set("key", key);
+    url.searchParams.set("exp", String(exp));
+    url.searchParams.set("method", method);
+    url.searchParams.set("sig", sig);
+    if (opts.extra) {
+        for (const [k, v] of Object.entries(opts.extra)) {
+            url.searchParams.set(k, v);
+        }
+    }
+    return url.toString();
+}
+/**
+ * Verify an HMAC-signed URL. Returns the key and any extra params, or null
+ * if the URL is expired, tampered, or method-mismatched.
+ */
+export function verifyPresignedUrl(url, method, secret) {
+    let parsedUrl;
+    try {
+        parsedUrl = new URL(url);
+    }
+    catch {
+        return null;
+    }
+    const key = parsedUrl.searchParams.get("key");
+    const exp = parsedUrl.searchParams.get("exp");
+    const sig = parsedUrl.searchParams.get("sig");
+    const urlMethod = parsedUrl.searchParams.get("method");
+    if (!key || !exp || !sig || !urlMethod)
+        return null;
+    // Method binding check
+    if (urlMethod !== method.toUpperCase())
+        return null;
+    // Expiry check
+    const expNum = parseInt(exp, 10);
+    if (isNaN(expNum) || expNum < Math.floor(Date.now() / 1000))
+        return null;
+    // Signature check
+    const data = `${urlMethod}\n${key}\n${exp}`;
+    if (!hmacVerify(data, sig, secret))
+        return null;
+    // Collect extra params (all except reserved ones)
+    const reserved = new Set(["key", "exp", "sig", "method"]);
+    const extra = {};
+    for (const [k, v] of parsedUrl.searchParams.entries()) {
+        if (!reserved.has(k))
+            extra[k] = v;
+    }
+    return Object.keys(extra).length > 0 ? { key, extra } : { key };
+}

package/dist/lib/storageAdapter.d.ts

@@ -0,0 +1,30 @@
+export interface StorageAdapter {
+    put(key: string, data: Blob | Buffer | ReadableStream, meta: {
+        mimeType: string;
+        size: number;
+        bucket?: string;
+    }): Promise<{
+        url?: string;
+    }>;
+    get(key: string): Promise<{
+        stream: ReadableStream;
+        mimeType?: string;
+        size?: number;
+    } | null>;
+    delete(key: string): Promise<void>;
+    presignPut?(key: string, opts: {
+        expirySeconds: number;
+        mimeType?: string;
+        maxSize?: number;
+    }): Promise<string>;
+    presignGet?(key: string, opts: {
+        expirySeconds: number;
+    }): Promise<string>;
+}
+export interface UploadResult {
+    key: string;
+    originalName: string;
+    mimeType: string;
+    size: number;
+    url?: string;
+}

package/dist/lib/storageAdapter.js

@@ -0,0 +1 @@
+export {};

package/dist/lib/stripUnreferencedSchemas.d.ts

@@ -0,0 +1,11 @@
+/**
+ * Post-processes an OpenAPI 3.x spec object to remove `components/schemas` entries
+ * not directly or transitively referenced by any path operation.
+ *
+ * Prevents phantom types in generated TypeScript clients (openapi-typescript, orval)
+ * when multiple versioned specs share a single OpenAPI registry.
+ *
+ * @param spec - The OpenAPI spec document (from `app.getOpenAPIDocument()`).
+ * @returns A shallow-cloned spec with unreferenced schemas removed.
+ */
+export declare function stripUnreferencedSchemas(spec: Record<string, any>): Record<string, any>;

