npm - @ursalock/server - Versions diffs - 0.2.0 → 0.3.0 - Mend

@ursalock/server 0.2.0 → 0.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/dist/chunk-BYTMLM3Q.js DELETED Viewed

@@ -1,1048 +0,0 @@
-// src/env.ts
-import { z } from "zod";
-var numeric = z.string().transform((val) => Number.parseInt(val, 10));
-var envSchema = {
-  NODE_ENV: z.enum(["development", "production", "test"]).default("development"),
-  PORT: numeric.default("3456"),
-  /** SQLite database file path */
-  DATABASE_PATH: z.string().default("./data/vault.db"),
-  /** JWT secret for signing tokens (32+ bytes recommended) */
-  JWT_SECRET: z.string().min(32),
-  /** JWT token expiry in seconds (default: 7 days) */
-  JWT_EXPIRY: numeric.default("604800"),
-  /** Relying Party ID for WebAuthn (your domain) */
-  RP_ID: z.string().default("localhost"),
-  /** Relying Party name shown during passkey registration */
-  RP_NAME: z.string().default("zod-vault"),
-  /** Expected origin for WebAuthn (e.g., https://app.example.com) */
-  RP_ORIGIN: z.string().url().default("http://localhost:5173")
-};
-var skipEnvValidation = process.env["NODE_ENV"] === "test";
-var env = (() => {
-  if (skipEnvValidation) {
-    return Object.fromEntries(
-      Object.entries(envSchema).map(([key, schema]) => {
-        const result = schema.safeParse(process.env[key]);
-        return [key, result.success ? result.data : void 0];
-      })
-    );
-  }
-  const parsed = z.object(envSchema).safeParse(process.env);
-  if (!parsed.success) {
-    const errors2 = parsed.error.errors.map((e) => `  ${e.path.join(".")}: ${e.message}`).join("\n");
-    throw new Error(`Invalid environment variables:
-${errors2}`);
-  }
-  return parsed.data;
-})();
-// src/db/client.ts
-import Database from "better-sqlite3";
-// src/db/schema.ts
-var CREATE_TABLES_SQL = `
--- Users table
-CREATE TABLE IF NOT EXISTS users (
-  id INTEGER PRIMARY KEY AUTOINCREMENT,
-  uid TEXT NOT NULL UNIQUE DEFAULT (lower(hex(randomblob(16)))),
-  email TEXT UNIQUE,
-  password_hash TEXT,
-  created_at INTEGER NOT NULL DEFAULT (unixepoch()),
-  updated_at INTEGER NOT NULL DEFAULT (unixepoch())
-);
-CREATE INDEX IF NOT EXISTS idx_users_email ON users(email);
-CREATE INDEX IF NOT EXISTS idx_users_uid ON users(uid);
--- Passkeys table (WebAuthn credentials)
-CREATE TABLE IF NOT EXISTS passkeys (
-  id INTEGER PRIMARY KEY AUTOINCREMENT,
-  user_id INTEGER NOT NULL REFERENCES users(id) ON DELETE CASCADE,
-  credential_id TEXT NOT NULL UNIQUE,
-  public_key TEXT NOT NULL,
-  counter INTEGER NOT NULL DEFAULT 0,
-  device_type TEXT NOT NULL DEFAULT 'singleDevice',
-  backed_up INTEGER NOT NULL DEFAULT 0,
-  transports TEXT,
-  created_at INTEGER NOT NULL DEFAULT (unixepoch())
-);
-CREATE INDEX IF NOT EXISTS idx_passkeys_user_id ON passkeys(user_id);
-CREATE INDEX IF NOT EXISTS idx_passkeys_credential_id ON passkeys(credential_id);
--- Sessions table
-CREATE TABLE IF NOT EXISTS sessions (
-  id INTEGER PRIMARY KEY AUTOINCREMENT,
-  user_id INTEGER NOT NULL REFERENCES users(id) ON DELETE CASCADE,
-  token_hash TEXT NOT NULL UNIQUE,
-  expires_at INTEGER NOT NULL,
-  created_at INTEGER NOT NULL DEFAULT (unixepoch())
-);
-CREATE INDEX IF NOT EXISTS idx_sessions_token_hash ON sessions(token_hash);
-CREATE INDEX IF NOT EXISTS idx_sessions_user_id ON sessions(user_id);
--- Vaults table (encrypted blobs)
-CREATE TABLE IF NOT EXISTS vaults (
-  id INTEGER PRIMARY KEY AUTOINCREMENT,
-  uid TEXT NOT NULL UNIQUE DEFAULT (lower(hex(randomblob(16)))),
-  user_id INTEGER NOT NULL REFERENCES users(id) ON DELETE CASCADE,
-  name TEXT NOT NULL,
-  data TEXT NOT NULL,
-  salt TEXT NOT NULL,
-  version INTEGER NOT NULL DEFAULT 1,
-  created_at INTEGER NOT NULL DEFAULT (unixepoch()),
-  updated_at INTEGER NOT NULL DEFAULT (unixepoch())
-);
-CREATE INDEX IF NOT EXISTS idx_vaults_uid ON vaults(uid);
-CREATE INDEX IF NOT EXISTS idx_vaults_user_id ON vaults(user_id);
-CREATE UNIQUE INDEX IF NOT EXISTS idx_vaults_user_name ON vaults(user_id, name);
-`;
-// src/db/client.ts
-var _db = null;
-function getDb() {
-  if (!_db) {
-    _db = new Database(env.DATABASE_PATH);
-    _db.pragma("journal_mode = WAL");
-    _db.pragma("foreign_keys = ON");
-    _db.exec(CREATE_TABLES_SQL);
-  }
-  return _db;
-}
-function closeDb() {
-  if (_db) {
-    _db.close();
-    _db = null;
-  }
-}
-function createUser(input) {
-  const db = getDb();
-  const stmt = db.prepare(`
-    INSERT INTO users (email, password_hash)
-    VALUES (?, ?)
