@arcjet/astro 1.0.0-beta.2

package/LICENSE

@@ -0,0 +1,201 @@
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS
+
+   APPENDIX: How to apply the Apache License to your work.
+
+      To apply the Apache License to your work, attach the following
+      boilerplate notice, with the fields enclosed by brackets "[]"
+      replaced with your own identifying information. (Don't include
+      the brackets!)  The text should be enclosed in the appropriate
+      comment syntax for the file format. We also recommend that a
+      file or class name and description of purpose be included on the
+      same "printed page" as the copyright notice for easier
+      identification within third-party archives.
+
+   Copyright [yyyy] [name of copyright owner]
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.

package/README.md

@@ -0,0 +1,240 @@
+<a href="https://arcjet.com" target="_arcjet-home">
+  <picture>
+    <source media="(prefers-color-scheme: dark)" srcset="https://arcjet.com/logo/arcjet-dark-lockup-voyage-horizontal.svg">
+    <img src="https://arcjet.com/logo/arcjet-light-lockup-voyage-horizontal.svg" alt="Arcjet Logo" height="128" width="auto">
+  </picture>
+</a>
+
+# `@arcjet/astro`
+
+<p>
+  <a href="https://www.npmjs.com/package/@arcjet/astro">
+    <picture>
+      <source media="(prefers-color-scheme: dark)" srcset="https://img.shields.io/npm/v/%40arcjet%2Fastro?style=flat-square&label=%E2%9C%A6Aj&labelColor=000000&color=5C5866">
+      <img alt="npm badge" src="https://img.shields.io/npm/v/%40arcjet%2Fastro?style=flat-square&label=%E2%9C%A6Aj&labelColor=ECE6F0&color=ECE6F0">
+    </picture>
+  </a>
+</p>
+
+[Arcjet][arcjet] helps developers protect their apps in just a few lines of
+code. Implement rate limiting, bot protection, email verification, and defense
+against common attacks.
+
+This is the [Arcjet][arcjet] SDK integration for [Astro][astro].
+
+## Getting started
+
+Visit the [quick start guide][quick-start] to get started.
+
+## Example app
+
+Try an Arcjet protected app live at [https://example.arcjet.com][example-url]
+([source code][example-source]).
+
+## Installation
+
+```shell
+npx astro add @arcjet/astro
+```
+
+## Usage
+
+If installed via the Astro CLI command above, your `astro.config.mjs` should be
+changed like:
+
+```diff
+  // @ts-check
+  import { defineConfig } from "astro/config";
++ import arcjet from "@arcjet/astro";
+
+  // https://astro.build/config
+  export default defineConfig({
++   integrations: [
++     arcjet(),
++   ],
+  });
+```
+
+However, if installed manually, you'll want to add the above lines to your Astro
+configuration.
+
+We also recommended validating your environment variables at build time. To do
+this, update your `astro.config.mjs` to add the option:
+
+```diff
+  // @ts-check
+  import { defineConfig } from "astro/config";
+  import arcjet from "@arcjet/astro";
+
+  // https://astro.build/config
+  export default defineConfig({
++   env: {
++     validateSecrets: true
++   },
+    integrations: [
+      arcjet(),
+    ],
+  });
+```
+
+Once Arcjet is added as an integration, you'll want to start the Astro dev
+server to build the `arcjet:client` virtual module and types. In your terminal,
+run:
+
+```sh
+npx astro dev
+```
+
+You can now import from the `arcjet:client` module within your Astro project!
+
+This example adds Arcjet to your middleware, but note this only works for
+non-prerendered pages:
+
+```ts
+// src/middleware.ts
+import { defineMiddleware } from "astro:middleware";
+import aj from "arcjet:client";
+
+export const onRequest = defineMiddleware(
+  async ({ isPrerendered, request }, next) => {
+    // Arcjet can be run in your middleware; however, Arcjet can only process a
+    // request when the page is NOT prerendered.
+    if (!isPrerendered) {
+      // console.log(request);
+      const decision = await aj.protect(request);
+
+      // Deny decisions respond immediately to avoid any additional server
