@actuate-media/cms-core 0.11.1 → 0.12.0

package/dist/security/ip-canon.js

@@ -0,0 +1,352 @@
+/**
+ * IP canonicalization for SSRF defense.
+ *
+ * The previous regex-based approach in `webhook.ts` only matched the literal
+ * dotted-quad form. It missed every encoding that `getaddrinfo` (and therefore
+ * `fetch`) accepts:
+ *
+ *   - Decimal:        http://2130706433/        → 127.0.0.1
+ *   - Octal:          http://0177.0.0.1/        → 127.0.0.1
+ *   - Hex:            http://0x7f.0.0.1/        → 127.0.0.1
+ *   - Short-form:     http://127.1/             → 127.0.0.1
+ *   - IPv4-mapped v6: http://[::ffff:127.0.0.1] → 127.0.0.1
+ *   - IPv4-compat v6: http://[::127.0.0.1]      → 127.0.0.1
+ *
+ * This module canonicalizes any of those forms to a 4-octet IPv4 string (or
+ * a normalized 16-byte IPv6 address), then range-checks against a complete
+ * private/internal block list including AWS/GCP/Azure metadata endpoints and
+ * the carrier-grade NAT range.
+ */
+const PRIVATE_IPV4_RANGES = [
+    // 0.0.0.0/8         "this network"
+    { network: 0x00_00_00_00, mask: 0xff_00_00_00, reason: '0.0.0.0/8 (this network)' },
+    // 10.0.0.0/8        RFC1918 private
+    { network: 0x0a_00_00_00, mask: 0xff_00_00_00, reason: '10.0.0.0/8 (RFC1918 private)' },
+    // 100.64.0.0/10     RFC6598 carrier-grade NAT
+    { network: 0x64_40_00_00, mask: 0xff_c0_00_00, reason: '100.64.0.0/10 (CGNAT)' },
+    // 127.0.0.0/8       loopback
+    { network: 0x7f_00_00_00, mask: 0xff_00_00_00, reason: '127.0.0.0/8 (loopback)' },
+    // 169.254.0.0/16    link-local + cloud metadata (AWS 169.254.169.254 is in here)
+    { network: 0xa9_fe_00_00, mask: 0xff_ff_00_00, reason: '169.254.0.0/16 (link-local + metadata)' },
+    // 172.16.0.0/12     RFC1918 private
+    { network: 0xac_10_00_00, mask: 0xff_f0_00_00, reason: '172.16.0.0/12 (RFC1918 private)' },
+    // 192.0.0.0/24      RFC6890 IETF protocol assignments
+    { network: 0xc0_00_00_00, mask: 0xff_ff_ff_00, reason: '192.0.0.0/24 (IETF reserved)' },
+    // 192.0.2.0/24      TEST-NET-1 (documentation)
+    { network: 0xc0_00_02_00, mask: 0xff_ff_ff_00, reason: '192.0.2.0/24 (TEST-NET-1)' },
+    // 192.168.0.0/16    RFC1918 private
+    { network: 0xc0_a8_00_00, mask: 0xff_ff_00_00, reason: '192.168.0.0/16 (RFC1918 private)' },
+    // 198.18.0.0/15     benchmark
+    { network: 0xc6_12_00_00, mask: 0xff_fe_00_00, reason: '198.18.0.0/15 (benchmark)' },
+    // 198.51.100.0/24   TEST-NET-2
+    { network: 0xc6_33_64_00, mask: 0xff_ff_ff_00, reason: '198.51.100.0/24 (TEST-NET-2)' },
+    // 203.0.113.0/24    TEST-NET-3
+    { network: 0xcb_00_71_00, mask: 0xff_ff_ff_00, reason: '203.0.113.0/24 (TEST-NET-3)' },
+    // 224.0.0.0/4       multicast
+    { network: 0xe0_00_00_00, mask: 0xf0_00_00_00, reason: '224.0.0.0/4 (multicast)' },
+    // 240.0.0.0/4       reserved (includes 255.255.255.255 broadcast)
+    { network: 0xf0_00_00_00, mask: 0xf0_00_00_00, reason: '240.0.0.0/4 (reserved)' },
+];
+/**
+ * Canonicalize a URL hostname into either a normalized IP address or a
+ * passthrough hostname. Handles every IPv4 encoding accepted by `inet_aton`
+ * (decimal, octal, hex, short-form), IPv4-mapped IPv6, and bracketed IPv6.
+ */
+export function canonicalizeHostname(rawHostname) {
+    const raw = rawHostname;
+    // Strip surrounding brackets (URLs use `[::1]` for IPv6 hosts).
+    let host = raw;
+    if (host.startsWith('[') && host.endsWith(']')) {
+        host = host.slice(1, -1);
+    }
+    // Try IPv6 first — only IPv6 contains ':'.
+    if (host.includes(':')) {
+        const ipv6 = parseIPv6(host);
+        if (ipv6) {
+            // IPv4-mapped (::ffff:a.b.c.d) and IPv4-compatible (::a.b.c.d) both
+            // tunnel an IPv4 address through IPv6 — collapse to the underlying v4
+            // so the v4 range check catches them.
+            const tunnelled = extractIPv4FromIPv6(ipv6);
+            if (tunnelled !== null) {
+                return { raw, ipv4: ipv4ToString(tunnelled), isHostname: false, isValidIp: true };
+            }
+            return { raw, ipv6: formatIPv6(ipv6), isHostname: false, isValidIp: true };
+        }
+        // Looked like IPv6 (had a colon) but didn't parse. Mark as a non-hostname
+        // *and* not a valid IP — SSRF gates fail closed on this shape.
+        return { raw, isHostname: false, isValidIp: false };
+    }
+    // Try IPv4 in any of: decimal, octal, hex, dotted, short-form.
+    const ipv4 = parseIPv4Literal(host);
+    if (ipv4 !== null) {
+        return { raw, ipv4: ipv4ToString(ipv4), isHostname: false, isValidIp: true };
+    }
+    // Not an IP literal in any form → treat as DNS hostname.
+    return { raw, isHostname: true, isValidIp: false };
+}
+/**
+ * Returns the matching private/internal range when the canonicalized host is
+ * one, `null` when it's a safe public IP, or a "malformed" reason when the
+ * input claims to be an IP literal but didn't parse cleanly.
+ *
+ * Defense-in-depth: even if a caller forgets to gate on `isValidIp`, this
+ * function still fails closed on the malformed shape (`isHostname=false`
+ * with no `ipv4`/`ipv6`).
+ */
+export function isPrivateAddress(host) {
+    if (host.ipv4) {
+        const num = ipv4StringToNumber(host.ipv4);
+        if (num === null)
+            return { reason: 'invalid IPv4 numeric form' };
+        for (const range of PRIVATE_IPV4_RANGES) {
+            // `>>> 0` forces the int32 result of `&` back to an unsigned 32-bit
+            // value so comparisons with `range.network` (a positive JS number)
+            // work correctly even when the high bit is set (172.16.x.x and up).
+            if ((num & range.mask) >>> 0 === range.network) {
+                return { reason: range.reason };
+            }
+        }
+        return null;
+    }
+    if (host.ipv6) {
+        const v6 = parseIPv6(host.ipv6);
+        if (!v6)
+            return { reason: 'invalid IPv6 form' };
+        return checkPrivateIPv6(v6);
+    }
+    // Malformed IP literal (looked like an IP but didn't parse). Fail closed.
+    if (!host.isHostname) {
+        return { reason: 'malformed IP literal' };
+    }
+    // DNS hostname → no IP-level check possible without resolution.
+    return null;
+}
+/**
+ * Parse an IPv4 literal in *any* form `inet_aton` accepts:
+ *   - 4 parts: a.b.c.d  (each 0-255)
+ *   - 3 parts: a.b.c    (c is bottom 16 bits)
+ *   - 2 parts: a.b      (b is bottom 24 bits)
+ *   - 1 part:  a        (full 32-bit number)
+ *
+ * Each part may be decimal, octal (leading 0), or hex (leading 0x).
+ */
+function parseIPv4Literal(input) {
+    if (input.length === 0)
+        return null;
+    const parts = input.split('.');
+    if (parts.length === 0 || parts.length > 4)
+        return null;
+    const nums = [];
+    for (const p of parts) {
+        if (p.length === 0)
+            return null;
+        const n = parsePartNumber(p);
+        if (n === null)
+            return null;
+        nums.push(n);
+    }
+    // Build 32-bit value per inet_aton rules.
+    switch (nums.length) {
+        case 1: {
+            const a = nums[0];
+            if (a > 0xff_ff_ff_ff)
+                return null;
