@lastshotlabs/bunshot 0.0.25 → 0.0.28

package/docs/sections/multi-tenancy/full.md

@@ -1,66 +0,0 @@
-## Multi-Tenancy
-
-Add multi-tenancy to your app by configuring tenant resolution. Bunshot resolves the tenant on each request and attaches `tenantId` + `tenantConfig` to the Hono context.
-
-```ts
-await createServer({
-  tenancy: {
-    resolution: "header",               // "header" | "subdomain" | "path"
-    headerName: "x-tenant-id",          // default for "header" strategy
-    onResolve: async (tenantId) => {     // validate + load tenant config — return null to reject
-      const tenant = await getTenant(tenantId);
-      return tenant?.config ?? null;
-    },
-    cacheTtlMs: 60_000,                 // LRU cache TTL for onResolve (default: 60s, 0 to disable)
-    cacheMaxSize: 500,                  // max cached entries (default: 500)
-    exemptPaths: ["/webhooks"],          // additional paths that skip tenant resolution
-    rejectionStatus: 403,               // 403 (default) or 404 when onResolve returns null
-  },
-});
-```
-
-### Resolution strategies
-
-| Strategy | How it extracts tenant ID | Example |
-|---|---|---|
-| `"header"` | From request header (default `x-tenant-id`) | `x-tenant-id: acme` |
-| `"subdomain"` | From first subdomain | `acme.myapp.com` → `"acme"` |
-| `"path"` | From URL path segment (does **not** strip prefix) | `/acme/api/users` → `"acme"` |
-
-### Default exempt paths
-
-These paths skip tenant resolution by default: `/health`, `/docs`, `/openapi.json`, `/auth/` (auth is global — all tenants share a user pool). Add more via `exemptPaths`.
-
-### `onResolve` is required in production
-
-When `tenancy` is configured without an `onResolve` callback, tenant IDs from headers/subdomains/paths are trusted without validation — a cross-tenant access risk. **In production (`NODE_ENV=production`), the server will refuse to start** if `onResolve` is missing. In development, a warning is logged instead.
-
-### Accessing tenant in routes
-
-```ts
-router.openapi(myRoute, async (c) => {
-  const tenantId = c.get("tenantId");         // string | null
-  const tenantConfig = c.get("tenantConfig"); // Record<string, unknown> | null
-  // Filter queries by tenantId, apply tenant-specific settings, etc.
-});
-```
-
-### Tenant provisioning helpers
-
-CRUD utilities for managing tenants (stored in the auth database via MongoDB):
-
-```ts
-import { createTenant, getTenant, listTenants, deleteTenant } from "@lastshotlabs/bunshot";
-
-await createTenant("acme", { displayName: "Acme Corp", config: { maxUsers: 100 } });
-const tenant = await getTenant("acme");      // { tenantId, displayName, config, createdAt }
-const all = await listTenants();             // active tenants only
-await deleteTenant("acme");                  // soft-delete + invalidates resolution cache
-```
-
-### Per-tenant namespacing
-
-When tenant context is present, rate limits and cache keys are automatically namespaced per-tenant — no code changes needed. Each tenant gets independent rate limit buckets and cache entries.
-
-- Rate limit keys: `t:${tenantId}:ip:${ip}` (instead of `ip:${ip}`)
-- Cache keys: `cache:${appName}:${tenantId}:${key}` (instead of `cache:${appName}:${key}`)

package/docs/sections/multi-tenancy/overview.md

@@ -1,15 +0,0 @@
-## Multi-Tenancy
-
-Opt-in via `tenancy` config. Resolves tenant ID from header, subdomain, or path segment on each request.
-
-```ts
-await createServer({
-  tenancy: {
-    resolution: "header",
-    headerName: "x-tenant-id",
-    onResolve: async (tenantId) => { /* validate, return config or null */ },
-  },
-});
-```
-
-Auth routes are exempt (global user pool). Rate limits and cache keys are auto-namespaced per-tenant. CRUD helpers: `createTenant`, `getTenant`, `listTenants`, `deleteTenant`.

