@nilejs/nile 0.0.6 → 0.0.7

package/dist/index.cjs

@@ -42,10 +42,84 @@ __export(index_exports, {
   getContext: () => getContext,
   getLogs: () => getLogs,
   getZodSchema: () => getZodSchema,
-  handleError: () => handleError
+  handleError: () => handleError,
+  handleFormDataRequest: () => handleFormDataRequest,
+  validateFiles: () => validateFiles,
+  verifyJWT: () => verifyJWT
 });
 module.exports = __toCommonJS(index_exports);
 
+// auth/jwt-handler.ts
+var import_jwt = require("hono/jwt");
+var import_slang_ts = require("slang-ts");
+function extractUserId(claims) {
+  const value = claims.userId ?? claims.id ?? claims.sub;
+  return typeof value === "string" ? value : null;
+}
+function extractOrganizationId(claims) {
+  const value = claims.organizationId ?? claims.organization_id ?? claims.orgId;
+  return typeof value === "string" ? value : null;
+}
+function extractTokenFromHeader(headers, headerName) {
+  if (!headers) {
+    return (0, import_slang_ts.Ok)(null);
+  }
+  const authHeader = headers.get(headerName);
+  if (!authHeader) {
+    return (0, import_slang_ts.Ok)(null);
+  }
+  if (!authHeader.startsWith("Bearer ")) {
+    return (0, import_slang_ts.Err)("Authorization header must use Bearer scheme");
+  }
+  return (0, import_slang_ts.Ok)(authHeader.substring(7));
+}
+function extractTokenFromCookie(cookies, cookieName) {
+  if (!cookies) {
+    return null;
+  }
+  return cookies[cookieName] ?? null;
+}
+function extractToken(context, config) {
+  const method = config.method ?? "header";
+  if (method === "header") {
+    const headerName = config.headerName ?? "authorization";
+    return extractTokenFromHeader(context.headers, headerName);
+  }
+  const cookieName = config.cookieName ?? "auth_token";
+  return (0, import_slang_ts.Ok)(extractTokenFromCookie(context.cookies, cookieName));
+}
+async function verifyJWT(context, config) {
+  const tokenResult = extractToken(context, config);
+  if (tokenResult.isErr) {
+    return (0, import_slang_ts.Err)(tokenResult.error);
+  }
+  const token = tokenResult.value;
+  if (!token) {
+    return (0, import_slang_ts.Err)(`No JWT token found in ${config.method ?? "header"}`);
+  }
+  try {
+    const claims = await (0, import_jwt.verify)(token, config.secret, "HS256");
+    if (!claims) {
+      return (0, import_slang_ts.Err)("Invalid JWT token");
+    }
+    const userId = extractUserId(claims);
+    const organizationId = extractOrganizationId(
+      claims
+    );
+    if (!(userId && organizationId)) {
+      return (0, import_slang_ts.Err)("Missing userId or organizationId in JWT token");
+    }
+    return (0, import_slang_ts.Ok)({
+      userId,
+      organizationId,
+      claims
+    });
+  } catch (error) {
+    const message = error instanceof Error ? error.message : "JWT verification failed";
+    return (0, import_slang_ts.Err)(`JWT authentication failed: ${message}`);
+  }
+}
+
 // engine/create-action.ts
 function createAction(config) {
   return config;
@@ -315,17 +389,17 @@ var createLogger = (appName, config) => {
 };
 
 // nile/server.ts
-var import_slang_ts7 = require("slang-ts");
+var import_slang_ts8 = require("slang-ts");
 
 // engine/engine.ts
-var import_slang_ts4 = require("slang-ts");
+var import_slang_ts5 = require("slang-ts");
 
 // utils/db/create-model.ts
 var import_drizzle_orm = require("drizzle-orm");
-var import_slang_ts2 = require("slang-ts");
+var import_slang_ts3 = require("slang-ts");
 
 // utils/handle-error.ts
-var import_slang_ts = require("slang-ts");
+var import_slang_ts2 = require("slang-ts");
 var CALLER_LINE_REGEX = /at\s+(\S+)\s+/;
 function inferCallerName() {
   const _err = new Error("capture stack trace");
@@ -357,7 +431,7 @@ function handleError(params) {
     message: params.message,
     data: params.data
   });
-  return (0, import_slang_ts.Err)(`[${logId}] ${params.message}`);
+  return (0, import_slang_ts2.Err)(`[${logId}] ${params.message}`);
 }
 
