@lastshotlabs/bunshot 0.0.27 → 0.0.28

package/dist/packages/bunshot-auth/src/infra/queue.js

@@ -0,0 +1,27 @@
+function requireBullMQ() {
+    try {
+        // eslint-disable-next-line @typescript-eslint/no-require-imports
+        return require('bullmq');
+    }
+    catch {
+        throw new Error('bullmq is not installed. Run: bun add bullmq');
+    }
+}
+/**
+ * Create a queue factory that captures Redis connection info once.
+ * All queues and workers created from this factory share the same connection.
+ */
+export function createQueueFactory(getRedis) {
+    const client = getRedis();
+    if (!client)
+        throw new Error('[bunshot-auth] Redis not available for queue connection.');
+    const { Queue, Worker } = requireBullMQ();
+    return {
+        createQueue(name, options) {
+            return new Queue(name, { connection: client, ...options });
+        },
+        createWorker(name, processor, options) {
+            return new Worker(name, processor, { connection: client, ...options });
+        },
+    };
+}

package/dist/packages/bunshot-auth/src/infra/redis.d.ts

@@ -0,0 +1,5 @@
+/**
+ * Resolve the Redis client from BunshotContext.
+ * Throws if no redis client is available.
+ */
+export declare function getRedisFromContext(app?: object): any;

package/dist/packages/bunshot-auth/src/infra/redis.js

@@ -0,0 +1,15 @@
+// Auth-internal Redis accessor.
+// Redis client is resolved from BunshotContext — no module-level state.
+import { getContextOrNull } from '../../../bunshot-core/src/index.js';
+/**
+ * Resolve the Redis client from BunshotContext.
+ * Throws if no redis client is available.
+ */
+export function getRedisFromContext(app) {
+    if (app) {
+        const ctx = getContextOrNull(app);
+        if (ctx?.redis)
+            return ctx.redis;
+    }
+    throw new Error('[bunshot-auth] Redis not available. Ensure redis is configured in BunshotContext.');
+}

package/dist/packages/bunshot-auth/src/infra/signing.d.ts

@@ -0,0 +1,7 @@
+import type { SigningConfig } from '../../../bunshot-core/src/index.js';
+/**
+ * Get the signing secret from the resolved SigningConfig.
+ * No process.env fallback — the secret provider injects JWT_SECRET
+ * into SigningConfig.secret during bootstrap.
+ */
+export declare function getSigningSecret(signing?: SigningConfig | null): string | string[] | null;

package/dist/packages/bunshot-auth/src/infra/signing.js

@@ -0,0 +1,8 @@
+/**
+ * Get the signing secret from the resolved SigningConfig.
+ * No process.env fallback — the secret provider injects JWT_SECRET
+ * into SigningConfig.secret during bootstrap.
+ */
+export function getSigningSecret(signing) {
+    return signing?.secret ?? null;
+}

package/dist/packages/bunshot-auth/src/lib/accountLockout.d.ts

@@ -0,0 +1,34 @@
+import { RedisLike } from '../../../bunshot-core/src/index.js';
+import type { RepoFactories } from '../../../bunshot-core/src/index.js';
+export interface LockoutConfig {
+    /** Failed attempts before account lockout. */
+    maxAttempts: number;
+    /** Duration to stay locked in seconds. */
+    lockoutDuration: number;
+    /** Reset failure counter on successful login. Default: true. */
+    resetOnSuccess?: boolean;
+    /** Called when an account is locked. Non-blocking - errors are swallowed. */
+    onLocked?: (userId: string, identifier: string) => Promise<void>;
+}
+export interface ILockoutRepository {
+    getAttempts(key: string): Promise<number>;
+    setAttempts(key: string, count: number, ttlMs: number): Promise<void>;
+    deleteAttempts(key: string): Promise<void>;
+    setLocked(key: string, ttlMs: number): Promise<void>;
+    isLocked(key: string): Promise<boolean>;
+    deleteLocked(key: string): Promise<void>;
+}
+export interface LockoutService {
+    recordFailedAttempt(userId: string): Promise<number>;
+    isAccountLocked(userId: string): Promise<boolean>;
+    lockAccount(userId: string): Promise<void>;
+    unlockAccount(userId: string): Promise<void>;
+    resetFailureCount(userId: string): Promise<void>;
+    readonly config: LockoutConfig;
+}
+export declare function createMemoryLockoutRepository(): ILockoutRepository;
+export declare function createSqliteLockoutRepository(db: import('bun:sqlite').Database): ILockoutRepository;
+export declare function createRedisLockoutRepository(getRedis: () => RedisLike, appName: string): ILockoutRepository;
+export declare function createMongoLockoutRepository(conn: import('mongoose').Connection, mg: typeof import('mongoose')): ILockoutRepository;
+export declare const lockoutRepositoryFactories: RepoFactories<ILockoutRepository>;
+export declare function createLockoutService(config: LockoutConfig, repo: ILockoutRepository): LockoutService;

