@lastshotlabs/bunshot 0.0.21 → 0.0.27

package/dist/app.js

@@ -1,14 +1,16 @@
 import { OpenAPIHono } from "@hono/zod-openapi";
 import { cors } from "hono/cors";
-import { logger } from "hono/logger";
 import { secureHeaders } from "hono/secure-headers";
 import { Scalar } from "@scalar/hono-api-reference";
-import { HttpError } from "./lib/HttpError";
+import { HttpError, ValidationError } from "./lib/HttpError";
 import { rateLimit } from "./middleware/rateLimit";
 import { bearerAuth } from "./middleware/bearerAuth";
 import { identify } from "./middleware/identify";
-import { HEADER_USER_TOKEN, HEADER_REFRESH_TOKEN, HEADER_CSRF_TOKEN } from "./lib/constants";
-import { setAppName, setAppRoles, setDefaultRole, setPrimaryField, setEmailVerificationConfig, setPasswordResetConfig, setPasswordPolicy, setMaxSessions, setPersistSessionMetadata, setIncludeInactiveSessions, setTrackLastActive, setRefreshTokenConfig, setMfaConfig, setCsrfEnabled } from "./lib/appConfig";
+import { defaultValidationErrorFormatter } from "./lib/context";
+import { HEADER_USER_TOKEN, HEADER_REFRESH_TOKEN, HEADER_CSRF_TOKEN, HEADER_REQUEST_ID } from "./lib/constants";
+import { requestId } from "./middleware/requestId";
+import { requestLogger } from "./middleware/requestLogger";
+import { setAppName, setAppRoles, setDefaultRole, setPrimaryField, setEmailVerificationConfig, setPasswordResetConfig, setPasswordPolicy, setMaxSessions, setPersistSessionMetadata, setIncludeInactiveSessions, setTrackLastActive, setRefreshTokenConfig, setMfaConfig, setCsrfEnabled, setSigningConfig, setJwtConfig, setCheckSuspensionOnIdentify, setBreachedPasswordConfig, setCaptchaConfig, setStepUpConfig, setM2MConfig, setOidcConfig, setSamlConfig, setScimConfig } from "./lib/appConfig";
 import { setEmailVerificationStore } from "./lib/emailVerification";
 import { setPasswordResetStore } from "./lib/resetPassword";
 import { setAuthRateLimitStore } from "./lib/authRateLimit";
@@ -22,10 +24,18 @@ import { connectRedis } from "./lib/redis";
 import { setSessionStore } from "./lib/session";
 import { setCacheStore } from "./middleware/cacheResponse";
 import { maybeAutoRegister } from "./lib/createRoute";
+import { setStorageAdapter, setUploadConfig } from "./lib/upload";
+import { validateJwtSecrets } from "./lib/jwt";
 export const createApp = async (config) => {
     const { routesDir, app: appConfig = {}, auth: authConfig = {}, security: securityConfig = {}, middleware = [], db = {}, } = config;
+    if (config.securityEvents) {
+        const { setSecurityEventConfig } = await import("./lib/securityEvents");
+        setSecurityEventConfig(config.securityEvents);
+    }
     const appName = appConfig.name ?? "Bun Core API";
     const openApiVersion = appConfig.version ?? "1.0.0";
+    // Validate JWT secrets eagerly so misconfiguration is caught at startup
+    validateJwtSecrets();
     // Trust-proxy for IP extraction
     const { setTrustProxy } = await import("./lib/clientIp");
     setTrustProxy(securityConfig.trustProxy ?? false);
@@ -33,6 +43,13 @@ export const createApp = async (config) => {
     if (corsOrigins === "*" && process.env.NODE_ENV === "production") {
         console.warn("[security] CORS is set to wildcard (*) in production. Configure security.cors with specific origins to restrict cross-origin access.");
     }
+    if (securityConfig.csrf?.enabled && corsOrigins === "*") {
+        if (process.env.NODE_ENV === "production") {
+            throw new Error("[security] CSRF protection with wildcard CORS (*) is unsafe. " +
+                "Set security.cors to specific origins when using CSRF.");
+        }
+        console.warn("[security] CSRF is enabled with wildcard CORS. This will be rejected in production.");
+    }
     const rlConfig = securityConfig.rateLimit ?? { windowMs: 60_000, max: 100 };
