@boldsec/next 0.1.0

package/README.md

@@ -0,0 +1,78 @@
+# @boldsec/next
+
+Live BOLA/IDOR monitoring for **Next.js (App Router)**. Wrap an API route; BoLD watches it and
+raises an alarm the moment one user reaches another user's object — in real time, from your app's
+actual traffic.
+
+- **Metadata only.** BoLD receives who made the request (an opaque, non-reversible handle — never
+  the token), the endpoint shape, the object id, the status, and the object's declared owner if the
+  response exposed one. The response body is read once to extract that single owner field and then
+  discarded. No body, no headers, no credentials ever leave your app.
+- **Fail-safe.** Shipping the metadata is fire-and-forget. If BoLD is slow or down, your response is
+  returned untouched and on time. BoLD can never break or slow the app it watches.
+- **Never alters your response.** Your handler runs exactly as before; its response is returned
+  byte-for-byte.
+
+## Install
+
+```bash
+npm install @boldsec/next
+```
+
+## Configure (once)
+
+Add your keys (from the BoLD **Live** page, shown once when you connect the app):
+
+```bash
+# .env.local
+BOLD_INGEST_URL=https://<your-bold>/api/live/ingest
+BOLD_INGEST_KEY=blk_...
+# optional — owner-field names to look for in responses (default covers common ones)
+BOLD_OWNER_FIELDS=ownerId,owner_id,user_id
+```
+
+## Use
+
+Wrap the route handlers you want watched:
+
+```ts
+// app/api/invoices/[id]/route.ts
+import { withBold } from "@boldsec/next";
+
+export const GET = withBold(
+  async (req, ctx) => {
+    const invoice = await getInvoice(ctx.params.id);
+    return Response.json(invoice); // { id, ownerId, ... }
+  },
+  // STRONGLY RECOMMENDED — tell BoLD who the caller is, in the SAME namespace as your owner field:
+  { resolveCallerId: (req) => getUserIdFromSession(req) }, // e.g. "usr_101"
+);
+```
+
+Works for `GET` / `PUT` / `PATCH` / `POST` / `DELETE` handlers. Redeploy, and your app's real
+traffic is watched automatically — catches appear in your BoLD **Findings** with a live timestamp.
+
+### App shapes it reads
+
+- **REST object routes** — string ids (`/api/invoices/inv_8101`), numeric ids (`/api/orders/4021`),
+  UUIDs.
+- **Nested / oddly-named owner fields** — the owner is found wherever it nests (bounded depth) as
+  long as the field name is in your owner-field list (e.g. add `holderId` for `data.account.holderId`).
+- **GraphQL** — wrap your `app/api/graphql/route.ts` the same way. BoLD parses the operation and its
+  `id` (from `variables` or an inline literal) and reads the owner from `data.<field>`. Single-object
+  queries and mutations are watched; batched/list queries, or an id BoLD can't resolve, are skipped
+  (it never guesses — a shape it can't read is held for review, never reported clean).
+
+### Why `resolveCallerId` matters
+
+Your app already authenticated the caller, so it knows their id (e.g. `usr_101`). Passing it lets
+BoLD compare the **caller** against the **object's owner** directly: if they match, it's the owner's
+own access and BoLD stays silent — no false alarm. Without it, BoLD falls back to a non-reversible
+hash of the auth header, which can't be matched against your owner ids, so a user reading **their
+own** object may be flagged. Always provide `resolveCallerId` in production.
+
+## How it confirms a violation
+
+BoLD confirms a BOLA when a request returns an object whose **owner field** identifies a *different*
+user than the caller. If a response doesn't expose an owner field, BoLD reports **needs review**
+rather than guessing — it never raises a false alarm.

package/dist/index.d.ts

@@ -0,0 +1,76 @@
+/**
+ * @boldsec/next: the Next.js (App Router) route wrapper for BoLD live monitoring (Stage 3 / S3.3).
+ *
+ * Why a route wrapper and not `proxy.ts`/middleware: Next.js proxy runs BEFORE the response and
+ * cannot read the response body — but confirming a BOLA needs the owner field FROM the response
+ * (e.g. `ownerId`). The route handler is the only place that sees both the request and the response,
+ * so that is where BoLD watches. The user wraps their existing handler; it runs unchanged.
+ *
+ * What it sends to BoLD: METADATA ONLY — who made the request (an opaque, non-reversible identity
+ * handle, never the token/cookie), the endpoint shape, the object id, the status, and the object's
+ * declared owner if the response JSON exposed one. The response body is read once to extract that
+ * single owner field and then DISCARDED. No body, no headers, no credentials ever leave the app.
+ *
+ * Failure mode: FAIL-SAFE. Shipping the metadata is fire-and-forget; if BoLD is slow or down, the
+ * user's response is returned untouched and on time. BoLD can never break or slow the app it watches.
+ *
+ * Usage (a few lines, no terminal):
+ *
+ *   // app/api/invoices/[id]/route.ts
+ *   import { withBold } from "@boldsec/next";
+ *
+ *   export const GET = withBold(
+ *     async (req, ctx) => {
+ *       const invoice = await getInvoice(ctx.params.id);
+ *       return Response.json(invoice); // { id, ownerId, ... }
+ *     },
+ *     { resolveCallerId: (req) => getUserIdFromSession(req) }, // RECOMMENDED — see BoldConfig
+ *   );
+ *
+ * Config via env (set once): BOLD_INGEST_URL, BOLD_INGEST_KEY, optional BOLD_OWNER_FIELDS.
