@ursalock/server 0.3.1 → 0.4.2

package/dist/index.js

@@ -1,5 +1,5 @@
 // src/app.ts
-import { Hono as Hono5 } from "hono";
+import { Hono as Hono6 } from "hono";
 import { cors } from "hono/cors";
 import { logger } from "hono/logger";
 import { bodyLimit } from "hono/body-limit";
@@ -88,6 +88,13 @@ function getAllowedOrigins() {
 }
 
 // src/db/schema.ts
+function parseApiKeyScopes(key) {
+  return {
+    permissions: JSON.parse(key.permissions),
+    vaultUids: key.vaultUids ? JSON.parse(key.vaultUids) : null,
+    collections: key.collections ? JSON.parse(key.collections) : null
+  };
+}
 var CREATE_TABLES_SQL = `
 -- Users table
 CREATE TABLE IF NOT EXISTS users (
@@ -149,6 +156,47 @@ CREATE TABLE IF NOT EXISTS vaults (
 CREATE INDEX IF NOT EXISTS idx_vaults_uid ON vaults(uid);
 CREATE INDEX IF NOT EXISTS idx_vaults_user_id ON vaults(user_id);
 CREATE UNIQUE INDEX IF NOT EXISTS idx_vaults_user_name ON vaults(user_id, name);
+
+-- Documents table (individually encrypted items within vaults)
+CREATE TABLE IF NOT EXISTS documents (
+  id INTEGER PRIMARY KEY AUTOINCREMENT,
+  uid TEXT NOT NULL UNIQUE DEFAULT (lower(hex(randomblob(16)))),
+  vault_uid TEXT NOT NULL,
+  user_id INTEGER NOT NULL REFERENCES users(id) ON DELETE CASCADE,
+  collection TEXT NOT NULL,
+  data TEXT NOT NULL,
+  hmac TEXT,
+  version INTEGER NOT NULL DEFAULT 1,
+  created_at INTEGER NOT NULL DEFAULT (unixepoch()),
+  updated_at INTEGER NOT NULL DEFAULT (unixepoch()),
+  deleted_at INTEGER
+);
+
+CREATE INDEX IF NOT EXISTS idx_documents_vault_uid ON documents(vault_uid);
+CREATE INDEX IF NOT EXISTS idx_documents_user_id ON documents(user_id);
+CREATE INDEX IF NOT EXISTS idx_documents_vault_collection ON documents(vault_uid, collection);
+CREATE INDEX IF NOT EXISTS idx_documents_vault_updated ON documents(vault_uid, updated_at);
+CREATE INDEX IF NOT EXISTS idx_documents_vault_collection_deleted ON documents(vault_uid, collection, deleted_at);
+
+-- API keys table (for agent/service access)
+CREATE TABLE IF NOT EXISTS api_keys (
+  id INTEGER PRIMARY KEY AUTOINCREMENT,
+  uid TEXT NOT NULL UNIQUE DEFAULT (lower(hex(randomblob(16)))),
+  user_id INTEGER NOT NULL REFERENCES users(id) ON DELETE CASCADE,
+  name TEXT NOT NULL,
+  key_hash TEXT NOT NULL UNIQUE,
+  key_prefix TEXT NOT NULL,
+  permissions TEXT NOT NULL DEFAULT '["read","write"]',
+  vault_uids TEXT,
+  collections TEXT,
+  expires_at INTEGER,
+  last_used_at INTEGER,
+  created_at INTEGER NOT NULL DEFAULT (unixepoch()),
+  revoked_at INTEGER
+);
+
+CREATE INDEX IF NOT EXISTS idx_api_keys_key_hash ON api_keys(key_hash);
+CREATE INDEX IF NOT EXISTS idx_api_keys_user_id ON api_keys(user_id);
 `;
 
 // src/db/client.ts
@@ -400,6 +448,186 @@ function deleteVault(uid, userId) {
   const stmt = db.prepare(`DELETE FROM vaults WHERE uid = ? AND user_id = ?`);
   return stmt.run(uid, userId).changes > 0;
 }
+var DOCUMENT_COLUMNS = `id, uid, vault_uid as vaultUid, user_id as userId, collection,
+           data, hmac, version, created_at as createdAt, updated_at as updatedAt, deleted_at as deletedAt`;
+function createDocument(input) {
+  const db = getDb();
+  const stmt = db.prepare(`
+    INSERT INTO documents (vault_uid, user_id, collection, data, hmac)
+    VALUES (?, ?, ?, ?, ?)
+    RETURNING ${DOCUMENT_COLUMNS}
+  `);
+  return stmt.get(
+    input.vaultUid,
+    input.userId,
+    input.collection,
+    input.data,
+    input.hmac ?? null
+  );
+}
+function getDocumentByUid(uid, vaultUid, userId) {
+  const db = getDb();
+  const stmt = db.prepare(`
+    SELECT ${DOCUMENT_COLUMNS}
+    FROM documents WHERE uid = ? AND vault_uid = ? AND user_id = ?