package/dist/lib/stripUnreferencedSchemas.js

@@ -0,0 +1,79 @@
+/**
+ * Post-processes an OpenAPI 3.x spec object to remove `components/schemas` entries
+ * not directly or transitively referenced by any path operation.
+ *
+ * Prevents phantom types in generated TypeScript clients (openapi-typescript, orval)
+ * when multiple versioned specs share a single OpenAPI registry.
+ *
+ * @param spec - The OpenAPI spec document (from `app.getOpenAPIDocument()`).
+ * @returns A shallow-cloned spec with unreferenced schemas removed.
+ */
+export function stripUnreferencedSchemas(spec) {
+    const schemas = spec?.components?.schemas;
+    if (!schemas || typeof schemas !== "object")
+        return spec;
+    // Collect all $ref strings from an arbitrary JSON node
+    function collectRefs(node, refs) {
+        if (!node || typeof node !== "object")
+            return;
+        if (Array.isArray(node)) {
+            for (const item of node)
+                collectRefs(item, refs);
+            return;
+        }
+        for (const [key, val] of Object.entries(node)) {
+            if (key === "$ref" && typeof val === "string") {
+                refs.add(val);
+            }
+            else {
+                collectRefs(val, refs);
+            }
+        }
+    }
+    // Extract schema name from a $ref like "#/components/schemas/Foo"
+    function schemaNameFromRef(ref) {
+        const prefix = "#/components/schemas/";
+        return ref.startsWith(prefix) ? ref.slice(prefix.length) : null;
+    }
+    // Collect initial refs from paths (not from components to avoid circular bootstrapping)
+    const pathRefs = new Set();
+    collectRefs(spec.paths, pathRefs);
+    // BFS to transitively follow refs within referenced schemas
+    const referenced = new Set();
+    const queue = [];
+    for (const ref of pathRefs) {
+        const name = schemaNameFromRef(ref);
+        if (name && schemas[name] && !referenced.has(name)) {
+            referenced.add(name);
+            queue.push(name);
+        }
+    }
+    while (queue.length > 0) {
+        const name = queue.pop();
+        const inner = new Set();
+        collectRefs(schemas[name], inner);
+        for (const ref of inner) {
+            const refName = schemaNameFromRef(ref);
+            if (refName && schemas[refName] && !referenced.has(refName)) {
+                referenced.add(refName);
+                queue.push(refName);
+            }
+        }
+    }
+    // Build cleaned spec — shallow clone, then rebuild components/schemas with only referenced entries
+    const cleaned = { ...spec };
+    cleaned.components = { ...spec.components };
+    if (referenced.size === 0) {
+        delete cleaned.components.schemas;
+    }
+    else {
+        cleaned.components.schemas = {};
+        for (const name of referenced) {
+            cleaned.components.schemas[name] = schemas[name];
+        }
+    }
+    if (Object.keys(cleaned.components).length === 0) {
+        delete cleaned.components;
+    }
+    return cleaned;
+}

package/dist/lib/tenant.js

@@ -28,7 +28,7 @@ export const createTenant = async (tenantId, options) => {
     }
     if (existing && existing.deletedAt) {
         // Reactivate soft-deleted tenant
-        await Tenant.findOneAndUpdate({ tenantId }, { deletedAt: null, displayName: options?.displayName, config: options?.config });
+        await Tenant.findOneAndUpdate({ tenantId }, { $set: { deletedAt: null, displayName: options?.displayName, config: options?.config } });
         return;
     }
     await Tenant.create({
@@ -40,7 +40,7 @@ export const createTenant = async (tenantId, options) => {
 export const deleteTenant = async (tenantId) => {
     const { invalidateTenantCache } = await import("../middleware/tenant");
     // Soft-delete
-    await Tenant.findOneAndUpdate({ tenantId }, { deletedAt: new Date() });
+    await Tenant.findOneAndUpdate({ tenantId }, { $set: { deletedAt: new Date() } });
     invalidateTenantCache(tenantId);
 };
 export const getTenant = async (tenantId) => {

