@voyant-travel/hono 0.114.0 → 0.115.0

package/dist/anonymous-paths.d.ts

@@ -0,0 +1,15 @@
+import type { HonoExtension, HonoModule } from "./module.js";
+/**
+ * Assemble the anonymous-access allow-list (ADR-0008) from module/extension
+ * `anonymous` declarations, unioned with any explicit `publicPaths` the
+ * deployment still passes (the escape hatch — e.g. plugin/webhook routes that
+ * aren't owned by a module, like a payment-processor callback).
+ *
+ * For each declaring unit the public mount is `resolveSurfaceMountPath` of its
+ * `publicPath`/name under `/v1/public`. `anonymous: true` opens the whole mount;
+ * a string array opens specific sub-paths relative to it. Pure and sorted for a
+ * deterministic, snapshot-auditable result; the global list is what `requireAuth`
+ * matches to skip auth (and stamp `actor: "customer"`).
+ */
+export declare function assembleAnonymousPaths(modules: readonly HonoModule[], extensions: readonly HonoExtension[], explicit?: readonly string[]): string[];
+//# sourceMappingURL=anonymous-paths.d.ts.map

package/dist/anonymous-paths.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"anonymous-paths.d.ts","sourceRoot":"","sources":["../src/anonymous-paths.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,aAAa,EAAE,UAAU,EAAE,MAAM,aAAa,CAAA;AAG5D;;;;;;;;;;;GAWG;AACH,wBAAgB,sBAAsB,CACpC,OAAO,EAAE,SAAS,UAAU,EAAE,EAC9B,UAAU,EAAE,SAAS,aAAa,EAAE,EACpC,QAAQ,GAAE,SAAS,MAAM,EAAO,GAC/B,MAAM,EAAE,CAuBV"}

package/dist/anonymous-paths.js

@@ -0,0 +1,35 @@
+import { resolveSurfaceMountPath } from "./mount-paths.js";
+/**
+ * Assemble the anonymous-access allow-list (ADR-0008) from module/extension
+ * `anonymous` declarations, unioned with any explicit `publicPaths` the
+ * deployment still passes (the escape hatch — e.g. plugin/webhook routes that
+ * aren't owned by a module, like a payment-processor callback).
+ *
+ * For each declaring unit the public mount is `resolveSurfaceMountPath` of its
+ * `publicPath`/name under `/v1/public`. `anonymous: true` opens the whole mount;
+ * a string array opens specific sub-paths relative to it. Pure and sorted for a
+ * deterministic, snapshot-auditable result; the global list is what `requireAuth`
+ * matches to skip auth (and stamp `actor: "customer"`).
+ */
+export function assembleAnonymousPaths(modules, extensions, explicit = []) {
+    const paths = new Set(explicit);
+    const add = (mount, anonymous) => {
+        if (!anonymous)
+            return;
+        if (anonymous === true) {
+            paths.add(mount);
+            return;
+        }
+        for (const sub of anonymous) {
+            const trimmed = sub.trim().replace(/^\/+|\/+$/g, "");
+            paths.add(trimmed ? `${mount}/${trimmed}` : mount);
+        }
+    };
+    for (const m of modules) {
+        add(resolveSurfaceMountPath("/v1/public", m.publicPath, m.module.name), m.anonymous);
+    }
+    for (const e of extensions) {
+        add(resolveSurfaceMountPath("/v1/public", e.publicPath, e.extension.module), e.anonymous);
+    }
+    return [...paths].sort();
+}

package/dist/app.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"app.d.ts","sourceRoot":"","sources":["../src/app.ts"],"names":[],"mappings":"AASA,OAAO,EAAE,IAAI,EAAE,MAAM,MAAM,CAAA;AAgC3B,OAAO,KAAK,EAAE,eAAe,EAAE,cAAc,EAAY,eAAe,EAAE,MAAM,YAAY,CAAA;AA2C5F;;;;;;;;;;GAUG;AACH,MAAM,WAAW,mBAAmB,CAAC,SAAS,GAAG,OAAO;IACtD;;;;;;;;;;;OAWG;IACH,KAAK,CAAC,QAAQ,CAAC,EAAE,SAAS,GAAG,OAAO,CAAC,IAAI,CAAC,CAAA;IAC1C;;;;;;;;OAQG;IACH,QAAQ,EAAE,OAAO,qBAAqB,EAAE,QAAQ,CAAA;CACjD;AAED;;;;;;GAMG;AACH,wBAAgB,QAAQ,CAAC,SAAS,SAAS,cAAc,EACvD,MAAM,EAAE,eAAe,CAAC,SAAS,CAAC,GACjC,IAAI,CAAC;IAAE,QAAQ,EAAE,SAAS,CAAC;IAAC,SAAS,EAAE,eAAe,CAAA;CAAE,CAAC,GAAG,mBAAmB,CAAC,SAAS,CAAC,CAqc5F"}
+{"version":3,"file":"app.d.ts","sourceRoot":"","sources":["../src/app.ts"],"names":[],"mappings":"AASA,OAAO,EAAE,IAAI,EAAE,MAAM,MAAM,CAAA;AAkC3B,OAAO,KAAK,EAAE,eAAe,EAAE,cAAc,EAAY,eAAe,EAAE,MAAM,YAAY,CAAA;AAyB5F;;;;;;;;;;GAUG;AACH,MAAM,WAAW,mBAAmB,CAAC,SAAS,GAAG,OAAO;IACtD;;;;;;;;;;;OAWG;IACH,KAAK,CAAC,QAAQ,CAAC,EAAE,SAAS,GAAG,OAAO,CAAC,IAAI,CAAC,CAAA;IAC1C;;;;;;;;OAQG;IACH,QAAQ,EAAE,OAAO,qBAAqB,EAAE,QAAQ,CAAA;CACjD;AAED;;;;;;GAMG;AACH,wBAAgB,QAAQ,CAAC,SAAS,SAAS,cAAc,EACvD,MAAM,EAAE,eAAe,CAAC,SAAS,CAAC,GACjC,IAAI,CAAC;IAAE,QAAQ,EAAE,SAAS,CAAC;IAAC,SAAS,EAAE,eAAe,CAAA;CAAE,CAAC,GAAG,mBAAmB,CAAC,SAAS,CAAC,CAyc5F"}

