@voyantjs/hono 0.1.0

package/LICENSE

@@ -0,0 +1,109 @@
+# Functional Source License, Version 1.1, Apache 2.0 Future License
+
+## Abbreviation
+
+FSL-1.1-Apache-2.0
+
+## Notice
+
+Copyright 2026 PixelMakers Studio SRL
+
+## Terms and Conditions
+
+### Licensor ("We")
+
+The party offering the Software under these Terms and Conditions.
+
+### The Software
+
+The "Software" is each version of the software that we make available under
+these Terms and Conditions, as indicated by our inclusion of these Terms and
+Conditions with the Software.
+
+### License Grant
+
+Subject to your compliance with this License Grant and the Patents,
+Redistribution and Trademark clauses below, we hereby grant you the right to
+use, copy, modify, create derivative works, publicly perform, publicly
+display and redistribute the Software for any Permitted Purpose identified
+below.
+
+### Permitted Purpose
+
+A Permitted Purpose is any purpose other than a Competing Use. A Competing
+Use means making the Software available to others in a commercial product or
+service that:
+
+1. substitutes for the Software;
+
+2. substitutes for any other product or service we offer using the Software
+   that exists as of the date we make the Software available; or
+
+3. offers the same or substantially similar functionality as the Software.
+
+Permitted Purposes specifically include using the Software:
+
+1. for your internal use and access;
+
+2. for non-commercial education;
+
+3. for non-commercial research; and
+
+4. in connection with professional services that you provide to a licensee
+   using the Software in accordance with these Terms and Conditions.
+
+### Patents
+
+To the extent your use for a Permitted Purpose would necessarily infringe
+our patents, the license grant above includes a license under our patents.
+If you make a claim against any party that the Software infringes or
+contributes to the infringement of any patent, then your patent license to
+the Software ends immediately.
+
+### Redistribution
+
+The Terms and Conditions apply to all copies, modifications and derivatives
+of the Software.
+
+If you redistribute any copies, modifications or derivatives of the
+Software, you must include a copy of or a link to these Terms and Conditions
+and not remove any copyright notices provided in or with the Software.
+
+### Disclaimer
+
+THE SOFTWARE IS PROVIDED "AS IS" AND WITHOUT WARRANTIES OF ANY KIND, EXPRESS
+OR IMPLIED, INCLUDING WITHOUT LIMITATION WARRANTIES OF FITNESS FOR A
+PARTICULAR PURPOSE, MERCHANTABILITY, TITLE OR NON-INFRINGEMENT.
+
+IN NO EVENT WILL WE HAVE ANY LIABILITY TO YOU ARISING OUT OF OR RELATED TO
+THE SOFTWARE, INCLUDING INDIRECT, SPECIAL, INCIDENTAL OR CONSEQUENTIAL
+DAMAGES, EVEN IF WE HAVE BEEN INFORMED OF THEIR POSSIBILITY IN ADVANCE.
+
+### Trademarks
+
+Except for displaying the License Details and identifying us as the origin
+of the Software, you have no right under these Terms and Conditions to use
+our trademarks, trade names, service marks or product names.
+
+---
+
+## Grant of Future License
+
+We hereby irrevocably grant you an additional license to use the Software
+under the Apache License, Version 2.0 that is effective on the second
+anniversary of the date we make the Software available. On or after that
+date, you may use the Software under the Apache License, Version 2.0, in
+which case the following will apply:
+
+Licensed under the Apache License, Version 2.0 (the "License"); you may not
+use this file except in compliance with the License.
+
+You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+License for the specific language governing permissions and limitations
+under the License.

