@voyantjs/hono 0.9.0 → 0.10.0

package/dist/index.d.ts

@@ -2,7 +2,7 @@ export type { VoyantPermission } from "@voyantjs/core";
 export { createApp } from "./app.js";
 export type { SessionAuthContext } from "./auth/index.js";
 export { extractBearerToken, generateNumericCode, randomBytesHex, requireUserId, sha256Base64Url, sha256Hex, unsignCookie, verifySession, } from "./auth/index.js";
-export { consoleLoggerProvider, cors, db, errorBoundary, handleApiError, LIVE_LIMITS, logger, rateLimit, requestId, requireActor, requireAuth, requirePermission, } from "./middleware/index.js";
+export { consoleLoggerProvider, cors, DEFAULT_IDEMPOTENCY_TTL_MS, db, errorBoundary, handleApiError, type IdempotencyKeyOptions, idempotencyKey, LIVE_LIMITS, logger, purgeExpiredIdempotencyKeys, rateLimit, requestId, requireActor, requireAuth, requirePermission, } from "./middleware/index.js";
 export type { HonoExtension, HonoModule } from "./module.js";
 export type { ExpandedHonoBundles, ExpandedHonoPlugins, HonoBundle, HonoPlugin, } from "./plugin.js";
 export { defineHonoBundle, defineHonoPlugin, expandHonoBundles, expandHonoPlugins, } from "./plugin.js";

package/dist/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,YAAY,EAAE,gBAAgB,EAAE,MAAM,gBAAgB,CAAA;AACtD,OAAO,EAAE,SAAS,EAAE,MAAM,UAAU,CAAA;AACpC,YAAY,EAAE,kBAAkB,EAAE,MAAM,iBAAiB,CAAA;AACzD,OAAO,EACL,kBAAkB,EAClB,mBAAmB,EACnB,cAAc,EACd,aAAa,EACb,eAAe,EACf,SAAS,EACT,YAAY,EACZ,aAAa,GACd,MAAM,iBAAiB,CAAA;AACxB,OAAO,EACL,qBAAqB,EACrB,IAAI,EACJ,EAAE,EACF,aAAa,EACb,cAAc,EACd,WAAW,EACX,MAAM,EACN,SAAS,EACT,SAAS,EACT,YAAY,EACZ,WAAW,EACX,iBAAiB,GAClB,MAAM,uBAAuB,CAAA;AAC9B,YAAY,EAAE,aAAa,EAAE,UAAU,EAAE,MAAM,aAAa,CAAA;AAC5D,YAAY,EACV,mBAAmB,EACnB,mBAAmB,EACnB,UAAU,EACV,UAAU,GACX,MAAM,aAAa,CAAA;AACpB,OAAO,EACL,gBAAgB,EAChB,gBAAgB,EAChB,iBAAiB,EACjB,iBAAiB,GAClB,MAAM,aAAa,CAAA;AACpB,YAAY,EACV,SAAS,EACT,QAAQ,EACR,cAAc,EACd,eAAe,EACf,qBAAqB,EACrB,wBAAwB,EACxB,qBAAqB,EACrB,cAAc,EACd,QAAQ,EACR,sBAAsB,EACtB,kBAAkB,EAClB,wBAAwB,EACxB,eAAe,GAChB,MAAM,YAAY,CAAA;AACnB,OAAO,EACL,YAAY,EACZ,iBAAiB,EACjB,wBAAwB,EACxB,aAAa,EACb,qBAAqB,EACrB,UAAU,EACV,sBAAsB,EACtB,oBAAoB,GACrB,MAAM,iBAAiB,CAAA"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,YAAY,EAAE,gBAAgB,EAAE,MAAM,gBAAgB,CAAA;AACtD,OAAO,EAAE,SAAS,EAAE,MAAM,UAAU,CAAA;AACpC,YAAY,EAAE,kBAAkB,EAAE,MAAM,iBAAiB,CAAA;AACzD,OAAO,EACL,kBAAkB,EAClB,mBAAmB,EACnB,cAAc,EACd,aAAa,EACb,eAAe,EACf,SAAS,EACT,YAAY,EACZ,aAAa,GACd,MAAM,iBAAiB,CAAA;AACxB,OAAO,EACL,qBAAqB,EACrB,IAAI,EACJ,0BAA0B,EAC1B,EAAE,EACF,aAAa,EACb,cAAc,EACd,KAAK,qBAAqB,EAC1B,cAAc,EACd,WAAW,EACX,MAAM,EACN,2BAA2B,EAC3B,SAAS,EACT,SAAS,EACT,YAAY,EACZ,WAAW,EACX,iBAAiB,GAClB,MAAM,uBAAuB,CAAA;AAC9B,YAAY,EAAE,aAAa,EAAE,UAAU,EAAE,MAAM,aAAa,CAAA;AAC5D,YAAY,EACV,mBAAmB,EACnB,mBAAmB,EACnB,UAAU,EACV,UAAU,GACX,MAAM,aAAa,CAAA;AACpB,OAAO,EACL,gBAAgB,EAChB,gBAAgB,EAChB,iBAAiB,EACjB,iBAAiB,GAClB,MAAM,aAAa,CAAA;AACpB,YAAY,EACV,SAAS,EACT,QAAQ,EACR,cAAc,EACd,eAAe,EACf,qBAAqB,EACrB,wBAAwB,EACxB,qBAAqB,EACrB,cAAc,EACd,QAAQ,EACR,sBAAsB,EACtB,kBAAkB,EAClB,wBAAwB,EACxB,eAAe,GAChB,MAAM,YAAY,CAAA;AACnB,OAAO,EACL,YAAY,EACZ,iBAAiB,EACjB,wBAAwB,EACxB,aAAa,EACb,qBAAqB,EACrB,UAAU,EACV,sBAAsB,EACtB,oBAAoB,GACrB,MAAM,iBAAiB,CAAA"}

