@lastshotlabs/bunshot 0.0.27 → 0.0.28

package/dist/src/framework/secrets/providers/ssmProvider.js

@@ -0,0 +1,127 @@
+export function createSsmSecretRepository(opts) {
+    const { pathPrefix, region, withDecryption = true } = opts;
+    const cacheTtl = opts.cacheTtlMs ?? 300_000;
+    // Closure-owned state — no module globals
+    const cache = new Map();
+    let ssmClient = null;
+    async function requireSsm() {
+        try {
+            // eslint-disable-next-line @typescript-eslint/no-implied-eval
+            return await new Function('specifier', 'return import(specifier)')('@aws-sdk/client-ssm');
+        }
+        catch {
+            throw new Error('SSM secret repository requires @aws-sdk/client-ssm to be installed');
+        }
+    }
+    async function getClient() {
+        if (ssmClient)
+            return ssmClient;
+        const { SSMClient } = await requireSsm();
+        ssmClient = new SSMClient({ region: region ?? process.env.AWS_REGION ?? 'us-east-1' });
+        return ssmClient;
+    }
+    function stripPrefix(name) {
+        return name.startsWith(pathPrefix) ? name.slice(pathPrefix.length) : name;
+    }
+    function getCached(key) {
+        const entry = cache.get(key);
+        if (!entry)
+            return null;
+        if (entry.expiresAt <= Date.now()) {
+            cache.delete(key);
+            return null;
+        }
+        return entry.value;
+    }
+    function setCache(key, value) {
+        cache.set(key, { value, expiresAt: Date.now() + cacheTtl });
+    }
+    return {
+        name: 'ssm',
+        async initialize() {
+            const client = await getClient();
+            const { GetParametersByPathCommand } = await requireSsm();
+            let nextToken;
+            do {
+                const cmd = new GetParametersByPathCommand({
+                    Path: pathPrefix,
+                    Recursive: true,
+                    WithDecryption: withDecryption,
+                    NextToken: nextToken,
+                });
+                const resp = await client.send(cmd);
+                for (const param of resp.Parameters ?? []) {
+                    if (param.Name && param.Value) {
+                        setCache(stripPrefix(param.Name), param.Value);
+                    }
+                }
+                nextToken = resp.NextToken;
+            } while (nextToken);
+        },
+        async get(key) {
+            const cached = getCached(key);
+            if (cached !== null)
+                return cached;
+            const client = await getClient();
+            const { GetParameterCommand } = await requireSsm();
+            try {
+                const cmd = new GetParameterCommand({
+                    Name: pathPrefix + key,
+                    WithDecryption: withDecryption,
+                });
+                const resp = await client.send(cmd);
+                const value = resp.Parameter?.Value ?? null;
+                if (value !== null)
+                    setCache(key, value);
+                return value;
+            }
+            catch (err) {
+                if (err.name === 'ParameterNotFound')
+                    return null;
+                throw err;
+            }
+        },
+        async getMany(keys) {
+            const result = new Map();
+            const uncached = [];
+            for (const key of keys) {
+                const cached = getCached(key);
+                if (cached !== null) {
+                    result.set(key, cached);
+                }
+                else {
+                    uncached.push(key);
+                }
+            }
+            if (uncached.length > 0) {
+                const client = await getClient();
+                const { GetParametersCommand } = await requireSsm();
+                // GetParameters supports max 10 names per call
+                for (let i = 0; i < uncached.length; i += 10) {
+                    const batch = uncached.slice(i, i + 10);
+                    const cmd = new GetParametersCommand({
+                        Names: batch.map(k => pathPrefix + k),
+                        WithDecryption: withDecryption,
+                    });
+                    const resp = await client.send(cmd);
+                    for (const param of resp.Parameters ?? []) {
+                        if (param.Name && param.Value) {
+                            const key = stripPrefix(param.Name);
+                            setCache(key, param.Value);
+                            result.set(key, param.Value);
+                        }
+                    }
+                }
+            }
+            return result;
+        },
+        async refresh() {
+            cache.clear();
+            await this.initialize?.();
+        },
+        async destroy() {
+            cache.clear();
+            ssmClient = null;
+        },
+    };
+}

