@zintrust/core 0.1.53 → 0.1.54

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@zintrust/core",
-  "version": "0.1.53",
+  "version": "0.1.54",
   "description": "Production-grade TypeScript backend framework for JavaScript",
   "homepage": "https://zintrust.com",
   "repository": {

package/src/boot/bootstrap.js

@@ -220,7 +220,7 @@ const BootstrapFunctions = Object.freeze({
             // Start listening
             await server.listen();
             Logger.info(`Server running at http://${host}:${port}`);
-            Logger.info(`ZinTrust documentation at http://${host}:${port}/doc`);
+            Logger.info(`ZinTrust documentation at http://${host}:${port}/zintrust-doc`);
             // Start schedules for long-running runtimes (Node.js / Fargate)
             await startSchedulesIfNeeded(app);
             if (appConfig.worker === true &&

package/src/boot/registry/runtime.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"runtime.d.ts","sourceRoot":"","sources":["../../../../src/boot/registry/runtime.ts"],"names":[],"mappings":"AAeA,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,gBAAgB,CAAC;AAOvD,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,gBAAgB,CAAC;AAoJ9C,eAAO,MAAM,8BAA8B,GAAI,iBAAiB,gBAAgB,KAAG,IA4BlF,CAAC;AAyLF,eAAO,MAAM,eAAe,GAAI,QAAQ;IACtC,WAAW,EAAE,MAAM,CAAC;IACpB,gBAAgB,EAAE,MAAM,CAAC;IACzB,MAAM,EAAE,OAAO,CAAC;IAChB,eAAe,EAAE,gBAAgB,CAAC;IAClC,SAAS,EAAE,MAAM,OAAO,CAAC;IACzB,SAAS,EAAE,CAAC,KAAK,EAAE,OAAO,KAAK,IAAI,CAAC;CACrC,KAAG;IAAE,IAAI,EAAE,MAAM,OAAO,CAAC,IAAI,CAAC,CAAC;IAAC,QAAQ,EAAE,MAAM,OAAO,CAAC,IAAI,CAAC,CAAA;CA6E7D,CAAC"}
+{"version":3,"file":"runtime.d.ts","sourceRoot":"","sources":["../../../../src/boot/registry/runtime.ts"],"names":[],"mappings":"AAeA,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,gBAAgB,CAAC;AAOvD,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,gBAAgB,CAAC;AAsJ9C,eAAO,MAAM,8BAA8B,GAAI,iBAAiB,gBAAgB,KAAG,IA4BlF,CAAC;AAyLF,eAAO,MAAM,eAAe,GAAI,QAAQ;IACtC,WAAW,EAAE,MAAM,CAAC;IACpB,gBAAgB,EAAE,MAAM,CAAC;IACzB,MAAM,EAAE,OAAO,CAAC;IAChB,eAAe,EAAE,gBAAgB,CAAC;IAClC,SAAS,EAAE,MAAM,OAAO,CAAC;IACzB,SAAS,EAAE,CAAC,KAAK,EAAE,OAAO,KAAK,IAAI,CAAC;CACrC,KAAG;IAAE,IAAI,EAAE,MAAM,OAAO,CAAC,IAAI,CAAC,CAAC;IAAC,QAAQ,EAAE,MAAM,OAAO,CAAC,IAAI,CAAC,CAAA;CA6E7D,CAAC"}

package/src/boot/registry/runtime.js

@@ -42,8 +42,8 @@ const appConfig = readRuntimeConfig('appConfig', {
     port: 7777,
     dockerWorker: false,
     worker: false,
-    detectRuntime: () => 'nodejs',
 });
+// exported solely for tests to exercise the default detectRuntime handler
 const cacheConfig = readRuntimeConfig('cacheConfig', RuntimeConfig.cacheConfig);
 const databaseConfig = readRuntimeConfig('databaseConfig', {
     default: 'sqlite',

package/src/cli/scaffolding/ProjectScaffolder.js

@@ -503,7 +503,7 @@ zin s
 
 - Health: http://localhost:{{port}}/health
 - Tasks:  http://localhost:{{port}}/api/tasks
-- Doc:  http://localhost:{{port}}/doc
+- Doc:  http://localhost:{{port}}/zintrust-doc
 `;
     }
     return createFiles(state.projectPath, files, variables);

package/src/index.js

@@ -1,11 +1,11 @@
 /**
- * @zintrust/core v0.1.53
+ * @zintrust/core v0.1.54
  *
  * ZinTrust Framework - Production-Grade TypeScript Backend
  * Built for performance, type safety, and exceptional developer experience
  *
  * Build Information:
- *   Built: 2026-03-01T10:16:24.833Z
+ *   Built: 2026-03-02T09:00:32.128Z
  *   Node: >=20.0.0
  *   License: MIT
  *
@@ -21,7 +21,7 @@
  * Available at runtime for debugging and health checks
  */
 export const ZINTRUST_VERSION = '0.1.41';
-export const ZINTRUST_BUILD_DATE = '2026-03-01T10:16:24.797Z'; // Replaced during build
+export const ZINTRUST_BUILD_DATE = '2026-03-02T09:00:32.097Z'; // Replaced during build
 export { Application } from './boot/Application.js';
 export { AwsSigV4 } from './common/index.js';
 export { SignedRequest } from './security/SignedRequest.js';

