@lastshotlabs/bunshot 0.0.27 → 0.0.28

package/dist/{lib → packages/bunshot-auth/src/lib}/breachedPassword.js

@@ -5,15 +5,18 @@
  * Sends only the first 5 hex chars of the SHA-1 hash — the full hash
  * never leaves the server.
  */
-export async function checkBreachedPassword(password, config) {
+export async function checkBreachedPassword(password, config, context, eventBus) {
     const timeout = config?.timeout ?? 3000;
     const minCount = config?.minBreachCount ?? 1;
     // SHA-1 the password
     const encoder = new TextEncoder();
     const data = encoder.encode(password);
-    const hashBuffer = await crypto.subtle.digest("SHA-1", data);
+    const hashBuffer = await crypto.subtle.digest('SHA-1', data);
     const hashArray = Array.from(new Uint8Array(hashBuffer));
-    const hashHex = hashArray.map((b) => b.toString(16).padStart(2, "0")).join("").toUpperCase();
+    const hashHex = hashArray
+        .map(b => b.toString(16).padStart(2, '0'))
+        .join('')
+        .toUpperCase();
     const prefix = hashHex.slice(0, 5);
     const suffix = hashHex.slice(5);
     let responseText;
@@ -22,7 +25,7 @@ export async function checkBreachedPassword(password, config) {
         const timer = setTimeout(() => controller.abort(), timeout);
         const res = await fetch(`https://api.pwnedpasswords.com/range/${prefix}`, {
             signal: controller.signal,
-            headers: { "Add-Padding": "true" },
+            headers: { 'Add-Padding': 'true' },
         });
         clearTimeout(timer);
         if (!res.ok)
@@ -30,18 +33,28 @@ export async function checkBreachedPassword(password, config) {
         responseText = await res.text();
     }
     catch {
-        // API failure — apply onApiFailure policy
-        if (config?.onApiFailure === "block") {
+        // API failure — emit an observable event regardless of which policy applies,
+        // then apply onApiFailure policy (default: 'allow', i.e. fail-open).
+        eventBus?.emit('security.breached_password.api_failure', {
+            meta: { userId: context?.userId, ip: context?.ip },
+        });
+        if (config?.onApiFailure === 'block') {
             return { breached: true, count: -1 };
         }
         return { breached: false, count: 0 };
     }
     // Parse response: each line is "SUFFIX:COUNT"
-    for (const line of responseText.split("\n")) {
-        const [lineSuffix, countStr] = line.trim().split(":");
+    for (const line of responseText.split('\n')) {
+        const [lineSuffix, countStr] = line.trim().split(':');
         if (lineSuffix === suffix) {
             const count = parseInt(countStr, 10);
-            return { breached: count >= minCount, count };
+            const breached = count >= minCount;
+            if (breached) {
+                eventBus?.emit('security.breached_password.detected', {
+                    meta: { count, userId: context?.userId },
+                });
+            }
+            return { breached, count };
         }
     }
     return { breached: false, count: 0 };

package/dist/packages/bunshot-auth/src/lib/cache.d.ts

@@ -0,0 +1,12 @@
+import type { RedisLike } from '../types/redis';
+export interface ICacheAdapter {
+    name: string;
+    get(key: string): Promise<string | null>;
+    set(key: string, value: string, ttl?: number): Promise<void>;
+    del(key: string): Promise<void>;
+    delPattern(pattern: string): Promise<void>;
+    isReady(): boolean;
+}
+export declare function createMemoryCacheAdapter(): ICacheAdapter;
+export declare function createSqliteCacheAdapter(db: import('bun:sqlite').Database): ICacheAdapter;
+export declare function createRedisCacheAdapter(getRedis: () => RedisLike, appName: string): ICacheAdapter;

