@lastshotlabs/bunshot 0.0.25 → 0.0.27

package/dist/app.d.ts

@@ -2,10 +2,12 @@ import { OpenAPIHono } from "@hono/zod-openapi";
 import type { MiddlewareHandler } from "hono";
 import type { AppEnv, ValidationErrorFormatter } from "./lib/context";
 import type { RequestLogEntry, LogLevel } from "./middleware/requestLogger";
-import type { PrimaryField, EmailVerificationConfig, PasswordResetConfig, PasswordPolicyConfig, RefreshTokenConfig, MfaConfig, MfaEmailOtpConfig, MfaWebAuthnConfig, SigningConfig } from "./lib/appConfig";
+import type { PrimaryField, EmailVerificationConfig, PasswordResetConfig, PasswordPolicyConfig, RefreshTokenConfig, MfaConfig, MfaEmailOtpConfig, MfaWebAuthnConfig, SigningConfig, JwtConfig, BreachedPasswordConfig, StepUpConfig, M2MConfig, OidcConfig, SamlConfig, ScimConfig } from "./lib/appConfig";
+import type { CaptchaConfig } from "./lib/captcha";
 import type { AuthAdapter } from "./lib/authAdapter";
 import type { OAuthProviderConfig } from "./lib/oauth";
 type StoreType = "redis" | "mongo" | "sqlite" | "memory";
+export type { BreachedPasswordConfig } from "./lib/appConfig";
 export interface DbConfig {
     /**
      * Absolute path to the SQLite database file.
@@ -117,6 +119,22 @@ export interface AuthRateLimitConfig {
      * Use "redis" for multi-instance deployments so limits are shared across servers.
      */
     store?: "memory" | "redis";
+    /** Credential stuffing detection. Tracks distinct accounts per IP and IPs per account. */
+    credentialStuffing?: {
+        maxAccountsPerIp?: {
+            count: number;
+            windowMs: number;
+        };
+        maxIpsPerAccount?: {
+            count: number;
+            windowMs: number;
+        };
+        onDetected?: (signal: {
+            type: "ip" | "account";
+            key: string;
+            count: number;
+        }) => void;
+    };
 }
 export interface AuthConfig {
     /** Set false to skip mounting /auth/* routes. Defaults to true */
@@ -173,6 +191,49 @@ export interface AuthConfig {
      * OAuth logins skip MFA (the OAuth provider is treated as the second factor).
      */
     mfa?: MfaConfig;
+    /**
+     * JWT claims configuration. When set, `iss`, `aud`, and `iat` are included in all tokens.
+     * Tokens with a non-matching issuer or audience will fail verification.
+     *
+     * - **`iss`** (issuer) and **`aud`** (audience) are validated on every token verification when
+     *   configured. A token issued for a different issuer or intended for a different audience is
+     *   rejected outright.
+     * - **`iat`** (issued-at) is always included in tokens once this config is set. Use it to detect
+     *   token reuse or implement absolute expiry windows independent of `exp`.
+     *
+     * Recommended for fintech and multi-service deployments where tokens from one service should
+     * never be accepted by another.
+     * Use `algorithm: "RS256"` to enable OIDC mode.
+     */
+    jwt?: JwtConfig;
+    /**
+     * When true, suspension status is checked on every authenticated request (via identify middleware).
+     * This adds one adapter call per request. Default: false.
+     * Suspension is always enforced at login time regardless of this setting.
+     */
+    checkSuspensionOnIdentify?: boolean;
+    /**
+     * Breached password detection using the HaveIBeenPwned k-Anonymity API.
+     * Checks passwords at registration and reset. No full hash leaves the server.
+     */
+    breachedPasswordCheck?: BreachedPasswordConfig;
+    /**
+     * Step-up MFA configuration. When set, the requireStepUp() middleware and
+     * POST /auth/step-up endpoint are available. Requires auth.mfa to be configured.
+     */
+    stepUp?: StepUpConfig;
+    /** M2M client credentials configuration. Enables POST /oauth/token with client_credentials grant. */
+    m2m?: M2MConfig;
+    /**
+     * OIDC discovery and RS256 JWT signing configuration.
+     * When set, mounts /.well-known/openid-configuration and /.well-known/jwks.json.
+     * Auto-generates an RSA-2048 key pair on startup if signingKey is not provided.
