npm - @wopr-network/platform-core - Versions diffs - 0.1.0 - Mend

@wopr-network/platform-core 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (694) hide show

package/biome.json +61 -0
package/dist/admin/admin-audit-log-repository.d.ts +33 -0
package/dist/admin/admin-audit-log-repository.js +102 -0
package/dist/admin/audit-log.d.ts +49 -0
package/dist/admin/audit-log.js +63 -0
package/dist/admin/index.d.ts +6 -0
package/dist/admin/index.js +3 -0
package/dist/admin/role-store.d.ts +37 -0
package/dist/admin/role-store.js +106 -0
package/dist/auth/api-key-repository.d.ts +11 -0
package/dist/auth/api-key-repository.js +33 -0
package/dist/auth/api-key-repository.test.d.ts +1 -0
package/dist/auth/api-key-repository.test.js +46 -0
package/dist/auth/auth.test.d.ts +1 -0
package/dist/auth/auth.test.js +140 -0
package/dist/auth/better-auth.d.ts +42 -0
package/dist/auth/better-auth.js +196 -0
package/dist/auth/index.d.ts +186 -0
package/dist/auth/index.js +422 -0
package/dist/auth/login-history-repository.d.ts +14 -0
package/dist/auth/login-history-repository.js +15 -0
package/dist/auth/login-history-repository.test.d.ts +1 -0
package/dist/auth/login-history-repository.test.js +47 -0
package/dist/auth/middleware.d.ts +55 -0
package/dist/auth/middleware.js +101 -0
package/dist/auth/middleware.test.d.ts +1 -0
package/dist/auth/middleware.test.js +213 -0
package/dist/auth/scoped-tokens.test.d.ts +1 -0
package/dist/auth/scoped-tokens.test.js +306 -0
package/dist/auth/tenant-access.test.d.ts +1 -0
package/dist/auth/tenant-access.test.js +62 -0
package/dist/auth/user-creator.d.ts +9 -0
package/dist/auth/user-creator.js +47 -0
package/dist/auth/user-creator.test.d.ts +1 -0
package/dist/auth/user-creator.test.js +78 -0
package/dist/auth/user-role-repository.d.ts +31 -0
package/dist/auth/user-role-repository.js +53 -0
package/dist/auth/user-role-repository.test.d.ts +1 -0
package/dist/auth/user-role-repository.test.js +122 -0
package/dist/billing/drizzle-webhook-seen-repository.d.ts +10 -0
package/dist/billing/drizzle-webhook-seen-repository.js +28 -0
package/dist/billing/index.d.ts +7 -0
package/dist/billing/index.js +7 -0
package/dist/billing/payment-processor.d.ts +127 -0
package/dist/billing/payment-processor.js +8 -0
package/dist/billing/payment-processor.test.d.ts +1 -0
package/dist/billing/payment-processor.test.js +71 -0
package/dist/billing/payram/cents-credits-boundary.test.d.ts +1 -0
package/dist/billing/payram/cents-credits-boundary.test.js +75 -0
package/dist/billing/payram/charge-store.d.ts +41 -0
package/dist/billing/payram/charge-store.js +72 -0
package/dist/billing/payram/charge-store.test.d.ts +1 -0
package/dist/billing/payram/charge-store.test.js +64 -0
package/dist/billing/payram/checkout.d.ts +15 -0
package/dist/billing/payram/checkout.js +24 -0
package/dist/billing/payram/checkout.test.d.ts +1 -0
package/dist/billing/payram/checkout.test.js +74 -0
package/dist/billing/payram/client.d.ts +7 -0
package/dist/billing/payram/client.js +15 -0
package/dist/billing/payram/client.test.d.ts +1 -0
package/dist/billing/payram/client.test.js +52 -0
package/dist/billing/payram/index.d.ts +8 -0
package/dist/billing/payram/index.js +4 -0
package/dist/billing/payram/types.d.ts +40 -0
package/dist/billing/payram/types.js +1 -0
package/dist/billing/payram/webhook.d.ts +19 -0
package/dist/billing/payram/webhook.js +67 -0
package/dist/billing/payram/webhook.test.d.ts +7 -0
package/dist/billing/payram/webhook.test.js +248 -0
package/dist/billing/stripe/cents-credits-boundary.test.d.ts +1 -0
package/dist/billing/stripe/cents-credits-boundary.test.js +62 -0
package/dist/billing/stripe/checkout.d.ts +20 -0
package/dist/billing/stripe/checkout.js +63 -0
package/dist/billing/stripe/checkout.test.d.ts +1 -0
package/dist/billing/stripe/checkout.test.js +148 -0
package/dist/billing/stripe/client.d.ts +14 -0
package/dist/billing/stripe/client.js +33 -0
package/dist/billing/stripe/client.test.d.ts +1 -0
package/dist/billing/stripe/client.test.js +58 -0
package/dist/billing/stripe/credit-prices.d.ts +63 -0
package/dist/billing/stripe/credit-prices.js +81 -0
package/dist/billing/stripe/credit-prices.test.d.ts +1 -0
package/dist/billing/stripe/credit-prices.test.js +87 -0
package/dist/billing/stripe/index.d.ts +14 -0
package/dist/billing/stripe/index.js +8 -0
package/dist/billing/stripe/payment-methods-detach-all.test.d.ts +1 -0
package/dist/billing/stripe/payment-methods-detach-all.test.js +40 -0
package/dist/billing/stripe/payment-methods.d.ts +25 -0
package/dist/billing/stripe/payment-methods.js +53 -0
package/dist/billing/stripe/payment-methods.test.d.ts +1 -0
package/dist/billing/stripe/payment-methods.test.js +122 -0
package/dist/billing/stripe/portal.d.ts +10 -0
package/dist/billing/stripe/portal.js +16 -0
package/dist/billing/stripe/portal.test.d.ts +1 -0
package/dist/billing/stripe/portal.test.js +48 -0
package/dist/billing/stripe/setup-intent.d.ts +16 -0
package/dist/billing/stripe/setup-intent.js +22 -0
package/dist/billing/stripe/setup-intent.test.d.ts +1 -0
package/dist/billing/stripe/setup-intent.test.js +58 -0
package/dist/billing/stripe/stripe-payment-processor.d.ts +49 -0
package/dist/billing/stripe/stripe-payment-processor.js +166 -0
package/dist/billing/stripe/stripe-payment-processor.test.d.ts +1 -0
package/dist/billing/stripe/stripe-payment-processor.test.js +413 -0
package/dist/billing/stripe/tenant-store.d.ts +56 -0
package/dist/billing/stripe/tenant-store.js +119 -0
package/dist/billing/stripe/tenant-store.test.d.ts +1 -0
package/dist/billing/stripe/tenant-store.test.js +97 -0
package/dist/billing/stripe/types.d.ts +49 -0
package/dist/billing/stripe/types.js +1 -0
package/dist/billing/webhook-seen-repository.d.ts +14 -0
package/dist/billing/webhook-seen-repository.js +13 -0
package/dist/config/billing-env.test.d.ts +1 -0
package/dist/config/billing-env.test.js +48 -0
package/dist/config/index.d.ts +46 -0
package/dist/config/index.js +38 -0
package/dist/config/logger.d.ts +2 -0
package/dist/config/logger.js +11 -0
