@vobase/core 0.10.0 → 0.12.0

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@vobase/core",
-  "version": "0.10.0",
+  "version": "0.12.0",
   "license": "MIT",
   "description": "The app framework built for AI coding agents - core runtime",
   "repository": {
@@ -9,24 +9,22 @@
     "directory": "packages/core"
   },
   "type": "module",
-  "main": "./dist/index.js",
-  "types": "./dist/index.d.ts",
+  "main": "./src/index.ts",
+  "types": "./src/index.ts",
   "exports": {
     ".": {
-      "import": "./dist/index.js",
-      "require": "./dist/index.js",
-      "types": "./dist/index.d.ts"
+      "import": "./src/index.ts",
+      "types": "./src/index.ts"
     }
   },
   "files": [
-    "dist"
+    "src"
   ],
   "publishConfig": {
     "access": "public"
   },
   "scripts": {
-    "build": "bun build ./src/index.ts --outdir ./dist --target=bun --sourcemap=inline && tsc -p tsconfig.build.json --emitDeclarationOnly --outDir ./dist",
-    "dev": "bun run build --watch",
+    "build": "tsc --noEmit",
     "test": "bun test src/",
     "lint": "biome lint src/",
     "typecheck": "tsc --noEmit"

package/src/__tests__/drizzle-introspection.test.ts

@@ -0,0 +1,77 @@
+import { describe, expect, it } from 'bun:test';
+import { getTableColumns, getTableName } from 'drizzle-orm';
+
+import { auditLog } from '../modules/audit/schema';
+import { authUser } from '../modules/auth/schema';
+
+/**
+ * Drizzle Introspection Spike (US-005)
+ *
+ * Validates that Drizzle table column metadata (types, nullability, defaults,
+ * primary keys) is extractable via getTableColumns(). This API is used in
+ * Step 2.2 (MCP CRUD generation) to build Zod input schemas dynamically.
+ *
+ * API reference for MCP CRUD generation:
+ * - getTableColumns(table) → Record<string, Column> with .dataType, .notNull, .hasDefault, .primary, .columnType
+ * - getTableName(table) → string (the SQL table name)
+ */
+describe('Drizzle table introspection', () => {
+  it('extracts column names from a table', () => {
+    const columns = getTableColumns(auditLog);
+    const names = Object.keys(columns);
+    expect(names).toContain('id');
+    expect(names).toContain('event');
+    expect(names).toContain('actorId');
+    expect(names).toContain('createdAt');
+  });
+
+  it('extracts SQL data types', () => {
+    const columns = getTableColumns(auditLog);
+    expect(columns.id.dataType).toBe('string'); // text
+    expect(columns.event.dataType).toBe('string'); // text
+    // timestamp_ms mode columns report as 'object date', not 'number'
+    expect(columns.createdAt.dataType).toBe('object date');
+  });
+
+  it('extracts columnType for precise SQL type', () => {
+    const columns = getTableColumns(auditLog);
+    expect(columns.id.columnType).toBe('SQLiteText');
+    // timestamp_ms columns use SQLiteTimestamp, not SQLiteInteger
+    expect(columns.createdAt.columnType).toBe('SQLiteTimestamp');
+  });
+
+  it('extracts nullability', () => {
+    const columns = getTableColumns(auditLog);
+    expect(columns.event.notNull).toBe(true);
+    expect(columns.actorId.notNull).toBe(false);
+  });
+
+  it('extracts hasDefault flag', () => {
+    const columns = getTableColumns(auditLog);
+    // id has a $defaultFn (nanoid)
+    expect(columns.id.hasDefault).toBe(true);
+    // event has no default
+    expect(columns.event.hasDefault).toBe(false);
+  });
+
+  it('extracts primary key flag via .primary', () => {
+    const columns = getTableColumns(auditLog);
+    expect((columns.id as any).primary).toBe(true);
+    expect((columns.event as any).primary).toBe(false);
+  });
+
+  it('extracts SQL table name', () => {
