@adcp/sdk 6.9.0 → 6.11.0

package/dist/lib/server/wire-safe.d.ts

@@ -0,0 +1,211 @@
+/**
+ * Wire-spec field discipline at the operational fan-out boundary.
+ *
+ * `WireSafe<T>` is a branded type that signals "this object has been
+ * stripped to AdCP wire-spec fields and is safe to forward upstream."
+ * The brand is constructed only by {@link pickWireSpecFields} (or
+ * variants). Code that spreads a buyer request directly cannot satisfy
+ * the brand — `{ ...buyerReq, paused: true }` is `T`, not
+ * `WireSafe<T>`.
+ *
+ * The brand is the L2 of #1529: where L1 (`credentialPolicy`,
+ * `src/lib/server/credential-policy.ts`) catches credential-shaped
+ * keys at the buyer-facing dispatch boundary, L2 catches structural
+ * leakage at the operational dispatch boundary — storefront fan-out
+ * code that picks per-target args from a buyer request, where the
+ * scrub happens BEFORE the credential scan would have run on the
+ * upstream call.
+ *
+ * **The brand is opt-in at the type level.** `OperationalPlatform`
+ * methods accept plain `UpdateMediaBuyRequest` etc. (not branded —
+ * see #1530's interface), so adopters who don't use the helper
+ * aren't broken. Adopters who DO use the helper get the safety
+ * benefit at the picking site: assigning the result to a
+ * `WireSafe<UpdateMediaBuyRequest>` variable forces `pickWireSpecFields`
+ * to be the constructor; spreading the buyer request elsewhere fails
+ * to satisfy the brand.
+ *
+ * **Migration footgun:** `pickWireSpecFields` ALONE doesn't close
+ * the round-2 / round-3 vectors (nested `context.<x>_access_token`,
+ * nested `ext.<x>_access_token`). `ext` and `context` are wire-spec
+ * fields, so the helper preserves them whole. Storefronts that fan
+ * out MUST chain {@link scrubExtensions} after the pick — that helper
+ * filters ext/context to a caller-specified key allowlist AND
+ * recursively drops credential-shaped keys at any depth (using the
+ * L1 default pattern set or an adopter-supplied matcher). Calling
+ * `pickWireSpecFields` without `scrubExtensions` reopens the
+ * round-2/round-3 attack surface.
+ *
+ * @see docs/guides/CTX-METADATA-SAFETY.md
+ * @see scripts/generate-wire-spec-fields.ts — codegen for the
+ *      allowlist constants this module reads.
+ *
+ * @public
+ */
+import { type CredentialPatternsConfig } from './credential-policy';
+import { WIRE_SPEC_FIELDS, type WireSpecRequestName } from './wire-spec-fields.generated';
+declare const __wireSafe: unique symbol;
+/**
+ * A request shape that has been narrowed to AdCP wire-spec fields.
+ * Cannot be produced by spreading a buyer request — only via
+ * {@link pickWireSpecFields} or by typed `as WireSafe<T>` assertion
+ * at a known-safe construction site (e.g. a poller that builds the
+ * request from stored state, not from buyer input).
+ *
+ * The brand is what makes this load-bearing: `{ ...buyerRequest }` is
+ * `T`, not `WireSafe<T>`, so passing it where `WireSafe<T>` is
+ * required is a compile error.
+ */
+export type WireSafe<T> = T & {
+    readonly [__wireSafe]: true;
+};
+export type { WireSpecRequestName };
+export { WIRE_SPEC_FIELDS };
+/**
+ * The wire-spec request type associated with a `WireSpecRequestName`.
+ * Internal — adopters access it transparently via
+ * `pickWireSpecFields`'s return narrowing.
+ */
+type WireSpecRequestShape<K extends WireSpecRequestName> = (typeof WIRE_SPEC_FIELDS)[K]['__type'];
+/**
+ * Strip a buyer request to the wire-spec fields defined for
+ * `schemaName` and return the result branded `WireSafe<T>`. The
+ * canonical constructor of {@link WireSafe}.
+ *
+ * Drops every property NOT in the schema's `properties` allowlist,
+ * including buyer-supplied unknown keys (`<platform>_access_token`,
+ * `account: { brand: 'attacker.com' }`-style identity-pivot fields,
+ * arbitrary attacker payload). The allowlist comes from codegen — the
+ * AdCP request schema IS the allowlist; drift is structurally
+ * impossible.
+ *
+ * **Top-level only.** `ext` and `context` are wire-spec fields and
+ * are preserved verbatim by this helper. Storefronts MUST chain
+ * {@link scrubExtensions} to drop nested credentials in those
+ * envelopes. See the module-level migration footgun warning.
+ *
+ * Storefronts call this once per upstream target during fan-out:
+ *
+ * ```ts
+ * const safe = pickWireSpecFields(buyerReq, 'UpdateMediaBuyRequest');
+ * for (const target of targets) {
+ *   const perTarget = scrubExtensions(safe, { ... });
+ *   await operational.updateMediaBuy(ctxFor(target), perTarget);
+ * }
+ * ```
+ *
+ * Pollers that construct requests from stored state typically don't
+ * need this — their inputs aren't buyer-controlled. They can opt in
+ * for symmetric type safety with `as WireSafe<T>` if their type
+ * system encourages it, or call this helper anyway (the strip is a
+ * no-op when input is already wire-spec only).
+ *
+ * @param request - Buyer-supplied (or otherwise untrusted) input.
+ * @param schemaName - PascalCase request type name from
+ *   {@link WIRE_SPEC_FIELDS}. TypeScript narrows the return type to
+ *   `WireSafe<RequestType>` based on this — so
+ *   `pickWireSpecFields(req, 'UpdateMediaBuyRequest')` returns
+ *   `WireSafe<UpdateMediaBuyRequest>`.
