mythik-server 0.1.0

package/dist/auth/jwt-strategy.js

@@ -0,0 +1,39 @@
+import jwt from 'jsonwebtoken';
+export function createJwtStrategy(config) {
+    const secret = config.secret;
+    function extractToken(req) {
+        const auth = req.headers.authorization ?? req.headers.Authorization;
+        if (typeof auth !== 'string')
+            return null;
+        if (!auth.startsWith('Bearer '))
+            return null;
+        const token = auth.slice(7).trim();
+        return token.length > 0 ? token : null;
+    }
+    async function validateToken(token) {
+        return new Promise((resolve, reject) => {
+            const options = {};
+            if (config.issuer)
+                options.issuer = config.issuer;
+            if (config.audience)
+                options.audience = config.audience;
+            jwt.verify(token, secret, options, (err, decoded) => {
+                if (err)
+                    return reject(err);
+                resolve(decoded);
+            });
+        });
+    }
+    function generateToken(payload, expiresInMinutes) {
+        const options = {
+            expiresIn: expiresInMinutes * 60,
+        };
+        if (config.issuer)
+            options.issuer = config.issuer;
+        if (config.audience)
+            options.audience = config.audience;
+        return jwt.sign(payload, secret, options);
+    }
+    return { extractToken, validateToken, generateToken };
+}
+//# sourceMappingURL=jwt-strategy.js.map

package/dist/auth/jwt-strategy.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"jwt-strategy.js","sourceRoot":"","sources":["../../src/auth/jwt-strategy.ts"],"names":[],"mappings":"AAAA,OAAO,GAAG,MAAM,cAAc,CAAC;AAG/B,MAAM,UAAU,iBAAiB,CAAC,MAAiB;IACjD,MAAM,MAAM,GAAG,MAAM,CAAC,MAAM,CAAC;IAE7B,SAAS,YAAY,CAAC,GAA+D;QACnF,MAAM,IAAI,GAAG,GAAG,CAAC,OAAO,CAAC,aAAa,IAAI,GAAG,CAAC,OAAO,CAAC,aAAa,CAAC;QACpE,IAAI,OAAO,IAAI,KAAK,QAAQ;YAAE,OAAO,IAAI,CAAC;QAC1C,IAAI,CAAC,IAAI,CAAC,UAAU,CAAC,SAAS,CAAC;YAAE,OAAO,IAAI,CAAC;QAC7C,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;QACnC,OAAO,KAAK,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,CAAC;IACzC,CAAC;IAED,KAAK,UAAU,aAAa,CAAC,KAAa;QACxC,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;YACrC,MAAM,OAAO,GAAsB,EAAE,CAAC;YACtC,IAAI,MAAM,CAAC,MAAM;gBAAE,OAAO,CAAC,MAAM,GAAG,MAAM,CAAC,MAAM,CAAC;YAClD,IAAI,MAAM,CAAC,QAAQ;gBAAE,OAAO,CAAC,QAAQ,GAAG,MAAM,CAAC,QAAQ,CAAC;YAExD,GAAG,CAAC,MAAM,CAAC,KAAK,EAAE,MAAM,EAAE,OAAO,EAAE,CAAC,GAAG,EAAE,OAAO,EAAE,EAAE;gBAClD,IAAI,GAAG;oBAAE,OAAO,MAAM,CAAC,GAAG,CAAC,CAAC;gBAC5B,OAAO,CAAC,OAAkC,CAAC,CAAC;YAC9C,CAAC,CAAC,CAAC;QACL,CAAC,CAAC,CAAC;IACL,CAAC;IAED,SAAS,aAAa,CAAC,OAAgC,EAAE,gBAAwB;QAC/E,MAAM,OAAO,GAAoB;YAC/B,SAAS,EAAE,gBAAgB,GAAG,EAAE;SACjC,CAAC;QACF,IAAI,MAAM,CAAC,MAAM;YAAE,OAAO,CAAC,MAAM,GAAG,MAAM,CAAC,MAAM,CAAC;QAClD,IAAI,MAAM,CAAC,QAAQ;YAAE,OAAO,CAAC,QAAQ,GAAG,MAAM,CAAC,QAAQ,CAAC;QAExD,OAAO,GAAG,CAAC,IAAI,CAAC,OAAO,EAAE,MAAM,EAAE,OAAO,CAAC,CAAC;IAC5C,CAAC;IAED,OAAO,EAAE,YAAY,EAAE,aAAa,EAAE,aAAa,EAAE,CAAC;AACxD,CAAC"}

package/dist/auth/middleware.d.ts

@@ -0,0 +1,4 @@
+import type { Request, Response, NextFunction } from 'express';
+import type { AuthConfig } from './types.js';
+export declare function createAuthMiddleware(authConfig: AuthConfig): (policy?: string) => (req: Request, res: Response, next: NextFunction) => Promise<void>;
+//# sourceMappingURL=middleware.d.ts.map

package/dist/auth/middleware.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"middleware.d.ts","sourceRoot":"","sources":["../../src/auth/middleware.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,OAAO,EAAE,QAAQ,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AAC/D,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,YAAY,CAAC;AAM7C,wBAAgB,oBAAoB,CAAC,UAAU,EAAE,UAAU,IAKnB,SAAS,MAAM,MACd,KAAK,OAAO,EAAE,KAAK,QAAQ,EAAE,MAAM,YAAY,KAAG,OAAO,CAAC,IAAI,CAAC,CAiCvG"}

package/dist/auth/middleware.js

@@ -0,0 +1,40 @@
+import { createJwtStrategy } from './jwt-strategy.js';
+import { buildUserContext } from './user-context.js';
+import { evaluatePolicy } from './policy-evaluator.js';
+export function createAuthMiddleware(authConfig) {
+    const jwtStrategy = createJwtStrategy(authConfig.jwt);
+    const policies = authConfig.policies ?? {};
+    const claimsMapping = authConfig.jwt.claims ?? {};
+    return function authMiddlewareFactory(policy) {
+        return async function authMiddleware(req, res, next) {
+            // Public endpoints skip auth
+            if (policy === 'public')
+                return next();
+            // Extract token
+            const token = jwtStrategy.extractToken(req);
+            if (!token) {
+                res.status(401).json({ error: { code: 'TOKEN_REQUIRED', message: 'Authentication required' } });
+                return;
+            }
+            // Validate token
+            let claims;
+            try {
+                claims = await jwtStrategy.validateToken(token);
+            }
+            catch {
+                res.status(401).json({ error: { code: 'TOKEN_INVALID', message: 'Invalid or expired token' } });
+                return;
+            }
+            // Build user context
+            const user = buildUserContext(claims, claimsMapping);
+            req.user = user;
+            // Evaluate policy
+            if (!evaluatePolicy(policy, user.roles, policies)) {
+                res.status(403).json({ error: { code: 'FORBIDDEN', message: 'Insufficient permissions' } });
+                return;
+            }
+            next();
+        };
+    };
+}
+//# sourceMappingURL=middleware.js.map

