@lastshotlabs/bunshot 0.0.25 → 0.0.28

package/dist/src/framework/createInfrastructure.js

@@ -0,0 +1,221 @@
+/**
+ * Infrastructure creation — extracted from createApp().
+ *
+ * Handles database connections, store resolution, trust-proxy configuration,
+ * and the frameworkConfig object that is passed to all plugin lifecycle methods.
+ *
+ * Phase 1 singleton elimination: connect functions return connections directly.
+ * No module-level state is read or set.
+ */
+import { createAuditLogFactories } from './lib/auditLog';
+import { cronRegistryFactories } from './persistence/cronRegistry';
+import { idempotencyFactories } from './persistence/idempotency';
+import { createUploadRegistryFactories } from './persistence/uploadRegistry';
+import { wsMessageFactories } from './persistence/wsMessages';
+import { connectAppMongo, connectAuthMongo, connectMongo } from '../lib/mongo';
+import { connectRedis } from '../lib/redis';
+import { getDataEncryptionKeys } from '../lib/signingConfig';
+import { resolveRepo } from '../../packages/bunshot-core/src/index.js';
+import { connectPostgres } from '@lastshotlabs/bunshot-postgres';
+/**
+ * Connect databases, resolve store preferences, configure trust-proxy,
+ * and assemble the frameworkConfig object that plugins receive.
+ */
+export async function createInfrastructure(options) {
+    const { db, securitySigning, cors: corsOpt, captcha, trustProxy, registrar, secrets, uploadRegistryTtlSeconds, auditLogTtlDays, } = options;
+    const { sqlite, mongo = 'single', redis: enableRedis = true } = db;
+    const corsOrigins = corsOpt ?? '*';
+    // Smart fallback: pick the best available store rather than blindly defaulting to "redis"
+    const defaultStore = enableRedis
+        ? 'redis'
+        : db.postgres
+            ? 'postgres'
+            : sqlite
+                ? 'sqlite'
+                : mongo !== false
+                    ? 'mongo'
+                    : 'memory';
+    const sessions = db.sessions ?? defaultStore;
+    const oauthState = db.oauthState ?? sessions;
+    const cache = db.cache ?? defaultStore;
+    const authStore = db.auth ?? (mongo !== false ? 'mongo' : sessions);
+    // Build credential objects from resolved secrets — no process.env fallback
+    const mongoCreds = {
+        user: secrets.mongoUser,
+        password: secrets.mongoPassword,
+        host: secrets.mongoHost,
+        db: secrets.mongoDb,
+    };
+    const mongoAuthCreds = {
+        user: secrets.mongoAuthUser,
+        password: secrets.mongoAuthPassword,
+        host: secrets.mongoAuthHost,
+        db: secrets.mongoAuthDb,
+    };
+    const redisCreds = {
+        host: secrets.redisHost,
+        user: secrets.redisUser,
+        password: secrets.redisPassword,
+    };
+    // Connect databases — connect functions return connections directly (no module-level state)
+    let authConn = null;
+    let appConn = null;
+    let mongooseModule = null;
+    if (mongo === 'single') {
+        const result = await connectMongo(mongoCreds);
+        authConn = result.authConn;
+        appConn = result.appConn;
+        mongooseModule = result.mongoose;
+    }
+    else if (mongo === 'separate') {
+        const [authResult, appResult] = await Promise.all([
+            connectAuthMongo(mongoAuthCreds),
+            connectAppMongo(mongoCreds),
+        ]);
+        authConn = authResult.authConn;
+        appConn = appResult.appConn;
+        mongooseModule = authResult.mongoose;
+    }
+    let redisClient = null;
+    if (enableRedis) {
+        redisClient = await connectRedis(redisCreds);
+    }
+    let postgresDb = null;
+    if (db.postgres) {
+        postgresDb = await connectPostgres(db.postgres);
+    }
+    function getMongooseOrThrow() {
+        if (!mongooseModule)
+            throw new Error('[framework] Mongoose module not initialized');
+        return mongooseModule;
+    }
+    const dataEncryptionKeys = getDataEncryptionKeys(secrets.dataEncryptionKey || undefined);
+    const resolvedStores = {
+        sessions,
+        oauthState,