     const botCfg = securityConfig.botProtection ?? {};
     const enableBearerAuth = securityConfig.bearerAuth !== false;
@@ -136,16 +153,76 @@ export const createApp = async (config) => {
     setPasswordResetConfig(passwordReset ?? null);
     setPasswordPolicy(authConfig.passwordPolicy ?? {});
     setPasswordResetStore(sessions);
+    const { setDeletionCancelTokenStore } = await import("./lib/deletionCancelToken");
+    setDeletionCancelTokenStore(sessions);
     setAuthRateLimitStore(authRateLimit?.store ?? (enableRedis ? "redis" : "memory"));
+    if (authRateLimit?.credentialStuffing) {
+        const { setCredentialStuffingConfig } = await import("./lib/credentialStuffing");
+        setCredentialStuffingConfig(authRateLimit.credentialStuffing);
+    }
     setMaxSessions(sessionPolicy.maxSessions ?? 6);
     setPersistSessionMetadata(sessionPolicy.persistSessionMetadata ?? true);
     setIncludeInactiveSessions(sessionPolicy.includeInactiveSessions ?? false);
     setTrackLastActive(sessionPolicy.trackLastActive ?? false);
     setRefreshTokenConfig(authConfig.refreshTokens ?? null);
     setMfaConfig(authConfig.mfa ?? null);
+    if (authConfig.jwt)
+        setJwtConfig(authConfig.jwt);
+    if (authConfig.checkSuspensionOnIdentify)
+        setCheckSuspensionOnIdentify(true);
+    if (authConfig.breachedPasswordCheck)
+        setBreachedPasswordConfig(authConfig.breachedPasswordCheck);
+    if (authConfig.stepUp)
+        setStepUpConfig(authConfig.stepUp);
+    // JWT config
+    if (authConfig.jwt)
+        setJwtConfig(authConfig.jwt);
+    // OIDC: load keys, set RS256, mount discovery routes
+    if (authConfig.oidc) {
+        setOidcConfig(authConfig.oidc);
+        // Override JWT config with OIDC issuer and RS256
+        setJwtConfig({ ...(authConfig.jwt ?? {}), issuer: authConfig.oidc.issuer, algorithm: "RS256" });
+        const { loadJwksKey, generateAndLoadKeyPair, loadPreviousKey } = await import("./lib/jwks");
+        const { _setAlgorithm } = await import("./lib/jwt");
+        if (authConfig.oidc.signingKey) {
+            await loadJwksKey(authConfig.oidc.signingKey);
+        }
+        else {
+            await generateAndLoadKeyPair();
+        }
+        for (const prev of authConfig.oidc.previousKeys ?? []) {
+            await loadPreviousKey(prev);
+        }
+        _setAlgorithm("RS256");
+    }
     if (oauthProviders)
         initOAuthProviders(oauthProviders);
     const configuredOAuth = getConfiguredOAuthProviders();
+    // Start the account deletion worker when queued deletion is configured.
+    // The worker runs in-process alongside the API server.
+    if (authConfig.accountDeletion?.queued && enableAuthRoutes) {
+        try {
+            const { createWorker } = await import("./lib/queue");
+            const appName_ = appName;
+            const accountDeletion_ = authConfig.accountDeletion;
+            createWorker(`${appName_}:account-deletions`, async (job) => {
+                const { userId } = job.data;
+                const adapter_ = authAdapter;
+                if (accountDeletion_.onBeforeDelete)
+                    await accountDeletion_.onBeforeDelete(userId);
+                if (adapter_.deleteUser)
+                    await adapter_.deleteUser(userId);
+                if (accountDeletion_.onAfterDelete)
+                    await accountDeletion_.onAfterDelete(userId);
+            }, { concurrency: 1 });
+        }
+        catch (err) {
+            if (err?.message?.includes("bullmq is not installed")) {
+                throw new Error("createApp: accountDeletion.queued requires BullMQ. Run: bun add bullmq");
+            }
+            throw err;
+        }
+    }
     // OAuth paths must bypass bearer auth — initiation and link routes are browser redirects,
     // callbacks come from external providers; none can send a bearer token header.
