@agent-native/core 0.4.1 → 0.4.3

package/dist/server/auth.js

@@ -0,0 +1,499 @@
+import crypto from "node:crypto";
+import fs from "node:fs";
+import path from "node:path";
+import { defineEventHandler, readBody, getMethod, setResponseHeader, setResponseStatus, getCookie, setCookie, deleteCookie, } from "h3";
+import { createClient } from "@libsql/client";
+// ---------------------------------------------------------------------------
+// Constants
+// ---------------------------------------------------------------------------
+const COOKIE_NAME = "an_session";
+const DEFAULT_MAX_AGE = 60 * 60 * 24 * 30; // 30 days
+// ---------------------------------------------------------------------------
+// Session store — SQL-backed
+// ---------------------------------------------------------------------------
+let _sessionClient;
+let _sessionTableReady = false;
+let sessionMaxAge = DEFAULT_MAX_AGE;
+function getSessionClient() {
+    if (!_sessionClient) {
+        const url = process.env.DATABASE_URL || "file:./data/app.db";
+        if (url.startsWith("file:")) {
+            fs.mkdirSync(path.join(process.cwd(), "data"), { recursive: true });
+        }
+        _sessionClient = createClient({
+            url,
+            authToken: process.env.DATABASE_AUTH_TOKEN,
+        });
+    }
+    return _sessionClient;
+}
+async function ensureSessionTable() {
+    if (_sessionTableReady)
+        return;
+    const client = getSessionClient();
+    await client.execute(`
+    CREATE TABLE IF NOT EXISTS sessions (
+      token TEXT PRIMARY KEY,
+      email TEXT,
+      created_at INTEGER NOT NULL
+    )
+  `);
+    // Migration: add email column to existing tables that lack it
+    try {
+        await client.execute(`ALTER TABLE sessions ADD COLUMN email TEXT`);
+    }
+    catch {
+        // Column already exists — ignore
+    }
+    _sessionTableReady = true;
+}
+async function pruneExpiredSessions() {
+    await ensureSessionTable();
+    const client = getSessionClient();
+    const cutoff = Date.now() - sessionMaxAge * 1000;
+    await client.execute({
+        sql: `DELETE FROM sessions WHERE created_at < ?`,
+        args: [cutoff],
+    });
+}
+/**
+ * Create a new session. Optionally associate it with an email address
+ * (used by Google OAuth and other identity-aware auth providers).
+ */
+export async function addSession(token, email) {
+    await ensureSessionTable();
+    const client = getSessionClient();
+    await client.execute({
+        sql: `INSERT OR REPLACE INTO sessions (token, email, created_at) VALUES (?, ?, ?)`,
+        args: [token, email ?? null, Date.now()],
+    });
+}
+/** Remove a session by token. */
+export async function removeSession(token) {
+    await ensureSessionTable();
+    const client = getSessionClient();
+    await client.execute({
+        sql: `DELETE FROM sessions WHERE token = ?`,
+        args: [token],
+    });
+}
+/**
+ * Look up the email associated with a session token.
+ * Returns null if the session doesn't exist, is expired, or has no email.
+ */
+export async function getSessionEmail(token) {
+    await ensureSessionTable();
+    const client = getSessionClient();
+    const { rows } = await client.execute({
+        sql: `SELECT email, created_at FROM sessions WHERE token = ?`,
+        args: [token],
+    });
+    if (rows.length === 0)
+        return null;
+    const createdAt = rows[0].created_at;
+    if (Date.now() - createdAt > sessionMaxAge * 1000) {
+        await client.execute({
+            sql: `DELETE FROM sessions WHERE token = ?`,
+            args: [token],
+        });
+        return null;
+    }
+    return rows[0].email ?? null;
+}
+async function hasSession(token) {
+    await ensureSessionTable();
+    const client = getSessionClient();
+    const { rows } = await client.execute({
+        sql: `SELECT created_at FROM sessions WHERE token = ?`,
+        args: [token],
+    });
+    if (rows.length === 0)
+        return false;
+    const createdAt = rows[0].created_at;
+    if (Date.now() - createdAt > sessionMaxAge * 1000) {
+        await client.execute({
+            sql: `DELETE FROM sessions WHERE token = ?`,
+            args: [token],
+        });
+        return false;
+    }
+    return true;
+}
+// ---------------------------------------------------------------------------
+// Token resolution — supports ACCESS_TOKEN (single) or ACCESS_TOKENS (multi)
+// ---------------------------------------------------------------------------
+function getAccessTokens() {
+    const single = process.env.ACCESS_TOKEN;
+    const multi = process.env.ACCESS_TOKENS;
+    const tokens = [];
+    if (single)
+        tokens.push(single);
+    if (multi) {
+        for (const t of multi.split(",")) {
+            const trimmed = t.trim();
+            if (trimmed && !tokens.includes(trimmed))
+                tokens.push(trimmed);
+        }
+    }
+    return tokens;
+}
+// ---------------------------------------------------------------------------
+// Dev mode detection
+// ---------------------------------------------------------------------------
+function isDevMode() {
+    return process.env.NODE_ENV !== "production";
+}
+// ---------------------------------------------------------------------------
+// getSession — the auth contract
+// ---------------------------------------------------------------------------
+let customGetSession = null;
+let authDisabledMode = false;
+const DEV_SESSION = { email: "local@localhost" };
+/**
+ * Get the current auth session for a request.