package/dist/packages/bunshot-auth/src/lib/accountLockout.js

@@ -0,0 +1,244 @@
+import { DEFAULT_MAX_ENTRIES, evictExpired, evictOldest, } from '../../../bunshot-core/src/index.js';
+export function createMemoryLockoutRepository() {
+    const attempts = new Map();
+    const locked = new Map();
+    return {
+        async getAttempts(key) {
+            const entry = attempts.get(key);
+            if (!entry)
+                return 0;
+            if (entry.expiresAt <= Date.now()) {
+                attempts.delete(key);
+                return 0;
+            }
+            return entry.count;
+        },
+        async setAttempts(key, count, ttlMs) {
+            evictExpired(attempts);
+            evictOldest(attempts, DEFAULT_MAX_ENTRIES);
+            attempts.set(key, { count, expiresAt: Date.now() + ttlMs });
+        },
+        async deleteAttempts(key) {
+            attempts.delete(key);
+        },
+        async setLocked(key, ttlMs) {
+            evictOldest(locked, DEFAULT_MAX_ENTRIES);
+            locked.set(key, Date.now() + ttlMs);
+        },
+        async isLocked(key) {
+            const expiresAt = locked.get(key);
+            if (!expiresAt)
+                return false;
+            if (expiresAt <= Date.now()) {
+                locked.delete(key);
+                return false;
+            }
+            return true;
+        },
+        async deleteLocked(key) {
+            locked.delete(key);
+        },
+    };
+}
+// ---------------------------------------------------------------------------
+// SQLite repository factory
+// ---------------------------------------------------------------------------
+export function createSqliteLockoutRepository(db) {
+    let initialized = false;
+    function init() {
+        if (initialized)
+            return;
+        db.run(`CREATE TABLE IF NOT EXISTS auth_lockout_attempts (
+      subjectKey TEXT PRIMARY KEY,
+      count      INTEGER NOT NULL,
+      expiresAt  INTEGER NOT NULL
+    )`);
+        db.run(`CREATE TABLE IF NOT EXISTS auth_locked_accounts (
+      subjectKey TEXT PRIMARY KEY,
+      expiresAt  INTEGER NOT NULL
+    )`);
+        db.run('CREATE INDEX IF NOT EXISTS idx_auth_lockout_attempts_expiresAt ON auth_lockout_attempts(expiresAt)');
+        db.run('CREATE INDEX IF NOT EXISTS idx_auth_locked_accounts_expiresAt ON auth_locked_accounts(expiresAt)');
+        initialized = true;
+    }
+    return {
+        async getAttempts(key) {
+            init();
+            const now = Date.now();
+            const row = db
+                .query('SELECT count FROM auth_lockout_attempts WHERE subjectKey = ? AND expiresAt > ?')
+                .get(key, now);
+            if (row)
+                return row.count;
+            db.run('DELETE FROM auth_lockout_attempts WHERE subjectKey = ? AND expiresAt <= ?', [
+                key,
+                now,
+            ]);
+            return 0;
+        },
+        async setAttempts(key, count, ttlMs) {
+            init();
+            const expiresAt = Date.now() + ttlMs;
+            db.run(`INSERT INTO auth_lockout_attempts (subjectKey, count, expiresAt)
+         VALUES (?, ?, ?)