+ *
+ * @example
+ * ```ts
+ * import { pickWireSpecFields } from '@adcp/sdk/server';
+ *
+ * // Buyer sends:
+ * //   { media_buy_id: 'mb_1', paused: true, snap_access_token: 'attacker' }
+ * const safe = pickWireSpecFields(buyerReq, 'UpdateMediaBuyRequest');
+ * // safe: WireSafe<UpdateMediaBuyRequest>
+ * //   value: { media_buy_id: 'mb_1', paused: true } — credential dropped
+ * ```
+ */
+export declare function pickWireSpecFields<K extends WireSpecRequestName>(request: unknown, schemaName: K): WireSafe<WireSpecRequestShape<K>>;
+/**
+ * Apply an extension-object allowlist to a `WireSafe<T>` and
+ * recursively scrub credential-shaped values. Closes the round-2 /
+ * round-3 nested-credential vectors that `pickWireSpecFields` alone
+ * leaves open (because `ext` and `context` are wire-spec fields and
+ * are preserved verbatim by the pick).
+ *
+ * Three operations, applied in order:
+ *
+ * 1. **Top-level allowlist filter** (when `allowedExtKeys` is set):
+ *    drop keys from `ext` and `context` that aren't in the
+ *    allowlist. Pass an empty Set to drop both fields entirely;
+ *    pass `undefined` to leave the top level untouched.
+ * 2. **Recursive credential scan** (when `recursiveCredentialScan`
+ *    is `true`, default): walk surviving values in `ext`/`context`
+ *    at any depth and drop nested keys that match the L1
+ *    credential-pattern set (or an adopter-supplied matcher). Closes
+ *    `ext.partner.token` and similar deep-nesting attack vectors.
+ * 3. **Adopter inject** (when `inject` is set): merge
+ *    storefront-controlled values into `ext` and/or `context`.
+ *    Inject runs LAST so storefront-resolved credentials override
+ *    any allowlisted buyer values that collide.
+ *
+ * The `WireSafe<T>` brand survives — the operation is closed over
+ * the wire-spec field set.
+ *
+ * @example
+ * ```ts
+ * const safe = pickWireSpecFields(buyerReq, 'UpdateMediaBuyRequest');
+ * const perTarget = scrubExtensions(safe, {
+ *   allowedExtKeys: new Set(['scope3_api_key', 'partner_request_id']),
+ *   inject: {
+ *     context: {
+ *       managed_access_token: target.token,
+ *       managed_advertiser_id: target.advertiserId,
+ *     },
+ *   },
+ * });
+ * ```
+ */
+export interface ScrubExtensionsOptions {
+    /**
+     * Set of keys permitted to survive on `ext` and `context`. Keys
+     * outside this set are dropped from both. Pass `undefined` to leave
+     * `ext`/`context` top-level untouched (only the recursive scan and
+     * `inject` apply); pass an empty set to drop both entirely.
+     */
+    allowedExtKeys?: ReadonlySet<string>;
+    /**
+     * When true (default), recursively walk surviving `ext`/`context`
+     * values and drop nested keys matching the credential-pattern set.
+     * Closes round-4-style deep-nesting attack vectors that the
+     * top-level allowlist alone cannot — e.g. an adopter who allowlists
+     * `partner` and forgets that `partner.token` is buyer-controlled.
+     *
+     * Set to `false` only when you've validated the surviving
+     * `ext`/`context` shapes yourself (e.g. via Zod-typed extensions).
+     */
+    recursiveCredentialScan?: boolean;
+    /**
+     * Optional matcher overrides for the recursive scan. Defaults to
+     * the L1 credential-policy default pattern set
+     * ({@link DEFAULT_CREDENTIAL_PATTERNS}). Pass `extend` to add
+     * adopter-specific patterns; pass `matcher` to fully replace the
+     * regex set.
+     */
+    credentialPatterns?: CredentialPatternsConfig;
+    /**
+     * Adopter-controlled values to merge into `ext` and/or `context`
+     * AFTER the allowlist filter and recursive scan run. Used to inject
+     * storefront-owned routing tokens (e.g. resolved per-target
+     * advertiser IDs) into the per-target request.
+     *
+     * **Adopter-side ONLY — values here MUST be storefront-derived,
+     * never read from the incoming buyer request.** Threading buyer-
+     * controlled values through `inject` defeats the discipline.
+     * Values injected here bypass the recursive credential scan and
+     * are merged in after it completes — ensure they are fully
+     * storefront-derived, never shaped by buyer input.
+     */
+    inject?: {
+        ext?: Record<string, unknown>;
+        context?: Record<string, unknown>;
+    };
+}
+/**
+ * Implementation of {@link ScrubExtensionsOptions}. See JSDoc above.
