@voyant-travel/hono 0.109.1

package/dist/middleware/request-db.d.ts

@@ -0,0 +1,42 @@
+import { type DbFactory, type VoyantBindings, type VoyantDb } from "../types.js";
+/**
+ * Minimal structural slice of a Hono `Context` that the request-db
+ * helpers need. Typed structurally so unit tests can pass a stub and so
+ * this module doesn't constrain the app's `Variables` generic.
+ */
+export interface RequestDbContextLike<TBindings extends VoyantBindings = VoyantBindings> {
+    req: {
+        raw: Request;
+    };
+    env: TBindings;
+    /**
+     * Hono throws on `executionCtx` access in runtimes without one (Node
+     * tests, some adapters) — callers of {@link acquireRequestDb} never
+     * touch it directly; we read it defensively inside `release`.
+     */
+    executionCtx?: unknown;
+}
+export interface RequestDbLease {
+    db: VoyantDb;
+    /**
+     * Whether this lease created the underlying client. Only the creator's
+     * `release()` disposes; reuse leases are no-ops, so the client stays
+     * alive until the outermost (creating) middleware's `finally` runs —
+     * which is after the entire downstream pipeline has completed.
+     */
+    isCreator: boolean;
+    /**
+     * Settle the lease. For the creating lease this schedules `dispose()`
+     * via `executionCtx.waitUntil` (or awaits inline outside Workers).
+     * Idempotent; reuse leases resolve immediately.
+     */
+    release: () => Promise<void>;
+}
+/**
+ * Resolve the shared per-request db client for `factory`, creating it on
+ * first acquisition. The creating caller MUST call `lease.release()` in
+ * a `finally` after its `next()` completes; later acquirers within the
+ * same request reuse the client and their `release()` is a no-op.
+ */
+export declare function acquireRequestDb<TBindings extends VoyantBindings>(c: RequestDbContextLike<TBindings>, factory: DbFactory<TBindings>): RequestDbLease;
+//# sourceMappingURL=request-db.d.ts.map

package/dist/middleware/request-db.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"request-db.d.ts","sourceRoot":"","sources":["../../src/middleware/request-db.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,KAAK,SAAS,EAEd,KAAK,cAAc,EACnB,KAAK,QAAQ,EACd,MAAM,aAAa,CAAA;AAOpB;;;;GAIG;AACH,MAAM,WAAW,oBAAoB,CAAC,SAAS,SAAS,cAAc,GAAG,cAAc;IACrF,GAAG,EAAE;QAAE,GAAG,EAAE,OAAO,CAAA;KAAE,CAAA;IACrB,GAAG,EAAE,SAAS,CAAA;IACd;;;;OAIG;IACH,YAAY,CAAC,EAAE,OAAO,CAAA;CACvB;AAED,MAAM,WAAW,cAAc;IAC7B,EAAE,EAAE,QAAQ,CAAA;IACZ;;;;;OAKG;IACH,SAAS,EAAE,OAAO,CAAA;IAClB;;;;OAIG;IACH,OAAO,EAAE,MAAM,OAAO,CAAC,IAAI,CAAC,CAAA;CAC7B;AA4BD;;;;;GAKG;AACH,wBAAgB,gBAAgB,CAAC,SAAS,SAAS,cAAc,EAC/D,CAAC,EAAE,oBAAoB,CAAC,SAAS,CAAC,EAClC,OAAO,EAAE,SAAS,CAAC,SAAS,CAAC,GAC5B,cAAc,CAkChB"}