package/README.md

@@ -0,0 +1,48 @@
+# @voyantjs/hono
+
+Hono transport adapter for Voyant. Provides `createApp()`, middleware, auth helpers, and plugin expansion for mounting Voyant modules behind a Hono app.
+
+## Install
+
+```bash
+pnpm add @voyantjs/hono hono
+```
+
+## Usage
+
+```typescript
+import { createApp } from "@voyantjs/hono"
+
+const app = createApp({
+  db: (env) => getDb(env),
+  auth: { handler, resolve },
+  modules: [crmModule, productsModule, bookingsModule],
+  plugins: [payloadCmsPlugin({ /* ... */ })],
+})
+```
+
+The middleware chain is: container → requestId → logger → errorBoundary → CORS → health → auth handler → requireAuth → db → actor guards → module routes.
+
+## Exports
+
+| Entry | Description |
+| --- | --- |
+| `.` | Barrel re-exports |
+| `./app` | `createApp` factory |
+| `./module` | `HonoModule`, `HonoExtension` contracts |
+| `./plugin` | `HonoPlugin`, `defineHonoPlugin`, `expandHonoPlugins` |
+| `./middleware` | All middleware re-exports |
+| `./middleware/auth` | `requireAuth` session/API-key/JWT auth |
+| `./middleware/cors` | CORS configuration |
+| `./middleware/error-boundary` | Error handling + JSON error envelope |
+| `./middleware/db` | Attach db client to `c.var.db` |
+| `./middleware/rate-limit` | KV-backed rate limiter |
+| `./middleware/require-actor` | Enforce `staff`/`customer`/`partner`/`supplier` actor |
+| `./middleware/require-permission` | Permission-based guards |
+| `./middleware/logger` | Request logger |
+| `./auth/session-jwt` | `verifySession` JWT verification |
+| `./auth/crypto` | `sha256Base64Url`, cookie helpers |
+
+## License
+
+FSL-1.1-Apache-2.0

package/dist/app.d.ts

@@ -0,0 +1,7 @@
+import { Hono } from "hono";
+import type { VoyantAppConfig, VoyantBindings, VoyantVariables } from "./types.js";
+export declare function createApp<TBindings extends VoyantBindings>(config: VoyantAppConfig<TBindings>): Hono<{
+    Bindings: TBindings;
+    Variables: VoyantVariables;
+}>;
+//# sourceMappingURL=app.d.ts.map

package/dist/app.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"app.d.ts","sourceRoot":"","sources":["../src/app.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,IAAI,EAAE,MAAM,MAAM,CAAA;AAS3B,OAAO,KAAK,EAAE,eAAe,EAAE,cAAc,EAAE,eAAe,EAAE,MAAM,YAAY,CAAA;AAElF,wBAAgB,SAAS,CAAC,SAAS,SAAS,cAAc,EACxD,MAAM,EAAE,eAAe,CAAC,SAAS,CAAC,GACjC,IAAI,CAAC;IAAE,QAAQ,EAAE,SAAS,CAAC;IAAC,SAAS,EAAE,eAAe,CAAA;CAAE,CAAC,CAsF3D"}