package/dist/src/framework/secrets/resolveSecretBundle.d.ts

@@ -0,0 +1,53 @@
+import type { ISecretRepository, ResolvedSecrets, SecretSchema, SecretStoreType } from '../../../packages/bunshot-core/src/index.js';
+import { frameworkSecretSchema } from './frameworkSecretSchema';
+/** Infrastructure options for secret store resolution — equivalent to StoreInfra */
+export interface SecretStoreInfra {
+    readonly prefix?: string;
+    readonly pathPrefix?: string;
+    readonly region?: string;
+    readonly directory?: string;
+    readonly extension?: string;
+    readonly cacheTtlMs?: number;
+    readonly withDecryption?: boolean;
+}
+export type SecretRepoFactories<T> = Record<SecretStoreType, (infra: SecretStoreInfra) => T | Promise<T>>;
+export declare function resolveSecretRepo<T>(factories: SecretRepoFactories<T>, storeType: SecretStoreType, infra: SecretStoreInfra): T | Promise<T>;
+export interface EnvSecretStoreConfig {
+    provider: 'env';
+    prefix?: string;
+    schema?: SecretSchema;
+}
+export interface SsmSecretStoreConfig {
+    provider: 'ssm';
+    pathPrefix: string;
+    region?: string;
+    schema?: SecretSchema;
+}
+export interface FileSecretStoreConfig {
+    provider: 'file';
+    directory: string;
+    schema?: SecretSchema;
+}
+export interface RegisteredSecretRepository {
+    provider: ISecretRepository;
+    schema?: SecretSchema;
+}
+export type SecretStoreConfig = EnvSecretStoreConfig | SsmSecretStoreConfig | FileSecretStoreConfig;
+export type SecretStoreInput = ISecretRepository | SecretStoreConfig | RegisteredSecretRepository | undefined;
+type MergeSchemas<A extends SecretSchema, B extends SecretSchema | undefined> = B extends SecretSchema ? A & B : A;
+type SecretRepoFactory<K extends SecretStoreType> = (config: Extract<SecretStoreConfig, {
+    provider: K;
+}>) => Promise<ISecretRepository> | ISecretRepository;
+export type SecretRepositoryFactories = {
+    [K in SecretStoreType]: SecretRepoFactory<K>;
+};
+export declare const secretRepositoryFactories: SecretRepositoryFactories;
+export interface ResolvedSecretBundle<S extends SecretSchema | undefined = undefined> {
+    readonly provider: ISecretRepository;
+    readonly framework: ResolvedSecrets<typeof frameworkSecretSchema>;
+    readonly app: S extends SecretSchema ? ResolvedSecrets<S> : null;
+    readonly merged: ResolvedSecrets<MergeSchemas<typeof frameworkSecretSchema, S>>;
+}
+export declare function resolveSecretRepo_fromInput(input: SecretStoreInput): Promise<ISecretRepository>;
+export declare function resolveSecretBundle<S extends SecretSchema | undefined = undefined>(input: SecretStoreInput): Promise<ResolvedSecretBundle<S>>;
+export {};