package/dist/packages/bunshot-auth/src/lib/cache.js

@@ -0,0 +1,120 @@
+import { DEFAULT_MAX_ENTRIES, evictOldest } from '../../../bunshot-core/src/index.js';
+export function createMemoryCacheAdapter() {
+    const store = new Map();
+    return {
+        name: 'memory',
+        async get(key) {
+            const entry = store.get(key);
+            if (!entry)
+                return null;
+            if (entry.expiresAt > 0 && entry.expiresAt <= Date.now()) {
+                store.delete(key);
+                return null;
+            }
+            return entry.value;
+        },
+        async set(key, value, ttl) {
+            evictOldest(store, DEFAULT_MAX_ENTRIES);
+            const expiresAt = ttl ? Date.now() + ttl * 1000 : 0;
+            store.set(key, { value, expiresAt });
+        },
+        async del(key) {
+            store.delete(key);
+        },
+        async delPattern(pattern) {
+            const regex = new RegExp('^' + pattern.replace(/\*/g, '.*') + '$');
+            for (const key of store.keys()) {
+                if (regex.test(key))
+                    store.delete(key);
+            }
+        },
+        isReady() {
+            return true;
+        },
+    };
+}
+// ---------------------------------------------------------------------------
+// SQLite cache factory
+// ---------------------------------------------------------------------------
+export function createSqliteCacheAdapter(db) {
+    let initialized = false;
+    function init() {
+        if (initialized)
+            return;
+        db.run(`CREATE TABLE IF NOT EXISTS auth_cache (
+      key       TEXT PRIMARY KEY,
+      value     TEXT NOT NULL,
+      expiresAt INTEGER NOT NULL
+    )`);
+        db.run('CREATE INDEX IF NOT EXISTS idx_auth_cache_expiresAt ON auth_cache(expiresAt)');
+        initialized = true;
+    }
+    return {
+        name: 'sqlite',
+        async get(key) {
+            init();
+            const now = Date.now();
+            const row = db
+                .query('SELECT value FROM auth_cache WHERE key = ? AND (expiresAt = 0 OR expiresAt > ?)')
+                .get(key, now);
+            return row?.value ?? null;
+        },
+        async set(key, value, ttl) {
+            init();
+            const expiresAt = ttl ? Date.now() + ttl * 1000 : 0;
+            db.run(`INSERT INTO auth_cache (key, value, expiresAt)
+         VALUES (?, ?, ?)
+         ON CONFLICT(key) DO UPDATE SET value = excluded.value, expiresAt = excluded.expiresAt`, [key, value, expiresAt]);
+        },
+        async del(key) {
+            init();
+            db.run('DELETE FROM auth_cache WHERE key = ?', [key]);
+        },
+        async delPattern(pattern) {
+            init();
+            const likePattern = pattern.replace(/\*/g, '%');
+            db.run('DELETE FROM auth_cache WHERE key LIKE ?', [likePattern]);
+        },
+        isReady() {
+            return true;
+        },
+    };
+}
+// ---------------------------------------------------------------------------
+// Redis cache factory
+// ---------------------------------------------------------------------------
+export function createRedisCacheAdapter(getRedis, appName) {
+    return {
+        name: 'redis',
+        async get(key) {
+            return getRedis().get(`cache:${appName}:${key}`);
+        },
+        async set(key, value, ttl) {
+            if (ttl) {
+                await getRedis().set(`cache:${appName}:${key}`, value, 'EX', ttl);
+            }
+            else {
+                await getRedis().set(`cache:${appName}:${key}`, value);
+            }
+        },
+        async del(key) {
+            await getRedis().del(`cache:${appName}:${key}`);
+        },
+        async delPattern(pattern) {
+            const redis = getRedis();
+            const fullPattern = `cache:${appName}:${pattern.replace(/\*/g, '*')}`;
+            const keys = await redis.keys(fullPattern);
+            if (keys.length > 0)
+                await redis.del(...keys);
+        },
+        isReady() {
+            try {
+                getRedis();
+                return true;
+            }
+            catch {
+                return false;
+            }
+        },
+    };
+}

package/dist/packages/bunshot-auth/src/lib/clientIp.d.ts

@@ -0,0 +1,4 @@
+import type { Context } from "hono";
+export declare const setTrustProxy: (value: false | number) => void;
+export declare const isTrustProxyConfigured: () => boolean;
+export declare const getClientIp: (c: Context<any>) => string;

