@nilejs/nile 0.0.6 → 0.0.7

package/dist/index.js

@@ -1,3 +1,74 @@
+// auth/jwt-handler.ts
+import { verify } from "hono/jwt";
+import { Err, Ok } from "slang-ts";
+function extractUserId(claims) {
+  const value = claims.userId ?? claims.id ?? claims.sub;
+  return typeof value === "string" ? value : null;
+}
+function extractOrganizationId(claims) {
+  const value = claims.organizationId ?? claims.organization_id ?? claims.orgId;
+  return typeof value === "string" ? value : null;
+}
+function extractTokenFromHeader(headers, headerName) {
+  if (!headers) {
+    return Ok(null);
+  }
+  const authHeader = headers.get(headerName);
+  if (!authHeader) {
+    return Ok(null);
+  }
+  if (!authHeader.startsWith("Bearer ")) {
+    return Err("Authorization header must use Bearer scheme");
+  }
+  return Ok(authHeader.substring(7));
+}
+function extractTokenFromCookie(cookies, cookieName) {
+  if (!cookies) {
+    return null;
+  }
+  return cookies[cookieName] ?? null;
+}
+function extractToken(context, config) {
+  const method = config.method ?? "header";
+  if (method === "header") {
+    const headerName = config.headerName ?? "authorization";
+    return extractTokenFromHeader(context.headers, headerName);
+  }
+  const cookieName = config.cookieName ?? "auth_token";
+  return Ok(extractTokenFromCookie(context.cookies, cookieName));
+}
+async function verifyJWT(context, config) {
+  const tokenResult = extractToken(context, config);
+  if (tokenResult.isErr) {
+    return Err(tokenResult.error);
+  }
+  const token = tokenResult.value;
+  if (!token) {
+    return Err(`No JWT token found in ${config.method ?? "header"}`);
+  }
+  try {
+    const claims = await verify(token, config.secret, "HS256");
+    if (!claims) {
+      return Err("Invalid JWT token");
+    }
+    const userId = extractUserId(claims);
+    const organizationId = extractOrganizationId(
+      claims
+    );
+    if (!(userId && organizationId)) {
+      return Err("Missing userId or organizationId in JWT token");
+    }
+    return Ok({
+      userId,
+      organizationId,
+      claims
+    });
+  } catch (error) {
+    const message = error instanceof Error ? error.message : "JWT verification failed";
+    return Err(`JWT authentication failed: ${message}`);
+  }
+}
+
 // engine/create-action.ts
 function createAction(config) {
   return config;
@@ -276,14 +347,14 @@ var createLogger = (appName, config) => {
 import { safeTry as safeTry4 } from "slang-ts";
 
 // engine/engine.ts
-import { Err as Err3, Ok as Ok3 } from "slang-ts";
+import { Err as Err4, Ok as Ok4 } from "slang-ts";
 
 // utils/db/create-model.ts
 import { count, desc, eq, lt } from "drizzle-orm";
-import { Ok, safeTry } from "slang-ts";
+import { Ok as Ok2, safeTry } from "slang-ts";
 
 // utils/handle-error.ts
-import { Err } from "slang-ts";
+import { Err as Err2 } from "slang-ts";
 var CALLER_LINE_REGEX = /at\s+(\S+)\s+/;
 function inferCallerName() {
   const _err = new Error("capture stack trace");
@@ -315,7 +386,7 @@ function handleError(params) {
     message: params.message,
     data: params.data
   });
-  return Err(`[${logId}] ${params.message}`);
+  return Err2(`[${logId}] ${params.message}`);
 }
 
 // utils/db/create-transaction-variant.ts
@@ -437,7 +508,7 @@ function createModel(table, options) {
         atFunction: `${name}.create`
       });
     }
-    return Ok(row);
+    return Ok2(row);
   };
   const update = async ({ id, data, dbx }) => {
     const parsed = schemas.update.safeParse(data);
@@ -468,7 +539,7 @@ function createModel(table, options) {
         atFunction: `${name}.update`
       });
     }
-    return Ok(row);
+    return Ok2(row);
   };
   const createTx = createTransactionVariant(
     create
@@ -497,7 +568,7 @@ function createModel(table, options) {
         atFunction: `${name}.findById`
       });
     }
