@medyll/idae-api 0.137.0 → 0.139.0

package/dist/config/routeDefinitions.js

@@ -1,56 +1,104 @@
 // packages\idae-api\src\lib\config\routeDefinitions.ts
+import { z } from "zod";
+import { createValidationMiddleware } from "../server/middleware/validationMiddleware.js";
+const allowedQueryCommands = new Set([
+    "find",
+    "findById",
+    "findOne",
+    "create",
+    "update",
+    "updateWhere",
+    "deleteById",
+    "deleteWhere",
+    "transaction",
+]);
 export const routes = [
     {
         method: "get",
         path: "/:collectionName",
+        validation: {
+            paramsSchema: z.object({ collectionName: z.string().min(1) }),
+            querySchema: z.record(z.any()).optional(),
+        },
         handler: async (service, params, body, query) => service.find({ query }),
     },
     {
         method: "get",
         path: "/:collectionName/:id",
+        validation: {
+            paramsSchema: z.object({ collectionName: z.string().min(1), id: z.string().min(1) }),
+        },
         handler: async (service, params) => service.findById(params.id),
     },
     {
         method: "post",
         path: "/:collectionName",
+        validation: {
+            paramsSchema: z.object({ collectionName: z.string().min(1) }),
+            bodySchema: z.record(z.any()),
+        },
         handler: async (service, params, body) => service.create(body),
     },
     {
         method: "put",
         path: "/:collectionName/:id",
+        validation: {
+            paramsSchema: z.object({ collectionName: z.string().min(1), id: z.string().min(1) }),
+            bodySchema: z.record(z.any()),
+        },
         handler: async (service, params, body) => service.update(params.id, body),
     },
     {
         method: "delete",
         path: "/:collectionName/:id",
+        validation: {
+            paramsSchema: z.object({ collectionName: z.string().min(1), id: z.string().min(1) }),
+        },
         handler: async (service, params) => service.deleteById(params.id),
     },
     {
         method: "delete",
         path: "/:collectionName",
+        validation: {
+            paramsSchema: z.object({ collectionName: z.string().min(1) }),
+        },
         handler: async (service, params) => service.deleteWhere(params),
     },
     {
-        method: [
-            "find",
-            "findById",
-            "findOne",
-            "create",
-            "update",
-            "updateWhere",
-            "deleteById",
-            "deleteWhere",
-            "transaction",
-        ], // default method is then GET or OPTIONS (set further)
-        path: "/query/:collectionName/:command/:parameters?",
+        method: "post",
+        path: "/query/:collectionName/:command/:parameters",
+        requiresAuth: true,
+        validation: {
+            paramsSchema: z.object({
+                collectionName: z.string().min(1),
+                command: z.string().min(1),
+                parameters: z.string().optional(),
+            }),
+            bodySchema: z.record(z.any()).optional(),
+        },
         handler: async (service, params, body) => {
-            console.log(params.command, "params --- ", { body });
-            return service?.[params.command]?.({ query: body });
+            const command = params.command;
+            if (!allowedQueryCommands.has(command)) {
+                const error = new Error("Query command not allowed");
+                error.status = 400;
+                throw error;
+            }
+            const payload = body && typeof body === "object" ? body : {};
+            const method = service?.[command];
+            if (typeof method !== "function") {
+                const error = new Error("Query command not implemented");
+                error.status = 400;
+                throw error;
+            }
+            return method({ query: payload });
         },
     },
     {
         method: ["dbs", "collections"], // default method is then GET or OPTIONS (set further)
-        path: "/methods/:methodName/:params?",
+        path: "/methods/:methodName/:params",
+        validation: {
+            paramsSchema: z.object({ methodName: z.string().min(1), params: z.string().optional() }),
+        },
         handler: async (service, params) => { },
     },
 ];

