@lastshotlabs/bunshot 0.0.21 → 0.0.27

package/dist/cli.js

@@ -1,21 +1,96 @@
 #!/usr/bin/env bun
 // @bun
-var D=import.meta.require;import{existsSync as N,mkdirSync as X,writeFileSync as q,readSync as b,rmSync as h}from"fs";import{join as B}from"path";import{spawnSync as M}from"child_process";function w(z){process.stdout.write(z);let H=Buffer.alloc(1024),Q=b(0,H,0,H.length,null);return H.subarray(0,Q).toString().trim().replace(/\r/g,"")}function E(z,H,Q=0){let J=Q;function Z($=!1){if(!$)process.stdout.write(`\x1B[${H.length}A`);for(let A=0;A<H.length;A++){let V=A===J,R=V?"\x1B[36m>\x1B[0m":" ",g=V?`\x1B[1m${H[A]}\x1B[0m`:`\x1B[2m${H[A]}\x1B[0m`;process.stdout.write(`\x1B[2K  ${R} ${g}
-`)}}if(!process.stdin.isTTY){console.log(z),H.forEach((V,R)=>console.log(`  ${R+1}) ${V}`));let $=w(`  Choose [${Q+1}]: `);if(!$)return Q;let A=parseInt($);if(A>=1&&A<=H.length)return A-1;return Q}console.log(z),process.stdout.write("\x1B[?25l"),Z(!0),process.stdin.setRawMode(!0);let _=Buffer.alloc(16);try{while(!0){let $=b(0,_,0,_.length,null),A=_.subarray(0,$).toString();if(A==="\r"||A===`
-`)break;else if(A==="\x1B[A"||A==="\x1BOA")J=(J-1+H.length)%H.length,Z();else if(A==="\x1B[B"||A==="\x1BOB")J=(J+1)%H.length,Z();else if(A==="\x03")process.stdout.write(`\x1B[?25h
-`),process.stdin.setRawMode(!1),process.exit(0);else{let V=parseInt(A);if(V>=1&&V<=H.length){J=V-1,Z();break}}}}finally{process.stdin.setRawMode(!1),process.stdout.write("\x1B[?25h")}return J}var f=process.argv[2],m=process.argv[3],O=f||w("App name: ");if(!O)console.error("App name is required."),process.exit(1);var I=O.toLowerCase().replace(/\s+/g,"-").replace(/[^a-z0-9-]/g,""),G=m||(f?I:w(`Directory (${I}): `))||I,K=!1,W=!1,P="mongo",v="redis",T="redis",F="redis";console.log("");var x=E("Database setup:",["Full stack        (MongoDB + Redis \u2014 production ready)","SQLite            (single file, no external services)","Memory            (ephemeral, great for prototyping/tests)","Custom            (choose each store individually)"]);if(x===0)K=E("MongoDB connection mode:",["Single   (auth + app data share one connection)","Separate (auth on its own cluster)"])===0?"single":"separate",W=!0,P="mongo",v="redis",T="redis",F="redis";else if(x===1)K=!1,W=!1,P="sqlite",v="sqlite",T="sqlite",F="sqlite";else if(x===2)K=!1,W=!1,P="memory",v="memory",T="memory",F="memory";else{console.log(`
+var a=import.meta.require;import{existsSync as D,mkdirSync as E,writeFileSync as I,readSync as g,rmSync as r}from"fs";import{join as K}from"path";import{spawnSync as w}from"child_process";function b(z){process.stdout.write(z);let G=Buffer.alloc(1024),U=g(0,G,0,G.length,null);return G.subarray(0,U).toString().trim().replace(/\r/g,"")}function Q(z,G,U=0){let J=U;function $(_=!1){if(!_)process.stdout.write(`\x1B[${G.length}A`);for(let H=0;H<G.length;H++){let Z=H===J,F=Z?"\x1B[36m>\x1B[0m":" ",L=Z?`\x1B[1m${G[H]}\x1B[0m`:`\x1B[2m${G[H]}\x1B[0m`;process.stdout.write(`\x1B[2K  ${F} ${L}
+`)}}if(!process.stdin.isTTY){console.log(z),G.forEach((Z,F)=>console.log(`  ${F+1}) ${Z}`));let _=b(`  Choose [${U+1}]: `);if(!_)return U;let H=parseInt(_);if(H>=1&&H<=G.length)return H-1;return U}console.log(z),process.stdout.write("\x1B[?25l"),$(!0),process.stdin.setRawMode(!0);let W=Buffer.alloc(16);try{while(!0){let _=g(0,W,0,W.length,null),H=W.subarray(0,_).toString();if(H==="\r"||H===`
+`)break;else if(H==="\x1B[A"||H==="\x1BOA")J=(J-1+G.length)%G.length,$();else if(H==="\x1B[B"||H==="\x1BOB")J=(J+1)%G.length,$();else if(H==="\x03")process.stdout.write(`\x1B[?25h
+`),process.stdin.setRawMode(!1),process.exit(0);else{let Z=parseInt(H);if(Z>=1&&Z<=G.length){J=Z-1,$();break}}}}finally{process.stdin.setRawMode(!1),process.stdout.write("\x1B[?25h")}return J}var y=process.argv[2],n=process.argv[3],N=y||b("App name: ");if(!N)console.error("App name is required."),process.exit(1);var x=N.toLowerCase().replace(/\s+/g,"-").replace(/[^a-z0-9-]/g,""),X=n||(y?x:b(`Directory (${x}): `))||x,Y=!1,B=!1,T="mongo",q="redis",v="redis",O="redis";console.log("");var C=Q("Database setup:",["Full stack        (MongoDB + Redis \u2014 production ready)","SQLite            (single file, no external services)","Memory            (ephemeral, great for prototyping/tests)","Custom            (choose each store individually)"]);if(C===0)Y=Q("MongoDB connection mode:",["Single   (auth + app data share one connection)","Separate (auth on its own cluster)"])===0?"single":"separate",B=!0,T="mongo",q="redis",v="redis",O="redis";else if(C===1)Y=!1,B=!1,T="sqlite",q="sqlite",v="sqlite",O="sqlite";else if(C===2)Y=!1,B=!1,T="memory",q="memory",v="memory",O="memory";else{console.log(`