+  `);
+  return stmt.get(uid, vaultUid, userId);
+}
+function listDocuments(vaultUid, userId, opts) {
+  const db = getDb();
+  const conditions = ["vault_uid = ?", "user_id = ?"];
+  const params = [vaultUid, userId];
+  if (opts?.collection) {
+    conditions.push("collection = ?");
+    params.push(opts.collection);
+  }
+  if (opts?.since != null) {
+    conditions.push("updated_at >= ?");
+    params.push(opts.since);
+  }
+  if (!opts?.includeDeleted) {
+    conditions.push("deleted_at IS NULL");
+  }
+  let query = `SELECT ${DOCUMENT_COLUMNS} FROM documents WHERE ${conditions.join(" AND ")} ORDER BY updated_at DESC`;
+  if (opts?.limit != null) {
+    query += ` LIMIT ?`;
+    params.push(opts.limit);
+  }
+  if (opts?.offset != null) {
+    query += ` OFFSET ?`;
+    params.push(opts.offset);
+  }
+  const stmt = db.prepare(query);
+  return stmt.all(...params);
+}
+function updateDocument(uid, vaultUid, userId, input) {
+  const db = getDb();
+  if (input.version != null) {
+    const result = db.transaction(() => {
+      const stmt2 = db.prepare(`
+        UPDATE documents SET data = ?, hmac = ?, version = ? + 1, updated_at = unixepoch()
+        WHERE uid = ? AND vault_uid = ? AND user_id = ? AND version = ?
+        RETURNING ${DOCUMENT_COLUMNS}
+      `);
+      const doc2 = stmt2.get(input.data, input.hmac ?? null, input.version, uid, vaultUid, userId, input.version);
+      if (doc2) return { document: doc2, conflict: false };
+      const exists = db.prepare(
+        `SELECT 1 FROM documents WHERE uid = ? AND vault_uid = ? AND user_id = ?`
+      ).get(uid, vaultUid, userId);
+      return { document: void 0, conflict: !!exists };
+    })();
+    return result;
+  }
+  const stmt = db.prepare(`
+    UPDATE documents SET data = ?, hmac = ?, version = version + 1, updated_at = unixepoch()
+    WHERE uid = ? AND vault_uid = ? AND user_id = ?
+    RETURNING ${DOCUMENT_COLUMNS}
+  `);
+  const doc = stmt.get(input.data, input.hmac ?? null, uid, vaultUid, userId);
+  return { document: doc, conflict: false };
+}
+function softDeleteDocument(uid, vaultUid, userId) {
+  const db = getDb();
+  const stmt = db.prepare(`
+    UPDATE documents SET deleted_at = unixepoch(), updated_at = unixepoch()
+    WHERE uid = ? AND vault_uid = ? AND user_id = ? AND deleted_at IS NULL
+    RETURNING ${DOCUMENT_COLUMNS}
+  `);
+  return stmt.get(uid, vaultUid, userId);
+}
+function getDocumentsSince(vaultUid, userId, since) {
+  const db = getDb();
+  const stmt = db.prepare(`
+    SELECT ${DOCUMENT_COLUMNS}
+    FROM documents WHERE vault_uid = ? AND user_id = ? AND updated_at >= ?
+    ORDER BY updated_at DESC
+  `);
+  return stmt.all(vaultUid, userId, since);
+}
+var API_KEY_COLUMNS = `id, uid, user_id as userId, name, key_hash as keyHash, key_prefix as keyPrefix,
+           permissions, vault_uids as vaultUids, collections, expires_at as expiresAt,
+           last_used_at as lastUsedAt, created_at as createdAt, revoked_at as revokedAt`;
+function createApiKey(input) {
+  const db = getDb();
+  const stmt = db.prepare(`
+    INSERT INTO api_keys (user_id, name, key_hash, key_prefix, permissions, vault_uids, collections, expires_at)
+    VALUES (?, ?, ?, ?, ?, ?, ?, ?)
+    RETURNING ${API_KEY_COLUMNS}
+  `);
+  const permissions = input.permissions ? JSON.stringify(input.permissions) : '["read","write"]';
+  const vaultUids = input.vaultUids ? JSON.stringify(input.vaultUids) : null;
+  const collections = input.collections ? JSON.stringify(input.collections) : null;
+  return stmt.get(
+    input.userId,
+    input.name,
+    input.keyHash,
+    input.keyPrefix,
+    permissions,
+    vaultUids,
+    collections,
+    input.expiresAt ?? null
+  );
+}
+function getApiKeyByHash(keyHash) {
+  const db = getDb();
+  const stmt = db.prepare(`
+    SELECT 
+      k.id, k.uid, k.user_id as userId, k.name, k.key_hash as keyHash, k.key_prefix as keyPrefix,
+      k.permissions, k.vault_uids as vaultUids, k.collections, k.expires_at as expiresAt,
+      k.last_used_at as lastUsedAt, k.created_at as createdAt, k.revoked_at as revokedAt,
+      ${USER_JOIN_COLUMNS}
+    FROM api_keys k
+    JOIN users u ON k.user_id = u.id
+    WHERE k.key_hash = ?