package/dist/middleware/request-db.js

@@ -0,0 +1,62 @@
+import { resolveDbFactoryResult, } from "../types.js";
+/**
+ * Per-request db holders, keyed by the raw `Request` then by factory
+ * identity. One `createApp` instance passes the same `config.db` factory
+ * to the auth, permission, and db middlewares — so all of them resolve
+ * the same holder and the request opens a single client instead of one
+ * per middleware (previously 2–3 Neon WebSocket pools per authenticated
+ * request). The WeakMap keeps holders from outliving their request.
+ */
+const requestDbHolders = new WeakMap();
+function readExecutionCtx(c) {
+    try {
+        const ctx = c.executionCtx;
+        if (ctx && typeof ctx.waitUntil === "function")
+            return ctx;
+    }
+    catch {
+        // Hono throws when the adapter provides no ExecutionContext.
+    }
+    return undefined;
+}
+/**
+ * Resolve the shared per-request db client for `factory`, creating it on
+ * first acquisition. The creating caller MUST call `lease.release()` in
+ * a `finally` after its `next()` completes; later acquirers within the
+ * same request reuse the client and their `release()` is a no-op.
+ */
+export function acquireRequestDb(c, factory) {
+    let byFactory = requestDbHolders.get(c.req.raw);
+    if (!byFactory) {
+        byFactory = new Map();
+        requestDbHolders.set(c.req.raw, byFactory);
+    }
+    const existing = byFactory.get(factory);
+    if (existing && !existing.disposed) {
+        return { db: existing.db, isCreator: false, release: async () => { } };
+    }
+    const { db, dispose } = resolveDbFactoryResult(factory(c.env));
+    const holder = { db, dispose, disposed: false };
+    byFactory.set(factory, holder);
+    return {
+        db,
+        isCreator: true,
+        release: async () => {
+            if (holder.disposed)
+                return;
+            holder.disposed = true;
+            if (!holder.dispose)
+                return;
+            // `waitUntil` keeps the Workers isolate alive for the close
+            // handshake without delaying the response; outside Workers we
+            // await inline so tests and Node deployments clean up too.
+            const ctx = readExecutionCtx(c);
+            if (ctx) {
+                ctx.waitUntil(holder.dispose());
+            }
+            else {
+                await holder.dispose();
+            }
+        },
+    };
+}

package/dist/middleware/require-actor.d.ts

@@ -0,0 +1,28 @@
+import type { Actor } from "@voyant-travel/core";
+import type { MiddlewareHandler } from "hono";
+import type { VoyantBindings, VoyantVariables } from "../types.js";
+/**
+ * Guards a route surface by actor type.
+ *
+ * Voyant exposes two API surfaces:
+ * - `/v1/admin/*` — operator staff (`"staff"`)
+ * - `/v1/public/*` — customers, partners, suppliers
+ *
+ * Requests carry an `actor` on `c.var`, typically set by `requireAuth` or a
+ * custom `auth.resolve` integration.
+ *
+ * When the caller has no resolved actor, this middleware returns `401
+ * Unauthorized`. Earlier versions defaulted unset callers to `"staff"` for
+ * backwards compatibility, but that meant a misordered or missing auth
+ * middleware silently granted operator privileges to anonymous traffic.
+ * The default is now fail-closed.
+ *
+ * @example
+ * app.use("/v1/admin/*", requireActor("staff"))
+ * app.use("/v1/public/*", requireActor("customer", "partner", "supplier"))
+ */
+export declare function requireActor<TBindings extends VoyantBindings = VoyantBindings>(...allowed: Actor[]): MiddlewareHandler<{
+    Bindings: TBindings;
+    Variables: VoyantVariables;
+}>;
+//# sourceMappingURL=require-actor.d.ts.map

package/dist/middleware/require-actor.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"require-actor.d.ts","sourceRoot":"","sources":["../../src/middleware/require-actor.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,KAAK,EAAE,MAAM,qBAAqB,CAAA;AAEhD,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,MAAM,CAAA;AAE7C,OAAO,KAAK,EAAE,cAAc,EAAE,eAAe,EAAE,MAAM,aAAa,CAAA;AAuClE;;;;;;;;;;;;;;;;;;;GAmBG;AACH,wBAAgB,YAAY,CAAC,SAAS,SAAS,cAAc,GAAG,cAAc,EAC5E,GAAG,OAAO,EAAE,KAAK,EAAE,GAClB,iBAAiB,CAAC;IACnB,QAAQ,EAAE,SAAS,CAAA;IACnB,SAAS,EAAE,eAAe,CAAA;CAC3B,CAAC,CA6CD"}

