@tetrascience-npm/request 0.2.0-beta.106.2

package/dist/server/types.d.ts

@@ -0,0 +1,13 @@
+/**
+ * Request-scoped context that persists throughout the lifecycle
+ * of a single request via AsyncLocalStorage.
+ */
+export interface RequestContext {
+    requestId: string;
+    sessionId: string;
+    /** Organization slug from the incoming request. */
+    orgSlug?: string;
+    /** Auth token from the incoming request. */
+    authToken?: string;
+}
+//# sourceMappingURL=types.d.ts.map

package/dist/server/types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../src/server/types.ts"],"names":[],"mappings":"AAAA;;;GAGG;AACH,MAAM,WAAW,cAAc;IAC9B,SAAS,EAAE,MAAM,CAAC;IAClB,SAAS,EAAE,MAAM,CAAC;IAClB,mDAAmD;IACnD,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,4CAA4C;IAC5C,SAAS,CAAC,EAAE,MAAM,CAAC;CACnB"}

package/dist/server/types.js

@@ -0,0 +1,2 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });

package/dist/shared/client-types.d.ts

@@ -0,0 +1,63 @@
+import type { HeaderValue, RequestTrackingLogger } from './types';
+/** Tracing options — identity, correlation, and logging. */
+export interface TracingOptions {
+    /** Request ID for end-to-end correlation. Defaults to a new UUID per request. */
+    requestId?: HeaderValue;
+    /** Session ID for cross-request correlation. */
+    sessionId?: HeaderValue;
+    /** Service name injected as ts-initiating-service-name (audit/identity). */
+    serviceName?: HeaderValue;
+    /** If provided, logs outgoing requests, responses, and errors with the request ID. */
+    logger?: RequestTrackingLogger;
+}
+/**
+ * Base auth fields shared by both auth modes.
+ * Values can be static strings or functions resolved per-request.
+ */
+export interface AuthBase {
+    /** Auth token (ts-auth-token). Auto-resolves from context if not provided. */
+    authToken?: HeaderValue;
+    /** Organization slug (x-org-slug). Auto-resolves from context if not provided. */
+    orgSlug?: HeaderValue;
+}
+/**
+ * Internal (service-to-service) authentication with explicit config.
+ *
+ * @example
+ * ```ts
+ * auth: { internalApiKey: process.env.INTERNAL_API_KEY, orgSlug: 'my-org' }
+ * ```
+ */
+export interface InternalAuthExplicit extends AuthBase {
+    /** Internal API key for service-to-service auth. */
+    internalApiKey: HeaderValue;
+}
+/**
+ * Internal or direct authentication.
+ *
+ * Use string shorthands for auto-resolve, or explicit objects for manual config.
+ *
+ * @example
+ * ```ts
+ * auth: 'internal'  // reads INTERNAL_API_KEY env var, orgSlug + authToken from context
+ * auth: 'direct'    // reads authToken + orgSlug from context/cookies
+ * auth: { internalApiKey: env.KEY }            // explicit API key, rest from context
+ * auth: { authToken: jwt, orgSlug: 'my-org' }  // explicit direct auth
+ * ```
+ */
+export type InternalAuth = InternalAuthExplicit | 'internal';
+export type DirectAuth = AuthBase | 'direct';
+/** Base options shared by all generated service clients. */
+export interface ServiceClientOptions extends TracingOptions {
+    /** API base URL. Required on server. Defaults to relative URLs (current origin) in browser. */
+    baseUrl?: string;
+    /** Custom headers. For anything outside the standard auth/tracing fields. */
+    headers?: Record<string, string>;
+    /** Disable request body validation (default: enabled). */
+    skipValidation?: boolean;
+    /** Authentication mode. */
+    auth: InternalAuth | DirectAuth;
+}
+/** Type guard to distinguish InternalAuth from DirectAuth. */
+export declare function isInternalAuth(auth: InternalAuth | DirectAuth): auth is InternalAuth;
+//# sourceMappingURL=client-types.d.ts.map

