@voyant-travel/hono 0.109.1

package/dist/app.js

@@ -0,0 +1,403 @@
+import { createContainer, createEventBus, createQueryRunner, } from "@voyant-travel/core";
+import { createOutboxEventStore } from "@voyant-travel/db/outbox";
+import { Hono } from "hono";
+import { containerToServiceResolver, makeFrameworkLogger, wireWorkflowRuntime, } from "./app-workflows.js";
+import { createPathDbSelector } from "./lib/db-selector.js";
+import { tryGetExecutionCtx } from "./lib/execution-ctx.js";
+import { matchesPublicPath, normalizePathname } from "./lib/public-paths.js";
+import { requestScopedEventBus } from "./lib/request-event-bus.js";
+import { requireAuth } from "./middleware/auth.js";
+import { DEFAULT_REQUEST_BODY_LIMIT_BYTES, requestBodyLimit } from "./middleware/body-size.js";
+import { cors } from "./middleware/cors.js";
+import { db } from "./middleware/db.js";
+import { handleApiError, requestId } from "./middleware/error-boundary.js";
+import { logger } from "./middleware/logger.js";
+import { metrics } from "./middleware/metrics.js";
+import { publicResponseCache } from "./middleware/public-cache.js";
+import { rateLimit, resolveRateLimitStore, } from "./middleware/rate-limit.js";
+import { requireActor } from "./middleware/require-actor.js";
+import { securityHeaders } from "./middleware/security-headers.js";
+import { expandHonoPlugins } from "./plugin.js";
+function resolveSurfaceMountPath(prefix, path, fallback) {
+    const normalized = path?.trim();
+    if (!normalized) {
+        return `${prefix}/${fallback}`;
+    }
+    if (normalized === "/") {
+        return prefix;
+    }
+    return `${prefix}/${normalized.replace(/^\/+|\/+$/g, "")}`;
+}
+const WRITE_METHODS = new Set(["POST", "PUT", "PATCH", "DELETE"]);
+function resolveConfiguredRateLimitStore(config, env) {
+    if (!config?.store)
+        return undefined;
+    return typeof config.store === "function" ? config.store(env) : config.store;
+}
+function buildRateLimitPolicy(config, env, bucket, defaults) {
+    return {
+        bucket,
+        ...defaults,
+        store: resolveConfiguredRateLimitStore(config, env) ?? resolveRateLimitStore({ env }),
+    };
+}
+export function createApp(config) {
+    const app = new Hono();
+    app.onError(handleApiError);
+    // Expand plugins into their constituent modules/extensions before mounting
+    const expanded = config.plugins ? expandHonoPlugins(config.plugins) : null;
+    const allModules = [...(config.modules ?? []), ...(expanded?.modules ?? [])];
+    const allExtensions = [...(config.extensions ?? []), ...(expanded?.extensions ?? [])];
+    const eventBus = config.eventBus ?? createEventBus();
+    const query = typeof config.query === "function"
+        ? config.query
+        : config.query
+            ? createQueryRunner(config.query)
+            : undefined;
+    // Module container — registered services are resolvable from routes
+    const container = createContainer();
+    for (const mod of allModules) {
+        if (mod.module.service !== undefined) {
+            container.register(mod.module.name, mod.module.service);
+        }
+    }
+    for (const sub of expanded?.subscribers ?? []) {
+        eventBus.subscribe(sub.event, sub.handler, { inline: sub.inline ?? false });
+    }
+    // ---- Workflow runtime wiring (synchronous setup; manifest registration
+    //      + EventBus forwarder run inside the lazy bootstrap below) ----
+    //
+    // We collect `workflows` + `eventFilters` from every module and plugin
+    // here so the failure mode for "duplicate workflow id across modules"
+    // surfaces at construction time (per architecture doc §18, the workflow
+    // runtime is fail-closed).
+    const collectedWorkflows = [];
+    const collectedFilters = [];
+    for (const mod of allModules) {
+        if (mod.module.workflows)
+            collectedWorkflows.push(...mod.module.workflows);
+        if (mod.module.eventFilters)
+            collectedFilters.push(...mod.module.eventFilters);
+    }
+    for (const plugin of config.plugins ?? []) {
+        if (plugin.workflows)
+            collectedWorkflows.push(...plugin.workflows);
+        if (plugin.eventFilters)
+            collectedFilters.push(...plugin.eventFilters);
+    }
+    // Validate duplicate workflow ids across modules + plugins. Same id from
+    // re-imports (HMR / shared bundles) is fine because identity is by id —
+    // we only flag genuinely-different definitions sharing an id.
+    if (config.workflows && collectedWorkflows.length > 0) {
+        const seen = new Map();
+        for (const wf of collectedWorkflows) {
+            const existing = seen.get(wf.id);
+            if (existing && existing !== wf) {
+                throw new Error(`[voyant] duplicate workflow id "${wf.id}" registered by multiple modules/plugins. ` +
+                    `Workflow ids must be unique across the app — use a module-scoped prefix ` +
+                    `(e.g. "${wf.id.includes(".") ? wf.id : `<module>.${wf.id}`}").`);
+            }
+            seen.set(wf.id, wf);
+        }
+    }
+    // Workflow driver construction is **deferred** to the lazy bootstrap