package/dist/middleware/require-actor.js

@@ -0,0 +1,89 @@
+import { hasApiKeyPermission, permissionStringsToPermissions } from "@voyant-travel/types/api-keys";
+function apiKeyResourceFromPath(pathname) {
+    const surfaceMatch = pathname.match(/^\/v1\/(?:admin|public)\/([^/]+)/);
+    if (surfaceMatch?.[1])
+        return surfaceMatch[1];
+    const legacyMatch = pathname.match(/^\/v1\/([^/]+)/);
+    if (legacyMatch?.[1] && legacyMatch[1] !== "admin" && legacyMatch[1] !== "public") {
+        return legacyMatch[1];
+    }
+    return null;
+}
+function apiKeyPermissionActionsForMethod(method) {
+    switch (method.toUpperCase()) {
+        case "GET":
+        case "HEAD":
+            return ["read", "search"];
+        case "POST":
+            return ["write", "trigger", "relay"];
+        case "PUT":
+        case "PATCH":
+            return ["write"];
+        case "DELETE":
+            return ["delete"];
+        default:
+            return [];
+    }
+}
+function hasAnyApiKeyPermission(scopes, resource, actions) {
+    if (!scopes || scopes.length === 0)
+        return false;
+    const permissions = permissionStringsToPermissions(scopes);
+    return actions.some((action) => hasApiKeyPermission(permissions, resource, action));
+}
+/**
+ * Guards a route surface by actor type.
+ *
+ * Voyant exposes two API surfaces:
+ * - `/v1/admin/*` — operator staff (`"staff"`)
+ * - `/v1/public/*` — customers, partners, suppliers
+ *
+ * Requests carry an `actor` on `c.var`, typically set by `requireAuth` or a
+ * custom `auth.resolve` integration.
+ *
+ * When the caller has no resolved actor, this middleware returns `401
+ * Unauthorized`. Earlier versions defaulted unset callers to `"staff"` for
+ * backwards compatibility, but that meant a misordered or missing auth
+ * middleware silently granted operator privileges to anonymous traffic.
+ * The default is now fail-closed.
+ *
+ * @example
+ * app.use("/v1/admin/*", requireActor("staff"))
+ * app.use("/v1/public/*", requireActor("customer", "partner", "supplier"))
+ */
+export function requireActor(...allowed) {
+    if (allowed.length === 0) {
+        throw new Error("requireActor: must specify at least one allowed actor");
+    }
+    const allowSet = new Set(allowed);
+    return async (c, next) => {
+        if (c.req.method === "OPTIONS")
+            return next();
+        if (c.get("callerType") === "api_key" || c.get("callerType") === "internal") {
+            const resource = apiKeyResourceFromPath(new URL(c.req.url).pathname);
+            // Meta/discovery endpoints (e.g. `/v1/admin/_meta/capabilities`) report
+            // what the caller can do — including the key's own granted scopes — so any
+            // authenticated API key may read them, regardless of module scope. `_meta`
+            // is a reserved namespace (no module is named `_meta`).
+            if (resource === "_meta")
+                return next();
+            const actions = apiKeyPermissionActionsForMethod(c.req.method);
+            if (resource && hasAnyApiKeyPermission(c.get("scopes"), resource, actions)) {
+                return next();
+            }
+            return c.json({ error: "Forbidden: API key missing required permission" }, 403);
+        }
+        const actor = c.get("actor");
+        if (!actor) {
+            return c.json({
+                error: "Unauthorized: actor not resolved. The auth pipeline did not assign an `actor` to this request. " +
+                    "If you set `auth.resolve` on `createApp({...})`, the returned object must include `actor` " +
+                    '(usually `"staff"` for admin sessions). Public routes should be listed in `publicPaths`.',
+            }, 401);
+        }
+        if (!allowSet.has(actor)) {
+            return c.json({ error: "Forbidden: actor not permitted on this surface" }, 403);
+        }
+        return next();
+    };
+}

package/dist/middleware/require-permission.d.ts

@@ -0,0 +1,9 @@
+import type { MiddlewareHandler } from "hono";
+import { type DbSource, type VoyantAuthIntegration, type VoyantBindings, type VoyantVariables } from "../types.js";
+export declare function requirePermission<TBindings extends VoyantBindings>(dbSource: DbSource<TBindings>, resource: string, action: string, opts?: {
+    auth?: VoyantAuthIntegration<TBindings>;
+}): MiddlewareHandler<{
+    Bindings: TBindings;
+    Variables: VoyantVariables;
+}>;
+//# sourceMappingURL=require-permission.d.ts.map

