@beignet/core 0.0.31 → 0.0.33

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (156) hide show
  1. package/CHANGELOG.md +115 -0
  2. package/README.md +346 -21
  3. package/dist/application/index.d.ts.map +1 -1
  4. package/dist/application/index.js +63 -47
  5. package/dist/application/index.js.map +1 -1
  6. package/dist/domain/entity.d.ts +37 -6
  7. package/dist/domain/entity.d.ts.map +1 -1
  8. package/dist/domain/entity.js +9 -7
  9. package/dist/domain/entity.js.map +1 -1
  10. package/dist/domain/index.d.ts +4 -4
  11. package/dist/domain/index.d.ts.map +1 -1
  12. package/dist/domain/index.js +4 -4
  13. package/dist/domain/index.js.map +1 -1
  14. package/dist/events/index.d.ts +6 -0
  15. package/dist/events/index.d.ts.map +1 -1
  16. package/dist/events/index.js +20 -10
  17. package/dist/events/index.js.map +1 -1
  18. package/dist/flags/index.d.ts +5 -4
  19. package/dist/flags/index.d.ts.map +1 -1
  20. package/dist/flags/index.js +10 -9
  21. package/dist/flags/index.js.map +1 -1
  22. package/dist/idempotency/index.d.ts +11 -1
  23. package/dist/idempotency/index.d.ts.map +1 -1
  24. package/dist/idempotency/index.js +4 -3
  25. package/dist/idempotency/index.js.map +1 -1
  26. package/dist/jobs/index.d.ts +449 -9
  27. package/dist/jobs/index.d.ts.map +1 -1
  28. package/dist/jobs/index.js +472 -12
  29. package/dist/jobs/index.js.map +1 -1
  30. package/dist/outbox/index.d.ts +170 -3
  31. package/dist/outbox/index.d.ts.map +1 -1
  32. package/dist/outbox/index.js +192 -8
  33. package/dist/outbox/index.js.map +1 -1
  34. package/dist/ports/events.d.ts +2 -2
  35. package/dist/ports/index.d.ts +6 -1
  36. package/dist/ports/index.d.ts.map +1 -1
  37. package/dist/ports/index.js +1 -0
  38. package/dist/ports/index.js.map +1 -1
  39. package/dist/providers/instrumentation.d.ts +4 -0
  40. package/dist/providers/instrumentation.d.ts.map +1 -1
  41. package/dist/providers/instrumentation.js.map +1 -1
  42. package/dist/providers/provider.d.ts +10 -2
  43. package/dist/providers/provider.d.ts.map +1 -1
  44. package/dist/providers/provider.js.map +1 -1
  45. package/dist/schedules/index.d.ts +8 -7
  46. package/dist/schedules/index.d.ts.map +1 -1
  47. package/dist/schedules/index.js +47 -16
  48. package/dist/schedules/index.js.map +1 -1
  49. package/dist/search/index.d.ts +2 -1
  50. package/dist/search/index.d.ts.map +1 -1
  51. package/dist/search/index.js +1 -0
  52. package/dist/search/index.js.map +1 -1
  53. package/dist/server/hooks/index.d.ts +1 -0
  54. package/dist/server/hooks/index.d.ts.map +1 -1
  55. package/dist/server/hooks/index.js +1 -0
  56. package/dist/server/hooks/index.js.map +1 -1
  57. package/dist/server/hooks/rate-limit.d.ts +26 -13
  58. package/dist/server/hooks/rate-limit.d.ts.map +1 -1
  59. package/dist/server/hooks/rate-limit.js +28 -34
  60. package/dist/server/hooks/rate-limit.js.map +1 -1
  61. package/dist/server/hooks/security.d.ts +179 -0
  62. package/dist/server/hooks/security.d.ts.map +1 -0
  63. package/dist/server/hooks/security.js +225 -0
  64. package/dist/server/hooks/security.js.map +1 -0
  65. package/dist/server/index.d.ts +8 -0
  66. package/dist/server/index.d.ts.map +1 -1
  67. package/dist/server/index.js +8 -0
  68. package/dist/server/index.js.map +1 -1
  69. package/dist/server/instrumentation.d.ts.map +1 -1
  70. package/dist/server/instrumentation.js +22 -6
  71. package/dist/server/instrumentation.js.map +1 -1
  72. package/dist/server/providers/loadProviderConfig.d.ts.map +1 -1
  73. package/dist/server/providers/loadProviderConfig.js +15 -2
  74. package/dist/server/providers/loadProviderConfig.js.map +1 -1
  75. package/dist/server/request-context.d.ts +4 -0
  76. package/dist/server/request-context.d.ts.map +1 -1
  77. package/dist/server/request-context.js +3 -0
  78. package/dist/server/request-context.js.map +1 -1
  79. package/dist/server/runtime-integrity.d.ts +84 -0
  80. package/dist/server/runtime-integrity.d.ts.map +1 -0
  81. package/dist/server/runtime-integrity.js +160 -0
  82. package/dist/server/runtime-integrity.js.map +1 -0
  83. package/dist/server/server.d.ts +10 -0
  84. package/dist/server/server.d.ts.map +1 -1
  85. package/dist/server/server.js +55 -1
  86. package/dist/server/server.js.map +1 -1
  87. package/dist/server/trusted-proxy.d.ts +77 -0
  88. package/dist/server/trusted-proxy.d.ts.map +1 -0
  89. package/dist/server/trusted-proxy.js +129 -0
  90. package/dist/server/trusted-proxy.js.map +1 -0
  91. package/dist/tasks/index.d.ts +6 -7
  92. package/dist/tasks/index.d.ts.map +1 -1
  93. package/dist/tasks/index.js +22 -5
  94. package/dist/tasks/index.js.map +1 -1
  95. package/dist/tenancy/index.d.ts +41 -0
  96. package/dist/tenancy/index.d.ts.map +1 -0
  97. package/dist/tenancy/index.js +34 -0
  98. package/dist/tenancy/index.js.map +1 -0
  99. package/dist/testing/index.d.ts +6 -0
  100. package/dist/testing/index.d.ts.map +1 -1
  101. package/dist/testing/index.js +12 -3
  102. package/dist/testing/index.js.map +1 -1
  103. package/dist/tracing/execution.d.ts +14 -0
  104. package/dist/tracing/execution.d.ts.map +1 -0
  105. package/dist/tracing/execution.js +17 -0
  106. package/dist/tracing/execution.js.map +1 -0
  107. package/dist/tracing/index.d.ts +49 -0
  108. package/dist/tracing/index.d.ts.map +1 -1
  109. package/dist/tracing/index.js +59 -0
  110. package/dist/tracing/index.js.map +1 -1
  111. package/dist/uploads/client.d.ts.map +1 -1
  112. package/dist/uploads/client.js +44 -6
  113. package/dist/uploads/client.js.map +1 -1
  114. package/dist/uploads/index.d.ts +182 -2
  115. package/dist/uploads/index.d.ts.map +1 -1
  116. package/dist/uploads/index.js +468 -76
  117. package/dist/uploads/index.js.map +1 -1
  118. package/dist/webhooks/index.d.ts +56 -4
  119. package/dist/webhooks/index.d.ts.map +1 -1
  120. package/dist/webhooks/index.js +107 -2
  121. package/dist/webhooks/index.js.map +1 -1
  122. package/package.json +5 -1
  123. package/skills/app-architecture/SKILL.md +23 -2
  124. package/src/application/index.ts +88 -56
  125. package/src/domain/entity.ts +61 -13
  126. package/src/domain/index.ts +8 -7
  127. package/src/events/index.ts +27 -14
  128. package/src/flags/index.ts +23 -19
  129. package/src/idempotency/index.ts +17 -3
  130. package/src/jobs/index.ts +1022 -19
  131. package/src/outbox/index.ts +409 -9
  132. package/src/ports/events.ts +2 -2
  133. package/src/ports/index.ts +17 -0
  134. package/src/providers/instrumentation.ts +4 -0
  135. package/src/providers/provider.ts +11 -2
  136. package/src/schedules/index.ts +60 -26
  137. package/src/search/index.ts +3 -1
  138. package/src/server/hooks/index.ts +10 -0
  139. package/src/server/hooks/rate-limit.ts +52 -46
  140. package/src/server/hooks/security.ts +503 -0
  141. package/src/server/index.ts +8 -0
  142. package/src/server/instrumentation.ts +25 -5
  143. package/src/server/providers/loadProviderConfig.ts +19 -2
  144. package/src/server/request-context.ts +7 -0
  145. package/src/server/runtime-integrity.ts +322 -0
  146. package/src/server/server.ts +86 -1
  147. package/src/server/trusted-proxy.ts +249 -0
  148. package/src/tasks/index.ts +29 -12
  149. package/src/tenancy/index.ts +55 -0
  150. package/src/testing/index.ts +19 -3
  151. package/src/tracing/execution.ts +37 -0
  152. package/src/tracing/index.ts +137 -0
  153. package/src/uploads/client.ts +65 -6
  154. package/src/uploads/index.ts +713 -76
  155. package/src/webhooks/index.ts +240 -9
  156. package/src/domain/events.ts +0 -59
@@ -1 +1 @@
1
