npm - @vertz/server - Versions diffs - 0.2.0 - Mend

@vertz/server 0.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/dist/index.d.ts ADDED Viewed

@@ -0,0 +1,386 @@
+import { AccumulateProvides, AppBuilder, AppConfig, BootInstruction, BootSequence, CorsConfig, Ctx, DeepReadonly, Deps, EnvConfig, ExtractMethods, HandlerCtx, HttpMethod, HttpStatusCode, Infer as Infer2, InferSchema, ListenOptions, MiddlewareDef, Module, ModuleBootInstruction, ModuleDef, NamedMiddlewareDef, NamedModule, NamedModuleDef, NamedRouterDef, NamedServiceDef, RawRequest, ResolveInjectMap, RouterDef, ServerAdapter, ServerHandle, ServiceBootInstruction, ServiceDef, ServiceFactory } from "@vertz/core";
+import { BadRequestException, ConflictException, createEnv, createImmutableProxy, createMiddleware, createModule, createModuleDef, createServer, deepFreeze, ForbiddenException, InternalServerErrorException, makeImmutable, NotFoundException, ServiceUnavailableException, UnauthorizedException, ValidationException, VertzException, vertz } from "@vertz/core";
+interface JsonbValidator<T> {
+	parse(value: unknown): T;
+}
+interface ColumnMetadata {
+	readonly sqlType: string;
+	readonly primary: boolean;
+	readonly unique: boolean;
+	readonly nullable: boolean;
+	readonly hasDefault: boolean;
+	readonly sensitive: boolean;
+	readonly hidden: boolean;
+	readonly isTenant: boolean;
+	readonly references: {
+		readonly table: string;
+		readonly column: string;
+	} | null;
+	readonly check: string | null;
+	readonly defaultValue?: unknown;
+	readonly format?: string;
+	readonly length?: number;
+	readonly precision?: number;
+	readonly scale?: number;
+	readonly enumName?: string;
+	readonly enumValues?: readonly string[];
+	readonly validator?: JsonbValidator<unknown>;
+}
+/** Phantom symbol to carry the TypeScript type without a runtime value. */
+declare const PhantomType: unique symbol;
+interface ColumnBuilder<
+	TType,
+	TMeta extends ColumnMetadata = ColumnMetadata
+> {
+	/** Phantom field -- only exists at the type level for inference. Do not access at runtime. */
+	readonly [PhantomType]: TType;
+	readonly _meta: TMeta;
+	primary(): ColumnBuilder<TType, Omit<TMeta, "primary" | "hasDefault"> & {
+		readonly primary: true;
+		readonly hasDefault: true;
+	}>;
+	unique(): ColumnBuilder<TType, Omit<TMeta, "unique"> & {
+		readonly unique: true;
+	}>;
+	nullable(): ColumnBuilder<TType | null, Omit<TMeta, "nullable"> & {
+		readonly nullable: true;
+	}>;
+	default(value: TType | "now"): ColumnBuilder<TType, Omit<TMeta, "hasDefault"> & {
+		readonly hasDefault: true;
+		readonly defaultValue: TType | "now";
+	}>;
+	sensitive(): ColumnBuilder<TType, Omit<TMeta, "sensitive"> & {
+		readonly sensitive: true;
+	}>;
+	hidden(): ColumnBuilder<TType, Omit<TMeta, "hidden"> & {
+		readonly hidden: true;
+	}>;
+	check(sql: string): ColumnBuilder<TType, Omit<TMeta, "check"> & {
+		readonly check: string;
+	}>;
+	references(table: string, column?: string): ColumnBuilder<TType, Omit<TMeta, "references"> & {
+		readonly references: {
+			readonly table: string;
+			readonly column: string;
+		};
+	}>;
+}
+type InferColumnType<C> = C extends ColumnBuilder<infer T, ColumnMetadata> ? T : never;
+interface ThroughDef<TJoin extends TableDef<ColumnRecord> = TableDef<ColumnRecord>> {
+	readonly table: () => TJoin;
+	readonly thisKey: string;
+	readonly thatKey: string;
+}
+interface RelationDef<
+	TTarget extends TableDef<ColumnRecord> = TableDef<ColumnRecord>,
+	TType extends "one" | "many" = "one" | "many"
+> {
+	readonly _type: TType;
+	readonly _target: () => TTarget;
+	readonly _foreignKey: string | null;
+	readonly _through: ThroughDef | null;
+}
+interface IndexDef {
+	readonly columns: readonly string[];
+}
+/** A record of column builders -- the shape passed to d.table(). */
+type ColumnRecord = Record<string, ColumnBuilder<unknown, ColumnMetadata>>;
+/** Extract the TypeScript type from every column in a record. */
+type InferColumns<T extends ColumnRecord> = { [K in keyof T] : InferColumnType<T[K]> };
+/** Keys of columns where a given metadata flag is `true`. */
+type ColumnKeysWhere<
+	T extends ColumnRecord,
+	Flag extends keyof ColumnMetadata
+> = { [K in keyof T] : T[K] extends ColumnBuilder<unknown, infer M> ? M extends Record<Flag, true> ? K : never : never }[keyof T];
+/** Keys of columns where a given metadata flag is NOT `true` (i.e., false). */
+type ColumnKeysWhereNot<
+	T extends ColumnRecord,
+	Flag extends keyof ColumnMetadata
+> = { [K in keyof T] : T[K] extends ColumnBuilder<unknown, infer M> ? M extends Record<Flag, true> ? never : K : never }[keyof T];
+/**
+* $infer -- default SELECT type.
