@lastshotlabs/bunshot 0.0.25 → 0.0.28

package/dist/schemas/auth.js

@@ -1,30 +0,0 @@
-import { z } from "zod";
-import { getPasswordPolicy } from "../lib/appConfig";
-/** Build a Zod schema for the password field based on the configured policy.
- *  Applied to registration and reset-password. Login uses min(1) intentionally
- *  to avoid locking out users registered under older/weaker policies. */
-const passwordSchema = () => {
-    const policy = getPasswordPolicy();
-    const minLen = policy.minLength ?? 8;
-    let schema = z.string().min(minLen, `Password must be at least ${minLen} characters`);
-    if (policy.requireLetter !== false) {
-        schema = schema.regex(/[a-zA-Z]/, "Password must contain at least one letter");
-    }
-    if (policy.requireDigit !== false) {
-        schema = schema.regex(/\d/, "Password must contain at least one digit");
-    }
-    if (policy.requireSpecial) {
-        schema = schema.regex(/[^a-zA-Z0-9]/, "Password must contain at least one special character");
-    }
-    return schema;
-};
-export const makeRegisterSchema = (primaryField) => z.object({
-    [primaryField]: primaryField === "email" ? z.string().email() : z.string().min(3),
-    password: passwordSchema(),
-});
-export const makeLoginSchema = (primaryField) => z.object({
-    [primaryField]: primaryField === "email" ? z.string().email() : z.string().min(1),
-    password: z.string().min(1),
-});
-/** Password schema for reset-password — same policy as registration. */
-export const resetPasswordSchema = () => passwordSchema();

package/dist/server.d.ts

@@ -1,57 +0,0 @@
-import type { Server, ServerWebSocket, WebSocketHandler } from "bun";
-import { type CreateAppConfig } from "./app";
-import { type SocketData } from "./ws/index";
-import { type HeartbeatConfig } from "./lib/wsHeartbeat";
-import { type WsMessageStore, type WsMessageDefaults } from "./lib/wsMessages";
-export interface WsConfig<T extends object = object> {
-    /** Override or extend the default WebSocket handler */
-    handler?: WebSocketHandler<SocketData<T>>;
-    /** Override the default /ws upgrade handler (auth + upgrade logic) */
-    upgradeHandler?: (req: Request, server: Server<SocketData<T>>) => Promise<Response | undefined>;
-    /**
-     * Guard called before a socket joins a room via the subscribe action.
-     * Return true to allow, false to deny (client receives { event: "subscribe_denied", room }).
-     * ws.data.userId is available for auth checks.
-     */
-    onRoomSubscribe?: (ws: ServerWebSocket<SocketData<T>>, room: string) => boolean | Promise<boolean>;
-    /**
-     * Maximum allowed WebSocket message size in bytes.
-     * Messages exceeding this limit will cause the connection to be closed with code 1009.
-     * Defaults to 65536 (64 KB).
-     */
-    maxMessageSize?: number;
-    /**
-     * Heartbeat / ping-pong keepalive. Set `true` for defaults (30s interval, 10s timeout)
-     * or provide an object to customize intervals.
-     */
-    heartbeat?: boolean | HeartbeatConfig;
-    /**
-     * Presence tracking. Set `true` for defaults or provide config.
-     * When enabled, `presence_join`/`presence_leave` events are broadcast to rooms.
-     */
-    presence?: boolean | {
-        broadcastEvents?: boolean;
-    };
-    /**
-     * Message persistence. Opt rooms in via `configureRoom()`.
-     */
-    persistence?: {
-        store?: WsMessageStore;
-        defaults?: WsMessageDefaults;
-    };
-}
-export interface CreateServerConfig<T extends object = object> extends CreateAppConfig {
-    port?: number;
-    /** Absolute path to the service's workers directory — auto-imports all .ts files */
-    workersDir?: string;
-    /** Set false to disable auto-loading workers. Defaults to true */
-    enableWorkers?: boolean;
-    /** WebSocket configuration */
-    ws?: WsConfig<T>;
-    /**
-     * Maximum request body size in bytes. Defaults to the upload config limit when present
-     * (maxFileSize * maxFiles), otherwise Bun's default (128 MB).
-     */
-    maxRequestBodySize?: number;
-}
-export declare const createServer: <T extends object = object>(config: CreateServerConfig<T>) => Promise<Server<SocketData<T>>>;