+ */
+export interface BoldConfig {
+    /** Where to send events — your BoLD ingest endpoint. Defaults to env BOLD_INGEST_URL. */
+    ingestUrl?: string;
+    /** The monitor's ingest key (shown once when you connect the app). Defaults to env BOLD_INGEST_KEY. */
+    ingestKey?: string;
+    /** Owner-field names to look for in the response JSON. Defaults to env BOLD_OWNER_FIELDS or a
+     *  common set. The FIRST one present (top level or one level of nesting) is used. */
+    ownerFields?: string[];
+    /** The authenticated caller's RESOLVED id (e.g. `usr_101`) — same namespace as the response's
+     *  owner field. STRONGLY RECOMMENDED: your app already authenticated the user, so it knows this.
+     *  With it, BoLD sees "caller IS the owner" and never false-CONFIRMs an owner's own access. Pass
+     *  a `(request) => id` resolver. Without it, identity falls back to a non-reversible hash of the
+     *  auth header — which cannot match the owner namespace, so an owner reading their own object can
+     *  be wrongly flagged. */
+    resolveCallerId?: (request: Request) => string | null | Promise<string | null>;
+}
+/** The shape of a Next.js App Router route handler: (request, context) => Response. We keep the
+ *  context generic so any `{ params }` shape passes through untouched. */
+export type RouteHandler<C> = (request: Request, context: C) => Response | Promise<Response>;
+/** Split a path into an endpoint template (".../{id}") + the object id, or null if no id segment. */
+export declare function endpointAndObject(pathname: string): {
+    endpoint: string;
+    objectId: string | null;
+};
+/** Pull the first owner-looking field from a parsed JSON body, searching by KNOWN field name only,
+ *  breadth-first to a bounded depth. We NEVER guess an owner from an unnamed field — if no
+ *  configured owner-field name is present anywhere in range, we return null, and the engine then
+ *  yields needs-review (the anthem: an unfindable owner is loud, never a false clean). Breadth-first
+ *  + shallow bound means the SHALLOWEST match wins (the real owner), not a deep look-alike. */
+export declare function declaredOwner(json: unknown, ownerFields: string[]): string | null;
+export interface GraphqlOp {
+    field: string;
+    objectId: string;
+    isMutation: boolean;
+}
+/** Parse a GraphQL request body into a single object operation + its id, or null. Reads the id from
+ *  `variables` (the standard pattern) when the query references `$var`, else from an inline literal.
+ *  Returns null for anything ambiguous (no id, multiple object ops, batched array) so we stay loud. */
+export declare function parseGraphqlOp(body: unknown): GraphqlOp | null;
+/**
+ * Wrap a Next.js App Router route handler so BoLD watches it live. The handler runs exactly as
+ * before; its response is returned untouched. BoLD observes metadata out of band.
+ */
+export declare function withBold<C>(handler: RouteHandler<C>, config?: BoldConfig): RouteHandler<C>;
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA8BG;AAEH,MAAM,WAAW,UAAU;IACzB,yFAAyF;IACzF,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,uGAAuG;IACvG,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB;yFACqF;IACrF,WAAW,CAAC,EAAE,MAAM,EAAE,CAAC;IACvB;;;;;8BAK0B;IAC1B,eAAe,CAAC,EAAE,CAAC,OAAO,EAAE,OAAO,KAAK,MAAM,GAAG,IAAI,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAAC;CAChF;AAED;0EAC0E;AAC1E,MAAM,MAAM,YAAY,CAAC,CAAC,IAAI,CAAC,OAAO,EAAE,OAAO,EAAE,OAAO,EAAE,CAAC,KAAK,QAAQ,GAAG,OAAO,CAAC,QAAQ,CAAC,CAAC;AAsE7F,qGAAqG;AACrG,wBAAgB,iBAAiB,CAAC,QAAQ,EAAE,MAAM,GAAG;IAAE,QAAQ,EAAE,MAAM,CAAC;IAAC,QAAQ,EAAE,MAAM,GAAG,IAAI,CAAA;CAAE,CAMjG;AAOD;;;;+FAI+F;AAC/F,wBAAgB,aAAa,CAAC,IAAI,EAAE,OAAO,EAAE,WAAW,EAAE,MAAM,EAAE,GAAG,MAAM,GAAG,IAAI,CAuBjF;AAeD,MAAM,WAAW,SAAS;IACxB,KAAK,EAAE,MAAM,CAAC;IACd,QAAQ,EAAE,MAAM,CAAC;IACjB,UAAU,EAAE,OAAO,CAAC;CACrB;AAED;;uGAEuG;AACvG,wBAAgB,cAAc,CAAC,IAAI,EAAE,OAAO,GAAG,SAAS,GAAG,IAAI,CAyB9D;AAiGD;;;GAGG;AACH,wBAAgB,QAAQ,CAAC,CAAC,EAAE,OAAO,EAAE,YAAY,CAAC,CAAC,CAAC,EAAE,MAAM,CAAC,EAAE,UAAU,GAAG,YAAY,CAAC,CAAC,CAAC,CA4B1F"}

package/dist/index.js

@@ -0,0 +1,312 @@
+/**
+ * @boldsec/next: the Next.js (App Router) route wrapper for BoLD live monitoring (Stage 3 / S3.3).
+ *
+ * Why a route wrapper and not `proxy.ts`/middleware: Next.js proxy runs BEFORE the response and
+ * cannot read the response body — but confirming a BOLA needs the owner field FROM the response
+ * (e.g. `ownerId`). The route handler is the only place that sees both the request and the response,
+ * so that is where BoLD watches. The user wraps their existing handler; it runs unchanged.
