tina4-nodejs 3.13.37 → 3.13.39

package/packages/core/src/graphql.ts

@@ -20,6 +20,9 @@
  *   - Error capture (resolver exceptions become GraphQL errors)
  */
 
+import { Log } from "./logger.js";
+import { isDebugMode } from "./errorOverlay.js";
+
 // ── Types ────────────────────────────────────────────────────
 
 export interface GraphQLField {
@@ -115,6 +118,19 @@ interface ParsedField {
   selections: ParsedSelection[] | null;
 }
 
+interface ParsedFragmentSpread {
+  kind: "fragment_spread";
+  name: string;
+  directives: ParsedDirective[];
+}
+
+interface ParsedInlineFragment {
+  kind: "inline_fragment";
+  on: string | null;
+  directives: ParsedDirective[];
+  selections: ParsedSelection[];
+}
+
 interface ParsedDirective {
   name: string;
   args: Record<string, unknown>;
@@ -129,13 +145,22 @@ interface ParsedOperation {
   selections: ParsedSelection[];
 }
 
+interface ParsedFragment {
+  kind: "fragment";
+  name: string;
+  on: string;
+  directives: ParsedDirective[];
+  selections: ParsedSelection[];
+}
+
 interface ParsedVariableDef {
   name: string;
   type: string;
   default: unknown;
 }
 
-type ParsedSelection = ParsedField;
+type ParsedSelection = ParsedField | ParsedFragmentSpread | ParsedInlineFragment;
+type ParsedDefinition = ParsedOperation | ParsedFragment;
 
 class Parser {
   private tokens: Token[];
@@ -174,14 +199,38 @@ class Parser {
     return null;
   }
 
-  parse(): { definitions: ParsedOperation[] } {
-    const doc: { definitions: ParsedOperation[] } = { definitions: [] };
+  parse(): { definitions: ParsedDefinition[] } {
+    const doc: { definitions: ParsedDefinition[] } = { definitions: [] };
     while (this.pos < this.tokens.length) {
-      doc.definitions.push(this.parseOperation());
+      doc.definitions.push(this.parseDefinition());
     }
     return doc;
   }
 
+  private parseDefinition(): ParsedDefinition {
+    const t = this.peek();
+    if (t && t.type === "NAME" && t.value === "fragment") {
+      return this.parseFragment();
+    }
+    return this.parseOperation();
+  }
+
+  private parseFragment(): ParsedFragment {
+    this.expect("NAME", "fragment");
+    const name = this.expect("NAME").value;
+    this.expect("NAME", "on");
+    const typeName = this.expect("NAME").value;
+    const directives = this.parseDirectives();
+    const selections = this.parseSelectionSet();
+    return {
+      kind: "fragment",
+      name,
+      on: typeName,
+      directives,
+      selections,
+    };
+  }
+
   private parseOperation(): ParsedOperation {
     const t = this.peek();
     let opType = "query";
@@ -216,7 +265,29 @@ class Parser {
     this.expect("LBRACE");
     const selections: ParsedSelection[] = [];
     while (!this.match("RBRACE")) {
-      selections.push(this.parseField());
+      if (this.match("SPREAD")) {
+        const next = this.peek();
+        if (next && next.type === "NAME" && next.value === "on") {
+          // Inline fragment: ... on Type { ... }
+          this.advance();
+          const typeName = this.expect("NAME").value;
+          const directives = this.parseDirectives();
+          const sels = this.parseSelectionSet();
+          selections.push({ kind: "inline_fragment", on: typeName, directives, selections: sels });
+        } else if (next && next.type === "LBRACE") {
+          // Inline fragment without type condition: ... { ... }
+          const directives = this.parseDirectives();
+          const sels = this.parseSelectionSet();
+          selections.push({ kind: "inline_fragment", on: null, directives, selections: sels });
+        } else {
+          // Fragment spread: ...FragmentName
+          const name = this.expect("NAME").value;
+          const directives = this.parseDirectives();
+          selections.push({ kind: "fragment_spread", name, directives });
+        }
+      } else {
+        selections.push(this.parseField());
+      }
     }
     return selections;
   }
@@ -397,6 +468,18 @@ export function graphqlAutoSchemaEnabled(): boolean {
   return ["true", "1", "yes", "on"].includes(raw);
 }
 