package/dist/src/framework/secrets/resolveSecretBundle.js

@@ -0,0 +1,84 @@
+import { frameworkSecretSchema } from './frameworkSecretSchema';
+import { createEnvSecretRepository } from './providers/envProvider';
+import { resolveSecrets } from './resolveSecrets';
+export function resolveSecretRepo(factories, storeType, infra) {
+    const factory = factories[storeType];
+    if (!factory)
+        throw new Error(`[secrets] Unsupported store type: ${storeType}`);
+    return factory(infra);
+}
+export const secretRepositoryFactories = {
+    env: config => createEnvSecretRepository({ prefix: config.prefix }),
+    ssm: async (config) => {
+        const { createSsmSecretRepository } = await import('./providers/ssmProvider');
+        return createSsmSecretRepository({
+            pathPrefix: config.pathPrefix,
+            region: config.region,
+        });
+    },
+    file: async (config) => {
+        const { createFileSecretRepository } = await import('./providers/fileProvider');
+        return createFileSecretRepository({ directory: config.directory });
+    },
+};
+function isSecretRepository(value) {
+    if (!value || typeof value !== 'object')
+        return false;
+    return 'name' in value && 'get' in value && 'getMany' in value;
+}
+function isRegisteredSecretRepository(value) {
+    if (!value || typeof value !== 'object' || !('provider' in value))
+        return false;
+    const provider = value.provider;
+    return !!provider && isSecretRepository(provider);
+}
+function getAppSecretSchema(input) {
+    if (!input || isSecretRepository(input))
+        return undefined;
+    if (isRegisteredSecretRepository(input))
+        return input.schema;
+    return input.schema;
+}
+function mergeSecretSchemas(frameworkSchema, appSchema) {
+    if (!appSchema) {
+        return frameworkSchema;
+    }
+    return {
+        ...frameworkSchema,
+        ...appSchema,
+    };
+}
+function pickResolvedSecrets(resolved, schema) {
+    const picked = {};
+    for (const key of Object.keys(schema)) {
+        picked[key] = resolved[key];
+    }
+    return Object.freeze(picked);
+}
+export async function resolveSecretRepo_fromInput(input) {
+    if (!input)
+        return createEnvSecretRepository();
+    if (isSecretRepository(input))
+        return input;
+    if (isRegisteredSecretRepository(input))
+        return input.provider;
+    const factory = secretRepositoryFactories[input.provider];
+    if (!factory) {
+        throw new Error(`[secrets] Unsupported provider type: ${input.provider}`);
+    }
+    return await factory(input);
+}
+export async function resolveSecretBundle(input) {
+    const provider = await resolveSecretRepo_fromInput(input);
+    const appSchema = getAppSecretSchema(input);
+    const mergedSchema = mergeSecretSchemas(frameworkSecretSchema, appSchema);
+    const merged = await resolveSecrets(provider, mergedSchema);
+    return {
+        provider,
+        framework: pickResolvedSecrets(merged, frameworkSecretSchema),
+        app: (appSchema
+            ? pickResolvedSecrets(merged, appSchema)
+            : null),
+        merged,
+    };
+}

package/dist/src/framework/secrets/resolveSecrets.d.ts

@@ -0,0 +1,18 @@
+/**
+ * Secret resolution — validates a SecretSchema against an ISecretRepository
+ * and returns a frozen, typed object of resolved secret values.
+ *
+ * Called once at startup before database connections are established.
+ */
+import type { ISecretRepository, ResolvedSecrets, SecretSchema } from '../../../packages/bunshot-core/src/index.js';
+/**
+ * Resolve all secrets declared in a schema from the given repository.
+ *
+ * 1. Calls repository.initialize() if present (batch prefetch).
+ * 2. Batch-fetches all declared paths via repository.getMany().
+ * 3. Validates required secrets are present, applies defaults.
+ * 4. Returns a frozen object keyed by schema field names.
+ *
+ * Throws at startup if a required secret is missing — fail-fast, not at first use.
+ */
+export declare function resolveSecrets<S extends SecretSchema>(repository: ISecretRepository, schema: S): Promise<ResolvedSecrets<S>>;

package/dist/src/framework/secrets/resolveSecrets.js

@@ -0,0 +1,34 @@
+/**
+ * Resolve all secrets declared in a schema from the given repository.
+ *
+ * 1. Calls repository.initialize() if present (batch prefetch).
+ * 2. Batch-fetches all declared paths via repository.getMany().
+ * 3. Validates required secrets are present, applies defaults.
+ * 4. Returns a frozen object keyed by schema field names.
+ *
+ * Throws at startup if a required secret is missing — fail-fast, not at first use.
+ */
+export async function resolveSecrets(repository, schema) {
+    await repository.initialize?.();
+    const paths = Object.values(schema).map(def => def.path);
+    const values = await repository.getMany(paths);
+    const result = {};
+    const missing = [];
+    for (const [name, def] of Object.entries(schema)) {
+        const value = values.get(def.path) ?? def.default;
+        const isRequired = def.required !== false;
+        if (value === undefined) {
+            if (isRequired) {
+                missing.push(`"${name}" (path: ${def.path})`);
+            }
+            result[name] = '';
+        }
+        else {
+            result[name] = value;
+        }
+    }
+    if (missing.length > 0) {
+        throw new Error(`[secrets] Missing required secrets: ${missing.join(', ')}`);
+    }
+    return Object.freeze(result);
+}

