@chain305/x-security 0.1.1 → 0.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (3) hide show
  1. package/README.md +1 -1
  2. package/bin/xsecurity.mjs +1219 -629
  3. package/package.json +1 -1
package/bin/xsecurity.mjs CHANGED
@@ -13,10 +13,10 @@ var __require = /* @__PURE__ */ ((x) => typeof require !== "undefined" ? require
13
13
  if (typeof require !== "undefined") return require.apply(this, arguments);
14
14
  throw Error('Dynamic require of "' + x + '" is not supported');
15
15
  });
16
- var __glob = (map3) => (path28) => {
17
- var fn = map3[path28];
16
+ var __glob = (map3) => (path30) => {
17
+ var fn = map3[path30];
18
18
  if (fn) return fn();
19
- throw new Error("Module not found in bundle: " + path28);
19
+ throw new Error("Module not found in bundle: " + path30);
20
20
  };
21
21
  var __esm = (fn, res) => function __init() {
22
22
  return fn && (res = (0, fn[__getOwnPropNames(fn)[0]])(fn = 0)), res;
@@ -1098,8 +1098,8 @@ function buildRuleBasedAuthzPlugins(authz, ctx = {}) {
1098
1098
  function luaHostSet(domains) {
1099
1099
  return "{" + domains.map((d5) => `[${luaStr(d5.toLowerCase())}]=true`).join(", ") + "}";
1100
1100
  }
1101
- function buildSsrfPreFunctionPlugins(request7, ctx = {}) {
1102
- const schema = request7?.schema;
1101
+ function buildSsrfPreFunctionPlugins(request9, ctx = {}) {
1102
+ const schema = request9?.schema;
1103
1103
  if (!schema) return [];
1104
1104
  const items = [];
1105
1105
  for (const [field, ps] of Object.entries(schema)) {
@@ -1160,11 +1160,11 @@ function buildSsrfPreFunctionPlugins(request7, ctx = {}) {
1160
1160
  tags: [SS_SSRF_TAG]
1161
1161
  }];
1162
1162
  }
1163
- function buildMassAssignPreFunctionPlugins(request7, ctx = {}) {
1164
- if (!request7) return [];
1165
- const explicitAllow = Array.isArray(request7.allowedFields) ? request7.allowedFields : void 0;
1166
- const schemaKeys = request7.schema ? Object.keys(request7.schema) : [];
1167
- const denyUnknown = request7.denyUnknownFields === true;
1163
+ function buildMassAssignPreFunctionPlugins(request9, ctx = {}) {
1164
+ if (!request9) return [];
1165
+ const explicitAllow = Array.isArray(request9.allowedFields) ? request9.allowedFields : void 0;
1166
+ const schemaKeys = request9.schema ? Object.keys(request9.schema) : [];
1167
+ const denyUnknown = request9.denyUnknownFields === true;
1168
1168
  let allow;
1169
1169
  if (explicitAllow && explicitAllow.length > 0) {
1170
1170
  allow = explicitAllow;
@@ -1208,12 +1208,12 @@ function buildMassAssignPreFunctionPlugins(request7, ctx = {}) {
1208
1208
  tags: [SS_MASS_ASSIGN_TAG]
1209
1209
  }];
1210
1210
  }
1211
- function buildSqliPreFunctionPlugins(request7, ctx = {}) {
1212
- if (!request7) return [];
1213
- const ct = request7.contentType ?? [];
1211
+ function buildSqliPreFunctionPlugins(request9, ctx = {}) {
1212
+ if (!request9) return [];
1213
+ const ct = request9.contentType ?? [];
1214
1214
  const acceptsJson = ct.some((t) => t.toLowerCase().includes("json"));
1215
1215
  if (!acceptsJson) return [];
1216
- if (!request7.schema || Object.keys(request7.schema).length === 0) return [];
1216
+ if (!request9.schema || Object.keys(request9.schema).length === 0) return [];
1217
1217
  const checks = [];
1218
1218
  for (let i5 = 0; i5 < SQLI_LUA_PATTERNS.length; i5++) {
1219
1219
  checks.push(` if vl:match(${luaStr(SQLI_LUA_PATTERNS[i5])}) then return k, ${i5 + 1} end`);
@@ -2844,9 +2844,9 @@ var init_v07_rules = __esm({
2844
2844
  });
2845
2845
 
2846
2846
  // src/generators/coraza/rules.ts
2847
- function endpointHash3(method, path28) {
2847
+ function endpointHash3(method, path30) {
2848
2848
  let h5 = 2166136261 >>> 0;
2849
- const s = `${method} ${path28}`;
2849
+ const s = `${method} ${path30}`;
2850
2850
  for (let i5 = 0; i5 < s.length; i5++) {
2851
2851
  h5 ^= s.charCodeAt(i5);
2852
2852
  h5 = Math.imul(h5, 16777619) >>> 0;
@@ -2880,8 +2880,8 @@ function parseDurationSec(v) {
2880
2880
  const unit = (m3[2] ?? "s").toLowerCase();
2881
2881
  return unit === "d" ? n2 * 86400 : unit === "h" ? n2 * 3600 : unit === "m" ? n2 * 60 : n2;
2882
2882
  }
2883
- function pathRegex(path28) {
2884
- const escaped = path28.replace(/[.+?^${}()|[\]\\]/g, "\\$&");
2883
+ function pathRegex(path30) {
2884
+ const escaped = path30.replace(/[.+?^${}()|[\]\\]/g, "\\$&");
2885
2885
  const withParams = escaped.replace(/\\\{[^/]+?\\\}/g, "[^/]+");
2886
2886
  return `^${withParams}$`;
2887
2887
  }
@@ -3795,16 +3795,16 @@ function durationToHaproxy(window2) {
3795
3795
  if (!Number.isFinite(secs) || secs <= 0) return "1m";
3796
3796
  return window2.trim();
3797
3797
  }
3798
- function slugify(method, path28) {
3799
- const raw = `${method}_${path28}`.toLowerCase();
3798
+ function slugify(method, path30) {
3799
+ const raw = `${method}_${path30}`.toLowerCase();
3800
3800
  return raw.replace(/[{}]/g, "").replace(/[^a-z0-9]+/g, "_").replace(/^_+|_+$/g, "").slice(0, 60);
3801
3801
  }
3802
- function aclPathPredicate(aclName, path28) {
3803
- const firstBrace = path28.indexOf("{");
3802
+ function aclPathPredicate(aclName, path30) {
3803
+ const firstBrace = path30.indexOf("{");
3804
3804
  if (firstBrace === -1) {
3805
- return `acl ${aclName} path ${path28}`;
3805
+ return `acl ${aclName} path ${path30}`;
3806
3806
  }
3807
- const prefix = path28.slice(0, firstBrace);
3807
+ const prefix = path30.slice(0, firstBrace);
3808
3808
  return `acl ${aclName} path_beg ${prefix}`;
3809
3809
  }
3810
3810
  function flattenIdentifier(id) {
@@ -4063,8 +4063,8 @@ var init_haproxy_stick_tables = __esm({
4063
4063
  });
4064
4064
 
4065
4065
  // src/generators/coraza/templates/modsec-nginx-server.ts
4066
- function pathToNginxLocation(path28) {
4067
- const re = path28.replace(/[.+?^${}()|[\]\\]/g, "\\$&").replace(/\\\{([^/]+?)\\\}/g, "(?<$1>[^/]+)");
4066
+ function pathToNginxLocation(path30) {
4067
+ const re = path30.replace(/[.+?^${}()|[\]\\]/g, "\\$&").replace(/\\\{([^/]+?)\\\}/g, "(?<$1>[^/]+)");
4068
4068
  return `^${re}$`;
4069
4069
  }
4070
4070
  function buildEndpointBlock(ep) {
@@ -4388,10 +4388,10 @@ function createCorazaGenerator(opts = {}) {
4388
4388
  if (profile.name !== "coraza-go") meta["engine"] = profile.name;
4389
4389
  meta["source"] = { title: spec.info.title, version: spec.info.version };
4390
4390
  meta["directives"] = directives;
4391
- const yaml17 = dump(meta, { lineWidth: -1, noRefs: true });
4391
+ const yaml18 = dump(meta, { lineWidth: -1, noRefs: true });
4392
4392
  artifacts.push({
4393
4393
  path: "coraza.yml",
4394
- content: yaml17,
4394
+ content: yaml18,
4395
4395
  format: "yaml"
4396
4396
  });
4397
4397
  }
@@ -4893,9 +4893,9 @@ function pathRegex2(p2) {
4893
4893
  }).join("/");
4894
4894
  return `^/${rebuilt}$`;
4895
4895
  }
4896
- function slotIdFor(method, path28) {
4896
+ function slotIdFor(method, path30) {
4897
4897
  let h5 = 0;
4898
- const s = `${method} ${path28}`;
4898
+ const s = `${method} ${path30}`;
4899
4899
  for (let i5 = 0; i5 < s.length; i5++) h5 = (h5 << 5) - h5 + s.charCodeAt(i5) | 0;
4900
4900
  return Math.abs(h5) % 100;
4901
4901
  }
@@ -4938,9 +4938,9 @@ function pathRegex3(p2) {
4938
4938
  }).join("/");
4939
4939
  return `^/${rebuilt}$`;
4940
4940
  }
4941
- function slotIdFor2(method, path28) {
4941
+ function slotIdFor2(method, path30) {
4942
4942
  let h5 = 0;
4943
- const s = `${method} ${path28}`;
4943
+ const s = `${method} ${path30}`;
4944
4944
  for (let i5 = 0; i5 < s.length; i5++) h5 = (h5 << 5) - h5 + s.charCodeAt(i5) | 0;
4945
4945
  return Math.abs(h5) % 50 * 2;
4946
4946
  }
@@ -5007,9 +5007,9 @@ function pathRegex4(p2) {
5007
5007
  }).join("/");
5008
5008
  return `^/${rebuilt}$`;
5009
5009
  }
5010
- function stableHash(method, path28) {
5010
+ function stableHash(method, path30) {
5011
5011
  let h5 = 0;
5012
- const s = `${method} ${path28}`;
5012
+ const s = `${method} ${path30}`;
5013
5013
  for (let i5 = 0; i5 < s.length; i5++) h5 = (h5 << 5) - h5 + s.charCodeAt(i5) | 0;
5014
5014
  return Math.abs(h5);
5015
5015
  }
@@ -7051,19 +7051,19 @@ var init_firewall = __esm({
7051
7051
  function yamlString(s) {
7052
7052
  return '"' + s.replace(/\\/g, "\\\\").replace(/"/g, '\\"') + '"';
7053
7053
  }
7054
- function pathToSafeRegex(path28) {
7054
+ function pathToSafeRegex(path30) {
7055
7055
  const parts = [];
7056
7056
  let i5 = 0;
7057
- while (i5 < path28.length) {
7058
- const open = path28.indexOf("{", i5);
7057
+ while (i5 < path30.length) {
7058
+ const open = path30.indexOf("{", i5);
7059
7059
  if (open === -1) {
7060
- parts.push(escapeRegex(path28.slice(i5)));
7060
+ parts.push(escapeRegex(path30.slice(i5)));
7061
7061
  break;
7062
7062
  }
7063
- if (open > i5) parts.push(escapeRegex(path28.slice(i5, open)));
7064
- const close = path28.indexOf("}", open + 1);
7063
+ if (open > i5) parts.push(escapeRegex(path30.slice(i5, open)));
7064
+ const close = path30.indexOf("}", open + 1);
7065
7065
  if (close === -1) {
7066
- parts.push(escapeRegex(path28.slice(open)));
7066
+ parts.push(escapeRegex(path30.slice(open)));
7067
7067
  break;
7068
7068
  }
7069
7069
  parts.push("[^/]+");
@@ -7148,19 +7148,19 @@ var init_clusters = __esm({
7148
7148
  function regoString(s) {
7149
7149
  return '"' + s.replace(/\\/g, "\\\\").replace(/"/g, '\\"') + '"';
7150
7150
  }
7151
- function pathToRegoRegex(path28) {
7151
+ function pathToRegoRegex(path30) {
7152
7152
  const parts = [];
7153
7153
  let i5 = 0;
7154
- while (i5 < path28.length) {
7155
- const open = path28.indexOf("{", i5);
7154
+ while (i5 < path30.length) {
7155
+ const open = path30.indexOf("{", i5);
7156
7156
  if (open === -1) {
7157
- parts.push(escapeRegex2(path28.slice(i5)));
7157
+ parts.push(escapeRegex2(path30.slice(i5)));
7158
7158
  break;
7159
7159
  }
7160
- if (open > i5) parts.push(escapeRegex2(path28.slice(i5, open)));
7161
- const close = path28.indexOf("}", open + 1);
7160
+ if (open > i5) parts.push(escapeRegex2(path30.slice(i5, open)));
7161
+ const close = path30.indexOf("}", open + 1);
7162
7162
  if (close === -1) {
7163
- parts.push(escapeRegex2(path28.slice(open)));
7163
+ parts.push(escapeRegex2(path30.slice(open)));
7164
7164
  break;
7165
7165
  }
7166
7166
  parts.push("[^/]+");
@@ -7171,8 +7171,8 @@ function pathToRegoRegex(path28) {
7171
7171
  function escapeRegex2(s) {
7172
7172
  return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
7173
7173
  }
7174
- function paramSplitIndex(path28, paramName) {
7175
- const parts = path28.split("/");
7174
+ function paramSplitIndex(path30, paramName) {
7175
+ const parts = path30.split("/");
7176
7176
  for (let i5 = 0; i5 < parts.length; i5++) {
7177
7177
  if (parts[i5] === `{${paramName}}`) return i5;
7178
7178
  }
@@ -7911,11 +7911,11 @@ function emitSinkTypedConfig(lines, indent, r5) {
7911
7911
  lines.push(`${indent} transport_api_version: V3`);
7912
7912
  return;
7913
7913
  }
7914
- const path28 = r5.sink === "file" ? "/var/log/envoy/access.log" : "/dev/stdout";
7914
+ const path30 = r5.sink === "file" ? "/var/log/envoy/access.log" : "/dev/stdout";
7915
7915
  lines.push(`${indent}- name: envoy.access_loggers.file`);
7916
7916
  lines.push(`${indent} typed_config:`);
7917
7917
  lines.push(`${indent} "@type": type.googleapis.com/envoy.extensions.access_loggers.file.v3.FileAccessLog`);
7918
- lines.push(`${indent} path: ${path28}`);
7918
+ lines.push(`${indent} path: ${path30}`);
7919
7919
  lines.push(`${indent} log_format:`);
7920
7920
  lines.push(`${indent} json_format:`);
7921
7921
  for (const [k5, v] of fields) {
@@ -8670,19 +8670,19 @@ function endpointNeedsLua(ep) {
8670
8670
  r5.contentType || r5.maxBodySize || r5.duplicateParamPolicy || r5.headerInjectionGuard || r5.signature
8671
8671
  );
8672
8672
  }
8673
- function envoyPathPattern(path28) {
8673
+ function envoyPathPattern(path30) {
8674
8674
  const parts = [];
8675
8675
  let i5 = 0;
8676
- while (i5 < path28.length) {
8677
- const open = path28.indexOf("{", i5);
8676
+ while (i5 < path30.length) {
8677
+ const open = path30.indexOf("{", i5);
8678
8678
  if (open === -1) {
8679
- parts.push(escapeLuaPattern(path28.slice(i5)));
8679
+ parts.push(escapeLuaPattern(path30.slice(i5)));
8680
8680
  break;
8681
8681
  }
8682
- if (open > i5) parts.push(escapeLuaPattern(path28.slice(i5, open)));
8683
- const close = path28.indexOf("}", open + 1);
8682
+ if (open > i5) parts.push(escapeLuaPattern(path30.slice(i5, open)));
8683
+ const close = path30.indexOf("}", open + 1);
8684
8684
  if (close === -1) {
8685
- parts.push(escapeLuaPattern(path28.slice(open)));
8685
+ parts.push(escapeLuaPattern(path30.slice(open)));
8686
8686
  break;
8687
8687
  }
8688
8688
  parts.push("[^/]+");
@@ -8831,10 +8831,10 @@ function buildMethodAllowlist(endpoints) {
8831
8831
  byPath.set(ep.path, set);
8832
8832
  }
8833
8833
  const out = [];
8834
- for (const [path28, methods] of byPath.entries()) {
8834
+ for (const [path30, methods] of byPath.entries()) {
8835
8835
  out.push({
8836
- path: path28,
8837
- pattern: envoyPathPattern(path28),
8836
+ path: path30,
8837
+ pattern: envoyPathPattern(path30),
8838
8838
  methods: [...methods]
8839
8839
  });
8840
8840
  }
@@ -9123,9 +9123,9 @@ var require_util = __commonJS({
9123
9123
  var parse = (u) => new URL(u);
9124
9124
  exports.swaggerParamRegExp = /\{([^/}]+)}/g;
9125
9125
  var operationsList = ["get", "post", "put", "delete", "patch", "options", "head", "trace"];
9126
- function fixServers(server, path28) {
9126
+ function fixServers(server, path30) {
9127
9127
  if (server.url && server.url.startsWith("/")) {
9128
- const inUrl = parse(path28);
9128
+ const inUrl = parse(path30);
9129
9129
  const finalUrl = inUrl.protocol + "//" + inUrl.hostname + server.url;
9130
9130
  server.url = finalUrl;
9131
9131
  return server;
@@ -9137,8 +9137,8 @@ var require_util = __commonJS({
9137
9137
  schema.servers.map((server) => fixServers(server, filePath));
9138
9138
  }
9139
9139
  ["paths", "webhooks"].forEach((component) => {
9140
- Object.keys(schema[component] || []).forEach((path28) => {
9141
- const pathItem = schema[component][path28];
9140
+ Object.keys(schema[component] || []).forEach((path30) => {
9141
+ const pathItem = schema[component][path30];
9142
9142
  Object.keys(pathItem).forEach((opItem) => {
9143
9143
  if (opItem === "servers") {
9144
9144
  pathItem[opItem].map((server) => fixServers(server, filePath));
@@ -12708,8 +12708,8 @@ var require_utils = __commonJS({
12708
12708
  }
12709
12709
  return ind;
12710
12710
  }
12711
- function removeDotSegments(path28) {
12712
- let input = path28;
12711
+ function removeDotSegments(path30) {
12712
+ let input = path30;
12713
12713
  const output = [];
12714
12714
  let nextSlash = -1;
12715
12715
  let len = 0;
@@ -12961,8 +12961,8 @@ var require_schemes = __commonJS({
12961
12961
  wsComponent.secure = void 0;
12962
12962
  }
12963
12963
  if (wsComponent.resourceName) {
12964
- const [path28, query] = wsComponent.resourceName.split("?");
12965
- wsComponent.path = path28 && path28 !== "/" ? path28 : void 0;
12964
+ const [path30, query] = wsComponent.resourceName.split("?");
12965
+ wsComponent.path = path30 && path30 !== "/" ? path30 : void 0;
12966
12966
  wsComponent.query = query;
12967
12967
  wsComponent.resourceName = void 0;
12968
12968
  }
@@ -21753,10 +21753,10 @@ var require_spec = __commonJS({
21753
21753
  let paths = Object.keys(api.paths || {});
21754
21754
  let operationIds = [];
21755
21755
  for (let pathName of paths) {
21756
- let path28 = api.paths[pathName];
21756
+ let path30 = api.paths[pathName];
21757
21757
  let pathId = "/paths" + pathName;
21758
- if (path28 && pathName.indexOf("/") === 0) {
21759
- validatePath(api, path28, pathId, operationIds);
21758
+ if (path30 && pathName.indexOf("/") === 0) {
21759
+ validatePath(api, path30, pathId, operationIds);
21760
21760
  }
21761
21761
  }
21762
21762
  let definitions = Object.keys(api.definitions || {});
@@ -21766,9 +21766,9 @@ var require_spec = __commonJS({
21766
21766
  validateRequiredPropertiesExist(definition, definitionId);
21767
21767
  }
21768
21768
  }
21769
- function validatePath(api, path28, pathId, operationIds) {
21769
+ function validatePath(api, path30, pathId, operationIds) {
21770
21770
  for (let operationName of swaggerMethods) {
21771
- let operation2 = path28[operationName];
21771
+ let operation2 = path30[operationName];
21772
21772
  let operationId = pathId + "/" + operationName;
21773
21773
  if (operation2) {
21774
21774
  let declaredOperationId = operation2.operationId;
@@ -21779,7 +21779,7 @@ var require_spec = __commonJS({
21779
21779
  throw ono.syntax(`Validation failed. Duplicate operation id '${declaredOperationId}'`);