+  `);
+  const row = stmt.get(keyHash);
+  if (!row) return void 0;
+  return {
+    id: row["id"],
+    uid: row["uid"],
+    userId: row["userId"],
+    name: row["name"],
+    keyHash: row["keyHash"],
+    keyPrefix: row["keyPrefix"],
+    permissions: row["permissions"],
+    vaultUids: row["vaultUids"] ?? null,
+    collections: row["collections"] ?? null,
+    expiresAt: row["expiresAt"] ?? null,
+    lastUsedAt: row["lastUsedAt"] ?? null,
+    createdAt: row["createdAt"],
+    revokedAt: row["revokedAt"] ?? null,
+    user: userFromRow(row)
+  };
+}
+function listApiKeysByUserId(userId) {
+  const db = getDb();
+  const stmt = db.prepare(`
+    SELECT id, uid, user_id as userId, name, key_prefix as keyPrefix,
+           permissions, vault_uids as vaultUids, collections, expires_at as expiresAt,
+           last_used_at as lastUsedAt, created_at as createdAt, revoked_at as revokedAt
+    FROM api_keys WHERE user_id = ?
+    ORDER BY created_at DESC
+  `);
+  return stmt.all(userId);
+}
+function revokeApiKey(uid, userId) {
+  const db = getDb();
+  const stmt = db.prepare(`
+    UPDATE api_keys SET revoked_at = unixepoch()
+    WHERE uid = ? AND user_id = ? AND revoked_at IS NULL
+  `);
+  return stmt.run(uid, userId).changes > 0;
+}
+function updateApiKeyLastUsed(uid) {
+  const db = getDb();
+  const stmt = db.prepare(`UPDATE api_keys SET last_used_at = unixepoch() WHERE uid = ?`);
+  stmt.run(uid);
+}
+function deleteExpiredApiKeys() {
+  const db = getDb();
+  const stmt = db.prepare(`DELETE FROM api_keys WHERE expires_at IS NOT NULL AND expires_at <= unixepoch()`);
+  return stmt.run().changes;
+}
 
 // src/features/auth/jwt.ts
 import { createHash } from "crypto";
@@ -460,11 +688,18 @@ var ErrorCode = z2.enum([
   "passkey_not_found",
   "session_expired",
   "invalid_origin",
+  "api_key_not_found",
+  "api_key_revoked",
+  "insufficient_permissions",
   // Vault errors
   "vault_not_found",
   "vault_already_exists",
   "vault_conflict",
   "invalid_vault_data",
+  // Document errors
+  "document_not_found",
+  "document_conflict",
+  "document_already_exists",
   // Validation errors
   "validation_error",
   "invalid_request",
@@ -488,29 +723,37 @@ var errors = {
   passkey_not_found: { code: "passkey_not_found", message: "Passkey not found" },
   session_expired: { code: "session_expired", message: "Session expired" },
   invalid_origin: { code: "invalid_origin", message: "Origin not allowed" },
+  api_key_not_found: { code: "api_key_not_found", message: "API key not found" },
+  api_key_revoked: { code: "api_key_revoked", message: "API key has been revoked" },
+  insufficient_permissions: { code: "insufficient_permissions", message: "Insufficient permissions" },
   // Vault errors
   vault_not_found: { code: "vault_not_found", message: "Vault not found" },
-  vault_already_exists: (name) => ({
-    code: "vault_already_exists",
-    message: `Vault "${name}" already exists`
-  }),
   vault_conflict: { code: "vault_conflict", message: "Version conflict - vault has been modified. Please refresh and retry." },
   invalid_vault_data: { code: "invalid_vault_data", message: "Invalid vault data" },
+  // Document errors
+  document_not_found: { code: "document_not_found", message: "Document not found" },
+  document_conflict: { code: "document_conflict", message: "Version conflict - document has been modified. Please refresh and retry." },
+  document_already_exists: { code: "document_already_exists", message: "Document already exists" },
   // Validation errors
-  validation_error: (details) => ({
-    code: "validation_error",
-    message: details
-  }),
   invalid_request: { code: "invalid_request", message: "Invalid request" },
   // Server errors
   internal_error: { code: "internal_error", message: "Internal server error" }
 };
-function getError(code, arg) {
-  const factory = errors[code];
-  if (typeof factory === "function") {
-    return factory(arg ?? "");
+var errorBuilders = {
+  vaultAlreadyExists: (name) => ({
+    code: "vault_already_exists",
+    message: `Vault "${name}" already exists`
+  }),
+  validationError: (details) => ({
