@lastshotlabs/bunshot 0.0.25 → 0.0.28

package/dist/{middleware → packages/bunshot-auth/src/middleware}/requireMfaSetup.js

@@ -1,5 +1,6 @@
-import { getAuthAdapter } from "../lib/authAdapter";
-const EXEMPT_PREFIXES = ["/auth/", "/health", "/docs", "/openapi.json"];
+import { HttpError } from '../../../bunshot-core/src/index.js';
+import { getAuthRuntimeFromRequest } from '../runtime';
+const EXEMPT_PREFIXES = ['/auth/', '/health', '/docs', '/openapi.json'];
 /**
  * Middleware that blocks authenticated users who have not completed MFA setup.
  *
@@ -14,23 +15,25 @@ const EXEMPT_PREFIXES = ["/auth/", "/health", "/docs", "/openapi.json"];
  * Unauthenticated requests pass through — use `userAuth` to block those.
  */
 export const requireMfaSetup = async (c, next) => {
-    const path = c.req.path;
+    const rawPath = c.req.path;
+    // Strip version prefix if present (e.g., /v1/auth/... → /auth/...)
+    const path = rawPath.replace(/^\/v\d+/, '');
     // Exempt paths — auth routes (including MFA setup), health, docs, root
-    if (path === "/" || EXEMPT_PREFIXES.some((p) => path.startsWith(p))) {
+    if (path === '/' || EXEMPT_PREFIXES.some(p => path.startsWith(p))) {
         return next();
     }
     // Only applies to authenticated users — unauthenticated requests pass through
-    const userId = c.get("authUserId");
+    const userId = c.get('authUserId');
     if (!userId) {
         return next();
     }
-    const adapter = getAuthAdapter();
+    const adapter = getAuthRuntimeFromRequest(c).adapter;
     if (!adapter.isMfaEnabled) {
         return next();
     }
     const enabled = await adapter.isMfaEnabled(userId);
     if (!enabled) {
-        return c.json({ error: "MFA setup required", code: "MFA_SETUP_REQUIRED" }, 403);
+        throw new HttpError(403, 'MFA setup required', 'MFA_SETUP_REQUIRED');
     }
     return next();
 };

package/dist/{middleware → packages/bunshot-auth/src/middleware}/requireRole.d.ts

@@ -1,5 +1,5 @@
-import type { MiddlewareHandler } from "hono";
-import type { AppEnv } from "../lib/context";
+import type { MiddlewareHandler } from 'hono';
+import type { AppEnv } from '../../../bunshot-core/src/index.js';
 /**
  * Middleware factory that enforces role-based access.
  * Requires `identify` to have run first (authUserId must be set).

package/dist/{middleware → packages/bunshot-auth/src/middleware}/requireRole.js

@@ -1,4 +1,6 @@
-import { getEffectiveRoles } from "../lib/groups";
+import { getEffectiveRoles } from '../lib/groups';
+import { isProd } from '../lib/env';
+import { getAuthRuntimeFromRequest } from '../runtime';
 /**
  * Middleware factory that enforces role-based access.
  * Requires `identify` to have run first (authUserId must be set).
@@ -17,15 +19,16 @@ import { getEffectiveRoles } from "../lib/groups";
  * app.get("/mod", userAuth, requireRole("admin", "moderator"), handler)
  */
 export const requireRole = Object.assign((...roles) => async (c, next) => {
-    const userId = c.get("authUserId");
+    const userId = c.get('authUserId');
     if (!userId) {
-        return c.json({ error: "Unauthorized" }, 401);
+        return c.json({ error: 'Unauthorized' }, 401);
     }
-    const tenantId = c.get("tenantId") ?? null;
-    const effective = await getEffectiveRoles(userId, tenantId);
-    c.set("roles", effective);
-    if (!roles.some((r) => effective.includes(r))) {
-        return c.json({ error: "Forbidden" }, 403);
+    const runtime = getAuthRuntimeFromRequest(c);
+    const tenantId = c.get('tenantId') ?? null;
+    const effective = await getEffectiveRoles(runtime.adapter, userId, tenantId);
+    c.set('roles', effective);
+    if (!roles.some(r => effective.includes(r))) {
+        return c.json({ error: 'Forbidden' }, 403);
     }
     await next();
 }, {
@@ -42,21 +45,22 @@ export const requireRole = Object.assign((...roles) => async (c, next) => {
      * app.get("/super-admin", userAuth, requireRole.global("superadmin"), handler)
      */
     global: (...roles) => async (c, next) => {
-        const userId = c.get("authUserId");
+        const userId = c.get('authUserId');
         if (!userId) {
-            return c.json({ error: "Unauthorized" }, 401);
+            return c.json({ error: 'Unauthorized' }, 401);
         }
+        const runtime = getAuthRuntimeFromRequest(c);
         // In development, log when tenant context is present but intentionally ignored.
         // console.info is used deliberately: console.debug is suppressed by default in most
         // runtimes, so info gives reliably visible output during development without being
         // noisy in production (this branch never executes there).
-        if (process.env.NODE_ENV !== "production" && c.get("tenantId")) {
-            console.info("[requireRole.global] tenant context present but intentionally ignored — checking app-wide roles only");
+        if (!isProd() && c.get('tenantId')) {
+            console.info('[requireRole.global] tenant context present but intentionally ignored — checking app-wide roles only');
         }
-        const effective = await getEffectiveRoles(userId, null);
-        c.set("roles", effective);
-        if (!roles.some((r) => effective.includes(r))) {
-            return c.json({ error: "Forbidden" }, 403);
+        const effective = await getEffectiveRoles(runtime.adapter, userId, null);
+        c.set('roles', effective);
+        if (!roles.some(r => effective.includes(r))) {
+            return c.json({ error: 'Forbidden' }, 403);
         }
         await next();
     },