package/dist/config/provider-endpoints.d.ts +6 -0
package/dist/config/provider-endpoints.js +12 -0
package/dist/credits/auto-topup-charge.d.ts +27 -0
package/dist/credits/auto-topup-charge.js +139 -0
package/dist/credits/auto-topup-charge.test.d.ts +1 -0
package/dist/credits/auto-topup-charge.test.js +242 -0
package/dist/credits/auto-topup-event-log-repository.d.ts +16 -0
package/dist/credits/auto-topup-event-log-repository.js +18 -0
package/dist/credits/auto-topup-event-log-repository.test.d.ts +1 -0
package/dist/credits/auto-topup-event-log-repository.test.js +83 -0
package/dist/credits/auto-topup-schedule.d.ts +27 -0
package/dist/credits/auto-topup-schedule.js +66 -0
package/dist/credits/auto-topup-schedule.test.d.ts +1 -0
package/dist/credits/auto-topup-schedule.test.js +145 -0
package/dist/credits/auto-topup-settings-repository.d.ts +54 -0
package/dist/credits/auto-topup-settings-repository.js +184 -0
package/dist/credits/auto-topup-settings-repository.test.d.ts +1 -0
package/dist/credits/auto-topup-settings-repository.test.js +104 -0
package/dist/credits/auto-topup-usage.d.ts +22 -0
package/dist/credits/auto-topup-usage.js +56 -0
package/dist/credits/auto-topup-usage.test.d.ts +1 -0
package/dist/credits/auto-topup-usage.test.js +181 -0
package/dist/credits/credit-expiry-cron.d.ts +19 -0
package/dist/credits/credit-expiry-cron.js +50 -0
package/dist/credits/credit-expiry-cron.test.d.ts +1 -0
package/dist/credits/credit-expiry-cron.test.js +67 -0
package/dist/credits/credit-ledger-extra.test.d.ts +1 -0
package/dist/credits/credit-ledger-extra.test.js +40 -0
package/dist/credits/credit-ledger.bench.d.ts +1 -0
package/dist/credits/credit-ledger.bench.js +33 -0
package/dist/credits/credit-ledger.d.ts +130 -0
package/dist/credits/credit-ledger.js +293 -0
package/dist/credits/credit-ledger.test.d.ts +4 -0
package/dist/credits/credit-ledger.test.js +203 -0
package/dist/credits/credit-transaction-repository.d.ts +17 -0
package/dist/credits/credit-transaction-repository.js +35 -0
package/dist/credits/credit-transaction-repository.test.d.ts +1 -0
package/dist/credits/credit-transaction-repository.test.js +232 -0
package/dist/credits/credit.d.ts +75 -0
package/dist/credits/credit.js +139 -0
package/dist/credits/credit.test.d.ts +1 -0
package/dist/credits/credit.test.js +196 -0
package/dist/credits/dividend-cron.d.ts +29 -0
package/dist/credits/dividend-cron.js +88 -0
package/dist/credits/dividend-cron.test.d.ts +1 -0
package/dist/credits/dividend-cron.test.js +128 -0
package/dist/credits/dividend-repository.d.ts +29 -0
package/dist/credits/dividend-repository.js +126 -0
package/dist/credits/dividend-repository.test.d.ts +1 -0
package/dist/credits/dividend-repository.test.js +176 -0
package/dist/credits/index.d.ts +9 -0
package/dist/credits/index.js +5 -0
package/dist/credits/repository-types.d.ts +29 -0
package/dist/credits/repository-types.js +1 -0
package/dist/credits/signup-grant.d.ts +12 -0
package/dist/credits/signup-grant.js +35 -0
package/dist/credits/signup-grant.test.d.ts +1 -0
package/dist/credits/signup-grant.test.js +51 -0
package/dist/credits/tenant-customer-repository.d.ts +30 -0
package/dist/credits/tenant-customer-repository.js +5 -0
package/dist/db/auth-user-repository.d.ts +46 -0
package/dist/db/auth-user-repository.js +90 -0
package/dist/db/credit-column.d.ts +27 -0
package/dist/db/credit-column.js +13 -0
package/dist/db/index.d.ts +14 -0
package/dist/db/index.js +8 -0
package/dist/db/schema/account-deletion-requests.d.ts +203 -0
package/dist/db/schema/account-deletion-requests.js +36 -0
package/dist/db/schema/account-export-requests.d.ts +148 -0
package/dist/db/schema/account-export-requests.js +19 -0
package/dist/db/schema/admin-audit.d.ts +194 -0
package/dist/db/schema/admin-audit.js +21 -0
package/dist/db/schema/admin-users.d.ts +177 -0
package/dist/db/schema/admin-users.js +23 -0
package/dist/db/schema/affiliate-fraud.d.ts +160 -0
package/dist/db/schema/affiliate-fraud.js +18 -0
package/dist/db/schema/affiliate.d.ts +277 -0
package/dist/db/schema/affiliate.js +32 -0
package/dist/db/schema/coupon-codes.d.ts +143 -0
package/dist/db/schema/coupon-codes.js +17 -0
package/dist/db/schema/credit-auto-topup-settings.d.ts +232 -0
package/dist/db/schema/credit-auto-topup-settings.js +27 -0
package/dist/db/schema/credit-auto-topup.d.ts +130 -0
package/dist/db/schema/credit-auto-topup.js +21 -0
package/dist/db/schema/credits.d.ts +283 -0
package/dist/db/schema/credits.js +38 -0
package/dist/db/schema/dividend-distributions.d.ts +130 -0
package/dist/db/schema/dividend-distributions.js +19 -0
package/dist/db/schema/email-notifications.d.ts +99 -0
package/dist/db/schema/email-notifications.js +21 -0
package/dist/db/schema/index.d.ts +33 -0
package/dist/db/schema/index.js +33 -0
package/dist/db/schema/meter-events.d.ts +599 -0
package/dist/db/schema/meter-events.js +55 -0
package/dist/db/schema/notification-preferences.d.ts +165 -0
package/dist/db/schema/notification-preferences.js +18 -0
package/dist/db/schema/notification-queue.d.ts +236 -0
package/dist/db/schema/notification-queue.js +40 -0
package/dist/db/schema/org-memberships.d.ts +63 -0
package/dist/db/schema/org-memberships.js +15 -0
package/dist/db/schema/organization-members.d.ts +235 -0
package/dist/db/schema/organization-members.js +27 -0
package/dist/db/schema/payram.d.ts +164 -0
package/dist/db/schema/payram.js +21 -0
package/dist/db/schema/platform-api-keys.d.ts +143 -0
package/dist/db/schema/platform-api-keys.js +20 -0
package/dist/db/schema/promotion-redemptions.d.ts +143 -0
package/dist/db/schema/promotion-redemptions.js +18 -0
package/dist/db/schema/promotions.d.ts +445 -0
package/dist/db/schema/promotions.js +48 -0
package/dist/db/schema/provider-credentials.d.ts +201 -0
package/dist/db/schema/provider-credentials.js +36 -0
package/dist/db/schema/rate-limit-entries.d.ts +75 -0
package/dist/db/schema/rate-limit-entries.js +7 -0
package/dist/db/schema/secret-audit-log.d.ts +109 -0
package/dist/db/schema/secret-audit-log.js +15 -0
package/dist/db/schema/session-usage.d.ts +194 -0