-    RETURNING id, uid, email, password_hash as passwordHash, created_at as createdAt, updated_at as updatedAt
-  `);
-  return stmt.get(input.email ?? null, input.passwordHash ?? null);
-}
-function getUserByEmail(email) {
-  const db = getDb();
-  const stmt = db.prepare(`
-    SELECT id, uid, email, password_hash as passwordHash, created_at as createdAt, updated_at as updatedAt
-    FROM users WHERE email = ?
-  `);
-  return stmt.get(email);
-}
-function createPasskey(input) {
-  const db = getDb();
-  const stmt = db.prepare(`
-    INSERT INTO passkeys (user_id, credential_id, public_key, counter, device_type, backed_up, transports)
-    VALUES (?, ?, ?, ?, ?, ?, ?)
-    RETURNING id, user_id as userId, credential_id as credentialId, public_key as publicKey,
-              counter, device_type as deviceType, backed_up as backedUp, transports, created_at as createdAt
-  `);
-  const result = stmt.get(
-    input.userId,
-    input.credentialId,
-    input.publicKey,
-    input.counter,
-    input.deviceType,
-    input.backedUp ? 1 : 0,
-    input.transports?.join(",") ?? null
-  );
-  return { ...result, backedUp: Boolean(result.backedUp) };
-}
-function getPasskeyByCredentialId(credentialId) {
-  const db = getDb();
-  const stmt = db.prepare(`
-    SELECT
-      p.id, p.user_id as userId, p.credential_id as credentialId, p.public_key as publicKey,
-      p.counter, p.device_type as deviceType, p.backed_up as backedUp, p.transports, p.created_at as createdAt,
-      u.id as "user.id", u.uid as "user.uid", u.email as "user.email"
-    FROM passkeys p
-    JOIN users u ON p.user_id = u.id
-    WHERE p.credential_id = ?
-  `);
-  const row = stmt.get(credentialId);
-  if (!row) return void 0;
-  return {
-    id: row["id"],
-    userId: row["userId"],
-    credentialId: row["credentialId"],
-    publicKey: row["publicKey"],
-    counter: row["counter"],
-    deviceType: row["deviceType"],
-    backedUp: Boolean(row["backedUp"]),
-    transports: row["transports"],
-    createdAt: row["createdAt"],
-    user: {
-      id: row["user.id"],
-      uid: row["user.uid"],
-      email: row["user.email"],
-      passwordHash: null,
-      createdAt: 0,
-      updatedAt: 0
-    }
-  };
-}
-function getPasskeysByUserId(userId) {
-  const db = getDb();
-  const stmt = db.prepare(`
-    SELECT id, user_id as userId, credential_id as credentialId, public_key as publicKey,
-           counter, device_type as deviceType, backed_up as backedUp, transports, created_at as createdAt
-    FROM passkeys WHERE user_id = ?
-  `);
-  return stmt.all(userId).map((p) => ({ ...p, backedUp: Boolean(p.backedUp) }));
-}
-function updatePasskeyCounter(credentialId, counter) {
-  const db = getDb();
-  const stmt = db.prepare(`UPDATE passkeys SET counter = ? WHERE credential_id = ?`);
-  stmt.run(counter, credentialId);
-}
-function createSession(input) {
-  const db = getDb();
-  const stmt = db.prepare(`
-    INSERT INTO sessions (user_id, token_hash, expires_at)
-    VALUES (?, ?, ?)
