npm - pipework - Versions diffs - 0.7.11 → 0.7.12 - Mend

pipework 0.7.11 → 0.7.12

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (51) hide show

package/CHANGELOG.md +12 -0
package/REFERENCE.md +778 -0
package/dist/REFERENCE.md +844 -0
package/dist/cli/commands/run.d.ts.map +1 -1
package/dist/cli/commands/run.js +0 -2
package/dist/cli/commands/run.js.map +1 -1
package/dist/cli/commands/test.d.ts.map +1 -1
package/dist/cli/commands/test.js +0 -2
package/dist/cli/commands/test.js.map +1 -1
package/dist/cli/index.d.ts.map +1 -1
package/dist/cli/index.js +2 -0
package/dist/cli/index.js.map +1 -1
package/dist/db/excluded.d.ts +7 -0
package/dist/db/excluded.d.ts.map +1 -0
package/dist/db/excluded.js +11 -0
package/dist/db/excluded.js.map +1 -0
package/dist/db/index.d.ts +1 -0
package/dist/db/index.d.ts.map +1 -1
package/dist/db/index.js +1 -0
package/dist/db/index.js.map +1 -1
package/dist/db/namespace.d.ts +5 -0
package/dist/db/namespace.d.ts.map +1 -1
package/dist/db/namespace.js +5 -0
package/dist/db/namespace.js.map +1 -1
package/dist/domain/field.d.ts +4 -2
package/dist/domain/field.d.ts.map +1 -1
package/dist/domain/field.js.map +1 -1
package/dist/domain/index.d.ts +1 -1
package/dist/domain/index.d.ts.map +1 -1
package/dist/domain/types.d.ts +19 -6
package/dist/domain/types.d.ts.map +1 -1
package/dist/index.d.ts +1 -1
package/dist/index.d.ts.map +1 -1
package/dist/index.js +1 -1
package/dist/index.js.map +1 -1
package/dist/log/namespace.d.ts +1 -1
package/dist/logging/index.d.ts +1 -1
package/dist/logging/index.d.ts.map +1 -1
package/dist/logging/proxy.d.ts +2 -2
package/dist/logging/proxy.d.ts.map +1 -1
package/dist/logging/proxy.js +9 -2
package/dist/logging/proxy.js.map +1 -1
package/dist/logging/types.d.ts +7 -0
package/dist/logging/types.d.ts.map +1 -1
package/dist/temporal/definition-queries.d.ts +5 -5
package/dist/temporal/definition-queries.d.ts.map +1 -1
package/dist/temporal/definition-queries.js.map +1 -1
package/dist/vector/query.d.ts +1 -1
package/dist/vector/query.d.ts.map +1 -1
package/dist/vector/query.js.map +1 -1
package/package.json +3 -2

package/REFERENCE.md ADDED Viewed

@@ -0,0 +1,778 @@
+# Pipework API Reference
+> Auto-generated from source JSDoc. Do not edit manually.
+> Generated: 2026-05-07
+## Contents
+- [Core](#core)
+- [audit — Audit Logging](#audit-audit-logging)
+- [auth — Authentication](#auth-authentication)
+- [behavior — Resource Decorators](#behavior-resource-decorators)
+- [cache — Caching](#cache-caching)
+- [config — Configuration](#config-configuration)
+- [pipe — Database](#pipe-database)
+- [errors — Error Classes](#errors-error-classes)
+- [fitting — Dependency Injection](#fitting-dependency-injection)
+- [fixture — REST Resources](#fixture-rest-resources)
+- [flow — Context (AsyncLocalStorage)](#flow-context-asynclocalstorage)
+- [http — Server](#http-server)
+- [jobs — Background Jobs](#jobs-background-jobs)
+- [lifecycle — Startup & Shutdown](#lifecycle-startup-shutdown)
+- [log — Structured Logging](#log-structured-logging)
+- [openapi — API Documentation](#openapi-api-documentation)
+- [pipeline — Multi-Step Pipelines](#pipeline-multi-step-pipelines)
+- [rbac — Access Control](#rbac-access-control)
+- [schema — Validation & Schema](#schema-validation-schema)
+- [state](#state)
+- [surface — Entry Points](#surface-entry-points)
+- [temporal — Bitemporal Data](#temporal-bitemporal-data)
+- [tenant — Multi-Tenancy](#tenant-multi-tenancy)
+- [vector — Vector & Full-Text Search](#vector-vector-full-text-search)
+- [webhook — Inbound & Outbound Webhooks](#webhook-inbound-outbound-webhooks)
+## Core
+Application instance and foundational types.