- {"version":3,"file":"rate-limit.d.ts","sourceRoot":"","sources":["../../../src/server/hooks/rate-limit.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,0BAA0B,CAAC;AAE/D,OAAO,KAAK,EAAE,aAAa,EAAE,aAAa,EAAE,MAAM,sBAAsB,CAAC;AAKzE,OAAO,KAAK,EAAE,eAAe,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AAE/D;;GAEG;AACH,MAAM,MAAM,cAAc,GAAG;IAC3B,SAAS,EAAE,aAAa,CAAC;CAC1B,CAAC;AAEF;;GAEG;AACH,MAAM,MAAM,gBAAgB,GAAG;IAC7B,KAAK,EAAE,cAAc,CAAC;IACtB,KAAK,CAAC,EAAE,aAAa,CAAC;CACvB,CAAC;AAEF,KAAK,mBAAmB,GAAG,OAAO,CAAC,cAAc,EAAE,MAAM,CAAC,CAAC;AAE3D;;;;;;;;;;;;;;GAcG;AACH,MAAM,MAAM,iBAAiB,GACzB,MAAM,GACN,sBAAsB,GACtB,uBAAuB,GACvB,CAAC,CAAC,GAAG,EAAE,eAAe,KAAK,MAAM,GAAG,SAAS,CAAC,CAAC;AAEnD;;GAEG;AACH,MAAM,WAAW,gBAAgB,CAAC,GAAG;IACnC;;;;OAIG;IACH,GAAG,CAAC,EAAE,CAAC,IAAI,EAAE;QACX,GAAG,EAAE,GAAG,CAAC;QACT,GAAG,EAAE,eAAe,CAAC;QACrB,KAAK,EAAE,cAAc,CAAC;KACvB,KAAK,MAAM,CAAC;IACb;;;;OAIG;IACH,QAAQ,CAAC,EAAE,CAAC,IAAI,EAAE;QAChB,GAAG,EAAE,eAAe,CAAC;QACrB,KAAK,EAAE,mBAAmB,CAAC;KAC5B,KAAK,MAAM,CAAC;IACb;;;;;;;;OAQG;IACH,QAAQ,CAAC,EAAE,iBAAiB,CAAC;CAC9B;AAiJD;;;;;;;;;;;;;;;;;;;;;;;;GAwBG;AACH,wBAAgB,oBAAoB,CAAC,GAAG,SAAS,gBAAgB,EAC/D,OAAO,GAAE,gBAAgB,CAAC,GAAG,CAAM,GAClC,UAAU,CAAC,GAAG,EAAE,cAAc,CAAC,CA+EjC"}
1
+ {"version":3,"file":"rate-limit.d.ts","sourceRoot":"","sources":["../../../src/server/hooks/rate-limit.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,0BAA0B,CAAC;AAE/D,OAAO,KAAK,EAAE,aAAa,EAAE,aAAa,EAAE,MAAM,sBAAsB,CAAC;AAKzE,OAAO,EAEL,KAAK,0BAA0B,EAC/B,KAAK,kBAAkB,EACxB,MAAM,qBAAqB,CAAC;AAC7B,OAAO,KAAK,EAAE,eAAe,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AAE/D;;GAEG;AACH,MAAM,MAAM,cAAc,GAAG;IAC3B,SAAS,EAAE,aAAa,CAAC;CAC1B,CAAC;AAEF;;GAEG;AACH,MAAM,MAAM,gBAAgB,GAAG;IAC7B,KAAK,EAAE,cAAc,CAAC;IACtB,KAAK,CAAC,EAAE,aAAa,CAAC;CACvB,CAAC;AAEF,KAAK,mBAAmB,GAAG,OAAO,CAAC,cAAc,EAAE,MAAM,CAAC,CAAC;AAE3D;;;;;;;;;;;;;;;GAeG;AACH,MAAM,MAAM,iBAAiB,GAAG,MAAM,GAAG,0BAA0B,CAAC;AAEpE;;GAEG;AACH,MAAM,WAAW,gBAAgB,CAAC,GAAG;IACnC;;;;OAIG;IACH,GAAG,CAAC,EAAE,CAAC,IAAI,EAAE;QACX,GAAG,EAAE,GAAG,CAAC;QACT,GAAG,EAAE,eAAe,CAAC;QACrB,KAAK,EAAE,cAAc,CAAC;KACvB,KAAK,MAAM,CAAC;IACb;;;;OAIG;IACH,QAAQ,CAAC,EAAE,CAAC,IAAI,EAAE;QAChB,GAAG,EAAE,eAAe,CAAC;QACrB,KAAK,EAAE,mBAAmB,CAAC;KAC5B,KAAK,MAAM,CAAC;IACb;;;;;;;;;OASG;IACH,QAAQ,CAAC,EAAE,iBAAiB,CAAC;IAC7B;;;;;;;;OAQG;IACH,YAAY,CAAC,EAAE,kBAAkB,CAAC;CACnC;AAmID;;;;;;;;;;;;;;;;;;;;;;;;GAwBG;AACH,wBAAgB,oBAAoB,CAAC,GAAG,SAAS,gBAAgB,EAC/D,OAAO,GAAE,gBAAgB,CAAC,GAAG,CAAM,GAClC,UAAU,CAAC,GAAG,EAAE,cAAc,CAAC,CAsFjC"}
@@ -3,36 +3,25 @@
3
3
  */
4
4
  import { AppError, httpErrors } from "../../errors/index.js";
5
5
  import { createProviderInstrumentation, } from "../../providers/index.js";
6
- function parseForwardedFor(req) {
7
- const header = req.headers.get("x-forwarded-for") ?? "";
8
- return header
9
- .split(",")
10
- .map((entry) => entry.trim())
11
- .filter(Boolean);
12
- }
6
+ import { resolveTrustedClientIp, } from "../trusted-proxy.js";
13
7
  function resolveClientIp(req, ipSource) {
14
- if (typeof ipSource === "function") {
15
- return ipSource(req) || undefined;
16
- }
17
8
  if (ipSource === "none") {
18
9
  return undefined;
19
10
  }
20
- const entries = parseForwardedFor(req);
21
- if (entries.length === 0) {
22
- return undefined;
23
- }
24
- return ipSource === "x-forwarded-for-first"
25
- ? entries[0]
26
- : entries[entries.length - 1];
11
+ return resolveTrustedClientIp(req, ipSource);
12
+ }
13
+ function hasTrustedProxyClientIp(config) {
14
+ if (!config)
15
+ return false;
16
+ return Boolean(config.clientIp);
27
17
  }
28
18
  function formatContractNames(names) {
29
19
  return names.map((name) => `"${name}"`).join(", ");
30
20
  }
31
21
  function ipSourceConfigurationError(contractNames) {
32
- return new Error(`createRateLimitHooks(...) has no ipSource configured, but contract(s) ${contractNames} declare an "ip"-scoped rate limit. ` +
33
- `Set ipSource to "x-forwarded-for-last" (app is always behind a trusted reverse proxy that appends the socket address), ` +
34
- `"x-forwarded-for-first" (a trusted edge normalizes the header before it reaches the app), ` +
35
- `a function for platform-specific headers such as cf-connecting-ip, ` +
22
+ return new Error(`createRateLimitHooks(...) has no client IP source configured, but contract(s) ${contractNames} declare an "ip"-scoped rate limit. ` +
23
+ `Set trustedProxy.clientIp or ipSource to a header source written by a trusted edge, ` +
24
+ `for example "x-forwarded-for-last", "x-forwarded-for-first", "x-real-ip", "cf-connecting-ip", or a custom function, ` +
36
25
  `or "none" to explicitly accept one shared ip:unknown bucket for all clients.`);
37
26
  }
38
27
  function emitUserKey(userId) {
@@ -106,30 +95,35 @@ async function enforceRateLimit(ports, args) {
106
95
  * never sent to clients; denials emit a `rateLimit.denied` instrumentation
107
96
  * event that carries the key for operators.
108
97
  *
109
- * `ip`-scoped limits require an explicit `ipSource` (or a custom `earlyKey`):
110
- * the hook's `validate` phase fails `createServer(...)` startup when a
111
- * registered contract declares an `ip` scope without one, instead of silently
112
- * collapsing all clients into a shared `ip:unknown` bucket. Contracts added
113
- * later through `server.route(...)` are not visible to `validate`, so
114
- * enforcing an `ip`-scoped limit without an `ipSource` throws the same
115
- * configuration error at request time as a backstop. Pass `ipSource: "none"`
116
- * to explicitly opt in to the shared `ip:unknown` bucket.
98
+ * `ip`-scoped limits require an explicit `trustedProxy.clientIp`, `ipSource`,
99
+ * or custom `earlyKey`: the hook's `validate` phase fails `createServer(...)`
100
+ * startup when a registered contract declares an `ip` scope without one,
101
+ * instead of silently collapsing all clients into a shared `ip:unknown` bucket.
102
+ * Contracts added later through `server.route(...)` are not visible to
103
+ * `validate`, so enforcing an `ip`-scoped limit without a client-IP source
104
+ * throws the same configuration error at request time as a backstop. Pass
105
+ * `ipSource: "none"` to explicitly opt in to the shared `ip:unknown` bucket.
117
106
  *
118
107
  * @param options - Optional key builders and client-IP source.
119
108
  * @returns A server hook backed by `ctx.ports.rateLimit`.
120
109
  */
121
110
  export function createRateLimitHooks(options = {}) {
122
- const { ipSource } = options;
111
+ const { ipSource, trustedProxy } = options;
123
112
  const getClientIp = (req, contractName) => {
124
- if (ipSource === undefined) {
125
- throw ipSourceConfigurationError(formatContractNames([contractName]));
113
+ if (ipSource !== undefined) {
114
+ return resolveClientIp(req, ipSource);
115
+ }
116
+ if (hasTrustedProxyClientIp(trustedProxy) && trustedProxy) {
117
+ return resolveTrustedClientIp(req, trustedProxy.clientIp);
126
118
  }
127
- return resolveClientIp(req, ipSource);
119
+ throw ipSourceConfigurationError(formatContractNames([contractName]));
128
120
  };
129
121
  return {
130
122
  name: "rate-limit",
131
123
  validate: ({ contracts }) => {
132
- if (ipSource !== undefined || options.earlyKey) {
124
+ if (ipSource !== undefined ||
125
+ hasTrustedProxyClientIp(trustedProxy) ||
126
+ options.earlyKey) {
133
127
  return;
134
128
  }
135
129
  const ipScoped = contracts
@@ -1 +1 @@
1