-    RETURNING id, user_id as userId, token_hash as tokenHash, expires_at as expiresAt, created_at as createdAt
-  `);
-  return stmt.get(input.userId, input.tokenHash, input.expiresAt);
-}
-function getSessionByTokenHash(tokenHash) {
-  const db = getDb();
-  const stmt = db.prepare(`
-    SELECT
-      s.id, s.user_id as userId, s.token_hash as tokenHash, s.expires_at as expiresAt, s.created_at as createdAt,
-      u.id as "user.id", u.uid as "user.uid", u.email as "user.email"
-    FROM sessions s
-    JOIN users u ON s.user_id = u.id
-    WHERE s.token_hash = ? AND s.expires_at > unixepoch()
-  `);
-  const row = stmt.get(tokenHash);
-  if (!row) return void 0;
-  return {
-    id: row["id"],
-    userId: row["userId"],
-    tokenHash: row["tokenHash"],
-    expiresAt: row["expiresAt"],
-    createdAt: row["createdAt"],
-    user: {
-      id: row["user.id"],
-      uid: row["user.uid"],
-      email: row["user.email"],
-      passwordHash: null,
-      createdAt: 0,
-      updatedAt: 0
-    }
-  };
-}
-function deleteSession(tokenHash) {
-  const db = getDb();
-  const stmt = db.prepare(`DELETE FROM sessions WHERE token_hash = ?`);
-  stmt.run(tokenHash);
-}
-function createVault(input) {
-  const db = getDb();
-  const stmt = db.prepare(`
-    INSERT INTO vaults (user_id, name, data, salt, version)
-    VALUES (?, ?, ?, ?, ?)
-    RETURNING id, uid, user_id as userId, name, data, salt, version, created_at as createdAt, updated_at as updatedAt
-  `);
-  return stmt.get(input.userId, input.name, input.data, input.salt, input.version ?? 1);
-}
-function getVaultByUid(uid, userId) {
-  const db = getDb();
-  const stmt = db.prepare(`
-    SELECT id, uid, user_id as userId, name, data, salt, version, created_at as createdAt, updated_at as updatedAt
-    FROM vaults WHERE uid = ? AND user_id = ?
-  `);
-  return stmt.get(uid, userId);
-}
-function getVaultByName(name, userId) {
-  const db = getDb();
-  const stmt = db.prepare(`
-    SELECT id, uid, user_id as userId, name, data, salt, version, created_at as createdAt, updated_at as updatedAt
-    FROM vaults WHERE name = ? AND user_id = ?
-  `);
-  return stmt.get(name, userId);
-}
-function getVaultsByUserId(userId) {
-  const db = getDb();
-  const stmt = db.prepare(`
-    SELECT id, uid, user_id as userId, name, data, salt, version, created_at as createdAt, updated_at as updatedAt
-    FROM vaults WHERE user_id = ?
-    ORDER BY updated_at DESC
-  `);
-  return stmt.all(userId);
-}
-function updateVault(uid, userId, input) {
-  const db = getDb();
-  const stmt = db.prepare(`
-    UPDATE vaults SET data = ?, salt = ?, version = COALESCE(?, version), updated_at = unixepoch()
-    WHERE uid = ? AND user_id = ?
-    RETURNING id, uid, user_id as userId, name, data, salt, version, created_at as createdAt, updated_at as updatedAt
-  `);
-  return stmt.get(input.data, input.salt, input.version ?? null, uid, userId);
-}
-function deleteVault(uid, userId) {
-  const db = getDb();
-  const stmt = db.prepare(`DELETE FROM vaults WHERE uid = ? AND user_id = ?`);
-  return stmt.run(uid, userId).changes > 0;
-}
-// src/features/auth/jwt.ts
-import { createHash } from "crypto";
-import { SignJWT, jwtVerify } from "jose";
-function getSecretKey() {
-  return new TextEncoder().encode(env.JWT_SECRET);
-}
-async function createToken(payload) {
-  const jti = crypto.randomUUID();
-  const jwt = new SignJWT({ email: payload.email }).setSubject(payload.userId).setJti(jti).setIssuedAt().setExpirationTime(`${env.JWT_EXPIRY}s`).setProtectedHeader({ alg: "HS256" });
-  return jwt.sign(getSecretKey());
-}
-async function verifyToken(token) {
-  try {
-    const { payload } = await jwtVerify(token, getSecretKey());
-    if (!payload.sub) {
-      return null;
-    }
-    return payload;
-  } catch {
-    return null;
-  }
-}
-function hashToken(token) {
-  return createHash("sha256").update(token).digest("hex");
-}
-// src/errors.ts
-import { z as z2 } from "zod";
-var ErrorCode = z2.enum([
-  // Auth errors
-  "unauthorized",
-  "invalid_credentials",
-  "email_already_exists",
-  "passkey_not_found",
-  "session_expired",
-  // Vault errors
-  "vault_not_found",
-  "vault_already_exists",
-  "invalid_vault_data",
-  // Validation errors