+    // path so CF-edge users (whose driver options come from `env.*`
+    // bindings only available at request time) can pass a function-of-
+    // bindings shape — `(env) => createCloudflareEdgeDriver({...})` —
+    // rather than constructing at module-load time. Mode 2 / InMemory
+    // users pass a direct factory; the framework adapts both shapes.
+    // See reviewer feedback P2.1 + architecture doc §6.3.
+    let workflowDriver;
+    let bootstrapPromise = null;
+    function ensureRuntimeBootstrapped(bindings) {
+        if (!bootstrapPromise) {
+            bootstrapPromise = (async () => {
+                const ctx = { bindings, container, eventBus };
+                // ---- Workflow runtime FIRST — fail-closed manifest registration
+                //      and EventBus forwarder must be in place before any module
+                //      bootstrap can emit. Otherwise a `module.bootstrap` that
+                //      emits an event during its own bootstrap would route through
+                //      a bus with no workflow forwarder yet, silently losing the
+                //      event. Per architecture doc §21.22 + reviewer feedback P2.3.
+                if (config.workflows) {
+                    // `driver` is always a function-of-bindings (per
+                    // VoyantWorkflowsConfig — see types.ts + reviewer feedback P2.1).
+                    // Mode 2 / InMemory users wrap with `() => createXxxDriver({...})`.
+                    // CF-edge users use `(env) => createCloudflareEdgeDriver({ env.* })`.
+                    // We invoke with bindings, then the resulting DriverFactory
+                    // with framework deps.
+                    const factoryDeps = {
+                        services: containerToServiceResolver(container),
+                        logger: makeFrameworkLogger(config.logger),
+                    };
+                    const factory = config.workflows.driver(bindings);
+                    workflowDriver = factory(factoryDeps);
+                    await wireWorkflowRuntime({
+                        modules: allModules.map((m) => m.module),
+                        collectedWorkflows,
+                        collectedFilters,
+                        driver: workflowDriver,
+                        environment: config.workflows.environment ?? "development",
+                        projectId: config.workflows.projectId ?? "default",
+                        eventBus,
+                    });
+                }
+                // Run each bootstrap in isolation — a single failing plugin/module/extension
+                // must not poison the cached promise and kill the whole app's request pipeline.
+                const runIsolated = async (label, fn) => {
+                    if (!fn)
+                        return;
+                    try {
+                        await fn(ctx);
+                    }
+                    catch (error) {
+                        const message = error instanceof Error ? error.message : String(error);
+                        console.error(`[voyant] bootstrap failed for ${label}: ${message}`);
+                    }
+                };
+                for (const plugin of config.plugins ?? []) {
+                    await runIsolated(`plugin:${plugin.name}`, plugin.bootstrap);
+                }
+                for (const mod of allModules) {
+                    await runIsolated(`module:${mod.module.name}`, mod.module.bootstrap);
+                }
+                for (const ext of allExtensions) {
+                    await runIsolated(`extension:${ext.extension.module}/${ext.extension.name}`, ext.extension.bootstrap);
+                }
+            })();
+        }
+        return bootstrapPromise;
+    }
+    // Request ID header
+    app.use("*", requestId);
+    // Structured logger
+    app.use("*", logger(config.logger));
+    // Per-request metrics → Analytics Engine (no-op without the binding).
+    // Mounted before the cache middleware so cache hits are measured too.
+    if (config.metrics !== false) {
+        app.use("*", metrics());
+    }
+    // CORS (allowlist via env CORS_ALLOWLIST)
+    app.use("*", cors());
+    if (config.securityHeaders !== false) {
+        app.use("*", securityHeaders(config.securityHeaders));
+    }
+    if (config.requestBodyLimit !== false) {
+        app.use("*", requestBodyLimit({
+            maxBytes: config.requestBodyLimit?.maxBytes ?? DEFAULT_REQUEST_BODY_LIMIT_BYTES,
+        }));
+    }
+    if (config.rateLimit !== false) {
+        const rateLimitConfig = config.rateLimit;
+        if (rateLimitConfig?.auth !== false) {
+            const authRule = rateLimitConfig?.auth ?? { max: 10, windowSeconds: 60 };
+            app.use("/auth/*", async (c, next) => {
+                if (c.req.method !== "POST")
+                    return next();
+                return rateLimit(buildRateLimitPolicy(rateLimitConfig, c.env, "auth", authRule))(c, next);
+            });
+        }
+        if (rateLimitConfig?.publicWrite !== false) {
+            const publicWriteRule = rateLimitConfig?.publicWrite ?? { max: 60, windowSeconds: 60 };
+            app.use("*", async (c, next) => {