package/src/orm/Database.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"Database.d.ts","sourceRoot":"","sources":["../../../src/orm/Database.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAOH,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,kBAAkB,CAAC;AAWxD,OAAO,KAAK,EAAE,cAAc,EAAE,gBAAgB,EAAE,WAAW,EAAE,MAAM,sBAAsB,CAAC;AAE1F,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,mBAAmB,CAAC;AAGvD,MAAM,MAAM,QAAQ,GAAG;IAAE,KAAK,EAAE,MAAM,CAAA;CAAE,CAAC;AAEzC,MAAM,WAAW,SAAS;IACxB,OAAO,IAAI,OAAO,CAAC,IAAI,CAAC,CAAC;IACzB,UAAU,IAAI,OAAO,CAAC,IAAI,CAAC,CAAC;IAC5B,WAAW,IAAI,OAAO,CAAC;IACvB,KAAK,CAAC,GAAG,EAAE,MAAM,EAAE,UAAU,CAAC,EAAE,OAAO,EAAE,EAAE,MAAM,CAAC,EAAE,OAAO,GAAG,OAAO,CAAC,OAAO,EAAE,CAAC,CAAC;IACjF,QAAQ,CAAC,GAAG,EAAE,MAAM,EAAE,UAAU,CAAC,EAAE,OAAO,EAAE,EAAE,MAAM,CAAC,EAAE,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC;IAClF,OAAO,CAAC,GAAG,EAAE,MAAM,EAAE,UAAU,CAAC,EAAE,OAAO,EAAE,EAAE,MAAM,CAAC,EAAE,OAAO,GAAG,OAAO,CAAC,WAAW,CAAC,CAAC;IACrF,GAAG,CAAC,KAAK,EAAE,MAAM,GAAG,QAAQ,CAAC;IAC7B,WAAW,CAAC,CAAC,EAAE,QAAQ,EAAE,CAAC,EAAE,EAAE,SAAS,KAAK,OAAO,CAAC,CAAC,CAAC,GAAG,OAAO,CAAC,CAAC,CAAC,CAAC;IACpE,KAAK,CAAC,IAAI,EAAE,MAAM,GAAG,aAAa,CAAC;IACnC,aAAa,CAAC,OAAO,EAAE,CAAC,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,KAAK,IAAI,GAAG,IAAI,CAAC;IACzE,YAAY,CAAC,OAAO,EAAE,CAAC,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,EAAE,QAAQ,EAAE,MAAM,KAAK,IAAI,GAAG,IAAI,CAAC;IAC1F,cAAc,CAAC,OAAO,EAAE,CAAC,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,KAAK,IAAI,GAAG,IAAI,CAAC;IAC1E,aAAa,CAAC,OAAO,EAAE,CAAC,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,EAAE,QAAQ,EAAE,MAAM,KAAK,IAAI,GAAG,IAAI,CAAC;IAC3F,kBAAkB,CAAC,MAAM,CAAC,EAAE,OAAO,GAAG,gBAAgB,CAAC;IACvD,OAAO,IAAI,eAAe,CAAC;IAC3B,SAAS,IAAI,cAAc,CAAC;IAC5B,OAAO,IAAI,IAAI,CAAC;CACjB;AAghBD,eAAO,MAAM,QAAQ;IACnB;;OAEG;oBACa,cAAc,GAAG,SAAS;EAI1C,CAAC;AAIH,eAAO,MAAM,oBAAoB,GAC/B,SAAQ,cAAc,GAAG,SAAqB,EAC9C,uBAA0B,KACzB,OAAO,CAAC,UAAU,CAAC,OAAO,WAAW,CAAC,CAMxC,CAAC;AAEF,wBAAgB,WAAW,CAAC,MAAM,CAAC,EAAE,cAAc,EAAE,UAAU,SAAY,GAAG,SAAS,CAoBtF;AAED,wBAAsB,aAAa,IAAI,OAAO,CAAC,IAAI,CAAC,CAWnD"}
+{"version":3,"file":"Database.d.ts","sourceRoot":"","sources":["../../../src/orm/Database.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAOH,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,kBAAkB,CAAC;AAWxD,OAAO,KAAK,EAAE,cAAc,EAAE,gBAAgB,EAAE,WAAW,EAAE,MAAM,sBAAsB,CAAC;AAE1F,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,mBAAmB,CAAC;AAGvD,MAAM,MAAM,QAAQ,GAAG;IAAE,KAAK,EAAE,MAAM,CAAA;CAAE,CAAC;AAEzC,MAAM,WAAW,SAAS;IACxB,OAAO,IAAI,OAAO,CAAC,IAAI,CAAC,CAAC;IACzB,UAAU,IAAI,OAAO,CAAC,IAAI,CAAC,CAAC;IAC5B,WAAW,IAAI,OAAO,CAAC;IACvB,KAAK,CAAC,GAAG,EAAE,MAAM,EAAE,UAAU,CAAC,EAAE,OAAO,EAAE,EAAE,MAAM,CAAC,EAAE,OAAO,GAAG,OAAO,CAAC,OAAO,EAAE,CAAC,CAAC;IACjF,QAAQ,CAAC,GAAG,EAAE,MAAM,EAAE,UAAU,CAAC,EAAE,OAAO,EAAE,EAAE,MAAM,CAAC,EAAE,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC;IAClF,OAAO,CAAC,GAAG,EAAE,MAAM,EAAE,UAAU,CAAC,EAAE,OAAO,EAAE,EAAE,MAAM,CAAC,EAAE,OAAO,GAAG,OAAO,CAAC,WAAW,CAAC,CAAC;IACrF,GAAG,CAAC,KAAK,EAAE,MAAM,GAAG,QAAQ,CAAC;IAC7B,WAAW,CAAC,CAAC,EAAE,QAAQ,EAAE,CAAC,EAAE,EAAE,SAAS,KAAK,OAAO,CAAC,CAAC,CAAC,GAAG,OAAO,CAAC,CAAC,CAAC,CAAC;IACpE,KAAK,CAAC,IAAI,EAAE,MAAM,GAAG,aAAa,CAAC;IACnC,aAAa,CAAC,OAAO,EAAE,CAAC,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,KAAK,IAAI,GAAG,IAAI,CAAC;IACzE,YAAY,CAAC,OAAO,EAAE,CAAC,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,EAAE,QAAQ,EAAE,MAAM,KAAK,IAAI,GAAG,IAAI,CAAC;IAC1F,cAAc,CAAC,OAAO,EAAE,CAAC,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,KAAK,IAAI,GAAG,IAAI,CAAC;IAC1E,aAAa,CAAC,OAAO,EAAE,CAAC,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,EAAE,QAAQ,EAAE,MAAM,KAAK,IAAI,GAAG,IAAI,CAAC;IAC3F,kBAAkB,CAAC,MAAM,CAAC,EAAE,OAAO,GAAG,gBAAgB,CAAC;IACvD,OAAO,IAAI,eAAe,CAAC;IAC3B,SAAS,IAAI,cAAc,CAAC;IAC5B,OAAO,IAAI,IAAI,CAAC;CACjB;AAqhBD,eAAO,MAAM,QAAQ;IACnB;;OAEG;oBACa,cAAc,GAAG,SAAS;EAI1C,CAAC;AAIH,eAAO,MAAM,oBAAoB,GAC/B,SAAQ,cAAc,GAAG,SAAqB,EAC9C,uBAA0B,KACzB,OAAO,CAAC,UAAU,CAAC,OAAO,WAAW,CAAC,CAMxC,CAAC;AAEF,wBAAgB,WAAW,CAAC,MAAM,CAAC,EAAE,cAAc,EAAE,UAAU,SAAY,GAAG,SAAS,CAoBtF;AAED,wBAAsB,aAAa,IAAI,OAAO,CAAC,IAAI,CAAC,CAWnD"}

