@actuate-media/cms-core 0.11.2 → 0.13.0

package/dist/security/encrypted-fields.js.map

@@ -1 +1 @@
-{"version":3,"file":"encrypted-fields.js","sourceRoot":"","sources":["../../src/security/encrypted-fields.ts"],"names":[],"mappings":"AAAA,MAAM,SAAS,GAAG,SAAS,CAAA;AAC3B,MAAM,SAAS,GAAG,EAAE,CAAA;AACpB,MAAM,UAAU,GAAG,GAAG,CAAA;AAEtB,+CAA+C;AAC/C,MAAM,CAAC,KAAK,UAAU,YAAY,CAAC,KAAa,EAAE,MAAc;IAC9D,MAAM,GAAG,GAAG,MAAM,SAAS,CAAC,MAAM,CAAC,CAAA;IACnC,MAAM,EAAE,GAAG,MAAM,CAAC,eAAe,CAAC,IAAI,UAAU,CAAC,SAAS,CAAC,CAAC,CAAA;IAC5D,MAAM,OAAO,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,KAAK,CAAC,CAAA;IAE/C,MAAM,UAAU,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,OAAO,CAC5C,EAAE,IAAI,EAAE,SAAS,EAAE,EAAE,EAAE,SAAS,EAAE,UAAU,EAAE,EAC9C,GAAG,EACH,OAAO,CACR,CAAA;IAED,MAAM,QAAQ,GAAG,IAAI,UAAU,CAAC,EAAE,CAAC,MAAM,GAAG,UAAU,CAAC,UAAU,CAAC,CAAA;IAClE,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC,CAAA;IAChB,QAAQ,CAAC,GAAG,CAAC,IAAI,UAAU,CAAC,UAAU,CAAC,EAAE,EAAE,CAAC,MAAM,CAAC,CAAA;IAEnD,OAAO,WAAW,CAAC,QAAQ,CAAC,CAAA;AAC9B,CAAC;AAED,wDAAwD;AACxD,MAAM,CAAC,KAAK,UAAU,YAAY,CAAC,SAAiB,EAAE,MAAc;IAClE,MAAM,GAAG,GAAG,MAAM,SAAS,CAAC,MAAM,CAAC,CAAA;IACnC,MAAM,IAAI,GAAG,WAAW,CAAC,SAAS,CAAC,CAAA;IACnC,MAAM,EAAE,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,SAAS,CAAC,CAAA;IACnC,MAAM,UAAU,GAAG,IAAI,CAAC,KAAK,CAAC,SAAS,CAAC,CAAA;IAExC,MAAM,SAAS,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,OAAO,CAC3C,EAAE,IAAI,EAAE,SAAS,EAAE,EAAE,EAAE,SAAS,EAAE,UAAU,EAAE,EAC9C,GAAG,EACH,UAAU,CACX,CAAA;IAED,OAAO,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,SAAS,CAAC,CAAA;AAC5C,CAAC;AAED,KAAK,UAAU,SAAS,CAAC,MAAc;IACrC,MAAM,OAAO,GAAG,WAAW,CAAC,MAAM,CAAC,CAAA;IACnC,OAAO,MAAM,CAAC,MAAM,CAAC,SAAS,CAAC,KAAK,EAAE,OAAkC,EAAE,SAAS,EAAE,KAAK,EAAE;QAC1F,SAAS;QACT,SAAS;KACV,CAAC,CAAA;AACJ,CAAC;AAED,SAAS,WAAW,CAAC,MAAkB;IACrC,OAAO,KAAK,CAAC,IAAI,CAAC,MAAM,CAAC;SACtB,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC;SAC3C,IAAI,CAAC,EAAE,CAAC,CAAA;AACb,CAAC;AAED,SAAS,WAAW,CAAC,GAAW;IAC9B,MAAM,KAAK,GAAG,IAAI,UAAU,CAAC,GAAG,CAAC,MAAM,GAAG,CAAC,CAAC,CAAA;IAC5C,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,GAAG,CAAC,MAAM,EAAE,CAAC,IAAI,CAAC,EAAE,CAAC;QACvC,KAAK,CAAC,CAAC,GAAG,CAAC,CAAC,GAAG,QAAQ,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,GAAG,CAAC,CAAC,EAAE,EAAE,CAAC,CAAA;IAClD,CAAC;IACD,OAAO,KAAK,CAAA;AACd,CAAC"}
+{"version":3,"file":"encrypted-fields.js","sourceRoot":"","sources":["../../src/security/encrypted-fields.ts"],"names":[],"mappings":"AAAA,MAAM,SAAS,GAAG,SAAS,CAAA;AAC3B,MAAM,SAAS,GAAG,EAAE,CAAA;AACpB,MAAM,UAAU,GAAG,GAAG,CAAA;AACtB,MAAM,SAAS,GAAG,EAAE,CAAA,CAAC,oCAAoC;AACzD,MAAM,cAAc,GAAG,SAAS,GAAG,CAAC,CAAA;AAEpC,MAAM,MAAM,GAAG,gBAAgB,CAAA;AAE/B;;;;;GAKG;AACH,MAAM,OAAO,yBAA0B,SAAQ,KAAK;IAClD,YAAY,MAAc;QACxB,KAAK,CACH,gDAAgD,MAAM,IAAI;YACxD,6BAA6B;YAC7B,0EAA0E,CAC7E,CAAA;QACD,IAAI,CAAC,IAAI,GAAG,2BAA2B,CAAA;IACzC,CAAC;CACF;AAED;;;;;;;;GAQG;AACH,SAAS,WAAW,CAAC,MAAc;IACjC,IAAI,OAAO,MAAM,KAAK,QAAQ,IAAI,MAAM,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACtD,MAAM,IAAI,yBAAyB,CAAC,8BAA8B,CAAC,CAAA;IACrE,CAAC;IACD,IAAI,MAAM,CAAC,MAAM,KAAK,cAAc,EAAE,CAAC;QACrC,MAAM,IAAI,yBAAyB,CACjC,eAAe,cAAc,oBAAoB,SAAS,gBAAgB,MAAM,CAAC,MAAM,EAAE,CAC1F,CAAA;IACH,CAAC;IACD,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,EAAE,CAAC;QACzB,MAAM,IAAI,yBAAyB,CAAC,kDAAkD,CAAC,CAAA;IACzF,CAAC;AACH,CAAC;AAED,+CAA+C;AAC/C,MAAM,CAAC,KAAK,UAAU,YAAY,CAAC,KAAa,EAAE,MAAc;IAC9D,WAAW,CAAC,MAAM,CAAC,CAAA;IACnB,MAAM,GAAG,GAAG,MAAM,SAAS,CAAC,MAAM,CAAC,CAAA;IACnC,MAAM,EAAE,GAAG,MAAM,CAAC,eAAe,CAAC,IAAI,UAAU,CAAC,SAAS,CAAC,CAAC,CAAA;IAC5D,MAAM,OAAO,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,KAAK,CAAC,CAAA;IAE/C,MAAM,UAAU,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,OAAO,CAC5C,EAAE,IAAI,EAAE,SAAS,EAAE,EAAE,EAAE,SAAS,EAAE,UAAU,EAAE,EAC9C,GAAG,EACH,OAAO,CACR,CAAA;IAED,MAAM,QAAQ,GAAG,IAAI,UAAU,CAAC,EAAE,CAAC,MAAM,GAAG,UAAU,CAAC,UAAU,CAAC,CAAA;IAClE,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC,CAAA;IAChB,QAAQ,CAAC,GAAG,CAAC,IAAI,UAAU,CAAC,UAAU,CAAC,EAAE,EAAE,CAAC,MAAM,CAAC,CAAA;IAEnD,OAAO,WAAW,CAAC,QAAQ,CAAC,CAAA;AAC9B,CAAC;AAED,wDAAwD;AACxD,MAAM,CAAC,KAAK,UAAU,YAAY,CAAC,SAAiB,EAAE,MAAc;IAClE,WAAW,CAAC,MAAM,CAAC,CAAA;IACnB,MAAM,GAAG,GAAG,MAAM,SAAS,CAAC,MAAM,CAAC,CAAA;IACnC,MAAM,IAAI,GAAG,WAAW,CAAC,SAAS,CAAC,CAAA;IACnC,MAAM,EAAE,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,SAAS,CAAC,CAAA;IACnC,MAAM,UAAU,GAAG,IAAI,CAAC,KAAK,CAAC,SAAS,CAAC,CAAA;IAExC,MAAM,SAAS,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,OAAO,CAC3C,EAAE,IAAI,EAAE,SAAS,EAAE,EAAE,EAAE,SAAS,EAAE,UAAU,EAAE,EAC9C,GAAG,EACH,UAAU,CACX,CAAA;IAED,OAAO,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,SAAS,CAAC,CAAA;AAC5C,CAAC;AAED,KAAK,UAAU,SAAS,CAAC,MAAc;IACrC,MAAM,OAAO,GAAG,WAAW,CAAC,MAAM,CAAC,CAAA;IACnC,OAAO,MAAM,CAAC,MAAM,CAAC,SAAS,CAAC,KAAK,EAAE,OAAkC,EAAE,SAAS,EAAE,KAAK,EAAE;QAC1F,SAAS;QACT,SAAS;KACV,CAAC,CAAA;AACJ,CAAC;AAED,SAAS,WAAW,CAAC,MAAkB;IACrC,OAAO,KAAK,CAAC,IAAI,CAAC,MAAM,CAAC;SACtB,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC;SAC3C,IAAI,CAAC,EAAE,CAAC,CAAA;AACb,CAAC;AAED;;;;GAIG;AACH,SAAS,WAAW,CAAC,GAAW;IAC9B,IAAI,GAAG,CAAC,MAAM,GAAG,CAAC,KAAK,CAAC,EAAE,CAAC;QACzB,MAAM,IAAI,KAAK,CAAC,mDAAmD,CAAC,CAAA;IACtE,CAAC;IACD,MAAM,KAAK,GAAG,IAAI,UAAU,CAAC,GAAG,CAAC,MAAM,GAAG,CAAC,CAAC,CAAA;IAC5C,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,GAAG,CAAC,MAAM,EAAE,CAAC,IAAI,CAAC,EAAE,CAAC;QACvC,MAAM,IAAI,GAAG,QAAQ,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,GAAG,CAAC,CAAC,EAAE,EAAE,CAAC,CAAA;QAC9C,IAAI,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC;YACvB,MAAM,IAAI,KAAK,CAAC,mCAAmC,CAAC,EAAE,CAAC,CAAA;QACzD,CAAC;QACD,KAAK,CAAC,CAAC,GAAG,CAAC,CAAC,GAAG,IAAI,CAAA;IACrB,CAAC;IACD,OAAO,KAAK,CAAA;AACd,CAAC"}