+ *
+ * What it sends to BoLD: METADATA ONLY — who made the request (an opaque, non-reversible identity
+ * handle, never the token/cookie), the endpoint shape, the object id, the status, and the object's
+ * declared owner if the response JSON exposed one. The response body is read once to extract that
+ * single owner field and then DISCARDED. No body, no headers, no credentials ever leave the app.
+ *
+ * Failure mode: FAIL-SAFE. Shipping the metadata is fire-and-forget; if BoLD is slow or down, the
+ * user's response is returned untouched and on time. BoLD can never break or slow the app it watches.
+ *
+ * Usage (a few lines, no terminal):
+ *
+ *   // app/api/invoices/[id]/route.ts
+ *   import { withBold } from "@boldsec/next";
+ *
+ *   export const GET = withBold(
+ *     async (req, ctx) => {
+ *       const invoice = await getInvoice(ctx.params.id);
+ *       return Response.json(invoice); // { id, ownerId, ... }
+ *     },
+ *     { resolveCallerId: (req) => getUserIdFromSession(req) }, // RECOMMENDED — see BoldConfig
+ *   );
+ *
+ * Config via env (set once): BOLD_INGEST_URL, BOLD_INGEST_KEY, optional BOLD_OWNER_FIELDS.
+ */
+const DEFAULT_OWNER_FIELDS = [
+    "ownerId",
+    "owner_id",
+    "userId",
+    "user_id",
+    "accountId",
+    "account_id",
+    "createdBy",
+    "created_by",
+    "tenantId",
+    "tenant_id",
+];
+const OBJECT_PATH = /^(.*?)\/([^/]+)\/?$/; // ".../{prefix}/{lastSegment}"
+// An id-looking last path segment: a pure number (42), a uuid/long-hex (>=6 hex/dash chars), or a
+// PREFIXED id with one OR MORE underscore segments (inv_7001, acct_northstar_001,
+// note_priya_investor_followup). Requiring at least one `_segment` is what distinguishes a real id
+// from a route word like `orders` / `login` (which must NOT be treated as an object id).
+const ID_LIKE = /^[0-9]+$|^[0-9a-fA-F-]{6,}$|^[a-zA-Z][a-zA-Z0-9]*(?:_[a-zA-Z0-9]+)+$/;
+function resolveConfig(cfg) {
+    const env = typeof process !== "undefined" && process.env ? process.env : {};
+    const ingestUrl = cfg?.ingestUrl ?? env.BOLD_INGEST_URL ?? "";
+    const ingestKey = cfg?.ingestKey ?? env.BOLD_INGEST_KEY ?? "";
+    if (!ingestUrl || !ingestKey)
+        return null; // not configured -> silently no-op (never throw)
+    const ownerFields = cfg?.ownerFields ??
+        (env.BOLD_OWNER_FIELDS
+            ? env.BOLD_OWNER_FIELDS.split(",").map((s) => s.trim())
+            : DEFAULT_OWNER_FIELDS);
+    return { ingestUrl, ingestKey, ownerFields, resolveCallerId: cfg?.resolveCallerId };
+}
+/** The caller's identity for the engine. Best: the app's RESOLVED owner-id (same namespace as the
+ *  response owner field) so own-access is never false-CONFIRMED. Fallback: a NON-reversible hash of
+ *  the auth material (never the token) — lets BoLD tell "same vs different caller" but can't match
+ *  the owner namespace. */
+async function identityFrom(request, cfg) {
+    if (cfg.resolveCallerId) {
+        try {
+            const resolved = await cfg.resolveCallerId(request);
+            if (resolved)
+                return String(resolved);
+        }
+        catch {
+            // a throwing resolver must never break the app -> fall back to the hash
+        }
+    }
+    const auth = request.headers.get("authorization") ?? request.headers.get("cookie") ?? "";
+    if (!auth)
+        return null;
+    try {
+        const data = new TextEncoder().encode(auth);
+        const digest = await crypto.subtle.digest("SHA-256", data);
+        const hex = Array.from(new Uint8Array(digest))
+            .map((b) => b.toString(16).padStart(2, "0"))
+            .join("");
+        return "id_" + hex.slice(0, 16);
+    }
+    catch {
+        return null;
+    }
+}
+/** Split a path into an endpoint template (".../{id}") + the object id, or null if no id segment. */
+export function endpointAndObject(pathname) {
+    const m = pathname.match(OBJECT_PATH);
+    if (!m)
+        return { endpoint: pathname, objectId: null };
+    const [, prefix, last] = m;
+    if (!ID_LIKE.test(last))
+        return { endpoint: pathname, objectId: null };
+    return { endpoint: `${prefix}/{id}`, objectId: last };
+}
+/** Max nesting depth declaredOwner walks. Real owner fields live shallow (top level, or under a
+ *  `data`/`account`/`attributes` wrapper); we bound the walk so a deeply nested LOOK-ALIKE field can
+ *  never be mistaken for the owner, and so a huge response can't cost unbounded work. */
+const OWNER_MAX_DEPTH = 4;
+/** Pull the first owner-looking field from a parsed JSON body, searching by KNOWN field name only,
+ *  breadth-first to a bounded depth. We NEVER guess an owner from an unnamed field — if no
+ *  configured owner-field name is present anywhere in range, we return null, and the engine then
+ *  yields needs-review (the anthem: an unfindable owner is loud, never a false clean). Breadth-first
+ *  + shallow bound means the SHALLOWEST match wins (the real owner), not a deep look-alike. */
+export function declaredOwner(json, ownerFields) {
+    const fields = new Set(ownerFields);
+    // BFS so the shallowest occurrence of an owner field wins; bounded depth + visited-guard keep it
+    // safe on large/cyclic objects.