package/src/orm/Database.js

@@ -116,7 +116,7 @@ const resolveWorkersAdapter = (cfg) => {
     const workersEnv = Cloudflare.getWorkersEnv();
     if (workersEnv === null)
         return null;
-    Logger.info('[Database] Resolving adapter for Cloudflare Workers runtime', {
+    Logger.debug('[Database] Resolving adapter for Cloudflare Workers runtime', {
         driver: cfg.driver,
         useMySqlProxy: Env.getBool('USE_MYSQL_PROXY', false),
         mysqlProxyUrlConfigured: Env.get('MYSQL_PROXY_URL', '').trim() !== '',
@@ -138,13 +138,16 @@ const createAdapter = (cfg) => {
     const explicitProxy = resolveExplicitProxyAdapter(cfg);
     if (explicitProxy)
         return explicitProxy;
-    const workersAdapter = resolveWorkersAdapter(cfg);
-    if (workersAdapter)
-        return workersAdapter;
+    // First: Check the specific configured driver via registry
     const registered = DatabaseAdapterRegistry.get(cfg.driver);
     if (registered !== undefined) {
         return registered(cfg);
     }
+    // Second: Try workers adapter resolution (only if registry lookup failed)
+    const workersAdapter = resolveWorkersAdapter(cfg);
+    if (workersAdapter)
+        return workersAdapter;
+    // Third: Fallback to direct adapter creation
     switch (cfg.driver) {
         case 'postgresql':
             return PostgreSQLAdapter.create(cfg);

package/src/routes/doc.d.ts

@@ -1,6 +1,6 @@
 /**
  * Documentation Routes
- * Serves static files from /doc/* paths with relaxed CSP headers.
+ * Serves static files from /zintrust-doc/* paths with relaxed CSP headers.
  */
 import type { IRouter } from './Router';
 import type { IResponse } from '../http/Response';

package/src/routes/doc.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"doc.d.ts","sourceRoot":"","sources":["../../../src/routes/doc.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAMH,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,qBAAqB,CAAC;AAInD,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,gBAAgB,CAAC;AAIhD,OAAO,EAAE,cAAc,EAAE,MAAM,qBAAqB,CAAC;AAErD;;GAEG;AAEH,OAAO,EACL,eAAe,EACf,oBAAoB,EACpB,uBAAuB,EACvB,4BAA4B,EAC5B,aAAa,EACb,kBAAkB,GACnB,MAAM,yBAAyB,CAAC;AAkCjC;;GAEG;AACH,eAAO,MAAM,0BAA0B,GAAI,UAAU,SAAS,KAAG,IAWhE,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,2BAA2B,GACtC,SAAS,MAAM,EACf,UAAU,SAAS,KAClB,OAAO,CAAC,OAAO,CAgDjB,CAAC;AASF,eAAO,MAAM,iBAAiB,GAAI,QAAQ,OAAO,KAAG,IAMnD,CAAC;;gCANwC,OAAO,KAAG,IAAI;2CA5EH,SAAS,KAAG,IAAI;2CAiB1D,MAAM,YACL,SAAS,KAClB,OAAO,CAAC,OAAO,CAAC;;AAiEnB,wBAIE"}
+{"version":3,"file":"doc.d.ts","sourceRoot":"","sources":["../../../src/routes/doc.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAMH,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,qBAAqB,CAAC;AAInD,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,gBAAgB,CAAC;AAIhD,OAAO,EAAE,cAAc,EAAE,MAAM,qBAAqB,CAAC;AAErD;;GAEG;AAEH,OAAO,EACL,eAAe,EACf,oBAAoB,EACpB,uBAAuB,EACvB,4BAA4B,EAC5B,aAAa,EACb,kBAAkB,GACnB,MAAM,yBAAyB,CAAC;AAmCjC;;GAEG;AACH,eAAO,MAAM,0BAA0B,GAAI,UAAU,SAAS,KAAG,IAWhE,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,2BAA2B,GACtC,SAAS,MAAM,EACf,UAAU,SAAS,KAClB,OAAO,CAAC,OAAO,CAgDjB,CAAC;AASF,eAAO,MAAM,iBAAiB,GAAI,QAAQ,OAAO,KAAG,IAMnD,CAAC;;gCANwC,OAAO,KAAG,IAAI;2CA5EH,SAAS,KAAG,IAAI;2CAiB1D,MAAM,YACL,SAAS,KAClB,OAAO,CAAC,OAAO,CAAC;;AAiEnB,wBAIE"}

