@voyant-travel/storage 0.104.1 → 0.106.0

package/dist/routes.d.ts

@@ -0,0 +1,69 @@
+/**
+ * Media upload + serve HTTP routes, owned by `@voyant-travel/storage`.
+ *
+ * agent-quality: file-size exception -- the media surface (multipart upload,
+ * video upload ticket, and hardened R2 serve) is one cohesive route family that
+ * shares the same content-type safety + key-parsing helpers; splitting it would
+ * scatter a single storage-backed contract.
+ *
+ *   POST /v1/admin/uploads         — multipart file upload → storage ticket
+ *   POST /v1/admin/uploads/video   — video upload ticket (deployment signer)
+ *   GET  /v1/admin/media/*         — serve stored bytes (hardened)
+ *
+ * These routes register ABSOLUTE admin paths, so a deployment mounts the
+ * returned `Hono` at the app root rather than under a module prefix.
+ *
+ * The deployment supplies the storage-backed specifics via `options`:
+ *   - `resolveStorage(c)` — the R2-backed `StorageProvider` for this request
+ *     (or `null` when storage isn't configured → 503),
+ *   - `signVideoUploadTicket(c, input)` — turn a validated video-upload request
+ *     into a provider ticket (TUS / Cloudflare Stream / …),
+ *   - `guessServedMimeType(key)` — best-effort MIME guess for the serve route.
+ *
+ * The package never imports the deployment's R2 binding or video provider.
+ */
+import { type Context, Hono } from "hono";
+import { z } from "zod";
+import type { StorageProvider } from "./types.js";
+/** Validated body shape for a video upload ticket request. */
+export declare const videoUploadTicketBodySchema: z.ZodObject<{
+    fileSize: z.ZodNumber;
+    maxDurationSeconds: z.ZodNumber;
+    name: z.ZodNullable<z.ZodOptional<z.ZodString>>;
+    requireSignedUrls: z.ZodOptional<z.ZodBoolean>;
+    allowedOrigins: z.ZodOptional<z.ZodArray<z.ZodString>>;
+    thumbnailTimestampPct: z.ZodNullable<z.ZodOptional<z.ZodNumber>>;
+    meta: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodString>>;
+}, z.core.$strip>;
+export type VideoUploadTicketRequest = z.infer<typeof videoUploadTicketBodySchema>;
+/**
+ * Deployment-supplied options for the media route module. Structural only —
+ * the injected functions encapsulate the deployment's R2 binding and video
+ * provider so this package stays free of those static imports.
+ */
+export interface MediaRoutesOptions {
+    /**
+     * Resolve the storage provider for this request, or `null` when storage
+     * isn't configured (the upload/serve routes then respond `503`).
+     */
+    resolveStorage(c: Context): StorageProvider | null;
+    /**
+     * Turn a validated video-upload request into a provider ticket. The
+     * deployment owns the provider (Cloudflare Stream / any TUS host).
+     */
+    signVideoUploadTicket(c: Context, input: VideoUploadTicketRequest): Promise<unknown>;
+    /**
+     * Best-effort MIME guess from a stored object key, used by the serve route.
+     * Defaults to {@link guessMimeType}.
+     */
+    guessServedMimeType?(key: string): string;
+}
+/** Best-effort MIME type guess from a file key/path. Used by the serve route. */
+export declare function guessMimeType(key: string): string;
+/**
+ * Build the media upload + serve routes (ABSOLUTE paths; mount at the app
+ * root). The deployment supplies the storage provider + video signer via
+ * `options`.
