@ursalock/server 0.2.0

package/dist/index.js

@@ -0,0 +1,1251 @@
+// src/app.ts
+import { Hono as Hono5 } from "hono";
+import { cors } from "hono/cors";
+import { logger } from "hono/logger";
+import { ZodError } from "zod";
+
+// src/api/auth/router.ts
+import { createHash as createHash2, randomBytes } from "crypto";
+import { Hono as Hono3 } from "hono";
+import { zValidator as zValidator3 } from "@hono/zod-validator";
+
+// src/db/client.ts
+import Database from "better-sqlite3";
+
+// src/env.ts
+import { z } from "zod";
+var numeric = z.string().transform((val) => Number.parseInt(val, 10));
+var envSchema = {
+  NODE_ENV: z.enum(["development", "production", "test"]).default("development"),
+  PORT: numeric.default("3456"),
+  /** SQLite database file path */
+  DATABASE_PATH: z.string().default("./data/vault.db"),
+  /** JWT secret for signing tokens (32+ bytes recommended) */
+  JWT_SECRET: z.string().min(32),
+  /** JWT token expiry in seconds (default: 7 days) */
+  JWT_EXPIRY: numeric.default("604800"),
+  /** Relying Party name shown during passkey registration */
+  RP_NAME: z.string().default("ursalock"),
+  /** 
+   * Allowed origins for WebAuthn (comma-separated)
+   * e.g., "https://app1.example.com,https://app2.example.com"
+   * The RP_ID is derived from the hostname of the validated origin
+   */
+  RP_ORIGINS: z.string().default("http://localhost:5173")
+};
+var skipEnvValidation = process.env["NODE_ENV"] === "test";
+var env = (() => {
+  if (skipEnvValidation) {
+    return Object.fromEntries(
+      Object.entries(envSchema).map(([key, schema]) => {
+        const result = schema.safeParse(process.env[key]);
+        return [key, result.success ? result.data : void 0];
+      })
+    );
+  }
+  const parsed = z.object(envSchema).safeParse(process.env);
+  if (!parsed.success) {
+    const errors2 = parsed.error.errors.map((e) => `  ${e.path.join(".")}: ${e.message}`).join("\n");
+    throw new Error(`Invalid environment variables:
+${errors2}`);
+  }
+  return parsed.data;
+})();
+
+// src/db/schema.ts
+var CREATE_TABLES_SQL = `
+-- Users table
+CREATE TABLE IF NOT EXISTS users (
+  id INTEGER PRIMARY KEY AUTOINCREMENT,
+  uid TEXT NOT NULL UNIQUE DEFAULT (lower(hex(randomblob(16)))),
+  email TEXT UNIQUE,
+  password_hash TEXT,
+  opaque_id TEXT UNIQUE,
+  display_name TEXT,
+  created_at INTEGER NOT NULL DEFAULT (unixepoch()),
+  updated_at INTEGER NOT NULL DEFAULT (unixepoch())
+);
+
+CREATE INDEX IF NOT EXISTS idx_users_email ON users(email);
+CREATE INDEX IF NOT EXISTS idx_users_uid ON users(uid);
+CREATE INDEX IF NOT EXISTS idx_users_opaque_id ON users(opaque_id);
+
+-- Passkeys table (WebAuthn credentials) - kept for legacy support
+CREATE TABLE IF NOT EXISTS passkeys (
+  id INTEGER PRIMARY KEY AUTOINCREMENT,
+  user_id INTEGER NOT NULL REFERENCES users(id) ON DELETE CASCADE,
+  credential_id TEXT NOT NULL UNIQUE,
+  public_key TEXT NOT NULL,
+  counter INTEGER NOT NULL DEFAULT 0,
+  device_type TEXT NOT NULL DEFAULT 'singleDevice',
+  backed_up INTEGER NOT NULL DEFAULT 0,
+  transports TEXT,
+  created_at INTEGER NOT NULL DEFAULT (unixepoch())
+);
+
+CREATE INDEX IF NOT EXISTS idx_passkeys_user_id ON passkeys(user_id);
+CREATE INDEX IF NOT EXISTS idx_passkeys_credential_id ON passkeys(credential_id);
+
+-- Sessions table
+CREATE TABLE IF NOT EXISTS sessions (
+  id INTEGER PRIMARY KEY AUTOINCREMENT,
+  user_id INTEGER NOT NULL REFERENCES users(id) ON DELETE CASCADE,
+  token_hash TEXT NOT NULL UNIQUE,
+  expires_at INTEGER NOT NULL,
+  created_at INTEGER NOT NULL DEFAULT (unixepoch())
+);
+
+CREATE INDEX IF NOT EXISTS idx_sessions_token_hash ON sessions(token_hash);
+CREATE INDEX IF NOT EXISTS idx_sessions_user_id ON sessions(user_id);
+
+-- Vaults table (encrypted blobs)
+CREATE TABLE IF NOT EXISTS vaults (
+  id INTEGER PRIMARY KEY AUTOINCREMENT,
+  uid TEXT NOT NULL UNIQUE DEFAULT (lower(hex(randomblob(16)))),
+  user_id INTEGER NOT NULL REFERENCES users(id) ON DELETE CASCADE,
+  name TEXT NOT NULL,
+  data TEXT NOT NULL,
+  salt TEXT NOT NULL,
+  version INTEGER NOT NULL DEFAULT 1,
+  created_at INTEGER NOT NULL DEFAULT (unixepoch()),
+  updated_at INTEGER NOT NULL DEFAULT (unixepoch())
+);
+
+CREATE INDEX IF NOT EXISTS idx_vaults_uid ON vaults(uid);
+CREATE INDEX IF NOT EXISTS idx_vaults_user_id ON vaults(user_id);
+CREATE UNIQUE INDEX IF NOT EXISTS idx_vaults_user_name ON vaults(user_id, name);
+`;
+
+// src/db/client.ts
+var _db = null;
+function getDb() {
+  if (!_db) {
+    _db = new Database(env.DATABASE_PATH);
+    _db.pragma("journal_mode = WAL");
+    _db.pragma("foreign_keys = ON");
+    _db.exec(CREATE_TABLES_SQL);
+    runMigrations(_db);
+  }
+  return _db;
+}
+function runMigrations(db) {
+  const columns = db.pragma("table_info(users)");
+  const hasOpaqueId = columns.some((col) => col.name === "opaque_id");
+  if (!hasOpaqueId) {
+    try {
+      db.exec(`
+        ALTER TABLE users ADD COLUMN opaque_id TEXT UNIQUE;
+        ALTER TABLE users ADD COLUMN display_name TEXT;
+      `);
+      db.exec("CREATE INDEX IF NOT EXISTS idx_users_opaque_id ON users(opaque_id);");
+    } catch {
+    }
+  }
+}
+function closeDb() {
+  if (_db) {
+    _db.close();
+    _db = null;
+  }
+}
+function createUser(input) {
+  const db = getDb();
+  const stmt = db.prepare(`
+    INSERT INTO users (email, password_hash, opaque_id, display_name)
+    VALUES (?, ?, ?, ?)
