@lastshotlabs/bunshot 0.0.21 → 0.0.25

package/dist/app.js

@@ -1,14 +1,16 @@
 import { OpenAPIHono } from "@hono/zod-openapi";
 import { cors } from "hono/cors";
-import { logger } from "hono/logger";
 import { secureHeaders } from "hono/secure-headers";
 import { Scalar } from "@scalar/hono-api-reference";
-import { HttpError } from "./lib/HttpError";
+import { HttpError, ValidationError } from "./lib/HttpError";
 import { rateLimit } from "./middleware/rateLimit";
 import { bearerAuth } from "./middleware/bearerAuth";
 import { identify } from "./middleware/identify";
-import { HEADER_USER_TOKEN, HEADER_REFRESH_TOKEN, HEADER_CSRF_TOKEN } from "./lib/constants";
-import { setAppName, setAppRoles, setDefaultRole, setPrimaryField, setEmailVerificationConfig, setPasswordResetConfig, setPasswordPolicy, setMaxSessions, setPersistSessionMetadata, setIncludeInactiveSessions, setTrackLastActive, setRefreshTokenConfig, setMfaConfig, setCsrfEnabled } from "./lib/appConfig";
+import { defaultValidationErrorFormatter } from "./lib/context";
+import { HEADER_USER_TOKEN, HEADER_REFRESH_TOKEN, HEADER_CSRF_TOKEN, HEADER_REQUEST_ID } from "./lib/constants";
+import { requestId } from "./middleware/requestId";
+import { requestLogger } from "./middleware/requestLogger";
+import { setAppName, setAppRoles, setDefaultRole, setPrimaryField, setEmailVerificationConfig, setPasswordResetConfig, setPasswordPolicy, setMaxSessions, setPersistSessionMetadata, setIncludeInactiveSessions, setTrackLastActive, setRefreshTokenConfig, setMfaConfig, setCsrfEnabled, setSigningConfig } from "./lib/appConfig";
 import { setEmailVerificationStore } from "./lib/emailVerification";
 import { setPasswordResetStore } from "./lib/resetPassword";
 import { setAuthRateLimitStore } from "./lib/authRateLimit";
@@ -22,6 +24,7 @@ import { connectRedis } from "./lib/redis";
 import { setSessionStore } from "./lib/session";
 import { setCacheStore } from "./middleware/cacheResponse";
 import { maybeAutoRegister } from "./lib/createRoute";
+import { setStorageAdapter, setUploadConfig } from "./lib/upload";
 export const createApp = async (config) => {
     const { routesDir, app: appConfig = {}, auth: authConfig = {}, security: securityConfig = {}, middleware = [], db = {}, } = config;
     const appName = appConfig.name ?? "Bun Core API";
@@ -136,6 +139,8 @@ export const createApp = async (config) => {
     setPasswordResetConfig(passwordReset ?? null);
     setPasswordPolicy(authConfig.passwordPolicy ?? {});
     setPasswordResetStore(sessions);
+    const { setDeletionCancelTokenStore } = await import("./lib/deletionCancelToken");
+    setDeletionCancelTokenStore(sessions);
     setAuthRateLimitStore(authRateLimit?.store ?? (enableRedis ? "redis" : "memory"));
     setMaxSessions(sessionPolicy.maxSessions ?? 6);
     setPersistSessionMetadata(sessionPolicy.persistSessionMetadata ?? true);
@@ -146,6 +151,31 @@ export const createApp = async (config) => {
     if (oauthProviders)
         initOAuthProviders(oauthProviders);
     const configuredOAuth = getConfiguredOAuthProviders();
+    // Start the account deletion worker when queued deletion is configured.
+    // The worker runs in-process alongside the API server.
+    if (authConfig.accountDeletion?.queued && enableAuthRoutes) {
+        try {
+            const { createWorker } = await import("./lib/queue");
+            const appName_ = appName;
+            const accountDeletion_ = authConfig.accountDeletion;
+            createWorker(`${appName_}:account-deletions`, async (job) => {
+                const { userId } = job.data;
+                const adapter_ = authAdapter;
+                if (accountDeletion_.onBeforeDelete)
+                    await accountDeletion_.onBeforeDelete(userId);
+                if (adapter_.deleteUser)
+                    await adapter_.deleteUser(userId);
+                if (accountDeletion_.onAfterDelete)
+                    await accountDeletion_.onAfterDelete(userId);
+            }, { concurrency: 1 });
+        }
+        catch (err) {
+            if (err?.message?.includes("bullmq is not installed")) {
+                throw new Error("createApp: accountDeletion.queued requires BullMQ. Run: bun add bullmq");
+            }
+            throw err;
+        }
+    }
     // OAuth paths must bypass bearer auth — initiation and link routes are browser redirects,
     // callbacks come from external providers; none can send a bearer token header.
     const oauthBypass = configuredOAuth.flatMap((p) => [
@@ -153,10 +183,42 @@ export const createApp = async (config) => {
         `/auth/${p}/callback`,
         `/auth/${p}/link`,
     ]);
-    const DEFAULT_BYPASS = ["/docs", "/openapi.json", "/sw.js", "/health", "/"];
-    const bearerAuthBypass = [...DEFAULT_BYPASS, ...oauthBypass, ...extraBypass];
+    const DEFAULT_BYPASS = ["/docs", "/openapi.json", "/sw.js", "/health", "/", "/metrics"];
+    // Add per-version docs/spec paths when versioning is configured
+    const versionBypass = config.versioning
+        ? config.versioning.versions.flatMap((v) => [`/${v}/docs`, `/${v}/openapi.json`])
+        : [];
+    const bearerAuthBypass = [...DEFAULT_BYPASS, ...versionBypass, ...oauthBypass, ...extraBypass];
     const app = new OpenAPIHono();
-    app.use(logger());
+    app.use(requestId);
+    // Set the validation error formatter on context so defaultHook and onError both pick it up
+    const validationFormatter = config.validation?.formatError ?? defaultValidationErrorFormatter;
+    app.use("*", async (c, next) => {
+        c.set("validationErrorFormatter", validationFormatter);
+        await next();
+    });
+    // Metrics collection middleware (before requestLogger so it captures all requests)
+    if (config.metrics?.enabled) {
+        if (!config.metrics.auth || config.metrics.auth === "none") {
+            if (process.env.NODE_ENV === "production") {
+                console.warn("[security] /metrics endpoint is enabled without auth. Configure metrics.auth to restrict access in production.");
+            }
+        }
+        const { metricsCollector } = await import("./middleware/metrics");
+        app.use(metricsCollector({
+            excludePaths: config.metrics.excludePaths,
+            normalizePath: config.metrics.normalizePath,
+        }));
+    }
+    const loggingConfig = config.logging ?? {};
+    if (loggingConfig.enabled !== false) {