package/dist/src/framework/sse/index.d.ts

@@ -0,0 +1,21 @@
+import type { ClientSafeEventKey, SseClientData, SseFilter, UserResolver } from '../../../packages/bunshot-core/src/index.js';
+export type { SseClientData, SseFilter };
+export interface SseRegistry {
+    createClientStream<T extends object = object>(endpoint: string, client: SseClientData<T>, heartbeatMs: number | false): ReadableStream<Uint8Array>;
+    fanout(endpoint: string, key: ClientSafeEventKey, payload: unknown, filter: SseFilter<any> | undefined): void;
+    closeAll(): void;
+}
+export declare function createSseRegistry(): SseRegistry;
+/**
+ * Default SSE upgrade handler. Mirrors createWsUpgradeHandler() — resolves userId
+ * from cookie/token, returns SseClientData<T>. Never rejects on auth failure;
+ * unauthenticated connections get userId: null.
+ *
+ * Custom upgrade handlers can call this to build on the default flow and add extra fields:
+ *   const upgrade = createSseUpgradeHandler<{ tenantId: string }>(endpoint)
+ *   return async (req) => ({ ...await upgrade(req), tenantId: resolveTenant(req) })
+ *
+ * To reject connections, return a Response directly from your own upgrade function
+ * without calling this helper, or wrap and gate on the result.
+ */
+export declare function createSseUpgradeHandler<T extends object = object>(endpoint: string, userResolver?: UserResolver | null): (req: Request) => Promise<SseClientData<T>>;

package/dist/src/framework/sse/index.js

@@ -0,0 +1,109 @@
+import { resolveUserId } from '../lib/resolveUserId';
+export function createSseRegistry() {
+    const map = new Map();
+    const enc = new TextEncoder();
+    function evict(entry) {
+        entry.closeHeartbeat();
+        const clients = map.get(entry.data.endpoint);
+        if (clients) {
+            clients.delete(entry.data.id);
+            if (!clients.size)
+                map.delete(entry.data.endpoint);
+        }
+    }
+    function enqueue(entry, chunk) {
+        try {
+            entry.controller.enqueue(enc.encode(chunk));
+            return true;
+        }
+        catch {
+            evict(entry);
+            return false;
+        }
+    }
+    return {
+        createClientStream(endpoint, client, heartbeatMs) {
+            return new ReadableStream({
+                start(controller) {
+                    // Initial comment flushes intermediaries and makes smoke tests feel immediate
+                    try {
+                        controller.enqueue(enc.encode(': connected\n\n'));
+                    }
+                    catch { }
+                    let heartbeatTimer;
+                    const entry = {
+                        data: client,
+                        controller,
+                        closeHeartbeat: () => clearInterval(heartbeatTimer),
+                    };
+                    if (heartbeatMs !== false) {
+                        heartbeatTimer = setInterval(() => {
+                            if (!enqueue(entry, ': keep-alive\n\n'))
+                                clearInterval(heartbeatTimer);
+                        }, heartbeatMs);
+                    }
+                    if (!map.has(endpoint))
+                        map.set(endpoint, new Map());
+                    map.get(endpoint).set(client.id, entry);
+                },
+                cancel() {
+                    const entry = map.get(endpoint)?.get(client.id);
+                    if (!entry)
+                        return;
+                    evict(entry);
+                },
+            });
+        },
+        fanout(endpoint, key, payload, filter) {
+            const clients = map.get(endpoint);
+            if (!clients?.size)
+                return;
+            const text = `event: ${key}\ndata: ${JSON.stringify(payload)}\n\n`;
+            for (const entry of clients.values()) {
+                if (filter) {
+                    Promise.resolve(filter(entry.data, key, payload))
+                        .then(allow => {
+                        if (allow)
+                            enqueue(entry, text);
+                    })
+                        .catch(err => {
+                        console.error('[sse] filter error for client', entry.data.id, '(event dropped, not denied):', err);
+                    });
+                }
+                else {
+                    enqueue(entry, text);
+                }
+            }
+        },
+        closeAll() {
+            for (const clients of map.values()) {
+                for (const entry of clients.values()) {
+                    entry.closeHeartbeat();
+                    try {
+                        entry.controller.close();
+                    }
+                    catch { }
+                }
+            }
+            map.clear();
+        },
+    };
+}
+/**
+ * Default SSE upgrade handler. Mirrors createWsUpgradeHandler() — resolves userId
+ * from cookie/token, returns SseClientData<T>. Never rejects on auth failure;
+ * unauthenticated connections get userId: null.
+ *
+ * Custom upgrade handlers can call this to build on the default flow and add extra fields:
+ *   const upgrade = createSseUpgradeHandler<{ tenantId: string }>(endpoint)
+ *   return async (req) => ({ ...await upgrade(req), tenantId: resolveTenant(req) })
+ *
+ * To reject connections, return a Response directly from your own upgrade function
+ * without calling this helper, or wrap and gate on the result.
+ */
+export function createSseUpgradeHandler(endpoint, userResolver) {
+    return async (req) => {
+        const userId = await resolveUserId(req, userResolver ?? null);
+        return { id: crypto.randomUUID(), userId, endpoint };
+    };
+}

