@parsrun/server 0.1.0

package/dist/index.js

@@ -0,0 +1,2094 @@
+// src/app.ts
+import { Hono } from "hono";
+import { createLogger } from "@parsrun/core";
+
+// src/context.ts
+function success(data, meta) {
+  return {
+    success: true,
+    data,
+    meta: meta ?? void 0
+  };
+}
+function error(code, message, details) {
+  return {
+    success: false,
+    error: { code, message, details: details ?? void 0 }
+  };
+}
+function generateRequestId() {
+  return crypto.randomUUID();
+}
+
+// src/app.ts
+function createServer(options) {
+  const app = new Hono({
+    strict: options.strict ?? false
+  });
+  const logger = options.logger ?? createLogger({ name: "pars-server" });
+  app.use("*", async (c, next) => {
+    c.set("db", options.database);
+    c.set("config", options);
+    c.set("logger", logger);
+    c.set("enabledModules", /* @__PURE__ */ new Set());
+    c.set("cookiePrefix", options.cookiePrefix);
+    c.set("custom", options.custom ?? {});
+    if (options.requestId !== false) {
+      const requestId = c.req.header("x-request-id") ?? generateRequestId();
+      c.set("requestId", requestId);
+      c.header("x-request-id", requestId);
+    }
+    await next();
+  });
+  return app;
+}
+function createRouter() {
+  return new Hono();
+}
+function createVersionedRouter(version) {
+  const router = new Hono();
+  const versionedRouter = new Hono();
+  versionedRouter.route(`/${version}`, router);
+  return versionedRouter;
+}
+function createModuleRouter(moduleName, options) {
+  const moduleRouter = new Hono();
+  if (options.middleware) {
+    for (const mw of options.middleware) {
+      moduleRouter.use("*", mw);
+    }
+  }
+  options.routes(moduleRouter);
+  const wrappedRouter = new Hono();
+  wrappedRouter.route(`/${moduleName}`, moduleRouter);
+  return wrappedRouter;
+}
+
+// src/module-loader.ts
+import { Hono as Hono2 } from "hono";
+import { cors } from "hono/cors";
+import { createLogger as createLogger2 } from "@parsrun/core";
+var ModuleLoader = class {
+  app;
+  db;
+  enabledModules = /* @__PURE__ */ new Set();
+  moduleRegistry = /* @__PURE__ */ new Map();
+  logger;
+  config;
+  cookiePrefix;
+  initialized = false;
+  constructor(options) {
+    this.config = options.config;
+    this.db = options.config.database;
+    this.cookiePrefix = options.cookiePrefix;
+    this.logger = options.logger ?? createLogger2({ name: "ModuleLoader" });
+    this.app = new Hono2();
+    this.setupMiddleware();
+    this.setupCoreRoutes();
+  }
+  /**
+   * Initialize the module loader
+   * Checks database connection
+   */
+  async initialize() {
+    if (this.initialized) {
+      this.logger.warn("ModuleLoader already initialized");
+      return;
+    }
+    this.logger.info("Initializing ModuleLoader...");
+    try {
+      if (this.db.ping) {
+        const ok = await this.db.ping();
+        if (!ok) throw new Error("Database ping returned false");
+      } else {
+        await this.db.execute("SELECT 1");
+      }
+      this.logger.info("Database connection: OK");
+    } catch (error2) {
+      this.logger.error("Database connection failed", error2);
+      throw new Error("Database connection failed");
+    }
+    this.initialized = true;
+    this.logger.info("ModuleLoader initialized successfully");
+  }
+  /**
+   * Setup core middleware
+   */
+  setupMiddleware() {
+    this.app.use("*", async (c, next) => {
+      const requestId = generateRequestId();
+      const requestLogger2 = this.logger.child({ requestId });
+      c.set("db", this.db);
+      c.set("config", this.config);
+      c.set("enabledModules", this.enabledModules);
+      c.set("logger", requestLogger2);
+      c.set("requestId", requestId);
+      c.set("cookiePrefix", this.cookiePrefix);
+      c.set("custom", this.config.custom ?? {});
+      c.set("user", void 0);
+      c.set("tenant", void 0);
+      const start = Date.now();
+      await next();
+      const duration = Date.now() - start;
+      requestLogger2.debug("Request completed", {
+        method: c.req.method,
+        path: c.req.path,
+        status: c.res.status,
+        durationMs: duration
+      });
+    });
+    if (this.config.cors) {
+      this.app.use("*", cors(this.normalizeCorsConfig(this.config.cors)));
+    }
+  }
+  /**
+   * Normalize CORS config for Hono
+   */
+  normalizeCorsConfig(config) {
+    const result = {
+      origin: typeof config.origin === "function" ? (origin) => config.origin(origin) ? origin : null : config.origin
+    };
+    if (config.credentials !== void 0) {
+      result.credentials = config.credentials;
+    }
+    if (config.methods !== void 0) {
+      result.allowMethods = config.methods;
+    }
+    if (config.allowedHeaders !== void 0) {
+      result.allowHeaders = config.allowedHeaders;
+    }
+    if (config.exposedHeaders !== void 0) {
+      result.exposeHeaders = config.exposedHeaders;
+    }
+    if (config.maxAge !== void 0) {
+      result.maxAge = config.maxAge;
+    }
+    return result;
+  }
+  /**
+   * Setup core routes
+   */
+  setupCoreRoutes() {
+    const basePath = this.config.basePath ?? "/api/v1";
+    this.app.get("/health", (c) => {
+      return c.json({
+        status: "ok",
+        timestamp: (/* @__PURE__ */ new Date()).toISOString()
+      });
+    });
+    this.app.get("/health/details", async (c) => {
+      let dbStatus = "unknown";
+      try {
+        if (this.db.ping) {
+          dbStatus = await this.db.ping() ? "ok" : "error";
+        } else {
+          await this.db.execute("SELECT 1");
+          dbStatus = "ok";
+        }
+      } catch {
+        dbStatus = "error";
+      }
+      return c.json({
+        status: dbStatus === "ok" ? "ok" : "degraded",
+        timestamp: (/* @__PURE__ */ new Date()).toISOString(),
+        services: {
+          database: dbStatus
+        },
+        modules: {
+          enabled: Array.from(this.enabledModules),
+          registered: Array.from(this.moduleRegistry.keys())
+        }
+      });
+    });
+    this.app.get(basePath, (c) => {
+      const endpoints = {
+        health: "/health",
+        features: `${basePath}/features`
+      };
+      for (const moduleName of this.enabledModules) {
+        endpoints[moduleName] = `${basePath}/${moduleName}`;
+      }
+      return c.json({
+        name: "Pars API",
+        version: "1.0.0",
+        endpoints
+      });
+    });
+    this.app.get(`${basePath}/features`, (c) => {
+      const features = Array.from(this.enabledModules).map((name) => {
+        const module = this.moduleRegistry.get(name);
+        return {
+          name,
+          version: module?.version ?? "1.0.0",
+          description: module?.description ?? "",
+          permissions: module?.permissions ?? {}
+        };
+      });
+      return c.json({
+        enabled: Array.from(this.enabledModules),
+        features
+      });
+    });
+  }
+  /**
+   * Register a module
+   */
+  registerModule(manifest) {
+    if (this.moduleRegistry.has(manifest.name)) {
+      this.logger.warn(`Module already registered: ${manifest.name}`);
+      return;
+    }
+    this.moduleRegistry.set(manifest.name, manifest);
+    this.logger.info(`Registered module: ${manifest.name}`);
+  }
+  /**
+   * Enable a registered module
+   */
+  async enableModule(moduleName) {
+    const module = this.moduleRegistry.get(moduleName);
+    if (!module) {
+      this.logger.error(`Module not found: ${moduleName}`);
+      return false;
+    }
+    if (this.enabledModules.has(moduleName)) {