 // utils/db/create-transaction-variant.ts
@@ -458,7 +532,7 @@ function createModel(table, options) {
       });
     }
     const db = dbx ? asDb(dbx) : getDb();
-    const result = await (0, import_slang_ts2.safeTry)(
+    const result = await (0, import_slang_ts3.safeTry)(
       () => db.insert(table).values(data).returning()
     );
     if (result.isErr) {
@@ -475,7 +549,7 @@ function createModel(table, options) {
         atFunction: `${name}.create`
       });
     }
-    return (0, import_slang_ts2.Ok)(row);
+    return (0, import_slang_ts3.Ok)(row);
   };
   const update = async ({ id, data, dbx }) => {
     const parsed = schemas.update.safeParse(data);
@@ -488,7 +562,7 @@ function createModel(table, options) {
     }
     const db = dbx ? asDb(dbx) : getDb();
     const idCol = tableRef.id;
-    const result = await (0, import_slang_ts2.safeTry)(
+    const result = await (0, import_slang_ts3.safeTry)(
       () => db.update(table).set(data).where((0, import_drizzle_orm.eq)(idCol, id)).returning()
     );
     if (result.isErr) {
@@ -506,7 +580,7 @@ function createModel(table, options) {
         atFunction: `${name}.update`
       });
     }
-    return (0, import_slang_ts2.Ok)(row);
+    return (0, import_slang_ts3.Ok)(row);
   };
   const createTx = createTransactionVariant(
     create
@@ -517,7 +591,7 @@ function createModel(table, options) {
   const findById = async (id) => {
     const db = getDb();
     const idCol = tableRef.id;
-    const result = await (0, import_slang_ts2.safeTry)(
+    const result = await (0, import_slang_ts3.safeTry)(
       () => db.select().from(table).where((0, import_drizzle_orm.eq)(idCol, id))
     );
     if (result.isErr) {
@@ -535,12 +609,12 @@ function createModel(table, options) {
         atFunction: `${name}.findById`
       });
     }
-    return (0, import_slang_ts2.Ok)(row);
+    return (0, import_slang_ts3.Ok)(row);
   };
   const deleteFn = async (id) => {
     const db = getDb();
     const idCol = tableRef.id;
-    const result = await (0, import_slang_ts2.safeTry)(
+    const result = await (0, import_slang_ts3.safeTry)(
       () => db.delete(table).where((0, import_drizzle_orm.eq)(idCol, id)).returning()
     );
     if (result.isErr) {
@@ -558,12 +632,12 @@ function createModel(table, options) {
         atFunction: `${name}.delete`
       });
     }
-    return (0, import_slang_ts2.Ok)(row);
+    return (0, import_slang_ts3.Ok)(row);
   };
   const findAll = async () => {
     const db = getDb();
     const tsCol = findTimestampColumn(tableRef);
-    const result = await (0, import_slang_ts2.safeTry)(() => {
+    const result = await (0, import_slang_ts3.safeTry)(() => {
       const query = db.select().from(table);
       if (!tsCol) {
         return query;
@@ -577,12 +651,12 @@ function createModel(table, options) {
         atFunction: `${name}.findAll`
       });
     }
-    return (0, import_slang_ts2.Ok)(result.value ?? []);
+    return (0, import_slang_ts3.Ok)(result.value ?? []);
   };
   const findOffsetPage = async (limit, offset) => {
     const db = getDb();
     const tsCol = findTimestampColumn(tableRef);
-    const itemsResult = await (0, import_slang_ts2.safeTry)(() => {
+    const itemsResult = await (0, import_slang_ts3.safeTry)(() => {
       const query = db.select().from(table);
       const ordered = tsCol ? query.orderBy((0, import_drizzle_orm.desc)(tableRef[tsCol])) : query;
       return ordered.limit(limit).offset(offset);
@@ -594,7 +668,7 @@ function createModel(table, options) {
         atFunction: `${name}.findPaginated`
       });
     }
-    const countResult = await (0, import_slang_ts2.safeTry)(
+    const countResult = await (0, import_slang_ts3.safeTry)(
       () => db.select({ total: (0, import_drizzle_orm.count)() }).from(table)
     );
     if (countResult.isErr) {
@@ -606,7 +680,7 @@ function createModel(table, options) {
     }
     const items = itemsResult.value ?? [];
     const total = countResult.value?.[0]?.total ?? 0;
-    return (0, import_slang_ts2.Ok)({
+    return (0, import_slang_ts3.Ok)({
       items,
       total,
       hasMore: offset + items.length < total
@@ -622,7 +696,7 @@ function createModel(table, options) {
       });
     }
     const typedColumn = column;
-    const result = await (0, import_slang_ts2.safeTry)(
+    const result = await (0, import_slang_ts3.safeTry)(
       () => db.select().from(table).where((0, import_drizzle_orm.lt)(typedColumn, cursor)).orderBy((0, import_drizzle_orm.desc)(typedColumn)).limit(limit + 1)
     );
     if (result.isErr) {
@@ -637,7 +711,7 @@ function createModel(table, options) {
     const items = hasMore ? rows.slice(0, limit) : rows;
     const lastItem = items.at(-1);
     const nextCursor = lastItem ? String(lastItem[colName] ?? "") || null : null;
-    return (0, import_slang_ts2.Ok)({
+    return (0, import_slang_ts3.Ok)({
       items,
       nextCursor,
       hasMore
@@ -694,10 +768,10 @@ function createDiagnosticsLog(prefix, params) {
 }
 
