@voyant-travel/hono 0.109.1

package/dist/middleware/auth.js

@@ -0,0 +1,280 @@
+import { apikeyTable } from "@voyant-travel/db/schema/iam";
+import { permissionsToStrings } from "@voyant-travel/types/api-keys";
+import { and, eq, sql } from "drizzle-orm";
+import { constantTimeEqual, sha256Base64Url, sha256Hex } from "../auth/crypto.js";
+import { extractBearerToken, verifySession } from "../auth/session-jwt.js";
+import { tryGetExecutionCtx } from "../lib/execution-ctx.js";
+import { matchesPublicPath, normalizePathname } from "../lib/public-paths.js";
+import { selectDbFactory, } from "../types.js";
+import { acquireRequestDb } from "./request-db.js";
+const API_KEY_PREFIX = "voy_";
+/**
+ * Parse `INTERNAL_API_KEY` as one-or-more comma-separated values, so the
+ * credential can be rotated without a window where one side rejects the
+ * other: deploy `new,old`, flip callers to `new`, then drop `old`.
+ */
+function parseInternalApiKeys(raw) {
+    if (!raw)
+        return [];
+    return raw
+        .split(",")
+        .map((value) => value.trim())
+        .filter(Boolean);
+}
+function parseInternalApiKeyScopes(raw) {
+    const scopes = (raw ?? "")
+        .split(",")
+        .map((value) => value.trim())
+        .filter(Boolean);
+    return scopes.length > 0 ? scopes : ["*:*"];
+}
+/**
+ * Timing-safe membership check for the internal API key. Both sides are
+ * SHA-256-hashed before comparison so the constant-time equality runs on
+ * fixed-length digests — masking both content and length of the
+ * configured keys. Every configured key is checked (no early exit) so
+ * the match position is not observable either.
+ */
+async function matchesInternalApiKey(token, keys) {
+    const tokenDigest = await sha256Hex(token);
+    let matched = false;
+    for (const key of keys) {
+        if (constantTimeEqual(tokenDigest, await sha256Hex(key))) {
+            matched = true;
+        }
+    }
+    return matched;
+}
+// ---- API-key lookup cache (env.CACHE KV) ----
+//
+// Validating a `voy_` key costs one Postgres SELECT per request. For
+// keys WITHOUT a usage quota (`remaining === null`) the row is cached in
+// KV for a short TTL so steady-state server-to-server traffic skips the
+// DB roundtrip. Quota-limited keys are never cached — their remaining
+// count must be read fresh. Trade-off: disabling/revoking a cached key
+// takes effect within the TTL, not instantly.
+const API_KEY_CACHE_PREFIX = "apikey:v1:";
+/** KV minimum is 60s; keep revocation latency at that floor. */
+const API_KEY_CACHE_TTL_SECONDS = 60;
+const API_KEY_DATE_FIELDS = [
+    "createdAt",
+    "updatedAt",
+    "expiresAt",
+    "lastRequest",
+    "lastRefillAt",
+];
+async function readCachedApiKey(kv, keyHash) {
+    try {
+        const entry = await kv.get(`${API_KEY_CACHE_PREFIX}${keyHash}`, {
+            type: "json",
+        });
+        if (!entry || typeof entry !== "object")
+            return null;
+        for (const field of API_KEY_DATE_FIELDS) {
+            const value = entry[field];
+            if (typeof value === "string")
+                entry[field] = new Date(value);
+        }
+        return entry;
+    }
+    catch {
+        return null;
+    }
+}
+async function writeCachedApiKey(kv, keyHash, row) {
+    try {
+        await kv.put(`${API_KEY_CACHE_PREFIX}${keyHash}`, JSON.stringify(row), {
+            expirationTtl: API_KEY_CACHE_TTL_SECONDS,
+        });
+    }
+    catch {
+        // cache writes are best-effort
+    }
+}
+function applyAuthContext(c, auth) {
+    if (auth.userId)
+        c.set("userId", auth.userId);
+    if (auth.sessionId)
+        c.set("sessionId", auth.sessionId);
+    if (auth.organizationId !== undefined)
+        c.set("organizationId", auth.organizationId ?? undefined);
+    if (auth.callerType)
+        c.set("callerType", auth.callerType);
+    if (auth.actor)
+        c.set("actor", auth.actor);
+    if (auth.scopes !== undefined)
+        c.set("scopes", auth.scopes);
+    if (auth.isInternalRequest !== undefined)
+        c.set("isInternalRequest", auth.isInternalRequest);
+    if (auth.apiTokenId)