+      this.logger.warn(`Module already enabled: ${moduleName}`);
+      return true;
+    }
+    if (module.dependencies) {
+      for (const dep of module.dependencies) {
+        if (!this.enabledModules.has(dep)) {
+          this.logger.error(
+            `Module ${moduleName} requires ${dep} to be enabled first`
+          );
+          return false;
+        }
+      }
+    }
+    try {
+      this.logger.info(`Enabling module: ${moduleName}`);
+      if (module.onEnable) {
+        await module.onEnable();
+      }
+      module.registerRoutes(this.app);
+      this.enabledModules.add(moduleName);
+      this.logger.info(`Enabled module: ${moduleName}`);
+      return true;
+    } catch (error2) {
+      this.logger.error(`Failed to enable module ${moduleName}`, error2);
+      return false;
+    }
+  }
+  /**
+   * Disable an enabled module
+   */
+  async disableModule(moduleName) {
+    if (!this.enabledModules.has(moduleName)) {
+      this.logger.warn(`Module not enabled: ${moduleName}`);
+      return true;
+    }
+    const module = this.moduleRegistry.get(moduleName);
+    if (!module) {
+      this.logger.error(`Module not found: ${moduleName}`);
+      return false;
+    }
+    for (const [name, m] of this.moduleRegistry) {
+      if (this.enabledModules.has(name) && m.dependencies?.includes(moduleName)) {
+        this.logger.error(
+          `Cannot disable ${moduleName}: ${name} depends on it`
+        );
+        return false;
+      }
+    }
+    try {
+      if (module.onDisable) {
+        await module.onDisable();
+      }
+      this.enabledModules.delete(moduleName);
+      this.logger.info(`Disabled module: ${moduleName}`);
+      return true;
+    } catch (error2) {
+      this.logger.error(`Failed to disable module ${moduleName}`, error2);
+      return false;
+    }
+  }
+  /**
+   * Get the Hono app instance
+   */
+  getApp() {
+    return this.app;
+  }
+  /**
+   * Get enabled modules
+   */
+  getEnabledModules() {
+    return Array.from(this.enabledModules);
+  }
+  /**
+   * Get registered modules
+   */
+  getRegisteredModules() {
+    return Array.from(this.moduleRegistry.keys());
+  }
+  /**
+   * Check if module is enabled
+   */
+  isModuleEnabled(moduleName) {
+    return this.enabledModules.has(moduleName);
+  }
+  /**
+   * Check if module is registered
+   */
+  isModuleRegistered(moduleName) {
+    return this.moduleRegistry.has(moduleName);
+  }
+  /**
+   * Get database adapter
+   */
+  getDatabase() {
+    return this.db;
+  }
+  /**
+   * Get logger
+   */
+  getLogger() {
+    return this.logger;
+  }
+};
+function createModuleLoader(options) {
+  return new ModuleLoader(options);
+}
+function defineModule(manifest) {
+  return manifest;
+}
+
+// src/rls.ts
+var DEFAULT_RLS_CONFIG = {
+  tenantIdColumn: "tenant_id",
+  sessionVariable: "app.current_tenant_id",
+  enabled: true
+};
+var RLSManager = class {
+  constructor(db, config = {}) {
+    this.db = db;
+    this.config = { ...DEFAULT_RLS_CONFIG, ...config };
+  }
+  config;
+  /**
+   * Set current tenant ID in database session
+   * This enables RLS policies to filter by tenant
+   */
+  async setTenantId(tenantId) {
+    if (!this.config.enabled) return;
+    try {
+      const escapedTenantId = tenantId.replace(/'/g, "''");
+      await this.db.execute(`SET ${this.config.sessionVariable} = '${escapedTenantId}'`);
+    } catch (error2) {
+      console.error("Failed to set tenant ID for RLS:", error2);
+      throw new RLSError("Failed to set tenant context", "RLS_SET_FAILED", error2);
+    }
+  }
+  /**
+   * Clear current tenant ID from database session
+   */
+  async clearTenantId() {
+    if (!this.config.enabled) return;
+    try {
+      await this.db.execute(`RESET ${this.config.sessionVariable}`);
+    } catch (error2) {
+      console.error("Failed to clear tenant ID for RLS:", error2);
+      throw new RLSError("Failed to clear tenant context", "RLS_CLEAR_FAILED", error2);
+    }
+  }
+  /**
+   * Execute a function with tenant context
+   * Automatically sets and clears tenant ID
+   */
+  async withTenant(tenantId, operation) {
+    await this.setTenantId(tenantId);
+    try {
+      return await operation();
+    } finally {
+      await this.clearTenantId();
+    }
+  }
+  /**
+   * Check if RLS is enabled
+   */
+  isEnabled() {
+    return this.config.enabled;
+  }
+  /**
+   * Get current configuration
+   */
+  getConfig() {
+    return { ...this.config };
+  }
+};
+var RLSError = class extends Error {
+  constructor(message, code, cause) {
+    super(message);
+    this.code = code;
+    this.cause = cause;
+    this.name = "RLSError";
+  }
+};
+function createRLSManager(db, config) {
+  return new RLSManager(db, config);
+}
+function rlsMiddleware(config) {
+  return async (c, next) => {
+    const user = c.get("user");
+    const db = c.get("db");
+    if (!user?.tenantId || !db) {
+      return next();
+    }
+    const rls = new RLSManager(db, config);
+    try {
+      await rls.setTenantId(user.tenantId);
+      await next();
+    } finally {
+      await rls.clearTenantId();
+    }
+  };
+}
+function generateRLSPolicy(tableName, options = {}) {
+  const {
+    tenantIdColumn = "tenant_id",
+    sessionVariable = "app.current_tenant_id",
+    policyName = `${tableName}_tenant_isolation`,
+    castType = "uuid"
+  } = options;
+  return `
+-- Enable RLS on table
+ALTER TABLE ${tableName} ENABLE ROW LEVEL SECURITY;
+
+-- Force RLS for table owner too
+ALTER TABLE ${tableName} FORCE ROW LEVEL SECURITY;
+
+-- Create tenant isolation policy
+DROP POLICY IF EXISTS ${policyName} ON ${tableName};
+CREATE POLICY ${policyName} ON ${tableName}
+  FOR ALL
+  USING (${tenantIdColumn} = current_setting('${sessionVariable}', true)::${castType});
+`.trim();
+}
+function generateDisableRLS(tableName) {
+  return `
+ALTER TABLE ${tableName} DISABLE ROW LEVEL SECURITY;
+ALTER TABLE ${tableName} NO FORCE ROW LEVEL SECURITY;
+`.trim();
+}
+
+// src/rbac.ts
+import { ForbiddenError, UnauthorizedError } from "@parsrun/core";
+var InMemoryRBAC = class {
+  userPermissions = /* @__PURE__ */ new Map();
+  userRoles = /* @__PURE__ */ new Map();
+  rolePermissions = /* @__PURE__ */ new Map();
+  tenantMembers = /* @__PURE__ */ new Map();
+  /**
+   * Grant permission to user
+   */
+  grantPermission(userId, permission) {
+    if (!this.userPermissions.has(userId)) {
+      this.userPermissions.set(userId, /* @__PURE__ */ new Set());
+    }
+    this.userPermissions.get(userId).add(permission);
+  }
+  /**
+   * Revoke permission from user
+   */
+  revokePermission(userId, permission) {
+    this.userPermissions.get(userId)?.delete(permission);
+  }
+  /**
+   * Assign role to user
+   */
+  assignRole(userId, role) {
+    if (!this.userRoles.has(userId)) {
+      this.userRoles.set(userId, /* @__PURE__ */ new Set());
+    }
+    this.userRoles.get(userId).add(role);
+  }
+  /**
+   * Remove role from user
+   */
+  removeRole(userId, role) {
+    this.userRoles.get(userId)?.delete(role);
+  }
+  /**
+   * Define role with permissions
+   */
+  defineRole(roleName, permissions) {
+    this.rolePermissions.set(roleName, new Set(permissions));
+  }
+  /**
+   * Add user to tenant
+   */
+  addTenantMember(tenantId, userId) {
+    if (!this.tenantMembers.has(tenantId)) {
+      this.tenantMembers.set(tenantId, /* @__PURE__ */ new Set());
+    }
+    this.tenantMembers.get(tenantId).add(userId);
+  }
+  /**
+   * Remove user from tenant
+   */
+  removeTenantMember(tenantId, userId) {