 // engine/pipeline.ts
-var import_slang_ts3 = require("slang-ts");
+var import_slang_ts4 = require("slang-ts");
 var import_zod = require("zod");
 async function runHook(hookDef, hookAction, input, nileContext) {
-  const result = await (0, import_slang_ts3.safeTry)(
+  const result = await (0, import_slang_ts4.safeTry)(
     () => hookAction.handler(input, nileContext)
   );
   return {
@@ -719,7 +793,7 @@ async function processHooks(hooks, initialValue, getAction, nileContext, logTarg
       log(errorMsg);
       if (hookDef.isCritical) {
         nileContext.setHookError(errorMsg);
-        return (0, import_slang_ts3.Err)(errorMsg);
+        return (0, import_slang_ts4.Err)(errorMsg);
       }
       continue;
     }
@@ -738,72 +812,90 @@ async function processHooks(hooks, initialValue, getAction, nileContext, logTarg
       );
       if (hookDef.isCritical) {
         nileContext.setHookError(errorMsg);
-        return (0, import_slang_ts3.Err)(errorMsg);
+        return (0, import_slang_ts4.Err)(errorMsg);
       }
       continue;
     }
     currentValue = result.value;
   }
-  return (0, import_slang_ts3.Ok)(currentValue);
+  return (0, import_slang_ts4.Ok)(currentValue);
 }
 async function runGlobalBeforeHook(handler, nileContext, action, payload, log) {
   if (!handler) {
-    return (0, import_slang_ts3.Ok)(true);
+    return (0, import_slang_ts4.Ok)(true);
   }
-  const result = await (0, import_slang_ts3.safeTry)(() => handler({ nileContext, action, payload }));
+  const result = await (0, import_slang_ts4.safeTry)(() => handler({ nileContext, action, payload }));
   if (result.isErr) {
     log(`Global before hook failed for ${action.name}`);
     nileContext.setHookError(result.error);
-    return (0, import_slang_ts3.Err)(result.error);
+    return (0, import_slang_ts4.Err)(result.error);
   }
-  return (0, import_slang_ts3.Ok)(true);
+  return (0, import_slang_ts4.Ok)(true);
 }
 async function runGlobalAfterHook(handler, nileContext, action, payload, currentResult, log) {
   if (!handler) {
-    return (0, import_slang_ts3.Ok)(currentResult);
+    return (0, import_slang_ts4.Ok)(currentResult);
   }
-  const result = await (0, import_slang_ts3.safeTry)(
+  const result = await (0, import_slang_ts4.safeTry)(
     () => handler({
       nileContext,
       action,
       payload,
-      result: (0, import_slang_ts3.Ok)(currentResult)
+      result: (0, import_slang_ts4.Ok)(currentResult)
     })
   );
   if (result.isErr) {
     log(`Global after hook failed for ${action.name}`);
     nileContext.setHookError(result.error);
-    return (0, import_slang_ts3.Err)(result.error);
+    return (0, import_slang_ts4.Err)(result.error);
   }
-  return (0, import_slang_ts3.Ok)(result.value);
+  return (0, import_slang_ts4.Ok)(result.value);
 }
 function validatePayload(action, payload, nileContext, log) {
   if (!action.validation) {
-    return (0, import_slang_ts3.Ok)(payload);
+    return (0, import_slang_ts4.Ok)(payload);
   }
   const parseResult = action.validation.safeParse(payload);
   if (!parseResult.success) {
     const validationError = (0, import_zod.prettifyError)(parseResult.error);
     log(`Validation failed for ${action.name}`, validationError);
     nileContext.setHookError(validationError);
-    return (0, import_slang_ts3.Err)(`Validation failed: ${validationError}`);
+    return (0, import_slang_ts4.Err)(`Validation failed: ${validationError}`);
   }
-  return (0, import_slang_ts3.Ok)(parseResult.data);
+  return (0, import_slang_ts4.Ok)(parseResult.data);
 }
 async function runHandler(action, payload, nileContext, log) {
-  const result = await (0, import_slang_ts3.safeTry)(
+  const result = await (0, import_slang_ts4.safeTry)(
     () => action.handler(payload, nileContext)
   );
   if (result.isErr) {
     log(`Handler failed for ${action.name}`, result.error);
     nileContext.setHookError(result.error);
-    return (0, import_slang_ts3.Err)(result.error);
+    return (0, import_slang_ts4.Err)(result.error);
   }
   nileContext.setHookOutput(result.value);
-  return (0, import_slang_ts3.Ok)(result.value);
+  return (0, import_slang_ts4.Ok)(result.value);
 }
 