21780
21780
  }
21781
21781
  }
21782
- validateParameters(api, path28, pathId, operation2, operationId);
21782
+ validateParameters(api, path30, pathId, operation2, operationId);
21783
21783
  let responses = Object.keys(operation2.responses || {});
21784
21784
  for (let responseName of responses) {
21785
21785
  let response = operation2.responses[responseName];
@@ -21789,8 +21789,8 @@ var require_spec = __commonJS({
21789
21789
  }
21790
21790
  }
21791
21791
  }
21792
- function validateParameters(api, path28, pathId, operation2, operationId) {
21793
- let pathParams = path28.parameters || [];
21792
+ function validateParameters(api, path30, pathId, operation2, operationId) {
21793
+ let pathParams = path30.parameters || [];
21794
21794
  let operationParams = operation2.parameters || [];
21795
21795
  try {
21796
21796
  checkForDuplicates(pathParams);
@@ -22085,57 +22085,57 @@ var require_url = __commonJS({
22085
22085
  if (typeof window !== "undefined") {
22086
22086
  return location.href;
22087
22087
  }
22088
- const path28 = process.cwd();
22089
- const lastChar = path28.slice(-1);
22088
+ const path30 = process.cwd();
22089
+ const lastChar = path30.slice(-1);
22090
22090
  if (lastChar === "/" || lastChar === "\\") {
22091
- return path28;
22091
+ return path30;
22092
22092
  } else {
22093
- return path28 + "/";
22093
+ return path30 + "/";
22094
22094
  }
22095
22095
  }
22096
- function getProtocol(path28) {
22097
- const match = protocolPattern.exec(path28 || "");
22096
+ function getProtocol(path30) {
22097
+ const match = protocolPattern.exec(path30 || "");
22098
22098
  if (match) {
22099
22099
  return match[1].toLowerCase();
22100
22100
  }
22101
22101
  return void 0;
22102
22102
  }
22103
- function getExtension(path28) {
22104
- const lastDot = path28.lastIndexOf(".");
22103
+ function getExtension(path30) {
22104
+ const lastDot = path30.lastIndexOf(".");
22105
22105
  if (lastDot >= 0) {
22106
- return stripQuery(path28.substr(lastDot).toLowerCase());
22106
+ return stripQuery(path30.substr(lastDot).toLowerCase());
22107
22107
  }
22108
22108
  return "";
22109
22109
  }
22110
- function stripQuery(path28) {
22111
- const queryIndex = path28.indexOf("?");
22110
+ function stripQuery(path30) {
22111
+ const queryIndex = path30.indexOf("?");
22112
22112
  if (queryIndex >= 0) {
22113
- path28 = path28.substr(0, queryIndex);
22113
+ path30 = path30.substr(0, queryIndex);
22114
22114
  }
22115
- return path28;
22115
+ return path30;
22116
22116
  }
22117
- function getHash(path28) {
22118
- if (!path28) {
22117
+ function getHash(path30) {
22118
+ if (!path30) {
22119
22119
  return "#";
22120
22120
  }
22121
- const hashIndex = path28.indexOf("#");
22121
+ const hashIndex = path30.indexOf("#");
22122
22122
  if (hashIndex >= 0) {
22123
- return path28.substring(hashIndex);
22123
+ return path30.substring(hashIndex);
22124
22124
  }
22125
22125
  return "#";
22126
22126
  }
22127
- function stripHash(path28) {
22128
- if (!path28) {
22127
+ function stripHash(path30) {
22128
+ if (!path30) {
22129
22129
  return "";
22130
22130
  }
22131
- const hashIndex = path28.indexOf("#");
22131
+ const hashIndex = path30.indexOf("#");
22132
22132
  if (hashIndex >= 0) {
22133
- path28 = path28.substring(0, hashIndex);
22133
+ path30 = path30.substring(0, hashIndex);
22134
22134
  }
22135
- return path28;
22135
+ return path30;
22136
22136
  }
22137
- function isHttp(path28) {
22138
- const protocol = getProtocol(path28);
22137
+ function isHttp(path30) {
22138
+ const protocol = getProtocol(path30);
22139
22139
  if (protocol === "http" || protocol === "https") {
22140
22140
  return true;
22141
22141
  } else if (protocol === void 0) {
@@ -22144,58 +22144,58 @@ var require_url = __commonJS({
22144
22144
  return false;
22145
22145
  }
22146
22146
  }
22147
- function isFileSystemPath(path28) {
22147
+ function isFileSystemPath(path30) {
22148
22148
  if (typeof window !== "undefined" || typeof process !== "undefined" && process.browser) {
22149
22149
  return false;
22150
22150
  }
22151
- const protocol = getProtocol(path28);
22151
+ const protocol = getProtocol(path30);
22152
22152
  return protocol === void 0 || protocol === "file";
22153
22153
  }
22154
- function fromFileSystemPath(path28) {
22154
+ function fromFileSystemPath(path30) {
22155
22155
  if ((0, is_windows_1.isWindows)()) {
22156
22156
  const projectDir = cwd();
22157
- const upperPath = path28.toUpperCase();
22157
+ const upperPath = path30.toUpperCase();
22158
22158
  const projectDirPosixPath = (0, convert_path_to_posix_1.default)(projectDir);
22159
22159
  const posixUpper = projectDirPosixPath.toUpperCase();
22160
22160
  const hasProjectDir = upperPath.includes(posixUpper);
22161
22161
  const hasProjectUri = upperPath.includes(posixUpper);
22162
- const isAbsolutePath = path_1.win32?.isAbsolute(path28) || path28.startsWith("http://") || path28.startsWith("https://") || path28.startsWith("file://");
22162
+ const isAbsolutePath = path_1.win32?.isAbsolute(path30) || path30.startsWith("http://") || path30.startsWith("https://") || path30.startsWith("file://");
22163
22163
  if (!(hasProjectDir || hasProjectUri || isAbsolutePath) && !projectDir.startsWith("http")) {
22164
- path28 = (0, path_2.join)(projectDir, path28);
22164
+ path30 = (0, path_2.join)(projectDir, path30);
22165
22165
  }
22166
- path28 = (0, convert_path_to_posix_1.default)(path28);
22166
+ path30 = (0, convert_path_to_posix_1.default)(path30);
22167
22167
  }
22168
- path28 = encodeURI(path28);
22168
+ path30 = encodeURI(path30);
22169
22169
  for (const pattern of urlEncodePatterns) {
22170
- path28 = path28.replace(pattern[0], pattern[1]);
22170
+ path30 = path30.replace(pattern[0], pattern[1]);
22171
22171
  }
22172
- return path28;
22172
+ return path30;
22173
22173
  }
22174
- function toFileSystemPath(path28, keepFileProtocol) {
22175
- path28 = decodeURI(path28);
22174
+ function toFileSystemPath(path30, keepFileProtocol) {
22175
+ path30 = decodeURI(path30);
22176
22176
  for (let i5 = 0; i5 < urlDecodePatterns.length; i5 += 2) {
22177
- path28 = path28.replace(urlDecodePatterns[i5], urlDecodePatterns[i5 + 1]);
22177
+ path30 = path30.replace(urlDecodePatterns[i5], urlDecodePatterns[i5 + 1]);
22178
22178
  }
22179
- let isFileUrl = path28.substr(0, 7).toLowerCase() === "file://";
22179
+ let isFileUrl = path30.substr(0, 7).toLowerCase() === "file://";
22180
22180
  if (isFileUrl) {
22181
- path28 = path28[7] === "/" ? path28.substr(8) : path28.substr(7);
22182
- if ((0, is_windows_1.isWindows)() && path28[1] === "/") {
22183
- path28 = path28[0] + ":" + path28.substr(1);
22181
+ path30 = path30[7] === "/" ? path30.substr(8) : path30.substr(7);
22182
+ if ((0, is_windows_1.isWindows)() && path30[1] === "/") {
22183
+ path30 = path30[0] + ":" + path30.substr(1);
22184
22184
  }
22185
22185
  if (keepFileProtocol) {
22186
- path28 = "file:///" + path28;
22186
+ path30 = "file:///" + path30;
22187
22187
  } else {
22188
22188
  isFileUrl = false;
22189
- path28 = (0, is_windows_1.isWindows)() ? path28 : "/" + path28;
22189
+ path30 = (0, is_windows_1.isWindows)() ? path30 : "/" + path30;
22190
22190
  }
22191
22191
  }
22192
22192
  if ((0, is_windows_1.isWindows)() && !isFileUrl) {
22193
- path28 = path28.replace(forwardSlashPattern, "\\");
22194
- if (path28.substr(1, 2) === ":\\") {
22195
- path28 = path28[0].toUpperCase() + path28.substr(1);
22193
+ path30 = path30.replace(forwardSlashPattern, "\\");
22194
+ if (path30.substr(1, 2) === ":\\") {
22195
+ path30 = path30[0].toUpperCase() + path30.substr(1);
22196
22196
  }
22197
22197
  }
22198
- return path28;
22198
+ return path30;
22199
22199
  }
22200
22200
  function safePointerToPath(pointer) {
22201
22201
  if (pointer.length <= 1 || pointer[0] !== "#" || pointer[1] !== "/") {
@@ -22300,8 +22300,8 @@ var require_errors2 = __commonJS({
22300
22300
  };
22301
22301
  exports.UnmatchedResolverError = UnmatchedResolverError;
22302
22302
  var MissingPointerError = class extends JSONParserError {
22303
- constructor(token, path28) {
22304
- super(`Token "${token}" does not exist.`, (0, url_js_1.stripHash)(path28));
22303
+ constructor(token, path30) {
22304
+ super(`Token "${token}" does not exist.`, (0, url_js_1.stripHash)(path30));
22305
22305
  this.code = "EUNMATCHEDRESOLVER";
22306
22306
  this.name = "MissingPointerError";
22307
22307
  }
@@ -22316,8 +22316,8 @@ var require_errors2 = __commonJS({
22316
22316
  };
22317
22317
  exports.TimeoutError = TimeoutError;
22318
22318
  var InvalidPointerError = class extends JSONParserError {
22319
- constructor(pointer, path28) {
22320
- super(`Invalid $ref pointer "${pointer}". Pointers must begin with "#/"`, (0, url_js_1.stripHash)(path28));
22319
+ constructor(pointer, path30) {
22320
+ super(`Invalid $ref pointer "${pointer}". Pointers must begin with "#/"`, (0, url_js_1.stripHash)(path30));
22321
22321
  this.code = "EUNMATCHEDRESOLVER";
22322
22322
  this.name = "InvalidPointerError";
22323
22323
  }
@@ -22385,10 +22385,10 @@ var require_pointer = __commonJS({
22385
22385
  }
22386
22386
  };
22387
22387
  var Pointer = class _Pointer {
22388
- constructor($ref, path28, friendlyPath) {
22388
+ constructor($ref, path30, friendlyPath) {
22389
22389
  this.$ref = $ref;
22390
- this.path = path28;
22391
- this.originalPath = friendlyPath || path28;
22390
+ this.path = path30;
22391
+ this.originalPath = friendlyPath || path30;
22392
22392
  this.value = void 0;
22393
22393
  this.circular = false;
22394
22394
  this.indirections = 0;
@@ -22486,8 +22486,8 @@ var require_pointer = __commonJS({
22486
22486
  * @param [originalPath]
22487
22487
  * @returns
22488
22488
  */
22489
- static parse(path28, originalPath) {
22490
- const pointer = url.getHash(path28).substring(1);
22489
+ static parse(path30, originalPath) {
22490
+ const pointer = url.getHash(path30).substring(1);
22491
22491
  if (!pointer) {
22492
22492
  return [];
22493
22493
  }
@@ -22496,7 +22496,7 @@ var require_pointer = __commonJS({
22496
22496
  split2[i5] = safeDecodeURIComponent(split2[i5].replace(escapedSlash, "/").replace(escapedTilde, "~"));
22497
22497
  }
22498
22498
  if (split2[0] !== "") {
22499
- throw new errors_js_1.InvalidPointerError(split2, originalPath === void 0 ? path28 : originalPath);
22499
+ throw new errors_js_1.InvalidPointerError(split2, originalPath === void 0 ? path30 : originalPath);
22500
22500
  }
22501
22501
  return split2.slice(1);
22502
22502
  }
@@ -22609,9 +22609,9 @@ var require_ref2 = __commonJS({
22609
22609
  * @param options
22610
22610
  * @returns
22611
22611
  */
22612
- exists(path28, options) {
22612
+ exists(path30, options) {
22613
22613
  try {
22614
- this.resolve(path28, options);
22614
+ this.resolve(path30, options);
22615
22615
  return true;
22616
22616
  } catch {
22617
22617
  return false;
@@ -22624,8 +22624,8 @@ var require_ref2 = __commonJS({
22624
22624
  * @param options
22625
22625
  * @returns - Returns the resolved value
22626
22626
  */
22627
- get(path28, options) {
22628
- return this.resolve(path28, options)?.value;
22627
+ get(path30, options) {
22628
+ return this.resolve(path30, options)?.value;
22629
22629
  }
22630
22630
  /**
22631
22631
  * Resolves the given JSON reference within this {@link $Ref#value}.
@@ -22636,8 +22636,8 @@ var require_ref2 = __commonJS({
22636
22636
  * @param pathFromRoot - The path of `obj` from the schema root
22637
22637
  * @returns
22638
22638
  */
22639
- resolve(path28, options, friendlyPath, pathFromRoot) {
22640
- const pointer = new pointer_js_1.default(this, path28, friendlyPath);
22639
+ resolve(path30, options, friendlyPath, pathFromRoot) {
22640
+ const pointer = new pointer_js_1.default(this, path30, friendlyPath);
22641
22641
  try {
22642
22642
  return pointer.resolve(this.value, options, pathFromRoot);
22643
22643
  } catch (err2) {
@@ -22661,8 +22661,8 @@ var require_ref2 = __commonJS({
22661
22661
  * @param path - The full path of the property to set, optionally with a JSON pointer in the hash
22662
22662
  * @param value - The value to assign
22663
22663
  */
22664
- set(path28, value) {
22665
- const pointer = new pointer_js_1.default(this, path28);
22664
+ set(path30, value) {
22665
+ const pointer = new pointer_js_1.default(this, path30);
22666
22666
  this.value = pointer.set(this.value, value);
22667
22667
  }
22668
22668
  /**
@@ -22841,8 +22841,8 @@ var require_refs = __commonJS({
22841
22841
  */
22842
22842
  paths(...types) {
22843
22843
  const paths = getPaths(this._$refs, types.flat());
22844
- return paths.map((path28) => {
22845
- return (0, convert_path_to_posix_1.default)(path28.decoded);
22844
+ return paths.map((path30) => {
22845
+ return (0, convert_path_to_posix_1.default)(path30.decoded);
22846
22846
  });
22847
22847
  }
22848
22848
  /**
@@ -22855,8 +22855,8 @@ var require_refs = __commonJS({
22855
22855
  values(...types) {
22856
22856
  const $refs = this._$refs;
22857
22857
  const paths = getPaths($refs, types.flat());
22858
- return paths.reduce((obj, path28) => {
22859
- obj[(0, convert_path_to_posix_1.default)(path28.decoded)] = $refs[path28.encoded].value;
22858
+ return paths.reduce((obj, path30) => {
22859
+ obj[(0, convert_path_to_posix_1.default)(path30.decoded)] = $refs[path30.encoded].value;
22860
22860
  return obj;
22861
22861
  }, {});
22862
22862
  }
@@ -22874,9 +22874,9 @@ var require_refs = __commonJS({
22874
22874
  * @param [options]
22875
22875
  * @returns
22876
22876
  */
22877
- exists(path28, options) {
22877
+ exists(path30, options) {
22878
22878
  try {
22879
- this._resolve(path28, "", options);
22879
+ this._resolve(path30, "", options);
22880
22880
  return true;
22881
22881
  } catch {
22882
22882
  return false;
@@ -22889,8 +22889,8 @@ var require_refs = __commonJS({
22889
22889
  * @param [options]
22890
22890
  * @returns - Returns the resolved value
22891
22891
  */
22892
- get(path28, options) {
22893
- return this._resolve(path28, "", options).value;
22892
+ get(path30, options) {
22893
+ return this._resolve(path30, "", options).value;
22894
22894
  }
22895
22895
  /**
22896
22896
  * Sets the value at the given path in the schema. If the property, or any of its parents, don't exist, they will be created.
@@ -22898,12 +22898,12 @@ var require_refs = __commonJS({
22898
22898
  * @param path The JSON Reference path, optionally with a JSON Pointer in the hash
22899
22899
  * @param value The value to assign. Can be anything (object, string, number, etc.)
22900
22900
  */
22901
- set(path28, value) {
22902
- const absPath = url.resolve(this._root$Ref.path, path28);
22901
+ set(path30, value) {
22902
+ const absPath = url.resolve(this._root$Ref.path, path30);
22903
22903
  const withoutHash = url.stripHash(absPath);
22904
22904
  const $ref = this._$refs[withoutHash];
22905
22905
  if (!$ref) {
22906
- throw (0, ono_1.ono)(`Error resolving $ref pointer "${path28}".
22906
+ throw (0, ono_1.ono)(`Error resolving $ref pointer "${path30}".
22907
22907
  "${withoutHash}" not found.`);
22908
22908
  }
22909
22909
  $ref.set(absPath, value);
@@ -22915,9 +22915,9 @@ var require_refs = __commonJS({
22915
22915
  * @returns
22916
22916
  * @protected
22917
22917
  */
22918
- _get$Ref(path28) {
22919
- path28 = url.resolve(this._root$Ref.path, path28);
22920
- const withoutHash = url.stripHash(path28);
22918
+ _get$Ref(path30) {
22919
+ path30 = url.resolve(this._root$Ref.path, path30);
22920
+ const withoutHash = url.stripHash(path30);
22921
22921
  return this._$refs[withoutHash];
22922
22922
  }
22923
22923
  /**
@@ -22925,8 +22925,8 @@ var require_refs = __commonJS({
22925
22925
  *
22926
22926
  * @param path - The file path or URL of the referenced file
22927
22927
  */
22928
- _add(path28) {
22929
- const withoutHash = url.stripHash(path28);
22928
+ _add(path30) {
22929
+ const withoutHash = url.stripHash(path30);
22930
22930
  const $ref = new ref_js_1.default(this);
22931
22931
  $ref.path = withoutHash;
22932
22932
  this._$refs[withoutHash] = $ref;
@@ -22942,15 +22942,15 @@ var require_refs = __commonJS({
22942
22942
  * @returns
22943
22943
  * @protected
22944
22944
  */
22945
- _resolve(path28, pathFromRoot, options) {
22946
- const absPath = url.resolve(this._root$Ref.path, path28);
22945
+ _resolve(path30, pathFromRoot, options) {
22946
+ const absPath = url.resolve(this._root$Ref.path, path30);
22947
22947
  const withoutHash = url.stripHash(absPath);
22948
22948
  const $ref = this._$refs[withoutHash];
22949
22949
  if (!$ref) {
22950
- throw (0, ono_1.ono)(`Error resolving $ref pointer "${path28}".
22950
+ throw (0, ono_1.ono)(`Error resolving $ref pointer "${path30}".