+        c.set("apiTokenId", auth.apiTokenId);
+    if (auth.apiKeyId)
+        c.set("apiKeyId", auth.apiKeyId);
+}
+export function requireAuth(dbSource, opts) {
+    const publicPaths = opts?.publicPaths ?? [];
+    return async (c, next) => {
+        if (c.req.method === "OPTIONS")
+            return next();
+        // Resolve the surface-appropriate factory once — the db middleware
+        // downstream resolves the same one, so both share one client.
+        const dbFactory = selectDbFactory(dbSource, c.req.path);
+        const url = new URL(c.req.url);
+        const p = normalizePathname(url.pathname);
+        const isPublicAuth = p === "/auth/callback" || p.startsWith("/auth/");
+        const isHealthCheck = p === "/health";
+        if (isPublicAuth || isHealthCheck)
+            return next();
+        if (matchesPublicPath(p, publicPaths)) {
+            if (p.startsWith("/v1/public/")) {
+                c.set("actor", "customer");
+            }
+            return next();
+        }
+        const authHeader = c.req.header("authorization") || c.req.header("Authorization");
+        const token = extractBearerToken(authHeader);
+        // Strategy 1: Internal API Key
+        const internalKeys = parseInternalApiKeys(c.env.INTERNAL_API_KEY);
+        if (token && internalKeys.length > 0 && (await matchesInternalApiKey(token, internalKeys))) {
+            applyAuthContext(c, {
+                callerType: "internal",
+                isInternalRequest: true,
+                actor: "staff",
+                scopes: parseInternalApiKeyScopes(c.env.INTERNAL_API_KEY_SCOPES),
+            });
+            return next();
+        }
+        // Strategy 2: Core-owned API key support (voy_ prefixed)
+        if (token?.startsWith(API_KEY_PREFIX)) {
+            // Shared per-request client — the db middleware downstream reuses
+            // this same client instead of opening a second Pool.
+            const lease = acquireRequestDb(c, dbFactory);
+            const db = lease.db;
+            try {
+                const keyHash = await sha256Base64Url(token);
+                const kv = c.env.CACHE;
+                let row = kv ? await readCachedApiKey(kv, keyHash) : null;
+                if (!row) {
+                    const [dbRow] = await db
+                        .select()
+                        .from(apikeyTable)
+                        .where(and(eq(apikeyTable.key, keyHash), eq(apikeyTable.enabled, true)))
+                        .limit(1);
+                    row = dbRow ?? null;
+                    // Only quota-less keys are cacheable — `remaining` must be
+                    // read fresh for limited keys.
+                    if (row && row.remaining === null && kv) {
+                        const cacheable = row;
+                        tryGetExecutionCtx(c)?.waitUntil(writeCachedApiKey(kv, keyHash, cacheable));
+                    }
+                }
+                if (!row?.enabled) {
+                    return c.json({ error: "Invalid API key" }, 401);
+                }
+                if (row.expiresAt && row.expiresAt < new Date()) {
+                    return c.json({ error: "API key expired" }, 401);
+                }
+                if (row.remaining !== null && row.remaining <= 0) {
+                    return c.json({ error: "API key usage limit exceeded" }, 429);
+                }
+                if (opts?.auth?.validateApiKey) {
+                    const isValid = await opts.auth.validateApiKey({
+                        request: c.req.raw,
+                        env: c.env,
+                        db,
+                        // Guarded: Hono throws on `executionCtx` access outside Workers.
+                        ctx: tryGetExecutionCtx(c),
+                        apiKey: row,
+                    });
+                    if (!isValid) {
+                        return c.json({ error: "Invalid API key" }, 401);
+                    }
+                }
+                // Usage counters update off the response path, as SQL increments
+                // so concurrent requests (and cache-served rows) never clobber