+    RETURNING id, uid, email, password_hash as passwordHash, 
+              opaque_id as opaqueId, display_name as displayName,
+              created_at as createdAt, updated_at as updatedAt
+  `);
+  return stmt.get(
+    input.email ?? null,
+    input.passwordHash ?? null,
+    input.opaqueId ?? null,
+    input.displayName ?? null
+  );
+}
+function getUserByEmail(email) {
+  const db = getDb();
+  const stmt = db.prepare(`
+    SELECT id, uid, email, password_hash as passwordHash,
+           opaque_id as opaqueId, display_name as displayName,
+           created_at as createdAt, updated_at as updatedAt
+    FROM users WHERE email = ?
+  `);
+  return stmt.get(email);
+}
+function getUserByOpaqueId(opaqueId) {
+  const db = getDb();
+  const stmt = db.prepare(`
+    SELECT id, uid, email, password_hash as passwordHash,
+           opaque_id as opaqueId, display_name as displayName,
+           created_at as createdAt, updated_at as updatedAt
+    FROM users WHERE opaque_id = ?
+  `);
+  return stmt.get(opaqueId);
+}
+function createPasskey(input) {
+  const db = getDb();
+  const stmt = db.prepare(`
+    INSERT INTO passkeys (user_id, credential_id, public_key, counter, device_type, backed_up, transports)
+    VALUES (?, ?, ?, ?, ?, ?, ?)
+    RETURNING id, user_id as userId, credential_id as credentialId, public_key as publicKey,
+              counter, device_type as deviceType, backed_up as backedUp, transports, created_at as createdAt
+  `);
+  const result = stmt.get(
+    input.userId,
+    input.credentialId,
+    input.publicKey,
+    input.counter,
+    input.deviceType,
+    input.backedUp ? 1 : 0,
+    input.transports?.join(",") ?? null
+  );
+  return { ...result, backedUp: Boolean(result.backedUp) };
+}
+function getPasskeyByCredentialId(credentialId) {
+  const db = getDb();
+  const stmt = db.prepare(`
+    SELECT 
+      p.id, p.user_id as userId, p.credential_id as credentialId, p.public_key as publicKey,
+      p.counter, p.device_type as deviceType, p.backed_up as backedUp, p.transports, p.created_at as createdAt,
+      u.id as "user.id", u.uid as "user.uid", u.email as "user.email"
+    FROM passkeys p
+    JOIN users u ON p.user_id = u.id
+    WHERE p.credential_id = ?
+  `);
+  const row = stmt.get(credentialId);
+  if (!row) return void 0;
+  return {
+    id: row["id"],
+    userId: row["userId"],
+    credentialId: row["credentialId"],
+    publicKey: row["publicKey"],
+    counter: row["counter"],
+    deviceType: row["deviceType"],
+    backedUp: Boolean(row["backedUp"]),
+    transports: row["transports"],
+    createdAt: row["createdAt"],
+    user: {
+      id: row["user.id"],
+      uid: row["user.uid"],
+      email: row["user.email"],
+      passwordHash: null,
+      opaqueId: null,
+      displayName: null,
+      createdAt: 0,
+      updatedAt: 0
+    }
+  };
+}
+function getPasskeysByUserId(userId) {
+  const db = getDb();
+  const stmt = db.prepare(`
+    SELECT id, user_id as userId, credential_id as credentialId, public_key as publicKey,
+           counter, device_type as deviceType, backed_up as backedUp, transports, created_at as createdAt
+    FROM passkeys WHERE user_id = ?
+  `);
+  return stmt.all(userId).map((p) => ({ ...p, backedUp: Boolean(p.backedUp) }));
+}
+function updatePasskeyCounter(credentialId, counter) {
+  const db = getDb();
+  const stmt = db.prepare(`UPDATE passkeys SET counter = ? WHERE credential_id = ?`);
+  stmt.run(counter, credentialId);
+}
+function createSession(input) {
+  const db = getDb();
+  const stmt = db.prepare(`
+    INSERT INTO sessions (user_id, token_hash, expires_at)
+    VALUES (?, ?, ?)