     const oauthBypass = configuredOAuth.flatMap((p) => [
@@ -153,10 +230,44 @@ export const createApp = async (config) => {
         `/auth/${p}/callback`,
         `/auth/${p}/link`,
     ]);
-    const DEFAULT_BYPASS = ["/docs", "/openapi.json", "/sw.js", "/health", "/"];
-    const bearerAuthBypass = [...DEFAULT_BYPASS, ...oauthBypass, ...extraBypass];
+    const DEFAULT_BYPASS = ["/docs", "/openapi.json", "/sw.js", "/health", "/", "/metrics", "/oauth/token", "/.well-known/openid-configuration", "/.well-known/jwks.json", "/auth/saml/*", "/scim/v2/*"];
+    // Add per-version docs/spec paths when versioning is configured
+    const versionBypass = config.versioning
+        ? config.versioning.versions.flatMap((v) => [`/${v}/docs`, `/${v}/openapi.json`])
+        : [];
+    const bearerAuthBypass = [...DEFAULT_BYPASS, ...versionBypass, ...oauthBypass, ...extraBypass];
     const app = new OpenAPIHono();
-    app.use(logger());
+    app.use(requestId);
+    // Set the validation error formatter on context so defaultHook and onError both pick it up
+    const validationFormatter = config.validation?.formatError ?? defaultValidationErrorFormatter;
+    app.use("*", async (c, next) => {
+        c.set("validationErrorFormatter", validationFormatter);
+        await next();
+    });
+    // Metrics collection middleware (before requestLogger so it captures all requests)
+    if (config.metrics?.enabled) {
+        const metricsAuth = config.metrics.auth ?? "none";
+        if (metricsAuth === "none" && !config.metrics.unsafePublic) {
+            if (process.env.NODE_ENV === "production") {
+                throw new Error("[security] metrics.auth is required in production. Set metrics.auth or explicitly set unsafePublic: true with auth: \"none\".");
+            }
+            console.warn("[security] /metrics is enabled without auth. Configure metrics.auth for production.");
+        }
+        const { metricsCollector } = await import("./middleware/metrics");
+        app.use(metricsCollector({
+            excludePaths: config.metrics.excludePaths,
+            normalizePath: config.metrics.normalizePath,
+        }));
+    }
+    const loggingConfig = config.logging ?? {};
+    if (loggingConfig.enabled !== false) {
+        app.use(requestLogger({
+            onLog: loggingConfig.onLog,
+            level: loggingConfig.level,
+            excludePaths: loggingConfig.excludePaths,
+            excludeMethods: loggingConfig.excludeMethods,
+        }));
+    }
     const headerOpts = {};
     if (securityConfig.headers?.contentSecurityPolicy) {
         headerOpts["Content-Security-Policy"] = securityConfig.headers.contentSecurityPolicy;
@@ -176,7 +287,7 @@ export const createApp = async (config) => {
     const corsAllowHeaders = ["Content-Type", "Authorization", HEADER_USER_TOKEN, HEADER_REFRESH_TOKEN];
     if (securityConfig.csrf?.enabled)
         corsAllowHeaders.push(HEADER_CSRF_TOKEN);
-    app.use(cors({ origin: corsOrigins, allowHeaders: corsAllowHeaders, exposeHeaders: ["x-cache"], credentials: true }));
+    app.use(cors({ origin: corsOrigins, allowHeaders: corsAllowHeaders, exposeHeaders: ["x-cache", HEADER_REQUEST_ID], credentials: true }));
     if ((botCfg.blockList?.length ?? 0) > 0) {
         const { botProtection } = await import("./middleware/botProtection");
         app.use(botProtection({ blockList: botCfg.blockList }));
@@ -185,13 +296,22 @@ export const createApp = async (config) => {
     if (enableBearerAuth) {
         app.use(async (c, next) => {
             const path = c.req.path;
-            if (bearerAuthBypass.includes(path)) {
+            const bypassed = bearerAuthBypass.some((entry) => entry.endsWith("*") ? path.startsWith(entry.slice(0, -1)) : path === entry);
