@agentlensai/server 0.11.0 → 0.14.0

package/dist/middleware/body-limit.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"body-limit.d.ts","sourceRoot":"","sources":["../../src/middleware/body-limit.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAIH,4CAA4C;AAC5C,eAAO,MAAM,YAAY,kCAQvB,CAAC"}

package/dist/middleware/body-limit.js

@@ -0,0 +1,15 @@
+/**
+ * SH-3: Global Body Limit Middleware
+ *
+ * Applies a 1MB default body size limit to all API routes.
+ * Individual routes can override with their own bodyLimit (e.g., events uses 10MB).
+ */
+import { bodyLimit } from 'hono/body-limit';
+/** 1MB default body limit for API routes */
+export const apiBodyLimit = bodyLimit({
+    maxSize: 1 * 1024 * 1024, // 1MB
+    onError: (c) => {
+        return c.json({ error: 'Request body too large', status: 413, maxSize: '1MB' }, 413);
+    },
+});
+//# sourceMappingURL=body-limit.js.map

package/dist/middleware/body-limit.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"body-limit.js","sourceRoot":"","sources":["../../src/middleware/body-limit.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,EAAE,SAAS,EAAE,MAAM,iBAAiB,CAAC;AAE5C,4CAA4C;AAC5C,MAAM,CAAC,MAAM,YAAY,GAAG,SAAS,CAAC;IACpC,OAAO,EAAE,CAAC,GAAG,IAAI,GAAG,IAAI,EAAE,MAAM;IAChC,OAAO,EAAE,CAAC,CAAC,EAAE,EAAE;QACb,OAAO,CAAC,CAAC,IAAI,CACX,EAAE,KAAK,EAAE,wBAAwB,EAAE,MAAM,EAAE,GAAG,EAAE,OAAO,EAAE,KAAK,EAAE,EAChE,GAAG,CACJ,CAAC;IACJ,CAAC;CACF,CAAC,CAAC"}

package/dist/middleware/cors-config.d.ts

@@ -0,0 +1,30 @@
+/**
+ * SH-4: CORS Hardening — explicit origin callback for hono/cors.
+ *
+ * Reads CORS_ORIGINS (comma-separated) and builds an origin callback that:
+ * - Rejects unlisted origins (returns empty string → no CORS headers)
+ * - Blocks wildcard '*' in production
+ * - Auto-allows http://localhost:* in dev mode
+ * - Supports credentials, explicit allowed/exposed headers, and maxAge
+ */
+/** Local mirror of hono/cors CORSOptions (not exported by the package). */
+type CorsOptions = {
+    origin: string | string[] | ((origin: string) => string);
+    allowMethods?: string[];
+    allowHeaders?: string[];
+    maxAge?: number;
+    credentials?: boolean;
+    exposeHeaders?: string[];
+};
+export interface CorsConfig {
+    /** Comma-separated allowed origins, or a single origin */
+    corsOrigins?: string;
+    /** NODE_ENV value */
+    nodeEnv?: string;
+}
+/**
+ * Build hono/cors options with an explicit origin callback.
+ */
+export declare function buildCorsOptions(config: CorsConfig): CorsOptions;
+export {};
+//# sourceMappingURL=cors-config.d.ts.map

package/dist/middleware/cors-config.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"cors-config.d.ts","sourceRoot":"","sources":["../../src/middleware/cors-config.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,2EAA2E;AAC3E,KAAK,WAAW,GAAG;IACjB,MAAM,EAAE,MAAM,GAAG,MAAM,EAAE,GAAG,CAAC,CAAC,MAAM,EAAE,MAAM,KAAK,MAAM,CAAC,CAAC;IACzD,YAAY,CAAC,EAAE,MAAM,EAAE,CAAC;IACxB,YAAY,CAAC,EAAE,MAAM,EAAE,CAAC;IACxB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,WAAW,CAAC,EAAE,OAAO,CAAC;IACtB,aAAa,CAAC,EAAE,MAAM,EAAE,CAAC;CAC1B,CAAC;AAEF,MAAM,WAAW,UAAU;IACzB,0DAA0D;IAC1D,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,qBAAqB;IACrB,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB;AAcD;;GAEG;AACH,wBAAgB,gBAAgB,CAAC,MAAM,EAAE,UAAU,GAAG,WAAW,CAoChE"}