+    this.tenantMembers.get(tenantId)?.delete(userId);
+  }
+  // PermissionChecker implementation
+  async getUserPermissions(userId, _tenantId) {
+    const permissions = /* @__PURE__ */ new Set();
+    const direct = this.userPermissions.get(userId);
+    if (direct) {
+      direct.forEach((p) => permissions.add(p));
+    }
+    const roles = this.userRoles.get(userId);
+    if (roles) {
+      roles.forEach((role) => {
+        const rolePerms = this.rolePermissions.get(role);
+        if (rolePerms) {
+          rolePerms.forEach((p) => permissions.add(p));
+        }
+      });
+    }
+    return Array.from(permissions);
+  }
+  async getUserRoles(userId, _tenantId) {
+    return Array.from(this.userRoles.get(userId) ?? []);
+  }
+  async hasPermission(userId, check, tenantId) {
+    const permissions = await this.getUserPermissions(userId, tenantId);
+    const permissionName = `${check.resource}:${check.action}`;
+    if (permissions.includes(permissionName)) {
+      return true;
+    }
+    for (const perm of permissions) {
+      if (perm === "*") return true;
+      if (perm === `${check.resource}:*`) return true;
+      if (perm === `*:${check.action}`) return true;
+    }
+    return false;
+  }
+  async isTenantMember(userId, tenantId) {
+    return this.tenantMembers.get(tenantId)?.has(userId) ?? false;
+  }
+};
+var RBACService = class {
+  constructor(checker) {
+    this.checker = checker;
+  }
+  /**
+   * Get user's permissions
+   */
+  async getUserPermissions(userId, tenantId) {
+    return this.checker.getUserPermissions(userId, tenantId);
+  }
+  /**
+   * Get user's roles
+   */
+  async getUserRoles(userId, tenantId) {
+    return this.checker.getUserRoles(userId, tenantId);
+  }
+  /**
+   * Check if user has specific permission
+   */
+  async hasPermission(userId, check, tenantId) {
+    return this.checker.hasPermission(userId, check, tenantId);
+  }
+  /**
+   * Check if user has any of the specified permissions
+   */
+  async hasAnyPermission(userId, checks, tenantId) {
+    for (const check of checks) {
+      if (await this.hasPermission(userId, check, tenantId)) {
+        return true;
+      }
+    }
+    return false;
+  }
+  /**
+   * Check if user has all specified permissions
+   */
+  async hasAllPermissions(userId, checks, tenantId) {
+    for (const check of checks) {
+      if (!await this.hasPermission(userId, check, tenantId)) {
+        return false;
+      }
+    }
+    return true;
+  }
+  /**
+   * Check if user is member of tenant
+   */
+  async isTenantMember(userId, tenantId) {
+    return this.checker.isTenantMember(userId, tenantId);
+  }
+  /**
+   * Check if user has specific role
+   */
+  async hasRole(userId, role, tenantId) {
+    const roles = await this.getUserRoles(userId, tenantId);
+    return roles.includes(role);
+  }
+  /**
+   * Check if user has any of the specified roles
+   */
+  async hasAnyRole(userId, roles, tenantId) {
+    const userRoles = await this.getUserRoles(userId, tenantId);
+    return roles.some((role) => userRoles.includes(role));
+  }
+};
+function createInMemoryRBAC() {
+  const checker = new InMemoryRBAC();
+  const rbac = new RBACService(checker);
+  return { rbac, checker };
+}
+function createRBACService(checker) {
+  return new RBACService(checker);
+}
+function requireAuth() {
+  return async (c, next) => {
+    const user = c.get("user");
+    if (!user) {
+      throw new UnauthorizedError("Authentication required");
+    }
+    return next();
+  };
+}
+function requirePermission(resource, action, options = {}) {
+  return async (c, next) => {
+    const user = c.get("user");
+    if (!user) {
+      throw new UnauthorizedError("Authentication required");
+    }
+    const check = {
+      resource,
+      action,
+      scope: options.scope ?? "tenant"
+    };
+    let hasPermission = false;
+    if (options.checker) {
+      hasPermission = await options.checker.hasPermission(user.id, check, user.tenantId);
+    } else {
+      hasPermission = checkUserPermission(user, check);
+    }
+    if (!hasPermission) {
+      throw new ForbiddenError(`Permission denied: ${resource}:${action}`);
+    }
+    return next();
+  };
+}
+function requireAnyPermission(permissions, options = {}) {
+  return async (c, next) => {
+    const user = c.get("user");
+    if (!user) {
+      throw new UnauthorizedError("Authentication required");
+    }
+    let hasAny = false;
+    for (const perm of permissions) {
+      const check = { resource: perm.resource, action: perm.action };
+      if (options.checker) {
+        if (await options.checker.hasPermission(user.id, check, user.tenantId)) {
+          hasAny = true;
+          break;
+        }
+      } else {
+        if (checkUserPermission(user, check)) {
+          hasAny = true;
+          break;
+        }
+      }
+    }
+    if (!hasAny) {
+      throw new ForbiddenError("Insufficient permissions");
+    }
+    return next();
+  };
+}
+function requireRole(role) {
+  return async (c, next) => {
+    const user = c.get("user");
+    if (!user) {
+      throw new UnauthorizedError("Authentication required");
+    }
+    if (user.role !== role) {
+      throw new ForbiddenError(`Role required: ${role}`);
+    }
+    return next();
+  };
+}
+function requireAnyRole(roles) {
+  return async (c, next) => {
+    const user = c.get("user");
+    if (!user) {
+      throw new UnauthorizedError("Authentication required");
+    }
+    if (!user.role || !roles.includes(user.role)) {
+      throw new ForbiddenError(`One of these roles required: ${roles.join(", ")}`);
+    }
+    return next();
+  };
+}
+function requireTenantMember(requiredRole) {
+  return async (c, next) => {
+    const user = c.get("user");
+    const tenant = c.get("tenant");
+    if (!user) {
+      throw new UnauthorizedError("Authentication required");
+    }
+    if (!tenant) {
+      throw new ForbiddenError("Tenant context required");
+    }
+    if (user.tenantId !== tenant.id) {
+      throw new ForbiddenError("Not a member of this tenant");
+    }
+    if (requiredRole && user.role !== requiredRole) {
+      throw new ForbiddenError(`Role required in tenant: ${requiredRole}`);
+    }
+    return next();
+  };
+}
+function checkUserPermission(user, check) {
+  const permissionName = `${check.resource}:${check.action}`;
+  for (const perm of user.permissions) {
+    if (perm === permissionName) return true;
+    if (perm === "*") return true;
+    if (perm === `${check.resource}:*`) return true;
+    if (perm === `*:${check.action}`) return true;
+  }
+  return false;
+}
+function parsePermission(permission) {
+  const [resource, action] = permission.split(":");
+  if (!resource || !action) {
+    throw new Error(`Invalid permission format: ${permission}`);
+  }
+  return { resource, action };
+}
+function createPermission(resource, action) {
+  return `${resource}:${action}`;
+}
+function crudPermissions(resource) {
+  return [
+    { name: `${resource}:create`, resource, action: "create" },
+    { name: `${resource}:read`, resource, action: "read" },
+    { name: `${resource}:update`, resource, action: "update" },
+    { name: `${resource}:delete`, resource, action: "delete" },
+    { name: `${resource}:list`, resource, action: "list" }
+  ];
+}
+var StandardRoles = {
+  OWNER: {
+    name: "owner",
+    displayName: "Owner",
+    description: "Full access to all resources",
+    permissions: ["*"],
+    isSystem: true
+  },
+  ADMIN: {
+    name: "admin",
+    displayName: "Administrator",