package/dist/index.js

@@ -1,5 +1,5 @@
 export { createApp } from "./app.js";
 export { extractBearerToken, generateNumericCode, randomBytesHex, requireUserId, sha256Base64Url, sha256Hex, unsignCookie, verifySession, } from "./auth/index.js";
-export { consoleLoggerProvider, cors, db, errorBoundary, handleApiError, LIVE_LIMITS, logger, rateLimit, requestId, requireActor, requireAuth, requirePermission, } from "./middleware/index.js";
+export { consoleLoggerProvider, cors, DEFAULT_IDEMPOTENCY_TTL_MS, db, errorBoundary, handleApiError, idempotencyKey, LIVE_LIMITS, logger, purgeExpiredIdempotencyKeys, rateLimit, requestId, requireActor, requireAuth, requirePermission, } from "./middleware/index.js";
 export { defineHonoBundle, defineHonoPlugin, expandHonoBundles, expandHonoPlugins, } from "./plugin.js";
 export { ApiHttpError, ForbiddenApiError, normalizeValidationError, parseJsonBody, parseOptionalJsonBody, parseQuery, RequestValidationError, UnauthorizedApiError, } from "./validation.js";

package/dist/middleware/auth.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"auth.d.ts","sourceRoot":"","sources":["../../src/middleware/auth.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,MAAM,CAAA;AAI7C,OAAO,KAAK,EAAE,SAAS,EAAE,qBAAqB,EAAE,cAAc,EAAE,eAAe,EAAE,MAAM,aAAa,CAAA;AAsCpG,wBAAgB,WAAW,CAAC,SAAS,SAAS,cAAc,EAC1D,SAAS,EAAE,SAAS,CAAC,SAAS,CAAC,EAC/B,IAAI,CAAC,EAAE;IACL,WAAW,CAAC,EAAE,MAAM,EAAE,CAAA;IACtB,IAAI,CAAC,EAAE,qBAAqB,CAAC,SAAS,CAAC,CAAA;CACxC,GACA,iBAAiB,CAAC;IACnB,QAAQ,EAAE,SAAS,CAAA;IACnB,SAAS,EAAE,eAAe,CAAA;CAC3B,CAAC,CAwID"}
+{"version":3,"file":"auth.d.ts","sourceRoot":"","sources":["../../src/middleware/auth.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,MAAM,CAAA;AAI7C,OAAO,KAAK,EAAE,SAAS,EAAE,qBAAqB,EAAE,cAAc,EAAE,eAAe,EAAE,MAAM,aAAa,CAAA;AAsCpG,wBAAgB,WAAW,CAAC,SAAS,SAAS,cAAc,EAC1D,SAAS,EAAE,SAAS,CAAC,SAAS,CAAC,EAC/B,IAAI,CAAC,EAAE;IACL,WAAW,CAAC,EAAE,MAAM,EAAE,CAAA;IACtB,IAAI,CAAC,EAAE,qBAAqB,CAAC,SAAS,CAAC,CAAA;CACxC,GACA,iBAAiB,CAAC;IACnB,QAAQ,EAAE,SAAS,CAAA;IACnB,SAAS,EAAE,eAAe,CAAA;CAC3B,CAAC,CA4ID"}