+    const name = getTableName(auditLog);
+    expect(name).toBe('_audit_log');
+  });
+
+  it('works on auth user table with all field types', () => {
+    const columns = getTableColumns(authUser);
+    expect((columns.id as any).primary).toBe(true);
+    expect(columns.email.notNull).toBe(true);
+    expect(columns.image.notNull).toBe(false);
+    expect(columns.role.hasDefault).toBe(true);
+    // integer boolean uses 'boolean' dataType in Drizzle
+    expect(columns.emailVerified.columnType).toBe('SQLiteBoolean');
+  });
+});

package/src/__tests__/e2e.test.ts

@@ -0,0 +1,225 @@
+import { rmSync } from 'node:fs';
+import { Database } from 'bun:sqlite';
+import { afterAll, beforeAll, describe, expect, it } from 'bun:test';
+import { shutdownManager } from 'bunqueue/client';
+
+import { createApp } from '../app';
+import { createDatabase, type VobaseDb } from '../db';
+type DbWithClient = VobaseDb & { $client: Database };
+
+const dbPath = `/tmp/vobase-e2e-${process.pid}-${Date.now()}.db`;
+const queueDbPath = dbPath.replace(/\.db$/, '-queue.db');
+const email = `e2e-${Date.now()}@test.com`;
+const password = 'Test1234!';
+
+let app: Awaited<ReturnType<typeof createApp>>;
+let systemDb: DbWithClient;
+let sessionCookie = '';
+let previousAuthSecret: string | undefined;
+let previousAuthUrl: string | undefined;
+
+/**
+ * Create all required tables for the e2e test.
+ * Since ensureCoreTables() was removed, we create tables via raw SQL
+ * matching the Drizzle schema definitions.
+ */
+function createTables(db: Database) {
+  db.run(`CREATE TABLE IF NOT EXISTS "user" (
+    "id" text PRIMARY KEY NOT NULL,
+    "name" text NOT NULL,
+    "email" text NOT NULL,
+    "email_verified" integer NOT NULL DEFAULT 0,
+    "image" text,
+    "role" text NOT NULL DEFAULT 'user',
+    "created_at" integer NOT NULL,
+    "updated_at" integer NOT NULL
+  )`);
+  db.run(`CREATE UNIQUE INDEX IF NOT EXISTS "user_email_unique" ON "user" ("email")`);
+
+  db.run(`CREATE TABLE IF NOT EXISTS "session" (
+    "id" text PRIMARY KEY NOT NULL,
+    "expires_at" integer NOT NULL,
+    "token" text NOT NULL,
+    "created_at" integer NOT NULL,
+    "updated_at" integer NOT NULL,
+    "ip_address" text,
+    "user_agent" text,
+    "user_id" text NOT NULL REFERENCES "user" ("id") ON DELETE CASCADE
+  )`);
+  db.run(`CREATE UNIQUE INDEX IF NOT EXISTS "session_token_unique" ON "session" ("token")`);
+  db.run(`CREATE INDEX IF NOT EXISTS "session_user_id_idx" ON "session" ("user_id")`);
+
+  db.run(`CREATE TABLE IF NOT EXISTS "account" (
+    "id" text PRIMARY KEY NOT NULL,
+    "account_id" text NOT NULL,
+    "provider_id" text NOT NULL,
+    "user_id" text NOT NULL REFERENCES "user" ("id") ON DELETE CASCADE,
+    "access_token" text,
+    "refresh_token" text,
+    "id_token" text,
+    "access_token_expires_at" integer,
+    "refresh_token_expires_at" integer,
+    "scope" text,
+    "password" text,
+    "created_at" integer NOT NULL,
+    "updated_at" integer NOT NULL
+  )`);
+  db.run(`CREATE INDEX IF NOT EXISTS "account_user_id_idx" ON "account" ("user_id")`);
+
+  db.run(`CREATE TABLE IF NOT EXISTS "verification" (
+    "id" text PRIMARY KEY NOT NULL,
+    "identifier" text NOT NULL,
+    "value" text NOT NULL,
+    "expires_at" integer NOT NULL,
+    "created_at" integer NOT NULL,
+    "updated_at" integer NOT NULL
+  )`);
+  db.run(`CREATE INDEX IF NOT EXISTS "verification_identifier_idx" ON "verification" ("identifier")`);
+
+  db.run(`CREATE TABLE IF NOT EXISTS "_audit_log" (
+    "id" text PRIMARY KEY NOT NULL,
+    "event" text NOT NULL,
+    "actor_id" text,