+    description: "Administrative access",
+    permissions: ["*:read", "*:create", "*:update", "*:list"],
+    isSystem: true
+  },
+  MEMBER: {
+    name: "member",
+    displayName: "Member",
+    description: "Standard member access",
+    permissions: ["*:read", "*:list"],
+    isSystem: true
+  },
+  VIEWER: {
+    name: "viewer",
+    displayName: "Viewer",
+    description: "Read-only access",
+    permissions: ["*:read", "*:list"],
+    isSystem: true
+  }
+};
+
+// src/middleware/error-handler.ts
+var ApiError = class extends Error {
+  constructor(statusCode, code, message, details) {
+    super(message);
+    this.statusCode = statusCode;
+    this.code = code;
+    this.details = details;
+    this.name = "ApiError";
+  }
+  toResponse() {
+    return error(this.code, this.message, this.details);
+  }
+};
+var BadRequestError = class extends ApiError {
+  constructor(message = "Bad request", details) {
+    super(400, "BAD_REQUEST", message, details);
+    this.name = "BadRequestError";
+  }
+};
+var UnauthorizedError2 = class extends ApiError {
+  constructor(message = "Unauthorized", details) {
+    super(401, "UNAUTHORIZED", message, details);
+    this.name = "UnauthorizedError";
+  }
+};
+var ForbiddenError2 = class extends ApiError {
+  constructor(message = "Forbidden", details) {
+    super(403, "FORBIDDEN", message, details);
+    this.name = "ForbiddenError";
+  }
+};
+var NotFoundError = class extends ApiError {
+  constructor(message = "Not found", details) {
+    super(404, "NOT_FOUND", message, details);
+    this.name = "NotFoundError";
+  }
+};
+var ConflictError = class extends ApiError {
+  constructor(message = "Conflict", details) {
+    super(409, "CONFLICT", message, details);
+    this.name = "ConflictError";
+  }
+};
+var ValidationError = class extends ApiError {
+  constructor(message = "Validation failed", details) {
+    super(422, "VALIDATION_ERROR", message, details);
+    this.name = "ValidationError";
+  }
+};
+var RateLimitError = class extends ApiError {
+  constructor(message = "Too many requests", retryAfter) {
+    super(429, "RATE_LIMIT_EXCEEDED", message, { retryAfter });
+    this.retryAfter = retryAfter;
+    this.name = "RateLimitError";
+  }
+};
+var InternalError = class extends ApiError {
+  constructor(message = "Internal server error", details) {
+    super(500, "INTERNAL_ERROR", message, details);
+    this.name = "InternalError";
+  }
+};
+var ServiceUnavailableError = class extends ApiError {
+  constructor(message = "Service unavailable", details) {
+    super(503, "SERVICE_UNAVAILABLE", message, details);
+    this.name = "ServiceUnavailableError";
+  }
+};
+function errorHandler(options = {}) {
+  const {
+    includeStack = false,
+    onError,
+    errorTransport,
+    captureAllErrors = false,
+    shouldCapture
+  } = options;
+  return async (c, next) => {
+    try {
+      await next();
+    } catch (err) {
+      const error2 = err instanceof Error ? err : new Error(String(err));
+      const statusCode = error2 instanceof ApiError ? error2.statusCode : 500;
+      if (onError) {
+        onError(error2, c);
+      } else {
+        const logger = c.get("logger");
+        if (logger) {
+          logger.error("Request error", {
+            requestId: c.get("requestId"),
+            error: error2.message,
+            stack: error2.stack
+          });
+        }
+      }
+      if (errorTransport) {
+        const shouldCaptureError = shouldCapture ? shouldCapture(error2, statusCode) : captureAllErrors || statusCode >= 500;
+        if (shouldCaptureError) {
+          const user = c.get("user");
+          const tenant = c.get("tenant");
+          const errorContext = {
+            requestId: c.get("requestId"),
+            tags: {
+              path: c.req.path,
+              method: c.req.method,
+              statusCode: String(statusCode)
+            }
+          };
+          if (user?.id) {
+            errorContext.userId = user.id;
+          }
+          if (tenant?.id) {
+            errorContext.tenantId = tenant.id;
+          }
+          const extra = {
+            query: c.req.query()
+          };
+          if (error2 instanceof ApiError) {
+            extra["errorCode"] = error2.code;
+          }
+          errorContext.extra = extra;
+          Promise.resolve(
+            errorTransport.captureException(error2, errorContext)
+          ).catch(() => {
+          });
+        }
+      }
+      if (error2 instanceof ApiError) {
+        return c.json(error2.toResponse(), error2.statusCode);
+      }
+      const details = {};
+      if (includeStack && error2.stack) {
+        details["stack"] = error2.stack;
+      }
+      return c.json(
+        error("INTERNAL_ERROR", "An unexpected error occurred", details),
+        500
+      );
+    }
+  };
+}
+function notFoundHandler(c) {
+  return c.json(
+    error("NOT_FOUND", `Route ${c.req.method} ${c.req.path} not found`),
+    404
+  );
+}
+
+// src/middleware/auth.ts
+function extractToken(c, header, prefix, cookie) {
+  const authHeader = c.req.header(header);
+  if (authHeader) {
+    if (prefix && authHeader.startsWith(`${prefix} `)) {
+      return authHeader.slice(prefix.length + 1);
+    }
+    return authHeader;
+  }
+  if (cookie) {
+    const cookieHeader = c.req.header("cookie");
+    if (cookieHeader) {
+      const cookies = cookieHeader.split(";").map((c2) => c2.trim());
+      for (const c2 of cookies) {
+        const [key, ...valueParts] = c2.split("=");
+        if (key === cookie) {
+          return valueParts.join("=");
+        }
+      }
+    }
+  }
+  return null;
+}
+function auth(options) {
+  const {
+    verify,
+    header = "authorization",
+    prefix = "Bearer",
+    cookie,
+    skip,
+    message = "Authentication required"
+  } = options;
+  return async (c, next) => {
+    if (skip?.(c)) {
+      return next();
+    }
+    const token = extractToken(c, header, prefix, cookie);
+    if (!token) {
+      throw new UnauthorizedError2(message);
+    }
+    const payload = await verify(token);
+    if (!payload) {
+      throw new UnauthorizedError2("Invalid or expired token");
+    }
+    const user = {
+      id: payload.sub,
+      email: payload.email,
+      tenantId: payload.tenantId,
+      role: payload.role,
+      permissions: payload.permissions ?? []
+    };
+    c.set("user", user);
+    await next();
+  };
+}
+function optionalAuth(options) {
+  const { verify, header = "authorization", prefix = "Bearer", cookie, skip } = options;
+  return async (c, next) => {
+    if (skip?.(c)) {
+      return next();
+    }
+    const token = extractToken(c, header, prefix, cookie);
+    if (token) {
+      try {
+        const payload = await verify(token);
+        if (payload) {
+          const user = {
+            id: payload.sub,
+            email: payload.email,
+            tenantId: payload.tenantId,
+            role: payload.role,
+            permissions: payload.permissions ?? []
+          };
+          c.set("user", user);
+        }
+      } catch {
+      }
+    }
+    await next();
+  };
+}
+function createAuthMiddleware(baseOptions) {
+  return {
+    auth: (options) => auth({ ...baseOptions, ...options }),
+    optionalAuth: (options) => optionalAuth({ ...baseOptions, ...options })
+  };
+}
+
+// src/middleware/cors.ts
+var defaultCorsConfig = {
+  origin: "*",
+  credentials: false,
+  methods: ["GET", "POST", "PUT", "PATCH", "DELETE", "OPTIONS"],
+  allowedHeaders: ["Content-Type", "Authorization", "X-Request-ID", "X-CSRF-Token"],