+    let level = [json];
+    const seen = new Set();
+    for (let depth = 0; depth <= OWNER_MAX_DEPTH && level.length; depth++) {
+        const next = [];
+        for (const node of level) {
+            if (!node || typeof node !== "object" || Array.isArray(node) || seen.has(node))
+                continue;
+            seen.add(node);
+            const obj = node;
+            for (const f of fields) {
+                const v = obj[f];
+                if (v !== undefined && v !== null && typeof v !== "object")
+                    return String(v);
+            }
+            for (const v of Object.values(obj)) {
+                if (v && typeof v === "object")
+                    next.push(v);
+            }
+        }
+        level = next;
+    }
+    return null;
+}
+// ── GraphQL adapter (Shape 3) ──────────────────────────────────────────────────────────────────
+// GraphQL puts the object id in the REQUEST BODY (not the URL path) and the data under `data.<field>`
+// in the response, so the path-based extractor finds nothing. This adapter parses the operation +
+// id from the request and maps the owner from the response. The anthem floor holds throughout: if we
+// cannot identify EXACTLY ONE object operation + its id, we return null and ship nothing for it —
+// BoLD never invents an object, so it never produces a false verdict on a query it can't read.
+const GQL_PATH = /\/graphql\/?$/i; // the conventional GraphQL endpoint
+// A top-level selection like `order(id: $x)` or `invoice(id: "7")` — capture the field name + the id
+// arg (variable ref `$name` or an inline string/number literal). Intentionally conservative.
+const GQL_FIELD_WITH_ID = /\b([A-Za-z_][A-Za-z0-9_]*)\s*\(\s*[^)]*?\bid\s*:\s*(?:\$([A-Za-z_][A-Za-z0-9_]*)|"([^"]+)"|([0-9]+))/;
+/** Parse a GraphQL request body into a single object operation + its id, or null. Reads the id from
+ *  `variables` (the standard pattern) when the query references `$var`, else from an inline literal.
+ *  Returns null for anything ambiguous (no id, multiple object ops, batched array) so we stay loud. */
+export function parseGraphqlOp(body) {
+    if (Array.isArray(body))
+        return null; // batched queries -> ambiguous, hold loud
+    if (!body || typeof body !== "object")
+        return null;
+    const b = body;
+    const query = b.query;
+    if (typeof query !== "string")
+        return null;
+    const variables = (b.variables && typeof b.variables === "object" ? b.variables : {});
+    const isMutation = /^\s*mutation\b/i.test(query) || /\bmutation\b/i.test(query.split("{")[0] ?? "");
+    const m = query.match(GQL_FIELD_WITH_ID);
+    if (!m)
+        return null;
+    const [, field, varRef, strLit, numLit] = m;
+    let objectId = null;
+    if (varRef) {
+        const v = variables[varRef];
+        if (v !== undefined && v !== null && typeof v !== "object")
+            objectId = String(v);
+    }
+    else if (strLit !== undefined) {
+        objectId = strLit;
+    }
+    else if (numLit !== undefined) {
+        objectId = numLit;
+    }
+    if (!objectId)
+        return null; // an id we can't resolve -> don't guess, hold loud
+    return { field, objectId, isMutation };
+}
+/** The owner for a GraphQL op: look under the response's `data.<field>` subtree (the GraphQL result
+ *  shape), reusing the same name-based owner search. Null if not present -> needs-review. */
+function graphqlOwner(json, field, ownerFields) {
+    if (!json || typeof json !== "object")
+        return null;
+    const data = json.data;
+    if (!data || typeof data !== "object")
+        return null;
+    const node = data[field];
+    if (node === undefined)
+        return null;
+    return declaredOwner(node, ownerFields);
+}
+function methodToAction(method) {
+    const m = method.toUpperCase();
+    if (m === "GET")
+        return "GET";
+    if (m === "PUT" || m === "PATCH" || m === "POST")
+        return m;
+    if (m === "DELETE")
+        return "DELETE";
+    return null;
+}
+/** Build the metadata event + ship it fire-and-forget. Never throws; never blocks the response. */
+async function observe(request, response, cfg, 
+// The GraphQL request body, captured BEFORE the handler ran (the handler consumes the body, so a
+// clone taken afterwards is empty — only the up-front capture in withBold has the query). null for
+// non-GraphQL requests or when the body could not be read.
+gqlBody) {
+    try {
+        const url = new URL(request.url);
+        const respIsJson = (response.headers.get("content-type") ?? "").includes("application/json");
+        // Resolve {endpoint, objectId, owner, method} for either a REST object route OR a GraphQL op.
+        let endpoint;
+        let objectId;
+        let owner = null;
+        let method;
+        if (request.method.toUpperCase() === "POST" && GQL_PATH.test(url.pathname)) {
+            // ── GraphQL path: the id is in the request body (captured up-front), owner under data.<field>.