+    "actor_email" text,
+    "ip" text,
+    "details" text,
+    "created_at" integer NOT NULL
+  )`);
+
+  db.run(`CREATE TABLE IF NOT EXISTS "_record_audits" (
+    "id" text PRIMARY KEY NOT NULL,
+    "table_name" text NOT NULL,
+    "record_id" text NOT NULL,
+    "old_data" text,
+    "new_data" text,
+    "changed_by" text,
+    "created_at" integer NOT NULL
+  )`);
+
+  db.run(`CREATE TABLE IF NOT EXISTS "_sequences" (
+    "id" text PRIMARY KEY NOT NULL,
+    "prefix" text NOT NULL,
+    "current_value" integer NOT NULL DEFAULT 0,
+    "updated_at" integer NOT NULL
+  )`);
+  db.run(`CREATE UNIQUE INDEX IF NOT EXISTS "_sequences_prefix_unique" ON "_sequences" ("prefix")`);
+
+  db.run(`CREATE TABLE IF NOT EXISTS "_webhook_dedup" (
+    "id" text NOT NULL,
+    "source" text NOT NULL,
+    "received_at" integer NOT NULL,
+    PRIMARY KEY ("id", "source")
+  )`);
+}
+
+const getPragmaValue = (db: DbWithClient, pragma: string): string => {
+  const row = db.$client.query(`PRAGMA ${pragma}`).get() as Record<
+    string,
+    unknown
+  >;
+  return String(Object.values(row)[0]);
+};
+
+beforeAll(async () => {
+  previousAuthSecret = process.env.BETTER_AUTH_SECRET;
+  previousAuthUrl = process.env.BETTER_AUTH_URL;
+  process.env.BETTER_AUTH_SECRET = 'vobase-e2e-secret';
+  process.env.BETTER_AUTH_URL = 'http://localhost';
+
+  // Create tables before createApp opens its own connection
+  const bootstrapDb = new Database(dbPath);
+  createTables(bootstrapDb);
+  bootstrapDb.close();
+
+  systemDb = createDatabase(dbPath) as DbWithClient;
+  app = await createApp({
+    database: dbPath,
+    modules: [],
+    mcp: { enabled: true },
+  });
+});
+
+afterAll(() => {
+  shutdownManager();
+  systemDb?.$client.close();
+  if (previousAuthSecret === undefined) delete process.env.BETTER_AUTH_SECRET;
+  else process.env.BETTER_AUTH_SECRET = previousAuthSecret;
+  if (previousAuthUrl === undefined) delete process.env.BETTER_AUTH_URL;
+  else process.env.BETTER_AUTH_URL = previousAuthUrl;
+
+  rmSync(dbPath, { force: true });
+  rmSync(`${dbPath}-wal`, { force: true });
+  rmSync(`${dbPath}-shm`, { force: true });
+  rmSync(queueDbPath, { force: true });
+  rmSync(`${queueDbPath}-wal`, { force: true });
+  rmSync(`${queueDbPath}-shm`, { force: true });
+  rmSync('./data/bunqueue.db', { force: true });
+  rmSync('./data/bunqueue.db-wal', { force: true });
+  rmSync('./data/bunqueue.db-shm', { force: true });
+});
+
+describe('vobase engine e2e integration', () => {
+  it('passes health, auth, mcp, and db pragma checks', async () => {
+    const health = await app.request('http://localhost/health');
+    const healthBody = (await health.json()) as {
+      status: string;
+      uptime: number;
+    };
+    expect(health.status).toBe(200);
+    expect(healthBody).toMatchObject({ status: 'ok' });
+    expect(typeof healthBody.uptime).toBe('number');
+
+    const signup = await app.request(
+      'http://localhost/api/auth/sign-up/email',
+      {
+        method: 'POST',
+        headers: { 'content-type': 'application/json' },
+        body: JSON.stringify({ email, password, name: 'E2E Test' }),
+      },
+    );
+    const signupBody = (await signup.json()) as { user?: { email?: string } };
+    expect(signup.status).toBe(200);
+    expect(signupBody.user?.email).toBe(email);
+
+    const signin = await app.request(
+      'http://localhost/api/auth/sign-in/email',
+      {
+        method: 'POST',
+        headers: { 'content-type': 'application/json' },
+        body: JSON.stringify({ email, password }),
+      },
+    );
+    expect(signin.status).toBe(200);
