npm - @actuate-media/cms-core - Versions diffs - 0.12.0 → 0.14.0 - Mend

@actuate-media/cms-core 0.12.0 → 0.14.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (110) hide show

package/LICENSE +21 -21
package/dist/__tests__/api/api-key-auth.test.d.ts +2 -0
package/dist/__tests__/api/api-key-auth.test.d.ts.map +1 -0
package/dist/__tests__/api/api-key-auth.test.js +217 -0
package/dist/__tests__/api/api-key-auth.test.js.map +1 -0
package/dist/__tests__/api/health.test.d.ts +2 -0
package/dist/__tests__/api/health.test.d.ts.map +1 -0
package/dist/__tests__/api/health.test.js +140 -0
package/dist/__tests__/api/health.test.js.map +1 -0
package/dist/__tests__/auth/oauth.test.d.ts +2 -0
package/dist/__tests__/auth/oauth.test.d.ts.map +1 -0
package/dist/__tests__/auth/oauth.test.js +406 -0
package/dist/__tests__/auth/oauth.test.js.map +1 -0
package/dist/__tests__/auth/reset.test.d.ts +2 -0
package/dist/__tests__/auth/reset.test.d.ts.map +1 -0
package/dist/__tests__/auth/reset.test.js +303 -0
package/dist/__tests__/auth/reset.test.js.map +1 -0
package/dist/__tests__/diagnostics/env.test.d.ts +2 -0
package/dist/__tests__/diagnostics/env.test.d.ts.map +1 -0
package/dist/__tests__/diagnostics/env.test.js +119 -0
package/dist/__tests__/diagnostics/env.test.js.map +1 -0
package/dist/__tests__/diagnostics/logger.test.d.ts +2 -0
package/dist/__tests__/diagnostics/logger.test.d.ts.map +1 -0
package/dist/__tests__/diagnostics/logger.test.js +111 -0
package/dist/__tests__/diagnostics/logger.test.js.map +1 -0
package/dist/__tests__/security/api-key-enhanced.test.d.ts +2 -0
package/dist/__tests__/security/api-key-enhanced.test.d.ts.map +1 -0
package/dist/__tests__/security/api-key-enhanced.test.js +110 -0
package/dist/__tests__/security/api-key-enhanced.test.js.map +1 -0
package/dist/__tests__/security/rate-limit.test.js +42 -0
package/dist/__tests__/security/rate-limit.test.js.map +1 -1
package/dist/actions.d.ts.map +1 -1
package/dist/actions.js +7 -6
package/dist/actions.js.map +1 -1
package/dist/api/handler-factory.d.ts.map +1 -1
package/dist/api/handler-factory.js +31 -8
package/dist/api/handler-factory.js.map +1 -1
package/dist/api/handlers.d.ts.map +1 -1
package/dist/api/handlers.js +508 -55
package/dist/api/handlers.js.map +1 -1
package/dist/auth/oauth.d.ts.map +1 -1
package/dist/auth/oauth.js +5 -1
package/dist/auth/oauth.js.map +1 -1
package/dist/auth/reset.d.ts.map +1 -1
package/dist/auth/reset.js +2 -1
package/dist/auth/reset.js.map +1 -1
package/dist/config/runtime.d.ts +99 -0
package/dist/config/runtime.d.ts.map +1 -0
package/dist/config/runtime.js +43 -0
package/dist/config/runtime.js.map +1 -0
package/dist/config/types.d.ts +21 -0
package/dist/config/types.d.ts.map +1 -1
package/dist/diagnostics/env.d.ts +44 -0
package/dist/diagnostics/env.d.ts.map +1 -0
package/dist/diagnostics/env.js +293 -0
package/dist/diagnostics/env.js.map +1 -0
package/dist/diagnostics/logger.d.ts +38 -0
package/dist/diagnostics/logger.d.ts.map +1 -0
package/dist/diagnostics/logger.js +89 -0
package/dist/diagnostics/logger.js.map +1 -0
package/dist/page-builder/blocks.d.ts.map +1 -1
package/dist/page-builder/blocks.js +6 -1
package/dist/page-builder/blocks.js.map +1 -1
package/dist/security/api-key-enhanced.d.ts +48 -5
package/dist/security/api-key-enhanced.d.ts.map +1 -1
package/dist/security/api-key-enhanced.js +60 -9
package/dist/security/api-key-enhanced.js.map +1 -1
package/dist/security/audit.d.ts.map +1 -1
package/dist/security/audit.js +3 -1
package/dist/security/audit.js.map +1 -1
package/dist/security/rate-limit.d.ts +8 -0
package/dist/security/rate-limit.d.ts.map +1 -1
package/dist/security/rate-limit.js +81 -3
package/dist/security/rate-limit.js.map +1 -1
package/generated/browser.ts +109 -0
package/generated/client.ts +133 -0
package/generated/commonInputTypes.ts +709 -0
package/generated/enums.ts +125 -0
package/generated/internal/class.ts +376 -0
package/generated/internal/prismaNamespace.ts +2617 -0
package/generated/internal/prismaNamespaceBrowser.ts +611 -0
package/generated/models/ApiKey.ts +1550 -0
package/generated/models/AuditLog.ts +1206 -0
package/generated/models/BackupRecord.ts +1250 -0
package/generated/models/ContentLock.ts +1472 -0
package/generated/models/ContentTemplate.ts +1416 -0
package/generated/models/Document.ts +3005 -0
package/generated/models/Folder.ts +1904 -0
package/generated/models/FormSubmission.ts +1200 -0
package/generated/models/InAppNotification.ts +1457 -0
package/generated/models/Media.ts +2340 -0
package/generated/models/MediaUsage.ts +1472 -0
package/generated/models/OAuthAccount.ts +1463 -0
package/generated/models/Redirect.ts +1284 -0
package/generated/models/Session.ts +1492 -0
package/generated/models/Site.ts +1206 -0
package/generated/models/User.ts +3513 -0
package/generated/models/Version.ts +1511 -0
package/generated/models/WorkflowState.ts +1514 -0
package/generated/models.ts +29 -0
package/package.json +1 -1
package/prisma/cms-schema.prisma +306 -306
package/prisma/migrations/0001_init/migration.sql +384 -384
package/prisma/migrations/0002_folders/migration.sql +39 -39
package/prisma/migrations/0003_search_and_webhooks/migration.sql +50 -50
package/prisma/migrations/0004_script_tags/migration.sql +21 -21
package/prisma/migrations/0005_password_reset_tokens/migration.sql +20 -20
package/prisma/migrations/0006_page_builder/migration.sql +38 -38
package/prisma/migrations/migration_lock.toml +3 -3
package/prisma/schema.prisma +549 -549

