@lastshotlabs/bunshot 0.0.25 → 0.0.28

package/dist/src/framework/routes/jobs.js

@@ -0,0 +1,315 @@
+import { createRoute, withSecurity } from '../lib/createRoute';
+import { z } from 'zod';
+import { createRouter, getBunshotCtx, getRouteAuth } from '../../../packages/bunshot-core/src/index.js';
+const tags = ['Jobs'];
+const ErrorResponse = z.object({ error: z.string() });
+const JobStatusResponse = z
+    .object({
+    id: z.string().describe('Job ID.'),
+    state: z.string().describe('Job state: waiting, active, completed, failed, delayed, paused.'),
+    progress: z.union([z.number(), z.record(z.string(), z.unknown())]).describe('Job progress.'),
+    result: z.unknown().optional().describe('Job result (when completed).'),
+    failedReason: z.string().optional().describe('Failure reason (when failed).'),
+    attemptsMade: z.number().describe('Number of attempts made.'),
+    timestamp: z.number().describe('Unix timestamp (ms) when the job was created.'),
+    finishedOn: z.number().optional().describe('Unix timestamp (ms) when the job finished.'),
+})
+    .openapi('JobStatus');
+export const createJobsRouter = (config, queueFactory) => {
+    const router = createRouter();
+    const allowedQueues = new Set(config.allowedQueues ?? []);
+    const authConfig = config.auth ?? 'none';
+    const scopeToUser = config.scopeToUser ?? false;
+    if (process.env.NODE_ENV === 'production' && authConfig === 'none' && !config.unsafePublic) {
+        throw new Error('[security] jobs.auth is required in production. Set jobs.auth or set unsafePublic: true.');
+    }
+    // Determine if userAuth is involved (for scopeToUser and OpenAPI security schemes)
+    const hasUserAuth = authConfig === 'userAuth' || Array.isArray(authConfig);
+    // Apply middleware based on config
+    if (authConfig === 'userAuth') {
+        router.use('/jobs/*', async (c, next) => getRouteAuth(getBunshotCtx(c)).userAuth(c, next));
+        if (config.roles?.length) {
+            router.use('/jobs/*', async (c, next) => getRouteAuth(getBunshotCtx(c)).requireRole(...config.roles)(c, next));
+        }
+    }
+    else if (Array.isArray(authConfig)) {
+        for (const mw of authConfig) {
+            router.use('/jobs/*', mw);
+        }
+    }
+    // "none" requires no middleware
+    function isQueueAllowed(queueName) {
+        return allowedQueues.has(queueName);
+    }
+    /** Determine OpenAPI security for a route */
+    function applyRouteSecurity(route) {
+        if (authConfig === 'userAuth') {
+            return withSecurity(route, { cookieAuth: [] }, { userToken: [] });
+        }
+        if (Array.isArray(authConfig)) {
+            // Custom middleware — mark as cookieAuth/userToken if it likely includes userAuth
+            return withSecurity(route, { cookieAuth: [] }, { userToken: [] });
+        }
+        return route;
+    }
+    /** Map a BullMQ job to the response shape */
+    async function jobToResponse(job) {
+        const state = await job.getState();
+        return {
+            id: job.id,
+            state,
+            progress: job.progress,
+            result: job.returnvalue,
+            failedReason: job.failedReason ?? undefined,
+            attemptsMade: job.attemptsMade,
+            timestamp: job.timestamp,
+            finishedOn: job.finishedOn ?? undefined,
+        };
+    }
+    // ─── List available queues ──────────────────────────────────────────────
+    const listQueuesRoute = createRoute({
+        method: 'get',
+        path: '/jobs',
+        summary: 'List available queues',
+        description: 'Returns the list of queue names exposed via the API.',
+        tags,
+        responses: {
+            200: {