 // engine/engine.ts
+async function authenticateAction(action, auth, authContext, nileContext, serviceName, actionName, log) {
+  if (!(action.isProtected && auth)) {
+    return (0, import_slang_ts5.Ok)(void 0);
+  }
+  if (!authContext) {
+    return (0, import_slang_ts5.Err)("Authentication required: no auth context provided");
+  }
+  const authResult = await verifyJWT(authContext, auth);
+  if (authResult.isErr) {
+    log(`Auth failed for ${serviceName}.${actionName}: ${authResult.error}`);
+    return (0, import_slang_ts5.Err)(authResult.error);
+  }
+  nileContext.authResult = authResult.value;
+  log(
+    `Auth OK for ${serviceName}.${actionName} (user: ${authResult.value.userId})`
+  );
+  return (0, import_slang_ts5.Ok)(void 0);
+}
 function createEngine(options) {
   const { diagnostics, services, logger } = options;
   const log = createDiagnosticsLog("Engine", {
@@ -814,11 +906,25 @@ function createEngine(options) {
   const serviceActionsStore = {};
   const actionStore = {};
   const initStartTime = performance.now();
+  const seenServiceNames = /* @__PURE__ */ new Set();
   for (const service of services) {
+    if (seenServiceNames.has(service.name)) {
+      throw new Error(
+        `Duplicate service name '${service.name}'. Service names must be unique.`
+      );
+    }
+    seenServiceNames.add(service.name);
+    const seenActionNames = /* @__PURE__ */ new Set();
     const actionNames = [];
     serviceActionsStore[service.name] = [];
     actionStore[service.name] = {};
     for (const action of service.actions) {
+      if (seenActionNames.has(action.name)) {
+        throw new Error(
+          `Duplicate action name '${action.name}' in service '${service.name}'. Action names must be unique within a service.`
+        );
+      }
+      seenActionNames.add(action.name);
       actionNames.push(action.name);
       serviceActionsStore[service.name]?.push({
         name: action.name,
@@ -842,27 +948,39 @@ function createEngine(options) {
   log(
     `Initialized in ${performance.now() - initStartTime}ms. Loaded ${services.length} services.`
   );
-  const getServices = () => (0, import_slang_ts4.Ok)(serviceSummaries);
+  const getServices = () => (0, import_slang_ts5.Ok)(serviceSummaries);
   const getServiceActions = (serviceName) => {
     const actions = serviceActionsStore[serviceName];
-    return actions ? (0, import_slang_ts4.Ok)(actions) : (0, import_slang_ts4.Err)(`Service '${serviceName}' not found`);
+    return actions ? (0, import_slang_ts5.Ok)(actions) : (0, import_slang_ts5.Err)(`Service '${serviceName}' not found`);
   };
   const getAction = (serviceName, actionName) => {
     const serviceMap = actionStore[serviceName];
     if (!serviceMap) {
-      return (0, import_slang_ts4.Err)(`Service '${serviceName}' not found`);
+      return (0, import_slang_ts5.Err)(`Service '${serviceName}' not found`);
     }
     const action = serviceMap[actionName];
-    return action ? (0, import_slang_ts4.Ok)(action) : (0, import_slang_ts4.Err)(`Action '${actionName}' not found in service '${serviceName}'`);
+    return action ? (0, import_slang_ts5.Ok)(action) : (0, import_slang_ts5.Err)(`Action '${actionName}' not found in service '${serviceName}'`);
   };
-  const executeAction = async (serviceName, actionName, payload, nileContext) => {
+  const executeAction = async (serviceName, actionName, payload, nileContext, authContext) => {
     const { onBeforeActionHandler, onAfterActionHandler } = options;
     const actionResult = getAction(serviceName, actionName);
     if (actionResult.isErr) {
-      return (0, import_slang_ts4.Err)(actionResult.error);
+      return (0, import_slang_ts5.Err)(actionResult.error);
     }
     const action = actionResult.value;
     nileContext.resetHookContext(`${serviceName}.${actionName}`, payload);
+    const authStep = await authenticateAction(
+      action,
+      options.auth,
+      authContext,
+      nileContext,
+      serviceName,
+      actionName,
+      log
+    );
+    if (authStep.isErr) {
+      return (0, import_slang_ts5.Err)(authStep.error);
+    }
     const globalBeforeResult = await runGlobalBeforeHook(
       onBeforeActionHandler,
       nileContext,
@@ -871,7 +989,7 @@ function createEngine(options) {
       log
     );
     if (globalBeforeResult.isErr) {
-      return (0, import_slang_ts4.Err)(globalBeforeResult.error);
+      return (0, import_slang_ts5.Err)(globalBeforeResult.error);
     }
     const beforeHooksResult = await processHooks(
       action.hooks?.before ?? [],
@@ -882,7 +1000,7 @@ function createEngine(options) {
       log
     );
     if (beforeHooksResult.isErr) {
-      return (0, import_slang_ts4.Err)(beforeHooksResult.error);
+      return (0, import_slang_ts5.Err)(beforeHooksResult.error);
     }
     const validationResult = validatePayload(
       action,
@@ -891,7 +1009,7 @@ function createEngine(options) {
       log
     );
     if (validationResult.isErr) {
-      return (0, import_slang_ts4.Err)(validationResult.error);
+      return (0, import_slang_ts5.Err)(validationResult.error);
     }
     const handlerResult = await runHandler(
       action,
@@ -900,7 +1018,7 @@ function createEngine(options) {
       log
     );
     if (handlerResult.isErr) {
-      return (0, import_slang_ts4.Err)(handlerResult.error);
+      return (0, import_slang_ts5.Err)(handlerResult.error);
     }
     const afterHooksResult = await processHooks(
       action.hooks?.after ?? [],
@@ -911,7 +1029,7 @@ function createEngine(options) {
       log
     );
     if (afterHooksResult.isErr) {
-      return (0, import_slang_ts4.Err)(afterHooksResult.error);
+      return (0, import_slang_ts5.Err)(afterHooksResult.error);
     }
     const globalAfterResult = await runGlobalAfterHook(
       onAfterActionHandler,
@@ -922,12 +1040,12 @@ function createEngine(options) {
       log
     );
     if (globalAfterResult.isErr) {
-      return (0, import_slang_ts4.Err)(globalAfterResult.error);
+      return (0, import_slang_ts5.Err)(globalAfterResult.error);
     }
-    return action.result?.pipeline ? (0, import_slang_ts4.Ok)({
+    return action.result?.pipeline ? (0, import_slang_ts5.Ok)({
       data: globalAfterResult.value,
       pipeline: nileContext.hookContext.log
-    }) : (0, import_slang_ts4.Ok)(globalAfterResult.value);
+    }) : (0, import_slang_ts5.Ok)(globalAfterResult.value);
   };
   return {
     getServices,
@@ -939,6 +1057,7 @@ function createEngine(options) {
 