package/dist/security/ip-canon.d.ts

@@ -0,0 +1,71 @@
+/**
+ * IP canonicalization for SSRF defense.
+ *
+ * The previous regex-based approach in `webhook.ts` only matched the literal
+ * dotted-quad form. It missed every encoding that `getaddrinfo` (and therefore
+ * `fetch`) accepts:
+ *
+ *   - Decimal:        http://2130706433/        → 127.0.0.1
+ *   - Octal:          http://0177.0.0.1/        → 127.0.0.1
+ *   - Hex:            http://0x7f.0.0.1/        → 127.0.0.1
+ *   - Short-form:     http://127.1/             → 127.0.0.1
+ *   - IPv4-mapped v6: http://[::ffff:127.0.0.1] → 127.0.0.1
+ *   - IPv4-compat v6: http://[::127.0.0.1]      → 127.0.0.1
+ *
+ * This module canonicalizes any of those forms to a 4-octet IPv4 string (or
+ * a normalized 16-byte IPv6 address), then range-checks against a complete
+ * private/internal block list including AWS/GCP/Azure metadata endpoints and
+ * the carrier-grade NAT range.
+ */
+/**
+ * Result of {@link canonicalizeHostname}. There are exactly three valid
+ * shapes:
+ *
+ *  - **Valid IPv4 literal** — `isHostname=false`, `isValidIp=true`, `ipv4` set.
+ *  - **Valid IPv6 literal** — `isHostname=false`, `isValidIp=true`, `ipv6` set.
+ *  - **Hostname (DNS name)** — `isHostname=true`, `isValidIp=false`, neither
+ *    `ipv4` nor `ipv6` set.
+ *  - **Malformed IP literal** — `isHostname=false`, `isValidIp=false`, neither
+ *    IP field set. (Inputs that look like IP literals — e.g. contain `:` or
+ *    only digits and dots — but fail to parse cleanly.)
+ *
+ * SSRF gates MUST treat the malformed shape as "reject" rather than as
+ * "validated IP literal". Use `isValidIp` to distinguish the two `false`
+ * `isHostname` cases.
+ */
+export interface CanonicalizedHost {
+    /** Original hostname as it appeared in the URL. */
+    raw: string;
+    /** Canonical IPv4 dotted-quad string when the literal was IPv4 (in any form). */
+    ipv4?: string;
+    /** Canonical IPv6 hextet string when the literal was IPv6. */
+    ipv6?: string;
+    /** True when the input was a DNS name (not an IP literal in any form). */
+    isHostname: boolean;
+    /**
+     * True when the input parsed cleanly into a canonical IP address (`ipv4`
+     * or `ipv6` is set). False for both DNS hostnames and malformed IP-shaped
+     * strings. Callers performing a security check on the parsed IP MUST
+     * verify `isValidIp` before reading `ipv4` / `ipv6`.
+     */
+    isValidIp: boolean;
+}
+/**
+ * Canonicalize a URL hostname into either a normalized IP address or a
+ * passthrough hostname. Handles every IPv4 encoding accepted by `inet_aton`
+ * (decimal, octal, hex, short-form), IPv4-mapped IPv6, and bracketed IPv6.
+ */
+export declare function canonicalizeHostname(rawHostname: string): CanonicalizedHost;
+/**
+ * Returns the matching private/internal range when the canonicalized host is
+ * one, `null` when it's a safe public IP, or a "malformed" reason when the
+ * input claims to be an IP literal but didn't parse cleanly.
+ *
+ * Defense-in-depth: even if a caller forgets to gate on `isValidIp`, this
+ * function still fails closed on the malformed shape (`isHostname=false`
+ * with no `ipv4`/`ipv6`).
+ */
+export declare function isPrivateAddress(host: CanonicalizedHost): {
+    reason: string;
+} | null;
+//# sourceMappingURL=ip-canon.d.ts.map

package/dist/security/ip-canon.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"ip-canon.d.ts","sourceRoot":"","sources":["../../src/security/ip-canon.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;GAkBG;AAiCH;;;;;;;;;;;;;;;GAeG;AACH,MAAM,WAAW,iBAAiB;IAChC,mDAAmD;IACnD,GAAG,EAAE,MAAM,CAAA;IACX,iFAAiF;IACjF,IAAI,CAAC,EAAE,MAAM,CAAA;IACb,8DAA8D;IAC9D,IAAI,CAAC,EAAE,MAAM,CAAA;IACb,0EAA0E;IAC1E,UAAU,EAAE,OAAO,CAAA;IACnB;;;;;OAKG;IACH,SAAS,EAAE,OAAO,CAAA;CACnB;AAED;;;;GAIG;AACH,wBAAgB,oBAAoB,CAAC,WAAW,EAAE,MAAM,GAAG,iBAAiB,CAmC3E;AAED;;;;;;;;GAQG;AACH,wBAAgB,gBAAgB,CAAC,IAAI,EAAE,iBAAiB,GAAG;IAAE,MAAM,EAAE,MAAM,CAAA;CAAE,GAAG,IAAI,CA4BnF"}