+    RETURNING id, user_id as userId, token_hash as tokenHash, expires_at as expiresAt, created_at as createdAt
+  `);
+  return stmt.get(input.userId, input.tokenHash, input.expiresAt);
+}
+function getSessionByTokenHash(tokenHash) {
+  const db = getDb();
+  const stmt = db.prepare(`
+    SELECT 
+      s.id, s.user_id as userId, s.token_hash as tokenHash, s.expires_at as expiresAt, s.created_at as createdAt,
+      u.id as "user.id", u.uid as "user.uid", u.email as "user.email"
+    FROM sessions s
+    JOIN users u ON s.user_id = u.id
+    WHERE s.token_hash = ? AND s.expires_at > unixepoch()
+  `);
+  const row = stmt.get(tokenHash);
+  if (!row) return void 0;
+  return {
+    id: row["id"],
+    userId: row["userId"],
+    tokenHash: row["tokenHash"],
+    expiresAt: row["expiresAt"],
+    createdAt: row["createdAt"],
+    user: {
+      id: row["user.id"],
+      uid: row["user.uid"],
+      email: row["user.email"],
+      passwordHash: null,
+      opaqueId: null,
+      displayName: null,
+      createdAt: 0,
+      updatedAt: 0
+    }
+  };
+}
+function deleteSession(tokenHash) {
+  const db = getDb();
+  const stmt = db.prepare(`DELETE FROM sessions WHERE token_hash = ?`);
+  stmt.run(tokenHash);
+}
+function createVault(input) {
+  const db = getDb();
+  const stmt = db.prepare(`
+    INSERT INTO vaults (user_id, name, data, salt, version)
+    VALUES (?, ?, ?, ?, ?)
+    RETURNING id, uid, user_id as userId, name, data, salt, version, created_at as createdAt, updated_at as updatedAt
+  `);
+  return stmt.get(input.userId, input.name, input.data, input.salt, input.version ?? 1);
+}
+function getVaultByUid(uid, userId) {
+  const db = getDb();
+  const stmt = db.prepare(`
+    SELECT id, uid, user_id as userId, name, data, salt, version, created_at as createdAt, updated_at as updatedAt
+    FROM vaults WHERE uid = ? AND user_id = ?
+  `);
+  return stmt.get(uid, userId);
+}
+function getVaultByName(name, userId) {
+  const db = getDb();
+  const stmt = db.prepare(`
+    SELECT id, uid, user_id as userId, name, data, salt, version, created_at as createdAt, updated_at as updatedAt
+    FROM vaults WHERE name = ? AND user_id = ?
+  `);
+  return stmt.get(name, userId);
+}
+function getVaultsByUserId(userId) {
+  const db = getDb();
+  const stmt = db.prepare(`
+    SELECT id, uid, user_id as userId, name, data, salt, version, created_at as createdAt, updated_at as updatedAt
+    FROM vaults WHERE user_id = ?
+    ORDER BY updated_at DESC
+  `);
+  return stmt.all(userId);
+}
+function updateVault(uid, userId, input) {
+  const db = getDb();
+  const stmt = db.prepare(`
+    UPDATE vaults SET data = ?, salt = ?, version = COALESCE(?, version), updated_at = unixepoch()
+    WHERE uid = ? AND user_id = ?
+    RETURNING id, uid, user_id as userId, name, data, salt, version, created_at as createdAt, updated_at as updatedAt
+  `);
+  return stmt.get(input.data, input.salt, input.version ?? null, uid, userId);
+}
+function deleteVault(uid, userId) {
+  const db = getDb();
+  const stmt = db.prepare(`DELETE FROM vaults WHERE uid = ? AND user_id = ?`);
+  return stmt.run(uid, userId).changes > 0;
+}
+
+// src/features/auth/jwt.ts
+import { createHash } from "crypto";
+import { SignJWT, jwtVerify } from "jose";
+function getSecretKey() {
+  return new TextEncoder().encode(env.JWT_SECRET);
+}
+async function createToken(payload) {
+  const jti = crypto.randomUUID();
+  const jwt = new SignJWT({ email: payload.email }).setSubject(payload.userId).setJti(jti).setIssuedAt().setExpirationTime(`${env.JWT_EXPIRY}s`).setProtectedHeader({ alg: "HS256" });
+  return jwt.sign(getSecretKey());
+}
+async function verifyToken(token) {
+  try {
+    const { payload } = await jwtVerify(token, getSecretKey());
+    if (!payload.sub) {
+      return null;
+    }
+    return payload;
+  } catch {
+    return null;
+  }
+}
+function hashToken(token) {
+  return createHash("sha256").update(token).digest("hex");
+}
+
+// src/features/auth/middleware.ts
+import { createMiddleware } from "hono/factory";
+
+// src/errors.ts
+import { z as z2 } from "zod";
+var ErrorCode = z2.enum([
+  // Auth errors
+  "unauthorized",
+  "invalid_credentials",
+  "email_already_exists",
+  "passkey_not_found",
+  "session_expired",
+  "invalid_origin",
+  // Vault errors
+  "vault_not_found",
+  "vault_already_exists",
+  "invalid_vault_data",
+  // Validation errors
+  "validation_error",
+  "invalid_request",
+  // Server errors
+  "internal_error"
+]);
+var ApiException = class extends Error {
+  constructor(error, status = 400) {
+    super(error.message);
+    this.error = error;
+    this.status = status;
+    this.name = "ApiException";
+  }
+};
+var errors = {
+  // Auth errors
+  unauthorized: { code: "unauthorized", message: "Unauthorized" },
+  invalid_credentials: { code: "invalid_credentials", message: "Invalid email or password" },
+  email_already_exists: { code: "email_already_exists", message: "Email already registered" },