+### `createManifold`
+Creates the Pipework application instance. This is the entry point for every Pipework app. Define in `pipework.config.ts` and export as default. /
+```typescript
+function createManifold<const TEnv extends EnvDefs = EnvDefs>( raw: Omit<Blueprint, 'env'> &
+```
+### Types
+**`Manifold`** — The application instance — holds config, connection pools, surfaces, and lifecycle.
+```typescript
+interface Manifold<TEnv extends EnvDefs = EnvDefs>
+```
+**`PoolState`** — Manages database connection pools keyed by database name.
+```typescript
+interface PoolState
+```
+**`IsolationState`** — Tracks test isolation lifecycle — detects leaked isolation contexts.
+```typescript
+interface IsolationState
+```
+**`ConnectionTracker`** — Tracks active database connections for leak detection.
+```typescript
+interface ConnectionTracker
+```
+## audit — Audit Logging
+Audit logging namespace — structured audit trail for data changes.
+### `audit.create`
+Creates an Audit instance that writes audit records to a Postgres table.
+## auth — Authentication
+Authentication namespace — session management, multi-org support, auth chain resolution.
+### `auth.createSessions`
+Creates a Sessions manager with JWT access/refresh tokens, rotation, and reuse detection.
+### `auth.createMultiOrg`
+Creates multi-org session management — org selection, switching, membership CRUD.
+### `auth.runChain`
+Executes an auth chain (strategy pipeline) to resolve auth + tenant from a request.
+### `auth.resolveCookie`
+Resolves CookieConfig with defaults for secure cookie-based token delivery.
+### `auth.parseCookie`
+Parses a Cookie header string into key-value pairs.
+### `auth.buildSetCookie`
+Builds a Set-Cookie header string from name, value, and CookieConfig.
+### `auth.buildClearCookie`
+Builds a Set-Cookie header that clears (expires) a cookie.
+### Types
+**`AuthContext`** — Runtime auth context passed to strategies — carries the resolved DB and request metadata.
+```typescript
+interface AuthContext
+```
+**`AuthStrategy`** — Pluggable auth strategy — implement authenticate() to extract auth from a request.
+```typescript
+interface AuthStrategy<TAuth>
+```
+**`AuthRequest`** — Normalized request shape passed to auth strategies — headers, cookies, method, url.
+```typescript
+interface AuthRequest
+```
+**`BaseAuth`** — Minimum auth shape — userId and tenantId. Extend for app-specific auth fields.
+```typescript
+interface BaseAuth
+```
+**`AuthEnricher`** — Post-authentication hook — enrich the resolved auth with additional data (roles, permissions, etc.).
+```typescript
+interface AuthEnricher<TAuth>
+```
+**`TenantResolver`** — Resolves tenant ID from auth context — called after authentication in the chain.
+```typescript
+interface TenantResolver<TAuth>
+```
+**`AuthChainConfig`** — Configuration for the auth chain — strategies, enrichers, tenant resolver.
+```typescript
+interface AuthChainConfig<TAuth>
+```
+**`SessionConfig`** — Session configuration — signing keys, issuer, audience, token TTLs, refresh rotation.
+```typescript
+interface SessionConfig
+```
+**`TokenPair`** — Access + refresh token pair returned by issueTokens().