   Configure each store:
-`);let z=E("MongoDB:",["Single   (one connection for auth + app data)","Separate (auth on its own cluster)","None     (no MongoDB)"]);if(z===0)K="single";else if(z===1)K="separate";else K=!1;W=E("Redis:",["Yes","No"])===0;let Q=[],J=[];if(W)Q.push("redis"),J.push("Redis");if(K)Q.push("mongo"),J.push("MongoDB");Q.push("sqlite","memory"),J.push("SQLite","Memory");let Z=[],_=[];if(K)Z.push("mongo"),_.push("MongoDB");Z.push("sqlite","memory"),_.push("SQLite","Memory");let $=E("Auth store:",_);P=Z[$];let A=E("Sessions store:",J);v=Q[A];let V=E("Cache store:",J);T=Q[V];let R=E("OAuth state store:",J);F=Q[R]}var S=P==="sqlite"||v==="sqlite"||T==="sqlite"||F==="sqlite",U=B(process.cwd(),G),Y=B(U,"src"),k=B(Y,"config"),j=B(Y,"lib"),p=B(Y,"routes"),l=B(Y,"workers"),u=B(Y,"queues"),d=B(Y,"ws"),c=B(Y,"services"),a=B(Y,"middleware"),r=B(Y,"models");if(N(U))console.error(`Directory "${G}" already exists.`),process.exit(1);function n(){let z=[];if(K)z.push(`  mongo: "${K}",`);else z.push("  mongo: false,");if(z.push(`  redis: ${W},`),z.push(`  auth: "${P}",`),z.push(`  sessions: "${v}",`),z.push(`  oauthState: "${F}",`),z.push(`  cache: "${T}",`),S)z.push('  sqlite: path.join(import.meta.dir, "../../data.db"),');return`{
+`);let z=Q("MongoDB:",["Single   (one connection for auth + app data)","Separate (auth on its own cluster)","None     (no MongoDB)"]);if(z===0)Y="single";else if(z===1)Y="separate";else Y=!1;B=Q("Redis:",["Yes","No"])===0;let U=[],J=[];if(B)U.push("redis"),J.push("Redis");if(Y)U.push("mongo"),J.push("MongoDB");U.push("sqlite","memory"),J.push("SQLite","Memory");let $=[],W=[];if(Y)$.push("mongo"),W.push("MongoDB");$.push("sqlite","memory"),W.push("SQLite","Memory");let _=Q("Auth store:",W);T=$[_];let H=Q("Sessions store:",J);q=U[H];let Z=Q("Cache store:",J);v=U[Z];let F=Q("OAuth state store:",J);O=U[F]}var s=T==="sqlite"||q==="sqlite"||v==="sqlite"||O==="sqlite";console.log("");var R="web-saas",m=null,t=Q("How would you like to configure auth?",["Use a preset     (pick a security posture, get sensible defaults)","Step by step     (choose features individually)"]);if(t===0){let z=Q("Which best describes your app?",["Web app / SaaS       (CSRF, refresh tokens, botProtection)","Internal / admin     (MFA required, no refresh tokens, tight limits)",'Mobile / API only    (no CSRF, cors: "*", header auth)',"Dev / prototype      (permissive \u2014 iterate fast, no rate limits)"]);R=["web-saas","internal","mobile-api","dev"][z]}else{R="custom";let z=Q("Password policy:",["Relaxed (8 chars)","Strong (12+ chars, special required)","Minimal (dev only)"]),G=["relaxed","strong","minimal"][z],J=Q("Email verification:",["Yes","No"])===0,W=Q("Password reset:",["Yes","No"])===0,H=Q("Refresh tokens:",["Yes","No"])===0,Z=Q("MFA:",["None","Optional (users opt in)","Required (all users)"]),F=["none","optional","required"][Z],h=Q("CSRF protection:",["Yes","No"])===0,P=[],d=["Google","GitHub","Apple","Microsoft"];while(!0){let j=[...d.filter((c)=>!P.includes(c)),"None (done)"],u=Q("OAuth providers (select all that apply):",j),f=j[u];if(f==="None (done)")break;P.push(f)}m={passwordPolicy:G,emailVerification:J,passwordReset:W,refreshTokens:H,mfa:F,csrf:h,oauthProviders:P}}var A=K(process.cwd(),X),V=K(A,"src"),S=K(V,"config"),l=K(V,"lib"),i=K(V,"routes"),o=K(V,"workers"),e=K(V,"queues"),zz=K(V,"ws"),Gz=K(V,"services"),Hz=K(V,"middleware"),Jz=K(V,"models");if(D(A))console.error(`Directory "${X}" already exists.`),process.exit(1);function Kz(){let z=[];if(Y)z.push(`  mongo: "${Y}",`);else z.push("  mongo: false,");if(z.push(`  redis: ${B},`),z.push(`  auth: "${T}",`),z.push(`  sessions: "${q}",`),z.push(`  oauthState: "${O}",`),z.push(`  cache: "${v}",`),s)z.push('  sqlite: path.join(import.meta.dir, "../../data.db"),');return`{
