clawfire 0.1.0

package/dist/functions.cjs

@@ -0,0 +1,1156 @@
+"use strict";
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __esm = (fn, res) => function __init() {
+  return fn && (res = (0, fn[__getOwnPropNames(fn)[0]])(fn = 0)), res;
+};
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+
+// src/core/errors.ts
+var errors_exports = {};
+__export(errors_exports, {
+  ClawfireError: () => ClawfireError,
+  Errors: () => Errors
+});
+var HTTP_STATUS_MAP, ClawfireError, Errors;
+var init_errors = __esm({
+  "src/core/errors.ts"() {
+    "use strict";
+    HTTP_STATUS_MAP = {
+      VALIDATION_ERROR: 400,
+      UNAUTHORIZED: 401,
+      FORBIDDEN: 403,
+      NOT_FOUND: 404,
+      CONFLICT: 409,
+      RATE_LIMITED: 429,
+      REAUTH_REQUIRED: 401,
+      INTERNAL_ERROR: 500,
+      SERVICE_UNAVAILABLE: 503
+    };
+    ClawfireError = class extends Error {
+      code;
+      statusCode;
+      details;
+      constructor(code, message, details) {
+        super(message);
+        this.name = "ClawfireError";
+        this.code = code;
+        this.statusCode = HTTP_STATUS_MAP[code];
+        this.details = details;
+      }
+      toJSON() {
+        return {
+          error: {
+            code: this.code,
+            message: this.message,
+            ...this.details ? { details: this.details } : {}
+          }
+        };
+      }
+    };
+    Errors = {
+      validation: (message, details) => new ClawfireError("VALIDATION_ERROR", message, details),
+      unauthorized: (message = "Authentication required") => new ClawfireError("UNAUTHORIZED", message),
+      forbidden: (message = "Insufficient permissions") => new ClawfireError("FORBIDDEN", message),
+      notFound: (message = "Resource not found") => new ClawfireError("NOT_FOUND", message),
+      conflict: (message) => new ClawfireError("CONFLICT", message),
+      rateLimited: (message = "Too many requests") => new ClawfireError("RATE_LIMITED", message),
+      reauthRequired: (message = "Re-authentication required for this action") => new ClawfireError("REAUTH_REQUIRED", message),
+      internal: (message = "Internal server error") => new ClawfireError("INTERNAL_ERROR", message),
+      unavailable: (message = "Service temporarily unavailable") => new ClawfireError("SERVICE_UNAVAILABLE", message)
+    };
+  }
+});
+
+// src/functions.ts
+var functions_exports = {};
+__export(functions_exports, {
+  ClawfireError: () => ClawfireError,
+  ClawfireRouter: () => ClawfireRouter,
+  Errors: () => Errors,
+  checkAuthLevel: () => checkAuthLevel,
+  corsMiddleware: () => corsMiddleware,
+  createAdminDB: () => createAdminDB,
+  createRouter: () => createRouter,
+  createSecurityMiddleware: () => createSecurityMiddleware,
+  defineAPI: () => defineAPI,
+  defineModel: () => defineModel,
+  discoverRoutes: () => discoverRoutes,
+  extractBearerToken: () => extractBearerToken,
+  generateDefaultRules: () => generateDefaultRules,
+  generateFirebaseJson: () => generateFirebaseJson,
+  generateFirestoreIndexes: () => generateFirestoreIndexes,
+  generateFirestoreRules: () => generateFirestoreRules,
+  generateRouteImports: () => generateRouteImports,
+  getUserRole: () => getUserRole,
+  inputSizeLimit: () => inputSizeLimit,
+  logger: () => logger,
+  modelToZodSchema: () => modelToZodSchema,
+  requestLogger: () => requestLogger,
+  sanitizeInput: () => sanitizeInput,
+  setCustomClaims: () => setCustomClaims,
+  setUserRole: () => setUserRole,
+  verifyReauth: () => verifyReauth,
+  verifyToken: () => verifyToken,
+  z: () => import_zod2.z,
+  zodToJsonSchema: () => zodToJsonSchema
+});
+module.exports = __toCommonJS(functions_exports);
+
+// src/core/schema.ts
+var import_zod = require("zod");
+function defineAPI(contract) {
+  return contract;
+}
+function defineModel(definition) {
+  return {
+    timestamps: true,
+    ...definition
+  };
+}
+function zodToJsonSchema(schema) {
+  return extractZodShape(schema);
+}
+function extractZodShape(schema) {
+  const def = schema._def;
+  if (!def) return { type: "unknown" };
+  switch (def.typeName) {
+    case "ZodObject": {
+      const shape = schema.shape;
+      const properties = {};
+      const required = [];
+      for (const [key, value] of Object.entries(shape)) {
+        properties[key] = extractZodShape(value);
+        if (!value.isOptional?.()) {
+          const innerDef = value._def;
+          if (innerDef?.typeName !== "ZodOptional" && innerDef?.typeName !== "ZodDefault") {
+            required.push(key);
+          }
+        }
+      }
+      return { type: "object", properties, ...required.length > 0 ? { required } : {} };
