npm - @tstdl/base - Versions diffs - 0.93.86 → 0.93.89 - Mend

@tstdl/base 0.93.86 → 0.93.89

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (318) hide show

package/ai/genkit/helpers.d.ts +3 -1
package/ai/genkit/helpers.js +3 -3
package/api/server/gateway.d.ts +3 -0
package/api/server/gateway.js +15 -4
package/api/server/middlewares/catch-error.middleware.js +2 -4
package/api/server/middlewares/cors.middleware.js +2 -3
package/api/server/middlewares/csrf.middleware.d.ts +41 -0
package/api/server/middlewares/csrf.middleware.js +108 -0
package/api/server/middlewares/index.d.ts +1 -0
package/api/server/middlewares/index.js +1 -0
package/api/server/module.d.ts +8 -2
package/api/server/module.js +14 -8
package/api/server/tests/csrf.middleware.test.js +91 -0
package/audit/drizzle/{0000_bored_stick.sql → 0000_lumpy_thunderball.sql} +3 -3
package/audit/drizzle/meta/0000_snapshot.json +4 -4
package/audit/drizzle/meta/_journal.json +2 -9
package/audit/module.d.ts +4 -1
package/audit/module.js +3 -2
package/audit/schemas.d.ts +1 -1
package/audit/types.d.ts +1 -1
package/audit/types.js +1 -1
package/authentication/client/authentication.service.d.ts +14 -1
package/authentication/client/authentication.service.js +82 -23
package/authentication/client/http-client.middleware.d.ts +6 -0
package/authentication/client/http-client.middleware.js +36 -0
package/authentication/client/module.js +8 -2
package/authentication/models/service-account.model.d.ts +2 -2
package/authentication/models/service-account.model.js +10 -5
package/authentication/models/subject.model.d.ts +19 -5
package/authentication/models/subject.model.js +25 -29
package/authentication/models/system-account.model.d.ts +3 -2
package/authentication/models/system-account.model.js +11 -5
package/authentication/models/user.model.d.ts +2 -11
package/authentication/models/user.model.js +5 -16
package/authentication/server/authentication-api-request-token.provider.d.ts +0 -2
package/authentication/server/authentication-api-request-token.provider.js +3 -11
package/authentication/server/authentication.api-controller.d.ts +1 -2
package/authentication/server/authentication.api-controller.js +8 -9
package/authentication/server/authentication.audit.d.ts +3 -2
package/authentication/server/authentication.service.d.ts +27 -1
package/authentication/server/authentication.service.js +67 -18
package/authentication/server/drizzle/{0000_normal_paper_doll.sql → 0000_soft_tag.sql} +25 -32
package/authentication/server/drizzle/meta/0000_snapshot.json +180 -205
package/authentication/server/drizzle/meta/_journal.json +2 -2
package/authentication/server/helper.js +9 -2
package/authentication/server/module.d.ts +4 -1
package/authentication/server/module.js +9 -5
package/authentication/server/schemas.d.ts +2 -1
package/authentication/server/schemas.js +2 -2
package/authentication/server/subject.service.d.ts +14 -8
package/authentication/server/subject.service.js +86 -84
package/authentication/tests/authentication-ancillary.service.test.d.ts +1 -0
package/authentication/tests/authentication-ancillary.service.test.js +13 -0
package/authentication/tests/authentication-secret-requirements.validator.test.d.ts +1 -0
package/authentication/tests/authentication-secret-requirements.validator.test.js +29 -0
package/authentication/tests/authentication.api-controller.test.d.ts +1 -0
package/authentication/tests/authentication.api-controller.test.js +88 -0
package/authentication/tests/authentication.api-request-token.provider.test.d.ts +1 -0
package/authentication/tests/authentication.api-request-token.provider.test.js +48 -0
package/authentication/tests/authentication.client-middleware.test.d.ts +1 -0
package/authentication/tests/authentication.client-middleware.test.js +23 -0
package/authentication/tests/authentication.client-service.test.d.ts +1 -0
package/authentication/tests/authentication.client-service.test.js +70 -0
package/authentication/tests/authentication.service.test.d.ts +1 -0
package/authentication/tests/authentication.service.test.js +186 -0
package/authentication/tests/authentication.test-ancillary-service.d.ts +9 -0
package/authentication/tests/authentication.test-ancillary-service.js +27 -0
package/authentication/tests/helper.test.d.ts +1 -0
package/authentication/tests/helper.test.js +107 -0
package/authentication/tests/secret-requirements.error.test.d.ts +1 -0
package/authentication/tests/secret-requirements.error.test.js +14 -0
package/authentication/tests/subject.service.test.d.ts +1 -0
package/authentication/tests/subject.service.test.js +140 -0
package/circuit-breaker/postgres/drizzle/meta/0000_snapshot.json +1 -1
package/circuit-breaker/postgres/drizzle/meta/_journal.json +2 -2
package/circuit-breaker/postgres/module.d.ts +7 -1
package/circuit-breaker/postgres/module.js +8 -6
package/circuit-breaker/tests/circuit-breaker.test.js +2 -22
package/document-management/api/document-management.api.js +2 -6
package/document-management/server/services/document-validation.service.js +6 -5
package/document-management/server/services/document-workflow.service.js +5 -5
package/document-management/service-models/document-folders.view-model.d.ts +5 -2
package/document-management/service-models/document-folders.view-model.js +42 -9
package/document-management/service-models/enriched/enriched-document-management-data.view.js +1 -1
package/examples/document-management/main.js +4 -4
package/http/client/adapters/undici.adapter.d.ts +7 -5
package/http/client/adapters/undici.adapter.js +13 -10
package/http/client/module.d.ts +3 -1