 ${z.join(`
 `)}
-}`}var s=`export const APP_NAME = "${O}";
+}`}function Qz(){if(R==="web-saas")return`export const auth: AuthConfig = {
+  roles: Object.values(USER_ROLES),
+  defaultRole: USER_ROLES.USER,
+  passwordPolicy: { minLength: 8, requireLetter: true, requireDigit: true },
+  // Uncomment to require email verification before login:
+  // emailVerification: {
+  //   required: true,
+  //   onSend: async (email, token) => { /* send via Resend, SendGrid, etc. */ },
+  // },
+  // Uncomment to enable password reset:
+  // passwordReset: {
+  //   onSend: async (email, token) => { /* send via Resend, SendGrid, etc. */ },
+  // },
+  refreshTokens: { accessTokenExpiry: 900, refreshTokenExpiry: 2_592_000 },
+  sessionPolicy: { trackLastActive: true },
+  // Uncomment to enable opt-in MFA (TOTP + email OTP):
+  // mfa: { issuer: APP_NAME },
+};
+
+export const security: SecurityConfig = {
+  cors: ["https://myapp.com"],   // TODO: replace with your domain
+  trustProxy: 1,
+  csrf: { enabled: true },
+  botProtection: { fingerprintRateLimit: true },
+};`;if(R==="internal")return`export const auth: AuthConfig = {
+  roles: ["superadmin", "admin", "viewer"],
+  defaultRole: "viewer",
+  passwordPolicy: { minLength: 14, requireLetter: true, requireDigit: true, requireSpecial: true },
+  mfa: { issuer: APP_NAME, required: true },
+  sessionPolicy: {
+    maxSessions: 2,
+    trackLastActive: true,
+    persistSessionMetadata: true,
+    includeInactiveSessions: true,
+  },
+  rateLimit: { login: { windowMs: 15 * 60 * 1000, max: 5 } },
+};
+
+export const security: SecurityConfig = {
+  cors: ["https://admin.myapp.com"],  // TODO: replace with your domain
+  trustProxy: 1,
+  csrf: { enabled: true },
+  rateLimit: { windowMs: 60_000, max: 30 },
+};`;if(R==="mobile-api")return`export const auth: AuthConfig = {
+  roles: Object.values(USER_ROLES),
+  defaultRole: USER_ROLES.USER,
+  refreshTokens: { accessTokenExpiry: 900, refreshTokenExpiry: 2_592_000, rotationGraceSeconds: 60 },
+  sessionPolicy: { maxSessions: 5 },
+};
+
+export const security: SecurityConfig = {
+  cors: "*",
+  trustProxy: 1,
+  botProtection: { fingerprintRateLimit: true },
+};`;if(R==="dev")return`export const auth: AuthConfig = {
+  roles: Object.values(USER_ROLES),
+  defaultRole: USER_ROLES.USER,
+  passwordPolicy: { minLength: 1, requireLetter: false, requireDigit: false, requireSpecial: false },
+  rateLimit: {
+    login: { windowMs: 60_000, max: 10_000 },
+    register: { windowMs: 60_000, max: 10_000 },
+  },
+};
+
+export const security: SecurityConfig = {
+  cors: "*",
+  bearerAuth: false,
+};`;let z=m,G=["  roles: Object.values(USER_ROLES),","  defaultRole: USER_ROLES.USER,"];if(z.passwordPolicy==="relaxed")G.push("  passwordPolicy: { minLength: 8, requireLetter: true, requireDigit: true },");else if(z.passwordPolicy==="strong")G.push("  passwordPolicy: { minLength: 12, requireLetter: true, requireDigit: true, requireSpecial: true },");else G.push("  passwordPolicy: { minLength: 1, requireLetter: false, requireDigit: false, requireSpecial: false },");if(z.emailVerification)G.push("  emailVerification: {"),G.push("    required: true,"),G.push("    onSend: async (email, token) => { /* send via Resend, SendGrid, etc. */ },"),G.push("  },");if(z.passwordReset)G.push("  passwordReset: {"),G.push("    onSend: async (email, token) => { /* send via Resend, SendGrid, etc. */ },"),G.push("  },");if(z.refreshTokens)G.push("  refreshTokens: { accessTokenExpiry: 900, refreshTokenExpiry: 2_592_000 },");if(z.mfa==="optional")G.push("  mfa: { issuer: APP_NAME },");else if(z.mfa==="required")G.push("  mfa: { issuer: APP_NAME, required: true },");G.push("  sessionPolicy: { trackLastActive: true },");let U=`export const auth: AuthConfig = {
+${G.join(`
+`)}
+};`,J=['  cors: "*",'];if(z.csrf)J.push("  csrf: { enabled: true },");let $=`export const security: SecurityConfig = {
+${J.join(`
+`)}
+};`;return`${U}
+
+${$}`}var Uz=`export const APP_NAME = "${N}";
 export const APP_VERSION = "1.0.0";
 