package/dist/security/ip-canon.js

@@ -0,0 +1,352 @@
+/**
+ * IP canonicalization for SSRF defense.
+ *
+ * The previous regex-based approach in `webhook.ts` only matched the literal
+ * dotted-quad form. It missed every encoding that `getaddrinfo` (and therefore
+ * `fetch`) accepts:
+ *
+ *   - Decimal:        http://2130706433/        → 127.0.0.1
+ *   - Octal:          http://0177.0.0.1/        → 127.0.0.1
+ *   - Hex:            http://0x7f.0.0.1/        → 127.0.0.1
+ *   - Short-form:     http://127.1/             → 127.0.0.1
+ *   - IPv4-mapped v6: http://[::ffff:127.0.0.1] → 127.0.0.1
+ *   - IPv4-compat v6: http://[::127.0.0.1]      → 127.0.0.1
+ *
+ * This module canonicalizes any of those forms to a 4-octet IPv4 string (or
+ * a normalized 16-byte IPv6 address), then range-checks against a complete
+ * private/internal block list including AWS/GCP/Azure metadata endpoints and
+ * the carrier-grade NAT range.
+ */
+const PRIVATE_IPV4_RANGES = [
+    // 0.0.0.0/8         "this network"
+    { network: 0x00_00_00_00, mask: 0xff_00_00_00, reason: '0.0.0.0/8 (this network)' },
+    // 10.0.0.0/8        RFC1918 private
+    { network: 0x0a_00_00_00, mask: 0xff_00_00_00, reason: '10.0.0.0/8 (RFC1918 private)' },
+    // 100.64.0.0/10     RFC6598 carrier-grade NAT
+    { network: 0x64_40_00_00, mask: 0xff_c0_00_00, reason: '100.64.0.0/10 (CGNAT)' },
+    // 127.0.0.0/8       loopback
+    { network: 0x7f_00_00_00, mask: 0xff_00_00_00, reason: '127.0.0.0/8 (loopback)' },
+    // 169.254.0.0/16    link-local + cloud metadata (AWS 169.254.169.254 is in here)
+    { network: 0xa9_fe_00_00, mask: 0xff_ff_00_00, reason: '169.254.0.0/16 (link-local + metadata)' },
+    // 172.16.0.0/12     RFC1918 private
+    { network: 0xac_10_00_00, mask: 0xff_f0_00_00, reason: '172.16.0.0/12 (RFC1918 private)' },
+    // 192.0.0.0/24      RFC6890 IETF protocol assignments
+    { network: 0xc0_00_00_00, mask: 0xff_ff_ff_00, reason: '192.0.0.0/24 (IETF reserved)' },
+    // 192.0.2.0/24      TEST-NET-1 (documentation)
+    { network: 0xc0_00_02_00, mask: 0xff_ff_ff_00, reason: '192.0.2.0/24 (TEST-NET-1)' },
+    // 192.168.0.0/16    RFC1918 private
+    { network: 0xc0_a8_00_00, mask: 0xff_ff_00_00, reason: '192.168.0.0/16 (RFC1918 private)' },
+    // 198.18.0.0/15     benchmark
+    { network: 0xc6_12_00_00, mask: 0xff_fe_00_00, reason: '198.18.0.0/15 (benchmark)' },
+    // 198.51.100.0/24   TEST-NET-2
+    { network: 0xc6_33_64_00, mask: 0xff_ff_ff_00, reason: '198.51.100.0/24 (TEST-NET-2)' },
+    // 203.0.113.0/24    TEST-NET-3
+    { network: 0xcb_00_71_00, mask: 0xff_ff_ff_00, reason: '203.0.113.0/24 (TEST-NET-3)' },
+    // 224.0.0.0/4       multicast
+    { network: 0xe0_00_00_00, mask: 0xf0_00_00_00, reason: '224.0.0.0/4 (multicast)' },
+    // 240.0.0.0/4       reserved (includes 255.255.255.255 broadcast)
+    { network: 0xf0_00_00_00, mask: 0xf0_00_00_00, reason: '240.0.0.0/4 (reserved)' },
+];
+/**
+ * Canonicalize a URL hostname into either a normalized IP address or a
+ * passthrough hostname. Handles every IPv4 encoding accepted by `inet_aton`
+ * (decimal, octal, hex, short-form), IPv4-mapped IPv6, and bracketed IPv6.
+ */
+export function canonicalizeHostname(rawHostname) {
+    const raw = rawHostname;
+    // Strip surrounding brackets (URLs use `[::1]` for IPv6 hosts).
+    let host = raw;
+    if (host.startsWith('[') && host.endsWith(']')) {
+        host = host.slice(1, -1);
+    }
+    // Try IPv6 first — only IPv6 contains ':'.
+    if (host.includes(':')) {
+        const ipv6 = parseIPv6(host);
+        if (ipv6) {
+            // IPv4-mapped (::ffff:a.b.c.d) and IPv4-compatible (::a.b.c.d) both
+            // tunnel an IPv4 address through IPv6 — collapse to the underlying v4
+            // so the v4 range check catches them.
+            const tunnelled = extractIPv4FromIPv6(ipv6);
+            if (tunnelled !== null) {
+                return { raw, ipv4: ipv4ToString(tunnelled), isHostname: false, isValidIp: true };
+            }
+            return { raw, ipv6: formatIPv6(ipv6), isHostname: false, isValidIp: true };
+        }
+        // Looked like IPv6 (had a colon) but didn't parse. Mark as a non-hostname
+        // *and* not a valid IP — SSRF gates fail closed on this shape.
+        return { raw, isHostname: false, isValidIp: false };
+    }
+    // Try IPv4 in any of: decimal, octal, hex, dotted, short-form.
+    const ipv4 = parseIPv4Literal(host);
+    if (ipv4 !== null) {
+        return { raw, ipv4: ipv4ToString(ipv4), isHostname: false, isValidIp: true };
+    }
+    // Not an IP literal in any form → treat as DNS hostname.
+    return { raw, isHostname: true, isValidIp: false };
+}
+/**
+ * Returns the matching private/internal range when the canonicalized host is
+ * one, `null` when it's a safe public IP, or a "malformed" reason when the
+ * input claims to be an IP literal but didn't parse cleanly.
+ *
+ * Defense-in-depth: even if a caller forgets to gate on `isValidIp`, this
+ * function still fails closed on the malformed shape (`isHostname=false`
+ * with no `ipv4`/`ipv6`).
+ */
+export function isPrivateAddress(host) {
+    if (host.ipv4) {
+        const num = ipv4StringToNumber(host.ipv4);
+        if (num === null)
+            return { reason: 'invalid IPv4 numeric form' };
+        for (const range of PRIVATE_IPV4_RANGES) {
+            // `>>> 0` forces the int32 result of `&` back to an unsigned 32-bit
+            // value so comparisons with `range.network` (a positive JS number)
+            // work correctly even when the high bit is set (172.16.x.x and up).
+            if ((num & range.mask) >>> 0 === range.network) {
+                return { reason: range.reason };
+            }
+        }
+        return null;
+    }
+    if (host.ipv6) {
+        const v6 = parseIPv6(host.ipv6);
+        if (!v6)
+            return { reason: 'invalid IPv6 form' };
+        return checkPrivateIPv6(v6);
+    }
+    // Malformed IP literal (looked like an IP but didn't parse). Fail closed.
+    if (!host.isHostname) {
+        return { reason: 'malformed IP literal' };
+    }
+    // DNS hostname → no IP-level check possible without resolution.
+    return null;
+}
+/**
+ * Parse an IPv4 literal in *any* form `inet_aton` accepts:
+ *   - 4 parts: a.b.c.d  (each 0-255)
+ *   - 3 parts: a.b.c    (c is bottom 16 bits)
+ *   - 2 parts: a.b      (b is bottom 24 bits)
+ *   - 1 part:  a        (full 32-bit number)
+ *
+ * Each part may be decimal, octal (leading 0), or hex (leading 0x).
+ */
+function parseIPv4Literal(input) {
+    if (input.length === 0)
+        return null;
+    const parts = input.split('.');
+    if (parts.length === 0 || parts.length > 4)
+        return null;
+    const nums = [];
+    for (const p of parts) {
+        if (p.length === 0)
+            return null;
+        const n = parsePartNumber(p);
+        if (n === null)
+            return null;
+        nums.push(n);
+    }
+    // Build 32-bit value per inet_aton rules.
+    switch (nums.length) {
+        case 1: {
+            const a = nums[0];
+            if (a > 0xff_ff_ff_ff)
+                return null;
+            return a >>> 0;
+        }
+        case 2: {
+            const [a, b] = nums;
+            if (a > 0xff || b > 0xff_ff_ff)
+                return null;
+            return ((a << 24) | b) >>> 0;
+        }
+        case 3: {
+            const [a, b, c] = nums;
+            if (a > 0xff || b > 0xff || c > 0xff_ff)
+                return null;
+            return ((a << 24) | (b << 16) | c) >>> 0;
+        }
+        case 4: {
+            const [a, b, c, d] = nums;
+            if (a > 0xff || b > 0xff || c > 0xff || d > 0xff)
+                return null;
+            return ((a << 24) | (b << 16) | (c << 8) | d) >>> 0;
+        }
+        default:
+            return null;
+    }
+}
+function parsePartNumber(part) {
+    // Hex: 0x...
+    if (part.startsWith('0x') || part.startsWith('0X')) {
+        const hex = part.slice(2);
+        if (hex.length === 0 || !/^[0-9a-fA-F]+$/.test(hex))
+            return null;
+        const n = parseInt(hex, 16);
+        return Number.isFinite(n) ? n : null;
+    }
+    // Octal: starts with 0 followed by digits (but bare "0" is decimal 0).
+    if (part.length > 1 && part.startsWith('0')) {
+        if (!/^[0-7]+$/.test(part))
+            return null;
+        const n = parseInt(part, 8);
+        return Number.isFinite(n) ? n : null;
+    }
+    // Decimal.
+    if (!/^[0-9]+$/.test(part))
+        return null;
+    const n = parseInt(part, 10);
+    return Number.isFinite(n) ? n : null;
+}
+function ipv4StringToNumber(s) {
+    const parts = s.split('.');
+    if (parts.length !== 4)
+        return null;
+    let n = 0;
+    for (const p of parts) {
+        const x = parseInt(p, 10);
+        if (!Number.isFinite(x) || x < 0 || x > 255)
+            return null;
+        n = (n << 8) | x;
+    }
+    return n >>> 0;
+}
+function ipv4ToString(n) {
+    return [(n >>> 24) & 0xff, (n >>> 16) & 0xff, (n >>> 8) & 0xff, n & 0xff].join('.');
+}
+/**
+ * Parse an IPv6 address into 8 groups of 16-bit numbers. Supports `::`
+ * compression and the `::ffff:a.b.c.d` IPv4-mapped trailing form.
+ *
+ * Reconstruction order with compression:
+ *   [head hextets] [zero-fill] [tail hextets] [optional v4 suffix as 2 hextets]
+ *
+ * Without compression: just `[8 hextets, optional last replaced by v4 suffix]`.
+ */
+function parseIPv6(input) {
+    if (input.length === 0)
+        return null;
+    const doubleColon = input.indexOf('::');
+    let head;
+    let tail;
+    if (doubleColon >= 0) {
+        if (input.indexOf('::', doubleColon + 1) !== -1)
+            return null; // multiple ::
+        head = input
+            .slice(0, doubleColon)
+            .split(':')
+            .filter((s) => s.length > 0);
+        tail = input
+            .slice(doubleColon + 2)
+            .split(':')
+            .filter((s) => s.length > 0);
+    }
+    else {
+        head = input.split(':');
+        tail = [];
+        // No compression: must be exactly 8 hextets (or 7 + a trailing IPv4).
+    }
+    // The trailing group may be a dotted-quad IPv4. It's always at the end of
+    // either `tail` (when compression is present) or `head` (when not).
+    let v4Suffix = null;
+    const trailingGroupArr = tail.length > 0 ? tail : head;
+    const trailingGroup = trailingGroupArr[trailingGroupArr.length - 1] ?? '';
+    if (trailingGroup.includes('.')) {
+        const v4 = parseIPv4Literal(trailingGroup);
+        if (v4 === null)
+            return null;
+        v4Suffix = [(v4 >>> 16) & 0xff_ff, v4 & 0xff_ff];
+        if (tail.length > 0)
+            tail = tail.slice(0, -1);
+        else
+            head = head.slice(0, -1);
+    }
+    const headGroups = head.map(parseHextet);
+    const tailGroups = tail.map(parseHextet);
+    if (headGroups.includes(null) || tailGroups.includes(null))
+        return null;
+    const v4Count = v4Suffix ? 2 : 0;
+    if (doubleColon >= 0) {
+        const fillCount = 8 - headGroups.length - tailGroups.length - v4Count;
+        if (fillCount < 0)
+            return null;
+        const zeros = new Array(fillCount).fill(0);
+        const result = [
+            ...headGroups,
+            ...zeros,
+            ...tailGroups,
+            ...(v4Suffix ?? []),
+        ];
+        return result.length === 8 ? result : null;
+    }
+    // No compression — must add up to exactly 8 hextets including v4 suffix.
+    const result = [...headGroups, ...(v4Suffix ?? [])];
+    return result.length === 8 ? result : null;
+}
+function parseHextet(s) {
+    if (s.length === 0 || s.length > 4)
+        return null;
+    if (!/^[0-9a-fA-F]+$/.test(s))
+        return null;
+    return parseInt(s, 16);
+}
+function formatIPv6(groups) {
+    return groups.map((g) => g.toString(16)).join(':');
+}
+/**
+ * If `groups` represents an IPv4-mapped (`::ffff:a.b.c.d`) or non-trivial
+ * IPv4-compatible (`::a.b.c.d` with a.b.c.d != ::1, deprecated) IPv6 address,
+ * return the inner 32-bit IPv4 value.
+ *
+ * IMPORTANT: We deliberately do NOT extract from `::1` (loopback) or `::`
+ * (unspecified). Those are pure IPv6 addresses, not tunneled IPv4 — treating
+ * `::1` as `0.0.0.1` would silently allow loopback bypass via the IPv4
+ * range checks (which don't include `0.0.0.1`).
+ */
+function extractIPv4FromIPv6(groups) {
+    // First 5 groups must be all zero (the high-order 80 bits).
+    if (groups.slice(0, 5).some((g) => g !== 0))
+        return null;
+    const isMapped = groups[5] === 0xff_ff;
+    if (isMapped) {
+        return (((groups[6] ?? 0) << 16) | (groups[7] ?? 0)) >>> 0;
+    }
+    // IPv4-compatible (deprecated by RFC4291 §2.5.5.1): only when groups[5]===0
+    // AND the embedded "IPv4" is itself a real public-looking address (i.e.
+    // the whole thing isn't just `::N` for small N). We require the high
+    // hextet of the IPv4 portion (groups[6]) to be non-zero — that excludes
+    // `::1`, `::`, `::N` for N < 65536, all of which should be treated as
+    // pure IPv6 by their own range checks (loopback, unspecified, etc).
+    const isCompat = groups[5] === 0 && (groups[6] ?? 0) !== 0;
+    if (isCompat) {
+        return (((groups[6] ?? 0) << 16) | (groups[7] ?? 0)) >>> 0;
+    }
+    return null;
+}
+function checkPrivateIPv6(groups) {
+    // ::1 loopback
+    if (groups.every((g, i) => (i === 7 ? g === 1 : g === 0))) {
+        return { reason: '::1 (IPv6 loopback)' };
+    }
+    // :: unspecified
+    if (groups.every((g) => g === 0)) {
+        return { reason: ':: (unspecified)' };
+    }
+    // fc00::/7  unique local
+    if ((groups[0] & 0xfe_00) === 0xfc_00) {
+        return { reason: 'fc00::/7 (IPv6 unique local)' };
+    }
+    // fe80::/10  link-local
+    if ((groups[0] & 0xff_c0) === 0xfe_80) {
+        return { reason: 'fe80::/10 (IPv6 link-local)' };
+    }
+    // ff00::/8  multicast
+    if ((groups[0] & 0xff_00) === 0xff_00) {
+        return { reason: 'ff00::/8 (IPv6 multicast)' };
+    }
+    // 64:ff9b::/96  well-known IPv4/IPv6 translation
+    if (groups[0] === 0x00_64 && groups[1] === 0xff_9b && groups.slice(2, 6).every((g) => g === 0)) {
+        return { reason: '64:ff9b::/96 (IPv4-IPv6 translation)' };
+    }
+    return null;
+}
+//# sourceMappingURL=ip-canon.js.map

