@lastshotlabs/bunshot 0.0.25 → 0.0.28

package/dist/packages/bunshot-auth/src/lib/resetPassword.js

@@ -0,0 +1,148 @@
+import { DEFAULT_MAX_ENTRIES, evictExpired, evictOldest, sha256 as hashToken, } from '../../../bunshot-core/src/index.js';
+export function createMemoryResetTokenRepository() {
+    const tokens = new Map();
+    return {
+        async create(hash, userId, email, ttl) {
+            evictExpired(tokens);
+            evictOldest(tokens, DEFAULT_MAX_ENTRIES);
+            tokens.set(hash, { userId, email, expiresAt: Date.now() + ttl * 1000 });
+        },
+        async consume(hash) {
+            const entry = tokens.get(hash);
+            if (!entry || entry.expiresAt <= Date.now()) {
+                tokens.delete(hash);
+                return null;
+            }
+            tokens.delete(hash);
+            return { userId: entry.userId, email: entry.email };
+        },
+    };
+}
+// ---------------------------------------------------------------------------
+// SQLite repository factory
+// ---------------------------------------------------------------------------
+export function createSqliteResetTokenRepository(db) {
+    let initialized = false;
+    function init() {
+        if (initialized)
+            return;
+        db.run(`CREATE TABLE IF NOT EXISTS auth_reset_tokens (
+      tokenHash TEXT PRIMARY KEY,
+      userId    TEXT NOT NULL,
+      email     TEXT NOT NULL,
+      expiresAt INTEGER NOT NULL
+    )`);
+        db.run('CREATE INDEX IF NOT EXISTS idx_auth_reset_tokens_expiresAt ON auth_reset_tokens(expiresAt)');
+        initialized = true;
+    }
+    return {
+        async create(hash, userId, email, ttl) {
+            init();
+            const expiresAt = Date.now() + ttl * 1000;
+            db.run(`INSERT INTO auth_reset_tokens (tokenHash, userId, email, expiresAt)
+         VALUES (?, ?, ?, ?)
+         ON CONFLICT(tokenHash) DO UPDATE SET userId = excluded.userId, email = excluded.email, expiresAt = excluded.expiresAt`, [hash, userId, email, expiresAt]);
+        },
+        async consume(hash) {
+            init();
+            const now = Date.now();
+            const row = db
+                .query('SELECT userId, email FROM auth_reset_tokens WHERE tokenHash = ? AND expiresAt > ?')
+                .get(hash, now);
+            db.run('DELETE FROM auth_reset_tokens WHERE tokenHash = ?', [hash]);
+            if (!row)
+                return null;
+            return { userId: row.userId, email: row.email };
+        },
+    };
+}
+// ---------------------------------------------------------------------------
+// Redis repository factory
+// ---------------------------------------------------------------------------
+async function redisGetDel(redis, key) {
+    if (typeof redis.getdel === 'function') {
+        try {
+            return await redis.getdel(key);
+        }
+        catch (err) {
+            const msg = err?.message ?? '';
+            if (!/unknown command|ERR unknown command/i.test(msg))
+                throw err;
+        }
+    }
+    const result = await redis.eval("local v = redis.call('GET', KEYS[1])\nif v then redis.call('DEL', KEYS[1]) end\nreturn v", 1, key);
+    return result ?? null;
+}
+export function createRedisResetTokenRepository(getRedis, appName) {
+    return {
+        async create(hash, userId, email, ttl) {
+            await getRedis().set(`reset:${appName}:${hash}`, JSON.stringify({ userId, email }), 'EX', ttl);
+        },
+        async consume(hash) {
+            const raw = await redisGetDel(getRedis(), `reset:${appName}:${hash}`);
+            if (!raw)
+                return null;
+            return JSON.parse(raw);
+        },
+    };
+}
+export function createMongoResetTokenRepository(conn, mg) {
+    function getModel() {
+        if (conn.models['PasswordReset'])
+            return conn.models['PasswordReset'];
+        const { Schema } = mg;
+        const schema = new Schema({
+            token: { type: String, required: true, unique: true },
+            userId: { type: String, required: true },
+            email: { type: String, required: true },
+            expiresAt: { type: Date, required: true, index: { expireAfterSeconds: 0 } },
+        }, { collection: 'password_resets' });
+        return conn.model('PasswordReset', schema);
+    }
+    return {
+        async create(hash, userId, email, ttl) {
+            await getModel().create({
+                token: hash,
+                userId,
+                email,
+                expiresAt: new Date(Date.now() + ttl * 1000),
+            });
+        },
+        async consume(hash) {
+            const doc = await getModel()
+                .findOneAndDelete({ token: hash, expiresAt: { $gt: new Date() } })
+                .lean();
+            if (!doc)
+                return null;
+            return { userId: doc.userId, email: doc.email };
+        },
+    };
+}
+export const resetTokenFactories = {
+    memory: () => createMemoryResetTokenRepository(),
+    sqlite: infra => createSqliteResetTokenRepository(infra.getSqliteDb()),
+    redis: infra => createRedisResetTokenRepository(infra.getRedis, infra.appName),
+    mongo: infra => {
+        const { conn, mg } = infra.getMongo();
+        return createMongoResetTokenRepository(conn, mg);
+    },
+    postgres: () => {
+        throw new Error('[bunshot-auth] postgres store is not yet supported for resetToken repository');
+    },
+};
+// ---------------------------------------------------------------------------
+// Public API
+// ---------------------------------------------------------------------------
+export const createResetToken = async (repo, userId, email, config) => {
+    const bytes = new Uint8Array(32);
+    crypto.getRandomValues(bytes);
+    const token = Buffer.from(bytes).toString('base64url');
+    const hash = hashToken(token);
+    const ttl = config.passwordReset?.tokenExpiry ?? 3600;
+    await repo.create(hash, userId, email, ttl);
+    return token;
+};
+export const consumeResetToken = async (repo, token) => {
+    const hash = hashToken(token);
+    return repo.consume(hash);
+};

