@lastshotlabs/bunshot 0.0.27 → 0.0.28

package/dist/entrypoints/redis.js

@@ -1 +0,0 @@
-export { connectRedis, disconnectRedis, getRedis } from "../lib/redis";

package/dist/index.d.ts

@@ -1,117 +0,0 @@
-export { createApp } from "./app";
-export { createServer } from "./server";
-export type { SecurityEvent, SecurityEventType, SecurityEventConfig } from "./lib/securityEvents";
-export { emitSecurityEvent, setSecurityEventConfig, getSecurityEventConfig } from "./lib/securityEvents";
-export type { CreateAppConfig, ModelSchemasConfig, DbConfig, AppMeta, AuthConfig, AuthRateLimitConfig, AccountDeletionConfig, OAuthConfig, SecurityConfig, CsrfConfig, BotProtectionConfig, PrimaryField, EmailVerificationConfig, PasswordResetConfig, RefreshTokenConfig, MfaConfig, MfaEmailOtpConfig, MfaWebAuthnConfig, JobsConfig, TenancyConfig, TenantConfig, LoggingConfig, MetricsConfig, ValidationConfig, VersioningConfig, SigningConfig, JwtConfig, BreachedPasswordConfig, StepUpConfig, OidcConfig, SamlConfig, ScimConfig } from "./app";
-export { setScimTokens } from "./middleware/scimAuth";
-export type { PasswordPolicyConfig } from "./lib/appConfig";
-export type { SamlProfile } from "./lib/saml";
-export type { CreateServerConfig, WsConfig } from "./server";
-export { appConnection, authConnection, mongoose, connectMongo, connectAuthMongo, connectAppMongo, disconnectMongo } from "./lib/mongo";
-export { connectRedis, disconnectRedis, getRedis } from "./lib/redis";
-export { getAppRoles } from "./lib/appConfig";
-export { HttpError, ValidationError } from "./lib/HttpError";
-export { COOKIE_TOKEN, HEADER_USER_TOKEN, COOKIE_REFRESH_TOKEN, HEADER_REFRESH_TOKEN, COOKIE_CSRF_TOKEN, HEADER_CSRF_TOKEN, HEADER_REQUEST_ID, HEADER_IDEMPOTENCY_KEY, HEADER_SIGNATURE, HEADER_TIMESTAMP } from "./lib/constants";
-export { createRouter } from "./lib/context";
-export { createRoute, withSecurity, registerSchema, registerSchemas, setVersionPrefix, clearVersionPrefix } from "./lib/createRoute";
-export { stripUnreferencedSchemas } from "./lib/stripUnreferencedSchemas";
-export { zodToMongoose } from "./lib/zodToMongoose";
-export type { ZodToMongooseConfig, ZodToMongooseRefConfig } from "./lib/zodToMongoose";
-export { createDtoMapper } from "./lib/createDtoMapper";
-export type { DtoMapperConfig } from "./lib/createDtoMapper";
-export type { AppEnv, AppVariables, ValidationErrorFormatter, DefaultValidationErrorBody, ValidationErrorDetail } from "./lib/context";
-export { defaultValidationErrorFormatter } from "./lib/context";
-export { signToken, verifyToken } from "./lib/jwt";
-export { getJwks, loadJwksKey, generateAndLoadKeyPair, isJwksLoaded } from "./lib/jwks";
-export { log } from "./lib/logger";
-export { createResetToken, consumeResetToken, setPasswordResetStore } from "./lib/resetPassword";
-export { createDeletionCancelToken, consumeDeletionCancelToken, setDeletionCancelTokenStore } from "./lib/deletionCancelToken";
-export { timingSafeEqual, sha256 } from "./lib/crypto";
-export { hmacSign, hmacVerify, signCookieValue, verifyCookieValue, signCursor, verifyCursor, createPresignedUrl, verifyPresignedUrl } from "./lib/signing";
-export { idempotent, setIdempotencyStore, clearIdempotencyMemoryStore } from "./lib/idempotency";
-export type { IdempotencyOptions } from "./lib/idempotency";
-export { getClientIp, setTrustProxy } from "./lib/clientIp";
-export { storeOAuthCode, consumeOAuthCode, setOAuthCodeStore } from "./lib/oauthCode";
-export type { OAuthCodePayload } from "./lib/oauthCode";
-export { createSession, getSession, deleteSession, getUserSessions, getActiveSessionCount, evictOldestSession, updateSessionLastActive, setSessionStore, deleteUserSessions, setRefreshToken, getSessionByRefreshToken, rotateRefreshToken, getSessionFingerprint, setSessionFingerprint, setMfaVerifiedAt, getMfaVerifiedAt } from "./lib/session";
-export type { SessionMetadata, SessionInfo, RefreshResult } from "./lib/session";
-export { createVerificationToken, getVerificationToken, deleteVerificationToken } from "./lib/emailVerification";
-export { createMfaChallenge, consumeMfaChallenge, replaceMfaChallengeOtp, setMfaChallengeStore, createWebAuthnRegistrationChallenge, consumeWebAuthnRegistrationChallenge, clearMemoryMfaChallenges } from "./lib/mfaChallenge";