package/dist/db/schema/session-usage.js +19 -0
package/dist/db/schema/spending-limits.d.ts +92 -0
package/dist/db/schema/spending-limits.js +8 -0
package/dist/db/schema/tenant-addons.d.ts +58 -0
package/dist/db/schema/tenant-addons.js +9 -0
package/dist/db/schema/tenant-api-keys.d.ts +131 -0
package/dist/db/schema/tenant-api-keys.js +21 -0
package/dist/db/schema/tenant-capability-settings.d.ts +79 -0
package/dist/db/schema/tenant-capability-settings.js +12 -0
package/dist/db/schema/tenant-customers.d.ts +303 -0
package/dist/db/schema/tenant-customers.js +25 -0
package/dist/db/schema/tenants.d.ts +126 -0
package/dist/db/schema/tenants.js +18 -0
package/dist/db/schema/user-roles.d.ts +98 -0
package/dist/db/schema/user-roles.js +18 -0
package/dist/db/schema/webhook-seen-events.d.ts +58 -0
package/dist/db/schema/webhook-seen-events.js +9 -0
package/dist/email/billing-emails.d.ts +51 -0
package/dist/email/billing-emails.js +163 -0
package/dist/email/billing-emails.test.d.ts +1 -0
package/dist/email/billing-emails.test.js +162 -0
package/dist/email/client.d.ts +51 -0
package/dist/email/client.js +102 -0
package/dist/email/client.test.d.ts +1 -0
package/dist/email/client.test.js +120 -0
package/dist/email/drizzle-billing-email-repository.d.ts +21 -0
package/dist/email/drizzle-billing-email-repository.js +36 -0
package/dist/email/drizzle-billing-email-repository.test.d.ts +1 -0
package/dist/email/drizzle-billing-email-repository.test.js +42 -0
package/dist/email/index.d.ts +33 -0
package/dist/email/index.js +22 -0
package/dist/email/notification-preferences-store.d.ts +12 -0
package/dist/email/notification-preferences-store.js +82 -0
package/dist/email/notification-preferences-store.test.d.ts +1 -0
package/dist/email/notification-preferences-store.test.js +86 -0
package/dist/email/notification-queue-store.d.ts +25 -0
package/dist/email/notification-queue-store.js +97 -0
package/dist/email/notification-queue-store.test.d.ts +1 -0
package/dist/email/notification-queue-store.test.js +177 -0
package/dist/email/notification-repository-types.d.ts +70 -0
package/dist/email/notification-repository-types.js +6 -0
package/dist/email/notification-service.d.ts +41 -0
package/dist/email/notification-service.js +196 -0
package/dist/email/notification-service.test.d.ts +1 -0
package/dist/email/notification-service.test.js +160 -0
package/dist/email/notification-templates.d.ts +18 -0
package/dist/email/notification-templates.js +574 -0
package/dist/email/notification-templates.test.d.ts +1 -0
package/dist/email/notification-templates.test.js +238 -0
package/dist/email/notification-worker.d.ts +24 -0
package/dist/email/notification-worker.js +109 -0
package/dist/email/notification-worker.test.d.ts +1 -0
package/dist/email/notification-worker.test.js +153 -0
package/dist/email/require-verified.d.ts +25 -0
package/dist/email/require-verified.js +52 -0
package/dist/email/require-verified.test.d.ts +1 -0
package/dist/email/require-verified.test.js +62 -0
package/dist/email/resend-adapter.d.ts +47 -0
package/dist/email/resend-adapter.js +137 -0
package/dist/email/resend-adapter.test.d.ts +1 -0
package/dist/email/resend-adapter.test.js +190 -0
package/dist/email/templates.d.ts +22 -0
package/dist/email/templates.js +359 -0
package/dist/email/templates.test.d.ts +1 -0
package/dist/email/templates.test.js +170 -0
package/dist/email/verification.d.ts +42 -0
package/dist/email/verification.js +83 -0
package/dist/email/verification.test.d.ts +1 -0
package/dist/email/verification.test.js +141 -0
package/dist/index.d.ts +13 -0
package/dist/index.js +23 -0
package/dist/metering/aggregator.d.ts +54 -0
package/dist/metering/aggregator.js +123 -0
package/dist/metering/aggregator.test.d.ts +1 -0
package/dist/metering/aggregator.test.js +179 -0
package/dist/metering/dlq.d.ts +31 -0
package/dist/metering/dlq.js +82 -0
package/dist/metering/dlq.test.d.ts +1 -0
package/dist/metering/dlq.test.js +117 -0
package/dist/metering/drizzle-usage-summary-repository.d.ts +67 -0
package/dist/metering/drizzle-usage-summary-repository.js +98 -0
package/dist/metering/emitter.d.ts +66 -0
package/dist/metering/emitter.js +185 -0
package/dist/metering/emitter.test.d.ts +1 -0
package/dist/metering/emitter.test.js +171 -0
package/dist/metering/index.d.ts +11 -0
package/dist/metering/index.js +5 -0
package/dist/metering/load-test.bench.d.ts +1 -0
package/dist/metering/load-test.bench.js +103 -0
package/dist/metering/meter-event-repository.d.ts +33 -0
package/dist/metering/meter-event-repository.js +58 -0
package/dist/metering/meter-repositories.test.d.ts +1 -0
package/dist/metering/meter-repositories.test.js +419 -0
package/dist/metering/metering.test.d.ts +1 -0
package/dist/metering/metering.test.js +1046 -0
package/dist/metering/reconciliation-cron.d.ts +37 -0
package/dist/metering/reconciliation-cron.js +85 -0
package/dist/metering/reconciliation-cron.test.d.ts +1 -0
package/dist/metering/reconciliation-cron.test.js +162 -0
package/dist/metering/reconciliation-repository.d.ts +27 -0
package/dist/metering/reconciliation-repository.js +43 -0
package/dist/metering/reconciliation-repository.test.d.ts +1 -0
package/dist/metering/reconciliation-repository.test.js +160 -0
package/dist/metering/types.d.ts +88 -0
package/dist/metering/types.js +1 -0
package/dist/metering/wal.d.ts +49 -0
package/dist/metering/wal.js +124 -0
package/dist/metering/wal.test.d.ts +1 -0
package/dist/metering/wal.test.js +175 -0
package/dist/middleware/csrf.d.ts +24 -0
package/dist/middleware/csrf.js +80 -0
package/dist/middleware/csrf.test.d.ts +1 -0
package/dist/middleware/csrf.test.js +152 -0
package/dist/middleware/drizzle-rate-limit-repository.d.ts +9 -0
package/dist/middleware/drizzle-rate-limit-repository.js +52 -0
package/dist/middleware/drizzle-rate-limit-repository.test.d.ts +1 -0
package/dist/middleware/drizzle-rate-limit-repository.test.js +74 -0
package/dist/middleware/get-client-ip.d.ts +22 -0
package/dist/middleware/get-client-ip.js +51 -0
package/dist/middleware/get-client-ip.test.d.ts +1 -0