package/src/routes/doc.js

@@ -1,6 +1,6 @@
 /**
  * Documentation Routes
- * Serves static files from /doc/* paths with relaxed CSP headers.
+ * Serves static files from /zintrust-doc/* paths with relaxed CSP headers.
  */
 import { HTTP_HEADERS } from '../config/constants.js';
 import { MIME_TYPES_MAP, resolveSafePath, tryDecodeURIComponent } from './common.js';
@@ -16,6 +16,7 @@ export { MIME_TYPES_MAP } from './common.js';
  */
 // Backward-compatible re-exports
 export { findPackageRoot, findPackageRootAsync, getFrameworkPublicRoots, getFrameworkPublicRootsAsync, getPublicRoot, getPublicRootAsync, } from './publicRoot.js';
+const docPath = 'zintrust-doc';
 const PUBLIC_ROOT_CACHE_TTL_MS = 3000000000; // 50 minutes, can be adjusted as needed
 let cachedPublicRoot = null;
 const getCachedPublicRootAsync = async () => {
@@ -33,10 +34,10 @@ const getCachedPublicRootAsync = async () => {
 const mapStaticPathAsync = async (urlPath) => {
     const publicRoot = await getCachedPublicRootAsync();
     const normalize = (p) => (p.startsWith('/') ? p.slice(1) : p);
-    if (urlPath === '/doc' || urlPath === '/doc/')
+    if (urlPath === `/${docPath}` || urlPath === `/${docPath}/`)
         return publicRoot;
-    if (urlPath.startsWith('/doc/')) {
-        const rawRelative = urlPath.slice('/doc/'.length);
+    if (urlPath.startsWith(`/${docPath}/`)) {
+        const rawRelative = urlPath.slice(`/${docPath}/`.length);
         const normalizedRelative = tryDecodeURIComponent(rawRelative).replaceAll('\\', '/');
         return resolveSafePath(publicRoot, normalize(normalizedRelative));
     }
@@ -112,10 +113,10 @@ const handleDocRequest = async (req, res) => {
 };
 export const registerDocRoutes = (router) => {
     // Root docs entrypoints.
-    Router.get(router, '/doc', handleDocRequest);
-    Router.get(router, '/doc/', handleDocRequest);
-    // Greedy path match for nested assets like /doc/assets/app.js
-    Router.get(router, '/doc/:path*', handleDocRequest);
+    Router.get(router, `/${docPath}`, handleDocRequest);
+    Router.get(router, `/${docPath}/`, handleDocRequest);
+    // Greedy path match for nested assets like /zintrust-doc/assets/app.js
+    Router.get(router, `/${docPath}/:path*`, handleDocRequest);
 };
 export default {
     registerDocRoutes,

package/src/start.js

@@ -35,7 +35,7 @@ export const start = async () => {
     // Compiled output places bootstrap at `dist/src/boot/bootstrap.js`.
     // This file compiles to `dist/src/start.js`, so relative import is stable.
     // In unit tests, importing bootstrap has heavy side effects (starts server + exits).
-    await import('./boot/' + ZintrustLang.BOOTSTRAPJS);
+    await import('./boot/bootstrap.js');
 };
 /**
  * Cloudflare Workers entry (module worker style).

package/src/templates/project/basic/app/Controllers/AuthController.ts.tpl

@@ -10,11 +10,13 @@ import {
   Auth,
   JwtManager,
   Logger,
-  TokenRevocation,
   getString,
   getValidatedBody,
+  isUndefinedOrNull,
 } from '@zintrust/core';
 
+
+
 const pickPublicUser = (row: UserRow): { id: unknown; name: string; email: string } => {
   return {
     id: row.id,
@@ -77,9 +79,15 @@ async function login(req: IRequest, res: IResponse): Promise<void> {
       return undefined;
     })();
 
-    const token = JwtManager.signAccessToken({
+    // Bulletproof Auth (device binding) expects a device id header to match a JWT claim.
+    // For the example app, we mint a stable device id derived from the subject.
+    // Production apps should issue a per-device id and manage a per-device signing secret.
+    const deviceId = isUndefinedOrNull(subject) ? undefined : `dev-${subject}`;
+
+    const token = await JwtManager.signAccessToken({
       sub: subject,
       email,
+      ...(isUndefinedOrNull(deviceId) ? {} : { deviceId }),
     });
 
     Logger.info('AuthController.login: successful login', {
@@ -92,6 +100,7 @@ async function login(req: IRequest, res: IResponse): Promise<void> {
     res.json({
       token,
       token_type: 'Bearer',
+      ...(isUndefinedOrNull(deviceId) ? {} : { deviceId }),
       user,
     });
   } catch (error) {
@@ -166,7 +175,10 @@ async function register(req: IRequest, res: IResponse): Promise<void> {
 
       res.setStatus(201).json({ message: 'Registered' });
     } else {
-      Logger.error('Failed to retrieve inserted user ID');
+      Logger.error('Failed to retrieve inserted user ID', {
+        email,
+        ip: ipAddress,
+      });
       res.setStatus(500).json({ error: 'Registration failed' });
     }
     return;
@@ -187,10 +199,27 @@ async function register(req: IRequest, res: IResponse): Promise<void> {
 async function logout(req: IRequest, res: IResponse): Promise<void> {
   const authHeader =
     typeof req.getHeader === 'function' ? req.getHeader('authorization') : undefined;
-  await TokenRevocation.revoke(authHeader);
+  await JwtManager.logout(authHeader);
   res.json({ message: 'Logged out' });
 }
 