+            if (bypassed) {
                 return next();
             }
             return bearerAuth(c, next);
         });
     }
     app.use(identify);
+    // Signing config — make available to pagination, identify, and other lib modules
+    if (securityConfig.signing) {
+        setSigningConfig(securityConfig.signing);
+    }
+    // CAPTCHA config — store globally so requireCaptcha() can read it without explicit param
+    if (securityConfig.captcha) {
+        setCaptchaConfig(securityConfig.captcha);
+    }
     // CSRF protection (after identify so we can check for auth cookie presence)
     if (securityConfig.csrf?.enabled) {
         setCsrfEnabled(true);
@@ -224,6 +344,10 @@ export const createApp = async (config) => {
     }
     for (const mw of middleware)
         app.use(mw);
+    if (authConfig.mfa?.required) {
+        const { requireMfaSetup } = await import("./middleware/requireMfaSetup");
+        app.use(requireMfaSetup);
+    }
     setAppName(appName);
     // Schema pre-loading — import shared schema files before routes so registerSchema /
     // registerSchemas calls run first, guaranteeing $ref instead of inline shapes.
@@ -273,13 +397,15 @@ export const createApp = async (config) => {
             continue; // mounted separately below when mfa is configured
         if (file === "jobs.ts")
             continue; // mounted separately below when jobs.statusEndpoint is true
+        if (file === "oidc.ts")
+            continue; // mounted separately below when oidc is configured
         const mod = await import(`${coreRoutesDir}/${file}`);
         if (mod.router)
             app.route("/", mod.router);
     }
     if (enableAuthRoutes) {
         const { createAuthRouter } = await import(`${coreRoutesDir}/auth`);
-        app.route("/", createAuthRouter({ primaryField, emailVerification, passwordReset, rateLimit: authRateLimit, accountDeletion: authConfig.accountDeletion, refreshTokens: authConfig.refreshTokens }));
+        app.route("/", createAuthRouter({ primaryField, emailVerification, passwordReset, rateLimit: authRateLimit, accountDeletion: authConfig.accountDeletion, refreshTokens: authConfig.refreshTokens, stepUp: authConfig.stepUp }));
     }
     if (configuredOAuth.length > 0) {
         const { createOAuthRouter } = await import(`${coreRoutesDir}/oauth`);
@@ -295,53 +421,231 @@ export const createApp = async (config) => {
         const { createMfaRouter } = await import(`${coreRoutesDir}/mfa`);
         app.route("/", createMfaRouter({ rateLimit: authRateLimit }));
     }
+    if (authConfig.mfa?.webauthn?.allowPasswordlessLogin && enableAuthRoutes) {
+        const { assertWebAuthnDependency } = await import("./services/mfa");
+        await assertWebAuthnDependency();
+        const { createPasskeyRouter } = await import(`${coreRoutesDir}/passkey`);
+        app.route("/", createPasskeyRouter());
+    }
+    if (authConfig.m2m?.enabled !== false && authConfig.m2m) {
+        setM2MConfig(authConfig.m2m);
+        const { createM2MRouter } = await import(`${coreRoutesDir}/m2m`);
+        app.route("/", createM2MRouter());
+    }
+    if (config.jobs?.statusEndpoint) {
+        const jobsAuth = config.jobs.auth ?? "none";
+        if (jobsAuth === "none" && !config.jobs.unsafePublic) {
+            if (process.env.NODE_ENV === "production") {
+                throw new Error("[security] jobs.auth is required in production. Set jobs.auth or explicitly set unsafePublic: true with auth: \"none\".");
+            }
+            console.warn("[security] /jobs is enabled without auth. Configure jobs.auth for production.");
+        }
+    }
     if (config.jobs?.statusEndpoint) {
         const { createJobsRouter } = await import(`${coreRoutesDir}/jobs`);