package/dist/index.d.ts

@@ -6,9 +6,19 @@ export * from './client/IdaeApiClientCollection.js';
 export * from './client/IdaeApiClient.js';
 export * from './@types/types.js';
 export * from './server/services/AuthService.js';
+export * from './server/middleware/validationMiddleware.js';
+export * from './server/middleware/validationLayer.js';
+export * from './server/middleware/tenantContextMiddleware.js';
+export * from './server/middleware/openApiMiddleware.js';
+export * from './server/middleware/mcpMiddleware.js';
+export * from './server/middleware/healthMiddleware.js';
+export * from './server/middleware/docsMiddleware.js';
 export * from './server/middleware/databaseMiddleware.js';
+export * from './server/middleware/authorizationMiddleware.js';
 export * from './server/middleware/authMiddleware.js';
 export * from './server/engine/types.js';
 export * from './server/engine/routeManager.js';
 export * from './server/engine/requestDatabaseManager.js';
 export * from './server/engine/mongooseConnectionManager.js';
+export * from './__tests__/helpers/testUtils.js';
+export * from './__tests__/fixtures/mockData.js';

package/dist/index.js

@@ -7,9 +7,19 @@ export * from './client/IdaeApiClientCollection.js';
 export * from './client/IdaeApiClient.js';
 export * from './@types/types.js';
 export * from './server/services/AuthService.js';
+export * from './server/middleware/validationMiddleware.js';
+export * from './server/middleware/validationLayer.js';
+export * from './server/middleware/tenantContextMiddleware.js';
+export * from './server/middleware/openApiMiddleware.js';
+export * from './server/middleware/mcpMiddleware.js';
+export * from './server/middleware/healthMiddleware.js';
+export * from './server/middleware/docsMiddleware.js';
 export * from './server/middleware/databaseMiddleware.js';
+export * from './server/middleware/authorizationMiddleware.js';
 export * from './server/middleware/authMiddleware.js';
 export * from './server/engine/types.js';
 export * from './server/engine/routeManager.js';
 export * from './server/engine/requestDatabaseManager.js';
 export * from './server/engine/mongooseConnectionManager.js';
+export * from './__tests__/helpers/testUtils.js';
+export * from './__tests__/fixtures/mockData.js';

package/dist/openApi/redoc.html

@@ -0,0 +1,12 @@
+<!-- Minimal Redoc HTML, loads /openapi.json -->
+<!DOCTYPE html>
+<html lang="en">
+<head>
+  <meta charset="UTF-8">
+  <title>Redoc</title>
+  <script src="https://cdn.jsdelivr.net/npm/redoc@next/bundles/redoc.standalone.js"></script>
+</head>
+<body>
+  <redoc spec-url="/openapi.json"></redoc>
+</body>
+</html>

package/dist/openApi/swagger-ui.html

@@ -0,0 +1,23 @@
+<!-- Minimal Swagger UI HTML, loads /openapi.json -->
+<!DOCTYPE html>
+<html lang="en">
+<head>
+  <meta charset="UTF-8">
+  <title>Swagger UI</title>
+  <link rel="stylesheet" href="https://unpkg.com/swagger-ui-dist/swagger-ui.css">
+</head>
+<body>
+  <div id="swagger-ui"></div>
+  <script src="https://unpkg.com/swagger-ui-dist/swagger-ui-bundle.js"></script>
+  <script>
+    window.onload = function() {
+      window.ui = SwaggerUIBundle({
+        url: '/openapi.json',
+        dom_id: '#swagger-ui',
+        presets: [SwaggerUIBundle.presets.apis],
+        layout: "BaseLayout"
+      });
+    };
+  </script>
+</body>
+</html>

package/dist/server/IdaeApi.d.ts

@@ -1,7 +1,16 @@
+import '../../app.js';
 import { type IdaeDbOptions } from "@medyll/idae-db";
 import express from "express";
+import { type CorsOptions } from "cors";
 import { type RouteDefinition } from "../config/routeDefinitions.js";
 import { RouteManager } from "./engine/routeManager.js";
+type RateLimitOptions = {
+    windowMs?: number;
+    max?: number;
+    standardHeaders?: boolean | "draft-7" | "draft-6" | "draft-8";
+    legacyHeaders?: boolean;
+    [key: string]: any;
+};
 interface IdaeApiOptions {
     port?: number;
     routes?: RouteDefinition[];
@@ -10,6 +19,12 @@ interface IdaeApiOptions {
     jwtSecret?: string;
     tokenExpiration?: string;
     idaeDbOptions?: IdaeDbOptions;
+    useMemoryDb?: boolean;
+    cors?: boolean | CorsOptions;
+    rateLimit?: false | RateLimitOptions;
+    payloadLimit?: string;
+    enableCompression?: boolean;
+    trustProxy?: boolean | number | string;
 }
 declare class IdaeApi {
     #private;