package/dist/security/ip-canon.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"ip-canon.js","sourceRoot":"","sources":["../../src/security/ip-canon.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;GAkBG;AAEH,MAAM,mBAAmB,GAAqE;IAC5F,mCAAmC;IACnC,EAAE,OAAO,EAAE,aAAa,EAAE,IAAI,EAAE,aAAa,EAAE,MAAM,EAAE,0BAA0B,EAAE;IACnF,oCAAoC;IACpC,EAAE,OAAO,EAAE,aAAa,EAAE,IAAI,EAAE,aAAa,EAAE,MAAM,EAAE,8BAA8B,EAAE;IACvF,8CAA8C;IAC9C,EAAE,OAAO,EAAE,aAAa,EAAE,IAAI,EAAE,aAAa,EAAE,MAAM,EAAE,uBAAuB,EAAE;IAChF,6BAA6B;IAC7B,EAAE,OAAO,EAAE,aAAa,EAAE,IAAI,EAAE,aAAa,EAAE,MAAM,EAAE,wBAAwB,EAAE;IACjF,iFAAiF;IACjF,EAAE,OAAO,EAAE,aAAa,EAAE,IAAI,EAAE,aAAa,EAAE,MAAM,EAAE,wCAAwC,EAAE;IACjG,oCAAoC;IACpC,EAAE,OAAO,EAAE,aAAa,EAAE,IAAI,EAAE,aAAa,EAAE,MAAM,EAAE,iCAAiC,EAAE;IAC1F,sDAAsD;IACtD,EAAE,OAAO,EAAE,aAAa,EAAE,IAAI,EAAE,aAAa,EAAE,MAAM,EAAE,8BAA8B,EAAE;IACvF,+CAA+C;IAC/C,EAAE,OAAO,EAAE,aAAa,EAAE,IAAI,EAAE,aAAa,EAAE,MAAM,EAAE,2BAA2B,EAAE;IACpF,oCAAoC;IACpC,EAAE,OAAO,EAAE,aAAa,EAAE,IAAI,EAAE,aAAa,EAAE,MAAM,EAAE,kCAAkC,EAAE;IAC3F,8BAA8B;IAC9B,EAAE,OAAO,EAAE,aAAa,EAAE,IAAI,EAAE,aAAa,EAAE,MAAM,EAAE,2BAA2B,EAAE;IACpF,+BAA+B;IAC/B,EAAE,OAAO,EAAE,aAAa,EAAE,IAAI,EAAE,aAAa,EAAE,MAAM,EAAE,8BAA8B,EAAE;IACvF,+BAA+B;IAC/B,EAAE,OAAO,EAAE,aAAa,EAAE,IAAI,EAAE,aAAa,EAAE,MAAM,EAAE,6BAA6B,EAAE;IACtF,8BAA8B;IAC9B,EAAE,OAAO,EAAE,aAAa,EAAE,IAAI,EAAE,aAAa,EAAE,MAAM,EAAE,yBAAyB,EAAE;IAClF,kEAAkE;IAClE,EAAE,OAAO,EAAE,aAAa,EAAE,IAAI,EAAE,aAAa,EAAE,MAAM,EAAE,wBAAwB,EAAE;CAClF,CAAA;AAoCD;;;;GAIG;AACH,MAAM,UAAU,oBAAoB,CAAC,WAAmB;IACtD,MAAM,GAAG,GAAG,WAAW,CAAA;IAEvB,gEAAgE;IAChE,IAAI,IAAI,GAAG,GAAG,CAAA;IACd,IAAI,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;QAC/C,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAA;IAC1B,CAAC;IAED,2CAA2C;IAC3C,IAAI,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;QACvB,MAAM,IAAI,GAAG,SAAS,CAAC,IAAI,CAAC,CAAA;QAC5B,IAAI,IAAI,EAAE,CAAC;YACT,oEAAoE;YACpE,sEAAsE;YACtE,sCAAsC;YACtC,MAAM,SAAS,GAAG,mBAAmB,CAAC,IAAI,CAAC,CAAA;YAC3C,IAAI,SAAS,KAAK,IAAI,EAAE,CAAC;gBACvB,OAAO,EAAE,GAAG,EAAE,IAAI,EAAE,YAAY,CAAC,SAAS,CAAC,EAAE,UAAU,EAAE,KAAK,EAAE,SAAS,EAAE,IAAI,EAAE,CAAA;YACnF,CAAC;YACD,OAAO,EAAE,GAAG,EAAE,IAAI,EAAE,UAAU,CAAC,IAAI,CAAC,EAAE,UAAU,EAAE,KAAK,EAAE,SAAS,EAAE,IAAI,EAAE,CAAA;QAC5E,CAAC;QACD,0EAA0E;QAC1E,+DAA+D;QAC/D,OAAO,EAAE,GAAG,EAAE,UAAU,EAAE,KAAK,EAAE,SAAS,EAAE,KAAK,EAAE,CAAA;IACrD,CAAC;IAED,+DAA+D;IAC/D,MAAM,IAAI,GAAG,gBAAgB,CAAC,IAAI,CAAC,CAAA;IACnC,IAAI,IAAI,KAAK,IAAI,EAAE,CAAC;QAClB,OAAO,EAAE,GAAG,EAAE,IAAI,EAAE,YAAY,CAAC,IAAI,CAAC,EAAE,UAAU,EAAE,KAAK,EAAE,SAAS,EAAE,IAAI,EAAE,CAAA;IAC9E,CAAC;IAED,yDAAyD;IACzD,OAAO,EAAE,GAAG,EAAE,UAAU,EAAE,IAAI,EAAE,SAAS,EAAE,KAAK,EAAE,CAAA;AACpD,CAAC;AAED;;;;;;;;GAQG;AACH,MAAM,UAAU,gBAAgB,CAAC,IAAuB;IACtD,IAAI,IAAI,CAAC,IAAI,EAAE,CAAC;QACd,MAAM,GAAG,GAAG,kBAAkB,CAAC,IAAI,CAAC,IAAI,CAAC,CAAA;QACzC,IAAI,GAAG,KAAK,IAAI;YAAE,OAAO,EAAE,MAAM,EAAE,2BAA2B,EAAE,CAAA;QAChE,KAAK,MAAM,KAAK,IAAI,mBAAmB,EAAE,CAAC;YACxC,oEAAoE;YACpE,mEAAmE;YACnE,oEAAoE;YACpE,IAAI,CAAC,GAAG,GAAG,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,KAAK,KAAK,CAAC,OAAO,EAAE,CAAC;gBAC/C,OAAO,EAAE,MAAM,EAAE,KAAK,CAAC,MAAM,EAAE,CAAA;YACjC,CAAC;QACH,CAAC;QACD,OAAO,IAAI,CAAA;IACb,CAAC;IAED,IAAI,IAAI,CAAC,IAAI,EAAE,CAAC;QACd,MAAM,EAAE,GAAG,SAAS,CAAC,IAAI,CAAC,IAAI,CAAC,CAAA;QAC/B,IAAI,CAAC,EAAE;YAAE,OAAO,EAAE,MAAM,EAAE,mBAAmB,EAAE,CAAA;QAC/C,OAAO,gBAAgB,CAAC,EAAE,CAAC,CAAA;IAC7B,CAAC;IAED,0EAA0E;IAC1E,IAAI,CAAC,IAAI,CAAC,UAAU,EAAE,CAAC;QACrB,OAAO,EAAE,MAAM,EAAE,sBAAsB,EAAE,CAAA;IAC3C,CAAC;IAED,gEAAgE;IAChE,OAAO,IAAI,CAAA;AACb,CAAC;AAED;;;;;;;;GAQG;AACH,SAAS,gBAAgB,CAAC,KAAa;IACrC,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,IAAI,CAAA;IACnC,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAA;IAC9B,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,IAAI,KAAK,CAAC,MAAM,GAAG,CAAC;QAAE,OAAO,IAAI,CAAA;IAEvD,MAAM,IAAI,GAAa,EAAE,CAAA;IACzB,KAAK,MAAM,CAAC,IAAI,KAAK,EAAE,CAAC;QACtB,IAAI,CAAC,CAAC,MAAM,KAAK,CAAC;YAAE,OAAO,IAAI,CAAA;QAC/B,MAAM,CAAC,GAAG,eAAe,CAAC,CAAC,CAAC,CAAA;QAC5B,IAAI,CAAC,KAAK,IAAI;YAAE,OAAO,IAAI,CAAA;QAC3B,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,CAAA;IACd,CAAC;IAED,0CAA0C;IAC1C,QAAQ,IAAI,CAAC,MAAM,EAAE,CAAC;QACpB,KAAK,CAAC,CAAC,CAAC,CAAC;YACP,MAAM,CAAC,GAAG,IAAI,CAAC,CAAC,CAAE,CAAA;YAClB,IAAI,CAAC,GAAG,aAAa;gBAAE,OAAO,IAAI,CAAA;YAClC,OAAO,CAAC,KAAK,CAAC,CAAA;QAChB,CAAC;QACD,KAAK,CAAC,CAAC,CAAC,CAAC;YACP,MAAM,CAAC,CAAC,EAAE,CAAC,CAAC,GAAG,IAAwB,CAAA;YACvC,IAAI,CAAC,GAAG,IAAI,IAAI,CAAC,GAAG,UAAU;gBAAE,OAAO,IAAI,CAAA;YAC3C,OAAO,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,GAAG,CAAC,CAAC,KAAK,CAAC,CAAA;QAC9B,CAAC;QACD,KAAK,CAAC,CAAC,CAAC,CAAC;YACP,MAAM,CAAC,CAAC,EAAE,CAAC,EAAE,CAAC,CAAC,GAAG,IAAgC,CAAA;YAClD,IAAI,CAAC,GAAG,IAAI,IAAI,CAAC,GAAG,IAAI,IAAI,CAAC,GAAG,OAAO;gBAAE,OAAO,IAAI,CAAA;YACpD,OAAO,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,CAAC,GAAG,CAAC,CAAC,KAAK,CAAC,CAAA;QAC1C,CAAC;QACD,KAAK,CAAC,CAAC,CAAC,CAAC;YACP,MAAM,CAAC,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC,CAAC,GAAG,IAAwC,CAAA;YAC7D,IAAI,CAAC,GAAG,IAAI,IAAI,CAAC,GAAG,IAAI,IAAI,CAAC,GAAG,IAAI,IAAI,CAAC,GAAG,IAAI;gBAAE,OAAO,IAAI,CAAA;YAC7D,OAAO,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,KAAK,CAAC,CAAA;QACrD,CAAC;QACD;YACE,OAAO,IAAI,CAAA;IACf,CAAC;AACH,CAAC;AAED,SAAS,eAAe,CAAC,IAAY;IACnC,aAAa;IACb,IAAI,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC;QACnD,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAA;QACzB,IAAI,GAAG,CAAC,MAAM,KAAK,CAAC,IAAI,CAAC,gBAAgB,CAAC,IAAI,CAAC,GAAG,CAAC;YAAE,OAAO,IAAI,CAAA;QAChE,MAAM,CAAC,GAAG,QAAQ,CAAC,GAAG,EAAE,EAAE,CAAC,CAAA;QAC3B,OAAO,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAA;IACtC,CAAC;IACD,uEAAuE;IACvE,IAAI,IAAI,CAAC,MAAM,GAAG,CAAC,IAAI,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;QAC5C,