+/**
+ * Maximum selection-set nesting depth. A deeply nested query (or a circular
+ * fragment) would otherwise recurse without bound — a classic GraphQL DoS /
+ * stack-overflow vector. `TINA4_GRAPHQL_MAX_DEPTH` overrides the default (50);
+ * set `<= 0` to disable the guard. A non-numeric value falls back to 50.
+ */
+export function graphqlMaxDepth(): number {
+  const raw = (process.env.TINA4_GRAPHQL_MAX_DEPTH ?? "50").trim();
+  const n = parseInt(raw, 10);
+  return Number.isNaN(n) ? 50 : n;
+}
+
 // ── GraphQL Engine ───────────────────────────────────────────
 
 export class GraphQL {
@@ -416,6 +499,14 @@ export class GraphQL {
   private static classResolvers = new Map<string, Map<string, ResolverFn>>();
   private static defaultInstance: GraphQL | null = null;
 
+  /**
+   * Maximum selection-set nesting depth (read from `TINA4_GRAPHQL_MAX_DEPTH`,
+   * default 50; `<= 0` disables the guard). Public so tests can set it and the
+   * dev app can introspect it. Counted per selection level AND per fragment
+   * spread / inline fragment, so circular fragments are caught too.
+   */
+  public maxDepth: number = graphqlMaxDepth();
+
   /**
    * Decorator-style resolver registration.
    *
@@ -527,21 +618,6 @@ export class GraphQL {
     return this;
   }
 
-  /**
-   * Return schema metadata for debugging.
-   */
-  introspect(): Record<string, unknown> {
-    const queries: Record<string, unknown> = {};
-    for (const [name, config] of Object.entries(this.queries)) {
-      queries[name] = { type: (config as any).type, args: (config as any).args ?? {} };
-    }
-    const mutations: Record<string, unknown> = {};
-    for (const [name, config] of Object.entries(this.mutations)) {
-      mutations[name] = { type: (config as any).type, args: (config as any).args ?? {} };
-    }
-    return { types: Object.keys(this.types), queries, mutations };
-  }
-
   /**
    * Register a query resolver.
    */
@@ -555,21 +631,6 @@ export class GraphQL {
     return this;
   }
 
-  /**
-   * Return schema metadata for debugging.
-   */
-  introspect(): Record<string, unknown> {
-    const queries: Record<string, unknown> = {};
-    for (const [name, config] of Object.entries(this.queries)) {
-      queries[name] = { type: (config as any).type, args: (config as any).args ?? {} };
-    }
-    const mutations: Record<string, unknown> = {};
-    for (const [name, config] of Object.entries(this.mutations)) {
-      mutations[name] = { type: (config as any).type, args: (config as any).args ?? {} };
-    }
-    return { types: Object.keys(this.types), queries, mutations };
-  }
-
   /**
    * Register a mutation resolver.
    */
@@ -583,21 +644,6 @@ export class GraphQL {
     return this;
   }
 
-  /**
-   * Return schema metadata for debugging.
-   */
-  introspect(): Record<string, unknown> {
-    const queries: Record<string, unknown> = {};
-    for (const [name, config] of Object.entries(this.queries)) {
-      queries[name] = { type: (config as any).type, args: (config as any).args ?? {} };
-    }
-    const mutations: Record<string, unknown> = {};
-    for (const [name, config] of Object.entries(this.mutations)) {
-      mutations[name] = { type: (config as any).type, args: (config as any).args ?? {} };
-    }
-    return { types: Object.keys(this.types), queries, mutations };
-  }
-
   /**
    * Execute a GraphQL query string.
    */
@@ -606,7 +652,7 @@ export class GraphQL {
     const ctx = context ?? {};
     const errors: Array<{ message: string; path?: string[] }> = [];
 
-    let doc: { definitions: ParsedOperation[] };
+    let doc: { definitions: ParsedDefinition[] };
     try {
       const tokens = tokenize(query);
       const parser = new Parser(tokens);
@@ -616,11 +662,23 @@ export class GraphQL {
       return { data: null, errors: [{ message }] };
     }
 
-    if (doc.definitions.length === 0) {
+    // Split definitions into operations and fragments (fragments are named
+    // and referenced by spreads, so collect them first).
+    const fragments: Map<string, ParsedFragment> = new Map();
+    const operations: ParsedOperation[] = [];
+    for (const defn of doc.definitions) {
+      if (defn.kind === "fragment") {
+        fragments.set(defn.name, defn);
+      } else {
+        operations.push(defn);
+      }
+    }
+
+    if (operations.length === 0) {
       return { data: null, errors: [{ message: "No operation found" }] };
     }
 