package/dist/app.js

@@ -0,0 +1,81 @@
+import { createContainer } from "@voyantjs/core";
+import { Hono } from "hono";
+import { requireAuth } from "./middleware/auth.js";
+import { cors } from "./middleware/cors.js";
+import { db } from "./middleware/db.js";
+import { errorBoundary, requestId } from "./middleware/error-boundary.js";
+import { logger } from "./middleware/logger.js";
+import { requireActor } from "./middleware/require-actor.js";
+import { expandHonoPlugins } from "./plugin.js";
+export function createApp(config) {
+    const app = new Hono();
+    // Expand plugins into their constituent modules/extensions before mounting
+    const expanded = config.plugins ? expandHonoPlugins(config.plugins) : null;
+    const allModules = [...(config.modules ?? []), ...(expanded?.modules ?? [])];
+    const allExtensions = [...(config.extensions ?? []), ...(expanded?.extensions ?? [])];
+    // Module container — registered services are resolvable from routes
+    const container = createContainer();
+    for (const mod of allModules) {
+        if (mod.module.service !== undefined) {
+            container.register(mod.module.name, mod.module.service);
+        }
+    }
+    app.use("*", async (c, next) => {
+        c.set("container", container);
+        return next();
+    });
+    // Request ID header
+    app.use("*", requestId);
+    // Structured logger
+    app.use("*", logger(config.logger));
+    // Global error boundary
+    app.use("*", errorBoundary);
+    // CORS (allowlist via env CORS_ALLOWLIST)
+    app.use("*", cors());
+    // Health check (public, no auth)
+    app.get("/health", (c) => c.json({ status: "ok" }));
+    // App-owned auth handler (must be before auth middleware — these routes are public)
+    const authHandler = config.auth?.handler;
+    if (authHandler) {
+        app.all("/auth/*", async (c) => {
+            const authApp = authHandler(c.env);
+            return authApp.fetch(c.req.raw, c.env, c.executionCtx);
+        });
+    }
+    // Auth middleware for all other routes
+    app.use("*", requireAuth(config.db, { publicPaths: config.publicPaths, auth: config.auth }));
+    // DB middleware — sets c.var.db for all downstream handlers
+    app.use("*", db(config.db));
+    // Actor guards for the two API surfaces
+    app.use("/v1/admin/*", requireActor("staff"));
+    app.use("/v1/public/*", requireActor("customer", "partner", "supplier"));
+    // Mount module routes
+    for (const mod of allModules) {
+        if (mod.adminRoutes) {
+            app.route(`/v1/admin/${mod.module.name}`, mod.adminRoutes);
+        }
+        if (mod.publicRoutes) {
+            app.route(`/v1/public/${mod.module.name}`, mod.publicRoutes);
+        }
+        if (mod.routes) {
+            app.route(`/v1/${mod.module.name}`, mod.routes);
+        }
+    }
+    // Mount extension routes
+    for (const ext of allExtensions) {
+        if (ext.adminRoutes) {
+            app.route(`/v1/admin/${ext.extension.module}`, ext.adminRoutes);
+        }
+        if (ext.publicRoutes) {
+            app.route(`/v1/public/${ext.extension.module}`, ext.publicRoutes);
+        }
+        if (ext.routes) {
+            app.route(`/v1/${ext.extension.module}`, ext.routes);
+        }
+    }
+    // Additional routes
+    if (config.additionalRoutes) {
+        config.additionalRoutes(app);
+    }
+    return app;
+}

package/dist/auth/crypto.d.ts

@@ -0,0 +1,15 @@
+export declare function randomBytesHex(lengthBytes: number): string;
+export declare function sha256Hex(input: string | Uint8Array): Promise<string>;
+export declare function generateNumericCode(length: number): string;
+/**
+ * SHA-256 hash a string using Web Crypto API.
+ * Returns the hash as a base64url string without padding,
+ * matching Better Auth's `defaultKeyHasher` format.
+ */
+export declare function sha256Base64Url(input: string): Promise<string>;
+/**
+ * Unsign a Better Auth session cookie.
+ * Better Auth signs cookies as: encodeURIComponent(value + "." + base64(HMAC-SHA256(value, secret)))
+ */
+export declare function unsignCookie(rawCookieValue: string, secret: string): Promise<string | null>;
+//# sourceMappingURL=crypto.d.ts.map

package/dist/auth/crypto.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"crypto.d.ts","sourceRoot":"","sources":["../../src/auth/crypto.ts"],"names":[],"mappings":"AAAA,wBAAgB,cAAc,CAAC,WAAW,EAAE,MAAM,GAAG,MAAM,CAM1D;AAED,wBAAsB,SAAS,CAAC,KAAK,EAAE,MAAM,GAAG,UAAU,GAAG,OAAO,CAAC,MAAM,CAAC,CAK3E;AAED,wBAAgB,mBAAmB,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,CAM1D;AAED;;;;GAIG;AACH,wBAAsB,eAAe,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAUpE;AAED;;;GAGG;AACH,wBAAsB,YAAY,CAAC,cAAc,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAwBjG"}