package/http/client/module.js +8 -9
package/http/server/http-server.d.ts +2 -0
package/http/server/node/module.d.ts +6 -2
package/http/server/node/module.js +6 -4
package/http/server/node/node-http-server.d.ts +2 -0
package/http/server/node/node-http-server.js +7 -0
package/http/types.d.ts +1 -1
package/key-value-store/postgres/module.d.ts +7 -1
package/key-value-store/postgres/module.js +7 -3
package/lock/postgres/lock.js +0 -1
package/lock/postgres/module.d.ts +7 -1
package/lock/postgres/module.js +9 -5
package/logger/formatter.d.ts +2 -0
package/logger/formatters/json.js +2 -2
package/logger/formatters/pretty-print.js +8 -10
package/logger/logger.d.ts +1 -1
package/logger/logger.js +15 -12
package/message-bus/local/module.d.ts +5 -2
package/message-bus/local/module.js +5 -4
package/module/module.d.ts +2 -1
package/module/module.js +3 -0
package/module/modules/web-server.module.d.ts +11 -6
package/module/modules/web-server.module.js +15 -10
package/orm/decorators.d.ts +24 -1
package/orm/decorators.js +40 -4
package/orm/index.d.ts +1 -1
package/orm/index.js +1 -1
package/orm/query/base.d.ts +17 -17
package/orm/query/base.js +1 -1
package/orm/repository.types.d.ts +46 -2
package/orm/schemas/tsvector.js +1 -1
package/orm/server/drizzle/schema-converter.d.ts +3 -1
package/orm/server/drizzle/schema-converter.js +120 -14
package/orm/server/index.d.ts +1 -0
package/orm/server/index.js +1 -0
package/orm/server/module.d.ts +4 -2
package/orm/server/module.js +6 -5
package/orm/server/query-converter.d.ts +6 -3
package/orm/server/query-converter.js +33 -21
package/orm/server/repository-config.d.ts +8 -0
package/orm/server/repository-config.js +8 -0
package/orm/server/repository.d.ts +117 -43
package/orm/server/repository.js +758 -254
package/orm/server/transaction.d.ts +4 -2
package/orm/server/transaction.js +14 -5
package/orm/server/transactional.d.ts +6 -2
package/orm/server/transactional.js +39 -9
package/orm/server/types.d.ts +2 -0
package/orm/sqls/case-when.d.ts +25 -0
package/orm/sqls/case-when.js +54 -0
package/orm/sqls/index.d.ts +2 -0
package/orm/sqls/index.js +2 -0
package/orm/{sqls.d.ts → sqls/sqls.d.ts} +67 -19
package/orm/{sqls.js → sqls/sqls.js} +116 -22
package/orm/tests/data-types.test.d.ts +1 -0
package/orm/tests/data-types.test.js +39 -0
package/orm/tests/decorators.test.d.ts +1 -0
package/orm/tests/decorators.test.js +77 -0
package/orm/tests/encryption.test.d.ts +1 -0
package/orm/tests/encryption.test.js +34 -0
package/orm/tests/query-complex.test.d.ts +1 -0
package/orm/tests/query-complex.test.js +203 -0
package/orm/tests/query-converter-complex.test.d.ts +1 -0
package/orm/tests/query-converter-complex.test.js +126 -0
package/orm/tests/query-converter.test.d.ts +1 -0
package/orm/tests/query-converter.test.js +123 -0
package/orm/tests/repository-advanced.test.d.ts +1 -0
package/orm/tests/repository-advanced.test.js +232 -0
package/orm/tests/repository-attributes.test.d.ts +1 -0
package/orm/tests/repository-attributes.test.js +99 -0
package/orm/tests/repository-comprehensive.test.d.ts +1 -0
package/orm/tests/repository-comprehensive.test.js +187 -0
package/orm/tests/repository-coverage.test.d.ts +1 -0
package/orm/tests/repository-coverage.test.js +303 -0
package/orm/tests/repository-cti-complex.test.d.ts +1 -0
package/orm/tests/repository-cti-complex.test.js +170 -0
package/orm/tests/repository-cti-embedded.test.d.ts +1 -0
package/orm/tests/repository-cti-embedded.test.js +188 -0
package/orm/tests/repository-cti-extensive.test.d.ts +1 -0
package/orm/tests/repository-cti-extensive.test.js +308 -0
package/orm/tests/repository-cti-mapping.test.d.ts +1 -0
package/orm/tests/repository-cti-mapping.test.js +121 -0
package/orm/tests/repository-cti-search.test.d.ts +1 -0
package/orm/tests/repository-cti-search.test.js +152 -0
package/orm/tests/repository-cti-soft-delete.test.d.ts +1 -0
package/orm/tests/repository-cti-soft-delete.test.js +115 -0
package/orm/tests/repository-cti-transactions.test.d.ts +1 -0
package/orm/tests/repository-cti-transactions.test.js +126 -0
package/orm/tests/repository-cti-upsert-many.test.d.ts +1 -0
package/orm/tests/repository-cti-upsert-many.test.js +127 -0
package/orm/tests/repository-cti.test.d.ts +1 -0
package/orm/tests/repository-cti.test.js +456 -0
package/orm/tests/repository-edge-cases.test.d.ts +1 -0
package/orm/tests/repository-edge-cases.test.js +216 -0
package/orm/tests/repository-expiration.test.d.ts +1 -0
package/orm/tests/repository-expiration.test.js +153 -0
package/orm/tests/repository-extra-coverage.test.d.ts +1 -0
package/orm/tests/repository-extra-coverage.test.js +546 -0
package/orm/tests/repository-mapping.test.d.ts +1 -0
package/orm/tests/repository-mapping.test.js +71 -0
package/orm/tests/repository-regression.test.d.ts +1 -0
package/orm/tests/repository-regression.test.js +330 -0
package/orm/tests/repository-search-coverage.test.d.ts +1 -0
package/orm/tests/repository-search-coverage.test.js +129 -0
package/orm/tests/repository-search.test.d.ts +1 -0
package/orm/tests/repository-search.test.js +116 -0
package/orm/tests/repository-soft-delete.test.d.ts +1 -0
package/orm/tests/repository-soft-delete.test.js +143 -0
package/orm/tests/repository-transactions-nested.test.d.ts +1 -0
package/orm/tests/repository-transactions-nested.test.js +202 -0
package/orm/tests/repository-types.test.d.ts +1 -0
package/orm/tests/repository-types.test.js +218 -0
package/orm/tests/schema-converter.test.d.ts +1 -0
package/orm/tests/schema-converter.test.js +81 -0
package/orm/tests/schema-generation.test.d.ts +1 -0
package/orm/tests/schema-generation.test.js +127 -0
