@actuate-media/cms-core 0.10.4 → 0.11.1

package/dist/security/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/security/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,WAAW,EAAE,qBAAqB,EAAE,kBAAkB,EAAE,oBAAoB,EAAE,gBAAgB,EAAE,MAAM,aAAa,CAAC;AAG7H,OAAO,EAAE,aAAa,IAAI,iBAAiB,EAAE,aAAa,IAAI,iBAAiB,EAAE,MAAM,WAAW,CAAC;AAEnG,OAAO,EAAE,iBAAiB,EAAE,MAAM,iBAAiB,CAAC;AAGpD,OAAO,EAAE,YAAY,EAAE,SAAS,EAAE,MAAM,eAAe,CAAC;AAExD,OAAO,EAAE,gBAAgB,EAAE,eAAe,EAAE,MAAM,aAAa,CAAC;AAEhE,OAAO,EAAE,kBAAkB,EAAE,eAAe,EAAE,MAAM,cAAc,CAAC;AAEnE,OAAO,EAAE,QAAQ,EAAE,WAAW,EAAE,MAAM,YAAY,CAAC;AAGnD,OAAO,EAAE,kBAAkB,EAAE,MAAM,cAAc,CAAC;AAGlD,OAAO,EAAE,uBAAuB,EAAE,MAAM,iBAAiB,CAAC;AAG1D,OAAO,EAAE,aAAa,EAAE,MAAM,mBAAmB,CAAC;AAElD,OAAO,EAAE,kBAAkB,EAAE,eAAe,EAAE,MAAM,wBAAwB,CAAC;AAG7E,OAAO,EAAE,cAAc,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAG3D,OAAO,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAC;AAEhD,OAAO,EAAE,oBAAoB,EAAE,MAAM,qBAAqB,CAAC;AAG3D,OAAO,EAAE,YAAY,EAAE,YAAY,EAAE,MAAM,uBAAuB,CAAC;AAEnE,OAAO,EAAE,cAAc,EAAE,MAAM,WAAW,CAAC;AAG3C,OAAO,EAAE,gBAAgB,EAAE,cAAc,EAAE,MAAM,iBAAiB,CAAC;AAEnE,OAAO,EAAE,mBAAmB,EAAE,MAAM,mBAAmB,CAAC;AAGxD,OAAO,EAAE,cAAc,EAAE,mBAAmB,EAAE,MAAM,uBAAuB,CAAC;AAG5E,OAAO,EAAE,aAAa,EAAE,gBAAgB,EAAE,MAAM,cAAc,CAAC"}
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/security/index.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,WAAW,EACX,qBAAqB,EACrB,kBAAkB,EAClB,oBAAoB,EACpB,gBAAgB,GACjB,MAAM,aAAa,CAAA;AAGpB,OAAO,EAAE,aAAa,IAAI,iBAAiB,EAAE,aAAa,IAAI,iBAAiB,EAAE,MAAM,WAAW,CAAA;AAElG,OAAO,EAAE,iBAAiB,EAAE,MAAM,iBAAiB,CAAA;AAGnD,OAAO,EAAE,YAAY,EAAE,SAAS,EAAE,MAAM,eAAe,CAAA;AAEvD,OAAO,EAAE,gBAAgB,EAAE,eAAe,EAAE,MAAM,aAAa,CAAA;AAE/D,OAAO,EAAE,kBAAkB,EAAE,eAAe,EAAE,MAAM,cAAc,CAAA;AAElE,OAAO,EAAE,QAAQ,EAAE,WAAW,EAAE,MAAM,YAAY,CAAA;AAGlD,OAAO,EAAE,kBAAkB,EAAE,MAAM,cAAc,CAAA;AAGjD,OAAO,EAAE,uBAAuB,EAAE,MAAM,iBAAiB,CAAA;AAGzD,OAAO,EAAE,aAAa,EAAE,MAAM,mBAAmB,CAAA;AAEjD,OAAO,EAAE,kBAAkB,EAAE,eAAe,EAAE,MAAM,wBAAwB,CAAA;AAG5E,OAAO,EAAE,cAAc,EAAE,YAAY,EAAE,MAAM,aAAa,CAAA;AAG1D,OAAO,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAA;AAE/C,OAAO,EAAE,oBAAoB,EAAE,MAAM,qBAAqB,CAAA;AAG1D,OAAO,EAAE,YAAY,EAAE,YAAY,EAAE,MAAM,uBAAuB,CAAA;AAElE,OAAO,EAAE,cAAc,EAAE,MAAM,WAAW,CAAA;AAG1C,OAAO,EAAE,gBAAgB,EAAE,cAAc,EAAE,MAAM,iBAAiB,CAAA;AAElE,OAAO,EAAE,mBAAmB,EAAE,MAAM,mBAAmB,CAAA;AAGvD,OAAO,EAAE,cAAc,EAAE,mBAAmB,EAAE,MAAM,uBAAuB,CAAA;AAG3E,OAAO,EAAE,aAAa,EAAE,gBAAgB,EAAE,MAAM,cAAc,CAAA;AAG9D,OAAO,EAAE,WAAW,EAAE,YAAY,EAAE,MAAM,gBAAgB,CAAA;AAG1D,OAAO,EAAE,SAAS,EAAE,gBAAgB,EAAE,MAAM,iBAAiB,CAAA;AAG7D,OAAO,EACL,aAAa,EACb,aAAa,EACb,WAAW,EACX,kBAAkB,EAClB,kBAAkB,GACnB,MAAM,qBAAqB,CAAA;AAE5B,OAAO,EAAE,aAAa,EAAE,MAAM,aAAa,CAAA;AAE3C,OAAO,EAAE,kBAAkB,EAAE,iBAAiB,EAAE,qBAAqB,EAAE,MAAM,oBAAoB,CAAA"}

package/dist/security/internal-keys.d.ts

@@ -0,0 +1,15 @@
+/**
+ * Centralised list of "system" keys that may appear inside `Document.data`
+ * but are managed by the CMS rather than the user. Anything here is:
+ *
+ *  - stripped from API responses (so internal scoring data isn't leaked)
+ *  - allowed through field-level write access checks (so plugins can
+ *    set them even when the field isn't declared in the collection)
+ *
+ * Keep this in lockstep with `actions.ts`/`access.ts` to avoid drift.
+ */
+export declare const INTERNAL_DATA_KEYS: Set<string>;
+export declare function isInternalDataKey(key: string): boolean;
+/** Return a shallow copy of `data` with all internal/system keys removed. */
+export declare function stripInternalDataKeys<T extends Record<string, unknown>>(data: T): T;
+//# sourceMappingURL=internal-keys.d.ts.map

package/dist/security/internal-keys.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"internal-keys.d.ts","sourceRoot":"","sources":["../../src/security/internal-keys.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AACH,eAAO,MAAM,kBAAkB,aAQ7B,CAAA;AAEF,wBAAgB,iBAAiB,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAEtD;AAED,6EAA6E;AAC7E,wBAAgB,qBAAqB,CAAC,CAAC,SAAS,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAAE,IAAI,EAAE,CAAC,GAAG,CAAC,CAOnF"}

package/dist/security/internal-keys.js

@@ -0,0 +1,33 @@
+/**
+ * Centralised list of "system" keys that may appear inside `Document.data`
+ * but are managed by the CMS rather than the user. Anything here is:
+ *
+ *  - stripped from API responses (so internal scoring data isn't leaked)
+ *  - allowed through field-level write access checks (so plugins can
+ *    set them even when the field isn't declared in the collection)
+ *
+ * Keep this in lockstep with `actions.ts`/`access.ts` to avoid drift.
+ */
+export const INTERNAL_DATA_KEYS = new Set([
+    '_layout',
+    '_pageSettings',
+    '_aiScore',
+    '_embedding',
+    '_seoScore',
+    '_brandScore',
+    '_readabilityScore',
+]);
+export function isInternalDataKey(key) {
+    return key.startsWith('_') || INTERNAL_DATA_KEYS.has(key);
+}
+/** Return a shallow copy of `data` with all internal/system keys removed. */
+export function stripInternalDataKeys(data) {
+    const out = {};
+    for (const [key, value] of Object.entries(data)) {
+        if (isInternalDataKey(key))
+            continue;
+        out[key] = value;
+    }
+    return out;
+}
+//# sourceMappingURL=internal-keys.js.map

package/dist/security/internal-keys.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"internal-keys.js","sourceRoot":"","sources":["../../src/security/internal-keys.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AACH,MAAM,CAAC,MAAM,kBAAkB,GAAG,IAAI,GAAG,CAAS;IAChD,SAAS;IACT,eAAe;IACf,UAAU;IACV,YAAY;IACZ,WAAW;IACX,aAAa;IACb,mBAAmB;CACpB,CAAC,CAAA;AAEF,MAAM,UAAU,iBAAiB,CAAC,GAAW;IAC3C,OAAO,GAAG,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,kBAAkB,CAAC,GAAG,CAAC,GAAG,CAAC,CAAA;AAC3D,CAAC;AAED,6EAA6E;AAC7E,MAAM,UAAU,qBAAqB,CAAoC,IAAO;IAC9E,MAAM,GAAG,GAA4B,EAAE,CAAA;IACvC,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC;QAChD,IAAI,iBAAiB,CAAC,GAAG,CAAC;YAAE,SAAQ;QACpC,GAAG,CAAC,GAAG,CAAC,GAAG,KAAK,CAAA;IAClB,CAAC;IACD,OAAO,GAAQ,CAAA;AACjB,CAAC"}

package/dist/security/ip-allowlist.d.ts

@@ -1,3 +1,15 @@
-/** Check whether an IP address is within a list of allowed IPs or CIDR ranges. */
+/**
+ * IP allowlist matcher supporting both IPv4 and IPv6, including CIDR ranges.
+ *
+ * - Empty allowlist allows everything (the integrator opted out).
+ * - When the allowlist is non-empty, the literal `'unknown'` (the sentinel
+ *   returned by the trusted-IP resolver when no proxy header was present)
+ *   never matches.
+ * - IPv4 entries match IPv4 addresses (with optional `/n` CIDR mask, n=0..32).
+ * - IPv6 entries match IPv6 addresses (with optional `/n` CIDR mask, n=0..128).
+ *   Two IPv6 strings are equal when their canonical 16-byte form matches —
+ *   so `2001:db8::1` matches `2001:db8:0:0:0:0:0:1`.
+ * - Mapped IPv4-in-IPv6 addresses (`::ffff:1.2.3.4`) are normalised to IPv4.
+ */
 export declare function isIpAllowed(ip: string, allowlist: string[]): boolean;
 //# sourceMappingURL=ip-allowlist.d.ts.map