+        cache,
+        authStore,
+        sqlite,
+    };
+    // Build the config object passed to all plugin phase methods
+    const frameworkConfig = {
+        resolvedStores,
+        security: { cors: corsOrigins },
+        signing: securitySigning ?? null,
+        dataEncryptionKeys,
+        redis: redisClient ?? undefined,
+        mongo: mongo !== false ? { auth: authConn, app: appConn } : undefined,
+        captcha: captcha ?? null,
+        trustProxy: trustProxy ?? false,
+        registrar,
+    };
+    // Resolve persistence repositories based on the default store selection
+    const { persistence, sqliteDb } = resolveFrameworkPersistence({
+        defaultStore,
+        redis: redisClient,
+        mongo: mongo !== false ? { conn: appConn, mongoose: getMongooseOrThrow() } : null,
+        sqlite,
+        postgres: postgresDb,
+        appName: '', // set later — not needed for persistence key prefixing at this level
+        uploadRegistryTtlSeconds,
+        auditLogTtlDays,
+    });
+    return {
+        frameworkConfig,
+        resolvedStores,
+        redisEnabled: enableRedis,
+        mongoMode: mongo,
+        dataEncryptionKeys,
+        corsOrigins,
+        persistence,
+        sqliteDb,
+        redis: redisClient,
+        mongo: mongo !== false ? { auth: authConn, app: appConn, mongoose: getMongooseOrThrow() } : null,
+        postgres: postgresDb,
+    };
+}
+/**
+ * Create the appropriate repository implementations based on the default store
+ * selection. Each repository uses the same store-selection logic as sessions/cache:
+ * redis > postgres > sqlite > mongo > memory.
+ */
+function resolveFrameworkPersistence(opts) {
+    const { defaultStore, redis, mongo, sqlite, postgres, appName, uploadRegistryTtlSeconds, auditLogTtlDays, } = opts;
+    // Default room config state — owned by the persistence closure, instance-scoped
+    const DEFAULT_MAX_COUNT = 100;
+    const DEFAULT_TTL_SECONDS = 86_400;
+    let defaults = {
+        maxCount: DEFAULT_MAX_COUNT,
+        ttlSeconds: DEFAULT_TTL_SECONDS,
+    };
+    const roomConfigs = new Map();
+    const sqliteDb = sqlite
+        ? new (require('bun:sqlite').Database)(sqlite)
+        : null;
+    const storeInfra = {
+        appName: appName || 'bunshot',
+        getRedis: () => {
+            if (!redis)
+                throw new Error('[framework/persistence] Redis store selected but Redis is unavailable');
+            return redis;
+        },
+        getMongo: () => {
+            if (!mongo)
+                throw new Error('[framework/persistence] Mongo store selected but Mongo is unavailable');
+            return { conn: mongo.conn, mg: mongo.mongoose };
+        },
+        getSqliteDb: () => {
+            if (!sqliteDb)
+                throw new Error('[framework/persistence] SQLite store selected but SQLite is unavailable');
+            return sqliteDb;
+        },
+        getPostgres: () => {
+            if (!postgres)
+                throw new Error('[framework/persistence] Postgres store selected but Postgres is unavailable. Set db.postgres in your config.');
+            return postgres;
+        },
+    };
+    const uploadRegistry = resolveRepo(createUploadRegistryFactories(uploadRegistryTtlSeconds), defaultStore, storeInfra);
+    const idempotency = resolveRepo(idempotencyFactories, defaultStore, storeInfra);
+    const wsMessages = resolveRepo(wsMessageFactories, defaultStore, storeInfra);
+    const cronRegistry = resolveRepo(cronRegistryFactories, defaultStore, storeInfra);
+    const auditLogStoreMap = {
+        memory: 'memory',
+        redis: 'memory',
+        sqlite: 'sqlite',
+        mongo: 'mongo',
+        postgres: 'postgres',
+    };
+    const auditLogStore = auditLogStoreMap[defaultStore];
+    const auditLog = resolveRepo(createAuditLogFactories(auditLogTtlDays), auditLogStore, storeInfra);
+    return {
+        persistence: {
+            uploadRegistry,
+            idempotency,
+            wsMessages,
+            auditLog,