package/dist/security/api-key-enhanced.js CHANGED Viewed

@@ -1,3 +1,12 @@
+/**
+ * API key generation and scope validation.
+ *
+ * Keys are formatted `act_sk_<64 hex chars>`. We store only a SHA-256 hash of
+ * the key in the database; the raw key is shown to the user exactly once at
+ * creation time. The first 15 chars (`act_sk_` + 8 hex) are stored as
+ * `keyPrefix` so the admin UI can display a human-recognizable token without
+ * leaking the secret half.
+ */
 /** Generate a new API key with scoped permissions. */
 export async function generateApiKey(config) {
     const rawBytes = crypto.getRandomValues(new Uint8Array(32));
@@ -5,21 +14,63 @@ export async function generateApiKey(config) {
         .map((b) => b.toString(16).padStart(2, '0'))
         .join('');
     const key = `${config.prefix}_${rawKey}`;
+    // First 8 hex chars after the underscore are safe to display (the remaining
+    // 56 hex chars provide >224 bits of entropy).
     const keyPrefix = key.slice(0, config.prefix.length + 9);
-    const hashBuffer = await crypto.subtle.digest('SHA-256', new TextEncoder().encode(key));
-    const keyHash = Array.from(new Uint8Array(hashBuffer))
+    const keyHash = await hashApiKey(key);
+    return { key, keyHash, keyPrefix };
+}
+/** SHA-256 hash a raw API key for lookup. */
+export async function hashApiKey(rawKey) {
+    const hashBuffer = await crypto.subtle.digest('SHA-256', new TextEncoder().encode(rawKey));
+    return Array.from(new Uint8Array(hashBuffer))
         .map((b) => b.toString(16).padStart(2, '0'))
         .join('');
-    return { key, keyHash, keyPrefix };
 }
-/** Validate an API key's scopes against a requested action. */
+/** True when the request's bearer token looks like an API key (vs a session JWT). */
+export function looksLikeApiKey(token) {
+    return /^act_sk_[a-f0-9]{32,}$/i.test(token);
+}
+/**
+ * Validate an API key's scopes against a collection action. Returns true when
+ * the key is permitted to perform `action` on `collection`. Admin keys always
+ * pass.
+ */
 export function validateApiKeyScope(scopes, collection, action) {
-    if (scopes.collections && !scopes.collections.includes(collection)) {
+    if (scopes.admin)
+        return true;
+    if (!scopes.collections || scopes.collections.length === 0)
+        return false;
+    if (!scopes.actions || !scopes.actions.includes(action))
         return false;
-    }
-    if (scopes.actions && !scopes.actions.includes(action)) {
+    if (scopes.collections.includes('*'))
+        return true;
+    return scopes.collections.includes(collection);
+}
+/** Validate scope for a global action. */
+export function validateApiKeyGlobalScope(scopes, slug) {
+    if (scopes.admin)
+        return true;
+    if (!scopes.globals || scopes.globals.length === 0)
+        return false;
+    if (scopes.globals.includes('*'))
+        return true;
+    return scopes.globals.includes(slug);
+}
+/** Validate scope for media uploads/management. */
+export function validateApiKeyMediaScope(scopes) {
+    return scopes.admin === true || scopes.media === true;
+}
+/** Validate scope for page-builder/AI endpoints. */
+export function validateApiKeyPageBuilderScope(scopes) {
+    return scopes.admin === true || scopes.pageBuilder === true;
+}
+/** Validate IP restrictions against the request's client IP. */
+export function validateApiKeyIp(restrictions, ip) {
+    if (!restrictions || restrictions.length === 0)
+        return true;
+    if (!ip || ip === 'unknown')
         return false;
-    }
-    return true;
+    return restrictions.includes(ip);
 }
 //# sourceMappingURL=api-key-enhanced.js.map

package/dist/security/api-key-enhanced.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"api-key-enhanced.js","sourceRoot":"","sources":["../../src/security/api-key-enhanced.ts"],"names":[],"mappings":"~~AAeA~~,sDAAsD;AACtD,MAAM,CAAC,KAAK,UAAU,cAAc,CAClC,MAA4B;IAE5B,MAAM,QAAQ,GAAG,MAAM,CAAC,eAAe,CAAC,IAAI,UAAU,CAAC,EAAE,CAAC,CAAC,CAAA;IAC3D,MAAM,MAAM,GAAG,KAAK,CAAC,IAAI,CAAC,QAAQ,CAAC;SAChC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC;SAC3C,IAAI,CAAC,EAAE,CAAC,CAAA;IACX,MAAM,GAAG,GAAG,GAAG,MAAM,CAAC,MAAM,IAAI,MAAM,EAAE,CAAA;IACxC,MAAM,SAAS,GAAG,GAAG,CAAC,KAAK,CAAC,CAAC,EAAE,MAAM,CAAC,MAAM,CAAC,MAAM,GAAG,CAAC,CAAC,CAAA;~~IAExD~~,MAAM,UAAU,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,SAAS,EAAE,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,~~GAAG~~,CAAC,CAAC,CAAA;~~IACvF~~,~~MAAM,~~OAAO,~~GAAG,~~KAAK,CAAC,IAAI,CAAC,IAAI,UAAU,CAAC,UAAU,CAAC,CAAC;~~SACnD~~,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC;SAC3C,IAAI,CAAC,EAAE,CAAC,CAAA;~~IAEX~~,~~OAAO~~,~~EAAE~~,~~GAAG~~,~~EAAE~~,OAAO,~~EAAE~~,~~SAAS~~,~~EAAE~~,CAAA;~~AACpC~~,CAAC;AAED~~,+DAA+D~~;~~AAC/D~~,MAAM,UAAU,mBAAmB,CACjC,MAAmB,EACnB,UAAkB,EAClB,MAA+C;IAE/C,IAAI,MAAM,CAAC,WAAW,IAAI,CAAC,MAAM,CAAC,WAAW,CAAC,QAAQ,CAAC,UAAU,CAAC,EAAE,CAAC;~~QACnE~~,OAAO,~~KAAK~~,CAAA;~~IACd~~,CAAC~~;IACD~~,IAAI,MAAM,CAAC,OAAO,IAAI,CAAC,MAAM,CAAC,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAC,~~EAAE~~,CAAC;~~QACvD~~,OAAO,KAAK,CAAA;~~IACd~~,CAAC;~~IACD~~,OAAO,IAAI,CAAA;~~AACb~~,CAAC"}
1	+ {"version":3,"file":"api-key-enhanced.js","sourceRoot":"","sources":["../../src/security/api-key-enhanced.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAsCH,sDAAsD;AACtD,MAAM,CAAC,KAAK,UAAU,cAAc,CAClC,MAA4B;IAE5B,MAAM,QAAQ,GAAG,MAAM,CAAC,eAAe,CAAC,IAAI,UAAU,CAAC,EAAE,CAAC,CAAC,CAAA;IAC3D,MAAM,MAAM,GAAG,KAAK,CAAC,IAAI,CAAC,QAAQ,CAAC;SAChC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC;SAC3C,IAAI,CAAC,EAAE,CAAC,CAAA;IACX,MAAM,GAAG,GAAG,GAAG,MAAM,CAAC,MAAM,IAAI,MAAM,EAAE,CAAA;IACxC,4EAA4E;IAC5E,8CAA8C;IAC9C,MAAM,SAAS,GAAG,GAAG,CAAC,KAAK,CAAC,CAAC,EAAE,MAAM,CAAC,MAAM,CAAC,MAAM,GAAG,CAAC,CAAC,CAAA;IACxD,MAAM,OAAO,GAAG,MAAM,UAAU,CAAC,GAAG,CAAC,CAAA;IAErC,OAAO,EAAE,GAAG,EAAE,OAAO,EAAE,SAAS,EAAE,CAAA;AACpC,CAAC;AAED,6CAA6C;AAC7C,MAAM,CAAC,KAAK,UAAU,UAAU,CAAC,MAAc;IAC7C,MAAM,UAAU,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,SAAS,EAAE,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,CAAA;IAC1F,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,UAAU,CAAC,UAAU,CAAC,CAAC;SAC1C,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC;SAC3C,IAAI,CAAC,EAAE,CAAC,CAAA;AACb,CAAC;AAED,qFAAqF;AACrF,MAAM,UAAU,eAAe,CAAC,KAAa;IAC3C,OAAO,yBAAyB,CAAC,IAAI,CAAC,KAAK,CAAC,CAAA;AAC9C,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,mBAAmB,CACjC,MAAmB,EACnB,UAAkB,EAClB,MAA+C;IAE/C,IAAI,MAAM,CAAC,KAAK;QAAE,OAAO,IAAI,CAAA;IAC7B,IAAI,CAAC,MAAM,CAAC,WAAW,IAAI,MAAM,CAAC,WAAW,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,KAAK,CAAA;IACxE,IAAI,CAAC,MAAM,CAAC,OAAO,IAAI,CAAC,MAAM,CAAC,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAC;QAAE,OAAO,KAAK,CAAA;IACrE,IAAI,MAAM,CAAC,WAAW,CAAC,QAAQ,CAAC,GAAG,CAAC;QAAE,OAAO,IAAI,CAAA;IACjD,OAAO,MAAM,CAAC,WAAW,CAAC,QAAQ,CAAC,UAAU,CAAC,CAAA;AAChD,CAAC;AAED,0CAA0C;AAC1C,MAAM,UAAU,yBAAyB,CAAC,MAAmB,EAAE,IAAY;IACzE,IAAI,MAAM,CAAC,KAAK;QAAE,OAAO,IAAI,CAAA;IAC7B,IAAI,CAAC,MAAM,CAAC,OAAO,IAAI,MAAM,CAAC,OAAO,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,KAAK,CAAA;IAChE,IAAI,MAAM,CAAC,OAAO,CAAC,QAAQ,CAAC,GAAG,CAAC;QAAE,OAAO,IAAI,CAAA;IAC7C,OAAO,MAAM,CAAC,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAA;AACtC,CAAC;AAED,mDAAmD;AACnD,MAAM,UAAU,wBAAwB,CAAC,MAAmB;IAC1D,OAAO,MAAM,CAAC,KAAK,KAAK,IAAI,IAAI,MAAM,CAAC,KAAK,KAAK,IAAI,CAAA;AACvD,CAAC;AAED,oDAAoD;AACpD,MAAM,UAAU,8BAA8B,CAAC,MAAmB;IAChE,OAAO,MAAM,CAAC,KAAK,KAAK,IAAI,IAAI,MAAM,CAAC,WAAW,KAAK,IAAI,CAAA;AAC7D,CAAC;AAED,gEAAgE;AAChE,MAAM,UAAU,gBAAgB,CAAC,YAAyC,EAAE,EAAU;IACpF,IAAI,CAAC,YAAY,IAAI,YAAY,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,IAAI,CAAA;IAC3D,IAAI,CAAC,EAAE,IAAI,EAAE,KAAK,SAAS;QAAE,OAAO,KAAK,CAAA;IACzC,OAAO,YAAY,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAA;AAClC,CAAC"}