package/dist/middleware/auth.js

@@ -118,6 +118,10 @@ export function requireAuth(dbFactory, opts) {
                     scopes,
                     callerType: "api_key",
                     apiKeyId: row.id,
+                    // Core-owned API keys (`voy_` prefix) are server-to-server credentials
+                    // issued to operator staff. The actor stays explicit here so that
+                    // `requireActor` doesn't have to default unset callers to "staff".
+                    actor: "staff",
                 });
                 return next();
             }

package/dist/middleware/idempotency-key.d.ts

@@ -0,0 +1,71 @@
+import type { MiddlewareHandler } from "hono";
+import type { DbFactory, VoyantBindings, VoyantVariables } from "../types.js";
+/**
+ * Twenty-four hours, in milliseconds. Default TTL for stored idempotency
+ * keys. Tunable per middleware instance.
+ */
+export declare const DEFAULT_IDEMPOTENCY_TTL_MS: number;
+export interface IdempotencyKeyOptions {
+    /**
+     * Namespacing label so unrelated endpoints can safely accept overlapping
+     * client keys. Defaults to the request method + pathname when omitted.
+     */
+    scope?: string;
+    /**
+     * How long stored responses are replayable. Defaults to
+     * {@link DEFAULT_IDEMPOTENCY_TTL_MS}.
+     */
+    ttlMs?: number;
+    /**
+     * Whether the header is required. When `true`, requests without the header
+     * are rejected with 400. Defaults to `false` so existing clients keep
+     * working through a deprecation window.
+     */
+    required?: boolean;
+    /**
+     * Optional callback that, given the response body that's about to be
+     * stored, returns a `referenceId` (typically the booking id). Used for
+     * operational queries to correlate replays with the underlying entity.
+     */
+    extractReferenceId?: (body: unknown) => string | null | undefined;
+}
+interface ContextWithIdempotency {
+    idempotencyKey?: string;
+    idempotencyReplayed?: boolean;
+}
+declare module "hono" {
+    interface ContextVariableMap extends ContextWithIdempotency {
+    }
+}
+/**
+ * Idempotency-Key middleware.
+ *
+ * On request:
+ * - reads the `Idempotency-Key` header
+ * - if absent and `required` is false, passes through
+ * - if absent and `required` is true, returns 400
+ * - looks up `(scope, key)` in `idempotency_keys`:
+ *   - hit + same body hash → returns the stored response (replay)
+ *   - hit + different body hash → returns 409 (conflict)
+ *   - miss → runs the handler, then stores the response on the way out
+ *
+ * The handler's response body is captured by cloning the response. The
+ * `Idempotency-Key` and a `Idempotency-Replayed: true` header are echoed
+ * on replay so callers can detect replays in client-side logging.
+ *
+ * The middleware reads the `db` instance off the request context (set by
+ * the `db` middleware that ships with `createApp`) — caller is responsible
+ * for ordering this middleware after `db`.
+ */
+export declare function idempotencyKey<TBindings extends VoyantBindings = VoyantBindings>(options?: IdempotencyKeyOptions): MiddlewareHandler<{
+    Bindings: TBindings;
+    Variables: VoyantVariables;
+}>;
+/**
+ * Sweep expired idempotency rows. Call from a daily cron.
+ */
+export declare function purgeExpiredIdempotencyKeys<TBindings extends VoyantBindings>(dbFactory: DbFactory<TBindings>, env: TBindings): Promise<{
+    removed: number;
+}>;
+export {};
+//# sourceMappingURL=idempotency-key.d.ts.map