 export const USER_ROLES = {
   ADMIN: "admin",
   USER: "user",
 };
-`,t=`import path from "path";
+`,Xz=`import path from "path";
 import {
   type AppMeta,
   type AuthConfig,
@@ -36,16 +111,9 @@ export const workersDir = path.join(import.meta.dir, "../workers");
 
 export const port = process.env.PORT ? parseInt(process.env.PORT) : 3000;
 
-export const db: DbConfig = ${n()};
-
-export const auth: AuthConfig = {
-  roles: Object.values(USER_ROLES),
-  defaultRole: USER_ROLES.USER,
-};
+export const db: DbConfig = ${Kz()};
 
-export const security: SecurityConfig = {
-  cors: ["*"],
-};
+${Qz()}
 
 export const appConfig: CreateServerConfig = {
   app,
@@ -56,11 +124,11 @@ export const appConfig: CreateServerConfig = {
   auth,
   security,
 };
-`,i=`import { createServer } from "@lastshotlabs/bunshot";
+`,Yz=`import { createServer } from "@lastshotlabs/bunshot";
 import { appConfig } from "@config/index";
 
 await createServer(appConfig);
-`,o=`# ${O}
+`,Zz=`# ${N}
 
 Built with [@lastshotlabs/bunshot](https://github.com/Last-Shot-Labs/bunshot).
 
@@ -105,7 +173,7 @@ export const router = createRouter();
 
 router.get("/products", (c) => c.json({ products: [] }));
 \`\`\`
-${K?`
+${Y?`
 ## Adding models
 
 \`\`\`ts
@@ -123,7 +191,7 @@ export const Product = appConnection.model("Product", ProductSchema);
 ## Environment variables
 
 See \`.env\` \u2014 fill in the values before running.
-`;function e(){let z=["NODE_ENV=development","PORT=3000"];if(K==="single")z.push(`
+`;function $z(){let z=["NODE_ENV=development","PORT=3000"];if(Y==="single")z.push(`
 # MongoDB
 MONGO_USER_DEV=
 MONGO_PW_DEV=
@@ -132,7 +200,7 @@ MONGO_DB_DEV=
 MONGO_USER_PROD=
 MONGO_PW_PROD=
 MONGO_HOST_PROD=
-MONGO_DB_PROD=`);else if(K==="separate")z.push(`
+MONGO_DB_PROD=`);else if(Y==="separate")z.push(`
 # MongoDB (app data)
 MONGO_USER_DEV=
 MONGO_PW_DEV=
@@ -151,7 +219,7 @@ MONGO_AUTH_DB_DEV=
 MONGO_AUTH_USER_PROD=
 MONGO_AUTH_PW_PROD=
 MONGO_AUTH_HOST_PROD=
-MONGO_AUTH_DB_PROD=`);if(W)z.push(`
+MONGO_AUTH_DB_PROD=`);if(B)z.push(`
 # Redis
 REDIS_HOST_DEV=
 REDIS_USER_DEV=
@@ -168,26 +236,38 @@ BEARER_TOKEN_DEV=
 BEARER_TOKEN_PROD=
 