-export type { MfaChallengeData, MfaChallengeOptions, MfaChallengePurpose } from "./lib/mfaChallenge";
-export { bustAuthLimit, trackAttempt, isLimited, clearMemoryRateLimitStore } from "./lib/authRateLimit";
-export type { LimitOpts } from "./lib/authRateLimit";
-export { trackFailedLogin, isStuffingBlocked, setCredentialStuffingConfig, clearCredentialStuffingStore } from "./lib/credentialStuffing";
-export type { CredentialStuffingConfig } from "./lib/credentialStuffing";
-export { validate } from "./lib/validate";
-export { bearerAuth } from "./middleware/bearerAuth";
-export { botProtection } from "./middleware/botProtection";
-export type { BotProtectionOptions } from "./middleware/botProtection";
-export { identify } from "./middleware/identify";
-export { rateLimit } from "./middleware/rateLimit";
-export type { RateLimitOptions } from "./middleware/rateLimit";
-export { userAuth } from "./middleware/userAuth";
-export { requireRole } from "./middleware/requireRole";
-export { requireVerifiedEmail } from "./middleware/requireVerifiedEmail";
-export { requireMfaSetup } from "./middleware/requireMfaSetup";
-export { requireStepUp } from "./middleware/requireStepUp";
-export type { StepUpOptions } from "./middleware/requireStepUp";
-export { csrfProtection, refreshCsrfToken, clearCsrfToken } from "./middleware/csrf";
-export type { CsrfMiddlewareOptions } from "./middleware/csrf";
-export { cacheResponse, bustCache, bustCachePattern, setCacheStore, getCacheModel } from "./middleware/cacheResponse";
-export { webhookAuth } from "./middleware/webhookAuth";
-export type { WebhookAuthOptions, WebhookTimestampOptions } from "./middleware/webhookAuth";
-export { requireSignedRequest } from "./middleware/requestSigning";
-export type { RequestSigningOptions } from "./middleware/requestSigning";
-export { auditLog } from "./middleware/auditLog";
-export type { AuditLogMiddlewareOptions } from "./middleware/auditLog";
-export { requestId } from "./middleware/requestId";
-export { requestLogger } from "./middleware/requestLogger";
-export type { RequestLogEntry, RequestLoggerOptions, LogLevel } from "./middleware/requestLogger";
-export { metricsCollector } from "./middleware/metrics";
-export type { MetricsMiddlewareOptions } from "./middleware/metrics";
-export { requireCaptcha } from "./middleware/captcha";
-export type { CaptchaConfig, CaptchaProvider } from "./lib/captcha";
-export { verifyCaptcha } from "./lib/captcha";
-export { requireScope } from "./middleware/requireScope";
-export { createM2MClient, deleteM2MClient, listM2MClients, getM2MClient } from "./lib/m2m";
-export type { M2MClientRecord } from "./lib/authAdapter";
-export type { M2MConfig } from "./lib/appConfig";
-export { buildFingerprint } from "./lib/fingerprint";
-export { logAuditEntry, getAuditLogs, clearAuditLogMemoryStore } from "./lib/auditLog";
-export { resetMetrics, incrementCounter, observeHistogram, registerGaugeCallback, serializeMetrics, closeMetricsQueues } from "./lib/metrics";
-export type { AuditLogEntry, AuditLogOptions, AuditLogQuery } from "./lib/auditLog";
-export { sqliteAuthAdapter, setSqliteDb, startSqliteCleanup } from "./adapters/sqliteAuth";
-export { memoryAuthAdapter, clearMemoryStore } from "./adapters/memoryAuth";
-export { setUserRoles, addUserRole, removeUserRole, getTenantRoles, setTenantRoles, addTenantRole, removeTenantRole } from "./lib/roles";
-export { setSuspended, getSuspended } from "./lib/suspension";
-export type { AuthAdapter, OAuthProfile, IdentityProfile, UserRecord, UserQuery, WebAuthnCredential } from "./lib/authAdapter";
-export type { OAuthProviderConfig } from "./lib/oauth";
-export { websocket, createWsUpgradeHandler } from "./ws/index";
-export type { SocketData } from "./ws/index";
-export { publish, subscribe, unsubscribe, getSubscriptions, handleRoomActions, getRooms, getRoomSubscribers, setPresenceEnabled } from "./lib/ws";
-export { registerSocket, deregisterSocket, handlePong, startHeartbeat, stopHeartbeat, clearHeartbeatState } from "./lib/wsHeartbeat";
-export type { HeartbeatConfig } from "./lib/wsHeartbeat";