package/dist/middleware/get-client-ip.test.js +40 -0
package/dist/middleware/index.d.ts +5 -0
package/dist/middleware/index.js +4 -0
package/dist/middleware/rate-limit-repository.d.ts +19 -0
package/dist/middleware/rate-limit-repository.js +1 -0
package/dist/middleware/rate-limit.d.ts +57 -0
package/dist/middleware/rate-limit.js +109 -0
package/dist/middleware/rate-limit.test.d.ts +1 -0
package/dist/middleware/rate-limit.test.js +247 -0
package/dist/security/credential-vault/audit-repository.d.ts +27 -0
package/dist/security/credential-vault/audit-repository.js +42 -0
package/dist/security/credential-vault/audit-repository.test.d.ts +1 -0
package/dist/security/credential-vault/audit-repository.test.js +78 -0
package/dist/security/credential-vault/credential-repository.d.ts +94 -0
package/dist/security/credential-vault/credential-repository.js +145 -0
package/dist/security/credential-vault/credential-repository.test.d.ts +1 -0
package/dist/security/credential-vault/credential-repository.test.js +206 -0
package/dist/security/credential-vault/index.d.ts +12 -0
package/dist/security/credential-vault/index.js +6 -0
package/dist/security/credential-vault/key-rotation.d.ts +18 -0
package/dist/security/credential-vault/key-rotation.js +52 -0
package/dist/security/credential-vault/key-rotation.test.d.ts +1 -0
package/dist/security/credential-vault/key-rotation.test.js +95 -0
package/dist/security/credential-vault/migrate-plaintext.d.ts +15 -0
package/dist/security/credential-vault/migrate-plaintext.js +80 -0
package/dist/security/credential-vault/migrate-plaintext.test.d.ts +1 -0
package/dist/security/credential-vault/migrate-plaintext.test.js +111 -0
package/dist/security/credential-vault/migration-check.d.ts +15 -0
package/dist/security/credential-vault/migration-check.js +71 -0
package/dist/security/credential-vault/migration-check.test.d.ts +1 -0
package/dist/security/credential-vault/migration-check.test.js +457 -0
package/dist/security/credential-vault/store.d.ts +106 -0
package/dist/security/credential-vault/store.js +181 -0
package/dist/security/credential-vault/store.test.d.ts +1 -0
package/dist/security/credential-vault/store.test.js +482 -0
package/dist/security/encryption.d.ts +22 -0
package/dist/security/encryption.js +53 -0
package/dist/security/encryption.test.d.ts +1 -0
package/dist/security/encryption.test.js +95 -0
package/dist/security/host-validation.d.ts +11 -0
package/dist/security/host-validation.js +108 -0
package/dist/security/host-validation.test.d.ts +1 -0
package/dist/security/host-validation.test.js +106 -0
package/dist/security/index.d.ts +11 -0
package/dist/security/index.js +11 -0
package/dist/security/key-audit.d.ts +16 -0
package/dist/security/key-audit.js +35 -0
package/dist/security/key-audit.test.d.ts +1 -0
package/dist/security/key-audit.test.js +50 -0
package/dist/security/key-injection.d.ts +28 -0
package/dist/security/key-injection.js +57 -0
package/dist/security/key-injection.test.d.ts +1 -0
package/dist/security/key-injection.test.js +97 -0
package/dist/security/key-validation.d.ts +16 -0
package/dist/security/key-validation.js +78 -0
package/dist/security/key-validation.test.d.ts +1 -0
package/dist/security/key-validation.test.js +87 -0
package/dist/security/redirect-allowlist.d.ts +6 -0
package/dist/security/redirect-allowlist.js +36 -0
package/dist/security/redirect-allowlist.test.d.ts +1 -0
package/dist/security/redirect-allowlist.test.js +55 -0
package/dist/security/tenant-keys/capability-settings-store.d.ts +22 -0
package/dist/security/tenant-keys/capability-settings-store.js +33 -0
package/dist/security/tenant-keys/capability-settings-store.test.d.ts +1 -0
package/dist/security/tenant-keys/capability-settings-store.test.js +77 -0
package/dist/security/tenant-keys/index.d.ts +10 -0
package/dist/security/tenant-keys/index.js +5 -0
package/dist/security/tenant-keys/key-resolution-repository.d.ts +15 -0
package/dist/security/tenant-keys/key-resolution-repository.js +18 -0
package/dist/security/tenant-keys/key-resolution-repository.test.d.ts +1 -0
package/dist/security/tenant-keys/key-resolution-repository.test.js +72 -0
package/dist/security/tenant-keys/key-resolution.d.ts +39 -0
package/dist/security/tenant-keys/key-resolution.js +59 -0
package/dist/security/tenant-keys/key-resolution.test.d.ts +1 -0
package/dist/security/tenant-keys/key-resolution.test.js +97 -0
package/dist/security/tenant-keys/org-key-resolution.d.ts +30 -0
package/dist/security/tenant-keys/org-key-resolution.js +50 -0
package/dist/security/tenant-keys/org-key-resolution.test.d.ts +1 -0
package/dist/security/tenant-keys/org-key-resolution.test.js +103 -0
package/dist/security/tenant-keys/tenant-key-repository.d.ts +36 -0
package/dist/security/tenant-keys/tenant-key-repository.js +96 -0
package/dist/security/tenant-keys/tenant-key-repository.test.d.ts +1 -0
package/dist/security/tenant-keys/tenant-key-repository.test.js +114 -0
package/dist/security/types.d.ts +35 -0
package/dist/security/types.js +15 -0
package/dist/tenancy/drizzle-org-repository.d.ts +40 -0
package/dist/tenancy/drizzle-org-repository.js +126 -0
package/dist/tenancy/index.d.ts +6 -0
package/dist/tenancy/index.js +3 -0
package/dist/tenancy/org-member-repository.d.ts +57 -0
package/dist/tenancy/org-member-repository.js +99 -0
package/dist/tenancy/org-repository.test.d.ts +1 -0
package/dist/tenancy/org-repository.test.js +143 -0
package/dist/tenancy/org-service.d.ts +70 -0
package/dist/tenancy/org-service.js +223 -0
package/dist/tenancy/org-service.test.d.ts +1 -0
package/dist/tenancy/org-service.test.js +550 -0
package/dist/test/db.d.ts +33 -0
package/dist/test/db.js +65 -0
package/dist/trpc/index.d.ts +1 -0
package/dist/trpc/index.js +1 -0
package/dist/trpc/init.d.ts +49 -0
package/dist/trpc/init.js +108 -0
package/dist/trpc/init.test.d.ts +1 -0
package/dist/trpc/init.test.js +154 -0
package/drizzle/migrations/0000_slippery_mandrill.sql +559 -0
package/drizzle/migrations/meta/0000_snapshot.json +4374 -0
package/drizzle/migrations/meta/_journal.json +13 -0
package/drizzle.config.ts +41 -0