-  "validation_error",
-  "invalid_request",
-  // Server errors
-  "internal_error"
-]);
-var ApiException = class extends Error {
-  constructor(error, status = 400) {
-    super(error.message);
-    this.error = error;
-    this.status = status;
-    this.name = "ApiException";
-  }
-};
-var errors = {
-  // Auth errors
-  unauthorized: { code: "unauthorized", message: "Unauthorized" },
-  invalid_credentials: { code: "invalid_credentials", message: "Invalid email or password" },
-  email_already_exists: { code: "email_already_exists", message: "Email already registered" },
-  passkey_not_found: { code: "passkey_not_found", message: "Passkey not found" },
-  session_expired: { code: "session_expired", message: "Session expired" },
-  // Vault errors
-  vault_not_found: { code: "vault_not_found", message: "Vault not found" },
-  vault_already_exists: (name) => ({
-    code: "vault_already_exists",
-    message: `Vault "${name}" already exists`
-  }),
-  invalid_vault_data: { code: "invalid_vault_data", message: "Invalid vault data" },
-  // Validation errors
-  validation_error: (details) => ({
-    code: "validation_error",
-    message: details
-  }),
-  invalid_request: { code: "invalid_request", message: "Invalid request" },
-  // Server errors
-  internal_error: { code: "internal_error", message: "Internal server error" }
-};
-function getError(code, arg) {
-  const factory = errors[code];
-  if (typeof factory === "function") {
-    return factory(arg ?? "");
-  }
-  return factory;
-}
-// src/features/auth/middleware.ts
-import { createMiddleware } from "hono/factory";
-var optionalAuthMiddleware = createMiddleware(async (c, next) => {
-  const authHeader = c.req.header("Authorization");
-  if (!authHeader?.startsWith("Bearer ")) {
-    c.set("session", null);
-    return next();
-  }
-  const token = authHeader.slice(7);
-  const payload = await verifyToken(token);
-  if (!payload?.sub) {
-    c.set("session", null);
-    return next();
-  }
-  const tokenHash = hashToken(token);
-  const session = getSessionByTokenHash(tokenHash);
-  if (!session) {
-    c.set("session", null);
-    return next();
-  }
-  c.set("session", {
-    user: {
-      id: session.user.id,
-      uid: session.user.uid,
-      email: session.user.email
-    },
-    sessionId: session.id
-  });
-  return next();
-});
-var requireAuthMiddleware = createMiddleware(async (c, next) => {
-  const authHeader = c.req.header("Authorization");
-  if (!authHeader?.startsWith("Bearer ")) {
-    throw new ApiException(getError("unauthorized"), 401);
-  }
-  const token = authHeader.slice(7);
-  const payload = await verifyToken(token);
-  if (!payload?.sub) {
-    throw new ApiException(getError("unauthorized"), 401);
-  }
-  const tokenHash = hashToken(token);
-  const session = getSessionByTokenHash(tokenHash);
-  if (!session) {
-    throw new ApiException(getError("session_expired"), 401);
-  }
-  c.set("session", {
-    user: {
-      id: session.user.id,
-      uid: session.user.uid,
-      email: session.user.email
-    },
-    sessionId: session.id
-  });
-  return next();
-});
-// src/api/schemas.ts
-import { z as z3 } from "zod";
-var UserResponse = z3.object({
-  id: z3.string(),
-  email: z3.string().email().nullable(),
-  createdAt: z3.number()
-});
-var EmailRegisterRequest = z3.object({
-  email: z3.string().email(),
-  password: z3.string().min(8, "Password must be at least 8 characters")
-});
-var EmailLoginRequest = z3.object({
-  email: z3.string().email(),
-  password: z3.string().min(1)
-});
-var AuthResponse = z3.object({
-  user: UserResponse,
-  token: z3.string(),
-  recoveryKey: z3.string().optional()
-});
-var RefreshResponse = z3.object({
-  token: z3.string(),
-  expiresIn: z3.number()
-});
-var MeResponse = z3.object({
-  user: UserResponse
-});
-var PasskeyRegisterOptionsRequest = z3.object({
-  email: z3.string().email().optional()
-});
-var PasskeyRegisterVerifyRequest = z3.object({
-  email: z3.string().email().optional(),
-  credential: z3.record(z3.unknown())
-});
-var PasskeyLoginOptionsRequest = z3.object({
-  email: z3.string().email().optional()
-});
-var PasskeyLoginVerifyRequest = z3.object({
-  credential: z3.record(z3.unknown())
-});