+      // processing.
+      if (decision.isDenied()) {
+        return new Response(null, { status: 403, statusText: "Forbidden" });
+      }
+    }
+
+    return next();
+  },
+);
+```
+
+## Rate limit + bot detection example
+
+The [Arcjet rate limit][rate-limit-concepts-docs] example below applies a token
+bucket rate limit rule to a route where we identify the user based on their ID
+e.g. if they are logged in. The bucket is configured with a maximum capacity of
+10 tokens and refills by 5 tokens every 10 seconds. Each request consumes 5
+tokens.
+
+The rule is defined in your `astro.config.mjs` file:
+
+```js
+// @ts-check
+import { defineConfig } from "astro/config";
+import arcjet, { tokenBucket, detectBot } from "@arcjet/astro";
+
+// https://astro.build/config
+export default defineConfig({
+  env: {
+    validateSecrets: true,
+  },
+  integrations: [
+    arcjet({
+      characteristics: ["userId"], // track requests by a custom user ID
+      rules: [
+        // Create a token bucket rate limit. Other algorithms are supported.
+        tokenBucket({
+          mode: "LIVE", // will block requests. Use "DRY_RUN" to log only
+          refillRate: 5, // refill 5 tokens per interval
+          interval: 10, // refill every 10 seconds
+          capacity: 10, // bucket maximum capacity of 10 tokens
+        }),
+        detectBot({
+          mode: "LIVE", // will block requests. Use "DRY_RUN" to log only
+          // configured with a list of bots to allow from
+          // https://arcjet.com/bot-list
+          allow: [], // "allow none" will block all detected bots
+        }),
+      ],
+    }),
+  ],
+});
+```
+
+Then Arcjet is called from within this page route:
+
+```ts
+// src/pages/api.json.ts
+import type { APIRoute } from "astro";
+import aj from "arcjet:client";
+
+export const GET: APIRoute = async ({ request }) => {
+  const userId = "user123"; // Replace with your authenticated user ID
+  const decision = await aj.protect(request, { userId, requested: 5 }); // Deduct 5 tokens from the bucket
+  console.log("Arcjet decision", decision);
+
+  if (decision.isDenied()) {
+    return Response.json({ error: "Forbidden" }, { status: 403 });
+  } else {
+    return Response.json({ message: "Hello world" });
+  }
+};
+```
+
+## Shield example
+
+[Arcjet Shield][shield-concepts-docs] protects your application against common
+attacks, including the OWASP Top 10. You can run Shield on every request with
+negligible performance impact.
+
+The rule is defined in your `astro.config.mjs` file:
+
+```js
+// @ts-check
+import { defineConfig } from "astro/config";
+import arcjet, { shield } from "@arcjet/astro";
+
+// https://astro.build/config
+export default defineConfig({
+  env: {
+    validateSecrets: true,
+  },
+  integrations: [
+    arcjet({
+      rules: [
+        shield({
+          mode: "LIVE", // will block requests. Use "DRY_RUN" to log only
+        }),
+      ],
+    }),
+  ],
+});
+```
+
+Then Arcjet is called from within this page route:
+
+```ts
+// src/pages/api.json.ts
+import type { APIRoute } from "astro";
+import aj from "arcjet:client";
+
+export const GET: APIRoute = async ({ request }) => {
+  const decision = await aj.protect(request);
+
+  if (decision.isDenied()) {
+    return Response.json({ error: "Forbidden" }, { status: 403 });
+  } else {
+    return Response.json({ message: "Hello world" });
+  }
+};
+```
+
+## License
+
+Licensed under the [Apache License, Version 2.0][apache-license].
+
+[arcjet]: https://arcjet.com
+[astro]: https://astro.build/
+[example-url]: https://example.arcjet.com
+[quick-start]: https://docs.arcjet.com/get-started/astro
+[example-source]: https://github.com/arcjet/arcjet-js-example
+[rate-limit-concepts-docs]: https://docs.arcjet.com/rate-limiting/concepts
+[shield-concepts-docs]: https://docs.arcjet.com/shield/concepts
+[apache-license]: http://www.apache.org/licenses/LICENSE-2.0