- {"version":3,"file":"rate-limit.js","sourceRoot":"","sources":["../../../src/server/hooks/rate-limit.ts"],"names":[],"mappings":"AAAA;;GAEG;AAGH,OAAO,EAAE,QAAQ,EAAE,UAAU,EAAE,MAAM,uBAAuB,CAAC;AAE7D,OAAO,EACL,6BAA6B,GAE9B,MAAM,0BAA0B,CAAC;AA4ElC,SAAS,iBAAiB,CAAC,GAAoB;IAC7C,MAAM,MAAM,GAAG,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,iBAAiB,CAAC,IAAI,EAAE,CAAC;IACxD,OAAO,MAAM;SACV,KAAK,CAAC,GAAG,CAAC;SACV,GAAG,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC;SAC5B,MAAM,CAAC,OAAO,CAAC,CAAC;AACrB,CAAC;AAED,SAAS,eAAe,CACtB,GAAoB,EACpB,QAA2B;IAE3B,IAAI,OAAO,QAAQ,KAAK,UAAU,EAAE,CAAC;QACnC,OAAO,QAAQ,CAAC,GAAG,CAAC,IAAI,SAAS,CAAC;IACpC,CAAC;IAED,IAAI,QAAQ,KAAK,MAAM,EAAE,CAAC;QACxB,OAAO,SAAS,CAAC;IACnB,CAAC;IAED,MAAM,OAAO,GAAG,iBAAiB,CAAC,GAAG,CAAC,CAAC;IACvC,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACzB,OAAO,SAAS,CAAC;IACnB,CAAC;IAED,OAAO,QAAQ,KAAK,uBAAuB;QACzC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC;QACZ,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;AAClC,CAAC;AAED,SAAS,mBAAmB,CAAC,KAAwB;IACnD,OAAO,KAAK,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,IAAI,GAAG,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AACrD,CAAC;AAED,SAAS,0BAA0B,CAAC,aAAqB;IACvD,OAAO,IAAI,KAAK,CACd,yEAAyE,aAAa,sCAAsC;QAC1H,yHAAyH;QACzH,4FAA4F;QAC5F,qEAAqE;QACrE,8EAA8E,CACjF,CAAC;AACJ,CAAC;AAED,SAAS,WAAW,CAAC,MAAc;IACjC,OAAO,QAAQ,MAAM,EAAE,CAAC;AAC1B,CAAC;AAED,SAAS,SAAS,CAAC,EAAU;IAC3B,OAAO,MAAM,EAAE,EAAE,CAAC;AACpB,CAAC;AAED,SAAS,mBAAmB,CAC1B,IAIC,EACD,WAAyD;IAEzD,MAAM,EAAE,GAAG,EAAE,GAAG,EAAE,KAAK,EAAE,GAAG,IAAI,CAAC;IAEjC,IAAI,KAAK,KAAK,MAAM,IAAI,GAAG,CAAC,KAAK,EAAE,IAAI,KAAK,MAAM,IAAI,GAAG,CAAC,KAAK,CAAC,EAAE,EAAE,CAAC;QACnE,OAAO,WAAW,CAAC,GAAG,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;IACnC,CAAC;IAED,IAAI,KAAK,KAAK,IAAI,EAAE,CAAC;QACnB,MAAM,EAAE,GAAG,WAAW,CAAC,GAAG,CAAC,IAAI,SAAS,CAAC;QACzC,OAAO,SAAS,CAAC,EAAE,CAAC,CAAC;IACvB,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,SAAS,wBAAwB,CAC/B,IAGC,EACD,WAAyD;IAEzD,IAAI,IAAI,CAAC,KAAK,KAAK,IAAI,EAAE,CAAC;QACxB,MAAM,EAAE,GAAG,WAAW,CAAC,IAAI,CAAC,GAAG,CAAC,IAAI,SAAS,CAAC;QAC9C,OAAO,SAAS,CAAC,EAAE,CAAC,CAAC;IACvB,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,KAAK,UAAU,gBAAgB,CAC7B,KAAqB,EACrB,IAKC;IAED,MAAM,MAAM,GAAG,MAAM,KAAK,CAAC,SAAS,CAAC,GAAG,CAAC;QACvC,GAAG,EAAE,IAAI,CAAC,GAAG;QACb,KAAK,EAAE,IAAI,CAAC,KAAK;QACjB,SAAS,EAAE,IAAI,CAAC,SAAS;KAC1B,CAAC,CAAC;IAEH,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC;QACnB,OAAO;IACT,CAAC;IAED,4EAA4E;IAC5E,8DAA8D;IAC9D,MAAM,eAAe,GAAG,6BAA6B,CACnD,KAAsC,EACtC;QACE,YAAY,EAAE,YAAY;QAC1B,OAAO,EAAE,WAAW;KACrB,CACF,CAAC;IACF,eAAe,CAAC,MAAM,CAAC;QACrB,IAAI,EAAE,kBAAkB;QACxB,KAAK,EAAE,mBAAmB;QAC1B,OAAO,EAAE,yBAAyB,IAAI,CAAC,GAAG,EAAE;QAC5C,OAAO,EAAE;YACP,GAAG,EAAE,IAAI,CAAC,GAAG;YACb,KAAK,EAAE,IAAI,CAAC,KAAK;YACjB,KAAK,EAAE,IAAI,CAAC,KAAK;YACjB,SAAS,EAAE,IAAI,CAAC,SAAS;SAC1B;KACF,CAAC,CAAC;IAEH,MAAM,IAAI,QAAQ,CAChB,UAAU,CAAC,eAAe,EAC1B;QACE,KAAK,EAAE,IAAI,CAAC,KAAK;QACjB,iBAAiB,EAAE,MAAM,CAAC,iBAAiB;QAC3C,OAAO,EAAE,MAAM,CAAC,OAAO,EAAE,WAAW,EAAE,IAAI,IAAI;KAC/C,EACD,qBAAqB,EACrB,MAAM,CAAC,iBAAiB,KAAK,IAAI;QAC/B,CAAC,CAAC,EAAE,OAAO,EAAE,EAAE,aAAa,EAAE,MAAM,CAAC,MAAM,CAAC,iBAAiB,CAAC,EAAE,EAAE;QAClE,CAAC,CAAC,SAAS,CACd,CAAC;AACJ,CAAC;AAED;;;;;;;;;;;;;;;;;;;;;;;;GAwBG;AACH,MAAM,UAAU,oBAAoB,CAClC,UAAiC,EAAE;IAEnC,MAAM,EAAE,QAAQ,EAAE,GAAG,OAAO,CAAC;IAC7B,MAAM,WAAW,GAAG,CAClB,GAAoB,EACpB,YAAoB,EACA,EAAE;QACtB,IAAI,QAAQ,KAAK,SAAS,EAAE,CAAC;YAC3B,MAAM,0BAA0B,CAAC,mBAAmB,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;QACxE,CAAC;QACD,OAAO,eAAe,CAAC,GAAG,EAAE,QAAQ,CAAC,CAAC;IACxC,CAAC,CAAC;IAEF,OAAO;QACL,IAAI,EAAE,YAAY;QAClB,QAAQ,EAAE,CAAC,EAAE,SAAS,EAAE,EAAE,EAAE;YAC1B,IAAI,QAAQ,KAAK,SAAS,IAAI,OAAO,CAAC,QAAQ,EAAE,CAAC;gBAC/C,OAAO;YACT,CAAC;YACD,MAAM,QAAQ,GAAG,SAAS;iBACvB,MAAM,CAAC,CAAC,QAAQ,EAAE,EAAE,CAAC,QAAQ,CAAC,QAAQ,EAAE,SAAS,EAAE,KAAK,KAAK,IAAI,CAAC;iBAClE,GAAG,CAAC,CAAC,QAAQ,EAAE,EAAE,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;YACpC,IAAI,QAAQ,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;gBAC1B,OAAO;YACT,CAAC;YACD,MAAM,0BAA0B,CAAC,mBAAmB,CAAC,QAAQ,CAAC,CAAC,CAAC;QAClE,CAAC;QACD,SAAS,EAAE,KAAK,EAAE,EAAE,QAAQ,EAAE,KAAK,EAAE,GAAG,EAAE,EAAE,EAAE;YAC5C,MAAM,MAAM,GAAG,QAAQ,CAAC,QAAQ,EAAE,SAAS,CAAC;YAC5C,IAAI,CAAC,MAAM,EAAE,CAAC;gBACZ,OAAO,SAAS,CAAC;YACnB,CAAC;YAED,MAAM,KAAK,GAAmB,MAAM,CAAC,KAAK,IAAI,QAAQ,CAAC;YACvD,IAAI,KAAK,KAAK,MAAM,EAAE,CAAC;gBACrB,OAAO,SAAS,CAAC;YACnB,CAAC;YAED,MAAM,GAAG,GACP,OAAO,CAAC,QAAQ,EAAE,CAAC,EAAE,GAAG,EAAE,KAAK,EAAE,CAAC;gBAClC,wBAAwB,CAAC,EAAE,GAAG,EAAE,KAAK,EAAE,EAAE,CAAC,CAAC,EAAE,EAAE,CAC7C,WAAW,CAAC,CAAC,EAAE,QAAQ,CAAC,IAAI,CAAC,CAC9B,CAAC;YAEJ,MAAM,gBAAgB,CAAC,KAAK,EAAE;gBAC5B,GAAG;gBACH,KAAK,EAAE,MAAM,CAAC,GAAG;gBACjB,SAAS,EAAE,MAAM,CAAC,SAAS;gBAC3B,KAAK;aACN,CAAC,CAAC;YAEH,OAAO,SAAS,CAAC;QACnB,CAAC;QACD,YAAY,EAAE,KAAK,EAAE,EAAE,GAAG,EAAE,QAAQ,EAAE,GAAG,EAAE,EAAE,EAAE;YAC7C,MAAM,MAAM,GAAG,QAAQ,CAAC,QAAQ,EAAE,SAAS,CAAC;YAC5C,IAAI,CAAC,MAAM,EAAE,CAAC;gBACZ,OAAO,SAAS,CAAC;YACnB,CAAC;YAED,MAAM,KAAK,GAAmB,MAAM,CAAC,KAAK,IAAI,QAAQ,CAAC;YACvD,IAAI,KAAK,KAAK,MAAM,EAAE,CAAC;gBACrB,OAAO,SAAS,CAAC;YACnB,CAAC;YAED,MAAM,GAAG,GACP,OAAO,CAAC,GAAG,EAAE,CAAC,EAAE,GAAG,EAAE,GAAG,EAAE,KAAK,EAAE,CAAC;gBAClC,mBAAmB,CAAC,EAAE,GAAG,EAAE,GAAG,EAAE,KAAK,EAAE,EAAE,CAAC,CAAC,EAAE,EAAE,CAC7C,WAAW,CAAC,CAAC,EAAE,QAAQ,CAAC,IAAI,CAAC,CAC9B,CAAC;YAEJ,MAAM,gBAAgB,CAAC,GAAG,CAAC,KAAK,EAAE;gBAChC,GAAG;gBACH,KAAK,EAAE,MAAM,CAAC,GAAG;gBACjB,SAAS,EAAE,MAAM,CAAC,SAAS;gBAC3B,KAAK;aACN,CAAC,CAAC;YAEH,OAAO,SAAS,CAAC;QACnB,CAAC;KACF,CAAC;AACJ,CAAC"}
1
+ {"version":3,"file":"rate-limit.js","sourceRoot":"","sources":["../../../src/server/hooks/rate-limit.ts"],"names":[],"mappings":"AAAA;;GAEG;AAGH,OAAO,EAAE,QAAQ,EAAE,UAAU,EAAE,MAAM,uBAAuB,CAAC;AAE7D,OAAO,EACL,6BAA6B,GAE9B,MAAM,0BAA0B,CAAC;AAClC,OAAO,EACL,sBAAsB,GAGvB,MAAM,qBAAqB,CAAC;AAoF7B,SAAS,eAAe,CACtB,GAAoB,EACpB,QAA2B;IAE3B,IAAI,QAAQ,KAAK,MAAM,EAAE,CAAC;QACxB,OAAO,SAAS,CAAC;IACnB,CAAC;IACD,OAAO,sBAAsB,CAAC,GAAG,EAAE,QAAQ,CAAC,CAAC;AAC/C,CAAC;AAED,SAAS,uBAAuB,CAC9B,MAAsC;IAEtC,IAAI,CAAC,MAAM;QAAE,OAAO,KAAK,CAAC;IAC1B,OAAO,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;AAClC,CAAC;AAED,SAAS,mBAAmB,CAAC,KAAwB;IACnD,OAAO,KAAK,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,IAAI,GAAG,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AACrD,CAAC;AAED,SAAS,0BAA0B,CAAC,aAAqB;IACvD,OAAO,IAAI,KAAK,CACd,iFAAiF,aAAa,sCAAsC;QAClI,sFAAsF;QACtF,sHAAsH;QACtH,8EAA8E,CACjF,CAAC;AACJ,CAAC;AAED,SAAS,WAAW,CAAC,MAAc;IACjC,OAAO,QAAQ,MAAM,EAAE,CAAC;AAC1B,CAAC;AAED,SAAS,SAAS,CAAC,EAAU;IAC3B,OAAO,MAAM,EAAE,EAAE,CAAC;AACpB,CAAC;AAED,SAAS,mBAAmB,CAC1B,IAIC,EACD,WAAyD;IAEzD,MAAM,EAAE,GAAG,EAAE,GAAG,EAAE,KAAK,EAAE,GAAG,IAAI,CAAC;IAEjC,IAAI,KAAK,KAAK,MAAM,IAAI,GAAG,CAAC,KAAK,EAAE,IAAI,KAAK,MAAM,IAAI,GAAG,CAAC,KAAK,CAAC,EAAE,EAAE,CAAC;QACnE,OAAO,WAAW,CAAC,GAAG,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;IACnC,CAAC;IAED,IAAI,KAAK,KAAK,IAAI,EAAE,CAAC;QACnB,MAAM,EAAE,GAAG,WAAW,CAAC,GAAG,CAAC,IAAI,SAAS,CAAC;QACzC,OAAO,SAAS,CAAC,EAAE,CAAC,CAAC;IACvB,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,SAAS,wBAAwB,CAC/B,IAGC,EACD,WAAyD;IAEzD,IAAI,IAAI,CAAC,KAAK,KAAK,IAAI,EAAE,CAAC;QACxB,MAAM,EAAE,GAAG,WAAW,CAAC,IAAI,CAAC,GAAG,CAAC,IAAI,SAAS,CAAC;QAC9C,OAAO,SAAS,CAAC,EAAE,CAAC,CAAC;IACvB,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,KAAK,UAAU,gBAAgB,CAC7B,KAAqB,EACrB,IAKC;IAED,MAAM,MAAM,GAAG,MAAM,KAAK,CAAC,SAAS,CAAC,GAAG,CAAC;QACvC,GAAG,EAAE,IAAI,CAAC,GAAG;QACb,KAAK,EAAE,IAAI,CAAC,KAAK;QACjB,SAAS,EAAE,IAAI,CAAC,SAAS;KAC1B,CAAC,CAAC;IAEH,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC;QACnB,OAAO;IACT,CAAC;IAED,4EAA4E;IAC5E,8DAA8D;IAC9D,MAAM,eAAe,GAAG,6BAA6B,CACnD,KAAsC,EACtC;QACE,YAAY,EAAE,YAAY;QAC1B,OAAO,EAAE,WAAW;KACrB,CACF,CAAC;IACF,eAAe,CAAC,MAAM,CAAC;QACrB,IAAI,EAAE,kBAAkB;QACxB,KAAK,EAAE,mBAAmB;QAC1B,OAAO,EAAE,yBAAyB,IAAI,CAAC,GAAG,EAAE;QAC5C,OAAO,EAAE;YACP,GAAG,EAAE,IAAI,CAAC,GAAG;YACb,KAAK,EAAE,IAAI,CAAC,KAAK;YACjB,KAAK,EAAE,IAAI,CAAC,KAAK;YACjB,SAAS,EAAE,IAAI,CAAC,SAAS;SAC1B;KACF,CAAC,CAAC;IAEH,MAAM,IAAI,QAAQ,CAChB,UAAU,CAAC,eAAe,EAC1B;QACE,KAAK,EAAE,IAAI,CAAC,KAAK;QACjB,iBAAiB,EAAE,MAAM,CAAC,iBAAiB;QAC3C,OAAO,EAAE,MAAM,CAAC,OAAO,EAAE,WAAW,EAAE,IAAI,IAAI;KAC/C,EACD,qBAAqB,EACrB,MAAM,CAAC,iBAAiB,KAAK,IAAI;QAC/B,CAAC,CAAC,EAAE,OAAO,EAAE,EAAE,aAAa,EAAE,MAAM,CAAC,MAAM,CAAC,iBAAiB,CAAC,EAAE,EAAE;QAClE,CAAC,CAAC,SAAS,CACd,CAAC;AACJ,CAAC;AAED;;;;;;;;;;;;;;;;;;;;;;;;GAwBG;AACH,MAAM,UAAU,oBAAoB,CAClC,UAAiC,EAAE;IAEnC,MAAM,EAAE,QAAQ,EAAE,YAAY,EAAE,GAAG,OAAO,CAAC;IAC3C,MAAM,WAAW,GAAG,CAClB,GAAoB,EACpB,YAAoB,EACA,EAAE;QACtB,IAAI,QAAQ,KAAK,SAAS,EAAE,CAAC;YAC3B,OAAO,eAAe,CAAC,GAAG,EAAE,QAAQ,CAAC,CAAC;QACxC,CAAC;QACD,IAAI,uBAAuB,CAAC,YAAY,CAAC,IAAI,YAAY,EAAE,CAAC;YAC1D,OAAO,sBAAsB,CAAC,GAAG,EAAE,YAAY,CAAC,QAAQ,CAAC,CAAC;QAC5D,CAAC;QACD,MAAM,0BAA0B,CAAC,mBAAmB,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;IACxE,CAAC,CAAC;IAEF,OAAO;QACL,IAAI,EAAE,YAAY;QAClB,QAAQ,EAAE,CAAC,EAAE,SAAS,EAAE,EAAE,EAAE;YAC1B,IACE,QAAQ,KAAK,SAAS;gBACtB,uBAAuB,CAAC,YAAY,CAAC;gBACrC,OAAO,CAAC,QAAQ,EAChB,CAAC;gBACD,OAAO;YACT,CAAC;YACD,MAAM,QAAQ,GAAG,SAAS;iBACvB,MAAM,CAAC,CAAC,QAAQ,EAAE,EAAE,CAAC,QAAQ,CAAC,QAAQ,EAAE,SAAS,EAAE,KAAK,KAAK,IAAI,CAAC;iBAClE,GAAG,CAAC,CAAC,QAAQ,EAAE,EAAE,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;YACpC,IAAI,QAAQ,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;gBAC1B,OAAO;YACT,CAAC;YACD,MAAM,0BAA0B,CAAC,mBAAmB,CAAC,QAAQ,CAAC,CAAC,CAAC;QAClE,CAAC;QACD,SAAS,EAAE,KAAK,EAAE,EAAE,QAAQ,EAAE,KAAK,EAAE,GAAG,EAAE,EAAE,EAAE;YAC5C,MAAM,MAAM,GAAG,QAAQ,CAAC,QAAQ,EAAE,SAAS,CAAC;YAC5C,IAAI,CAAC,MAAM,EAAE,CAAC;gBACZ,OAAO,SAAS,CAAC;YACnB,CAAC;YAED,MAAM,KAAK,GAAmB,MAAM,CAAC,KAAK,IAAI,QAAQ,CAAC;YACvD,IAAI,KAAK,KAAK,MAAM,EAAE,CAAC;gBACrB,OAAO,SAAS,CAAC;YACnB,CAAC;YAED,MAAM,GAAG,GACP,OAAO,CAAC,QAAQ,EAAE,CAAC,EAAE,GAAG,EAAE,KAAK,EAAE,CAAC;gBAClC,wBAAwB,CAAC,EAAE,GAAG,EAAE,KAAK,EAAE,EAAE,CAAC,CAAC,EAAE,EAAE,CAC7C,WAAW,CAAC,CAAC,EAAE,QAAQ,CAAC,IAAI,CAAC,CAC9B,CAAC;YAEJ,MAAM,gBAAgB,CAAC,KAAK,EAAE;gBAC5B,GAAG;gBACH,KAAK,EAAE,MAAM,CAAC,GAAG;gBACjB,SAAS,EAAE,MAAM,CAAC,SAAS;gBAC3B,KAAK;aACN,CAAC,CAAC;YAEH,OAAO,SAAS,CAAC;QACnB,CAAC;QACD,YAAY,EAAE,KAAK,EAAE,EAAE,GAAG,EAAE,QAAQ,EAAE,GAAG,EAAE,EAAE,EAAE;YAC7C,MAAM,MAAM,GAAG,QAAQ,CAAC,QAAQ,EAAE,SAAS,CAAC;YAC5C,IAAI,CAAC,MAAM,EAAE,CAAC;gBACZ,OAAO,SAAS,CAAC;YACnB,CAAC;YAED,MAAM,KAAK,GAAmB,MAAM,CAAC,KAAK,IAAI,QAAQ,CAAC;YACvD,IAAI,KAAK,KAAK,MAAM,EAAE,CAAC;gBACrB,OAAO,SAAS,CAAC;YACnB,CAAC;YAED,MAAM,GAAG,GACP,OAAO,CAAC,GAAG,EAAE,CAAC,EAAE,GAAG,EAAE,GAAG,EAAE,KAAK,EAAE,CAAC;gBAClC,mBAAmB,CAAC,EAAE,GAAG,EAAE,GAAG,EAAE,KAAK,EAAE,EAAE,CAAC,CAAC,EAAE,EAAE,CAC7C,WAAW,CAAC,CAAC,EAAE,QAAQ,CAAC,IAAI,CAAC,CAC9B,CAAC;YAEJ,MAAM,gBAAgB,CAAC,GAAG,CAAC,KAAK,EAAE;gBAChC,GAAG;gBACH,KAAK,EAAE,MAAM,CAAC,GAAG;gBACjB,SAAS,EAAE,MAAM,CAAC,SAAS;gBAC3B,KAAK;aACN,CAAC,CAAC;YAEH,OAAO,SAAS,CAAC;QACnB,CAAC;KACF,CAAC;AACJ,CAAC"}
@@ -0,0 +1,179 @@
1
+ /**
2
+ * Security hooks for @beignet/core/server
3
+ */
4
+ import type { HttpContractConfig } from "../../contracts/index.js";
5
+ import { type TrustedProxyConfig } from "../trusted-proxy.js";
6
+ import type { HttpRequestLike, ServerHook } from "../types.js";
7
+ /**
8
+ * Strict-Transport-Security configuration.
9
+ *
10
+ * HSTS is disabled by default because it should only be sent by HTTPS
11
+ * deployments that intentionally commit browsers to the configured host policy.
12
+ */
13
+ export interface StrictTransportSecurityOptions {
14
+ /**
15
+ * HSTS max-age value in seconds.
16
+ *
17
+ * Defaults to one year when `strictTransportSecurity` is configured as an
18
+ * object.
19
+ */
20
+ maxAgeSec?: number;
21
+ /**
22
+ * Include subdomains in the HSTS policy.
23
+ */
24
+ includeSubDomains?: boolean;
25
+ /**
26
+ * Mark the policy as eligible for browser preload lists.
27
+ */
28
+ preload?: boolean;
29
+ }
30
+ /**
31
+ * Response security headers applied by `createSecurityHeadersHooks(...)`.
32
+ *
33
+ * Headers are only added when the response does not already define the same
34
+ * header name. Route handlers can therefore opt into route-specific CSP or
35
+ * download headers without fighting the global hook.
36
+ */
37
+ export interface SecurityHeadersOptions {
38
+ /**
39
+ * Content Security Policy value. Disabled by default because browser apps need
40
+ * an app-owned asset, image, frame, and script policy.
41
+ */
42
+ contentSecurityPolicy?: string | false;
43
+ /**
44
+ * Cross-Origin-Opener-Policy value.
45
+ *
46
+ * Defaults to `"same-origin"`.
47
+ */
48
+ crossOriginOpenerPolicy?: string | false;
49
+ /**
50
+ * Cross-Origin-Resource-Policy value.
51
+ *
52
+ * Defaults to `"same-origin"`.
53
+ */
54
+ crossOriginResourcePolicy?: string | false;
55
+ /**
56
+ * Permissions-Policy value.
57
+ *
58
+ * Defaults to disabling camera, microphone, and geolocation.
59
+ */
60
+ permissionsPolicy?: string | false;
61
+ /**
62
+ * Referrer-Policy value.
63
+ *
64
+ * Defaults to `"strict-origin-when-cross-origin"`.
65
+ */
66
+ referrerPolicy?: string | false;
67
+ /**
68
+ * Strict-Transport-Security value. Pass a string for full control or an object
69
+ * for Beignet to format the header. Disabled by default.
70
+ */
71
+ strictTransportSecurity?: StrictTransportSecurityOptions | string | false;
72
+ /**
73
+ * X-Content-Type-Options value.
74
+ *
75
+ * Defaults to `"nosniff"`.
76
+ */
77
+ xContentTypeOptions?: "nosniff" | false;
78
+ /**
79
+ * X-Frame-Options value.
80
+ *
81
+ * Defaults to `"DENY"`. Use `contentSecurityPolicy` with `frame-ancestors`
82
+ * for more precise frame control.
83
+ */
84
+ xFrameOptions?: "DENY" | "SAMEORIGIN" | false;
85
+ }
86
+ export type CsrfFailureReason = "missing_origin" | "untrusted_origin" | "missing_token" | "invalid_token";
87
+ /**
88
+ * Double-submit cookie token configuration for `createCsrfHooks(...)`.
89
+ */
90
+ export interface CsrfTokenOptions {
91
+ /**
92
+ * Header that must carry the CSRF token.
93
+ *
94
+ * Defaults to `"x-csrf-token"`.
95
+ */
96
+ headerName?: string;
97
+ /**
98
+ * Cookie that stores the expected CSRF token.
99
+ *
100
+ * Defaults to `"beignet.csrf"`.
101
+ */
102
+ cookieName?: string;
103
+ }
104
+ /**
105
+ * Options for `createCsrfHooks(...)`.
106
+ */
107
+ export interface CsrfHooksOptions {
108
+ /**
109
+ * Unsafe HTTP methods protected by the hook.
110
+ *
111
+ * Defaults to `POST`, `PUT`, `PATCH`, and `DELETE`.
112
+ */
113
+ protectedMethods?: readonly string[];
114
+ /**
115
+ * Additional trusted origins allowed to send protected requests.
116
+ *
117
+ * The request URL's own origin is always trusted. Use this for sibling
118
+ * frontends such as `https://app.example.com` calling `https://api.example.com`.
119
+ */
120
+ trustedOrigins?: readonly string[] | ((args: {
121
+ origin: string;
122
+ req: HttpRequestLike;
123
+ contract: HttpContractConfig;
124
+ }) => boolean);
125
+ /**
126
+ * Whether unsafe requests without `Origin` or `Referer` are allowed.
127
+ *
128
+ * Defaults to `true` so server-to-server calls, tests, and older same-origin
129
+ * clients keep working. Set to `false` for cookie-backed browser-only APIs.
130
+ */
131
+ allowMissingOrigin?: boolean;
132
+ /**
133
+ * Optional double-submit cookie token check.
134
+ *
135
+ * When configured, protected requests must send the same token in the
136
+ * configured header and cookie.
137
+ */
138
+ token?: false | CsrfTokenOptions;
139
+ /**
140
+ * Shared trusted-proxy policy used when comparing the request's external
141
+ * origin against `Origin` or `Referer`.
142
+ *
143
+ * Configure this only when the app is always behind a platform or reverse
144
+ * proxy that strips or normalizes forwarding headers. Without this option,
145
+ * CSRF uses `req.url` exactly as the adapter provided it.
