npm - @lastshotlabs/bunshot - Versions diffs - 0.0.27 → 0.0.28 - Mend

@lastshotlabs/bunshot 0.0.27 → 0.0.28

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (742) hide show

package/.oclif.manifest.json +39 -0
package/README.md +8282 -2147
package/dist/cli/commands/init.js +690 -0
package/dist/cli/index.js +6 -0
package/dist/cli.js +4 -4
package/dist/packages/bunshot-admin/src/index.d.ts +15 -0
package/dist/packages/bunshot-admin/src/index.js +11 -0
package/dist/packages/bunshot-admin/src/lib/resourceTypes.d.ts +8 -0
package/dist/packages/bunshot-admin/src/lib/resourceTypes.js +33 -0
package/dist/packages/bunshot-admin/src/lib/typedRoute.d.ts +14 -0
package/dist/packages/bunshot-admin/src/lib/typedRoute.js +17 -0
package/dist/packages/bunshot-admin/src/plugin.d.ts +4 -0
package/dist/packages/bunshot-admin/src/plugin.js +46 -0
package/dist/packages/bunshot-admin/src/providers/auth0Access.d.ts +6 -0
package/dist/packages/bunshot-admin/src/providers/auth0Access.js +32 -0
package/dist/packages/bunshot-admin/src/routes/admin.d.ts +10 -0
package/dist/packages/bunshot-admin/src/routes/admin.js +923 -0
package/dist/packages/bunshot-admin/src/routes/mail.d.ts +6 -0
package/dist/packages/bunshot-admin/src/routes/mail.js +114 -0
package/dist/packages/bunshot-admin/src/routes/permissions.d.ts +8 -0
package/dist/packages/bunshot-admin/src/routes/permissions.js +315 -0
package/dist/packages/bunshot-admin/src/types/config.d.ts +16 -0
package/dist/packages/bunshot-admin/src/types/config.js +37 -0
package/dist/packages/bunshot-admin/src/types/env.d.ts +14 -0
package/dist/packages/bunshot-admin/src/types/provider.d.ts +1 -0
package/dist/packages/bunshot-admin/src/types/provider.js +4 -0
package/dist/packages/bunshot-auth/src/adapters/memoryAuth.d.ts +66 -0
package/dist/packages/bunshot-auth/src/adapters/memoryAuth.js +1063 -0
package/dist/packages/bunshot-auth/src/adapters/mongoAuth.d.ts +2 -0
package/dist/packages/bunshot-auth/src/adapters/mongoAuth.js +536 -0
package/dist/packages/bunshot-auth/src/adapters/sqliteAuth.d.ts +88 -0
package/dist/packages/bunshot-auth/src/adapters/sqliteAuth.js +1366 -0
package/dist/packages/bunshot-auth/src/admin/bunshotAccess.d.ts +2 -0
package/dist/packages/bunshot-auth/src/admin/bunshotAccess.js +23 -0
package/dist/packages/bunshot-auth/src/admin/bunshotUsers.d.ts +5 -0
package/dist/packages/bunshot-auth/src/admin/bunshotUsers.js +131 -0
package/dist/packages/bunshot-auth/src/bootstrap.d.ts +38 -0
package/dist/packages/bunshot-auth/src/bootstrap.js +384 -0
package/dist/packages/bunshot-auth/src/config/appConfig.d.ts +3 -0
package/dist/packages/bunshot-auth/src/config/appConfig.js +4 -0
package/dist/packages/bunshot-auth/src/config/authConfig.d.ts +478 -0
package/dist/packages/bunshot-auth/src/config/authConfig.js +46 -0
package/dist/packages/bunshot-auth/src/config/configLock.d.ts +2 -0
package/dist/packages/bunshot-auth/src/config/configLock.js +10 -0
package/dist/packages/bunshot-auth/src/index.d.ts +25 -0
package/dist/packages/bunshot-auth/src/index.js +23 -0
package/dist/packages/bunshot-auth/src/infra/mongo.d.ts +15 -0
package/dist/packages/bunshot-auth/src/infra/mongo.js +44 -0
package/dist/packages/bunshot-auth/src/infra/queue.d.ts +14 -0
package/dist/packages/bunshot-auth/src/infra/queue.js +27 -0
package/dist/packages/bunshot-auth/src/infra/redis.d.ts +5 -0
package/dist/packages/bunshot-auth/src/infra/redis.js +15 -0
package/dist/packages/bunshot-auth/src/infra/signing.d.ts +7 -0
package/dist/packages/bunshot-auth/src/infra/signing.js +8 -0
package/dist/packages/bunshot-auth/src/lib/accountLockout.d.ts +34 -0
package/dist/packages/bunshot-auth/src/lib/accountLockout.js +244 -0
package/dist/packages/bunshot-auth/src/lib/adapterTiers.d.ts +1 -0
package/dist/packages/bunshot-auth/src/lib/adapterTiers.js +1 -0
package/dist/packages/bunshot-auth/src/lib/authAdapter.d.ts +1 -0
package/dist/packages/bunshot-auth/src/lib/authAdapter.js +1 -0
package/dist/packages/bunshot-auth/src/lib/authContext.d.ts +15 -0
package/dist/packages/bunshot-auth/src/lib/authContext.js +1 -0
package/dist/packages/bunshot-auth/src/lib/authEventBus.d.ts +4 -0
package/dist/packages/bunshot-auth/src/lib/authEventBus.js +15 -0
package/dist/packages/bunshot-auth/src/lib/authRateLimit.d.ts +28 -0
package/dist/packages/bunshot-auth/src/lib/authRateLimit.js +205 -0
package/dist/{lib → packages/bunshot-auth/src/lib}/breachedPassword.d.ts +8 -2
package/dist/{lib → packages/bunshot-auth/src/lib}/breachedPassword.js +22 -9
package/dist/packages/bunshot-auth/src/lib/cache.d.ts +12 -0
package/dist/packages/bunshot-auth/src/lib/cache.js +120 -0
package/dist/packages/bunshot-auth/src/lib/clientIp.d.ts +4 -0
package/dist/{lib → packages/bunshot-auth/src/lib}/clientIp.js +14 -7
package/dist/packages/bunshot-auth/src/lib/cookieOptions.d.ts +27 -0
package/dist/packages/bunshot-auth/src/lib/cookieOptions.js +33 -0
package/dist/packages/bunshot-auth/src/lib/credentialStuffing.d.ts +40 -0
package/dist/packages/bunshot-auth/src/lib/credentialStuffing.js +221 -0
package/dist/packages/bunshot-auth/src/lib/deletionCancelToken.d.ts +19 -0
package/dist/packages/bunshot-auth/src/lib/deletionCancelToken.js +148 -0
package/dist/packages/bunshot-auth/src/lib/emailTemplates.d.ts +23 -0
package/dist/packages/bunshot-auth/src/lib/emailTemplates.js +265 -0
package/dist/packages/bunshot-auth/src/lib/emailVerification.d.ts +30 -0
package/dist/packages/bunshot-auth/src/lib/emailVerification.js +200 -0
package/dist/packages/bunshot-auth/src/lib/env.d.ts +1 -0
package/dist/packages/bunshot-auth/src/lib/env.js +3 -0
package/dist/packages/bunshot-auth/src/lib/fingerprint.js +36 -0
package/dist/{lib → packages/bunshot-auth/src/lib}/groups.d.ts +15 -16
package/dist/{lib → packages/bunshot-auth/src/lib}/groups.js +22 -34
package/dist/packages/bunshot-auth/src/lib/jwks.d.ts +28 -0
package/dist/packages/bunshot-auth/src/lib/jwks.js +79 -0
package/dist/packages/bunshot-auth/src/lib/jwt.d.ts +12 -0
package/dist/packages/bunshot-auth/src/lib/jwt.js +86 -0
package/dist/{lib → packages/bunshot-auth/src/lib}/logger.js +3 -3
package/dist/{lib → packages/bunshot-auth/src/lib}/m2m.d.ts +5 -4
package/dist/{lib → packages/bunshot-auth/src/lib}/m2m.js +6 -10
package/dist/packages/bunshot-auth/src/lib/magicLink.d.ts +13 -0
package/dist/packages/bunshot-auth/src/lib/magicLink.js +145 -0
package/dist/packages/bunshot-auth/src/lib/mfaChallenge.d.ts +60 -0
package/dist/packages/bunshot-auth/src/lib/mfaChallenge.js +419 -0
package/dist/packages/bunshot-auth/src/lib/oauth.d.ts +82 -0
package/dist/packages/bunshot-auth/src/lib/oauth.js +177 -0
package/dist/packages/bunshot-auth/src/lib/oauthCode.d.ts +19 -0
package/dist/packages/bunshot-auth/src/lib/oauthCode.js +182 -0
package/dist/packages/bunshot-auth/src/lib/oauthReauth.d.ts +19 -0
package/dist/packages/bunshot-auth/src/lib/oauthReauth.js +255 -0
package/dist/packages/bunshot-auth/src/lib/organization.d.ts +66 -0
package/dist/packages/bunshot-auth/src/lib/organization.js +225 -0
package/dist/packages/bunshot-auth/src/lib/passwordHistory.d.ts +12 -0
package/dist/packages/bunshot-auth/src/lib/passwordHistory.js +31 -0
package/dist/packages/bunshot-auth/src/lib/resetPassword.d.ts +20 -0
package/dist/packages/bunshot-auth/src/lib/resetPassword.js +148 -0
package/dist/packages/bunshot-auth/src/lib/roles.d.ts +9 -0
package/dist/packages/bunshot-auth/src/lib/roles.js +93 -0
package/dist/packages/bunshot-auth/src/lib/saml.d.ts +29 -0
package/dist/packages/bunshot-auth/src/lib/saml.js +73 -0
package/dist/packages/bunshot-auth/src/lib/samlRequestId.d.ts +13 -0
package/dist/packages/bunshot-auth/src/lib/samlRequestId.js +129 -0
package/dist/{lib → packages/bunshot-auth/src/lib}/scim.d.ts +7 -7
package/dist/{lib → packages/bunshot-auth/src/lib}/scim.js +15 -13
package/dist/packages/bunshot-auth/src/lib/securityEventWiring.d.ts +22 -0
package/dist/packages/bunshot-auth/src/lib/securityEventWiring.js +65 -0
package/dist/packages/bunshot-auth/src/lib/session.d.ts +45 -0
package/dist/packages/bunshot-auth/src/lib/session.js +1211 -0
package/dist/packages/bunshot-auth/src/lib/storeInfra.d.ts +26 -0
package/dist/packages/bunshot-auth/src/lib/storeInfra.js +18 -0
package/dist/{lib → packages/bunshot-auth/src/lib}/suspension.d.ts +3 -2
package/dist/{lib → packages/bunshot-auth/src/lib}/suspension.js +2 -5
package/dist/packages/bunshot-auth/src/lib/validateAdapter.d.ts +16 -0
package/dist/packages/bunshot-auth/src/lib/validateAdapter.js +161 -0
package/dist/packages/bunshot-auth/src/middleware/bearerAuth.d.ts +13 -0
package/dist/packages/bunshot-auth/src/middleware/bearerAuth.js +58 -0
package/dist/{middleware → packages/bunshot-auth/src/middleware}/csrf.d.ts +5 -4
package/dist/packages/bunshot-auth/src/middleware/csrf.js +138 -0
package/dist/packages/bunshot-auth/src/middleware/identify.d.ts +4 -0
package/dist/packages/bunshot-auth/src/middleware/identify.js +124 -0
package/dist/{middleware → packages/bunshot-auth/src/middleware}/requireMfaSetup.d.ts +2 -2
package/dist/{middleware → packages/bunshot-auth/src/middleware}/requireMfaSetup.js +10 -8
package/dist/{middleware → packages/bunshot-auth/src/middleware}/requireRole.d.ts +2 -2
package/dist/{middleware → packages/bunshot-auth/src/middleware}/requireRole.js +20 -16
package/dist/{middleware → packages/bunshot-auth/src/middleware}/requireScope.d.ts +2 -2
package/dist/{middleware → packages/bunshot-auth/src/middleware}/requireScope.js +6 -6
package/dist/{middleware → packages/bunshot-auth/src/middleware}/requireStepUp.d.ts +2 -2
package/dist/{middleware → packages/bunshot-auth/src/middleware}/requireStepUp.js +8 -7
package/dist/{middleware → packages/bunshot-auth/src/middleware}/requireVerifiedEmail.d.ts +2 -2
package/dist/{middleware → packages/bunshot-auth/src/middleware}/requireVerifiedEmail.js +7 -6
package/dist/packages/bunshot-auth/src/middleware/scimAuth.d.ts +8 -0
package/dist/packages/bunshot-auth/src/middleware/scimAuth.js +29 -0
package/dist/packages/bunshot-auth/src/middleware/userAuth.d.ts +3 -0
package/dist/packages/bunshot-auth/src/middleware/userAuth.js +6 -0
package/dist/{models → packages/bunshot-auth/src/models}/AuthUser.d.ts +12 -8
package/dist/packages/bunshot-auth/src/models/AuthUser.js +53 -0
package/dist/packages/bunshot-auth/src/models/Group.d.ts +19 -0
package/dist/packages/bunshot-auth/src/models/Group.js +22 -0
package/dist/{models → packages/bunshot-auth/src/models}/GroupMembership.d.ts +6 -8
package/dist/packages/bunshot-auth/src/models/GroupMembership.js +19 -0
package/dist/{models → packages/bunshot-auth/src/models}/M2MClient.d.ts +1 -1
package/dist/{models → packages/bunshot-auth/src/models}/M2MClient.js +5 -5
package/dist/packages/bunshot-auth/src/models/TenantRole.d.ts +13 -0
package/dist/packages/bunshot-auth/src/models/TenantRole.js +17 -0
package/dist/packages/bunshot-auth/src/plugin.d.ts +4 -0
package/dist/packages/bunshot-auth/src/plugin.js +274 -0
package/dist/packages/bunshot-auth/src/routes/auth.d.ts +15 -0
package/dist/packages/bunshot-auth/src/routes/auth.js +1624 -0
package/dist/packages/bunshot-auth/src/routes/groups.d.ts +4 -0
package/dist/packages/bunshot-auth/src/routes/groups.js +481 -0
package/dist/packages/bunshot-auth/src/routes/m2m.d.ts +2 -0
package/dist/packages/bunshot-auth/src/routes/m2m.js +145 -0
package/dist/packages/bunshot-auth/src/routes/mfa.d.ts +6 -0
package/dist/packages/bunshot-auth/src/routes/mfa.js +991 -0
package/dist/packages/bunshot-auth/src/routes/oauth.d.ts +3 -0
package/dist/packages/bunshot-auth/src/routes/oauth.js +1727 -0
package/dist/packages/bunshot-auth/src/routes/oidc.d.ts +2 -0
package/dist/packages/bunshot-auth/src/routes/oidc.js +84 -0
package/dist/packages/bunshot-auth/src/routes/organizations.d.ts +3 -0
package/dist/packages/bunshot-auth/src/routes/organizations.js +741 -0
package/dist/packages/bunshot-auth/src/routes/passkey.d.ts +2 -0
package/dist/packages/bunshot-auth/src/routes/passkey.js +199 -0
package/dist/packages/bunshot-auth/src/routes/saml.d.ts +2 -0
package/dist/packages/bunshot-auth/src/routes/saml.js +226 -0
package/dist/packages/bunshot-auth/src/routes/scim.d.ts +3 -0
package/dist/packages/bunshot-auth/src/routes/scim.js +588 -0
package/dist/packages/bunshot-auth/src/runtime.d.ts +52 -0
package/dist/packages/bunshot-auth/src/runtime.js +11 -0
package/dist/{schemas → packages/bunshot-auth/src/schemas}/auth.d.ts +4 -5
package/dist/packages/bunshot-auth/src/schemas/auth.js +24 -0
package/dist/packages/bunshot-auth/src/schemas/error.d.ts +10 -0
package/dist/packages/bunshot-auth/src/schemas/error.js +10 -0
package/dist/packages/bunshot-auth/src/schemas/success.d.ts +10 -0
package/dist/packages/bunshot-auth/src/schemas/success.js +10 -0
package/dist/packages/bunshot-auth/src/services/auth.d.ts +39 -0
package/dist/packages/bunshot-auth/src/services/auth.js +378 -0
package/dist/{services → packages/bunshot-auth/src/services}/mfa.d.ts +41 -17
package/dist/{services → packages/bunshot-auth/src/services}/mfa.js +259 -183
package/dist/packages/bunshot-auth/src/testing.d.ts +31 -0
package/dist/packages/bunshot-auth/src/testing.js +23 -0
package/dist/packages/bunshot-auth/src/types/adapter.d.ts +1 -0
package/dist/packages/bunshot-auth/src/types/adapter.js +1 -0
package/dist/packages/bunshot-auth/src/types/config.d.ts +152 -0
package/dist/packages/bunshot-auth/src/types/config.js +179 -0
package/dist/{routes → packages/bunshot-auth/src/types}/groups.d.ts +2 -3
package/dist/packages/bunshot-auth/src/types/groups.js +1 -0
package/dist/packages/bunshot-auth/src/types/oauthCode.d.ts +6 -0
package/dist/packages/bunshot-auth/src/types/oauthCode.js +1 -0
package/dist/packages/bunshot-auth/src/types/oauthReauth.d.ts +13 -0
package/dist/packages/bunshot-auth/src/types/oauthReauth.js +1 -0
package/dist/packages/bunshot-auth/src/types/redis.d.ts +1 -0
package/dist/packages/bunshot-auth/src/types/redis.js +1 -0
package/dist/packages/bunshot-auth/src/types/saml.d.ts +10 -0
package/dist/packages/bunshot-auth/src/types/saml.js +1 -0
package/dist/packages/bunshot-auth/src/types/session.d.ts +18 -0
package/dist/packages/bunshot-auth/src/types/session.js +1 -0
package/dist/packages/bunshot-auth/src/types/store.d.ts +1 -0
package/dist/packages/bunshot-auth/src/types/store.js +1 -0
package/dist/packages/bunshot-core/src/adminProvider.d.ts +95 -0
package/dist/packages/bunshot-core/src/adminProvider.js +1 -0
package/dist/packages/bunshot-core/src/auditLog.d.ts +34 -0
package/dist/packages/bunshot-core/src/auditLog.js +1 -0
package/dist/packages/bunshot-core/src/auth-adapter.d.ts +227 -0
package/dist/packages/bunshot-core/src/auth-adapter.js +4 -0
package/dist/packages/bunshot-core/src/authVariables.d.ts +14 -0
package/dist/packages/bunshot-core/src/authVariables.js +4 -0
package/dist/packages/bunshot-core/src/cache.d.ts +12 -0
package/dist/packages/bunshot-core/src/cache.js +21 -0
package/dist/{lib → packages/bunshot-core/src}/captcha.d.ts +1 -10
package/dist/packages/bunshot-core/src/captcha.js +1 -0
package/dist/packages/bunshot-core/src/clearRegistry.d.ts +6 -0
package/dist/packages/bunshot-core/src/clearRegistry.js +17 -0
package/dist/packages/bunshot-core/src/clientIp.d.ts +3 -0
package/dist/packages/bunshot-core/src/clientIp.js +45 -0
package/dist/packages/bunshot-core/src/configLock.d.ts +4 -0
package/dist/packages/bunshot-core/src/configLock.js +7 -0
package/dist/packages/bunshot-core/src/configValidation.d.ts +22 -0
package/dist/packages/bunshot-core/src/configValidation.js +39 -0
package/dist/packages/bunshot-core/src/constants.js +10 -0
package/dist/packages/bunshot-core/src/context/bunshotContext.d.ts +232 -0
package/dist/packages/bunshot-core/src/context/bunshotContext.js +1 -0
package/dist/packages/bunshot-core/src/context/contextAccess.d.ts +3 -0
package/dist/packages/bunshot-core/src/context/contextAccess.js +16 -0
package/dist/packages/bunshot-core/src/context/contextStore.d.ts +16 -0
package/dist/packages/bunshot-core/src/context/contextStore.js +31 -0
package/dist/packages/bunshot-core/src/context/frameworkConfig.d.ts +38 -0
package/dist/packages/bunshot-core/src/context/frameworkConfig.js +1 -0
package/dist/packages/bunshot-core/src/context/index.d.ts +4 -0
package/dist/packages/bunshot-core/src/context/index.js +2 -0
package/dist/packages/bunshot-core/src/context.d.ts +40 -0
package/dist/packages/bunshot-core/src/context.js +35 -0
package/dist/packages/bunshot-core/src/coreContracts.d.ts +47 -0
package/dist/packages/bunshot-core/src/coreContracts.js +1 -0
package/dist/packages/bunshot-core/src/coreRegistrar.d.ts +6 -0
package/dist/packages/bunshot-core/src/coreRegistrar.js +42 -0
package/dist/{lib → packages/bunshot-core/src}/createRoute.d.ts +4 -30
package/dist/{lib → packages/bunshot-core/src}/createRoute.js +39 -88
package/dist/packages/bunshot-core/src/cronRegistry.d.ts +11 -0
package/dist/packages/bunshot-core/src/cronRegistry.js +1 -0
package/dist/packages/bunshot-core/src/crypto.d.ts +43 -0
package/dist/packages/bunshot-core/src/crypto.js +74 -0
package/dist/packages/bunshot-core/src/csrf.d.ts +8 -0
package/dist/packages/bunshot-core/src/csrf.js +1 -0
package/dist/packages/bunshot-core/src/defaults/defaultFingerprint.d.ts +7 -0
package/dist/packages/bunshot-core/src/defaults/defaultFingerprint.js +19 -0
package/dist/packages/bunshot-core/src/defaults/memoryCacheAdapter.d.ts +6 -0
package/dist/packages/bunshot-core/src/defaults/memoryCacheAdapter.js +40 -0
package/dist/packages/bunshot-core/src/defaults/memoryRateLimit.d.ts +6 -0
package/dist/packages/bunshot-core/src/defaults/memoryRateLimit.js +24 -0
package/dist/packages/bunshot-core/src/emailTemplates.d.ts +5 -0
package/dist/packages/bunshot-core/src/emailTemplates.js +10 -0
package/dist/{lib/HttpError.d.ts → packages/bunshot-core/src/errors.d.ts} +4 -1
package/dist/{lib/HttpError.js → packages/bunshot-core/src/errors.js} +7 -1
package/dist/packages/bunshot-core/src/eventBus.d.ts +270 -0
package/dist/packages/bunshot-core/src/eventBus.js +143 -0
package/dist/packages/bunshot-core/src/idempotency.d.ts +18 -0
package/dist/packages/bunshot-core/src/idempotency.js +1 -0
package/dist/packages/bunshot-core/src/index.d.ts +60 -0
package/dist/packages/bunshot-core/src/index.js +34 -0
package/dist/packages/bunshot-core/src/mail.d.ts +14 -0
package/dist/packages/bunshot-core/src/mail.js +8 -0
package/dist/packages/bunshot-core/src/memoryEviction.d.ts +24 -0
package/dist/packages/bunshot-core/src/memoryEviction.js +52 -0
package/dist/packages/bunshot-core/src/pagination.d.ts +45 -0
package/dist/packages/bunshot-core/src/pagination.js +61 -0
package/dist/packages/bunshot-core/src/permissions.d.ts +64 -0
package/dist/packages/bunshot-core/src/permissions.js +27 -0
package/dist/packages/bunshot-core/src/plugin.d.ts +44 -0
package/dist/packages/bunshot-core/src/plugin.js +1 -0
package/dist/packages/bunshot-core/src/rateLimit.d.ts +5 -0
package/dist/packages/bunshot-core/src/rateLimit.js +18 -0
package/dist/packages/bunshot-core/src/redis.d.ts +21 -0
package/dist/packages/bunshot-core/src/redis.js +1 -0
package/dist/packages/bunshot-core/src/routeAuth.d.ts +5 -0
package/dist/packages/bunshot-core/src/routeAuth.js +11 -0
package/dist/packages/bunshot-core/src/routeOverrides.d.ts +24 -0
package/dist/packages/bunshot-core/src/routeOverrides.js +25 -0
package/dist/packages/bunshot-core/src/routerAdapter.d.ts +6 -0
package/dist/packages/bunshot-core/src/routerAdapter.js +56 -0
package/dist/packages/bunshot-core/src/secrets.d.ts +48 -0
package/dist/packages/bunshot-core/src/secrets.js +8 -0
package/dist/packages/bunshot-core/src/signing.d.ts +41 -0
package/dist/packages/bunshot-core/src/signing.js +1 -0
package/dist/packages/bunshot-core/src/sse.d.ts +36 -0
package/dist/packages/bunshot-core/src/sse.js +1 -0
package/dist/packages/bunshot-core/src/storageAdapter.js +1 -0
package/dist/packages/bunshot-core/src/storeInfra.d.ts +44 -0
package/dist/packages/bunshot-core/src/storeInfra.js +18 -0
package/dist/packages/bunshot-core/src/storeType.d.ts +7 -0
package/dist/packages/bunshot-core/src/storeType.js +1 -0
package/dist/packages/bunshot-core/src/testing.d.ts +1 -0
package/dist/packages/bunshot-core/src/testing.js +1 -0
package/dist/packages/bunshot-core/src/uploadRegistry.d.ts +23 -0
package/dist/packages/bunshot-core/src/uploadRegistry.js +4 -0
package/dist/packages/bunshot-core/src/userResolver.d.ts +5 -0
package/dist/packages/bunshot-core/src/userResolver.js +14 -0
package/dist/packages/bunshot-core/src/wsMessages.d.ts +42 -0
package/dist/packages/bunshot-core/src/wsMessages.js +4 -0
package/dist/packages/bunshot-permissions/src/adapters/memory.d.ts +7 -0
package/dist/packages/bunshot-permissions/src/adapters/memory.js +73 -0
package/dist/packages/bunshot-permissions/src/index.d.ts +10 -0
package/dist/packages/bunshot-permissions/src/index.js +5 -0
package/dist/packages/bunshot-permissions/src/lib/bootstrap.d.ts +7 -0
package/dist/packages/bunshot-permissions/src/lib/bootstrap.js +12 -0
package/dist/packages/bunshot-permissions/src/lib/evaluator.d.ts +10 -0
package/dist/packages/bunshot-permissions/src/lib/evaluator.js +165 -0
package/dist/packages/bunshot-permissions/src/lib/registry.d.ts +2 -0
package/dist/packages/bunshot-permissions/src/lib/registry.js +31 -0
