@ursalock/server 0.2.0

package/dist/chunk-BYTMLM3Q.js

@@ -0,0 +1,1048 @@
+// src/env.ts
+import { z } from "zod";
+var numeric = z.string().transform((val) => Number.parseInt(val, 10));
+var envSchema = {
+  NODE_ENV: z.enum(["development", "production", "test"]).default("development"),
+  PORT: numeric.default("3456"),
+  /** SQLite database file path */
+  DATABASE_PATH: z.string().default("./data/vault.db"),
+  /** JWT secret for signing tokens (32+ bytes recommended) */
+  JWT_SECRET: z.string().min(32),
+  /** JWT token expiry in seconds (default: 7 days) */
+  JWT_EXPIRY: numeric.default("604800"),
+  /** Relying Party ID for WebAuthn (your domain) */
+  RP_ID: z.string().default("localhost"),
+  /** Relying Party name shown during passkey registration */
+  RP_NAME: z.string().default("zod-vault"),
+  /** Expected origin for WebAuthn (e.g., https://app.example.com) */
+  RP_ORIGIN: z.string().url().default("http://localhost:5173")
+};
+var skipEnvValidation = process.env["NODE_ENV"] === "test";
+var env = (() => {
+  if (skipEnvValidation) {
+    return Object.fromEntries(
+      Object.entries(envSchema).map(([key, schema]) => {
+        const result = schema.safeParse(process.env[key]);
+        return [key, result.success ? result.data : void 0];
+      })
+    );
+  }
+  const parsed = z.object(envSchema).safeParse(process.env);
+  if (!parsed.success) {
+    const errors2 = parsed.error.errors.map((e) => `  ${e.path.join(".")}: ${e.message}`).join("\n");
+    throw new Error(`Invalid environment variables:
+${errors2}`);
+  }
+  return parsed.data;
+})();
+
+// src/db/client.ts
+import Database from "better-sqlite3";
+
+// src/db/schema.ts
+var CREATE_TABLES_SQL = `
+-- Users table
+CREATE TABLE IF NOT EXISTS users (
+  id INTEGER PRIMARY KEY AUTOINCREMENT,
+  uid TEXT NOT NULL UNIQUE DEFAULT (lower(hex(randomblob(16)))),
+  email TEXT UNIQUE,
+  password_hash TEXT,
+  created_at INTEGER NOT NULL DEFAULT (unixepoch()),
+  updated_at INTEGER NOT NULL DEFAULT (unixepoch())
+);
+
+CREATE INDEX IF NOT EXISTS idx_users_email ON users(email);
+CREATE INDEX IF NOT EXISTS idx_users_uid ON users(uid);
+
+-- Passkeys table (WebAuthn credentials)
+CREATE TABLE IF NOT EXISTS passkeys (
+  id INTEGER PRIMARY KEY AUTOINCREMENT,
+  user_id INTEGER NOT NULL REFERENCES users(id) ON DELETE CASCADE,
+  credential_id TEXT NOT NULL UNIQUE,
+  public_key TEXT NOT NULL,
+  counter INTEGER NOT NULL DEFAULT 0,
+  device_type TEXT NOT NULL DEFAULT 'singleDevice',
+  backed_up INTEGER NOT NULL DEFAULT 0,
+  transports TEXT,
+  created_at INTEGER NOT NULL DEFAULT (unixepoch())
+);
+
+CREATE INDEX IF NOT EXISTS idx_passkeys_user_id ON passkeys(user_id);
+CREATE INDEX IF NOT EXISTS idx_passkeys_credential_id ON passkeys(credential_id);
+
+-- Sessions table
+CREATE TABLE IF NOT EXISTS sessions (
+  id INTEGER PRIMARY KEY AUTOINCREMENT,
+  user_id INTEGER NOT NULL REFERENCES users(id) ON DELETE CASCADE,
+  token_hash TEXT NOT NULL UNIQUE,
+  expires_at INTEGER NOT NULL,
+  created_at INTEGER NOT NULL DEFAULT (unixepoch())
+);
+
+CREATE INDEX IF NOT EXISTS idx_sessions_token_hash ON sessions(token_hash);
+CREATE INDEX IF NOT EXISTS idx_sessions_user_id ON sessions(user_id);
+
+-- Vaults table (encrypted blobs)
+CREATE TABLE IF NOT EXISTS vaults (
+  id INTEGER PRIMARY KEY AUTOINCREMENT,
+  uid TEXT NOT NULL UNIQUE DEFAULT (lower(hex(randomblob(16)))),
+  user_id INTEGER NOT NULL REFERENCES users(id) ON DELETE CASCADE,
+  name TEXT NOT NULL,
+  data TEXT NOT NULL,
+  salt TEXT NOT NULL,
+  version INTEGER NOT NULL DEFAULT 1,
+  created_at INTEGER NOT NULL DEFAULT (unixepoch()),
+  updated_at INTEGER NOT NULL DEFAULT (unixepoch())
+);
+
+CREATE INDEX IF NOT EXISTS idx_vaults_uid ON vaults(uid);
+CREATE INDEX IF NOT EXISTS idx_vaults_user_id ON vaults(user_id);
+CREATE UNIQUE INDEX IF NOT EXISTS idx_vaults_user_name ON vaults(user_id, name);
+`;
+
+// src/db/client.ts
+var _db = null;
+function getDb() {
+  if (!_db) {
+    _db = new Database(env.DATABASE_PATH);
+    _db.pragma("journal_mode = WAL");
+    _db.pragma("foreign_keys = ON");
+    _db.exec(CREATE_TABLES_SQL);
+  }
+  return _db;
+}
+function closeDb() {
+  if (_db) {
+    _db.close();
+    _db = null;
+  }
+}
+function createUser(input) {
+  const db = getDb();
+  const stmt = db.prepare(`
+    INSERT INTO users (email, password_hash)
+    VALUES (?, ?)