package/dist/middleware/cors-config.js

@@ -0,0 +1,55 @@
+/**
+ * SH-4: CORS Hardening — explicit origin callback for hono/cors.
+ *
+ * Reads CORS_ORIGINS (comma-separated) and builds an origin callback that:
+ * - Rejects unlisted origins (returns empty string → no CORS headers)
+ * - Blocks wildcard '*' in production
+ * - Auto-allows http://localhost:* in dev mode
+ * - Supports credentials, explicit allowed/exposed headers, and maxAge
+ */
+/**
+ * Parse CORS_ORIGINS env var into a Set of allowed origins.
+ */
+function parseOrigins(raw) {
+    if (!raw)
+        return new Set();
+    return new Set(raw.split(',')
+        .map(o => o.trim())
+        .filter(Boolean));
+}
+/**
+ * Build hono/cors options with an explicit origin callback.
+ */
+export function buildCorsOptions(config) {
+    const isDev = config.nodeEnv !== 'production';
+    const origins = parseOrigins(config.corsOrigins);
+    // Block wildcard in production
+    if (!isDev && origins.has('*')) {
+        throw new Error('CORS wildcard (*) is not allowed in production. ' +
+            'Set CORS_ORIGINS to specific origins.');
+    }
+    return {
+        origin: (requestOrigin) => {
+            // No origin header (e.g. same-origin, server-to-server) — allow
+            if (!requestOrigin)
+                return requestOrigin;
+            // Exact match
+            if (origins.has(requestOrigin))
+                return requestOrigin;
+            // Wildcard in dev
+            if (isDev && origins.has('*'))
+                return requestOrigin;
+            // Dev mode: auto-allow localhost on any port
+            if (isDev && /^https?:\/\/localhost(:\d+)?$/.test(requestOrigin)) {
+                return requestOrigin;
+            }
+            // Reject — return empty string so hono/cors omits CORS headers
+            return '';
+        },
+        credentials: true,
+        allowHeaders: ['Authorization', 'Content-Type', 'X-Request-ID'],
+        exposeHeaders: ['X-RateLimit-Limit', 'X-RateLimit-Remaining', 'X-RateLimit-Reset'],
+        maxAge: 86400,
+    };
+}
+//# sourceMappingURL=cors-config.js.map

package/dist/middleware/cors-config.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"cors-config.js","sourceRoot":"","sources":["../../src/middleware/cors-config.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAmBH;;GAEG;AACH,SAAS,YAAY,CAAC,GAAY;IAChC,IAAI,CAAC,GAAG;QAAE,OAAO,IAAI,GAAG,EAAE,CAAC;IAC3B,OAAO,IAAI,GAAG,CACZ,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC;SACX,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;SAClB,MAAM,CAAC,OAAO,CAAC,CACnB,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,gBAAgB,CAAC,MAAkB;IACjD,MAAM,KAAK,GAAG,MAAM,CAAC,OAAO,KAAK,YAAY,CAAC;IAC9C,MAAM,OAAO,GAAG,YAAY,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC;IAEjD,+BAA+B;IAC/B,IAAI,CAAC,KAAK,IAAI,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC,EAAE,CAAC;QAC/B,MAAM,IAAI,KAAK,CACb,kDAAkD;YAClD,uCAAuC,CACxC,CAAC;IACJ,CAAC;IAED,OAAO;QACL,MAAM,EAAE,CAAC,aAAqB,EAAE,EAAE;YAChC,gEAAgE;YAChE,IAAI,CAAC,aAAa;gBAAE,OAAO,aAAa,CAAC;YAEzC,cAAc;YACd,IAAI,OAAO,CAAC,GAAG,CAAC,aAAa,CAAC;gBAAE,OAAO,aAAa,CAAC;YAErD,kBAAkB;YAClB,IAAI,KAAK,IAAI,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC;gBAAE,OAAO,aAAa,CAAC;YAEpD,6CAA6C;YAC7C,IAAI,KAAK,IAAI,+BAA+B,CAAC,IAAI,CAAC,aAAa,CAAC,EAAE,CAAC;gBACjE,OAAO,aAAa,CAAC;YACvB,CAAC;YAED,+DAA+D;YAC/D,OAAO,EAAE,CAAC;QACZ,CAAC;QACD,WAAW,EAAE,IAAI;QACjB,YAAY,EAAE,CAAC,eAAe,EAAE,cAAc,EAAE,cAAc,CAAC;QAC/D,aAAa,EAAE,CAAC,mBAAmB,EAAE,uBAAuB,EAAE,mBAAmB,CAAC;QAClF,MAAM,EAAE,KAAK;KACd,CAAC;AACJ,CAAC"}

package/dist/middleware/rate-limit.d.ts

@@ -0,0 +1,9 @@
+/**
+ * Rate-limiting middleware for auth and API endpoints.
+ * Uses hono-rate-limiter with in-memory store.
+ *
+ * @module middleware/rate-limit
+ */
+export declare const authRateLimit: import("hono").MiddlewareHandler<import("hono").Env, string, import("hono").Input, Response>;
+export declare const apiRateLimit: import("hono").MiddlewareHandler<import("hono").Env, string, import("hono").Input, Response>;
+//# sourceMappingURL=rate-limit.d.ts.map