+     */
+    oidc?: OidcConfig;
+    /** SAML 2.0 SSO configuration. Enables /auth/saml/* routes. Requires samlify peer dependency. */
+    saml?: SamlConfig;
+    /** SCIM 2.0 user provisioning. Enables /scim/v2/* endpoints with its own bearer token. */
+    scim?: ScimConfig;
 }
 export interface AccountDeletionConfig {
     /** Called before deletion. Throw to abort (e.g., active subscription check). */
@@ -205,7 +266,8 @@ export interface AuthSessionPolicyConfig {
      */
     trackLastActive?: boolean;
 }
-export type { PrimaryField, EmailVerificationConfig, PasswordResetConfig, RefreshTokenConfig, MfaConfig, MfaEmailOtpConfig, MfaWebAuthnConfig, SigningConfig };
+export type { PrimaryField, EmailVerificationConfig, PasswordResetConfig, RefreshTokenConfig, MfaConfig, MfaEmailOtpConfig, MfaWebAuthnConfig, SigningConfig, JwtConfig, StepUpConfig, OidcConfig, SamlConfig, ScimConfig };
+export type { CaptchaConfig, CaptchaProvider } from "./lib/captcha";
 export interface BotProtectionConfig {
     /**
      * List of IPv4 CIDRs (e.g. "198.51.100.0/24"), IPv4 addresses, or IPv6 addresses to block outright.
@@ -273,6 +335,11 @@ export interface SecurityConfig {
      * idempotency key hashing, and session binding. All features are opt-in.
      */
     signing?: SigningConfig;
+    /**
+     * Global CAPTCHA configuration. When set, use requireCaptcha() middleware on specific routes,
+     * or enable adaptive mode to auto-require CAPTCHA after rate limit thresholds.
+     */
+    captcha?: CaptchaConfig;
 }
 export interface ModelSchemasConfig {
     /**
@@ -315,6 +382,12 @@ export interface JobsConfig {
     allowedQueues?: string[];
     /** When using userAuth, restrict job visibility to the user who created it. Default: false. */
     scopeToUser?: boolean;
+    /**
+     * Explicitly acknowledge that jobs endpoint is public in production.
+     * Set to true only when auth is "none" and you understand the risk.
+     * Without this, createApp throws in production when auth is "none".
+     */
+    unsafePublic?: boolean;
 }
 export interface TenantConfig {
     [key: string]: unknown;
@@ -368,6 +441,12 @@ export interface MetricsConfig {
     normalizePath?: (path: string) => string;
     /** BullMQ queue names to report depth gauges for. */
     queues?: string[];
+    /**
+     * Explicitly acknowledge that metrics endpoint is public in production.
+     * Set to true only when auth is "none" and you understand the risk.
+     * Without this, createApp throws in production when auth is "none".
+     */
+    unsafePublic?: boolean;
 }
 export interface ValidationConfig {
     /** Custom formatter for Zod validation errors. Receives issues + requestId, returns the JSON body. */
@@ -407,6 +486,24 @@ export interface UploadConfig {
     }) => string;
     tenantScopedKeys?: boolean;
     presignedUrls?: boolean | PresignedUrlConfig;
+    /**
+     * Authorization callback for upload read/delete operations.
+     * Called when registry ownership check fails or key is not in registry.
+     */
+    authorization?: {
+        authorize?: (input: {
+            action: "read" | "delete";
+            key: string;
+            userId?: string;
+            tenantId?: string;
+        }) => boolean | Promise<boolean>;
+    };
+    /**
+     * Allow operations on keys not in the upload registry.
+     * When false (default), operations on unknown keys return 404.
+     * When true, requires an authorize callback — denies if absent.
+     */
+    allowExternalKeys?: boolean;
 }
 export interface CreateAppConfig {
     /** Absolute path to the service's routes directory (use import.meta.dir + "/routes") */
@@ -452,5 +549,11 @@ export interface CreateAppConfig {
      * `/{version}/docs`. Root `/docs` becomes a version selector.
      */
     versioning?: VersioningConfig;
+    /**
+     * Security event streaming (SIEM integration). When set, auth and security events
+     * are emitted to the provided onEvent callback. Non-blocking — errors are swallowed.
+     * Use include/exclude to filter event types.