package/dist/packages/bunshot-auth/src/middleware/requireScope.d.ts

@@ -0,0 +1,10 @@
+import type { MiddlewareHandler } from 'hono';
+import type { AppEnv } from '../../../bunshot-core/src/index.js';
+/**
+ * Middleware that requires the JWT to contain all specified scopes.
+ * Reads scope from `tokenPayload.scope` (set by identify middleware).
+ *
+ * @example
+ * router.get("/data", requireScope("read:data"), handler);
+ */
+export declare const requireScope: (...requiredScopes: string[]) => MiddlewareHandler<AppEnv>;

package/dist/packages/bunshot-auth/src/middleware/requireScope.js

@@ -0,0 +1,25 @@
+import { HttpError } from '../../../bunshot-core/src/index.js';
+/**
+ * Middleware that requires the JWT to contain all specified scopes.
+ * Reads scope from `tokenPayload.scope` (set by identify middleware).
+ *
+ * @example
+ * router.get("/data", requireScope("read:data"), handler);
+ */
+export const requireScope = (...requiredScopes) => async (c, next) => {
+    const payload = c.get('tokenPayload');
+    if (!payload) {
+        throw new HttpError(401, 'Authentication required');
+    }
+    const scope = payload.scope;
+    if (!scope) {
+        throw new HttpError(403, 'Insufficient scope', 'INSUFFICIENT_SCOPE');
+    }
+    const grantedScopes = scope.split(' ');
+    for (const required of requiredScopes) {
+        if (!grantedScopes.includes(required)) {
+            throw new HttpError(403, 'Insufficient scope', 'INSUFFICIENT_SCOPE');
+        }
+    }
+    await next();
+};

package/dist/packages/bunshot-auth/src/middleware/requireStepUp.d.ts

@@ -0,0 +1,18 @@
+import type { MiddlewareHandler } from 'hono';
+import type { AppEnv } from '../../../bunshot-core/src/index.js';
+export interface StepUpOptions {
+    /** Max age in seconds since last MFA verification. Default: 300 (5 min). */
+    maxAge?: number;
+}
+/**
+ * Middleware that requires the user to have recently completed step-up MFA.
+ *
+ * Attach to sensitive routes that require fresh MFA verification:
+ * ```
+ * router.post("/transfer", userAuth, requireStepUp(), transferHandler);
+ * ```
+ *
+ * The user completes step-up via POST /auth/step-up.
+ * After successful step-up, mfaVerifiedAt is stored in their session.
+ */
+export declare const requireStepUp: (opts?: StepUpOptions) => MiddlewareHandler<AppEnv>;

