npm - @lastshotlabs/bunshot - Versions diffs - 0.0.27 → 0.0.28 - Mend

@lastshotlabs/bunshot 0.0.27 → 0.0.28

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (742) hide show

package/.oclif.manifest.json +39 -0
package/README.md +8282 -2147
package/dist/cli/commands/init.js +690 -0
package/dist/cli/index.js +6 -0
package/dist/cli.js +4 -4
package/dist/packages/bunshot-admin/src/index.d.ts +15 -0
package/dist/packages/bunshot-admin/src/index.js +11 -0
package/dist/packages/bunshot-admin/src/lib/resourceTypes.d.ts +8 -0
package/dist/packages/bunshot-admin/src/lib/resourceTypes.js +33 -0
package/dist/packages/bunshot-admin/src/lib/typedRoute.d.ts +14 -0
package/dist/packages/bunshot-admin/src/lib/typedRoute.js +17 -0
package/dist/packages/bunshot-admin/src/plugin.d.ts +4 -0
package/dist/packages/bunshot-admin/src/plugin.js +46 -0
package/dist/packages/bunshot-admin/src/providers/auth0Access.d.ts +6 -0
package/dist/packages/bunshot-admin/src/providers/auth0Access.js +32 -0
package/dist/packages/bunshot-admin/src/routes/admin.d.ts +10 -0
package/dist/packages/bunshot-admin/src/routes/admin.js +923 -0
package/dist/packages/bunshot-admin/src/routes/mail.d.ts +6 -0
package/dist/packages/bunshot-admin/src/routes/mail.js +114 -0
package/dist/packages/bunshot-admin/src/routes/permissions.d.ts +8 -0
package/dist/packages/bunshot-admin/src/routes/permissions.js +315 -0
package/dist/packages/bunshot-admin/src/types/config.d.ts +16 -0
package/dist/packages/bunshot-admin/src/types/config.js +37 -0
package/dist/packages/bunshot-admin/src/types/env.d.ts +14 -0
package/dist/packages/bunshot-admin/src/types/provider.d.ts +1 -0
package/dist/packages/bunshot-admin/src/types/provider.js +4 -0
package/dist/packages/bunshot-auth/src/adapters/memoryAuth.d.ts +66 -0
package/dist/packages/bunshot-auth/src/adapters/memoryAuth.js +1063 -0
package/dist/packages/bunshot-auth/src/adapters/mongoAuth.d.ts +2 -0
package/dist/packages/bunshot-auth/src/adapters/mongoAuth.js +536 -0
package/dist/packages/bunshot-auth/src/adapters/sqliteAuth.d.ts +88 -0
package/dist/packages/bunshot-auth/src/adapters/sqliteAuth.js +1366 -0
package/dist/packages/bunshot-auth/src/admin/bunshotAccess.d.ts +2 -0
package/dist/packages/bunshot-auth/src/admin/bunshotAccess.js +23 -0
package/dist/packages/bunshot-auth/src/admin/bunshotUsers.d.ts +5 -0
package/dist/packages/bunshot-auth/src/admin/bunshotUsers.js +131 -0
package/dist/packages/bunshot-auth/src/bootstrap.d.ts +38 -0
package/dist/packages/bunshot-auth/src/bootstrap.js +384 -0
package/dist/packages/bunshot-auth/src/config/appConfig.d.ts +3 -0
package/dist/packages/bunshot-auth/src/config/appConfig.js +4 -0
package/dist/packages/bunshot-auth/src/config/authConfig.d.ts +478 -0
package/dist/packages/bunshot-auth/src/config/authConfig.js +46 -0
package/dist/packages/bunshot-auth/src/config/configLock.d.ts +2 -0
package/dist/packages/bunshot-auth/src/config/configLock.js +10 -0
package/dist/packages/bunshot-auth/src/index.d.ts +25 -0
package/dist/packages/bunshot-auth/src/index.js +23 -0
package/dist/packages/bunshot-auth/src/infra/mongo.d.ts +15 -0
package/dist/packages/bunshot-auth/src/infra/mongo.js +44 -0
package/dist/packages/bunshot-auth/src/infra/queue.d.ts +14 -0
package/dist/packages/bunshot-auth/src/infra/queue.js +27 -0
package/dist/packages/bunshot-auth/src/infra/redis.d.ts +5 -0
package/dist/packages/bunshot-auth/src/infra/redis.js +15 -0
package/dist/packages/bunshot-auth/src/infra/signing.d.ts +7 -0
package/dist/packages/bunshot-auth/src/infra/signing.js +8 -0
package/dist/packages/bunshot-auth/src/lib/accountLockout.d.ts +34 -0
package/dist/packages/bunshot-auth/src/lib/accountLockout.js +244 -0
package/dist/packages/bunshot-auth/src/lib/adapterTiers.d.ts +1 -0
package/dist/packages/bunshot-auth/src/lib/adapterTiers.js +1 -0
package/dist/packages/bunshot-auth/src/lib/authAdapter.d.ts +1 -0
package/dist/packages/bunshot-auth/src/lib/authAdapter.js +1 -0
package/dist/packages/bunshot-auth/src/lib/authContext.d.ts +15 -0
package/dist/packages/bunshot-auth/src/lib/authContext.js +1 -0
package/dist/packages/bunshot-auth/src/lib/authEventBus.d.ts +4 -0
package/dist/packages/bunshot-auth/src/lib/authEventBus.js +15 -0
package/dist/packages/bunshot-auth/src/lib/authRateLimit.d.ts +28 -0
package/dist/packages/bunshot-auth/src/lib/authRateLimit.js +205 -0
package/dist/{lib → packages/bunshot-auth/src/lib}/breachedPassword.d.ts +8 -2
package/dist/{lib → packages/bunshot-auth/src/lib}/breachedPassword.js +22 -9
package/dist/packages/bunshot-auth/src/lib/cache.d.ts +12 -0
package/dist/packages/bunshot-auth/src/lib/cache.js +120 -0
package/dist/packages/bunshot-auth/src/lib/clientIp.d.ts +4 -0
package/dist/{lib → packages/bunshot-auth/src/lib}/clientIp.js +14 -7
package/dist/packages/bunshot-auth/src/lib/cookieOptions.d.ts +27 -0
package/dist/packages/bunshot-auth/src/lib/cookieOptions.js +33 -0
package/dist/packages/bunshot-auth/src/lib/credentialStuffing.d.ts +40 -0
package/dist/packages/bunshot-auth/src/lib/credentialStuffing.js +221 -0
package/dist/packages/bunshot-auth/src/lib/deletionCancelToken.d.ts +19 -0
package/dist/packages/bunshot-auth/src/lib/deletionCancelToken.js +148 -0
package/dist/packages/bunshot-auth/src/lib/emailTemplates.d.ts +23 -0
package/dist/packages/bunshot-auth/src/lib/emailTemplates.js +265 -0
package/dist/packages/bunshot-auth/src/lib/emailVerification.d.ts +30 -0
package/dist/packages/bunshot-auth/src/lib/emailVerification.js +200 -0
package/dist/packages/bunshot-auth/src/lib/env.d.ts +1 -0
package/dist/packages/bunshot-auth/src/lib/env.js +3 -0
package/dist/packages/bunshot-auth/src/lib/fingerprint.js +36 -0
package/dist/{lib → packages/bunshot-auth/src/lib}/groups.d.ts +15 -16
package/dist/{lib → packages/bunshot-auth/src/lib}/groups.js +22 -34
package/dist/packages/bunshot-auth/src/lib/jwks.d.ts +28 -0
package/dist/packages/bunshot-auth/src/lib/jwks.js +79 -0
package/dist/packages/bunshot-auth/src/lib/jwt.d.ts +12 -0
package/dist/packages/bunshot-auth/src/lib/jwt.js +86 -0
package/dist/{lib → packages/bunshot-auth/src/lib}/logger.js +3 -3
package/dist/{lib → packages/bunshot-auth/src/lib}/m2m.d.ts +5 -4
package/dist/{lib → packages/bunshot-auth/src/lib}/m2m.js +6 -10
package/dist/packages/bunshot-auth/src/lib/magicLink.d.ts +13 -0
package/dist/packages/bunshot-auth/src/lib/magicLink.js +145 -0
package/dist/packages/bunshot-auth/src/lib/mfaChallenge.d.ts +60 -0
package/dist/packages/bunshot-auth/src/lib/mfaChallenge.js +419 -0
package/dist/packages/bunshot-auth/src/lib/oauth.d.ts +82 -0
package/dist/packages/bunshot-auth/src/lib/oauth.js +177 -0
package/dist/packages/bunshot-auth/src/lib/oauthCode.d.ts +19 -0
package/dist/packages/bunshot-auth/src/lib/oauthCode.js +182 -0
package/dist/packages/bunshot-auth/src/lib/oauthReauth.d.ts +19 -0
package/dist/packages/bunshot-auth/src/lib/oauthReauth.js +255 -0
package/dist/packages/bunshot-auth/src/lib/organization.d.ts +66 -0
package/dist/packages/bunshot-auth/src/lib/organization.js +225 -0
package/dist/packages/bunshot-auth/src/lib/passwordHistory.d.ts +12 -0
package/dist/packages/bunshot-auth/src/lib/passwordHistory.js +31 -0
package/dist/packages/bunshot-auth/src/lib/resetPassword.d.ts +20 -0
package/dist/packages/bunshot-auth/src/lib/resetPassword.js +148 -0
package/dist/packages/bunshot-auth/src/lib/roles.d.ts +9 -0
package/dist/packages/bunshot-auth/src/lib/roles.js +93 -0
package/dist/packages/bunshot-auth/src/lib/saml.d.ts +29 -0
package/dist/packages/bunshot-auth/src/lib/saml.js +73 -0
package/dist/packages/bunshot-auth/src/lib/samlRequestId.d.ts +13 -0
package/dist/packages/bunshot-auth/src/lib/samlRequestId.js +129 -0
package/dist/{lib → packages/bunshot-auth/src/lib}/scim.d.ts +7 -7
package/dist/{lib → packages/bunshot-auth/src/lib}/scim.js +15 -13
package/dist/packages/bunshot-auth/src/lib/securityEventWiring.d.ts +22 -0
package/dist/packages/bunshot-auth/src/lib/securityEventWiring.js +65 -0
package/dist/packages/bunshot-auth/src/lib/session.d.ts +45 -0
package/dist/packages/bunshot-auth/src/lib/session.js +1211 -0
package/dist/packages/bunshot-auth/src/lib/storeInfra.d.ts +26 -0
package/dist/packages/bunshot-auth/src/lib/storeInfra.js +18 -0
package/dist/{lib → packages/bunshot-auth/src/lib}/suspension.d.ts +3 -2
package/dist/{lib → packages/bunshot-auth/src/lib}/suspension.js +2 -5
package/dist/packages/bunshot-auth/src/lib/validateAdapter.d.ts +16 -0
package/dist/packages/bunshot-auth/src/lib/validateAdapter.js +161 -0
package/dist/packages/bunshot-auth/src/middleware/bearerAuth.d.ts +13 -0
package/dist/packages/bunshot-auth/src/middleware/bearerAuth.js +58 -0
package/dist/{middleware → packages/bunshot-auth/src/middleware}/csrf.d.ts +5 -4
package/dist/packages/bunshot-auth/src/middleware/csrf.js +138 -0
package/dist/packages/bunshot-auth/src/middleware/identify.d.ts +4 -0
package/dist/packages/bunshot-auth/src/middleware/identify.js +124 -0
package/dist/{middleware → packages/bunshot-auth/src/middleware}/requireMfaSetup.d.ts +2 -2
package/dist/{middleware → packages/bunshot-auth/src/middleware}/requireMfaSetup.js +10 -8
