npm - @zero-server/auth - Versions diffs - 0.9.6 → 0.9.7 - Mend

@zero-server/auth 0.9.6 → 0.9.7

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (19) hide show

package/index.d.ts CHANGED Viewed

@@ -1,2 +1,2 @@
-// AUTO-GENERATED by .tools/generate-package-stubs.js — edit .tools/scope-manifest.js and re-run `npm run packages:generate`.
+// AUTO-GENERATED by .tools/generate-package-stubs.js - edit .tools/scope-manifest.js and re-run `npm run packages:generate`.
 export * from './types/auth';

package/index.js CHANGED Viewed

@@ -1,4 +1,4 @@
-// AUTO-GENERATED by .tools/generate-package-stubs.js — edit .tools/scope-manifest.js and re-run `npm run packages:generate`.
+// AUTO-GENERATED by .tools/generate-package-stubs.js - edit .tools/scope-manifest.js and re-run `npm run packages:generate`.
 'use strict';
 const lib = require("./lib/auth");

package/lib/auth/authorize.js CHANGED Viewed

@@ -1,6 +1,6 @@
 /**
  * @module auth/authorize
- * @description Authorization helpers — role-based access control (RBAC),
+ * @description Authorization helpers - role-based access control (RBAC),
  *              permission-based access, and policy classes.
  *
  *              Works with any authentication middleware that sets `req.user`.
@@ -13,22 +13,22 @@
  *   app.use(jwt({ secret: process.env.JWT_SECRET }));
  *   app.use(attachUserHelpers());
  *
- *   // Role-based — only admins and editors can modify posts
+ *   // Role-based - only admins and editors can modify posts
  *   app.put('/posts/:id', authorize('admin', 'editor'), (req, res) => {
  *       res.json({ updated: true });
  *   });
  *
- *   // Permission-based — require ALL listed permissions
+ *   // Permission-based - require ALL listed permissions
  *   app.delete('/users/:id', can('users:read', 'users:delete'), (req, res) => {
  *       res.json({ deleted: true });
  *   });
  *
- *   // ANY permission — useful for overlapping access
+ *   // ANY permission - useful for overlapping access
  *   app.get('/reports', canAny('reports:read', 'admin:read'), (req, res) => {
  *       res.json({ reports: [] });
  *   });
  *
- *   // Policy class — resource-level authorization
+ *   // Policy class - resource-level authorization
  *   class PostPolicy extends Policy {
  *       before(user) { if (user.role === 'superadmin') return true; }
  *       update(user, post) { return user.id === post.authorId || user.role === 'admin'; }
@@ -114,9 +114,9 @@ function authorize(...roles)
  * Checks `req.user.permissions` (array or Set) for the required permission(s).
  *
  * Permission strings follow a `resource:action` convention:
- *   - `'posts:write'` — write access to posts
- *   - `'users:delete'` — delete users
- *   - `'*'` — superuser wildcard
+ *   - `'posts:write'` - write access to posts
+ *   - `'users:delete'` - delete users
+ *   - `'*'` - superuser wildcard
  *
  * @param {...string} permissions - Required permissions (ALL must be present unless `opts.any` is true).
  * @returns {Function} Middleware `(req, res, next) => void`.
@@ -293,7 +293,7 @@ function gate(policy, action, getResource)
             });
         }
-        // Attach resource if loaded — saves a redundant DB query in the handler
+        // Attach resource if loaded - saves a redundant DB query in the handler
         if (resource && !req.resource) req.resource = resource;
         next();
     };
@@ -306,8 +306,8 @@ function gate(policy, action, getResource)
  * Call this middleware after JWT/session middleware.
  *
  * Adds:
- *   - `req.user.is(...roles)` — check roles
- *   - `req.user.can(...perms)` — check permissions
+ *   - `req.user.is(...roles)` - check roles
+ *   - `req.user.can(...perms)` - check permissions
  *
  * @returns {Function} Middleware.
  *

package/lib/auth/enrollment.js CHANGED Viewed

@@ -5,10 +5,10 @@
  *              for TOTP-based two-factor authentication.
  *
  *              Steps:
- *              1. `start()` — Generate secret + backup codes, store in session
- *              2. `verify()` — Confirm user can produce a valid TOTP code
- *              3. `complete()` — Persist the verified secret to the database
- *              4. `disable()` — Remove 2FA from the account
+ *              1. `start()` - Generate secret + backup codes, store in session
+ *              2. `verify()` - Confirm user can produce a valid TOTP code
+ *              3. `complete()` - Persist the verified secret to the database
+ *              4. `disable()` - Remove 2FA from the account
  *
  * @example | Full enrollment flow
  *   const { enrollment } = require('@zero-server/sdk');
@@ -356,7 +356,7 @@ function enrollment(opts = {})
 function _defaultGetAccount(req)
 {
-    if (!req.user) throw new Error('No user on request — authentication middleware required');
+    if (!req.user) throw new Error('No user on request - authentication middleware required');
     return req.user.email || req.user.id || req.user.sub;
 }