-    const op = doc.definitions[0];
+    const op = operations[0];
     const resolvers = op.operation === "query" ? this.queries : this.mutations;
 
     // Apply variable defaults
@@ -631,16 +689,9 @@ export class GraphQL {
     }
 
     const data: Record<string, unknown> = {};
-
-    for (const sel of op.selections) {
-      // Check directives (@skip, @include, @auth, @role, @guest)
-      if (!this.checkDirectives(sel.directives ?? [], vars, ctx)) continue;
-
-      const [value, errs] = this.resolveField(sel, resolvers, null, vars, ctx);
-      errors.push(...errs);
-      const key = sel.alias ?? sel.name;
-      data[key] = value;
-    }
+    // Top-level selections start at depth 1.
+    const errs = this.resolveSelectionsInto(op.selections, resolvers, null, vars, ctx, fragments, data, 1);
+    errors.push(...errs);
 
     const result: GraphQLResult = { data };
     if (errors.length > 0) {
@@ -650,55 +701,68 @@ export class GraphQL {
   }
 
   /**
-   * Return schema metadata for debugging.
+   * Resolve a list of selections and merge results into the `target` dict.
+   * Fragment spreads and inline fragments are merged (not nested).
+   *
+   * `depth` is incremented on every recursive entry (field sub-selections,
+   * fragment spreads, inline fragments) and checked against `maxDepth` so an
+   * over-deep query or a circular fragment fails with a structured error
+   * instead of recursing until the interpreter stack overflows. Top-level
+   * starts at depth 1; `maxDepth <= 0` disables the guard.
    */
-  introspect(): Record<string, unknown> {
-    const queries: Record<string, unknown> = {};
-    for (const [name, config] of Object.entries(this.queries)) {
-      queries[name] = { type: (config as any).type, args: (config as any).args ?? {} };
-    }
-    const mutations: Record<string, unknown> = {};
-    for (const [name, config] of Object.entries(this.mutations)) {
-      mutations[name] = { type: (config as any).type, args: (config as any).args ?? {} };
+  private resolveSelectionsInto(
+    selections: ParsedSelection[],
+    resolvers: Map<string, QueryConfig>,
+    parent: unknown,
+    variables: Record<string, unknown>,
+    context: Record<string, unknown>,
+    fragments: Map<string, ParsedFragment>,
+    target: Record<string, unknown>,
+    depth: number,
+  ): Array<{ message: string; path?: string[] }> {
+    const errors: Array<{ message: string; path?: string[] }> = [];
+
+    if (this.maxDepth > 0 && depth > this.maxDepth) {
+      return [{ message: `Query exceeds maximum depth of ${this.maxDepth}` }];
     }
-    return { types: Object.keys(this.types), queries, mutations };
-  }
 
+    for (const sel of selections) {
+      // Check directives (@skip, @include, @auth, @role, @guest)
+      if (!this.checkDirectives(sel.directives ?? [], variables, context)) continue;
 
-  /**
-   * Return schema metadata for debugging.
-   */
-  introspect(): Record<string, unknown> {
-    const queries: Record<string, unknown> = {};
-    for (const [name, config] of Object.entries(this.queries)) {
-      queries[name] = { type: (config as any).type, args: (config as any).args ?? {} };
-    }
-    const mutations: Record<string, unknown> = {};
-    for (const [name, config] of Object.entries(this.mutations)) {
-      mutations[name] = { type: (config as any).type, args: (config as any).args ?? {} };
+      if (sel.kind === "fragment_spread") {
+        const frag = fragments.get(sel.name);
+        if (!frag) {
+          errors.push({ message: `Fragment not found: ${sel.name}` });
+          continue;
+        }
+        const errs = this.resolveSelectionsInto(
+          frag.selections, resolvers, parent, variables, context, fragments, target, depth + 1,
+        );
+        errors.push(...errs);
+        continue;
+      }
+
+      if (sel.kind === "inline_fragment") {
+        const errs = this.resolveSelectionsInto(
+          sel.selections, resolvers, parent, variables, context, fragments, target, depth + 1,
+        );
+        errors.push(...errs);
+        continue;
+      }
+
+      const [value, errs] = this.resolveField(sel, resolvers, parent, variables, context, fragments, depth);
+      errors.push(...errs);
+      const key = sel.alias ?? sel.name;
+      target[key] = value;
     }
-    return { types: Object.keys(this.types), queries, mutations };
+
+    return errors;
   }
 
