appos 0.3.5-0 → 0.3.7-0

package/dist/exports/cli/api/auth.d.mts

@@ -1,379 +0,0 @@
-import { Database, QualifiedTableNames } from "./database.mjs";
-import { z } from "zod";
-import { betterAuth } from "better-auth";
-import { Role, createAccessControl } from "better-auth/plugins/access";
-
-//#region src/api/auth.d.ts
-
-/**
- * Type for access controller created via createAccessControl().
- * Used for RBAC on both server and client.
- */
-type AccessController = ReturnType<typeof createAccessControl>;
-/**
- * Type for roles created via ac.newRole().
- * Uses Role type from better-auth for compatibility.
- */
-type AccessControlRoles = Record<string, Role>;
-/**
- * Type-safe audit log options for defineAuth().
- * Generic over db object to provide autocomplete for excludeTables.
- *
- * @template TDb - Database record type for table name inference
- */
-type AuditLogOptions<TDb> = {
-  /**
-   * Tables to exclude from audit logging.
-   */
-  excludeTables?: QualifiedTableNames<TDb>[];
-  /**
-   * Cron expression for purge schedule.
-   *
-   * @default "0 0 * * *"
-   */
-  purgeCron?: string;
-  /**
-   * Retention period in days. Audit logs older than this are auto-deleted.
-   * @default 90
-   */
-  retentionDays?: number;
-};
-/**
- * Neutral auth configuration - shared between server and client.
- * Contains ONLY fields that affect both sides (UI + server features).
- *
- * PRESENCE-BASED CONFIG: If a key exists, it's enabled. No redundant `enabled` fields.
- * Server-only fields (appName, session) are passed via DefineAuthOptions.
- */
-interface AuthConfig {
-  /**
-   * Base URL where auth server is hosted.
-   *
-   * @default "" (same origin - client uses relative URLs)
-   * @example "http://localhost:8000" for cross-origin
-   */
-  baseURL?: string;
-  /**
-   * Base path for auth routes.
-   *
-   * @default "/auth"
-   */
-  basePath?: string;
-  /** Authentication methods - if defined, it's enabled */
-  methods?: {
-    /** Email/password auth. If defined, enabled. */
-    emailPassword?: {
-      requireEmailVerification?: boolean;
-      minPasswordLength?: number;
-      maxPasswordLength?: number;
-    };
-    /** Magic link auth. If defined, enabled. */
-    magicLink?: {
-      expiresIn?: number;
-    };
-    /** Passkey auth. If defined (even as empty object), enabled. */
-    passkey?: Record<string, never>;
-    /** Phone OTP auth. If defined, enabled. */
-    phoneOtp?: {
-      otpLength?: number;
-      expiresIn?: number;
-    };
-    /** Email OTP auth. If defined, enabled. */
-    emailOtp?: {
-      otpLength?: number;
-      expiresIn?: number;
-    };
-  };
-  /** OAuth providers - true = enabled, undefined/false = disabled */
-  oauth?: {
-    google?: boolean;
-    github?: boolean;
-    apple?: boolean;
-    facebook?: boolean;
-  };
-  /** Plugins - if defined, it's enabled */
-  plugins?: {
-    /** Admin plugin. If defined, enabled. Includes RBAC for both server and client. */
-    admin?: {
-      defaultRole?: string;
-      adminRoles?: string[];
-      /** Access controller created via createAccessControl() - shared between server and client */
-      ac: AccessController;
-      /** Role definitions created via ac.newRole() - shared between server and client */
-      roles: AccessControlRoles;
-    };
-    /** API key plugin. If defined, enabled. */
-    apiKey?: {
-      defaultPrefix?: string;
-      defaultKeyLength?: number;
-      rateLimit?: {
-        maxRequests?: number;
-        timeWindow?: number;
-      };
-    };
-    /** Two-factor plugin. If defined, enabled. Sub-features also presence-based. */
-    twoFactor?: {
-      issuer?: string;
-      totp?: {
-        digits?: 6 | 8;
-        period?: number;
-      };
-      otp?: boolean;
-      backupCodes?: {
-        amount?: number;
-        length?: number;
-      };
-    };
-    /** Multi-session plugin. If defined, enabled. */
-    multiSession?: {
-      maximumSessions?: number;
-    };
-    /** Username plugin. If defined, enabled. */
-    username?: {
-      minUsernameLength?: number;
-      maxUsernameLength?: number;
-    };
-    /** Anonymous auth plugin. If defined, enabled. */
-    anonymous?: {
-      emailDomainName?: string;
-    };
-    /** SSO plugin. If defined, enabled. Import from @better-auth/sso */
-    sso?: {
-      providersLimit?: number;
-      trustEmailVerified?: boolean;
-      domainVerification?: boolean;
-    };
-  };
-}
-/** Base hook types for reference */
-type EmailHook = (params: {
-  email: string;
-  url: string;
-  token: string;
-}) => Promise<void>;
-type OtpHook = (params: {
-  email: string;
-  otp: string;
-}) => Promise<void>;
-type PhoneOtpHook = (params: {
-  phoneNumber: string;
-  otp: string;
-}) => Promise<void>;
-/**
- * Conditionally required hooks based on config.
- * Uses PRESENCE-BASED detection - if key exists, hook is REQUIRED.
- */
-type RequiredHooks<T extends AuthConfig> = (T["methods"] extends {
-  emailPassword: {
-    requireEmailVerification: true;
-  };
-} ? {
-  sendVerificationEmail: EmailHook;