package/dist/middleware/rate-limit.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"rate-limit.d.ts","sourceRoot":"","sources":["../../src/middleware/rate-limit.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AA0BH,eAAO,MAAM,aAAa,8FAWxB,CAAC;AAOH,eAAO,MAAM,YAAY,8FAkBvB,CAAC"}

package/dist/middleware/rate-limit.js

@@ -0,0 +1,56 @@
+/**
+ * Rate-limiting middleware for auth and API endpoints.
+ * Uses hono-rate-limiter with in-memory store.
+ *
+ * @module middleware/rate-limit
+ */
+import { rateLimiter } from 'hono-rate-limiter';
+import { createLogger } from '../lib/logger.js';
+const log = createLogger('RateLimit');
+// ─── Helpers ─────────────────────────────────────────────
+/**
+ * Extract client IP using x-forwarded-for → cf-connecting-ip → 'unknown'.
+ */
+function getClientIp(c) {
+    return (c.req.header('x-forwarded-for')?.split(',')[0]?.trim() ||
+        c.req.header('cf-connecting-ip') ||
+        'unknown');
+}
+// ─── Auth rate limiter ───────────────────────────────────
+const AUTH_MAX = Number(process.env['RATE_LIMIT_AUTH_MAX'] ?? 20);
+const AUTH_WINDOW_MS = Number(process.env['RATE_LIMIT_AUTH_WINDOW_MS'] ?? 15 * 60 * 1000);
+export const authRateLimit = rateLimiter({
+    windowMs: AUTH_WINDOW_MS,
+    limit: AUTH_MAX,
+    standardHeaders: 'draft-7',
+    keyGenerator: (c) => `auth:${getClientIp(c)}`,
+    handler: (c) => {
+        const ip = getClientIp(c);
+        const route = new URL(c.req.url).pathname;
+        log.warn('Auth rate limit exceeded', { ip, route });
+        return c.json({ error: 'Too Many Requests' }, 429);
+    },
+});
+// ─── API rate limiter ────────────────────────────────────
+const API_MAX = Number(process.env['RATE_LIMIT_API_MAX'] ?? 200);
+const API_WINDOW_MS = Number(process.env['RATE_LIMIT_API_WINDOW_MS'] ?? 60 * 1000);
+export const apiRateLimit = rateLimiter({
+    windowMs: API_WINDOW_MS,
+    limit: API_MAX,
+    standardHeaders: 'draft-7',
+    keyGenerator: (c) => {
+        // Prefer API key from Authorization header, fall back to IP
+        const authHeader = c.req.header('authorization');
+        if (authHeader?.startsWith('Bearer ')) {
+            return `api:${authHeader.slice(7)}`;
+        }
+        return `api:${getClientIp(c)}`;
+    },
+    handler: (c) => {
+        const ip = getClientIp(c);
+        const route = new URL(c.req.url).pathname;
+        log.warn('API rate limit exceeded', { ip, route });
+        return c.json({ error: 'Too Many Requests' }, 429);
+    },
+});
+//# sourceMappingURL=rate-limit.js.map