+            return a >>> 0;
+        }
+        case 2: {
+            const [a, b] = nums;
+            if (a > 0xff || b > 0xff_ff_ff)
+                return null;
+            return ((a << 24) | b) >>> 0;
+        }
+        case 3: {
+            const [a, b, c] = nums;
+            if (a > 0xff || b > 0xff || c > 0xff_ff)
+                return null;
+            return ((a << 24) | (b << 16) | c) >>> 0;
+        }
+        case 4: {
+            const [a, b, c, d] = nums;
+            if (a > 0xff || b > 0xff || c > 0xff || d > 0xff)
+                return null;
+            return ((a << 24) | (b << 16) | (c << 8) | d) >>> 0;
+        }
+        default:
+            return null;
+    }
+}
+function parsePartNumber(part) {
+    // Hex: 0x...
+    if (part.startsWith('0x') || part.startsWith('0X')) {
+        const hex = part.slice(2);
+        if (hex.length === 0 || !/^[0-9a-fA-F]+$/.test(hex))
+            return null;
+        const n = parseInt(hex, 16);
+        return Number.isFinite(n) ? n : null;
+    }
+    // Octal: starts with 0 followed by digits (but bare "0" is decimal 0).
+    if (part.length > 1 && part.startsWith('0')) {
+        if (!/^[0-7]+$/.test(part))
+            return null;
+        const n = parseInt(part, 8);
+        return Number.isFinite(n) ? n : null;
+    }
+    // Decimal.
+    if (!/^[0-9]+$/.test(part))
+        return null;
+    const n = parseInt(part, 10);
+    return Number.isFinite(n) ? n : null;
+}
+function ipv4StringToNumber(s) {
+    const parts = s.split('.');
+    if (parts.length !== 4)
+        return null;
+    let n = 0;
+    for (const p of parts) {
+        const x = parseInt(p, 10);
+        if (!Number.isFinite(x) || x < 0 || x > 255)
+            return null;
+        n = (n << 8) | x;
+    }
+    return n >>> 0;
+}
+function ipv4ToString(n) {
+    return [(n >>> 24) & 0xff, (n >>> 16) & 0xff, (n >>> 8) & 0xff, n & 0xff].join('.');
+}
+/**
+ * Parse an IPv6 address into 8 groups of 16-bit numbers. Supports `::`
+ * compression and the `::ffff:a.b.c.d` IPv4-mapped trailing form.
+ *
+ * Reconstruction order with compression:
+ *   [head hextets] [zero-fill] [tail hextets] [optional v4 suffix as 2 hextets]
+ *
+ * Without compression: just `[8 hextets, optional last replaced by v4 suffix]`.
+ */
+function parseIPv6(input) {
+    if (input.length === 0)
+        return null;
+    const doubleColon = input.indexOf('::');
+    let head;
+    let tail;
+    if (doubleColon >= 0) {
+        if (input.indexOf('::', doubleColon + 1) !== -1)
+            return null; // multiple ::
+        head = input
+            .slice(0, doubleColon)
+            .split(':')
+            .filter((s) => s.length > 0);
+        tail = input
+            .slice(doubleColon + 2)
+            .split(':')
+            .filter((s) => s.length > 0);
+    }
+    else {
+        head = input.split(':');
+        tail = [];
+        // No compression: must be exactly 8 hextets (or 7 + a trailing IPv4).
+    }
+    // The trailing group may be a dotted-quad IPv4. It's always at the end of
+    // either `tail` (when compression is present) or `head` (when not).
+    let v4Suffix = null;
+    const trailingGroupArr = tail.length > 0 ? tail : head;
+    const trailingGroup = trailingGroupArr[trailingGroupArr.length - 1] ?? '';
+    if (trailingGroup.includes('.')) {
+        const v4 = parseIPv4Literal(trailingGroup);
+        if (v4 === null)
+            return null;
+        v4Suffix = [(v4 >>> 16) & 0xff_ff, v4 & 0xff_ff];
+        if (tail.length > 0)
+            tail = tail.slice(0, -1);
+        else
+            head = head.slice(0, -1);
+    }
+    const headGroups = head.map(parseHextet);
+    const tailGroups = tail.map(parseHextet);
+    if (headGroups.includes(null) || tailGroups.includes(null))
+        return null;
+    const v4Count = v4Suffix ? 2 : 0;
+    if (doubleColon >= 0) {
+        const fillCount = 8 - headGroups.length - tailGroups.length - v4Count;
+        if (fillCount < 0)
+            return null;
+        const zeros = new Array(fillCount).fill(0);
+        const result = [
+            ...headGroups,
+            ...zeros,
+            ...tailGroups,
+            ...(v4Suffix ?? []),
+        ];
+        return result.length === 8 ? result : null;
+    }
+    // No compression — must add up to exactly 8 hextets including v4 suffix.
+    const result = [...headGroups, ...(v4Suffix ?? [])];
+    return result.length === 8 ? result : null;
+}
+function parseHextet(s) {
+    if (s.length === 0 || s.length > 4)
+        return null;
+    if (!/^[0-9a-fA-F]+$/.test(s))
+        return null;
+    return parseInt(s, 16);
+}
+function formatIPv6(groups) {
+    return groups.map((g) => g.toString(16)).join(':');
+}
+/**
+ * If `groups` represents an IPv4-mapped (`::ffff:a.b.c.d`) or non-trivial
+ * IPv4-compatible (`::a.b.c.d` with a.b.c.d != ::1, deprecated) IPv6 address,
+ * return the inner 32-bit IPv4 value.
+ *
+ * IMPORTANT: We deliberately do NOT extract from `::1` (loopback) or `::`
+ * (unspecified). Those are pure IPv6 addresses, not tunneled IPv4 — treating
+ * `::1` as `0.0.0.1` would silently allow loopback bypass via the IPv4
+ * range checks (which don't include `0.0.0.1`).
+ */
+function extractIPv4FromIPv6(groups) {
+    // First 5 groups must be all zero (the high-order 80 bits).
+    if (groups.slice(0, 5).some((g) => g !== 0))
+        return null;
+    const isMapped = groups[5] === 0xff_ff;
+    if (isMapped) {
+        return (((groups[6] ?? 0) << 16) | (groups[7] ?? 0)) >>> 0;
+    }
+    // IPv4-compatible (deprecated by RFC4291 §2.5.5.1): only when groups[5]===0
+    // AND the embedded "IPv4" is itself a real public-looking address (i.e.
+    // the whole thing isn't just `::N` for small N). We require the high
+    // hextet of the IPv4 portion (groups[6]) to be non-zero — that excludes
+    // `::1`, `::`, `::N` for N < 65536, all of which should be treated as
+    // pure IPv6 by their own range checks (loopback, unspecified, etc).
+    const isCompat = groups[5] === 0 && (groups[6] ?? 0) !== 0;
+    if (isCompat) {
+        return (((groups[6] ?? 0) << 16) | (groups[7] ?? 0)) >>> 0;
+    }
+    return null;
+}
+function checkPrivateIPv6(groups) {
+    // ::1 loopback
+    if (groups.every((g, i) => (i === 7 ? g === 1 : g === 0))) {
+        return { reason: '::1 (IPv6 loopback)' };
+    }
+    // :: unspecified
+    if (groups.every((g) => g === 0)) {
+        return { reason: ':: (unspecified)' };
+    }
+    // fc00::/7  unique local
+    if ((groups[0] & 0xfe_00) === 0xfc_00) {
+        return { reason: 'fc00::/7 (IPv6 unique local)' };
+    }
+    // fe80::/10  link-local
+    if ((groups[0] & 0xff_c0) === 0xfe_80) {
+        return { reason: 'fe80::/10 (IPv6 link-local)' };
+    }
+    // ff00::/8  multicast
+    if ((groups[0] & 0xff_00) === 0xff_00) {
+        return { reason: 'ff00::/8 (IPv6 multicast)' };
+    }
+    // 64:ff9b::/96  well-known IPv4/IPv6 translation
+    if (groups[0] === 0x00_64 && groups[1] === 0xff_9b && groups.slice(2, 6).every((g) => g === 0)) {
+        return { reason: '64:ff9b::/96 (IPv4-IPv6 translation)' };
+    }
+    return null;
+}
+//# sourceMappingURL=ip-canon.js.map