+     */
+    securityEvents?: import("./lib/securityEvents").SecurityEventConfig;
 }
 export declare const createApp: (config: CreateAppConfig) => Promise<OpenAPIHono<AppEnv>>;

package/dist/app.js

@@ -10,7 +10,7 @@ import { defaultValidationErrorFormatter } from "./lib/context";
 import { HEADER_USER_TOKEN, HEADER_REFRESH_TOKEN, HEADER_CSRF_TOKEN, HEADER_REQUEST_ID } from "./lib/constants";
 import { requestId } from "./middleware/requestId";
 import { requestLogger } from "./middleware/requestLogger";
-import { setAppName, setAppRoles, setDefaultRole, setPrimaryField, setEmailVerificationConfig, setPasswordResetConfig, setPasswordPolicy, setMaxSessions, setPersistSessionMetadata, setIncludeInactiveSessions, setTrackLastActive, setRefreshTokenConfig, setMfaConfig, setCsrfEnabled, setSigningConfig } from "./lib/appConfig";
+import { setAppName, setAppRoles, setDefaultRole, setPrimaryField, setEmailVerificationConfig, setPasswordResetConfig, setPasswordPolicy, setMaxSessions, setPersistSessionMetadata, setIncludeInactiveSessions, setTrackLastActive, setRefreshTokenConfig, setMfaConfig, setCsrfEnabled, setSigningConfig, setJwtConfig, setCheckSuspensionOnIdentify, setBreachedPasswordConfig, setCaptchaConfig, setStepUpConfig, setM2MConfig, setOidcConfig, setSamlConfig, setScimConfig } from "./lib/appConfig";
 import { setEmailVerificationStore } from "./lib/emailVerification";
 import { setPasswordResetStore } from "./lib/resetPassword";
 import { setAuthRateLimitStore } from "./lib/authRateLimit";
@@ -25,10 +25,17 @@ import { setSessionStore } from "./lib/session";
 import { setCacheStore } from "./middleware/cacheResponse";
 import { maybeAutoRegister } from "./lib/createRoute";
 import { setStorageAdapter, setUploadConfig } from "./lib/upload";
+import { validateJwtSecrets } from "./lib/jwt";
 export const createApp = async (config) => {
     const { routesDir, app: appConfig = {}, auth: authConfig = {}, security: securityConfig = {}, middleware = [], db = {}, } = config;
+    if (config.securityEvents) {
+        const { setSecurityEventConfig } = await import("./lib/securityEvents");
+        setSecurityEventConfig(config.securityEvents);
+    }
     const appName = appConfig.name ?? "Bun Core API";
     const openApiVersion = appConfig.version ?? "1.0.0";
+    // Validate JWT secrets eagerly so misconfiguration is caught at startup
+    validateJwtSecrets();
     // Trust-proxy for IP extraction
     const { setTrustProxy } = await import("./lib/clientIp");
     setTrustProxy(securityConfig.trustProxy ?? false);
@@ -36,6 +43,13 @@ export const createApp = async (config) => {
     if (corsOrigins === "*" && process.env.NODE_ENV === "production") {
         console.warn("[security] CORS is set to wildcard (*) in production. Configure security.cors with specific origins to restrict cross-origin access.");
     }
+    if (securityConfig.csrf?.enabled && corsOrigins === "*") {
+        if (process.env.NODE_ENV === "production") {
+            throw new Error("[security] CSRF protection with wildcard CORS (*) is unsafe. " +
+                "Set security.cors to specific origins when using CSRF.");
+        }
+        console.warn("[security] CSRF is enabled with wildcard CORS. This will be rejected in production.");
+    }
     const rlConfig = securityConfig.rateLimit ?? { windowMs: 60_000, max: 100 };
     const botCfg = securityConfig.botProtection ?? {};
     const enableBearerAuth = securityConfig.bearerAuth !== false;
@@ -142,12 +156,45 @@ export const createApp = async (config) => {
     const { setDeletionCancelTokenStore } = await import("./lib/deletionCancelToken");
     setDeletionCancelTokenStore(sessions);
     setAuthRateLimitStore(authRateLimit?.store ?? (enableRedis ? "redis" : "memory"));
+    if (authRateLimit?.credentialStuffing) {
+        const { setCredentialStuffingConfig } = await import("./lib/credentialStuffing");
+        setCredentialStuffingConfig(authRateLimit.credentialStuffing);
+    }
     setMaxSessions(sessionPolicy.maxSessions ?? 6);
     setPersistSessionMetadata(sessionPolicy.persistSessionMetadata ?? true);
     setIncludeInactiveSessions(sessionPolicy.includeInactiveSessions ?? false);
     setTrackLastActive(sessionPolicy.trackLastActive ?? false);
     setRefreshTokenConfig(authConfig.refreshTokens ?? null);
     setMfaConfig(authConfig.mfa ?? null);
+    if (authConfig.jwt)
+        setJwtConfig(authConfig.jwt);
+    if (authConfig.checkSuspensionOnIdentify)
+        setCheckSuspensionOnIdentify(true);
+    if (authConfig.breachedPasswordCheck)
+        setBreachedPasswordConfig(authConfig.breachedPasswordCheck);
+    if (authConfig.stepUp)
+        setStepUpConfig(authConfig.stepUp);