-var PasskeyCheckResponse = z3.object({
-  hasPasskey: z3.boolean()
-});
-var CreateVaultRequest = z3.object({
-  name: z3.string().min(1).max(255),
-  data: z3.string(),
-  // Encrypted blob (base64)
-  salt: z3.string()
-  // Salt (base64)
-});
-var UpdateVaultRequest = z3.object({
-  data: z3.string(),
-  salt: z3.string(),
-  version: z3.number().optional()
-});
-var VaultResponse = z3.object({
-  uid: z3.string(),
-  name: z3.string(),
-  data: z3.string(),
-  salt: z3.string(),
-  version: z3.number(),
-  updatedAt: z3.number()
-});
-var VaultsListResponse = z3.object({
-  vaults: z3.array(VaultResponse)
-});
-// src/app.ts
-import { Hono as Hono4 } from "hono";
-import { cors } from "hono/cors";
-import { logger } from "hono/logger";
-import { ZodError } from "zod";
-// src/api/auth/router.ts
-import { createHash as createHash2, randomBytes as randomBytes2 } from "crypto";
-import { Hono as Hono2 } from "hono";
-import { zValidator as zValidator2 } from "@hono/zod-validator";
-// src/api/auth/passkey.ts
-import { Hono } from "hono";
-import { zValidator } from "@hono/zod-validator";
-import { z as z4 } from "zod";
-import {
-  generateRegistrationOptions,
-  verifyRegistrationResponse,
-  generateAuthenticationOptions,
-  verifyAuthenticationResponse
-} from "@simplewebauthn/server";
-// src/features/crypto/recovery.ts
-import { randomBytes } from "crypto";
-var BASE32_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567";
-function generateRecoveryKey() {
-  const bytes = randomBytes(32);
-  const raw = base32Encode(bytes);
-  return formatWithDashes(raw);
-}
-function base32Encode(bytes) {
-  let result = "";
-  let bits = 0;
-  let value = 0;
-  for (const byte of bytes) {
-    value = value << 8 | byte;
-    bits += 8;
-    while (bits >= 5) {
-      bits -= 5;
-      result += BASE32_ALPHABET[value >> bits & 31];
-    }
-  }
-  if (bits > 0) {
-    result += BASE32_ALPHABET[value << 5 - bits & 31];
-  }
-  return result;
-}
-function formatWithDashes(raw) {
-  const chunks = [];
-  for (let i = 0; i < raw.length; i += 4) {
-    chunks.push(raw.slice(i, i + 4));
-  }
-  return chunks.join("-");
-}
-// src/api/auth/passkey.ts
-var challengeStore = /* @__PURE__ */ new Map();
-setInterval(() => {
-  const now = Date.now();
-  for (const [key, value] of challengeStore) {
-    if (value.expiresAt < now) {
-      challengeStore.delete(key);
-    }
-  }
-}, 6e4);
-var PasskeyRegisterOptionsRequest2 = z4.object({
-  email: z4.string().email().optional()
-});
-var PasskeyRegisterVerifyRequest2 = z4.object({
-  email: z4.string().email().optional(),
-  credential: z4.any()
-  // RegistrationResponseJSON
-});
-var PasskeyLoginOptionsRequest2 = z4.object({
-  email: z4.string().email().optional()
-});
-var PasskeyLoginVerifyRequest2 = z4.object({
-  credential: z4.any()
-  // AuthenticationResponseJSON
-});
-var PasskeyCheckRequest = z4.object({
-  email: z4.string().email()
-});
-var passkeyRouter = new Hono().post(
-  "/register/options",
-  zValidator("json", PasskeyRegisterOptionsRequest2),
-  async (c) => {
-    const { email } = c.req.valid("json");
-    if (email) {
-      const existing = getUserByEmail(email);
-      if (existing) {
-        throw new ApiException(errors.email_already_exists, 409);
-      }
-    }
-    const tempUserId = crypto.randomUUID();
-    const options = await generateRegistrationOptions({
-      rpName: env.RP_NAME,
-      rpID: env.RP_ID,
-      userName: email ?? tempUserId,
-      userDisplayName: email ?? "Anonymous User",
-      attestationType: "none",
-      authenticatorSelection: {
-        residentKey: "preferred",
-        userVerification: "preferred",
-        authenticatorAttachment: "platform"
-      },
-      timeout: 6e4
-    });
-    const challengeKey = email ?? tempUserId;
-    challengeStore.set(challengeKey, {
-      challenge: options.challenge,
-      expiresAt: Date.now() + 12e4
-      // 2 min expiry
-    });
-    return c.json(options);
-  }
-).post(
-  "/register/verify",
-  zValidator("json", PasskeyRegisterVerifyRequest2),
-  async (c) => {
-    const { email, credential } = c.req.valid("json");
-    const response = credential;
-    const challengeKey = email ?? response.id;