+                if (!WRITE_METHODS.has(c.req.method))
+                    return next();
+                const pathname = normalizePathname(new URL(c.req.url).pathname);
+                const isPublicWrite = pathname.startsWith("/v1/public/") ||
+                    matchesPublicPath(pathname, config.publicPaths ?? []);
+                if (!isPublicWrite)
+                    return next();
+                return rateLimit(buildRateLimitPolicy(rateLimitConfig, c.env, "public-write", publicWriteRule))(c, next);
+            });
+        }
+    }
+    // Shared response cache for the public surface. Mounted BEFORE the
+    // runtime bootstrap on purpose: a cache hit skips module-graph
+    // instantiation, auth, and the per-request db client entirely — the
+    // hit path allocates nothing but the cached body. Only responses a
+    // route explicitly marks `Cache-Control: public, s-maxage=…` are
+    // stored (see middleware docs).
+    if (config.publicCache !== false) {
+        app.use("*", publicResponseCache(config.publicCache ?? {}));
+    }
+    // Per-request outbox store factory: emits happen in route handlers,
+    // after the db middleware ran, so the request's db client is resolved
+    // lazily at capture time. Outbox writes are single statements — the
+    // cheap http client on non-transactional surfaces handles them fine.
+    const buildOutboxStore = config.outbox
+        ? (c) => createOutboxEventStore(() => {
+            const requestDb = c.get("db");
+            if (!requestDb) {
+                throw new Error("[voyant] outbox capture needs the per-request db — emit ran before the db middleware");
+            }
+            return requestDb;
+        })
+        : undefined;
+    app.use("*", async (c, next) => {
+        c.set("container", container);
+        // Request-scoped bus: emits defer non-`inline` subscribers past the
+        // response via waitUntil, so handlers doing outbound HTTP (CMS sync,
+        // e-invoicing) no longer add their latency to every mutation.
+        //
+        // With `outbox: true`, emits are also durable (persisted before
+        // delivery, retried by `drainOutbox` from @voyant-travel/db/outbox) —
+        // INCLUDING on runtimes without an ExecutionContext (Node/headless),
+        // where emits await handlers inline but still capture through the
+        // store. Only when there's neither a scheduler nor a store does the
+        // raw bus go on the context unwrapped.
+        const executionCtx = tryGetExecutionCtx(c);
+        const outboxStore = buildOutboxStore?.(c);
+        c.set("eventBus", executionCtx || outboxStore
+            ? requestScopedEventBus(eventBus, executionCtx ? (pending) => executionCtx.waitUntil(pending) : undefined, outboxStore)
+            : eventBus);
+        if (config.link) {
+            c.set("link", config.link);
+        }
+        if (query) {
+            c.set("query", query);
+        }
+        // Bootstrap (fires once, idempotent) — resolves the workflow driver
+        // with c.env-supplied bindings on the first request, so deferred
+        // driver construction sees real runtime bindings (reviewer P2.1).
+        await ensureRuntimeBootstrapped(c.env);
+        if (workflowDriver) {
+            // Surfaced on `c.var.workflowDriver` so HTTP route handlers can
+            // call `driver.trigger(...)` directly without re-resolving from
+            // the container. Also used by the optional HTTP ingest adapter
+            // (`mountHttpIngestAdapter` from `@voyant-travel/workflows/http-ingest`).
+            c.set("workflowDriver", workflowDriver);
+        }
+        return next();
+    });
+    // Health check (public, no auth)
+    app.get("/health", (c) => c.json({ status: "ok" }));
+    // App-owned auth handler (must be before auth middleware — these routes are public)
+    const authHandler = config.auth?.handler;
+    if (authHandler) {
+        app.all("/auth/*", async (c) => {
+            const authApp = authHandler(c.env);
+            return authApp.fetch(c.req.raw, c.env, c.executionCtx);
+        });
+    }
+    // Transactional surface map: a request must be served by a
+    // transaction-capable db client when its path belongs to (a) a module
+    // declaring `requiresTransactionalDb`, (b) a module targeted by an
+    // extension that declares it (extensions mount under the target
+    // module's prefix — e.g. catalog-authoring's compose routes live under
+    // /v1/admin/products), or (c) a template-supplied extra path
+    // (`dbTransactionalPaths` — for additionalRoutes / adapter-wired flows
+    // like the catalog booking engine whose transactionality depends on
+    // starter wiring).
+    const txModuleNames = new Set(allModules.filter((m) => m.module.requiresTransactionalDb).map((m) => m.module.name));
+    for (const ext of allExtensions) {
+        if (ext.extension.requiresTransactionalDb)
+            txModuleNames.add(ext.extension.module);
+    }
+    const txRequiringModules = [...txModuleNames];
+    const txPrefixes = [...(config.dbTransactionalPaths ?? [])];
+    for (const name of txModuleNames) {
+        // `/v1/public/<name>` is added unconditionally (not only when the