+                // each other with stale arithmetic. The query promise starts
+                // immediately either way; `waitUntil` (when the runtime has one)
+                // just keeps the isolate alive until it settles.
+                const counterUpdate = db
+                    .update(apikeyTable)
+                    .set({
+                    // agent-quality: raw-sql reviewed -- Atomic quota counters must increment in SQL to avoid stale read/modify/write races.
+                    requestCount: sql `${apikeyTable.requestCount} + 1`,
+                    lastRequest: new Date(),
+                    // agent-quality: raw-sql reviewed -- Atomic remaining decrement is guarded by the selected API-key row and avoids concurrent quota clobbering.
+                    ...(row.remaining !== null ? { remaining: sql `${apikeyTable.remaining} - 1` } : {}),
+                })
+                    .where(eq(apikeyTable.id, row.id))
+                    .then(() => { })
+                    .catch(() => { });
+                tryGetExecutionCtx(c)?.waitUntil(counterUpdate);
+                const scopes = permissionsToStrings(row.permissions);
+                applyAuthContext(c, {
+                    organizationId: row.referenceId,
+                    scopes,
+                    callerType: "api_key",
+                    apiTokenId: row.id,
+                    apiKeyId: row.id,
+                    // Core-owned API keys (`voy_` prefix) are server-to-server credentials
+                    // issued to operator staff. The actor stays explicit here so that
+                    // `requireActor` doesn't have to default unset callers to "staff".
+                    actor: "staff",
+                });
+                // `await` is load-bearing: with a bare `return next()` the
+                // `finally` would run as soon as the downstream promise is
+                // CREATED — releasing the shared client while the route is
+                // still querying it. Awaiting keeps the release after the
+                // entire downstream pipeline completes.
+                return await next();
+            }
+            catch {
+                // fall through to next strategy
+            }
+            finally {
+                // The creating lease schedules pool teardown via waitUntil so
+                // the worker stays alive for the close handshake; reuse leases
+                // are no-ops.
+                await lease.release();
+            }
+        }
+        // Strategy 3: App-provided auth resolution (cookies, provider tokens, etc.)
+        if (opts?.auth?.resolve) {
+            const lease = acquireRequestDb(c, dbFactory);
+            try {
+                const resolved = await opts.auth.resolve({
+                    request: c.req.raw,
+                    env: c.env,
+                    db: lease.db,
+                    // Guarded: Hono throws on `executionCtx` access outside Workers.
+                    ctx: tryGetExecutionCtx(c),
+                });
+                if (resolved?.userId) {
+                    applyAuthContext(c, resolved);
+                    // `await` is load-bearing — see strategy 2: a bare
+                    // `return next()` would let the `finally` release the shared
+                    // client while downstream is still using it.
+                    return await next();
+                }
+            }
+            finally {
+                await lease.release();
+            }
+        }
+        // Strategy 4: Generic session-claims bearer token support
+        const sessionSecret = c.env.SESSION_CLAIMS_SECRET;
+        if (token && sessionSecret && token.includes(".")) {
+            try {
+                const sessionAuth = await verifySession(token, sessionSecret);
+                applyAuthContext(c, {
+                    ...sessionAuth,
+                    callerType: "session",
+                });
+                return next();
+            }
+            catch {
+                // fall through
+            }
+        }
+        return c.json({ error: "Unauthorized" }, 401);
+    };
+}