package/dist/security/ip-allowlist.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"ip-allowlist.d.ts","sourceRoot":"","sources":["../../src/security/ip-allowlist.ts"],"names":[],"mappings":"AAAA,kFAAkF;AAClF,wBAAgB,WAAW,CACzB,EAAE,EAAE,MAAM,EACV,SAAS,EAAE,MAAM,EAAE,GAClB,OAAO,CAWT"}
+{"version":3,"file":"ip-allowlist.d.ts","sourceRoot":"","sources":["../../src/security/ip-allowlist.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AACH,wBAAgB,WAAW,CAAC,EAAE,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,EAAE,GAAG,OAAO,CAcpE"}

package/dist/security/ip-allowlist.js

@@ -1,35 +1,141 @@
-/** Check whether an IP address is within a list of allowed IPs or CIDR ranges. */
+/**
+ * IP allowlist matcher supporting both IPv4 and IPv6, including CIDR ranges.
+ *
+ * - Empty allowlist allows everything (the integrator opted out).
+ * - When the allowlist is non-empty, the literal `'unknown'` (the sentinel
+ *   returned by the trusted-IP resolver when no proxy header was present)
+ *   never matches.
+ * - IPv4 entries match IPv4 addresses (with optional `/n` CIDR mask, n=0..32).
+ * - IPv6 entries match IPv6 addresses (with optional `/n` CIDR mask, n=0..128).
+ *   Two IPv6 strings are equal when their canonical 16-byte form matches —
+ *   so `2001:db8::1` matches `2001:db8:0:0:0:0:0:1`.
+ * - Mapped IPv4-in-IPv6 addresses (`::ffff:1.2.3.4`) are normalised to IPv4.
+ */
 export function isIpAllowed(ip, allowlist) {
     if (allowlist.length === 0)
         return true;
+    if (!ip || ip === 'unknown')
+        return false;
+    const normalised = normaliseIp(ip);
     for (const entry of allowlist) {
-        if (entry.includes("/")) {
-            if (isInCidr(ip, entry))
+        if (entry.includes('/')) {
+            if (isInCidr(normalised, entry))
                 return true;
         }
-        else if (ip === entry) {
+        else if (ipsEqual(normalised, normaliseIp(entry))) {
             return true;
         }
     }
     return false;
 }
+function ipsEqual(a, b) {
+    if (a === b)
+        return true;
+    // Compare IPv6 by canonical bytes so `2001:db8::1` === `2001:db8:0:0:0:0:0:1`.
+    if (a.includes(':') && b.includes(':')) {
+        const ca = canonicalIpv6(a);
+        const cb = canonicalIpv6(b);
+        return ca !== null && cb !== null && ca === cb;
+    }
+    return false;
+}
+function canonicalIpv6(ip) {
+    const bytes = ipv6ToBytes(ip);
+    if (!bytes)
+        return null;
+    let out = '';
+    for (let i = 0; i < 16; i++) {
+        out += (bytes[i] ?? 0).toString(16).padStart(2, '0');
+    }
+    return out;
+}
+function normaliseIp(ip) {
+    const trimmed = ip.trim();
+    // ::ffff:1.2.3.4 → 1.2.3.4
+    if (trimmed.toLowerCase().startsWith('::ffff:')) {
+        const v4 = trimmed.slice(7);
+        if (isValidIPv4(v4))
+            return v4;
+    }
+    return trimmed;
+}
+function isValidIPv4(s) {
+    const parts = s.split('.').map(Number);
+    return parts.length === 4 && parts.every((p) => Number.isInteger(p) && p >= 0 && p <= 255);
+}
 function isInCidr(ip, cidr) {
-    const [range, bitsStr] = cidr.split("/");
+    const [range, bitsStr] = cidr.split('/');
     if (!range || !bitsStr)
         return false;
     const bits = parseInt(bitsStr, 10);
-    const ipNum = ipToNumber(ip);
-    const rangeNum = ipToNumber(range);
+    if (Number.isNaN(bits))
+        return false;
+    if (ip.includes(':') || range.includes(':')) {
+        return matchIpv6Cidr(ip, range, bits);
+    }
+    return matchIpv4Cidr(ip, range, bits);
+}
+function matchIpv4Cidr(ip, range, bits) {
+    if (bits < 0 || bits > 32)
+        return false;
+    const ipNum = ipv4ToNumber(ip);
+    const rangeNum = ipv4ToNumber(range);
     if (ipNum === null || rangeNum === null)
         return false;
+    if (bits === 0)
+        return true;
     const mask = ~((1 << (32 - bits)) - 1) >>> 0;
     return (ipNum & mask) === (rangeNum & mask);
 }
-function ipToNumber(ip) {
-    const parts = ip.split(".").map(Number);
-    if (parts.length !== 4 || parts.some((p) => isNaN(p) || p < 0 || p > 255)) {
+function ipv4ToNumber(ip) {
+    if (!isValidIPv4(ip))
         return null;
-    }
+    const parts = ip.split('.').map(Number);
     return ((parts[0] << 24) | (parts[1] << 16) | (parts[2] << 8) | parts[3]) >>> 0;
 }
+function matchIpv6Cidr(ip, range, bits) {
+    if (bits < 0 || bits > 128)
+        return false;
+    const ipBytes = ipv6ToBytes(ip);
+    const rangeBytes = ipv6ToBytes(range);
+    if (!ipBytes || !rangeBytes)
+        return false;
+    let remaining = bits;
+    for (let i = 0; i < 16 && remaining > 0; i++) {
+        const take = Math.min(8, remaining);
+        const mask = (0xff << (8 - take)) & 0xff;
+        if ((ipBytes[i] & mask) !== (rangeBytes[i] & mask))
+            return false;
+        remaining -= take;
+    }
+    return true;
+}
+/** Expand the `::` shorthand and return 16 bytes; null when the input isn't a valid IPv6. */
+function ipv6ToBytes(ip) {
+    // Reject IPv4-mapped form for the IPv6 path; caller normalises ::ffff:x.x.x.x first.
+    if (ip.includes('.'))
+        return null;
+    const halves = ip.split('::');
+    if (halves.length > 2)
+        return null;
+    const left = halves[0] ? halves[0].split(':') : [];
+    const groups = halves.length === 2 ? fillGroups(left, halves[1] ? halves[1].split(':') : []) : left;
+    if (groups.length !== 8)
+        return null;
+    const bytes = new Uint8Array(16);
+    for (let i = 0; i < 8; i++) {
+        const value = parseInt(groups[i] || '0', 16);
+        if (Number.isNaN(value) || value < 0 || value > 0xffff)
+            return null;
+        bytes[i * 2] = (value >> 8) & 0xff;
+        bytes[i * 2 + 1] = value & 0xff;
+    }
+    return bytes;
+}
+function fillGroups(left, right) {
+    const fill = 8 - left.length - right.length;
+    if (fill < 0)
+        return [];
+    return [...left, ...new Array(fill).fill('0'), ...right];
+}
 //# sourceMappingURL=ip-allowlist.js.map