-} : {
-  sendVerificationEmail?: EmailHook;
-}) & (T["methods"] extends {
-  emailPassword: object;
-} ? {
-  sendResetPasswordEmail: EmailHook;
-} : {
-  sendResetPasswordEmail?: EmailHook;
-}) & (T["methods"] extends {
-  magicLink: object;
-} ? {
-  sendMagicLink: EmailHook;
-} : {
-  sendMagicLink?: EmailHook;
-}) & (T["methods"] extends {
-  emailOtp: object;
-} ? {
-  sendEmailOTP: OtpHook;
-} : {
-  sendEmailOTP?: OtpHook;
-}) & (T["methods"] extends {
-  phoneOtp: object;
-} ? {
-  sendPhoneOTP: PhoneOtpHook;
-} : {
-  sendPhoneOTP?: PhoneOtpHook;
-}) & (T["plugins"] extends {
-  twoFactor: {
-    otp: true;
-  };
-} ? {
-  send2FAOTP: OtpHook;
-} : {
-  send2FAOTP?: OtpHook;
-});
-/**
- * Conditionally required OAuth credentials based on config.
- * If an OAuth provider is enabled in config, its credentials are REQUIRED.
- */
-type RequiredOAuth<T extends AuthConfig> = (T["oauth"] extends {
-  google: true;
-} ? {
-  google: {
-    clientId: string;
-    clientSecret: string;
-  };
-} : {
-  google?: {
-    clientId: string;
-    clientSecret: string;
-  };
-}) & (T["oauth"] extends {
-  github: true;
-} ? {
-  github: {
-    clientId: string;
-    clientSecret: string;
-  };
-} : {
-  github?: {
-    clientId: string;
-    clientSecret: string;
-  };
-}) & (T["oauth"] extends {
-  apple: true;
-} ? {
-  apple: {
-    clientId: string;
-    clientSecret: string;
-  };
-} : {
-  apple?: {
-    clientId: string;
-    clientSecret: string;
-  };
-}) & (T["oauth"] extends {
-  facebook: true;
-} ? {
-  facebook: {
-    clientId: string;
-    clientSecret: string;
-  };
-} : {
-  facebook?: {
-    clientId: string;
-    clientSecret: string;
-  };
-});
-/** Check if any OAuth provider is enabled */
-type HasOAuthEnabled<T extends AuthConfig> = T["oauth"] extends {
-  google: true;
-} | {
-  github: true;
-} | {
-  apple: true;
-} | {
-  facebook: true;
-} ? true : false;
-/** Check if passkey is enabled */
-type HasPasskeyEnabled<T extends AuthConfig> = T["methods"] extends {
-  passkey: object;
-} ? true : false;
-/**
- * Server-only session configuration.
- */
-interface AuthSessionConfig {
-  /**
-   * Session duration in seconds.
-   *
-   * @default 604800 (7 days)
-   */
-  expiresIn?: number;
-  /**
-   * How often to update session in seconds.
-   *
-   * @default 86400 (1 day)
-   */
-  updateAge?: number;
-  /**
-   * Session freshness in seconds for sensitive ops.
-   *
-   * @default 86400 (1 day)
-   */
-  freshAge?: number;
-}
-/**
- * Server-only passkey configuration (required if passkey is enabled).
- */
-interface AuthPasskeyConfig {
-  /**
-   * Relying Party ID - domain for passkey (e.g., "example.com" or "localhost").
-   */
-  rpID: string;
-  /**
-   * Origin URL for passkey verification (e.g., "http://localhost:8000").
-   */
-  origin: string;
-}
-/**
- * Fully type-safe options for defineAuth().
- *
- * Server-only fields:
- * - `appName` - Application name for passkey rpName, TOTP issuer, emails
- * - `auditLog` - Audit logging configuration
- * - `session` - Session duration and freshness settings
- *
- * Conditional requirements:
- * - If config has `oauth.google: true`, then `oauth.google` credentials are REQUIRED
- * - If config has `methods.magicLink` defined, then `hooks.sendMagicLink` is REQUIRED
- *
- * @template T - Auth config type
- * @template TDb - Database record type for type-safe excludeTables
- */
-type DefineAuthOptions<T extends AuthConfig, TDb = unknown> = {
-  /**
-   * The application name.
-   */
-  appName: string;
-  /**
-   * Audit logging configuration (server-only). Use qualified table names: "dbName.tableName".
-   */
-  auditLog?: AuditLogOptions<TDb>;
-  /**
-   * The neutral auth configuration.
-   */
-  config: T;
-  /**
-   * Full db object (container.db) for type inference.
-   */
-  db: TDb;
-  /**
-   * Primary database for Better Auth storage.
-   */
-  database: Database;
-  /**
-   * Hooks for email sending and OTP delivery.
-   */
-  hooks: RequiredHooks<T>;
-  /**
-   * Secret key for signing tokens and cookies.
-   */
-  secret: string;
-  /**
-   * Session configuration.
-   */
-  session?: AuthSessionConfig;
-} & (HasOAuthEnabled<T> extends true ? {
-  oauth: RequiredOAuth<T>;
-} : {
-  oauth?: RequiredOAuth<T>;
-}) & (HasPasskeyEnabled<T> extends true ? {
-  passkey: AuthPasskeyConfig;
-} : {
-  passkey?: AuthPasskeyConfig;
-});
-/**
- * Defines Better Auth instance from neutral config + server dependencies.
- */
-declare function defineAuth<T extends AuthConfig, TDb extends Record<"primary", Database> & Record<string, Database> = Record<"primary", Database> & Record<string, Database>>(opts: DefineAuthOptions<T, TDb>): ReturnType<typeof betterAuth> & {
-  auditLog?: AuditLogOptions<TDb>;
-  shouldAudit(tableName: QualifiedTableNames<TDb>): boolean;
-};
-/**
- * The auth instance type.
- */
-type Auth<TDb extends Record<"primary", Database> & Record<string, Database> = Record<"primary", Database> & Record<string, Database>> = ReturnType<typeof defineAuth<AuthConfig, TDb>>;
-//#endregion
-export { Auth };