package/dist/server/IdaeApi.js

@@ -9,15 +9,32 @@ var __classPrivateFieldGet = (this && this.__classPrivateFieldGet) || function (
     if (typeof state === "function" ? receiver !== state || !f : !state.has(receiver)) throw new TypeError("Cannot read private member from an object whose class did not declare it");
     return kind === "m" ? f : kind === "a" ? f.call(receiver) : f ? f.value : state.get(receiver);
 };
-var _a, _IdaeApi_instance, _IdaeApi_app, _IdaeApi_idaeApiOptions, _IdaeApi_routeManager, _IdaeApi_serverInstance, _IdaeApi_state, _IdaeApi_authMiddleware;
+var _a, _IdaeApi_instance, _IdaeApi_app, _IdaeApi_idaeApiOptions, _IdaeApi_routeManager, _IdaeApi_serverInstance, _IdaeApi_state, _IdaeApi_authMiddleware, _IdaeApi_configured;
+// Force l'import des types globaux (Express.Request.user)
+import '../../app.js';
+import { createValidationMiddleware } from "./middleware/validationMiddleware.js";
+import { openApiJsonHandler } from "./middleware/openApiMiddleware.js";
+import { swaggerUiHandler, redocHandler } from "./middleware/docsMiddleware.js";
+import { tenantContextMiddleware } from "./middleware/tenantContextMiddleware.js";
 // packages\idae-api\src\lib\server\IdaeApi.ts
 import {} from "@medyll/idae-db";
 import express, {} from "express";
+import compression from "compression";
+import cors, {} from "cors";
 import { idaeDbMiddleware } from "./middleware/databaseMiddleware.js";
 import { routes as defaultRoutes, } from "../config/routeDefinitions.js";
 import { AuthMiddleWare } from "./middleware/authMiddleware.js";
+import helmet from "helmet";
 import { RouteManager } from "./engine/routeManager.js";
+import rateLimit from "express-rate-limit";
 import qs from "qs";
+import { healthHandler, readinessHandler } from "./middleware/healthMiddleware.js";
+class HttpError extends Error {
+    constructor(status, message) {
+        super(message);
+        this.status = status;
+    }
+}
 class IdaeApi {
     constructor() {
         _IdaeApi_app.set(this, void 0);
@@ -26,6 +43,7 @@ class IdaeApi {
         _IdaeApi_serverInstance.set(this, void 0);
         _IdaeApi_state.set(this, "stopped");
         _IdaeApi_authMiddleware.set(this, null);
+        _IdaeApi_configured.set(this, false);
         __classPrivateFieldSet(this, _IdaeApi_app, express(), "f");
         __classPrivateFieldSet(this, _IdaeApi_idaeApiOptions, {}, "f");
         __classPrivateFieldSet(this, _IdaeApi_routeManager, RouteManager.getInstance(), "f");
@@ -37,8 +55,6 @@ class IdaeApi {
                 parameterLimit: 1000,
             });
         });
-        this.initializeAuth();
-        this.configureIdaeApi();
     }
     static getInstance() {
         if (!__classPrivateFieldGet(_a, _a, "f", _IdaeApi_instance)) {
@@ -53,7 +69,14 @@ class IdaeApi {
         return __classPrivateFieldGet(this, _IdaeApi_app, "f");
     }
     setOptions(options) {
+        if (__classPrivateFieldGet(this, _IdaeApi_state, "f") === "running") {
+            throw new Error("Cannot change options while server is running");
+        }
         __classPrivateFieldSet(this, _IdaeApi_idaeApiOptions, { ...__classPrivateFieldGet(this, _IdaeApi_idaeApiOptions, "f"), ...options }, "f");
+        __classPrivateFieldGet(this, _IdaeApi_app, "f").locals.idaeDbOptions = __classPrivateFieldGet(this, _IdaeApi_idaeApiOptions, "f").idaeDbOptions;
+        __classPrivateFieldGet(this, _IdaeApi_app, "f").locals.useMemoryDb = __classPrivateFieldGet(this, _IdaeApi_idaeApiOptions, "f").useMemoryDb;
+        this.initializeAuth();
+        __classPrivateFieldSet(this, _IdaeApi_configured, false, "f");
     }
     initializeAuth() {
         if (__classPrivateFieldGet(this, _IdaeApi_idaeApiOptions, "f").enableAuth &&
@@ -66,30 +89,71 @@ class IdaeApi {
         this.configureMiddleware();
         this.configureRoutes();
         this.configureErrorHandling();
+        __classPrivateFieldSet(this, _IdaeApi_configured, true, "f");
     }
     configureMiddleware() {
-        __classPrivateFieldGet(this, _IdaeApi_app, "f").use("/:collectionName", idaeDbMiddleware);
-        __classPrivateFieldGet(this, _IdaeApi_app, "f").use(express.json());