package/dist/shared/client-types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"client-types.d.ts","sourceRoot":"","sources":["../../src/shared/client-types.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAC,WAAW,EAAE,qBAAqB,EAAC,MAAM,SAAS,CAAC;AAEhE,4DAA4D;AAC5D,MAAM,WAAW,cAAc;IAC9B,iFAAiF;IACjF,SAAS,CAAC,EAAE,WAAW,CAAC;IACxB,gDAAgD;IAChD,SAAS,CAAC,EAAE,WAAW,CAAC;IACxB,4EAA4E;IAC5E,WAAW,CAAC,EAAE,WAAW,CAAC;IAC1B,sFAAsF;IACtF,MAAM,CAAC,EAAE,qBAAqB,CAAC;CAC/B;AAED;;;GAGG;AACH,MAAM,WAAW,QAAQ;IACxB,8EAA8E;IAC9E,SAAS,CAAC,EAAE,WAAW,CAAC;IACxB,kFAAkF;IAClF,OAAO,CAAC,EAAE,WAAW,CAAC;CACtB;AAED;;;;;;;GAOG;AACH,MAAM,WAAW,oBAAqB,SAAQ,QAAQ;IACrD,oDAAoD;IACpD,cAAc,EAAE,WAAW,CAAC;CAC5B;AAED;;;;;;;;;;;;GAYG;AACH,MAAM,MAAM,YAAY,GAAG,oBAAoB,GAAG,UAAU,CAAC;AAC7D,MAAM,MAAM,UAAU,GAAG,QAAQ,GAAG,QAAQ,CAAC;AAE7C,4DAA4D;AAC5D,MAAM,WAAW,oBAAqB,SAAQ,cAAc;IAC3D,+FAA+F;IAC/F,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,6EAA6E;IAC7E,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACjC,0DAA0D;IAC1D,cAAc,CAAC,EAAE,OAAO,CAAC;IACzB,2BAA2B;IAC3B,IAAI,EAAE,YAAY,GAAG,UAAU,CAAC;CAChC;AAED,8DAA8D;AAC9D,wBAAgB,cAAc,CAAC,IAAI,EAAE,YAAY,GAAG,UAAU,GAAG,IAAI,IAAI,YAAY,CAEpF"}

package/dist/shared/client-types.js

@@ -0,0 +1,7 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.isInternalAuth = isInternalAuth;
+/** Type guard to distinguish InternalAuth from DirectAuth. */
+function isInternalAuth(auth) {
+    return auth === 'internal' || (typeof auth === 'object' && 'internalApiKey' in auth);
+}

package/dist/shared/constants.d.ts

@@ -0,0 +1,7 @@
+export declare const ORG_SLUG_HEADER = "x-org-slug";
+export declare const AUTH_TOKEN_HEADER = "ts-auth-token";
+export declare const REQUEST_ID_HEADER = "ts-request-id";
+export declare const INTERNAL_API_KEY_HEADER = "ts-internal-api-key";
+export declare const INITIATING_SERVICE_NAME_HEADER = "ts-initiating-service-name";
+export declare const SESSION_ID_HEADER = "ts-session-id";
+//# sourceMappingURL=constants.d.ts.map

package/dist/shared/constants.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"constants.d.ts","sourceRoot":"","sources":["../../src/shared/constants.ts"],"names":[],"mappings":"AAAA,eAAO,MAAM,eAAe,eAAe,CAAC;AAC5C,eAAO,MAAM,iBAAiB,kBAAkB,CAAC;AACjD,eAAO,MAAM,iBAAiB,kBAAkB,CAAC;AACjD,eAAO,MAAM,uBAAuB,wBAAwB,CAAC;AAC7D,eAAO,MAAM,8BAA8B,+BAA+B,CAAC;AAC3E,eAAO,MAAM,iBAAiB,kBAAkB,CAAC"}