   /**
    * Generate SDL schema string.
    */
-
-  /**
-   * Return schema metadata for debugging.
-   */
-  introspect(): Record<string, unknown> {
-    const queries: Record<string, unknown> = {};
-    for (const [name, config] of Object.entries(this.queries)) {
-      queries[name] = { type: (config as any).type, args: (config as any).args ?? {} };
-    }
-    const mutations: Record<string, unknown> = {};
-    for (const [name, config] of Object.entries(this.mutations)) {
-      mutations[name] = { type: (config as any).type, args: (config as any).args ?? {} };
-    }
-    return { types: Object.keys(this.types), queries, mutations };
-  }
-
   schemaSdl(): string {
     const lines: string[] = [];
 
@@ -737,21 +801,6 @@ export class GraphQL {
     return lines.join("\n");
   }
 
-  /**
-   * Return schema metadata for debugging.
-   */
-  introspect(): Record<string, unknown> {
-    const queries: Record<string, unknown> = {};
-    for (const [name, config] of Object.entries(this.queries)) {
-      queries[name] = { type: (config as any).type, args: (config as any).args ?? {} };
-    }
-    const mutations: Record<string, unknown> = {};
-    for (const [name, config] of Object.entries(this.mutations)) {
-      mutations[name] = { type: (config as any).type, args: (config as any).args ?? {} };
-    }
-    return { types: Object.keys(this.types), queries, mutations };
-  }
-
   /**
    * Auto-generate type, queries, and CRUD mutations from an ORM model class.
    *
@@ -967,6 +1016,8 @@ export class GraphQL {
     parent: unknown,
     variables: Record<string, unknown>,
     context: Record<string, unknown> = {},
+    fragments: Map<string, ParsedFragment> = new Map(),
+    depth: number = 1,
   ): [unknown, Array<{ message: string; path?: string[] }>] {
     const errors: Array<{ message: string; path?: string[] }> = [];
     const name = sel.name;
@@ -997,8 +1048,13 @@ export class GraphQL {
       try {
         value = config.resolver(null, args, ctx);
       } catch (e: unknown) {
+        // Log the real cause; only surface the detail to the client in debug
+        // mode — a resolver exception can carry internal state (DB errors,
+        // credentials) that must not leak. The path is always preserved.
         const message = e instanceof Error ? e.message : String(e);
-        errors.push({ message, path: [name] });
+        Log.error(`GraphQL resolver '${name}' failed: ${message}`);
+        const detail = isDebugMode() ? message : "Internal server error";
+        errors.push({ message: detail, path: [name] });
         return [null, errors];
       }
     }
@@ -1011,11 +1067,10 @@ export class GraphQL {
       const result: Record<string, unknown>[] = [];
       for (const item of value) {
         const obj: Record<string, unknown> = {};
-        for (const subSel of sel.selections) {
-          const [subVal, subErrs] = this.resolveField(subSel, new Map(), item, variables, context);
-          errors.push(...subErrs);
-          obj[subSel.alias ?? subSel.name] = subVal;
-        }
+        const errs = this.resolveSelectionsInto(
+          sel.selections, new Map(), item, variables, context, fragments, obj, depth + 1,
+        );
+        errors.push(...errs);
         result.push(obj);
       }
       return [result, errors];
@@ -1023,11 +1078,10 @@ export class GraphQL {
 
     if (value !== null && value !== undefined) {
       const obj: Record<string, unknown> = {};
-      for (const subSel of sel.selections) {
-        const [subVal, subErrs] = this.resolveField(subSel, new Map(), value, variables, context);
-        errors.push(...subErrs);
-        obj[subSel.alias ?? subSel.name] = subVal;
-      }
+      const errs = this.resolveSelectionsInto(
+        sel.selections, new Map(), value, variables, context, fragments, obj, depth + 1,
+      );
+      errors.push(...errs);
       return [obj, errors];
     }
 

package/packages/core/src/htmlElement.ts

@@ -45,8 +45,35 @@ const HTML_TAGS: readonly string[] = [
   "wbr",
 ];
 