+ */
+export declare function scrubExtensions<T extends object>(request: WireSafe<T>, options: ScrubExtensionsOptions): WireSafe<T>;
+//# sourceMappingURL=wire-safe.d.ts.map

package/dist/lib/server/wire-safe.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"wire-safe.d.ts","sourceRoot":"","sources":["../../../src/lib/server/wire-safe.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA2CG;AAEH,OAAO,EAA0B,KAAK,wBAAwB,EAAE,MAAM,qBAAqB,CAAC;AAC5F,OAAO,EAAE,gBAAgB,EAAE,KAAK,mBAAmB,EAAE,MAAM,8BAA8B,CAAC;AAE1F,OAAO,CAAC,MAAM,UAAU,EAAE,OAAO,MAAM,CAAC;AAExC;;;;;;;;;;GAUG;AACH,MAAM,MAAM,QAAQ,CAAC,CAAC,IAAI,CAAC,GAAG;IAAE,QAAQ,CAAC,CAAC,UAAU,CAAC,EAAE,IAAI,CAAA;CAAE,CAAC;AAE9D,YAAY,EAAE,mBAAmB,EAAE,CAAC;AAEpC,OAAO,EAAE,gBAAgB,EAAE,CAAC;AAE5B;;;;GAIG;AACH,KAAK,oBAAoB,CAAC,CAAC,SAAS,mBAAmB,IAAI,CAAC,OAAO,gBAAgB,CAAC,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC;AAElG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAkDG;AACH,wBAAgB,kBAAkB,CAAC,CAAC,SAAS,mBAAmB,EAC9D,OAAO,EAAE,OAAO,EAChB,UAAU,EAAE,CAAC,GACZ,QAAQ,CAAC,oBAAoB,CAAC,CAAC,CAAC,CAAC,CAuBnC;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAuCG;AACH,MAAM,WAAW,sBAAsB;IACrC;;;;;OAKG;IACH,cAAc,CAAC,EAAE,WAAW,CAAC,MAAM,CAAC,CAAC;IAErC;;;;;;;;;OASG;IACH,uBAAuB,CAAC,EAAE,OAAO,CAAC;IAElC;;;;;;OAMG;IACH,kBAAkB,CAAC,EAAE,wBAAwB,CAAC;IAE9C;;;;;;;;;;;;OAYG;IACH,MAAM,CAAC,EAAE;QACP,GAAG,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;QAC9B,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;KACnC,CAAC;CACH;AAED;;GAEG;AACH,wBAAgB,eAAe,CAAC,CAAC,SAAS,MAAM,EAAE,OAAO,EAAE,QAAQ,CAAC,CAAC,CAAC,EAAE,OAAO,EAAE,sBAAsB,GAAG,QAAQ,CAAC,CAAC,CAAC,CAyDpH"}

package/dist/lib/server/wire-safe.js

@@ -0,0 +1,231 @@
+"use strict";
+/**
+ * Wire-spec field discipline at the operational fan-out boundary.
+ *
+ * `WireSafe<T>` is a branded type that signals "this object has been
+ * stripped to AdCP wire-spec fields and is safe to forward upstream."
+ * The brand is constructed only by {@link pickWireSpecFields} (or
+ * variants). Code that spreads a buyer request directly cannot satisfy
+ * the brand — `{ ...buyerReq, paused: true }` is `T`, not
+ * `WireSafe<T>`.
+ *
+ * The brand is the L2 of #1529: where L1 (`credentialPolicy`,
+ * `src/lib/server/credential-policy.ts`) catches credential-shaped
+ * keys at the buyer-facing dispatch boundary, L2 catches structural
+ * leakage at the operational dispatch boundary — storefront fan-out
+ * code that picks per-target args from a buyer request, where the
+ * scrub happens BEFORE the credential scan would have run on the
+ * upstream call.
+ *
+ * **The brand is opt-in at the type level.** `OperationalPlatform`
+ * methods accept plain `UpdateMediaBuyRequest` etc. (not branded —
+ * see #1530's interface), so adopters who don't use the helper
+ * aren't broken. Adopters who DO use the helper get the safety
+ * benefit at the picking site: assigning the result to a
+ * `WireSafe<UpdateMediaBuyRequest>` variable forces `pickWireSpecFields`
+ * to be the constructor; spreading the buyer request elsewhere fails
+ * to satisfy the brand.
+ *
+ * **Migration footgun:** `pickWireSpecFields` ALONE doesn't close
+ * the round-2 / round-3 vectors (nested `context.<x>_access_token`,
+ * nested `ext.<x>_access_token`). `ext` and `context` are wire-spec
+ * fields, so the helper preserves them whole. Storefronts that fan
+ * out MUST chain {@link scrubExtensions} after the pick — that helper
+ * filters ext/context to a caller-specified key allowlist AND
+ * recursively drops credential-shaped keys at any depth (using the
+ * L1 default pattern set or an adopter-supplied matcher). Calling
+ * `pickWireSpecFields` without `scrubExtensions` reopens the
+ * round-2/round-3 attack surface.
+ *
+ * @see docs/guides/CTX-METADATA-SAFETY.md
+ * @see scripts/generate-wire-spec-fields.ts — codegen for the
+ *      allowlist constants this module reads.
+ *
+ * @public
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.WIRE_SPEC_FIELDS = void 0;
+exports.pickWireSpecFields = pickWireSpecFields;
+exports.scrubExtensions = scrubExtensions;
+const credential_policy_1 = require("./credential-policy");
+const wire_spec_fields_generated_1 = require("./wire-spec-fields.generated");
+Object.defineProperty(exports, "WIRE_SPEC_FIELDS", { enumerable: true, get: function () { return wire_spec_fields_generated_1.WIRE_SPEC_FIELDS; } });
+/**
+ * Strip a buyer request to the wire-spec fields defined for
+ * `schemaName` and return the result branded `WireSafe<T>`. The
+ * canonical constructor of {@link WireSafe}.
+ *
+ * Drops every property NOT in the schema's `properties` allowlist,
+ * including buyer-supplied unknown keys (`<platform>_access_token`,
+ * `account: { brand: 'attacker.com' }`-style identity-pivot fields,
+ * arbitrary attacker payload). The allowlist comes from codegen — the
+ * AdCP request schema IS the allowlist; drift is structurally
+ * impossible.
+ *
+ * **Top-level only.** `ext` and `context` are wire-spec fields and
+ * are preserved verbatim by this helper. Storefronts MUST chain
+ * {@link scrubExtensions} to drop nested credentials in those
+ * envelopes. See the module-level migration footgun warning.
+ *
+ * Storefronts call this once per upstream target during fan-out:
+ *
+ * ```ts
+ * const safe = pickWireSpecFields(buyerReq, 'UpdateMediaBuyRequest');
+ * for (const target of targets) {
+ *   const perTarget = scrubExtensions(safe, { ... });
+ *   await operational.updateMediaBuy(ctxFor(target), perTarget);
+ * }
+ * ```
+ *
+ * Pollers that construct requests from stored state typically don't
+ * need this — their inputs aren't buyer-controlled. They can opt in
+ * for symmetric type safety with `as WireSafe<T>` if their type
+ * system encourages it, or call this helper anyway (the strip is a
+ * no-op when input is already wire-spec only).
+ *
+ * @param request - Buyer-supplied (or otherwise untrusted) input.
