@zintrust/core 0.1.46 → 0.1.49

package/README.md

@@ -230,7 +230,7 @@ ZinTrust uses a proven layered architecture:
 - 📚 [Documentation](https://zintrust.com)
 - 💬 [Discord Community](https://discord.gg/zintrust)
 - 🐦 [Follow on X](https://x.com/zintrust)
-- 🐛 [Issue Tracker](https://github.com/ZinTrust /ZinTrust /issues)
+- 🐛 [Issue Tracker](https://github.com/ZinTrust/ZinTrust/issues)
 - 🤝 [Contributing Guide](./contributing.md)
 
 ## License

package/app/Controllers/AuthController.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"AuthController.d.ts","sourceRoot":"","sources":["../../../app/Controllers/AuthController.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAIH,OAAO,KAAK,EAAE,iBAAiB,EAAuB,MAAM,uBAAuB,CAAC;AA+MpF,eAAO,MAAM,cAAc;cACf,iBAAiB;EAQ3B,CAAC;AAEH,eAAe,cAAc,CAAC"}
+{"version":3,"file":"AuthController.d.ts","sourceRoot":"","sources":["../../../app/Controllers/AuthController.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAKH,OAAO,KAAK,EAAE,iBAAiB,EAAuB,MAAM,uBAAuB,CAAC;AAsOpF,eAAO,MAAM,cAAc;cACf,iBAAiB;EAS3B,CAAC;AAEH,eAAe,cAAc,CAAC"}

package/app/Controllers/AuthController.js

@@ -3,12 +3,12 @@
  * Minimal, real auth endpoints backing the example API routes.
  */
 import { Auth } from '../../src/auth/Auth.js';
+import { isUndefinedOrNull } from '../../src/helper/index.js';
 import { User } from '../Models/User.js';
 import { getString } from '../../src/common/utility.js';
 import { Logger } from '../../src/config/logger.js';
 import { getValidatedBody } from '../../src/http/ValidationHelper.js';
 import { JwtManager } from '../../src/security/JwtManager.js';
-import { TokenRevocation } from '../../src/security/TokenRevocation.js';
 const pickPublicUser = (row) => {
     return {
         id: row.id,
@@ -66,9 +66,14 @@ async function login(req, res) {
                 return String(id);
             return undefined;
         })();
-        const token = JwtManager.signAccessToken({
+        // Bulletproof Auth (device binding) expects a device id header to match a JWT claim.
+        // For the example app, we mint a stable device id derived from the subject.
+        // Production apps should issue a per-device id and manage a per-device signing secret.
+        const deviceId = isUndefinedOrNull(subject) ? undefined : `dev-${subject}`;
+        const token = await JwtManager.signAccessToken({
             sub: subject,
             email,
+            ...(isUndefinedOrNull(deviceId) ? {} : { deviceId }),
         });
         Logger.info('AuthController.login: successful login', {
             userId: subject,
@@ -79,6 +84,7 @@ async function login(req, res) {
         res.json({
             token,
             token_type: 'Bearer',
+            ...(isUndefinedOrNull(deviceId) ? {} : { deviceId }),
             user,
         });
     }
@@ -168,9 +174,24 @@ async function register(req, res) {
  */
 async function logout(req, res) {
     const authHeader = typeof req.getHeader === 'function' ? req.getHeader('authorization') : undefined;
-    await TokenRevocation.revoke(authHeader);
+    await JwtManager.logout(authHeader);
     res.json({ message: 'Logged out' });
 }
+/**
+ * Logs out the current user from all devices by removing all active sessions for their subject.
+ *
+ * With session allowlist enforcement, deleting a user's session records causes any previously issued
+ * tokens to become unauthorized (401) immediately.
+ */
+async function logoutAll(req, res) {
+    const sub = typeof req.user?.sub === 'string' ? req.user.sub.trim() : '';
+    if (sub === '') {
+        res.setStatus(401).json({ error: 'Unauthorized' });
+        return;
+    }
+    await JwtManager.logoutAll(sub);
+    res.json({ message: 'Logged out everywhere' });
+}
 /**
  * Refreshes the user's JWT access token.
  * Generates a new token with the same claims as the current user.
@@ -185,7 +206,7 @@ async function refresh(req, res) {
         res.setStatus(401).json({ error: 'Unauthorized' });
         return;
     }
-    const token = JwtManager.signAccessToken(user);
+    const token = await JwtManager.signAccessToken(user);
     res.json({ token, token_type: 'Bearer' });
 }
 export const AuthController = Object.freeze({
@@ -194,6 +215,7 @@ export const AuthController = Object.freeze({
             login,
             register,
             logout,
+            logoutAll,
             refresh,
         };
     },