+    // JWT config
+    if (authConfig.jwt)
+        setJwtConfig(authConfig.jwt);
+    // OIDC: load keys, set RS256, mount discovery routes
+    if (authConfig.oidc) {
+        setOidcConfig(authConfig.oidc);
+        // Override JWT config with OIDC issuer and RS256
+        setJwtConfig({ ...(authConfig.jwt ?? {}), issuer: authConfig.oidc.issuer, algorithm: "RS256" });
+        const { loadJwksKey, generateAndLoadKeyPair, loadPreviousKey } = await import("./lib/jwks");
+        const { _setAlgorithm } = await import("./lib/jwt");
+        if (authConfig.oidc.signingKey) {
+            await loadJwksKey(authConfig.oidc.signingKey);
+        }
+        else {
+            await generateAndLoadKeyPair();
+        }
+        for (const prev of authConfig.oidc.previousKeys ?? []) {
+            await loadPreviousKey(prev);
+        }
+        _setAlgorithm("RS256");
+    }
     if (oauthProviders)
         initOAuthProviders(oauthProviders);
     const configuredOAuth = getConfiguredOAuthProviders();
@@ -183,7 +230,7 @@ export const createApp = async (config) => {
         `/auth/${p}/callback`,
         `/auth/${p}/link`,
     ]);
-    const DEFAULT_BYPASS = ["/docs", "/openapi.json", "/sw.js", "/health", "/", "/metrics"];
+    const DEFAULT_BYPASS = ["/docs", "/openapi.json", "/sw.js", "/health", "/", "/metrics", "/oauth/token", "/.well-known/openid-configuration", "/.well-known/jwks.json", "/auth/saml/*", "/scim/v2/*"];
     // Add per-version docs/spec paths when versioning is configured
     const versionBypass = config.versioning
         ? config.versioning.versions.flatMap((v) => [`/${v}/docs`, `/${v}/openapi.json`])
@@ -199,10 +246,12 @@ export const createApp = async (config) => {
     });
     // Metrics collection middleware (before requestLogger so it captures all requests)
     if (config.metrics?.enabled) {
-        if (!config.metrics.auth || config.metrics.auth === "none") {
+        const metricsAuth = config.metrics.auth ?? "none";
+        if (metricsAuth === "none" && !config.metrics.unsafePublic) {
             if (process.env.NODE_ENV === "production") {
-                console.warn("[security] /metrics endpoint is enabled without auth. Configure metrics.auth to restrict access in production.");
+                throw new Error("[security] metrics.auth is required in production. Set metrics.auth or explicitly set unsafePublic: true with auth: \"none\".");
             }
+            console.warn("[security] /metrics is enabled without auth. Configure metrics.auth for production.");
         }
         const { metricsCollector } = await import("./middleware/metrics");
         app.use(metricsCollector({
@@ -247,7 +296,8 @@ export const createApp = async (config) => {
     if (enableBearerAuth) {
         app.use(async (c, next) => {
             const path = c.req.path;
-            if (bearerAuthBypass.includes(path)) {
+            const bypassed = bearerAuthBypass.some((entry) => entry.endsWith("*") ? path.startsWith(entry.slice(0, -1)) : path === entry);
+            if (bypassed) {
                 return next();
             }
             return bearerAuth(c, next);
@@ -258,6 +308,10 @@ export const createApp = async (config) => {
     if (securityConfig.signing) {
         setSigningConfig(securityConfig.signing);
     }
+    // CAPTCHA config — store globally so requireCaptcha() can read it without explicit param
+    if (securityConfig.captcha) {
+        setCaptchaConfig(securityConfig.captcha);
+    }
     // CSRF protection (after identify so we can check for auth cookie presence)
     if (securityConfig.csrf?.enabled) {
         setCsrfEnabled(true);
@@ -343,13 +397,15 @@ export const createApp = async (config) => {
             continue; // mounted separately below when mfa is configured
         if (file === "jobs.ts")
             continue; // mounted separately below when jobs.statusEndpoint is true
+        if (file === "oidc.ts")
+            continue; // mounted separately below when oidc is configured
         const mod = await import(`${coreRoutesDir}/${file}`);
         if (mod.router)
             app.route("/", mod.router);
     }
     if (enableAuthRoutes) {
         const { createAuthRouter } = await import(`${coreRoutesDir}/auth`);
-        app.route("/", createAuthRouter({ primaryField, emailVerification, passwordReset, rateLimit: authRateLimit, accountDeletion: authConfig.accountDeletion, refreshTokens: authConfig.refreshTokens }));
+        app.route("/", createAuthRouter({ primaryField, emailVerification, passwordReset, rateLimit: authRateLimit, accountDeletion: authConfig.accountDeletion, refreshTokens: authConfig.refreshTokens, stepUp: authConfig.stepUp }));
