@saacms/core 0.1.0

package/dist/index-b7z43xwp.js

@@ -0,0 +1,6 @@
+// src/access/index.ts
+function evaluateAccess(_predicate, _ctx) {
+  throw new Error("NOT_IMPLEMENTED: evaluateAccess");
+}
+
+export { evaluateAccess };

package/dist/index-r0at8zaw.js

@@ -0,0 +1,13 @@
+// src/types/ids.ts
+var id = {
+  user: (s) => s,
+  session: (s) => s,
+  collection: (s) => s,
+  record: (s) => s,
+  page: (s) => s,
+  block: (s) => s,
+  draft: (s) => s,
+  publication: (s) => s,
+  migration: (s) => s
+};
+export { id };

package/dist/index-zgbq60fy.js

@@ -0,0 +1,74 @@
+// src/hooks/index.ts
+import { Effect } from "effect";
+var COMMAND_PHASE_MOMENTS = new Set([
+  "beforeValidate",
+  "beforeChange",
+  "beforeRead",
+  "beforeDelete",
+  "beforePublish",
+  "beforeRender"
+]);
+function isCommandPhase(moment) {
+  return COMMAND_PHASE_MOMENTS.has(moment);
+}
+function isPlainObject(value) {
+  return typeof value === "object" && value !== null;
+}
+function runHooks(moment, ctx, hooks) {
+  const command = isCommandPhase(moment);
+  if (hooks.length === 0) {
+    return command ? Effect.succeed(ctx.data) : Effect.void;
+  }
+  return command ? runCommandPhase(ctx, hooks) : runEventPhase(moment, ctx, hooks);
+}
+function runCommandPhase(initialCtx, hooks) {
+  const seed = Effect.succeed({
+    currentData: initialCtx.data,
+    lastResult: initialCtx.data
+  });
+  const chained = hooks.reduce((acc, hook) => Effect.flatMap(acc, (state) => {
+    const hookCtx = {
+      ...initialCtx,
+      data: state.currentData
+    };
+    return Effect.map(hook.fn(hookCtx), (out) => {
+      if (isPlainObject(out)) {
+        return { currentData: out, lastResult: out };
+      }
+      return state;
+    });
+  }), seed);
+  return Effect.map(chained, (state) => state.lastResult);
+}
+function runEventPhase(moment, ctx, hooks) {
+  const effects = hooks.map((hook) => {
+    const effect = hook.fn(ctx);
+    if (hook.options?.failOnError === true) {
+      return effect;
+    }
+    return Effect.catchAll(effect, (err) => Effect.sync(() => {
+      console.warn(`[saacms/hooks] ${moment} hook failed:`, err);
+    }));
+  });
+  return Effect.all(effects, { concurrency: "unbounded", discard: true });
+}
+function resolveHooksFor(moment, source) {
+  const result = [];
+  appendEntry(source.collection?.hooks?.[moment], result);
+  for (const plugin of source.plugins ?? []) {
+    appendEntry(plugin.hooks?.[moment], result);
+  }
+  return result;
+}
+function appendEntry(entry, result) {
+  if (typeof entry === "function") {
+    result.push({ fn: entry });
+    return;
+  }
+  if (isPlainObject(entry) && typeof entry.fn === "function") {
+    const e = entry;
+    result.push(e.options !== undefined ? { fn: e.fn, options: e.options } : { fn: e.fn });
+  }
+}
+
+export { runHooks, resolveHooksFor };