package/dist/src/framework/ws/index.d.ts

@@ -0,0 +1,11 @@
+import type { Server } from 'bun';
+import type { UserResolver } from '../../../packages/bunshot-core/src/index.js';
+export type SocketData<T extends object = object> = {
+    id: string;
+    userId: string | null;
+    rooms: Set<string>;
+    endpoint: string;
+} & T;
+type BaseSocketData = SocketData<object>;
+export declare const createWsUpgradeHandler: (server: Server<BaseSocketData>, endpoint: string, userResolver?: UserResolver | null) => (req: Request) => Promise<Response | undefined>;
+export {};

package/dist/src/framework/ws/index.js

@@ -0,0 +1,8 @@
+import { resolveUserId } from '../lib/resolveUserId';
+export const createWsUpgradeHandler = (server, endpoint, userResolver) => async (req) => {
+    const userId = await resolveUserId(req, userResolver ?? null);
+    const upgraded = server.upgrade(req, {
+        data: { id: crypto.randomUUID(), userId, rooms: new Set(), endpoint },
+    });
+    return upgraded ? undefined : Response.json({ error: 'Upgrade failed' }, { status: 400 });
+};

package/dist/src/index.d.ts

@@ -0,0 +1,87 @@
+export { createApp } from './app';
+export type { CreateAppResult } from './app';
+export { createServer } from './server';
+export type { BunshotContext, BunshotResolvedConfig, WsState, WsTransportHandle, ResolvedPersistence, } from '../packages/bunshot-core/src/index.js';
+export type { UploadRegistryRepository, WsMessageRepository } from '../packages/bunshot-core/src/index.js';
+export type { IdempotencyAdapter } from '../packages/bunshot-core/src/index.js';
+export { getContext, getContextOrNull } from '../packages/bunshot-core/src/index.js';
+export { getRedisFromApp } from './lib/redis';
+export type { RedisCredentials } from './lib/redis';
+export { getMongoFromApp, getMongooseModule } from './lib/mongo';
+export type { MongoCredentials } from './lib/mongo';
+export { createBunshotAdminPlugin } from './framework/admin/index';
+export type { BunshotAdminPluginConfig } from './framework/admin/index';
+export type { BunshotPlugin, StandalonePlugin, BunshotEventBus, BunshotEventMap, SecurityEventKey, } from '../packages/bunshot-core/src/index.js';
+export { createInProcessAdapter, SECURITY_EVENT_TYPES } from '../packages/bunshot-core/src/index.js';
+export { createAuthPlugin } from '../packages/bunshot-auth/src/index.js';
+export type { AuthPluginConfig, AuthDbConfig, AuthSecurityConfig, } from '../packages/bunshot-auth/src/index.js';
+export type { CreateAppConfig, ModelSchemasConfig, DbConfig, AppMeta, AuthConfig, AuthRateLimitConfig, AccountDeletionConfig, OAuthConfig, SecurityConfig, CsrfConfig, BotProtectionConfig, PrimaryField, EmailVerificationConfig, PasswordResetConfig, RefreshTokenConfig, MfaConfig, MfaEmailOtpConfig, MfaWebAuthnConfig, JobsConfig, TenancyConfig, TenantConfig, LoggingConfig, MetricsConfig, ValidationConfig, VersioningConfig, SigningConfig, JwtConfig, BreachedPasswordConfig, StepUpConfig, OidcConfig, SamlConfig, ScimConfig, MagicLinkConfig, } from './app';
+export type { CreateServerConfig, WsConfig, SseConfig, SseEndpointConfig } from './server';
+export type { SseClientData, SseFilter } from './framework/sse/index';
+export { createSseUpgradeHandler } from './framework/sse/index';
+export { HttpError, ValidationError } from '../packages/bunshot-core/src/index.js';
+export { COOKIE_TOKEN, HEADER_USER_TOKEN, COOKIE_REFRESH_TOKEN, HEADER_REFRESH_TOKEN, COOKIE_CSRF_TOKEN, HEADER_CSRF_TOKEN, HEADER_REQUEST_ID, HEADER_IDEMPOTENCY_KEY, HEADER_SIGNATURE, HEADER_TIMESTAMP, } from '../packages/bunshot-core/src/index.js';
+export { createRouter } from '../packages/bunshot-core/src/index.js';
+export { createRoute, withSecurity, registerSchema, registerSchemas, } from './framework/lib/createRoute';
+export { zodToMongoose } from './framework/lib/zodToMongoose';
+export type { ZodToMongooseConfig, ZodToMongooseRefConfig } from './framework/lib/zodToMongoose';
+export { createDtoMapper } from './framework/lib/createDtoMapper';
+export type { DtoMapperConfig } from './framework/lib/createDtoMapper';
+export type { AppEnv, AppVariables, ValidationErrorFormatter, DefaultValidationErrorBody, ValidationErrorDetail, } from '../packages/bunshot-core/src/index.js';
+export { defaultValidationErrorFormatter } from '../packages/bunshot-core/src/index.js';
+export { timingSafeEqual, sha256 } from '../packages/bunshot-core/src/index.js';