package/dist/security/ip-canon.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"ip-canon.js","sourceRoot":"","sources":["../../src/security/ip-canon.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;GAkBG;AAEH,MAAM,mBAAmB,GAAqE;IAC5F,mCAAmC;IACnC,EAAE,OAAO,EAAE,aAAa,EAAE,IAAI,EAAE,aAAa,EAAE,MAAM,EAAE,0BAA0B,EAAE;IACnF,oCAAoC;IACpC,EAAE,OAAO,EAAE,aAAa,EAAE,IAAI,EAAE,aAAa,EAAE,MAAM,EAAE,8BAA8B,EAAE;IACvF,8CAA8C;IAC9C,EAAE,OAAO,EAAE,aAAa,EAAE,IAAI,EAAE,aAAa,EAAE,MAAM,EAAE,uBAAuB,EAAE;IAChF,6BAA6B;IAC7B,EAAE,OAAO,EAAE,aAAa,EAAE,IAAI,EAAE,aAAa,EAAE,MAAM,EAAE,wBAAwB,EAAE;IACjF,iFAAiF;IACjF,EAAE,OAAO,EAAE,aAAa,EAAE,IAAI,EAAE,aAAa,EAAE,MAAM,EAAE,wCAAwC,EAAE;IACjG,oCAAoC;IACpC,EAAE,OAAO,EAAE,aAAa,EAAE,IAAI,EAAE,aAAa,EAAE,MAAM,EAAE,iCAAiC,EAAE;IAC1F,sDAAsD;IACtD,EAAE,OAAO,EAAE,aAAa,EAAE,IAAI,EAAE,aAAa,EAAE,MAAM,EAAE,8BAA8B,EAAE;IACvF,+CAA+C;IAC/C,EAAE,OAAO,EAAE,aAAa,EAAE,IAAI,EAAE,aAAa,EAAE,MAAM,EAAE,2BAA2B,EAAE;IACpF,oCAAoC;IACpC,EAAE,OAAO,EAAE,aAAa,EAAE,IAAI,EAAE,aAAa,EAAE,MAAM,EAAE,kCAAkC,EAAE;IAC3F,8BAA8B;IAC9B,EAAE,OAAO,EAAE,aAAa,EAAE,IAAI,EAAE,aAAa,EAAE,MAAM,EAAE,2BAA2B,EAAE;IACpF,+BAA+B;IAC/B,EAAE,OAAO,EAAE,aAAa,EAAE,IAAI,EAAE,aAAa,EAAE,MAAM,EAAE,8BAA8B,EAAE;IACvF,+BAA+B;IAC/B,EAAE,OAAO,EAAE,aAAa,EAAE,IAAI,EAAE,aAAa,EAAE,MAAM,EAAE,6BAA6B,EAAE;IACtF,8BAA8B;IAC9B,EAAE,OAAO,EAAE,aAAa,EAAE,IAAI,EAAE,aAAa,EAAE,MAAM,EAAE,yBAAyB,EAAE;IAClF,kEAAkE;IAClE,EAAE,OAAO,EAAE,aAAa,EAAE,IAAI,EAAE,aAAa,EAAE,MAAM,EAAE,wBAAwB,EAAE;CAClF,CAAA;AAoCD;;;;GAIG;AACH,MAAM,UAAU,oBAAoB,CAAC,WAAmB;IACtD,MAAM,GAAG,GAAG,WAAW,CAAA;IAEvB,gEAAgE;IAChE,IAAI,IAAI,GAAG,GAAG,CAAA;IACd,IAAI,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;QAC/C,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAA;IAC1B,CAAC;IAED,2CAA2C;IAC3C,IAAI,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;QACvB,MAAM,IAAI,GAAG,SAAS,CAAC,IAAI,CAAC,CAAA;QAC5B,IAAI,IAAI,EAAE,CAAC;YACT,oEAAoE;YACpE,sEAAsE;YACtE,sCAAsC;YACtC,MAAM,SAAS,GAAG,mBAAmB,CAAC,IAAI,CAAC,CAAA;YAC3C,IAAI,SAAS,KAAK,IAAI,EAAE,CAAC;gBACvB,OAAO,EAAE,GAAG,EAAE,IAAI,EAAE,YAAY,CAAC,SAAS,CAAC,EAAE,UAAU,EAAE,KAAK,EAAE,SAAS,EAAE,IAAI,EAAE,CAAA;YACnF,CAAC;YACD,OAAO,EAAE,GAAG,EAAE,IAAI,EAAE,UAAU,CAAC,IAAI,CAAC,EAAE,UAAU,EAAE,KAAK,EAAE,SAAS,EAAE,IAAI,EAAE,CAAA;QAC5E,CAAC;QACD,0EAA0E;QAC1E,+DAA+D;QAC/D,OAAO,EAAE,GAAG,EAAE,UAAU,EAAE,KAAK,EAAE,SAAS,EAAE,KAAK,EAAE,CAAA;IACrD,CAAC;IAED,+DAA+D;IAC/D,MAAM,IAAI,GAAG,gBAAgB,CAAC,IAAI,CAAC,CAAA;IACnC,IAAI,IAAI,KAAK,IAAI,EAAE,CAAC;QAClB,OAAO,EAAE,GAAG,EAAE,IAAI,EAAE,YAAY,CAAC,IAAI,CAAC,EAAE,UAAU,EAAE,KAAK,EAAE,SAAS,EAAE,IAAI,EAAE,CAAA;IAC9E,CAAC;IAED,yDAAyD;IACzD,OAAO,EAAE,GAAG,EAAE,UAAU,EAAE,IAAI,EAAE,SAAS,EAAE,KAAK,EAAE,CAAA;AACpD,CAAC;AAED;;;;;;;;GAQG;AACH,MAAM,UAAU,gBAAgB,CAAC,IAAuB;IACtD,IAAI,IAAI,CAAC,IAAI,EAAE,CAAC;QACd,MAAM,GAAG,GAAG,kBAAkB,CAAC,IAAI,CAAC,IAAI,CAAC,CAAA;QACzC,IAAI,GAAG,KAAK,IAAI;YAAE,OAAO,EAAE,MAAM,EAAE,2BAA2B,EAAE,CAAA;QAChE,KAAK,MAAM,KAAK,IAAI,mBAAmB,EAAE,CAAC;YACxC,oEAAoE;YACpE,mEAAmE;YACnE,oEAAoE;YACpE,IAAI,CAAC,GAAG,GAAG,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,KAAK,KAAK,CAAC,OAAO,EAAE,CAAC;gBAC/C,OAAO,EAAE,MAAM,EAAE,KAAK,CAAC,MAAM,EAAE,CAAA;YACjC,CAAC;QACH,CAAC;QACD,OAAO,IAAI,CAAA;IACb,CAAC;IAED,IAAI,IAAI,CAAC,IAAI,EAAE,CAAC;QACd,MAAM,EAAE,GAAG,SAAS,CAAC,IAAI,CAAC,IAAI,CAAC,CAAA;QAC/B,IAAI,CAAC,EAAE;YAAE,OAAO,EAAE,MAAM,EAAE,mBAAmB,EAAE,CAAA;QAC/C,OAAO,gBAAgB,CAAC,EAAE,CAAC,CAAA;IAC7B,CAAC;IAED,0EAA0E;IAC1E,IAAI,CAAC,IAAI,CAAC,UAAU,EAAE,CAAC;QACrB,OAAO,EAAE,MAAM,EAAE,sBAAsB,EAAE,CAAA;IAC3C,CAAC;IAED,gEAAgE;IAChE,OAAO,IAAI,CAAA;AACb,CAAC;AAED;;;;;;;;GAQG;AACH,SAAS,gBAAgB,CAAC,KAAa;IACrC,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,IAAI,CAAA;IACnC,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAA;IAC9B,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,IAAI,KAAK,CAAC,MAAM,GAAG,CAAC;QAAE,OAAO,IAAI,CAAA;IAEvD,MAAM,IAAI,GAAa,EAAE,CAAA;IACzB,KAAK,MAAM,CAAC,IAAI,KAAK,EAAE,CAAC;QACtB,IAAI,CAAC,CAAC,MAAM,KAAK,CAAC;YAAE,OAAO,IAAI,CAAA;QAC/B,MAAM,CAAC,GAAG,eAAe,CAAC,CAAC,CAAC,CAAA;QAC5B,IAAI,CAAC,KAAK,IAAI;YAAE,OAAO,IAAI,CAAA;QAC3B,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,CAAA;IACd,CAAC;IAED,0CAA0C;IAC1C,QAAQ,IAAI,CAAC,MAAM,EAAE,CAAC;QACpB,KAAK,CAAC,CAAC,CAAC,CAAC;YACP,MAAM,CAAC,GAAG,IAAI,CAAC,CAAC,CAAE,CAAA;YAClB,IAAI,CAAC,GAAG,aAAa;gBAAE,OAAO,IAAI,CAAA;YAClC,OAAO,CAAC,KAAK,CAAC,CAAA;QAChB,CAAC;QACD,KAAK,CAAC,CAAC,CAAC,CAAC;YACP,MAAM,CAAC,CAAC,EAAE,CAAC,CAAC,GAAG,IAAwB,CAAA;YACvC,IAAI,CAAC,GAAG,IAAI,IAAI,CAAC,GAAG,UAAU;gBAAE,OAAO,IAAI,CAAA;YAC3C,OAAO,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,GAAG,CAAC,CAAC,KAAK,CAAC,CAAA;QAC9B,CAAC;QACD,KAAK,CAAC,CAAC,CAAC,CAAC;YACP,MAAM,CAAC,CAAC,EAAE,CAAC,EAAE,CAAC,CAAC,GAAG,IAAgC,CAAA;YAClD,IAAI,CAAC,GAAG,IAAI,IAAI,CAAC,GAAG,IAAI,IAAI,CAAC,GAAG,OAAO;gBAAE,OAAO,IAAI,CAAA;YACpD,OAAO,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,CAAC,GAAG,CAAC,CAAC,KAAK,CAAC,CAAA;QAC1C,CAAC;QACD,KAAK,CAAC,CAAC,CAAC,CAAC;YACP,MAAM,CAAC,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC,CAAC,GAAG,IAAwC,CAAA;YAC7D,IAAI,CAAC,GAAG,IAAI,IAAI,CAAC,GAAG,IAAI,IAAI,CAAC,GAAG,IAAI,IAAI,CAAC,GAAG,IAAI;gBAAE,OAAO,IAAI,CAAA;YAC7D,OAAO,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,KAAK,CAAC,CAAA;QACrD,CAAC;QACD;YACE,OAAO,IAAI,CAAA;IACf,CAAC;AACH,CAAC;AAED,SAAS,eAAe,CAAC,IAAY;IACnC,aAAa;IACb,IAAI,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC;QACnD,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAA;QACzB,IAAI,GAAG,CAAC,MAAM,KAAK,CAAC,IAAI,CAAC,gBAAgB,CAAC,IAAI,CAAC,GAAG,CAAC;YAAE,OAAO,IAAI,CAAA;QAChE,MAAM,CAAC,GAAG,QAAQ,CAAC,GAAG,EAAE,EAAE,CAAC,CAAA;QAC3B,OAAO,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAA;IACtC,CAAC;IACD,uEAAuE;IACvE,IAAI,IAAI,CAAC,MAAM,GAAG,CAAC,IAAI,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;QAC5C,