+  passkey_not_found: { code: "passkey_not_found", message: "Passkey not found" },
+  session_expired: { code: "session_expired", message: "Session expired" },
+  invalid_origin: { code: "invalid_origin", message: "Origin not allowed" },
+  // Vault errors
+  vault_not_found: { code: "vault_not_found", message: "Vault not found" },
+  vault_already_exists: (name) => ({
+    code: "vault_already_exists",
+    message: `Vault "${name}" already exists`
+  }),
+  invalid_vault_data: { code: "invalid_vault_data", message: "Invalid vault data" },
+  // Validation errors
+  validation_error: (details) => ({
+    code: "validation_error",
+    message: details
+  }),
+  invalid_request: { code: "invalid_request", message: "Invalid request" },
+  // Server errors
+  internal_error: { code: "internal_error", message: "Internal server error" }
+};
+function getError(code, arg) {
+  const factory = errors[code];
+  if (typeof factory === "function") {
+    return factory(arg ?? "");
+  }
+  return factory;
+}
+
+// src/features/auth/middleware.ts
+var optionalAuthMiddleware = createMiddleware(async (c, next) => {
+  const authHeader = c.req.header("Authorization");
+  if (!authHeader?.startsWith("Bearer ")) {
+    c.set("session", null);
+    return next();
+  }
+  const token = authHeader.slice(7);
+  const payload = await verifyToken(token);
+  if (!payload?.sub) {
+    c.set("session", null);
+    return next();
+  }
+  const tokenHash = hashToken(token);
+  const session = getSessionByTokenHash(tokenHash);
+  if (!session) {
+    c.set("session", null);
+    return next();
+  }
+  c.set("session", {
+    user: {
+      id: session.user.id,
+      uid: session.user.uid,
+      email: session.user.email
+    },
+    sessionId: session.id
+  });
+  return next();
+});
+var requireAuthMiddleware = createMiddleware(async (c, next) => {
+  const authHeader = c.req.header("Authorization");
+  if (!authHeader?.startsWith("Bearer ")) {
+    throw new ApiException(getError("unauthorized"), 401);
+  }
+  const token = authHeader.slice(7);
+  const payload = await verifyToken(token);
+  if (!payload?.sub) {
+    throw new ApiException(getError("unauthorized"), 401);
+  }
+  const tokenHash = hashToken(token);
+  const session = getSessionByTokenHash(tokenHash);
+  if (!session) {
+    throw new ApiException(getError("session_expired"), 401);
+  }
+  c.set("session", {
+    user: {
+      id: session.user.id,
+      uid: session.user.uid,
+      email: session.user.email
+    },
+    sessionId: session.id
+  });
+  return next();
+});
+
+// src/api/schemas.ts
+import { z as z3 } from "zod";
+var UserResponse = z3.object({
+  id: z3.string(),
+  email: z3.string().email().nullable(),
+  createdAt: z3.number()
+});
+var EmailRegisterRequest = z3.object({
+  email: z3.string().email(),
+  password: z3.string().min(8, "Password must be at least 8 characters")
+});
+var EmailLoginRequest = z3.object({
+  email: z3.string().email(),
+  password: z3.string().min(1)
+});
+var AuthResponse = z3.object({
+  user: UserResponse,
+  token: z3.string(),
+  recoveryKey: z3.string().optional()
+});
+var RefreshResponse = z3.object({
+  token: z3.string(),
+  expiresIn: z3.number()
+});
+var MeResponse = z3.object({
+  user: UserResponse
+});
+var PasskeyRegisterOptionsRequest = z3.object({
+  email: z3.string().email().optional()
+});
+var PasskeyRegisterVerifyRequest = z3.object({
+  email: z3.string().email().optional(),
+  credential: z3.record(z3.unknown())
+});
+var PasskeyLoginOptionsRequest = z3.object({
+  email: z3.string().email().optional()
+});
+var PasskeyLoginVerifyRequest = z3.object({
+  credential: z3.record(z3.unknown())
+});
+var PasskeyCheckResponse = z3.object({
+  hasPasskey: z3.boolean()
+});
+var CreateVaultRequest = z3.object({
+  name: z3.string().min(1).max(255),
+  data: z3.string(),
+  // Encrypted blob (base64)
+  salt: z3.string()
+  // Salt (base64)
+});
+var UpdateVaultRequest = z3.object({
+  data: z3.string(),
+  salt: z3.string(),
+  version: z3.number().optional()
+});
+var VaultResponse = z3.object({
+  uid: z3.string(),
+  name: z3.string(),
+  data: z3.string(),
+  salt: z3.string(),
+  version: z3.number(),
+  updatedAt: z3.number()
+});
+var VaultsListResponse = z3.object({
+  vaults: z3.array(VaultResponse)
+});
+
+// src/api/auth/passkey.ts
+import { Hono } from "hono";
+import { zValidator } from "@hono/zod-validator";
+import { z as z4 } from "zod";
+import {
+  generateRegistrationOptions,
+  verifyRegistrationResponse,
+  generateAuthenticationOptions,
+  verifyAuthenticationResponse
+} from "@simplewebauthn/server";
+
+// src/features/auth/origin.ts
+var allowedOrigins = null;
+function getAllowedOrigins() {
+  if (!allowedOrigins) {
+    allowedOrigins = env.RP_ORIGINS.split(",").map((o) => o.trim()).filter(Boolean);
+  }
+  return allowedOrigins;
+}
+function validateOrigin(origin) {
+  if (!origin) {
+    throw new ApiException(errors.invalid_origin, 403);