package/dist/middleware/rate-limit.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"rate-limit.js","sourceRoot":"","sources":["../../src/middleware/rate-limit.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAC;AAEhD,OAAO,EAAE,YAAY,EAAE,MAAM,kBAAkB,CAAC;AAEhD,MAAM,GAAG,GAAG,YAAY,CAAC,WAAW,CAAC,CAAC;AAEtC,4DAA4D;AAE5D;;GAEG;AACH,SAAS,WAAW,CAAC,CAAU;IAC7B,OAAO,CACL,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC,iBAAiB,CAAC,EAAE,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,EAAE,IAAI,EAAE;QACtD,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC,kBAAkB,CAAC;QAChC,SAAS,CACV,CAAC;AACJ,CAAC;AAED,4DAA4D;AAE5D,MAAM,QAAQ,GAAG,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,qBAAqB,CAAC,IAAI,EAAE,CAAC,CAAC;AAClE,MAAM,cAAc,GAAG,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,2BAA2B,CAAC,IAAI,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;AAE1F,MAAM,CAAC,MAAM,aAAa,GAAG,WAAW,CAAC;IACvC,QAAQ,EAAE,cAAc;IACxB,KAAK,EAAE,QAAQ;IACf,eAAe,EAAE,SAAS;IAC1B,YAAY,EAAE,CAAC,CAAC,EAAE,EAAE,CAAC,QAAQ,WAAW,CAAC,CAAC,CAAC,EAAE;IAC7C,OAAO,EAAE,CAAC,CAAC,EAAE,EAAE;QACb,MAAM,EAAE,GAAG,WAAW,CAAC,CAAC,CAAC,CAAC;QAC1B,MAAM,KAAK,GAAG,IAAI,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,QAAQ,CAAC;QAC1C,GAAG,CAAC,IAAI,CAAC,0BAA0B,EAAE,EAAE,EAAE,EAAE,KAAK,EAAE,CAAC,CAAC;QACpD,OAAO,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,mBAAmB,EAAE,EAAE,GAAG,CAAC,CAAC;IACrD,CAAC;CACF,CAAC,CAAC;AAEH,4DAA4D;AAE5D,MAAM,OAAO,GAAG,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,oBAAoB,CAAC,IAAI,GAAG,CAAC,CAAC;AACjE,MAAM,aAAa,GAAG,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,0BAA0B,CAAC,IAAI,EAAE,GAAG,IAAI,CAAC,CAAC;AAEnF,MAAM,CAAC,MAAM,YAAY,GAAG,WAAW,CAAC;IACtC,QAAQ,EAAE,aAAa;IACvB,KAAK,EAAE,OAAO;IACd,eAAe,EAAE,SAAS;IAC1B,YAAY,EAAE,CAAC,CAAC,EAAE,EAAE;QAClB,4DAA4D;QAC5D,MAAM,UAAU,GAAG,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC,eAAe,CAAC,CAAC;QACjD,IAAI,UAAU,EAAE,UAAU,CAAC,SAAS,CAAC,EAAE,CAAC;YACtC,OAAO,OAAO,UAAU,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,CAAC;QACtC,CAAC;QACD,OAAO,OAAO,WAAW,CAAC,CAAC,CAAC,EAAE,CAAC;IACjC,CAAC;IACD,OAAO,EAAE,CAAC,CAAC,EAAE,EAAE;QACb,MAAM,EAAE,GAAG,WAAW,CAAC,CAAC,CAAC,CAAC;QAC1B,MAAM,KAAK,GAAG,IAAI,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,QAAQ,CAAC;QAC1C,GAAG,CAAC,IAAI,CAAC,yBAAyB,EAAE,EAAE,EAAE,EAAE,KAAK,EAAE,CAAC,CAAC;QACnD,OAAO,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,mBAAmB,EAAE,EAAE,GAAG,CAAC,CAAC;IACrD,CAAC;CACF,CAAC,CAAC"}

package/dist/middleware/rbac.d.ts

@@ -0,0 +1,30 @@
+/**
+ * RBAC Enforcement Middleware [F2-S2]
+ *
+ * Hono middleware factories that read c.var.auth.role (set by unified-auth)
+ * and enforce permission categories using the existing cloud/auth/rbac.ts module.
+ */
+import { type ActionCategory } from '../cloud/auth/rbac.js';
+import type { UnifiedAuthVariables } from './unified-auth.js';
+/**
+ * Require a minimum action category for the route.
+ * Reads role from c.var.auth.role (set by unified-auth).
+ */
+export declare function requireCategory(category: ActionCategory): import("hono").MiddlewareHandler<{
+    Variables: UnifiedAuthVariables;
+}, string, {}, Response>;
+/**
+ * Auto-categorize by HTTP method.
+ * GET/HEAD/OPTIONS → read; all others → write
+ */
+export declare function requireMethodCategory(): import("hono").MiddlewareHandler<{
+    Variables: UnifiedAuthVariables;
+}, string, {}, Response>;
+/**
+ * Map specific HTTP methods to action categories.
+ * Unlisted methods default to 'write'.
+ */
+export declare function requireCategoryByMethod(mapping: Partial<Record<string, ActionCategory>>): import("hono").MiddlewareHandler<{
+    Variables: UnifiedAuthVariables;
+}, string, {}, Response>;
+//# sourceMappingURL=rbac.d.ts.map

package/dist/middleware/rbac.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"rbac.d.ts","sourceRoot":"","sources":["../../src/middleware/rbac.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAGH,OAAO,EAAoC,KAAK,cAAc,EAAa,MAAM,uBAAuB,CAAC;AAEzG,OAAO,KAAK,EAAE,oBAAoB,EAAE,MAAM,mBAAmB,CAAC;AAe9D;;;GAGG;AACH,wBAAgB,eAAe,CAAC,QAAQ,EAAE,cAAc;eACjB,oBAAoB;yBAgB1D;AAED;;;GAGG;AACH,wBAAgB,qBAAqB;eACE,oBAAoB;yBAoB1D;AAED;;;GAGG;AACH,wBAAgB,uBAAuB,CAAC,OAAO,EAAE,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,cAAc,CAAC,CAAC;eACjD,oBAAoB;yBAmB1D"}