package/astro-env.d.ts

@@ -0,0 +1,16 @@
+declare module "astro:env/server" {
+  const ARCJET_BASE_URL: string | undefined;
+  const ARCJET_ENV: string | undefined;
+  const ARCJET_KEY: string | undefined;
+  const ARCJET_LOG_LEVEL: string | undefined;
+  const FLY_APP_NAME: string | undefined;
+  const VERCEL: string | undefined;
+}
+
+interface ImportMetaEnv {
+  readonly MODE: string | undefined;
+}
+
+interface ImportMeta {
+  readonly env: ImportMetaEnv;
+}

package/index.d.ts

@@ -0,0 +1,75 @@
+import type { BotOptions, EmailOptions, FixedWindowRateLimitOptions, ProtectSignupOptions, SensitiveInfoOptions, ShieldOptions, SlidingWindowRateLimitOptions, TokenBucketRateLimitOptions } from "arcjet";
+import type { AstroIntegration } from "astro";
+type IntegrationRule<Characteristics extends readonly string[]> = {
+    type: "shield";
+    options?: ShieldOptions;
+} | {
+    type: "bot";
+    options?: BotOptions;
+} | {
+    type: "email";
+    options?: EmailOptions;
+} | {
+    type: "sensitiveInfo";
+    options?: SensitiveInfoOptions<never>;
+} | {
+    type: "fixedWindow";
+    options?: FixedWindowRateLimitOptions<Characteristics>;
+} | {
+    type: "slidingWindow";
+    options?: SlidingWindowRateLimitOptions<Characteristics>;
+} | {
+    type: "tokenBucket";
+    options?: TokenBucketRateLimitOptions<Characteristics>;
+} | {
+    type: "protectSignup";
+    options?: ProtectSignupOptions<Characteristics>;
+};
+type ArcjetIntegrationOptions<Characteristics extends readonly string[]> = {
+    rules: IntegrationRule<Characteristics>[];
+    characteristics?: Characteristics;
+    client?: RemoteClientOptions;
+    proxies?: string[];
+};
+export declare function shield(options?: ShieldOptions): {
+    readonly type: "shield";
+    readonly options: ShieldOptions | undefined;
+};
+export declare function detectBot(options?: BotOptions): {
+    readonly type: "bot";
+    readonly options: BotOptions | undefined;
+};
+export declare function validateEmail(options?: EmailOptions): {
+    readonly type: "email";
+    readonly options: EmailOptions | undefined;
+};
+export declare function sensitiveInfo(options?: SensitiveInfoOptions<never>): {
+    readonly type: "sensitiveInfo";
+    readonly options: SensitiveInfoOptions<never> | undefined;
+};
+export declare function fixedWindow<Characteristics extends readonly string[]>(options?: FixedWindowRateLimitOptions<Characteristics>): {
+    readonly type: "fixedWindow";
+    readonly options: FixedWindowRateLimitOptions<Characteristics> | undefined;
+};
+export declare function slidingWindow<Characteristics extends readonly string[]>(options?: SlidingWindowRateLimitOptions<Characteristics>): {
+    readonly type: "slidingWindow";
+    readonly options: SlidingWindowRateLimitOptions<Characteristics> | undefined;
+};
+export declare function tokenBucket<Characteristics extends readonly string[]>(options?: TokenBucketRateLimitOptions<Characteristics>): {
+    readonly type: "tokenBucket";
+    readonly options: TokenBucketRateLimitOptions<Characteristics> | undefined;
+};
+export declare function protectSignup<Characteristics extends readonly string[]>(options?: ProtectSignupOptions<Characteristics>): {
+    readonly type: "protectSignup";
+    readonly options: ProtectSignupOptions<Characteristics> | undefined;
+};
+export type RemoteClientOptions = {
+    baseUrl?: string;
+    timeout?: number;
+};
+export declare function createRemoteClient({ baseUrl, timeout }: RemoteClientOptions): {
+    readonly baseUrl: string | undefined;
+    readonly timeout: number | undefined;
+};
+export default function arcjet<Characteristics extends readonly string[]>({ rules, characteristics, client, proxies, }?: ArcjetIntegrationOptions<Characteristics>): AstroIntegration;
+export {};

