@lastshotlabs/bunshot 0.0.25 → 0.0.28

package/dist/index.d.ts

@@ -1,98 +0,0 @@
-export { createApp } from "./app";
-export { createServer } from "./server";
-export type { CreateAppConfig, ModelSchemasConfig, DbConfig, AppMeta, AuthConfig, AuthRateLimitConfig, AccountDeletionConfig, OAuthConfig, SecurityConfig, CsrfConfig, BotProtectionConfig, PrimaryField, EmailVerificationConfig, PasswordResetConfig, RefreshTokenConfig, MfaConfig, MfaEmailOtpConfig, MfaWebAuthnConfig, JobsConfig, TenancyConfig, TenantConfig, LoggingConfig, MetricsConfig, ValidationConfig, VersioningConfig, SigningConfig } from "./app";
-export type { PasswordPolicyConfig } from "./lib/appConfig";
-export type { CreateServerConfig, WsConfig } from "./server";
-export { appConnection, authConnection, mongoose, connectMongo, connectAuthMongo, connectAppMongo, disconnectMongo } from "./lib/mongo";
-export { connectRedis, disconnectRedis, getRedis } from "./lib/redis";
-export { getAppRoles } from "./lib/appConfig";
-export { HttpError, ValidationError } from "./lib/HttpError";
-export { COOKIE_TOKEN, HEADER_USER_TOKEN, COOKIE_REFRESH_TOKEN, HEADER_REFRESH_TOKEN, COOKIE_CSRF_TOKEN, HEADER_CSRF_TOKEN, HEADER_REQUEST_ID, HEADER_IDEMPOTENCY_KEY, HEADER_SIGNATURE, HEADER_TIMESTAMP } from "./lib/constants";
-export { createRouter } from "./lib/context";
-export { createRoute, withSecurity, registerSchema, registerSchemas, setVersionPrefix, clearVersionPrefix } from "./lib/createRoute";
-export { stripUnreferencedSchemas } from "./lib/stripUnreferencedSchemas";
-export { zodToMongoose } from "./lib/zodToMongoose";
-export type { ZodToMongooseConfig, ZodToMongooseRefConfig } from "./lib/zodToMongoose";
-export { createDtoMapper } from "./lib/createDtoMapper";
-export type { DtoMapperConfig } from "./lib/createDtoMapper";
-export type { AppEnv, AppVariables, ValidationErrorFormatter, DefaultValidationErrorBody, ValidationErrorDetail } from "./lib/context";
-export { defaultValidationErrorFormatter } from "./lib/context";
-export { signToken, verifyToken } from "./lib/jwt";
-export { log } from "./lib/logger";
-export { createResetToken, consumeResetToken, setPasswordResetStore } from "./lib/resetPassword";
-export { createDeletionCancelToken, consumeDeletionCancelToken, setDeletionCancelTokenStore } from "./lib/deletionCancelToken";
-export { timingSafeEqual, sha256 } from "./lib/crypto";
-export { hmacSign, hmacVerify, signCookieValue, verifyCookieValue, signCursor, verifyCursor, createPresignedUrl, verifyPresignedUrl } from "./lib/signing";
-export { idempotent, setIdempotencyStore, clearIdempotencyMemoryStore } from "./lib/idempotency";
-export type { IdempotencyOptions } from "./lib/idempotency";
-export { getClientIp, setTrustProxy } from "./lib/clientIp";
-export { storeOAuthCode, consumeOAuthCode, setOAuthCodeStore } from "./lib/oauthCode";
-export type { OAuthCodePayload } from "./lib/oauthCode";
-export { createSession, getSession, deleteSession, getUserSessions, getActiveSessionCount, evictOldestSession, updateSessionLastActive, setSessionStore, deleteUserSessions, setRefreshToken, getSessionByRefreshToken, rotateRefreshToken, getSessionFingerprint, setSessionFingerprint } from "./lib/session";
-export type { SessionMetadata, SessionInfo, RefreshResult } from "./lib/session";
-export { createVerificationToken, getVerificationToken, deleteVerificationToken } from "./lib/emailVerification";
-export { createMfaChallenge, consumeMfaChallenge, replaceMfaChallengeOtp, setMfaChallengeStore, createWebAuthnRegistrationChallenge, consumeWebAuthnRegistrationChallenge, clearMemoryMfaChallenges } from "./lib/mfaChallenge";
-export type { MfaChallengeData, MfaChallengeOptions, MfaChallengePurpose } from "./lib/mfaChallenge";
