theokit 0.12.0 → 0.13.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (131) hide show
  1. package/dist/{actions-virtual-module-SQDY3V5X.js → actions-virtual-module-3CDQTWOC.js} +6 -6
  2. package/dist/{actions-virtual-module-PNPRCEOS.js → actions-virtual-module-EIPXX4ZB.js} +3 -3
  3. package/dist/adapters/web-shim.d.ts +67 -0
  4. package/dist/adapters/ws-shim.d.ts +55 -0
  5. package/dist/agent-events-DosDXkSV.d.ts +94 -0
  6. package/dist/agents-typed-client-SAWAAH7K.js +142 -0
  7. package/dist/agents-typed-client-SAWAAH7K.js.map +1 -0
  8. package/dist/agents-typed-client-UTEQUA63.js +143 -0
  9. package/dist/agents-typed-client-UTEQUA63.js.map +1 -0
  10. package/dist/{app-typed-client-5GYEOYP3.js → app-typed-client-7PBFWZUE.js} +3 -3
  11. package/dist/{app-typed-client-QG7BVZYW.js → app-typed-client-CSOK7NPC.js} +6 -6
  12. package/dist/audit-log-BQWM5YLG.d.ts +60 -0
  13. package/dist/body-parser-web-FV5HWCY3.js +71 -0
  14. package/dist/body-parser-web-FV5HWCY3.js.map +1 -0
  15. package/dist/boot/index.d.ts +39 -0
  16. package/dist/{build-QFRLSEZ4.js → build-HXND27XG.js} +11 -11
  17. package/dist/{chunk-223EFY5X.js → chunk-2J7XU3PW.js} +68 -27
  18. package/dist/chunk-2J7XU3PW.js.map +1 -0
  19. package/dist/{chunk-RESN62GB.js → chunk-2KZQPDYR.js} +5 -48
  20. package/dist/chunk-2KZQPDYR.js.map +1 -0
  21. package/dist/chunk-3S3BNW5K.js +445 -0
  22. package/dist/chunk-3S3BNW5K.js.map +1 -0
  23. package/dist/{chunk-6FYD34NX.js → chunk-BQDGES7C.js} +28 -28
  24. package/dist/{chunk-6FYD34NX.js.map → chunk-BQDGES7C.js.map} +1 -1
  25. package/dist/chunk-EXP56GFQ.js +52 -0
  26. package/dist/chunk-EXP56GFQ.js.map +1 -0
  27. package/dist/chunk-F4YUPDJ2.js +115 -0
  28. package/dist/chunk-F4YUPDJ2.js.map +1 -0
  29. package/dist/{chunk-NAZ4E2GT.js → chunk-KXA37ONC.js} +2 -2
  30. package/dist/chunk-NHJMZCAS.js +32 -0
  31. package/dist/chunk-NHJMZCAS.js.map +1 -0
  32. package/dist/{chunk-43D6XNDR.js → chunk-O62MW4MT.js} +91 -18
  33. package/dist/chunk-O62MW4MT.js.map +1 -0
  34. package/dist/chunk-RSVN727G.js +1 -0
  35. package/dist/{chunk-7CBRKNQA.js → chunk-RYTZYFSD.js} +198 -6
  36. package/dist/chunk-RYTZYFSD.js.map +1 -0
  37. package/dist/chunk-UNLA45FY.js +235 -0
  38. package/dist/chunk-UNLA45FY.js.map +1 -0
  39. package/dist/{chunk-GFMQJHXX.js → chunk-WR4F4EEZ.js} +1082 -1074
  40. package/dist/chunk-WR4F4EEZ.js.map +1 -0
  41. package/dist/{chunk-AD74EAK3.js → chunk-ZSTZXR2D.js} +1 -30
  42. package/dist/chunk-ZSTZXR2D.js.map +1 -0
  43. package/dist/cli/index.js +5 -5
  44. package/dist/client/index.d.ts +418 -0
  45. package/dist/client/index.js +84 -3
  46. package/dist/client/index.js.map +1 -1
  47. package/dist/csrf-BBrEZSBW.d.ts +107 -0
  48. package/dist/csrf-readiness-store-CjIoub3U.d.ts +43 -0
  49. package/dist/define-websocket-CdK94O-D.d.ts +64 -0
  50. package/dist/{dev-GBXOTXUP.js → dev-OWW4XVIH.js} +10 -10
  51. package/dist/{dev-emit-FEFEDLZF.js → dev-emit-5MDSBP5D.js} +3 -3
  52. package/dist/{dev-emit-O4EGOSNV.js → dev-emit-QH2YGZXN.js} +2 -2
  53. package/dist/devtools/entry.d.ts +5 -0
  54. package/dist/error-envelope-BsNzzAV5.d.ts +62 -0
  55. package/dist/health-route-C0hk64_U.d.ts +57 -0
  56. package/dist/index-B40qUSrQ.d.ts +575 -0
  57. package/dist/index.d.ts +361 -0
  58. package/dist/index.js +6 -4
  59. package/dist/index.js.map +1 -1
  60. package/dist/internal-api-4YTJDITC.js +83 -0
  61. package/dist/internal-api-EFKZWIYZ.js +66 -0
  62. package/dist/internal-api-EFKZWIYZ.js.map +1 -0
  63. package/dist/job-backend-CgC8Xf33.d.ts +68 -0
  64. package/dist/match-CfbEFRG4.d.ts +26 -0
  65. package/dist/{openapi-VR6AFBLJ.js → openapi-FHY6HC6I.js} +7 -7
  66. package/dist/plugin-runner-BGBkzgi0.d.ts +95 -0
  67. package/dist/plugin-types-DNJGxr4Z.d.ts +79 -0
  68. package/dist/rate-limit-BdNDZ3vt.d.ts +58 -0
  69. package/dist/rate-limit-store-BEJnhWdw.d.ts +72 -0