package/dist/shared/constants.js

@@ -0,0 +1,9 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.SESSION_ID_HEADER = exports.INITIATING_SERVICE_NAME_HEADER = exports.INTERNAL_API_KEY_HEADER = exports.REQUEST_ID_HEADER = exports.AUTH_TOKEN_HEADER = exports.ORG_SLUG_HEADER = void 0;
+exports.ORG_SLUG_HEADER = 'x-org-slug';
+exports.AUTH_TOKEN_HEADER = 'ts-auth-token';
+exports.REQUEST_ID_HEADER = 'ts-request-id';
+exports.INTERNAL_API_KEY_HEADER = 'ts-internal-api-key';
+exports.INITIATING_SERVICE_NAME_HEADER = 'ts-initiating-service-name';
+exports.SESSION_ID_HEADER = 'ts-session-id';

package/dist/shared/generate-request-id.d.ts

@@ -0,0 +1,10 @@
+/**
+ * Generate a fresh UUID v4 request ID. Always creates a new ID — does not
+ * read from AsyncLocalStorage context. For context-aware request IDs on
+ * the server, use `getRequestId()` from the `/server` entrypoint instead.
+ *
+ * Uses crypto.randomUUID() when available (modern browsers and Node).
+ * Falls back to a Math.random()-based implementation for insecure contexts (HTTP in dev).
+ */
+export declare function generateRequestId(): string;
+//# sourceMappingURL=generate-request-id.d.ts.map

package/dist/shared/generate-request-id.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"generate-request-id.d.ts","sourceRoot":"","sources":["../../src/shared/generate-request-id.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AACH,wBAAgB,iBAAiB,IAAI,MAAM,CAU1C"}

package/dist/shared/generate-request-id.js

@@ -0,0 +1,21 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.generateRequestId = generateRequestId;
+/**
+ * Generate a fresh UUID v4 request ID. Always creates a new ID — does not
+ * read from AsyncLocalStorage context. For context-aware request IDs on
+ * the server, use `getRequestId()` from the `/server` entrypoint instead.
+ *
+ * Uses crypto.randomUUID() when available (modern browsers and Node).
+ * Falls back to a Math.random()-based implementation for insecure contexts (HTTP in dev).
+ */
+function generateRequestId() {
+    if (typeof crypto !== 'undefined' && typeof crypto.randomUUID === 'function') {
+        return crypto.randomUUID();
+    }
+    return 'xxxxxxxx-xxxx-4xxx-yxxx-xxxxxxxxxxxx'.replace(/[xy]/g, (c) => {
+        const r = (Math.random() * 16) | 0;
+        const v = c === 'x' ? r : (r & 0x3) | 0x8;
+        return v.toString(16);
+    });
+}

package/dist/shared/index.d.ts

@@ -0,0 +1,8 @@
+export * from './constants';
+export * from './types';
+export * from './client-types';
+export * from './generate-request-id';
+export * from './middleware';
+export { default as createClient } from 'openapi-fetch';
+export type { Client as OpenAPIClient, Middleware } from 'openapi-fetch';
+//# sourceMappingURL=index.d.ts.map

package/dist/shared/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/shared/index.ts"],"names":[],"mappings":"AAAA,cAAc,aAAa,CAAC;AAC5B,cAAc,SAAS,CAAC;AACxB,cAAc,gBAAgB,CAAC;AAC/B,cAAc,uBAAuB,CAAC;AACtC,cAAc,cAAc,CAAC;AAI7B,OAAO,EAAC,OAAO,IAAI,YAAY,EAAC,MAAM,eAAe,CAAC;AAEtD,YAAY,EAAC,MAAM,IAAI,aAAa,EAAE,UAAU,EAAC,MAAM,eAAe,CAAC"}

package/dist/shared/index.js

@@ -0,0 +1,29 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __exportStar = (this && this.__exportStar) || function(m, exports) {
+    for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
+};
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.createClient = void 0;
+__exportStar(require("./constants"), exports);
+__exportStar(require("./types"), exports);
+__exportStar(require("./client-types"), exports);
+__exportStar(require("./generate-request-id"), exports);
+__exportStar(require("./middleware"), exports);
+// Re-export openapi-fetch for generated clients (renamed, can't use export *)
+// eslint-disable-next-line no-restricted-syntax
+var openapi_fetch_1 = require("openapi-fetch");
+Object.defineProperty(exports, "createClient", { enumerable: true, get: function () { return __importDefault(openapi_fetch_1).default; } });