package/dist/middleware/body-size.d.ts

@@ -0,0 +1,7 @@
+import type { MiddlewareHandler } from "hono";
+export interface RequestBodyLimitOptions {
+    maxBytes: number;
+}
+export declare const DEFAULT_REQUEST_BODY_LIMIT_BYTES: number;
+export declare function requestBodyLimit(options: RequestBodyLimitOptions): MiddlewareHandler;
+//# sourceMappingURL=body-size.d.ts.map

package/dist/middleware/body-size.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"body-size.d.ts","sourceRoot":"","sources":["../../src/middleware/body-size.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,MAAM,CAAA;AAE7C,MAAM,WAAW,uBAAuB;IACtC,QAAQ,EAAE,MAAM,CAAA;CACjB;AAED,eAAO,MAAM,gCAAgC,QAAmB,CAAA;AAEhE,wBAAgB,gBAAgB,CAAC,OAAO,EAAE,uBAAuB,GAAG,iBAAiB,CAuBpF"}

package/dist/middleware/body-size.js

@@ -0,0 +1,20 @@
+export const DEFAULT_REQUEST_BODY_LIMIT_BYTES = 10 * 1024 * 1024;
+export function requestBodyLimit(options) {
+    return async (c, next) => {
+        if (c.req.method === "GET" || c.req.method === "HEAD" || c.req.method === "OPTIONS") {
+            return next();
+        }
+        const contentLength = c.req.header("content-length");
+        if (contentLength) {
+            const size = Number(contentLength);
+            if (Number.isFinite(size) && size > options.maxBytes) {
+                return c.json({
+                    error: "Request body too large",
+                    code: "request_body_too_large",
+                    maxBytes: options.maxBytes,
+                }, 413);
+            }
+        }
+        return next();
+    };
+}

package/dist/middleware/cors.d.ts

@@ -0,0 +1,6 @@
+import type { MiddlewareHandler } from "hono";
+import type { VoyantBindings } from "../types.js";
+export declare function cors(): MiddlewareHandler<{
+    Bindings: VoyantBindings;
+}>;
+//# sourceMappingURL=cors.d.ts.map

package/dist/middleware/cors.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"cors.d.ts","sourceRoot":"","sources":["../../src/middleware/cors.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,MAAM,CAAA;AAE7C,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,aAAa,CAAA;AA0EjD,wBAAgB,IAAI,IAAI,iBAAiB,CAAC;IAAE,QAAQ,EAAE,cAAc,CAAA;CAAE,CAAC,CAwCtE"}

package/dist/middleware/cors.js

@@ -0,0 +1,94 @@
+/**
+ * Parsed allowlists keyed by the raw `CORS_ALLOWLIST` value. The env value
+ * is constant per deployment (at most a handful of distinct values per
+ * isolate across preview/production bindings), so the cache stays tiny —
+ * but it saves a split + trim + wildcard RegExp compilation on every
+ * request.
+ */
+const compiledAllowlists = new Map();
+function compileMatcher(pattern) {
+    // Credentialed CORS must never turn a bare "*" into reflected allow-all.
+    if (pattern === "*")
+        return () => false;
+    if (!pattern.includes("*")) {
+        return (origin) => origin === pattern;
+    }
+    if (!pattern.startsWith("https://*.") || pattern.slice("https://*.".length).includes("*")) {
+        return () => false;
+    }
+    // Keep local development origins exact. A wildcard such as
+    // `http://localhost:*` is too broad for credentialed requests.
+    const escaped = pattern.replace(/[.+?^${}()|[\]\\]/g, "\\$&").replace(/\*/g, ".*");
+    const regex = new RegExp(`^${escaped}$`);
+    return (origin) => regex.test(origin);
+}
+function compileAllowlist(raw) {
+    const key = raw ?? "";
+    const cached = compiledAllowlists.get(key);
+    if (cached)
+        return cached;
+    const entries = key
+        .split(",")
+        .map((s) => s.trim())
+        .filter(Boolean);
+    const compiled = {
+        entries,
+        matchers: entries.map(compileMatcher),
+    };
+    compiledAllowlists.set(key, compiled);
+    return compiled;
+}
+function isAllowedOrigin(origin, allowlist) {
+    if (allowlist.entries.length === 0)
+        return false;
+    return allowlist.matchers.some((matches) => matches(origin));
+}
+const DEFAULT_ALLOWED_REQUEST_HEADERS = new Set([
+    "authorization",
+    "content-type",
+    "idempotency-key",
+    "x-api-key",
+    "x-request-id",
+    "x-voyant-checkout-capability",
+    "x-voyant-guest-booking-access",
+]);
+function allowedRequestHeaders(requested) {
+    if (!requested)
+        return "content-type, authorization";
+    const allowed = requested
+        .split(",")
+        .map((header) => header.trim().toLowerCase())
+        .filter((header) => DEFAULT_ALLOWED_REQUEST_HEADERS.has(header));
+    return allowed.length > 0 ? allowed.join(", ") : "content-type, authorization";
+}
+export function cors() {
+    return async (c, next) => {
+        const origin = c.req.header("origin") || "";
+        const allowlist = compileAllowlist(c.env.CORS_ALLOWLIST);
+        const allowed = isAllowedOrigin(origin, allowlist);
+        if (origin && !allowed) {
+            console.warn("[CORS] Origin not in allowlist - CORS headers will NOT be set", {
+                origin,
+                allowlist: allowlist.entries,
+                path: c.req.path,
+                method: c.req.method,
+            });
+        }
+        if (c.req.method === "OPTIONS") {
+            if (allowed) {
+                c.header("Access-Control-Allow-Origin", origin);
+                c.header("Vary", "Origin");
+                c.header("Access-Control-Allow-Credentials", "true");
+                c.header("Access-Control-Allow-Headers", allowedRequestHeaders(c.req.header("access-control-request-headers")));
+                c.header("Access-Control-Allow-Methods", c.req.header("access-control-request-method") || "GET,POST,PUT,PATCH,DELETE,OPTIONS");
+            }
+            return c.body(null, 204);
+        }
+        await next();
+        if (allowed) {
+            c.header("Access-Control-Allow-Origin", origin);
+            c.header("Vary", "Origin");
+            c.header("Access-Control-Allow-Credentials", "true");
+        }
+    };
+}