package/index.js

@@ -0,0 +1,345 @@
+import { z } from 'astro/zod';
+import fs from 'node:fs/promises';
+
+const resolvedVirtualClientId = "\0ARCJET_VIRTUAL_CLIENT";
+const validateMode = z.enum(["LIVE", "DRY_RUN"]);
+const validateProxies = z.array(z.string());
+const validateCharacteristics = z.array(z.string());
+const validateClientOptions = z
+    .object({
+    baseUrl: z.string(),
+    timeout: z.number(),
+})
+    .strict()
+    .optional();
+const validateShieldOptions = z
+    .object({
+    mode: validateMode,
+})
+    .strict()
+    .optional();
+const validateBotOptions = z
+    .union([
+    z
+        .object({
+        mode: validateMode,
+        allow: z.array(z.string()),
+    })
+        .strict(),
+    z
+        .object({
+        mode: validateMode,
+        deny: z.array(z.string()),
+    })
+        .strict(),
+])
+    .optional();
+const validateEmailOptions = z
+    .union([
+    z
+        .object({
+        mode: validateMode,
+        allow: z.array(z.string()),
+        requireTopLevelDomain: z.boolean(),
+        allowDomainLiteral: z.boolean(),
+    })
+        .strict(),
+    z
+        .object({
+        mode: validateMode,
+        deny: z.array(z.string()),
+        requireTopLevelDomain: z.boolean(),
+        allowDomainLiteral: z.boolean(),
+    })
+        .strict(),
+])
+    .optional();
+const validateSensitiveInfoOptions = z
+    .union([
+    z
+        .object({
+        mode: validateMode,
+        allow: z.array(z.string()),
+        contextWindowSize: z.number(),
+    })
+        .strict(),
+    z
+        .object({
+        mode: validateMode,
+        deny: z.array(z.string()),
+        contextWindowSize: z.number(),
+    })
+        .strict(),
+])
+    .optional();
+const validateFixedWindowOptions = z
+    .object({
+    mode: validateMode,
+    characteristics: validateCharacteristics,
+    window: z.union([z.string(), z.number()]),
+    max: z.number(),
+})
+    .strict()
+    .optional();
+const validateSlidingWindowOptions = z
+    .object({
+    mode: validateMode,
+    characteristics: validateCharacteristics,
+    interval: z.union([z.string(), z.number()]),
+    max: z.number(),
+})
+    .strict()
+    .optional();
+const validateTokenBucketOptions = z
+    .object({
+    mode: validateMode,
+    characteristics: validateCharacteristics,
+    refillRate: z.number(),
+    interval: z.union([z.string(), z.number()]),
+    capacity: z.number(),
+})
+    .strict()
+    .optional();
+const validateProtectSignupOptions = z
+    .object({
+    rateLimit: validateSlidingWindowOptions,
+    bots: validateBotOptions,
+    email: validateEmailOptions,
+})
+    .strict()
+    .optional();
+function validateAndSerialize(schema, value) {
+    const v = schema.parse(value);
+    return v ? JSON.stringify(v) : "";
+}
+function integrationRuleToClientRule(rule) {
+    switch (rule.type) {
+        case "shield": {
+            const serializedOpts = validateAndSerialize(validateShieldOptions, rule.options);
+            return {
+                importName: `shield`,
+                code: `shield(${serializedOpts})`,
+            };
+        }
+        case "bot": {
+            const serializedOpts = validateAndSerialize(validateBotOptions, rule.options);
+            return {
+                importName: `detectBot`,
+                code: `detectBot(${serializedOpts})`,
+            };
+        }
+        case "email": {
+            const serializedOpts = validateAndSerialize(validateEmailOptions, rule.options);
+            return {
+                importName: `validateEmail`,
+                code: `validateEmail(${serializedOpts})`,
+            };
+        }
+        case "sensitiveInfo": {
+            const serializedOpts = validateAndSerialize(validateSensitiveInfoOptions, rule.options);
+            return {
+                importName: `sensitiveInfo`,
+                code: `sensitiveInfo(${serializedOpts})`,
+            };
+        }
+        case "fixedWindow": {
+            const serializedOpts = validateAndSerialize(validateFixedWindowOptions, rule.options);
+            return {
+                importName: `fixedWindow`,
+                code: `fixedWindow(${serializedOpts})`,
+            };
+        }
+        case "slidingWindow": {
+            const serializedOpts = validateAndSerialize(validateSlidingWindowOptions, rule.options);
+            return {
+                importName: `slidingWindow`,
+                code: `slidingWindow(${serializedOpts})`,
+            };
+        }
+        case "tokenBucket": {
+            const serializedOpts = validateAndSerialize(validateTokenBucketOptions, rule.options);
+            return {
+                importName: `tokenBucket`,
+                code: `tokenBucket(${serializedOpts})`,
+            };
+        }
+        case "protectSignup": {
+            const serializedOpts = validateAndSerialize(validateProtectSignupOptions, rule.options);
+            return {
+                importName: `protectSignup`,
+                code: `protectSignup(${serializedOpts})`,
+            };
+        }
+        default: {
+            throw new Error("Cannot convert rule via integration");
+        }
+    }
+}
+// Mirror the rule functions in the SDK but produce serializable rules
+function shield(options) {
+    return { type: "shield", options };
+}
+function detectBot(options) {
+    return { type: "bot", options };
+}
+function validateEmail(options) {
+    return { type: "email", options };
+}
+function sensitiveInfo(options) {
+    return { type: "sensitiveInfo", options };
+}
+function fixedWindow(options) {
+    return { type: "fixedWindow", options };
+}
+function slidingWindow(options) {
+    return { type: "slidingWindow", options };
+}
+function tokenBucket(options) {
+    return { type: "tokenBucket", options };
+}
+function protectSignup(options) {
+    return { type: "protectSignup", options };
+}
+function createRemoteClient({ baseUrl, timeout }) {
