@lunora/server 1.0.0-alpha.14 → 1.0.0-alpha.16

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/dist/index.d.mts CHANGED
@@ -604,6 +604,15 @@ interface ContextWithStorage {
604
604
  storage: StorageDownloader;
605
605
  }
606
606
  /**
607
+ * True when `value` is safe to use as an HTTP header field-value: no CR, LF, or
608
+ * NUL. Guards against response-header injection / `Headers`-construction throws
609
+ * when reflecting attacker-influenced object metadata (e.g. a stored
610
+ * `Content-Type`). Exported (see the `export {}` at the file end) so an `httpAction`
611
+ * handler can guard a request-derived header value before writing it — the fix the
612
+ * `http_action_response_header_injection` advisor lint points to.
613
+ */
614
+ declare const isSafeHeaderValue: (value: string) => boolean;
615
+ /**
607
616
  * Stream a stored object as an HTTP {@link Response} from an `httpAction`
608
617
  * handler, with correct `Content-Type`, `ETag`, and `Accept-Ranges: bytes`.
609
618
  * Honors a single-range `Range` request → **206 Partial Content** with
@@ -1982,4 +1991,4 @@ interface StorageContextIn {
1982
1991
  }
1983
1992
  declare const storageRules: <Context extends StorageContextIn = StorageContextIn>(rules: ReadonlyArray<StorageRule<Context>>, options?: StorageRulesOptions) => Middleware<Context, Context>;
1984
1993
  declare const VERSION = "0.0.0";
1985
- export { type ActionBuilder, type ActionCtx, type AggregateIndexDefinition, type AggregateIndexOptions, type AggregateOp, type ArgsValidator, type Component, type ComponentFunctions, type CreateOptions, type DataModelInit, type DefineComponentOptions, type DefineIdentityOptions, type DefinePluginOptions, type DefinePolicyInput, type DefinePresenceOptions, type DefineStorageRuleInput, type DurableObjectJurisdiction, type EmptyArgs, type EnvAccessor, type EnvKeyFailure, type EnvShape, type ExtendableSchema, type FacadeEntry, type FacadeWriterLike, type FunctionKind, type HttpActionCtx, type HttpActionHandler, type HttpMethod, type HttpRoute, type HttpRouteBuilder, type HttpRouteFactory, type HttpRouteHandlerOptions, type HttpStreamHandlerOptions, type IdentityContract, type IdentityRejectMode, type IdentityValidation, type InferArgs, type InferEnv, type InferIdentity, type InlineAggregateIndexOptions, type InlineRankIndexOptions, type InternalActionBuilder, type InternalMutationBuilder, type InternalQueryBuilder, type LifecycleEvent, type LifecycleHandler, type LunoraBuilders, LunoraEnvError, LunoraError, type LunoraHttpApp, type LunoraHttpEnv, type LunoraRouteHandler, type ManyRelation, type MaskColumns, type MaskContext, type MaskFn, type MaskOptions, type MaskPolicies, type MaskStrategy, type Middleware, type MiddlewareNext, type MigrationDefinition, type MigrationDocument, type MigrationTransform, type MutationBuilder, type MutationCtx, type MutatorDefinition, type OnDeleteAction, type OneRelation, type OrmLike, DEFAULT_TTL_MS as PRESENCE_DEFAULT_TTL_MS, PRESENCE_TABLE, type Permission, type Plugin, type Policy, type PrefixedTables, type PresenceComponent, type PresenceFunctions, type PresenceMember, type ProtectPublicOptions, type QueryBuilder, type QueryCtx, type RankIndexDefinition, type RankIndexOptions, type RegisteredAction, type RegisteredFunction, type RegisteredLifecycleHook, type RegisteredMigration, type RegisteredMutation, type RegisteredMutator, type RegisteredQuery, type RegisteredShape, type RegisteredStream, type RelationBuilder, type RelationDefinition, type RlsOptions, type RlsReadRegistry, type Role, type Schema, type SchemaExtension, type ShapeDefinition, type ShapeReadWhereRequest, type StorageOperation, type StorageRule, type StorageRuleContext, type StorageRuleDecision, type StorageRulesOptions, type TableBuilder, type TableDefinition, type TerminalKind, type TriggerBuilder, type TriggerDefinition, type TypedDefinePolicyInput, VERSION, type VectorEmbedder, type VectorIndexDefinition, type VectorIndexOptions, type VectorMetric, type VectorizeOptions, type WhereInput, asBucketStorage, bindOrm, bindTableFacade, buildRlsReadRegistry, composePluginMiddleware, composeShapeReadWhere, createPolicyDsl, createSecrets, defineAggregateIndex, defineComponent, defineEnv, defineIdentity, defineMigration, defineMutator, definePermission, definePlugin, definePolicies, definePolicy, definePresence, defineRankIndex, defineRole, defineSchema, defineSchemaExtension, defineShape, defineStorageRule, defineStorageRules, defineTable, defineVectorIndex, httpAction, httpRoute, httpRouter, initLunora, installPlugins, mask, mergeSchemaExtension, onConnect, onDisconnect, presenceExtension, protectPublic, redactSecrets, rls, serveStorageObject, storageRules };