-export { trackSocket, untrackSocket, addPresence, removePresence, cleanupPresence, getRoomPresence, getUserPresence, clearPresenceStore } from "./lib/wsPresence";
-export { persistMessage, getMessageHistory, configureRoom, setWsMessageStore, setWsMessageDefaults, clearWsMessageMemoryStore } from "./lib/wsMessages";
-export type { StoredMessage, WsMessageStore, WsMessageDefaults, RoomPersistenceConfig } from "./lib/wsMessages";
-export { createTenant, deleteTenant, getTenant, listTenants } from "./lib/tenant";
-export type { TenantInfo, CreateTenantOptions } from "./lib/tenant";
-export { invalidateTenantCache } from "./middleware/tenant";
-export { createGroup, deleteGroup, getGroup, listGroups, updateGroup, addGroupMember, updateGroupMembership, removeGroupMember, getGroupMembers, getUserGroups, getEffectiveRoles, } from "./lib/groups";
-export type { GroupRecord, GroupMembershipRecord, PaginationOpts, PaginatedResult } from "./lib/groups";
-export type { GroupsConfig, GroupsManagementConfig } from "./routes/groups";
-export { offsetParams, parseOffsetParams, paginatedResponse, cursorParams, parseCursorParams, cursorResponse, maybeSignCursor, } from "./lib/pagination";
-export type { OffsetParamDefaults, ParsedOffsetParams, CursorParamDefaults, ParsedCursorParams, CursorResult, } from "./lib/pagination";
-export { handleUpload } from "./middleware/upload";
-export type { UploadMiddlewareOptions } from "./middleware/upload";
-export { parseUpload, setStorageAdapter, getStorageAdapter, setUploadConfig, getUploadConfig, generateUploadKeyFromFilename } from "./lib/upload";
-export type { UploadOpts } from "./lib/upload";
-export { setUploadRegistryStore, clearUploadRegistry, registerUpload, getUploadRecord, deleteUploadRecord } from "./lib/uploadRegistry";
-export type { UploadRecord } from "./lib/uploadRegistry";
-export type { StorageAdapter, UploadResult } from "./lib/storageAdapter";
-export type { UploadConfig, PresignedUrlConfig } from "./app";
-export { memoryStorage, clearMemoryUploadStore } from "./adapters/memoryStorage";
-export { localStorage } from "./adapters/localStorage";
-export type { LocalStorageConfig } from "./adapters/localStorage";
-export { s3Storage } from "./adapters/s3Storage";
-export type { S3StorageConfig } from "./adapters/s3Storage";

package/dist/index.js

@@ -1,88 +0,0 @@
-// App factory
-export { createApp } from "./app";
-export { createServer } from "./server";
-export { emitSecurityEvent, setSecurityEventConfig, getSecurityEventConfig } from "./lib/securityEvents";
-export { setScimTokens } from "./middleware/scimAuth";
-// Database
-export { appConnection, authConnection, mongoose, connectMongo, connectAuthMongo, connectAppMongo, disconnectMongo } from "./lib/mongo";
-export { connectRedis, disconnectRedis, getRedis } from "./lib/redis";
-// Lib utilities
-export { getAppRoles } from "./lib/appConfig";
-export { HttpError, ValidationError } from "./lib/HttpError";
-export { COOKIE_TOKEN, HEADER_USER_TOKEN, COOKIE_REFRESH_TOKEN, HEADER_REFRESH_TOKEN, COOKIE_CSRF_TOKEN, HEADER_CSRF_TOKEN, HEADER_REQUEST_ID, HEADER_IDEMPOTENCY_KEY, HEADER_SIGNATURE, HEADER_TIMESTAMP } from "./lib/constants";
-export { createRouter } from "./lib/context";
-export { createRoute, withSecurity, registerSchema, registerSchemas, setVersionPrefix, clearVersionPrefix } from "./lib/createRoute";
-export { stripUnreferencedSchemas } from "./lib/stripUnreferencedSchemas";
-export { zodToMongoose } from "./lib/zodToMongoose";
-export { createDtoMapper } from "./lib/createDtoMapper";
-export { defaultValidationErrorFormatter } from "./lib/context";
-export { signToken, verifyToken } from "./lib/jwt";
-export { getJwks, loadJwksKey, generateAndLoadKeyPair, isJwksLoaded } from "./lib/jwks";
-export { log } from "./lib/logger";
-export { createResetToken, consumeResetToken, setPasswordResetStore } from "./lib/resetPassword";
-export { createDeletionCancelToken, consumeDeletionCancelToken, setDeletionCancelTokenStore } from "./lib/deletionCancelToken";
-export { timingSafeEqual, sha256 } from "./lib/crypto";
-export { hmacSign, hmacVerify, signCookieValue, verifyCookieValue, signCursor, verifyCursor, createPresignedUrl, verifyPresignedUrl } from "./lib/signing";