package/lib/auth/jwt.js CHANGED Viewed

@@ -13,7 +13,7 @@
  *   const app = createApp();
  *   const SECRET = process.env.JWT_SECRET;
  *
- *   // Public — issue tokens
+ *   // Public - issue tokens
  *   app.post('/login', json(), async (req, res) => {
  *       const { email, password } = req.body;
  *       const user = await db.users.findOne({ email });
@@ -24,7 +24,7 @@
  *       res.json({ token });
  *   });
  *
- *   // Protected — everything under /api requires a valid token
+ *   // Protected - everything under /api requires a valid token
  *   const api = Router();
  *   api.use(jwt({ secret: SECRET }));
  *   api.get('/me', (req, res) => res.json({ id: req.user.sub, role: req.user.role }));
@@ -79,7 +79,7 @@ function _base64urlDecode(str)
 /**
  * Decode a JWT without verifying the signature.
- * Returns `null` for malformed tokens — never throws.
+ * Returns `null` for malformed tokens - never throws.
  *
  * @param {string} token - Raw JWT string.
  * @returns {{ header: object, payload: object, signature: string }|null}
@@ -268,7 +268,7 @@ function verify(token, secretOrKey, opts = {})
  * @param {Function} [opts.fetcher] - Custom fetch function (default: built-in fetch).
  * @param {number} [opts.cacheTtl=600000] - Cache TTL in ms (default 10 minutes).
  * @param {number} [opts.requestTimeout=5000] - Request timeout in ms.
- * @returns {Function} `async (header) => publicKey` — resolves the signing key for a JWT header.
+ * @returns {Function} `async (header) => publicKey` - resolves the signing key for a JWT header.
  *
  * @example
  *   const getKey = jwks('https://auth.example.com/.well-known/jwks.json');
@@ -330,7 +330,7 @@ function jwks(jwksUri, opts = {})
             return pem;
         }
-        // No kid — return the first RSA key
+        // No kid - return the first RSA key
         const first = keys.values().next().value;
         if (!first) throw _jwtError('No suitable key in JWKS', 'JWKS_NO_KEY');
         return first;
@@ -347,9 +347,9 @@ function jwks(jwksUri, opts = {})
  * Create JWT authentication middleware.
  *
  * On success, populates:
- *   - `req.user` — decoded payload
- *   - `req.auth` — `{ header, payload, token }` full decode info
- *   - `req.token` — raw JWT string
+ *   - `req.user` - decoded payload
+ *   - `req.auth` - `{ header, payload, token }` full decode info
+ *   - `req.token` - raw JWT string
  *
  * @param {object} opts - Configuration.
  * @param {string|Buffer} [opts.secret] - HMAC secret for HS* algorithms.
@@ -367,7 +367,7 @@ function jwks(jwksUri, opts = {})
  * @param {number} [opts.clockTolerance=0] - Clock skew tolerance in seconds.
  * @param {number} [opts.maxAge] - Maximum token age in seconds.
  * @param {boolean} [opts.credentialsRequired=true] - Return 401 if no token found (false = optional auth).
- * @param {Function} [opts.isRevoked] - `async (payload) => boolean` — check token revocation.
+ * @param {Function} [opts.isRevoked] - `async (payload) => boolean` - check token revocation.
  * @param {Function} [opts.onError] - Custom error handler `(err, req, res) => void`.
  * @returns {Function} Middleware `(req, res, next) => void`.
  *

package/lib/auth/oauth.js CHANGED Viewed

@@ -224,7 +224,7 @@ function oauth(opts = {})
             // Validate state (CSRF prevention)
             if (verify.state && query.state !== verify.state)
             {
-                throw _oauthError('State mismatch — possible CSRF attack', 'OAUTH_STATE_MISMATCH');
+                throw _oauthError('State mismatch - possible CSRF attack', 'OAUTH_STATE_MISMATCH');
             }
             const body = {

package/lib/auth/session.js CHANGED Viewed

@@ -263,7 +263,7 @@ class Session
         return { ...this._flash };
     }
-    /** @private — serialize to JSON for cookie/store */
+    /** @private - serialize to JSON for cookie/store */
     _serialize()
     {
         const obj = { d: this._data };
@@ -271,7 +271,7 @@ class Session
         return JSON.stringify(obj);
     }
-    /** @private — deserialize from JSON */
+    /** @private - deserialize from JSON */
     static _deserialize(json, id)
     {
         try
@@ -472,7 +472,7 @@ function session(opts = {})
         req.session = sess;
         // Intercept response to persist session
-        // Hook into res.raw.end (Node ServerResponse) — the Response wrapper
+        // Hook into res.raw.end (Node ServerResponse) - the Response wrapper
         // has no .end() method; its .send()/.json() helpers call raw.end().
         const raw = res.raw;
         const origEnd = raw.end.bind(raw);
@@ -481,7 +481,7 @@ function session(opts = {})
             try
             {
                 // _saveSession calls res.cookie() / res.clearCookie() which set
-                // Set-Cookie headers on raw via raw.setHeader — safe because
+                // Set-Cookie headers on raw via raw.setHeader - safe because
                 // headers aren't flushed until the original end() runs.
                 // NOTE: store-based sessions are sync-compatible because
                 // MemoryStore.set/get return resolved promises synchronously
@@ -574,7 +574,7 @@ function _saveSession(req, res, sess, ctx)
         const encrypted = _encrypt(payload, ctx.keys[0]);
         if (encrypted.length > MAX_COOKIE_SIZE)
         {
-            log.warn('session cookie exceeds %d bytes — consider using a store', MAX_COOKIE_SIZE);
+            log.warn('session cookie exceeds %d bytes - consider using a store', MAX_COOKIE_SIZE);
         }
         res.cookie(ctx.cookieName, encrypted, cOpts);
         log.debug('cookie session saved');

package/lib/auth/trustedDevice.js CHANGED Viewed

@@ -7,7 +7,7 @@
  *              Subsequent requests skip the 2FA prompt if the trust token is valid.
  *              Supports secret rotation, IP binding, and revocation.
  *
- *              Uses AES-256-GCM encryption — tokens are encrypted, not just signed,
+ *              Uses AES-256-GCM encryption - tokens are encrypted, not just signed,
  *              preventing information leakage.
  *
  * @example
@@ -370,7 +370,7 @@ function _defaultFingerprint(req)
  */
 function _defaultGetUserId(req)
 {
-    if (!req.user) throw new Error('No user on request — authentication middleware required');
+    if (!req.user) throw new Error('No user on request - authentication middleware required');
     return req.user.id || req.user.sub || req.user._id;
 }