+ */
+export declare function createMediaRoutes(options: MediaRoutesOptions): Hono;
+//# sourceMappingURL=routes.d.ts.map

package/dist/routes.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"routes.d.ts","sourceRoot":"","sources":["../src/routes.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;GAuBG;AAEH,OAAO,EAAE,KAAK,OAAO,EAAE,IAAI,EAAE,MAAM,MAAM,CAAA;AACzC,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAA;AAEvB,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,YAAY,CAAA;AAyBjD,8DAA8D;AAC9D,eAAO,MAAM,2BAA2B;;;;;;;;iBAQtC,CAAA;AAEF,MAAM,MAAM,wBAAwB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,2BAA2B,CAAC,CAAA;AAMlF;;;;GAIG;AACH,MAAM,WAAW,kBAAkB;IACjC;;;OAGG;IACH,cAAc,CAAC,CAAC,EAAE,OAAO,GAAG,eAAe,GAAG,IAAI,CAAA;IAClD;;;OAGG;IACH,qBAAqB,CAAC,CAAC,EAAE,OAAO,EAAE,KAAK,EAAE,wBAAwB,GAAG,OAAO,CAAC,OAAO,CAAC,CAAA;IACpF;;;OAGG;IACH,mBAAmB,CAAC,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,CAAA;CAC1C;AA4BD,iFAAiF;AACjF,wBAAgB,aAAa,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,CAGjD;AAiGD;;;;GAIG;AACH,wBAAgB,iBAAiB,CAAC,OAAO,EAAE,kBAAkB,GAAG,IAAI,CAkGnE"}

package/dist/routes.js

@@ -0,0 +1,256 @@
+/**
+ * Media upload + serve HTTP routes, owned by `@voyant-travel/storage`.
+ *
+ * agent-quality: file-size exception -- the media surface (multipart upload,
+ * video upload ticket, and hardened R2 serve) is one cohesive route family that
+ * shares the same content-type safety + key-parsing helpers; splitting it would
+ * scatter a single storage-backed contract.
+ *
+ *   POST /v1/admin/uploads         — multipart file upload → storage ticket
+ *   POST /v1/admin/uploads/video   — video upload ticket (deployment signer)
+ *   GET  /v1/admin/media/*         — serve stored bytes (hardened)
+ *
+ * These routes register ABSOLUTE admin paths, so a deployment mounts the
+ * returned `Hono` at the app root rather than under a module prefix.
+ *
+ * The deployment supplies the storage-backed specifics via `options`:
+ *   - `resolveStorage(c)` — the R2-backed `StorageProvider` for this request
+ *     (or `null` when storage isn't configured → 503),
+ *   - `signVideoUploadTicket(c, input)` — turn a validated video-upload request
+ *     into a provider ticket (TUS / Cloudflare Stream / …),
+ *   - `guessServedMimeType(key)` — best-effort MIME guess for the serve route.
+ *
+ * The package never imports the deployment's R2 binding or video provider.
+ */
+import { Hono } from "hono";
+import { z } from "zod";
+// ─────────────────────────────────────────────────────────────────
+// Tuning constants (preserved byte-for-byte from the operator origin)
+// ─────────────────────────────────────────────────────────────────
+const MAX_UPLOAD_BYTES = 25 * 1024 * 1024;
+const MAX_MULTIPART_UPLOAD_BYTES = MAX_UPLOAD_BYTES + 1024 * 1024;
+const MAX_VIDEO_UPLOAD_BYTES = 1024 * 1024 * 1024;
+const MAX_VIDEO_DURATION_SECONDS = 12 * 60 * 60;
+const ALLOWED_MEDIA_KEY_PREFIXES = ["uploads/", "brochures/products/"];
+const UNSAFE_UPLOAD_EXTENSIONS = new Set(["cjs", "htm", "html", "js", "mjs", "svg", "xhtml", "xml"]);
+const SCRIPTABLE_MIME_TYPES = new Set([
+    "application/ecmascript",
+    "application/javascript",
+    "application/xhtml+xml",
+    "application/xml",
+    "image/svg+xml",
+    "text/ecmascript",
+    "text/html",
+    "text/javascript",
+    "text/xml",
+]);
+/** Validated body shape for a video upload ticket request. */
+export const videoUploadTicketBodySchema = z.object({
+    fileSize: z.number().int().positive().max(MAX_VIDEO_UPLOAD_BYTES),
+    maxDurationSeconds: z.number().int().positive().max(MAX_VIDEO_DURATION_SECONDS),
+    name: z.string().trim().min(1).max(255).optional().nullable(),
+    requireSignedUrls: z.boolean().optional(),
+    allowedOrigins: z.array(z.string().trim().min(1).max(2048)).max(20).optional(),
+    thumbnailTimestampPct: z.number().min(0).max(1).optional().nullable(),
+    meta: z.record(z.string().max(128), z.string().max(2048)).optional(),
+});
+// ─────────────────────────────────────────────────────────────────
+// Default MIME guessing (so a deployment can omit `guessServedMimeType`)