package/dist/security/audit.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"audit.d.ts","sourceRoot":"","sources":["../../src/security/audit.ts"],"names":[],"mappings":"~~AAEA~~,MAAM,WAAW,UAAU;IACzB,KAAK,EAAE,MAAM,CAAA;IACb,MAAM,CAAC,EAAE,MAAM,CAAA;IACf,SAAS,CAAC,EAAE,MAAM,CAAA;IAClB,SAAS,CAAC,EAAE,MAAM,CAAA;IAClB,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAA;IACjC,SAAS,CAAC,EAAE,IAAI,CAAA;CACjB;AAED,MAAM,WAAW,aAAa;IAC5B,KAAK,CAAC,EAAE,MAAM,CAAA;IACd,MAAM,CAAC,EAAE,MAAM,CAAA;IACf,IAAI,CAAC,EAAE,IAAI,CAAA;IACX,EAAE,CAAC,EAAE,IAAI,CAAA;IACT,KAAK,CAAC,EAAE,MAAM,CAAA;IACd,MAAM,CAAC,EAAE,MAAM,CAAA;CAChB;AAED,MAAM,WAAW,cAAc;IAC7B,OAAO,EAAE,UAAU,EAAE,CAAA;IACrB,KAAK,EAAE,MAAM,CAAA;CACd;AAED,iCAAiC;AACjC,wBAAsB,QAAQ,CAAC,KAAK,EAAE;IACpC,KAAK,EAAE,MAAM,CAAA;IACb,MAAM,CAAC,EAAE,MAAM,CAAA;IACf,SAAS,CAAC,EAAE,MAAM,CAAA;IAClB,SAAS,CAAC,EAAE,MAAM,CAAA;IAClB,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAA;CAClC,GAAG,OAAO,CAAC,IAAI,CAAC,CAmBhB;AAED,2DAA2D;AAC3D,wBAAsB,WAAW,CAC/B,OAAO,GAAE;IACP,MAAM,CAAC,EAAE,MAAM,CAAA;IACf,KAAK,CAAC,EAAE,MAAM,CAAA;IACd,IAAI,CAAC,EAAE,MAAM,CAAA;IACb,QAAQ,CAAC,EAAE,MAAM,CAAA;CACb,GACL,OAAO,CAAC;IAAE,OAAO,EAAE,GAAG,EAAE,CAAC;IAAC,KAAK,EAAE,MAAM,CAAA;CAAE,CAAC,CAmB5C"}
1	+ {"version":3,"file":"audit.d.ts","sourceRoot":"","sources":["../../src/security/audit.ts"],"names":[],"mappings":"AAKA,MAAM,WAAW,UAAU;IACzB,KAAK,EAAE,MAAM,CAAA;IACb,MAAM,CAAC,EAAE,MAAM,CAAA;IACf,SAAS,CAAC,EAAE,MAAM,CAAA;IAClB,SAAS,CAAC,EAAE,MAAM,CAAA;IAClB,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAA;IACjC,SAAS,CAAC,EAAE,IAAI,CAAA;CACjB;AAED,MAAM,WAAW,aAAa;IAC5B,KAAK,CAAC,EAAE,MAAM,CAAA;IACd,MAAM,CAAC,EAAE,MAAM,CAAA;IACf,IAAI,CAAC,EAAE,IAAI,CAAA;IACX,EAAE,CAAC,EAAE,IAAI,CAAA;IACT,KAAK,CAAC,EAAE,MAAM,CAAA;IACd,MAAM,CAAC,EAAE,MAAM,CAAA;CAChB;AAED,MAAM,WAAW,cAAc;IAC7B,OAAO,EAAE,UAAU,EAAE,CAAA;IACrB,KAAK,EAAE,MAAM,CAAA;CACd;AAED,iCAAiC;AACjC,wBAAsB,QAAQ,CAAC,KAAK,EAAE;IACpC,KAAK,EAAE,MAAM,CAAA;IACb,MAAM,CAAC,EAAE,MAAM,CAAA;IACf,SAAS,CAAC,EAAE,MAAM,CAAA;IAClB,SAAS,CAAC,EAAE,MAAM,CAAA;IAClB,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAA;CAClC,GAAG,OAAO,CAAC,IAAI,CAAC,CAmBhB;AAED,2DAA2D;AAC3D,wBAAsB,WAAW,CAC/B,OAAO,GAAE;IACP,MAAM,CAAC,EAAE,MAAM,CAAA;IACf,KAAK,CAAC,EAAE,MAAM,CAAA;IACd,IAAI,CAAC,EAAE,MAAM,CAAA;IACb,QAAQ,CAAC,EAAE,MAAM,CAAA;CACb,GACL,OAAO,CAAC;IAAE,OAAO,EAAE,GAAG,EAAE,CAAC;IAAC,KAAK,EAAE,MAAM,CAAA;CAAE,CAAC,CAmB5C"}

package/dist/security/audit.js CHANGED Viewed

@@ -1,4 +1,6 @@
 import { getDB } from '../db.js';
+import { createLogger } from '../diagnostics/logger.js';
+const logger = createLogger('audit');
 /** Record an audit log event. */
 export async function logEvent(event) {
     try {
@@ -17,7 +19,7 @@ export async function logEvent(event) {
         // Fail open — audit logging should never block the primary operation,
         // but still surface the failure so the operator can fix it.
         if (process.env.NODE_ENV !== 'test') {
-            console.error('[actuate][audit] logEvent failed:', err instanceof Error ? err.message : err);
+            logger.error('logEvent failed', { reason: err instanceof Error ? err.message : String(err) });
         }
     }
 }