package/dist/middleware/require-permission.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"require-permission.d.ts","sourceRoot":"","sources":["../../src/middleware/require-permission.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,MAAM,CAAA;AAI7C,OAAO,EACL,KAAK,QAAQ,EAEb,KAAK,qBAAqB,EAC1B,KAAK,cAAc,EACnB,KAAK,eAAe,EACrB,MAAM,aAAa,CAAA;AAIpB,wBAAgB,iBAAiB,CAAC,SAAS,SAAS,cAAc,EAChE,QAAQ,EAAE,QAAQ,CAAC,SAAS,CAAC,EAC7B,QAAQ,EAAE,MAAM,EAChB,MAAM,EAAE,MAAM,EACd,IAAI,CAAC,EAAE;IACL,IAAI,CAAC,EAAE,qBAAqB,CAAC,SAAS,CAAC,CAAA;CACxC,GACA,iBAAiB,CAAC;IACnB,QAAQ,EAAE,SAAS,CAAA;IACnB,SAAS,EAAE,eAAe,CAAA;CAC3B,CAAC,CAmED"}

package/dist/middleware/require-permission.js

@@ -0,0 +1,62 @@
+import { hasApiKeyPermission, permissionStringsToPermissions } from "@voyant-travel/types/api-keys";
+import { requireUserId } from "../auth/require-user.js";
+import { tryGetExecutionCtx } from "../lib/execution-ctx.js";
+import { selectDbFactory, } from "../types.js";
+import { ForbiddenApiError, UnauthorizedApiError } from "../validation.js";
+import { acquireRequestDb } from "./request-db.js";
+export function requirePermission(dbSource, resource, action, opts) {
+    return async (c, next) => {
+        const permission = { resource, action };
+        const scopes = c.get("scopes");
+        if (scopes &&
+            hasApiKeyPermission(permissionStringsToPermissions(scopes), permission.resource, permission.action)) {
+            return next();
+        }
+        const userId = requireUserId(c);
+        const actor = c.get("actor");
+        if (!actor) {
+            // Should be unreachable in well-wired apps: `requireActor` runs before
+            // `requirePermission`. Throw rather than fabricate a default so callers
+            // see the upstream wiring bug instead of a silent privilege grant.
+            throw new UnauthorizedApiError();
+        }
+        if (!opts?.auth?.hasPermission) {
+            return c.json({ error: "No auth permission checker configured" }, 500);
+        }
+        // Reuses the per-request client created by the auth/db middleware
+        // upstream (same factory) instead of opening another Pool.
+        const lease = acquireRequestDb(c, selectDbFactory(dbSource, c.req.path));
+        try {
+            const allowed = await opts.auth.hasPermission({
+                request: c.req.raw,
+                env: c.env,
+                db: lease.db,
+                // Guarded: Hono throws on `executionCtx` access outside Workers.
+                ctx: tryGetExecutionCtx(c),
+                auth: {
+                    userId,
+                    actor,
+                    sessionId: c.get("sessionId"),
+                    organizationId: c.get("organizationId"),
+                    callerType: c.get("callerType"),
+                    scopes,
+                    isInternalRequest: c.get("isInternalRequest"),
+                    apiTokenId: c.get("apiTokenId"),
+                    apiKeyId: c.get("apiKeyId"),
+                },
+                permission,
+            });
+            if (!allowed) {
+                throw new ForbiddenApiError();
+            }
+            // `await` is load-bearing: a bare `return next()` would run the
+            // `finally` (and release the shared client) as soon as the
+            // downstream promise is created, while the route is still
+            // querying it.
+            return await next();
+        }
+        finally {
+            await lease.release();
+        }
+    };
+}

package/dist/middleware/security-headers.d.ts

@@ -0,0 +1,10 @@
+import type { MiddlewareHandler } from "hono";
+import type { VoyantBindings } from "../types.js";
+export interface SecurityHeadersOptions {
+    contentSecurityPolicy?: string | false;
+    hsts?: boolean;
+}
+export declare function securityHeaders(options?: SecurityHeadersOptions): MiddlewareHandler<{
+    Bindings: VoyantBindings;
+}>;
+//# sourceMappingURL=security-headers.d.ts.map

package/dist/middleware/security-headers.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"security-headers.d.ts","sourceRoot":"","sources":["../../src/middleware/security-headers.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,MAAM,CAAA;AAE7C,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,aAAa,CAAA;AAOjD,MAAM,WAAW,sBAAsB;IACrC,qBAAqB,CAAC,EAAE,MAAM,GAAG,KAAK,CAAA;IACtC,IAAI,CAAC,EAAE,OAAO,CAAA;CACf;AAED,wBAAgB,eAAe,CAC7B,OAAO,GAAE,sBAA2B,GACnC,iBAAiB,CAAC;IAAE,QAAQ,EAAE,cAAc,CAAA;CAAE,CAAC,CAiBjD"}

