@actuate-media/cms-core 0.10.4 → 0.11.0

package/dist/security/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/security/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,WAAW,EAAE,qBAAqB,EAAE,kBAAkB,EAAE,oBAAoB,EAAE,gBAAgB,EAAE,MAAM,aAAa,CAAC;AAG7H,OAAO,EAAE,aAAa,IAAI,iBAAiB,EAAE,aAAa,IAAI,iBAAiB,EAAE,MAAM,WAAW,CAAC;AAEnG,OAAO,EAAE,iBAAiB,EAAE,MAAM,iBAAiB,CAAC;AAGpD,OAAO,EAAE,YAAY,EAAE,SAAS,EAAE,MAAM,eAAe,CAAC;AAExD,OAAO,EAAE,gBAAgB,EAAE,eAAe,EAAE,MAAM,aAAa,CAAC;AAEhE,OAAO,EAAE,kBAAkB,EAAE,eAAe,EAAE,MAAM,cAAc,CAAC;AAEnE,OAAO,EAAE,QAAQ,EAAE,WAAW,EAAE,MAAM,YAAY,CAAC;AAGnD,OAAO,EAAE,kBAAkB,EAAE,MAAM,cAAc,CAAC;AAGlD,OAAO,EAAE,uBAAuB,EAAE,MAAM,iBAAiB,CAAC;AAG1D,OAAO,EAAE,aAAa,EAAE,MAAM,mBAAmB,CAAC;AAElD,OAAO,EAAE,kBAAkB,EAAE,eAAe,EAAE,MAAM,wBAAwB,CAAC;AAG7E,OAAO,EAAE,cAAc,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAG3D,OAAO,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAC;AAEhD,OAAO,EAAE,oBAAoB,EAAE,MAAM,qBAAqB,CAAC;AAG3D,OAAO,EAAE,YAAY,EAAE,YAAY,EAAE,MAAM,uBAAuB,CAAC;AAEnE,OAAO,EAAE,cAAc,EAAE,MAAM,WAAW,CAAC;AAG3C,OAAO,EAAE,gBAAgB,EAAE,cAAc,EAAE,MAAM,iBAAiB,CAAC;AAEnE,OAAO,EAAE,mBAAmB,EAAE,MAAM,mBAAmB,CAAC;AAGxD,OAAO,EAAE,cAAc,EAAE,mBAAmB,EAAE,MAAM,uBAAuB,CAAC;AAG5E,OAAO,EAAE,aAAa,EAAE,gBAAgB,EAAE,MAAM,cAAc,CAAC"}
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/security/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,WAAW,EAAE,qBAAqB,EAAE,kBAAkB,EAAE,oBAAoB,EAAE,gBAAgB,EAAE,MAAM,aAAa,CAAC;AAG7H,OAAO,EAAE,aAAa,IAAI,iBAAiB,EAAE,aAAa,IAAI,iBAAiB,EAAE,MAAM,WAAW,CAAC;AAEnG,OAAO,EAAE,iBAAiB,EAAE,MAAM,iBAAiB,CAAC;AAGpD,OAAO,EAAE,YAAY,EAAE,SAAS,EAAE,MAAM,eAAe,CAAC;AAExD,OAAO,EAAE,gBAAgB,EAAE,eAAe,EAAE,MAAM,aAAa,CAAC;AAEhE,OAAO,EAAE,kBAAkB,EAAE,eAAe,EAAE,MAAM,cAAc,CAAC;AAEnE,OAAO,EAAE,QAAQ,EAAE,WAAW,EAAE,MAAM,YAAY,CAAC;AAGnD,OAAO,EAAE,kBAAkB,EAAE,MAAM,cAAc,CAAC;AAGlD,OAAO,EAAE,uBAAuB,EAAE,MAAM,iBAAiB,CAAC;AAG1D,OAAO,EAAE,aAAa,EAAE,MAAM,mBAAmB,CAAC;AAElD,OAAO,EAAE,kBAAkB,EAAE,eAAe,EAAE,MAAM,wBAAwB,CAAC;AAG7E,OAAO,EAAE,cAAc,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAG3D,OAAO,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAC;AAEhD,OAAO,EAAE,oBAAoB,EAAE,MAAM,qBAAqB,CAAC;AAG3D,OAAO,EAAE,YAAY,EAAE,YAAY,EAAE,MAAM,uBAAuB,CAAC;AAEnE,OAAO,EAAE,cAAc,EAAE,MAAM,WAAW,CAAC;AAG3C,OAAO,EAAE,gBAAgB,EAAE,cAAc,EAAE,MAAM,iBAAiB,CAAC;AAEnE,OAAO,EAAE,mBAAmB,EAAE,MAAM,mBAAmB,CAAC;AAGxD,OAAO,EAAE,cAAc,EAAE,mBAAmB,EAAE,MAAM,uBAAuB,CAAC;AAG5E,OAAO,EAAE,aAAa,EAAE,gBAAgB,EAAE,MAAM,cAAc,CAAC;AAG/D,OAAO,EAAE,WAAW,EAAE,YAAY,EAAE,MAAM,gBAAgB,CAAC;AAG3D,OAAO,EAAE,SAAS,EAAE,gBAAgB,EAAE,MAAM,iBAAiB,CAAC;AAG9D,OAAO,EACL,aAAa,EACb,aAAa,EACb,WAAW,EACX,kBAAkB,EAClB,kBAAkB,GACnB,MAAM,qBAAqB,CAAC;AAE7B,OAAO,EAAE,aAAa,EAAE,MAAM,aAAa,CAAC;AAE5C,OAAO,EAAE,kBAAkB,EAAE,iBAAiB,EAAE,qBAAqB,EAAE,MAAM,oBAAoB,CAAC"}

package/dist/security/internal-keys.d.ts

@@ -0,0 +1,15 @@
+/**
+ * Centralised list of "system" keys that may appear inside `Document.data`
+ * but are managed by the CMS rather than the user. Anything here is:
+ *
+ *  - stripped from API responses (so internal scoring data isn't leaked)
+ *  - allowed through field-level write access checks (so plugins can
+ *    set them even when the field isn't declared in the collection)
+ *
+ * Keep this in lockstep with `actions.ts`/`access.ts` to avoid drift.
+ */
+export declare const INTERNAL_DATA_KEYS: Set<string>;
+export declare function isInternalDataKey(key: string): boolean;
+/** Return a shallow copy of `data` with all internal/system keys removed. */
+export declare function stripInternalDataKeys<T extends Record<string, unknown>>(data: T): T;
+//# sourceMappingURL=internal-keys.d.ts.map

package/dist/security/internal-keys.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"internal-keys.d.ts","sourceRoot":"","sources":["../../src/security/internal-keys.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AACH,eAAO,MAAM,kBAAkB,aAQ7B,CAAC;AAEH,wBAAgB,iBAAiB,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAEtD;AAED,6EAA6E;AAC7E,wBAAgB,qBAAqB,CAAC,CAAC,SAAS,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAAE,IAAI,EAAE,CAAC,GAAG,CAAC,CAOnF"}

package/dist/security/internal-keys.js

@@ -0,0 +1,33 @@
+/**
+ * Centralised list of "system" keys that may appear inside `Document.data`
+ * but are managed by the CMS rather than the user. Anything here is:
+ *
+ *  - stripped from API responses (so internal scoring data isn't leaked)
+ *  - allowed through field-level write access checks (so plugins can
+ *    set them even when the field isn't declared in the collection)
+ *
+ * Keep this in lockstep with `actions.ts`/`access.ts` to avoid drift.
+ */
+export const INTERNAL_DATA_KEYS = new Set([
+    '_layout',
+    '_pageSettings',
+    '_aiScore',
+    '_embedding',
+    '_seoScore',
+    '_brandScore',
+    '_readabilityScore',
+]);
+export function isInternalDataKey(key) {
+    return key.startsWith('_') || INTERNAL_DATA_KEYS.has(key);
+}
+/** Return a shallow copy of `data` with all internal/system keys removed. */
+export function stripInternalDataKeys(data) {
+    const out = {};
+    for (const [key, value] of Object.entries(data)) {
+        if (isInternalDataKey(key))
+            continue;
+        out[key] = value;
+    }
+    return out;
+}
+//# sourceMappingURL=internal-keys.js.map