+                content: {
+                    'application/json': {
+                        schema: z.object({
+                            queues: z.array(z.string()).describe('Available queue names.'),
+                        }),
+                    },
+                },
+                description: 'Available queues.',
+            },
+        },
+    });
+    router.openapi(applyRouteSecurity(listQueuesRoute), async (c) => {
+        return c.json({ queues: [...allowedQueues] }, 200);
+    });
+    // ─── List jobs in a queue ─────────────────────────────────────────────
+    const listJobsRoute = createRoute({
+        method: 'get',
+        path: '/jobs/{queue}',
+        summary: 'List jobs in a queue',
+        description: 'Returns a paginated list of jobs in a queue, optionally filtered by state.',
+        tags,
+        request: {
+            params: z.object({
+                queue: z.string().describe('Queue name.'),
+            }),
+            query: z.object({
+                state: z
+                    .enum(['waiting', 'active', 'completed', 'failed', 'delayed', 'paused'])
+                    .optional()
+                    .describe('Filter by job state.'),
+                start: z.string().optional().describe('Start index. Default: 0.'),
+                end: z.string().optional().describe('End index. Default: 19.'),
+            }),
+        },
+        responses: {
+            200: {
+                content: {
+                    'application/json': {
+                        schema: z.object({
+                            jobs: z.array(JobStatusResponse),
+                            total: z.number().describe('Total jobs matching the filter.'),
+                        }),
+                    },
+                },
+                description: 'Jobs list.',
+            },
+            403: {
+                content: { 'application/json': { schema: ErrorResponse } },
+                description: 'Queue not allowed.',
+            },
+        },
+    });
+    router.openapi(applyRouteSecurity(listJobsRoute), async (c) => {
+        const { queue: queueName } = c.req.valid('param');
+        if (!isQueueAllowed(queueName)) {
+            return c.json({ error: 'Queue not allowed' }, 403);
+        }
+        const { state, start: startStr, end: endStr } = c.req.valid('query');
+        const start = startStr ? parseInt(startStr) : 0;
+        const end = endStr ? parseInt(endStr) : 19;
+        const queue = queueFactory.createQueue(queueName);
+        // Get jobs by state or all jobs
+        const stateFilter = state ?? 'waiting';
+        const jobs = await queue.getJobs([stateFilter], start, end);
+        // Get total count for the filtered state
+        const counts = await queue.getJobCounts(stateFilter);
+        const total = counts[stateFilter] ?? 0;
+        // Optionally filter by userId
+        let filteredJobs = jobs;
+        if (scopeToUser && hasUserAuth) {
+            const userId = c.get('authUserId');
+            filteredJobs = jobs.filter(job => job.data?.userId === userId);
+        }
+        const result = await Promise.all(filteredJobs.map(jobToResponse));
+        // NOTE: When scopeToUser is active, total is a page-local filtered count, not a
+        // globally accurate total. BullMQ does not support server-side user filtering.
+        return c.json({ jobs: result, total: scopeToUser && hasUserAuth ? filteredJobs.length : total }, 200);
+    });
+    // ─── Dead letter queue ────────────────────────────────────────────────
+    // Must be registered BEFORE getJobRoute so that the literal path segment
+    // "dead-letters" is matched before the parameterised {id} segment.