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC;YAAE,OAAO,IAAI,CAAA;QACvC,MAAM,CAAC,GAAG,QAAQ,CAAC,IAAI,EAAE,CAAC,CAAC,CAAA;QAC3B,OAAO,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAA;IACtC,CAAC;IACD,WAAW;IACX,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC;QAAE,OAAO,IAAI,CAAA;IACvC,MAAM,CAAC,GAAG,QAAQ,CAAC,IAAI,EAAE,EAAE,CAAC,CAAA;IAC5B,OAAO,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAA;AACtC,CAAC;AAED,SAAS,kBAAkB,CAAC,CAAS;IACnC,MAAM,KAAK,GAAG,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,CAAA;IAC1B,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,IAAI,CAAA;IACnC,IAAI,CAAC,GAAG,CAAC,CAAA;IACT,KAAK,MAAM,CAAC,IAAI,KAAK,EAAE,CAAC;QACtB,MAAM,CAAC,GAAG,QAAQ,CAAC,CAAC,EAAE,EAAE,CAAC,CAAA;QACzB,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,GAAG,GAAG;YAAE,OAAO,IAAI,CAAA;QACxD,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAA;IAClB,CAAC;IACD,OAAO,CAAC,KAAK,CAAC,CAAA;AAChB,CAAC;AAED,SAAS,YAAY,CAAC,CAAS;IAC7B,OAAO,CAAC,CAAC,CAAC,KAAK,EAAE,CAAC,GAAG,IAAI,EAAE,CAAC,CAAC,KAAK,EAAE,CAAC,GAAG,IAAI,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,GAAG,IAAI,EAAE,CAAC,GAAG,IAAI,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAA;AACrF,CAAC;AAED;;;;;;;;GAQG;AACH,SAAS,SAAS,CAAC,KAAa;IAC9B,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,IAAI,CAAA;IAEnC,MAAM,WAAW,GAAG,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,CAAA;IACvC,IAAI,IAAc,CAAA;IAClB,IAAI,IAAc,CAAA;IAClB,IAAI,WAAW,IAAI,CAAC,EAAE,CAAC;QACrB,IAAI,KAAK,CAAC,OAAO,CAAC,IAAI,EAAE,WAAW,GAAG,CAAC,CAAC,KAAK,CAAC,CAAC;YAAE,OAAO,IAAI,CAAA,CAAC,cAAc;QAC3E,IAAI,GAAG,KAAK;aACT,KAAK,CAAC,CAAC,EAAE,WAAW,CAAC;aACrB,KAAK,CAAC,GAAG,CAAC;aACV,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,GAAG,CAAC,CAAC,CAAA;QAC9B,IAAI,GAAG,KAAK;aACT,KAAK,CAAC,WAAW,GAAG,CAAC,CAAC;aACtB,KAAK,CAAC,GAAG,CAAC;aACV,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,GAAG,CAAC,CAAC,CAAA;IAChC,CAAC;SAAM,CAAC;QACN,IAAI,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAA;QACvB,IAAI,GAAG,EAAE,CAAA;QACT,sEAAsE;IACxE,CAAC;IAED,0EAA0E;IAC1E,oEAAoE;IACpE,IAAI,QAAQ,GAA4B,IAAI,CAAA;IAC5C,MAAM,gBAAgB,GAAG,IAAI,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,CAAA;IACtD,MAAM,aAAa,GAAG,gBAAgB,CAAC,gBAAgB,CAAC,MAAM,GAAG,CAAC,CAAC,IAAI,EAAE,CAAA;IACzE,IAAI,aAAa,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;QAChC,MAAM,EAAE,GAAG,gBAAgB,CAAC,aAAa,CAAC,CAAA;QAC1C,IAAI,EAAE,KAAK,IAAI;YAAE,OAAO,IAAI,CAAA;QAC5B,QAAQ,GAAG,CAAC,CAAC,EAAE,KAAK,EAAE,CAAC,GAAG,OAAO,EAAE,EAAE,GAAG,OAAO,CAAC,CAAA;QAChD,IAAI,IAAI,CAAC,MAAM,GAAG,CAAC;YAAE,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAA;;YACxC,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAA;IAC/B,CAAC;IAED,MAAM,UAAU,GAAG,IAAI,CAAC,GAAG,CAAC,WAAW,CAAC,CAAA;IACxC,MAAM,UAAU,GAAG,IAAI,CAAC,GAAG,CAAC,WAAW,CAAC,CAAA;IACxC,IAAI,UAAU,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAI,UAAU,CAAC,QAAQ,CAAC,IAAI,CAAC;QAAE,OAAO,IAAI,CAAA;IAEvE,MAAM,OAAO,GAAG,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAA;IAEhC,IAAI,WAAW,IAAI,CAAC,EAAE,CAAC;QACrB,MAAM,SAAS,GAAG,CAAC,GAAG,UAAU,CAAC,MAAM,GAAG,UAAU,CAAC,MAAM,GAAG,OAAO,CAAA;QACrE,IAAI,SAAS,GAAG,CAAC;YAAE,OAAO,IAAI,CAAA;QAC9B,MAAM,KAAK,GAAG,IAAI,KAAK,CAAS,SAAS,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAA;QAClD,MAAM,MAAM,GAAG;YACb,GAAI,UAAuB;YAC3B,GAAG,KAAK;YACR,GAAI,UAAuB;YAC3B,GAAG,CAAC,QAAQ,IAAI,EAAE,CAAC;SACpB,CAAA;QACD,OAAO,MAAM,CAAC,MAAM,KAAK,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,IAAI,CAAA;IAC5C,CAAC;IAED,yEAAyE;IACzE,MAAM,MAAM,GAAG,CAAC,GAAI,UAAuB,EAAE,GAAG,CAAC,QAAQ,IAAI,EAAE,CAAC,CAAC,CAAA;IACjE,OAAO,MAAM,CAAC,MAAM,KAAK,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,IAAI,CAAA;AAC5C,CAAC;AAED,SAAS,WAAW,CAAC,CAAS;IAC5B,IAAI,CAAC,CAAC,MAAM,KAAK,CAAC,IAAI,CAAC,CAAC,MAAM,GAAG,CAAC;QAAE,OAAO,IAAI,CAAA;IAC/C,IAAI,CAAC,gBAAgB,CAAC,IAAI,CAAC,CAAC,CAAC;QAAE,OAAO,IAAI,CAAA;IAC1C,OAAO,QAAQ,CAAC,CAAC,EAAE,EAAE,CAAC,CAAA;AACxB,CAAC;AAED,SAAS,UAAU,CAAC,MAAgB;IAClC,OAAO,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAA;AACpD,CAAC;AAED;;;;;;;;;GASG;AACH,SAAS,mBAAmB,CAAC,MAAgB;IAC3C,4DAA4D;IAC5D,IAAI,MAAM,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC;QAAE,OAAO,IAAI,CAAA;IAExD,MAAM,QAAQ,GAAG,MAAM,CAAC,CAAC,CAAC,KAAK,OAAO,CAAA;IACtC,IAAI,QAAQ,EAAE,CAAC;QACb,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,IAAI,EAAE,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,KAAK,CAAC,CAAA;IAC5D,CAAC;IAED,4EAA4E;IAC5E,wEAAwE;IACxE,qEAAqE;IACrE,wEAAwE;IACxE,sEAAsE;IACtE,oEAAoE;IACpE,MAAM,QAAQ,GAAG,MAAM,CAAC,CAAC,CAAC,KAAK,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,KAAK,CAAC,CAAA;IAC1D,IAAI,QAAQ,EAAE,CAAC;QACb,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,IAAI,EAAE,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,KAAK,CAAC,CAAA;IAC5D,CAAC;IAED,OAAO,IAAI,CAAA;AACb,CAAC;AAED,SAAS,gBAAgB,CAAC,MAAgB;IACxC,eAAe;IACf,IAAI,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,CAAC;QAC1D,OAAO,EAAE,MAAM,EAAE,qBAAqB,EAAE,CAAA;IAC1C,CAAC;IACD,iBAAiB;IACjB,IAAI,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC;QACjC,OAAO,EAAE,MAAM,EAAE,kBAAkB,EAAE,CAAA;IACvC,CAAC;IACD,yBAAyB;IACzB,IAAI,CAAC,MAAM,CAAC,CAAC,CAAE,GAAG,OAAO,CAAC,KAAK,OAAO,EAAE,CAAC;QACvC,OAAO,EAAE,MAAM,EAAE,8BAA8B,EAAE,CAAA;IACnD,CAAC;IACD,wBAAwB;IACxB,IAAI,CAAC,MAAM,CAAC,CAAC,CAAE,GAAG,OAAO,CAAC,KAAK,OAAO,EAAE,CAAC;QACvC,OAAO,EAAE,MAAM,EAAE,6BAA6B,EAAE,CAAA;IAClD,CAAC;IACD,sBAAsB;IACtB,IAAI,CAAC,MAAM,CAAC,CAAC,CAAE,GAAG,OAAO,CAAC,KAAK,OAAO,EAAE,CAAC;QACvC,OAAO,EAAE,MAAM,EAAE,2BAA2B,EAAE,CAAA;IAChD,CAAC;IACD,iDAAiD;IACjD,IAAI,MAAM,CAAC,CAAC,CAAC,KAAK,OAAO,IAAI,MAAM,CAAC,CAAC,CAAC,KAAK,OAAO,IAAI,MAAM,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC;QAC/F,OAAO,EAAE,MAAM,EAAE,sCAAsC,EAAE,CAAA;IAC3D,CAAC;IACD,OAAO,IAAI,CAAA;AACb,CAAC"}