-    return Ok(row);
+    return Ok2(row);
   };
   const deleteFn = async (id) => {
     const db = getDb();
@@ -520,7 +591,7 @@ function createModel(table, options) {
         atFunction: `${name}.delete`
       });
     }
-    return Ok(row);
+    return Ok2(row);
   };
   const findAll = async () => {
     const db = getDb();
@@ -539,7 +610,7 @@ function createModel(table, options) {
         atFunction: `${name}.findAll`
       });
     }
-    return Ok(result.value ?? []);
+    return Ok2(result.value ?? []);
   };
   const findOffsetPage = async (limit, offset) => {
     const db = getDb();
@@ -568,7 +639,7 @@ function createModel(table, options) {
     }
     const items = itemsResult.value ?? [];
     const total = countResult.value?.[0]?.total ?? 0;
-    return Ok({
+    return Ok2({
       items,
       total,
       hasMore: offset + items.length < total
@@ -599,7 +670,7 @@ function createModel(table, options) {
     const items = hasMore ? rows.slice(0, limit) : rows;
     const lastItem = items.at(-1);
     const nextCursor = lastItem ? String(lastItem[colName] ?? "") || null : null;
-    return Ok({
+    return Ok2({
       items,
       nextCursor,
       hasMore
@@ -656,7 +727,7 @@ function createDiagnosticsLog(prefix, params) {
 }
 
 // engine/pipeline.ts
-import { Err as Err2, Ok as Ok2, safeTry as safeTry2 } from "slang-ts";
+import { Err as Err3, Ok as Ok3, safeTry as safeTry2 } from "slang-ts";
 import { prettifyError } from "zod";
 async function runHook(hookDef, hookAction, input, nileContext) {
   const result = await safeTry2(
@@ -681,7 +752,7 @@ async function processHooks(hooks, initialValue, getAction, nileContext, logTarg
       log(errorMsg);
       if (hookDef.isCritical) {
         nileContext.setHookError(errorMsg);
-        return Err2(errorMsg);
+        return Err3(errorMsg);
       }
       continue;
     }
@@ -700,57 +771,57 @@ async function processHooks(hooks, initialValue, getAction, nileContext, logTarg
       );
       if (hookDef.isCritical) {
         nileContext.setHookError(errorMsg);
-        return Err2(errorMsg);
+        return Err3(errorMsg);
       }
       continue;
     }
     currentValue = result.value;
   }
-  return Ok2(currentValue);
+  return Ok3(currentValue);
 }
 async function runGlobalBeforeHook(handler, nileContext, action, payload, log) {
   if (!handler) {
-    return Ok2(true);
+    return Ok3(true);
   }
   const result = await safeTry2(() => handler({ nileContext, action, payload }));
   if (result.isErr) {
     log(`Global before hook failed for ${action.name}`);
     nileContext.setHookError(result.error);
-    return Err2(result.error);
+    return Err3(result.error);
   }
-  return Ok2(true);
+  return Ok3(true);
 }
 async function runGlobalAfterHook(handler, nileContext, action, payload, currentResult, log) {
   if (!handler) {
-    return Ok2(currentResult);
+    return Ok3(currentResult);
   }
   const result = await safeTry2(
     () => handler({
       nileContext,
       action,
       payload,
-      result: Ok2(currentResult)
+      result: Ok3(currentResult)
     })
   );
   if (result.isErr) {
     log(`Global after hook failed for ${action.name}`);
     nileContext.setHookError(result.error);
-    return Err2(result.error);
+    return Err3(result.error);
   }
-  return Ok2(result.value);
+  return Ok3(result.value);
 }
 function validatePayload(action, payload, nileContext, log) {
   if (!action.validation) {
-    return Ok2(payload);
+    return Ok3(payload);
   }
   const parseResult = action.validation.safeParse(payload);
   if (!parseResult.success) {
     const validationError = prettifyError(parseResult.error);
     log(`Validation failed for ${action.name}`, validationError);
     nileContext.setHookError(validationError);
-    return Err2(`Validation failed: ${validationError}`);