package/dist/shared/middleware/auth.d.ts

@@ -0,0 +1,39 @@
+import type { Middleware } from 'openapi-fetch';
+import type { InternalAuth, DirectAuth } from '../client-types';
+/**
+ * Create middleware that injects internal (service-to-service) auth headers.
+ *
+ * This mode is server-only. In browser context, use 'direct' instead.
+ *
+ * @example
+ * ```ts
+ * // Auto — reads INTERNAL_API_KEY env var, orgSlug + authToken from context
+ * client.use(createInternalAuthMiddleware('internal'))
+ *
+ * // Explicit API key, rest from context
+ * client.use(createInternalAuthMiddleware({ internalApiKey: env.KEY }))
+ * ```
+ */
+export declare function createInternalAuthMiddleware(auth: InternalAuth): Middleware;
+/**
+ * Create middleware that injects direct (user/browser) auth headers.
+ *
+ * In browser context, `'direct'` is a no-op — the browser sends
+ * `ts-auth-token` and `x-org-slug` cookies automatically with
+ * same-origin `fetch()` requests. No JS cookie reading needed.
+ *
+ * On the server, `'direct'` reads from AsyncLocalStorage context
+ * (set by `createRequestMiddleware`).
+ *
+ * @example
+ * ```ts
+ * // Browser — no-op, cookies handle auth
+ * // Server — reads from RequestContext
+ * client.use(createDirectAuthMiddleware('direct'))
+ *
+ * // Explicit (E2E tests, non-cookie flows)
+ * client.use(createDirectAuthMiddleware({ authToken: jwt, orgSlug: 'my-org' }))
+ * ```
+ */
+export declare function createDirectAuthMiddleware(auth: DirectAuth): Middleware;
+//# sourceMappingURL=auth.d.ts.map

package/dist/shared/middleware/auth.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth.d.ts","sourceRoot":"","sources":["../../../src/shared/middleware/auth.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAC,UAAU,EAAC,MAAM,eAAe,CAAC;AAC9C,OAAO,KAAK,EAAC,YAAY,EAAE,UAAU,EAAC,MAAM,iBAAiB,CAAC;AAoF9D;;;;;;;;;;;;;GAaG;AACH,wBAAgB,4BAA4B,CAAC,IAAI,EAAE,YAAY,GAAG,UAAU,CAyB3E;AAED;;;;;;;;;;;;;;;;;;;GAmBG;AACH,wBAAgB,0BAA0B,CAAC,IAAI,EAAE,UAAU,GAAG,UAAU,CA2BvE"}