+    RETURNING id, uid, email, password_hash as passwordHash, created_at as createdAt, updated_at as updatedAt
+  `);
+  return stmt.get(input.email ?? null, input.passwordHash ?? null);
+}
+function getUserByEmail(email) {
+  const db = getDb();
+  const stmt = db.prepare(`
+    SELECT id, uid, email, password_hash as passwordHash, created_at as createdAt, updated_at as updatedAt
+    FROM users WHERE email = ?
+  `);
+  return stmt.get(email);
+}
+function createPasskey(input) {
+  const db = getDb();
+  const stmt = db.prepare(`
+    INSERT INTO passkeys (user_id, credential_id, public_key, counter, device_type, backed_up, transports)
+    VALUES (?, ?, ?, ?, ?, ?, ?)
+    RETURNING id, user_id as userId, credential_id as credentialId, public_key as publicKey,
+              counter, device_type as deviceType, backed_up as backedUp, transports, created_at as createdAt
+  `);
+  const result = stmt.get(
+    input.userId,
+    input.credentialId,
+    input.publicKey,
+    input.counter,
+    input.deviceType,
+    input.backedUp ? 1 : 0,
+    input.transports?.join(",") ?? null
+  );
+  return { ...result, backedUp: Boolean(result.backedUp) };
+}
+function getPasskeyByCredentialId(credentialId) {
+  const db = getDb();
+  const stmt = db.prepare(`
+    SELECT 
+      p.id, p.user_id as userId, p.credential_id as credentialId, p.public_key as publicKey,
+      p.counter, p.device_type as deviceType, p.backed_up as backedUp, p.transports, p.created_at as createdAt,
+      u.id as "user.id", u.uid as "user.uid", u.email as "user.email"
+    FROM passkeys p
+    JOIN users u ON p.user_id = u.id
+    WHERE p.credential_id = ?
+  `);
+  const row = stmt.get(credentialId);
+  if (!row) return void 0;
+  return {
+    id: row["id"],
+    userId: row["userId"],
+    credentialId: row["credentialId"],
+    publicKey: row["publicKey"],
+    counter: row["counter"],
+    deviceType: row["deviceType"],
+    backedUp: Boolean(row["backedUp"]),
+    transports: row["transports"],
+    createdAt: row["createdAt"],
+    user: {
+      id: row["user.id"],
+      uid: row["user.uid"],
+      email: row["user.email"],
+      passwordHash: null,
+      createdAt: 0,
+      updatedAt: 0
+    }
+  };
+}
+function getPasskeysByUserId(userId) {
+  const db = getDb();
+  const stmt = db.prepare(`
+    SELECT id, user_id as userId, credential_id as credentialId, public_key as publicKey,
+           counter, device_type as deviceType, backed_up as backedUp, transports, created_at as createdAt
+    FROM passkeys WHERE user_id = ?
+  `);
+  return stmt.all(userId).map((p) => ({ ...p, backedUp: Boolean(p.backedUp) }));
+}
+function updatePasskeyCounter(credentialId, counter) {
+  const db = getDb();
+  const stmt = db.prepare(`UPDATE passkeys SET counter = ? WHERE credential_id = ?`);
+  stmt.run(counter, credentialId);
+}
+function createSession(input) {
+  const db = getDb();
+  const stmt = db.prepare(`
+    INSERT INTO sessions (user_id, token_hash, expires_at)
+    VALUES (?, ?, ?)