package/dist/packages/bunshot-auth/src/lib/roles.d.ts

@@ -0,0 +1,9 @@
+import type { BunshotEventBus } from '../../../bunshot-core/src/index.js';
+import type { AuthAdapter } from './authAdapter';
+export declare const setUserRoles: (userId: string, roles: string[], changedBy?: string, adapter?: AuthAdapter, eventBus?: BunshotEventBus) => Promise<void>;
+export declare const addUserRole: (userId: string, role: string, changedBy?: string, adapter?: AuthAdapter, eventBus?: BunshotEventBus) => Promise<void>;
+export declare const removeUserRole: (userId: string, role: string, changedBy?: string, adapter?: AuthAdapter, eventBus?: BunshotEventBus) => Promise<void>;
+export declare const getTenantRoles: (userId: string, tenantId: string, adapter?: AuthAdapter) => Promise<string[]>;
+export declare const setTenantRoles: (userId: string, tenantId: string, roles: string[], changedBy?: string, adapter?: AuthAdapter, eventBus?: BunshotEventBus) => Promise<void>;
+export declare const addTenantRole: (userId: string, tenantId: string, role: string, changedBy?: string, adapter?: AuthAdapter, eventBus?: BunshotEventBus) => Promise<void>;
+export declare const removeTenantRole: (userId: string, tenantId: string, role: string, changedBy?: string, adapter?: AuthAdapter, eventBus?: BunshotEventBus) => Promise<void>;