package/dist/auth/middleware.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"middleware.js","sourceRoot":"","sources":["../../src/auth/middleware.ts"],"names":[],"mappings":"AAGA,OAAO,EAAE,iBAAiB,EAAE,MAAM,mBAAmB,CAAC;AACtD,OAAO,EAAE,gBAAgB,EAAE,MAAM,mBAAmB,CAAC;AACrD,OAAO,EAAE,cAAc,EAAE,MAAM,uBAAuB,CAAC;AAEvD,MAAM,UAAU,oBAAoB,CAAC,UAAsB;IACzD,MAAM,WAAW,GAAG,iBAAiB,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC;IACtD,MAAM,QAAQ,GAAG,UAAU,CAAC,QAAQ,IAAI,EAAE,CAAC;IAC3C,MAAM,aAAa,GAAG,UAAU,CAAC,GAAG,CAAC,MAAM,IAAI,EAAE,CAAC;IAElD,OAAO,SAAS,qBAAqB,CAAC,MAAe;QACnD,OAAO,KAAK,UAAU,cAAc,CAAC,GAAY,EAAE,GAAa,EAAE,IAAkB;YAClF,6BAA6B;YAC7B,IAAI,MAAM,KAAK,QAAQ;gBAAE,OAAO,IAAI,EAAE,CAAC;YAEvC,gBAAgB;YAChB,MAAM,KAAK,GAAG,WAAW,CAAC,YAAY,CAAC,GAAG,CAAC,CAAC;YAC5C,IAAI,CAAC,KAAK,EAAE,CAAC;gBACX,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,EAAE,IAAI,EAAE,gBAAgB,EAAE,OAAO,EAAE,yBAAyB,EAAE,EAAE,CAAC,CAAC;gBAChG,OAAO;YACT,CAAC;YAED,iBAAiB;YACjB,IAAI,MAA+B,CAAC;YACpC,IAAI,CAAC;gBACH,MAAM,GAAG,MAAM,WAAW,CAAC,aAAa,CAAC,KAAK,CAAC,CAAC;YAClD,CAAC;YAAC,MAAM,CAAC;gBACP,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,EAAE,IAAI,EAAE,eAAe,EAAE,OAAO,EAAE,0BAA0B,EAAE,EAAE,CAAC,CAAC;gBAChG,OAAO;YACT,CAAC;YAED,qBAAqB;YACrB,MAAM,IAAI,GAAgB,gBAAgB,CAAC,MAAM,EAAE,aAAa,CAAC,CAAC;YACjE,GAA0C,CAAC,IAAI,GAAG,IAAI,CAAC;YAExD,kBAAkB;YAClB,IAAI,CAAC,cAAc,CAAC,MAAM,EAAE,IAAI,CAAC,KAAK,EAAE,QAAQ,CAAC,EAAE,CAAC;gBAClD,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,EAAE,IAAI,EAAE,WAAW,EAAE,OAAO,EAAE,0BAA0B,EAAE,EAAE,CAAC,CAAC;gBAC5F,OAAO;YACT,CAAC;YAED,IAAI,EAAE,CAAC;QACT,CAAC,CAAC;IACJ,CAAC,CAAC;AACJ,CAAC"}

package/dist/auth/password-verifier.d.ts

@@ -0,0 +1,3 @@
+import type { PasswordVerifier } from './types.js';
+export declare function getPasswordVerifier(algorithm: string | undefined): PasswordVerifier;
+//# sourceMappingURL=password-verifier.d.ts.map

package/dist/auth/password-verifier.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"password-verifier.d.ts","sourceRoot":"","sources":["../../src/auth/password-verifier.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,YAAY,CAAC;AAYnD,wBAAgB,mBAAmB,CAAC,SAAS,EAAE,MAAM,GAAG,SAAS,GAAG,gBAAgB,CAOnF"}

package/dist/auth/password-verifier.js

@@ -0,0 +1,18 @@
+import bcrypt from 'bcryptjs';
+const bcryptVerifier = {
+    async verify(password, hash) {
+        return bcrypt.compare(password, hash);
+    },
+};
+const verifiers = {
+    bcrypt: bcryptVerifier,
+};
+export function getPasswordVerifier(algorithm) {
+    const name = algorithm ?? 'bcrypt';
+    const verifier = verifiers[name];
+    if (!verifier) {
+        throw new Error(`Unsupported password hash algorithm: "${name}". Supported: ${Object.keys(verifiers).join(', ')}`);
+    }
+    return verifier;
+}
+//# sourceMappingURL=password-verifier.js.map

package/dist/auth/password-verifier.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"password-verifier.js","sourceRoot":"","sources":["../../src/auth/password-verifier.ts"],"names":[],"mappings":"AAAA,OAAO,MAAM,MAAM,UAAU,CAAC;AAG9B,MAAM,cAAc,GAAqB;IACvC,KAAK,CAAC,MAAM,CAAC,QAAgB,EAAE,IAAY;QACzC,OAAO,MAAM,CAAC,OAAO,CAAC,QAAQ,EAAE,IAAI,CAAC,CAAC;IACxC,CAAC;CACF,CAAC;AAEF,MAAM,SAAS,GAAqC;IAClD,MAAM,EAAE,cAAc;CACvB,CAAC;AAEF,MAAM,UAAU,mBAAmB,CAAC,SAA6B;IAC/D,MAAM,IAAI,GAAG,SAAS,IAAI,QAAQ,CAAC;IACnC,MAAM,QAAQ,GAAG,SAAS,CAAC,IAAI,CAAC,CAAC;IACjC,IAAI,CAAC,QAAQ,EAAE,CAAC;QACd,MAAM,IAAI,KAAK,CAAC,yCAAyC,IAAI,iBAAiB,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACrH,CAAC;IACD,OAAO,QAAQ,CAAC;AAClB,CAAC"}

package/dist/auth/policy-evaluator.d.ts

@@ -0,0 +1,3 @@
+import type { PolicyConfig } from './types.js';
+export declare function evaluatePolicy(policy: string | undefined, userRoles: string[], policies: Record<string, PolicyConfig>): boolean;
+//# sourceMappingURL=policy-evaluator.d.ts.map

package/dist/auth/policy-evaluator.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"policy-evaluator.d.ts","sourceRoot":"","sources":["../../src/auth/policy-evaluator.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,YAAY,CAAC;AAE/C,wBAAgB,cAAc,CAC5B,MAAM,EAAE,MAAM,GAAG,SAAS,EAC1B,SAAS,EAAE,MAAM,EAAE,EACnB,QAAQ,EAAE,MAAM,CAAC,MAAM,EAAE,YAAY,CAAC,GACrC,OAAO,CAQT"}

package/dist/auth/policy-evaluator.js

@@ -0,0 +1,11 @@
+export function evaluatePolicy(policy, userRoles, policies) {
+    if (policy === 'public')
+        return true;
+    if (!policy || policy === 'authenticated')
+        return true;
+    const policyConfig = policies[policy];
+    if (!policyConfig)
+        return false;
+    return policyConfig.roles.some(role => userRoles.includes(role));
+}
+//# sourceMappingURL=policy-evaluator.js.map