package/dist/middleware/db.d.ts

@@ -0,0 +1,43 @@
+import type { MiddlewareHandler } from "hono";
+import { type DbSource, type VoyantBindings, type VoyantDb } from "../types.js";
+import { DB_METRICS_CONTEXT_KEY, type RequestDbMetrics } from "./metrics.js";
+export interface DbMiddlewareOptions {
+    /**
+     * Names of modules that require a transaction-capable db adapter
+     * (those that set `Module.requiresTransactionalDb`). If non-empty
+     * and the first resolved db reports
+     * `dbSupportsTransactions(db) === false`, the middleware throws a
+     * clear error naming the offending modules. A capability of
+     * `undefined` (untagged drivers like raw `drizzle-orm/node-postgres`)
+     * is treated as "assume capable" — only an explicit `false`
+     * (neon-http) trips the assertion.
+     */
+    requiresTransactionalDb?: readonly string[];
+}
+/**
+ * Resolves the per-request db client and stores it on Hono context.
+ *
+ * If the factory returns a {@link DisposableDb} (e.g. a
+ * `dbFromEnvForApp` that owns a per-request Neon WebSocket Pool), the
+ * middleware schedules `dispose()` via `c.executionCtx.waitUntil` so
+ * the Pool closes cleanly after the response is sent. Without the
+ * scheduled dispose every request would leak its Pool until isolate
+ * teardown, which at scale exhausts Neon's connection budget.
+ *
+ * Factories that return a plain {@link VoyantDb} (e.g. a long-lived
+ * postgres-js client cached at the module level) are wired up as
+ * before with no cleanup hook.
+ *
+ * The client is shared per request via {@link acquireRequestDb}: if the
+ * auth middleware (which runs earlier) already created one for the same
+ * factory, this middleware reuses it instead of opening a second Pool —
+ * the creator's `release()` owns the dispose.
+ */
+export declare function db<TBindings extends VoyantBindings>(source: DbSource<TBindings>, options?: DbMiddlewareOptions): MiddlewareHandler<{
+    Bindings: TBindings;
+    Variables: {
+        db: VoyantDb;
+        [DB_METRICS_CONTEXT_KEY]?: RequestDbMetrics;
+    };
+}>;
+//# sourceMappingURL=db.d.ts.map