+            const op = parseGraphqlOp(gqlBody);
+            if (!op)
+                return; // can't identify exactly one object op -> ship nothing, never guess
+            endpoint = `${url.pathname}#${op.field}`; // endpoint template names the GraphQL field
+            objectId = op.objectId;
+            method = op.isMutation ? "PATCH" : "GET"; // mutation -> write (UPDATE), query -> read
+            if (respIsJson) {
+                try {
+                    owner = graphqlOwner(await response.clone().json(), op.field, cfg.ownerFields);
+                }
+                catch {
+                    owner = null;
+                }
+            }
+        }
+        else {
+            // ── REST path: id in the URL, owner anywhere named in the response JSON. ──
+            const eo = endpointAndObject(url.pathname);
+            endpoint = eo.endpoint;
+            objectId = eo.objectId;
+            if (!objectId)
+                return; // not an object-by-id route -> nothing to judge
+            if (!methodToAction(request.method))
+                return;
+            method = request.method.toUpperCase();
+            if (respIsJson) {
+                try {
+                    owner = declaredOwner(await response.clone().json(), cfg.ownerFields);
+                }
+                catch {
+                    owner = null; // not the JSON shape we need -> no owner signal, never an error
+                }
+            }
+        }
+        const event = {
+            identity: await identityFrom(request, cfg),
+            method,
+            endpoint,
+            object_id: objectId,
+            status_code: response.status,
+            declared_owner: owner,
+        };
+        // On serverless (Vercel/Lambda) the function is FROZEN the instant the response is returned, so
+        // an un-awaited fetch is killed mid-flight and the metadata never leaves (proven on a real
+        // deploy — `keepalive` is a browser-only hint Node ignores). So we AWAIT the POST. Still
+        // fail-safe: the inner .catch + the outer try/catch mean a slow/down BoLD can never break or
+        // alter the response — and `observe()` itself is awaited by the wrapper only up to here, so the
+        // owner-bytes were already read from the clone before this.
+        await fetch(cfg.ingestUrl, {
+            method: "POST",
+            headers: { "content-type": "application/json", authorization: `Bearer ${cfg.ingestKey}` },
+            body: JSON.stringify(event),
+        }).catch(() => { });
+    }
+    catch {
+        // The wrapper must NEVER affect the app. Swallow everything.
+    }
+}
+/**
+ * Wrap a Next.js App Router route handler so BoLD watches it live. The handler runs exactly as
+ * before; its response is returned untouched. BoLD observes metadata out of band.
+ */
+export function withBold(handler, config) {
+    return async (request, context) => {
+        const cfg = resolveConfig(config);
+        // For a GraphQL POST, the id lives in the request body — and the handler will CONSUME that body
+        // when it reads it. So we must capture it from a CLONE *before* the handler runs; a clone taken
+        // afterwards is empty. We read it fail-safe: any error leaves gqlBody null and the request is
+        // simply not judged (never breaks the handler, which gets the original body untouched).
+        let gqlBody = null;
+        if (cfg && request.method.toUpperCase() === "POST") {
+            try {
+                const url = new URL(request.url);
+                if (GQL_PATH.test(url.pathname))
+                    gqlBody = await request.clone().json();