package/dist/auth/policy-evaluator.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"policy-evaluator.js","sourceRoot":"","sources":["../../src/auth/policy-evaluator.ts"],"names":[],"mappings":"AAEA,MAAM,UAAU,cAAc,CAC5B,MAA0B,EAC1B,SAAmB,EACnB,QAAsC;IAEtC,IAAI,MAAM,KAAK,QAAQ;QAAE,OAAO,IAAI,CAAC;IACrC,IAAI,CAAC,MAAM,IAAI,MAAM,KAAK,eAAe;QAAE,OAAO,IAAI,CAAC;IAEvD,MAAM,YAAY,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC;IACtC,IAAI,CAAC,YAAY;QAAE,OAAO,KAAK,CAAC;IAEhC,OAAO,YAAY,CAAC,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,SAAS,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC;AACnE,CAAC"}

package/dist/auth/refresh-store.d.ts

@@ -0,0 +1,8 @@
+export interface RefreshStore {
+    store(username: string, token: string): void;
+    getUsername(token: string): string | null;
+    revoke(token: string): void;
+    generateToken(): string;
+}
+export declare function createRefreshStore(ttlMinutes: number): RefreshStore;
+//# sourceMappingURL=refresh-store.d.ts.map

package/dist/auth/refresh-store.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"refresh-store.d.ts","sourceRoot":"","sources":["../../src/auth/refresh-store.ts"],"names":[],"mappings":"AAOA,MAAM,WAAW,YAAY;IAC3B,KAAK,CAAC,QAAQ,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,IAAI,CAAC;IAC7C,WAAW,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI,CAAC;IAC1C,MAAM,CAAC,KAAK,EAAE,MAAM,GAAG,IAAI,CAAC;IAC5B,aAAa,IAAI,MAAM,CAAC;CACzB;AAED,wBAAgB,kBAAkB,CAAC,UAAU,EAAE,MAAM,GAAG,YAAY,CAmCnE"}

package/dist/auth/refresh-store.js

@@ -0,0 +1,34 @@
+import { randomBytes } from 'crypto';
+export function createRefreshStore(ttlMinutes) {
+    const tokens = new Map();
+    const ttlMs = ttlMinutes * 60 * 1000;
+    function cleanExpired() {
+        const now = Date.now();
+        for (const [token, entry] of tokens) {
+            if (entry.expiry <= now)
+                tokens.delete(token);
+        }
+    }
+    function store(username, token) {
+        tokens.set(token, { username, expiry: Date.now() + ttlMs });
+        cleanExpired();
+    }
+    function getUsername(token) {
+        const entry = tokens.get(token);
+        if (!entry)
+            return null;
+        if (entry.expiry <= Date.now()) {
+            tokens.delete(token);
+            return null;
+        }
+        return entry.username;
+    }
+    function revoke(token) {
+        tokens.delete(token);
+    }
+    function generateToken() {
+        return randomBytes(64).toString('base64url');
+    }
+    return { store, getUsername, revoke, generateToken };
+}
+//# sourceMappingURL=refresh-store.js.map

package/dist/auth/refresh-store.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"refresh-store.js","sourceRoot":"","sources":["../../src/auth/refresh-store.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,WAAW,EAAE,MAAM,QAAQ,CAAC;AAcrC,MAAM,UAAU,kBAAkB,CAAC,UAAkB;IACnD,MAAM,MAAM,GAAG,IAAI,GAAG,EAAuB,CAAC;IAC9C,MAAM,KAAK,GAAG,UAAU,GAAG,EAAE,GAAG,IAAI,CAAC;IAErC,SAAS,YAAY;QACnB,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QACvB,KAAK,MAAM,CAAC,KAAK,EAAE,KAAK,CAAC,IAAI,MAAM,EAAE,CAAC;YACpC,IAAI,KAAK,CAAC,MAAM,IAAI,GAAG;gBAAE,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;QAChD,CAAC;IACH,CAAC;IAED,SAAS,KAAK,CAAC,QAAgB,EAAE,KAAa;QAC5C,MAAM,CAAC,GAAG,CAAC,KAAK,EAAE,EAAE,QAAQ,EAAE,MAAM,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,KAAK,EAAE,CAAC,CAAC;QAC5D,YAAY,EAAE,CAAC;IACjB,CAAC;IAED,SAAS,WAAW,CAAC,KAAa;QAChC,MAAM,KAAK,GAAG,MAAM,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;QAChC,IAAI,CAAC,KAAK;YAAE,OAAO,IAAI,CAAC;QACxB,IAAI,KAAK,CAAC,MAAM,IAAI,IAAI,CAAC,GAAG,EAAE,EAAE,CAAC;YAC/B,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;YACrB,OAAO,IAAI,CAAC;QACd,CAAC;QACD,OAAO,KAAK,CAAC,QAAQ,CAAC;IACxB,CAAC;IAED,SAAS,MAAM,CAAC,KAAa;QAC3B,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;IACvB,CAAC;IAED,SAAS,aAAa;QACpB,OAAO,WAAW,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;IAC/C,CAAC;IAED,OAAO,EAAE,KAAK,EAAE,WAAW,EAAE,MAAM,EAAE,aAAa,EAAE,CAAC;AACvD,CAAC"}

package/dist/auth/scope-filter.d.ts

@@ -0,0 +1,10 @@
+import type { ScopeFilterConfig } from './types.js';
+export interface ScopeClause {
+    sql: string;
+    params: Record<string, unknown>;
+}
+export declare function resolveActiveScope(headerValue: string | undefined, type: 'int' | 'string' | undefined): unknown | null;
+export declare function buildScopeWhereClause(config: ScopeFilterConfig, userScope: unknown[], activeScope: unknown | undefined, userRoles: string[], columnOverride?: string): ScopeClause | null;
+export declare function validateScopeForInsert(config: ScopeFilterConfig, body: Record<string, unknown>, userScope: unknown[], userRoles: string[]): boolean;
+export declare function wrapQueryWithScopeFilter(originalSql: string, scopeClause: ScopeClause): string;
+//# sourceMappingURL=scope-filter.d.ts.map

package/dist/auth/scope-filter.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"scope-filter.d.ts","sourceRoot":"","sources":["../../src/auth/scope-filter.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,YAAY,CAAC;AAGpD,MAAM,WAAW,WAAW;IAC1B,GAAG,EAAE,MAAM,CAAC;IACZ,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CACjC;AAED,wBAAgB,kBAAkB,CAChC,WAAW,EAAE,MAAM,GAAG,SAAS,EAC/B,IAAI,EAAE,KAAK,GAAG,QAAQ,GAAG,SAAS,GACjC,OAAO,GAAG,IAAI,CAKhB;AAMD,wBAAgB,qBAAqB,CACnC,MAAM,EAAE,iBAAiB,EACzB,SAAS,EAAE,OAAO,EAAE,EACpB,WAAW,EAAE,OAAO,GAAG,SAAS,EAChC,SAAS,EAAE,MAAM,EAAE,EACnB,cAAc,CAAC,EAAE,MAAM,GACtB,WAAW,GAAG,IAAI,CA4BpB;AAED,wBAAgB,sBAAsB,CACpC,MAAM,EAAE,iBAAiB,EACzB,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAC7B,SAAS,EAAE,OAAO,EAAE,EACpB,SAAS,EAAE,MAAM,EAAE,GAClB,OAAO,CAST;AAED,wBAAgB,wBAAwB,CACtC,WAAW,EAAE,MAAM,EACnB,WAAW,EAAE,WAAW,GACvB,MAAM,CAER"}