+/**
+ * Logs out the current user from all devices by removing all active sessions for their subject.
+ *
+ * With session allowlist enforcement, deleting a user's session records causes any previously issued
+ * tokens to become unauthorized (401) immediately.
+ */
+async function logoutAll(req: IRequest, res: IResponse): Promise<void> {
+  const sub = typeof req.user?.sub === 'string' ? req.user.sub.trim() : '';
+  if (sub === '') {
+    res.setStatus(401).json({ error: 'Unauthorized' });
+    return;
+  }
+
+  await JwtManager.logoutAll(sub);
+  res.json({ message: 'Logged out everywhere' });
+}
+
 /**
  * Refreshes the user's JWT access token.
  * Generates a new token with the same claims as the current user.
@@ -206,7 +235,7 @@ async function refresh(req: IRequest, res: IResponse): Promise<void> {
     return;
   }
 
-  const token = JwtManager.signAccessToken(user);
+  const token = await JwtManager.signAccessToken(user);
   res.json({ token, token_type: 'Bearer' });
 }
 
@@ -216,6 +245,7 @@ export const AuthController = Object.freeze({
       login,
       register,
       logout,
+      logoutAll,
       refresh,
     };
   },

package/src/templates/project/basic/app/Types/controller.ts.tpl

@@ -23,6 +23,7 @@ export type AuthControllerApi = {
   login(req: IRequest, res: IResponse): Promise<void>;
   register(req: IRequest, res: IResponse): Promise<void>;
   logout(req: IRequest, res: IResponse): Promise<void>;
+  logoutAll(req: IRequest, res: IResponse): Promise<void>;
   refresh(req: IRequest, res: IResponse): Promise<void>;
 };
 

package/src/templates/project/basic/database/migrations/{create_users_table.ts.tpl → 20260109074544_create_users_table.ts.tpl}

@@ -1,5 +1,9 @@
-import { MigrationSchema, type Blueprint } from '@zintrust/core';
-import type { IDatabase } from '@zintrust/core';
+/**
+ * Migration: CreateUsersTable
+ * Creates users table
+ */
+import type { Blueprint, IDatabase } from '@zintrust/core';
+import { MigrationSchema } from '@zintrust/core';
 
 export interface Migration {
   up(db: IDatabase): Promise<void>;
@@ -15,10 +19,7 @@ export const migration: Migration = {
       table.string('name');
       table.string('email').unique();
       table.string('password');
-      table.timestamp('email_verified_at').nullable();
-      table.boolean('active').default(true);
       table.timestamps();
-      table.timestamp('deleted_at').nullable();
     });
   },
 

package/src/templates/project/basic/database/migrations/20260218121500_create_jwt_revocations_table.ts.tpl

@@ -0,0 +1,36 @@
+/**
+ * Migration: CreateJwtRevocationsTable
+ * Creates a storage table for JWT token revocation (token invalidation).
+ */
+import type { Blueprint, IDatabase } from '@zintrust/core';
+import { MigrationSchema } from '@zintrust/core';
+
+export interface Migration {
+  up(db: IDatabase): Promise<void>;
+  down(db: IDatabase): Promise<void>;
+}
+
+export const migration: Migration = {
+  async up(db: IDatabase): Promise<void> {
+    const schema = MigrationSchema.create(db);
+
+    await schema.create('zintrust_jwt_revocations', (table: Blueprint) => {
+      table.id();
+      table.string('user_id', 191).nullable();
+      table.string('jti', 128).unique();
+      table.string('sub', 191).nullable();
+      table.string('kind', 16).notNullable().default('revoked');
+      table.bigInteger('expires_at_ms');
+      table.timestamp('revoked_at').notNullable().default('CURRENT_TIMESTAMP');
+
+      table.index(['user_id']);
+      table.index(['kind']);
+      table.index(['expires_at_ms']);
+    });
+  },
+
+  async down(db: IDatabase): Promise<void> {
+    const schema = MigrationSchema.create(db);
+    await schema.dropIfExists('zintrust_jwt_revocations');
+  },
+};

package/src/templates/project/basic/wrangler.jsonc.tpl

@@ -5,6 +5,18 @@
   "compatibility_flags": ["nodejs_compat"],
   "workers_dev": true,
   "minify": false,
+  "alias": {
+    "@routes/api.ts": "./routes/api.ts",
+    "../zintrust.plugins.wg.js": "./src/zintrust.plugins.wg.ts",
+    "@runtime-config/broadcast.ts": "./config/broadcast.ts",
+    "@runtime-config/cache.ts": "./config/cache.ts",
+    "@runtime-config/database.ts": "./config/database.ts",
+    "@runtime-config/mail.ts": "./config/mail.ts",
+    "@runtime-config/storage.ts": "./config/storage.ts",
+    "@runtime-config/queue.ts": "./config/queue.ts",
+    "@runtime-config/notification.ts": "./config/notification.ts",
+    "@runtime-config/middleware.ts": "./config/middleware.ts"
+  },
 
   "vars": {
     "ENVIRONMENT": "development"

package/src/zintrust.plugins.d.ts

@@ -1,14 +1,8 @@
 /**
- * ZinTrust plugin auto-imports
- *
- * In real projects, this file is managed by `zin plugin install` and contains
- * side-effect imports (e.g. `@zintrust/db-sqlite/register`) that register
- * optional adapters/drivers into core registries.
- *
- * In the ZinTrust monorepo/dev workspace, we import a local bundle of plugin
- * registrations so `zin s` works out-of-the-box (database adapters, queue, mail).
+ * Auto-generated fallback module.
+ * This file is created by scripts/ensure-worker-plugins.mjs when missing.
+ * It allows optional runtime plugin imports to resolve in CI/scaffolded setups.
  */
-import './zintrust.comon';
 export declare const __zintrustGeneratedPluginStub = "zintrust.plugins.ts";
 declare const _default: {};
 export default _default;

package/src/zintrust.plugins.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"zintrust.plugins.d.ts","sourceRoot":"","sources":["../../src/zintrust.plugins.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,OAAO,kBAAkB,CAAC;AAuB1B,eAAO,MAAM,6BAA6B,wBAAwB,CAAC;;AACnE,wBAAkB"}
+{"version":3,"file":"zintrust.plugins.d.ts","sourceRoot":"","sources":["../../src/zintrust.plugins.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,eAAO,MAAM,6BAA6B,wBAAwB,CAAC;;AACnE,wBAAkB"}