package/dist/index.d.ts

@@ -0,0 +1,23 @@
+/**
+ * @saacms/core — public surface.
+ *
+ * Re-exports the canonical types and (when implemented) the runtime handler,
+ * schema projections, hook orchestrator, signals, and SSE primitives.
+ *
+ * v1 alpha status: types are stable; implementations are stubs.
+ */
+export * from "./types/index.ts";
+export * from "./schema/index.ts";
+export * from "./theme/index.ts";
+export * from "./access/index.ts";
+export * from "./auth/index.ts";
+export * from "./hooks/index.ts";
+export * from "./runtime/index.ts";
+export * from "./signals/index.ts";
+export * from "./storage/index.ts";
+export * from "./host/index.ts";
+export * from "./codegen/index.ts";
+export * from "./publish/compile.ts";
+export * from "./tenant/index.ts";
+export * from "./observability/index.ts";
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,cAAc,kBAAkB,CAAA;AAChC,cAAc,mBAAmB,CAAA;AACjC,cAAc,kBAAkB,CAAA;AAChC,cAAc,mBAAmB,CAAA;AACjC,cAAc,iBAAiB,CAAA;AAC/B,cAAc,kBAAkB,CAAA;AAChC,cAAc,oBAAoB,CAAA;AAClC,cAAc,oBAAoB,CAAA;AAClC,cAAc,oBAAoB,CAAA;AAClC,cAAc,iBAAiB,CAAA;AAC/B,cAAc,oBAAoB,CAAA;AAClC,cAAc,sBAAsB,CAAA;AACpC,cAAc,mBAAmB,CAAA;AACjC,cAAc,0BAA0B,CAAA"}