package/dist/security/ip-allowlist.js.map

@@ -1 +1 @@
-{"version":3,"file":"ip-allowlist.js","sourceRoot":"","sources":["../../src/security/ip-allowlist.ts"],"names":[],"mappings":"AAAA,kFAAkF;AAClF,MAAM,UAAU,WAAW,CACzB,EAAU,EACV,SAAmB;IAEnB,IAAI,SAAS,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC;IAExC,KAAK,MAAM,KAAK,IAAI,SAAS,EAAE,CAAC;QAC9B,IAAI,KAAK,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;YACxB,IAAI,QAAQ,CAAC,EAAE,EAAE,KAAK,CAAC;gBAAE,OAAO,IAAI,CAAC;QACvC,CAAC;aAAM,IAAI,EAAE,KAAK,KAAK,EAAE,CAAC;YACxB,OAAO,IAAI,CAAC;QACd,CAAC;IACH,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAED,SAAS,QAAQ,CAAC,EAAU,EAAE,IAAY;IACxC,MAAM,CAAC,KAAK,EAAE,OAAO,CAAC,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IACzC,IAAI,CAAC,KAAK,IAAI,CAAC,OAAO;QAAE,OAAO,KAAK,CAAC;IAErC,MAAM,IAAI,GAAG,QAAQ,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC;IACnC,MAAM,KAAK,GAAG,UAAU,CAAC,EAAE,CAAC,CAAC;IAC7B,MAAM,QAAQ,GAAG,UAAU,CAAC,KAAK,CAAC,CAAC;IAEnC,IAAI,KAAK,KAAK,IAAI,IAAI,QAAQ,KAAK,IAAI;QAAE,OAAO,KAAK,CAAC;IAEtD,MAAM,IAAI,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,EAAE,GAAG,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,KAAK,CAAC,CAAC;IAC7C,OAAO,CAAC,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,QAAQ,GAAG,IAAI,CAAC,CAAC;AAC9C,CAAC;AAED,SAAS,UAAU,CAAC,EAAU;IAC5B,MAAM,KAAK,GAAG,EAAE,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;IACxC,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,IAAI,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,GAAG,GAAG,CAAC,EAAE,CAAC;QAC1E,OAAO,IAAI,CAAC;IACd,CAAC;IACD,OAAO,CAAC,CAAC,KAAK,CAAC,CAAC,CAAE,IAAI,EAAE,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,CAAE,IAAI,EAAE,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,CAAE,IAAI,CAAC,CAAC,GAAG,KAAK,CAAC,CAAC,CAAE,CAAC,KAAK,CAAC,CAAC;AACtF,CAAC"}
+{"version":3,"file":"ip-allowlist.js","sourceRoot":"","sources":["../../src/security/ip-allowlist.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AACH,MAAM,UAAU,WAAW,CAAC,EAAU,EAAE,SAAmB;IACzD,IAAI,SAAS,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,IAAI,CAAA;IACvC,IAAI,CAAC,EAAE,IAAI,EAAE,KAAK,SAAS;QAAE,OAAO,KAAK,CAAA;IAEzC,MAAM,UAAU,GAAG,WAAW,CAAC,EAAE,CAAC,CAAA;IAElC,KAAK,MAAM,KAAK,IAAI,SAAS,EAAE,CAAC;QAC9B,IAAI,KAAK,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;YACxB,IAAI,QAAQ,CAAC,UAAU,EAAE,KAAK,CAAC;gBAAE,OAAO,IAAI,CAAA;QAC9C,CAAC;aAAM,IAAI,QAAQ,CAAC,UAAU,EAAE,WAAW,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC;YACpD,OAAO,IAAI,CAAA;QACb,CAAC;IACH,CAAC;IACD,OAAO,KAAK,CAAA;AACd,CAAC;AAED,SAAS,QAAQ,CAAC,CAAS,EAAE,CAAS;IACpC,IAAI,CAAC,KAAK,CAAC;QAAE,OAAO,IAAI,CAAA;IACxB,+EAA+E;IAC/E,IAAI,CAAC,CAAC,QAAQ,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;QACvC,MAAM,EAAE,GAAG,aAAa,CAAC,CAAC,CAAC,CAAA;QAC3B,MAAM,EAAE,GAAG,aAAa,CAAC,CAAC,CAAC,CAAA;QAC3B,OAAO,EAAE,KAAK,IAAI,IAAI,EAAE,KAAK,IAAI,IAAI,EAAE,KAAK,EAAE,CAAA;IAChD,CAAC;IACD,OAAO,KAAK,CAAA;AACd,CAAC;AAED,SAAS,aAAa,CAAC,EAAU;IAC/B,MAAM,KAAK,GAAG,WAAW,CAAC,EAAE,CAAC,CAAA;IAC7B,IAAI,CAAC,KAAK;QAAE,OAAO,IAAI,CAAA;IACvB,IAAI,GAAG,GAAG,EAAE,CAAA;IACZ,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,EAAE,EAAE,CAAC,EAAE,EAAE,CAAC;QAC5B,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,CAAA;IACtD,CAAC;IACD,OAAO,GAAG,CAAA;AACZ,CAAC;AAED,SAAS,WAAW,CAAC,EAAU;IAC7B,MAAM,OAAO,GAAG,EAAE,CAAC,IAAI,EAAE,CAAA;IACzB,2BAA2B;IAC3B,IAAI,OAAO,CAAC,WAAW,EAAE,CAAC,UAAU,CAAC,SAAS,CAAC,EAAE,CAAC;QAChD,MAAM,EAAE,GAAG,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC,CAAA;QAC3B,IAAI,WAAW,CAAC,EAAE,CAAC;YAAE,OAAO,EAAE,CAAA;IAChC,CAAC;IACD,OAAO,OAAO,CAAA;AAChB,CAAC;AAED,SAAS,WAAW,CAAC,CAAS;IAC5B,MAAM,KAAK,GAAG,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC,CAAA;IACtC,OAAO,KAAK,CAAC,MAAM,KAAK,CAAC,IAAI,KAAK,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,GAAG,CAAC,CAAA;AAC5F,CAAC;AAED,SAAS,QAAQ,CAAC,EAAU,EAAE,IAAY;IACxC,MAAM,CAAC,KAAK,EAAE,OAAO,CAAC,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAA;IACxC,IAAI,CAAC,KAAK,IAAI,CAAC,OAAO;QAAE,OAAO,KAAK,CAAA;IACpC,MAAM,IAAI,GAAG,QAAQ,CAAC,OAAO,EAAE,EAAE,CAAC,CAAA;IAClC,IAAI,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC;QAAE,OAAO,KAAK,CAAA;IAEpC,IAAI,EAAE,CAAC,QAAQ,CAAC,GAAG,CAAC,IAAI,KAAK,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;QAC5C,OAAO,aAAa,CAAC,EAAE,EAAE,KAAK,EAAE,IAAI,CAAC,CAAA;IACvC,CAAC;IACD,OAAO,aAAa,CAAC,EAAE,EAAE,KAAK,EAAE,IAAI,CAAC,CAAA;AACvC,CAAC;AAED,SAAS,aAAa,CAAC,EAAU,EAAE,KAAa,EAAE,IAAY;IAC5D,IAAI,IAAI,GAAG,CAAC,IAAI,IAAI,GAAG,EAAE;QAAE,OAAO,KAAK,CAAA;IACvC,MAAM,KAAK,GAAG,YAAY,CAAC,EAAE,CAAC,CAAA;IAC9B,MAAM,QAAQ,GAAG,YAAY,CAAC,KAAK,CAAC,CAAA;IACpC,IAAI,KAAK,KAAK,IAAI,IAAI,QAAQ,KAAK,IAAI;QAAE,OAAO,KAAK,CAAA;IACrD,IAAI,IAAI,KAAK,CAAC;QAAE,OAAO,IAAI,CAAA;IAC3B,MAAM,IAAI,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,EAAE,GAAG,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,KAAK,CAAC,CAAA;IAC5C,OAAO,CAAC,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,QAAQ,GAAG,IAAI,CAAC,CAAA;AAC7C,CAAC;AAED,SAAS,YAAY,CAAC,EAAU;IAC9B,IAAI,CAAC,WAAW,CAAC,EAAE,CAAC;QAAE,OAAO,IAAI,CAAA;IACjC,MAAM,KAAK,GAAG,EAAE,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC,CAAA;IACvC,OAAO,CAAC,CAAC,KAAK,CAAC,CAAC,CAAE,IAAI,EAAE,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,CAAE,IAAI,EAAE,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,CAAE,IAAI,CAAC,CAAC,GAAG,KAAK,CAAC,CAAC,CAAE,CAAC,KAAK,CAAC,CAAA;AACrF,CAAC;AAED,SAAS,aAAa,CAAC,EAAU,EAAE,KAAa,EAAE,IAAY;IAC5D,IAAI,IAAI,GAAG,CAAC,IAAI,IAAI,GAAG,GAAG;QAAE,OAAO,KAAK,CAAA;IACxC,MAAM,OAAO,GAAG,WAAW,CAAC,EAAE,CAAC,CAAA;IAC/B,MAAM,UAAU,GAAG,WAAW,CAAC,KAAK,CAAC,CAAA;IACrC,IAAI,CAAC,OAAO,IAAI,CAAC,UAAU;QAAE,OAAO,KAAK,CAAA;IACzC,IAAI,SAAS,GAAG,IAAI,CAAA;IACpB,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,EAAE,IAAI,SAAS,GAAG,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC;QAC7C,MAAM,IAAI,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,SAAS,CAAC,CAAA;QACnC,MAAM,IAAI,GAAG,CAAC,IAAI,IAAI,CAAC,CAAC,GAAG,IAAI,CAAC,CAAC,GAAG,IAAI,CAAA;QACxC,IAAI,CAAC,OAAO,CAAC,CAAC,CAAE,GAAG,IAAI,CAAC,KAAK,CAAC,UAAU,CAAC,CAAC,CAAE,GAAG,IAAI,CAAC;YAAE,OAAO,KAAK,CAAA;QAClE,SAAS,IAAI,IAAI,CAAA;IACnB,CAAC;IACD,OAAO,IAAI,CAAA;AACb,CAAC;AAED,6FAA6F;AAC7F,SAAS,WAAW,CAAC,EAAU;IAC7B,qFAAqF;IACrF,IAAI,EAAE,CAAC,QAAQ,CAAC,GAAG,CAAC;QAAE,OAAO,IAAI,CAAA;IAEjC,MAAM,MAAM,GAAG,EAAE,CAAC,KAAK,CAAC,IAAI,CAAC,CAAA;IAC7B,IAAI,MAAM,CAAC,MAAM,GAAG,CAAC;QAAE,OAAO,IAAI,CAAA;IAElC,MAAM,IAAI,GAAG,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,EAAE,CAAA;IAClD,MAAM,MAAM,GACV,MAAM,CAAC,MAAM,KAAK,CAAC,CAAC,CAAC,CAAC,UAAU,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,IAAI,CAAA;IAEtF,IAAI,MAAM,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,IAAI,CAAA;IAEpC,MAAM,KAAK,GAAG,IAAI,UAAU,CAAC,EAAE,CAAC,CAAA;IAChC,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC;QAC3B,MAAM,KAAK,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,IAAI,GAAG,EAAE,EAAE,CAAC,CAAA;QAC5C,IAAI,MAAM,CAAC,KAAK,CAAC,KAAK,CAAC,IAAI,KAAK,GAAG,CAAC,IAAI,KAAK,GAAG,MAAM;YAAE,OAAO,IAAI,CAAA;QACnE,KAAK,CAAC,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,KAAK,IAAI,CAAC,CAAC,GAAG,IAAI,CAAA;QAClC,KAAK,CAAC,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,GAAG,KAAK,GAAG,IAAI,CAAA;IACjC,CAAC;IACD,OAAO,KAAK,CAAA;AACd,CAAC;AAED,SAAS,UAAU,CAAC,IAAc,EAAE,KAAe;IACjD,MAAM,IAAI,GAAG,CAAC,GAAG,IAAI,CAAC,MAAM,GAAG,KAAK,CAAC,MAAM,CAAA;IAC3C,IAAI,IAAI,GAAG,CAAC;QAAE,OAAO,EAAE,CAAA;IACvB,OAAO,CAAC,GAAG,IAAI,EAAE,GAAG,IAAI,KAAK,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,GAAG,KAAK,CAAC,CAAA;AAC1D,CAAC"}

package/dist/security/middleware.d.ts

@@ -1,5 +1,5 @@
-import { type SecurityHeadersConfig } from "./headers.js";
-import type { RateLimiter } from "./rate-limit.js";
+import { type SecurityHeadersConfig } from './headers.js';
+import type { RateLimiter } from './rate-limit.js';
 export interface SecurityMiddlewareConfig {
     headers?: SecurityHeadersConfig;
     csrf?: {