+    RETURNING id, user_id as userId, token_hash as tokenHash, expires_at as expiresAt, created_at as createdAt
+  `);
+  return stmt.get(input.userId, input.tokenHash, input.expiresAt);
+}
+function getSessionByTokenHash(tokenHash) {
+  const db = getDb();
+  const stmt = db.prepare(`
+    SELECT 
+      s.id, s.user_id as userId, s.token_hash as tokenHash, s.expires_at as expiresAt, s.created_at as createdAt,
+      u.id as "user.id", u.uid as "user.uid", u.email as "user.email"
+    FROM sessions s
+    JOIN users u ON s.user_id = u.id
+    WHERE s.token_hash = ? AND s.expires_at > unixepoch()
+  `);
+  const row = stmt.get(tokenHash);
+  if (!row) return void 0;
+  return {
+    id: row["id"],
+    userId: row["userId"],
+    tokenHash: row["tokenHash"],
+    expiresAt: row["expiresAt"],
+    createdAt: row["createdAt"],
+    user: {
+      id: row["user.id"],
+      uid: row["user.uid"],
+      email: row["user.email"],
+      passwordHash: null,
+      createdAt: 0,
+      updatedAt: 0
+    }
+  };
+}
+function deleteSession(tokenHash) {
+  const db = getDb();
+  const stmt = db.prepare(`DELETE FROM sessions WHERE token_hash = ?`);
+  stmt.run(tokenHash);
+}
+function createVault(input) {
+  const db = getDb();
+  const stmt = db.prepare(`
+    INSERT INTO vaults (user_id, name, data, salt, version)
+    VALUES (?, ?, ?, ?, ?)
+    RETURNING id, uid, user_id as userId, name, data, salt, version, created_at as createdAt, updated_at as updatedAt
+  `);
+  return stmt.get(input.userId, input.name, input.data, input.salt, input.version ?? 1);
+}
+function getVaultByUid(uid, userId) {
+  const db = getDb();
+  const stmt = db.prepare(`
+    SELECT id, uid, user_id as userId, name, data, salt, version, created_at as createdAt, updated_at as updatedAt
+    FROM vaults WHERE uid = ? AND user_id = ?
+  `);
+  return stmt.get(uid, userId);
+}
+function getVaultByName(name, userId) {
+  const db = getDb();
+  const stmt = db.prepare(`
+    SELECT id, uid, user_id as userId, name, data, salt, version, created_at as createdAt, updated_at as updatedAt
+    FROM vaults WHERE name = ? AND user_id = ?
+  `);
+  return stmt.get(name, userId);
+}
+function getVaultsByUserId(userId) {
+  const db = getDb();
+  const stmt = db.prepare(`
+    SELECT id, uid, user_id as userId, name, data, salt, version, created_at as createdAt, updated_at as updatedAt
+    FROM vaults WHERE user_id = ?
+    ORDER BY updated_at DESC
+  `);
+  return stmt.all(userId);
+}
+function updateVault(uid, userId, input) {
+  const db = getDb();
+  const stmt = db.prepare(`
+    UPDATE vaults SET data = ?, salt = ?, version = COALESCE(?, version), updated_at = unixepoch()
+    WHERE uid = ? AND user_id = ?
+    RETURNING id, uid, user_id as userId, name, data, salt, version, created_at as createdAt, updated_at as updatedAt
+  `);
+  return stmt.get(input.data, input.salt, input.version ?? null, uid, userId);
+}
+function deleteVault(uid, userId) {
+  const db = getDb();
+  const stmt = db.prepare(`DELETE FROM vaults WHERE uid = ? AND user_id = ?`);
+  return stmt.run(uid, userId).changes > 0;
+}
+
+// src/features/auth/jwt.ts
+import { createHash } from "crypto";
+import { SignJWT, jwtVerify } from "jose";
+function getSecretKey() {
+  return new TextEncoder().encode(env.JWT_SECRET);
+}
+async function createToken(payload) {
+  const jti = crypto.randomUUID();
+  const jwt = new SignJWT({ email: payload.email }).setSubject(payload.userId).setJti(jti).setIssuedAt().setExpirationTime(`${env.JWT_EXPIRY}s`).setProtectedHeader({ alg: "HS256" });
+  return jwt.sign(getSecretKey());
+}
+async function verifyToken(token) {
+  try {
+    const { payload } = await jwtVerify(token, getSecretKey());
+    if (!payload.sub) {
+      return null;
+    }
+    return payload;
+  } catch {
+    return null;
+  }
+}
+function hashToken(token) {
+  return createHash("sha256").update(token).digest("hex");
+}
+
+// src/errors.ts
+import { z as z2 } from "zod";
+var ErrorCode = z2.enum([
+  // Auth errors
+  "unauthorized",
+  "invalid_credentials",
+  "email_already_exists",
+  "passkey_not_found",
+  "session_expired",
+  // Vault errors
+  "vault_not_found",
+  "vault_already_exists",
+  "invalid_vault_data",
+  // Validation errors