package/dist/middleware/rbac.js

@@ -0,0 +1,87 @@
+/**
+ * RBAC Enforcement Middleware [F2-S2]
+ *
+ * Hono middleware factories that read c.var.auth.role (set by unified-auth)
+ * and enforce permission categories using the existing cloud/auth/rbac.ts module.
+ */
+import { createMiddleware } from 'hono/factory';
+import { isRoleAllowed, PERMISSION_MATRIX } from '../cloud/auth/rbac.js';
+import { authRequired, insufficientPermissions } from './auth-errors.js';
+/**
+ * Get the minimum role required for a given action category.
+ */
+function minRoleForCategory(category) {
+    const roles = PERMISSION_MATRIX[category];
+    // Return the least-privileged role in the list
+    const hierarchy = ['viewer', 'member', 'admin', 'owner'];
+    for (const r of hierarchy) {
+        if (roles.includes(r))
+            return r;
+    }
+    return 'owner';
+}
+/**
+ * Require a minimum action category for the route.
+ * Reads role from c.var.auth.role (set by unified-auth).
+ */
+export function requireCategory(category) {
+    return createMiddleware(async (c, next) => {
+        const auth = c.var.auth;
+        if (!auth) {
+            return authRequired(c);
+        }
+        if (!isRoleAllowed(auth.role, category)) {
+            return insufficientPermissions(c, {
+                required: minRoleForCategory(category),
+                current: auth.role,
+                hint: `This action requires '${minRoleForCategory(category)}' role or higher. Your current role is '${auth.role}'.`,
+            });
+        }
+        return next();
+    });
+}
+/**
+ * Auto-categorize by HTTP method.
+ * GET/HEAD/OPTIONS → read; all others → write
+ */
+export function requireMethodCategory() {
+    return createMiddleware(async (c, next) => {
+        const auth = c.var.auth;
+        if (!auth) {
+            return authRequired(c);
+        }
+        const method = c.req.method;
+        const category = ['GET', 'HEAD', 'OPTIONS'].includes(method) ? 'read' : 'write';
+        if (!isRoleAllowed(auth.role, category)) {
+            return insufficientPermissions(c, {
+                required: minRoleForCategory(category),
+                current: auth.role,
+                hint: `${method} requires '${minRoleForCategory(category)}' role. Your role is '${auth.role}'.`,
+            });
+        }
+        return next();
+    });
+}
+/**
+ * Map specific HTTP methods to action categories.
+ * Unlisted methods default to 'write'.
+ */
+export function requireCategoryByMethod(mapping) {
+    return createMiddleware(async (c, next) => {
+        const auth = c.var.auth;
+        if (!auth) {
+            return authRequired(c);
+        }
+        const method = c.req.method;
+        const category = mapping[method] ?? 'write';
+        if (!isRoleAllowed(auth.role, category)) {
+            return insufficientPermissions(c, {
+                required: minRoleForCategory(category),
+                current: auth.role,
+                hint: `${method} on this resource requires '${minRoleForCategory(category)}' role. Your role is '${auth.role}'.`,
+            });
+        }
+        return next();
+    });
+}
+//# sourceMappingURL=rbac.js.map