+* Excludes hidden columns. Includes everything else (including sensitive).
+*/
+type Infer<T extends ColumnRecord> = { [K in ColumnKeysWhereNot<T, "hidden">] : InferColumnType<T[K]> };
+/**
+* $infer_all -- all columns including hidden.
+*/
+type InferAll<T extends ColumnRecord> = InferColumns<T>;
+/**
+* $insert -- write type. ALL columns included (visibility is read-side only).
+* Columns with hasDefault: true become optional.
+*/
+type Insert<T extends ColumnRecord> = { [K in ColumnKeysWhereNot<T, "hasDefault">] : InferColumnType<T[K]> } & { [K in ColumnKeysWhere<T, "hasDefault">]? : InferColumnType<T[K]> };
+/**
+* $update -- write type. ALL non-primary-key columns, all optional.
+* Primary key excluded (you don't update a PK).
+*/
+type Update<T extends ColumnRecord> = { [K in ColumnKeysWhereNot<T, "primary">]? : InferColumnType<T[K]> };
+/**
+* $not_sensitive -- excludes columns marked .sensitive() OR .hidden().
+* (hidden implies sensitive for read purposes)
+*/
+type NotSensitive<T extends ColumnRecord> = { [K in ColumnKeysWhereNot<T, "sensitive"> & ColumnKeysWhereNot<T, "hidden"> & keyof T] : InferColumnType<T[K]> };
+/**
+* $not_hidden -- excludes columns marked .hidden().
+* Same as $infer (excludes hidden, keeps sensitive).
+*/
+type NotHidden<T extends ColumnRecord> = { [K in ColumnKeysWhereNot<T, "hidden">] : InferColumnType<T[K]> };
+interface TableDef<TColumns extends ColumnRecord = ColumnRecord> {
+	readonly _name: string;
+	readonly _columns: TColumns;
+	readonly _indexes: readonly IndexDef[];
+	readonly _shared: boolean;
+	/** Default SELECT type -- excludes hidden columns. */
+	readonly $infer: Infer<TColumns>;
+	/** All columns including hidden. */
+	readonly $infer_all: InferAll<TColumns>;
+	/** Insert type -- defaulted columns optional. ALL columns included. */
+	readonly $insert: Insert<TColumns>;
+	/** Update type -- all non-PK columns optional. ALL columns included. */
+	readonly $update: Update<TColumns>;
+	/** Excludes sensitive and hidden columns. */
+	readonly $not_sensitive: NotSensitive<TColumns>;
+	/** Excludes hidden columns. */
+	readonly $not_hidden: NotHidden<TColumns>;
+	/** Mark this table as shared / cross-tenant. */
+	shared(): TableDef<TColumns>;
+}
+/** Relations record — maps relation names to RelationDef. */
+type RelationsRecord = Record<string, RelationDef>;
+/** A table entry in the database registry, pairing a table with its relations. */
+interface TableEntry<
+	TTable extends TableDef<ColumnRecord> = TableDef<ColumnRecord>,
+	TRelations extends RelationsRecord = RelationsRecord
+> {
+	readonly table: TTable;
+	readonly relations: TRelations;
+}
+type DomainType = "persisted" | "process" | "view" | "session";
+interface DomainContext<TRow = any> {
+	user: {
+		id: string;
+		role: string;
+		[key: string]: unknown;
+	} | null;
+	tenant: {
+		id: string;
+		[key: string]: unknown;
+	} | null;
+	request: {
+		method: string;
+		path: string;
+		headers: Record<string, string>;
+		ip: string;
+	};
+	db: Record<string, any>;
+	services: Record<string, unknown>;
+	defaultHandler: (data: any) => Promise<TRow>;
+}
+type AccessRule<TRow> = (row: TRow, ctx: DomainContext<TRow>) => boolean;
+interface AccessRules<TRow> {
+	read?: AccessRule<TRow>;
+	create?: AccessRule<Partial<TRow>>;
+	update?: AccessRule<TRow>;
+	delete?: AccessRule<TRow>;
+}
+type Result<
+	T,
+	E = any
+> = {
+	ok: true;
+	data: T;
+} | {
+	ok: false;
+	error: E;
+};
+interface DomainError {
+	type: string;
+	code: string;
+	message: string;
+	entity?: string;
+	field?: string;
+}
+interface DomainOptions<TEntry extends TableEntry<any, any>> {
+	type: DomainType;
+	table: TEntry;
+	fields?: any;
+	expose?: any;
+	access?: AccessRules<any>;
+	handlers?: any;
+	actions?: Record<string, any>;
+}
+interface DomainDefinition2<TEntry extends TableEntry<any, any> = TableEntry<any, any>> {
+	readonly name: string;
+	readonly type: DomainType;
+	readonly table: TEntry;
+	readonly exposedRelations: Record<string, any>;
+	readonly access: AccessRules<any>;
+	readonly handlers: any;
+	readonly actions: Record<string, any>;
+}
+/**
+* STUB: domain() function for TDD red phase
+* This returns a properly shaped, frozen object that passes all structure tests.