 # OAuth \u2014 Google (optional)
-GOOGLE_CLIENT_ID=
-GOOGLE_CLIENT_SECRET=
-GOOGLE_REDIRECT_URI=
+# GOOGLE_CLIENT_ID=
+# GOOGLE_CLIENT_SECRET=
+# GOOGLE_REDIRECT_URI=
 
 # OAuth \u2014 Apple (optional)
-APPLE_CLIENT_ID=
-APPLE_TEAM_ID=
-APPLE_KEY_ID=
-APPLE_PRIVATE_KEY=
-APPLE_REDIRECT_URI=`),z.join(`
+# APPLE_CLIENT_ID=
+# APPLE_TEAM_ID=
+# APPLE_KEY_ID=
+# APPLE_PRIVATE_KEY=
+# APPLE_REDIRECT_URI=
+
+# OAuth \u2014 GitHub (optional)
+# GITHUB_CLIENT_ID=
+# GITHUB_CLIENT_SECRET=
+# GITHUB_REDIRECT_URI=
+
+# OAuth \u2014 Microsoft (optional)
+# MICROSOFT_TENANT_ID=
+# MICROSOFT_CLIENT_ID=
+# MICROSOFT_CLIENT_SECRET=
+# MICROSOFT_REDIRECT_URI=`),z.join(`
 `)+`
 `}console.log(`
-@lastshotlabs/bunshot \u2014 creating ${G}
-`);X(U,{recursive:!0});console.log("  Running bun init...");M("bun",["init","-y"],{cwd:U,stdio:"inherit"});var C=B(U,"index.ts");if(N(C))h(C);var y=B(U,"package.json"),L=JSON.parse(D("fs").readFileSync(y,"utf-8"));L.module="src/index.ts";L.scripts={dev:"bun --watch src/index.ts",start:"bun src/index.ts"};L.dependencies={...L.dependencies,"@lastshotlabs/bunshot":"*"};q(y,JSON.stringify(L,null,2)+`
-`,"utf-8");var zz=B(U,"tsconfig.json"),Az={compilerOptions:{lib:["ESNext"],target:"ESNext",module:"Preserve",moduleDetection:"force",jsx:"react-jsx",allowJs:!0,moduleResolution:"bundler",allowImportingTsExtensions:!0,verbatimModuleSyntax:!0,noEmit:!0,strict:!0,skipLibCheck:!0,noFallthroughCasesInSwitch:!0,noUncheckedIndexedAccess:!0,noImplicitOverride:!0,noUnusedLocals:!1,noUnusedParameters:!1,noPropertyAccessFromIndexSignature:!1,paths:{"@lib/*":["./src/lib/*"],"@middleware/*":["./src/middleware/*"],"@models/*":["./src/models/*"],"@queues/*":["./src/queues/*"],"@routes/*":["./src/routes/*"],"@scripts/*":["./src/scripts/*"],"@services/*":["./src/services/*"],"@workers/*":["./src/workers/*"],"@service-facades/*":["./src/service-facades/*"],"@config/*":["./src/config/*"],"@constants/*":["./src/lib/constants/*"]}}};q(zz,JSON.stringify(Az,null,2)+`
-`,"utf-8");X(k,{recursive:!0});X(j,{recursive:!0});X(p,{recursive:!0});X(l,{recursive:!0});X(u,{recursive:!0});X(d,{recursive:!0});X(c,{recursive:!0});X(a,{recursive:!0});X(r,{recursive:!0});q(B(j,"constants.ts"),s,"utf-8");q(B(k,"index.ts"),t,"utf-8");q(B(Y,"index.ts"),i,"utf-8");q(B(U,".env"),e(),"utf-8");q(B(U,"README.md"),o,"utf-8");console.log("  Created:");console.log(`    + ${G}/src/index.ts`);console.log(`    + ${G}/src/config/index.ts`);console.log(`    + ${G}/src/lib/constants.ts`);console.log(`    + ${G}/src/routes/`);console.log(`    + ${G}/src/workers/`);console.log(`    + ${G}/src/queues/`);console.log(`    + ${G}/src/ws/`);console.log(`    + ${G}/src/services/`);console.log(`    + ${G}/src/middleware/`);console.log(`    + ${G}/src/models/`);console.log(`    + ${G}/.env`);console.log(`    + ${G}/README.md`);console.log(`
-  DB config:`);console.log(`    mongo: ${K||"none"} | redis: ${W}`);console.log(`    auth: ${P} | sessions: ${v} | cache: ${T} | oauthState: ${F}`);console.log(`
-  Initializing git...`);var Bz=M("git",["init"],{cwd:U,stdio:"inherit"});if(Bz.status!==0)console.error("  git init failed \u2014 skipping.");console.log(`
-  Installing dependencies...`);var Gz=M("bun",["install"],{cwd:U,stdio:"inherit"});if(Gz.status!==0)console.error(`
+@lastshotlabs/bunshot \u2014 creating ${X}
+`);E(A,{recursive:!0});console.log("  Running bun init...");w("bun",["init","-y"],{cwd:A,stdio:"inherit"});var k=K(A,"index.ts");if(D(k))r(k);var p=K(A,"package.json"),M=JSON.parse(a("fs").readFileSync(p,"utf-8"));M.module="src/index.ts";M.scripts={dev:"bun --watch src/index.ts",start:"bun src/index.ts"};M.dependencies={...M.dependencies,"@lastshotlabs/bunshot":"*"};I(p,JSON.stringify(M,null,2)+`
+`,"utf-8");var Az=K(A,"tsconfig.json"),Ez={compilerOptions:{lib:["ESNext"],target:"ESNext",module:"Preserve",moduleDetection:"force",jsx:"react-jsx",allowJs:!0,moduleResolution:"bundler",allowImportingTsExtensions:!0,verbatimModuleSyntax:!0,noEmit:!0,strict:!0,skipLibCheck:!0,noFallthroughCasesInSwitch:!0,noUncheckedIndexedAccess:!0,noImplicitOverride:!0,noUnusedLocals:!1,noUnusedParameters:!1,noPropertyAccessFromIndexSignature:!1,paths:{"@lib/*":["./src/lib/*"],"@middleware/*":["./src/middleware/*"],"@models/*":["./src/models/*"],"@queues/*":["./src/queues/*"],"@routes/*":["./src/routes/*"],"@scripts/*":["./src/scripts/*"],"@services/*":["./src/services/*"],"@workers/*":["./src/workers/*"],"@service-facades/*":["./src/service-facades/*"],"@config/*":["./src/config/*"],"@constants/*":["./src/lib/constants/*"]}}};I(Az,JSON.stringify(Ez,null,2)+`
+`,"utf-8");E(S,{recursive:!0});E(l,{recursive:!0});E(i,{recursive:!0});E(o,{recursive:!0});E(e,{recursive:!0});E(zz,{recursive:!0});E(Gz,{recursive:!0});E(Hz,{recursive:!0});E(Jz,{recursive:!0});I(K(l,"constants.ts"),Uz,"utf-8");I(K(S,"index.ts"),Xz,"utf-8");I(K(V,"index.ts"),Yz,"utf-8");I(K(A,".env"),$z(),"utf-8");I(K(A,"README.md"),Zz,"utf-8");console.log("  Created:");console.log(`    + ${X}/src/index.ts`);console.log(`    + ${X}/src/config/index.ts`);console.log(`    + ${X}/src/lib/constants.ts`);console.log(`    + ${X}/src/routes/`);console.log(`    + ${X}/src/workers/`);console.log(`    + ${X}/src/queues/`);console.log(`    + ${X}/src/ws/`);console.log(`    + ${X}/src/services/`);console.log(`    + ${X}/src/middleware/`);console.log(`    + ${X}/src/models/`);console.log(`    + ${X}/.env`);console.log(`    + ${X}/README.md`);console.log(`
+  DB config:`);console.log(`    mongo: ${Y||"none"} | redis: ${B}`);console.log(`    auth: ${T} | sessions: ${q} | cache: ${v} | oauthState: ${O}`);console.log(`
+  Auth config:`);console.log(`    posture: ${R}`);console.log(`
+  Initializing git...`);var Vz=w("git",["init"],{cwd:A,stdio:"inherit"});if(Vz.status!==0)console.error("  git init failed \u2014 skipping.");console.log(`
+  Installing dependencies...`);var Wz=w("bun",["install"],{cwd:A,stdio:"inherit"});if(Wz.status!==0)console.error(`
   bun install failed. Run it manually inside the directory.`),process.exit(1);console.log(`
 Done! Next steps:
-`);console.log(`  cd ${G}`);console.log("  # fill in .env");console.log(`  bun dev
+`);console.log(`  cd ${X}`);console.log("  # fill in .env");console.log(`  bun dev
 `);