package/dist/middleware/db.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"db.d.ts","sourceRoot":"","sources":["../../src/middleware/db.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,MAAM,CAAA;AAE7C,OAAO,EAAE,KAAK,QAAQ,EAAuB,KAAK,cAAc,EAAE,KAAK,QAAQ,EAAE,MAAM,aAAa,CAAA;AACpG,OAAO,EAAE,sBAAsB,EAAE,KAAK,gBAAgB,EAAqB,MAAM,cAAc,CAAA;AAG/F,MAAM,WAAW,mBAAmB;IAClC;;;;;;;;;OASG;IACH,uBAAuB,CAAC,EAAE,SAAS,MAAM,EAAE,CAAA;CAC5C;AAcD;;;;;;;;;;;;;;;;;;GAkBG;AACH,wBAAgB,EAAE,CAAC,SAAS,SAAS,cAAc,EACjD,MAAM,EAAE,QAAQ,CAAC,SAAS,CAAC,EAC3B,OAAO,GAAE,mBAAwB,GAChC,iBAAiB,CAAC;IACnB,QAAQ,EAAE,SAAS,CAAA;IACnB,SAAS,EAAE;QAAE,EAAE,EAAE,QAAQ,CAAC;QAAC,CAAC,sBAAsB,CAAC,CAAC,EAAE,gBAAgB,CAAA;KAAE,CAAA;CACzE,CAAC,CA2CD"}

package/dist/middleware/db.js

@@ -0,0 +1,78 @@
+import { dbSupportsTransactions } from "@voyant-travel/db/transaction-capability";
+import { isDbFactorySelector } from "../types.js";
+import { DB_METRICS_CONTEXT_KEY, withQueryCounting } from "./metrics.js";
+import { acquireRequestDb } from "./request-db.js";
+function buildIncapableDbError(modules) {
+    const list = [...modules].sort().join(", ");
+    return new Error(`[voyant] db adapter does not support interactive transactions, but the ` +
+        `following modules require it: ${list}. ` +
+        `Use createServerlessDbClient (neon-serverless / WebSocket) for ` +
+        `Cloudflare Workers, or createDbClient(url, { adapter: "node" }) for ` +
+        `Node deployments. The "edge" adapter (neon-http) is read-mostly ` +
+        `and cannot run db.transaction(async (tx) => …).`);
+}
+/**
+ * Resolves the per-request db client and stores it on Hono context.
+ *
+ * If the factory returns a {@link DisposableDb} (e.g. a
+ * `dbFromEnvForApp` that owns a per-request Neon WebSocket Pool), the
+ * middleware schedules `dispose()` via `c.executionCtx.waitUntil` so
+ * the Pool closes cleanly after the response is sent. Without the
+ * scheduled dispose every request would leak its Pool until isolate
+ * teardown, which at scale exhausts Neon's connection budget.
+ *
+ * Factories that return a plain {@link VoyantDb} (e.g. a long-lived
+ * postgres-js client cached at the module level) are wired up as
+ * before with no cleanup hook.
+ *
+ * The client is shared per request via {@link acquireRequestDb}: if the
+ * auth middleware (which runs earlier) already created one for the same
+ * factory, this middleware reuses it instead of opening a second Pool —
+ * the creator's `release()` owns the dispose.
+ */
+export function db(source, options = {}) {
+    const requiresTx = options.requiresTransactionalDb ?? [];
+    // Stays `false` until a request resolves a db whose capability tag is
+    // anything other than an explicit `false`. As long as the adapter is
+    // wired wrong, every request keeps surfacing the actionable error —
+    // we don't want the first failing request to silence subsequent
+    // checks and let later writes crash with the deep transaction error.
+    //
+    // With a DbFactorySelector the assertion is per-surface: only requests
+    // the selector routes to the transactional factory must resolve a
+    // transaction-capable client — the default (http) factory is allowed,
+    // by design, to be transaction-incapable.
+    let txCapabilityVerified = false;
+    return async (c, next) => {
+        const selection = isDbFactorySelector(source)
+            ? source.select(c.req.path)
+            : { factory: source, mustSupportTransactions: requiresTx.length > 0 };
+        const lease = acquireRequestDb(c, selection.factory);
+        if (!txCapabilityVerified && selection.mustSupportTransactions && requiresTx.length > 0) {
+            if (dbSupportsTransactions(lease.db) === false) {
+                try {
+                    await lease.release();
+                }
+                catch {
+                    // swallow dispose errors — the original throw is the actionable one
+                }
+                throw buildIncapableDbError(requiresTx);
+            }
+            txCapabilityVerified = true;
+        }
+        // When the metrics middleware put a counter on the context, expose a
+        // query-counting view of the client so per-route db-query counts land
+        // in Analytics Engine. The lease (and its dispose) stay unwrapped.
+        const dbMetrics = c.get(DB_METRICS_CONTEXT_KEY);
+        c.set("db", dbMetrics ? withQueryCounting(lease.db, dbMetrics) : lease.db);
+        try {
+            await next();
+        }
+        finally {
+            // No-op when the auth middleware created (and therefore owns) the
+            // shared client; otherwise schedules dispose via waitUntil (or
+            // awaits inline outside Workers).
+            await lease.release();
+        }
+    };
+}