-        __classPrivateFieldGet(this, _IdaeApi_app, "f").use(express.urlencoded({ extended: true }));
-        if (__classPrivateFieldGet(this, _IdaeApi_authMiddleware, "f")) {
-            __classPrivateFieldGet(this, _IdaeApi_app, "f").use(__classPrivateFieldGet(this, _IdaeApi_authMiddleware, "f").createMiddleware());
+        const jsonLimit = __classPrivateFieldGet(this, _IdaeApi_idaeApiOptions, "f").payloadLimit ?? "1mb";
+        const urlEncodedLimit = __classPrivateFieldGet(this, _IdaeApi_idaeApiOptions, "f").payloadLimit ?? "1mb";
+        if (__classPrivateFieldGet(this, _IdaeApi_idaeApiOptions, "f").trustProxy) {
+            __classPrivateFieldGet(this, _IdaeApi_app, "f").set("trust proxy", __classPrivateFieldGet(this, _IdaeApi_idaeApiOptions, "f").trustProxy);
+        }
+        if (__classPrivateFieldGet(this, _IdaeApi_idaeApiOptions, "f").enableCompression !== false) {
+            __classPrivateFieldGet(this, _IdaeApi_app, "f").use(compression());
         }
+        if (__classPrivateFieldGet(this, _IdaeApi_idaeApiOptions, "f").cors !== false) {
+            const corsOptions = __classPrivateFieldGet(this, _IdaeApi_idaeApiOptions, "f").cors === true || __classPrivateFieldGet(this, _IdaeApi_idaeApiOptions, "f").cors === undefined
+                ? {}
+                : __classPrivateFieldGet(this, _IdaeApi_idaeApiOptions, "f").cors;
+            __classPrivateFieldGet(this, _IdaeApi_app, "f").use(cors(corsOptions));
+        }
+        __classPrivateFieldGet(this, _IdaeApi_app, "f").use(helmet());
+        if (__classPrivateFieldGet(this, _IdaeApi_idaeApiOptions, "f").rateLimit !== false) {
+            const limiterOptions = __classPrivateFieldGet(this, _IdaeApi_idaeApiOptions, "f").rateLimit ?? {
+                windowMs: 60000,
+                max: 100,
+                standardHeaders: "draft-7",
+                legacyHeaders: false,
+            };
+            __classPrivateFieldGet(this, _IdaeApi_app, "f").use(rateLimit(limiterOptions));
+        }
+        __classPrivateFieldGet(this, _IdaeApi_app, "f").use(express.json({ limit: jsonLimit }));
+        __classPrivateFieldGet(this, _IdaeApi_app, "f").use(express.urlencoded({ extended: true, limit: urlEncodedLimit }));
+        __classPrivateFieldGet(this, _IdaeApi_app, "f").use("/:collectionName", idaeDbMiddleware);
+        // Do not inject tenant context middleware globally; it will be added per-route for protected routes
     }
     configureRoutes() {
+        // Health and readiness endpoints (always unprotected)
+        __classPrivateFieldGet(this, _IdaeApi_app, "f").get("/health", healthHandler);
+        __classPrivateFieldGet(this, _IdaeApi_app, "f").get("/ready", readinessHandler);
+        // OpenAPI and docs endpoints (always unprotected)
+        __classPrivateFieldGet(this, _IdaeApi_app, "f").get("/openapi.json", openApiJsonHandler);
+        __classPrivateFieldGet(this, _IdaeApi_app, "f").get("/docs", swaggerUiHandler);
+        __classPrivateFieldGet(this, _IdaeApi_app, "f").get("/redoc", redocHandler);
+        if (__classPrivateFieldGet(this, _IdaeApi_authMiddleware, "f")) {
+            __classPrivateFieldGet(this, _IdaeApi_authMiddleware, "f").configureAuthRoutes(__classPrivateFieldGet(this, _IdaeApi_app, "f"));
+        }
         __classPrivateFieldGet(this, _IdaeApi_routeManager, "f").addRoutes(defaultRoutes);
         if (__classPrivateFieldGet(this, _IdaeApi_idaeApiOptions, "f").routes) {
             __classPrivateFieldGet(this, _IdaeApi_routeManager, "f").addRoutes(__classPrivateFieldGet(this, _IdaeApi_idaeApiOptions, "f").routes);
         }
         __classPrivateFieldGet(this, _IdaeApi_routeManager, "f").getRoutes().forEach(this.addRouteToExpress.bind(this));
-        if (__classPrivateFieldGet(this, _IdaeApi_authMiddleware, "f")) {
-            __classPrivateFieldGet(this, _IdaeApi_authMiddleware, "f").configureAuthRoutes(__classPrivateFieldGet(this, _IdaeApi_app, "f"));
-        }
     }
     // Add a route to Express
     addRouteToExpress(route) {
         const handlers = [];
+        // Add validation middleware if present