+    return { baseUrl, timeout };
+}
+function arcjet({ rules, characteristics, client, proxies, } = { rules: [] }) {
+    const arcjetImports = new Set();
+    const arcjetRules = [];
+    for (const rule of rules) {
+        const { importName, code } = integrationRuleToClientRule(rule);
+        arcjetImports.add(importName);
+        arcjetRules.push(code);
+    }
+    const characteristicsInjection = characteristics
+        ? `characteristics: ${validateAndSerialize(validateCharacteristics, characteristics)},`
+        : "";
+    const proxiesInjection = proxies
+        ? `proxies: ${validateAndSerialize(validateProxies, proxies)},`
+        : "";
+    const clientInjection = client
+        ? `client: createRemoteClient(${validateAndSerialize(validateClientOptions, client)}),`
+        : "";
+    return {
+        name: "@arcjet/astro",
+        hooks: {
+            "astro:config:setup"({ updateConfig, addMiddleware }) {
+                updateConfig({
+                    env: {
+                        schema: {
+                            ARCJET_KEY: {
+                                type: "string",
+                                context: "server",
+                                access: "secret",
+                                startsWith: "ajkey_",
+                            },
+                            ARCJET_ENV: {
+                                type: "enum",
+                                context: "server",
+                                access: "public",
+                                values: ["production", "development"],
+                                optional: true,
+                            },
+                            ARCJET_BASE_URL: {
+                                type: "string",
+                                context: "server",
+                                access: "public",
+                                startsWith: "https://",
+                                optional: true,
+                            },
+                            ARCJET_LOG_LEVEL: {
+                                type: "enum",
+                                context: "server",
+                                access: "public",
+                                values: ["debug", "info", "warn", "error"],
+                                optional: true,
+                            },
+                            FLY_APP_NAME: {
+                                type: "string",
+                                context: "server",
+                                access: "public",
+                                optional: true,
+                            },
+                            VERCEL: {
+                                type: "string",
+                                context: "server",
+                                access: "public",
+                                optional: true,
+                            },
+                        },
+                    },
+                    vite: {
+                        plugins: [
+                            {
+                                name: "@arcjet/astro",
+                                resolveId(id) {
+                                    if (id === "arcjet:client") {
+                                        return resolvedVirtualClientId;
+                                    }
+                                    return;
+                                },
+                                async load(id) {
+                                    if (id === resolvedVirtualClientId) {
+                                        const implSource = await fs.readFile(new URL("./internal.js", import.meta.url), { encoding: "utf-8" });
+                                        return {
+                                            code: `
+                        ${implSource}
+
+                        import {
+                          ${Array.from(arcjetImports).join(",\n")}
+                        } from "arcjet"
+
+                        // Construct an Arcjet client for the virtual module
+                        const aj = createArcjetClient({
+                          key: ARCJET_KEY,
+                          rules: [
+                            ${arcjetRules.join(",\n")}
+                          ],
+                          ${characteristicsInjection}
+                          ${proxiesInjection}
+                          ${clientInjection}
+                        })
+
+                        export default aj;
+                      `,
+                                        };
+                                    }
+                                },
+                            },
+                        ],
+                    },
+                });
+                addMiddleware({
+                    entrypoint: new URL("./middleware.js", import.meta.url),
+                    order: "pre",
+                });
+            },
+            "astro:config:done": async ({ injectTypes }) => {
+                const implTypes = await fs.readFile(new URL("./internal.d.ts", import.meta.url), { encoding: "utf-8" });
+                injectTypes({
+                    content: `
+          declare module "arcjet:client" {
+            ${implTypes}
+
+            import {
+              ${Array.from(arcjetImports).join(",\n")}
+            } from "arcjet"
+
+            const client = createArcjetClient({
+              rules: [
+                ${arcjetRules.join(",\n")}
+              ],
+              ${characteristicsInjection}
+              ${proxiesInjection}
+              ${clientInjection}
+            })
+            export default client
+          }`,
+                    filename: "client.d.ts",
+                });
+            },
+        },
+    };
+}
+
+export { createRemoteClient, arcjet as default, detectBot, fixedWindow, protectSignup, sensitiveInfo, shield, slidingWindow, tokenBucket, validateEmail };