 // rest/rest.ts
 var import_hono = require("hono");
+var import_cookie = require("hono/cookie");
 var import_zod3 = __toESM(require("zod"), 1);
 
 // cors/cors.ts
@@ -1024,7 +1143,7 @@ var evaluateResolver = (resolver, origin, c, defaultOpts) => {
 };
 
 // rest/intent-handlers.ts
-var import_slang_ts5 = require("slang-ts");
+var import_slang_ts6 = require("slang-ts");
 var import_zod2 = __toESM(require("zod"), 1);
 function toExternalResponse(result, successMessage) {
   if (result.isOk) {
@@ -1051,7 +1170,7 @@ function handleExplore(engine, request) {
   }
   const act = actionResult.value;
   return toExternalResponse(
-    (0, import_slang_ts5.Ok)({
+    (0, import_slang_ts6.Ok)({
       name: act.name,
       description: act.description,
       isProtected: act.isProtected ?? false,
@@ -1062,7 +1181,7 @@ function handleExplore(engine, request) {
     `Details for '${service}.${action}'`
   );
 }
-async function handleExecute(engine, request, nileContext) {
+async function handleExecute(engine, request, nileContext, authContext) {
   const { service, action, payload } = request;
   if (service === "*" || action === "*") {
     return {
@@ -1075,7 +1194,8 @@ async function handleExecute(engine, request, nileContext) {
     service,
     action,
     payload,
-    nileContext
+    nileContext,
+    authContext
   );
   return toExternalResponse(result, `Action '${service}.${action}' executed`);
 }
@@ -1098,7 +1218,7 @@ function handleSchema(engine, request) {
         actionsResult.value.map((a) => a.name)
       );
     }
-    return toExternalResponse((0, import_slang_ts5.Ok)(schemas), "All service schemas");
+    return toExternalResponse((0, import_slang_ts6.Ok)(schemas), "All service schemas");
   }
   if (action === "*") {
     const actionsResult = engine.getServiceActions(service);
@@ -1110,7 +1230,7 @@ function handleSchema(engine, request) {
       service,
       actionsResult.value.map((a) => a.name)
     );
-    return toExternalResponse((0, import_slang_ts5.Ok)(schemas), `Schemas for '${service}'`);
+    return toExternalResponse((0, import_slang_ts6.Ok)(schemas), `Schemas for '${service}'`);
   }
   const actionResult = engine.getAction(service, action);
   if (actionResult.isErr) {
@@ -1118,7 +1238,7 @@ function handleSchema(engine, request) {
   }
   const schema = extractActionSchema(actionResult.value);
   return toExternalResponse(
-    (0, import_slang_ts5.Ok)({ [action]: schema }),
+    (0, import_slang_ts6.Ok)({ [action]: schema }),
     `Schema for '${service}.${action}'`
   );
 }
@@ -1152,13 +1272,13 @@ function safeTrySync(fn) {
 }
 var intentHandlers = {
   explore: (engine, request) => handleExplore(engine, request),
-  execute: (engine, request, nileContext) => handleExecute(engine, request, nileContext),
+  execute: (engine, request, nileContext, authContext) => handleExecute(engine, request, nileContext, authContext),
   schema: (engine, request) => handleSchema(engine, request)
 };
 