+    sessionCookie =
+      (signin.headers.get('set-cookie') ?? '').split(';')[0] ?? '';
+    expect(sessionCookie.length).toBeGreaterThan(0);
+
+    const mcp = await app.request('http://localhost/mcp', {
+      method: 'POST',
+      headers: {
+        'content-type': 'application/json',
+        accept: 'application/json, text/event-stream',
+      },
+      body: JSON.stringify({ jsonrpc: '2.0', method: 'tools/list', id: 1 }),
+    });
+    expect(mcp.status).toBe(200);
+    expect(
+      Array.isArray(
+        ((await mcp.json()) as { result?: { tools?: unknown[] } }).result
+          ?.tools,
+      ),
+    ).toBe(true);
+
+    expect({
+      journalMode: getPragmaValue(systemDb, 'journal_mode'),
+      busyTimeout: getPragmaValue(systemDb, 'busy_timeout'),
+      synchronous: getPragmaValue(systemDb, 'synchronous'),
+      foreignKeys: getPragmaValue(systemDb, 'foreign_keys'),
+    }).toEqual({
+      journalMode: 'wal',
+      busyTimeout: '5000',
+      synchronous: '1',
+      foreignKeys: '1',
+    });
+  });
+});

package/src/__tests__/permissions.test.ts

@@ -0,0 +1,157 @@
+import { describe, expect, it, beforeEach } from 'bun:test';
+import { Hono } from 'hono';
+
+import { requireRole, requirePermission, requireOrg } from '../modules/auth/permissions';
+import { setOrganizationEnabled } from '../modules/auth/permissions';
+
+function createTestApp() {
+  const app = new Hono();
+  // Simulate the context variable map user field
+  return app;
+}
+
+function withUser(app: Hono, user: { id: string; email: string; name: string; role: string; activeOrganizationId?: string; orgRole?: string } | null) {
+  app.use('*', async (c, next) => {
+    c.set('user', user as any);
+    await next();
+  });
+  return app;
+}
+
+describe('requireRole', () => {
+  it('allows user with matching role', async () => {
+    const app = createTestApp();
+    withUser(app, { id: '1', email: 'a@b.com', name: 'Test', role: 'admin' });
+    app.get('/test', requireRole('admin'), (c) => c.json({ ok: true }));
+
+    const res = await app.request('/test');
+    expect(res.status).toBe(200);
+  });
+
+  it('allows user with any of multiple roles', async () => {
+    const app = createTestApp();
+    withUser(app, { id: '1', email: 'a@b.com', name: 'Test', role: 'editor' });
+    app.get('/test', requireRole('admin', 'editor'), (c) => c.json({ ok: true }));
+
+    const res = await app.request('/test');
+    expect(res.status).toBe(200);
+  });
+
+  it('rejects user with non-matching role with 403', async () => {
+    const app = createTestApp();
+    withUser(app, { id: '1', email: 'a@b.com', name: 'Test', role: 'user' });
+    app.get('/test', requireRole('admin'), (c) => c.json({ ok: true }));
+    app.onError((err, c) => c.json({ error: err.message }, 403));
+
+    const res = await app.request('/test');
+    expect(res.status).toBe(403);
+  });
+
+  it('rejects unauthenticated request (no user) with 403', async () => {
+    const app = createTestApp();
+    withUser(app, null);
+    app.get('/test', requireRole('admin'), (c) => c.json({ ok: true }));
+    app.onError((err, c) => c.json({ error: err.message }, 403));
+
+    const res = await app.request('/test');
+    expect(res.status).toBe(403);
+  });
+});
+
+describe('requirePermission', () => {
+  beforeEach(() => {
+    setOrganizationEnabled(false);
+  });
+
+  it('throws descriptive error at call time when org is NOT enabled', () => {
+    setOrganizationEnabled(false);
+    expect(() => requirePermission('invoices:write')).toThrow(
+      'Organization plugin required for permission-based auth. Use requireRole() instead or enable organization in config.',
