App surface generation — JSON-serializable attack surface from route and middleware specs.
Pure schema helpers (is_null_schema, schema_to_surface, middleware_applies,
merge_error_schemas) live in schema_helpers.ts.
13 declarations
AppSurface Generated attack surface — JSON-serializable.
middlewareArray<AppSurfaceMiddleware>routesArray<AppSurfaceRoute>envArray<AppSurfaceEnv>eventsArray<AppSurfaceEvent>diagnosticsArray<AppSurfaceDiagnostic>AppSurfaceDiagnostic Assembly-time diagnostic collected during surface generation or server assembly.
level'warning' | 'info'categorystringmessagestringsourcestringAppSurfaceEnv An env var in the generated attack surface (JSON-serializable).
namestringdescriptionstringsensitivitySensitivity level from .meta({sensitivity}). null when not sensitive.
Sensitivity | nullhas_defaultbooleanoptionalbooleanAppSurfaceEvent An SSE event in the generated attack surface (JSON-serializable).
methodstringdescriptionstringchannelstring | nullparams_schemaunknownAppSurfaceMiddleware A middleware in the generated attack surface (JSON-serializable).
namestringpathstringerror_schemasJSON Schema representations of error responses, keyed by HTTP status code. null when none.
Record<string, unknown> | nullAppSurfaceRoute A route in the generated attack surface (JSON-serializable).
methodstringpathstringauthapplicable_middlewareArray<string>descriptionstringis_mutationWhether this route mutates state (POST, PUT, DELETE, PATCH).
booleantransactionWhether this route's handler runs inside a database transaction.
booleanrate_limit_keyRate limit key type declared on the route spec. null when not rate-limited.
RateLimitKey | nullparams_schemaJSON Schema representation of the URL path params schema. null when no params.
unknownquery_schemaJSON Schema representation of the URL query params schema. null when no query schema.
unknowninput_schemaJSON Schema representation of the request body schema. null for no-body routes.
unknownoutput_schemaJSON Schema representation of the success response schema.
unknownerror_schemasJSON Schema representations of error responses, keyed by HTTP status code. null when none.
Record<string, unknown> | nullAppSurfaceSpec The surface bundled with the source specs that produced it.
AppSurface is JSON-serializable (snapshots, UI, startup logging). AppSurfaceSpec is runtime-only (tests, introspection, attack surface assertions).
surfaceroute_specsArray<RouteSpec>middleware_specsArray<MiddlewareSpec>(middleware: MiddlewareSpec[], route_path: string): Partial<Record<number, ZodType<unknown, unknown, $ZodTypeInternals<unknown, unknown>>>> | null Collect error schemas from all middleware that applies to a route path.
middlewarethe middleware specs
MiddlewareSpec[]route_paththe route path to match against
stringPartial<Record<number, ZodType<unknown, unknown, $ZodTypeInternals<unknown, unknown>>>> | null merged middleware error schemas, or null if none
(options: GenerateAppSurfaceOptions): AppSurfaceSpec Create an AppSurfaceSpec — the surface bundled with its source specs.
optionsthe surface generation options
AppSurfaceSpec the surface spec with surface and raw specs
(schema: ZodObject<$ZodLooseShape, $strip>): AppSurfaceEnv[] Convert env schema to surface entries using .meta() metadata.
schemaZod object schema with .meta() on fields
ZodObject<$ZodLooseShape, $strip>AppSurfaceEnv[] array of env surface entries
(event_specs: SseEventSpec[]): AppSurfaceEvent[] Convert SSE event specs to surface entries.
event_specsevent specs to convert
SseEventSpec[]AppSurfaceEvent[] array of event surface entries
(options: GenerateAppSurfaceOptions): AppSurface Generate a JSON-serializable attack surface from middleware, route specs, and optional env/event metadata.
optionsthe surface generation options
AppSurface the attack surface
GenerateAppSurfaceOptions Options for generate_app_surface.
route_specsArray<RouteSpec>middleware_specsArray<MiddlewareSpec>env_schemaz.ZodObjectevent_specsArray<SseEventSpec>