+  "validation_error",
+  "invalid_request",
+  // Server errors
+  "internal_error"
+]);
+var ApiException = class extends Error {
+  constructor(error, status = 400) {
+    super(error.message);
+    this.error = error;
+    this.status = status;
+    this.name = "ApiException";
+  }
+};
+var errors = {
+  // Auth errors
+  unauthorized: { code: "unauthorized", message: "Unauthorized" },
+  invalid_credentials: { code: "invalid_credentials", message: "Invalid email or password" },
+  email_already_exists: { code: "email_already_exists", message: "Email already registered" },
+  passkey_not_found: { code: "passkey_not_found", message: "Passkey not found" },
+  session_expired: { code: "session_expired", message: "Session expired" },
+  // Vault errors
+  vault_not_found: { code: "vault_not_found", message: "Vault not found" },
+  vault_already_exists: (name) => ({
+    code: "vault_already_exists",
+    message: `Vault "${name}" already exists`
+  }),
+  invalid_vault_data: { code: "invalid_vault_data", message: "Invalid vault data" },
+  // Validation errors
+  validation_error: (details) => ({
+    code: "validation_error",
+    message: details
+  }),
+  invalid_request: { code: "invalid_request", message: "Invalid request" },
+  // Server errors
+  internal_error: { code: "internal_error", message: "Internal server error" }
+};
+function getError(code, arg) {
+  const factory = errors[code];
+  if (typeof factory === "function") {
+    return factory(arg ?? "");
+  }
+  return factory;
+}
+
+// src/features/auth/middleware.ts
+import { createMiddleware } from "hono/factory";
+var optionalAuthMiddleware = createMiddleware(async (c, next) => {
+  const authHeader = c.req.header("Authorization");
+  if (!authHeader?.startsWith("Bearer ")) {
+    c.set("session", null);
+    return next();
+  }
+  const token = authHeader.slice(7);
+  const payload = await verifyToken(token);
+  if (!payload?.sub) {
+    c.set("session", null);
+    return next();
+  }
+  const tokenHash = hashToken(token);
+  const session = getSessionByTokenHash(tokenHash);
+  if (!session) {
+    c.set("session", null);
+    return next();
+  }
+  c.set("session", {
+    user: {
+      id: session.user.id,
+      uid: session.user.uid,
+      email: session.user.email
+    },
+    sessionId: session.id
+  });
+  return next();
+});
+var requireAuthMiddleware = createMiddleware(async (c, next) => {
+  const authHeader = c.req.header("Authorization");
+  if (!authHeader?.startsWith("Bearer ")) {
+    throw new ApiException(getError("unauthorized"), 401);
+  }
+  const token = authHeader.slice(7);
+  const payload = await verifyToken(token);
+  if (!payload?.sub) {
+    throw new ApiException(getError("unauthorized"), 401);
+  }
+  const tokenHash = hashToken(token);
+  const session = getSessionByTokenHash(tokenHash);
+  if (!session) {
+    throw new ApiException(getError("session_expired"), 401);
+  }
+  c.set("session", {
+    user: {
+      id: session.user.id,
+      uid: session.user.uid,
+      email: session.user.email
+    },
+    sessionId: session.id
+  });
+  return next();
+});
+
+// src/api/schemas.ts
+import { z as z3 } from "zod";
+var UserResponse = z3.object({
+  id: z3.string(),
+  email: z3.string().email().nullable(),
+  createdAt: z3.number()
+});
+var EmailRegisterRequest = z3.object({
+  email: z3.string().email(),
+  password: z3.string().min(8, "Password must be at least 8 characters")
+});
+var EmailLoginRequest = z3.object({
+  email: z3.string().email(),
+  password: z3.string().min(1)
+});
+var AuthResponse = z3.object({
+  user: UserResponse,
+  token: z3.string(),
+  recoveryKey: z3.string().optional()
+});
+var RefreshResponse = z3.object({
+  token: z3.string(),
+  expiresIn: z3.number()
+});
+var MeResponse = z3.object({
+  user: UserResponse
+});
+var PasskeyRegisterOptionsRequest = z3.object({
+  email: z3.string().email().optional()
+});
+var PasskeyRegisterVerifyRequest = z3.object({
+  email: z3.string().email().optional(),
+  credential: z3.record(z3.unknown())
+});
+var PasskeyLoginOptionsRequest = z3.object({
+  email: z3.string().email().optional()
+});
+var PasskeyLoginVerifyRequest = z3.object({
+  credential: z3.record(z3.unknown())
+});