package/docs/sections/oauth/full.md

@@ -1,189 +0,0 @@
-### Social Login (OAuth)
-
-Pass `auth.oauth.providers` to `createServer` to enable Google, Apple, Microsoft, and/or GitHub sign-in. Routes are mounted automatically for each configured provider.
-
-```ts
-await createServer({
-  routesDir: import.meta.dir + "/routes",
-  app: { name: "My App", version: "1.0.0" },
-  auth: {
-    oauth: {
-      postRedirect: "/lobby",  // where to redirect after login (default: "/")
-      providers: {
-        google: {
-          clientId: process.env.GOOGLE_CLIENT_ID!,
-          clientSecret: process.env.GOOGLE_CLIENT_SECRET!,
-          redirectUri: "https://myapp.com/auth/google/callback",
-        },
-        apple: {
-          clientId: process.env.APPLE_CLIENT_ID!,       // Services ID, e.g. "com.myapp.auth"
-          teamId: process.env.APPLE_TEAM_ID!,
-          keyId: process.env.APPLE_KEY_ID!,
-          privateKey: process.env.APPLE_PRIVATE_KEY!,   // PEM string
-          redirectUri: "https://myapp.com/auth/apple/callback",
-        },
-        microsoft: {
-          tenantId: process.env.MICROSOFT_TENANT_ID!,   // "common", "organizations", "consumers", or tenant GUID
-          clientId: process.env.MICROSOFT_CLIENT_ID!,
-          clientSecret: process.env.MICROSOFT_CLIENT_SECRET!,
-          redirectUri: "https://myapp.com/auth/microsoft/callback",
-        },
-        github: {
-          clientId: process.env.GITHUB_CLIENT_ID!,
-          clientSecret: process.env.GITHUB_CLIENT_SECRET!,
-          redirectUri: "https://myapp.com/auth/github/callback",
-        },
-      },
-    },
-  },
-});
-```
-
-#### Routes mounted automatically
-
-| Provider | Initiate login | Callback | Link to existing account | Unlink |
-|---|---|---|---|---|
-| Google | `GET /auth/google` | `GET /auth/google/callback` | `GET /auth/google/link` | `DELETE /auth/google/link` |
-| Apple | `GET /auth/apple` | `POST /auth/apple/callback` | `GET /auth/apple/link` | — |
-| Microsoft | `GET /auth/microsoft` | `GET /auth/microsoft/callback` | `GET /auth/microsoft/link` | `DELETE /auth/microsoft/link` |
-| GitHub | `GET /auth/github` | `GET /auth/github/callback` | `GET /auth/github/link` | `DELETE /auth/github/link` |
-
-> Apple sends its callback as a **POST** with form data. Your server must be publicly reachable and the redirect URI must be registered in the Apple developer console.
-
-> **Microsoft `tenantId` options:** `"common"` accepts any Microsoft account (personal + work/school), `"organizations"` accepts work/school accounts only, `"consumers"` accepts personal accounts only, or pass a specific tenant GUID to restrict to a single Azure AD tenant (recommended for company SSO).
-
-> **GitHub:** Create an OAuth App (not a GitHub App) at [github.com/settings/developers](https://github.com/settings/developers). The `user:email` scope is requested to retrieve the user's verified email address, since the primary `/user` endpoint may not return it for users with private email settings.
-
-Additionally, a shared code exchange endpoint is always mounted:
-
-| Endpoint | Purpose |
-|---|---|
-| `POST /auth/oauth/exchange` | Exchange one-time authorization code for session token |
-
-#### Flow
-
-1. Client navigates to `GET /auth/google` (or `/auth/apple`, `/auth/microsoft`, `/auth/github`)
-2. Package redirects to the provider's OAuth page
-3. Provider redirects (or POSTs) back to the callback URL
-4. Package exchanges the code, fetches the user profile, and calls `authAdapter.findOrCreateByProvider`
-5. A session is created and a **one-time authorization code** is generated
-6. User is redirected to `auth.oauth.postRedirect?code=<one-time-code>`
-7. Client exchanges the code for a session token via `POST /auth/oauth/exchange`
-
-> **Security:** The JWT is never exposed in the redirect URL. The one-time code expires after 60 seconds and can only be used once, preventing token leakage via browser history, server logs, or referrer headers.
-
-##### Code exchange
-
-After the OAuth redirect, the client must exchange the one-time code for a session token:
-
-```ts
-// Client-side
-const res = await fetch("/auth/oauth/exchange", {
-  method: "POST",
-  headers: { "Content-Type": "application/json" },
-  body: JSON.stringify({ code: new URLSearchParams(location.search).get("code") }),
-});