+  exposedHeaders: ["X-Request-ID", "X-Total-Count"],
+  maxAge: 86400
+  // 24 hours
+};
+function isOriginAllowed(origin, config) {
+  if (config.origin === "*") return true;
+  if (typeof config.origin === "string") {
+    return origin === config.origin;
+  }
+  if (Array.isArray(config.origin)) {
+    return config.origin.includes(origin);
+  }
+  if (typeof config.origin === "function") {
+    return config.origin(origin);
+  }
+  return false;
+}
+function cors2(config) {
+  const corsConfig2 = { ...defaultCorsConfig, ...config };
+  return async (c, next) => {
+    const origin = c.req.header("origin") ?? "";
+    if (c.req.method === "OPTIONS") {
+      const response = new Response(null, { status: 204 });
+      if (isOriginAllowed(origin, corsConfig2)) {
+        response.headers.set("Access-Control-Allow-Origin", origin || "*");
+      }
+      if (corsConfig2.credentials) {
+        response.headers.set("Access-Control-Allow-Credentials", "true");
+      }
+      if (corsConfig2.methods) {
+        response.headers.set(
+          "Access-Control-Allow-Methods",
+          corsConfig2.methods.join(", ")
+        );
+      }
+      if (corsConfig2.allowedHeaders) {
+        response.headers.set(
+          "Access-Control-Allow-Headers",
+          corsConfig2.allowedHeaders.join(", ")
+        );
+      }
+      if (corsConfig2.maxAge) {
+        response.headers.set("Access-Control-Max-Age", String(corsConfig2.maxAge));
+      }
+      return response;
+    }
+    await next();
+    if (isOriginAllowed(origin, corsConfig2)) {
+      c.header("Access-Control-Allow-Origin", origin || "*");
+    }
+    if (corsConfig2.credentials) {
+      c.header("Access-Control-Allow-Credentials", "true");
+    }
+    if (corsConfig2.exposedHeaders) {
+      c.header("Access-Control-Expose-Headers", corsConfig2.exposedHeaders.join(", "));
+    }
+  };
+}
+
+// src/middleware/csrf.ts
+function generateRandomToken() {
+  const bytes = new Uint8Array(32);
+  crypto.getRandomValues(bytes);
+  return Array.from(bytes).map((b) => b.toString(16).padStart(2, "0")).join("");
+}
+function getCookie(c, name) {
+  const cookieHeader = c.req.header("cookie");
+  if (!cookieHeader) return void 0;
+  const cookies = cookieHeader.split(";").map((c2) => c2.trim());
+  for (const cookie of cookies) {
+    const [key, ...valueParts] = cookie.split("=");
+    if (key === name) {
+      return valueParts.join("=");
+    }
+  }
+  return void 0;
+}
+function csrf(options = {}) {
+  const {
+    cookieName = "_csrf",
+    headerName = "x-csrf-token",
+    methods = ["POST", "PUT", "PATCH", "DELETE"],
+    excludePaths = [],
+    skip,
+    generateToken = generateRandomToken,
+    cookie = {}
+  } = options;
+  const cookieOptions = {
+    secure: cookie.secure ?? true,
+    httpOnly: cookie.httpOnly ?? true,
+    sameSite: cookie.sameSite ?? "lax",
+    path: cookie.path ?? "/",
+    maxAge: cookie.maxAge ?? 86400
+    // 24 hours
+  };
+  return async (c, next) => {
+    if (skip?.(c)) {
+      return next();
+    }
+    const path = c.req.path;
+    if (excludePaths.some((p) => path.startsWith(p))) {
+      return next();
+    }
+    let token = getCookie(c, cookieName);
+    if (!token) {
+      token = generateToken();
+      const cookieValue = [
+        `${cookieName}=${token}`,
+        `Path=${cookieOptions.path}`,
+        `Max-Age=${cookieOptions.maxAge}`,
+        cookieOptions.sameSite && `SameSite=${cookieOptions.sameSite}`,
+        cookieOptions.secure && "Secure",
+        cookieOptions.httpOnly && "HttpOnly"
+      ].filter(Boolean).join("; ");
+      c.header("Set-Cookie", cookieValue);
+    }
+    c.set("csrfToken", token);
+    if (methods.includes(c.req.method)) {
+      const headerToken = c.req.header(headerName);
+      const bodyToken = await getBodyToken(c);
+      const providedToken = headerToken ?? bodyToken;
+      if (!providedToken || providedToken !== token) {
+        throw new ForbiddenError2("Invalid CSRF token");
+      }
+    }
+    await next();
+  };
+}
+async function getBodyToken(c) {
+  try {
+    const contentType = c.req.header("content-type") ?? "";
+    if (contentType.includes("application/json")) {
+      const body = await c.req.json();
+      return body["_csrf"] ?? body["csrfToken"] ?? body["csrf_token"];
+    }
+    if (contentType.includes("application/x-www-form-urlencoded")) {
+      const body = await c.req.parseBody();
+      return body["_csrf"];
+    }
+  } catch {
+  }
+  return void 0;
+}
+function doubleSubmitCookie(options = {}) {
+  return csrf({
+    ...options,
+    cookie: {
+      ...options.cookie,
+      httpOnly: false
+      // Allow JS to read the cookie
+    }
+  });
+}
+
+// src/middleware/rate-limit.ts
+var MemoryRateLimitStorage = class {
+  store = /* @__PURE__ */ new Map();
+  async get(key) {
+    const entry = this.store.get(key);
+    if (!entry || entry.expires < Date.now()) {
+      return 0;
+    }
+    return entry.count;
+  }
+  async increment(key, windowMs) {
+    const now = Date.now();
+    const entry = this.store.get(key);
+    if (!entry || entry.expires < now) {
+      this.store.set(key, { count: 1, expires: now + windowMs });
+      return 1;
+    }
+    entry.count++;
+    return entry.count;
+  }
+  async reset(key) {
+    this.store.delete(key);
+  }
+  /** Clean up expired entries */
+  cleanup() {
+    const now = Date.now();
+    for (const [key, entry] of this.store) {
+      if (entry.expires < now) {
+        this.store.delete(key);
+      }
+    }
+  }
+};
+var defaultStorage = null;
+function getDefaultStorage() {
+  if (!defaultStorage) {
+    defaultStorage = new MemoryRateLimitStorage();
+  }
+  return defaultStorage;
+}
+function rateLimit(options = {}) {
+  const {
+    windowMs = 60 * 1e3,
+    // 1 minute
+    max = 100,
+    keyGenerator = defaultKeyGenerator,
+    skip,
+    storage = getDefaultStorage(),
+    message = "Too many requests, please try again later",
+    headers = true,
+    onLimitReached
+  } = options;
+  return async (c, next) => {
+    if (skip?.(c)) {
+      return next();
+    }
+    const key = `ratelimit:${keyGenerator(c)}`;
+    const current = await storage.increment(key, windowMs);
+    if (headers) {
+      c.header("X-RateLimit-Limit", String(max));
+      c.header("X-RateLimit-Remaining", String(Math.max(0, max - current)));
+      c.header("X-RateLimit-Reset", String(Math.ceil((Date.now() + windowMs) / 1e3)));
+    }
+    if (current > max) {
+      if (onLimitReached) {
+        onLimitReached(c, key);
+      }
+      const retryAfter = Math.ceil(windowMs / 1e3);
+      c.header("Retry-After", String(retryAfter));
+      throw new RateLimitError(message, retryAfter);
+    }
+    await next();
+  };
+}
+function defaultKeyGenerator(c) {
+  return c.req.header("x-forwarded-for")?.split(",")[0]?.trim() ?? c.req.header("x-real-ip") ?? c.req.header("cf-connecting-ip") ?? "unknown";
+}
+function createRateLimiter(options = {}) {
+  const storage = options.storage ?? getDefaultStorage();
+  return {
+    middleware: rateLimit({ ...options, storage }),
+    storage,
+    reset: (key) => storage.reset(`ratelimit:${key}`),
+    get: (key) => storage.get(`ratelimit:${key}`)
+  };
+}
+
+// src/middleware/request-logger.ts
+function formatBytes(bytes) {
+  if (bytes < 1024) return `${bytes}B`;
+  if (bytes < 1024 * 1024) return `${(bytes / 1024).toFixed(1)}KB`;
+  return `${(bytes / (1024 * 1024)).toFixed(1)}MB`;
+}
+function requestLogger(options = {}) {