-export { bustAuthLimit, trackAttempt, isLimited, clearMemoryRateLimitStore } from "./lib/authRateLimit";
-export type { LimitOpts } from "./lib/authRateLimit";
-export { validate } from "./lib/validate";
-export { bearerAuth } from "./middleware/bearerAuth";
-export { botProtection } from "./middleware/botProtection";
-export type { BotProtectionOptions } from "./middleware/botProtection";
-export { identify } from "./middleware/identify";
-export { rateLimit } from "./middleware/rateLimit";
-export type { RateLimitOptions } from "./middleware/rateLimit";
-export { userAuth } from "./middleware/userAuth";
-export { requireRole } from "./middleware/requireRole";
-export { requireVerifiedEmail } from "./middleware/requireVerifiedEmail";
-export { requireMfaSetup } from "./middleware/requireMfaSetup";
-export { csrfProtection, refreshCsrfToken, clearCsrfToken } from "./middleware/csrf";
-export type { CsrfMiddlewareOptions } from "./middleware/csrf";
-export { cacheResponse, bustCache, bustCachePattern, setCacheStore, getCacheModel } from "./middleware/cacheResponse";
-export { webhookAuth } from "./middleware/webhookAuth";
-export type { WebhookAuthOptions, WebhookTimestampOptions } from "./middleware/webhookAuth";
-export { requireSignedRequest } from "./middleware/requestSigning";
-export type { RequestSigningOptions } from "./middleware/requestSigning";
-export { auditLog } from "./middleware/auditLog";
-export type { AuditLogMiddlewareOptions } from "./middleware/auditLog";
-export { requestId } from "./middleware/requestId";
-export { requestLogger } from "./middleware/requestLogger";
-export type { RequestLogEntry, RequestLoggerOptions, LogLevel } from "./middleware/requestLogger";
-export { metricsCollector } from "./middleware/metrics";
-export type { MetricsMiddlewareOptions } from "./middleware/metrics";
-export { buildFingerprint } from "./lib/fingerprint";
-export { logAuditEntry, getAuditLogs, clearAuditLogMemoryStore } from "./lib/auditLog";
-export { resetMetrics, incrementCounter, observeHistogram, registerGaugeCallback, serializeMetrics, closeMetricsQueues } from "./lib/metrics";
-export type { AuditLogEntry, AuditLogOptions, AuditLogQuery } from "./lib/auditLog";
-export { sqliteAuthAdapter, setSqliteDb, startSqliteCleanup } from "./adapters/sqliteAuth";
-export { memoryAuthAdapter, clearMemoryStore } from "./adapters/memoryAuth";
-export { setUserRoles, addUserRole, removeUserRole, getTenantRoles, setTenantRoles, addTenantRole, removeTenantRole } from "./lib/roles";
-export type { AuthAdapter, OAuthProfile, WebAuthnCredential } from "./lib/authAdapter";
-export type { OAuthProviderConfig } from "./lib/oauth";
-export { websocket, createWsUpgradeHandler } from "./ws/index";
-export type { SocketData } from "./ws/index";
-export { publish, subscribe, unsubscribe, getSubscriptions, handleRoomActions, getRooms, getRoomSubscribers, setPresenceEnabled } from "./lib/ws";
-export { registerSocket, deregisterSocket, handlePong, startHeartbeat, stopHeartbeat, clearHeartbeatState } from "./lib/wsHeartbeat";
-export type { HeartbeatConfig } from "./lib/wsHeartbeat";
-export { trackSocket, untrackSocket, addPresence, removePresence, cleanupPresence, getRoomPresence, getUserPresence, clearPresenceStore } from "./lib/wsPresence";
-export { persistMessage, getMessageHistory, configureRoom, setWsMessageStore, setWsMessageDefaults, clearWsMessageMemoryStore } from "./lib/wsMessages";
-export type { StoredMessage, WsMessageStore, WsMessageDefaults, RoomPersistenceConfig } from "./lib/wsMessages";
-export { createTenant, deleteTenant, getTenant, listTenants } from "./lib/tenant";
-export type { TenantInfo, CreateTenantOptions } from "./lib/tenant";
-export { invalidateTenantCache } from "./middleware/tenant";