22951
22951
  "${withoutHash}" not found.`);
22952
22952
  }
22953
- return $ref.resolve(absPath, options, path28, pathFromRoot);
22953
+ return $ref.resolve(absPath, options, path30, pathFromRoot);
22954
22954
  }
22955
22955
  constructor() {
22956
22956
  this._$refs = {};
@@ -22969,10 +22969,10 @@ var require_refs = __commonJS({
22969
22969
  return types.includes($refs[key].pathType);
22970
22970
  });
22971
22971
  }
22972
- return paths.map((path28) => {
22972
+ return paths.map((path30) => {
22973
22973
  return {
22974
- encoded: path28,
22975
- decoded: $refs[path28].pathType === "file" ? url.toFileSystemPath(path28, true) : path28
22974
+ encoded: path30,
22975
+ decoded: $refs[path30].pathType === "file" ? url.toFileSystemPath(path30, true) : path30
22976
22976
  };
22977
22977
  });
22978
22978
  }
@@ -23110,18 +23110,18 @@ var require_parse = __commonJS({
23110
23110
  var url = __importStar2(require_url());
23111
23111
  var plugins = __importStar2(require_plugins());
23112
23112
  var errors_js_1 = require_errors2();
23113
- async function parse(path28, $refs, options) {
23114
- const hashIndex = path28.indexOf("#");
23113
+ async function parse(path30, $refs, options) {
23114
+ const hashIndex = path30.indexOf("#");
23115
23115
  let hash = "";
23116
23116
  if (hashIndex >= 0) {
23117
- hash = path28.substring(hashIndex);
23118
- path28 = path28.substring(0, hashIndex);
23117
+ hash = path30.substring(hashIndex);
23118
+ path30 = path30.substring(0, hashIndex);
23119
23119
  }
23120
- const $ref = $refs._add(path28);
23120
+ const $ref = $refs._add(path30);
23121
23121
  const file = {
23122
- url: path28,
23122
+ url: path30,
23123
23123
  hash,
23124
- extension: url.getExtension(path28)
23124
+ extension: url.getExtension(path30)
23125
23125
  };
23126
23126
  try {
23127
23127
  const resolver = await readFile17(file, options, $refs);
@@ -23446,16 +23446,16 @@ var require_file = __commonJS({
23446
23446
  * Reads the given file and returns its raw contents as a Buffer.
23447
23447
  */
23448
23448
  async read(file) {
23449
- let path28;
23449
+ let path30;
23450
23450
  try {
23451
- path28 = url.toFileSystemPath(file.url);
23451
+ path30 = url.toFileSystemPath(file.url);
23452
23452
  } catch (err2) {
23453
23453
  throw new errors_js_1.ResolverError(ono_1.ono.uri(err2, `Malformed URI: ${file.url}`), file.url);
23454
23454
  }
23455
23455
  try {
23456
- return await fs_1.default.promises.readFile(path28);
23456
+ return await fs_1.default.promises.readFile(path30);
23457
23457
  } catch (err2) {
23458
- throw new errors_js_1.ResolverError((0, ono_1.ono)(err2, `Error opening file "${path28}"`), path28);
23458
+ throw new errors_js_1.ResolverError((0, ono_1.ono)(err2, `Error opening file "${path30}"`), path30);
23459
23459
  }
23460
23460
  }
23461
23461
  };
@@ -23715,7 +23715,7 @@ var require_normalize_args = __commonJS({
23715
23715
  exports.normalizeArgs = normalizeArgs;
23716
23716
  var options_js_1 = require_options();
23717
23717
  function normalizeArgs(_args) {
23718
- let path28;
23718
+ let path30;
23719
23719
  let schema;
23720
23720
  let options;
23721
23721
  let callback;
@@ -23724,7 +23724,7 @@ var require_normalize_args = __commonJS({
23724
23724
  callback = args.pop();
23725
23725
  }
23726
23726
  if (typeof args[0] === "string") {
23727
- path28 = args[0];
23727
+ path30 = args[0];
23728
23728
  if (typeof args[2] === "object") {
23729
23729
  schema = args[1];
23730
23730
  options = args[2];
@@ -23733,7 +23733,7 @@ var require_normalize_args = __commonJS({
23733
23733
  options = args[1];
23734
23734
  }
23735
23735
  } else {
23736
- path28 = "";
23736
+ path30 = "";
23737
23737
  schema = args[0];
23738
23738
  options = args[1];
23739
23739
  }
@@ -23746,7 +23746,7 @@ var require_normalize_args = __commonJS({
23746
23746
  schema = JSON.parse(JSON.stringify(schema));
23747
23747
  }
23748
23748
  return {
23749
- path: path28,
23749
+ path: path30,
23750
23750
  schema,
23751
23751
  options,
23752
23752
  callback
@@ -23807,26 +23807,26 @@ var require_resolve_external = __commonJS({
23807
23807
  return Promise.reject(e5);
23808
23808
  }
23809
23809
  }
23810
- function crawl(obj, path28, $refs, options, seen, external) {
23810
+ function crawl(obj, path30, $refs, options, seen, external) {
23811
23811
  seen || (seen = /* @__PURE__ */ new Set());
23812
23812
  let promises = [];
23813
23813
  if (obj && typeof obj === "object" && !ArrayBuffer.isView(obj) && !seen.has(obj)) {
23814
23814
  seen.add(obj);
23815
23815
  if (ref_js_1.default.isExternal$Ref(obj)) {
23816
- promises.push(resolve$Ref(obj, path28, $refs, options));
23816
+ promises.push(resolve$Ref(obj, path30, $refs, options));
23817
23817
  }
23818
23818
  const keys = Object.keys(obj);
23819
23819
  for (const key of keys) {
23820
- const keyPath = pointer_js_1.default.join(path28, key);
23820
+ const keyPath = pointer_js_1.default.join(path30, key);
23821
23821
  const value = obj[key];
23822
23822
  promises = promises.concat(crawl(value, keyPath, $refs, options, seen, external));
23823
23823
  }
23824
23824
  }
23825
23825
  return promises;
23826
23826
  }
23827
- async function resolve$Ref($ref, path28, $refs, options) {
23827
+ async function resolve$Ref($ref, path30, $refs, options) {
23828
23828
  const shouldResolveOnCwd = options.dereference?.externalReferenceResolution === "root";
23829
- const resolvedPath2 = url.resolve(shouldResolveOnCwd ? url.cwd() : path28, $ref.$ref);
23829
+ const resolvedPath2 = url.resolve(shouldResolveOnCwd ? url.cwd() : path30, $ref.$ref);
23830
23830
  const withoutHash = url.stripHash(resolvedPath2);
23831
23831
  const ref = $refs._$refs[withoutHash];
23832
23832
  if (ref) {
@@ -23841,8 +23841,8 @@ var require_resolve_external = __commonJS({
23841
23841
  throw err2;
23842
23842
  }
23843
23843
  if ($refs._$refs[withoutHash]) {
23844
- err2.source = decodeURI(url.stripHash(path28));
23845
- err2.path = url.safePointerToPath(url.getHash(path28));
23844
+ err2.source = decodeURI(url.stripHash(path30));
23845
+ err2.path = url.safePointerToPath(url.getHash(path30));
23846
23846
  }
23847
23847
  return [];
23848
23848
  }
@@ -23894,11 +23894,11 @@ var require_bundle = __commonJS({
23894
23894
  crawl(parser, "schema", parser.$refs._root$Ref.path + "#", "#", 0, inventory, parser.$refs, options);
23895
23895
  remap(inventory);
23896
23896
  }
23897
- function crawl(parent, key, path28, pathFromRoot, indirections, inventory, $refs, options) {
23897
+ function crawl(parent, key, path30, pathFromRoot, indirections, inventory, $refs, options) {
23898
23898
  const obj = key === null ? parent : parent[key];
23899
23899
  if (obj && typeof obj === "object" && !ArrayBuffer.isView(obj)) {
23900
23900
  if (ref_js_1.default.isAllowed$Ref(obj)) {
23901
- inventory$Ref(parent, key, path28, pathFromRoot, indirections, inventory, $refs, options);
23901
+ inventory$Ref(parent, key, path30, pathFromRoot, indirections, inventory, $refs, options);
23902
23902
  } else {
23903
23903
  const keys = Object.keys(obj).sort((a5, b5) => {
23904
23904
  if (a5 === "definitions") {
@@ -23910,11 +23910,11 @@ var require_bundle = __commonJS({
23910
23910
  }
23911
23911
  });
23912
23912
  for (const key2 of keys) {
23913
- const keyPath = pointer_js_1.default.join(path28, key2);
23913
+ const keyPath = pointer_js_1.default.join(path30, key2);
23914
23914
  const keyPathFromRoot = pointer_js_1.default.join(pathFromRoot, key2);
23915
23915
  const value = obj[key2];
23916
23916
  if (ref_js_1.default.isAllowed$Ref(value)) {
23917
- inventory$Ref(obj, key2, path28, keyPathFromRoot, indirections, inventory, $refs, options);
23917
+ inventory$Ref(obj, key2, path30, keyPathFromRoot, indirections, inventory, $refs, options);
23918
23918
  } else {
23919
23919
  crawl(obj, key2, keyPath, keyPathFromRoot, indirections, inventory, $refs, options);
23920
23920
  }
@@ -23922,9 +23922,9 @@ var require_bundle = __commonJS({
23922
23922
  }
23923
23923
  }
23924
23924
  }
23925
- function inventory$Ref($refParent, $refKey, path28, pathFromRoot, indirections, inventory, $refs, options) {
23925
+ function inventory$Ref($refParent, $refKey, path30, pathFromRoot, indirections, inventory, $refs, options) {
23926
23926
  const $ref = $refKey === null ? $refParent : $refParent[$refKey];
23927
- const $refPath = url.resolve(path28, $ref.$ref);
23927
+ const $refPath = url.resolve(path30, $ref.$ref);
23928
23928
  const pointer = $refs._resolve($refPath, pathFromRoot, options);
23929
23929
  if (pointer === null) {
23930
23930
  return;
@@ -24080,7 +24080,7 @@ var require_dereference = __commonJS({
24080
24080
  parser.$refs.circular = dereferenced.circular;
24081
24081
  parser.schema = dereferenced.value;
24082
24082
  }
24083
- function crawl(obj, path28, pathFromRoot, parents, processedObjects, dereferencedCache, $refs, options, startTime) {
24083
+ function crawl(obj, path30, pathFromRoot, parents, processedObjects, dereferencedCache, $refs, options, startTime) {
24084
24084
  let dereferenced;
24085
24085
  const result2 = {
24086
24086
  value: obj,
@@ -24098,12 +24098,12 @@ var require_dereference = __commonJS({
24098
24098
  parents.add(obj);
24099
24099
  processedObjects.add(obj);
24100
24100
  if (ref_js_1.default.isAllowed$Ref(obj, options)) {
24101
- dereferenced = dereference$Ref(obj, path28, pathFromRoot, parents, processedObjects, dereferencedCache, $refs, options, startTime);
24101
+ dereferenced = dereference$Ref(obj, path30, pathFromRoot, parents, processedObjects, dereferencedCache, $refs, options, startTime);
24102
24102
  result2.circular = dereferenced.circular;
24103
24103
  result2.value = dereferenced.value;
24104
24104
  } else {
24105
24105
  for (const key of Object.keys(obj)) {
24106
- const keyPath = pointer_js_1.default.join(path28, key);
24106
+ const keyPath = pointer_js_1.default.join(path30, key);
24107
24107
  const keyPathFromRoot = pointer_js_1.default.join(pathFromRoot, key);
24108
24108
  if (isExcludedPath(keyPathFromRoot)) {
24109
24109
  continue;
@@ -24136,10 +24136,10 @@ var require_dereference = __commonJS({
24136
24136
  }
24137
24137
  return result2;
24138
24138
  }
24139
- function dereference$Ref($ref, path28, pathFromRoot, parents, processedObjects, dereferencedCache, $refs, options, startTime) {
24139
+ function dereference$Ref($ref, path30, pathFromRoot, parents, processedObjects, dereferencedCache, $refs, options, startTime) {
24140
24140
  const isExternalRef = ref_js_1.default.isExternal$Ref($ref);
24141
24141
  const shouldResolveOnCwd = isExternalRef && options?.dereference?.externalReferenceResolution === "root";
24142
- const $refPath = url.resolve(shouldResolveOnCwd ? url.cwd() : path28, $ref.$ref);
24142
+ const $refPath = url.resolve(shouldResolveOnCwd ? url.cwd() : path30, $ref.$ref);
24143
24143
  const cache6 = dereferencedCache.get($refPath);
24144
24144
  if (cache6 && !cache6.circular) {
24145
24145
  const refKeys = Object.keys($ref);
@@ -24157,7 +24157,7 @@ var require_dereference = __commonJS({
24157
24157
  }
24158
24158
  return cache6;
24159
24159
  }
24160
- const pointer = $refs._resolve($refPath, path28, options);
24160
+ const pointer = $refs._resolve($refPath, path30, options);
24161
24161
  if (pointer === null) {
24162
24162
  return {
24163
24163
  circular: false,
@@ -24167,7 +24167,7 @@ var require_dereference = __commonJS({
24167
24167
  const directCircular = pointer.circular;
24168
24168
  let circular = directCircular || parents.has(pointer.value);
24169
24169
  if (circular) {
24170
- foundCircularReference(path28, $refs, options);
24170
+ foundCircularReference(path30, $refs, options);
24171
24171
  }
24172
24172
  let dereferencedValue = ref_js_1.default.dereference($ref, pointer.value);
24173
24173
  if (!circular) {
@@ -24564,7 +24564,7 @@ var require_lib4 = __commonJS({
24564
24564
  * @param {Function} [callback] - An error-first callback. The second parameter is the parsed API object.
24565
24565
  * @returns {Promise} - The returned promise resolves with the parsed API object.
24566
24566
  */
24567
- async parse(path28, api, options, callback) {
24567
+ async parse(path30, api, options, callback) {
24568
24568
  let args = normalizeArgs(arguments);
24569
24569
  args.options = new Options(args.options);
24570
24570
  try {
@@ -24616,7 +24616,7 @@ var require_lib4 = __commonJS({
24616
24616
  * @param {Function} [callback] - An error-first callback. The second parameter is the parsed API object.
24617
24617
  * @returns {Promise} - The returned promise resolves with the parsed API object.
24618
24618
  */
24619
- async validate(path28, api, options, callback) {
24619
+ async validate(path30, api, options, callback) {
24620
24620
  let me = this;
24621
24621
  let args = normalizeArgs(arguments);
24622
24622
  args.options = new Options(args.options);
@@ -25231,12 +25231,12 @@ var require_dist2 = __commonJS({
25231
25231
  throw new Error(`Unknown format "${name}"`);
25232
25232
  return f5;
25233
25233
  };
25234
- function addFormats2(ajv, list2, fs22, exportName) {
25234
+ function addFormats2(ajv, list2, fs23, exportName) {
25235
25235
  var _a2;
25236
25236
  var _b;
25237
25237
  (_a2 = (_b = ajv.opts.code).formats) !== null && _a2 !== void 0 ? _a2 : _b.formats = (0, codegen_1._)`require("ajv-formats/dist/formats").${exportName}`;
25238
25238
  for (const f5 of list2)
25239
- ajv.addFormat(f5, fs22[f5]);
25239
+ ajv.addFormat(f5, fs23[f5]);
25240
25240
  }
25241
25241
  module.exports = exports = formatsPlugin;
25242
25242
  Object.defineProperty(exports, "__esModule", { value: true });
@@ -26757,8 +26757,8 @@ var init_parseUtil = __esm({
26757
26757
  init_errors();
26758
26758
  init_en();
26759
26759
  makeIssue = (params) => {
26760
- const { data: data2, path: path28, errorMaps, issueData } = params;
26761
- const fullPath = [...path28, ...issueData.path || []];
26760
+ const { data: data2, path: path30, errorMaps, issueData } = params;
26761
+ const fullPath = [...path30, ...issueData.path || []];
26762
26762
  const fullIssue = {
26763
26763
  ...issueData,
26764
26764
  path: fullPath
@@ -27066,11 +27066,11 @@ var init_types = __esm({
27066
27066
  init_parseUtil();
27067
27067
  init_util();
27068
27068
  ParseInputLazyPath = class {
27069
- constructor(parent, value, path28, key) {
27069
+ constructor(parent, value, path30, key) {
27070
27070
  this._cachedPath = [];
27071
27071
  this.parent = parent;
27072
27072
  this.data = value;
27073
- this._path = path28;
27073
+ this._path = path30;
27074
27074
  this._key = key;
27075
27075
  }
27076
27076
  get path() {
@@ -30987,10 +30987,10 @@ function detectDialect(version) {
30987
30987
  return "3.0";
30988
30988
  throw new UnsupportedDialectError(version);
30989
30989
  }
30990
- function deriveOperationId(method, path28, explicit) {
30990
+ function deriveOperationId(method, path30, explicit) {
30991
30991
  if (explicit)
30992
30992
  return explicit;
30993
- return `${method.toLowerCase()}_${path28.replace(/[^A-Za-z0-9]+/g, "_").replace(/^_|_$/g, "")}`;
30993
+ return `${method.toLowerCase()}_${path30.replace(/[^A-Za-z0-9]+/g, "_").replace(/^_|_$/g, "")}`;
30994
30994
  }
30995
30995
  function collectParameters(op2, pathItem) {
30996
30996
  const all = [...pathItem.parameters ?? [], ...op2.parameters ?? []];
@@ -31023,7 +31023,7 @@ async function loadSpec(specPath, opts = {}) {
31023
31023
  const endpoints = [];
31024
31024
  const unprotected = [];
31025
31025
  const unresolvedAgg = /* @__PURE__ */ new Map();
31026
- for (const [path28, pathItem] of Object.entries(doc.paths ?? {})) {
31026
+ for (const [path30, pathItem] of Object.entries(doc.paths ?? {})) {
31027
31027
  if (!pathItem)
31028
31028
  continue;
31029
31029
  for (const method of METHODS) {
@@ -31032,13 +31032,13 @@ async function loadSpec(specPath, opts = {}) {
31032
31032
  continue;
31033
31033
  const rawXSecurity = op2["x-security"];
31034
31034
  if (!rawXSecurity) {
31035
- unprotected.push({ method: method.toUpperCase(), path: path28 });