package/lib/auth/twoFactor.js CHANGED Viewed

@@ -4,7 +4,7 @@
  *              Implements TOTP (RFC 6238 / RFC 4226), backup codes,
  *              and composable middleware for step-up verification.
  *
- *              Uses only Node.js built-in `crypto` — no external packages.
+ *              Uses only Node.js built-in `crypto` - no external packages.
  *
  * @example | Setup 2FA for a user
  *   const { twoFactor } = require('@zero-server/sdk');
@@ -228,7 +228,7 @@ function _base32Decode(str)
 /**
  * Generate an HOTP code for a given counter value.
- * Implements RFC 4226 §5 — HMAC-based One-Time Password.
+ * Implements RFC 4226 §5 - HMAC-based One-Time Password.
  *
  * @param {Buffer} secret - Shared secret key.
  * @param {number} counter - 8-byte counter value.
@@ -498,13 +498,13 @@ function verifyBackupCode(code, hashes)
 /**
  * Middleware that requires completed 2FA verification on the session.
- * Checks `req.session.get('twoFactorVerified')` — returns 403 if not set.
+ * Checks `req.session.get('twoFactorVerified')` - returns 403 if not set.
  *
  * Designed to compose with `jwt()` or `session()` middleware:
  *
  *     app.use(jwt({ secret }));
  *     app.use(require2FA());
- *     // — or —
+ *     // - or -
  *     app.use(session({ secret }));
  *     app.use(require2FA());
  *
@@ -517,7 +517,7 @@ function verifyBackupCode(code, hashes)
  *        Defaults to always requiring 2FA.
  * @returns {Function} Middleware `(req, res, next) => void`.
  *
- * @example | Basic — all authenticated users must complete 2FA
+ * @example | Basic - all authenticated users must complete 2FA
  *   app.use(require2FA());
  *
  * @example | Only enforce for users who have enrolled
@@ -548,7 +548,7 @@ function require2FA(opts = {})
                 const enabled = await isEnabled(req);
                 if (!enabled)
                 {
-                    log('2FA not enabled for user — skipping');
+                    log('2FA not enabled for user - skipping');
                     return next();
                 }
             }
@@ -568,7 +568,7 @@ function require2FA(opts = {})
         const session = req.session;
         if (!session || typeof session.get !== 'function')
         {
-            log.warn('require2FA: no session found — is session() middleware active?');
+            log.warn('require2FA: no session found - is session() middleware active?');
             const raw = res.raw || res;
             if (raw.headersSent) return;
             raw.statusCode = 500;
@@ -583,7 +583,7 @@ function require2FA(opts = {})
             return next();
         }
-        log.warn('2FA not completed — blocking request');
+        log.warn('2FA not completed - blocking request');
         const raw = res.raw || res;
         if (raw.headersSent) return;
         raw.statusCode = statusCode;
@@ -690,7 +690,7 @@ function verifyTOTPMiddleware(opts = {})
                 raw.end(JSON.stringify({ error: 'Too many attempts. Try again later.', retryAfter }));
                 return;
             }
-            // Lockout expired — reset
+            // Lockout expired - reset
             attempts.delete(ip);
         }
@@ -735,7 +735,7 @@ function verifyTOTPMiddleware(opts = {})
         if (result.valid)
         {
-            // Replay prevention (RFC 6238 §5.2) — check AFTER signature
+            // Replay prevention (RFC 6238 §5.2) - check AFTER signature
             // verification to avoid leaking timing information about whether
             // a code was previously used.
             if (opts.replayStore)
@@ -775,7 +775,7 @@ function verifyTOTPMiddleware(opts = {})
                 catch (err)
                 {
                     log.error('replay store error: %s', err.message);
-                    // Fail open for store errors — don't block legitimate users
+                    // Fail open for store errors - don't block legitimate users
                 }
             }

package/lib/auth/webauthn.js CHANGED Viewed

@@ -145,7 +145,7 @@ const cbor = {
                     if (additionalInfo === 23) return undefined;
                     if (additionalInfo === 25)
                     {
-                        // float16 — not commonly used in WebAuthn but handle it
+                        // float16 - not commonly used in WebAuthn but handle it
                         offset -= 0; // already read
                         return readArgument(additionalInfo);
                     }
@@ -593,7 +593,7 @@ function verifyRegistration(opts)
         if (clientData.type !== 'webauthn.create')
             return { verified: false, credential: null, error: `Invalid type: ${clientData.type}` };
-        // Strict origin validation — exact match, no regex
+        // Strict origin validation - exact match, no regex
         if (clientData.origin !== expectedOrigin)
             return { verified: false, credential: null, error: `Origin mismatch: ${clientData.origin}` };
@@ -627,7 +627,7 @@ function verifyRegistration(opts)
         if (fmt === 'none')
         {
-            // No attestation — acceptable for 'none' conveyance
+            // No attestation - acceptable for 'none' conveyance
             log.debug('registration with "none" attestation format');
         }
         else if (fmt === 'packed')
@@ -644,7 +644,7 @@ function verifyRegistration(opts)
         }
         else
         {
-            log.warn('unknown attestation format: %s — treating as none', fmt);
+            log.warn('unknown attestation format: %s - treating as none', fmt);
         }
         // 8. Extract public key from COSE format
@@ -703,7 +703,7 @@ function _verifyPackedAttestation(attStmt, parsedAuthData, rawAuthData, clientDa
     }
     else
     {
-        // Self-attestation — verify with the credential public key
+        // Self-attestation - verify with the credential public key
         const { key } = _coseToPublicKey(parsedAuthData.credentialPublicKey);
         const algName = _coseAlgToNodeAlg(alg);
         return crypto.verify(algName, signedData, key, sig);
@@ -881,7 +881,7 @@ function verifyAuthentication(opts)
         if (!authData.userPresent)
             return { verified: false, newCounter: null, error: 'User not present' };
-        // 5. Counter validation — detect cloned authenticators
+        // 5. Counter validation - detect cloned authenticators
         if (authData.signCount > 0 || credential.counter > 0)
         {
             if (authData.signCount <= credential.counter)