+    return Err3(`Validation failed: ${validationError}`);
   }
-  return Ok2(parseResult.data);
+  return Ok3(parseResult.data);
 }
 async function runHandler(action, payload, nileContext, log) {
   const result = await safeTry2(
@@ -759,13 +830,31 @@ async function runHandler(action, payload, nileContext, log) {
   if (result.isErr) {
     log(`Handler failed for ${action.name}`, result.error);
     nileContext.setHookError(result.error);
-    return Err2(result.error);
+    return Err3(result.error);
   }
   nileContext.setHookOutput(result.value);
-  return Ok2(result.value);
+  return Ok3(result.value);
 }
 
 // engine/engine.ts
+async function authenticateAction(action, auth, authContext, nileContext, serviceName, actionName, log) {
+  if (!(action.isProtected && auth)) {
+    return Ok4(void 0);
+  }
+  if (!authContext) {
+    return Err4("Authentication required: no auth context provided");
+  }
+  const authResult = await verifyJWT(authContext, auth);
+  if (authResult.isErr) {
+    log(`Auth failed for ${serviceName}.${actionName}: ${authResult.error}`);
+    return Err4(authResult.error);
+  }
+  nileContext.authResult = authResult.value;
+  log(
+    `Auth OK for ${serviceName}.${actionName} (user: ${authResult.value.userId})`
+  );
+  return Ok4(void 0);
+}
 function createEngine(options) {
   const { diagnostics, services, logger } = options;
   const log = createDiagnosticsLog("Engine", {
@@ -776,11 +865,25 @@ function createEngine(options) {
   const serviceActionsStore = {};
   const actionStore = {};
   const initStartTime = performance.now();
+  const seenServiceNames = /* @__PURE__ */ new Set();
   for (const service of services) {
+    if (seenServiceNames.has(service.name)) {
+      throw new Error(
+        `Duplicate service name '${service.name}'. Service names must be unique.`
+      );
+    }
+    seenServiceNames.add(service.name);
+    const seenActionNames = /* @__PURE__ */ new Set();
     const actionNames = [];
     serviceActionsStore[service.name] = [];
     actionStore[service.name] = {};
     for (const action of service.actions) {
+      if (seenActionNames.has(action.name)) {
+        throw new Error(
+          `Duplicate action name '${action.name}' in service '${service.name}'. Action names must be unique within a service.`
+        );
+      }
+      seenActionNames.add(action.name);
       actionNames.push(action.name);
       serviceActionsStore[service.name]?.push({
         name: action.name,
@@ -804,27 +907,39 @@ function createEngine(options) {
   log(
     `Initialized in ${performance.now() - initStartTime}ms. Loaded ${services.length} services.`
   );
-  const getServices = () => Ok3(serviceSummaries);
+  const getServices = () => Ok4(serviceSummaries);
   const getServiceActions = (serviceName) => {
     const actions = serviceActionsStore[serviceName];
-    return actions ? Ok3(actions) : Err3(`Service '${serviceName}' not found`);
+    return actions ? Ok4(actions) : Err4(`Service '${serviceName}' not found`);
   };
   const getAction = (serviceName, actionName) => {
     const serviceMap = actionStore[serviceName];
     if (!serviceMap) {
-      return Err3(`Service '${serviceName}' not found`);
+      return Err4(`Service '${serviceName}' not found`);
     }
     const action = serviceMap[actionName];
-    return action ? Ok3(action) : Err3(`Action '${actionName}' not found in service '${serviceName}'`);
+    return action ? Ok4(action) : Err4(`Action '${actionName}' not found in service '${serviceName}'`);
   };
-  const executeAction = async (serviceName, actionName, payload, nileContext) => {
+  const executeAction = async (serviceName, actionName, payload, nileContext, authContext) => {
     const { onBeforeActionHandler, onAfterActionHandler } = options;
     const actionResult = getAction(serviceName, actionName);
     if (actionResult.isErr) {