package/dist/packages/bunshot-auth/src/middleware/requireStepUp.js

@@ -0,0 +1,30 @@
+import { HttpError } from '../../../bunshot-core/src/index.js';
+import { getAuthRuntimeFromRequest } from '../runtime';
+/**
+ * Middleware that requires the user to have recently completed step-up MFA.
+ *
+ * Attach to sensitive routes that require fresh MFA verification:
+ * ```
+ * router.post("/transfer", userAuth, requireStepUp(), transferHandler);
+ * ```
+ *
+ * The user completes step-up via POST /auth/step-up.
+ * After successful step-up, mfaVerifiedAt is stored in their session.
+ */
+export const requireStepUp = (opts) => async (c, next) => {
+    const sessionId = c.get('sessionId');
+    if (!sessionId) {
+        throw new HttpError(401, 'Authentication required');
+    }
+    const maxAge = opts?.maxAge ?? 300;
+    const runtime = getAuthRuntimeFromRequest(c);
+    const verifiedAt = await runtime.repos.session.getMfaVerifiedAt(sessionId);
+    if (verifiedAt === null) {
+        throw new HttpError(403, 'Step-up authentication required', 'STEP_UP_REQUIRED');
+    }
+    const now = Math.floor(Date.now() / 1000);
+    if (now - verifiedAt > maxAge) {
+        throw new HttpError(403, 'Step-up authentication expired', 'STEP_UP_REQUIRED');
+    }
+    await next();
+};

package/dist/{middleware → packages/bunshot-auth/src/middleware}/requireVerifiedEmail.d.ts

@@ -1,5 +1,5 @@
-import type { MiddlewareHandler } from "hono";
-import type { AppEnv } from "../lib/context";
+import type { MiddlewareHandler } from 'hono';
+import type { AppEnv } from '../../../bunshot-core/src/index.js';
 /**
  * Middleware that blocks access for users whose email address has not been verified.
  * Must run after `userAuth` (requires `authUserId` to be set on context).

package/dist/{middleware → packages/bunshot-auth/src/middleware}/requireVerifiedEmail.js

@@ -1,4 +1,5 @@
-import { getAuthAdapter } from "../lib/authAdapter";
+import { HttpError } from '../../../bunshot-core/src/index.js';
+import { getAuthRuntimeFromRequest } from '../runtime';
 /**
  * Middleware that blocks access for users whose email address has not been verified.
  * Must run after `userAuth` (requires `authUserId` to be set on context).
@@ -9,17 +10,17 @@ import { getAuthAdapter } from "../lib/authAdapter";
  * router.use("/dashboard", userAuth, requireVerifiedEmail);
  */
 export const requireVerifiedEmail = async (c, next) => {
-    const userId = c.get("authUserId");
+    const userId = c.get('authUserId');
     if (!userId) {
-        return c.json({ error: "Unauthorized" }, 401);
+        return c.json({ error: 'Unauthorized' }, 401);
     }
-    const adapter = getAuthAdapter();
+    const adapter = getAuthRuntimeFromRequest(c).adapter;
     if (!adapter.getEmailVerified) {
-        throw new Error("requireVerifiedEmail used but auth adapter does not implement getEmailVerified");
+        throw new HttpError(500, 'Internal server error');
     }
     const verified = await adapter.getEmailVerified(userId);
     if (!verified) {
-        return c.json({ error: "Email not verified" }, 403);
+        return c.json({ error: 'Email not verified' }, 403);
     }
     await next();
 };

package/dist/packages/bunshot-auth/src/middleware/scimAuth.d.ts

@@ -0,0 +1,8 @@
+import type { MiddlewareHandler } from 'hono';
+import type { AppEnv } from '../../../bunshot-core/src/index.js';
+import type { AuthRuntimeContext } from '../runtime';
+/**
+ * Middleware that validates SCIM bearer tokens.
+ * Tokens are checked with timingSafeEqual to prevent timing attacks.
+ */
+export declare const createScimAuth: (runtime: AuthRuntimeContext) => MiddlewareHandler<AppEnv>;

package/dist/packages/bunshot-auth/src/middleware/scimAuth.js

@@ -0,0 +1,29 @@
+import { HttpError, timingSafeEqual } from '../../../bunshot-core/src/index.js';
+/**
+ * Middleware that validates SCIM bearer tokens.
+ * Tokens are checked with timingSafeEqual to prevent timing attacks.
+ */
+export const createScimAuth = (runtime) => async (c, next) => {
+    const tokens = runtime.config.scim?.bearerTokens;
+    const configuredTokens = (Array.isArray(tokens) ? tokens : tokens ? [tokens] : []).filter(token => token.length > 0);
+    if (configuredTokens.length === 0) {
+        throw new Error('[bunshot-auth] SCIM auth middleware mounted without configured bearer tokens');
+    }
+    const authHeader = c.req.header('authorization') ?? '';
+    if (!authHeader.startsWith('Bearer ')) {
+        throw new HttpError(401, 'SCIM bearer token required');
+    }
+    const provided = authHeader.slice(7);
+    const valid = configuredTokens.some(token => {
+        try {
+            return timingSafeEqual(provided, token);
+        }
+        catch {
+            return false;
+        }
+    });
+    if (!valid) {
+        throw new HttpError(401, 'Invalid SCIM token');
+    }
+    await next();
+};

