theokit 0.4.0-beta.0 → 0.4.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (297) hide show
  1. package/dist/{actions-virtual-module-HWNTIEPI.js → actions-virtual-module-IY46EEEX.js} +2 -2
  2. package/dist/{actions-virtual-module-SEIPACG5.js → actions-virtual-module-XNHDNCZ6.js} +2 -2
  3. package/dist/add-2ZFFGGE4.js +0 -0
  4. package/dist/{app-typed-client-ITIYTBXO.js → app-typed-client-OUJO3V5J.js} +10 -5
  5. package/dist/{app-typed-client-62FYBLVJ.js.map → app-typed-client-OUJO3V5J.js.map} +1 -1
  6. package/dist/{app-typed-client-62FYBLVJ.js → app-typed-client-YOMWSA3F.js} +11 -6
  7. package/dist/{app-typed-client-ITIYTBXO.js.map → app-typed-client-YOMWSA3F.js.map} +1 -1
  8. package/dist/audit-log-BQWM5YLG.d.ts +60 -0
  9. package/dist/{aws-lambda-XYCGZH3I.js → aws-lambda-GKSTX6HD.js} +3 -3
  10. package/dist/body-parser-web-MUWBKZ3F.js +70 -0
  11. package/dist/body-parser-web-MUWBKZ3F.js.map +1 -0
  12. package/dist/broadcast-QOQGUNNK.js +0 -0
  13. package/dist/{build-HIGHJQQV.js → build-D4J7XECU.js} +31 -22
  14. package/dist/build-D4J7XECU.js.map +1 -0
  15. package/dist/build-request-body-preview-II2235E6.js +0 -0
  16. package/dist/{bun-K73TQEWC.js → bun-ISHSNFIO.js} +3 -3
  17. package/dist/{check-PZR67OY5.js → check-NXYPLM6M.js} +2 -2
  18. package/dist/{chunk-WZ7CPVQB.js → chunk-27LWMYNK.js} +28 -24
  19. package/dist/chunk-27LWMYNK.js.map +1 -0
  20. package/dist/{chunk-BIGBFZSU.js → chunk-2F4FROEQ.js} +1689 -1521
  21. package/dist/chunk-2F4FROEQ.js.map +1 -0
  22. package/dist/chunk-4HBI7DHP.js +20 -0
  23. package/dist/chunk-4HBI7DHP.js.map +1 -0
  24. package/dist/{chunk-X4JAX2U3.js → chunk-4S2UCILN.js} +180 -125
  25. package/dist/chunk-4S2UCILN.js.map +1 -0
  26. package/dist/{chunk-C52GSJPF.js → chunk-4S6YHNG2.js} +11 -8
  27. package/dist/chunk-4S6YHNG2.js.map +1 -0
  28. package/dist/chunk-5ODOE6EF.js +0 -0
  29. package/dist/{chunk-KJVEJILQ.js → chunk-5PU65T5W.js} +9 -3
  30. package/dist/chunk-5PU65T5W.js.map +1 -0
  31. package/dist/chunk-5QW7IQQU.js +36 -0
  32. package/dist/chunk-5QW7IQQU.js.map +1 -0
  33. package/dist/chunk-5Z2727GV.js +1324 -0
  34. package/dist/chunk-5Z2727GV.js.map +1 -0
  35. package/dist/{chunk-YLBSSEHX.js → chunk-6NEXVBPY.js} +5 -15
  36. package/dist/chunk-6NEXVBPY.js.map +1 -0
  37. package/dist/chunk-7MQOHNHE.js +36 -0
  38. package/dist/chunk-7MQOHNHE.js.map +1 -0
  39. package/dist/{chunk-TPCT3MXV.js → chunk-ABVITXFH.js} +405 -272
  40. package/dist/chunk-ABVITXFH.js.map +1 -0
  41. package/dist/chunk-ASDXVRJD.js +185 -0
  42. package/dist/chunk-ASDXVRJD.js.map +1 -0
  43. package/dist/chunk-B3L3TJVF.js +406 -0
  44. package/dist/chunk-B3L3TJVF.js.map +1 -0
  45. package/dist/{chunk-PB4GR7EP.js → chunk-C3ZZ56YZ.js} +1 -18
  46. package/dist/chunk-C3ZZ56YZ.js.map +1 -0
  47. package/dist/{chunk-O7335ZGH.js → chunk-CG563V5M.js} +5 -3
  48. package/dist/chunk-CG563V5M.js.map +1 -0
  49. package/dist/{chunk-5OFPQK6N.js → chunk-COXLEZCN.js} +2 -1
  50. package/dist/chunk-COXLEZCN.js.map +1 -0
  51. package/dist/{chunk-O4BLVPML.js → chunk-DNMSV3R3.js} +22 -28
  52. package/dist/chunk-DNMSV3R3.js.map +1 -0
  53. package/dist/chunk-E3JH6YUM.js +1 -0
  54. package/dist/chunk-ESC54TAK.js +220 -0
  55. package/dist/chunk-ESC54TAK.js.map +1 -0
  56. package/dist/chunk-FI7MPTJW.js +77 -0
  57. package/dist/chunk-FI7MPTJW.js.map +1 -0
  58. package/dist/chunk-H4J2LECY.js +201 -0
  59. package/dist/chunk-H4J2LECY.js.map +1 -0
  60. package/dist/chunk-IAJ2JVEH.js +256 -0
  61. package/dist/chunk-IAJ2JVEH.js.map +1 -0
  62. package/dist/{chunk-F3TG5FJV.js → chunk-IEZCAT2I.js} +7 -1
  63. package/dist/{chunk-F3TG5FJV.js.map → chunk-IEZCAT2I.js.map} +1 -1
  64. package/dist/chunk-JHEAWR3L.js +1 -0
  65. package/dist/chunk-JQSKBMXP.js +17 -0
  66. package/dist/chunk-JQSKBMXP.js.map +1 -0
  67. package/dist/{chunk-4QTKSLTO.js → chunk-K4M64WD6.js} +9 -5
  68. package/dist/{chunk-4QTKSLTO.js.map → chunk-K4M64WD6.js.map} +1 -1
  69. package/dist/chunk-KI7OWQUX.js +293 -0
  70. package/dist/chunk-KI7OWQUX.js.map +1 -0
  71. package/dist/chunk-KT3MWNZG.js +0 -0
  72. package/dist/{chunk-ZJW5FFYJ.js → chunk-LC5PYNJP.js} +2 -2
  73. package/dist/{chunk-JAAHOGKI.js → chunk-M2EY7KDR.js} +1223 -1124
  74. package/dist/chunk-M2EY7KDR.js.map +1 -0
  75. package/dist/{chunk-2VQKDRVF.js → chunk-MR7OLIC6.js} +3 -3
  76. package/dist/chunk-NM4WF3XD.js +63 -0
  77. package/dist/chunk-NM4WF3XD.js.map +1 -0
  78. package/dist/chunk-NPMCKOX4.js +1 -0
  79. package/dist/{chunk-VRHXOKRP.js → chunk-NZXH2LQQ.js} +86 -83
  80. package/dist/chunk-NZXH2LQQ.js.map +1 -0
  81. package/dist/{chunk-B6RP57M3.js → chunk-OLPB36O2.js} +4 -4
  82. package/dist/chunk-PIVX3DYW.js +142 -0
  83. package/dist/chunk-PIVX3DYW.js.map +1 -0
  84. package/dist/{chunk-7TOMTMHT.js → chunk-R7OC6UDK.js} +2 -1
  85. package/dist/chunk-R7OC6UDK.js.map +1 -0
  86. package/dist/chunk-RESN62GB.js +269 -0
  87. package/dist/chunk-RESN62GB.js.map +1 -0
  88. package/dist/{chunk-64JI5LTO.js → chunk-RMU7EBRO.js} +2 -2
  89. package/dist/chunk-RMU7EBRO.js.map +1 -0
  90. package/dist/chunk-TQYSPYKU.js +131 -0
  91. package/dist/chunk-TQYSPYKU.js.map +1 -0
  92. package/dist/chunk-TSLSIRBR.js +107 -0
  93. package/dist/chunk-TSLSIRBR.js.map +1 -0
  94. package/dist/{chunk-XP7YXRHO.js → chunk-U6TPSW4L.js} +37 -5
  95. package/dist/chunk-U6TPSW4L.js.map +1 -0
  96. package/dist/chunk-UD3LFGDL.js +45 -0
  97. package/dist/chunk-UD3LFGDL.js.map +1 -0
  98. package/dist/chunk-UUFYP2UM.js +161 -0
  99. package/dist/chunk-UUFYP2UM.js.map +1 -0
  100. package/dist/{chunk-OXIQI2XZ.js → chunk-VBZCVFSA.js} +2 -2
  101. package/dist/chunk-VMEWD57H.js +137 -0
  102. package/dist/chunk-VMEWD57H.js.map +1 -0
  103. package/dist/{chunk-TRH2L3FI.js → chunk-WEGALZEU.js} +3 -3
  104. package/dist/{chunk-ZOXNJV2O.js → chunk-WGHJD6I7.js} +35 -138
  105. package/dist/chunk-WGHJD6I7.js.map +1 -0
  106. package/dist/chunk-XMS5VRIK.js +0 -0
  107. package/dist/chunk-Y4H3JNVK.js +18 -0
  108. package/dist/chunk-Y4H3JNVK.js.map +1 -0
  109. package/dist/chunk-Z5IGLBWE.js +329 -0
  110. package/dist/chunk-Z5IGLBWE.js.map +1 -0
  111. package/dist/chunk-ZEGYW52B.js +26 -0
  112. package/dist/chunk-ZEGYW52B.js.map +1 -0
  113. package/dist/chunk-ZJQ4O76G.js +87 -0
  114. package/dist/chunk-ZJQ4O76G.js.map +1 -0
  115. package/dist/cli/index.js +32 -21
  116. package/dist/cli/index.js.map +1 -1
  117. package/dist/client/index.d.ts +107 -1
  118. package/dist/client/index.js +152 -6
  119. package/dist/client/index.js.map +1 -1
  120. package/dist/{cloudflare-LCAOTRYZ.js → cloudflare-OJGJ7R2D.js} +3 -3
  121. package/dist/configure-agent-registry-6YGTJYBC.js +0 -0
  122. package/dist/cookies-MJKMGJ7N.js +22 -0
  123. package/dist/csrf-BBrEZSBW.d.ts +107 -0
  124. package/dist/csrf-readiness-store-CjIoub3U.d.ts +43 -0
  125. package/dist/define-websocket-CdK94O-D.d.ts +64 -0
  126. package/dist/{deno-deploy-ZN4RE5HF.js → deno-deploy-BHWKFTOW.js} +3 -3
  127. package/dist/{dev-266MVCVA.js → dev-MJVSRZGF.js} +11 -11
  128. package/dist/{dev-emit-RBSFZZNO.js → dev-emit-5VPRCHOD.js} +39 -142
  129. package/dist/dev-emit-5VPRCHOD.js.map +1 -0
  130. package/dist/{dev-emit-NO6OZJOQ.js → dev-emit-HHP2XJXE.js} +5 -5
  131. package/dist/devtools/entry.js +185 -131
  132. package/dist/devtools/entry.js.map +1 -1
  133. package/dist/{dispatcher-AQJGI3HU.js → dispatcher-63LBXYLE.js} +2 -2
  134. package/dist/{dispatcher-E6QV32BO.js → dispatcher-EJME6C6M.js} +5 -2
  135. package/dist/dispatcher-EJME6C6M.js.map +1 -0
  136. package/dist/{dist-5V77Z223.js → dist-KRW6OVD4.js} +7 -7
  137. package/dist/dist-KRW6OVD4.js.map +1 -0
  138. package/dist/docker-EZDA5FT7.js +0 -0
  139. package/dist/error-envelope-BsNzzAV5.d.ts +62 -0
  140. package/dist/{generate-DT4IIAHF.js → generate-AZ2K6Z2Z.js} +75 -2
  141. package/dist/generate-AZ2K6Z2Z.js.map +1 -0
  142. package/dist/index-DWWEdFh5.d.ts +399 -0
  143. package/dist/index.d.ts +161 -1391
  144. package/dist/index.js +20 -8
  145. package/dist/index.js.map +1 -1
  146. package/dist/{info-FJ4NXKTB.js → info-47VB62MV.js} +5 -5
  147. package/dist/job-backend-CgC8Xf33.d.ts +68 -0
  148. package/dist/{lib-NL5JXGEB.js → lib-NST3PNZX.js} +31 -31
  149. package/dist/lib-NST3PNZX.js.map +1 -0
  150. package/dist/module-loader-Cfz7dgCP.d.ts +26 -0
  151. package/dist/{netlify-5VQ22Z2P.js → netlify-GSNSJGMN.js} +3 -3
  152. package/dist/{node-3APTLGWB.js → node-6I5B6RL3.js} +3 -3
  153. package/dist/node-6I5B6RL3.js.map +1 -0
  154. package/dist/{openapi-FNVSWZOL.js → openapi-NFLSNNVQ.js} +10 -10
  155. package/dist/plugin-runner-BGBkzgi0.d.ts +95 -0
  156. package/dist/plugin-types-DNJGxr4Z.d.ts +79 -0
  157. package/dist/{proper-lockfile-4Y3DP3RP.js → proper-lockfile-MVKMQGFK.js} +27 -27
  158. package/dist/proper-lockfile-MVKMQGFK.js.map +1 -0
  159. package/dist/rate-limit-BdNDZ3vt.d.ts +58 -0
  160. package/dist/registry-QHEZ3BWB.js +25 -0
  161. package/dist/router-RGZFX75G.js +0 -0
  162. package/dist/{routes-H4SPLFHJ.js → routes-3A4XGIEJ.js} +6 -6
  163. package/dist/{scan-C2BOKLSY.js → scan-NQFI5S7P.js} +2 -2
  164. package/dist/scan-NQFI5S7P.js.map +1 -0
  165. package/dist/schema-D3v8VB7o.d.ts +76 -0
  166. package/dist/{schema-VR6YNVLQ.js → schema-KZVOV333.js} +5 -3
  167. package/dist/schema-KZVOV333.js.map +1 -0
  168. package/dist/server/agent/index.d.ts +229 -0
  169. package/dist/server/agent/index.js +16 -0
  170. package/dist/server/agent/index.js.map +1 -0
  171. package/dist/server/auth/index.d.ts +46 -1
  172. package/dist/server/auth/index.js +10 -3
  173. package/dist/server/cost/index.d.ts +1 -3
  174. package/dist/server/cost/index.js +1 -1
  175. package/dist/server/cron/index.js +4 -2
  176. package/dist/server/define/index.d.ts +281 -0
  177. package/dist/server/define/index.js +26 -0
  178. package/dist/server/define/index.js.map +1 -0
  179. package/dist/server/http/index.d.ts +10 -0
  180. package/dist/server/http/index.js +74 -0
  181. package/dist/server/http/index.js.map +1 -0
  182. package/dist/server/index.d.ts +151 -1677
  183. package/dist/server/index.js +558 -1102
  184. package/dist/server/index.js.map +1 -1
  185. package/dist/server/jobs/index.d.ts +348 -2
  186. package/dist/server/jobs/index.js +5 -3
  187. package/dist/server/observability/index.d.ts +324 -0
  188. package/dist/server/observability/index.js +48 -0
  189. package/dist/server/observability/index.js.map +1 -0
  190. package/dist/server/plugins/index.d.ts +17 -0
  191. package/dist/server/plugins/index.js +17 -0
  192. package/dist/server/plugins/index.js.map +1 -0
  193. package/dist/server/rate-limit/index.d.ts +105 -0
  194. package/dist/server/rate-limit/index.js +25 -0
  195. package/dist/server/rate-limit/index.js.map +1 -0
  196. package/dist/server/realtime/index.d.ts +15 -0
  197. package/dist/server/realtime/index.js +8 -0
  198. package/dist/server/realtime/index.js.map +1 -0
  199. package/dist/server/scan/index.d.ts +106 -0
  200. package/dist/server/scan/index.js +43 -0
  201. package/dist/server/scan/index.js.map +1 -0
  202. package/dist/server/security/index.d.ts +193 -0
  203. package/dist/server/security/index.js +50 -0
  204. package/dist/server/security/index.js.map +1 -0
  205. package/dist/server/storage/index.d.ts +22 -0
  206. package/dist/server/storage/index.js +14 -0
  207. package/dist/server/storage/index.js.map +1 -0
  208. package/dist/server/webhook/index.d.ts +148 -0
  209. package/dist/server/webhook/index.js +19 -0
  210. package/dist/server/webhook/index.js.map +1 -0
  211. package/dist/server-error-to-envelope-NO4CCAFQ.js +8 -0
  212. package/dist/server-error-to-envelope-NO4CCAFQ.js.map +1 -0
  213. package/dist/server-error-to-envelope-UJK6OWDJ.js +134 -0
  214. package/dist/server-error-to-envelope-UJK6OWDJ.js.map +1 -0
  215. package/dist/server-routes-hmr-GZJGPWMS.js +0 -0
  216. package/dist/services-json-Z2QNGVPW.js +142 -0
  217. package/dist/services-json-Z2QNGVPW.js.map +1 -0
  218. package/dist/{services-typed-client-XWYYBWGW.js → services-typed-client-KK6RHRDG.js} +2 -2
  219. package/dist/{services-typed-client-ZX5JUHH3.js → services-typed-client-T7M5VPBP.js} +2 -2
  220. package/dist/{sqlite-vec-ARPNUBWT.js → sqlite-vec-54KB4RD3.js} +2 -2
  221. package/dist/sqlite-vec-54KB4RD3.js.map +1 -0
  222. package/dist/{start-HX3QUSOS.js → start-CGSZPBAG.js} +23 -23
  223. package/dist/start-CGSZPBAG.js.map +1 -0
  224. package/dist/{static-TZBVBDTB.js → static-QI5NQT2X.js} +6 -6
  225. package/dist/storage-manager-C4jsO0Tp.d.ts +89 -0
  226. package/dist/storage-manager-D5KBXXKB.js +0 -0
  227. package/dist/{storage-types-DtIVejC1.d.ts → storage-types-DsDTCPbp.d.ts} +1 -1
  228. package/dist/{theo-cloud-3K4DGB3S.js → theo-cloud-RSQCBNXL.js} +4 -4
  229. package/dist/theo-cloud-RSQCBNXL.js.map +1 -0
  230. package/dist/upgrade-readiness-GUJBCJIS.js +0 -0
  231. package/dist/{vercel-MWW24ABC.js → vercel-TKPZK62A.js} +3 -3
  232. package/dist/vite-plugin/index.d.ts +3 -1
  233. package/dist/vite-plugin/index.js +20 -8
  234. package/dist/{vite-plugin-IK3NOWXS.js → vite-plugin-CR4JDFUQ.js} +9 -9
  235. package/dist/vite-plugin-CR4JDFUQ.js.map +1 -0
  236. package/package.json +59 -10
  237. package/LICENSE +0 -201
  238. package/dist/build-HIGHJQQV.js.map +0 -1
  239. package/dist/chunk-5OFPQK6N.js.map +0 -1
  240. package/dist/chunk-64JI5LTO.js.map +0 -1
  241. package/dist/chunk-7TOMTMHT.js.map +0 -1
  242. package/dist/chunk-BIGBFZSU.js.map +0 -1
  243. package/dist/chunk-C52GSJPF.js.map +0 -1
  244. package/dist/chunk-CZM6WWWS.js +0 -2450
  245. package/dist/chunk-CZM6WWWS.js.map +0 -1
  246. package/dist/chunk-JAAHOGKI.js.map +0 -1
  247. package/dist/chunk-KJVEJILQ.js.map +0 -1
  248. package/dist/chunk-O4BLVPML.js.map +0 -1
  249. package/dist/chunk-O7335ZGH.js.map +0 -1
  250. package/dist/chunk-PB4GR7EP.js.map +0 -1
  251. package/dist/chunk-TPCT3MXV.js.map +0 -1
  252. package/dist/chunk-VRHXOKRP.js.map +0 -1
  253. package/dist/chunk-WZ7CPVQB.js.map +0 -1
  254. package/dist/chunk-X4JAX2U3.js.map +0 -1
  255. package/dist/chunk-XP7YXRHO.js.map +0 -1
  256. package/dist/chunk-YLBSSEHX.js.map +0 -1
  257. package/dist/chunk-ZOXNJV2O.js.map +0 -1
  258. package/dist/dev-emit-RBSFZZNO.js.map +0 -1
  259. package/dist/dispatcher-E6QV32BO.js.map +0 -1
  260. package/dist/dist-5V77Z223.js.map +0 -1
  261. package/dist/generate-DT4IIAHF.js.map +0 -1
  262. package/dist/index-li83Swxa.d.ts +0 -506
  263. package/dist/lib-NL5JXGEB.js.map +0 -1
  264. package/dist/proper-lockfile-4Y3DP3RP.js.map +0 -1
  265. package/dist/registry-4MZ26TZD.js +0 -25
  266. package/dist/schema-CjVly9c_.d.ts +0 -274
  267. package/dist/sqlite-vec-ARPNUBWT.js.map +0 -1
  268. package/dist/start-HX3QUSOS.js.map +0 -1
  269. package/dist/theo-cloud-3K4DGB3S.js.map +0 -1
  270. /package/dist/{actions-virtual-module-HWNTIEPI.js.map → actions-virtual-module-IY46EEEX.js.map} +0 -0
  271. /package/dist/{actions-virtual-module-SEIPACG5.js.map → actions-virtual-module-XNHDNCZ6.js.map} +0 -0
  272. /package/dist/{aws-lambda-XYCGZH3I.js.map → aws-lambda-GKSTX6HD.js.map} +0 -0
  273. /package/dist/{bun-K73TQEWC.js.map → bun-ISHSNFIO.js.map} +0 -0
  274. /package/dist/{check-PZR67OY5.js.map → check-NXYPLM6M.js.map} +0 -0
  275. /package/dist/{dispatcher-AQJGI3HU.js.map → chunk-E3JH6YUM.js.map} +0 -0
  276. /package/dist/{node-3APTLGWB.js.map → chunk-JHEAWR3L.js.map} +0 -0
  277. /package/dist/{chunk-ZJW5FFYJ.js.map → chunk-LC5PYNJP.js.map} +0 -0
  278. /package/dist/{chunk-2VQKDRVF.js.map → chunk-MR7OLIC6.js.map} +0 -0
  279. /package/dist/{scan-C2BOKLSY.js.map → chunk-NPMCKOX4.js.map} +0 -0
  280. /package/dist/{chunk-B6RP57M3.js.map → chunk-OLPB36O2.js.map} +0 -0
  281. /package/dist/{chunk-OXIQI2XZ.js.map → chunk-VBZCVFSA.js.map} +0 -0
  282. /package/dist/{chunk-TRH2L3FI.js.map → chunk-WEGALZEU.js.map} +0 -0
  283. /package/dist/{cloudflare-LCAOTRYZ.js.map → cloudflare-OJGJ7R2D.js.map} +0 -0
  284. /package/dist/{schema-VR6YNVLQ.js.map → cookies-MJKMGJ7N.js.map} +0 -0
  285. /package/dist/{deno-deploy-ZN4RE5HF.js.map → deno-deploy-BHWKFTOW.js.map} +0 -0