package/lib/debug.js CHANGED Viewed

@@ -16,7 +16,7 @@
  *   log.error('failed to connect', err);
  *   log('shorthand for debug level');
  *
- *   // Set minimum level — anything below is silenced
+ *   // Set minimum level - anything below is silenced
  *   debug.level('warn');   // only warn, error, fatal
  *   debug.level('silent'); // suppress all output
  *   debug.level('trace');  // show everything
@@ -81,7 +81,7 @@ _enabledPatterns = _parsePatterns();
  */
 function _isEnabled(ns)
 {
-    if (!_enabledPatterns) return true; // No DEBUG set — enable all
+    if (!_enabledPatterns) return true; // No DEBUG set - enable all
     let enabled = false;
     for (const { neg, re } of _enabledPatterns)
     {
@@ -116,7 +116,7 @@ function _ts()
 }
 /**
- * Format arguments (like console.log — supports %s, %d, %j, %o).
+ * Format arguments (like console.log - supports %s, %d, %j, %o).
  * @private
  */
 function _format(args)
@@ -278,13 +278,13 @@ function debug(namespace)
  * Messages below this level are silenced.
  *
  * @param {string|number} level - Level name or number.
- *   `'trace'` (0) — all output
- *   `'debug'` (1) — debug and above
- *   `'info'` (2) — info and above
- *   `'warn'` (3) — warn and above
- *   `'error'` (4) — error and fatal only
- *   `'fatal'` (5) — fatal only
- *   `'silent'` (6) — nothing
+ *   `'trace'` (0) - all output
+ *   `'debug'` (1) - debug and above
+ *   `'info'` (2) - info and above
+ *   `'warn'` (3) - warn and above
+ *   `'error'` (4) - error and fatal only
+ *   `'fatal'` (5) - fatal only
+ *   `'silent'` (6) - nothing
  */
 debug.level = function(level)
 {

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@zero-server/auth",
-  "version": "0.9.6",
+  "version": "0.9.7",
   "description": "JWT, sessions, OAuth, authorize, MFA stack.",
   "keywords": [
     "zero-server",
@@ -45,10 +45,10 @@
   },
   "sideEffects": false,
   "dependencies": {
-    "@zero-server/fetch": "0.9.6"
+    "@zero-server/fetch": "0.9.7"
   },
   "peerDependencies": {
-    "@zero-server/sdk": ">=0.9.6"
+    "@zero-server/sdk": ">=0.9.7"
   },
   "peerDependenciesMeta": {
     "@zero-server/sdk": {

package/types/body.d.ts CHANGED Viewed

@@ -1,4 +1,4 @@
-// Re-exports for @zero-server/body — body parser types
+// Re-exports for @zero-server/body - body parser types
 export {
     BodyParserOptions,
     JsonParserOptions,

package/types/cli.d.ts CHANGED Viewed

@@ -1,2 +1,2 @@
-// Re-exports for @zero-server/cli — CLI runner types
+// Re-exports for @zero-server/cli - CLI runner types
 export { CLI, runCLI } from './orm';

package/types/index.d.ts CHANGED Viewed

@@ -11,6 +11,18 @@ export { RouterInstance, RouteChain, RouteEntry, RouteInfo, RouteOptions, RouteH
 export { Request, RangeResult } from './request';
 export { Response, SendFileOptions, CookieOptions, PushOptions } from './response';
 export { SSEOptions, SSEStream } from './sse';
+export {
+    createWebRTC, SignalingHub, Room as WebRTCRoom, Peer as WebRTCPeer,
+    parseSdp, stringifySdp, parseCandidate, stringifyCandidate,
+    stunBinding, encodeBindingRequest, decodeMessage,
+    encodeXorMappedAddress, decodeXorMappedAddress,
+    STUN_MAGIC_COOKIE, STUN_METHOD, STUN_CLASS, STUN_ATTR,
+    issueTurnCredentials, TurnServer, SfuAdapter,
+    signJoinToken, verifyJoinToken,
+    WebRTCOptions, RoomOptions as WebRTCRoomOptions, PeerInfo, SignalingMessage,
+    IceServerConfig, TurnCredentials, IssueTurnCredentialsOptions, ClusterAdapter as WebRTCClusterAdapter,
+    WebRTCError, SignalingError, IceError, TurnError, SdpError,
+} from './webrtc';
 export { LifecycleManager, LifecycleState, LIFECYCLE_STATE } from './lifecycle';
 export { ClusterManager, ClusterOptions, cluster } from './cluster';
 export {
@@ -294,10 +306,10 @@ declare const zeroServer: {
     LIFECYCLE_STATE: typeof LIFECYCLE_STATE;
     ClusterManager: typeof ClusterManager;
     cluster: typeof clusterize;
-    // Observability — Structured Logging
+    // Observability - Structured Logging
     Logger: typeof Logger;
     structuredLogger: typeof structuredLogger;
-    // Observability — Metrics
+    // Observability - Metrics
     Counter: typeof Counter;
     Gauge: typeof Gauge;
     Histogram: typeof Histogram;
@@ -306,14 +318,14 @@ declare const zeroServer: {
     createDefaultMetrics: typeof createDefaultMetrics;
     metricsMiddleware: typeof metricsMiddleware;
     metricsEndpoint: typeof metricsEndpointHandler;
-    // Observability — Tracing
+    // Observability - Tracing
     Span: typeof Span;
     Tracer: typeof Tracer;
     parseTraceparent: typeof parseTraceparent;
     formatTraceparent: typeof formatTraceparent;
     tracingMiddleware: typeof tracingMiddleware;
     instrumentFetch: typeof instrumentFetch;
-    // Observability — Health Checks
+    // Observability - Health Checks
     healthCheck: typeof healthCheck;
     createHealthHandlers: typeof createHealthHandlers;
     memoryCheck: typeof memoryCheck;