package/dist/auth/scope-filter.js

@@ -0,0 +1,51 @@
+import { assertValidIdentifier } from 'mythik';
+export function resolveActiveScope(headerValue, type) {
+    if (headerValue === undefined || headerValue === '')
+        return null;
+    if (type === 'string')
+        return headerValue;
+    const parsed = parseInt(headerValue, 10);
+    return isNaN(parsed) ? null : parsed;
+}
+function hasBypassRole(bypassRoles, userRoles) {
+    return bypassRoles.some(role => userRoles.includes(role));
+}
+export function buildScopeWhereClause(config, userScope, activeScope, userRoles, columnOverride) {
+    const bypassRoles = config.bypassRoles ?? [];
+    if (hasBypassRole(bypassRoles, userRoles))
+        return null;
+    const column = columnOverride ?? config.column;
+    assertValidIdentifier(column, 'scopeFilter.column');
+    const mode = config.mode ?? 'all';
+    if (mode === 'select') {
+        return {
+            sql: `_scoped.${column} = @_activeScope`,
+            params: { _activeScope: activeScope },
+        };
+    }
+    // mode "all"
+    if (userScope.length === 0) {
+        return { sql: '1 = 0', params: {} };
+    }
+    const paramNames = userScope.map((_, i) => `@_scope${i}`);
+    const params = {};
+    userScope.forEach((val, i) => { params[`_scope${i}`] = val; });
+    return {
+        sql: `_scoped.${column} IN (${paramNames.join(', ')})`,
+        params,
+    };
+}
+export function validateScopeForInsert(config, body, userScope, userRoles) {
+    const bypassRoles = config.bypassRoles ?? [];
+    if (hasBypassRole(bypassRoles, userRoles))
+        return true;
+    const column = config.column;
+    const bodyValue = body[column];
+    if (bodyValue === undefined || bodyValue === null)
+        return false;
+    return userScope.includes(bodyValue);
+}
+export function wrapQueryWithScopeFilter(originalSql, scopeClause) {
+    return `SELECT * FROM (\n${originalSql}\n) AS _scoped\nWHERE ${scopeClause.sql}`;
+}
+//# sourceMappingURL=scope-filter.js.map

package/dist/auth/scope-filter.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"scope-filter.js","sourceRoot":"","sources":["../../src/auth/scope-filter.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,qBAAqB,EAAE,MAAM,QAAQ,CAAC;AAO/C,MAAM,UAAU,kBAAkB,CAChC,WAA+B,EAC/B,IAAkC;IAElC,IAAI,WAAW,KAAK,SAAS,IAAI,WAAW,KAAK,EAAE;QAAE,OAAO,IAAI,CAAC;IACjE,IAAI,IAAI,KAAK,QAAQ;QAAE,OAAO,WAAW,CAAC;IAC1C,MAAM,MAAM,GAAG,QAAQ,CAAC,WAAW,EAAE,EAAE,CAAC,CAAC;IACzC,OAAO,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,MAAM,CAAC;AACvC,CAAC;AAED,SAAS,aAAa,CAAC,WAAqB,EAAE,SAAmB;IAC/D,OAAO,WAAW,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,SAAS,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC;AAC5D,CAAC;AAED,MAAM,UAAU,qBAAqB,CACnC,MAAyB,EACzB,SAAoB,EACpB,WAAgC,EAChC,SAAmB,EACnB,cAAuB;IAEvB,MAAM,WAAW,GAAG,MAAM,CAAC,WAAW,IAAI,EAAE,CAAC;IAC7C,IAAI,aAAa,CAAC,WAAW,EAAE,SAAS,CAAC;QAAE,OAAO,IAAI,CAAC;IAEvD,MAAM,MAAM,GAAG,cAAc,IAAI,MAAM,CAAC,MAAM,CAAC;IAC/C,qBAAqB,CAAC,MAAM,EAAE,oBAAoB,CAAC,CAAC;IACpD,MAAM,IAAI,GAAG,MAAM,CAAC,IAAI,IAAI,KAAK,CAAC;IAElC,IAAI,IAAI,KAAK,QAAQ,EAAE,CAAC;QACtB,OAAO;YACL,GAAG,EAAE,WAAW,MAAM,kBAAkB;YACxC,MAAM,EAAE,EAAE,YAAY,EAAE,WAAW,EAAE;SACtC,CAAC;IACJ,CAAC;IAED,aAAa;IACb,IAAI,SAAS,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC3B,OAAO,EAAE,GAAG,EAAE,OAAO,EAAE,MAAM,EAAE,EAAE,EAAE,CAAC;IACtC,CAAC;IAED,MAAM,UAAU,GAAG,SAAS,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,UAAU,CAAC,EAAE,CAAC,CAAC;IAC1D,MAAM,MAAM,GAA4B,EAAE,CAAC;IAC3C,SAAS,CAAC,OAAO,CAAC,CAAC,GAAG,EAAE,CAAC,EAAE,EAAE,GAAG,MAAM,CAAC,SAAS,CAAC,EAAE,CAAC,GAAG,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;IAE/D,OAAO;QACL,GAAG,EAAE,WAAW,MAAM,QAAQ,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG;QACtD,MAAM;KACP,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,sBAAsB,CACpC,MAAyB,EACzB,IAA6B,EAC7B,SAAoB,EACpB,SAAmB;IAEnB,MAAM,WAAW,GAAG,MAAM,CAAC,WAAW,IAAI,EAAE,CAAC;IAC7C,IAAI,aAAa,CAAC,WAAW,EAAE,SAAS,CAAC;QAAE,OAAO,IAAI,CAAC;IAEvD,MAAM,MAAM,GAAG,MAAM,CAAC,MAAM,CAAC;IAC7B,MAAM,SAAS,GAAG,IAAI,CAAC,MAAM,CAAC,CAAC;IAC/B,IAAI,SAAS,KAAK,SAAS,IAAI,SAAS,KAAK,IAAI;QAAE,OAAO,KAAK,CAAC;IAEhE,OAAO,SAAS,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC;AACvC,CAAC;AAED,MAAM,UAAU,wBAAwB,CACtC,WAAmB,EACnB,WAAwB;IAExB,OAAO,oBAAoB,WAAW,yBAAyB,WAAW,CAAC,GAAG,EAAE,CAAC;AACnF,CAAC"}