package/dist/{middleware → packages/bunshot-auth/src/middleware}/requireRole.d.ts +2 -2
package/dist/{middleware → packages/bunshot-auth/src/middleware}/requireRole.js +20 -16
package/dist/{middleware → packages/bunshot-auth/src/middleware}/requireScope.d.ts +2 -2
package/dist/{middleware → packages/bunshot-auth/src/middleware}/requireScope.js +6 -6
package/dist/{middleware → packages/bunshot-auth/src/middleware}/requireStepUp.d.ts +2 -2
package/dist/{middleware → packages/bunshot-auth/src/middleware}/requireStepUp.js +8 -7
package/dist/{middleware → packages/bunshot-auth/src/middleware}/requireVerifiedEmail.d.ts +2 -2
package/dist/{middleware → packages/bunshot-auth/src/middleware}/requireVerifiedEmail.js +7 -6
package/dist/packages/bunshot-auth/src/middleware/scimAuth.d.ts +8 -0
package/dist/packages/bunshot-auth/src/middleware/scimAuth.js +29 -0
package/dist/packages/bunshot-auth/src/middleware/userAuth.d.ts +3 -0
package/dist/packages/bunshot-auth/src/middleware/userAuth.js +6 -0
package/dist/{models → packages/bunshot-auth/src/models}/AuthUser.d.ts +12 -8
package/dist/packages/bunshot-auth/src/models/AuthUser.js +53 -0
package/dist/packages/bunshot-auth/src/models/Group.d.ts +19 -0
package/dist/packages/bunshot-auth/src/models/Group.js +22 -0
package/dist/{models → packages/bunshot-auth/src/models}/GroupMembership.d.ts +6 -8
package/dist/packages/bunshot-auth/src/models/GroupMembership.js +19 -0
package/dist/{models → packages/bunshot-auth/src/models}/M2MClient.d.ts +1 -1
package/dist/{models → packages/bunshot-auth/src/models}/M2MClient.js +5 -5
package/dist/packages/bunshot-auth/src/models/TenantRole.d.ts +13 -0
package/dist/packages/bunshot-auth/src/models/TenantRole.js +17 -0
package/dist/packages/bunshot-auth/src/plugin.d.ts +4 -0
package/dist/packages/bunshot-auth/src/plugin.js +274 -0
package/dist/packages/bunshot-auth/src/routes/auth.d.ts +15 -0
package/dist/packages/bunshot-auth/src/routes/auth.js +1624 -0
package/dist/packages/bunshot-auth/src/routes/groups.d.ts +4 -0
package/dist/packages/bunshot-auth/src/routes/groups.js +481 -0
package/dist/packages/bunshot-auth/src/routes/m2m.d.ts +2 -0
package/dist/packages/bunshot-auth/src/routes/m2m.js +145 -0
package/dist/packages/bunshot-auth/src/routes/mfa.d.ts +6 -0
package/dist/packages/bunshot-auth/src/routes/mfa.js +991 -0
package/dist/packages/bunshot-auth/src/routes/oauth.d.ts +3 -0
package/dist/packages/bunshot-auth/src/routes/oauth.js +1727 -0
package/dist/packages/bunshot-auth/src/routes/oidc.d.ts +2 -0
package/dist/packages/bunshot-auth/src/routes/oidc.js +84 -0
package/dist/packages/bunshot-auth/src/routes/organizations.d.ts +3 -0
package/dist/packages/bunshot-auth/src/routes/organizations.js +741 -0
package/dist/packages/bunshot-auth/src/routes/passkey.d.ts +2 -0
package/dist/packages/bunshot-auth/src/routes/passkey.js +199 -0
package/dist/packages/bunshot-auth/src/routes/saml.d.ts +2 -0
package/dist/packages/bunshot-auth/src/routes/saml.js +226 -0
package/dist/packages/bunshot-auth/src/routes/scim.d.ts +3 -0
package/dist/packages/bunshot-auth/src/routes/scim.js +588 -0
package/dist/packages/bunshot-auth/src/runtime.d.ts +52 -0
package/dist/packages/bunshot-auth/src/runtime.js +11 -0
package/dist/{schemas → packages/bunshot-auth/src/schemas}/auth.d.ts +4 -5
package/dist/packages/bunshot-auth/src/schemas/auth.js +24 -0
package/dist/packages/bunshot-auth/src/schemas/error.d.ts +10 -0
package/dist/packages/bunshot-auth/src/schemas/error.js +10 -0
package/dist/packages/bunshot-auth/src/schemas/success.d.ts +10 -0
package/dist/packages/bunshot-auth/src/schemas/success.js +10 -0
package/dist/packages/bunshot-auth/src/services/auth.d.ts +39 -0
package/dist/packages/bunshot-auth/src/services/auth.js +378 -0
package/dist/{services → packages/bunshot-auth/src/services}/mfa.d.ts +41 -17
package/dist/{services → packages/bunshot-auth/src/services}/mfa.js +259 -183
package/dist/packages/bunshot-auth/src/testing.d.ts +31 -0
package/dist/packages/bunshot-auth/src/testing.js +23 -0
package/dist/packages/bunshot-auth/src/types/adapter.d.ts +1 -0
package/dist/packages/bunshot-auth/src/types/adapter.js +1 -0
package/dist/packages/bunshot-auth/src/types/config.d.ts +152 -0
package/dist/packages/bunshot-auth/src/types/config.js +179 -0
package/dist/{routes → packages/bunshot-auth/src/types}/groups.d.ts +2 -3
package/dist/packages/bunshot-auth/src/types/groups.js +1 -0
package/dist/packages/bunshot-auth/src/types/oauthCode.d.ts +6 -0
package/dist/packages/bunshot-auth/src/types/oauthCode.js +1 -0
package/dist/packages/bunshot-auth/src/types/oauthReauth.d.ts +13 -0
package/dist/packages/bunshot-auth/src/types/oauthReauth.js +1 -0
package/dist/packages/bunshot-auth/src/types/redis.d.ts +1 -0
package/dist/packages/bunshot-auth/src/types/redis.js +1 -0
package/dist/packages/bunshot-auth/src/types/saml.d.ts +10 -0
package/dist/packages/bunshot-auth/src/types/saml.js +1 -0
package/dist/packages/bunshot-auth/src/types/session.d.ts +18 -0
package/dist/packages/bunshot-auth/src/types/session.js +1 -0
package/dist/packages/bunshot-auth/src/types/store.d.ts +1 -0
package/dist/packages/bunshot-auth/src/types/store.js +1 -0
package/dist/packages/bunshot-core/src/adminProvider.d.ts +95 -0
package/dist/packages/bunshot-core/src/adminProvider.js +1 -0
package/dist/packages/bunshot-core/src/auditLog.d.ts +34 -0
package/dist/packages/bunshot-core/src/auditLog.js +1 -0
package/dist/packages/bunshot-core/src/auth-adapter.d.ts +227 -0
package/dist/packages/bunshot-core/src/auth-adapter.js +4 -0
package/dist/packages/bunshot-core/src/authVariables.d.ts +14 -0
package/dist/packages/bunshot-core/src/authVariables.js +4 -0
package/dist/packages/bunshot-core/src/cache.d.ts +12 -0
package/dist/packages/bunshot-core/src/cache.js +21 -0
package/dist/{lib → packages/bunshot-core/src}/captcha.d.ts +1 -10
package/dist/packages/bunshot-core/src/captcha.js +1 -0
package/dist/packages/bunshot-core/src/clearRegistry.d.ts +6 -0
package/dist/packages/bunshot-core/src/clearRegistry.js +17 -0
package/dist/packages/bunshot-core/src/clientIp.d.ts +3 -0
package/dist/packages/bunshot-core/src/clientIp.js +45 -0
package/dist/packages/bunshot-core/src/configLock.d.ts +4 -0
package/dist/packages/bunshot-core/src/configLock.js +7 -0
package/dist/packages/bunshot-core/src/configValidation.d.ts +22 -0
package/dist/packages/bunshot-core/src/configValidation.js +39 -0
package/dist/packages/bunshot-core/src/constants.js +10 -0
package/dist/packages/bunshot-core/src/context/bunshotContext.d.ts +232 -0
package/dist/packages/bunshot-core/src/context/bunshotContext.js +1 -0
package/dist/packages/bunshot-core/src/context/contextAccess.d.ts +3 -0
package/dist/packages/bunshot-core/src/context/contextAccess.js +16 -0
package/dist/packages/bunshot-core/src/context/contextStore.d.ts +16 -0
package/dist/packages/bunshot-core/src/context/contextStore.js +31 -0
package/dist/packages/bunshot-core/src/context/frameworkConfig.d.ts +38 -0
package/dist/packages/bunshot-core/src/context/frameworkConfig.js +1 -0
package/dist/packages/bunshot-core/src/context/index.d.ts +4 -0
package/dist/packages/bunshot-core/src/context/index.js +2 -0
package/dist/packages/bunshot-core/src/context.d.ts +40 -0
package/dist/packages/bunshot-core/src/context.js +35 -0
package/dist/packages/bunshot-core/src/coreContracts.d.ts +47 -0
package/dist/packages/bunshot-core/src/coreContracts.js +1 -0
package/dist/packages/bunshot-core/src/coreRegistrar.d.ts +6 -0
package/dist/packages/bunshot-core/src/coreRegistrar.js +42 -0
package/dist/{lib → packages/bunshot-core/src}/createRoute.d.ts +4 -30
package/dist/{lib → packages/bunshot-core/src}/createRoute.js +39 -88
package/dist/packages/bunshot-core/src/cronRegistry.d.ts +11 -0
package/dist/packages/bunshot-core/src/cronRegistry.js +1 -0
package/dist/packages/bunshot-core/src/crypto.d.ts +43 -0
package/dist/packages/bunshot-core/src/crypto.js +74 -0
package/dist/packages/bunshot-core/src/csrf.d.ts +8 -0
package/dist/packages/bunshot-core/src/csrf.js +1 -0
package/dist/packages/bunshot-core/src/defaults/defaultFingerprint.d.ts +7 -0
package/dist/packages/bunshot-core/src/defaults/defaultFingerprint.js +19 -0
package/dist/packages/bunshot-core/src/defaults/memoryCacheAdapter.d.ts +6 -0
package/dist/packages/bunshot-core/src/defaults/memoryCacheAdapter.js +40 -0
package/dist/packages/bunshot-core/src/defaults/memoryRateLimit.d.ts +6 -0
package/dist/packages/bunshot-core/src/defaults/memoryRateLimit.js +24 -0
package/dist/packages/bunshot-core/src/emailTemplates.d.ts +5 -0
package/dist/packages/bunshot-core/src/emailTemplates.js +10 -0
package/dist/{lib/HttpError.d.ts → packages/bunshot-core/src/errors.d.ts} +4 -1
package/dist/{lib/HttpError.js → packages/bunshot-core/src/errors.js} +7 -1
package/dist/packages/bunshot-core/src/eventBus.d.ts +270 -0
package/dist/packages/bunshot-core/src/eventBus.js +143 -0
package/dist/packages/bunshot-core/src/idempotency.d.ts +18 -0
package/dist/packages/bunshot-core/src/idempotency.js +1 -0
package/dist/packages/bunshot-core/src/index.d.ts +60 -0
package/dist/packages/bunshot-core/src/index.js +34 -0
package/dist/packages/bunshot-core/src/mail.d.ts +14 -0