package/dist/app.js

@@ -1,6 +1,7 @@
 import { createContainer, createEventBus, createQueryRunner, } from "@voyant-travel/core";
 import { createOutboxEventStore } from "@voyant-travel/db/outbox";
 import { Hono } from "hono";
+import { assembleAnonymousPaths } from "./anonymous-paths.js";
 import { containerToServiceResolver, makeFrameworkLogger, wireWorkflowRuntime, } from "./app-workflows.js";
 import { mountLazyRoutePaths, mountLazyRoutesAt } from "./lazy-routes.js";
 import { mountAuthForwarding } from "./lib/auth-forward.js";
@@ -19,19 +20,10 @@ import { publicResponseCache } from "./middleware/public-cache.js";
 import { rateLimit, resolveRateLimitStore, } from "./middleware/rate-limit.js";
 import { requireActor } from "./middleware/require-actor.js";
 import { securityHeaders } from "./middleware/security-headers.js";
+import { resolveSurfaceMountPath } from "./mount-paths.js";
 import { noopReporter, safeCaptureException } from "./observability/reporter.js";
 import { getRequestId } from "./observability/request-context.js";
 import { expandHonoPlugins } from "./plugin.js";
-function resolveSurfaceMountPath(prefix, path, fallback) {
-    const normalized = path?.trim();
-    if (!normalized) {
-        return `${prefix}/${fallback}`;
-    }
-    if (normalized === "/") {
-        return prefix;
-    }
-    return `${prefix}/${normalized.replace(/^\/+|\/+$/g, "")}`;
-}
 const WRITE_METHODS = new Set(["POST", "PUT", "PATCH", "DELETE"]);
 function resolveConfiguredRateLimitStore(config, env) {
     if (!config?.store)
@@ -63,6 +55,11 @@ export function mountApp(config) {
     const expanded = config.plugins ? expandHonoPlugins(config.plugins) : null;
     const allModules = [...(config.modules ?? []), ...(expanded?.modules ?? [])];
     const allExtensions = [...(config.extensions ?? []), ...(expanded?.extensions ?? [])];
+    // Anonymous-access allow-list (ADR-0008): assembled from module/extension
+    // `anonymous` declarations + any explicit `publicPaths` escape-hatch entries.
+    // Used by both the auth middleware (skip auth / stamp customer actor) and the
+    // public-write rate-limit matcher below, so the two never diverge.
+    const anonymousPaths = assembleAnonymousPaths(allModules, allExtensions, config.publicPaths);
     // When the framework owns the bus, route subscriber-dispatch failures
     // (including the workflow forwarder) to the reporter — they're otherwise
     // only console-logged per the fire-and-forget EventBus contract (RFC #1553).
@@ -235,8 +232,7 @@ export function mountApp(config) {
                 if (!WRITE_METHODS.has(c.req.method))
                     return next();
                 const pathname = normalizePathname(new URL(c.req.url).pathname);
-                const isPublicWrite = pathname.startsWith("/v1/public/") ||
-                    matchesPublicPath(pathname, config.publicPaths ?? []);
+                const isPublicWrite = pathname.startsWith("/v1/public/") || matchesPublicPath(pathname, anonymousPaths);
                 if (!isPublicWrite)
                     return next();
                 return rateLimit(buildRateLimitPolicy(rateLimitConfig, c.env, "public-write", publicWriteRule))(c, next);
@@ -356,7 +352,7 @@ export function mountApp(config) {
         })
         : config.db;
     // Auth middleware for all other routes
-    app.use("*", requireAuth(dbSource, { publicPaths: config.publicPaths, auth: config.auth }));
+    app.use("*", requireAuth(dbSource, { publicPaths: anonymousPaths, auth: config.auth }));
     // DB middleware — sets c.var.db for all downstream handlers.
     // Pass the list of modules that need interactive transactions so the
     // middleware can throw a clear startup-style error on first request if