package/dist/security/middleware.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"middleware.d.ts","sourceRoot":"","sources":["../../src/security/middleware.ts"],"names":[],"mappings":"AAAA,OAAO,EAAsB,KAAK,qBAAqB,EAAE,MAAM,cAAc,CAAC;AAE9E,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,iBAAiB,CAAC;AAEnD,MAAM,WAAW,wBAAwB;IACvC,OAAO,CAAC,EAAE,qBAAqB,CAAC;IAChC,IAAI,CAAC,EAAE;QAAE,OAAO,EAAE,OAAO,CAAC;QAAC,UAAU,CAAC,EAAE,MAAM,CAAA;KAAE,CAAC;IACjD,SAAS,CAAC,EAAE,WAAW,CAAC;IACxB,YAAY,CAAC,EAAE,CAAC,OAAO,EAAE,OAAO,KAAK,MAAM,CAAC;CAC7C;AAED,MAAM,WAAW,wBAAwB;IACvC,OAAO,EAAE,OAAO,CAAC;IACjB,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAChC,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAED,4FAA4F;AAC5F,wBAAsB,uBAAuB,CAC3C,OAAO,EAAE,OAAO,EAChB,MAAM,EAAE,wBAAwB,GAC/B,OAAO,CAAC,wBAAwB,CAAC,CAiCnC"}
+{"version":3,"file":"middleware.d.ts","sourceRoot":"","sources":["../../src/security/middleware.ts"],"names":[],"mappings":"AAAA,OAAO,EAAsB,KAAK,qBAAqB,EAAE,MAAM,cAAc,CAAA;AAE7E,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,iBAAiB,CAAA;AAElD,MAAM,WAAW,wBAAwB;IACvC,OAAO,CAAC,EAAE,qBAAqB,CAAA;IAC/B,IAAI,CAAC,EAAE;QAAE,OAAO,EAAE,OAAO,CAAC;QAAC,UAAU,CAAC,EAAE,MAAM,CAAA;KAAE,CAAA;IAChD,SAAS,CAAC,EAAE,WAAW,CAAA;IACvB,YAAY,CAAC,EAAE,CAAC,OAAO,EAAE,OAAO,KAAK,MAAM,CAAA;CAC5C;AAED,MAAM,WAAW,wBAAwB;IACvC,OAAO,EAAE,OAAO,CAAA;IAChB,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAA;IAC/B,KAAK,CAAC,EAAE,MAAM,CAAA;IACd,MAAM,CAAC,EAAE,MAAM,CAAA;CAChB;AAED,4FAA4F;AAC5F,wBAAsB,uBAAuB,CAC3C,OAAO,EAAE,OAAO,EAChB,MAAM,EAAE,wBAAwB,GAC/B,OAAO,CAAC,wBAAwB,CAAC,CAiCnC"}

package/dist/security/middleware.js

@@ -1,5 +1,5 @@
-import { getSecurityHeaders } from "./headers.js";
-import { validateToken as validateCsrf } from "./csrf.js";
+import { getSecurityHeaders } from './headers.js';
+import { validateToken as validateCsrf } from './csrf.js';
 /** Compose a security middleware pipeline that applies headers, CSRF, and rate limiting. */
 export async function applySecurityMiddleware(request, config) {
     const responseHeaders = getSecurityHeaders(config.headers);
@@ -10,22 +10,22 @@ export async function applySecurityMiddleware(request, config) {
             return {
                 allowed: false,
                 headers: responseHeaders,
-                error: "Rate limit exceeded",
+                error: 'Rate limit exceeded',
                 status: 429,
             };
         }
-        responseHeaders["X-RateLimit-Remaining"] = String(result.remaining);
-        responseHeaders["X-RateLimit-Reset"] = result.resetAt.toISOString();
+        responseHeaders['X-RateLimit-Remaining'] = String(result.remaining);
+        responseHeaders['X-RateLimit-Reset'] = result.resetAt.toISOString();
     }
     if (config.csrf?.enabled && isMutatingMethod(request.method)) {
-        const csrfToken = request.headers.get("x-csrf-token") ?? "";
-        const cookieName = config.csrf.cookieName ?? "__actuate_csrf";
-        const storedToken = parseCookie(request.headers.get("cookie") ?? "", cookieName);
+        const csrfToken = request.headers.get('x-csrf-token') ?? '';
+        const cookieName = config.csrf.cookieName ?? '__actuate_csrf';
+        const storedToken = parseCookie(request.headers.get('cookie') ?? '', cookieName);
         if (!storedToken || !validateCsrf(csrfToken, storedToken)) {
             return {
                 allowed: false,
                 headers: responseHeaders,
-                error: "Invalid CSRF token",
+                error: 'Invalid CSRF token',
                 status: 403,
             };
         }
@@ -33,10 +33,10 @@ export async function applySecurityMiddleware(request, config) {
     return { allowed: true, headers: responseHeaders };
 }
 function isMutatingMethod(method) {
-    return ["POST", "PUT", "PATCH", "DELETE"].includes(method.toUpperCase());
+    return ['POST', 'PUT', 'PATCH', 'DELETE'].includes(method.toUpperCase());
 }
 function getClientIp(request) {
-    return request.headers.get("x-forwarded-for")?.split(",")[0]?.trim() ?? "unknown";
+    return request.headers.get('x-forwarded-for')?.split(',')[0]?.trim() ?? 'unknown';
 }
 function parseCookie(cookieHeader, name) {
     const match = cookieHeader.match(new RegExp(`(?:^|;\\s*)${name}=([^;]*)`));

package/dist/security/middleware.js.map

@@ -1 +1 @@
-{"version":3,"file":"middleware.js","sourceRoot":"","sources":["../../src/security/middleware.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,kBAAkB,EAA8B,MAAM,cAAc,CAAC;AAC9E,OAAO,EAAE,aAAa,IAAI,YAAY,EAAE,MAAM,WAAW,CAAC;AAiB1D,4FAA4F;AAC5F,MAAM,CAAC,KAAK,UAAU,uBAAuB,CAC3C,OAAgB,EAChB,MAAgC;IAEhC,MAAM,eAAe,GAAG,kBAAkB,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;IAE3D,IAAI,MAAM,CAAC,SAAS,EAAE,CAAC;QACrB,MAAM,GAAG,GAAG,MAAM,CAAC,YAAY,EAAE,CAAC,OAAO,CAAC,IAAI,WAAW,CAAC,OAAO,CAAC,CAAC;QACnE,MAAM,MAAM,GAAG,MAAM,MAAM,CAAC,SAAS,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QACjD,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC;YACpB,OAAO;gBACL,OAAO,EAAE,KAAK;gBACd,OAAO,EAAE,eAAe;gBACxB,KAAK,EAAE,qBAAqB;gBAC5B,MAAM,EAAE,GAAG;aACZ,CAAC;QACJ,CAAC;QACD,eAAe,CAAC,uBAAuB,CAAC,GAAG,MAAM,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;QACpE,eAAe,CAAC,mBAAmB,CAAC,GAAG,MAAM,CAAC,OAAO,CAAC,WAAW,EAAE,CAAC;IACtE,CAAC;IAED,IAAI,MAAM,CAAC,IAAI,EAAE,OAAO,IAAI,gBAAgB,CAAC,OAAO,CAAC,MAAM,CAAC,EAAE,CAAC;QAC7D,MAAM,SAAS,GAAG,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,cAAc,CAAC,IAAI,EAAE,CAAC;QAC5D,MAAM,UAAU,GAAG,MAAM,CAAC,IAAI,CAAC,UAAU,IAAI,gBAAgB,CAAC;QAC9D,MAAM,WAAW,GAAG,WAAW,CAAC,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAC,IAAI,EAAE,EAAE,UAAU,CAAC,CAAC;QACjF,IAAI,CAAC,WAAW,IAAI,CAAC,YAAY,CAAC,SAAS,EAAE,WAAW,CAAC,EAAE,CAAC;YAC1D,OAAO;gBACL,OAAO,EAAE,KAAK;gBACd,OAAO,EAAE,eAAe;gBACxB,KAAK,EAAE,oBAAoB;gBAC3B,MAAM,EAAE,GAAG;aACZ,CAAC;QACJ,CAAC;IACH,CAAC;IAED,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,eAAe,EAAE,CAAC;AACrD,CAAC;AAED,SAAS,gBAAgB,CAAC,MAAc;IACtC,OAAO,CAAC,MAAM,EAAE,KAAK,EAAE,OAAO,EAAE,QAAQ,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,WAAW,EAAE,CAAC,CAAC;AAC3E,CAAC;AAED,SAAS,WAAW,CAAC,OAAgB;IACnC,OAAO,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,iBAAiB,CAAC,EAAE,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,EAAE,IAAI,EAAE,IAAI,SAAS,CAAC;AACpF,CAAC;AAED,SAAS,WAAW,CAAC,YAAoB,EAAE,IAAY;IACrD,MAAM,KAAK,GAAG,YAAY,CAAC,KAAK,CAAC,IAAI,MAAM,CAAC,cAAc,IAAI,UAAU,CAAC,CAAC,CAAC;IAC3E,OAAO,KAAK,EAAE,CAAC,CAAC,CAAC,CAAC;AACpB,CAAC"}
+{"version":3,"file":"middleware.js","sourceRoot":"","sources":["../../src/security/middleware.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,kBAAkB,EAA8B,MAAM,cAAc,CAAA;AAC7E,OAAO,EAAE,aAAa,IAAI,YAAY,EAAE,MAAM,WAAW,CAAA;AAiBzD,4FAA4F;AAC5F,MAAM,CAAC,KAAK,UAAU,uBAAuB,CAC3C,OAAgB,EAChB,MAAgC;IAEhC,MAAM,eAAe,GAAG,kBAAkB,CAAC,MAAM,CAAC,OAAO,CAAC,CAAA;IAE1D,IAAI,MAAM,CAAC,SAAS,EAAE,CAAC;QACrB,MAAM,GAAG,GAAG,MAAM,CAAC,YAAY,EAAE,CAAC,OAAO,CAAC,IAAI,WAAW,CAAC,OAAO,CAAC,CAAA;QAClE,MAAM,MAAM,GAAG,MAAM,MAAM,CAAC,SAAS,CAAC,KAAK,CAAC,GAAG,CAAC,CAAA;QAChD,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC;YACpB,OAAO;gBACL,OAAO,EAAE,KAAK;gBACd,OAAO,EAAE,eAAe;gBACxB,KAAK,EAAE,qBAAqB;gBAC5B,MAAM,EAAE,GAAG;aACZ,CAAA;QACH,CAAC;QACD,eAAe,CAAC,uBAAuB,CAAC,GAAG,MAAM,CAAC,MAAM,CAAC,SAAS,CAAC,CAAA;QACnE,eAAe,CAAC,mBAAmB,CAAC,GAAG,MAAM,CAAC,OAAO,CAAC,WAAW,EAAE,CAAA;IACrE,CAAC;IAED,IAAI,MAAM,CAAC,IAAI,EAAE,OAAO,IAAI,gBAAgB,CAAC,OAAO,CAAC,MAAM,CAAC,EAAE,CAAC;QAC7D,MAAM,SAAS,GAAG,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,cAAc,CAAC,IAAI,EAAE,CAAA;QAC3D,MAAM,UAAU,GAAG,MAAM,CAAC,IAAI,CAAC,UAAU,IAAI,gBAAgB,CAAA;QAC7D,MAAM,WAAW,GAAG,WAAW,CAAC,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAC,IAAI,EAAE,EAAE,UAAU,CAAC,CAAA;QAChF,IAAI,CAAC,WAAW,IAAI,CAAC,YAAY,CAAC,SAAS,EAAE,WAAW,CAAC,EAAE,CAAC;YAC1D,OAAO;gBACL,OAAO,EAAE,KAAK;gBACd,OAAO,EAAE,eAAe;gBACxB,KAAK,EAAE,oBAAoB;gBAC3B,MAAM,EAAE,GAAG;aACZ,CAAA;QACH,CAAC;IACH,CAAC;IAED,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,eAAe,EAAE,CAAA;AACpD,CAAC;AAED,SAAS,gBAAgB,CAAC,MAAc;IACtC,OAAO,CAAC,MAAM,EAAE,KAAK,EAAE,OAAO,EAAE,QAAQ,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,WAAW,EAAE,CAAC,CAAA;AAC1E,CAAC;AAED,SAAS,WAAW,CAAC,OAAgB;IACnC,OAAO,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,iBAAiB,CAAC,EAAE,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,EAAE,IAAI,EAAE,IAAI,SAAS,CAAA;AACnF,CAAC;AAED,SAAS,WAAW,CAAC,YAAoB,EAAE,IAAY;IACrD,MAAM,KAAK,GAAG,YAAY,CAAC,KAAK,CAAC,IAAI,MAAM,CAAC,cAAc,IAAI,UAAU,CAAC,CAAC,CAAA;IAC1E,OAAO,KAAK,EAAE,CAAC,CAAC,CAAC,CAAA;AACnB,CAAC"}