package/dist/packages/bunshot-auth/src/middleware/userAuth.d.ts

@@ -0,0 +1,3 @@
+import type { MiddlewareHandler } from 'hono';
+import type { AppEnv } from '../../../bunshot-core/src/index.js';
+export declare const userAuth: MiddlewareHandler<AppEnv>;

package/dist/packages/bunshot-auth/src/middleware/userAuth.js

@@ -0,0 +1,6 @@
+export const userAuth = async (c, next) => {
+    if (!c.get('authUserId')) {
+        return c.json({ error: 'Unauthorized' }, 401);
+    }
+    await next();
+};

package/dist/{models → packages/bunshot-auth/src/models}/AuthUser.d.ts

@@ -1,6 +1,8 @@
-import type { Document, Model } from "mongoose";
+import type { Connection, Document, Model, Mongoose } from 'mongoose';
 interface IAuthUser {
     email?: string | null;
+    /** Primary login identifier — equals email when primaryField="email", username or phone otherwise. */
+    identifier?: string | null;
     password?: string | null;
     /** Compound provider keys: ["google:123456", "apple:000111"] */
     providerIds: string[];
@@ -25,13 +27,22 @@ interface IAuthUser {
         name?: string;
         createdAt: Date;
     }>;
+    displayName?: string;
+    firstName?: string;
+    lastName?: string;
+    externalId?: string;
+    suspended: boolean;
+    suspendedAt?: Date;
+    suspendedReason?: string;
+    /** Previous bcrypt password hashes for reuse prevention. Oldest-first; max length = preventReuse config. */
+    passwordHistory?: string[];
+    userMetadata?: Record<string, unknown>;
+    appMetadata?: Record<string, unknown>;
 }
 type AuthUserDocument = IAuthUser & Document;
-export declare const AuthUser: Model<AuthUserDocument, {}, {}, {}, Document<unknown, {}, AuthUserDocument, {}, import("mongoose").DefaultSchemaOptions> & IAuthUser & Document<import("mongoose").Types.ObjectId, any, any, Record<string, any>, {}> & Required<{
-    _id: import("mongoose").Types.ObjectId;
-}> & {
-    __v: number;
-} & {
-    id: string;
-}, any, AuthUserDocument>;
+/**
+ * Create (or retrieve cached) AuthUser model on the given connection.
+ * Model caching is handled by Mongoose's connection.models registry.
+ */
+export declare function createAuthUserModel(conn: Connection, mongooseInstance: Mongoose): Model<AuthUserDocument>;
 export {};

package/dist/packages/bunshot-auth/src/models/AuthUser.js

@@ -0,0 +1,53 @@
+/**
+ * Create (or retrieve cached) AuthUser model on the given connection.
+ * Model caching is handled by Mongoose's connection.models registry.
+ */
+export function createAuthUserModel(conn, mongooseInstance) {
+    if (conn.models['AuthUser'])
+        return conn.models['AuthUser'];
+    const { Schema } = mongooseInstance;
+    const schema = new Schema({
+        email: { type: String, unique: true, sparse: true, lowercase: true },
+        /** Primary login identifier — equals email when primaryField="email", username or phone otherwise. */
+        identifier: { type: String, unique: true, sparse: true, lowercase: true },
+        password: { type: String },
+        /** Compound provider keys: ["google:123456", "apple:000111"] */
+        providerIds: [{ type: String }],
+        /** App-defined roles assigned to this user: ["admin", "editor", ...] */
+        roles: [{ type: String }],
+        /** Whether the user's email address has been verified. */
+        emailVerified: { type: Boolean, default: false },
+        /** TOTP secret for MFA. */
+        mfaSecret: { type: String, default: null },
+        /** Whether MFA is enabled. */
+        mfaEnabled: { type: Boolean, default: false },
+        /** SHA-256 hashed recovery codes for MFA. */
+        recoveryCodes: [{ type: String }],
+        /** MFA methods enabled for this user. */
+        mfaMethods: [{ type: String }],
+        /** WebAuthn credentials (security keys / platform authenticators). */
+        webauthnCredentials: [
+            {
+                credentialId: { type: String, required: true },
+                publicKey: { type: String, required: true },
+                signCount: { type: Number, required: true, default: 0 },
+                transports: [{ type: String }],
+                name: { type: String },
+                createdAt: { type: Date, default: Date.now },
+            },
+        ],
+        displayName: { type: String, default: null },
+        firstName: { type: String, default: null },
+        lastName: { type: String, default: null },
+        externalId: { type: String, default: null, index: true, sparse: true },
+        suspended: { type: Boolean, default: false },
+        suspendedAt: { type: Date, default: null },
+        suspendedReason: { type: String, default: null },
+        /** Previous bcrypt password hashes for reuse prevention. */
+        passwordHistory: [{ type: String }],
+        userMetadata: { type: Schema.Types.Mixed, default: {} },
+        appMetadata: { type: Schema.Types.Mixed, default: {} },
+    }, { timestamps: true });
+    schema.index({ providerIds: 1 });
+    return conn.model('AuthUser', schema);
+}