package/dist/security/internal-keys.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"internal-keys.js","sourceRoot":"","sources":["../../src/security/internal-keys.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AACH,MAAM,CAAC,MAAM,kBAAkB,GAAG,IAAI,GAAG,CAAS;IAChD,SAAS;IACT,eAAe;IACf,UAAU;IACV,YAAY;IACZ,WAAW;IACX,aAAa;IACb,mBAAmB;CACpB,CAAC,CAAC;AAEH,MAAM,UAAU,iBAAiB,CAAC,GAAW;IAC3C,OAAO,GAAG,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,kBAAkB,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;AAC5D,CAAC;AAED,6EAA6E;AAC7E,MAAM,UAAU,qBAAqB,CAAoC,IAAO;IAC9E,MAAM,GAAG,GAA4B,EAAE,CAAC;IACxC,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC;QAChD,IAAI,iBAAiB,CAAC,GAAG,CAAC;YAAE,SAAS;QACrC,GAAG,CAAC,GAAG,CAAC,GAAG,KAAK,CAAC;IACnB,CAAC;IACD,OAAO,GAAQ,CAAC;AAClB,CAAC"}

package/dist/security/ip-allowlist.d.ts

@@ -1,3 +1,15 @@
-/** Check whether an IP address is within a list of allowed IPs or CIDR ranges. */
+/**
+ * IP allowlist matcher supporting both IPv4 and IPv6, including CIDR ranges.
+ *
+ * - Empty allowlist allows everything (the integrator opted out).
+ * - When the allowlist is non-empty, the literal `'unknown'` (the sentinel
+ *   returned by the trusted-IP resolver when no proxy header was present)
+ *   never matches.
+ * - IPv4 entries match IPv4 addresses (with optional `/n` CIDR mask, n=0..32).
+ * - IPv6 entries match IPv6 addresses (with optional `/n` CIDR mask, n=0..128).
+ *   Two IPv6 strings are equal when their canonical 16-byte form matches —
+ *   so `2001:db8::1` matches `2001:db8:0:0:0:0:0:1`.
+ * - Mapped IPv4-in-IPv6 addresses (`::ffff:1.2.3.4`) are normalised to IPv4.
+ */
 export declare function isIpAllowed(ip: string, allowlist: string[]): boolean;
 //# sourceMappingURL=ip-allowlist.d.ts.map

package/dist/security/ip-allowlist.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"ip-allowlist.d.ts","sourceRoot":"","sources":["../../src/security/ip-allowlist.ts"],"names":[],"mappings":"AAAA,kFAAkF;AAClF,wBAAgB,WAAW,CACzB,EAAE,EAAE,MAAM,EACV,SAAS,EAAE,MAAM,EAAE,GAClB,OAAO,CAWT"}
+{"version":3,"file":"ip-allowlist.d.ts","sourceRoot":"","sources":["../../src/security/ip-allowlist.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AACH,wBAAgB,WAAW,CAAC,EAAE,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,EAAE,GAAG,OAAO,CAcpE"}

package/dist/security/ip-allowlist.js

@@ -1,35 +1,143 @@
-/** Check whether an IP address is within a list of allowed IPs or CIDR ranges. */
+/**
+ * IP allowlist matcher supporting both IPv4 and IPv6, including CIDR ranges.
+ *
+ * - Empty allowlist allows everything (the integrator opted out).
+ * - When the allowlist is non-empty, the literal `'unknown'` (the sentinel
+ *   returned by the trusted-IP resolver when no proxy header was present)
+ *   never matches.
+ * - IPv4 entries match IPv4 addresses (with optional `/n` CIDR mask, n=0..32).
+ * - IPv6 entries match IPv6 addresses (with optional `/n` CIDR mask, n=0..128).
+ *   Two IPv6 strings are equal when their canonical 16-byte form matches —
+ *   so `2001:db8::1` matches `2001:db8:0:0:0:0:0:1`.
+ * - Mapped IPv4-in-IPv6 addresses (`::ffff:1.2.3.4`) are normalised to IPv4.
+ */
 export function isIpAllowed(ip, allowlist) {
     if (allowlist.length === 0)
         return true;
+    if (!ip || ip === 'unknown')
+        return false;
+    const normalised = normaliseIp(ip);
     for (const entry of allowlist) {
-        if (entry.includes("/")) {
-            if (isInCidr(ip, entry))
+        if (entry.includes('/')) {
+            if (isInCidr(normalised, entry))
                 return true;
         }
-        else if (ip === entry) {
+        else if (ipsEqual(normalised, normaliseIp(entry))) {
             return true;
         }
     }
     return false;
 }
+function ipsEqual(a, b) {
+    if (a === b)
+        return true;
+    // Compare IPv6 by canonical bytes so `2001:db8::1` === `2001:db8:0:0:0:0:0:1`.
+    if (a.includes(':') && b.includes(':')) {
+        const ca = canonicalIpv6(a);
+        const cb = canonicalIpv6(b);
+        return ca !== null && cb !== null && ca === cb;
+    }
+    return false;
+}
+function canonicalIpv6(ip) {
+    const bytes = ipv6ToBytes(ip);
+    if (!bytes)
+        return null;
+    let out = '';
+    for (let i = 0; i < 16; i++) {
+        out += (bytes[i] ?? 0).toString(16).padStart(2, '0');
+    }
+    return out;
+}
+function normaliseIp(ip) {
+    const trimmed = ip.trim();
+    // ::ffff:1.2.3.4 → 1.2.3.4
+    if (trimmed.toLowerCase().startsWith('::ffff:')) {
+        const v4 = trimmed.slice(7);
+        if (isValidIPv4(v4))
+            return v4;
+    }
+    return trimmed;
+}
+function isValidIPv4(s) {
+    const parts = s.split('.').map(Number);
+    return parts.length === 4 && parts.every((p) => Number.isInteger(p) && p >= 0 && p <= 255);
+}
 function isInCidr(ip, cidr) {
-    const [range, bitsStr] = cidr.split("/");
+    const [range, bitsStr] = cidr.split('/');
     if (!range || !bitsStr)
         return false;
     const bits = parseInt(bitsStr, 10);
-    const ipNum = ipToNumber(ip);
-    const rangeNum = ipToNumber(range);
+    if (Number.isNaN(bits))
+        return false;
+    if (ip.includes(':') || range.includes(':')) {
+        return matchIpv6Cidr(ip, range, bits);
+    }
+    return matchIpv4Cidr(ip, range, bits);
+}
+function matchIpv4Cidr(ip, range, bits) {
+    if (bits < 0 || bits > 32)
+        return false;
+    const ipNum = ipv4ToNumber(ip);
+    const rangeNum = ipv4ToNumber(range);
     if (ipNum === null || rangeNum === null)
         return false;
-    const mask = ~((1 << (32 - bits)) - 1) >>> 0;
+    if (bits === 0)
+        return true;
+    const mask = (~((1 << (32 - bits)) - 1)) >>> 0;
     return (ipNum & mask) === (rangeNum & mask);
 }
-function ipToNumber(ip) {
-    const parts = ip.split(".").map(Number);
-    if (parts.length !== 4 || parts.some((p) => isNaN(p) || p < 0 || p > 255)) {
+function ipv4ToNumber(ip) {
+    if (!isValidIPv4(ip))
         return null;
-    }
+    const parts = ip.split('.').map(Number);
     return ((parts[0] << 24) | (parts[1] << 16) | (parts[2] << 8) | parts[3]) >>> 0;
 }
+function matchIpv6Cidr(ip, range, bits) {
+    if (bits < 0 || bits > 128)
+        return false;
+    const ipBytes = ipv6ToBytes(ip);
+    const rangeBytes = ipv6ToBytes(range);
+    if (!ipBytes || !rangeBytes)
+        return false;
+    let remaining = bits;
+    for (let i = 0; i < 16 && remaining > 0; i++) {
+        const take = Math.min(8, remaining);
+        const mask = (0xff << (8 - take)) & 0xff;
+        if ((ipBytes[i] & mask) !== (rangeBytes[i] & mask))
+            return false;
+        remaining -= take;
+    }
+    return true;
+}
+/** Expand the `::` shorthand and return 16 bytes; null when the input isn't a valid IPv6. */
+function ipv6ToBytes(ip) {
+    // Reject IPv4-mapped form for the IPv6 path; caller normalises ::ffff:x.x.x.x first.
+    if (ip.includes('.'))
+        return null;
+    const halves = ip.split('::');
+    if (halves.length > 2)
+        return null;
+    const left = halves[0] ? halves[0].split(':') : [];
+    const groups = halves.length === 2
+        ? fillGroups(left, halves[1] ? halves[1].split(':') : [])
+        : left;
+    if (groups.length !== 8)
+        return null;
+    const bytes = new Uint8Array(16);
+    for (let i = 0; i < 8; i++) {
+        const value = parseInt(groups[i] || '0', 16);
+        if (Number.isNaN(value) || value < 0 || value > 0xffff)
+            return null;
+        bytes[i * 2] = (value >> 8) & 0xff;
+        bytes[i * 2 + 1] = value & 0xff;
+    }
+    return bytes;
+}
+function fillGroups(left, right) {
+    const fill = 8 - left.length - right.length;
+    if (fill < 0)
+        return [];
+    return [...left, ...new Array(fill).fill('0'), ...right];
+}
 //# sourceMappingURL=ip-allowlist.js.map