+            }
+            catch {
+                gqlBody = null;
+            }
+        }
+        const response = await handler(request, context);
+        if (cfg) {
+            // AWAIT the observe so the metadata POST actually transmits before the serverless function
+            // freezes at return (an un-awaited POST is silently dropped on Vercel/Lambda — proven on a
+            // real deploy). observe() is fully fail-safe internally (try/catch + .catch), so awaiting it
+            // can never throw, never alter the response, and only briefly delays returning it.
+            await observe(request, response, cfg, gqlBody);
+        }
+        return response;
+    };
+}
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA8BG;AAuBH,MAAM,oBAAoB,GAAG;IAC3B,SAAS;IACT,UAAU;IACV,QAAQ;IACR,SAAS;IACT,WAAW;IACX,YAAY;IACZ,WAAW;IACX,YAAY;IACZ,UAAU;IACV,WAAW;CACZ,CAAC;AAEF,MAAM,WAAW,GAAG,qBAAqB,CAAC,CAAC,+BAA+B;AAC1E,kGAAkG;AAClG,kFAAkF;AAClF,mGAAmG;AACnG,yFAAyF;AACzF,MAAM,OAAO,GAAG,sEAAsE,CAAC;AASvF,SAAS,aAAa,CAAC,GAAgB;IACrC,MAAM,GAAG,GACP,OAAO,OAAO,KAAK,WAAW,IAAI,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC;IACnE,MAAM,SAAS,GAAG,GAAG,EAAE,SAAS,IAAI,GAAG,CAAC,eAAe,IAAI,EAAE,CAAC;IAC9D,MAAM,SAAS,GAAG,GAAG,EAAE,SAAS,IAAI,GAAG,CAAC,eAAe,IAAI,EAAE,CAAC;IAC9D,IAAI,CAAC,SAAS,IAAI,CAAC,SAAS;QAAE,OAAO,IAAI,CAAC,CAAC,iDAAiD;IAC5F,MAAM,WAAW,GACf,GAAG,EAAE,WAAW;QAChB,CAAC,GAAG,CAAC,iBAAiB;YACpB,CAAC,CAAC,GAAG,CAAC,iBAAiB,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,CAAC,CAAS,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;YAC/D,CAAC,CAAC,oBAAoB,CAAC,CAAC;IAC5B,OAAO,EAAE,SAAS,EAAE,SAAS,EAAE,WAAW,EAAE,eAAe,EAAE,GAAG,EAAE,eAAe,EAAE,CAAC;AACtF,CAAC;AAED;;;2BAG2B;AAC3B,KAAK,UAAU,YAAY,CAAC,OAAgB,EAAE,GAAmB;IAC/D,IAAI,GAAG,CAAC,eAAe,EAAE,CAAC;QACxB,IAAI,CAAC;YACH,MAAM,QAAQ,GAAG,MAAM,GAAG,CAAC,eAAe,CAAC,OAAO,CAAC,CAAC;YACpD,IAAI,QAAQ;gBAAE,OAAO,MAAM,CAAC,QAAQ,CAAC,CAAC;QACxC,CAAC;QAAC,MAAM,CAAC;YACP,wEAAwE;QAC1E,CAAC;IACH,CAAC;IACD,MAAM,IAAI,GAAG,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC,IAAI,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAC,IAAI,EAAE,CAAC;IACzF,IAAI,CAAC,IAAI;QAAE,OAAO,IAAI,CAAC;IACvB,IAAI,CAAC;QACH,MAAM,IAAI,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;QAC5C,MAAM,MAAM,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,SAAS,EAAE,IAAI,CAAC,CAAC;QAC3D,MAAM,GAAG,GAAG,KAAK,CAAC,IAAI,CAAC,IAAI,UAAU,CAAC,MAAM,CAAC,CAAC;aAC3C,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC;aAC3C,IAAI,CAAC,EAAE,CAAC,CAAC;QACZ,OAAO,KAAK,GAAG,GAAG,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;IAClC,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED,qGAAqG;AACrG,MAAM,UAAU,iBAAiB,CAAC,QAAgB;IAChD,MAAM,CAAC,GAAG,QAAQ,CAAC,KAAK,CAAC,WAAW,CAAC,CAAC;IACtC,IAAI,CAAC,CAAC;QAAE,OAAO,EAAE,QAAQ,EAAE,QAAQ,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAC;IACtD,MAAM,CAAC,EAAE,MAAM,EAAE,IAAI,CAAC,GAAG,CAAC,CAAC;IAC3B,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC;QAAE,OAAO,EAAE,QAAQ,EAAE,QAAQ,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAC;IACvE,OAAO,EAAE,QAAQ,EAAE,GAAG,MAAM,OAAO,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAC;AACxD,CAAC;AAED;;yFAEyF;AACzF,MAAM,eAAe,GAAG,CAAC,CAAC;AAE1B;;;;+FAI+F;AAC/F,MAAM,UAAU,aAAa,CAAC,IAAa,EAAE,WAAqB;IAChE,MAAM,MAAM,GAAG,IAAI,GAAG,CAAC,WAAW,CAAC,CAAC;IACpC,iGAAiG;IACjG,gCAAgC;IAChC,IAAI,KAAK,GAAc,CAAC,IAAI,CAAC,CAAC;IAC9B,MAAM,IAAI,GAAG,IAAI,GAAG,EAAW,CAAC;IAChC,KAAK,IAAI,KAAK,GAAG,CAAC,EAAE,KAAK,IAAI,eAAe,IAAI,KAAK,CAAC,MAAM,EAAE,KAAK,EAAE,EAAE,CAAC;QACtE,MAAM,IAAI,GAAc,EAAE,CAAC;QAC3B,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;YACzB,IAAI,CAAC,IAAI,IAAI,OAAO,IAAI,KAAK,QAAQ,IAAI,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC;gBAAE,SAAS;YACzF,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;YACf,MAAM,GAAG,GAAG,IAA+B,CAAC;YAC5C,KAAK,MAAM,CAAC,IAAI,MAAM,EAAE,CAAC;gBACvB,MAAM,CAAC,GAAG,GAAG,CAAC,CAAC,CAAC,CAAC;gBACjB,IAAI,CAAC,KAAK,SAAS,IAAI,CAAC,KAAK,IAAI,IAAI,OAAO,CAAC,KAAK,QAAQ;oBAAE,OAAO,MAAM,CAAC,CAAC,CAAC,CAAC;YAC/E,CAAC;YACD,KAAK,MAAM,CAAC,IAAI,MAAM,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC;gBACnC,IAAI,CAAC,IAAI,OAAO,CAAC,KAAK,QAAQ;oBAAE,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;YAC/C,CAAC;QACH,CAAC;QACD,KAAK,GAAG,IAAI,CAAC;IACf,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED,kGAAkG;AAClG,sGAAsG;AACtG,kGAAkG;AAClG,qGAAqG;AACrG,kGAAkG;AAClG,+FAA+F;AAE/F,MAAM,QAAQ,GAAG,gBAAgB,CAAC,CAAC,oCAAoC;AACvE,qGAAqG;AACrG,6FAA6F;AAC7F,MAAM,iBAAiB,GACrB,sGAAsG,CAAC;AAQzG;;uGAEuG;AACvG,MAAM,UAAU,cAAc,CAAC,IAAa;IAC1C,IAAI,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC;QAAE,OAAO,IAAI,CAAC,CAAC,0CAA0C;IAChF,IAAI,CAAC,IAAI,IAAI,OAAO,IAAI,KAAK,QAAQ;QAAE,OAAO,IAAI,CAAC;IACnD,MAAM,CAAC,GAAG,IAA+B,CAAC;IAC1C,MAAM,KAAK,GAAG,CAAC,CAAC,KAAK,CAAC;IACtB,IAAI,OAAO,KAAK,KAAK,QAAQ;QAAE,OAAO,IAAI,CAAC;IAC3C,MAAM,SAAS,GAAG,CAAC,CAAC,CAAC,SAAS,IAAI,OAAO,CAAC,CAAC,SAAS,KAAK,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,EAAE,CAGnF,CAAC;IACF,MAAM,UAAU,GAAG,iBAAiB,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,eAAe,CAAC,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC;IACpG,MAAM,CAAC,GAAG,KAAK,CAAC,KAAK,CAAC,iBAAiB,CAAC,CAAC;IACzC,IAAI,CAAC,CAAC;QAAE,OAAO,IAAI,CAAC;IACpB,MAAM,CAAC,EAAE,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,CAAC,GAAG,CAAC,CAAC;IAC5C,IAAI,QAAQ,GAAkB,IAAI,CAAC;IACnC,IAAI,MAAM,EAAE,CAAC;QACX,MAAM,CAAC,GAAG,SAAS,CAAC,MAAM,CAAC,CAAC;QAC5B,IAAI,CAAC,KAAK,SAAS,IAAI,CAAC,KAAK,IAAI,IAAI,OAAO,CAAC,KAAK,QAAQ;YAAE,QAAQ,GAAG,MAAM,CAAC,CAAC,CAAC,CAAC;IACnF,CAAC;SAAM,IAAI,MAAM,KAAK,SAAS,EAAE,CAAC;QAChC,QAAQ,GAAG,MAAM,CAAC;IACpB,CAAC;SAAM,IAAI,MAAM,KAAK,SAAS,EAAE,CAAC;QAChC,QAAQ,GAAG,MAAM,CAAC;IACpB,CAAC;IACD,IAAI,CAAC,QAAQ;QAAE,OAAO,IAAI,CAAC,CAAC,mDAAmD;IAC/E,OAAO,EAAE,KAAK,EAAE,QAAQ,EAAE,UAAU,EAAE,CAAC;AACzC,CAAC;AAED;6FAC6F;AAC7F,SAAS,YAAY,CAAC,IAAa,EAAE,KAAa,EAAE,WAAqB;IACvE,IAAI,CAAC,IAAI,IAAI,OAAO,IAAI,KAAK,QAAQ;QAAE,OAAO,IAAI,CAAC;IACnD,MAAM,IAAI,GAAI,IAAgC,CAAC,IAAI,CAAC;IACpD,IAAI,CAAC,IAAI,IAAI,OAAO,IAAI,KAAK,QAAQ;QAAE,OAAO,IAAI,CAAC;IACnD,MAAM,IAAI,GAAI,IAAgC,CAAC,KAAK,CAAC,CAAC;IACtD,IAAI,IAAI,KAAK,SAAS;QAAE,OAAO,IAAI,CAAC;IACpC,OAAO,aAAa,CAAC,IAAI,EAAE,WAAW,CAAC,CAAC;AAC1C,CAAC;AAED,SAAS,cAAc,CAAC,MAAc;IACpC,MAAM,CAAC,GAAG,MAAM,CAAC,WAAW,EAAE,CAAC;IAC/B,IAAI,CAAC,KAAK,KAAK;QAAE,OAAO,KAAK,CAAC;IAC9B,IAAI,CAAC,KAAK,KAAK,IAAI,CAAC,KAAK,OAAO,IAAI,CAAC,KAAK,MAAM;QAAE,OAAO,CAAC,CAAC;IAC3D,IAAI,CAAC,KAAK,QAAQ;QAAE,OAAO,QAAQ,CAAC;IACpC,OAAO,IAAI,CAAC;AACd,CAAC;AAED,mGAAmG;AACnG,KAAK,UAAU,OAAO,CACpB,OAAgB,EAChB,QAAkB,EAClB,GAAmB;AACnB,iGAAiG;AACjG,mGAAmG;AACnG,2DAA2D;AAC3D,OAAgB;IAEhB,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;QACjC,MAAM,UAAU,GAAG,CAAC,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,cAAc,CAAC,IAAI,EAAE,CAAC,CAAC,QAAQ,CAAC,kBAAkB,CAAC,CAAC;QAE7F,8FAA8F;QAC9F,IAAI,QAAgB,CAAC;QACrB,IAAI,QAAuB,CAAC;QAC5B,IAAI,KAAK,GAAkB,IAAI,CAAC;QAChC,IAAI,MAAc,CAAC;QAEnB,IAAI,OAAO,CAAC,MAAM,CAAC,WAAW,EAAE,KAAK,MAAM,IAAI,QAAQ,CAAC,IAAI,CAAC,GAAG,CAAC,QAAQ,CAAC,EAAE,CAAC;YAC3E,gGAAgG;YAChG,MAAM,EAAE,GAAqB,cAAc,CAAC,OAAO,CAAC,CAAC;YACrD,IAAI,CAAC,EAAE;gBAAE,OAAO,CAAC,oEAAoE;YACrF,QAAQ,GAAG,GAAG,GAAG,CAAC,QAAQ,IAAI,EAAE,CAAC,KAAK,EAAE,CAAC,CAAC,4CAA4C;YACtF,QAAQ,GAAG,EAAE,CAAC,QAAQ,CAAC;YACvB,MAAM,GAAG,EAAE,CAAC,UAAU,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