-export { createGroup, deleteGroup, getGroup, listGroups, updateGroup, addGroupMember, updateGroupMembership, removeGroupMember, getGroupMembers, getUserGroups, getEffectiveRoles, } from "./lib/groups";
-export type { GroupRecord, GroupMembershipRecord, PaginationOpts, PaginatedResult } from "./lib/groups";
-export type { GroupsConfig, GroupsManagementConfig } from "./routes/groups";
-export { offsetParams, parseOffsetParams, paginatedResponse, cursorParams, parseCursorParams, cursorResponse, maybeSignCursor, } from "./lib/pagination";
-export type { OffsetParamDefaults, ParsedOffsetParams, CursorParamDefaults, ParsedCursorParams, CursorResult, } from "./lib/pagination";
-export { handleUpload } from "./middleware/upload";
-export type { UploadMiddlewareOptions } from "./middleware/upload";
-export { parseUpload, setStorageAdapter, getStorageAdapter, setUploadConfig, getUploadConfig } from "./lib/upload";
-export type { UploadOpts } from "./lib/upload";
-export type { StorageAdapter, UploadResult } from "./lib/storageAdapter";
-export type { UploadConfig, PresignedUrlConfig } from "./app";
-export { memoryStorage, clearMemoryUploadStore } from "./adapters/memoryStorage";
-export { localStorage } from "./adapters/localStorage";
-export type { LocalStorageConfig } from "./adapters/localStorage";
-export { s3Storage } from "./adapters/s3Storage";
-export type { S3StorageConfig } from "./adapters/s3Storage";

package/dist/index.js

@@ -1,77 +0,0 @@
-// App factory
-export { createApp } from "./app";
-export { createServer } from "./server";
-// Database
-export { appConnection, authConnection, mongoose, connectMongo, connectAuthMongo, connectAppMongo, disconnectMongo } from "./lib/mongo";
-export { connectRedis, disconnectRedis, getRedis } from "./lib/redis";
-// Lib utilities
-export { getAppRoles } from "./lib/appConfig";
-export { HttpError, ValidationError } from "./lib/HttpError";
-export { COOKIE_TOKEN, HEADER_USER_TOKEN, COOKIE_REFRESH_TOKEN, HEADER_REFRESH_TOKEN, COOKIE_CSRF_TOKEN, HEADER_CSRF_TOKEN, HEADER_REQUEST_ID, HEADER_IDEMPOTENCY_KEY, HEADER_SIGNATURE, HEADER_TIMESTAMP } from "./lib/constants";
-export { createRouter } from "./lib/context";
-export { createRoute, withSecurity, registerSchema, registerSchemas, setVersionPrefix, clearVersionPrefix } from "./lib/createRoute";
-export { stripUnreferencedSchemas } from "./lib/stripUnreferencedSchemas";
-export { zodToMongoose } from "./lib/zodToMongoose";
-export { createDtoMapper } from "./lib/createDtoMapper";
-export { defaultValidationErrorFormatter } from "./lib/context";
-export { signToken, verifyToken } from "./lib/jwt";
-export { log } from "./lib/logger";
-export { createResetToken, consumeResetToken, setPasswordResetStore } from "./lib/resetPassword";
-export { createDeletionCancelToken, consumeDeletionCancelToken, setDeletionCancelTokenStore } from "./lib/deletionCancelToken";
-export { timingSafeEqual, sha256 } from "./lib/crypto";
-export { hmacSign, hmacVerify, signCookieValue, verifyCookieValue, signCursor, verifyCursor, createPresignedUrl, verifyPresignedUrl } from "./lib/signing";
-export { idempotent, setIdempotencyStore, clearIdempotencyMemoryStore } from "./lib/idempotency";
-export { getClientIp, setTrustProxy } from "./lib/clientIp";
-export { storeOAuthCode, consumeOAuthCode, setOAuthCodeStore } from "./lib/oauthCode";
-export { createSession, getSession, deleteSession, getUserSessions, getActiveSessionCount, evictOldestSession, updateSessionLastActive, setSessionStore, deleteUserSessions, setRefreshToken, getSessionByRefreshToken, rotateRefreshToken, getSessionFingerprint, setSessionFingerprint } from "./lib/session";
-export { createVerificationToken, getVerificationToken, deleteVerificationToken } from "./lib/emailVerification";