+    const getDlqRoute = createRoute({
+        method: 'get',
+        path: '/jobs/{queue}/dead-letters',
+        summary: 'List dead letter queue jobs',
+        description: 'Returns paginated list of jobs in the dead letter queue for a given source queue.',
+        tags,
+        request: {
+            params: z.object({
+                queue: z.string().describe('Source queue name (DLQ name is {queue}-dlq).'),
+            }),
+            query: z.object({
+                start: z.string().optional().describe('Start index. Default: 0.'),
+                end: z.string().optional().describe('End index. Default: 19.'),
+            }),
+        },
+        responses: {
+            200: {
+                content: {
+                    'application/json': {
+                        schema: z.object({
+                            jobs: z.array(JobStatusResponse),
+                            total: z.number().describe('Total jobs in DLQ.'),
+                        }),
+                    },
+                },
+                description: 'DLQ jobs.',
+            },
+            403: {
+                content: { 'application/json': { schema: ErrorResponse } },
+                description: 'Queue not allowed.',
+            },
+        },
+    });
+    router.openapi(applyRouteSecurity(getDlqRoute), async (c) => {
+        const { queue: queueName } = c.req.valid('param');
+        if (!isQueueAllowed(queueName)) {
+            return c.json({ error: 'Queue not allowed' }, 403);
+        }
+        const { start: startStr, end: endStr } = c.req.valid('query');
+        const start = startStr ? parseInt(startStr) : 0;
+        const end = endStr ? parseInt(endStr) : 19;
+        const dlqQueue = queueFactory.createQueue(`${queueName}-dlq`);
+        const [jobs, total] = await Promise.all([
+            dlqQueue.getWaiting(start, end),
+            dlqQueue.getWaitingCount(),
+        ]);
+        let filteredJobs = jobs;
+        if (scopeToUser && hasUserAuth) {
+            const userId = c.get('authUserId');
+            filteredJobs = jobs.filter(job => job.data?.userId === userId);
+        }
+        const result = await Promise.all(filteredJobs.map(jobToResponse));
+        // NOTE: When scopeToUser is active, total is a page-local filtered count, not a
+        // globally accurate total. BullMQ does not support server-side user filtering.
+        return c.json({ jobs: result, total: scopeToUser && hasUserAuth ? filteredJobs.length : total }, 200);
+    });
+    // ─── Get job status ─────────────────────────────────────────────────────
+    const getJobRoute = createRoute({
+        method: 'get',
+        path: '/jobs/{queue}/{id}',
+        summary: 'Get job status',
+        description: 'Returns the current state, progress, result, or failure reason for a job.',
+        tags,
+        request: {
+            params: z.object({
+                queue: z.string().describe('Queue name.'),
+                id: z.string().describe('Job ID.'),
+            }),
+        },
+        responses: {
+            200: {
+                content: { 'application/json': { schema: JobStatusResponse } },
+                description: 'Job status.',
+            },
+            403: {
+                content: { 'application/json': { schema: ErrorResponse } },
+                description: 'Queue not in allowedQueues.',
+            },
+            404: {
+                content: { 'application/json': { schema: ErrorResponse } },
+                description: 'Job not found.',
+            },
+        },
+    });
+    router.openapi(applyRouteSecurity(getJobRoute), async (c) => {
+        const { queue: queueName, id } = c.req.valid('param');
+        if (!isQueueAllowed(queueName)) {
+            return c.json({ error: 'Queue not allowed' }, 403);
+        }
+        const queue = queueFactory.createQueue(queueName);
+        const job = await queue.getJob(id);
+        if (!job)
+            return c.json({ error: 'Job not found' }, 404);
+        // Scope to user if configured
+        if (scopeToUser && hasUserAuth) {
+            const userId = c.get('authUserId');
+            if (job.data?.userId !== userId) {
+                return c.json({ error: 'Job not found' }, 404);
+            }
+        }
+        return c.json(await jobToResponse(job), 200);
+    });
+    // ─── Get job logs ───────────────────────────────────────────────────────