+            cronRegistry,
+            configureRoom(endpoint, room, options) {
+                const key = `${endpoint}\0${room}`;
+                if (!options.persist) {
+                    roomConfigs.delete(key);
+                    return;
+                }
+                roomConfigs.set(key, {
+                    maxCount: options.maxCount ?? defaults.maxCount,
+                    ttlSeconds: options.ttlSeconds ?? defaults.ttlSeconds,
+                });
+            },
+            getRoomConfig(endpoint, room) {
+                return roomConfigs.get(`${endpoint}\0${room}`) ?? null;
+            },
+            setDefaults(newDefaults) {
+                defaults = {
+                    maxCount: newDefaults.maxCount ?? DEFAULT_MAX_COUNT,
+                    ttlSeconds: newDefaults.ttlSeconds ?? DEFAULT_TTL_SECONDS,
+                };
+            },
+        },
+        sqliteDb,
+    };
+}

package/dist/src/framework/lib/auditLog.d.ts

@@ -0,0 +1,23 @@
+import type { Database } from 'bun:sqlite';
+import type { Connection } from 'mongoose';
+import type { AuditLogProvider, RepoFactories } from '../../../packages/bunshot-core/src/index.js';
+export type AuditLogStore = 'mongo' | 'sqlite' | 'memory' | 'postgres';
+export interface AuditLogOptions {
+    store: AuditLogStore;
+    db?: Database;
+    mongoConnection?: Connection | null;
+    /** Retention in days. SQLite: prunes on write. MongoDB: sets expiresAt for the TTL index. */
+    ttlDays?: number;
+}
+export interface AuditLogQuery {
+    userId?: string;
+    tenantId?: string;
+    after?: Date | string;
+    before?: Date | string;
+    limit?: number;
+    cursor?: string;
+}
+export declare function createAuditLogProvider(options: AuditLogOptions): AuditLogProvider;
+export declare function createAuditLogFactories(ttlDays?: number): RepoFactories<AuditLogProvider>;
+/** @deprecated Use createAuditLogFactories() instead. */
+export declare const auditLogFactories: RepoFactories<AuditLogProvider>;

package/dist/src/framework/lib/auditLog.js

@@ -0,0 +1,416 @@
+import { getAuditLogModel } from '../models/AuditLog';
+import { DEFAULT_MAX_ENTRIES, HttpError, evictOldestArray } from '../../../packages/bunshot-core/src/index.js';
+function encodeCursor(createdAt, id) {
+    return btoa(JSON.stringify({ t: createdAt, id }));
+}
+function decodeCursor(cursor) {
+    try {
+        const parsed = JSON.parse(atob(cursor));
+        if (typeof parsed?.t === 'string' &&
+            parsed.t.length > 0 &&
+            !isNaN(Date.parse(parsed.t)) &&
+            typeof parsed?.id === 'string' &&
+            parsed.id.length > 0) {
+            return parsed;
+        }
+    }
+    catch {
+        // malformed base64 or JSON
+    }
+    return null;
+}
+// ---------------------------------------------------------------------------
+// SQLite table setup
+// ---------------------------------------------------------------------------
+function ensureSqliteTable(db) {
+    db.run(`
+    CREATE TABLE IF NOT EXISTS audit_logs (
+      id         TEXT PRIMARY KEY,
+      userId     TEXT,
+      sessionId  TEXT,
+      tenantId   TEXT,
+      method     TEXT NOT NULL,
+      path       TEXT NOT NULL,
+      status     INTEGER NOT NULL,
+      ip         TEXT,
+      userAgent  TEXT,
+      action     TEXT,
+      resource   TEXT,
+      resourceId TEXT,
+      meta       TEXT,
+      createdAt  TEXT NOT NULL
+    )
+  `);
+    db.run('CREATE INDEX IF NOT EXISTS idx_al_user   ON audit_logs(userId,   createdAt)');
+    db.run('CREATE INDEX IF NOT EXISTS idx_al_tenant ON audit_logs(tenantId, createdAt)');
+    db.run('CREATE INDEX IF NOT EXISTS idx_al_path   ON audit_logs(path)');
+}
+function createMemoryAuditLogProvider() {
+    const memoryLogs = [];
+    let evictedEntries = 0;
+    let hasWarnedAboutTruncation = false;
+    console.warn(`[bunshot] Memory adapter for audit log is capped at ${DEFAULT_MAX_ENTRIES} entries and has no TTL-based eviction - for development/testing only`);
+    return {
+        async logEntry(entry) {