+    }
+    case "ZodString":
+      return { type: "string", ...def.checks?.length ? extractStringChecks(def.checks) : {} };
+    case "ZodNumber":
+      return { type: "number" };
+    case "ZodBoolean":
+      return { type: "boolean" };
+    case "ZodArray":
+      return { type: "array", items: extractZodShape(def.type) };
+    case "ZodEnum":
+      return { type: "string", enum: def.values };
+    case "ZodOptional":
+      return { ...extractZodShape(def.innerType), optional: true };
+    case "ZodDefault":
+      return { ...extractZodShape(def.innerType), default: def.defaultValue() };
+    case "ZodNullable":
+      return { ...extractZodShape(def.innerType), nullable: true };
+    case "ZodLiteral":
+      return { type: typeof def.value, const: def.value };
+    case "ZodUnion":
+      return { oneOf: def.options.map((o) => extractZodShape(o)) };
+    case "ZodRecord":
+      return { type: "object", additionalProperties: extractZodShape(def.valueType) };
+    case "ZodDate":
+      return { type: "string", format: "date-time" };
+    default:
+      return { type: "unknown" };
+  }
+}
+function extractStringChecks(checks) {
+  const result = {};
+  for (const check of checks) {
+    switch (check.kind) {
+      case "min":
+        result.minLength = check.value;
+        break;
+      case "max":
+        result.maxLength = check.value;
+        break;
+      case "email":
+        result.format = "email";
+        break;
+      case "url":
+        result.format = "uri";
+        break;
+      case "uuid":
+        result.format = "uuid";
+        break;
+    }
+  }
+  return result;
+}
+function modelToZodSchema(model) {
+  const shape = {};
+  for (const [key, field] of Object.entries(model.fields)) {
+    let fieldSchema = fieldToZod(field);
+    if (!field.required) {
+      fieldSchema = fieldSchema.optional();
+    }
+    shape[key] = fieldSchema;
+  }
+  if (model.timestamps) {
+    shape.createdAt = import_zod.z.string().datetime().optional();
+    shape.updatedAt = import_zod.z.string().datetime().optional();
+  }
+  if (model.softDelete) {
+    shape.deletedAt = import_zod.z.string().datetime().nullable().optional();
+  }
+  return import_zod.z.object(shape);
+}
+function fieldToZod(field) {
+  switch (field.type) {
+    case "string":
+      if (field.enum) return import_zod.z.enum(field.enum);
+      return import_zod.z.string();
+    case "number":
+      return import_zod.z.number();
+    case "boolean":
+      return import_zod.z.boolean();
+    case "timestamp":
+      return import_zod.z.string().datetime();
+    case "array":
+      if (field.items) return import_zod.z.array(fieldToZod(field.items));
+      return import_zod.z.array(import_zod.z.unknown());
+    case "map":
+      if (field.values) return import_zod.z.record(import_zod.z.string(), fieldToZod(field.values));
+      return import_zod.z.record(import_zod.z.string(), import_zod.z.unknown());
+    case "reference":
+      return import_zod.z.string();
+    // 참조는 문서 경로 문자열
+    case "geopoint":
+      return import_zod.z.object({ latitude: import_zod.z.number(), longitude: import_zod.z.number() });
+    default:
+      return import_zod.z.unknown();
+  }
+}
+function contractToManifest(path, contract) {
+  return {
+    path,
+    method: "POST",
+    meta: contract.meta,
+    inputSchema: zodToJsonSchema(contract.input),
+    outputSchema: zodToJsonSchema(contract.output)
+  };
+}
+
+// src/routing/router.ts
+init_errors();
+
+// src/core/logger.ts
+var SENSITIVE_FIELDS = [
+  "password",
+  "token",
+  "secret",
+  "apiKey",
+  "api_key",
+  "authorization",
+  "credit_card",
+  "creditCard",
+  "ssn",
+  "cardNumber",
+  "card_number",
+  "cvv",
+  "pin"
+];
+var LOG_LEVELS = {
+  debug: 0,
+  info: 1,
+  warn: 2,
+  error: 3
+};
+var currentLevel = "info";
+function shouldLog(level) {
+  return LOG_LEVELS[level] >= LOG_LEVELS[currentLevel];
+}
+function maskSensitive(obj) {
+  if (obj === null || obj === void 0) return obj;
+  if (typeof obj === "string") return obj;
+  if (typeof obj !== "object") return obj;
+  if (Array.isArray(obj)) {
+    return obj.map(maskSensitive);
+  }
+  const masked = {};
+  for (const [key, value] of Object.entries(obj)) {
+    if (SENSITIVE_FIELDS.some((f) => key.toLowerCase().includes(f.toLowerCase()))) {
+      masked[key] = "***MASKED***";
+    } else if (typeof value === "object" && value !== null) {
+      masked[key] = maskSensitive(value);
+    } else {
+      masked[key] = value;
+    }
+  }
+  return masked;
+}
+function formatLog(level, message, data) {
+  const timestamp = (/* @__PURE__ */ new Date()).toISOString();