+/**
+ * Raw — marker for trusted, pre-sanitised HTML that must render UNESCAPED.
+ *
+ * String/scalar children of an HtmlElement are HTML-escaped by default to
+ * prevent stored/reflected XSS. Wrap a value in Raw to opt out of escaping
+ * when (and only when) you have already sanitised it yourself.
+ *
+ *   new HtmlElement("div", {}, ["<b>x</b>"]).toString()           // &lt;b&gt;x&lt;/b&gt;  (escaped)
+ *   new HtmlElement("div", {}, [new Raw("<b>x</b>")]).toString()  // <b>x</b>              (raw)
+ *
+ * Alias: SafeString.
+ */
+export class Raw {
+  readonly value: string;
+
+  constructor(value: string) {
+    this.value = String(value);
+  }
+
+  toString(): string {
+    return this.value;
+  }
+}
+
+// Alias — some callers/frameworks prefer the SafeString name (matches Frond/Python).
+export const SafeString = Raw;
+
 type Attrs = Record<string, string | number | boolean | null | undefined>;
-type Child = string | number | HtmlElement;
+type Child = string | number | HtmlElement | Raw;
 
 function escapeAttr(value: string): string {
   return value
@@ -56,8 +83,28 @@ function escapeAttr(value: string): string {
     .replace(/>/g, "&gt;");
 }
 
+/**
+ * Escape a plain string/scalar child so it cannot inject markup (defeats XSS).
+ */
+function escapeText(value: string): string {
+  return value
+    .replace(/&/g, "&amp;")
+    .replace(/</g, "&lt;")
+    .replace(/>/g, "&gt;");
+}
+
 function isAttrs(arg: unknown): arg is Attrs {
-  return typeof arg === "object" && arg !== null && !(arg instanceof HtmlElement) && !Array.isArray(arg);
+  return typeof arg === "object" && arg !== null
+    && !(arg instanceof HtmlElement) && !(arg instanceof Raw) && !Array.isArray(arg);
+}
+
+/**
+ * A builder produced by htmlElement() is a callable function branded with
+ * `_isHtmlElement`. Its toString() already produces fully-escaped HTML, so it
+ * must render verbatim (not be escaped as a string).
+ */
+function isBuilderElement(arg: unknown): boolean {
+  return typeof arg === "function" && (arg as { _isHtmlElement?: boolean })._isHtmlElement === true;
 }
 
 /**
@@ -95,7 +142,19 @@ export class HtmlElement {
     html += ">";
 
     for (const child of this.children) {
-      html += String(child);
+      if (child instanceof HtmlElement) {
+        // Nested elements render themselves (already escape their own children).
+        html += child.toString();
+      } else if (child instanceof Raw) {
+        // Explicitly trusted markup — emit unescaped.
+        html += child.toString();
+      } else if (isBuilderElement(child)) {
+        // Callable builder produced by htmlElement() — render via its toString.
+        html += String(child);
+      } else {
+        // Plain string/scalar child — escape to defeat XSS.
+        html += escapeText(String(child));
+      }
     }
 
     html += `</${this.tag}>`;