package/dist/index.js

@@ -0,0 +1,261 @@
+import {
+  evaluateAccess
+} from "./index-b7z43xwp.js";
+import {
+  DEFAULT_THRESHOLDS,
+  RowStorageError,
+  UniqueConstraintError,
+  collectServices,
+  computeScaleCostSignal,
+  createSaacmsRuntime,
+  getServices,
+  recordAuditEvent
+} from "./index-b59hfany.js";
+import {
+  resolveHooksFor,
+  runHooks
+} from "./index-zgbq60fy.js";
+import {
+  computed,
+  effect,
+  signal
+} from "./index-172n82sz.js";
+import {
+  id
+} from "./index-r0at8zaw.js";
+import {
+  assertNoTableNameCollisions,
+  camelToSnakeCase,
+  collectionToOpenApiPaths,
+  contentMigrationModuleSource,
+  defaultLabel,
+  detectPendingContentMigrations,
+  diffBlockSchemas,
+  filterOpenApiForUser,
+  fingerprintBlockSchema,
+  fingerprintToString,
+  normalizeDateSchemas,
+  schemaToD1Migration,
+  schemaToD1Migrations,
+  schemaToDrizzle,
+  schemaToOpenApiSchema,
+  schemaToPuckFields,
+  schemaToTsType,
+  schemaToTsTypes,
+  slugToTableName
+} from "./index-a3pnt8yz.js";
+import {
+  MEDIA_FIELD_NAMES,
+  MediaFields,
+  MediaRef,
+  PLUGIN_CAPABILITIES,
+  REPO_MEDIA_FIELD_NAMES,
+  assertPluginCapabilities,
+  defineBlock,
+  defineCollection,
+  defineConfig,
+  definePage,
+  definePageTemplate,
+  definePlugin,
+  deriveContributedCapabilities,
+  mediaRepoName,
+  mediaTransformUrl,
+  resolveMediaRef,
+  stageRepoMedia,
+  withMediaFields
+} from "./index-8g8ymd37.js";
+// src/theme/index.ts
+function defineTheme(opts) {
+  return opts;
+}
+function themeFingerprint(schemeId, darkMode, tenantScope) {
+  const schemeSegment = schemeId != null ? `id:${schemeId}` : "none";
+  const darkSegment = darkMode ? "dark" : "light";
+  const tenantSegment = tenantScope != null ? `:t:${tenantScope}` : "";
+  return `scheme:${schemeSegment}:${darkSegment}${tenantSegment}`;
+}
+// src/host/index.ts
+var SCHEME_COOKIE = "saacms-scheme";
+var DARK_MODE_COOKIE = "saacms-dark";
+// src/publish/compile.ts
+import { mkdirSync, writeFileSync } from "node:fs";
+import { dirname, resolve } from "node:path";
+function isCompileAdapter(host) {
+  if (typeof host !== "object" || host === null)
+    return false;
+  const h = host;
+  return typeof h.assetRoot === "function" && typeof h.generateRoute === "function";
+}
+async function compileForPublish(config, opts) {
+  const { cwd, dryRun = false } = opts;
+  const routes = [];
+  const content = [];
+  const media = [];
+  const adapter = isCompileAdapter(config.host) ? config.host : null;
+  for (const page of config.pages ?? []) {
+    const pageId = String(page.id);
+    const pageLayout = opts.readPageContent ? opts.readPageContent(pageId) : page.layout;
+    const contentRelPath = `content/pages/${pageId}.json`;
+    if (!dryRun) {
+      writeFileSafe(resolve(cwd, contentRelPath), cwd, JSON.stringify({ id: pageId, path: page.path, layout: pageLayout }, null, 2));
+    }
+    content.push(contentRelPath);
+    if (adapter !== null) {
+      const rawPath = String(page.path);
+      const url = rawPath.startsWith("/") ? rawPath.slice(1) : rawPath;
+      const generated = adapter.generateRoute({
+        id: pageId,
+        url,
+        renderMode: page.renderMode ?? "static",
+        layout: pageLayout
+      }, {});
+      if (!dryRun) {
+        writeFileSafe(resolve(cwd, generated.path), cwd, generated.source);
+      }
+      routes.push(generated.path);
+    }
+  }
+  const assetRoot = adapter?.assetRoot() ?? "public/";
+  for (const coll of config.collections ?? []) {
+    if (coll.kind !== "media")
+      continue;
+    const storage = coll.storage;
+    if (!storage || storage.mode !== "repo")
+      continue;
+    const slug = String(coll.slug);
+    const records = opts.readRepoMedia?.(slug) ?? [];
+    for (const record of records) {
+      const staged = await stageRepoMedia({
+        collectionSlug: slug,
+        assetRoot,
+        bytes: record.bytes,
+        mime: record.mime,
+        originalFilename: record.originalFilename,
+        policy: storage.naming
+      });
+      if (!dryRun) {
+        writeFileSafe(resolve(cwd, staged.repoPath), cwd, staged.bytes);
+      }
+      media.push(staged.repoPath);
+    }
+  }
+  const written = [...routes, ...content, ...media];
+  return { written, routes, content, media };
+}
+function writeFileSafe(absPath, cwd, data) {
+  const normalized = resolve(absPath);
+  const cwdNorm = resolve(cwd);
+  if (!normalized.startsWith(cwdNorm + "/")) {
+    throw new Error(`compileForPublish: refusing to write outside cwd "${cwdNorm}": ${absPath}`);
+  }
+  mkdirSync(dirname(absPath), { recursive: true });
+  writeFileSync(absPath, data);
+}
+// src/tenant/index.ts
+import { Effect, SchemaAST } from "effect";
+function tenantScoped(opts) {
+  const { userField, recordField = userField } = opts;
+  const read = ({ user }) => {
+    if (user == null)
+      return false;
+    const tenantValue = user.claims[userField];
+    if (tenantValue == null)
+      return false;
+    return { where: { [recordField]: tenantValue } };
+  };
+  const beforeChange = (ctx) => Effect.sync(() => {
+    if (ctx.user == null)
+      return;
+    const tenantValue = ctx.user.claims[userField];
+    if (tenantValue == null)
+      return;
+    const data = ctx.data;
+    if (data != null) {
+      data[recordField] = tenantValue;
+    }
+  });
+  return { read, hooks: { beforeChange } };
+}
+function assertTenantIsolation(config, opts) {
+  const { tenantField, exempt = [] } = opts;
+  const exemptSet = new Set(exempt);
+  const unscoped = [];
+  for (const coll of config.collections ?? []) {
+    const slug = String(coll.slug);
+    if (exemptSet.has(slug))
+      continue;
+    if (!schemaHasField(coll.schema, tenantField))
+      continue;
+    if (coll.access?.read == null) {
+      unscoped.push(slug);
+    }
+  }
+  return { ok: unscoped.length === 0, unscoped };
+}
+function schemaHasField(schema, fieldName) {
+  const ast = schema.ast;
+  if (!SchemaAST.isTypeLiteral(ast))
+    return false;
+  return ast.propertySignatures.some((p) => String(p.name) === fieldName);
+}
+export {
+  withMediaFields,
+  themeFingerprint,
+  tenantScoped,
+  stageRepoMedia,
+  slugToTableName,
+  signal,
+  schemaToTsTypes,
+  schemaToTsType,
+  schemaToPuckFields,
+  schemaToOpenApiSchema,
+  schemaToDrizzle,
+  schemaToD1Migrations,
+  schemaToD1Migration,
+  runHooks,
+  resolveMediaRef,
+  resolveHooksFor,
+  recordAuditEvent,
+  normalizeDateSchemas,
+  mediaTransformUrl,
+  mediaRepoName,
+  id,
+  getServices,
+  fingerprintToString,
+  fingerprintBlockSchema,
+  filterOpenApiForUser,
+  evaluateAccess,
+  effect,
+  diffBlockSchemas,
+  detectPendingContentMigrations,
+  deriveContributedCapabilities,
+  defineTheme,
+  definePlugin,
+  definePageTemplate,
+  definePage,
+  defineConfig,
+  defineCollection,
+  defineBlock,
+  defaultLabel,
+  createSaacmsRuntime,
+  contentMigrationModuleSource,
+  computed,
+  computeScaleCostSignal,
+  compileForPublish,
+  collectionToOpenApiPaths,
+  collectServices,
+  camelToSnakeCase,
+  assertTenantIsolation,
+  assertPluginCapabilities,
+  assertNoTableNameCollisions,
+  UniqueConstraintError,
+  SCHEME_COOKIE,
+  RowStorageError,
+  REPO_MEDIA_FIELD_NAMES,
+  PLUGIN_CAPABILITIES,
+  MediaRef,
+  MediaFields,
+  MEDIA_FIELD_NAMES,
+  DEFAULT_THRESHOLDS,
+  DARK_MODE_COOKIE
+};