+  const prefix = `[${timestamp}] [CLAWFIRE] [${level.toUpperCase()}]`;
+  if (data !== void 0) {
+    return `${prefix} ${message} ${JSON.stringify(maskSensitive(data))}`;
+  }
+  return `${prefix} ${message}`;
+}
+var logger = {
+  debug(message, data) {
+    if (shouldLog("debug")) console.debug(formatLog("debug", message, data));
+  },
+  info(message, data) {
+    if (shouldLog("info")) console.info(formatLog("info", message, data));
+  },
+  warn(message, data) {
+    if (shouldLog("warn")) console.warn(formatLog("warn", message, data));
+  },
+  error(message, data) {
+    if (shouldLog("error")) console.error(formatLog("error", message, data));
+  }
+};
+
+// src/firebase/auth.ts
+init_errors();
+async function verifyToken(auth, idToken) {
+  const decoded = await auth.verifyIdToken(idToken);
+  return {
+    uid: decoded.uid,
+    email: decoded.email,
+    emailVerified: decoded.email_verified,
+    role: decoded.role || decoded.customClaims?.role,
+    customClaims: decoded,
+    token: idToken
+  };
+}
+async function verifyReauth(auth, idToken, maxAgeSeconds = 300) {
+  const decoded = await auth.verifyIdToken(idToken, true);
+  const authTime = decoded.auth_time * 1e3;
+  const now = Date.now();
+  if (now - authTime > maxAgeSeconds * 1e3) {
+    throw Errors.reauthRequired(
+      `Re-authentication required. Last auth was ${Math.floor((now - authTime) / 1e3)}s ago.`
+    );
+  }
+  return {
+    uid: decoded.uid,
+    email: decoded.email,
+    emailVerified: decoded.email_verified,
+    role: decoded.role || decoded.customClaims?.role,
+    customClaims: decoded,
+    token: idToken
+  };
+}
+function extractBearerToken(authHeader) {
+  if (!authHeader) return null;
+  const parts = authHeader.split(" ");
+  if (parts.length !== 2 || parts[0] !== "Bearer") return null;
+  return parts[1];
+}
+function checkAuthLevel(authCtx, level, roles, reauthenticated) {
+  switch (level) {
+    case "public":
+      return;
+    // 누구나 접근 가능
+    case "authenticated":
+      if (!authCtx) throw Errors.unauthorized();
+      return;
+    case "role":
+      if (!authCtx) throw Errors.unauthorized();
+      if (!roles || roles.length === 0) return;
+      if (!authCtx.role || !roles.includes(authCtx.role)) {
+        throw Errors.forbidden(`Required role: ${roles.join(" or ")}`);
+      }
+      return;
+    case "reauth":
+      if (!authCtx) throw Errors.unauthorized();
+      if (!reauthenticated) {
+        throw Errors.reauthRequired();
+      }
+      return;
+  }
+}
+async function setUserRole(auth, uid, role) {
+  const user = await auth.getUser(uid);
+  const currentClaims = user.customClaims || {};
+  await auth.setCustomUserClaims(uid, { ...currentClaims, role });
+}
+async function getUserRole(auth, uid) {
+  const user = await auth.getUser(uid);
+  return user.customClaims?.role;
+}
+async function setCustomClaims(auth, uid, claims) {
+  const user = await auth.getUser(uid);
+  const currentClaims = user.customClaims || {};
+  await auth.setCustomUserClaims(uid, { ...currentClaims, ...claims });
+}
+
+// src/routing/router.ts
+var RateLimiter = class {
+  store = /* @__PURE__ */ new Map();
+  defaultLimit;
+  constructor(defaultLimit) {
+    this.defaultLimit = defaultLimit;
+  }
+  check(key, limit) {
+    const max = limit || this.defaultLimit;
+    const now = Date.now();
+    const entry = this.store.get(key);
+    if (!entry || now > entry.resetAt) {
+      this.store.set(key, { count: 1, resetAt: now + 6e4 });
+      return true;
+    }
+    if (entry.count >= max) {
+      return false;
+    }
+    entry.count++;
+    return true;
+  }
+  // 오래된 엔트리 정리
+  cleanup() {
+    const now = Date.now();
+    for (const [key, entry] of this.store) {
+      if (now > entry.resetAt) this.store.delete(key);
+    }
+  }
+};
+var ClawfireRouter = class {
+  routes = /* @__PURE__ */ new Map();
+  options;
+  rateLimiter;
+  cleanupInterval;
+  constructor(options = {}) {
+    this.options = options;
+    this.rateLimiter = new RateLimiter(options.rateLimit || 100);
+    this.cleanupInterval = setInterval(() => this.rateLimiter.cleanup(), 6e4);
+  }
+  /** 라우트 등록 */
+  register(path, contract) {
+    const normalizedPath = path.startsWith("/") ? path : `/${path}`;
+    this.routes.set(normalizedPath, { path: normalizedPath, contract });
+    logger.debug(`Route registered: ${normalizedPath}`);
+    return this;
+  }
+  /** 여러 라우트 한 번에 등록 */
+  registerAll(routes) {
+    for (const [path, contract] of Object.entries(routes)) {
+      this.register(path, contract);
+    }
+    return this;
+  }
+  /** 매니페스트 생성 */