package/dist/auth/crypto.js

@@ -0,0 +1,58 @@
+export function randomBytesHex(lengthBytes) {
+    const bytes = new Uint8Array(lengthBytes);
+    crypto.getRandomValues(bytes);
+    return Array.from(bytes)
+        .map((b) => b.toString(16).padStart(2, "0"))
+        .join("");
+}
+export async function sha256Hex(input) {
+    const data = typeof input === "string" ? new TextEncoder().encode(input) : input;
+    const hash = await crypto.subtle.digest("SHA-256", data.buffer);
+    const arr = Array.from(new Uint8Array(hash));
+    return arr.map((b) => b.toString(16).padStart(2, "0")).join("");
+}
+export function generateNumericCode(length) {
+    const max = 10 ** length;
+    const buf = new Uint32Array(1);
+    crypto.getRandomValues(buf);
+    const code = Number((buf[0] ?? 0) % max);
+    return String(code).padStart(length, "0");
+}
+/**
+ * SHA-256 hash a string using Web Crypto API.
+ * Returns the hash as a base64url string without padding,
+ * matching Better Auth's `defaultKeyHasher` format.
+ */
+export async function sha256Base64Url(input) {
+    const data = new TextEncoder().encode(input);
+    const hashBuffer = await crypto.subtle.digest("SHA-256", data);
+    const bytes = new Uint8Array(hashBuffer);
+    let binary = "";
+    for (const byte of bytes) {
+        binary += String.fromCharCode(byte);
+    }
+    const base64 = btoa(binary);
+    return base64.replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
+}
+/**
+ * Unsign a Better Auth session cookie.
+ * Better Auth signs cookies as: encodeURIComponent(value + "." + base64(HMAC-SHA256(value, secret)))
+ */
+export async function unsignCookie(rawCookieValue, secret) {
+    const decoded = decodeURIComponent(rawCookieValue);
+    const lastDot = decoded.lastIndexOf(".");
+    if (lastDot < 1)
+        return null;
+    const value = decoded.substring(0, lastDot);
+    const signature = decoded.substring(lastDot + 1);
+    if (signature.length !== 44 || !signature.endsWith("="))
+        return null;
+    const encoder = new TextEncoder();
+    const key = await crypto.subtle.importKey("raw", encoder.encode(secret), { name: "HMAC", hash: "SHA-256" }, false, ["verify"]);
+    const sigBinStr = atob(signature);
+    const sigBytes = new Uint8Array(sigBinStr.length);
+    for (let i = 0; i < sigBinStr.length; i++)
+        sigBytes[i] = sigBinStr.charCodeAt(i);
+    const valid = await crypto.subtle.verify("HMAC", key, sigBytes, encoder.encode(value));
+    return valid ? value : null;
+}

package/dist/auth/index.d.ts

@@ -0,0 +1,4 @@
+export { generateNumericCode, randomBytesHex, sha256Base64Url, sha256Hex, unsignCookie, } from "./crypto.js";
+export type { SessionAuthContext } from "./session-jwt.js";
+export { extractBearerToken, verifySession } from "./session-jwt.js";
+//# sourceMappingURL=index.d.ts.map

package/dist/auth/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/auth/index.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,mBAAmB,EACnB,cAAc,EACd,eAAe,EACf,SAAS,EACT,YAAY,GACb,MAAM,aAAa,CAAA;AACpB,YAAY,EAAE,kBAAkB,EAAE,MAAM,kBAAkB,CAAA;AAC1D,OAAO,EAAE,kBAAkB,EAAE,aAAa,EAAE,MAAM,kBAAkB,CAAA"}

package/dist/auth/index.js

@@ -0,0 +1,2 @@
+export { generateNumericCode, randomBytesHex, sha256Base64Url, sha256Hex, unsignCookie, } from "./crypto.js";
+export { extractBearerToken, verifySession } from "./session-jwt.js";

package/dist/auth/session-jwt.d.ts

@@ -0,0 +1,7 @@
+export interface SessionAuthContext {
+    userId: string;
+    sessionId?: string;
+}
+export declare function verifySession(token: string, secretKey: string): Promise<SessionAuthContext>;
+export declare function extractBearerToken(authHeader: string | undefined): string | null;
+//# sourceMappingURL=session-jwt.d.ts.map