package/dist/security/ip-allowlist.js.map

@@ -1 +1 @@
-{"version":3,"file":"ip-allowlist.js","sourceRoot":"","sources":["../../src/security/ip-allowlist.ts"],"names":[],"mappings":"AAAA,kFAAkF;AAClF,MAAM,UAAU,WAAW,CACzB,EAAU,EACV,SAAmB;IAEnB,IAAI,SAAS,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC;IAExC,KAAK,MAAM,KAAK,IAAI,SAAS,EAAE,CAAC;QAC9B,IAAI,KAAK,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;YACxB,IAAI,QAAQ,CAAC,EAAE,EAAE,KAAK,CAAC;gBAAE,OAAO,IAAI,CAAC;QACvC,CAAC;aAAM,IAAI,EAAE,KAAK,KAAK,EAAE,CAAC;YACxB,OAAO,IAAI,CAAC;QACd,CAAC;IACH,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAED,SAAS,QAAQ,CAAC,EAAU,EAAE,IAAY;IACxC,MAAM,CAAC,KAAK,EAAE,OAAO,CAAC,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IACzC,IAAI,CAAC,KAAK,IAAI,CAAC,OAAO;QAAE,OAAO,KAAK,CAAC;IAErC,MAAM,IAAI,GAAG,QAAQ,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC;IACnC,MAAM,KAAK,GAAG,UAAU,CAAC,EAAE,CAAC,CAAC;IAC7B,MAAM,QAAQ,GAAG,UAAU,CAAC,KAAK,CAAC,CAAC;IAEnC,IAAI,KAAK,KAAK,IAAI,IAAI,QAAQ,KAAK,IAAI;QAAE,OAAO,KAAK,CAAC;IAEtD,MAAM,IAAI,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,EAAE,GAAG,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,KAAK,CAAC,CAAC;IAC7C,OAAO,CAAC,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,QAAQ,GAAG,IAAI,CAAC,CAAC;AAC9C,CAAC;AAED,SAAS,UAAU,CAAC,EAAU;IAC5B,MAAM,KAAK,GAAG,EAAE,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;IACxC,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,IAAI,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,GAAG,GAAG,CAAC,EAAE,CAAC;QAC1E,OAAO,IAAI,CAAC;IACd,CAAC;IACD,OAAO,CAAC,CAAC,KAAK,CAAC,CAAC,CAAE,IAAI,EAAE,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,CAAE,IAAI,EAAE,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,CAAE,IAAI,CAAC,CAAC,GAAG,KAAK,CAAC,CAAC,CAAE,CAAC,KAAK,CAAC,CAAC;AACtF,CAAC"}
+{"version":3,"file":"ip-allowlist.js","sourceRoot":"","sources":["../../src/security/ip-allowlist.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AACH,MAAM,UAAU,WAAW,CAAC,EAAU,EAAE,SAAmB;IACzD,IAAI,SAAS,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC;IACxC,IAAI,CAAC,EAAE,IAAI,EAAE,KAAK,SAAS;QAAE,OAAO,KAAK,CAAC;IAE1C,MAAM,UAAU,GAAG,WAAW,CAAC,EAAE,CAAC,CAAC;IAEnC,KAAK,MAAM,KAAK,IAAI,SAAS,EAAE,CAAC;QAC9B,IAAI,KAAK,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;YACxB,IAAI,QAAQ,CAAC,UAAU,EAAE,KAAK,CAAC;gBAAE,OAAO,IAAI,CAAC;QAC/C,CAAC;aAAM,IAAI,QAAQ,CAAC,UAAU,EAAE,WAAW,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC;YACpD,OAAO,IAAI,CAAC;QACd,CAAC;IACH,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAED,SAAS,QAAQ,CAAC,CAAS,EAAE,CAAS;IACpC,IAAI,CAAC,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC;IACzB,+EAA+E;IAC/E,IAAI,CAAC,CAAC,QAAQ,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;QACvC,MAAM,EAAE,GAAG,aAAa,CAAC,CAAC,CAAC,CAAC;QAC5B,MAAM,EAAE,GAAG,aAAa,CAAC,CAAC,CAAC,CAAC;QAC5B,OAAO,EAAE,KAAK,IAAI,IAAI,EAAE,KAAK,IAAI,IAAI,EAAE,KAAK,EAAE,CAAC;IACjD,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAED,SAAS,aAAa,CAAC,EAAU;IAC/B,MAAM,KAAK,GAAG,WAAW,CAAC,EAAE,CAAC,CAAC;IAC9B,IAAI,CAAC,KAAK;QAAE,OAAO,IAAI,CAAC;IACxB,IAAI,GAAG,GAAG,EAAE,CAAC;IACb,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,EAAE,EAAE,CAAC,EAAE,EAAE,CAAC;QAC5B,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC;IACvD,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC;AAED,SAAS,WAAW,CAAC,EAAU;IAC7B,MAAM,OAAO,GAAG,EAAE,CAAC,IAAI,EAAE,CAAC;IAC1B,2BAA2B;IAC3B,IAAI,OAAO,CAAC,WAAW,EAAE,CAAC,UAAU,CAAC,SAAS,CAAC,EAAE,CAAC;QAChD,MAAM,EAAE,GAAG,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;QAC5B,IAAI,WAAW,CAAC,EAAE,CAAC;YAAE,OAAO,EAAE,CAAC;IACjC,CAAC;IACD,OAAO,OAAO,CAAC;AACjB,CAAC;AAED,SAAS,WAAW,CAAC,CAAS;IAC5B,MAAM,KAAK,GAAG,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;IACvC,OAAO,KAAK,CAAC,MAAM,KAAK,CAAC,IAAI,KAAK,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,GAAG,CAAC,CAAC;AAC7F,CAAC;AAED,SAAS,QAAQ,CAAC,EAAU,EAAE,IAAY;IACxC,MAAM,CAAC,KAAK,EAAE,OAAO,CAAC,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IACzC,IAAI,CAAC,KAAK,IAAI,CAAC,OAAO;QAAE,OAAO,KAAK,CAAC;IACrC,MAAM,IAAI,GAAG,QAAQ,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC;IACnC,IAAI,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC;QAAE,OAAO,KAAK,CAAC;IAErC,IAAI,EAAE,CAAC,QAAQ,CAAC,GAAG,CAAC,IAAI,KAAK,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;QAC5C,OAAO,aAAa,CAAC,EAAE,EAAE,KAAK,EAAE,IAAI,CAAC,CAAC;IACxC,CAAC;IACD,OAAO,aAAa,CAAC,EAAE,EAAE,KAAK,EAAE,IAAI,CAAC,CAAC;AACxC,CAAC;AAED,SAAS,aAAa,CAAC,EAAU,EAAE,KAAa,EAAE,IAAY;IAC5D,IAAI,IAAI,GAAG,CAAC,IAAI,IAAI,GAAG,EAAE;QAAE,OAAO,KAAK,CAAC;IACxC,MAAM,KAAK,GAAG,YAAY,CAAC,EAAE,CAAC,CAAC;IAC/B,MAAM,QAAQ,GAAG,YAAY,CAAC,KAAK,CAAC,CAAC;IACrC,IAAI,KAAK,KAAK,IAAI,IAAI,QAAQ,KAAK,IAAI;QAAE,OAAO,KAAK,CAAC;IACtD,IAAI,IAAI,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC;IAC5B,MAAM,IAAI,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,EAAE,GAAG,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC;IAC/C,OAAO,CAAC,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,QAAQ,GAAG,IAAI,CAAC,CAAC;AAC9C,CAAC;AAED,SAAS,YAAY,CAAC,EAAU;IAC9B,IAAI,CAAC,WAAW,CAAC,EAAE,CAAC;QAAE,OAAO,IAAI,CAAC;IAClC,MAAM,KAAK,GAAG,EAAE,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;IACxC,OAAO,CAAC,CAAC,KAAK,CAAC,CAAC,CAAE,IAAI,EAAE,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,CAAE,IAAI,EAAE,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,CAAE,IAAI,CAAC,CAAC,GAAG,KAAK,CAAC,CAAC,CAAE,CAAC,KAAK,CAAC,CAAC;AACtF,CAAC;AAED,SAAS,aAAa,CAAC,EAAU,EAAE,KAAa,EAAE,IAAY;IAC5D,IAAI,IAAI,GAAG,CAAC,IAAI,IAAI,GAAG,GAAG;QAAE,OAAO,KAAK,CAAC;IACzC,MAAM,OAAO,GAAG,WAAW,CAAC,EAAE,CAAC,CAAC;IAChC,MAAM,UAAU,GAAG,WAAW,CAAC,KAAK,CAAC,CAAC;IACtC,IAAI,CAAC,OAAO,IAAI,CAAC,UAAU;QAAE,OAAO,KAAK,CAAC;IAC1C,IAAI,SAAS,GAAG,IAAI,CAAC;IACrB,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,EAAE,IAAI,SAAS,GAAG,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC;QAC7C,MAAM,IAAI,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,SAAS,CAAC,CAAC;QACpC,MAAM,IAAI,GAAG,CAAC,IAAI,IAAI,CAAC,CAAC,GAAG,IAAI,CAAC,CAAC,GAAG,IAAI,CAAC;QACzC,IAAI,CAAC,OAAO,CAAC,CAAC,CAAE,GAAG,IAAI,CAAC,KAAK,CAAC,UAAU,CAAC,CAAC,CAAE,GAAG,IAAI,CAAC;YAAE,OAAO,KAAK,CAAC;QACnE,SAAS,IAAI,IAAI,CAAC;IACpB,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED,6FAA6F;AAC7F,SAAS,WAAW,CAAC,EAAU;IAC7B,qFAAqF;IACrF,IAAI,EAAE,CAAC,QAAQ,CAAC,GAAG,CAAC;QAAE,OAAO,IAAI,CAAC;IAElC,MAAM,MAAM,GAAG,EAAE,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IAC9B,IAAI,MAAM,CAAC,MAAM,GAAG,CAAC;QAAE,OAAO,IAAI,CAAC;IAEnC,MAAM,IAAI,GAAG,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;IACnD,MAAM,MAAM,GAAG,MAAM,CAAC,MAAM,KAAK,CAAC;QAChC,CAAC,CAAC,UAAU,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;QACzD,CAAC,CAAC,IAAI,CAAC;IAET,IAAI,MAAM,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC;IAErC,MAAM,KAAK,GAAG,IAAI,UAAU,CAAC,EAAE,CAAC,CAAC;IACjC,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC;QAC3B,MAAM,KAAK,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,IAAI,GAAG,EAAE,EAAE,CAAC,CAAC;QAC7C,IAAI,MAAM,CAAC,KAAK,CAAC,KAAK,CAAC,IAAI,KAAK,GAAG,CAAC,IAAI,KAAK,GAAG,MAAM;YAAE,OAAO,IAAI,CAAC;QACpE,KAAK,CAAC,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,KAAK,IAAI,CAAC,CAAC,GAAG,IAAI,CAAC;QACnC,KAAK,CAAC,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,GAAG,KAAK,GAAG,IAAI,CAAC;IAClC,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAED,SAAS,UAAU,CAAC,IAAc,EAAE,KAAe;IACjD,MAAM,IAAI,GAAG,CAAC,GAAG,IAAI,CAAC,MAAM,GAAG,KAAK,CAAC,MAAM,CAAC;IAC5C,IAAI,IAAI,GAAG,CAAC;QAAE,OAAO,EAAE,CAAC;IACxB,OAAO,CAAC,GAAG,IAAI,EAAE,GAAG,IAAI,KAAK,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,GAAG,KAAK,CAAC,CAAC;AAC3D,CAAC"}