1994
+ export { type ActionBuilder, type ActionCtx, type AggregateIndexDefinition, type AggregateIndexOptions, type AggregateOp, type ArgsValidator, type Component, type ComponentFunctions, type CreateOptions, type DataModelInit, type DefineComponentOptions, type DefineIdentityOptions, type DefinePluginOptions, type DefinePolicyInput, type DefinePresenceOptions, type DefineStorageRuleInput, type DurableObjectJurisdiction, type EmptyArgs, type EnvAccessor, type EnvKeyFailure, type EnvShape, type ExtendableSchema, type FacadeEntry, type FacadeWriterLike, type FunctionKind, type HttpActionCtx, type HttpActionHandler, type HttpMethod, type HttpRoute, type HttpRouteBuilder, type HttpRouteFactory, type HttpRouteHandlerOptions, type HttpStreamHandlerOptions, type IdentityContract, type IdentityRejectMode, type IdentityValidation, type InferArgs, type InferEnv, type InferIdentity, type InlineAggregateIndexOptions, type InlineRankIndexOptions, type InternalActionBuilder, type InternalMutationBuilder, type InternalQueryBuilder, type LifecycleEvent, type LifecycleHandler, type LunoraBuilders, LunoraEnvError, LunoraError, type LunoraHttpApp, type LunoraHttpEnv, type LunoraRouteHandler, type ManyRelation, type MaskColumns, type MaskContext, type MaskFn, type MaskOptions, type MaskPolicies, type MaskStrategy, type Middleware, type MiddlewareNext, type MigrationDefinition, type MigrationDocument, type MigrationTransform, type MutationBuilder, type MutationCtx, type MutatorDefinition, type OnDeleteAction, type OneRelation, type OrmLike, DEFAULT_TTL_MS as PRESENCE_DEFAULT_TTL_MS, PRESENCE_TABLE, type Permission, type Plugin, type Policy, type PrefixedTables, type PresenceComponent, type PresenceFunctions, type PresenceMember, type ProtectPublicOptions, type QueryBuilder, type QueryCtx, type RankIndexDefinition, type RankIndexOptions, type RegisteredAction, type RegisteredFunction, type RegisteredLifecycleHook, type RegisteredMigration, type RegisteredMutation, type RegisteredMutator, type RegisteredQuery, type RegisteredShape, type RegisteredStream, type RelationBuilder, type RelationDefinition, type RlsOptions, type RlsReadRegistry, type Role, type Schema, type SchemaExtension, type ShapeDefinition, type ShapeReadWhereRequest, type StorageOperation, type StorageRule, type StorageRuleContext, type StorageRuleDecision, type StorageRulesOptions, type TableBuilder, type TableDefinition, type TerminalKind, type TriggerBuilder, type TriggerDefinition, type TypedDefinePolicyInput, VERSION, type VectorEmbedder, type VectorIndexDefinition, type VectorIndexOptions, type VectorMetric, type VectorizeOptions, type WhereInput, asBucketStorage, bindOrm, bindTableFacade, buildRlsReadRegistry, composePluginMiddleware, composeShapeReadWhere, createPolicyDsl, createSecrets, defineAggregateIndex, defineComponent, defineEnv, defineIdentity, defineMigration, defineMutator, definePermission, definePlugin, definePolicies, definePolicy, definePresence, defineRankIndex, defineRole, defineSchema, defineSchemaExtension, defineShape, defineStorageRule, defineStorageRules, defineTable, defineVectorIndex, httpAction, httpRoute, httpRouter, initLunora, installPlugins, isSafeHeaderValue, mask, mergeSchemaExtension, onConnect, onDisconnect, presenceExtension, protectPublic, redactSecrets, rls, serveStorageObject, storageRules };
package/dist/index.d.ts CHANGED
@@ -604,6 +604,15 @@ interface ContextWithStorage {
604
604
  storage: StorageDownloader;
605
605
  }
606
606
  /**
607
+ * True when `value` is safe to use as an HTTP header field-value: no CR, LF, or
608
+ * NUL. Guards against response-header injection / `Headers`-construction throws
609
+ * when reflecting attacker-influenced object metadata (e.g. a stored
610
+ * `Content-Type`). Exported (see the `export {}` at the file end) so an `httpAction`
611
+ * handler can guard a request-derived header value before writing it — the fix the
612
+ * `http_action_response_header_injection` advisor lint points to.