+ *
+ * - In dev mode: always returns { email: "local@localhost" }
+ * - In production with built-in auth: returns session if cookie is valid
+ * - With custom auth (BYOA): delegates to the custom getSession
+ */
+export async function getSession(event) {
+    if (isDevMode())
+        return DEV_SESSION;
+    if (authDisabledMode)
+        return DEV_SESSION;
+    if (customGetSession)
+        return customGetSession(event);
+    const cookie = getCookie(event, COOKIE_NAME);
+    if (cookie && (await hasSession(cookie))) {
+        return { email: "user", token: cookie };
+    }
+    return null;
+}
+// ---------------------------------------------------------------------------
+// Constant-time token comparison
+// ---------------------------------------------------------------------------
+function safeTokenMatch(input, tokens) {
+    const inputBuf = Buffer.from(input);
+    for (const token of tokens) {
+        const tokenBuf = Buffer.from(token);
+        if (inputBuf.length === tokenBuf.length &&
+            crypto.timingSafeEqual(inputBuf, tokenBuf)) {
+            return true;
+        }
+    }
+    return false;
+}
+// ---------------------------------------------------------------------------
+// Login page HTML
+// ---------------------------------------------------------------------------
+const LOGIN_HTML = `<!DOCTYPE html>
+<html lang="en">
+<head>
+<meta charset="UTF-8">
+<meta name="viewport" content="width=device-width, initial-scale=1.0">
+<title>Sign in</title>
+<style>
+  *, *::before, *::after { box-sizing: border-box; margin: 0; padding: 0; }
+  body {
+    font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", sans-serif;
+    background: #0a0a0a;
+    color: #e5e5e5;
+    display: flex;
+    align-items: center;
+    justify-content: center;
+    min-height: 100vh;
+  }
+  .card {
+    width: 100%;
+    max-width: 360px;
+    padding: 2rem;
+    background: #141414;
+    border: 1px solid rgba(255,255,255,0.08);
+    border-radius: 12px;
+  }
+  h1 { font-size: 1.125rem; font-weight: 600; margin-bottom: 1.5rem; color: #fff; }
+  label { display: block; font-size: 0.8125rem; color: #888; margin-bottom: 0.375rem; }
+  input {
+    width: 100%;
+    padding: 0.625rem 0.75rem;
+    background: #1e1e1e;
+    border: 1px solid rgba(255,255,255,0.12);
+    border-radius: 8px;
+    color: #e5e5e5;
+    font-size: 0.9375rem;
+    outline: none;
+    transition: border-color 0.15s;
+  }
+  input:focus { border-color: rgba(255,255,255,0.3); }
+  button {
+    width: 100%;
+    margin-top: 1rem;
+    padding: 0.625rem;
+    background: #fff;
+    color: #000;
+    border: none;
+    border-radius: 8px;
+    font-size: 0.9375rem;
+    font-weight: 500;
+    cursor: pointer;
+    transition: opacity 0.15s;
+  }
+  button:hover { opacity: 0.85; }
+  .error { margin-top: 0.75rem; font-size: 0.8125rem; color: #f87171; display: none; }
+  .error.show { display: block; }
+</style>
+</head>
+<body>
+<div class="card">
+  <h1>Sign in</h1>
+  <form id="form">
+    <label for="token">Access token</label>
+    <input id="token" type="password" autocomplete="current-password" autofocus placeholder="Enter access token" />
+    <button type="submit">Continue</button>
+    <p class="error" id="err">Invalid token. Please try again.</p>
+  </form>
+</div>
+<script>
+  document.getElementById('form').addEventListener('submit', async (e) => {
+    e.preventDefault();
+    const token = document.getElementById('token').value;
+    const res = await fetch('/api/auth/login', {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json' },
+      body: JSON.stringify({ token }),
+    });
+    if (res.ok) {
+      window.location.reload();
+    } else {
+      document.getElementById('err').classList.add('show');
+    }
+  });
+</script>
+</body>
+</html>`;
+// ---------------------------------------------------------------------------
+// mountAuthMiddleware — mounts login/logout/session routes + auth guard
+// ---------------------------------------------------------------------------
+/**
+ * Mount auth middleware + login/logout/session routes onto an H3 app.
+ *
+ * @deprecated Use `autoMountAuth(app, options?)` instead for automatic
+ * dev/prod behavior. This function is kept for backwards compatibility
+ * when you need explicit control over the access token.
+ */
+export function mountAuthMiddleware(app, accessToken) {
+    mountAuthRoutes(app, [accessToken]);
+}
+function isPublicPath(url, publicPaths) {
+    const p = url.split("?")[0];
+    return publicPaths.some((pp) => p === pp || p.startsWith(pp + "/"));
+}
+function mountAuthRoutes(app, accessTokens, publicPaths = []) {
+    // POST /api/auth/login
+    app.use("/api/auth/login", defineEventHandler(async (event) => {
+        if (getMethod(event) !== "POST") {
+            setResponseStatus(event, 405);
+            return { error: "Method not allowed" };
+        }
+        const body = await readBody(event);
+        if (!body?.token ||
+            typeof body.token !== "string" ||
+            !safeTokenMatch(body.token, accessTokens)) {
+            setResponseStatus(event, 401);
+            return { error: "Invalid token" };
+        }
+        const sessionToken = crypto.randomBytes(32).toString("hex");
+        await addSession(sessionToken);
+        setCookie(event, COOKIE_NAME, sessionToken, {
+            httpOnly: true,
+            secure: true,
+            sameSite: "lax",
+            path: "/",
+            maxAge: sessionMaxAge,
+        });
+        return { ok: true };
+    }));
+    // POST /api/auth/logout
+    app.use("/api/auth/logout", defineEventHandler(async (event) => {
+        const cookie = getCookie(event, COOKIE_NAME);
+        if (cookie)
+            await removeSession(cookie);
+        deleteCookie(event, COOKIE_NAME, { path: "/" });
+        return { ok: true };
+    }));
+    // GET /api/auth/session — client session check
+    app.use("/api/auth/session", defineEventHandler(async (event) => {
+        if (getMethod(event) !== "GET") {
+            setResponseStatus(event, 405);
+            return { error: "Method not allowed" };
+        }
+        const session = await getSession(event);
+        return session ?? { error: "Not authenticated" };
+    }));
+    // Auth guard — runs before all other handlers
+    app.use(defineEventHandler(async (event) => {
+        const url = event.node.req.url ?? "/";
+        const p = url.split("?")[0];
+        // Skip auth routes
+        if (p === "/api/auth/login" ||
+            p === "/api/auth/logout" ||
+            p === "/api/auth/session") {
+            return;
+        }
+        // Skip public paths
+        if (isPublicPath(url, publicPaths)) {
+            return;
+        }
+        // Use getSession() so BYOA custom auth is respected
+        const session = await getSession(event);
+        if (session) {
+            return; // Authenticated
+        }
+        // Unauthenticated
+        if (p.startsWith("/api/")) {
+            setResponseStatus(event, 401);
+            setResponseHeader(event, "Content-Type", "application/json");
+            event.node.res.end(JSON.stringify({ error: "Unauthorized" }));
+            return;
+        }
+        setResponseHeader(event, "Content-Type", "text/html");
+        event.node.res.end(LOGIN_HTML);
+    }));
+}
+// ---------------------------------------------------------------------------
+// autoMountAuth — the recommended entry point
+// ---------------------------------------------------------------------------
+/**
+ * Automatically configure auth based on the environment:
+ *
+ * - **Dev mode** (`NODE_ENV !== "production"`): Auth is skipped entirely.
+ *   `getSession()` returns `{ email: "local@localhost" }` for all requests.
+ *
+ * - **Production with ACCESS_TOKEN/ACCESS_TOKENS set**: Auth middleware is
+ *   mounted. Unauthenticated requests see a login page. One env var is all
+ *   you need.
+ *
+ * - **Production without tokens and AUTH_DISABLED !== "true"**: Refuses to
+ *   start. Logs a clear error explaining what to do.
+ *
+ * - **Production with AUTH_DISABLED=true**: Auth is skipped (for apps behind
+ *   infrastructure-level auth like Cloudflare Access or a VPN).
+ *
+ * Returns true if auth was mounted, false if skipped.