 // rest/middleware.ts
 var import_hono_rate_limiter = require("hono-rate-limiter");
-var import_slang_ts6 = require("slang-ts");
+var import_slang_ts7 = require("slang-ts");
 var ASSETS_REGEX = /^\/assets\//;
 var DEFAULT_RATE_LIMIT_WINDOW_MS = 15 * 60 * 1e3;
 var DEFAULT_RATE_LIMIT_MAX = 100;
@@ -1190,12 +1310,17 @@ function applyRateLimiting(app, config, log) {
     `Rate limiting enabled: ${rateLimiting.limit ?? DEFAULT_RATE_LIMIT_MAX} requests per ${rateLimiting.windowMs ?? DEFAULT_RATE_LIMIT_WINDOW_MS}ms window`
   );
 }
+var STATIC_ADAPTER_MODULES = {
+  bun: "hono/bun",
+  node: "@hono/node-server/serve-static"
+};
 function applyStaticServing(app, config, runtime, log) {
   if (!config.enableStatic) {
     return;
   }
-  if (runtime !== "bun") {
-    log(`Static file serving not yet supported for runtime: ${runtime}`);
+  const adapterModule = STATIC_ADAPTER_MODULES[runtime];
+  if (!adapterModule) {
+    log(`Static file serving not supported for runtime: ${runtime}`);
     return;
   }
   let cachedHandler = null;
@@ -1205,15 +1330,18 @@ function applyStaticServing(app, config, runtime, log) {
       return next();
     }
     if (!cachedHandler) {
-      const importResult = await (0, import_slang_ts6.safeTry)(async () => {
-        const mod = await import("hono/bun");
+      const importResult = await (0, import_slang_ts7.safeTry)(async () => {
+        const mod = await import(adapterModule);
         return mod.serveStatic({
           root: "./assets",
           rewriteRequestPath: (path) => path.replace(ASSETS_REGEX, "")
         });
       });
       if (importResult.isErr) {
-        log("Failed to load static file adapter", importResult.error);
+        log(
+          `Failed to load static file adapter for ${runtime}`,
+          importResult.error
+        );
         importFailed = true;
         return next();
       }
@@ -1223,7 +1351,255 @@ function applyStaticServing(app, config, runtime, log) {
       return cachedHandler(c, next);
     }
   });
-  log("Static file serving enabled at /assets/*");
+  log(`Static file serving enabled at /assets/* (runtime: ${runtime})`);
+}
+
+// rest/uploads/validate-files.ts
+var DEFAULT_MAX_FILES = 10;
+var DEFAULT_MAX_FILE_SIZE = 10 * 1024 * 1024;
+var DEFAULT_MIN_FILE_SIZE = 1;
+var DEFAULT_MAX_TOTAL_SIZE = 20 * 1024 * 1024;
+var DEFAULT_MAX_FILENAME_LENGTH = 128;
+var DEFAULT_ALLOWED_MIMES = ["image/png", "image/jpeg", "application/pdf"];
+var DEFAULT_ALLOWED_EXTENSIONS = [".png", ".jpg", ".jpeg", ".pdf"];
+var PASS = { status: true };
+function validateFilenameLength(files, maxLength) {
+  const tooLong = files.filter((file) => file.name.length > maxLength);
+  if (tooLong.length === 0) {
+    return PASS;
+  }
+  return {
+    status: false,
+    message: "file name too long",
+    data: {
+      error_category: "validation",
+      files: tooLong.map((f) => f.name),
+      maxLength
+    }
+  };
+}
+function validateZeroByteFiles(files) {
+  const emptyFiles = files.filter((file) => file.size === 0);
+  if (emptyFiles.length === 0) {
+    return PASS;
+  }
+  return {
+    status: false,
+    message: "empty file not allowed",
+    data: {
+      error_category: "validation",
+      files: emptyFiles.map((f) => f.name)
+    }
+  };
+}
+function validateMinFileSize(files, minFileSize) {
+  const tooSmall = files.filter((file) => file.size < minFileSize);
+  if (tooSmall.length === 0) {
+    return PASS;
+  }
+  return {
+    status: false,
+    message: "file too small",
+    data: {
+      error_category: "validation",
+      limit: "minFileSize",
+      min: minFileSize,
+      files: tooSmall.map((f) => ({ name: f.name, size: f.size }))
+    }
+  };
+}
+function validateFileCount(files, maxFiles) {
+  if (files.length <= maxFiles) {
+    return PASS;
+  }
+  return {
+    status: false,
+    message: "upload limit exceeded",
+    data: {
+      error_category: "validation",
+      limit: "maxFiles",
+      max: maxFiles,
+      received: files.length
+    }
+  };
+}
+function validateFileSize(files, maxFileSize) {
+  const oversized = files.filter((file) => file.size > maxFileSize);
+  if (oversized.length === 0) {
+    return PASS;
+  }
+  return {
+    status: false,
+    message: "upload limit exceeded",
+    data: {
+      error_category: "validation",
+      limit: "maxFileSize",
+      max: maxFileSize,
+      files: oversized.map((f) => ({ name: f.name, size: f.size }))
+    }
+  };
+}
+function validateTotalSize(files, maxTotalSize) {
+  const totalSize = files.reduce((sum, file) => sum + file.size, 0);
+  if (totalSize <= maxTotalSize) {
+    return PASS;
+  }
+  return {
+    status: false,
+    message: "upload limit exceeded",
+    data: {
+      error_category: "validation",
+      limit: "maxTotalSize",