  286. /package/dist/{dev-266MVCVA.js.map → dev-MJVSRZGF.js.map} +0 -0
  287. /package/dist/{dev-emit-NO6OZJOQ.js.map → dev-emit-HHP2XJXE.js.map} +0 -0
  288. /package/dist/{vite-plugin-IK3NOWXS.js.map → dispatcher-63LBXYLE.js.map} +0 -0
  289. /package/dist/{info-FJ4NXKTB.js.map → info-47VB62MV.js.map} +0 -0
  290. /package/dist/{netlify-5VQ22Z2P.js.map → netlify-GSNSJGMN.js.map} +0 -0
  291. /package/dist/{openapi-FNVSWZOL.js.map → openapi-NFLSNNVQ.js.map} +0 -0
  292. /package/dist/{registry-4MZ26TZD.js.map → registry-QHEZ3BWB.js.map} +0 -0
  293. /package/dist/{routes-H4SPLFHJ.js.map → routes-3A4XGIEJ.js.map} +0 -0
  294. /package/dist/{services-typed-client-XWYYBWGW.js.map → services-typed-client-KK6RHRDG.js.map} +0 -0
  295. /package/dist/{services-typed-client-ZX5JUHH3.js.map → services-typed-client-T7M5VPBP.js.map} +0 -0
  296. /package/dist/{static-TZBVBDTB.js.map → static-QI5NQT2X.js.map} +0 -0
  297. /package/dist/{vercel-MWW24ABC.js.map → vercel-TKPZK62A.js.map} +0 -0
@@ -0,0 +1 @@
1
+ {"version":3,"sources":["../src/server/security/csrf-readiness-store.ts","../src/server/security/csp-report.ts","../src/server/security/csrf-readiness-endpoint.ts","../src/server/security/security-headers.ts"],"sourcesContent":["/**\n * T2.2 — In-memory bounded counter for CSRF warn events.\n *\n * Aggregates `csrf.warn` payloads by `(method, path, reason)` triple.\n * Used by the `/__theo/csrf-readiness` endpoint to expose a summary the\n * developer (or devtools tab) can inspect, so users do NOT need to grep\n * stdout to know which endpoints will break under 0.3.0 strict CSRF.\n *\n * Bounded at 1000 distinct keys (EC-22). Eviction is LRU-by-insertion —\n * when the cap is hit, the oldest key is dropped and a re-record of an\n * evicted key starts fresh (count: 1).\n *\n * Single-threaded by virtue of the JS event loop; Map operations are\n * atomic. NOT shared across processes — each worker has its own store.\n */\n\nexport interface CsrfWarnRecord {\n method: string\n path: string\n reason: string\n}\n\nexport interface CsrfReadinessRouteSummary {\n method: string\n path: string\n reason: string\n count: number\n firstSeen: string\n lastSeen: string\n}\n\nexport interface CsrfReadinessSummary {\n generatedAt: string\n totalEvents: number\n routes: CsrfReadinessRouteSummary[]\n}\n\ninterface StoredEntry {\n count: number\n firstSeen: string\n lastSeen: string\n}\n\nexport class CsrfReadinessStore {\n static readonly MAX_ENTRIES = 1000\n private readonly entries = new Map<string, StoredEntry>()\n\n private keyFor(event: CsrfWarnRecord): string {\n return `${event.method}\u0000${event.path}\u0000${event.reason}`\n }\n\n record(event: CsrfWarnRecord): void {\n const key = this.keyFor(event)\n const now = new Date().toISOString()\n const existing = this.entries.get(key)\n if (existing) {\n existing.count++\n existing.lastSeen = now\n return\n }\n if (this.entries.size >= CsrfReadinessStore.MAX_ENTRIES) {\n const firstKey = this.entries.keys().next().value\n if (firstKey !== undefined) this.entries.delete(firstKey)\n }\n this.entries.set(key, { count: 1, firstSeen: now, lastSeen: now })\n }\n\n summary(): CsrfReadinessSummary {\n let total = 0\n const routes: CsrfReadinessRouteSummary[] = []\n for (const [key, entry] of this.entries) {\n const [method, path, reason] = key.split('\u0000')\n routes.push({\n method,\n path,\n reason,\n count: entry.count,\n firstSeen: entry.firstSeen,\n lastSeen: entry.lastSeen,\n })\n total += entry.count\n }\n return {\n generatedAt: new Date().toISOString(),\n totalEvents: total,\n routes,\n }\n }\n\n reset(): void {\n this.entries.clear()\n }\n}\n","import type { IncomingMessage, ServerResponse } from 'node:http'\n\nimport { safeAudit, type AuditLogger } from '../observability/audit-log.js'\n\n/**\n * T5.1 — Built-in CSP report endpoint.\n *\n * Browsers POST violation reports to `report-uri` (legacy `application/csp-report`)\n * or `Reporting API` (`application/reports+json`). Framework auto-registers this\n * endpoint so `cspMode: 'report-only'` is actually useful out of the box.\n *\n * Forwards normalized violations to:\n * - audit logger (`csp.violation`)\n * - devtools dispatcher (dev only, for Errors tab)\n * - optional user hook (Sentry, etc.)\n *\n * EC-2: browser MAY send `{\"csp-report\": null}`, empty `{}`, or\n * reports+json entries lacking `body`. Handler MUST short-circuit to\n * 204 (valid format, no violation), NEVER crash via null deref.\n */\n\nexport const CSP_REPORT_PATH = '/__theo/csp-report'\n\n/** Max body bytes accepted. Real CSP reports are < 2 KB; 16 KB is generous. */\nconst MAX_BODY = 16 * 1024\n\nexport interface CspViolation {\n blockedUrl: string\n documentUrl: string\n violatedDirective: string\n effectiveDirective?: string\n originalPolicy?: string\n disposition?: 'enforce' | 'report'\n statusCode?: number\n sourceFile?: string\n lineNumber?: number\n columnNumber?: number\n}\n\nexport interface CspReportHandlerOptions {\n auditLogger?: AuditLogger\n devtoolsDispatcher?: {\n onCspViolation?: (v: CspViolation) => void\n }\n /** Optional user-provided sink (Sentry, custom log router). Errors here are swallowed. */\n onViolation?: (v: CspViolation) => void\n}\n\n/**\n * Map a legacy `application/csp-report` payload to the internal shape.\n * Caller must ensure `raw` is a non-null object.\n */\nfunction pickHeader(value: string | string[] | undefined): string {\n if (typeof value === 'string') return value\n if (Array.isArray(value) && value.length > 0) return value[0]\n return ''\n}\n\nfunction toStringSafe(value: unknown, fallback = '(missing)'): string {\n if (typeof value === 'string') return value\n if (typeof value === 'number' || typeof value === 'boolean') return String(value)\n return fallback\n}\n\nexport function normalizeLegacy(raw: Record<string, unknown>): CspViolation {\n return {\n blockedUrl: toStringSafe(raw['blocked-uri']),\n documentUrl: toStringSafe(raw['document-uri']),\n violatedDirective: toStringSafe(raw['violated-directive']),\n effectiveDirective:\n typeof raw['effective-directive'] === 'string' ? raw['effective-directive'] : undefined,\n originalPolicy: typeof raw['original-policy'] === 'string' ? raw['original-policy'] : undefined,\n disposition:\n raw.disposition === 'enforce' || raw.disposition === 'report' ? raw.disposition : undefined,\n statusCode: typeof raw['status-code'] === 'number' ? raw['status-code'] : undefined,\n sourceFile: typeof raw['source-file'] === 'string' ? raw['source-file'] : undefined,\n lineNumber: typeof raw['line-number'] === 'number' ? raw['line-number'] : undefined,\n columnNumber: typeof raw['column-number'] === 'number' ? raw['column-number'] : undefined,\n }\n}\n\n/**\n * Map a `reports+json` entry to the internal shape. Returns `null` if\n * the entry lacks a usable `body` object (EC-2).\n */\nexport function normalizeNew(entry: unknown): CspViolation | null {\n if (!entry || typeof entry !== 'object') return null\n const body = (entry as { body?: unknown }).body\n if (!body || typeof body !== 'object') return null\n const b = body as Record<string, unknown>\n return {\n blockedUrl: toStringSafe(b.blockedURL),\n documentUrl: toStringSafe(b.documentURL),\n violatedDirective: toStringSafe(b.violatedDirective),\n effectiveDirective: typeof b.effectiveDirective === 'string' ? b.effectiveDirective : undefined,\n originalPolicy: typeof b.originalPolicy === 'string' ? b.originalPolicy : undefined,\n disposition:\n b.disposition === 'enforce' || b.disposition === 'report' ? b.disposition : undefined,\n statusCode: typeof b.statusCode === 'number' ? b.statusCode : undefined,\n sourceFile: typeof b.sourceFile === 'string' ? b.sourceFile : undefined,\n lineNumber: typeof b.lineNumber === 'number' ? b.lineNumber : undefined,\n columnNumber: typeof b.columnNumber === 'number' ? b.columnNumber : undefined,\n }\n}\n\nasync function readBody(req: IncomingMessage, maxBytes: number): Promise<string> {\n return await new Promise<string>((resolve, reject) => {\n const chunks: Buffer[] = []\n let total = 0\n req.on('data', (chunk: Buffer) => {\n total += chunk.length\n if (total > maxBytes) {\n reject(new Error('body too large'))\n req.destroy()\n return\n }\n chunks.push(chunk)\n })\n req.on('end', () => {\n resolve(Buffer.concat(chunks).toString('utf8'))\n })\n req.on('error', reject)\n })\n}\n\nexport async function handleCspReport(\n req: IncomingMessage,\n res: ServerResponse,\n opts: CspReportHandlerOptions,\n): Promise<void> {\n const ctHeader = req.headers['content-type']\n const ct = pickHeader(ctHeader)\n\n let raw: string\n try {\n raw = await readBody(req, MAX_BODY)\n } catch {\n res.statusCode = 413\n res.end()\n return\n }\n\n let violations: CspViolation[]\n try {\n if (ct.startsWith('application/csp-report')) {\n // EC-2: browsers MAY POST {\"csp-report\": null} or {} on\n // disposition='report' policies. Guard against null/undefined/non-object.\n const parsed = JSON.parse(raw) as Record<string, unknown>\n const inner = parsed['csp-report']\n if (!inner || typeof inner !== 'object') {\n res.statusCode = 204\n res.end()\n return\n }\n violations = [normalizeLegacy(inner as Record<string, unknown>)]\n } else if (ct.startsWith('application/reports+json')) {\n // EC-2: filter out entries lacking `body` BEFORE normalizing.\n const parsed: unknown = JSON.parse(raw)\n const entries = Array.isArray(parsed) ? parsed : []\n violations = entries.map((e) => normalizeNew(e)).filter((v): v is CspViolation => v !== null)\n } else {\n res.statusCode = 415\n res.end()\n return\n }\n } catch {\n res.statusCode = 400\n res.end()\n return\n }\n\n for (const v of violations) {\n safeAudit(opts.auditLogger, {\n action: 'csp.violation',\n metadata: v as unknown as Record<string, unknown>,\n })\n try {\n opts.devtoolsDispatcher?.onCspViolation?.(v)\n } catch {\n // dispatcher errors are isolated from the request\n }\n try {\n opts.onViolation?.(v)\n } catch {\n // user hook throws are swallowed — never crash the request\n }\n }\n\n res.statusCode = 204\n res.end()\n}\n\n/**\n * T5a.2 Phase B slice 4/6 — Web-Standards CSP report handler.\n *\n * Mirror of `handleCspReport(req: IncomingMessage, res: ServerResponse,\n * opts): Promise<void>` for the Web `Request` shape. Returns\n * `Response` directly instead of mutating `res`.\n *\n * Same content-type dispatch (legacy `application/csp-report` vs new\n * `application/reports+json`), same normalizers (`normalizeLegacy`,\n * `normalizeNew`), same side-effect loop (safeAudit + devtools + user\n * hook). The body cap is enforced post-read because Web Request body\n * streaming doesn't have a portable mid-stream rejection primitive\n * across CF Workers / Bun / Deno; CSP reports are < 2 KB typical, well\n * under MAX_BODY (16 KB).\n *\n * Returns:\n * - 204 on accepted reports OR no-op empty payload\n * - 413 on body too large (post-read check)\n * - 415 on unsupported content-type\n * - 400 on malformed JSON\n */\nasync function readBodyFromRequest(request: Request, maxBytes: number): Promise<string | null> {\n const contentLengthHeader = request.headers.get('content-length')\n if (contentLengthHeader !== null) {\n const declared = Number.parseInt(contentLengthHeader, 10)\n if (Number.isFinite(declared) && declared > maxBytes) return null\n }\n const text = await request.text()\n if (text.length > maxBytes) return null\n return text\n}\n\nfunction dispatchViolations(violations: CspViolation[], opts: CspReportHandlerOptions): void {\n for (const v of violations) {\n safeAudit(opts.auditLogger, {\n action: 'csp.violation',\n metadata: v as unknown as Record<string, unknown>,\n })\n try {\n opts.devtoolsDispatcher?.onCspViolation?.(v)\n } catch {\n // dispatcher errors are isolated from the request\n }\n try {\n opts.onViolation?.(v)\n } catch {\n // user hook throws are swallowed — never crash the request\n }\n }\n}\n\nexport async function handleCspReportRequest(\n request: Request,\n opts: CspReportHandlerOptions,\n): Promise<Response> {\n const ct = request.headers.get('content-type') ?? ''\n\n const raw = await readBodyFromRequest(request, MAX_BODY)\n if (raw === null) {\n return new Response(null, { status: 413 })\n }\n\n let violations: CspViolation[]\n try {\n if (ct.startsWith('application/csp-report')) {\n const parsed = JSON.parse(raw) as Record<string, unknown>\n const inner = parsed['csp-report']\n if (!inner || typeof inner !== 'object') {\n return new Response(null, { status: 204 })\n }\n violations = [normalizeLegacy(inner as Record<string, unknown>)]\n } else if (ct.startsWith('application/reports+json')) {\n const parsed: unknown = JSON.parse(raw)\n const entries = Array.isArray(parsed) ? parsed : []\n violations = entries.map((e) => normalizeNew(e)).filter((v): v is CspViolation => v !== null)\n } else {\n return new Response(null, { status: 415 })\n }\n } catch {\n return new Response(null, { status: 400 })\n }\n\n dispatchViolations(violations, opts)\n return new Response(null, { status: 204 })\n}\n","/**\n * T2.2 — `/__theo/csrf-readiness` endpoint.\n *\n * GET /__theo/csrf-readiness → 200 + JSON summary\n * POST /__theo/csrf-readiness/reset → 204; clears the store\n *\n * The reset endpoint enforces CSRF (own dog food) — requires\n * `X-Theo-Action: 1` AND a matching Origin header (EC-15). This avoids\n * the endpoint being weaponizable from a cross-origin page when the\n * endpoint is opt-in exposed in production.\n *\n * Mount opt-in: in dev mode, the host wires this in unconditionally. In\n * production, only mount when `config.security.csrfTelemetry.exposeReadinessEndpoint === true`.\n * EC-10 parallel: returns 404 (via boolean false return) when the URL\n * does not match — the caller continues normal request handling.\n */\nimport type { IncomingMessage, ServerResponse } from 'node:http'\n\nimport type { CsrfReadinessStore } from './csrf-readiness-store.js'\n\nexport const CSRF_READINESS_PATH = '/__theo/csrf-readiness'\nexport const CSRF_READINESS_RESET_PATH = '/__theo/csrf-readiness/reset'\n\nfunction originMatchesHost(req: IncomingMessage): boolean {\n const origin = req.headers.origin\n if (typeof origin !== 'string') return false\n const host = req.headers.host\n if (typeof host !== 'string') return false\n try {\n const parsed = new URL(origin)\n return parsed.host === host\n } catch {\n return false\n }\n}\n\nfunction sendJson(res: ServerResponse, status: number, body: unknown): void {\n res.writeHead(status, { 'content-type': 'application/json' })\n res.end(JSON.stringify(body))\n}\n\nfunction sendNoContent(res: ServerResponse): void {\n res.writeHead(204)\n res.end()\n}\n\nfunction sendError(res: ServerResponse, status: number, code: string, message: string): void {\n res.writeHead(status, { 'content-type': 'application/json' })\n res.end(JSON.stringify({ error: { code, message } }))\n}\n\n// eslint-disable-next-line @typescript-eslint/require-await -- async return for future telemetry hooks\nexport async function handleCsrfReadiness(\n req: IncomingMessage,\n res: ServerResponse,\n store: CsrfReadinessStore,\n): Promise<boolean> {\n const url = (req.url ?? '').split('?')[0]\n const method = req.method ?? 'GET'\n\n if (url === CSRF_READINESS_PATH) {\n if (method === 'GET') {\n sendJson(res, 200, store.summary())\n return true\n }\n sendError(res, 405, 'METHOD_NOT_ALLOWED', `Use GET on ${CSRF_READINESS_PATH}`)\n return true\n }\n\n if (url === CSRF_READINESS_RESET_PATH) {\n if (method !== 'POST') {\n sendError(res, 405, 'METHOD_NOT_ALLOWED', `Use POST on ${CSRF_READINESS_RESET_PATH}`)\n return true\n }\n // Enforce CSRF on our own endpoint (dog-food).\n const hasHeader = req.headers['x-theo-action'] === '1'\n if (!hasHeader || !originMatchesHost(req)) {\n sendError(res, 403, 'CSRF_INVALID', 'Reset requires X-Theo-Action: 1 + same-origin')\n return true\n }\n store.reset()\n sendNoContent(res)\n return true\n }\n\n return false\n}\n\n/**\n * T5a.2 Phase B slice 3/6 — Web-Standards-shaped CSRF readiness handler.