     }
     if (configuredOAuth.length > 0) {
         const { createOAuthRouter } = await import(`${coreRoutesDir}/oauth`);
@@ -365,6 +421,26 @@ export const createApp = async (config) => {
         const { createMfaRouter } = await import(`${coreRoutesDir}/mfa`);
         app.route("/", createMfaRouter({ rateLimit: authRateLimit }));
     }
+    if (authConfig.mfa?.webauthn?.allowPasswordlessLogin && enableAuthRoutes) {
+        const { assertWebAuthnDependency } = await import("./services/mfa");
+        await assertWebAuthnDependency();
+        const { createPasskeyRouter } = await import(`${coreRoutesDir}/passkey`);
+        app.route("/", createPasskeyRouter());
+    }
+    if (authConfig.m2m?.enabled !== false && authConfig.m2m) {
+        setM2MConfig(authConfig.m2m);
+        const { createM2MRouter } = await import(`${coreRoutesDir}/m2m`);
+        app.route("/", createM2MRouter());
+    }
+    if (config.jobs?.statusEndpoint) {
+        const jobsAuth = config.jobs.auth ?? "none";
+        if (jobsAuth === "none" && !config.jobs.unsafePublic) {
+            if (process.env.NODE_ENV === "production") {
+                throw new Error("[security] jobs.auth is required in production. Set jobs.auth or explicitly set unsafePublic: true with auth: \"none\".");
+            }
+            console.warn("[security] /jobs is enabled without auth. Configure jobs.auth for production.");
+        }
+    }
     if (config.jobs?.statusEndpoint) {
         const { createJobsRouter } = await import(`${coreRoutesDir}/jobs`);
         app.route("/", createJobsRouter(config.jobs));
@@ -374,20 +450,44 @@ export const createApp = async (config) => {
         app.route("/", createMetricsRouter({
             auth: config.metrics.auth,
             queues: config.metrics.queues,
+            unsafePublic: config.metrics.unsafePublic,
         }));
     }
     if (config.groups?.managementRoutes) {
         const { createGroupsRouter } = await import(`${coreRoutesDir}/groups`);
         app.route("/", createGroupsRouter(config.groups));
     }
+    if (authConfig.oidc) {
+        const { createOidcRouter } = await import(`${coreRoutesDir}/oidc`);
+        app.route("/", createOidcRouter());
+    }
+    if (authConfig.saml) {
+        setSamlConfig(authConfig.saml);
+        const { createSamlRouter } = await import(`${coreRoutesDir}/saml`);
+        app.route("/", createSamlRouter());
+    }
+    if (authConfig.scim) {
+        const { setScimTokens } = await import("./middleware/scimAuth");
+        setScimConfig(authConfig.scim);
+        setScimTokens(authConfig.scim.bearerTokens);
+        const { createScimRouter } = await import(`${coreRoutesDir}/scim`);
+        app.route("/", createScimRouter());
+    }
     if (config.upload) {
-        const { storage, presignedUrls, ...uploadOpts } = config.upload;
+        const { storage, presignedUrls, authorization, allowExternalKeys, ...uploadOpts } = config.upload;
         setStorageAdapter(storage);
         setUploadConfig(uploadOpts);
+        // Wire upload registry store to match session store backend
+        const { setUploadRegistryStore } = await import("./lib/uploadRegistry");
+        setUploadRegistryStore(sessions);
         if (presignedUrls) {
             const { createUploadsRouter } = await import(`${coreRoutesDir}/uploads`);
             const presignConfig = presignedUrls === true ? {} : presignedUrls;
-            app.route("/", createUploadsRouter(presignConfig));
+            app.route("/", createUploadsRouter({
+                ...presignConfig,
+                authorization,
+                allowExternalKeys,
+            }));
         }
     }
     // Helper to register standard security schemes on an OpenAPI registry
@@ -537,7 +637,10 @@ export const createApp = async (config) => {
             }
         }
         if (err instanceof HttpError) {
-            return c.json({ error: err.message, requestId: reqId }, err.status);
+            const body = { error: err.message, requestId: reqId };
+            if (err.code !== undefined)
+                body.code = err.code;
+            return c.json(body, err.status);
         }
         console.error(err);
         return c.json({ error: "Internal Server Error", requestId: reqId }, 500);

package/dist/index.d.ts

@@ -1,7 +1,11 @@
 export { createApp } from "./app";
 export { createServer } from "./server";
-export type { CreateAppConfig, ModelSchemasConfig, DbConfig, AppMeta, AuthConfig, AuthRateLimitConfig, AccountDeletionConfig, OAuthConfig, SecurityConfig, CsrfConfig, BotProtectionConfig, PrimaryField, EmailVerificationConfig, PasswordResetConfig, RefreshTokenConfig, MfaConfig, MfaEmailOtpConfig, MfaWebAuthnConfig, JobsConfig, TenancyConfig, TenantConfig, LoggingConfig, MetricsConfig, ValidationConfig, VersioningConfig, SigningConfig } from "./app";
