@lastshotlabs/bunshot 0.0.21 → 0.0.25

package/dist/routes/groups.js

@@ -0,0 +1,346 @@
+import { z } from "zod";
+import { createRoute, withSecurity } from "../lib/createRoute";
+import { createRouter } from "../lib/context";
+import { userAuth } from "../middleware/userAuth";
+import { requireRole } from "../middleware/requireRole";
+import { createGroup, deleteGroup, getGroup, listGroups, updateGroup, addGroupMember, updateGroupMembership, removeGroupMember, getGroupMembers, getUserGroups, } from "../lib/groups";
+import { HttpError } from "../lib/HttpError";
+// ---------------------------------------------------------------------------
+// Zod schemas
+// ---------------------------------------------------------------------------
+const SLUG_REGEX = /^[a-z0-9_-]+$/;
+const GroupBody = z.object({
+    name: z.string().min(1).max(100).regex(SLUG_REGEX, "name must be a slug: lowercase letters, digits, underscores, or hyphens"),
+    displayName: z.string().max(200).optional(),
+    description: z.string().max(1000).optional(),
+    roles: z.array(z.string()).default([]),
+    tenantId: z.string().nullable().optional().default(null),
+});
+const GroupUpdateBody = z.object({
+    name: z.string().min(1).max(100).regex(SLUG_REGEX, "name must be a slug").optional(),
+    displayName: z.string().max(200).nullable().optional(),
+    description: z.string().max(1000).nullable().optional(),
+    roles: z.array(z.string()).optional(),
+});
+const MemberBody = z.object({
+    userId: z.string().min(1),
+    roles: z.array(z.string()).default([]),
+});
+const MemberRolesBody = z.object({
+    roles: z.array(z.string()),
+});
+const GroupResponse = z.object({
+    id: z.string(),
+    name: z.string(),
+    displayName: z.string().optional(),
+    description: z.string().optional(),
+    roles: z.array(z.string()),
+    tenantId: z.string().nullable(),
+    createdAt: z.number(),
+    updatedAt: z.number(),
+}).openapi("Group");
+const MemberResponse = z.object({
+    userId: z.string(),
+    roles: z.array(z.string()),
+}).openapi("GroupMember");
+const PaginatedGroupsResponse = z.object({
+    items: z.array(GroupResponse),
+    total: z.number(),
+    limit: z.number(),
+    offset: z.number(),
+}).openapi("PaginatedGroups");
+const PaginatedMembersResponse = z.object({
+    items: z.array(MemberResponse),
+    total: z.number(),
+    limit: z.number(),
+    offset: z.number(),
+}).openapi("PaginatedGroupMembers");
+const UserGroupEntry = z.object({
+    group: GroupResponse,
+    membershipRoles: z.array(z.string()),
+}).openapi("UserGroupEntry");
+const ErrorResponse = z.object({ error: z.string() });
+const PaginationParams = {
+    limit: z.string().optional().openapi({ description: "Max results (default 50, max 200)" }),
+    offset: z.string().optional().openapi({ description: "Skip this many results (default 0)" }),
+};
+const tags = ["Groups"];
+// ---------------------------------------------------------------------------
+// Router factory
+// ---------------------------------------------------------------------------
+export const createGroupsRouter = (config) => {
+    const router = createRouter();
+    // Normalize: managementRoutes: true is equivalent to managementRoutes: {}
+    const mgmt = config.managementRoutes === true ? {} : (config.managementRoutes ?? {});
+    const guard = mgmt.middleware ?? [userAuth, requireRole.global(mgmt.adminRole ?? "admin")];
+    // Defensive guard warning
+    if (guard.length === 0 && process.env.NODE_ENV !== "production") {
+        console.warn("[bunshot] groups.managementRoutes: resolved auth middleware is empty — management routes are unprotected");
+    }
+    // Apply auth guard to all group management routes
+    router.use("/groups/*", ...guard);
+    router.use("/users/:userId/groups", ...guard);
+    // ---------------------------------------------------------------------------
+    // GET /groups — list groups
+    // ---------------------------------------------------------------------------
+    router.openapi(withSecurity(createRoute({
+        method: "get",
+        path: "/groups",
+        tags,
+        summary: "List groups",
+        description: "List groups. Returns tenant-scoped groups when tenantId is in context, app-wide groups otherwise.",
+        request: { query: z.object(PaginationParams) },
+        responses: {