\n *\n * Mirror of `handleCsrfReadiness(req: IncomingMessage, res: ServerResponse,\n * store): Promise<boolean>` for the Web `Request` shape. Returns\n * `Response | null` instead of mutating `res` and returning a boolean:\n * - `Response` → this handler claimed the URL; caller short-circuits.\n * - `null` → URL doesn't match our endpoint; caller continues normal dispatch.\n *\n * Same routes (GET `CSRF_READINESS_PATH`, POST `CSRF_READINESS_RESET_PATH`).\n * Same CSRF dog-food on reset (X-Theo-Action + same-origin).\n *\n * Wire into `executeWebRequest` integration via a future Phase B sub-slice\n * (consumer can also call this directly today via the\n * `theokit/server/security` sub-path).\n */\nfunction buildJsonResponse(status: number, body: unknown): Response {\n return new Response(JSON.stringify(body), {\n status,\n headers: { 'content-type': 'application/json' },\n })\n}\n\nfunction buildErrorResponse(status: number, code: string, message: string): Response {\n return buildJsonResponse(status, { error: { code, message } })\n}\n\n/**\n * Returns true when `Origin` header and request URL host match (RFC 6454\n * same-origin check). Web-Standards counterpart of `originMatchesHost`.\n */\nfunction originMatchesHostFromRequest(request: Request): boolean {\n const origin = request.headers.get('origin')\n if (origin === null || origin.length === 0) return false\n const host = request.headers.get('host')\n if (host === null || host.length === 0) {\n // Fallback: derive host from request.url (Web Request guarantees absolute URL)\n try {\n const reqHost = new URL(request.url).host\n const originHost = new URL(origin).host\n return originHost === reqHost\n } catch {\n return false\n }\n }\n try {\n return new URL(origin).host === host\n } catch {\n return false\n }\n}\n\n// eslint-disable-next-line @typescript-eslint/require-await -- async return for future telemetry hooks\nexport async function handleCsrfReadinessRequest(\n request: Request,\n store: CsrfReadinessStore,\n): Promise<Response | null> {\n const url = new URL(request.url).pathname\n const method = request.method.toUpperCase()\n\n if (url === CSRF_READINESS_PATH) {\n if (method === 'GET') {\n return buildJsonResponse(200, store.summary())\n }\n return buildErrorResponse(405, 'METHOD_NOT_ALLOWED', `Use GET on ${CSRF_READINESS_PATH}`)\n }\n\n if (url === CSRF_READINESS_RESET_PATH) {\n if (method !== 'POST') {\n return buildErrorResponse(\n 405,\n 'METHOD_NOT_ALLOWED',\n `Use POST on ${CSRF_READINESS_RESET_PATH}`,\n )\n }\n // Enforce CSRF on our own endpoint (dog-food).\n const hasHeader = request.headers.get('x-theo-action') === '1'\n if (!hasHeader || !originMatchesHostFromRequest(request)) {\n return buildErrorResponse(\n 403,\n 'CSRF_INVALID',\n 'Reset requires X-Theo-Action: 1 + same-origin',\n )\n }\n store.reset()\n return new Response(null, { status: 204 })\n }\n\n return null\n}\n","import type { ServerResponse } from 'node:http'\n\n/**\n * Phase 6 — Default Security Headers (D4 / EC-2).\n *\n * Per-response security baseline. The framework applies these BEFORE the\n * route handler runs so a handler can still override via `res.setHeader`.\n *\n * EC-2 backward-compatibility: CSP ships in `report-only` mode by default\n * for 0.2.0. Existing apps with inline scripts or third-party CDN scripts\n * keep working but consumers see violation reports via their CSP report\n * collector (or browser DevTools). 0.3.0 will flip the default to\n * `enforce` after a release of visibility.\n */\n\n/**\n * Default Content-Security-Policy. Conservative-but-not-paralyzing:\n *\n * - default-src 'self' — every fetch falls back to same-origin\n * - script-src 'self' — T6.1 (0.3.0): `'unsafe-inline'`\n * dropped. The SSR pipeline issues a\n * per-request nonce that REPLACES\n * this directive at runtime\n * (`'nonce-<token>'`). For static /\n * non-SSR contexts where no nonce is\n * available, the policy is strict-\n * no-inline — user inline scripts\n * must be migrated to external\n * `<script src=\"...\">` or threaded\n * through `ctx.nonce`.\n * - style-src 'self' 'unsafe-inline' — Tailwind + TheoUI use style attrs\n * in animation directives\n * - img-src 'self' data: blob: — supports inline data URIs, blobs\n * from canvas exports\n * - font-src 'self' data: — Geist fonts inline-base64\n * - connect-src 'self' ws: wss: — WebSocket dev HMR + agent streams\n * - frame-ancestors 'none' — clickjacking defense\n */\n/**\n * T5.1 — default CSP includes the built-in report endpoint so violations\n * are visible without extra config. Apps that ship a custom `csp` string\n * override the report-uri.\n */\nexport const DEFAULT_CSP =\n \"default-src 'self'; \" +\n \"script-src 'self'; \" +\n \"style-src 'self' 'unsafe-inline'; \" +\n \"img-src 'self' data: blob:; \" +\n \"font-src 'self' data:; \" +\n \"connect-src 'self' ws: wss:; \" +\n \"frame-ancestors 'none'; \" +\n 'report-uri /__theo/csp-report'\n\n/**\n * T1.1 — Default Permissions-Policy header (default-deny stance).\n *\n * Disables sensitive Web APIs that the vast majority of apps don't use.\n * Apps that DO need any of these opt in by overriding `permissionsPolicy`\n * in `config.security.headers`.\n *\n * The seven features listed are the most-abused for: tracking\n * (geolocation, accelerometer, gyroscope), spyware (camera, microphone),\n * fraud (payment), and hardware exfiltration (usb).\n *\n * Aligns with Mozilla baseline + OWASP Secure Headers + Lighthouse PWA.\n */\nexport const DEFAULT_PERMISSIONS_POLICY =\n 'geolocation=(), camera=(), microphone=(), payment=(), usb=(), accelerometer=(), gyroscope=()'\n\nexport type CspMode = 'enforce' | 'report-only' | 'off'\n\nexport interface SecurityHeadersConfig {\n /**\n * Custom CSP policy string. When set, replaces the default verbatim.\n * Pass `false` to disable CSP entirely (alias for `cspMode: 'off'`).\n */\n csp?: string | false\n /**\n * Enforcement mode for CSP. Default `report-only` for 0.2.0 (EC-2).\n * 0.3.0 will default to `enforce`.\n */\n cspMode?: CspMode\n /**\n * Strict-Transport-Security value. Defaults to\n * `max-age=31536000; includeSubDomains` in production. Pass `false` to\n * suppress (e.g. internal LANs without TLS).\n */\n hsts?: string | false\n /** X-Frame-Options. Default DENY. */\n frameOptions?: 'DENY' | 'SAMEORIGIN'\n /** X-Content-Type-Options. Default `nosniff`. */\n contentTypeOptions?: 'nosniff'\n /** Referrer-Policy. Default `strict-origin-when-cross-origin`. */\n referrerPolicy?: string\n /**\n * T1.1 — Permissions-Policy directive string. When set, replaces the\n * default verbatim (no merge — see ADR-EC-12). Pass `false` to disable\n * the header entirely. Schema-level refinement rejects any string\n * containing CR/LF (EC-3 — CWE-113 HTTP Response Splitting mitigation).\n */\n permissionsPolicy?: string | false\n}\n\nexport interface SecurityEnv {\n production: boolean\n}\n\n/**\n * T4.1 — Per-request options passed by the SSR pipeline.\n *\n * - `nonce`: when set, the framework substitutes the `'unsafe-inline'`\n * token in `script-src` with `'nonce-<nonce>'`. EC-3 forces\n * `Cache-Control: private, no-store` so a CDN cannot cache the HTML\n * (carrying one nonce) and re-serve it with a freshly-generated CSP\n * header (carrying a different nonce).\n * - `prerender`: when true, the nonce is IGNORED. Prerendered HTML is\n * generated at build time with no nonce in the script tags; mixing a\n * runtime nonce in the header would block every script. EC-4.\n */\nexport interface SecurityHeadersOptions {\n nonce?: string\n prerender?: boolean\n}\n\nconst DEFAULT_HSTS = 'max-age=31536000; includeSubDomains'\n\n/**\n * Apply a nonce to the script-src directive of an existing CSP policy\n * string. Replaces `'unsafe-inline'` (if present) with `'nonce-<value>'`;\n * otherwise appends the nonce directive to the script-src line.\n */\nfunction applyNonceToCsp(policy: string, nonce: string): string {\n return policy\n .split(';')\n .map((directive) => {\n const trimmed = directive.trim()\n if (!trimmed.startsWith('script-src')) return directive\n if (trimmed.includes(\"'unsafe-inline'\")) {\n return directive.replace(\"'unsafe-inline'\", `'nonce-${nonce}'`)\n }\n return `${directive} 'nonce-${nonce}'`\n })\n .join(';')\n}\n\n/**\n * Apply Content-Security-Policy header(s) to `out`. Extracted from\n * `buildSecurityHeaders` to keep that function's complexity within ceiling.\n * Handles the four shapes:\n * csp: false → opt out\n * cspMode: 'off' → opt out\n * cspMode: 'enforce' → Content-Security-Policy (T6.1 default for 0.3.0)\n * cspMode: 'report-only' → Content-Security-Policy-Report-Only (legacy 0.2.x)\n */\nfunction applyCsp(\n out: Record<string, string>,\n config: SecurityHeadersConfig,\n effectiveNonce: string | undefined,\n): void {\n if (config.csp === false || config.cspMode === 'off') return\n let policy = typeof config.csp === 'string' ? config.csp : DEFAULT_CSP\n if (effectiveNonce) {\n policy = applyNonceToCsp(policy, effectiveNonce)\n }\n // T6.1 — default flipped from 'report-only' to 'enforce' for 0.3.0.\n const mode: CspMode = config.cspMode ?? 'enforce'\n if (mode === 'enforce') {\n out['Content-Security-Policy'] = policy\n } else {\n out['Content-Security-Policy-Report-Only'] = policy\n }\n}\n\n/**\n * Build the security headers map for a given config + env. Pure function —\n * returned object can be inspected, logged, or applied to a response.\n */\nexport function buildSecurityHeaders(\n config: SecurityHeadersConfig,\n env: SecurityEnv,\n options: SecurityHeadersOptions = {},\n): Record<string, string> {\n const out: Record<string, string> = {}\n\n // EC-4: prerendered routes must NOT receive a nonce — the build-time\n // HTML carries no nonce, so a runtime nonce would mismatch.\n const effectiveNonce = options.prerender ? undefined : options.nonce\n\n applyCsp(out, config, effectiveNonce)\n\n // X-Frame-Options\n out['X-Frame-Options'] = config.frameOptions ?? 'DENY'\n\n // X-Content-Type-Options\n out['X-Content-Type-Options'] = config.contentTypeOptions ?? 'nosniff'\n\n // Referrer-Policy\n out['Referrer-Policy'] = config.referrerPolicy ?? 'strict-origin-when-cross-origin'\n\n // T1.1 — Permissions-Policy. Default-deny on geo/camera/mic/payment/usb;\n // configurable via `permissionsPolicy`; suppressed via `permissionsPolicy: false`.\n if (config.permissionsPolicy !== false) {\n out['Permissions-Policy'] =\n typeof config.permissionsPolicy === 'string'\n ? config.permissionsPolicy\n : DEFAULT_PERMISSIONS_POLICY\n }\n\n // HSTS — production only, suppressible via hsts: false\n if (env.production && config.hsts !== false) {\n out['Strict-Transport-Security'] = typeof config.hsts === 'string' ? config.hsts : DEFAULT_HSTS\n }\n\n // EC-3: when a nonce is in play, the response carries a one-shot CSP\n // header AND inline scripts in the HTML body. A CDN that caches the\n // HTML and proxies a fresh CSP per request would block every script\n // (nonces wouldn't match). Force no-store to prevent that class of\n // silent prod-only failure. Prerendered routes (which carry no nonce\n // by design — EC-4) are exempt; their HTML is meant to be cacheable.\n if (effectiveNonce) {\n out['Cache-Control'] = 'private, no-store'\n }\n\n return out\n}\n\n/**\n * Apply security headers to a Node ServerResponse. Called by the\n * api-middleware before the route handler runs. The handler can override\n * any header via `res.setHeader()` — last write wins by Node convention.\n */\nexport function applySecurityHeaders(\n res: ServerResponse,\n config: SecurityHeadersConfig,\n env: SecurityEnv,\n options: SecurityHeadersOptions = {},\n): void {\n const headers = buildSecurityHeaders(config, env, options)\n for (const [key, value] of Object.entries(headers)) {\n res.setHeader(key, value)\n }\n}\n"],"mappings":";;;;;AA2CO,IAAM,qBAAN,MAAM,oBAAmB;AAAA,EAC9B,OAAgB,cAAc;AAAA,EACb,UAAU,oBAAI,IAAyB;AAAA,EAEhD,OAAO,OAA+B;AAC5C,WAAO,GAAG,MAAM,MAAM,KAAI,MAAM,IAAI,KAAI,MAAM,MAAM;AAAA,EACtD;AAAA,EAEA,OAAO,OAA6B;AAClC,UAAM,MAAM,KAAK,OAAO,KAAK;AAC7B,UAAM,OAAM,oBAAI,KAAK,GAAE,YAAY;AACnC,UAAM,WAAW,KAAK,QAAQ,IAAI,GAAG;AACrC,QAAI,UAAU;AACZ,eAAS;AACT,eAAS,WAAW;AACpB;AAAA,IACF;AACA,QAAI,KAAK,QAAQ,QAAQ,oBAAmB,aAAa;AACvD,YAAM,WAAW,KAAK,QAAQ,KAAK,EAAE,KAAK,EAAE;AAC5C,UAAI,aAAa,OAAW,MAAK,QAAQ,OAAO,QAAQ;AAAA,IAC1D;AACA,SAAK,QAAQ,IAAI,KAAK,EAAE,OAAO,GAAG,WAAW,KAAK,UAAU,IAAI,CAAC;AAAA,EACnE;AAAA,EAEA,UAAgC;AAC9B,QAAI,QAAQ;AACZ,UAAM,SAAsC,CAAC;AAC7C,eAAW,CAAC,KAAK,KAAK,KAAK,KAAK,SAAS;AACvC,YAAM,CAAC,QAAQ,MAAM,MAAM,IAAI,IAAI,MAAM,IAAG;AAC5C,aAAO,KAAK;AAAA,QACV;AAAA,QACA;AAAA,QACA;AAAA,QACA,OAAO,MAAM;AAAA,QACb,WAAW,MAAM;AAAA,QACjB,UAAU,MAAM;AAAA,MAClB,CAAC;AACD,eAAS,MAAM;AAAA,IACjB;AACA,WAAO;AAAA,MACL,cAAa,oBAAI,KAAK,GAAE,YAAY;AAAA,MACpC,aAAa;AAAA,MACb;AAAA,IACF;AAAA,EACF;AAAA,EAEA,QAAc;AACZ,SAAK,QAAQ,MAAM;AAAA,EACrB;AACF;;;ACvEO,IAAM,kBAAkB;AAG/B,IAAM,WAAW,KAAK;AA4BtB,SAAS,WAAW,OAA8C;AAChE,MAAI,OAAO,UAAU,SAAU,QAAO;AACtC,MAAI,MAAM,QAAQ,KAAK,KAAK,MAAM,SAAS,EAAG,QAAO,MAAM,CAAC;AAC5D,SAAO;AACT;AAEA,SAAS,aAAa,OAAgB,WAAW,aAAqB;AACpE,MAAI,OAAO,UAAU,SAAU,QAAO;AACtC,MAAI,OAAO,UAAU,YAAY,OAAO,UAAU,UAAW,QAAO,OAAO,KAAK;AAChF,SAAO;AACT;AAEO,SAAS,gBAAgB,KAA4C;AAC1E,SAAO;AAAA,IACL,YAAY,aAAa,IAAI,aAAa,CAAC;AAAA,IAC3C,aAAa,aAAa,IAAI,cAAc,CAAC;AAAA,IAC7C,mBAAmB,aAAa,IAAI,oBAAoB,CAAC;AAAA,IACzD,oBACE,OAAO,IAAI,qBAAqB,MAAM,WAAW,IAAI,qBAAqB,IAAI;AAAA,IAChF,gBAAgB,OAAO,IAAI,iBAAiB,MAAM,WAAW,IAAI,iBAAiB,IAAI;AAAA,IACtF,aACE,IAAI,gBAAgB,aAAa,IAAI,gBAAgB,WAAW,IAAI,cAAc;AAAA,IACpF,YAAY,OAAO,IAAI,aAAa,MAAM,WAAW,IAAI,aAAa,IAAI;AAAA,IAC1E,YAAY,OAAO,IAAI,aAAa,MAAM,WAAW,IAAI,aAAa,IAAI;AAAA,IAC1E,YAAY,OAAO,IAAI,aAAa,MAAM,WAAW,IAAI,aAAa,IAAI;AAAA,IAC1E,cAAc,OAAO,IAAI,eAAe,MAAM,WAAW,IAAI,eAAe,IAAI;AAAA,EAClF;AACF;AAMO,SAAS,aAAa,OAAqC;AAChE,MAAI,CAAC,SAAS,OAAO,UAAU,SAAU,QAAO;AAChD,QAAM,OAAQ,MAA6B;AAC3C,MAAI,CAAC,QAAQ,OAAO,SAAS,SAAU,QAAO;AAC9C,QAAM,IAAI;AACV,SAAO;AAAA,IACL,YAAY,aAAa,EAAE,UAAU;AAAA,IACrC,aAAa,aAAa,EAAE,WAAW;AAAA,IACvC,mBAAmB,aAAa,EAAE,iBAAiB;AAAA,IACnD,oBAAoB,OAAO,EAAE,uBAAuB,WAAW,EAAE,qBAAqB;AAAA,IACtF,gBAAgB,OAAO,EAAE,mBAAmB,WAAW,EAAE,iBAAiB;AAAA,IAC1E,aACE,EAAE,gBAAgB,aAAa,EAAE,gBAAgB,WAAW,EAAE,cAAc;AAAA,IAC9E,YAAY,OAAO,EAAE,eAAe,WAAW,EAAE,aAAa;AAAA,IAC9D,YAAY,OAAO,EAAE,eAAe,WAAW,EAAE,aAAa;AAAA,IAC9D,YAAY,OAAO,EAAE,eAAe,WAAW,EAAE,aAAa;AAAA,IAC9D,cAAc,OAAO,EAAE,iBAAiB,WAAW,EAAE,eAAe;AAAA,EACtE;AACF;AAEA,eAAe,SAAS,KAAsB,UAAmC;AAC/E,SAAO,MAAM,IAAI,QAAgB,CAAC,SAAS,WAAW;AACpD,UAAM,SAAmB,CAAC;AAC1B,QAAI,QAAQ;AACZ,QAAI,GAAG,QAAQ,CAAC,UAAkB;AAChC,eAAS,MAAM;AACf,UAAI,QAAQ,UAAU;AACpB,eAAO,IAAI,MAAM,gBAAgB,CAAC;AAClC,YAAI,QAAQ;AACZ;AAAA,MACF;AACA,aAAO,KAAK,KAAK;AAAA,IACnB,CAAC;AACD,QAAI,GAAG,OAAO,MAAM;AAClB,cAAQ,OAAO,OAAO,MAAM,EAAE,SAAS,MAAM,CAAC;AAAA,IAChD,CAAC;AACD,QAAI,GAAG,SAAS,MAAM;AAAA,EACxB,CAAC;AACH;AAEA,eAAsB,gBACpB,KACA,KACA,MACe;AACf,QAAM,WAAW,IAAI,QAAQ,cAAc;AAC3C,QAAM,KAAK,WAAW,QAAQ;AAE9B,MAAI;AACJ,MAAI;AACF,UAAM,MAAM,SAAS,KAAK,QAAQ;AAAA,EACpC,QAAQ;AACN,QAAI,aAAa;AACjB,QAAI,IAAI;AACR;AAAA,EACF;AAEA,MAAI;AACJ,MAAI;AACF,QAAI,GAAG,WAAW,wBAAwB,GAAG;AAG3C,YAAM,SAAS,KAAK,MAAM,GAAG;AAC7B,YAAM,QAAQ,OAAO,YAAY;AACjC,UAAI,CAAC,SAAS,OAAO,UAAU,UAAU;AACvC,YAAI,aAAa;AACjB,YAAI,IAAI;AACR;AAAA,MACF;AACA,mBAAa,CAAC,gBAAgB,KAAgC,CAAC;AAAA,IACjE,WAAW,GAAG,WAAW,0BAA0B,GAAG;AAEpD,YAAM,SAAkB,KAAK,MAAM,GAAG;AACtC,YAAM,UAAU,MAAM,QAAQ,MAAM,IAAI,SAAS,CAAC;AAClD,mBAAa,QAAQ,IAAI,CAAC,MAAM,aAAa,CAAC,CAAC,EAAE,OAAO,CAAC,MAAyB,MAAM,IAAI;AAAA,IAC9F,OAAO;AACL,UAAI,aAAa;AACjB,UAAI,IAAI;AACR;AAAA,IACF;AAAA,EACF,QAAQ;AACN,QAAI,aAAa;AACjB,QAAI,IAAI;AACR;AAAA,EACF;AAEA,aAAW,KAAK,YAAY;AAC1B,cAAU,KAAK,aAAa;AAAA,MAC1B,QAAQ;AAAA,MACR,UAAU;AAAA,IACZ,CAAC;AACD,QAAI;AACF,WAAK,oBAAoB,iBAAiB,CAAC;AAAA,IAC7C,QAAQ;AAAA,IAER;AACA,QAAI;AACF,WAAK,cAAc,CAAC;AAAA,IACtB,QAAQ;AAAA,IAER;AAAA,EACF;AAEA,MAAI,aAAa;AACjB,MAAI,IAAI;AACV;AAuBA,eAAe,oBAAoB,SAAkB,UAA0C;AAC7F,QAAM,sBAAsB,QAAQ,QAAQ,IAAI,gBAAgB;AAChE,MAAI,wBAAwB,MAAM;AAChC,UAAM,WAAW,OAAO,SAAS,qBAAqB,EAAE;AACxD,QAAI,OAAO,SAAS,QAAQ,KAAK,WAAW,SAAU,QAAO;AAAA,EAC/D;AACA,QAAM,OAAO,MAAM,QAAQ,KAAK;AAChC,MAAI,KAAK,SAAS,SAAU,QAAO;AACnC,SAAO;AACT;AAEA,SAAS,mBAAmB,YAA4B,MAAqC;AAC3F,aAAW,KAAK,YAAY;AAC1B,cAAU,KAAK,aAAa;AAAA,MAC1B,QAAQ;AAAA,MACR,UAAU;AAAA,IACZ,CAAC;AACD,QAAI;AACF,WAAK,oBAAoB,iBAAiB,CAAC;AAAA,IAC7C,QAAQ;AAAA,IAER;AACA