package/dist/security/audit.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"audit.js","sourceRoot":"","sources":["../../src/security/audit.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,KAAK,EAAE,MAAM,UAAU,CAAA;~~AAyBhC~~,iCAAiC;AACjC,MAAM,CAAC,KAAK,UAAU,QAAQ,CAAC,KAM9B;IACC,IAAI,CAAC;QACH,MAAM,EAAE,GAAG,KAAK,EAAO,CAAA;QACvB,MAAM,EAAE,CAAC,QAAQ,CAAC,MAAM,CAAC;YACvB,IAAI,EAAE;gBACJ,KAAK,EAAE,KAAK,CAAC,KAAK;gBAClB,MAAM,EAAE,KAAK,CAAC,MAAM,IAAI,IAAI;gBAC5B,SAAS,EAAE,KAAK,CAAC,SAAS,IAAI,IAAI;gBAClC,SAAS,EAAE,KAAK,CAAC,SAAS,IAAI,IAAI;gBAClC,OAAO,EAAE,KAAK,CAAC,OAAO,IAAI,IAAI;aAC/B;SACF,CAAC,CAAA;IACJ,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,sEAAsE;QACtE,4DAA4D;QAC5D,IAAI,OAAO,CAAC,GAAG,CAAC,QAAQ,KAAK,MAAM,EAAE,CAAC;YACpC,~~OAAO~~,CAAC,KAAK,CAAC,~~mCAAmC~~,EAAE,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,GAAG,CAAC,CAAA;~~QAC9F~~,CAAC;IACH,CAAC;AACH,CAAC;AAED,2DAA2D;AAC3D,MAAM,CAAC,KAAK,UAAU,WAAW,CAC/B,UAKI,EAAE;IAEN,MAAM,EAAE,GAAG,KAAK,EAAO,CAAA;IACvB,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE,IAAI,GAAG,CAAC,EAAE,QAAQ,GAAG,EAAE,EAAE,GAAG,OAAO,CAAA;IAE1D,MAAM,KAAK,GAAQ,EAAE,CAAA;IACrB,IAAI,MAAM;QAAE,KAAK,CAAC,MAAM,GAAG,MAAM,CAAA;IACjC,IAAI,KAAK;QAAE,KAAK,CAAC,KAAK,GAAG,KAAK,CAAA;IAE9B,MAAM,CAAC,OAAO,EAAE,KAAK,CAAC,GAAG,MAAM,OAAO,CAAC,GAAG,CAAC;QACzC,EAAE,CAAC,QAAQ,CAAC,QAAQ,CAAC;YACnB,KAAK;YACL,OAAO,EAAE,EAAE,SAAS,EAAE,MAAM,EAAE;YAC9B,IAAI,EAAE,CAAC,IAAI,GAAG,CAAC,CAAC,GAAG,QAAQ;YAC3B,IAAI,EAAE,QAAQ;SACf,CAAC;QACF,EAAE,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE,KAAK,EAAE,CAAC;KAC7B,CAAC,CAAA;IAEF,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,CAAA;AAC3B,CAAC"}
1	+ {"version":3,"file":"audit.js","sourceRoot":"","sources":["../../src/security/audit.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,KAAK,EAAE,MAAM,UAAU,CAAA;AAChC,OAAO,EAAE,YAAY,EAAE,MAAM,0BAA0B,CAAA;AAEvD,MAAM,MAAM,GAAG,YAAY,CAAC,OAAO,CAAC,CAAA;AAyBpC,iCAAiC;AACjC,MAAM,CAAC,KAAK,UAAU,QAAQ,CAAC,KAM9B;IACC,IAAI,CAAC;QACH,MAAM,EAAE,GAAG,KAAK,EAAO,CAAA;QACvB,MAAM,EAAE,CAAC,QAAQ,CAAC,MAAM,CAAC;YACvB,IAAI,EAAE;gBACJ,KAAK,EAAE,KAAK,CAAC,KAAK;gBAClB,MAAM,EAAE,KAAK,CAAC,MAAM,IAAI,IAAI;gBAC5B,SAAS,EAAE,KAAK,CAAC,SAAS,IAAI,IAAI;gBAClC,SAAS,EAAE,KAAK,CAAC,SAAS,IAAI,IAAI;gBAClC,OAAO,EAAE,KAAK,CAAC,OAAO,IAAI,IAAI;aAC/B;SACF,CAAC,CAAA;IACJ,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,sEAAsE;QACtE,4DAA4D;QAC5D,IAAI,OAAO,CAAC,GAAG,CAAC,QAAQ,KAAK,MAAM,EAAE,CAAC;YACpC,MAAM,CAAC,KAAK,CAAC,iBAAiB,EAAE,EAAE,MAAM,EAAE,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC,CAAA;QAC/F,CAAC;IACH,CAAC;AACH,CAAC;AAED,2DAA2D;AAC3D,MAAM,CAAC,KAAK,UAAU,WAAW,CAC/B,UAKI,EAAE;IAEN,MAAM,EAAE,GAAG,KAAK,EAAO,CAAA;IACvB,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE,IAAI,GAAG,CAAC,EAAE,QAAQ,GAAG,EAAE,EAAE,GAAG,OAAO,CAAA;IAE1D,MAAM,KAAK,GAAQ,EAAE,CAAA;IACrB,IAAI,MAAM;QAAE,KAAK,CAAC,MAAM,GAAG,MAAM,CAAA;IACjC,IAAI,KAAK;QAAE,KAAK,CAAC,KAAK,GAAG,KAAK,CAAA;IAE9B,MAAM,CAAC,OAAO,EAAE,KAAK,CAAC,GAAG,MAAM,OAAO,CAAC,GAAG,CAAC;QACzC,EAAE,CAAC,QAAQ,CAAC,QAAQ,CAAC;YACnB,KAAK;YACL,OAAO,EAAE,EAAE,SAAS,EAAE,MAAM,EAAE;YAC9B,IAAI,EAAE,CAAC,IAAI,GAAG,CAAC,CAAC,GAAG,QAAQ;YAC3B,IAAI,EAAE,QAAQ;SACf,CAAC;QACF,EAAE,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE,KAAK,EAAE,CAAC;KAC7B,CAAC,CAAA;IAEF,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,CAAA;AAC3B,CAAC"}

package/dist/security/rate-limit.d.ts CHANGED Viewed

@@ -11,6 +11,14 @@ export interface RateLimiter {
 export interface RateLimitConfig {
     windowMs: number;
     maxRequests: number;
+    /**
+     * Maximum number of distinct keys retained by the in-memory limiter.
+     * When exceeded, the oldest entry (insertion order) is evicted. Defaults
+     * to 10,000 — high enough to cover any legitimate single-process traffic
+     * while bounding worst-case memory under enumeration / IP-spoofing
+     * attacks. See M1 in the engineering audit.
+     */
+    maxKeys?: number;
 }
 /** Create a rate limiter backed by an in-memory sliding window (for dev/single-process). */
 export declare function createInMemoryRateLimiter(config: RateLimitConfig): RateLimiter;

package/dist/security/rate-limit.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"rate-limit.d.ts","sourceRoot":"","sources":["../../src/security/rate-limit.ts"],"names":[],"mappings":"~~AAAA~~,MAAM,WAAW,eAAe;IAC9B,OAAO,EAAE,OAAO,CAAA;IAChB,SAAS,EAAE,MAAM,CAAA;IACjB,OAAO,EAAE,IAAI,CAAA;IACb,UAAU,CAAC,EAAE,MAAM,CAAA;CACpB;AAED,MAAM,WAAW,WAAW;IAC1B,KAAK,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,eAAe,CAAC,CAAA;IAC5C,KAAK,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAA;CAClC;AAED,MAAM,WAAW,eAAe;IAC9B,QAAQ,EAAE,MAAM,CAAA;IAChB,WAAW,EAAE,MAAM,CAAA;~~CACpB~~;~~AAED~~,4FAA4F;AAC5F,wBAAgB,yBAAyB,CAAC,MAAM,EAAE,eAAe,GAAG,WAAW,~~CA4B9E~~;~~AAED~~,iFAAiF;AACjF,wBAAgB,wBAAwB,CAAC,MAAM,EAAE,eAAe,GAAG,WAAW,~~CAqF7E~~;AA6BD,wBAAgB,iBAAiB,CAAC,MAAM,EAAE,eAAe,GAAG,WAAW,CAkBtE"}
1	+ {"version":3,"file":"rate-limit.d.ts","sourceRoot":"","sources":["../../src/security/rate-limit.ts"],"names":[],"mappings":"AAIA,MAAM,WAAW,eAAe;IAC9B,OAAO,EAAE,OAAO,CAAA;IAChB,SAAS,EAAE,MAAM,CAAA;IACjB,OAAO,EAAE,IAAI,CAAA;IACb,UAAU,CAAC,EAAE,MAAM,CAAA;CACpB;AAED,MAAM,WAAW,WAAW;IAC1B,KAAK,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,eAAe,CAAC,CAAA;IAC5C,KAAK,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAA;CAClC;AAED,MAAM,WAAW,eAAe;IAC9B,QAAQ,EAAE,MAAM,CAAA;IAChB,WAAW,EAAE,MAAM,CAAA;IACnB;;;;;;OAMG;IACH,OAAO,CAAC,EAAE,MAAM,CAAA;CACjB;AASD,4FAA4F;AAC5F,wBAAgB,yBAAyB,CAAC,MAAM,EAAE,eAAe,GAAG,WAAW,CAmE9E;AA2BD,iFAAiF;AACjF,wBAAgB,wBAAwB,CAAC,MAAM,EAAE,eAAe,GAAG,WAAW,CAuF7E;AA6BD,wBAAgB,iBAAiB,CAAC,MAAM,EAAE,eAAe,GAAG,WAAW,CAkBtE"}