package/app/Middleware/index.js

@@ -3,7 +3,7 @@
  * Common middleware patterns for ZinTrust
  */
 import { Logger } from '../../src/config/logger.js';
-import { TokenRevocation } from '../../src/security/TokenRevocation.js';
+import { JwtSessions } from '../../src/security/JwtSessions.js';
 import { XssProtection } from '../../src/security/XssProtection.js';
 import { Validator } from '../../src/validation/Validator.js';
 const resolveJwtManager = (jwtManager) => 'verify' in jwtManager ? jwtManager : jwtManager.create();
@@ -118,11 +118,11 @@ export const jwtMiddleware = (jwtManager, algorithm = 'HS256') => {
             res.setStatus(401).json({ error: 'Invalid authorization header format' });
             return;
         }
-        if (await TokenRevocation.isRevoked(token)) {
-            res.setStatus(401).json({ error: 'Invalid or expired token' });
-            return;
-        }
         try {
+            if (!(await JwtSessions.isActive(token))) {
+                res.setStatus(401).json({ error: 'Invalid or expired token' });
+                return;
+            }
             const payload = resolveJwtManager(jwtManager).verify(token, algorithm);
             // Store in request context (TypeScript allows dynamic properties)
             req.user = payload;

package/app/Types/controller.d.ts

@@ -20,6 +20,7 @@ export type AuthControllerApi = {
     login(req: IRequest, res: IResponse): Promise<void>;
     register(req: IRequest, res: IResponse): Promise<void>;
     logout(req: IRequest, res: IResponse): Promise<void>;
+    logoutAll(req: IRequest, res: IResponse): Promise<void>;
     refresh(req: IRequest, res: IResponse): Promise<void>;
 };
 export type ValidationErrorLike = {
@@ -39,4 +40,5 @@ export interface IUserController {
     update(req: IRequest, res: IResponse): Promise<void>;
     destroy(req: IRequest, res: IResponse): Promise<void>;
 }
+export declare const __controllerTypesRuntime = 1;
 //# sourceMappingURL=controller.d.ts.map

