@lastshotlabs/bunshot 0.0.27 → 0.0.28

package/dist/lib/auditLog.js

@@ -1,218 +0,0 @@
-// ---------------------------------------------------------------------------
-// Memory store
-// ---------------------------------------------------------------------------
-let _auditLogs = [];
-export function clearAuditLogMemoryStore() {
-    _auditLogs = [];
-}
-// ---------------------------------------------------------------------------
-// SQLite helpers
-// ---------------------------------------------------------------------------
-function ensureSqliteTable(db) {
-    // No module-level flag — CREATE IF NOT EXISTS is idempotent and cheap.
-    // A flag would break when multiple Database instances are used (e.g. in tests).
-    db.run(`
-    CREATE TABLE IF NOT EXISTS audit_logs (
-      id         TEXT PRIMARY KEY,
-      userId     TEXT,
-      sessionId  TEXT,
-      tenantId   TEXT,
-      method     TEXT NOT NULL,
-      path       TEXT NOT NULL,
-      status     INTEGER NOT NULL,
-      ip         TEXT,
-      userAgent  TEXT,
-      action     TEXT,
-      resource   TEXT,
-      resourceId TEXT,
-      meta       TEXT,
-      createdAt  TEXT NOT NULL
-    )
-  `);
-    db.run("CREATE INDEX IF NOT EXISTS idx_al_user   ON audit_logs(userId,   createdAt)");
-    db.run("CREATE INDEX IF NOT EXISTS idx_al_tenant ON audit_logs(tenantId, createdAt)");
-    db.run("CREATE INDEX IF NOT EXISTS idx_al_path   ON audit_logs(path)");
-}
-// ---------------------------------------------------------------------------
-// logAuditEntry
-// ---------------------------------------------------------------------------
-/**
- * Persist an audit log entry to the configured store.
- * Errors are caught internally — this function never throws, to ensure
- * storage failures never fail the HTTP request.
- */
-export async function logAuditEntry(entry, options) {
-    try {
-        if (options.store === "memory") {
-            _auditLogs.push(entry);
-            return;
-        }
-        if (options.store === "sqlite") {
-            const db = options.db;
-            if (!db)
-                throw new Error("AuditLog: store is 'sqlite' but no db instance was provided");
-            ensureSqliteTable(db);
-            db.run(`INSERT INTO audit_logs
-           (id, userId, sessionId, tenantId, method, path, status,
-            ip, userAgent, action, resource, resourceId, meta, createdAt)
-         VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)`, [
-                entry.id,
-                entry.userId ?? null,
-                entry.sessionId ?? null,
-                entry.tenantId ?? null,
-                entry.method,
-                entry.path,
-                entry.status,
-                entry.ip ?? null,
-                entry.userAgent ?? null,
-                entry.action ?? null,
-                entry.resource ?? null,
-                entry.resourceId ?? null,
-                entry.meta !== undefined ? JSON.stringify(entry.meta) : null,
-                entry.createdAt,
-            ]);
-            return;
-        }
-        if (options.store === "mongo") {
-            // Lazy import to avoid bundling mongoose when not used
-            const { AuditLog } = await import("../models/AuditLog");
-            await AuditLog.create({
-                ...entry,
-                createdAt: new Date(entry.createdAt),
-            });
-            return;
-        }
-    }
-    catch (err) {
-        console.error("[auditLog] failed to write entry:", err);
-    }
-}
-// ---------------------------------------------------------------------------
-// logAuditEntryBlocking
-// ---------------------------------------------------------------------------
-/**
- * Blocking variant of logAuditEntry for critical events (e.g. account deletion,
- * password changes). Awaits the write and logs errors, but never rethrows —
- * a logging failure must not break the HTTP response.
- */
-export async function logAuditEntryBlocking(entry, options) {
-    try {
-        await logAuditEntry(entry, options);
-    }
-    catch (err) {
-        console.error("[auditLog] CRITICAL: blocking audit write failed:", err);
-        // Don't rethrow — we never want a logging failure to break the response
-    }
-}
-// ---------------------------------------------------------------------------
-// getAuditLogs
-// ---------------------------------------------------------------------------