+        // module mounts publicRoutes): other modules mounted at the public
+        // root can serve paths under a flagged module's segment — e.g.
+        // storefront (publicPath "/") handles
+        // /v1/public/bookings/sessions/bootstrap, which reaches
+        // bookings' transactional reserve flow.
+        txPrefixes.push(`/v1/admin/${name}`, `/v1/${name}`, `/v1/public/${name}`);
+    }
+    for (const mod of allModules) {
+        if (txModuleNames.has(mod.module.name) && mod.publicRoutes) {
+            txPrefixes.push(resolveSurfaceMountPath("/v1/public", mod.publicPath, mod.module.name));
+        }
+    }
+    for (const ext of allExtensions) {
+        if (txModuleNames.has(ext.extension.module) && ext.publicRoutes) {
+            txPrefixes.push(resolveSurfaceMountPath("/v1/public", ext.publicPath, ext.extension.module));
+        }
+    }
+    // With a `dbTransactional` factory, requests are routed per surface:
+    // transactional prefixes get it, everything else gets the cheap
+    // default (typically neon-http — no per-request connection handshake).
+    // Without it, `config.db` serves everything as before.
+    const dbSource = config.dbTransactional
+        ? createPathDbSelector({
+            defaultFactory: config.db,
+            transactionalFactory: config.dbTransactional,
+            transactionalPrefixes: txPrefixes,
+        })
+        : config.db;
+    // Auth middleware for all other routes
+    app.use("*", requireAuth(dbSource, { publicPaths: config.publicPaths, auth: config.auth }));
+    // DB middleware — sets c.var.db for all downstream handlers.
+    // Pass the list of modules that need interactive transactions so the
+    // middleware can throw a clear startup-style error on first request if
+    // the wired adapter is neon-http (which doesn't support db.transaction).
+    app.use("*", db(dbSource, { requiresTransactionalDb: txRequiringModules }));
+    // Actor guards for the two API surfaces
+    app.use("/v1/admin/*", requireActor("staff"));
+    app.use("/v1/public/*", requireActor("customer", "partner", "supplier"));
+    const requireLegacyActor = requireActor("staff");
+    app.use("/v1/*", (c, next) => {
+        const pathname = new URL(c.req.url).pathname;
+        if (pathname.startsWith("/v1/admin/") || pathname.startsWith("/v1/public/")) {
+            return next();
+        }
+        return requireLegacyActor(c, next);
+    });
+    // Admin capability discovery — GET /v1/admin/_meta/capabilities. A built-in
+    // framework route (like /health), mounted only when the deployment supplies
+    // the operation catalogue via `config.adminMeta` (from
+    // `@voyant-travel/admin-contracts`) — keeping `@voyant-travel/hono` decoupled from it.
+    // Guarded by the `/v1/admin/*` staff actor guard above.
+    if (config.adminMeta) {
+        const adminMeta = config.adminMeta;
+        app.get("/v1/admin/_meta/capabilities", (c) => c.json({
+            contractVersion: adminMeta.contractVersion,
+            ...(adminMeta.deploymentVersion ? { deploymentVersion: adminMeta.deploymentVersion } : {}),
+            modules: allModules.map((m) => m.module.name),
+            operations: adminMeta.operations,
+            actor: c.get("actor"),
+            scopes: c.get("scopes"),
+        }));
+    }
+    // Mount module routes
+    for (const mod of allModules) {
+        if (mod.adminRoutes) {
+            app.route(`/v1/admin/${mod.module.name}`, mod.adminRoutes);
+        }
+        if (mod.publicRoutes) {
+            app.route(resolveSurfaceMountPath("/v1/public", mod.publicPath, mod.module.name), mod.publicRoutes);
+        }
+        if (mod.routes) {
+            app.route(`/v1/${mod.module.name}`, mod.routes);
+        }
+    }
+    // Mount extension routes
+    for (const ext of allExtensions) {
+        if (ext.adminRoutes) {
+            app.route(`/v1/admin/${ext.extension.module}`, ext.adminRoutes);
+        }
+        if (ext.publicRoutes) {
+            app.route(resolveSurfaceMountPath("/v1/public", ext.publicPath, ext.extension.module), ext.publicRoutes);
+        }
+        if (ext.routes) {
+            app.route(`/v1/${ext.extension.module}`, ext.routes);
+        }
+    }
+    // Additional routes
+    if (config.additionalRoutes) {
+        config.additionalRoutes(app);
+    }
+    // Attach `ready()` directly to the Hono instance. Fires the lazy
+    // bootstrap with the supplied bindings (or `{}` for back-compat with
+    // Mode 2 / InMemory drivers that ignore them). Production code never
+    // calls `ready()` — the first request triggers the same boot via
+    // `ensureRuntimeBootstrapped(c.env)`. Tests + Mode 2 sibling processes
+    // use this so the time wheel + manifest registration happen without
+    // traffic; CF-edge users that want eager boot must pass the real `env`
+    // (otherwise the memoized bootstrap promise locks in a driver built
+    // from `{}` and every later request reuses that broken instance).
+    const augmented = app;
+    augmented.eventBus = eventBus;
+    augmented.ready = (bindings) => ensureRuntimeBootstrapped(bindings ?? {});
+    return augmented;
+}