package/dist/composition.d.ts

@@ -52,6 +52,38 @@ export interface ComposedApp {
  * wired" fails loudly at boot rather than silently dropping a module.
  */
 export declare function composeFromManifest<TCapabilities>(manifest: CompositionManifest, registry: CompositionRegistry<TCapabilities>, capabilities: TCapabilities): ComposedApp;
+/**
+ * A module's place in the capability dependency graph (ADR-0007). `provides`
+ * are capability tokens the module supplies (e.g. `"people-directory"`);
+ * `requires` are tokens it depends on another mounted module — or an injected
+ * substitute — to supply. Tokens are opaque strings; the graph is the contract
+ * between modules, decoupled from concrete service shapes.
+ *
+ * `isRequired` marks a module the platform cannot run without: it can be
+ * *overridden* by a substitute (a future capability) but never `exclude`d.
+ */
+export interface CapabilityDeclaration {
+    provides?: readonly string[];
+    requires?: readonly string[];
+    isRequired?: boolean;
+}
+/** Maps a module specifier to its capability declaration. */
+export type CapabilityGraph = Record<string, CapabilityDeclaration>;
+/** An unmet `requires`: a capability no mounted module (nor a substitute) provides. */
+export interface CapabilityGap {
+    capability: string;
+    /** Specifiers of the still-mounted modules that require the missing capability. */
+    requiredBy: string[];
+}
+/**
+ * Pure dependency-graph check for module subsetting (ADR-0007). Given the
+ * specifiers that will actually mount (after any `exclude`) and the capability
+ * graph, return the gaps: required capabilities that nothing still-mounted
+ * provides. An empty array means the subset is safe to compose. Callers turn a
+ * non-empty result into a build/boot error so dropping a depended-on module
+ * fails loudly here rather than as a runtime 500.
+ */
+export declare function findCapabilityGaps(mountedSpecifiers: readonly string[], graph: CapabilityGraph): CapabilityGap[];
 export interface ManifestRegistryDiff {
     /** In the manifest but with no registered factory. */
     missingFactories: string[];