  70. package/dist/react-query/index.d.ts +33 -0
  71. package/dist/{registry-Q2TZQLUH.js → registry-34LL7NF4.js} +1 -1
  72. package/dist/{routes-LRYOIIAI.js → routes-EW7TP7NJ.js} +2 -2
  73. package/dist/schema-BpH6ivDY.d.ts +74 -0
  74. package/dist/server/agent/index.d.ts +229 -0
  75. package/dist/server/agent/index.js +2 -1
  76. package/dist/server/auth/index.d.ts +419 -0
  77. package/dist/server/cost/index.d.ts +177 -0
  78. package/dist/server/cron/index.d.ts +208 -0
  79. package/dist/server/define/index.d.ts +313 -0
  80. package/dist/server/define/index.js +4 -2
  81. package/dist/server/http/index.d.ts +11 -0
  82. package/dist/server/index.d.ts +848 -0
  83. package/dist/server/index.js +9 -294
  84. package/dist/server/index.js.map +1 -1
  85. package/dist/server/jobs/index.d.ts +348 -0
  86. package/dist/server/observability/index.d.ts +324 -0
  87. package/dist/server/plugins/index.d.ts +17 -0
  88. package/dist/server/rate-limit/index.d.ts +105 -0
  89. package/dist/server/realtime/index.d.ts +15 -0
  90. package/dist/server/scan/index.d.ts +126 -0
  91. package/dist/server/scan/index.js +1 -1
  92. package/dist/server/security/index.d.ts +193 -0
  93. package/dist/server/storage/index.d.ts +22 -0
  94. package/dist/server/webhook/index.d.ts +148 -0
  95. package/dist/{start-3ZHAXSJE.js → start-KIQ5TTLR.js} +76 -13
  96. package/dist/start-KIQ5TTLR.js.map +1 -0
  97. package/dist/storage-manager-C4jsO0Tp.d.ts +89 -0
  98. package/dist/storage-types-DsDTCPbp.d.ts +96 -0
  99. package/dist/vite-plugin/index.d.ts +115 -0
  100. package/dist/vite-plugin/index.js +6 -4
  101. package/dist/{vite-plugin-WO72VLYR.js → vite-plugin-RK66K26Z.js} +7 -7
  102. package/dist/vite-plugin-RK66K26Z.js.map +1 -0
  103. package/package.json +4 -4
  104. package/dist/chunk-223EFY5X.js.map +0 -1
  105. package/dist/chunk-3LVRAGAZ.js +0 -73
  106. package/dist/chunk-3LVRAGAZ.js.map +0 -1
  107. package/dist/chunk-43D6XNDR.js.map +0 -1
  108. package/dist/chunk-7CBRKNQA.js.map +0 -1
  109. package/dist/chunk-AD74EAK3.js.map +0 -1
  110. package/dist/chunk-GFMQJHXX.js.map +0 -1
  111. package/dist/chunk-PBEH6NXR.js +0 -44
  112. package/dist/chunk-PBEH6NXR.js.map +0 -1
  113. package/dist/chunk-PIVX3DYW.js +0 -142
  114. package/dist/chunk-PIVX3DYW.js.map +0 -1
  115. package/dist/chunk-PPPR5DGR.js +0 -1
  116. package/dist/chunk-RESN62GB.js.map +0 -1
  117. package/dist/start-3ZHAXSJE.js.map +0 -1
  118. /package/dist/{actions-virtual-module-SQDY3V5X.js.map → actions-virtual-module-3CDQTWOC.js.map} +0 -0
  119. /package/dist/{actions-virtual-module-PNPRCEOS.js.map → actions-virtual-module-EIPXX4ZB.js.map} +0 -0
  120. /package/dist/{app-typed-client-5GYEOYP3.js.map → app-typed-client-7PBFWZUE.js.map} +0 -0
  121. /package/dist/{app-typed-client-QG7BVZYW.js.map → app-typed-client-CSOK7NPC.js.map} +0 -0
  122. /package/dist/{build-QFRLSEZ4.js.map → build-HXND27XG.js.map} +0 -0
  123. /package/dist/{chunk-NAZ4E2GT.js.map → chunk-KXA37ONC.js.map} +0 -0
  124. /package/dist/{chunk-PPPR5DGR.js.map → chunk-RSVN727G.js.map} +0 -0
  125. /package/dist/{dev-GBXOTXUP.js.map → dev-OWW4XVIH.js.map} +0 -0
  126. /package/dist/{dev-emit-FEFEDLZF.js.map → dev-emit-5MDSBP5D.js.map} +0 -0
  127. /package/dist/{dev-emit-O4EGOSNV.js.map → dev-emit-QH2YGZXN.js.map} +0 -0
  128. /package/dist/{vite-plugin-WO72VLYR.js.map → internal-api-4YTJDITC.js.map} +0 -0
  129. /package/dist/{openapi-VR6AFBLJ.js.map → openapi-FHY6HC6I.js.map} +0 -0
  130. /package/dist/{registry-Q2TZQLUH.js.map → registry-34LL7NF4.js.map} +0 -0
  131. /package/dist/{routes-LRYOIIAI.js.map → routes-EW7TP7NJ.js.map} +0 -0
@@ -0,0 +1,575 @@
1
+ import { a as TheoErrorCode, T as TheoErrorEnvelope } from './error-envelope-BsNzzAV5.js';
2
+ import { IncomingMessage, ServerResponse } from 'node:http';
3
+ import { P as PluginContext } from './plugin-types-DNJGxr4Z.js';