package/dist/packages/bunshot-auth/src/lib/roles.js

@@ -0,0 +1,93 @@
+const requireMethod = (method) => {
+    throw new Error(`Auth adapter does not implement ${method} — add it to your adapter to manage roles`);
+};
+export const setUserRoles = async (userId, roles, changedBy, adapter, eventBus) => {
+    if (!adapter)
+        throw new Error('Auth adapter is required');
+    if (!adapter.setRoles)
+        requireMethod('setRoles');
+    await adapter.setRoles(userId, roles);
+    eventBus?.emit('security.admin.role.changed', {
+        userId,
+        meta: { targetUserId: userId, changedBy, scope: 'app', roles, action: 'set' },
+    });
+};
+export const addUserRole = async (userId, role, changedBy, adapter, eventBus) => {
+    if (!adapter)
+        throw new Error('Auth adapter is required');
+    if (!adapter.addRole)
+        requireMethod('addRole');
+    await adapter.addRole(userId, role);
+    eventBus?.emit('security.admin.role.changed', {
+        userId,
+        meta: { targetUserId: userId, changedBy, scope: 'app', roles: [role], action: 'add' },
+    });
+};
+export const removeUserRole = async (userId, role, changedBy, adapter, eventBus) => {
+    if (!adapter)
+        throw new Error('Auth adapter is required');
+    if (!adapter.removeRole)
+        requireMethod('removeRole');
+    await adapter.removeRole(userId, role);
+    eventBus?.emit('security.admin.role.changed', {
+        userId,
+        meta: { targetUserId: userId, changedBy, scope: 'app', roles: [role], action: 'remove' },
+    });
+};
+// ---------------------------------------------------------------------------
+// Tenant-scoped role helpers
+// ---------------------------------------------------------------------------
+export const getTenantRoles = async (userId, tenantId, adapter) => {
+    if (!adapter)
+        throw new Error('Auth adapter is required');
+    if (!adapter.getTenantRoles)
+        requireMethod('getTenantRoles');
+    return adapter.getTenantRoles(userId, tenantId);
+};
+export const setTenantRoles = async (userId, tenantId, roles, changedBy, adapter, eventBus) => {
+    if (!adapter)
+        throw new Error('Auth adapter is required');
+    if (!adapter.setTenantRoles)
+        requireMethod('setTenantRoles');
+    await adapter.setTenantRoles(userId, tenantId, roles);
+    eventBus?.emit('security.admin.role.changed', {
+        userId,
+        meta: { targetUserId: userId, changedBy, scope: 'tenant', tenantId, roles, action: 'set' },
+    });
+};
+export const addTenantRole = async (userId, tenantId, role, changedBy, adapter, eventBus) => {
+    if (!adapter)
+        throw new Error('Auth adapter is required');
+    if (!adapter.addTenantRole)
+        requireMethod('addTenantRole');
+    await adapter.addTenantRole(userId, tenantId, role);
+    eventBus?.emit('security.admin.role.changed', {
+        userId,
+        meta: {
+            targetUserId: userId,
+            changedBy,
+            scope: 'tenant',
+            tenantId,
+            roles: [role],
+            action: 'add',
+        },
+    });
+};
+export const removeTenantRole = async (userId, tenantId, role, changedBy, adapter, eventBus) => {
+    if (!adapter)
+        throw new Error('Auth adapter is required');
+    if (!adapter.removeTenantRole)
+        requireMethod('removeTenantRole');
+    await adapter.removeTenantRole(userId, tenantId, role);
+    eventBus?.emit('security.admin.role.changed', {
+        userId,
+        meta: {
+            targetUserId: userId,
+            changedBy,
+            scope: 'tenant',
+            tenantId,
+            roles: [role],
+            action: 'remove',
+        },
+    });
+};

package/dist/packages/bunshot-auth/src/lib/saml.d.ts

@@ -0,0 +1,29 @@
+import type { IdentityProfile } from '../lib/authAdapter';
+export interface SamlProfile {
+    nameId: string;
+    nameIdFormat?: string;
+    email?: string;
+    firstName?: string;
+    lastName?: string;
+    displayName?: string;
+    groups?: string[];
+    attributes: Record<string, string | string[]>;
+}
+export interface SamlAttributeMapping {
+    email?: string;
+    firstName?: string;
+    lastName?: string;
+    groups?: string;
+}
+export interface SamlInstances {
+    sp: any;
+    idp: any;
+}
+export declare function initSaml(config: import('../config/authConfig').SamlConfig): Promise<SamlInstances>;
+export declare function createAuthnRequest(sp: any, idp: any): {
+    redirectUrl: string;
+    id: string;
+};
+export declare function validateSamlResponse(sp: any, idp: any, body: string, config: import('../config/authConfig').SamlConfig, requestId?: string): Promise<SamlProfile>;
+export declare function samlProfileToIdentityProfile(profile: SamlProfile): IdentityProfile;
+export declare function getSamlSpMetadata(sp: any): string;