+var PasskeyCheckResponse = z3.object({
+  hasPasskey: z3.boolean()
+});
+var CreateVaultRequest = z3.object({
+  name: z3.string().min(1).max(255),
+  data: z3.string(),
+  // Encrypted blob (base64)
+  salt: z3.string()
+  // Salt (base64)
+});
+var UpdateVaultRequest = z3.object({
+  data: z3.string(),
+  salt: z3.string(),
+  version: z3.number().optional()
+});
+var VaultResponse = z3.object({
+  uid: z3.string(),
+  name: z3.string(),
+  data: z3.string(),
+  salt: z3.string(),
+  version: z3.number(),
+  updatedAt: z3.number()
+});
+var VaultsListResponse = z3.object({
+  vaults: z3.array(VaultResponse)
+});
+
+// src/app.ts
+import { Hono as Hono4 } from "hono";
+import { cors } from "hono/cors";
+import { logger } from "hono/logger";
+import { ZodError } from "zod";
+
+// src/api/auth/router.ts
+import { createHash as createHash2, randomBytes as randomBytes2 } from "crypto";
+import { Hono as Hono2 } from "hono";
+import { zValidator as zValidator2 } from "@hono/zod-validator";
+
+// src/api/auth/passkey.ts
+import { Hono } from "hono";
+import { zValidator } from "@hono/zod-validator";
+import { z as z4 } from "zod";
+import {
+  generateRegistrationOptions,
+  verifyRegistrationResponse,
+  generateAuthenticationOptions,
+  verifyAuthenticationResponse
+} from "@simplewebauthn/server";
+
+// src/features/crypto/recovery.ts
+import { randomBytes } from "crypto";
+var BASE32_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567";
+function generateRecoveryKey() {
+  const bytes = randomBytes(32);
+  const raw = base32Encode(bytes);
+  return formatWithDashes(raw);
+}
+function base32Encode(bytes) {
+  let result = "";
+  let bits = 0;
+  let value = 0;
+  for (const byte of bytes) {
+    value = value << 8 | byte;
+    bits += 8;
+    while (bits >= 5) {
+      bits -= 5;
+      result += BASE32_ALPHABET[value >> bits & 31];
+    }
+  }
+  if (bits > 0) {
+    result += BASE32_ALPHABET[value << 5 - bits & 31];
+  }
+  return result;
+}
+function formatWithDashes(raw) {
+  const chunks = [];
+  for (let i = 0; i < raw.length; i += 4) {
+    chunks.push(raw.slice(i, i + 4));
+  }
+  return chunks.join("-");
+}
+
+// src/api/auth/passkey.ts
+var challengeStore = /* @__PURE__ */ new Map();
+setInterval(() => {
+  const now = Date.now();
+  for (const [key, value] of challengeStore) {
+    if (value.expiresAt < now) {
+      challengeStore.delete(key);
+    }
+  }
+}, 6e4);
+var PasskeyRegisterOptionsRequest2 = z4.object({
+  email: z4.string().email().optional()
+});
+var PasskeyRegisterVerifyRequest2 = z4.object({
+  email: z4.string().email().optional(),
+  credential: z4.any()
+  // RegistrationResponseJSON
+});
+var PasskeyLoginOptionsRequest2 = z4.object({
+  email: z4.string().email().optional()
+});
+var PasskeyLoginVerifyRequest2 = z4.object({
+  credential: z4.any()
+  // AuthenticationResponseJSON
+});
+var PasskeyCheckRequest = z4.object({
+  email: z4.string().email()
+});
+var passkeyRouter = new Hono().post(
+  "/register/options",
+  zValidator("json", PasskeyRegisterOptionsRequest2),
+  async (c) => {
+    const { email } = c.req.valid("json");
+    if (email) {
+      const existing = getUserByEmail(email);
+      if (existing) {
+        throw new ApiException(errors.email_already_exists, 409);
+      }
+    }
+    const tempUserId = crypto.randomUUID();
+    const options = await generateRegistrationOptions({
+      rpName: env.RP_NAME,
+      rpID: env.RP_ID,
+      userName: email ?? tempUserId,
+      userDisplayName: email ?? "Anonymous User",
+      attestationType: "none",
+      authenticatorSelection: {
+        residentKey: "preferred",
+        userVerification: "preferred",
+        authenticatorAttachment: "platform"
+      },
+      timeout: 6e4
+    });
+    const challengeKey = email ?? tempUserId;
+    challengeStore.set(challengeKey, {
+      challenge: options.challenge,
+      expiresAt: Date.now() + 12e4
+      // 2 min expiry
+    });
+    return c.json(options);
+  }
+).post(
+  "/register/verify",
+  zValidator("json", PasskeyRegisterVerifyRequest2),
+  async (c) => {
+    const { email, credential } = c.req.valid("json");
+    const response = credential;
+    const challengeKey = email ?? response.id;