-const { token, userId, email, refreshToken } = await res.json();
-```
-
-The exchange endpoint sets session cookies automatically for browser clients. Mobile/SPA clients can use the JSON response directly. Rate limited to 20 requests per minute per IP.
-
-| Field | Description |
-|---|---|
-| `token` | Session JWT |
-| `userId` | Authenticated user ID |
-| `email` | User email (if available) |
-| `refreshToken` | Refresh token (only when `auth.refreshTokens` is configured) |
-
-#### Redirect URL validation
-
-Pass `auth.oauth.allowedRedirectUrls` to restrict where OAuth callbacks can redirect:
-
-```ts
-auth: {
-  oauth: {
-    postRedirect: "/dashboard",
-    allowedRedirectUrls: ["https://myapp.com", "https://staging.myapp.com"],
-    providers: { ... },
-  },
-}
-```
-
-When configured, the `postRedirect` value is validated against the allowlist at startup. If omitted, any redirect URL is accepted (not recommended for production).
-
-#### User storage
-
-The default `mongoAuthAdapter` stores social users in `AuthUser` with a `providerIds` field (e.g. `["google:1234567890"]`). If no existing provider key is found, a new account is created — emails are never auto-linked. To connect a social identity to an existing credential account the user must explicitly use the link flow below.
-
-**Email conflict handling:** If a user attempts to sign in via Google (or Apple/Microsoft/GitHub) and the email returned by the provider already belongs to a credential-based account, `findOrCreateByProvider` throws `HttpError(409, ...)`. The OAuth callback catches this and redirects to `auth.oauth.postRedirect?error=<message>` so the client can display a helpful prompt (e.g. "An account with this email already exists — sign in with your password, then link Google from your account settings.").
-
-To support social login with a custom adapter, implement `findOrCreateByProvider`:
-
-```ts
-const myAdapter: AuthAdapter = {
-  findByEmail: ...,
-  create: ...,
-  async findOrCreateByProvider(provider, providerId, profile) {
-    // find or upsert user by provider + providerId
-    // return { id: string }
-  },
-};
-```
-
-#### Linking a provider to an existing account
-
-A logged-in user can link their account to a Google, Apple, Microsoft, or GitHub identity by navigating to the link route. This is the only way to associate a social login with an existing credential account — email matching is intentionally not done automatically.
-
-```
-GET /auth/google/link      (requires active session via cookie)
-GET /auth/apple/link       (requires active session via cookie)
-GET /auth/microsoft/link   (requires active session via cookie)
-GET /auth/github/link      (requires active session via cookie)
-```
-
-The link flow:
-1. User is already logged in (session cookie set)
-2. Client navigates to `/auth/google/link`
-3. User completes Google OAuth as normal
-4. On callback, instead of creating a new session, the Google identity is added to their existing account
-5. User is redirected to `auth.oauth.postRedirect?linked=google`
-
-To support linking with a custom adapter, implement `linkProvider`:
-
-```ts
-const myAdapter: AuthAdapter = {
-  // ...
-  async linkProvider(userId, provider, providerId) {
-    const key = `${provider}:${providerId}`;
-    await db.update(users)
-      .set({ providerIds: sql`array_append(provider_ids, ${key})` })
-      .where(eq(users.id, userId));
-  },
-};
-```
-
-#### Unlinking a provider
-
-A logged-in user can remove a linked Google, Microsoft, or GitHub identity via:
-
-```
-DELETE /auth/google/link      (requires active session via cookie)
-DELETE /auth/microsoft/link   (requires active session via cookie)
-DELETE /auth/github/link      (requires active session via cookie)
-```
-
-Returns `204 No Content` on success. All `google:*` entries are removed from the user's `providerIds`.
-
-To support unlinking with a custom adapter, implement `unlinkProvider`:
-
-```ts
-const myAdapter: AuthAdapter = {
-  // ...
-  async unlinkProvider(userId, provider) {
-    const user = await db.query.users.findFirst({ where: eq(users.id, userId) });
-    if (!user) throw new HttpError(404, "User not found");
-    const filtered = user.providerIds.filter((id: string) => !id.startsWith(`${provider}:`));
-    await db.update(users).set({ providerIds: filtered }).where(eq(users.id, userId));
-  },
-};
-```