4
+ import { P as PluginRunner } from './plugin-runner-BGBkzgi0.js';
5
+ import { J as JobBackend } from './job-backend-CgC8Xf33.js';
6
+ import { L as LoadModule, S as ServerRouteNode } from './match-CfbEFRG4.js';
7
+ import { c as CsrfMode, D as DisallowedConfig } from './csrf-BBrEZSBW.js';
8
+ import { z } from 'zod';
9
+
10
+ interface ExecuteActionOptions {
11
+ filePath: string;
12
+ exportName: string;
13
+ req: IncomingMessage;
14
+ res: ServerResponse;
15
+ loadModule: LoadModule;
16
+ serverDir?: string;
17
+ requestId?: string;
18
+ pluginRunner?: PluginRunner;
19
+ csrfMode?: CsrfMode;
20
+ disallowed?: DisallowedConfig;
21
+ }
22
+ declare function executeAction(filePath: string, exportName: string, req: IncomingMessage, res: ServerResponse, loadModule: LoadModule, serverDir?: string, requestId?: string, pluginRunner?: PluginRunner, csrfMode?: CsrfMode, disallowed?: DisallowedConfig): Promise<void>;
23
+
24
+ /**
25
+ * T5.2 — pluggable response/request transformer.
26
+ *
27
+ * `superjson` is the default, preserving Date/Map/Set/BigInt/etc.
28
+ * `json` is the lightweight option (plain JSON.stringify/parse).
29
+ * Users can supply a custom object implementing this contract.
30
+ */
31
+ interface TheoTransformer {
32
+ name: string;
33
+ serialize: (value: unknown) => string;
34
+ deserialize: (raw: string) => unknown;
35
+ }
36
+ declare const superjsonTransformer: TheoTransformer;
37
+ declare const jsonTransformer: TheoTransformer;
38
+ declare function resolveTransformer(selector: 'json' | 'superjson' | TheoTransformer): TheoTransformer;
39
+
40
+ /**
41
+ * server/http/execute-context.ts
42
+ *
43
+ * `ExecuteRouteContext` — the parameter object passed to `executeRoute()`
44
+ * and `executeAction()` per ADR-0016 (T3.1 of architecture-cleanup).
45
+ *
46
+ * Replaces the 12-positional-param signature with a single named-field
47
+ * object, eliminating 3 of 4 eslint-disable comments on `executeRoute`.
48
+ *
49
+ * Location: lives in `server/http/` (not `core/contracts/`) because the
50
+ * shape references server-side types (CsrfMode, JobBackend, PluginRunner,
51
+ * TheoTransformer, ServerRouteNode, LoadModule, DisallowedConfig). Keeping
52
+ * the type here preserves the existing module direction graph — no new
53
+ * `core → server` edges.
54
+ *
55
+ * Consumers within server/ build this object once per request; external
56
+ * callers (router-runner) see the same shape via the `ExecuteRouteContext`
57
+ * named export.
58
+ */
59
+
60
+ /**
61
+ * The request-execution context. Each request builds one of these and passes
62
+ * it to `executeRoute(ctx)`.
63
+ *
64
+ * All fields are required EXCEPT those with optional `?` markers; defaults
65
+ * are applied inside `executeRoute` via destructure (e.g., `csrfMode = 'strict'`).
66
+ */
67
+ interface ExecuteRouteContext {
68
+ route: ServerRouteNode;
69
+ method: string;
70
+ params: Record<string, string>;
71
+ req: IncomingMessage;
72
+ res: ServerResponse;
73
+ loadModule: LoadModule;
74
+ serverDir?: string;
75
+ requestId?: string;
76
+ pluginRunner?: PluginRunner;
77
+ transformer?: TheoTransformer;
78
+ /** Defaults to `'strict'` when omitted. */
79
+ csrfMode?: CsrfMode;
80
+ disallowed?: DisallowedConfig;
81
+ /** When provided, `ctx.queue` auto-injects + outbox lifecycle hooks attach. */
82
+ jobBackend?: JobBackend;
83
+ }
84
+
85
+ /**
86
+ * Canonical HTTP response helpers (T5.1 extraction).
87
+ *
88
+ * Moved out of execute.ts so request-pipeline stages (execute-stages.ts,
89
+ * handle-request-error.ts, etc.) can depend on these helpers without
90
+ * creating a cycle through execute.ts.
91
+ *
92
+ * Public surface re-exported from execute.ts for backward compat — every
93
+ * existing caller of `sendError` / `sendJson` continues to work via the
94
+ * `theokit/server` barrel.