package/dist/exports/cli/api/cache.d.mts

@@ -1,44 +0,0 @@
-import { Logger } from "./logger.mjs";
-import * as _keyv_redis0 from "@keyv/redis";
-import { KeyvRedisOptions } from "@keyv/redis";
-
-//#region src/api/cache.d.ts
-/**
- * The cache instance type.
- */
-type Cache = ReturnType<typeof defineCache>;
-/**
- * Options for defining the cache.
- */
-type DefineCacheOptions = {
-  /**
-   * Redis URL(s). Single or comma-separated for cluster.
-   */
-  url: string;
-  /**
-   * The logger instance.
-   */
-  logger: Logger;
-  /**
-   * The Keyv Redis options.
-   */
-  options?: KeyvRedisOptions;
-};
-/**
- * Define the cache instance using shared Redis client.
- * Connection is lazy - only connects when first cache operation is performed.
- *
- * Algorithm:
- * 1. Create Redis client using defineRedisClient() (lazy connection)
- * 2. Pass client to createKeyv() - connection happens on first use
- *
- * @param opts - The options for defining the cache.
- * @returns The cache instance.
- */
-declare function defineCache({
-  url,
-  logger,
-  options
-}: DefineCacheOptions): _keyv_redis0.Keyv<any>;
-//#endregion
-export { Cache };