-/**
- * Query audit log entries from the configured store.
- * Returns `{ items, total }` where `total` is the filtered count before pagination.
- */
-export async function getAuditLogs(query, options) {
-    const limit = Math.min(query.limit ?? 50, 200);
-    const offset = query.offset ?? 0;
-    const after = query.after ? new Date(query.after).toISOString() : undefined;
-    const before = query.before ? new Date(query.before).toISOString() : undefined;
-    // --- Memory ---
-    if (options.store === "memory") {
-        let filtered = _auditLogs.slice();
-        if (query.userId !== undefined)
-            filtered = filtered.filter(e => e.userId === query.userId);
-        if (query.tenantId !== undefined)
-            filtered = filtered.filter(e => e.tenantId === query.tenantId);
-        if (after)
-            filtered = filtered.filter(e => e.createdAt >= after);
-        if (before)
-            filtered = filtered.filter(e => e.createdAt < before);
-        return { items: filtered.slice(offset, offset + limit), total: filtered.length };
-    }
-    // --- SQLite ---
-    if (options.store === "sqlite") {
-        const db = options.db;
-        if (!db)
-            throw new Error("AuditLog: store is 'sqlite' but no db instance was provided");
-        ensureSqliteTable(db);
-        const conditions = [];
-        const params = [];
-        if (query.userId !== undefined) {
-            conditions.push("userId = ?");
-            params.push(query.userId);
-        }
-        if (query.tenantId !== undefined) {
-            conditions.push("tenantId = ?");
-            params.push(query.tenantId);
-        }
-        if (after) {
-            conditions.push("createdAt >= ?");
-            params.push(after);
-        }
-        if (before) {
-            conditions.push("createdAt < ?");
-            params.push(before);
-        }
-        const where = conditions.length > 0 ? `WHERE ${conditions.join(" AND ")}` : "";
-        const { count } = db.query(`SELECT COUNT(*) as count FROM audit_logs ${where}`).get(...params) ?? { count: 0 };
-        const rows = db.query(`SELECT * FROM audit_logs ${where} ORDER BY createdAt DESC LIMIT ? OFFSET ?`).all(...params, limit, offset);
-        const items = rows.map(row => ({
-            id: row.id,
-            userId: row.userId ?? null,
-            sessionId: row.sessionId ?? null,
-            tenantId: row.tenantId ?? null,
-            method: row.method,
-            path: row.path,
-            status: row.status,
-            ip: row.ip ?? null,
-            userAgent: row.userAgent ?? null,
-            action: row.action ?? undefined,
-            resource: row.resource ?? undefined,
-            resourceId: row.resourceId ?? undefined,
-            meta: row.meta ? JSON.parse(row.meta) : undefined,
-            createdAt: row.createdAt,
-        }));
-        return { items, total: count };
-    }
-    // --- MongoDB ---
-    if (options.store === "mongo") {
-        const { AuditLog } = await import("../models/AuditLog");
-        const filter = {};
-        if (query.userId !== undefined)
-            filter.userId = query.userId;
-        if (query.tenantId !== undefined)
-            filter.tenantId = query.tenantId;
-        if (after || before) {
-            filter.createdAt = {
-                ...(after ? { $gte: new Date(after) } : {}),
-                ...(before ? { $lt: new Date(before) } : {}),
-            };
-        }
-        const [total, docs] = await Promise.all([
-            AuditLog.countDocuments(filter),
-            AuditLog.find(filter)
-                .sort({ createdAt: -1 })
-                .skip(offset)
-                .limit(limit)
-                .lean(),
-        ]);
-        const items = docs.map(doc => ({
-            id: doc.id,
-            userId: doc.userId ?? null,
-            sessionId: doc.sessionId ?? null,
-            tenantId: doc.tenantId ?? null,
-            method: doc.method,
-            path: doc.path,
-            status: doc.status,
-            ip: doc.ip ?? null,
-            userAgent: doc.userAgent ?? null,
-            action: doc.action,
-            resource: doc.resource,
-            resourceId: doc.resourceId,
-            meta: doc.meta,
-            createdAt: doc.createdAt.toISOString(),
-        }));
-        return { items, total };
-    }
-    return { items: [], total: 0 };
-}