95
+ */
96
+ declare function sendJson(res: ServerResponse, data: unknown, status?: number, transformer?: TheoTransformer): void;
97
+ interface SendErrorOptions {
98
+ custom404Html?: string;
99
+ custom500Html?: string;
100
+ }
101
+ /**
102
+ * Canonical error response.
103
+ *
104
+ * T6.3 (PV-17): the positional 7-param signature is preserved for backward
105
+ * compat. New call sites should use the options-bag form:
106
+ *
107
+ * sendError(res, { code, message, status, issues?, requestId?, options? })
108
+ *
109
+ * Both shapes resolve to the same implementation.
110
+ */
111
+ interface SendErrorInput {
112
+ code: string;
113
+ message: string;
114
+ status: number;
115
+ issues?: unknown[];
116
+ requestId?: string;
117
+ options?: SendErrorOptions;
118
+ }
119
+ declare function sendError(res: ServerResponse, input: SendErrorInput): void;
120
+ declare function sendError(res: ServerResponse, code: string, message: string, status: number, issues?: unknown[], requestId?: string, options?: SendErrorOptions): void;
121
+
122
+ declare function executeRoute(ctx: ExecuteRouteContext): Promise<void>;
123
+
124
+ /**
125
+ * T1.4 — Server-side batch handler.
126
+ *
127
+ * Receives `{ requests: [...] }` POSTed to `/api/__theo_batch__` and returns
128
+ * `{ results: [...] }` with per-item error isolation. EC-2: items cannot
129
+ * override auth/forwarded headers (would be a session-bypass vector).
130
+ */
131
+
132
+ declare const STRIPPED_HEADERS: readonly ["authorization", "cookie", "x-forwarded-for", "x-forwarded-host", "x-forwarded-proto", "x-real-ip", "host"];
133
+ declare const BATCH_PATH = "/api/__theo_batch__";
134
+ declare class BatchPathConflictError extends Error {
135
+ constructor(path: string);
136
+ }
137
+ declare const batchRequestSchema: z.ZodObject<{
138
+ path: z.ZodString;
139
+ method: z.ZodString;
140
+ query: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodUnknown>>;
141
+ body: z.ZodOptional<z.ZodUnknown>;
142
+ headers: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodString>>;
143
+ }, z.core.$strip>;
144
+ declare const batchPayloadSchema: z.ZodObject<{
145
+ requests: z.ZodArray<z.ZodObject<{
146
+ path: z.ZodString;
147
+ method: z.ZodString;
148
+ query: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodUnknown>>;
149
+ body: z.ZodOptional<z.ZodUnknown>;
150
+ headers: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodString>>;
151
+ }, z.core.$strip>>;
152
+ }, z.core.$strip>;
153
+ type BatchRequestItem = z.infer<typeof batchRequestSchema>;
154
+ type BatchPayload = z.infer<typeof batchPayloadSchema>;
155
+ type BatchExecuteFn = (req: BatchRequestItem) => Promise<{
156
+ data: unknown;
157
+ } | {
158
+ error: {
159
+ message: string;
160
+ code?: string;
161
+ };
162
+ }>;
163
+ interface HandleBatchOptions {
164
+ execute: BatchExecuteFn;
165
+ /** Max number of items per batch. Default 32. */
166
+ max?: number;
167
+ /** Outer-request headers that override per-item headers in STRIPPED_HEADERS. */
168
+ outerHeaders?: Record<string, string>;
169
+ }
170
+ type BatchResultItem = {
171
+ data: unknown;
172
+ } | {
173
+ error: {
174
+ message: string;
175
+ code?: string;
176
+ };
177
+ };
178
+ interface BatchResponse {
179
+ results: BatchResultItem[];
180
+ }
181
+ /**
182
+ * Validate + execute a batch request.
183
+ *
184
+ * CR-028 fix: previously the signature was `payload: BatchPayload`,
185
+ * suggesting the caller had already validated. In reality `api-middleware`
186
+ * passes `JSON.parse(rawBody) as BatchPayload` — an unsafe cast over raw
187
+ * HTTP input. We widen the input type to `unknown` so the type system
188
+ * forces validation, then run Zod once at this single trust boundary.
189
+ */
190
+ declare function handleBatchRequest(payload: unknown, options: HandleBatchOptions): Promise<BatchResponse>;
191
+
192
+ /**
193
+ * T1.2 — CORS middleware.
194
+ *
195
+ * Single global middleware that runs FIRST in the request pipeline:
196
+ * CORS preflight → rate limit → CSRF → security headers → handler
197
+ *
198
+ * Preflight (`OPTIONS` with `Access-Control-Request-Method`) is handled
199
+ * by `handlePreflight`, which short-circuits the response with 204 +
200
+ * Access-Control-* headers.
201
+ *
202
+ * Non-preflight requests pass through; `applyHeaders` adds
203
+ * `Access-Control-Allow-Origin` (echoing the request's Origin),
204
+ * `Access-Control-Expose-Headers`, and `Access-Control-Allow-Credentials`.
205
+ *
206
+ * Per ADR D3: preflight responses are deterministic and only the matched
207
+ * origin is echoed back (never `'*'` when credentials are enabled —
208
+ * required by the CORS spec).