package/dist/auth/types.d.ts

@@ -0,0 +1,75 @@
+export interface AuthStrategy {
+    extractToken(req: {
+        headers: Record<string, string | string[] | undefined>;
+    }): string | null;
+    validateToken(token: string): Promise<Record<string, unknown>>;
+    generateToken(payload: Record<string, unknown>, expiresInMinutes: number): string;
+}
+export interface PasswordVerifier {
+    verify(password: string, hash: string): Promise<boolean>;
+}
+export interface JwtConfig {
+    secret: string;
+    issuer?: string;
+    audience?: string;
+    expiresIn?: number;
+    refreshExpiresIn?: number;
+    claims?: ClaimsMapping;
+}
+export interface ClaimsMapping {
+    username?: string;
+    name?: string;
+    roles?: string;
+    scope?: string;
+}
+export interface ProviderConfig {
+    usersTable: string;
+    usernameColumn: string;
+    passwordColumn: string;
+    passwordHash?: 'bcrypt' | 'argon2';
+    activeCondition?: string;
+    emailColumn?: string;
+    displayNameQuery?: string;
+    rolesQuery: string;
+    scopeQuery: string;
+    defaultScopeQuery?: string;
+}
+export interface PolicyConfig {
+    roles: string[];
+}
+export interface ScopeFilterConfig {
+    claim: string;
+    type?: 'int' | 'string';
+    column: string;
+    bypassRoles?: string[];
+    mode?: 'all' | 'select';
+    header?: string;
+}
+export interface EndpointScopeOverride {
+    column: string;
+}
+export interface AuthConfig {
+    strategy: 'jwt';
+    jwt: JwtConfig;
+    provider?: ProviderConfig;
+    policies?: Record<string, PolicyConfig>;
+    scopeFilter?: ScopeFilterConfig;
+    catalogsPolicy?: 'public';
+}
+export interface LoginResponseUser {
+    id: string;
+    email: string;
+    name: string;
+    role: string;
+    roles: string[];
+    scope: unknown[];
+    defaultScope: unknown;
+    metadata: Record<string, unknown>;
+}
+export interface LoginResponse {
+    token: string;
+    refreshToken: string;
+    expiresIn: number;
+    user: LoginResponseUser;
+}
+//# sourceMappingURL=types.d.ts.map

package/dist/auth/types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../src/auth/types.ts"],"names":[],"mappings":"AAEA,MAAM,WAAW,YAAY;IAC3B,YAAY,CAAC,GAAG,EAAE;QAAE,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,EAAE,GAAG,SAAS,CAAC,CAAA;KAAE,GAAG,MAAM,GAAG,IAAI,CAAC;IAC7F,aAAa,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC,CAAC;IAC/D,aAAa,CAAC,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAAE,gBAAgB,EAAE,MAAM,GAAG,MAAM,CAAC;CACnF;AAID,MAAM,WAAW,gBAAgB;IAC/B,MAAM,CAAC,QAAQ,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC;CAC1D;AAID,MAAM,WAAW,SAAS;IACxB,MAAM,EAAE,MAAM,CAAC;IACf,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,MAAM,CAAC,EAAE,aAAa,CAAC;CACxB;AAED,MAAM,WAAW,aAAa;IAC5B,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAID,MAAM,WAAW,cAAc;IAC7B,UAAU,EAAE,MAAM,CAAC;IACnB,cAAc,EAAE,MAAM,CAAC;IACvB,cAAc,EAAE,MAAM,CAAC;IACvB,YAAY,CAAC,EAAE,QAAQ,GAAG,QAAQ,CAAC;IACnC,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,UAAU,EAAE,MAAM,CAAC;IACnB,UAAU,EAAE,MAAM,CAAC;IACnB,iBAAiB,CAAC,EAAE,MAAM,CAAC;CAC5B;AAID,MAAM,WAAW,YAAY;IAC3B,KAAK,EAAE,MAAM,EAAE,CAAC;CACjB;AAID,MAAM,WAAW,iBAAiB;IAChC,KAAK,EAAE,MAAM,CAAC;IACd,IAAI,CAAC,EAAE,KAAK,GAAG,QAAQ,CAAC;IACxB,MAAM,EAAE,MAAM,CAAC;IACf,WAAW,CAAC,EAAE,MAAM,EAAE,CAAC;IACvB,IAAI,CAAC,EAAE,KAAK,GAAG,QAAQ,CAAC;IACxB,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAED,MAAM,WAAW,qBAAqB;IACpC,MAAM,EAAE,MAAM,CAAC;CAChB;AAID,MAAM,WAAW,UAAU;IACzB,QAAQ,EAAE,KAAK,CAAC;IAChB,GAAG,EAAE,SAAS,CAAC;IACf,QAAQ,CAAC,EAAE,cAAc,CAAC;IAC1B,QAAQ,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,YAAY,CAAC,CAAC;IACxC,WAAW,CAAC,EAAE,iBAAiB,CAAC;IAChC,cAAc,CAAC,EAAE,QAAQ,CAAC;CAC3B;AAID,MAAM,WAAW,iBAAiB;IAChC,EAAE,EAAE,MAAM,CAAC;IACX,KAAK,EAAE,MAAM,CAAC;IACd,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,MAAM,CAAC;IACb,KAAK,EAAE,MAAM,EAAE,CAAC;IAChB,KAAK,EAAE,OAAO,EAAE,CAAC;IACjB,YAAY,EAAE,OAAO,CAAC;IACtB,QAAQ,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CACnC;AAED,MAAM,WAAW,aAAa;IAC5B,KAAK,EAAE,MAAM,CAAC;IACd,YAAY,EAAE,MAAM,CAAC;IACrB,SAAS,EAAE,MAAM,CAAC;IAClB,IAAI,EAAE,iBAAiB,CAAC;CACzB"}

package/dist/auth/types.js

@@ -0,0 +1,3 @@
+// --- Auth Strategy (extensible — only JWT implemented) ---
+export {};
+//# sourceMappingURL=types.js.map

package/dist/auth/types.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.js","sourceRoot":"","sources":["../../src/auth/types.ts"],"names":[],"mappings":"AAAA,4DAA4D"}

package/dist/auth/user-context.d.ts

@@ -0,0 +1,4 @@
+import type { UserContext } from '../types.js';
+import type { ClaimsMapping } from './types.js';
+export declare function buildUserContext(claims: Record<string, unknown>, mapping: ClaimsMapping): UserContext;
+//# sourceMappingURL=user-context.d.ts.map

package/dist/auth/user-context.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"user-context.d.ts","sourceRoot":"","sources":["../../src/auth/user-context.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAC/C,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,YAAY,CAAC;AAEhD,wBAAgB,gBAAgB,CAAC,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAAE,OAAO,EAAE,aAAa,GAAG,WAAW,CAoBrG"}

package/dist/auth/user-context.js

@@ -0,0 +1,18 @@
+export function buildUserContext(claims, mapping) {
+    const usernameKey = mapping.username ?? 'sub';
+    const nameKey = mapping.name;
+    const rolesKey = mapping.roles ?? 'roles';
+    const scopeKey = mapping.scope;
+    const username = String(claims[usernameKey] ?? '');
+    const name = nameKey ? claims[nameKey] ?? null : null;
+    const rolesRaw = claims[rolesKey];
+    const roles = Array.isArray(rolesRaw)
+        ? rolesRaw
+        : typeof rolesRaw === 'string'
+            ? [rolesRaw]
+            : [];
+    const scopeRaw = scopeKey ? claims[scopeKey] : undefined;
+    const scope = Array.isArray(scopeRaw) ? scopeRaw : [];
+    return { username, name, roles, scope, raw: claims };
+}
+//# sourceMappingURL=user-context.js.map