package/dist/packages/bunshot-core/src/mail.js +8 -0
package/dist/packages/bunshot-core/src/memoryEviction.d.ts +24 -0
package/dist/packages/bunshot-core/src/memoryEviction.js +52 -0
package/dist/packages/bunshot-core/src/pagination.d.ts +45 -0
package/dist/packages/bunshot-core/src/pagination.js +61 -0
package/dist/packages/bunshot-core/src/permissions.d.ts +64 -0
package/dist/packages/bunshot-core/src/permissions.js +27 -0
package/dist/packages/bunshot-core/src/plugin.d.ts +44 -0
package/dist/packages/bunshot-core/src/plugin.js +1 -0
package/dist/packages/bunshot-core/src/rateLimit.d.ts +5 -0
package/dist/packages/bunshot-core/src/rateLimit.js +18 -0
package/dist/packages/bunshot-core/src/redis.d.ts +21 -0
package/dist/packages/bunshot-core/src/redis.js +1 -0
package/dist/packages/bunshot-core/src/routeAuth.d.ts +5 -0
package/dist/packages/bunshot-core/src/routeAuth.js +11 -0
package/dist/packages/bunshot-core/src/routeOverrides.d.ts +24 -0
package/dist/packages/bunshot-core/src/routeOverrides.js +25 -0
package/dist/packages/bunshot-core/src/routerAdapter.d.ts +6 -0
package/dist/packages/bunshot-core/src/routerAdapter.js +56 -0
package/dist/packages/bunshot-core/src/secrets.d.ts +48 -0
package/dist/packages/bunshot-core/src/secrets.js +8 -0
package/dist/packages/bunshot-core/src/signing.d.ts +41 -0
package/dist/packages/bunshot-core/src/signing.js +1 -0
package/dist/packages/bunshot-core/src/sse.d.ts +36 -0
package/dist/packages/bunshot-core/src/sse.js +1 -0
package/dist/packages/bunshot-core/src/storageAdapter.js +1 -0
package/dist/packages/bunshot-core/src/storeInfra.d.ts +44 -0
package/dist/packages/bunshot-core/src/storeInfra.js +18 -0
package/dist/packages/bunshot-core/src/storeType.d.ts +7 -0
package/dist/packages/bunshot-core/src/storeType.js +1 -0
package/dist/packages/bunshot-core/src/testing.d.ts +1 -0
package/dist/packages/bunshot-core/src/testing.js +1 -0
package/dist/packages/bunshot-core/src/uploadRegistry.d.ts +23 -0
package/dist/packages/bunshot-core/src/uploadRegistry.js +4 -0
package/dist/packages/bunshot-core/src/userResolver.d.ts +5 -0
package/dist/packages/bunshot-core/src/userResolver.js +14 -0
package/dist/packages/bunshot-core/src/wsMessages.d.ts +42 -0
package/dist/packages/bunshot-core/src/wsMessages.js +4 -0
package/dist/packages/bunshot-permissions/src/adapters/memory.d.ts +7 -0
package/dist/packages/bunshot-permissions/src/adapters/memory.js +73 -0
package/dist/packages/bunshot-permissions/src/index.d.ts +10 -0
package/dist/packages/bunshot-permissions/src/index.js +5 -0
package/dist/packages/bunshot-permissions/src/lib/bootstrap.d.ts +7 -0
package/dist/packages/bunshot-permissions/src/lib/bootstrap.js +12 -0
package/dist/packages/bunshot-permissions/src/lib/evaluator.d.ts +10 -0
package/dist/packages/bunshot-permissions/src/lib/evaluator.js +165 -0
package/dist/packages/bunshot-permissions/src/lib/registry.d.ts +2 -0
package/dist/packages/bunshot-permissions/src/lib/registry.js +31 -0
package/dist/packages/bunshot-permissions/src/lib/validation.d.ts +1 -0
package/dist/packages/bunshot-permissions/src/lib/validation.js +1 -0
package/dist/packages/bunshot-permissions/src/types/adapter.d.ts +1 -0
package/dist/packages/bunshot-permissions/src/types/adapter.js +1 -0
package/dist/packages/bunshot-permissions/src/types/evaluator.d.ts +1 -0
package/dist/packages/bunshot-permissions/src/types/evaluator.js +1 -0
package/dist/packages/bunshot-permissions/src/types/models.d.ts +1 -0
package/dist/packages/bunshot-permissions/src/types/models.js +1 -0
package/dist/packages/bunshot-permissions/src/types/registry.d.ts +1 -0
package/dist/packages/bunshot-permissions/src/types/registry.js +1 -0
package/dist/packages/bunshot-postgres/src/adapter.d.ts +6 -0
package/dist/packages/bunshot-postgres/src/adapter.js +794 -0
package/dist/packages/bunshot-postgres/src/connection.d.ts +15 -0
package/dist/packages/bunshot-postgres/src/connection.js +16 -0
package/dist/packages/bunshot-postgres/src/index.d.ts +4 -0
package/dist/packages/bunshot-postgres/src/index.js +2 -0
package/dist/packages/bunshot-postgres/src/schema.d.ts +997 -0
package/dist/packages/bunshot-postgres/src/schema.js +105 -0
package/dist/src/app.d.ts +230 -0
package/dist/src/app.js +182 -0
package/dist/src/cli/commands/init.d.ts +10 -0
package/dist/src/cli/commands/init.js +709 -0
package/dist/src/cli/index.d.ts +1 -0
package/dist/src/cli/index.js +3 -0
package/dist/src/entrypoints/mongo.d.ts +6 -0
package/dist/src/entrypoints/mongo.js +4 -0
package/dist/src/entrypoints/queue.d.ts +2 -0
package/dist/src/entrypoints/queue.js +1 -0
package/dist/src/entrypoints/redis.d.ts +1 -0
package/dist/src/entrypoints/redis.js +1 -0
package/dist/{adapters → src/framework/adapters}/localStorage.d.ts +1 -1
package/dist/{adapters → src/framework/adapters}/localStorage.js +10 -10
package/dist/src/framework/adapters/memoryStorage.d.ts +2 -0
package/dist/src/framework/adapters/memoryStorage.js +45 -0
package/dist/{adapters → src/framework/adapters}/s3Storage.d.ts +1 -1
package/dist/{adapters → src/framework/adapters}/s3Storage.js +12 -12
package/dist/src/framework/admin/bunshotAccess.d.ts +2 -0
package/dist/src/framework/admin/bunshotAccess.js +23 -0
package/dist/src/framework/admin/bunshotUsers.d.ts +2 -0
package/dist/src/framework/admin/bunshotUsers.js +103 -0
package/dist/src/framework/admin/index.d.ts +7 -0
package/dist/src/framework/admin/index.js +21 -0
package/dist/src/framework/boundaryAdapters/cacheFactories.d.ts +13 -0
package/dist/src/framework/boundaryAdapters/cacheFactories.js +86 -0
package/dist/src/framework/boundaryAdapters/index.d.ts +2 -0
package/dist/src/framework/boundaryAdapters/index.js +1 -0
package/dist/src/framework/boundaryAdapters.d.ts +17 -0
package/dist/src/framework/boundaryAdapters.js +62 -0
package/dist/src/framework/buildContext.d.ts +33 -0
package/dist/src/framework/buildContext.js +119 -0
package/dist/src/framework/config/schema.d.ts +447 -0
package/dist/src/framework/config/schema.js +528 -0
package/dist/src/framework/createInfrastructure.d.ts +76 -0
package/dist/src/framework/createInfrastructure.js +221 -0
package/dist/src/framework/lib/auditLog.d.ts +23 -0
package/dist/src/framework/lib/auditLog.js +416 -0
package/dist/src/framework/lib/captcha.d.ts +11 -0
package/dist/{lib → src/framework/lib}/captcha.js +13 -10
package/dist/{lib → src/framework/lib}/createDtoMapper.js +4 -4
package/dist/src/framework/lib/createRoute.d.ts +1 -0
package/dist/src/framework/lib/createRoute.js +2 -0
package/dist/{lib → src/framework/lib}/idempotency.d.ts +2 -6
package/dist/src/framework/lib/idempotency.js +74 -0
package/dist/src/framework/lib/logger.d.ts +3 -0
package/dist/src/framework/lib/logger.js +14 -0
package/dist/src/framework/lib/metrics.d.ts +34 -0
package/dist/{lib → src/framework/lib}/metrics.js +49 -57
package/dist/src/framework/lib/pagination.d.ts +42 -0
package/dist/src/framework/lib/pagination.js +51 -0
package/dist/src/framework/lib/redisTransport.d.ts +38 -0
package/dist/src/framework/lib/redisTransport.js +107 -0
package/dist/src/framework/lib/resolveUserId.d.ts +2 -0
package/dist/src/framework/lib/resolveUserId.js +5 -0
package/dist/src/framework/lib/sseCollision.d.ts +6 -0
package/dist/src/framework/lib/sseCollision.js +26 -0
package/dist/src/framework/lib/storageAdapter.d.ts +1 -0
package/dist/src/framework/lib/storageAdapter.js +1 -0
package/dist/{lib → src/framework/lib}/stripUnreferencedSchemas.js +4 -4
package/dist/src/framework/lib/tenant.d.ts +21 -0
package/dist/src/framework/lib/tenant.js +70 -0
package/dist/{lib → src/framework/lib}/upload.d.ts +11 -10
package/dist/src/framework/lib/upload.js +132 -0
package/dist/src/framework/lib/uploadRegistry.d.ts +23 -0
package/dist/src/framework/lib/uploadRegistry.js +34 -0
package/dist/{lib → src/framework/lib}/validate.d.ts +1 -1
package/dist/{lib → src/framework/lib}/validate.js +2 -2
package/dist/src/framework/lib/ws.d.ts +19 -0
package/dist/src/framework/lib/ws.js +130 -0
package/dist/src/framework/lib/wsHeartbeat.d.ts +12 -0
package/dist/src/framework/lib/wsHeartbeat.js +53 -0
package/dist/src/framework/lib/wsMessages.d.ts +25 -0
package/dist/src/framework/lib/wsMessages.js +45 -0
package/dist/src/framework/lib/wsNamespace.d.ts +17 -0
package/dist/src/framework/lib/wsNamespace.js +19 -0
package/dist/src/framework/lib/wsPresence.d.ts +17 -0
package/dist/src/framework/lib/wsPresence.js +84 -0
package/dist/src/framework/lib/wsTransport.d.ts +38 -0
package/dist/src/framework/lib/wsTransport.js +9 -0
package/dist/{lib → src/framework/lib}/zodToMongoose.d.ts +1 -1
package/dist/{lib → src/framework/lib}/zodToMongoose.js +11 -11
package/dist/{middleware → src/framework/middleware}/auditLog.d.ts +4 -3
package/dist/src/framework/middleware/auditLog.js +42 -0
package/dist/{middleware → src/framework/middleware}/botProtection.d.ts +2 -2
package/dist/{middleware → src/framework/middleware}/botProtection.js +8 -9
package/dist/src/framework/middleware/cacheResponse.d.ts +35 -0
package/dist/src/framework/middleware/cacheResponse.js +126 -0
package/dist/{middleware → src/framework/middleware}/captcha.d.ts +2 -3
package/dist/src/framework/middleware/captcha.js +37 -0