package/src/zintrust.plugins.js

@@ -1,34 +1,7 @@
 /**
- * ZinTrust plugin auto-imports
- *
- * In real projects, this file is managed by `zin plugin install` and contains
- * side-effect imports (e.g. `@zintrust/db-sqlite/register`) that register
- * optional adapters/drivers into core registries.
- *
- * In the ZinTrust monorepo/dev workspace, we import a local bundle of plugin
- * registrations so `zin s` works out-of-the-box (database adapters, queue, mail).
+ * Auto-generated fallback module.
+ * This file is created by scripts/ensure-worker-plugins.mjs when missing.
+ * It allows optional runtime plugin imports to resolve in CI/scaffolded setups.
  */
-import './zintrust.comon.js';
-// Example: pre-register persisted worker processorSpec mappings.
-// Uncomment and adapt to your project as needed.
-//
-// import { ZinTrustProcessor } from '../app/Workers/AdvancEmailWorker';
-// import { WorkerFactory, type WorkerFactoryConfig } from '@zintrust/workers';
-//
-// type PreRegisteredProcessorSpec = {
-//   processorSpec: string;
-//   processor: WorkerFactoryConfig['processor'];
-// };
-//
-// export const preRegisteredWorkerProcessorSpecs: ReadonlyArray<PreRegisteredProcessorSpec> = [
-//   {
-//     processorSpec: 'https://wk.zintrust.com/AdvancEmailWorker.js',
-//     processor: ZinTrustProcessor,
-//   },
-// ];
-//
-// for (const entry of preRegisteredWorkerProcessorSpecs) {
-//   WorkerFactory.registerProcessorSpec(entry.processorSpec, entry.processor);
-// }
 export const __zintrustGeneratedPluginStub = 'zintrust.plugins.ts';
 export default {};

package/src/zintrust.plugins.wg.d.ts

@@ -3,7 +3,6 @@
  * This file is created by scripts/ensure-worker-plugins.mjs when missing.
  * It allows optional runtime plugin imports to resolve in CI/scaffolded setups.
  */
-import './zintrust.comon';
 export declare const __zintrustGeneratedPluginStub = "zintrust.plugins.wg.ts";
 declare const _default: {};
 export default _default;

package/src/zintrust.plugins.wg.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"zintrust.plugins.wg.d.ts","sourceRoot":"","sources":["../../src/zintrust.plugins.wg.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,kBAAkB,CAAC;AAC1B,eAAO,MAAM,6BAA6B,2BAA2B,CAAC;;AACtE,wBAAkB"}
+{"version":3,"file":"zintrust.plugins.wg.d.ts","sourceRoot":"","sources":["../../src/zintrust.plugins.wg.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,eAAO,MAAM,6BAA6B,2BAA2B,CAAC;;AACtE,wBAAkB"}

package/src/zintrust.plugins.wg.js

@@ -3,6 +3,5 @@
  * This file is created by scripts/ensure-worker-plugins.mjs when missing.
  * It allows optional runtime plugin imports to resolve in CI/scaffolded setups.
  */
-import './zintrust.comon.js';
 export const __zintrustGeneratedPluginStub = 'zintrust.plugins.wg.ts';
 export default {};

package/src/templates/project/basic/app/Middleware/ProfilerMiddleware.ts.tpl

@@ -1,54 +0,0 @@
-// @ts-nocheck - Example middleware - WIP
-/**
- * Profiler Middleware
- * Enables request profiling when ENABLE_PROFILER environment variable is set
- */
-
-import { Middleware, Logger , RequestProfiler} from '@zintrust/core';
-
-/**
- * ProfilerMiddleware wraps request execution with performance profiling
- * Enabled via ENABLE_PROFILER=true environment variable
- * Attaches profiling report to response headers
- */
-export const ProfilerMiddleware: Middleware = async (req, res, next) => {
-  const isEnabled = process.env.ENABLE_PROFILER === 'true';
-
-  if (!isEnabled) {
-    // Pass through without profiling
-    await next();
-    return;
-  }
-
-  const profiler = RequestProfiler.create();
-  const queryLogger = profiler.getQueryLogger();
-
-  // Set up query logging if database is available
-  const db = req.context.db;
-  if (db !== undefined && db !== null && typeof db.onAfterQuery === 'function') {
-    db.onAfterQuery((sql: string, params: unknown[], duration: number) => {
-      queryLogger.logQuery(sql, params, duration, 'middleware-profiling');
-    });
-  }
-
-  // Capture request execution
-  const profile = await profiler.captureRequest(async () => next());
-
-  // Attach profile to response
-  res.locals.profile = profile;
-
-  // Add profiling report to response header
-  try {
-    const report = profiler.generateReport(profile);
-    res.setHeader('X-Profiler-Report', Buffer.from(report).toString('base64'));
-    res.setHeader('X-Profiler-Queries', profile.queriesExecuted.toString());
-    res.setHeader('X-Profiler-Duration', profile.duration.toString());
-
-    if (profile.n1Patterns.length > 0) {
-      res.setHeader('X-Profiler-N1-Patterns', profile.n1Patterns.length.toString());
-    }
-  } catch (error) {
-    // Silently fail if header encoding fails
-    Logger.error('Failed to encode profiler report header:', error);
-  }
-};