package/dist/auth/session-jwt.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"session-jwt.d.ts","sourceRoot":"","sources":["../../src/auth/session-jwt.ts"],"names":[],"mappings":"AAEA,MAAM,WAAW,kBAAkB;IACjC,MAAM,EAAE,MAAM,CAAA;IACd,SAAS,CAAC,EAAE,MAAM,CAAA;CACnB;AAED,wBAAsB,aAAa,CAAC,KAAK,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,kBAAkB,CAAC,CAWjG;AAED,wBAAgB,kBAAkB,CAAC,UAAU,EAAE,MAAM,GAAG,SAAS,GAAG,MAAM,GAAG,IAAI,CAWhF"}

package/dist/auth/session-jwt.js

@@ -0,0 +1,23 @@
+import { verifySessionClaims } from "@voyantjs/utils/session-claims";
+export async function verifySession(token, secretKey) {
+    const payload = await verifySessionClaims(token, secretKey);
+    if (!payload) {
+        throw new Error("Invalid or expired token");
+    }
+    return {
+        userId: payload.userId,
+        sessionId: payload.sessionId,
+    };
+}
+export function extractBearerToken(authHeader) {
+    if (!authHeader)
+        return null;
+    const parts = authHeader.trim().split(/\s+/);
+    if (parts.length !== 2)
+        return null;
+    const scheme = parts[0];
+    const token = parts[1];
+    if (!scheme || !token || !/^bearer$/i.test(scheme))
+        return null;
+    return token;
+}

package/dist/index.d.ts

@@ -0,0 +1,10 @@
+export type { VoyantPermission } from "@voyantjs/core";
+export { createApp } from "./app.js";
+export type { SessionAuthContext } from "./auth/index.js";
+export { extractBearerToken, generateNumericCode, randomBytesHex, sha256Base64Url, sha256Hex, unsignCookie, verifySession, } from "./auth/index.js";
+export { consoleLoggerProvider, cors, db, errorBoundary, LIVE_LIMITS, logger, rateLimit, requestId, requireActor, requireAuth, requirePermission, } from "./middleware/index.js";
+export type { HonoExtension, HonoModule } from "./module.js";
+export type { ExpandedHonoPlugins, HonoPlugin } from "./plugin.js";
+export { defineHonoPlugin, expandHonoPlugins } from "./plugin.js";
+export type { DbFactory, LogEntry, LoggerProvider, VoyantAppConfig, VoyantAuthIntegration, VoyantAuthPermissionArgs, VoyantAuthResolveArgs, VoyantBindings, VoyantDb, VoyantExecutionContext, VoyantRequestAuthContext, VoyantVariables, } from "./types.js";
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,YAAY,EAAE,gBAAgB,EAAE,MAAM,gBAAgB,CAAA;AACtD,OAAO,EAAE,SAAS,EAAE,MAAM,UAAU,CAAA;AACpC,YAAY,EAAE,kBAAkB,EAAE,MAAM,iBAAiB,CAAA;AACzD,OAAO,EACL,kBAAkB,EAClB,mBAAmB,EACnB,cAAc,EACd,eAAe,EACf,SAAS,EACT,YAAY,EACZ,aAAa,GACd,MAAM,iBAAiB,CAAA;AACxB,OAAO,EACL,qBAAqB,EACrB,IAAI,EACJ,EAAE,EACF,aAAa,EACb,WAAW,EACX,MAAM,EACN,SAAS,EACT,SAAS,EACT,YAAY,EACZ,WAAW,EACX,iBAAiB,GAClB,MAAM,uBAAuB,CAAA;AAC9B,YAAY,EAAE,aAAa,EAAE,UAAU,EAAE,MAAM,aAAa,CAAA;AAC5D,YAAY,EAAE,mBAAmB,EAAE,UAAU,EAAE,MAAM,aAAa,CAAA;AAClE,OAAO,EAAE,gBAAgB,EAAE,iBAAiB,EAAE,MAAM,aAAa,CAAA;AACjE,YAAY,EACV,SAAS,EACT,QAAQ,EACR,cAAc,EACd,eAAe,EACf,qBAAqB,EACrB,wBAAwB,EACxB,qBAAqB,EACrB,cAAc,EACd,QAAQ,EACR,sBAAsB,EACtB,wBAAwB,EACxB,eAAe,GAChB,MAAM,YAAY,CAAA"}