+    code: "validation_error",
+    message: details
+  })
+};
+function getError(code) {
+  if (code in errors) {
+    return errors[code];
   }
-  return factory;
+  return { code, message: code.replace(/_/g, " ") };
 }
 
 // src/features/auth/middleware.ts
@@ -538,7 +781,8 @@ var optionalAuthMiddleware = createMiddleware(async (c, next) => {
       uid: session.user.uid,
       email: session.user.email
     },
-    sessionId: session.id
+    sessionId: session.id,
+    authType: "jwt"
   });
   return next();
 });
@@ -548,6 +792,44 @@ var requireAuthMiddleware = createMiddleware(async (c, next) => {
     throw new ApiException(getError("unauthorized"), 401);
   }
   const token = authHeader.slice(7);
+  if (token.startsWith("ulk_")) {
+    if (token.length !== 52) {
+      throw new ApiException(getError("unauthorized"), 401);
+    }
+    const keyHash = hashToken(token);
+    const keyRecord = getApiKeyByHash(keyHash);
+    if (!keyRecord) {
+      throw new ApiException(getError("unauthorized"), 401);
+    }
+    if (keyRecord.revokedAt !== null) {
+      throw new ApiException(getError("api_key_revoked"), 401);
+    }
+    const now = Math.floor(Date.now() / 1e3);
+    if (keyRecord.expiresAt !== null && keyRecord.expiresAt <= now) {
+      throw new ApiException(getError("unauthorized"), 401);
+    }
+    setImmediate(() => {
+      try {
+        updateApiKeyLastUsed(keyRecord.uid);
+      } catch {
+      }
+    });
+    const scopes = parseApiKeyScopes(keyRecord);
+    c.set("session", {
+      user: {
+        id: keyRecord.user.id,
+        uid: keyRecord.user.uid,
+        email: keyRecord.user.email
+      },
+      sessionId: keyRecord.id,
+      authType: "apiKey",
+      apiKey: {
+        uid: keyRecord.uid,
+        ...scopes
+      }
+    });
+    return next();
+  }
   const payload = await verifyToken(token);
   if (!payload?.sub) {
     throw new ApiException(getError("unauthorized"), 401);
@@ -563,10 +845,39 @@ var requireAuthMiddleware = createMiddleware(async (c, next) => {
       uid: session.user.uid,
       email: session.user.email
     },
-    sessionId: session.id
+    sessionId: session.id,
+    authType: "jwt"
+  });
+  return next();
+});
+var requirePermission = (permission) => {
+  return createMiddleware(async (c, next) => {
+    const session = c.get("session");
+    if (!session.apiKey) return next();
+    if (!session.apiKey.permissions.includes(permission)) {
+      throw new ApiException(getError("insufficient_permissions"), 403);
+    }
+    return next();
   });
+};
+var requireVaultAccess = createMiddleware(async (c, next) => {
+  const session = c.get("session");
+  if (!session.apiKey) return next();
+  if (session.apiKey.vaultUids === null) return next();
+  const vaultUid = c.req.param("vaultUid") ?? c.req.param("uid");
+  if (!vaultUid) return next();
+  if (!session.apiKey.vaultUids.includes(vaultUid)) {
+    throw new ApiException(getError("vault_not_found"), 404);
+  }
   return next();
 });
+function assertCollectionAccess(session, collection) {
+  if (!session.apiKey) return;
+  if (session.apiKey.collections === null) return;
+  if (!session.apiKey.collections.includes(collection)) {
+    throw new ApiException(getError("insufficient_permissions"), 403);
+  }
+}
 
 // src/api/schemas.ts
 import { z as z3 } from "zod";
@@ -633,6 +944,70 @@ var VaultResponse = z3.object({
 var VaultsListResponse = z3.object({
   vaults: z3.array(VaultResponse)
 });
+var COLLECTION_NAME_RE = /^[A-Za-z0-9_-]+$/;
+var HMAC_HEX_RE = /^[0-9a-f]{64}$/;
+var CreateDocumentRequest = z3.object({
+  collection: z3.string().min(1).max(255).regex(COLLECTION_NAME_RE, "Collection name must be alphanumeric (hyphens and underscores allowed)"),
+  data: z3.string().max(MAX_DATA_SIZE, `Data must not exceed ${MAX_DATA_SIZE} bytes`).regex(BASE64_RE, "Data must be valid base64"),
+  hmac: z3.string().regex(HMAC_HEX_RE, "HMAC must be a valid SHA-256 hex string (64 characters)").optional()
+});
+var UpdateDocumentRequest = z3.object({
+  data: z3.string().max(MAX_DATA_SIZE, `Data must not exceed ${MAX_DATA_SIZE} bytes`).regex(BASE64_RE, "Data must be valid base64"),