-export { createMfaChallenge, consumeMfaChallenge, replaceMfaChallengeOtp, setMfaChallengeStore, createWebAuthnRegistrationChallenge, consumeWebAuthnRegistrationChallenge, clearMemoryMfaChallenges } from "./lib/mfaChallenge";
-export { bustAuthLimit, trackAttempt, isLimited, clearMemoryRateLimitStore } from "./lib/authRateLimit";
-export { validate } from "./lib/validate";
-// Middleware
-export { bearerAuth } from "./middleware/bearerAuth";
-export { botProtection } from "./middleware/botProtection";
-export { identify } from "./middleware/identify";
-export { rateLimit } from "./middleware/rateLimit";
-export { userAuth } from "./middleware/userAuth";
-export { requireRole } from "./middleware/requireRole";
-export { requireVerifiedEmail } from "./middleware/requireVerifiedEmail";
-export { requireMfaSetup } from "./middleware/requireMfaSetup";
-export { csrfProtection, refreshCsrfToken, clearCsrfToken } from "./middleware/csrf";
-export { cacheResponse, bustCache, bustCachePattern, setCacheStore, getCacheModel } from "./middleware/cacheResponse";
-export { webhookAuth } from "./middleware/webhookAuth";
-export { requireSignedRequest } from "./middleware/requestSigning";
-export { auditLog } from "./middleware/auditLog";
-export { requestId } from "./middleware/requestId";
-export { requestLogger } from "./middleware/requestLogger";
-export { metricsCollector } from "./middleware/metrics";
-// Lib utilities (bot protection)
-export { buildFingerprint } from "./lib/fingerprint";
-export { logAuditEntry, getAuditLogs, clearAuditLogMemoryStore } from "./lib/auditLog";
-export { resetMetrics, incrementCounter, observeHistogram, registerGaugeCallback, serializeMetrics, closeMetricsQueues } from "./lib/metrics";
-// Models
-export { sqliteAuthAdapter, setSqliteDb, startSqliteCleanup } from "./adapters/sqliteAuth";
-export { memoryAuthAdapter, clearMemoryStore } from "./adapters/memoryAuth";
-export { setUserRoles, addUserRole, removeUserRole, getTenantRoles, setTenantRoles, addTenantRole, removeTenantRole } from "./lib/roles";
-// WebSocket
-export { websocket, createWsUpgradeHandler } from "./ws/index";
-export { publish, subscribe, unsubscribe, getSubscriptions, handleRoomActions, getRooms, getRoomSubscribers, setPresenceEnabled } from "./lib/ws";
-// WebSocket — Heartbeat
-export { registerSocket, deregisterSocket, handlePong, startHeartbeat, stopHeartbeat, clearHeartbeatState } from "./lib/wsHeartbeat";
-// WebSocket — Presence
-export { trackSocket, untrackSocket, addPresence, removePresence, cleanupPresence, getRoomPresence, getUserPresence, clearPresenceStore } from "./lib/wsPresence";
-// WebSocket — Message Persistence
-export { persistMessage, getMessageHistory, configureRoom, setWsMessageStore, setWsMessageDefaults, clearWsMessageMemoryStore } from "./lib/wsMessages";
-// Tenancy
-export { createTenant, deleteTenant, getTenant, listTenants } from "./lib/tenant";
-export { invalidateTenantCache } from "./middleware/tenant";
-// Groups
-export { createGroup, deleteGroup, getGroup, listGroups, updateGroup, addGroupMember, updateGroupMembership, removeGroupMember, getGroupMembers, getUserGroups, getEffectiveRoles, } from "./lib/groups";
-// Pagination helpers
-export { offsetParams, parseOffsetParams, paginatedResponse, cursorParams, parseCursorParams, cursorResponse, maybeSignCursor, } from "./lib/pagination";
-// Upload
-export { handleUpload } from "./middleware/upload";
-export { parseUpload, setStorageAdapter, getStorageAdapter, setUploadConfig, getUploadConfig } from "./lib/upload";
-export { memoryStorage, clearMemoryUploadStore } from "./adapters/memoryStorage";
-export { localStorage } from "./adapters/localStorage";
-export { s3Storage } from "./adapters/s3Storage";

package/dist/lib/HttpError.d.ts

@@ -1,9 +0,0 @@
-export declare class HttpError extends Error {
-    status: number;