package/app/Types/controller.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"controller.d.ts","sourceRoot":"","sources":["../../../app/Types/controller.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,eAAe,CAAC;AAC9C,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,gBAAgB,CAAC;AAEhD,MAAM,MAAM,UAAU,GAAG,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;AAEjD,MAAM,MAAM,SAAS,GAAG;IACtB,KAAK,EAAE,MAAM,CAAC;IACd,QAAQ,EAAE,MAAM,CAAC;CAClB,CAAC;AAEF,MAAM,MAAM,YAAY,GAAG;IACzB,IAAI,EAAE,MAAM,CAAC;IACb,KAAK,EAAE,MAAM,CAAC;IACd,QAAQ,EAAE,MAAM,CAAC;CAClB,CAAC;AAEF,MAAM,MAAM,OAAO,GAAG;IACpB,EAAE,CAAC,EAAE,OAAO,CAAC;IACb,IAAI,CAAC,EAAE,OAAO,CAAC;IACf,KAAK,CAAC,EAAE,OAAO,CAAC;IAChB,QAAQ,CAAC,EAAE,OAAO,CAAC;CACpB,CAAC;AACF,MAAM,MAAM,iBAAiB,GAAG;IAC9B,KAAK,CAAC,GAAG,EAAE,QAAQ,EAAE,GAAG,EAAE,SAAS,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IACpD,QAAQ,CAAC,GAAG,EAAE,QAAQ,EAAE,GAAG,EAAE,SAAS,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IACvD,MAAM,CAAC,GAAG,EAAE,QAAQ,EAAE,GAAG,EAAE,SAAS,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IACrD,OAAO,CAAC,GAAG,EAAE,QAAQ,EAAE,GAAG,EAAE,SAAS,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;CACvD,CAAC;AAEF,MAAM,MAAM,mBAAmB,GAAG;IAChC,IAAI,CAAC,EAAE,OAAO,CAAC;IACf,QAAQ,CAAC,EAAE,MAAM,MAAM,CAAC,MAAM,EAAE,MAAM,EAAE,CAAC,CAAC;CAC3C,CAAC;AAEF;;GAEG;AACH,MAAM,WAAW,eAAe;IAC9B,KAAK,CAAC,GAAG,EAAE,QAAQ,EAAE,GAAG,EAAE,SAAS,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IACpD,IAAI,CAAC,GAAG,EAAE,QAAQ,EAAE,GAAG,EAAE,SAAS,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IACnD,MAAM,CAAC,GAAG,EAAE,QAAQ,EAAE,GAAG,EAAE,SAAS,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IACrD,KAAK,CAAC,GAAG,EAAE,QAAQ,EAAE,GAAG,EAAE,SAAS,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IACpD,IAAI,CAAC,GAAG,EAAE,QAAQ,EAAE,GAAG,EAAE,SAAS,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IACnD,IAAI,CAAC,GAAG,EAAE,QAAQ,EAAE,GAAG,EAAE,SAAS,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IACnD,MAAM,CAAC,GAAG,EAAE,QAAQ,EAAE,GAAG,EAAE,SAAS,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IACrD,OAAO,CAAC,GAAG,EAAE,QAAQ,EAAE,GAAG,EAAE,SAAS,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;CACvD"}
+{"version":3,"file":"controller.d.ts","sourceRoot":"","sources":["../../../app/Types/controller.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,eAAe,CAAC;AAC9C,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,gBAAgB,CAAC;AAEhD,MAAM,MAAM,UAAU,GAAG,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;AAEjD,MAAM,MAAM,SAAS,GAAG;IACtB,KAAK,EAAE,MAAM,CAAC;IACd,QAAQ,EAAE,MAAM,CAAC;CAClB,CAAC;AAEF,MAAM,MAAM,YAAY,GAAG;IACzB,IAAI,EAAE,MAAM,CAAC;IACb,KAAK,EAAE,MAAM,CAAC;IACd,QAAQ,EAAE,MAAM,CAAC;CAClB,CAAC;AAEF,MAAM,MAAM,OAAO,GAAG;IACpB,EAAE,CAAC,EAAE,OAAO,CAAC;IACb,IAAI,CAAC,EAAE,OAAO,CAAC;IACf,KAAK,CAAC,EAAE,OAAO,CAAC;IAChB,QAAQ,CAAC,EAAE,OAAO,CAAC;CACpB,CAAC;AACF,MAAM,MAAM,iBAAiB,GAAG;IAC9B,KAAK,CAAC,GAAG,EAAE,QAAQ,EAAE,GAAG,EAAE,SAAS,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IACpD,QAAQ,CAAC,GAAG,EAAE,QAAQ,EAAE,GAAG,EAAE,SAAS,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IACvD,MAAM,CAAC,GAAG,EAAE,QAAQ,EAAE,GAAG,EAAE,SAAS,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IACrD,SAAS,CAAC,GAAG,EAAE,QAAQ,EAAE,GAAG,EAAE,SAAS,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IACxD,OAAO,CAAC,GAAG,EAAE,QAAQ,EAAE,GAAG,EAAE,SAAS,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;CACvD,CAAC;AAEF,MAAM,MAAM,mBAAmB,GAAG;IAChC,IAAI,CAAC,EAAE,OAAO,CAAC;IACf,QAAQ,CAAC,EAAE,MAAM,MAAM,CAAC,MAAM,EAAE,MAAM,EAAE,CAAC,CAAC;CAC3C,CAAC;AAEF;;GAEG;AACH,MAAM,WAAW,eAAe;IAC9B,KAAK,CAAC,GAAG,EAAE,QAAQ,EAAE,GAAG,EAAE,SAAS,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IACpD,IAAI,CAAC,GAAG,EAAE,QAAQ,EAAE,GAAG,EAAE,SAAS,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IACnD,MAAM,CAAC,GAAG,EAAE,QAAQ,EAAE,GAAG,EAAE,SAAS,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IACrD,KAAK,CAAC,GAAG,EAAE,QAAQ,EAAE,GAAG,EAAE,SAAS,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IACpD,IAAI,CAAC,GAAG,EAAE,QAAQ,EAAE,GAAG,EAAE,SAAS,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IACnD,IAAI,CAAC,GAAG,EAAE,QAAQ,EAAE,GAAG,EAAE,SAAS,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IACnD,MAAM,CAAC,GAAG,EAAE,QAAQ,EAAE,GAAG,EAAE,SAAS,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IACrD,OAAO,CAAC,GAAG,EAAE,QAAQ,EAAE,GAAG,EAAE,SAAS,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;CACvD;AAED,eAAO,MAAM,wBAAwB,IAAI,CAAC"}

package/app/Types/controller.js

@@ -1 +1 @@
-export {};
+export const __controllerTypesRuntime = 1;

package/config/storage.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"storage.d.ts","sourceRoot":"","sources":["../../config/storage.ts"],"names":[],"mappings":"AAIA;;;;;;GAMG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAEH,wBAiDmC"}
+{"version":3,"file":"storage.d.ts","sourceRoot":"","sources":["../../config/storage.ts"],"names":[],"mappings":"AAGA;;;;;;GAMG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAEH,wBAiDmC"}

package/config/storage.js

@@ -1,5 +1,5 @@
 // @ts-ignore - config templates are excluded from the main TS project in this repo
-import { Env } from '../src/config/env.js';
+import { Env } from '../src/index.js';
 /**
  * Storage Configuration (default override)
  *