package/package.json +64 -0
package/src/admin/admin-audit-log-repository.ts +135 -0
package/src/admin/audit-log.ts +111 -0
package/src/admin/index.ts +6 -0
package/src/admin/role-store.ts +134 -0
package/src/auth/api-key-repository.test.ts +63 -0
package/src/auth/api-key-repository.ts +46 -0
package/src/auth/auth.test.ts +166 -0
package/src/auth/better-auth.ts +216 -0
package/src/auth/index.ts +520 -0
package/src/auth/login-history-repository.test.ts +54 -0
package/src/auth/login-history-repository.ts +28 -0
package/src/auth/middleware.test.ts +264 -0
package/src/auth/middleware.ts +117 -0
package/src/auth/scoped-tokens.test.ts +362 -0
package/src/auth/tenant-access.test.ts +69 -0
package/src/auth/user-creator.test.ts +98 -0
package/src/auth/user-creator.ts +54 -0
package/src/auth/user-role-repository.test.ts +149 -0
package/src/auth/user-role-repository.ts +67 -0
package/src/billing/drizzle-webhook-seen-repository.ts +34 -0
package/src/billing/index.ts +22 -0
package/src/billing/payment-processor.test.ts +93 -0
package/src/billing/payment-processor.ts +150 -0
package/src/billing/payram/cents-credits-boundary.test.ts +84 -0
package/src/billing/payram/charge-store.test.ts +84 -0
package/src/billing/payram/charge-store.ts +109 -0
package/src/billing/payram/checkout.test.ts +99 -0
package/src/billing/payram/checkout.ts +40 -0
package/src/billing/payram/client.test.ts +62 -0
package/src/billing/payram/client.ts +21 -0
package/src/billing/payram/index.ts +14 -0
package/src/billing/payram/types.ts +44 -0
package/src/billing/payram/webhook.test.ts +318 -0
package/src/billing/payram/webhook.ts +97 -0
package/src/billing/stripe/cents-credits-boundary.test.ts +70 -0
package/src/billing/stripe/checkout.test.ts +186 -0
package/src/billing/stripe/checkout.ts +82 -0
package/src/billing/stripe/client.test.ts +64 -0
package/src/billing/stripe/client.ts +39 -0
package/src/billing/stripe/credit-prices.test.ts +114 -0
package/src/billing/stripe/credit-prices.ts +113 -0
package/src/billing/stripe/index.ts +14 -0
package/src/billing/stripe/payment-methods-detach-all.test.ts +53 -0
package/src/billing/stripe/payment-methods.test.ts +157 -0
package/src/billing/stripe/payment-methods.ts +76 -0
package/src/billing/stripe/portal.test.ts +63 -0
package/src/billing/stripe/portal.ts +25 -0
package/src/billing/stripe/setup-intent.test.ts +78 -0
package/src/billing/stripe/setup-intent.ts +34 -0
package/src/billing/stripe/stripe-payment-processor.test.ts +517 -0
package/src/billing/stripe/stripe-payment-processor.ts +255 -0
package/src/billing/stripe/tenant-store.test.ts +124 -0
package/src/billing/stripe/tenant-store.ts +151 -0
package/src/billing/stripe/types.ts +53 -0
package/src/billing/webhook-seen-repository.ts +24 -0
package/src/config/billing-env.test.ts +54 -0
package/src/config/index.ts +44 -0
package/src/config/logger.ts +12 -0
package/src/config/provider-endpoints.ts +14 -0
package/src/credits/auto-topup-charge.test.ts +292 -0
package/src/credits/auto-topup-charge.ts +171 -0
package/src/credits/auto-topup-event-log-repository.test.ts +99 -0
package/src/credits/auto-topup-event-log-repository.ts +30 -0
package/src/credits/auto-topup-schedule.test.ts +179 -0
package/src/credits/auto-topup-schedule.ts +93 -0
package/src/credits/auto-topup-settings-repository.test.ts +123 -0
package/src/credits/auto-topup-settings-repository.ts +245 -0
package/src/credits/auto-topup-usage.test.ts +220 -0
package/src/credits/auto-topup-usage.ts +68 -0
package/src/credits/credit-expiry-cron.test.ts +125 -0
package/src/credits/credit-expiry-cron.ts +76 -0
package/src/credits/credit-ledger-extra.test.ts +57 -0
package/src/credits/credit-ledger.bench.ts +56 -0
package/src/credits/credit-ledger.test.ts +276 -0
package/src/credits/credit-ledger.ts +450 -0
package/src/credits/credit-transaction-repository.test.ts +274 -0
package/src/credits/credit-transaction-repository.ts +62 -0
package/src/credits/credit.test.ts +234 -0
package/src/credits/credit.ts +160 -0
package/src/credits/dividend-cron.test.ts +158 -0
package/src/credits/dividend-cron.ts +127 -0
package/src/credits/dividend-repository.test.ts +223 -0
package/src/credits/dividend-repository.ts +182 -0
package/src/credits/index.ts +25 -0
package/src/credits/repository-types.ts +33 -0
package/src/credits/signup-grant.test.ts +63 -0
package/src/credits/signup-grant.ts +44 -0
package/src/credits/tenant-customer-repository.ts +28 -0
package/src/db/auth-user-repository.ts +124 -0
package/src/db/credit-column.ts +17 -0
package/src/db/index.ts +21 -0
package/src/db/schema/account-deletion-requests.ts +41 -0
package/src/db/schema/account-export-requests.ts +24 -0
package/src/db/schema/admin-audit.ts +26 -0
package/src/db/schema/admin-users.ts +31 -0
package/src/db/schema/affiliate-fraud.ts +23 -0
package/src/db/schema/affiliate.ts +38 -0
package/src/db/schema/coupon-codes.ts +22 -0
package/src/db/schema/credit-auto-topup-settings.ts +32 -0
package/src/db/schema/credit-auto-topup.ts +26 -0
package/src/db/schema/credits.ts +44 -0
package/src/db/schema/dividend-distributions.ts +24 -0
package/src/db/schema/email-notifications.ts +26 -0
package/src/db/schema/index.ts +33 -0
package/src/db/schema/meter-events.ts +70 -0
package/src/db/schema/notification-preferences.ts +19 -0
package/src/db/schema/notification-queue.ts +45 -0
package/src/db/schema/org-memberships.ts +20 -0
package/src/db/schema/organization-members.ts +37 -0
package/src/db/schema/payram.ts +26 -0
package/src/db/schema/platform-api-keys.ts +25 -0
package/src/db/schema/promotion-redemptions.ts +23 -0
package/src/db/schema/promotions.ts +57 -0
package/src/db/schema/provider-credentials.ts +41 -0
package/src/db/schema/rate-limit-entries.ts +12 -0
package/src/db/schema/secret-audit-log.ts +20 -0
package/src/db/schema/session-usage.ts +24 -0
package/src/db/schema/spending-limits.ts +9 -0
package/src/db/schema/tenant-addons.ts +14 -0
package/src/db/schema/tenant-api-keys.ts +26 -0
package/src/db/schema/tenant-capability-settings.ts +17 -0
package/src/db/schema/tenant-customers.ts +35 -0