package/types/middleware.d.ts CHANGED Viewed

@@ -136,7 +136,7 @@ export interface CompressOptions {
     level?: number;
     /** Force specific encoding(s). */
     encoding?: string | string[];
-    /** Filter function — return false to skip compression. */
+    /** Filter function - return false to skip compression. */
     filter?: (req: Request, res: Response) => boolean;
 }

package/types/orm.d.ts CHANGED Viewed

@@ -29,7 +29,7 @@ export interface SchemaColumnDef {
     enum?: string[];
     /** Allowed values (set type). */
     values?: string[];
-    /** Mass-assignment protection — exclude from bulk writes. */
+    /** Mass-assignment protection - exclude from bulk writes. */
     guarded?: boolean;
     /** Precision for decimal types. */
     precision?: number;
@@ -229,7 +229,7 @@ export class Query {
     take(n: number): Query;
     /** Alias for offset (LINQ naming). */
     skip(n: number): Query;
-    /** Alias for exec — explicitly convert to array. */
+    /** Alias for exec - explicitly convert to array. */
     toArray(): Promise<Model[]>;
     /** Shorthand for orderBy(field, 'desc'). */
     orderByDesc(field: string): Query;
@@ -260,7 +260,7 @@ export class Query {
     /** Inject a raw WHERE clause for SQL adapters (ignored by memory/mongo). */
     whereRaw(sql: string, ...params: any[]): Query;
-    /** Thenable support — `await query`. */
+    /** Thenable support - `await query`. */
     then<TResult1 = Model[], TResult2 = never>(
         onfulfilled?: ((value: Model[]) => TResult1 | PromiseLike<TResult1>) | null,
         onrejected?: ((reason: any) => TResult2 | PromiseLike<TResult2>) | null

package/types/request.d.ts CHANGED Viewed

@@ -31,7 +31,7 @@ export interface Request {
     readonly ips: string[];
     /** `true` when the connection is over TLS (trust-proxy-aware). */
     readonly secure: boolean;
-    /** Protocol string — `'https'` or `'http'` (trust-proxy-aware). */
+    /** Protocol string - `'https'` or `'http'` (trust-proxy-aware). */
     readonly protocol: 'http' | 'https';
     /** HTTP version string (e.g. '1.1', '2.0'). */
     httpVersion: string;
@@ -49,7 +49,7 @@ export interface Request {
     id?: string;
     /** Whether the request timed out (populated by timeout middleware). */
     timedOut?: boolean;
-    /** The original URL as received — never rewritten by middleware. */
+    /** The original URL as received - never rewritten by middleware. */
     originalUrl: string;
     /** The URL path on which the current router was mounted. */
     baseUrl: string;
@@ -83,7 +83,7 @@ export interface Request {
     subdomains(offset?: number): string[];
     /**
-     * Content negotiation — check which types the client accepts.
+     * Content negotiation - check which types the client accepts.
      */
     accepts(...types: string[]): string | false;