package/dist/observability/audit.d.ts

@@ -0,0 +1,65 @@
+/**
+ * Authorization audit emit seam — ADR 0031.
+ *
+ * Provides the `AuditEvent` type, the `AuditSink` interface, and the
+ * `recordAuditEvent` helper. Persistence (D1 table / SIEM) is host-configured
+ * and OUT OF SCOPE for this module — this module is the *emit seam + interface*,
+ * not a storage backend.
+ *
+ * The default sink is a no-op (zero-config, never throws). The host or a plugin
+ * supplies a real sink by contributing `services: { auditSink: <AuditSink> }`
+ * in a `PluginDef` — exactly the same pattern as `services.cache` and
+ * `services.realtime` (ADR 0014 / `runtime/services.ts`).
+ *
+ * Per ADR 0020 §Observability, the Observability bounded context never owns
+ * business state; it receives domain events via a thin service interface. This
+ * module IS that thin interface for authorization decisions.
+ */
+import type { Context } from "hono";
+import type { User } from "../types/user.ts";
+/**
+ * A single authorization-decision audit record.
+ *
+ * Field rationale (ADR 0027 §9 `{ op, user, collection, result, recordId }`
+ * extended with `decision` + `at`):
+ * - `op`         — which CRUD verb was attempted
+ * - `collection` — which Collection was targeted
+ * - `user`       — the authenticated principal (null = anonymous)
+ * - `decision`   — the binary outcome of the access predicate
+ * - `reason`     — human-readable context (primarily useful for `denied`)
+ * - `recordId`   — present when the predicate evaluated at record grain
+ * - `at`         — ISO 8601 wall-clock timestamp of the decision
+ */
+export interface AuditEvent {
+    readonly op: "read" | "list" | "create" | "update" | "put" | "delete";
+    readonly collection: string;
+    readonly user: User | null;
+    readonly decision: "granted" | "denied";
+    readonly reason?: string;
+    readonly recordId?: string;
+    readonly at: string;
+}
+/**
+ * Host-supplied sink. The host or a plugin provides a concrete implementation
+ * via `PluginDef.services.auditSink`. Persistence (D1 table, SIEM, log
+ * pipeline) is entirely host-configured — this module ships no backend.
+ */
+export interface AuditSink {
+    emit(e: AuditEvent): void | Promise<void>;
+}
+/**
+ * Emit an authorization audit event via the injected sink, best-effort.
+ *
+ * Best-effort contract (mirrors event-phase hooks, ADR 0013):
+ * - A synchronous sink throw is caught and logged; it NEVER propagates to
+ *   the caller or alters the HTTP response.
+ * - An async sink rejection is caught via `.catch`; it NEVER propagates.
+ * - This function returns synchronously; it NEVER blocks or delays the
+ *   request regardless of sink latency.
+ *
+ * The sink is resolved from `getServices(c).auditSink`; when no sink is
+ * injected (the common case), the frozen no-op sink is used — zero overhead,
+ * zero config required.
+ */
+export declare function recordAuditEvent(c: Context, event: AuditEvent): void;
+//# sourceMappingURL=audit.d.ts.map