package/dist/security/rate-limit.d.ts

@@ -16,9 +16,5 @@ export interface RateLimitConfig {
 export declare function createInMemoryRateLimiter(config: RateLimitConfig): RateLimiter;
 /** Create a rate limiter backed by Upstash Redis (for serverless/production). */
 export declare function createUpstashRateLimiter(config: RateLimitConfig): RateLimiter;
-/**
- * Create a rate limiter with automatic backend detection.
- * Uses Upstash Redis if UPSTASH_REDIS_REST_URL is set, otherwise falls back to in-memory.
- */
 export declare function createRateLimiter(config: RateLimitConfig): RateLimiter;
 //# sourceMappingURL=rate-limit.d.ts.map

package/dist/security/rate-limit.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"rate-limit.d.ts","sourceRoot":"","sources":["../../src/security/rate-limit.ts"],"names":[],"mappings":"AAAA,MAAM,WAAW,eAAe;IAC9B,OAAO,EAAE,OAAO,CAAA;IAChB,SAAS,EAAE,MAAM,CAAA;IACjB,OAAO,EAAE,IAAI,CAAA;IACb,UAAU,CAAC,EAAE,MAAM,CAAA;CACpB;AAED,MAAM,WAAW,WAAW;IAC1B,KAAK,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,eAAe,CAAC,CAAA;IAC5C,KAAK,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAA;CAClC;AAED,MAAM,WAAW,eAAe;IAC9B,QAAQ,EAAE,MAAM,CAAA;IAChB,WAAW,EAAE,MAAM,CAAA;CACpB;AAED,4FAA4F;AAC5F,wBAAgB,yBAAyB,CAAC,MAAM,EAAE,eAAe,GAAG,WAAW,CA4B9E;AAED,iFAAiF;AACjF,wBAAgB,wBAAwB,CAAC,MAAM,EAAE,eAAe,GAAG,WAAW,CAqF7E;AAED;;;GAGG;AACH,wBAAgB,iBAAiB,CAAC,MAAM,EAAE,eAAe,GAAG,WAAW,CAStE"}
+{"version":3,"file":"rate-limit.d.ts","sourceRoot":"","sources":["../../src/security/rate-limit.ts"],"names":[],"mappings":"AAAA,MAAM,WAAW,eAAe;IAC9B,OAAO,EAAE,OAAO,CAAA;IAChB,SAAS,EAAE,MAAM,CAAA;IACjB,OAAO,EAAE,IAAI,CAAA;IACb,UAAU,CAAC,EAAE,MAAM,CAAA;CACpB;AAED,MAAM,WAAW,WAAW;IAC1B,KAAK,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,eAAe,CAAC,CAAA;IAC5C,KAAK,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAA;CAClC;AAED,MAAM,WAAW,eAAe;IAC9B,QAAQ,EAAE,MAAM,CAAA;IAChB,WAAW,EAAE,MAAM,CAAA;CACpB;AAED,4FAA4F;AAC5F,wBAAgB,yBAAyB,CAAC,MAAM,EAAE,eAAe,GAAG,WAAW,CA4B9E;AAED,iFAAiF;AACjF,wBAAgB,wBAAwB,CAAC,MAAM,EAAE,eAAe,GAAG,WAAW,CAqF7E;AA6BD,wBAAgB,iBAAiB,CAAC,MAAM,EAAE,eAAe,GAAG,WAAW,CAkBtE"}

package/dist/security/rate-limit.js

@@ -102,7 +102,37 @@ export function createUpstashRateLimiter(config) {
  * Create a rate limiter with automatic backend detection.
  * Uses Upstash Redis if UPSTASH_REDIS_REST_URL is set, otherwise falls back to in-memory.
  */
+/**
+ * Returns a rate limiter that always permits requests.
+ *
+ * Useful for test harnesses (Playwright, Vitest, k6) where every test
+ * shares the same client-side IP — without a bypass, the first 5 login
+ * attempts exhaust the strict 5-per-15-minute bucket and every later
+ * test fails with HTTP 429. Production never sets the env var that
+ * activates this; the activation lives in `createRateLimiter` so every
+ * caller gets it without scattering env checks across the codebase.
+ */
+function createPermissiveRateLimiter(config) {
+    return {
+        async check() {
+            return {
+                allowed: true,
+                remaining: config.maxRequests,
+                resetAt: new Date(Date.now() + config.windowMs),
+            };
+        },
+        async reset() { },
+    };
+}
 export function createRateLimiter(config) {
+    // Explicit, environment-gated bypass for test harnesses. We deliberately
+    // do NOT key off `NODE_ENV === 'test'` because Next.js builds run with
+    // NODE_ENV=test in some CI configurations and we want unit tests that
+    // explicitly opt in to still exercise the real limiter logic. Vercel +
+    // the deploy guide both omit this var, so production never disables.
+    if (process.env.ACTUATE_DISABLE_RATE_LIMIT === '1') {
+        return createPermissiveRateLimiter(config);
+    }
     if (process.env.UPSTASH_REDIS_REST_URL && process.env.UPSTASH_REDIS_REST_TOKEN) {
         try {
             return createUpstashRateLimiter(config);