+    );
+  });
+
+  it('returns middleware when org IS enabled', () => {
+    setOrganizationEnabled(true);
+    const middleware = requirePermission('invoices:write');
+    expect(typeof middleware).toBe('function');
+  });
+
+  it('middleware rejects unauthenticated request when org is enabled', async () => {
+    setOrganizationEnabled(true);
+    const app = createTestApp();
+    withUser(app, null);
+    app.get('/test', requirePermission('invoices:write'), (c) => c.json({ ok: true }));
+    app.onError((err, c) => c.json({ error: err.message }, 403));
+
+    const res = await app.request('/test');
+    expect(res.status).toBe(403);
+  });
+
+  it('middleware allows authenticated user when org is enabled', async () => {
+    setOrganizationEnabled(true);
+    const app = createTestApp();
+    withUser(app, { id: '1', email: 'a@b.com', name: 'Test', role: 'admin' });
+    app.get('/test', requirePermission('invoices:write'), (c) => c.json({ ok: true }));
+
+    const res = await app.request('/test');
+    expect(res.status).toBe(200);
+  });
+});
+
+describe('requireOrg', () => {
+  beforeEach(() => {
+    setOrganizationEnabled(false);
+  });
+
+  it('throws descriptive error at call time when org is NOT enabled', () => {
+    setOrganizationEnabled(false);
+    expect(() => requireOrg()).toThrow(
+      'Organization plugin required. Enable organization in config.',
+    );
+  });
+
+  it('rejects user without active organization with 403 when org is enabled', async () => {
+    setOrganizationEnabled(true);
+    const app = createTestApp();
+    withUser(app, { id: '1', email: 'a@b.com', name: 'Test', role: 'user' });
+    app.get('/test', requireOrg(), (c) => c.json({ ok: true }));
+    app.onError((err, c) => c.json({ error: err.message }, 403));
+
+    const res = await app.request('/test');
+    expect(res.status).toBe(403);
+  });
+
+  it('allows user with active organization when org is enabled', async () => {
+    setOrganizationEnabled(true);
+    const app = createTestApp();
+    withUser(app, { id: '1', email: 'a@b.com', name: 'Test', role: 'user', activeOrganizationId: 'org-1' });
+    app.get('/test', requireOrg(), (c) => c.json({ ok: true }));
+
+    const res = await app.request('/test');
+    expect(res.status).toBe(200);
+  });
+});
+
+describe('getActiveSchemas', () => {
+  it('always includes apikey schema', async () => {
+    const { getActiveSchemas } = await import('../schemas');
+    const schemas = getActiveSchemas();
+    expect(schemas.apikey).toBeDefined();
+  });
+
+  it('excludes org schema by default', async () => {
+    const { getActiveSchemas } = await import('../schemas');
+    const schemas = getActiveSchemas();
+    expect(schemas.organization).toBeUndefined();
+    expect(schemas.member).toBeUndefined();
+    expect(schemas.invitation).toBeUndefined();
+  });
+
+  it('includes org schema when organization is true', async () => {
+    const { getActiveSchemas } = await import('../schemas');
+    const schemas = getActiveSchemas({ organization: true });
+    expect(schemas.organization).toBeDefined();
+    expect(schemas.member).toBeDefined();
+    expect(schemas.invitation).toBeDefined();
+  });
+});

package/src/__tests__/rpc-types.test.ts

@@ -0,0 +1,92 @@
+import { describe, expect, it } from 'bun:test';
+import { Hono } from 'hono';
+import { hc } from 'hono/client';
+
+/**
+ * Hono RPC Type Inference Validation (T17)
+ *
+ * FINDINGS:
+ * - Chained .route(): WORKS - runtime mounting works, and `typeof chainedApp` preserves route literals for RPC typing.