package/internal.d.ts

@@ -0,0 +1,60 @@
+import type { ArcjetDecision, ArcjetOptions as CoreOptions, Primitive, Product, ExtraProps, CharacteristicProps } from "arcjet";
+export * from "arcjet";
+type Simplify<T> = {
+    [KeyType in keyof T]: T[KeyType];
+} & {};
+declare const emptyObjectSymbol: unique symbol;
+type WithoutCustomProps = {
+    [emptyObjectSymbol]?: never;
+};
+type PlainObject = {
+    [key: string]: unknown;
+};
+export type RemoteClientOptions = {
+    baseUrl?: string;
+    timeout?: number;
+};
+export declare function createRemoteClient(options?: RemoteClientOptions): import("@arcjet/protocol/client.js").Client;
+/**
+ * The options used to configure an {@link ArcjetAstro} client.
+ */
+export type ArcjetOptions<Rules extends [...Array<Primitive | Product>], Characteristics extends readonly string[]> = Simplify<CoreOptions<Rules, Characteristics> & {
+    /**
+     * One or more IP Address of trusted proxies in front of the application.
+     * These addresses will be excluded when Arcjet detects a public IP address.
+     */
+    proxies?: Array<string>;
+}>;
+/**
+ * The ArcjetAstro client provides a public `protect()` method to
+ * make a decision about how an Astro request should be handled.
+ */
+export interface ArcjetAstro<Props extends PlainObject> {
+    /**
+     * Runs a request through the configured protections. The request is
+     * analyzed and then a decision made on whether to allow, deny, or challenge
+     * the request.
+     *
+     * @param request - A `Request` provided to the fetch handler.
+     * @param props - Additonal properties required for running rules against a request.
+     * @returns An {@link ArcjetDecision} indicating Arcjet's decision about the request.
+     */
+    protect(request: Request, ...props: Props extends WithoutCustomProps ? [] : [Props]): Promise<ArcjetDecision>;
+    /**
+     * Augments the client with another rule. Useful for varying rules based on
+     * criteria in your handler—e.g. different rate limit for logged in users.
+     *
+     * @param rule The rule to add to this execution.
+     * @returns An augmented {@link ArcjetAstro} client.
+     */
+    withRule<Rule extends Primitive | Product>(rule: Rule): ArcjetAstro<Simplify<Props & ExtraProps<Rule>>>;
+}
+/**
+ * Create a new {@link ArcjetAstro} client. Always build your initial client
+ * outside of a request handler so it persists across requests. If you need to
+ * augment a client inside a handler, call the `withRule()` function on the base
+ * client.
+ *
+ * @param options - Arcjet configuration options to apply to all requests.
+ */
+export declare function createArcjetClient<const Rules extends (Primitive | Product)[], const Characteristics extends readonly string[]>(options: ArcjetOptions<Rules, Characteristics>): ArcjetAstro<Simplify<ExtraProps<Rules> & CharacteristicProps<Characteristics>>>;