package/dist/middleware/idempotency-key.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"idempotency-key.d.ts","sourceRoot":"","sources":["../../src/middleware/idempotency-key.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,MAAM,CAAA;AAE7C,OAAO,KAAK,EAAE,SAAS,EAAE,cAAc,EAAE,eAAe,EAAE,MAAM,aAAa,CAAA;AAE7E;;;GAGG;AACH,eAAO,MAAM,0BAA0B,QAAsB,CAAA;AAmB7D,MAAM,WAAW,qBAAqB;IACpC;;;OAGG;IACH,KAAK,CAAC,EAAE,MAAM,CAAA;IACd;;;OAGG;IACH,KAAK,CAAC,EAAE,MAAM,CAAA;IACd;;;;OAIG;IACH,QAAQ,CAAC,EAAE,OAAO,CAAA;IAClB;;;;OAIG;IACH,kBAAkB,CAAC,EAAE,CAAC,IAAI,EAAE,OAAO,KAAK,MAAM,GAAG,IAAI,GAAG,SAAS,CAAA;CAClE;AAED,UAAU,sBAAsB;IAC9B,cAAc,CAAC,EAAE,MAAM,CAAA;IACvB,mBAAmB,CAAC,EAAE,OAAO,CAAA;CAC9B;AAED,OAAO,QAAQ,MAAM,CAAC;IACpB,UAAU,kBAAmB,SAAQ,sBAAsB;KAAG;CAC/D;AAED;;;;;;;;;;;;;;;;;;;GAmBG;AACH,wBAAgB,cAAc,CAAC,SAAS,SAAS,cAAc,GAAG,cAAc,EAC9E,OAAO,GAAE,qBAA0B,GAClC,iBAAiB,CAAC;IACnB,QAAQ,EAAE,SAAS,CAAA;IACnB,SAAS,EAAE,eAAe,CAAA;CAC3B,CAAC,CAkID;AAiBD;;GAEG;AACH,wBAAsB,2BAA2B,CAAC,SAAS,SAAS,cAAc,EAChF,SAAS,EAAE,SAAS,CAAC,SAAS,CAAC,EAC/B,GAAG,EAAE,SAAS,GACb,OAAO,CAAC;IAAE,OAAO,EAAE,MAAM,CAAA;CAAE,CAAC,CAO9B"}