package/dist/packages/bunshot-permissions/src/lib/validation.d.ts +1 -0
package/dist/packages/bunshot-permissions/src/lib/validation.js +1 -0
package/dist/packages/bunshot-permissions/src/types/adapter.d.ts +1 -0
package/dist/packages/bunshot-permissions/src/types/adapter.js +1 -0
package/dist/packages/bunshot-permissions/src/types/evaluator.d.ts +1 -0
package/dist/packages/bunshot-permissions/src/types/evaluator.js +1 -0
package/dist/packages/bunshot-permissions/src/types/models.d.ts +1 -0
package/dist/packages/bunshot-permissions/src/types/models.js +1 -0
package/dist/packages/bunshot-permissions/src/types/registry.d.ts +1 -0
package/dist/packages/bunshot-permissions/src/types/registry.js +1 -0
package/dist/packages/bunshot-postgres/src/adapter.d.ts +6 -0
package/dist/packages/bunshot-postgres/src/adapter.js +794 -0
package/dist/packages/bunshot-postgres/src/connection.d.ts +15 -0
package/dist/packages/bunshot-postgres/src/connection.js +16 -0
package/dist/packages/bunshot-postgres/src/index.d.ts +4 -0
package/dist/packages/bunshot-postgres/src/index.js +2 -0
package/dist/packages/bunshot-postgres/src/schema.d.ts +997 -0
package/dist/packages/bunshot-postgres/src/schema.js +105 -0
package/dist/src/app.d.ts +230 -0
package/dist/src/app.js +182 -0
package/dist/src/cli/commands/init.d.ts +10 -0
package/dist/src/cli/commands/init.js +709 -0
package/dist/src/cli/index.d.ts +1 -0
package/dist/src/cli/index.js +3 -0
package/dist/src/entrypoints/mongo.d.ts +6 -0
package/dist/src/entrypoints/mongo.js +4 -0
package/dist/src/entrypoints/queue.d.ts +2 -0
package/dist/src/entrypoints/queue.js +1 -0
package/dist/src/entrypoints/redis.d.ts +1 -0
package/dist/src/entrypoints/redis.js +1 -0
package/dist/{adapters → src/framework/adapters}/localStorage.d.ts +1 -1
package/dist/{adapters → src/framework/adapters}/localStorage.js +10 -10
package/dist/src/framework/adapters/memoryStorage.d.ts +2 -0
package/dist/src/framework/adapters/memoryStorage.js +45 -0
package/dist/{adapters → src/framework/adapters}/s3Storage.d.ts +1 -1
package/dist/{adapters → src/framework/adapters}/s3Storage.js +12 -12
package/dist/src/framework/admin/bunshotAccess.d.ts +2 -0
package/dist/src/framework/admin/bunshotAccess.js +23 -0
package/dist/src/framework/admin/bunshotUsers.d.ts +2 -0
package/dist/src/framework/admin/bunshotUsers.js +103 -0
package/dist/src/framework/admin/index.d.ts +7 -0
package/dist/src/framework/admin/index.js +21 -0
package/dist/src/framework/boundaryAdapters/cacheFactories.d.ts +13 -0
package/dist/src/framework/boundaryAdapters/cacheFactories.js +86 -0
package/dist/src/framework/boundaryAdapters/index.d.ts +2 -0
package/dist/src/framework/boundaryAdapters/index.js +1 -0
package/dist/src/framework/boundaryAdapters.d.ts +17 -0
package/dist/src/framework/boundaryAdapters.js +62 -0
package/dist/src/framework/buildContext.d.ts +33 -0
package/dist/src/framework/buildContext.js +119 -0
package/dist/src/framework/config/schema.d.ts +447 -0
package/dist/src/framework/config/schema.js +528 -0
package/dist/src/framework/createInfrastructure.d.ts +76 -0
package/dist/src/framework/createInfrastructure.js +221 -0
package/dist/src/framework/lib/auditLog.d.ts +23 -0
package/dist/src/framework/lib/auditLog.js +416 -0
package/dist/src/framework/lib/captcha.d.ts +11 -0
package/dist/{lib → src/framework/lib}/captcha.js +13 -10
package/dist/{lib → src/framework/lib}/createDtoMapper.js +4 -4
package/dist/src/framework/lib/createRoute.d.ts +1 -0
package/dist/src/framework/lib/createRoute.js +2 -0
package/dist/{lib → src/framework/lib}/idempotency.d.ts +2 -6
package/dist/src/framework/lib/idempotency.js +74 -0
package/dist/src/framework/lib/logger.d.ts +3 -0
package/dist/src/framework/lib/logger.js +14 -0
package/dist/src/framework/lib/metrics.d.ts +34 -0
package/dist/{lib → src/framework/lib}/metrics.js +49 -57
package/dist/src/framework/lib/pagination.d.ts +42 -0
package/dist/src/framework/lib/pagination.js +51 -0
package/dist/src/framework/lib/redisTransport.d.ts +38 -0
package/dist/src/framework/lib/redisTransport.js +107 -0
package/dist/src/framework/lib/resolveUserId.d.ts +2 -0
package/dist/src/framework/lib/resolveUserId.js +5 -0
package/dist/src/framework/lib/sseCollision.d.ts +6 -0
package/dist/src/framework/lib/sseCollision.js +26 -0
package/dist/src/framework/lib/storageAdapter.d.ts +1 -0
package/dist/src/framework/lib/storageAdapter.js +1 -0
package/dist/{lib → src/framework/lib}/stripUnreferencedSchemas.js +4 -4
package/dist/src/framework/lib/tenant.d.ts +21 -0
package/dist/src/framework/lib/tenant.js +70 -0
package/dist/{lib → src/framework/lib}/upload.d.ts +11 -10
package/dist/src/framework/lib/upload.js +132 -0
package/dist/src/framework/lib/uploadRegistry.d.ts +23 -0
package/dist/src/framework/lib/uploadRegistry.js +34 -0
package/dist/{lib → src/framework/lib}/validate.d.ts +1 -1
package/dist/{lib → src/framework/lib}/validate.js +2 -2
package/dist/src/framework/lib/ws.d.ts +19 -0
package/dist/src/framework/lib/ws.js +130 -0
package/dist/src/framework/lib/wsHeartbeat.d.ts +12 -0
package/dist/src/framework/lib/wsHeartbeat.js +53 -0
package/dist/src/framework/lib/wsMessages.d.ts +25 -0
package/dist/src/framework/lib/wsMessages.js +45 -0
package/dist/src/framework/lib/wsNamespace.d.ts +17 -0
package/dist/src/framework/lib/wsNamespace.js +19 -0
package/dist/src/framework/lib/wsPresence.d.ts +17 -0
package/dist/src/framework/lib/wsPresence.js +84 -0
package/dist/src/framework/lib/wsTransport.d.ts +38 -0
package/dist/src/framework/lib/wsTransport.js +9 -0
package/dist/{lib → src/framework/lib}/zodToMongoose.d.ts +1 -1
package/dist/{lib → src/framework/lib}/zodToMongoose.js +11 -11
package/dist/{middleware → src/framework/middleware}/auditLog.d.ts +4 -3
package/dist/src/framework/middleware/auditLog.js +42 -0
package/dist/{middleware → src/framework/middleware}/botProtection.d.ts +2 -2
package/dist/{middleware → src/framework/middleware}/botProtection.js +8 -9
package/dist/src/framework/middleware/cacheResponse.d.ts +35 -0
package/dist/src/framework/middleware/cacheResponse.js +126 -0
package/dist/{middleware → src/framework/middleware}/captcha.d.ts +2 -3
package/dist/src/framework/middleware/captcha.js +37 -0
package/dist/{middleware → src/framework/middleware}/errorHandler.d.ts +1 -1
package/dist/{middleware → src/framework/middleware}/errorHandler.js +2 -2
package/dist/src/framework/middleware/index.js +1 -0
package/dist/{middleware → src/framework/middleware}/logger.d.ts +1 -1
package/dist/src/framework/middleware/metrics.d.ts +12 -0
package/dist/src/framework/middleware/metrics.js +26 -0
package/dist/{middleware → src/framework/middleware}/rateLimit.d.ts +2 -2
package/dist/src/framework/middleware/rateLimit.js +22 -0
package/dist/src/framework/middleware/requestId.d.ts +3 -0
package/dist/{middleware → src/framework/middleware}/requestId.js +2 -2
package/dist/{middleware → src/framework/middleware}/requestLogger.d.ts +3 -3
package/dist/{middleware → src/framework/middleware}/requestLogger.js +17 -12
package/dist/{middleware → src/framework/middleware}/requestSigning.d.ts +2 -2
package/dist/{middleware → src/framework/middleware}/requestSigning.js +18 -20
package/dist/src/framework/middleware/tenant.d.ts +14 -0
package/dist/{middleware → src/framework/middleware}/tenant.js +31 -27
package/dist/src/framework/middleware/upload.d.ts +5 -0
package/dist/{middleware → src/framework/middleware}/upload.js +4 -4
package/dist/{middleware → src/framework/middleware}/webhookAuth.d.ts +3 -3
package/dist/{middleware → src/framework/middleware}/webhookAuth.js +11 -12
package/dist/src/framework/models/AuditLog.d.ts +21 -0
package/dist/src/framework/models/AuditLog.js +31 -0
package/dist/src/framework/mountMiddleware.d.ts +91 -0
package/dist/src/framework/mountMiddleware.js +128 -0
package/dist/src/framework/mountOptionalEndpoints.d.ts +103 -0
package/dist/src/framework/mountOptionalEndpoints.js +47 -0
package/dist/src/framework/mountRoutes.d.ts +21 -0
package/dist/src/framework/mountRoutes.js +144 -0
package/dist/src/framework/persistence/cronRegistry.d.ts +28 -0
package/dist/src/framework/persistence/cronRegistry.js +139 -0
package/dist/src/framework/persistence/idempotency.d.ts +26 -0
package/dist/src/framework/persistence/idempotency.js +178 -0
package/dist/src/framework/persistence/index.d.ts +6 -0
package/dist/src/framework/persistence/index.js +8 -0
package/dist/src/framework/persistence/storeInfra.d.ts +9 -0
package/dist/src/framework/persistence/storeInfra.js +1 -0
package/dist/src/framework/persistence/uploadRegistry.d.ts +35 -0
package/dist/src/framework/persistence/uploadRegistry.js +235 -0
package/dist/src/framework/persistence/wsMessages.d.ts +22 -0
package/dist/src/framework/persistence/wsMessages.js +296 -0
package/dist/src/framework/preloadSchemas.d.ts +24 -0
package/dist/src/framework/preloadSchemas.js +42 -0
package/dist/src/framework/registerBoundaryAdapters.d.ts +23 -0
package/dist/src/framework/registerBoundaryAdapters.js +46 -0
package/dist/src/framework/routes/admin.d.ts +9 -0
package/dist/src/framework/routes/admin.js +361 -0
package/dist/src/framework/routes/health.d.ts +1 -0
package/dist/src/framework/routes/health.js +21 -0
package/dist/src/framework/routes/home.d.ts +1 -0
package/dist/src/framework/routes/home.js +18 -0
package/dist/src/framework/routes/jobs.d.ts +3 -0
package/dist/{routes → src/framework/routes}/jobs.js +128 -103
package/dist/src/framework/routes/metrics.d.ts +10 -0
package/dist/src/framework/routes/metrics.js +57 -0
package/dist/{routes → src/framework/routes}/uploads.d.ts +3 -3
package/dist/src/framework/routes/uploads.js +262 -0
package/dist/src/framework/runPluginLifecycle.d.ts +27 -0
package/dist/src/framework/runPluginLifecycle.js +121 -0
package/dist/src/framework/secrets/frameworkSecretSchema.d.ts +58 -0
package/dist/src/framework/secrets/frameworkSecretSchema.js +20 -0
package/dist/src/framework/secrets/index.d.ts +9 -0
package/dist/src/framework/secrets/index.js +7 -0
package/dist/src/framework/secrets/providers/envProvider.d.ts +15 -0
package/dist/src/framework/secrets/providers/envProvider.js +18 -0
package/dist/src/framework/secrets/providers/fileProvider.d.ts +8 -0
package/dist/src/framework/secrets/providers/fileProvider.js +82 -0
package/dist/src/framework/secrets/providers/ssmProvider.d.ts +20 -0
package/dist/src/framework/secrets/providers/ssmProvider.js +127 -0
package/dist/src/framework/secrets/resolveSecretBundle.d.ts +53 -0
package/dist/src/framework/secrets/resolveSecretBundle.js +84 -0
package/dist/src/framework/secrets/resolveSecrets.d.ts +18 -0