package/dist/{middleware → src/framework/middleware}/errorHandler.d.ts +1 -1
package/dist/{middleware → src/framework/middleware}/errorHandler.js +2 -2
package/dist/src/framework/middleware/index.js +1 -0
package/dist/{middleware → src/framework/middleware}/logger.d.ts +1 -1
package/dist/src/framework/middleware/metrics.d.ts +12 -0
package/dist/src/framework/middleware/metrics.js +26 -0
package/dist/{middleware → src/framework/middleware}/rateLimit.d.ts +2 -2
package/dist/src/framework/middleware/rateLimit.js +22 -0
package/dist/src/framework/middleware/requestId.d.ts +3 -0
package/dist/{middleware → src/framework/middleware}/requestId.js +2 -2
package/dist/{middleware → src/framework/middleware}/requestLogger.d.ts +3 -3
package/dist/{middleware → src/framework/middleware}/requestLogger.js +17 -12
package/dist/{middleware → src/framework/middleware}/requestSigning.d.ts +2 -2
package/dist/{middleware → src/framework/middleware}/requestSigning.js +18 -20
package/dist/src/framework/middleware/tenant.d.ts +14 -0
package/dist/{middleware → src/framework/middleware}/tenant.js +31 -27
package/dist/src/framework/middleware/upload.d.ts +5 -0
package/dist/{middleware → src/framework/middleware}/upload.js +4 -4
package/dist/{middleware → src/framework/middleware}/webhookAuth.d.ts +3 -3
package/dist/{middleware → src/framework/middleware}/webhookAuth.js +11 -12
package/dist/src/framework/models/AuditLog.d.ts +21 -0
package/dist/src/framework/models/AuditLog.js +31 -0
package/dist/src/framework/mountMiddleware.d.ts +91 -0
package/dist/src/framework/mountMiddleware.js +128 -0
package/dist/src/framework/mountOptionalEndpoints.d.ts +103 -0
package/dist/src/framework/mountOptionalEndpoints.js +47 -0
package/dist/src/framework/mountRoutes.d.ts +21 -0
package/dist/src/framework/mountRoutes.js +144 -0
package/dist/src/framework/persistence/cronRegistry.d.ts +28 -0
package/dist/src/framework/persistence/cronRegistry.js +139 -0
package/dist/src/framework/persistence/idempotency.d.ts +26 -0
package/dist/src/framework/persistence/idempotency.js +178 -0
package/dist/src/framework/persistence/index.d.ts +6 -0
package/dist/src/framework/persistence/index.js +8 -0
package/dist/src/framework/persistence/storeInfra.d.ts +9 -0
package/dist/src/framework/persistence/storeInfra.js +1 -0
package/dist/src/framework/persistence/uploadRegistry.d.ts +35 -0
package/dist/src/framework/persistence/uploadRegistry.js +235 -0
package/dist/src/framework/persistence/wsMessages.d.ts +22 -0
package/dist/src/framework/persistence/wsMessages.js +296 -0
package/dist/src/framework/preloadSchemas.d.ts +24 -0
package/dist/src/framework/preloadSchemas.js +42 -0
package/dist/src/framework/registerBoundaryAdapters.d.ts +23 -0
package/dist/src/framework/registerBoundaryAdapters.js +46 -0
package/dist/src/framework/routes/admin.d.ts +9 -0
package/dist/src/framework/routes/admin.js +361 -0
package/dist/src/framework/routes/health.d.ts +1 -0
package/dist/src/framework/routes/health.js +21 -0
package/dist/src/framework/routes/home.d.ts +1 -0
package/dist/src/framework/routes/home.js +18 -0
package/dist/src/framework/routes/jobs.d.ts +3 -0
package/dist/{routes → src/framework/routes}/jobs.js +128 -103
package/dist/src/framework/routes/metrics.d.ts +10 -0
package/dist/src/framework/routes/metrics.js +57 -0
package/dist/{routes → src/framework/routes}/uploads.d.ts +3 -3
package/dist/src/framework/routes/uploads.js +262 -0
package/dist/src/framework/runPluginLifecycle.d.ts +27 -0
package/dist/src/framework/runPluginLifecycle.js +121 -0
package/dist/src/framework/secrets/frameworkSecretSchema.d.ts +58 -0
package/dist/src/framework/secrets/frameworkSecretSchema.js +20 -0
package/dist/src/framework/secrets/index.d.ts +9 -0
package/dist/src/framework/secrets/index.js +7 -0
package/dist/src/framework/secrets/providers/envProvider.d.ts +15 -0
package/dist/src/framework/secrets/providers/envProvider.js +18 -0
package/dist/src/framework/secrets/providers/fileProvider.d.ts +8 -0
package/dist/src/framework/secrets/providers/fileProvider.js +82 -0
package/dist/src/framework/secrets/providers/ssmProvider.d.ts +20 -0
package/dist/src/framework/secrets/providers/ssmProvider.js +127 -0
package/dist/src/framework/secrets/resolveSecretBundle.d.ts +53 -0
package/dist/src/framework/secrets/resolveSecretBundle.js +84 -0
package/dist/src/framework/secrets/resolveSecrets.d.ts +18 -0
package/dist/src/framework/secrets/resolveSecrets.js +34 -0
package/dist/src/framework/sse/index.d.ts +21 -0
package/dist/src/framework/sse/index.js +109 -0
package/dist/src/framework/ws/index.d.ts +11 -0
package/dist/src/framework/ws/index.js +8 -0
package/dist/src/index.d.ts +87 -0
package/dist/src/index.js +58 -0
package/dist/src/lib/appConfig.d.ts +7 -0
package/dist/src/lib/appConfig.js +27 -0
package/dist/src/lib/appMeta.d.ts +7 -0
package/dist/src/lib/appMeta.js +3 -0
package/dist/src/lib/authConfig.d.ts +532 -0
package/dist/{lib/appConfig.js → src/lib/authConfig.js} +75 -17
package/dist/{lib → src/lib}/context.d.ts +6 -12
package/dist/{lib → src/lib}/context.js +5 -5
package/dist/src/lib/logger.d.ts +1 -0
package/dist/src/lib/logger.js +1 -0
package/dist/src/lib/mongo.d.ts +58 -0
package/dist/src/lib/mongo.js +96 -0
package/dist/src/lib/queue.d.ts +72 -0
package/dist/src/lib/queue.js +152 -0
package/dist/src/lib/redis.d.ts +28 -0
package/dist/src/lib/redis.js +72 -0
package/dist/{lib → src/lib}/signing.d.ts +2 -2
package/dist/src/lib/signing.js +210 -0
package/dist/src/lib/signingConfig.d.ts +40 -0
package/dist/src/lib/signingConfig.js +28 -0
package/dist/src/server.d.ts +146 -0
package/dist/src/server.js +469 -0
package/dist/src/shared/lib/HttpError.d.ts +1 -0
package/dist/src/shared/lib/HttpError.js +2 -0
package/dist/src/shared/lib/constants.d.ts +10 -0
package/dist/src/shared/lib/crypto.d.ts +43 -0
package/dist/src/shared/lib/crypto.js +74 -0
package/dist/src/shared/lib/signing.d.ts +52 -0
package/dist/{lib → src/shared/lib}/signing.js +35 -8
package/dist/src/testing.d.ts +34 -0
package/dist/src/testing.js +93 -0
package/package.json +60 -24
package/dist/adapters/memoryAuth.d.ts +0 -52
package/dist/adapters/memoryAuth.js +0 -749
package/dist/adapters/memoryStorage.d.ts +0 -3
package/dist/adapters/memoryStorage.js +0 -44
package/dist/adapters/mongoAuth.d.ts +0 -2
package/dist/adapters/mongoAuth.js +0 -403
package/dist/adapters/sqliteAuth.d.ts +0 -72
package/dist/adapters/sqliteAuth.js +0 -858
package/dist/app.d.ts +0 -559
package/dist/app.js +0 -651
package/dist/entrypoints/mongo.d.ts +0 -5
package/dist/entrypoints/mongo.js +0 -4
package/dist/entrypoints/queue.d.ts +0 -2
package/dist/entrypoints/queue.js +0 -1
package/dist/entrypoints/redis.d.ts +0 -1
package/dist/entrypoints/redis.js +0 -1
package/dist/index.d.ts +0 -117
package/dist/index.js +0 -88
package/dist/lib/appConfig.d.ts +0 -275
package/dist/lib/auditLog.d.ts +0 -58
package/dist/lib/auditLog.js +0 -218
package/dist/lib/authAdapter.d.ts +0 -246
package/dist/lib/authAdapter.js +0 -7
package/dist/lib/authRateLimit.d.ts +0 -13
package/dist/lib/authRateLimit.js +0 -117
package/dist/lib/clientIp.d.ts +0 -14
package/dist/lib/credentialStuffing.d.ts +0 -31
package/dist/lib/credentialStuffing.js +0 -77
package/dist/lib/crypto.d.ts +0 -11
package/dist/lib/crypto.js +0 -22
package/dist/lib/deletionCancelToken.d.ts +0 -12
package/dist/lib/deletionCancelToken.js +0 -88
package/dist/lib/emailVerification.d.ts +0 -19
package/dist/lib/emailVerification.js +0 -129
package/dist/lib/fingerprint.js +0 -36
package/dist/lib/idempotency.js +0 -182
package/dist/lib/jwks.d.ts +0 -25
package/dist/lib/jwks.js +0 -51
package/dist/lib/jwt.d.ts +0 -15
package/dist/lib/jwt.js +0 -111
package/dist/lib/metrics.d.ts +0 -14
package/dist/lib/mfaChallenge.d.ts +0 -55
package/dist/lib/mfaChallenge.js +0 -398
package/dist/lib/mongo.d.ts +0 -39
package/dist/lib/mongo.js +0 -124
package/dist/lib/oauth.d.ts +0 -40
package/dist/lib/oauth.js +0 -101
package/dist/lib/oauthCode.d.ts +0 -15
package/dist/lib/oauthCode.js +0 -95
package/dist/lib/pagination.d.ts +0 -119
package/dist/lib/pagination.js +0 -166
package/dist/lib/queue.d.ts +0 -37
package/dist/lib/queue.js +0 -117
package/dist/lib/redis.d.ts +0 -9
package/dist/lib/redis.js +0 -61
package/dist/lib/resetPassword.d.ts +0 -12
package/dist/lib/resetPassword.js +0 -93
package/dist/lib/roles.d.ts +0 -7
package/dist/lib/roles.js +0 -49
package/dist/lib/saml.d.ts +0 -25
package/dist/lib/saml.js +0 -64
package/dist/lib/securityEvents.d.ts +0 -28
package/dist/lib/securityEvents.js +0 -26
package/dist/lib/session.d.ts +0 -49
package/dist/lib/session.js +0 -597
package/dist/lib/tenant.d.ts +0 -15
package/dist/lib/tenant.js +0 -65
package/dist/lib/upload.js +0 -112
package/dist/lib/uploadRegistry.d.ts +0 -18
package/dist/lib/uploadRegistry.js +0 -83
package/dist/lib/ws.d.ts +0 -22
package/dist/lib/ws.js +0 -96
package/dist/lib/wsHeartbeat.d.ts +0 -12
package/dist/lib/wsHeartbeat.js +0 -57
package/dist/lib/wsMessages.d.ts +0 -40
package/dist/lib/wsMessages.js +0 -330
package/dist/lib/wsPresence.d.ts +0 -25
package/dist/lib/wsPresence.js +0 -99
package/dist/middleware/auditLog.js +0 -39