+         ON CONFLICT(subjectKey) DO UPDATE SET count = excluded.count, expiresAt = excluded.expiresAt`, [key, count, expiresAt]);
+        },
+        async deleteAttempts(key) {
+            init();
+            db.run('DELETE FROM auth_lockout_attempts WHERE subjectKey = ?', [key]);
+        },
+        async setLocked(key, ttlMs) {
+            init();
+            const expiresAt = Date.now() + ttlMs;
+            db.run(`INSERT INTO auth_locked_accounts (subjectKey, expiresAt)
+         VALUES (?, ?)
+         ON CONFLICT(subjectKey) DO UPDATE SET expiresAt = excluded.expiresAt`, [key, expiresAt]);
+        },
+        async isLocked(key) {
+            init();
+            const now = Date.now();
+            const row = db
+                .query('SELECT expiresAt FROM auth_locked_accounts WHERE subjectKey = ? AND expiresAt > ?')
+                .get(key, now);
+            if (row)
+                return true;
+            db.run('DELETE FROM auth_locked_accounts WHERE subjectKey = ? AND expiresAt <= ?', [
+                key,
+                now,
+            ]);
+            return false;
+        },
+        async deleteLocked(key) {
+            init();
+            db.run('DELETE FROM auth_locked_accounts WHERE subjectKey = ?', [key]);
+        },
+    };
+}
+// ---------------------------------------------------------------------------
+// Redis repository factory
+// ---------------------------------------------------------------------------
+export function createRedisLockoutRepository(getRedis, appName) {
+    const redis = getRedis();
+    return {
+        async getAttempts(key) {
+            const raw = await redis.get(`lockout:attempts:${appName}:${key}`);
+            if (!raw)
+                return 0;
+            const value = parseInt(raw, 10);
+            return Number.isFinite(value) ? value : 0;
+        },
+        async setAttempts(key, count, ttlMs) {
+            await redis.set(`lockout:attempts:${appName}:${key}`, String(count), 'PX', ttlMs);
+        },
+        async deleteAttempts(key) {
+            await redis.del(`lockout:attempts:${appName}:${key}`);
+        },
+        async setLocked(key, ttlMs) {
+            await redis.set(`lockout:locked:${appName}:${key}`, '1', 'PX', ttlMs);
+        },
+        async isLocked(key) {
+            const raw = await redis.get(`lockout:locked:${appName}:${key}`);
+            return raw !== null;
+        },
+        async deleteLocked(key) {
+            await redis.del(`lockout:locked:${appName}:${key}`);
+        },
+    };
+}
+export function createMongoLockoutRepository(conn, mg) {
+    function getAttemptsModel() {
+        if (conn.models['AuthLockoutAttempt']) {
+            return conn.models['AuthLockoutAttempt'];
+        }
+        const { Schema } = mg;
+        const schema = new Schema({
+            subjectKey: { type: String, required: true, unique: true },
+            count: { type: Number, required: true },
+            expiresAt: { type: Date, required: true, index: { expireAfterSeconds: 0 } },
+        }, { collection: 'auth_lockout_attempts' });
+        return conn.model('AuthLockoutAttempt', schema);
+    }
+    function getLockedModel() {
+        if (conn.models['AuthLockedAccount']) {