package/dist/middleware/idempotency-key.js

@@ -0,0 +1,179 @@
+import { infraIdempotencyKeysTable } from "@voyantjs/db/schema/infra";
+import { and, eq, lt } from "drizzle-orm";
+/**
+ * Twenty-four hours, in milliseconds. Default TTL for stored idempotency
+ * keys. Tunable per middleware instance.
+ */
+export const DEFAULT_IDEMPOTENCY_TTL_MS = 24 * 60 * 60 * 1000;
+const HEADER_NAME = "Idempotency-Key";
+/**
+ * Hashes a UTF-8 string with SHA-256 and returns the hex digest. Uses Web
+ * Crypto so the middleware works in Cloudflare Workers and Node.
+ */
+async function sha256Hex(value) {
+    const data = new TextEncoder().encode(value);
+    const digest = await crypto.subtle.digest("SHA-256", data);
+    const bytes = new Uint8Array(digest);
+    let out = "";
+    for (const byte of bytes) {
+        out += byte.toString(16).padStart(2, "0");
+    }
+    return out;
+}
+/**
+ * Idempotency-Key middleware.
+ *
+ * On request:
+ * - reads the `Idempotency-Key` header
+ * - if absent and `required` is false, passes through
+ * - if absent and `required` is true, returns 400
+ * - looks up `(scope, key)` in `idempotency_keys`:
+ *   - hit + same body hash → returns the stored response (replay)
+ *   - hit + different body hash → returns 409 (conflict)
+ *   - miss → runs the handler, then stores the response on the way out
+ *
+ * The handler's response body is captured by cloning the response. The
+ * `Idempotency-Key` and a `Idempotency-Replayed: true` header are echoed
+ * on replay so callers can detect replays in client-side logging.
+ *
+ * The middleware reads the `db` instance off the request context (set by
+ * the `db` middleware that ships with `createApp`) — caller is responsible
+ * for ordering this middleware after `db`.
+ */
+export function idempotencyKey(options = {}) {
+    const ttlMs = options.ttlMs ?? DEFAULT_IDEMPOTENCY_TTL_MS;
+    return async (c, next) => {
+        if (c.req.method === "OPTIONS")
+            return next();
+        const headerKey = c.req.header(HEADER_NAME) ?? c.req.header(HEADER_NAME.toLowerCase());
+        if (!headerKey) {
+            if (options.required) {
+                return c.json({ error: `${HEADER_NAME} header is required for this endpoint` }, 400);
+            }
+            return next();
+        }
+        if (headerKey.length > 255) {
+            return c.json({ error: `${HEADER_NAME} must be 255 characters or fewer` }, 400);
+        }
+        const scope = options.scope ?? `${c.req.method} ${new URL(c.req.url).pathname}`;
+        const rawBody = await c.req.text();
+        const bodyHash = await sha256Hex(rawBody);
+        const db = c.get("db");
+        if (!db) {
+            throw new Error("idempotencyKey middleware requires `db` on the request context. Mount `db()` (or `createApp`) before this middleware.");
+        }
+        // Look up an existing record. If the (scope, key) was used recently we
+        // either replay or 409.
+        const [existing] = await db
+            .select()
+            .from(infraIdempotencyKeysTable)
+            .where(and(eq(infraIdempotencyKeysTable.scope, scope), eq(infraIdempotencyKeysTable.key, headerKey)))
+            .limit(1);
+        if (existing) {
+            if (existing.expiresAt < new Date()) {
+                // The row is past its TTL — clean it up and proceed as if missed.
+                await db
+                    .delete(infraIdempotencyKeysTable)
+                    .where(eq(infraIdempotencyKeysTable.id, existing.id));
+            }
+            else if (existing.bodyHash !== bodyHash) {
+                return c.json({
+                    error: `${HEADER_NAME} ${headerKey} was previously used with a different request body`,
+                }, 409);
+            }
+            else {
+                c.set("idempotencyKey", headerKey);
+                c.set("idempotencyReplayed", true);
+                const replayed = c.json(existing.responseBody, existing.responseStatus);
+                replayed.headers.set("Idempotency-Replayed", "true");
+                replayed.headers.set("Idempotency-Key", headerKey);
+                return replayed;
+            }
+        }
+        // Re-attach the body so downstream handlers can re-parse it. Hono's
+        // `c.req.text()` consumed the original; rebuild a Request whose body
+        // matches what we hashed.
+        c.req.raw = new Request(c.req.raw, { body: rawBody });
+        c.set("idempotencyKey", headerKey);
+        c.set("idempotencyReplayed", false);
+        await next();
+        // Capture the response without consuming the original.
+        const response = c.res;
+        if (!response)
+            return;
+        const cloned = response.clone();
+        let parsedBody = null;
+        try {
+            const text = await cloned.text();
+            parsedBody = text.length > 0 ? JSON.parse(text) : null;
+        }
+        catch {
+            // Non-JSON responses are not stored — idempotency replay only works
+            // for JSON endpoints. Pass through silently.
+            return;
+        }
+        // Only persist successful, replayable responses (2xx). 4xx/5xx leave
+        // the slot open so the client can retry with a corrected body.
+        if (response.status < 200 || response.status >= 300)
+            return;
+        const referenceId = options.extractReferenceId?.(parsedBody) ??
+            pickStringField(parsedBody, ["bookingId", "id"]) ??
+            null;
+        try {
+            await db
+                .insert(infraIdempotencyKeysTable)
+                .values({
+                scope,
+                key: headerKey,
+                bodyHash,
+                responseStatus: response.status,
+                responseBody: parsedBody,
+                referenceId,
+                expiresAt: new Date(Date.now() + ttlMs),
+            })
+                .onConflictDoNothing({
+                target: [infraIdempotencyKeysTable.scope, infraIdempotencyKeysTable.key],
+            });
+            // Echo the header so callers can confirm idempotent storage.
+            c.res = new Response(c.res.body, {
+                status: c.res.status,
+                statusText: c.res.statusText,
+                headers: new Headers(c.res.headers),
+            });
+            c.res.headers.set("Idempotency-Key", headerKey);
+        }
+        catch {
+            // Best-effort storage. If the write fails we still return the
+            // response — duplicate-detection just degrades to "no protection
+            // for this request." Logging is the deployment's responsibility.
+        }
+    };
+}
+function pickStringField(body, keys) {
+    if (!body || typeof body !== "object")
+        return null;
+    const obj = body;
+    for (const key of keys) {
+        const value = obj[key];
+        if (typeof value === "string" && value.length > 0)
+            return value;
+        // Common shape: `{ data: { id: ... } }`
+        if (key === "id" && obj.data && typeof obj.data === "object") {
+            const nested = obj.data.id;
+            if (typeof nested === "string" && nested.length > 0)
+                return nested;
+        }
+    }
+    return null;
+}
+/**
+ * Sweep expired idempotency rows. Call from a daily cron.
+ */
+export async function purgeExpiredIdempotencyKeys(dbFactory, env) {
+    const db = dbFactory(env);
+    const result = await db
+        .delete(infraIdempotencyKeysTable)
+        .where(lt(infraIdempotencyKeysTable.expiresAt, new Date()))
+        .returning();
+    return { removed: result.length };
+}