package/dist/exports/cli/api/config.d.mts

@@ -1,18 +0,0 @@
-import { z } from "zod";
-
-//#region src/api/config.d.ts
-
-/**
- * The config base schema.
- */
-declare const baseSchema: z.ZodObject<{
-  APP_NAME: z.ZodDefault<z.ZodString>;
-  APP_DESC: z.ZodDefault<z.ZodString>;
-  APP_VERSION: z.ZodDefault<z.ZodString>;
-}, z.core.$strip>;
-/**
- * The configuration type inferred from the merged schema.
- */
-type Config<T extends z.ZodRawShape = {}> = z.infer<ReturnType<typeof baseSchema.extend<T>>>;
-//#endregion
-export { Config };

package/dist/exports/cli/api/container.d.mts

@@ -1,167 +0,0 @@
-import { Logger } from "./logger.mjs";
-import { Database } from "./database.mjs";
-import { Auth } from "./auth.mjs";
-import { Cache } from "./cache.mjs";
-import { Config } from "./config.mjs";
-import { EventBus } from "./event.mjs";
-import { Mailer } from "./mailer.mjs";
-import { Storage } from "./storage.mjs";
-import { CorsOptions } from "cors";
-import { Options } from "express-rate-limit";
-import { HelmetOptions } from "helmet";
-import { i18n } from "i18next";
-
-//#region src/api/container.d.ts
-
-/**
- * Server configuration for the HTTP server.
- */
-interface ServerConfig {
-  /**
-   * The host address the server will bind to.
-   *
-   * @default "0.0.0.0"
-   */
-  host?: string;
-  /**
-   * The port number the server will listen on.
-   */
-  port: number;
-  /**
-   * Request timeout in milliseconds. Requests exceeding this duration
-   * will receive a 408 Request Timeout response.
-   *
-   * @default 30000
-   */
-  timeout?: number;
-  /**
-   * Maximum request body size for JSON and URL-encoded payloads.
-   * Supports bytes.js format strings (e.g., "1mb", "500kb", "10mb").
-   *
-   * @default "1mb"
-   */
-  bodyLimit?: string;
-  /**
-   * The path for the health check endpoint.
-   *
-   * @default "/health"
-   */
-  healthPath?: string;
-  /**
-   * CORS configuration. Omit or set to undefined to disable.
-   *
-   * @example
-   * cors: { origin: "https://example.com", credentials: true }
-   */
-  cors?: CorsOptions;
-  /**
-   * Security headers configuration (via helmet). Omit or set to undefined to disable.
-   * Recommended for production deployments.
-   *
-   * @example
-   * helmet: { contentSecurityPolicy: false }  // Enable with CSP disabled
-   * helmet: {}  // Enable with all defaults
-   */
-  helmet?: HelmetOptions;
-  /**
-   * Rate limiting configuration. Array of express-rate-limit options.
-   * Each config is applied as a separate middleware - use `skip` function for path-specific limits.
-   * Redis store is automatically configured if `redisUrl` is provided.
-   *
-   * @example
-   * // Global rate limit
-   * rateLimit: [{ windowMs: 60000, limit: 100 }]
-   *
-   * @example
-   * // Path-specific rate limits
-   * rateLimit: [
-   *   { windowMs: 900000, limit: 5, skip: (req) => !req.path.startsWith("/api/auth") },
-   *   { windowMs: 60000, limit: 100 },  // Default for all other routes
-   * ]
-   */
-  rateLimit?: Options[];
-  /**
-   * Redis URL for rate limiting store (for multi-instance deployments).
-   * Server auto-connects and cleans up on shutdown.
-   * If omitted, uses in-memory store (not suitable for production clusters).
-   *
-   * @example
-   * redisUrl: "redis://localhost:6379"
-   */
-  redisUrl?: string;
-}
-/**
- * Worker configuration for the DBOS workflow worker.
- */
-interface WorkerConfig {
-  /**
-   * The system database URL for DBOS.
-   */
-  dbUrl: string;
-}
-/**
- * The base application container type that holds required services like
- * config, databases, and caches.
- */
-interface AppContainer<TDb extends Record<"primary", Database> & Record<string, Database> = Record<"primary", Database> & Record<string, Database>> {
-  /**
-   * The application auth configuration.
-   */
-  auth: Auth<TDb>;
-  /**
-   * A map of caches available in the application.
-   */
-  cache: Record<string, Cache>;
-  /**
-   * The application configuration.
-   */
-  config: Config;
-  /**
-   * A map of databases available in the application.
-   */
-  db: TDb;
-  /**
-   * The i18n instance for internationalization.
-   */
-  i18n: i18n;
-  /**
-   * The logger instance for logging messages.
-   */
-  logger: Logger;
-  /**
-   * The event bus for in-memory and Redis pub/sub messaging.
-   */
-  eventBus: EventBus;
-  /**
-   * The mailer instance for sending emails.
-   */
-  mailer: Mailer;
-  /**
-   * Server configuration for the HTTP server.
-   */
-  server: ServerConfig;
-  /**
-   * A map of storage services available in the application.
-   */
-  storage: Record<"primary", Storage> & Record<string, Storage>;
-  /**
-   * Worker configuration for the DBOS workflow worker.
-   */
-  worker: WorkerConfig;
-}
-/**
- * Global namespace for user container augmentation.
- * Users can extend Container interface in their container.ts file.
- */
-declare global {
-  namespace AppOS {
-    interface Container {}
-  }
-}
-/**
- * The container type used throughout the application.
- * Merges base AppContainer with user's custom Container augmentations.
- */
-type Container = AppContainer & AppOS.Container;
-//#endregion
-export { Container };