package/dist/middleware/security-headers.js

@@ -0,0 +1,19 @@
+const DEFAULT_CSP = "default-src 'self'; base-uri 'self'; frame-ancestors 'none'; object-src 'none'; " +
+    "img-src 'self' data: blob:; style-src 'self' 'unsafe-inline'; script-src 'self'; " +
+    "connect-src 'self'";
+export function securityHeaders(options = {}) {
+    const csp = options.contentSecurityPolicy === undefined ? DEFAULT_CSP : options.contentSecurityPolicy;
+    const hsts = options.hsts ?? true;
+    return async (c, next) => {
+        await next();
+        c.header("X-Content-Type-Options", "nosniff");
+        c.header("Referrer-Policy", "strict-origin-when-cross-origin");
+        c.header("X-Frame-Options", "DENY");
+        c.header("Cross-Origin-Opener-Policy", "same-origin");
+        if (csp)
+            c.header("Content-Security-Policy", csp);
+        if (hsts && new URL(c.req.url).protocol === "https:") {
+            c.header("Strict-Transport-Security", "max-age=31536000; includeSubDomains");
+        }
+    };
+}

package/dist/module.d.ts

@@ -0,0 +1,41 @@
+import type { Extension, Module } from "@voyant-travel/core";
+import type { Hono } from "hono";
+export interface HonoModule {
+    module: Module;
+    /**
+     * Legacy routes — mounted at `/v1/{module.name}`. Gated by the caller's
+     * `requireAuth` configuration. Use `adminRoutes` / `publicRoutes` for new
+     * modules that participate in the admin/public API split.
+     *
+     * @deprecated Prefer `adminRoutes` or `publicRoutes`.
+     */
+    routes?: Hono<any>;
+    /** Staff-facing routes — mounted at `/v1/admin/{module.name}`. */
+    adminRoutes?: Hono<any>;
+    /** Customer/partner/supplier-facing routes — mounted at `/v1/public/{module.name}`. */
+    publicRoutes?: Hono<any>;
+    /**
+     * Optional override for the public mount path relative to `/v1/public`.
+     *
+     * Defaults to `{module.name}`. Use `"/"` to mount a module directly at the
+     * public root and omit the extra module segment.
+     */
+    publicPath?: string;
+}
+export interface HonoExtension {
+    extension: Extension;
+    /** @deprecated Prefer `adminRoutes` or `publicRoutes`. */
+    routes?: Hono<any>;
+    /** Staff-facing routes — mounted at `/v1/admin/{extension.module}`. */
+    adminRoutes?: Hono<any>;
+    /** Customer/partner/supplier-facing routes — mounted at `/v1/public/{extension.module}`. */
+    publicRoutes?: Hono<any>;
+    /**
+     * Optional override for the public mount path relative to `/v1/public`.
+     *
+     * Defaults to `{extension.module}`. Use `"/"` to mount an extension directly
+     * at the public root and omit the extra module segment.
+     */
+    publicPath?: string;
+}
+//# sourceMappingURL=module.d.ts.map

package/dist/module.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"module.d.ts","sourceRoot":"","sources":["../src/module.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,EAAE,MAAM,qBAAqB,CAAA;AAC5D,OAAO,KAAK,EAAE,IAAI,EAAE,MAAM,MAAM,CAAA;AAEhC,MAAM,WAAW,UAAU;IACzB,MAAM,EAAE,MAAM,CAAA;IACd;;;;;;OAMG;IAEH,MAAM,CAAC,EAAE,IAAI,CAAC,GAAG,CAAC,CAAA;IAClB,kEAAkE;IAElE,WAAW,CAAC,EAAE,IAAI,CAAC,GAAG,CAAC,CAAA;IACvB,uFAAuF;IAEvF,YAAY,CAAC,EAAE,IAAI,CAAC,GAAG,CAAC,CAAA;IACxB;;;;;OAKG;IACH,UAAU,CAAC,EAAE,MAAM,CAAA;CACpB;AAED,MAAM,WAAW,aAAa;IAC5B,SAAS,EAAE,SAAS,CAAA;IACpB,0DAA0D;IAE1D,MAAM,CAAC,EAAE,IAAI,CAAC,GAAG,CAAC,CAAA;IAClB,uEAAuE;IAEvE,WAAW,CAAC,EAAE,IAAI,CAAC,GAAG,CAAC,CAAA;IACvB,4FAA4F;IAE5F,YAAY,CAAC,EAAE,IAAI,CAAC,GAAG,CAAC,CAAA;IACxB;;;;;OAKG;IACH,UAAU,CAAC,EAAE,MAAM,CAAA;CACpB"}