+        if (route.validation) {
+            handlers.push(createValidationMiddleware(route.validation));
+        }
+        // Add auth and tenant context middleware for protected routes
         if (route.requiresAuth && __classPrivateFieldGet(this, _IdaeApi_authMiddleware, "f")) {
             handlers.push(__classPrivateFieldGet(this, _IdaeApi_authMiddleware, "f").createMiddleware());
+            handlers.push(tenantContextMiddleware({ required: true }));
+        }
+        // Add RBAC/ABAC authorization middleware if specified
+        if (route.authorization) {
+            const { authorize } = require("./middleware/authorizationMiddleware.js");
+            handlers.push(authorize(route.authorization));
         }
         handlers.push(this.handleRequest(route.handler));
         if (Array.isArray(route.method)) {
@@ -101,8 +165,15 @@ class IdaeApi {
     }
     configureErrorHandling() {
         __classPrivateFieldGet(this, _IdaeApi_app, "f").use((err, req, res, next) => {
-            console.error(err.stack);
-            res.status(500).json({ error: err.message });
+            const status = err?.status && Number.isInteger(err.status)
+                ? err.status
+                : 500;
+            const isServerError = status >= 500;
+            const message = isServerError ? "Internal Server Error" : err.message;
+            if (isServerError) {
+                console.error(err.stack ?? err.message);
+            }
+            res.status(status).json({ error: message });
         });
     }
     start() {
@@ -110,7 +181,11 @@ class IdaeApi {
             console.log("Server is already running.");
             return;
         }
-        const port = __classPrivateFieldGet(this, _IdaeApi_idaeApiOptions, "f").port || 3000;
+        if (!__classPrivateFieldGet(this, _IdaeApi_configured, "f")) {
+            this.initializeAuth();
+            this.configureIdaeApi();
+        }
+        const port = __classPrivateFieldGet(this, _IdaeApi_idaeApiOptions, "f").port ?? 3000;
         __classPrivateFieldSet(this, _IdaeApi_serverInstance, __classPrivateFieldGet(this, _IdaeApi_app, "f").listen(port, () => {
             console.log(`Server is running on port: ${port}`);
             __classPrivateFieldSet(this, _IdaeApi_state, "running", "f");
@@ -157,18 +232,15 @@ class IdaeApi {
             try {
                 const connectedCollection = req.connectedCollection;
                 if (!connectedCollection) {
-                    throw new Error("Database connection not established");
+                    throw new HttpError(500, "Database connection not established");
                 }
-                console.log("----------------------------------------------");
-                console.log("body", req.body);
-                console.log("params", req.params);
-                console.log("query", req.query);
-                console.log("dbName", req.dbName);
-                // const result = await action(databaseService, req.params, req.body);
                 const result = await action(connectedCollection, req.params, req.body, req.query.params ?? req.query);
                 res.json(result);
             }
             catch (error) {
+                if (!error?.status) {
+                    error.status = 500;
+                }
                 next(error);
             }
         };
@@ -178,7 +250,7 @@ class IdaeApi {
         return __classPrivateFieldGet(this, _IdaeApi_routeManager, "f");
     }
 }
-_a = IdaeApi, _IdaeApi_app = new WeakMap(), _IdaeApi_idaeApiOptions = new WeakMap(), _IdaeApi_routeManager = new WeakMap(), _IdaeApi_serverInstance = new WeakMap(), _IdaeApi_state = new WeakMap(), _IdaeApi_authMiddleware = new WeakMap();
+_a = IdaeApi, _IdaeApi_app = new WeakMap(), _IdaeApi_idaeApiOptions = new WeakMap(), _IdaeApi_routeManager = new WeakMap(), _IdaeApi_serverInstance = new WeakMap(), _IdaeApi_state = new WeakMap(), _IdaeApi_authMiddleware = new WeakMap(), _IdaeApi_configured = new WeakMap();
 _IdaeApi_instance = { value: null };
 // Export a single instance of ApiServer
 const idaeApi = IdaeApi.getInstance();