package/dist/auth/user-context.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"user-context.js","sourceRoot":"","sources":["../../src/auth/user-context.ts"],"names":[],"mappings":"AAGA,MAAM,UAAU,gBAAgB,CAAC,MAA+B,EAAE,OAAsB;IACtF,MAAM,WAAW,GAAG,OAAO,CAAC,QAAQ,IAAI,KAAK,CAAC;IAC9C,MAAM,OAAO,GAAG,OAAO,CAAC,IAAI,CAAC;IAC7B,MAAM,QAAQ,GAAG,OAAO,CAAC,KAAK,IAAI,OAAO,CAAC;IAC1C,MAAM,QAAQ,GAAG,OAAO,CAAC,KAAK,CAAC;IAE/B,MAAM,QAAQ,GAAG,MAAM,CAAC,MAAM,CAAC,WAAW,CAAC,IAAI,EAAE,CAAC,CAAC;IACnD,MAAM,IAAI,GAAG,OAAO,CAAC,CAAC,CAAE,MAAM,CAAC,OAAO,CAAmB,IAAI,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC;IAEzE,MAAM,QAAQ,GAAG,MAAM,CAAC,QAAQ,CAAC,CAAC;IAClC,MAAM,KAAK,GAAa,KAAK,CAAC,OAAO,CAAC,QAAQ,CAAC;QAC7C,CAAC,CAAC,QAAQ;QACV,CAAC,CAAC,OAAO,QAAQ,KAAK,QAAQ;YAC5B,CAAC,CAAC,CAAC,QAAQ,CAAC;YACZ,CAAC,CAAC,EAAE,CAAC;IAET,MAAM,QAAQ,GAAG,QAAQ,CAAC,CAAC,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;IACzD,MAAM,KAAK,GAAc,KAAK,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,EAAE,CAAC;IAEjE,OAAO,EAAE,QAAQ,EAAE,IAAI,EAAE,KAAK,EAAE,KAAK,EAAE,GAAG,EAAE,MAAM,EAAE,CAAC;AACvD,CAAC"}

package/dist/catalog-builder.d.ts

@@ -0,0 +1,3 @@
+import type { CatalogConfig } from './types.js';
+export declare function buildCatalogQuery(config: CatalogConfig): string | null;
+//# sourceMappingURL=catalog-builder.d.ts.map

package/dist/catalog-builder.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"catalog-builder.d.ts","sourceRoot":"","sources":["../src/catalog-builder.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,YAAY,CAAC;AAGhD,wBAAgB,iBAAiB,CAAC,MAAM,EAAE,aAAa,GAAG,MAAM,GAAG,IAAI,CAiCtE"}

package/dist/catalog-builder.js

@@ -0,0 +1,35 @@
+import { assertValidIdentifier } from './validation/identifier-guard.js';
+export function buildCatalogQuery(config) {
+    if (config.static)
+        return null;
+    if (!config.from)
+        return null;
+    assertValidIdentifier(config.from, 'catalog.from');
+    if (config.distinct) {
+        assertValidIdentifier(config.distinct, 'catalog.distinct');
+        const orderByClause = config.orderBy
+            ? `ORDER BY ${bracketOrderBy(config.orderBy)}`
+            : `ORDER BY [${config.distinct}] ASC`;
+        return `SELECT DISTINCT [${config.distinct}] AS [value], [${config.distinct}] AS [label] FROM [${config.from}] ${orderByClause}`;
+    }
+    assertValidIdentifier(config.value, 'catalog.value');
+    assertValidIdentifier(config.label, 'catalog.label');
+    const selectParts = [`[${config.value}] AS [value]`, `[${config.label}] AS [label]`];
+    if (config.extra) {
+        for (const field of config.extra) {
+            assertValidIdentifier(field, 'catalog.extra');
+            selectParts.push(`[${field}]`);
+        }
+    }
+    const whereClause = config.where ? ` WHERE ${config.where}` : '';
+    const orderByClause = config.orderBy
+        ? `ORDER BY ${bracketOrderBy(config.orderBy)}`
+        : `ORDER BY [${config.label}] ASC`;
+    return `SELECT ${selectParts.join(', ')} FROM [${config.from}]${whereClause} ${orderByClause}`;
+}
+function bracketOrderBy(orderBy) {
+    return orderBy.replace(/^(\w+)(\s+(?:ASC|DESC))?$/i, (_match, col, dir) => {
+        return `[${col}]${dir ?? ''}`;
+    });
+}
+//# sourceMappingURL=catalog-builder.js.map

package/dist/catalog-builder.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"catalog-builder.js","sourceRoot":"","sources":["../src/catalog-builder.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,qBAAqB,EAAE,MAAM,kCAAkC,CAAC;AAEzE,MAAM,UAAU,iBAAiB,CAAC,MAAqB;IACrD,IAAI,MAAM,CAAC,MAAM;QAAE,OAAO,IAAI,CAAC;IAE/B,IAAI,CAAC,MAAM,CAAC,IAAI;QAAE,OAAO,IAAI,CAAC;IAE9B,qBAAqB,CAAC,MAAM,CAAC,IAAI,EAAE,cAAc,CAAC,CAAC;IAEnD,IAAI,MAAM,CAAC,QAAQ,EAAE,CAAC;QACpB,qBAAqB,CAAC,MAAM,CAAC,QAAQ,EAAE,kBAAkB,CAAC,CAAC;QAC3D,MAAM,aAAa,GAAG,MAAM,CAAC,OAAO;YAClC,CAAC,CAAC,YAAY,cAAc,CAAC,MAAM,CAAC,OAAO,CAAC,EAAE;YAC9C,CAAC,CAAC,aAAa,MAAM,CAAC,QAAQ,OAAO,CAAC;QACxC,OAAO,oBAAoB,MAAM,CAAC,QAAQ,kBAAkB,MAAM,CAAC,QAAQ,sBAAsB,MAAM,CAAC,IAAI,KAAK,aAAa,EAAE,CAAC;IACnI,CAAC;IAED,qBAAqB,CAAC,MAAM,CAAC,KAAM,EAAE,eAAe,CAAC,CAAC;IACtD,qBAAqB,CAAC,MAAM,CAAC,KAAM,EAAE,eAAe,CAAC,CAAC;IAEtD,MAAM,WAAW,GAAG,CAAC,IAAI,MAAM,CAAC,KAAK,cAAc,EAAE,IAAI,MAAM,CAAC,KAAK,cAAc,CAAC,CAAC;IAErF,IAAI,MAAM,CAAC,KAAK,EAAE,CAAC;QACjB,KAAK,MAAM,KAAK,IAAI,MAAM,CAAC,KAAK,EAAE,CAAC;YACjC,qBAAqB,CAAC,KAAK,EAAE,eAAe,CAAC,CAAC;YAC9C,WAAW,CAAC,IAAI,CAAC,IAAI,KAAK,GAAG,CAAC,CAAC;QACjC,CAAC;IACH,CAAC;IAED,MAAM,WAAW,GAAG,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,UAAU,MAAM,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;IACjE,MAAM,aAAa,GAAG,MAAM,CAAC,OAAO;QAClC,CAAC,CAAC,YAAY,cAAc,CAAC,MAAM,CAAC,OAAO,CAAC,EAAE;QAC9C,CAAC,CAAC,aAAa,MAAM,CAAC,KAAK,OAAO,CAAC;IAErC,OAAO,UAAU,WAAW,CAAC,IAAI,CAAC,IAAI,CAAC,UAAU,MAAM,CAAC,IAAI,IAAI,WAAW,IAAI,aAAa,EAAE,CAAC;AACjG,CAAC;AAED,SAAS,cAAc,CAAC,OAAe;IACrC,OAAO,OAAO,CAAC,OAAO,CAAC,4BAA4B,EAAE,CAAC,MAAM,EAAE,GAAW,EAAE,GAAuB,EAAE,EAAE;QACpG,OAAO,IAAI,GAAG,IAAI,GAAG,IAAI,EAAE,EAAE,CAAC;IAChC,CAAC,CAAC,CAAC;AACL,CAAC"}