+    const getJobLogsRoute = createRoute({
+        method: 'get',
+        path: '/jobs/{queue}/{id}/logs',
+        summary: 'Get job logs',
+        description: 'Returns logs for a specific job.',
+        tags,
+        request: {
+            params: z.object({
+                queue: z.string().describe('Queue name.'),
+                id: z.string().describe('Job ID.'),
+            }),
+        },
+        responses: {
+            200: {
+                content: {
+                    'application/json': {
+                        schema: z.object({
+                            logs: z.array(z.string()).describe('Log entries.'),
+                            count: z.number().describe('Total log count.'),
+                        }),
+                    },
+                },
+                description: 'Job logs.',
+            },
+            403: {
+                content: { 'application/json': { schema: ErrorResponse } },
+                description: 'Queue not allowed.',
+            },
+            404: {
+                content: { 'application/json': { schema: ErrorResponse } },
+                description: 'Job not found.',
+            },
+        },
+    });
+    router.openapi(applyRouteSecurity(getJobLogsRoute), async (c) => {
+        const { queue: queueName, id } = c.req.valid('param');
+        if (!isQueueAllowed(queueName)) {
+            return c.json({ error: 'Queue not allowed' }, 403);
+        }
+        const queue = queueFactory.createQueue(queueName);
+        const job = await queue.getJob(id);
+        if (!job)
+            return c.json({ error: 'Job not found' }, 404);
+        if (scopeToUser && hasUserAuth) {
+            const userId = c.get('authUserId');
+            if (job.data?.userId !== userId) {
+                return c.json({ error: 'Job not found' }, 404);
+            }
+        }
+        const { logs, count } = await queue.getJobLogs(id);
+        return c.json({ logs, count }, 200);
+    });
+    return router;
+};

package/dist/src/framework/routes/metrics.d.ts

@@ -0,0 +1,10 @@
+import type { MetricsState } from '../lib/metrics';
+import type { QueueFactory } from '../../lib/queue';
+import type { MiddlewareHandler } from 'hono';
+import type { AppEnv } from '../../../packages/bunshot-core/src/index.js';
+export interface MetricsRouteConfig {
+    auth?: 'userAuth' | 'none' | MiddlewareHandler<AppEnv>[];
+    queues?: string[];
+    unsafePublic?: boolean;
+}
+export declare const createMetricsRouter: (config: MetricsRouteConfig, state: MetricsState, queueFactory?: QueueFactory) => import("@hono/zod-openapi").OpenAPIHono<AppEnv, {}, "/">;

package/dist/src/framework/routes/metrics.js

@@ -0,0 +1,57 @@
+import { registerGaugeCallback, serializeMetrics, setMetricsQueues } from '../lib/metrics';
+import { createRouter, getBunshotCtx, getRouteAuth } from '../../../packages/bunshot-core/src/index.js';
+export const createMetricsRouter = (config, state, queueFactory) => {
+    const router = createRouter();
+    const authConfig = config.auth ?? 'none';
+    if (process.env.NODE_ENV === 'production' && authConfig === 'none' && !config.unsafePublic) {
+        throw new Error('[security] metrics.auth is required in production. Set metrics.auth or set unsafePublic: true.');
+    }
+    // Apply auth middleware
+    if (authConfig === 'userAuth') {
+        router.use('/metrics', async (c, next) => getRouteAuth(getBunshotCtx(c)).userAuth(c, next));
+    }
+    else if (Array.isArray(authConfig)) {
+        for (const mw of authConfig) {
+            router.use('/metrics', mw);
+        }
+    }
+    // Register BullMQ queue depth gauges if configured
+    if (config.queues?.length) {
+        if (!queueFactory) {
+            throw new Error('[queue] Metrics queue gauges require startup-resolved Redis queue configuration.');
+        }
+        const queueNames = config.queues;
+        const cachedQueues = new Map();
+        setMetricsQueues(state, cachedQueues);
+        registerGaugeCallback(state, 'bullmq_queue_depth', async () => {
+            const { createQueue } = await import('../../lib/queue');
+            const results = [];
+            for (const name of queueNames) {
+                let queue = cachedQueues.get(name);
+                try {
+                    if (!queue) {
+                        queue = queueFactory.createQueue(name);