+* Business logic (CRUD generation, access enforcement, etc.) will be implemented next.
+*/
+declare function domain<TEntry extends TableEntry<any, any>>(name?: string, options?: DomainOptions<TEntry>): DomainDefinition2<TEntry>;
+type SessionStrategy = "jwt" | "database" | "hybrid";
+interface CookieConfig {
+	name?: string;
+	httpOnly?: boolean;
+	secure?: boolean;
+	sameSite?: "strict" | "lax" | "none";
+	path?: string;
+	maxAge?: number;
+}
+interface SessionConfig {
+	strategy: SessionStrategy;
+	ttl: string | number;
+	refreshable?: boolean;
+	cookie?: CookieConfig;
+}
+interface PasswordRequirements {
+	minLength?: number;
+	requireUppercase?: boolean;
+	requireNumbers?: boolean;
+	requireSymbols?: boolean;
+}
+interface EmailPasswordConfig {
+	enabled?: boolean;
+	password?: PasswordRequirements;
+	rateLimit?: RateLimitConfig;
+}
+interface RateLimitConfig {
+	window: string;
+	maxAttempts: number;
+}
+interface AuthConfig {
+	session: SessionConfig;
+	emailPassword?: EmailPasswordConfig;
+	jwtSecret?: string;
+	jwtAlgorithm?: "HS256" | "HS384" | "HS512" | "RS256";
+	/** Custom claims function for JWT payload */
+	claims?: (user: AuthUser) => Record<string, unknown>;
+}
+interface AuthUser {
+	id: string;
+	email: string;
+	role: string;
+	plan?: string;
+	createdAt: Date;
+	updatedAt: Date;
+	[key: string]: unknown;
+}
+interface SessionPayload {
+	sub: string;
+	email: string;
+	role: string;
+	iat: number;
+	exp: number;
+	claims?: Record<string, unknown>;
+}
+interface Session {
+	user: AuthUser;
+	expiresAt: Date;
+	payload: SessionPayload;
+}
+interface SignUpInput {
+	email: string;
+	password: string;
+	role?: string;
+	[key: string]: unknown;
+}
+interface SignInInput {
+	email: string;
+	password: string;
+}
+interface AuthApi {
+	signUp: (data: SignUpInput) => Promise<AuthResult<Session>>;
+	signIn: (data: SignInInput) => Promise<AuthResult<Session>>;
+	signOut: (ctx: AuthContext) => Promise<AuthResult<void>>;
+	getSession: (headers: Headers) => Promise<AuthResult<Session | null>>;
+	refreshSession: (ctx: AuthContext) => Promise<AuthResult<Session>>;
+}
+interface AuthInstance {
+	/** HTTP handler for auth routes */
+	handler: (request: Request) => Promise<Response>;
+	/** Server-side API */
+	api: AuthApi;
+	/** Session middleware that injects ctx.user */
+	middleware: () => any;
+	/** Initialize auth (create tables, etc.) */
+	initialize: () => Promise<void>;
+}
+interface AuthContext {
+	headers: Headers;
+	request: Request;
+	ip?: string;
+}
+type AuthResult<T> = {
+	ok: true;
+	data: T;
+} | {
+	ok: false;
+	error: AuthError;
+};
+interface AuthError {
+	code: string;
+	message: string;
+	status: number;
+}
+interface RateLimitResult {
+	allowed: boolean;
+	remaining: number;
+	resetAt: Date;
+}
+type Entitlement = string;
+interface RoleDefinition {
+	entitlements: Entitlement[];
+}
+interface EntitlementDefinition {
+	roles: string[];
+	/** Optional: Description for documentation */
+	description?: string;
+}
+interface AccessConfig {
+	roles: Record<string, RoleDefinition>;
+	entitlements: Record<string, EntitlementDefinition>;
+}
+interface AccessInstance {
+	/** Check if user has a specific entitlement */
+	can(entitlement: Entitlement, user: AuthUser | null): Promise<boolean>;
+	/** Check with resource context */
+	canWithResource(entitlement: Entitlement, resource: Resource, user: AuthUser | null): Promise<boolean>;
+	/** Throws if not authorized */
+	authorize(entitlement: Entitlement, user: AuthUser | null): Promise<void>;
+	/** Authorize with resource context */
+	authorizeWithResource(entitlement: Entitlement, resource: Resource, user: AuthUser | null): Promise<void>;
+	/** Check multiple entitlements at once */
+	canAll(checks: Array<{
+		entitlement: Entitlement;
+		resource?: Resource;
+	}>, user: AuthUser | null): Promise<Map<string, boolean>>;
+	/** Get all entitlements for a role */
+	getEntitlementsForRole(role: string): Entitlement[];
+	/** Middleware that adds ctx.can() and ctx.authorize() to context */
+	middleware: () => any;
+}
+interface Resource {
+	id: string;
+	type: string;
+	ownerId?: string;
+	[key: string]: unknown;
+}
+declare class AuthorizationError extends Error {
+	readonly entitlement: Entitlement;
+	readonly userId?: string | undefined;
+	constructor(message: string, entitlement: Entitlement, userId?: string | undefined);
+}
+declare function createAccess(config: AccessConfig): AccessInstance;
+declare const defaultAccess: AccessInstance;
+declare function hashPassword(password: string): Promise<string>;
+declare function verifyPassword(password: string, hash: string): Promise<boolean>;
+declare function validatePassword(password: string, requirements?: PasswordRequirements): AuthError | null;
+declare function createAuth(config: AuthConfig): AuthInstance;