-      return Err3(actionResult.error);
+      return Err4(actionResult.error);
     }
     const action = actionResult.value;
     nileContext.resetHookContext(`${serviceName}.${actionName}`, payload);
+    const authStep = await authenticateAction(
+      action,
+      options.auth,
+      authContext,
+      nileContext,
+      serviceName,
+      actionName,
+      log
+    );
+    if (authStep.isErr) {
+      return Err4(authStep.error);
+    }
     const globalBeforeResult = await runGlobalBeforeHook(
       onBeforeActionHandler,
       nileContext,
@@ -833,7 +948,7 @@ function createEngine(options) {
       log
     );
     if (globalBeforeResult.isErr) {
-      return Err3(globalBeforeResult.error);
+      return Err4(globalBeforeResult.error);
     }
     const beforeHooksResult = await processHooks(
       action.hooks?.before ?? [],
@@ -844,7 +959,7 @@ function createEngine(options) {
       log
     );
     if (beforeHooksResult.isErr) {
-      return Err3(beforeHooksResult.error);
+      return Err4(beforeHooksResult.error);
     }
     const validationResult = validatePayload(
       action,
@@ -853,7 +968,7 @@ function createEngine(options) {
       log
     );
     if (validationResult.isErr) {
-      return Err3(validationResult.error);
+      return Err4(validationResult.error);
     }
     const handlerResult = await runHandler(
       action,
@@ -862,7 +977,7 @@ function createEngine(options) {
       log
     );
     if (handlerResult.isErr) {
-      return Err3(handlerResult.error);
+      return Err4(handlerResult.error);
     }
     const afterHooksResult = await processHooks(
       action.hooks?.after ?? [],
@@ -873,7 +988,7 @@ function createEngine(options) {
       log
     );
     if (afterHooksResult.isErr) {
-      return Err3(afterHooksResult.error);
+      return Err4(afterHooksResult.error);
     }
     const globalAfterResult = await runGlobalAfterHook(
       onAfterActionHandler,
@@ -884,12 +999,12 @@ function createEngine(options) {
       log
     );
     if (globalAfterResult.isErr) {
-      return Err3(globalAfterResult.error);
+      return Err4(globalAfterResult.error);
     }
-    return action.result?.pipeline ? Ok3({
+    return action.result?.pipeline ? Ok4({
       data: globalAfterResult.value,
       pipeline: nileContext.hookContext.log
-    }) : Ok3(globalAfterResult.value);
+    }) : Ok4(globalAfterResult.value);
   };
   return {
     getServices,
@@ -901,6 +1016,7 @@ function createEngine(options) {
 
 // rest/rest.ts
 import { Hono } from "hono";
+import { getCookie } from "hono/cookie";
 import z2 from "zod";
 
 // cors/cors.ts
@@ -986,7 +1102,7 @@ var evaluateResolver = (resolver, origin, c, defaultOpts) => {
 };
 
 // rest/intent-handlers.ts
-import { Ok as Ok4 } from "slang-ts";
+import { Ok as Ok5 } from "slang-ts";
 import z from "zod";
 function toExternalResponse(result, successMessage) {
   if (result.isOk) {
@@ -1013,7 +1129,7 @@ function handleExplore(engine, request) {
   }
   const act = actionResult.value;
   return toExternalResponse(
-    Ok4({
+    Ok5({
       name: act.name,
       description: act.description,
       isProtected: act.isProtected ?? false,
@@ -1024,7 +1140,7 @@ function handleExplore(engine, request) {
     `Details for '${service}.${action}'`
   );
 }
-async function handleExecute(engine, request, nileContext) {
+async function handleExecute(engine, request, nileContext, authContext) {
   const { service, action, payload } = request;
   if (service === "*" || action === "*") {
     return {
@@ -1037,7 +1153,8 @@ async function handleExecute(engine, request, nileContext) {
     service,
     action,
     payload,
-    nileContext
+    nileContext,
+    authContext
   );
   return toExternalResponse(result, `Action '${service}.${action}' executed`);
 }
@@ -1060,7 +1177,7 @@ function handleSchema(engine, request) {