package/dist/security/rate-limit.js.map

@@ -1 +1 @@
-{"version":3,"file":"rate-limit.js","sourceRoot":"","sources":["../../src/security/rate-limit.ts"],"names":[],"mappings":"AAiBA,4FAA4F;AAC5F,MAAM,UAAU,yBAAyB,CAAC,MAAuB;IAC/D,MAAM,OAAO,GAAG,IAAI,GAAG,EAA8C,CAAA;IAErE,OAAO;QACL,KAAK,CAAC,KAAK,CAAC,GAAW;YACrB,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAA;YACtB,MAAM,KAAK,GAAG,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC,CAAA;YAE9B,IAAI,CAAC,KAAK,IAAI,GAAG,GAAG,KAAK,CAAC,OAAO,EAAE,CAAC;gBAClC,MAAM,OAAO,GAAG,GAAG,GAAG,MAAM,CAAC,QAAQ,CAAA;gBACrC,OAAO,CAAC,GAAG,CAAC,GAAG,EAAE,EAAE,KAAK,EAAE,CAAC,EAAE,OAAO,EAAE,CAAC,CAAA;gBACvC,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,SAAS,EAAE,MAAM,CAAC,WAAW,GAAG,CAAC,EAAE,OAAO,EAAE,IAAI,IAAI,CAAC,OAAO,CAAC,EAAE,CAAA;YACzF,CAAC;YAED,KAAK,CAAC,KAAK,EAAE,CAAA;YACb,MAAM,OAAO,GAAG,KAAK,CAAC,KAAK,IAAI,MAAM,CAAC,WAAW,CAAA;YACjD,OAAO;gBACL,OAAO;gBACP,SAAS,EAAE,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,MAAM,CAAC,WAAW,GAAG,KAAK,CAAC,KAAK,CAAC;gBACxD,OAAO,EAAE,IAAI,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC;gBAChC,UAAU,EAAE,OAAO,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,KAAK,CAAC,OAAO,GAAG,GAAG,CAAC,GAAG,IAAI,CAAC;aAC1E,CAAA;QACH,CAAC;QAED,KAAK,CAAC,KAAK,CAAC,GAAW;YACrB,OAAO,CAAC,MAAM,CAAC,GAAG,CAAC,CAAA;QACrB,CAAC;KACF,CAAA;AACH,CAAC;AAED,iFAAiF;AACjF,MAAM,UAAU,wBAAwB,CAAC,MAAuB;IAC9D,MAAM,GAAG,GAAG,OAAO,CAAC,GAAG,CAAC,sBAAsB,CAAA;IAC9C,MAAM,KAAK,GAAG,OAAO,CAAC,GAAG,CAAC,wBAAwB,CAAA;IAElD,IAAI,CAAC,GAAG,IAAI,CAAC,KAAK,EAAE,CAAC;QACnB,MAAM,IAAI,KAAK,CAAC,kEAAkE,CAAC,CAAA;IACrF,CAAC;IAED,KAAK,UAAU,aAAa,CAAC,QAAoB;QAC/C,yEAAyE;QACzE,qEAAqE;QACrE,wEAAwE;QACxE,qEAAqE;QACrE,0BAA0B;QAC1B,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,GAAG,GAAG,WAAW,EAAE;YAC9C,MAAM,EAAE,MAAM;YACd,OAAO,EAAE;gBACP,aAAa,EAAE,UAAU,KAAK,EAAE;gBAChC,cAAc,EAAE,kBAAkB;aACnC;YACD,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC;SAC/B,CAAC,CAAA;QACF,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;YACjB,MAAM,IAAI,KAAK,CAAC,6BAA6B,QAAQ,CAAC,MAAM,EAAE,CAAC,CAAA;QACjE,CAAC;QACD,MAAM,IAAI,GAAG,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAA4C,CAAA;QAC/E,OAAO,IAAI,CAAC,GAAG,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,KAAK,EAAE,MAAM,CAAC,CAAA;IAC3C,CAAC;IAED,MAAM,SAAS,GAAG,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,QAAQ,GAAG,IAAI,CAAC,CAAA;IAEnD,OAAO;QACL,KAAK,CAAC,KAAK,CAAC,GAAW;YACrB,MAAM,QAAQ,GAAG,aAAa,GAAG,EAAE,CAAA;YAEnC,IAAI,CAAC;gBACH,MAAM,CAAC,KAAK,EAAE,aAAa,EAAE,GAAG,CAAC,GAAG,CAAC,MAAM,aAAa,CAAC;oBACvD,CAAC,MAAM,EAAE,QAAQ,CAAC;oBAClB,CAAC,QAAQ,EAAE,QAAQ,EAAE,MAAM,CAAC,SAAS,CAAC,EAAE,IAAI,CAAC,EAAE,8BAA8B;oBAC7E,CAAC,KAAK,EAAE,QAAQ,CAAC;iBAClB,CAAC,CAA6B,CAAA;gBAE/B,uEAAuE;gBACvE,oEAAoE;gBACpE,sDAAsD;gBACtD,IAAI,GAAG,GAAG,CAAC,EAAE,CAAC;oBACZ,MAAM,aAAa,CAAC,CAAC,CAAC,QAAQ,EAAE,QAAQ,EAAE,MAAM,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,SAAS,CAAC,CAAA;gBACvF,CAAC;gBAED,MAAM,YAAY,GAAG,GAAG,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,SAAS,CAAA;gBAC9C,MAAM,OAAO,GAAG,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,YAAY,GAAG,IAAI,CAAC,CAAA;gBAC1D,MAAM,OAAO,GAAG,KAAK,IAAI,MAAM,CAAC,WAAW,CAAA;gBAE3C,OAAO;oBACL,OAAO;oBACP,SAAS,EAAE,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,MAAM,CAAC,WAAW,GAAG,KAAK,CAAC;oBAClD,OAAO;oBACP,UAAU,EAAE,OAAO,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,YAAY;iBAC/C,CAAA;YACH,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACb,qEAAqE;gBACrE,kEAAkE;gBAClE,OAAO,CAAC,KAAK,CACX,iEAAiE,EACjE,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,GAAG,CACzC,CAAA;gBACD,OAAO;oBACL,OAAO,EAAE,IAAI;oBACb,SAAS,EAAE,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,MAAM,CAAC,WAAW,GAAG,CAAC,CAAC;oBAC9C,OAAO,EAAE,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,MAAM,CAAC,QAAQ,CAAC;iBAChD,CAAA;YACH,CAAC;QACH,CAAC;QAED,KAAK,CAAC,KAAK,CAAC,GAAW;YACrB,IAAI,CAAC;gBACH,MAAM,aAAa,CAAC,CAAC,CAAC,KAAK,EAAE,aAAa,GAAG,EAAE,CAAC,CAAC,CAAC,CAAA;YACpD,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACb,OAAO,CAAC,KAAK,CACX,6CAA6C,EAC7C,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,GAAG,CACzC,CAAA;YACH,CAAC;QACH,CAAC;KACF,CAAA;AACH,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,iBAAiB,CAAC,MAAuB;IACvD,IAAI,OAAO,CAAC,GAAG,CAAC,sBAAsB,IAAI,OAAO,CAAC,GAAG,CAAC,wBAAwB,EAAE,CAAC;QAC/E,IAAI,CAAC;YACH,OAAO,wBAAwB,CAAC,MAAM,CAAC,CAAA;QACzC,CAAC;QAAC,MAAM,CAAC;YACP,8CAA8C;QAChD,CAAC;IACH,CAAC;IACD,OAAO,yBAAyB,CAAC,MAAM,CAAC,CAAA;AAC1C,CAAC"}
+{"version":3,"file":"rate-limit.js","sourceRoot":"","sources":["../../src/security/rate-limit.ts"],"names":[],"mappings":"AAiBA,4FAA4F;AAC5F,MAAM,UAAU,yBAAyB,CAAC,MAAuB;IAC/D,MAAM,OAAO,GAAG,IAAI,GAAG,EAA8C,CAAA;IAErE,OAAO;QACL,KAAK,CAAC,KAAK,CAAC,GAAW;YACrB,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAA;YACtB,MAAM,KAAK,GAAG,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC,CAAA;YAE9B,IAAI,CAAC,KAAK,IAAI,GAAG,GAAG,KAAK,CAAC,OAAO,EAAE,CAAC;gBAClC,MAAM,OAAO,GAAG,GAAG,GAAG,MAAM,CAAC,QAAQ,CAAA;gBACrC,OAAO,CAAC,GAAG,CAAC,GAAG,EAAE,EAAE,KAAK,EAAE,CAAC,EAAE,OAAO,EAAE,CAAC,CAAA;gBACvC,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,SAAS,EAAE,MAAM,CAAC,WAAW,GAAG,CAAC,EAAE,OAAO,EAAE,IAAI,IAAI,CAAC,OAAO,CAAC,EAAE,CAAA;YACzF,CAAC;YAED,KAAK,CAAC,KAAK,EAAE,CAAA;YACb,MAAM,OAAO,GAAG,KAAK,CAAC,KAAK,IAAI,MAAM,CAAC,WAAW,CAAA;YACjD,OAAO;gBACL,OAAO;gBACP,SAAS,EAAE,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,MAAM,CAAC,WAAW,GAAG,KAAK,CAAC,KAAK,CAAC;gBACxD,OAAO,EAAE,IAAI,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC;gBAChC,UAAU,EAAE,OAAO,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,KAAK,CAAC,OAAO,GAAG,GAAG,CAAC,GAAG,IAAI,CAAC;aAC1E,CAAA;QACH,CAAC;QAED,KAAK,CAAC,KAAK,CAAC,GAAW;YACrB,OAAO,CAAC,MAAM,CAAC,GAAG,CAAC,CAAA;QACrB,CAAC;KACF,CAAA;AACH,CAAC;AAED,iFAAiF;AACjF,MAAM,UAAU,wBAAwB,CAAC,MAAuB;IAC9D,MAAM,GAAG,GAAG,OAAO,CAAC,GAAG,CAAC,sBAAsB,CAAA;IAC9C,MAAM,KAAK,GAAG,OAAO,CAAC,GAAG,CAAC,wBAAwB,CAAA;IAElD,IAAI,CAAC,GAAG,IAAI,CAAC,KAAK,EAAE,CAAC;QACnB,MAAM,IAAI,KAAK,CAAC,kEAAkE,CAAC,CAAA;IACrF,CAAC;IAED,KAAK,UAAU,aAAa,CAAC,QAAoB;QAC/C,yEAAyE;QACzE,qEAAqE;QACrE,wEAAwE;QACxE,qEAAqE;QACrE,0BAA0B;QAC1B,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,GAAG,GAAG,WAAW,EAAE;YAC9C,MAAM,EAAE,MAAM;YACd,OAAO,EAAE;gBACP,aAAa,EAAE,UAAU,KAAK,EAAE;gBAChC,cAAc,EAAE,kBAAkB;aACnC;YACD,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC;SAC/B,CAAC,CAAA;QACF,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;YACjB,MAAM,IAAI,KAAK,CAAC,6BAA6B,QAAQ,CAAC,MAAM,EAAE,CAAC,CAAA;QACjE,CAAC;QACD,MAAM,IAAI,GAAG,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAA4C,CAAA;QAC/E,OAAO,IAAI,CAAC,GAAG,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,KAAK,EAAE,MAAM,CAAC,CAAA;IAC3C,CAAC;IAED,MAAM,SAAS,GAAG,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,QAAQ,GAAG,IAAI,CAAC,CAAA;IAEnD,OAAO;QACL,KAAK,CAAC,KAAK,CAAC,GAAW;YACrB,MAAM,QAAQ,GAAG,aAAa,GAAG,EAAE,CAAA;YAEnC,IAAI,CAAC;gBACH,MAAM,CAAC,KAAK,EAAE,aAAa,EAAE,GAAG,CAAC,GAAG,CAAC,MAAM,aAAa,CAAC;oBACvD,CAAC,MAAM,EAAE,QAAQ,CAAC;oBAClB,CAAC,QAAQ,EAAE,QAAQ,EAAE,MAAM,CAAC,SAAS,CAAC,EAAE,IAAI,CAAC,EAAE,8BAA8B;oBAC7E,CAAC,KAAK,EAAE,QAAQ,CAAC;iBAClB,CAAC,CAA6B,CAAA;gBAE/B,uEAAuE;gBACvE,oEAAoE;gBACpE,sDAAsD;gBACtD,IAAI,GAAG,GAAG,CAAC,EAAE,CAAC;oBACZ,MAAM,aAAa,CAAC,CAAC,CAAC,QAAQ,EAAE,QAAQ,EAAE,MAAM,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,SAAS,CAAC,CAAA;gBACvF,CAAC;gBAED,MAAM,YAAY,GAAG,GAAG,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,SAAS,CAAA;gBAC9C,MAAM,OAAO,GAAG,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,YAAY,GAAG,IAAI,CAAC,CAAA;gBAC1D,MAAM,OAAO,GAAG,KAAK,IAAI,MAAM,CAAC,WAAW,CAAA;gBAE3C,OAAO;oBACL,OAAO;oBACP,SAAS,EAAE,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,MAAM,CAAC,WAAW,GAAG,KAAK,CAAC;oBAClD,OAAO;oBACP,UAAU,EAAE,OAAO,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,YAAY;iBAC/C,CAAA;YACH,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACb,qEAAqE;gBACrE,kEAAkE;gBAClE,OAAO,CAAC,KAAK,CACX,iEAAiE,EACjE,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,GAAG,CACzC,CAAA;gBACD,OAAO;oBACL,OAAO,EAAE,IAAI;oBACb,SAAS,EAAE,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,MAAM,CAAC,WAAW,GAAG,CAAC,CAAC;oBAC9C,OAAO,EAAE,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,MAAM,CAAC,QAAQ,CAAC;iBAChD,CAAA;YACH,CAAC;QACH,CAAC;QAED,KAAK,CAAC,KAAK,CAAC,GAAW;YACrB,IAAI,CAAC;gBACH,MAAM,aAAa,CAAC,CAAC,CAAC,KAAK,EAAE,aAAa,GAAG,EAAE,CAAC,CAAC,CAAC,CAAA;YACpD,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACb,OAAO,CAAC,KAAK,CACX,6CAA6C,EAC7C,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,GAAG,CACzC,CAAA;YACH,CAAC;QACH,CAAC;KACF,CAAA;AACH,CAAC;AAED;;;GAGG;AACH;;;;;;;;;GASG;AACH,SAAS,2BAA2B,CAAC,MAAuB;IAC1D,OAAO;QACL,KAAK,CAAC,KAAK;YACT,OAAO;gBACL,OAAO,EAAE,IAAI;gBACb,SAAS,EAAE,MAAM,CAAC,WAAW;gBAC7B,OAAO,EAAE,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,MAAM,CAAC,QAAQ,CAAC;aAChD,CAAA;QACH,CAAC;QACD,KAAK,CAAC,KAAK,KAAmB,CAAC;KAChC,CAAA;AACH,CAAC;AAED,MAAM,UAAU,iBAAiB,CAAC,MAAuB;IACvD,yEAAyE;IACzE,uEAAuE;IACvE,sEAAsE;IACtE,uEAAuE;IACvE,qEAAqE;IACrE,IAAI,OAAO,CAAC,GAAG,CAAC,0BAA0B,KAAK,GAAG,EAAE,CAAC;QACnD,OAAO,2BAA2B,CAAC,MAAM,CAAC,CAAA;IAC5C,CAAC;IAED,IAAI,OAAO,CAAC,GAAG,CAAC,sBAAsB,IAAI,OAAO,CAAC,GAAG,CAAC,wBAAwB,EAAE,CAAC;QAC/E,IAAI,CAAC;YACH,OAAO,wBAAwB,CAAC,MAAM,CAAC,CAAA;QACzC,CAAC;QAAC,MAAM,CAAC;YACP,8CAA8C;QAChD,CAAC;IACH,CAAC;IACD,OAAO,yBAAyB,CAAC,MAAM,CAAC,CAAA;AAC1C,CAAC"}