+      max: maxTotalSize,
+      total: totalSize
+    }
+  };
+}
+function validateAllowlist(files, allowedMimes, allowedExtensions) {
+  const rejected = files.filter((file) => {
+    const matchesMime = allowedMimes.includes(file.type);
+    const matchesExt = allowedExtensions.some(
+      (ext) => file.name.toLowerCase().endsWith(ext.toLowerCase())
+    );
+    return !(matchesMime && matchesExt);
+  });
+  if (rejected.length === 0) {
+    return PASS;
+  }
+  return {
+    status: false,
+    message: "file type not allowed",
+    data: {
+      error_category: "validation",
+      rejected: rejected.map((f) => ({ name: f.name, type: f.type })),
+      allowed: { mimeTypes: allowedMimes, extensions: allowedExtensions }
+    }
+  };
+}
+function validateFiles(files, config) {
+  if (files.length === 0) {
+    return PASS;
+  }
+  const maxFiles = config.limits?.maxFiles ?? DEFAULT_MAX_FILES;
+  const maxFileSize = config.limits?.maxFileSize ?? DEFAULT_MAX_FILE_SIZE;
+  const minFileSize = config.limits?.minFileSize ?? DEFAULT_MIN_FILE_SIZE;
+  const maxTotalSize = config.limits?.maxTotalSize ?? DEFAULT_MAX_TOTAL_SIZE;
+  const maxFilenameLength = config.limits?.maxFilenameLength ?? DEFAULT_MAX_FILENAME_LENGTH;
+  const allowedMimes = config.allow?.mimeTypes ?? DEFAULT_ALLOWED_MIMES;
+  const allowedExtensions = config.allow?.extensions ?? DEFAULT_ALLOWED_EXTENSIONS;
+  const checks = [
+    validateFilenameLength(files, maxFilenameLength),
+    validateZeroByteFiles(files),
+    validateMinFileSize(files, minFileSize),
+    validateFileCount(files, maxFiles),
+    validateFileSize(files, maxFileSize),
+    validateTotalSize(files, maxTotalSize),
+    validateAllowlist(files, allowedMimes, allowedExtensions)
+  ];
+  for (const check of checks) {
+    if (!check.status) {
+      return check;
+    }
+  }
+  return PASS;
+}
+
+// rest/uploads/parse-formdata.ts
+async function parseBodyToStructured(c) {
+  try {
+    const body = await c.req.parseBody({ all: true });
+    const fields = {};
+    const files = {};
+    const conflicts = [];
+    for (const [key, value] of Object.entries(body)) {
+      if (key === "action") {
+        continue;
+      }
+      if (Array.isArray(value)) {
+        const hasFiles = value.some((v) => v instanceof File);
+        const hasStrings = value.some((v) => typeof v === "string");
+        if (hasFiles && hasStrings) {
+          conflicts.push(key);
+          continue;
+        }
+        if (hasFiles) {
+          files[key] = value.filter((v) => v instanceof File);
+        } else {
+          fields[key] = value.map((v) => String(v));
+        }
+      } else if (value instanceof File) {
+        files[key] = value;
+      } else {
+        fields[key] = String(value);
+      }
+    }
+    if (conflicts.length > 0) {
+      return {
+        status: false,
+        message: "mixed key types not allowed",
+        errorData: {
+          error_category: "validation",
+          conflicts,
+          hint: "Same key cannot be used for both files and fields"
+        }
+      };
+    }
+    return { status: true, data: { fields, files } };
+  } catch (error) {
+    return {
+      status: false,
+      message: "failed to parse request body",
+      errorData: {
+        error_category: "parsing",
+        error: error instanceof Error ? error.message : String(error)
+      }
+    };
+  }
+}
+function enforceActionContentType(action, contentType, enforceContentType) {
+  if (!(enforceContentType && action.isSpecial?.contentType)) {
+    return { status: true };
+  }
+  const expected = action.isSpecial.contentType;
+  const matches = contentType.toLowerCase().includes(expected.toLowerCase());
+  if (!matches) {
+    return {
+      status: false,
+      statusCode: 415,
+      message: "unsupported content type",
+      data: {
+        error_category: "validation",
+        expected,
+        received: contentType
+      }
+    };
+  }
+  return { status: true };
+}
+async function handleFormDataRequest(c, config, _uploadMode = "flat") {
+  const parseResult = await parseBodyToStructured(c);
+  if (!(parseResult.status && parseResult.data)) {
+    return parseResult;
+  }
+  const payload = parseResult.data;
+  const allFiles = [];
+  for (const value of Object.values(payload.files)) {
+    if (Array.isArray(value)) {
+      allFiles.push(...value);
+    } else {
+      allFiles.push(value);
+    }
+  }
+  const validationResult = validateFiles(allFiles, config);
+  if (!validationResult.status) {
+    return {
+      status: false,
+      message: validationResult.message,
+      errorData: validationResult.data,
+      statusCode: validationResult.statusCode
+    };
+  }
+  return { status: true, data: payload };
 }
 