package/dist/middleware/rbac.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"rbac.js","sourceRoot":"","sources":["../../src/middleware/rbac.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,EAAE,gBAAgB,EAAE,MAAM,cAAc,CAAC;AAChD,OAAO,EAAE,aAAa,EAAE,iBAAiB,EAAkC,MAAM,uBAAuB,CAAC;AACzG,OAAO,EAAE,YAAY,EAAE,uBAAuB,EAAE,MAAM,kBAAkB,CAAC;AAGzE;;GAEG;AACH,SAAS,kBAAkB,CAAC,QAAwB;IAClD,MAAM,KAAK,GAAG,iBAAiB,CAAC,QAAQ,CAAC,CAAC;IAC1C,+CAA+C;IAC/C,MAAM,SAAS,GAAW,CAAC,QAAQ,EAAE,QAAQ,EAAE,OAAO,EAAE,OAAO,CAAC,CAAC;IACjE,KAAK,MAAM,CAAC,IAAI,SAAS,EAAE,CAAC;QAC1B,IAAI,KAAK,CAAC,QAAQ,CAAC,CAAC,CAAC;YAAE,OAAO,CAAC,CAAC;IAClC,CAAC;IACD,OAAO,OAAO,CAAC;AACjB,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,eAAe,CAAC,QAAwB;IACtD,OAAO,gBAAgB,CAAsC,KAAK,EAAE,CAAC,EAAE,IAAI,EAAE,EAAE;QAC7E,MAAM,IAAI,GAAG,CAAC,CAAC,GAAG,CAAC,IAAI,CAAC;QACxB,IAAI,CAAC,IAAI,EAAE,CAAC;YACV,OAAO,YAAY,CAAC,CAAC,CAAC,CAAC;QACzB,CAAC;QAED,IAAI,CAAC,aAAa,CAAC,IAAI,CAAC,IAAI,EAAE,QAAQ,CAAC,EAAE,CAAC;YACxC,OAAO,uBAAuB,CAAC,CAAC,EAAE;gBAChC,QAAQ,EAAE,kBAAkB,CAAC,QAAQ,CAAC;gBACtC,OAAO,EAAE,IAAI,CAAC,IAAI;gBAClB,IAAI,EAAE,yBAAyB,kBAAkB,CAAC,QAAQ,CAAC,2CAA2C,IAAI,CAAC,IAAI,IAAI;aACpH,CAAC,CAAC;QACL,CAAC;QAED,OAAO,IAAI,EAAE,CAAC;IAChB,CAAC,CAAC,CAAC;AACL,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,qBAAqB;IACnC,OAAO,gBAAgB,CAAsC,KAAK,EAAE,CAAC,EAAE,IAAI,EAAE,EAAE;QAC7E,MAAM,IAAI,GAAG,CAAC,CAAC,GAAG,CAAC,IAAI,CAAC;QACxB,IAAI,CAAC,IAAI,EAAE,CAAC;YACV,OAAO,YAAY,CAAC,CAAC,CAAC,CAAC;QACzB,CAAC;QAED,MAAM,MAAM,GAAG,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC;QAC5B,MAAM,QAAQ,GACZ,CAAC,KAAK,EAAE,MAAM,EAAE,SAAS,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,OAAO,CAAC;QAEjE,IAAI,CAAC,aAAa,CAAC,IAAI,CAAC,IAAI,EAAE,QAAQ,CAAC,EAAE,CAAC;YACxC,OAAO,uBAAuB,CAAC,CAAC,EAAE;gBAChC,QAAQ,EAAE,kBAAkB,CAAC,QAAQ,CAAC;gBACtC,OAAO,EAAE,IAAI,CAAC,IAAI;gBAClB,IAAI,EAAE,GAAG,MAAM,cAAc,kBAAkB,CAAC,QAAQ,CAAC,yBAAyB,IAAI,CAAC,IAAI,IAAI;aAChG,CAAC,CAAC;QACL,CAAC;QAED,OAAO,IAAI,EAAE,CAAC;IAChB,CAAC,CAAC,CAAC;AACL,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,uBAAuB,CAAC,OAAgD;IACtF,OAAO,gBAAgB,CAAsC,KAAK,EAAE,CAAC,EAAE,IAAI,EAAE,EAAE;QAC7E,MAAM,IAAI,GAAG,CAAC,CAAC,GAAG,CAAC,IAAI,CAAC;QACxB,IAAI,CAAC,IAAI,EAAE,CAAC;YACV,OAAO,YAAY,CAAC,CAAC,CAAC,CAAC;QACzB,CAAC;QAED,MAAM,MAAM,GAAG,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC;QAC5B,MAAM,QAAQ,GAAmB,OAAO,CAAC,MAAM,CAAC,IAAI,OAAO,CAAC;QAE5D,IAAI,CAAC,aAAa,CAAC,IAAI,CAAC,IAAI,EAAE,QAAQ,CAAC,EAAE,CAAC;YACxC,OAAO,uBAAuB,CAAC,CAAC,EAAE;gBAChC,QAAQ,EAAE,kBAAkB,CAAC,QAAQ,CAAC;gBACtC,OAAO,EAAE,IAAI,CAAC,IAAI;gBAClB,IAAI,EAAE,GAAG,MAAM,+BAA+B,kBAAkB,CAAC,QAAQ,CAAC,yBAAyB,IAAI,CAAC,IAAI,IAAI;aACjH,CAAC,CAAC;QACL,CAAC;QAED,OAAO,IAAI,EAAE,CAAC;IAChB,CAAC,CAAC,CAAC;AACL,CAAC"}

package/dist/middleware/security-headers.d.ts

@@ -0,0 +1,12 @@
+/**
+ * SH-5: CSP & Security Headers middleware.
+ *
+ * Applies security headers to ALL responses. Must be registered as the
+ * first middleware in the stack.
+ *
+ * CSP policy is overridable via the `CSP_POLICY` environment variable.
+ * When set, the raw string replaces the built-in CSP object.
+ */
+import type { MiddlewareHandler } from 'hono';
+export declare function securityHeadersMiddleware(): MiddlewareHandler;
+//# sourceMappingURL=security-headers.d.ts.map

package/dist/middleware/security-headers.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"security-headers.d.ts","sourceRoot":"","sources":["../../src/middleware/security-headers.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,MAAM,CAAC;AAO9C,wBAAgB,yBAAyB,IAAI,iBAAiB,CA8C7D"}