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC;YAAE,OAAO,IAAI,CAAA;QACvC,MAAM,CAAC,GAAG,QAAQ,CAAC,IAAI,EAAE,CAAC,CAAC,CAAA;QAC3B,OAAO,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAA;IACtC,CAAC;IACD,WAAW;IACX,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC;QAAE,OAAO,IAAI,CAAA;IACvC,MAAM,CAAC,GAAG,QAAQ,CAAC,IAAI,EAAE,EAAE,CAAC,CAAA;IAC5B,OAAO,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAA;AACtC,CAAC;AAED,SAAS,kBAAkB,CAAC,CAAS;IACnC,MAAM,KAAK,GAAG,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,CAAA;IAC1B,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,IAAI,CAAA;IACnC,IAAI,CAAC,GAAG,CAAC,CAAA;IACT,KAAK,MAAM,CAAC,IAAI,KAAK,EAAE,CAAC;QACtB,MAAM,CAAC,GAAG,QAAQ,CAAC,CAAC,EAAE,EAAE,CAAC,CAAA;QACzB,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,GAAG,GAAG;YAAE,OAAO,IAAI,CAAA;QACxD,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAA;IAClB,CAAC;IACD,OAAO,CAAC,KAAK,CAAC,CAAA;AAChB,CAAC;AAED,SAAS,YAAY,CAAC,CAAS;IAC7B,OAAO,CAAC,CAAC,CAAC,KAAK,EAAE,CAAC,GAAG,IAAI,EAAE,CAAC,CAAC,KAAK,EAAE,CAAC,GAAG,IAAI,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,GAAG,IAAI,EAAE,CAAC,GAAG,IAAI,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAA;AACrF,CAAC;AAED;;;;;;;;GAQG;AACH,SAAS,SAAS,CAAC,KAAa;IAC9B,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,IAAI,CAAA;IAEnC,MAAM,WAAW,GAAG,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,CAAA;IACvC,IAAI,IAAc,CAAA;IAClB,IAAI,IAAc,CAAA;IAClB,IAAI,WAAW,IAAI,CAAC,EAAE,CAAC;QACrB,IAAI,KAAK,CAAC,OAAO,CAAC,IAAI,EAAE,WAAW,GAAG,CAAC,CAAC,KAAK,CAAC,CAAC;YAAE,OAAO,IAAI,CAAA,CAAC,cAAc;QAC3E,IAAI,GAAG,KAAK;aACT,KAAK,CAAC,CAAC,EAAE,WAAW,CAAC;aACrB,KAAK,CAAC,GAAG,CAAC;aACV,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,GAAG,CAAC,CAAC,CAAA;QAC9B,IAAI,GAAG,KAAK;aACT,KAAK,CAAC,WAAW,GAAG,CAAC,CAAC;aACtB,KAAK,CAAC,GAAG,CAAC;aACV,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,GAAG,CAAC,CAAC,CAAA;IAChC,CAAC;SAAM,CAAC;QACN,IAAI,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAA;QACvB,IAAI,GAAG,EAAE,CAAA;QACT,sEAAsE;IACxE,CAAC;IAED,0EAA0E;IAC1E,oEAAoE;IACpE,IAAI,QAAQ,GAA4B,IAAI,CAAA;IAC5C,MAAM,gBAAgB,GAAG,IAAI,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,CAAA;IACtD,MAAM,aAAa,GAAG,gBAAgB,CAAC,gBAAgB,CAAC,MAAM,GAAG,CAAC,CAAC,IAAI,EAAE,CAAA;IACzE,IAAI,aAAa,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;QAChC,MAAM,EAAE,GAAG,gBAAgB,CAAC,aAAa,CAAC,CAAA;QAC1C,IAAI,EAAE,KAAK,IAAI;YAAE,OAAO,IAAI,CAAA;QAC5B,QAAQ,GAAG,CAAC,CAAC,EAAE,KAAK,EAAE,CAAC,GAAG,OAAO,EAAE,EAAE,GAAG,OAAO,CAAC,CAAA;QAChD,IAAI,IAAI,CAAC,MAAM,GAAG,CAAC;YAAE,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAA;;YACxC,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAA;IAC/B,CAAC;IAED,MAAM,UAAU,GAAG,IAAI,CAAC,GAAG,CAAC,WAAW,CAAC,CAAA;IACxC,MAAM,UAAU,GAAG,IAAI,CAAC,GAAG,CAAC,WAAW,CAAC,CAAA;IACxC,IAAI,UAAU,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAI,UAAU,CAAC,QAAQ,CAAC,IAAI,CAAC;QAAE,OAAO,IAAI,CAAA;IAEvE,MAAM,OAAO,GAAG,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAA;IAEhC,IAAI,WAAW,IAAI,CAAC,EAAE,CAAC;QACrB,MAAM,SAAS,GAAG,CAAC,GAAG,UAAU,CAAC,MAAM,GAAG,UAAU,CAAC,MAAM,GAAG,OAAO,CAAA;QACrE,IAAI,SAAS,GAAG,CAAC;YAAE,OAAO,IAAI,CAAA;QAC9B,MAAM,KAAK,GAAG,IAAI,KAAK,CAAS,SAAS,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAA;QAClD,MAAM,MAAM,GAAG;YACb,GAAI,UAAuB;YAC3B,GAAG,KAAK;YACR,GAAI,UAAuB;YAC3B,GAAG,CAAC,QAAQ,IAAI,EAAE,CAAC;SACpB,CAAA;QACD,OAAO,MAAM,CAAC,MAAM,KAAK,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,IAAI,CAAA;IAC5C,CAAC;IAED,yEAAyE;IACzE,MAAM,MAAM,GAAG,CAAC,GAAI,UAAuB,EAAE,GAAG,CAAC,QAAQ,IAAI,EAAE,CAAC,CAAC,CAAA;IACjE,OAAO,MAAM,CAAC,MAAM,KAAK,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,IAAI,CAAA;AAC5C,CAAC;AAED,SAAS,WAAW,CAAC,CAAS;IAC5B,IAAI,CAAC,CAAC,MAAM,KAAK,CAAC,IAAI,CAAC,CAAC,MAAM,GAAG,CAAC;QAAE,OAAO,IAAI,CAAA;IAC/C,IAAI,CAAC,gBAAgB,CAAC,IAAI,CAAC,CAAC,CAAC;QAAE,OAAO,IAAI,CAAA;IAC1C,OAAO,QAAQ,CAAC,CAAC,EAAE,EAAE,CAAC,CAAA;AACxB,CAAC;AAED,SAAS,UAAU,CAAC,MAAgB;IAClC,OAAO,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAA;AACpD,CAAC;AAED;;;;;;;;;GASG;AACH,SAAS,mBAAmB,CAAC,MAAgB;IAC3C,4DAA4D;IAC5D,IAAI,MAAM,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC;QAAE,OAAO,IAAI,CAAA;IAExD,MAAM,QAAQ,GAAG,MAAM,CAAC,CAAC,CAAC,KAAK,OAAO,CAAA;IACtC,IAAI,QAAQ,EAAE,CAAC;QACb,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,IAAI,EAAE,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,KAAK,CAAC,CAAA;IAC5D,CAAC;IAED,4EAA4E;IAC5E,wEAAwE;IACxE,qEAAqE;IACrE,wEAAwE;IACxE,sEAAsE;IACtE,oEAAoE;IACpE,MAAM,QAAQ,GAAG,MAAM,CAAC,CAAC,CAAC,KAAK,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,KAAK,CAAC,CAAA;IAC1D,IAAI,QAAQ,EAAE,CAAC;QACb,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,IAAI,EAAE,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,KAAK,CAAC,CAAA;IAC5D,CAAC;IAED,OAAO,IAAI,CAAA;AACb,CAAC;AAED,SAAS,gBAAgB,CAAC,MAAgB;IACxC,eAAe;IACf,IAAI,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,CAAC;QAC1D,OAAO,EAAE,MAAM,EAAE,qBAAqB,EAAE,CAAA;IAC1C,CAAC;IACD,iBAAiB;IACjB,IAAI,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC;QACjC,OAAO,EAAE,MAAM,EAAE,kBAAkB,EAAE,CAAA;IACvC,CAAC;IACD,yBAAyB;IACzB,IAAI,CAAC,MAAM,CAAC,CAAC,CAAE,GAAG,OAAO,CAAC,KAAK,OAAO,EAAE,CAAC;QACvC,OAAO,EAAE,MAAM,EAAE,8BAA8B,EAAE,CAAA;IACnD,CAAC;IACD,wBAAwB;IACxB,IAAI,CAAC,MAAM,CAAC,CAAC,CAAE,GAAG,OAAO,CAAC,KAAK,OAAO,EAAE,CAAC;QACvC,OAAO,EAAE,MAAM,EAAE,6BAA6B,EAAE,CAAA;IAClD,CAAC;IACD,sBAAsB;IACtB,IAAI,CAAC,MAAM,CAAC,CAAC,CAAE,GAAG,OAAO,CAAC,KAAK,OAAO,EAAE,CAAC;QACvC,OAAO,EAAE,MAAM,EAAE,2BAA2B,EAAE,CAAA;IAChD,CAAC;IACD,iDAAiD;IACjD,IAAI,MAAM,CAAC,CAAC,CAAC,KAAK,OAAO,IAAI,MAAM,CAAC,CAAC,CAAC,KAAK,OAAO,IAAI,MAAM,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC;QAC/F,OAAO,EAAE,MAAM,EAAE,sCAAsC,EAAE,CAAA;IAC3D,CAAC;IACD,OAAO,IAAI,CAAA;AACb,CAAC"}