package/dist/server.js

@@ -1,112 +0,0 @@
-import { createApp } from "./app";
-import { websocket as defaultWebsocket, createWsUpgradeHandler } from "./ws/index";
-import { setWsServer, handleRoomActions, cleanupSocket, setPresenceEnabled } from "./lib/ws";
-import { registerSocket, deregisterSocket, handlePong, startHeartbeat, stopHeartbeat } from "./lib/wsHeartbeat";
-import { trackSocket, untrackSocket } from "./lib/wsPresence";
-import { setWsMessageStore, setWsMessageDefaults } from "./lib/wsMessages";
-import { log } from "./lib/logger";
-export const createServer = async (config) => {
-    const app = await createApp(config);
-    const port = Number(process.env.PORT ?? config.port ?? 3000);
-    const { workersDir, enableWorkers = true, ws: wsConfig = {} } = config;
-    // Compute maxRequestBodySize: explicit config wins, else derive from upload config
-    let maxRequestBodySize = config.maxRequestBodySize;
-    if (maxRequestBodySize === undefined && config.upload) {
-        const maxFileSize = config.upload.maxFileSize ?? 10 * 1024 * 1024;
-        const maxFiles = config.upload.maxFiles ?? 10;
-        maxRequestBodySize = maxFileSize * maxFiles;
-    }
-    const { handler: userWs, upgradeHandler: wsUpgradeHandler, onRoomSubscribe, maxMessageSize = 65_536, heartbeat: heartbeatConfig, presence: presenceConfig, persistence: persistenceConfig, } = wsConfig;
-    // Configure presence
-    if (presenceConfig)
-        setPresenceEnabled(true);
-    // Configure message persistence
-    if (persistenceConfig) {
-        if (persistenceConfig.store)
-            setWsMessageStore(persistenceConfig.store);
-        if (persistenceConfig.defaults)
-            setWsMessageDefaults(persistenceConfig.defaults);
-    }
-    const defaultOpen = defaultWebsocket.open;
-    const defaultClose = defaultWebsocket.close;
-    const defaultDrain = defaultWebsocket.drain;
-    const heartbeatEnabled = !!heartbeatConfig;
-    const ws = {
-        open(socket) {
-            if (heartbeatEnabled)
-                registerSocket(socket, socket.data.id);
-            if (presenceConfig)
-                trackSocket(socket.data.id, socket.data.userId);
-            (userWs?.open ?? defaultOpen)(socket);
-        },
-        async message(socket, message) {
-            const size = typeof message === "string" ? message.length : message.byteLength;
-            if (size > maxMessageSize) {
-                socket.close(1009, "Message too large");
-                return;
-            }
-            if (!await handleRoomActions(socket, message, onRoomSubscribe)) {
-                if (userWs?.message) {
-                    userWs.message(socket, message);
-                }
-                // No default echo — without a custom handler, non-room messages are silently dropped
-            }
-        },
-        close(socket, code, reason) {
-            if (heartbeatEnabled)
-                deregisterSocket(socket.data.id);
-            if (presenceConfig)
-                untrackSocket(socket.data.id);
-            cleanupSocket(socket.data.id, socket.data.rooms);
-            socket.data.rooms.clear();
-            (userWs?.close ?? defaultClose)(socket, code, reason);
-        },
-        pong(socket) {
-            if (heartbeatEnabled)
-                handlePong(socket.data.id);
-        },
-        drain: userWs?.drain ?? defaultDrain,
-    };
-    let server;
-    server = Bun.serve({
-        port,
-        routes: {
-            "/ws": (req) => wsUpgradeHandler
-                ? wsUpgradeHandler(req, server)
-                : createWsUpgradeHandler(server)(req),
-        },
-        fetch: app.fetch,
-        websocket: ws,
-        ...(maxRequestBodySize !== undefined ? { maxRequestBodySize } : {}),
-        error(err) {
-            console.error(err);
-            return Response.json({ error: "Internal Server Error" }, { status: 500 });
-        },
-    });
-    setWsServer(server);
-    // Start heartbeat after server is ready
-    if (heartbeatEnabled)
-        startHeartbeat(heartbeatConfig);
-    // Graceful shutdown — stop heartbeat alongside existing cleanup
-    const gracefulShutdown = () => { stopHeartbeat(); };
-    process.on("SIGTERM", gracefulShutdown);
-    process.on("SIGINT", gracefulShutdown);
-    if (enableWorkers && workersDir) {
-        const glob = new Bun.Glob("**/*.ts");
-        for await (const file of glob.scan({ cwd: workersDir })) {
-            await import(`${workersDir}/${file}`);
-        }
-        // Clean up ghost cron schedulers after all workers are loaded
-        try {
-            const { getRegisteredCronNames, cleanupStaleSchedulers } = await import("./lib/queue");
-            const activeNames = [...getRegisteredCronNames()];
-            if (activeNames.length > 0) {
-                await cleanupStaleSchedulers(activeNames);
-            }
-        }
-        catch { /* bullmq not installed or no cron workers */ }
-    }
-    log(`[server] running at http://localhost:${server.port}`);
-    log(`[server] API docs at http://localhost:${server.port}/docs`);
-    return server;
-};