+    const stored = challengeStore.get(challengeKey);
+    if (!stored) {
+      throw new ApiException(errors.invalid_credentials, 401);
+    }
+    if (email) {
+      const existing = getUserByEmail(email);
+      if (existing) {
+        throw new ApiException(errors.email_already_exists, 409);
+      }
+    }
+    try {
+      const verification = await verifyRegistrationResponse({
+        response,
+        expectedChallenge: stored.challenge,
+        expectedOrigin: env.RP_ORIGIN,
+        expectedRPID: env.RP_ID
+      });
+      if (!verification.verified || !verification.registrationInfo) {
+        throw new ApiException(errors.invalid_credentials, 401);
+      }
+      const { credentialID, credentialPublicKey, counter, credentialDeviceType, credentialBackedUp } = verification.registrationInfo;
+      const user = createUser({ email: email ?? void 0, passwordHash: void 0 });
+      createPasskey({
+        userId: user.id,
+        credentialId: credentialID,
+        publicKey: Buffer.from(credentialPublicKey).toString("base64"),
+        counter,
+        deviceType: credentialDeviceType,
+        backedUp: credentialBackedUp,
+        transports: response.response.transports
+      });
+      const recoveryKey = generateRecoveryKey();
+      const token = await createToken({ userId: user.uid, email: email ?? void 0 });
+      const tokenHash = hashToken(token);
+      const expiresAt = Math.floor(Date.now() / 1e3) + env.JWT_EXPIRY;
+      createSession({ userId: user.id, tokenHash, expiresAt });
+      challengeStore.delete(challengeKey);
+      return c.json({
+        user: {
+          id: user.uid,
+          email: user.email,
+          createdAt: user.createdAt
+        },
+        token,
+        recoveryKey
+      });
+    } catch (error) {
+      if (error instanceof ApiException) throw error;
+      console.error("Passkey registration error:", error);
+      throw new ApiException(errors.invalid_credentials, 401);
+    }
+  }
+).post(
+  "/login/options",
+  zValidator("json", PasskeyLoginOptionsRequest2),
+  async (c) => {
+    const { email } = c.req.valid("json");
+    let allowCredentials;
+    if (email) {
+      const user = getUserByEmail(email);
+      if (user) {
+        const passkeys = getPasskeysByUserId(user.id);
+        allowCredentials = passkeys.map((p) => ({
+          id: p.credentialId,
+          transports: p.transports?.split(",")
+        }));
+      }
+    }
+    const options = await generateAuthenticationOptions({
+      rpID: env.RP_ID,
+      allowCredentials,
+      userVerification: "preferred",
+      timeout: 6e4
+    });
+    const challengeKey = `auth:${options.challenge}`;
+    challengeStore.set(challengeKey, {
+      challenge: options.challenge,
+      expiresAt: Date.now() + 12e4
+    });
+    return c.json(options);
+  }
+).post(
+  "/login/verify",
+  zValidator("json", PasskeyLoginVerifyRequest2),
+  async (c) => {
+    const { credential } = c.req.valid("json");
+    const response = credential;
+    const passkey = getPasskeyByCredentialId(response.id);
+    if (!passkey) {
+      throw new ApiException(errors.passkey_not_found, 401);
+    }
+    let storedChallenge = null;
+    for (const [key, value] of challengeStore) {
+      if (key.startsWith("auth:") && value.expiresAt > Date.now()) {
+        storedChallenge = value.challenge;
+        break;
+      }
+    }
+    if (!storedChallenge) {
+      throw new ApiException(errors.invalid_credentials, 401);
+    }
+    try {
+      const verification = await verifyAuthenticationResponse({
+        response,
+        expectedChallenge: storedChallenge,
+        expectedOrigin: env.RP_ORIGIN,
+        expectedRPID: env.RP_ID,
+        authenticator: {
+          credentialID: passkey.credentialId,
+          credentialPublicKey: Buffer.from(passkey.publicKey, "base64"),
+          counter: passkey.counter,
+          transports: passkey.transports?.split(",")
+        }
+      });
+      if (!verification.verified) {
+        throw new ApiException(errors.invalid_credentials, 401);
+      }
+      updatePasskeyCounter(passkey.credentialId, verification.authenticationInfo.newCounter);
+      const token = await createToken({
+        userId: passkey.user.uid,