package/dist/index.js

@@ -0,0 +1,4 @@
+export { createApp } from "./app.js";
+export { extractBearerToken, generateNumericCode, randomBytesHex, sha256Base64Url, sha256Hex, unsignCookie, verifySession, } from "./auth/index.js";
+export { consoleLoggerProvider, cors, db, errorBoundary, LIVE_LIMITS, logger, rateLimit, requestId, requireActor, requireAuth, requirePermission, } from "./middleware/index.js";
+export { defineHonoPlugin, expandHonoPlugins } from "./plugin.js";

package/dist/middleware/auth.d.ts

@@ -0,0 +1,10 @@
+import type { MiddlewareHandler } from "hono";
+import type { DbFactory, VoyantAuthIntegration, VoyantBindings, VoyantVariables } from "../types.js";
+export declare function requireAuth<TBindings extends VoyantBindings>(dbFactory: DbFactory<TBindings>, opts?: {
+    publicPaths?: string[];
+    auth?: VoyantAuthIntegration<TBindings>;
+}): MiddlewareHandler<{
+    Bindings: TBindings;
+    Variables: VoyantVariables;
+}>;
+//# sourceMappingURL=auth.d.ts.map

package/dist/middleware/auth.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth.d.ts","sourceRoot":"","sources":["../../src/middleware/auth.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,MAAM,CAAA;AAI7C,OAAO,KAAK,EAAE,SAAS,EAAE,qBAAqB,EAAE,cAAc,EAAE,eAAe,EAAE,MAAM,aAAa,CAAA;AAsCpG,wBAAgB,WAAW,CAAC,SAAS,SAAS,cAAc,EAC1D,SAAS,EAAE,SAAS,CAAC,SAAS,CAAC,EAC/B,IAAI,CAAC,EAAE;IACL,WAAW,CAAC,EAAE,MAAM,EAAE,CAAA;IACtB,IAAI,CAAC,EAAE,qBAAqB,CAAC,SAAS,CAAC,CAAA;CACxC,GACA,iBAAiB,CAAC;IACnB,QAAQ,EAAE,SAAS,CAAA;IACnB,SAAS,EAAE,eAAe,CAAA;CAC3B,CAAC,CAmID"}