-    constructor(status: number, message: string);
-}
-import type { ZodIssue } from "zod";
-export declare class ValidationError extends HttpError {
-    readonly issues: ZodIssue[];
-    constructor(issues: ZodIssue[]);
-}

package/dist/lib/HttpError.js

@@ -1,14 +0,0 @@
-export class HttpError extends Error {
-    status;
-    constructor(status, message) {
-        super(message);
-        this.status = status;
-    }
-}
-export class ValidationError extends HttpError {
-    issues;
-    constructor(issues) {
-        super(400, "Validation failed");
-        this.issues = issues;
-    }
-}

package/dist/lib/appConfig.d.ts

@@ -1,162 +0,0 @@
-export type PrimaryField = "email" | "username" | "phone";
-export interface EmailVerificationConfig {
-    /** Block login until email is verified. Defaults to false (soft gate — emailVerified returned in login response). */
-    required?: boolean;
-    /** Token time-to-live in seconds. Defaults to 86 400 (24 hours). */
-    tokenExpiry?: number;
-    /** Called after registration with the identifier and verification token. Use to send the email. */
-    onSend: (email: string, token: string) => Promise<void>;
-}
-export interface PasswordResetConfig {
-    /** Token time-to-live in seconds. Defaults to 3 600 (1 hour). */
-    tokenExpiry?: number;
-    /** Called with the user's email and the reset token. Use to send the reset email. */
-    onSend: (email: string, token: string) => Promise<void>;
-}
-export interface PasswordPolicyConfig {
-    /** Minimum password length. Defaults to 8. */
-    minLength?: number;
-    /** Require at least one letter (a–z or A–Z). Defaults to true. */
-    requireLetter?: boolean;
-    /** Require at least one digit (0–9). Defaults to true. */
-    requireDigit?: boolean;
-    /** Require at least one special character. Defaults to false. */
-    requireSpecial?: boolean;
-}
-export declare const setAppName: (name: string) => void;
-export declare const getAppName: () => string;
-export declare const setAppRoles: (roles: string[]) => void;
-export declare const getAppRoles: () => string[];
-export declare const setDefaultRole: (role: string | null) => void;
-export declare const getDefaultRole: () => string | null;
-export declare const setPrimaryField: (field: PrimaryField) => void;
-export declare const getPrimaryField: () => PrimaryField;
-export declare const setEmailVerificationConfig: (config: EmailVerificationConfig | null) => void;
-export declare const getEmailVerificationConfig: () => EmailVerificationConfig | null;
-export declare const getTokenExpiry: () => number;
-export declare const setPasswordResetConfig: (config: PasswordResetConfig | null) => void;
-export declare const getPasswordResetConfig: () => PasswordResetConfig | null;
-export declare const setPasswordPolicy: (config: PasswordPolicyConfig) => void;
-export declare const getPasswordPolicy: () => PasswordPolicyConfig;
-export declare const getResetTokenExpiry: () => number;
-export declare const setMaxSessions: (n: number) => void;
-export declare const getMaxSessions: () => number;
-export declare const setPersistSessionMetadata: (v: boolean) => void;
-export declare const getPersistSessionMetadata: () => boolean;
-export declare const setIncludeInactiveSessions: (v: boolean) => void;
-export declare const getIncludeInactiveSessions: () => boolean;
-export declare const setTrackLastActive: (v: boolean) => void;
-export declare const getTrackLastActive: () => boolean;
-export interface RefreshTokenConfig {
-    /** Access token expiry in seconds. Default: 900 (15 min). */
-    accessTokenExpiry?: number;
-    /** Refresh token expiry in seconds. Default: 2_592_000 (30 days). */
-    refreshTokenExpiry?: number;
-    /** Grace window in seconds where the old refresh token still works after rotation.