-export { idempotent, setIdempotencyStore, clearIdempotencyMemoryStore } from "./lib/idempotency";
-export { getClientIp, setTrustProxy } from "./lib/clientIp";
-export { storeOAuthCode, consumeOAuthCode, setOAuthCodeStore } from "./lib/oauthCode";
-export { createSession, getSession, deleteSession, getUserSessions, getActiveSessionCount, evictOldestSession, updateSessionLastActive, setSessionStore, deleteUserSessions, setRefreshToken, getSessionByRefreshToken, rotateRefreshToken, getSessionFingerprint, setSessionFingerprint, setMfaVerifiedAt, getMfaVerifiedAt } from "./lib/session";
-export { createVerificationToken, getVerificationToken, deleteVerificationToken } from "./lib/emailVerification";
-export { createMfaChallenge, consumeMfaChallenge, replaceMfaChallengeOtp, setMfaChallengeStore, createWebAuthnRegistrationChallenge, consumeWebAuthnRegistrationChallenge, clearMemoryMfaChallenges } from "./lib/mfaChallenge";
-export { bustAuthLimit, trackAttempt, isLimited, clearMemoryRateLimitStore } from "./lib/authRateLimit";
-export { trackFailedLogin, isStuffingBlocked, setCredentialStuffingConfig, clearCredentialStuffingStore } from "./lib/credentialStuffing";
-export { validate } from "./lib/validate";
-// Middleware
-export { bearerAuth } from "./middleware/bearerAuth";
-export { botProtection } from "./middleware/botProtection";
-export { identify } from "./middleware/identify";
-export { rateLimit } from "./middleware/rateLimit";
-export { userAuth } from "./middleware/userAuth";
-export { requireRole } from "./middleware/requireRole";
-export { requireVerifiedEmail } from "./middleware/requireVerifiedEmail";
-export { requireMfaSetup } from "./middleware/requireMfaSetup";
-export { requireStepUp } from "./middleware/requireStepUp";
-export { csrfProtection, refreshCsrfToken, clearCsrfToken } from "./middleware/csrf";
-export { cacheResponse, bustCache, bustCachePattern, setCacheStore, getCacheModel } from "./middleware/cacheResponse";
-export { webhookAuth } from "./middleware/webhookAuth";
-export { requireSignedRequest } from "./middleware/requestSigning";
-export { auditLog } from "./middleware/auditLog";
-export { requestId } from "./middleware/requestId";
-export { requestLogger } from "./middleware/requestLogger";
-export { metricsCollector } from "./middleware/metrics";
-export { requireCaptcha } from "./middleware/captcha";
-export { verifyCaptcha } from "./lib/captcha";
-export { requireScope } from "./middleware/requireScope";
-export { createM2MClient, deleteM2MClient, listM2MClients, getM2MClient } from "./lib/m2m";
-// Lib utilities (bot protection)
-export { buildFingerprint } from "./lib/fingerprint";
-export { logAuditEntry, getAuditLogs, clearAuditLogMemoryStore } from "./lib/auditLog";
-export { resetMetrics, incrementCounter, observeHistogram, registerGaugeCallback, serializeMetrics, closeMetricsQueues } from "./lib/metrics";
-// Models
-export { sqliteAuthAdapter, setSqliteDb, startSqliteCleanup } from "./adapters/sqliteAuth";
-export { memoryAuthAdapter, clearMemoryStore } from "./adapters/memoryAuth";
-export { setUserRoles, addUserRole, removeUserRole, getTenantRoles, setTenantRoles, addTenantRole, removeTenantRole } from "./lib/roles";
-export { setSuspended, getSuspended } from "./lib/suspension";
-// WebSocket
-export { websocket, createWsUpgradeHandler } from "./ws/index";
-export { publish, subscribe, unsubscribe, getSubscriptions, handleRoomActions, getRooms, getRoomSubscribers, setPresenceEnabled } from "./lib/ws";
-// WebSocket — Heartbeat
-export { registerSocket, deregisterSocket, handlePong, startHeartbeat, stopHeartbeat, clearHeartbeatState } from "./lib/wsHeartbeat";
-// WebSocket — Presence
-export { trackSocket, untrackSocket, addPresence, removePresence, cleanupPresence, getRoomPresence, getUserPresence, clearPresenceStore } from "./lib/wsPresence";
-// WebSocket — Message Persistence
-export { persistMessage, getMessageHistory, configureRoom, setWsMessageStore, setWsMessageDefaults, clearWsMessageMemoryStore } from "./lib/wsMessages";
-// Tenancy
-export { createTenant, deleteTenant, getTenant, listTenants } from "./lib/tenant";