package/dist/observability/audit.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"audit.d.ts","sourceRoot":"","sources":["../../src/observability/audit.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;GAgBG;AAEH,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,MAAM,CAAA;AAEnC,OAAO,KAAK,EAAE,IAAI,EAAE,MAAM,kBAAkB,CAAA;AAE5C;;;;;;;;;;;;GAYG;AACH,MAAM,WAAW,UAAU;IACzB,QAAQ,CAAC,EAAE,EAAE,MAAM,GAAG,MAAM,GAAG,QAAQ,GAAG,QAAQ,GAAG,KAAK,GAAG,QAAQ,CAAA;IACrE,QAAQ,CAAC,UAAU,EAAE,MAAM,CAAA;IAC3B,QAAQ,CAAC,IAAI,EAAE,IAAI,GAAG,IAAI,CAAA;IAC1B,QAAQ,CAAC,QAAQ,EAAE,SAAS,GAAG,QAAQ,CAAA;IACvC,QAAQ,CAAC,MAAM,CAAC,EAAE,MAAM,CAAA;IACxB,QAAQ,CAAC,QAAQ,CAAC,EAAE,MAAM,CAAA;IAC1B,QAAQ,CAAC,EAAE,EAAE,MAAM,CAAA;CACpB;AAED;;;;GAIG;AACH,MAAM,WAAW,SAAS;IACxB,IAAI,CAAC,CAAC,EAAE,UAAU,GAAG,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,CAAA;CAC1C;AAKD;;;;;;;;;;;;;GAaG;AACH,wBAAgB,gBAAgB,CAAC,CAAC,EAAE,OAAO,EAAE,KAAK,EAAE,UAAU,GAAG,IAAI,CAepE"}

package/dist/observability/index.d.ts

@@ -0,0 +1,2 @@
+export * from "./audit.ts";
+//# sourceMappingURL=index.d.ts.map

package/dist/observability/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/observability/index.ts"],"names":[],"mappings":"AAAA,cAAc,YAAY,CAAA"}