+ * @param schemaName - PascalCase request type name from
+ *   {@link WIRE_SPEC_FIELDS}. TypeScript narrows the return type to
+ *   `WireSafe<RequestType>` based on this — so
+ *   `pickWireSpecFields(req, 'UpdateMediaBuyRequest')` returns
+ *   `WireSafe<UpdateMediaBuyRequest>`.
+ *
+ * @example
+ * ```ts
+ * import { pickWireSpecFields } from '@adcp/sdk/server';
+ *
+ * // Buyer sends:
+ * //   { media_buy_id: 'mb_1', paused: true, snap_access_token: 'attacker' }
+ * const safe = pickWireSpecFields(buyerReq, 'UpdateMediaBuyRequest');
+ * // safe: WireSafe<UpdateMediaBuyRequest>
+ * //   value: { media_buy_id: 'mb_1', paused: true } — credential dropped
+ * ```
+ */
+function pickWireSpecFields(request, schemaName) {
+    const allowlist = wire_spec_fields_generated_1.WIRE_SPEC_FIELDS[schemaName].fields;
+    const out = {};
+    if (request === null || typeof request !== 'object') {
+        // Defensive: caller passed something that isn't a request object.
+        // Return an empty WireSafe — the upstream call will reject on
+        // missing required fields (e.g. `idempotency_key`), which is the
+        // right error class to surface (it's adopter-side, not buyer-side).
+        return out;
+    }
+    const source = request;
+    // Indexed loop instead of for-of: avoids Array.prototype[Symbol.iterator]
+    // dispatch, which a supply-chain dep could poison to inject extra field
+    // names into the iteration at call time (freeze of the array object does
+    // not prevent iterator-protocol interception).
+    const len = allowlist.length;
+    for (let i = 0; i < len; i++) {
+        const field = allowlist[i]; // non-null: i is bounds-checked by len
+        if (Object.prototype.hasOwnProperty.call(source, field)) {
+            out[field] = source[field];
+        }
+    }
+    return out;
+}
+/**
+ * Implementation of {@link ScrubExtensionsOptions}. See JSDoc above.
+ */
+function scrubExtensions(request, options) {
+    const out = { ...request };
+    const { allowedExtKeys, recursiveCredentialScan = true, credentialPatterns, inject } = options;
+    // Step 1: top-level allowlist filter. When `allowedExtKeys` is
+    // undefined we leave the top level alone (recursive scan and
+    // inject still run); when it's an empty set we drop both fields.
+    if (allowedExtKeys !== undefined) {
+        const sourceExt = (out.ext ?? {});
+        const sourceCtx = (out.context ?? {});
+        const filteredExt = {};
+        const filteredCtx = {};
+        for (const k of allowedExtKeys) {
+            if (Object.prototype.hasOwnProperty.call(sourceExt, k))
+                filteredExt[k] = sourceExt[k];
+            if (Object.prototype.hasOwnProperty.call(sourceCtx, k))
+                filteredCtx[k] = sourceCtx[k];
+        }
+        out.ext = filteredExt;
+        out.context = filteredCtx;
+    }
+    // Step 2: recursive credential-shape scan. Strategy depends on
+    // whether step 1 ran:
+    //
+    //   - With `allowedExtKeys` set: top-level is already gated by
+    //     the explicit allowlist. The adopter has affirmed those keys
+    //     are legitimate (e.g. `scope3_api_key` allowlisted on a
+    //     specific tool), so we DON'T second-guess them by name. The
+    //     scan applies to depths 1+ — dropping nested credentials
+    //     INSIDE allowlisted values (`partner: { token: '...' }`
+    //     becomes `partner: {}`).
+    //
+    //   - Without `allowedExtKeys`: no top-level gate; scan from
+    //     depth 0 to drop credential-shaped keys at any depth. This
+    //     is the path adopters take when they trust their own
+    //     ext/context shapes but want belt-and-suspenders coverage.
+    if (recursiveCredentialScan) {
+        const fromDepth = allowedExtKeys !== undefined ? 1 : 0;
+        if (out.ext !== undefined && out.ext !== null && typeof out.ext === 'object') {
+            out.ext = stripNestedCredentials(out.ext, credentialPatterns, fromDepth);
+        }
+        if (out.context !== undefined && out.context !== null && typeof out.context === 'object') {
+            out.context = stripNestedCredentials(out.context, credentialPatterns, fromDepth);
+        }
+    }
+    // Step 3: adopter-controlled inject. Runs AFTER the scan so
+    // storefront-resolved credentials/IDs aren't accidentally dropped
+    // by the recursive scan (e.g. injected `managed_access_token` is
+    // intentional and belongs).
+    if (inject?.ext) {
+        out.ext = { ...out.ext, ...inject.ext };
+    }
+    if (inject?.context) {
+        out.context = { ...out.context, ...inject.context };
+    }
+    return out;
+}
+/**
+ * Recursively walk a value and drop keys matching the credential
+ * pattern set, starting from `fromDepth`. Used by `scrubExtensions`
+ * to close round-4 nesting.
+ *
+ * `fromDepth = 0` scans every depth including the top level — used
+ * when no `allowedExtKeys` is supplied.
+ * `fromDepth = 1` skips the top level — used when the top-level
+ * keys have already been gated by an explicit allowlist (the
+ * adopter affirmed them legitimate by name).
+ *
+ * Returns a NEW object/array tree — input is not mutated. Cycle-safe
+ * via `WeakSet`. Primitives pass through.
+ */
+function stripNestedCredentials(value, patterns, fromDepth = 0) {
+    // Identify credential-shaped paths via the L1 scanner.