+                        cachedQueues.set(name, queue);
+                    }
+                    const counts = await queue.getJobCounts('waiting', 'active', 'delayed', 'failed');
+                    for (const [state, count] of Object.entries(counts)) {
+                        results.push({ labels: { queue: name, state }, value: count });
+                    }
+                }
+                catch {
+                    // Discard cached instance on error so it's recreated next scrape
+                    cachedQueues.delete(name);
+                }
+            }
+            return results;
+        });
+    }
+    // Plain GET /metrics (not OpenAPI — infrastructure endpoint)
+    router.get('/metrics', async (c) => {
+        const body = await serializeMetrics(state);
+        return c.body(body, 200, {
+            'Content-Type': 'text/plain; version=0.0.4; charset=utf-8',
+        });
+    });
+    return router;
+};

package/dist/src/framework/routes/uploads.d.ts

@@ -0,0 +1,14 @@
+import type { PresignedUrlConfig } from '../../app';
+interface UploadsRouterConfig extends PresignedUrlConfig {
+    authorization?: {
+        authorize?: (input: {
+            action: 'read' | 'delete';
+            key: string;
+            userId?: string;
+            tenantId?: string;
+        }) => boolean | Promise<boolean>;
+    };
+    allowExternalKeys?: boolean;
+}
+export declare const createUploadsRouter: (config: UploadsRouterConfig) => import("@hono/zod-openapi").OpenAPIHono<import("../../../packages/bunshot-core/src/index.js").AppEnv, {}, "/">;
+export {};

package/dist/src/framework/routes/uploads.js

@@ -0,0 +1,262 @@
+import { createRoute } from '../lib/createRoute';
+import { generateUploadKeyFromFilename, getStorageAdapter } from '../lib/upload';
+import { deleteUploadRecord, getUploadRecord, registerUpload } from '../lib/uploadRegistry';
+import { createPresignedUrl } from '../../lib/signing';
+import { z } from 'zod';
+import { createRouter, getBunshotCtx, getRouteAuth } from '../../../packages/bunshot-core/src/index.js';
+const tags = ['Uploads'];
+async function checkUploadAccess(action, key, userId, tenantId, config, app) {
+    const record = await getUploadRecord(key, app);
+    const authorize = config.authorization?.authorize;
+    const allowExternalKeys = config.allowExternalKeys ?? false;
+    if (record) {
+        // If the registry record has a tenantId, the requester must match — period.
+        if (record.tenantId && record.tenantId !== tenantId) {
+            return { allowed: false, notFound: false };
+        }
+        // Owner match → allow
+        if (record.ownerUserId && record.ownerUserId === userId) {
+            return { allowed: true, notFound: false };
+        }
+        // No owner or owner mismatch → try callback
+        if (authorize) {
+            const ok = await authorize({
+                action,
+                key,
+                userId: userId ?? undefined,
+                tenantId: tenantId ?? undefined,
+            });
+            return { allowed: ok, notFound: false };
+        }
+        return { allowed: false, notFound: false };
+    }
+    // Record not in registry
+    if (allowExternalKeys) {
+        if (authorize) {
+            const ok = await authorize({
+                action,
+                key,
+                userId: userId ?? undefined,
+                tenantId: tenantId ?? undefined,
+            });
+            return { allowed: ok, notFound: false };
+        }
+        return { allowed: false, notFound: false };
+    }
+    return { allowed: false, notFound: true };
+}
+export const createUploadsRouter = (config) => {
+    const router = createRouter();
+    const basePath = (config.path ?? '/uploads').replace(/\/$/, '');
+    router.use(`${basePath}/*`, async (c, next) => getRouteAuth(getBunshotCtx(c)).userAuth(c, next));
+    const BLOCKED_MIME_TYPES = new Set([
+        'application/x-executable',
+        'application/x-sh',
+        'application/x-msdownload',
+        'text/html',
+        'application/x-httpd-php',
+        'application/javascript',
+        'text/javascript',
+    ]);
+    const presignRoute = createRoute({
+        method: 'post',
+        path: `${basePath}/presign`,
+        tags,
+        summary: 'Generate presigned upload URL',
+        request: {
+            body: {
+                content: {