package/dist/src/framework/secrets/resolveSecrets.js +34 -0
package/dist/src/framework/sse/index.d.ts +21 -0
package/dist/src/framework/sse/index.js +109 -0
package/dist/src/framework/ws/index.d.ts +11 -0
package/dist/src/framework/ws/index.js +8 -0
package/dist/src/index.d.ts +87 -0
package/dist/src/index.js +58 -0
package/dist/src/lib/appConfig.d.ts +7 -0
package/dist/src/lib/appConfig.js +27 -0
package/dist/src/lib/appMeta.d.ts +7 -0
package/dist/src/lib/appMeta.js +3 -0
package/dist/src/lib/authConfig.d.ts +532 -0
package/dist/{lib/appConfig.js → src/lib/authConfig.js} +75 -17
package/dist/{lib → src/lib}/context.d.ts +6 -12
package/dist/{lib → src/lib}/context.js +5 -5
package/dist/src/lib/logger.d.ts +1 -0
package/dist/src/lib/logger.js +1 -0
package/dist/src/lib/mongo.d.ts +58 -0
package/dist/src/lib/mongo.js +96 -0
package/dist/src/lib/queue.d.ts +72 -0
package/dist/src/lib/queue.js +152 -0
package/dist/src/lib/redis.d.ts +28 -0
package/dist/src/lib/redis.js +72 -0
package/dist/{lib → src/lib}/signing.d.ts +2 -2
package/dist/src/lib/signing.js +210 -0
package/dist/src/lib/signingConfig.d.ts +40 -0
package/dist/src/lib/signingConfig.js +28 -0
package/dist/src/server.d.ts +146 -0
package/dist/src/server.js +469 -0
package/dist/src/shared/lib/HttpError.d.ts +1 -0
package/dist/src/shared/lib/HttpError.js +2 -0
package/dist/src/shared/lib/constants.d.ts +10 -0
package/dist/src/shared/lib/crypto.d.ts +43 -0
package/dist/src/shared/lib/crypto.js +74 -0
package/dist/src/shared/lib/signing.d.ts +52 -0
package/dist/{lib → src/shared/lib}/signing.js +35 -8
package/dist/src/testing.d.ts +34 -0
package/dist/src/testing.js +93 -0
package/package.json +60 -24
package/dist/adapters/memoryAuth.d.ts +0 -52
package/dist/adapters/memoryAuth.js +0 -749
package/dist/adapters/memoryStorage.d.ts +0 -3
package/dist/adapters/memoryStorage.js +0 -44
package/dist/adapters/mongoAuth.d.ts +0 -2
package/dist/adapters/mongoAuth.js +0 -403
package/dist/adapters/sqliteAuth.d.ts +0 -72
package/dist/adapters/sqliteAuth.js +0 -858
package/dist/app.d.ts +0 -559
package/dist/app.js +0 -651
package/dist/entrypoints/mongo.d.ts +0 -5
package/dist/entrypoints/mongo.js +0 -4
package/dist/entrypoints/queue.d.ts +0 -2
package/dist/entrypoints/queue.js +0 -1
package/dist/entrypoints/redis.d.ts +0 -1
package/dist/entrypoints/redis.js +0 -1
package/dist/index.d.ts +0 -117
package/dist/index.js +0 -88
package/dist/lib/appConfig.d.ts +0 -275
package/dist/lib/auditLog.d.ts +0 -58
package/dist/lib/auditLog.js +0 -218
package/dist/lib/authAdapter.d.ts +0 -246
package/dist/lib/authAdapter.js +0 -7
package/dist/lib/authRateLimit.d.ts +0 -13
package/dist/lib/authRateLimit.js +0 -117
package/dist/lib/clientIp.d.ts +0 -14
package/dist/lib/credentialStuffing.d.ts +0 -31
package/dist/lib/credentialStuffing.js +0 -77
package/dist/lib/crypto.d.ts +0 -11
package/dist/lib/crypto.js +0 -22
package/dist/lib/deletionCancelToken.d.ts +0 -12
package/dist/lib/deletionCancelToken.js +0 -88
package/dist/lib/emailVerification.d.ts +0 -19
package/dist/lib/emailVerification.js +0 -129
package/dist/lib/fingerprint.js +0 -36
package/dist/lib/idempotency.js +0 -182
package/dist/lib/jwks.d.ts +0 -25
package/dist/lib/jwks.js +0 -51
package/dist/lib/jwt.d.ts +0 -15
package/dist/lib/jwt.js +0 -111
package/dist/lib/metrics.d.ts +0 -14
package/dist/lib/mfaChallenge.d.ts +0 -55
package/dist/lib/mfaChallenge.js +0 -398
package/dist/lib/mongo.d.ts +0 -39
package/dist/lib/mongo.js +0 -124
package/dist/lib/oauth.d.ts +0 -40
package/dist/lib/oauth.js +0 -101
package/dist/lib/oauthCode.d.ts +0 -15
package/dist/lib/oauthCode.js +0 -95
package/dist/lib/pagination.d.ts +0 -119
package/dist/lib/pagination.js +0 -166
package/dist/lib/queue.d.ts +0 -37
package/dist/lib/queue.js +0 -117
package/dist/lib/redis.d.ts +0 -9
package/dist/lib/redis.js +0 -61
package/dist/lib/resetPassword.d.ts +0 -12
package/dist/lib/resetPassword.js +0 -93
package/dist/lib/roles.d.ts +0 -7
package/dist/lib/roles.js +0 -49
package/dist/lib/saml.d.ts +0 -25
package/dist/lib/saml.js +0 -64
package/dist/lib/securityEvents.d.ts +0 -28
package/dist/lib/securityEvents.js +0 -26
package/dist/lib/session.d.ts +0 -49
package/dist/lib/session.js +0 -597
package/dist/lib/tenant.d.ts +0 -15
package/dist/lib/tenant.js +0 -65
package/dist/lib/upload.js +0 -112
package/dist/lib/uploadRegistry.d.ts +0 -18
package/dist/lib/uploadRegistry.js +0 -83
package/dist/lib/ws.d.ts +0 -22
package/dist/lib/ws.js +0 -96
package/dist/lib/wsHeartbeat.d.ts +0 -12
package/dist/lib/wsHeartbeat.js +0 -57
package/dist/lib/wsMessages.d.ts +0 -40
package/dist/lib/wsMessages.js +0 -330
package/dist/lib/wsPresence.d.ts +0 -25
package/dist/lib/wsPresence.js +0 -99
package/dist/middleware/auditLog.js +0 -39
package/dist/middleware/bearerAuth.d.ts +0 -2
package/dist/middleware/bearerAuth.js +0 -11
package/dist/middleware/cacheResponse.d.ts +0 -15
package/dist/middleware/cacheResponse.js +0 -178
package/dist/middleware/captcha.js +0 -36
package/dist/middleware/csrf.js +0 -129
package/dist/middleware/identify.d.ts +0 -3
package/dist/middleware/identify.js +0 -122
package/dist/middleware/index.js +0 -1
package/dist/middleware/metrics.d.ts +0 -9
package/dist/middleware/metrics.js +0 -26
package/dist/middleware/rateLimit.js +0 -22
package/dist/middleware/requestId.d.ts +0 -3
package/dist/middleware/scimAuth.d.ts +0 -8
package/dist/middleware/scimAuth.js +0 -29
package/dist/middleware/tenant.d.ts +0 -5
package/dist/middleware/upload.d.ts +0 -5
package/dist/middleware/userAuth.d.ts +0 -3
package/dist/middleware/userAuth.js +0 -6
package/dist/models/AuditLog.d.ts +0 -30
package/dist/models/AuditLog.js +0 -39
package/dist/models/AuthUser.js +0 -55
package/dist/models/Group.d.ts +0 -21
package/dist/models/Group.js +0 -28
package/dist/models/GroupMembership.js +0 -25
package/dist/models/TenantRole.d.ts +0 -15
package/dist/models/TenantRole.js +0 -23
package/dist/routes/auth.d.ts +0 -12
package/dist/routes/auth.js +0 -744
package/dist/routes/groups.js +0 -346
package/dist/routes/health.d.ts +0 -1
package/dist/routes/health.js +0 -22
package/dist/routes/home.d.ts +0 -1
package/dist/routes/home.js +0 -16
package/dist/routes/jobs.d.ts +0 -2
package/dist/routes/m2m.d.ts +0 -2
package/dist/routes/m2m.js +0 -72
package/dist/routes/metrics.d.ts +0 -8
package/dist/routes/metrics.js +0 -55
package/dist/routes/mfa.d.ts +0 -5
package/dist/routes/mfa.js +0 -628
package/dist/routes/oauth.d.ts +0 -2
package/dist/routes/oauth.js +0 -520
package/dist/routes/oidc.d.ts +0 -2
package/dist/routes/oidc.js +0 -29
package/dist/routes/passkey.d.ts +0 -1
package/dist/routes/passkey.js +0 -157
package/dist/routes/saml.d.ts +0 -2
package/dist/routes/saml.js +0 -86
package/dist/routes/scim.d.ts +0 -2
package/dist/routes/scim.js +0 -255
package/dist/routes/uploads.js +0 -227
package/dist/schemas/auth.js +0 -30
package/dist/server.d.ts +0 -57
package/dist/server.js +0 -112
package/dist/services/auth.d.ts +0 -29
package/dist/services/auth.js +0 -238
package/dist/ws/index.d.ts +0 -10
package/dist/ws/index.js +0 -39
package/docs/sections/adding-middleware/full.md +0 -35
package/docs/sections/adding-models/full.md +0 -125
package/docs/sections/adding-models/overview.md +0 -13
package/docs/sections/adding-routes/full.md +0 -182
package/docs/sections/adding-routes/overview.md +0 -23
package/docs/sections/auth-flow/full.md +0 -790
package/docs/sections/auth-flow/overview.md +0 -10
package/docs/sections/auth-security-examples/full.md +0 -388
package/docs/sections/authentication/full.md +0 -130
package/docs/sections/authentication/overview.md +0 -5
package/docs/sections/cli/full.md +0 -42
package/docs/sections/configuration/full.md +0 -172
package/docs/sections/configuration/overview.md +0 -18
package/docs/sections/configuration-example/full.md +0 -117
package/docs/sections/configuration-example/overview.md +0 -30
package/docs/sections/documentation/full.md +0 -171
package/docs/sections/environment-variables/full.md +0 -55
package/docs/sections/exports/full.md +0 -123
package/docs/sections/extending-context/full.md +0 -59
package/docs/sections/header.md +0 -3
package/docs/sections/installation/full.md +0 -6
package/docs/sections/jobs/full.md +0 -140
package/docs/sections/jobs/overview.md +0 -15
package/docs/sections/logging/full.md +0 -83
package/docs/sections/metrics/full.md +0 -131
package/docs/sections/mongodb-connections/full.md +0 -45
package/docs/sections/mongodb-connections/overview.md +0 -7
package/docs/sections/multi-tenancy/full.md +0 -66
package/docs/sections/multi-tenancy/overview.md +0 -15
package/docs/sections/oauth/full.md +0 -189
package/docs/sections/oauth/overview.md +0 -16
package/docs/sections/package-development/full.md +0 -7
package/docs/sections/pagination/full.md +0 -93
package/docs/sections/passkey-login/full.md +0 -90
package/docs/sections/passkey-login/overview.md +0 -1
package/docs/sections/peer-dependencies/full.md +0 -47
package/docs/sections/quick-start/full.md +0 -43
package/docs/sections/response-caching/full.md +0 -117
package/docs/sections/response-caching/overview.md +0 -13
package/docs/sections/roles/full.md +0 -225
package/docs/sections/roles/overview.md +0 -14
package/docs/sections/running-without-redis/full.md +0 -16
package/docs/sections/running-without-redis-or-mongodb/full.md +0 -60
package/docs/sections/signing/full.md +0 -203
package/docs/sections/stack/full.md +0 -10
package/docs/sections/uploads/full.md +0 -208
package/docs/sections/versioning/full.md +0 -85
package/docs/sections/webhook-auth/full.md +0 -100
package/docs/sections/websocket/full.md +0 -196
package/docs/sections/websocket/overview.md +0 -5
package/docs/sections/websocket-rooms/full.md +0 -102
package/docs/sections/websocket-rooms/overview.md +0 -5
/package/dist/{lib/storageAdapter.js → packages/bunshot-admin/src/types/env.js} +0 -0
/package/dist/{lib → packages/bunshot-auth/src/lib}/fingerprint.d.ts +0 -0
/package/dist/{lib → packages/bunshot-auth/src/lib}/logger.d.ts +0 -0
/package/dist/{lib → packages/bunshot-core/src}/constants.d.ts +0 -0
/package/dist/{lib → packages/bunshot-core/src}/storageAdapter.d.ts +0 -0
/package/dist/{lib → src/framework/lib}/createDtoMapper.d.ts +0 -0
/package/dist/{lib → src/framework/lib}/stripUnreferencedSchemas.d.ts +0 -0
/package/dist/{middleware → src/framework/middleware}/cors.d.ts +0 -0
/package/dist/{middleware → src/framework/middleware}/cors.js +0 -0
/package/dist/{middleware → src/framework/middleware}/index.d.ts +0 -0
/package/dist/{middleware → src/framework/middleware}/logger.js +0 -0
/package/dist/{lib → src/shared/lib}/constants.js +0 -0