package/dist/services/auth.d.ts

@@ -1,27 +0,0 @@
-import type { SessionMetadata } from "../lib/session";
-export interface AuthResult {
-    token: string;
-    userId: string;
-    email?: string;
-    emailVerified?: boolean;
-    googleLinked?: boolean;
-    refreshToken?: string;
-    mfaRequired?: boolean;
-    mfaToken?: string;
-    mfaMethods?: string[];
-    webauthnOptions?: Record<string, unknown>;
-}
-/** Create a session for a user (used internally and by MFA verify). */
-export declare const createSessionForUser: (userId: string, metadata?: SessionMetadata) => Promise<{
-    token: string;
-    refreshToken?: string;
-}>;
-export declare const register: (identifier: string, password: string, metadata?: SessionMetadata) => Promise<AuthResult>;
-export declare const login: (identifier: string, password: string, metadata?: SessionMetadata) => Promise<AuthResult>;
-export declare const refresh: (refreshTokenValue: string) => Promise<{
-    token: string;
-    refreshToken: string;
-    userId: string;
-}>;
-export declare const deleteAccount: (userId: string, password?: string) => Promise<void>;
-export declare const logout: (token: string | null) => Promise<void>;

package/dist/services/auth.js

@@ -1,159 +0,0 @@
-import { getAuthAdapter } from "../lib/authAdapter";
-import { HttpError } from "../lib/HttpError";
-import { signToken, verifyToken } from "../lib/jwt";
-import { createSession, deleteSession, getActiveSessionCount, evictOldestSession, deleteUserSessions, setRefreshToken, getSessionByRefreshToken, rotateRefreshToken } from "../lib/session";
-import { getDefaultRole, getPrimaryField, getEmailVerificationConfig, getMaxSessions, getRefreshTokenConfig, getAccessTokenExpiry, getMfaConfig, getMfaEmailOtpConfig, getMfaWebAuthnConfig } from "../lib/appConfig";
-import { createVerificationToken } from "../lib/emailVerification";
-import { createMfaChallenge } from "../lib/mfaChallenge";
-import { generateEmailOtpCode, generateWebAuthnAuthenticationOptions } from "./mfa";
-async function createSessionWithRefreshToken(userId, sessionId, metadata) {
-    const rtConfig = getRefreshTokenConfig();
-    const expirySeconds = rtConfig ? getAccessTokenExpiry() : undefined;
-    const token = await signToken(userId, sessionId, expirySeconds);
-    while (await getActiveSessionCount(userId) >= getMaxSessions()) {
-        await evictOldestSession(userId);
-    }
-    await createSession(userId, token, sessionId, metadata);
-    let refreshToken;
-    if (rtConfig) {
-        refreshToken = crypto.randomUUID();
-        await setRefreshToken(sessionId, refreshToken);
-    }
-    return { token, refreshToken, sessionId };
-}
-/** Create a session for a user (used internally and by MFA verify). */
-export const createSessionForUser = async (userId, metadata) => {
-    const sessionId = crypto.randomUUID();
-    return createSessionWithRefreshToken(userId, sessionId, metadata);
-};
-export const register = async (identifier, password, metadata) => {
-    const hashed = await Bun.password.hash(password);
-    const adapter = getAuthAdapter();
-    const user = await adapter.create(identifier, hashed);
-    const role = getDefaultRole();
-    if (role)
-        await adapter.setRoles(user.id, [role]);
-    const sessionId = crypto.randomUUID();
-    const { token, refreshToken } = await createSessionWithRefreshToken(user.id, sessionId, metadata);
-    const evConfig = getEmailVerificationConfig();
-    if (evConfig && getPrimaryField() === "email") {
-        try {
-            const verificationToken = await createVerificationToken(user.id, identifier);
-            await evConfig.onSend(identifier, verificationToken);
-        }
-        catch (e) {
-            console.error("[email-verification] Failed to send verification email:", e);
-        }
-    }
-    return { token, userId: user.id, email: identifier, refreshToken };
-};
-// Pre-computed dummy hash so non-existent-user login takes the same time as wrong-password login
-const DUMMY_HASH = await Bun.password.hash("dummy-timing-safe-placeholder");
-export const login = async (identifier, password, metadata) => {
-    const adapter = getAuthAdapter();
-    const findFn = adapter.findByIdentifier ?? adapter.findByEmail.bind(adapter);
-    const user = await findFn(identifier);
-    // Always verify against a hash to prevent timing-based user enumeration
-    const hashToVerify = user?.passwordHash ?? DUMMY_HASH;
-    const passwordValid = await Bun.password.verify(password, hashToVerify);
-    if (!user || !passwordValid) {
-        throw new HttpError(401, "Invalid credentials");
-    }
-    // Check email verification before MFA to avoid leaking MFA status to unverified users