-    const stored = challengeStore.get(challengeKey);
-    if (!stored) {
-      throw new ApiException(errors.invalid_credentials, 401);
-    }
-    if (email) {
-      const existing = getUserByEmail(email);
-      if (existing) {
-        throw new ApiException(errors.email_already_exists, 409);
-      }
-    }
-    try {
-      const verification = await verifyRegistrationResponse({
-        response,
-        expectedChallenge: stored.challenge,
-        expectedOrigin: env.RP_ORIGIN,
-        expectedRPID: env.RP_ID
-      });
-      if (!verification.verified || !verification.registrationInfo) {
-        throw new ApiException(errors.invalid_credentials, 401);
-      }
-      const { credentialID, credentialPublicKey, counter, credentialDeviceType, credentialBackedUp } = verification.registrationInfo;
-      const user = createUser({ email: email ?? void 0, passwordHash: void 0 });
-      createPasskey({
-        userId: user.id,
-        credentialId: credentialID,
-        publicKey: Buffer.from(credentialPublicKey).toString("base64"),
-        counter,
-        deviceType: credentialDeviceType,
-        backedUp: credentialBackedUp,
-        transports: response.response.transports
-      });
-      const recoveryKey = generateRecoveryKey();
-      const token = await createToken({ userId: user.uid, email: email ?? void 0 });
-      const tokenHash = hashToken(token);
-      const expiresAt = Math.floor(Date.now() / 1e3) + env.JWT_EXPIRY;
-      createSession({ userId: user.id, tokenHash, expiresAt });
-      challengeStore.delete(challengeKey);
-      return c.json({
-        user: {
-          id: user.uid,
-          email: user.email,
-          createdAt: user.createdAt
-        },
-        token,
-        recoveryKey
-      });
-    } catch (error) {
-      if (error instanceof ApiException) throw error;
-      console.error("Passkey registration error:", error);
-      throw new ApiException(errors.invalid_credentials, 401);
-    }
-  }
-).post(
-  "/login/options",
-  zValidator("json", PasskeyLoginOptionsRequest2),
-  async (c) => {
-    const { email } = c.req.valid("json");
-    let allowCredentials;
-    if (email) {
-      const user = getUserByEmail(email);
-      if (user) {
-        const passkeys = getPasskeysByUserId(user.id);
-        allowCredentials = passkeys.map((p) => ({
-          id: p.credentialId,
-          transports: p.transports?.split(",")
-        }));
-      }
-    }
-    const options = await generateAuthenticationOptions({
-      rpID: env.RP_ID,
-      allowCredentials,
-      userVerification: "preferred",
-      timeout: 6e4
-    });
-    const challengeKey = `auth:${options.challenge}`;
-    challengeStore.set(challengeKey, {
-      challenge: options.challenge,
-      expiresAt: Date.now() + 12e4
-    });
-    return c.json(options);
-  }
-).post(
-  "/login/verify",
-  zValidator("json", PasskeyLoginVerifyRequest2),
-  async (c) => {
-    const { credential } = c.req.valid("json");
-    const response = credential;
-    const passkey = getPasskeyByCredentialId(response.id);
-    if (!passkey) {
-      throw new ApiException(errors.passkey_not_found, 401);
-    }
-    let storedChallenge = null;
-    for (const [key, value] of challengeStore) {
-      if (key.startsWith("auth:") && value.expiresAt > Date.now()) {
-        storedChallenge = value.challenge;
-        break;
-      }
-    }
-    if (!storedChallenge) {
-      throw new ApiException(errors.invalid_credentials, 401);
-    }
-    try {
-      const verification = await verifyAuthenticationResponse({
-        response,
-        expectedChallenge: storedChallenge,
-        expectedOrigin: env.RP_ORIGIN,
-        expectedRPID: env.RP_ID,
-        authenticator: {
-          credentialID: passkey.credentialId,
-          credentialPublicKey: Buffer.from(passkey.publicKey, "base64"),
-          counter: passkey.counter,
-          transports: passkey.transports?.split(",")
-        }
-      });
-      if (!verification.verified) {
-        throw new ApiException(errors.invalid_credentials, 401);
-      }
-      updatePasskeyCounter(passkey.credentialId, verification.authenticationInfo.newCounter);
-      const token = await createToken({
-        userId: passkey.user.uid,