+export { vertz, verifyPassword, validatePassword, makeImmutable, hashPassword, domain, defaultAccess, deepFreeze, createServer, createModuleDef, createModule, createMiddleware, createImmutableProxy, createEnv, createAuth, createAccess, VertzException, ValidationException, UnauthorizedException, SignUpInput, SignInInput, SessionStrategy, SessionPayload, SessionConfig, Session, ServiceUnavailableException, ServiceFactory, ServiceDef, ServiceBootInstruction, ServerHandle, ServerAdapter, RouterDef, Result, Resource, ResolveInjectMap, RawRequest, RateLimitResult, RateLimitConfig, PasswordRequirements, NotFoundException, NamedServiceDef, NamedRouterDef, NamedModuleDef, NamedModule, NamedMiddlewareDef, ModuleDef, ModuleBootInstruction, Module, MiddlewareDef, ListenOptions, InternalServerErrorException, InferSchema, Infer2 as Infer, HttpStatusCode, HttpMethod, HandlerCtx, ForbiddenException, ExtractMethods, EnvConfig, EntitlementDefinition, Entitlement, EmailPasswordConfig, DomainType, DomainOptions, DomainError, DomainDefinition2 as DomainDefinition, DomainContext, Deps, DeepReadonly, Ctx, CorsConfig, CookieConfig, ConflictException, BootSequence, BootInstruction, BadRequestException, AuthorizationError, AuthUser, AuthResult, AuthInstance, AuthError, AuthContext, AuthConfig, AuthApi, AppConfig, AppBuilder, AccumulateProvides, AccessRules, AccessRule, AccessInstance, AccessConfig };

package/dist/index.js ADDED Viewed

@@ -0,0 +1,638 @@
+// src/index.ts
+import {
+  BadRequestException,
+  ConflictException,
+  createEnv,
+  createImmutableProxy,
+  createMiddleware,
+  createModule,
+  createModuleDef,
+  createServer,
+  deepFreeze,
+  ForbiddenException,
+  InternalServerErrorException,
+  makeImmutable,
+  NotFoundException,
+  ServiceUnavailableException,
+  UnauthorizedException,
+  ValidationException,
+  VertzException,
+  vertz
+} from "@vertz/core";
+// src/domain/domain.ts
+function domain(name, options) {
+  if (!name || !options) {
+    return Object.freeze({
+      name: name || "",
+      type: "persisted",
+      table: null,
+      exposedRelations: {},
+      access: {},
+      handlers: {},
+      actions: {}
+    });
+  }
+  const def = {
+    name,
+    type: options.type,
+    table: options.table,
+    exposedRelations: options.expose || {},
+    access: options.access || {},
+    handlers: options.handlers || {},
+    actions: options.actions || {}
+  };
+  return Object.freeze(def);
+}
+// src/auth/index.ts
+import * as jose from "jose";
+import bcrypt from "bcryptjs";
+// src/auth/access.ts
+class AuthorizationError extends Error {
+  entitlement;
+  userId;
+  constructor(message, entitlement, userId) {
+    super(message);
+    this.entitlement = entitlement;
+    this.userId = userId;
+    this.name = "AuthorizationError";
+  }
+}
+function createAccess(config) {
+  const { roles, entitlements } = config;
+  const roleEntitlements = new Map;
+  for (const [roleName, roleDef] of Object.entries(roles)) {
+    roleEntitlements.set(roleName, new Set(roleDef.entitlements));
+  }
+  const entitlementRoles = new Map;
+  for (const [entName, entDef] of Object.entries(entitlements)) {
+    entitlementRoles.set(entName, new Set(entDef.roles));
+  }
+  function roleHasEntitlement(role, entitlement) {
+    const roleEnts = roleEntitlements.get(role);
+    if (!roleEnts)
+      return false;
+    if (roleEnts.has(entitlement))
+      return true;
+    const [resource, action] = entitlement.split(":");
+    if (action && resource !== "*") {
+      const wildcard = `${resource}:*`;
+      if (roleEnts.has(wildcard))
+        return true;
+    }
+    return false;
+  }
+  async function checkEntitlement(entitlement, user) {
+    if (!user)
+      return false;
+    const allowedRoles = entitlementRoles.get(entitlement);
+    if (!allowedRoles) {
+      return true;
+    }
+    return allowedRoles.has(user.role) || roleHasEntitlement(user.role, entitlement);
+  }
+  async function can(entitlement, user) {
+    return checkEntitlement(entitlement, user);
+  }
+  async function canWithResource(entitlement, _resource, user) {
+    const hasEntitlement = await checkEntitlement(entitlement, user);
+    if (!hasEntitlement)
+      return false;
+    return true;
+  }
+  async function authorize(entitlement, user) {
+    const allowed = await can(entitlement, user);
+    if (!allowed) {
+      throw new AuthorizationError(`Not authorized to perform this action: ${entitlement}`, entitlement, user?.id);
+    }
+  }
+  async function authorizeWithResource(entitlement, resource, user) {
+    const allowed = await canWithResource(entitlement, resource, user);
+    if (!allowed) {
+      throw new AuthorizationError(`Not authorized to perform this action on this resource: ${entitlement}`, entitlement, user?.id);