,QAAI;AACF,WAAK,cAAc,CAAC;AAAA,IACtB,QAAQ;AAAA,IAER;AAAA,EACF;AACF;AAEA,eAAsB,uBACpB,SACA,MACmB;AACnB,QAAM,KAAK,QAAQ,QAAQ,IAAI,cAAc,KAAK;AAElD,QAAM,MAAM,MAAM,oBAAoB,SAAS,QAAQ;AACvD,MAAI,QAAQ,MAAM;AAChB,WAAO,IAAI,SAAS,MAAM,EAAE,QAAQ,IAAI,CAAC;AAAA,EAC3C;AAEA,MAAI;AACJ,MAAI;AACF,QAAI,GAAG,WAAW,wBAAwB,GAAG;AAC3C,YAAM,SAAS,KAAK,MAAM,GAAG;AAC7B,YAAM,QAAQ,OAAO,YAAY;AACjC,UAAI,CAAC,SAAS,OAAO,UAAU,UAAU;AACvC,eAAO,IAAI,SAAS,MAAM,EAAE,QAAQ,IAAI,CAAC;AAAA,MAC3C;AACA,mBAAa,CAAC,gBAAgB,KAAgC,CAAC;AAAA,IACjE,WAAW,GAAG,WAAW,0BAA0B,GAAG;AACpD,YAAM,SAAkB,KAAK,MAAM,GAAG;AACtC,YAAM,UAAU,MAAM,QAAQ,MAAM,IAAI,SAAS,CAAC;AAClD,mBAAa,QAAQ,IAAI,CAAC,MAAM,aAAa,CAAC,CAAC,EAAE,OAAO,CAAC,MAAyB,MAAM,IAAI;AAAA,IAC9F,OAAO;AACL,aAAO,IAAI,SAAS,MAAM,EAAE,QAAQ,IAAI,CAAC;AAAA,IAC3C;AAAA,EACF,QAAQ;AACN,WAAO,IAAI,SAAS,MAAM,EAAE,QAAQ,IAAI,CAAC;AAAA,EAC3C;AAEA,qBAAmB,YAAY,IAAI;AACnC,SAAO,IAAI,SAAS,MAAM,EAAE,QAAQ,IAAI,CAAC;AAC3C;;;AChQO,IAAM,sBAAsB;AAC5B,IAAM,4BAA4B;AAEzC,SAAS,kBAAkB,KAA+B;AACxD,QAAM,SAAS,IAAI,QAAQ;AAC3B,MAAI,OAAO,WAAW,SAAU,QAAO;AACvC,QAAM,OAAO,IAAI,QAAQ;AACzB,MAAI,OAAO,SAAS,SAAU,QAAO;AACrC,MAAI;AACF,UAAM,SAAS,IAAI,IAAI,MAAM;AAC7B,WAAO,OAAO,SAAS;AAAA,EACzB,QAAQ;AACN,WAAO;AAAA,EACT;AACF;AAEA,SAAS,SAAS,KAAqB,QAAgB,MAAqB;AAC1E,MAAI,UAAU,QAAQ,EAAE,gBAAgB,mBAAmB,CAAC;AAC5D,MAAI,IAAI,KAAK,UAAU,IAAI,CAAC;AAC9B;AAEA,SAAS,cAAc,KAA2B;AAChD,MAAI,UAAU,GAAG;AACjB,MAAI,IAAI;AACV;AAEA,SAAS,UAAU,KAAqB,QAAgB,MAAc,SAAuB;AAC3F,MAAI,UAAU,QAAQ,EAAE,gBAAgB,mBAAmB,CAAC;AAC5D,MAAI,IAAI,KAAK,UAAU,EAAE,OAAO,EAAE,MAAM,QAAQ,EAAE,CAAC,CAAC;AACtD;AAGA,eAAsB,oBACpB,KACA,KACA,OACkB;AAClB,QAAM,OAAO,IAAI,OAAO,IAAI,MAAM,GAAG,EAAE,CAAC;AACxC,QAAM,SAAS,IAAI,UAAU;AAE7B,MAAI,QAAQ,qBAAqB;AAC/B,QAAI,WAAW,OAAO;AACpB,eAAS,KAAK,KAAK,MAAM,QAAQ,CAAC;AAClC,aAAO;AAAA,IACT;AACA,cAAU,KAAK,KAAK,sBAAsB,cAAc,mBAAmB,EAAE;AAC7E,WAAO;AAAA,EACT;AAEA,MAAI,QAAQ,2BAA2B;AACrC,QAAI,WAAW,QAAQ;AACrB,gBAAU,KAAK,KAAK,sBAAsB,eAAe,yBAAyB,EAAE;AACpF,aAAO;AAAA,IACT;AAEA,UAAM,YAAY,IAAI,QAAQ,eAAe,MAAM;AACnD,QAAI,CAAC,aAAa,CAAC,kBAAkB,GAAG,GAAG;AACzC,gBAAU,KAAK,KAAK,gBAAgB,+CAA+C;AACnF,aAAO;AAAA,IACT;AACA,UAAM,MAAM;AACZ,kBAAc,GAAG;AACjB,WAAO;AAAA,EACT;AAEA,SAAO;AACT;AAkBA,SAAS,kBAAkB,QAAgB,MAAyB;AAClE,SAAO,IAAI,SAAS,KAAK,UAAU,IAAI,GAAG;AAAA,IACxC;AAAA,IACA,SAAS,EAAE,gBAAgB,mBAAmB;AAAA,EAChD,CAAC;AACH;AAEA,SAAS,mBAAmB,QAAgB,MAAc,SAA2B;AACnF,SAAO,kBAAkB,QAAQ,EAAE,OAAO,EAAE,MAAM,QAAQ,EAAE,CAAC;AAC/D;AAMA,SAAS,6BAA6B,SAA2B;AAC/D,QAAM,SAAS,QAAQ,QAAQ,IAAI,QAAQ;AAC3C,MAAI,WAAW,QAAQ,OAAO,WAAW,EAAG,QAAO;AACnD,QAAM,OAAO,QAAQ,QAAQ,IAAI,MAAM;AACvC,MAAI,SAAS,QAAQ,KAAK,WAAW,GAAG;AAEtC,QAAI;AACF,YAAM,UAAU,IAAI,IAAI,QAAQ,GAAG,EAAE;AACrC,YAAM,aAAa,IAAI,IAAI,MAAM,EAAE;AACnC,aAAO,eAAe;AAAA,IACxB,QAAQ;AACN,aAAO;AAAA,IACT;AAAA,EACF;AACA,MAAI;AACF,WAAO,IAAI,IAAI,MAAM,EAAE,SAAS;AAAA,EAClC,QAAQ;AACN,WAAO;AAAA,EACT;AACF;AAGA,eAAsB,2BACpB,SACA,OAC0B;AAC1B,QAAM,MAAM,IAAI,IAAI,QAAQ,GAAG,EAAE;AACjC,QAAM,SAAS,QAAQ,OAAO,YAAY;AAE1C,MAAI,QAAQ,qBAAqB;AAC/B,QAAI,WAAW,OAAO;AACpB,aAAO,kBAAkB,KAAK,MAAM,QAAQ,CAAC;AAAA,IAC/C;AACA,WAAO,mBAAmB,KAAK,sBAAsB,cAAc,mBAAmB,EAAE;AAAA,EAC1F;AAEA,MAAI,QAAQ,2BAA2B;AACrC,QAAI,WAAW,QAAQ;AACrB,aAAO;AAAA,QACL;AAAA,QACA;AAAA,QACA,eAAe,yBAAyB;AAAA,MAC1C;AAAA,IACF;AAEA,UAAM,YAAY,QAAQ,QAAQ,IAAI,eAAe,MAAM;AAC3D,QAAI,CAAC,aAAa,CAAC,6BAA6B,OAAO,GAAG;AACxD,aAAO;AAAA,QACL;AAAA,QACA;AAAA,QACA;AAAA,MACF;AAAA,IACF;AACA,UAAM,MAAM;AACZ,WAAO,IAAI,SAAS,MAAM,EAAE,QAAQ,IAAI,CAAC;AAAA,EAC3C;AAEA,SAAO;AACT;;;ACtIO,IAAM,cACX;AAsBK,IAAM,6BACX;AAyDF,IAAM,eAAe;AAOrB,SAAS,gBAAgB,QAAgB,OAAuB;AAC9D,SAAO,OACJ,MAAM,GAAG,EACT,IAAI,CAAC,cAAc;AAClB,UAAM,UAAU,UAAU,KAAK;AAC/B,QAAI,CAAC,QAAQ,WAAW,YAAY,EAAG,QAAO;AAC9C,QAAI,QAAQ,SAAS,iBAAiB,GAAG;AACvC,aAAO,UAAU,QAAQ,mBAAmB,UAAU,KAAK,GAAG;AAAA,IAChE;AACA,WAAO,GAAG,SAAS,WAAW,KAAK;AAAA,EACrC,CAAC,EACA,KAAK,GAAG;AACb;AAWA,SAAS,SACP,KACA,QACA,gBACM;AACN,MAAI,OAAO,QAAQ,SAAS,OAAO,YAAY,MAAO;AACtD,MAAI,SAAS,OAAO,OAAO,QAAQ,WAAW,OAAO,MAAM;AAC3D,MAAI,gBAAgB;AAClB,aAAS,gBAAgB,QAAQ,cAAc;AAAA,EACjD;AAEA,QAAM,OAAgB,OAAO,WAAW;AACxC,MAAI,SAAS,WAAW;AACtB,QAAI,yBAAyB,IAAI;AAAA,EACnC,OAAO;AACL,QAAI,qCAAqC,IAAI;AAAA,EAC/C;AACF;AAMO,SAAS,qBACd,QACA,KACA,UAAkC,CAAC,GACX;AACxB,QAAM,MAA8B,CAAC;AAIrC,QAAM,iBAAiB,QAAQ,YAAY,SAAY,QAAQ;AAE/D,WAAS,KAAK,QAAQ,cAAc;AAGpC,MAAI,iBAAiB,IAAI,OAAO,gBAAgB;AAGhD,MAAI,wBAAwB,IAAI,OAAO,sBAAsB;AAG7D,MAAI,iBAAiB,IAAI,OAAO,kBAAkB;AAIlD,MAAI,OAAO,sBAAsB,OAAO;AACtC,QAAI,oBAAoB,IACtB,OAAO,OAAO,sBAAsB,WAChC,OAAO,oBACP;AAAA,EACR;AAGA,MAAI,IAAI,cAAc,OAAO,SAAS,OAAO;AAC3C,QAAI,2BAA2B,IAAI,OAAO,OAAO,SAAS,WAAW,OAAO,OAAO;AAAA,EACrF;AAQA,MAAI,gBAAgB;AAClB,QAAI,eAAe,IAAI;AAAA,EACzB;AAEA,SAAO;AACT;AAOO,SAAS,qBACd,KACA,QACA,KACA,UAAkC,CAAC,GAC7B;AACN,QAAM,UAAU,qBAAqB,QAAQ,KAAK,OAAO;AACzD,aAAW,CAAC,KAAK,KAAK,KAAK,OAAO,QAAQ,OAAO,GAAG;AAClD,QAAI,UAAU,KAAK,KAAK;AAAA,EAC1B;AACF;","names":[]}
@@ -1,18 +1,3 @@
1
- // src/server/auth/auth.ts
2
- var AuthRequiredError = class extends Error {
3
- code = "AUTH_REQUIRED";
4
- status = 401;
5
- constructor(message = "Authentication required") {
6
- super(message);
7
- this.name = "AuthRequiredError";
8
- }
9
- };
10
- function requireAuth(session) {
11
- if (session === null || session === void 0) {
12
- throw new AuthRequiredError();
13
- }
14
- }
15
-
16
1
  // src/server/auth/nonce.ts
17
2
  function bytesToBase64(bytes) {
18
3
  if (typeof Buffer !== "undefined") {
@@ -44,8 +29,6 @@ function generateNonce() {
44
29
  }
45
30
 
46
31
  export {
47
- AuthRequiredError,
48
- requireAuth,
49
32
  generateNonce
50
33
  };
51
- //# sourceMappingURL=chunk-PB4GR7EP.js.map
34
+ //# sourceMappingURL=chunk-C3ZZ56YZ.js.map
@@ -0,0 +1 @@
1
+ {"version":3,"sources":["../src/server/auth/nonce.ts"],"sourcesContent":["/**\n * T4.1 — Per-request CSP nonce generation.\n *\n * Returns a 22–24 character base64-encoded string carrying 16 bytes of\n * cryptographic entropy. Used by the SSR pipeline to nonce the inline\n * hydration data script so the default CSP can drop `'unsafe-inline'`\n * from `script-src` in 0.3.0.\n *\n * Runtime portability: prefers Web Crypto (`globalThis.crypto`) because\n * it is available on every target runtime (Node 19+, Bun, Deno, Vercel\n * Edge, Cloudflare Workers). Falls back to `node:crypto` for older Node\n * builds where `globalThis.crypto` is absent.\n *\n * NOT a security primitive in the cryptographic sense — the nonce is a\n * one-shot, single-request value that defeats trivial XSS injection by\n * making the attacker guess a 128-bit string per request. It is NOT\n * suitable for signing or session tokens.\n */\n\nfunction bytesToBase64(bytes: Uint8Array): string {\n // Prefer Buffer when available (Node, Bun) — its base64 encoder is fast\n // and well-tested. In Edge runtimes that lack Buffer, fall back to the\n // standard btoa(String.fromCharCode(...)) trick.\n if (typeof Buffer !== 'undefined') {\n return Buffer.from(bytes).toString('base64')\n }\n let binary = ''\n for (const b of bytes) {\n binary += String.fromCharCode(b)\n }\n // `btoa` exists in browsers + edge runtimes; if it doesn't, the caller\n // is on a JS runtime we don't support — let the ReferenceError bubble.\n return btoa(binary)\n}\n\n// CR-027 fix: the previous fallback path used `require('node:crypto')`,\n// which throws ReferenceError in strict ESM contexts (Bun, Deno, Vercel\n// Edge) when reached. Web Crypto has been a hard requirement since Node\n// 19; for older Node we now throw a clear error at module load time\n// instead of failing on first SSR request.\nlet cachedWebCrypto: Crypto | null | undefined\n\nfunction getWebCrypto(): Crypto {\n if (cachedWebCrypto === undefined) {\n const candidate = (globalThis as { crypto?: Crypto }).crypto\n cachedWebCrypto =\n candidate && typeof candidate.getRandomValues === 'function' ? candidate : null\n }\n if (!cachedWebCrypto) {\n throw new Error(\n 'generateNonce: Web Crypto unavailable. TheoKit requires Node.js 19+, Bun, Deno, ' +\n 'or any modern Edge runtime where `globalThis.crypto.getRandomValues` is present.',\n )\n }\n return cachedWebCrypto\n}\n\nexport function generateNonce(): string {\n const buf = new Uint8Array(16)\n getWebCrypto().getRandomValues(buf)\n return bytesToBase64(buf)\n}\n"],"mappings":";AAmBA,SAAS,cAAc,OAA2B;AAIhD,MAAI,OAAO,WAAW,aAAa;AACjC,WAAO,OAAO,KAAK,KAAK,EAAE,SAAS,QAAQ;AAAA,EAC7C;AACA,MAAI,SAAS;AACb,aAAW,KAAK,OAAO;AACrB,cAAU,OAAO,aAAa,CAAC;AAAA,EACjC;AAGA,SAAO,KAAK,MAAM;AACpB;AAOA,IAAI;AAEJ,SAAS,eAAuB;AAC9B,MAAI,oBAAoB,QAAW;AACjC,UAAM,YAAa,WAAmC;AACtD,sBACE,aAAa,OAAO,UAAU,oBAAoB,aAAa,YAAY;AAAA,EAC/E;AACA,MAAI,CAAC,iBAAiB;AACpB,UAAM,IAAI;AAAA,MACR;AAAA,IAEF;AAAA,EACF;AACA,SAAO;AACT;AAEO,SAAS,gBAAwB;AACtC,QAAM,MAAM,IAAI,WAAW,EAAE;AAC7B,eAAa,EAAE,gBAAgB,GAAG;AAClC,SAAO,cAAc,GAAG;AAC1B;","names":[]}
@@ -59,8 +59,10 @@ function scanDir(dir, segment, routePath) {
59
59
  for (const entry of readdirSync(dir, { withFileTypes: true })) {
60
60
  if (!entry.isDirectory()) continue;
61
61
  if (entry.name.startsWith("_") || entry.name.startsWith(".")) continue;
62
- const childPath = routePath === "/" ? `/${entry.name}` : `${routePath}/${entry.name}`;
63
- const child = scanDir(join(dir, entry.name), entry.name, childPath);
62
+ const isRouteGroup = entry.name.startsWith("(") && entry.name.endsWith(")");
63
+ const urlSegment = isRouteGroup ? "" : entry.name;
64
+ const childPath = urlSegment ? routePath === "/" ? `/${urlSegment}` : `${routePath}/${urlSegment}` : routePath;
65
+ const child = scanDir(join(dir, entry.name), isRouteGroup ? "" : entry.name, childPath);
64
66
  if (nodeHasContent(child)) {
65
67
  node.children.push(child);
66
68
  }
@@ -81,4 +83,4 @@ export {
81
83
  isRouteFile,
82
84
  scanRoutes
83
85
  };
84
- //# sourceMappingURL=chunk-O7335ZGH.js.map
86
+ //# sourceMappingURL=chunk-CG563V5M.js.map
@@ -0,0 +1 @@
1
+ {"version":3,"sources":["../src/router/scan.ts","../src/router/types.ts"],"sourcesContent":["/* eslint-disable security/detect-non-literal-fs-filename --\n * Build-time file-system scanner. All paths originate from `appDir`,\n * which is itself derived from `process.cwd()`. No HTTP input flows here.\n */\nimport { readdirSync, statSync, existsSync } from 'node:fs'\nimport { join, resolve } from 'node:path'\n\nimport type { RouteNode, RouteFileName } from './types.js'\nimport { ROUTE_FILE_NAMES, ROUTE_FILE_EXTENSIONS } from './types.js'\n\nfunction toNodeKey(name: RouteFileName): 'page' | 'layout' | 'error' | 'loading' | 'notFound' {\n if (name === 'not-found') return 'notFound'\n return name\n}\n\nfunction setRouteFile(\n node: RouteNode,\n key: 'page' | 'layout' | 'error' | 'loading' | 'notFound',\n value: string,\n): void {\n switch (key) {\n case 'page':\n node.page = value\n break\n case 'layout':\n node.layout = value\n break\n case 'error':\n node.error = value\n break\n case 'loading':\n node.loading = value\n break\n case 'notFound':\n node.notFound = value\n break\n }\n}\n\nfunction attachRouteFiles(node: RouteNode, dir: string): void {\n // Check route files with extension priority (.tsx > .ts > .jsx > .js)\n for (const name of ROUTE_FILE_NAMES) {\n const key = toNodeKey(name)\n if (node[key] !== undefined) continue\n for (const ext of ROUTE_FILE_EXTENSIONS) {\n const filename = `${name}${ext}`\n if (existsSync(join(dir, filename))) {\n setRouteFile(node, key, resolve(dir, filename))\n break\n }\n }\n }\n}\n\nfunction nodeHasContent(node: RouteNode): boolean {\n return (\n node.page !== undefined ||\n node.layout !== undefined ||\n node.error !== undefined ||\n node.loading !== undefined ||\n node.notFound !== undefined ||\n node.children.length > 0\n )\n}\n\nfunction scanDir(dir: string, segment: string, routePath: string): RouteNode {\n const node: RouteNode = { segment, path: routePath, children: [] }\n attachRouteFiles(node, dir)\n\n // Recurse into subdirectories\n for (const entry of readdirSync(dir, { withFileTypes: true })) {\n if (!entry.isDirectory()) continue\n if (entry.name.startsWith('_') || entry.name.startsWith('.')) continue\n\n // Route groups: (marketing), (shop) — organize without affecting URL\n const isRouteGroup = entry.name.startsWith('(') && entry.name.endsWith(')')\n const urlSegment = isRouteGroup ? '' : entry.name\n const childPath = urlSegment\n ? (routePath === '/' ? `/${urlSegment}` : `${routePath}/${urlSegment}`)\n : routePath\n const child = scanDir(join(dir, entry.name), isRouteGroup ? '' : entry.name, childPath)\n\n // Prune empty nodes — a directory with no route files AND no\n // children is irrelevant to the manifest.\n if (nodeHasContent(child)) {\n node.children.push(child)\n }\n }\n\n return node\n}\n\nexport function scanRoutes(appDir: string): RouteNode {\n if (!existsSync(appDir)) {\n throw new Error(`App directory does not exist: ${appDir}`)\n }\n if (!statSync(appDir).isDirectory()) {\n throw new Error(`App path is not a directory: ${appDir}`)\n }\n return scanDir(appDir, '', '/')\n}\n","// T2.2 (architecture-cleanup) — RouteNode moved to core/contracts/route-node.ts\n// (canonical home per ADR-0001 v3). Re-export keeps the local path stable.\nexport type { RouteNode } from '../core/contracts/route-node.js'\n\nexport const ROUTE_FILE_NAMES = ['page', 'layout', 'error', 'loading', 'not-found'] as const\n\nexport type RouteFileName = (typeof ROUTE_FILE_NAMES)[number]\n\nexport const ROUTE_FILE_EXTENSIONS = ['.tsx', '.ts', '.jsx', '.js'] as const\n\nconst ROUTE_FILE_REGEX = /^(page|layout|error|loading|not-found)\\.(tsx|ts|jsx|js)$/\n\nexport function isRouteFile(filename: string): boolean {\n return ROUTE_FILE_REGEX.test(filename)\n}\n"],"mappings":";;;;AAIA,SAAS,aAAa,UAAU,kBAAkB;AAClD,SAAS,MAAM,eAAe;;;ACDvB,IAAM,mBAAmB,CAAC,QAAQ,UAAU,SAAS,WAAW,WAAW;AAI3E,IAAM,wBAAwB,CAAC,QAAQ,OAAO,QAAQ,KAAK;AAElE,IAAM,mBAAmB;AAElB,SAAS,YAAY,UAA2B;AACrD,SAAO,iBAAiB,KAAK,QAAQ;AACvC;;;ADJA,SAAS,UAAU,MAA2E;AAC5F,MAAI,SAAS,YAAa,QAAO;AACjC,SAAO;AACT;AAEA,SAAS,aACP,MACA,KACA,OACM;AACN,UAAQ,KAAK;AAAA,IACX,KAAK;AACH,WAAK,OAAO;AACZ;AAAA,IACF,KAAK;AACH,WAAK,SAAS;AACd;AAAA,IACF,KAAK;AACH,WAAK,QAAQ;AACb;AAAA,IACF,KAAK;AACH,WAAK,UAAU;AACf;AAAA,IACF,KAAK;AACH,WAAK,WAAW;AAChB;AAAA,EACJ;AACF;AAEA,SAAS,iBAAiB,MAAiB,KAAmB;AAE5D,aAAW,QAAQ,kBAAkB;AACnC,UAAM,MAAM,UAAU,IAAI;AAC1B,QAAI,KAAK,GAAG,MAAM,OAAW;AAC7B,eAAW,OAAO,uBAAuB;AACvC,YAAM,WAAW,GAAG,IAAI,GAAG,GAAG;AAC9B,UAAI,WAAW,KAAK,KAAK,QAAQ,CAAC,GAAG;AACnC,qBAAa,MAAM,KAAK,QAAQ,KAAK,QAAQ,CAAC;AAC9C;AAAA,MACF;AAAA,IACF;AAAA,EACF;AACF;AAEA,SAAS,eAAe,MAA0B;AAChD,SACE,KAAK,SAAS,UACd,KAAK,WAAW,UAChB,KAAK,UAAU,UACf,KAAK,YAAY,UACjB,KAAK,aAAa,UAClB,KAAK,SAAS,SAAS;AAE3B;AAEA,SAAS,QAAQ,KAAa,SAAiB,WAA8B;AAC3E,QAAM,OAAkB,EAAE,SAAS,MAAM,WAAW,UAAU,CAAC,EAAE;AACjE,mBAAiB,MAAM,GAAG;AAG1B,aAAW,SAAS,YAAY,KAAK,EAAE,eAAe,KAAK,CAAC,GAAG;AAC7D,QAAI,CAAC,MAAM,YAAY,EAAG;AAC1B,QAAI,MAAM,KAAK,WAAW,GAAG,KAAK,MAAM,KAAK,WAAW,GAAG,EAAG;AAG9D,UAAM,eAAe,MAAM,KAAK,WAAW,GAAG,KAAK,MAAM,KAAK,SAAS,GAAG;AAC1E,UAAM,aAAa,eAAe,KAAK,MAAM;AAC7C,UAAM,YAAY,aACb,cAAc,MAAM,IAAI,UAAU,KAAK,GAAG,SAAS,IAAI,UAAU,KAClE;AACJ,UAAM,QAAQ,QAAQ,KAAK,KAAK,MAAM,IAAI,GAAG,eAAe,KAAK,MAAM,MAAM,SAAS;AAItF,QAAI,eAAe,KAAK,GAAG;AACzB,WAAK,SAAS,KAAK,KAAK;AAAA,IAC1B;AAAA,EACF;AAEA,SAAO;AACT;AAEO,SAAS,WAAW,QAA2B;AACpD,MAAI,CAAC,WAAW,MAAM,GAAG;AACvB,UAAM,IAAI,MAAM,iCAAiC,MAAM,EAAE;AAAA,EAC3D;AACA,MAAI,CAAC,SAAS,MAAM,EAAE,YAAY,GAAG;AACnC,UAAM,IAAI,MAAM,gCAAgC,MAAM,EAAE;AAAA,EAC1D;AACA,SAAO,QAAQ,QAAQ,IAAI,GAAG;AAChC;","names":[]}
@@ -35,6 +35,7 @@ var ActionScanError = class extends Error {
35
35
  conflictingPaths;
36
36
  constructor(code, message, conflictingPaths) {
37
37
  super(message);
38
+ this.name = "ActionScanError";
38
39
  this.code = code;
39
40
  this.conflictingPaths = conflictingPaths;
40
41
  }
@@ -177,4 +178,4 @@ export {
177
178
  scanServerActions,
178
179
  scanServerActionsEnriched
179
180
  };
180
- //# sourceMappingURL=chunk-5OFPQK6N.js.map
181
+ //# sourceMappingURL=chunk-COXLEZCN.js.map
@@ -0,0 +1 @@
1