+        app.use(requestLogger({
+            onLog: loggingConfig.onLog,
+            level: loggingConfig.level,
+            excludePaths: loggingConfig.excludePaths,
+            excludeMethods: loggingConfig.excludeMethods,
+        }));
+    }
     const headerOpts = {};
     if (securityConfig.headers?.contentSecurityPolicy) {
         headerOpts["Content-Security-Policy"] = securityConfig.headers.contentSecurityPolicy;
@@ -176,7 +238,7 @@ export const createApp = async (config) => {
     const corsAllowHeaders = ["Content-Type", "Authorization", HEADER_USER_TOKEN, HEADER_REFRESH_TOKEN];
     if (securityConfig.csrf?.enabled)
         corsAllowHeaders.push(HEADER_CSRF_TOKEN);
-    app.use(cors({ origin: corsOrigins, allowHeaders: corsAllowHeaders, exposeHeaders: ["x-cache"], credentials: true }));
+    app.use(cors({ origin: corsOrigins, allowHeaders: corsAllowHeaders, exposeHeaders: ["x-cache", HEADER_REQUEST_ID], credentials: true }));
     if ((botCfg.blockList?.length ?? 0) > 0) {
         const { botProtection } = await import("./middleware/botProtection");
         app.use(botProtection({ blockList: botCfg.blockList }));
@@ -192,6 +254,10 @@ export const createApp = async (config) => {
         });
     }
     app.use(identify);
+    // Signing config — make available to pagination, identify, and other lib modules
+    if (securityConfig.signing) {
+        setSigningConfig(securityConfig.signing);
+    }
     // CSRF protection (after identify so we can check for auth cookie presence)
     if (securityConfig.csrf?.enabled) {
         setCsrfEnabled(true);
@@ -224,6 +290,10 @@ export const createApp = async (config) => {
     }
     for (const mw of middleware)
         app.use(mw);
+    if (authConfig.mfa?.required) {
+        const { requireMfaSetup } = await import("./middleware/requireMfaSetup");
+        app.use(requireMfaSetup);
+    }
     setAppName(appName);
     // Schema pre-loading — import shared schema files before routes so registerSchema /
     // registerSchemas calls run first, guaranteeing $ref instead of inline shapes.
@@ -299,49 +369,180 @@ export const createApp = async (config) => {
         const { createJobsRouter } = await import(`${coreRoutesDir}/jobs`);
         app.route("/", createJobsRouter(config.jobs));
     }
-    // Service routes — collect all, sort by optional exported `priority`, then mount
-    const serviceGlob = new Bun.Glob("**/*.ts");
-    const serviceFiles = [];
-    for await (const file of serviceGlob.scan({ cwd: routesDir })) {
-        serviceFiles.push(file);
-    }
-    const serviceMods = await Promise.all(serviceFiles.map(async (file) => ({
-        file,
-        mod: await import(`${routesDir}/${file}`),
-    })));
-    serviceMods
-        .sort((a, b) => (a.mod.priority ?? Infinity) - (b.mod.priority ?? Infinity))
-        .forEach(({ mod }) => {
-        if (mod.router)
-            app.route("/", mod.router);
-    });
+    if (config.metrics?.enabled) {
+        const { createMetricsRouter } = await import(`${coreRoutesDir}/metrics`);
+        app.route("/", createMetricsRouter({
+            auth: config.metrics.auth,
+            queues: config.metrics.queues,
+        }));
+    }
+    if (config.groups?.managementRoutes) {
+        const { createGroupsRouter } = await import(`${coreRoutesDir}/groups`);
+        app.route("/", createGroupsRouter(config.groups));
+    }
+    if (config.upload) {
+        const { storage, presignedUrls, ...uploadOpts } = config.upload;
+        setStorageAdapter(storage);
+        setUploadConfig(uploadOpts);
+        if (presignedUrls) {
+            const { createUploadsRouter } = await import(`${coreRoutesDir}/uploads`);
+            const presignConfig = presignedUrls === true ? {} : presignedUrls;
+            app.route("/", createUploadsRouter(presignConfig));
+        }
+    }
+    // Helper to register standard security schemes on an OpenAPI registry
+    const registerSecuritySchemes = (registry) => {
+        registry.registerComponent("securitySchemes", "cookieAuth", {
+            type: "apiKey",
+            in: "cookie",
+            name: "token",
+            description: "Session cookie set automatically on login/register.",
+        });
+        registry.registerComponent("securitySchemes", "userToken", {
+            type: "apiKey",
+            in: "header",
+            name: "x-user-token",
+            description: "JWT session token passed as the x-user-token request header (alternative to the session cookie).",
+        });
+        registry.registerComponent("securitySchemes", "bearerAuth", {
+            type: "http",
+            scheme: "bearer",
+            description: "API key passed as Authorization: Bearer <token>. Required on all endpoints unless bearer auth is disabled in CreateAppConfig or the path is in the bypass list.",
+        });
+    };
+    if (config.versioning) {
+        // Version-aware route discovery — each version gets its own OpenAPIHono instance
+        const { versions, sharedDir = "shared", defaultVersion = versions[versions.length - 1] } = config.versioning;
+        const { setVersionPrefix, clearVersionPrefix, getVersionToken, drainCapturedTokens, assertCapturedTokens } = await import("./lib/createRoute");
+        const { defaultHook } = await import("./lib/context");
+        const { stripUnreferencedSchemas } = await import("./lib/stripUnreferencedSchemas");
+        // Import shared routes with no prefix — schemas stay unprefixed (version-agnostic)
+        let sharedMods = [];
+        if (sharedDir !== false) {
+            const sharedRoutesDir = `${routesDir}/${sharedDir}`;
+            try {
+                const sharedGlob = new Bun.Glob("**/*.ts");
+                const sharedFiles = [];
+                for await (const file of sharedGlob.scan({ cwd: sharedRoutesDir })) {
+                    sharedFiles.push(file);
+                }
+                sharedMods = await Promise.all(sharedFiles.map(async (file) => ({ file, mod: await import(`${sharedRoutesDir}/${file}`) })));
+            }
+            catch {
+                // sharedDir doesn't exist — fine
+            }
+        }
+        // Drain any tokens captured during shared route imports (token=null, correct since no prefix was set)
+        // to prevent null tokens from bleeding into per-version assertions below.
+        drainCapturedTokens();