package/dist/publish/compile.d.ts

@@ -0,0 +1,76 @@
+/**
+ * Publish compile step — the "compile" half of `saacms publish`.
+ *
+ * Given a resolved `SaacmsConfig`, emits all artifacts the Publish pipeline
+ * commits to the developer's repo:
+ *
+ *   1. Host route files (e.g. `src/pages/<url>.astro`) for each Page in
+ *      `config.pages`, generated via the host adapter.
+ *   2. Published content JSON (`content/pages/<id>.json`) for each Page —
+ *      the page's Puck/Block tree persisted as a deterministic JSON file
+ *      alongside the route in the commit.
+ *   3. Repo-mode media bytes (`<assetRoot>saacms/<slug>/<name>`) for each
+ *      record in a `kind:"media", storage:{mode:"repo"}` Collection.
+ *      Bucket-mode media lives in R2 and is never committed (ADR 0024).
+ *
+ * Pure w.r.t. injected readers: the CLI supplies real adapters that read from
+ * the live DB / R2; tests inject in-process stubs. The compile step itself
+ * only *writes* — it has no direct coupling to the live storage tier.
+ *
+ * Per ADR 0001 (compile step), ADR 0003 (saacms owns routing), ADR 0009
+ * (repo-mode media on Publish).
+ */
+import type { SaacmsConfig } from "../schema/index.ts";
+/** The manifest returned by `compileForPublish`. */
+export interface CompileManifest {
+    /** All paths written (routes + content + media). Relative to `opts.cwd`. */
+    readonly written: ReadonlyArray<string>;
+    /** Emitted host route files (e.g. `src/pages/about.astro`). */
+    readonly routes: ReadonlyArray<string>;
+    /** Emitted published content JSON files (e.g. `content/pages/p-about.json`). */
+    readonly content: ReadonlyArray<string>;
+    /** Emitted repo-mode media files (e.g. `public/saacms/images/abc.png`). */
+    readonly media: ReadonlyArray<string>;
+}
+/** One repo-mode media record to materialize on Publish. */
+export interface RepoMediaRecord {
+    readonly bytes: Uint8Array;
+    readonly mime: string;
+    readonly originalFilename?: string;
+}
+/** Options for `compileForPublish`. */
+export interface CompileOptions {
+    /** Absolute path to the project root (files are written here). */
+    readonly cwd: string;
+    /**
+     * When `true`, compute the manifest but do NOT write files to disk.
+     * Used by `saacms publish --dry` to report what would be emitted.
+     * Default: `false`.
+     */
+    readonly dryRun?: boolean;
+    /**
+     * Inject the Puck/Block layout for a given page id. When omitted, the
+     * compile step uses `page.layout` from the config directly. Allows the CLI
+     * to supply the live-DB version of the layout while tests supply a stub.
+     */
+    readonly readPageContent?: (pageId: string) => unknown;
+    /**
+     * Inject repo-mode media records for a given collection slug. Each record
+     * carries the raw bytes, MIME type, and optional original filename. When
+     * omitted, no media is written (the collection has no pending uploads).
+     */
+    readonly readRepoMedia?: (collectionSlug: string) => ReadonlyArray<RepoMediaRecord>;
+}
+/**
+ * Emit all publish artifacts for the given `SaacmsConfig` into `opts.cwd`.
+ *
+ * Files are written deterministically: same config + same content → same
+ * bytes at the same paths. The compile step never writes outside `opts.cwd`
+ * (path-safety enforced by `writeFileSafe`).
+ *
+ * Returns a manifest of all written (or, in dryRun mode, would-be-written)
+ * paths relative to `opts.cwd`. The CLI passes these exact paths to
+ * `git add` so only saacms-emitted artifacts are staged.
+ */
+export declare function compileForPublish(config: SaacmsConfig, opts: CompileOptions): Promise<CompileManifest>;
+//# sourceMappingURL=compile.d.ts.map

package/dist/publish/compile.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"compile.d.ts","sourceRoot":"","sources":["../../src/publish/compile.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;GAqBG;AAIH,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAA;AA+BtD,oDAAoD;AACpD,MAAM,WAAW,eAAe;IAC9B,4EAA4E;IAC5E,QAAQ,CAAC,OAAO,EAAE,aAAa,CAAC,MAAM,CAAC,CAAA;IACvC,+DAA+D;IAC/D,QAAQ,CAAC,MAAM,EAAE,aAAa,CAAC,MAAM,CAAC,CAAA;IACtC,gFAAgF;IAChF,QAAQ,CAAC,OAAO,EAAE,aAAa,CAAC,MAAM,CAAC,CAAA;IACvC,2EAA2E;IAC3E,QAAQ,CAAC,KAAK,EAAE,aAAa,CAAC,MAAM,CAAC,CAAA;CACtC;AAED,4DAA4D;AAC5D,MAAM,WAAW,eAAe;IAC9B,QAAQ,CAAC,KAAK,EAAE,UAAU,CAAA;IAC1B,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAA;IACrB,QAAQ,CAAC,gBAAgB,CAAC,EAAE,MAAM,CAAA;CACnC;AAED,uCAAuC;AACvC,MAAM,WAAW,cAAc;IAC7B,kEAAkE;IAClE,QAAQ,CAAC,GAAG,EAAE,MAAM,CAAA;IACpB;;;;OAIG;IACH,QAAQ,CAAC,MAAM,CAAC,EAAE,OAAO,CAAA;IACzB;;;;OAIG;IACH,QAAQ,CAAC,eAAe,CAAC,EAAE,CAAC,MAAM,EAAE,MAAM,KAAK,OAAO,CAAA;IACtD;;;;OAIG;IACH,QAAQ,CAAC,aAAa,CAAC,EAAE,CACvB,cAAc,EAAE,MAAM,KACnB,aAAa,CAAC,eAAe,CAAC,CAAA;CACpC;AAMD;;;;;;;;;;GAUG;AACH,wBAAsB,iBAAiB,CACrC,MAAM,EAAE,YAAY,EACpB,IAAI,EAAE,cAAc,GACnB,OAAO,CAAC,eAAe,CAAC,CA6E1B"}