+            200: { content: { "application/json": { schema: PaginatedGroupsResponse } }, description: "Groups list" },
+            401: { content: { "application/json": { schema: ErrorResponse } }, description: "Unauthorized" },
+            403: { content: { "application/json": { schema: ErrorResponse } }, description: "Forbidden" },
+        },
+    }), { cookieAuth: [] }, { userToken: [] }), async (c) => {
+        const tenantId = c.get("tenantId") ?? null;
+        const { limit, offset } = c.req.valid("query");
+        const result = await listGroups(tenantId, {
+            limit: limit ? Math.min(parseInt(limit, 10), 200) : 50,
+            offset: offset ? parseInt(offset, 10) : 0,
+        });
+        return c.json(result, 200);
+    });
+    // ---------------------------------------------------------------------------
+    // POST /groups — create group
+    // ---------------------------------------------------------------------------
+    router.openapi(withSecurity(createRoute({
+        method: "post",
+        path: "/groups",
+        tags,
+        summary: "Create group",
+        request: { body: { content: { "application/json": { schema: GroupBody } }, required: true } },
+        responses: {
+            201: { content: { "application/json": { schema: z.object({ id: z.string() }) } }, description: "Group created" },
+            401: { content: { "application/json": { schema: ErrorResponse } }, description: "Unauthorized" },
+            403: { content: { "application/json": { schema: ErrorResponse } }, description: "Forbidden" },
+            409: { content: { "application/json": { schema: ErrorResponse } }, description: "Name already exists in scope" },
+            422: { content: { "application/json": { schema: ErrorResponse } }, description: "Validation error" },
+        },
+    }), { cookieAuth: [] }, { userToken: [] }), async (c) => {
+        const body = c.req.valid("json");
+        const result = await createGroup({
+            name: body.name,
+            displayName: body.displayName,
+            description: body.description,
+            roles: body.roles,
+            tenantId: body.tenantId ?? null,
+        });
+        return c.json(result, 201);
+    });
+    // ---------------------------------------------------------------------------
+    // GET /groups/:groupId — get group
+    // ---------------------------------------------------------------------------
+    router.openapi(withSecurity(createRoute({
+        method: "get",
+        path: "/groups/:groupId",
+        tags,
+        summary: "Get group",
+        request: { params: z.object({ groupId: z.string() }) },
+        responses: {
+            200: { content: { "application/json": { schema: GroupResponse } }, description: "Group" },
+            401: { content: { "application/json": { schema: ErrorResponse } }, description: "Unauthorized" },
+            403: { content: { "application/json": { schema: ErrorResponse } }, description: "Forbidden" },
+            404: { content: { "application/json": { schema: ErrorResponse } }, description: "Not found" },
+        },
+    }), { cookieAuth: [] }, { userToken: [] }), async (c) => {
+        const { groupId } = c.req.valid("param");
+        const group = await getGroup(groupId);
+        if (!group)
+            return c.json({ error: "Group not found" }, 404);
+        return c.json(group, 200);
+    });
+    // ---------------------------------------------------------------------------
+    // PATCH /groups/:groupId — update group
+    // ---------------------------------------------------------------------------
+    router.openapi(withSecurity(createRoute({
+        method: "patch",
+        path: "/groups/:groupId",
+        tags,
+        summary: "Update group",
+        request: {
+            params: z.object({ groupId: z.string() }),
+            body: { content: { "application/json": { schema: GroupUpdateBody } }, required: true },
+        },
+        responses: {
+            204: { description: "Updated" },
+            401: { content: { "application/json": { schema: ErrorResponse } }, description: "Unauthorized" },
+            403: { content: { "application/json": { schema: ErrorResponse } }, description: "Forbidden" },
+            404: { content: { "application/json": { schema: ErrorResponse } }, description: "Not found" },
+            409: { content: { "application/json": { schema: ErrorResponse } }, description: "Name conflict" },