-        email: passkey.user.email ?? void 0
-      });
-      const tokenHash = hashToken(token);
-      const expiresAt = Math.floor(Date.now() / 1e3) + env.JWT_EXPIRY;
-      createSession({ userId: passkey.user.id, tokenHash, expiresAt });
-      challengeStore.delete(`auth:${storedChallenge}`);
-      return c.json({
-        user: {
-          id: passkey.user.uid,
-          email: passkey.user.email,
-          createdAt: passkey.user.createdAt
-        },
-        token
-      });
-    } catch (error) {
-      if (error instanceof ApiException) throw error;
-      console.error("Passkey authentication error:", error);
-      throw new ApiException(errors.invalid_credentials, 401);
-    }
-  }
-).post(
-  "/check",
-  zValidator("json", PasskeyCheckRequest),
-  (c) => {
-    const { email } = c.req.valid("json");
-    const user = getUserByEmail(email);
-    if (!user) {
-      return c.json({ hasPasskey: false });
-    }
-    const passkeys = getPasskeysByUserId(user.id);
-    return c.json({ hasPasskey: passkeys.length > 0 });
-  }
-);
-// src/api/auth/router.ts
-function hashPassword(password, salt) {
-  const crypto2 = createHash2("sha256");
-  return crypto2.update(password + salt).digest("hex");
-}
-function generateSalt() {
-  return randomBytes2(16).toString("hex");
-}
-var authRouter = new Hono2().post(
-  "/email/register",
-  zValidator2("json", EmailRegisterRequest),
-  async (c) => {
-    const { email, password } = c.req.valid("json");
-    const existing = getUserByEmail(email);
-    if (existing) {
-      throw new ApiException(errors.email_already_exists, 409);
-    }
-    const salt = generateSalt();
-    const passwordHash = hashPassword(password, salt) + ":" + salt;
-    const user = createUser({ email, passwordHash });
-    const token = await createToken({ userId: user.uid, email });
-    const tokenHash = hashToken(token);
-    const expiresAt = Math.floor(Date.now() / 1e3) + env.JWT_EXPIRY;
-    createSession({ userId: user.id, tokenHash, expiresAt });
-    return c.json({
-      user: {
-        id: user.uid,
-        email: user.email,
-        createdAt: user.createdAt
-      },
-      token
-    });
-  }
-).post(
-  "/email/login",
-  zValidator2("json", EmailLoginRequest),
-  async (c) => {
-    const { email, password } = c.req.valid("json");
-    const user = getUserByEmail(email);
-    if (!user || !user.passwordHash) {
-      throw new ApiException(errors.invalid_credentials, 401);
-    }
-    const [storedHash, salt] = user.passwordHash.split(":");
-    if (!salt) {
-      throw new ApiException(errors.invalid_credentials, 401);
-    }
-    const inputHash = hashPassword(password, salt);
-    if (inputHash !== storedHash) {
-      throw new ApiException(errors.invalid_credentials, 401);
-    }
-    const token = await createToken({ userId: user.uid, email: user.email ?? void 0 });
-    const tokenHash = hashToken(token);
-    const expiresAt = Math.floor(Date.now() / 1e3) + env.JWT_EXPIRY;
-    createSession({ userId: user.id, tokenHash, expiresAt });
-    return c.json({
-      user: {
-        id: user.uid,
-        email: user.email,
-        createdAt: user.createdAt
-      },
-      token
-    });
-  }
-).get(
-  "/me",
-  requireAuthMiddleware,
-  (c) => {
-    const session = c.get("session");
-    return c.json({
-      user: {
-        id: session.user.uid,
-        email: session.user.email,
-        createdAt: 0
-        // Not needed for /me
-      }
-    });
-  }
-).post(
-  "/refresh",
-  requireAuthMiddleware,
-  async (c) => {
-    const session = c.get("session");
-    const token = await createToken({
-      userId: session.user.uid,
-      email: session.user.email ?? void 0
-    });
-    const tokenHash = hashToken(token);
-    const expiresAt = Math.floor(Date.now() / 1e3) + env.JWT_EXPIRY;
-    const oldToken = c.req.header("Authorization")?.slice(7);
-    if (oldToken) {
-      deleteSession(hashToken(oldToken));
-    }
-    createSession({ userId: session.user.id, tokenHash, expiresAt });
-    return c.json({
-      token,
-      expiresIn: env.JWT_EXPIRY
-    });
-  }
-).post(
-  "/logout",
-  requireAuthMiddleware,
-  (c) => {
-    const token = c.req.header("Authorization")?.slice(7);
-    if (token) {