613
+ */
614
+ declare const isSafeHeaderValue: (value: string) => boolean;
615
+ /**
607
616
  * Stream a stored object as an HTTP {@link Response} from an `httpAction`
608
617
  * handler, with correct `Content-Type`, `ETag`, and `Accept-Ranges: bytes`.
609
618
  * Honors a single-range `Range` request → **206 Partial Content** with
@@ -1982,4 +1991,4 @@ interface StorageContextIn {
1982
1991
  }
1983
1992
  declare const storageRules: <Context extends StorageContextIn = StorageContextIn>(rules: ReadonlyArray<StorageRule<Context>>, options?: StorageRulesOptions) => Middleware<Context, Context>;
1984
1993
  declare const VERSION = "0.0.0";
1985
- export { type ActionBuilder, type ActionCtx, type AggregateIndexDefinition, type AggregateIndexOptions, type AggregateOp, type ArgsValidator, type Component, type ComponentFunctions, type CreateOptions, type DataModelInit, type DefineComponentOptions, type DefineIdentityOptions, type DefinePluginOptions, type DefinePolicyInput, type DefinePresenceOptions, type DefineStorageRuleInput, type DurableObjectJurisdiction, type EmptyArgs, type EnvAccessor, type EnvKeyFailure, type EnvShape, type ExtendableSchema, type FacadeEntry, type FacadeWriterLike, type FunctionKind, type HttpActionCtx, type HttpActionHandler, type HttpMethod, type HttpRoute, type HttpRouteBuilder, type HttpRouteFactory, type HttpRouteHandlerOptions, type HttpStreamHandlerOptions, type IdentityContract, type IdentityRejectMode, type IdentityValidation, type InferArgs, type InferEnv, type InferIdentity, type InlineAggregateIndexOptions, type InlineRankIndexOptions, type InternalActionBuilder, type InternalMutationBuilder, type InternalQueryBuilder, type LifecycleEvent, type LifecycleHandler, type LunoraBuilders, LunoraEnvError, LunoraError, type LunoraHttpApp, type LunoraHttpEnv, type LunoraRouteHandler, type ManyRelation, type MaskColumns, type MaskContext, type MaskFn, type MaskOptions, type MaskPolicies, type MaskStrategy, type Middleware, type MiddlewareNext, type MigrationDefinition, type MigrationDocument, type MigrationTransform, type MutationBuilder, type MutationCtx, type MutatorDefinition, type OnDeleteAction, type OneRelation, type OrmLike, DEFAULT_TTL_MS as PRESENCE_DEFAULT_TTL_MS, PRESENCE_TABLE, type Permission, type Plugin, type Policy, type PrefixedTables, type PresenceComponent, type PresenceFunctions, type PresenceMember, type ProtectPublicOptions, type QueryBuilder, type QueryCtx, type RankIndexDefinition, type RankIndexOptions, type RegisteredAction, type RegisteredFunction, type RegisteredLifecycleHook, type RegisteredMigration, type RegisteredMutation, type RegisteredMutator, type RegisteredQuery, type RegisteredShape, type RegisteredStream, type RelationBuilder, type RelationDefinition, type RlsOptions, type RlsReadRegistry, type Role, type Schema, type SchemaExtension, type ShapeDefinition, type ShapeReadWhereRequest, type StorageOperation, type StorageRule, type StorageRuleContext, type StorageRuleDecision, type StorageRulesOptions, type TableBuilder, type TableDefinition, type TerminalKind, type TriggerBuilder, type TriggerDefinition, type TypedDefinePolicyInput, VERSION, type VectorEmbedder, type VectorIndexDefinition, type VectorIndexOptions, type VectorMetric, type VectorizeOptions, type