package/dist/auth/crypto.d.ts

@@ -0,0 +1,16 @@
+export declare function randomBytesHex(lengthBytes: number): string;
+export declare function sha256Hex(input: string | Uint8Array): Promise<string>;
+export declare function constantTimeEqual(a: string, b: string): boolean;
+export declare function generateNumericCode(length: number): string;
+/**
+ * SHA-256 hash a string using Web Crypto API.
+ * Returns the hash as a base64url string without padding,
+ * matching Better Auth's `defaultKeyHasher` format.
+ */
+export declare function sha256Base64Url(input: string): Promise<string>;
+/**
+ * Unsign a Better Auth session cookie.
+ * Better Auth signs cookies as: encodeURIComponent(value + "." + base64(HMAC-SHA256(value, secret)))
+ */
+export declare function unsignCookie(rawCookieValue: string, secret: string): Promise<string | null>;
+//# sourceMappingURL=crypto.d.ts.map

package/dist/auth/crypto.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"crypto.d.ts","sourceRoot":"","sources":["../../src/auth/crypto.ts"],"names":[],"mappings":"AAAA,wBAAgB,cAAc,CAAC,WAAW,EAAE,MAAM,GAAG,MAAM,CAM1D;AAED,wBAAsB,SAAS,CAAC,KAAK,EAAE,MAAM,GAAG,UAAU,GAAG,OAAO,CAAC,MAAM,CAAC,CAK3E;AAED,wBAAgB,iBAAiB,CAAC,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,MAAM,GAAG,OAAO,CAO/D;AAED,wBAAgB,mBAAmB,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,CAM1D;AAED;;;;GAIG;AACH,wBAAsB,eAAe,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAUpE;AAED;;;GAGG;AACH,wBAAsB,YAAY,CAAC,cAAc,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAwBjG"}