+```typescript
+interface TokenPair
+```
+**`TokenPayload`** — Decoded JWT payload — userId, tenantId, roles, version.
+```typescript
+interface TokenPayload
+```
+**`HttpTokenResult`** — Result from HTTP token operations — the token pair plus whether cookies were set.
+```typescript
+interface HttpTokenResult
+```
+**`Sessions`** — Session manager with JWT issue/refresh/revoke lifecycle and cookie-based HTTP helpers.
+```typescript
+interface Sessions
+```
+**`CookieConfig`** — Cookie configuration for token delivery — name, domain, path, secure, sameSite, httpOnly.
+```typescript
+interface CookieConfig
+```
+**`MultiOrgConfig`** — Configuration for multi-org sessions — base sessions, signing keys, org-select token TTL.
+```typescript
+interface MultiOrgConfig
+```
+**`OrgMembership`** — A user's membership in an organization — userId, orgId, role.
+```typescript
+interface OrgMembership
+```
+**`OrgInfo`** — Basic organization info — id and display name.
+```typescript
+interface OrgInfo
+```
+**`OrgMembershipDetail`** — Organization membership with display name — extends OrgMembership with org info.
+```typescript
+interface OrgMembershipDetail
+```
+**`AuthenticatedResult`** — Result when user has exactly one org — direct authentication, no org selection needed.
+```typescript
+interface AuthenticatedResult
+```
+**`OrgSelectResult`** — Result when user has multiple orgs — returns a session token for org selection.
+```typescript
+interface OrgSelectResult
+```
+**`ResolveLoginResult`** — Union result from resolveLogin() — either AuthenticatedResult or OrgSelectResult.
+```typescript
+type ResolveLoginResult = AuthenticatedResult | OrgSelectResult
+```
+**`MultiOrgSessions`** — Multi-org session manager — login resolution, org selection, switching, membership CRUD.
+```typescript
+interface MultiOrgSessions
+```
+## behavior — Resource Decorators
+Resource behavior decorators — compose versioning, audit trails, and cache invalidation onto CRUD operations.
+### `behavior.compose`
+Applies multiple behaviors to a ResourceOperations set in order.
+### `behavior.versioned`
+Adds optimistic concurrency control via a version column — rejects stale updates.
+### `behavior.audited`
+Wraps operations to emit audit records on create/update/delete.
+### `behavior.invalidate`
+Wraps operations to invalidate a cache on mutations. Returns ops with an attached .cache handle.
+## cache — Caching
+In-memory caching namespace — TTL-based with stats, preload, and tenant-aware variants.
+### `cache.create`
+Creates a single-key cache with TTL, a loader function, and invalidation.
+### `cache.createTenant`
+Creates a per-tenant cache — each tenant gets its own TTL and loader keyed by tenant ID.
+## config — Configuration
+Configuration namespace — loads and resolves Blueprint configs, discovers pipework.config.ts.
+### `config.load`
+Parses and resolves a raw Blueprint into a ResolvedConfig with environment detection.
+### `config.discover`
+Walks up from cwd to find pipework.config.ts, imports it, and returns the Manifold.
+### `config.configSchema`
+The zod schema for Blueprint validation — useful for custom config tooling.
+### `config.ConfigError`
+Thrown for configuration problems — includes a suggestion for how to fix.
+## pipe — Database
+Database accessor — returns a Drizzle DB instance scoped to the current request/job/test context. Requires active AsyncLocalStorage context.
+### `pipe.unscoped`
+Bypasses tenant scoping for admin/cross-tenant queries. Still requires ALS context.
+### `pipe.filter`
+Query operators and aggregates — eq, gt, lt, and, or, count, sum, etc.
+### `pipe.sql`
+SQL template tag for raw SQL expressions — pipe.sql\`NOW()\`.
+### `pipe.migrate`
+Runs migrations for all configured databases.
+### `pipe.migrateOne`
+Runs migrations for a single named database.
+## errors — Error Classes
+Standard error classes — all extend PipeworkError with structured error codes and actionable messages.