+export type { SecurityEvent, SecurityEventType, SecurityEventConfig } from "./lib/securityEvents";
+export { emitSecurityEvent, setSecurityEventConfig, getSecurityEventConfig } from "./lib/securityEvents";
+export type { CreateAppConfig, ModelSchemasConfig, DbConfig, AppMeta, AuthConfig, AuthRateLimitConfig, AccountDeletionConfig, OAuthConfig, SecurityConfig, CsrfConfig, BotProtectionConfig, PrimaryField, EmailVerificationConfig, PasswordResetConfig, RefreshTokenConfig, MfaConfig, MfaEmailOtpConfig, MfaWebAuthnConfig, JobsConfig, TenancyConfig, TenantConfig, LoggingConfig, MetricsConfig, ValidationConfig, VersioningConfig, SigningConfig, JwtConfig, BreachedPasswordConfig, StepUpConfig, OidcConfig, SamlConfig, ScimConfig } from "./app";
+export { setScimTokens } from "./middleware/scimAuth";
 export type { PasswordPolicyConfig } from "./lib/appConfig";
+export type { SamlProfile } from "./lib/saml";
 export type { CreateServerConfig, WsConfig } from "./server";
 export { appConnection, authConnection, mongoose, connectMongo, connectAuthMongo, connectAppMongo, disconnectMongo } from "./lib/mongo";
 export { connectRedis, disconnectRedis, getRedis } from "./lib/redis";
@@ -18,6 +22,7 @@ export type { DtoMapperConfig } from "./lib/createDtoMapper";
 export type { AppEnv, AppVariables, ValidationErrorFormatter, DefaultValidationErrorBody, ValidationErrorDetail } from "./lib/context";
 export { defaultValidationErrorFormatter } from "./lib/context";
 export { signToken, verifyToken } from "./lib/jwt";
+export { getJwks, loadJwksKey, generateAndLoadKeyPair, isJwksLoaded } from "./lib/jwks";
 export { log } from "./lib/logger";
 export { createResetToken, consumeResetToken, setPasswordResetStore } from "./lib/resetPassword";
 export { createDeletionCancelToken, consumeDeletionCancelToken, setDeletionCancelTokenStore } from "./lib/deletionCancelToken";
@@ -28,13 +33,15 @@ export type { IdempotencyOptions } from "./lib/idempotency";
 export { getClientIp, setTrustProxy } from "./lib/clientIp";
 export { storeOAuthCode, consumeOAuthCode, setOAuthCodeStore } from "./lib/oauthCode";
 export type { OAuthCodePayload } from "./lib/oauthCode";
-export { createSession, getSession, deleteSession, getUserSessions, getActiveSessionCount, evictOldestSession, updateSessionLastActive, setSessionStore, deleteUserSessions, setRefreshToken, getSessionByRefreshToken, rotateRefreshToken, getSessionFingerprint, setSessionFingerprint } from "./lib/session";
+export { createSession, getSession, deleteSession, getUserSessions, getActiveSessionCount, evictOldestSession, updateSessionLastActive, setSessionStore, deleteUserSessions, setRefreshToken, getSessionByRefreshToken, rotateRefreshToken, getSessionFingerprint, setSessionFingerprint, setMfaVerifiedAt, getMfaVerifiedAt } from "./lib/session";
 export type { SessionMetadata, SessionInfo, RefreshResult } from "./lib/session";
 export { createVerificationToken, getVerificationToken, deleteVerificationToken } from "./lib/emailVerification";
 export { createMfaChallenge, consumeMfaChallenge, replaceMfaChallengeOtp, setMfaChallengeStore, createWebAuthnRegistrationChallenge, consumeWebAuthnRegistrationChallenge, clearMemoryMfaChallenges } from "./lib/mfaChallenge";
 export type { MfaChallengeData, MfaChallengeOptions, MfaChallengePurpose } from "./lib/mfaChallenge";
 export { bustAuthLimit, trackAttempt, isLimited, clearMemoryRateLimitStore } from "./lib/authRateLimit";
 export type { LimitOpts } from "./lib/authRateLimit";
+export { trackFailedLogin, isStuffingBlocked, setCredentialStuffingConfig, clearCredentialStuffingStore } from "./lib/credentialStuffing";
+export type { CredentialStuffingConfig } from "./lib/credentialStuffing";
 export { validate } from "./lib/validate";
 export { bearerAuth } from "./middleware/bearerAuth";
 export { botProtection } from "./middleware/botProtection";
@@ -46,6 +53,8 @@ export { userAuth } from "./middleware/userAuth";
 export { requireRole } from "./middleware/requireRole";
 export { requireVerifiedEmail } from "./middleware/requireVerifiedEmail";
 export { requireMfaSetup } from "./middleware/requireMfaSetup";
+export { requireStepUp } from "./middleware/requireStepUp";
+export type { StepUpOptions } from "./middleware/requireStepUp";
 export { csrfProtection, refreshCsrfToken, clearCsrfToken } from "./middleware/csrf";
 export type { CsrfMiddlewareOptions } from "./middleware/csrf";
 export { cacheResponse, bustCache, bustCachePattern, setCacheStore, getCacheModel } from "./middleware/cacheResponse";