+ {"version":3,"sources":["../src/server/scan/action-scan.ts","../src/server/_internal/scan-walker.ts"],"sourcesContent":["/* eslint-disable security/detect-non-literal-fs-filename --\n * Build-time scanner: walks `serverDir/actions/` derived from cwd.\n * No HTTP input ever reaches these fs calls.\n */\nimport { existsSync, readFileSync, statSync } from 'node:fs'\nimport { extname, join, relative } from 'node:path'\n\nimport { walkSourceFiles } from '../_internal/scan-walker.js'\n\nexport interface ActionNode {\n filePath: string\n actionPath: string\n}\n\n/**\n * Enriched manifest entry per plan g3-server-actions-and-useaction v1.2\n * § Phase 1 / T1.4 + ADR D4. Consumed by virtual module `@theo/actions`\n * (T3.1) and G4 devtools \"Actions\" tab (T5.1).\n */\nexport interface ActionManifestEntry {\n name: string\n filePath: string\n urlPath: string\n accept: 'form' | 'json'\n hasInput: boolean\n /**\n * P#4 plugin-forms shared-schema convention (per plan p4-plugin-forms v1.1 T1.1).\n * When present, points to an isomorphic schema file at\n * `<serverDir>/actions/schemas/<basename>.ts` exporting `export const schema = z.object(...)`.\n * Virtual module emits `import {schema} from '<schemaFilePath>'` + attaches as\n * `actions.X.__zodSchema` so client-side <TheoForm> can drive zodResolver.\n * Undefined when convention not followed (graceful degrade — TheoForm still\n * works via explicit `schema={...}` prop escape hatch).\n */\n schemaFilePath?: string\n}\n\n/**\n * EC-2: structured error for scan-time defects (name collision, reserved\n * identifier, etc.). Throw at scan time to fail loud — silent shadowing is\n * a security/correctness footgun.\n */\nexport class ActionScanError extends Error {\n readonly code: 'NAME_COLLISION' | 'RESERVED_NAME'\n readonly conflictingPaths: readonly string[]\n\n constructor(\n code: 'NAME_COLLISION' | 'RESERVED_NAME',\n message: string,\n conflictingPaths: readonly string[],\n ) {\n super(message)\n // T4.1 fix: identify class by name so serverErrorToEnvelope boundary\n // translator can route via class-name lookup (without this, runtime\n // `err.name` defaults to 'Error' and the meta.name diagnostic is wrong).\n this.name = 'ActionScanError'\n this.code = code\n this.conflictingPaths = conflictingPaths\n }\n}\n\nconst ACTION_EXTENSIONS = new Set(['.ts', '.tsx', '.js', '.jsx'])\nconst TEST_FILE_RE = /\\.(test|spec)\\.(ts|tsx|js|jsx)$/\nconst RESERVED_NAMES = new Set(['index', 'constructor', '__proto__', 'prototype', 'hasOwnProperty'])\n\n/**\n * Backward-compatible: original simple-shape scanner used by existing\n * consumers. Preserved verbatim; new consumers should call\n * `scanServerActionsEnriched`.\n */\nexport function scanServerActions(serverDir: string): ActionNode[] {\n const actionsDir = join(serverDir, 'actions')\n if (!existsSync(actionsDir) || !statSync(actionsDir).isDirectory()) {\n return []\n }\n\n const results: ActionNode[] = []\n walkSourceFiles(actionsDir, { extensions: ACTION_EXTENSIONS }, (absPath) => {\n if (TEST_FILE_RE.test(absPath)) return\n let rel = relative(actionsDir, absPath)\n rel = rel.replace(/\\\\/g, '/')\n rel = rel.slice(0, -extname(rel).length)\n results.push({\n filePath: absPath,\n actionPath: rel,\n })\n })\n return results\n}\n\n/**\n * Enriched scan: light AST detection of `accept: 'form'|'json'` + `input:`\n * presence via regex-after-comment-stripping (EC-9). Throws ActionScanError\n * on file/dir name collision (EC-2) or reserved JS identifier names.\n *\n * Output `ActionManifestEntry[]` is sorted by `name` for deterministic\n * `.theo/actions-manifest.json` emission.\n */\nexport function scanServerActionsEnriched(serverDir: string): ActionManifestEntry[] {\n const actionsDir = join(serverDir, 'actions')\n if (!existsSync(actionsDir) || !statSync(actionsDir).isDirectory()) {\n return []\n }\n\n const seenNames = new Set<string>()\n const entries: ActionManifestEntry[] = []\n\n // Collect first; collision-check after the full walk.\n walkSourceFiles(actionsDir, { extensions: ACTION_EXTENSIONS }, (absPath) => {\n if (TEST_FILE_RE.test(absPath)) return\n const rel = relative(actionsDir, absPath).replace(/\\\\/g, '/')\n // P#4 plugin-forms — `schemas/` subdir holds isomorphic zod schemas\n // for the shared-schema convention (T1.1). NOT executable actions; skip.\n if (rel.startsWith('schemas/')) return\n const name = rel.slice(0, -extname(rel).length)\n\n const basename = name.includes('/') ? (name.split('/').pop() ?? name) : name\n if (RESERVED_NAMES.has(basename)) {\n throw new ActionScanError(\n 'RESERVED_NAME',\n `Reserved JS identifier \"${basename}\" cannot be an action name (${absPath})`,\n [absPath],\n )\n }\n // File-level collision (one file appearing twice) is impossible via the\n // walker; per-export collision check happens inside the export loop below.\n const source = readFileSync(absPath, 'utf8')\n const stripped = stripComments(source)\n const accept = /\\baccept\\s*:\\s*['\"]form['\"]/.test(stripped) ? 'form' : 'json'\n const hasInput = /\\binput\\s*:\\s*z\\./.test(stripped) || /\\binput\\s*:\\s*\\w+\\(/.test(stripped)\n\n // T7.1 wire fix — extract exports so the urlPath includes the second\n // segment required by action-middleware (`/api/__actions/<file>/<export>`).\n // Each named action export becomes its own manifest entry.\n // Proxy key on the EXPORT name (so consumers write `actions.saveMemory(input)`).\n // URL keeps the runtime 2-segment shape `/api/__actions/<file>/<export>`\n // expected by action-middleware. Cross-file export collisions become a\n // scan error to surface the ambiguity early.\n const exportNames = extractActionExportNames(stripped)\n // P#4 plugin-forms shared-schema convention: check for\n // `<actionsDir>/schemas/<basename>.ts` (or .tsx/.js/.jsx).\n // Skip when actions live in subdirs (`schemas/` is flat by convention).\n const schemaFilePath = name.includes('/') ? undefined : detectSchemaFile(actionsDir, basename)\n for (const exportName of exportNames) {\n const proxyKey = exportName === 'default' ? name : exportName\n if (seenNames.has(proxyKey)) {\n throw new ActionScanError(\n 'NAME_COLLISION',\n `Duplicate action proxy key \"${proxyKey}\" (two files export the same name)`,\n [absPath],\n )\n }\n seenNames.add(proxyKey)\n const entry: ActionManifestEntry = {\n name: proxyKey,\n filePath: absPath,\n urlPath: `/api/__actions/${name}/${exportName}`,\n accept,\n hasInput,\n }\n if (schemaFilePath !== undefined) {\n entry.schemaFilePath = schemaFilePath\n }\n entries.push(entry)\n }\n })\n\n // EC-2: detect file vs dir collisions (e.g., foo.ts AND foo/bar.ts).\n // After walk completes, any name that has children prefixed `name/` triggers collision.\n for (const entry of entries) {\n const childPrefix = `${entry.name}/`\n const conflictingChild = entries.find((other) => other.name.startsWith(childPrefix))\n if (conflictingChild) {\n throw new ActionScanError(\n 'NAME_COLLISION',\n `Action \"${entry.name}\" conflicts with directory of same name containing \"${conflictingChild.name}\"`,\n [entry.filePath, conflictingChild.filePath],\n )\n }\n }\n\n entries.sort((a, b) => {\n if (a.name < b.name) return -1\n if (a.name > b.name) return 1\n return 0\n })\n return entries\n}\n\n/**\n * Strip JavaScript line + block comments from source. Simple state machine\n * (does not parse strings — false positives if a comment marker appears\n * inside a string literal, but that's an acceptable trade-off for v1 vs\n * full AST parse).\n */\n/**\n * Extract action export names via regex over comment-stripped source.\n * Matches `export const <name> = defineAction(...)`, `export default\n * defineAction(...)`, and `export function <name>(...)` forms. Returns\n * `['default']` when no named action exports are found (best-effort fallback\n * for default-export shapes the regex misses).\n */\nfunction extractActionExportNames(stripped: string): string[] {\n const names = new Set<string>()\n const namedRe = /\\bexport\\s+(?:const|let|var|function\\*?)\\s+([a-zA-Z_$][\\w$]*)\\s*[=(]/g\n let m: RegExpExecArray | null\n while ((m = namedRe.exec(stripped)) !== null) {\n const name = m[1]\n if (typeof name === 'string' && name.length > 0) names.add(name)\n }\n if (/\\bexport\\s+default\\s+defineAction\\b/.test(stripped)) {\n names.add('default')\n }\n if (names.size === 0) names.add('default')\n return [...names]\n}\n\n/**\n * P#4 plugin-forms shared-schema convention helper (per plan p4-plugin-forms v1.1 T1.1).\n * Returns the resolved path to `<actionsDir>/schemas/<basename>.<ext>` if it exists.\n * Tries `.ts`, `.tsx`, `.js`, `.jsx` in that order. Returns undefined when no match.\n */\nfunction detectSchemaFile(actionsDir: string, basename: string): string | undefined {\n const schemasDir = join(actionsDir, 'schemas')\n if (!existsSync(schemasDir)) return undefined\n for (const ext of ['.ts', '.tsx', '.js', '.jsx']) {\n const candidate = join(schemasDir, `${basename}${ext}`)\n if (existsSync(candidate)) return candidate\n }\n return undefined\n}\n\nfunction stripComments(source: string): string {\n let out = ''\n let i = 0\n while (i < source.length) {\n const ch = source[i]\n const next = source[i + 1]\n if (ch === '/' && next === '/') {\n // Line comment: skip until newline\n while (i < source.length && source[i] !== '\\n') i++\n continue\n }\n if (ch === '/' && next === '*') {\n // Block comment: skip until */\n i += 2\n while (i < source.length - 1 && !(source[i] === '*' && source[i + 1] === '/')) i++\n i += 2\n continue\n }\n out += ch\n i++\n }\n return out\n}\n","/* eslint-disable security/detect-non-literal-fs-filename --\n * Build-time scanner: walks directories derived from cwd.\n * No HTTP input ever reaches these fs calls.\n */\nimport { readdirSync } from 'node:fs'\nimport { extname, join, resolve } from 'node:path'\n\n/**\n * Options for walkSourceFiles.\n *\n * Sequential by design — callers (route precedence) depend on insertion\n * order (EC-19 documented decision). Async-callback support is implicit\n * via JavaScript's serial await loop.\n *\n * Tested on macOS + Linux. Windows long-path support not validated (EC-20).\n */\nexport interface WalkOptions {\n /** File extensions to include (e.g., new Set(['.ts', '.tsx'])). */\n extensions: ReadonlySet<string>\n /** Skip directories whose name starts with any of these (default: ['_', '.']). */\n skipPrefixes?: readonly string[]\n}\n\n/**\n * Recursively walk `root`, invoking `onFile(absPath)` for every file matching\n * `opts.extensions`. Directories whose name starts with any `skipPrefixes`\n * char are skipped (defaults to `_` and `.`).\n *\n * Replaces 3 near-identical recursive walkers in scan.ts, action-scan.ts,\n * ws-scan.ts (PV-3 — DRY consolidation). Resolves T3.1 of\n * architecture-review-remediation-plan.\n *\n * Symlink loops are NOT tracked — callers must avoid them or pre-resolve\n * via `fs.realpath`. EC-11 documented but not implemented (rare in dev).\n */\nexport function walkSourceFiles(\n root: string,\n opts: WalkOptions,\n onFile: (absPath: string) => void,\n): void {\n const skipPrefixes = opts.skipPrefixes ?? ['_', '.']\n const visit = (dir: string): void => {\n let entries\n try {\n entries = readdirSync(dir, { withFileTypes: true })\n } catch {\n // Silently skip unreadable directories — caller controls discoverability\n return\n }\n for (const entry of entries) {\n const fullPath = join(dir, entry.name)\n if (entry.isDirectory() && !skipPrefixes.some((p) => entry.name.startsWith(p))) {\n visit(fullPath)\n } else if (entry.isFile() && opts.extensions.has(extname(entry.name))) {\n onFile(resolve(fullPath))\n }\n }\n }\n visit(root)\n}\n"],"mappings":";;;;AAIA,SAAS,YAAY,cAAc,gBAAgB;AACnD,SAAS,WAAAA,UAAS,QAAAC,OAAM,gBAAgB;;;ACDxC,SAAS,mBAAmB;AAC5B,SAAS,SAAS,MAAM,eAAe;AA8BhC,SAAS,gBACd,MACA,MACA,QACM;AACN,QAAM,eAAe,KAAK,gBAAgB,CAAC,KAAK,GAAG;AACnD,QAAM,QAAQ,CAAC,QAAsB;AACnC,QAAI;AACJ,QAAI;AACF,gBAAU,YAAY,KAAK,EAAE,eAAe,KAAK,CAAC;AAAA,IACpD,QAAQ;AAEN;AAAA,IACF;AACA,eAAW,SAAS,SAAS;AAC3B,YAAM,WAAW,KAAK,KAAK,MAAM,IAAI;AACrC,UAAI,MAAM,YAAY,KAAK,CAAC,aAAa,KAAK,CAAC,MAAM,MAAM,KAAK,WAAW,CAAC,CAAC,GAAG;AAC9E,cAAM,QAAQ;AAAA,MAChB,WAAW,MAAM,OAAO,KAAK,KAAK,WAAW,IAAI,QAAQ,MAAM,IAAI,CAAC,GAAG;AACrE,eAAO,QAAQ,QAAQ,CAAC;AAAA,MAC1B;AAAA,IACF;AAAA,EACF;AACA,QAAM,IAAI;AACZ;;;ADjBO,IAAM,kBAAN,cAA8B,MAAM;AAAA,EAChC;AAAA,EACA;AAAA,EAET,YACE,MACA,SACA,kBACA;AACA,UAAM,OAAO;AAIb,SAAK,OAAO;AACZ,SAAK,OAAO;AACZ,SAAK,mBAAmB;AAAA,EAC1B;AACF;AAEA,IAAM,oBAAoB,oBAAI,IAAI,CAAC,OAAO,QAAQ,OAAO,MAAM,CAAC;AAChE,IAAM,eAAe;AACrB,IAAM,iBAAiB,oBAAI,IAAI,CAAC,SAAS,eAAe,aAAa,aAAa,gBAAgB,CAAC;AAO5F,SAAS,kBAAkB,WAAiC;AACjE,QAAM,aAAaC,MAAK,WAAW,SAAS;AAC5C,MAAI,CAAC,WAAW,UAAU,KAAK,CAAC,SAAS,UAAU,EAAE,YAAY,GAAG;AAClE,WAAO,CAAC;AAAA,EACV;AAEA,QAAM,UAAwB,CAAC;AAC/B,kBAAgB,YAAY,EAAE,YAAY,kBAAkB,GAAG,CAAC,YAAY;AAC1E,QAAI,aAAa,KAAK,OAAO,EAAG;AAChC,QAAI,MAAM,SAAS,YAAY,OAAO;AACtC,UAAM,IAAI,QAAQ,OAAO,GAAG;AAC5B,UAAM,IAAI,MAAM,GAAG,CAACC,SAAQ,GAAG,EAAE,MAAM;AACvC,YAAQ,KAAK;AAAA,MACX,UAAU;AAAA,MACV,YAAY;AAAA,IACd,CAAC;AAAA,EACH,CAAC;AACD,SAAO;AACT;AAUO,SAAS,0BAA0B,WAA0C;AAClF,QAAM,aAAaD,MAAK,WAAW,SAAS;AAC5C,MAAI,CAAC,WAAW,UAAU,KAAK,CAAC,SAAS,UAAU,EAAE,YAAY,GAAG;AAClE,WAAO,CAAC;AAAA,EACV;AAEA,QAAM,YAAY,oBAAI,IAAY;AAClC,QAAM,UAAiC,CAAC;AAGxC,kBAAgB,YAAY,EAAE,YAAY,kBAAkB,GAAG,CAAC,YAAY;AAC1E,QAAI,aAAa,KAAK,OAAO,EAAG;AAChC,UAAM,MAAM,SAAS,YAAY,OAAO,EAAE,QAAQ,OAAO,GAAG;AAG5D,QAAI,IAAI,WAAW,UAAU,EAAG;AAChC,UAAM,OAAO,IAAI,MAAM,GAAG,CAACC,SAAQ,GAAG,EAAE,MAAM;AAE9C,UAAM,WAAW,KAAK,SAAS,GAAG,IAAK,KAAK,MAAM,GAAG,EAAE,IAAI,KAAK,OAAQ;AACxE,QAAI,eAAe,IAAI,QAAQ,GAAG;AAChC,YAAM,IAAI;AAAA,QACR;AAAA,QACA,2BAA2B,QAAQ,+BAA+B,OAAO;AAAA,QACzE,CAAC,OAAO;AAAA,MACV;AAAA,IACF;AAGA,UAAM,SAAS,aAAa,SAAS,MAAM;AAC3C,UAAM,WAAW,cAAc,MAAM;AACrC,UAAM,SAAS,8BAA8B,KAAK,QAAQ,IAAI,SAAS;AACvE,UAAM,WAAW,oBAAoB,KAAK,QAAQ,KAAK,sBAAsB,KAAK,QAAQ;AAS1F,UAAM,cAAc,yBAAyB,QAAQ;AAIrD,UAAM,iBAAiB,KAAK,SAAS,GAAG,IAAI,SAAY,iBAAiB,YAAY,QAAQ;AAC7F,eAAW,cAAc,aAAa;AACpC,YAAM,WAAW,eAAe,YAAY,OAAO;AACnD,UAAI,UAAU,IAAI,QAAQ,GAAG;AAC3B,cAAM,IAAI;AAAA,UACR;AAAA,UACA,+BAA+B,QAAQ;AAAA,UACvC,CAAC,OAAO;AAAA,QACV;AAAA,MACF;AACA,gBAAU,IAAI,QAAQ;AACtB,YAAM,QAA6B;AAAA,QACjC,MAAM;AAAA,QACN,UAAU;AAAA,QACV,SAAS,kBAAkB,IAAI,IAAI,UAAU;AAAA,QAC7C;AAAA,QACA;AAAA,MACF;AACA,UAAI,mBAAmB,QAAW;AAChC,cAAM,iBAAiB;AAAA,MACzB;AACA,cAAQ,KAAK,KAAK;AAAA,IACpB;AAAA,EACF,CAAC;AAID,aAAW,SAAS,SAAS;AAC3B,UAAM,cAAc,GAAG,MAAM,IAAI;AACjC,UAAM,mBAAmB,QAAQ,KAAK,CAAC,UAAU,MAAM,KAAK,WAAW,WAAW,CAAC;AACnF,QAAI,kBAAkB;AACpB,YAAM,IAAI;AAAA,QACR;AAAA,QACA,WAAW,MAAM,IAAI,uDAAuD,iBAAiB,IAAI;AAAA,QACjG,CAAC,MAAM,UAAU,iBAAiB,QAAQ;AAAA,MAC5C;AAAA,IACF;AAAA,EACF;AAEA,UAAQ,KAAK,CAAC,GAAG,MAAM;AACrB,QAAI,EAAE,OAAO,EAAE,KAAM,QAAO;AAC5B,QAAI,EAAE,OAAO,EAAE,KAAM,QAAO;AAC5B,WAAO;AAAA,EACT,CAAC;AACD,SAAO;AACT;AAeA,SAAS,yBAAyB,UAA4B;AAC5D,QAAM,QAAQ,oBAAI,IAAY;AAC9B,QAAM,UAAU;AAChB,MAAI;AACJ,UAAQ,IAAI,QAAQ,KAAK,QAAQ,OAAO,MAAM;AAC5C,UAAM,OAAO,EAAE,CAAC;AAChB,QAAI,OAAO,SAAS,YAAY,KAAK,SAAS,EAAG,OAAM,IAAI,IAAI;AAAA,EACjE;AACA,MAAI,sCAAsC,KAAK,QAAQ,GAAG;AACxD,UAAM,IAAI,SAAS;AAAA,EACrB;AACA,MAAI,MAAM,SAAS,EAAG,OAAM,IAAI,SAAS;AACzC,SAAO,CAAC,GAAG,KAAK;AAClB;AAOA,SAAS,iBAAiB,YAAoB,UAAsC;AAClF,QAAM,aAAaD,MAAK,YAAY,SAAS;AAC7C,MAAI,CAAC,WAAW,UAAU,EAAG,QAAO;AACpC,aAAW,OAAO,CAAC,OAAO,QAAQ,OAAO,MAAM,GAAG;AAChD,UAAM,YAAYA,MAAK,YAAY,GAAG,QAAQ,GAAG,GAAG,EAAE;AACtD,QAAI,WAAW,SAAS,EAAG,QAAO;AAAA,EACpC;AACA,SAAO;AACT;AAEA,SAAS,cAAc,QAAwB;AAC7C,MAAI,MAAM;AACV,MAAI,IAAI;AACR,SAAO,IAAI,OAAO,QAAQ;AACxB,UAAM,KAAK,OAAO,CAAC;AACnB,UAAM,OAAO,OAAO,IAAI,CAAC;AACzB,QAAI,OAAO,OAAO,SAAS,KAAK;AAE9B,aAAO,IAAI,OAAO,UAAU,OAAO,CAAC,MAAM,KAAM;AAChD;AAAA,IACF;AACA,QAAI,OAAO,OAAO,SAAS,KAAK;AAE9B,WAAK;AACL,aAAO,IAAI,OAAO,SAAS,KAAK,EAAE,OAAO,CAAC,MAAM,OAAO,OAAO,IAAI,CAAC,MAAM,KAAM;AAC/E,WAAK;AACL;AAAA,IACF;AACA,WAAO;AACP;AAAA,EACF;AACA,SAAO;AACT;","names":["extname","join","join","extname"]}
@@ -58,31 +58,10 @@ async function generateTypedClient(options) {
58
58
  }
59
59
  }
60
60
 
61
- // src/services/adapters-bridge/vite-proxy-builder.ts
62
- function buildServicesProxyConfig(services, userProxy = {}) {
63
- const fromServices = {};
64
- for (const [, def] of Object.entries(services)) {
65
- const prefix = def.proxy;
66
- fromServices[prefix] = {
67
- target: `http://localhost:${String(def.port)}`,
68
- changeOrigin: true,
69
- // Strip the service's `proxy` prefix from the upstream URL so the
70
- // sidecar receives its own native paths (e.g. `/api/agent/echo` →
71
- // `/echo`). The sidecar declares routes against its own root path —
72
- // it doesn't know about the TheoKit proxy prefix.