package/dist/security/rate-limit.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"rate-limit.d.ts","sourceRoot":"","sources":["../../src/security/rate-limit.ts"],"names":[],"mappings":"AAAA,MAAM,WAAW,eAAe;IAC9B,OAAO,EAAE,OAAO,CAAC;IACjB,SAAS,EAAE,MAAM,CAAC;IAClB,OAAO,EAAE,IAAI,CAAC;IACd,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB;AAED,MAAM,WAAW,WAAW;IAC1B,KAAK,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,eAAe,CAAC,CAAC;IAC7C,KAAK,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;CACnC;AAED,MAAM,WAAW,eAAe;IAC9B,QAAQ,EAAE,MAAM,CAAC;IACjB,WAAW,EAAE,MAAM,CAAC;CACrB;AAED,4FAA4F;AAC5F,wBAAgB,yBAAyB,CAAC,MAAM,EAAE,eAAe,GAAG,WAAW,CA4B9E;AAED,iFAAiF;AACjF,wBAAgB,wBAAwB,CAAC,MAAM,EAAE,eAAe,GAAG,WAAW,CAiD7E;AAED;;;GAGG;AACH,wBAAgB,iBAAiB,CAAC,MAAM,EAAE,eAAe,GAAG,WAAW,CAStE"}
+{"version":3,"file":"rate-limit.d.ts","sourceRoot":"","sources":["../../src/security/rate-limit.ts"],"names":[],"mappings":"AAAA,MAAM,WAAW,eAAe;IAC9B,OAAO,EAAE,OAAO,CAAC;IACjB,SAAS,EAAE,MAAM,CAAC;IAClB,OAAO,EAAE,IAAI,CAAC;IACd,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB;AAED,MAAM,WAAW,WAAW;IAC1B,KAAK,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,eAAe,CAAC,CAAC;IAC7C,KAAK,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;CACnC;AAED,MAAM,WAAW,eAAe;IAC9B,QAAQ,EAAE,MAAM,CAAC;IACjB,WAAW,EAAE,MAAM,CAAC;CACrB;AAED,4FAA4F;AAC5F,wBAAgB,yBAAyB,CAAC,MAAM,EAAE,eAAe,GAAG,WAAW,CA4B9E;AAED,iFAAiF;AACjF,wBAAgB,wBAAwB,CAAC,MAAM,EAAE,eAAe,GAAG,WAAW,CAqF7E;AAED;;;GAGG;AACH,wBAAgB,iBAAiB,CAAC,MAAM,EAAE,eAAe,GAAG,WAAW,CAStE"}