+  const {
+    skip,
+    format = "json",
+    includeBody = false,
+    maxBodyLength = 1e3
+  } = options;
+  return async (c, next) => {
+    if (skip?.(c)) {
+      return next();
+    }
+    const start = Date.now();
+    const logger = c.get("logger");
+    const requestId = c.get("requestId");
+    const method = c.req.method;
+    const path = c.req.path;
+    const query = c.req.query();
+    const userAgent = c.req.header("user-agent");
+    const ip = c.req.header("x-forwarded-for") ?? c.req.header("x-real-ip") ?? "unknown";
+    if (format === "json") {
+      logger?.debug("Request started", {
+        requestId,
+        method,
+        path,
+        query: Object.keys(query).length > 0 ? query : void 0,
+        ip,
+        userAgent
+      });
+    }
+    let requestBody;
+    if (includeBody && ["POST", "PUT", "PATCH"].includes(method)) {
+      try {
+        const contentType = c.req.header("content-type") ?? "";
+        if (contentType.includes("application/json")) {
+          const body = await c.req.text();
+          requestBody = body.length > maxBodyLength ? body.substring(0, maxBodyLength) + "..." : body;
+        }
+      } catch {
+      }
+    }
+    await next();
+    const duration = Date.now() - start;
+    const status2 = c.res.status;
+    const contentLength = c.res.headers.get("content-length");
+    const size = contentLength ? parseInt(contentLength, 10) : 0;
+    if (format === "json") {
+      const logData = {
+        requestId,
+        method,
+        path,
+        status: status2,
+        duration: `${duration}ms`,
+        size: formatBytes(size)
+      };
+      if (requestBody) {
+        logData["requestBody"] = requestBody;
+      }
+      if (status2 >= 500) {
+        logger?.error("Request completed", logData);
+      } else if (status2 >= 400) {
+        logger?.warn("Request completed", logData);
+      } else {
+        logger?.info("Request completed", logData);
+      }
+    } else if (format === "combined") {
+      const log = `${ip} - - [${(/* @__PURE__ */ new Date()).toISOString()}] "${method} ${path}" ${status2} ${size} "-" "${userAgent}" ${duration}ms`;
+      console.log(log);
+    } else {
+      const log = `${method} ${path} ${status2} ${duration}ms`;
+      console.log(log);
+    }
+  };
+}
+
+// src/middleware/usage-tracking.ts
+function usageTracking(options) {
+  const {
+    usageService,
+    featureKey = "api_calls",
+    quantity = 1,
+    skip,
+    trackOn = "response",
+    successOnly = true,
+    getCustomerId = (c) => c.get("user")?.id,
+    getTenantId = (c) => c.get("tenant")?.id ?? c.get("user")?.tenantId,
+    getSubscriptionId,
+    includeMetadata = true,
+    getIdempotencyKey
+  } = options;
+  return async (c, next) => {
+    if (trackOn === "request") {
+      await trackUsage(c);
+      return next();
+    }
+    await next();
+    if (skip?.(c)) return;
+    if (successOnly && c.res.status >= 400) return;
+    await trackUsage(c);
+  };
+  async function trackUsage(c) {
+    const customerId = getCustomerId(c);
+    const tenantId = getTenantId(c);
+    if (!customerId || !tenantId) return;
+    const resolvedFeatureKey = typeof featureKey === "function" ? featureKey(c) : featureKey;
+    const resolvedQuantity = typeof quantity === "function" ? quantity(c) : quantity;
+    const metadata = includeMetadata ? {
+      path: c.req.path,
+      method: c.req.method,
+      statusCode: c.res.status,
+      userAgent: c.req.header("user-agent")
+    } : void 0;
+    try {
+      const trackOptions = {
+        tenantId,
+        customerId,
+        featureKey: resolvedFeatureKey,
+        quantity: resolvedQuantity
+      };
+      const subscriptionId = getSubscriptionId?.(c);
+      if (subscriptionId !== void 0) {
+        trackOptions.subscriptionId = subscriptionId;
+      }
+      if (metadata !== void 0) {
+        trackOptions.metadata = metadata;
+      }
+      const idempotencyKey = getIdempotencyKey?.(c);
+      if (idempotencyKey !== void 0) {
+        trackOptions.idempotencyKey = idempotencyKey;
+      }
+      await usageService.trackUsage(trackOptions);
+    } catch (error2) {
+      const logger = c.get("logger");
+      if (logger) {
+        logger.error("Usage tracking failed", {
+          error: error2 instanceof Error ? error2.message : String(error2),
+          customerId,
+          featureKey: resolvedFeatureKey
+        });
+      }
+    }
+  }
+}
+function createUsageTracking(baseOptions) {
+  return (overrides) => {
+    return usageTracking({ ...baseOptions, ...overrides });
+  };
+}
+
+// src/middleware/quota-enforcement.ts
+var QuotaExceededError = class extends Error {
+  constructor(featureKey, limit, currentUsage, requestedQuantity = 1) {
+    super(
+      `Quota exceeded for "${featureKey}": ${currentUsage}/${limit ?? "unlimited"} used`
+    );
+    this.featureKey = featureKey;
+    this.limit = limit;
+    this.currentUsage = currentUsage;
+    this.requestedQuantity = requestedQuantity;
+    this.name = "QuotaExceededError";
+  }
+  statusCode = 429;
+  code = "QUOTA_EXCEEDED";
+};
+function quotaEnforcement(options) {
+  const {
+    quotaManager,
+    featureKey,
+    quantity = 1,
+    skip,
+    getCustomerId = (c) => c.get("user")?.id,
+    includeHeaders = true,
+    onQuotaExceeded,
+    softLimit = false,
+    onQuotaWarning
+  } = options;
+  return async (c, next) => {
+    if (skip?.(c)) {
+      return next();
+    }
+    const customerId = getCustomerId(c);
+    if (!customerId) {
+      return next();
+    }
+    const resolvedFeatureKey = typeof featureKey === "function" ? featureKey(c) : featureKey;
+    const resolvedQuantity = typeof quantity === "function" ? quantity(c) : quantity;
+    try {
+      const result = await quotaManager.checkQuota(
+        customerId,
+        resolvedFeatureKey,
+        resolvedQuantity
+      );
+      if (includeHeaders) {
+        c.header("X-Quota-Limit", String(result.limit ?? "unlimited"));
+        c.header("X-Quota-Remaining", String(result.remaining ?? "unlimited"));
+        c.header("X-Quota-Used", String(result.currentUsage));
+        if (result.percentAfter !== null) {
+          c.header("X-Quota-Percent", String(result.percentAfter));
+        }
+      }
+      if (result.percentAfter !== null && result.percentAfter >= 80 && onQuotaWarning) {
+        onQuotaWarning(c, result, resolvedFeatureKey);
+      }
+      if (!result.allowed && !softLimit) {
+        if (onQuotaExceeded) {
+          const response = onQuotaExceeded(c, result, resolvedFeatureKey);
+          if (response) return response;
+        }
+        throw new QuotaExceededError(
+          resolvedFeatureKey,
+          result.limit,
+          result.currentUsage,
+          resolvedQuantity
+        );
+      }
+      await next();
+    } catch (error2) {
+      if (error2 instanceof QuotaExceededError) {
+        throw error2;
+      }
+      const logger = c.get("logger");
+      if (logger) {
+        logger.error("Quota check failed", {
+          error: error2 instanceof Error ? error2.message : String(error2),
+          customerId,
+          featureKey: resolvedFeatureKey
+        });
+      }
+      await next();
+    }
+  };
+}
+function createQuotaEnforcement(baseOptions) {
+  return (featureKey) => {
+    return quotaEnforcement({ ...baseOptions, featureKey });
+  };
+}
+function multiQuotaEnforcement(options) {
+  const { features } = options;
+  return async (c, next) => {