package/dist/index.d.ts

@@ -1,34 +1,47 @@
 export { createApp } from "./app";
 export { createServer } from "./server";
-export type { CreateAppConfig, ModelSchemasConfig, DbConfig, AppMeta, AuthConfig, AuthRateLimitConfig, AccountDeletionConfig, OAuthConfig, SecurityConfig, CsrfConfig, BotProtectionConfig, PrimaryField, EmailVerificationConfig, PasswordResetConfig, RefreshTokenConfig, MfaConfig, MfaEmailOtpConfig, MfaWebAuthnConfig, JobsConfig, TenancyConfig, TenantConfig } from "./app";
+export type { SecurityEvent, SecurityEventType, SecurityEventConfig } from "./lib/securityEvents";
+export { emitSecurityEvent, setSecurityEventConfig, getSecurityEventConfig } from "./lib/securityEvents";
+export type { CreateAppConfig, ModelSchemasConfig, DbConfig, AppMeta, AuthConfig, AuthRateLimitConfig, AccountDeletionConfig, OAuthConfig, SecurityConfig, CsrfConfig, BotProtectionConfig, PrimaryField, EmailVerificationConfig, PasswordResetConfig, RefreshTokenConfig, MfaConfig, MfaEmailOtpConfig, MfaWebAuthnConfig, JobsConfig, TenancyConfig, TenantConfig, LoggingConfig, MetricsConfig, ValidationConfig, VersioningConfig, SigningConfig, JwtConfig, BreachedPasswordConfig, StepUpConfig, OidcConfig, SamlConfig, ScimConfig } from "./app";
+export { setScimTokens } from "./middleware/scimAuth";
 export type { PasswordPolicyConfig } from "./lib/appConfig";
+export type { SamlProfile } from "./lib/saml";
 export type { CreateServerConfig, WsConfig } from "./server";
 export { appConnection, authConnection, mongoose, connectMongo, connectAuthMongo, connectAppMongo, disconnectMongo } from "./lib/mongo";
 export { connectRedis, disconnectRedis, getRedis } from "./lib/redis";
 export { getAppRoles } from "./lib/appConfig";
-export { HttpError } from "./lib/HttpError";
-export { COOKIE_TOKEN, HEADER_USER_TOKEN, COOKIE_REFRESH_TOKEN, HEADER_REFRESH_TOKEN, COOKIE_CSRF_TOKEN, HEADER_CSRF_TOKEN } from "./lib/constants";
+export { HttpError, ValidationError } from "./lib/HttpError";
+export { COOKIE_TOKEN, HEADER_USER_TOKEN, COOKIE_REFRESH_TOKEN, HEADER_REFRESH_TOKEN, COOKIE_CSRF_TOKEN, HEADER_CSRF_TOKEN, HEADER_REQUEST_ID, HEADER_IDEMPOTENCY_KEY, HEADER_SIGNATURE, HEADER_TIMESTAMP } from "./lib/constants";
 export { createRouter } from "./lib/context";
-export { createRoute, withSecurity, registerSchema, registerSchemas } from "./lib/createRoute";
+export { createRoute, withSecurity, registerSchema, registerSchemas, setVersionPrefix, clearVersionPrefix } from "./lib/createRoute";
+export { stripUnreferencedSchemas } from "./lib/stripUnreferencedSchemas";
 export { zodToMongoose } from "./lib/zodToMongoose";
 export type { ZodToMongooseConfig, ZodToMongooseRefConfig } from "./lib/zodToMongoose";
 export { createDtoMapper } from "./lib/createDtoMapper";
 export type { DtoMapperConfig } from "./lib/createDtoMapper";
-export type { AppEnv, AppVariables } from "./lib/context";
+export type { AppEnv, AppVariables, ValidationErrorFormatter, DefaultValidationErrorBody, ValidationErrorDetail } from "./lib/context";
+export { defaultValidationErrorFormatter } from "./lib/context";
 export { signToken, verifyToken } from "./lib/jwt";
+export { getJwks, loadJwksKey, generateAndLoadKeyPair, isJwksLoaded } from "./lib/jwks";
 export { log } from "./lib/logger";
 export { createResetToken, consumeResetToken, setPasswordResetStore } from "./lib/resetPassword";
+export { createDeletionCancelToken, consumeDeletionCancelToken, setDeletionCancelTokenStore } from "./lib/deletionCancelToken";
 export { timingSafeEqual, sha256 } from "./lib/crypto";
+export { hmacSign, hmacVerify, signCookieValue, verifyCookieValue, signCursor, verifyCursor, createPresignedUrl, verifyPresignedUrl } from "./lib/signing";
+export { idempotent, setIdempotencyStore, clearIdempotencyMemoryStore } from "./lib/idempotency";
+export type { IdempotencyOptions } from "./lib/idempotency";
 export { getClientIp, setTrustProxy } from "./lib/clientIp";
 export { storeOAuthCode, consumeOAuthCode, setOAuthCodeStore } from "./lib/oauthCode";
 export type { OAuthCodePayload } from "./lib/oauthCode";
-export { createSession, getSession, deleteSession, getUserSessions, getActiveSessionCount, evictOldestSession, updateSessionLastActive, setSessionStore, deleteUserSessions, setRefreshToken, getSessionByRefreshToken, rotateRefreshToken } from "./lib/session";
+export { createSession, getSession, deleteSession, getUserSessions, getActiveSessionCount, evictOldestSession, updateSessionLastActive, setSessionStore, deleteUserSessions, setRefreshToken, getSessionByRefreshToken, rotateRefreshToken, getSessionFingerprint, setSessionFingerprint, setMfaVerifiedAt, getMfaVerifiedAt } from "./lib/session";
 export type { SessionMetadata, SessionInfo, RefreshResult } from "./lib/session";
 export { createVerificationToken, getVerificationToken, deleteVerificationToken } from "./lib/emailVerification";
 export { createMfaChallenge, consumeMfaChallenge, replaceMfaChallengeOtp, setMfaChallengeStore, createWebAuthnRegistrationChallenge, consumeWebAuthnRegistrationChallenge, clearMemoryMfaChallenges } from "./lib/mfaChallenge";
 export type { MfaChallengeData, MfaChallengeOptions, MfaChallengePurpose } from "./lib/mfaChallenge";
 export { bustAuthLimit, trackAttempt, isLimited, clearMemoryRateLimitStore } from "./lib/authRateLimit";
 export type { LimitOpts } from "./lib/authRateLimit";
+export { trackFailedLogin, isStuffingBlocked, setCredentialStuffingConfig, clearCredentialStuffingStore } from "./lib/credentialStuffing";
+export type { CredentialStuffingConfig } from "./lib/credentialStuffing";
 export { validate } from "./lib/validate";
 export { bearerAuth } from "./middleware/bearerAuth";
 export { botProtection } from "./middleware/botProtection";