package/dist/packages/bunshot-auth/src/models/Group.d.ts

@@ -0,0 +1,19 @@
+import type { Connection, Document, Model, Mongoose } from 'mongoose';
+interface IGroup {
+    name: string;
+    displayName?: string;
+    description?: string;
+    roles: string[];
+    /**
+     * null = app-wide group, string = tenant-scoped group.
+     * Immutable after creation — adapters must reject updates that include tenantId.
+     */
+    tenantId: string | null;
+}
+type GroupDocument = IGroup & Document;
+/**
+ * Create (or retrieve cached) Group model on the given connection.
+ * Model caching is handled by Mongoose's connection.models registry.
+ */
+export declare function createGroupModel(conn: Connection, mongooseInstance: Mongoose): Model<GroupDocument>;
+export {};

package/dist/packages/bunshot-auth/src/models/Group.js

@@ -0,0 +1,22 @@
+/**
+ * Create (or retrieve cached) Group model on the given connection.
+ * Model caching is handled by Mongoose's connection.models registry.
+ */
+export function createGroupModel(conn, mongooseInstance) {
+    if (conn.models['Group'])
+        return conn.models['Group'];
+    const { Schema } = mongooseInstance;
+    const schema = new Schema({
+        name: { type: String, required: true },
+        displayName: { type: String },
+        description: { type: String },
+        roles: [{ type: String }],
+        tenantId: { type: String, default: null },
+    }, { timestamps: true });
+    // Name is unique within scope (app-wide or per-tenant).
+    // MongoDB treats null as a value, so this compound index correctly enforces uniqueness
+    // for app-wide groups (both have tenantId: null) and per-tenant groups separately.
+    schema.index({ name: 1, tenantId: 1 }, { unique: true });
+    schema.index({ tenantId: 1 });
+    return conn.model('Group', schema);
+}

package/dist/{models → packages/bunshot-auth/src/models}/GroupMembership.d.ts

@@ -1,4 +1,4 @@
-import type { Document, Model } from "mongoose";
+import type { Connection, Document, Model, Mongoose } from 'mongoose';
 interface IGroupMembership {
     userId: string;
     groupId: string;
@@ -11,11 +11,9 @@ interface IGroupMembership {
     tenantId: string | null;
 }
 type GroupMembershipDocument = IGroupMembership & Document;
-export declare const GroupMembership: Model<GroupMembershipDocument, {}, {}, {}, Document<unknown, {}, GroupMembershipDocument, {}, import("mongoose").DefaultSchemaOptions> & IGroupMembership & Document<import("mongoose").Types.ObjectId, any, any, Record<string, any>, {}> & Required<{
-    _id: import("mongoose").Types.ObjectId;
-}> & {
-    __v: number;
-} & {
-    id: string;
-}, any, GroupMembershipDocument>;
+/**
+ * Create (or retrieve cached) GroupMembership model on the given connection.
+ * Model caching is handled by Mongoose's connection.models registry.
+ */
+export declare function createGroupMembershipModel(conn: Connection, mongooseInstance: Mongoose): Model<GroupMembershipDocument>;
 export {};