package/dist/lib/upload.d.ts

@@ -0,0 +1,35 @@
+import type { Context } from "hono";
+import type { AppEnv } from "./context";
+import type { StorageAdapter, UploadResult } from "./storageAdapter";
+export interface UploadOpts {
+    field?: string | string[];
+    maxFileSize?: number;
+    maxFiles?: number;
+    allowedMimeTypes?: string[];
+    keyPrefix?: string;
+    generateKey?: (file: File, ctx: {
+        userId?: string;
+        tenantId?: string;
+    }) => string;
+    tenantScopedKeys?: boolean;
+}
+export declare const setStorageAdapter: (adapter: StorageAdapter) => void;
+export declare const getStorageAdapter: () => StorageAdapter | null;
+export declare const setUploadConfig: (config: UploadOpts) => void;
+export declare const getUploadConfig: () => UploadOpts;
+export declare const generateUploadKey: (file: File, ctx: {
+    userId?: string;
+    tenantId?: string;
+}, opts?: UploadOpts) => string;
+export declare const validateFile: (file: File, opts: {
+    maxFileSize?: number;
+    allowedMimeTypes?: string[];
+}) => string | null;
+export declare const processUpload: (file: File, opts: UploadOpts & {
+    ctx?: {
+        userId?: string;
+        tenantId?: string;
+    };
+    bucket?: string;
+}) => Promise<UploadResult>;
+export declare const parseUpload: (c: Context<AppEnv>, opts?: UploadOpts) => Promise<UploadResult[]>;

package/dist/lib/upload.js

@@ -0,0 +1,87 @@
+import { HttpError } from "./HttpError";
+import { extname } from "node:path";
+let _adapter = null;
+let _config = {};
+export const setStorageAdapter = (adapter) => { _adapter = adapter; };
+export const getStorageAdapter = () => _adapter;
+export const setUploadConfig = (config) => { _config = config; };
+export const getUploadConfig = () => _config;
+export const generateUploadKey = (file, ctx, opts) => {
+    const merged = { ..._config, ...opts };
+    if (merged.generateKey)
+        return merged.generateKey(file, ctx);
+    const ext = extname(file.name);
+    const uuid = crypto.randomUUID();
+    const prefix = merged.keyPrefix ?? "uploads/";
+    const tenantPrefix = merged.tenantScopedKeys && ctx.tenantId ? `${ctx.tenantId}/` : "";
+    return `${prefix}${tenantPrefix}${uuid}${ext}`;
+};
+const mimeMatches = (mimeType, pattern) => {
+    if (pattern.endsWith("/*")) {
+        return mimeType.startsWith(pattern.slice(0, -1));
+    }
+    return mimeType === pattern;
+};
+export const validateFile = (file, opts) => {
+    const maxFileSize = opts.maxFileSize ?? _config.maxFileSize ?? 10 * 1024 * 1024;
+    if (file.size > maxFileSize) {
+        return `File "${file.name}" exceeds maximum size of ${maxFileSize} bytes`;
+    }
+    const allowedMimeTypes = opts.allowedMimeTypes ?? _config.allowedMimeTypes;
+    if (allowedMimeTypes && allowedMimeTypes.length > 0) {
+        const allowed = allowedMimeTypes.some((pattern) => mimeMatches(file.type, pattern));
+        if (!allowed) {
+            return `File "${file.name}" has disallowed MIME type "${file.type}"`;
+        }
+    }
+    return null;
+};
+export const processUpload = async (file, opts) => {
+    const adapter = _adapter;
+    if (!adapter)
+        throw new HttpError(500, "No storage adapter configured");
+    const validationError = validateFile(file, opts);
+    if (validationError)
+        throw new HttpError(400, validationError);
+    const key = generateUploadKey(file, opts.ctx ?? {}, opts);
+    const { url } = await adapter.put(key, file, {
+        mimeType: file.type,
+        size: file.size,
+        bucket: opts.bucket,
+    });
+    return {
+        key,
+        originalName: file.name,
+        mimeType: file.type,
+        size: file.size,
+        ...(url !== undefined ? { url } : {}),
+    };
+};
+export const parseUpload = async (c, opts) => {
+    const merged = { ..._config, ...opts };
+    const fields = merged.field
+        ? (Array.isArray(merged.field) ? merged.field : [merged.field])
+        : ["file"];
+    const maxFiles = merged.maxFiles ?? 10;
+    const body = await c.req.parseBody({ all: true });
+    const results = [];
+    const userId = c.get("authUserId") ?? undefined;
+    const tenantId = c.get("tenantId") ?? undefined;
+    const bucket = c.get("uploadBucket");
+    for (const field of fields) {
+        const raw = body[field];
+        if (!raw)
+            continue;
+        const files = Array.isArray(raw) ? raw : [raw];
+        for (const f of files) {
+            if (!(f instanceof File))
+                continue;
+            if (results.length >= maxFiles) {
+                throw new HttpError(400, `Too many files. Maximum is ${maxFiles}`);
+            }
+            const result = await processUpload(f, { ...merged, ctx: { userId, tenantId }, bucket: bucket ?? undefined });
+            results.push(result);
+        }
+    }
+    return results;
+};