31035
+ unprotected.push({ method: method.toUpperCase(), path: path30 });
31036
31036
  continue;
31037
31037
  }
31038
31038
  if (validate) {
31039
31039
  const result2 = validateXSecurity(rawXSecurity, dialect === "3.1" ? "2020-12" : "draft-04");
31040
31040
  if (!result2.valid) {
31041
- throw new SchemaValidationError(`Invalid x-security at ${method.toUpperCase()} ${path28}: ${result2.errors.map((e5) => `${e5.instancePath} ${e5.message}`).join("; ")}`, result2.errors);
31041
+ throw new SchemaValidationError(`Invalid x-security at ${method.toUpperCase()} ${path30}: ${result2.errors.map((e5) => `${e5.instancePath} ${e5.message}`).join("; ")}`, result2.errors);
31042
31042
  }
31043
31043
  }
31044
31044
  const { value: policy, resolved, unresolved } = await resolveVariables(rawXSecurity, {
@@ -31046,7 +31046,7 @@ async function loadSpec(specPath, opts = {}) {
31046
31046
  strict: false
31047
31047
  });
31048
31048
  if (unresolved.length > 0) {
31049
- const opRef = `${method.toUpperCase()} ${path28}`;
31049
+ const opRef = `${method.toUpperCase()} ${path30}`;
31050
31050
  for (const v of unresolved) {
31051
31051
  const list2 = unresolvedAgg.get(v) ?? [];
31052
31052
  list2.push(opRef);
@@ -31055,8 +31055,8 @@ async function loadSpec(specPath, opts = {}) {
31055
31055
  }
31056
31056
  endpoints.push({
31057
31057
  method: method.toUpperCase(),
31058
- path: path28,
31059
- operationId: deriveOperationId(method, path28, op2.operationId),
31058
+ path: path30,
31059
+ operationId: deriveOperationId(method, path30, op2.operationId),
31060
31060
  policy,
31061
31061
  parameters: collectParameters(op2, pathItem),
31062
31062
  raw: op2,
@@ -31136,8 +31136,8 @@ function assertNoPlaceholders(spec) {
31136
31136
  lines.push("Hint: set real values for these variables, or re-run with --no-strict to allow placeholders.");
31137
31137
  throw new StrictnessViolation("S1", lines.join("\n"), { hits });
31138
31138
  }
31139
- function normalizePathForMatch(path28) {
31140
- return path28.replace(/\{[^}]+\}/g, "").replace(/\/+$/, "/");
31139
+ function normalizePathForMatch(path30) {
31140
+ return path30.replace(/\{[^}]+\}/g, "").replace(/\/+$/, "/");
31141
31141
  }
31142
31142
  function detectEmissionGaps(spec, artifacts) {
31143
31143
  if (artifacts.length === 0) {
@@ -32867,14 +32867,14 @@ var init_readFile = __esm({
32867
32867
  "../../node_modules/.pnpm/@smithy+core@3.24.2/node_modules/@smithy/core/dist-es/submodules/config/shared-ini-file-loader/readFile.js"() {
32868
32868
  filePromises = {};
32869
32869
  fileIntercept = {};
32870
- readFile2 = (path28, options) => {
32871
- if (fileIntercept[path28] !== void 0) {
32872
- return fileIntercept[path28];
32870
+ readFile2 = (path30, options) => {
32871
+ if (fileIntercept[path30] !== void 0) {
32872
+ return fileIntercept[path30];
32873
32873
  }
32874
- if (!filePromises[path28] || options?.ignoreCache) {
32875
- filePromises[path28] = fsReadFile(path28, "utf8");
32874
+ if (!filePromises[path30] || options?.ignoreCache) {
32875
+ filePromises[path30] = fsReadFile(path30, "utf8");
32876
32876
  }
32877
- return filePromises[path28];
32877
+ return filePromises[path30];
32878
32878
  };
32879
32879
  }
32880
32880
  });
@@ -32986,8 +32986,8 @@ var init_externalDataInterceptor = __esm({
32986
32986
  getFileRecord() {
32987
32987
  return fileIntercept;
32988
32988
  },
32989
- interceptFile(path28, contents) {
32990
- fileIntercept[path28] = Promise.resolve(contents);
32989
+ interceptFile(path30, contents) {
32990
+ fileIntercept[path30] = Promise.resolve(contents);
32991
32991
  },
32992
32992
  getTokenRecord() {
32993
32993
  return tokenIntercept;
@@ -33839,14 +33839,14 @@ var init_schemaSerializationMiddleware = __esm({
33839
33839
  const { operationSchema } = getSmithyContext(context);
33840
33840
  const [, ns, n2, t, i5, o2] = operationSchema ?? [];
33841
33841
  const endpoint = context.endpointV2 ? async () => toEndpointV1(context.endpointV2) : config.endpoint;
33842
- const request7 = await config.protocol.serializeRequest(operation(ns, n2, t, i5, o2), args.input, {
33842
+ const request9 = await config.protocol.serializeRequest(operation(ns, n2, t, i5, o2), args.input, {
33843
33843
  ...config,
33844
33844
  ...context,
33845
33845
  endpoint
33846
33846
  });
33847
33847
  return next({
33848
33848
  ...args,
33849
- request: request7
33849
+ request: request9
33850
33850
  });
33851
33851
  };
33852
33852
  }
@@ -34629,7 +34629,7 @@ var init_command = __esm({
34629
34629
  ...requestOptions
34630
34630
  };
34631
34631
  }
34632
- return stack.resolve((request7) => requestHandler.handle(request7.request, requestOptions), handlerExecutionContext);
34632
+ return stack.resolve((request9) => requestHandler.handle(request9.request, requestOptions), handlerExecutionContext);
34633
34633
  }
34634
34634
  };
34635
34635
  ClassBuilder = class {
@@ -35595,13 +35595,13 @@ var init_resolveDefaultsModeConfig = __esm({
35595
35595
  }
35596
35596
  return { hostname: "169.254.169.254", path: "/" };
35597
35597
  };
35598
- imdsHttpGet = async ({ hostname, path: path28 }) => {
35599
- const { request: request7 } = await import("node:http");
35598
+ imdsHttpGet = async ({ hostname, path: path30 }) => {
35599
+ const { request: request9 } = await import("node:http");
35600
35600
  return new Promise((resolve2, reject) => {
35601
- const req = request7({
35601
+ const req = request9({
35602
35602
  method: "GET",
35603
35603
  hostname: hostname.replace(/^\[(.+)]$/, "$1"),
35604
- path: path28,
35604
+ path: path30,
35605
35605
  timeout: 1e3,
35606
35606
  signal: AbortSignal.timeout(1e3)
35607
35607
  });
@@ -35850,8 +35850,8 @@ var init_createConfigValueProvider = __esm({
35850
35850
  return endpoint.url.href;
35851
35851
  }
35852
35852
  if ("hostname" in endpoint) {
35853
- const { protocol, hostname, port, path: path28 } = endpoint;
35854
- return `${protocol}//${hostname}${port ? ":" + port : ""}${path28}`;
35853
+ const { protocol, hostname, port, path: path30 } = endpoint;
35854
+ return `${protocol}//${hostname}${port ? ":" + port : ""}${path30}`;
35855
35855
  }
35856
35856
  }
35857
35857
  return endpoint;
@@ -36290,18 +36290,18 @@ var getAttrPathList;
36290
36290
  var init_getAttrPathList = __esm({
36291
36291
  "../../node_modules/.pnpm/@smithy+core@3.24.2/node_modules/@smithy/core/dist-es/submodules/endpoints/util-endpoints/lib/getAttrPathList.js"() {
36292
36292
  init_types3();
36293
- getAttrPathList = (path28) => {
36294
- const parts = path28.split(".");
36293
+ getAttrPathList = (path30) => {
36294
+ const parts = path30.split(".");
36295
36295
  const pathList = [];
36296
36296
  for (const part of parts) {
36297
36297
  const squareBracketIndex = part.indexOf("[");
36298
36298
  if (squareBracketIndex !== -1) {
36299
36299
  if (part.indexOf("]") !== part.length - 1) {
36300
- throw new EndpointError(`Path: '${path28}' does not end with ']'`);
36300
+ throw new EndpointError(`Path: '${path30}' does not end with ']'`);
36301
36301
  }
36302
36302
  const arrayIndex = part.slice(squareBracketIndex + 1, -1);
36303
36303
  if (Number.isNaN(parseInt(arrayIndex))) {
36304
- throw new EndpointError(`Invalid array index: '${arrayIndex}' in path: '${path28}'`);
36304
+ throw new EndpointError(`Invalid array index: '${arrayIndex}' in path: '${path30}'`);
36305
36305
  }
36306
36306
  if (squareBracketIndex !== 0) {
36307
36307
  pathList.push(part.slice(0, squareBracketIndex));
@@ -36322,9 +36322,9 @@ var init_getAttr = __esm({
36322
36322
  "../../node_modules/.pnpm/@smithy+core@3.24.2/node_modules/@smithy/core/dist-es/submodules/endpoints/util-endpoints/lib/getAttr.js"() {
36323
36323
  init_types3();
36324
36324
  init_getAttrPathList();
36325
- getAttr = (value, path28) => getAttrPathList(path28).reduce((acc, index) => {
36325
+ getAttr = (value, path30) => getAttrPathList(path30).reduce((acc, index) => {
36326
36326
  if (typeof acc !== "object") {
36327
- throw new EndpointError(`Index '${index}' in '${path28}' not found in '${JSON.stringify(value)}'`);
36327
+ throw new EndpointError(`Index '${index}' in '${path30}' not found in '${JSON.stringify(value)}'`);
36328
36328
  } else if (Array.isArray(acc)) {
36329
36329
  const i5 = parseInt(index);
36330
36330
  return acc[i5 < 0 ? acc.length + i5 : i5];
@@ -36405,8 +36405,8 @@ var init_parseURL = __esm({
36405
36405
  return value;
36406
36406
  }
36407
36407
  if (typeof value === "object" && "hostname" in value) {
36408
- const { hostname: hostname2, port, protocol: protocol2 = "", path: path28 = "", query = {} } = value;
36409
- const url = new URL(`${protocol2}//${hostname2}${port ? `:${port}` : ""}${path28}`);
36408
+ const { hostname: hostname2, port, protocol: protocol2 = "", path: path30 = "", query = {} } = value;
36409
+ const url = new URL(`${protocol2}//${hostname2}${port ? `:${port}` : ""}${path30}`);
36410
36410
  url.search = Object.entries(query).map(([k5, v]) => `${k5}=${v}`).join("&");
36411
36411
  return url;
36412
36412
  }
@@ -37031,10 +37031,10 @@ var init_serializerMiddleware = __esm({
37031
37031
  if (!endpoint) {
37032
37032
  throw new Error("No valid endpoint provider available.");
37033
37033
  }
37034
- const request7 = await serializer(args.input, { ...options, endpoint });
37034
+ const request9 = await serializer(args.input, { ...options, endpoint });
37035
37035
  return next({
37036
37036
  ...args,
37037
- request: request7
37037
+ request: request9
37038
37038
  });
37039
37039
  };
37040
37040
  }
@@ -38194,21 +38194,21 @@ var init_httpRequest = __esm({
38194
38194
  this.password = options.password;
38195
38195
  this.fragment = options.fragment;
38196
38196
  }
38197
- static clone(request7) {
38197
+ static clone(request9) {
38198
38198
  const cloned = new _HttpRequest({
38199
- ...request7,
38200
- headers: { ...request7.headers }
38199
+ ...request9,
38200
+ headers: { ...request9.headers }
38201
38201
  });
38202
38202
  if (cloned.query) {
38203
38203
  cloned.query = cloneQuery(cloned.query);
38204
38204
  }
38205
38205
  return cloned;
38206
38206
  }
38207
- static isInstance(request7) {
38208
- if (!request7) {
38207
+ static isInstance(request9) {
38208
+ if (!request9) {
38209
38209
  return false;
38210
38210
  }
38211
- const req = request7;
38211
+ const req = request9;
38212
38212
  return "method" in req && "protocol" in req && "hostname" in req && "path" in req && typeof req["query"] === "object" && typeof req["headers"] === "object";
38213
38213
  }
38214
38214
  clone() {
@@ -38672,13 +38672,13 @@ function __disposeResources(env) {
38672
38672
  }
38673
38673
  return next();
38674
38674
  }
38675
- function __rewriteRelativeImportExtension(path28, preserveJsx) {
38676
- if (typeof path28 === "string" && /^\.\.?\//.test(path28)) {
38677
- return path28.replace(/\.(tsx)$|((?:\.d)?)((?:\.[^./]+?)?)\.([cm]?)ts$/i, function(m3, tsx, d5, ext, cm) {
38675
+ function __rewriteRelativeImportExtension(path30, preserveJsx) {
38676
+ if (typeof path30 === "string" && /^\.\.?\//.test(path30)) {
38677
+ return path30.replace(/\.(tsx)$|((?:\.d)?)((?:\.[^./]+?)?)\.([cm]?)ts$/i, function(m3, tsx, d5, ext, cm) {
38678
38678
  return tsx ? preserveJsx ? ".jsx" : ".js" : d5 && (!ext || !cm) ? m3 : d5 + ext + "." + cm.toLowerCase() + "js";
38679
38679
  });
38680
38680
  }
38681
- return path28;
38681
+ return path30;
38682
38682
  }
38683
38683
  var extendStatics, __assign, __createBinding, __setModuleDefault, ownKeys, _SuppressedError, tslib_es6_default;
38684
38684
  var init_tslib_es6 = __esm({
@@ -40368,44 +40368,44 @@ var init_HttpProtocol = __esm({
40368
40368
  this.getPayloadCodec().setSerdeContext(serdeContext);
40369
40369
  }
40370
40370
  }
40371
- updateServiceEndpoint(request7, endpoint) {
40371
+ updateServiceEndpoint(request9, endpoint) {
40372
40372
  if ("url" in endpoint) {
40373
- request7.protocol = endpoint.url.protocol;
40374
- request7.hostname = endpoint.url.hostname;
40375
- request7.port = endpoint.url.port ? Number(endpoint.url.port) : void 0;
40376
- request7.path = endpoint.url.pathname;
40377
- request7.fragment = endpoint.url.hash || void 0;
40378
- request7.username = endpoint.url.username || void 0;
40379
- request7.password = endpoint.url.password || void 0;
40380
- if (!request7.query) {
40381
- request7.query = {};
40373
+ request9.protocol = endpoint.url.protocol;
40374
+ request9.hostname = endpoint.url.hostname;
40375
+ request9.port = endpoint.url.port ? Number(endpoint.url.port) : void 0;
40376
+ request9.path = endpoint.url.pathname;
40377
+ request9.fragment = endpoint.url.hash || void 0;
40378
+ request9.username = endpoint.url.username || void 0;
40379
+ request9.password = endpoint.url.password || void 0;
40380
+ if (!request9.query) {
40381
+ request9.query = {};
40382
40382
  }
40383
40383
  for (const [k5, v] of endpoint.url.searchParams.entries()) {
40384
- request7.query[k5] = v;
40384
+ request9.query[k5] = v;
40385
40385
  }
40386
40386
  if (endpoint.headers) {
40387
40387
  for (const name in endpoint.headers) {
40388
- request7.headers[name] = endpoint.headers[name].join(", ");
40388
+ request9.headers[name] = endpoint.headers[name].join(", ");
40389
40389
  }
40390
40390
  }
40391
- return request7;
40391
+ return request9;
40392
40392
  } else {
40393
- request7.protocol = endpoint.protocol;
40394
- request7.hostname = endpoint.hostname;
40395
- request7.port = endpoint.port ? Number(endpoint.port) : void 0;
40396
- request7.path = endpoint.path;
40397
- request7.query = {
40393
+ request9.protocol = endpoint.protocol;
40394
+ request9.hostname = endpoint.hostname;
40395
+ request9.port = endpoint.port ? Number(endpoint.port) : void 0;
40396
+ request9.path = endpoint.path;
40397
+ request9.query = {
40398
40398
  ...endpoint.query
40399
40399
  };
40400
40400
  if (endpoint.headers) {
40401
40401
  for (const name in endpoint.headers) {
40402
- request7.headers[name] = endpoint.headers[name];
40402
+ request9.headers[name] = endpoint.headers[name];
40403
40403
  }
40404
40404
  }
40405
- return request7;
40405
+ return request9;
40406
40406
  }
40407
40407
  }
40408
- setHostPrefix(request7, operationSchema, input) {
40408
+ setHostPrefix(request9, operationSchema, input) {
40409
40409
  if (this.serdeContext?.disableHostPrefix) {
40410
40410
  return;
40411
40411
  }
@@ -40424,7 +40424,7 @@ var init_HttpProtocol = __esm({
40424
40424
  }
40425
40425
  hostPrefix = hostPrefix.replace(`{${name}}`, replacement);
40426
40426
  }
40427
- request7.hostname = hostPrefix + request7.hostname;
40427
+ request9.hostname = hostPrefix + request9.hostname;
40428
40428
  }
40429
40429
  }
40430
40430
  }
@@ -40501,7 +40501,7 @@ var init_HttpBindingProtocol = __esm({
40501
40501
  const payloadMemberSchemas = [];
40502
40502
  let hasNonHttpBindingMember = false;
40503
40503
  let payload2;
40504
- const request7 = new HttpRequest({
40504
+ const request9 = new HttpRequest({
40505
40505
  protocol: "",
40506
40506
  hostname: "",
40507
40507
  port: void 0,
@@ -40512,16 +40512,16 @@ var init_HttpBindingProtocol = __esm({
40512
40512
  body: void 0
40513
40513
  });
40514
40514
  if (endpoint) {
40515
- this.updateServiceEndpoint(request7, endpoint);
40516
- this.setHostPrefix(request7, operationSchema, input);
40515
+ this.updateServiceEndpoint(request9, endpoint);
40516
+ this.setHostPrefix(request9, operationSchema, input);
40517
40517
  const opTraits = translateTraits(operationSchema.traits);
40518
40518
  if (opTraits.http) {
40519
- request7.method = opTraits.http[0];
40520
- const [path28, search] = opTraits.http[1].split("?");
40521
- if (request7.path == "/") {
40522
- request7.path = path28;
40519
+ request9.method = opTraits.http[0];
40520
+ const [path30, search] = opTraits.http[1].split("?");
40521
+ if (request9.path == "/") {
40522
+ request9.path = path30;
40523
40523
  } else {
40524
- request7.path += path28;
40524
+ request9.path += path30;
40525
40525
  }
40526
40526
  const traitSearchParams = new URLSearchParams(search ?? "");
40527
40527