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@zintrust/core",
-  "version": "0.1.46",
+  "version": "0.1.49",
   "description": "Production-grade TypeScript backend framework for JavaScript",
   "homepage": "https://zintrust.com",
   "repository": {

package/routes/api.js

@@ -69,6 +69,9 @@ function registerApiV1Routes(router, authController, userController) {
         Router.post(r, '/auth/logout', authController.logout, {
             middleware: ['auth', 'jwt'],
         });
+        Router.post(r, '/auth/logout-all', authController.logoutAll, {
+            middleware: ['auth', 'jwt'],
+        });
         Router.post(r, '/auth/refresh', authController.refresh, {
             middleware: ['auth', 'jwt'],
         });
@@ -82,10 +85,14 @@ function registerApiV1Routes(router, authController, userController) {
             update: userController.update,
             destroy: userController.destroy,
         }, {
-            middleware: ['auth', 'jwt'],
-            store: { middleware: ['auth', 'jwt', 'userMutationRateLimit', 'validateUserStore'] },
-            update: { middleware: ['auth', 'jwt', 'userMutationRateLimit', 'validateUserUpdate'] },
-            destroy: { middleware: ['auth', 'jwt', 'userMutationRateLimit'] },
+            middleware: ['auth', 'bulletproof'],
+            store: {
+                middleware: ['auth', 'bulletproof', 'userMutationRateLimit', 'validateUserStore'],
+            },
+            update: {
+                middleware: ['auth', 'bulletproof', 'userMutationRateLimit', 'validateUserUpdate'],
+            },
+            destroy: { middleware: ['auth', 'bulletproof', 'userMutationRateLimit'] },
         });
         Router.post(pr, '/users/fill', userController.fill, {
             middleware: ['auth', 'jwt', 'fillRateLimit', 'validateUserFill'],
@@ -100,10 +107,10 @@ function registerApiV1Routes(router, authController, userController) {
         // Custom user routes
         Router.get(pr, '/profile', async (__req, res) => {
             res.json({ message: 'Get user profile' });
-        }, { middleware: ['auth', 'jwt'] });
+        }, { middleware: ['auth', 'bulletproof'] });
         Router.put(pr, '/profile', async (__req, res) => {
             res.json({ message: 'Update user profile' });
-        }, { middleware: ['auth', 'jwt'] });
+        }, { middleware: ['auth', 'bulletproof'] });
         // Posts resource
         Router.get(r, '/posts', async (_req, res) => {
             res.json({ data: [] });

package/src/cli/CLI.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"CLI.d.ts","sourceRoot":"","sources":["../../../src/cli/CLI.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAqEH,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAIpC,MAAM,WAAW,IAAI;IACnB,GAAG,CAAC,IAAI,EAAE,MAAM,EAAE,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IACnC,UAAU,IAAI,OAAO,CAAC;CACvB;AA2PD;;;;;;;GAOG;AACH,eAAO,MAAM,GAAG;cACJ,IAAI;EAed,CAAC"}
+{"version":3,"file":"CLI.d.ts","sourceRoot":"","sources":["../../../src/cli/CLI.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAsEH,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAIpC,MAAM,WAAW,IAAI;IACnB,GAAG,CAAC,IAAI,EAAE,MAAM,EAAE,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IACnC,UAAU,IAAI,OAAO,CAAC;CACvB;AA4PD;;;;;;;GAOG;AACH,eAAO,MAAM,GAAG;cACJ,IAAI;EAed,CAAC"}

package/src/cli/CLI.js

@@ -4,6 +4,7 @@
  */
 import { AddCommand } from './commands/AddCommand.js';
 import { BroadcastWorkCommand } from './commands/BroadcastWorkCommand.js';
+import { BulletproofKeyGenerateCommand } from './commands/BulletproofKeyGenerateCommand.js';
 import { ConfigCommand } from './commands/ConfigCommand.js';
 import { ContainerProxiesCommand } from './commands/ContainerProxiesCommand.js';
 import { ContainerWorkersCommand } from './commands/ContainerWorkersCommand.js';
@@ -119,6 +120,7 @@ const buildCommandRegistry = () => {
         QACommand(),
         FixCommand.create(),
         KeyGenerateCommand.create(),
+        BulletproofKeyGenerateCommand.create(),
         SimulateCommand,
         TemplatesCommand,
         MakeMailTemplateCommand.create(),