+  }
+  const allowed = getAllowedOrigins();
+  if (!allowed.includes(origin)) {
+    console.warn(`[auth] Rejected origin: ${origin}. Allowed: ${allowed.join(", ")}`);
+    throw new ApiException(errors.invalid_origin, 403);
+  }
+  const url = new URL(origin);
+  const rpId = url.hostname;
+  return { rpId, rpOrigin: origin };
+}
+function getRpConfigFromRequest(c) {
+  const origin = c.req.header("origin");
+  return validateOrigin(origin);
+}
+
+// src/api/auth/passkey.ts
+var challengeStore = /* @__PURE__ */ new Map();
+setInterval(() => {
+  const now = Date.now();
+  for (const [key, value] of challengeStore) {
+    if (value.expiresAt < now) {
+      challengeStore.delete(key);
+    }
+  }
+}, 6e4);
+var PasskeyRegisterOptionsRequest2 = z4.object({
+  email: z4.string().email().optional()
+});
+var PasskeyRegisterVerifyRequest2 = z4.object({
+  email: z4.string().email().optional(),
+  credential: z4.any()
+  // RegistrationResponseJSON
+});
+var PasskeyLoginOptionsRequest2 = z4.object({
+  email: z4.string().email().optional()
+});
+var PasskeyLoginVerifyRequest2 = z4.object({
+  credential: z4.any()
+  // AuthenticationResponseJSON
+});
+var PasskeyCheckRequest = z4.object({
+  email: z4.string().email()
+});
+var passkeyRouter = new Hono().post(
+  "/register/options",
+  zValidator("json", PasskeyRegisterOptionsRequest2),
+  async (c) => {
+    const { email } = c.req.valid("json");
+    if (email) {
+      const existing = getUserByEmail(email);
+      if (existing) {
+        throw new ApiException(errors.email_already_exists, 409);
+      }
+    }
+    const tempUserId = crypto.randomUUID();
+    const { rpId } = getRpConfigFromRequest(c);
+    const options = await generateRegistrationOptions({
+      rpName: env.RP_NAME,
+      rpID: rpId,
+      userName: email ?? tempUserId,
+      userDisplayName: email ?? "Anonymous User",
+      attestationType: "none",
+      authenticatorSelection: {
+        residentKey: "preferred",
+        userVerification: "preferred"
+        // No authenticatorAttachment = allow both platform (TouchID) AND cross-platform (Proton Pass, security keys)
+      },
+      timeout: 6e4
+    });
+    challengeStore.set(options.challenge, {
+      challenge: options.challenge,
+      email: email ?? void 0,
+      expiresAt: Date.now() + 12e4
+      // 2 min expiry
+    });
+    return c.json(options);
+  }
+).post(
+  "/register/verify",
+  zValidator("json", PasskeyRegisterVerifyRequest2),
+  async (c) => {
+    const { email, credential } = c.req.valid("json");
+    const response = credential;
+    const clientDataJSON = JSON.parse(
+      Buffer.from(response.response.clientDataJSON, "base64url").toString("utf-8")
+    );
+    const challenge = clientDataJSON.challenge;
+    const stored = challengeStore.get(challenge);
+    if (!stored) {
+      throw new ApiException(errors.invalid_credentials, 401);
+    }
+    const userEmail = email ?? stored.email;
+    if (userEmail) {
+      const existing = getUserByEmail(userEmail);
+      if (existing) {
+        throw new ApiException(errors.email_already_exists, 409);
+      }
+    }
+    const { rpId, rpOrigin } = getRpConfigFromRequest(c);
+    try {
+      const verification = await verifyRegistrationResponse({
+        response,
+        expectedChallenge: stored.challenge,
+        expectedOrigin: rpOrigin,
+        expectedRPID: rpId
+      });
+      if (!verification.verified || !verification.registrationInfo) {
+        throw new ApiException(errors.invalid_credentials, 401);
+      }
+      const { credentialID, credentialPublicKey, counter, credentialDeviceType, credentialBackedUp } = verification.registrationInfo;
+      const user = createUser({ email: userEmail ?? void 0, passwordHash: void 0 });
+      createPasskey({
+        userId: user.id,
+        credentialId: credentialID,
+        publicKey: Buffer.from(credentialPublicKey).toString("base64"),
+        counter,
+        deviceType: credentialDeviceType,
+        backedUp: credentialBackedUp,
+        transports: response.response.transports
+      });
+      const token = await createToken({ userId: user.uid, email: userEmail ?? void 0 });
+      const tokenHash = hashToken(token);
+      const expiresAt = Math.floor(Date.now() / 1e3) + env.JWT_EXPIRY;
+      createSession({ userId: user.id, tokenHash, expiresAt });
+      challengeStore.delete(challenge);
+      return c.json({
+        user: {
+          id: user.uid,
+          email: user.email,
+          createdAt: user.createdAt
+        },
+        token
+      });
+    } catch (error) {
+      if (error instanceof ApiException) throw error;
+      console.error("Passkey registration error:", error);
+      throw new ApiException(errors.invalid_credentials, 401);
+    }
+  }
+).post(
+  "/login/options",
+  zValidator("json", PasskeyLoginOptionsRequest2),
+  async (c) => {
+    const { email } = c.req.valid("json");
+    let allowCredentials;