package/dist/security/rate-limit.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"rate-limit.d.ts","sourceRoot":"","sources":["../../src/security/rate-limit.ts"],"names":[],"mappings":"AAAA,MAAM,WAAW,eAAe;IAC9B,OAAO,EAAE,OAAO,CAAC;IACjB,SAAS,EAAE,MAAM,CAAC;IAClB,OAAO,EAAE,IAAI,CAAC;IACd,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB;AAED,MAAM,WAAW,WAAW;IAC1B,KAAK,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,eAAe,CAAC,CAAC;IAC7C,KAAK,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;CACnC;AAED,MAAM,WAAW,eAAe;IAC9B,QAAQ,EAAE,MAAM,CAAC;IACjB,WAAW,EAAE,MAAM,CAAC;CACrB;AAED,4FAA4F;AAC5F,wBAAgB,yBAAyB,CAAC,MAAM,EAAE,eAAe,GAAG,WAAW,CA4B9E;AAED,iFAAiF;AACjF,wBAAgB,wBAAwB,CAAC,MAAM,EAAE,eAAe,GAAG,WAAW,CAiD7E;AAED;;;GAGG;AACH,wBAAgB,iBAAiB,CAAC,MAAM,EAAE,eAAe,GAAG,WAAW,CAStE"}
+{"version":3,"file":"rate-limit.d.ts","sourceRoot":"","sources":["../../src/security/rate-limit.ts"],"names":[],"mappings":"AAAA,MAAM,WAAW,eAAe;IAC9B,OAAO,EAAE,OAAO,CAAA;IAChB,SAAS,EAAE,MAAM,CAAA;IACjB,OAAO,EAAE,IAAI,CAAA;IACb,UAAU,CAAC,EAAE,MAAM,CAAA;CACpB;AAED,MAAM,WAAW,WAAW;IAC1B,KAAK,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,eAAe,CAAC,CAAA;IAC5C,KAAK,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAA;CAClC;AAED,MAAM,WAAW,eAAe;IAC9B,QAAQ,EAAE,MAAM,CAAA;IAChB,WAAW,EAAE,MAAM,CAAA;CACpB;AAED,4FAA4F;AAC5F,wBAAgB,yBAAyB,CAAC,MAAM,EAAE,eAAe,GAAG,WAAW,CA4B9E;AAED,iFAAiF;AACjF,wBAAgB,wBAAwB,CAAC,MAAM,EAAE,eAAe,GAAG,WAAW,CAqF7E;AAED;;;GAGG;AACH,wBAAgB,iBAAiB,CAAC,MAAM,EAAE,eAAe,GAAG,WAAW,CAStE"}

package/dist/security/rate-limit.js

@@ -31,38 +31,70 @@ export function createUpstashRateLimiter(config) {
     if (!url || !token) {
         throw new Error('UPSTASH_REDIS_REST_URL and UPSTASH_REDIS_REST_TOKEN are required');
     }
-    async function redisCommand(command) {
-        const response = await fetch(`${url}`, {
+    async function redisPipeline(commands) {
+        // Upstash exposes pipelined commands via the /pipeline endpoint. Sending
+        // INCR + EXPIRE in a single round-trip eliminates the race where the
+        // process dies after INCR (or where EXPIRE silently fails) and leaves a
+        // counter that never resets — a subtle DoS where one unlucky user is
+        // permanently locked out.
+        const response = await fetch(`${url}/pipeline`, {
             method: 'POST',
             headers: {
                 Authorization: `Bearer ${token}`,
                 'Content-Type': 'application/json',
             },
-            body: JSON.stringify(command),
+            body: JSON.stringify(commands),
         });
-        const data = await response.json();
-        return data?.result;
+        if (!response.ok) {
+            throw new Error(`Upstash pipeline returned ${response.status}`);
+        }
+        const data = (await response.json());
+        return data.map((entry) => entry?.result);
     }
     const windowSec = Math.ceil(config.windowMs / 1000);
     return {
         async check(key) {
             const redisKey = `ratelimit:${key}`;
-            const count = await redisCommand(['INCR', redisKey]);
-            if (count === 1) {
-                await redisCommand(['EXPIRE', redisKey, String(windowSec)]);
+            try {
+                const [count, _expireResult, ttl] = (await redisPipeline([
+                    ['INCR', redisKey],
+                    ['EXPIRE', redisKey, String(windowSec), 'NX'], // only set when no TTL exists
+                    ['TTL', redisKey],
+                ]));
+                // Belt-and-braces: if Redis reports the key with no TTL, set one. This
+                // can only happen if the EXPIRE NX above wasn't supported, in which
+                // case we still want to bound the counter's lifetime.
+                if (ttl < 0) {
+                    await redisPipeline([['EXPIRE', redisKey, String(windowSec)]]).catch(() => undefined);
+                }
+                const effectiveTtl = ttl > 0 ? ttl : windowSec;
+                const resetAt = new Date(Date.now() + effectiveTtl * 1000);
+                const allowed = count <= config.maxRequests;
+                return {
+                    allowed,
+                    remaining: Math.max(0, config.maxRequests - count),
+                    resetAt,
+                    retryAfter: allowed ? undefined : effectiveTtl,
+                };
+            }
+            catch (err) {
+                // Fail open with logging — a Redis outage should NOT take the entire
+                // CMS offline. Audit-level logging makes the degradation visible.
+                console.error('[actuate][rate-limit] Upstash request failed, allowing through:', err instanceof Error ? err.message : err);
+                return {
+                    allowed: true,
+                    remaining: Math.max(0, config.maxRequests - 1),
+                    resetAt: new Date(Date.now() + config.windowMs),
+                };
             }
-            const ttl = await redisCommand(['TTL', redisKey]);
-            const resetAt = new Date(Date.now() + (ttl > 0 ? ttl * 1000 : config.windowMs));
-            const allowed = count <= config.maxRequests;
-            return {
-                allowed,
-                remaining: Math.max(0, config.maxRequests - count),
-                resetAt,
-                retryAfter: allowed ? undefined : ttl > 0 ? ttl : Math.ceil(config.windowMs / 1000),
-            };
         },
         async reset(key) {
-            await redisCommand(['DEL', `ratelimit:${key}`]);
+            try {
+                await redisPipeline([['DEL', `ratelimit:${key}`]]);
+            }
+            catch (err) {
+                console.error('[actuate][rate-limit] Upstash reset failed:', err instanceof Error ? err.message : err);
+            }
         },
     };
 }