package/dist/packages/bunshot-auth/src/schemas/auth.js ADDED Viewed

@@ -0,0 +1,24 @@
+import { z } from 'zod';
+const passwordSchema = (policy) => {
+    const minLen = policy.minLength ?? 8;
+    let schema = z.string().min(minLen, `Password must be at least ${minLen} characters`);
+    if (policy.requireLetter !== false) {
+        schema = schema.regex(/[a-zA-Z]/, 'Password must contain at least one letter');
+    }
+    if (policy.requireDigit !== false) {
+        schema = schema.regex(/\d/, 'Password must contain at least one digit');
+    }
+    if (policy.requireSpecial) {
+        schema = schema.regex(/[^a-zA-Z0-9]/, 'Password must contain at least one special character');
+    }
+    return schema;
+};
+export const makeRegisterSchema = (primaryField, policy) => z.object({
+    [primaryField]: primaryField === 'email' ? z.string().email().max(256) : z.string().min(3).max(256),
+    password: passwordSchema(policy).max(128),
+});
+export const makeLoginSchema = (primaryField) => z.object({
+    [primaryField]: primaryField === 'email' ? z.string().email().max(256) : z.string().min(1).max(256),
+    password: z.string().min(1).max(128),
+});
+export const resetPasswordSchema = (policy) => passwordSchema(policy);