package/orm/tests/sql-helpers.test.d.ts +1 -0
package/orm/tests/sql-helpers.test.js +67 -0
package/orm/tests/transaction-safety.test.d.ts +1 -0
package/orm/tests/transaction-safety.test.js +81 -0
package/orm/tests/transactional.test.d.ts +1 -0
package/orm/tests/transactional.test.js +224 -0
package/orm/tests/utils.test.d.ts +1 -0
package/orm/tests/utils.test.js +70 -0
package/orm/utils.d.ts +7 -0
package/orm/utils.js +26 -6
package/package.json +12 -7
package/pool/pool.js +1 -1
package/rate-limit/index.d.ts +2 -0
package/rate-limit/index.js +2 -0
package/rate-limit/postgres/drizzle/0000_watery_rage.sql +7 -0
package/{queue → rate-limit}/postgres/drizzle/meta/0000_snapshot.json +14 -39
package/rate-limit/postgres/drizzle/meta/_journal.json +13 -0
package/{queue → rate-limit}/postgres/drizzle.config.js +1 -1
package/rate-limit/postgres/index.d.ts +4 -0
package/rate-limit/postgres/index.js +4 -0
package/rate-limit/postgres/module.d.ts +12 -0
package/rate-limit/postgres/module.js +28 -0
package/rate-limit/postgres/postgres-rate-limiter.d.ts +9 -0
package/rate-limit/postgres/postgres-rate-limiter.js +56 -0
package/rate-limit/postgres/rate-limit.model.d.ts +8 -0
package/rate-limit/postgres/rate-limit.model.js +35 -0
package/rate-limit/postgres/rate-limiter.provider.d.ts +6 -0
package/rate-limit/postgres/rate-limiter.provider.js +21 -0
package/rate-limit/postgres/schemas.d.ts +3 -0
package/rate-limit/postgres/schemas.js +4 -0
package/rate-limit/provider.d.ts +9 -0
package/rate-limit/provider.js +2 -0
package/rate-limit/rate-limiter.d.ts +35 -0
package/rate-limit/rate-limiter.js +3 -0
package/rate-limit/tests/postgres-rate-limiter.test.d.ts +1 -0
package/rate-limit/tests/postgres-rate-limiter.test.js +92 -0
package/signals/implementation/configure.d.ts +3 -0
package/signals/implementation/configure.js +3 -0
package/sse/data-stream-source.d.ts +1 -1
package/sse/data-stream-source.js +6 -6
package/task-queue/enqueue-batch.d.ts +17 -0
package/task-queue/enqueue-batch.js +24 -0
package/{queue → task-queue}/index.d.ts +1 -1
package/{queue → task-queue}/index.js +1 -1
package/task-queue/postgres/drizzle/0000_thin_black_panther.sql +74 -0
package/task-queue/postgres/drizzle/meta/0000_snapshot.json +592 -0
package/task-queue/postgres/drizzle/meta/_journal.json +13 -0
package/task-queue/postgres/drizzle.config.d.ts +2 -0
package/task-queue/postgres/drizzle.config.js +11 -0
package/task-queue/postgres/index.d.ts +4 -0
package/task-queue/postgres/index.js +4 -0
package/task-queue/postgres/module.d.ts +12 -0
package/task-queue/postgres/module.js +28 -0
package/task-queue/postgres/schemas.d.ts +16 -0
package/task-queue/postgres/schemas.js +8 -0
package/task-queue/postgres/task-queue.d.ts +83 -0
package/task-queue/postgres/task-queue.js +1054 -0
package/task-queue/postgres/task-queue.provider.d.ts +7 -0
package/{queue/postgres/queue.provider.js → task-queue/postgres/task-queue.provider.js} +8 -8
package/task-queue/postgres/task.model.d.ts +39 -0
package/task-queue/postgres/task.model.js +178 -0
package/{queue → task-queue}/provider.d.ts +3 -3
package/task-queue/provider.js +2 -0
package/{queue → task-queue}/task-context.d.ts +7 -7
package/{queue → task-queue}/task-context.js +8 -8
package/{queue/queue.d.ts → task-queue/task-queue.d.ts} +128 -59
package/task-queue/task-queue.js +200 -0
package/task-queue/tests/complex.test.d.ts +1 -0
package/task-queue/tests/complex.test.js +299 -0
package/task-queue/tests/dependencies.test.d.ts +1 -0
package/task-queue/tests/dependencies.test.js +174 -0
package/task-queue/tests/queue.test.d.ts +1 -0
package/task-queue/tests/queue.test.js +334 -0
package/task-queue/tests/worker.test.d.ts +1 -0
package/task-queue/tests/worker.test.js +163 -0
package/test1.js +1 -1
package/test4.js +2 -2
package/unit-test/index.d.ts +1 -0
package/unit-test/index.js +1 -0
package/unit-test/integration-setup.d.ts +55 -0
package/unit-test/integration-setup.js +182 -0
package/utils/patterns.d.ts +3 -0
package/utils/patterns.js +6 -1
package/audit/drizzle/0001_previous_network.sql +0 -2
package/audit/drizzle/meta/0001_snapshot.json +0 -195
package/queue/enqueue-batch.d.ts +0 -17
package/queue/enqueue-batch.js +0 -18
package/queue/postgres/drizzle/0000_zippy_moondragon.sql +0 -11
package/queue/postgres/drizzle/0001_certain_wild_pack.sql +0 -2
package/queue/postgres/drizzle/0002_dear_meggan.sql +0 -2
package/queue/postgres/drizzle/0003_tricky_venom.sql +0 -30
package/queue/postgres/drizzle/meta/0001_snapshot.json +0 -103
package/queue/postgres/drizzle/meta/0002_snapshot.json +0 -90
package/queue/postgres/drizzle/meta/0003_snapshot.json +0 -288
package/queue/postgres/drizzle/meta/_journal.json +0 -34
package/queue/postgres/index.d.ts +0 -4
package/queue/postgres/index.js +0 -4
package/queue/postgres/module.d.ts +0 -9
package/queue/postgres/module.js +0 -29
package/queue/postgres/queue.d.ts +0 -60
package/queue/postgres/queue.js +0 -681
package/queue/postgres/queue.provider.d.ts +0 -7
package/queue/postgres/schemas.d.ts +0 -14
package/queue/postgres/schemas.js +0 -6
package/queue/postgres/task.model.d.ts +0 -24
package/queue/postgres/task.model.js +0 -115
package/queue/provider.js +0 -2
package/queue/queue.js +0 -131
package/queue/tests/queue.test.js +0 -623
package/test3.d.ts +0 -1
package/test3.js +0 -47
/package/{queue/tests/queue.test.d.ts → api/server/tests/csrf.middleware.test.d.ts} +0 -0
/package/circuit-breaker/postgres/drizzle/{0000_hard_shocker.sql → 0000_cooing_korath.sql} +0 -0
/package/{queue → rate-limit}/postgres/drizzle.config.d.ts +0 -0