  for (const [key, value] of traitSearchParams) {
@@ -40534,7 +40534,7 @@ var init_HttpBindingProtocol = __esm({
40534
40534
  const inputMemberValue = input[memberName];
40535
40535
  if (inputMemberValue == null && !memberNs.isIdempotencyToken()) {
40536
40536
  if (memberTraits.httpLabel) {
40537
- if (request7.path.includes(`{${memberName}+}`) || request7.path.includes(`{${memberName}}`)) {
40537
+ if (request9.path.includes(`{${memberName}+}`) || request9.path.includes(`{${memberName}}`)) {
40538
40538
  throw new Error(`No value provided for input HTTP label: ${memberName}.`);
40539
40539
  }
40540
40540
  }
@@ -40561,10 +40561,10 @@ var init_HttpBindingProtocol = __esm({
40561
40561
  } else if (memberTraits.httpLabel) {
40562
40562
  serializer.write(memberNs, inputMemberValue);
40563
40563
  const replacement = serializer.flush();
40564
- if (request7.path.includes(`{${memberName}+}`)) {
40565
- request7.path = request7.path.replace(`{${memberName}+}`, replacement.split("/").map(extendedEncodeURIComponent).join("/"));
40566
- } else if (request7.path.includes(`{${memberName}}`)) {
40567
- request7.path = request7.path.replace(`{${memberName}}`, extendedEncodeURIComponent(replacement));
40564
+ if (request9.path.includes(`{${memberName}+}`)) {
40565
+ request9.path = request9.path.replace(`{${memberName}+}`, replacement.split("/").map(extendedEncodeURIComponent).join("/"));
40566
+ } else if (request9.path.includes(`{${memberName}}`)) {
40567
+ request9.path = request9.path.replace(`{${memberName}}`, extendedEncodeURIComponent(replacement));
40568
40568
  }
40569
40569
  } else if (memberTraits.httpHeader) {
40570
40570
  serializer.write(memberNs, inputMemberValue);
@@ -40604,10 +40604,10 @@ var init_HttpBindingProtocol = __esm({
40604
40604
  serializer.write(payloadSchema, input);
40605
40605
  payload2 = serializer.flush();
40606
40606
  }
40607
- request7.headers = headers;
40608
- request7.query = query;
40609
- request7.body = payload2;
40610
- return request7;
40607
+ request9.headers = headers;
40608
+ request9.query = query;
40609
+ request9.body = payload2;
40610
+ return request9;
40611
40611
  }
40612
40612
  serializeQuery(ns, data2, query) {
40613
40613
  const serializer = this.serializer;
@@ -40772,7 +40772,7 @@ var init_RpcProtocol = __esm({
40772
40772
  const schema = ns.getSchema();
40773
40773
  let payload2;
40774
40774
  const input = _input && typeof _input === "object" ? _input : {};
40775
- const request7 = new HttpRequest({
40775
+ const request9 = new HttpRequest({
40776
40776
  protocol: "",
40777
40777
  hostname: "",
40778
40778
  port: void 0,
@@ -40783,8 +40783,8 @@ var init_RpcProtocol = __esm({
40783
40783
  body: void 0
40784
40784
  });
40785
40785
  if (endpoint) {
40786
- this.updateServiceEndpoint(request7, endpoint);
40787
- this.setHostPrefix(request7, operationSchema, input);
40786
+ this.updateServiceEndpoint(request9, endpoint);
40787
+ this.setHostPrefix(request9, operationSchema, input);
40788
40788
  }
40789
40789
  if (input) {
40790
40790
  const eventStreamMember = ns.getEventStreamMember();
@@ -40808,11 +40808,11 @@ var init_RpcProtocol = __esm({
40808
40808
  payload2 = serializer.flush();
40809
40809
  }
40810
40810
  }
40811
- request7.headers = Object.assign(request7.headers, headers);
40812
- request7.query = query;
40813
- request7.body = payload2;
40814
- request7.method = "POST";
40815
- return request7;
40811
+ request9.headers = Object.assign(request9.headers, headers);
40812
+ request9.query = query;
40813
+ request9.body = payload2;
40814
+ request9.method = "POST";
40815
+ return request9;
40816
40816
  }
40817
40817
  async deserializeResponse(operationSchema, context, response) {
40818
40818
  const deserializer = this.deserializer;
@@ -40922,8 +40922,8 @@ var init_requestBuilder = __esm({
40922
40922
  return this;
40923
40923
  }
40924
40924
  p(memberName, labelValueProvider, uriLabel, isGreedyLabel) {
40925
- this.resolvePathStack.push((path28) => {
40926
- this.path = resolvedPath(path28, this.input, memberName, labelValueProvider, uriLabel, isGreedyLabel);
40925
+ this.resolvePathStack.push((path30) => {
40926
+ this.path = resolvedPath(path30, this.input, memberName, labelValueProvider, uriLabel, isGreedyLabel);
40927
40927
  });
40928
40928
  return this;
40929
40929
  }
@@ -41319,14 +41319,14 @@ var init_httpExtensionConfiguration = __esm({
41319
41319
  // ../../node_modules/.pnpm/@smithy+core@3.24.2/node_modules/@smithy/core/dist-es/submodules/protocols/middleware-content-length/contentLengthMiddleware.js
41320
41320
  function contentLengthMiddleware(bodyLengthChecker) {
41321
41321
  return (next) => async (args) => {
41322
- const request7 = args.request;
41323
- if (HttpRequest.isInstance(request7)) {
41324
- const { body, headers } = request7;
41322
+ const request9 = args.request;
41323
+ if (HttpRequest.isInstance(request9)) {
41324
+ const { body, headers } = request9;
41325
41325
  if (body && Object.keys(headers).map((str) => str.toLowerCase()).indexOf(CONTENT_LENGTH_HEADER) === -1) {
41326
41326
  try {
41327
41327
  const length = bodyLengthChecker(body);
41328
- request7.headers = {
41329
- ...request7.headers,
41328
+ request9.headers = {
41329
+ ...request9.headers,
41330
41330
  [CONTENT_LENGTH_HEADER]: String(length)
41331
41331
  };
41332
41332
  } catch (error2) {
@@ -41335,7 +41335,7 @@ function contentLengthMiddleware(bodyLengthChecker) {
41335
41335
  }
41336
41336
  return next({
41337
41337
  ...args,
41338
- request: request7
41338
+ request: request9
41339
41339
  });
41340
41340
  };
41341
41341
  }
@@ -41528,16 +41528,16 @@ var require_dist_cjs5 = __commonJS({
41528
41528
  var hostHeaderMiddleware = (options) => (next) => async (args) => {
41529
41529
  if (!protocols.HttpRequest.isInstance(args.request))
41530
41530
  return next(args);
41531
- const { request: request7 } = args;
41531
+ const { request: request9 } = args;
41532
41532
  const { handlerProtocol = "" } = options.requestHandler.metadata || {};
41533
- if (handlerProtocol.indexOf("h2") >= 0 && !request7.headers[":authority"]) {
41534
- delete request7.headers["host"];
41535
- request7.headers[":authority"] = request7.hostname + (request7.port ? ":" + request7.port : "");
41536
- } else if (!request7.headers["host"]) {
41537
- let host = request7.hostname;
41538
- if (request7.port != null)
41539
- host += `:${request7.port}`;
41540
- request7.headers["host"] = host;
41533
+ if (handlerProtocol.indexOf("h2") >= 0 && !request9.headers[":authority"]) {
41534
+ delete request9.headers["host"];
41535
+ request9.headers[":authority"] = request9.hostname + (request9.port ? ":" + request9.port : "");
41536
+ } else if (!request9.headers["host"]) {
41537
+ let host = request9.hostname;
41538
+ if (request9.port != null)
41539
+ host += `:${request9.port}`;
41540
+ request9.headers["host"] = host;
41541
41541
  }
41542
41542
  return next(args);
41543
41543
  };
@@ -41743,12 +41743,12 @@ var require_recursionDetectionMiddleware = __commonJS({
41743
41743
  var ENV_LAMBDA_FUNCTION_NAME = "AWS_LAMBDA_FUNCTION_NAME";
41744
41744
  var ENV_TRACE_ID = "_X_AMZN_TRACE_ID";
41745
41745
  var recursionDetectionMiddleware = () => (next) => async (args) => {
41746
- const { request: request7 } = args;
41747
- if (!protocols_1.HttpRequest.isInstance(request7)) {
41746
+ const { request: request9 } = args;
41747
+ if (!protocols_1.HttpRequest.isInstance(request9)) {
41748
41748
  return next(args);
41749
41749
  }
41750
- const traceIdHeader = Object.keys(request7.headers ?? {}).find((h5) => h5.toLowerCase() === TRACE_ID_HEADER_NAME.toLowerCase()) ?? TRACE_ID_HEADER_NAME;
41751
- if (request7.headers.hasOwnProperty(traceIdHeader)) {
41750
+ const traceIdHeader = Object.keys(request9.headers ?? {}).find((h5) => h5.toLowerCase() === TRACE_ID_HEADER_NAME.toLowerCase()) ?? TRACE_ID_HEADER_NAME;
41751
+ if (request9.headers.hasOwnProperty(traceIdHeader)) {
41752
41752
  return next(args);
41753
41753
  }
41754
41754
  const functionName = process.env[ENV_LAMBDA_FUNCTION_NAME];
@@ -41758,11 +41758,11 @@ var require_recursionDetectionMiddleware = __commonJS({
41758
41758
  const traceId = traceIdFromInvokeStore ?? traceIdFromEnv;
41759
41759
  const nonEmptyString = (str) => typeof str === "string" && str.length > 0;
41760
41760
  if (nonEmptyString(functionName) && nonEmptyString(traceId)) {
41761
- request7.headers[TRACE_ID_HEADER_NAME] = traceId;
41761
+ request9.headers[TRACE_ID_HEADER_NAME] = traceId;
41762
41762
  }
41763
41763
  return next({
41764
41764
  ...args,
41765
- request: request7
41765
+ request: request9
41766
41766
  });
41767
41767
  };
41768
41768
  exports.recursionDetectionMiddleware = recursionDetectionMiddleware;
@@ -42046,9 +42046,9 @@ var init_createPaginator = __esm({
42046
42046
  command = withCommand(command) ?? command;
42047
42047
  return await client.send(command, ...args);
42048
42048
  };
42049
- get = (fromObject, path28) => {
42049
+ get = (fromObject, path30) => {
42050
42050
  let cursor2 = fromObject;
42051
- const pathComponents = path28.split(".");
42051
+ const pathComponents = path30.split(".");
42052
42052
  for (const step of pathComponents) {
42053
42053
  if (!cursor2 || typeof cursor2 !== "object") {
42054
42054
  return void 0;
@@ -42758,7 +42758,7 @@ import { Readable as Readable5 } from "node:stream";
42758
42758
  var isStreamingPayload;
42759
42759
  var init_isStreamingPayload = __esm({
42760
42760
  "../../node_modules/.pnpm/@smithy+core@3.24.2/node_modules/@smithy/core/dist-es/submodules/retry/middleware-retry/isStreamingPayload/isStreamingPayload.js"() {
42761
- isStreamingPayload = (request7) => request7?.body instanceof Readable5 || typeof ReadableStream !== "undefined" && request7?.body instanceof ReadableStream;
42761
+ isStreamingPayload = (request9) => request9?.body instanceof Readable5 || typeof ReadableStream !== "undefined" && request9?.body instanceof ReadableStream;
42762
42762
  }
42763
42763
  });
42764
42764
 
@@ -42930,15 +42930,15 @@ function bindRetryMiddleware(isStreamingPayload2) {
42930
42930
  let lastError = new Error();
42931
42931
  let attempts = 0;
42932
42932
  let totalRetryDelay = 0;
42933
- const { request: request7 } = args;
42934
- const isRequest = HttpRequest.isInstance(request7);
42933
+ const { request: request9 } = args;
42934
+ const isRequest = HttpRequest.isInstance(request9);
42935
42935
  if (isRequest) {
42936
- request7.headers[INVOCATION_ID_HEADER] = v4();
42936
+ request9.headers[INVOCATION_ID_HEADER] = v4();
42937
42937
  }
42938
42938
  while (true) {
42939
42939
  try {
42940
42940
  if (isRequest) {
42941
- request7.headers[REQUEST_HEADER] = `attempt=${attempts + 1}; max=${maxAttempts}`;
42941
+ request9.headers[REQUEST_HEADER] = `attempt=${attempts + 1}; max=${maxAttempts}`;
42942
42942
  }
42943
42943
  const { response, output } = await next(args);
42944
42944
  retryStrategy.recordSuccess(retryToken);
@@ -42948,7 +42948,7 @@ function bindRetryMiddleware(isStreamingPayload2) {
42948
42948
  } catch (e5) {
42949
42949
  const retryErrorInfo = getRetryErrorInfo(e5, options.logger);
42950
42950
  lastError = asSdkError(e5);
42951
- if (isRequest && isStreamingPayload2(request7)) {
42951
+ if (isRequest && isStreamingPayload2(request9)) {
42952
42952
  (context.logger instanceof NoOpLogger ? console : context.logger)?.warn("An error was encountered in a non-retryable streaming request.");
42953
42953
  throw lastError;
42954
42954
  }
@@ -43499,14 +43499,14 @@ var init_StandardRetryStrategy2 = __esm({
43499
43499
  let attempts = 0;
43500
43500
  let totalDelay = 0;
43501
43501
  const maxAttempts = await this.getMaxAttempts();
43502
- const { request: request7 } = args;
43503
- if (HttpRequest.isInstance(request7)) {
43504
- request7.headers[INVOCATION_ID_HEADER] = v4();
43502
+ const { request: request9 } = args;
43503
+ if (HttpRequest.isInstance(request9)) {
43504
+ request9.headers[INVOCATION_ID_HEADER] = v4();
43505
43505
  }
43506
43506
  while (true) {
43507
43507
  try {
43508
- if (HttpRequest.isInstance(request7)) {
43509
- request7.headers[REQUEST_HEADER] = `attempt=${attempts + 1}; max=${maxAttempts}`;
43508
+ if (HttpRequest.isInstance(request9)) {
43509
+ request9.headers[REQUEST_HEADER] = `attempt=${attempts + 1}; max=${maxAttempts}`;
43510
43510
  }
43511
43511
  if (options?.beforeRequest) {
43512
43512
  await options.beforeRequest();
@@ -43646,10 +43646,10 @@ var init_omitRetryHeadersMiddleware = __esm({
43646
43646
  init_protocols();
43647
43647
  init_constants5();
43648
43648
  omitRetryHeadersMiddleware = () => (next) => async (args) => {
43649
- const { request: request7 } = args;
43650
- if (HttpRequest.isInstance(request7)) {
43651
- delete request7.headers[INVOCATION_ID_HEADER];
43652
- delete request7.headers[REQUEST_HEADER];
43649
+ const { request: request9 } = args;
43650
+ if (HttpRequest.isInstance(request9)) {
43651
+ delete request9.headers[INVOCATION_ID_HEADER];
43652
+ delete request9.headers[REQUEST_HEADER];
43653
43653
  }
43654
43654
  return next(args);
43655
43655
  };
@@ -43829,8 +43829,8 @@ var require_dist_cjs9 = __commonJS({
43829
43829
  }
43830
43830
  var ACCOUNT_ID_ENDPOINT_REGEX = /\d{12}\.ddb/;
43831
43831
  async function checkFeatures(context, config, args) {
43832
- const request7 = args.request;
43833
- if (request7?.headers?.["smithy-protocol"] === "rpc-v2-cbor") {
43832
+ const request9 = args.request;
43833
+ if (request9?.headers?.["smithy-protocol"] === "rpc-v2-cbor") {
43834
43834
  client.setFeature(context, "PROTOCOL_RPC_V2_CBOR", "M");
43835
43835
  }
43836
43836
  if (typeof config.retryStrategy === "function") {
@@ -43899,11 +43899,11 @@ var require_dist_cjs9 = __commonJS({
43899
43899
  return buffer;
43900
43900
  }
43901
43901
  var userAgentMiddleware = (options) => (next, context) => async (args) => {
43902
- const { request: request7 } = args;
43903
- if (!protocols.HttpRequest.isInstance(request7)) {
43902
+ const { request: request9 } = args;
43903
+ if (!protocols.HttpRequest.isInstance(request9)) {
43904
43904
  return next(args);
43905
43905
  }
43906
- const { headers } = request7;
43906
+ const { headers } = request9;
43907
43907
  const userAgent = context?.userAgent?.map(escapeUserAgent) || [];
43908
43908
  const defaultUserAgent = (await options.defaultUserAgentProvider()).map(escapeUserAgent);
43909
43909
  await checkFeatures(context, options, args);
@@ -43930,7 +43930,7 @@ var require_dist_cjs9 = __commonJS({
43930
43930
  }
43931
43931
  return next({
43932
43932
  ...args,
43933
- request: request7
43933
+ request: request9
43934
43934
  });
43935
43935
  };
43936
43936
  var escapeUserAgent = (userAgentPair) => {
@@ -44425,11 +44425,11 @@ var require_dist_cjs10 = __commonJS({
44425
44425
  this.regionProvider = client.normalizeProvider(region);
44426
44426
  this.credentialProvider = client.normalizeProvider(credentials);
44427
44427
  }
44428
- createCanonicalRequest(request7, canonicalHeaders, payloadHash) {
44428
+ createCanonicalRequest(request9, canonicalHeaders, payloadHash) {
44429
44429
  const sortedHeaders = Object.keys(canonicalHeaders).sort();
44430
- return `${request7.method}
44431
- ${this.getCanonicalPath(request7)}
44432
- ${getCanonicalQuery(request7)}
44430
+ return `${request9.method}
44431
+ ${this.getCanonicalPath(request9)}
44432
+ ${getCanonicalQuery(request9)}
44433
44433
  ${sortedHeaders.map((name) => `${name}:${canonicalHeaders[name]}`).join("\n")}
44434
44434
 
44435
44435
  ${sortedHeaders.join(";")}
@@ -44444,10 +44444,10 @@ ${longDate}
44444
44444
  ${credentialScope}
44445
44445
  ${serde.toHex(hashedRequest)}`;
44446
44446
  }
44447
- getCanonicalPath({ path: path28 }) {
44447
+ getCanonicalPath({ path: path30 }) {
44448
44448
  if (this.uriEscapePath) {
44449
44449
  const normalizedPathSegments = [];
44450
- for (const pathSegment of path28.split("/")) {
44450
+ for (const pathSegment of path30.split("/")) {
44451
44451
  if (pathSegment?.length === 0)
44452
44452
  continue;
44453
44453
  if (pathSegment === ".")