package/dist/middleware/bearerAuth.d.ts +0 -2
package/dist/middleware/bearerAuth.js +0 -11
package/dist/middleware/cacheResponse.d.ts +0 -15
package/dist/middleware/cacheResponse.js +0 -178
package/dist/middleware/captcha.js +0 -36
package/dist/middleware/csrf.js +0 -129
package/dist/middleware/identify.d.ts +0 -3
package/dist/middleware/identify.js +0 -122
package/dist/middleware/index.js +0 -1
package/dist/middleware/metrics.d.ts +0 -9
package/dist/middleware/metrics.js +0 -26
package/dist/middleware/rateLimit.js +0 -22
package/dist/middleware/requestId.d.ts +0 -3
package/dist/middleware/scimAuth.d.ts +0 -8
package/dist/middleware/scimAuth.js +0 -29
package/dist/middleware/tenant.d.ts +0 -5
package/dist/middleware/upload.d.ts +0 -5
package/dist/middleware/userAuth.d.ts +0 -3
package/dist/middleware/userAuth.js +0 -6
package/dist/models/AuditLog.d.ts +0 -30
package/dist/models/AuditLog.js +0 -39
package/dist/models/AuthUser.js +0 -55
package/dist/models/Group.d.ts +0 -21
package/dist/models/Group.js +0 -28
package/dist/models/GroupMembership.js +0 -25
package/dist/models/TenantRole.d.ts +0 -15
package/dist/models/TenantRole.js +0 -23
package/dist/routes/auth.d.ts +0 -12
package/dist/routes/auth.js +0 -744
package/dist/routes/groups.js +0 -346
package/dist/routes/health.d.ts +0 -1
package/dist/routes/health.js +0 -22
package/dist/routes/home.d.ts +0 -1
package/dist/routes/home.js +0 -16
package/dist/routes/jobs.d.ts +0 -2
package/dist/routes/m2m.d.ts +0 -2
package/dist/routes/m2m.js +0 -72
package/dist/routes/metrics.d.ts +0 -8
package/dist/routes/metrics.js +0 -55
package/dist/routes/mfa.d.ts +0 -5
package/dist/routes/mfa.js +0 -628
package/dist/routes/oauth.d.ts +0 -2
package/dist/routes/oauth.js +0 -520
package/dist/routes/oidc.d.ts +0 -2
package/dist/routes/oidc.js +0 -29
package/dist/routes/passkey.d.ts +0 -1
package/dist/routes/passkey.js +0 -157
package/dist/routes/saml.d.ts +0 -2
package/dist/routes/saml.js +0 -86
package/dist/routes/scim.d.ts +0 -2
package/dist/routes/scim.js +0 -255
package/dist/routes/uploads.js +0 -227
package/dist/schemas/auth.js +0 -30
package/dist/server.d.ts +0 -57
package/dist/server.js +0 -112
package/dist/services/auth.d.ts +0 -29
package/dist/services/auth.js +0 -238
package/dist/ws/index.d.ts +0 -10
package/dist/ws/index.js +0 -39
package/docs/sections/adding-middleware/full.md +0 -35
package/docs/sections/adding-models/full.md +0 -125
package/docs/sections/adding-models/overview.md +0 -13
package/docs/sections/adding-routes/full.md +0 -182
package/docs/sections/adding-routes/overview.md +0 -23
package/docs/sections/auth-flow/full.md +0 -790
package/docs/sections/auth-flow/overview.md +0 -10
package/docs/sections/auth-security-examples/full.md +0 -388
package/docs/sections/authentication/full.md +0 -130
package/docs/sections/authentication/overview.md +0 -5
package/docs/sections/cli/full.md +0 -42
package/docs/sections/configuration/full.md +0 -172
package/docs/sections/configuration/overview.md +0 -18
package/docs/sections/configuration-example/full.md +0 -117
package/docs/sections/configuration-example/overview.md +0 -30
package/docs/sections/documentation/full.md +0 -171
package/docs/sections/environment-variables/full.md +0 -55
package/docs/sections/exports/full.md +0 -123
package/docs/sections/extending-context/full.md +0 -59
package/docs/sections/header.md +0 -3
package/docs/sections/installation/full.md +0 -6
package/docs/sections/jobs/full.md +0 -140
package/docs/sections/jobs/overview.md +0 -15
package/docs/sections/logging/full.md +0 -83
package/docs/sections/metrics/full.md +0 -131
package/docs/sections/mongodb-connections/full.md +0 -45
package/docs/sections/mongodb-connections/overview.md +0 -7
package/docs/sections/multi-tenancy/full.md +0 -66
package/docs/sections/multi-tenancy/overview.md +0 -15
package/docs/sections/oauth/full.md +0 -189
package/docs/sections/oauth/overview.md +0 -16
package/docs/sections/package-development/full.md +0 -7
package/docs/sections/pagination/full.md +0 -93
package/docs/sections/passkey-login/full.md +0 -90
package/docs/sections/passkey-login/overview.md +0 -1
package/docs/sections/peer-dependencies/full.md +0 -47
package/docs/sections/quick-start/full.md +0 -43
package/docs/sections/response-caching/full.md +0 -117
package/docs/sections/response-caching/overview.md +0 -13
package/docs/sections/roles/full.md +0 -225
package/docs/sections/roles/overview.md +0 -14
package/docs/sections/running-without-redis/full.md +0 -16
package/docs/sections/running-without-redis-or-mongodb/full.md +0 -60
package/docs/sections/signing/full.md +0 -203
package/docs/sections/stack/full.md +0 -10
package/docs/sections/uploads/full.md +0 -208
package/docs/sections/versioning/full.md +0 -85
package/docs/sections/webhook-auth/full.md +0 -100
package/docs/sections/websocket/full.md +0 -196
package/docs/sections/websocket/overview.md +0 -5
package/docs/sections/websocket-rooms/full.md +0 -102
package/docs/sections/websocket-rooms/overview.md +0 -5
/package/dist/{lib/storageAdapter.js → packages/bunshot-admin/src/types/env.js} +0 -0
/package/dist/{lib → packages/bunshot-auth/src/lib}/fingerprint.d.ts +0 -0
/package/dist/{lib → packages/bunshot-auth/src/lib}/logger.d.ts +0 -0
/package/dist/{lib → packages/bunshot-core/src}/constants.d.ts +0 -0
/package/dist/{lib → packages/bunshot-core/src}/storageAdapter.d.ts +0 -0
/package/dist/{lib → src/framework/lib}/createDtoMapper.d.ts +0 -0
/package/dist/{lib → src/framework/lib}/stripUnreferencedSchemas.d.ts +0 -0
/package/dist/{middleware → src/framework/middleware}/cors.d.ts +0 -0
/package/dist/{middleware → src/framework/middleware}/cors.js +0 -0
/package/dist/{middleware → src/framework/middleware}/index.d.ts +0 -0
/package/dist/{middleware → src/framework/middleware}/logger.js +0 -0
/package/dist/{lib → src/shared/lib}/constants.js +0 -0

package/dist/{services → packages/bunshot-auth/src/services}/mfa.js RENAMED Viewed

@@ -1,26 +1,27 @@
-import { getAuthAdapter } from "../lib/authAdapter";
-import { HttpError } from "../lib/HttpError";
-import { getMfaIssuer, getMfaAlgorithm, getMfaDigits, getMfaPeriod, getMfaRecoveryCodeCount, getMfaEmailOtpConfig, getMfaEmailOtpCodeLength, getMfaWebAuthnConfig, getAppName } from "../lib/appConfig";
-import { createMfaChallenge } from "../lib/mfaChallenge";
+import { createMfaChallenge } from '../lib/mfaChallenge';
+import { HttpError } from '../../../bunshot-core/src/index.js';
+import { decryptField, encryptField, isEncryptedField, sha256, timingSafeEqual, } from '../../../bunshot-core/src/index.js';
 // Lazy-load otpauth to keep it as an optional peer dependency
-let _otpauth = null;
 async function getOtpAuth() {
-    if (!_otpauth)
-        _otpauth = await import("otpauth");
-    return _otpauth;
+    return import('otpauth');
 }
-import { sha256, timingSafeEqual } from "../lib/crypto";
 function generateRandomCode(length) {
-    const chars = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"; // no ambiguous chars: I/1/O/0
-    let code = "";
+    const chars = 'ABCDEFGHJKLMNPQRSTUVWXYZ23456789'; // no ambiguous chars: I/1/O/0
+    const charLen = chars.length; // 31
+    const maxUnbiased = 248; // largest multiple of 31 below 256 (31 * 8 = 248)
+    let code = '';
     const bytes = crypto.getRandomValues(new Uint8Array(length));
     for (let i = 0; i < length; i++) {
-        code += chars[bytes[i] % chars.length];
+        let byte = bytes[i];
+        while (byte >= maxUnbiased) {
+            byte = crypto.getRandomValues(new Uint8Array(1))[0];
+        }
+        code += chars[byte % charLen];
     }
     return code;
 }
-function generateRecoveryCodes() {
-    const count = getMfaRecoveryCodeCount();
+function generateRecoveryCodes(runtime) {
+    const count = runtime.config.mfa?.recoveryCodes ?? 10;
     const plainCodes = [];
     const hashedCodes = [];
     for (let i = 0; i < count; i++) {
@@ -30,96 +31,118 @@ function generateRecoveryCodes() {
     }
     return { plainCodes, hashedCodes };
 }
-export const setupMfa = async (userId) => {
-    const adapter = getAuthAdapter();
+export const setupMfa = async (userId, runtime) => {
+    const { adapter, config } = runtime;
     if (!adapter.setMfaSecret)
-        throw new HttpError(501, "Auth adapter does not support MFA");
+        throw new HttpError(501, 'Auth adapter does not support MFA');
     const otpauth = await getOtpAuth();
     const secret = new otpauth.Secret();
+    const mfaCfg = config.mfa;
     const totp = new otpauth.TOTP({
-        issuer: getMfaIssuer(),
+        issuer: mfaCfg?.issuer ?? config.appName,
         label: userId,
-        algorithm: getMfaAlgorithm(),
-        digits: getMfaDigits(),
-        period: getMfaPeriod(),
+        algorithm: mfaCfg?.algorithm ?? 'SHA1',
+        digits: mfaCfg?.digits ?? 6,
+        period: mfaCfg?.period ?? 30,
         secret,
     });
     // Store the secret but don't enable MFA yet — user must confirm with a code
-    await adapter.setMfaSecret(userId, secret.base32);
+    // Encrypt at rest when encryption keys are available; store plaintext in dev otherwise.