package/dist/composition.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"composition.d.ts","sourceRoot":"","sources":["../src/composition.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,aAAa,EAAE,UAAU,EAAE,MAAM,aAAa,CAAA;AAE5D;;;;;;;;;;;;;;;GAeG;AAEH,oEAAoE;AACpE,MAAM,MAAM,gBAAgB,GAAG,MAAM,GAAG;IAAE,OAAO,EAAE,MAAM,CAAC;IAAC,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAA;CAAE,CAAA;AAE9F,wDAAwD;AACxD,MAAM,WAAW,mBAAmB;IAClC,OAAO,CAAC,EAAE,gBAAgB,EAAE,CAAA;IAC5B,UAAU,CAAC,EAAE,gBAAgB,EAAE,CAAA;CAChC;AAED,qFAAqF;AACrF,MAAM,WAAW,kBAAkB,CAAC,aAAa;IAC/C,YAAY,EAAE,aAAa,CAAA;IAC3B,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAA;CACjC;AAED,MAAM,MAAM,aAAa,CAAC,aAAa,IAAI,CACzC,GAAG,EAAE,kBAAkB,CAAC,aAAa,CAAC,KACnC,UAAU,GAAG,UAAU,EAAE,CAAA;AAC9B,MAAM,MAAM,gBAAgB,CAAC,aAAa,IAAI,CAC5C,GAAG,EAAE,kBAAkB,CAAC,aAAa,CAAC,KACnC,aAAa,CAAA;AAElB;;;GAGG;AACH,MAAM,WAAW,mBAAmB,CAAC,aAAa;IAChD,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,aAAa,CAAC,aAAa,CAAC,CAAC,CAAA;IACrD,UAAU,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,gBAAgB,CAAC,aAAa,CAAC,CAAC,CAAA;CAC7D;AAED,MAAM,WAAW,WAAW;IAC1B,OAAO,EAAE,UAAU,EAAE,CAAA;IACrB,UAAU,EAAE,aAAa,EAAE,CAAA;CAC5B;AAUD;;;;;;GAMG;AACH,wBAAgB,mBAAmB,CAAC,aAAa,EAC/C,QAAQ,EAAE,mBAAmB,EAC7B,QAAQ,EAAE,mBAAmB,CAAC,aAAa,CAAC,EAC5C,YAAY,EAAE,aAAa,GAC1B,WAAW,CA0Bb;AAED,MAAM,WAAW,oBAAoB;IACnC,sDAAsD;IACtD,gBAAgB,EAAE,MAAM,EAAE,CAAA;IAC1B,2DAA2D;IAC3D,eAAe,EAAE,MAAM,EAAE,CAAA;CAC1B;AAED;;;;GAIG;AACH,wBAAgB,oBAAoB,CAClC,eAAe,EAAE,gBAAgB,EAAE,EACnC,YAAY,EAAE,MAAM,EAAE,GACrB,oBAAoB,CAOtB"}
+{"version":3,"file":"composition.d.ts","sourceRoot":"","sources":["../src/composition.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,aAAa,EAAE,UAAU,EAAE,MAAM,aAAa,CAAA;AAE5D;;;;;;;;;;;;;;;GAeG;AAEH,oEAAoE;AACpE,MAAM,MAAM,gBAAgB,GAAG,MAAM,GAAG;IAAE,OAAO,EAAE,MAAM,CAAC;IAAC,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAA;CAAE,CAAA;AAE9F,wDAAwD;AACxD,MAAM,WAAW,mBAAmB;IAClC,OAAO,CAAC,EAAE,gBAAgB,EAAE,CAAA;IAC5B,UAAU,CAAC,EAAE,gBAAgB,EAAE,CAAA;CAChC;AAED,qFAAqF;AACrF,MAAM,WAAW,kBAAkB,CAAC,aAAa;IAC/C,YAAY,EAAE,aAAa,CAAA;IAC3B,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAA;CACjC;AAED,MAAM,MAAM,aAAa,CAAC,aAAa,IAAI,CACzC,GAAG,EAAE,kBAAkB,CAAC,aAAa,CAAC,KACnC,UAAU,GAAG,UAAU,EAAE,CAAA;AAC9B,MAAM,MAAM,gBAAgB,CAAC,aAAa,IAAI,CAC5C,GAAG,EAAE,kBAAkB,CAAC,aAAa,CAAC,KACnC,aAAa,CAAA;AAElB;;;GAGG;AACH,MAAM,WAAW,mBAAmB,CAAC,aAAa;IAChD,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,aAAa,CAAC,aAAa,CAAC,CAAC,CAAA;IACrD,UAAU,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,gBAAgB,CAAC,aAAa,CAAC,CAAC,CAAA;CAC7D;AAED,MAAM,WAAW,WAAW;IAC1B,OAAO,EAAE,UAAU,EAAE,CAAA;IACrB,UAAU,EAAE,aAAa,EAAE,CAAA;CAC5B;AAUD;;;;;;GAMG;AACH,wBAAgB,mBAAmB,CAAC,aAAa,EAC/C,QAAQ,EAAE,mBAAmB,EAC7B,QAAQ,EAAE,mBAAmB,CAAC,aAAa,CAAC,EAC5C,YAAY,EAAE,aAAa,GAC1B,WAAW,CA0Bb;AAED;;;;;;;;;GASG;AACH,MAAM,WAAW,qBAAqB;IACpC,QAAQ,CAAC,EAAE,SAAS,MAAM,EAAE,CAAA;IAC5B,QAAQ,CAAC,EAAE,SAAS,MAAM,EAAE,CAAA;IAC5B,UAAU,CAAC,EAAE,OAAO,CAAA;CACrB;AAED,6DAA6D;AAC7D,MAAM,MAAM,eAAe,GAAG,MAAM,CAAC,MAAM,EAAE,qBAAqB,CAAC,CAAA;AAEnE,uFAAuF;AACvF,MAAM,WAAW,aAAa;IAC5B,UAAU,EAAE,MAAM,CAAA;IAClB,mFAAmF;IACnF,UAAU,EAAE,MAAM,EAAE,CAAA;CACrB;AAED;;;;;;;GAOG;AACH,wBAAgB,kBAAkB,CAChC,iBAAiB,EAAE,SAAS,MAAM,EAAE,EACpC,KAAK,EAAE,eAAe,GACrB,aAAa,EAAE,CAmBjB;AAED,MAAM,WAAW,oBAAoB;IACnC,sDAAsD;IACtD,gBAAgB,EAAE,MAAM,EAAE,CAAA;IAC1B,2DAA2D;IAC3D,eAAe,EAAE,MAAM,EAAE,CAAA;CAC1B;AAED;;;;GAIG;AACH,wBAAgB,oBAAoB,CAClC,eAAe,EAAE,gBAAgB,EAAE,EACnC,YAAY,EAAE,MAAM,EAAE,GACrB,oBAAoB,CAOtB"}

package/dist/composition.js

@@ -31,6 +31,34 @@ export function composeFromManifest(manifest, registry, capabilities) {
     });
     return { modules, extensions };
 }
+/**
+ * Pure dependency-graph check for module subsetting (ADR-0007). Given the
+ * specifiers that will actually mount (after any `exclude`) and the capability
+ * graph, return the gaps: required capabilities that nothing still-mounted
+ * provides. An empty array means the subset is safe to compose. Callers turn a
+ * non-empty result into a build/boot error so dropping a depended-on module
+ * fails loudly here rather than as a runtime 500.
+ */
+export function findCapabilityGaps(mountedSpecifiers, graph) {
+    const provided = new Set();
+    for (const spec of mountedSpecifiers) {
+        for (const cap of graph[spec]?.provides ?? [])
+            provided.add(cap);
+    }
+    const gaps = new Map();
+    for (const spec of mountedSpecifiers) {
+        for (const cap of graph[spec]?.requires ?? []) {
+            if (provided.has(cap))
+                continue;
+            const by = gaps.get(cap) ?? new Set();
+            by.add(spec);
+            gaps.set(cap, by);
+        }
+    }
+    return [...gaps.entries()]
+        .map(([capability, by]) => ({ capability, requiredBy: [...by].sort() }))
+        .sort((a, b) => a.capability.localeCompare(b.capability));
+}
 /**
  * Pure parity check between a manifest's entries and a registry's keys, for
  * tooling (`voyant db doctor`). Reports manifest entries with no factory and