209
+ */
210
+ type CorsOrigin = string | RegExp | readonly (string | RegExp)[] | ((origin: string) => boolean);
211
+ interface CorsConfig {
212
+ origins: CorsOrigin;
213
+ methods?: readonly ('GET' | 'POST' | 'PUT' | 'PATCH' | 'DELETE' | 'OPTIONS' | 'HEAD')[];
214
+ allowedHeaders?: readonly string[];
215
+ exposedHeaders?: readonly string[];
216
+ credentials?: boolean;
217
+ maxAge?: number;
218
+ }
219
+ interface CorsHandler {
220
+ handlePreflight(req: IncomingMessage, res: ServerResponse): boolean;
221
+ applyHeaders(req: IncomingMessage, res: ServerResponse): void;
222
+ }
223
+ /**
224
+ * Test whether `origin` is allowed by `allowed`. Pure function — no I/O.
225
+ *
226
+ * EC-8: callback variants that throw are fail-closed (deny). Without
227
+ * this, a transient datastore outage would silently widen CORS during
228
+ * the failure window.
229
+ */
230
+ declare function matchesOrigin(origin: string, allowed: CorsOrigin): boolean;
231
+ declare function createCorsHandler(config: CorsConfig): CorsHandler;
232
+ /**
233
+ * T5a.2 Phase B slice 5/6 — Web-Standards CORS handler.
234
+ *
235
+ * Mirror of `createCorsHandler(config): CorsHandler` for the Web `Request`
236
+ * shape. Same `CorsConfig`, same `matchesOrigin` logic (pure helper
237
+ * already), same security guarantees (echo matched origin only — never
238
+ * `'*'` when credentials enabled; EC-8 fail-closed on callback throw).
239
+ *
240
+ * Signature differences vs the IncomingMessage pair:
241
+ * - `handlePreflightRequest(request, config): Response | null` — returns
242
+ * `Response` when this is a CORS preflight; `null` when not. Caller
243
+ * short-circuits accordingly (same control-flow semantic as boolean).
244
+ * - `applyCorsHeaders(request, target, config): void` — mutates a
245
+ * `Headers` instance in place. Caller passes the headers they're
246
+ * building for their Response.
247
+ */
248
+ interface CorsWebHandler {
249
+ handlePreflightRequest(request: Request): Response | null;
250
+ applyCorsHeaders(request: Request, target: Headers): void;
251
+ }
252
+ declare function createCorsWebHandler(config: CorsConfig): CorsWebHandler;
253
+
254
+ /**
255
+ * Phase 7 — Observability: traceId propagation (D7).
256
+ *
257
+ * Extract a stable identifier from incoming requests so a single value
258
+ * correlates the client request, every server log line, the response
259
+ * envelope, and any downstream span. Precedence:
260
+ *
261
+ * 1. `traceparent` (W3C Trace Context — `00-{32-hex}-{16-hex}-{flags}`)
262
+ * 2. `x-request-id` (Heroku / GCP / generic proxy header)
263
+ * 3. Generated UUID (fresh per request)
264
+ *
265
+ * UUIDs are accepted as trace identifiers by every major vendor that
266
+ * does not enforce strict 32-hex (Datadog, Honeycomb, Sentry, Logflare,
267
+ * Axiom, etc). We don't need ULIDs to ship this surface.
268
+ */
269
+ declare const TRACE_HEADER = "x-trace-id";
270
+ declare const TRACE_PARENT_HEADER = "traceparent";
271
+ /**
272
+ * Parse a W3C Trace Context `traceparent` header value. Returns the
273
+ * 32-hex trace-id when valid (and not the reserved all-zeros), else
274
+ * `null`.
275
+ */
276
+ declare function parseTraceparent(value: string): string | null;
277
+ /**
278
+ * Resolve the request's traceId following the precedence above.
279
+ */
280
+ declare function extractTraceId(req: IncomingMessage): string;
281
+ /**
282
+ * T5a.2 Phase C slice 1/2 — Web-Standards-shaped traceId resolver.
283
+ *
284
+ * Mirror of `extractTraceId(req: IncomingMessage)` for the Web `Request`
285
+ * shape. Same precedence (`traceparent` → `x-request-id` → generated
286
+ * UUID). Uses `request.headers.get(name)` (native Web `Headers` API)
287
+ * instead of the Node indexer.
288
+ *
289
+ * **Multi-value note:** Web `Headers` collapses repeated headers into a
290
+ * single comma-separated string at parse. The IncomingMessage path's
291
+ * `pickHeader` "first non-empty value" semantic is naturally satisfied
292
+ * because there's no array to pick from on the Web side — `.get()`
293
+ * returns the comma-joined value, which for `traceparent` / `x-request-id`
294
+ * is treated as a single string anyway (both headers are conventionally
295
+ * single-valued).
296
+ */
297
+ declare function extractTraceIdFromRequest(request: Request): string;
298
+
299
+ /**
300
+ * `TheoError` — envelope-emitting `Error` subclass per plan
301
+ * g5-error-envelope-cross-layer v1.0 § Phase 1 / T1.2.
302
+ *
303
+ * Mirrors trpc's TRPCError ergonomic pattern (referencia:
304
+ * trpc/packages/server/src/unstable-core-do-not-import/error/TRPCError.ts:65-87)
305
+ * adapted for theokit's hybrid envelope model (blueprint Form 4).
306
+ *
307
+ * Per ADR D5: `meta.stack` is auto-stripped in non-dev builds when serialized
308
+ * via `toJSON()` — defense against accidental stack leak to clients (encore
309
+ * `json:"-"` analog).