+    const customerId = (options.getCustomerId ?? ((ctx) => ctx.get("user")?.id))(c);
+    if (!customerId || options.skip?.(c)) {
+      return next();
+    }
+    for (const feature of features) {
+      const resolvedQuantity = typeof feature.quantity === "function" ? feature.quantity(c) : feature.quantity ?? 1;
+      const result = await options.quotaManager.checkQuota(
+        customerId,
+        feature.featureKey,
+        resolvedQuantity
+      );
+      if (!result.allowed && !options.softLimit) {
+        if (options.onQuotaExceeded) {
+          const response = options.onQuotaExceeded(c, result, feature.featureKey);
+          if (response) return response;
+        }
+        throw new QuotaExceededError(
+          feature.featureKey,
+          result.limit,
+          result.currentUsage,
+          resolvedQuantity
+        );
+      }
+    }
+    await next();
+  };
+}
+
+// src/validation/index.ts
+import {
+  type,
+  uuid,
+  timestamp,
+  email,
+  url,
+  nonEmptyString,
+  positiveInt,
+  nonNegativeInt,
+  status,
+  pagination,
+  paginationMeta,
+  cursorPagination,
+  cursorPaginationMeta,
+  uuidParam,
+  paginationQuery,
+  cursorPaginationQuery,
+  searchQuery,
+  dateRangeQuery,
+  healthResponse,
+  apiInfoResponse,
+  corsConfig,
+  serverRateLimitConfig,
+  loggerConfig,
+  serverConfig,
+  authContext,
+  requestContext,
+  successResponse,
+  errorResponse,
+  paginatedResponse,
+  cursorPaginatedResponse,
+  parsError,
+  validateWithSchema,
+  safeValidate,
+  isValid,
+  formatErrors
+} from "@parsrun/types";
+import { type as type2, formatErrors as formatArkErrors } from "@parsrun/types";
+import {
+  uuidParam as uuidParam2,
+  paginationQuery as paginationQuery2,
+  searchQuery as searchQuery2,
+  dateRangeQuery as dateRangeQuery2
+} from "@parsrun/types";
+function formatValidationErrors(errors) {
+  const formatted = formatArkErrors(errors);
+  const result = {};
+  for (const [key, value] of Object.entries(formatted)) {
+    result[key] = [value];
+  }
+  return result;
+}
+function validateBody(schema, options = {}) {
+  return async (c, next) => {
+    let body;
+    try {
+      body = await c.req.json();
+    } catch {
+      throw new ValidationError("Invalid JSON body");
+    }
+    const result = schema(body);
+    if (result instanceof type2.errors) {
+      throw new ValidationError(
+        options.messagePrefix ?? "Validation failed",
+        { errors: formatValidationErrors(result) }
+      );
+    }
+    c.set("validatedBody", result);
+    await next();
+  };
+}
+function validateQuery(schema, options = {}) {
+  return async (c, next) => {
+    const query = c.req.query();
+    const result = schema(query);
+    if (result instanceof type2.errors) {
+      throw new ValidationError(
+        options.messagePrefix ?? "Invalid query parameters",
+        { errors: formatValidationErrors(result) }
+      );
+    }
+    c.set("validatedQuery", result);
+    await next();
+  };
+}
+function validateParams(schema, options = {}) {
+  return async (c, next) => {
+    const params = c.req.param();
+    const result = schema(params);
+    if (result instanceof type2.errors) {
+      throw new ValidationError(
+        options.messagePrefix ?? "Invalid route parameters",
+        { errors: formatValidationErrors(result) }
+      );
+    }
+    c.set("validatedParams", result);
+    await next();
+  };
+}
+function validateHeaders(schema, options = {}) {
+  return async (c, next) => {
+    const headers = {};
+    c.req.raw.headers.forEach((value, key) => {
+      headers[key.toLowerCase()] = value;
+    });
+    const result = schema(headers);
+    if (result instanceof type2.errors) {
+      throw new ValidationError(
+        options.messagePrefix ?? "Invalid headers",
+        { errors: formatValidationErrors(result) }
+      );
+    }
+    c.set("validatedHeaders", result);
+    await next();
+  };
+}
+function validate(schemas) {
+  return async (c, next) => {
+    if (schemas.params) {
+      const params = c.req.param();
+      const result = schemas.params(params);
+      if (result instanceof type2.errors) {
+        throw new ValidationError("Invalid route parameters", {
+          errors: formatValidationErrors(result)
+        });
+      }
+      c.set("validatedParams", result);
+    }
+    if (schemas.query) {
+      const query = c.req.query();
+      const result = schemas.query(query);
+      if (result instanceof type2.errors) {
+        throw new ValidationError("Invalid query parameters", {
+          errors: formatValidationErrors(result)
+        });
+      }
+      c.set("validatedQuery", result);
+    }
+    if (schemas.headers) {
+      const headers = {};
+      c.req.raw.headers.forEach((value, key) => {
+        headers[key.toLowerCase()] = value;
+      });
+      const result = schemas.headers(headers);
+      if (result instanceof type2.errors) {
+        throw new ValidationError("Invalid headers", {
+          errors: formatValidationErrors(result)
+        });
+      }
+      c.set("validatedHeaders", result);
+    }
+    if (schemas.body) {
+      let body;
+      try {
+        body = await c.req.json();
+      } catch {
+        throw new ValidationError("Invalid JSON body");
+      }
+      const result = schemas.body(body);
+      if (result instanceof type2.errors) {
+        throw new ValidationError("Validation failed", {
+          errors: formatValidationErrors(result)
+        });
+      }
+      c.set("validatedBody", result);
+    }
+    await next();
+  };
+}
+
+// src/utils/pagination.ts
+var defaultOptions = {
+  defaultLimit: 20,
+  maxLimit: 100,
+  pageParam: "page",
+  limitParam: "limit"
+};
+function parsePagination(c, options = {}) {
+  const opts = { ...defaultOptions, ...options };
+  const pageStr = c.req.query(opts.pageParam);
+  const limitStr = c.req.query(opts.limitParam);
+  let page = pageStr ? parseInt(pageStr, 10) : 1;
+  let limit = limitStr ? parseInt(limitStr, 10) : opts.defaultLimit;
+  if (isNaN(page) || page < 1) page = 1;
+  if (isNaN(limit) || limit < 1) limit = opts.defaultLimit;
+  if (limit > opts.maxLimit) limit = opts.maxLimit;
+  const offset = (page - 1) * limit;
+  return { page, limit, offset };
+}
+function createPaginationMeta(params) {
+  const { page, limit, total } = params;
+  const totalPages = Math.ceil(total / limit);
+  return {
+    page,
+    limit,
+    total,
+    totalPages,
+    hasNext: page < totalPages,
+    hasPrev: page > 1
+  };
+}
+function paginate(data, params) {
+  return {
+    data,
+    pagination: createPaginationMeta(params)
+  };
+}
+function parseCursorPagination(c, options = {}) {
+  const opts = { ...defaultOptions, ...options };
+  const cursor = c.req.query("cursor") ?? void 0;
+  const limitStr = c.req.query(opts.limitParam);
+  const direction = c.req.query("direction") === "backward" ? "backward" : "forward";
+  let limit = limitStr ? parseInt(limitStr, 10) : opts.defaultLimit;
+  if (isNaN(limit) || limit < 1) limit = opts.defaultLimit;
+  if (limit > opts.maxLimit) limit = opts.maxLimit;
+  return { cursor, limit, direction };
+}
+function cursorPaginate(data, params) {
+  const { cursor, limit } = params;
+  const hasMore = data.length > limit;
+  const items = hasMore ? data.slice(0, limit) : data;
+  const lastItem = items[items.length - 1];
+  const firstItem = items[0];
+  return {
+    data: items,
+    pagination: {
+      cursor,
+      nextCursor: hasMore && lastItem ? lastItem.id : void 0,
+      prevCursor: cursor && firstItem ? firstItem.id : void 0,