+            try {
+                memoryLogs.push(entry);
+                if (memoryLogs.length > DEFAULT_MAX_ENTRIES) {
+                    evictedEntries += memoryLogs.length - DEFAULT_MAX_ENTRIES;
+                    console.warn(`[auditLog] Memory audit log reached ${DEFAULT_MAX_ENTRIES} entries — evicting oldest. Tests relying on audit log completeness may see missing entries.`);
+                }
+                evictOldestArray(memoryLogs, DEFAULT_MAX_ENTRIES);
+            }
+            catch (err) {
+                console.error('[auditLog] failed to write entry:', err);
+            }
+        },
+        async getLogs(query) {
+            const limit = Math.min(query.limit ?? 50, 200);
+            const after = query.after ? new Date(query.after).toISOString() : undefined;
+            const before = query.before ? new Date(query.before).toISOString() : undefined;
+            if (evictedEntries > 0 && !hasWarnedAboutTruncation) {
+                hasWarnedAboutTruncation = true;
+                console.warn(`[auditLog] Memory audit log query is reading a truncated store. ${evictedEntries} oldest entr${evictedEntries === 1 ? 'y was' : 'ies were'} evicted after hitting the ${DEFAULT_MAX_ENTRIES}-entry cap.`);
+            }
+            let filtered = memoryLogs.slice();
+            if (query.userId !== undefined)
+                filtered = filtered.filter(e => e.userId === query.userId);
+            if (query.tenantId !== undefined)
+                filtered = filtered.filter(e => e.tenantId === query.tenantId);
+            if (after)
+                filtered = filtered.filter(e => e.createdAt >= after);
+            if (before)
+                filtered = filtered.filter(e => e.createdAt < before);
+            filtered.sort((a, b) => a.createdAt < b.createdAt
+                ? 1
+                : a.createdAt > b.createdAt
+                    ? -1
+                    : a.id < b.id
+                        ? 1
+                        : a.id > b.id
+                            ? -1
+                            : 0);
+            if (query.cursor) {
+                const c = decodeCursor(query.cursor);
+                if (!c)
+                    throw new HttpError(400, 'Invalid pagination cursor');
+                filtered = filtered.filter(e => e.createdAt < c.t || (e.createdAt === c.t && e.id < c.id));
+            }
+            const page = filtered.slice(0, limit + 1);
+            const hasMore = page.length > limit;
+            const items = hasMore ? page.slice(0, limit) : page;
+            const last = items[items.length - 1];
+            const nextCursor = hasMore ? encodeCursor(last.createdAt, last.id) : undefined;
+            return { items, nextCursor };
+        },
+    };
+}
+function createSqliteAuditLogProvider(db, ttlDays) {
+    return {
+        async logEntry(entry) {
+            try {
+                ensureSqliteTable(db);
+                db.run(`INSERT INTO audit_logs
+             (id, userId, sessionId, tenantId, method, path, status,
+              ip, userAgent, action, resource, resourceId, meta, createdAt)
+           VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)`, [
+                    entry.id,
+                    entry.userId ?? null,
+                    entry.sessionId ?? null,
+                    entry.tenantId ?? null,
+                    entry.method,
+                    entry.path,
+                    entry.status,
+                    entry.ip ?? null,
+                    entry.userAgent ?? null,
+                    entry.action ?? null,
+                    entry.resource ?? null,
+                    entry.resourceId ?? null,
+                    entry.meta !== undefined ? JSON.stringify(entry.meta) : null,
+                    entry.createdAt,
+                ]);
+                if (ttlDays !== undefined) {
+                    const cutoff = new Date(Date.now() - ttlDays * 86_400_000).toISOString();
+                    db.run('DELETE FROM audit_logs WHERE createdAt < ?', [cutoff]);