package/dist/security/rate-limit.js.map

@@ -1 +1 @@
-{"version":3,"file":"rate-limit.js","sourceRoot":"","sources":["../../src/security/rate-limit.ts"],"names":[],"mappings":"AAiBA,4FAA4F;AAC5F,MAAM,UAAU,yBAAyB,CAAC,MAAuB;IAC/D,MAAM,OAAO,GAAG,IAAI,GAAG,EAA8C,CAAC;IAEtE,OAAO;QACL,KAAK,CAAC,KAAK,CAAC,GAAW;YACrB,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;YACvB,MAAM,KAAK,GAAG,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;YAE/B,IAAI,CAAC,KAAK,IAAI,GAAG,GAAG,KAAK,CAAC,OAAO,EAAE,CAAC;gBAClC,MAAM,OAAO,GAAG,GAAG,GAAG,MAAM,CAAC,QAAQ,CAAC;gBACtC,OAAO,CAAC,GAAG,CAAC,GAAG,EAAE,EAAE,KAAK,EAAE,CAAC,EAAE,OAAO,EAAE,CAAC,CAAC;gBACxC,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,SAAS,EAAE,MAAM,CAAC,WAAW,GAAG,CAAC,EAAE,OAAO,EAAE,IAAI,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC;YAC1F,CAAC;YAED,KAAK,CAAC,KAAK,EAAE,CAAC;YACd,MAAM,OAAO,GAAG,KAAK,CAAC,KAAK,IAAI,MAAM,CAAC,WAAW,CAAC;YAClD,OAAO;gBACL,OAAO;gBACP,SAAS,EAAE,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,MAAM,CAAC,WAAW,GAAG,KAAK,CAAC,KAAK,CAAC;gBACxD,OAAO,EAAE,IAAI,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC;gBAChC,UAAU,EAAE,OAAO,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,KAAK,CAAC,OAAO,GAAG,GAAG,CAAC,GAAG,IAAI,CAAC;aAC1E,CAAC;QACJ,CAAC;QAED,KAAK,CAAC,KAAK,CAAC,GAAW;YACrB,OAAO,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;QACtB,CAAC;KACF,CAAC;AACJ,CAAC;AAED,iFAAiF;AACjF,MAAM,UAAU,wBAAwB,CAAC,MAAuB;IAC9D,MAAM,GAAG,GAAG,OAAO,CAAC,GAAG,CAAC,sBAAsB,CAAC;IAC/C,MAAM,KAAK,GAAG,OAAO,CAAC,GAAG,CAAC,wBAAwB,CAAC;IAEnD,IAAI,CAAC,GAAG,IAAI,CAAC,KAAK,EAAE,CAAC;QACnB,MAAM,IAAI,KAAK,CAAC,kEAAkE,CAAC,CAAC;IACtF,CAAC;IAED,KAAK,UAAU,YAAY,CAAC,OAAiB;QAC3C,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,GAAG,GAAG,EAAE,EAAE;YACrC,MAAM,EAAE,MAAM;YACd,OAAO,EAAE;gBACP,aAAa,EAAE,UAAU,KAAK,EAAE;gBAChC,cAAc,EAAE,kBAAkB;aACnC;YACD,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC;SAC9B,CAAC,CAAC;QACH,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;QACnC,OAAO,IAAI,EAAE,MAAM,CAAC;IACtB,CAAC;IAED,MAAM,SAAS,GAAG,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,QAAQ,GAAG,IAAI,CAAC,CAAC;IAEpD,OAAO;QACL,KAAK,CAAC,KAAK,CAAC,GAAW;YACrB,MAAM,QAAQ,GAAG,aAAa,GAAG,EAAE,CAAC;YAEpC,MAAM,KAAK,GAAG,MAAM,YAAY,CAAC,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC,CAAC;YAErD,IAAI,KAAK,KAAK,CAAC,EAAE,CAAC;gBAChB,MAAM,YAAY,CAAC,CAAC,QAAQ,EAAE,QAAQ,EAAE,MAAM,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC;YAC9D,CAAC;YAED,MAAM,GAAG,GAAG,MAAM,YAAY,CAAC,CAAC,KAAK,EAAE,QAAQ,CAAC,CAAC,CAAC;YAClD,MAAM,OAAO,GAAG,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,CAAC,GAAG,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,GAAG,IAAI,CAAC,CAAC,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC;YAChF,MAAM,OAAO,GAAG,KAAK,IAAI,MAAM,CAAC,WAAW,CAAC;YAE5C,OAAO;gBACL,OAAO;gBACP,SAAS,EAAE,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,MAAM,CAAC,WAAW,GAAG,KAAK,CAAC;gBAClD,OAAO;gBACP,UAAU,EAAE,OAAO,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,GAAG,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,QAAQ,GAAG,IAAI,CAAC;aACpF,CAAC;QACJ,CAAC;QAED,KAAK,CAAC,KAAK,CAAC,GAAW;YACrB,MAAM,YAAY,CAAC,CAAC,KAAK,EAAE,aAAa,GAAG,EAAE,CAAC,CAAC,CAAC;QAClD,CAAC;KACF,CAAC;AACJ,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,iBAAiB,CAAC,MAAuB;IACvD,IAAI,OAAO,CAAC,GAAG,CAAC,sBAAsB,IAAI,OAAO,CAAC,GAAG,CAAC,wBAAwB,EAAE,CAAC;QAC/E,IAAI,CAAC;YACH,OAAO,wBAAwB,CAAC,MAAM,CAAC,CAAC;QAC1C,CAAC;QAAC,MAAM,CAAC;YACP,8CAA8C;QAChD,CAAC;IACH,CAAC;IACD,OAAO,yBAAyB,CAAC,MAAM,CAAC,CAAC;AAC3C,CAAC"}
+{"version":3,"file":"rate-limit.js","sourceRoot":"","sources":["../../src/security/rate-limit.ts"],"names":[],"mappings":"AAiBA,4FAA4F;AAC5F,MAAM,UAAU,yBAAyB,CAAC,MAAuB;IAC/D,MAAM,OAAO,GAAG,IAAI,GAAG,EAA8C,CAAA;IAErE,OAAO;QACL,KAAK,CAAC,KAAK,CAAC,GAAW;YACrB,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAA;YACtB,MAAM,KAAK,GAAG,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC,CAAA;YAE9B,IAAI,CAAC,KAAK,IAAI,GAAG,GAAG,KAAK,CAAC,OAAO,EAAE,CAAC;gBAClC,MAAM,OAAO,GAAG,GAAG,GAAG,MAAM,CAAC,QAAQ,CAAA;gBACrC,OAAO,CAAC,GAAG,CAAC,GAAG,EAAE,EAAE,KAAK,EAAE,CAAC,EAAE,OAAO,EAAE,CAAC,CAAA;gBACvC,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,SAAS,EAAE,MAAM,CAAC,WAAW,GAAG,CAAC,EAAE,OAAO,EAAE,IAAI,IAAI,CAAC,OAAO,CAAC,EAAE,CAAA;YACzF,CAAC;YAED,KAAK,CAAC,KAAK,EAAE,CAAA;YACb,MAAM,OAAO,GAAG,KAAK,CAAC,KAAK,IAAI,MAAM,CAAC,WAAW,CAAA;YACjD,OAAO;gBACL,OAAO;gBACP,SAAS,EAAE,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,MAAM,CAAC,WAAW,GAAG,KAAK,CAAC,KAAK,CAAC;gBACxD,OAAO,EAAE,IAAI,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC;gBAChC,UAAU,EAAE,OAAO,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,KAAK,CAAC,OAAO,GAAG,GAAG,CAAC,GAAG,IAAI,CAAC;aAC1E,CAAA;QACH,CAAC;QAED,KAAK,CAAC,KAAK,CAAC,GAAW;YACrB,OAAO,CAAC,MAAM,CAAC,GAAG,CAAC,CAAA;QACrB,CAAC;KACF,CAAA;AACH,CAAC;AAED,iFAAiF;AACjF,MAAM,UAAU,wBAAwB,CAAC,MAAuB;IAC9D,MAAM,GAAG,GAAG,OAAO,CAAC,GAAG,CAAC,sBAAsB,CAAA;IAC9C,MAAM,KAAK,GAAG,OAAO,CAAC,GAAG,CAAC,wBAAwB,CAAA;IAElD,IAAI,CAAC,GAAG,IAAI,CAAC,KAAK,EAAE,CAAC;QACnB,MAAM,IAAI,KAAK,CAAC,kEAAkE,CAAC,CAAA;IACrF,CAAC;IAED,KAAK,UAAU,aAAa,CAAC,QAAoB;QAC/C,yEAAyE;QACzE,qEAAqE;QACrE,wEAAwE;QACxE,qEAAqE;QACrE,0BAA0B;QAC1B,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,GAAG,GAAG,WAAW,EAAE;YAC9C,MAAM,EAAE,MAAM;YACd,OAAO,EAAE;gBACP,aAAa,EAAE,UAAU,KAAK,EAAE;gBAChC,cAAc,EAAE,kBAAkB;aACnC;YACD,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC;SAC/B,CAAC,CAAA;QACF,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;YACjB,MAAM,IAAI,KAAK,CAAC,6BAA6B,QAAQ,CAAC,MAAM,EAAE,CAAC,CAAA;QACjE,CAAC;QACD,MAAM,IAAI,GAAG,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAA4C,CAAA;QAC/E,OAAO,IAAI,CAAC,GAAG,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,KAAK,EAAE,MAAM,CAAC,CAAA;IAC3C,CAAC;IAED,MAAM,SAAS,GAAG,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,QAAQ,GAAG,IAAI,CAAC,CAAA;IAEnD,OAAO;QACL,KAAK,CAAC,KAAK,CAAC,GAAW;YACrB,MAAM,QAAQ,GAAG,aAAa,GAAG,EAAE,CAAA;YAEnC,IAAI,CAAC;gBACH,MAAM,CAAC,KAAK,EAAE,aAAa,EAAE,GAAG,CAAC,GAAG,CAAC,MAAM,aAAa,CAAC;oBACvD,CAAC,MAAM,EAAE,QAAQ,CAAC;oBAClB,CAAC,QAAQ,EAAE,QAAQ,EAAE,MAAM,CAAC,SAAS,CAAC,EAAE,IAAI,CAAC,EAAE,8BAA8B;oBAC7E,CAAC,KAAK,EAAE,QAAQ,CAAC;iBAClB,CAAC,CAA6B,CAAA;gBAE/B,uEAAuE;gBACvE,oEAAoE;gBACpE,sDAAsD;gBACtD,IAAI,GAAG,GAAG,CAAC,EAAE,CAAC;oBACZ,MAAM,aAAa,CAAC,CAAC,CAAC,QAAQ,EAAE,QAAQ,EAAE,MAAM,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,SAAS,CAAC,CAAA;gBACvF,CAAC;gBAED,MAAM,YAAY,GAAG,GAAG,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,SAAS,CAAA;gBAC9C,MAAM,OAAO,GAAG,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,YAAY,GAAG,IAAI,CAAC,CAAA;gBAC1D,MAAM,OAAO,GAAG,KAAK,IAAI,MAAM,CAAC,WAAW,CAAA;gBAE3C,OAAO;oBACL,OAAO;oBACP,SAAS,EAAE,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,MAAM,CAAC,WAAW,GAAG,KAAK,CAAC;oBAClD,OAAO;oBACP,UAAU,EAAE,OAAO,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,YAAY;iBAC/C,CAAA;YACH,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACb,qEAAqE;gBACrE,kEAAkE;gBAClE,OAAO,CAAC,KAAK,CACX,iEAAiE,EACjE,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,GAAG,CACzC,CAAA;gBACD,OAAO;oBACL,OAAO,EAAE,IAAI;oBACb,SAAS,EAAE,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,MAAM,CAAC,WAAW,GAAG,CAAC,CAAC;oBAC9C,OAAO,EAAE,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,MAAM,CAAC,QAAQ,CAAC;iBAChD,CAAA;YACH,CAAC;QACH,CAAC;QAED,KAAK,CAAC,KAAK,CAAC,GAAW;YACrB,IAAI,CAAC;gBACH,MAAM,aAAa,CAAC,CAAC,CAAC,KAAK,EAAE,aAAa,GAAG,EAAE,CAAC,CAAC,CAAC,CAAA;YACpD,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACb,OAAO,CAAC,KAAK,CACX,6CAA6C,EAC7C,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,GAAG,CACzC,CAAA;YACH,CAAC;QACH,CAAC;KACF,CAAA;AACH,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,iBAAiB,CAAC,MAAuB;IACvD,IAAI,OAAO,CAAC,GAAG,CAAC,sBAAsB,IAAI,OAAO,CAAC,GAAG,CAAC,wBAAwB,EAAE,CAAC;QAC/E,IAAI,CAAC;YACH,OAAO,wBAAwB,CAAC,MAAM,CAAC,CAAA;QACzC,CAAC;QAAC,MAAM,CAAC;YACP,8CAA8C;QAChD,CAAC;IACH,CAAC;IACD,OAAO,yBAAyB,CAAC,MAAM,CAAC,CAAA;AAC1C,CAAC"}