-     *  Prevents lockout when the client's network drops mid-refresh. Default: 30. */
-    rotationGraceSeconds?: number;
-}
-export declare const setRefreshTokenConfig: (config: RefreshTokenConfig | null) => void;
-export declare const getRefreshTokenConfig: () => RefreshTokenConfig | null;
-export declare const getAccessTokenExpiry: () => number;
-export declare const getRefreshTokenExpiry: () => number;
-export declare const getRotationGraceSeconds: () => number;
-export interface MfaEmailOtpConfig {
-    /** Called with the user's email and the OTP code. Use to send the email. */
-    onSend: (email: string, code: string) => Promise<void>;
-    /** OTP code length. Default: 6. */
-    codeLength?: number;
-}
-export interface MfaWebAuthnConfig {
-    /** Relying Party ID — typically the domain (e.g. "example.com"). Required. */
-    rpId: string;
-    /** Relying Party name shown in browser prompts. Defaults to app name. */
-    rpName?: string;
-    /** Expected origin(s) — full origin URL(s) like "https://example.com". Required. */
-    origin: string | string[];
-    /** Supported attestation conveyance preference. Default: "none". */
-    attestationType?: "none" | "direct" | "enterprise";
-    /** Authenticator attachment preference. Default: undefined (allows both platform + cross-platform). */
-    authenticatorAttachment?: "platform" | "cross-platform";
-    /** User verification requirement. Default: "preferred". */
-    userVerification?: "required" | "preferred" | "discouraged";
-    /** Timeout for ceremonies in milliseconds. Default: 60000 (60s). */
-    timeout?: number;
-    /** Reject authentication when sign count goes backward (cloned key detection). Default: false (accept + warn). */
-    strictSignCount?: boolean;
-}
-export interface MfaConfig {
-    /** Issuer name shown in authenticator apps. Defaults to app name. */
-    issuer?: string;
-    /** TOTP algorithm. Default: "SHA1" (most compatible). */
-    algorithm?: "SHA1" | "SHA256" | "SHA512";
-    /** TOTP digits. Default: 6. */
-    digits?: number;
-    /** TOTP period in seconds. Default: 30. */
-    period?: number;
-    /** Number of recovery codes to generate. Default: 10. */
-    recoveryCodes?: number;
-    /** MFA challenge window in seconds. Default: 300 (5 min). */
-    challengeTtlSeconds?: number;
-    /** Email OTP configuration. When set, enables email-based MFA as an option. */
-    emailOtp?: MfaEmailOtpConfig;
-    /** WebAuthn/FIDO2 configuration. When set, enables security key MFA routes. */
-    webauthn?: MfaWebAuthnConfig;
-    /** When true, authenticated users must complete MFA setup before accessing non-auth endpoints. Default: false. */
-    required?: boolean;
-}
-export declare const setMfaConfig: (config: MfaConfig | null) => void;
-export declare const getMfaConfig: () => MfaConfig | null;
-export declare const getMfaIssuer: () => string;
-export declare const getMfaAlgorithm: () => string;
-export declare const getMfaDigits: () => number;
-export declare const getMfaPeriod: () => number;
-export declare const getMfaRecoveryCodeCount: () => number;
-export declare const getMfaChallengeTtl: () => number;
-export declare const getMfaEmailOtpConfig: () => MfaEmailOtpConfig | null;
-export declare const getMfaEmailOtpCodeLength: () => number;
-export declare const getMfaWebAuthnConfig: () => MfaWebAuthnConfig | null;
-export declare const getMfaRequired: () => boolean;
-export declare const setCsrfEnabled: (v: boolean) => void;
-export declare const getCsrfEnabled: () => boolean;
-export interface SigningConfig {
-    /**
-     * HMAC secret. Defaults to JWT_SECRET_DEV/JWT_SECRET_PROD env var if omitted.
-     * Pass string[] to support key rotation — first element signs, all elements verify.
-     */
-    secret?: string | string[];
-    /** Sign/verify cookie values set via exported helpers. Default: false. */
-    cookies?: boolean;
-    /** Sign pagination cursor tokens to prevent client tampering. Default: false. */
-    cursors?: boolean;
-    /** HMAC-based stateless presigned URLs (no DB lookup). Default: false. */
-    presignedUrls?: boolean | {
-        defaultExpiry?: number;
-    };
-    /** Require clients to HMAC-sign requests (method+path+timestamp+body). Default: false. */
-    requestSigning?: boolean | {
-        tolerance?: number;
-        header?: string;
-        timestampHeader?: string;
-    };
-    /** Hash idempotency keys before storage. Default: false. */
-    idempotencyKeys?: boolean;
-    /** Bind sessions to client IP+UA fingerprint. Default: false. */
-    sessionBinding?: boolean | {
-        fields?: Array<"ip" | "ua" | "accept-language">;
-        /**
-         * What to do when fingerprint doesn't match.