+export { hmacSign, hmacVerify, signCookieValue, verifyCookieValue, signCursor, verifyCursor, createPresignedUrl, verifyPresignedUrl, } from './lib/signing';
+export { log } from './framework/lib/logger';
+export { validate } from './framework/lib/validate';
+export { getClientIp } from '../packages/bunshot-core/src/index.js';
+export { idempotent } from './framework/lib/idempotency';
+export type { IdempotencyOptions } from './framework/lib/idempotency';
+export { botProtection } from './framework/middleware/botProtection';
+export type { BotProtectionOptions } from './framework/middleware/botProtection';
+export { rateLimit } from './framework/middleware/rateLimit';
+export type { RateLimitOptions } from './framework/middleware/rateLimit';
+export { cacheResponse, bustCache, bustCachePattern } from './framework/middleware/cacheResponse';
+export { webhookAuth } from './framework/middleware/webhookAuth';
+export type { WebhookAuthOptions, WebhookTimestampOptions, } from './framework/middleware/webhookAuth';
+export { requireSignedRequest } from './framework/middleware/requestSigning';
+export type { RequestSigningOptions } from './framework/middleware/requestSigning';
+export { auditLog } from './framework/middleware/auditLog';
+export type { AuditLogMiddlewareOptions } from './framework/middleware/auditLog';
+export { requestId } from './framework/middleware/requestId';
+export { requestLogger } from './framework/middleware/requestLogger';
+export type { RequestLogEntry, RequestLoggerOptions, LogLevel, } from './framework/middleware/requestLogger';
+export { metricsCollector } from './framework/middleware/metrics';
+export type { MetricsMiddlewareOptions } from './framework/middleware/metrics';
+export { requireCaptcha } from './framework/middleware/captcha';
+export type { CaptchaConfig, CaptchaProvider } from './framework/lib/captcha';
+export { createAuditLogProvider } from './framework/lib/auditLog';
+export { createMetricsState, incrementCounter, observeHistogram, registerGaugeCallback, serializeMetrics, closeMetricsQueues, } from './framework/lib/metrics';
+export type { AuditLogEntry } from '../packages/bunshot-core/src/index.js';
+export type { AuditLogOptions, AuditLogQuery } from './framework/lib/auditLog';
+export { createWsUpgradeHandler } from './framework/ws/index';
+export type { SocketData } from './framework/ws/index';
+export { publish, getSubscriptions, getRooms, getRoomSubscribers } from './framework/lib/ws';
+export type { WsTransportAdapter } from './framework/lib/wsTransport';
+export { InMemoryTransport } from './framework/lib/wsTransport';
+export { createRedisTransport } from './framework/lib/redisTransport';
+export type { RedisTransportOptions } from './framework/lib/redisTransport';
+export type { HeartbeatConfig } from './framework/lib/wsHeartbeat';
+export { getRoomPresence, getUserPresence } from './framework/lib/wsPresence';
+export { createTenantService } from './framework/lib/tenant';
+export type { TenantInfo, CreateTenantOptions, TenantService } from './framework/lib/tenant';
+export { invalidateTenantCache } from './framework/middleware/tenant';
+export { offsetParams, parseOffsetParams, paginatedResponse, cursorParams, parseCursorParams, cursorResponse, maybeSignCursor, } from './framework/lib/pagination';
+export type { OffsetParamDefaults, ParsedOffsetParams, CursorParamDefaults, ParsedCursorParams, CursorResult, } from './framework/lib/pagination';
+export { handleUpload } from './framework/middleware/upload';
+export type { UploadMiddlewareOptions } from './framework/middleware/upload';
+export { parseUpload } from './framework/lib/upload';
+export type { UploadOpts } from './framework/lib/upload';
+export { registerUpload, getUploadRecord, deleteUploadRecord, } from './framework/lib/uploadRegistry';
+export type { UploadRecord } from './framework/lib/uploadRegistry';
+export type { StorageAdapter, UploadResult } from './framework/lib/storageAdapter';
+export type { UploadConfig, PresignedUrlConfig } from './app';
+export { memoryStorage } from './framework/adapters/memoryStorage';
+export { localStorage } from './framework/adapters/localStorage';
+export type { LocalStorageConfig } from './framework/adapters/localStorage';
+export { s3Storage } from './framework/adapters/s3Storage';
+export type { S3StorageConfig } from './framework/adapters/s3Storage';