package/dist/index.d.ts

@@ -1,4 +1,5 @@
 export type { VoyantPermission } from "@voyant-travel/core";
+export { assembleAnonymousPaths } from "./anonymous-paths.js";
 export { mountApp } from "./app.js";
 export type { SessionAuthContext } from "./auth/index.js";
 export { constantTimeEqual, extractBearerToken, generateNumericCode, randomBytesHex, requireUserId, sha256Base64Url, sha256Hex, unsignCookie, verifySession, } from "./auth/index.js";

package/dist/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,YAAY,EAAE,gBAAgB,EAAE,MAAM,qBAAqB,CAAA;AAC3D,OAAO,EAAE,QAAQ,EAAE,MAAM,UAAU,CAAA;AACnC,YAAY,EAAE,kBAAkB,EAAE,MAAM,iBAAiB,CAAA;AACzD,OAAO,EACL,iBAAiB,EACjB,kBAAkB,EAClB,mBAAmB,EACnB,cAAc,EACd,aAAa,EACb,eAAe,EACf,SAAS,EACT,YAAY,EACZ,aAAa,GACd,MAAM,iBAAiB,CAAA;AACxB,OAAO,EAAE,KAAK,eAAe,EAAE,SAAS,EAAE,MAAM,iBAAiB,CAAA;AACjE,YAAY,EACV,wBAAwB,EACxB,0BAA0B,EAC1B,wBAAwB,EACxB,8BAA8B,EAC9B,uBAAuB,GACxB,MAAM,wBAAwB,CAAA;AAC/B,OAAO,EAAE,6BAA6B,EAAE,MAAM,wBAAwB,CAAA;AACtE,OAAO,EACL,sBAAsB,EACtB,KAAK,cAAc,EACnB,KAAK,gBAAgB,EACrB,mBAAmB,EACnB,iBAAiB,GAClB,MAAM,kBAAkB,CAAA;AACzB,OAAO,EAAE,oBAAoB,EAAE,KAAK,qBAAqB,EAAE,MAAM,sBAAsB,CAAA;AACvF,OAAO,EACL,WAAW,EACX,qBAAqB,EACrB,IAAI,EACJ,0BAA0B,EAC1B,EAAE,EACF,gBAAgB,EAChB,aAAa,EACb,cAAc,EACd,KAAK,qBAAqB,EAC1B,cAAc,EACd,mBAAmB,EACnB,WAAW,EACX,MAAM,EACN,2BAA2B,EAC3B,SAAS,EACT,SAAS,EACT,YAAY,EACZ,WAAW,EACX,iBAAiB,GAClB,MAAM,uBAAuB,CAAA;AAC9B,YAAY,EAAE,aAAa,EAAE,UAAU,EAAE,MAAM,aAAa,CAAA;AAC5D,YAAY,EAAE,UAAU,EAAE,QAAQ,EAAE,MAAM,0BAA0B,CAAA;AACpE,OAAO,EACL,eAAe,EACf,YAAY,EACZ,YAAY,EACZ,gBAAgB,EAChB,oBAAoB,GACrB,MAAM,0BAA0B,CAAA;AACjC,YAAY,EACV,mBAAmB,EACnB,mBAAmB,EACnB,UAAU,EACV,UAAU,GACX,MAAM,aAAa,CAAA;AACpB,OAAO,EACL,gBAAgB,EAChB,gBAAgB,EAChB,iBAAiB,EACjB,iBAAiB,GAClB,MAAM,aAAa,CAAA;AACpB,YAAY,EACV,6BAA6B,EAC7B,6BAA6B,EAC7B,uBAAuB,EACvB,6BAA6B,GAC9B,MAAM,wBAAwB,CAAA;AAC/B,OAAO,EACL,2BAA2B,EAC3B,4BAA4B,EAC5B,+BAA+B,EAC/B,2BAA2B,GAC5B,MAAM,wBAAwB,CAAA;AAC/B,OAAO,EACL,KAAK,iCAAiC,EACtC,6CAA6C,EAC7C,iCAAiC,EACjC,sCAAsC,EACtC,kCAAkC,EAClC,KAAK,mCAAmC,EACxC,KAAK,8BAA8B,EACnC,KAAK,2BAA2B,EAChC,KAAK,gCAAgC,EACrC,KAAK,gCAAgC,EACrC,KAAK,kCAAkC,EACvC,KAAK,4BAA4B,EACjC,KAAK,sCAAsC,EAC3C,kCAAkC,EAClC,iCAAiC,GAClC,MAAM,+BAA+B,CAAA;AACtC,YAAY,EACV,SAAS,EACT,iBAAiB,EACjB,QAAQ,EACR,kBAAkB,EAClB,QAAQ,EACR,cAAc,EACd,eAAe,EACf,qBAAqB,EACrB,wBAAwB,EACxB,qBAAqB,EACrB,cAAc,