package/dist/security/reauth.d.ts

@@ -9,7 +9,7 @@ export interface ReauthContext {
 /** Check whether a sensitive action requires re-authentication. */
 export declare function requiresReauth(context: ReauthContext, config: ReauthConfig): boolean;
 /** Verify re-authentication credentials (password or TOTP). */
-export declare function verifyReauth(userId: string, credential: string, method: "password" | "totp", db?: any): Promise<boolean>;
+export declare function verifyReauth(userId: string, credential: string, method: 'password' | 'totp', db?: any): Promise<boolean>;
 /** Default configuration for sensitive actions requiring re-auth. */
 export declare const DEFAULT_REAUTH_CONFIG: ReauthConfig;
 //# sourceMappingURL=reauth.d.ts.map

package/dist/security/reauth.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"reauth.d.ts","sourceRoot":"","sources":["../../src/security/reauth.ts"],"names":[],"mappings":"AAEA,MAAM,WAAW,YAAY;IAC3B,aAAa,EAAE,MAAM,CAAC;IACtB,kBAAkB,EAAE,MAAM,EAAE,CAAC;CAC9B;AAED,MAAM,WAAW,aAAa;IAC5B,UAAU,EAAE,IAAI,CAAC;IACjB,MAAM,EAAE,MAAM,CAAC;CAChB;AAED,mEAAmE;AACnE,wBAAgB,cAAc,CAC5B,OAAO,EAAE,aAAa,EACtB,MAAM,EAAE,YAAY,GACnB,OAAO,CAIT;AAED,+DAA+D;AAC/D,wBAAsB,YAAY,CAChC,MAAM,EAAE,MAAM,EACd,UAAU,EAAE,MAAM,EAClB,MAAM,EAAE,UAAU,GAAG,MAAM,EAC3B,EAAE,CAAC,EAAE,GAAG,GACP,OAAO,CAAC,OAAO,CAAC,CA8BlB;AAED,qEAAqE;AACrE,eAAO,MAAM,qBAAqB,EAAE,YASnC,CAAC"}
+{"version":3,"file":"reauth.d.ts","sourceRoot":"","sources":["../../src/security/reauth.ts"],"names":[],"mappings":"AAEA,MAAM,WAAW,YAAY;IAC3B,aAAa,EAAE,MAAM,CAAA;IACrB,kBAAkB,EAAE,MAAM,EAAE,CAAA;CAC7B;AAED,MAAM,WAAW,aAAa;IAC5B,UAAU,EAAE,IAAI,CAAA;IAChB,MAAM,EAAE,MAAM,CAAA;CACf;AAED,mEAAmE;AACnE,wBAAgB,cAAc,CAAC,OAAO,EAAE,aAAa,EAAE,MAAM,EAAE,YAAY,GAAG,OAAO,CAIpF;AAED,+DAA+D;AAC/D,wBAAsB,YAAY,CAChC,MAAM,EAAE,MAAM,EACd,UAAU,EAAE,MAAM,EAClB,MAAM,EAAE,UAAU,GAAG,MAAM,EAC3B,EAAE,CAAC,EAAE,GAAG,GACP,OAAO,CAAC,OAAO,CAAC,CA8BlB;AAED,qEAAqE;AACrE,eAAO,MAAM,qBAAqB,EAAE,YASnC,CAAA"}

package/dist/security/reauth.js.map

@@ -1 +1 @@
-{"version":3,"file":"reauth.js","sourceRoot":"","sources":["../../src/security/reauth.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,cAAc,EAAE,MAAM,qBAAqB,CAAC;AAYrD,mEAAmE;AACnE,MAAM,UAAU,cAAc,CAC5B,OAAsB,EACtB,MAAoB;IAEpB,IAAI,CAAC,MAAM,CAAC,kBAAkB,CAAC,QAAQ,CAAC,OAAO,CAAC,MAAM,CAAC;QAAE,OAAO,KAAK,CAAC;IACtE,MAAM,OAAO,GAAG,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,OAAO,CAAC,UAAU,CAAC,OAAO,EAAE,CAAC,GAAG,IAAI,CAAC;IACnE,OAAO,OAAO,GAAG,MAAM,CAAC,aAAa,CAAC;AACxC,CAAC;AAED,+DAA+D;AAC/D,MAAM,CAAC,KAAK,UAAU,YAAY,CAChC,MAAc,EACd,UAAkB,EAClB,MAA2B,EAC3B,EAAQ;IAER,IAAI,CAAC,EAAE,EAAE,CAAC;QACR,MAAM,EAAE,KAAK,EAAE,GAAG,MAAM,MAAM,CAAC,UAAU,CAAC,CAAC;QAC3C,EAAE,GAAG,KAAK,EAAE,CAAC;IACf,CAAC;IAED,IAAI,MAAM,KAAK,MAAM,EAAE,CAAC;QACtB,MAAM,IAAI,GAAG,MAAM,EAAE,CAAC,IAAI,CAAC,UAAU,CAAC;YACpC,KAAK,EAAE,EAAE,EAAE,EAAE,MAAM,EAAE;YACrB,MAAM,EAAE,EAAE,WAAW,EAAE,IAAI,EAAE,UAAU,EAAE,IAAI,EAAE,QAAQ,EAAE,IAAI,EAAE;SAChE,CAAC,CAAC;QAEH,IAAI,CAAC,IAAI,IAAI,CAAC,IAAI,CAAC,QAAQ,IAAI,CAAC,IAAI,CAAC,WAAW,IAAI,CAAC,IAAI,CAAC,UAAU,EAAE,CAAC;YACrE,OAAO,KAAK,CAAC;QACf,CAAC;QAED,MAAM,EAAE,UAAU,EAAE,GAAG,MAAM,MAAM,CAAC,iBAAiB,CAAC,CAAC;QACvD,OAAO,UAAU,CAAC,UAAU,EAAE,IAAI,CAAC,UAAU,CAAC,CAAC;IACjD,CAAC;IAED,MAAM,IAAI,GAAG,MAAM,EAAE,CAAC,IAAI,CAAC,UAAU,CAAC;QACpC,KAAK,EAAE,EAAE,EAAE,EAAE,MAAM,EAAE;QACrB,MAAM,EAAE,EAAE,YAAY,EAAE,IAAI,EAAE,QAAQ,EAAE,IAAI,EAAE;KAC/C,CAAC,CAAC;IAEH,IAAI,CAAC,IAAI,IAAI,CAAC,IAAI,CAAC,QAAQ,IAAI,CAAC,IAAI,CAAC,YAAY,EAAE,CAAC;QAClD,OAAO,KAAK,CAAC;IACf,CAAC;IAED,OAAO,cAAc,CAAC,UAAU,EAAE,IAAI,CAAC,YAAY,CAAC,CAAC;AACvD,CAAC;AAED,qEAAqE;AACrE,MAAM,CAAC,MAAM,qBAAqB,GAAiB;IACjD,aAAa,EAAE,GAAG;IAClB,kBAAkB,EAAE;QAClB,aAAa;QACb,kBAAkB;QAClB,iBAAiB;QACjB,aAAa;QACb,sBAAsB;KACvB;CACF,CAAC"}
+{"version":3,"file":"reauth.js","sourceRoot":"","sources":["../../src/security/reauth.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,cAAc,EAAE,MAAM,qBAAqB,CAAA;AAYpD,mEAAmE;AACnE,MAAM,UAAU,cAAc,CAAC,OAAsB,EAAE,MAAoB;IACzE,IAAI,CAAC,MAAM,CAAC,kBAAkB,CAAC,QAAQ,CAAC,OAAO,CAAC,MAAM,CAAC;QAAE,OAAO,KAAK,CAAA;IACrE,MAAM,OAAO,GAAG,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,OAAO,CAAC,UAAU,CAAC,OAAO,EAAE,CAAC,GAAG,IAAI,CAAA;IAClE,OAAO,OAAO,GAAG,MAAM,CAAC,aAAa,CAAA;AACvC,CAAC;AAED,+DAA+D;AAC/D,MAAM,CAAC,KAAK,UAAU,YAAY,CAChC,MAAc,EACd,UAAkB,EAClB,MAA2B,EAC3B,EAAQ;IAER,IAAI,CAAC,EAAE,EAAE,CAAC;QACR,MAAM,EAAE,KAAK,EAAE,GAAG,MAAM,MAAM,CAAC,UAAU,CAAC,CAAA;QAC1C,EAAE,GAAG,KAAK,EAAE,CAAA;IACd,CAAC;IAED,IAAI,MAAM,KAAK,MAAM,EAAE,CAAC;QACtB,MAAM,IAAI,GAAG,MAAM,EAAE,CAAC,IAAI,CAAC,UAAU,CAAC;YACpC,KAAK,EAAE,EAAE,EAAE,EAAE,MAAM,EAAE;YACrB,MAAM,EAAE,EAAE,WAAW,EAAE,IAAI,EAAE,UAAU,EAAE,IAAI,EAAE,QAAQ,EAAE,IAAI,EAAE;SAChE,CAAC,CAAA;QAEF,IAAI,CAAC,IAAI,IAAI,CAAC,IAAI,CAAC,QAAQ,IAAI,CAAC,IAAI,CAAC,WAAW,IAAI,CAAC,IAAI,CAAC,UAAU,EAAE,CAAC;YACrE,OAAO,KAAK,CAAA;QACd,CAAC;QAED,MAAM,EAAE,UAAU,EAAE,GAAG,MAAM,MAAM,CAAC,iBAAiB,CAAC,CAAA;QACtD,OAAO,UAAU,CAAC,UAAU,EAAE,IAAI,CAAC,UAAU,CAAC,CAAA;IAChD,CAAC;IAED,MAAM,IAAI,GAAG,MAAM,EAAE,CAAC,IAAI,CAAC,UAAU,CAAC;QACpC,KAAK,EAAE,EAAE,EAAE,EAAE,MAAM,EAAE;QACrB,MAAM,EAAE,EAAE,YAAY,EAAE,IAAI,EAAE,QAAQ,EAAE,IAAI,EAAE;KAC/C,CAAC,CAAA;IAEF,IAAI,CAAC,IAAI,IAAI,CAAC,IAAI,CAAC,QAAQ,IAAI,CAAC,IAAI,CAAC,YAAY,EAAE,CAAC;QAClD,OAAO,KAAK,CAAA;IACd,CAAC;IAED,OAAO,cAAc,CAAC,UAAU,EAAE,IAAI,CAAC,YAAY,CAAC,CAAA;AACtD,CAAC;AAED,qEAAqE;AACrE,MAAM,CAAC,MAAM,qBAAqB,GAAiB;IACjD,aAAa,EAAE,GAAG;IAClB,kBAAkB,EAAE;QAClB,aAAa;QACb,kBAAkB;QAClB,iBAAiB;QACjB,aAAa;QACb,sBAAsB;KACvB;CACF,CAAA"}