@@ -44458,11 +44458,11 @@ ${serde.toHex(hashedRequest)}`;
44458
44458
  normalizedPathSegments.push(pathSegment);
44459
44459
  }
44460
44460
  }
44461
- const normalizedPath = `${path28?.startsWith("/") ? "/" : ""}${normalizedPathSegments.join("/")}${normalizedPathSegments.length > 0 && path28?.endsWith("/") ? "/" : ""}`;
44461
+ const normalizedPath = `${path30?.startsWith("/") ? "/" : ""}${normalizedPathSegments.join("/")}${normalizedPathSegments.length > 0 && path30?.endsWith("/") ? "/" : ""}`;
44462
44462
  const doubleEncoded = protocols.escapeUri(normalizedPath);
44463
44463
  return doubleEncoded.replace(/%2F/g, "/");
44464
44464
  }
44465
- return path28;
44465
+ return path30;
44466
44466
  }
44467
44467
  validateResolvedCredentials(credentials) {
44468
44468
  if (typeof credentials !== "object" || typeof credentials.accessKeyId !== "string" || typeof credentials.secretAccessKey !== "string") {
@@ -44550,8 +44550,8 @@ ${serde.toHex(hashedRequest)}`;
44550
44550
  }
44551
44551
  return false;
44552
44552
  };
44553
- var moveHeadersToQuery = (request7, options = {}) => {
44554
- const { headers, query = {} } = protocols.HttpRequest.clone(request7);
44553
+ var moveHeadersToQuery = (request9, options = {}) => {
44554
+ const { headers, query = {} } = protocols.HttpRequest.clone(request9);
44555
44555
  for (const name of Object.keys(headers)) {
44556
44556
  const lname = name.toLowerCase();
44557
44557
  if (lname.slice(0, 6) === "x-amz-" && !options.unhoistableHeaders?.has(lname) || options.hoistableHeaders?.has(lname)) {
@@ -44560,19 +44560,19 @@ ${serde.toHex(hashedRequest)}`;
44560
44560
  }
44561
44561
  }
44562
44562
  return {
44563
- ...request7,
44563
+ ...request9,
44564
44564
  headers,
44565
44565
  query
44566
44566
  };
44567
44567
  };
44568
- var prepareRequest = (request7) => {
44569
- request7 = protocols.HttpRequest.clone(request7);
44570
- for (const headerName of Object.keys(request7.headers)) {
44568
+ var prepareRequest = (request9) => {
44569
+ request9 = protocols.HttpRequest.clone(request9);
44570
+ for (const headerName of Object.keys(request9.headers)) {
44571
44571
  if (GENERATED_HEADERS.indexOf(headerName.toLowerCase()) > -1) {
44572
- delete request7.headers[headerName];
44572
+ delete request9.headers[headerName];
44573
44573
  }
44574
44574
  }
44575
- return request7;
44575
+ return request9;
44576
44576
  };
44577
44577
  var SignatureV42 = class extends SignatureV4Base {
44578
44578
  headerFormatter = new HeaderFormatter();
@@ -44596,18 +44596,18 @@ ${serde.toHex(hashedRequest)}`;
44596
44596
  return Promise.reject("Signature version 4 presigned URLs must have an expiration date less than one week in the future");
44597
44597
  }
44598
44598
  const scope = createScope(shortDate, region, signingService ?? this.service);
44599
- const request7 = moveHeadersToQuery(prepareRequest(originalRequest), { unhoistableHeaders, hoistableHeaders });
44599
+ const request9 = moveHeadersToQuery(prepareRequest(originalRequest), { unhoistableHeaders, hoistableHeaders });
44600
44600
  if (credentials.sessionToken) {
44601
- request7.query[TOKEN_QUERY_PARAM] = credentials.sessionToken;
44601
+ request9.query[TOKEN_QUERY_PARAM] = credentials.sessionToken;
44602
44602
  }
44603
- request7.query[ALGORITHM_QUERY_PARAM] = ALGORITHM_IDENTIFIER;
44604
- request7.query[CREDENTIAL_QUERY_PARAM] = `${credentials.accessKeyId}/${scope}`;
44605
- request7.query[AMZ_DATE_QUERY_PARAM] = longDate;
44606
- request7.query[EXPIRES_QUERY_PARAM] = expiresIn.toString(10);
44607
- const canonicalHeaders = getCanonicalHeaders(request7, unsignableHeaders, signableHeaders);
44608
- request7.query[SIGNED_HEADERS_QUERY_PARAM] = this.getCanonicalHeaderList(canonicalHeaders);
44609
- request7.query[SIGNATURE_QUERY_PARAM] = await this.getSignature(longDate, scope, this.getSigningKey(credentials, region, shortDate, signingService), this.createCanonicalRequest(request7, canonicalHeaders, await getPayloadHash(originalRequest, this.sha256)));
44610
- return request7;
44603
+ request9.query[ALGORITHM_QUERY_PARAM] = ALGORITHM_IDENTIFIER;
44604
+ request9.query[CREDENTIAL_QUERY_PARAM] = `${credentials.accessKeyId}/${scope}`;
44605
+ request9.query[AMZ_DATE_QUERY_PARAM] = longDate;
44606
+ request9.query[EXPIRES_QUERY_PARAM] = expiresIn.toString(10);
44607
+ const canonicalHeaders = getCanonicalHeaders(request9, unsignableHeaders, signableHeaders);
44608
+ request9.query[SIGNED_HEADERS_QUERY_PARAM] = this.getCanonicalHeaderList(canonicalHeaders);
44609
+ request9.query[SIGNATURE_QUERY_PARAM] = await this.getSignature(longDate, scope, this.getSigningKey(credentials, region, shortDate, signingService), this.createCanonicalRequest(request9, canonicalHeaders, await getPayloadHash(originalRequest, this.sha256)));
44610
+ return request9;
44611
44611
  }
44612
44612
  async sign(toSign, options) {
44613
44613
  if (typeof toSign === "string") {
@@ -44671,21 +44671,21 @@ ${serde.toHex(hashedRequest)}`;
44671
44671
  const credentials = await this.credentialProvider();
44672
44672
  this.validateResolvedCredentials(credentials);
44673
44673
  const region = signingRegion ?? await this.regionProvider();
44674
- const request7 = prepareRequest(requestToSign);
44674
+ const request9 = prepareRequest(requestToSign);
44675
44675
  const { longDate, shortDate } = this.formatDate(signingDate);
44676
44676
  const scope = createScope(shortDate, region, signingService ?? this.service);
44677
- request7.headers[AMZ_DATE_HEADER] = longDate;
44677
+ request9.headers[AMZ_DATE_HEADER] = longDate;
44678
44678
  if (credentials.sessionToken) {
44679
- request7.headers[TOKEN_HEADER] = credentials.sessionToken;
44679
+ request9.headers[TOKEN_HEADER] = credentials.sessionToken;
44680
44680
  }
44681
- const payloadHash = await getPayloadHash(request7, this.sha256);
44682
- if (!hasHeader2(SHA256_HEADER, request7.headers) && this.applyChecksum) {
44683
- request7.headers[SHA256_HEADER] = payloadHash;
44681
+ const payloadHash = await getPayloadHash(request9, this.sha256);
44682
+ if (!hasHeader2(SHA256_HEADER, request9.headers) && this.applyChecksum) {
44683
+ request9.headers[SHA256_HEADER] = payloadHash;
44684
44684
  }
44685
- const canonicalHeaders = getCanonicalHeaders(request7, unsignableHeaders, signableHeaders);
44686
- const signature = await this.getSignature(longDate, scope, this.getSigningKey(credentials, region, shortDate, signingService), this.createCanonicalRequest(request7, canonicalHeaders, payloadHash));
44687
- request7.headers[AUTH_HEADER] = `${ALGORITHM_IDENTIFIER} Credential=${credentials.accessKeyId}/${scope}, SignedHeaders=${this.getCanonicalHeaderList(canonicalHeaders)}, Signature=${signature}`;
44688
- return request7;
44685
+ const canonicalHeaders = getCanonicalHeaders(request9, unsignableHeaders, signableHeaders);
44686
+ const signature = await this.getSignature(longDate, scope, this.getSigningKey(credentials, region, shortDate, signingService), this.createCanonicalRequest(request9, canonicalHeaders, payloadHash));
44687
+ request9.headers[AUTH_HEADER] = `${ALGORITHM_IDENTIFIER} Credential=${credentials.accessKeyId}/${scope}, SignedHeaders=${this.getCanonicalHeaderList(canonicalHeaders)}, Signature=${signature}`;
44688
+ return request9;
44689
44689
  }
44690
44690
  async getSignature(longDate, credentialScope, keyPromise, canonicalRequest) {
44691
44691
  const stringToSign = await this.createStringToSign(longDate, credentialScope, canonicalRequest, ALGORITHM_IDENTIFIER);
@@ -45482,13 +45482,13 @@ var require_dist_cjs13 = __commonJS({
45482
45482
  clearTimeout: (timeoutId) => clearTimeout(timeoutId)
45483
45483
  };
45484
45484
  var DEFER_EVENT_LISTENER_TIME$2 = 1e3;
45485
- var setConnectionTimeout = (request7, reject, timeoutInMs = 0) => {
45485
+ var setConnectionTimeout = (request9, reject, timeoutInMs = 0) => {
45486
45486
  if (!timeoutInMs) {
45487
45487
  return -1;
45488
45488
  }
45489
45489
  const registerTimeout = (offset) => {
45490
45490
  const timeoutId = timing.setTimeout(() => {
45491
- request7.destroy();
45491
+ request9.destroy();
45492
45492
  reject(Object.assign(new Error(`@smithy/node-http-handler - the request socket did not establish a connection with the server within the configured timeout of ${timeoutInMs} ms.`), {
45493
45493
  name: "TimeoutError"
45494
45494
  }));
@@ -45502,10 +45502,10 @@ var require_dist_cjs13 = __commonJS({
45502
45502
  timing.clearTimeout(timeoutId);
45503
45503
  }
45504
45504
  };
45505
- if (request7.socket) {
45506
- doWithSocket(request7.socket);
45505
+ if (request9.socket) {
45506
+ doWithSocket(request9.socket);
45507
45507
  } else {
45508
- request7.on("socket", doWithSocket);
45508
+ request9.on("socket", doWithSocket);
45509
45509
  }
45510
45510
  };
45511
45511
  if (timeoutInMs < 2e3) {
@@ -45534,15 +45534,15 @@ var require_dist_cjs13 = __commonJS({
45534
45534
  return -1;
45535
45535
  };
45536
45536
  var DEFER_EVENT_LISTENER_TIME$1 = 3e3;
45537
- var setSocketKeepAlive = (request7, { keepAlive, keepAliveMsecs }, deferTimeMs = DEFER_EVENT_LISTENER_TIME$1) => {
45537
+ var setSocketKeepAlive = (request9, { keepAlive, keepAliveMsecs }, deferTimeMs = DEFER_EVENT_LISTENER_TIME$1) => {
45538
45538
  if (keepAlive !== true) {
45539
45539
  return -1;
45540
45540
  }
45541
45541
  const registerListener = () => {
45542
- if (request7.socket) {
45543
- request7.socket.setKeepAlive(keepAlive, keepAliveMsecs || 0);
45542
+ if (request9.socket) {
45543
+ request9.socket.setKeepAlive(keepAlive, keepAliveMsecs || 0);
45544
45544
  } else {
45545
- request7.on("socket", (socket) => {
45545
+ request9.on("socket", (socket) => {
45546
45546
  socket.setKeepAlive(keepAlive, keepAliveMsecs || 0);
45547
45547
  });
45548
45548
  }
@@ -45554,18 +45554,18 @@ var require_dist_cjs13 = __commonJS({
45554
45554
  return timing.setTimeout(registerListener, deferTimeMs);
45555
45555
  };
45556
45556
  var DEFER_EVENT_LISTENER_TIME = 3e3;
45557
- var setSocketTimeout = (request7, reject, timeoutInMs = 0) => {
45557
+ var setSocketTimeout = (request9, reject, timeoutInMs = 0) => {
45558
45558
  const registerTimeout = (offset) => {
45559
45559
  const timeout = timeoutInMs - offset;
45560
45560
  const onTimeout = () => {
45561
- request7.destroy();
45561
+ request9.destroy();
45562
45562
  reject(Object.assign(new Error(`@smithy/node-http-handler - the request socket timed out after ${timeoutInMs} ms of inactivity (configured by client requestHandler).`), { name: "TimeoutError" }));
45563
45563
  };
45564
- if (request7.socket) {
45565
- request7.socket.setTimeout(timeout, onTimeout);
45566
- request7.on("close", () => request7.socket?.removeListener("timeout", onTimeout));
45564
+ if (request9.socket) {
45565
+ request9.socket.setTimeout(timeout, onTimeout);
45566
+ request9.on("close", () => request9.socket?.removeListener("timeout", onTimeout));
45567
45567
  } else {
45568
- request7.setTimeout(timeout, onTimeout);
45568
+ request9.setTimeout(timeout, onTimeout);
45569
45569
  }
45570
45570
  };
45571
45571
  if (0 < timeoutInMs && timeoutInMs < 6e3) {
@@ -45575,8 +45575,8 @@ var require_dist_cjs13 = __commonJS({
45575
45575
  return timing.setTimeout(registerTimeout.bind(null, timeoutInMs === 0 ? 0 : DEFER_EVENT_LISTENER_TIME), DEFER_EVENT_LISTENER_TIME);
45576
45576
  };
45577
45577
  var MIN_WAIT_TIME = 6e3;
45578
- async function writeRequestBody(httpRequest, request7, maxContinueTimeoutMs = MIN_WAIT_TIME, externalAgent = false) {
45579
- const headers = request7.headers;
45578
+ async function writeRequestBody(httpRequest, request9, maxContinueTimeoutMs = MIN_WAIT_TIME, externalAgent = false) {
45579
+ const headers = request9.headers;
45580
45580
  const expect = headers ? headers.Expect || headers.expect : void 0;
45581
45581
  let timeoutId = -1;
45582
45582
  let sendBody = true;
@@ -45602,7 +45602,7 @@ var require_dist_cjs13 = __commonJS({
45602
45602
  ]);
45603
45603
  }
45604
45604
  if (sendBody) {
45605
- writeBody(httpRequest, request7.body);
45605
+ writeBody(httpRequest, request9.body);
45606
45606
  }
45607
45607
  }
45608
45608
  function writeBody(httpRequest, body) {
@@ -45684,12 +45684,12 @@ or increase socketAcquisitionWarningTimeout=(millis) in the NodeHttpHandler conf
45684
45684
  this.config?.httpAgent?.destroy();
45685
45685
  this.config?.httpsAgent?.destroy();
45686
45686
  }
45687
- async handle(request7, { abortSignal, requestTimeout } = {}) {
45687
+ async handle(request9, { abortSignal, requestTimeout } = {}) {
45688
45688
  if (!this.config) {
45689
45689
  this.config = await this.configProvider;
45690
45690
  }
45691
45691
  const config = this.config;
45692
- const isSSL = request7.protocol === "https:";
45692
+ const isSSL = request9.protocol === "https:";
45693
45693
  if (!isSSL && !this.config.httpAgent) {
45694
45694
  this.config.httpAgent = await this.config.httpAgentProvider();
45695
45695
  }
@@ -45722,7 +45722,7 @@ or increase socketAcquisitionWarningTimeout=(millis) in the NodeHttpHandler conf
45722
45722
  reject(abortError);
45723
45723
  return;
45724
45724
  }
45725
- const headers = request7.headers;
45725
+ const headers = request9.headers;
45726
45726
  const expectContinue = headers ? (headers.Expect ?? headers.expect) === "100-continue" : false;
45727
45727
  let agent = isSSL ? config.httpsAgent : config.httpAgent;
45728
45728
  if (expectContinue && !this.externalAgent) {
@@ -45734,32 +45734,32 @@ or increase socketAcquisitionWarningTimeout=(millis) in the NodeHttpHandler conf
45734
45734
  socketWarningTimeoutId = timing.setTimeout(() => {
45735
45735
  this.socketWarningTimestamp = _NodeHttpHandler.checkSocketUsage(agent, this.socketWarningTimestamp, config.logger);
45736
45736
  }, config.socketAcquisitionWarningTimeout ?? (config.requestTimeout ?? 2e3) + (config.connectionTimeout ?? 1e3));
45737
- const queryString = request7.query ? protocols.buildQueryString(request7.query) : "";
45737
+ const queryString = request9.query ? protocols.buildQueryString(request9.query) : "";
45738
45738
  let auth = void 0;
45739
- if (request7.username != null || request7.password != null) {
45740
- const username = request7.username ?? "";
45741
- const password = request7.password ?? "";
45739
+ if (request9.username != null || request9.password != null) {
45740
+ const username = request9.username ?? "";
45741
+ const password = request9.password ?? "";
45742
45742
  auth = `${username}:${password}`;
45743
45743
  }
45744
- let path28 = request7.path;
45744
+ let path30 = request9.path;
45745
45745
  if (queryString) {
45746
- path28 += `?${queryString}`;
45746
+ path30 += `?${queryString}`;
45747
45747
  }
45748
- if (request7.fragment) {
45749
- path28 += `#${request7.fragment}`;
45748
+ if (request9.fragment) {
45749
+ path30 += `#${request9.fragment}`;
45750
45750
  }
45751
- let hostname = request7.hostname ?? "";
45751
+ let hostname = request9.hostname ?? "";
45752
45752
  if (hostname[0] === "[" && hostname.endsWith("]")) {
45753
- hostname = request7.hostname.slice(1, -1);
45753
+ hostname = request9.hostname.slice(1, -1);
45754
45754
  } else {
45755
- hostname = request7.hostname;
45755
+ hostname = request9.hostname;
45756
45756
  }
45757
45757
  const nodeHttpsOptions = {
45758
- headers: request7.headers,
45758
+ headers: request9.headers,
45759
45759
  host: hostname,
45760
- method: request7.method,
45761
- path: path28,
45762
- port: request7.port,
45760
+ method: request9.method,
45761
+ path: path30,
45762
+ port: request9.port,
45763
45763
  agent,
45764
45764
  auth
45765
45765
  };
@@ -45805,7 +45805,7 @@ or increase socketAcquisitionWarningTimeout=(millis) in the NodeHttpHandler conf
45805
45805
  keepAliveMsecs: httpAgent.keepAliveMsecs
45806
45806
  });
45807
45807
  }
45808
- writeRequestBodyPromise = writeRequestBody(req, request7, effectiveRequestTimeout, this.externalAgent).catch((e5) => {
45808
+ writeRequestBodyPromise = writeRequestBody(req, request9, effectiveRequestTimeout, this.externalAgent).catch((e5) => {
45809
45809
  clearTimeouts();
45810
45810
  return _reject(e5);
45811
45811
  });
@@ -45834,8 +45834,8 @@ or increase socketAcquisitionWarningTimeout=(millis) in the NodeHttpHandler conf
45834
45834
  socketAcquisitionWarningTimeout,
45835
45835
  throwOnRequestTimeout,
45836
45836
  httpAgentProvider: async () => {
45837
- const { Agent, request: request7 } = await import("node:http");
45838
- hRequest = request7;
45837
+ const { Agent, request: request9 } = await import("node:http");
45838
+ hRequest = request9;
45839
45839
  hAgent = Agent;
45840
45840
  if (httpAgent instanceof hAgent || typeof httpAgent?.destroy === "function") {
45841
45841
  this.externalAgent = true;
@@ -46072,8 +46072,8 @@ or increase socketAcquisitionWarningTimeout=(millis) in the NodeHttpHandler conf
46072
46072
  }
46073
46073
  return this.connectionPools.get(url);
46074
46074
  }
46075
- getUrlString(request7) {
46076
- return request7.destination.toString();
46075
+ getUrlString(request9) {
46076
+ return request9.destination.toString();
46077
46077
  }
46078
46078
  connect(url) {
46079
46079
  return this.connectOptions === void 0 ? http2.connect(url) : http2.connect(url, this.connectOptions);
@@ -46104,7 +46104,7 @@ or increase socketAcquisitionWarningTimeout=(millis) in the NodeHttpHandler conf
46104
46104
  destroy() {
46105
46105
  this.connectionManager.destroy();
46106
46106
  }
46107
- async handle(request7, { abortSignal, requestTimeout, isEventStream } = {}) {
46107
+ async handle(request9, { abortSignal, requestTimeout, isEventStream } = {}) {
46108
46108
  if (!this.config) {
46109
46109
  this.config = await this.configProvider;
46110
46110
  const { disableConcurrentStreams: disableConcurrentStreams2, maxConcurrentStreams, nodeHttp2ConnectOptions } = this.config;
@@ -46136,11 +46136,11 @@ or increase socketAcquisitionWarningTimeout=(millis) in the NodeHttpHandler conf
46136
46136
  reject(abortError);
46137
46137
  return;
46138
46138
  }
46139
- const { hostname, method, port, protocol, query } = request7;
46139
+ const { hostname, method, port, protocol, query } = request9;
46140
46140
  let auth = "";
46141
- if (request7.username != null || request7.password != null) {
46142
- const username = request7.username ?? "";
46143
- const password = request7.password ?? "";
46141
+ if (request9.username != null || request9.password != null) {
46142
+ const username = request9.username ?? "";
46143
+ const password = request9.password ?? "";
46144
46144
  auth = `${username}:${password}@`;
46145
46145
  }
46146
46146
  const authority = `${protocol}//${auth}${hostname}${port ? `:${port}` : ""}`;
@@ -46159,16 +46159,16 @@ or increase socketAcquisitionWarningTimeout=(millis) in the NodeHttpHandler conf
46159
46159
  reject(err2);
46160
46160
  };
46161
46161
  const queryString = query ? protocols.buildQueryString(query) : "";
46162
- let path28 = request7.path;
46162
+ let path30 = request9.path;
46163
46163
  if (queryString) {
46164
- path28 += `?${queryString}`;
46164
+ path30 += `?${queryString}`;
46165
46165
  }
46166
- if (request7.fragment) {
46167
- path28 += `#${request7.fragment}`;
46166
+ if (request9.fragment) {
46167
+ path30 += `#${request9.fragment}`;
46168
46168
  }