package/dist/packages/bunshot-auth/src/models/GroupMembership.js

@@ -0,0 +1,19 @@
+/**
+ * Create (or retrieve cached) GroupMembership model on the given connection.
+ * Model caching is handled by Mongoose's connection.models registry.
+ */
+export function createGroupMembershipModel(conn, mongooseInstance) {
+    if (conn.models['GroupMembership'])
+        return conn.models['GroupMembership'];
+    const { Schema } = mongooseInstance;
+    const schema = new Schema({
+        userId: { type: String, required: true },
+        groupId: { type: String, required: true },
+        roles: [{ type: String }],
+        tenantId: { type: String, default: null },
+    }, { timestamps: { createdAt: true, updatedAt: false } });
+    schema.index({ userId: 1, groupId: 1 }, { unique: true });
+    schema.index({ groupId: 1 });
+    schema.index({ userId: 1, tenantId: 1 });
+    return conn.model('GroupMembership', schema);
+}

package/dist/packages/bunshot-auth/src/models/M2MClient.d.ts

@@ -0,0 +1,18 @@
+import mongoose from 'mongoose';
+export interface IM2MClient {
+    _id: string;
+    clientId: string;
+    clientSecretHash: string;
+    name: string;
+    scopes: string[];
+    active: boolean;
+    createdAt: Date;
+    updatedAt: Date;
+}
+export declare const M2MClient: mongoose.Model<IM2MClient, {}, {}, {}, mongoose.Document<unknown, {}, IM2MClient, {}, mongoose.DefaultSchemaOptions> & IM2MClient & Required<{
+    _id: string;
+}> & {
+    __v: number;
+} & {
+    id: string;
+}, any, IM2MClient>;

package/dist/packages/bunshot-auth/src/models/M2MClient.js

@@ -0,0 +1,18 @@
+import mongoose from 'mongoose';
+const m2mClientSchema = new mongoose.Schema({
+    clientId: { type: String, required: true, unique: true },
+    clientSecretHash: { type: String, required: true },
+    name: { type: String, required: true },
+    scopes: { type: [String], default: [] },
+    active: { type: Boolean, default: true },
+}, { timestamps: true });
+// Lazy proxy pattern (same as AuthUser.ts)
+export const M2MClient = new Proxy({}, {
+    get(_, prop) {
+        const { authConnection } = require('../infra/mongo');
+        if (!authConnection)
+            throw new Error('authConnection not initialized — call connectAuthMongo() or connectMongo() first');
+        const model = authConnection.models['M2MClient'] ?? authConnection.model('M2MClient', m2mClientSchema);
+        return Reflect.get(model, prop);
+    },
+});

package/dist/packages/bunshot-auth/src/models/TenantRole.d.ts

@@ -0,0 +1,13 @@
+import type { Connection, Document, Model, Mongoose } from 'mongoose';
+interface ITenantRole {
+    userId: string;
+    tenantId: string;
+    roles: string[];
+}
+type TenantRoleDocument = ITenantRole & Document;
+/**
+ * Create (or retrieve cached) TenantRole model on the given connection.
+ * Model caching is handled by Mongoose's connection.models registry.
+ */
+export declare function createTenantRoleModel(conn: Connection, mongooseInstance: Mongoose): Model<TenantRoleDocument>;
+export {};

package/dist/packages/bunshot-auth/src/models/TenantRole.js

@@ -0,0 +1,17 @@
+/**
+ * Create (or retrieve cached) TenantRole model on the given connection.
+ * Model caching is handled by Mongoose's connection.models registry.
+ */
+export function createTenantRoleModel(conn, mongooseInstance) {
+    if (conn.models['TenantRole'])
+        return conn.models['TenantRole'];
+    const { Schema } = mongooseInstance;
+    const schema = new Schema({
+        userId: { type: String, required: true },
+        tenantId: { type: String, required: true },
+        roles: [{ type: String }],
+    }, { timestamps: true });
+    schema.index({ userId: 1, tenantId: 1 }, { unique: true });
+    schema.index({ tenantId: 1 });
+    return conn.model('TenantRole', schema);
+}

package/dist/packages/bunshot-auth/src/plugin.d.ts

@@ -0,0 +1,4 @@
+import type { StandalonePlugin } from '../../bunshot-core/src/index.js';
+import type { AuthPluginConfig } from './types/config';
+export type { AuthPluginConfig };
+export declare function createAuthPlugin(rawConfig: AuthPluginConfig): StandalonePlugin;