package/dist/lib/validate.js

@@ -1,5 +1,5 @@
 import { z } from "zod";
-import { HttpError } from "./HttpError";
+import { ValidationError } from "./HttpError";
 export const validate = async (schema, req) => {
     try {
         const body = await req.json();
@@ -7,7 +7,7 @@ export const validate = async (schema, req) => {
     }
     catch (err) {
         if (err instanceof z.ZodError) {
-            throw new HttpError(400, err.issues.map((i) => i.message).join(", "));
+            throw new ValidationError(err.issues);
         }
         throw err;
     }

package/dist/lib/ws.d.ts

@@ -6,6 +6,7 @@ type WithSocketId = {
     id: string;
 } & WithRooms;
 export declare const setWsServer: (server: Server<any>) => void;
+export declare const setPresenceEnabled: (enabled: boolean) => void;
 export declare const publish: (topic: string, data: unknown) => void;
 /** All rooms that currently have at least one subscriber */
 export declare const getRooms: () => string[];

package/dist/lib/ws.js

@@ -1,7 +1,10 @@
+import { addPresence, removePresence, cleanupPresence } from "./wsPresence";
 // eslint-disable-next-line @typescript-eslint/no-explicit-any
 let _server = null;
+let _presenceEnabled = false;
 // eslint-disable-next-line @typescript-eslint/no-explicit-any
 export const setWsServer = (server) => { _server = server; };
+export const setPresenceEnabled = (enabled) => { _presenceEnabled = enabled; };
 export const publish = (topic, data) => {
     _server?.publish(topic, JSON.stringify(data));
 };
@@ -43,6 +46,12 @@ export const subscribe = (ws, room) => {
     if (!_roomRegistry.has(room))
         _roomRegistry.set(room, new Set());
     _roomRegistry.get(room).add(ws.data.id);
+    if (_presenceEnabled) {
+        const result = addPresence(ws.data.id, room);
+        if (result?.isNewUser) {
+            publish(room, { event: "presence_join", room, userId: result.userId });
+        }
+    }
 };
 export const unsubscribe = (ws, room) => {
     ws.unsubscribe(room);
@@ -53,10 +62,22 @@ export const unsubscribe = (ws, room) => {
         if (ids.size === 0)
             _roomRegistry.delete(room);
     }
+    if (_presenceEnabled) {
+        const result = removePresence(ws.data.id, room);
+        if (result?.isLastSocket) {
+            publish(room, { event: "presence_leave", room, userId: result.userId });
+        }
+    }
 };
 export const getSubscriptions = (ws) => [...ws.data.rooms];
 /** Called on socket close to prune the registry. Internal use only. */
 export const cleanupSocket = (socketId, rooms) => {
+    if (_presenceEnabled) {
+        const departed = cleanupPresence(socketId, rooms);
+        for (const { room, userId } of departed) {
+            publish(room, { event: "presence_leave", room, userId });
+        }
+    }
     for (const room of rooms) {
         const ids = _roomRegistry.get(room);
         if (ids) {

package/dist/lib/wsHeartbeat.d.ts

@@ -0,0 +1,12 @@
+import type { ServerWebSocket } from "bun";
+export interface HeartbeatConfig {
+    intervalMs?: number;
+    timeoutMs?: number;
+}
+export declare const registerSocket: (ws: ServerWebSocket<any>, id: string) => void;
+export declare const deregisterSocket: (id: string) => void;
+export declare const handlePong: (id: string) => void;
+export declare const startHeartbeat: (config?: HeartbeatConfig | boolean) => void;
+export declare const stopHeartbeat: () => void;
+/** Reset all heartbeat state. Useful for test isolation. */
+export declare const clearHeartbeatState: () => void;