310
+ *
311
+ * Lives in `core/contracts/` per architecture.md v3 invariant #3.
312
+ */
313
+
314
+ /**
315
+ * Constructor options. `code` and `message` are required; `cause` follows TC39
316
+ * proposal-error-cause; `meta` and `ext` are opt-in per blueprint ADR D2.
317
+ */
318
+ interface TheoErrorOptions<TExt = unknown> {
319
+ readonly code: TheoErrorCode;
320
+ readonly message: string;
321
+ readonly cause?: unknown;
322
+ readonly meta?: Record<string, unknown>;
323
+ readonly ext?: TExt;
324
+ }
325
+ /**
326
+ * `TheoError` — envelope-emitting Error subclass. Use this anywhere in
327
+ * `theokit/server`, route handlers, or middleware to emit a typed,
328
+ * cross-layer-compatible error.
329
+ *
330
+ * Mirrors TRPCError pattern: `code` is required, `message` defaults to
331
+ * code if omitted, `cause` chain is preserved via TC39 proposal-error-cause.
332
+ */
333
+ declare class TheoError<TExt = unknown> extends Error {
334
+ readonly name = "TheoError";
335
+ readonly code: TheoErrorCode;
336
+ readonly meta?: Record<string, unknown>;
337
+ readonly ext?: TExt;
338
+ constructor(opts: TheoErrorOptions<TExt>);
339
+ /**
340
+ * The canonical envelope view of this error. Use when crossing the wire
341
+ * boundary or feeding telemetry — exposes the shape consumers can rely on
342
+ * without depending on the class identity.
343
+ */
344
+ get envelope(): TheoErrorEnvelope<TExt>;
345
+ /**
346
+ * JSON serialization — emits envelope shape only (no name/stack class
347
+ * internals). Per ADR D5, `meta.stack` is auto-stripped in non-dev to
348
+ * prevent accidental leak; other meta keys are preserved.
349
+ */
350
+ toJSON(): TheoErrorEnvelope<TExt>;
351
+ }
352
+ /**
353
+ * Coerce any unknown value into a TheoError envelope.
354
+ *
355
+ * - If value is already a TheoError, returns it unchanged (no double-wrap).
356
+ * - If value is a plain Error, wraps it as `INTERNAL_SERVER_ERROR` with
357
+ * `cause` chain preserving the original.
358
+ * - Other values (string, undefined, object) are coerced safely with a
359
+ * meaningful message.
360
+ *
361
+ * Use at framework boundaries (route handler catch-all, middleware catch,
362
+ * SDK egress) to ensure every error crossing the wire carries an envelope.
363
+ */
364
+ /**
365
+ * `NotFoundError` — typed 404. A `TheoError` with code `NOT_FOUND`, so it
366
+ * carries a stable `code` (not a bare status literal) and maps to HTTP 404 via
367
+ * `envelopeCodeToStatus`. Throw it from a `defineRoute` handler for ergonomic
368
+ * 404s (M7-1).
369
+ */
370
+ declare class NotFoundError extends TheoError {
371
+ constructor(message?: string, meta?: Record<string, unknown>);
372
+ }
373
+ declare function fromUnknown(value: unknown): TheoError;
374
+
375
+ /**
376
+ * G5 T2.5 — server-side boundary translation per blueprint ADR D3.
377
+ *
378
+ * Translates ad-hoc Error class instances (FileTooLargeError,
379
+ * AuthRequiredError, RouterConventionError, etc.) into the canonical
380
+ * `TheoErrorEnvelope` shape at the wire boundary. This is the SINGLE
381
+ * boundary translation point — class identities stay in place inside the
382
+ * codebase (no invasive call-site rewrites), but the envelope is what
383
+ * crosses to clients.
384
+ *
385
+ * Pure; no I/O. Lives in `core/contracts/` per architecture.md v3
386
+ * invariant #3 (canonical home for shared client↔server types). This file
387
+ * is the EXCEPTION-of-an-exception: it intentionally inspects Error names
388
+ * by string instead of `instanceof` to avoid `core/contracts/` taking a
389
+ * dependency on `server/`. The mapping table is small and grep-discoverable.
390
+ */
391
+
392
+ /**
393
+ * Translate any server-side Error instance into a canonical envelope.
394
+ *
395
+ * Pass-through behavior:
396
+ * - `TheoError` instances return their `.envelope` unchanged.
397
+ * - Plain `Error` with unknown name → `INTERNAL_SERVER_ERROR`.
398
+ * - Non-Error values → wrapped via `TheoError.fromUnknown` semantics.
399
+ *
400
+ * Meta carries the source class `name` plus class-specific fields when an
401
+ * extractor is registered. This keeps wire-side telemetry useful without
402
+ * leaking implementation details.
403
+ */
404
+ declare function serverErrorToEnvelope(value: unknown): TheoErrorEnvelope;
405
+
406
+ /**
407
+ * Maps a TheoErrorEnvelope `code` to its canonical HTTP status.
408
+ *
409
+ * Single source of truth — previously duplicated in `web-handler.ts` and
410
+ * `handle-request-error.ts` (architecture-remediation plan T1.2, 2026-06-12).
411
+ *
412
+ * Every TheoErrorCode value MUST have an explicit entry here. SDK-domain codes
413
+ * (AGENT_RUN_ERROR, PROVIDER_KEY_MISSING, BUDGET_EXCEEDED, CREDENTIAL_POOL_EXHAUSTED)
414
+ * intentionally map to 500 — they represent internal failures, not client errors.