package/dist/middleware/auth.js

@@ -0,0 +1,154 @@
+import { apikeyTable } from "@voyantjs/db/schema/iam";
+import { and, eq } from "drizzle-orm";
+import { sha256Base64Url } from "../auth/crypto.js";
+import { extractBearerToken, verifySession } from "../auth/session-jwt.js";
+function permissionsToScopes(permissions) {
+    if (!permissions)
+        return [];
+    try {
+        const parsed = JSON.parse(permissions);
+        const scopes = [];
+        for (const [resource, actions] of Object.entries(parsed)) {
+            if (Array.isArray(actions)) {
+                for (const action of actions) {
+                    scopes.push(`${resource}:${action}`);
+                }
+            }
+        }
+        return scopes;
+    }
+    catch {
+        return [];
+    }
+}
+const API_KEY_PREFIX = "voy_";
+function applyAuthContext(c, auth) {
+    if (auth.userId)
+        c.set("userId", auth.userId);
+    if (auth.sessionId)
+        c.set("sessionId", auth.sessionId);
+    if (auth.organizationId !== undefined)
+        c.set("organizationId", auth.organizationId ?? undefined);
+    if (auth.callerType)
+        c.set("callerType", auth.callerType);
+    if (auth.actor)
+        c.set("actor", auth.actor);
+    if (auth.scopes !== undefined)
+        c.set("scopes", auth.scopes);
+    if (auth.isInternalRequest !== undefined)
+        c.set("isInternalRequest", auth.isInternalRequest);
+    if (auth.apiKeyId)
+        c.set("apiKeyId", auth.apiKeyId);
+}
+export function requireAuth(dbFactory, opts) {
+    const publicPaths = opts?.publicPaths ?? [];
+    return async (c, next) => {
+        if (c.req.method === "OPTIONS")
+            return next();
+        const url = new URL(c.req.url);
+        const p = url.pathname.replace(/\/$/, "");
+        const isPublicAuth = p === "/auth/callback" || p.startsWith("/auth/");
+        const isHealthCheck = p === "/health";
+        if (isPublicAuth || isHealthCheck)
+            return next();
+        for (const pp of publicPaths) {
+            if (p === pp || p.startsWith(`${pp}/`))
+                return next();
+        }
+        const authHeader = c.req.header("authorization") || c.req.header("Authorization");
+        const token = extractBearerToken(authHeader);
+        // Strategy 1: Internal API Key
+        const internalKey = c.env.INTERNAL_API_KEY;
+        if (token && internalKey && token === internalKey) {
+            applyAuthContext(c, {
+                callerType: "internal",
+                isInternalRequest: true,
+            });
+            return next();
+        }
+        // Strategy 2: Core-owned API key support (voy_ prefixed)
+        if (token?.startsWith(API_KEY_PREFIX)) {
+            try {
+                const db = dbFactory(c.env);
+                const keyHash = await sha256Base64Url(token);
+                const [row] = await db
+                    .select()
+                    .from(apikeyTable)
+                    .where(and(eq(apikeyTable.key, keyHash), eq(apikeyTable.enabled, true)))
+                    .limit(1);
+                if (!row) {
+                    return c.json({ error: "Invalid API key" }, 401);
+                }
+                if (row.expiresAt && row.expiresAt < new Date()) {
+                    return c.json({ error: "API key expired" }, 401);
+                }
+                if (row.remaining !== null && row.remaining <= 0) {
+                    return c.json({ error: "API key usage limit exceeded" }, 429);
+                }
+                if (row.remaining !== null) {
+                    c.executionCtx.waitUntil?.(db
+                        .update(apikeyTable)
+                        .set({
+                        remaining: row.remaining - 1,
+                        requestCount: row.requestCount + 1,
+                        lastRequest: new Date(),
+                    })
+                        .where(eq(apikeyTable.id, row.id))
+                        .then(() => { })
+                        .catch(() => { }));
+                }
+                else {
+                    c.executionCtx.waitUntil?.(db
+                        .update(apikeyTable)
+                        .set({
+                        requestCount: row.requestCount + 1,
+                        lastRequest: new Date(),
+                    })
+                        .where(eq(apikeyTable.id, row.id))
+                        .then(() => { })
+                        .catch(() => { }));
+                }
+                const scopes = permissionsToScopes(row.permissions);
+                applyAuthContext(c, {
+                    organizationId: row.referenceId,
+                    scopes,
+                    callerType: "api_key",
+                    apiKeyId: row.id,
+                });
+                return next();
+            }
+            catch {
+                // fall through to next strategy
+            }
+        }
+        // Strategy 3: App-provided auth resolution (cookies, provider tokens, etc.)
+        if (opts?.auth?.resolve) {
+            const resolved = await opts.auth.resolve({
+                request: c.req.raw,
+                env: c.env,
+                db: dbFactory(c.env),
+                ctx: c.executionCtx,
+            });
+            if (resolved?.userId) {
+                applyAuthContext(c, resolved);
+                return next();
+            }
+        }
+        // Strategy 4: Generic session-claims bearer token support
+        const sessionSecret = c.env.SESSION_CLAIMS_SECRET;
+        if (token && sessionSecret && token.includes(".")) {
+            try {
+                const sessionAuth = await verifySession(token, sessionSecret);
+                applyAuthContext(c, {
+                    ...sessionAuth,
+                    callerType: "session",
+                });
+                return next();
+            }
+            catch {
+                // fall through
+            }
+        }
+        return c.json({ error: "Unauthorized" }, 401);
+    };
+}

package/dist/middleware/cors.d.ts

@@ -0,0 +1,6 @@
+import type { MiddlewareHandler } from "hono";
+import type { VoyantBindings } from "../types.js";
+export declare function cors(): MiddlewareHandler<{
+    Bindings: VoyantBindings;
+}>;
+//# sourceMappingURL=cors.d.ts.map