package/dist/{lib → packages/bunshot-auth/src/lib}/clientIp.js

@@ -2,9 +2,12 @@
 // Trust-proxy configuration (set once at startup via setTrustProxy)
 // ---------------------------------------------------------------------------
 let _trustProxy = false;
+let _trustProxyConfigured = false;
 export const setTrustProxy = (value) => {
     _trustProxy = value;
+    _trustProxyConfigured = true;
 };
+export const isTrustProxyConfigured = () => _trustProxyConfigured;
 // ---------------------------------------------------------------------------
 // Centralized client IP extraction
 // ---------------------------------------------------------------------------
@@ -19,6 +22,8 @@ export const setTrustProxy = (value) => {
  *
  * Returns `"unknown"` if no IP can be determined.
  */
+/** Strip the IPv4-mapped IPv6 prefix added by Node.js/Bun (e.g. "::ffff:127.0.0.1" → "127.0.0.1"). */
+const normalizeIp = (ip) => ip.startsWith("::ffff:") ? ip.slice(7) : ip;
 export const getClientIp = (c) => {
     // Socket-level IP via Bun's server (passed as c.env by Bun.serve)
     let socketIp;
@@ -32,7 +37,7 @@ export const getClientIp = (c) => {
     }
     catch { /* not running under Bun.serve — e.g. test environment */ }
     if (_trustProxy === false) {
-        return socketIp ?? "unknown";
+        return normalizeIp(socketIp ?? "unknown");
     }
     // Trust N proxy hops: take the Nth-from-right in XFF
     const xff = c.req.header("x-forwarded-for");
@@ -41,12 +46,14 @@ export const getClientIp = (c) => {
         // Index from the right: trustProxy=1 means 1 proxy, so take ips[length - 2]
         const idx = ips.length - _trustProxy - 1;
         if (idx >= 0 && ips[idx]) {
-            return ips[idx];
+            return normalizeIp(ips[idx]);
         }
-        // If fewer entries than expected, fall back to leftmost (or socket IP)
-        if (ips.length > 0)
-            return ips[0];
+        // If fewer entries than expected, fall back to socket IP (not leftmost/attacker-controlled)
+        return normalizeIp(socketIp ?? "unknown");
     }
-    // Fallback: X-Real-IP header, then socket IP
-    return c.req.header("x-real-ip") ?? socketIp ?? "unknown";
+    // Fallback: X-Real-IP header (only when proxies are configured), then socket IP
+    // At this point _trustProxy is narrowed to number (not false, since we returned early above)
+    const realIp = c.req.header("x-real-ip");
+    const ip = realIp ?? socketIp ?? "unknown";
+    return normalizeIp(ip);
 };

package/dist/packages/bunshot-auth/src/lib/cookieOptions.d.ts

@@ -0,0 +1,27 @@
+import type { AuthResolvedConfig } from '../config/authConfig';
+/**
+ * Returns cookie options for the HttpOnly session/auth cookie.
+ * httpOnly is always true — not configurable.
+ * Defaults match the previously hardcoded values in each route file.
+ */
+export declare function getAuthCookieOptions(isProduction: boolean, config: AuthResolvedConfig, maxAge?: number): {
+    httpOnly: true;
+    secure: boolean;
+    sameSite: "Strict" | "Lax" | "None";
+    path: string;
+    domain: string | undefined;
+    maxAge: number;
+};
+/**
+ * Returns cookie options for the CSRF double-submit cookie.
+ * httpOnly is always false — JS must read it to set the x-csrf-token header.
+ * Defaults match the previously hardcoded values in csrf.ts.
+ */
+export declare function getCsrfCookieOptions(isProduction: boolean, config: AuthResolvedConfig): {
+    httpOnly: false;
+    secure: boolean;
+    sameSite: "Strict" | "Lax" | "None";
+    path: string;
+    domain: string | undefined;
+    maxAge: number;
+};

package/dist/packages/bunshot-auth/src/lib/cookieOptions.js

@@ -0,0 +1,33 @@
+const DEFAULT_SESSION_TTL_SECONDS = 60 * 60 * 24 * 7; // 7 days
+/**
+ * Returns cookie options for the HttpOnly session/auth cookie.
+ * httpOnly is always true — not configurable.
+ * Defaults match the previously hardcoded values in each route file.
+ */
+export function getAuthCookieOptions(isProduction, config, maxAge) {
+    const c = config.authCookie;
+    return {
+        httpOnly: true, // always true for auth cookies
+        secure: c.secure ?? isProduction,
+        sameSite: (c.sameSite ?? 'Lax'),
+        path: c.path ?? '/',
+        domain: c.domain,
+        maxAge: maxAge ?? c.maxAge ?? DEFAULT_SESSION_TTL_SECONDS,
+    };
+}
+/**
+ * Returns cookie options for the CSRF double-submit cookie.
+ * httpOnly is always false — JS must read it to set the x-csrf-token header.
+ * Defaults match the previously hardcoded values in csrf.ts.
+ */
+export function getCsrfCookieOptions(isProduction, config) {
+    const c = config.csrfCookie;
+    return {
+        httpOnly: false, // always false — JS must read it
+        secure: c.secure ?? isProduction,
+        sameSite: (c.sameSite ?? 'Lax'),
+        path: c.path ?? '/',
+        domain: c.domain,
+        maxAge: c.maxAge ?? 60 * 60 * 24 * 365, // 1 year — tied to browser, not session
+    };
+}