+                    'application/json': {
+                        schema: z.object({
+                            filename: z
+                                .string()
+                                .optional()
+                                .describe('Original filename (used to derive the storage key extension)'),
+                            mimeType: z.string().optional().describe('MIME type of the file'),
+                            expirySeconds: z
+                                .number()
+                                .int()
+                                .positive()
+                                .optional()
+                                .describe('URL expiry in seconds'),
+                            maxBytes: z
+                                .number()
+                                .int()
+                                .positive()
+                                .max(100 * 1024 * 1024)
+                                .optional()
+                                .describe('Maximum allowed file size in bytes (client-enforced via Content-Length header). Defaults to 10MB. Maximum: 100MB.'),
+                        }),
+                    },
+                },
+            },
+        },
+        responses: {
+            200: {
+                description: 'Presigned URL generated',
+                content: {
+                    'application/json': {
+                        schema: z.object({ url: z.string(), key: z.string(), maxBytes: z.number().optional() }),
+                    },
+                },
+            },
+            400: {
+                description: 'File type not allowed',
+                content: { 'application/json': { schema: z.object({ error: z.string() }) } },
+            },
+            501: {
+                description: 'Not implemented by adapter',
+                content: { 'application/json': { schema: z.object({ error: z.string() }) } },
+            },
+        },
+    });
+    router.openapi(presignRoute, async (c) => {
+        const bunshotCtx = c.get('bunshotCtx');
+        const adapter = getStorageAdapter(bunshotCtx);
+        if (!adapter?.presignPut) {
+            return c.json({ error: 'Presigned URLs not supported by the configured storage adapter' }, 501);
+        }
+        const { filename, mimeType, expirySeconds, maxBytes } = c.req.valid('json');
+        if (mimeType && BLOCKED_MIME_TYPES.has(mimeType)) {
+            return c.json({ error: 'File type not allowed.' }, 400);
+        }
+        const app = bunshotCtx.app;
+        const userId = c.get('authUserId') ?? undefined;
+        const tenantId = c.get('tenantId') ?? undefined;
+        // Server-generates the key — client cannot control the storage path
+        const key = generateUploadKeyFromFilename(filename, { userId, tenantId }, undefined, bunshotCtx);
+        const expiry = expirySeconds ?? (typeof config.expirySeconds === 'number' ? config.expirySeconds : 3600);
+        const url = await adapter.presignPut(key, { expirySeconds: expiry, mimeType });
+        // Register the upload for ownership tracking
+        await registerUpload({
+            key,
+            ownerUserId: userId,
+            tenantId,
+            mimeType,
+            bucket: c.get('uploadBucket') ?? undefined,
+            createdAt: Date.now(),
+        }, app);
+        return c.json({ url, key, ...(maxBytes !== undefined ? { maxBytes } : {}) }, 200);
+    });
+    const presignGetRoute = createRoute({
+        method: 'get',
+        path: `${basePath}/presign/:key{.+}`,
+        tags,
+        summary: 'Generate presigned download URL',
+        request: {
+            params: z.object({ key: z.string() }),
+            query: z.object({
+                expiry: z.string().optional().describe('URL expiry in seconds (default: 3600)'),
+            }),
+        },
+        responses: {
+            200: {
+                description: 'Presigned download URL',
+                content: {
+                    'application/json': {
+                        schema: z.object({
+                            url: z.string(),
+                            expiresAt: z.number().describe('Unix timestamp (seconds) when the URL expires'),
+                        }),
+                    },
+                },
+            },
+            403: {
+                description: 'Forbidden — not the owner or unauthorized',