+    }
+  }
+  async function canAll(checks, user) {
+    const results = new Map;
+    for (const { entitlement, resource } of checks) {
+      const key = resource ? `${entitlement}:${resource.id}` : entitlement;
+      const allowed = resource ? await canWithResource(entitlement, resource, user) : await can(entitlement, user);
+      results.set(key, allowed);
+    }
+    return results;
+  }
+  function getEntitlementsForRole(role) {
+    const roleEnts = roleEntitlements.get(role);
+    return roleEnts ? Array.from(roleEnts) : [];
+  }
+  function createMiddleware() {
+    return async (ctx, next) => {
+      ctx.can = async (entitlement, resource) => {
+        if (resource) {
+          return canWithResource(entitlement, resource, ctx.user ?? null);
+        }
+        return can(entitlement, ctx.user ?? null);
+      };
+      ctx.authorize = async (entitlement, resource) => {
+        if (resource) {
+          return authorizeWithResource(entitlement, resource, ctx.user ?? null);
+        }
+        return authorize(entitlement, ctx.user ?? null);
+      };
+      await next();
+    };
+  }
+  return {
+    can,
+    canWithResource,
+    authorize,
+    authorizeWithResource,
+    canAll,
+    getEntitlementsForRole,
+    middleware: createMiddleware
+  };
+}
+var defaultAccess = createAccess({
+  roles: {
+    user: { entitlements: ["read", "create"] },
+    editor: { entitlements: ["read", "create", "update"] },
+    admin: { entitlements: ["read", "create", "update", "delete"] }
+  },
+  entitlements: {
+    "user:read": { roles: ["user", "editor", "admin"] },
+    "user:create": { roles: ["user", "editor", "admin"] },
+    "user:update": { roles: ["editor", "admin"] },
+    "user:delete": { roles: ["admin"] },
+    read: { roles: ["user", "editor", "admin"] },
+    create: { roles: ["user", "editor", "admin"] },
+    update: { roles: ["editor", "admin"] },
+    delete: { roles: ["admin"] }
+  }
+});
+// src/auth/index.ts
+class RateLimiter {
+  store = new Map;
+  windowMs;
+  constructor(window) {
+    this.windowMs = this.parseDuration(window);
+  }
+  parseDuration(duration) {
+    const match = duration.match(/^(\d+)([smh])$/);
+    if (!match)
+      throw new Error(`Invalid duration: ${duration}`);
+    const value = parseInt(match[1], 10);
+    const unit = match[2];
+    const multipliers = { s: 1000, m: 60000, h: 3600000 };
+    return value * multipliers[unit];
+  }
+  check(key, maxAttempts) {
+    const now = new Date;
+    const entry = this.store.get(key);
+    if (!entry || entry.resetAt < now) {
+      const resetAt = new Date(now.getTime() + this.windowMs);
+      this.store.set(key, { count: 1, resetAt });
+      return { allowed: true, remaining: maxAttempts - 1, resetAt };
+    }
+    if (entry.count >= maxAttempts) {
+      return { allowed: false, remaining: 0, resetAt: entry.resetAt };
+    }
+    entry.count++;
+    return { allowed: true, remaining: maxAttempts - entry.count, resetAt: entry.resetAt };
+  }
+  cleanup() {
+    const now = new Date;
+    for (const [key, entry] of this.store) {
+      if (entry.resetAt < now) {
+        this.store.delete(key);
+      }
+    }
+  }
+}
+var DEFAULT_PASSWORD_REQUIREMENTS = {
+  minLength: 8,
+  requireUppercase: false,
+  requireNumbers: false,
+  requireSymbols: false
+};
+var BCRYPT_ROUNDS = 12;
+async function hashPassword(password) {
+  return bcrypt.hash(password, BCRYPT_ROUNDS);
+}
+async function verifyPassword(password, hash) {
+  return bcrypt.compare(password, hash);
+}
+function validatePassword(password, requirements) {
+  const req = { ...DEFAULT_PASSWORD_REQUIREMENTS, ...requirements };
+  if (password.length < (req.minLength ?? 8)) {
+    return {
+      code: "PASSWORD_TOO_SHORT",
+      message: `Password must be at least ${req.minLength} characters`,
+      status: 400
+    };
+  }
+  if (req.requireUppercase && !/[A-Z]/.test(password)) {
+    return {
+      code: "PASSWORD_NO_UPPERCASE",
+      message: "Password must contain at least one uppercase letter",
+      status: 400
+    };
+  }
+  if (req.requireNumbers && !/\d/.test(password)) {
+    return {
+      code: "PASSWORD_NO_NUMBER",
+      message: "Password must contain at least one number",
+      status: 400
+    };
+  }
+  if (req.requireSymbols && !/[!@#$%^&*(),.?":{}|<>]/.test(password)) {
+    return {
+      code: "PASSWORD_NO_SYMBOL",
+      message: "Password must contain at least one symbol",
+      status: 400
+    };
+  }
+  return null;
+}
+var DEFAULT_COOKIE_CONFIG = {
+  name: "vertz.sid",
+  httpOnly: true,
+  secure: true,
+  sameSite: "lax",
+  path: "/",
+  maxAge: 60 * 60 * 24 * 7
+};
+function parseDuration(duration) {
+  if (typeof duration === "number")