+            422: { content: { "application/json": { schema: ErrorResponse } }, description: "Validation error" },
+        },
+    }), { cookieAuth: [] }, { userToken: [] }), async (c) => {
+        const { groupId } = c.req.valid("param");
+        const body = c.req.valid("json");
+        const group = await getGroup(groupId);
+        if (!group)
+            return c.json({ error: "Group not found" }, 404);
+        const updates = {};
+        if (body.name !== undefined)
+            updates.name = body.name;
+        if ("displayName" in body)
+            updates.displayName = body.displayName ?? undefined;
+        if ("description" in body)
+            updates.description = body.description ?? undefined;
+        if (body.roles !== undefined)
+            updates.roles = body.roles;
+        await updateGroup(groupId, updates);
+        return c.body(null, 204);
+    });
+    // ---------------------------------------------------------------------------
+    // DELETE /groups/:groupId — delete group
+    // ---------------------------------------------------------------------------
+    router.openapi(withSecurity(createRoute({
+        method: "delete",
+        path: "/groups/:groupId",
+        tags,
+        summary: "Delete group",
+        description: "Delete a group. All memberships are cascade-deleted.",
+        request: { params: z.object({ groupId: z.string() }) },
+        responses: {
+            204: { description: "Deleted" },
+            401: { content: { "application/json": { schema: ErrorResponse } }, description: "Unauthorized" },
+            403: { content: { "application/json": { schema: ErrorResponse } }, description: "Forbidden" },
+            404: { content: { "application/json": { schema: ErrorResponse } }, description: "Not found" },
+        },
+    }), { cookieAuth: [] }, { userToken: [] }), async (c) => {
+        const { groupId } = c.req.valid("param");
+        const group = await getGroup(groupId);
+        if (!group)
+            return c.json({ error: "Group not found" }, 404);
+        await deleteGroup(groupId);
+        return c.body(null, 204);
+    });
+    // ---------------------------------------------------------------------------
+    // GET /groups/:groupId/members — list members
+    // ---------------------------------------------------------------------------
+    router.openapi(withSecurity(createRoute({
+        method: "get",
+        path: "/groups/:groupId/members",
+        tags,
+        summary: "List group members",
+        request: {
+            params: z.object({ groupId: z.string() }),
+            query: z.object(PaginationParams),
+        },
+        responses: {
+            200: { content: { "application/json": { schema: PaginatedMembersResponse } }, description: "Members list" },
+            401: { content: { "application/json": { schema: ErrorResponse } }, description: "Unauthorized" },
+            403: { content: { "application/json": { schema: ErrorResponse } }, description: "Forbidden" },
+            404: { content: { "application/json": { schema: ErrorResponse } }, description: "Group not found" },
+        },
+    }), { cookieAuth: [] }, { userToken: [] }), async (c) => {
+        const { groupId } = c.req.valid("param");
+        const { limit, offset } = c.req.valid("query");
+        const group = await getGroup(groupId);
+        if (!group)
+            return c.json({ error: "Group not found" }, 404);
+        const result = await getGroupMembers(groupId, {
+            limit: limit ? Math.min(parseInt(limit, 10), 200) : 50,
+            offset: offset ? parseInt(offset, 10) : 0,
+        });
+        return c.json(result, 200);
+    });
+    // ---------------------------------------------------------------------------
+    // POST /groups/:groupId/members — add member
+    // ---------------------------------------------------------------------------
+    router.openapi(withSecurity(createRoute({
+        method: "post",
+        path: "/groups/:groupId/members",
+        tags,
+        summary: "Add group member",
+        request: {
+            params: z.object({ groupId: z.string() }),
+            body: { content: { "application/json": { schema: MemberBody } }, required: true },
+        },
+        responses: {
+            201: { description: "Member added" },
+            401: { content: { "application/json": { schema: ErrorResponse } }, description: "Unauthorized" },