package/dist/middleware/error-boundary.d.ts

@@ -0,0 +1,5 @@
+import type { Context, MiddlewareHandler } from "hono";
+export declare const requestId: MiddlewareHandler;
+export declare function handleApiError(err: unknown, c: Context): Response;
+export declare const errorBoundary: MiddlewareHandler;
+//# sourceMappingURL=error-boundary.d.ts.map

package/dist/middleware/error-boundary.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"error-boundary.d.ts","sourceRoot":"","sources":["../../src/middleware/error-boundary.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,OAAO,EAAE,iBAAiB,EAAE,MAAM,MAAM,CAAA;AAYtD,eAAO,MAAM,SAAS,EAAE,iBAKvB,CAAA;AAeD,wBAAgB,cAAc,CAAC,GAAG,EAAE,OAAO,EAAE,CAAC,EAAE,OAAO,GAAG,QAAQ,CA6CjE;AAED,eAAO,MAAM,aAAa,EAAE,iBAM3B,CAAA"}

package/dist/middleware/error-boundary.js

@@ -0,0 +1,76 @@
+import { apiErrorSchema } from "@voyant-travel/types";
+import { normalizeValidationError } from "../validation.js";
+function generateRequestId() {
+    const bytes = new Uint8Array(16);
+    crypto.getRandomValues(bytes);
+    return Array.from(bytes)
+        .map((b) => b.toString(16).padStart(2, "0"))
+        .join("");
+}
+export const requestId = async (c, next) => {
+    const existing = c.req.header("x-request-id");
+    const id = existing?.trim() || generateRequestId();
+    c.res.headers.set("X-Request-Id", id);
+    await next();
+};
+const LOGGED_HEADERS = new Set([
+    "accept",
+    "cf-connecting-ip",
+    "cf-ray",
+    "content-length",
+    "content-type",
+    "origin",
+    "referer",
+    "user-agent",
+    "x-forwarded-for",
+    "x-request-id",
+]);
+export function handleApiError(err, c) {
+    const id = c.res.headers.get("X-Request-Id") || generateRequestId();
+    const apiError = normalizeValidationError(err);
+    const errRecord = err instanceof Object ? err : {};
+    const code = apiError?.code;
+    const status = apiError?.status ?? 500;
+    const details = apiError?.details ??
+        (apiError && errRecord.details && typeof errRecord.details === "object"
+            ? errRecord.details
+            : undefined);
+    const errorMessage = apiError ? apiError.message : "Internal Server Error";
+    try {
+        const headers = {};
+        c.req.raw.headers.forEach((value, key) => {
+            const lowerKey = key.toLowerCase();
+            if (LOGGED_HEADERS.has(lowerKey))
+                headers[lowerKey] = value;
+        });
+        console.error("[API:error]", {
+            id,
+            status,
+            code,
+            path: c.req.path,
+            method: c.req.method,
+            headers,
+            err: err instanceof Error ? err.message : String(err),
+            cause: err instanceof Error && err.cause ? String(err.cause) : undefined,
+            stack: err instanceof Error ? err.stack : undefined,
+        });
+    }
+    catch {
+        /* ignore logging errors */
+    }
+    const statusCode = status >= 100 && status <= 599 ? status : 500;
+    return new Response(JSON.stringify(apiErrorSchema.parse({ error: errorMessage, code, requestId: id, details })), {
+        status: statusCode,
+        headers: {
+            "content-type": "application/json",
+        },
+    });
+}
+export const errorBoundary = async (c, next) => {
+    try {
+        await next();
+    }
+    catch (err) {
+        return handleApiError(err, c);
+    }
+};