-    const fullUser = adapter.getUser ? await adapter.getUser(user.id) : null;
-    const googleLinked = fullUser?.providerIds?.some((id) => id.startsWith("google:")) ?? false;
-    const evConfig = getEmailVerificationConfig();
-    if (evConfig && getPrimaryField() === "email" && adapter.getEmailVerified) {
-        const verified = await adapter.getEmailVerified(user.id);
-        if (evConfig.required && !verified) {
-            throw new HttpError(403, "Email not verified");
-        }
-    }
-    // Check MFA — if enabled, return challenge token instead of session
-    if (getMfaConfig() && adapter.isMfaEnabled && await adapter.isMfaEnabled(user.id)) {
-        const methods = adapter.getMfaMethods
-            ? await adapter.getMfaMethods(user.id)
-            : ["totp"];
-        // Auto-send email OTP if enabled
-        let emailOtpHash;
-        const emailOtpConfig = getMfaEmailOtpConfig();
-        if (methods.includes("emailOtp") && emailOtpConfig) {
-            const { code, hash } = generateEmailOtpCode();
-            emailOtpHash = hash;
-            const email = fullUser?.email;
-            if (email)
-                await emailOtpConfig.onSend(email, code);
-        }
-        // Generate WebAuthn authentication options if enabled
-        let webauthnChallenge;
-        let webauthnOptions;
-        const webauthnConfig = getMfaWebAuthnConfig();
-        if (methods.includes("webauthn") && webauthnConfig && adapter.getWebAuthnCredentials) {
-            const result = await generateWebAuthnAuthenticationOptions(user.id);
-            if (result) {
-                webauthnChallenge = result.challenge;
-                webauthnOptions = result.options;
-            }
-        }
-        const mfaToken = await createMfaChallenge(user.id, { emailOtpHash, webauthnChallenge });
-        return { token: "", userId: user.id, mfaRequired: true, mfaToken, mfaMethods: methods, webauthnOptions };
-    }
-    const sessionId = crypto.randomUUID();
-    const { token, refreshToken } = await createSessionWithRefreshToken(user.id, sessionId, metadata);
-    if (evConfig && getPrimaryField() === "email" && adapter.getEmailVerified) {
-        const verified = await adapter.getEmailVerified(user.id);
-        return { token, userId: user.id, email: fullUser?.email, emailVerified: verified, googleLinked, refreshToken };
-    }
-    return { token, userId: user.id, email: fullUser?.email, googleLinked, refreshToken };
-};
-export const refresh = async (refreshTokenValue) => {
-    const result = await getSessionByRefreshToken(refreshTokenValue);
-    if (!result) {
-        throw new HttpError(401, "Invalid or expired refresh token");
-    }
-    const { sessionId, userId, newRefreshToken } = result;
-    // If the returned newRefreshToken differs from what was sent, we're in a grace window replay.
-    // Return the current tokens without rotating again.
-    if (newRefreshToken !== refreshTokenValue) {
-        const accessToken = await signToken(userId, sessionId, getAccessTokenExpiry());
-        return { token: accessToken, refreshToken: newRefreshToken, userId };
-    }
-    // Normal rotation: generate new refresh + access tokens
-    const newRT = crypto.randomUUID();
-    const newAccessToken = await signToken(userId, sessionId, getAccessTokenExpiry());
-    await rotateRefreshToken(sessionId, newRT, newAccessToken);
-    return { token: newAccessToken, refreshToken: newRT, userId };
-};
-export const deleteAccount = async (userId, password) => {
-    const adapter = getAuthAdapter();
-    if (!adapter.deleteUser) {
-        throw new HttpError(501, "Auth adapter does not support deleteUser");
-    }
-    // Verify password for credential accounts
-    if (password) {
-        const user = adapter.getUser ? await adapter.getUser(userId) : null;
-        const email = user?.email;
-        if (email) {
-            const findFn = adapter.findByIdentifier ?? adapter.findByEmail.bind(adapter);
-            const found = await findFn(email);
-            if (found && !(await Bun.password.verify(password, found.passwordHash))) {
-                throw new HttpError(401, "Invalid password");
-            }
-        }
-    }
-    else if (adapter.hasPassword && await adapter.hasPassword(userId)) {
-        throw new HttpError(400, "Password is required to delete a credential account");
-    }
-    // Revoke all sessions
-    await deleteUserSessions(userId);
-    // Delete the user
-    await adapter.deleteUser(userId);
-};
-export const logout = async (token) => {
-    if (token) {
-        const payload = await verifyToken(token);
-        const sessionId = payload.sid;
-        if (sessionId)
-            await deleteSession(sessionId);
-    }
-};