+        // For each version sequentially: set prefix, import routes, mount on isolated OpenAPIHono
+        for (const version of versions) {
+            setVersionPrefix(version);
+            const expectedToken = getVersionToken();
+            const vApp = new OpenAPIHono({ defaultHook });
+            const versionRoutesDir = `${routesDir}/${version}`;
+            const versionFiles = [];
+            try {
+                const versionGlob = new Bun.Glob("**/*.ts");
+                for await (const file of versionGlob.scan({ cwd: versionRoutesDir })) {
+                    versionFiles.push(file);
+                }
+            }
+            catch {
+                // version dir doesn't exist — fine
+            }
+            // Import all version route files in parallel
+            const versionMods = await Promise.all(versionFiles.map(async (file) => ({ file, mod: await import(`${versionRoutesDir}/${file}`) })));
+            // Assert version token to catch top-level await interleaving bugs at startup
+            assertCapturedTokens(drainCapturedTokens(), expectedToken);
+            // Mount version-specific routes (sorted by priority)
+            versionMods
+                .sort((a, b) => (a.mod.priority ?? Infinity) - (b.mod.priority ?? Infinity))
+                .forEach(({ mod }) => {
+                if (mod.router)
+                    vApp.route("/", mod.router);
+            });
+            // Mount shared routes on this versioned app
+            for (const { mod } of sharedMods) {
+                if (mod.router)
+                    vApp.route("/", mod.router);
+            }
+            registerSecuritySchemes(vApp.openAPIRegistry);
+            // Serve per-version spec stripped of schemas from other versions
+            vApp.get("/openapi.json", (c) => {
+                const spec = vApp.getOpenAPIDocument({
+                    openapi: "3.0.0",
+                    info: { title: `${appName} ${version.toUpperCase()}`, version: openApiVersion },
+                });
+                return c.json(stripUnreferencedSchemas(spec));
+            });
+            // Per-version Scalar docs
+            vApp.get("/docs", Scalar({ url: `/${version}/openapi.json` }));
+            clearVersionPrefix();
+            // Mount versioned app under /v1, /v2, etc.
+            app.route(`/${version}`, vApp);
+        }
+        // Root /docs → version selector page
+        app.get("/docs", (c) => {
+            const links = versions
+                .map((v) => `<li><a href="/${v}/docs" style="font-size:1.1em">${v.toUpperCase()}</a></li>`)
+                .join("\n");
+            const html = `<!DOCTYPE html>
+<html lang="en">
+<head><meta charset="utf-8"><title>${appName} — API Docs</title>
+<style>body{font-family:sans-serif;padding:2rem}ul{list-style:none;padding:0}li{margin:.5rem 0}</style>
+</head>
+<body>
+<h1>${appName}</h1>
+<h2>API Documentation</h2>
+<ul>${links}</ul>
+</body></html>`;
+            return c.html(html);
+        });
+        // Root /openapi.json → 302 to default version (no merged spec exists)
+        app.get("/openapi.json", (c) => c.redirect(`/${defaultVersion}/openapi.json`, 302));
+    }
+    else {
+        // Non-versioned path — existing behavior unchanged
+        // Service routes — collect all, sort by optional exported `priority`, then mount
+        const serviceGlob = new Bun.Glob("**/*.ts");
+        const serviceFiles = [];
+        for await (const file of serviceGlob.scan({ cwd: routesDir })) {
+            serviceFiles.push(file);
+        }
+        const serviceMods = await Promise.all(serviceFiles.map(async (file) => ({
+            file,
+            mod: await import(`${routesDir}/${file}`),
+        })));
+        serviceMods
+            .sort((a, b) => (a.mod.priority ?? Infinity) - (b.mod.priority ?? Infinity))
+            .forEach(({ mod }) => {
+            if (mod.router)
+                app.route("/", mod.router);
+        });
+        registerSecuritySchemes(app.openAPIRegistry);
+        app.doc("/openapi.json", { openapi: "3.0.0", info: { title: appName, version: openApiVersion } });
+        app.get("/docs", Scalar({ url: "/openapi.json" }));
+    }
     app.onError((err, c) => {
+        const reqId = c.get("requestId") ?? "unknown";
+        // ValidationError extends HttpError — must check first or the details payload is lost
+        if (err instanceof ValidationError) {
+            const fmt = c.get("validationErrorFormatter") ?? defaultValidationErrorFormatter;
+            try {
+                return c.json(fmt(err.issues, reqId), 400);
+            }
+            catch {
+                return c.json(defaultValidationErrorFormatter(err.issues, reqId), 400);
+            }
+        }
         if (err instanceof HttpError) {
-            return c.json({ error: err.message }, err.status);
+            return c.json({ error: err.message, requestId: reqId }, err.status);
         }
         console.error(err);
-        return c.json({ error: "Internal Server Error" }, 500);
-    });
-    app.notFound((c) => c.json({ error: "Not Found" }, 404));
-    app.openAPIRegistry.registerComponent("securitySchemes", "cookieAuth", {
-        type: "apiKey",
-        in: "cookie",
-        name: "token",
-        description: "Session cookie set automatically on login/register.",
-    });
-    app.openAPIRegistry.registerComponent("securitySchemes", "userToken", {
-        type: "apiKey",
-        in: "header",
-        name: "x-user-token",
-        description: "JWT session token passed as the x-user-token request header (alternative to the session cookie).",
-    });
-    app.openAPIRegistry.registerComponent("securitySchemes", "bearerAuth", {
-        type: "http",
-        scheme: "bearer",
-        description: "API key passed as Authorization: Bearer <token>. Required on all endpoints unless bearer auth is disabled in CreateAppConfig or the path is in the bypass list.",
+        return c.json({ error: "Internal Server Error", requestId: reqId }, 500);
     });
-    app.doc("/openapi.json", { openapi: "3.0.0", info: { title: appName, version: openApiVersion } });
-    app.get("/docs", Scalar({ url: "/openapi.json" }));
+    app.notFound((c) => c.json({ error: "Not Found", requestId: c.get("requestId") ?? "unknown" }, 404));
     app.get("/sw.js", (c) => c.body("", 200, { "Content-Type": "application/javascript" }));
     return app;
 };