+  hmac: z3.string().regex(HMAC_HEX_RE, "HMAC must be a valid SHA-256 hex string (64 characters)").optional(),
+  version: z3.number().optional()
+});
+var DocumentResponse = z3.object({
+  uid: z3.string(),
+  collection: z3.string(),
+  data: z3.string(),
+  hmac: z3.string().nullable(),
+  version: z3.number(),
+  createdAt: z3.number(),
+  updatedAt: z3.number(),
+  deletedAt: z3.number().nullable()
+});
+var DocumentListResponse = z3.object({
+  documents: z3.array(DocumentResponse)
+});
+var DocumentSyncResponse = z3.object({
+  documents: z3.array(DocumentResponse),
+  syncedAt: z3.number()
+});
+var CreateApiKeyRequest = z3.object({
+  name: z3.string().min(1).max(255),
+  permissions: z3.array(z3.enum(["read", "write", "delete"])).optional(),
+  vaultUids: z3.array(z3.string()).optional(),
+  collections: z3.array(z3.string()).optional(),
+  expiresAt: z3.number().optional()
+});
+var ApiKeyResponse = z3.object({
+  uid: z3.string(),
+  name: z3.string(),
+  keyPrefix: z3.string(),
+  permissions: z3.array(z3.string()),
+  vaultUids: z3.array(z3.string()).nullable(),
+  collections: z3.array(z3.string()).nullable(),
+  expiresAt: z3.number().nullable(),
+  lastUsedAt: z3.number().nullable(),
+  createdAt: z3.number(),
+  revokedAt: z3.number().nullable()
+});
+var ApiKeyCreatedResponse = ApiKeyResponse.extend({
+  key: z3.string()
+});
+var ApiKeysListResponse = z3.object({
+  apiKeys: z3.array(ApiKeyResponse)
+});
+
+// src/features/auth/key-gen.ts
+import { randomBytes } from "crypto";
+function generateApiKey() {
+  const randomPart = randomBytes(24).toString("hex");
+  return `ulk_${randomPart}`;
+}
+function getKeyPrefix(key) {
+  return key.substring(0, 8);
+}
 
 // src/api/auth/passkey.ts
 import { Hono } from "hono";
@@ -1058,6 +1433,12 @@ var zkcRouter = new Hono2().post(
 );
 
 // src/api/auth/router.ts
+var MAX_API_KEYS_PER_USER = 50;
+function requireJwtSession(session) {
+  if (session.apiKey) {
+    throw new ApiException(errors.insufficient_permissions, 403);
+  }
+}
 var authRouter = new Hono3().post(
   "/email/register",
   zValidator3("json", EmailRegisterRequest),
@@ -1154,6 +1535,82 @@ var authRouter = new Hono3().post(
     }
     return c.json({ success: true });
   }
+).post(
+  "/api-keys",
+  requireAuthMiddleware,
+  zValidator3("json", CreateApiKeyRequest),
+  async (c) => {
+    const session = c.get("session");
+    requireJwtSession(session);
+    const existing = listApiKeysByUserId(session.user.id);
+    if (existing.length >= MAX_API_KEYS_PER_USER) {
+      throw new ApiException(
+        { code: "rate_limited", message: `Maximum ${MAX_API_KEYS_PER_USER} API keys per user` },
+        429
+      );
+    }
+    const input = c.req.valid("json");
+    const key = generateApiKey();
+    const keyHash = hashToken(key);
+    const apiKey = createApiKey({
+      userId: session.user.id,
+      name: input.name,
+      keyHash,
+      keyPrefix: getKeyPrefix(key),
+      permissions: input.permissions,
+      vaultUids: input.vaultUids,
+      collections: input.collections,
+      expiresAt: input.expiresAt
+    });
+    const scopes = parseApiKeyScopes(apiKey);
+    return c.json({
+      uid: apiKey.uid,
+      name: apiKey.name,
+      key,
+      // Only returned on creation!
+      keyPrefix: apiKey.keyPrefix,
+      ...scopes,
+      expiresAt: apiKey.expiresAt,
+      lastUsedAt: apiKey.lastUsedAt,
+      createdAt: apiKey.createdAt,
+      revokedAt: apiKey.revokedAt
+    });
+  }
+).get(
+  "/api-keys",
+  requireAuthMiddleware,
+  (c) => {
+    const session = c.get("session");
+    requireJwtSession(session);
+    const apiKeys = listApiKeysByUserId(session.user.id);
+    return c.json({
+      apiKeys: apiKeys.map((key) => {
+        const scopes = parseApiKeyScopes(key);
+        return {
+          uid: key.uid,
+          name: key.name,
+          keyPrefix: key.keyPrefix,
+          ...scopes,
+          expiresAt: key.expiresAt,
+          lastUsedAt: key.lastUsedAt,
+          createdAt: key.createdAt,
+          revokedAt: key.revokedAt
+        };