package/dist/auth/crypto.js

@@ -0,0 +1,66 @@
+export function randomBytesHex(lengthBytes) {
+    const bytes = new Uint8Array(lengthBytes);
+    crypto.getRandomValues(bytes);
+    return Array.from(bytes)
+        .map((b) => b.toString(16).padStart(2, "0"))
+        .join("");
+}
+export async function sha256Hex(input) {
+    const data = typeof input === "string" ? new TextEncoder().encode(input) : input;
+    const hash = await crypto.subtle.digest("SHA-256", data.buffer);
+    const arr = Array.from(new Uint8Array(hash));
+    return arr.map((b) => b.toString(16).padStart(2, "0")).join("");
+}
+export function constantTimeEqual(a, b) {
+    const length = Math.max(a.length, b.length, 1);
+    let diff = a.length === b.length ? 0 : 1;
+    for (let i = 0; i < length; i++) {
+        diff |= (a.charCodeAt(i) | 0) ^ (b.charCodeAt(i) | 0);
+    }
+    return diff === 0;
+}
+export function generateNumericCode(length) {
+    const max = 10 ** length;
+    const buf = new Uint32Array(1);
+    crypto.getRandomValues(buf);
+    const code = Number((buf[0] ?? 0) % max);
+    return String(code).padStart(length, "0");
+}
+/**
+ * SHA-256 hash a string using Web Crypto API.
+ * Returns the hash as a base64url string without padding,
+ * matching Better Auth's `defaultKeyHasher` format.
+ */
+export async function sha256Base64Url(input) {
+    const data = new TextEncoder().encode(input);
+    const hashBuffer = await crypto.subtle.digest("SHA-256", data);
+    const bytes = new Uint8Array(hashBuffer);
+    let binary = "";
+    for (const byte of bytes) {
+        binary += String.fromCharCode(byte);
+    }
+    const base64 = btoa(binary);
+    return base64.replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
+}
+/**
+ * Unsign a Better Auth session cookie.
+ * Better Auth signs cookies as: encodeURIComponent(value + "." + base64(HMAC-SHA256(value, secret)))
+ */
+export async function unsignCookie(rawCookieValue, secret) {
+    const decoded = decodeURIComponent(rawCookieValue);
+    const lastDot = decoded.lastIndexOf(".");
+    if (lastDot < 1)
+        return null;
+    const value = decoded.substring(0, lastDot);
+    const signature = decoded.substring(lastDot + 1);
+    if (signature.length !== 44 || !signature.endsWith("="))
+        return null;
+    const encoder = new TextEncoder();
+    const key = await crypto.subtle.importKey("raw", encoder.encode(secret), { name: "HMAC", hash: "SHA-256" }, false, ["verify"]);
+    const sigBinStr = atob(signature);
+    const sigBytes = new Uint8Array(sigBinStr.length);
+    for (let i = 0; i < sigBinStr.length; i++)
+        sigBytes[i] = sigBinStr.charCodeAt(i);
+    const valid = await crypto.subtle.verify("HMAC", key, sigBytes, encoder.encode(value));
+    return valid ? value : null;
+}

package/dist/auth/index.d.ts

@@ -0,0 +1,5 @@
+export { constantTimeEqual, generateNumericCode, randomBytesHex, sha256Base64Url, sha256Hex, unsignCookie, } from "./crypto.js";
+export { requireUserId } from "./require-user.js";
+export type { SessionAuthContext } from "./session-jwt.js";
+export { extractBearerToken, verifySession } from "./session-jwt.js";
+//# sourceMappingURL=index.d.ts.map

package/dist/auth/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/auth/index.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,iBAAiB,EACjB,mBAAmB,EACnB,cAAc,EACd,eAAe,EACf,SAAS,EACT,YAAY,GACb,MAAM,aAAa,CAAA;AACpB,OAAO,EAAE,aAAa,EAAE,MAAM,mBAAmB,CAAA;AACjD,YAAY,EAAE,kBAAkB,EAAE,MAAM,kBAAkB,CAAA;AAC1D,OAAO,EAAE,kBAAkB,EAAE,aAAa,EAAE,MAAM,kBAAkB,CAAA"}

package/dist/auth/index.js

@@ -0,0 +1,3 @@
+export { constantTimeEqual, generateNumericCode, randomBytesHex, sha256Base64Url, sha256Hex, unsignCookie, } from "./crypto.js";
+export { requireUserId } from "./require-user.js";
+export { extractBearerToken, verifySession } from "./session-jwt.js";

package/dist/auth/require-user.d.ts

@@ -0,0 +1,3 @@
+import type { Context } from "hono";
+export declare function requireUserId(c: Context): string;
+//# sourceMappingURL=require-user.d.ts.map