WhereInput, asBucketStorage, bindOrm, bindTableFacade, buildRlsReadRegistry, composePluginMiddleware, composeShapeReadWhere, createPolicyDsl, createSecrets, defineAggregateIndex, defineComponent, defineEnv, defineIdentity, defineMigration, defineMutator, definePermission, definePlugin, definePolicies, definePolicy, definePresence, defineRankIndex, defineRole, defineSchema, defineSchemaExtension, defineShape, defineStorageRule, defineStorageRules, defineTable, defineVectorIndex, httpAction, httpRoute, httpRouter, initLunora, installPlugins, mask, mergeSchemaExtension, onConnect, onDisconnect, presenceExtension, protectPublic, redactSecrets, rls, serveStorageObject, storageRules };
1994
+ export { type ActionBuilder, type ActionCtx, type AggregateIndexDefinition, type AggregateIndexOptions, type AggregateOp, type ArgsValidator, type Component, type ComponentFunctions, type CreateOptions, type DataModelInit, type DefineComponentOptions, type DefineIdentityOptions, type DefinePluginOptions, type DefinePolicyInput, type DefinePresenceOptions, type DefineStorageRuleInput, type DurableObjectJurisdiction, type EmptyArgs, type EnvAccessor, type EnvKeyFailure, type EnvShape, type ExtendableSchema, type FacadeEntry, type FacadeWriterLike, type FunctionKind, type HttpActionCtx, type HttpActionHandler, type HttpMethod, type HttpRoute, type HttpRouteBuilder, type HttpRouteFactory, type HttpRouteHandlerOptions, type HttpStreamHandlerOptions, type IdentityContract, type IdentityRejectMode, type IdentityValidation, type InferArgs, type InferEnv, type InferIdentity, type InlineAggregateIndexOptions, type InlineRankIndexOptions, type InternalActionBuilder, type InternalMutationBuilder, type InternalQueryBuilder, type LifecycleEvent, type LifecycleHandler, type LunoraBuilders, LunoraEnvError, LunoraError, type LunoraHttpApp, type LunoraHttpEnv, type LunoraRouteHandler, type ManyRelation, type MaskColumns, type MaskContext, type MaskFn, type MaskOptions, type MaskPolicies, type MaskStrategy, type Middleware, type MiddlewareNext, type MigrationDefinition, type MigrationDocument, type MigrationTransform, type MutationBuilder, type MutationCtx, type MutatorDefinition, type OnDeleteAction, type OneRelation, type OrmLike, DEFAULT_TTL_MS as PRESENCE_DEFAULT_TTL_MS, PRESENCE_TABLE, type Permission, type Plugin, type Policy, type PrefixedTables, type PresenceComponent, type PresenceFunctions, type PresenceMember, type ProtectPublicOptions, type QueryBuilder, type QueryCtx, type RankIndexDefinition, type RankIndexOptions, type RegisteredAction, type RegisteredFunction, type RegisteredLifecycleHook, type RegisteredMigration, type RegisteredMutation, type RegisteredMutator, type RegisteredQuery, type RegisteredShape, type RegisteredStream, type RelationBuilder, type RelationDefinition, type RlsOptions, type RlsReadRegistry, type Role, type Schema, type SchemaExtension, type ShapeDefinition, type ShapeReadWhereRequest, type StorageOperation, type StorageRule, type StorageRuleContext, type StorageRuleDecision, type StorageRulesOptions, type TableBuilder, type TableDefinition, type TerminalKind, type TriggerBuilder, type TriggerDefinition, type TypedDefinePolicyInput, VERSION, type VectorEmbedder, type VectorIndexDefinition, type VectorIndexOptions, type VectorMetric, type