         actionsResult.value.map((a) => a.name)
       );
     }
-    return toExternalResponse(Ok4(schemas), "All service schemas");
+    return toExternalResponse(Ok5(schemas), "All service schemas");
   }
   if (action === "*") {
     const actionsResult = engine.getServiceActions(service);
@@ -1072,7 +1189,7 @@ function handleSchema(engine, request) {
       service,
       actionsResult.value.map((a) => a.name)
     );
-    return toExternalResponse(Ok4(schemas), `Schemas for '${service}'`);
+    return toExternalResponse(Ok5(schemas), `Schemas for '${service}'`);
   }
   const actionResult = engine.getAction(service, action);
   if (actionResult.isErr) {
@@ -1080,7 +1197,7 @@ function handleSchema(engine, request) {
   }
   const schema = extractActionSchema(actionResult.value);
   return toExternalResponse(
-    Ok4({ [action]: schema }),
+    Ok5({ [action]: schema }),
     `Schema for '${service}.${action}'`
   );
 }
@@ -1114,7 +1231,7 @@ function safeTrySync(fn) {
 }
 var intentHandlers = {
   explore: (engine, request) => handleExplore(engine, request),
-  execute: (engine, request, nileContext) => handleExecute(engine, request, nileContext),
+  execute: (engine, request, nileContext, authContext) => handleExecute(engine, request, nileContext, authContext),
   schema: (engine, request) => handleSchema(engine, request)
 };
 
@@ -1152,12 +1269,17 @@ function applyRateLimiting(app, config, log) {
     `Rate limiting enabled: ${rateLimiting.limit ?? DEFAULT_RATE_LIMIT_MAX} requests per ${rateLimiting.windowMs ?? DEFAULT_RATE_LIMIT_WINDOW_MS}ms window`
   );
 }
+var STATIC_ADAPTER_MODULES = {
+  bun: "hono/bun",
+  node: "@hono/node-server/serve-static"
+};
 function applyStaticServing(app, config, runtime, log) {
   if (!config.enableStatic) {
     return;
   }
-  if (runtime !== "bun") {
-    log(`Static file serving not yet supported for runtime: ${runtime}`);
+  const adapterModule = STATIC_ADAPTER_MODULES[runtime];
+  if (!adapterModule) {
+    log(`Static file serving not supported for runtime: ${runtime}`);
     return;
   }
   let cachedHandler = null;
@@ -1168,14 +1290,17 @@ function applyStaticServing(app, config, runtime, log) {
     }
     if (!cachedHandler) {
       const importResult = await safeTry3(async () => {
-        const mod = await import("hono/bun");
+        const mod = await import(adapterModule);
         return mod.serveStatic({
           root: "./assets",
           rewriteRequestPath: (path) => path.replace(ASSETS_REGEX, "")
         });
       });
       if (importResult.isErr) {
-        log("Failed to load static file adapter", importResult.error);
+        log(
+          `Failed to load static file adapter for ${runtime}`,
+          importResult.error
+        );
         importFailed = true;
         return next();
       }
@@ -1185,7 +1310,255 @@ function applyStaticServing(app, config, runtime, log) {
       return cachedHandler(c, next);
     }
   });
-  log("Static file serving enabled at /assets/*");
+  log(`Static file serving enabled at /assets/* (runtime: ${runtime})`);
+}
+
+// rest/uploads/validate-files.ts
+var DEFAULT_MAX_FILES = 10;
+var DEFAULT_MAX_FILE_SIZE = 10 * 1024 * 1024;
+var DEFAULT_MIN_FILE_SIZE = 1;
+var DEFAULT_MAX_TOTAL_SIZE = 20 * 1024 * 1024;
+var DEFAULT_MAX_FILENAME_LENGTH = 128;
+var DEFAULT_ALLOWED_MIMES = ["image/png", "image/jpeg", "application/pdf"];
+var DEFAULT_ALLOWED_EXTENSIONS = [".png", ".jpg", ".jpeg", ".pdf"];
+var PASS = { status: true };
+function validateFilenameLength(files, maxLength) {
+  const tooLong = files.filter((file) => file.name.length > maxLength);
+  if (tooLong.length === 0) {
+    return PASS;
+  }
+  return {
+    status: false,
+    message: "file name too long",
+    data: {
+      error_category: "validation",
+      files: tooLong.map((f) => f.name),
+      maxLength
+    }