+      })
+    });
+  }
+).delete(
+  "/api-keys/:uid",
+  requireAuthMiddleware,
+  (c) => {
+    const session = c.get("session");
+    requireJwtSession(session);
+    const uid = c.req.param("uid");
+    if (!revokeApiKey(uid, session.user.id)) {
+      throw new ApiException(errors.api_key_not_found, 404);
+    }
+    return c.json({ success: true });
+  }
 ).route("/passkey", passkeyRouter).route("/zkc", zkcRouter);
 
 // src/api/vault/router.ts
@@ -1172,8 +1629,8 @@ function toVaultResponse(vault) {
   };
 }
 var VaultService = class {
-  constructor(vaultRepo2) {
-    this.vaultRepo = vaultRepo2;
+  constructor(vaultRepo3) {
+    this.vaultRepo = vaultRepo3;
   }
   /**
    * List all vaults for a user
@@ -1210,7 +1667,7 @@ var VaultService = class {
   createVault(userId, data) {
     const existing = this.vaultRepo.findByName(data.name, userId);
     if (existing) {
-      throw new ApiException(errors.vault_already_exists(data.name), 409);
+      throw new ApiException(errorBuilders.vaultAlreadyExists(data.name), 409);
     }
     const vault = this.vaultRepo.create({
       userId,
@@ -1275,19 +1732,32 @@ var vaultRepo = new VaultRepository();
 var vaultService = new VaultService(vaultRepo);
 var vaultRouter = new Hono4().use("/*", requireAuthMiddleware).get(
   "/",
+  requirePermission("read"),
   (c) => {
     const session = c.get("session");
-    return c.json(vaultService.listVaults(session.user.id));
+    const result = vaultService.listVaults(session.user.id);
+    if (session.apiKey?.vaultUids) {
+      const allowed = new Set(session.apiKey.vaultUids);
+      result.vaults = result.vaults.filter((v) => allowed.has(v.uid));
+    }
+    return c.json(result);
   }
 ).get(
   "/by-name/:name",
+  requirePermission("read"),
   (c) => {
     const session = c.get("session");
     const { name } = c.req.param();
-    return c.json(vaultService.getVaultByName(name, session.user.id));
+    const vault = vaultService.getVaultByName(name, session.user.id);
+    if (session.apiKey?.vaultUids && !session.apiKey.vaultUids.includes(vault.uid)) {
+      throw new ApiException(errors.vault_not_found, 404);
+    }
+    return c.json(vault);
   }
 ).get(
   "/:uid",
+  requirePermission("read"),
+  requireVaultAccess,
   (c) => {
     const session = c.get("session");
     const { uid } = c.req.param();
@@ -1295,6 +1765,7 @@ var vaultRouter = new Hono4().use("/*", requireAuthMiddleware).get(
   }
 ).post(
   "/",
+  requirePermission("write"),
   zValidator4("json", CreateVaultRequest),
   (c) => {
     const session = c.get("session");
@@ -1306,6 +1777,8 @@ var vaultRouter = new Hono4().use("/*", requireAuthMiddleware).get(
   }
 ).put(
   "/:uid",
+  requirePermission("write"),
+  requireVaultAccess,
   zValidator4("json", UpdateVaultRequest),
   (c) => {
     const session = c.get("session");
@@ -1317,6 +1790,8 @@ var vaultRouter = new Hono4().use("/*", requireAuthMiddleware).get(
   }
 ).delete(
   "/:uid",
+  requirePermission("delete"),
+  requireVaultAccess,
   (c) => {
     const session = c.get("session");
     const { uid } = c.req.param();
@@ -1324,6 +1799,245 @@ var vaultRouter = new Hono4().use("/*", requireAuthMiddleware).get(
   }
 );
 
+// src/api/document/router.ts
+import { Hono as Hono5 } from "hono";
+import { zValidator as zValidator5 } from "@hono/zod-validator";
+import { z as z6 } from "zod";
+
+// src/services/document-service.ts
+function toDocumentResponse(document) {
+  return {
+    uid: document.uid,
+    collection: document.collection,
+    data: document.data,
+    hmac: document.hmac,
+    version: document.version,
+    createdAt: document.createdAt,
+    updatedAt: document.updatedAt,
+    deletedAt: document.deletedAt
+  };
+}
+var DocumentService = class {
+  constructor(documentRepo2, vaultRepo3) {
+    this.documentRepo = documentRepo2;
+    this.vaultRepo = vaultRepo3;
+  }
+  /**
+   * Verify vault exists and belongs to user.
+   * Only needed for create (to prevent orphan documents referencing non-existent vaults).
+   * Read/update/delete queries already filter by userId — no vault exists = empty result.