package/dist/packages/bunshot-auth/src/lib/credentialStuffing.d.ts

@@ -0,0 +1,40 @@
+import type { RepoFactories } from '../../../bunshot-core/src/index.js';
+import type { RedisLike } from '../types/redis';
+export interface CredentialStuffingConfig {
+    /** Block when an IP attempts login against this many distinct accounts. Default: 5 per 15 min. */
+    maxAccountsPerIp?: {
+        count: number;
+        windowMs: number;
+    };
+    /** Block when an account is attempted from this many distinct IPs. Default: 10 per 15 min. */
+    maxIpsPerAccount?: {
+        count: number;
+        windowMs: number;
+    };
+    /** Called when stuffing is detected. Non-blocking, errors swallowed. */
+    onDetected?: (signal: {
+        type: 'ip' | 'account';
+        key: string;
+        count: number;
+    }) => void;
+}
+export interface CredentialStuffingService {
+    /**
+     * Records a failed login attempt and checks whether the thresholds are now
+     * exceeded. Returns `true` if the IP or account is now blocked so callers
+     * can gate the response immediately — treat the return value as a blocking
+     * decision, not a fire-and-forget side-effect.
+     */
+    trackFailedLogin(ip: string, identifier: string): Promise<boolean>;
+    isStuffingBlocked(ip: string, identifier: string): Promise<boolean>;
+}
+export interface ICredentialStuffingRepository {
+    addToSet(key: string, member: string, windowMs: number): Promise<number>;
+    getSetSize(key: string, windowMs: number): Promise<number>;
+}
+export declare function createMemoryCredentialStuffingRepository(): ICredentialStuffingRepository;
+export declare function createSqliteCredentialStuffingRepository(db: import('bun:sqlite').Database): ICredentialStuffingRepository;
+export declare function createRedisCredentialStuffingRepository(getRedis: () => RedisLike, appName: string): ICredentialStuffingRepository;
+export declare function createMongoCredentialStuffingRepository(conn: import('mongoose').Connection, mg: typeof import('mongoose')): ICredentialStuffingRepository;
+export declare const credentialStuffingFactories: RepoFactories<ICredentialStuffingRepository>;
+export declare function createCredentialStuffingService(config: CredentialStuffingConfig, repo: ICredentialStuffingRepository): CredentialStuffingService;