+  };
+}
+function validateZeroByteFiles(files) {
+  const emptyFiles = files.filter((file) => file.size === 0);
+  if (emptyFiles.length === 0) {
+    return PASS;
+  }
+  return {
+    status: false,
+    message: "empty file not allowed",
+    data: {
+      error_category: "validation",
+      files: emptyFiles.map((f) => f.name)
+    }
+  };
+}
+function validateMinFileSize(files, minFileSize) {
+  const tooSmall = files.filter((file) => file.size < minFileSize);
+  if (tooSmall.length === 0) {
+    return PASS;
+  }
+  return {
+    status: false,
+    message: "file too small",
+    data: {
+      error_category: "validation",
+      limit: "minFileSize",
+      min: minFileSize,
+      files: tooSmall.map((f) => ({ name: f.name, size: f.size }))
+    }
+  };
+}
+function validateFileCount(files, maxFiles) {
+  if (files.length <= maxFiles) {
+    return PASS;
+  }
+  return {
+    status: false,
+    message: "upload limit exceeded",
+    data: {
+      error_category: "validation",
+      limit: "maxFiles",
+      max: maxFiles,
+      received: files.length
+    }
+  };
+}
+function validateFileSize(files, maxFileSize) {
+  const oversized = files.filter((file) => file.size > maxFileSize);
+  if (oversized.length === 0) {
+    return PASS;
+  }
+  return {
+    status: false,
+    message: "upload limit exceeded",
+    data: {
+      error_category: "validation",
+      limit: "maxFileSize",
+      max: maxFileSize,
+      files: oversized.map((f) => ({ name: f.name, size: f.size }))
+    }
+  };
+}
+function validateTotalSize(files, maxTotalSize) {
+  const totalSize = files.reduce((sum, file) => sum + file.size, 0);
+  if (totalSize <= maxTotalSize) {
+    return PASS;
+  }
+  return {
+    status: false,
+    message: "upload limit exceeded",
+    data: {
+      error_category: "validation",
+      limit: "maxTotalSize",
+      max: maxTotalSize,
+      total: totalSize
+    }
+  };
+}
+function validateAllowlist(files, allowedMimes, allowedExtensions) {
+  const rejected = files.filter((file) => {
+    const matchesMime = allowedMimes.includes(file.type);
+    const matchesExt = allowedExtensions.some(
+      (ext) => file.name.toLowerCase().endsWith(ext.toLowerCase())
+    );
+    return !(matchesMime && matchesExt);
+  });
+  if (rejected.length === 0) {
+    return PASS;
+  }
+  return {
+    status: false,
+    message: "file type not allowed",
+    data: {
+      error_category: "validation",
+      rejected: rejected.map((f) => ({ name: f.name, type: f.type })),
+      allowed: { mimeTypes: allowedMimes, extensions: allowedExtensions }
+    }
+  };
+}
+function validateFiles(files, config) {
+  if (files.length === 0) {
+    return PASS;
+  }
+  const maxFiles = config.limits?.maxFiles ?? DEFAULT_MAX_FILES;
+  const maxFileSize = config.limits?.maxFileSize ?? DEFAULT_MAX_FILE_SIZE;
+  const minFileSize = config.limits?.minFileSize ?? DEFAULT_MIN_FILE_SIZE;
+  const maxTotalSize = config.limits?.maxTotalSize ?? DEFAULT_MAX_TOTAL_SIZE;
+  const maxFilenameLength = config.limits?.maxFilenameLength ?? DEFAULT_MAX_FILENAME_LENGTH;
+  const allowedMimes = config.allow?.mimeTypes ?? DEFAULT_ALLOWED_MIMES;
+  const allowedExtensions = config.allow?.extensions ?? DEFAULT_ALLOWED_EXTENSIONS;
+  const checks = [
+    validateFilenameLength(files, maxFilenameLength),
+    validateZeroByteFiles(files),
+    validateMinFileSize(files, minFileSize),
+    validateFileCount(files, maxFiles),
+    validateFileSize(files, maxFileSize),
+    validateTotalSize(files, maxTotalSize),
+    validateAllowlist(files, allowedMimes, allowedExtensions)
+  ];
+  for (const check of checks) {
+    if (!check.status) {
+      return check;
+    }
+  }
+  return PASS;
+}
+
+// rest/uploads/parse-formdata.ts
+async function parseBodyToStructured(c) {
+  try {
+    const body = await c.req.parseBody({ all: true });