package/dist/lib/authAdapter.d.ts

@@ -1,246 +0,0 @@
-import type { GroupRecord, GroupMembershipRecord, PaginationOpts, PaginatedResult } from "./groups";
-export type { GroupRecord, GroupMembershipRecord, PaginationOpts, PaginatedResult };
-export interface M2MClientRecord {
-    id: string;
-    clientId: string;
-    name: string;
-    scopes: string[];
-    active: boolean;
-}
-export interface IdentityProfile {
-    email?: string;
-    name?: string;
-    firstName?: string;
-    lastName?: string;
-    displayName?: string;
-    avatarUrl?: string;
-    externalId?: string;
-}
-/** @deprecated Use IdentityProfile */
-export type OAuthProfile = IdentityProfile;
-export interface WebAuthnCredential {
-    /** Base64url-encoded credential ID. */
-    credentialId: string;
-    /** Base64url-encoded public key. */
-    publicKey: string;
-    /** Counter for signature verification (replay protection). */
-    signCount: number;
-    /** Transport hints from the authenticator (usb, ble, nfc, internal). */
-    transports?: string[];
-    /** User-assigned name for the key (e.g. "YubiKey 5"). */
-    name?: string;
-    /** When the credential was registered (epoch ms). */
-    createdAt: number;
-}
-export interface AuthAdapter {
-    findByEmail(email: string): Promise<{
-        id: string;
-        passwordHash: string;
-    } | null>;
-    create(email: string, passwordHash: string): Promise<{
-        id: string;
-    }>;
-    /** Required when using OAuth providers. Find or create a user by provider + provider user ID. */
-    findOrCreateByProvider?(provider: string, providerId: string, profile: OAuthProfile): Promise<{
-        id: string;
-        created: boolean;
-    }>;
-    /** Optional. Set or update the password hash for a user (used by /auth/set-password). */
-    setPassword?(userId: string, passwordHash: string): Promise<void>;
-    /** Optional. Link a provider identity to an existing user (used by /auth/:provider/link). */
-    linkProvider?(userId: string, provider: string, providerId: string): Promise<void>;
-    /** Optional. Return the roles assigned to a user (used by requireRole middleware). */
-    getRoles?(userId: string): Promise<string[]>;
-    /** Optional. Set the roles for a user, replacing any existing roles. */
-    setRoles?(userId: string, roles: string[]): Promise<void>;
-    /** Optional. Add a single role to a user without affecting their other roles. */
-    addRole?(userId: string, role: string): Promise<void>;
-    /** Optional. Remove a single role from a user without affecting their other roles. */
-    removeRole?(userId: string, role: string): Promise<void>;
-    /** Optional. Return basic profile info for a user by ID (used by GET /auth/me). */
-    getUser?(userId: string): Promise<{
-        email?: string;
-        providerIds?: string[];
-        emailVerified?: boolean;
-        displayName?: string;
-        firstName?: string;
-        lastName?: string;
-        externalId?: string;
-        suspended?: boolean;
-        suspendedReason?: string;
-    } | null>;
-    /** Optional. Unlink a provider identity from a user (used by DELETE /auth/:provider/link). */
-    unlinkProvider?(userId: string, provider: string): Promise<void>;
-    /**
-     * Optional. Look up a user by their primary identifier (email, username, or phone depending on config).
-     * When provided, used instead of findByEmail for credential login/register flows.
-     */
-    findByIdentifier?(value: string): Promise<{
-        id: string;
-        passwordHash: string;
-    } | null>;
-    /** Optional. Mark a user's email address as verified (used by POST /auth/verify-email). */
-    setEmailVerified?(userId: string, verified: boolean): Promise<void>;
-    /** Optional. Return whether a user's email address has been verified. */
-    getEmailVerified?(userId: string): Promise<boolean>;
-    /** Optional. Permanently delete a user account. Used by DELETE /auth/me. */
-    deleteUser?(userId: string): Promise<void>;
-    /** Optional. Check whether a user has a password set (credential account vs OAuth-only). */