package/src/cli/commands/AddCommand.js

@@ -33,7 +33,7 @@ const addOptions = (command) => {
         .option('--port <number>', 'Service port - for services')
         .option('--service <path>', 'Service path (relative to project root) - for features')
         .option('--with-test', 'Generate test files - for features')
-        .option('--controller-type <type>', 'Controller type: crud, resource, api, graphql, websocket, webhook - for controllers')
+        .option('--controller-type <type>', 'Controller type: crud, resource, api, graphql, websocket - for controllers')
         .option('--soft-delete', 'Add soft delete to model')
         .option('--timestamps', 'Add timestamps to model (default: true)')
         .option('--resource', 'Generate resource routes')
@@ -304,7 +304,7 @@ const promptControllerConfig = async () => {
             type: 'list',
             name: 'type',
             message: 'Controller type:',
-            choices: ['crud', 'resource', 'api', 'graphql', 'websocket', 'webhook'],
+            choices: ['crud', 'resource', 'api', 'graphql', 'websocket'],
             default: 'crud',
         },
     ]);

package/src/cli/commands/BulletproofKeyGenerateCommand.d.ts

@@ -0,0 +1,10 @@
+/**
+ * Bulletproof Signing Secret Generate Command
+ * Generates and sets BULLETPROOF_SIGNING_SECRET (with rotation backups)
+ */
+import type { IBaseCommand } from '../BaseCommand';
+export declare const BulletproofKeyGenerateCommand: Readonly<{
+    create(): IBaseCommand;
+}>;
+export default BulletproofKeyGenerateCommand;
+//# sourceMappingURL=BulletproofKeyGenerateCommand.d.ts.map

package/src/cli/commands/BulletproofKeyGenerateCommand.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"BulletproofKeyGenerateCommand.d.ts","sourceRoot":"","sources":["../../../../src/cli/commands/BulletproofKeyGenerateCommand.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,KAAK,EAAkB,YAAY,EAAE,MAAM,kBAAkB,CAAC;AAgBrE,eAAO,MAAM,6BAA6B;cAC9B,YAAY;EAkEtB,CAAC;AAoFH,eAAe,6BAA6B,CAAC"}