+ */
+export function autoMountAuth(app, options = {}) {
+    // In Nitro 3.0 dev mode, the H3 app may not be available yet.
+    // In dev mode auth is bypassed anyway, so we can safely skip.
+    if (!app) {
+        if (isDevMode()) {
+            authDisabledMode = false;
+            customGetSession = null;
+            return false;
+        }
+        throw new Error("autoMountAuth: H3 app is required. In Nitro plugins, pass nitroApp.h3App.");
+    }
+    // Reset globals to avoid stale state from prior calls
+    customGetSession = null;
+    authDisabledMode = false;
+    sessionMaxAge = options.maxAge ?? DEFAULT_MAX_AGE;
+    const publicPaths = options.publicPaths ?? [];
+    if (options.getSession) {
+        customGetSession = options.getSession;
+    }
+    // Dev mode — skip auth entirely
+    if (isDevMode()) {
+        // Mount a session endpoint that returns the dev stub
+        app.use("/api/auth/session", defineEventHandler(async (event) => {
+            if (getMethod(event) !== "GET") {
+                setResponseStatus(event, 405);
+                return { error: "Method not allowed" };
+            }
+            return DEV_SESSION;
+        }));
+        // Mount no-op login/logout so client code doesn't break
+        app.use("/api/auth/login", defineEventHandler(() => ({ ok: true })));
+        app.use("/api/auth/logout", defineEventHandler(() => ({ ok: true })));
+        return false;
+    }
+    // BYOA with custom getSession — skip token check, mount session/guard routes
+    if (customGetSession) {
+        // Mount session endpoint
+        app.use("/api/auth/session", defineEventHandler(async (event) => {
+            if (getMethod(event) !== "GET") {
+                setResponseStatus(event, 405);
+                return { error: "Method not allowed" };
+            }
+            const session = await getSession(event);
+            return session ?? { error: "Not authenticated" };
+        }));
+        app.use("/api/auth/login", defineEventHandler(() => ({ ok: true })));
+        app.use("/api/auth/logout", defineEventHandler(() => ({ ok: true })));
+        // Mount auth guard that delegates to custom getSession
+        const byoaLoginHtml = options.loginHtml ?? LOGIN_HTML;
+        app.use(defineEventHandler(async (event) => {
+            const url = event.node.req.url ?? "/";
+            const p = url.split("?")[0];
+            if (p === "/api/auth/login" ||
+                p === "/api/auth/logout" ||
+                p === "/api/auth/session") {
+                return;
+            }
+            // Skip public paths
+            if (isPublicPath(url, publicPaths)) {
+                return;
+            }
+            const session = await getSession(event);
+            if (session)
+                return;
+            if (p.startsWith("/api/")) {
+                setResponseStatus(event, 401);
+                setResponseHeader(event, "Content-Type", "application/json");
+                event.node.res.end(JSON.stringify({ error: "Unauthorized" }));
+                return;
+            }
+            setResponseHeader(event, "Content-Type", "text/html");
+            event.node.res.end(byoaLoginHtml);
+        }));
+        console.log("[agent-native] Auth enabled — custom getSession provider.");
+        return true;
+    }
+    // Production — check for tokens
+    const tokens = getAccessTokens();
+    if (tokens.length === 0) {
+        // No tokens set — check if auth is explicitly disabled
+        if (process.env.AUTH_DISABLED === "true") {
+            authDisabledMode = true;
+            console.warn("[agent-native] AUTH_DISABLED=true — running in production without auth. " +
+                "Ensure this app is behind infrastructure-level auth (Cloudflare Access, VPN, etc.).");
+            // Mount session endpoint — getSession() will return DEV_SESSION
+            app.use("/api/auth/session", defineEventHandler(async (event) => {
+                if (getMethod(event) !== "GET") {
+                    setResponseStatus(event, 405);
+                    return { error: "Method not allowed" };
+                }
+                return DEV_SESSION;
+            }));
+            app.use("/api/auth/login", defineEventHandler(() => ({ ok: true })));
+            app.use("/api/auth/logout", defineEventHandler(() => ({ ok: true })));