146
+ */
147
+ trustedProxy?: TrustedProxyConfig;
148
+ /**
149
+ * App-owned escape hatch for routes that have another verifier, such as
150
+ * provider webhooks or auth callbacks.
151
+ */
152
+ skip?: (args: {
153
+ req: HttpRequestLike;
154
+ contract: HttpContractConfig;
155
+ params: Record<string, string>;
156
+ }) => boolean | Promise<boolean>;
157
+ }
158
+ /**
159
+ * Apply Beignet's default security response headers to a mutable header record.
160
+ *
161
+ * Existing headers are preserved case-insensitively so route-owned responses can
162
+ * provide more specific policies.
163
+ */
164
+ export declare function applySecurityHeaders(headers: Record<string, string>, options?: SecurityHeadersOptions): void;
165
+ /**
166
+ * Create a server hook that adds common browser security headers to every
167
+ * response, including native streamed responses.
168
+ */
169
+ export declare function createSecurityHeadersHooks<Ctx>(options?: SecurityHeadersOptions): ServerHook<Ctx>;
170
+ /**
171
+ * Create CSRF protection for unsafe HTTP methods.
172
+ *
173
+ * The default protects cookie-backed browser routes from cross-origin unsafe
174
+ * requests while still allowing server-to-server calls and tests that do not
175
+ * send browser origin headers. Set `allowMissingOrigin: false` and configure
176
+ * `token` for stricter browser-only APIs.
177
+ */
178
+ export declare function createCsrfHooks<Ctx>(options?: CsrfHooksOptions): ServerHook<Ctx>;
179
+ //# sourceMappingURL=security.d.ts.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"security.d.ts","sourceRoot":"","sources":["../../../src/server/hooks/security.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,0BAA0B,CAAC;AAEnE,OAAO,EAEL,KAAK,kBAAkB,EAExB,MAAM,qBAAqB,CAAC;AAC7B,OAAO,KAAK,EAAE,eAAe,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AAE/D;;;;;GAKG;AACH,MAAM,WAAW,8BAA8B;IAC7C;;;;;OAKG;IACH,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB;;OAEG;IACH,iBAAiB,CAAC,EAAE,OAAO,CAAC;IAC5B;;OAEG;IACH,OAAO,CAAC,EAAE,OAAO,CAAC;CACnB;AAED;;;;;;GAMG;AACH,MAAM,WAAW,sBAAsB;IACrC;;;OAGG;IACH,qBAAqB,CAAC,EAAE,MAAM,GAAG,KAAK,CAAC;IACvC;;;;OAIG;IACH,uBAAuB,CAAC,EAAE,MAAM,GAAG,KAAK,CAAC;IACzC;;;;OAIG;IACH,yBAAyB,CAAC,EAAE,MAAM,GAAG,KAAK,CAAC;IAC3C;;;;OAIG;IACH,iBAAiB,CAAC,EAAE,MAAM,GAAG,KAAK,CAAC;IACnC;;;;OAIG;IACH,cAAc,CAAC,EAAE,MAAM,GAAG,KAAK,CAAC;IAChC;;;OAGG;IACH,uBAAuB,CAAC,EAAE,8BAA8B,GAAG,MAAM,GAAG,KAAK,CAAC;IAC1E;;;;OAIG;IACH,mBAAmB,CAAC,EAAE,SAAS,GAAG,KAAK,CAAC;IACxC;;;;;OAKG;IACH,aAAa,CAAC,EAAE,MAAM,GAAG,YAAY,GAAG,KAAK,CAAC;CAC/C;AAED,MAAM,MAAM,iBAAiB,GACzB,gBAAgB,GAChB,kBAAkB,GAClB,eAAe,GACf,eAAe,CAAC;AAEpB;;GAEG;AACH,MAAM,WAAW,gBAAgB;IAC/B;;;;OAIG;IACH,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB;;;;OAIG;IACH,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB;AAED;;GAEG;AACH,MAAM,WAAW,gBAAgB;IAC/B;;;;OAIG;IACH,gBAAgB,CAAC,EAAE,SAAS,MAAM,EAAE,CAAC;IACrC;;;;;OAKG;IACH,cAAc,CAAC,EACX,SAAS,MAAM,EAAE,GACjB,CAAC,CAAC,IAAI,EAAE;QACN,MAAM,EAAE,MAAM,CAAC;QACf,GAAG,EAAE,eAAe,CAAC;QACrB,QAAQ,EAAE,kBAAkB,CAAC;KAC9B,KAAK,OAAO,CAAC,CAAC;IACnB;;;;;OAKG;IACH,kBAAkB,CAAC,EAAE,OAAO,CAAC;IAC7B;;;;;OAKG;IACH,KAAK,CAAC,EAAE,KAAK,GAAG,gBAAgB,CAAC;IACjC;;;;;;;OAOG;IACH,YAAY,CAAC,EAAE,kBAAkB,CAAC;IAClC;;;OAGG;IACH,IAAI,CAAC,EAAE,CAAC,IAAI,EAAE;QACZ,GAAG,EAAE,eAAe,CAAC;QACrB,QAAQ,EAAE,kBAAkB,CAAC;QAC7B,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;KAChC,KAAK,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC;CAClC;AAsCD;;;;;GAKG;AACH,wBAAgB,oBAAoB,CAClC,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,EAC/B,OAAO,GAAE,sBAA2B,GACnC,IAAI,CAyCN;AAED;;;GAGG;AACH,wBAAgB,0BAA0B,CAAC,GAAG,EAC5C,OAAO,GAAE,sBAA2B,GACnC,UAAU,CAAC,GAAG,CAAC,CAYjB;AAwLD;;;;;;;GAOG;AACH,wBAAgB,eAAe,CAAC,GAAG,EACjC,OAAO,GAAE,gBAAqB,GAC7B,UAAU,CAAC,GAAG,CAAC,CA2BjB"}
@@ -0,0 +1,225 @@
1
+ /**
2
+ * Security hooks for @beignet/core/server
3
+ */
4
+ import { AppError, httpErrors } from "../../errors/index.js";
5
+ import { resolveTrustedRequest, } from "../trusted-proxy.js";
6
+ const DEFAULT_PERMISSIONS_POLICY = "camera=(), microphone=(), geolocation=()";
7
+ const DEFAULT_PROTECTED_METHODS = ["POST", "PUT", "PATCH", "DELETE"];
8
+ const DEFAULT_CSRF_HEADER = "x-csrf-token";
9
+ const DEFAULT_CSRF_COOKIE = "beignet.csrf";
10
+ function headerKey(headers, name) {
11
+ const lowerName = name.toLowerCase();
12
+ return Object.keys(headers).find((key) => key.toLowerCase() === lowerName);
13
+ }
14
+ function setHeaderIfMissing(headers, name, value) {
15
+ if (value === false || value === undefined)
16
+ return;
17
+ if (headerKey(headers, name))
18
+ return;
19
+ headers[name] = value;
20
+ }
21
+ function formatStrictTransportSecurity(config) {
22
+ if (typeof config === "string" || config === false || config === undefined) {
23
+ return config;
24
+ }
25
+ const directives = [`max-age=${config.maxAgeSec ?? 31_536_000}`];
26
+ if (config.includeSubDomains)
27
+ directives.push("includeSubDomains");
28
+ if (config.preload)
29
+ directives.push("preload");
30
+ return directives.join("; ");
31
+ }
32
+ /**
33
+ * Apply Beignet's default security response headers to a mutable header record.
34
+ *
35
+ * Existing headers are preserved case-insensitively so route-owned responses can
36
+ * provide more specific policies.
37
+ */
38
+ export function applySecurityHeaders(headers, options = {}) {
39
+ setHeaderIfMissing(headers, "Content-Security-Policy", options.contentSecurityPolicy);
40
+ setHeaderIfMissing(headers, "Cross-Origin-Opener-Policy", options.crossOriginOpenerPolicy ?? "same-origin");
41
+ setHeaderIfMissing(headers, "Cross-Origin-Resource-Policy", options.crossOriginResourcePolicy ?? "same-origin");
42
+ setHeaderIfMissing(headers, "Permissions-Policy", options.permissionsPolicy ?? DEFAULT_PERMISSIONS_POLICY);
43
+ setHeaderIfMissing(headers, "Referrer-Policy", options.referrerPolicy ?? "strict-origin-when-cross-origin");
44
+ setHeaderIfMissing(headers, "Strict-Transport-Security", formatStrictTransportSecurity(options.strictTransportSecurity));
45
+ setHeaderIfMissing(headers, "X-Content-Type-Options", options.xContentTypeOptions ?? "nosniff");
46
+ setHeaderIfMissing(headers, "X-Frame-Options", options.xFrameOptions ?? "DENY");
47
+ }
48
+ /**
49
+ * Create a server hook that adds common browser security headers to every
50
+ * response, including native streamed responses.
51
+ */
52
+ export function createSecurityHeadersHooks(options = {}) {
53
+ return {
54
+ name: "security-headers",
55
+ beforeSend: ({ response }) => {
56
+ const headers = { ...(response.headers ?? {}) };
57
+ applySecurityHeaders(headers, options);
58
+ return {
59
+ ...response,
60
+ headers,
61
+ };
62
+ },
63
+ };
64
+ }
65
+ function normalizeOrigin(value, source) {
66
+ try {
67
+ return new URL(value).origin;
68
+ }
69
+ catch {
70
+ throw new Error(`${source} must be an absolute URL origin.`);
71
+ }
72
+ }
73
+ function requestOrigin(req, trustedProxy) {
74
+ return resolveTrustedRequest(req, trustedProxyOriginConfig(trustedProxy))
75
+ .origin;
76
+ }
77
+ function trustedProxyOriginConfig(trustedProxy) {
78
+ if (!trustedProxy)
79
+ return trustedProxy;
80
+ const originConfig = {};
81
+ if (trustedProxy.hostHeader !== undefined) {
82
+ originConfig.hostHeader = trustedProxy.hostHeader;
83
+ }
84
+ if (trustedProxy.protocolHeader !== undefined) {
85
+ originConfig.protocolHeader = trustedProxy.protocolHeader;
86
+ }
87
+ return originConfig;
88
+ }
89
+ function headerOrigin(value) {
90
+ if (!value)
91
+ return undefined;
92
+ try {
93
+ return new URL(value).origin;
94
+ }
95
+ catch {
96
+ return undefined;
97
+ }
98
+ }
99
+ function originFromRequestHeaders(req) {
100
+ const origin = req.headers.get("origin");
101
+ if (origin)
102
+ return headerOrigin(origin) ?? origin;
103
+ return headerOrigin(req.headers.get("referer"));
104
+ }
105
+ function normalizeTrustedOrigins(trustedOrigins) {
106
+ if (!Array.isArray(trustedOrigins))
107
+ return trustedOrigins;
108
+ return trustedOrigins.map((origin) => normalizeOrigin(origin, "trustedOrigins entries"));
109
+ }
110
+ function isTrustedOrigin(args) {
111
+ if (args.origin === args.requestOrigin)
112
+ return true;
113
+ if (Array.isArray(args.trustedOrigins)) {
114
+ return args.trustedOrigins.includes(args.origin);
115
+ }
116
+ if (typeof args.trustedOrigins === "function") {
117
+ return args.trustedOrigins({
118
+ origin: args.origin,
119
+ req: args.req,
120
+ contract: args.contract,
121
+ });
122
+ }
123
+ return false;
124
+ }
125
+ function decodeCookiePart(value) {
126
+ try {
127
+ return decodeURIComponent(value);
128
+ }
129
+ catch {
130
+ return value;
131
+ }
132
+ }
133
+ function parseCookieHeader(cookieHeader) {
134
+ if (!cookieHeader)
135
+ return {};
136
+ return Object.fromEntries(cookieHeader
137
+ .split(";")
138
+ .map((entry) => entry.trim())
139
+ .filter(Boolean)
140
+ .map((entry) => {
141
+ const separator = entry.indexOf("=");
142
+ if (separator === -1)
143
+ return [entry, ""];
144
+ return [
145
+ decodeCookiePart(entry.slice(0, separator).trim()),
146
+ decodeCookiePart(entry.slice(separator + 1).trim()),
147
+ ];
148
+ }));
149
+ }
150
+ function tokensMatch(left, right) {
151
+ if (left.length !== right.length)
152
+ return false;
153
+ let result = 0;
154
+ for (let index = 0; index < left.length; index += 1) {
155
+ result |= left.charCodeAt(index) ^ right.charCodeAt(index);
156
+ }
157
+ return result === 0;
158
+ }
159
+ function csrfError(reason, message) {
160
+ return new AppError(httpErrors.Forbidden, { reason }, message);
161
+ }
162
+ function enforceOrigin(args) {
163
+ const origin = originFromRequestHeaders(args.req);
164
+ if (!origin) {
165
+ if (args.allowMissingOrigin)
166
+ return;
167
+ throw csrfError("missing_origin", "CSRF check failed because the request did not include an Origin or Referer header.");
168
+ }
169
+ if (!isTrustedOrigin({
170
+ origin,
171
+ req: args.req,
172
+ contract: args.contract,
173
+ requestOrigin: requestOrigin(args.req, args.trustedProxy),
174
+ trustedOrigins: args.trustedOrigins,
175
+ })) {
176
+ throw csrfError("untrusted_origin", "CSRF check failed because the request origin is not trusted.");
177
+ }
178
+ }
179
+ function enforceToken(req, token) {
180
+ if (!token)
181
+ return;
182
+ const headerName = token.headerName ?? DEFAULT_CSRF_HEADER;
183
+ const cookieName = token.cookieName ?? DEFAULT_CSRF_COOKIE;
184
+ const headerToken = req.headers.get(headerName);
185
+ const cookieToken = parseCookieHeader(req.headers.get("cookie"))[cookieName];
186
+ if (!headerToken || !cookieToken) {
187
+ throw csrfError("missing_token", `CSRF check failed because ${headerName} and ${cookieName} must both be present.`);
188
+ }
189
+ if (!tokensMatch(headerToken, cookieToken)) {
190
+ throw csrfError("invalid_token", "CSRF check failed because the submitted token does not match the cookie token.");
191
+ }
192
+ }
193
+ /**
194
+ * Create CSRF protection for unsafe HTTP methods.