package/dist/packages/bunshot-auth/src/schemas/error.d.ts ADDED Viewed

@@ -0,0 +1,10 @@
+import { z } from 'zod';
+/**
+ * Canonical error response schema shared across all auth routes.
+ *
+ * M2M and SCIM routes intentionally use spec-compliant error shapes
+ * (RFC 6749 and SCIM RFC 7644 respectively) and do not use this schema.
+ */
+export declare const ErrorResponse: z.ZodObject<{
+    error: z.ZodString;
+}, z.core.$strip>;

package/dist/packages/bunshot-auth/src/schemas/error.js ADDED Viewed

@@ -0,0 +1,10 @@
+import { z } from 'zod';
+/**
+ * Canonical error response schema shared across all auth routes.
+ *
+ * M2M and SCIM routes intentionally use spec-compliant error shapes
+ * (RFC 6749 and SCIM RFC 7644 respectively) and do not use this schema.
+ */
+export const ErrorResponse = z
+    .object({ error: z.string().describe('Human-readable error message.') })
+    .openapi('ErrorResponse');

package/dist/packages/bunshot-auth/src/schemas/success.d.ts ADDED Viewed

@@ -0,0 +1,10 @@
+import { z } from 'zod';
+/**
+ * Canonical generic success response for auth routes.
+ *
+ * Use this for acknowledgement-style successes. Routes with domain data
+ * should extend this shape or return their domain object directly.
+ */
+export declare const SuccessResponse: z.ZodObject<{
+    ok: z.ZodLiteral<true>;
+}, z.core.$strip>;

package/dist/packages/bunshot-auth/src/schemas/success.js ADDED Viewed

@@ -0,0 +1,10 @@
+import { z } from 'zod';
+/**
+ * Canonical generic success response for auth routes.
+ *
+ * Use this for acknowledgement-style successes. Routes with domain data
+ * should extend this shape or return their domain object directly.
+ */
+export const SuccessResponse = z
+    .object({ ok: z.literal(true).describe('Operation completed successfully.') })
+    .openapi('AuthSuccessResponse');

package/dist/packages/bunshot-auth/src/services/auth.d.ts ADDED Viewed

@@ -0,0 +1,39 @@
+import type { SessionMetadata } from '../lib/session';
+import type { HookContext } from '../config/authConfig';
+import type { AuthRuntimeContext } from '../runtime';
+export interface AuthResult {
+    token: string;
+    userId: string;
+    email?: string;
+    emailVerified?: boolean;
+    googleLinked?: boolean;
+    refreshToken?: string;
+    mfaRequired?: boolean;
+    mfaToken?: string;
+    mfaMethods?: string[];
+    webauthnOptions?: Record<string, unknown>;
+}
+export declare const runPreLoginHook: (identifier: string, runtime: AuthRuntimeContext, hookContext?: HookContext) => Promise<void>;
+export declare const emitLoginSuccess: (userId: string, sessionId: string, runtime: AuthRuntimeContext) => void;
+/** Create a session for a user (used internally and by MFA verify). */
+export declare const createSessionForUser: (userId: string, runtime: AuthRuntimeContext, metadata?: SessionMetadata, hookContext?: HookContext) => Promise<{
+    token: string;
+    refreshToken?: string;
+    sessionId: string;
+}>;
+export interface RegisterOptions {
+    metadata?: SessionMetadata;
+    /** When true, skip session creation. Returns { userId } without a token. */
+    skipSession?: boolean;
+    hookContext?: HookContext;
+}
+export declare const register: (identifier: string, password: string, runtime: AuthRuntimeContext, metadataOrOptions?: SessionMetadata | RegisterOptions) => Promise<AuthResult>;
+export declare const login: (identifier: string, password: string, runtime: AuthRuntimeContext, metadata?: SessionMetadata, hookContext?: HookContext) => Promise<AuthResult>;
+export declare const refresh: (refreshTokenValue: string, runtime: AuthRuntimeContext) => Promise<{
+    token: string;
+    refreshToken: string;
+    userId: string;
+}>;
+export declare const deleteAccount: (userId: string, runtime: AuthRuntimeContext, password?: string) => Promise<void>;
+export declare const logout: (token: string | null, runtime: AuthRuntimeContext) => Promise<void>;
+export declare const passkeyLogin: (passkeyToken: string, assertionResponse: any, runtime: AuthRuntimeContext, metadata?: SessionMetadata, hookContext?: HookContext) => Promise<AuthResult>;