package/dist/packages/bunshot-auth/src/lib/saml.js

@@ -0,0 +1,73 @@
+import { isProd } from '../lib/env';
+export async function initSaml(config) {
+    // Guard before loading the optional peer dependency so the error/warning is
+    // unambiguous even if samlify's own SP constructor throws.
+    if (config.idpMetadata.startsWith('http://')) {
+        if (isProd()) {
+            throw new Error('SAML IdP metadata URL must use HTTPS in production');
+        }
+        console.warn('[saml] WARNING: IdP metadata over HTTP — do not use in production');
+    }
+    const samlify = await import('samlify');
+    const sp = samlify.ServiceProvider({
+        entityID: config.entityId,
+        assertionConsumerService: [
+            {
+                Binding: samlify.Constants.BindingNamespace.Post,
+                Location: config.acsUrl,
+            },
+        ],
+        signingCert: config.signingCert,
+        privateKey: config.signingKey,
+        allowCreate: true,
+    });
+    let idp;
+    // Load IdP metadata
+    if (config.idpMetadata.startsWith('http://') || config.idpMetadata.startsWith('https://')) {
+        // URL — fetch it
+        const res = await fetch(config.idpMetadata);
+        const xml = await res.text();
+        idp = samlify.IdentityProvider({ metadata: xml });
+    }
+    else {
+        // XML string
+        idp = samlify.IdentityProvider({ metadata: config.idpMetadata });
+    }
+    return { sp, idp };
+}
+export function createAuthnRequest(sp, idp) {
+    const { id, context, entityEndpoint } = sp.createLoginRequest(idp, 'redirect');
+    return { redirectUrl: entityEndpoint + '?' + context, id };
+}
+export async function validateSamlResponse(sp, idp, body, config, requestId) {
+    const parseArgs = [idp, 'post', { body: { SAMLResponse: body } }];
+    // When requestId is provided, samlify validates InResponseTo in the SAML response
+    const { extract } = requestId
+        ? await sp.parseLoginResponse(...parseArgs, requestId)
+        : await sp.parseLoginResponse(...parseArgs);
+    const mapping = config.attributeMapping ?? {};
+    const attrs = extract.attributes ?? {};
+    const emailKey = mapping.email ?? 'email';
+    const firstNameKey = mapping.firstName ?? 'firstName';
+    const lastNameKey = mapping.lastName ?? 'lastName';
+    const groupsKey = mapping.groups ?? 'groups';
+    const nameId = extract.nameID;
+    const email = attrs[emailKey] ?? nameId;
+    const firstName = attrs[firstNameKey];
+    const lastName = attrs[lastNameKey];
+    const displayName = firstName && lastName ? `${firstName} ${lastName}` : undefined;
+    const rawGroups = attrs[groupsKey];
+    const groups = rawGroups ? (Array.isArray(rawGroups) ? rawGroups : [rawGroups]) : undefined;
+    return { nameId, email, firstName, lastName, displayName, groups, attributes: attrs };
+}
+export function samlProfileToIdentityProfile(profile) {
+    return {
+        email: profile.email,
+        displayName: profile.displayName,
+        firstName: profile.firstName,
+        lastName: profile.lastName,
+    };
+}
+export function getSamlSpMetadata(sp) {
+    return sp.getMetadata();
+}

package/dist/packages/bunshot-auth/src/lib/samlRequestId.d.ts

@@ -0,0 +1,13 @@
+import type { RepoFactories } from '../../../bunshot-core/src/index.js';
+import type { RedisLike } from '../types/redis';
+export interface ISamlRequestIdRepository {
+    store(hash: string, ttl: number): Promise<void>;
+    exists(hash: string): Promise<boolean>;
+}
+export declare function createMemorySamlRequestIdRepository(): ISamlRequestIdRepository;
+export declare function createSqliteSamlRequestIdRepository(db: import('bun:sqlite').Database): ISamlRequestIdRepository;
+export declare function createRedisSamlRequestIdRepository(getRedis: () => RedisLike, appName: string): ISamlRequestIdRepository;
+export declare function createMongoSamlRequestIdRepository(conn: import('mongoose').Connection, mg: typeof import('mongoose')): ISamlRequestIdRepository;
+export declare const samlRequestIdFactories: RepoFactories<ISamlRequestIdRepository>;
+export declare const storeSamlRequestId: (repo: ISamlRequestIdRepository, requestId: string) => Promise<void>;
+export declare const consumeSamlRequestId: (repo: ISamlRequestIdRepository, requestId: string) => Promise<boolean>;