+  getManifest() {
+    const apis = [];
+    for (const [path, route] of this.routes) {
+      apis.push(contractToManifest(path, route.contract));
+    }
+    return {
+      version: "1.0.0",
+      generatedAt: (/* @__PURE__ */ new Date()).toISOString(),
+      apis,
+      models: {}
+    };
+  }
+  /** HTTP 요청 핸들러 (Firebase Functions에서 사용) */
+  async handleRequest(req, res) {
+    const corsOrigins = this.options.cors || [];
+    const origin = req.headers?.origin || req.headers?.Origin || "";
+    if (corsOrigins.length > 0 && corsOrigins.includes(origin)) {
+      res.set({
+        "Access-Control-Allow-Origin": origin,
+        "Access-Control-Allow-Methods": "POST, OPTIONS",
+        "Access-Control-Allow-Headers": "Content-Type, Authorization",
+        "Access-Control-Max-Age": "86400"
+      });
+    } else if (corsOrigins.length === 0) {
+      res.set({
+        "Access-Control-Allow-Origin": "",
+        "Access-Control-Allow-Methods": "POST, OPTIONS",
+        "Access-Control-Allow-Headers": "Content-Type, Authorization"
+      });
+    }
+    if (req.method === "OPTIONS") {
+      res.status(204).end();
+      return;
+    }
+    res.set({
+      "X-Content-Type-Options": "nosniff",
+      "X-Frame-Options": "DENY",
+      "X-XSS-Protection": "1; mode=block",
+      "Content-Type": "application/json"
+    });
+    let routePath = req.path || req.url || "";
+    if (routePath.startsWith("/api")) {
+      routePath = routePath.slice(4);
+    }
+    if (routePath === "/__manifest") {
+      res.status(200).json(this.getManifest());
+      return;
+    }
+    if (req.method && req.method !== "POST") {
+      res.status(405).json({ error: { code: "METHOD_NOT_ALLOWED", message: "Only POST is allowed" } });
+      return;
+    }
+    const route = this.matchRoute(routePath);
+    if (!route) {
+      res.status(404).json({ error: { code: "NOT_FOUND", message: `API not found: ${routePath}` } });
+      return;
+    }
+    try {
+      const clientKey = req.ip || "unknown";
+      const rateLimit = route.contract.meta.rateLimit || this.options.rateLimit;
+      if (rateLimit && !this.rateLimiter.check(clientKey, rateLimit)) {
+        throw Errors.rateLimited();
+      }
+      let authCtx = null;
+      let reauthenticated = false;
+      const authHeader = req.headers?.authorization || req.headers?.Authorization;
+      if (authHeader && this.options.auth) {
+        const token = extractBearerToken(authHeader);
+        if (token) {
+          if (route.contract.meta.reauth || route.contract.meta.auth === "reauth") {
+            authCtx = await verifyReauth(this.options.auth, token);
+            reauthenticated = true;
+          } else {
+            authCtx = await verifyToken(this.options.auth, token);
+          }
+        }
+      }
+      if (route.contract.meta.auth) {
+        checkAuthLevel(authCtx, route.contract.meta.auth, route.contract.meta.roles, reauthenticated);
+      }
+      const rawInput = req.body || {};
+      const parsed = route.contract.input.safeParse(rawInput);
+      if (!parsed.success) {
+        throw Errors.validation("Invalid input", parsed.error.flatten());
+      }
+      const ctx = {
+        auth: authCtx,
+        reauthenticated,
+        headers: req.headers,
+        ip: req.ip
+      };
+      let result;
+      if (this.options.middleware && this.options.middleware.length > 0) {
+        result = await this.runMiddleware(
+          this.options.middleware,
+          parsed.data,
+          ctx,
+          () => route.contract.handler(parsed.data, ctx)
+        );
+      } else {
+        result = await route.contract.handler(parsed.data, ctx);
+      }
+      res.status(200).json({ data: result });
+    } catch (err) {
+      if (err instanceof ClawfireError) {
+        logger.warn(`API error [${err.code}]: ${err.message}`);
+        res.status(err.statusCode).json(err.toJSON());
+      } else {
+        logger.error("Unhandled error", err);
+        res.status(500).json({
+          error: {
+            code: "INTERNAL_ERROR",
+            message: "An unexpected error occurred"
+          }
+        });
+      }
+    }
+  }
+  /** 라우트 매칭 (동적 파라미터 지원) */
+  matchRoute(path) {
+    const exact = this.routes.get(path);
+    if (exact) return exact;
+    for (const [routePath, route] of this.routes) {
+      if (this.matchDynamicRoute(routePath, path)) {
+        return route;
+      }
+    }
+    return void 0;
+  }
+  matchDynamicRoute(pattern, actual) {
+    const patternParts = pattern.split("/").filter(Boolean);
+    const actualParts = actual.split("/").filter(Boolean);