+    const deks = [...runtime.dataEncryptionKeys];
+    const storedSecret = deks.length > 0 ? await encryptField(secret.base32, deks) : secret.base32;
+    await adapter.setMfaSecret(userId, storedSecret);
     return {
         secret: secret.base32,
         uri: totp.toString(),
     };
 };
-export const verifySetup = async (userId, code) => {
-    const adapter = getAuthAdapter();
+/**
+ * Resolve a stored MFA secret: decrypt it if it looks like an encrypted ciphertext
+ * (produced by encryptField), otherwise return as-is (plaintext — allowed in dev).
+ */
+async function resolveStoredSecret(stored, runtime) {
+    if (isEncryptedField(stored)) {
+        const deks = [...runtime.dataEncryptionKeys];
+        if (deks.length === 0) {
+            throw new HttpError(500, 'TOTP secret is encrypted but BUNSHOT_DATA_ENCRYPTION_KEY is not set');
+        }
+        return decryptField(stored, deks);
+    }
+    return stored;
+}
+export const verifySetup = async (userId, code, runtime) => {
+    const { adapter, config } = runtime;
     if (!adapter.getMfaSecret || !adapter.setMfaEnabled || !adapter.setRecoveryCodes) {
-        throw new HttpError(501, "Auth adapter does not support MFA");
+        throw new HttpError(501, 'Auth adapter does not support MFA');
     }
-    const secretStr = await adapter.getMfaSecret(userId);
-    if (!secretStr)
-        throw new HttpError(400, "MFA setup not initiated. Call POST /auth/mfa/setup first.");
+    const storedSecretStr = await adapter.getMfaSecret(userId);
+    if (!storedSecretStr)
+        throw new HttpError(400, 'MFA setup not initiated. Call POST /auth/mfa/setup first.');
+    const secretStr = await resolveStoredSecret(storedSecretStr, runtime);
+    const mfaCfg = config.mfa;
     const otpauth = await getOtpAuth();
     const totp = new otpauth.TOTP({
-        issuer: getMfaIssuer(),
-        algorithm: getMfaAlgorithm(),
-        digits: getMfaDigits(),
-        period: getMfaPeriod(),
+        issuer: mfaCfg?.issuer ?? config.appName,
+        algorithm: mfaCfg?.algorithm ?? 'SHA1',
+        digits: mfaCfg?.digits ?? 6,
+        period: mfaCfg?.period ?? 30,
         secret: otpauth.Secret.fromBase32(secretStr),
     });
     const delta = totp.validate({ token: code, window: 1 });
     if (delta === null)
-        throw new HttpError(401, "Invalid TOTP code");
+        throw new HttpError(401, 'Invalid TOTP code');
     // Generate recovery codes (regenerates if enabling a second method)
-    const { plainCodes, hashedCodes } = generateRecoveryCodes();
+    const { plainCodes, hashedCodes } = generateRecoveryCodes(runtime);
     await adapter.setRecoveryCodes(userId, hashedCodes);
     await adapter.setMfaEnabled(userId, true);
     // Add "totp" to mfaMethods
     if (adapter.getMfaMethods && adapter.setMfaMethods) {
         const methods = await adapter.getMfaMethods(userId);
-        if (!methods.includes("totp")) {
-            await adapter.setMfaMethods(userId, [...methods, "totp"]);
+        if (!methods.includes('totp')) {
+            await adapter.setMfaMethods(userId, [...methods, 'totp']);
         }
     }
     return plainCodes;
 };
-export const verifyTotp = async (userId, code) => {
-    const adapter = getAuthAdapter();
+export const verifyTotp = async (userId, code, runtime) => {
+    const { adapter, config } = runtime;
     if (!adapter.getMfaSecret)
-        throw new HttpError(501, "Auth adapter does not support MFA");
-    const secretStr = await adapter.getMfaSecret(userId);
-    if (!secretStr)
+        throw new HttpError(501, 'Auth adapter does not support MFA');
+    const storedSecretStr = await adapter.getMfaSecret(userId);
+    if (!storedSecretStr)
         return false;
+    const secretStr = await resolveStoredSecret(storedSecretStr, runtime);
+    const mfaCfg = config.mfa;
     const otpauth = await getOtpAuth();
     const totp = new otpauth.TOTP({
-        issuer: getMfaIssuer(),
-        algorithm: getMfaAlgorithm(),
-        digits: getMfaDigits(),
-        period: getMfaPeriod(),
+        issuer: mfaCfg?.issuer ?? config.appName,
+        algorithm: mfaCfg?.algorithm ?? 'SHA1',
+        digits: mfaCfg?.digits ?? 6,
+        period: mfaCfg?.period ?? 30,
         secret: otpauth.Secret.fromBase32(secretStr),
     });
     return totp.validate({ token: code, window: 1 }) !== null;
 };
-export const verifyRecoveryCode = async (userId, code) => {
-    const adapter = getAuthAdapter();
-    if (!adapter.getRecoveryCodes || !adapter.removeRecoveryCode)
-        return false;
-    const hashedCodes = await adapter.getRecoveryCodes(userId);
+export const verifyRecoveryCode = async (userId, code, runtime) => {
+    const { adapter } = runtime;
+    // consumeRecoveryCode is a required method on all adapters that support MFA.
+    // It atomically finds and removes the code in a single operation, eliminating the race
+    // condition where two concurrent requests could both match the same code.
+    // Note: timing is now at the DB level rather than using timingSafeEqual in application code.
+    // This is acceptable — the code is SHA-256 hashed before storage, so constant-time
+    // comparison in app code was only preventing hash enumeration, not timing-based attacks
+    // on the plaintext (which is already protected by the hash itself).
     const hashedInput = sha256(code.toUpperCase());
-    const match = hashedCodes.find((h) => timingSafeEqual(h, hashedInput));
-    if (!match)
-        return false;
-    await adapter.removeRecoveryCode(userId, match);
-    return true;
+    return adapter.consumeRecoveryCode(userId, hashedInput);
 };
-export const disableMfa = async (userId, code) => {
-    const adapter = getAuthAdapter();
+export const disableMfa = async (userId, code, runtime) => {
+    const { adapter } = runtime;
     if (!adapter.setMfaEnabled || !adapter.setMfaSecret || !adapter.setRecoveryCodes) {
-        throw new HttpError(501, "Auth adapter does not support MFA");
+        throw new HttpError(501, 'Auth adapter does not support MFA');
     }
-    const valid = await verifyTotp(userId, code);
+    const valid = await verifyTotp(userId, code, runtime);
     if (!valid)
-        throw new HttpError(401, "Invalid TOTP code");
+        throw new HttpError(401, 'Invalid TOTP code');
     await adapter.setMfaEnabled(userId, false);
     await adapter.setMfaSecret(userId, null);
     await adapter.setRecoveryCodes(userId, []);
@@ -128,14 +151,14 @@ export const disableMfa = async (userId, code) => {
         await adapter.setMfaMethods(userId, []);
     }
 };
-export const regenerateRecoveryCodes = async (userId, code) => {
-    const adapter = getAuthAdapter();
+export const regenerateRecoveryCodes = async (userId, code, runtime) => {
+    const { adapter } = runtime;
     if (!adapter.setRecoveryCodes)
-        throw new HttpError(501, "Auth adapter does not support MFA");
-    const valid = await verifyTotp(userId, code);
+        throw new HttpError(501, 'Auth adapter does not support MFA');
+    const valid = await verifyTotp(userId, code, runtime);
     if (!valid)
-        throw new HttpError(401, "Invalid TOTP code");
-    const { plainCodes, hashedCodes } = generateRecoveryCodes();
+        throw new HttpError(401, 'Invalid TOTP code');
+    const { plainCodes, hashedCodes } = generateRecoveryCodes(runtime);
     await adapter.setRecoveryCodes(userId, hashedCodes);
     return plainCodes;
 };
@@ -143,12 +166,17 @@ export const regenerateRecoveryCodes = async (userId, code) => {
 // Email OTP
 // ---------------------------------------------------------------------------
 /** Generate a cryptographically random numeric OTP code. Returns { code, hash }. */
-export const generateEmailOtpCode = (length) => {
-    const len = length ?? getMfaEmailOtpCodeLength();
+export const generateEmailOtpCode = (runtime, length) => {
+    const len = length ?? runtime.config.mfa?.emailOtp?.codeLength ?? 6;
+    const maxUnbiased = 250; // largest multiple of 10 below 256 (10 * 25 = 250)
     const bytes = crypto.getRandomValues(new Uint8Array(len));
-    let code = "";
+    let code = '';
     for (let i = 0; i < len; i++) {
-        code += (bytes[i] % 10).toString();
+        let byte = bytes[i];
+        while (byte >= maxUnbiased) {
+            byte = crypto.getRandomValues(new Uint8Array(1))[0];
+        }
+        code += (byte % 10).toString();
     }
     return { code, hash: sha256(code) };
 };
@@ -160,59 +188,59 @@ export const verifyEmailOtp = (emailOtpHash, code) => {
  * Initiate email OTP setup: sends a verification code to the user's email.
  * Returns a setup challenge token that must be confirmed via confirmEmailOtp.
  */
-export const initiateEmailOtp = async (userId) => {
-    const adapter = getAuthAdapter();
-    const emailOtpConfig = getMfaEmailOtpConfig();
+export const initiateEmailOtp = async (userId, runtime) => {
+    const { adapter, eventBus, config } = runtime;
+    const emailOtpConfig = config.mfa?.emailOtp ?? null;
     if (!emailOtpConfig)
-        throw new HttpError(501, "Email OTP is not configured");
+        throw new HttpError(501, 'Email OTP is not configured');
     const user = adapter.getUser ? await adapter.getUser(userId) : null;
     if (!user?.email)
-        throw new HttpError(400, "No email address on account");
-    const { code, hash } = generateEmailOtpCode();
-    await emailOtpConfig.onSend(user.email, code);
+        throw new HttpError(400, 'No email address on account');
+    const { code, hash } = generateEmailOtpCode(runtime);
+    eventBus.emit('auth:delivery.email_otp', { email: user.email, code });
     // Store the hash in a challenge token for verification
-    const setupToken = await createMfaChallenge(userId, { emailOtpHash: hash });
+    const setupToken = await createMfaChallenge(runtime.repos.mfaChallenge, userId, { emailOtpHash: hash }, config);
     return setupToken;
 };
 /**
  * Confirm email OTP setup: verifies the code sent during initiateEmailOtp.
  * Enables email OTP as an MFA method. Returns recovery codes if MFA was not previously active.