package/types/webrtc.d.ts ADDED Viewed

@@ -0,0 +1,501 @@
+/**
+ * TypeScript surface for @zero-server/webrtc.
+ *
+ * Mirrors the runtime surface exported from `lib/webrtc/index.js` and
+ * re-exported from the top-level SDK in `index.js`.  Every entry listed
+ * in `.tools/scope-manifest.js` under the `webrtc` scope MUST have a
+ * matching declaration here - this is enforced by
+ * `test/packages/webrtc-types.test.js`.
+ */
+import type { EventEmitter } from 'node:events';
+import type { KeyObject } from 'node:crypto';
+// ---------------------------------------------------------------------------
+//  Shared option / config types
+// ---------------------------------------------------------------------------
+export interface IceServerConfig {
+    urls: string | string[];
+    username?: string;
+    credential?: string;
+}
+export interface TurnCredentials {
+    urls: string[];
+    username: string;
+    credential: string;
+    ttl: number;
+}
+export interface IssueTurnCredentialsOptions {
+    secret: string;
+    userId: string;
+    ttl?: string | number;
+    servers: string[];
+    realm?: string;
+}
+export interface SignalingHubOptions {
+    maxSdpSize?: number;
+    maxCandidatesPerOffer?: number;
+    peerMessageRate?: number;
+    maxProtocolErrors?: number;
+    ipAttachRate?: number;
+    originAllowlist?: string[];
+    joinTokenSecret?: string | Buffer;
+    autoCreateRooms?: boolean;
+}
+export interface WebRTCOptions extends SignalingHubOptions {
+    path?: string;
+    iceServers?: IceServerConfig[] | 'auto';
+}
+export interface PeerAttachInfo {
+    user?: unknown;
+    ip?: string;
+    origin?: string;
+    [extra: string]: unknown;
+}
+export interface PeerTransport {
+    send(data: string): void;
+    on(event: 'message' | 'close', cb: (...args: unknown[]) => void): void;
+    close(code?: number, reason?: string): void;
+}
+// ---------------------------------------------------------------------------
+//  SDP / ICE helpers
+// ---------------------------------------------------------------------------
+export interface ParsedSdpMedia {
+    type: string;
+    port: number;
+    proto: string;
+    formats: string[];
+    iceUfrag?: string;
+    icePwd?: string;
+    fingerprint?: { algorithm: string; hash: string };
+    candidates?: ParsedIceCandidate[];
+    [key: string]: unknown;
+}
+export interface ParsedSdp {
+    version: number;
+    origin: Record<string, unknown>;
+    sessionName: string;
+    media: ParsedSdpMedia[];
+    [key: string]: unknown;
+}
+export interface ParsedIceCandidate {
+    foundation: string;
+    component: number;
+    transport: string;
+    priority: number;
+    address: string;
+    port: number;
+    type: string;
+    relatedAddress?: string;
+    relatedPort?: number;
+    tcpType?: string;
+    [key: string]: unknown;
+}
+export declare function parseSdp(sdp: string, opts?: { maxBytes?: number }): ParsedSdp;
+export declare function stringifySdp(parsed: ParsedSdp): string;
+export declare function parseCandidate(line: string): ParsedIceCandidate;
+export declare function stringifyCandidate(parsed: ParsedIceCandidate): string;
+export declare function filterCandidates(
+    candidates: ParsedIceCandidate[],
+    opts?: { allowPrivate?: boolean; allowLoopback?: boolean; allowLinkLocal?: boolean; allowMdns?: boolean }
+): ParsedIceCandidate[];
+export declare function isPrivateIp(addr: string): boolean;
+export declare function isLoopbackIp(addr: string): boolean;
+export declare function isLinkLocalIp(addr: string): boolean;
+export declare function isMdnsHostname(addr: string): boolean;
+export declare const CANDIDATE_TYPES: Readonly<{ HOST: string; SRFLX: string; PRFLX: string; RELAY: string }>;
+export declare const TCP_TYPES: Readonly<{ ACTIVE: string; PASSIVE: string; SO: string }>;
+// ---------------------------------------------------------------------------
+//  STUN / TURN
+// ---------------------------------------------------------------------------
+export declare function stunBinding(opts: {
+    host: string;
+    port?: number;
+    timeoutMs?: number;
+    retries?: number;
+    socketType?: 'udp4' | 'udp6';
+}): Promise<{ family: 4 | 6; address: string; port: number }>;
+export declare function encodeBindingRequest(transactionId?: Buffer): { buffer: Buffer; transactionId: Buffer };
+export declare function decodeMessage(buf: Buffer): {
+    method: number;
+    class: number;
+    transactionId: Buffer;
+    attributes: Array<{ type: number; value: Buffer }>;
+};
+export declare function encodeXorMappedAddress(address: string, port: number, transactionId: Buffer): Buffer;
+export declare function decodeXorMappedAddress(value: Buffer, transactionId: Buffer): { family: 4 | 6; address: string; port: number };
+export declare const STUN_MAGIC_COOKIE: number;
+export declare const STUN_METHOD: Readonly<{ BINDING: number }>;
+export declare const STUN_CLASS: Readonly<{ REQUEST: number; INDICATION: number; SUCCESS: number; ERROR: number }>;
+export declare const STUN_ATTR: Readonly<{ MAPPED_ADDRESS: number; XOR_MAPPED_ADDRESS: number; ERROR_CODE: number; SOFTWARE: number }>;
+export declare function issueTurnCredentials(opts: IssueTurnCredentialsOptions): TurnCredentials;
+export declare class TurnServer {
+    constructor(opts: {
+        secret: string;
+        realm?: string;
+        listeners: Array<{ proto: 'udp' | 'tcp' | 'tls'; port: number; host?: string; tls?: { cert: Buffer; key: Buffer } }>;
+        quotas?: { maxAllocationsPerUser?: number; maxBytesPerMinute?: number };
+        defaultLifetime?: number;
+        maxLifetime?: number;
+        relayHost?: string;
+    });
+    readonly realm: string;
+    start(): Promise<void>;
+    stop(): Promise<void>;
+    address(): { address: string; port: number } | null;
+    on(event: 'allocation', listener: (ev: { userId: string; relay: { address: string; port: number }; client: { address: string; port: number } }) => void): this;
+    on(event: 'deallocation', listener: (ev: { userId: string; client: { address: string; port: number }; reason?: string }) => void): this;