+    if (patternParts.length !== actualParts.length) return false;
+    return patternParts.every(
+      (part, i) => part.startsWith(":") || part.startsWith("[") || part === actualParts[i]
+    );
+  }
+  /** 미들웨어 체인 실행 */
+  async runMiddleware(middlewares, input, ctx, handler) {
+    let index = 0;
+    const next = async () => {
+      if (index >= middlewares.length) {
+        return handler();
+      }
+      const mw = middlewares[index++];
+      return mw(input, ctx, next);
+    };
+    return next();
+  }
+  /** 등록된 라우트 목록 */
+  getRoutes() {
+    return Array.from(this.routes.values());
+  }
+  /** 리소스 정리 */
+  destroy() {
+    if (this.cleanupInterval) {
+      clearInterval(this.cleanupInterval);
+    }
+  }
+};
+function createRouter(options) {
+  return new ClawfireRouter(options);
+}
+
+// src/routing/discover.ts
+var import_path = require("path");
+var import_fs = require("fs");
+function discoverRoutes(routesDir) {
+  if (!(0, import_fs.existsSync)(routesDir)) {
+    return [];
+  }
+  const routes = [];
+  scanDirectory(routesDir, routesDir, routes);
+  return routes.sort((a, b) => a.apiPath.localeCompare(b.apiPath));
+}
+function scanDirectory(baseDir, currentDir, routes) {
+  const entries = (0, import_fs.readdirSync)(currentDir);
+  for (const entry of entries) {
+    const fullPath = (0, import_path.join)(currentDir, entry);
+    const stat = (0, import_fs.statSync)(fullPath);
+    if (stat.isDirectory()) {
+      if (entry.startsWith(".") || entry === "node_modules") continue;
+      scanDirectory(baseDir, fullPath, routes);
+    } else if (stat.isFile()) {
+      if (!entry.endsWith(".ts") && !entry.endsWith(".js")) continue;
+      if (entry.startsWith("_")) continue;
+      if (entry.endsWith(".d.ts")) continue;
+      const relativePath = (0, import_path.relative)(baseDir, fullPath);
+      const route = filePathToRoute(relativePath);
+      routes.push(route);
+    }
+  }
+}
+function filePathToRoute(filePath) {
+  const params = [];
+  let routePath = filePath.replace(/\.(ts|js)$/, "");
+  routePath = routePath.replace(/\\/g, "/");
+  if (routePath.endsWith("/index") || routePath === "index") {
+    routePath = routePath.replace(/\/?index$/, "");
+  }
+  routePath = routePath.replace(/\[([^\]]+)\]/g, (_, param) => {
+    params.push(param);
+    return `:${param}`;
+  });
+  const apiPath = `/${routePath}`;
+  return {
+    filePath,
+    apiPath,
+    params
+  };
+}
+function generateRouteImports(routes, routesDir) {
+  const lines = [
+    "// AUTO-GENERATED by Clawfire \u2014 DO NOT EDIT",
+    "// This file is regenerated whenever routes change.",
+    "",
+    'import { createRouter } from "clawfire/functions";',
+    ""
+  ];
+  routes.forEach((route, i) => {
+    const importPath = `./${route.filePath.replace(/\.(ts|js)$/, ".js")}`;
+    lines.push(`import route_${i} from "${importPath}";`);
+  });
+  lines.push("");
+  lines.push("export function registerAllRoutes(router: ReturnType<typeof createRouter>) {");
+  routes.forEach((route, i) => {
+    lines.push(`  router.register("${route.apiPath}", route_${i});`);
+  });
+  lines.push("  return router;");
+  lines.push("}");
+  return lines.join("\n");
+}
+
+// src/firebase/firestore.ts
+function createAdminDB(firestore) {
+  return {
+    /** 문서 조회 */
+    async get(collection, id) {
+      const doc = await firestore.collection(collection).doc(id).get();
+      if (!doc.exists) return null;
+      return { id: doc.id, ...doc.data() };
+    },
+    /** 문서 생성 (ID 자동 생성) */
+    async create(collection, data) {
+      const now = (/* @__PURE__ */ new Date()).toISOString();
+      const ref = await firestore.collection(collection).add({
+        ...data,
+        createdAt: now,
+        updatedAt: now
+      });
+      return ref.id;
+    },
+    /** 문서 생성 (ID 지정) */
+    async set(collection, id, data, merge = false) {
+      const now = (/* @__PURE__ */ new Date()).toISOString();
+      await firestore.collection(collection).doc(id).set(
+        {
+          ...data,
+          ...merge ? { updatedAt: now } : { createdAt: now, updatedAt: now }
+        },
+        { merge }
+      );
+    },
+    /** 문서 부분 업데이트 */
+    async update(collection, id, data) {
+      await firestore.collection(collection).doc(id).update({
+        ...data,
+        updatedAt: (/* @__PURE__ */ new Date()).toISOString()
+      });
+    },
+    /** 문서 삭제 */
+    async delete(collection, id) {
+      await firestore.collection(collection).doc(id).delete();
+    },
+    /** 소프트 삭제 */
+    async softDelete(collection, id) {
+      await firestore.collection(collection).doc(id).update({