package/dist/security/rate-limit.js CHANGED Viewed

@@ -1,16 +1,61 @@
+import { createLogger } from '../diagnostics/logger.js';
+const logger = createLogger('rate-limit');
+const DEFAULT_MAX_KEYS = 10_000;
+/**
+ * Sweep expired entries on every Nth `check()` call. Tunable at module level
+ * so tests can stub it without exposing it via the public config surface.
+ */
+const SWEEP_EVERY_N_CHECKS = 256;
 /** Create a rate limiter backed by an in-memory sliding window (for dev/single-process). */
 export function createInMemoryRateLimiter(config) {
+    // `Map` preserves insertion order so we can use it as an LRU directly:
+    // every `check()` re-inserts the touched key (delete + set) which moves it
+    // to the tail. When we exceed the cap, `windows.keys().next().value` is the
+    // least-recently-touched entry and we evict it.
     const windows = new Map();
+    const maxKeys = config.maxKeys && config.maxKeys > 0 ? config.maxKeys : DEFAULT_MAX_KEYS;
+    let checksSinceSweep = 0;
+    function sweepExpired(now) {
+        // Bounded periodic cleanup of expired entries. We cap iterations so a
+        // pathological burst of new keys can't make this O(n) on every call.
+        let removed = 0;
+        for (const [key, entry] of windows) {
+            if (entry.resetAt <= now) {
+                windows.delete(key);
+                removed++;
+                if (removed >= 1000)
+                    break;
+            }
+        }
+    }
+    function evictIfFull() {
+        while (windows.size >= maxKeys) {
+            const oldestKey = windows.keys().next().value;
+            if (oldestKey === undefined)
+                break;
+            windows.delete(oldestKey);
+        }
+    }
     return {
         async check(key) {
             const now = Date.now();
+            checksSinceSweep++;
+            if (checksSinceSweep >= SWEEP_EVERY_N_CHECKS) {
+                checksSinceSweep = 0;
+                sweepExpired(now);
+            }
             const entry = windows.get(key);
             if (!entry || now > entry.resetAt) {
                 const resetAt = now + config.windowMs;
+                windows.delete(key);
+                evictIfFull();
                 windows.set(key, { count: 1, resetAt });
                 return { allowed: true, remaining: config.maxRequests - 1, resetAt: new Date(resetAt) };
             }
             entry.count++;
+            // Re-insert to mark as most-recently-used.
+            windows.delete(key);
+            windows.set(key, entry);
             const allowed = entry.count <= config.maxRequests;
             return {
                 allowed,
@@ -24,6 +69,31 @@ export function createInMemoryRateLimiter(config) {
         },
     };
 }
+/**
+ * Throttle the noisy "Upstash failed" audit event so a sustained outage does
+ * not generate one DB write per request. We allow at most one audit log per
+ * `AUDIT_THROTTLE_MS`. The `console.error` line still fires on every failure
+ * for live operator visibility.
+ */
+const AUDIT_THROTTLE_MS = 60_000;
+let lastAuditAt = 0;
+async function emitDegradedAudit(reason) {
+    const now = Date.now();
+    if (now - lastAuditAt < AUDIT_THROTTLE_MS)
+        return;
+    lastAuditAt = now;
+    try {
+        // Lazy import — avoids a static dep cycle (audit.ts -> db.js -> ...).
+        const { logEvent } = await import('./audit.js');
+        await logEvent({
+            event: 'rate_limit.degraded',
+            details: { reason, throttleMs: AUDIT_THROTTLE_MS },
+        });
+    }
+    catch {
+        // Audit failures are themselves logged in audit.ts; don't double-log here.
+    }
+}
 /** Create a rate limiter backed by Upstash Redis (for serverless/production). */
 export function createUpstashRateLimiter(config) {
     const url = process.env.UPSTASH_REDIS_REST_URL;
@@ -79,8 +149,14 @@ export function createUpstashRateLimiter(config) {
             }
             catch (err) {
                 // Fail open with logging — a Redis outage should NOT take the entire
-                // CMS offline. Audit-level logging makes the degradation visible.
-                console.error('[actuate][rate-limit] Upstash request failed, allowing through:', err instanceof Error ? err.message : err);
+                // CMS offline. We surface the degradation through:
+                //   1. console.error for live ops/log aggregator dashboards;
+                //   2. a throttled audit-log event so the outage is preserved in the
+                //      durable security record without flooding the DB during long
+                //      Upstash incidents.
+                const reason = err instanceof Error ? err.message : String(err);
+                logger.error('Upstash request failed, allowing through', { reason });
+                void emitDegradedAudit(reason);
                 return {
                     allowed: true,
                     remaining: Math.max(0, config.maxRequests - 1),
@@ -93,7 +169,9 @@ export function createUpstashRateLimiter(config) {
                 await redisPipeline([['DEL', `ratelimit:${key}`]]);
             }
             catch (err) {
-                console.error('[actuate][rate-limit] Upstash reset failed:', err instanceof Error ? err.message : err);
+                logger.error('Upstash reset failed', {
+                    reason: err instanceof Error ? err.message : String(err),
+                });
             }
         },
     };