+            403: { content: { "application/json": { schema: ErrorResponse } }, description: "Forbidden" },
+            404: { content: { "application/json": { schema: ErrorResponse } }, description: "Group not found" },
+            409: { content: { "application/json": { schema: ErrorResponse } }, description: "User already a member" },
+        },
+    }), { cookieAuth: [] }, { userToken: [] }), async (c) => {
+        const { groupId } = c.req.valid("param");
+        const body = c.req.valid("json");
+        try {
+            await addGroupMember(groupId, body.userId, body.roles);
+        }
+        catch (err) {
+            if (err instanceof HttpError) {
+                return c.json({ error: err.message }, err.status);
+            }
+            throw err;
+        }
+        return c.body(null, 201);
+    });
+    // ---------------------------------------------------------------------------
+    // PATCH /groups/:groupId/members/:userId — update member roles
+    // ---------------------------------------------------------------------------
+    router.openapi(withSecurity(createRoute({
+        method: "patch",
+        path: "/groups/:groupId/members/:userId",
+        tags,
+        summary: "Update member roles",
+        description: "Update the per-membership roles for an existing group member.",
+        request: {
+            params: z.object({ groupId: z.string(), userId: z.string() }),
+            body: { content: { "application/json": { schema: MemberRolesBody } }, required: true },
+        },
+        responses: {
+            204: { description: "Updated" },
+            401: { content: { "application/json": { schema: ErrorResponse } }, description: "Unauthorized" },
+            403: { content: { "application/json": { schema: ErrorResponse } }, description: "Forbidden" },
+        },
+    }), { cookieAuth: [] }, { userToken: [] }), async (c) => {
+        const { groupId, userId } = c.req.valid("param");
+        const { roles } = c.req.valid("json");
+        await updateGroupMembership(groupId, userId, roles);
+        return c.body(null, 204);
+    });
+    // ---------------------------------------------------------------------------
+    // DELETE /groups/:groupId/members/:userId — remove member
+    // ---------------------------------------------------------------------------
+    router.openapi(withSecurity(createRoute({
+        method: "delete",
+        path: "/groups/:groupId/members/:userId",
+        tags,
+        summary: "Remove group member",
+        request: { params: z.object({ groupId: z.string(), userId: z.string() }) },
+        responses: {
+            204: { description: "Removed" },
+            401: { content: { "application/json": { schema: ErrorResponse } }, description: "Unauthorized" },
+            403: { content: { "application/json": { schema: ErrorResponse } }, description: "Forbidden" },
+        },
+    }), { cookieAuth: [] }, { userToken: [] }), async (c) => {
+        const { groupId, userId } = c.req.valid("param");
+        await removeGroupMember(groupId, userId);
+        return c.body(null, 204);
+    });
+    // ---------------------------------------------------------------------------
+    // GET /users/:userId/groups — list user's groups
+    // ---------------------------------------------------------------------------
+    router.openapi(withSecurity(createRoute({
+        method: "get",
+        path: "/users/:userId/groups",
+        tags,
+        summary: "List user's groups",
+        description: "List groups a user belongs to. Scoped to tenant context when present, app-wide otherwise.",
+        request: { params: z.object({ userId: z.string() }) },
+        responses: {
+            200: { content: { "application/json": { schema: z.array(UserGroupEntry) } }, description: "User's groups" },
+            401: { content: { "application/json": { schema: ErrorResponse } }, description: "Unauthorized" },
+            403: { content: { "application/json": { schema: ErrorResponse } }, description: "Forbidden" },
+        },
+    }), { cookieAuth: [] }, { userToken: [] }), async (c) => {
+        const { userId } = c.req.valid("param");
+        const tenantId = c.get("tenantId") ?? null;
+        const groups = await getUserGroups(userId, tenantId);
+        return c.json(groups, 200);
+    });
+    return router;
+};