package/src/db/schema/tenants.ts +23 -0
package/src/db/schema/user-roles.ts +23 -0
package/src/db/schema/webhook-seen-events.ts +14 -0
package/src/email/billing-emails.test.ts +198 -0
package/src/email/billing-emails.ts +211 -0
package/src/email/client.test.ts +149 -0
package/src/email/client.ts +137 -0
package/src/email/drizzle-billing-email-repository.test.ts +52 -0
package/src/email/drizzle-billing-email-repository.ts +59 -0
package/src/email/index.ts +57 -0
package/src/email/notification-preferences-store.test.ts +102 -0
package/src/email/notification-preferences-store.ts +90 -0
package/src/email/notification-queue-store.test.ts +215 -0
package/src/email/notification-queue-store.ts +127 -0
package/src/email/notification-repository-types.ts +101 -0
package/src/email/notification-service.test.ts +178 -0
package/src/email/notification-service.ts +265 -0
package/src/email/notification-templates.test.ts +261 -0
package/src/email/notification-templates.ts +727 -0
package/src/email/notification-worker.test.ts +189 -0
package/src/email/notification-worker.ts +133 -0
package/src/email/require-verified.ts +65 -0
package/src/email/resend-adapter.test.ts +253 -0
package/src/email/resend-adapter.ts +157 -0
package/src/email/templates.test.ts +217 -0
package/src/email/templates.ts +469 -0
package/src/email/verification.test.ts +185 -0
package/src/email/verification.ts +110 -0
package/src/index.ts +51 -0
package/src/metering/aggregator.test.ts +239 -0
package/src/metering/aggregator.ts +160 -0
package/src/metering/dlq.test.ts +134 -0
package/src/metering/dlq.ts +102 -0
package/src/metering/drizzle-usage-summary-repository.ts +167 -0
package/src/metering/emitter.test.ts +202 -0
package/src/metering/emitter.ts +227 -0
package/src/metering/index.ts +21 -0
package/src/metering/load-test.bench.ts +130 -0
package/src/metering/meter-event-repository.ts +87 -0
package/src/metering/meter-repositories.test.ts +491 -0
package/src/metering/metering.test.ts +1317 -0
package/src/metering/reconciliation-cron.test.ts +202 -0
package/src/metering/reconciliation-cron.ts +134 -0
package/src/metering/reconciliation-repository.test.ts +196 -0
package/src/metering/reconciliation-repository.ts +83 -0
package/src/metering/types.ts +93 -0
package/src/metering/wal.test.ts +222 -0
package/src/metering/wal.ts +139 -0
package/src/middleware/csrf.test.ts +178 -0
package/src/middleware/csrf.ts +101 -0
package/src/middleware/drizzle-rate-limit-repository.test.ts +97 -0
package/src/middleware/drizzle-rate-limit-repository.ts +57 -0
package/src/middleware/get-client-ip.test.ts +49 -0
package/src/middleware/get-client-ip.ts +62 -0
package/src/middleware/index.ts +12 -0
package/src/middleware/rate-limit-repository.ts +22 -0
package/src/middleware/rate-limit.test.ts +338 -0
package/src/middleware/rate-limit.ts +169 -0
package/src/security/credential-vault/audit-repository.test.ts +91 -0
package/src/security/credential-vault/audit-repository.ts +64 -0
package/src/security/credential-vault/credential-repository.test.ts +264 -0
package/src/security/credential-vault/credential-repository.ts +233 -0
package/src/security/credential-vault/index.ts +26 -0
package/src/security/credential-vault/key-rotation.test.ts +139 -0
package/src/security/credential-vault/key-rotation.ts +70 -0
package/src/security/credential-vault/migrate-plaintext.test.ts +138 -0
package/src/security/credential-vault/migrate-plaintext.ts +101 -0
package/src/security/credential-vault/migration-check.test.ts +533 -0
package/src/security/credential-vault/migration-check.ts +88 -0
package/src/security/credential-vault/store.test.ts +569 -0
package/src/security/credential-vault/store.ts +284 -0
package/src/security/encryption.test.ts +114 -0
package/src/security/encryption.ts +65 -0
package/src/security/host-validation.test.ts +136 -0
package/src/security/host-validation.ts +116 -0
package/src/security/index.ts +59 -0
package/src/security/key-audit.test.ts +57 -0
package/src/security/key-audit.ts +45 -0
package/src/security/key-injection.test.ts +131 -0
package/src/security/key-injection.ts +71 -0
package/src/security/key-validation.test.ts +111 -0
package/src/security/key-validation.ts +84 -0
package/src/security/redirect-allowlist.test.ts +70 -0
package/src/security/redirect-allowlist.ts +35 -0
package/src/security/tenant-keys/capability-settings-store.test.ts +98 -0
package/src/security/tenant-keys/capability-settings-store.ts +53 -0
package/src/security/tenant-keys/index.ts +10 -0
package/src/security/tenant-keys/key-resolution-repository.test.ts +95 -0
package/src/security/tenant-keys/key-resolution-repository.ts +31 -0
package/src/security/tenant-keys/key-resolution.test.ts +173 -0
package/src/security/tenant-keys/key-resolution.ts +87 -0
package/src/security/tenant-keys/org-key-resolution.test.ts +217 -0
package/src/security/tenant-keys/org-key-resolution.ts +76 -0
package/src/security/tenant-keys/tenant-key-repository.test.ts +143 -0
package/src/security/tenant-keys/tenant-key-repository.ts +130 -0
package/src/security/types.ts +43 -0
package/src/tenancy/drizzle-org-repository.ts +169 -0
package/src/tenancy/index.ts +6 -0
package/src/tenancy/org-member-repository.ts +159 -0
package/src/tenancy/org-repository.test.ts +172 -0
package/src/tenancy/org-service.test.ts +634 -0
package/src/tenancy/org-service.ts +290 -0
package/src/test/db.ts +97 -0
package/src/trpc/index.ts +11 -0
package/src/trpc/init.test.ts +196 -0
package/src/trpc/init.ts +138 -0
package/tsconfig.json +20 -0
package/vitest.config.ts +8 -0

package/src/auth/middleware.test.ts ADDED Viewed

@@ -0,0 +1,264 @@
+import { createHash } from "node:crypto";
+import { Hono } from "hono";
+import { describe, expect, it, vi } from "vitest";
+import type { IApiKeyRepository } from "./api-key-repository.js";
+import type { Auth } from "./better-auth.js";
+import type { AuthUser } from "./index.js";
+import { dualAuth, type SessionAuthEnv, sessionAuth } from "./middleware.js";
+function sha256(token: string): string {