package/ai/genkit/helpers.d.ts CHANGED Viewed

@@ -1,10 +1,12 @@
 import type { GenerateOptions, z } from 'genkit';
+import { type SchemaConversionOptions } from '../../schema/converters/zod-v3-converter.js';
 import type { SchemaTestable } from '../../schema/index.js';
 import type { TypedOmit } from '../../types/types.js';
 export type TstdlGenkitGenerationOptions<T, O extends z.ZodTypeAny> = TypedOmit<GenerateOptions<z.ZodType<NoInfer<T>>, O>, 'output'> & {
     output?: TypedOmit<NonNullable<GenerateOptions['output']>, 'schema'> & {
         schema?: SchemaTestable<T>;
+        schemaOptions?: SchemaConversionOptions;
     };
 };
-export declare function convertToGenkitSchema<T>(schema: SchemaTestable<T>): z.ZodType<T>;
+export declare function convertToGenkitSchema<T>(schema: SchemaTestable<T>, options?: SchemaConversionOptions): z.ZodType<T>;
 export declare function genkitGenerationOptions<T, O extends z.ZodTypeAny>(options: TstdlGenkitGenerationOptions<T, O>): GenerateOptions<z.ZodType<T>, z.ZodType<O>>;

package/ai/genkit/helpers.js CHANGED Viewed

@@ -1,14 +1,14 @@
 import { convertToZodV3Schema } from '../../schema/converters/zod-v3-converter.js';
 import { isDefined } from '../../utils/type-guards.js';
-export function convertToGenkitSchema(schema) {
-    return convertToZodV3Schema(schema); // eslint-disable-line @typescript-eslint/no-unsafe-return
+export function convertToGenkitSchema(schema, options) {
+    return convertToZodV3Schema(schema, options); // eslint-disable-line @typescript-eslint/no-unsafe-return
 }
 export function genkitGenerationOptions(options) {
     return {
         ...options,
         output: {
             ...options.output,
-            schema: isDefined(options.output?.schema) ? convertToGenkitSchema(options.output.schema) : undefined,
+            schema: isDefined(options.output?.schema) ? convertToGenkitSchema(options.output.schema, options.output.schemaOptions) : undefined,
         },
     };
 }

package/api/server/gateway.d.ts CHANGED Viewed

@@ -6,6 +6,7 @@ import type { Type } from '../../types/index.js';
 import { type AsyncMiddleware, type AsyncMiddlewareNext } from '../../utils/middleware.js';
 import { type ApiController, type ApiDefinition, type ApiEndpointDefinition, type ApiEndpointMethod, type ApiEndpointServerImplementation } from '../types.js';
 import type { CorsMiddlewareOptions } from './middlewares/cors.middleware.js';
+import { type CsrfMiddlewareOptions } from './middlewares/index.js';
 export type ApiGatewayMiddlewareContext = {
     readonly api: ApiItem;
     /** can be undefined if used before allowedMethods middleware */
@@ -28,6 +29,8 @@ export declare abstract class ApiGatewayOptions {
     supressedErrors?: Type<Error>[];
     /** Cors middleware options */
     cors?: CorsMiddlewareOptions;
+    /** Csrf middleware options */
+    csrf?: CsrfMiddlewareOptions;
     /**
      * Maximum size of request body. Useful to prevent harmful requests.
      * @default 10 MB