package/dist/cli.js

@@ -1,21 +1,96 @@
 #!/usr/bin/env bun
 // @bun
-var D=import.meta.require;import{existsSync as N,mkdirSync as X,writeFileSync as q,readSync as b,rmSync as h}from"fs";import{join as B}from"path";import{spawnSync as M}from"child_process";function w(z){process.stdout.write(z);let H=Buffer.alloc(1024),Q=b(0,H,0,H.length,null);return H.subarray(0,Q).toString().trim().replace(/\r/g,"")}function E(z,H,Q=0){let J=Q;function Z($=!1){if(!$)process.stdout.write(`\x1B[${H.length}A`);for(let A=0;A<H.length;A++){let V=A===J,R=V?"\x1B[36m>\x1B[0m":" ",g=V?`\x1B[1m${H[A]}\x1B[0m`:`\x1B[2m${H[A]}\x1B[0m`;process.stdout.write(`\x1B[2K  ${R} ${g}
-`)}}if(!process.stdin.isTTY){console.log(z),H.forEach((V,R)=>console.log(`  ${R+1}) ${V}`));let $=w(`  Choose [${Q+1}]: `);if(!$)return Q;let A=parseInt($);if(A>=1&&A<=H.length)return A-1;return Q}console.log(z),process.stdout.write("\x1B[?25l"),Z(!0),process.stdin.setRawMode(!0);let _=Buffer.alloc(16);try{while(!0){let $=b(0,_,0,_.length,null),A=_.subarray(0,$).toString();if(A==="\r"||A===`
-`)break;else if(A==="\x1B[A"||A==="\x1BOA")J=(J-1+H.length)%H.length,Z();else if(A==="\x1B[B"||A==="\x1BOB")J=(J+1)%H.length,Z();else if(A==="\x03")process.stdout.write(`\x1B[?25h
-`),process.stdin.setRawMode(!1),process.exit(0);else{let V=parseInt(A);if(V>=1&&V<=H.length){J=V-1,Z();break}}}}finally{process.stdin.setRawMode(!1),process.stdout.write("\x1B[?25h")}return J}var f=process.argv[2],m=process.argv[3],O=f||w("App name: ");if(!O)console.error("App name is required."),process.exit(1);var I=O.toLowerCase().replace(/\s+/g,"-").replace(/[^a-z0-9-]/g,""),G=m||(f?I:w(`Directory (${I}): `))||I,K=!1,W=!1,P="mongo",v="redis",T="redis",F="redis";console.log("");var x=E("Database setup:",["Full stack        (MongoDB + Redis \u2014 production ready)","SQLite            (single file, no external services)","Memory            (ephemeral, great for prototyping/tests)","Custom            (choose each store individually)"]);if(x===0)K=E("MongoDB connection mode:",["Single   (auth + app data share one connection)","Separate (auth on its own cluster)"])===0?"single":"separate",W=!0,P="mongo",v="redis",T="redis",F="redis";else if(x===1)K=!1,W=!1,P="sqlite",v="sqlite",T="sqlite",F="sqlite";else if(x===2)K=!1,W=!1,P="memory",v="memory",T="memory",F="memory";else{console.log(`
+var a=import.meta.require;import{existsSync as D,mkdirSync as E,writeFileSync as I,readSync as g,rmSync as r}from"fs";import{join as K}from"path";import{spawnSync as w}from"child_process";function b(z){process.stdout.write(z);let G=Buffer.alloc(1024),U=g(0,G,0,G.length,null);return G.subarray(0,U).toString().trim().replace(/\r/g,"")}function Q(z,G,U=0){let J=U;function $(_=!1){if(!_)process.stdout.write(`\x1B[${G.length}A`);for(let H=0;H<G.length;H++){let Z=H===J,F=Z?"\x1B[36m>\x1B[0m":" ",L=Z?`\x1B[1m${G[H]}\x1B[0m`:`\x1B[2m${G[H]}\x1B[0m`;process.stdout.write(`\x1B[2K  ${F} ${L}
+`)}}if(!process.stdin.isTTY){console.log(z),G.forEach((Z,F)=>console.log(`  ${F+1}) ${Z}`));let _=b(`  Choose [${U+1}]: `);if(!_)return U;let H=parseInt(_);if(H>=1&&H<=G.length)return H-1;return U}console.log(z),process.stdout.write("\x1B[?25l"),$(!0),process.stdin.setRawMode(!0);let W=Buffer.alloc(16);try{while(!0){let _=g(0,W,0,W.length,null),H=W.subarray(0,_).toString();if(H==="\r"||H===`
+`)break;else if(H==="\x1B[A"||H==="\x1BOA")J=(J-1+G.length)%G.length,$();else if(H==="\x1B[B"||H==="\x1BOB")J=(J+1)%G.length,$();else if(H==="\x03")process.stdout.write(`\x1B[?25h
+`),process.stdin.setRawMode(!1),process.exit(0);else{let Z=parseInt(H);if(Z>=1&&Z<=G.length){J=Z-1,$();break}}}}finally{process.stdin.setRawMode(!1),process.stdout.write("\x1B[?25h")}return J}var y=process.argv[2],n=process.argv[3],N=y||b("App name: ");if(!N)console.error("App name is required."),process.exit(1);var x=N.toLowerCase().replace(/\s+/g,"-").replace(/[^a-z0-9-]/g,""),X=n||(y?x:b(`Directory (${x}): `))||x,Y=!1,B=!1,T="mongo",q="redis",v="redis",O="redis";console.log("");var C=Q("Database setup:",["Full stack        (MongoDB + Redis \u2014 production ready)","SQLite            (single file, no external services)","Memory            (ephemeral, great for prototyping/tests)","Custom            (choose each store individually)"]);if(C===0)Y=Q("MongoDB connection mode:",["Single   (auth + app data share one connection)","Separate (auth on its own cluster)"])===0?"single":"separate",B=!0,T="mongo",q="redis",v="redis",O="redis";else if(C===1)Y=!1,B=!1,T="sqlite",q="sqlite",v="sqlite",O="sqlite";else if(C===2)Y=!1,B=!1,T="memory",q="memory",v="memory",O="memory";else{console.log(`