package/packages/core/src/index.ts

@@ -15,7 +15,7 @@ export type {
 
 export { startServer, resolvePortAndHost, handle, start, stop, httpReason, resolveTemplate, resetTemplateCache, templateAutoRoutingEnabled, isBannerSuppressed } from "./server.js";
 export { background, stopAllBackgroundTasks, backgroundTaskCount } from "./background.js";
-export { Router, RouteGroup, RouteRef, defaultRouter, runRouteMiddlewares, resolveStringMiddleware, isTrailingSlashRedirectEnabled } from "./router.js";
+export { Router, RouteGroup, RouteRef, WsRouteRef, defaultRouter, runRouteMiddlewares, resolveStringMiddleware, isTrailingSlashRedirectEnabled } from "./router.js";
 export { get, post, put, patch, del, any, websocket, del as delete } from "./router.js";
 export type { RouteInfo } from "./router.js";
 export { discoverRoutes } from "./routeDiscovery.js";
@@ -45,6 +45,7 @@ export {
   hashPassword, checkPassword,
   authMiddleware,
   refreshToken, authenticateRequest, validateApiKey,
+  ensureDevSecret,
   Auth,
 } from "./auth.js";
 export { Session, FileSessionHandler, RedisSessionHandler, buildSessionCookie } from "./session.js";
@@ -57,14 +58,15 @@ export { Queue } from "./queue.js";
 export type { QueueConfig, QueueJob, ProcessOptions } from "./queue.js";
 export { createJob } from "./job.js";
 export type { JobData, JobQueueBridge } from "./job.js";
-export { GraphQL, ParseError, graphqlEndpoint, graphqlAutoSchemaEnabled } from "./graphql.js";
+export { GraphQL, ParseError, graphqlEndpoint, graphqlAutoSchemaEnabled, graphqlMaxDepth } from "./graphql.js";
 export type { GraphQLField, ResolverFn, GraphQLResult } from "./graphql.js";
 export {
   WebSocketServer,
   devReloadWs,
-  computeAcceptKey, parseUpgradeHeaders, buildFrame, parseFrame,
+  computeAcceptKey, parseUpgradeHeaders, buildFrame, parseFrame, originAllowed,
+  wsToken, wsAuthorized, offeredBearerSubprotocol, serveWebSocketRoute, wsRouteManager,
   OP_TEXT, OP_BINARY, OP_CLOSE, OP_PING, OP_PONG,
-  CLOSE_NORMAL, CLOSE_PROTOCOL_ERROR,
+  CLOSE_NORMAL, CLOSE_GOING_AWAY, CLOSE_PROTOCOL_ERROR, CLOSE_POLICY_VIOLATION,
 } from "./websocket.js";
 export type { WebSocketClient } from "./websocket.js";
 export { ServiceRunner, Tina4Service, matchCronField, matchesCron } from "./service.js";
@@ -86,12 +88,12 @@ export {
   handleFeedbackWidgetJs,
   registerFeedbackRoutes,
 } from "./feedback.js";
-export { Messenger } from "./messenger.js";
+export { Messenger, MessengerConnectionError } from "./messenger.js";
 export type { SendResult, EmailMessage } from "./messenger.js";
 export { DevMailbox, createMessenger } from "./devMailbox.js";
 export { WSDLService, WSDLOperation } from "./wsdl.js";
 export type { WSDLOperationMeta } from "./wsdl.js";
-export { HtmlElement, htmlElement, addHtmlHelpers } from "./htmlElement.js";
+export { HtmlElement, htmlElement, addHtmlHelpers, Raw, SafeString } from "./htmlElement.js";
 export { renderErrorOverlay, renderProductionError, isDebugMode } from "./errorOverlay.js";
 export { AI_TOOLS, isInstalled, showMenu, installSelected, installAll, generateContext } from "./ai.js";
 export type { AiTool } from "./ai.js";
@@ -99,8 +101,12 @@ export type { ImapMessage, ImapFullMessage } from "./messenger.js";
 export { LiteBackend } from "./queueBackends/liteBackend.js";
 export { RabbitMQBackend, parseAmqpUrl } from "./queueBackends/rabbitmqBackend.js";
 export type { RabbitMQConfig } from "./queueBackends/rabbitmqBackend.js";
-export { KafkaBackend } from "./queueBackends/kafkaBackend.js";
-export type { KafkaConfig } from "./queueBackends/kafkaBackend.js";
+export { KafkaBackend, kafkaSecurityConfig } from "./queueBackends/kafkaBackend.js";
+export type {
+  KafkaConfig,
+  KafkaSecurityConfig,
+  KafkaClientConfig,
+} from "./queueBackends/kafkaBackend.js";
 export { MongoBackend } from "./queueBackends/mongoBackend.js";
 export type { MongoConfig as MongoQueueConfig } from "./queueBackends/mongoBackend.js";
 export { DatabaseSessionHandler } from "./sessionHandlers/databaseHandler.js";
@@ -119,8 +125,13 @@ export { Container, container } from "./container.js";
 export { Validator } from "./validator.js";
 export type { ValidationError } from "./validator.js";
 export type { WebSocketConnection } from "./websocketConnection.js";
-export { RedisBackplane, NATSBackplane, createBackplane } from "./websocketBackplane.js";
-export type { WebSocketBackplane } from "./websocketBackplane.js";
+export {
+  RedisBackplane, NATSBackplane, createBackplane,
+  WsBackplaneManager, buildEnvelope, WS_BACKPLANE_CHANNEL,
+} from "./websocketBackplane.js";
+export type {
+  WebSocketBackplane, WsEnvelope, WsEnvelopeKind, WsBackplaneLogger,
+} from "./websocketBackplane.js";
 export {
   McpServer, mcpTool, mcpResource, registerDevTools, getDefaultDevServer,
   encodeResponse, encodeError, encodeNotification, decodeRequest,