package/dist/security/redact.d.ts

@@ -0,0 +1,12 @@
+/**
+ * Best-effort scrubber for secrets pasted into prompts, search queries, and
+ * other user-supplied text that ends up in audit logs. Replaces matched
+ * patterns with `[REDACTED]` so we don't store live keys/tokens in plain
+ * `details` JSON.
+ *
+ * This is defensive, not exhaustive — clients should never paste secrets
+ * into prompts in the first place. The patterns favour false negatives over
+ * false positives so we don't mangle legitimate content.
+ */
+export declare function redactSecrets(input: string): string;
+//# sourceMappingURL=redact.d.ts.map

package/dist/security/redact.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"redact.d.ts","sourceRoot":"","sources":["../../src/security/redact.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AA4BH,wBAAgB,aAAa,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,CAOnD"}

package/dist/security/redact.js

@@ -0,0 +1,44 @@
+/**
+ * Best-effort scrubber for secrets pasted into prompts, search queries, and
+ * other user-supplied text that ends up in audit logs. Replaces matched
+ * patterns with `[REDACTED]` so we don't store live keys/tokens in plain
+ * `details` JSON.
+ *
+ * This is defensive, not exhaustive — clients should never paste secrets
+ * into prompts in the first place. The patterns favour false negatives over
+ * false positives so we don't mangle legitimate content.
+ */
+const PATTERNS = [
+    // OpenAI / Anthropic / Google API keys
+    { name: 'openai-key', regex: /\bsk-[A-Za-z0-9_-]{20,}\b/g },
+    { name: 'anthropic-key', regex: /\bsk-ant-[A-Za-z0-9_-]{20,}\b/g },
+    // Actuate API keys
+    { name: 'actuate-key', regex: /\bact_[A-Za-z0-9_]{20,}\b/g },
+    // GitHub tokens
+    { name: 'github-token', regex: /\bgh[opsu]_[A-Za-z0-9]{30,}\b/g },
+    // AWS access keys
+    { name: 'aws-access-key', regex: /\bAKIA[0-9A-Z]{16}\b/g },
+    // AWS secret access keys (40 char base64-ish, prefixed with common context words)
+    {
+        name: 'aws-secret',
+        regex: /\b(?:aws_secret_access_key|aws_secret|secret_key)\s*[:=]\s*["']?([A-Za-z0-9/+]{40})["']?/gi,
+    },
+    // JWTs (3 base64url segments)
+    { name: 'jwt', regex: /\beyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\b/g },
+    // Slack tokens
+    { name: 'slack-token', regex: /\bxox[baprs]-[A-Za-z0-9-]{10,}\b/g },
+    // Stripe keys
+    { name: 'stripe-key', regex: /\b(?:sk|pk|rk)_(?:test|live)_[A-Za-z0-9]{20,}\b/g },
+    // Generic password assignment
+    { name: 'password-assign', regex: /\b(?:password|passwd|pwd)\s*[:=]\s*["']([^"']{6,})["']/gi },
+];
+export function redactSecrets(input) {
+    if (!input)
+        return input;
+    let result = input;
+    for (const { regex } of PATTERNS) {
+        result = result.replace(regex, '[REDACTED]');
+    }
+    return result;
+}
+//# sourceMappingURL=redact.js.map

package/dist/security/redact.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"redact.js","sourceRoot":"","sources":["../../src/security/redact.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,MAAM,QAAQ,GAA2C;IACvD,uCAAuC;IACvC,EAAE,IAAI,EAAE,YAAY,EAAE,KAAK,EAAE,4BAA4B,EAAE;IAC3D,EAAE,IAAI,EAAE,eAAe,EAAE,KAAK,EAAE,gCAAgC,EAAE;IAClE,mBAAmB;IACnB,EAAE,IAAI,EAAE,aAAa,EAAE,KAAK,EAAE,4BAA4B,EAAE;IAC5D,gBAAgB;IAChB,EAAE,IAAI,EAAE,cAAc,EAAE,KAAK,EAAE,gCAAgC,EAAE;IACjE,kBAAkB;IAClB,EAAE,IAAI,EAAE,gBAAgB,EAAE,KAAK,EAAE,uBAAuB,EAAE;IAC1D,kFAAkF;IAClF;QACE,IAAI,EAAE,YAAY;QAClB,KAAK,EACH,4FAA4F;KAC/F;IACD,8BAA8B;IAC9B,EAAE,IAAI,EAAE,KAAK,EAAE,KAAK,EAAE,oEAAoE,EAAE;IAC5F,eAAe;IACf,EAAE,IAAI,EAAE,aAAa,EAAE,KAAK,EAAE,mCAAmC,EAAE;IACnE,cAAc;IACd,EAAE,IAAI,EAAE,YAAY,EAAE,KAAK,EAAE,kDAAkD,EAAE;IACjF,8BAA8B;IAC9B,EAAE,IAAI,EAAE,iBAAiB,EAAE,KAAK,EAAE,0DAA0D,EAAE;CAC/F,CAAA;AAED,MAAM,UAAU,aAAa,CAAC,KAAa;IACzC,IAAI,CAAC,KAAK;QAAE,OAAO,KAAK,CAAA;IACxB,IAAI,MAAM,GAAG,KAAK,CAAA;IAClB,KAAK,MAAM,EAAE,KAAK,EAAE,IAAI,QAAQ,EAAE,CAAC;QACjC,MAAM,GAAG,MAAM,CAAC,OAAO,CAAC,KAAK,EAAE,YAAY,CAAC,CAAA;IAC9C,CAAC;IACD,OAAO,MAAM,CAAA;AACf,CAAC"}

package/dist/security/safe-fetch.d.ts

@@ -0,0 +1,35 @@
+/**
+ * Perform a `fetch()` with SSRF defenses applied:
+ *
+ *  - Reject non-http/https URLs (no `file:`, `gopher:`, `data:`).
+ *  - Reject hostnames that resolve to private/loopback IP literals
+ *    (`10.x`, `127.x`, `169.254.x`, `192.168.x`, `::1`, …).
+ *  - Reject `localhost` and `0.0.0.0`.
+ *  - Disable HTTP redirects by default (`redirect: 'manual'`) — a 302 to an
+ *    internal address would otherwise smuggle the request past the validator.
+ *  - Apply a hard request timeout via `AbortSignal.timeout`.
+ *
+ * Use this for any internal `fetch()` call that targets a URL derived from
+ * user/admin input (webhooks, link health, image URL fetches, etc).
+ *
+ * Note: this guards against the URL **as written**. For full DNS-rebinding
+ * protection use `resolveAndCheck()` from `./webhook.js` to pre-resolve the
+ * hostname; on Node 20+ this can be combined with a custom dispatcher to bind
+ * the request to the resolved IP. The default policy here trades that
+ * protection for portability across runtimes (Edge, Bun, Workers).
+ */
+export interface SafeFetchOptions extends RequestInit {
+    /** Hard timeout applied via AbortSignal. Defaults to 5000ms. */
+    timeoutMs?: number;
+    /** When true, allow following redirects. Each hop is re-validated. Default: false. */
+    followRedirects?: boolean;
+    /** Maximum number of redirect hops when followRedirects is true. Default: 3. */
+    maxRedirects?: number;
+}
+export declare class SsrfBlockedError extends Error {
+    readonly url: string;
+    readonly reason: string;
+    constructor(url: string, reason: string);
+}
+export declare function safeFetch(url: string, options?: SafeFetchOptions): Promise<Response>;
+//# sourceMappingURL=safe-fetch.d.ts.map

package/dist/security/safe-fetch.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"safe-fetch.d.ts","sourceRoot":"","sources":["../../src/security/safe-fetch.ts"],"names":[],"mappings":"AAEA;;;;;;;;;;;;;;;;;;;GAmBG;AACH,MAAM,WAAW,gBAAiB,SAAQ,WAAW;IACnD,gEAAgE;IAChE,SAAS,CAAC,EAAE,MAAM,CAAA;IAClB,sFAAsF;IACtF,eAAe,CAAC,EAAE,OAAO,CAAA;IACzB,gFAAgF;IAChF,YAAY,CAAC,EAAE,MAAM,CAAA;CACtB;AAED,qBAAa,gBAAiB,SAAQ,KAAK;IACzC,QAAQ,CAAC,GAAG,EAAE,MAAM,CAAA;IACpB,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAA;gBACX,GAAG,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM;CAMxC;AAED,wBAAsB,SAAS,CAAC,GAAG,EAAE,MAAM,EAAE,OAAO,GAAE,gBAAqB,GAAG,OAAO,CAAC,QAAQ,CAAC,CAsC9F"}