package/dist/security/safe-fetch.d.ts

@@ -2,21 +2,27 @@
  * Perform a `fetch()` with SSRF defenses applied:
  *
  *  - Reject non-http/https URLs (no `file:`, `gopher:`, `data:`).
- *  - Reject hostnames that resolve to private/loopback IP literals
- *    (`10.x`, `127.x`, `169.254.x`, `192.168.x`, `::1`, …).
- *  - Reject `localhost` and `0.0.0.0`.
+ *  - Reject hostnames that resolve to private/loopback IP literals via the
+ *    canonicalizer in `ip-canon.ts` (decimal, octal, hex, IPv4-mapped IPv6,
+ *    short-form, CGNAT, cloud metadata, etc.).
+ *  - Reject `localhost`, `0.0.0.0`, and `*.internal` hostnames.
+ *  - DNS-resolve the hostname before fetching and reject if any A/AAAA record
+ *    lands in a private range. This defeats DNS rebinding — without it, an
+ *    attacker controlling DNS for `evil.tld` returns `8.8.8.8` to our
+ *    validator and `127.0.0.1` to the actual `fetch`. The pre-resolution
+ *    forces the same lookup.
  *  - Disable HTTP redirects by default (`redirect: 'manual'`) — a 302 to an
  *    internal address would otherwise smuggle the request past the validator.
+ *    When `followRedirects: true`, each hop is re-validated AND re-resolved.
  *  - Apply a hard request timeout via `AbortSignal.timeout`.
  *
  * Use this for any internal `fetch()` call that targets a URL derived from
  * user/admin input (webhooks, link health, image URL fetches, etc).
  *
- * Note: this guards against the URL **as written**. For full DNS-rebinding
- * protection use `resolveAndCheck()` from `./webhook.js` to pre-resolve the
- * hostname; on Node 20+ this can be combined with a custom dispatcher to bind
- * the request to the resolved IP. The default policy here trades that
- * protection for portability across runtimes (Edge, Bun, Workers).
+ * **Runtime caveat:** DNS resolution uses `node:dns/promises`. On Edge / Bun
+ * / Workers without that module, `resolveDns` is skipped and only the
+ * URL-string check applies — set `requireDnsCheck: true` to fail closed on
+ * runtimes where the resolver isn't available.
  */
 export interface SafeFetchOptions extends RequestInit {
     /** Hard timeout applied via AbortSignal. Defaults to 5000ms. */
@@ -25,6 +31,22 @@ export interface SafeFetchOptions extends RequestInit {
     followRedirects?: boolean;
     /** Maximum number of redirect hops when followRedirects is true. Default: 3. */
     maxRedirects?: number;
+    /**
+     * When true, DNS resolution failures (including missing `node:dns/promises`)
+     * cause the request to fail closed with an `SsrfBlockedError` instead of
+     * proceeding with only the string-level check. Default: false (best effort
+     * — preserves portability across Edge/Workers runtimes).
+     */
+    requireDnsCheck?: boolean;
+    /**
+     * Test seam — allows tests to substitute a fake resolver instead of hitting
+     * real DNS. Production callers leave this undefined.
+     */
+    _resolver?: (hostname: string) => Promise<{
+        safe: boolean;
+        resolvedIp?: string;
+        error?: string;
+    }>;
 }
 export declare class SsrfBlockedError extends Error {
     readonly url: string;

package/dist/security/safe-fetch.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"safe-fetch.d.ts","sourceRoot":"","sources":["../../src/security/safe-fetch.ts"],"names":[],"mappings":"AAEA;;;;;;;;;;;;;;;;;;;GAmBG;AACH,MAAM,WAAW,gBAAiB,SAAQ,WAAW;IACnD,gEAAgE;IAChE,SAAS,CAAC,EAAE,MAAM,CAAA;IAClB,sFAAsF;IACtF,eAAe,CAAC,EAAE,OAAO,CAAA;IACzB,gFAAgF;IAChF,YAAY,CAAC,EAAE,MAAM,CAAA;CACtB;AAED,qBAAa,gBAAiB,SAAQ,KAAK;IACzC,QAAQ,CAAC,GAAG,EAAE,MAAM,CAAA;IACpB,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAA;gBACX,GAAG,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM;CAMxC;AAED,wBAAsB,SAAS,CAAC,GAAG,EAAE,MAAM,EAAE,OAAO,GAAE,gBAAqB,GAAG,OAAO,CAAC,QAAQ,CAAC,CAsC9F"}
+{"version":3,"file":"safe-fetch.d.ts","sourceRoot":"","sources":["../../src/security/safe-fetch.ts"],"names":[],"mappings":"AAEA;;;;;;;;;;;;;;;;;;;;;;;;;GAyBG;AACH,MAAM,WAAW,gBAAiB,SAAQ,WAAW;IACnD,gEAAgE;IAChE,SAAS,CAAC,EAAE,MAAM,CAAA;IAClB,sFAAsF;IACtF,eAAe,CAAC,EAAE,OAAO,CAAA;IACzB,gFAAgF;IAChF,YAAY,CAAC,EAAE,MAAM,CAAA;IACrB;;;;;OAKG;IACH,eAAe,CAAC,EAAE,OAAO,CAAA;IACzB;;;OAGG;IACH,SAAS,CAAC,EAAE,CAAC,QAAQ,EAAE,MAAM,KAAK,OAAO,CAAC;QAAE,IAAI,EAAE,OAAO,CAAC;QAAC,UAAU,CAAC,EAAE,MAAM,CAAC;QAAC,KAAK,CAAC,EAAE,MAAM,CAAA;KAAE,CAAC,CAAA;CAClG;AAED,qBAAa,gBAAiB,SAAQ,KAAK;IACzC,QAAQ,CAAC,GAAG,EAAE,MAAM,CAAA;IACpB,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAA;gBACX,GAAG,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM;CAMxC;AAuCD,wBAAsB,SAAS,CAAC,GAAG,EAAE,MAAM,EAAE,OAAO,GAAE,gBAAqB,GAAG,OAAO,CAAC,QAAQ,CAAC,CA0C9F"}

package/dist/security/safe-fetch.js

@@ -1,4 +1,4 @@
-import { validateWebhookUrl } from './webhook.js';
+import { resolveAndCheck, validateWebhookUrl } from './webhook.js';
 export class SsrfBlockedError extends Error {
     url;
     reason;
@@ -9,15 +9,41 @@ export class SsrfBlockedError extends Error {
         this.reason = reason;
     }
 }
+async function preflightUrl(url, options) {
+    const check = validateWebhookUrl(url);
+    if (!check.valid) {
+        throw new SsrfBlockedError(url, check.error ?? 'URL rejected by SSRF policy');
+    }
+    let parsed;
+    try {
+        parsed = new URL(url);
+    }
+    catch {
+        throw new SsrfBlockedError(url, 'invalid URL');
+    }
+    // resolveAndCheck short-circuits when the hostname is already an IP literal
+    // (which validateWebhookUrl just covered), so this only does real DNS work
+    // for actual hostnames.
+    let resolved;
+    try {
+        resolved = await options.resolver(parsed.hostname);
+    }
+    catch (err) {
+        if (options.requireDnsCheck) {
+            throw new SsrfBlockedError(url, `DNS resolution failed: ${err instanceof Error ? err.message : String(err)}`);
+        }
+        return; // best-effort mode: proceed with string check only
+    }
+    if (!resolved.safe) {
+        throw new SsrfBlockedError(url, resolved.error ?? 'hostname resolves to a private IP');
+    }
+}
 export async function safeFetch(url, options = {}) {
-    const { timeoutMs = 5000, followRedirects = false, maxRedirects = 3, ...init } = options;
+    const { timeoutMs = 5000, followRedirects = false, maxRedirects = 3, requireDnsCheck = false, _resolver = resolveAndCheck, ...init } = options;
     let currentUrl = url;
     let hops = 0;
     while (true) {
-        const check = validateWebhookUrl(currentUrl);
-        if (!check.valid) {
-            throw new SsrfBlockedError(currentUrl, check.error ?? 'URL rejected by SSRF policy');
-        }
+        await preflightUrl(currentUrl, { requireDnsCheck, resolver: _resolver });
         const response = await fetch(currentUrl, {
             ...init,
             redirect: 'manual',