package/internal.js

@@ -0,0 +1,140 @@
+import core__default from 'arcjet';
+export * from 'arcjet';
+import findIP from '@arcjet/ip';
+import ArcjetHeaders from '@arcjet/headers';
+import { baseUrl, isDevelopment, logLevel, platform } from '@arcjet/env';
+import { Logger } from '@arcjet/logger';
+import { createClient } from '@arcjet/protocol/client.js';
+import { createTransport } from '@arcjet/transport';
+import { VERCEL, FLY_APP_NAME, ARCJET_LOG_LEVEL, ARCJET_KEY, ARCJET_ENV, ARCJET_BASE_URL } from 'astro:env/server';
+
+// We use a middleware to store the IP address on a `Request` with this symbol.
+// This is due to Astro inconsistently using `Symbol.for("astro.clientAddress")`
+// to store the client address and not exporting it from their module.
+const ipSymbol = Symbol.for("arcjet.ip");
+const env = {
+    ARCJET_BASE_URL,
+    ARCJET_ENV,
+    ARCJET_KEY,
+    ARCJET_LOG_LEVEL,
+    FLY_APP_NAME,
+    VERCEL,
+    // `MODE` is only set on `import.meta.env`.
+    MODE: import.meta.env.MODE,
+};
+// TODO: Deduplicate with other packages
+function errorMessage(err) {
+    if (err) {
+        if (typeof err === "string") {
+            return err;
+        }
+        if (typeof err === "object" &&
+            "message" in err &&
+            typeof err.message === "string") {
+            return err.message;
+        }
+    }
+    return "Unknown problem";
+}
+function createRemoteClient(options) {
+    // The base URL for the Arcjet API. Will default to the standard production
+    // API unless environment variable `ARCJET_BASE_URL` is set.
+    const url = options?.baseUrl ?? baseUrl(env);
+    // The timeout for the Arcjet API in milliseconds. This is set to a low value
+    // in production so calls fail open.
+    const timeout = options?.timeout ?? (isDevelopment(env) ? 1000 : 500);
+    // Transport is the HTTP client that the client uses to make requests.
+    const transport = createTransport(url);
+    const sdkStack = "ASTRO";
+    const sdkVersion = "1.0.0-beta.2";
+    return createClient({
+        transport,
+        baseUrl: url,
+        timeout,
+        sdkStack,
+        sdkVersion,
+    });
+}
+/**
+ * Create a new {@link ArcjetAstro} client. Always build your initial client
+ * outside of a request handler so it persists across requests. If you need to
+ * augment a client inside a handler, call the `withRule()` function on the base
+ * client.
+ *
+ * @param options - Arcjet configuration options to apply to all requests.
+ */
+function createArcjetClient(options) {
+    const client = options.client ?? createRemoteClient();
+    const log = options.log
+        ? options.log
+        : new Logger({
+            level: logLevel(env),
+        });
+    function toArcjetRequest(request, props) {
+        const clientAddress = Reflect.get(request, ipSymbol);
+        if (!clientAddress) {
+            throw new Error("`protect()` cannot be used in prerendered pages");
+        }
+        const cookies = request.headers.get("cookie") ?? undefined;
+        // We construct an ArcjetHeaders to normalize over Headers
+        const headers = new ArcjetHeaders(request.headers);
+        const url = new URL(request.url);
+        let ip = findIP({
+            ip: clientAddress,
+            headers,
+        }, { platform: platform(env), proxies: options.proxies });
+        if (ip === "") {
+            // If the `ip` is empty but we're in development mode, we default the IP
+            // so the request doesn't fail.
+            if (isDevelopment(env)) {
+                log.warn("Using 127.0.0.1 as IP address in development mode");
+                ip = "127.0.0.1";
+            }
+            else {
+                log.warn(`Client IP address is missing. If this is a dev environment set the ARCJET_ENV env var to "development"`);
+            }
+        }
+        return {
+            ...props,
+            ip,
+            method: request.method,
+            protocol: url.protocol,
+            host: url.host,
+            path: url.pathname,
+            headers,
+            cookies,
+            query: url.search,
+        };
+    }
+    function withClient(aj) {
+        return Object.freeze({
+            withRule(rule) {
+                const client = aj.withRule(rule);
+                return withClient(client);
+            },
+            async protect(request, ...[props]) {
+                // TODO(#220): The generic manipulations get really mad here, so we cast
+                // Further investigation makes it seem like it has something to do with
+                // the definition of `props` in the signature but it's hard to track down
+                const req = toArcjetRequest(request, props ?? {});
+                const getBody = async () => {
+                    try {
+                        const clonedRequest = request.clone();
+                        // Awaited to throw if it rejects and we'll just return undefined
+                        const body = await clonedRequest.text();
+                        return body;
+                    }
+                    catch (e) {
+                        log.error("failed to get request body: %s", errorMessage(e));
+                        return;
+                    }
+                };
+                return aj.protect({ getBody }, req);
+            },
+        });
+    }
+    const aj = core__default({ ...options, client, log });
+    return withClient(aj);
+}
+
+export { createArcjetClient, createRemoteClient };