73
- rewrite: (path) => path.startsWith(prefix) ? path.slice(prefix.length) || "/" : path
74
- };
75
- }
76
- return { ...fromServices, ...userProxy };
77
- }
78
-
79
- // src/services/adapters-bridge/manifest.ts
80
- import { existsSync, mkdirSync, readFileSync, writeFileSync } from "fs";
81
- import { dirname, join } from "path";
82
-
83
- // src/services/schema/schema.ts
61
+ // src/services/schema.ts
84
62
  import { z } from "zod";
85
63
  var ServiceRuntimeSchema = z.enum(["python", "node"]);
64
+ var ServiceTypeSchema = z.enum(["server", "worker", "frontend"]);
86
65
  var RESERVED_SERVICE_NAMES = ["web", "caddy", "postgres", "redis"];
87
66
  var ServiceNameSchema = z.string().min(1).regex(
88
67
  /^[a-z][a-z0-9-]*$/,
@@ -92,6 +71,7 @@ var ServiceNameSchema = z.string().min(1).regex(
92
71
  });
93
72
  var ServiceDefinitionSchema = z.object({
94
73
  runtime: ServiceRuntimeSchema,
74
+ type: ServiceTypeSchema.optional(),
95
75
  port: z.number().int().min(1).max(65535),
96
76
  proxy: z.string().regex(/^\/[a-zA-Z0-9\-_/]+$/, "proxy must be a non-root path starting with /"),
97
77
  dev: z.string().min(1),
@@ -100,7 +80,7 @@ var ServiceDefinitionSchema = z.object({
100
80
  openapi: z.string().url().optional(),
101
81
  healthcheck: z.string().regex(/^\//, "healthcheck must start with /").default("/health"),
102
82
  cors: z.boolean().default(false),
103
- env: z.record(z.string()).optional(),
83
+ env: z.record(z.string(), z.string()).optional(),
104
84
  dependsOn: z.array(z.string()).optional(),
105
85
  /**
106
86
  * EC-25 + ref doc §8: by default the proxy strips upstream Set-Cookie
@@ -161,13 +141,27 @@ var servicesConfigSchema = z.record(ServiceNameSchema, ServiceDefinitionSchema).
161
141
  }
162
142
  );
163
143
 
164
- // src/services/runtime/orchestrator.ts
165
- import { spawn } from "child_process";
166
- import { resolve } from "path";
144
+ // src/services/adapters-bridge/vite-proxy-builder.ts
145
+ function buildServicesProxyConfig(services, userProxy = {}) {
146
+ const fromServices = {};
147
+ for (const [, def] of Object.entries(services)) {
148
+ const prefix = def.proxy;
149
+ fromServices[prefix] = {
150
+ target: `http://localhost:${String(def.port)}`,
151
+ changeOrigin: true,
152
+ // Strip the service's `proxy` prefix from the upstream URL so the
153
+ // sidecar receives its own native paths (e.g. `/api/agent/echo` →
154
+ // `/echo`). The sidecar declares routes against its own root path —
155
+ // it doesn't know about the TheoKit proxy prefix.
156
+ rewrite: (path) => path.startsWith(prefix) ? path.slice(prefix.length) || "/" : path
157
+ };
158
+ }
159
+ return { ...fromServices, ...userProxy };
160
+ }
167
161
 
168
162
  export {
169
163
  generateTypedClient,
170
164
  servicesConfigSchema,
171
165
  buildServicesProxyConfig
172
166
  };
173
- //# sourceMappingURL=chunk-O4BLVPML.js.map
167
+ //# sourceMappingURL=chunk-DNMSV3R3.js.map
@@ -0,0 +1 @@
1
+ {"version":3,"sources":["../src/services/generators/openapi-client-gen.ts","../src/services/schema.ts","../src/services/adapters-bridge/vite-proxy-builder.ts"],"sourcesContent":["/**\n * OpenAPI → TypeScript client generation (T5.1).\n *\n * Thin wrapper around `@hey-api/openapi-ts` (the de facto 2026 generator\n * used by Vercel/OpenCode/PayPal). Called by the Vite plugin\n * `services-typed-client.ts` at dev startup and when an OpenAPI URL\n * changes.\n *\n * Production behavior:\n * - For each service with a `openapi` URL, fetch the spec\n * - Run Hey API generator to write `<cwd>/clients/<service-name>.ts`\n * - On any failure: log warning, do NOT crash dev (best-effort)\n *\n * The actual `@hey-api/openapi-ts` invocation is dynamic-imported so\n * that consumers without the dep (TS-only Wave 1 apps) don't pay\n * the bundle cost.\n */\nimport type { ManifestServiceEntry } from '../adapters-bridge/manifest.js'\n\nexport interface GenerateClientOptions {\n service: ManifestServiceEntry\n /** Directory to write `<service-name>.ts` into. */\n outputDir: string\n /** Logger for warnings/info. */\n log?: (level: 'info' | 'warn' | 'error', msg: string) => void\n /** Test injection — replace fetch (so tests don't hit the network). */\n customFetch?: typeof fetch\n}\n\nexport interface GenerateClientResult {\n generated: boolean\n outputFile?: string\n skippedReason?: string\n}\n\n/**\n * Generate a typed client for one service. No-op (returns skipped=true)\n * if the service has no `openapi` URL.\n *\n * The generator runs the Hey API tool. If the tool import fails (not\n * installed), the function logs a warning and returns `{ generated: false }`.\n */\nexport async function generateTypedClient(\n options: GenerateClientOptions,\n): Promise<GenerateClientResult> {\n const log =\n options.log ??\n ((_level: 'info' | 'warn' | 'error', _msg: string) => {\n // default: silent in production; tests inject their own\n })\n const { service, outputDir } = options\n\n if (!service.openapi) {\n return { generated: false, skippedReason: 'no openapi URL declared' }\n }\n\n const f = options.customFetch ?? fetch\n let spec: unknown\n try {\n const res = await f(service.openapi)\n if (!res.ok) {\n log('warn', `[${service.name}] openapi fetch returned ${String(res.status)}; skipping`)\n return { generated: false, skippedReason: `fetch returned ${String(res.status)}` }\n }\n spec = await res.json()\n } catch (err) {\n log(\n 'warn',\n `[${service.name}] openapi fetch failed: ${err instanceof Error ? err.message : String(err)}`,\n )\n return { generated: false, skippedReason: 'fetch failed' }\n }\n\n // Dynamic import — soft dep. We pass through a variable so the typechecker\n // doesn't resolve the literal at build time (the dep is optional;\n // consumers without it get a graceful skip).\n let createClient: unknown\n try {\n // Soft-dep resolution. We pass the module name through a String wrapper\n // call site that the typechecker cannot statically resolve — so missing\n // dep at typecheck time does not break the build. Runtime behavior is\n // identical to `import('@hey-api/openapi-ts')`.\n const segment1 = '@hey-api/'\n const segment2 = 'openapi-ts'\n const moduleName = `${segment1}${segment2}`\n const dyn: Promise<unknown> = import(moduleName).catch(() => null)\n const mod = (await dyn) as { createClient?: unknown } | null\n createClient = mod?.createClient\n } catch {\n createClient = undefined\n }\n\n if (typeof createClient !== 'function') {\n log(\n 'warn',\n `[${service.name}] @hey-api/openapi-ts not installed; typed client not generated. ` +\n `Run \\`pnpm add -D @hey-api/openapi-ts @hey-api/client-fetch\\` to enable.`,\n )\n return { generated: false, skippedReason: 'hey-api not installed' }\n }\n\n const outputFile = `${outputDir}/${service.name}.ts`\n try {\n await (createClient as (cfg: unknown) => Promise<unknown>)({\n input: spec,\n output: { path: outputDir, format: 'prettier' },\n plugins: [{ name: '@hey-api/client-fetch' }],\n })\n log('info', `[${service.name}] typed client generated at ${outputFile}`)\n return { generated: true, outputFile }\n } catch (err) {\n log(\n 'warn',\n `[${service.name}] Hey API generation failed: ${err instanceof Error ? err.message : String(err)}`,\n )\n return { generated: false, skippedReason: 'generator threw' }\n }\n}\n","/**\n * Wave 2 — Polyglot Services Orchestration (T1.1).\n *\n * Declarative `services: {}` primitive for `theo.config.ts`. Each entry\n * declares an external sidecar process (Python FastAPI / Node Hono) that\n * boots alongside the TheoKit TS app. Empty `services: {}` is the default\n * and preserves Wave 1 behavior (no impact on TS-only apps).\n *\n * See ADRs 0012-0015 + plan: docs/plans/wave-2-polyglot-services-plan.md\n */\nimport { z } from 'zod'\n\n/** Wave 2 runtime kinds. Go/Rust/Java/Ruby/PHP archived; deferred per ADR-0012 invariant #2/#3. */\nconst ServiceRuntimeSchema = z.enum(['python', 'node'])\n\n/**\n * Plan v1.2 T2.2 — service shape enum, mirrored from `services.schema.json`\n * server | worker | frontend. Optional; emitters default to \"server\".\n */\nconst ServiceTypeSchema = z.enum(['server', 'worker', 'frontend'])\n\n/** EC-3 fix: names that conflict with generated docker-compose entries. */\nconst RESERVED_SERVICE_NAMES = ['web', 'caddy', 'postgres', 'redis'] as const\n\n/**\n * EC-12 fix: service names must be docker-compose-safe — lowercase,\n * start with a letter, contain only a-z 0-9 -. Reserved names rejected.\n */\nconst ServiceNameSchema = z\n .string()\n .min(1)\n .regex(\n /^[a-z][a-z0-9-]*$/,\n 'service name must be lowercase, start with letter, contain only a-z 0-9 -',\n )\n .refine((n) => !(RESERVED_SERVICE_NAMES as readonly string[]).includes(n), {\n message: `service name conflicts with reserved name (${RESERVED_SERVICE_NAMES.join('/')})`,\n })\n\n/**\n * Single service definition. All commands run from `services/<name>/` cwd.\n *\n * EC-4 fix: `proxy` regex requires NON-EMPTY path after `/` (the `+` quantifier)\n * to reject `/` which would catch-all and conflict with TheoKit's own routing.\n */\nconst ServiceDefinitionSchema = z.object({\n runtime: ServiceRuntimeSchema,\n type: ServiceTypeSchema.optional(),\n port: z.number().int().min(1).max(65535),\n proxy: z.string().regex(/^\\/[a-zA-Z0-9\\-_/]+$/, 'proxy must be a non-root path starting with /'),\n dev: z.string().min(1),\n build: z.string().optional(),\n start: z.string().min(1),\n openapi: z.string().url().optional(),\n healthcheck: z.string().regex(/^\\//, 'healthcheck must start with /').default('/health'),\n cors: z.boolean().default(false),\n env: z.record(z.string(), z.string()).optional(),\n dependsOn: z.array(z.string()).optional(),\n /**\n * EC-25 + ref doc §8: by default the proxy strips upstream Set-Cookie\n * to prevent the polyglot service from issuing cookies that conflict\n * with TheoKit's encrypted session. Set to true to opt-in.\n */\n passSetCookie: z.boolean().default(false),\n})\n\nexport type ServiceDefinition = z.infer<typeof ServiceDefinitionSchema>\nexport type ServicesConfig = Record<string, ServiceDefinition>\n\n/**\n * Topological-order helper used by `dependsOn` cycle detection refine.\n * Returns true iff `graph` is a DAG. Each node's deps must all reference\n * existing nodes; cycles return false.\n */\nfunction isDag(graph: Record<string, readonly string[]>): boolean {\n const WHITE = 0\n const GRAY = 1\n const BLACK = 2\n const colors: Record<string, 0 | 1 | 2> = {}\n for (const node of Object.keys(graph)) colors[node] = WHITE\n\n function visit(node: string): boolean {\n if (colors[node] === GRAY) return false // cycle\n if (colors[node] === BLACK) return true\n colors[node] = GRAY\n for (const dep of graph[node] ?? []) {\n if (!(dep in graph)) return false // missing reference\n if (!visit(dep)) return false\n }\n colors[node] = BLACK\n return true\n }\n\n for (const node of Object.keys(graph)) {\n if (colors[node] === WHITE && !visit(node)) return false\n }\n return true\n}\n\n/**\n * Full services config schema with cross-service refines.\n *\n * EC-1 fix: detect duplicate ports across services.\n * EC-13: empty `dependsOn: []` accepted as no-deps.\n * Self-dep, missing-ref, and cycles rejected via topological check.