package/src/cli/commands/BulletproofKeyGenerateCommand.js

@@ -0,0 +1,139 @@
+/**
+ * Bulletproof Signing Secret Generate Command
+ * Generates and sets BULLETPROOF_SIGNING_SECRET (with rotation backups)
+ */
+import { BaseCommand } from '../BaseCommand.js';
+import { Logger } from '../../config/logger.js';
+import * as crypto from '../../node-singletons/crypto.js';
+import { fsPromises as fs } from '../../node-singletons/fs.js';
+import * as path from '../../node-singletons/path.js';
+const ENV_KEY = 'BULLETPROOF_SIGNING_SECRET';
+const ENV_BK_KEY = 'BULLETPROOF_SIGNING_SECRET_BK';
+export const BulletproofKeyGenerateCommand = Object.freeze({
+    create() {
+        return BaseCommand.create({
+            name: 'key:bulletproof',
+            description: 'Generate/rotate BULLETPROOF_SIGNING_SECRET (signed-request proof key)',
+            aliases: ['bulletproof:key', 'key:signer'],
+            addOptions: (command) => {
+                command.option('--show', 'Display the key (and suggested env) instead of modifying files');
+                command.option('--max-backups <n>', 'Max secrets to keep in BULLETPROOF_SIGNING_SECRET_BK (default: 5)', '5');
+            },
+            execute: async (options) => {
+                const key = generateRandomKey();
+                const maxBackups = parseMaxBackups(options.maxBackups);
+                if (options.show === true) {
+                    Logger.info(`${ENV_KEY}=${key}`);
+                    Logger.info(`${ENV_BK_KEY}=[]`);
+                    return;
+                }
+                const envPath = path.resolve(process.cwd(), '.env');
+                try {
+                    let envContent = '';
+                    try {
+                        envContent = await fs.readFile(envPath, 'utf-8');
+                    }
+                    catch (error) {
+                        Logger.warn('Could not read .env file, attempting to create from example', { error });
+                        const examplePath = path.resolve(process.cwd(), '.env.example');
+                        try {
+                            envContent = await fs.readFile(examplePath, 'utf-8');
+                            await fs.writeFile(envPath, envContent);
+                            Logger.info('.env file created from .env.example');
+                        }
+                        catch (copyError) {
+                            Logger.error('Failed to create .env from example', { error: copyError });
+                            Logger.warn('.env file not found and .env.example not found. Creating new .env file.');
+                            envContent = '';
+                        }
+                    }
+                    const currentSecret = readEnvLineValue(envContent, ENV_KEY);
+                    const currentBackups = parseBackups(readEnvLineValue(envContent, ENV_BK_KEY));
+                    const nextBackups = rotateBackups({
+                        currentSecret,
+                        currentBackups,
+                        maxBackups,
+                    });
+                    envContent = upsertEnvLine(envContent, ENV_BK_KEY, JSON.stringify(nextBackups));
+                    envContent = upsertEnvLine(envContent, ENV_KEY, key);
+                    await fs.writeFile(envPath, envContent);
+                    Logger.info(`Bulletproof signing secret set successfully. [${key}]`);
+                }
+                catch (error) {
+                    Logger.error('Failed to update .env file', error);
+                }
+            },
+        });
+    },
+});
+const parseMaxBackups = (raw) => {
+    const n = typeof raw === 'string' ? Number.parseInt(raw, 10) : Number.NaN;
+    if (!Number.isFinite(n) || n < 0)
+        return 5;
+    return Math.min(50, n);
+};
+const generateRandomKey = () => {
+    // 32 bytes = 256-bit (same as APP_KEY default strength).
+    return 'base64:' + crypto.randomBytes(32).toString('base64');
+};
+const readEnvLineValue = (envContent, key) => {
+    const re = new RegExp(`^${escapeRegExp(key)}=(.*)$`, 'm');
+    const match = re.exec(envContent);
+    return typeof match?.[1] === 'string' ? match[1].trim() : '';
+};
+const upsertEnvLine = (envContent, key, value) => {
+    const line = `${key}=${value}`;
+    const re = new RegExp(`^${escapeRegExp(key)}=.*$`, 'm');
+    if (re.test(envContent)) {
+        return envContent.replace(re, line);
+    }
+    const trimmed = envContent.trimEnd();
+    if (trimmed === '')
+        return `${line}\n`;
+    return `${trimmed}\n${line}\n`;
+};
+const escapeRegExp = (value) => value.replaceAll(/[.*+?^${}()|[\]\\]/g, String.raw `\$&`);
+const parseBackups = (raw) => {
+    const value = raw.trim();
+    if (value === '')
+        return [];
+    if (value.startsWith('[')) {
+        try {
+            const parsed = JSON.parse(value);
+            if (!Array.isArray(parsed))
+                return [];
+            return parsed
+                .filter((v) => typeof v === 'string')
+                .map((s) => s.trim())
+                .filter((s) => s !== '');
+        }
+        catch {
+            return [];
+        }
+    }
+    return value
+        .split(',')
+        .map((s) => s.trim())
+        .filter((s) => s !== '');
+};
+const rotateBackups = (params) => {
+    const seen = new Set();
+    const out = [];
+    const pushUnique = (secret) => {
+        const s = secret.trim();
+        if (s === '')
+            return;
+        if (seen.has(s))
+            return;
+        seen.add(s);
+        out.push(s);
+    };
+    if (params.currentSecret !== '') {
+        pushUnique(params.currentSecret);
+    }
+    for (const s of params.currentBackups) {
+        pushUnique(s);
+    }
+    return out.slice(0, Math.max(0, params.maxBackups));
+};
+export default BulletproofKeyGenerateCommand;

package/src/cli/commands/JwtDevCommand.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"JwtDevCommand.d.ts","sourceRoot":"","sources":["../../../../src/cli/commands/JwtDevCommand.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,EAAoC,KAAK,YAAY,EAAE,MAAM,kBAAkB,CAAC;AA6FvF,eAAO,MAAM,aAAa,EAAE,YAqD3B,CAAC;AAEF,eAAe,aAAa,CAAC"}
+{"version":3,"file":"JwtDevCommand.d.ts","sourceRoot":"","sources":["../../../../src/cli/commands/JwtDevCommand.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAGH,OAAO,EAAoC,KAAK,YAAY,EAAE,MAAM,kBAAkB,CAAC;AAyHvF,eAAO,MAAM,aAAa,EAAE,YAgD3B,CAAC;AAEF,eAAe,aAAa,CAAC"}