@@ -60,6 +69,13 @@ export { requestLogger } from "./middleware/requestLogger";
 export type { RequestLogEntry, RequestLoggerOptions, LogLevel } from "./middleware/requestLogger";
 export { metricsCollector } from "./middleware/metrics";
 export type { MetricsMiddlewareOptions } from "./middleware/metrics";
+export { requireCaptcha } from "./middleware/captcha";
+export type { CaptchaConfig, CaptchaProvider } from "./lib/captcha";
+export { verifyCaptcha } from "./lib/captcha";
+export { requireScope } from "./middleware/requireScope";
+export { createM2MClient, deleteM2MClient, listM2MClients, getM2MClient } from "./lib/m2m";
+export type { M2MClientRecord } from "./lib/authAdapter";
+export type { M2MConfig } from "./lib/appConfig";
 export { buildFingerprint } from "./lib/fingerprint";
 export { logAuditEntry, getAuditLogs, clearAuditLogMemoryStore } from "./lib/auditLog";
 export { resetMetrics, incrementCounter, observeHistogram, registerGaugeCallback, serializeMetrics, closeMetricsQueues } from "./lib/metrics";
@@ -67,7 +83,8 @@ export type { AuditLogEntry, AuditLogOptions, AuditLogQuery } from "./lib/auditL
 export { sqliteAuthAdapter, setSqliteDb, startSqliteCleanup } from "./adapters/sqliteAuth";
 export { memoryAuthAdapter, clearMemoryStore } from "./adapters/memoryAuth";
 export { setUserRoles, addUserRole, removeUserRole, getTenantRoles, setTenantRoles, addTenantRole, removeTenantRole } from "./lib/roles";
-export type { AuthAdapter, OAuthProfile, WebAuthnCredential } from "./lib/authAdapter";
+export { setSuspended, getSuspended } from "./lib/suspension";
+export type { AuthAdapter, OAuthProfile, IdentityProfile, UserRecord, UserQuery, WebAuthnCredential } from "./lib/authAdapter";
 export type { OAuthProviderConfig } from "./lib/oauth";
 export { websocket, createWsUpgradeHandler } from "./ws/index";
 export type { SocketData } from "./ws/index";
@@ -87,8 +104,10 @@ export { offsetParams, parseOffsetParams, paginatedResponse, cursorParams, parse
 export type { OffsetParamDefaults, ParsedOffsetParams, CursorParamDefaults, ParsedCursorParams, CursorResult, } from "./lib/pagination";
 export { handleUpload } from "./middleware/upload";
 export type { UploadMiddlewareOptions } from "./middleware/upload";
-export { parseUpload, setStorageAdapter, getStorageAdapter, setUploadConfig, getUploadConfig } from "./lib/upload";
+export { parseUpload, setStorageAdapter, getStorageAdapter, setUploadConfig, getUploadConfig, generateUploadKeyFromFilename } from "./lib/upload";
 export type { UploadOpts } from "./lib/upload";
+export { setUploadRegistryStore, clearUploadRegistry, registerUpload, getUploadRecord, deleteUploadRecord } from "./lib/uploadRegistry";
+export type { UploadRecord } from "./lib/uploadRegistry";
 export type { StorageAdapter, UploadResult } from "./lib/storageAdapter";
 export type { UploadConfig, PresignedUrlConfig } from "./app";
 export { memoryStorage, clearMemoryUploadStore } from "./adapters/memoryStorage";

package/dist/index.js

@@ -1,6 +1,8 @@
 // App factory
 export { createApp } from "./app";
 export { createServer } from "./server";
+export { emitSecurityEvent, setSecurityEventConfig, getSecurityEventConfig } from "./lib/securityEvents";
+export { setScimTokens } from "./middleware/scimAuth";
 // Database
 export { appConnection, authConnection, mongoose, connectMongo, connectAuthMongo, connectAppMongo, disconnectMongo } from "./lib/mongo";
 export { connectRedis, disconnectRedis, getRedis } from "./lib/redis";
@@ -15,6 +17,7 @@ export { zodToMongoose } from "./lib/zodToMongoose";
 export { createDtoMapper } from "./lib/createDtoMapper";
 export { defaultValidationErrorFormatter } from "./lib/context";
 export { signToken, verifyToken } from "./lib/jwt";
+export { getJwks, loadJwksKey, generateAndLoadKeyPair, isJwksLoaded } from "./lib/jwks";
 export { log } from "./lib/logger";
 export { createResetToken, consumeResetToken, setPasswordResetStore } from "./lib/resetPassword";
 export { createDeletionCancelToken, consumeDeletionCancelToken, setDeletionCancelTokenStore } from "./lib/deletionCancelToken";
@@ -23,10 +26,11 @@ export { hmacSign, hmacVerify, signCookieValue, verifyCookieValue, signCursor, v
 export { idempotent, setIdempotencyStore, clearIdempotencyMemoryStore } from "./lib/idempotency";
 export { getClientIp, setTrustProxy } from "./lib/clientIp";
 export { storeOAuthCode, consumeOAuthCode, setOAuthCodeStore } from "./lib/oauthCode";
-export { createSession, getSession, deleteSession, getUserSessions, getActiveSessionCount, evictOldestSession, updateSessionLastActive, setSessionStore, deleteUserSessions, setRefreshToken, getSessionByRefreshToken, rotateRefreshToken, getSessionFingerprint, setSessionFingerprint } from "./lib/session";