package/dist/security/rate-limit.js

@@ -31,38 +31,70 @@ export function createUpstashRateLimiter(config) {
     if (!url || !token) {
         throw new Error('UPSTASH_REDIS_REST_URL and UPSTASH_REDIS_REST_TOKEN are required');
     }
-    async function redisCommand(command) {
-        const response = await fetch(`${url}`, {
+    async function redisPipeline(commands) {
+        // Upstash exposes pipelined commands via the /pipeline endpoint. Sending
+        // INCR + EXPIRE in a single round-trip eliminates the race where the
+        // process dies after INCR (or where EXPIRE silently fails) and leaves a
+        // counter that never resets — a subtle DoS where one unlucky user is
+        // permanently locked out.
+        const response = await fetch(`${url}/pipeline`, {
             method: 'POST',
             headers: {
                 Authorization: `Bearer ${token}`,
                 'Content-Type': 'application/json',
             },
-            body: JSON.stringify(command),
+            body: JSON.stringify(commands),
         });
+        if (!response.ok) {
+            throw new Error(`Upstash pipeline returned ${response.status}`);
+        }
         const data = await response.json();
-        return data?.result;
+        return data.map((entry) => entry?.result);
     }
     const windowSec = Math.ceil(config.windowMs / 1000);
     return {
         async check(key) {
             const redisKey = `ratelimit:${key}`;
-            const count = await redisCommand(['INCR', redisKey]);
-            if (count === 1) {
-                await redisCommand(['EXPIRE', redisKey, String(windowSec)]);
+            try {
+                const [count, _expireResult, ttl] = await redisPipeline([
+                    ['INCR', redisKey],
+                    ['EXPIRE', redisKey, String(windowSec), 'NX'], // only set when no TTL exists
+                    ['TTL', redisKey],
+                ]);
+                // Belt-and-braces: if Redis reports the key with no TTL, set one. This
+                // can only happen if the EXPIRE NX above wasn't supported, in which
+                // case we still want to bound the counter's lifetime.
+                if (ttl < 0) {
+                    await redisPipeline([['EXPIRE', redisKey, String(windowSec)]]).catch(() => undefined);
+                }
+                const effectiveTtl = ttl > 0 ? ttl : windowSec;
+                const resetAt = new Date(Date.now() + effectiveTtl * 1000);
+                const allowed = count <= config.maxRequests;
+                return {
+                    allowed,
+                    remaining: Math.max(0, config.maxRequests - count),
+                    resetAt,
+                    retryAfter: allowed ? undefined : effectiveTtl,
+                };
+            }
+            catch (err) {
+                // Fail open with logging — a Redis outage should NOT take the entire
+                // CMS offline. Audit-level logging makes the degradation visible.
+                console.error('[actuate][rate-limit] Upstash request failed, allowing through:', err instanceof Error ? err.message : err);
+                return {
+                    allowed: true,
+                    remaining: Math.max(0, config.maxRequests - 1),
+                    resetAt: new Date(Date.now() + config.windowMs),
+                };
             }
-            const ttl = await redisCommand(['TTL', redisKey]);
-            const resetAt = new Date(Date.now() + (ttl > 0 ? ttl * 1000 : config.windowMs));
-            const allowed = count <= config.maxRequests;
-            return {
-                allowed,
-                remaining: Math.max(0, config.maxRequests - count),
-                resetAt,
-                retryAfter: allowed ? undefined : ttl > 0 ? ttl : Math.ceil(config.windowMs / 1000),
-            };
         },
         async reset(key) {
-            await redisCommand(['DEL', `ratelimit:${key}`]);
+            try {
+                await redisPipeline([['DEL', `ratelimit:${key}`]]);
+            }
+            catch (err) {
+                console.error('[actuate][rate-limit] Upstash reset failed:', err instanceof Error ? err.message : err);
+            }
         },
     };
 }