-         * - "unauthenticate": treat as logged-out (default — graceful but masks attacks)
-         * - "reject": return 401 (strict — recommended for security-conscious apps)
-         * - "log-only": allow through but log the mismatch (useful during rollout)
-         */
-        onMismatch?: "unauthenticate" | "reject" | "log-only";
-    };
-}
-export declare const setSigningConfig: (config: SigningConfig | null) => void;
-export declare const getSigningConfig: () => SigningConfig | null;
-/**
- * Returns the active signing secret: signing.secret → JWT_SECRET_PROD/DEV env var.
- * Returns null when neither is configured — callers must handle this gracefully.
- */
-export declare const getSigningSecret: () => string | string[] | null;

package/dist/lib/appConfig.js

@@ -1,83 +0,0 @@
-let appName = "Core API";
-let appRoles = [];
-let defaultRole = null;
-let _primaryField = "email";
-let _emailVerificationConfig = null;
-let _passwordResetConfig = null;
-let _passwordPolicy = {};
-export const setAppName = (name) => { appName = name; };
-export const getAppName = () => appName;
-export const setAppRoles = (roles) => { appRoles = roles; };
-export const getAppRoles = () => appRoles;
-export const setDefaultRole = (role) => { defaultRole = role; };
-export const getDefaultRole = () => defaultRole;
-export const setPrimaryField = (field) => { _primaryField = field; };
-export const getPrimaryField = () => _primaryField;
-export const setEmailVerificationConfig = (config) => { _emailVerificationConfig = config; };
-export const getEmailVerificationConfig = () => _emailVerificationConfig;
-const DEFAULT_TOKEN_EXPIRY = 60 * 60 * 24; // 24 hours
-export const getTokenExpiry = () => _emailVerificationConfig?.tokenExpiry ?? DEFAULT_TOKEN_EXPIRY;
-export const setPasswordResetConfig = (config) => { _passwordResetConfig = config; };
-export const getPasswordResetConfig = () => _passwordResetConfig;
-export const setPasswordPolicy = (config) => { _passwordPolicy = config; };
-export const getPasswordPolicy = () => _passwordPolicy;
-const DEFAULT_RESET_TOKEN_EXPIRY = 60 * 60; // 1 hour
-export const getResetTokenExpiry = () => _passwordResetConfig?.tokenExpiry ?? DEFAULT_RESET_TOKEN_EXPIRY;
-// ---------------------------------------------------------------------------
-// Session policy
-// ---------------------------------------------------------------------------
-let _maxSessions = 6;
-let _persistSessionMetadata = true;
-let _includeInactiveSessions = false;
-let _trackLastActive = false;
-export const setMaxSessions = (n) => { _maxSessions = Number.isFinite(n) && n >= 1 ? Math.floor(n) : 1; };
-export const getMaxSessions = () => _maxSessions;
-export const setPersistSessionMetadata = (v) => { _persistSessionMetadata = v; };
-export const getPersistSessionMetadata = () => _persistSessionMetadata;
-export const setIncludeInactiveSessions = (v) => { _includeInactiveSessions = v; };
-export const getIncludeInactiveSessions = () => _includeInactiveSessions;
-export const setTrackLastActive = (v) => { _trackLastActive = v; };
-export const getTrackLastActive = () => _trackLastActive;
-let _refreshTokenConfig = null;
-export const setRefreshTokenConfig = (config) => { _refreshTokenConfig = config; };
-export const getRefreshTokenConfig = () => _refreshTokenConfig;
-const DEFAULT_ACCESS_TOKEN_EXPIRY = 900; // 15 min
-const DEFAULT_REFRESH_TOKEN_EXPIRY = 2_592_000; // 30 days
-const DEFAULT_ROTATION_GRACE_SECONDS = 30;
-export const getAccessTokenExpiry = () => _refreshTokenConfig?.accessTokenExpiry ?? DEFAULT_ACCESS_TOKEN_EXPIRY;
-export const getRefreshTokenExpiry = () => _refreshTokenConfig?.refreshTokenExpiry ?? DEFAULT_REFRESH_TOKEN_EXPIRY;