package/dist/module.js

@@ -0,0 +1 @@
+export {};

package/dist/plugin.d.ts

@@ -0,0 +1,66 @@
+import type { BootstrapHandler, EventFilterDescriptor, LinkDefinition, Subscriber, WorkflowDescriptor } from "@voyant-travel/core";
+import type { HonoExtension, HonoModule } from "./module.js";
+/**
+ * Hono-flavoured bundle contribution surface.
+ *
+ * `@voyant-travel/hono` is the default HTTP transport adapter for Voyant. The
+ * preferred `HonoBundle` term describes reusable packages that contribute
+ * {@link HonoModule} / {@link HonoExtension} wrappers that can carry HTTP
+ * routes. `HonoPlugin` remains as a compatibility alias for the same shape.
+ *
+ * Registered via `createApp({ plugins: [...] })` — the app factory expands
+ * each bundle into the underlying modules, extensions, subscribers, and link
+ * definitions before mounting them.
+ */
+export interface HonoBundle {
+    /** Unique bundle identifier (e.g. "payload-cms", "bokun"). */
+    name: string;
+    /** Optional version tag for diagnostics. */
+    version?: string;
+    /** Optional lazy runtime bootstrap executed once per app/isolate. */
+    bootstrap?: BootstrapHandler;
+    /** Hono modules (module + routes) contributed by the plugin. */
+    modules?: HonoModule[];
+    /** Hono extensions (extension + routes) contributed by the plugin. */
+    extensions?: HonoExtension[];
+    /** Event subscribers wired to the caller's event bus, when provided. */
+    subscribers?: Subscriber[];
+    /** Link definitions contributed by the plugin. */
+    links?: LinkDefinition[];
+    /**
+     * Workflows contributed by the plugin. Mirrors the `Plugin.workflows`
+     * field in `@voyant-travel/core` — collected at `createApp()` boot and
+     * registered with the configured workflow driver.
+     */
+    workflows?: readonly WorkflowDescriptor[];
+    /**
+     * Event filters contributed by the plugin. Mirrors
+     * `Plugin.eventFilters` in `@voyant-travel/core`.
+     */
+    eventFilters?: readonly EventFilterDescriptor[];
+}
+/** @deprecated Prefer {@link HonoBundle}. */
+export type HonoPlugin = HonoBundle;
+/**
+ * Identity helper — returns the bundle unchanged, purely for IDE inference.
+ */
+export declare function defineHonoBundle<P extends HonoBundle>(bundle: P): P;
+/** @deprecated Prefer {@link defineHonoBundle}. */
+export declare const defineHonoPlugin: typeof defineHonoBundle;
+export interface ExpandedHonoBundles {
+    modules: HonoModule[];
+    extensions: HonoExtension[];
+    subscribers: Subscriber[];
+    links: LinkDefinition[];
+}
+/** @deprecated Prefer {@link ExpandedHonoBundles}. */
+export type ExpandedHonoPlugins = ExpandedHonoBundles;
+/**
+ * Flatten a list of {@link HonoBundle} values into their constituent pieces.
+ *
+ * Throws if two bundles declare the same `name`.
+ */
+export declare function expandHonoBundles(bundles: ReadonlyArray<HonoBundle>): ExpandedHonoBundles;
+/** @deprecated Prefer {@link expandHonoBundles}. */
+export declare const expandHonoPlugins: typeof expandHonoBundles;
+//# sourceMappingURL=plugin.d.ts.map