package/dist/security/rate-limit.d.ts

@@ -11,6 +11,14 @@ export interface RateLimiter {
 export interface RateLimitConfig {
     windowMs: number;
     maxRequests: number;
+    /**
+     * Maximum number of distinct keys retained by the in-memory limiter.
+     * When exceeded, the oldest entry (insertion order) is evicted. Defaults
+     * to 10,000 — high enough to cover any legitimate single-process traffic
+     * while bounding worst-case memory under enumeration / IP-spoofing
+     * attacks. See M1 in the engineering audit.
+     */
+    maxKeys?: number;
 }
 /** Create a rate limiter backed by an in-memory sliding window (for dev/single-process). */
 export declare function createInMemoryRateLimiter(config: RateLimitConfig): RateLimiter;

package/dist/security/rate-limit.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"rate-limit.d.ts","sourceRoot":"","sources":["../../src/security/rate-limit.ts"],"names":[],"mappings":"AAAA,MAAM,WAAW,eAAe;IAC9B,OAAO,EAAE,OAAO,CAAA;IAChB,SAAS,EAAE,MAAM,CAAA;IACjB,OAAO,EAAE,IAAI,CAAA;IACb,UAAU,CAAC,EAAE,MAAM,CAAA;CACpB;AAED,MAAM,WAAW,WAAW;IAC1B,KAAK,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,eAAe,CAAC,CAAA;IAC5C,KAAK,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAA;CAClC;AAED,MAAM,WAAW,eAAe;IAC9B,QAAQ,EAAE,MAAM,CAAA;IAChB,WAAW,EAAE,MAAM,CAAA;CACpB;AAED,4FAA4F;AAC5F,wBAAgB,yBAAyB,CAAC,MAAM,EAAE,eAAe,GAAG,WAAW,CA4B9E;AAED,iFAAiF;AACjF,wBAAgB,wBAAwB,CAAC,MAAM,EAAE,eAAe,GAAG,WAAW,CAqF7E;AA6BD,wBAAgB,iBAAiB,CAAC,MAAM,EAAE,eAAe,GAAG,WAAW,CAkBtE"}
+{"version":3,"file":"rate-limit.d.ts","sourceRoot":"","sources":["../../src/security/rate-limit.ts"],"names":[],"mappings":"AAIA,MAAM,WAAW,eAAe;IAC9B,OAAO,EAAE,OAAO,CAAA;IAChB,SAAS,EAAE,MAAM,CAAA;IACjB,OAAO,EAAE,IAAI,CAAA;IACb,UAAU,CAAC,EAAE,MAAM,CAAA;CACpB;AAED,MAAM,WAAW,WAAW;IAC1B,KAAK,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,eAAe,CAAC,CAAA;IAC5C,KAAK,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAA;CAClC;AAED,MAAM,WAAW,eAAe;IAC9B,QAAQ,EAAE,MAAM,CAAA;IAChB,WAAW,EAAE,MAAM,CAAA;IACnB;;;;;;OAMG;IACH,OAAO,CAAC,EAAE,MAAM,CAAA;CACjB;AASD,4FAA4F;AAC5F,wBAAgB,yBAAyB,CAAC,MAAM,EAAE,eAAe,GAAG,WAAW,CAmE9E;AA2BD,iFAAiF;AACjF,wBAAgB,wBAAwB,CAAC,MAAM,EAAE,eAAe,GAAG,WAAW,CAuF7E;AA6BD,wBAAgB,iBAAiB,CAAC,MAAM,EAAE,eAAe,GAAG,WAAW,CAkBtE"}

package/dist/security/rate-limit.js

@@ -1,16 +1,61 @@
+import { createLogger } from '../diagnostics/logger.js';
+const logger = createLogger('rate-limit');
+const DEFAULT_MAX_KEYS = 10_000;
+/**
+ * Sweep expired entries on every Nth `check()` call. Tunable at module level
+ * so tests can stub it without exposing it via the public config surface.
+ */
+const SWEEP_EVERY_N_CHECKS = 256;
 /** Create a rate limiter backed by an in-memory sliding window (for dev/single-process). */
 export function createInMemoryRateLimiter(config) {
+    // `Map` preserves insertion order so we can use it as an LRU directly:
+    // every `check()` re-inserts the touched key (delete + set) which moves it
+    // to the tail. When we exceed the cap, `windows.keys().next().value` is the
+    // least-recently-touched entry and we evict it.
     const windows = new Map();
+    const maxKeys = config.maxKeys && config.maxKeys > 0 ? config.maxKeys : DEFAULT_MAX_KEYS;
+    let checksSinceSweep = 0;
+    function sweepExpired(now) {
+        // Bounded periodic cleanup of expired entries. We cap iterations so a
+        // pathological burst of new keys can't make this O(n) on every call.
+        let removed = 0;
+        for (const [key, entry] of windows) {
+            if (entry.resetAt <= now) {
+                windows.delete(key);
+                removed++;
+                if (removed >= 1000)
+                    break;
+            }
+        }
+    }
+    function evictIfFull() {
+        while (windows.size >= maxKeys) {
+            const oldestKey = windows.keys().next().value;
+            if (oldestKey === undefined)
+                break;
+            windows.delete(oldestKey);
+        }
+    }
     return {
         async check(key) {
             const now = Date.now();
+            checksSinceSweep++;
+            if (checksSinceSweep >= SWEEP_EVERY_N_CHECKS) {
+                checksSinceSweep = 0;
+                sweepExpired(now);
+            }
             const entry = windows.get(key);
             if (!entry || now > entry.resetAt) {
                 const resetAt = now + config.windowMs;
+                windows.delete(key);
+                evictIfFull();
                 windows.set(key, { count: 1, resetAt });
                 return { allowed: true, remaining: config.maxRequests - 1, resetAt: new Date(resetAt) };
             }
             entry.count++;
+            // Re-insert to mark as most-recently-used.
+            windows.delete(key);
+            windows.set(key, entry);
             const allowed = entry.count <= config.maxRequests;
             return {
                 allowed,
@@ -24,6 +69,31 @@ export function createInMemoryRateLimiter(config) {
         },
     };
 }
+/**
+ * Throttle the noisy "Upstash failed" audit event so a sustained outage does
+ * not generate one DB write per request. We allow at most one audit log per
+ * `AUDIT_THROTTLE_MS`. The `console.error` line still fires on every failure
+ * for live operator visibility.
+ */
+const AUDIT_THROTTLE_MS = 60_000;
+let lastAuditAt = 0;
+async function emitDegradedAudit(reason) {
+    const now = Date.now();
+    if (now - lastAuditAt < AUDIT_THROTTLE_MS)
+        return;
+    lastAuditAt = now;
+    try {
+        // Lazy import — avoids a static dep cycle (audit.ts -> db.js -> ...).
+        const { logEvent } = await import('./audit.js');
+        await logEvent({
+            event: 'rate_limit.degraded',
+            details: { reason, throttleMs: AUDIT_THROTTLE_MS },
+        });
+    }
+    catch {
+        // Audit failures are themselves logged in audit.ts; don't double-log here.
+    }
+}
 /** Create a rate limiter backed by Upstash Redis (for serverless/production). */
 export function createUpstashRateLimiter(config) {
     const url = process.env.UPSTASH_REDIS_REST_URL;
@@ -79,8 +149,14 @@ export function createUpstashRateLimiter(config) {
             }
             catch (err) {
                 // Fail open with logging — a Redis outage should NOT take the entire
-                // CMS offline. Audit-level logging makes the degradation visible.
-                console.error('[actuate][rate-limit] Upstash request failed, allowing through:', err instanceof Error ? err.message : err);
+                // CMS offline. We surface the degradation through:
+                //   1. console.error for live ops/log aggregator dashboards;
+                //   2. a throttled audit-log event so the outage is preserved in the
+                //      durable security record without flooding the DB during long
+                //      Upstash incidents.
+                const reason = err instanceof Error ? err.message : String(err);
+                logger.error('Upstash request failed, allowing through', { reason });
+                void emitDegradedAudit(reason);
                 return {
                     allowed: true,
                     remaining: Math.max(0, config.maxRequests - 1),
@@ -93,7 +169,9 @@ export function createUpstashRateLimiter(config) {
                 await redisPipeline([['DEL', `ratelimit:${key}`]]);
             }
             catch (err) {
-                console.error('[actuate][rate-limit] Upstash reset failed:', err instanceof Error ? err.message : err);
+                logger.error('Upstash reset failed', {
+                    reason: err instanceof Error ? err.message : String(err),
+                });
             }
         },
     };