+   */
+  verifyVaultOwnership(vaultUid, userId) {
+    const vault = this.vaultRepo.findByUid(vaultUid, userId);
+    if (!vault) {
+      throw new ApiException(errors.vault_not_found, 404);
+    }
+  }
+  /**
+   * Create a new document
+   */
+  createDocument(userId, vaultUid, data) {
+    this.verifyVaultOwnership(vaultUid, userId);
+    const document = this.documentRepo.create({
+      vaultUid,
+      userId,
+      collection: data.collection,
+      data: data.data,
+      hmac: data.hmac
+    });
+    return toDocumentResponse(document);
+  }
+  /**
+   * Get document by UID
+   */
+  getDocument(uid, vaultUid, userId) {
+    const document = this.documentRepo.findByUid(uid, vaultUid, userId);
+    if (!document) {
+      throw new ApiException(errors.document_not_found, 404);
+    }
+    return toDocumentResponse(document);
+  }
+  /**
+   * List documents in a vault
+   */
+  listDocuments(vaultUid, userId, opts) {
+    const documents = this.documentRepo.list(vaultUid, userId, opts);
+    return {
+      documents: documents.map(toDocumentResponse)
+    };
+  }
+  /**
+   * Update a document
+   */
+  updateDocument(uid, vaultUid, userId, data) {
+    const { document, conflict } = this.documentRepo.update(uid, vaultUid, userId, data);
+    if (!document) {
+      if (conflict) {
+        throw new ApiException(errors.document_conflict, 409);
+      }
+      throw new ApiException(errors.document_not_found, 404);
+    }
+    return toDocumentResponse(document);
+  }
+  /**
+   * Soft delete a document
+   */
+  deleteDocument(uid, vaultUid, userId) {
+    const document = this.documentRepo.softDelete(uid, vaultUid, userId);
+    if (!document) {
+      throw new ApiException(errors.document_not_found, 404);
+    }
+    return { success: true };
+  }
+  /**
+   * Delta sync - get documents modified since timestamp
+   */
+  syncDocuments(vaultUid, userId, since) {
+    const documents = this.documentRepo.getSince(vaultUid, userId, since);
+    return {
+      documents: documents.map(toDocumentResponse),
+      syncedAt: Math.floor(Date.now() / 1e3)
+    };
+  }
+};
+
+// src/repositories/document-repository.ts
+var DocumentRepository = class {
+  create(document) {
+    return createDocument(document);
+  }
+  findByUid(uid, vaultUid, userId) {
+    return getDocumentByUid(uid, vaultUid, userId);
+  }
+  list(vaultUid, userId, opts) {
+    return listDocuments(vaultUid, userId, opts);
+  }
+  update(uid, vaultUid, userId, data) {
+    return updateDocument(uid, vaultUid, userId, data);
+  }
+  softDelete(uid, vaultUid, userId) {
+    return softDeleteDocument(uid, vaultUid, userId);
+  }
+  getSince(vaultUid, userId, since) {
+    return getDocumentsSince(vaultUid, userId, since);
+  }
+};
+
+// src/api/document/router.ts
+var documentRepo = new DocumentRepository();
+var vaultRepo2 = new VaultRepository();
+var documentService = new DocumentService(documentRepo, vaultRepo2);
+var ListQuerySchema = z6.object({
+  collection: z6.string().optional(),
+  since: z6.coerce.number().optional(),
+  includeDeleted: z6.enum(["true", "false"]).optional().transform((val) => val === "true"),
+  limit: z6.coerce.number().optional(),
+  offset: z6.coerce.number().optional()
+});
+var SyncQuerySchema = z6.object({
+  since: z6.coerce.number()
+});
+var documentRouter = new Hono5().use("/*", requireAuthMiddleware).get(
+  "/vault/:vaultUid/documents",
+  requirePermission("read"),
+  requireVaultAccess,
+  zValidator5("query", ListQuerySchema),
+  (c) => {
+    const session = c.get("session");
+    const { vaultUid } = c.req.param();
+    const query = c.req.valid("query");
+    if (query.collection) {
+      assertCollectionAccess(session, query.collection);
+    }
+    const result = documentService.listDocuments(vaultUid, session.user.id, {
+      collection: query.collection,
+      since: query.since,
+      includeDeleted: query.includeDeleted,
+      limit: query.limit,
+      offset: query.offset
+    });
+    if (!query.collection && session.apiKey?.collections) {
+      const allowed = new Set(session.apiKey.collections);
+      result.documents = result.documents.filter((doc) => allowed.has(doc.collection));
+    }
+    return c.json(result);
+  }
+).get(
+  "/vault/:vaultUid/documents/sync",
+  requirePermission("read"),
+  requireVaultAccess,
+  zValidator5("query", SyncQuerySchema),
+  (c) => {
+    const session = c.get("session");
+    const { vaultUid } = c.req.param();
+    const { since } = c.req.valid("query");
+    const result = documentService.syncDocuments(vaultUid, session.user.id, since);
+    if (session.apiKey?.collections) {
+      const allowed = new Set(session.apiKey.collections);
+      result.documents = result.documents.filter((doc) => allowed.has(doc.collection));
+    }
+    return c.json(result);
+  }
+).get(
+  "/vault/:vaultUid/documents/:uid",
+  requirePermission("read"),