  */
-export const confirmEmailOtp = async (userId, setupToken, code) => {
-    const adapter = getAuthAdapter();
+export const confirmEmailOtp = async (userId, setupToken, code, runtime) => {
+    const { adapter } = runtime;
     if (!adapter.setMfaEnabled || !adapter.setRecoveryCodes) {
-        throw new HttpError(501, "Auth adapter does not support MFA");
+        throw new HttpError(501, 'Auth adapter does not support MFA');
     }
     // Import consumeMfaChallenge here to avoid circular dependency issues at module level
-    const { consumeMfaChallenge } = await import("../lib/mfaChallenge");
-    const challenge = await consumeMfaChallenge(setupToken);
+    const { consumeMfaChallenge } = await import('../lib/mfaChallenge');
+    const challenge = await consumeMfaChallenge(runtime.repos.mfaChallenge, setupToken);
     if (!challenge)
-        throw new HttpError(401, "Invalid or expired setup token");
+        throw new HttpError(401, 'Invalid or expired setup token');
     if (challenge.userId !== userId)
-        throw new HttpError(401, "Token does not match user");
+        throw new HttpError(401, 'Token does not match user');
     if (!challenge.emailOtpHash)
-        throw new HttpError(400, "Invalid setup token — no OTP hash");
+        throw new HttpError(400, 'Invalid setup token — no OTP hash');
     if (!verifyEmailOtp(challenge.emailOtpHash, code)) {
-        throw new HttpError(401, "Invalid verification code");
+        throw new HttpError(401, 'Invalid verification code');
     }
     // Check if MFA was already active
     const wasEnabled = adapter.isMfaEnabled ? await adapter.isMfaEnabled(userId) : false;
     // Add "emailOtp" to mfaMethods
     if (adapter.getMfaMethods && adapter.setMfaMethods) {
         const methods = await adapter.getMfaMethods(userId);
-        if (!methods.includes("emailOtp")) {
-            await adapter.setMfaMethods(userId, [...methods, "emailOtp"]);
+        if (!methods.includes('emailOtp')) {
+            await adapter.setMfaMethods(userId, [...methods, 'emailOtp']);
         }
     }
     await adapter.setMfaEnabled(userId, true);
     // Generate recovery codes if MFA was not previously active
     if (!wasEnabled) {
-        const { plainCodes, hashedCodes } = generateRecoveryCodes();
+        const { plainCodes, hashedCodes } = generateRecoveryCodes(runtime);
         await adapter.setRecoveryCodes(userId, hashedCodes);
         return plainCodes;
     }
     // Regenerate recovery codes when adding a second method
-    const { plainCodes, hashedCodes } = generateRecoveryCodes();
+    const { plainCodes, hashedCodes } = generateRecoveryCodes(runtime);
     await adapter.setRecoveryCodes(userId, hashedCodes);
     return plainCodes;
 };
@@ -220,37 +248,31 @@ export const confirmEmailOtp = async (userId, setupToken, code) => {
  * Disable email OTP for a user.
  * If TOTP is also enabled, requires a TOTP code. Otherwise requires password.
  */
-export const disableEmailOtp = async (userId, params) => {
-    const adapter = getAuthAdapter();
+export const disableEmailOtp = async (userId, params, runtime) => {
+    const { adapter } = runtime;
     if (!adapter.setMfaEnabled)
-        throw new HttpError(501, "Auth adapter does not support MFA");
+        throw new HttpError(501, 'Auth adapter does not support MFA');
     // Get current methods
     const methods = adapter.getMfaMethods ? await adapter.getMfaMethods(userId) : [];
-    const hasTotpEnabled = methods.includes("totp");
+    const hasTotpEnabled = methods.includes('totp');
     // Verify identity
     if (hasTotpEnabled) {
         if (!params.code)
-            throw new HttpError(400, "TOTP code required to disable email OTP");
-        const valid = await verifyTotp(userId, params.code);
+            throw new HttpError(400, 'TOTP code required to disable email OTP');
+        const valid = await verifyTotp(userId, params.code, runtime);
         if (!valid)
-            throw new HttpError(401, "Invalid TOTP code");
+            throw new HttpError(401, 'Invalid TOTP code');
     }
     else {
         if (!params.password)
-            throw new HttpError(400, "Password required to disable email OTP");
-        // Verify password — look up the user's hash and compare
-        const user = adapter.findByIdentifier
-            ? await adapter.findByIdentifier((await adapter.getUser?.(userId))?.email ?? "")
-            : await adapter.findByEmail((await adapter.getUser?.(userId))?.email ?? "");
-        if (!user)
-            throw new HttpError(404, "User not found");
-        const valid = await Bun.password.verify(params.password, user.passwordHash);
+            throw new HttpError(400, 'Password required to disable email OTP');
+        const valid = await adapter.verifyPassword(userId, params.password);
         if (!valid)
-            throw new HttpError(401, "Invalid password");
+            throw new HttpError(401, 'Invalid password');
     }
     // Remove "emailOtp" from methods
     if (adapter.setMfaMethods) {
-        const updated = methods.filter((m) => m !== "emailOtp");
+        const updated = methods.filter(m => m !== 'emailOtp');
         await adapter.setMfaMethods(userId, updated);
         // If no methods remain, disable MFA entirely
         if (updated.length === 0) {
@@ -261,45 +283,39 @@ export const disableEmailOtp = async (userId, params) => {
     }
 };
 /** Get the MFA methods enabled for a user. */
-export const getMfaMethods = async (userId) => {
-    const adapter = getAuthAdapter();
+export const getMfaMethods = async (userId, runtime) => {
+    const { adapter } = runtime;
     if (adapter.getMfaMethods)
         return adapter.getMfaMethods(userId);
-    // Backward compat
-    if (adapter.isMfaEnabled && await adapter.isMfaEnabled(userId))
-        return ["totp"];
     return [];
 };
 // ---------------------------------------------------------------------------
 // WebAuthn / FIDO2
 // ---------------------------------------------------------------------------
 // Lazy-load @simplewebauthn/server to keep it as an optional peer dependency
-let _simplewebauthn = null;
 async function getSimpleWebAuthn() {
-    if (!_simplewebauthn)
-        _simplewebauthn = await import("@simplewebauthn/server");
-    return _simplewebauthn;
+    return import('@simplewebauthn/server');
 }
 /**
  * Eager startup check — call at route mount time to fail fast if the peer dependency is missing.
  */
 export const assertWebAuthnDependency = async () => {
     try {
-        await import("@simplewebauthn/server");
+        await import('@simplewebauthn/server');
     }
     catch {
-        throw new Error("@simplewebauthn/server is required when mfa.webauthn is configured. Install it: bun add @simplewebauthn/server");
+        throw new Error('@simplewebauthn/server is required when mfa.webauthn is configured. Install it: bun add @simplewebauthn/server');
     }
 };
 /**
  * Generate WebAuthn authentication options for the login MFA flow.
  * Called from auth.ts login when the user has "webauthn" in their methods.
  */
-export const generateWebAuthnAuthenticationOptions = async (userId) => {
-    const config = getMfaWebAuthnConfig();
+export const generateWebAuthnAuthenticationOptions = async (userId, runtime) => {
+    const config = runtime.config.mfa?.webauthn ?? null;
     if (!config)
         return null;
-    const adapter = getAuthAdapter();
+    const { adapter } = runtime;
     if (!adapter.getWebAuthnCredentials)
         return null;
     const credentials = await adapter.getWebAuthnCredentials(userId);
@@ -308,11 +324,11 @@ export const generateWebAuthnAuthenticationOptions = async (userId) => {
     const { generateAuthenticationOptions } = await getSimpleWebAuthn();
     const options = await generateAuthenticationOptions({
         rpID: config.rpId,
-        allowCredentials: credentials.map((c) => ({
+        allowCredentials: credentials.map(c => ({
             id: c.credentialId,
             transports: c.transports,
         })),
-        userVerification: config.userVerification ?? "preferred",
+        userVerification: config.userVerification ?? 'preferred',
         timeout: config.timeout ?? 60000,
     });
     return { challenge: options.challenge, options: options };
@@ -321,55 +337,55 @@ export const generateWebAuthnAuthenticationOptions = async (userId) => {
  * Initiate WebAuthn registration: generates registration options for the client.
  * Returns options + a registration challenge token.
  */
-export const initiateWebAuthnRegistration = async (userId) => {
-    const config = getMfaWebAuthnConfig();
+export const initiateWebAuthnRegistration = async (userId, runtime) => {
+    const config = runtime.config.mfa?.webauthn ?? null;
     if (!config)
-        throw new HttpError(501, "WebAuthn is not configured");
-    const adapter = getAuthAdapter();
+        throw new HttpError(501, 'WebAuthn is not configured');
+    const { adapter } = runtime;
     if (!adapter.getWebAuthnCredentials)
-        throw new HttpError(501, "Auth adapter does not support WebAuthn");
+        throw new HttpError(501, 'Auth adapter does not support WebAuthn');
     const user = adapter.getUser ? await adapter.getUser(userId) : null;
     // Get existing credentials to exclude (prevent re-registration)
     const existingCreds = await adapter.getWebAuthnCredentials(userId);
     const { generateRegistrationOptions } = await getSimpleWebAuthn();
     const options = await generateRegistrationOptions({
-        rpName: config.rpName ?? getAppName(),
+        rpName: config.rpName ?? runtime.config.appName,
         rpID: config.rpId,
         userName: user?.email ?? userId,
-        attestationType: config.attestationType ?? "none",
-        excludeCredentials: existingCreds.map((c) => ({
+        attestationType: config.attestationType ?? 'none',
+        excludeCredentials: existingCreds.map(c => ({
             id: c.credentialId,
             transports: c.transports,
         })),
         authenticatorSelection: {
             authenticatorAttachment: config.authenticatorAttachment,
-            userVerification: config.userVerification ?? "required",
-            residentKey: "required",
+            userVerification: config.userVerification ?? 'required',
+            residentKey: 'required',
         },
         timeout: config.timeout ?? 60000,
     });
-    const { createWebAuthnRegistrationChallenge } = await import("../lib/mfaChallenge");
-    const registrationToken = await createWebAuthnRegistrationChallenge(userId, options.challenge);
+    const { createWebAuthnRegistrationChallenge } = await import('../lib/mfaChallenge');
+    const registrationToken = await createWebAuthnRegistrationChallenge(runtime.repos.mfaChallenge, userId, options.challenge, runtime.config);
     return { options: options, registrationToken };
 };
 /**
  * Complete WebAuthn registration: verifies attestation and stores the credential.
  * Returns recovery codes if this is the first MFA method.