package/dist/connection.d.ts

@@ -0,0 +1,4 @@
+import { type ConnectionPool } from 'mssql';
+import type { ConnectionConfig } from './types.js';
+export declare function createConnectionPool(config: ConnectionConfig): Promise<ConnectionPool>;
+//# sourceMappingURL=connection.d.ts.map

package/dist/connection.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"connection.d.ts","sourceRoot":"","sources":["../src/connection.ts"],"names":[],"mappings":"AAAA,OAAY,EAAE,KAAK,cAAc,EAAE,MAAM,OAAO,CAAC;AACjD,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,YAAY,CAAC;AAGnD,wBAAsB,oBAAoB,CAAC,MAAM,EAAE,gBAAgB,GAAG,OAAO,CAAC,cAAc,CAAC,CAgB5F"}

package/dist/connection.js

@@ -0,0 +1,18 @@
+import sql from 'mssql';
+import { resolveEnvVars } from './spec-loader.js';
+export async function createConnectionPool(config) {
+    const resolved = resolveEnvVars(config);
+    const pool = new sql.ConnectionPool({
+        server: resolved.server,
+        database: resolved.database,
+        user: resolved.user,
+        password: resolved.password,
+        port: resolved.port ?? 1433,
+        options: {
+            trustServerCertificate: resolved.trustServerCertificate ?? true,
+        },
+    });
+    await pool.connect();
+    return pool;
+}
+//# sourceMappingURL=connection.js.map

package/dist/connection.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"connection.js","sourceRoot":"","sources":["../src/connection.ts"],"names":[],"mappings":"AAAA,OAAO,GAA4B,MAAM,OAAO,CAAC;AAEjD,OAAO,EAAE,cAAc,EAAE,MAAM,kBAAkB,CAAC;AAElD,MAAM,CAAC,KAAK,UAAU,oBAAoB,CAAC,MAAwB;IACjE,MAAM,QAAQ,GAAG,cAAc,CAAC,MAA4C,CAAC,CAAC;IAE9E,MAAM,IAAI,GAAG,IAAI,GAAG,CAAC,cAAc,CAAC;QAClC,MAAM,EAAE,QAAQ,CAAC,MAAgB;QACjC,QAAQ,EAAE,QAAQ,CAAC,QAAkB;QACrC,IAAI,EAAE,QAAQ,CAAC,IAA0B;QACzC,QAAQ,EAAE,QAAQ,CAAC,QAA8B;QACjD,IAAI,EAAG,QAAQ,CAAC,IAAe,IAAI,IAAI;QACvC,OAAO,EAAE;YACP,sBAAsB,EAAG,QAAQ,CAAC,sBAAkC,IAAI,IAAI;SAC7E;KACF,CAAC,CAAC;IAEH,MAAM,IAAI,CAAC,OAAO,EAAE,CAAC;IACrB,OAAO,IAAI,CAAC;AACd,CAAC"}

package/dist/crud-builder.d.ts

@@ -0,0 +1,14 @@
+export declare function filterFields(body: Record<string, unknown>, allowedFields: string[]): Record<string, unknown>;
+export declare function buildInsertQuery(table: string, fields: Record<string, unknown>, primaryKey?: string): {
+    sql: string;
+    params: Record<string, unknown>;
+};
+export declare function buildUpdateQuery(table: string, primaryKey: string, pkValue: unknown, fields: Record<string, unknown>): {
+    sql: string;
+    params: Record<string, unknown>;
+};
+export declare function buildDeleteQuery(table: string, primaryKey: string, pkValue: unknown): {
+    sql: string;
+    params: Record<string, unknown>;
+};
+//# sourceMappingURL=crud-builder.d.ts.map

package/dist/crud-builder.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"crud-builder.d.ts","sourceRoot":"","sources":["../src/crud-builder.ts"],"names":[],"mappings":"AAEA,wBAAgB,YAAY,CAAC,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAAE,aAAa,EAAE,MAAM,EAAE,GAAG,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAS5G;AAED,wBAAgB,gBAAgB,CAC9B,KAAK,EAAE,MAAM,EACb,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAC/B,UAAU,CAAC,EAAE,MAAM,GAClB;IAAE,GAAG,EAAE,MAAM,CAAC;IAAC,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAA;CAAE,CAelD;AAED,wBAAgB,gBAAgB,CAC9B,KAAK,EAAE,MAAM,EACb,UAAU,EAAE,MAAM,EAClB,OAAO,EAAE,OAAO,EAChB,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAC9B;IAAE,GAAG,EAAE,MAAM,CAAC;IAAC,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAA;CAAE,CAUlD;AAED,wBAAgB,gBAAgB,CAC9B,KAAK,EAAE,MAAM,EACb,UAAU,EAAE,MAAM,EAClB,OAAO,EAAE,OAAO,GACf;IAAE,GAAG,EAAE,MAAM,CAAC;IAAC,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAA;CAAE,CAKlD"}

package/dist/crud-builder.js

@@ -0,0 +1,43 @@
+import { assertValidIdentifier } from './validation/identifier-guard.js';
+export function filterFields(body, allowedFields) {
+    const filtered = {};
+    const allowed = new Set(allowedFields);
+    for (const [key, value] of Object.entries(body)) {
+        if (allowed.has(key)) {
+            filtered[key] = value;
+        }
+    }
+    return filtered;
+}
+export function buildInsertQuery(table, fields, primaryKey) {
+    assertValidIdentifier(table, 'crud.table');
+    const columns = Object.keys(fields);
+    for (const col of columns) {
+        assertValidIdentifier(col, 'crud field');
+    }
+    const columnsList = columns.map(c => `[${c}]`).join(', ');
+    const paramsList = columns.map(c => `@${c}`).join(', ');
+    // Trigger-safe: INSERT + SELECT back by SCOPE_IDENTITY() instead of OUTPUT INSERTED.*
+    const selectBack = primaryKey
+        ? `; SELECT * FROM [${table}] WHERE [${primaryKey}] = SCOPE_IDENTITY()`
+        : '';
+    const sql = `INSERT INTO [${table}] (${columnsList}) VALUES (${paramsList})${selectBack}`;
+    return { sql, params: { ...fields } };
+}
+export function buildUpdateQuery(table, primaryKey, pkValue, fields) {
+    assertValidIdentifier(table, 'crud.table');
+    assertValidIdentifier(primaryKey, 'crud.primaryKey');
+    for (const col of Object.keys(fields)) {
+        assertValidIdentifier(col, 'crud field');
+    }
+    const setClauses = Object.keys(fields).map(c => `[${c}] = @${c}`).join(', ');
+    const sql = `UPDATE [${table}] SET ${setClauses} WHERE [${primaryKey}] = @_pkValue; SELECT * FROM [${table}] WHERE [${primaryKey}] = @_pkValue`;
+    return { sql, params: { ...fields, _pkValue: pkValue } };
+}
+export function buildDeleteQuery(table, primaryKey, pkValue) {
+    assertValidIdentifier(table, 'crud.table');
+    assertValidIdentifier(primaryKey, 'crud.primaryKey');
+    const sql = `DELETE FROM [${table}] WHERE [${primaryKey}] = @_pkValue`;
+    return { sql, params: { _pkValue: pkValue } };
+}
+//# sourceMappingURL=crud-builder.js.map