+        deletedAt: (/* @__PURE__ */ new Date()).toISOString(),
+        updatedAt: (/* @__PURE__ */ new Date()).toISOString()
+      });
+    },
+    /** 쿼리 */
+    async query(collection, options = {}) {
+      let ref = firestore.collection(collection);
+      if (options.filters) {
+        for (const filter of options.filters) {
+          ref = ref.where(filter.field, filter.op, filter.value);
+        }
+      }
+      if (options.orderBy) {
+        for (const order of options.orderBy) {
+          ref = ref.orderBy(order.field, order.direction || "asc");
+        }
+      }
+      if (options.startAfter) {
+        ref = ref.startAfter(options.startAfter);
+      }
+      const limit = options.limit || 20;
+      ref = ref.limit(limit + 1);
+      const snapshot = await ref.get();
+      const docs = snapshot.docs.map((doc) => ({
+        id: doc.id,
+        ...doc.data()
+      }));
+      const hasMore = docs.length > limit;
+      if (hasMore) docs.pop();
+      return {
+        data: docs,
+        hasMore,
+        lastDoc: docs.length > 0 ? snapshot.docs[docs.length - 1] : void 0
+      };
+    },
+    /** 문서 수 */
+    async count(collection, filters) {
+      let ref = firestore.collection(collection);
+      if (filters) {
+        for (const filter of filters) {
+          ref = ref.where(filter.field, filter.op, filter.value);
+        }
+      }
+      const snapshot = await ref.count().get();
+      return snapshot.data().count;
+    },
+    /** 배치 작업 */
+    async batch(operations) {
+      const batch = firestore.batch();
+      const ids = [];
+      for (const op of operations) {
+        const now = (/* @__PURE__ */ new Date()).toISOString();
+        switch (op.type) {
+          case "create": {
+            const ref = firestore.collection(op.collection).doc();
+            batch.set(ref, { ...op.data, createdAt: now, updatedAt: now });
+            ids.push(ref.id);
+            break;
+          }
+          case "set": {
+            const ref = firestore.collection(op.collection).doc(op.id);
+            batch.set(ref, { ...op.data, createdAt: now, updatedAt: now });
+            ids.push(op.id);
+            break;
+          }
+          case "update": {
+            const ref = firestore.collection(op.collection).doc(op.id);
+            batch.update(ref, { ...op.data, updatedAt: now });
+            ids.push(op.id);
+            break;
+          }
+          case "delete": {
+            const ref = firestore.collection(op.collection).doc(op.id);
+            batch.delete(ref);
+            ids.push(op.id);
+            break;
+          }
+        }
+      }
+      await batch.commit();
+      return ids;
+    },
+    /** 트랜잭션 */
+    async transaction(fn) {
+      return firestore.runTransaction(async (transaction) => {
+        return fn({
+          async get(collection, id) {
+            const doc = await transaction.get(firestore.collection(collection).doc(id));
+            if (!doc.exists) return null;
+            return { id: doc.id, ...doc.data() };
+          },
+          set(collection, id, data) {
+            const now = (/* @__PURE__ */ new Date()).toISOString();
+            transaction.set(firestore.collection(collection).doc(id), {
+              ...data,
+              createdAt: now,
+              updatedAt: now
+            });
+          },
+          update(collection, id, data) {
+            transaction.update(firestore.collection(collection).doc(id), {
+              ...data,
+              updatedAt: (/* @__PURE__ */ new Date()).toISOString()
+            });
+          },
+          delete(collection, id) {
+            transaction.delete(firestore.collection(collection).doc(id));
+          }
+        });
+      });
+    },
+    /** 원시 Firestore 접근 */
+    raw: firestore
+  };
+}
+
+// src/firebase/rules.ts
+function generateFirestoreRules(models) {
+  const rules = [];
+  rules.push("rules_version = '2';");
+  rules.push("service cloud.firestore {");
+  rules.push("  match /databases/{database}/documents {");
+  rules.push("");
+  rules.push("    // \u2500\u2500 Helper Functions \u2500\u2500");
+  rules.push("    function isAuthenticated() {");
+  rules.push("      return request.auth != null;");
+  rules.push("    }");
+  rules.push("");
+  rules.push("    function isOwner(userId) {");
+  rules.push("      return isAuthenticated() && request.auth.uid == userId;");
+  rules.push("    }");
+  rules.push("");
+  rules.push("    function hasRole(role) {");
+  rules.push("      return isAuthenticated() && request.auth.token.role == role;");
+  rules.push("    }");
+  rules.push("");