package/dist/shared/middleware/auth.js

@@ -0,0 +1,164 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.createInternalAuthMiddleware = createInternalAuthMiddleware;
+exports.createDirectAuthMiddleware = createDirectAuthMiddleware;
+const constants_1 = require("../constants");
+const utils_1 = require("./utils");
+const isBrowser = typeof document !== 'undefined';
+const isLocalhost = (hostname) => hostname === 'localhost' || hostname === '127.0.0.1';
+/**
+ * Get the trusted internal domain from INTERNAL_DOMAIN env var.
+ * e.g. "tetrascience-dev.int" → allows https://{service}.tetrascience-dev.int
+ */
+function getTrustedDomain() {
+    if (typeof process !== 'undefined') {
+        return process.env?.INTERNAL_DOMAIN;
+    }
+    return undefined;
+}
+/**
+ * Guard against leaking auth tokens over insecure connections.
+ * Allows HTTPS and localhost (for local dev).
+ */
+function assertSecureUrl(request) {
+    const url = new URL(request.url);
+    if (url.protocol !== 'https:' && !isLocalhost(url.hostname)) {
+        throw new Error(`Refusing to send auth credentials over insecure connection: ${url.protocol}//${url.hostname}. ` +
+            'Use HTTPS or localhost.');
+    }
+}
+/**
+ * Stricter guard for internal API keys.
+ *
+ * If INTERNAL_DOMAIN is set (e.g. "tetrascience-dev.int"), only
+ * allows requests to that exact domain or its subdomains.
+ *
+ * If not set, falls back to requiring a .int TLD.
+ *
+ * Always allows localhost for local dev.
+ */
+function assertInternalUrl(request) {
+    assertSecureUrl(request);
+    const url = new URL(request.url);
+    if (isLocalhost(url.hostname))
+        return;
+    const trustedDomain = getTrustedDomain();
+    if (trustedDomain) {
+        // Exact match or subdomain match
+        if (url.hostname !== trustedDomain && !url.hostname.endsWith(`.${trustedDomain}`)) {
+            throw new Error(`Refusing to send internal API key to untrusted domain: ${url.hostname}. ` +
+                `Expected ${trustedDomain} (set by INTERNAL_DOMAIN).`);
+        }
+    }
+    else {
+        // Fallback: require .int or .internal TLD (both used across TDP environments)
+        if (!url.hostname.endsWith('.int') && !url.hostname.endsWith('.internal')) {
+            throw new Error(`Refusing to send internal API key to non-internal domain: ${url.hostname}. ` +
+                'Set INTERNAL_DOMAIN or use a .int/.internal domain.');
+        }
+    }
+}
+/**
+ * Try to read auth values from server context (Node only).
+ * Returns empty object in browser — auth is handled by cookies automatically.
+ */
+function tryGetServerAuthContext() {
+    if (isBrowser)
+        return {};
+    try {
+        // eslint-disable-next-line @typescript-eslint/no-var-requires
+        const { getRequestContext } = require('@tetrascience-npm/request/server');
+        const ctx = getRequestContext();
+        return { orgSlug: ctx.orgSlug, authToken: ctx.authToken };
+    }
+    catch {
+        return {};
+    }
+}
+/**
+ * Create middleware that injects internal (service-to-service) auth headers.
+ *
+ * This mode is server-only. In browser context, use 'direct' instead.
+ *
+ * @example
+ * ```ts
+ * // Auto — reads INTERNAL_API_KEY env var, orgSlug + authToken from context
+ * client.use(createInternalAuthMiddleware('internal'))
+ *
+ * // Explicit API key, rest from context
+ * client.use(createInternalAuthMiddleware({ internalApiKey: env.KEY }))
+ * ```
+ */
+function createInternalAuthMiddleware(auth) {
+    if (auth === 'internal') {
+        return {
+            onRequest({ request }) {
+                assertInternalUrl(request);
+                const apiKey = process.env.INTERNAL_API_KEY;
+                if (apiKey)
+                    (0, utils_1.setIfAbsent)(request, constants_1.INTERNAL_API_KEY_HEADER, apiKey);
+                const ctx = tryGetServerAuthContext();
+                (0, utils_1.setIfAbsent)(request, constants_1.ORG_SLUG_HEADER, ctx.orgSlug);
+                (0, utils_1.setIfAbsent)(request, constants_1.AUTH_TOKEN_HEADER, ctx.authToken);
+                return request;
+            },
+        };
+    }
+    return {
+        onRequest({ request }) {
+            assertInternalUrl(request);
+            (0, utils_1.setIfAbsent)(request, constants_1.INTERNAL_API_KEY_HEADER, auth.internalApiKey);
+            const ctx = tryGetServerAuthContext();
+            (0, utils_1.setIfAbsent)(request, constants_1.ORG_SLUG_HEADER, auth.orgSlug ?? ctx.orgSlug);
+            (0, utils_1.setIfAbsent)(request, constants_1.AUTH_TOKEN_HEADER, auth.authToken ?? ctx.authToken);
+            return request;
+        },
+    };
+}
+/**
+ * Create middleware that injects direct (user/browser) auth headers.
+ *
+ * In browser context, `'direct'` is a no-op — the browser sends
+ * `ts-auth-token` and `x-org-slug` cookies automatically with
+ * same-origin `fetch()` requests. No JS cookie reading needed.
+ *
+ * On the server, `'direct'` reads from AsyncLocalStorage context
+ * (set by `createRequestMiddleware`).
+ *
+ * @example
+ * ```ts
+ * // Browser — no-op, cookies handle auth
+ * // Server — reads from RequestContext
+ * client.use(createDirectAuthMiddleware('direct'))
+ *
+ * // Explicit (E2E tests, non-cookie flows)
+ * client.use(createDirectAuthMiddleware({ authToken: jwt, orgSlug: 'my-org' }))
+ * ```
+ */
+function createDirectAuthMiddleware(auth) {
+    if (auth === 'direct') {
+        // Browser: no-op. Cookies are sent automatically by fetch().
+        // Server: read from AsyncLocalStorage context.
+        if (isBrowser) {
+            return { onRequest: ({ request }) => request };
+        }
+        return {
+            onRequest({ request }) {
+                assertSecureUrl(request);
+                const ctx = tryGetServerAuthContext();
+                (0, utils_1.setIfAbsent)(request, constants_1.AUTH_TOKEN_HEADER, ctx.authToken);
+                (0, utils_1.setIfAbsent)(request, constants_1.ORG_SLUG_HEADER, ctx.orgSlug);
+                return request;
+            },
+        };
+    }
+    // Explicit values — always set headers (E2E tests, non-cookie flows)
+    return {
+        onRequest({ request }) {
+            assertSecureUrl(request);
+            (0, utils_1.setIfAbsent)(request, constants_1.AUTH_TOKEN_HEADER, auth.authToken);
+            (0, utils_1.setIfAbsent)(request, constants_1.ORG_SLUG_HEADER, auth.orgSlug);
+            return request;
+        },
+    };
+}