package/dist/middleware/cors.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"cors.d.ts","sourceRoot":"","sources":["../../src/middleware/cors.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,MAAM,CAAA;AAE7C,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,aAAa,CAAA;AAWjD,wBAAgB,IAAI,IAAI,iBAAiB,CAAC;IAAE,QAAQ,EAAE,cAAc,CAAA;CAAE,CAAC,CAwCtE"}

package/dist/middleware/cors.js

@@ -0,0 +1,40 @@
+function parseAllowlist(env) {
+    const raw = env.CORS_ALLOWLIST;
+    if (!raw)
+        return [];
+    return raw
+        .split(",")
+        .map((s) => s.trim())
+        .filter(Boolean);
+}
+export function cors() {
+    return async (c, next) => {
+        const origin = c.req.header("origin") || "";
+        const allowlist = parseAllowlist(c.env);
+        const allowed = allowlist.length === 0 ? false : allowlist.includes(origin);
+        if (origin && !allowed) {
+            console.warn("[CORS] Origin not in allowlist - CORS headers will NOT be set", {
+                origin,
+                allowlist,
+                path: c.req.path,
+                method: c.req.method,
+            });
+        }
+        if (c.req.method === "OPTIONS") {
+            if (allowed) {
+                c.header("Access-Control-Allow-Origin", origin);
+                c.header("Vary", "Origin");
+                c.header("Access-Control-Allow-Credentials", "true");
+                c.header("Access-Control-Allow-Headers", c.req.header("access-control-request-headers") || "content-type, authorization");
+                c.header("Access-Control-Allow-Methods", c.req.header("access-control-request-method") || "GET,POST,PUT,PATCH,DELETE,OPTIONS");
+            }
+            return new Response(null, { status: 204 });
+        }
+        await next();
+        if (allowed) {
+            c.header("Access-Control-Allow-Origin", origin);
+            c.header("Vary", "Origin");
+            c.header("Access-Control-Allow-Credentials", "true");
+        }
+    };
+}

package/dist/middleware/db.d.ts

@@ -0,0 +1,9 @@
+import type { MiddlewareHandler } from "hono";
+import type { DbFactory, VoyantBindings, VoyantDb } from "../types.js";
+export declare function db<TBindings extends VoyantBindings>(factory: DbFactory<TBindings>): MiddlewareHandler<{
+    Bindings: TBindings;
+    Variables: {
+        db: VoyantDb;
+    };
+}>;
+//# sourceMappingURL=db.d.ts.map

package/dist/middleware/db.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"db.d.ts","sourceRoot":"","sources":["../../src/middleware/db.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,MAAM,CAAA;AAE7C,OAAO,KAAK,EAAE,SAAS,EAAE,cAAc,EAAE,QAAQ,EAAE,MAAM,aAAa,CAAA;AAEtE,wBAAgB,EAAE,CAAC,SAAS,SAAS,cAAc,EACjD,OAAO,EAAE,SAAS,CAAC,SAAS,CAAC,GAC5B,iBAAiB,CAAC;IACnB,QAAQ,EAAE,SAAS,CAAA;IACnB,SAAS,EAAE;QAAE,EAAE,EAAE,QAAQ,CAAA;KAAE,CAAA;CAC5B,CAAC,CAKD"}

package/dist/middleware/db.js

@@ -0,0 +1,6 @@
+export function db(factory) {
+    return async (c, next) => {
+        c.set("db", factory(c.env));
+        await next();
+    };
+}

package/dist/middleware/error-boundary.d.ts

@@ -0,0 +1,4 @@
+import type { MiddlewareHandler } from "hono";
+export declare const requestId: MiddlewareHandler;
+export declare const errorBoundary: MiddlewareHandler;
+//# sourceMappingURL=error-boundary.d.ts.map

package/dist/middleware/error-boundary.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"error-boundary.d.ts","sourceRoot":"","sources":["../../src/middleware/error-boundary.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,MAAM,CAAA;AAU7C,eAAO,MAAM,SAAS,EAAE,iBAKvB,CAAA;AAID,eAAO,MAAM,aAAa,EAAE,iBAmC3B,CAAA"}