+  rules.push("    function hasAnyRole(roles) {");
+  rules.push("      return isAuthenticated() && request.auth.token.role in roles;");
+  rules.push("    }");
+  rules.push("");
+  rules.push("    function isRecentAuth() {");
+  rules.push("      return request.auth.token.auth_time > (request.time - duration.value(5, 'm'));");
+  rules.push("    }");
+  rules.push("");
+  for (const [name, model] of Object.entries(models)) {
+    rules.push(`    // \u2500\u2500 ${name} \u2500\u2500`);
+    rules.push(`    match /${model.collection}/{docId} {`);
+    const modelRules = model.rules || { read: "authenticated", create: "authenticated", update: "authenticated", delete: "authenticated" };
+    rules.push(`      allow read: if ${buildRuleCondition(modelRules, "read", model)};`);
+    rules.push(`      allow create: if ${buildRuleCondition(modelRules, "create", model)};`);
+    rules.push(`      allow update: if ${buildRuleCondition(modelRules, "update", model)};`);
+    rules.push(`      allow delete: if ${buildRuleCondition(modelRules, "delete", model)};`);
+    if (model.subcollections) {
+      for (const [subName, subModel] of Object.entries(model.subcollections)) {
+        rules.push("");
+        rules.push(`      // ${subName}`);
+        rules.push(`      match /${subModel.collection}/{subDocId} {`);
+        const subRules = subModel.rules || { read: "authenticated", create: "authenticated", update: "authenticated", delete: "authenticated" };
+        rules.push(`        allow read: if ${buildRuleCondition(subRules, "read", subModel)};`);
+        rules.push(`        allow create: if ${buildRuleCondition(subRules, "create", subModel)};`);
+        rules.push(`        allow update: if ${buildRuleCondition(subRules, "update", subModel)};`);
+        rules.push(`        allow delete: if ${buildRuleCondition(subRules, "delete", subModel)};`);
+        rules.push("      }");
+      }
+    }
+    rules.push("    }");
+    rules.push("");
+  }
+  rules.push("  }");
+  rules.push("}");
+  return rules.join("\n");
+}
+function buildRuleCondition(rules, operation, model) {
+  const level = rules[operation] || "authenticated";
+  const roles = rules[`${operation}Roles`];
+  const ownerField = rules.ownerField;
+  const conditions = [];
+  switch (level) {
+    case "public":
+      return "true";
+    case "authenticated":
+      conditions.push("isAuthenticated()");
+      break;
+    case "role":
+      if (roles && roles.length > 0) {
+        if (roles.length === 1) {
+          conditions.push(`hasRole('${roles[0]}')`);
+        } else {
+          conditions.push(`hasAnyRole(${JSON.stringify(roles)})`);
+        }
+      } else {
+        conditions.push("isAuthenticated()");
+      }
+      break;
+    case "reauth":
+      conditions.push("isAuthenticated()");
+      conditions.push("isRecentAuth()");
+      break;
+  }
+  if (ownerField && (operation === "read" || operation === "update" || operation === "delete")) {
+    const ownerCondition = operation === "read" ? `resource.data.${ownerField} == request.auth.uid` : `resource.data.${ownerField} == request.auth.uid`;
+    if (conditions.length > 0) {
+      return `(${conditions.join(" && ")}) || (isAuthenticated() && ${ownerCondition})`;
+    }
+    return `isAuthenticated() && ${ownerCondition}`;
+  }
+  if (ownerField && operation === "create") {
+    conditions.push(`request.resource.data.${ownerField} == request.auth.uid`);
+  }
+  return conditions.join(" && ") || "false";
+}
+function generateFirestoreIndexes(models) {
+  const indexes = [];
+  for (const model of Object.values(models)) {
+    if (model.indexes) {
+      for (const index of model.indexes) {
+        indexes.push({
+          collectionGroup: model.collection,
+          queryScope: "COLLECTION",
+          fields: index.fields.map((f) => ({
+            fieldPath: f.field,
+            order: (f.order || "asc").toUpperCase()
+          }))
+        });
+      }
+    }
+  }
+  return { indexes };
+}
+
+// src/firebase/hosting.ts
+function generateFirebaseJson(config) {
+  return {
+    hosting: {
+      public: "public",
+      ignore: ["firebase.json", "**/.*", "**/node_modules/**"],
+      rewrites: [
+        {
+          source: "/api/**",
+          function: "api"
+        },
+        {
+          source: "**",
+          destination: "/index.html"
+        }
+      ],
+      headers: [
+        {
+          source: "/api/**",
+          headers: [
+            { key: "Cache-Control", value: "no-store" },
+            { key: "X-Content-Type-Options", value: "nosniff" },
+            { key: "X-Frame-Options", value: "DENY" },