package/dist/packages/bunshot-auth/src/services/auth.js ADDED Viewed

@@ -0,0 +1,378 @@
+import { createVerificationToken } from '../lib/emailVerification';
+import { signToken, verifyToken } from '../lib/jwt';
+import { createMfaChallenge } from '../lib/mfaChallenge';
+import { getSuspended } from '../lib/suspension';
+import { generateEmailOtpCode, generateWebAuthnAuthenticationOptions } from '../services/mfa';
+import { HttpError } from '../../../bunshot-core/src/index.js';
+export const runPreLoginHook = async (identifier, runtime, hookContext) => {
+    const hooks = runtime.config.hooks;
+    if (hooks.preLogin)
+        await hooks.preLogin({ identifier, ...hookContext });
+};
+export const emitLoginSuccess = (userId, sessionId, runtime) => {
+    runtime.eventBus.emit('security.auth.login.success', { userId });
+    runtime.eventBus.emit('auth:login', { userId, sessionId });
+};
+async function createSessionWithRefreshToken(userId, sessionId, runtime, metadata, hookContext) {
+    const { config, eventBus } = runtime;
+    const hooks = config.hooks;
+    // Fire postLogin before signing the token so customClaims can be injected
+    let customClaims;
+    if (hooks.postLogin) {
+        try {
+            const result = await hooks.postLogin({ userId, sessionId, ...hookContext });
+            if (result && typeof result === 'object' && result.customClaims) {
+                customClaims = result.customClaims;
+            }
+        }
+        catch (e) {
+            console.error('[lifecycle] postLogin hook error:', e instanceof Error ? e.message : String(e));
+        }
+    }
+    const rtConfig = config.refreshToken;
+    // When refresh tokens are disabled the JWT is the sole credential, so it must carry an explicit
+    // expiry. Tie it to the configured session absolute timeout so the two stay in sync; fall back
+    // to 604 800 s (7 days) to preserve the historic default for deployments that haven't set
+    // absoluteTimeout. Operators who want shorter-lived tokens should configure absoluteTimeout.
+    const expirySeconds = rtConfig
+        ? (rtConfig.accessTokenExpiry ?? 900)
+        : (config.sessionPolicy?.absoluteTimeout ?? 604800);
+    // Strip JOSE-managed claims and the code-owned identity claims from customClaims so
+    // that a postLogin hook returning { exp: 0 } or { sub: "attacker" } cannot override them.
+    // The setter methods (setExpirationTime, setIssuedAt, setIssuer, setAudience) always win
+    // at the jose level, but stripping here keeps the payload object trustworthy before signing.
+    const RESERVED_CLAIMS = new Set(['exp', 'iat', 'nbf', 'iss', 'aud', 'jti', 'sub', 'sid']);
+    const safeClaims = customClaims
+        ? Object.fromEntries(Object.entries(customClaims).filter(([k]) => !RESERVED_CLAIMS.has(k)))
+        : undefined;
+    const claims = { sub: userId, sid: sessionId, ...safeClaims };
+    const token = await signToken(claims, expirySeconds, config, runtime.signing);
+    const sessionRepo = runtime.repos.session;
+    await sessionRepo.atomicCreateSession(userId, token, sessionId, config.maxSessions, metadata, config);
+    let refreshToken;
+    if (rtConfig) {
+        refreshToken = crypto.randomUUID();
+        await sessionRepo.setRefreshToken(sessionId, refreshToken, config);
+    }
+    eventBus.emit('security.auth.session.created', { userId, sessionId });
+    return { token, refreshToken, sessionId };
+}
+/** Create a session for a user (used internally and by MFA verify). */
+export const createSessionForUser = async (userId, runtime, metadata, hookContext) => {
+    const sessionId = crypto.randomUUID();
+    return createSessionWithRefreshToken(userId, sessionId, runtime, metadata, hookContext);
+};
+export const register = async (identifier, password, runtime, metadataOrOptions) => {
+    // Accept both old-style SessionMetadata and new RegisterOptions
+    let metadata;
+    let skipSession = false;
+    let hookContext;
+    if (metadataOrOptions &&
+        ('skipSession' in metadataOrOptions ||
+            'metadata' in metadataOrOptions ||
+            'hookContext' in metadataOrOptions)) {
+        const opts = metadataOrOptions;
+        metadata = opts.metadata;
+        skipSession = opts.skipSession ?? false;
+        hookContext = opts.hookContext;
+    }
+    else {
+        metadata = metadataOrOptions;
+    }
+    const { config, adapter, eventBus } = runtime;
+    const hooks = config.hooks;
+    if (hooks.preRegister)
+        await hooks.preRegister({ identifier, ...hookContext });
+    try {
+        const hashed = await Bun.password.hash(password);
+        const user = await adapter.create(identifier, hashed);
+        const role = config.defaultRole;
+        if (role)
+            await adapter.setRoles(user.id, [role]);
+        let token = '';
+        let refreshToken;
+        if (!skipSession) {
+            const sessionId = crypto.randomUUID();
+            const session = await createSessionWithRefreshToken(user.id, sessionId, runtime, metadata, hookContext);
+            token = session.token;
+            refreshToken = session.refreshToken;
+        }
+        const evConfig = config.emailVerification;
+        if (evConfig && config.primaryField === 'email') {
+            try {
+                const verificationToken = await createVerificationToken(runtime.repos.verificationToken, user.id, identifier, config);
+                eventBus.emit('auth:delivery.email_verification', {
+                    email: identifier,
+                    token: verificationToken,
+                    userId: user.id,
+                });
+                eventBus.emit('auth:delivery.welcome', { email: identifier, identifier });
+            }
+            catch (e) {
+                console.error('[email-verification] Failed to send verification email:', e instanceof Error ? e.message : String(e));
+            }
+        }
+        eventBus.emit('security.auth.register.success', { userId: user.id });
+        eventBus.emit('auth:user.created', { userId: user.id, email: identifier });
+        if (hooks.postRegister) {
+            Promise.resolve()
+                .then(() => hooks.postRegister({ userId: user.id, identifier, ...hookContext }))
+                .catch(e => console.error('[lifecycle] postRegister hook error:', e instanceof Error ? e.message : String(e)));
+        }
+        return { token, userId: user.id, email: identifier, refreshToken };
+    }
+    catch (err) {
+        eventBus.emit('security.auth.register.failure', {});
+        throw err;
+    }
+};
+// Pre-computed dummy hash so non-existent-user login takes the same time as wrong-password login
+const DUMMY_HASH = await Bun.password.hash('dummy-timing-safe-placeholder');
+export const login = async (identifier, password, runtime, metadata, hookContext) => {
+    const { config, adapter, eventBus } = runtime;
+    await runPreLoginHook(identifier, runtime, hookContext);
+    const findFn = adapter.findByIdentifier ?? adapter.findByEmail.bind(adapter);
+    const user = await findFn(identifier);
+    // Always verify against a hash to prevent timing-based user enumeration.
+    // Lockout check is intentionally AFTER bcrypt to prevent timing leaks —
+    // locked accounts must take the same bcrypt time as non-existent users.
+    const hashToVerify = user?.passwordHash ?? DUMMY_HASH;
+    const passwordValid = await Bun.password.verify(password, hashToVerify);
+    // Check lockout after bcrypt so locked and non-existent users are indistinguishable by timing
+    const lockoutSvc = runtime.lockout;
+    if (user && lockoutSvc && (await lockoutSvc.isAccountLocked(user.id))) {
+        eventBus.emit('security.auth.login.blocked', {
+            userId: user.id,
+            reason: 'lockout',
+            meta: { reason: 'account_locked' },
+        });
+        throw new HttpError(423, 'Account is locked due to too many failed login attempts', 'ACCOUNT_LOCKED');
+    }
+    if (!user || !passwordValid) {
+        eventBus.emit('security.auth.login.failure', { identifier, meta: { identifier } });
+        // Track failed attempts for lockout (only when user exists — can't lock unknown accounts)
+        if (user && lockoutSvc) {
+            const count = await lockoutSvc.recordFailedAttempt(user.id);
+            if (count >= lockoutSvc.config.maxAttempts) {
+                await lockoutSvc.lockAccount(user.id);
+                eventBus.emit('security.auth.account.locked', {
+                    userId: user.id,
+                    meta: { identifier, attempts: count },
+                });
+                if (lockoutSvc.config.onLocked) {
+                    Promise.resolve()
+                        .then(() => lockoutSvc.config.onLocked(user.id, identifier))
+                        .catch(() => {
+                        /* swallow — notification must never crash login */
+                    });
+                }
+            }
+        }
+        throw new HttpError(401, 'Invalid credentials');
+    }
+    // Check suspension
+    const suspensionStatus = await getSuspended(adapter, user.id);
+    if (suspensionStatus.suspended) {
+        eventBus.emit('security.auth.login.blocked', {
+            reason: 'suspended',
+            meta: { reason: 'suspended' },
+        });
+        throw new HttpError(403, 'Account suspended', 'ACCOUNT_SUSPENDED');
+    }
+    // Check email verification before MFA to avoid leaking MFA status to unverified users
+    const fullUser = adapter.getUser ? await adapter.getUser(user.id) : null;
+    const googleLinked = fullUser?.providerIds?.some(id => id.startsWith('google:')) ?? false;
+    const evConfig = config.emailVerification;
+    if (evConfig && config.primaryField === 'email' && adapter.getEmailVerified) {
+        const verified = await adapter.getEmailVerified(user.id);
+        if (evConfig.required && !verified) {
+            throw new HttpError(403, 'Email not verified');
+        }
+    }
+    // Check MFA — if enabled, return challenge token instead of session
+    if (config.mfa && adapter.isMfaEnabled && (await adapter.isMfaEnabled(user.id))) {
+        const methods = adapter.getMfaMethods ? await adapter.getMfaMethods(user.id) : ['totp'];
+        // Auto-send email OTP if enabled
+        let emailOtpHash;
+        const emailOtpConfig = config.mfa?.emailOtp ?? null;
+        if (methods.includes('emailOtp') && emailOtpConfig) {
+            const { code, hash } = generateEmailOtpCode(runtime);
+            emailOtpHash = hash;
+            const email = fullUser?.email;
+            if (email)
+                eventBus.emit('auth:delivery.email_otp', { email, code });
+        }
+        // Generate WebAuthn authentication options if enabled
+        let webauthnChallenge;
+        let webauthnOptions;
+        const webauthnConfig = config.mfa?.webauthn ?? null;
+        if (methods.includes('webauthn') && webauthnConfig && adapter.getWebAuthnCredentials) {
+            const result = await generateWebAuthnAuthenticationOptions(user.id, runtime);
+            if (result) {
+                webauthnChallenge = result.challenge;
+                webauthnOptions = result.options;
+            }
+        }
+        const mfaToken = await createMfaChallenge(runtime.repos.mfaChallenge, user.id, { emailOtpHash, webauthnChallenge }, config);
+        return {
+            token: '',
+            userId: user.id,
+            mfaRequired: true,
+            mfaToken,
+            mfaMethods: methods,
+            webauthnOptions,
+        };
+    }
+    const sessionId = crypto.randomUUID();
+    const { token, refreshToken } = await createSessionWithRefreshToken(user.id, sessionId, runtime, metadata, hookContext);
+    // Reset failure counter on successful login (opt-out via resetOnSuccess: false)
+    if (lockoutSvc && lockoutSvc.config.resetOnSuccess !== false) {
+        await lockoutSvc.resetFailureCount(user.id);
+    }
+    emitLoginSuccess(user.id, sessionId, runtime);
+    if (evConfig && config.primaryField === 'email' && adapter.getEmailVerified) {
+        const verified = await adapter.getEmailVerified(user.id);
+        return {
+            token,
+            userId: user.id,
+            email: fullUser?.email,
+            emailVerified: verified,
+            googleLinked,
+            refreshToken,
+        };
+    }
+    return { token, userId: user.id, email: fullUser?.email, googleLinked, refreshToken };
+};
+export const refresh = async (refreshTokenValue, runtime) => {
+    const sessionRepo = runtime.repos.session;
+    const result = await sessionRepo.getSessionByRefreshToken(refreshTokenValue, runtime.config);
+    if (!result) {
+        throw new HttpError(401, 'Invalid or expired refresh token');
+    }
+    const { sessionId, userId } = result;
+    // Always rotate: generate new refresh + access tokens.
+    // Refresh tokens are stored as hashes — we can never return a stored plaintext token.
+    // Even in the grace window case (old token used after rotation), we issue fresh tokens.
+    // This is safe because the old token's hash was found in the prev slot, not the current slot,
+    // so the session is valid and the client just missed the previous rotation response.
+    const newRT = crypto.randomUUID();
+    const newAccessToken = await signToken({ sub: userId, sid: sessionId }, runtime.config.refreshToken?.accessTokenExpiry ?? 900, runtime.config, runtime.signing);
+    await sessionRepo.rotateRefreshToken(sessionId, newRT, newAccessToken, runtime.config);
+    await sessionRepo.updateSessionLastActive(sessionId, runtime.config);
+    return { token: newAccessToken, refreshToken: newRT, userId };
+};
+export const deleteAccount = async (userId, runtime, password) => {
+    const { adapter, config, eventBus } = runtime;
+    const hooks = config.hooks;
+    if (hooks.preDeleteAccount)
+        await hooks.preDeleteAccount({ userId });
+    if (!adapter.deleteUser) {
+        throw new HttpError(501, 'Auth adapter does not support deleteUser');
+    }
+    // Verify password for credential accounts
+    if (password) {
+        const user = adapter.getUser ? await adapter.getUser(userId) : null;
+        const email = user?.email;
+        if (email) {
+            const findFn = adapter.findByIdentifier ?? adapter.findByEmail.bind(adapter);
+            const found = await findFn(email);
+            if (found && !(await Bun.password.verify(password, found.passwordHash))) {
+                throw new HttpError(401, 'Invalid password');
+            }
+        }
+    }
+    else if (adapter.hasPassword && (await adapter.hasPassword(userId))) {
+        throw new HttpError(400, 'Password is required to delete a credential account');
+    }
+    // Revoke all sessions
+    const sessionRepo = runtime.repos.session;
+    const sessions = await sessionRepo.getUserSessions(userId, config);
+    await Promise.all(sessions.map(s => sessionRepo.deleteSession(s.sessionId, config)));
+    // Delete the user
+    await adapter.deleteUser(userId);
+    eventBus.emit('security.auth.account.deleted', { userId });
+    eventBus.emit('auth:user.deleted', { userId });
+    if (hooks.postDeleteAccount) {
+        Promise.resolve()
+            .then(() => hooks.postDeleteAccount({ userId }))
+            .catch(e => console.error('[lifecycle] postDeleteAccount hook error:', e instanceof Error ? e.message : String(e)));
+    }
+};
+export const logout = async (token, runtime) => {
+    if (token) {
+        const payload = await verifyToken(token, runtime.config, runtime.signing);
+        const sessionId = payload.sid;
+        const userId = payload.sub;
+        if (sessionId) {
+            await runtime.repos.session.deleteSession(sessionId, runtime.config);
+            runtime.eventBus.emit('security.auth.logout', { sessionId, userId });
+            if (userId) {
+                runtime.eventBus.emit('auth:logout', { userId, sessionId });
+            }
+        }
+    }
+};
+export const passkeyLogin = async (passkeyToken, assertionResponse, runtime, metadata, hookContext) => {
+    const { adapter, config, eventBus } = runtime;
+    if (!adapter.findUserByWebAuthnCredentialId || !adapter.getWebAuthnCredentials) {
+        throw new HttpError(501, 'Auth adapter does not support passkey login');
+    }
+    const { consumePasskeyLoginChallenge } = await import('../lib/mfaChallenge');
+    const challengeData = await consumePasskeyLoginChallenge(runtime.repos.mfaChallenge, passkeyToken);
+    if (!challengeData) {
+        throw new HttpError(401, 'Invalid or expired passkey token');
+    }
+    const credentialId = assertionResponse?.id;
+    if (!credentialId ||
+        typeof credentialId !== 'string' ||
+        credentialId.length === 0 ||
+        credentialId.length > 2048) {
+        throw new HttpError(401, 'Invalid assertion response');
+    }
+    const userId = await adapter.findUserByWebAuthnCredentialId(credentialId);
+    if (!userId) {
+        throw new HttpError(401, 'Invalid credentials');
+    }
+    const { verifyWebAuthn } = await import('../services/mfa');
+    const verified = await verifyWebAuthn(userId, assertionResponse, challengeData.webauthnChallenge, runtime);
+    if (!verified) {
+        throw new HttpError(401, 'WebAuthn verification failed');
+    }
+    const fullUser = adapter.getUser ? await adapter.getUser(userId) : null;
+    await runPreLoginHook(fullUser?.email ?? userId, runtime, hookContext);
+    // Check suspension
+    const suspensionStatus = await getSuspended(adapter, userId);
+    if (suspensionStatus.suspended) {
+        throw new HttpError(403, 'Account suspended', 'ACCOUNT_SUSPENDED');
+    }
+    // passkeyMfaBypass=true (default): passkey with userVerification=required satisfies both factors
+    const mfaBypass = config.mfa?.webauthn?.passkeyMfaBypass ?? true;
+    if (!mfaBypass && config.mfa && adapter.isMfaEnabled && (await adapter.isMfaEnabled(userId))) {
+        const methods = adapter.getMfaMethods ? await adapter.getMfaMethods(userId) : ['totp'];
+        let emailOtpHash;
+        const emailOtpConfig = config.mfa?.emailOtp ?? null;
+        if (methods.includes('emailOtp') && emailOtpConfig) {
+            const { generateEmailOtpCode } = await import('../services/mfa');
+            const { code, hash } = generateEmailOtpCode(runtime);
+            emailOtpHash = hash;
+            const fullUser = adapter.getUser ? await adapter.getUser(userId) : null;
+            if (fullUser?.email)
+                eventBus.emit('auth:delivery.email_otp', { email: fullUser.email, code });
+        }
+        let webauthnChallenge2;
+        let webauthnOptions;
+        if (methods.includes('webauthn') && (config.mfa?.webauthn ?? null)) {
+            const { generateWebAuthnAuthenticationOptions } = await import('../services/mfa');
+            const result = await generateWebAuthnAuthenticationOptions(userId, runtime);
+            if (result) {
+                webauthnChallenge2 = result.challenge;
+                webauthnOptions = result.options;
+            }
+        }
+        const mfaToken = await createMfaChallenge(runtime.repos.mfaChallenge, userId, { emailOtpHash, webauthnChallenge: webauthnChallenge2 }, config);
+        return { token: '', userId, mfaRequired: true, mfaToken, mfaMethods: methods, webauthnOptions };
+    }
+    const { token, refreshToken, sessionId } = await createSessionForUser(userId, runtime, metadata, hookContext);
+    emitLoginSuccess(userId, sessionId, runtime);
+    return { token, userId, email: fullUser?.email, refreshToken };
+};