+// ─────────────────────────────────────────────────────────────────
+const MIME_BY_EXT = {
+    pdf: "application/pdf",
+    png: "image/png",
+    jpg: "image/jpeg",
+    jpeg: "image/jpeg",
+    gif: "image/gif",
+    webp: "image/webp",
+    svg: "image/svg+xml",
+    mp4: "video/mp4",
+    webm: "video/webm",
+    mov: "video/quicktime",
+    txt: "text/plain",
+    csv: "text/csv",
+    json: "application/json",
+    xml: "application/xml",
+    zip: "application/zip",
+    doc: "application/msword",
+    docx: "application/vnd.openxmlformats-officedocument.wordprocessingml.document",
+    xls: "application/vnd.ms-excel",
+    xlsx: "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet",
+};
+/** Best-effort MIME type guess from a file key/path. Used by the serve route. */
+export function guessMimeType(key) {
+    const ext = key.split(".").pop()?.toLowerCase() ?? "";
+    return MIME_BY_EXT[ext] ?? "application/octet-stream";
+}
+// ─────────────────────────────────────────────────────────────────
+// Pure helpers (preserved byte-for-byte from the operator origin)
+// ─────────────────────────────────────────────────────────────────
+function maybeString(value) {
+    const trimmed = value?.trim();
+    return trimmed && trimmed.length > 0 ? trimmed : null;
+}
+function safeAsciiFilename(filename) {
+    const normalized = maybeString(filename);
+    if (!normalized)
+        return "download";
+    const safe = normalized
+        .normalize("NFKD")
+        .replace(/[^\w .-]+/g, "-")
+        .replace(/[\r\n"\\]+/g, "-")
+        .replace(/\s+/g, " ")
+        .trim()
+        .slice(0, 160);
+    return safe || "download";
+}
+function contentDispositionForKey(key) {
+    return `attachment; filename="${safeAsciiFilename(key.split("/").filter(Boolean).at(-1))}"`;
+}
+function getContentLength(c) {
+    const raw = c.req.header("content-length");
+    if (!raw)
+        return null;
+    const parsed = Number.parseInt(raw, 10);
+    return Number.isFinite(parsed) && parsed >= 0 ? parsed : null;
+}
+function normalizedMimeType(contentType) {
+    const value = maybeString(contentType);
+    if (!value)
+        return null;
+    return value.split(";")[0]?.trim().toLowerCase() || null;
+}
+function isScriptableMimeType(contentType) {
+    const normalized = normalizedMimeType(contentType);
+    return normalized ? SCRIPTABLE_MIME_TYPES.has(normalized) : false;
+}
+function extensionFromFilename(filename) {
+    const lastSegment = filename.split(/[\\/]/).at(-1) ?? filename;
+    const ext = lastSegment.includes(".") ? lastSegment.split(".").pop() : undefined;
+    const normalized = ext?.trim().toLowerCase();
+    return normalized && /^[a-z0-9]{1,16}$/.test(normalized) ? normalized : "bin";
+}
+function safeUploadContentType(file) {
+    const contentType = normalizedMimeType(file.type);
+    if (!contentType || isScriptableMimeType(contentType)) {
+        return "application/octet-stream";
+    }
+    return contentType;
+}
+function parseMediaKey(path) {
+    const rawKey = path.replace(/^\/v1\/(?:admin\/)?media\//, "");
+    if (!rawKey)
+        return null;
+    const segments = [];
+    for (const rawSegment of rawKey.split("/")) {
+        if (!rawSegment)
+            return null;
+        let segment;
+        try {
+            segment = decodeURIComponent(rawSegment);
+        }
+        catch {
+            return null;
+        }
+        if (!segment ||
+            segment === "." ||
+            segment === ".." ||
+            segment.includes("/") ||
+            segment.includes("\\") ||
+            segment.includes("\0")) {
+            return null;
+        }
+        segments.push(segment);
+    }
+    const key = segments.join("/");
+    return ALLOWED_MEDIA_KEY_PREFIXES.some((prefix) => key.startsWith(prefix)) ? key : null;
+}
+// ─────────────────────────────────────────────────────────────────
+// Routes
+// ─────────────────────────────────────────────────────────────────
+/**
+ * Build the media upload + serve routes (ABSOLUTE paths; mount at the app
+ * root). The deployment supplies the storage provider + video signer via
+ * `options`.