+### `errors.Base`
+Base error class with code, statusCode, and suggestion fields.
+### `errors.NotFound`
+404 — resource not found.
+### `errors.Unauthorized`
+401 — missing or invalid authentication.
+### `errors.Forbidden`
+403 — authenticated but insufficient permissions.
+### `errors.Validation`
+422 — input validation failed, carries field-level details.
+### `errors.Conflict`
+409 — resource state conflict (duplicate, version mismatch).
+## fitting — Dependency Injection
+## fixture — REST Resources
+REST resource builder namespace — declarative CRUD with cursor pagination and batch operations.
+### `fixture.register`
+Registers a Resource's routes on a Fastify instance.
+### `fixture.build`
+Builds a Resource from a name, operations map, and builder state — used internally by fitting().fixture().
+### `fixture.encodeCursor`
+Encodes pagination cursor values into an opaque base64 string.
+### `fixture.decodeCursor`
+Decodes an opaque pagination cursor back into its values.
+### `fixture.buildPage`
+Builds a PageResult from rows, limit, and cursor extractor — handles hasMore detection.
+### `fixture.validateBatch`
+Validates a batch request body (preview/execute mode, targets, actions).
+### `fixture.MethodNotAllowedError`
+Thrown when a resource doesn't support the requested HTTP method.
+## flow — Context (AsyncLocalStorage)
+AsyncLocalStorage context namespace — manages request/job/test contexts that carry auth, tenant, transactions.
+### `flow.run`
+Executes a function within a Flow context (AsyncLocalStorage). All pipe() calls inside will use this context.
+### `flow.require`
+Returns the current Flow or throws — use in code that must run inside a managed context.
+### `flow.get`
+Returns the current Flow or undefined — use for optional context detection.
+### `flow.createRequest`
+Creates a Flow for an HTTP request with auth, tenant, and request metadata.
+### `flow.createJob`
+Creates a Flow for a background job with optional auth and tenant.
+### `flow.createTest`
+Creates a Flow for test isolation with optional auth and tenant overrides.
+### `flow.verifyBinding`
+Defense-in-depth: verifies a transaction's nonce/tenant matches the current context.
+### `flow.bindTransaction`
+Binds a Drizzle transaction to the current context with nonce fingerprinting.
+## http — Server
+HTTP server namespace — Fastify wrapper with automatic request IDs, CORS, rate limiting, and transaction-per-request.
+### `http.createServer`
+Creates a PipeworkServer (Fastify wrapper) with production validation, auto request IDs, and transaction management.
+### Types
+**`CorsConfig`** — CORS configuration — origin, methods, headers, credentials, maxAge.
+```typescript
+interface CorsConfig
+```
+**`SecurityConfig`** — Security header configuration — passed to @fastify/helmet.
+```typescript
+interface SecurityConfig
+```
+**`RateLimitConfig`** — Rate limiting configuration — max requests, time window, key generator.
+```typescript
+interface RateLimitConfig
+```
+**`InjectOptions`** — Options for server.inject() — method, url, headers, payload for testing without HTTP.
+```typescript
+interface InjectOptions
+```
+**`InjectResponse`** — Response from server.inject() — statusCode, headers, body, json() helper.
+```typescript
+interface InjectResponse
+```
+**`ServerConfig`** — Configuration for http.createServer() — CORS, security headers, rate limiting, transaction timeout.
+```typescript
+interface ServerConfig
+```
+**`HandlerResponse`** — Standard handler response shape — statusCode, headers, body.
+```typescript
+interface HandlerResponse
+```
+**`ErrorResponse`** — Standard error response shape — { error: { code, message }, statusCode }.
+```typescript
+interface ErrorResponse
+```
+**`PipeworkServer`** — Fastify server wrapper with route registration, handler auto-wiring, and inject() for testing.
+```typescript
+interface PipeworkServer
+```
+**`HttpRequest`** — Fastify request with pipework extensions — req.id (UUID), typed headers.