195
+ *
196
+ * The default protects cookie-backed browser routes from cross-origin unsafe
197
+ * requests while still allowing server-to-server calls and tests that do not
198
+ * send browser origin headers. Set `allowMissingOrigin: false` and configure
199
+ * `token` for stricter browser-only APIs.
200
+ */
201
+ export function createCsrfHooks(options = {}) {
202
+ const protectedMethods = new Set((options.protectedMethods ?? DEFAULT_PROTECTED_METHODS).map((method) => method.toUpperCase()));
203
+ const allowMissingOrigin = options.allowMissingOrigin ?? true;
204
+ const trustedOrigins = normalizeTrustedOrigins(options.trustedOrigins);
205
+ const token = options.token ?? false;
206
+ return {
207
+ name: "csrf",
208
+ onRequest: async ({ req, contract, params }) => {
209
+ if (!protectedMethods.has(req.method.toUpperCase()))
210
+ return undefined;
211
+ if (await options.skip?.({ req, contract, params }))
212
+ return undefined;
213
+ enforceOrigin({
214
+ req,
215
+ contract,
216
+ allowMissingOrigin,
217
+ trustedOrigins,
218
+ trustedProxy: options.trustedProxy,
219
+ });
220
+ enforceToken(req, token);
221
+ return undefined;
222
+ },
223
+ };
224
+ }
225
+ //# sourceMappingURL=security.js.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"security.js","sourceRoot":"","sources":["../../../src/server/hooks/security.ts"],"names":[],"mappings":"AAAA;;GAEG;AAGH,OAAO,EAAE,QAAQ,EAAE,UAAU,EAAE,MAAM,uBAAuB,CAAC;AAC7D,OAAO,EACL,qBAAqB,GAGtB,MAAM,qBAAqB,CAAC;AAqK7B,MAAM,0BAA0B,GAAG,0CAA0C,CAAC;AAC9E,MAAM,yBAAyB,GAAG,CAAC,MAAM,EAAE,KAAK,EAAE,OAAO,EAAE,QAAQ,CAAU,CAAC;AAC9E,MAAM,mBAAmB,GAAG,cAAc,CAAC;AAC3C,MAAM,mBAAmB,GAAG,cAAc,CAAC;AAE3C,SAAS,SAAS,CAChB,OAA+B,EAC/B,IAAY;IAEZ,MAAM,SAAS,GAAG,IAAI,CAAC,WAAW,EAAE,CAAC;IACrC,OAAO,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,IAAI,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,GAAG,CAAC,WAAW,EAAE,KAAK,SAAS,CAAC,CAAC;AAC7E,CAAC;AAED,SAAS,kBAAkB,CACzB,OAA+B,EAC/B,IAAY,EACZ,KAAiC;IAEjC,IAAI,KAAK,KAAK,KAAK,IAAI,KAAK,KAAK,SAAS;QAAE,OAAO;IACnD,IAAI,SAAS,CAAC,OAAO,EAAE,IAAI,CAAC;QAAE,OAAO;IACrC,OAAO,CAAC,IAAI,CAAC,GAAG,KAAK,CAAC;AACxB,CAAC;AAED,SAAS,6BAA6B,CACpC,MAAyD;IAEzD,IAAI,OAAO,MAAM,KAAK,QAAQ,IAAI,MAAM,KAAK,KAAK,IAAI,MAAM,KAAK,SAAS,EAAE,CAAC;QAC3E,OAAO,MAAM,CAAC;IAChB,CAAC;IAED,MAAM,UAAU,GAAG,CAAC,WAAW,MAAM,CAAC,SAAS,IAAI,UAAU,EAAE,CAAC,CAAC;IACjE,IAAI,MAAM,CAAC,iBAAiB;QAAE,UAAU,CAAC,IAAI,CAAC,mBAAmB,CAAC,CAAC;IACnE,IAAI,MAAM,CAAC,OAAO;QAAE,UAAU,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;IAC/C,OAAO,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AAC/B,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,oBAAoB,CAClC,OAA+B,EAC/B,UAAkC,EAAE;IAEpC,kBAAkB,CAChB,OAAO,EACP,yBAAyB,EACzB,OAAO,CAAC,qBAAqB,CAC9B,CAAC;IACF,kBAAkB,CAChB,OAAO,EACP,4BAA4B,EAC5B,OAAO,CAAC,uBAAuB,IAAI,aAAa,CACjD,CAAC;IACF,kBAAkB,CAChB,OAAO,EACP,8BAA8B,EAC9B,OAAO,CAAC,yBAAyB,IAAI,aAAa,CACnD,CAAC;IACF,kBAAkB,CAChB,OAAO,EACP,oBAAoB,EACpB,OAAO,CAAC,iBAAiB,IAAI,0BAA0B,CACxD,CAAC;IACF,kBAAkB,CAChB,OAAO,EACP,iBAAiB,EACjB,OAAO,CAAC,cAAc,IAAI,iCAAiC,CAC5D,CAAC;IACF,kBAAkB,CAChB,OAAO,EACP,2BAA2B,EAC3B,6BAA6B,CAAC,OAAO,CAAC,uBAAuB,CAAC,CAC/D,CAAC;IACF,kBAAkB,CAChB,OAAO,EACP,wBAAwB,EACxB,OAAO,CAAC,mBAAmB,IAAI,SAAS,CACzC,CAAC;IACF,kBAAkB,CAChB,OAAO,EACP,iBAAiB,EACjB,OAAO,CAAC,aAAa,IAAI,MAAM,CAChC,CAAC;AACJ,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,0BAA0B,CACxC,UAAkC,EAAE;IAEpC,OAAO;QACL,IAAI,EAAE,kBAAkB;QACxB,UAAU,EAAE,CAAC,EAAE,QAAQ,EAAE,EAAE,EAAE;YAC3B,MAAM,OAAO,GAAG,EAAE,GAAG,CAAC,QAAQ,CAAC,OAAO,IAAI,EAAE,CAAC,EAAE,CAAC;YAChD,oBAAoB,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC;YACvC,OAAO;gBACL,GAAG,QAAQ;gBACX,OAAO;aACR,CAAC;QACJ,CAAC;KACF,CAAC;AACJ,CAAC;AAED,SAAS,eAAe,CAAC,KAAa,EAAE,MAAc;IACpD,IAAI,CAAC;QACH,OAAO,IAAI,GAAG,CAAC,KAAK,CAAC,CAAC,MAAM,CAAC;IAC/B,CAAC;IAAC,MAAM,CAAC;QACP,MAAM,IAAI,KAAK,CAAC,GAAG,MAAM,kCAAkC,CAAC,CAAC;IAC/D,CAAC;AACH,CAAC;AAED,SAAS,aAAa,CACpB,GAAoB,EACpB,YAA4C;IAE5C,OAAO,qBAAqB,CAAC,GAAG,EAAE,wBAAwB,CAAC,YAAY,CAAC,CAAC;SACtE,MAAM,CAAC;AACZ,CAAC;AAED,SAAS,wBAAwB,CAC/B,YAA4C;IAE5C,IAAI,CAAC,YAAY;QAAE,OAAO,YAAY,CAAC;IAEvC,MAAM,YAAY,GAAwB,EAAE,CAAC;IAC7C,IAAI,YAAY,CAAC,UAAU,KAAK,SAAS,EAAE,CAAC;QAC1C,YAAY,CAAC,UAAU,GAAG,YAAY,CAAC,UAAU,CAAC;IACpD,CAAC;IACD,IAAI,YAAY,CAAC,cAAc,KAAK,SAAS,EAAE,CAAC;QAC9C,YAAY,CAAC,cAAc,GAAG,YAAY,CAAC,cAAc,CAAC;IAC5D,CAAC;IACD,OAAO,YAAY,CAAC;AACtB,CAAC;AAED,SAAS,YAAY,CAAC,KAAoB;IACxC,IAAI,CAAC,KAAK;QAAE,OAAO,SAAS,CAAC;IAE7B,IAAI,CAAC;QACH,OAAO,IAAI,GAAG,CAAC,KAAK,CAAC,CAAC,MAAM,CAAC;IAC/B,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,SAAS,CAAC;IACnB,CAAC;AACH,CAAC;AAED,SAAS,wBAAwB,CAAC,GAAoB;IACpD,MAAM,MAAM,GAAG,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;IACzC,IAAI,MAAM;QAAE,OAAO,YAAY,CAAC,MAAM,CAAC,IAAI,MAAM,CAAC;IAElD,OAAO,YAAY,CAAC,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC,CAAC;AAClD,CAAC;AAED,SAAS,uBAAuB,CAC9B,cAAkD;IAElD,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,cAAc,CAAC;QAAE,OAAO,cAAc,CAAC;IAC1D,OAAO,cAAc,CAAC,GAAG,CAAC,CAAC,MAAM,EAAE,EAAE,CACnC,eAAe,CAAC,MAAM,EAAE,wBAAwB,CAAC,CAClD,CAAC;AACJ,CAAC;AAED,SAAS,eAAe,CAAC,IAMxB;IACC,IAAI,IAAI,CAAC,MAAM,KAAK,IAAI,CAAC,aAAa;QAAE,OAAO,IAAI,CAAC;IAEpD,IAAI,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,cAAc,CAAC,EAAE,CAAC;QACvC,OAAO,IAAI,CAAC,cAAc,CAAC,QAAQ,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;IACnD,CAAC;IAED,IAAI,OAAO,IAAI,CAAC,cAAc,KAAK,UAAU,EAAE,CAAC;QAC9C,OAAO,IAAI,CAAC,cAAc,CAAC;YACzB,MAAM,EAAE,IAAI,CAAC,MAAM;YACnB,GAAG,EAAE,IAAI,CAAC,GAAG;YACb,QAAQ,EAAE,IAAI,CAAC,QAAQ;SACxB,CAAC,CAAC;IACL,CAAC;IAED,OAAO,KAAK,CAAC;AACf,CAAC;AAED,SAAS,gBAAgB,CAAC,KAAa;IACrC,IAAI,CAAC;QACH,OAAO,kBAAkB,CAAC,KAAK,CAAC,CAAC;IACnC,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC;AAED,SAAS,iBAAiB,CACxB,YAA2B;IAE3B,IAAI,CAAC,YAAY;QAAE,OAAO,EAAE,CAAC;IAE7B,OAAO,MAAM,CAAC,WAAW,CACvB,YAAY;SACT,KAAK,CAAC,GAAG,CAAC;SACV,GAAG,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC;SAC5B,MAAM,CAAC,OAAO,CAAC;SACf,GAAG,CAAC,CAAC,KAAK,EAAE,EAAE;QACb,MAAM,SAAS,GAAG,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;QACrC,IAAI,SAAS,KAAK,CAAC,CAAC;YAAE,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;QACzC,OAAO;YACL,gBAAgB,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,EAAE,SAAS,CAAC,CAAC,IAAI,EAAE,CAAC;YAClD,gBAAgB,CAAC,KAAK,CAAC,KAAK,CAAC,SAAS,GAAG,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;SACpD,CAAC;IACJ,CAAC,CAAC,CACL,CAAC;AACJ,CAAC;AAED,SAAS,WAAW,CAAC,IAAY,EAAE,KAAa;IAC9C,IAAI,IAAI,CAAC,MAAM,KAAK,KAAK,CAAC,MAAM;QAAE,OAAO,KAAK,CAAC;IAE/C,IAAI,MAAM,GAAG,CAAC,CAAC;IACf,KAAK,IAAI,KAAK,GAAG,CAAC,EAAE,KAAK,GAAG,IAAI,CAAC,MAAM,EAAE,KAAK,IAAI,CAAC,EAAE,CAAC;QACpD,MAAM,IAAI,IAAI,CAAC,UAAU,CAAC,KAAK,CAAC,GAAG,KAAK,CAAC,UAAU,CAAC,KAAK,CAAC,CAAC;IAC7D,CAAC;IACD,OAAO,MAAM,KAAK,CAAC,CAAC;AACtB,CAAC;AAED,SAAS,SAAS,CAAC,MAAyB,EAAE,OAAe;IAC3D,OAAO,IAAI,QAAQ,CAAC,UAAU,CAAC,SAAS,EAAE,EAAE,MAAM,EAAE,EAAE,OAAO,CAAC,CAAC;AACjE,CAAC;AAED,SAAS,aAAa,CAAC,IAMtB;IACC,MAAM,MAAM,GAAG,wBAAwB,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IAClD,IAAI,CAAC,MAAM,EAAE,CAAC;QACZ,IAAI,IAAI,CAAC,kBAAkB;YAAE,OAAO;QACpC,MAAM,SAAS,CACb,gBAAgB,EAChB,oFAAoF,CACrF,CAAC;IACJ,CAAC;IAED,IACE,CAAC,eAAe,CAAC;QACf,MAAM;QACN,GAAG,EAAE,IAAI,CAAC,GAAG;QACb,QAAQ,EAAE,IAAI,CAAC,QAAQ;QACvB,aAAa,EAAE,aAAa,CAAC,IAAI,CAAC,GAAG,EAAE,IAAI,CAAC,YAAY,CAAC;QACzD,cAAc,EAAE,IAAI,CAAC,cAAc;KACpC,CAAC,EACF,CAAC;QACD,MAAM,SAAS,CACb,kBAAkB,EAClB,8DAA8D,CAC/D,CAAC;IACJ,CAAC;AACH,CAAC;AAED,SAAS,YAAY,CACnB,GAAoB,EACpB,KAA+B;IAE/B,IAAI,CAAC,KAAK;QAAE,OAAO;IAEnB,MAAM,UAAU,GAAG,KAAK,CAAC,UAAU,IAAI,mBAAmB,CAAC;IAC3D,MAAM,UAAU,GAAG,KAAK,CAAC,UAAU,IAAI,mBAAmB,CAAC;IAC3D,MAAM,WAAW,GAAG,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC;IAChD,MAAM,WAAW,GAAG,iBAAiB,CAAC,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC;IAE7E,IAAI,CAAC,WAAW,IAAI,CAAC,WAAW,EAAE,CAAC;QACjC,MAAM,SAAS,CACb,eAAe,EACf,6BAA6B,UAAU,QAAQ,UAAU,wBAAwB,CAClF,CAAC;IACJ,CAAC;IAED,IAAI,CAAC,WAAW,CAAC,WAAW,EAAE,WAAW,CAAC,EAAE,CAAC;QAC3C,MAAM,SAAS,CACb,eAAe,EACf,gFAAgF,CACjF,CAAC;IACJ,CAAC;AACH,CAAC;AAED;;;;;;;GAOG;AACH,MAAM,UAAU,eAAe,CAC7B,UAA4B,EAAE;IAE9B,MAAM,gBAAgB,GAAG,IAAI,GAAG,CAC9B,CAAC,OAAO,CAAC,gBAAgB,IAAI,yBAAyB,CAAC,CAAC,GAAG,CAAC,CAAC,MAAM,EAAE,EAAE,CACrE,MAAM,CAAC,WAAW,EAAE,CACrB,CACF,CAAC;IACF,MAAM,kBAAkB,GAAG,OAAO,CAAC,kBAAkB,IAAI,IAAI,CAAC;IAC9D,MAAM,cAAc,GAAG,uBAAuB,CAAC,OAAO,CAAC,cAAc,CAAC,CAAC;IACvE,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,IAAI,KAAK,CAAC;IAErC,OAAO;QACL,IAAI,EAAE,MAAM;QACZ,SAAS,EAAE,KAAK,EAAE,EAAE,GAAG,EAAE,QAAQ,EAAE,MAAM,EAAE,EAAE,EAAE;YAC7C,IAAI,CAAC,gBAAgB,CAAC,GAAG,CAAC,GAAG,CAAC,MAAM,CAAC,WAAW,EAAE,CAAC;gBAAE,OAAO,SAAS,CAAC;YACtE,IAAI,MAAM,OAAO,CAAC,IAAI,EAAE,CAAC,EAAE,GAAG,EAAE,QAAQ,EAAE,MAAM,EAAE,CAAC;gBAAE,OAAO,SAAS,CAAC;YAEtE,aAAa,CAAC;gBACZ,GAAG;gBACH,QAAQ;gBACR,kBAAkB;gBAClB,cAAc;gBACd,YAAY,EAAE,OAAO,CAAC,YAAY;aACnC,CAAC,CAAC;YACH,YAAY,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC;YACzB,OAAO,SAAS,CAAC;QACnB,CAAC;KACF,CAAC;AACJ,CAAC"}
@@ -41,6 +41,10 @@ export * from "./providers/index.js";
41
41
  * Ambient request correlation context shared with instrumentation sinks.
42
42
  */
43
43
  export { type ActiveRequestContext, clearActiveRequestContext, enterActiveRequestContext, getActiveRequestContext, inheritActiveRequestContext, } from "./request-context.js";
44
+ /**
45
+ * Runtime workflow registration integrity helpers.
46
+ */
47
+ export * from "./runtime-integrity.js";
44
48
  /**
45
49
  * Server configuration and route types.
46
50
  */
@@ -53,6 +57,10 @@ export { contractsFromRoutes, createServer, defineRoute, defineRouteGroup, defin
53
57
  * Server context blueprint declaration helper.
54
58
  */
55
59
  export { defineServerContext } from "./server-context.js";
60
+ /**
61
+ * Trusted proxy request metadata helpers.
62
+ */
63
+ export * from "./trusted-proxy.js";
56
64
  export * from "./types.js";
57
65
  /**
58
66
  * Contract-aware route binder types and helpers.
@@ -1 +1 @@
1
- {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/server/index.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH;;GAEG;AACH,YAAY,EACV,kBAAkB,EAClB,WAAW,EACX,cAAc,EACd,gBAAgB,GACjB,MAAM,uBAAuB,CAAC;AAC/B;;GAEG;AACH,OAAO,EAAE,QAAQ,EAAE,MAAM,oBAAoB,CAAC;AAC9C;;GAEG;AACH,YAAY,EAAE,QAAQ,EAAE,MAAM,mBAAmB,CAAC;AAClD;;GAEG;AACH,YAAY,EAAE,eAAe,EAAE,MAAM,uBAAuB,CAAC;AAC7D;;GAEG;AACH,OAAO,EAAE,qBAAqB,EAAE,MAAM,oBAAoB,CAAC;AAC3D;;GAEG;AACH,YAAY,EACV,WAAW,EACX,kBAAkB,EAClB,mBAAmB,EACnB,oBAAoB,EACpB,kBAAkB,EAClB,uBAAuB,GACxB,MAAM,cAAc,CAAC;AACtB,cAAc,aAAa,CAAC;AAC5B,cAAc,YAAY,CAAC;AAC3B,cAAc,WAAW,CAAC;AAC1B;;GAEG;AACH,YAAY,EACV,kBAAkB,EAClB,4BAA4B,GAC7B,MAAM,sBAAsB,CAAC;AAC9B,cAAc,cAAc,CAAC;AAC7B,cAAc,sBAAsB,CAAC;AACrC;;GAEG;AACH,OAAO,EACL,KAAK,oBAAoB,EACzB,yBAAyB,EACzB,yBAAyB,EACzB,uBAAuB,EACvB,2BAA2B,GAC5B,MAAM,sBAAsB,CAAC;AAC9B;;GAEG;AACH,YAAY,EACV,mBAAmB,EACnB,eAAe,EACf,eAAe,EACf,YAAY,EACZ,QAAQ,EACR,UAAU,EACV,cAAc,GACf,MAAM,aAAa,CAAC;AACrB;;GAEG;AACH,OAAO,EACL,mBAAmB,EACnB,YAAY,EACZ,WAAW,EACX,gBAAgB,EAChB,YAAY,GACb,MAAM,aAAa,CAAC;AACrB;;GAEG;AACH,OAAO,EAAE,mBAAmB,EAAE,MAAM,qBAAqB,CAAC;AAC1D,cAAc,YAAY,CAAC;AAC3B;;GAEG;AACH,OAAO,EACL,KAAK,cAAc,EACnB,KAAK,kBAAkB,EACvB,KAAK,kBAAkB,EACvB,kBAAkB,EAClB,KAAK,gBAAgB,EACrB,KAAK,eAAe,EACpB,KAAK,iBAAiB,EACtB,KAAK,sBAAsB,GAC5B,MAAM,qBAAqB,CAAC"}
1
+ {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/server/index.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH;;GAEG;AACH,YAAY,EACV,kBAAkB,EAClB,WAAW,EACX,cAAc,EACd,gBAAgB,GACjB,MAAM,uBAAuB,CAAC;AAC/B;;GAEG;AACH,OAAO,EAAE,QAAQ,EAAE,MAAM,oBAAoB,CAAC;AAC9C;;GAEG;AACH,YAAY,EAAE,QAAQ,EAAE,MAAM,mBAAmB,CAAC;AAClD;;GAEG;AACH,YAAY,EAAE,eAAe,EAAE,MAAM,uBAAuB,CAAC;AAC7D;;GAEG;AACH,OAAO,EAAE,qBAAqB,EAAE,MAAM,oBAAoB,CAAC;AAC3D;;GAEG;AACH,YAAY,EACV,WAAW,EACX,kBAAkB,EAClB,mBAAmB,EACnB,oBAAoB,EACpB,kBAAkB,EAClB,uBAAuB,GACxB,MAAM,cAAc,CAAC;AACtB,cAAc,aAAa,CAAC;AAC5B,cAAc,YAAY,CAAC;AAC3B,cAAc,WAAW,CAAC;AAC1B;;GAEG;AACH,YAAY,EACV,kBAAkB,EAClB,4BAA4B,GAC7B,MAAM,sBAAsB,CAAC;AAC9B,cAAc,cAAc,CAAC;AAC7B,cAAc,sBAAsB,CAAC;AACrC;;GAEG;AACH,OAAO,EACL,KAAK,oBAAoB,EACzB,yBAAyB,EACzB,yBAAyB,EACzB,uBAAuB,EACvB,2BAA2B,GAC5B,MAAM,sBAAsB,CAAC;AAC9B;;GAEG;AACH,cAAc,wBAAwB,CAAC;AACvC;;GAEG;AACH,YAAY,EACV,mBAAmB,EACnB,eAAe,EACf,eAAe,EACf,YAAY,EACZ,QAAQ,EACR,UAAU,EACV,cAAc,GACf,MAAM,aAAa,CAAC;AACrB;;GAEG;AACH,OAAO,EACL,mBAAmB,EACnB,YAAY,EACZ,WAAW,EACX,gBAAgB,EAChB,YAAY,GACb,MAAM,aAAa,CAAC;AACrB;;GAEG;AACH,OAAO,EAAE,mBAAmB,EAAE,MAAM,qBAAqB,CAAC;AAC1D;;GAEG;AACH,cAAc,oBAAoB,CAAC;AACnC,cAAc,YAAY,CAAC;AAC3B;;GAEG;AACH,OAAO,EACL,KAAK,cAAc,EACnB,KAAK,kBAAkB,EACvB,KAAK,kBAAkB,EACvB,kBAAkB,EAClB,KAAK,gBAAgB,EACrB,KAAK,eAAe,EACpB,KAAK,iBAAiB,EACtB,KAAK,sBAAsB,GAC5B,MAAM,qBAAqB,CAAC"}
@@ -21,6 +21,10 @@ export * from "./providers/index.js";
21
21
  * Ambient request correlation context shared with instrumentation sinks.