package/dist/runtime/auth-middleware.d.ts

@@ -0,0 +1,34 @@
+/**
+ * Auth middleware — resolves the calling `User` once per request and stashes
+ * it under `c.set("user", ...)` so downstream handlers can read it.
+ *
+ * Per ADR 0008 + ADR 0020 (Identity bounded context), the runtime never imports
+ * a concrete auth library; the host wires a `config.auth: AuthAdapter`, and
+ * this middleware bridges it into the Hono request lifecycle.
+ *
+ * Mounted FIRST in `runtime/index.ts` so all downstream route handlers see a
+ * resolved user (or `undefined` for anonymous) when they read `c.get("user")`.
+ *
+ * Contract:
+ *   - `config.auth` undefined → no middleware is registered at all
+ *     (anonymous-only mode; the runtime stays usable before the host wires auth).
+ *   - Otherwise, for every request:
+ *       1. call `config.auth.getSession(c.req.raw)` (the underlying Web Request),
+ *       2. on non-null `User` → `c.set("user", user)`,
+ *       3. on `null` → leave the variable unset,
+ *       4. on thrown exception → log via `console.warn` with the `[saacms/auth]`
+ *          prefix and leave the variable unset.
+ *   - The middleware NEVER rejects a request. Auth-required routes emit 401/403
+ *     themselves via the `access` predicate.
+ */
+import type { Context, Env, Hono } from "hono";
+import type { SaacmsConfig } from "../schema/index.ts";
+import type { User } from "../types/user.ts";
+export declare function mountAuthMiddleware<E extends Env>(app: Hono<E>, config: SaacmsConfig): void;
+/**
+ * Read the user that the middleware stashed onto the context, or `null` for
+ * anonymous. The route handlers currently inline this cast; this helper exists
+ * so future refactors can converge on a single read site.
+ */
+export declare function getUser(c: Context): User | null;
+//# sourceMappingURL=auth-middleware.d.ts.map

package/dist/runtime/auth-middleware.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth-middleware.d.ts","sourceRoot":"","sources":["../../src/runtime/auth-middleware.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;GAsBG;AAEH,OAAO,KAAK,EAAE,OAAO,EAAE,GAAG,EAAE,IAAI,EAAE,MAAM,MAAM,CAAA;AAC9C,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAA;AACtD,OAAO,KAAK,EAAE,IAAI,EAAE,MAAM,kBAAkB,CAAA;AAI5C,wBAAgB,mBAAmB,CAAC,CAAC,SAAS,GAAG,EAC/C,GAAG,EAAE,IAAI,CAAC,CAAC,CAAC,EACZ,MAAM,EAAE,YAAY,GACnB,IAAI,CAuBN;AAED;;;;GAIG;AACH,wBAAgB,OAAO,CAAC,CAAC,EAAE,OAAO,GAAG,IAAI,GAAG,IAAI,CAG/C"}