+```typescript
+interface HttpRequest
+```
+**`HttpResponse`** — Fastify reply with pipework extensions.
+```typescript
+interface HttpResponse
+```
+## jobs — Background Jobs
+Background job queue namespace — Postgres-backed with SKIP LOCKED, LISTEN/NOTIFY, cron scheduling.
+### `jobs.createQueue`
+Creates a job queue with claim/complete/fail lifecycle, heartbeat, and dead letter requeue.
+### `jobs.execute`
+Executes a fitting handler as a background job with its own Flow context.
+### `jobs.parseCron`
+Parses a 5-field cron expression into a CronSchedule (minute, hour, dom, month, dow).
+### `jobs.nextTick`
+Computes the next fire time for a CronSchedule after a given date, with optional timezone.
+## lifecycle — Startup & Shutdown
+Application lifecycle namespace — startup orchestration with hooks and timeouts.
+### `lifecycle.orchestrate`
+Runs pre-start hooks (DB readiness checks, migrations, etc.) with a configurable timeout.
+## log — Structured Logging
+Structured logger (Pino) — auto-binds requestId, tenantId, userId, sessionId from ALS context on every log call.
+### `log.create`
+Creates a new PipeworkLogger instance with custom config (level, redaction, transport).
+### `log.get`
+Returns the context-aware logger proxy (same as the log export itself).
+### `log.getBase`
+Returns the raw Pino logger without ALS context binding.
+### `log.configure`
+Sets global logging config (level, redaction paths, custom context fields).
+### `log.REDACT_PATHS`
+Default redaction paths — password, secret, token, authorization, cookie, etc.
+## openapi — API Documentation
+OpenAPI spec generation namespace.
+### `openapi.generate`
+Generates an OpenAPI 3.1 document from route registrations — schemas derived from fitting() input/output.
+## pipeline — Multi-Step Pipelines
+Multi-step pipeline namespace — define, execute, pause, and resume ordered step sequences.
+### `pipeline.define`
+Defines a pipeline from a config of named steps with handlers. Returns a Pipeline with execute/resume/getStatus.
+### `pipeline.PipelineStepError`
+Thrown when an individual pipeline step fails.
+### `pipeline.PipelineResumeError`
+Thrown when resuming a pipeline from an invalid state.
+## rbac — Access Control
+Role-based access control namespace — permission checking, enforcement, scope hierarchy.
+### `rbac.create`
+Creates an Rbac instance from config (roles, permissions, hierarchy).
+### `rbac.check`
+Checks if a permission set includes the required resource/action/scope. Pure function, no DB.
+### `rbac.enforce`
+Checks permission and throws ForbiddenError if denied. Loads permissions from DB with caching.
+### `rbac.satisfies`
+Checks if a granted scope satisfies a required scope given a hierarchy (e.g. org > team > self).
+### `rbac.PermissionCache`
+LRU cache for resolved permissions — avoids repeated DB lookups within a request.
+## schema — Validation & Schema
+Schema definition and validation namespace — wraps zod for validation, drizzle for table/column/index definitions.
+### `schema.check`
+Validation sub-namespace — type constructors, combinators, formats, coerce, parse, tryParse, toJsonSchema, branded.
+### `schema.col`
+Column type builders for table definitions — text, uuid, integer, timestamp, jsonb, boolean, varchar, etc.
+### `schema.idx`
+Index and constraint builders — index, uniqueIndex, primaryKey, foreignKey, unique, check.
+### Types
+**`Schema`** — Any validation schema — the base type accepted by .input(), .query(), .params() in the fitting builder.
+```typescript
+type Schema<T = unknown> = z.ZodType<T>
+```
+**`Infer`** — Extracts the TypeScript type from a Schema — Infer<typeof mySchema> gives you the validated type.
+```typescript
+type Infer<T extends Schema> = z.infer<T>
+```
+## state
+State machine namespace — define valid transitions with guards and side effects.