package/dist/packages/bunshot-auth/src/lib/credentialStuffing.js

@@ -0,0 +1,221 @@
+import { DEFAULT_MAX_ENTRIES, evictOldest } from '../../../bunshot-core/src/index.js';
+// ---------------------------------------------------------------------------
+// Redis scripts
+// ---------------------------------------------------------------------------
+const REDIS_ADD_TO_SET_LUA = `
+local key = KEYS[1]
+local member = ARGV[1]
+local now = tonumber(ARGV[2])
+local windowStart = tonumber(ARGV[3])
+local windowMs = tonumber(ARGV[4])
+redis.call('ZADD', key, now, member)
+redis.call('ZREMRANGEBYSCORE', key, '-inf', windowStart)
+redis.call('PEXPIRE', key, windowMs)
+return redis.call('ZCARD', key)
+`;
+const REDIS_GET_SET_SIZE_LUA = `
+local key = KEYS[1]
+local windowStart = tonumber(ARGV[1])
+redis.call('ZREMRANGEBYSCORE', key, '-inf', windowStart)
+return redis.call('ZCARD', key)
+`;
+export function createMemoryCredentialStuffingRepository() {
+    const store = new Map();
+    function cleanExpired() {
+        const now = Date.now();
+        for (const [key, entry] of store.entries()) {
+            if (entry.expiresAt < now)
+                store.delete(key);
+        }
+    }
+    return {
+        async addToSet(key, member, windowMs) {
+            cleanExpired();
+            const now = Date.now();
+            let entry = store.get(key);
+            if (!entry || entry.expiresAt < now) {
+                entry = { members: new Set(), expiresAt: now + windowMs };
+                evictOldest(store, DEFAULT_MAX_ENTRIES);
+                store.set(key, entry);
+            }
+            entry.members.add(member);
+            return entry.members.size;
+        },
+        async getSetSize(key) {
+            cleanExpired();
+            const now = Date.now();
+            const entry = store.get(key);
+            if (!entry || entry.expiresAt < now)
+                return 0;
+            return entry.members.size;
+        },
+    };
+}
+// ---------------------------------------------------------------------------
+// SQLite repository factory
+// ---------------------------------------------------------------------------
+export function createSqliteCredentialStuffingRepository(db) {
+    let initialized = false;
+    function init() {
+        if (initialized)
+            return;
+        db.run(`CREATE TABLE IF NOT EXISTS auth_credential_stuffing (
+      bucketKey TEXT NOT NULL,
+      member    TEXT NOT NULL,
+      expiresAt INTEGER NOT NULL,
+      PRIMARY KEY (bucketKey, member)
+    )`);
+        db.run('CREATE INDEX IF NOT EXISTS idx_auth_credential_stuffing_expiresAt ON auth_credential_stuffing(expiresAt)');
+        db.run('CREATE INDEX IF NOT EXISTS idx_auth_credential_stuffing_bucketKey ON auth_credential_stuffing(bucketKey)');
+        initialized = true;
+    }
+    return {
+        async addToSet(key, member, windowMs) {
+            init();
+            const now = Date.now();
+            const expiresAt = now + windowMs;
+            db.run('DELETE FROM auth_credential_stuffing WHERE bucketKey = ? AND expiresAt <= ?', [
+                key,
+                now,
+            ]);
+            db.run(`INSERT INTO auth_credential_stuffing (bucketKey, member, expiresAt)
+         VALUES (?, ?, ?)
+         ON CONFLICT(bucketKey, member) DO UPDATE SET expiresAt = excluded.expiresAt`, [key, member, expiresAt]);
+            const row = db
+                .query('SELECT COUNT(*) AS count FROM auth_credential_stuffing WHERE bucketKey = ? AND expiresAt > ?')
+                .get(key, now);
+            return row?.count ?? 0;
+        },
+        async getSetSize(key) {
+            init();
+            const now = Date.now();
+            db.run('DELETE FROM auth_credential_stuffing WHERE bucketKey = ? AND expiresAt <= ?', [
+                key,
+                now,
+            ]);
+            const row = db
+                .query('SELECT COUNT(*) AS count FROM auth_credential_stuffing WHERE bucketKey = ? AND expiresAt > ?')
+                .get(key, now);
+            return row?.count ?? 0;
+        },
+    };
+}
+// ---------------------------------------------------------------------------
+// Redis repository factory
+// ---------------------------------------------------------------------------
+export function createRedisCredentialStuffingRepository(getRedis, appName) {
+    const redis = getRedis();
+    return {
+        async addToSet(key, member, windowMs) {
+            const now = Date.now();
+            const windowStart = now - windowMs;
+            const fullKey = `credstuffing:${appName}:${key}`;
+            return redis.eval(REDIS_ADD_TO_SET_LUA, 1, fullKey, member, now, windowStart, windowMs);
+        },
+        async getSetSize(key, windowMs) {
+            const now = Date.now();
+            const windowStart = now - windowMs;
+            const fullKey = `credstuffing:${appName}:${key}`;
+            return redis.eval(REDIS_GET_SET_SIZE_LUA, 1, fullKey, windowStart);
+        },
+    };
+}
+export function createMongoCredentialStuffingRepository(conn, mg) {
+    function getModel() {
+        if (conn.models['CredentialStuffing']) {
+            return conn.models['CredentialStuffing'];
+        }
+        const { Schema } = mg;
+        const schema = new Schema({
+            bucketKey: { type: String, required: true, index: true },
+            member: { type: String, required: true },
+            expiresAt: { type: Date, required: true, index: { expireAfterSeconds: 0 } },
+        }, { collection: 'credential_stuffing' });
+        schema.index({ bucketKey: 1, member: 1 }, { unique: true });
+        return conn.model('CredentialStuffing', schema);
+    }
+    return {
+        async addToSet(key, member, windowMs) {
+            const expiresAt = new Date(Date.now() + windowMs);
+            await getModel().updateOne({ bucketKey: key, member }, { $set: { expiresAt } }, { upsert: true });
+            return getModel().countDocuments({
+                bucketKey: key,
+                expiresAt: { $gt: new Date() },
+            });
+        },
+        async getSetSize(key) {
+            return getModel().countDocuments({
+                bucketKey: key,
+                expiresAt: { $gt: new Date() },
+            });
+        },
+    };
+}
+// ---------------------------------------------------------------------------
+// Factory map
+// ---------------------------------------------------------------------------
+export const credentialStuffingFactories = {
+    memory: () => createMemoryCredentialStuffingRepository(),
+    sqlite: infra => createSqliteCredentialStuffingRepository(infra.getSqliteDb()),
+    redis: infra => createRedisCredentialStuffingRepository(infra.getRedis, infra.appName),
+    mongo: infra => {
+        const { conn, mg } = infra.getMongo();
+        return createMongoCredentialStuffingRepository(conn, mg);
+    },
+    postgres: () => {
+        throw new Error('[bunshot-auth] postgres store is not yet supported for credentialStuffing repository');
+    },
+};
+// ---------------------------------------------------------------------------
+// Service factory
+// ---------------------------------------------------------------------------
+export function createCredentialStuffingService(config, repo) {
+    return {
+        async trackFailedLogin(ip, identifier) {
+            const ipMax = config.maxAccountsPerIp?.count ?? 5;
+            const accountMax = config.maxIpsPerAccount?.count ?? 10;
+            const ipWindowMs = config.maxAccountsPerIp?.windowMs ?? 15 * 60 * 1000;
+            const accountWindowMs = config.maxIpsPerAccount?.windowMs ?? 15 * 60 * 1000;
+            const ipCount = await repo.addToSet(`ip:${ip}`, identifier, ipWindowMs);
+            if (ipCount >= ipMax) {
+                try {
+                    config.onDetected?.({ type: 'ip', key: ip, count: ipCount });
+                }
+                catch { }
+                return true;
+            }
+            const accountCount = await repo.addToSet(`account:${identifier}`, ip, accountWindowMs);
+            if (accountCount >= accountMax) {
+                try {
+                    config.onDetected?.({ type: 'account', key: identifier, count: accountCount });
+                }
+                catch { }
+                return true;
+            }
+            return false;
+        },
+        async isStuffingBlocked(ip, identifier) {
+            const ipMax = config.maxAccountsPerIp?.count ?? 5;
+            const accountMax = config.maxIpsPerAccount?.count ?? 10;
+            const ipWindowMs = config.maxAccountsPerIp?.windowMs ?? 15 * 60 * 1000;
+            const accountWindowMs = config.maxIpsPerAccount?.windowMs ?? 15 * 60 * 1000;
+            const ipCount = await repo.getSetSize(`ip:${ip}`, ipWindowMs);
+            if (ipCount >= ipMax) {
+                try {
+                    config.onDetected?.({ type: 'ip', key: ip, count: ipCount });
+                }
+                catch { }
+                return true;
+            }
+            const accountCount = await repo.getSetSize(`account:${identifier}`, accountWindowMs);
+            if (accountCount >= accountMax) {
+                try {
+                    config.onDetected?.({ type: 'account', key: identifier, count: accountCount });
+                }
+                catch { }
+                return true;
+            }
+            return false;
+        },
+    };
+}