-export { invalidateTenantCache } from "./middleware/tenant";
-// Groups
-export { createGroup, deleteGroup, getGroup, listGroups, updateGroup, addGroupMember, updateGroupMembership, removeGroupMember, getGroupMembers, getUserGroups, getEffectiveRoles, } from "./lib/groups";
-// Pagination helpers
-export { offsetParams, parseOffsetParams, paginatedResponse, cursorParams, parseCursorParams, cursorResponse, maybeSignCursor, } from "./lib/pagination";
-// Upload
-export { handleUpload } from "./middleware/upload";
-export { parseUpload, setStorageAdapter, getStorageAdapter, setUploadConfig, getUploadConfig, generateUploadKeyFromFilename } from "./lib/upload";
-export { setUploadRegistryStore, clearUploadRegistry, registerUpload, getUploadRecord, deleteUploadRecord } from "./lib/uploadRegistry";
-export { memoryStorage, clearMemoryUploadStore } from "./adapters/memoryStorage";
-export { localStorage } from "./adapters/localStorage";
-export { s3Storage } from "./adapters/s3Storage";

package/dist/lib/appConfig.d.ts

@@ -1,275 +0,0 @@
-export type PrimaryField = "email" | "username" | "phone";
-export interface EmailVerificationConfig {
-    /** Block login until email is verified. Defaults to false (soft gate — emailVerified returned in login response). */
-    required?: boolean;
-    /** Token time-to-live in seconds. Defaults to 86 400 (24 hours). */
-    tokenExpiry?: number;
-    /** Called after registration with the identifier and verification token. Use to send the email. */
-    onSend: (email: string, token: string) => Promise<void>;
-}
-export interface PasswordResetConfig {
-    /** Token time-to-live in seconds. Defaults to 3 600 (1 hour). */
-    tokenExpiry?: number;
-    /** Called with the user's email and the reset token. Use to send the reset email. */
-    onSend: (email: string, token: string) => Promise<void>;
-}
-export interface PasswordPolicyConfig {
-    /** Minimum password length. Defaults to 8. */
-    minLength?: number;
-    /** Require at least one letter (a–z or A–Z). Defaults to true. */
-    requireLetter?: boolean;
-    /** Require at least one digit (0–9). Defaults to true. */
-    requireDigit?: boolean;
-    /** Require at least one special character. Defaults to false. */
-    requireSpecial?: boolean;
-}
-export declare const setAppName: (name: string) => void;
-export declare const getAppName: () => string;
-export declare const setAppRoles: (roles: string[]) => void;
-export declare const getAppRoles: () => string[];
-export declare const setDefaultRole: (role: string | null) => void;
-export declare const getDefaultRole: () => string | null;
-export declare const setPrimaryField: (field: PrimaryField) => void;
-export declare const getPrimaryField: () => PrimaryField;
-export declare const setEmailVerificationConfig: (config: EmailVerificationConfig | null) => void;
-export declare const getEmailVerificationConfig: () => EmailVerificationConfig | null;
-export declare const getTokenExpiry: () => number;
-export declare const setPasswordResetConfig: (config: PasswordResetConfig | null) => void;
-export declare const getPasswordResetConfig: () => PasswordResetConfig | null;
-export declare const setPasswordPolicy: (config: PasswordPolicyConfig) => void;
-export declare const getPasswordPolicy: () => PasswordPolicyConfig;
-export declare const getResetTokenExpiry: () => number;
-export declare const setMaxSessions: (n: number) => void;
-export declare const getMaxSessions: () => number;
-export declare const setPersistSessionMetadata: (v: boolean) => void;
-export declare const getPersistSessionMetadata: () => boolean;
-export declare const setIncludeInactiveSessions: (v: boolean) => void;
-export declare const getIncludeInactiveSessions: () => boolean;
-export declare const setTrackLastActive: (v: boolean) => void;
-export declare const getTrackLastActive: () => boolean;
-export interface RefreshTokenConfig {
-    /** Access token expiry in seconds. Default: 900 (15 min). */
-    accessTokenExpiry?: number;
-    /** Refresh token expiry in seconds. Default: 2_592_000 (30 days). */
-    refreshTokenExpiry?: number;
-    /** Grace window in seconds where the old refresh token still works after rotation.