   Configure each store:
-`);let z=E("MongoDB:",["Single   (one connection for auth + app data)","Separate (auth on its own cluster)","None     (no MongoDB)"]);if(z===0)K="single";else if(z===1)K="separate";else K=!1;W=E("Redis:",["Yes","No"])===0;let Q=[],J=[];if(W)Q.push("redis"),J.push("Redis");if(K)Q.push("mongo"),J.push("MongoDB");Q.push("sqlite","memory"),J.push("SQLite","Memory");let Z=[],_=[];if(K)Z.push("mongo"),_.push("MongoDB");Z.push("sqlite","memory"),_.push("SQLite","Memory");let $=E("Auth store:",_);P=Z[$];let A=E("Sessions store:",J);v=Q[A];let V=E("Cache store:",J);T=Q[V];let R=E("OAuth state store:",J);F=Q[R]}var S=P==="sqlite"||v==="sqlite"||T==="sqlite"||F==="sqlite",U=B(process.cwd(),G),Y=B(U,"src"),k=B(Y,"config"),j=B(Y,"lib"),p=B(Y,"routes"),l=B(Y,"workers"),u=B(Y,"queues"),d=B(Y,"ws"),c=B(Y,"services"),a=B(Y,"middleware"),r=B(Y,"models");if(N(U))console.error(`Directory "${G}" already exists.`),process.exit(1);function n(){let z=[];if(K)z.push(`  mongo: "${K}",`);else z.push("  mongo: false,");if(z.push(`  redis: ${W},`),z.push(`  auth: "${P}",`),z.push(`  sessions: "${v}",`),z.push(`  oauthState: "${F}",`),z.push(`  cache: "${T}",`),S)z.push('  sqlite: path.join(import.meta.dir, "../../data.db"),');return`{
+`);let z=Q("MongoDB:",["Single   (one connection for auth + app data)","Separate (auth on its own cluster)","None     (no MongoDB)"]);if(z===0)Y="single";else if(z===1)Y="separate";else Y=!1;B=Q("Redis:",["Yes","No"])===0;let U=[],J=[];if(B)U.push("redis"),J.push("Redis");if(Y)U.push("mongo"),J.push("MongoDB");U.push("sqlite","memory"),J.push("SQLite","Memory");let $=[],W=[];if(Y)$.push("mongo"),W.push("MongoDB");$.push("sqlite","memory"),W.push("SQLite","Memory");let _=Q("Auth store:",W);T=$[_];let H=Q("Sessions store:",J);q=U[H];let Z=Q("Cache store:",J);v=U[Z];let F=Q("OAuth state store:",J);O=U[F]}var s=T==="sqlite"||q==="sqlite"||v==="sqlite"||O==="sqlite";console.log("");var R="web-saas",m=null,t=Q("How would you like to configure auth?",["Use a preset     (pick a security posture, get sensible defaults)","Step by step     (choose features individually)"]);if(t===0){let z=Q("Which best describes your app?",["Web app / SaaS       (CSRF, refresh tokens, botProtection)","Internal / admin     (MFA required, no refresh tokens, tight limits)",'Mobile / API only    (no CSRF, cors: "*", header auth)',"Dev / prototype      (permissive \u2014 iterate fast, no rate limits)"]);R=["web-saas","internal","mobile-api","dev"][z]}else{R="custom";let z=Q("Password policy:",["Relaxed (8 chars)","Strong (12+ chars, special required)","Minimal (dev only)"]),G=["relaxed","strong","minimal"][z],J=Q("Email verification:",["Yes","No"])===0,W=Q("Password reset:",["Yes","No"])===0,H=Q("Refresh tokens:",["Yes","No"])===0,Z=Q("MFA:",["None","Optional (users opt in)","Required (all users)"]),F=["none","optional","required"][Z],h=Q("CSRF protection:",["Yes","No"])===0,P=[],d=["Google","GitHub","Apple","Microsoft"];while(!0){let j=[...d.filter((c)=>!P.includes(c)),"None (done)"],u=Q("OAuth providers (select all that apply):",j),f=j[u];if(f==="None (done)")break;P.push(f)}m={passwordPolicy:G,emailVerification:J,passwordReset:W,refreshTokens:H,mfa:F,csrf:h,oauthProviders:P}}var A=K(process.cwd(),X),V=K(A,"src"),S=K(V,"config"),l=K(V,"lib"),i=K(V,"routes"),o=K(V,"workers"),e=K(V,"queues"),zz=K(V,"ws"),Gz=K(V,"services"),Hz=K(V,"middleware"),Jz=K(V,"models");if(D(A))console.error(`Directory "${X}" already exists.`),process.exit(1);function Kz(){let z=[];if(Y)z.push(`  mongo: "${Y}",`);else z.push("  mongo: false,");if(z.push(`  redis: ${B},`),z.push(`  auth: "${T}",`),z.push(`  sessions: "${q}",`),z.push(`  oauthState: "${O}",`),z.push(`  cache: "${v}",`),s)z.push('  sqlite: path.join(import.meta.dir, "../../data.db"),');return`{