EACd,QAAQ,EACR,sBAAsB,EACtB,kBAAkB,EAClB,wBAAwB,EACxB,eAAe,GAChB,MAAM,YAAY,CAAA;AACnB,OAAO,EACL,YAAY,EACZ,iBAAiB,EACjB,wBAAwB,EACxB,aAAa,EACb,qBAAqB,EACrB,UAAU,EACV,sBAAsB,EACtB,oBAAoB,GACrB,MAAM,iBAAiB,CAAA"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,YAAY,EAAE,gBAAgB,EAAE,MAAM,qBAAqB,CAAA;AAC3D,OAAO,EAAE,sBAAsB,EAAE,MAAM,sBAAsB,CAAA;AAC7D,OAAO,EAAE,QAAQ,EAAE,MAAM,UAAU,CAAA;AACnC,YAAY,EAAE,kBAAkB,EAAE,MAAM,iBAAiB,CAAA;AACzD,OAAO,EACL,iBAAiB,EACjB,kBAAkB,EAClB,mBAAmB,EACnB,cAAc,EACd,aAAa,EACb,eAAe,EACf,SAAS,EACT,YAAY,EACZ,aAAa,GACd,MAAM,iBAAiB,CAAA;AACxB,OAAO,EAAE,KAAK,eAAe,EAAE,SAAS,EAAE,MAAM,iBAAiB,CAAA;AACjE,YAAY,EACV,wBAAwB,EACxB,0BAA0B,EAC1B,wBAAwB,EACxB,8BAA8B,EAC9B,uBAAuB,GACxB,MAAM,wBAAwB,CAAA;AAC/B,OAAO,EAAE,6BAA6B,EAAE,MAAM,wBAAwB,CAAA;AACtE,OAAO,EACL,sBAAsB,EACtB,KAAK,cAAc,EACnB,KAAK,gBAAgB,EACrB,mBAAmB,EACnB,iBAAiB,GAClB,MAAM,kBAAkB,CAAA;AACzB,OAAO,EAAE,oBAAoB,EAAE,KAAK,qBAAqB,EAAE,MAAM,sBAAsB,CAAA;AACvF,OAAO,EACL,WAAW,EACX,qBAAqB,EACrB,IAAI,EACJ,0BAA0B,EAC1B,EAAE,EACF,gBAAgB,EAChB,aAAa,EACb,cAAc,EACd,KAAK,qBAAqB,EAC1B,cAAc,EACd,mBAAmB,EACnB,WAAW,EACX,MAAM,EACN,2BAA2B,EAC3B,SAAS,EACT,SAAS,EACT,YAAY,EACZ,WAAW,EACX,iBAAiB,GAClB,MAAM,uBAAuB,CAAA;AAC9B,YAAY,EAAE,aAAa,EAAE,UAAU,EAAE,MAAM,aAAa,CAAA;AAC5D,YAAY,EAAE,UAAU,EAAE,QAAQ,EAAE,MAAM,0BAA0B,CAAA;AACpE,OAAO,EACL,eAAe,EACf,YAAY,EACZ,YAAY,EACZ,gBAAgB,EAChB,oBAAoB,GACrB,MAAM,0BAA0B,CAAA;AACjC,YAAY,EACV,mBAAmB,EACnB,mBAAmB,EACnB,UAAU,EACV,UAAU,GACX,MAAM,aAAa,CAAA;AACpB,OAAO,EACL,gBAAgB,EAChB,gBAAgB,EAChB,iBAAiB,EACjB,iBAAiB,GAClB,MAAM,aAAa,CAAA;AACpB,YAAY,EACV,6BAA6B,EAC7B,6BAA6B,EAC7B,uBAAuB,EACvB,6BAA6B,GAC9B,MAAM,wBAAwB,CAAA;AAC/B,OAAO,EACL,2BAA2B,EAC3B,4BAA4B,EAC5B,+BAA+B,EAC/B,2BAA2B,GAC5B,MAAM,wBAAwB,CAAA;AAC/B,OAAO,EACL,KAAK,iCAAiC,EACtC,6CAA6C,EAC7C,iCAAiC,EACjC,sCAAsC,EACtC,kCAAkC,EAClC,KAAK,mCAAmC,EACxC,KAAK,8BAA8B,EACnC,KAAK,2BAA2B,EAChC,KAAK,gCAAgC,EACrC,KAAK,gCAAgC,EACrC,KAAK,kCAAkC,EACvC,KAAK,4BAA4B,EACjC,KAAK,sCAAsC,EAC3C,kCAAkC,EAClC,iCAAiC,GAClC,MAAM,+BAA+B,CAAA;AACtC,YAAY,EACV,SAAS,EACT,iBAAiB,EACjB,QAAQ,EACR,kBAAkB,EAClB,QAAQ,EACR,cAAc,EACd,eAAe,EACf,qBAAqB,EACrB,wBAAwB,EACxB,qBAAqB,EACrB,cAAc,EACd,QAAQ,EACR,sBAAsB,EACtB,kBAAkB,EAClB,wBAAwB,EACxB,eAAe,GAChB,MAAM,YAAY,CAAA;AACnB,OAAO,EACL,YAAY,EACZ,iBAAiB,EACjB,wBAAwB,EACxB,aAAa,EACb,qBAAqB,EACrB,UAAU,EACV,sBAAsB,EACtB,oBAAoB,GACrB,MAAM,iBAAiB,CAAA"}