package/dist/{services → packages/bunshot-auth/src/services}/mfa.d.ts RENAMED Viewed

@@ -1,15 +1,16 @@
+import type { AuthRuntimeContext } from '../runtime';
 export interface MfaSetupResult {
     secret: string;
     uri: string;
 }
-export declare const setupMfa: (userId: string) => Promise<MfaSetupResult>;
-export declare const verifySetup: (userId: string, code: string) => Promise<string[]>;
-export declare const verifyTotp: (userId: string, code: string) => Promise<boolean>;
-export declare const verifyRecoveryCode: (userId: string, code: string) => Promise<boolean>;
-export declare const disableMfa: (userId: string, code: string) => Promise<void>;
-export declare const regenerateRecoveryCodes: (userId: string, code: string) => Promise<string[]>;
+export declare const setupMfa: (userId: string, runtime: AuthRuntimeContext) => Promise<MfaSetupResult>;
+export declare const verifySetup: (userId: string, code: string, runtime: AuthRuntimeContext) => Promise<string[]>;
+export declare const verifyTotp: (userId: string, code: string, runtime: AuthRuntimeContext) => Promise<boolean>;
+export declare const verifyRecoveryCode: (userId: string, code: string, runtime: AuthRuntimeContext) => Promise<boolean>;
+export declare const disableMfa: (userId: string, code: string, runtime: AuthRuntimeContext) => Promise<void>;
+export declare const regenerateRecoveryCodes: (userId: string, code: string, runtime: AuthRuntimeContext) => Promise<string[]>;
 /** Generate a cryptographically random numeric OTP code. Returns { code, hash }. */
-export declare const generateEmailOtpCode: (length?: number) => {
+export declare const generateEmailOtpCode: (runtime: AuthRuntimeContext, length?: number) => {
     code: string;
     hash: string;
 };
@@ -19,12 +20,12 @@ export declare const verifyEmailOtp: (emailOtpHash: string, code: string) => boo
  * Initiate email OTP setup: sends a verification code to the user's email.
  * Returns a setup challenge token that must be confirmed via confirmEmailOtp.
  */
-export declare const initiateEmailOtp: (userId: string) => Promise<string>;
+export declare const initiateEmailOtp: (userId: string, runtime: AuthRuntimeContext) => Promise<string>;
 /**
  * Confirm email OTP setup: verifies the code sent during initiateEmailOtp.
  * Enables email OTP as an MFA method. Returns recovery codes if MFA was not previously active.
  */
-export declare const confirmEmailOtp: (userId: string, setupToken: string, code: string) => Promise<string[] | null>;
+export declare const confirmEmailOtp: (userId: string, setupToken: string, code: string, runtime: AuthRuntimeContext) => Promise<string[] | null>;
 /**
  * Disable email OTP for a user.
  * If TOTP is also enabled, requires a TOTP code. Otherwise requires password.
@@ -32,9 +33,9 @@ export declare const confirmEmailOtp: (userId: string, setupToken: string, code:
 export declare const disableEmailOtp: (userId: string, params: {
     code?: string;
     password?: string;
-}) => Promise<void>;
+}, runtime: AuthRuntimeContext) => Promise<void>;
 /** Get the MFA methods enabled for a user. */
-export declare const getMfaMethods: (userId: string) => Promise<string[]>;
+export declare const getMfaMethods: (userId: string, runtime: AuthRuntimeContext) => Promise<string[]>;
 /**
  * Eager startup check — call at route mount time to fail fast if the peer dependency is missing.
  */
@@ -43,7 +44,7 @@ export declare const assertWebAuthnDependency: () => Promise<void>;
  * Generate WebAuthn authentication options for the login MFA flow.
  * Called from auth.ts login when the user has "webauthn" in their methods.
  */
-export declare const generateWebAuthnAuthenticationOptions: (userId: string) => Promise<{
+export declare const generateWebAuthnAuthenticationOptions: (userId: string, runtime: AuthRuntimeContext) => Promise<{
     challenge: string;
     options: Record<string, unknown>;
 } | null>;
@@ -51,7 +52,7 @@ export declare const generateWebAuthnAuthenticationOptions: (userId: string) =>
  * Initiate WebAuthn registration: generates registration options for the client.
  * Returns options + a registration challenge token.
  */
-export declare const initiateWebAuthnRegistration: (userId: string) => Promise<{
+export declare const initiateWebAuthnRegistration: (userId: string, runtime: AuthRuntimeContext) => Promise<{
     options: Record<string, unknown>;
     registrationToken: string;
 }>;
@@ -59,14 +60,14 @@ export declare const initiateWebAuthnRegistration: (userId: string) => Promise<{
  * Complete WebAuthn registration: verifies attestation and stores the credential.
  * Returns recovery codes if this is the first MFA method.
  */
-export declare const completeWebAuthnRegistration: (userId: string, registrationToken: string, attestationResponse: any, name?: string) => Promise<{
+export declare const completeWebAuthnRegistration: (userId: string, registrationToken: string, attestationResponse: any, runtime: AuthRuntimeContext, name?: string) => Promise<{
     credentialId: string;
     recoveryCodes: string[] | null;
 }>;
 /**
  * Verify a WebAuthn authentication assertion during login MFA.
  */
-export declare const verifyWebAuthn: (userId: string, assertionResponse: any, expectedChallenge: string) => Promise<boolean>;
+export declare const verifyWebAuthn: (userId: string, assertionResponse: any, expectedChallenge: string, runtime: AuthRuntimeContext) => Promise<boolean>;
 /**
  * Remove a single WebAuthn credential.
  * Only requires identity verification when removing the last credential of the last MFA method.
@@ -74,11 +75,34 @@ export declare const verifyWebAuthn: (userId: string, assertionResponse: any, ex
 export declare const removeWebAuthnCredential: (userId: string, credentialId: string, params: {
     code?: string;
     password?: string;
-}) => Promise<void>;
+}, runtime: AuthRuntimeContext) => Promise<void>;
 /**
  * Disable WebAuthn entirely: removes all credentials and the method.
  */
 export declare const disableWebAuthn: (userId: string, params: {
     code?: string;
     password?: string;
-}) => Promise<void>;
+}, runtime: AuthRuntimeContext) => Promise<void>;
+/**
+ * Verify any supported authentication factor for a given user + session.
+ * Used by step-up, account deletion, and MFA disable flows.
+ *
+ * - "totp": TOTP code
+ * - "recovery": recovery code (only when method is explicitly "recovery")
+ * - "password": account password
+ * - "emailOtp": email OTP via reauth challenge token
+ * - "webauthn": WebAuthn assertion via reauth challenge token
+ *
+ * Hard boundaries:
+ *  - "recovery" is ONLY checked when method is explicitly "recovery"
+ *  - emailOtp / webauthn consume a reauth challenge bound to sessionId
+ *
+ * Returns false (never throws) when required params are missing.
+ */
+export declare function verifyAnyFactor(userId: string, sessionId: string, runtime: AuthRuntimeContext, params: {
+    method?: 'totp' | 'emailOtp' | 'webauthn' | 'password' | 'recovery';
+    code?: string;
+    password?: string;
+    reauthToken?: string;
+    webauthnResponse?: object;
+}): Promise<boolean>;