VectorizeOptions, type WhereInput, asBucketStorage, bindOrm, bindTableFacade, buildRlsReadRegistry, composePluginMiddleware, composeShapeReadWhere, createPolicyDsl, createSecrets, defineAggregateIndex, defineComponent, defineEnv, defineIdentity, defineMigration, defineMutator, definePermission, definePlugin, definePolicies, definePolicy, definePresence, defineRankIndex, defineRole, defineSchema, defineSchemaExtension, defineShape, defineStorageRule, defineStorageRules, defineTable, defineVectorIndex, httpAction, httpRoute, httpRouter, initLunora, installPlugins, isSafeHeaderValue, mask, mergeSchemaExtension, onConnect, onDisconnect, presenceExtension, protectPublic, redactSecrets, rls, serveStorageObject, storageRules };
package/dist/index.mjs CHANGED
@@ -4,7 +4,7 @@ export { createSecrets } from './packem_shared/createSecrets-DwaR2rNG.mjs';
4
4
  export { LunoraEnvError, defineEnv, redactSecrets } from './packem_shared/LunoraEnvError-BGmd1Qs0.mjs';
5
5
  export { LunoraError } from './packem_shared/LunoraError-WbxmrpxR.mjs';
6
6
  export { bindOrm, bindTableFacade } from './packem_shared/bindOrm-CNXKgfUa.mjs';
7
- export { httpAction, httpRoute, httpRouter, serveStorageObject } from './packem_shared/httpAction-CluBy5F5.mjs';
7
+ export { httpAction, httpRoute, httpRouter, isSafeHeaderValue, serveStorageObject } from './packem_shared/httpAction-B_16WzMO.mjs';
8
8
  export { defineIdentity } from './packem_shared/defineIdentity-DiX4zM9x.mjs';
9
9
  export { onConnect, onDisconnect } from './packem_shared/onConnect-CIPXKPyw.mjs';
10
10
  export { defineMigration } from './packem_shared/defineMigration-Hx01yIht.mjs';
@@ -328,4 +328,4 @@ const serveStorageObject = async (context, key, request) => {
328
328
  });
329
329
  };
330
330
 
331
- export { httpAction, httpRoute, httpRouter, serveStorageObject };
331
+ export { httpAction, httpRoute, httpRouter, isSafeHeaderValue, serveStorageObject };
package/dist/types.d.mts CHANGED
@@ -1044,6 +1044,14 @@ interface QueryCtx {
1044
1044
  readonly auth: AuthState;
1045
1045
  readonly db: DatabaseReader;
1046
1046
  /**
1047
+ * The validated, typed environment. Populated only when the project declares
1048
+ * a `defineEnv(...)` contract in `lunora/env.ts`; codegen then narrows this to
1049
+ * the validated `InferEnv` shape so `ctx.env.STRIPE_KEY` is parsed and
1050
+ * coercion-aware. Absent (optional) without a contract — declare
1051
+ * `lunora/env.ts` to populate and type it.
1052
+ */
1053
+ readonly env?: Record<string, unknown>;
1054
+ /**
1047
1055
  * The caller's IP for this request — Cloudflare's trusted `CF-Connecting-IP`,
1048
1056
  * forwarded server-side (never read from a client header). `undefined` when
1049
1057
  * unknown: a live-subscription re-run, a server-initiated dispatch, or
@@ -1078,6 +1086,14 @@ interface MutationCtx {
1078
1086
  readonly auth: AuthState;
1079
1087
  readonly db: DatabaseWriter;
1080
1088
  /**
1089
+ * The validated, typed environment. Populated only when the project declares
1090
+ * a `defineEnv(...)` contract in `lunora/env.ts`; codegen then narrows this to
1091
+ * the validated `InferEnv` shape so `ctx.env.STRIPE_KEY` is parsed and
1092
+ * coercion-aware. Absent (optional) without a contract — declare
1093
+ * `lunora/env.ts` to populate and type it.