-    hasPassword?(userId: string): Promise<boolean>;
-    /** Optional. Store the TOTP secret for MFA setup (encrypted or plaintext, adapter decides). */
-    setMfaSecret?(userId: string, secret: string | null): Promise<void>;
-    /** Optional. Retrieve the TOTP secret for MFA verification. */
-    getMfaSecret?(userId: string): Promise<string | null>;
-    /** Optional. Check whether MFA is enabled for a user. */
-    isMfaEnabled?(userId: string): Promise<boolean>;
-    /** Optional. Enable or disable MFA for a user. */
-    setMfaEnabled?(userId: string, enabled: boolean): Promise<void>;
-    /** Optional. Store hashed recovery codes for MFA. */
-    setRecoveryCodes?(userId: string, codes: string[]): Promise<void>;
-    /** Optional. Retrieve hashed recovery codes for MFA. */
-    getRecoveryCodes?(userId: string): Promise<string[]>;
-    /** Optional. Remove a single recovery code after use. */
-    removeRecoveryCode?(userId: string, code: string): Promise<void>;
-    /** Optional. Get the MFA methods enabled for a user (e.g., ["totp"], ["emailOtp"], ["totp", "emailOtp"]). */
-    getMfaMethods?(userId: string): Promise<string[]>;
-    /** Optional. Set the MFA methods enabled for a user. */
-    setMfaMethods?(userId: string, methods: string[]): Promise<void>;
-    /** Optional. Get roles for a user within a specific tenant. */
-    getTenantRoles?(userId: string, tenantId: string): Promise<string[]>;
-    /** Optional. Set roles for a user within a specific tenant (replaces existing). */
-    setTenantRoles?(userId: string, tenantId: string, roles: string[]): Promise<void>;
-    /** Optional. Add a single role to a user within a specific tenant. */
-    addTenantRole?(userId: string, tenantId: string, role: string): Promise<void>;
-    /** Optional. Remove a single role from a user within a specific tenant. */
-    removeTenantRole?(userId: string, tenantId: string, role: string): Promise<void>;
-    /** Optional. Get all WebAuthn credentials for a user. */
-    getWebAuthnCredentials?(userId: string): Promise<WebAuthnCredential[]>;
-    /** Optional. Add a WebAuthn credential for a user. */
-    addWebAuthnCredential?(userId: string, credential: WebAuthnCredential): Promise<void>;
-    /** Optional. Remove a WebAuthn credential by its credential ID. */
-    removeWebAuthnCredential?(userId: string, credentialId: string): Promise<void>;
-    /** Optional. Update the sign count for a WebAuthn credential after successful authentication. */
-    updateWebAuthnCredentialSignCount?(userId: string, credentialId: string, signCount: number): Promise<void>;
-    /** Optional. Find the user who owns a WebAuthn credential. Returns userId or null. Used for cross-user uniqueness checks. */
-    findUserByWebAuthnCredentialId?(credentialId: string): Promise<string | null>;
-    /** Suspend or unsuspend a user. */
-    setSuspended?(userId: string, suspended: boolean, reason?: string): Promise<void>;
-    /** Get suspension status. Returns false if adapter doesn't track it. */
-    getSuspended?(userId: string): Promise<{
-        suspended: boolean;
-        suspendedReason?: string;
-    } | null>;
-    /** Update profile fields. */
-    updateProfile?(userId: string, fields: Partial<Pick<IdentityProfile, "displayName" | "firstName" | "lastName" | "externalId">>): Promise<void>;
-    /** List users matching a normalized query. */
-    listUsers?(query: UserQuery): Promise<{
-        users: UserRecord[];
-        totalResults: number;
-    }>;
-    /**
-     * Create a new group. Returns the new group's id.
-     * The name must be a slug (/^[a-z0-9_-]+$/) and unique within its scope.
-     * tenantId: null = app-wide group, string = tenant-scoped group.
-     */
-    createGroup?(group: Omit<GroupRecord, "id" | "createdAt" | "updatedAt">): Promise<{
-        id: string;
-    }>;
-    /**
-     * Delete a group and cascade-delete all its memberships.
-     * Cascade behavior is adapter-specific (MongoDB: manual deleteMany, SQLite: ON DELETE CASCADE).
-     */
-    deleteGroup?(groupId: string): Promise<void>;
-    /** Get a group by ID. Returns null if not found. */