  */
-export const completeWebAuthnRegistration = async (userId, registrationToken, attestationResponse, name) => {
-    const config = getMfaWebAuthnConfig();
+export const completeWebAuthnRegistration = async (userId, registrationToken, attestationResponse, runtime, name) => {
+    const config = runtime.config.mfa?.webauthn ?? null;
     if (!config)
-        throw new HttpError(501, "WebAuthn is not configured");
-    const adapter = getAuthAdapter();
+        throw new HttpError(501, 'WebAuthn is not configured');
+    const { adapter } = runtime;
     if (!adapter.addWebAuthnCredential || !adapter.setMfaEnabled || !adapter.setRecoveryCodes) {
-        throw new HttpError(501, "Auth adapter does not support WebAuthn");
+        throw new HttpError(501, 'Auth adapter does not support WebAuthn');
     }
-    const { consumeWebAuthnRegistrationChallenge } = await import("../lib/mfaChallenge");
-    const challenge = await consumeWebAuthnRegistrationChallenge(registrationToken);
+    const { consumeWebAuthnRegistrationChallenge } = await import('../lib/mfaChallenge');
+    const challenge = await consumeWebAuthnRegistrationChallenge(runtime.repos.mfaChallenge, registrationToken);
     if (!challenge)
-        throw new HttpError(401, "Invalid or expired registration token");
+        throw new HttpError(401, 'Invalid or expired registration token');
     if (challenge.userId !== userId)
-        throw new HttpError(401, "Token does not match user");
+        throw new HttpError(401, 'Token does not match user');
     const { verifyRegistrationResponse } = await getSimpleWebAuthn();
     const verification = await verifyRegistrationResponse({
         response: attestationResponse,
@@ -378,7 +394,7 @@ export const completeWebAuthnRegistration = async (userId, registrationToken, at
         expectedRPID: config.rpId,
     });
     if (!verification.verified || !verification.registrationInfo) {
-        throw new HttpError(401, "WebAuthn registration verification failed");
+        throw new HttpError(401, 'WebAuthn registration verification failed');
     }
     const { credential } = verification.registrationInfo;
     const credentialId = credential.id;
@@ -386,12 +402,12 @@ export const completeWebAuthnRegistration = async (userId, registrationToken, at
     if (adapter.findUserByWebAuthnCredentialId) {
         const existingOwner = await adapter.findUserByWebAuthnCredentialId(credentialId);
         if (existingOwner && existingOwner !== userId) {
-            throw new HttpError(409, "This security key is already registered to another account");
+            throw new HttpError(409, 'This security key is already registered to another account');
         }
     }
     const newCredential = {
         credentialId,
-        publicKey: Buffer.from(credential.publicKey).toString("base64url"),
+        publicKey: Buffer.from(credential.publicKey).toString('base64url'),
         signCount: credential.counter,
         transports: attestationResponse.response?.transports ?? [],
         name: name ?? undefined,
@@ -401,29 +417,29 @@ export const completeWebAuthnRegistration = async (userId, registrationToken, at
     // Add "webauthn" to methods
     if (adapter.getMfaMethods && adapter.setMfaMethods) {
         const methods = await adapter.getMfaMethods(userId);
-        if (!methods.includes("webauthn")) {
-            await adapter.setMfaMethods(userId, [...methods, "webauthn"]);
+        if (!methods.includes('webauthn')) {
+            await adapter.setMfaMethods(userId, [...methods, 'webauthn']);
         }
     }
     // Enable MFA + generate/regenerate recovery codes
     await adapter.setMfaEnabled(userId, true);
-    const { plainCodes, hashedCodes } = generateRecoveryCodes();
+    const { plainCodes, hashedCodes } = generateRecoveryCodes(runtime);
     await adapter.setRecoveryCodes(userId, hashedCodes);
     return { credentialId, recoveryCodes: plainCodes };
 };
 /**
  * Verify a WebAuthn authentication assertion during login MFA.
  */
-export const verifyWebAuthn = async (userId, assertionResponse, expectedChallenge) => {
-    const config = getMfaWebAuthnConfig();
+export const verifyWebAuthn = async (userId, assertionResponse, expectedChallenge, runtime) => {
+    const config = runtime.config.mfa?.webauthn ?? null;
     if (!config)
         return false;
-    const adapter = getAuthAdapter();
+    const { adapter } = runtime;
     if (!adapter.getWebAuthnCredentials || !adapter.updateWebAuthnCredentialSignCount)
         return false;
     const credentials = await adapter.getWebAuthnCredentials(userId);
     const credentialId = assertionResponse.id;
-    const matchedCred = credentials.find((c) => c.credentialId === credentialId);
+    const matchedCred = credentials.find(c => c.credentialId === credentialId);
     if (!matchedCred)
         return false;
     const { verifyAuthenticationResponse } = await getSimpleWebAuthn();
@@ -435,7 +451,7 @@ export const verifyWebAuthn = async (userId, assertionResponse, expectedChalleng
             expectedRPID: config.rpId,
             credential: {
                 id: matchedCred.credentialId,
-                publicKey: new Uint8Array(Buffer.from(matchedCred.publicKey, "base64url")),
+                publicKey: new Uint8Array(Buffer.from(matchedCred.publicKey, 'base64url')),
                 counter: matchedCred.signCount,
                 transports: matchedCred.transports,
             },
@@ -462,26 +478,26 @@ export const verifyWebAuthn = async (userId, assertionResponse, expectedChalleng
  * Remove a single WebAuthn credential.
  * Only requires identity verification when removing the last credential of the last MFA method.
  */
-export const removeWebAuthnCredential = async (userId, credentialId, params) => {
-    const adapter = getAuthAdapter();
+export const removeWebAuthnCredential = async (userId, credentialId, params, runtime) => {
+    const { adapter } = runtime;
     if (!adapter.getWebAuthnCredentials || !adapter.removeWebAuthnCredential) {
-        throw new HttpError(501, "Auth adapter does not support WebAuthn");
+        throw new HttpError(501, 'Auth adapter does not support WebAuthn');
     }
     const credentials = await adapter.getWebAuthnCredentials(userId);
-    if (!credentials.some((c) => c.credentialId === credentialId)) {
-        throw new HttpError(404, "Credential not found");
+    if (!credentials.some(c => c.credentialId === credentialId)) {
+        throw new HttpError(404, 'Credential not found');
     }
     const methods = adapter.getMfaMethods ? await adapter.getMfaMethods(userId) : [];
-    const otherMethodsExist = methods.some((m) => m !== "webauthn");
+    const otherMethodsExist = methods.some(m => m !== 'webauthn');
     const otherCredsExist = credentials.length > 1;
     // Only require verification when removing the last credential of the last method
     if (!otherMethodsExist && !otherCredsExist) {
-        await verifyIdentity(userId, params);
+        await verifyIdentity(userId, params, runtime);
     }
     await adapter.removeWebAuthnCredential(userId, credentialId);
     // If that was the last credential, remove "webauthn" from methods
     if (!otherCredsExist && adapter.setMfaMethods) {
-        const updated = methods.filter((m) => m !== "webauthn");
+        const updated = methods.filter(m => m !== 'webauthn');
         await adapter.setMfaMethods(userId, updated);
         // If no methods remain, disable MFA entirely
         if (updated.length === 0 && adapter.setMfaEnabled) {
@@ -494,12 +510,12 @@ export const removeWebAuthnCredential = async (userId, credentialId, params) =>
 /**
  * Disable WebAuthn entirely: removes all credentials and the method.
  */
-export const disableWebAuthn = async (userId, params) => {
-    const adapter = getAuthAdapter();
+export const disableWebAuthn = async (userId, params, runtime) => {
+    const { adapter } = runtime;
     if (!adapter.getWebAuthnCredentials || !adapter.removeWebAuthnCredential) {
-        throw new HttpError(501, "Auth adapter does not support WebAuthn");
+        throw new HttpError(501, 'Auth adapter does not support WebAuthn');
     }
-    await verifyIdentity(userId, params);
+    await verifyIdentity(userId, params, runtime);
     const credentials = await adapter.getWebAuthnCredentials(userId);
     for (const cred of credentials) {
         await adapter.removeWebAuthnCredential(userId, cred.credentialId);
@@ -507,7 +523,7 @@ export const disableWebAuthn = async (userId, params) => {
     // Remove "webauthn" from methods
     if (adapter.getMfaMethods && adapter.setMfaMethods) {
         const methods = await adapter.getMfaMethods(userId);
-        const updated = methods.filter((m) => m !== "webauthn");
+        const updated = methods.filter(m => m !== 'webauthn');
         await adapter.setMfaMethods(userId, updated);
         if (updated.length === 0 && adapter.setMfaEnabled) {
             await adapter.setMfaEnabled(userId, false);
@@ -516,28 +532,88 @@ export const disableWebAuthn = async (userId, params) => {
         }
     }
 };
+// ---------------------------------------------------------------------------
+// verifyAnyFactor — unified factor verification for reauth / destructive actions
+// ---------------------------------------------------------------------------
+/**
+ * Verify any supported authentication factor for a given user + session.
+ * Used by step-up, account deletion, and MFA disable flows.
+ *
+ * - "totp": TOTP code
+ * - "recovery": recovery code (only when method is explicitly "recovery")
+ * - "password": account password
+ * - "emailOtp": email OTP via reauth challenge token
+ * - "webauthn": WebAuthn assertion via reauth challenge token
+ *
+ * Hard boundaries:
+ *  - "recovery" is ONLY checked when method is explicitly "recovery"
+ *  - emailOtp / webauthn consume a reauth challenge bound to sessionId
+ *
+ * Returns false (never throws) when required params are missing.
+ */
+export async function verifyAnyFactor(userId, sessionId, runtime, params) {
+    const { method, code, password, reauthToken, webauthnResponse } = params;
+    if (!method)
+        return false;
+    const { adapter } = runtime;
+    try {
+        if (method === 'totp') {
+            if (!code)
+                return false;
+            return verifyTotp(userId, code, runtime);
+        }
+        if (method === 'recovery') {
+            if (!code)
+                return false;
+            const hashedInput = sha256(code.toUpperCase());
+            return adapter.consumeRecoveryCode(userId, hashedInput);
+        }
+        if (method === 'password') {
+            if (!password)
+                return false;
+            return adapter.verifyPassword(userId, password);
+        }
+        if (method === 'emailOtp') {
+            if (!reauthToken || !code)
+                return false;
+            const { consumeReauthChallenge } = await import('../lib/mfaChallenge');
+            const challenge = await consumeReauthChallenge(runtime.repos.mfaChallenge, reauthToken, sessionId);
+            if (!challenge || !challenge.emailOtpHash)
+                return false;
+            return timingSafeEqual(sha256(code), challenge.emailOtpHash);
+        }
+        if (method === 'webauthn') {
+            if (!reauthToken || !webauthnResponse)
+                return false;
+            const { consumeReauthChallenge } = await import('../lib/mfaChallenge');
+            const challenge = await consumeReauthChallenge(runtime.repos.mfaChallenge, reauthToken, sessionId);
+            if (!challenge || !challenge.webauthnChallenge)
+                return false;
+            return verifyWebAuthn(userId, webauthnResponse, challenge.webauthnChallenge, runtime);
+        }
+        return false;
+    }
+    catch {
+        return false;
+    }
+}
 /** Internal: verify identity via TOTP code or password. */
-async function verifyIdentity(userId, params) {
-    const adapter = getAuthAdapter();
+async function verifyIdentity(userId, params, runtime) {
+    const { adapter } = runtime;
     const methods = adapter.getMfaMethods ? await adapter.getMfaMethods(userId) : [];
-    const hasTotpEnabled = methods.includes("totp");
+    const hasTotpEnabled = methods.includes('totp');
     if (hasTotpEnabled) {
         if (!params.code)
-            throw new HttpError(400, "TOTP code required");
-        const valid = await verifyTotp(userId, params.code);
+            throw new HttpError(400, 'TOTP code required');
+        const valid = await verifyTotp(userId, params.code, runtime);
         if (!valid)
-            throw new HttpError(401, "Invalid TOTP code");
+            throw new HttpError(401, 'Invalid TOTP code');
     }
     else {
         if (!params.password)
-            throw new HttpError(400, "Password required");
-        const user = adapter.findByIdentifier
-            ? await adapter.findByIdentifier((await adapter.getUser?.(userId))?.email ?? "")
-            : await adapter.findByEmail((await adapter.getUser?.(userId))?.email ?? "");
-        if (!user)
-            throw new HttpError(404, "User not found");
-        const valid = await Bun.password.verify(params.password, user.passwordHash);
+            throw new HttpError(400, 'Password required');
+        const valid = await adapter.verifyPassword(userId, params.password);
         if (!valid)
-            throw new HttpError(401, "Invalid password");
+            throw new HttpError(401, 'Invalid password');
     }
 }