+ */
+export function createMediaRoutes(options) {
+    const hono = new Hono();
+    const guessServedMimeType = options.guessServedMimeType ?? guessMimeType;
+    function safeServedContentType(key) {
+        const guessed = guessServedMimeType(key);
+        return isScriptableMimeType(guessed) ? "application/octet-stream" : guessed;
+    }
+    const handleUpload = async (c) => {
+        const storage = options.resolveStorage(c);
+        if (!storage) {
+            return c.json({ error: "Storage not configured" }, 503);
+        }
+        const contentLength = getContentLength(c);
+        if (contentLength !== null && contentLength > MAX_MULTIPART_UPLOAD_BYTES) {
+            return c.json({ error: `Upload is too large; limit is ${MAX_UPLOAD_BYTES} bytes` }, 413);
+        }
+        const body = await c.req.parseBody();
+        const file = body.file;
+        if (!(file instanceof File)) {
+            return c.json({ error: "Missing file field in multipart body" }, 400);
+        }
+        if (file.size > MAX_UPLOAD_BYTES) {
+            return c.json({ error: `Upload is too large; limit is ${MAX_UPLOAD_BYTES} bytes` }, 413);
+        }
+        const ext = extensionFromFilename(file.name);
+        if (UNSAFE_UPLOAD_EXTENSIONS.has(ext) || isScriptableMimeType(file.type)) {
+            return c.json({ error: "Unsupported upload file type" }, 415);
+        }
+        const key = `uploads/${Date.now()}-${crypto.randomUUID().slice(0, 8)}.${ext}`;
+        const contentType = safeUploadContentType(file);
+        const result = await storage.upload(await file.arrayBuffer(), {
+            key,
+            contentType,
+        });
+        return c.json({
+            key: result.key,
+            url: result.url,
+            mimeType: contentType,
+            size: file.size,
+        });
+    };
+    hono.post("/v1/admin/uploads", handleUpload);
+    const handleVideoUploadTicket = async (c) => {
+        let raw;
+        try {
+            raw = await c.req.json();
+        }
+        catch {
+            return c.json({ error: "Invalid JSON body" }, 400);
+        }
+        const parsed = videoUploadTicketBodySchema.safeParse(raw);
+        if (!parsed.success) {
+            return c.json({ error: "Invalid request", issues: parsed.error.issues }, 400);
+        }
+        const ticket = await options.signVideoUploadTicket(c, parsed.data);
+        return c.json(ticket);
+    };
+    hono.post("/v1/admin/uploads/video", handleVideoUploadTicket);
+    const handleMediaServe = async (c) => {
+        const storage = options.resolveStorage(c);
+        if (!storage) {
+            return c.json({ error: "Storage not configured" }, 503);
+        }
+        const key = parseMediaKey(c.req.path);
+        if (!key) {
+            return c.json({ error: "Invalid media key" }, 400);
+        }
+        const buffer = await storage.get(key);
+        if (!buffer) {
+            return c.json({ error: "Not found" }, 404);
+        }
+        const headers = new Headers();
+        headers.set("Content-Type", safeServedContentType(key));
+        headers.set("X-Content-Type-Options", "nosniff");
+        headers.set("Content-Disposition", contentDispositionForKey(key));
+        headers.set("Cache-Control", "public, max-age=31536000, immutable");
+        headers.set("Content-Length", String(buffer.byteLength));
+        return new Response(buffer, { headers });
+    };
+    hono.get("/v1/admin/media/*", handleMediaServe);
+    return hono;
+}

package/dist/routes.test.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=routes.test.d.ts.map

package/dist/routes.test.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"routes.test.d.ts","sourceRoot":"","sources":["../src/routes.test.ts"],"names":[],"mappings":""}

package/dist/routes.test.js

@@ -0,0 +1,144 @@
+// @vitest-environment node
+import { Hono } from "hono";
+import { describe, expect, it, vi } from "vitest";
+import { createMediaRoutes } from "./routes.js";
+function makeStorage(overrides) {
+    return {
+        name: "stub",
+        upload: vi.fn(async () => ({ key: "k", url: "/u" })),
+        delete: vi.fn(async () => { }),
+        signedUrl: vi.fn(async () => "/signed"),
+        get: vi.fn(async () => null),
+        ...overrides,
+    };
+}
+function mountApp(options) {
+    const app = new Hono();
+    app.route("/", createMediaRoutes({
+        resolveStorage: options.resolveStorage ?? (() => null),
+        signVideoUploadTicket: options.signVideoUploadTicket ??