46169
46169
  const clientHttp2Stream = session.request({
46170
- ...request7.headers,
46171
- [http2.constants.HTTP2_HEADER_PATH]: path28,
46170
+ ...request9.headers,
46171
+ [http2.constants.HTTP2_HEADER_PATH]: path30,
46172
46172
  [http2.constants.HTTP2_HEADER_METHOD]: method
46173
46173
  });
46174
46174
  if (effectiveRequestTimeout) {
@@ -46222,7 +46222,7 @@ or increase socketAcquisitionWarningTimeout=(millis) in the NodeHttpHandler conf
46222
46222
  rejectWithDestroy(new Error("Unexpected error: http2 request did not get a response"));
46223
46223
  }
46224
46224
  });
46225
- writeRequestBodyPromise = writeRequestBody(clientHttp2Stream, request7, effectiveRequestTimeout);
46225
+ writeRequestBodyPromise = writeRequestBody(clientHttp2Stream, request9, effectiveRequestTimeout);
46226
46226
  });
46227
46227
  }
46228
46228
  updateHttpClientConfig(key, value) {
@@ -46462,14 +46462,14 @@ Set AWS_CONTAINER_CREDENTIALS_FULL_URI or AWS_CONTAINER_CREDENTIALS_RELATIVE_URI
46462
46462
  connectionTimeout: options.timeout ?? 1e3
46463
46463
  });
46464
46464
  return (0, retry_wrapper_1.retryWrapper)(async () => {
46465
- const request7 = (0, requestHelpers_1.createGetRequest)(url);
46465
+ const request9 = (0, requestHelpers_1.createGetRequest)(url);
46466
46466
  if (token) {
46467
- request7.headers.Authorization = token;
46467
+ request9.headers.Authorization = token;
46468
46468
  } else if (tokenFile) {
46469
- request7.headers.Authorization = (await promises_1.default.readFile(tokenFile)).toString();
46469
+ request9.headers.Authorization = (await promises_1.default.readFile(tokenFile)).toString();
46470
46470
  }
46471
46471
  try {
46472
- const result2 = await requestHandler.handle(request7);
46472
+ const result2 = await requestHandler.handle(request9);
46473
46473
  return (0, requestHelpers_1.getCredentials)(result2.response).then((creds) => (0, client_1.setCredentialFeature)(creds, "CREDENTIALS_HTTP", "z"));
46474
46474
  } catch (e5) {
46475
46475
  throw new config_1.CredentialsProviderError(String(e5), { logger: options.logger });
@@ -46718,12 +46718,12 @@ var require_dist_cjs15 = __commonJS({
46718
46718
  }
46719
46719
  return ["md/nodejs", node_process.versions.node];
46720
46720
  };
46721
- var getNodeModulesParentDirs = (dirname4) => {
46721
+ var getNodeModulesParentDirs = (dirname6) => {
46722
46722
  const cwd = process.cwd();
46723
- if (!dirname4) {
46723
+ if (!dirname6) {
46724
46724
  return [cwd];
46725
46725
  }
46726
- const normalizedPath = node_path.normalize(dirname4);
46726
+ const normalizedPath = node_path.normalize(dirname6);
46727
46727
  const parts = normalizedPath.split(node_path.sep);
46728
46728
  const nodeModulesIndex = parts.indexOf("node_modules");
46729
46729
  const parentDir = nodeModulesIndex !== -1 ? parts.slice(0, nodeModulesIndex).join(node_path.sep) : normalizedPath;
@@ -46771,8 +46771,8 @@ var require_dist_cjs15 = __commonJS({
46771
46771
  tscVersion = null;
46772
46772
  return void 0;
46773
46773
  }
46774
- const dirname4 = typeof __dirname !== "undefined" ? __dirname : void 0;
46775
- const nodeModulesParentDirs = getNodeModulesParentDirs(dirname4);
46774
+ const dirname6 = typeof __dirname !== "undefined" ? __dirname : void 0;
46775
+ const nodeModulesParentDirs = getNodeModulesParentDirs(dirname6);
46776
46776
  let versionFromApp;
46777
46777
  for (const nodeModulesParentDir of nodeModulesParentDirs) {
46778
46778
  try {
@@ -47822,33 +47822,33 @@ var init_SmithyRpcV2CborProtocol = __esm({
47822
47822
  return this.codec;
47823
47823
  }
47824
47824
  async serializeRequest(operationSchema, input, context) {
47825
- const request7 = await super.serializeRequest(operationSchema, input, context);
47826
- Object.assign(request7.headers, {
47825
+ const request9 = await super.serializeRequest(operationSchema, input, context);
47826
+ Object.assign(request9.headers, {
47827
47827
  "content-type": this.getDefaultContentType(),
47828
47828
  "smithy-protocol": "rpc-v2-cbor",
47829
47829
  accept: this.getDefaultContentType()
47830
47830
  });
47831
47831
  if (deref(operationSchema.input) === "unit") {
47832
- delete request7.body;
47833
- delete request7.headers["content-type"];
47832
+ delete request9.body;
47833
+ delete request9.headers["content-type"];
47834
47834
  } else {
47835
- if (!request7.body) {
47835
+ if (!request9.body) {
47836
47836
  this.serializer.write(15, {});
47837
- request7.body = this.serializer.flush();
47837
+ request9.body = this.serializer.flush();
47838
47838
  }
47839
47839
  try {
47840
- request7.headers["content-length"] = String(request7.body.byteLength);
47840
+ request9.headers["content-length"] = String(request9.body.byteLength);
47841
47841
  } catch (e5) {
47842
47842
  }
47843
47843
  }
47844
47844
  const { service, operation: operation2 } = getSmithyContext(context);
47845
- const path28 = `/service/${service}/operation/${operation2}`;
47846
- if (request7.path.endsWith("/")) {
47847
- request7.path += path28.slice(1);
47845
+ const path30 = `/service/${service}/operation/${operation2}`;
47846
+ if (request9.path.endsWith("/")) {
47847
+ request9.path += path30.slice(1);
47848
47848
  } else {
47849
- request7.path += path28;
47849
+ request9.path += path30;
47850
47850
  }
47851
- return request7;
47851
+ return request9;
47852
47852
  }
47853
47853
  async deserializeResponse(operationSchema, context, response) {
47854
47854
  return super.deserializeResponse(operationSchema, context, response);
@@ -48068,11 +48068,11 @@ var init_AwsSmithyRpcV2CborProtocol = __esm({
48068
48068
  this.mixin = new ProtocolLib(this.awsQueryCompatible);
48069
48069
  }
48070
48070
  async serializeRequest(operationSchema, input, context) {
48071
- const request7 = await super.serializeRequest(operationSchema, input, context);
48071
+ const request9 = await super.serializeRequest(operationSchema, input, context);
48072
48072
  if (this.awsQueryCompatible) {
48073
- request7.headers["x-amzn-query-mode"] = "true";
48073
+ request9.headers["x-amzn-query-mode"] = "true";
48074
48074
  }
48075
- return request7;
48075
+ return request9;
48076
48076
  }
48077
48077
  async handleError(operationSchema, context, response, dataObject, metadata) {
48078
48078
  if (this.awsQueryCompatible) {
@@ -48777,19 +48777,19 @@ var init_AwsJsonRpcProtocol = __esm({
48777
48777
  this.mixin = new ProtocolLib(this.awsQueryCompatible);
48778
48778
  }
48779
48779
  async serializeRequest(operationSchema, input, context) {
48780
- const request7 = await super.serializeRequest(operationSchema, input, context);
48781
- if (!request7.path.endsWith("/")) {
48782
- request7.path += "/";
48780
+ const request9 = await super.serializeRequest(operationSchema, input, context);
48781
+ if (!request9.path.endsWith("/")) {
48782
+ request9.path += "/";
48783
48783
  }
48784
- request7.headers["content-type"] = `application/x-amz-json-${this.getJsonRpcVersion()}`;
48785
- request7.headers["x-amz-target"] = `${this.serviceTarget}.${operationSchema.name}`;
48784
+ request9.headers["content-type"] = `application/x-amz-json-${this.getJsonRpcVersion()}`;
48785
+ request9.headers["x-amz-target"] = `${this.serviceTarget}.${operationSchema.name}`;
48786
48786
  if (this.awsQueryCompatible) {
48787
- request7.headers["x-amzn-query-mode"] = "true";
48787
+ request9.headers["x-amzn-query-mode"] = "true";
48788
48788
  }
48789
- if (deref(operationSchema.input) === "unit" || !request7.body) {
48790
- request7.body = "{}";
48789
+ if (deref(operationSchema.input) === "unit" || !request9.body) {
48790
+ request9.body = "{}";
48791
48791
  }
48792
- return request7;
48792
+ return request9;
48793
48793
  }
48794
48794
  getPayloadCodec() {
48795
48795
  return this.codec;
@@ -48923,18 +48923,18 @@ var init_AwsRestJsonProtocol = __esm({
48923
48923
  super.setSerdeContext(serdeContext);
48924
48924
  }
48925
48925
  async serializeRequest(operationSchema, input, context) {
48926
- const request7 = await super.serializeRequest(operationSchema, input, context);
48926
+ const request9 = await super.serializeRequest(operationSchema, input, context);
48927
48927
  const inputSchema4 = NormalizedSchema.of(operationSchema.input);
48928
- if (!request7.headers["content-type"]) {
48928
+ if (!request9.headers["content-type"]) {
48929
48929
  const contentType = this.mixin.resolveRestContentType(this.getDefaultContentType(), inputSchema4);
48930
48930
  if (contentType) {
48931
- request7.headers["content-type"] = contentType;
48931
+ request9.headers["content-type"] = contentType;
48932
48932
  }
48933
48933
  }
48934
- if (request7.body == null && request7.headers["content-type"] === this.getDefaultContentType()) {
48935
- request7.body = "{}";
48934
+ if (request9.body == null && request9.headers["content-type"] === this.getDefaultContentType()) {
48935
+ request9.body = "{}";
48936
48936
  }
48937
- return request7;
48937
+ return request9;
48938
48938
  }
48939
48939
  async deserializeResponse(operationSchema, context, response) {
48940
48940
  const output = await super.deserializeResponse(operationSchema, context, response);
@@ -51401,20 +51401,20 @@ var init_AwsQueryProtocol = __esm({
51401
51401
  throw new Error("AWSQuery protocol has no payload codec.");
51402
51402
  }
51403
51403
  async serializeRequest(operationSchema, input, context) {
51404
- const request7 = await super.serializeRequest(operationSchema, input, context);
51405
- if (!request7.path.endsWith("/")) {
51406
- request7.path += "/";
51404
+ const request9 = await super.serializeRequest(operationSchema, input, context);
51405
+ if (!request9.path.endsWith("/")) {
51406
+ request9.path += "/";
51407
51407
  }
51408
- request7.headers["content-type"] = "application/x-www-form-urlencoded";
51409
- if (deref(operationSchema.input) === "unit" || !request7.body) {
51410
- request7.body = "";
51408
+ request9.headers["content-type"] = "application/x-www-form-urlencoded";
51409
+ if (deref(operationSchema.input) === "unit" || !request9.body) {
51410
+ request9.body = "";
51411
51411
  }
51412
51412
  const action = operationSchema.name.split("#")[1] ?? operationSchema.name;
51413
- request7.body = `Action=${action}&Version=${this.options.version}` + request7.body;
51414
- if (request7.body.endsWith("&")) {
51415
- request7.body = request7.body.slice(-1);
51413
+ request9.body = `Action=${action}&Version=${this.options.version}` + request9.body;
51414
+ if (request9.body.endsWith("&")) {
51415
+ request9.body = request9.body.slice(-1);
51416
51416
  }
51417
- return request7;
51417
+ return request9;
51418
51418
  }
51419
51419
  async deserializeResponse(operationSchema, context, response) {
51420
51420
  const deserializer = this.deserializer;
@@ -51924,18 +51924,18 @@ var init_AwsRestXmlProtocol = __esm({
51924
51924
  return "aws.protocols#restXml";
51925
51925
  }
51926
51926
  async serializeRequest(operationSchema, input, context) {
51927
- const request7 = await super.serializeRequest(operationSchema, input, context);
51927
+ const request9 = await super.serializeRequest(operationSchema, input, context);
51928
51928
  const inputSchema4 = NormalizedSchema.of(operationSchema.input);
51929
- if (!request7.headers["content-type"]) {
51929
+ if (!request9.headers["content-type"]) {
51930
51930
  const contentType = this.mixin.resolveRestContentType(this.getDefaultContentType(), inputSchema4);
51931
51931
  if (contentType) {
51932
- request7.headers["content-type"] = contentType;
51932
+ request9.headers["content-type"] = contentType;
51933
51933
  }
51934
51934
  }
51935
- if (typeof request7.body === "string" && request7.headers["content-type"] === this.getDefaultContentType() && !request7.body.startsWith("<?xml ") && !this.hasUnstructuredPayloadBinding(inputSchema4)) {
51936
- request7.body = '<?xml version="1.0" encoding="UTF-8"?>' + request7.body;
51935
+ if (typeof request9.body === "string" && request9.headers["content-type"] === this.getDefaultContentType() && !request9.body.startsWith("<?xml ") && !this.hasUnstructuredPayloadBinding(inputSchema4)) {
51936
+ request9.body = '<?xml version="1.0" encoding="UTF-8"?>' + request9.body;
51937
51937
  }
51938
- return request7;
51938
+ return request9;
51939
51939
  }
51940
51940
  async deserializeResponse(operationSchema, context, response) {
51941
51941
  return super.deserializeResponse(operationSchema, context, response);
@@ -54797,11 +54797,11 @@ var require_dist_cjs20 = __commonJS({
54797
54797
  createDPoPInterceptor(middlewareStack) {
54798
54798
  middlewareStack.add((next) => async (args) => {
54799
54799
  if (protocols.HttpRequest.isInstance(args.request)) {
54800
- const request7 = args.request;
54801
- const actualEndpoint = `${request7.protocol}//${request7.hostname}${request7.port ? `:${request7.port}` : ""}${request7.path}`;
54802
- const dpop = await this.generateDpop(request7.method, actualEndpoint);
54803
- request7.headers = {
54804
- ...request7.headers,
54800
+ const request9 = args.request;
54801
+ const actualEndpoint = `${request9.protocol}//${request9.hostname}${request9.port ? `:${request9.port}` : ""}${request9.path}`;
54802
+ const dpop = await this.generateDpop(request9.method, actualEndpoint);
54803
+ request9.headers = {
54804
+ ...request9.headers,
54805
54805
  DPoP: dpop
54806
54806
  };
54807
54807
  }
@@ -58840,11 +58840,22 @@ var init_kong_shared = __esm({
58840
58840
 
58841
58841
  // src/drift/kong-admin.ts
58842
58842
  import { request as request2 } from "undici";
58843
- async function fetchAll(baseUrl, resource) {
58843
+ async function fetchAll(baseUrl, resource, timeoutMs) {
58844
58844
  const out = [];
58845
58845
  let url = `${baseUrl.replace(/\/$/, "")}/${resource}`;
58846
58846
  while (url) {
58847
- const res = await request2(url, { method: "GET" });
58847
+ let res;
58848
+ try {
58849
+ res = await request2(url, {
58850
+ method: "GET",
58851
+ ...timeoutMs !== void 0 ? { signal: AbortSignal.timeout(timeoutMs) } : {}
58852
+ });
58853
+ } catch (e5) {
58854
+ if (e5.name === "TimeoutError" || e5.name === "AbortError") {
58855
+ throw new Error(`Kong admin GET ${url} timed out after ${timeoutMs}ms`);
58856
+ }
58857
+ throw e5;
58858
+ }
58848
58859
  if (res.statusCode >= 400) {
58849
58860
  throw new Error(`Kong admin GET ${url} \u2192 ${res.statusCode}`);
58850
58861
  }
@@ -58854,10 +58865,10 @@ async function fetchAll(baseUrl, resource) {
58854
58865
  }
58855
58866
  return out;
58856
58867
  }
58857
- function createHttpClient(baseUrl) {
58868
+ function createHttpClient(baseUrl, timeoutMs) {
58858
58869
  return {
58859
- routes: () => fetchAll(baseUrl, "routes"),
58860
- plugins: () => fetchAll(baseUrl, "plugins")
58870
+ routes: () => fetchAll(baseUrl, "routes", timeoutMs),
58871
+ plugins: () => fetchAll(baseUrl, "plugins", timeoutMs)
58861
58872
  };
58862
58873
  }
58863
58874
  function indexActualFromAdmin(routes, plugins, spec) {
@@ -58884,7 +58895,7 @@ function indexActualFromAdmin(routes, plugins, spec) {
58884
58895
  return out;
58885
58896
  }
58886
58897
  async function detectAdminDrift(spec, opts) {
58887
- const client = opts.client ?? createHttpClient(opts.gatewayUrl);
58898
+ const client = opts.client ?? createHttpClient(opts.gatewayUrl, opts.timeoutMs);
58888
58899
  const [routes, plugins] = await Promise.all([client.routes(), client.plugins()]);
58889
58900
  const actual = indexActualFromAdmin(routes, plugins, spec);
58890
58901
  const expected = buildExpected(spec);
@@ -60366,7 +60377,7 @@ async function runValidate(specPath, opts) {
60366
60377
  let report;
60367
60378
  switch (opts.target) {
60368
60379
  case "kong":
60369
- report = isHttp ? await detectAdminDrift(spec, { gatewayUrl: opts.gateway }) : await detectFileDrift(spec, { filePath: opts.gateway });
60380
+ report = isHttp ? await detectAdminDrift(spec, { gatewayUrl: opts.gateway, ...opts.timeoutMs !== void 0 ? { timeoutMs: opts.timeoutMs } : {} }) : await detectFileDrift(spec, { filePath: opts.gateway });
60370
60381
  break;
60371
60382
  case "coraza":
60372
60383
  if (isHttp) throw new Error("coraza drift is file-mode only \u2014 pass a path to the deployed YAML.");
@@ -60571,8 +60582,8 @@ async function bringUp(plan, opts = {}) {
60571
60582
  );
60572
60583
  }
60573
60584
  const DockerMod = await import("dockerode");
60574
- const Docker = DockerMod.default;
60575
- const docker = new Docker();
60585
+ const Docker2 = DockerMod.default;
60586
+ const docker = new Docker2();
60576
60587
  await docker.ping().catch(() => {
60577
60588
  throw new Error("Docker daemon not reachable (set DOCKER_HOST or start Docker Desktop).");
60578
60589
  });
@@ -60693,7 +60704,7 @@ var init_docker_compose = __esm({
60693
60704
 
60694
60705
  // src/test-harness/traffic.ts
60695
60706
  import { request as undiciRequest2 } from "undici";
60696
- async function sendOnce(baseUrl, req) {
60707
+ async function sendOnce(baseUrl, req, timeoutMs) {
60697
60708
  const start = Date.now();
60698
60709
  const url = baseUrl.replace(/\/$/, "") + req.path;
60699
60710
  const opts = {
@@ -60702,19 +60713,28 @@ async function sendOnce(baseUrl, req) {
60702
60713
  };
60703
60714
  if (req.body !== void 0) opts.body = req.body;
60704
60715
  if (req.timeout) opts.headersTimeout = req.timeout;
60705
- const res = await undiciRequest2(url, opts);
60706
- const buf = await res.body.arrayBuffer();
60707
- return {
60708
- status: res.statusCode,
60709
- headers: res.headers,
60710
- body: Buffer.from(buf).toString("utf8"),
60711
- durationMs: Date.now() - start
60712
- };
60716
+ if (timeoutMs !== void 0) opts.signal = AbortSignal.timeout(timeoutMs);
60717
+ try {
60718
+ const res = await undiciRequest2(url, opts);
60719
+ const buf = await res.body.arrayBuffer();
60720
+ return {
60721
+ status: res.statusCode,
60722
+ headers: res.headers,
60723
+ body: Buffer.from(buf).toString("utf8"),
60724
+ durationMs: Date.now() - start
60725
+ };
60726
+ } catch (e5) {
60727
+ const name = e5.name;
60728
+ if (name === "TimeoutError" || name === "AbortError") {
60729
+ throw new Error(`${req.method} ${url} timed out after ${timeoutMs}ms`);
60730
+ }
60731
+ throw e5;
60732
+ }
60713
60733
  }
60714
- async function sendN(baseUrl, req, count) {
60734
+ async function sendN(baseUrl, req, count, timeoutMs) {
60715
60735
  const out = [];
60716
60736
  for (let i5 = 0; i5 < count; i5++) {
60717
- out.push(await sendOnce(baseUrl, req));
60737
+ out.push(await sendOnce(baseUrl, req, timeoutMs));
60718
60738
  }
60719
60739
  return out;
60720
60740
  }
@@ -60749,7 +60769,7 @@ function result(endpoint, rule, verdict, message, startMs) {
60749
60769
  durationMs: Date.now() - startMs
60750
60770
  };
60751
60771
  }
60752
- async function assertRateLimit(baseUrl, endpoint) {
60772
+ async function assertRateLimit(baseUrl, endpoint, timeoutMs) {
60753
60773
  const rls = endpoint.policy.rateLimit;
60754
60774
  if (!rls) return [];
60755
60775
  const list2 = Array.isArray(rls) ? rls : [rls];
@@ -60758,7 +60778,7 @@ async function assertRateLimit(baseUrl, endpoint) {
60758
60778
  const start = Date.now();
60759
60779
  const total = rl.requests + 1;
60760
60780
  try {
60761
- const responses = await sendN(baseUrl, baseRequest(endpoint), total);