package/dist/ws/index.d.ts

@@ -1,10 +0,0 @@
-import type { Server, WebSocketHandler } from "bun";
-export type SocketData<T extends object = object> = {
-    id: string;
-    userId: string | null;
-    rooms: Set<string>;
-} & T;
-type BaseSocketData = SocketData<object>;
-export declare const createWsUpgradeHandler: (server: Server<BaseSocketData>) => (req: Request) => Promise<Response | undefined>;
-export declare const websocket: WebSocketHandler<BaseSocketData>;
-export {};

package/dist/ws/index.js

@@ -1,38 +0,0 @@
-import { verifyToken } from "../lib/jwt";
-import { getSession } from "../lib/session";
-import { COOKIE_TOKEN } from "../lib/constants";
-import { trackSocket, untrackSocket } from "../lib/wsPresence";
-export const createWsUpgradeHandler = (server) => async (req) => {
-    let userId = null;
-    try {
-        const token = req.headers.get("cookie")
-            ?.match(new RegExp(`(?:^|;\\s*)${COOKIE_TOKEN}=([^;]+)`))?.[1] ?? null;
-        if (token) {
-            const payload = await verifyToken(token);
-            const sessionId = payload.sid;
-            if (sessionId) {
-                const stored = await getSession(sessionId);
-                if (stored === token)
-                    userId = payload.sub;
-            }
-        }
-    }
-    catch { /* unauthenticated — userId stays null */ }
-    const upgraded = server.upgrade(req, { data: { id: crypto.randomUUID(), userId, rooms: new Set() } });
-    return upgraded ? undefined : Response.json({ error: "Upgrade failed" }, { status: 400 });
-};
-export const websocket = {
-    open(ws) {
-        trackSocket(ws.data.id, ws.data.userId);
-        console.log(`[ws] connected: ${ws.data.id}`);
-        ws.send(JSON.stringify({ event: "connected", id: ws.data.id }));
-    },
-    message(_ws, _message) {
-        // No-op: room actions are handled by server.ts via handleRoomActions.
-        // Override ws.handler.message in WsConfig for custom message handling.
-    },
-    close(ws) {
-        untrackSocket(ws.data.id);
-        console.log(`[ws] disconnected: ${ws.data.id}`);
-    },
-};

package/docs/sections/adding-middleware/full.md

@@ -1,35 +0,0 @@
-## Adding Middleware
-
-### Global (runs on every request)
-
-Pass via `middleware` config — injected after `identify`, before route matching:
-
-```ts
-await createServer({
-  routesDir: import.meta.dir + "/routes",
-  app: { name: "My App", version: "1.0.0" },
-  middleware: [myMiddleware],
-});
-```
-
-Write it using core's exported types:
-
-```ts
-// src/middleware/tenant.ts
-import type { MiddlewareHandler } from "hono";
-import type { AppEnv } from "@lastshotlabs/bunshot";
-
-export const tenantMiddleware: MiddlewareHandler<AppEnv> = async (c, next) => {
-  // c.get("userId") is available — identify has already run
-  await next();
-};
-```
-
-### Per-route
-
-```ts
-import { userAuth, rateLimit } from "@lastshotlabs/bunshot";
-
-router.use("/admin", userAuth);
-router.use("/admin", rateLimit({ windowMs: 60_000, max: 10 }));
-```