+            (async () => ({ uploadUrl: "https://uploads.example/video" })),
+        ...(options.guessServedMimeType ? { guessServedMimeType: options.guessServedMimeType } : {}),
+    }));
+    return app;
+}
+function multipartFileBody(options) {
+    return [
+        `--${options.boundary}`,
+        `Content-Disposition: form-data; name="file"; filename="${options.filename}"`,
+        `Content-Type: ${options.contentType}`,
+        "",
+        options.body,
+        `--${options.boundary}--`,
+        "",
+    ].join("\r\n");
+}
+describe("media routes", () => {
+    it("streams stored media by allowed key as an attachment", async () => {
+        const storage = makeStorage({ get: vi.fn(async () => new TextEncoder().encode("pdf").buffer) });
+        const app = mountApp({ resolveStorage: () => storage });
+        const response = await app.request("/v1/admin/media/brochures/products/example.pdf");
+        expect(response.status).toBe(200);
+        expect(response.headers.get("content-type")).toBe("application/pdf");
+        expect(response.headers.get("x-content-type-options")).toBe("nosniff");
+        expect(response.headers.get("content-disposition")).toBe('attachment; filename="example.pdf"');
+        await expect(response.text()).resolves.toBe("pdf");
+    });
+    it("rejects media keys outside allowed upload prefixes", async () => {
+        const get = vi.fn(async () => new TextEncoder().encode("private").buffer);
+        const app = mountApp({ resolveStorage: () => makeStorage({ get }) });
+        const response = await app.request("/v1/admin/media/private/example.pdf");
+        expect(response.status).toBe(400);
+        expect(get).not.toHaveBeenCalled();
+    });
+    it("forces scriptable stored media to octet-stream", async () => {
+        const storage = makeStorage({
+            get: vi.fn(async () => new TextEncoder().encode("<svg />").buffer),
+        });
+        const app = mountApp({ resolveStorage: () => storage });
+        const response = await app.request("/v1/admin/media/uploads/evil.svg");
+        expect(response.status).toBe(200);
+        expect(response.headers.get("content-type")).toBe("application/octet-stream");
+        expect(response.headers.get("content-disposition")).toBe('attachment; filename="evil.svg"');
+    });
+    it("serves media through the admin surface with the same hardening", async () => {
+        const get = vi.fn(async () => new TextEncoder().encode("pdf").buffer);
+        const app = mountApp({ resolveStorage: () => makeStorage({ get }) });
+        const response = await app.request("/v1/admin/media/uploads/example.pdf");
+        expect(response.status).toBe(200);
+        expect(get).toHaveBeenCalledWith("uploads/example.pdf");
+        expect(response.headers.get("x-content-type-options")).toBe("nosniff");
+        expect(response.headers.get("content-disposition")).toBe('attachment; filename="example.pdf"');
+    });
+    it("responds 503 when storage is unconfigured", async () => {
+        const app = mountApp({ resolveStorage: () => null });
+        const response = await app.request("/v1/admin/media/uploads/example.pdf");
+        expect(response.status).toBe(503);
+    });
+    it("rejects unsafe upload types", async () => {
+        const upload = vi.fn();
+        const app = mountApp({ resolveStorage: () => makeStorage({ upload }) });
+        const boundary = "----voyant-test-boundary";
+        const response = await app.request("/v1/admin/uploads", {
+            method: "POST",
+            headers: { "content-type": `multipart/form-data; boundary=${boundary}` },
+            body: multipartFileBody({
+                boundary,
+                filename: "evil.svg",
+                contentType: "image/svg+xml",
+                body: "<svg />",
+            }),
+        });