package/dist/packages/bunshot-auth/src/lib/deletionCancelToken.d.ts

@@ -0,0 +1,19 @@
+import type { RepoFactories } from '../../../bunshot-core/src/index.js';
+import type { RedisLike } from '../types/redis';
+export interface IDeletionCancelTokenRepository {
+    store(hash: string, userId: string, jobId: string, ttl: number): Promise<void>;
+    consume(hash: string): Promise<{
+        userId: string;
+        jobId: string;
+    } | null>;
+}
+export declare function createMemoryDeletionCancelTokenRepository(): IDeletionCancelTokenRepository;
+export declare function createSqliteDeletionCancelTokenRepository(db: import('bun:sqlite').Database): IDeletionCancelTokenRepository;
+export declare function createRedisDeletionCancelTokenRepository(getRedis: () => RedisLike, appName: string): IDeletionCancelTokenRepository;
+export declare function createMongoDeletionCancelTokenRepository(conn: import('mongoose').Connection, mg: typeof import('mongoose')): IDeletionCancelTokenRepository;
+export declare const deletionCancelTokenFactories: RepoFactories<IDeletionCancelTokenRepository>;
+export declare const createDeletionCancelToken: (repo: IDeletionCancelTokenRepository, userId: string, jobId: string, gracePeriodSeconds: number) => Promise<string>;
+export declare const consumeDeletionCancelToken: (repo: IDeletionCancelTokenRepository, token: string) => Promise<{
+    userId: string;
+    jobId: string;
+} | null>;