package/src/cli/commands/JwtDevCommand.js

@@ -2,11 +2,54 @@
  * JWT Dev Command
  * Mint a local development JWT for quick manual API testing.
  */
+import { isUndefinedOrNull } from '../../helper/index.js';
 import { BaseCommand } from '../BaseCommand.js';
 import { appConfig } from '../../config/app.js';
 import { securityConfig } from '../../config/security.js';
 import { ErrorFactory } from '../../exceptions/ZintrustError.js';
+import * as crypto from '../../node-singletons/crypto.js';
 import { JwtManager } from '../../security/JwtManager.js';
+const sha256Hex = (value) => {
+    return crypto.createHash('sha256').update(value).digest('hex');
+};
+const optionalTrimmed = (value) => {
+    if (typeof value !== 'string')
+        return undefined;
+    const trimmed = value.trim();
+    return trimmed === '' ? undefined : trimmed;
+};
+const buildPayload = (options) => {
+    const payload = {};
+    const sub = optionalTrimmed(options.sub);
+    if (!isUndefinedOrNull(sub))
+        payload.sub = sub;
+    const email = optionalTrimmed(options.email);
+    if (!isUndefinedOrNull(email))
+        payload['email'] = email;
+    const role = optionalTrimmed(options.role);
+    if (!isUndefinedOrNull(role))
+        payload['role'] = role;
+    const deviceId = optionalTrimmed(options.deviceId);
+    if (!isUndefinedOrNull(deviceId))
+        payload['deviceId'] = deviceId;
+    const tenantId = optionalTrimmed(options.tenantId);
+    if (!isUndefinedOrNull(tenantId))
+        payload['tenantId'] = tenantId;
+    const tz = optionalTrimmed(options.tz);
+    if (!isUndefinedOrNull(tz))
+        payload['tz'] = tz;
+    const uaHash = optionalTrimmed(options.uaHash);
+    if (isUndefinedOrNull(uaHash)) {
+        const ua = optionalTrimmed(options.ua);
+        if (ua !== undefined) {
+            payload['uaHash'] = sha256Hex(ua);
+        }
+    }
+    else {
+        payload['uaHash'] = uaHash;
+    }
+    return payload;
+};
 const parseExpiresToSeconds = (value) => {
     const raw = typeof value === 'string' ? value.trim() : '';
     if (raw === '')
@@ -47,25 +90,6 @@ const assertNotProduction = (allowProduction) => {
         return;
     throw ErrorFactory.createCliError("Refusing to mint a dev JWT in production. Use --allow-production only if you know what you're doing.");
 };
-const createJwt = (payload, expiresInSeconds) => {
-    const algorithm = securityConfig.jwt.algorithm;
-    const secret = securityConfig.jwt.secret;
-    const jwt = JwtManager.create();
-    if (algorithm === 'HS256' || algorithm === 'HS512') {
-        jwt.setHmacSecret(secret);
-    }
-    else {
-        throw ErrorFactory.createCliError(`JWT algorithm '${algorithm}' is not supported by zin jwt:dev (HS256/HS512 only).`);
-    }
-    return jwt.sign(payload, {
-        algorithm,
-        expiresIn: expiresInSeconds,
-        issuer: securityConfig.jwt.issuer,
-        audience: securityConfig.jwt.audience,
-        subject: typeof payload.sub === 'string' ? payload.sub : undefined,
-        jwtId: jwt.generateJwtId(),
-    });
-};
 export const JwtDevCommand = Object.freeze(BaseCommand.create({
     name: 'jwt:dev',
     description: 'Mint a local development JWT (for manual API testing)',
@@ -75,25 +99,20 @@ export const JwtDevCommand = Object.freeze(BaseCommand.create({
             .option('--sub <sub>', 'JWT subject claim (default: 1)', '1')
             .option('--email <email>', 'Email claim')
             .option('--role <role>', 'Role claim')
+            .option('--device-id <id>', 'Attach deviceId claim (for bulletproof auth)')
+            .option('--tenant-id <id>', 'Attach tenantId claim')
+            .option('--tz <tz>', 'Attach timezone claim (tz)')
+            .option('--ua <ua>', 'Compute and attach uaHash claim from a User-Agent string')
+            .option('--ua-hash <hash>', 'Attach uaHash claim directly (hex)')
             .option('--expires <duration>', "Expiry: seconds or 30m/1h/7d (default: '1h')", '1h')
             .option('--json', 'Output machine-readable JSON')
             .option('--allow-production', 'Allow running in production (dangerous)');
     },
-    execute: (options) => {
+    execute: async (options) => {
         assertNotProduction(options.allowProduction);
         const expiresInSeconds = parseExpiresToSeconds(options.expires);
-        const payload = {
-            ...(typeof options.sub === 'string' && options.sub.trim() !== ''
-                ? { sub: options.sub.trim() }
-                : {}),
-            ...(typeof options.email === 'string' && options.email.trim() !== ''
-                ? { email: options.email.trim() }
-                : {}),
-            ...(typeof options.role === 'string' && options.role.trim() !== ''
-                ? { role: options.role.trim() }
-                : {}),
-        };
-        const token = createJwt(payload, expiresInSeconds);
+        const payload = buildPayload(options);
+        const token = await JwtManager.signAccessToken(payload, expiresInSeconds);
         /* eslint-disable no-console */
         if (options.json === true) {
             const nowSeconds = Math.floor(Date.now() / 1000);