package/dist/packages/bunshot-auth/src/lib/samlRequestId.js

@@ -0,0 +1,129 @@
+import { DEFAULT_MAX_ENTRIES, evictOldest, sha256 } from '../../../bunshot-core/src/index.js';
+// ---------------------------------------------------------------------------
+// Memory repository factory
+// ---------------------------------------------------------------------------
+export function createMemorySamlRequestIdRepository() {
+    const memoryStore = new Map(); // hash -> expiresAt (epoch ms)
+    return {
+        async store(hash, ttl) {
+            evictOldest(memoryStore, DEFAULT_MAX_ENTRIES);
+            memoryStore.set(hash, Date.now() + ttl * 1000);
+        },
+        async exists(hash) {
+            const expiresAt = memoryStore.get(hash);
+            if (expiresAt === undefined)
+                return false;
+            memoryStore.delete(hash);
+            if (Date.now() > expiresAt)
+                return false;
+            return true;
+        },
+    };
+}
+// ---------------------------------------------------------------------------
+// SQLite repository factory
+// ---------------------------------------------------------------------------
+export function createSqliteSamlRequestIdRepository(db) {
+    let tableCreated = false;
+    function ensureTable() {
+        if (tableCreated || !db)
+            return;
+        db.run(`
+      CREATE TABLE IF NOT EXISTS saml_request_ids (
+        hash TEXT PRIMARY KEY,
+        expires_at INTEGER NOT NULL
+      )
+    `);
+        tableCreated = true;
+    }
+    return {
+        async store(hash, ttl) {
+            if (!db)
+                return;
+            ensureTable();
+            const expiresAt = Math.floor(Date.now() / 1000) + ttl;
+            db.run('INSERT OR REPLACE INTO saml_request_ids (hash, expires_at) VALUES (?, ?)', [
+                hash,
+                expiresAt,
+            ]);
+        },
+        async exists(hash) {
+            if (!db)
+                return false;
+            ensureTable();
+            const now = Math.floor(Date.now() / 1000);
+            const row = db
+                .query('SELECT hash FROM saml_request_ids WHERE hash = ? AND expires_at > ?')
+                .get(hash, now);
+            if (!row)
+                return false;
+            db.run('DELETE FROM saml_request_ids WHERE hash = ?', [hash]);
+            return true;
+        },
+    };
+}
+// ---------------------------------------------------------------------------
+// Redis repository factory
+// ---------------------------------------------------------------------------
+export function createRedisSamlRequestIdRepository(getRedis, appName) {
+    return {
+        async store(hash, ttl) {
+            await getRedis().set(`samlreqid:${appName}:${hash}`, '1', 'EX', ttl);
+        },
+        async exists(hash) {
+            const key = `samlreqid:${appName}:${hash}`;
+            const deleted = await getRedis().del(key);
+            return deleted === 1;
+        },
+    };
+}
+export function createMongoSamlRequestIdRepository(conn, mg) {
+    function getModel() {
+        if (conn.models['SamlRequestId'])
+            return conn.models['SamlRequestId'];
+        const { Schema } = mg;
+        const schema = new Schema({
+            hash: { type: String, required: true, unique: true },
+            expiresAt: { type: Date, required: true, index: { expireAfterSeconds: 0 } },
+        }, { collection: 'saml_request_ids' });
+        return conn.model('SamlRequestId', schema);
+    }
+    return {
+        async store(hash, ttl) {
+            await getModel().create({
+                hash,
+                expiresAt: new Date(Date.now() + ttl * 1000),
+            });
+        },
+        async exists(hash) {
+            const doc = await getModel()
+                .findOneAndDelete({ hash, expiresAt: { $gt: new Date() } })
+                .lean();
+            return doc !== null;
+        },
+    };
+}
+export const samlRequestIdFactories = {
+    memory: () => createMemorySamlRequestIdRepository(),
+    sqlite: infra => createSqliteSamlRequestIdRepository(infra.getSqliteDb()),
+    redis: infra => createRedisSamlRequestIdRepository(infra.getRedis, infra.appName),
+    mongo: infra => {
+        const { conn, mg } = infra.getMongo();
+        return createMongoSamlRequestIdRepository(conn, mg);
+    },
+    postgres: () => {
+        throw new Error('[bunshot-auth] postgres store is not yet supported for samlRequestId repository');
+    },
+};
+// ---------------------------------------------------------------------------
+// Public API
+// ---------------------------------------------------------------------------
+const REQUEST_ID_TTL = 300; // 5 minutes
+export const storeSamlRequestId = async (repo, requestId) => {
+    const hash = sha256(requestId);
+    await repo.store(hash, REQUEST_ID_TTL);
+};
+export const consumeSamlRequestId = async (repo, requestId) => {
+    const hash = sha256(requestId);
+    return repo.exists(hash);
+};