package/middleware.d.ts

@@ -0,0 +1 @@
+export declare const onRequest: import("astro").MiddlewareHandler;

package/middleware.js

@@ -0,0 +1,14 @@
+import { defineMiddleware } from 'astro/middleware';
+
+// We use a middleware to store the IP address on a `Request` with this symbol.
+// This is due to Astro inconsistently using `Symbol.for("astro.clientAddress")`
+// to store the client address and not exporting it from their module.
+const ipSymbol = Symbol.for("arcjet.ip");
+const onRequest = defineMiddleware((ctx, next) => {
+    if (!ctx.isPrerendered) {
+        Reflect.set(ctx.request, ipSymbol, ctx.clientAddress);
+    }
+    return next();
+});
+
+export { onRequest };

package/package.json

@@ -0,0 +1,67 @@
+{
+  "name": "@arcjet/astro",
+  "version": "1.0.0-beta.2",
+  "description": "Arcjet SDK integration for Astro",
+  "license": "Apache-2.0",
+  "homepage": "https://arcjet.com",
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/arcjet/arcjet-js.git",
+    "directory": "arcjet-astro"
+  },
+  "bugs": {
+    "url": "https://github.com/arcjet/arcjet-js/issues",
+    "email": "support@arcjet.com"
+  },
+  "author": {
+    "name": "Arcjet",
+    "email": "support@arcjet.com",
+    "url": "https://arcjet.com"
+  },
+  "engines": {},
+  "type": "module",
+  "main": "./index.js",
+  "types": "./index.d.ts",
+  "files": [
+    "LICENSE",
+    "README.md",
+    "*.js",
+    "*.d.ts",
+    "!*.config.js"
+  ],
+  "scripts": {
+    "prepublishOnly": "npm run build",
+    "build": "rollup --config rollup.config.js",
+    "lint": "eslint .",
+    "pretest": "npm run build",
+    "test": "node --test --experimental-test-coverage"
+  },
+  "dependencies": {
+    "@arcjet/env": "1.0.0-beta.2",
+    "@arcjet/headers": "1.0.0-beta.2",
+    "@arcjet/ip": "1.0.0-beta.2",
+    "@arcjet/logger": "1.0.0-beta.2",
+    "@arcjet/protocol": "1.0.0-beta.2",
+    "@arcjet/transport": "1.0.0-beta.2",
+    "arcjet": "1.0.0-beta.2"
+  },
+  "peerDependencies": {
+    "astro": "^5"
+  },
+  "devDependencies": {
+    "@arcjet/eslint-config": "1.0.0-beta.2",
+    "@arcjet/rollup-config": "1.0.0-beta.2",
+    "@arcjet/tsconfig": "1.0.0-beta.2",
+    "@rollup/wasm-node": "4.34.2",
+    "astro": "5.2.5",
+    "expect": "29.7.0",
+    "typescript": "5.7.3"
+  },
+  "publishConfig": {
+    "access": "public",
+    "tag": "latest"
+  },
+  "keywords": [
+    "astro-integration"
+  ]
+}