+    const hits = new Set((0, credential_policy_1.scanArgsForCredentials)(value, patterns));
+    if (hits.size === 0)
+        return value;
+    const seen = new WeakSet();
+    const walk = (node, path, depth) => {
+        if (node === null || typeof node !== 'object')
+            return node;
+        if (seen.has(node))
+            return node;
+        seen.add(node);
+        if (Array.isArray(node)) {
+            return node.map((item, i) => walk(item, [...path, String(i)], depth + 1));
+        }
+        const out = {};
+        for (const [key, child] of Object.entries(node)) {
+            const childPath = [...path, key];
+            // Only drop the key if we're AT or BEYOND `fromDepth`. Keys
+            // shallower than fromDepth pass through unchecked because
+            // they were already gated upstream.
+            if (depth >= fromDepth && hits.has(childPath.join('.'))) {
+                continue;
+            }
+            out[key] = walk(child, childPath, depth + 1);
+        }
+        return out;
+    };
+    return walk(value, [], 0);
+}
+//# sourceMappingURL=wire-safe.js.map

package/dist/lib/server/wire-safe.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"wire-safe.js","sourceRoot":"","sources":["../../../src/lib/server/wire-safe.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA2CG;;;AAkFH,gDA0BC;AA8FD,0CAyDC;AAjQD,2DAA4F;AAC5F,6EAA0F;AAmBjF,iGAnBA,6CAAgB,OAmBA;AASzB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAkDG;AACH,SAAgB,kBAAkB,CAChC,OAAgB,EAChB,UAAa;IAEb,MAAM,SAAS,GAAG,6CAAgB,CAAC,UAAU,CAAC,CAAC,MAAM,CAAC;IACtD,MAAM,GAAG,GAA4B,EAAE,CAAC;IACxC,IAAI,OAAO,KAAK,IAAI,IAAI,OAAO,OAAO,KAAK,QAAQ,EAAE,CAAC;QACpD,kEAAkE;QAClE,8DAA8D;QAC9D,iEAAiE;QACjE,oEAAoE;QACpE,OAAO,GAAwC,CAAC;IAClD,CAAC;IACD,MAAM,MAAM,GAAG,OAAkC,CAAC;IAClD,0EAA0E;IAC1E,wEAAwE;IACxE,yEAAyE;IACzE,+CAA+C;IAC/C,MAAM,GAAG,GAAG,SAAS,CAAC,MAAM,CAAC;IAC7B,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,GAAG,EAAE,CAAC,EAAE,EAAE,CAAC;QAC7B,MAAM,KAAK,GAAG,SAAS,CAAC,CAAC,CAAE,CAAC,CAAC,uCAAuC;QACpE,IAAI,MAAM,CAAC,SAAS,CAAC,cAAc,CAAC,IAAI,CAAC,MAAM,EAAE,KAAK,CAAC,EAAE,CAAC;YACxD,GAAG,CAAC,KAAK,CAAC,GAAG,MAAM,CAAC,KAAK,CAAC,CAAC;QAC7B,CAAC;IACH,CAAC;IACD,OAAO,GAAwC,CAAC;AAClD,CAAC;AA2FD;;GAEG;AACH,SAAgB,eAAe,CAAmB,OAAoB,EAAE,OAA+B;IACrG,MAAM,GAAG,GAAG,EAAE,GAAI,OAAkB,EAA6B,CAAC;IAClE,MAAM,EAAE,cAAc,EAAE,uBAAuB,GAAG,IAAI,EAAE,kBAAkB,EAAE,MAAM,EAAE,GAAG,OAAO,CAAC;IAE/F,+DAA+D;IAC/D,6DAA6D;IAC7D,iEAAiE;IACjE,IAAI,cAAc,KAAK,SAAS,EAAE,CAAC;QACjC,MAAM,SAAS,GAAG,CAAC,GAAG,CAAC,GAAG,IAAI,EAAE,CAA4B,CAAC;QAC7D,MAAM,SAAS,GAAG,CAAC,GAAG,CAAC,OAAO,IAAI,EAAE,CAA4B,CAAC;QACjE,MAAM,WAAW,GAA4B,EAAE,CAAC;QAChD,MAAM,WAAW,GAA4B,EAAE,CAAC;QAChD,KAAK,MAAM,CAAC,IAAI,cAAc,EAAE,CAAC;YAC/B,IAAI,MAAM,CAAC,SAAS,CAAC,cAAc,CAAC,IAAI,CAAC,SAAS,EAAE,CAAC,CAAC;gBAAE,WAAW,CAAC,CAAC,CAAC,GAAG,SAAS,CAAC,CAAC,CAAC,CAAC;YACtF,IAAI,MAAM,CAAC,SAAS,CAAC,cAAc,CAAC,IAAI,CAAC,SAAS,EAAE,CAAC,CAAC;gBAAE,WAAW,CAAC,CAAC,CAAC,GAAG,SAAS,CAAC,CAAC,CAAC,CAAC;QACxF,CAAC;QACD,GAAG,CAAC,GAAG,GAAG,WAAW,CAAC;QACtB,GAAG,CAAC,OAAO,GAAG,WAAW,CAAC;IAC5B,CAAC;IAED,+DAA+D;IAC/D,sBAAsB;IACtB,EAAE;IACF,+DAA+D;IAC/D,kEAAkE;IAClE,6DAA6D;IAC7D,iEAAiE;IACjE,8DAA8D;IAC9D,6DAA6D;IAC7D,8BAA8B;IAC9B,EAAE;IACF,6DAA6D;IAC7D,gEAAgE;IAChE,0DAA0D;IAC1D,gEAAgE;IAChE,IAAI,uBAAuB,EAAE,CAAC;QAC5B,MAAM,SAAS,GAAG,cAAc,KAAK,SAAS,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;QACvD,IAAI,GAAG,CAAC,GAAG,KAAK,SAAS,IAAI,GAAG,CAAC,GAAG,KAAK,IAAI,IAAI,OAAO,GAAG,CAAC,GAAG,KAAK,QAAQ,EAAE,CAAC;YAC7E,GAAG,CAAC,GAAG,GAAG,sBAAsB,CAAC,GAAG,CAAC,GAAG,EAAE,kBAAkB,EAAE,SAAS,CAAC,CAAC;QAC3E,CAAC;QACD,IAAI,GAAG,CAAC,OAAO,KAAK,SAAS,IAAI,GAAG,CAAC,OAAO,KAAK,IAAI,IAAI,OAAO,GAAG,CAAC,OAAO,KAAK,QAAQ,EAAE,CAAC;YACzF,GAAG,CAAC,OAAO,GAAG,sBAAsB,CAAC,GAAG,CAAC,OAAO,EAAE,kBAAkB,EAAE,SAAS,CAAC,CAAC;QACnF,CAAC;IACH,CAAC;IAED,4DAA4D;IAC5D,kEAAkE;IAClE,iEAAiE;IACjE,4BAA4B;IAC5B,IAAI,MAAM,EAAE,GAAG,EAAE,CAAC;QAChB,GAAG,CAAC,GAAG,GAAG,EAAE,GAAI,GAAG,CAAC,GAA2C,EAAE,GAAG,MAAM,CAAC,GAAG,EAAE,CAAC;IACnF,CAAC;IACD,IAAI,MAAM,EAAE,OAAO,EAAE,CAAC;QACpB,GAAG,CAAC,OAAO,GAAG,EAAE,GAAI,GAAG,CAAC,OAA+C,EAAE,GAAG,MAAM,CAAC,OAAO,EAAE,CAAC;IAC/F,CAAC;IAED,OAAO,GAAkB,CAAC;AAC5B,CAAC;AAED;;;;;;;;;;;;;GAaG;AACH,SAAS,sBAAsB,CAAC,KAAc,EAAE,QAAmC,EAAE,SAAS,GAAG,CAAC;IAChG,uDAAuD;IACvD,MAAM,IAAI,GAAG,IAAI,GAAG,CAAC,IAAA,0CAAsB,EAAC,KAAK,EAAE,QAAQ,CAAC,CAAC,CAAC;IAC9D,IAAI,IAAI,CAAC,IAAI,KAAK,CAAC;QAAE,OAAO,KAAK,CAAC;IAElC,MAAM,IAAI,GAAG,IAAI,OAAO,EAAU,CAAC;IACnC,MAAM,IAAI,GAAG,CAAC,IAAa,EAAE,IAAuB,EAAE,KAAa,EAAW,EAAE;QAC9E,IAAI,IAAI,KAAK,IAAI,IAAI,OAAO,IAAI,KAAK,QAAQ;YAAE,OAAO,IAAI,CAAC;QAC3D,IAAI,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC;YAAE,OAAO,IAAI,CAAC;QAChC,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;QAEf,IAAI,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC;YACxB,OAAO,IAAI,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,CAAC,EAAE,EAAE,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC,GAAG,IAAI,EAAE,MAAM,CAAC,CAAC,CAAC,CAAC,EAAE,KAAK,GAAG,CAAC,CAAC,CAAC,CAAC;QAC5E,CAAC;QAED,MAAM,GAAG,GAA4B,EAAE,CAAC;QACxC,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,IAA+B,CAAC,EAAE,CAAC;YAC3E,MAAM,SAAS,GAAG,CAAC,GAAG,IAAI,EAAE,GAAG,CAAC,CAAC;YACjC,4DAA4D;YAC5D,0DAA0D;YAC1D,oCAAoC;YACpC,IAAI,KAAK,IAAI,SAAS,IAAI,IAAI,CAAC,GAAG,CAAC,SAAS,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,CAAC;gBACxD,SAAS;YACX,CAAC;YACD,GAAG,CAAC,GAAG,CAAC,GAAG,IAAI,CAAC,KAAK,EAAE,SAAS,EAAE,KAAK,GAAG,CAAC,CAAC,CAAC;QAC/C,CAAC;QACD,OAAO,GAAG,CAAC;IACb,CAAC,CAAC;IACF,OAAO,IAAI,CAAC,KAAK,EAAE,EAAE,EAAE,CAAC,CAAC,CAAC;AAC5B,CAAC"}

package/dist/lib/server/wire-spec-fields.generated.d.ts

@@ -0,0 +1,168 @@
+import type { AcquireRightsRequest, ActivateSignalRequest, BuildCreativeRequest, CalibrateContentRequest, CreateCollectionListRequest, CreateContentStandardsRequest, CreateMediaBuyRequest, CreatePropertyListRequest, DeleteCollectionListRequest, DeletePropertyListRequest, GetMediaBuyDeliveryRequest, LogEventRequest, ProvidePerformanceFeedbackRequest, ReportPlanOutcomeRequest, ReportUsageRequest, SIInitiateSessionRequest, SISendMessageRequest, SyncAccountsRequest, SyncAudiencesRequest, SyncCatalogsRequest, SyncCreativesRequest, SyncEventSourcesRequest, SyncGovernanceRequest, SyncPlansRequest, UpdateCollectionListRequest, UpdateContentStandardsRequest, UpdateMediaBuyRequest, UpdatePropertyListRequest, UpdateRightsRequest } from '../types';
+/**
+ * Wire-spec field allowlists per request type. The `fields` values
+ * are exact top-level property names from the AdCP request JSON
+ * schemas; `pickWireSpecFields(req, schemaName)` uses them to strip
+ * buyer-controlled args to schema-spec fields at the operational
+ * fan-out boundary. Drift between this map and the schemas is
+ * impossible by construction — both are emitted from the same
+ * codegen pass.
+ *
+ * The `__type` phantom is type-only (`null as unknown as T`) — it
+ * carries the wire-spec request shape so `pickWireSpecFields`'s
+ * return type narrows per `schemaName`. Runtime cost: one null
+ * property per entry.
+ *
+ * Arrays and entry objects are runtime-frozen via `Object.freeze`
+ * so a misbehaving dependency cannot widen the scrub via prototype
+ * pollution or shared-state mutation of the allowlist.