+            return conn.models['AuthLockedAccount'];
+        }
+        const { Schema } = mg;
+        const schema = new Schema({
+            subjectKey: { type: String, required: true, unique: true },
+            expiresAt: { type: Date, required: true, index: { expireAfterSeconds: 0 } },
+        }, { collection: 'auth_locked_accounts' });
+        return conn.model('AuthLockedAccount', schema);
+    }
+    return {
+        async getAttempts(key) {
+            const doc = await getAttemptsModel()
+                .findOne({
+                subjectKey: key,
+                expiresAt: { $gt: new Date() },
+            })
+                .lean();
+            return doc?.count ?? 0;
+        },
+        async setAttempts(key, count, ttlMs) {
+            await getAttemptsModel().updateOne({ subjectKey: key }, { $set: { count, expiresAt: new Date(Date.now() + ttlMs) } }, { upsert: true });
+        },
+        async deleteAttempts(key) {
+            await getAttemptsModel().deleteOne({ subjectKey: key });
+        },
+        async setLocked(key, ttlMs) {
+            await getLockedModel().updateOne({ subjectKey: key }, { $set: { expiresAt: new Date(Date.now() + ttlMs) } }, { upsert: true });
+        },
+        async isLocked(key) {
+            const doc = await getLockedModel()
+                .findOne({
+                subjectKey: key,
+                expiresAt: { $gt: new Date() },
+            })
+                .lean();
+            return doc !== null;
+        },
+        async deleteLocked(key) {
+            await getLockedModel().deleteOne({ subjectKey: key });
+        },
+    };
+}
+export const lockoutRepositoryFactories = {
+    memory: () => createMemoryLockoutRepository(),
+    sqlite: infra => createSqliteLockoutRepository(infra.getSqliteDb()),
+    redis: infra => createRedisLockoutRepository(infra.getRedis, infra.appName),
+    mongo: infra => {
+        const { conn, mg } = infra.getMongo();
+        return createMongoLockoutRepository(conn, mg);
+    },
+    postgres: () => {
+        throw new Error('[bunshot-auth] postgres store is not yet supported for lockout repository');
+    },
+};
+// ---------------------------------------------------------------------------
+// Service factory
+// ---------------------------------------------------------------------------
+export function createLockoutService(config, repo) {
+    return {
+        config,
+        async recordFailedAttempt(userId) {
+            const ttlMs = config.lockoutDuration * 2 * 1000;
+            const current = await repo.getAttempts(userId);
+            const next = current + 1;
+            await repo.setAttempts(userId, next, ttlMs);
+            return next;
+        },
+        async isAccountLocked(userId) {
+            return repo.isLocked(userId);
+        },
+        async lockAccount(userId) {
+            await repo.setLocked(userId, config.lockoutDuration * 1000);
+        },
+        async unlockAccount(userId) {
+            await repo.deleteLocked(userId);
+            await repo.deleteAttempts(userId);
+        },
+        async resetFailureCount(userId) {
+            await repo.deleteAttempts(userId);
+        },
+    };
+}