+    if (email) {
+      const user = getUserByEmail(email);
+      if (user) {
+        const passkeys = getPasskeysByUserId(user.id);
+        allowCredentials = passkeys.map((p) => ({
+          id: p.credentialId,
+          transports: p.transports?.split(",")
+        }));
+      }
+    }
+    const { rpId } = getRpConfigFromRequest(c);
+    const options = await generateAuthenticationOptions({
+      rpID: rpId,
+      allowCredentials,
+      userVerification: "preferred",
+      timeout: 6e4
+    });
+    const challengeKey = `auth:${options.challenge}`;
+    challengeStore.set(challengeKey, {
+      challenge: options.challenge,
+      expiresAt: Date.now() + 12e4
+    });
+    return c.json(options);
+  }
+).post(
+  "/login/verify",
+  zValidator("json", PasskeyLoginVerifyRequest2),
+  async (c) => {
+    const { credential } = c.req.valid("json");
+    const response = credential;
+    const passkey = getPasskeyByCredentialId(response.id);
+    if (!passkey) {
+      throw new ApiException(errors.passkey_not_found, 401);
+    }
+    let storedChallenge = null;
+    for (const [key, value] of challengeStore) {
+      if (key.startsWith("auth:") && value.expiresAt > Date.now()) {
+        storedChallenge = value.challenge;
+        break;
+      }
+    }
+    if (!storedChallenge) {
+      throw new ApiException(errors.invalid_credentials, 401);
+    }
+    const { rpId, rpOrigin } = getRpConfigFromRequest(c);
+    try {
+      const verification = await verifyAuthenticationResponse({
+        response,
+        expectedChallenge: storedChallenge,
+        expectedOrigin: rpOrigin,
+        expectedRPID: rpId,
+        authenticator: {
+          credentialID: passkey.credentialId,
+          credentialPublicKey: Buffer.from(passkey.publicKey, "base64"),
+          counter: passkey.counter,
+          transports: passkey.transports?.split(",")
+        }
+      });
+      if (!verification.verified) {
+        throw new ApiException(errors.invalid_credentials, 401);
+      }
+      updatePasskeyCounter(passkey.credentialId, verification.authenticationInfo.newCounter);
+      const token = await createToken({
+        userId: passkey.user.uid,
+        email: passkey.user.email ?? void 0
+      });
+      const tokenHash = hashToken(token);
+      const expiresAt = Math.floor(Date.now() / 1e3) + env.JWT_EXPIRY;
+      createSession({ userId: passkey.user.id, tokenHash, expiresAt });
+      challengeStore.delete(`auth:${storedChallenge}`);
+      return c.json({
+        user: {
+          id: passkey.user.uid,
+          email: passkey.user.email,
+          createdAt: passkey.user.createdAt
+        },
+        token
+      });
+    } catch (error) {
+      if (error instanceof ApiException) throw error;
+      console.error("Passkey authentication error:", error);
+      throw new ApiException(errors.invalid_credentials, 401);
+    }
+  }
+).post(
+  "/check",
+  zValidator("json", PasskeyCheckRequest),
+  (c) => {
+    const { email } = c.req.valid("json");
+    const user = getUserByEmail(email);
+    if (!user) {
+      return c.json({ hasPasskey: false });
+    }
+    const passkeys = getPasskeysByUserId(user.id);
+    return c.json({ hasPasskey: passkeys.length > 0 });
+  }
+);
+
+// src/api/auth/zkc.ts
+import { Hono as Hono2 } from "hono";
+import { zValidator as zValidator2 } from "@hono/zod-validator";
+import { z as z5 } from "zod";
+var ZkcRegisterRequest = z5.object({
+  /** Opaque identifier from ZKCredentials */
+  opaqueId: z5.string().min(1),
+  /** Optional display name */
+  displayName: z5.string().optional()
+});
+var ZkcAuthenticateRequest = z5.object({
+  /** Opaque identifier from ZKCredentials */
+  opaqueId: z5.string().min(1)
+});
+var ZkcCheckRequest = z5.object({
+  /** Opaque identifier to check */
+  opaqueId: z5.string().min(1)
+});
+var zkcRouter = new Hono2().post(
+  "/register",
+  zValidator2("json", ZkcRegisterRequest),
+  async (c) => {
+    const { opaqueId, displayName } = c.req.valid("json");
+    const existing = getUserByOpaqueId(opaqueId);
+    if (existing) {
+      throw new ApiException(errors.email_already_exists, 409);
+    }
+    const user = createUser({
+      opaqueId,
+      displayName
+    });
+    const token = await createToken({ userId: user.uid });
+    const tokenHash = hashToken(token);
+    const expiresAt = Math.floor(Date.now() / 1e3) + env.JWT_EXPIRY;
+    createSession({ userId: user.id, tokenHash, expiresAt });
+    return c.json({
+      user: {
+        id: user.uid,
+        createdAt: user.createdAt
+      },
+      token
+    });
+  }
+).post(
+  "/authenticate",
+  zValidator2("json", ZkcAuthenticateRequest),
+  async (c) => {
+    const { opaqueId } = c.req.valid("json");
+    const user = getUserByOpaqueId(opaqueId);
+    if (!user) {
+      throw new ApiException(errors.passkey_not_found, 401);
+    }
+    const token = await createToken({ userId: user.uid });
+    const tokenHash = hashToken(token);