+        email: passkey.user.email ?? void 0
+      });
+      const tokenHash = hashToken(token);
+      const expiresAt = Math.floor(Date.now() / 1e3) + env.JWT_EXPIRY;
+      createSession({ userId: passkey.user.id, tokenHash, expiresAt });
+      challengeStore.delete(`auth:${storedChallenge}`);
+      return c.json({
+        user: {
+          id: passkey.user.uid,
+          email: passkey.user.email,
+          createdAt: passkey.user.createdAt
+        },
+        token
+      });
+    } catch (error) {
+      if (error instanceof ApiException) throw error;
+      console.error("Passkey authentication error:", error);
+      throw new ApiException(errors.invalid_credentials, 401);
+    }
+  }
+).post(
+  "/check",
+  zValidator("json", PasskeyCheckRequest),
+  (c) => {
+    const { email } = c.req.valid("json");
+    const user = getUserByEmail(email);
+    if (!user) {
+      return c.json({ hasPasskey: false });
+    }
+    const passkeys = getPasskeysByUserId(user.id);
+    return c.json({ hasPasskey: passkeys.length > 0 });
+  }
+);
+
+// src/api/auth/router.ts
+function hashPassword(password, salt) {
+  const crypto2 = createHash2("sha256");
+  return crypto2.update(password + salt).digest("hex");
+}
+function generateSalt() {
+  return randomBytes2(16).toString("hex");
+}
+var authRouter = new Hono2().post(
+  "/email/register",
+  zValidator2("json", EmailRegisterRequest),
+  async (c) => {
+    const { email, password } = c.req.valid("json");
+    const existing = getUserByEmail(email);
+    if (existing) {
+      throw new ApiException(errors.email_already_exists, 409);
+    }
+    const salt = generateSalt();
+    const passwordHash = hashPassword(password, salt) + ":" + salt;
+    const user = createUser({ email, passwordHash });
+    const token = await createToken({ userId: user.uid, email });
+    const tokenHash = hashToken(token);
+    const expiresAt = Math.floor(Date.now() / 1e3) + env.JWT_EXPIRY;
+    createSession({ userId: user.id, tokenHash, expiresAt });
+    return c.json({
+      user: {
+        id: user.uid,
+        email: user.email,
+        createdAt: user.createdAt
+      },
+      token
+    });
+  }
+).post(
+  "/email/login",
+  zValidator2("json", EmailLoginRequest),
+  async (c) => {
+    const { email, password } = c.req.valid("json");
+    const user = getUserByEmail(email);
+    if (!user || !user.passwordHash) {
+      throw new ApiException(errors.invalid_credentials, 401);
+    }
+    const [storedHash, salt] = user.passwordHash.split(":");
+    if (!salt) {
+      throw new ApiException(errors.invalid_credentials, 401);
+    }
+    const inputHash = hashPassword(password, salt);
+    if (inputHash !== storedHash) {
+      throw new ApiException(errors.invalid_credentials, 401);
+    }
+    const token = await createToken({ userId: user.uid, email: user.email ?? void 0 });
+    const tokenHash = hashToken(token);
+    const expiresAt = Math.floor(Date.now() / 1e3) + env.JWT_EXPIRY;
+    createSession({ userId: user.id, tokenHash, expiresAt });
+    return c.json({
+      user: {
+        id: user.uid,
+        email: user.email,
+        createdAt: user.createdAt
+      },
+      token
+    });
+  }
+).get(
+  "/me",
+  requireAuthMiddleware,
+  (c) => {
+    const session = c.get("session");
+    return c.json({
+      user: {
+        id: session.user.uid,
+        email: session.user.email,
+        createdAt: 0
+        // Not needed for /me
+      }
+    });
+  }
+).post(
+  "/refresh",
+  requireAuthMiddleware,
+  async (c) => {
+    const session = c.get("session");
+    const token = await createToken({
+      userId: session.user.uid,
+      email: session.user.email ?? void 0
+    });
+    const tokenHash = hashToken(token);
+    const expiresAt = Math.floor(Date.now() / 1e3) + env.JWT_EXPIRY;
+    const oldToken = c.req.header("Authorization")?.slice(7);
+    if (oldToken) {
+      deleteSession(hashToken(oldToken));
+    }
+    createSession({ userId: session.user.id, tokenHash, expiresAt });
+    return c.json({
+      token,
+      expiresIn: env.JWT_EXPIRY
+    });
+  }
+).post(
+  "/logout",
+  requireAuthMiddleware,
+  (c) => {
+    const token = c.req.header("Authorization")?.slice(7);
+    if (token) {