 // rest/rest.ts
@@ -1233,6 +1609,87 @@ var externalRequestSchema = import_zod3.default.object({
   action: import_zod3.default.string().min(1),
   payload: import_zod3.default.record(import_zod3.default.string(), import_zod3.default.unknown())
 });
+var formDataRoutingSchema = import_zod3.default.object({
+  intent: import_zod3.default.enum(["explore", "execute", "schema"]),
+  service: import_zod3.default.string().min(1),
+  action: import_zod3.default.string().min(1)
+});
+async function handleFormDataPath(c, config, engine, nileContext, authContext, log) {
+  const rawBody = await c.req.parseBody({ all: true }).catch(() => null);
+  if (!rawBody) {
+    return c.json(
+      {
+        status: false,
+        message: "Failed to parse multipart form data",
+        data: {}
+      },
+      400
+    );
+  }
+  const routing = formDataRoutingSchema.safeParse({
+    intent: rawBody.intent,
+    service: rawBody.service,
+    action: rawBody.action
+  });
+  if (!routing.success) {
+    return c.json(
+      {
+        status: false,
+        message: "Form-data must include 'intent', 'service', and 'action' fields",
+        data: { errors: routing.error.issues }
+      },
+      400
+    );
+  }
+  const { intent, service, action } = routing.data;
+  log(`${intent} -> ${service}.${action} (form-data)`);
+  const actionResult = engine.getAction(service, action);
+  if (actionResult.isOk && config.uploads?.enforceContentType) {
+    const contentTypeCheck = enforceActionContentType(
+      actionResult.value,
+      "multipart/form-data",
+      true
+    );
+    if (!contentTypeCheck.status) {
+      return c.json(
+        {
+          status: false,
+          message: contentTypeCheck.message ?? "Unsupported content type",
+          data: contentTypeCheck.data ?? {}
+        },
+        contentTypeCheck.statusCode ?? 415
+      );
+    }
+  }
+  const uploadConfig = config.uploads ?? {};
+  const uploadMode = actionResult.isOk ? actionResult.value.isSpecial?.uploadMode ?? "flat" : "flat";
+  const uploadResult = await handleFormDataRequest(c, uploadConfig, uploadMode);
+  if (!(uploadResult.status && uploadResult.data)) {
+    return c.json(
+      {
+        status: false,
+        message: uploadResult.message ?? "Upload validation failed",
+        data: uploadResult.errorData ?? {}
+      },
+      uploadResult.statusCode ?? 400
+    );
+  }
+  const request = {
+    intent,
+    service,
+    action,
+    payload: uploadResult.data
+  };
+  const handler = intentHandlers[request.intent];
+  const response = await handler(
+    engine,
+    request,
+    nileContext,
+    authContext
+  );
+  const statusCode = response.status ? 200 : 400;
+  return c.json(response, statusCode);
+}
 function createRestApp(params) {
   const { config, engine, nileContext, serverName, runtime } = params;
   const app = new import_hono.Hono();
@@ -1245,6 +1702,22 @@ function createRestApp(params) {
   applyStaticServing(app, config, runtime, log);
   const servicesPath = `${config.baseUrl}/services`;
   app.post(servicesPath, async (c) => {
+    const contentType = c.req.header("content-type") ?? "";
+    const isFormData = contentType.includes("multipart/form-data");
+    const authContext = {
+      headers: c.req.raw.headers,
+      cookies: (0, import_cookie.getCookie)(c)
+    };
+    if (isFormData) {
+      return handleFormDataPath(
+        c,
+        config,
+        engine,
+        nileContext,
+        authContext,
+        log
+      );
+    }
     const body = await c.req.json().catch(() => null);
     if (!body) {
       return c.json(
@@ -1270,7 +1743,12 @@ function createRestApp(params) {
     const request = parsed.data;
     log(`${request.intent} -> ${request.service}.${request.action}`);
     const handler = intentHandlers[request.intent];
-    const response = await handler(engine, request, nileContext);
+    const response = await handler(
+      engine,
+      request,
+      nileContext,
+      authContext
+    );
     const statusCode = response.status ? 200 : 400;
     return c.json(response, statusCode);
   });
@@ -1321,6 +1799,20 @@ function createNileContext(params) {
     setSession(name, data) {
       sessions[name] = data;
     },
+    authResult: void 0,
+    getAuth() {
+      return context.authResult;
+    },
+    getUser() {
+      if (!context.authResult) {
+        return void 0;
+      }
+      return {
+        userId: context.authResult.userId,
+        organizationId: context.authResult.organizationId,
+        ...context.authResult.claims
+      };
+    },
     hookContext: {
       actionName: "",
       input: null,
@@ -1379,6 +1871,7 @@ function createNileServer(config) {
     services: config.services,
     diagnostics: config.diagnostics,
     logger: config.resources?.logger,
+    auth: config.auth,
     onBeforeActionHandler: config.onBeforeActionHandler,
     onAfterActionHandler: config.onAfterActionHandler
   });
@@ -1421,7 +1914,7 @@ function createNileServer(config) {
   if (config.onBoot) {
     const { fn } = config.onBoot;
     const _boot = (async () => {
-      const result = await (0, import_slang_ts7.safeTry)(() => fn(nileContext));
+      const result = await (0, import_slang_ts8.safeTry)(() => fn(nileContext));
       if (result.isErr) {
         console.error("[NileServer] onBoot failed:", result.error);
       }
@@ -1445,6 +1938,9 @@ function createNileServer(config) {
   getContext,
   getLogs,
   getZodSchema,
-  handleError
+  handleError,
+  handleFormDataRequest,
+  validateFiles,
+  verifyJWT
 });
 //# sourceMappingURL=index.cjs.map