package/dist/packages/bunshot-auth/src/lib/adapterTiers.d.ts

@@ -0,0 +1 @@
+export type { CoreAuthAdapter, OAuthAdapter, MfaAdapter, WebAuthnAdapter, RolesAdapter, GroupsAdapter, SuspensionAdapter, EnterpriseAdapter, } from '../../../bunshot-core/src/index.js';

package/dist/packages/bunshot-auth/src/lib/adapterTiers.js

@@ -0,0 +1 @@
+export {};

package/dist/packages/bunshot-auth/src/lib/authAdapter.d.ts

@@ -0,0 +1 @@
+export type { GroupRecord, GroupMembershipRecord, PaginationOpts, PaginatedResult, M2MClientRecord, IdentityProfile, WebAuthnCredential, UserQuery, UserRecord, AuthAdapter, } from '../../../bunshot-core/src/index.js';

package/dist/packages/bunshot-auth/src/lib/authAdapter.js

@@ -0,0 +1 @@
+export {};

package/dist/packages/bunshot-auth/src/lib/authContext.d.ts

@@ -0,0 +1,15 @@
+import type { JWTPayload } from 'jose';
+export interface AuthVariables {
+    /** Authenticated user ID from the JWT sid claim. Null when unauthenticated. */
+    authUserId: string | null;
+    /** Session ID from the JWT sid claim. Null when unauthenticated. */
+    sessionId: string | null;
+    /** Effective roles for the authenticated user. Null when unauthenticated. */
+    roles: string[] | null;
+    /** Set by identify when a scope-bearing M2M token (no sid) is verified. */
+    authClientId: string | null;
+    /** Set by bearerAuth when a BearerAuthClient match is found (clientId from the matched entry). */
+    bearerClientId: string | null;
+    /** Raw verified JWT payload stashed by identify for downstream middleware. Null when unauthenticated. */
+    tokenPayload: JWTPayload | null;
+}

package/dist/packages/bunshot-auth/src/lib/authContext.js

@@ -0,0 +1 @@
+export {};

package/dist/packages/bunshot-auth/src/lib/authEventBus.d.ts

@@ -0,0 +1,4 @@
+import type { BunshotEventBus } from '../../../bunshot-core/src/index.js';
+export declare function setAuthEventBus(bus: BunshotEventBus): void;
+/** Returns the active event bus, or a no-op bus if not set (safe for pre-plugin-setup calls). */
+export declare function getAuthEventBus(): BunshotEventBus;

package/dist/packages/bunshot-auth/src/lib/authEventBus.js

@@ -0,0 +1,15 @@
+let _bus = null;
+export function setAuthEventBus(bus) {
+    _bus = bus;
+}
+/** Returns the active event bus, or a no-op bus if not set (safe for pre-plugin-setup calls). */
+export function getAuthEventBus() {
+    if (!_bus) {
+        return {
+            emit: () => { },
+            on: () => { },
+            off: () => { },
+        };
+    }
+    return _bus;
+}

package/dist/packages/bunshot-auth/src/lib/authRateLimit.d.ts

@@ -0,0 +1,28 @@
+import type { RepoFactories } from '../../../bunshot-core/src/index.js';
+import type { RedisLike } from '../types/redis';
+export interface AuthRateLimitEntry {
+    count: number;
+    resetAt: number;
+}
+export interface LimitOpts {
+    windowMs: number;
+    max: number;
+}
+export interface AuthRateLimitService {
+    isLimited(key: string, opts: LimitOpts): Promise<boolean>;
+    trackAttempt(key: string, opts: LimitOpts): Promise<boolean>;
+    bustAuthLimit(key: string): Promise<void>;
+}
+export interface IAuthRateLimitRepository {
+    get(key: string): Promise<AuthRateLimitEntry | null>;
+    set(key: string, entry: AuthRateLimitEntry, ttlMs: number): Promise<void>;
+    delete(key: string): Promise<void>;
+    /** Atomically increment and return the new count. Optional — falls back to read-modify-write. */
+    increment?(key: string, windowMs: number): Promise<number>;
+}
+export declare function createMemoryAuthRateLimitRepository(): IAuthRateLimitRepository;
+export declare function createSqliteAuthRateLimitRepository(db: import('bun:sqlite').Database): IAuthRateLimitRepository;
+export declare function createRedisAuthRateLimitRepository(getRedis: () => RedisLike, appName: string): IAuthRateLimitRepository;
+export declare function createMongoAuthRateLimitRepository(conn: import('mongoose').Connection, mg: typeof import('mongoose')): IAuthRateLimitRepository;
+export declare const authRateLimitFactories: RepoFactories<IAuthRateLimitRepository>;
+export declare function createAuthRateLimitService(repo: IAuthRateLimitRepository): AuthRateLimitService;