+ * - Dynamic reduce: DOESN'T WORK (for RPC typing) - runtime mounting works, but `new Hono() as Hono` widens the schema and drops typed client paths.
+ * - hc<AppType> inference: WORKS with chained route exports - typed client methods (`$get`, `$post`, `$url`) are inferred from mounted paths.
+ * - TypeScript compilation: passes with 2 chained routes when the dynamic reduce limitation is captured via `@ts-expect-error`.
+ *
+ * RECOMMENDATION for vobase:
+ * - Export an RPC-facing app type from chained `.route()` composition and avoid reduce-based widened `Hono` values for frontend RPC typing.
+ */
+
+type Invoice = { id: string; total: number };
+
+const invoicingRouter = new Hono()
+  .get('/list', (c) => c.json({ invoices: [] as Invoice[] }))
+  .post('/create', (c) => c.json({ id: 'inv-001', total: 0 } as Invoice));
+
+const ordersRouter = new Hono().get('/list', (c) =>
+  c.json({ orders: [] as Array<{ id: string }> }),
+);
+
+const chainedApp = new Hono()
+  .route('/api/invoicing', invoicingRouter)
+  .route('/api/orders', ordersRouter);
+export type ChainedAppType = typeof chainedApp;
+
+const chainedClient = hc<ChainedAppType>('http://localhost:3000');
+
+const modules = [
+  { name: 'invoicing', routes: invoicingRouter },
+  { name: 'orders', routes: ordersRouter },
+];
+
+const dynamicApp = modules.reduce(
+  (acc, mod) => acc.route(`/api/${mod.name}`, mod.routes),
+  new Hono() as Hono,
+);
+
+type DynamicAppType = typeof dynamicApp;
+const dynamicClient = hc<DynamicAppType>('http://localhost:3000');
+
+// biome-ignore lint/complexity/noBannedTypes: intentional Function check for type-level test
+type IsFunction<T> = T extends Function ? true : false;
+type Expect<T extends true> = T;
+
+const chainedListGet = chainedClient.api.invoicing.list.$get;
+const chainedCreatePost = chainedClient.api.invoicing.create.$post;
+type _ChainedListGetCallable = Expect<IsFunction<typeof chainedListGet>>;
+type _ChainedCreatePostCallable = Expect<IsFunction<typeof chainedCreatePost>>;
+
+// @ts-expect-error Dynamic reduce app type loses literal route inference for RPC client access.