package/dist/src/index.js

@@ -0,0 +1,58 @@
+// App factory
+export { createApp } from './app';
+export { createServer } from './server';
+export { getContext, getContextOrNull } from '../packages/bunshot-core/src/index.js';
+export { getRedisFromApp } from './lib/redis';
+export { getMongoFromApp, getMongooseModule } from './lib/mongo';
+// Admin — framework convenience wrapper (bunshot-auth-backed defaults)
+export { createBunshotAdminPlugin } from './framework/admin/index';
+export { createInProcessAdapter, SECURITY_EVENT_TYPES } from '../packages/bunshot-core/src/index.js';
+export { createAuthPlugin } from '../packages/bunshot-auth/src/index.js';
+export { createSseUpgradeHandler } from './framework/sse/index';
+// Core utilities
+export { HttpError, ValidationError } from '../packages/bunshot-core/src/index.js';
+export { COOKIE_TOKEN, HEADER_USER_TOKEN, COOKIE_REFRESH_TOKEN, HEADER_REFRESH_TOKEN, COOKIE_CSRF_TOKEN, HEADER_CSRF_TOKEN, HEADER_REQUEST_ID, HEADER_IDEMPOTENCY_KEY, HEADER_SIGNATURE, HEADER_TIMESTAMP, } from '../packages/bunshot-core/src/index.js';
+export { createRouter } from '../packages/bunshot-core/src/index.js';
+export { createRoute, withSecurity, registerSchema, registerSchemas, } from './framework/lib/createRoute';
+export { zodToMongoose } from './framework/lib/zodToMongoose';
+export { createDtoMapper } from './framework/lib/createDtoMapper';
+export { defaultValidationErrorFormatter } from '../packages/bunshot-core/src/index.js';
+export { timingSafeEqual, sha256 } from '../packages/bunshot-core/src/index.js';
+export { hmacSign, hmacVerify, signCookieValue, verifyCookieValue, signCursor, verifyCursor, createPresignedUrl, verifyPresignedUrl, } from './lib/signing';
+export { log } from './framework/lib/logger';
+export { validate } from './framework/lib/validate';
+export { getClientIp } from '../packages/bunshot-core/src/index.js';
+// Framework middleware
+export { idempotent } from './framework/lib/idempotency';
+export { botProtection } from './framework/middleware/botProtection';
+export { rateLimit } from './framework/middleware/rateLimit';
+export { cacheResponse, bustCache, bustCachePattern } from './framework/middleware/cacheResponse';
+export { webhookAuth } from './framework/middleware/webhookAuth';
+export { requireSignedRequest } from './framework/middleware/requestSigning';
+export { auditLog } from './framework/middleware/auditLog';
+export { requestId } from './framework/middleware/requestId';
+export { requestLogger } from './framework/middleware/requestLogger';
+export { metricsCollector } from './framework/middleware/metrics';
+export { requireCaptcha } from './framework/middleware/captcha';
+// Audit log
+export { createAuditLogProvider } from './framework/lib/auditLog';
+export { createMetricsState, incrementCounter, observeHistogram, registerGaugeCallback, serializeMetrics, closeMetricsQueues, } from './framework/lib/metrics';