package/docs/sections/oauth/overview.md

@@ -1,16 +0,0 @@
-### Social Login (OAuth)
-
-Pass `auth.oauth.providers` to enable Google, Apple, Microsoft, and/or GitHub sign-in. Routes are mounted automatically for each configured provider.
-
-```ts
-auth: {
-  oauth: {
-    postRedirect: "/dashboard",
-    providers: {
-      google: { clientId: "...", clientSecret: "...", redirectUri: "..." },
-    },
-  },
-}
-```
-
-Auto-mounted routes per provider: initiate (`GET /auth/{provider}`), callback, link to existing account (`GET /auth/{provider}/link`), and unlink (`DELETE /auth/{provider}/link`). After OAuth redirect, the client exchanges a one-time authorization code via `POST /auth/oauth/exchange` to receive the session token (the JWT is never exposed in the redirect URL). Supports custom adapters via `findOrCreateByProvider`, `linkProvider`, and `unlinkProvider`. Optionally restrict redirect URLs with `allowedRedirectUrls`.

package/docs/sections/package-development/full.md

@@ -1,7 +0,0 @@
-## Package Development
-
-To test changes locally, install the package from the local path in a sibling project:
-
-```bash
-bun add @lastshotlabs/bunshot@file:../bunshot
-```

package/docs/sections/pagination/full.md

@@ -1,93 +0,0 @@
-## Pagination Helpers
-
-Shared Zod schema factories and parse utilities for offset and cursor pagination. Both patterns produce named OpenAPI components and eliminate repeated `parseInt`/clamping boilerplate in route files.
-
-### Offset pagination
-
-```ts
-import {
-  offsetParams, parseOffsetParams, paginatedResponse,
-} from "@lastshotlabs/bunshot";
-
-const ItemSchema = z.object({ id: z.string(), name: z.string() });
-
-// Schema factories — call once at module scope
-const querySchema = offsetParams({ limit: 20, maxLimit: 100 });
-const responseSchema = paginatedResponse(ItemSchema, "PaginatedItems");
-
-router.openapi(
-  createRoute({
-    method: "get",
-    path: "/items",
-    request: { query: querySchema },
-    responses: { 200: { content: { "application/json": { schema: responseSchema } }, description: "ok" } },
-  }),
-  async (c) => {
-    const { limit, offset } = parseOffsetParams(c.req.query(), { maxLimit: 100 });
-    const [items, total] = await Promise.all([
-      Item.find().skip(offset).limit(limit),
-      Item.countDocuments(),
-    ]);
-    return c.json({ items, total, limit, offset });
-  }
-);
-```
-
-`paginatedResponse(itemSchema, name)` wraps the item schema in `{ items: T[], total: number, limit: number, offset: number }` and registers the result as a named OpenAPI component. Calling it with the same name and schema instance is idempotent; calling it with the same name but a different schema throws at startup.
-
-`parseOffsetParams` clamps `limit` to `[1, maxLimit]` and `offset` to `[0, ∞)`. Non-numeric values fall back to defaults. Floats are truncated via `parseInt`.
-
-### Cursor pagination
-
-```ts
-import {
-  cursorParams, parseCursorParams, cursorResponse,
-  type CursorResult,
-} from "@lastshotlabs/bunshot";
-
-const postQuerySchema = cursorParams({ limit: 25 });
-const postResponseSchema = cursorResponse(PostSchema, "PostsPage");
-
-router.openapi(
-  createRoute({
-    method: "get",
-    path: "/posts",
-    request: { query: postQuerySchema },
-    responses: { 200: { content: { "application/json": { schema: postResponseSchema } }, description: "ok" } },
-  }),
-  async (c) => {
-    const { limit, cursor } = parseCursorParams(c.req.query(), { limit: 25 });
-    const filter = cursor ? { _id: { $lt: cursor } } : {};
-    const items = await Post.find(filter).sort({ _id: -1 }).limit(limit + 1);
-    const hasMore = items.length > limit;
-    const page = hasMore ? items.slice(0, limit) : items;
-    return c.json({
-      items: page,
-      nextCursor: hasMore ? page[page.length - 1].id : null,
-      hasMore,
-    });
-  }
-);
-```
-
-`cursorResponse(itemSchema, name)` wraps the item schema in `{ items: T[], nextCursor: string | null, hasMore: boolean }`. The `cursor` field is opaque — the service layer decides encoding (ID, timestamp, base64 composite key). An empty cursor string is normalized to `undefined` by `parseCursorParams`.
-
-### TypeScript result type
-
-Use `CursorResult<T>` to type the return value of cursor-paginated service functions:
-
-```ts
-import type { CursorResult } from "@lastshotlabs/bunshot";
-
-async function listPosts(limit: number, cursor?: string): Promise<CursorResult<Post>> {
-  // ...
-}
-```
-
-### Defaults reference
-
-| Parameter | Default | Notes |
-|-----------|---------|-------|
-| `limit` | `50` | Override via `defaults.limit` |
-| `maxLimit` | `200` | Limit clamped to this ceiling |
-| `offset` | `0` | Offset pagination only |