+    const fields = {};
+    const files = {};
+    const conflicts = [];
+    for (const [key, value] of Object.entries(body)) {
+      if (key === "action") {
+        continue;
+      }
+      if (Array.isArray(value)) {
+        const hasFiles = value.some((v) => v instanceof File);
+        const hasStrings = value.some((v) => typeof v === "string");
+        if (hasFiles && hasStrings) {
+          conflicts.push(key);
+          continue;
+        }
+        if (hasFiles) {
+          files[key] = value.filter((v) => v instanceof File);
+        } else {
+          fields[key] = value.map((v) => String(v));
+        }
+      } else if (value instanceof File) {
+        files[key] = value;
+      } else {
+        fields[key] = String(value);
+      }
+    }
+    if (conflicts.length > 0) {
+      return {
+        status: false,
+        message: "mixed key types not allowed",
+        errorData: {
+          error_category: "validation",
+          conflicts,
+          hint: "Same key cannot be used for both files and fields"
+        }
+      };
+    }
+    return { status: true, data: { fields, files } };
+  } catch (error) {
+    return {
+      status: false,
+      message: "failed to parse request body",
+      errorData: {
+        error_category: "parsing",
+        error: error instanceof Error ? error.message : String(error)
+      }
+    };
+  }
+}
+function enforceActionContentType(action, contentType, enforceContentType) {
+  if (!(enforceContentType && action.isSpecial?.contentType)) {
+    return { status: true };
+  }
+  const expected = action.isSpecial.contentType;
+  const matches = contentType.toLowerCase().includes(expected.toLowerCase());
+  if (!matches) {
+    return {
+      status: false,
+      statusCode: 415,
+      message: "unsupported content type",
+      data: {
+        error_category: "validation",
+        expected,
+        received: contentType
+      }
+    };
+  }
+  return { status: true };
+}
+async function handleFormDataRequest(c, config, _uploadMode = "flat") {
+  const parseResult = await parseBodyToStructured(c);
+  if (!(parseResult.status && parseResult.data)) {
+    return parseResult;
+  }
+  const payload = parseResult.data;
+  const allFiles = [];
+  for (const value of Object.values(payload.files)) {
+    if (Array.isArray(value)) {
+      allFiles.push(...value);
+    } else {
+      allFiles.push(value);
+    }
+  }
+  const validationResult = validateFiles(allFiles, config);
+  if (!validationResult.status) {
+    return {
+      status: false,
+      message: validationResult.message,
+      errorData: validationResult.data,
+      statusCode: validationResult.statusCode
+    };
+  }
+  return { status: true, data: payload };
 }
 
 // rest/rest.ts
@@ -1195,6 +1568,87 @@ var externalRequestSchema = z2.object({
   action: z2.string().min(1),
   payload: z2.record(z2.string(), z2.unknown())
 });
+var formDataRoutingSchema = z2.object({
+  intent: z2.enum(["explore", "execute", "schema"]),
+  service: z2.string().min(1),
+  action: z2.string().min(1)
+});
+async function handleFormDataPath(c, config, engine, nileContext, authContext, log) {
+  const rawBody = await c.req.parseBody({ all: true }).catch(() => null);
+  if (!rawBody) {
+    return c.json(
+      {
+        status: false,
+        message: "Failed to parse multipart form data",
+        data: {}
+      },
+      400
+    );
+  }
+  const routing = formDataRoutingSchema.safeParse({
+    intent: rawBody.intent,
+    service: rawBody.service,
+    action: rawBody.action
+  });
+  if (!routing.success) {
+    return c.json(
+      {
+        status: false,
+        message: "Form-data must include 'intent', 'service', and 'action' fields",
+        data: { errors: routing.error.issues }
+      },
+      400
+    );
+  }
+  const { intent, service, action } = routing.data;