package/dist/middleware/index.d.ts

@@ -2,6 +2,7 @@ export { requireAuth } from "./auth.js";
 export { cors } from "./cors.js";
 export { db } from "./db.js";
 export { errorBoundary, handleApiError, requestId } from "./error-boundary.js";
+export { DEFAULT_IDEMPOTENCY_TTL_MS, type IdempotencyKeyOptions, idempotencyKey, purgeExpiredIdempotencyKeys, } from "./idempotency-key.js";
 export { consoleLoggerProvider, logger } from "./logger.js";
 export { LIVE_LIMITS, rateLimit } from "./rate-limit.js";
 export { requireActor } from "./require-actor.js";

package/dist/middleware/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/middleware/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,WAAW,EAAE,MAAM,WAAW,CAAA;AACvC,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAA;AAChC,OAAO,EAAE,EAAE,EAAE,MAAM,SAAS,CAAA;AAC5B,OAAO,EAAE,aAAa,EAAE,cAAc,EAAE,SAAS,EAAE,MAAM,qBAAqB,CAAA;AAC9E,OAAO,EAAE,qBAAqB,EAAE,MAAM,EAAE,MAAM,aAAa,CAAA;AAC3D,OAAO,EAAE,WAAW,EAAE,SAAS,EAAE,MAAM,iBAAiB,CAAA;AACxD,OAAO,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAA;AACjD,OAAO,EAAE,iBAAiB,EAAE,MAAM,yBAAyB,CAAA"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/middleware/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,WAAW,EAAE,MAAM,WAAW,CAAA;AACvC,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAA;AAChC,OAAO,EAAE,EAAE,EAAE,MAAM,SAAS,CAAA;AAC5B,OAAO,EAAE,aAAa,EAAE,cAAc,EAAE,SAAS,EAAE,MAAM,qBAAqB,CAAA;AAC9E,OAAO,EACL,0BAA0B,EAC1B,KAAK,qBAAqB,EAC1B,cAAc,EACd,2BAA2B,GAC5B,MAAM,sBAAsB,CAAA;AAC7B,OAAO,EAAE,qBAAqB,EAAE,MAAM,EAAE,MAAM,aAAa,CAAA;AAC3D,OAAO,EAAE,WAAW,EAAE,SAAS,EAAE,MAAM,iBAAiB,CAAA;AACxD,OAAO,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAA;AACjD,OAAO,EAAE,iBAAiB,EAAE,MAAM,yBAAyB,CAAA"}

package/dist/middleware/index.js

@@ -2,6 +2,7 @@ export { requireAuth } from "./auth.js";
 export { cors } from "./cors.js";
 export { db } from "./db.js";
 export { errorBoundary, handleApiError, requestId } from "./error-boundary.js";
+export { DEFAULT_IDEMPOTENCY_TTL_MS, idempotencyKey, purgeExpiredIdempotencyKeys, } from "./idempotency-key.js";
 export { consoleLoggerProvider, logger } from "./logger.js";
 export { LIVE_LIMITS, rateLimit } from "./rate-limit.js";
 export { requireActor } from "./require-actor.js";