+                }
+            }
+            catch (err) {
+                console.error('[auditLog] failed to write entry:', err);
+            }
+        },
+        async getLogs(query) {
+            ensureSqliteTable(db);
+            const limit = Math.min(query.limit ?? 50, 200);
+            const after = query.after ? new Date(query.after).toISOString() : undefined;
+            const before = query.before ? new Date(query.before).toISOString() : undefined;
+            const conditions = [];
+            const params = [];
+            if (query.userId !== undefined) {
+                conditions.push('userId = ?');
+                params.push(query.userId);
+            }
+            if (query.tenantId !== undefined) {
+                conditions.push('tenantId = ?');
+                params.push(query.tenantId);
+            }
+            if (after) {
+                conditions.push('createdAt >= ?');
+                params.push(after);
+            }
+            if (before) {
+                conditions.push('createdAt < ?');
+                params.push(before);
+            }
+            if (query.cursor) {
+                const c = decodeCursor(query.cursor);
+                if (!c)
+                    throw new HttpError(400, 'Invalid pagination cursor');
+                conditions.push('(createdAt < ? OR (createdAt = ? AND id < ?))');
+                params.push(c.t, c.t, c.id);
+            }
+            const where = conditions.length > 0 ? `WHERE ${conditions.join(' AND ')}` : '';
+            const rows = db
+                .query(`SELECT * FROM audit_logs ${where} ORDER BY createdAt DESC, id DESC LIMIT ?`)
+                .all(...params, limit + 1);
+            const hasMore = rows.length > limit;
+            const pageRows = hasMore ? rows.slice(0, limit) : rows;
+            const items = pageRows.map(row => ({
+                id: row.id,
+                userId: row.userId ?? null,
+                sessionId: row.sessionId ?? null,
+                tenantId: row.tenantId ?? null,
+                method: row.method,
+                path: row.path,
+                status: row.status,
+                ip: row.ip ?? null,
+                userAgent: row.userAgent ?? null,
+                action: row.action ?? undefined,
+                resource: row.resource ?? undefined,
+                resourceId: row.resourceId ?? undefined,
+                meta: row.meta ? JSON.parse(row.meta) : undefined,
+                createdAt: row.createdAt,
+            }));
+            const last = items[items.length - 1];
+            const nextCursor = hasMore ? encodeCursor(last.createdAt, last.id) : undefined;
+            return { items, nextCursor };
+        },
+    };
+}
+function createMongoAuditLogProvider(conn, ttlDays) {
+    const AuditLog = getAuditLogModel(conn);
+    return {
+        async logEntry(entry) {
+            try {
+                const expiresAt = ttlDays !== undefined ? new Date(Date.now() + ttlDays * 86_400_000) : undefined;
+                await AuditLog.create({
+                    ...entry,
+                    createdAt: new Date(entry.createdAt),
+                    ...(expiresAt !== undefined ? { expiresAt } : {}),
+                });
+            }
+            catch (err) {
+                console.error('[auditLog] failed to write entry:', err);
+            }
+        },
+        async getLogs(query) {
+            const limit = Math.min(query.limit ?? 50, 200);
+            const after = query.after ? new Date(query.after).toISOString() : undefined;
+            const before = query.before ? new Date(query.before).toISOString() : undefined;
+            const filter = {};
+            if (query.userId !== undefined)
+                filter.userId = query.userId;
+            if (query.tenantId !== undefined)
+                filter.tenantId = query.tenantId;
+            // Build date constraints as independent $and clauses so before and cursor
+            // can coexist without one silently overwriting the other.