package/dist/security/rate-limit.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"rate-limit.js","sourceRoot":"","sources":["../../src/security/rate-limit.ts"],"names":[],"mappings":"~~AAiBA~~,4FAA4F;AAC5F,MAAM,UAAU,yBAAyB,CAAC,MAAuB;IAC/D,MAAM,OAAO,GAAG,IAAI,GAAG,EAA8C,CAAA;~~IAErE~~,OAAO;QACL,KAAK,CAAC,KAAK,CAAC,GAAW;YACrB,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAA;YACtB,MAAM,KAAK,GAAG,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC,CAAA;YAE9B,IAAI,CAAC,KAAK,IAAI,GAAG,GAAG,KAAK,CAAC,OAAO,EAAE,CAAC;gBAClC,MAAM,OAAO,GAAG,GAAG,GAAG,MAAM,CAAC,QAAQ,CAAA;gBACrC,OAAO,CAAC,GAAG,CAAC,GAAG,EAAE,EAAE,KAAK,EAAE,CAAC,EAAE,OAAO,EAAE,CAAC,CAAA;gBACvC,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,SAAS,EAAE,MAAM,CAAC,WAAW,GAAG,CAAC,EAAE,OAAO,EAAE,IAAI,IAAI,CAAC,OAAO,CAAC,EAAE,CAAA;YACzF,CAAC;YAED,KAAK,CAAC,KAAK,EAAE,CAAA;YACb,MAAM,OAAO,GAAG,KAAK,CAAC,KAAK,IAAI,MAAM,CAAC,WAAW,CAAA;YACjD,OAAO;gBACL,OAAO;gBACP,SAAS,EAAE,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,MAAM,CAAC,WAAW,GAAG,KAAK,CAAC,KAAK,CAAC;gBACxD,OAAO,EAAE,IAAI,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC;gBAChC,UAAU,EAAE,OAAO,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,KAAK,CAAC,OAAO,GAAG,GAAG,CAAC,GAAG,IAAI,CAAC;aAC1E,CAAA;QACH,CAAC;QAED,KAAK,CAAC,KAAK,CAAC,GAAW;YACrB,OAAO,CAAC,MAAM,CAAC,GAAG,CAAC,CAAA;QACrB,CAAC;KACF,CAAA;AACH,CAAC;AAED,iFAAiF;AACjF,MAAM,UAAU,wBAAwB,CAAC,MAAuB;IAC9D,MAAM,GAAG,GAAG,OAAO,CAAC,GAAG,CAAC,sBAAsB,CAAA;IAC9C,MAAM,KAAK,GAAG,OAAO,CAAC,GAAG,CAAC,wBAAwB,CAAA;IAElD,IAAI,CAAC,GAAG,IAAI,CAAC,KAAK,EAAE,CAAC;QACnB,MAAM,IAAI,KAAK,CAAC,kEAAkE,CAAC,CAAA;IACrF,CAAC;IAED,KAAK,UAAU,aAAa,CAAC,QAAoB;QAC/C,yEAAyE;QACzE,qEAAqE;QACrE,wEAAwE;QACxE,qEAAqE;QACrE,0BAA0B;QAC1B,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,GAAG,GAAG,WAAW,EAAE;YAC9C,MAAM,EAAE,MAAM;YACd,OAAO,EAAE;gBACP,aAAa,EAAE,UAAU,KAAK,EAAE;gBAChC,cAAc,EAAE,kBAAkB;aACnC;YACD,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC;SAC/B,CAAC,CAAA;QACF,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;YACjB,MAAM,IAAI,KAAK,CAAC,6BAA6B,QAAQ,CAAC,MAAM,EAAE,CAAC,CAAA;QACjE,CAAC;QACD,MAAM,IAAI,GAAG,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAA4C,CAAA;QAC/E,OAAO,IAAI,CAAC,GAAG,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,KAAK,EAAE,MAAM,CAAC,CAAA;IAC3C,CAAC;IAED,MAAM,SAAS,GAAG,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,QAAQ,GAAG,IAAI,CAAC,CAAA;IAEnD,OAAO;QACL,KAAK,CAAC,KAAK,CAAC,GAAW;YACrB,MAAM,QAAQ,GAAG,aAAa,GAAG,EAAE,CAAA;YAEnC,IAAI,CAAC;gBACH,MAAM,CAAC,KAAK,EAAE,aAAa,EAAE,GAAG,CAAC,GAAG,CAAC,MAAM,aAAa,CAAC;oBACvD,CAAC,MAAM,EAAE,QAAQ,CAAC;oBAClB,CAAC,QAAQ,EAAE,QAAQ,EAAE,MAAM,CAAC,SAAS,CAAC,EAAE,IAAI,CAAC,EAAE,8BAA8B;oBAC7E,CAAC,KAAK,EAAE,QAAQ,CAAC;iBAClB,CAAC,CAA6B,CAAA;gBAE/B,uEAAuE;gBACvE,oEAAoE;gBACpE,sDAAsD;gBACtD,IAAI,GAAG,GAAG,CAAC,EAAE,CAAC;oBACZ,MAAM,aAAa,CAAC,CAAC,CAAC,QAAQ,EAAE,QAAQ,EAAE,MAAM,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,SAAS,CAAC,CAAA;gBACvF,CAAC;gBAED,MAAM,YAAY,GAAG,GAAG,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,SAAS,CAAA;gBAC9C,MAAM,OAAO,GAAG,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,YAAY,GAAG,IAAI,CAAC,CAAA;gBAC1D,MAAM,OAAO,GAAG,KAAK,IAAI,MAAM,CAAC,WAAW,CAAA;gBAE3C,OAAO;oBACL,OAAO;oBACP,SAAS,EAAE,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,MAAM,CAAC,WAAW,GAAG,KAAK,CAAC;oBAClD,OAAO;oBACP,UAAU,EAAE,OAAO,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,YAAY;iBAC/C,CAAA;YACH,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACb,qEAAqE;gBACrE,~~kEAAkE~~;~~gBAClE~~,~~OAAO~~,~~CAAC~~,~~KAAK~~,~~CACX~~,~~iEAAiE~~,~~EACjE~~,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,GAAG,~~CACzC~~,CAAA;~~gBACD~~,OAAO;oBACL,OAAO,EAAE,IAAI;oBACb,SAAS,EAAE,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,MAAM,CAAC,WAAW,GAAG,CAAC,CAAC;oBAC9C,OAAO,EAAE,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,MAAM,CAAC,QAAQ,CAAC;iBAChD,CAAA;YACH,CAAC;QACH,CAAC;QAED,KAAK,CAAC,KAAK,CAAC,GAAW;YACrB,IAAI,CAAC;gBACH,MAAM,aAAa,CAAC,CAAC,CAAC,KAAK,EAAE,aAAa,GAAG,EAAE,CAAC,CAAC,CAAC,CAAA;YACpD,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACb,~~OAAO~~,CAAC,KAAK,~~CACX~~,~~6CAA6C~~,~~EAC7C~~,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,GAAG,~~CACzC~~,CAAA;~~YACH~~,CAAC;QACH,CAAC;KACF,CAAA;AACH,CAAC;AAED;;;GAGG;AACH;;;;;;;;;GASG;AACH,SAAS,2BAA2B,CAAC,MAAuB;IAC1D,OAAO;QACL,KAAK,CAAC,KAAK;YACT,OAAO;gBACL,OAAO,EAAE,IAAI;gBACb,SAAS,EAAE,MAAM,CAAC,WAAW;gBAC7B,OAAO,EAAE,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,MAAM,CAAC,QAAQ,CAAC;aAChD,CAAA;QACH,CAAC;QACD,KAAK,CAAC,KAAK,KAAmB,CAAC;KAChC,CAAA;AACH,CAAC;AAED,MAAM,UAAU,iBAAiB,CAAC,MAAuB;IACvD,yEAAyE;IACzE,uEAAuE;IACvE,sEAAsE;IACtE,uEAAuE;IACvE,qEAAqE;IACrE,IAAI,OAAO,CAAC,GAAG,CAAC,0BAA0B,KAAK,GAAG,EAAE,CAAC;QACnD,OAAO,2BAA2B,CAAC,MAAM,CAAC,CAAA;IAC5C,CAAC;IAED,IAAI,OAAO,CAAC,GAAG,CAAC,sBAAsB,IAAI,OAAO,CAAC,GAAG,CAAC,wBAAwB,EAAE,CAAC;QAC/E,IAAI,CAAC;YACH,OAAO,wBAAwB,CAAC,MAAM,CAAC,CAAA;QACzC,CAAC;QAAC,MAAM,CAAC;YACP,8CAA8C;QAChD,CAAC;IACH,CAAC;IACD,OAAO,yBAAyB,CAAC,MAAM,CAAC,CAAA;AAC1C,CAAC"}