package/src/cli/scaffolding/ControllerGenerator.d.ts

@@ -2,7 +2,7 @@
  * ControllerGenerator - Generate controller files
  * Creates CRUD controllers with validation and error handling
  */
-export type ControllerType = 'crud' | 'resource' | 'api' | 'graphql' | 'websocket' | 'webhook';
+export type ControllerType = 'crud' | 'resource' | 'api' | 'graphql' | 'websocket';
 export interface ControllerOptions {
     name: string;
     controllerPath: string;

package/src/cli/scaffolding/ControllerGenerator.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"ControllerGenerator.d.ts","sourceRoot":"","sources":["../../../../src/cli/scaffolding/ControllerGenerator.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAMH,MAAM,MAAM,cAAc,GAAG,MAAM,GAAG,UAAU,GAAG,KAAK,GAAG,SAAS,GAAG,WAAW,GAAG,SAAS,CAAC;AAE/F,MAAM,WAAW,iBAAiB;IAChC,IAAI,EAAE,MAAM,CAAC;IACb,cAAc,EAAE,MAAM,CAAC;IACvB,IAAI,CAAC,EAAE,cAAc,CAAC;IACtB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,OAAO,CAAC,EAAE,MAAM,EAAE,CAAC;IACnB,cAAc,CAAC,EAAE,OAAO,CAAC;IACzB,iBAAiB,CAAC,EAAE,OAAO,CAAC;CAC7B;AAED,MAAM,WAAW,yBAAyB;IACxC,OAAO,EAAE,OAAO,CAAC;IACjB,cAAc,EAAE,MAAM,CAAC;IACvB,cAAc,EAAE,MAAM,CAAC;IACvB,OAAO,EAAE,MAAM,CAAC;CACjB;AAcD;;GAEG;AACH,wBAAgB,eAAe,CAAC,OAAO,EAAE,iBAAiB,GAAG;IAAE,KAAK,EAAE,OAAO,CAAC;IAAC,MAAM,EAAE,MAAM,EAAE,CAAA;CAAE,CAgChG;AAED;;GAEG;AAEH,wBAAgB,kBAAkB,CAAC,OAAO,EAAE,iBAAiB,GAAG,OAAO,CAAC,yBAAyB,CAAC,CA2CjG;AA8eD;;GAEG;AACH,wBAAgB,iBAAiB,IAAI,cAAc,EAAE,CAEpD;AAED;;GAEG;AACH,eAAO,MAAM,mBAAmB;;;;EAI9B,CAAC"}
+{"version":3,"file":"ControllerGenerator.d.ts","sourceRoot":"","sources":["../../../../src/cli/scaffolding/ControllerGenerator.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAMH,MAAM,MAAM,cAAc,GAAG,MAAM,GAAG,UAAU,GAAG,KAAK,GAAG,SAAS,GAAG,WAAW,CAAC;AAEnF,MAAM,WAAW,iBAAiB;IAChC,IAAI,EAAE,MAAM,CAAC;IACb,cAAc,EAAE,MAAM,CAAC;IACvB,IAAI,CAAC,EAAE,cAAc,CAAC;IACtB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,OAAO,CAAC,EAAE,MAAM,EAAE,CAAC;IACnB,cAAc,CAAC,EAAE,OAAO,CAAC;IACzB,iBAAiB,CAAC,EAAE,OAAO,CAAC;CAC7B;AAED,MAAM,WAAW,yBAAyB;IACxC,OAAO,EAAE,OAAO,CAAC;IACjB,cAAc,EAAE,MAAM,CAAC;IACvB,cAAc,EAAE,MAAM,CAAC;IACvB,OAAO,EAAE,MAAM,CAAC;CACjB;AAaD;;GAEG;AACH,wBAAgB,eAAe,CAAC,OAAO,EAAE,iBAAiB,GAAG;IAAE,KAAK,EAAE,OAAO,CAAC;IAAC,MAAM,EAAE,MAAM,EAAE,CAAA;CAAE,CAgChG;AAED;;GAEG;AAEH,wBAAgB,kBAAkB,CAAC,OAAO,EAAE,iBAAiB,GAAG,OAAO,CAAC,yBAAyB,CAAC,CA2CjG;AAsaD;;GAEG;AACH,wBAAgB,iBAAiB,IAAI,cAAc,EAAE,CAEpD;AAED;;GAEG;AACH,eAAO,MAAM,mBAAmB;;;;EAI9B,CAAC"}