         app.route("/", createJobsRouter(config.jobs));
     }
-    // Service routes — collect all, sort by optional exported `priority`, then mount
-    const serviceGlob = new Bun.Glob("**/*.ts");
-    const serviceFiles = [];
-    for await (const file of serviceGlob.scan({ cwd: routesDir })) {
-        serviceFiles.push(file);
-    }
-    const serviceMods = await Promise.all(serviceFiles.map(async (file) => ({
-        file,
-        mod: await import(`${routesDir}/${file}`),
-    })));
-    serviceMods
-        .sort((a, b) => (a.mod.priority ?? Infinity) - (b.mod.priority ?? Infinity))
-        .forEach(({ mod }) => {
-        if (mod.router)
-            app.route("/", mod.router);
-    });
+    if (config.metrics?.enabled) {
+        const { createMetricsRouter } = await import(`${coreRoutesDir}/metrics`);
+        app.route("/", createMetricsRouter({
+            auth: config.metrics.auth,
+            queues: config.metrics.queues,
+            unsafePublic: config.metrics.unsafePublic,
+        }));
+    }
+    if (config.groups?.managementRoutes) {
+        const { createGroupsRouter } = await import(`${coreRoutesDir}/groups`);
+        app.route("/", createGroupsRouter(config.groups));
+    }
+    if (authConfig.oidc) {
+        const { createOidcRouter } = await import(`${coreRoutesDir}/oidc`);
+        app.route("/", createOidcRouter());
+    }
+    if (authConfig.saml) {
+        setSamlConfig(authConfig.saml);
+        const { createSamlRouter } = await import(`${coreRoutesDir}/saml`);
+        app.route("/", createSamlRouter());
+    }
+    if (authConfig.scim) {
+        const { setScimTokens } = await import("./middleware/scimAuth");
+        setScimConfig(authConfig.scim);
+        setScimTokens(authConfig.scim.bearerTokens);
+        const { createScimRouter } = await import(`${coreRoutesDir}/scim`);
+        app.route("/", createScimRouter());
+    }
+    if (config.upload) {
+        const { storage, presignedUrls, authorization, allowExternalKeys, ...uploadOpts } = config.upload;
+        setStorageAdapter(storage);
+        setUploadConfig(uploadOpts);
+        // Wire upload registry store to match session store backend
+        const { setUploadRegistryStore } = await import("./lib/uploadRegistry");
+        setUploadRegistryStore(sessions);
+        if (presignedUrls) {
+            const { createUploadsRouter } = await import(`${coreRoutesDir}/uploads`);
+            const presignConfig = presignedUrls === true ? {} : presignedUrls;
+            app.route("/", createUploadsRouter({
+                ...presignConfig,
+                authorization,
+                allowExternalKeys,
+            }));
+        }
+    }
+    // Helper to register standard security schemes on an OpenAPI registry
+    const registerSecuritySchemes = (registry) => {
+        registry.registerComponent("securitySchemes", "cookieAuth", {
+            type: "apiKey",
+            in: "cookie",
+            name: "token",
+            description: "Session cookie set automatically on login/register.",
+        });
+        registry.registerComponent("securitySchemes", "userToken", {
+            type: "apiKey",
+            in: "header",
+            name: "x-user-token",
+            description: "JWT session token passed as the x-user-token request header (alternative to the session cookie).",
+        });
+        registry.registerComponent("securitySchemes", "bearerAuth", {
+            type: "http",
+            scheme: "bearer",
+            description: "API key passed as Authorization: Bearer <token>. Required on all endpoints unless bearer auth is disabled in CreateAppConfig or the path is in the bypass list.",
+        });
+    };
+    if (config.versioning) {
+        // Version-aware route discovery — each version gets its own OpenAPIHono instance