package/dist/packages/bunshot-auth/src/lib/scim.d.ts

@@ -0,0 +1,44 @@
+import type { UserRecord } from '../lib/authAdapter';
+export interface ScimUser {
+    schemas: ['urn:ietf:params:scim:schemas:core:2.0:User'];
+    id: string;
+    externalId?: string;
+    userName: string;
+    displayName?: string;
+    name?: {
+        givenName?: string;
+        familyName?: string;
+        formatted?: string;
+    };
+    emails?: Array<{
+        value: string;
+        primary: boolean;
+    }>;
+    active: boolean;
+    meta: {
+        resourceType: 'User';
+        created?: string;
+        lastModified?: string;
+    };
+}
+export interface ScimListResponse {
+    schemas: ['urn:ietf:params:scim:api:messages:2.0:ListResponse'];
+    totalResults: number;
+    startIndex: number;
+    itemsPerPage: number;
+    Resources: ScimUser[];
+}
+export interface ScimError {
+    schemas: ['urn:ietf:params:scim:api:messages:2.0:Error'];
+    status: string;
+    detail: string;
+}
+export declare function userRecordToScim(user: UserRecord, config?: {
+    userName?: 'email' | 'username';
+}): ScimUser;
+/**
+ * Parse a simple SCIM filter string into a UserQuery object.
+ * Supports: userName eq "val", email eq "val", externalId eq "val", active eq true/false
+ */
+export declare function parseScimFilter(filter?: string): import('../lib/authAdapter').UserQuery;
+export declare function scimError(status: number, detail: string): Response;

package/dist/packages/bunshot-auth/src/lib/scim.js

@@ -0,0 +1,56 @@
+export function userRecordToScim(user, config) {
+    const userName = user.email ?? user.id;
+    return {
+        schemas: ['urn:ietf:params:scim:schemas:core:2.0:User'],
+        id: user.id,
+        externalId: user.externalId,
+        userName,
+        displayName: user.displayName,
+        name: user.firstName || user.lastName
+            ? {
+                givenName: user.firstName,
+                familyName: user.lastName,
+                formatted: [user.firstName, user.lastName].filter(Boolean).join(' ') || undefined,
+            }
+            : undefined,
+        emails: user.email ? [{ value: user.email, primary: true }] : undefined,
+        active: !user.suspended,
+        meta: { resourceType: 'User' },
+    };
+}
+/**
+ * Parse a simple SCIM filter string into a UserQuery object.
+ * Supports: userName eq "val", email eq "val", externalId eq "val", active eq true/false
+ */
+export function parseScimFilter(filter) {
+    if (!filter)
+        return {};
+    const query = {};
+    // Simple single-clause filter: `attr op "value"`
+    const match = filter.trim().match(/^(\w+)\s+eq\s+"?([^"]*)"?$/i);
+    if (!match)
+        return {};
+    const [, attr, value] = match;
+    const attrLower = attr.toLowerCase();
+    if (attrLower === 'username' || attrLower === 'email') {
+        query.email = value;
+    }
+    else if (attrLower === 'externalid') {
+        query.externalId = value;
+    }
+    else if (attrLower === 'active') {
+        query.suspended = value.toLowerCase() !== 'true'; // active=true means suspended=false
+    }
+    return query;
+}
+export function scimError(status, detail) {
+    const body = {
+        schemas: ['urn:ietf:params:scim:api:messages:2.0:Error'],
+        status: String(status),
+        detail,
+    };
+    return new Response(JSON.stringify(body), {
+        status,
+        headers: { 'Content-Type': 'application/scim+json' },
+    });
+}

package/dist/packages/bunshot-auth/src/lib/securityEventWiring.d.ts

@@ -0,0 +1,22 @@
+import type { BunshotEventBus } from '../../../bunshot-core/src/index.js';
+import { type SecurityEventKey } from '../../../bunshot-core/src/index.js';
+export interface SecurityEventsConfig {
+    onEvent: (event: SecurityEvent) => void;
+    onEventError?: (err: unknown) => void;
+    include?: SecurityEventKey[];
+    exclude?: SecurityEventKey[];
+}
+export interface SecurityEvent {
+    eventType: SecurityEventKey;
+    severity: 'info' | 'warn' | 'critical';
+    timestamp: string;
+    requestId?: string;
+    userId?: string;
+    sessionId?: string;
+    tenantId?: string;
+    ip?: string;
+    userAgent?: string;
+    meta?: Record<string, unknown>;
+    [key: string]: unknown;
+}
+export declare function wireSecurityEventConfig(bus: BunshotEventBus, cfg?: SecurityEventsConfig): void;