package/dist/middleware/require-actor.d.ts

@@ -12,9 +12,11 @@ import type { VoyantBindings, VoyantVariables } from "../types.js";
  * custom `auth.resolve` integration. Internal requests
  * (`isInternalRequest === true`) bypass the check.
  *
- * When the caller has no explicit actor, this middleware treats them as
- * `"staff"` to preserve backwards compatibility with existing deployments
- * that predate the actor concept.
+ * When the caller has no resolved actor, this middleware returns `401
+ * Unauthorized`. Earlier versions defaulted unset callers to `"staff"` for
+ * backwards compatibility, but that meant a misordered or missing auth
+ * middleware silently granted operator privileges to anonymous traffic.
+ * The default is now fail-closed.
  *
  * @example
  * app.use("/v1/admin/*", requireActor("staff"))

package/dist/middleware/require-actor.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"require-actor.d.ts","sourceRoot":"","sources":["../../src/middleware/require-actor.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,KAAK,EAAE,MAAM,gBAAgB,CAAA;AAC3C,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,MAAM,CAAA;AAE7C,OAAO,KAAK,EAAE,cAAc,EAAE,eAAe,EAAE,MAAM,aAAa,CAAA;AAElE;;;;;;;;;;;;;;;;;;GAkBG;AACH,wBAAgB,YAAY,CAAC,SAAS,SAAS,cAAc,GAAG,cAAc,EAC5E,GAAG,OAAO,EAAE,KAAK,EAAE,GAClB,iBAAiB,CAAC;IACnB,QAAQ,EAAE,SAAS,CAAA;IACnB,SAAS,EAAE,eAAe,CAAA;CAC3B,CAAC,CAoBD"}
+{"version":3,"file":"require-actor.d.ts","sourceRoot":"","sources":["../../src/middleware/require-actor.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,KAAK,EAAE,MAAM,gBAAgB,CAAA;AAC3C,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,MAAM,CAAA;AAE7C,OAAO,KAAK,EAAE,cAAc,EAAE,eAAe,EAAE,MAAM,aAAa,CAAA;AAElE;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,wBAAgB,YAAY,CAAC,SAAS,SAAS,cAAc,GAAG,cAAc,EAC5E,GAAG,OAAO,EAAE,KAAK,EAAE,GAClB,iBAAiB,CAAC;IACnB,QAAQ,EAAE,SAAS,CAAA;IACnB,SAAS,EAAE,eAAe,CAAA;CAC3B,CAAC,CAuBD"}

package/dist/middleware/require-actor.js

@@ -9,9 +9,11 @@
  * custom `auth.resolve` integration. Internal requests
  * (`isInternalRequest === true`) bypass the check.
  *
- * When the caller has no explicit actor, this middleware treats them as
- * `"staff"` to preserve backwards compatibility with existing deployments
- * that predate the actor concept.
+ * When the caller has no resolved actor, this middleware returns `401
+ * Unauthorized`. Earlier versions defaulted unset callers to `"staff"` for
+ * backwards compatibility, but that meant a misordered or missing auth
+ * middleware silently granted operator privileges to anonymous traffic.
+ * The default is now fail-closed.
  *
  * @example
  * app.use("/v1/admin/*", requireActor("staff"))
@@ -28,7 +30,10 @@ export function requireActor(...allowed) {
         if (c.get("isInternalRequest")) {
             return next();
         }
-        const actor = c.get("actor") ?? "staff";
+        const actor = c.get("actor");
+        if (!actor) {
+            return c.json({ error: "Unauthorized: actor not resolved" }, 401);
+        }
         if (!allowSet.has(actor)) {
             return c.json({ error: "Forbidden: actor not permitted on this surface" }, 403);
         }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@voyantjs/hono",
-  "version": "0.9.0",
+  "version": "0.10.0",
   "license": "FSL-1.1-Apache-2.0",
   "type": "module",
   "exports": {
@@ -77,10 +77,10 @@
     "drizzle-orm": "^0.45.2",
     "hono": "^4.12.10",
     "zod": "^4.3.6",
-    "@voyantjs/core": "0.9.0",
-    "@voyantjs/db": "0.9.0",
-    "@voyantjs/types": "0.9.0",
-    "@voyantjs/utils": "0.9.0"
+    "@voyantjs/core": "0.10.0",
+    "@voyantjs/db": "0.10.0",
+    "@voyantjs/types": "0.10.0",
+    "@voyantjs/utils": "0.10.0"
   },
   "devDependencies": {
     "@cloudflare/workers-types": "^4.20260403.1",