+        const { versions, sharedDir = "shared", defaultVersion = versions[versions.length - 1] } = config.versioning;
+        const { setVersionPrefix, clearVersionPrefix, getVersionToken, drainCapturedTokens, assertCapturedTokens } = await import("./lib/createRoute");
+        const { defaultHook } = await import("./lib/context");
+        const { stripUnreferencedSchemas } = await import("./lib/stripUnreferencedSchemas");
+        // Import shared routes with no prefix — schemas stay unprefixed (version-agnostic)
+        let sharedMods = [];
+        if (sharedDir !== false) {
+            const sharedRoutesDir = `${routesDir}/${sharedDir}`;
+            try {
+                const sharedGlob = new Bun.Glob("**/*.ts");
+                const sharedFiles = [];
+                for await (const file of sharedGlob.scan({ cwd: sharedRoutesDir })) {
+                    sharedFiles.push(file);
+                }
+                sharedMods = await Promise.all(sharedFiles.map(async (file) => ({ file, mod: await import(`${sharedRoutesDir}/${file}`) })));
+            }
+            catch {
+                // sharedDir doesn't exist — fine
+            }
+        }
+        // Drain any tokens captured during shared route imports (token=null, correct since no prefix was set)
+        // to prevent null tokens from bleeding into per-version assertions below.
+        drainCapturedTokens();
+        // For each version sequentially: set prefix, import routes, mount on isolated OpenAPIHono
+        for (const version of versions) {
+            setVersionPrefix(version);
+            const expectedToken = getVersionToken();
+            const vApp = new OpenAPIHono({ defaultHook });
+            const versionRoutesDir = `${routesDir}/${version}`;
+            const versionFiles = [];
+            try {
+                const versionGlob = new Bun.Glob("**/*.ts");
+                for await (const file of versionGlob.scan({ cwd: versionRoutesDir })) {
+                    versionFiles.push(file);
+                }
+            }
+            catch {
+                // version dir doesn't exist — fine
+            }
+            // Import all version route files in parallel
+            const versionMods = await Promise.all(versionFiles.map(async (file) => ({ file, mod: await import(`${versionRoutesDir}/${file}`) })));
+            // Assert version token to catch top-level await interleaving bugs at startup
+            assertCapturedTokens(drainCapturedTokens(), expectedToken);
+            // Mount version-specific routes (sorted by priority)
+            versionMods
+                .sort((a, b) => (a.mod.priority ?? Infinity) - (b.mod.priority ?? Infinity))
+                .forEach(({ mod }) => {
+                if (mod.router)
+                    vApp.route("/", mod.router);
+            });
+            // Mount shared routes on this versioned app
+            for (const { mod } of sharedMods) {
+                if (mod.router)
+                    vApp.route("/", mod.router);
+            }
+            registerSecuritySchemes(vApp.openAPIRegistry);
+            // Serve per-version spec stripped of schemas from other versions
+            vApp.get("/openapi.json", (c) => {
+                const spec = vApp.getOpenAPIDocument({
+                    openapi: "3.0.0",
+                    info: { title: `${appName} ${version.toUpperCase()}`, version: openApiVersion },
+                });
+                return c.json(stripUnreferencedSchemas(spec));
+            });
+            // Per-version Scalar docs
+            vApp.get("/docs", Scalar({ url: `/${version}/openapi.json` }));
+            clearVersionPrefix();
+            // Mount versioned app under /v1, /v2, etc.