package/api/server/gateway.js CHANGED Viewed

@@ -35,7 +35,7 @@ import { normalizedApiDefinitionEndpointsEntries } from '../types.js';
 import { getFullApiEndpointResource } from '../utils.js';
 import { ApiRequestTokenProvider } from './api-request-token.provider.js';
 import { handleApiError } from './error-handler.js';
-import { allowedMethodsMiddleware, contentTypeMiddleware, corsMiddleware, getCatchErrorMiddleware, responseTimeMiddleware } from './middlewares/index.js';
+import { allowedMethodsMiddleware, contentTypeMiddleware, corsMiddleware, csrfMiddleware, getCatchErrorMiddleware, responseTimeMiddleware } from './middlewares/index.js';
 import { API_MODULE_OPTIONS } from './tokens.js';
 const defaultMaxBytes = 10 * mebibyte;
 export class ApiGatewayOptions {
@@ -50,6 +50,8 @@ export class ApiGatewayOptions {
     supressedErrors;
     /** Cors middleware options */
     cors;
+    /** Csrf middleware options */
+    csrf;
     /**
      * Maximum size of request body. Useful to prevent harmful requests.
      * @default 10 MB
@@ -162,7 +164,16 @@ let ApiGateway = ApiGateway_1 = class ApiGateway {
         throw new NotFoundError(`Resource ${resource.pathname} not available.`);
     }
     updateMiddleware() {
-        const middlewares = [responseTimeMiddleware, contentTypeMiddleware, this.#catchErrorMiddleware, corsMiddleware(this.#options.cors), allowedMethodsMiddleware, ...this.#middlewares, async (context, next) => await this.endpointMiddleware(context, next)];
+        const middlewares = [
+            responseTimeMiddleware,
+            contentTypeMiddleware,
+            this.#catchErrorMiddleware,
+            corsMiddleware(this.#options.cors),
+            csrfMiddleware(this.#options.csrf),
+            allowedMethodsMiddleware,
+            ...this.#middlewares,
+            async (context, next) => await this.endpointMiddleware(context, next)
+        ];
         this.#composedMiddleware = composeAsyncMiddleware(middlewares);
     }
     async endpointMiddleware(context, next) {
@@ -198,9 +209,9 @@ let ApiGateway = ApiGateway_1 = class ApiGateway {
                 return auditor.fork(context.api.resource)
                     .withCorrelation()
                     .with({
-                    actorType: isNotNull(token) ? ActorType.User : ActorType.Anonymous,
+                    actorType: isNotNull(token) ? ActorType.Subject : ActorType.Anonymous,
                     actor: token?.payload.subject ?? NIL_UUID,
-                    impersonatorType: isNotNullOrUndefined(token?.payload.impersonator) ? ActorType.User : null,
+                    impersonatorType: isNotNullOrUndefined(token?.payload.impersonator) ? ActorType.Subject : null,
                     impersonator: token?.payload.impersonator ?? null,
                     network: {
                         path: context.request.url.pathname,

package/api/server/middlewares/catch-error.middleware.js CHANGED Viewed

@@ -1,13 +1,11 @@
 import { handleApiError } from '../error-handler.js';
 export function getCatchErrorMiddleware(supressedErrors, logger) {
-    // eslint-disable-next-line @typescript-eslint/no-shadow
-    async function catchErrorMiddleware(context, next) {
+    return async function catchErrorMiddleware(context, next) {
         try {
             await next();
         }
         catch (error) {
             handleApiError(error, context.response, supressedErrors, logger);
         }
-    }
-    return catchErrorMiddleware;
+    };
 }

package/api/server/middlewares/cors.middleware.js CHANGED Viewed

@@ -2,7 +2,7 @@ import { resolveApiEndpointDataProvider } from '../../../api/types.js';
 import { toArray } from '../../../utils/array/array.js';
 import { isDefined } from '../../../utils/type-guards.js';
 export function corsMiddleware(options = {}) {
-    async function corsMiddleware(context, next) {
+    return async function corsMiddleware(context, next) {
         try {
             await next();
         }
@@ -49,6 +49,5 @@ export function corsMiddleware(options = {}) {
                 }
             }
         }
-    }
-    return corsMiddleware;
+    };
 }

package/api/server/middlewares/csrf.middleware.d.ts ADDED Viewed

@@ -0,0 +1,41 @@
+import type { ApiGatewayMiddleware } from '../gateway.js';
+export interface CsrfMiddlewareOptions {
+    /**
+     * List of additional hostnames to trust (e.g. 'api.example.com').
+     */
+    trustedHosts?: string[];
+    /**
+     * Whether to allow `Sec-Fetch-Site: same-site`.
+     * If false, only `same-origin` is accepted via Fetch Metadata.
+     * Disable this if you host untrusted content on subdomains.
+     * @default true
+     */
+    allowFetchSiteSameSite?: boolean;
+    /**
+     * Whether to allow requests with `Sec-Fetch-Site: none`.
+     * Useful for user-initiated actions like clicking a link or bookmark opening an app.
+     * @default false
+     */
+    allowFetchSiteNone?: boolean;
+    /**
+     * Whether to trust the `X-Forwarded-Host` header.
+     * Enable this when running behind a reverse proxy (e.g., Nginx, AWS ALB).
+     * @default false
+     */
+    trustProxy?: boolean;
+}
+/**
+ * Creates a middleware for Stateless CSRF Protection using Fetch Metadata and Origin headers.
+ *
+ * This middleware verifies that mutating requests (POST, PUT, DELETE, PATCH) originate from a trusted source.
+ * It uses the following strategy:
+ * 1. Allows "safe" HTTP methods (GET, HEAD, OPTIONS, TRACE).
+ * 2. Validates the `Sec-Fetch-Site` header if present.
+ * 3. Falls back to validating the `Origin` header against the resolved Host.
+ * 4. Falls back to validating the `Referer` header against the resolved Host.
+ * 5. Allows requests that lack all standard headers (assumed non-browser clients).
+ *
+ * @param options CSRF middleware options.
+ * @returns An API middleware function.
+ */
+export declare function csrfMiddleware(options?: CsrfMiddlewareOptions): ApiGatewayMiddleware;