package/docs/sections/adding-models/full.md

@@ -1,125 +0,0 @@
-## Adding Models
-
-Import `appConnection` and register models on it. This ensures your models use the correct connection whether you're on a single DB or a separate tenant DB.
-
-`appConnection` is a lazy proxy — calling `.model()` at the top level works fine even before `connectMongo()` has been called. Mongoose buffers any queries until the connection is established.
-
-```ts
-// src/models/Product.ts
-import { appConnection } from "@lastshotlabs/bunshot";
-import { Schema } from "mongoose";
-import type { HydratedDocument } from "mongoose";
-
-interface IProduct {
-  name: string;
-  price: number;
-}
-
-export type ProductDocument = HydratedDocument<IProduct>;
-
-const ProductSchema = new Schema<IProduct>({
-  name: { type: String, required: true },
-  price: { type: Number, required: true },
-}, { timestamps: true });
-
-export const Product = appConnection.model<IProduct>("Product", ProductSchema);
-```
-
-> **Note:** Import types (`HydratedDocument`, `Schema`, etc.) directly from `"mongoose"` — the `appConnection` and `mongoose` exports from bunshot are runtime proxies and cannot be used as TypeScript namespaces.
-
-### Zod as Single Source of Truth
-
-If you use Zod schemas for your OpenAPI spec (via `createRoute` or `modelSchemas`), you can derive your Mongoose schemas and DTO mappers from those same Zod definitions — so each entity is defined **once**.
-
-#### `zodToMongoose` — Zod → Mongoose SchemaDefinition
-
-Converts a Zod object schema into a Mongoose field definition. Business fields are auto-converted; DB-specific concerns (ObjectId refs, type overrides, subdocuments) are declared via config. The `id` field is automatically excluded since Mongoose provides `_id`.
-
-```ts
-import { appConnection, zodToMongoose } from "@lastshotlabs/bunshot";
-import { Schema, type HydratedDocument } from "mongoose";
-import { ProductSchema } from "../schemas/product"; // your Zod schema
-import type { ProductDto } from "../schemas/product";
-
-// DB interface derives from Zod DTO type
-interface IProduct extends Omit<ProductDto, "id" | "categoryId"> {
-  user: Types.ObjectId;
-  category: Types.ObjectId;
-}
-
-const ProductMongoSchema = new Schema<IProduct>(
-  zodToMongoose(ProductSchema, {
-    dbFields: {
-      user: { type: Schema.Types.ObjectId, ref: "UserProfile", required: true },
-    },
-    refs: {
-      categoryId: { dbField: "category", ref: "Category" },
-    },
-    typeOverrides: {
-      createdAt: { type: Date, required: true },
-    },
-  }) as Record<string, unknown>,
-  { timestamps: true }
-);
-
-export type ProductDocument = HydratedDocument<IProduct>;
-export const Product = appConnection.model<IProduct>("Product", ProductMongoSchema);
-```
-
-**Config options:**
-