-export const getRotationGraceSeconds = () => _refreshTokenConfig?.rotationGraceSeconds ?? DEFAULT_ROTATION_GRACE_SECONDS;
-let _mfaConfig = null;
-export const setMfaConfig = (config) => { _mfaConfig = config; };
-export const getMfaConfig = () => _mfaConfig;
-export const getMfaIssuer = () => _mfaConfig?.issuer ?? getAppName();
-export const getMfaAlgorithm = () => _mfaConfig?.algorithm ?? "SHA1";
-export const getMfaDigits = () => _mfaConfig?.digits ?? 6;
-export const getMfaPeriod = () => _mfaConfig?.period ?? 30;
-export const getMfaRecoveryCodeCount = () => _mfaConfig?.recoveryCodes ?? 10;
-export const getMfaChallengeTtl = () => _mfaConfig?.challengeTtlSeconds ?? 300;
-export const getMfaEmailOtpConfig = () => _mfaConfig?.emailOtp ?? null;
-export const getMfaEmailOtpCodeLength = () => _mfaConfig?.emailOtp?.codeLength ?? 6;
-export const getMfaWebAuthnConfig = () => _mfaConfig?.webauthn ?? null;
-export const getMfaRequired = () => _mfaConfig?.required ?? false;
-// ---------------------------------------------------------------------------
-// CSRF config
-// ---------------------------------------------------------------------------
-let _csrfEnabled = false;
-export const setCsrfEnabled = (v) => { _csrfEnabled = v; };
-export const getCsrfEnabled = () => _csrfEnabled;
-let _signingConfig = null;
-export const setSigningConfig = (config) => { _signingConfig = config; };
-export const getSigningConfig = () => _signingConfig;
-/**
- * Returns the active signing secret: signing.secret → JWT_SECRET_PROD/DEV env var.
- * Returns null when neither is configured — callers must handle this gracefully.
- */
-export const getSigningSecret = () => {
-    if (_signingConfig?.secret)
-        return _signingConfig.secret;
-    const isProd = process.env.NODE_ENV === "production";
-    const envKey = isProd ? "JWT_SECRET_PROD" : "JWT_SECRET_DEV";
-    const rawSecret = process.env[envKey];
-    return rawSecret ?? null;
-};

package/dist/lib/auditLog.d.ts

@@ -1,52 +0,0 @@
-import type { Database } from "bun:sqlite";
-export interface AuditLogEntry {
-    id: string;
-    userId: string | null;
-    sessionId: string | null;
-    tenantId: string | null;
-    method: string;
-    path: string;
-    status: number;
-    ip: string | null;
-    userAgent: string | null;
-    action?: string;
-    resource?: string;
-    resourceId?: string;
-    meta?: Record<string, unknown>;
-    requestId?: string;
-    /** ISO 8601 string across all backends. */
-    createdAt: string;
-    /** MongoDB TTL only — silently ignored by SQLite and memory stores. */
-    expiresAt?: Date;
-}
-export type AuditLogStore = "mongo" | "sqlite" | "memory";
-export interface AuditLogOptions {
-    store: AuditLogStore;
-    /** Required when `store === "sqlite"`. */
-    db?: Database;
-}
-export interface AuditLogQuery {
-    userId?: string;
-    tenantId?: string;
-    after?: Date | string;
-    before?: Date | string;
-    /** Default 50, max 200. */
-    limit?: number;
-    /** Default 0. */
-    offset?: number;
-}
-export declare function clearAuditLogMemoryStore(): void;
-/**
- * Persist an audit log entry to the configured store.
- * Errors are caught internally — this function never throws, to ensure
- * storage failures never fail the HTTP request.
- */
-export declare function logAuditEntry(entry: AuditLogEntry, options: AuditLogOptions): Promise<void>;
-/**
- * Query audit log entries from the configured store.
- * Returns `{ items, total }` where `total` is the filtered count before pagination.
- */
-export declare function getAuditLogs(query: AuditLogQuery, options: AuditLogOptions): Promise<{
-    items: AuditLogEntry[];
-    total: number;
-}>;