-    getGroup?(groupId: string): Promise<GroupRecord | null>;
-    /**
-     * List groups scoped to a tenant (tenantId string) or app-wide (tenantId null).
-     * Results are paginated (default limit 50, max 200).
-     */
-    listGroups?(tenantId: string | null, opts?: PaginationOpts): Promise<PaginatedResult<GroupRecord>>;
-    /**
-     * Update mutable group fields: name, displayName, description, roles.
-     * tenantId is intentionally excluded — it is immutable after creation.
-     */
-    updateGroup?(groupId: string, updates: Partial<Pick<GroupRecord, "roles" | "name" | "displayName" | "description">>): Promise<void>;
-    /**
-     * Add a user to a group with optional per-membership roles.
-     *
-     * CONTRACT: throws if the user is already a member (unique constraint violation).
-     * All adapters must surface this as a thrown error, not a silent no-op.
-     * Use updateGroupMembership to change roles on an existing membership.
-     */
-    addGroupMember?(groupId: string, userId: string, roles?: string[]): Promise<void>;
-    /**
-     * Update the per-membership roles for an existing group member.
-     * Replaces the member's roles[] in place (not additive).
-     * No updatedAt is tracked — intentional, see GroupMembershipRecord.
-     */
-    updateGroupMembership?(groupId: string, userId: string, roles: string[]): Promise<void>;
-    /** Remove a user from a group. No-op if the user is not a member. */
-    removeGroupMember?(groupId: string, userId: string): Promise<void>;
-    /** List members of a group with their per-membership roles. Paginated. */
-    getGroupMembers?(groupId: string, opts?: PaginationOpts): Promise<PaginatedResult<{
-        userId: string;
-        roles: string[];
-    }>>;
-    /**
-     * List all groups a user belongs to in the given scope, with their per-membership roles.
-     * tenantId = null → app-wide groups; tenantId = string → tenant-scoped groups.
-     */
-    getUserGroups?(userId: string, tenantId: string | null): Promise<Array<{
-        group: GroupRecord;
-        membershipRoles: string[];
-    }>>;
-    /**
-     * Return all roles a user effectively has in the given scope, combining:
-     *   1. Direct roles (app-wide or tenant-scoped)
-     *   2. Group baseline roles (from all groups the user belongs to in that scope)
-     *   3. Per-membership roles (user-specific extras within each group)
-     *
-     * SCOPE CONTRACT (matches requireRole behavior):
-     *   - tenantId = null  → app-wide direct roles + app-wide group roles only
-     *   - tenantId = string → tenant-scoped direct roles + tenant-scoped group roles only
-     *
-     * Tenant-scoped group roles NEVER satisfy app-wide role checks and vice versa.
-     */
-    getEffectiveRoles?(userId: string, tenantId: string | null): Promise<string[]>;
-    /** Optional. Look up an active M2M client by clientId (includes clientSecretHash for verification). */
-    getM2MClient?(clientId: string): Promise<(M2MClientRecord & {
-        clientSecretHash: string;
-    }) | null>;
-    /** Optional. Create a new M2M client. Returns the new client's id. */
-    createM2MClient?(client: {
-        clientId: string;
-        clientSecretHash: string;
-        name: string;
-        scopes: string[];
-    }): Promise<{
-        id: string;
-    }>;
-    /** Optional. Delete an M2M client by clientId. */
-    deleteM2MClient?(clientId: string): Promise<void>;
-    /** Optional. List all M2M clients (without secrets). */
-    listM2MClients?(): Promise<M2MClientRecord[]>;
-}
-export interface UserQuery {
-    email?: string;
-    externalId?: string;
-    suspended?: boolean;
-    startIndex?: number;
-    count?: number;
-}
-export interface UserRecord {
-    id: string;
-    email?: string;
-    displayName?: string;
-    firstName?: string;
-    lastName?: string;
-    externalId?: string;
-    suspended: boolean;
-    suspendedAt?: Date;
-    suspendedReason?: string;
-    emailVerified?: boolean;
-    providerIds?: string[];
-}
-export declare const setAuthAdapter: (adapter: AuthAdapter) => void;
-export declare const getAuthAdapter: () => AuthAdapter;