-| Option | Description |
-|---|---|
-| `dbFields` | Fields that exist only in the DB, not in the API schema (e.g., `user` ObjectId ref) |
-| `refs` | API fields that map to ObjectId refs: `{ accountId: { dbField: "account", ref: "Account" } }` |
-| `typeOverrides` | Override the auto-converted Mongoose type for a field (e.g., Zod `z.string()` for dates → Mongoose `Date`) |
-| `subdocSchemas` | Subdocument array fields: `{ items: mongooseSubSchema }` |
-
-**Auto-conversion mapping:**
-
-| Zod type | Mongoose type |
-|---|---|
-| `z.string()` | `String` |
-| `z.number()` | `Number` |
-| `z.boolean()` | `Boolean` |
-| `z.date()` | `Date` |
-| `z.enum([...])` | `String` with `enum` |
-| `.nullable()` / `.optional()` | `required: false` |
-
-#### `createDtoMapper` — Zod → toDto mapper
-
-Creates a generic `toDto` function from a Zod schema. The schema defines which fields exist in the DTO; the config declares how to transform DB-specific types.
-
-```ts
-import { createDtoMapper } from "@lastshotlabs/bunshot";
-import { ProductSchema, type ProductDto } from "../schemas/product";
-
-const toDto = createDtoMapper<ProductDto>(ProductSchema, {
-  refs: { category: "categoryId" },   // ObjectId ref → string, with rename
-  dates: ["createdAt"],               // Date → ISO string
-});
-
-// Use it
-const product = await Product.findOne({ _id: id });
-return product ? toDto(product) : null;
-```
-
-**Auto-handled transforms:**
-
-| Transform | Description |
-|---|---|
-| `_id` → `id` | Always converted via `.toString()` |
-| `refs` | ObjectId fields → string (`.toString()`), with DB→API field renaming |
-| `dates` | `Date` objects → ISO strings (`.toISOString()`) |
-| `subdocs` | Array fields mapped with a sub-mapper (for nested documents) |
-| nullable/optional | `undefined` → `null` coercion (based on Zod schema) |
-| everything else | Passthrough |
-
-**Subdocument example:**
-
-```ts
-const itemToDto = createDtoMapper<TemplateItemDto>(TemplateItemSchema);
-const toDto = createDtoMapper<TemplateDto>(TemplateSchema, {
-  subdocs: { items: itemToDto },
-});
-```

package/docs/sections/adding-models/overview.md

@@ -1,13 +0,0 @@
-## Adding Models
-
-Import `appConnection` and register Mongoose models on it. `appConnection` is a lazy proxy — `.model()` works before `connectMongo()` has been called.
-
-```ts
-import { appConnection } from "@lastshotlabs/bunshot";
-import { Schema, type HydratedDocument } from "mongoose";
-
-const ProductSchema = new Schema({ name: String, price: Number }, { timestamps: true });
-export const Product = appConnection.model("Product", ProductSchema);
-```
-
-Bunshot also provides `zodToMongoose` (Zod -> Mongoose schema conversion) and `createDtoMapper` (DB document -> API DTO) to use Zod as the single source of truth for your models and OpenAPI spec.