 ${z.join(`
 `)}
-}`}var s=`export const APP_NAME = "${O}";
+}`}function Qz(){if(R==="web-saas")return`export const auth: AuthConfig = {
+  roles: Object.values(USER_ROLES),
+  defaultRole: USER_ROLES.USER,
+  passwordPolicy: { minLength: 8, requireLetter: true, requireDigit: true },
+  // Uncomment to require email verification before login:
+  // emailVerification: {
+  //   required: true,
+  //   onSend: async (email, token) => { /* send via Resend, SendGrid, etc. */ },
+  // },
+  // Uncomment to enable password reset:
+  // passwordReset: {
+  //   onSend: async (email, token) => { /* send via Resend, SendGrid, etc. */ },
+  // },
+  refreshTokens: { accessTokenExpiry: 900, refreshTokenExpiry: 2_592_000 },
+  sessionPolicy: { trackLastActive: true },
+  // Uncomment to enable opt-in MFA (TOTP + email OTP):
+  // mfa: { issuer: APP_NAME },
+};
+
+export const security: SecurityConfig = {
+  cors: ["https://myapp.com"],   // TODO: replace with your domain
+  trustProxy: 1,
+  csrf: { enabled: true },
+  botProtection: { fingerprintRateLimit: true },
+};`;if(R==="internal")return`export const auth: AuthConfig = {
+  roles: ["superadmin", "admin", "viewer"],
+  defaultRole: "viewer",
+  passwordPolicy: { minLength: 14, requireLetter: true, requireDigit: true, requireSpecial: true },
+  mfa: { issuer: APP_NAME, required: true },
+  sessionPolicy: {
+    maxSessions: 2,
+    trackLastActive: true,
+    persistSessionMetadata: true,
+    includeInactiveSessions: true,
+  },
+  rateLimit: { login: { windowMs: 15 * 60 * 1000, max: 5 } },
+};
+
+export const security: SecurityConfig = {
+  cors: ["https://admin.myapp.com"],  // TODO: replace with your domain
+  trustProxy: 1,
+  csrf: { enabled: true },
+  rateLimit: { windowMs: 60_000, max: 30 },
+};`;if(R==="mobile-api")return`export const auth: AuthConfig = {
+  roles: Object.values(USER_ROLES),
+  defaultRole: USER_ROLES.USER,
+  refreshTokens: { accessTokenExpiry: 900, refreshTokenExpiry: 2_592_000, rotationGraceSeconds: 60 },
+  sessionPolicy: { maxSessions: 5 },
+};
+
+export const security: SecurityConfig = {
+  cors: "*",
+  trustProxy: 1,
+  botProtection: { fingerprintRateLimit: true },
+};`;if(R==="dev")return`export const auth: AuthConfig = {
+  roles: Object.values(USER_ROLES),
+  defaultRole: USER_ROLES.USER,
+  passwordPolicy: { minLength: 1, requireLetter: false, requireDigit: false, requireSpecial: false },
+  rateLimit: {
+    login: { windowMs: 60_000, max: 10_000 },
+    register: { windowMs: 60_000, max: 10_000 },
+  },
+};
+
+export const security: SecurityConfig = {
+  cors: "*",
+  bearerAuth: false,
+};`;let z=m,G=["  roles: Object.values(USER_ROLES),","  defaultRole: USER_ROLES.USER,"];if(z.passwordPolicy==="relaxed")G.push("  passwordPolicy: { minLength: 8, requireLetter: true, requireDigit: true },");else if(z.passwordPolicy==="strong")G.push("  passwordPolicy: { minLength: 12, requireLetter: true, requireDigit: true, requireSpecial: true },");else G.push("  passwordPolicy: { minLength: 1, requireLetter: false, requireDigit: false, requireSpecial: false },");if(z.emailVerification)G.push("  emailVerification: {"),G.push("    required: true,"),G.push("    onSend: async (email, token) => { /* send via Resend, SendGrid, etc. */ },"),G.push("  },");if(z.passwordReset)G.push("  passwordReset: {"),G.push("    onSend: async (email, token) => { /* send via Resend, SendGrid, etc. */ },"),G.push("  },");if(z.refreshTokens)G.push("  refreshTokens: { accessTokenExpiry: 900, refreshTokenExpiry: 2_592_000 },");if(z.mfa==="optional")G.push("  mfa: { issuer: APP_NAME },");else if(z.mfa==="required")G.push("  mfa: { issuer: APP_NAME, required: true },");G.push("  sessionPolicy: { trackLastActive: true },");let U=`export const auth: AuthConfig = {
+${G.join(`
+`)}
+};`,J=['  cors: "*",'];if(z.csrf)J.push("  csrf: { enabled: true },");let $=`export const security: SecurityConfig = {
+${J.join(`
+`)}
+};`;return`${U}
+
+${$}`}var Uz=`export const APP_NAME = "${N}";
 export const APP_VERSION = "1.0.0";
 