+// WebSocket — consumer API
+export { createWsUpgradeHandler } from './framework/ws/index';
+export { publish, getSubscriptions, getRooms, getRoomSubscribers } from './framework/lib/ws';
+export { InMemoryTransport } from './framework/lib/wsTransport';
+export { createRedisTransport } from './framework/lib/redisTransport';
+// WebSocket — Presence (consumer API)
+export { getRoomPresence, getUserPresence } from './framework/lib/wsPresence';
+// Tenancy
+export { createTenantService } from './framework/lib/tenant';
+export { invalidateTenantCache } from './framework/middleware/tenant';
+// Pagination helpers
+export { offsetParams, parseOffsetParams, paginatedResponse, cursorParams, parseCursorParams, cursorResponse, maybeSignCursor, } from './framework/lib/pagination';
+// Upload — consumer API
+export { handleUpload } from './framework/middleware/upload';
+export { parseUpload } from './framework/lib/upload';
+export { registerUpload, getUploadRecord, deleteUploadRecord, } from './framework/lib/uploadRegistry';
+export { memoryStorage } from './framework/adapters/memoryStorage';
+export { localStorage } from './framework/adapters/localStorage';
+export { s3Storage } from './framework/adapters/s3Storage';

package/dist/src/lib/appConfig.d.ts

@@ -0,0 +1,7 @@
+/** Deep-freeze an object and all nested objects. */
+export declare function deepFreeze<T extends object>(obj: T): Readonly<T>;
+/**
+ * Context-aware app name getter. Returns the instance-scoped app name from
+ * BunshotContext. Throws if no BunshotContext is attached to the app.
+ */
+export declare const getAppNameFromApp: (app: object) => string;

package/dist/src/lib/appConfig.js

@@ -0,0 +1,27 @@
+// Framework-only runtime configuration — context-aware access only.
+// Auth-specific config (primary field, MFA, sessions, JWT, etc.) lives in authConfig.ts.
+//
+// Phase 1 singleton elimination: all module-level mutable state removed.
+// App name, roles, and default role are available on BunshotContext.config.
+import { getContext } from '../../packages/bunshot-core/src/index.js';
+/** Deep-freeze an object and all nested objects. */
+export function deepFreeze(obj) {
+    Object.freeze(obj);
+    for (const value of Object.values(obj)) {
+        if (value !== null && typeof value === 'object' && !Object.isFrozen(value)) {
+            deepFreeze(value);
+        }
+    }
+    return obj;
+}
+// ---------------------------------------------------------------------------
+// Context-aware getters
+// ---------------------------------------------------------------------------
+/**
+ * Context-aware app name getter. Returns the instance-scoped app name from
+ * BunshotContext. Throws if no BunshotContext is attached to the app.
+ */
+export const getAppNameFromApp = (app) => {
+    const ctx = getContext(app);
+    return ctx.config.appName;
+};