package/api/server/middlewares/csrf.middleware.js ADDED Viewed

@@ -0,0 +1,108 @@
+import { ForbiddenError } from '../../../errors/forbidden.error.js';
+import { isNotNullOrUndefined, isNull, isNullOrUndefined, isString } from '../../../utils/type-guards.js';
+const safeMethods = new Set(['GET', 'HEAD', 'OPTIONS', 'TRACE']);
+/**
+ * Creates a middleware for Stateless CSRF Protection using Fetch Metadata and Origin headers.
+ *
+ * This middleware verifies that mutating requests (POST, PUT, DELETE, PATCH) originate from a trusted source.
+ * It uses the following strategy:
+ * 1. Allows "safe" HTTP methods (GET, HEAD, OPTIONS, TRACE).
+ * 2. Validates the `Sec-Fetch-Site` header if present.
+ * 3. Falls back to validating the `Origin` header against the resolved Host.
+ * 4. Falls back to validating the `Referer` header against the resolved Host.
+ * 5. Allows requests that lack all standard headers (assumed non-browser clients).
+ *
+ * @param options CSRF middleware options.
+ * @returns An API middleware function.
+ */
+export function csrfMiddleware(options) {
+    const trustedHosts = new Set((options?.trustedHosts ?? [])
+        .map((h) => normalizeHost(h))
+        .filter(isNotNullOrUndefined));
+    const allowFetchSiteNone = options?.allowFetchSiteNone ?? false;
+    const allowFetchSiteSameSite = options?.allowFetchSiteSameSite ?? true;
+    const trustProxy = options?.trustProxy ?? false;
+    return async function csrfMiddleware(context, next) {
+        // 1. Skip safe methods
+        if (safeMethods.has(context.request.method)) {
+            return await next();
+        }
+        // 2. Set Vary headers to prevent cache poisoning on these crucial headers
+        context.response.headers.append('Vary', 'Sec-Fetch-Site, Origin, Referer');
+        const secFetchSite = context.request.headers.tryGet('Sec-Fetch-Site');
+        const origin = context.request.headers.tryGet('Origin');
+        const referer = context.request.headers.tryGet('Referer');
+        // Resolve current host
+        let rawHost = context.request.headers.tryGetSingle('Host');
+        if (trustProxy) {
+            const forwardedHost = context.request.headers.tryGetSingle('X-Forwarded-Host');
+            if (isString(forwardedHost)) {
+                // CAUTION: Ensure your proxy overwrites this header, or verify behavior
+                rawHost = forwardedHost.split(',')[0].trim();
+            }
+        }
+        const currentHost = normalizeHost(rawHost);
+        // 3. Primary Check: Fetch Metadata
+        if (isNotNullOrUndefined(secFetchSite)) {
+            if ((secFetchSite == 'same-origin')
+                || (allowFetchSiteSameSite && (secFetchSite == 'same-site'))
+                || (allowFetchSiteNone && (secFetchSite == 'none'))) {
+                return await next();
+            }
+            throw new ForbiddenError('Cross-site request blocked.');
+        }
+        // Helper to validate a URL against current host or trusted hosts
+        const isUrlTrusted = (url) => {
+            try {
+                const normalizedUrlHost = normalizeHost(url);
+                if (isNull(normalizedUrlHost)) {
+                    return false;
+                }
+                // 1. Check Explicit Trust List (Safest)
+                if (trustedHosts.has(normalizedUrlHost)) {
+                    return true;
+                }
+                // 2. Check Host Header (Fallback - Vulnerable to Host Injection)
+                if (currentHost && (normalizedUrlHost == currentHost)) {
+                    return true;
+                }
+                return false;
+            }
+            catch {
+                return false;
+            }
+        };
+        // 4. Secondary Check: Origin Header
+        if (isNotNullOrUndefined(origin)) {
+            if (isUrlTrusted(origin)) {
+                return await next();
+            }
+            throw new ForbiddenError('Cross-site request blocked.');
+        }
+        // 5. Tertiary Check: Referer Header
+        if (isNotNullOrUndefined(referer)) {
+            if (isUrlTrusted(referer)) {
+                return await next();
+            }
+            throw new ForbiddenError('Cross-site request blocked.');
+        }
+        // 6. Final Fallback: Allow requests with NO headers (Non-browser clients)
+        // Note: This relies on the assumption that browsers will always send at least
+        // one of the headers checked above for mutating requests.
+        await next();
+    };
+}
+function normalizeHost(host) {
+    if (isNullOrUndefined(host) || (host == 'null')) {
+        return null;
+    }
+    try {
+        const url = host.startsWith('http://') || host.startsWith('https://')
+            ? new URL(host)
+            : new URL(`http://${host}`);
+        return url.hostname;
+    }
+    catch {
+        return null;
+    }
+}

package/api/server/middlewares/index.d.ts CHANGED Viewed

@@ -2,4 +2,5 @@ export * from './allowed-methods.middleware.js';
 export * from './catch-error.middleware.js';
 export * from './content-type.middleware.js';
 export * from './cors.middleware.js';
+export * from './csrf.middleware.js';
 export * from './response-time.middleware.js';

package/api/server/middlewares/index.js CHANGED Viewed

@@ -2,4 +2,5 @@ export * from './allowed-methods.middleware.js';
 export * from './catch-error.middleware.js';
 export * from './content-type.middleware.js';
 export * from './cors.middleware.js';
+export * from './csrf.middleware.js';
 export * from './response-time.middleware.js';

package/api/server/module.d.ts CHANGED Viewed

@@ -1,3 +1,4 @@
+import { Injector } from '../../injector/injector.js';
 import type { Type } from '../../types/index.js';
 import { ApiRequestTokenProvider } from './api-request-token.provider.js';
 import type { ApiGatewayOptions } from './gateway.js';
@@ -6,5 +7,10 @@ export type ApiModuleOptions = {
     requestTokenProvider?: Type<ApiRequestTokenProvider>;
     gatewayOptions?: ApiGatewayOptions;
 };
-export declare const apiModuleOptions: ApiModuleOptions;
-export declare function configureApiServer(options: Partial<ApiModuleOptions>): void;
+/**
+ * configure api server module
+ * @param options module configuration
+ */
+export declare function configureApiServer({ injector, ...options }?: Partial<ApiModuleOptions> & {
+    injector?: Injector;
+}): void;

package/api/server/module.js CHANGED Viewed

@@ -3,19 +3,25 @@ import { isDefined } from '../../utils/type-guards.js';
 import { ensureApiController } from './api-controller.js';
 import { ApiRequestTokenProvider } from './api-request-token.provider.js';
 import { API_CONTROLLER, API_MODULE_OPTIONS } from './tokens.js';
-export const apiModuleOptions = {
-    controllers: [],
-};
-export function configureApiServer(options) {
+/**
+ * configure api server module
+ * @param options module configuration
+ */
+export function configureApiServer({ injector, ...options } = {}) {
+    const targetInjector = injector ?? Injector;
     if (isDefined(options.controllers)) {
         for (const controller of options.controllers) {
             ensureApiController(controller);
-            Injector.register(API_CONTROLLER, { useToken: controller }, { multi: true });
+            targetInjector.register(API_CONTROLLER, { useToken: controller }, { multi: true });
         }
     }
     if (isDefined(options.requestTokenProvider)) {
-        Injector.register(ApiRequestTokenProvider, { useToken: options.requestTokenProvider });
+        targetInjector.register(ApiRequestTokenProvider, { useToken: options.requestTokenProvider });
     }
-    apiModuleOptions.gatewayOptions = options.gatewayOptions ?? apiModuleOptions.gatewayOptions;
-    Injector.register(API_MODULE_OPTIONS, { useValue: apiModuleOptions });
+    const moduleOptions = {
+        controllers: options.controllers ?? [],
+        gatewayOptions: options.gatewayOptions,
+        requestTokenProvider: options.requestTokenProvider,
+    };
+    targetInjector.register(API_MODULE_OPTIONS, { useValue: moduleOptions });
 }