1	+ {"version":3,"file":"rate-limit.js","sourceRoot":"","sources":["../../src/security/rate-limit.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAE,MAAM,0BAA0B,CAAA;AAEvD,MAAM,MAAM,GAAG,YAAY,CAAC,YAAY,CAAC,CAAA;AA2BzC,MAAM,gBAAgB,GAAG,MAAM,CAAA;AAC/B;;;GAGG;AACH,MAAM,oBAAoB,GAAG,GAAG,CAAA;AAEhC,4FAA4F;AAC5F,MAAM,UAAU,yBAAyB,CAAC,MAAuB;IAC/D,uEAAuE;IACvE,2EAA2E;IAC3E,4EAA4E;IAC5E,gDAAgD;IAChD,MAAM,OAAO,GAAG,IAAI,GAAG,EAA8C,CAAA;IACrE,MAAM,OAAO,GAAG,MAAM,CAAC,OAAO,IAAI,MAAM,CAAC,OAAO,GAAG,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,CAAC,gBAAgB,CAAA;IACxF,IAAI,gBAAgB,GAAG,CAAC,CAAA;IAExB,SAAS,YAAY,CAAC,GAAW;QAC/B,sEAAsE;QACtE,qEAAqE;QACrE,IAAI,OAAO,GAAG,CAAC,CAAA;QACf,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,OAAO,EAAE,CAAC;YACnC,IAAI,KAAK,CAAC,OAAO,IAAI,GAAG,EAAE,CAAC;gBACzB,OAAO,CAAC,MAAM,CAAC,GAAG,CAAC,CAAA;gBACnB,OAAO,EAAE,CAAA;gBACT,IAAI,OAAO,IAAI,IAAI;oBAAE,MAAK;YAC5B,CAAC;QACH,CAAC;IACH,CAAC;IAED,SAAS,WAAW;QAClB,OAAO,OAAO,CAAC,IAAI,IAAI,OAAO,EAAE,CAAC;YAC/B,MAAM,SAAS,GAAG,OAAO,CAAC,IAAI,EAAE,CAAC,IAAI,EAAE,CAAC,KAAK,CAAA;YAC7C,IAAI,SAAS,KAAK,SAAS;gBAAE,MAAK;YAClC,OAAO,CAAC,MAAM,CAAC,SAAS,CAAC,CAAA;QAC3B,CAAC;IACH,CAAC;IAED,OAAO;QACL,KAAK,CAAC,KAAK,CAAC,GAAW;YACrB,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAA;YACtB,gBAAgB,EAAE,CAAA;YAClB,IAAI,gBAAgB,IAAI,oBAAoB,EAAE,CAAC;gBAC7C,gBAAgB,GAAG,CAAC,CAAA;gBACpB,YAAY,CAAC,GAAG,CAAC,CAAA;YACnB,CAAC;YAED,MAAM,KAAK,GAAG,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC,CAAA;YAE9B,IAAI,CAAC,KAAK,IAAI,GAAG,GAAG,KAAK,CAAC,OAAO,EAAE,CAAC;gBAClC,MAAM,OAAO,GAAG,GAAG,GAAG,MAAM,CAAC,QAAQ,CAAA;gBACrC,OAAO,CAAC,MAAM,CAAC,GAAG,CAAC,CAAA;gBACnB,WAAW,EAAE,CAAA;gBACb,OAAO,CAAC,GAAG,CAAC,GAAG,EAAE,EAAE,KAAK,EAAE,CAAC,EAAE,OAAO,EAAE,CAAC,CAAA;gBACvC,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,SAAS,EAAE,MAAM,CAAC,WAAW,GAAG,CAAC,EAAE,OAAO,EAAE,IAAI,IAAI,CAAC,OAAO,CAAC,EAAE,CAAA;YACzF,CAAC;YAED,KAAK,CAAC,KAAK,EAAE,CAAA;YACb,2CAA2C;YAC3C,OAAO,CAAC,MAAM,CAAC,GAAG,CAAC,CAAA;YACnB,OAAO,CAAC,GAAG,CAAC,GAAG,EAAE,KAAK,CAAC,CAAA;YAEvB,MAAM,OAAO,GAAG,KAAK,CAAC,KAAK,IAAI,MAAM,CAAC,WAAW,CAAA;YACjD,OAAO;gBACL,OAAO;gBACP,SAAS,EAAE,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,MAAM,CAAC,WAAW,GAAG,KAAK,CAAC,KAAK,CAAC;gBACxD,OAAO,EAAE,IAAI,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC;gBAChC,UAAU,EAAE,OAAO,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,KAAK,CAAC,OAAO,GAAG,GAAG,CAAC,GAAG,IAAI,CAAC;aAC1E,CAAA;QACH,CAAC;QAED,KAAK,CAAC,KAAK,CAAC,GAAW;YACrB,OAAO,CAAC,MAAM,CAAC,GAAG,CAAC,CAAA;QACrB,CAAC;KACF,CAAA;AACH,CAAC;AAED;;;;;GAKG;AACH,MAAM,iBAAiB,GAAG,MAAM,CAAA;AAChC,IAAI,WAAW,GAAG,CAAC,CAAA;AAEnB,KAAK,UAAU,iBAAiB,CAAC,MAAc;IAC7C,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAA;IACtB,IAAI,GAAG,GAAG,WAAW,GAAG,iBAAiB;QAAE,OAAM;IACjD,WAAW,GAAG,GAAG,CAAA;IACjB,IAAI,CAAC;QACH,sEAAsE;QACtE,MAAM,EAAE,QAAQ,EAAE,GAAG,MAAM,MAAM,CAAC,YAAY,CAAC,CAAA;QAC/C,MAAM,QAAQ,CAAC;YACb,KAAK,EAAE,qBAAqB;YAC5B,OAAO,EAAE,EAAE,MAAM,EAAE,UAAU,EAAE,iBAAiB,EAAE;SACnD,CAAC,CAAA;IACJ,CAAC;IAAC,MAAM,CAAC;QACP,2EAA2E;IAC7E,CAAC;AACH,CAAC;AAED,iFAAiF;AACjF,MAAM,UAAU,wBAAwB,CAAC,MAAuB;IAC9D,MAAM,GAAG,GAAG,OAAO,CAAC,GAAG,CAAC,sBAAsB,CAAA;IAC9C,MAAM,KAAK,GAAG,OAAO,CAAC,GAAG,CAAC,wBAAwB,CAAA;IAElD,IAAI,CAAC,GAAG,IAAI,CAAC,KAAK,EAAE,CAAC;QACnB,MAAM,IAAI,KAAK,CAAC,kEAAkE,CAAC,CAAA;IACrF,CAAC;IAED,KAAK,UAAU,aAAa,CAAC,QAAoB;QAC/C,yEAAyE;QACzE,qEAAqE;QACrE,wEAAwE;QACxE,qEAAqE;QACrE,0BAA0B;QAC1B,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,GAAG,GAAG,WAAW,EAAE;YAC9C,MAAM,EAAE,MAAM;YACd,OAAO,EAAE;gBACP,aAAa,EAAE,UAAU,KAAK,EAAE;gBAChC,cAAc,EAAE,kBAAkB;aACnC;YACD,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC;SAC/B,CAAC,CAAA;QACF,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;YACjB,MAAM,IAAI,KAAK,CAAC,6BAA6B,QAAQ,CAAC,MAAM,EAAE,CAAC,CAAA;QACjE,CAAC;QACD,MAAM,IAAI,GAAG,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAA4C,CAAA;QAC/E,OAAO,IAAI,CAAC,GAAG,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,KAAK,EAAE,MAAM,CAAC,CAAA;IAC3C,CAAC;IAED,MAAM,SAAS,GAAG,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,QAAQ,GAAG,IAAI,CAAC,CAAA;IAEnD,OAAO;QACL,KAAK,CAAC,KAAK,CAAC,GAAW;YACrB,MAAM,QAAQ,GAAG,aAAa,GAAG,EAAE,CAAA;YAEnC,IAAI,CAAC;gBACH,MAAM,CAAC,KAAK,EAAE,aAAa,EAAE,GAAG,CAAC,GAAG,CAAC,MAAM,aAAa,CAAC;oBACvD,CAAC,MAAM,EAAE,QAAQ,CAAC;oBAClB,CAAC,QAAQ,EAAE,QAAQ,EAAE,MAAM,CAAC,SAAS,CAAC,EAAE,IAAI,CAAC,EAAE,8BAA8B;oBAC7E,CAAC,KAAK,EAAE,QAAQ,CAAC;iBAClB,CAAC,CAA6B,CAAA;gBAE/B,uEAAuE;gBACvE,oEAAoE;gBACpE,sDAAsD;gBACtD,IAAI,GAAG,GAAG,CAAC,EAAE,CAAC;oBACZ,MAAM,aAAa,CAAC,CAAC,CAAC,QAAQ,EAAE,QAAQ,EAAE,MAAM,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,SAAS,CAAC,CAAA;gBACvF,CAAC;gBAED,MAAM,YAAY,GAAG,GAAG,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,SAAS,CAAA;gBAC9C,MAAM,OAAO,GAAG,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,YAAY,GAAG,IAAI,CAAC,CAAA;gBAC1D,MAAM,OAAO,GAAG,KAAK,IAAI,MAAM,CAAC,WAAW,CAAA;gBAE3C,OAAO;oBACL,OAAO;oBACP,SAAS,EAAE,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,MAAM,CAAC,WAAW,GAAG,KAAK,CAAC;oBAClD,OAAO;oBACP,UAAU,EAAE,OAAO,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,YAAY;iBAC/C,CAAA;YACH,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACb,qEAAqE;gBACrE,mDAAmD;gBACnD,6DAA6D;gBAC7D,qEAAqE;gBACrE,mEAAmE;gBACnE,0BAA0B;gBAC1B,MAAM,MAAM,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAA;gBAC/D,MAAM,CAAC,KAAK,CAAC,0CAA0C,EAAE,EAAE,MAAM,EAAE,CAAC,CAAA;gBACpE,KAAK,iBAAiB,CAAC,MAAM,CAAC,CAAA;gBAC9B,OAAO;oBACL,OAAO,EAAE,IAAI;oBACb,SAAS,EAAE,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,MAAM,CAAC,WAAW,GAAG,CAAC,CAAC;oBAC9C,OAAO,EAAE,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,MAAM,CAAC,QAAQ,CAAC;iBAChD,CAAA;YACH,CAAC;QACH,CAAC;QAED,KAAK,CAAC,KAAK,CAAC,GAAW;YACrB,IAAI,CAAC;gBACH,MAAM,aAAa,CAAC,CAAC,CAAC,KAAK,EAAE,aAAa,GAAG,EAAE,CAAC,CAAC,CAAC,CAAA;YACpD,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACb,MAAM,CAAC,KAAK,CAAC,sBAAsB,EAAE;oBACnC,MAAM,EAAE,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC;iBACzD,CAAC,CAAA;YACJ,CAAC;QACH,CAAC;KACF,CAAA;AACH,CAAC;AAED;;;GAGG;AACH;;;;;;;;;GASG;AACH,SAAS,2BAA2B,CAAC,MAAuB;IAC1D,OAAO;QACL,KAAK,CAAC,KAAK;YACT,OAAO;gBACL,OAAO,EAAE,IAAI;gBACb,SAAS,EAAE,MAAM,CAAC,WAAW;gBAC7B,OAAO,EAAE,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,MAAM,CAAC,QAAQ,CAAC;aAChD,CAAA;QACH,CAAC;QACD,KAAK,CAAC,KAAK,KAAmB,CAAC;KAChC,CAAA;AACH,CAAC;AAED,MAAM,UAAU,iBAAiB,CAAC,MAAuB;IACvD,yEAAyE;IACzE,uEAAuE;IACvE,sEAAsE;IACtE,uEAAuE;IACvE,qEAAqE;IACrE,IAAI,OAAO,CAAC,GAAG,CAAC,0BAA0B,KAAK,GAAG,EAAE,CAAC;QACnD,OAAO,2BAA2B,CAAC,MAAM,CAAC,CAAA;IAC5C,CAAC;IAED,IAAI,OAAO,CAAC,GAAG,CAAC,sBAAsB,IAAI,OAAO,CAAC,GAAG,CAAC,wBAAwB,EAAE,CAAC;QAC/E,IAAI,CAAC;YACH,OAAO,wBAAwB,CAAC,MAAM,CAAC,CAAA;QACzC,CAAC;QAAC,MAAM,CAAC;YACP,8CAA8C;QAChD,CAAC;IACH,CAAC;IACD,OAAO,yBAAyB,CAAC,MAAM,CAAC,CAAA;AAC1C,CAAC"}