package/dist/lib/authAdapter.js

@@ -1,7 +0,0 @@
-let _adapter = null;
-export const setAuthAdapter = (adapter) => { _adapter = adapter; };
-export const getAuthAdapter = () => {
-    if (!_adapter)
-        throw new Error("No auth adapter set — pass authAdapter to createApp/createServer, or call setAuthAdapter()");
-    return _adapter;
-};

package/dist/lib/authRateLimit.d.ts

@@ -1,13 +0,0 @@
-export declare const setAuthRateLimitStore: (store: "memory" | "redis") => void;
-export interface LimitOpts {
-    windowMs: number;
-    max: number;
-}
-/** Returns true if the key is currently over the limit (read-only, no increment). */
-export declare const isLimited: (key: string, opts: LimitOpts) => Promise<boolean>;
-/** Increments the counter and returns true if now over the limit. */
-export declare const trackAttempt: (key: string, opts: LimitOpts) => Promise<boolean>;
-/** Resets a rate limit key. Use on login success or for admin unlock. */
-export declare const bustAuthLimit: (key: string) => Promise<void>;
-/** Clears all in-memory rate limit entries. Called by clearMemoryStore(). */
-export declare const clearMemoryRateLimitStore: () => void;

package/dist/lib/authRateLimit.js

@@ -1,117 +0,0 @@
-import { getAppName } from "./appConfig";
-// ---------------------------------------------------------------------------
-// Memory implementation
-// ---------------------------------------------------------------------------
-const _memoryStore = new Map();
-const memoryStore = {
-    async get(key) {
-        const entry = _memoryStore.get(key);
-        if (!entry)
-            return null;
-        if (entry.resetAt <= Date.now()) {
-            _memoryStore.delete(key);
-            return null;
-        }
-        return entry;
-    },
-    async set(key, entry) {
-        _memoryStore.set(key, entry);
-    },
-    async delete(key) {
-        _memoryStore.delete(key);
-    },
-    // No increment — memory store uses the read-modify-write fallback (single-process, acceptable)
-};
-// ---------------------------------------------------------------------------
-// Redis implementation
-// ---------------------------------------------------------------------------
-// Lua script: atomically read + increment + write JSON entry, preserving { count, resetAt } format.
-// Returns the new count as a number.
-const TRACK_SCRIPT = `
-local key = KEYS[1]
-local windowMs = tonumber(ARGV[1])
-local now = tonumber(ARGV[2])
-local raw = redis.call("GET", key)
-local count, resetAt
-
-if raw then
-  local entry = cjson.decode(raw)
-  count = entry.count + 1
-  resetAt = entry.resetAt
-else
-  count = 1
-  resetAt = now + windowMs
-end
-
-local ttl = math.max(1, resetAt - now)
-local payload = cjson.encode({count = count, resetAt = resetAt})
-redis.call("SET", key, payload, "PX", ttl)
-return count
-`;
-const redisStore = {
-    async get(key) {
-        const { getRedis } = await import("./redis");
-        const raw = await getRedis().get(`rl:${getAppName()}:${key}`);
-        if (!raw)
-            return null;
-        const entry = JSON.parse(raw);
-        if (entry.resetAt <= Date.now())
-            return null;
-        return entry;
-    },
-    async set(key, entry, ttlMs) {
-        const { getRedis } = await import("./redis");
-        await getRedis().set(`rl:${getAppName()}:${key}`, JSON.stringify(entry), "PX", ttlMs);
-    },
-    async delete(key) {
-        const { getRedis } = await import("./redis");
-        await getRedis().del(`rl:${getAppName()}:${key}`);
-    },
-    async increment(key, windowMs) {
-        const { getRedis } = await import("./redis");
-        const fullKey = `rl:${getAppName()}:${key}`;
-        const now = Date.now();
-        const count = await getRedis().eval(TRACK_SCRIPT, 1, fullKey, windowMs, now);
-        return count;
-    },
-};
-// ---------------------------------------------------------------------------
-// Active store + setter
-// ---------------------------------------------------------------------------
-let _store = memoryStore;
-export const setAuthRateLimitStore = (store) => {
-    _store = store === "redis" ? redisStore : memoryStore;
-};
-/** Returns true if the key is currently over the limit (read-only, no increment). */
-export const isLimited = async (key, opts) => {
-    const entry = await _store.get(key);
-    if (!entry)
-        return false;
-    return entry.count >= opts.max;
-};
-/** Increments the counter and returns true if now over the limit. */
-export const trackAttempt = async (key, opts) => {
-    if (_store.increment) {
-        const count = await _store.increment(key, opts.windowMs);
-        return count >= opts.max;
-    }
-    // Read-modify-write fallback for memory store (single-process — no lost increments)
-    const now = Date.now();
-    const existing = await _store.get(key);
-    if (!existing) {
-        await _store.set(key, { count: 1, resetAt: now + opts.windowMs }, opts.windowMs);
-        return 1 >= opts.max;
-    }
-    const updated = { count: existing.count + 1, resetAt: existing.resetAt };
-    const remaining = Math.max(1, existing.resetAt - now);
-    await _store.set(key, updated, remaining);
-    return updated.count >= opts.max;
-};
-/** Resets a rate limit key. Use on login success or for admin unlock. */
-export const bustAuthLimit = async (key) => {
-    await _store.delete(key);
-};
-/** Clears all in-memory rate limit entries. Called by clearMemoryStore(). */
-export const clearMemoryRateLimitStore = () => {
-    _memoryStore.clear();
-};