package/dist/security/rate-limit.js.map

@@ -1 +1 @@
-{"version":3,"file":"rate-limit.js","sourceRoot":"","sources":["../../src/security/rate-limit.ts"],"names":[],"mappings":"AAiBA,4FAA4F;AAC5F,MAAM,UAAU,yBAAyB,CAAC,MAAuB;IAC/D,MAAM,OAAO,GAAG,IAAI,GAAG,EAA8C,CAAC;IAEtE,OAAO;QACL,KAAK,CAAC,KAAK,CAAC,GAAW;YACrB,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;YACvB,MAAM,KAAK,GAAG,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;YAE/B,IAAI,CAAC,KAAK,IAAI,GAAG,GAAG,KAAK,CAAC,OAAO,EAAE,CAAC;gBAClC,MAAM,OAAO,GAAG,GAAG,GAAG,MAAM,CAAC,QAAQ,CAAC;gBACtC,OAAO,CAAC,GAAG,CAAC,GAAG,EAAE,EAAE,KAAK,EAAE,CAAC,EAAE,OAAO,EAAE,CAAC,CAAC;gBACxC,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,SAAS,EAAE,MAAM,CAAC,WAAW,GAAG,CAAC,EAAE,OAAO,EAAE,IAAI,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC;YAC1F,CAAC;YAED,KAAK,CAAC,KAAK,EAAE,CAAC;YACd,MAAM,OAAO,GAAG,KAAK,CAAC,KAAK,IAAI,MAAM,CAAC,WAAW,CAAC;YAClD,OAAO;gBACL,OAAO;gBACP,SAAS,EAAE,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,MAAM,CAAC,WAAW,GAAG,KAAK,CAAC,KAAK,CAAC;gBACxD,OAAO,EAAE,IAAI,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC;gBAChC,UAAU,EAAE,OAAO,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,KAAK,CAAC,OAAO,GAAG,GAAG,CAAC,GAAG,IAAI,CAAC;aAC1E,CAAC;QACJ,CAAC;QAED,KAAK,CAAC,KAAK,CAAC,GAAW;YACrB,OAAO,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;QACtB,CAAC;KACF,CAAC;AACJ,CAAC;AAED,iFAAiF;AACjF,MAAM,UAAU,wBAAwB,CAAC,MAAuB;IAC9D,MAAM,GAAG,GAAG,OAAO,CAAC,GAAG,CAAC,sBAAsB,CAAC;IAC/C,MAAM,KAAK,GAAG,OAAO,CAAC,GAAG,CAAC,wBAAwB,CAAC;IAEnD,IAAI,CAAC,GAAG,IAAI,CAAC,KAAK,EAAE,CAAC;QACnB,MAAM,IAAI,KAAK,CAAC,kEAAkE,CAAC,CAAC;IACtF,CAAC;IAED,KAAK,UAAU,YAAY,CAAC,OAAiB;QAC3C,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,GAAG,GAAG,EAAE,EAAE;YACrC,MAAM,EAAE,MAAM;YACd,OAAO,EAAE;gBACP,aAAa,EAAE,UAAU,KAAK,EAAE;gBAChC,cAAc,EAAE,kBAAkB;aACnC;YACD,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC;SAC9B,CAAC,CAAC;QACH,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;QACnC,OAAO,IAAI,EAAE,MAAM,CAAC;IACtB,CAAC;IAED,MAAM,SAAS,GAAG,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,QAAQ,GAAG,IAAI,CAAC,CAAC;IAEpD,OAAO;QACL,KAAK,CAAC,KAAK,CAAC,GAAW;YACrB,MAAM,QAAQ,GAAG,aAAa,GAAG,EAAE,CAAC;YAEpC,MAAM,KAAK,GAAG,MAAM,YAAY,CAAC,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC,CAAC;YAErD,IAAI,KAAK,KAAK,CAAC,EAAE,CAAC;gBAChB,MAAM,YAAY,CAAC,CAAC,QAAQ,EAAE,QAAQ,EAAE,MAAM,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC;YAC9D,CAAC;YAED,MAAM,GAAG,GAAG,MAAM,YAAY,CAAC,CAAC,KAAK,EAAE,QAAQ,CAAC,CAAC,CAAC;YAClD,MAAM,OAAO,GAAG,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,CAAC,GAAG,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,GAAG,IAAI,CAAC,CAAC,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC;YAChF,MAAM,OAAO,GAAG,KAAK,IAAI,MAAM,CAAC,WAAW,CAAC;YAE5C,OAAO;gBACL,OAAO;gBACP,SAAS,EAAE,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,MAAM,CAAC,WAAW,GAAG,KAAK,CAAC;gBAClD,OAAO;gBACP,UAAU,EAAE,OAAO,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,GAAG,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,QAAQ,GAAG,IAAI,CAAC;aACpF,CAAC;QACJ,CAAC;QAED,KAAK,CAAC,KAAK,CAAC,GAAW;YACrB,MAAM,YAAY,CAAC,CAAC,KAAK,EAAE,aAAa,GAAG,EAAE,CAAC,CAAC,CAAC;QAClD,CAAC;KACF,CAAC;AACJ,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,iBAAiB,CAAC,MAAuB;IACvD,IAAI,OAAO,CAAC,GAAG,CAAC,sBAAsB,IAAI,OAAO,CAAC,GAAG,CAAC,wBAAwB,EAAE,CAAC;QAC/E,IAAI,CAAC;YACH,OAAO,wBAAwB,CAAC,MAAM,CAAC,CAAC;QAC1C,CAAC;QAAC,MAAM,CAAC;YACP,8CAA8C;QAChD,CAAC;IACH,CAAC;IACD,OAAO,yBAAyB,CAAC,MAAM,CAAC,CAAC;AAC3C,CAAC"}
+{"version":3,"file":"rate-limit.js","sourceRoot":"","sources":["../../src/security/rate-limit.ts"],"names":[],"mappings":"AAiBA,4FAA4F;AAC5F,MAAM,UAAU,yBAAyB,CAAC,MAAuB;IAC/D,MAAM,OAAO,GAAG,IAAI,GAAG,EAA8C,CAAC;IAEtE,OAAO;QACL,KAAK,CAAC,KAAK,CAAC,GAAW;YACrB,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;YACvB,MAAM,KAAK,GAAG,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;YAE/B,IAAI,CAAC,KAAK,IAAI,GAAG,GAAG,KAAK,CAAC,OAAO,EAAE,CAAC;gBAClC,MAAM,OAAO,GAAG,GAAG,GAAG,MAAM,CAAC,QAAQ,CAAC;gBACtC,OAAO,CAAC,GAAG,CAAC,GAAG,EAAE,EAAE,KAAK,EAAE,CAAC,EAAE,OAAO,EAAE,CAAC,CAAC;gBACxC,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,SAAS,EAAE,MAAM,CAAC,WAAW,GAAG,CAAC,EAAE,OAAO,EAAE,IAAI,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC;YAC1F,CAAC;YAED,KAAK,CAAC,KAAK,EAAE,CAAC;YACd,MAAM,OAAO,GAAG,KAAK,CAAC,KAAK,IAAI,MAAM,CAAC,WAAW,CAAC;YAClD,OAAO;gBACL,OAAO;gBACP,SAAS,EAAE,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,MAAM,CAAC,WAAW,GAAG,KAAK,CAAC,KAAK,CAAC;gBACxD,OAAO,EAAE,IAAI,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC;gBAChC,UAAU,EAAE,OAAO,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,KAAK,CAAC,OAAO,GAAG,GAAG,CAAC,GAAG,IAAI,CAAC;aAC1E,CAAC;QACJ,CAAC;QAED,KAAK,CAAC,KAAK,CAAC,GAAW;YACrB,OAAO,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;QACtB,CAAC;KACF,CAAC;AACJ,CAAC;AAED,iFAAiF;AACjF,MAAM,UAAU,wBAAwB,CAAC,MAAuB;IAC9D,MAAM,GAAG,GAAG,OAAO,CAAC,GAAG,CAAC,sBAAsB,CAAC;IAC/C,MAAM,KAAK,GAAG,OAAO,CAAC,GAAG,CAAC,wBAAwB,CAAC;IAEnD,IAAI,CAAC,GAAG,IAAI,CAAC,KAAK,EAAE,CAAC;QACnB,MAAM,IAAI,KAAK,CAAC,kEAAkE,CAAC,CAAC;IACtF,CAAC;IAED,KAAK,UAAU,aAAa,CAAC,QAAoB;QAC/C,yEAAyE;QACzE,qEAAqE;QACrE,wEAAwE;QACxE,qEAAqE;QACrE,0BAA0B;QAC1B,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,GAAG,GAAG,WAAW,EAAE;YAC9C,MAAM,EAAE,MAAM;YACd,OAAO,EAAE;gBACP,aAAa,EAAE,UAAU,KAAK,EAAE;gBAChC,cAAc,EAAE,kBAAkB;aACnC;YACD,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC;SAC/B,CAAC,CAAC;QACH,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;YACjB,MAAM,IAAI,KAAK,CAAC,6BAA6B,QAAQ,CAAC,MAAM,EAAE,CAAC,CAAC;QAClE,CAAC;QACD,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAA6C,CAAC;QAC9E,OAAO,IAAI,CAAC,GAAG,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC;IAC5C,CAAC;IAED,MAAM,SAAS,GAAG,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,QAAQ,GAAG,IAAI,CAAC,CAAC;IAEpD,OAAO;QACL,KAAK,CAAC,KAAK,CAAC,GAAW;YACrB,MAAM,QAAQ,GAAG,aAAa,GAAG,EAAE,CAAC;YAEpC,IAAI,CAAC;gBACH,MAAM,CAAC,KAAK,EAAE,aAAa,EAAE,GAAG,CAAC,GAAG,MAAM,aAAa,CAAC;oBACtD,CAAC,MAAM,EAAE,QAAQ,CAAC;oBAClB,CAAC,QAAQ,EAAE,QAAQ,EAAE,MAAM,CAAC,SAAS,CAAC,EAAE,IAAI,CAAC,EAAE,8BAA8B;oBAC7E,CAAC,KAAK,EAAE,QAAQ,CAAC;iBAClB,CAA6B,CAAC;gBAE/B,uEAAuE;gBACvE,oEAAoE;gBACpE,sDAAsD;gBACtD,IAAI,GAAG,GAAG,CAAC,EAAE,CAAC;oBACZ,MAAM,aAAa,CAAC,CAAC,CAAC,QAAQ,EAAE,QAAQ,EAAE,MAAM,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,SAAS,CAAC,CAAC;gBACxF,CAAC;gBAED,MAAM,YAAY,GAAG,GAAG,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,SAAS,CAAC;gBAC/C,MAAM,OAAO,GAAG,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,YAAY,GAAG,IAAI,CAAC,CAAC;gBAC3D,MAAM,OAAO,GAAG,KAAK,IAAI,MAAM,CAAC,WAAW,CAAC;gBAE5C,OAAO;oBACL,OAAO;oBACP,SAAS,EAAE,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,MAAM,CAAC,WAAW,GAAG,KAAK,CAAC;oBAClD,OAAO;oBACP,UAAU,EAAE,OAAO,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,YAAY;iBAC/C,CAAC;YACJ,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACb,qEAAqE;gBACrE,kEAAkE;gBAClE,OAAO,CAAC,KAAK,CACX,iEAAiE,EACjE,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,GAAG,CACzC,CAAC;gBACF,OAAO;oBACL,OAAO,EAAE,IAAI;oBACb,SAAS,EAAE,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,MAAM,CAAC,WAAW,GAAG,CAAC,CAAC;oBAC9C,OAAO,EAAE,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,MAAM,CAAC,QAAQ,CAAC;iBAChD,CAAC;YACJ,CAAC;QACH,CAAC;QAED,KAAK,CAAC,KAAK,CAAC,GAAW;YACrB,IAAI,CAAC;gBACH,MAAM,aAAa,CAAC,CAAC,CAAC,KAAK,EAAE,aAAa,GAAG,EAAE,CAAC,CAAC,CAAC,CAAC;YACrD,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACb,OAAO,CAAC,KAAK,CACX,6CAA6C,EAC7C,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,GAAG,CACzC,CAAC;YACJ,CAAC;QACH,CAAC;KACF,CAAC;AACJ,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,iBAAiB,CAAC,MAAuB;IACvD,IAAI,OAAO,CAAC,GAAG,CAAC,sBAAsB,IAAI,OAAO,CAAC,GAAG,CAAC,wBAAwB,EAAE,CAAC;QAC/E,IAAI,CAAC;YACH,OAAO,wBAAwB,CAAC,MAAM,CAAC,CAAC;QAC1C,CAAC;QAAC,MAAM,CAAC;YACP,8CAA8C;QAChD,CAAC;IACH,CAAC;IACD,OAAO,yBAAyB,CAAC,MAAM,CAAC,CAAC;AAC3C,CAAC"}