+            return false;
+        }
+        // Refuse to start without auth in production
+        const msg = "\n" +
+            "=".repeat(70) +
+            "\n" +
+            " ERROR: Running in production without authentication.\n\n" +
+            " Set ACCESS_TOKEN=<your-secret> to enable auth, or\n" +
+            " set AUTH_DISABLED=true if this app is behind infrastructure auth.\n\n" +
+            " For multi-user access: ACCESS_TOKENS=token1,token2,token3\n" +
+            "=".repeat(70) +
+            "\n";
+        console.error(msg);
+        process.exit(1);
+    }
+    // Production with tokens — mount auth
+    pruneExpiredSessions().catch(() => { });
+    mountAuthRoutes(app, tokens, publicPaths);
+    console.log(`[agent-native] Auth enabled — ${tokens.length} access token(s) configured.`);
+    return true;
+}
+//# sourceMappingURL=auth.js.map

package/dist/server/auth.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth.js","sourceRoot":"","sources":["../../src/server/auth.ts"],"names":[],"mappings":"AAAA,OAAO,MAAM,MAAM,aAAa,CAAC;AACjC,OAAO,EAAE,MAAM,SAAS,CAAC;AACzB,OAAO,IAAI,MAAM,WAAW,CAAC;AAC7B,OAAO,EACL,kBAAkB,EAClB,QAAQ,EACR,SAAS,EACT,iBAAiB,EACjB,iBAAiB,EACjB,SAAS,EACT,SAAS,EACT,YAAY,GACb,MAAM,IAAI,CAAC;AAEZ,OAAO,EAAE,YAAY,EAAe,MAAM,gBAAgB,CAAC;AAkC3D,8EAA8E;AAC9E,YAAY;AACZ,8EAA8E;AAE9E,MAAM,WAAW,GAAG,YAAY,CAAC;AACjC,MAAM,eAAe,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,CAAC,CAAC,UAAU;AAErD,8EAA8E;AAC9E,6BAA6B;AAC7B,8EAA8E;AAE9E,IAAI,cAAkC,CAAC;AACvC,IAAI,kBAAkB,GAAG,KAAK,CAAC;AAC/B,IAAI,aAAa,GAAG,eAAe,CAAC;AAEpC,SAAS,gBAAgB;IACvB,IAAI,CAAC,cAAc,EAAE,CAAC;QACpB,MAAM,GAAG,GAAG,OAAO,CAAC,GAAG,CAAC,YAAY,IAAI,oBAAoB,CAAC;QAC7D,IAAI,GAAG,CAAC,UAAU,CAAC,OAAO,CAAC,EAAE,CAAC;YAC5B,EAAE,CAAC,SAAS,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,EAAE,MAAM,CAAC,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;QACtE,CAAC;QACD,cAAc,GAAG,YAAY,CAAC;YAC5B,GAAG;YACH,SAAS,EAAE,OAAO,CAAC,GAAG,CAAC,mBAAmB;SAC3C,CAAC,CAAC;IACL,CAAC;IACD,OAAO,cAAc,CAAC;AACxB,CAAC;AAED,KAAK,UAAU,kBAAkB;IAC/B,IAAI,kBAAkB;QAAE,OAAO;IAC/B,MAAM,MAAM,GAAG,gBAAgB,EAAE,CAAC;IAClC,MAAM,MAAM,CAAC,OAAO,CAAC;;;;;;GAMpB,CAAC,CAAC;IACH,8DAA8D;IAC9D,IAAI,CAAC;QACH,MAAM,MAAM,CAAC,OAAO,CAAC,4CAA4C,CAAC,CAAC;IACrE,CAAC;IAAC,MAAM,CAAC;QACP,iCAAiC;IACnC,CAAC;IACD,kBAAkB,GAAG,IAAI,CAAC;AAC5B,CAAC;AAED,KAAK,UAAU,oBAAoB;IACjC,MAAM,kBAAkB,EAAE,CAAC;IAC3B,MAAM,MAAM,GAAG,gBAAgB,EAAE,CAAC;IAClC,MAAM,MAAM,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,aAAa,GAAG,IAAI,CAAC;IACjD,MAAM,MAAM,CAAC,OAAO,CAAC;QACnB,GAAG,EAAE,2CAA2C;QAChD,IAAI,EAAE,CAAC,MAAM,CAAC;KACf,CAAC,CAAC;AACL,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,UAAU,CAAC,KAAa,EAAE,KAAc;IAC5D,MAAM,kBAAkB,EAAE,CAAC;IAC3B,MAAM,MAAM,GAAG,gBAAgB,EAAE,CAAC;IAClC,MAAM,MAAM,CAAC,OAAO,CAAC;QACnB,GAAG,EAAE,6EAA6E;QAClF,IAAI,EAAE,CAAC,KAAK,EAAE,KAAK,IAAI,IAAI,EAAE,IAAI,CAAC,GAAG,EAAE,CAAC;KACzC,CAAC,CAAC;AACL,CAAC;AAED,iCAAiC;AACjC,MAAM,CAAC,KAAK,UAAU,aAAa,CAAC,KAAa;IAC/C,MAAM,kBAAkB,EAAE,CAAC;IAC3B,MAAM,MAAM,GAAG,gBAAgB,EAAE,CAAC;IAClC,MAAM,MAAM,CAAC,OAAO,CAAC;QACnB,GAAG,EAAE,sCAAsC;QAC3C,IAAI,EAAE,CAAC,KAAK,CAAC;KACd,CAAC,CAAC;AACL,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,eAAe,CAAC,KAAa;IACjD,MAAM,kBAAkB,EAAE,CAAC;IAC3B,MAAM,MAAM,GAAG,gBAAgB,EAAE,CAAC;IAClC,MAAM,EAAE,IAAI,EAAE,GAAG,MAAM,MAAM,CAAC,OAAO,CAAC;QACpC,GAAG,EAAE,wDAAwD;QAC7D,IAAI,EAAE,CAAC,KAAK,CAAC;KACd,CAAC,CAAC;IACH,IAAI,IAAI,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC;IACnC,MAAM,SAAS,GAAG,IAAI,CAAC,CAAC,CAAC,CAAC,UAAoB,CAAC;IAC/C,IAAI,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS,GAAG,aAAa,GAAG,IAAI,EAAE,CAAC;QAClD,MAAM,MAAM,CAAC,OAAO,CAAC;YACnB,GAAG,EAAE,sCAAsC;YAC3C,IAAI,EAAE,CAAC,KAAK,CAAC;SACd,CAAC,CAAC;QACH,OAAO,IAAI,CAAC;IACd,CAAC;IACD,OAAQ,IAAI,CAAC,CAAC,CAAC,CAAC,KAAgB,IAAI,IAAI,CAAC;AAC3C,CAAC;AAED,KAAK,UAAU,UAAU,CAAC,KAAa;IACrC,MAAM,kBAAkB,EAAE,CAAC;IAC3B,MAAM,MAAM,GAAG,gBAAgB,EAAE,CAAC;IAClC,MAAM,EAAE,IAAI,EAAE,GAAG,MAAM,MAAM,CAAC,OAAO,CAAC;QACpC,GAAG,EAAE,iDAAiD;QACtD,IAAI,EAAE,CAAC,KAAK,CAAC;KACd,CAAC,CAAC;IACH,IAAI,IAAI,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,KAAK,CAAC;IACpC,MAAM,SAAS,GAAG,IAAI,CAAC,CAAC,CAAC,CAAC,UAAoB,CAAC;IAC/C,IAAI,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS,GAAG,aAAa,GAAG,IAAI,EAAE,CAAC;QAClD,MAAM,MAAM,CAAC,OAAO,CAAC;YACnB,GAAG,EAAE,sCAAsC;YAC3C,IAAI,