 export const USER_ROLES = {
   ADMIN: "admin",
   USER: "user",
 };
-`,t=`import path from "path";
+`,Xz=`import path from "path";
 import {
   type AppMeta,
   type AuthConfig,
@@ -36,16 +111,9 @@ export const workersDir = path.join(import.meta.dir, "../workers");
 
 export const port = process.env.PORT ? parseInt(process.env.PORT) : 3000;
 
-export const db: DbConfig = ${n()};
-
-export const auth: AuthConfig = {
-  roles: Object.values(USER_ROLES),
-  defaultRole: USER_ROLES.USER,
-};
+export const db: DbConfig = ${Kz()};
 
-export const security: SecurityConfig = {
-  cors: ["*"],
-};
+${Qz()}
 
 export const appConfig: CreateServerConfig = {
   app,
@@ -56,11 +124,11 @@ export const appConfig: CreateServerConfig = {
   auth,
   security,
 };
-`,i=`import { createServer } from "@lastshotlabs/bunshot";
+`,Yz=`import { createServer } from "@lastshotlabs/bunshot";
 import { appConfig } from "@config/index";
 
 await createServer(appConfig);
-`,o=`# ${O}
+`,Zz=`# ${N}
 
 Built with [@lastshotlabs/bunshot](https://github.com/Last-Shot-Labs/bunshot).
 
@@ -105,7 +173,7 @@ export const router = createRouter();
 
 router.get("/products", (c) => c.json({ products: [] }));
 \`\`\`
-${K?`
+${Y?`
 ## Adding models
 
 \`\`\`ts
@@ -123,7 +191,7 @@ export const Product = appConnection.model("Product", ProductSchema);
 ## Environment variables
 
 See \`.env\` \u2014 fill in the values before running.
-`;function e(){let z=["NODE_ENV=development","PORT=3000"];if(K==="single")z.push(`
+`;function $z(){let z=["NODE_ENV=development","PORT=3000"];if(Y==="single")z.push(`
 # MongoDB
 MONGO_USER_DEV=
 MONGO_PW_DEV=
@@ -132,7 +200,7 @@ MONGO_DB_DEV=
 MONGO_USER_PROD=
 MONGO_PW_PROD=
 MONGO_HOST_PROD=
-MONGO_DB_PROD=`);else if(K==="separate")z.push(`
+MONGO_DB_PROD=`);else if(Y==="separate")z.push(`
 # MongoDB (app data)
 MONGO_USER_DEV=
 MONGO_PW_DEV=
@@ -151,7 +219,7 @@ MONGO_AUTH_DB_DEV=
 MONGO_AUTH_USER_PROD=
 MONGO_AUTH_PW_PROD=
 MONGO_AUTH_HOST_PROD=
-MONGO_AUTH_DB_PROD=`);if(W)z.push(`
+MONGO_AUTH_DB_PROD=`);if(B)z.push(`
 # Redis
 REDIS_HOST_DEV=
 REDIS_USER_DEV=
@@ -168,26 +236,38 @@ BEARER_TOKEN_DEV=
 BEARER_TOKEN_PROD=
 
 # OAuth \u2014 Google (optional)
-GOOGLE_CLIENT_ID=
-GOOGLE_CLIENT_SECRET=
-GOOGLE_REDIRECT_URI=
+# GOOGLE_CLIENT_ID=
+# GOOGLE_CLIENT_SECRET=
+# GOOGLE_REDIRECT_URI=
 