,4CAA4C;YACtF,IAAI,UAAU,EAAE,CAAC;gBACf,IAAI,CAAC;oBACH,KAAK,GAAG,YAAY,CAAC,MAAM,QAAQ,CAAC,KAAK,EAAE,CAAC,IAAI,EAAE,EAAE,EAAE,CAAC,KAAK,EAAE,GAAG,CAAC,WAAW,CAAC,CAAC;gBACjF,CAAC;gBAAC,MAAM,CAAC;oBACP,KAAK,GAAG,IAAI,CAAC;gBACf,CAAC;YACH,CAAC;QACH,CAAC;aAAM,CAAC;YACN,6EAA6E;YAC7E,MAAM,EAAE,GAAG,iBAAiB,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;YAC3C,QAAQ,GAAG,EAAE,CAAC,QAAQ,CAAC;YACvB,QAAQ,GAAG,EAAE,CAAC,QAAQ,CAAC;YACvB,IAAI,CAAC,QAAQ;gBAAE,OAAO,CAAC,gDAAgD;YACvE,IAAI,CAAC,cAAc,CAAC,OAAO,CAAC,MAAM,CAAC;gBAAE,OAAO;YAC5C,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,WAAW,EAAE,CAAC;YACtC,IAAI,UAAU,EAAE,CAAC;gBACf,IAAI,CAAC;oBACH,KAAK,GAAG,aAAa,CAAC,MAAM,QAAQ,CAAC,KAAK,EAAE,CAAC,IAAI,EAAE,EAAE,GAAG,CAAC,WAAW,CAAC,CAAC;gBACxE,CAAC;gBAAC,MAAM,CAAC;oBACP,KAAK,GAAG,IAAI,CAAC,CAAC,gEAAgE;gBAChF,CAAC;YACH,CAAC;QACH,CAAC;QAED,MAAM,KAAK,GAAG;YACZ,QAAQ,EAAE,MAAM,YAAY,CAAC,OAAO,EAAE,GAAG,CAAC;YAC1C,MAAM;YACN,QAAQ;YACR,SAAS,EAAE,QAAQ;YACnB,WAAW,EAAE,QAAQ,CAAC,MAAM;YAC5B,cAAc,EAAE,KAAK;SACtB,CAAC;QAEF,gGAAgG;QAChG,2FAA2F;QAC3F,yFAAyF;QACzF,6FAA6F;QAC7F,gGAAgG;QAChG,4DAA4D;QAC5D,MAAM,KAAK,CAAC,GAAG,CAAC,SAAS,EAAE;YACzB,MAAM,EAAE,MAAM;YACd,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE,aAAa,EAAE,UAAU,GAAG,CAAC,SAAS,EAAE,EAAE;YACzF,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC;SAC5B,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE,GAAE,CAAC,CAAC,CAAC;IACrB,CAAC;IAAC,MAAM,CAAC;QACP,6DAA6D;IAC/D,CAAC;AACH,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,QAAQ,CAAI,OAAwB,EAAE,MAAmB;IACvE,OAAO,KAAK,EAAE,OAAgB,EAAE,OAAU,EAAqB,EAAE;QAC/D,MAAM,GAAG,GAAG,aAAa,CAAC,MAAM,CAAC,CAAC;QAElC,gGAAgG;QAChG,gGAAgG;QAChG,8FAA8F;QAC9F,wFAAwF;QACxF,IAAI,OAAO,GAAY,IAAI,CAAC;QAC5B,IAAI,GAAG,IAAI,OAAO,CAAC,MAAM,CAAC,WAAW,EAAE,KAAK,MAAM,EAAE,CAAC;YACnD,IAAI,CAAC;gBACH,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;gBACjC,IAAI,QAAQ,CAAC,IAAI,CAAC,GAAG,CAAC,QAAQ,CAAC;oBAAE,OAAO,GAAG,MAAM,OAAO,CAAC,KAAK,EAAE,CAAC,IAAI,EAAE,CAAC;YAC1E,CAAC;YAAC,MAAM,CAAC;gBACP,OAAO,GAAG,IAAI,CAAC;YACjB,CAAC;QACH,CAAC;QAED,MAAM,QAAQ,GAAG,MAAM,OAAO,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC;QACjD,IAAI,GAAG,EAAE,CAAC;YACR,2FAA2F;YAC3F,2FAA2F;YAC3F,6FAA6F;YAC7F,mFAAmF;YACnF,MAAM,OAAO,CAAC,OAAO,EAAE,QAAQ,EAAE,GAAG,EAAE,OAAO,CAAC,CAAC;QACjD,CAAC;QACD,OAAO,QAAQ,CAAC;IAClB,CAAC,CAAC;AACJ,CAAC"}

package/package.json

@@ -0,0 +1,52 @@
+{
+  "name": "@boldsec/next",
+  "version": "0.1.0",
+  "description": "BoLD live BOLA/IDOR monitoring for Next.js App Router: wrap a route, watch it for cross-user access. Metadata only, fail-safe.",
+  "type": "module",
+  "main": "./dist/index.js",
+  "module": "./dist/index.js",
+  "types": "./dist/index.d.ts",
+  "exports": {
+    ".": {
+      "types": "./dist/index.d.ts",
+      "import": "./dist/index.js"
+    }
+  },
+  "files": ["dist", "README.md"],
+  "publishConfig": {
+    "access": "public"
+  },
+  "homepage": "https://boldsec.io",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/Sahith59/BoLD.git",
+    "directory": "web/sdk/bold-next"
+  },
+  "sideEffects": false,
+  "scripts": {
+    "build": "rm -rf dist && tsc -p tsconfig.build.json",
+    "typecheck": "tsc -p tsconfig.json",
+    "test": "node --test src/index.test.ts",
+    "prepublishOnly": "npm run typecheck && npm test && npm run build"
+  },
+  "keywords": [
+    "bola",
+    "idor",
+    "security",
+    "nextjs",
+    "authorization",
+    "monitoring",
+    "appsec"
+  ],
+  "license": "UNLICENSED",
+  "engines": {
+    "node": ">=18"
+  },
+  "peerDependencies": {
+    "next": ">=13"
+  },
+  "devDependencies": {
+    "@types/node": "^20",
+    "typescript": "^5"
+  }
+}