+            app.route(`/${version}`, vApp);
+        }
+        // Root /docs → version selector page
+        app.get("/docs", (c) => {
+            const links = versions
+                .map((v) => `<li><a href="/${v}/docs" style="font-size:1.1em">${v.toUpperCase()}</a></li>`)
+                .join("\n");
+            const html = `<!DOCTYPE html>
+<html lang="en">
+<head><meta charset="utf-8"><title>${appName} — API Docs</title>
+<style>body{font-family:sans-serif;padding:2rem}ul{list-style:none;padding:0}li{margin:.5rem 0}</style>
+</head>
+<body>
+<h1>${appName}</h1>
+<h2>API Documentation</h2>
+<ul>${links}</ul>
+</body></html>`;
+            return c.html(html);
+        });
+        // Root /openapi.json → 302 to default version (no merged spec exists)
+        app.get("/openapi.json", (c) => c.redirect(`/${defaultVersion}/openapi.json`, 302));
+    }
+    else {
+        // Non-versioned path — existing behavior unchanged
+        // Service routes — collect all, sort by optional exported `priority`, then mount
+        const serviceGlob = new Bun.Glob("**/*.ts");
+        const serviceFiles = [];
+        for await (const file of serviceGlob.scan({ cwd: routesDir })) {
+            serviceFiles.push(file);
+        }
+        const serviceMods = await Promise.all(serviceFiles.map(async (file) => ({
+            file,
+            mod: await import(`${routesDir}/${file}`),
+        })));
+        serviceMods
+            .sort((a, b) => (a.mod.priority ?? Infinity) - (b.mod.priority ?? Infinity))
+            .forEach(({ mod }) => {
+            if (mod.router)
+                app.route("/", mod.router);
+        });
+        registerSecuritySchemes(app.openAPIRegistry);
+        app.doc("/openapi.json", { openapi: "3.0.0", info: { title: appName, version: openApiVersion } });
+        app.get("/docs", Scalar({ url: "/openapi.json" }));
+    }
     app.onError((err, c) => {
+        const reqId = c.get("requestId") ?? "unknown";
+        // ValidationError extends HttpError — must check first or the details payload is lost
+        if (err instanceof ValidationError) {
+            const fmt = c.get("validationErrorFormatter") ?? defaultValidationErrorFormatter;
+            try {
+                return c.json(fmt(err.issues, reqId), 400);
+            }
+            catch {
+                return c.json(defaultValidationErrorFormatter(err.issues, reqId), 400);
+            }
+        }
         if (err instanceof HttpError) {
-            return c.json({ error: err.message }, err.status);
+            const body = { error: err.message, requestId: reqId };
+            if (err.code !== undefined)
+                body.code = err.code;
+            return c.json(body, err.status);
         }
         console.error(err);
-        return c.json({ error: "Internal Server Error" }, 500);
-    });
-    app.notFound((c) => c.json({ error: "Not Found" }, 404));
-    app.openAPIRegistry.registerComponent("securitySchemes", "cookieAuth", {
-        type: "apiKey",
-        in: "cookie",
-        name: "token",
-        description: "Session cookie set automatically on login/register.",
-    });
-    app.openAPIRegistry.registerComponent("securitySchemes", "userToken", {
-        type: "apiKey",
-        in: "header",
-        name: "x-user-token",
-        description: "JWT session token passed as the x-user-token request header (alternative to the session cookie).",
-    });
-    app.openAPIRegistry.registerComponent("securitySchemes", "bearerAuth", {
-        type: "http",
-        scheme: "bearer",
-        description: "API key passed as Authorization: Bearer <token>. Required on all endpoints unless bearer auth is disabled in CreateAppConfig or the path is in the bypass list.",
+        return c.json({ error: "Internal Server Error", requestId: reqId }, 500);
     });
-    app.doc("/openapi.json", { openapi: "3.0.0", info: { title: appName, version: openApiVersion } });
-    app.get("/docs", Scalar({ url: "/openapi.json" }));
+    app.notFound((c) => c.json({ error: "Not Found", requestId: c.get("requestId") ?? "unknown" }, 404));
     app.get("/sw.js", (c) => c.body("", 200, { "Content-Type": "application/javascript" }));
     return app;
 };