package/dist/security/safe-fetch.js.map

@@ -1 +1 @@
-{"version":3,"file":"safe-fetch.js","sourceRoot":"","sources":["../../src/security/safe-fetch.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,kBAAkB,EAAE,MAAM,cAAc,CAAA;AA+BjD,MAAM,OAAO,gBAAiB,SAAQ,KAAK;IAChC,GAAG,CAAQ;IACX,MAAM,CAAQ;IACvB,YAAY,GAAW,EAAE,MAAc;QACrC,KAAK,CAAC,iBAAiB,MAAM,SAAS,GAAG,GAAG,CAAC,CAAA;QAC7C,IAAI,CAAC,IAAI,GAAG,kBAAkB,CAAA;QAC9B,IAAI,CAAC,GAAG,GAAG,GAAG,CAAA;QACd,IAAI,CAAC,MAAM,GAAG,MAAM,CAAA;IACtB,CAAC;CACF;AAED,MAAM,CAAC,KAAK,UAAU,SAAS,CAAC,GAAW,EAAE,UAA4B,EAAE;IACzE,MAAM,EAAE,SAAS,GAAG,IAAI,EAAE,eAAe,GAAG,KAAK,EAAE,YAAY,GAAG,CAAC,EAAE,GAAG,IAAI,EAAE,GAAG,OAAO,CAAA;IAExF,IAAI,UAAU,GAAG,GAAG,CAAA;IACpB,IAAI,IAAI,GAAG,CAAC,CAAA;IAEZ,OAAO,IAAI,EAAE,CAAC;QACZ,MAAM,KAAK,GAAG,kBAAkB,CAAC,UAAU,CAAC,CAAA;QAC5C,IAAI,CAAC,KAAK,CAAC,KAAK,EAAE,CAAC;YACjB,MAAM,IAAI,gBAAgB,CAAC,UAAU,EAAE,KAAK,CAAC,KAAK,IAAI,6BAA6B,CAAC,CAAA;QACtF,CAAC;QAED,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,UAAU,EAAE;YACvC,GAAG,IAAI;YACP,QAAQ,EAAE,QAAQ;YAClB,MAAM,EAAE,IAAI,CAAC,MAAM,IAAI,WAAW,CAAC,OAAO,CAAC,SAAS,CAAC;SACtD,CAAC,CAAA;QAEF,MAAM,UAAU,GAAG,QAAQ,CAAC,MAAM,IAAI,GAAG,IAAI,QAAQ,CAAC,MAAM,GAAG,GAAG,CAAA;QAClE,IAAI,CAAC,UAAU,IAAI,CAAC,eAAe,EAAE,CAAC;YACpC,OAAO,QAAQ,CAAA;QACjB,CAAC;QAED,IAAI,IAAI,IAAI,YAAY,EAAE,CAAC;YACzB,MAAM,IAAI,gBAAgB,CAAC,UAAU,EAAE,YAAY,YAAY,YAAY,CAAC,CAAA;QAC9E,CAAC;QAED,MAAM,QAAQ,GAAG,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,UAAU,CAAC,CAAA;QACjD,IAAI,CAAC,QAAQ;YAAE,OAAO,QAAQ,CAAA;QAE9B,IAAI,CAAC;YACH,UAAU,GAAG,IAAI,GAAG,CAAC,QAAQ,EAAE,UAAU,CAAC,CAAC,QAAQ,EAAE,CAAA;QACvD,CAAC;QAAC,MAAM,CAAC;YACP,MAAM,IAAI,gBAAgB,CAAC,QAAQ,EAAE,yBAAyB,CAAC,CAAA;QACjE,CAAC;QAED,IAAI,IAAI,CAAC,CAAA;IACX,CAAC;AACH,CAAC"}
+{"version":3,"file":"safe-fetch.js","sourceRoot":"","sources":["../../src/security/safe-fetch.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,eAAe,EAAE,kBAAkB,EAAE,MAAM,cAAc,CAAA;AAiDlE,MAAM,OAAO,gBAAiB,SAAQ,KAAK;IAChC,GAAG,CAAQ;IACX,MAAM,CAAQ;IACvB,YAAY,GAAW,EAAE,MAAc;QACrC,KAAK,CAAC,iBAAiB,MAAM,SAAS,GAAG,GAAG,CAAC,CAAA;QAC7C,IAAI,CAAC,IAAI,GAAG,kBAAkB,CAAA;QAC9B,IAAI,CAAC,GAAG,GAAG,GAAG,CAAA;QACd,IAAI,CAAC,MAAM,GAAG,MAAM,CAAA;IACtB,CAAC;CACF;AAED,KAAK,UAAU,YAAY,CACzB,GAAW,EACX,OAA2F;IAE3F,MAAM,KAAK,GAAG,kBAAkB,CAAC,GAAG,CAAC,CAAA;IACrC,IAAI,CAAC,KAAK,CAAC,KAAK,EAAE,CAAC;QACjB,MAAM,IAAI,gBAAgB,CAAC,GAAG,EAAE,KAAK,CAAC,KAAK,IAAI,6BAA6B,CAAC,CAAA;IAC/E,CAAC;IAED,IAAI,MAAW,CAAA;IACf,IAAI,CAAC;QACH,MAAM,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,CAAA;IACvB,CAAC;IAAC,MAAM,CAAC;QACP,MAAM,IAAI,gBAAgB,CAAC,GAAG,EAAE,aAAa,CAAC,CAAA;IAChD,CAAC;IAED,4EAA4E;IAC5E,2EAA2E;IAC3E,wBAAwB;IACxB,IAAI,QAAQ,CAAA;IACZ,IAAI,CAAC;QACH,QAAQ,GAAG,MAAM,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAA;IACpD,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,IAAI,OAAO,CAAC,eAAe,EAAE,CAAC;YAC5B,MAAM,IAAI,gBAAgB,CACxB,GAAG,EACH,0BAA0B,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,CAC7E,CAAA;QACH,CAAC;QACD,OAAM,CAAC,mDAAmD;IAC5D,CAAC;IAED,IAAI,CAAC,QAAQ,CAAC,IAAI,EAAE,CAAC;QACnB,MAAM,IAAI,gBAAgB,CAAC,GAAG,EAAE,QAAQ,CAAC,KAAK,IAAI,mCAAmC,CAAC,CAAA;IACxF,CAAC;AACH,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,SAAS,CAAC,GAAW,EAAE,UAA4B,EAAE;IACzE,MAAM,EACJ,SAAS,GAAG,IAAI,EAChB,eAAe,GAAG,KAAK,EACvB,YAAY,GAAG,CAAC,EAChB,eAAe,GAAG,KAAK,EACvB,SAAS,GAAG,eAAe,EAC3B,GAAG,IAAI,EACR,GAAG,OAAO,CAAA;IAEX,IAAI,UAAU,GAAG,GAAG,CAAA;IACpB,IAAI,IAAI,GAAG,CAAC,CAAA;IAEZ,OAAO,IAAI,EAAE,CAAC;QACZ,MAAM,YAAY,CAAC,UAAU,EAAE,EAAE,eAAe,EAAE,QAAQ,EAAE,SAAS,EAAE,CAAC,CAAA;QAExE,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,UAAU,EAAE;YACvC,GAAG,IAAI;YACP,QAAQ,EAAE,QAAQ;YAClB,MAAM,EAAE,IAAI,CAAC,MAAM,IAAI,WAAW,CAAC,OAAO,CAAC,SAAS,CAAC;SACtD,CAAC,CAAA;QAEF,MAAM,UAAU,GAAG,QAAQ,CAAC,MAAM,IAAI,GAAG,IAAI,QAAQ,CAAC,MAAM,GAAG,GAAG,CAAA;QAClE,IAAI,CAAC,UAAU,IAAI,CAAC,eAAe,EAAE,CAAC;YACpC,OAAO,QAAQ,CAAA;QACjB,CAAC;QAED,IAAI,IAAI,IAAI,YAAY,EAAE,CAAC;YACzB,MAAM,IAAI,gBAAgB,CAAC,UAAU,EAAE,YAAY,YAAY,YAAY,CAAC,CAAA;QAC9E,CAAC;QAED,MAAM,QAAQ,GAAG,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,UAAU,CAAC,CAAA;QACjD,IAAI,CAAC,QAAQ;YAAE,OAAO,QAAQ,CAAA;QAE9B,IAAI,CAAC;YACH,UAAU,GAAG,IAAI,GAAG,CAAC,QAAQ,EAAE,UAAU,CAAC,CAAC,QAAQ,EAAE,CAAA;QACvD,CAAC;QAAC,MAAM,CAAC;YACP,MAAM,IAAI,gBAAgB,CAAC,QAAQ,EAAE,yBAAyB,CAAC,CAAA;QACjE,CAAC;QAED,IAAI,IAAI,CAAC,CAAA;IACX,CAAC;AACH,CAAC"}

package/dist/security/webhook.d.ts

@@ -1,9 +1,27 @@
-/** Validate that a webhook URL does not target private/internal networks (SSRF prevention). */
+/**
+ * Validate that a webhook URL does not target private/internal networks
+ * (string-level SSRF prevention).
+ *
+ * Catches every IP-literal encoding `getaddrinfo` accepts: decimal
+ * (`http://2130706433`), octal (`http://0177.0.0.1`), hex
+ * (`http://0x7f.0.0.1`), short-form (`http://127.1`), IPv4-mapped IPv6
+ * (`http://[::ffff:127.0.0.1]`), bracketed IPv6, and the reserved
+ * `100.64.0.0/10` carrier-grade NAT range that previously slipped through.
+ *
+ * **Important caveat:** this only validates the URL **as written**. A hostname
+ * like `attacker-controlled.tld` that resolves to a public IP at validation
+ * time and to `127.0.0.1` at fetch time (DNS rebinding) still bypasses this
+ * check — `safeFetch` calls `resolveAndCheck()` on top to defend against that.
+ */
 export declare function validateWebhookUrl(url: string): {
     valid: boolean;
     error?: string;
 };
-/** Resolve a hostname and verify the resulting IP isn't in a private range. */
+/**
+ * Resolve a hostname's A/AAAA records and verify none of them land in a
+ * private range. Pair with `validateWebhookUrl` to defend against DNS
+ * rebinding — see `safeFetch`.
+ */
 export declare function resolveAndCheck(hostname: string): Promise<{
     safe: boolean;
     resolvedIp?: string;

package/dist/security/webhook.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"webhook.d.ts","sourceRoot":"","sources":["../../src/security/webhook.ts"],"names":[],"mappings":"AAYA,+FAA+F;AAC/F,wBAAgB,kBAAkB,CAAC,GAAG,EAAE,MAAM,GAAG;IAAE,KAAK,EAAE,OAAO,CAAC;IAAC,KAAK,CAAC,EAAE,MAAM,CAAA;CAAE,CAsBlF;AAED,+EAA+E;AAC/E,wBAAsB,eAAe,CACnC,QAAQ,EAAE,MAAM,GACf,OAAO,CAAC;IAAE,IAAI,EAAE,OAAO,CAAC;IAAC,UAAU,CAAC,EAAE,MAAM,CAAC;IAAC,KAAK,CAAC,EAAE,MAAM,CAAA;CAAE,CAAC,CA8BjE"}
+{"version":3,"file":"webhook.d.ts","sourceRoot":"","sources":["../../src/security/webhook.ts"],"names":[],"mappings":"AAEA;;;;;;;;;;;;;;GAcG;AACH,wBAAgB,kBAAkB,CAAC,GAAG,EAAE,MAAM,GAAG;IAAE,KAAK,EAAE,OAAO,CAAC;IAAC,KAAK,CAAC,EAAE,MAAM,CAAA;CAAE,CAmDlF;AAED;;;;GAIG;AACH,wBAAsB,eAAe,CACnC,QAAQ,EAAE,MAAM,GACf,OAAO,CAAC;IAAE,IAAI,EAAE,OAAO,CAAC;IAAC,UAAU,CAAC,EAAE,MAAM,CAAC;IAAC,KAAK,CAAC,EAAE,MAAM,CAAA;CAAE,CAAC,CAgEjE"}