package/api/server/tests/csrf.middleware.test.js ADDED Viewed

@@ -0,0 +1,91 @@
+import { ForbiddenError } from '../../../errors/index.js';
+import { HttpHeaders } from '../../../http/http-headers.js';
+import { HttpServerResponse } from '../../../http/server/index.js';
+import { toArray } from '../../../utils/array/array.js';
+import { describe, expect, it, vi } from 'vitest';
+import { csrfMiddleware } from '../middlewares/csrf.middleware.js';
+describe('csrfMiddleware', () => {
+    const middleware = csrfMiddleware();
+    it('should allow safe methods (GET, HEAD, OPTIONS, TRACE)', async () => {
+        const safeMethods = ['GET', 'HEAD', 'OPTIONS', 'TRACE'];
+        for (const method of safeMethods) {
+            const context = {
+                request: { method, headers: new HttpHeaders() },
+                response: new HttpServerResponse(),
+            };
+            const next = vi.fn();
+            await middleware(context, next);
+            expect(next).toHaveBeenCalled();
+        }
+    });
+    it('should allow mutating methods (POST, PUT, DELETE, PATCH) without headers (non-browser client)', async () => {
+        const mutatingMethods = ['POST', 'PUT', 'DELETE', 'PATCH'];
+        for (const method of mutatingMethods) {
+            const context = {
+                request: { method, headers: new HttpHeaders() },
+                response: new HttpServerResponse(),
+            };
+            const next = vi.fn();
+            await middleware(context, next);
+            expect(next).toHaveBeenCalled();
+        }
+    });
+    it('should allow same-origin requests via Sec-Fetch-Site', async () => {
+        const headers = new HttpHeaders();
+        headers.set('Sec-Fetch-Site', 'same-origin');
+        const context = {
+            request: { method: 'POST', headers },
+            response: new HttpServerResponse(),
+        };
+        const next = vi.fn();
+        await middleware(context, next);
+        expect(next).toHaveBeenCalled();
+    });
+    it('should allow user-initiated requests via Sec-Fetch-Site (none) when enabled', async () => {
+        const middlewareWithNone = csrfMiddleware({ allowFetchSiteNone: true });
+        const headers = new HttpHeaders();
+        headers.set('Sec-Fetch-Site', 'none');
+        const context = {
+            request: { method: 'POST', headers },
+            response: new HttpServerResponse(),
+        };
+        const next = vi.fn();
+        await middlewareWithNone(context, next);
+        expect(next).toHaveBeenCalled();
+    });
+    it('should reject cross-site requests via Sec-Fetch-Site', async () => {
+        const headers = new HttpHeaders();
+        headers.set('Sec-Fetch-Site', 'cross-site');
+        const context = {
+            request: { method: 'POST', headers },
+            response: new HttpServerResponse(),
+        };
+        const next = vi.fn();
+        await expect(middleware(context, next)).rejects.toThrow(ForbiddenError);
+        expect(next).not.toHaveBeenCalled();
+    });
+    it('should allow same-origin requests via Origin fallback', async () => {
+        const headers = new HttpHeaders();
+        headers.set('Origin', 'http://localhost:8080');
+        headers.set('Host', 'localhost:8080');
+        const context = {
+            request: { method: 'POST', headers },
+            response: new HttpServerResponse(),
+        };
+        const next = vi.fn();
+        await middleware(context, next);
+        expect(next).toHaveBeenCalled();
+    });
+    it('should include Vary: Sec-Fetch-Site, Origin for mutating methods', async () => {
+        const context = {
+            request: { method: 'POST', headers: new HttpHeaders() },
+            response: new HttpServerResponse(),
+        };
+        const next = vi.fn();
+        await middleware(context, next);
+        const vary = context.response.headers.tryGet('Vary');
+        const varyArray = toArray(vary).flatMap((v) => v.split(',').map((s) => s.trim()));
+        expect(varyArray).toContain('Sec-Fetch-Site');
+        expect(varyArray).toContain('Origin');
+    });
+});

package/audit/drizzle/{0000_bored_stick.sql → 0000_lumpy_thunderball.sql} RENAMED Viewed

@@ -1,4 +1,4 @@
-CREATE TYPE "audit"."actor_type" AS ENUM('anonymous', 'system', 'api-key', 'user');--> statement-breakpoint
+CREATE TYPE "audit"."actor_type" AS ENUM('anonymous', 'system', 'api-key', 'subject');--> statement-breakpoint
 CREATE TYPE "audit"."audit_outcome" AS ENUM('pending', 'success', 'cancelled', 'failure', 'denied');--> statement-breakpoint
 CREATE TYPE "audit"."audit_severity" AS ENUM('info', 'warn', 'error', 'critical');--> statement-breakpoint
 CREATE TABLE "audit"."event" (
@@ -11,12 +11,12 @@ CREATE TABLE "audit"."event" (
 	"outcome" "audit"."audit_outcome" NOT NULL,
 	"severity" "audit"."audit_severity" NOT NULL,
 	"actor_type" "audit"."actor_type" NOT NULL,
-	"actor" text NOT NULL,
+	"actor" text,
 	"impersonator_type" "audit"."actor_type",
 	"impersonator" text,
 	"target_type" text NOT NULL,
 	"target_id" uuid NOT NULL,
-	"network_path" text NOT NULL,
+	"network_path" text,
 	"network_ip_address" text,
 	"network_user_agent" text,
 	"network_session_id" uuid,

