ServerKit
A modular collection of TypeScript packages for building Node.js server applications.
Packages
AppConfig
Flexible, type-safe configuration management with support for multiple sources and value transformation.
- Load from JSON, YAML, and .env files
- Transform values using environment variables and GCP/AWS secrets
- Merge configurations from multiple sources
- Reload config at runtime and inject the latest values via an IOptions-style accessor trio
Authentication
Authentication primitives for ServerKit applications.
- Pluggable authentication factors: password, email (OTP/magic link), phone (OTP), authenticator app (TOTP/HOTP), FIDO2/WebAuthn, and single-use recovery codes
- Scheme-based handler dispatch with built-in JWT (multi-issuer Bearer) and Basic support
- Server-side session lifecycle and JWT issuance
- Password strength validation (zxcvbn + HaveIBeenPwned) and rate-limited verification
- Account recovery orchestrator covering forgot-password, MFA recovery, account unlock, and full account recovery
Cache
Cache utilities with pluggable backends.
- DI-friendly cache interface
- Redis (ioredis) backend support
- Rate limiting helpers
Encryption
Encryption primitives for ServerKit applications, including envelope encryption and a pluggable KMS provider interface.
- DI-friendly encryption services
- Per-id KMS provider with key rotation and deterministic fingerprinting
- In-memory KMS provider for tests and local development
- Integrates with the errors package for consistent failures
Errors
Comprehensive error handling with fluent API design and database integration.
- ServerkitError base class with chainable withDetails/withCause/withInternalDetails
- HttpError subclass with status codes and response headers
- PostgreSQL error mapping and handling
- Class-level error decorators
JobBroker
Background job processing powered by PostgreSQL-backed queues.
- Scheduled and on-demand job execution
- Built on pg-boss for reliable delivery
- Simple runner abstraction
Johnny5
A CLI framework for ServerKit-based applications.
- createCliApp assembles a commander program from declarative CommandModule definitions
- Built-in doctor runner with auto-remediation hooks and a rich Check API
- Workspace-package plugin discovery via a top-level "johnny5" field in each plugin's package.json
- Opt-in integrations exposed as subpath exports: ServerKit DI bootstrap, Postgres / Redis / Docker / filesystem / version checks
Koa
Koa middleware, body parsing, and utilities for ServerKit.
- Typed ServerKitContext with request-scoped DI container
- Error, CORS, rate limiting, and context middleware
- Type-safe router and middleware wrappers
Kysely
Kysely utilities for ServerKit applications backed by PostgreSQL.
- DI-friendly database client setup
- Shared helpers for pg and Luxon types
Logger
Lightweight logging abstraction designed for dependency injection.
- Multiple log levels
- DI-friendly interface
- Console logger implementation
Multipart
Robust multipart/form-data parsing with stream support.
- Promise-based API
- Configurable size limits
- Efficient stream-based file handling
Permissions
Zanzibar-style relationship-based access control.
- Authorization model DSL with direct, computed, tupleToUserset, union, intersection, exclusion
- Validated AuthorizationModel — bad models fail at startup, not at Check time
- Pluggable PermissionsTupleRepository for any storage backend, plus a built-in InMemoryTupleRepository for tests and tooling
- Recursive Check evaluator with per-request memo, cycle guard, and pluggable metrics sink
- explain() returns a hierarchical CheckTrace for debugging why a check passed or failed
Permissions DSL
A surface-syntax DSL and compiler (pdsl CLI) for authoring permissions declaratively, plus a test/checker for them.
- Human-readable .perm files with | union, & intersection, - exclusion, -> tupleToUserset operators
- Ohm-based grammar with caret-annotated diagnostics
- Generates TypeScript that calls the @maroonedsoftware/permissions builders
- SpiceDB-style .perm.yaml fixtures with assertTrue / assertFalse / validation blocks
- pdsl CLI subcommands: compile, validate <fixture>, check, and explain (with trace output)
Policies
Small, DI-friendly framework for encoding allow/deny rules as named, injectable Policy classes.
- Discriminated PolicyResult ({ allowed: true } | { allowed: false, reason, details? }) so policies surface machine-readable reasons instead of throwing
- Type-safe PolicyService — declare a Policies map and check / assert enforce the right context per name at compile time
- Per-evaluation envelope with now: DateTime (extend with session, request id, …)
- denyStepUp(reason, requirement) helper bundles a StepUpRequirement for re-auth-gated operations
SCIM
SCIM 2.0 (RFC 7643/7644) server toolkit — schemas, filter parser, PATCH applier, error envelope, and a Koa router with abstract repositories.
- Core schemas (User, Group, EnterpriseUser) and discovery endpoints (/Schemas, /ResourceTypes, /ServiceProviderConfig)
- Full SCIM filter grammar with a typed AST
- PATCH op applier with value-path filters
- Abstract ScimUserRepository / ScimGroupRepository for any datastore
- Bearer-scope guard that integrates with @maroonedsoftware/authentication
Storage
Object storage abstraction with pluggable backends.
- DI-friendly StorageProvider interface (write/read/stat/exists/delete/copy/move/list, byte-range reads, signed URLs)
- Local filesystem, AWS S3, and Google Cloud Storage backends
- Cloud SDKs are optional peer dependencies — install only what you use
- Typed errors for not-found, access-denied, and unsupported operations
Utilities
Common utility functions for everyday server development.
- UUID and email validation
- Base32 encoding/decoding
- Deterministic SVG avatar and identicon generation
- Lightweight and dependency-free
Zod
Zod utilities for ServerKit, integrated with the errors package.
- Helpers for translating Zod issues into HTTP errors
- Shared schema utilities
Requirements
- Node.js 22+
- pnpm 10.24.0+
Development
pnpm install # Install dependencies
pnpm build # Build all packages
pnpm test # Run tests
pnpm lint # Lint
pnpm format # Format
License
MIT