+ */
+export declare const WIRE_SPEC_FIELDS: Readonly<{
+    /** schemas/cache/3.0.6/brand/acquire-rights-request.json */
+    readonly AcquireRightsRequest: Readonly<{
+        fields: readonly string[];
+        __type: AcquireRightsRequest;
+    }>;
+    /** schemas/cache/3.0.6/signals/activate-signal-request.json */
+    readonly ActivateSignalRequest: Readonly<{
+        fields: readonly string[];
+        __type: ActivateSignalRequest;
+    }>;
+    /** schemas/cache/3.0.6/media-buy/build-creative-request.json */
+    readonly BuildCreativeRequest: Readonly<{
+        fields: readonly string[];
+        __type: BuildCreativeRequest;
+    }>;
+    /** schemas/cache/3.0.6/content-standards/calibrate-content-request.json */
+    readonly CalibrateContentRequest: Readonly<{
+        fields: readonly string[];
+        __type: CalibrateContentRequest;
+    }>;
+    /** schemas/cache/3.0.6/collection/create-collection-list-request.json */
+    readonly CreateCollectionListRequest: Readonly<{
+        fields: readonly string[];
+        __type: CreateCollectionListRequest;
+    }>;
+    /** schemas/cache/3.0.6/content-standards/create-content-standards-request.json */
+    readonly CreateContentStandardsRequest: Readonly<{
+        fields: readonly string[];
+        __type: CreateContentStandardsRequest;
+    }>;
+    /** schemas/cache/3.0.6/media-buy/create-media-buy-request.json */
+    readonly CreateMediaBuyRequest: Readonly<{
+        fields: readonly string[];
+        __type: CreateMediaBuyRequest;
+    }>;
+    /** schemas/cache/3.0.6/property/create-property-list-request.json */
+    readonly CreatePropertyListRequest: Readonly<{
+        fields: readonly string[];
+        __type: CreatePropertyListRequest;
+    }>;
+    /** schemas/cache/3.0.6/collection/delete-collection-list-request.json */
+    readonly DeleteCollectionListRequest: Readonly<{
+        fields: readonly string[];
+        __type: DeleteCollectionListRequest;
+    }>;
+    /** schemas/cache/3.0.6/property/delete-property-list-request.json */
+    readonly DeletePropertyListRequest: Readonly<{
+        fields: readonly string[];
+        __type: DeletePropertyListRequest;
+    }>;
+    /** schemas/cache/3.0.6/media-buy/get-media-buy-delivery-request.json */
+    readonly GetMediaBuyDeliveryRequest: Readonly<{
+        fields: readonly string[];
+        __type: GetMediaBuyDeliveryRequest;
+    }>;
+    /** schemas/cache/3.0.6/media-buy/log-event-request.json */
+    readonly LogEventRequest: Readonly<{
+        fields: readonly string[];
+        __type: LogEventRequest;
+    }>;
+    /** schemas/cache/3.0.6/media-buy/provide-performance-feedback-request.json */
+    readonly ProvidePerformanceFeedbackRequest: Readonly<{
+        fields: readonly string[];
+        __type: ProvidePerformanceFeedbackRequest;
+    }>;
+    /** schemas/cache/3.0.6/governance/report-plan-outcome-request.json */
+    readonly ReportPlanOutcomeRequest: Readonly<{
+        fields: readonly string[];
+        __type: ReportPlanOutcomeRequest;
+    }>;
+    /** schemas/cache/3.0.6/account/report-usage-request.json */
+    readonly ReportUsageRequest: Readonly<{
+        fields: readonly string[];
+        __type: ReportUsageRequest;
+    }>;
+    /** schemas/cache/3.0.6/sponsored-intelligence/si-initiate-session-request.json */
+    readonly SIInitiateSessionRequest: Readonly<{
+        fields: readonly string[];
+        __type: SIInitiateSessionRequest;
+    }>;
+    /** schemas/cache/3.0.6/sponsored-intelligence/si-send-message-request.json */
+    readonly SISendMessageRequest: Readonly<{
+        fields: readonly string[];
+        __type: SISendMessageRequest;
+    }>;
+    /** schemas/cache/3.0.6/account/sync-accounts-request.json */
+    readonly SyncAccountsRequest: Readonly<{
+        fields: readonly string[];
+        __type: SyncAccountsRequest;
+    }>;
+    /** schemas/cache/3.0.6/media-buy/sync-audiences-request.json */
+    readonly SyncAudiencesRequest: Readonly<{
+        fields: readonly string[];
+        __type: SyncAudiencesRequest;
+    }>;
+    /** schemas/cache/3.0.6/media-buy/sync-catalogs-request.json */
+    readonly SyncCatalogsRequest: Readonly<{
+        fields: readonly string[];
+        __type: SyncCatalogsRequest;