package/dist/shared/middleware/default.d.ts

@@ -0,0 +1,29 @@
+import type { Client } from 'openapi-fetch';
+import type { ServiceClientOptions } from '../client-types';
+import type { Parseable } from './validation';
+/**
+ * Apply the default middleware pipeline to an openapi-fetch client.
+ *
+ * Pipeline order:
+ *   1. Tracing — ts-request-id, ts-session-id, ts-initiating-service-name
+ *   2. Auth — internal (API key + context) or direct (JWT)
+ *   3. Validation — Zod request body validation (unless skipValidation)
+ *   4. Safe response — wraps non-JSON success responses
+ *
+ * On Node servers, request IDs are automatically propagated from
+ * AsyncLocalStorage context (set by requestContextMiddleware) when
+ * no explicit requestId option is provided. In browsers, a fresh
+ * UUID is generated per request.
+ *
+ * This is the standard pipeline used by all generated service clients.
+ * New middleware added here will be picked up by existing clients on
+ * their next dependency update — no client regeneration needed.
+ *
+ * @example
+ * ```ts
+ * const client = createClient<paths>({ baseUrl, headers })
+ * applyDefaultMiddleware(client, options, requestBodySchemas)
+ * ```
+ */
+export declare function applyDefaultMiddleware(client: Client<any>, options: ServiceClientOptions, schemas?: Record<string, Parseable>): void;
+//# sourceMappingURL=default.d.ts.map

package/dist/shared/middleware/default.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"default.d.ts","sourceRoot":"","sources":["../../../src/shared/middleware/default.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAC,MAAM,EAAC,MAAM,eAAe,CAAC;AAC1C,OAAO,KAAK,EAAC,oBAAoB,EAAC,MAAM,iBAAiB,CAAC;AAC1D,OAAO,KAAK,EAAC,SAAS,EAAC,MAAM,cAAc,CAAC;AAyB5C;;;;;;;;;;;;;;;;;;;;;;;GAuBG;AACH,wBAAgB,sBAAsB,CACrC,MAAM,EAAE,MAAM,CAAC,GAAG,CAAC,EACnB,OAAO,EAAE,oBAAoB,EAC7B,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,SAAS,CAAC,GACjC,IAAI,CAoBN"}