22
22
  */
23
23
  export { clearActiveRequestContext, enterActiveRequestContext, getActiveRequestContext, inheritActiveRequestContext, } from "./request-context.js";
24
+ /**
25
+ * Runtime workflow registration integrity helpers.
26
+ */
27
+ export * from "./runtime-integrity.js";
24
28
  /**
25
29
  * Server runtime helpers.
26
30
  */
@@ -29,6 +33,10 @@ export { contractsFromRoutes, createServer, defineRoute, defineRouteGroup, defin
29
33
  * Server context blueprint declaration helper.
30
34
  */
31
35
  export { defineServerContext } from "./server-context.js";
36
+ /**
37
+ * Trusted proxy request metadata helpers.
38
+ */
39
+ export * from "./trusted-proxy.js";
32
40
  export * from "./types.js";
33
41
  /**
34
42
  * Contract-aware route binder types and helpers.
@@ -1 +1 @@
1
- {"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/server/index.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAWH;;GAEG;AACH,OAAO,EAAE,QAAQ,EAAE,MAAM,oBAAoB,CAAC;AAS9C;;GAEG;AACH,OAAO,EAAE,qBAAqB,EAAE,MAAM,oBAAoB,CAAC;AAY3D,cAAc,aAAa,CAAC;AAC5B,cAAc,YAAY,CAAC;AAC3B,cAAc,WAAW,CAAC;AAQ1B,cAAc,cAAc,CAAC;AAC7B,cAAc,sBAAsB,CAAC;AACrC;;GAEG;AACH,OAAO,EAEL,yBAAyB,EACzB,yBAAyB,EACzB,uBAAuB,EACvB,2BAA2B,GAC5B,MAAM,sBAAsB,CAAC;AAa9B;;GAEG;AACH,OAAO,EACL,mBAAmB,EACnB,YAAY,EACZ,WAAW,EACX,gBAAgB,EAChB,YAAY,GACb,MAAM,aAAa,CAAC;AACrB;;GAEG;AACH,OAAO,EAAE,mBAAmB,EAAE,MAAM,qBAAqB,CAAC;AAC1D,cAAc,YAAY,CAAC;AAC3B;;GAEG;AACH,OAAO,EAIL,kBAAkB,GAKnB,MAAM,qBAAqB,CAAC"}
1
+ {"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/server/index.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAWH;;GAEG;AACH,OAAO,EAAE,QAAQ,EAAE,MAAM,oBAAoB,CAAC;AAS9C;;GAEG;AACH,OAAO,EAAE,qBAAqB,EAAE,MAAM,oBAAoB,CAAC;AAY3D,cAAc,aAAa,CAAC;AAC5B,cAAc,YAAY,CAAC;AAC3B,cAAc,WAAW,CAAC;AAQ1B,cAAc,cAAc,CAAC;AAC7B,cAAc,sBAAsB,CAAC;AACrC;;GAEG;AACH,OAAO,EAEL,yBAAyB,EACzB,yBAAyB,EACzB,uBAAuB,EACvB,2BAA2B,GAC5B,MAAM,sBAAsB,CAAC;AAC9B;;GAEG;AACH,cAAc,wBAAwB,CAAC;AAavC;;GAEG;AACH,OAAO,EACL,mBAAmB,EACnB,YAAY,EACZ,WAAW,EACX,gBAAgB,EAChB,YAAY,GACb,MAAM,aAAa,CAAC;AACrB;;GAEG;AACH,OAAO,EAAE,mBAAmB,EAAE,MAAM,qBAAqB,CAAC;AAC1D;;GAEG;AACH,cAAc,oBAAoB,CAAC;AACnC,cAAc,YAAY,CAAC;AAC3B;;GAEG;AACH,OAAO,EAIL,kBAAkB,GAKnB,MAAM,qBAAqB,CAAC"}
@@ -1 +1 @@
1
- {"version":3,"file":"instrumentation.d.ts","sourceRoot":"","sources":["../../src/server/instrumentation.ts"],"names":[],"mappings":"AAAA,OAAO,EAEL,KAAK,kBAAkB,EACxB,MAAM,uBAAuB,CAAC;AAC/B,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,mBAAmB,CAAC;AAElD,OAAO,EACL,KAAK,iCAAiC,EAGvC,MAAM,iCAAiC,CAAC;AACzC,OAAO,EAGL,KAAK,YAAY,EAClB,MAAM,qBAAqB,CAAC;AAC7B,OAAO,KAAK,EAAE,eAAe,EAAE,gBAAgB,EAAE,UAAU,EAAE,MAAM,WAAW,CAAC;AAQ/E;;;;;;;;;;GAUG;AACH,MAAM,WAAW,4BAA4B,CAAC,GAAG,GAAG,OAAO;IACzD;;;;;;OAMG;IACH,eAAe,CAAC,EAAE,MAAM,GAAG,KAAK,CAAC;IAEjC;;;;;;;OAOG;IACH,kBAAkB,CAAC,EAAE,MAAM,GAAG,KAAK,CAAC;IAEpC;;;;;;;;OAQG;IACH,WAAW,CAAC,EAAE,SAAS,MAAM,EAAE,CAAC;IAEhC;;;;OAIG;IACH,MAAM,CAAC,EAAE,CACP,KAAK,EAAE,iCAAiC,KACrC,iCAAiC,CAAC;IAEvC;;OAEG;IACH,aAAa,CAAC,EAAE,CAAC,IAAI,EAAE;QACrB,GAAG,EAAE,eAAe,CAAC;QACrB,GAAG,CAAC,EAAE,GAAG,CAAC;QACV,QAAQ,EAAE,kBAAkB,CAAC;QAC7B,QAAQ,EAAE,gBAAgB,CAAC;QAC3B,KAAK,CAAC,EAAE,OAAO,CAAC;KACjB,KAAK,OAAO,CAAC;CACf;AAED;;;GAGG;AACH,MAAM,WAAW,kBAAkB;IACjC;;OAEG;IACH,SAAS,EAAE,MAAM,CAAC;IAClB;;OAEG;IACH,KAAK,EAAE,YAAY,CAAC;CACrB;AAED;;;GAGG;AACH,MAAM,WAAW,4BAA4B,CAAC,GAAG;IAC/C;;OAEG;IACH,WAAW,CAAC,KAAK,EAAE,QAAQ,GAAG,IAAI,CAAC;IACnC;;OAEG;IACH,cAAc,CAAC,GAAG,EAAE,eAAe,GAAG,kBAAkB,CAAC;IACzD;;OAEG;IACH,wBAAwB,IAAI,kBAAkB,CAAC;IAC/C;;;OAGG;IACH,IAAI,CAAC,EAAE,UAAU,CAAC,GAAG,EAAE,QAAQ,CAAC,CAAC;CAClC;AA2GD;;;;;;;GAOG;AACH,wBAAgB,2BAA2B,CAAC,GAAG,EAC7C,OAAO,EAAE,4BAA4B,CAAC,GAAG,CAAC,GAAG,KAAK,GAAG,SAAS,GAC7D,4BAA4B,CAAC,GAAG,CAAC,CA6OnC"}
1
+ {"version":3,"file":"instrumentation.d.ts","sourceRoot":"","sources":["../../src/server/instrumentation.ts"],"names":[],"mappings":"AAAA,OAAO,EAEL,KAAK,kBAAkB,EACxB,MAAM,uBAAuB,CAAC;AAC/B,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,mBAAmB,CAAC;AAElD,OAAO,EACL,KAAK,iCAAiC,EAGvC,MAAM,iCAAiC,CAAC;AACzC,OAAO,EAIL,KAAK,YAAY,EAElB,MAAM,qBAAqB,CAAC;AAC7B,OAAO,KAAK,EAAE,eAAe,EAAE,gBAAgB,EAAE,UAAU,EAAE,MAAM,WAAW,CAAC;AAQ/E;;;;;;;;;;GAUG;AACH,MAAM,WAAW,4BAA4B,CAAC,GAAG,GAAG,OAAO;IACzD;;;;;;OAMG;IACH,eAAe,CAAC,EAAE,MAAM,GAAG,KAAK,CAAC;IAEjC;;;;;;;OAOG;IACH,kBAAkB,CAAC,EAAE,MAAM,GAAG,KAAK,CAAC;IAEpC;;;;;;;;OAQG;IACH,WAAW,CAAC,EAAE,SAAS,MAAM,EAAE,CAAC;IAEhC;;;;OAIG;IACH,MAAM,CAAC,EAAE,CACP,KAAK,EAAE,iCAAiC,KACrC,iCAAiC,CAAC;IAEvC;;OAEG;IACH,aAAa,CAAC,EAAE,CAAC,IAAI,EAAE;QACrB,GAAG,EAAE,eAAe,CAAC;QACrB,GAAG,CAAC,EAAE,GAAG,CAAC;QACV,QAAQ,EAAE,kBAAkB,CAAC;QAC7B,QAAQ,EAAE,gBAAgB,CAAC;QAC3B,KAAK,CAAC,EAAE,OAAO,CAAC;KACjB,KAAK,OAAO,CAAC;CACf;AAED;;;GAGG;AACH,MAAM,WAAW,kBAAkB;IACjC;;OAEG;IACH,SAAS,EAAE,MAAM,CAAC;IAClB;;OAEG;IACH,KAAK,EAAE,YAAY,CAAC;CACrB;AAED;;;GAGG;AACH,MAAM,WAAW,4BAA4B,CAAC,GAAG;IAC/C;;OAEG;IACH,WAAW,CAAC,KAAK,EAAE,QAAQ,GAAG,IAAI,CAAC;IACnC;;OAEG;IACH,cAAc,CAAC,GAAG,EAAE,eAAe,GAAG,kBAAkB,CAAC;IACzD;;OAEG;IACH,wBAAwB,IAAI,kBAAkB,CAAC;IAC/C;;;OAGG;IACH,IAAI,CAAC,EAAE,UAAU,CAAC,GAAG,EAAE,QAAQ,CAAC,CAAC;CAClC;AA8GD;;;;;;;GAOG;AACH,wBAAgB,2BAA2B,CAAC,GAAG,EAC7C,OAAO,EAAE,4BAA4B,CAAC,GAAG,CAAC,GAAG,KAAK,GAAG,SAAS,GAC7D,4BAA4B,CAAC,GAAG,CAAC,CA4PnC"}