\n */\nexport const servicesConfigSchema = z\n .record(ServiceNameSchema, ServiceDefinitionSchema)\n .default({})\n // EC-1: duplicate port detection across services\n .refine(\n (s) => {\n const ports = Object.values(s).map((v) => v.port)\n return new Set(ports).size === ports.length\n },\n {\n message: 'duplicate port across services — each service must bind a unique port',\n },\n )\n // duplicate proxy prefix detection\n .refine(\n (s) => {\n const prefixes = Object.values(s).map((v) => v.proxy)\n return new Set(prefixes).size === prefixes.length\n },\n { message: 'duplicate proxy prefix across services' },\n )\n // dependsOn correctness (self-dep, missing reference, cycle)\n .refine(\n (s) => {\n // Build graph\n const graph: Record<string, readonly string[]> = {}\n for (const [name, def] of Object.entries(s)) {\n graph[name] = def.dependsOn ?? []\n }\n // Self-dep: a service mentioning itself is rejected as part of cycle detection\n for (const [name, deps] of Object.entries(graph)) {\n if (deps.includes(name)) return false\n }\n return isDag(graph)\n },\n {\n message: 'invalid dependsOn — must reference existing services, no self-deps, no cycles',\n },\n )\n\nexport type ServicesConfigInput = z.input<typeof servicesConfigSchema>\nexport type ServicesConfigOutput = z.output<typeof servicesConfigSchema>\n","/**\n * Builds a Vite `server.proxy` configuration from TheoKit's\n * declarative `services: {}` config (T2.1).\n *\n * Pure function — no Vite imports, just data shaping. The Vite plugin\n * (services-dev.ts) calls this and merges the result into `vite.config.server.proxy`.\n *\n * Pattern follows Vite proxy reference (referencias/vite/packages/vite/src/node/server/middlewares/proxy.ts):\n * - Each path prefix becomes its own entry\n * - `changeOrigin: true` set by default (matches Vite's string-shortcut behavior)\n * - User-set entries take precedence on prefix collision (we never clobber)\n */\nimport type { ServicesConfig } from '../schema.js'\n\n/**\n * Shape compatible with Vite's `server.proxy` type. We intentionally don't\n * import Vite's `ProxyOptions` so this module stays platform-neutral and\n * unit-testable without Vite.\n */\nexport interface ViteProxyEntry {\n target: string\n changeOrigin: boolean\n rewrite?: (path: string) => string\n}\n\nexport type ViteProxyConfig = Record<string, string | ViteProxyEntry>\n\nexport function buildServicesProxyConfig(\n services: ServicesConfig,\n userProxy: ViteProxyConfig = {},\n): ViteProxyConfig {\n const fromServices: ViteProxyConfig = {}\n for (const [, def] of Object.entries(services)) {\n const prefix = def.proxy\n fromServices[prefix] = {\n target: `http://localhost:${String(def.port)}`,\n changeOrigin: true,\n // Strip the service's `proxy` prefix from the upstream URL so the\n // sidecar receives its own native paths (e.g. `/api/agent/echo` →\n // `/echo`). The sidecar declares routes against its own root path —\n // it doesn't know about the TheoKit proxy prefix.\n rewrite: (path: string) =>\n path.startsWith(prefix) ? path.slice(prefix.length) || '/' : path,\n }\n }\n // User proxy wins on collision (we add services first, then spread user on top)\n return { ...fromServices, ...userProxy }\n}\n"],"mappings":";AA0CA,eAAsB,oBACpB,SAC+B;AAC/B,QAAM,MACJ,QAAQ,QACP,CAAC,QAAmC,SAAiB;AAAA,EAEtD;AACF,QAAM,EAAE,SAAS,UAAU,IAAI;AAE/B,MAAI,CAAC,QAAQ,SAAS;AACpB,WAAO,EAAE,WAAW,OAAO,eAAe,0BAA0B;AAAA,EACtE;AAEA,QAAM,IAAI,QAAQ,eAAe;AACjC,MAAI;AACJ,MAAI;AACF,UAAM,MAAM,MAAM,EAAE,QAAQ,OAAO;AACnC,QAAI,CAAC,IAAI,IAAI;AACX,UAAI,QAAQ,IAAI,QAAQ,IAAI,4BAA4B,OAAO,IAAI,MAAM,CAAC,YAAY;AACtF,aAAO,EAAE,WAAW,OAAO,eAAe,kBAAkB,OAAO,IAAI,MAAM,CAAC,GAAG;AAAA,IACnF;AACA,WAAO,MAAM,IAAI,KAAK;AAAA,EACxB,SAAS,KAAK;AACZ;AAAA,MACE;AAAA,MACA,IAAI,QAAQ,IAAI,2BAA2B,eAAe,QAAQ,IAAI,UAAU,OAAO,GAAG,CAAC;AAAA,IAC7F;AACA,WAAO,EAAE,WAAW,OAAO,eAAe,eAAe;AAAA,EAC3D;AAKA,MAAI;AACJ,MAAI;AAKF,UAAM,WAAW;AACjB,UAAM,WAAW;AACjB,UAAM,aAAa,GAAG,QAAQ,GAAG,QAAQ;AACzC,UAAM,MAAwB,OAAO,YAAY,MAAM,MAAM,IAAI;AACjE,UAAM,MAAO,MAAM;AACnB,mBAAe,KAAK;AAAA,EACtB,QAAQ;AACN,mBAAe;AAAA,EACjB;AAEA,MAAI,OAAO,iBAAiB,YAAY;AACtC;AAAA,MACE;AAAA,MACA,IAAI,QAAQ,IAAI;AAAA,IAElB;AACA,WAAO,EAAE,WAAW,OAAO,eAAe,wBAAwB;AAAA,EACpE;AAEA,QAAM,aAAa,GAAG,SAAS,IAAI,QAAQ,IAAI;AAC/C,MAAI;AACF,UAAO,aAAoD;AAAA,MACzD,OAAO;AAAA,MACP,QAAQ,EAAE,MAAM,WAAW,QAAQ,WAAW;AAAA,MAC9C,SAAS,CAAC,EAAE,MAAM,wBAAwB,CAAC;AAAA,IAC7C,CAAC;AACD,QAAI,QAAQ,IAAI,QAAQ,IAAI,+BAA+B,UAAU,EAAE;AACvE,WAAO,EAAE,WAAW,MAAM,WAAW;AAAA,EACvC,SAAS,KAAK;AACZ;AAAA,MACE;AAAA,MACA,IAAI,QAAQ,IAAI,gCAAgC,eAAe,QAAQ,IAAI,UAAU,OAAO,GAAG,CAAC;AAAA,IAClG;AACA,WAAO,EAAE,WAAW,OAAO,eAAe,kBAAkB;AAAA,EAC9D;AACF;;;AC3GA,SAAS,SAAS;AAGlB,IAAM,uBAAuB,EAAE,KAAK,CAAC,UAAU,MAAM,CAAC;AAMtD,IAAM,oBAAoB,EAAE,KAAK,CAAC,UAAU,UAAU,UAAU,CAAC;AAGjE,IAAM,yBAAyB,CAAC,OAAO,SAAS,YAAY,OAAO;AAMnE,IAAM,oBAAoB,EACvB,OAAO,EACP,IAAI,CAAC,EACL;AAAA,EACC;AAAA,EACA;AACF,EACC,OAAO,CAAC,MAAM,CAAE,uBAA6C,SAAS,CAAC,GAAG;AAAA,EACzE,SAAS,8CAA8C,uBAAuB,KAAK,GAAG,CAAC;AACzF,CAAC;AAQH,IAAM,0BAA0B,EAAE,OAAO;AAAA,EACvC,SAAS;AAAA,EACT,MAAM,kBAAkB,SAAS;AAAA,EACjC,MAAM,EAAE,OAAO,EAAE,IAAI,EAAE,IAAI,CAAC,EAAE,IAAI,KAAK;AAAA,EACvC,OAAO,EAAE,OAAO,EAAE,MAAM,wBAAwB,+CAA+C;AAAA,EAC/F,KAAK,EAAE,OAAO,EAAE,IAAI,CAAC;AAAA,EACrB,OAAO,EAAE,OAAO,EAAE,SAAS;AAAA,EAC3B,OAAO,EAAE,OAAO,EAAE,IAAI,CAAC;AAAA,EACvB,SAAS,EAAE,OAAO,EAAE,IAAI,EAAE,SAAS;AAAA,EACnC,aAAa,EAAE,OAAO,EAAE,MAAM,OAAO,+BAA+B,EAAE,QAAQ,SAAS;AAAA,EACvF,MAAM,EAAE,QAAQ,EAAE,QAAQ,KAAK;AAAA,EAC/B,KAAK,EAAE,OAAO,EAAE,OAAO,GAAG,EAAE,OAAO,CAAC,EAAE,SAAS;AAAA,EAC/C,WAAW,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,SAAS;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAMxC,eAAe,EAAE,QAAQ,EAAE,QAAQ,KAAK;AAC1C,CAAC;AAUD,SAAS,MAAM,OAAmD;AAChE,QAAM,QAAQ;AACd,QAAM,OAAO;AACb,QAAM,QAAQ;AACd,QAAM,SAAoC,CAAC;AAC3C,aAAW,QAAQ,OAAO,KAAK,KAAK,EAAG,QAAO,IAAI,IAAI;AAEtD,WAAS,MAAM,MAAuB;AACpC,QAAI,OAAO,IAAI,MAAM,KAAM,QAAO;AAClC,QAAI,OAAO,IAAI,MAAM,MAAO,QAAO;AACnC,WAAO,IAAI,IAAI;AACf,eAAW,OAAO,MAAM,IAAI,KAAK,CAAC,GAAG;AACnC,UAAI,EAAE,OAAO,OAAQ,QAAO;AAC5B,UAAI,CAAC,MAAM,GAAG,EAAG,QAAO;AAAA,IAC1B;AACA,WAAO,IAAI,IAAI;AACf,WAAO;AAAA,EACT;AAEA,aAAW,QAAQ,OAAO,KAAK,KAAK,GAAG;AACrC,QAAI,OAAO,IAAI,MAAM,SAAS,CAAC,MAAM,IAAI,EAAG,QAAO;AAAA,EACrD;AACA,SAAO;AACT;AASO,IAAM,uBAAuB,EACjC,OAAO,mBAAmB,uBAAuB,EACjD,QAAQ,CAAC,CAAC,EAEV;AAAA,EACC,CAAC,MAAM;AACL,UAAM,QAAQ,OAAO,OAAO,CAAC,EAAE,IAAI,CAAC,MAAM,EAAE,IAAI;AAChD,WAAO,IAAI,IAAI,KAAK,EAAE,SAAS,MAAM;AAAA,EACvC;AAAA,EACA;AAAA,IACE,SAAS;AAAA,EACX;AACF,EAEC;AAAA,EACC,CAAC,MAAM;AACL,UAAM,WAAW,OAAO,OAAO,CAAC,EAAE,IAAI,CAAC,MAAM,EAAE,KAAK;AACpD,WAAO,IAAI,IAAI,QAAQ,EAAE,SAAS,SAAS;AAAA,EAC7C;AAAA,EACA,EAAE,SAAS,yCAAyC;AACtD,EAEC;AAAA,EACC,CAAC,MAAM;AAEL,UAAM,QAA2C,CAAC;AAClD,eAAW,CAAC,MAAM,GAAG,KAAK,OAAO,QAAQ,CAAC,GAAG;AAC3C,YAAM,IAAI,IAAI,IAAI,aAAa,CAAC;AAAA,IAClC;AAEA,eAAW,CAAC,MAAM,IAAI,KAAK,OAAO,QAAQ,KAAK,GAAG;AAChD,UAAI,KAAK,SAAS,IAAI,EAAG,QAAO;AAAA,IAClC;AACA,WAAO,MAAM,KAAK;AAAA,EACpB;AAAA,EACA;AAAA,IACE,SAAS;AAAA,EACX;AACF;;;ACrHK,SAAS,yBACd,UACA,YAA6B,CAAC,GACb;AACjB,QAAM,eAAgC,CAAC;AACvC,aAAW,CAAC,EAAE,GAAG,KAAK,OAAO,QAAQ,QAAQ,GAAG;AAC9C,UAAM,SAAS,IAAI;AACnB,iBAAa,MAAM,IAAI;AAAA,MACrB,QAAQ,oBAAoB,OAAO,IAAI,IAAI,CAAC;AAAA,MAC5C,cAAc;AAAA;AAAA;AAAA;AAAA;AAAA,MAKd,SAAS,CAAC,SACR,KAAK,WAAW,MAAM,IAAI,KAAK,MAAM,OAAO,MAAM,KAAK,MAAM;AAAA,IACjE;AAAA,EACF;AAEA,SAAO,EAAE,GAAG,cAAc,GAAG,UAAU;AACzC;","names":[]}
@@ -0,0 +1 @@
1
+ //# sourceMappingURL=chunk-E3JH6YUM.js.map
@@ -0,0 +1,220 @@
1
+ // src/server/storage/storage-manager.ts
2
+ var StorageManager = class {
3
+ #config;
4
+ #dbPools = /* @__PURE__ */ new Map();
5
+ #redisClients = /* @__PURE__ */ new Map();
6
+ #genericClients = /* @__PURE__ */ new Map();
7
+ #adapters = /* @__PURE__ */ new Set();
8
+ #disposed = false;
9
+ /**
10
+ * Apply the storage config block from `theo.config.ts`. Second call warns
11
+ * and is ignored (D3). Reset only via `__resetForTests()`.
12
+ */
13
+ configure(config) {
14
+ if (this.#config !== void 0) {
15
+ console.warn("[theokit] StorageManager already configured; ignoring second configure() call");
16
+ return;
17
+ }
18
+ this.#config = config;
19
+ }
20
+ /**
21
+ * Generic cache + factory for ANY client (MySQL, Mongo, Turso, DynamoDB, …).
22
+ * Returns the cached client OR invokes the factory and caches its return.
23
+ *
24
+ * EC-1 FIX: cache-hit check uses `Map.has(name)`, NOT `cached !== undefined`.
25
+ * Factories returning `null` or `undefined` are valid (lazy connect, stubs);
26
+ * the `!== undefined` check would re-invoke the factory infinitely for
27
+ * undefined returns AND silently cache `null` cast as `T`.
28
+ *
29
+ * EC-2 (documented type hole): `useStorage<A>('x', fA)` followed by
30
+ * `useStorage<B>('x', fB)` returns the cached A cast as B. Same trade-off
31
+ * as `Map<string, unknown>` — caller is responsible for using unique names
32
+ * per type.
33
+ *
34
+ * Lifecycle: generic clients are NOT auto-drained by `dispose()`. Call
35
+ * `manager.register({ name, dispose })` separately to participate.
36
+ *
37
+ * Reserved name prefixes (do NOT use): `__pg:`, `__redis:`, `__unstorage:`,
38
+ * `__db0:` — these are used internally by the typed helpers.
39
+ */
40
+ useStorage(name, factory) {
41
+ if (this.#disposed) throw new Error("StorageManager is disposed");
42
+ if (this.#genericClients.has(name)) return this.#genericClients.get(name);
43
+ const client = factory();
44
+ this.#genericClients.set(name, client);
45
+ return client;
46
+ }
47
+ /**
48
+ * Return a Postgres pool for the named database. Lazy + cached. Factory
49
+ * invoked exactly once per `dbName` (D2).
50
+ *
51
+ * Throws if:
52
+ * - manager is disposed
53
+ * - `dbName` is not in `config.databases`
54
+ * - the referenced server is not in `config.servers` (EC-2: deferred
55
+ * cross-field validation surfaces here, not at configure time)
56
+ */
57
+ usePostgres(dbName, factory) {
58
+ if (this.#disposed) throw new Error("StorageManager is disposed");
59
+ const cached = this.#dbPools.get(dbName);
60
+ if (cached !== void 0) return cached;
61
+ const dbConfig = this.#config?.databases?.[dbName];
62
+ if (dbConfig === void 0) {
63
+ throw new Error(
64
+ `Database "${dbName}" not configured. Add it to theo.config.ts > storage.databases.`
65
+ );
66
+ }
67
+ const server = this.#config?.servers?.[dbConfig.server];
68
+ if (server === void 0) {
69
+ throw new Error(
70
+ `Server "${dbConfig.server}" referenced by database "${dbName}" not found in theo.config.ts > storage.servers.`
71
+ );
72
+ }
73
+ const pool = factory(server, dbConfig);
74
+ this.#dbPools.set(dbName, pool);
75
+ return pool;
76
+ }
77
+ /**
78
+ * Return a Redis client for the named server. Lazy + cached. Factory
79
+ * invoked exactly once per `serverName`.
80
+ */
81
+ useRedis(serverName, factory) {
82
+ if (this.#disposed) throw new Error("StorageManager is disposed");
83
+ const cached = this.#redisClients.get(serverName);
84
+ if (cached !== void 0) return cached;
85
+ const serverConfig = this.#config?.redis?.[serverName];
86
+ if (serverConfig === void 0) {
87
+ throw new Error(
88
+ `Redis server "${serverName}" not configured. Add it to theo.config.ts > storage.redis.`
89
+ );
90
+ }
91
+ const client = factory(serverConfig);
92
+ this.#redisClients.set(serverName, client);
93
+ return client;
94
+ }
95
+ /**
96
+ * Register an adapter for graceful shutdown coordination (D6).
97
+ *
98
+ * EC-4: throws if the manager is already disposed — prevents silent
99
+ * leaks in test seams that reset+reuse the manager.
100
+ */
101
+ register(adapter) {
102
+ if (this.#disposed) {
103
+ throw new Error(
104
+ "StorageManager is disposed; cannot register new adapter. Call __resetForTests() in test setup."
105
+ );
106
+ }
107
+ this.#adapters.add(adapter);
108
+ }
109
+ /**
110
+ * Drain in parallel — registered adapters, then PG pools, then Redis
111
+ * clients. Idempotent (D5). Errors per resource are logged and swallowed
112
+ * — they do NOT prevent shutdown of the remaining resources.
113
+ *
114
+ * Caller must wrap in a timeout if a bound is needed (EC-7: documented).
115
+ * In production, `start.ts` wraps the whole shutdown sequence in a 25 s
116
+ * force-exit timer.