package/dist/auth/require-user.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"require-user.d.ts","sourceRoot":"","sources":["../../src/auth/require-user.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,MAAM,CAAA;AAInC,wBAAgB,aAAa,CAAC,CAAC,EAAE,OAAO,GAAG,MAAM,CAOhD"}

package/dist/auth/require-user.js

@@ -0,0 +1,8 @@
+import { UnauthorizedApiError } from "../validation.js";
+export function requireUserId(c) {
+    const userId = c.get("userId");
+    if (!userId) {
+        throw new UnauthorizedApiError();
+    }
+    return userId;
+}

package/dist/auth/session-jwt.d.ts

@@ -0,0 +1,7 @@
+export interface SessionAuthContext {
+    userId: string;
+    sessionId?: string;
+}
+export declare function verifySession(token: string, secretKey: string): Promise<SessionAuthContext>;
+export declare function extractBearerToken(authHeader: string | undefined): string | null;
+//# sourceMappingURL=session-jwt.d.ts.map

package/dist/auth/session-jwt.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"session-jwt.d.ts","sourceRoot":"","sources":["../../src/auth/session-jwt.ts"],"names":[],"mappings":"AAEA,MAAM,WAAW,kBAAkB;IACjC,MAAM,EAAE,MAAM,CAAA;IACd,SAAS,CAAC,EAAE,MAAM,CAAA;CACnB;AAED,wBAAsB,aAAa,CAAC,KAAK,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,kBAAkB,CAAC,CAWjG;AAED,wBAAgB,kBAAkB,CAAC,UAAU,EAAE,MAAM,GAAG,SAAS,GAAG,MAAM,GAAG,IAAI,CAWhF"}

package/dist/auth/session-jwt.js

@@ -0,0 +1,23 @@
+import { verifySessionClaims } from "@voyant-travel/utils/session-claims";
+export async function verifySession(token, secretKey) {
+    const payload = await verifySessionClaims(token, secretKey);
+    if (!payload) {
+        throw new Error("Invalid or expired token");
+    }
+    return {
+        userId: payload.userId,
+        sessionId: payload.sessionId,
+    };
+}
+export function extractBearerToken(authHeader) {
+    if (!authHeader)
+        return null;
+    const parts = authHeader.trim().split(/\s+/);
+    if (parts.length !== 2)
+        return null;
+    const scheme = parts[0];
+    const token = parts[1];
+    if (!scheme || !token || !/^bearer$/i.test(scheme))
+        return null;
+    return token;
+}

package/dist/composition.d.ts

@@ -0,0 +1,67 @@
+import type { HonoExtension, HonoModule } from "./module.js";
+/**
+ * Manifest-driven runtime composition.
+ *
+ * The `voyant.config.ts` manifest already drives the migration/schema side
+ * (see `@voyant-travel/cli` `db doctor` and `docs/architecture/migration-resilience-rfc.md`).
+ * This module lets the SAME manifest drive runtime composition: instead of a
+ * template hand-listing `createApp({ modules, extensions })`, it registers a
+ * factory per manifest entry and derives the arrays from the manifest.
+ *
+ * The factories receive a typed **capability container** — the template's
+ * deployment-specific capabilities (storage, FX, notification providers,
+ * document-download resolvers, …) gathered in one place. Because Voyant runs
+ * on Cloudflare Workers (per-request `bindings`), capabilities are typically
+ * bindings-deferred closures (`(bindings) => T`), so the container is a plain
+ * typed value resolved per request rather than a boot-time singleton.
+ */
+/** A manifest entry: a bare specifier or `{ resolve, options }`. */
+export type CompositionEntry = string | {
+    resolve: string;
+    options?: Record<string, unknown>;
+};
+/** The subset of `VoyantConfig` this composer reads. */
+export interface CompositionManifest {
+    modules?: CompositionEntry[];
+    extensions?: CompositionEntry[];
+}
+/** Context handed to every factory: the capability container + per-entry options. */
+export interface CompositionContext<TCapabilities> {
+    capabilities: TCapabilities;
+    options: Record<string, unknown>;
+}
+export type ModuleFactory<TCapabilities> = (ctx: CompositionContext<TCapabilities>) => HonoModule | HonoModule[];
+export type ExtensionFactory<TCapabilities> = (ctx: CompositionContext<TCapabilities>) => HonoExtension;
+/**
+ * Maps manifest specifiers to the factory that builds the runtime unit. Keys
+ * MUST match the `voyant.config.ts` `modules` / `extensions` specifiers.
+ */
+export interface CompositionRegistry<TCapabilities> {
+    modules: Record<string, ModuleFactory<TCapabilities>>;
+    extensions?: Record<string, ExtensionFactory<TCapabilities>>;
+}
+export interface ComposedApp {
+    modules: HonoModule[];
+    extensions: HonoExtension[];
+}
+/**
+ * Derive the `createApp({ modules, extensions })` arrays from a manifest by
+ * looking each entry up in the registry, **preserving manifest order** (mount
+ * + hook-registration order is significant). Throws if the manifest lists an
+ * entry the registry has no factory for — so "added to the manifest but not
+ * wired" fails loudly at boot rather than silently dropping a module.
+ */
+export declare function composeFromManifest<TCapabilities>(manifest: CompositionManifest, registry: CompositionRegistry<TCapabilities>, capabilities: TCapabilities): ComposedApp;
+export interface ManifestRegistryDiff {
+    /** In the manifest but with no registered factory. */
+    missingFactories: string[];
+    /** Registered factories not referenced by the manifest. */
+    orphanFactories: string[];
+}
+/**
+ * Pure parity check between a manifest's entries and a registry's keys, for
+ * tooling (`voyant db doctor`). Reports manifest entries with no factory and
+ * factories the manifest never references.
+ */
+export declare function diffManifestRegistry(manifestEntries: CompositionEntry[], registryKeys: string[]): ManifestRegistryDiff;
+//# sourceMappingURL=composition.d.ts.map