+      deleteSession(hashToken(token));
+    }
+    return c.json({ success: true });
+  }
+).route("/passkey", passkeyRouter);
+
+// src/api/vault/router.ts
+import { Hono as Hono3 } from "hono";
+import { zValidator as zValidator3 } from "@hono/zod-validator";
+function toVaultResponse(vault) {
+  return {
+    uid: vault.uid,
+    name: vault.name,
+    data: vault.data,
+    salt: vault.salt,
+    version: vault.version,
+    updatedAt: vault.updatedAt
+  };
+}
+var vaultRouter = new Hono3().use("/*", requireAuthMiddleware).get(
+  "/",
+  (c) => {
+    const session = c.get("session");
+    const vaults = getVaultsByUserId(session.user.id);
+    return c.json({
+      vaults: vaults.map(toVaultResponse)
+    });
+  }
+).get(
+  "/:uid",
+  (c) => {
+    const session = c.get("session");
+    const { uid } = c.req.param();
+    const vault = getVaultByUid(uid, session.user.id);
+    if (!vault) {
+      throw new ApiException(errors.vault_not_found, 404);
+    }
+    return c.json(toVaultResponse(vault));
+  }
+).post(
+  "/",
+  zValidator3("json", CreateVaultRequest),
+  (c) => {
+    const session = c.get("session");
+    const { name, data, salt } = c.req.valid("json");
+    const existing = getVaultByName(name, session.user.id);
+    if (existing) {
+      throw new ApiException(errors.vault_already_exists(name), 409);
+    }
+    const vault = createVault({
+      userId: session.user.id,
+      name,
+      data,
+      salt
+    });
+    return c.json(toVaultResponse(vault), 201);
+  }
+).put(
+  "/:uid",
+  zValidator3("json", UpdateVaultRequest),
+  (c) => {
+    const session = c.get("session");
+    const { uid } = c.req.param();
+    const { data, salt, version } = c.req.valid("json");
+    const vault = updateVault(uid, session.user.id, { data, salt, version });
+    if (!vault) {
+      throw new ApiException(errors.vault_not_found, 404);
+    }
+    return c.json(toVaultResponse(vault));
+  }
+).delete(
+  "/:uid",
+  (c) => {
+    const session = c.get("session");
+    const { uid } = c.req.param();
+    const deleted = deleteVault(uid, session.user.id);
+    if (!deleted) {
+      throw new ApiException(errors.vault_not_found, 404);
+    }
+    return c.json({ success: true });
+  }
+);
+
+// src/app.ts
+var errorHandler = (error, c) => {
+  const requestId = c.req.header("x-request-id") ?? crypto.randomUUID();
+  if (error instanceof ApiException) {
+    return c.json(
+      { error: error.error, requestId },
+      error.status
+    );
+  }
+  if (error instanceof ZodError) {
+    const message = error.errors.map((e) => `${e.path.join(".")}: ${e.message}`).join(", ");
+    return c.json(
+      {
+        error: {
+          code: "validation_error",
+          message,
+          details: { errors: error.errors }
+        },
+        requestId
+      },
+      400
+    );
+  }
+  console.error(`[${requestId}] Unhandled error:`, error);
+  return c.json(
+    { error: errors.internal_error, requestId },
+    500
+  );
+};
+function createApp() {
+  const app = new Hono4();
+  app.use("*", logger());
+  app.use(
+    "*",
+    cors({
+      origin: "*",
+      // Configure for production
+      allowMethods: ["GET", "POST", "PUT", "DELETE", "OPTIONS"],
+      allowHeaders: ["Content-Type", "Authorization"],
+      exposeHeaders: ["X-Request-Id"]
+    })
+  );
+  app.get("/health", (c) => c.json({ status: "ok", timestamp: Date.now() }));
+  app.route("/auth", authRouter);
+  app.route("/vault", vaultRouter);
+  app.onError(errorHandler);
+  app.notFound((c) => {
+    return c.json(
+      { error: { code: "not_found", message: "Endpoint not found" } },
+      404
+    );
+  });
+  return app;
+}
+
+export {
+  env,
+  getDb,
+  closeDb,
+  createToken,
+  verifyToken,
+  hashToken,
+  ApiException,
+  errors,
+  getError,
+  optionalAuthMiddleware,
+  requireAuthMiddleware,
+  UserResponse,
+  EmailRegisterRequest,
+  EmailLoginRequest,
+  AuthResponse,
+  RefreshResponse,
+  MeResponse,
+  PasskeyRegisterOptionsRequest,
+  PasskeyRegisterVerifyRequest,
+  PasskeyLoginOptionsRequest,
+  PasskeyLoginVerifyRequest,
+  PasskeyCheckResponse,
+  CreateVaultRequest,
+  UpdateVaultRequest,
+  VaultResponse,
+  VaultsListResponse,
+  createApp
+};