@@ -39,18 +52,66 @@ export type { RateLimitOptions } from "./middleware/rateLimit";
 export { userAuth } from "./middleware/userAuth";
 export { requireRole } from "./middleware/requireRole";
 export { requireVerifiedEmail } from "./middleware/requireVerifiedEmail";
+export { requireMfaSetup } from "./middleware/requireMfaSetup";
+export { requireStepUp } from "./middleware/requireStepUp";
+export type { StepUpOptions } from "./middleware/requireStepUp";
 export { csrfProtection, refreshCsrfToken, clearCsrfToken } from "./middleware/csrf";
 export type { CsrfMiddlewareOptions } from "./middleware/csrf";
 export { cacheResponse, bustCache, bustCachePattern, setCacheStore, getCacheModel } from "./middleware/cacheResponse";
+export { webhookAuth } from "./middleware/webhookAuth";
+export type { WebhookAuthOptions, WebhookTimestampOptions } from "./middleware/webhookAuth";
+export { requireSignedRequest } from "./middleware/requestSigning";
+export type { RequestSigningOptions } from "./middleware/requestSigning";
+export { auditLog } from "./middleware/auditLog";
+export type { AuditLogMiddlewareOptions } from "./middleware/auditLog";
+export { requestId } from "./middleware/requestId";
+export { requestLogger } from "./middleware/requestLogger";
+export type { RequestLogEntry, RequestLoggerOptions, LogLevel } from "./middleware/requestLogger";
+export { metricsCollector } from "./middleware/metrics";
+export type { MetricsMiddlewareOptions } from "./middleware/metrics";
+export { requireCaptcha } from "./middleware/captcha";
+export type { CaptchaConfig, CaptchaProvider } from "./lib/captcha";
+export { verifyCaptcha } from "./lib/captcha";
+export { requireScope } from "./middleware/requireScope";
+export { createM2MClient, deleteM2MClient, listM2MClients, getM2MClient } from "./lib/m2m";
+export type { M2MClientRecord } from "./lib/authAdapter";
+export type { M2MConfig } from "./lib/appConfig";
 export { buildFingerprint } from "./lib/fingerprint";
+export { logAuditEntry, getAuditLogs, clearAuditLogMemoryStore } from "./lib/auditLog";
+export { resetMetrics, incrementCounter, observeHistogram, registerGaugeCallback, serializeMetrics, closeMetricsQueues } from "./lib/metrics";
+export type { AuditLogEntry, AuditLogOptions, AuditLogQuery } from "./lib/auditLog";
 export { sqliteAuthAdapter, setSqliteDb, startSqliteCleanup } from "./adapters/sqliteAuth";
 export { memoryAuthAdapter, clearMemoryStore } from "./adapters/memoryAuth";
 export { setUserRoles, addUserRole, removeUserRole, getTenantRoles, setTenantRoles, addTenantRole, removeTenantRole } from "./lib/roles";
-export type { AuthAdapter, OAuthProfile, WebAuthnCredential } from "./lib/authAdapter";
+export { setSuspended, getSuspended } from "./lib/suspension";
+export type { AuthAdapter, OAuthProfile, IdentityProfile, UserRecord, UserQuery, WebAuthnCredential } from "./lib/authAdapter";
 export type { OAuthProviderConfig } from "./lib/oauth";
 export { websocket, createWsUpgradeHandler } from "./ws/index";
 export type { SocketData } from "./ws/index";
-export { publish, subscribe, unsubscribe, getSubscriptions, handleRoomActions, getRooms, getRoomSubscribers } from "./lib/ws";
+export { publish, subscribe, unsubscribe, getSubscriptions, handleRoomActions, getRooms, getRoomSubscribers, setPresenceEnabled } from "./lib/ws";
+export { registerSocket, deregisterSocket, handlePong, startHeartbeat, stopHeartbeat, clearHeartbeatState } from "./lib/wsHeartbeat";
+export type { HeartbeatConfig } from "./lib/wsHeartbeat";
+export { trackSocket, untrackSocket, addPresence, removePresence, cleanupPresence, getRoomPresence, getUserPresence, clearPresenceStore } from "./lib/wsPresence";
+export { persistMessage, getMessageHistory, configureRoom, setWsMessageStore, setWsMessageDefaults, clearWsMessageMemoryStore } from "./lib/wsMessages";
+export type { StoredMessage, WsMessageStore, WsMessageDefaults, RoomPersistenceConfig } from "./lib/wsMessages";
 export { createTenant, deleteTenant, getTenant, listTenants } from "./lib/tenant";
 export type { TenantInfo, CreateTenantOptions } from "./lib/tenant";
 export { invalidateTenantCache } from "./middleware/tenant";
+export { createGroup, deleteGroup, getGroup, listGroups, updateGroup, addGroupMember, updateGroupMembership, removeGroupMember, getGroupMembers, getUserGroups, getEffectiveRoles, } from "./lib/groups";
+export type { GroupRecord, GroupMembershipRecord, PaginationOpts, PaginatedResult } from "./lib/groups";
+export type { GroupsConfig, GroupsManagementConfig } from "./routes/groups";
+export { offsetParams, parseOffsetParams, paginatedResponse, cursorParams, parseCursorParams, cursorResponse, maybeSignCursor, } from "./lib/pagination";
+export type { OffsetParamDefaults, ParsedOffsetParams, CursorParamDefaults, ParsedCursorParams, CursorResult, } from "./lib/pagination";
+export { handleUpload } from "./middleware/upload";
+export type { UploadMiddlewareOptions } from "./middleware/upload";
+export { parseUpload, setStorageAdapter, getStorageAdapter, setUploadConfig, getUploadConfig, generateUploadKeyFromFilename } from "./lib/upload";
+export type { UploadOpts } from "./lib/upload";
+export { setUploadRegistryStore, clearUploadRegistry, registerUpload, getUploadRecord, deleteUploadRecord } from "./lib/uploadRegistry";
+export type { UploadRecord } from "./lib/uploadRegistry";
+export type { StorageAdapter, UploadResult } from "./lib/storageAdapter";
+export type { UploadConfig, PresignedUrlConfig } from "./app";
+export { memoryStorage, clearMemoryUploadStore } from "./adapters/memoryStorage";
+export { localStorage } from "./adapters/localStorage";
+export type { LocalStorageConfig } from "./adapters/localStorage";
+export { s3Storage } from "./adapters/s3Storage";
+export type { S3StorageConfig } from "./adapters/s3Storage";