+  return createHash("sha256").update(token).digest("hex");
+}
+function mockApiKeyRepo(entries: Map<string, AuthUser>): IApiKeyRepository {
+  const hashMap = new Map<string, AuthUser>();
+  for (const [token, user] of entries) {
+    hashMap.set(sha256(token), user);
+  }
+  return {
+    async findByHash(keyHash: string) {
+      return hashMap.get(keyHash) ?? null;
+    },
+  };
+}
+function mockAuth(sessionResult: { user: { id: string; role?: string } } | null = null): Auth {
+  return {
+    api: {
+      getSession: vi.fn().mockResolvedValue(sessionResult),
+    },
+  } as unknown as Auth;
+}
+describe("sessionAuth middleware", () => {
+  it("sets user and authMethod for valid session", async () => {
+    const auth = mockAuth({ user: { id: "user-1", role: "admin" } });
+    const app = new Hono<SessionAuthEnv>();
+    app.use("/*", sessionAuth(auth));
+    app.get("/test", (c) => {
+      const user = c.get("user");
+      const method = c.get("authMethod");
+      return c.json({ userId: user.id, roles: user.roles, method });
+    });
+    const res = await app.request("/test");
+    expect(res.status).toBe(200);
+    const body = await res.json();
+    expect(body.userId).toBe("user-1");
+    expect(body.roles).toEqual(["admin", "user"]);
+    expect(body.method).toBe("session");
+  });
+  it("sets user roles as ['user'] for non-admin", async () => {
+    const auth = mockAuth({ user: { id: "user-2" } });
+    const app = new Hono<SessionAuthEnv>();
+    app.use("/*", sessionAuth(auth));
+    app.get("/test", (c) => {
+      const user = c.get("user");
+      return c.json({ roles: user.roles });
+    });
+    const res = await app.request("/test");
+    expect(res.status).toBe(200);
+    const body = await res.json();
+    expect(body.roles).toEqual(["user"]);
+  });
+  it("returns 401 when no session found", async () => {
+    const auth = mockAuth(null);
+    const app = new Hono<SessionAuthEnv>();
+    app.use("/*", sessionAuth(auth));
+    app.get("/test", (c) => c.json({ ok: true }));
+    const res = await app.request("/test");
+    expect(res.status).toBe(401);
+    const body = await res.json();
+    expect(body.error).toBe("Authentication required");
+  });
+  it("returns 401 when session has no user", async () => {
+    const auth = {
+      api: {
+        getSession: vi.fn().mockResolvedValue({ user: null }),
+      },
+    } as unknown as Auth;
+    const app = new Hono<SessionAuthEnv>();
+    app.use("/*", sessionAuth(auth));
+    app.get("/test", (c) => c.json({ ok: true }));
+    const res = await app.request("/test");
+    expect(res.status).toBe(401);
+  });
+  it("returns 503 when getSession throws a DB error", async () => {
+    const auth = {
+      api: {
+        getSession: vi.fn().mockRejectedValue(new Error("DB error")),
+      },
+    } as unknown as Auth;
+    const app = new Hono<SessionAuthEnv>();
+    app.use("/*", sessionAuth(auth));
+    app.get("/test", (c) => c.json({ ok: true }));
+    const res = await app.request("/test");
+    expect(res.status).toBe(503);
+    const body = await res.json();
+    expect(body.error).toBe("Service unavailable");
+  });
+});
+describe("dualAuth middleware", () => {
+  const apiKeyRepo = mockApiKeyRepo(
+    new Map<string, AuthUser>([
+      ["api-key-admin", { id: "admin-1", roles: ["admin"] }],
+      ["api-key-reader", { id: "reader-1", roles: ["user"] }],
+    ]),
+  );
+  it("authenticates with session cookie first", async () => {
+    const auth = mockAuth({ user: { id: "session-user", role: "admin" } });
+    const app = new Hono<SessionAuthEnv>();
+    app.use("/*", dualAuth(auth, apiKeyRepo));
+    app.get("/test", (c) => {
+      const user = c.get("user");
+      const method = c.get("authMethod");
+      return c.json({ userId: user.id, method });
+    });
+    const res = await app.request("/test");
+    expect(res.status).toBe(200);
+    const body = await res.json();
+    expect(body.userId).toBe("session-user");
+    expect(body.method).toBe("session");
+  });
+  it("falls back to bearer token when session fails", async () => {
+    const auth = mockAuth(null);
+    const app = new Hono<SessionAuthEnv>();
+    app.use("/*", dualAuth(auth, apiKeyRepo));
+    app.get("/test", (c) => {
+      const user = c.get("user");
+      const method = c.get("authMethod");
+      return c.json({ userId: user.id, method });
+    });
+    const res = await app.request("/test", {
+      headers: { Authorization: "Bearer api-key-admin" },
+    });
+    expect(res.status).toBe(200);
+    const body = await res.json();
+    expect(body.userId).toBe("admin-1");
+    expect(body.method).toBe("api_key");
+  });
+  it("returns 401 when neither session nor token is valid", async () => {
+    const auth = mockAuth(null);
+    const app = new Hono<SessionAuthEnv>();
+    app.use("/*", dualAuth(auth, apiKeyRepo));
+    app.get("/test", (c) => c.json({ ok: true }));
+    const res = await app.request("/test");
+    expect(res.status).toBe(401);
+    const body = await res.json();
+    expect(body.error).toBe("Authentication required");
+  });
+  it("returns 401 when bearer token is unknown", async () => {
+    const auth = mockAuth(null);
+    const app = new Hono<SessionAuthEnv>();
+    app.use("/*", dualAuth(auth, apiKeyRepo));
+    app.get("/test", (c) => c.json({ ok: true }));
+    const res = await app.request("/test", {
+      headers: { Authorization: "Bearer bad-token" },
+    });
+    expect(res.status).toBe(401);
+  });
+  it("returns 401 when Authorization header is not Bearer scheme", async () => {
+    const auth = mockAuth(null);
+    const app = new Hono<SessionAuthEnv>();
+    app.use("/*", dualAuth(auth, apiKeyRepo));
+    app.get("/test", (c) => c.json({ ok: true }));
+    const res = await app.request("/test", {
+      headers: { Authorization: "Basic dXNlcjpwYXNz" },
+    });
+    expect(res.status).toBe(401);
+  });
+  it("works without apiKeyRepo (session-only mode)", async () => {
+    const auth = mockAuth(null);
+    const app = new Hono<SessionAuthEnv>();