+    return duration;
+  const match = duration.match(/^(\d+)([smhd])$/);
+  if (!match)
+    throw new Error(`Invalid duration: ${duration}`);
+  const value = parseInt(match[1], 10);
+  const unit = match[2];
+  const multipliers = { s: 1, m: 60, h: 3600, d: 86400 };
+  return value * multipliers[unit] * 1000;
+}
+async function createJWT(user, secret, ttl, algorithm, customClaims) {
+  const claims = customClaims ? customClaims(user) : {};
+  const jwt = await new jose.SignJWT({
+    sub: user.id,
+    email: user.email,
+    role: user.role,
+    ...claims
+  }).setProtectedHeader({ alg: algorithm }).setIssuedAt().setExpirationTime(Math.floor(ttl / 1000)).sign(new TextEncoder().encode(secret));
+  return jwt;
+}
+async function verifyJWT(token, secret, algorithm) {
+  try {
+    const { payload } = await jose.jwtVerify(token, new TextEncoder().encode(secret), { algorithms: [algorithm] });
+    return payload;
+  } catch {
+    return null;
+  }
+}
+var users = new Map;
+var sessions = new Map;
+function createAuth(config) {
+  const {
+    session,
+    emailPassword,
+    jwtSecret: configJwtSecret,
+    jwtAlgorithm = "HS256",
+    claims
+  } = config;
+  const envJwtSecret = process.env.AUTH_JWT_SECRET;
+  let jwtSecret;
+  if (configJwtSecret) {
+    jwtSecret = configJwtSecret;
+  } else if (envJwtSecret) {
+    jwtSecret = envJwtSecret;
+  } else {
+    if (false) {} else {
+      console.warn("⚠️ Using insecure default JWT secret. Set AUTH_JWT_SECRET for production.");
+      jwtSecret = "dev-secret-change-in-production";
+    }
+  }
+  const cookieConfig = { ...DEFAULT_COOKIE_CONFIG, ...session.cookie };
+  const ttlMs = parseDuration(session.ttl);
+  const signInLimiter = new RateLimiter(emailPassword?.rateLimit?.window || "15m");
+  const signUpLimiter = new RateLimiter("1h");
+  const refreshLimiter = new RateLimiter("1m");
+  setInterval(() => {
+    signInLimiter.cleanup();
+    signUpLimiter.cleanup();
+    refreshLimiter.cleanup();
+  }, 60000);
+  function buildAuthUser(stored) {
+    return stored.user;
+  }
+  async function signUp(data) {
+    const { email, password, role = "user", ...additionalFields } = data;
+    if (!email || !email.includes("@")) {
+      return { ok: false, error: { code: "INVALID_EMAIL", message: "Invalid email format", status: 400 } };
+    }
+    const passwordError = validatePassword(password, emailPassword?.password);
+    if (passwordError) {
+      return { ok: false, error: passwordError };
+    }
+    if (users.has(email.toLowerCase())) {
+      return { ok: false, error: { code: "USER_EXISTS", message: "User already exists", status: 409 } };
+    }
+    const signUpRateLimit = signUpLimiter.check(`signup:${email.toLowerCase()}`, emailPassword?.rateLimit?.maxAttempts || 3);
+    if (!signUpRateLimit.allowed) {
+      return { ok: false, error: { code: "RATE_LIMITED", message: "Too many sign up attempts", status: 429 } };
+    }
+    const passwordHash = await hashPassword(password);
+    const now = new Date;
+    const user = {
+      id: crypto.randomUUID(),
+      email: email.toLowerCase(),
+      role,
+      createdAt: now,
+      updatedAt: now,
+      ...additionalFields
+    };
+    users.set(email.toLowerCase(), { user, passwordHash });
+    const token = await createJWT(user, jwtSecret, ttlMs, jwtAlgorithm, claims);
+    const expiresAt = new Date(Date.now() + ttlMs);
+    const payload = {
+      sub: user.id,
+      email: user.email,
+      role: user.role,
+      iat: Math.floor(Date.now() / 1000),
+      exp: Math.floor(expiresAt.getTime() / 1000),
+      claims: claims ? claims(user) : undefined
+    };
+    sessions.set(token, { userId: user.id, expiresAt });
+    return {
+      ok: true,
+      data: { user, expiresAt, payload }
+    };
+  }
+  async function signIn(data) {
+    const { email, password } = data;
+    const stored = users.get(email.toLowerCase());
+    if (!stored) {
+      return { ok: false, error: { code: "INVALID_CREDENTIALS", message: "Invalid email or password", status: 401 } };
+    }
+    const signInRateLimit = signInLimiter.check(`signin:${email.toLowerCase()}`, emailPassword?.rateLimit?.maxAttempts || 5);
+    if (!signInRateLimit.allowed) {
+      return { ok: false, error: { code: "RATE_LIMITED", message: "Too many sign in attempts", status: 429 } };
+    }
+    const valid = await verifyPassword(password, stored.passwordHash);
+    if (!valid) {
+      return { ok: false, error: { code: "INVALID_CREDENTIALS", message: "Invalid email or password", status: 401 } };
+    }
+    const user = buildAuthUser(stored);
+    const token = await createJWT(user, jwtSecret, ttlMs, jwtAlgorithm, claims);
+    const expiresAt = new Date(Date.now() + ttlMs);
+    const payload = {
+      sub: user.id,