package/dist/runtime/boolean-columns.d.ts

@@ -0,0 +1,65 @@
+/**
+ * Schema-driven Boolean ↔ INTEGER (de)serialisation at the runtime storage
+ * boundary.
+ *
+ * Per ADR 0005 the Effect Schema is the single source of truth; per ADR 0020
+ * the storage adapter is a schema-AGNOSTIC anti-corruption layer that only
+ * knows snake↔camel and never the column types. SQLite has no boolean type, so
+ * `to-d1-migration.ts` maps `Schema.Boolean` to an `INTEGER` column. The
+ * projection of a `boolean` domain field to its `0`/`1` integer cell (and
+ * back) therefore cannot live in the adapter — it lives here, at the runtime
+ * boundary, where the collection's Effect Schema is already in hand. This is
+ * the exact sibling of `json-columns.ts` for the scalar boolean case.
+ *
+ *   - `encodeBooleanColumns` — map `true→1` / `false→0` for the boolean-typed
+ *     fields of a record immediately BEFORE `rows.insert/update`.
+ *   - `decodeBooleanColumns` — map the stored `1`/`0` (SQLite may surface it as
+ *     a number OR a bigint) back to `true`/`false` immediately AFTER
+ *     `rows.getById/list`.
+ *
+ * Without `decodeBooleanColumns` a `Schema.Boolean` create persists `1`/`0`
+ * but reads back as a *number*, so a subsequent PATCH (which re-validates the
+ * merged record against the Effect Schema) sees `1` where `boolean` is
+ * expected → a validation error. This is the identical failure shape the JSON
+ * gap had.
+ *
+ * Contract (identical to `json-columns.ts`):
+ *   - Which fields are "boolean" is derived from the SAME AST the codegen walks
+ *     (post optional/nullable/refinement stripping) via `AST.isBooleanKeyword`
+ *     — the exact test `to-d1-migration.ts` uses to choose `INTEGER`, so codec
+ *     and DDL can never disagree. Non-boolean primitives and the complex
+ *     shapes `json-columns.ts` owns are never touched (disjoint by AST kind).
+ *   - `null` / absent values are left untouched, composing correctly with the
+ *     adapter's NULL→absent read behaviour (ADR 0020) — an absent optional
+ *     boolean never becomes `0`/`false`.
+ *   - Symmetric + idempotent for valid data: `decode∘encode = identity`;
+ *     `decode` of an already-decoded (boolean) value is a no-op, so it is safe
+ *     to run on a cache-hit raw record or a freshly-decoded one.
+ *   - Pure: never mutates its input record; returns a shallow copy.
+ *
+ * Composition with `json-columns.ts`: the two codecs operate on disjoint field
+ * sets (boolean keyword vs. tuple/struct/unknown/any/object), so on the write
+ * path the order of `encodeBooleanColumns`/`encodeJsonColumns` is irrelevant,
+ * and likewise for the decode pair on the read path. The disjointness is
+ * asserted by a test.
+ */
+import type { AnySchema } from "../schema/index.ts";
+/**
+ * Return a shallow copy of `record` with every boolean-typed field mapped
+ * `true→1` / `false→0`, ready for `rows.insert/update`. `null`/absent fields
+ * are passed through unchanged so the adapter's NULL handling still applies.
+ * A non-boolean value (e.g. an already-encoded `0`/`1`) is left as-is, which
+ * keeps `encode` idempotent.
+ */
+export declare function encodeBooleanColumns<T extends Record<string, unknown>>(schema: AnySchema, record: T): T;
+/**
+ * Return a shallow copy of `record` with every boolean-typed field mapped from
+ * its stored integer back to a real `boolean`. SQLite may surface the cell as
+ * a number OR a bigint, so `1`/`1n`→`true` and `0`/`0n`→`false`. Values that
+ * are already boolean (already decoded) or `null`/absent are left untouched,
+ * so this is idempotent and safe to run on a raw storage row OR an
+ * already-decoded one. Any other value is left unchanged (defensive — never
+ * throw on a read path).
+ */
+export declare function decodeBooleanColumns<T extends Record<string, unknown>>(schema: AnySchema, record: T): T;
+//# sourceMappingURL=boolean-columns.d.ts.map

package/dist/runtime/boolean-columns.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"boolean-columns.d.ts","sourceRoot":"","sources":["../../src/runtime/boolean-columns.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA4CG;AAGH,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,oBAAoB,CAAA;AAmDnD;;;;;;GAMG;AACH,wBAAgB,oBAAoB,CAAC,CAAC,SAAS,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EACpE,MAAM,EAAE,SAAS,EACjB,MAAM,EAAE,CAAC,GACR,CAAC,CAWH;AAED;;;;;;;;GAQG;AACH,wBAAgB,oBAAoB,CAAC,CAAC,SAAS,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EACpE,MAAM,EAAE,SAAS,EACjB,MAAM,EAAE,CAAC,GACR,CAAC,CAiBH"}