EAAE,CAAC,KAAK,CAAC;SACd,CAAC,CAAC;QACH,OAAO,KAAK,CAAC;IACf,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED,8EAA8E;AAC9E,6EAA6E;AAC7E,8EAA8E;AAE9E,SAAS,eAAe;IACtB,MAAM,MAAM,GAAG,OAAO,CAAC,GAAG,CAAC,YAAY,CAAC;IACxC,MAAM,KAAK,GAAG,OAAO,CAAC,GAAG,CAAC,aAAa,CAAC;IACxC,MAAM,MAAM,GAAa,EAAE,CAAC;IAC5B,IAAI,MAAM;QAAE,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;IAChC,IAAI,KAAK,EAAE,CAAC;QACV,KAAK,MAAM,CAAC,IAAI,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,EAAE,CAAC;YACjC,MAAM,OAAO,GAAG,CAAC,CAAC,IAAI,EAAE,CAAC;YACzB,IAAI,OAAO,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,OAAO,CAAC;gBAAE,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QACjE,CAAC;IACH,CAAC;IACD,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,8EAA8E;AAC9E,qBAAqB;AACrB,8EAA8E;AAE9E,SAAS,SAAS;IAChB,OAAO,OAAO,CAAC,GAAG,CAAC,QAAQ,KAAK,YAAY,CAAC;AAC/C,CAAC;AAED,8EAA8E;AAC9E,iCAAiC;AACjC,8EAA8E;AAE9E,IAAI,gBAAgB,GAClB,IAAI,CAAC;AACP,IAAI,gBAAgB,GAAG,KAAK,CAAC;AAE7B,MAAM,WAAW,GAAgB,EAAE,KAAK,EAAE,iBAAiB,EAAE,CAAC;AAE9D;;;;;;GAMG;AACH,MAAM,CAAC,KAAK,UAAU,UAAU,CAAC,KAAc;IAC7C,IAAI,SAAS,EAAE;QAAE,OAAO,WAAW,CAAC;IACpC,IAAI,gBAAgB;QAAE,OAAO,WAAW,CAAC;IAEzC,IAAI,gBAAgB;QAAE,OAAO,gBAAgB,CAAC,KAAK,CAAC,CAAC;IAErD,MAAM,MAAM,GAAG,SAAS,CAAC,KAAK,EAAE,WAAW,CAAC,CAAC;IAC7C,IAAI,MAAM,IAAI,CAAC,MAAM,UAAU,CAAC,MAAM,CAAC,CAAC,EAAE,CAAC;QACzC,OAAO,EAAE,KAAK,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,CAAC;IAC1C,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED,8EAA8E;AAC9E,iCAAiC;AACjC,8EAA8E;AAE9E,SAAS,cAAc,CAAC,KAAa,EAAE,MAAgB;IACrD,MAAM,QAAQ,GAAG,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IACpC,KAAK,MAAM,KAAK,IAAI,MAAM,EAAE,CAAC;QAC3B,MAAM,QAAQ,GAAG,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QACpC,IACE,QAAQ,CAAC,MAAM,KAAK,QAAQ,CAAC,MAAM;YACnC,MAAM,CAAC,eAAe,CAAC,QAAQ,EAAE,QAAQ,CAAC,EAC1C,CAAC;YACD,OAAO,IAAI,CAAC;QACd,CAAC;IACH,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAED,8EAA8E;AAC9E,kBAAkB;AAClB,8EAA8E;AAE9E,MAAM,UAAU,GAAG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;QAoFX,CAAC;AAET,8EAA8E;AAC9E,wEAAwE;AACxE,8EAA8E;AAE9E;;;;;;GAMG;AACH,MAAM,UAAU,mBAAmB,CAAC,GAAU,EAAE,WAAmB;IACjE,eAAe,CAAC,GAAG,EAAE,CAAC,WAAW,CAAC,CAAC,CAAC;AACtC,CAAC;AAED,SAAS,YAAY,CAAC,GAAW,EAAE,WAAqB;IACtD,MAAM,CAAC,GAAG,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;IAC5B,OAAO,WAAW,CAAC,IAAI,CAAC,CAAC,EAAE,EAAE,EAAE,CAAC,CAAC,KAAK,EAAE,IAAI,CAAC,CAAC,UAAU,CAAC,EAAE,GAAG,GAAG,CAAC,CAAC,CAAC;AACtE,CAAC;AAED,SAAS,eAAe,CACtB,GAAU,EACV,YAAsB,EACtB,cAAwB,EAAE;IAE1B,uBAAuB;IACvB,GAAG,CAAC,GAAG,CACL,iBAAiB,EACjB,kBAAkB,CAAC,KAAK,EAAE,KAAK,EAAE,EAAE;QACjC,IAAI,SAAS,CAAC,KAAK,CAAC,KAAK,MAAM,EAAE,CAAC;YAChC,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9B,OAAO,EAAE,KAAK,EAAE,oBAAoB,EAAE,CAAC;QACzC,CAAC;QACD,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,KAAK,CAAC,CAAC;QACnC,IACE,CAAC,IAAI,EAAE,KAAK;YACZ,OAAO,IAAI,CAAC,KAAK,KAAK,QAAQ;YAC9B,CAAC,cAAc,CAAC,IAAI,CAAC,KAAK,EAAE,YAAY,CAAC,EACzC,CAAC;YACD,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9B,OAAO,EAAE,KAAK,EAAE,eAAe,EAAE,CAAC;QACpC,CAAC;QACD,MAAM,YAAY,GAAG,MAAM,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;QAC5D,MAAM,UAAU,CAAC,YAAY,CAAC,CAAC;QAC/B,SAAS,CAAC,KAAK,EAAE,WAAW,EAAE,YAAY,EAAE;YAC1C,QAAQ,EAAE,IAAI;YACd,MAAM,EAAE,IAAI;YACZ,QAAQ,EAAE,KAAK;YACf,IAAI,EAAE,GAAG;YACT,MAAM,EAAE,aAAa;SACtB,CAAC,CAAC;QACH,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,CAAC;IACtB,CAAC,CAAC,CACH,CAAC;IAEF,wBAAwB;IACxB,GAAG,CAAC,GAAG,CACL,kBAAkB,EAClB,kBAAkB,CAAC,KAAK,EAAE,KAAK,EAAE,EAAE;QACjC,MAAM,MAAM,GAAG,SAAS,CAAC,KAAK,EAAE,WAAW,CAAC,CAAC;QAC7C,IAAI,MAAM;YAAE,MAAM,aAAa,CAAC,MAAM,CAAC,CAAC;QACxC,YAAY,CAAC,KAAK,EAAE,WAAW,EAAE,EAAE,IAAI,EAAE,GAAG,EAAE,CAAC,CAAC;QAChD,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,CAAC;IACtB,CAAC,CAAC,CACH,CAAC;IAEF,+CAA+C;IAC/C,GAAG,CAAC,GAAG,CACL,mBAAmB,EACnB,kBAAkB,CAAC,KAAK,EAAE,KAAK,EAAE,EAAE;QACjC,IAAI,SAAS,CAAC,KAAK,CAAC,KAAK,KAAK,EAAE,CAAC;YAC/B,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9B,OAAO,EAAE,KAAK,EAAE,oBAAoB,EAAE,CAAC;QACzC,CAAC;QACD,MAAM,OAAO,GAAG,MAAM,UAAU,CAAC,KAAK,CAAC,CAAC;QACxC,OAAO,OAAO,IAAI,EAAE,KAAK,EAAE,mBAAmB,EAAE,CAAC;IACnD,CAAC,CAAC,CACH,CAAC;IAEF,8CAA8C;IAC9C,GAAG,CAAC,GAAG,CACL,kBAAkB,CAAC,KAAK,EAAE,KAAK,EAAE,EAAE;QACjC,MAAM,GAAG,GAAG,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,GAAG,IAAI,GAAG,CAAC;QACtC,MAAM,CAAC,GAAG,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;QAE5B,mBAAmB;QACnB,IACE,CAAC,KAAK,iBAAiB;YACvB,CAAC,KAAK,kBAAkB;YACxB,CAAC,KAAK,mBAAmB,EACzB,CAAC;YACD,OAAO;QACT,CAAC;QAED,oBAAoB;QACpB,IAAI,YAAY,CAAC,GAAG,EAAE,WAAW,CAAC,EAAE,CAAC;YACnC,OAAO;QACT,CAAC;QAED,oDAAoD;QACpD,MAAM,OAAO,GAAG,MAAM,UAAU,CAAC,KAAK,CAAC,CAAC;QACxC,IAAI,OAAO,EAAE,CAAC;YACZ,OAAO,CAAC,gBAAgB;QAC1B,CAAC;QAED,kBAAkB;QAClB,IAAI,CAAC,CAAC,UAAU,CAAC,OAAO,CAAC,EAAE,CAAC;YAC1B,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9B,iBAAiB,CAAC,KAAK,EAAE,cAAc,EAAE,kBAAkB,CAAC,CAAC;YAC7D,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,cAAc,EAAE,CAAC,CAAC,CAAC;YAC9D,OAAO;QACT,CAAC;QAED,iBAAiB,CAAC,KAAK,EAAE,cAAc,EAAE,WAAW,CAAC,CAAC;QACtD,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC;IACjC,CAAC,CAAC,CACH,CAAC;AACJ,CAAC;AAED,8EAA8E;AAC9E,8CAA8C;AAC9C,8EAA8E;AAE9E;;;;;;;;;;;;;;;;;GAiBG;AACH,MAAM,UAAU,aAAa,CAAC,GAAU,EAAE,UAAuB,EAAE;IACjE,8DAA8D;IAC9D,8DAA8D;IAC9D,IAAI,CAAC,GAAG,EAAE,CAAC;QACT,IAAI,SAAS,EAAE,EAAE,CAAC;YAChB,gBAAgB,GAAG,KAAK,CAAC;YACzB,gBAAgB,GAAG,IAAI,CAAC;YACxB,OAAO,KAAK,CAAC;QACf,CAAC;QACD,MAAM,IAAI,KAAK,CACb,2EAA2E,CAC5E,CAAC;IACJ,CAAC;IAED,sDAAsD;IACtD,gBAAgB,GAAG,IAAI,CAAC;IACxB,gBAAgB,GAAG,KAAK,CAAC;IACzB,aAAa,GAAG,OAAO,CAAC,MAAM,IAAI,eAAe,CAAC;IAClD,MAAM,WAAW,GAAG,OAAO,CAAC,WAAW,IAAI,EAAE,CAAC;IAE9C,IAAI,OAAO,CAAC,UAAU,EAAE,CAAC;QACvB,gBAAgB,GAAG,OAAO,CAAC,UAAU,CAAC;IACxC,CAAC;IAED,gCAAgC;IAChC,IAAI,SAAS,EAAE,EAAE,CAAC;QAChB,qDAAqD;QACrD,GAAG,CAAC,GAAG,CACL,mBAAmB,EACnB,kBAAkB,CAAC,KAAK,EAAE,KAAK,EAAE,EAAE;YACjC,IAAI,SAAS,CAAC,KAAK,CAAC,KAAK,KAAK,EAAE,CAAC;gBAC/B,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;gBAC9B,OAAO,EAAE,KAAK,EAAE,oBAAoB,EAAE,CAAC;YACzC,CAAC;YACD,OAAO,WAAW,CAAC;QACrB,CAAC,CAAC,CACH,CAAC;QAEF,wDAAwD;QACxD,GAAG,CAAC,GAAG,CACL,iBAAiB,EACjB,kBAAkB,CAAC,GAAG,EAAE,CAAC,CAAC,EAAE,EAAE,EAAE,IAAI,EAAE,CAAC,CAAC,CACzC,CAAC;QACF,GAAG,CAAC,GAAG,CACL,kBAAkB,EAClB,kBAAkB,CAAC,GAAG,EAAE,CAAC,CAAC,EAAE,EAAE,EAAE,IAAI,EAAE,CAAC,CAAC,CACzC,CAAC;QAEF,OAAO,KAAK,CAAC;IACf,CAAC;IAED,6EAA6E;IAC7E,IAAI,gBAAgB,EAAE,CAAC;QACrB,yBAAyB;QACzB,GAAG,CAAC,GAAG,CACL,mBAAmB,EACnB,kBAAkB,CAAC,KAAK,EAAE,KAAK,EAAE,EAAE;YACjC,IAAI,SAAS,CAAC,KAAK,CAAC,KAAK,KAAK,EAAE,CAAC;gBAC/B,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;gBAC9B,OAAO,EAAE,KAAK,EAAE,oBAAoB,EAAE,CAAC;YACzC,CAAC;YACD,MAAM,OAAO,GAAG,MAAM,UAAU,CAAC,KAAK,CAAC,CAAC;YACxC,OAAO,OAAO,IAAI,EAAE,KAAK,EAAE,mBAAmB,EAAE,CAAC;QACnD,CAAC,CAAC,CACH,CAAC;QACF,GAAG,CAAC,GAAG,CACL,iBAAiB,EACjB,kBAAkB,CAAC,GAAG,EAAE,CAAC,CAAC,EAAE,EAAE,EAAE,IAAI,EAAE,CAAC,CAAC,CACzC,CAAC;QACF,GAAG,CAAC,GAAG,CACL,kBAAkB,EAClB,kBAAkB,CAAC,GAAG,EAAE,CAAC,CAAC,EAAE,EAAE,EAAE,IAAI,EAAE,CAAC,CAAC,CACzC,CAAC;QAEF,uDAAuD;QACvD,MAAM,aAAa,GAAG,OAAO,CAAC,SAAS,IAAI,UAAU,CAAC;QACtD,GAAG,CAAC,GAAG,CACL,kBAAkB,CAAC,KAAK,EAAE,KAAK,EAAE,EAAE;YACjC,MAAM,GAAG,GAAG,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,GAAG,IAAI,GAAG,CAAC;YACtC,MAAM,CAAC,GAAG,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;YAC5B,IACE,CAAC,KAAK,iBAAiB;gBACvB,CAAC,KAAK,kBAAkB;gBACxB,CAAC,KAAK,mBAAmB,EACzB,CAAC;gBACD,OAAO;YACT,CAAC;YACD,oBAAoB;YACpB,IAAI,YAAY,CAAC,GAAG,EAAE,WAAW,CAAC,EAAE,CAAC;gBACnC,OAAO;YACT,CAAC;YACD,MAAM,OAAO,GAAG,MAAM,UAAU,CAAC,KAAK,CAAC,CAAC;YACxC,IAAI,OAAO;gBAAE,OAAO;YACpB,IAAI,CAAC,CAAC,UAAU,CAAC,OAAO,CAAC,EAAE,CAAC;gBAC1B,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;gBAC9B,iBAAiB,CAAC,KAAK,EAAE,cAAc,EAAE,kBAAkB,CAAC,CAAC;gBAC7D,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,cAAc,EAAE,CAAC,CAAC,CAAC;gBAC9D,OAAO;YACT,CAAC;YACD,iBAAiB,CAAC,KAAK,EAAE,cAAc,EAAE,WAAW,CAAC,CAAC;YACtD,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,aAAa,CAAC,CAAC;QACpC,CAAC,CAAC,CACH,CAAC;QAEF,OAAO,CAAC,GAAG,CAAC,2DAA2D,CAAC,CAAC;QACzE,OAAO,IAAI,CAAC;IACd,CAAC;IAED,gCAAgC;IAChC,MAAM,MAAM,GAAG,eAAe,EAAE,CAAC;IAEjC,IAAI,MAAM,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACxB,uDAAuD;QACvD,IAAI,OAAO,CAAC,GAAG,CAAC,aAAa,KAAK,MAAM,EAAE,CAAC;YACzC,gBAAgB,GAAG,IAAI,CAAC;YACxB,OAAO,CAAC,IAAI,CACV,0EAA0E;gBACxE,qFAAqF,CACxF,CAAC;YAEF,gEAAgE;YAChE,GAAG,CAAC,GAAG,CACL,mBAAmB,EACnB,kBAAkB,CAAC,KAAK,EAAE,KAAK,EAAE,EAAE;gBACjC,IAAI,SAAS,CAAC,KAAK,CAAC,KAAK,KAAK,EAAE,CAAC;oBAC/B,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;oBAC9B,OAAO,EAAE,KAAK,EAAE,oBAAoB,EAAE,CAAC;gBACzC,CAAC;gBACD,OAAO,WAAW,CAAC;YACrB,CAAC,CAAC,CACH,CAAC;YACF,GAAG,CAAC,GAAG,CACL,iBAAiB,EACjB,kBAAkB,CAAC,GAAG,EAAE,CAAC,CAAC,EAAE,EAAE,EAAE,IAAI,EAAE,CAAC,CAAC,CACzC,CAAC;YACF,GAAG,CAAC,GAAG,CACL,kBAAkB,EAClB,kBAAkB,CAAC,GAAG,EAAE,CAAC,CAAC,EAAE,EAAE,EAAE,IAAI,EAAE,CAAC,CAAC,CACzC,CAAC;YAEF,OAAO,KAAK,CAAC;QACf,CAAC;QAED,6CAA6C;QAC7C,MAAM,GAAG,GACP,IAAI;YACJ,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC;YACd,IAAI;YACJ,2DAA2D;YAC3D,sDAAsD;YACtD,wEAAwE;YACxE,8DAA8D;YAC9D,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC;YACd,IAAI,CAAC;QACP,OAAO,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QACnB,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;IAED,sCAAsC;IACtC,oBAAoB,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,GAAE,CAAC,CAAC,CAAC;IACvC,eAAe,CAAC,GAAG,EAAE,MAAM,EAAE,WAAW,CAAC,CAAC;IAE1C,OAAO,CAAC,GAAG,CACT,iCAAiC,MAAM,CAAC,MAAM,8BAA8B,CAC7E,CAAC;IACF,OAAO,IAAI,CAAC;AACd,CAAC"}

package/dist/server/captcha.d.ts

@@ -0,0 +1,12 @@
+export interface CaptchaVerifyResult {
+    success: boolean;
+    errorCodes?: string[];
+}
+/**
+ * Verify a Cloudflare Turnstile token server-side.
+ *
+ * - If no secret key is provided (param or env), returns success (captcha is opt-in).
+ * - In dev mode (NODE_ENV !== "production"), always returns success.
+ */
+export declare function verifyCaptcha(token: string, secretKey?: string): Promise<CaptchaVerifyResult>;
+//# sourceMappingURL=captcha.d.ts.map

package/dist/server/captcha.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"captcha.d.ts","sourceRoot":"","sources":["../../src/server/captcha.ts"],"names":[],"mappings":"AAIA,MAAM,WAAW,mBAAmB;IAClC,OAAO,EAAE,OAAO,CAAC;IACjB,UAAU,CAAC,EAAE,MAAM,EAAE,CAAC;CACvB;AAKD;;;;;GAKG;AACH,wBAAsB,aAAa,CACjC,KAAK,EAAE,MAAM,EACb,SAAS,CAAC,EAAE,MAAM,GACjB,OAAO,CAAC,mBAAmB,CAAC,CAyC9B"}

package/dist/server/captcha.js

@@ -0,0 +1,43 @@
+// ---------------------------------------------------------------------------
+// Cloudflare Turnstile — server-side verification
+// ---------------------------------------------------------------------------
+const TURNSTILE_VERIFY_URL = "https://challenges.cloudflare.com/turnstile/v0/siteverify";
+/**
+ * Verify a Cloudflare Turnstile token server-side.
+ *
+ * - If no secret key is provided (param or env), returns success (captcha is opt-in).
+ * - In dev mode (NODE_ENV !== "production"), always returns success.
+ */
+export async function verifyCaptcha(token, secretKey) {
+    // Dev mode — skip captcha
+    if (process.env.NODE_ENV !== "production") {
+        return { success: true };
+    }
+    const secret = secretKey ?? process.env.TURNSTILE_SECRET_KEY;
+    // No secret configured — captcha is opt-in, allow through
+    if (!secret) {
+        console.warn("[captcha] TURNSTILE_SECRET_KEY is not set — captcha verification is disabled. " +
+            "Set TURNSTILE_SECRET_KEY and VITE_TURNSTILE_SITE_KEY to enable bot protection.");
+        return { success: true };
+    }
+    // No token provided by client
+    if (!token) {
+        return { success: false, errorCodes: ["missing-input-response"] };
+    }
+    try {
+        const res = await fetch(TURNSTILE_VERIFY_URL, {
+            method: "POST",
+            headers: { "Content-Type": "application/x-www-form-urlencoded" },
+            body: new URLSearchParams({ secret, response: token }),
+        });
+        const data = (await res.json());
+        return {
+            success: data.success,
+            errorCodes: data["error-codes"],
+        };
+    }
+    catch {
+        return { success: false, errorCodes: ["network-error"] };
+    }
+}
+//# sourceMappingURL=captcha.js.map

package/dist/server/captcha.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"captcha.js","sourceRoot":"","sources":["../../src/server/captcha.ts"],"names":[],"mappings":"AAAA,8EAA8E;AAC9E,kDAAkD;AAClD,8EAA8E;AAO9E,MAAM,oBAAoB,GACxB,2DAA2D,CAAC;AAE9D;;;;;GAKG;AACH,MAAM,CAAC,KAAK,UAAU,aAAa,CACjC,KAAa,EACb,SAAkB;IAElB,0BAA0B;IAC1B,IAAI,OAAO,CAAC,GAAG,CAAC,QAAQ,KAAK,YAAY,EAAE,CAAC;QAC1C,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC;IAC3B,CAAC;IAED,MAAM,MAAM,GAAG,SAAS,IAAI,OAAO,CAAC,GAAG,CAAC,oBAAoB,CAAC;IAE7D,0DAA0D;IAC1D,IAAI,CAAC,MAAM,EAAE,CAAC;QACZ,OAAO,CAAC,IAAI,CACV,gFAAgF;YAC9E,gFAAgF,CACnF,CAAC;QACF,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC;IAC3B,CAAC;IAED,8BAA8B;IAC9B,IAAI,CAAC,KAAK,EAAE,CAAC;QACX,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,UAAU,EAAE,CAAC,wBAAwB,CAAC,EAAE,CAAC;IACpE,CAAC;IAED,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,oBAAoB,EAAE;YAC5C,MAAM,EAAE,MAAM;YACd,OAAO,EAAE,EAAE,cAAc,EAAE,mCAAmC,EAAE;YAChE,IAAI,EAAE,IAAI,eAAe,CAAC,EAAE,MAAM,EAAE,QAAQ,EAAE,KAAK,EAAE,CAAC;SACvD,CAAC,CAAC;QAEH,MAAM,IAAI,GAAG,CAAC,MAAM,GAAG,CAAC,IAAI,EAAE,CAG7B,CAAC;QAEF,OAAO;YACL,OAAO,EAAE,IAAI,CAAC,OAAO;YACrB,UAAU,EAAE,IAAI,CAAC,aAAa,CAAC;SAChC,CAAC;IACJ,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,UAAU,EAAE,CAAC,eAAe,CAAC,EAAE,CAAC;IAC3D,CAAC;AACH,CAAC"}