+      email: user.email,
+      role: user.role,
+      iat: Math.floor(Date.now() / 1000),
+      exp: Math.floor(expiresAt.getTime() / 1000),
+      claims: claims ? claims(user) : undefined
+    };
+    sessions.set(token, { userId: user.id, expiresAt });
+    return {
+      ok: true,
+      data: { user, expiresAt, payload }
+    };
+  }
+  async function signOut(ctx) {
+    const cookieName = cookieConfig.name || "vertz.sid";
+    const token = ctx.headers.get("cookie")?.split(";").find((c) => c.trim().startsWith(`${cookieName}=`))?.split("=")[1];
+    if (token) {
+      sessions.delete(token);
+    }
+    return { ok: true, data: undefined };
+  }
+  async function getSession(headers) {
+    const cookieName = cookieConfig.name || "vertz.sid";
+    const token = headers.get("cookie")?.split(";").find((c) => c.trim().startsWith(`${cookieName}=`))?.split("=")[1];
+    if (!token) {
+      return { ok: true, data: null };
+    }
+    const session2 = sessions.get(token);
+    if (!session2) {
+      return { ok: true, data: null };
+    }
+    if (session2.expiresAt < new Date) {
+      sessions.delete(token);
+      return { ok: true, data: null };
+    }
+    const payload = await verifyJWT(token, jwtSecret, jwtAlgorithm);
+    if (!payload) {
+      sessions.delete(token);
+      return { ok: true, data: null };
+    }
+    const stored = users.get(payload.email);
+    if (!stored) {
+      return { ok: true, data: null };
+    }
+    const user = buildAuthUser(stored);
+    const expiresAt = new Date(payload.exp * 1000);
+    return {
+      ok: true,
+      data: { user, expiresAt, payload }
+    };
+  }
+  async function refreshSession(ctx) {
+    const refreshRateLimit = refreshLimiter.check(`refresh:${ctx.headers.get("x-forwarded-ip") || "default"}`, 10);
+    if (!refreshRateLimit.allowed) {
+      return { ok: false, error: { code: "RATE_LIMITED", message: "Too many refresh attempts", status: 429 } };
+    }
+    const sessionResult = await getSession(ctx.headers);
+    if (!sessionResult.ok) {
+      return sessionResult;
+    }
+    if (!sessionResult.data) {
+      return { ok: false, error: { code: "NO_SESSION", message: "No active session", status: 401 } };
+    }
+    const user = sessionResult.data.user;
+    const token = await createJWT(user, jwtSecret, ttlMs, jwtAlgorithm, claims);
+    const expiresAt = new Date(Date.now() + ttlMs);
+    const payload = {
+      sub: user.id,
+      email: user.email,
+      role: user.role,
+      iat: Math.floor(Date.now() / 1000),
+      exp: Math.floor(expiresAt.getTime() / 1000),
+      claims: claims ? claims(user) : undefined
+    };
+    sessions.set(token, { userId: user.id, expiresAt });
+    return {
+      ok: true,
+      data: { user, expiresAt, payload }
+    };
+  }
+  async function handleAuthRequest(request) {
+    const url = new URL(request.url);
+    const path = url.pathname.replace("/api/auth", "") || "/";
+    const method = request.method;
+    if (["POST", "PUT", "DELETE", "PATCH"].includes(method)) {
+      const origin = request.headers.get("origin");
+      const referer = request.headers.get("referer");
+      if (!origin && !referer) {
+        if (false) {}
+      }
+    }
+    try {
+      if (method === "POST" && path === "/signup") {
+        const body = await request.json();
+        const result = await signUp(body);
+        if (!result.ok) {
+          return new Response(JSON.stringify({ error: result.error }), {
+            status: result.error.status,
+            headers: { "Content-Type": "application/json" }
+          });
+        }
+        const cookieValue = await createJWT(result.data.user, jwtSecret, ttlMs, jwtAlgorithm, claims);
+        return new Response(JSON.stringify({ user: result.data.user }), {
+          status: 201,
+          headers: {
+            "Content-Type": "application/json",
+            "Set-Cookie": buildCookie(cookieValue)
+          }
+        });
+      }
+      if (method === "POST" && path === "/signin") {
+        const body = await request.json();
+        const result = await signIn(body);
+        if (!result.ok) {
+          return new Response(JSON.stringify({ error: result.error }), {
+            status: result.error.status,
+            headers: { "Content-Type": "application/json" }
+          });
+        }
+        const cookieValue = await createJWT(result.data.user, jwtSecret, ttlMs, jwtAlgorithm, claims);
+        return new Response(JSON.stringify({ user: result.data.user }), {
+          status: 200,
+          headers: {
+            "Content-Type": "application/json",
+            "Set-Cookie": buildCookie(cookieValue)
+          }
+        });
+      }
+      if (method === "POST" && path === "/signout") {