package/dist/routes/jobs.js

@@ -143,6 +143,53 @@ export const createJobsRouter = (config) => {
         const result = await Promise.all(filteredJobs.map(jobToResponse));
         return c.json({ jobs: result, total }, 200);
     });
+    // ─── Dead letter queue ────────────────────────────────────────────────
+    // Must be registered BEFORE getJobRoute so that the literal path segment
+    // "dead-letters" is matched before the parameterised {id} segment.
+    const getDlqRoute = createRoute({
+        method: "get",
+        path: "/jobs/{queue}/dead-letters",
+        summary: "List dead letter queue jobs",
+        description: "Returns paginated list of jobs in the dead letter queue for a given source queue.",
+        tags,
+        request: {
+            params: z.object({ queue: z.string().describe("Source queue name (DLQ name is {queue}-dlq).") }),
+            query: z.object({
+                start: z.string().optional().describe("Start index. Default: 0."),
+                end: z.string().optional().describe("End index. Default: 19."),
+            }),
+        },
+        responses: {
+            200: {
+                content: {
+                    "application/json": {
+                        schema: z.object({
+                            jobs: z.array(JobStatusResponse),
+                            total: z.number().describe("Total jobs in DLQ."),
+                        }),
+                    },
+                },
+                description: "DLQ jobs.",
+            },
+            403: { content: { "application/json": { schema: ErrorResponse } }, description: "Queue not allowed." },
+        },
+    });
+    router.openapi(applyRouteSecurity(getDlqRoute), async (c) => {
+        const { queue: queueName } = c.req.valid("param");
+        if (!isQueueAllowed(queueName)) {
+            return c.json({ error: "Queue not allowed" }, 403);
+        }
+        const { start: startStr, end: endStr } = c.req.valid("query");
+        const start = startStr ? parseInt(startStr) : 0;
+        const end = endStr ? parseInt(endStr) : 19;
+        const dlqQueue = createQueue(`${queueName}-dlq`);
+        const [jobs, total] = await Promise.all([
+            dlqQueue.getWaiting(start, end),
+            dlqQueue.getWaitingCount(),
+        ]);
+        const result = await Promise.all(jobs.map(jobToResponse));
+        return c.json({ jobs: result, total }, 200);
+    });
     // ─── Get job status ─────────────────────────────────────────────────────
     const getJobRoute = createRoute({
         method: "get",
@@ -221,50 +268,5 @@ export const createJobsRouter = (config) => {
         const { logs, count } = await queue.getJobLogs(id);
         return c.json({ logs, count }, 200);
     });
-    // ─── Dead letter queue ────────────────────────────────────────────────
-    const getDlqRoute = createRoute({
-        method: "get",
-        path: "/jobs/{queue}/dead-letters",
-        summary: "List dead letter queue jobs",
-        description: "Returns paginated list of jobs in the dead letter queue for a given source queue.",
-        tags,
-        request: {
-            params: z.object({ queue: z.string().describe("Source queue name (DLQ name is {queue}-dlq).") }),
-            query: z.object({
-                start: z.string().optional().describe("Start index. Default: 0."),
-                end: z.string().optional().describe("End index. Default: 19."),
-            }),
-        },
-        responses: {
-            200: {
-                content: {
-                    "application/json": {
-                        schema: z.object({
-                            jobs: z.array(JobStatusResponse),
-                            total: z.number().describe("Total jobs in DLQ."),
-                        }),
-                    },
-                },
-                description: "DLQ jobs.",
-            },
-            403: { content: { "application/json": { schema: ErrorResponse } }, description: "Queue not allowed." },
-        },
-    });
-    router.openapi(applyRouteSecurity(getDlqRoute), async (c) => {
-        const { queue: queueName } = c.req.valid("param");
-        if (!isQueueAllowed(queueName)) {
-            return c.json({ error: "Queue not allowed" }, 403);
-        }
-        const { start: startStr, end: endStr } = c.req.valid("query");
-        const start = startStr ? parseInt(startStr) : 0;
-        const end = endStr ? parseInt(endStr) : 19;
-        const dlqQueue = createQueue(`${queueName}-dlq`);
-        const [jobs, total] = await Promise.all([
-            dlqQueue.getWaiting(start, end),
-            dlqQueue.getWaitingCount(),
-        ]);
-        const result = await Promise.all(jobs.map(jobToResponse));
-        return c.json({ jobs: result, total }, 200);
-    });
     return router;
 };

package/dist/routes/metrics.d.ts

@@ -0,0 +1,7 @@
+import type { MiddlewareHandler } from "hono";
+import type { AppEnv } from "../lib/context";
+export interface MetricsRouteConfig {
+    auth?: "userAuth" | "none" | MiddlewareHandler<AppEnv>[];
+    queues?: string[];
+}
+export declare const createMetricsRouter: (config: MetricsRouteConfig) => import("@hono/zod-openapi").OpenAPIHono<AppEnv, {}, "/">;