415
+ */
416
+ declare function envelopeCodeToStatus(code: string): number;
417
+
418
+ /**
419
+ * Canonical error handler for HTTP request pipelines (T3.4 of
420
+ * architecture-review-remediation-plan, PV-9 DRY).
421
+ *
422
+ * Replaces the duplicated catch-block logic in `executeRoute` (1 site) and
423
+ * `executeAction` (1 site, via `handleActionError`). Both code paths now
424
+ * share this implementation.
425
+ *
426
+ * Behavior contract (preserved from previous inline catches):
427
+ * - Plugin `onError` fires first (swallowed if it throws — never amplify failure).
428
+ * - `AuthRequiredError` is detected via `instanceof` AND a duck-type shape
429
+ * check (`code === 'AUTH_REQUIRED' && status === 401`) — required because
430
+ * under Vite dev / vitest the module-loader can produce a duplicate
431
+ * AuthRequiredError class identity, breaking `instanceof`.
432
+ * - `onResponse({ inErrorPath: true })` always fires at the end (swallowed
433
+ * if it throws — EC-9).
434
+ */
435
+ interface HandleRequestErrorCtx {
436
+ req: IncomingMessage;
437
+ res: ServerResponse;
438
+ requestId: string | undefined;
439
+ pluginRunner: PluginRunner | undefined;
440
+ buildPluginCtx: (ctxObj: Record<string, unknown>) => PluginContext;
441
+ }
442
+ declare function handleRequestError(err: unknown, c: HandleRequestErrorCtx): Promise<void>;
443
+ /**
444
+ * T5a.2 Phase G slice 3/N — Web-Standards request error handler.
445
+ *
446
+ * Mirror of `handleRequestError(err, c: HandleRequestErrorCtx)` for the
447
+ * Web `Request` shape. Returns a native `Response` directly instead of
448
+ * mutating `res`. Same behavioral contract:
449
+ *
450
+ * 1. Auth-error detection via `instanceof AuthRequiredError` PLUS a
451
+ * duck-type fallback (`code === 'AUTH_REQUIRED' && status === 401`)
452
+ * — needed because Vite dev / vitest can produce duplicate class
453
+ * identities, breaking `instanceof`.
454
+ * 2. Envelope-shaped JSON body using `serverErrorToEnvelope` (G5 D3
455
+ * boundary translation).
456
+ * 3. Status code derived from envelope.code via `envelopeCodeToStatus`
457
+ * mirror (already implemented inline in web-handler.ts; this slice
458
+ * uses the same mapping table).
459
+ *
460
+ * **Difference vs IncomingMessage path:** the Web path's plugin runner
461
+ * orchestration lives in `executeWebRequest`'s `runWithHooks` /
462
+ * `runErrorHooks` (Phase G slice 1/N) — `handleWebRequestError` is the
463
+ * leaf that builds the error Response WITHOUT touching plugin hooks.
464
+ * Callers compose: `executeWebRequest` (or future Web execute pipeline)
465
+ * catches a throw, calls `handleWebRequestError(err, { requestId })` to
466
+ * build the Response, then routes through onError hooks separately.
467
+ */
468
+ interface HandleWebRequestErrorCtx {
469
+ requestId?: string;
470
+ }
471
+ declare function handleWebRequestError(err: unknown, ctx?: HandleWebRequestErrorCtx): Promise<Response>;
472
+
473
+ interface MiddlewareResult {
474
+ ctx: unknown;
475
+ aborted: boolean;
476
+ }
477
+ declare function _resetMiddlewareCacheForTests(): void;
478
+ declare function runMiddlewareAndContext(req: IncomingMessage, res: ServerResponse, loadModule: LoadModule, serverDir: string): Promise<MiddlewareResult>;
479
+
480
+ interface CookieOptions {
481
+ httpOnly?: boolean;
482
+ secure?: boolean;
483
+ sameSite?: 'strict' | 'lax' | 'none';
484
+ maxAge?: number;
485
+ path?: string;
486
+ domain?: string;
487
+ }
488
+ /**
489
+ * Parse a `Cookie` header into a Map (RFC 6265 §5.4).
490
+ * - Empty/missing input → empty Map.
491
+ * - Malformed entries (no `=`) skipped silently (defensive).
492
+ * - Duplicate names → last-wins.
493
+ * - Values URL-decoded if possible; raw on decode failure (CR-009 protection).
494
+ *
495
+ * Canonical helper (T3.2 of architecture-review-remediation-plan; PV-4 DRY).
496
+ * Consumed by `getCookie` here AND by `rate-limit/rate-limit-per-route.ts`.
497
+ */
498
+ declare function parseCookieHeader(header: string | undefined): Map<string, string>;
499
+ declare function getCookie(req: IncomingMessage, name: string): string | undefined;
500
+ /**
501
+ * T5a.2 Phase B slice 6/6 — pure Set-Cookie serializer. Extracted from
502
+ * `setCookie(res, ...)` so the IncomingMessage path AND the Web Headers
503
+ * path can share the cookie attribute composition.
504
+ *
505
+ * Returns the canonical `Set-Cookie` header value string (no surrounding
506
+ * `Set-Cookie:` prefix — caller wraps via `res.setHeader('Set-Cookie', ...)`
507
+ * or `headers.append('Set-Cookie', ...)`).