package/dist/plugin.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"plugin.d.ts","sourceRoot":"","sources":["../src/plugin.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EACV,gBAAgB,EAChB,qBAAqB,EACrB,cAAc,EACd,UAAU,EACV,kBAAkB,EACnB,MAAM,qBAAqB,CAAA;AAE5B,OAAO,KAAK,EAAE,aAAa,EAAE,UAAU,EAAE,MAAM,aAAa,CAAA;AAE5D;;;;;;;;;;;GAWG;AACH,MAAM,WAAW,UAAU;IACzB,8DAA8D;IAC9D,IAAI,EAAE,MAAM,CAAA;IACZ,4CAA4C;IAC5C,OAAO,CAAC,EAAE,MAAM,CAAA;IAChB,qEAAqE;IACrE,SAAS,CAAC,EAAE,gBAAgB,CAAA;IAC5B,gEAAgE;IAChE,OAAO,CAAC,EAAE,UAAU,EAAE,CAAA;IACtB,sEAAsE;IACtE,UAAU,CAAC,EAAE,aAAa,EAAE,CAAA;IAC5B,wEAAwE;IACxE,WAAW,CAAC,EAAE,UAAU,EAAE,CAAA;IAC1B,kDAAkD;IAClD,KAAK,CAAC,EAAE,cAAc,EAAE,CAAA;IACxB;;;;OAIG;IACH,SAAS,CAAC,EAAE,SAAS,kBAAkB,EAAE,CAAA;IACzC;;;OAGG;IACH,YAAY,CAAC,EAAE,SAAS,qBAAqB,EAAE,CAAA;CAChD;AAED,6CAA6C;AAC7C,MAAM,MAAM,UAAU,GAAG,UAAU,CAAA;AAEnC;;GAEG;AACH,wBAAgB,gBAAgB,CAAC,CAAC,SAAS,UAAU,EAAE,MAAM,EAAE,CAAC,GAAG,CAAC,CAEnE;AAED,mDAAmD;AACnD,eAAO,MAAM,gBAAgB,yBAAmB,CAAA;AAEhD,MAAM,WAAW,mBAAmB;IAClC,OAAO,EAAE,UAAU,EAAE,CAAA;IACrB,UAAU,EAAE,aAAa,EAAE,CAAA;IAC3B,WAAW,EAAE,UAAU,EAAE,CAAA;IACzB,KAAK,EAAE,cAAc,EAAE,CAAA;CACxB;AAED,sDAAsD;AACtD,MAAM,MAAM,mBAAmB,GAAG,mBAAmB,CAAA;AAErD;;;;GAIG;AACH,wBAAgB,iBAAiB,CAAC,OAAO,EAAE,aAAa,CAAC,UAAU,CAAC,GAAG,mBAAmB,CAoBzF;AAED,oDAAoD;AACpD,eAAO,MAAM,iBAAiB,0BAAoB,CAAA"}

package/dist/plugin.js

@@ -0,0 +1,37 @@
+/**
+ * Identity helper — returns the bundle unchanged, purely for IDE inference.
+ */
+export function defineHonoBundle(bundle) {
+    return bundle;
+}
+/** @deprecated Prefer {@link defineHonoBundle}. */
+export const defineHonoPlugin = defineHonoBundle;
+/**
+ * Flatten a list of {@link HonoBundle} values into their constituent pieces.
+ *
+ * Throws if two bundles declare the same `name`.
+ */
+export function expandHonoBundles(bundles) {
+    const seen = new Set();
+    const modules = [];
+    const extensions = [];
+    const subscribers = [];
+    const links = [];
+    for (const bundle of bundles) {
+        if (seen.has(bundle.name)) {
+            throw new Error(`Duplicate bundle name: "${bundle.name}"`);
+        }
+        seen.add(bundle.name);
+        if (bundle.modules)
+            modules.push(...bundle.modules);
+        if (bundle.extensions)
+            extensions.push(...bundle.extensions);
+        if (bundle.subscribers)
+            subscribers.push(...bundle.subscribers);
+        if (bundle.links)
+            links.push(...bundle.links);
+    }
+    return { modules, extensions, subscribers, links };
+}
+/** @deprecated Prefer {@link expandHonoBundles}. */
+export const expandHonoPlugins = expandHonoBundles;