package/dist/middleware/security-headers.js

@@ -0,0 +1,57 @@
+/**
+ * SH-5: CSP & Security Headers middleware.
+ *
+ * Applies security headers to ALL responses. Must be registered as the
+ * first middleware in the stack.
+ *
+ * CSP policy is overridable via the `CSP_POLICY` environment variable.
+ * When set, the raw string replaces the built-in CSP object.
+ */
+import { secureHeaders } from 'hono/secure-headers';
+const DEFAULT_CSP_STRING = "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; " +
+    "img-src 'self' data:; connect-src 'self'; font-src 'self'; object-src 'none'; frame-ancestors 'none'";
+export function securityHeadersMiddleware() {
+    const cspOverride = process.env['CSP_POLICY'];
+    if (cspOverride) {
+        // When CSP_POLICY env var is set, use raw middleware to set the string directly
+        // because hono/secure-headers only accepts CSP as an object.
+        const base = secureHeaders({
+            contentSecurityPolicy: false,
+            xContentTypeOptions: 'nosniff',
+            xFrameOptions: 'DENY',
+            referrerPolicy: 'strict-origin-when-cross-origin',
+            strictTransportSecurity: 'max-age=31536000; includeSubDomains',
+            permissionsPolicy: {
+                camera: [],
+                microphone: [],
+                geolocation: [],
+            },
+        });
+        return async (c, next) => {
+            await base(c, next);
+            c.res.headers.set('Content-Security-Policy', cspOverride);
+        };
+    }
+    return secureHeaders({
+        contentSecurityPolicy: {
+            defaultSrc: ["'self'"],
+            scriptSrc: ["'self'"],
+            styleSrc: ["'self'", "'unsafe-inline'"],
+            imgSrc: ["'self'", 'data:'],
+            connectSrc: ["'self'"],
+            fontSrc: ["'self'"],
+            objectSrc: ["'none'"],
+            frameAncestors: ["'none'"],
+        },
+        xContentTypeOptions: 'nosniff',
+        xFrameOptions: 'DENY',
+        referrerPolicy: 'strict-origin-when-cross-origin',
+        strictTransportSecurity: 'max-age=31536000; includeSubDomains',
+        permissionsPolicy: {
+            camera: [],
+            microphone: [],
+            geolocation: [],
+        },
+    });
+}
+//# sourceMappingURL=security-headers.js.map

package/dist/middleware/security-headers.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"security-headers.js","sourceRoot":"","sources":["../../src/middleware/security-headers.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAGH,OAAO,EAAE,aAAa,EAAE,MAAM,qBAAqB,CAAC;AAEpD,MAAM,kBAAkB,GACtB,2EAA2E;IAC3E,sGAAsG,CAAC;AAEzG,MAAM,UAAU,yBAAyB;IACvC,MAAM,WAAW,GAAG,OAAO,CAAC,GAAG,CAAC,YAAY,CAAC,CAAC;IAE9C,IAAI,WAAW,EAAE,CAAC;QAChB,gFAAgF;QAChF,6DAA6D;QAC7D,MAAM,IAAI,GAAG,aAAa,CAAC;YACzB,qBAAqB,EAAE,KAA6B;YACpD,mBAAmB,EAAE,SAAS;YAC9B,aAAa,EAAE,MAAM;YACrB,cAAc,EAAE,iCAAiC;YACjD,uBAAuB,EAAE,qCAAqC;YAC9D,iBAAiB,EAAE;gBACjB,MAAM,EAAE,EAAE;gBACV,UAAU,EAAE,EAAE;gBACd,WAAW,EAAE,EAAE;aAChB;SACF,CAAC,CAAC;QAEH,OAAO,KAAK,EAAE,CAAC,EAAE,IAAI,EAAE,EAAE;YACvB,MAAM,IAAI,CAAC,CAAC,EAAE,IAAI,CAAC,CAAC;YACpB,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,yBAAyB,EAAE,WAAW,CAAC,CAAC;QAC5D,CAAC,CAAC;IACJ,CAAC;IAED,OAAO,aAAa,CAAC;QACnB,qBAAqB,EAAE;YACrB,UAAU,EAAE,CAAC,QAAQ,CAAC;YACtB,SAAS,EAAE,CAAC,QAAQ,CAAC;YACrB,QAAQ,EAAE,CAAC,QAAQ,EAAE,iBAAiB,CAAC;YACvC,MAAM,EAAE,CAAC,QAAQ,EAAE,OAAO,CAAC;YAC3B,UAAU,EAAE,CAAC,QAAQ,CAAC;YACtB,OAAO,EAAE,CAAC,QAAQ,CAAC;YACnB,SAAS,EAAE,CAAC,QAAQ,CAAC;YACrB,cAAc,EAAE,CAAC,QAAQ,CAAC;SAC3B;QACD,mBAAmB,EAAE,SAAS;QAC9B,aAAa,EAAE,MAAM;QACrB,cAAc,EAAE,iCAAiC;QACjD,uBAAuB,EAAE,qCAAqC;QAC9D,iBAAiB,EAAE;YACjB,MAAM,EAAE,EAAE;YACV,UAAU,EAAE,EAAE;YACd,WAAW,EAAE,EAAE;SAChB;KACF,CAAC,CAAC;AACL,CAAC"}