package/dist/index.js

@@ -1,3 +1,4 @@
+export { assembleAnonymousPaths } from "./anonymous-paths.js";
 export { mountApp } from "./app.js";
 export { constantTimeEqual, extractBearerToken, generateNumericCode, randomBytesHex, requireUserId, sha256Base64Url, sha256Hex, unsignCookie, verifySession, } from "./auth/index.js";
 export { createApp } from "./create-app.js";

package/dist/module.d.ts

@@ -38,6 +38,19 @@ export interface HonoModule {
      * public root and omit the extra module segment.
      */
     publicPath?: string;
+    /**
+     * Declares which of this module's PUBLIC routes are reachable without a
+     * session (ADR-0008). `true` = the whole public mount is anonymous; a string
+     * array = specific sub-paths relative to the public mount (e.g.
+     * `["/contact-exists"]` on a module mounted at `/v1/public/customer-portal`
+     * opens `/v1/public/customer-portal/contact-exists`). The framework assembles
+     * the global anonymous allow-list from these declarations, so the
+     * "reachable-without-auth" decision lives next to the route rather than in a
+     * hand-maintained `publicPaths` list. Anonymous public requests are stamped
+     * `actor: "customer"`. Only affects the public surface — admin routes always
+     * require a `staff` actor.
+     */
+    anonymous?: boolean | readonly string[];
 }
 export interface HonoExtension {
     extension: Extension;
@@ -60,5 +73,11 @@ export interface HonoExtension {
      * at the public root and omit the extra module segment.
      */
     publicPath?: string;
+    /**
+     * Declares which of this extension's PUBLIC routes are reachable without a
+     * session (ADR-0008). Same semantics as {@link HonoModule.anonymous}, relative
+     * to the extension's public mount.
+     */
+    anonymous?: boolean | readonly string[];
 }
 //# sourceMappingURL=module.d.ts.map

package/dist/module.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"module.d.ts","sourceRoot":"","sources":["../src/module.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,EAAE,MAAM,qBAAqB,CAAA;AAC5D,OAAO,KAAK,EAAE,IAAI,EAAE,MAAM,MAAM,CAAA;AAEhC,OAAO,KAAK,EAAE,cAAc,EAAE,gBAAgB,EAAE,MAAM,kBAAkB,CAAA;AAExE,MAAM,WAAW,UAAU;IACzB,MAAM,EAAE,MAAM,CAAA;IACd;;;;;;OAMG;IAEH,MAAM,CAAC,EAAE,IAAI,CAAC,GAAG,CAAC,CAAA;IAClB,kEAAkE;IAElE,WAAW,CAAC,EAAE,IAAI,CAAC,GAAG,CAAC,CAAA;IACvB,uFAAuF;IAEvF,YAAY,CAAC,EAAE,IAAI,CAAC,GAAG,CAAC,CAAA;IACxB;;;;;OAKG;IACH,eAAe,CAAC,EAAE,gBAAgB,CAAA;IAClC,4FAA4F;IAC5F,gBAAgB,CAAC,EAAE,gBAAgB,CAAA;IACnC;;;;;OAKG;IACH,UAAU,CAAC,EAAE,cAAc,CAAA;IAC3B;;;;;OAKG;IACH,UAAU,CAAC,EAAE,MAAM,CAAA;CACpB;AAED,MAAM,WAAW,aAAa;IAC5B,SAAS,EAAE,SAAS,CAAA;IACpB,0DAA0D;IAE1D,MAAM,CAAC,EAAE,IAAI,CAAC,GAAG,CAAC,CAAA;IAClB,uEAAuE;IAEvE,WAAW,CAAC,EAAE,IAAI,CAAC,GAAG,CAAC,CAAA;IACvB,4FAA4F;IAE5F,YAAY,CAAC,EAAE,IAAI,CAAC,GAAG,CAAC,CAAA;IACxB,kGAAkG;IAClG,eAAe,CAAC,EAAE,gBAAgB,CAAA;IAClC,iGAAiG;IACjG,gBAAgB,CAAC,EAAE,gBAAgB,CAAA;IACnC,gFAAgF;IAChF,UAAU,CAAC,EAAE,cAAc,CAAA;IAC3B;;;;;OAKG;IACH,UAAU,CAAC,EAAE,MAAM,CAAA;CACpB"}
+{"version":3,"file":"module.d.ts","sourceRoot":"","sources":["../src/module.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,EAAE,MAAM,qBAAqB,CAAA;AAC5D,OAAO,KAAK,EAAE,IAAI,EAAE,MAAM,MAAM,CAAA;AAEhC,OAAO,KAAK,EAAE,cAAc,EAAE,gBAAgB,EAAE,MAAM,kBAAkB,CAAA;AAExE,MAAM,WAAW,UAAU;IACzB,MAAM,EAAE,MAAM,CAAA;IACd;;;;;;OAMG;IAEH,MAAM,CAAC,EAAE,IAAI,CAAC,GAAG,CAAC,CAAA;IAClB,kEAAkE;IAElE,WAAW,CAAC,EAAE,IAAI,CAAC,GAAG,CAAC,CAAA;IACvB,uFAAuF;IAEvF,YAAY,CAAC,EAAE,IAAI,CAAC,GAAG,CAAC,CAAA;IACxB;;;;;OAKG;IACH,eAAe,CAAC,EAAE,gBAAgB,CAAA;IAClC,4FAA4F;IAC5F,gBAAgB,CAAC,EAAE,gBAAgB,CAAA;IACnC;;;;;OAKG;IACH,UAAU,CAAC,EAAE,cAAc,CAAA;IAC3B;;;;;OAKG;IACH,UAAU,CAAC,EAAE,MAAM,CAAA;IACnB;;;;;;;;;;;OAWG;IACH,SAAS,CAAC,EAAE,OAAO,GAAG,SAAS,MAAM,EAAE,CAAA;CACxC;AAED,MAAM,WAAW,aAAa;IAC5B,SAAS,EAAE,SAAS,CAAA;IACpB,0DAA0D;IAE1D,MAAM,CAAC,EAAE,IAAI,CAAC,GAAG,CAAC,CAAA;IAClB,uEAAuE;IAEvE,WAAW,CAAC,EAAE,IAAI,CAAC,GAAG,CAAC,CAAA;IACvB,4FAA4F;IAE5F,YAAY,CAAC,EAAE,IAAI,CAAC,GAAG,CAAC,CAAA;IACxB,kGAAkG;IAClG,eAAe,CAAC,EAAE,gBAAgB,CAAA;IAClC,iGAAiG;IACjG,gBAAgB,CAAC,EAAE,gBAAgB,CAAA;IACnC,gFAAgF;IAChF,UAAU,CAAC,EAAE,cAAc,CAAA;IAC3B;;;;;OAKG;IACH,UAAU,CAAC,EAAE,MAAM,CAAA;IACnB;;;;OAIG;IACH,SAAS,CAAC,EAAE,OAAO,GAAG,SAAS,MAAM,EAAE,CAAA;CACxC"}