 # OAuth \u2014 Apple (optional)
-APPLE_CLIENT_ID=
-APPLE_TEAM_ID=
-APPLE_KEY_ID=
-APPLE_PRIVATE_KEY=
-APPLE_REDIRECT_URI=`),z.join(`
+# APPLE_CLIENT_ID=
+# APPLE_TEAM_ID=
+# APPLE_KEY_ID=
+# APPLE_PRIVATE_KEY=
+# APPLE_REDIRECT_URI=
+
+# OAuth \u2014 GitHub (optional)
+# GITHUB_CLIENT_ID=
+# GITHUB_CLIENT_SECRET=
+# GITHUB_REDIRECT_URI=
+
+# OAuth \u2014 Microsoft (optional)
+# MICROSOFT_TENANT_ID=
+# MICROSOFT_CLIENT_ID=
+# MICROSOFT_CLIENT_SECRET=
+# MICROSOFT_REDIRECT_URI=`),z.join(`
 `)+`
 `}console.log(`
-@lastshotlabs/bunshot \u2014 creating ${G}
-`);X(U,{recursive:!0});console.log("  Running bun init...");M("bun",["init","-y"],{cwd:U,stdio:"inherit"});var C=B(U,"index.ts");if(N(C))h(C);var y=B(U,"package.json"),L=JSON.parse(D("fs").readFileSync(y,"utf-8"));L.module="src/index.ts";L.scripts={dev:"bun --watch src/index.ts",start:"bun src/index.ts"};L.dependencies={...L.dependencies,"@lastshotlabs/bunshot":"*"};q(y,JSON.stringify(L,null,2)+`
-`,"utf-8");var zz=B(U,"tsconfig.json"),Az={compilerOptions:{lib:["ESNext"],target:"ESNext",module:"Preserve",moduleDetection:"force",jsx:"react-jsx",allowJs:!0,moduleResolution:"bundler",allowImportingTsExtensions:!0,verbatimModuleSyntax:!0,noEmit:!0,strict:!0,skipLibCheck:!0,noFallthroughCasesInSwitch:!0,noUncheckedIndexedAccess:!0,noImplicitOverride:!0,noUnusedLocals:!1,noUnusedParameters:!1,noPropertyAccessFromIndexSignature:!1,paths:{"@lib/*":["./src/lib/*"],"@middleware/*":["./src/middleware/*"],"@models/*":["./src/models/*"],"@queues/*":["./src/queues/*"],"@routes/*":["./src/routes/*"],"@scripts/*":["./src/scripts/*"],"@services/*":["./src/services/*"],"@workers/*":["./src/workers/*"],"@service-facades/*":["./src/service-facades/*"],"@config/*":["./src/config/*"],"@constants/*":["./src/lib/constants/*"]}}};q(zz,JSON.stringify(Az,null,2)+`
-`,"utf-8");X(k,{recursive:!0});X(j,{recursive:!0});X(p,{recursive:!0});X(l,{recursive:!0});X(u,{recursive:!0});X(d,{recursive:!0});X(c,{recursive:!0});X(a,{recursive:!0});X(r,{recursive:!0});q(B(j,"constants.ts"),s,"utf-8");q(B(k,"index.ts"),t,"utf-8");q(B(Y,"index.ts"),i,"utf-8");q(B(U,".env"),e(),"utf-8");q(B(U,"README.md"),o,"utf-8");console.log("  Created:");console.log(`    + ${G}/src/index.ts`);console.log(`    + ${G}/src/config/index.ts`);console.log(`    + ${G}/src/lib/constants.ts`);console.log(`    + ${G}/src/routes/`);console.log(`    + ${G}/src/workers/`);console.log(`    + ${G}/src/queues/`);console.log(`    + ${G}/src/ws/`);console.log(`    + ${G}/src/services/`);console.log(`    + ${G}/src/middleware/`);console.log(`    + ${G}/src/models/`);console.log(`    + ${G}/.env`);console.log(`    + ${G}/README.md`);console.log(`
-  DB config:`);console.log(`    mongo: ${K||"none"} | redis: ${W}`);console.log(`    auth: ${P} | sessions: ${v} | cache: ${T} | oauthState: ${F}`);console.log(`
-  Initializing git...`);var Bz=M("git",["init"],{cwd:U,stdio:"inherit"});if(Bz.status!==0)console.error("  git init failed \u2014 skipping.");console.log(`
-  Installing dependencies...`);var Gz=M("bun",["install"],{cwd:U,stdio:"inherit"});if(Gz.status!==0)console.error(`
+@lastshotlabs/bunshot \u2014 creating ${X}
+`);E(A,{recursive:!0});console.log("  Running bun init...");w("bun",["init","-y"],{cwd:A,stdio:"inherit"});var k=K(A,"index.ts");if(D(k))r(k);var p=K(A,"package.json"),M=JSON.parse(a("fs").readFileSync(p,"utf-8"));M.module="src/index.ts";M.scripts={dev:"bun --watch src/index.ts",start:"bun src/index.ts"};M.dependencies={...M.dependencies,"@lastshotlabs/bunshot":"*"};I(p,JSON.stringify(M,null,2)+`
+`,"utf-8");var Az=K(A,"tsconfig.json"),Ez={compilerOptions:{lib:["ESNext"],target:"ESNext",module:"Preserve",moduleDetection:"force",jsx:"react-jsx",allowJs:!0,moduleResolution:"bundler",allowImportingTsExtensions:!0,verbatimModuleSyntax:!0,noEmit:!0,strict:!0,skipLibCheck:!0,noFallthroughCasesInSwitch:!0,noUncheckedIndexedAccess:!0,noImplicitOverride:!0,noUnusedLocals:!1,noUnusedParameters:!1,noPropertyAccessFromIndexSignature:!1,paths:{"@lib/*":["./src/lib/*"],"@middleware/*":["./src/middleware/*"],"@models/*":["./src/models/*"],"@queues/*":["./src/queues/*"],"@routes/*":["./src/routes/*"],"@scripts/*":["./src/scripts/*"],"@services/*":["./src/services/*"],"@workers/*":["./src/workers/*"],"@service-facades/*":["./src/service-facades/*"],"@config/*":["./src/config/*"],"@constants/*":["./src/lib/constants/*"]}}};I(Az,JSON.stringify(Ez,null,2)+`
+`,"utf-8");E(S,{recursive:!0});E(l,{recursive:!0});E(i,{recursive:!0});E(o,{recursive:!0});E(e,{recursive:!0});E(zz,{recursive:!0});E(Gz,{recursive:!0});E(Hz,{recursive:!0});E(Jz,{recursive:!0});I(K(l,"constants.ts"),Uz,"utf-8");I(K(S,"index.ts"),Xz,"utf-8");I(K(V,"index.ts"),Yz,"utf-8");I(K(A,".env"),$z(),"utf-8");I(K(A,"README.md"),Zz,"utf-8");console.log("  Created:");console.log(`    + ${X}/src/index.ts`);console.log(`    + ${X}/src/config/index.ts`);console.log(`    + ${X}/src/lib/constants.ts`);console.log(`    + ${X}/src/routes/`);console.log(`    + ${X}/src/workers/`);console.log(`    + ${X}/src/queues/`);console.log(`    + ${X}/src/ws/`);console.log(`    + ${X}/src/services/`);console.log(`    + ${X}/src/middleware/`);console.log(`    + ${X}/src/models/`);console.log(`    + ${X}/.env`);console.log(`    + ${X}/README.md`);console.log(`
+  DB config:`);console.log(`    mongo: ${Y||"none"} | redis: ${B}`);console.log(`    auth: ${T} | sessions: ${q} | cache: ${v} | oauthState: ${O}`);console.log(`
+  Auth config:`);console.log(`    posture: ${R}`);console.log(`
+  Initializing git...`);var Vz=w("git",["init"],{cwd:A,stdio:"inherit"});if(Vz.status!==0)console.error("  git init failed \u2014 skipping.");console.log(`
+  Installing dependencies...`);var Wz=w("bun",["install"],{cwd:A,stdio:"inherit"});if(Wz.status!==0)console.error(`
   bun install failed. Run it manually inside the directory.`),process.exit(1);console.log(`
 Done! Next steps:
-`);console.log(`  cd ${G}`);console.log("  # fill in .env");console.log(`  bun dev
+`);console.log(`  cd ${X}`);console.log("  # fill in .env");console.log(`  bun dev
 `);