1094
+ */
1095
+ readonly env?: Record<string, unknown>;
1096
+ /**
1081
1097
  * The caller's IP for this request — Cloudflare's trusted `CF-Connecting-IP`,
1082
1098
  * forwarded server-side (never read from a client header). `undefined` when
1083
1099
  * unknown: a live-subscription re-run, a server-initiated dispatch, or
@@ -1121,6 +1137,14 @@ interface MutationCtx {
1121
1137
  interface ActionCtx {
1122
1138
  readonly auth: AuthState;
1123
1139
  readonly db: DatabaseWriter;
1140
+ /**
1141
+ * The validated, typed environment. Populated only when the project declares
1142
+ * a `defineEnv(...)` contract in `lunora/env.ts`; codegen then narrows this to
1143
+ * the validated `InferEnv` shape so `ctx.env.STRIPE_KEY` is parsed and
1144
+ * coercion-aware. Absent (optional) without a contract — declare
1145
+ * `lunora/env.ts` to populate and type it.
1146
+ */
1147
+ readonly env?: Record<string, unknown>;
1124
1148
  readonly fetch: typeof globalThis.fetch;
1125
1149
  /**
1126
1150
  * The caller's IP for this request — Cloudflare's trusted `CF-Connecting-IP`,
package/dist/types.d.ts CHANGED
@@ -1044,6 +1044,14 @@ interface QueryCtx {
1044
1044
  readonly auth: AuthState;
1045
1045
  readonly db: DatabaseReader;
1046
1046
  /**
1047
+ * The validated, typed environment. Populated only when the project declares
1048
+ * a `defineEnv(...)` contract in `lunora/env.ts`; codegen then narrows this to
1049
+ * the validated `InferEnv` shape so `ctx.env.STRIPE_KEY` is parsed and
1050
+ * coercion-aware. Absent (optional) without a contract — declare
1051
+ * `lunora/env.ts` to populate and type it.
1052
+ */
1053
+ readonly env?: Record<string, unknown>;
1054
+ /**
1047
1055
  * The caller's IP for this request — Cloudflare's trusted `CF-Connecting-IP`,
1048
1056
  * forwarded server-side (never read from a client header). `undefined` when
1049
1057
  * unknown: a live-subscription re-run, a server-initiated dispatch, or
@@ -1078,6 +1086,14 @@ interface MutationCtx {
1078
1086
  readonly auth: AuthState;
1079
1087
  readonly db: DatabaseWriter;
1080
1088
  /**
1089
+ * The validated, typed environment. Populated only when the project declares
1090
+ * a `defineEnv(...)` contract in `lunora/env.ts`; codegen then narrows this to
1091
+ * the validated `InferEnv` shape so `ctx.env.STRIPE_KEY` is parsed and
1092
+ * coercion-aware. Absent (optional) without a contract — declare
1093
+ * `lunora/env.ts` to populate and type it.
1094
+ */
1095
+ readonly env?: Record<string, unknown>;
1096
+ /**
1081
1097
  * The caller's IP for this request — Cloudflare's trusted `CF-Connecting-IP`,
1082
1098
  * forwarded server-side (never read from a client header). `undefined` when
1083
1099
  * unknown: a live-subscription re-run, a server-initiated dispatch, or
@@ -1121,6 +1137,14 @@ interface MutationCtx {
1121
1137
  interface ActionCtx {
1122
1138
  readonly auth: AuthState;
1123
1139
  readonly db: DatabaseWriter;
1140
+ /**
1141
+ * The validated, typed environment. Populated only when the project declares
1142
+ * a `defineEnv(...)` contract in `lunora/env.ts`; codegen then narrows this to
1143
+ * the validated `InferEnv` shape so `ctx.env.STRIPE_KEY` is parsed and
1144
+ * coercion-aware. Absent (optional) without a contract — declare
1145
+ * `lunora/env.ts` to populate and type it.
1146
+ */
1147
+ readonly env?: Record<string, unknown>;
1124
1148
  readonly fetch: typeof globalThis.fetch;
1125
1149
  /**
1126
1150
  * The caller's IP for this request — Cloudflare's trusted `CF-Connecting-IP`,
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@lunora/server",
3
- "version": "1.0.0-alpha.14",
3
+ "version": "1.0.0-alpha.16",
4
4
  "description": "Server primitives for Lunora: defineSchema, defineTable, query, mutation, and action",
5
5
  "keywords": [
6
6
  "backend",