package/docs/sections/peer-dependencies/full.md

@@ -1,47 +0,0 @@
-## Peer Dependencies
-
-Bunshot declares the following as peer dependencies so you control their versions and avoid duplicate installs in your app.
-
-### Required
-
-These must be installed in every consuming app:
-
-```bash
-bun add hono zod
-```
-
-| Package | Required version |
-|---|---|
-| `hono` | `>=4.12 <5` |
-| `zod` | `>=4.0 <5` |
-
-### Optional
-
-Install only what your app actually uses:
-
-```bash
-# MongoDB auth / sessions / cache
-bun add mongoose
-
-# Redis sessions, cache, rate limiting, or BullMQ
-bun add ioredis
-
-# Background job queues
-bun add bullmq
-
-# MFA / TOTP
-bun add otpauth
-
-# MFA / WebAuthn (security keys, Touch ID, Windows Hello)
-bun add @simplewebauthn/server
-```
-
-| Package | Required version | When you need it |
-|---|---|---|
-| `mongoose` | `>=9.0 <10` | `db.auth: "mongo"`, `db.sessions: "mongo"`, or `db.cache: "mongo"` |
-| `ioredis` | `>=5.0 <6` | `db.redis: true` (the default), or any store set to `"redis"` |
-| `bullmq` | `>=5.0 <6` | Workers / queues |
-| `otpauth` | `>=9.0 <10` | `auth.mfa` configuration (TOTP) |
-| `@simplewebauthn/server` | `>=10.0.0` | `auth.mfa.webauthn` configuration |
-
-If you're running fully on SQLite or memory (no Redis, no MongoDB), none of the optional peers are needed.

package/docs/sections/quick-start/full.md

@@ -1,43 +0,0 @@
-## Quick Start
-
-```bash
-bun add @lastshotlabs/bunshot hono zod
-```
-
-```ts
-// src/index.ts
-import { createServer } from "@lastshotlabs/bunshot";
-
-await createServer({
-  routesDir: import.meta.dir + "/routes",
-  db: { auth: "memory", mongo: false, redis: false, sessions: "memory", cache: "memory" },
-});
-```
-
-```ts
-// src/routes/hello.ts
-import { z } from "zod";
-import { createRoute, createRouter } from "@lastshotlabs/bunshot";
-
-export const router = createRouter();
-
-router.openapi(
-  createRoute({
-    method: "get",
-    path: "/hello",
-    responses: {
-      200: {
-        content: { "application/json": { schema: z.object({ message: z.string() }) } },
-        description: "Hello",
-      },
-    },
-  }),
-  (c) => c.json({ message: "Hello world!" }, 200)
-);
-```
-
-```bash
-bun run src/index.ts
-```
-
-Auth, OpenAPI docs (`/docs`), health check, and WebSocket are all live. No databases required — swap `"memory"` for `"redis"` / `"mongo"` / `"sqlite"` when you're ready.