508
+ *
509
+ * Defaults: `httpOnly: true`, `secure: NODE_ENV === 'production'`,
510
+ * `sameSite: 'lax'`, `path: '/'`.
511
+ */
512
+ declare function serializeCookie(name: string, value: string, options?: CookieOptions): string;
513
+ declare function setCookie(res: ServerResponse, name: string, value: string, options?: CookieOptions): void;
514
+ declare function deleteCookie(res: ServerResponse, name: string, options?: {
515
+ path?: string;
516
+ }): void;
517
+ /**
518
+ * T5a.2 Phase B slice 6/6 — Web-Standards cookie getter.
519
+ *
520
+ * Mirror of `getCookie(req: IncomingMessage, name)` for the Web `Request`
521
+ * shape. Consumes `request.headers.get('cookie')` (native `Headers` API)
522
+ * instead of `req.headers.cookie`. Same parse logic + same malformed
523
+ * percent-encoding sanity (returns undefined when raw value contains a
524
+ * lone `%` that didn't decode, preserving the IncomingMessage path's
525
+ * "treat as unreadable" CR-009 semantics).
526
+ */
527
+ declare function getCookieFromRequest(request: Request, name: string): string | undefined;
528
+ /**
529
+ * T5a.2 Phase B slice 6/6 — Web-Standards cookie setter.
530
+ *
531
+ * Mirror of `setCookie(res, name, value, options)` for the Web `Headers`
532
+ * shape. Appends a `Set-Cookie` entry to the caller's `Headers` instance
533
+ * via `headers.append('Set-Cookie', ...)`. Multiple appends produce
534
+ * multiple `Set-Cookie` headers per the Web spec; `headers.getSetCookie()`
535
+ * retrieves them as an array (the one multi-value header the Web API
536
+ * exposes natively).
537
+ *
538
+ * Uses the shared `serializeCookie` pure helper — same defaults and
539
+ * attribute composition as the IncomingMessage path.
540
+ */
541
+ declare function appendCookieToHeaders(target: Headers, name: string, value: string, options?: CookieOptions): void;
542
+ /**
543
+ * T5a.2 Phase B slice 6/6 — Web-Standards cookie deleter.
544
+ *
545
+ * Mirror of `deleteCookie(res, name, options)` — emits a Set-Cookie with
546
+ * `Max-Age=0` so the browser drops the cookie immediately.
547
+ */
548
+ declare function appendDeleteCookieToHeaders(target: Headers, name: string, options?: {
549
+ path?: string;
550
+ }): void;
551
+
552
+ /**
553
+ * T2.4 — Custom error pages loader.
554
+ *
555
+ * Loads optional `.theokit/client/404.html` and `500.html` from disk so adapters
556
+ * (Node, CF, Vercel, Bun, Netlify, AWS Lambda, Deno) can pass them to the
557
+ * shared `sendError` pipeline.
558
+ *
559
+ * EC-9: caps file size at 1MB. Files beyond the limit are skipped with a
560
+ * console.warn and the default JSON error path is used.
561
+ */
562
+ declare const MAX_ERROR_HTML_BYTES = 1048576;
563
+ interface CustomErrorPages {
564
+ custom404Html?: string;
565
+ custom500Html?: string;
566
+ }
567
+ /**
568
+ * Load `.theokit/client/{404,500}.html` from the given client directory.
569
+ * Returns object with both fields when present; missing pages remain undefined.
570
+ */
571
+ declare function loadCustomErrorPages(clientDir: string): CustomErrorPages;
572
+
573
+ declare function serveStaticFile(req: IncomingMessage, res: ServerResponse, clientDir: string): boolean;
574
+
575
+ export { serveStaticFile as $, extractTraceId as A, BATCH_PATH as B, type CookieOptions as C, extractTraceIdFromRequest as D, type ExecuteActionOptions as E, fromUnknown as F, getCookie as G, type HandleBatchOptions as H, getCookieFromRequest as I, handleBatchRequest as J, handleRequestError as K, handleWebRequestError as L, MAX_ERROR_HTML_BYTES as M, NotFoundError as N, jsonTransformer as O, loadCustomErrorPages as P, matchesOrigin as Q, parseCookieHeader as R, STRIPPED_HEADERS as S, TRACE_HEADER as T, parseTraceparent as U, resolveTransformer as V, runMiddlewareAndContext as W, sendError as X, sendJson as Y, serializeCookie as Z, _resetMiddlewareCacheForTests as _, type BatchExecuteFn as a, serverErrorToEnvelope as a0, setCookie as a1, superjsonTransformer as a2, BatchPathConflictError as b, type BatchPayload as c, type BatchRequestItem as d, type BatchResponse as e, type BatchResultItem as f, type CorsConfig as g, type CorsHandler as h, type CorsOrigin as i, type CorsWebHandler as j, type CustomErrorPages as k, type ExecuteRouteContext as l, type MiddlewareResult as m, type SendErrorInput as n, type SendErrorOptions as o, TRACE_PARENT_HEADER as p, TheoError as q, type TheoTransformer as r, appendCookieToHeaders as s, appendDeleteCookieToHeaders as t, createCorsHandler as u, createCorsWebHandler as v, deleteCookie as w, envelopeCodeToStatus as x, executeAction as y, executeRoute as z };