+### `state.define`
+Defines a state machine from states, transitions, guards, and effects. Returns a StateMachine with transition/canTransition.
+### `state.InvalidTransitionError`
+Thrown when a transition is not allowed from the current state.
+### `state.InvalidStateMachineError`
+Thrown when the state machine definition is internally inconsistent.
+## surface — Entry Points
+Surface namespace — declarative entry points that define how the app runs (HTTP server, background worker, one-shot script).
+### `surface.http`
+Creates an HTTP surface — a Fastify server with routes, middleware, and production validation.
+### `surface.worker`
+Creates a worker surface — a long-running process that claims and executes jobs from queues.
+### `surface.script`
+Creates a script surface — a one-shot process that runs and exits (migrations, seeds, CLI tools).
+## temporal — Bitemporal Data
+Temporal (bitemporal) data namespace — version history with effective date ranges.
+### `temporal.columns`
+Returns the standard temporal column definitions (effectiveFrom, effectiveTo, version, createdBy) for table schemas.
+### `temporal.revise`
+Creates a new version of a temporal record, closing the previous version's effectiveTo.
+### `temporal.close`
+Closes a temporal record by setting effectiveTo to now. Returns number of rows affected.
+### `temporal.current`
+Fetches the currently-effective version of a temporal record (effectiveTo IS NULL).
+### `temporal.atTime`
+Returns a SQL condition for records effective at a specific point in time.
+### `temporal.between`
+Returns a SQL condition for records overlapping a date range.
+### `temporal.TemporalIntegrityError`
+Thrown when a temporal operation would violate version continuity.
+## tenant — Multi-Tenancy
+Multi-tenant isolation namespace — RLS policies, tenant extraction, Postgres-side verification.
+### `tenant.validate`
+Validates a tenant ID format (non-empty string, safe characters).
+### `tenant.rls`
+Enables RLS on a table and creates the tenant isolation policy in Postgres.
+### `tenant.policy`
+Returns the SQL string for a tenant isolation RLS policy — use in migrations.
+### `tenant.verify`
+Cross-checks ALS tenant against Postgres set_config('pipework.tenant_id') — defense-in-depth.
+### `tenant.propagate`
+Sets pipework.tenant_id on the Postgres connection via set_config().
+### `tenant.extract`
+Extracts tenant ID from auth context using the configured extraction strategy.
+### `tenant.scoped`
+Marks a table as tenant-scoped — pipe() will auto-filter by tenant_id.
+### `tenant.isTenantScoped`
+Returns true if a table has been marked as tenant-scoped.
+## vector — Vector & Full-Text Search
+Vector and full-text search namespace — pgvector column types and similarity/ranking queries.
+### `vector.column`
+Defines a vector(N) column for embeddings.
+### `vector.tsvector`
+Defines a tsvector column for full-text search.
+### `vector.cosine`
+Cosine distance between a column and a query vector (lower = more similar).
+### `vector.cosineSimilarity`
+Cosine similarity (higher = more similar) — 1 - cosineDistance.
+### `vector.l2`
+L2 (Euclidean) distance between a column and a query vector.
+### `vector.innerProduct`
+Inner product between a column and a query vector.
+### `vector.toTsvector`
+Converts text to a tsvector for full-text indexing.
+### `vector.toTsquery`
+Converts a search query string to a tsquery.
+### `vector.rank`
+Computes ts_rank for full-text search result ordering.
+### `vector.validate`
+Verifies the pgvector extension is installed and accessible.
+## webhook — Inbound & Outbound Webhooks
+Webhook namespace — inbound verification, outbound delivery with retries, HMAC signing.
+### `webhook.defineInbound`
+Defines an inbound webhook handler with signature verification and optional idempotency.
+### `webhook.createOutbound`
+Creates an outbound webhook system — endpoint registration, payload signing, delivery with retries.
+### `webhook.sign`
+Signs a payload with HMAC for outbound delivery — returns body, signature, timestamp, messageId.