package/dist/security/redact.d.ts

@@ -0,0 +1,12 @@
+/**
+ * Best-effort scrubber for secrets pasted into prompts, search queries, and
+ * other user-supplied text that ends up in audit logs. Replaces matched
+ * patterns with `[REDACTED]` so we don't store live keys/tokens in plain
+ * `details` JSON.
+ *
+ * This is defensive, not exhaustive — clients should never paste secrets
+ * into prompts in the first place. The patterns favour false negatives over
+ * false positives so we don't mangle legitimate content.
+ */
+export declare function redactSecrets(input: string): string;
+//# sourceMappingURL=redact.d.ts.map

package/dist/security/redact.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"redact.d.ts","sourceRoot":"","sources":["../../src/security/redact.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAwBH,wBAAgB,aAAa,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,CAOnD"}

package/dist/security/redact.js

@@ -0,0 +1,41 @@
+/**
+ * Best-effort scrubber for secrets pasted into prompts, search queries, and
+ * other user-supplied text that ends up in audit logs. Replaces matched
+ * patterns with `[REDACTED]` so we don't store live keys/tokens in plain
+ * `details` JSON.
+ *
+ * This is defensive, not exhaustive — clients should never paste secrets
+ * into prompts in the first place. The patterns favour false negatives over
+ * false positives so we don't mangle legitimate content.
+ */
+const PATTERNS = [
+    // OpenAI / Anthropic / Google API keys
+    { name: 'openai-key', regex: /\bsk-[A-Za-z0-9_-]{20,}\b/g },
+    { name: 'anthropic-key', regex: /\bsk-ant-[A-Za-z0-9_-]{20,}\b/g },
+    // Actuate API keys
+    { name: 'actuate-key', regex: /\bact_[A-Za-z0-9_]{20,}\b/g },
+    // GitHub tokens
+    { name: 'github-token', regex: /\bgh[opsu]_[A-Za-z0-9]{30,}\b/g },
+    // AWS access keys
+    { name: 'aws-access-key', regex: /\bAKIA[0-9A-Z]{16}\b/g },
+    // AWS secret access keys (40 char base64-ish, prefixed with common context words)
+    { name: 'aws-secret', regex: /\b(?:aws_secret_access_key|aws_secret|secret_key)\s*[:=]\s*["']?([A-Za-z0-9/+]{40})["']?/gi },
+    // JWTs (3 base64url segments)
+    { name: 'jwt', regex: /\beyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\b/g },
+    // Slack tokens
+    { name: 'slack-token', regex: /\bxox[baprs]-[A-Za-z0-9-]{10,}\b/g },
+    // Stripe keys
+    { name: 'stripe-key', regex: /\b(?:sk|pk|rk)_(?:test|live)_[A-Za-z0-9]{20,}\b/g },
+    // Generic password assignment
+    { name: 'password-assign', regex: /\b(?:password|passwd|pwd)\s*[:=]\s*["']([^"']{6,})["']/gi },
+];
+export function redactSecrets(input) {
+    if (!input)
+        return input;
+    let result = input;
+    for (const { regex } of PATTERNS) {
+        result = result.replace(regex, '[REDACTED]');
+    }
+    return result;
+}
+//# sourceMappingURL=redact.js.map

package/dist/security/redact.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"redact.js","sourceRoot":"","sources":["../../src/security/redact.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,MAAM,QAAQ,GAA2C;IACvD,uCAAuC;IACvC,EAAE,IAAI,EAAE,YAAY,EAAE,KAAK,EAAE,4BAA4B,EAAE;IAC3D,EAAE,IAAI,EAAE,eAAe,EAAE,KAAK,EAAE,gCAAgC,EAAE;IAClE,mBAAmB;IACnB,EAAE,IAAI,EAAE,aAAa,EAAE,KAAK,EAAE,4BAA4B,EAAE;IAC5D,gBAAgB;IAChB,EAAE,IAAI,EAAE,cAAc,EAAE,KAAK,EAAE,gCAAgC,EAAE;IACjE,kBAAkB;IAClB,EAAE,IAAI,EAAE,gBAAgB,EAAE,KAAK,EAAE,uBAAuB,EAAE;IAC1D,kFAAkF;IAClF,EAAE,IAAI,EAAE,YAAY,EAAE,KAAK,EAAE,4FAA4F,EAAE;IAC3H,8BAA8B;IAC9B,EAAE,IAAI,EAAE,KAAK,EAAE,KAAK,EAAE,oEAAoE,EAAE;IAC5F,eAAe;IACf,EAAE,IAAI,EAAE,aAAa,EAAE,KAAK,EAAE,mCAAmC,EAAE;IACnE,cAAc;IACd,EAAE,IAAI,EAAE,YAAY,EAAE,KAAK,EAAE,kDAAkD,EAAE;IACjF,8BAA8B;IAC9B,EAAE,IAAI,EAAE,iBAAiB,EAAE,KAAK,EAAE,0DAA0D,EAAE;CAC/F,CAAC;AAEF,MAAM,UAAU,aAAa,CAAC,KAAa;IACzC,IAAI,CAAC,KAAK;QAAE,OAAO,KAAK,CAAC;IACzB,IAAI,MAAM,GAAG,KAAK,CAAC;IACnB,KAAK,MAAM,EAAE,KAAK,EAAE,IAAI,QAAQ,EAAE,CAAC;QACjC,MAAM,GAAG,MAAM,CAAC,OAAO,CAAC,KAAK,EAAE,YAAY,CAAC,CAAC;IAC/C,CAAC;IACD,OAAO,MAAM,CAAC;AAChB,CAAC"}

package/dist/security/safe-fetch.d.ts

@@ -0,0 +1,35 @@
+/**
+ * Perform a `fetch()` with SSRF defenses applied:
+ *
+ *  - Reject non-http/https URLs (no `file:`, `gopher:`, `data:`).
+ *  - Reject hostnames that resolve to private/loopback IP literals
+ *    (`10.x`, `127.x`, `169.254.x`, `192.168.x`, `::1`, …).
+ *  - Reject `localhost` and `0.0.0.0`.
+ *  - Disable HTTP redirects by default (`redirect: 'manual'`) — a 302 to an
+ *    internal address would otherwise smuggle the request past the validator.
+ *  - Apply a hard request timeout via `AbortSignal.timeout`.
+ *
+ * Use this for any internal `fetch()` call that targets a URL derived from
+ * user/admin input (webhooks, link health, image URL fetches, etc).
+ *
+ * Note: this guards against the URL **as written**. For full DNS-rebinding
+ * protection use `resolveAndCheck()` from `./webhook.js` to pre-resolve the
+ * hostname; on Node 20+ this can be combined with a custom dispatcher to bind
+ * the request to the resolved IP. The default policy here trades that
+ * protection for portability across runtimes (Edge, Bun, Workers).
+ */
+export interface SafeFetchOptions extends RequestInit {
+    /** Hard timeout applied via AbortSignal. Defaults to 5000ms. */
+    timeoutMs?: number;
+    /** When true, allow following redirects. Each hop is re-validated. Default: false. */
+    followRedirects?: boolean;
+    /** Maximum number of redirect hops when followRedirects is true. Default: 3. */
+    maxRedirects?: number;
+}
+export declare class SsrfBlockedError extends Error {
+    readonly url: string;
+    readonly reason: string;
+    constructor(url: string, reason: string);
+}
+export declare function safeFetch(url: string, options?: SafeFetchOptions): Promise<Response>;
+//# sourceMappingURL=safe-fetch.d.ts.map