-     *  Prevents lockout when the client's network drops mid-refresh. Default: 30. */
-    rotationGraceSeconds?: number;
-}
-export declare const setRefreshTokenConfig: (config: RefreshTokenConfig | null) => void;
-export declare const getRefreshTokenConfig: () => RefreshTokenConfig | null;
-export declare const getAccessTokenExpiry: () => number;
-export declare const getRefreshTokenExpiry: () => number;
-export declare const getRotationGraceSeconds: () => number;
-export interface MfaEmailOtpConfig {
-    /** Called with the user's email and the OTP code. Use to send the email. */
-    onSend: (email: string, code: string) => Promise<void>;
-    /** OTP code length. Default: 6. */
-    codeLength?: number;
-}
-export interface MfaWebAuthnConfig {
-    /** Relying Party ID — typically the domain (e.g. "example.com"). Required. */
-    rpId: string;
-    /** Relying Party name shown in browser prompts. Defaults to app name. */
-    rpName?: string;
-    /** Expected origin(s) — full origin URL(s) like "https://example.com". Required. */
-    origin: string | string[];
-    /** Supported attestation conveyance preference. Default: "none". */
-    attestationType?: "none" | "direct" | "enterprise";
-    /** Authenticator attachment preference. Default: undefined (allows both platform + cross-platform). */
-    authenticatorAttachment?: "platform" | "cross-platform";
-    /** User verification requirement. Default: "preferred". */
-    userVerification?: "required" | "preferred" | "discouraged";
-    /** Timeout for ceremonies in milliseconds. Default: 60000 (60s). */
-    timeout?: number;
-    /** Reject authentication when sign count goes backward (cloned key detection). Default: false (accept + warn). */
-    strictSignCount?: boolean;
-    /** Allow passwordless (first-factor) passkey login. When true, mounts POST /auth/passkey/login-options and POST /auth/passkey/login. Default: false. */
-    allowPasswordlessLogin?: boolean;
-    /** When true (default), a verified passkey login satisfies MFA — no subsequent TOTP/OTP prompt even if the user has MFA enabled. Set false to require MFA after passkey login. */
-    passkeyMfaBypass?: boolean;
-}
-export interface MfaConfig {
-    /** Issuer name shown in authenticator apps. Defaults to app name. */
-    issuer?: string;
-    /** TOTP algorithm. Default: "SHA1" (most compatible). */
-    algorithm?: "SHA1" | "SHA256" | "SHA512";
-    /** TOTP digits. Default: 6. */
-    digits?: number;
-    /** TOTP period in seconds. Default: 30. */
-    period?: number;
-    /** Number of recovery codes to generate. Default: 10. */
-    recoveryCodes?: number;
-    /** MFA challenge window in seconds. Default: 300 (5 min). */
-    challengeTtlSeconds?: number;
-    /** Email OTP configuration. When set, enables email-based MFA as an option. */
-    emailOtp?: MfaEmailOtpConfig;
-    /** WebAuthn/FIDO2 configuration. When set, enables security key MFA routes. */
-    webauthn?: MfaWebAuthnConfig;
-    /** When true, authenticated users must complete MFA setup before accessing non-auth endpoints. Default: false. */
-    required?: boolean;
-}
-export declare const setMfaConfig: (config: MfaConfig | null) => void;
-export declare const getMfaConfig: () => MfaConfig | null;
-export declare const getMfaIssuer: () => string;
-export declare const getMfaAlgorithm: () => string;
-export declare const getMfaDigits: () => number;
-export declare const getMfaPeriod: () => number;
-export declare const getMfaRecoveryCodeCount: () => number;
-export declare const getMfaChallengeTtl: () => number;
-export declare const getMfaEmailOtpConfig: () => MfaEmailOtpConfig | null;
-export declare const getMfaEmailOtpCodeLength: () => number;
-export declare const getMfaWebAuthnConfig: () => MfaWebAuthnConfig | null;
-export declare const getMfaRequired: () => boolean;
-export declare const getMfaWebAuthnAllowPasswordlessLogin: () => boolean;
-export declare const getMfaWebAuthnPasskeyMfaBypass: () => boolean;
-export declare const setCsrfEnabled: (v: boolean) => void;
-export declare const getCsrfEnabled: () => boolean;
-export interface SigningConfig {
-    /**
-     * HMAC secret. Defaults to JWT_SECRET_DEV/JWT_SECRET_PROD env var if omitted.