package/dist/server/engine/requestDatabaseManager.d.ts

@@ -19,4 +19,4 @@ declare class RequestDatabaseManager {
 }
 declare const requestDatabaseManager: RequestDatabaseManager;
 export default requestDatabaseManager;
-export { RequestDatabaseManager as DatabaseManager, requestDatabaseManager };
+export { RequestDatabaseManager, RequestDatabaseManager as DatabaseManager, requestDatabaseManager };

package/dist/server/engine/requestDatabaseManager.js

@@ -18,23 +18,19 @@ class RequestDatabaseManager {
         return RequestDatabaseManager.instance;
     }
     fromReq(req) {
-        const collectionName = req.params.collectionName || "default";
-        const dbName = getDbNameFromCollectionName(collectionName, this.config.defaultDbName);
-        const collectionNames = collectionName.split(".")?.[1] ?? collectionName.split(".")?.[0];
+        const rawCollectionName = req.params?.collectionName ?? "default";
+        const [dbPart, ...rest] = rawCollectionName.split(".");
+        const dbName = rest.length > 0 ? dbPart || this.config.defaultDbName : this.config.defaultDbName;
+        const collectionName = rest.length > 0 ? rest.join(".") || "default" : rawCollectionName || "default";
         const dbUri = `${this.config.connectionPrefix}${this.config.host}:${this.config.port}/${dbName}`;
         return {
             dbName,
-            collectionName: collectionNames,
+            collectionName,
             dbUri,
         };
-        function getDbNameFromCollectionName(collectionName, defaultDbName) {
-            return collectionName.includes(".")
-                ? collectionName.split(".")[0]
-                : defaultDbName;
-        }
     }
     async closeAllConnections() { }
 }
 const requestDatabaseManager = RequestDatabaseManager.getInstance();
 export default requestDatabaseManager;
-export { RequestDatabaseManager as DatabaseManager, requestDatabaseManager };
+export { RequestDatabaseManager, RequestDatabaseManager as DatabaseManager, requestDatabaseManager };

package/dist/server/engine/routeManager.d.ts

@@ -9,4 +9,5 @@ export declare class RouteManager {
     getRoutes(): RouteDefinition[];
     enableRoute(path: string, method: string | string[]): void;
     disableRoute(path: string, method: string | string[]): void;
+    clearRoutes(): void;
 }