-      deleteSession(hashToken(token));
-    }
-    return c.json({ success: true });
-  }
-).route("/passkey", passkeyRouter);
-// src/api/vault/router.ts
-import { Hono as Hono3 } from "hono";
-import { zValidator as zValidator3 } from "@hono/zod-validator";
-function toVaultResponse(vault) {
-  return {
-    uid: vault.uid,
-    name: vault.name,
-    data: vault.data,
-    salt: vault.salt,
-    version: vault.version,
-    updatedAt: vault.updatedAt
-  };
-}
-var vaultRouter = new Hono3().use("/*", requireAuthMiddleware).get(
-  "/",
-  (c) => {
-    const session = c.get("session");
-    const vaults = getVaultsByUserId(session.user.id);
-    return c.json({
-      vaults: vaults.map(toVaultResponse)
-    });
-  }
-).get(
-  "/:uid",
-  (c) => {
-    const session = c.get("session");
-    const { uid } = c.req.param();
-    const vault = getVaultByUid(uid, session.user.id);
-    if (!vault) {
-      throw new ApiException(errors.vault_not_found, 404);
-    }
-    return c.json(toVaultResponse(vault));
-  }
-).post(
-  "/",
-  zValidator3("json", CreateVaultRequest),
-  (c) => {
-    const session = c.get("session");
-    const { name, data, salt } = c.req.valid("json");
-    const existing = getVaultByName(name, session.user.id);
-    if (existing) {
-      throw new ApiException(errors.vault_already_exists(name), 409);
-    }
-    const vault = createVault({
-      userId: session.user.id,
-      name,
-      data,
-      salt
-    });
-    return c.json(toVaultResponse(vault), 201);
-  }
-).put(
-  "/:uid",
-  zValidator3("json", UpdateVaultRequest),
-  (c) => {
-    const session = c.get("session");
-    const { uid } = c.req.param();
-    const { data, salt, version } = c.req.valid("json");
-    const vault = updateVault(uid, session.user.id, { data, salt, version });
-    if (!vault) {
-      throw new ApiException(errors.vault_not_found, 404);
-    }
-    return c.json(toVaultResponse(vault));
-  }
-).delete(
-  "/:uid",
-  (c) => {
-    const session = c.get("session");
-    const { uid } = c.req.param();
-    const deleted = deleteVault(uid, session.user.id);
-    if (!deleted) {
-      throw new ApiException(errors.vault_not_found, 404);
-    }
-    return c.json({ success: true });
-  }
-);
-// src/app.ts
-var errorHandler = (error, c) => {
-  const requestId = c.req.header("x-request-id") ?? crypto.randomUUID();
-  if (error instanceof ApiException) {
-    return c.json(
-      { error: error.error, requestId },
-      error.status
-    );
-  }
-  if (error instanceof ZodError) {
-    const message = error.errors.map((e) => `${e.path.join(".")}: ${e.message}`).join(", ");
-    return c.json(
-      {
-        error: {
-          code: "validation_error",
-          message,
-          details: { errors: error.errors }
-        },
-        requestId
-      },
-      400
-    );
-  }
-  console.error(`[${requestId}] Unhandled error:`, error);
-  return c.json(
-    { error: errors.internal_error, requestId },
-    500
-  );
-};
-function createApp() {
-  const app = new Hono4();
-  app.use("*", logger());
-  app.use(
-    "*",
-    cors({
-      origin: "*",
-      // Configure for production
-      allowMethods: ["GET", "POST", "PUT", "DELETE", "OPTIONS"],
-      allowHeaders: ["Content-Type", "Authorization"],
-      exposeHeaders: ["X-Request-Id"]
-    })
-  );
-  app.get("/health", (c) => c.json({ status: "ok", timestamp: Date.now() }));
-  app.route("/auth", authRouter);
-  app.route("/vault", vaultRouter);
-  app.onError(errorHandler);
-  app.notFound((c) => {
-    return c.json(
-      { error: { code: "not_found", message: "Endpoint not found" } },
-      404
-    );
-  });
-  return app;
-}
-export {
-  env,
-  getDb,
-  closeDb,
-  createToken,
-  verifyToken,
-  hashToken,
-  ApiException,
-  errors,
-  getError,
-  optionalAuthMiddleware,
-  requireAuthMiddleware,
-  UserResponse,
-  EmailRegisterRequest,
-  EmailLoginRequest,
-  AuthResponse,
-  RefreshResponse,
-  MeResponse,
-  PasskeyRegisterOptionsRequest,
-  PasskeyRegisterVerifyRequest,
-  PasskeyLoginOptionsRequest,
-  PasskeyLoginVerifyRequest,
-  PasskeyCheckResponse,
-  CreateVaultRequest,
-  UpdateVaultRequest,
-  VaultResponse,
-  VaultsListResponse,
-  createApp
-};