+        await signOut({ headers: request.headers });
+        return new Response(JSON.stringify({ ok: true }), {
+          status: 200,
+          headers: {
+            "Content-Type": "application/json",
+            "Set-Cookie": buildCookie("", true)
+          }
+        });
+      }
+      if (method === "GET" && path === "/session") {
+        const result = await getSession(request.headers);
+        if (!result.ok) {
+          return new Response(JSON.stringify({ error: result.error }), {
+            status: 500,
+            headers: { "Content-Type": "application/json" }
+          });
+        }
+        return new Response(JSON.stringify({ session: result.data }), {
+          status: 200,
+          headers: { "Content-Type": "application/json" }
+        });
+      }
+      if (method === "POST" && path === "/refresh") {
+        const result = await refreshSession({ headers: request.headers });
+        if (!result.ok) {
+          return new Response(JSON.stringify({ error: result.error }), {
+            status: result.error.status,
+            headers: { "Content-Type": "application/json" }
+          });
+        }
+        const cookieValue = await createJWT(result.data.user, jwtSecret, ttlMs, jwtAlgorithm, claims);
+        return new Response(JSON.stringify({ user: result.data.user }), {
+          status: 200,
+          headers: {
+            "Content-Type": "application/json",
+            "Set-Cookie": buildCookie(cookieValue)
+          }
+        });
+      }
+      return new Response(JSON.stringify({ error: "Not found" }), {
+        status: 404,
+        headers: { "Content-Type": "application/json" }
+      });
+    } catch (error) {
+      return new Response(JSON.stringify({ error: "Internal server error" }), {
+        status: 500,
+        headers: { "Content-Type": "application/json" }
+      });
+    }
+  }
+  function buildCookie(value, clear = false) {
+    const name = cookieConfig.name || "vertz.sid";
+    const maxAge = cookieConfig.maxAge ?? 60 * 60 * 24 * 7;
+    const path = cookieConfig.path || "/";
+    const sameSite = cookieConfig.sameSite || "lax";
+    const secure = cookieConfig.secure ?? true;
+    if (clear) {
+      return `${name}=; Path=${path}; HttpOnly; SameSite=${sameSite}; Max-Age=0`;
+    }
+    return `${name}=${value}; Path=${path}; HttpOnly${secure ? "; Secure" : ""}; SameSite=${sameSite}; Max-Age=${maxAge}`;
+  }
+  function createMiddleware() {
+    return async (ctx, next) => {
+      const sessionResult = await getSession(ctx.headers);
+      if (sessionResult.ok && sessionResult.data) {
+        ctx.user = sessionResult.data.user;
+        ctx.session = sessionResult.data;
+      } else {
+        ctx.user = null;
+        ctx.session = null;
+      }
+      await next();
+    };
+  }
+  async function initialize() {
+    console.log("[Auth] Initialized with JWT strategy");
+  }
+  const api = {
+    signUp,
+    signIn,
+    signOut,
+    getSession,
+    refreshSession
+  };
+  return {
+    handler: handleAuthRequest,
+    api,
+    middleware: createMiddleware,
+    initialize
+  };
+}
+export {
+  vertz,
+  verifyPassword,
+  validatePassword,
+  makeImmutable,
+  hashPassword,
+  domain,
+  defaultAccess,
+  deepFreeze,
+  createServer,
+  createModuleDef,
+  createModule,
+  createMiddleware,
+  createImmutableProxy,
+  createEnv,
+  createAuth,
+  createAccess,
+  VertzException,
+  ValidationException,
+  UnauthorizedException,
+  ServiceUnavailableException,
+  NotFoundException,
+  InternalServerErrorException,
+  ForbiddenException,
+  ConflictException,
+  BadRequestException,
+  AuthorizationError
+};

package/package.json ADDED Viewed

@@ -0,0 +1,50 @@
+{
+  "name": "@vertz/server",
+  "version": "0.2.0",
+  "type": "module",
+  "license": "MIT",
+  "description": "Vertz server runtime — modules, routing, and auth",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/vertz-dev/vertz.git",
+    "directory": "packages/server"
+  },
+  "publishConfig": {
+    "access": "public",
+    "provenance": true
+  },
+  "main": "dist/index.js",
+  "types": "dist/index.d.ts",
+  "exports": {
+    ".": {
+      "import": "./dist/index.js",
+      "types": "./dist/index.d.ts"
+    }
+  },
+  "files": [
+    "dist"
+  ],
+  "scripts": {
+    "build": "bunup",
+    "test": "vitest run",
+    "test:watch": "vitest",
+    "typecheck": "tsc --noEmit"
+  },
+  "dependencies": {
+    "@vertz/core": "workspace:*",
+    "bcryptjs": "^2.4.3",
+    "jose": "^6.0.11"
+  },
+  "devDependencies": {
+    "@types/bcryptjs": "^2.4.6",
+    "@types/node": "^22.0.0",
+    "@vertz/db": "workspace:*",
+    "bunup": "latest",
+    "typescript": "^5.7.0",
+    "vitest": "^4.0.18"
+  },
+  "engines": {
+    "node": ">=22"
+  },
+  "sideEffects": false
+}