package/docs/sections/response-caching/full.md

@@ -1,117 +0,0 @@
-## Response Caching
-
-Cache GET responses and bust them from mutation endpoints. Supports Redis, MongoDB, SQLite, and memory stores. The cache key is automatically namespaced by `appName` (`cache:{appName}:{key}`), so shared instances across tenant apps never collide.
-
-### Basic usage
-
-```ts
-import { cacheResponse, bustCache } from "@lastshotlabs/bunshot";
-
-// GET — cache the response for 60 seconds in Redis (default)
-router.use("/products", cacheResponse({ ttl: 60, key: "products" }));
-
-// indefinite — cached until busted
-router.use("/config", cacheResponse({ key: "config" }));
-
-router.get("/products", async (c) => {
-  const items = await Product.find();
-  return c.json({ items });
-});
-
-// POST — write data, then bust the shared key (hits all connected stores)
-router.post("/products", userAuth, async (c) => {
-  const body = await c.req.json();
-  await Product.create(body);
-  await bustCache("products");
-  return c.json({ ok: true }, 201);
-});
-```
-
-The `key` string is the shared contract — `cacheResponse` stores under it, `bustCache` deletes it. Responses include an `x-cache: HIT` or `x-cache: MISS` header.
-
-### Choosing a cache store
-
-Pass `store` to select where the response is cached. Defaults to `"redis"`.
-
-```ts
-// Redis (default)
-cacheResponse({ key: "products", ttl: 60 })
-
-// MongoDB — uses appConnection, stores in the `cache_entries` collection
-// TTL is handled natively via a MongoDB expiry index on the expiresAt field
-cacheResponse({ key: "products", ttl: 300, store: "mongo" })
-
-// SQLite — uses the same .db file as sqliteAuthAdapter; requires setSqliteDb or sqliteDb config
-cacheResponse({ key: "products", ttl: 60, store: "sqlite" })
-
-// Memory — in-process Map, ephemeral (cleared on restart), no external dependencies
-cacheResponse({ key: "products", ttl: 60, store: "memory" })
-```
-
-Use SQLite when running without Redis or MongoDB. Use MongoDB when you want cache entries co-located with your app data. Use Redis for lower-latency hot caches. Use Memory for tests or single-process apps where persistence isn't needed.
-
-**Connection requirements:** The chosen store must be initialized when the route is first hit. If `store: "sqlite"` is used but `setSqliteDb` has not been called (e.g. `sqliteDb` was not passed to `createServer`), the middleware throws a clear error on the first request. The same applies to the other stores.
-
-### Busting cached entries
-
-`bustCache` always attempts all four stores (Redis, Mongo, SQLite, Memory), skipping any that aren't connected. This means it works correctly regardless of which `store` option your routes use, and is safe to call in apps that don't use all stores:
-
-```ts
-await bustCache("products"); // hits whichever stores are connected
-```
-
-### Per-user caching
-
-The `key` function receives the full Hono context, so you can scope cache entries to the authenticated user:
-
-```ts
-router.use("/feed", userAuth, cacheResponse({
-  ttl: 60,
-  key: (c) => `feed:${c.get("authUserId")}`,
-}));
-```
-
-`authUserId` is populated by `identify`, which always runs before route middleware, so it's safe to use here.
-
-### Per-resource caching
-
-For routes with dynamic segments, use the function form of `key`. Produce the same string in `bustCache`:
-
-```ts
-// GET /products/:id
-router.use("/products/:id", cacheResponse({
-  ttl: 60,
-  key: (c) => `product:${c.req.param("id")}`,
-}));
-
-router.get("/products/:id", async (c) => {
-  const item = await Product.findById(c.req.param("id"));
-  return c.json(item);
-});
-
-// PUT /products/:id
-router.put("/products/:id", userAuth, async (c) => {
-  const id = c.req.param("id");
-  await Product.findByIdAndUpdate(id, await c.req.json());
-  await bustCache(`product:${id}`);
-  return c.json({ ok: true });
-});
-```
-
-Only 2xx responses are cached. Non-2xx responses pass through uncached. Omit `ttl` to cache indefinitely — the entry will persist until explicitly busted with `bustCache`.
-
-**Header sanitization:** Security-sensitive response headers (`set-cookie`, `www-authenticate`, `authorization`, `x-csrf-token`, `proxy-authenticate`) are automatically stripped before caching to prevent session fixation or auth bypass via cached responses.
-
-### Busting by pattern
-
-When cache keys include variable parts (e.g. query params), use `bustCachePattern` to invalidate an entire logical group at once. It runs against all four stores — Redis (via SCAN), Mongo (via regex), SQLite (via LIKE), and Memory (via regex) — in parallel:
-
-```ts
-import { bustCachePattern } from "@lastshotlabs/bunshot";
-
-// key includes query params: `balance:${userId}:${from}:${to}:${groupBy}`
-// bust all balance entries for this user regardless of params
-await bustCachePattern(`balance:${userId}:*`);
-```
-
-The `*` wildcard is translated to a Redis glob, a Mongo/Memory regex, and a SQLite LIKE pattern automatically. Like `bustCache`, it silently skips any store that isn't connected, so it's safe to call in apps that only use one store.

package/docs/sections/response-caching/overview.md

@@ -1,13 +0,0 @@
-## Response Caching
-
-Cache GET responses with `cacheResponse({ ttl, key })` and bust them with `bustCache(key)`. Supports Redis, MongoDB, SQLite, and memory stores. Cache keys are auto-namespaced by app name and tenant (when multi-tenancy is active).
-
-```ts
-import { cacheResponse, bustCache } from "@lastshotlabs/bunshot";
-
-router.use("/products", cacheResponse({ ttl: 60, key: "products" }));
-// ...
-await bustCache("products"); // hits all connected stores
-```
-
-Supports per-user caching via `key: (c) => ...`, per-resource caching, and wildcard invalidation via `bustCachePattern("products:*")`.