+    on(event: 'error', listener: (err: Error) => void): this;
+    on(event: string, listener: (...args: unknown[]) => void): this;
+}
+// ---------------------------------------------------------------------------
+//  Signaling core
+// ---------------------------------------------------------------------------
+export type PeerState = 'stable' | 'have-local-offer' | 'have-remote-offer';
+export declare const PEER_STATE: Readonly<{
+    STABLE: 'stable';
+    HAVE_LOCAL_OFFER: 'have-local-offer';
+    HAVE_REMOTE_OFFER: 'have-remote-offer';
+}>;
+export declare class Peer {
+    readonly id: string;
+    readonly user: unknown;
+    readonly ip: string | null;
+    readonly transport: PeerTransport;
+    state: PeerState;
+    room: Room | null;
+    errors: number;
+    readonly connectedAt: number;
+    closed: boolean;
+    e2ee?: E2eeChannel;
+    constructor(transport: PeerTransport, info?: PeerAttachInfo);
+    send(type: string, payload?: object): void;
+    sendError(code: string, message: string): void;
+    close(code?: number, reason?: string): void;
+}
+export declare class Room {
+    readonly name: string;
+    readonly hub: SignalingHub | null;
+    isOpen: boolean;
+    constructor(name: string, opts?: { hub?: SignalingHub });
+    open(): this;
+    require(fn: (peer: Peer) => boolean | Promise<boolean>): this;
+    canPublish(fn: (peer: Peer) => boolean): this;
+    canSubscribe(fn: (peer: Peer) => boolean): this;
+    readonly size: number;
+    peers(): Peer[];
+    canJoin(peer: Peer): boolean | Promise<boolean>;
+    broadcast(type: string, payload?: object, exceptPeerId?: string): void;
+    close(reason?: string): void;
+}
+export interface SignalingHubEvents {
+    join:            (ev: { peer: Peer; room: Room }) => void;
+    leave:           (ev: { peer: Peer; room: Room }) => void;
+    offer:           (ev: { peer: Peer; target: Peer | null; room: Room; sdp: string }) => void;
+    answer:          (ev: { peer: Peer; target: Peer | null; room: Room; sdp: string }) => void;
+    signal:          (ev: { peer: Peer; type: string }) => void;
+    joinFailed:      (ev: { peer: Peer; reason: string; room?: string }) => void;
+    publishFailed:   (ev: { peer: Peer; reason: string; room: string }) => void;
+    subscribeFailed: (ev: { peer: Peer; reason: string; room: string }) => void;
+    wireError:       (ev: { peer: Peer; code: string }) => void;
+    e2eeKey:         (ev: { peer: Peer; room: Room; epoch: number; key: string }) => void;
+    clusterError:    (err: Error) => void;
+}
+export declare class SignalingHub extends EventEmitter {
+    constructor(opts?: SignalingHubOptions);
+    readonly size: number;
+    room(name: string): Room;
+    rooms(): Room[];
+    attach(transport: PeerTransport, info?: PeerAttachInfo): Peer;
+    close(): void;
+    on<E extends keyof SignalingHubEvents>(event: E, listener: SignalingHubEvents[E]): this;
+    on(event: string, listener: (...args: unknown[]) => void): this;
+    off<E extends keyof SignalingHubEvents>(event: E, listener: SignalingHubEvents[E]): this;
+    off(event: string, listener: (...args: unknown[]) => void): this;
+    emit<E extends keyof SignalingHubEvents>(event: E, ...args: Parameters<SignalingHubEvents[E]>): boolean;
+    emit(event: string, ...args: unknown[]): boolean;
+}
+export declare function createWebRTC(app: unknown, opts?: WebRTCOptions): SignalingHub;
+// ---------------------------------------------------------------------------
+//  Join tokens
+// ---------------------------------------------------------------------------
+export interface SignJoinTokenOptions {
+    secret: string | Buffer;
+    user: string | { id?: string; userId?: string; sub?: string; [k: string]: unknown };
+    room: string;
+    ttl?: number;
+    claims?: Record<string, unknown>;
+    algorithm?: string;
+    audience?: string;
+}
+export interface VerifyJoinTokenOptions {
+    secret: string | Buffer;
+    room?: string;
+    audience?: string | string[];
+    algorithms?: string | string[];
+    clockTolerance?: number;
+}
+export declare function signJoinToken(opts: SignJoinTokenOptions): string;
+export declare function verifyJoinToken(
+    token: string,
+    opts: VerifyJoinTokenOptions
+): { room: string; user: unknown; sub?: string; aud?: string; [k: string]: unknown };
+// ---------------------------------------------------------------------------
+//  Observability
+// ---------------------------------------------------------------------------
+export interface ObservabilityBindOptions {
+    metrics?: unknown;
+    tracer?: unknown;
+    prefix?: string;
+}
+export declare function bindObservability(
+    hub: SignalingHub,
+    opts?: ObservabilityBindOptions
+): () => void;
+// ---------------------------------------------------------------------------
+//  E2EE key relay
+// ---------------------------------------------------------------------------
+export interface E2eeKeyEvent {
+    from: string;
+    epoch: number;
+    key: Buffer;
+}
+export declare class E2eeChannel {
+    readonly peer: Peer;
+    readonly hub: SignalingHub;
+    epoch: number;
+    constructor(peer: Peer, hub: SignalingHub);
+    publish(epoch: number | null, key: Buffer | Uint8Array | string): number;
+    subscribe(fn: (ev: E2eeKeyEvent) => void): () => void;
+}
+export declare function attachE2ee(peer: Peer, hub: SignalingHub): E2eeChannel;
+export declare function generateE2eeKeyPair(): { publicKey: KeyObject; privateKey: KeyObject };
+export declare function sealKey(plaintext: Buffer | Uint8Array, recipientPubKey: KeyObject | Buffer): Buffer;
+export declare function openSealedKey(sealed: Buffer | Uint8Array, recipientPrivKey: KeyObject | Buffer): Buffer;
+// ---------------------------------------------------------------------------
+//  Cluster adapter
+// ---------------------------------------------------------------------------
+export interface ClusterAdapter {
+    publish(channel: string, message: unknown): void | Promise<void>;