+    }>;
+    /** schemas/cache/3.0.6/creative/sync-creatives-request.json */
+    readonly SyncCreativesRequest: Readonly<{
+        fields: readonly string[];
+        __type: SyncCreativesRequest;
+    }>;
+    /** schemas/cache/3.0.6/media-buy/sync-event-sources-request.json */
+    readonly SyncEventSourcesRequest: Readonly<{
+        fields: readonly string[];
+        __type: SyncEventSourcesRequest;
+    }>;
+    /** schemas/cache/3.0.6/account/sync-governance-request.json */
+    readonly SyncGovernanceRequest: Readonly<{
+        fields: readonly string[];
+        __type: SyncGovernanceRequest;
+    }>;
+    /** schemas/cache/3.0.6/governance/sync-plans-request.json */
+    readonly SyncPlansRequest: Readonly<{
+        fields: readonly string[];
+        __type: SyncPlansRequest;
+    }>;
+    /** schemas/cache/3.0.6/collection/update-collection-list-request.json */
+    readonly UpdateCollectionListRequest: Readonly<{
+        fields: readonly string[];
+        __type: UpdateCollectionListRequest;
+    }>;
+    /** schemas/cache/3.0.6/content-standards/update-content-standards-request.json */
+    readonly UpdateContentStandardsRequest: Readonly<{
+        fields: readonly string[];
+        __type: UpdateContentStandardsRequest;
+    }>;
+    /** schemas/cache/3.0.6/media-buy/update-media-buy-request.json */
+    readonly UpdateMediaBuyRequest: Readonly<{
+        fields: readonly string[];
+        __type: UpdateMediaBuyRequest;
+    }>;
+    /** schemas/cache/3.0.6/property/update-property-list-request.json */
+    readonly UpdatePropertyListRequest: Readonly<{
+        fields: readonly string[];
+        __type: UpdatePropertyListRequest;
+    }>;
+    /** schemas/cache/3.0.6/brand/update-rights-request.json */
+    readonly UpdateRightsRequest: Readonly<{
+        fields: readonly string[];
+        __type: UpdateRightsRequest;
+    }>;
+}>;
+export type WireSpecRequestName = keyof typeof WIRE_SPEC_FIELDS;
+//# sourceMappingURL=wire-spec-fields.generated.d.ts.map

package/dist/lib/server/wire-spec-fields.generated.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"wire-spec-fields.generated.d.ts","sourceRoot":"","sources":["../../../src/lib/server/wire-spec-fields.generated.ts"],"names":[],"mappings":"AAIA,OAAO,KAAK,EACV,oBAAoB,EACpB,qBAAqB,EACrB,oBAAoB,EACpB,uBAAuB,EACvB,2BAA2B,EAC3B,6BAA6B,EAC7B,qBAAqB,EACrB,yBAAyB,EACzB,2BAA2B,EAC3B,yBAAyB,EACzB,0BAA0B,EAC1B,eAAe,EACf,iCAAiC,EACjC,wBAAwB,EACxB,kBAAkB,EAClB,wBAAwB,EACxB,oBAAoB,EACpB,mBAAmB,EACnB,oBAAoB,EACpB,mBAAmB,EACnB,oBAAoB,EACpB,uBAAuB,EACvB,qBAAqB,EACrB,gBAAgB,EAChB,2BAA2B,EAC3B,6BAA6B,EAC7B,qBAAqB,EACrB,yBAAyB,EACzB,mBAAmB,EACpB,MAAM,UAAU,CAAC;AAElB;;;;;;;;;;;;;;;;;GAiBG;AACH,eAAO,MAAM,gBAAgB;IAC3B,4DAA4D;;gBAE4H,SAAS,MAAM,EAAE;gBAC5K,oBAAoB;;IAEjD,+DAA+D;;gBAEsG,SAAS,MAAM,EAAE;gBACzJ,qBAAqB;;IAElD,gEAAgE;;gBAEsR,SAAS,MAAM,EAAE;gBAC1U,oBAAoB;;IAEjD,2EAA2E;;gBAEoC,SAAS,MAAM,EAAE;gBACnG,uBAAuB;;IAEpD,yEAAyE;;gBAEgF,SAAS,MAAM,EAAE;gBAC7I,2BAA2B;;IAExD,kFAAkF;;gBAEoE,SAAS,MAAM,EAAE;gBAC1I,6BAA6B;;IAE1D,kEAAkE;;gBAEgR,SAAS,MAAM,EAAE;gBACtU,qBAAqB;;IAElD,qEAAqE;;gBAEmF,SAAS,MAAM,EAAE;gBAC5I,yBAAyB;;IAEtD,yEAAyE;;gBAEgC,SAAS,MAAM,EAAE;gBAC7F,2BAA2B;;IAExD,qEAAqE;;gBAEoC,SAAS,MAAM,EAAE;gBAC7F,yBAAyB;;IAEtD,wEAAwE;;gBAE2I,SAAS,MAAM,EAAE;gBACvM,0BAA0B;;IAEvD,2DAA2D;;gBAEuE,SAAS,MAAM,EAAE;gBACtH,eAAe;;IAE5C,8EAA8E;;gBAE0H,SAAS,MAAM,EAAE;gBAC5L,iCAAiC;;IAE9D,sEAAsE;;gBAEwH,SAAS,MAAM,EAAE;gBAClL,wBAAwB;;IAErD,4DAA4D;;gBAEoD,SAAS,MAAM,EAAE;gBACpG,kBAAkB;;IAE/C,kFAAkF;;gBAE0G,SAAS,MAAM,EAAE;gBAChL,wBAAwB;;IAErD,8EAA8E;;gBAEgD,SAAS,MAAM,EAAE;gBAClH,oBAAoB;;IAEjD,6DAA6D;;gBAEyF,SAAS,MAAM,EAAE;gBAC1I,mBAAmB;;IAEhD,gEAAgE;;gBAE4D,SAAS,MAAM,EAAE;gBAChH,oBAAoB;;IAEjD,+DAA+D;;gBAEiI,SAAS,MAAM,EAAE;gBACpL,mBAAmB;;IAEhD,+DAA+D;;gBAEiJ,SAAS,MAAM,EAAE;gBACpM,oBAAoB;;IAEjD,oEAAoE;;gBAE4D,SAAS,MAAM,EAAE;gBACpH,uBAAuB;;IAEpD,+DAA+D;;gBAEiC,SAAS,MAAM,EAAE;gBACpF,qBAAqB;;IAElD,6DAA6D;;gBAEgC,SAAS,MAAM,EAAE;gBACjF,gBAAgB;;IAE7C,yEAAyE;;gBAEwG,SAAS,MAAM,EAAE;gBACrK,2BAA2B;;IAExD,kFAAkF;;gBAEmF,SAAS,MAAM,EAAE;gBACzJ,6BAA6B;;IAE1D,kEAAkE;;gBAEsN,SAAS,MAAM,EAAE;gBAC5Q,qBAAqB;;IAElD,qEAAqE;;gBAE2G,SAAS,MAAM,EAAE;gBACpK,yBAAyB;;IAEtD,2DAA2D;;gBAE0H,SAAS,MAAM,EAAE;gBACzK,mBAAmB;;EAEvC,CAAC;AAEZ,MAAM,MAAM,mBAAmB,GAAG,MAAM,OAAO,gBAAgB,CAAC"}