+    const expiresAt = Math.floor(Date.now() / 1e3) + env.JWT_EXPIRY;
+    createSession({ userId: user.id, tokenHash, expiresAt });
+    return c.json({
+      user: {
+        id: user.uid,
+        createdAt: user.createdAt
+      },
+      token
+    });
+  }
+).post(
+  "/check",
+  zValidator2("json", ZkcCheckRequest),
+  (c) => {
+    const { opaqueId } = c.req.valid("json");
+    const user = getUserByOpaqueId(opaqueId);
+    return c.json({ hasPasskey: user !== void 0 });
+  }
+);
+
+// src/api/auth/router.ts
+function hashPassword(password, salt) {
+  const crypto2 = createHash2("sha256");
+  return crypto2.update(password + salt).digest("hex");
+}
+function generateSalt() {
+  return randomBytes(16).toString("hex");
+}
+var authRouter = new Hono3().post(
+  "/email/register",
+  zValidator3("json", EmailRegisterRequest),
+  async (c) => {
+    const { email, password } = c.req.valid("json");
+    const existing = getUserByEmail(email);
+    if (existing) {
+      throw new ApiException(errors.email_already_exists, 409);
+    }
+    const salt = generateSalt();
+    const passwordHash = hashPassword(password, salt) + ":" + salt;
+    const user = createUser({ email, passwordHash });
+    const token = await createToken({ userId: user.uid, email });
+    const tokenHash = hashToken(token);
+    const expiresAt = Math.floor(Date.now() / 1e3) + env.JWT_EXPIRY;
+    createSession({ userId: user.id, tokenHash, expiresAt });
+    return c.json({
+      user: {
+        id: user.uid,
+        email: user.email,
+        createdAt: user.createdAt
+      },
+      token
+    });
+  }
+).post(
+  "/email/login",
+  zValidator3("json", EmailLoginRequest),
+  async (c) => {
+    const { email, password } = c.req.valid("json");
+    const user = getUserByEmail(email);
+    if (!user || !user.passwordHash) {
+      throw new ApiException(errors.invalid_credentials, 401);
+    }
+    const [storedHash, salt] = user.passwordHash.split(":");
+    if (!salt) {
+      throw new ApiException(errors.invalid_credentials, 401);
+    }
+    const inputHash = hashPassword(password, salt);
+    if (inputHash !== storedHash) {
+      throw new ApiException(errors.invalid_credentials, 401);
+    }
+    const token = await createToken({ userId: user.uid, email: user.email ?? void 0 });
+    const tokenHash = hashToken(token);
+    const expiresAt = Math.floor(Date.now() / 1e3) + env.JWT_EXPIRY;
+    createSession({ userId: user.id, tokenHash, expiresAt });
+    return c.json({
+      user: {
+        id: user.uid,
+        email: user.email,
+        createdAt: user.createdAt
+      },
+      token
+    });
+  }
+).get(
+  "/me",
+  requireAuthMiddleware,
+  (c) => {
+    const session = c.get("session");
+    return c.json({
+      user: {
+        id: session.user.uid,
+        email: session.user.email,
+        createdAt: 0
+        // Not needed for /me
+      }
+    });
+  }
+).post(
+  "/refresh",
+  requireAuthMiddleware,
+  async (c) => {
+    const session = c.get("session");
+    const token = await createToken({
+      userId: session.user.uid,
+      email: session.user.email ?? void 0
+    });
+    const tokenHash = hashToken(token);
+    const expiresAt = Math.floor(Date.now() / 1e3) + env.JWT_EXPIRY;
+    const oldToken = c.req.header("Authorization")?.slice(7);
+    if (oldToken) {
+      deleteSession(hashToken(oldToken));
+    }
+    createSession({ userId: session.user.id, tokenHash, expiresAt });
+    return c.json({
+      token,
+      expiresIn: env.JWT_EXPIRY
+    });
+  }
+).post(
+  "/logout",
+  requireAuthMiddleware,
+  (c) => {
+    const token = c.req.header("Authorization")?.slice(7);
+    if (token) {
+      deleteSession(hashToken(token));
+    }
+    return c.json({ success: true });
+  }
+).route("/passkey", passkeyRouter).route("/zkc", zkcRouter);
+
+// src/api/vault/router.ts
+import { Hono as Hono4 } from "hono";
+import { zValidator as zValidator4 } from "@hono/zod-validator";
+
+// src/services/vault-service.ts
+function toVaultResponse(vault) {
+  return {
+    uid: vault.uid,
+    name: vault.name,
+    data: vault.data,
+    salt: vault.salt,
+    version: vault.version,
+    updatedAt: vault.updatedAt
+  };
+}
+var VaultService = class {
+  constructor(vaultRepo2) {
+    this.vaultRepo = vaultRepo2;
+  }
+  /**
+   * List all vaults for a user
+   */
+  listVaults(userId) {
+    const vaults = this.vaultRepo.findByUserId(userId);
+    return {
+      vaults: vaults.map(toVaultResponse)
+    };
+  }
+  /**
+   * Get vault by name
+   */
+  getVaultByName(name, userId) {
+    const vault = this.vaultRepo.findByName(name, userId);
+    if (!vault) {
+      throw new ApiException(errors.vault_not_found, 404);
+    }
+    return toVaultResponse(vault);
+  }
+  /**
+   * Get vault by UID
+   */
+  getVaultByUid(uid, userId) {
+    const vault = this.vaultRepo.findByUid(uid, userId);
+    if (!vault) {
+      throw new ApiException(errors.vault_not_found, 404);