package/audit/drizzle/meta/0000_snapshot.json CHANGED Viewed

@@ -1,5 +1,5 @@
 {
-  "id": "8f6c87f8-1692-49bd-9bd4-09dc9d0bdcd4",
+  "id": "e6910cc2-1674-462e-be27-f94e3372393f",
   "prevId": "00000000-0000-0000-0000-000000000000",
   "version": "7",
   "dialect": "postgresql",
@@ -70,7 +70,7 @@
           "name": "actor",
           "type": "text",
           "primaryKey": false,
-          "notNull": true
+          "notNull": false
         },
         "impersonator_type": {
           "name": "impersonator_type",
@@ -101,7 +101,7 @@
           "name": "network_path",
           "type": "text",
           "primaryKey": false,
-          "notNull": true
+          "notNull": false
         },
         "network_ip_address": {
           "name": "network_ip_address",
@@ -157,7 +157,7 @@
         "anonymous",
         "system",
         "api-key",
-        "user"
+        "subject"
       ]
     },
     "audit.audit_outcome": {

package/audit/drizzle/meta/_journal.json CHANGED Viewed

@@ -5,15 +5,8 @@
     {
       "idx": 0,
       "version": "7",
-      "when": 1758041172363,
-      "tag": "0000_bored_stick",
-      "breakpoints": true
-    },
-    {
-      "idx": 1,
-      "version": "7",
-      "when": 1762968766536,
-      "tag": "0001_previous_network",
+      "when": 1768666123825,
+      "tag": "0000_lumpy_thunderball",
       "breakpoints": true
     }
   ]

package/audit/module.d.ts CHANGED Viewed

@@ -1,3 +1,4 @@
+import { Injector } from '../injector/index.js';
 import { type DatabaseConfig } from '../orm/server/index.js';
 /**
  * Configuration for {@link configureAudit}.
@@ -13,7 +14,9 @@ export declare class AuditModuleConfig {
  * Configures audit server services.
  * @param config Configuration.
  */
-export declare function configureAudit(config: AuditModuleConfig): void;
+export declare function configureAudit({ injector, ...config }?: AuditModuleConfig & {
+    injector?: Injector;
+}): void;
 /**
  * Migrates the audit database schema to the latest version.
  * It uses the database connection provided with {@link configureAudit},

package/audit/module.js CHANGED Viewed

@@ -14,8 +14,9 @@ export class AuditModuleConfig {
  * Configures audit server services.
  * @param config Configuration.
  */
-export function configureAudit(config) {
-    Injector.register(AuditModuleConfig, { useValue: config });
+export function configureAudit({ injector, ...config } = {}) {
+    const targetInjector = injector ?? Injector;
+    targetInjector.register(AuditModuleConfig, { useValue: config });
 }
 /**
  * Migrates the audit database schema to the latest version.

package/audit/schemas.d.ts CHANGED Viewed

@@ -17,6 +17,6 @@ export declare const actorType: import("../orm/enums.js").PgEnumFromEnumeration<
     readonly Anonymous: "anonymous";
     readonly System: "system";
     readonly ApiKey: "api-key";
-    readonly User: "user";
+    readonly Subject: "subject";
 }>;
 export declare const auditEvent: import("../orm/server/types.js").PgTableFromType<typeof AuditEvent, "audit">;

package/audit/types.d.ts CHANGED Viewed

@@ -18,6 +18,6 @@ export declare const ActorType: {
     readonly Anonymous: "anonymous";
     readonly System: "system";
     readonly ApiKey: "api-key";
-    readonly User: "user";
+    readonly Subject: "subject";
 };
 export type ActorType = EnumType<typeof ActorType>;

package/audit/types.js CHANGED Viewed

@@ -16,5 +16,5 @@ export const ActorType = defineEnum('ActorType', {
     Anonymous: 'anonymous',
     System: 'system',
     ApiKey: 'api-key',
-    User: 'user',
+    Subject: 'subject',
 });

package/authentication/client/authentication.service.d.ts CHANGED Viewed

@@ -27,6 +27,7 @@ export declare class AuthenticationClientService<AdditionalTokenPayload extends
     private readonly logger;
     private readonly disposeToken;
     private clockOffset;
+    private refreshLoopPromise;
     /**
      * Observable for authentication errors.
      * Emits when a refresh fails.
@@ -34,6 +35,12 @@ export declare class AuthenticationClientService<AdditionalTokenPayload extends
     readonly error$: import("rxjs").Observable<Error>;
     /** Current token */
     readonly token: import("../../signals/api.js").WritableSignal<TokenPayload<AdditionalTokenPayload> | undefined>;
+    /** Current raw token */
+    readonly rawToken: import("../../signals/api.js").WritableSignal<string | undefined>;
+    /** Current raw refresh token */
+    readonly rawRefreshToken: import("../../signals/api.js").WritableSignal<string | undefined>;
+    /** Current raw impersonator refresh token */
+    readonly rawImpersonatorRefreshToken: import("../../signals/api.js").WritableSignal<string | undefined>;
     /** Whether the user is logged in */
     readonly isLoggedIn: import("../../signals/api.js").Signal<boolean>;
     /** Current session id */
@@ -170,9 +177,15 @@ export declare class AuthenticationClientService<AdditionalTokenPayload extends
      * @returns The result of the check
      */
     checkSecret(secret: string): Promise<SecretCheckResult>;
+    /**
+     * Update raw tokens.
+     * @param token Raw token
+     * @param refreshToken Raw refresh token
+     * @param impersonatorRefreshToken Raw impersonator refresh token
+     */
+    updateRawTokens(token?: string, refreshToken?: string, impersonatorRefreshToken?: string): void;
     private setNewToken;
     private refreshLoop;
-    private refreshLoopIteration;
     private handleRefreshError;
     private estimatedServerTimestampSeconds;
     private syncClock;