package/src/templates/project/basic/app/Middleware/index.ts.tpl

@@ -1,293 +0,0 @@
-/**
- * Example Middleware
- * Common middleware patterns for ZinTrust
- */
-
-import type { IJwtManager, JwtAlgorithm, JwtManagerType, ISchema, SchemaType, CsrfTokenManagerType, ICsrfTokenManager } from '@zintrust/core';
-import { Logger , Validator, IRequest, IResponse, XssProtection} from '@zintrust/core';
-
-
-type JwtManagerInput = IJwtManager | JwtManagerType;
-type CsrfManagerInput = ICsrfTokenManager | CsrfTokenManagerType;
-
-const resolveJwtManager = (jwtManager: JwtManagerInput): IJwtManager =>
-  'verify' in jwtManager ? jwtManager : jwtManager.create();
-
-const resolveCsrfManager = (csrfManager: CsrfManagerInput): ICsrfTokenManager =>
-  'validateToken' in csrfManager ? csrfManager : csrfManager.create();
-
-type ValidationSchema = ISchema | SchemaType;
-
-const resolveSchema = (schema: ValidationSchema): ISchema =>
-  'getRules' in schema ? schema : schema.create();
-
-/**
- * Authentication Middleware
- * Verify user is authenticated
- */
-export const authMiddleware = async (
-  req: IRequest,
-  res: IResponse,
-  next: () => Promise<void>
-): Promise<void> => {
-  const token = req.getHeader('authorization');
-
-  if (token === undefined || token === '') {
-    res.setStatus(401).json({ error: 'Unauthorized' });
-    return;
-  }
-
-  await next();
-};
-
-/**
- * CORS Middleware
- * Handle CORS headers
- */
-export const corsMiddleware = async (
-  req: IRequest,
-  res: IResponse,
-  next: () => Promise<void>
-): Promise<void> => {
-  res.setHeader('Access-Control-Allow-Origin', '*');
-  res.setHeader('Access-Control-Allow-Methods', 'GET, POST, PUT, PATCH, DELETE, OPTIONS');
-  res.setHeader('Access-Control-Allow-Headers', 'Content-Type, Authorization');
-
-  if (req.getMethod() === 'OPTIONS') {
-    res.setStatus(200).send('');
-    return;
-  }
-
-  await next();
-};
-
-/**
- * JSON Request Middleware
- * Parse JSON request bodies
- */
-export const jsonMiddleware = async (
-  req: IRequest,
-  res: IResponse,
-  next: () => Promise<void>
-): Promise<void> => {
-  if (req.getMethod() === 'GET' || req.getMethod() === 'DELETE') {
-    await next();
-    return;
-  }
-
-  if (req.isJson() === false) {
-    res.setStatus(415).json({ error: 'Content-Type must be application/json' });
-    return;
-  }
-
-  await next();
-};
-
-/**
- * Logging Middleware
- * Log all requests
- */
-export const loggingMiddleware = async (
-  req: IRequest,
-  res: IResponse,
-  next: () => Promise<void>
-): Promise<void> => {
-  const startTime = Date.now();
-  const method = req.getMethod();
-  const path = req.getPath();
-
-  Logger.info(`→ ${method} ${path}`);
-
-  await next();
-
-  const duration = Date.now() - startTime;
-  const status = res.getStatus();
-  Logger.info(`← ${status} ${method} ${path} (${duration}ms)`);
-};
-
-/**
- * Rate Limiting Middleware
- * Simple in-memory rate limiting
- */
-const requestCounts = new Map<string, number[]>();
-
-export const rateLimitMiddleware = async (
-  req: IRequest,
-  res: IResponse,
-  next: () => Promise<void>
-): Promise<void> => {
-  const ip = req.getRaw().socket.remoteAddress ?? 'unknown';
-  const now = Date.now();
-  const windowMs = 60 * 1000; // 1 minute
-  const maxRequests = 100;
-
-  if (requestCounts.has(ip) === false) {
-    requestCounts.set(ip, []);
-  }
-
-  const requests = requestCounts.get(ip) ?? [];
-  const recentRequests = requests.filter((time) => now - time < windowMs);
-
-  if (recentRequests.length >= maxRequests) {
-    res.setStatus(429).json({ error: 'Too many requests' });
-    return;
-  }
-
-  recentRequests.push(now);
-  requestCounts.set(ip, recentRequests);
-
-  await next();
-};
-
-/**
- * Trailing Slash Middleware
- * Redirect URLs with trailing slashes
- */
-export const trailingSlashMiddleware = async (
-  req: IRequest,
-  res: IResponse,
-  next: () => Promise<void>
-): Promise<void> => {
-  const path = req.getPath();
-
-  if (path.length > 1 && path.endsWith('/') === true) {
-    const withoutSlash = path.slice(0, -1);
-    res.redirect(withoutSlash, 301);
-    return;
-  }
-
-  await next();
-};
-
-/**
- * JWT Authentication Middleware
- * Verify JWT token and extract claims
- */
-export const jwtMiddleware = (jwtManager: JwtManagerInput, algorithm: JwtAlgorithm = 'HS256') => {
-  return async (req: IRequest, res: IResponse, next: () => Promise<void>): Promise<void> => {
-    const authHeader = req.getHeader('authorization');
-
-    if (authHeader === undefined || authHeader === '') {
-      res.setStatus(401).json({ error: 'Missing authorization header' });
-      return;
-    }
-
-    const authHeaderStr = Array.isArray(authHeader) ? authHeader[0] : authHeader;
-    const [scheme, token] = authHeaderStr.split(' ');
-
-    if (scheme !== 'Bearer' || token === undefined || token === '') {
-      res.setStatus(401).json({ error: 'Invalid authorization header format' });
-      return;
-    }
-
-    try {
-      const payload = resolveJwtManager(jwtManager).verify(token, algorithm);
-      // Store in request context (TypeScript allows dynamic properties)
-      req.user = payload;
-      await next();
-    } catch (error) {
-      Logger.error('JWT verification failed:', error);
-      res.setStatus(401).json({ error: 'Invalid or expired token' });
-    }
-  };
-};
-
-/**
- * CSRF Protection Middleware
- * Validate CSRF tokens for state-changing requests
- */
-export const csrfMiddleware = (csrfManager: CsrfManagerInput) => {
-  return async (req: IRequest, res: IResponse, next: () => Promise<void>): Promise<void> => {
-    const method = req.getMethod();
-
-    // Only validate on state-changing requests
-    if (['POST', 'PUT', 'PATCH', 'DELETE'].includes(method) === false) {
-      await next();
-      return;
-    }
-
-    const sessionId = req.sessionId ?? req.getHeader('x-session-id');
-
-    if (sessionId === undefined || sessionId === '') {
-      res.setStatus(400).json({ error: 'Missing session ID' });
-      return;
-    }
-
-    const csrfToken = req.getHeader('x-csrf-token');
-
-    if (csrfToken === undefined || csrfToken === '') {
-      res.setStatus(403).json({ error: 'Missing CSRF token' });
-      return;
-    }
-
-    const isValid = await resolveCsrfManager(csrfManager).validateToken(
-      String(sessionId),
-      String(csrfToken)
-    );
-
-    if (isValid === false) {
-      res.setStatus(403).json({ error: 'Invalid or expired CSRF token' });
-      return;
-    }
-
-    await next();
-  };
-};
-
-/**
- * Input Validation Middleware
- * Validate request body against schema
- */
-export const validationMiddleware = (schema: SchemaType) => {
-  return async (req: IRequest, res: IResponse, next: () => Promise<void>): Promise<void> => {
-    if (req.getMethod() === 'GET' || req.getMethod() === 'DELETE') {
-      await next();
-      return;
-    }
-
-    try {
-      const body = req.body ?? {};
-      Validator.validate(body, resolveSchema(schema));
-      await next();
-    } catch (error: unknown) {
-      Logger.error('Validation error:', error);
-      const newError = error as Error & { toObject?: () => Record<string, unknown> };
-      if (
-        error !== undefined &&
-        'toObject' in newError &&
-        typeof newError.toObject === 'function'
-      ) {
-        res.setStatus(422).json({ errors: newError.toObject() });
-      } else {
-        res.setStatus(400).json({ error: 'Invalid request body' });
-      }
-    }
-  };
-};
-
-/**
- * XSS Protection Middleware
- * Sanitize and escape user input
- */
-export const xssProtectionMiddleware = async (
-  req: IRequest,
-  res: IResponse,
-  next: () => Promise<void>
-): Promise<void> => {
-  // Add XSS protection headers
-  res.setHeader('X-Content-Type-Options', 'nosniff');
-  res.setHeader('X-Frame-Options', 'DENY');
-  res.setHeader('X-XSS-Protection', '1; mode=block');
-
-  // Sanitize request body if present
-  const body = req.body;
-  if (body !== undefined && body !== null && typeof body === 'object') {
-    for (const [key, value] of Object.entries(body)) {
-      if (typeof value === 'string') {
-        body[key] = XssProtection.escape(value);
-      }
-    }
-  }
-
-  await next();
-};