package/dist/routes/metrics.js

@@ -0,0 +1,52 @@
+import { createRouter } from "../lib/context";
+import { serializeMetrics, registerGaugeCallback, setMetricsQueues } from "../lib/metrics";
+import { userAuth } from "../middleware/userAuth";
+export const createMetricsRouter = (config) => {
+    const router = createRouter();
+    const authConfig = config.auth ?? "none";
+    // Apply auth middleware
+    if (authConfig === "userAuth") {
+        router.use("/metrics", userAuth);
+    }
+    else if (Array.isArray(authConfig)) {
+        for (const mw of authConfig) {
+            router.use("/metrics", mw);
+        }
+    }
+    // Register BullMQ queue depth gauges if configured
+    if (config.queues?.length) {
+        const queueNames = config.queues;
+        const cachedQueues = new Map();
+        setMetricsQueues(cachedQueues);
+        registerGaugeCallback("bullmq_queue_depth", async () => {
+            const { createQueue } = await import("../lib/queue");
+            const results = [];
+            for (const name of queueNames) {
+                let queue = cachedQueues.get(name);
+                try {
+                    if (!queue) {
+                        queue = createQueue(name);
+                        cachedQueues.set(name, queue);
+                    }
+                    const counts = await queue.getJobCounts("waiting", "active", "delayed", "failed");
+                    for (const [state, count] of Object.entries(counts)) {
+                        results.push({ labels: { queue: name, state }, value: count });
+                    }
+                }
+                catch {
+                    // Discard cached instance on error so it's recreated next scrape
+                    cachedQueues.delete(name);
+                }
+            }
+            return results;
+        });
+    }
+    // Plain GET /metrics (not OpenAPI — infrastructure endpoint)
+    router.get("/metrics", async (c) => {
+        const body = await serializeMetrics();
+        return c.body(body, 200, {
+            "Content-Type": "text/plain; version=0.0.4; charset=utf-8",
+        });
+    });
+    return router;
+};

package/dist/routes/mfa.js

@@ -56,10 +56,14 @@ export const createMfaRouter = ({ rateLimit } = {}) => {
                 description: "TOTP secret generated. Scan the QR code with an authenticator app.",
             },
             401: { content: { "application/json": { schema: ErrorResponse } }, description: "No valid session." },
+            429: { content: { "application/json": { schema: ErrorResponse } }, description: "Too many MFA setup attempts. Try again later." },
             501: { content: { "application/json": { schema: ErrorResponse } }, description: "Auth adapter does not support MFA." },
         },
     }), { cookieAuth: [] }, { userToken: [] }), async (c) => {
         const userId = c.get("authUserId");
+        if (await trackAttempt(`mfa-setup:${userId}`, { windowMs: 15 * 60 * 1000, max: 5 })) {
+            return c.json({ error: "Too many MFA setup attempts. Try again later." }, 429);
+        }
         const result = await MfaService.setupMfa(userId);
         return c.json(result, 200);
     });

package/dist/routes/uploads.d.ts

@@ -0,0 +1,2 @@
+import type { PresignedUrlConfig } from "../app";
+export declare const createUploadsRouter: (config: PresignedUrlConfig) => import("@hono/zod-openapi").OpenAPIHono<import("../lib/context").AppEnv, {}, "/">;