+  requireVaultAccess,
+  (c) => {
+    const session = c.get("session");
+    const { vaultUid, uid } = c.req.param();
+    return c.json(
+      documentService.getDocument(uid, vaultUid, session.user.id)
+    );
+  }
+).post(
+  "/vault/:vaultUid/documents",
+  requirePermission("write"),
+  requireVaultAccess,
+  zValidator5("json", CreateDocumentRequest),
+  (c) => {
+    const session = c.get("session");
+    const { vaultUid } = c.req.param();
+    const { collection, data, hmac } = c.req.valid("json");
+    assertCollectionAccess(session, collection);
+    return c.json(
+      documentService.createDocument(session.user.id, vaultUid, {
+        collection,
+        data,
+        hmac
+      }),
+      201
+    );
+  }
+).put(
+  "/vault/:vaultUid/documents/:uid",
+  requirePermission("write"),
+  requireVaultAccess,
+  zValidator5("json", UpdateDocumentRequest),
+  (c) => {
+    const session = c.get("session");
+    const { vaultUid, uid } = c.req.param();
+    const { data, hmac, version } = c.req.valid("json");
+    return c.json(
+      documentService.updateDocument(uid, vaultUid, session.user.id, {
+        data,
+        hmac,
+        version
+      })
+    );
+  }
+).delete(
+  "/vault/:vaultUid/documents/:uid",
+  requirePermission("delete"),
+  requireVaultAccess,
+  (c) => {
+    const session = c.get("session");
+    const { vaultUid, uid } = c.req.param();
+    return c.json(
+      documentService.deleteDocument(uid, vaultUid, session.user.id)
+    );
+  }
+);
+
 // src/features/auth/rate-limit.ts
 import { createMiddleware as createMiddleware2 } from "hono/factory";
 var DEFAULT_CONFIG = { max: 100, windowMs: 6e4 };
@@ -1386,47 +2100,6 @@ function rateLimit(config = {}) {
   });
 }
 
-// src/features/auth/csrf.ts
-import { createMiddleware as createMiddleware3 } from "hono/factory";
-import { getCookie, setCookie } from "hono/cookie";
-var CSRF_COOKIE_NAME = "__csrf";
-var CSRF_HEADER_NAME = "x-csrf-token";
-var TOKEN_BYTES = 32;
-var SAFE_METHODS = /* @__PURE__ */ new Set(["GET", "HEAD", "OPTIONS"]);
-function csrfCookieOptions() {
-  return {
-    path: "/",
-    httpOnly: false,
-    // Client JS must read this value
-    sameSite: "Strict",
-    secure: env.NODE_ENV === "production"
-  };
-}
-function generateToken() {
-  const bytes = new Uint8Array(TOKEN_BYTES);
-  crypto.getRandomValues(bytes);
-  return Array.from(bytes).map((b) => b.toString(16).padStart(2, "0")).join("");
-}
-var csrfProtection = createMiddleware3(async (c, next) => {
-  if (SAFE_METHODS.has(c.req.method)) {
-    const existing = getCookie(c, CSRF_COOKIE_NAME);
-    if (!existing) {
-      setCookie(c, CSRF_COOKIE_NAME, generateToken(), csrfCookieOptions());
-    }
-    return next();
-  }
-  const cookieToken = getCookie(c, CSRF_COOKIE_NAME);
-  const headerToken = c.req.header(CSRF_HEADER_NAME);
-  if (!cookieToken || !headerToken || cookieToken !== headerToken) {
-    throw new ApiException(
-      { code: "invalid_request", message: "Invalid or missing CSRF token" },
-      403
-    );
-  }
-  setCookie(c, CSRF_COOKIE_NAME, generateToken(), csrfCookieOptions());
-  await next();
-});
-
 // src/app.ts
 var errorHandler = (error, c) => {
   const requestId = c.req.header("x-request-id") ?? crypto.randomUUID();
@@ -1457,7 +2130,7 @@ var errorHandler = (error, c) => {
   );
 };
 function createApp() {
-  const app = new Hono5();
+  const app = new Hono6();
   app.use("*", bodyLimit({ maxSize: 11 * 1024 * 1024 }));
   app.use(
     "*",
@@ -1489,11 +2162,15 @@ function createApp() {
     })
   );
   app.use("*", rateLimit({ max: 100, windowMs: 6e4 }));
-  app.use("*", csrfProtection);
   app.get("/health", (c) => c.json({ status: "ok", timestamp: Date.now() }));
+  try {
+    deleteExpiredApiKeys();
+  } catch {
+  }
   app.use("/auth/*", rateLimit({ max: 10, windowMs: 6e4 }));
   app.route("/auth", authRouter);
   app.route("/vault", vaultRouter);
+  app.route("/", documentRouter);
   app.onError(errorHandler);
   app.notFound((c) => {
     const requestId = c.req.header("x-request-id") ?? crypto.randomUUID();
@@ -1506,8 +2183,16 @@ function createApp() {
 }
 export {
   ApiException,
+  ApiKeyCreatedResponse,
+  ApiKeyResponse,
+  ApiKeysListResponse,
   AuthResponse,
+  CreateApiKeyRequest,
+  CreateDocumentRequest,
   CreateVaultRequest,
+  DocumentListResponse,
+  DocumentResponse,
+  DocumentSyncResponse,
   EmailLoginRequest,
   EmailRegisterRequest,
   MeResponse,
@@ -1516,6 +2201,7 @@ export {
   PasskeyRegisterOptionsRequest,
   PasskeyRegisterVerifyRequest,
   RefreshResponse,
+  UpdateDocumentRequest,
   UpdateVaultRequest,
   UserResponse,
   VaultResponse,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@ursalock/server",
-  "version": "0.3.1",
+  "version": "0.4.2",
   "description": "Self-hostable ursalock server with SQLite and ZKCredentials support",
   "type": "module",
   "main": "./dist/index.js",