package/dist/mount-paths.d.ts

@@ -0,0 +1,11 @@
+/**
+ * Resolve a route family's mount path under a surface prefix (`/v1/admin`,
+ * `/v1/public`). `path` is the optional `publicPath` override: empty →
+ * `{prefix}/{fallback}` (the module/extension name); `"/"` → the surface root
+ * (`prefix`); otherwise `{prefix}/{trimmed path}`.
+ *
+ * Shared by the route mounting in `app.ts` and the anonymous-path assembly in
+ * `anonymous-paths.ts` so both compute the same mount.
+ */
+export declare function resolveSurfaceMountPath(prefix: string, path: string | undefined, fallback: string): string;
+//# sourceMappingURL=mount-paths.d.ts.map

package/dist/mount-paths.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"mount-paths.d.ts","sourceRoot":"","sources":["../src/mount-paths.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AACH,wBAAgB,uBAAuB,CACrC,MAAM,EAAE,MAAM,EACd,IAAI,EAAE,MAAM,GAAG,SAAS,EACxB,QAAQ,EAAE,MAAM,GACf,MAAM,CAYR"}

package/dist/mount-paths.js

@@ -0,0 +1,19 @@
+/**
+ * Resolve a route family's mount path under a surface prefix (`/v1/admin`,
+ * `/v1/public`). `path` is the optional `publicPath` override: empty →
+ * `{prefix}/{fallback}` (the module/extension name); `"/"` → the surface root
+ * (`prefix`); otherwise `{prefix}/{trimmed path}`.
+ *
+ * Shared by the route mounting in `app.ts` and the anonymous-path assembly in
+ * `anonymous-paths.ts` so both compute the same mount.
+ */
+export function resolveSurfaceMountPath(prefix, path, fallback) {
+    const normalized = path?.trim();
+    if (!normalized) {
+        return `${prefix}/${fallback}`;
+    }
+    if (normalized === "/") {
+        return prefix;
+    }
+    return `${prefix}/${normalized.replace(/^\/+|\/+$/g, "")}`;
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@voyant-travel/hono",
-  "version": "0.114.0",
+  "version": "0.115.0",
   "license": "Apache-2.0",
   "type": "module",
   "exports": {
@@ -127,16 +127,16 @@
     "@voyant-travel/core": "^0.111.0",
     "@voyant-travel/db": "^0.109.0",
     "@voyant-travel/storage": "^0.105.0",
-    "@voyant-travel/types": "^0.105.0",
-    "@voyant-travel/utils": "^0.105.3",
-    "@voyant-travel/workflows": "^0.111.4"
+    "@voyant-travel/types": "^0.106.0",
+    "@voyant-travel/utils": "^0.105.4",
+    "@voyant-travel/workflows": "^0.111.5"
   },
   "devDependencies": {
     "@cloudflare/workers-types": "^4.20260426.1",
     "typescript": "^6.0.2",
     "vitest": "^4.1.2",
     "@voyant-travel/voyant-typescript-config": "^0.1.0",
-    "@voyant-travel/workflows-orchestrator": "^0.111.4"
+    "@voyant-travel/workflows-orchestrator": "^0.111.5"
   },
   "files": [
     "dist"