package/dist/server/create-server.d.ts

@@ -1,5 +1,4 @@
-import express from "express";
-import cors from "cors";
+import { createApp, createRouter } from "h3";
 export interface EnvKeyConfig {
     /** Environment variable name (e.g. "HUBSPOT_ACCESS_TOKEN") */
     key: string;
@@ -9,9 +8,9 @@ export interface EnvKeyConfig {
     required?: boolean;
 }
 export interface CreateServerOptions {
-    /** CORS options. Pass false to disable. Default: enabled with defaults. */
-    cors?: cors.CorsOptions | false;
-    /** JSON body parser limit. Default: "50mb" */
+    /** CORS options. Ignored (H3 handles CORS via middleware). Default: enabled. */
+    cors?: Record<string, unknown> | false;
+    /** JSON body parser limit. Kept for API compatibility (H3 uses readBody). */
     jsonLimit?: string;
     /** Custom ping message. Default: reads PING_MESSAGE env var, falls back to "pong" */
     pingMessage?: string;
@@ -21,12 +20,23 @@ export interface CreateServerOptions {
     envKeys?: EnvKeyConfig[];
 }
 /**
- * Create a pre-configured Express app with standard agent-native middleware:
- * - CORS
- * - JSON body parser (50mb limit)
- * - URL-encoded body parser
+ * Upsert vars into a .env file, preserving existing structure.
+ */
+export declare function upsertEnvFile(envPath: string, vars: Array<{
+    key: string;
+    value: string;
+}>): void;
+export interface CreateServerResult {
+    app: ReturnType<typeof createApp>;
+    router: ReturnType<typeof createRouter>;
+}
+/**
+ * Create a pre-configured H3 app with standard agent-native setup:
+ * - CORS headers via middleware
  * - /api/ping health check
  * - /api/env-status and /api/env-vars (when envKeys is provided)
+ *
+ * Returns { app, router } — mount routes on `router`.
  */
-export declare function createServer(options?: CreateServerOptions): express.Express;
+export declare function createServer(options?: CreateServerOptions): CreateServerResult;
 //# sourceMappingURL=create-server.d.ts.map

package/dist/server/create-server.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"create-server.d.ts","sourceRoot":"","sources":["../../src/server/create-server.ts"],"names":[],"mappings":"AAAA,OAAO,OAAO,MAAM,SAAS,CAAC;AAC9B,OAAO,IAAI,MAAM,MAAM,CAAC;AAKxB,MAAM,WAAW,YAAY;IAC3B,8DAA8D;IAC9D,GAAG,EAAE,MAAM,CAAC;IACZ,4CAA4C;IAC5C,KAAK,EAAE,MAAM,CAAC;IACd,2DAA2D;IAC3D,QAAQ,CAAC,EAAE,OAAO,CAAC;CACpB;AAED,MAAM,WAAW,mBAAmB;IAClC,2EAA2E;IAC3E,IAAI,CAAC,EAAE,IAAI,CAAC,WAAW,GAAG,KAAK,CAAC;IAChC,8CAA8C;IAC9C,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,qFAAqF;IACrF,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,yDAAyD;IACzD,WAAW,CAAC,EAAE,OAAO,CAAC;IACtB,mGAAmG;IACnG,OAAO,CAAC,EAAE,YAAY,EAAE,CAAC;CAC1B;AAuED;;;;;;;GAOG;AACH,wBAAgB,YAAY,CAC1B,OAAO,GAAE,mBAAwB,GAChC,OAAO,CAAC,OAAO,CAmEjB"}
+{"version":3,"file":"create-server.d.ts","sourceRoot":"","sources":["../../src/server/create-server.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,SAAS,EACT,YAAY,EAKb,MAAM,IAAI,CAAC;AAKZ,MAAM,WAAW,YAAY;IAC3B,8DAA8D;IAC9D,GAAG,EAAE,MAAM,CAAC;IACZ,4CAA4C;IAC5C,KAAK,EAAE,MAAM,CAAC;IACd,2DAA2D;IAC3D,QAAQ,CAAC,EAAE,OAAO,CAAC;CACpB;AAED,MAAM,WAAW,mBAAmB;IAClC,gFAAgF;IAChF,IAAI,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,KAAK,CAAC;IACvC,6EAA6E;IAC7E,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,qFAAqF;IACrF,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,yDAAyD;IACzD,WAAW,CAAC,EAAE,OAAO,CAAC;IACtB,mGAAmG;IACnG,OAAO,CAAC,EAAE,YAAY,EAAE,CAAC;CAC1B;AA0BD;;GAEG;AACH,wBAAgB,aAAa,CAC3B,OAAO,EAAE,MAAM,EACf,IAAI,EAAE,KAAK,CAAC;IAAE,GAAG,EAAE,MAAM,CAAC;IAAC,KAAK,EAAE,MAAM,CAAA;CAAE,CAAC,GAC1C,IAAI,CA8CN;AAED,MAAM,WAAW,kBAAkB;IACjC,GAAG,EAAE,UAAU,CAAC,OAAO,SAAS,CAAC,CAAC;IAClC,MAAM,EAAE,UAAU,CAAC,OAAO,YAAY,CAAC,CAAC;CACzC;AAED;;;;;;;GAOG;AACH,wBAAgB,YAAY,CAC1B,OAAO,GAAE,mBAAwB,GAChC,kBAAkB,CAqGpB"}