-     * Pass string[] to support key rotation — first element signs, all elements verify.
-     */
-    secret?: string | string[];
-    /** Sign/verify cookie values set via exported helpers. Default: false. */
-    cookies?: boolean;
-    /** Sign pagination cursor tokens to prevent client tampering. Default: false. */
-    cursors?: boolean;
-    /** HMAC-based stateless presigned URLs (no DB lookup). Default: false. */
-    presignedUrls?: boolean | {
-        defaultExpiry?: number;
-    };
-    /** Require clients to HMAC-sign requests (method+path+timestamp+body). Default: false. */
-    requestSigning?: boolean | {
-        tolerance?: number;
-        header?: string;
-        timestampHeader?: string;
-    };
-    /** Hash idempotency keys before storage. Default: false. */
-    idempotencyKeys?: boolean;
-    /** Bind sessions to client IP+UA fingerprint. Default: false. */
-    sessionBinding?: boolean | {
-        fields?: Array<"ip" | "ua" | "accept-language">;
-        /**
-         * What to do when fingerprint doesn't match.
-         * - "unauthenticate": treat as logged-out (default — graceful but masks attacks)
-         * - "reject": return 401 (strict — recommended for security-conscious apps)
-         * - "log-only": allow through but log the mismatch (useful during rollout)
-         */
-        onMismatch?: "unauthenticate" | "reject" | "log-only";
-    };
-}
-export declare const setSigningConfig: (config: SigningConfig | null) => void;
-export declare const getSigningConfig: () => SigningConfig | null;
-/**
- * Returns the active signing secret: signing.secret → JWT_SECRET_PROD/DEV env var.
- * Returns null when neither is configured — callers must handle this gracefully.
- */
-export declare const getSigningSecret: () => string | string[] | null;
-export interface JwtConfig {
-    /** JWT issuer claim (`iss`). When set, added to all tokens and validated on verify. */
-    issuer?: string;
-    /** JWT audience claim (`aud`). When set, added to all tokens and validated on verify. */
-    audience?: string | string[];
-    /** JWT signing algorithm. Default: "HS256". Use "RS256" for OIDC. Requires OidcConfig when set to "RS256". */
-    algorithm?: "HS256" | "RS256";
-}
-export declare const setJwtConfig: (config: JwtConfig | null) => void;
-export declare const getJwtConfig: () => JwtConfig | null;
-export declare const getJwtIssuer: () => string | undefined;
-export declare const getJwtAudience: () => string | string[] | undefined;
-export interface BreachedPasswordConfig {
-    /** Block registration/reset when password is breached. Default: true. */
-    block?: boolean;
-    /** Minimum breach count to consider breached. Default: 1. */
-    minBreachCount?: number;
-    /** Request timeout in ms. Default: 3000. */
-    timeout?: number;
-    /** What to do when the HIBP API is unavailable. Default: "allow". */
-    onApiFailure?: "allow" | "block";
-}
-export declare const setBreachedPasswordConfig: (config: BreachedPasswordConfig | null) => void;
-export declare const getBreachedPasswordConfig: () => BreachedPasswordConfig | null;
-export interface StepUpConfig {
-    /** Max age in seconds since last MFA verification. Default: 300 (5 min). */
-    maxAge?: number;
-}
-export declare const setStepUpConfig: (config: StepUpConfig | null) => void;
-export declare const getStepUpConfig: () => StepUpConfig | null;
-export declare const setCheckSuspensionOnIdentify: (v: boolean) => void;
-export declare const getCheckSuspensionOnIdentify: () => boolean;
-export declare const setCaptchaConfig: (config: import("./captcha").CaptchaConfig | null) => void;
-export declare const getCaptchaConfig: () => import("./captcha").CaptchaConfig | null;
-export interface M2MConfig {
-    enabled?: boolean;
-    /** Access token expiry in seconds. Default: 3600 (1 hour). */
-    tokenExpiry?: number;
-    /** Allowed scopes for M2M clients. */
-    scopes?: string[];
-}
-export declare const setM2MConfig: (config: M2MConfig | null) => void;
-export declare const getM2MConfig: () => M2MConfig | null;
-export declare const getM2MTokenExpiry: () => number;
-export interface SamlConfig {
-    /** Service Provider entity ID (e.g. "https://yourapp.com/auth/saml"). */
-    entityId: string;
-    /** Assertion Consumer Service URL. */
-    acsUrl: string;
-    /** IdP metadata — XML string or URL. */