+    app.use("/*", dualAuth(auth));
+    app.get("/test", (c) => c.json({ ok: true }));
+    const res = await app.request("/test");
+    expect(res.status).toBe(401);
+  });
+  it("returns 503 when session DB lookup throws", async () => {
+    const auth = {
+      api: {
+        getSession: vi.fn().mockRejectedValue(new Error("Session DB error")),
+      },
+    } as unknown as Auth;
+    const app = new Hono<SessionAuthEnv>();
+    app.use("/*", dualAuth(auth, apiKeyRepo));
+    app.get("/test", (c) => c.json({ ok: true }));
+    const res = await app.request("/test", {
+      headers: { Authorization: "Bearer api-key-admin" },
+    });
+    expect(res.status).toBe(503);
+    const body = await res.json();
+    expect(body.error).toBe("Service unavailable");
+  });
+  it("returns 503 when API key DB lookup throws", async () => {
+    const auth = mockAuth(null);
+    const failingRepo: IApiKeyRepository = {
+      findByHash: vi.fn().mockRejectedValue(new Error("DB connection lost")),
+    };
+    const app = new Hono<SessionAuthEnv>();
+    app.use("/*", dualAuth(auth, failingRepo));
+    app.get("/test", (c) => c.json({ ok: true }));
+    const res = await app.request("/test", {
+      headers: { Authorization: "Bearer some-token" },
+    });
+    expect(res.status).toBe(503);
+    const body = await res.json();
+    expect(body.error).toBe("Service unavailable");
+  });
+  it("copies API user roles to prevent mutation", async () => {
+    const auth = mockAuth(null);
+    const app = new Hono<SessionAuthEnv>();
+    app.use("/*", dualAuth(auth, apiKeyRepo));
+    app.get("/test", (c) => {
+      const user = c.get("user");
+      return c.json({ roles: user.roles });
+    });
+    const res = await app.request("/test", {
+      headers: { Authorization: "Bearer api-key-reader" },
+    });
+    const body = await res.json();
+    expect(body.roles).toEqual(["user"]);
+  });
+});

package/src/auth/middleware.ts ADDED Viewed

@@ -0,0 +1,117 @@
+/**
+ * Session Auth Middleware — Resolves better-auth sessions for Hono routes.
+ *
+ * Reads the better-auth session cookie from the request, resolves the user,
+ * and sets `c.set("user", ...)` and `c.set("authMethod", "session")` for
+ * downstream route handlers.
+ *
+ * This middleware supports a dual-auth model:
+ * - **Session auth** (cookie-based): For browser/UI clients via better-auth
+ * - **Bearer token auth** (header-based): For machine-to-machine / API key access
+ *
+ * If neither is present, the request is rejected with 401.
+ */
+import { createHash } from "node:crypto";
+import type { Context, Next } from "hono";
+import type { IApiKeyRepository } from "./api-key-repository.js";
+import type { Auth } from "./better-auth.js";
+import type { AuthUser } from "./index.js";
+export interface SessionAuthEnv {
+  Variables: {
+    user: AuthUser;
+    authMethod: "session" | "api_key";
+  };
+}
+/**
+ * Create middleware that authenticates requests via better-auth session cookies.
+ *
+ * On success, sets:
+ * - `c.set("user", { id, roles })` — user context for downstream routes
+ * - `c.set("authMethod", "session")` — indicates session-based auth
+ *
+ * If no valid session cookie is found, returns 401.
+ *
+ * @param auth - The better-auth instance (use `getAuth()`)
+ */
+export function sessionAuth(auth: Auth) {
+  return async (c: Context<SessionAuthEnv>, next: Next) => {
+    try {
+      const session = await auth.api.getSession({ headers: c.req.raw.headers });
+      if (!session?.user) {
+        return c.json({ error: "Authentication required" }, 401);
+      }
+      const sessionUser = session.user as { id: string; role?: string };
+      const user: AuthUser = {
+        id: sessionUser.id,
+        roles: sessionUser.role === "admin" ? ["admin", "user"] : ["user"],
+      };
+      c.set("user", user);
+      c.set("authMethod", "session");
+      return next();
+    } catch {
+      return c.json({ error: "Service unavailable" }, 503);
+    }
+  };
+}
+/**
+ * Create dual-auth middleware that accepts EITHER a better-auth session cookie
+ * OR a bearer token. Session cookies are checked first; if absent, falls back
+ * to bearer token validation via DB-backed API key lookup.
+ *
+ * Bearer tokens are hashed with SHA-256 before lookup — raw tokens are never
+ * stored or compared in plaintext.
+ *
+ * @param auth - The better-auth instance
+ * @param apiKeyRepo - Optional repository for DB-backed API key lookup
+ */
+export function dualAuth(auth: Auth, apiKeyRepo?: IApiKeyRepository) {
+  return async (c: Context<SessionAuthEnv>, next: Next) => {
+    // 1. Try session cookie first
+    try {
+      const session = await auth.api.getSession({ headers: c.req.raw.headers });
+      if (session?.user) {
+        const sessionUser = session.user as { id: string; role?: string };
+        const user: AuthUser = {
+          id: sessionUser.id,
+          roles: sessionUser.role === "admin" ? ["admin", "user"] : ["user"],
+        };
+        c.set("user", user);
+        c.set("authMethod", "session");
+        return next();
+      }
+    } catch {
+      return c.json({ error: "Service unavailable" }, 503);
+    }
+    // 2. Fall back to bearer token (DB-backed lookup)
+    const authHeader = c.req.header("Authorization");
+    if (authHeader && apiKeyRepo) {
+      const trimmed = authHeader.trim();
+      if (trimmed.toLowerCase().startsWith("bearer ")) {
+        const token = trimmed.slice(7).trim();
+        if (token) {
+          const keyHash = createHash("sha256").update(token).digest("hex");
+          try {
+            const apiUser = await apiKeyRepo.findByHash(keyHash);
+            if (apiUser) {
+              c.set("user", { ...apiUser, roles: [...apiUser.roles] });
+              c.set("authMethod", "api_key");
+              return next();
+            }
+          } catch {
+            return c.json({ error: "Service unavailable" }, 503);
+          }
+        }
+      }
+    }
+    return c.json({ error: "Authentication required" }, 401);
+  };
+}