package/dist/security/rate-limit.js.map

@@ -1 +1 @@
-{"version":3,"file":"rate-limit.js","sourceRoot":"","sources":["../../src/security/rate-limit.ts"],"names":[],"mappings":"AAiBA,4FAA4F;AAC5F,MAAM,UAAU,yBAAyB,CAAC,MAAuB;IAC/D,MAAM,OAAO,GAAG,IAAI,GAAG,EAA8C,CAAA;IAErE,OAAO;QACL,KAAK,CAAC,KAAK,CAAC,GAAW;YACrB,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAA;YACtB,MAAM,KAAK,GAAG,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC,CAAA;YAE9B,IAAI,CAAC,KAAK,IAAI,GAAG,GAAG,KAAK,CAAC,OAAO,EAAE,CAAC;gBAClC,MAAM,OAAO,GAAG,GAAG,GAAG,MAAM,CAAC,QAAQ,CAAA;gBACrC,OAAO,CAAC,GAAG,CAAC,GAAG,EAAE,EAAE,KAAK,EAAE,CAAC,EAAE,OAAO,EAAE,CAAC,CAAA;gBACvC,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,SAAS,EAAE,MAAM,CAAC,WAAW,GAAG,CAAC,EAAE,OAAO,EAAE,IAAI,IAAI,CAAC,OAAO,CAAC,EAAE,CAAA;YACzF,CAAC;YAED,KAAK,CAAC,KAAK,EAAE,CAAA;YACb,MAAM,OAAO,GAAG,KAAK,CAAC,KAAK,IAAI,MAAM,CAAC,WAAW,CAAA;YACjD,OAAO;gBACL,OAAO;gBACP,SAAS,EAAE,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,MAAM,CAAC,WAAW,GAAG,KAAK,CAAC,KAAK,CAAC;gBACxD,OAAO,EAAE,IAAI,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC;gBAChC,UAAU,EAAE,OAAO,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,KAAK,CAAC,OAAO,GAAG,GAAG,CAAC,GAAG,IAAI,CAAC;aAC1E,CAAA;QACH,CAAC;QAED,KAAK,CAAC,KAAK,CAAC,GAAW;YACrB,OAAO,CAAC,MAAM,CAAC,GAAG,CAAC,CAAA;QACrB,CAAC;KACF,CAAA;AACH,CAAC;AAED,iFAAiF;AACjF,MAAM,UAAU,wBAAwB,CAAC,MAAuB;IAC9D,MAAM,GAAG,GAAG,OAAO,CAAC,GAAG,CAAC,sBAAsB,CAAA;IAC9C,MAAM,KAAK,GAAG,OAAO,CAAC,GAAG,CAAC,wBAAwB,CAAA;IAElD,IAAI,CAAC,GAAG,IAAI,CAAC,KAAK,EAAE,CAAC;QACnB,MAAM,IAAI,KAAK,CAAC,kEAAkE,CAAC,CAAA;IACrF,CAAC;IAED,KAAK,UAAU,aAAa,CAAC,QAAoB;QAC/C,yEAAyE;QACzE,qEAAqE;QACrE,wEAAwE;QACxE,qEAAqE;QACrE,0BAA0B;QAC1B,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,GAAG,GAAG,WAAW,EAAE;YAC9C,MAAM,EAAE,MAAM;YACd,OAAO,EAAE;gBACP,aAAa,EAAE,UAAU,KAAK,EAAE;gBAChC,cAAc,EAAE,kBAAkB;aACnC;YACD,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC;SAC/B,CAAC,CAAA;QACF,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;YACjB,MAAM,IAAI,KAAK,CAAC,6BAA6B,QAAQ,CAAC,MAAM,EAAE,CAAC,CAAA;QACjE,CAAC;QACD,MAAM,IAAI,GAAG,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAA4C,CAAA;QAC/E,OAAO,IAAI,CAAC,GAAG,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,KAAK,EAAE,MAAM,CAAC,CAAA;IAC3C,CAAC;IAED,MAAM,SAAS,GAAG,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,QAAQ,GAAG,IAAI,CAAC,CAAA;IAEnD,OAAO;QACL,KAAK,CAAC,KAAK,CAAC,GAAW;YACrB,MAAM,QAAQ,GAAG,aAAa,GAAG,EAAE,CAAA;YAEnC,IAAI,CAAC;gBACH,MAAM,CAAC,KAAK,EAAE,aAAa,EAAE,GAAG,CAAC,GAAG,CAAC,MAAM,aAAa,CAAC;oBACvD,CAAC,MAAM,EAAE,QAAQ,CAAC;oBAClB,CAAC,QAAQ,EAAE,QAAQ,EAAE,MAAM,CAAC,SAAS,CAAC,EAAE,IAAI,CAAC,EAAE,8BAA8B;oBAC7E,CAAC,KAAK,EAAE,QAAQ,CAAC;iBAClB,CAAC,CAA6B,CAAA;gBAE/B,uEAAuE;gBACvE,oEAAoE;gBACpE,sDAAsD;gBACtD,IAAI,GAAG,GAAG,CAAC,EAAE,CAAC;oBACZ,MAAM,aAAa,CAAC,CAAC,CAAC,QAAQ,EAAE,QAAQ,EAAE,MAAM,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,SAAS,CAAC,CAAA;gBACvF,CAAC;gBAED,MAAM,YAAY,GAAG,GAAG,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,SAAS,CAAA;gBAC9C,MAAM,OAAO,GAAG,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,YAAY,GAAG,IAAI,CAAC,CAAA;gBAC1D,MAAM,OAAO,GAAG,KAAK,IAAI,MAAM,CAAC,WAAW,CAAA;gBAE3C,OAAO;oBACL,OAAO;oBACP,SAAS,EAAE,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,MAAM,CAAC,WAAW,GAAG,KAAK,CAAC;oBAClD,OAAO;oBACP,UAAU,EAAE,OAAO,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,YAAY;iBAC/C,CAAA;YACH,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACb,qEAAqE;gBACrE,kEAAkE;gBAClE,OAAO,CAAC,KAAK,CACX,iEAAiE,EACjE,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,GAAG,CACzC,CAAA;gBACD,OAAO;oBACL,OAAO,EAAE,IAAI;oBACb,SAAS,EAAE,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,MAAM,CAAC,WAAW,GAAG,CAAC,CAAC;oBAC9C,OAAO,EAAE,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,MAAM,CAAC,QAAQ,CAAC;iBAChD,CAAA;YACH,CAAC;QACH,CAAC;QAED,KAAK,CAAC,KAAK,CAAC,GAAW;YACrB,IAAI,CAAC;gBACH,MAAM,aAAa,CAAC,CAAC,CAAC,KAAK,EAAE,aAAa,GAAG,EAAE,CAAC,CAAC,CAAC,CAAA;YACpD,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACb,OAAO,CAAC,KAAK,CACX,6CAA6C,EAC7C,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,GAAG,CACzC,CAAA;YACH,CAAC;QACH,CAAC;KACF,CAAA;AACH,CAAC;AAED;;;GAGG;AACH;;;;;;;;;GASG;AACH,SAAS,2BAA2B,CAAC,MAAuB;IAC1D,OAAO;QACL,KAAK,CAAC,KAAK;YACT,OAAO;gBACL,OAAO,EAAE,IAAI;gBACb,SAAS,EAAE,MAAM,CAAC,WAAW;gBAC7B,OAAO,EAAE,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,MAAM,CAAC,QAAQ,CAAC;aAChD,CAAA;QACH,CAAC;QACD,KAAK,CAAC,KAAK,KAAmB,CAAC;KAChC,CAAA;AACH,CAAC;AAED,MAAM,UAAU,iBAAiB,CAAC,MAAuB;IACvD,yEAAyE;IACzE,uEAAuE;IACvE,sEAAsE;IACtE,uEAAuE;IACvE,qEAAqE;IACrE,IAAI,OAAO,CAAC,GAAG,CAAC,0BAA0B,KAAK,GAAG,EAAE,CAAC;QACnD,OAAO,2BAA2B,CAAC,MAAM,CAAC,CAAA;IAC5C,CAAC;IAED,IAAI,OAAO,CAAC,GAAG,CAAC,sBAAsB,IAAI,OAAO,CAAC,GAAG,CAAC,wBAAwB,EAAE,CAAC;QAC/E,IAAI,CAAC;YACH,OAAO,wBAAwB,CAAC,MAAM,CAAC,CAAA;QACzC,CAAC;QAAC,MAAM,CAAC;YACP,8CAA8C;QAChD,CAAC;IACH,CAAC;IACD,OAAO,yBAAyB,CAAC,MAAM,CAAC,CAAA;AAC1C,CAAC"}
+{"version":3,"file":"rate-limit.js","sourceRoot":"","sources":["../../src/security/rate-limit.