package/src/templates/project/basic/database/migrations/create_tasks_table.ts.tpl

@@ -1,28 +0,0 @@
-import { MigrationSchema, type Blueprint } from '@zintrust/core';
-import type { IDatabase } from '@zintrust/core';
-
-export interface Migration {
-  up(db: IDatabase): Promise<void>;
-  down(db: IDatabase): Promise<void>;
-}
-
-export const migration: Migration = {
-  async up(db: IDatabase): Promise<void> {
-    const schema = MigrationSchema.create(db);
-
-    await schema.create('tasks', (table: Blueprint) => {
-      table.id();
-      table.string('title');
-      table.text('description').nullable();
-      table.string('status').default('pending');
-      table.integer('user_id');
-      table.foreign('user_id').references('id').on('users').onDelete('CASCADE');
-      table.timestamps();
-    });
-  },
-
-  async down(db: IDatabase): Promise<void> {
-    const schema = MigrationSchema.create(db);
-    await schema.dropIfExists('tasks');
-  },
-};

package/src/zintrust.comon.d.ts

@@ -1,9 +0,0 @@
-import '../packages/db-d1/src/register.js';
-import '../packages/db-mysql/src/register.js';
-import '../packages/db-postgres/src/register.js';
-import '../packages/db-sqlite/src/register.js';
-import '../packages/db-sqlserver/src/register.js';
-import '../packages/mail-sendgrid/src/register.js';
-import '../packages/mail-smtp/src/register.js';
-import '../packages/queue-redis/src/register.js';
-//# sourceMappingURL=zintrust.comon.d.ts.map

package/src/zintrust.comon.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"zintrust.comon.d.ts","sourceRoot":"","sources":["../../src/zintrust.comon.ts"],"names":[],"mappings":"AAQA,OAAO,mCAAmC,CAAC;AAC3C,OAAO,sCAAsC,CAAC;AAC9C,OAAO,yCAAyC,CAAC;AACjD,OAAO,uCAAuC,CAAC;AAC/C,OAAO,0CAA0C,CAAC;AAClD,OAAO,2CAA2C,CAAC;AACnD,OAAO,uCAAuC,CAAC;AAC/C,OAAO,yCAAyC,CAAC"}

package/src/zintrust.comon.js

@@ -1,15 +0,0 @@
-/* eslint-disable no-restricted-imports */
-// /**
-//  * ZinTrust comon plugin auto-imports
-//  *
-//  * This file is managed by `zin plugin install` and contains side-effect
-//  * imports that register optional adapters/drivers into core registries.
-//  */
-import '../packages/db-d1/src/register.js';
-import '../packages/db-mysql/src/register.js';
-import '../packages/db-postgres/src/register.js';
-import '../packages/db-sqlite/src/register.js';
-import '../packages/db-sqlserver/src/register.js';
-import '../packages/mail-sendgrid/src/register.js';
-import '../packages/mail-smtp/src/register.js';
-import '../packages/queue-redis/src/register.js';