+            const andConditions = [];
+            if (after)
+                andConditions.push({ createdAt: { $gte: new Date(after) } });
+            if (before)
+                andConditions.push({ createdAt: { $lt: new Date(before) } });
+            if (query.cursor) {
+                const c = decodeCursor(query.cursor);
+                if (!c)
+                    throw new HttpError(400, 'Invalid pagination cursor');
+                const cursorDate = new Date(c.t);
+                andConditions.push({
+                    $or: [{ createdAt: { $lt: cursorDate } }, { createdAt: cursorDate, id: { $lt: c.id } }],
+                });
+            }
+            if (andConditions.length > 0)
+                filter.$and = andConditions;
+            const docs = await AuditLog.find(filter)
+                .sort({ createdAt: -1, id: -1 })
+                .limit(limit + 1)
+                .lean();
+            const hasMore = docs.length > limit;
+            const pageDocs = hasMore ? docs.slice(0, limit) : docs;
+            const items = pageDocs.map(doc => ({
+                id: doc.id,
+                userId: doc.userId ?? null,
+                sessionId: doc.sessionId ?? null,
+                tenantId: doc.tenantId ?? null,
+                method: doc.method,
+                path: doc.path,
+                status: doc.status,
+                ip: doc.ip ?? null,
+                userAgent: doc.userAgent ?? null,
+                action: doc.action,
+                resource: doc.resource,
+                resourceId: doc.resourceId,
+                meta: doc.meta,
+                createdAt: doc.createdAt.toISOString(),
+            }));
+            const last = items[items.length - 1];
+            const nextCursor = hasMore ? encodeCursor(last.createdAt, last.id) : undefined;
+            return { items, nextCursor };
+        },
+    };
+}
+export function createAuditLogProvider(options) {
+    const providers = {
+        memory: () => createMemoryAuditLogProvider(),
+        sqlite: () => {
+            if (!options.db)
+                throw new Error("AuditLog: store is 'sqlite' but no db instance was provided");
+            return createSqliteAuditLogProvider(options.db, options.ttlDays);
+        },
+        mongo: () => {
+            if (!options.mongoConnection)
+                throw new Error("AuditLog: store is 'mongo' but no connection was provided");
+            return createMongoAuditLogProvider(options.mongoConnection, options.ttlDays);
+        },
+        postgres: () => {
+            throw new Error('AuditLog: use createAuditLogFactories() instead of createAuditLogProvider() for postgres');
+        },
+    };
+    return providers[options.store]();
+}
+function createPostgresAuditLogProvider(pool, ttlDays) {
+    let initialized = false;
+    async function ensureTable() {
+        if (initialized)
+            return;
+        await pool.query(`
+      CREATE TABLE IF NOT EXISTS bunshot_audit_logs (
+        id          TEXT PRIMARY KEY,
+        user_id     TEXT,
+        session_id  TEXT,
+        tenant_id   TEXT,
+        method      TEXT NOT NULL,
+        path        TEXT NOT NULL,
+        status      INTEGER NOT NULL,
+        ip          TEXT,
+        user_agent  TEXT,
+        action      TEXT,
+        resource    TEXT,
+        resource_id TEXT,
+        meta        JSONB,
+        created_at  TIMESTAMPTZ NOT NULL
+      )
+    `);
+        await pool.query('CREATE INDEX IF NOT EXISTS idx_bal_user   ON bunshot_audit_logs(user_id,   created_at)');
+        await pool.query('CREATE INDEX IF NOT EXISTS idx_bal_tenant ON bunshot_audit_logs(tenant_id, created_at)');
+        await pool.query('CREATE INDEX IF NOT EXISTS idx_bal_path   ON bunshot_audit_logs(path)');
+        initialized = true;
+    }
+    return {
+        async logEntry(entry) {
+            try {
+                await ensureTable();
+                await pool.query(`INSERT INTO bunshot_audit_logs
+             (id, user_id, session_id, tenant_id, method, path, status,
+              ip, user_agent, action, resource, resource_id, meta, created_at)
+           VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9, $10, $11, $12, $13, $14)
+           ON CONFLICT (id) DO NOTHING`, [
+                    entry.id,
+                    entry.userId ?? null,
+                    entry.sessionId ?? null,
+                    entry.tenantId ?? null,
+                    entry.method,
+                    entry.path,