package/dist/lib/clientIp.d.ts

@@ -1,14 +0,0 @@
-import type { Context } from "hono";
-export declare const setTrustProxy: (value: false | number) => void;
-/**
- * Returns the client IP address, respecting the `trustProxy` setting.
- *
- * - When `trustProxy` is `false`: returns the socket-level IP (via Bun's
- *   `server.requestIP()`), ignoring `X-Forwarded-For` entirely.
- * - When `trustProxy` is a number N: takes the Nth-from-right entry in the
- *   `X-Forwarded-For` chain (skipping N trusted proxy hops), falling back to
- *   the socket-level IP.
- *
- * Returns `"unknown"` if no IP can be determined.
- */
-export declare const getClientIp: (c: Context<any>) => string;

package/dist/lib/credentialStuffing.d.ts

@@ -1,31 +0,0 @@
-export interface CredentialStuffingConfig {
-    /** Block when an IP attempts login against this many distinct accounts. Default: 5 per 15 min. */
-    maxAccountsPerIp?: {
-        count: number;
-        windowMs: number;
-    };
-    /** Block when an account is attempted from this many distinct IPs. Default: 10 per 15 min. */
-    maxIpsPerAccount?: {
-        count: number;
-        windowMs: number;
-    };
-    /** Called when stuffing is detected. Non-blocking, errors swallowed. */
-    onDetected?: (signal: {
-        type: "ip" | "account";
-        key: string;
-        count: number;
-    }) => void;
-}
-export declare function setCredentialStuffingConfig(config: CredentialStuffingConfig | null): void;
-export declare function getCredentialStuffingConfig(): CredentialStuffingConfig | null;
-/**
- * Track a failed login attempt. Call this AFTER confirming the login failed.
- */
-export declare function trackFailedLogin(ip: string, identifier: string): void;
-/**
- * Check whether this login attempt should be blocked.
- * Call this BEFORE verifying credentials.
- */
-export declare function isStuffingBlocked(ip: string, identifier: string): boolean;
-/** Clear the in-memory store (for testing). */
-export declare function clearCredentialStuffingStore(): void;