package/dist/packages/bunshot-auth/src/lib/authRateLimit.js

@@ -0,0 +1,205 @@
+import { DEFAULT_MAX_ENTRIES, evictOldest } from '../../../bunshot-core/src/index.js';
+// ---------------------------------------------------------------------------
+// Memory repository factory
+// ---------------------------------------------------------------------------
+export function createMemoryAuthRateLimitRepository() {
+    const store = new Map();
+    return {
+        async get(key) {
+            const entry = store.get(key);
+            if (!entry)
+                return null;
+            if (entry.resetAt <= Date.now()) {
+                store.delete(key);
+                return null;
+            }
+            return entry;
+        },
+        async set(key, entry) {
+            evictOldest(store, DEFAULT_MAX_ENTRIES);
+            store.set(key, entry);
+        },
+        async delete(key) {
+            store.delete(key);
+        },
+        // No increment — memory store uses the read-modify-write fallback (single-process, acceptable)
+    };
+}
+// ---------------------------------------------------------------------------
+// SQLite repository factory
+// ---------------------------------------------------------------------------
+export function createSqliteAuthRateLimitRepository(db) {
+    let initialized = false;
+    function init() {
+        if (initialized)
+            return;
+        db.run(`CREATE TABLE IF NOT EXISTS auth_rate_limit (
+      subjectKey TEXT PRIMARY KEY,
+      count      INTEGER NOT NULL,
+      resetAt    INTEGER NOT NULL
+    )`);
+        db.run('CREATE INDEX IF NOT EXISTS idx_auth_rate_limit_resetAt ON auth_rate_limit(resetAt)');
+        initialized = true;
+    }
+    return {
+        async get(key) {
+            init();
+            const now = Date.now();
+            const row = db
+                .query('SELECT count, resetAt FROM auth_rate_limit WHERE subjectKey = ? AND resetAt > ?')
+                .get(key, now);
+            if (row)
+                return { count: row.count, resetAt: row.resetAt };
+            db.run('DELETE FROM auth_rate_limit WHERE subjectKey = ? AND resetAt <= ?', [key, now]);
+            return null;
+        },
+        async set(key, entry) {
+            init();
+            db.run(`INSERT INTO auth_rate_limit (subjectKey, count, resetAt)
+         VALUES (?, ?, ?)
+         ON CONFLICT(subjectKey) DO UPDATE SET count = excluded.count, resetAt = excluded.resetAt`, [key, entry.count, entry.resetAt]);
+        },
+        async delete(key) {
+            init();
+            db.run('DELETE FROM auth_rate_limit WHERE subjectKey = ?', [key]);
+        },
+    };
+}
+// ---------------------------------------------------------------------------
+// Redis repository factory
+// ---------------------------------------------------------------------------
+// Lua script: atomically read + increment + write JSON entry, preserving { count, resetAt } format.
+// Returns the new count as a number.
+const TRACK_SCRIPT = `
+local key = KEYS[1]
+local windowMs = tonumber(ARGV[1])
+local now = tonumber(ARGV[2])
+local raw = redis.call("GET", key)
+local count, resetAt
+
+if raw then
+  local entry = cjson.decode(raw)
+  count = entry.count + 1
+  resetAt = entry.resetAt
+else
+  count = 1
+  resetAt = now + windowMs
+end
+
+local ttl = math.max(1, resetAt - now)
+local payload = cjson.encode({count = count, resetAt = resetAt})
+redis.call("SET", key, payload, "PX", ttl)
+return count
+`;
+export function createRedisAuthRateLimitRepository(getRedis, appName) {
+    const redis = getRedis();
+    return {
+        async get(key) {
+            const raw = await redis.get(`rl:${appName}:${key}`);
+            if (!raw)
+                return null;
+            const entry = JSON.parse(raw);
+            if (entry.resetAt <= Date.now())
+                return null;
+            return entry;
+        },
+        async set(key, entry, ttlMs) {
+            await redis.set(`rl:${appName}:${key}`, JSON.stringify(entry), 'PX', ttlMs);
+        },
+        async delete(key) {
+            await redis.del(`rl:${appName}:${key}`);
+        },
+        async increment(key, windowMs) {
+            const fullKey = `rl:${appName}:${key}`;
+            const now = Date.now();
+            const count = (await redis.eval(TRACK_SCRIPT, 1, fullKey, windowMs, now));
+            return count;