package/dist/middleware/unified-auth.d.ts

@@ -0,0 +1,49 @@
+/**
+ * Unified Auth Middleware [F2-S1]
+ *
+ * Single Hono middleware accepting three credential types:
+ *   1. als_* API keys — SHA-256 hash lookup (existing OSS flow)
+ *   2. al_live_* / al_test_* cloud keys — cloud key verification
+ *   3. JWT Bearer / Cookie session — JWT verification via verifyJwt()
+ *
+ * Produces a normalized AuthContext on c.var.auth and sets the legacy
+ * c.var.apiKey for backward compatibility with all existing route handlers.
+ */
+import type { IApiKeyLookup } from '../db/api-key-lookup.js';
+import type { SqliteDb } from '../db/index.js';
+import { type ApiKeyInfo } from './auth.js';
+export type Role = 'owner' | 'admin' | 'auditor' | 'member' | 'viewer';
+export interface AuthContext {
+    type: 'api-key' | 'jwt';
+    userId: string | null;
+    orgId: string;
+    role: Role;
+    scopes: string[];
+    keyId: string | null;
+}
+export type UnifiedAuthVariables = {
+    auth: AuthContext;
+    apiKey: ApiKeyInfo;
+};
+export interface UnifiedAuthConfig {
+    authDisabled: boolean;
+    jwtSecret?: string;
+    /** Optional cloud API key middleware instance */
+    cloudKeyAuth?: {
+        authenticate(authHeader: string | undefined): Promise<{
+            orgId: string;
+            keyId: string;
+            scopes: string[];
+        }>;
+    };
+}
+/**
+ * Create the unified auth middleware.
+ *
+ * @param dbOrLookup - Drizzle SQLite DB or IApiKeyLookup for als_* key verification
+ * @param config - Auth configuration
+ */
+export declare function unifiedAuthMiddleware(dbOrLookup: SqliteDb | IApiKeyLookup | null, config: UnifiedAuthConfig): import("hono").MiddlewareHandler<{
+    Variables: UnifiedAuthVariables;
+}, string, {}, Response>;
+//# sourceMappingURL=unified-auth.d.ts.map

package/dist/middleware/unified-auth.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"unified-auth.d.ts","sourceRoot":"","sources":["../../src/middleware/unified-auth.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAGH,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,yBAAyB,CAAC;AAC7D,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,gBAAgB,CAAC;AAC/C,OAAO,EAAc,KAAK,UAAU,EAAE,MAAM,WAAW,CAAC;AAYxD,MAAM,MAAM,IAAI,GAAG,OAAO,GAAG,OAAO,GAAG,SAAS,GAAG,QAAQ,GAAG,QAAQ,CAAC;AAEvE,MAAM,WAAW,WAAW;IAC1B,IAAI,EAAE,SAAS,GAAG,KAAK,CAAC;IACxB,MAAM,EAAE,MAAM,GAAG,IAAI,CAAC;IACtB,KAAK,EAAE,MAAM,CAAC;IACd,IAAI,EAAE,IAAI,CAAC;IACX,MAAM,EAAE,MAAM,EAAE,CAAC;IACjB,KAAK,EAAE,MAAM,GAAG,IAAI,CAAC;CACtB;AAED,MAAM,MAAM,oBAAoB,GAAG;IACjC,IAAI,EAAE,WAAW,CAAC;IAClB,MAAM,EAAE,UAAU,CAAC;CACpB,CAAC;AAEF,MAAM,WAAW,iBAAiB;IAChC,YAAY,EAAE,OAAO,CAAC;IACtB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,iDAAiD;IACjD,YAAY,CAAC,EAAE;QACb,YAAY,CAAC,UAAU,EAAE,MAAM,GAAG,SAAS,GAAG,OAAO,CAAC;YACpD,KAAK,EAAE,MAAM,CAAC;YACd,KAAK,EAAE,MAAM,CAAC;YACd,MAAM,EAAE,MAAM,EAAE,CAAC;SAClB,CAAC,CAAC;KACJ,CAAC;CACH;AAuCD;;;;;GAKG;AACH,wBAAgB,qBAAqB,CACnC,UAAU,EAAE,QAAQ,GAAG,aAAa,GAAG,IAAI,EAC3C,MAAM,EAAE,iBAAiB;eAaY,oBAAoB;yBAqM1D"}