package/dist/composition.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"composition.d.ts","sourceRoot":"","sources":["../src/composition.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,aAAa,EAAE,UAAU,EAAE,MAAM,aAAa,CAAA;AAE5D;;;;;;;;;;;;;;;GAeG;AAEH,oEAAoE;AACpE,MAAM,MAAM,gBAAgB,GAAG,MAAM,GAAG;IAAE,OAAO,EAAE,MAAM,CAAC;IAAC,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAA;CAAE,CAAA;AAE9F,wDAAwD;AACxD,MAAM,WAAW,mBAAmB;IAClC,OAAO,CAAC,EAAE,gBAAgB,EAAE,CAAA;IAC5B,UAAU,CAAC,EAAE,gBAAgB,EAAE,CAAA;CAChC;AAED,qFAAqF;AACrF,MAAM,WAAW,kBAAkB,CAAC,aAAa;IAC/C,YAAY,EAAE,aAAa,CAAA;IAC3B,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAA;CACjC;AAED,MAAM,MAAM,aAAa,CAAC,aAAa,IAAI,CACzC,GAAG,EAAE,kBAAkB,CAAC,aAAa,CAAC,KACnC,UAAU,GAAG,UAAU,EAAE,CAAA;AAC9B,MAAM,MAAM,gBAAgB,CAAC,aAAa,IAAI,CAC5C,GAAG,EAAE,kBAAkB,CAAC,aAAa,CAAC,KACnC,aAAa,CAAA;AAElB;;;GAGG;AACH,MAAM,WAAW,mBAAmB,CAAC,aAAa;IAChD,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,aAAa,CAAC,aAAa,CAAC,CAAC,CAAA;IACrD,UAAU,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,gBAAgB,CAAC,aAAa,CAAC,CAAC,CAAA;CAC7D;AAED,MAAM,WAAW,WAAW;IAC1B,OAAO,EAAE,UAAU,EAAE,CAAA;IACrB,UAAU,EAAE,aAAa,EAAE,CAAA;CAC5B;AAUD;;;;;;GAMG;AACH,wBAAgB,mBAAmB,CAAC,aAAa,EAC/C,QAAQ,EAAE,mBAAmB,EAC7B,QAAQ,EAAE,mBAAmB,CAAC,aAAa,CAAC,EAC5C,YAAY,EAAE,aAAa,GAC1B,WAAW,CA0Bb;AAED,MAAM,WAAW,oBAAoB;IACnC,sDAAsD;IACtD,gBAAgB,EAAE,MAAM,EAAE,CAAA;IAC1B,2DAA2D;IAC3D,eAAe,EAAE,MAAM,EAAE,CAAA;CAC1B;AAED;;;;GAIG;AACH,wBAAgB,oBAAoB,CAClC,eAAe,EAAE,gBAAgB,EAAE,EACnC,YAAY,EAAE,MAAM,EAAE,GACrB,oBAAoB,CAOtB"}