+        },
+    };
+}
+export function createMongoAuthRateLimitRepository(conn, mg) {
+    function getModel() {
+        if (conn.models['AuthRateLimit']) {
+            return conn.models['AuthRateLimit'];
+        }
+        const { Schema } = mg;
+        const schema = new Schema({
+            subjectKey: { type: String, required: true, unique: true },
+            count: { type: Number, required: true },
+            resetAt: { type: Number, required: true },
+            expiresAt: { type: Date, required: true, index: { expireAfterSeconds: 0 } },
+        }, { collection: 'auth_rate_limits' });
+        return conn.model('AuthRateLimit', schema);
+    }
+    return {
+        async get(key) {
+            const now = Date.now();
+            const doc = await getModel()
+                .findOne({
+                subjectKey: key,
+                resetAt: { $gt: now },
+            })
+                .lean();
+            if (!doc)
+                return null;
+            return { count: doc.count, resetAt: doc.resetAt };
+        },
+        async set(key, entry) {
+            await getModel().updateOne({ subjectKey: key }, {
+                $set: {
+                    count: entry.count,
+                    resetAt: entry.resetAt,
+                    expiresAt: new Date(entry.resetAt),
+                },
+            }, { upsert: true });
+        },
+        async delete(key) {
+            await getModel().deleteOne({ subjectKey: key });
+        },
+    };
+}
+export const authRateLimitFactories = {
+    memory: () => createMemoryAuthRateLimitRepository(),
+    sqlite: infra => createSqliteAuthRateLimitRepository(infra.getSqliteDb()),
+    redis: infra => createRedisAuthRateLimitRepository(infra.getRedis, infra.appName),
+    mongo: infra => {
+        const { conn, mg } = infra.getMongo();
+        return createMongoAuthRateLimitRepository(conn, mg);
+    },
+    postgres: () => {
+        throw new Error('[bunshot-auth] postgres store is not yet supported for authRateLimit repository');
+    },
+};
+// ---------------------------------------------------------------------------
+// Service factory
+// ---------------------------------------------------------------------------
+export function createAuthRateLimitService(repo) {
+    return {
+        async isLimited(key, opts) {
+            const entry = await repo.get(key);
+            if (!entry)
+                return false;
+            return entry.count >= opts.max;
+        },
+        async trackAttempt(key, opts) {
+            if (repo.increment) {
+                const count = await repo.increment(key, opts.windowMs);
+                return count >= opts.max;
+            }
+            // Read-modify-write fallback for memory store (single-process — no lost increments)
+            const now = Date.now();
+            const existing = await repo.get(key);
+            if (!existing) {
+                await repo.set(key, { count: 1, resetAt: now + opts.windowMs }, opts.windowMs);
+                return 1 >= opts.max;
+            }
+            const updated = { count: existing.count + 1, resetAt: existing.resetAt };
+            const remaining = Math.max(1, existing.resetAt - now);
+            await repo.set(key, updated, remaining);
+            return updated.count >= opts.max;
+        },
+        async bustAuthLimit(key) {
+            await repo.delete(key);
+        },
+    };
+}

package/dist/{lib → packages/bunshot-auth/src/lib}/breachedPassword.d.ts

@@ -1,4 +1,5 @@
-import type { BreachedPasswordConfig } from "./appConfig";
+import type { BunshotEventBus } from '../../../bunshot-core/src/index.js';
+import type { BreachedPasswordConfig } from '../config/authConfig';
 export type { BreachedPasswordConfig };
 /**
  * Check whether a password has appeared in a data breach using the
@@ -7,7 +8,12 @@ export type { BreachedPasswordConfig };
  * Sends only the first 5 hex chars of the SHA-1 hash — the full hash
  * never leaves the server.
  */
-export declare function checkBreachedPassword(password: string, config?: BreachedPasswordConfig): Promise<{
+export declare function checkBreachedPassword(password: string, config?: BreachedPasswordConfig, context?: {
+    userId?: string;
+    ip?: string;
+    requestId?: string;
+    sessionId?: string;
+}, eventBus?: BunshotEventBus): Promise<{
     breached: boolean;
     count: number;
 }>;