package/dist/security/safe-fetch.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"safe-fetch.d.ts","sourceRoot":"","sources":["../../src/security/safe-fetch.ts"],"names":[],"mappings":"AAEA;;;;;;;;;;;;;;;;;;;GAmBG;AACH,MAAM,WAAW,gBAAiB,SAAQ,WAAW;IACnD,gEAAgE;IAChE,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,sFAAsF;IACtF,eAAe,CAAC,EAAE,OAAO,CAAC;IAC1B,gFAAgF;IAChF,YAAY,CAAC,EAAE,MAAM,CAAC;CACvB;AAED,qBAAa,gBAAiB,SAAQ,KAAK;IACzC,QAAQ,CAAC,GAAG,EAAE,MAAM,CAAC;IACrB,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAC;gBACZ,GAAG,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM;CAMxC;AAED,wBAAsB,SAAS,CAC7B,GAAG,EAAE,MAAM,EACX,OAAO,GAAE,gBAAqB,GAC7B,OAAO,CAAC,QAAQ,CAAC,CAsCnB"}

package/dist/security/safe-fetch.js

@@ -0,0 +1,45 @@
+import { validateWebhookUrl } from './webhook.js';
+export class SsrfBlockedError extends Error {
+    url;
+    reason;
+    constructor(url, reason) {
+        super(`SSRF blocked: ${reason} (url=${url})`);
+        this.name = 'SsrfBlockedError';
+        this.url = url;
+        this.reason = reason;
+    }
+}
+export async function safeFetch(url, options = {}) {
+    const { timeoutMs = 5000, followRedirects = false, maxRedirects = 3, ...init } = options;
+    let currentUrl = url;
+    let hops = 0;
+    while (true) {
+        const check = validateWebhookUrl(currentUrl);
+        if (!check.valid) {
+            throw new SsrfBlockedError(currentUrl, check.error ?? 'URL rejected by SSRF policy');
+        }
+        const response = await fetch(currentUrl, {
+            ...init,
+            redirect: 'manual',
+            signal: init.signal ?? AbortSignal.timeout(timeoutMs),
+        });
+        const isRedirect = response.status >= 300 && response.status < 400;
+        if (!isRedirect || !followRedirects) {
+            return response;
+        }
+        if (hops >= maxRedirects) {
+            throw new SsrfBlockedError(currentUrl, `exceeded ${maxRedirects} redirects`);
+        }
+        const location = response.headers.get('location');
+        if (!location)
+            return response;
+        try {
+            currentUrl = new URL(location, currentUrl).toString();
+        }
+        catch {
+            throw new SsrfBlockedError(location, 'invalid Location header');
+        }
+        hops += 1;
+    }
+}
+//# sourceMappingURL=safe-fetch.js.map

package/dist/security/safe-fetch.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"safe-fetch.js","sourceRoot":"","sources":["../../src/security/safe-fetch.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,kBAAkB,EAAE,MAAM,cAAc,CAAC;AA+BlD,MAAM,OAAO,gBAAiB,SAAQ,KAAK;IAChC,GAAG,CAAS;IACZ,MAAM,CAAS;IACxB,YAAY,GAAW,EAAE,MAAc;QACrC,KAAK,CAAC,iBAAiB,MAAM,SAAS,GAAG,GAAG,CAAC,CAAC;QAC9C,IAAI,CAAC,IAAI,GAAG,kBAAkB,CAAC;QAC/B,IAAI,CAAC,GAAG,GAAG,GAAG,CAAC;QACf,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC;IACvB,CAAC;CACF;AAED,MAAM,CAAC,KAAK,UAAU,SAAS,CAC7B,GAAW,EACX,UAA4B,EAAE;IAE9B,MAAM,EAAE,SAAS,GAAG,IAAI,EAAE,eAAe,GAAG,KAAK,EAAE,YAAY,GAAG,CAAC,EAAE,GAAG,IAAI,EAAE,GAAG,OAAO,CAAC;IAEzF,IAAI,UAAU,GAAG,GAAG,CAAC;IACrB,IAAI,IAAI,GAAG,CAAC,CAAC;IAEb,OAAO,IAAI,EAAE,CAAC;QACZ,MAAM,KAAK,GAAG,kBAAkB,CAAC,UAAU,CAAC,CAAC;QAC7C,IAAI,CAAC,KAAK,CAAC,KAAK,EAAE,CAAC;YACjB,MAAM,IAAI,gBAAgB,CAAC,UAAU,EAAE,KAAK,CAAC,KAAK,IAAI,6BAA6B,CAAC,CAAC;QACvF,CAAC;QAED,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,UAAU,EAAE;YACvC,GAAG,IAAI;YACP,QAAQ,EAAE,QAAQ;YAClB,MAAM,EAAE,IAAI,CAAC,MAAM,IAAI,WAAW,CAAC,OAAO,CAAC,SAAS,CAAC;SACtD,CAAC,CAAC;QAEH,MAAM,UAAU,GAAG,QAAQ,CAAC,MAAM,IAAI,GAAG,IAAI,QAAQ,CAAC,MAAM,GAAG,GAAG,CAAC;QACnE,IAAI,CAAC,UAAU,IAAI,CAAC,eAAe,EAAE,CAAC;YACpC,OAAO,QAAQ,CAAC;QAClB,CAAC;QAED,IAAI,IAAI,IAAI,YAAY,EAAE,CAAC;YACzB,MAAM,IAAI,gBAAgB,CAAC,UAAU,EAAE,YAAY,YAAY,YAAY,CAAC,CAAC;QAC/E,CAAC;QAED,MAAM,QAAQ,GAAG,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC;QAClD,IAAI,CAAC,QAAQ;YAAE,OAAO,QAAQ,CAAC;QAE/B,IAAI,CAAC;YACH,UAAU,GAAG,IAAI,GAAG,CAAC,QAAQ,EAAE,UAAU,CAAC,CAAC,QAAQ,EAAE,CAAC;QACxD,CAAC;QAAC,MAAM,CAAC;YACP,MAAM,IAAI,gBAAgB,CAAC,QAAQ,EAAE,yBAAyB,CAAC,CAAC;QAClE,CAAC;QAED,IAAI,IAAI,CAAC,CAAC;IACZ,CAAC;AACH,CAAC"}

package/dist/security/secret-storage.d.ts

@@ -0,0 +1,22 @@
+/**
+ * Encrypt a value for storage. Returns the original value unchanged when no
+ * encryption key is configured (development convenience). Production deployments
+ * MUST set `CMS_ENCRYPTION_KEY` — see `security.mdc`.
+ */
+export declare function encryptSecret(plaintext: string): Promise<string>;
+/**
+ * Decrypt a value that was stored via `encryptSecret`. Plaintext values
+ * (written before encryption was enabled, or written by a deployment without
+ * the key) are returned unchanged.
+ */
+export declare function decryptSecret(stored: string): Promise<string>;
+/** True when the value is stored encrypted (and therefore needs decryption). */
+export declare function isEncrypted(value: string): boolean;
+/**
+ * Encrypt each string element in an array. Returns the array unchanged when
+ * encryption is disabled. Used for things like TOTP backup codes.
+ */
+export declare function encryptStringArray(values: string[]): Promise<string[]>;
+/** Decrypt each element in an array stored via `encryptStringArray`. */
+export declare function decryptStringArray(values: string[]): Promise<string[]>;
+//# sourceMappingURL=secret-storage.d.ts.map

package/dist/security/secret-storage.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"secret-storage.d.ts","sourceRoot":"","sources":["../../src/security/secret-storage.ts"],"names":[],"mappings":"AAiCA;;;;GAIG;AACH,wBAAsB,aAAa,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAMtE;AAED;;;;GAIG;AACH,wBAAsB,aAAa,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAWnE;AAED,gFAAgF;AAChF,wBAAgB,WAAW,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAElD;AAED;;;GAGG;AACH,wBAAsB,kBAAkB,CAAC,MAAM,EAAE,MAAM,EAAE,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC,CAE5E;AAED,wEAAwE;AACxE,wBAAsB,kBAAkB,CAAC,MAAM,EAAE,MAAM,EAAE,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC,CAE5E"}