package/dist/exports/cli/api/database.d.mts

@@ -1,47 +0,0 @@
-import { Logger } from "./logger.mjs";
-import { AnyRelations, EmptyRelations } from "drizzle-orm";
-import "drizzle-orm/pg-core";
-import * as drizzle_orm_node_postgres0 from "drizzle-orm/node-postgres";
-import * as pg0 from "pg";
-import pg from "pg";
-
-//#region src/api/database.d.ts
-type PoolConfig = pg.PoolConfig;
-/**
- * Extract qualified table names from db object.
- */
-type QualifiedTableNames<TDb> = { [K in keyof TDb]: TDb[K] extends {
-  _: {
-    fullSchema: infer S;
-  };
-} ? `${K & string}.${keyof S & string}` : never }[keyof TDb];
-/**
- * Options for defining the database.
- */
-interface DefineDatabaseOptions<TSchema extends Record<string, unknown> = Record<string, never>, TRelations extends AnyRelations = EmptyRelations> {
-  logger: Logger;
-  poolConfig: PoolConfig;
-  relations?: TRelations;
-  schema?: TSchema;
-}
-/**
- * The database type.
- */
-type Database = Awaited<ReturnType<typeof defineDatabase>>;
-/**
- * Define the database with the provided options.
- *
- * Algorithm:
- * 1. Create a connection pool with sensible defaults
- * 2. Initialize drizzle ORM with schema and relations
- *
- * @param opts The options for defining the database, including pool configuration, relations, and schema.
- * @template TSchema The schema type for the database.
- * @template TRelations The relations type for the database.
- * @returns The defined database instance.
- */
-declare function defineDatabase<TSchema extends Record<string, unknown> = Record<string, never>, TRelations extends AnyRelations = EmptyRelations>(opts: DefineDatabaseOptions<TSchema, TRelations>): Promise<drizzle_orm_node_postgres0.NodePgDatabase<TSchema, TRelations> & {
-  $client: pg0.Pool;
-}>;
-//#endregion
-export { Database, QualifiedTableNames };