package/dist/shared/middleware/default.js

@@ -0,0 +1,67 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.applyDefaultMiddleware = applyDefaultMiddleware;
+const client_types_1 = require("../client-types");
+const tracing_1 = require("./tracing");
+const auth_1 = require("./auth");
+const validation_1 = require("./validation");
+const safe_response_1 = require("./safe-response");
+/**
+ * Try to resolve getRequestId from the /server entrypoint at runtime.
+ * On Node, this reads the request ID from AsyncLocalStorage context.
+ * In browsers, the require fails and we return undefined (falls back
+ * to generating a new UUID).
+ */
+function tryGetServerContext() {
+    try {
+        // Dynamic require so this module stays browser-safe at import time.
+        // eslint-disable-next-line @typescript-eslint/no-var-requires
+        const { getRequestContext, getRequestId } = require('@tetrascience-npm/request/server');
+        const ctx = getRequestContext();
+        return { requestId: getRequestId(), sessionId: ctx.sessionId, orgSlug: ctx.orgSlug, authToken: ctx.authToken };
+    }
+    catch {
+        return {};
+    }
+}
+/**
+ * Apply the default middleware pipeline to an openapi-fetch client.
+ *
+ * Pipeline order:
+ *   1. Tracing — ts-request-id, ts-session-id, ts-initiating-service-name
+ *   2. Auth — internal (API key + context) or direct (JWT)
+ *   3. Validation — Zod request body validation (unless skipValidation)
+ *   4. Safe response — wraps non-JSON success responses
+ *
+ * On Node servers, request IDs are automatically propagated from
+ * AsyncLocalStorage context (set by requestContextMiddleware) when
+ * no explicit requestId option is provided. In browsers, a fresh
+ * UUID is generated per request.
+ *
+ * This is the standard pipeline used by all generated service clients.
+ * New middleware added here will be picked up by existing clients on
+ * their next dependency update — no client regeneration needed.
+ *
+ * @example
+ * ```ts
+ * const client = createClient<paths>({ baseUrl, headers })
+ * applyDefaultMiddleware(client, options, requestBodySchemas)
+ * ```
+ */
+function applyDefaultMiddleware(client, options, schemas) {
+    // If no explicit requestId/sessionId, try to read from server context (AsyncLocalStorage).
+    // This makes tracing propagation automatic for server-side consumers.
+    const tracingOptions = (options.requestId && options.sessionId)
+        ? options
+        : { ...options,
+            requestId: options.requestId ?? (() => tryGetServerContext().requestId),
+            sessionId: options.sessionId ?? (() => tryGetServerContext().sessionId),
+        };
+    client.use((0, tracing_1.createTracingMiddleware)(tracingOptions));
+    const { auth } = options;
+    client.use((0, client_types_1.isInternalAuth)(auth) ? (0, auth_1.createInternalAuthMiddleware)(auth) : (0, auth_1.createDirectAuthMiddleware)(auth));
+    if (!options.skipValidation && schemas) {
+        client.use((0, validation_1.createRequestValidationMiddleware)({ schemas }));
+    }
+    client.use((0, safe_response_1.createSafeResponseMiddleware)());
+}

package/dist/shared/middleware/index.d.ts

@@ -0,0 +1,6 @@
+export * from './tracing';
+export * from './auth';
+export * from './validation';
+export * from './safe-response';
+export * from './default';
+//# sourceMappingURL=index.d.ts.map

package/dist/shared/middleware/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/shared/middleware/index.ts"],"names":[],"mappings":"AAAA,cAAc,WAAW,CAAC;AAC1B,cAAc,QAAQ,CAAC;AACvB,cAAc,cAAc,CAAC;AAC7B,cAAc,iBAAiB,CAAC;AAChC,cAAc,WAAW,CAAC"}

package/dist/shared/middleware/index.js

@@ -0,0 +1,21 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __exportStar = (this && this.__exportStar) || function(m, exports) {
+    for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+__exportStar(require("./tracing"), exports);
+__exportStar(require("./auth"), exports);
+__exportStar(require("./validation"), exports);
+__exportStar(require("./safe-response"), exports);
+__exportStar(require("./default"), exports);