package/dist/server/engine/routeManager.js

@@ -3,12 +3,22 @@ export class RouteManager {
         this.routes = [];
     }
     static getInstance() {
-        if (!RouteManager.instance) {
-            RouteManager.instance = new RouteManager();
+        const instance = RouteManager.instance ?? new RouteManager();
+        // In test runs we want isolated state between cases
+        if (process.env.NODE_ENV === "test") {
+            instance.clearRoutes();
         }
-        return RouteManager.instance;
+        RouteManager.instance = instance;
+        return instance;
     }
     addRoute(route) {
+        // Remove any existing route with the same path/method to avoid stale handlers
+        this.routes = this.routes.filter((r) => r.path !== route.path ||
+            (Array.isArray(r.method)
+                ? !Array.isArray(route.method) || !route.method.some((m) => r.method.includes(m))
+                : Array.isArray(route.method)
+                    ? !route.method.includes(r.method)
+                    : r.method !== route.method));
         this.routes.push({ ...route, disabled: route.disabled || false });
     }
     addRoutes(routes) {
@@ -18,21 +28,27 @@ export class RouteManager {
         return this.routes.filter((route) => !route.disabled);
     }
     enableRoute(path, method) {
-        const route = this.routes.find((r) => r.path === path &&
-            (Array.isArray(r.method)
-                ? r.method.includes(method)
-                : r.method === method));
-        if (route) {
-            route.disabled = false;
-        }
+        this.routes.forEach((r) => {
+            if (r.path === path &&
+                (Array.isArray(r.method)
+                    ? r.method.includes(method)
+                    : r.method === method)) {
+                r.disabled = false;
+            }
+        });
     }
     disableRoute(path, method) {
-        const route = this.routes.find((r) => r.path === path &&
-            (Array.isArray(r.method)
-                ? r.method.includes(method)
-                : r.method === method));
-        if (route) {
-            route.disabled = true;
-        }
+        this.routes.forEach((r) => {
+            if (r.path === path &&
+                (Array.isArray(r.method)
+                    ? r.method.includes(method)
+                    : r.method === method)) {
+                r.disabled = true;
+            }
+        });
+    }
+    // Utility primarily for tests to reset state safely
+    clearRoutes() {
+        this.routes = [];
     }
 }

package/dist/server/middleware/README.md

@@ -0,0 +1,46 @@
+# Middleware Documentation
+
+This document describes all middleware available in the `@medyll/idae-api` package, their purpose, usage, and integration order.
+
+## Overview
+
+Middleware in this project is located in `src/lib/server/middleware/`. Each middleware serves a specific purpose (validation, authentication, multi-tenancy, docs, health, etc.) and is applied in a specific order in the Express app lifecycle.
+
+## List of Middleware
+
+- **authMiddleware**: Handles JWT authentication and attaches user context to requests.
+- **authorizationMiddleware**: Enforces RBAC/ABAC policies per route.
+- **databaseMiddleware**: Injects `req.idaeDb` and manages per-request DB/collection context.
+- **tenantContextMiddleware**: Extracts tenant context from JWT/user and enforces multi-tenancy.
+- **validationMiddleware**: Validates request bodies/queries using Zod schemas.
+- **validationLayer**: (Advanced) Layered validation, supports Zod and future OpenAPI/ajv.
+- **docsMiddleware**: Serves Swagger UI and Redoc API docs.
+- **openApiMiddleware**: Serves OpenAPI JSON spec.
+- **healthMiddleware**: Provides health and readiness endpoints.
+- **mcpMiddleware**: Placeholder for MCP-specific logic (future extension).
+
+## Middleware Application Order
+
+The recommended order (see `IdaeApi.ts`):
+1. Express body/URL parsers
+2. `authMiddleware` (if enabled)
+3. `tenantContextMiddleware` (if multi-tenancy enabled)
+4. `databaseMiddleware`
+5. `validationMiddleware`/`validationLayer`
+6. Custom routes
+7. `docsMiddleware`, `openApiMiddleware`, `healthMiddleware`
+8. Error handler
+
+## Usage Example
+
+```
+import { authMiddleware, tenantContextMiddleware, databaseMiddleware } from './middleware';
+app.use(authMiddleware(...));
+app.use(tenantContextMiddleware(...));
+app.use(databaseMiddleware);
+```
+
+## Notes
+- Always apply `authMiddleware` before `databaseMiddleware` if using per-user DB context.
+- `tenantContextMiddleware` is required for strict multi-tenancy.
+- See each middleware file for detailed JSDoc and options.