+                    entry.status,
+                    entry.ip ?? null,
+                    entry.userAgent ?? null,
+                    entry.action ?? null,
+                    entry.resource ?? null,
+                    entry.resourceId ?? null,
+                    entry.meta !== undefined ? entry.meta : null,
+                    entry.createdAt,
+                ]);
+                if (ttlDays !== undefined) {
+                    const cutoff = new Date(Date.now() - ttlDays * 86_400_000).toISOString();
+                    await pool.query('DELETE FROM bunshot_audit_logs WHERE created_at < $1', [cutoff]);
+                }
+            }
+            catch (err) {
+                console.error('[auditLog] failed to write entry:', err);
+            }
+        },
+        async getLogs(query) {
+            await ensureTable();
+            const limit = Math.min(query.limit ?? 50, 200);
+            const conditions = [];
+            const params = [];
+            let n = 1;
+            if (query.userId !== undefined) {
+                conditions.push(`user_id = $${n++}`);
+                params.push(query.userId);
+            }
+            if (query.tenantId !== undefined) {
+                conditions.push(`tenant_id = $${n++}`);
+                params.push(query.tenantId);
+            }
+            if (query.after) {
+                conditions.push(`created_at >= $${n++}`);
+                params.push(new Date(query.after).toISOString());
+            }
+            if (query.before) {
+                conditions.push(`created_at < $${n++}`);
+                params.push(new Date(query.before).toISOString());
+            }
+            if (query.cursor) {
+                const c = decodeCursor(query.cursor);
+                if (!c)
+                    throw new HttpError(400, 'Invalid pagination cursor');
+                conditions.push(`(created_at < $${n} OR (created_at = $${n + 1} AND id < $${n + 2}))`);
+                params.push(c.t, c.t, c.id);
+                n += 3;
+            }
+            const where = conditions.length > 0 ? `WHERE ${conditions.join(' AND ')}` : '';
+            const result = await pool.query(`SELECT * FROM bunshot_audit_logs ${where} ORDER BY created_at DESC, id DESC LIMIT $${n}`, [...params, limit + 1]);
+            const hasMore = result.rows.length > limit;
+            const pageRows = hasMore ? result.rows.slice(0, limit) : result.rows;
+            const items = pageRows.map(row => ({
+                id: row.id,
+                userId: row.user_id ?? null,
+                sessionId: row.session_id ?? null,
+                tenantId: row.tenant_id ?? null,
+                method: row.method,
+                path: row.path,
+                status: row.status,
+                ip: row.ip ?? null,
+                userAgent: row.user_agent ?? null,
+                action: row.action ?? undefined,
+                resource: row.resource ?? undefined,
+                resourceId: row.resource_id ?? undefined,
+                meta: row.meta ?? undefined,
+                createdAt: row.created_at.toISOString(),
+            }));
+            const last = items[items.length - 1];
+            const nextCursor = hasMore ? encodeCursor(last.createdAt, last.id) : undefined;
+            return { items, nextCursor };
+        },
+    };
+}
+export function createAuditLogFactories(ttlDays) {
+    return {
+        memory: () => createMemoryAuditLogProvider(),
+        sqlite: infra => createSqliteAuditLogProvider(infra.getSqliteDb(), ttlDays),
+        redis: () => createMemoryAuditLogProvider(),
+        mongo: infra => createMongoAuditLogProvider(infra.getMongo().conn, ttlDays),
+        postgres: infra => createPostgresAuditLogProvider(infra.getPostgres().pool, ttlDays),
+    };
+}
+/** @deprecated Use createAuditLogFactories() instead. */
+export const auditLogFactories = createAuditLogFactories();

package/dist/src/framework/lib/captcha.d.ts

@@ -0,0 +1,11 @@
+import type { CaptchaConfig } from '../../../packages/bunshot-core/src/index.js';
+export type { CaptchaProvider, CaptchaConfig } from '../../../packages/bunshot-core/src/index.js';
+/**
+ * Verify a CAPTCHA token with the provider's API.
+ * Returns { success: true } on pass, { success: false, error } on fail.
+ */
+export declare function verifyCaptcha(token: string, config: CaptchaConfig, ip?: string): Promise<{
+    success: boolean;
+    score?: number;
+    error?: string;
+}>;