+        expect(response.status).toBe(415);
+        expect(upload).not.toHaveBeenCalled();
+    });
+    it("accepts bounded uploads on the admin surface", async () => {
+        const upload = vi.fn(async (_body, options) => ({
+            key: options.key,
+            url: `/api/v1/admin/media/${options.key}`,
+        }));
+        const app = mountApp({ resolveStorage: () => makeStorage({ upload }) });
+        const boundary = "----voyant-test-boundary";
+        const response = await app.request("/v1/admin/uploads", {
+            method: "POST",
+            headers: { "content-type": `multipart/form-data; boundary=${boundary}` },
+            body: multipartFileBody({
+                boundary,
+                filename: "photo.png",
+                contentType: "image/png",
+                body: "png",
+            }),
+        });
+        expect(response.status).toBe(200);
+        expect(upload).toHaveBeenCalledOnce();
+        expect(upload.mock.calls[0]?.[1]).toMatchObject({ contentType: "image/png" });
+        const body = (await response.json());
+        expect(body.key).toMatch(/^uploads\/\d+-[a-f0-9-]+\.png$/);
+        expect(body.mimeType).toBe("image/png");
+        expect(body.size).toBe(3);
+    });
+    it("validates video upload ticket requests on the admin surface", async () => {
+        const signVideoUploadTicket = vi.fn(async () => ({
+            uploadUrl: "https://uploads.example/video",
+        }));
+        const app = mountApp({ signVideoUploadTicket });
+        const response = await app.request("/v1/admin/uploads/video", {
+            method: "POST",
+            headers: { "content-type": "application/json" },
+            body: JSON.stringify({ fileSize: 1024, maxDurationSeconds: 60, name: "clip.mp4" }),
+        });
+        expect(response.status).toBe(200);
+        expect(signVideoUploadTicket).toHaveBeenCalledWith(expect.anything(), expect.objectContaining({ fileSize: 1024, maxDurationSeconds: 60, name: "clip.mp4" }));
+    });
+    it("rejects an invalid video upload ticket body", async () => {
+        const signVideoUploadTicket = vi.fn();
+        const app = mountApp({ signVideoUploadTicket });
+        const response = await app.request("/v1/admin/uploads/video", {
+            method: "POST",
+            headers: { "content-type": "application/json" },
+            body: JSON.stringify({ fileSize: -1, maxDurationSeconds: 60 }),
+        });
+        expect(response.status).toBe(400);
+        expect(signVideoUploadTicket).not.toHaveBeenCalled();
+    });
+});

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@voyant-travel/storage",
-  "version": "0.104.1",
+  "version": "0.106.0",
   "license": "Apache-2.0",
   "type": "module",
   "exports": {
@@ -19,6 +19,11 @@
       "import": "./dist/service.js",
       "default": "./dist/service.js"
     },
+    "./routes": {
+      "types": "./dist/routes.d.ts",
+      "import": "./dist/routes.js",
+      "default": "./dist/routes.js"
+    },
     "./providers/local": {
       "types": "./dist/providers/local.d.ts",
       "import": "./dist/providers/local.js",
@@ -47,9 +52,15 @@
     "access": "public"
   },
   "dependencies": {},
+  "peerDependencies": {
+    "hono": "^4.12.10",
+    "zod": "^4.3.6"
+  },
   "devDependencies": {
+    "hono": "^4.12.10",
     "typescript": "^6.0.2",
     "vitest": "^4.1.2",
+    "zod": "^4.3.6",
     "@voyant-travel/voyant-typescript-config": "^0.1.0"
   },
   "repository": {
@@ -58,10 +69,10 @@
     "directory": "packages/storage"
   },
   "scripts": {
-    "typecheck": "tsc --noEmit",
+    "typecheck": "tsc -p tsconfig.typecheck.json",
     "lint": "biome check src/",
     "test": "vitest run",
-    "build": "tsc -p tsconfig.json",
+    "build": "tsc -p tsconfig.build.json",
     "clean": "rm -rf dist tsconfig.tsbuildinfo"
   },
   "main": "./dist/index.js",