package/dist/routes/uploads.js

@@ -0,0 +1,135 @@
+import { z } from "zod";
+import { createRouter } from "../lib/context";
+import { createRoute } from "../lib/createRoute";
+import { userAuth } from "../middleware/userAuth";
+import { getStorageAdapter, getUploadConfig } from "../lib/upload";
+import { getSigningConfig, getSigningSecret } from "../lib/appConfig";
+import { createPresignedUrl } from "../lib/signing";
+const tags = ["Uploads"];
+export const createUploadsRouter = (config) => {
+    const router = createRouter();
+    const basePath = (config.path ?? "/uploads").replace(/\/$/, "");
+    router.use(`${basePath}/*`, userAuth);
+    const presignRoute = createRoute({
+        method: "post",
+        path: `${basePath}/presign`,
+        tags,
+        summary: "Generate presigned upload URL",
+        request: {
+            body: {
+                content: {
+                    "application/json": {
+                        schema: z.object({
+                            key: z.string().describe("Storage key for the upload"),
+                            mimeType: z.string().optional().describe("MIME type of the file"),
+                            expirySeconds: z.number().int().positive().optional().describe("URL expiry in seconds"),
+                        }),
+                    },
+                },
+            },
+        },
+        responses: {
+            200: {
+                description: "Presigned URL generated",
+                content: { "application/json": { schema: z.object({ url: z.string(), key: z.string() }) } },
+            },
+            501: {
+                description: "Not implemented by adapter",
+                content: { "application/json": { schema: z.object({ error: z.string() }) } },
+            },
+        },
+    });
+    router.openapi(presignRoute, async (c) => {
+        const adapter = getStorageAdapter();
+        if (!adapter?.presignPut) {
+            return c.json({ error: "Presigned URLs not supported by the configured storage adapter" }, 501);
+        }
+        const { key, mimeType, expirySeconds } = c.req.valid("json");
+        const _uploadConfig = getUploadConfig();
+        const expiry = expirySeconds ?? (typeof config.expirySeconds === "number" ? config.expirySeconds : 3600);
+        const url = await adapter.presignPut(key, { expirySeconds: expiry, mimeType });
+        return c.json({ url, key }, 200);
+    });
+    const presignGetRoute = createRoute({
+        method: "get",
+        path: `${basePath}/presign/:key{.+}`,
+        tags,
+        summary: "Generate presigned download URL",
+        request: {
+            params: z.object({ key: z.string() }),
+            query: z.object({
+                expiry: z.string().optional().describe("URL expiry in seconds (default: 3600)"),
+            }),
+        },
+        responses: {
+            200: {
+                description: "Presigned download URL",
+                content: {
+                    "application/json": {
+                        schema: z.object({
+                            url: z.string(),
+                            expiresAt: z.number().describe("Unix timestamp (seconds) when the URL expires"),
+                        }),
+                    },
+                },
+            },
+            501: {
+                description: "Not implemented",
+                content: { "application/json": { schema: z.object({ error: z.string() }) } },
+            },
+        },
+    });
+    router.openapi(presignGetRoute, async (c) => {
+        const { key } = c.req.valid("param");
+        const { expiry: expiryStr } = c.req.valid("query");
+        const expirySeconds = expiryStr ? parseInt(expiryStr, 10) : (typeof config.expirySeconds === "number" ? config.expirySeconds : 3600);
+        const signingCfg = getSigningConfig();
+        if (signingCfg?.presignedUrls) {
+            const secret = getSigningSecret();
+            if (!secret)
+                return c.json({ error: "Signing secret not configured" }, 501);
+            const defaultExpiry = typeof signingCfg.presignedUrls === "object"
+                ? (signingCfg.presignedUrls.defaultExpiry ?? expirySeconds)
+                : expirySeconds;
+            const base = new URL(c.req.url);
+            base.pathname = `${basePath}/download/${key}`;
+            base.search = "";
+            const url = createPresignedUrl(base.toString(), key, { method: "GET", expiry: defaultExpiry }, secret);
+            const expiresAt = Math.floor(Date.now() / 1000) + defaultExpiry;
+            return c.json({ url, expiresAt }, 200);
+        }
+        // Fallback: adapter.presignGet (S3 only)
+        const adapter = getStorageAdapter();
+        if (!adapter?.presignGet) {
+            return c.json({ error: "Presigned download URLs not supported. Enable signing.presignedUrls or use an S3 adapter." }, 501);
+        }
+        const url = await adapter.presignGet(key, { expirySeconds });
+        const expiresAt = Math.floor(Date.now() / 1000) + expirySeconds;
+        return c.json({ url, expiresAt }, 200);
+    });
+    const deleteRoute = createRoute({
+        method: "delete",
+        path: `${basePath}/:key{.+}`,
+        tags,
+        summary: "Delete an uploaded file",
+        request: {
+            params: z.object({ key: z.string() }),
+        },
+        responses: {
+            204: { description: "Deleted" },
+            500: {
+                description: "No storage adapter configured",
+                content: { "application/json": { schema: z.object({ error: z.string() }) } },
+            },
+        },
+    });
+    router.openapi(deleteRoute, async (c) => {
+        const adapter = getStorageAdapter();
+        if (!adapter)
+            return c.json({ error: "No storage adapter configured" }, 500);
+        const { key } = c.req.valid("param");
+        await adapter.delete(key);
+        return c.body(null, 204);
+    });
+    return router;
+};