-    idpMetadata: string;
-    /** SP signing private key PEM. Optional. */
-    signingKey?: string;
-    /** SP signing certificate PEM. Optional. */
-    signingCert?: string;
-    /** Map IdP attribute names to profile fields. */
-    attributeMapping?: {
-        email?: string;
-        firstName?: string;
-        lastName?: string;
-        groups?: string;
-    };
-    /** Custom user lookup/creation. When provided, takes precedence over findOrCreateByProvider. */
-    onLogin?: (profile: SamlProfile) => Promise<{
-        userId: string;
-    }>;
-    /** Where to redirect after successful SAML login. Default: "/". */
-    postLoginRedirect?: string;
-}
-import type { SamlProfile } from "./saml";
-export declare const setSamlConfig: (config: SamlConfig | null) => void;
-export declare const getSamlConfig: () => SamlConfig | null;
-export interface OidcConfig {
-    enabled?: boolean;
-    /** JWT issuer — included in all tokens and OIDC discovery doc. Required. */
-    issuer: string;
-    /** RSA signing key. If not provided, a key pair is auto-generated on startup. */
-    signingKey?: {
-        privateKey: string;
-        publicKey: string;
-        kid?: string;
-    };
-    /** Previous signing keys for rotation (verification only). */
-    previousKeys?: Array<{
-        publicKey: string;
-        kid?: string;
-    }>;
-    /** Scopes advertised in the discovery document. Default: ["openid"]. */
-    scopes?: string[];
-    /** Token endpoint URL. Defaults to `${issuer}/oauth/token`. */
-    tokenEndpoint?: string;
-}
-export declare const setOidcConfig: (config: OidcConfig | null) => void;
-export declare const getOidcConfig: () => OidcConfig | null;
-export interface ScimConfig {
-    enabled?: boolean;
-    /** Bearer token(s) for SCIM endpoint authentication. Required. */
-    bearerTokens: string | string[];
-    /** Username mapping strategy. Default: "email". */
-    userMapping?: {
-        userName?: "email" | "username";
-    };
-    /** What to do when a user is deleted via SCIM. Default: "suspend". */
-    onDeprovision?: "suspend" | "delete" | ((userId: string) => Promise<void>);
-}
-export declare const setScimConfig: (config: ScimConfig | null) => void;
-export declare const getScimConfig: () => ScimConfig | null;

package/dist/lib/auditLog.d.ts

@@ -1,58 +0,0 @@
-import type { Database } from "bun:sqlite";
-export interface AuditLogEntry {
-    id: string;
-    userId: string | null;
-    sessionId: string | null;
-    tenantId: string | null;
-    method: string;
-    path: string;
-    status: number;
-    ip: string | null;
-    userAgent: string | null;
-    action?: string;
-    resource?: string;
-    resourceId?: string;
-    meta?: Record<string, unknown>;
-    requestId?: string;
-    /** ISO 8601 string across all backends. */
-    createdAt: string;
-    /** MongoDB TTL only — silently ignored by SQLite and memory stores. */
-    expiresAt?: Date;
-}
-export type AuditLogStore = "mongo" | "sqlite" | "memory";
-export interface AuditLogOptions {
-    store: AuditLogStore;
-    /** Required when `store === "sqlite"`. */
-    db?: Database;
-}
-export interface AuditLogQuery {
-    userId?: string;
-    tenantId?: string;
-    after?: Date | string;
-    before?: Date | string;
-    /** Default 50, max 200. */
-    limit?: number;
-    /** Default 0. */
-    offset?: number;
-}
-export declare function clearAuditLogMemoryStore(): void;
-/**
- * Persist an audit log entry to the configured store.
- * Errors are caught internally — this function never throws, to ensure
- * storage failures never fail the HTTP request.
- */
-export declare function logAuditEntry(entry: AuditLogEntry, options: AuditLogOptions): Promise<void>;
-/**
- * Blocking variant of logAuditEntry for critical events (e.g. account deletion,
- * password changes). Awaits the write and logs errors, but never rethrows —
- * a logging failure must not break the HTTP response.
- */
-export declare function logAuditEntryBlocking(entry: AuditLogEntry, options: AuditLogOptions): Promise<void>;
-/**
- * Query audit log entries from the configured store.
- * Returns `{ items, total }` where `total` is the filtered count before pagination.
- */
-export declare function getAuditLogs(query: AuditLogQuery, options: AuditLogOptions): Promise<{
-    items: AuditLogEntry[];
-    total: number;
-}>;