package/dist/crud-builder.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"crud-builder.js","sourceRoot":"","sources":["../src/crud-builder.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,qBAAqB,EAAE,MAAM,kCAAkC,CAAC;AAEzE,MAAM,UAAU,YAAY,CAAC,IAA6B,EAAE,aAAuB;IACjF,MAAM,QAAQ,GAA4B,EAAE,CAAC;IAC7C,MAAM,OAAO,GAAG,IAAI,GAAG,CAAC,aAAa,CAAC,CAAC;IACvC,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC;QAChD,IAAI,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC,EAAE,CAAC;YACrB,QAAQ,CAAC,GAAG,CAAC,GAAG,KAAK,CAAC;QACxB,CAAC;IACH,CAAC;IACD,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,MAAM,UAAU,gBAAgB,CAC9B,KAAa,EACb,MAA+B,EAC/B,UAAmB;IAEnB,qBAAqB,CAAC,KAAK,EAAE,YAAY,CAAC,CAAC;IAC3C,MAAM,OAAO,GAAG,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;IACpC,KAAK,MAAM,GAAG,IAAI,OAAO,EAAE,CAAC;QAC1B,qBAAqB,CAAC,GAAG,EAAE,YAAY,CAAC,CAAC;IAC3C,CAAC;IACD,MAAM,WAAW,GAAG,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAC1D,MAAM,UAAU,GAAG,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAExD,sFAAsF;IACtF,MAAM,UAAU,GAAG,UAAU;QAC3B,CAAC,CAAC,oBAAoB,KAAK,YAAY,UAAU,sBAAsB;QACvE,CAAC,CAAC,EAAE,CAAC;IACP,MAAM,GAAG,GAAG,gBAAgB,KAAK,MAAM,WAAW,aAAa,UAAU,IAAI,UAAU,EAAE,CAAC;IAC1F,OAAO,EAAE,GAAG,EAAE,MAAM,EAAE,EAAE,GAAG,MAAM,EAAE,EAAE,CAAC;AACxC,CAAC;AAED,MAAM,UAAU,gBAAgB,CAC9B,KAAa,EACb,UAAkB,EAClB,OAAgB,EAChB,MAA+B;IAE/B,qBAAqB,CAAC,KAAK,EAAE,YAAY,CAAC,CAAC;IAC3C,qBAAqB,CAAC,UAAU,EAAE,iBAAiB,CAAC,CAAC;IACrD,KAAK,MAAM,GAAG,IAAI,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,EAAE,CAAC;QACtC,qBAAqB,CAAC,GAAG,EAAE,YAAY,CAAC,CAAC;IAC3C,CAAC;IACD,MAAM,UAAU,GAAG,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,IAAI,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAE7E,MAAM,GAAG,GAAG,WAAW,KAAK,SAAS,UAAU,WAAW,UAAU,iCAAiC,KAAK,YAAY,UAAU,eAAe,CAAC;IAChJ,OAAO,EAAE,GAAG,EAAE,MAAM,EAAE,EAAE,GAAG,MAAM,EAAE,QAAQ,EAAE,OAAO,EAAE,EAAE,CAAC;AAC3D,CAAC;AAED,MAAM,UAAU,gBAAgB,CAC9B,KAAa,EACb,UAAkB,EAClB,OAAgB;IAEhB,qBAAqB,CAAC,KAAK,EAAE,YAAY,CAAC,CAAC;IAC3C,qBAAqB,CAAC,UAAU,EAAE,iBAAiB,CAAC,CAAC;IACrD,MAAM,GAAG,GAAG,gBAAgB,KAAK,YAAY,UAAU,eAAe,CAAC;IACvE,OAAO,EAAE,GAAG,EAAE,MAAM,EAAE,EAAE,QAAQ,EAAE,OAAO,EAAE,EAAE,CAAC;AAChD,CAAC"}

package/dist/handler-loader.d.ts

@@ -0,0 +1,9 @@
+import type { Handler } from './types.js';
+export declare function discoverHandlers(handlersDir: string): Promise<Map<string, Handler>>;
+export declare function validateHandlerRefs(refs: string[], handlers: Map<string, Handler>): string[];
+export declare function getHandlerRefs(spec: {
+    endpoints?: Record<string, {
+        handler?: string;
+    }>;
+}): string[];
+//# sourceMappingURL=handler-loader.d.ts.map

package/dist/handler-loader.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"handler-loader.d.ts","sourceRoot":"","sources":["../src/handler-loader.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,YAAY,CAAC;AAK1C,wBAAsB,gBAAgB,CAAC,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,GAAG,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC,CA0BzF;AAED,wBAAgB,mBAAmB,CACjC,IAAI,EAAE,MAAM,EAAE,EACd,QAAQ,EAAE,GAAG,CAAC,MAAM,EAAE,OAAO,CAAC,GAC7B,MAAM,EAAE,CAQV;AAED,wBAAgB,cAAc,CAAC,IAAI,EAAE;IAAE,SAAS,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE;QAAE,OAAO,CAAC,EAAE,MAAM,CAAA;KAAE,CAAC,CAAA;CAAE,GAAG,MAAM,EAAE,CAKnG"}

package/dist/handler-loader.js

@@ -0,0 +1,42 @@
+import fs from 'fs';
+import path from 'path';
+import { pathToFileURL } from 'url';
+export async function discoverHandlers(handlersDir) {
+    const handlers = new Map();
+    if (!fs.existsSync(handlersDir)) {
+        return handlers;
+    }
+    const files = fs.readdirSync(handlersDir).filter(f => f.endsWith('.ts') || f.endsWith('.js') || f.endsWith('.mjs'));
+    for (const file of files) {
+        const name = path.basename(file, path.extname(file));
+        const fullPath = path.resolve(handlersDir, file);
+        try {
+            const mod = await import(pathToFileURL(fullPath).href);
+            const handler = mod.default;
+            if (typeof handler === 'function') {
+                handlers.set(name, handler);
+            }
+        }
+        catch {
+            // Skip files that fail to import
+        }
+    }
+    return handlers;
+}
+export function validateHandlerRefs(refs, handlers) {
+    const errors = [];
+    for (const ref of refs) {
+        if (!handlers.has(ref)) {
+            errors.push(`Handler "${ref}" referenced in spec but not found in handlers directory`);
+        }
+    }
+    return errors;
+}
+export function getHandlerRefs(spec) {
+    if (!spec.endpoints)
+        return [];
+    return Object.values(spec.endpoints)
+        .filter(e => e.handler)
+        .map(e => e.handler);
+}
+//# sourceMappingURL=handler-loader.js.map