+export { createSession, getSession, deleteSession, getUserSessions, getActiveSessionCount, evictOldestSession, updateSessionLastActive, setSessionStore, deleteUserSessions, setRefreshToken, getSessionByRefreshToken, rotateRefreshToken, getSessionFingerprint, setSessionFingerprint, setMfaVerifiedAt, getMfaVerifiedAt } from "./lib/session";
 export { createVerificationToken, getVerificationToken, deleteVerificationToken } from "./lib/emailVerification";
 export { createMfaChallenge, consumeMfaChallenge, replaceMfaChallengeOtp, setMfaChallengeStore, createWebAuthnRegistrationChallenge, consumeWebAuthnRegistrationChallenge, clearMemoryMfaChallenges } from "./lib/mfaChallenge";
 export { bustAuthLimit, trackAttempt, isLimited, clearMemoryRateLimitStore } from "./lib/authRateLimit";
+export { trackFailedLogin, isStuffingBlocked, setCredentialStuffingConfig, clearCredentialStuffingStore } from "./lib/credentialStuffing";
 export { validate } from "./lib/validate";
 // Middleware
 export { bearerAuth } from "./middleware/bearerAuth";
@@ -37,6 +41,7 @@ export { userAuth } from "./middleware/userAuth";
 export { requireRole } from "./middleware/requireRole";
 export { requireVerifiedEmail } from "./middleware/requireVerifiedEmail";
 export { requireMfaSetup } from "./middleware/requireMfaSetup";
+export { requireStepUp } from "./middleware/requireStepUp";
 export { csrfProtection, refreshCsrfToken, clearCsrfToken } from "./middleware/csrf";
 export { cacheResponse, bustCache, bustCachePattern, setCacheStore, getCacheModel } from "./middleware/cacheResponse";
 export { webhookAuth } from "./middleware/webhookAuth";
@@ -45,6 +50,10 @@ export { auditLog } from "./middleware/auditLog";
 export { requestId } from "./middleware/requestId";
 export { requestLogger } from "./middleware/requestLogger";
 export { metricsCollector } from "./middleware/metrics";
+export { requireCaptcha } from "./middleware/captcha";
+export { verifyCaptcha } from "./lib/captcha";
+export { requireScope } from "./middleware/requireScope";
+export { createM2MClient, deleteM2MClient, listM2MClients, getM2MClient } from "./lib/m2m";
 // Lib utilities (bot protection)
 export { buildFingerprint } from "./lib/fingerprint";
 export { logAuditEntry, getAuditLogs, clearAuditLogMemoryStore } from "./lib/auditLog";
@@ -53,6 +62,7 @@ export { resetMetrics, incrementCounter, observeHistogram, registerGaugeCallback
 export { sqliteAuthAdapter, setSqliteDb, startSqliteCleanup } from "./adapters/sqliteAuth";
 export { memoryAuthAdapter, clearMemoryStore } from "./adapters/memoryAuth";
 export { setUserRoles, addUserRole, removeUserRole, getTenantRoles, setTenantRoles, addTenantRole, removeTenantRole } from "./lib/roles";
+export { setSuspended, getSuspended } from "./lib/suspension";
 // WebSocket
 export { websocket, createWsUpgradeHandler } from "./ws/index";
 export { publish, subscribe, unsubscribe, getSubscriptions, handleRoomActions, getRooms, getRoomSubscribers, setPresenceEnabled } from "./lib/ws";
@@ -71,7 +81,8 @@ export { createGroup, deleteGroup, getGroup, listGroups, updateGroup, addGroupMe
 export { offsetParams, parseOffsetParams, paginatedResponse, cursorParams, parseCursorParams, cursorResponse, maybeSignCursor, } from "./lib/pagination";
 // Upload
 export { handleUpload } from "./middleware/upload";
-export { parseUpload, setStorageAdapter, getStorageAdapter, setUploadConfig, getUploadConfig } from "./lib/upload";
+export { parseUpload, setStorageAdapter, getStorageAdapter, setUploadConfig, getUploadConfig, generateUploadKeyFromFilename } from "./lib/upload";
+export { setUploadRegistryStore, clearUploadRegistry, registerUpload, getUploadRecord, deleteUploadRecord } from "./lib/uploadRegistry";
 export { memoryStorage, clearMemoryUploadStore } from "./adapters/memoryStorage";
 export { localStorage } from "./adapters/localStorage";
 export { s3Storage } from "./adapters/s3Storage";

package/dist/lib/HttpError.d.ts

@@ -1,6 +1,7 @@
 export declare class HttpError extends Error {
     status: number;
-    constructor(status: number, message: string);
+    code?: string | undefined;
+    constructor(status: number, message: string, code?: string | undefined);
 }
 import type { ZodIssue } from "zod";
 export declare class ValidationError extends HttpError {

package/dist/lib/HttpError.js

@@ -1,8 +1,10 @@
 export class HttpError extends Error {
     status;
-    constructor(status, message) {
+    code;
+    constructor(status, message, code) {
         super(message);
         this.status = status;
+        this.code = code;
     }
 }
 export class ValidationError extends HttpError {