+dynamicClient.api.invoicing.list.$get;
+
+describe('Hono RPC type inference', () => {
+  it('mounts routes correctly via chained .route()', async () => {
+    const res = await chainedApp.request('http://localhost/api/invoicing/list');
+
+    expect(res.status).toBe(200);
+    const data = (await res.json()) as { invoices: Invoice[] };
+    expect(data).toHaveProperty('invoices');
+  });
+
+  it('exposes typed hc<AppType> methods for chained routes', () => {
+    const listUrl = chainedClient.api.invoicing.list.$url();
+    const createUrl = chainedClient.api.invoicing.create.$url();
+
+    expect(listUrl.pathname).toBe('/api/invoicing/list');
+    expect(createUrl.pathname).toBe('/api/invoicing/create');
+  });
+
+  it('mounts routes correctly via reduce() pattern used by createApp', async () => {
+    const invoicingRes = await dynamicApp.request(
+      'http://localhost/api/invoicing/list',
+    );
+    expect(invoicingRes.status).toBe(200);
+
+    const ordersRes = await dynamicApp.request(
+      'http://localhost/api/orders/list',
+    );
+    expect(ordersRes.status).toBe(200);
+    const ordersData = (await ordersRes.json()) as {
+      orders: Array<{ id: string }>;
+    };
+    expect(ordersData).toHaveProperty('orders');
+  });
+});

package/src/app.test.ts

@@ -0,0 +1,99 @@
+import { rmSync } from 'node:fs';
+import { afterAll, describe, expect, it } from 'bun:test';
+import { shutdownManager } from 'bunqueue/client';
+import { Hono } from 'hono';
+
+import { createApp } from './app';
+import { notFound } from './infra/errors';
+import type { VobaseModule } from './module';
+
+afterAll(() => {
+  shutdownManager();
+  rmSync('./data/bunqueue.db', { force: true });
+  rmSync('./data/bunqueue.db-shm', { force: true });
+  rmSync('./data/bunqueue.db-wal', { force: true });
+});
+
+function makeModule(
+  name: string,
+  routeFactory: (routes: Hono) => void,
+): VobaseModule {
+  const routes = new Hono();
+  routeFactory(routes);
+
+  return {
+    name,
+    schema: { test: {} },
+    routes,
+  };
+}
+
+describe('createApp()', () => {
+  it('creates a Hono app for in-memory database', async () => {
+    const app = await createApp({ modules: [], database: ':memory:' });
+    expect(app).toBeInstanceOf(Hono);
+  });
+
+  it('serves GET /health with status and uptime', async () => {
+    const app = await createApp({ modules: [], database: ':memory:' });
+
+    const response = await app.request('http://localhost/health');
+    const body = (await response.json()) as { status: string; uptime: number };
+
+    expect(response.status).toBe(200);
+    expect(body.status).toBe('ok');
+    expect(typeof body.uptime).toBe('number');
+  });
+
+  it('mounts /api/auth/* routes (not 404)', async () => {
+    const app = await createApp({ modules: [], database: ':memory:' });
+
+    const response = await app.request('http://localhost/api/auth/get-session');
+
+    expect(response.status).not.toBe(404);
+  });
+
+  it('mounts module routes under /api/{module}', async () => {
+    const testModule = makeModule('testmod', (routes) => {
+      routes.get('/ping', (c) => c.json({ pong: true }));
+    });
+    const app = await createApp({ modules: [testModule], database: ':memory:' });
+
+    const response = await app.request('http://localhost/api/testmod/ping');
+    const body = (await response.json()) as { pong: boolean };
+
+    expect(response.status).toBe(200);
+    expect(body.pong).toBe(true);
+  });
+
+  it('uses global error handler for thrown VobaseError', async () => {
+    const throwingModule = makeModule('errors', (routes) => {
+      routes.get('/boom', () => {
+        throw notFound('Record');
+      });
+    });
+    const app = await createApp({ modules: [throwingModule], database: ':memory:' });
+
+    const response = await app.request('http://localhost/api/errors/boom');
+    const body = (await response.json()) as {
+      error: { code: string; message: string; details?: unknown };
+    };
+
+    expect(response.status).toBe(404);
+    expect(body.error.code).toBe('NOT_FOUND');
+    expect(body.error.message).toBe('Record not found');
+  });
+
+  it('allows unauthenticated access on /api/* with optional session middleware', async () => {
+    const openModule = makeModule('open', (routes) => {
+      routes.get('/status', (c) => c.json({ user: c.get('user') }));
+    });
+    const app = await createApp({ modules: [openModule], database: ':memory:' });
+
+    const response = await app.request('http://localhost/api/open/status');
+    const body = (await response.json()) as { user: unknown };
+
+    expect(response.status).toBe(200);
+    expect(body.user).toBeNull();
+  });
+});