+                content: { 'application/json': { schema: z.object({ error: z.string() }) } },
+            },
+            404: {
+                description: 'Key not found in upload registry',
+                content: { 'application/json': { schema: z.object({ error: z.string() }) } },
+            },
+            501: {
+                description: 'Not implemented',
+                content: { 'application/json': { schema: z.object({ error: z.string() }) } },
+            },
+        },
+    });
+    router.openapi(presignGetRoute, async (c) => {
+        const { key } = c.req.valid('param');
+        const { expiry: expiryStr } = c.req.valid('query');
+        const userId = c.get('authUserId');
+        const tenantId = c.get('tenantId');
+        const app = c.get('bunshotCtx').app;
+        const { allowed, notFound } = await checkUploadAccess('read', key, userId, tenantId, config, app);
+        if (notFound)
+            return c.json({ error: 'Not found' }, 404);
+        if (!allowed)
+            return c.json({ error: 'Forbidden' }, 403);
+        const expirySeconds = expiryStr
+            ? parseInt(expiryStr, 10)
+            : typeof config.expirySeconds === 'number'
+                ? config.expirySeconds
+                : 3600;
+        const signingCfg = c.get('bunshotCtx').signing;
+        if (signingCfg?.presignedUrls) {
+            const secret = signingCfg.secret ?? null;
+            if (!secret)
+                return c.json({ error: 'Signing secret not configured' }, 501);
+            const defaultExpiry = typeof signingCfg.presignedUrls === 'object'
+                ? (signingCfg.presignedUrls.defaultExpiry ?? expirySeconds)
+                : expirySeconds;
+            const base = new URL(c.req.url);
+            base.pathname = `${basePath}/download/${key}`;
+            base.search = '';
+            const url = createPresignedUrl(base.toString(), key, { method: 'GET', expiry: defaultExpiry }, secret);
+            const expiresAt = Math.floor(Date.now() / 1000) + defaultExpiry;
+            return c.json({ url, expiresAt }, 200);
+        }
+        // Fallback: adapter.presignGet (S3 only)
+        const adapter = getStorageAdapter(c.get('bunshotCtx'));
+        if (!adapter?.presignGet) {
+            return c.json({
+                error: 'Presigned download URLs not supported. Enable signing.presignedUrls or use an S3 adapter.',
+            }, 501);
+        }
+        const url = await adapter.presignGet(key, { expirySeconds });
+        const expiresAt = Math.floor(Date.now() / 1000) + expirySeconds;
+        return c.json({ url, expiresAt }, 200);
+    });
+    const deleteRoute = createRoute({
+        method: 'delete',
+        path: `${basePath}/:key{.+}`,
+        tags,
+        summary: 'Delete an uploaded file',
+        request: {
+            params: z.object({ key: z.string() }),
+        },
+        responses: {
+            204: { description: 'Deleted' },
+            403: {
+                description: 'Forbidden — not the owner or unauthorized',
+                content: { 'application/json': { schema: z.object({ error: z.string() }) } },
+            },
+            404: {
+                description: 'Key not found in upload registry',
+                content: { 'application/json': { schema: z.object({ error: z.string() }) } },
+            },
+            500: {
+                description: 'No storage adapter configured',
+                content: { 'application/json': { schema: z.object({ error: z.string() }) } },
+            },
+        },
+    });
+    router.openapi(deleteRoute, async (c) => {
+        const adapter = getStorageAdapter(c.get('bunshotCtx'));
+        if (!adapter)
+            return c.json({ error: 'No storage adapter configured' }, 500);
+        const { key } = c.req.valid('param');
+        const userId = c.get('authUserId');
+        const tenantId = c.get('tenantId');
+        const app = c.get('bunshotCtx').app;
+        const { allowed, notFound } = await checkUploadAccess('delete', key, userId, tenantId, config, app);
+        if (notFound)
+            return c.json({ error: 'Not found' }, 404);
+        if (!allowed)
+            return c.json({ error: 'Forbidden' }, 403);
+        await adapter.delete(key);
+        await deleteUploadRecord(key, app);
+        return c.body(null, 204);
+    });
+    return router;
+};