package/dist/index.js

@@ -1,27 +1,36 @@
 // App factory
 export { createApp } from "./app";
 export { createServer } from "./server";
+export { emitSecurityEvent, setSecurityEventConfig, getSecurityEventConfig } from "./lib/securityEvents";
+export { setScimTokens } from "./middleware/scimAuth";
 // Database
 export { appConnection, authConnection, mongoose, connectMongo, connectAuthMongo, connectAppMongo, disconnectMongo } from "./lib/mongo";
 export { connectRedis, disconnectRedis, getRedis } from "./lib/redis";
 // Lib utilities
 export { getAppRoles } from "./lib/appConfig";
-export { HttpError } from "./lib/HttpError";
-export { COOKIE_TOKEN, HEADER_USER_TOKEN, COOKIE_REFRESH_TOKEN, HEADER_REFRESH_TOKEN, COOKIE_CSRF_TOKEN, HEADER_CSRF_TOKEN } from "./lib/constants";
+export { HttpError, ValidationError } from "./lib/HttpError";
+export { COOKIE_TOKEN, HEADER_USER_TOKEN, COOKIE_REFRESH_TOKEN, HEADER_REFRESH_TOKEN, COOKIE_CSRF_TOKEN, HEADER_CSRF_TOKEN, HEADER_REQUEST_ID, HEADER_IDEMPOTENCY_KEY, HEADER_SIGNATURE, HEADER_TIMESTAMP } from "./lib/constants";
 export { createRouter } from "./lib/context";
-export { createRoute, withSecurity, registerSchema, registerSchemas } from "./lib/createRoute";
+export { createRoute, withSecurity, registerSchema, registerSchemas, setVersionPrefix, clearVersionPrefix } from "./lib/createRoute";
+export { stripUnreferencedSchemas } from "./lib/stripUnreferencedSchemas";
 export { zodToMongoose } from "./lib/zodToMongoose";
 export { createDtoMapper } from "./lib/createDtoMapper";
+export { defaultValidationErrorFormatter } from "./lib/context";
 export { signToken, verifyToken } from "./lib/jwt";
+export { getJwks, loadJwksKey, generateAndLoadKeyPair, isJwksLoaded } from "./lib/jwks";
 export { log } from "./lib/logger";
 export { createResetToken, consumeResetToken, setPasswordResetStore } from "./lib/resetPassword";
+export { createDeletionCancelToken, consumeDeletionCancelToken, setDeletionCancelTokenStore } from "./lib/deletionCancelToken";
 export { timingSafeEqual, sha256 } from "./lib/crypto";
+export { hmacSign, hmacVerify, signCookieValue, verifyCookieValue, signCursor, verifyCursor, createPresignedUrl, verifyPresignedUrl } from "./lib/signing";
+export { idempotent, setIdempotencyStore, clearIdempotencyMemoryStore } from "./lib/idempotency";
 export { getClientIp, setTrustProxy } from "./lib/clientIp";
 export { storeOAuthCode, consumeOAuthCode, setOAuthCodeStore } from "./lib/oauthCode";
-export { createSession, getSession, deleteSession, getUserSessions, getActiveSessionCount, evictOldestSession, updateSessionLastActive, setSessionStore, deleteUserSessions, setRefreshToken, getSessionByRefreshToken, rotateRefreshToken } from "./lib/session";
+export { createSession, getSession, deleteSession, getUserSessions, getActiveSessionCount, evictOldestSession, updateSessionLastActive, setSessionStore, deleteUserSessions, setRefreshToken, getSessionByRefreshToken, rotateRefreshToken, getSessionFingerprint, setSessionFingerprint, setMfaVerifiedAt, getMfaVerifiedAt } from "./lib/session";
 export { createVerificationToken, getVerificationToken, deleteVerificationToken } from "./lib/emailVerification";
 export { createMfaChallenge, consumeMfaChallenge, replaceMfaChallengeOtp, setMfaChallengeStore, createWebAuthnRegistrationChallenge, consumeWebAuthnRegistrationChallenge, clearMemoryMfaChallenges } from "./lib/mfaChallenge";
 export { bustAuthLimit, trackAttempt, isLimited, clearMemoryRateLimitStore } from "./lib/authRateLimit";
+export { trackFailedLogin, isStuffingBlocked, setCredentialStuffingConfig, clearCredentialStuffingStore } from "./lib/credentialStuffing";
 export { validate } from "./lib/validate";
 // Middleware
 export { bearerAuth } from "./middleware/bearerAuth";
@@ -31,17 +40,49 @@ export { rateLimit } from "./middleware/rateLimit";
 export { userAuth } from "./middleware/userAuth";
 export { requireRole } from "./middleware/requireRole";
 export { requireVerifiedEmail } from "./middleware/requireVerifiedEmail";
+export { requireMfaSetup } from "./middleware/requireMfaSetup";
+export { requireStepUp } from "./middleware/requireStepUp";
 export { csrfProtection, refreshCsrfToken, clearCsrfToken } from "./middleware/csrf";
 export { cacheResponse, bustCache, bustCachePattern, setCacheStore, getCacheModel } from "./middleware/cacheResponse";
+export { webhookAuth } from "./middleware/webhookAuth";
+export { requireSignedRequest } from "./middleware/requestSigning";
+export { auditLog } from "./middleware/auditLog";
+export { requestId } from "./middleware/requestId";
+export { requestLogger } from "./middleware/requestLogger";
+export { metricsCollector } from "./middleware/metrics";
+export { requireCaptcha } from "./middleware/captcha";
+export { verifyCaptcha } from "./lib/captcha";
+export { requireScope } from "./middleware/requireScope";
+export { createM2MClient, deleteM2MClient, listM2MClients, getM2MClient } from "./lib/m2m";
 // Lib utilities (bot protection)
 export { buildFingerprint } from "./lib/fingerprint";
+export { logAuditEntry, getAuditLogs, clearAuditLogMemoryStore } from "./lib/auditLog";
+export { resetMetrics, incrementCounter, observeHistogram, registerGaugeCallback, serializeMetrics, closeMetricsQueues } from "./lib/metrics";
 // Models
 export { sqliteAuthAdapter, setSqliteDb, startSqliteCleanup } from "./adapters/sqliteAuth";
 export { memoryAuthAdapter, clearMemoryStore } from "./adapters/memoryAuth";
 export { setUserRoles, addUserRole, removeUserRole, getTenantRoles, setTenantRoles, addTenantRole, removeTenantRole } from "./lib/roles";
+export { setSuspended, getSuspended } from "./lib/suspension";
 // WebSocket
 export { websocket, createWsUpgradeHandler } from "./ws/index";
-export { publish, subscribe, unsubscribe, getSubscriptions, handleRoomActions, getRooms, getRoomSubscribers } from "./lib/ws";
+export { publish, subscribe, unsubscribe, getSubscriptions, handleRoomActions, getRooms, getRoomSubscribers, setPresenceEnabled } from "./lib/ws";
+// WebSocket — Heartbeat
+export { registerSocket, deregisterSocket, handlePong, startHeartbeat, stopHeartbeat, clearHeartbeatState } from "./lib/wsHeartbeat";
+// WebSocket — Presence
+export { trackSocket, untrackSocket, addPresence, removePresence, cleanupPresence, getRoomPresence, getUserPresence, clearPresenceStore } from "./lib/wsPresence";
+// WebSocket — Message Persistence
+export { persistMessage, getMessageHistory, configureRoom, setWsMessageStore, setWsMessageDefaults, clearWsMessageMemoryStore } from "./lib/wsMessages";
 // Tenancy
 export { createTenant, deleteTenant, getTenant, listTenants } from "./lib/tenant";
 export { invalidateTenantCache } from "./middleware/tenant";
+// Groups
+export { createGroup, deleteGroup, getGroup, listGroups, updateGroup, addGroupMember, updateGroupMembership, removeGroupMember, getGroupMembers, getUserGroups, getEffectiveRoles, } from "./lib/groups";
+// Pagination helpers
+export { offsetParams, parseOffsetParams, paginatedResponse, cursorParams, parseCursorParams, cursorResponse, maybeSignCursor, } from "./lib/pagination";
+// Upload
+export { handleUpload } from "./middleware/upload";
+export { parseUpload, setStorageAdapter, getStorageAdapter, setUploadConfig, getUploadConfig, generateUploadKeyFromFilename } from "./lib/upload";
+export { setUploadRegistryStore, clearUploadRegistry, registerUpload, getUploadRecord, deleteUploadRecord } from "./lib/uploadRegistry";
+export { memoryStorage, clearMemoryUploadStore } from "./adapters/memoryStorage";
+export { localStorage } from "./adapters/localStorage";
+export { s3Storage } from "./adapters/s3Storage";

package/dist/lib/HttpError.d.ts

@@ -1,4 +1,10 @@
 export declare class HttpError extends Error {
     status: number;
-    constructor(status: number, message: string);
+    code?: string | undefined;
+    constructor(status: number, message: string, code?: string | undefined);
+}
+import type { ZodIssue } from "zod";
+export declare class ValidationError extends HttpError {
+    readonly issues: ZodIssue[];
+    constructor(issues: ZodIssue[]);
 }

package/dist/lib/HttpError.js

@@ -1,7 +1,16 @@
 export class HttpError extends Error {
     status;
-    constructor(status, message) {
+    code;
+    constructor(status, message, code) {
         super(message);
         this.status = status;
+        this.code = code;
+    }
+}
+export class ValidationError extends HttpError {
+    issues;
+    constructor(issues) {
+        super(400, "Validation failed");
+        this.issues = issues;
     }
 }