package/dist/shared/middleware/safe-response.d.ts

@@ -0,0 +1,22 @@
+import type { Middleware } from 'openapi-fetch';
+/**
+ * Create openapi-fetch middleware that prevents crashes when the server
+ * returns a non-JSON body (e.g. plain text "success") on a successful response.
+ *
+ * openapi-fetch's default parser calls `response.json()` which throws on
+ * non-JSON bodies. This middleware detects that case and wraps the body in
+ * a `{ message: "<text>" }` JSON envelope so parsing succeeds.
+ *
+ * 204 No Content responses are left untouched (no body to parse).
+ *
+ * @example
+ * ```ts
+ * import createClient from 'openapi-fetch';
+ * import {createSafeResponseMiddleware} from '@tetrascience-npm/request';
+ *
+ * const client = createClient<paths>({baseUrl: '...'});
+ * client.use(createSafeResponseMiddleware());
+ * ```
+ */
+export declare function createSafeResponseMiddleware(): Middleware;
+//# sourceMappingURL=safe-response.d.ts.map

package/dist/shared/middleware/safe-response.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"safe-response.d.ts","sourceRoot":"","sources":["../../../src/shared/middleware/safe-response.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAC,UAAU,EAAC,MAAM,eAAe,CAAC;AAE9C;;;;;;;;;;;;;;;;;;GAkBG;AACH,wBAAgB,4BAA4B,IAAI,UAAU,CAkBzD"}

package/dist/shared/middleware/safe-response.js

@@ -0,0 +1,41 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.createSafeResponseMiddleware = createSafeResponseMiddleware;
+/**
+ * Create openapi-fetch middleware that prevents crashes when the server
+ * returns a non-JSON body (e.g. plain text "success") on a successful response.
+ *
+ * openapi-fetch's default parser calls `response.json()` which throws on
+ * non-JSON bodies. This middleware detects that case and wraps the body in
+ * a `{ message: "<text>" }` JSON envelope so parsing succeeds.
+ *
+ * 204 No Content responses are left untouched (no body to parse).
+ *
+ * @example
+ * ```ts
+ * import createClient from 'openapi-fetch';
+ * import {createSafeResponseMiddleware} from '@tetrascience-npm/request';
+ *
+ * const client = createClient<paths>({baseUrl: '...'});
+ * client.use(createSafeResponseMiddleware());
+ * ```
+ */
+function createSafeResponseMiddleware() {
+    return {
+        async onResponse({ response }) {
+            const contentType = response.headers.get('content-type') || '';
+            const isJson = contentType.includes('/json') || contentType.includes('+json');
+            if (response.ok && response.status !== 204 && !isJson) {
+                const text = await response.clone().text();
+                const headers = new Headers(response.headers);
+                headers.set('content-type', 'application/json');
+                return new Response(JSON.stringify({ message: text }), {
+                    status: response.status,
+                    statusText: response.statusText,
+                    headers,
+                });
+            }
+            return undefined;
+        },
+    };
+}

package/dist/shared/middleware/tracing.d.ts

@@ -0,0 +1,23 @@
+import type { Middleware } from 'openapi-fetch';
+import type { TracingOptions } from '../client-types';
+/**
+ * Create middleware that injects tracing headers and optionally logs
+ * requests, responses, and errors.
+ *
+ * Headers injected (only if not already present):
+ * - ts-request-id (auto-generates UUID if not provided)
+ * - ts-session-id (if provided)
+ * - ts-initiating-service-name (if provided)
+ *
+ * @example
+ * ```ts
+ * client.use(createTracingMiddleware({
+ *   requestId: () => getRequestId(),
+ *   sessionId: () => getRequestContext().sessionId,
+ *   serviceName: 'my-service',
+ *   logger: console,
+ * }))
+ * ```
+ */
+export declare function createTracingMiddleware(options?: TracingOptions): Middleware;
+//# sourceMappingURL=tracing.d.ts.map

package/dist/shared/middleware/tracing.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"tracing.d.ts","sourceRoot":"","sources":["../../../src/shared/middleware/tracing.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAC,UAAU,EAAC,MAAM,eAAe,CAAC;AAC9C,OAAO,KAAK,EAAC,cAAc,EAAC,MAAM,iBAAiB,CAAC;AAMpD;;;;;;;;;;;;;;;;;;GAkBG;AACH,wBAAgB,uBAAuB,CAAC,OAAO,CAAC,EAAE,cAAc,GAAG,UAAU,CA6C5E"}