package/generated/browser.ts ADDED Viewed

@@ -0,0 +1,109 @@
+/* !!! This is code generated by Prisma. Do not edit directly. !!! */
+/* eslint-disable */
+// biome-ignore-all lint: generated file
+// @ts-nocheck
+/*
+ * This file should be your main import to use Prisma-related types and utilities in a browser.
+ * Use it to get access to models, enums, and input types.
+ *
+ * This file does not contain a `PrismaClient` class, nor several other helpers that are intended as server-side only.
+ * See `client.ts` for the standard, server-side entry point.
+ *
+ * 🟢 You can import this file directly.
+ */
+import * as Prisma from './internal/prismaNamespaceBrowser'
+export { Prisma }
+export * as $Enums from './enums'
+export * from './enums';
+/**
+ * Model User
+ *
+ */
+export type User = Prisma.UserModel
+/**
+ * Model OAuthAccount
+ *
+ */
+export type OAuthAccount = Prisma.OAuthAccountModel
+/**
+ * Model Session
+ *
+ */
+export type Session = Prisma.SessionModel
+/**
+ * Model ApiKey
+ *
+ */
+export type ApiKey = Prisma.ApiKeyModel
+/**
+ * Model AuditLog
+ *
+ */
+export type AuditLog = Prisma.AuditLogModel
+/**
+ * Model Folder
+ *
+ */
+export type Folder = Prisma.FolderModel
+/**
+ * Model Document
+ *
+ */
+export type Document = Prisma.DocumentModel
+/**
+ * Model Version
+ *
+ */
+export type Version = Prisma.VersionModel
+/**
+ * Model Media
+ *
+ */
+export type Media = Prisma.MediaModel
+/**
+ * Model MediaUsage
+ *
+ */
+export type MediaUsage = Prisma.MediaUsageModel
+/**
+ * Model ContentLock
+ *
+ */
+export type ContentLock = Prisma.ContentLockModel
+/**
+ * Model InAppNotification
+ *
+ */
+export type InAppNotification = Prisma.InAppNotificationModel
+/**
+ * Model ContentTemplate
+ *
+ */
+export type ContentTemplate = Prisma.ContentTemplateModel
+/**
+ * Model Site
+ *
+ */
+export type Site = Prisma.SiteModel
+/**
+ * Model WorkflowState
+ *
+ */
+export type WorkflowState = Prisma.WorkflowStateModel
+/**
+ * Model Redirect
+ *
+ */
+export type Redirect = Prisma.RedirectModel
+/**
+ * Model FormSubmission
+ *
+ */
+export type FormSubmission = Prisma.FormSubmissionModel
+/**
+ * Model BackupRecord
+ *
+ */
+export type BackupRecord = Prisma.BackupRecordModel

package/generated/client.ts ADDED Viewed

@@ -0,0 +1,133 @@
+/* !!! This is code generated by Prisma. Do not edit directly. !!! */
+/* eslint-disable */
+// biome-ignore-all lint: generated file
+// @ts-nocheck
+/*
+ * This file should be your main import to use Prisma. Through it you get access to all the models, enums, and input types.
+ * If you're looking for something you can import in the client-side of your application, please refer to the `browser.ts` file instead.
+ *
+ * 🟢 You can import this file directly.
+ */
+import * as process from 'node:process'
+import * as path from 'node:path'
+import { fileURLToPath } from 'node:url'
+globalThis['__dirname'] = path.dirname(fileURLToPath(import.meta.url))
+import * as runtime from "@prisma/client/runtime/client"
+import * as $Enums from "./enums"
+import * as $Class from "./internal/class"
+import * as Prisma from "./internal/prismaNamespace"
+export * as $Enums from './enums'
+export * from "./enums"
+/**
+ * ## Prisma Client
+ *
+ * Type-safe database client for TypeScript
+ * @example
+ * ```
+ * const prisma = new PrismaClient({
+ *   adapter: new PrismaPg({ connectionString: process.env.DATABASE_URL })
+ * })
+ * // Fetch zero or more Users
+ * const users = await prisma.user.findMany()
+ * ```
+ *
+ * Read more in our [docs](https://pris.ly/d/client).
+ */
+export const PrismaClient = $Class.getPrismaClientClass()
+export type PrismaClient<LogOpts extends Prisma.LogLevel = never, OmitOpts extends Prisma.PrismaClientOptions["omit"] = Prisma.PrismaClientOptions["omit"], ExtArgs extends runtime.Types.Extensions.InternalArgs = runtime.Types.Extensions.DefaultArgs> = $Class.PrismaClient<LogOpts, OmitOpts, ExtArgs>
+export { Prisma }
+/**
+ * Model User
+ *
+ */
+export type User = Prisma.UserModel
+/**
+ * Model OAuthAccount
+ *
+ */
+export type OAuthAccount = Prisma.OAuthAccountModel
+/**
+ * Model Session
+ *
+ */
+export type Session = Prisma.SessionModel
+/**
+ * Model ApiKey
+ *
+ */
+export type ApiKey = Prisma.ApiKeyModel
+/**
+ * Model AuditLog
+ *
+ */
+export type AuditLog = Prisma.AuditLogModel
+/**
+ * Model Folder
+ *
+ */
+export type Folder = Prisma.FolderModel
+/**
+ * Model Document
+ *
+ */
+export type Document = Prisma.DocumentModel
+/**
+ * Model Version
+ *
+ */
+export type Version = Prisma.VersionModel
+/**
+ * Model Media
+ *
+ */
+export type Media = Prisma.MediaModel
+/**
+ * Model MediaUsage
+ *
+ */
+export type MediaUsage = Prisma.MediaUsageModel
+/**
+ * Model ContentLock
+ *
+ */
+export type ContentLock = Prisma.ContentLockModel
+/**
+ * Model InAppNotification
+ *
+ */
+export type InAppNotification = Prisma.InAppNotificationModel
+/**
+ * Model ContentTemplate
+ *
+ */
+export type ContentTemplate = Prisma.ContentTemplateModel
+/**
+ * Model Site
+ *
+ */
+export type Site = Prisma.SiteModel
+/**
+ * Model WorkflowState
+ *
+ */
+export type WorkflowState = Prisma.WorkflowStateModel
+/**
+ * Model Redirect
+ *
+ */
+export type Redirect = Prisma.RedirectModel
+/**
+ * Model FormSubmission
+ *
+ */
+export type FormSubmission = Prisma.FormSubmissionModel
+/**
+ * Model BackupRecord
+ *
+ */
+export type BackupRecord = Prisma.BackupRecordModel