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAE,MAAM,0BAA0B,CAAA;AAEvD,MAAM,MAAM,GAAG,YAAY,CAAC,YAAY,CAAC,CAAA;AA2BzC,MAAM,gBAAgB,GAAG,MAAM,CAAA;AAC/B;;;GAGG;AACH,MAAM,oBAAoB,GAAG,GAAG,CAAA;AAEhC,4FAA4F;AAC5F,MAAM,UAAU,yBAAyB,CAAC,MAAuB;IAC/D,uEAAuE;IACvE,2EAA2E;IAC3E,4EAA4E;IAC5E,gDAAgD;IAChD,MAAM,OAAO,GAAG,IAAI,GAAG,EAA8C,CAAA;IACrE,MAAM,OAAO,GAAG,MAAM,CAAC,OAAO,IAAI,MAAM,CAAC,OAAO,GAAG,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,CAAC,gBAAgB,CAAA;IACxF,IAAI,gBAAgB,GAAG,CAAC,CAAA;IAExB,SAAS,YAAY,CAAC,GAAW;QAC/B,sEAAsE;QACtE,qEAAqE;QACrE,IAAI,OAAO,GAAG,CAAC,CAAA;QACf,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,OAAO,EAAE,CAAC;YACnC,IAAI,KAAK,CAAC,OAAO,IAAI,GAAG,EAAE,CAAC;gBACzB,OAAO,CAAC,MAAM,CAAC,GAAG,CAAC,CAAA;gBACnB,OAAO,EAAE,CAAA;gBACT,IAAI,OAAO,IAAI,IAAI;oBAAE,MAAK;YAC5B,CAAC;QACH,CAAC;IACH,CAAC;IAED,SAAS,WAAW;QAClB,OAAO,OAAO,CAAC,IAAI,IAAI,OAAO,EAAE,CAAC;YAC/B,MAAM,SAAS,GAAG,OAAO,CAAC,IAAI,EAAE,CAAC,IAAI,EAAE,CAAC,KAAK,CAAA;YAC7C,IAAI,SAAS,KAAK,SAAS;gBAAE,MAAK;YAClC,OAAO,CAAC,MAAM,CAAC,SAAS,CAAC,CAAA;QAC3B,CAAC;IACH,CAAC;IAED,OAAO;QACL,KAAK,CAAC,KAAK,CAAC,GAAW;YACrB,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAA;YACtB,gBAAgB,EAAE,CAAA;YAClB,IAAI,gBAAgB,IAAI,oBAAoB,EAAE,CAAC;gBAC7C,gBAAgB,GAAG,CAAC,CAAA;gBACpB,YAAY,CAAC,GAAG,CAAC,CAAA;YACnB,CAAC;YAED,MAAM,KAAK,GAAG,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC,CAAA;YAE9B,IAAI,CAAC,KAAK,IAAI,GAAG,GAAG,KAAK,CAAC,OAAO,EAAE,CAAC;gBAClC,MAAM,OAAO,GAAG,GAAG,GAAG,MAAM,CAAC,QAAQ,CAAA;gBACrC,OAAO,CAAC,MAAM,CAAC,GAAG,CAAC,CAAA;gBACnB,WAAW,EAAE,CAAA;gBACb,OAAO,CAAC,GAAG,CAAC,GAAG,EAAE,EAAE,KAAK,EAAE,CAAC,EAAE,OAAO,EAAE,CAAC,CAAA;gBACvC,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,SAAS,EAAE,MAAM,CAAC,WAAW,GAAG,CAAC,EAAE,OAAO,EAAE,IAAI,IAAI,CAAC,OAAO,CAAC,EAAE,CAAA;YACzF,CAAC;YAED,KAAK,CAAC,KAAK,EAAE,CAAA;YACb,2CAA2C;YAC3C,OAAO,CAAC,MAAM,CAAC,GAAG,CAAC,CAAA;YACnB,OAAO,CAAC,GAAG,CAAC,GAAG,EAAE,KAAK,CAAC,CAAA;YAEvB,MAAM,OAAO,GAAG,KAAK,CAAC,KAAK,IAAI,MAAM,CAAC,WAAW,CAAA;YACjD,OAAO;gBACL,OAAO;gBACP,SAAS,EAAE,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,MAAM,CAAC,WAAW,GAAG,KAAK,CAAC,KAAK,CAAC;gBACxD,OAAO,EAAE,IAAI,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC;gBAChC,UAAU,EAAE,OAAO,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,KAAK,CAAC,OAAO,GAAG,GAAG,CAAC,GAAG,IAAI,CAAC;aAC1E,CAAA;QACH,CAAC;QAED,KAAK,CAAC,KAAK,CAAC,GAAW;YACrB,OAAO,CAAC,MAAM,CAAC,GAAG,CAAC,CAAA;QACrB,CAAC;KACF,CAAA;AACH,CAAC;AAED;;;;;GAKG;AACH,MAAM,iBAAiB,GAAG,MAAM,CAAA;AAChC,IAAI,WAAW,GAAG,CAAC,CAAA;AAEnB,KAAK,UAAU,iBAAiB,CAAC,MAAc;IAC7C,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAA;IACtB,IAAI,GAAG,GAAG,WAAW,GAAG,iBAAiB;QAAE,OAAM;IACjD,WAAW,GAAG,GAAG,CAAA;IACjB,IAAI,CAAC;QACH,sEAAsE;QACtE,MAAM,EAAE,QAAQ,EAAE,GAAG,MAAM,MAAM,CAAC,YAAY,CAAC,CAAA;QAC/C,MAAM,QAAQ,CAAC;YACb,KAAK,EAAE,qBAAqB;YAC5B,OAAO,EAAE,EAAE,MAAM,EAAE,UAAU,EAAE,iBAAiB,EAAE;SACnD,CAAC,CAAA;IACJ,CAAC;IAAC,MAAM,CAAC;QACP,2EAA2E;IAC7E,CAAC;AACH,CAAC;AAED,iFAAiF;AACjF,MAAM,UAAU,wBAAwB,CAAC,MAAuB;IAC9D,MAAM,GAAG,GAAG,OAAO,CAAC,GAAG,CAAC,sBAAsB,CAAA;IAC9C,MAAM,KAAK,GAAG,OAAO,CAAC,GAAG,CAAC,wBAAwB,CAAA;IAElD,IAAI,CAAC,GAAG,IAAI,CAAC,KAAK,EAAE,CAAC;QACnB,MAAM,IAAI,KAAK,CAAC,kEAAkE,CAAC,CAAA;IACrF,CAAC;IAED,KAAK,UAAU,aAAa,CAAC,QAAoB;QAC/C,yEAAyE;QACzE,qEAAqE;QACrE,wEAAwE;QACxE,qEAAqE;QACrE,0BAA0B;QAC1B,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,GAAG,GAAG,WAAW,EAAE;YAC9C,MAAM,EAAE,MAAM;YACd,OAAO,EAAE;gBACP,aAAa,EAAE,UAAU,KAAK,EAAE;gBAChC,cAAc,EAAE,kBAAkB;aACnC;YACD,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC;SAC/B,CAAC,CAAA;QACF,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;YACjB,MAAM,IAAI,KAAK,CAAC,6BAA6B,QAAQ,CAAC,MAAM,EAAE,CAAC,CAAA;QACjE,CAAC;QACD,MAAM,IAAI,GAAG,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAA4C,CAAA;QAC/E,OAAO,IAAI,CAAC,GAAG,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,KAAK,EAAE,MAAM,CAAC,CAAA;IAC3C,CAAC;IAED,MAAM,SAAS,GAAG,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,QAAQ,GAAG,IAAI,CAAC,CAAA;IAEnD,OAAO;QACL,KAAK,CAAC,KAAK,CAAC,GAAW;YACrB,MAAM,QAAQ,GAAG,aAAa,GAAG,EAAE,CAAA;YAEnC,IAAI,CAAC;gBACH,MAAM,CAAC,KAAK,EAAE,aAAa,EAAE,GAAG,CAAC,GAAG,CAAC,MAAM,aAAa,CAAC;oBACvD,CAAC,MAAM,EAAE,QAAQ,CAAC;oBAClB,CAAC,QAAQ,EAAE,QAAQ,EAAE,MAAM,CAAC,SAAS,CAAC,EAAE,IAAI,CAAC,EAAE,8BAA8B;oBAC7E,CAAC,KAAK,EAAE,QAAQ,CAAC;iBAClB,CAAC,CAA6B,CAAA;gBAE/B,uEAAuE;gBACvE,oEAAoE;gBACpE,sDAAsD;gBACtD,IAAI,GAAG,GAAG,CAAC,EAAE,CAAC;oBACZ,MAAM,aAAa,CAAC,CAAC,CAAC,QAAQ,EAAE,QAAQ,EAAE,MAAM,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,SAAS,CAAC,CAAA;gBACvF,CAAC;gBAED,MAAM,YAAY,GAAG,GAAG,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,SAAS,CAAA;gBAC9C,MAAM,OAAO,GAAG,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,YAAY,GAAG,IAAI,CAAC,CAAA;gBAC1D,MAAM,OAAO,GAAG,KAAK,IAAI,MAAM,CAAC,WAAW,CAAA;gBAE3C,OAAO;oBACL,OAAO;oBACP,SAAS,EAAE,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,MAAM,CAAC,WAAW,GAAG,KAAK,CAAC;oBAClD,OAAO;oBACP,UAAU,EAAE,OAAO,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,YAAY;iBAC/C,CAAA;YACH,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACb,qEAAqE;gBACrE,mDAAmD;gBACnD,6DAA6D;gBAC7D,qEAAqE;gBACrE,mEAAmE;gBACnE,0BAA0B;gBAC1B,MAAM,MAAM,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAA;gBAC/D,MAAM,CAAC,KAAK,CAAC,0CAA0C,EAAE,EAAE,MAAM,EAAE,CAAC,CAAA;gBACpE,KAAK,iBAAiB,CAAC,MAAM,CAAC,CAAA;gBAC9B,OAAO;oBACL,OAAO,EAAE,IAAI;oBACb,SAAS,EAAE,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,MAAM,CAAC,WAAW,GAAG,CAAC,CAAC;oBAC9C,OAAO,EAAE,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,MAAM,CAAC,QAAQ,CAAC;iBAChD,CAAA;YACH,CAAC;QACH,CAAC;QAED,KAAK,CAAC,KAAK,CAAC,GAAW;YACrB,IAAI,CAAC;gBACH,MAAM,aAAa,CAAC,CAAC,CAAC,KAAK,EAAE,aAAa,GAAG,EAAE,CAAC,CAAC,CAAC,CAAA;YACpD,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACb,MAAM,CAAC,KAAK,CAAC,sBAAsB,EAAE;oBACnC,MAAM,EAAE,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC;iBACzD,CAAC,CAAA;YACJ,CAAC;QACH,CAAC;KACF,CAAA;AACH,CAAC;AAED;;;GAGG;AACH;;;;;;;;;GASG;AACH,SAAS,2BAA2B,CAAC,MAAuB;IAC1D,OAAO;QACL,KAAK,CAAC,KAAK;YACT,OAAO;gBACL,OAAO,EAAE,IAAI;gBACb,SAAS,EAAE,MAAM,CAAC,WAAW;gBAC7B,OAAO,EAAE,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,MAAM,CAAC,QAAQ,CAAC;aAChD,CAAA;QACH,CAAC;QACD,KAAK,CAAC,KAAK,KAAmB,CAAC;KAChC,CAAA;AACH,CAAC;AAED,MAAM,UAAU,iBAAiB,CAAC,MAAuB;IACvD,yEAAyE;IACzE,uEAAuE;IACvE,sEAAsE;IACtE,uEAAuE;IACvE,qEAAqE;IACrE,IAAI,OAAO,CAAC,GAAG,CAAC,0BAA0B,KAAK,GAAG,EAAE,CAAC;QACnD,OAAO,2BAA2B,CAAC,MAAM,CAAC,CAAA;IAC5C,CAAC;IAED,IAAI,OAAO,CAAC,GAAG,CAAC,sBAAsB,IAAI,OAAO,CAAC,GAAG,CAAC,wBAAwB,EAAE,CAAC;QAC/E,IAAI,CAAC;YACH,OAAO,wBAAwB,CAAC,MAAM,CAAC,CAAA;QACzC,CAAC;QAAC,MAAM,CAAC;YACP,8CAA8C;QAChD,CAAC;IACH,CAAC;IACD,OAAO,yBAAyB,CAAC,MAAM,CAAC,CAAA;AAC1C,CAAC"}