+  log(`${intent} -> ${service}.${action} (form-data)`);
+  const actionResult = engine.getAction(service, action);
+  if (actionResult.isOk && config.uploads?.enforceContentType) {
+    const contentTypeCheck = enforceActionContentType(
+      actionResult.value,
+      "multipart/form-data",
+      true
+    );
+    if (!contentTypeCheck.status) {
+      return c.json(
+        {
+          status: false,
+          message: contentTypeCheck.message ?? "Unsupported content type",
+          data: contentTypeCheck.data ?? {}
+        },
+        contentTypeCheck.statusCode ?? 415
+      );
+    }
+  }
+  const uploadConfig = config.uploads ?? {};
+  const uploadMode = actionResult.isOk ? actionResult.value.isSpecial?.uploadMode ?? "flat" : "flat";
+  const uploadResult = await handleFormDataRequest(c, uploadConfig, uploadMode);
+  if (!(uploadResult.status && uploadResult.data)) {
+    return c.json(
+      {
+        status: false,
+        message: uploadResult.message ?? "Upload validation failed",
+        data: uploadResult.errorData ?? {}
+      },
+      uploadResult.statusCode ?? 400
+    );
+  }
+  const request = {
+    intent,
+    service,
+    action,
+    payload: uploadResult.data
+  };
+  const handler = intentHandlers[request.intent];
+  const response = await handler(
+    engine,
+    request,
+    nileContext,
+    authContext
+  );
+  const statusCode = response.status ? 200 : 400;
+  return c.json(response, statusCode);
+}
 function createRestApp(params) {
   const { config, engine, nileContext, serverName, runtime } = params;
   const app = new Hono();
@@ -1207,6 +1661,22 @@ function createRestApp(params) {
   applyStaticServing(app, config, runtime, log);
   const servicesPath = `${config.baseUrl}/services`;
   app.post(servicesPath, async (c) => {
+    const contentType = c.req.header("content-type") ?? "";
+    const isFormData = contentType.includes("multipart/form-data");
+    const authContext = {
+      headers: c.req.raw.headers,
+      cookies: getCookie(c)
+    };
+    if (isFormData) {
+      return handleFormDataPath(
+        c,
+        config,
+        engine,
+        nileContext,
+        authContext,
+        log
+      );
+    }
     const body = await c.req.json().catch(() => null);
     if (!body) {
       return c.json(
@@ -1232,7 +1702,12 @@ function createRestApp(params) {
     const request = parsed.data;
     log(`${request.intent} -> ${request.service}.${request.action}`);
     const handler = intentHandlers[request.intent];
-    const response = await handler(engine, request, nileContext);
+    const response = await handler(
+      engine,
+      request,
+      nileContext,
+      authContext
+    );
     const statusCode = response.status ? 200 : 400;
     return c.json(response, statusCode);
   });
@@ -1283,6 +1758,20 @@ function createNileContext(params) {
     setSession(name, data) {
       sessions[name] = data;
     },
+    authResult: void 0,
+    getAuth() {
+      return context.authResult;
+    },
+    getUser() {
+      if (!context.authResult) {
+        return void 0;
+      }
+      return {
+        userId: context.authResult.userId,
+        organizationId: context.authResult.organizationId,
+        ...context.authResult.claims
+      };
+    },
     hookContext: {
       actionName: "",
       input: null,
@@ -1341,6 +1830,7 @@ function createNileServer(config) {
     services: config.services,
     diagnostics: config.diagnostics,
     logger: config.resources?.logger,
+    auth: config.auth,
     onBeforeActionHandler: config.onBeforeActionHandler,
     onAfterActionHandler: config.onAfterActionHandler
   });
@@ -1406,6 +1896,9 @@ export {
   getContext,
   getLogs,
   getZodSchema,
-  handleError
+  handleError,
+  handleFormDataRequest,
+  validateFiles,
+  verifyJWT
 };
 //# sourceMappingURL=index.js.map