+    }
+    return toVaultResponse(vault);
+  }
+  /**
+   * Create a new vault
+   */
+  createVault(userId, data) {
+    const existing = this.vaultRepo.findByName(data.name, userId);
+    if (existing) {
+      throw new ApiException(errors.vault_already_exists(data.name), 409);
+    }
+    const vault = this.vaultRepo.create({
+      userId,
+      name: data.name,
+      data: data.data,
+      salt: data.salt
+    });
+    return toVaultResponse(vault);
+  }
+  /**
+   * Update a vault
+   */
+  updateVault(uid, userId, data) {
+    const vault = this.vaultRepo.update(uid, userId, data);
+    if (!vault) {
+      throw new ApiException(errors.vault_not_found, 404);
+    }
+    return toVaultResponse(vault);
+  }
+  /**
+   * Delete a vault
+   */
+  deleteVault(uid, userId) {
+    const deleted = this.vaultRepo.delete(uid, userId);
+    if (!deleted) {
+      throw new ApiException(errors.vault_not_found, 404);
+    }
+    return { success: true };
+  }
+};
+
+// src/repositories/vault-repository.ts
+var VaultRepository = class {
+  create(vault) {
+    return createVault(vault);
+  }
+  findByUid(uid, userId) {
+    return getVaultByUid(uid, userId);
+  }
+  findByName(name, userId) {
+    return getVaultByName(name, userId);
+  }
+  findByUserId(userId) {
+    return getVaultsByUserId(userId);
+  }
+  update(uid, userId, data) {
+    return updateVault(uid, userId, data);
+  }
+  delete(uid, userId) {
+    return deleteVault(uid, userId);
+  }
+};
+
+// src/api/vault/router.ts
+var vaultRepo = new VaultRepository();
+var vaultService = new VaultService(vaultRepo);
+var vaultRouter = new Hono4().use("/*", requireAuthMiddleware).get(
+  "/",
+  (c) => {
+    const session = c.get("session");
+    return c.json(vaultService.listVaults(session.user.id));
+  }
+).get(
+  "/by-name/:name",
+  (c) => {
+    const session = c.get("session");
+    const { name } = c.req.param();
+    return c.json(vaultService.getVaultByName(name, session.user.id));
+  }
+).get(
+  "/:uid",
+  (c) => {
+    const session = c.get("session");
+    const { uid } = c.req.param();
+    return c.json(vaultService.getVaultByUid(uid, session.user.id));
+  }
+).post(
+  "/",
+  zValidator4("json", CreateVaultRequest),
+  (c) => {
+    const session = c.get("session");
+    const { name, data, salt } = c.req.valid("json");
+    return c.json(
+      vaultService.createVault(session.user.id, { name, data, salt }),
+      201
+    );
+  }
+).put(
+  "/:uid",
+  zValidator4("json", UpdateVaultRequest),
+  (c) => {
+    const session = c.get("session");
+    const { uid } = c.req.param();
+    const { data, salt, version } = c.req.valid("json");
+    return c.json(
+      vaultService.updateVault(uid, session.user.id, { data, salt, version })
+    );
+  }
+).delete(
+  "/:uid",
+  (c) => {
+    const session = c.get("session");
+    const { uid } = c.req.param();
+    return c.json(vaultService.deleteVault(uid, session.user.id));
+  }
+);
+
+// src/app.ts
+var errorHandler = (error, c) => {
+  const requestId = c.req.header("x-request-id") ?? crypto.randomUUID();
+  if (error instanceof ApiException) {
+    return c.json(
+      { error: error.error, requestId },
+      error.status
+    );
+  }
+  if (error instanceof ZodError) {
+    const message = error.errors.map((e) => `${e.path.join(".")}: ${e.message}`).join(", ");
+    return c.json(
+      {
+        error: {
+          code: "validation_error",
+          message,
+          details: { errors: error.errors }
+        },
+        requestId
+      },
+      400
+    );
+  }
+  console.error(`[${requestId}] Unhandled error:`, error);
+  return c.json(
+    { error: errors.internal_error, requestId },
+    500
+  );
+};
+function createApp() {
+  const app = new Hono5();
+  app.use("*", logger());
+  app.use(
+    "*",
+    cors({
+      origin: "*",
+      // Configure for production
+      allowMethods: ["GET", "POST", "PUT", "DELETE", "OPTIONS"],
+      allowHeaders: ["Content-Type", "Authorization"],
+      exposeHeaders: ["X-Request-Id"]
+    })
+  );
+  app.get("/health", (c) => c.json({ status: "ok", timestamp: Date.now() }));
+  app.route("/auth", authRouter);
+  app.route("/vault", vaultRouter);
+  app.onError(errorHandler);
+  app.notFound((c) => {
+    return c.json(
+      { error: { code: "not_found", message: "Endpoint not found" } },
+      404
+    );
+  });
+  return app;
+}
+export {
+  ApiException,
+  AuthResponse,
+  CreateVaultRequest,
+  EmailLoginRequest,
+  EmailRegisterRequest,
+  MeResponse,
+  PasskeyCheckResponse,
+  PasskeyLoginOptionsRequest,
+  PasskeyLoginVerifyRequest,
+  PasskeyRegisterOptionsRequest,
+  PasskeyRegisterVerifyRequest,
+  RefreshResponse,
+  UpdateVaultRequest,
+  UserResponse,
+  VaultResponse,
+  VaultsListResponse,
+  closeDb,
+  createApp,
+  createToken,
+  errors,
+  getDb,
+  getError,
+  hashToken,
+  optionalAuthMiddleware,
+  requireAuthMiddleware,
+  verifyToken
+};