+      hasMore,
+      limit
+    }
+  };
+}
+function setPaginationHeaders(c, meta) {
+  c.header("X-Total-Count", String(meta.total));
+  c.header("X-Total-Pages", String(meta.totalPages));
+  c.header("X-Page", String(meta.page));
+  c.header("X-Per-Page", String(meta.limit));
+  c.header("X-Has-Next", String(meta.hasNext));
+  c.header("X-Has-Prev", String(meta.hasPrev));
+}
+
+// src/utils/response.ts
+function json(c, data, status2 = 200) {
+  return c.json(success(data), status2);
+}
+function jsonWithMeta(c, data, meta, status2 = 200) {
+  return c.json(success(data, meta), status2);
+}
+function jsonError(c, code, message, status2 = 400, details) {
+  return c.json(error(code, message, details), status2);
+}
+function created(c, data, location) {
+  if (location) {
+    c.header("Location", location);
+  }
+  return c.json(success(data), 201);
+}
+function noContent(_c) {
+  return new Response(null, { status: 204 });
+}
+function accepted(c, data) {
+  if (data) {
+    return c.json(success(data), 202);
+  }
+  return new Response(null, { status: 202 });
+}
+function redirect(c, url2, status2 = 302) {
+  return c.redirect(url2, status2);
+}
+function stream(_c, callback, options = {}) {
+  const encoder = new TextEncoder();
+  const readableStream = new ReadableStream({
+    async start(controller) {
+      const write = async (chunk) => {
+        controller.enqueue(encoder.encode(chunk));
+      };
+      try {
+        await callback(write);
+      } finally {
+        controller.close();
+      }
+    }
+  });
+  return new Response(readableStream, {
+    headers: {
+      "Content-Type": options.contentType ?? "text/event-stream",
+      "Cache-Control": "no-cache",
+      Connection: "keep-alive",
+      ...options.headers
+    }
+  });
+}
+function sse(c, callback) {
+  return stream(c, async (write) => {
+    const send = async (event) => {
+      let message = "";
+      if (event.id) {
+        message += `id: ${event.id}
+`;
+      }
+      if (event.event) {
+        message += `event: ${event.event}
+`;
+      }
+      if (event.retry) {
+        message += `retry: ${event.retry}
+`;
+      }
+      const data = typeof event.data === "string" ? event.data : JSON.stringify(event.data);
+      message += `data: ${data}
+
+`;
+      await write(message);
+    };
+    await callback(send);
+  });
+}
+function download(c, data, filename, contentType = "application/octet-stream") {
+  c.header("Content-Disposition", `attachment; filename="${filename}"`);
+  c.header("Content-Type", contentType);
+  if (typeof data === "string") {
+    return c.body(data);
+  }
+  return new Response(data, {
+    headers: c.res.headers
+  });
+}
+
+// src/health.ts
+import { Hono as Hono3 } from "hono";
+var startTime = Date.now();
+async function checkDatabase(db) {
+  const start = Date.now();
+  try {
+    if (db.ping) {
+      await db.ping();
+    }
+    return {
+      status: "healthy",
+      latency: Date.now() - start
+    };
+  } catch (err) {
+    return {
+      status: "unhealthy",
+      message: err instanceof Error ? err.message : "Database connection failed",
+      latency: Date.now() - start
+    };
+  }
+}
+function aggregateStatus(checks) {
+  const statuses = Object.values(checks).map((c) => c.status);
+  if (statuses.some((s) => s === "unhealthy")) {
+    return "unhealthy";
+  }
+  if (statuses.some((s) => s === "degraded")) {
+    return "degraded";
+  }
+  return "healthy";
+}
+function createHealthRouter(options = {}) {
+  const router = new Hono3();
+  const { checks = {}, detailed = true } = options;
+  router.get("/", async (c) => {
+    const db = c.get("db");
+    const results = {};
+    results["database"] = await checkDatabase(db);
+    const customCheckResults = await Promise.all(
+      Object.entries(checks).map(async ([name, check]) => {
+        try {
+          const result = await check();
+          return [name, result];
+        } catch (err) {
+          return [
+            name,
+            {
+              status: "unhealthy",
+              message: err instanceof Error ? err.message : "Check failed"
+            }
+          ];
+        }
+      })
+    );
+    for (const [name, result] of customCheckResults) {
+      results[name] = result;
+    }
+    const overallStatus = aggregateStatus(results);
+    const response = {
+      status: overallStatus,
+      timestamp: (/* @__PURE__ */ new Date()).toISOString(),
+      uptime: Math.floor((Date.now() - startTime) / 1e3),
+      checks: detailed ? results : {}
+    };
+    const statusCode = overallStatus === "healthy" ? 200 : overallStatus === "degraded" ? 200 : 503;
+    return c.json(response, statusCode);
+  });
+  router.get("/live", (c) => {
+    return c.json({
+      status: "ok",
+      timestamp: (/* @__PURE__ */ new Date()).toISOString()
+    });
+  });
+  router.get("/ready", async (c) => {
+    const db = c.get("db");
+    const dbHealth = await checkDatabase(db);
+    if (dbHealth.status === "unhealthy") {
+      return c.json(
+        {
+          status: "not_ready",
+          reason: "database",
+          timestamp: (/* @__PURE__ */ new Date()).toISOString()
+        },
+        503
+      );
+    }
+    return c.json({
+      status: "ready",
+      timestamp: (/* @__PURE__ */ new Date()).toISOString()
+    });
+  });
+  router.get("/startup", (c) => {
+    return c.json({
+      status: "started",
+      uptime: Math.floor((Date.now() - startTime) / 1e3),
+      timestamp: (/* @__PURE__ */ new Date()).toISOString()
+    });
+  });
+  return router;
+}
+async function healthHandler(c) {
+  return c.json({
+    status: "ok",
+    timestamp: (/* @__PURE__ */ new Date()).toISOString(),
+    uptime: Math.floor((Date.now() - startTime) / 1e3)
+  });
+}
+export {
+  ApiError,
+  BadRequestError,
+  ConflictError,
+  dateRangeQuery2 as DateRangeQuerySchema,
+  ForbiddenError2 as ForbiddenError,
+  InMemoryRBAC,
+  InternalError,
+  MemoryRateLimitStorage,
+  ModuleLoader,
+  NotFoundError,
+  paginationQuery2 as PaginationQuerySchema,
+  QuotaExceededError,
+  RBACService,
+  RLSError,
+  RLSManager,
+  RateLimitError,
+  searchQuery2 as SearchQuerySchema,
+  ServiceUnavailableError,
+  StandardRoles,
+  UnauthorizedError2 as UnauthorizedError,
+  uuidParam2 as UuidParamSchema,
+  ValidationError,
+  accepted,
+  auth,
+  cors2 as cors,
+  createAuthMiddleware,
+  createHealthRouter,
+  createInMemoryRBAC,
+  createModuleLoader,
+  createModuleRouter,
+  createPaginationMeta,
+  createPermission,
+  createQuotaEnforcement,
+  createRBACService,
+  createRLSManager,
+  createRateLimiter,
+  createRouter,
+  createServer,
+  createUsageTracking,
+  createVersionedRouter,
+  created,
+  crudPermissions,
+  csrf,
+  cursorPaginate,
+  defineModule,
+  doubleSubmitCookie,
+  download,
+  error,
+  errorHandler,
+  generateDisableRLS,
+  generateRLSPolicy,
+  generateRequestId,
+  healthHandler,
+  json,
+  jsonError,
+  jsonWithMeta,
+  multiQuotaEnforcement,
+  noContent,
+  notFoundHandler,
+  optionalAuth,
+  paginate,
+  parseCursorPagination,
+  parsePagination,
+  parsePermission,
+  quotaEnforcement,
+  rateLimit,
+  redirect,
+  requestLogger,
+  requireAnyPermission,
+  requireAnyRole,
+  requireAuth,
+  requirePermission,
+  requireRole,
+  requireTenantMember,
+  rlsMiddleware,
+  setPaginationHeaders,
+  sse,
+  stream,
+  success,
+  type,
+  usageTracking,
+  validate,
+  validateBody,
+  validateHeaders,
+  validateParams,
+  validateQuery
+};
+//# sourceMappingURL=index.js.map