117
+ */
118
+ async dispose() {
119
+ if (this.#disposed) return;
120
+ this.#disposed = true;
121
+ const adapterDrains = Array.from(this.#adapters).map(
122
+ (a) => a.dispose().catch((err) => {
123
+ const msg = err instanceof Error ? err.message : String(err);
124
+ console.warn(`[theokit] adapter "${a.name}" dispose failed: ${msg}`);
125
+ })
126
+ );
127
+ await Promise.all(adapterDrains);
128
+ const poolCloses = Array.from(this.#dbPools.values()).map((pool) => {
129
+ if (pool.end === void 0) return Promise.resolve();
130
+ return pool.end().catch((err) => {
131
+ const msg = err instanceof Error ? err.message : String(err);
132
+ console.warn(`[theokit] PG pool close failed: ${msg}`);
133
+ });
134
+ });
135
+ await Promise.all(poolCloses);
136
+ const redisCloses = Array.from(this.#redisClients.values()).map(
137
+ (c) => c.quit().catch((err) => {
138
+ const msg = err instanceof Error ? err.message : String(err);
139
+ console.warn(`[theokit] Redis quit failed, falling back to disconnect: ${msg}`);
140
+ c.disconnect();
141
+ })
142
+ );
143
+ await Promise.all(redisCloses);
144
+ this.#dbPools.clear();
145
+ this.#redisClients.clear();
146
+ this.#genericClients.clear();
147
+ this.#adapters.clear();
148
+ }
149
+ /** @internal Testing seam — resets state so a single test file can re-use the singleton across `it` blocks (EC-3). */
150
+ __resetForTests() {
151
+ this.#config = void 0;
152
+ this.#dbPools.clear();
153
+ this.#redisClients.clear();
154
+ this.#genericClients.clear();
155
+ this.#adapters.clear();
156
+ this.#disposed = false;
157
+ }
158
+ /** @internal Introspection helper for tests. */
159
+ __isConfiguredForTests() {
160
+ return this.#config !== void 0;
161
+ }
162
+ /** @internal Introspection helper for tests. */
163
+ __isDisposedForTests() {
164
+ return this.#disposed;
165
+ }
166
+ };
167
+ var __singleton;
168
+ function getStorageManager() {
169
+ __singleton ??= new StorageManager();
170
+ return __singleton;
171
+ }
172
+
173
+ // src/server/storage/use-unstorage.ts
174
+ async function useUnstorage(name, driver) {
175
+ const mod = await import("unstorage").catch(() => null);
176
+ if (mod === null) {
177
+ throw new Error(
178
+ "useUnstorage requires the 'unstorage' package. Install via: pnpm add unstorage"
179
+ );
180
+ }
181
+ const manager = getStorageManager();
182
+ return manager.useStorage(`__unstorage:${name}`, () => {
183
+ const storage = mod.createStorage({ driver });
184
+ manager.register({
185
+ name: `unstorage:${name}`,
186
+ dispose: () => storage.dispose?.() ?? Promise.resolve()
187
+ });
188
+ return storage;
189
+ });
190
+ }
191
+
192
+ // src/server/storage/use-database.ts
193
+ function detectUninvokedFactory(connector) {
194
+ if (typeof connector === "function") {
195
+ const fn = connector;
196
+ if ((fn.length ?? 0) > 0) {
197
+ const name = fn.name !== void 0 && fn.name !== "" ? fn.name : "connector";
198
+ return `useDatabase: connector argument looks like an un-invoked factory (function with ${String(fn.length)} parameter(s)). Did you forget to call the factory? Pass \`${name}({...})\` not \`${name}\`. Example: useDatabase('main', sqlite({ name: ':memory:' }))`;
199
+ }
200
+ }
201
+ return null;
202
+ }
203
+ async function useDatabase(name, connector) {
204
+ const factoryError = detectUninvokedFactory(connector);
205
+ if (factoryError !== null) throw new Error(factoryError);
206
+ const mod = await import("db0").catch(() => null);
207
+ if (mod === null) {
208
+ throw new Error("useDatabase requires the 'db0' package. Install via: pnpm add db0");
209
+ }
210
+ const manager = getStorageManager();
211
+ return manager.useStorage(`__db0:${name}`, () => mod.createDatabase(connector));
212
+ }
213
+
214
+ export {
215
+ StorageManager,
216
+ getStorageManager,
217
+ useUnstorage,
218
+ useDatabase
219
+ };
220
+ //# sourceMappingURL=chunk-ESC54TAK.js.map
@@ -0,0 +1 @@
1
+ {"version":3,"sources":["../src/server/storage/storage-manager.ts","../src/server/storage/use-unstorage.ts","../src/server/storage/use-database.ts"],"sourcesContent":["/**\n * StorageManager — per-process singleton coordinating pluggable storage\n * adapters (Postgres pools, Redis clients, in-memory adapters).\n *\n * Architectural decisions: see ADR-0007 (docs/adr/0007-storage-manager-singleton.md).\n *\n * Lifecycle:\n * 1. `getStorageManager()` returns the singleton (D1).\n * 2. `configure(storageConfig)` honored once per process (D3). Second call\n * warns and is ignored.\n * 3. `usePostgres(dbName, factory)` / `useRedis(serverName, factory)`\n * lazily create + cache (D2). Factory invoked exactly once per name.\n * 4. `register(adapter)` opts the adapter into the SIGTERM drain (D6).\n * 5. `dispose()` drains in parallel — adapters + pools + Redis (D5).\n * Idempotent. Adapter errors logged + swallowed (do not block shutdown).\n *\n * Test seam: `__resetForTests()` resets state. Test files MUST call it from\n * `beforeEach` to avoid pollution across `it` blocks (EC-3).\n */\n\nimport type {\n PoolLike,\n PostgresDatabaseConfig,\n RedisLike,\n RedisServerConfig,\n ServerConfig,\n StorageAdapter,\n StorageConfig,\n} from './storage-types.js'\n\nexport type PostgresFactory = (server: ServerConfig, db: PostgresDatabaseConfig) => PoolLike\nexport type RedisFactory = (config: RedisServerConfig) => RedisLike\n\nexport class StorageManager {\n #config: StorageConfig | undefined\n readonly #dbPools = new Map<string, PoolLike>()\n readonly #redisClients = new Map<string, RedisLike>()\n readonly #genericClients = new Map<string, unknown>()\n readonly #adapters = new Set<StorageAdapter>()\n #disposed = false\n\n /**\n * Apply the storage config block from `theo.config.ts`. Second call warns\n * and is ignored (D3). Reset only via `__resetForTests()`.\n */\n configure(config: StorageConfig): void {\n if (this.#config !== undefined) {\n console.warn('[theokit] StorageManager already configured; ignoring second configure() call')\n return\n }\n this.#config = config\n }\n\n /**\n * Generic cache + factory for ANY client (MySQL, Mongo, Turso, DynamoDB, …).\n * Returns the cached client OR invokes the factory and caches its return.\n *\n * EC-1 FIX: cache-hit check uses `Map.has(name)`, NOT `cached !== undefined`.\n * Factories returning `null` or `undefined` are valid (lazy connect, stubs);\n * the `!== undefined` check would re-invoke the factory infinitely for\n * undefined returns AND silently cache `null` cast as `T`.\n *\n * EC-2 (documented type hole): `useStorage<A>('x', fA)` followed by\n * `useStorage<B>('x', fB)` returns the cached A cast as B. Same trade-off\n * as `Map<string, unknown>` — caller is responsible for using unique names\n * per type.\n *\n * Lifecycle: generic clients are NOT auto-drained by `dispose()`. Call\n * `manager.register({ name, dispose })` separately to participate.\n *\n * Reserved name prefixes (do NOT use): `__pg:`, `__redis:`, `__unstorage:`,\n * `__db0:` — these are used internally by the typed helpers.\n */\n useStorage<T>(name: string, factory: () => T): T {\n if (this.#disposed) throw new Error('StorageManager is disposed')\n if (this.#genericClients.has(name)) return this.#genericClients.get(name) as T\n const client = factory()\n this.#genericClients.set(name, client)\n return client\n }\n\n /**\n * Return a Postgres pool for the named database. Lazy + cached. Factory\n * invoked exactly once per `dbName` (D2).\n *\n * Throws if:\n * - manager is disposed\n * - `dbName` is not in `config.databases`\n * - the referenced server is not in `config.servers` (EC-2: deferred\n * cross-field validation surfaces here, not at configure time)\n */\n usePostgres(dbName: string, factory: PostgresFactory): PoolLike {\n if (this.#disposed) throw new Error('StorageManager is disposed')\n const cached = this.#dbPools.get(dbName)\n if (cached !== undefined) return cached\n const dbConfig = this.#config?.databases?.[dbName]\n if (dbConfig === undefined) {\n throw new Error(\n `Database \"${dbName}\" not configured. Add it to theo.config.ts > storage.databases.`,\n )\n }\n const server = this.#config?.servers?.[dbConfig.server]\n if (server === undefined) {\n throw new Error(\n `Server \"${dbConfig.server}\" referenced by database \"${dbName}\" not found in theo.config.ts > storage.servers.`,\n )\n }\n const pool = factory(server, dbConfig)\n this.#dbPools.set(dbName, pool)\n return pool\n }\n\n /**\n * Return a Redis client for the named server. Lazy + cached. Factory\n * invoked exactly once per `serverName`.\n */\n useRedis(serverName: string, factory: RedisFactory): RedisLike {\n if (this.#disposed) throw new Error('StorageManager is disposed')\n const cached = this.#redisClients.get(serverName)\n if (cached !== undefined) return cached\n const serverConfig = this.#config?.redis?.[serverName]\n if (serverConfig === undefined) {\n throw new Error(\n `Redis server \"${serverName}\" not configured. Add it to theo.config.ts > storage.redis.`,\n )\n }\n const client = factory(serverConfig)\n this.#redisClients.set(serverName, client)\n return client\n }\n\n /**\n * Register an adapter for graceful shutdown coordination (D6).\n *\n * EC-4: throws if the manager is already disposed — prevents silent\n * leaks in test seams that reset+reuse the manager.\n */\n register(adapter: StorageAdapter): void {\n if (this.#disposed) {\n throw new Error(\n 'StorageManager is disposed; cannot register new adapter. Call __resetForTests() in test setup.',\n )\n }\n this.#adapters.add(adapter)\n }\n\n /**\n * Drain in parallel — registered adapters, then PG pools, then Redis\n * clients. Idempotent (D5). Errors per resource are logged and swallowed\n * — they do NOT prevent shutdown of the remaining resources.\n *\n * Caller must wrap in a timeout if a bound is needed (EC-7: documented).\n * In production, `start.ts` wraps the whole shutdown sequence in a 25 s\n * force-exit timer.\n */\n async dispose(): Promise<void> {\n if (this.#disposed) return\n this.#disposed = true\n\n const adapterDrains = Array.from(this.#adapters).map((a) =>\n a.dispose().catch((err: unknown) => {\n const msg = err instanceof Error ? err.message : String(err)\n console.warn(`[theokit] adapter \"${a.name}\" dispose failed: ${msg}`)\n }),\n )\n await Promise.all(adapterDrains)\n\n const poolCloses = Array.from(this.#dbPools.values()).map((pool) => {\n // EC-5: pool without `.end()` is silently skipped (TS already enforces\n // shape at factory signature; this is the graceful runtime fallback if\n // user bypasses via `as` cast).\n if (pool.end === undefined) return Promise.resolve()\n return pool.end().catch((err: unknown) => {\n const msg = err instanceof Error ? err.message : String(err)\n console.warn(`[theokit] PG pool close failed: ${msg}`)\n })\n })\n await Promise.all(poolCloses)\n\n const redisCloses = Array.from(this.#redisClients.values()).map((c) =>\n c.quit().catch((err: unknown) => {\n const msg = err instanceof Error ? err.message : String(err)\n console.warn(`[theokit] Redis quit failed, falling back to disconnect: ${msg}`)\n c.disconnect()\n }),\n )\n await Promise.all(redisCloses)\n\n this.#dbPools.clear()\n this.#redisClients.clear()\n this.#genericClients.clear()\n this.#adapters.clear()\n }\n\n /** @internal Testing seam — resets state so a single test file can re-use the singleton across `it` blocks (EC-3). */\n __resetForTests(): void {\n this.#config = undefined\n this.#dbPools.clear()\n this.#redisClients.clear()\n this.#genericClients.clear()\n this.#adapters.clear()\n this.#disposed = false\n }\n\n /** @internal Introspection helper for tests. */\n __isConfiguredForTests(): boolean {\n return this.#config !== undefined\n }\n\n /** @internal Introspection helper for tests. */\n __isDisposedForTests(): boolean {\n return this.#disposed\n }\n}\n\n// Singleton — one StorageManager per process (D1).\nlet __singleton: StorageManager | undefined\n\nexport function getStorageManager(): StorageManager {\n __singleton ??= new StorageManager()\n return __singleton\n}\n\n/** @internal Drops the module-level singleton — used by tests that need a fresh manager. */\nexport function __resetSingletonForTests(): void {\n __singleton = undefined\n}\n","/**\n * `useUnstorage(name, driver?)` — wraps `unstorage.createStorage({ driver })`\n * via `StorageManager.useStorage<T>` for caching + lifecycle coordination.\n *\n * Architectural decision: see ADR-0009 (`unstorage` adoption for KV drivers).\n *\n * `unstorage` is an OPTIONAL peer dependency. Apps that don't use KV pay zero\n * bundle cost; calling `useUnstorage` without `unstorage` installed throws an\n * actionable error.\n *\n * The returned `Storage<T>` is auto-registered with `manager.dispose()` so\n * SIGTERM drains it. Repeated calls with the same `name` return the cached\n * instance (factory invoked once).\n *\n * @example Memory driver (dev / tests)\n * const cache = await useUnstorage<string>('cache')\n * await cache.setItem('k', 'v')\n *\n * @example Redis driver (prod)\n * import redisDriver from 'unstorage/drivers/redis'\n * const cache = await useUnstorage<string>('cache', redisDriver({ url: process.env.REDIS_URL }))\n *\n * Reserved cache key prefix: `__unstorage:` — do NOT use this prefix in\n * `manager.useStorage<T>(name)` to avoid collision (EC-8 documented).\n */\nimport { getStorageManager } from './storage-manager.js'\n\ninterface UnstorageModule {\n createStorage: <T>(options?: { driver?: unknown }) => UnstorageInstance<T>\n}\n\nexport interface UnstorageInstance<T> {\n getItem(key: string): Promise<T | null>\n setItem(key: string, value: T): Promise<void>\n removeItem(key: string): Promise<void>\n keys(prefix?: string): Promise<string[]>\n hasItem(key: string): Promise<boolean>\n clear(prefix?: string): Promise<void>\n dispose?(): Promise<void>\n}\n\nexport async function useUnstorage<T = unknown>(\n name: string,\n driver?: unknown,\n): Promise<UnstorageInstance<T>> {\n const mod = (await import('unstorage').catch(() => null)) as UnstorageModule | null\n if (mod === null) {\n throw new Error(\n \"useUnstorage requires the 'unstorage' package. Install via: pnpm add unstorage\",\n )\n }\n const manager = getStorageManager()\n return manager.useStorage<UnstorageInstance<T>>(`__unstorage:${name}`, () => {\n const storage = mod.createStorage<T>({ driver })\n manager.register({\n name: `unstorage:${name}`,\n dispose: () => storage.dispose?.() ?? Promise.resolve(),\n })\n return storage\n })\n}\n","/**\n * `useDatabase(name, connector)` — wraps `db0.createDatabase(connector)` via\n * `StorageManager.useStorage<T>` for caching.\n *\n * Architectural decision: see ADR-0010 (db0 adoption for SQL non-Postgres).\n *\n * `db0` is an OPTIONAL peer dependency. Apps that don't use db0 pay zero bundle\n * cost; calling `useDatabase` without `db0` installed throws an actionable error.\n *\n * **For Postgres: prefer `usePostgres(dbName, factory)`** — returns `pg.Pool`\n * directly which integrates better with Drizzle / raw SQL.\n *\n * Lifecycle: db0 connectors don't share a unified close API. Users SHOULD\n * register a dispose hook manually if cleanup matters (EC-9 documented):\n * ```ts\n * const db = await useDatabase('main', sqlite({...}))\n * getStorageManager().register({ name: 'db:main', dispose: () => db.exec('...') })\n * ```\n *\n * Reserved cache key prefix: `__db0:` — do NOT use this prefix in\n * `manager.useStorage<T>(name)` to avoid collision (EC-8 documented).\n *\n * @example libSQL / Turso\n * import libsql from 'db0/connectors/libsql-core'\n * const db = await useDatabase('main', libsql({ url: process.env.TURSO_URL }))\n *\n * @example SQLite (better-sqlite3)\n * import sqlite from 'db0/connectors/better-sqlite3'\n * const db = await useDatabase('main', sqlite({ name: 'app.db' }))\n */\nimport { getStorageManager } from './storage-manager.js'\n\ninterface Db0Module {\n createDatabase: (connector: unknown) => Db0Database\n}\n\nexport interface Db0Database {\n exec: (sql: string) => Promise<unknown>\n prepare: (sql: string) => unknown\n sql: (strings: TemplateStringsArray, ...args: unknown[]) => Promise<unknown>\n}\n\n/**\n * EC-5 — heuristic to detect a connector factory that wasn't invoked.\n *\n * `db0` connectors are factories: `sqlite({...})` returns a `Connector`.\n * If the user passes `sqlite` (the factory itself) instead of `sqlite({...})`\n * (the invoked Connector), `db0.createDatabase` fails with a cryptic message.\n *\n * A connector is an object (with methods like `exec`, `prepare`). A factory\n * is a function with declared parameters (arity ≥ 1, since connectors take\n * an options object). We throw an actionable error in the factory case.\n */\nfunction detectUninvokedFactory(connector: unknown): string | null {\n if (typeof connector === 'function') {\n const fn = connector as { length?: number; name?: string }\n if ((fn.length ?? 0) > 0) {\n const name = fn.name !== undefined && fn.name !== '' ? fn.name : 'connector'\n return (\n `useDatabase: connector argument looks like an un-invoked factory (function with ${String(fn.length)} parameter(s)). ` +\n `Did you forget to call the factory? Pass \\`${name}({...})\\` not \\`${name}\\`. ` +\n `Example: useDatabase('main', sqlite({ name: ':memory:' }))`\n )\n }\n }\n return null\n}\n\nexport async function useDatabase(name: string, connector: unknown): Promise<Db0Database> {\n const factoryError = detectUninvokedFactory(connector)\n if (factoryError !== null) throw new Error(factoryError)\n\n const mod = (await import('db0').catch(() => null)) as Db0Module | null\n if (mod === null) {\n throw new Error(\"useDatabase requires the 'db0' package. Install via: pnpm add db0\")\n }\n const manager = getStorageManager()\n return manager.useStorage<Db0Database>(`__db0:${name}`, () => mod.createDatabase(connector))\n}\n"],"mappings":";AAiCO,IAAM,iBAAN,MAAqB;AAAA,EAC1B;AAAA,EACS,WAAW,oBAAI,IAAsB;AAAA,EACrC,gBAAgB,oBAAI,IAAuB;AAAA,EAC3C,kBAAkB,oBAAI,IAAqB;AAAA,EAC3C,YAAY,oBAAI,IAAoB;AAAA,EAC7C,YAAY;AAAA;AAAA;AAAA;AAAA;AAAA,EAMZ,UAAU,QAA6B;AACrC,QAAI,KAAK,YAAY,QAAW;AAC9B,cAAQ,KAAK,+EAA+E;AAC5F;AAAA,IACF;AACA,SAAK,UAAU;AAAA,EACjB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAsBA,WAAc,MAAc,SAAqB;AAC/C,QAAI,KAAK,UAAW,OAAM,IAAI,MAAM,4BAA4B;AAChE,QAAI,KAAK,gBAAgB,IAAI,IAAI,EAAG,QAAO,KAAK,gBAAgB,IAAI,IAAI;AACxE,UAAM,SAAS,QAAQ;AACvB,SAAK,gBAAgB,IAAI,MAAM,MAAM;AACrC,WAAO;AAAA,EACT;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAYA,YAAY,QAAgB,SAAoC;AAC9D,QAAI,KAAK,UAAW,OAAM,IAAI,MAAM,4BAA4B;AAChE,UAAM,SAAS,KAAK,SAAS,IAAI,MAAM;AACvC,QAAI,WAAW,OAAW,QAAO;AACjC,UAAM,WAAW,KAAK,SAAS,YAAY,MAAM;AACjD,QAAI,aAAa,QAAW;AAC1B,YAAM,IAAI;AAAA,QACR,aAAa,MAAM;AAAA,MACrB;AAAA,IACF;AACA,UAAM,SAAS,KAAK,SAAS,UAAU,SAAS,MAAM;AACtD,QAAI,WAAW,QAAW;AACxB,YAAM,IAAI;AAAA,QACR,WAAW,SAAS,MAAM,6BAA6B,MAAM;AAAA,MAC/D;AAAA,IACF;AACA,UAAM,OAAO,QAAQ,QAAQ,QAAQ;AACrC,SAAK,SAAS,IAAI,QAAQ,IAAI;AAC9B,WAAO;AAAA,EACT;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,SAAS,YAAoB,SAAkC;AAC7D,QAAI,KAAK,UAAW,OAAM,IAAI,MAAM,4BAA4B;AAChE,UAAM,SAAS,KAAK,cAAc,IAAI,UAAU;AAChD,QAAI,WAAW,OAAW,QAAO;AACjC,UAAM,eAAe,KAAK,SAAS,QAAQ,UAAU;AACrD,QAAI,iBAAiB,QAAW;AAC9B,YAAM,IAAI;AAAA,QACR,iBAAiB,UAAU;AAAA,MAC7B;AAAA,IACF;AACA,UAAM,SAAS,QAAQ,YAAY;AACnC,SAAK,cAAc,IAAI,YAAY,MAAM;AACzC,WAAO;AAAA,EACT;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQA,SAAS,SAA+B;AACtC,QAAI,KAAK,WAAW;AAClB,YAAM,IAAI;AAAA,QACR;AAAA,MACF;AAAA,IACF;AACA,SAAK,UAAU,IAAI,OAAO;AAAA,EAC5B;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAWA,MAAM,UAAyB;AAC7B,QAAI,KAAK,UAAW;AACpB,SAAK,YAAY;AAEjB,UAAM,gBAAgB,MAAM,KAAK,KAAK,SAAS,EAAE;AAAA,MAAI,CAAC,MACpD,EAAE,QAAQ,EAAE,MAAM,CAAC,QAAiB;AAClC,cAAM,MAAM,eAAe,QAAQ,IAAI,UAAU,OAAO,GAAG;AAC3D,gBAAQ,KAAK,sBAAsB,EAAE,IAAI,qBAAqB,GAAG,EAAE;AAAA,MACrE,CAAC;AAAA,IACH;AACA,UAAM,QAAQ,IAAI,aAAa;AAE/B,UAAM,aAAa,MAAM,KAAK,KAAK,SAAS,OAAO,CAAC,EAAE,IAAI,CAAC,SAAS;AAIlE,UAAI,KAAK,QAAQ,OAAW,QAAO,QAAQ,QAAQ;AACnD,aAAO,KAAK,IAAI,EAAE,MAAM,CAAC,QAAiB;AACxC,cAAM,MAAM,eAAe,QAAQ,IAAI,UAAU,OAAO,GAAG;AAC3D,gBAAQ,KAAK,mCAAmC,GAAG,EAAE;AAAA,MACvD,CAAC;AAAA,IACH,CAAC;AACD,UAAM,QAAQ,IAAI,UAAU;AAE5B,UAAM,cAAc,MAAM,KAAK,KAAK,cAAc,OAAO,CAAC,EAAE;AAAA,MAAI,CAAC,MAC/D,EAAE,KAAK,EAAE,MAAM,CAAC,QAAiB;AAC/B,cAAM,MAAM,eAAe,QAAQ,IAAI,UAAU,OAAO,GAAG;AAC3D,gBAAQ,KAAK,4DAA4D,GAAG,EAAE;AAC9E,UAAE,WAAW;AAAA,MACf,CAAC;AAAA,IACH;AACA,UAAM,QAAQ,IAAI,WAAW;AAE7B,SAAK,SAAS,MAAM;AACpB,SAAK,cAAc,MAAM;AACzB,SAAK,gBAAgB,MAAM;AAC3B,SAAK,UAAU,MAAM;AAAA,EACvB;AAAA;AAAA,EAGA,kBAAwB;AACtB,SAAK,UAAU;AACf,SAAK,SAAS,MAAM;AACpB,SAAK,cAAc,MAAM;AACzB,SAAK,gBAAgB,MAAM;AAC3B,SAAK,UAAU,MAAM;AACrB,SAAK,YAAY;AAAA,EACnB;AAAA;AAAA,EAGA,yBAAkC;AAChC,WAAO,KAAK,YAAY;AAAA,EAC1B;AAAA;AAAA,EAGA,uBAAgC;AAC9B,WAAO,KAAK;AAAA,EACd;AACF;AAGA,IAAI;AAEG,SAAS,oBAAoC;AAClD,kBAAgB,IAAI,eAAe;AACnC,SAAO;AACT;;;ACpLA,eAAsB,aACpB,MACA,QAC+B;AAC/B,QAAM,MAAO,MAAM,OAAO,WAAW,EAAE,MAAM,MAAM,IAAI;AACvD,MAAI,QAAQ,MAAM;AAChB,UAAM,IAAI;AAAA,MACR;AAAA,IACF;AAAA,EACF;AACA,QAAM,UAAU,kBAAkB;AAClC,SAAO,QAAQ,WAAiC,eAAe,IAAI,IAAI,MAAM;AAC3E,UAAM,UAAU,IAAI,cAAiB,EAAE,OAAO,CAAC;AAC/C,YAAQ,SAAS;AAAA,MACf,MAAM,aAAa,IAAI;AAAA,MACvB,SAAS,MAAM,QAAQ,UAAU,KAAK,QAAQ,QAAQ;AAAA,IACxD,CAAC;AACD,WAAO;AAAA,EACT,CAAC;AACH;;;ACPA,SAAS,uBAAuB,WAAmC;AACjE,MAAI,OAAO,cAAc,YAAY;AACnC,UAAM,KAAK;AACX,SAAK,GAAG,UAAU,KAAK,GAAG;AACxB,YAAM,OAAO,GAAG,SAAS,UAAa,GAAG,SAAS,KAAK,GAAG,OAAO;AACjE,aACE,mFAAmF,OAAO,GAAG,MAAM,CAAC,8DACtD,IAAI,mBAAmB,IAAI;AAAA,IAG7E;AAAA,EACF;AACA,SAAO;AACT;AAEA,eAAsB,YAAY,MAAc,WAA0C;AACxF,QAAM,eAAe,uBAAuB,SAAS;AACrD,MAAI,iBAAiB,KAAM,OAAM,IAAI,MAAM,YAAY;AAEvD,QAAM,MAAO,MAAM,OAAO,KAAK,EAAE,MAAM,MAAM,IAAI;AACjD,MAAI,QAAQ,MAAM;AAChB,UAAM,IAAI,MAAM,mEAAmE;AAAA,EACrF;AACA,QAAM,UAAU,kBAAkB;AAClC,SAAO,QAAQ,WAAwB,SAAS,IAAI,IAAI,MAAM,IAAI,eAAe,SAAS,CAAC;AAC7F;","names":[]}