package/dist/public-capability.d.ts

@@ -0,0 +1,46 @@
+import type { Context } from "hono";
+export interface PublicCapabilityPayload {
+    v: 1;
+    scope: string;
+    subjectId: string;
+    actions: string[];
+    iat: number;
+    exp: number;
+    jti?: string;
+}
+export interface CreatePublicCapabilityOptions {
+    secret: string;
+    scope: string;
+    subjectId: string;
+    actions: string[];
+    ttlSeconds: number;
+    now?: Date;
+    jti?: string;
+}
+export interface VerifyPublicCapabilityOptions {
+    secret: string;
+    scope: string;
+    subjectId: string;
+    action: string;
+    now?: Date;
+}
+export interface PublicCapabilityCookieOptions {
+    name: string;
+    token: string;
+    expiresAt: Date;
+    secure?: boolean;
+    sameSite?: "Strict" | "Lax" | "None";
+    path?: string;
+}
+export declare function createPublicCapabilityToken(options: CreatePublicCapabilityOptions): Promise<{
+    token: string;
+    payload: PublicCapabilityPayload;
+    expiresAt: Date;
+}>;
+export declare function verifyPublicCapabilityToken(token: string, options: VerifyPublicCapabilityOptions): Promise<PublicCapabilityPayload>;
+export declare function extractPublicCapabilityToken(c: Context, options?: {
+    headerName?: string;
+    cookieName?: string;
+}): string | null;
+export declare function serializePublicCapabilityCookie(options: PublicCapabilityCookieOptions): string;
+//# sourceMappingURL=public-capability.d.ts.map

package/dist/public-capability.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"public-capability.d.ts","sourceRoot":"","sources":["../src/public-capability.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,MAAM,CAAA;AAInC,MAAM,WAAW,uBAAuB;IACtC,CAAC,EAAE,CAAC,CAAA;IACJ,KAAK,EAAE,MAAM,CAAA;IACb,SAAS,EAAE,MAAM,CAAA;IACjB,OAAO,EAAE,MAAM,EAAE,CAAA;IACjB,GAAG,EAAE,MAAM,CAAA;IACX,GAAG,EAAE,MAAM,CAAA;IACX,GAAG,CAAC,EAAE,MAAM,CAAA;CACb;AAED,MAAM,WAAW,6BAA6B;IAC5C,MAAM,EAAE,MAAM,CAAA;IACd,KAAK,EAAE,MAAM,CAAA;IACb,SAAS,EAAE,MAAM,CAAA;IACjB,OAAO,EAAE,MAAM,EAAE,CAAA;IACjB,UAAU,EAAE,MAAM,CAAA;IAClB,GAAG,CAAC,EAAE,IAAI,CAAA;IACV,GAAG,CAAC,EAAE,MAAM,CAAA;CACb;AAED,MAAM,WAAW,6BAA6B;IAC5C,MAAM,EAAE,MAAM,CAAA;IACd,KAAK,EAAE,MAAM,CAAA;IACb,SAAS,EAAE,MAAM,CAAA;IACjB,MAAM,EAAE,MAAM,CAAA;IACd,GAAG,CAAC,EAAE,IAAI,CAAA;CACX;AAED,MAAM,WAAW,6BAA6B;IAC5C,IAAI,EAAE,MAAM,CAAA;IACZ,KAAK,EAAE,MAAM,CAAA;IACb,SAAS,EAAE,IAAI,CAAA;IACf,MAAM,CAAC,EAAE,OAAO,CAAA;IAChB,QAAQ,CAAC,EAAE,QAAQ,GAAG,KAAK,GAAG,MAAM,CAAA;IACpC,IAAI,CAAC,EAAE,MAAM,CAAA;CACd;AA2DD,wBAAsB,2BAA2B,CAC/C,OAAO,EAAE,6BAA6B,GACrC,OAAO,CAAC;IAAE,KAAK,EAAE,MAAM,CAAC;IAAC,OAAO,EAAE,uBAAuB,CAAC;IAAC,SAAS,EAAE,IAAI,CAAA;CAAE,CAAC,CAyB/E;AAED,wBAAsB,2BAA2B,CAC/C,KAAK,EAAE,MAAM,EACb,OAAO,EAAE,6BAA6B,GACrC,OAAO,CAAC,uBAAuB,CAAC,CAyClC;AAED,wBAAgB,4BAA4B,CAC1C,CAAC,EAAE,OAAO,EACV,OAAO,GAAE;IAAE,UAAU,CAAC,EAAE,MAAM,CAAC;IAAC,UAAU,CAAC,EAAE,MAAM,CAAA;CAAO,iBA0B3D;AAED,wBAAgB,+BAA+B,CAAC,OAAO,EAAE,6BAA6B,UAiBrF"}