+    subscribe(channel: string, handler: (message: unknown) => void): (() => void) | void;
+}
+export interface UseClusterOptions {
+    nodeId?: string;
+}
+export declare class ClusterCoordinator {
+    readonly hub: SignalingHub;
+    readonly adapter: ClusterAdapter;
+    readonly nodeId: string;
+    constructor(hub: SignalingHub, adapter: ClusterAdapter, opts?: UseClusterOptions);
+    locate(peerId: string): { nodeId: string; room: string } | null;
+    routeDirect(toPeerId: string, type: string, payload: object): boolean;
+    fanoutRoom(roomName: string, type: string, payload: object, excludeId?: string): void;
+    close(): void;
+}
+export declare function useCluster(
+    hub: SignalingHub,
+    adapter: ClusterAdapter,
+    opts?: UseClusterOptions
+): ClusterCoordinator;
+export declare class MemoryClusterAdapter implements ClusterAdapter {
+    publish(channel: string, message: unknown): void;
+    subscribe(channel: string, handler: (message: unknown) => void): () => void;
+}
+// ---------------------------------------------------------------------------
+//  CLI
+// ---------------------------------------------------------------------------
+export interface WebRTCCommandDeps {
+    out?: (line: string) => void;
+    err?: (line: string) => void;
+    setExit?: (code: number) => void;
+    stunBinding?: typeof stunBinding;
+}
+export declare function runWebRTCCommand(
+    subcmd: 'stun' | 'turn-creds' | 'join-token' | 'verify-token' | 'help' | string,
+    flags?: Map<string, string>,
+    deps?: WebRTCCommandDeps
+): Promise<number>;
+// ---------------------------------------------------------------------------
+//  SFU adapter (interface only - real implementations land in later PRs)
+// ---------------------------------------------------------------------------
+export interface SfuPeerInfo {
+    id: string;
+    user?: unknown;
+    room: string;
+    joinedAt: number;
+}
+export interface SfuRouter { id: string; routerId: string; }
+export interface SfuTransport {
+    id: string;
+    transportId: string;
+    routerId: string;
+    peer: SfuPeerInfo | null;
+    iceParameters: unknown;
+    dtlsParameters: unknown;
+}
+export interface SfuProducer {
+    id: string;
+    producerId: string;
+    transportId: string;
+    kind: 'audio' | 'video';
+    rtpParams: unknown;
+    paused: boolean;
+}
+export interface SfuConsumer {
+    id: string;
+    consumerId: string;
+    transportId: string;
+    producerId: string;
+    kind: 'audio' | 'video';
+    rtpParams: unknown;
+    rtpCaps: unknown;
+}
+export interface SfuStats {
+    kind: 'global' | 'router' | 'transport';
+    [key: string]: unknown;
+}
+export type SfuEventHandler = (event: string, payload: unknown) => void;
+export declare class SfuAdapter {
+    constructor();
+    createRouter(opts?: unknown): Promise<SfuRouter>;
+    createTransport(router: SfuRouter, peer: SfuPeerInfo): Promise<SfuTransport>;
+    produce(transport: SfuTransport, kind: 'audio' | 'video', rtpParams: unknown): Promise<SfuProducer>;
+    consume(transport: SfuTransport, producerId: string, rtpCaps: unknown): Promise<SfuConsumer>;
+    pauseProducer(producerId: string): Promise<void>;
+    resumeProducer(producerId: string): Promise<void>;
+    closeRouter(routerId: string): Promise<void>;
+    stats(scope?: string): Promise<SfuStats>;
+    onEvent(handler: SfuEventHandler): () => void;
+}
+export declare class MemorySfuAdapter extends SfuAdapter {
+    constructor(opts?: Record<string, unknown>);
+}
+export interface MediasoupAdapterOptions {
+    mediasoup?: unknown;
+    worker?: unknown;
+    workerSettings?: Record<string, unknown>;
+    mediaCodecs?: Array<Record<string, unknown>>;
+    webRtcTransportOptions?: Record<string, unknown>;
+}
+export declare class MediasoupSfuAdapter extends SfuAdapter {
+    constructor(opts?: MediasoupAdapterOptions);
+    close(): Promise<void>;
+}
+export interface LiveKitAdapterOptions {
+    url: string;
+    apiKey: string;
+    apiSecret: string;
+    livekit?: unknown;
+    client?: unknown;
+    defaultRoomOpts?: Record<string, unknown>;
+    defaultGrants?: Record<string, unknown>;
+    tokenTtl?: string | number;
+}
+export declare class LiveKitSfuAdapter extends SfuAdapter {
+    constructor(opts: LiveKitAdapterOptions);
+}
+export declare function loadSfuAdapter(
+    spec: SfuAdapter | 'memory' | 'mediasoup' | 'livekit' | string,
+    opts?: Record<string, unknown>,
+): SfuAdapter;
+// ---------------------------------------------------------------------------
+//  Server-side bot peer (wrtc)
+// ---------------------------------------------------------------------------
+export interface BotPeerOptions {
+    hub:            SignalingHub;
+    room:           string;
+    user?:          unknown;
+    ip?:            string;
+    joinToken?:     string;
+    iceServers?:    Array<Record<string, unknown>>;
+    rtcConfig?:     Record<string, unknown>;
+    wrtc?:          unknown;
+    onTrack?:       (track: unknown, streams: unknown[], fromPeerId: string) => void;
+    onDataChannel?: (channel: unknown, fromPeerId: string) => void;
+    onPeerJoin?:    (remotePeerId: string) => void;
+    onPeerLeave?:   (remotePeerId: string) => void;
+    onError?:       (err: Error) => void;
+}
+export interface BotPeerHandle {
+    peer:               Peer;
+    peerConnections:    Map<string, unknown>;
+    getPeerConnection:  (remotePeerId: string) => unknown | undefined;
+    ready:              Promise<{ peerId: string }>;
+    close:              () => void;
+}
+export declare function spawnBotPeer(opts: BotPeerOptions): BotPeerHandle;
+// ---------------------------------------------------------------------------
+//  Errors
+// ---------------------------------------------------------------------------
+export declare class WebRTCError extends Error { readonly code: string; }
+export declare class SignalingError extends WebRTCError {}
+export declare class IceError extends WebRTCError {}
+export declare class TurnError extends WebRTCError {}
+export declare class SdpError extends WebRTCError {}