+            { key: "X-XSS-Protection", value: "1; mode=block" },
+            { key: "Referrer-Policy", value: "strict-origin-when-cross-origin" }
+          ]
+        },
+        {
+          source: "**/*.@(js|css|svg|png|jpg|jpeg|gif|ico|webp|woff|woff2)",
+          headers: [
+            { key: "Cache-Control", value: "public, max-age=31536000, immutable" }
+          ]
+        }
+      ]
+    },
+    functions: {
+      source: "functions",
+      runtime: "nodejs20",
+      codebase: "clawfire"
+    },
+    firestore: {
+      rules: "firestore.rules",
+      indexes: "firestore.indexes.json"
+    },
+    emulators: {
+      functions: { port: 5001 },
+      firestore: { port: 8080 },
+      auth: { port: 9099 },
+      hosting: { port: 5e3 },
+      ui: { enabled: true, port: 4e3 }
+    }
+  };
+}
+function generateDefaultRules() {
+  return `rules_version = '2';
+service cloud.firestore {
+  match /databases/{database}/documents {
+
+    // Helper functions
+    function isAuthenticated() {
+      return request.auth != null;
+    }
+
+    function isOwner(userId) {
+      return isAuthenticated() && request.auth.uid == userId;
+    }
+
+    function hasRole(role) {
+      return isAuthenticated() && request.auth.token.role == role;
+    }
+
+    // Default: deny all
+    match /{document=**} {
+      allow read, write: if false;
+    }
+  }
+}
+`;
+}
+
+// src/security/middleware.ts
+function requestLogger() {
+  return async (input, ctx, next) => {
+    const start = Date.now();
+    const uid = ctx.auth?.uid || "anonymous";
+    logger.info(`\u2192 Request from ${uid}`, {
+      hasAuth: !!ctx.auth,
+      ip: ctx.ip
+    });
+    try {
+      const result = await next();
+      const duration = Date.now() - start;
+      logger.info(`\u2190 Response [${duration}ms]`);
+      return result;
+    } catch (err) {
+      const duration = Date.now() - start;
+      logger.error(`\u2190 Error [${duration}ms]`, {
+        error: err instanceof Error ? err.message : "Unknown error"
+      });
+      throw err;
+    }
+  };
+}
+function inputSizeLimit(maxBytes = 1024 * 1024) {
+  return async (input, ctx, next) => {
+    const size = JSON.stringify(input).length;
+    if (size > maxBytes) {
+      const { Errors: Errors2 } = await Promise.resolve().then(() => (init_errors(), errors_exports));
+      throw Errors2.validation(`Input too large: ${size} bytes (max: ${maxBytes})`);
+    }
+    return next();
+  };
+}
+function sanitizeInput() {
+  return async (input, ctx, next) => {
+    if (typeof input === "object" && input !== null) {
+      sanitizeObject(input);
+    }
+    return next();
+  };
+}
+function sanitizeObject(obj) {
+  for (const [key, value] of Object.entries(obj)) {
+    if (typeof value === "string") {
+      obj[key] = value.replace(/</g, "&lt;").replace(/>/g, "&gt;");
+    } else if (typeof value === "object" && value !== null && !Array.isArray(value)) {
+      sanitizeObject(value);
+    } else if (Array.isArray(value)) {
+      for (let i = 0; i < value.length; i++) {
+        if (typeof value[i] === "string") {
+          value[i] = value[i].replace(/</g, "&lt;").replace(/>/g, "&gt;");
+        } else if (typeof value[i] === "object" && value[i] !== null) {
+          sanitizeObject(value[i]);
+        }
+      }
+    }
+  }
+}
+function corsMiddleware(allowedOrigins = []) {
+  return async (input, ctx, next) => {
+    return next();
+  };
+}
+function createSecurityMiddleware(options) {
+  const middlewares = [];
+  if (options?.logRequests !== false) {
+    middlewares.push(requestLogger());
+  }
+  if (options?.maxInputSize) {
+    middlewares.push(inputSizeLimit(options.maxInputSize));
+  } else {
+    middlewares.push(inputSizeLimit());
+  }
+  if (options?.sanitize !== false) {
+    middlewares.push(sanitizeInput());
+  }
+  return middlewares;
+}
+
+// src/core/index.ts
+init_errors();
+
+// src/functions.ts
+init_errors();
+var import_zod2 = require("zod");
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  ClawfireError,
+  ClawfireRouter,
+  Errors,
+  checkAuthLevel,
+  corsMiddleware,
+  createAdminDB,
+  createRouter,
+  createSecurityMiddleware,
+  defineAPI,
+  defineModel,
+  discoverRoutes,
+  extractBearerToken,
+  generateDefaultRules,
+  generateFirebaseJson,
+  generateFirestoreIndexes,
+  generateFirestoreRules,
+  generateRouteImports,
+  getUserRole,
+  inputSizeLimit,
+  logger,
+  modelToZodSchema,
+  requestLogger,
+  sanitizeInput,
+  setCustomClaims,
+  setUserRole,
+  verifyReauth,
+  verifyToken,
+  z,
+  zodToJsonSchema
+});
+//# sourceMappingURL=functions.cjs.map