60781
+ const responses = await sendN(baseUrl, baseRequest(endpoint), total, timeoutMs);
60762
60782
  const last = responses[responses.length - 1];
60763
60783
  if (last.status === 429) {
60764
60784
  out.push(result(endpoint, "rateLimit", "PASS", `429 after ${rl.requests} requests`, start));
@@ -60779,12 +60799,12 @@ async function assertRateLimit(baseUrl, endpoint) {
60779
60799
  }
60780
60800
  return out;
60781
60801
  }
60782
- async function assertAuth(baseUrl, endpoint) {
60802
+ async function assertAuth(baseUrl, endpoint, timeoutMs) {
60783
60803
  const auth = endpoint.policy.authentication;
60784
60804
  if (!auth || auth.type === "none") return null;
60785
60805
  const start = Date.now();
60786
60806
  try {
60787
- const res = await sendOnce(baseUrl, baseRequest(endpoint));
60807
+ const res = await sendOnce(baseUrl, baseRequest(endpoint), timeoutMs);
60788
60808
  if (res.status === 401 || res.status === 403) {
60789
60809
  return result(endpoint, "authentication", "PASS", `Unauth \u2192 ${res.status}`, start);
60790
60810
  }
@@ -60799,7 +60819,7 @@ async function assertAuth(baseUrl, endpoint) {
60799
60819
  return result(endpoint, "authentication", "SKIP", `traffic error: ${e5.message}`, start);
60800
60820
  }
60801
60821
  }
60802
- async function assertCors(baseUrl, endpoint) {
60822
+ async function assertCors(baseUrl, endpoint, timeoutMs) {
60803
60823
  const cors = endpoint.policy.cors;
60804
60824
  if (!cors || !cors.allowedOrigins?.length) return null;
60805
60825
  const start = Date.now();
@@ -60812,7 +60832,7 @@ async function assertCors(baseUrl, endpoint) {
60812
60832
  Origin: origin,
60813
60833
  "Access-Control-Request-Method": endpoint.method
60814
60834
  }
60815
- });
60835
+ }, timeoutMs);
60816
60836
  const allowed = res.headers["access-control-allow-origin"];
60817
60837
  if (allowed && (allowed === origin || allowed === "*")) {
60818
60838
  return result(endpoint, "cors", "PASS", `CORS preflight echoed ${allowed}`, start);
@@ -60822,7 +60842,7 @@ async function assertCors(baseUrl, endpoint) {
60822
60842
  return result(endpoint, "cors", "SKIP", `traffic error: ${e5.message}`, start);
60823
60843
  }
60824
60844
  }
60825
- async function assertMaxBodySize(baseUrl, endpoint) {
60845
+ async function assertMaxBodySize(baseUrl, endpoint, timeoutMs) {
60826
60846
  const maxBody = endpoint.policy.request?.maxBodySize;
60827
60847
  if (!maxBody) return null;
60828
60848
  const start = Date.now();
@@ -60835,7 +60855,7 @@ async function assertMaxBodySize(baseUrl, endpoint) {
60835
60855
  const res = await sendOnce(baseUrl, {
60836
60856
  ...baseRequest(endpoint, { "Content-Type": "application/octet-stream" }),
60837
60857
  body: big
60838
- });
60858
+ }, timeoutMs);
60839
60859
  if (res.status === 413) {
60840
60860
  return result(endpoint, "maxBodySize", "PASS", `413 on ${bytes}B payload`, start);
60841
60861
  }
@@ -60844,7 +60864,7 @@ async function assertMaxBodySize(baseUrl, endpoint) {
60844
60864
  return result(endpoint, "maxBodySize", "SKIP", `traffic error: ${e5.message}`, start);
60845
60865
  }
60846
60866
  }
60847
- async function assertContentType(baseUrl, endpoint) {
60867
+ async function assertContentType(baseUrl, endpoint, timeoutMs) {
60848
60868
  const allowed = endpoint.policy.request?.contentType;
60849
60869
  if (!allowed?.length) return null;
60850
60870
  if (endpoint.method === "GET" || endpoint.method === "HEAD") return null;
@@ -60853,7 +60873,7 @@ async function assertContentType(baseUrl, endpoint) {
60853
60873
  const res = await sendOnce(baseUrl, {
60854
60874
  ...baseRequest(endpoint, { "Content-Type": "application/x-disallowed-type" }),
60855
60875
  body: "x"
60856
- });
60876
+ }, timeoutMs);
60857
60877
  if (res.status === 415 || res.status === 400) {
60858
60878
  return result(endpoint, "contentType", "PASS", `${res.status} on bad content-type`, start);
60859
60879
  }
@@ -60862,7 +60882,7 @@ async function assertContentType(baseUrl, endpoint) {
60862
60882
  return result(endpoint, "contentType", "SKIP", `traffic error: ${e5.message}`, start);
60863
60883
  }
60864
60884
  }
60865
- async function assertSchema(baseUrl, endpoint) {
60885
+ async function assertSchema(baseUrl, endpoint, timeoutMs) {
60866
60886
  const schema = endpoint.policy.request?.schema;
60867
60887
  if (!schema || Object.keys(schema).length === 0) return null;
60868
60888
  const start = Date.now();
@@ -60870,7 +60890,7 @@ async function assertSchema(baseUrl, endpoint) {
60870
60890
  const res = await sendOnce(baseUrl, {
60871
60891
  ...baseRequest(endpoint, { "Content-Type": "application/json" }),
60872
60892
  body: "{}"
60873
- });
60893
+ }, timeoutMs);
60874
60894
  if (res.status === 400 || res.status === 422) {
60875
60895
  return result(endpoint, "requestSchema", "PASS", `${res.status} on empty body`, start);
60876
60896
  }
@@ -60879,19 +60899,19 @@ async function assertSchema(baseUrl, endpoint) {
60879
60899
  return result(endpoint, "requestSchema", "SKIP", `traffic error: ${e5.message}`, start);
60880
60900
  }
60881
60901
  }
60882
- async function runAllAssertions(baseUrl, endpoint) {
60902
+ async function runAllAssertions(baseUrl, endpoint, timeoutMs) {
60883
60903
  const cases = [];
60884
- const auth = await assertAuth(baseUrl, endpoint);
60904
+ const auth = await assertAuth(baseUrl, endpoint, timeoutMs);
60885
60905
  if (auth) cases.push(auth);
60886
- const cors = await assertCors(baseUrl, endpoint);
60906
+ const cors = await assertCors(baseUrl, endpoint, timeoutMs);
60887
60907
  if (cors) cases.push(cors);
60888
- const ct = await assertContentType(baseUrl, endpoint);
60908
+ const ct = await assertContentType(baseUrl, endpoint, timeoutMs);
60889
60909
  if (ct) cases.push(ct);
60890
- const sz = await assertMaxBodySize(baseUrl, endpoint);
60910
+ const sz = await assertMaxBodySize(baseUrl, endpoint, timeoutMs);
60891
60911
  if (sz) cases.push(sz);
60892
- const sch = await assertSchema(baseUrl, endpoint);
60912
+ const sch = await assertSchema(baseUrl, endpoint, timeoutMs);
60893
60913
  if (sch) cases.push(sch);
60894
- cases.push(...await assertRateLimit(baseUrl, endpoint));
60914
+ cases.push(...await assertRateLimit(baseUrl, endpoint, timeoutMs));
60895
60915
  return cases;
60896
60916
  }
60897
60917
  var init_assertions = __esm({
@@ -60903,16 +60923,23 @@ var init_assertions = __esm({
60903
60923
 
60904
60924
  // src/verify/readers/kong.ts
60905
60925
  import { request as request3 } from "undici";
60906
- async function getJson(base, p2) {
60926
+ async function getJson(base, p2, timeoutMs) {
60907
60927
  const url = base.replace(/\/$/, "") + p2;
60908
60928
  try {
60909
- const res = await request3(url, { method: "GET" });
60929
+ const res = await request3(url, {
60930
+ method: "GET",
60931
+ ...timeoutMs !== void 0 ? { signal: AbortSignal.timeout(timeoutMs) } : {}
60932
+ });
60910
60933
  if (res.statusCode >= 400) {
60911
60934
  throw new Error(`${url} \u2192 HTTP ${res.statusCode}`);
60912
60935
  }
60913
60936
  const body = await res.body.json();
60914
60937
  return body;
60915
60938
  } catch (e5) {
60939
+ const name = e5.name;
60940
+ if (name === "TimeoutError" || name === "AbortError") {
60941
+ throw new Error(`${url} timed out after ${timeoutMs}ms`);
60942
+ }
60916
60943
  const msg = e5.message;
60917
60944
  if (/ECONNREFUSED|ENOTFOUND|EAI_AGAIN/.test(msg)) {
60918
60945
  throw new Error(`gateway-unreachable: ${msg}`);
@@ -60920,11 +60947,11 @@ async function getJson(base, p2) {
60920
60947
  throw e5;
60921
60948
  }
60922
60949
  }
60923
- async function listAll(base, p2) {
60950
+ async function listAll(base, p2, timeoutMs) {
60924
60951
  let url = p2;
60925
60952
  const out = [];
60926
60953
  while (url) {
60927
- const page = await getJson(base, url);
60954
+ const page = await getJson(base, url, timeoutMs);
60928
60955
  out.push(...page.data);
60929
60956
  if (page.next) {
60930
60957
  const u = new URL(page.next, base + "/");
@@ -60978,11 +61005,11 @@ var init_kong = __esm({
60978
61005
  const decl = load7(kongYml.content);
60979
61006
  return scanEmittedFromDeclarative(decl);
60980
61007
  },
60981
- async readLoadedArtifacts(gateway) {
61008
+ async readLoadedArtifacts(gateway, timeoutMs) {
60982
61009
  const [services, routes, plugins] = await Promise.all([
60983
- listAll(gateway, "/services"),
60984
- listAll(gateway, "/routes"),
60985
- listAll(gateway, "/plugins")
61010
+ listAll(gateway, "/services", timeoutMs),
61011
+ listAll(gateway, "/routes", timeoutMs),
61012
+ listAll(gateway, "/plugins", timeoutMs)
60986
61013
  ]);
60987
61014
  const routeIdToName = /* @__PURE__ */ new Map();
60988
61015
  for (const r5 of routes) if (r5.id && r5.name) routeIdToName.set(r5.id, r5.name);
@@ -61050,13 +61077,13 @@ async function readNginxConfigDump(gateway) {
61050
61077
  if (m3 && m3[1]) modsecFiles.add(m3[1]);
61051
61078
  }
61052
61079
  const extra = [];
61053
- for (const path28 of modsecFiles) {
61054
- const cat = spawnSync("docker", ["exec", name, "cat", path28], {
61080
+ for (const path30 of modsecFiles) {
61081
+ const cat = spawnSync("docker", ["exec", name, "cat", path30], {
61055
61082
  encoding: "utf8",
61056
61083
  maxBuffer: 4 * 1024 * 1024
61057
61084
  });
61058
61085
  if (cat.error || cat.status !== 0) continue;
61059
- extra.push(`# configuration file ${path28}:`);
61086
+ extra.push(`# configuration file ${path30}:`);
61060
61087
  extra.push(cat.stdout || "");
61061
61088
  }
61062
61089
  return dump4 + "\n" + extra.join("\n");
@@ -61069,8 +61096,8 @@ function listGlobInContainer(container, glob) {
61069
61096
  if (r5.error || r5.status !== 0) return [];
61070
61097
  return (r5.stdout || "").split("\n").map((s) => s.trim()).filter(Boolean);
61071
61098
  }
61072
- function fileHasWritHeader(container, path28) {
61073
- const r5 = spawnSync("docker", ["exec", container, "sh", "-c", `head -5 ${JSON.stringify(path28)} 2>/dev/null`], {
61099
+ function fileHasWritHeader(container, path30) {
61100
+ const r5 = spawnSync("docker", ["exec", container, "sh", "-c", `head -5 ${JSON.stringify(path30)} 2>/dev/null`], {
61074
61101
  encoding: "utf8",
61075
61102
  maxBuffer: 64 * 1024
61076
61103
  });
@@ -61122,8 +61149,8 @@ async function readGatewaySource(gateway) {
61122
61149
  throw new Error(msg);
61123
61150
  }
61124
61151
  }
61125
- function extractDirectives(yaml17) {
61126
- const m3 = yaml17.match(/^directives:\s*\|\s*\n([\s\S]*)$/m);
61152
+ function extractDirectives(yaml18) {
61153
+ const m3 = yaml18.match(/^directives:\s*\|\s*\n([\s\S]*)$/m);
61127
61154
  const body = m3?.[1];
61128
61155
  if (!body) return "";
61129
61156
  return body.split("\n").map((l3) => l3.replace(/^ {2}/, "")).join("\n");
@@ -61184,7 +61211,7 @@ var init_modsec_nginx = __esm({
61184
61211
  const directives = extractDirectives(yml.content);
61185
61212
  return scanEmittedRules(directives);
61186
61213
  },
61187
- async readLoadedArtifacts(gateway) {
61214
+ async readLoadedArtifacts(gateway, _timeoutMs) {
61188
61215
  const raw = await readGatewaySource(gateway);
61189
61216
  const out = [];
61190
61217
  const nginxDump = await readNginxConfigDump(gateway);
@@ -61284,8 +61311,8 @@ var init_modsec_nginx = __esm({
61284
61311
  import { readFile as readFile10 } from "node:fs/promises";
61285
61312
  import { spawnSync as spawnSync2 } from "node:child_process";
61286
61313
  import { request as request4 } from "undici";
61287
- function extractDirectives2(yaml17) {
61288
- const m3 = yaml17.match(/^directives:\s*\|\s*\n([\s\S]*)$/m);
61314
+ function extractDirectives2(yaml18) {
61315
+ const m3 = yaml18.match(/^directives:\s*\|\s*\n([\s\S]*)$/m);
61289
61316
  const body = m3?.[1];
61290
61317
  if (!body) return "";
61291
61318
  return body.split("\n").map((l3) => l3.replace(/^ {2}/, "")).join("\n");
@@ -61351,11 +61378,14 @@ var init_coraza_go = __esm({
61351
61378
  if (!yml) throw new Error("coraza generator did not emit a YAML artifact");
61352
61379
  return scanEmittedRules2(extractDirectives2(yml.content));
61353
61380
  },
61354
- async readLoadedArtifacts(gateway) {
61381
+ async readLoadedArtifacts(gateway, timeoutMs) {
61355
61382
  if (gateway.startsWith("http://") || gateway.startsWith("https://")) {
61356
61383
  const url = gateway.replace(/\/$/, "") + "/debug/rules";
61357
61384
  try {
61358
- const res = await request4(url, { method: "GET" });
61385
+ const res = await request4(url, {
61386
+ method: "GET",
61387
+ ...timeoutMs !== void 0 ? { signal: AbortSignal.timeout(timeoutMs) } : {}
61388
+ });
61359
61389
  if (res.statusCode >= 400) {
61360
61390
  throw new Error(`debug-rules endpoint returned HTTP ${res.statusCode}`);
61361
61391
  }
@@ -61363,6 +61393,10 @@ var init_coraza_go = __esm({
61363
61393
  const ids = body.rules ?? [];
61364
61394
  return ids.map((r5) => ({ id: String(r5.id), kind: "coraza-rule" }));
61365
61395
  } catch (e5) {
61396
+ const name = e5.name;
61397
+ if (name === "TimeoutError" || name === "AbortError") {
61398
+ throw new Error(`${url} timed out after ${timeoutMs}ms`);
61399
+ }
61366
61400
  const msg = e5.message;
61367
61401
  if (/ECONNREFUSED|ENOTFOUND|EAI_AGAIN/.test(msg)) throw new Error(`gateway-unreachable: ${msg}`);
61368
61402
  throw e5;
@@ -61667,7 +61701,7 @@ var init_coraza_spoa = __esm({
61667
61701
  if (!yml) throw new Error("coraza generator did not emit a YAML artifact");
61668
61702
  return scanEmittedRules3(extractDirectives3(yml.content));
61669
61703
  },
61670
- async readLoadedArtifacts(gateway) {
61704
+ async readLoadedArtifacts(gateway, _timeoutMs) {
61671
61705
  const split2 = parseSpoaGateway(gateway);
61672
61706
  const haproxyLog = split2.haproxy ? dockerLogs(split2.haproxy) : "";
61673
61707
  const spoaLog = split2.spoa ? dockerLogs(split2.spoa) : "";
@@ -61823,15 +61857,22 @@ var init_coraza_spoa = __esm({
61823
61857
  // src/verify/readers/envoy.ts
61824
61858
  import { request as request5 } from "undici";
61825
61859
  import * as yaml7 from "js-yaml";
61826
- async function getJson2(base, p2) {
61860
+ async function getJson2(base, p2, timeoutMs) {
61827
61861
  const url = base.replace(/\/$/, "") + p2;
61828
61862
  try {
61829
- const res = await request5(url, { method: "GET" });
61863
+ const res = await request5(url, {
61864
+ method: "GET",
61865
+ ...timeoutMs !== void 0 ? { signal: AbortSignal.timeout(timeoutMs) } : {}
61866
+ });
61830
61867
  if (res.statusCode >= 400) {
61831
61868
  throw new Error(`${url} \u2192 HTTP ${res.statusCode}`);
61832
61869
  }
61833
61870
  return await res.body.json();
61834
61871
  } catch (e5) {
61872
+ const name = e5.name;
61873
+ if (name === "TimeoutError" || name === "AbortError") {
61874
+ throw new Error(`${url} timed out after ${timeoutMs}ms`);
61875
+ }
61835
61876
  const msg = e5.message;
61836
61877
  if (/ECONNREFUSED|ENOTFOUND|EAI_AGAIN/.test(msg)) {
61837
61878
  throw new Error(`gateway-unreachable: ${msg}`);
@@ -61999,7 +62040,7 @@ function routeLabel(route) {
61999
62040
  const match = route.match;
62000
62041
  if (!match) return null;
62001
62042
  const sr = match.safe_regex;
62002
- const path28 = sr?.regex ?? match.prefix ?? null;
62043
+ const path30 = sr?.regex ?? match.prefix ?? null;
62003
62044
  const headers = match.headers;
62004
62045
  let method = "";
62005
62046
  if (headers) {
@@ -62011,7 +62052,7 @@ function routeLabel(route) {
62011
62052
  }
62012
62053
  }
62013
62054
  }
62014
- return path28 ? `${method} ${path28}`.trim() : null;
62055
+ return path30 ? `${method} ${path30}`.trim() : null;
62015
62056
  }
62016
62057
  function emittedToArtifacts(parsed) {
62017
62058
  const out = [];
@@ -62063,8 +62104,8 @@ function emittedToArtifacts(parsed) {
62063
62104
  });
62064
62105
  }
62065
62106
  for (const key of parsed.endpointPolicies) {
62066
- const [method, path28] = key.split(":", 2);
62067
- const endpoint = method && path28 ? `${method} ${path28}` : key;
62107
+ const [method, path30] = key.split(":", 2);
62108
+ const endpoint = method && path30 ? `${method} ${path30}` : key;
62068
62109
  push({
62069
62110
  id: key,
62070
62111
  kind: "envoy-endpoint-policy",
@@ -62107,11 +62148,11 @@ var init_envoy3 = __esm({
62107
62148
  const parsed = parseEmittedSnippet(envoyYaml.content);
62108
62149
  return emittedToArtifacts(parsed);
62109
62150
  },
62110
- async readLoadedArtifacts(gateway) {
62151
+ async readLoadedArtifacts(gateway, timeoutMs) {
62111
62152
  const [listeners, clusters, configDump] = await Promise.all([
62112
- getJson2(gateway, "/listeners?format=json").catch(() => ({})),
62113
- getJson2(gateway, "/clusters?format=json").catch(() => ({})),
62114
- getJson2(gateway, "/config_dump?include_eds=false")
62153
+ getJson2(gateway, "/listeners?format=json", timeoutMs).catch(() => ({})),
62154
+ getJson2(gateway, "/clusters?format=json", timeoutMs).catch(() => ({})),
62155
+ getJson2(gateway, "/config_dump?include_eds=false", timeoutMs)
62115
62156
  ]);
62116
62157
  const out = [];
62117
62158
  const filterNames = /* @__PURE__ */ new Set();
@@ -62287,7 +62328,7 @@ var init_bunkerweb3 = __esm({
62287
62328
  line: r5.line
62288
62329
  }));
62289
62330
  },
62290
- async readLoadedArtifacts(gateway) {
62331
+ async readLoadedArtifacts(gateway, _timeoutMs) {
62291
62332
  const split2 = parseBunkerwebGateway(gateway);
62292
62333
  const dump4 = dumpNginxConfig(split2.bunkerweb);
62293
62334
  const ids = /* @__PURE__ */ new Set();
@@ -62419,8 +62460,8 @@ function parseOpenappsecPolicy(policyYaml) {
62419
62460
  const name = typeof obj.name === "string" ? obj.name : void 0;
62420
62461
  const binding = obj.binding;
62421
62462
  const method = binding && typeof binding.method === "string" ? binding.method : "";
62422
- const path28 = binding && typeof binding.path === "string" ? binding.path : "";
62423
- if (name && method && path28) schemaEntries.push({ name, endpoint: `${method} ${path28}` });
62463
+ const path30 = binding && typeof binding.path === "string" ? binding.path : "";
62464
+ if (name && method && path30) schemaEntries.push({ name, endpoint: `${method} ${path30}` });
62424
62465
  }
62425
62466
  }
62426
62467
  return { practices, assets, triggers, customResponses, schemaEntries };
@@ -62496,7 +62537,7 @@ var init_openappsec3 = __esm({
62496
62537
  if (!policy) throw new Error("openappsec generator did not emit policy.yaml");
62497
62538
  return policyToArtifacts(parseOpenappsecPolicy(policy.content));
62498
62539
  },
62499
- async readLoadedArtifacts(gateway) {
62540
+ async readLoadedArtifacts(gateway, _timeoutMs) {
62500
62541
  if (!gateway.startsWith("docker:")) {
62501
62542
  throw new Error(`openappsec gateway must be docker:<container> (got "${gateway}")`);
62502
62543
  }
@@ -62694,7 +62735,7 @@ async function runVerify(specPath, opts) {
62694
62735
  }
62695
62736
  let unreachable = false;
62696
62737
  try {
62697
- loaded = await reader.readLoadedArtifacts(opts.gateway);
62738
+ loaded = await reader.readLoadedArtifacts(opts.gateway, opts.timeoutMs);
62698
62739
  } catch (e5) {
62699
62740
  const msg = e5.message;
62700
62741
  diagnostics.push(`gateway read error: ${msg}`);
@@ -62856,7 +62897,7 @@ ${plan.yaml}`,
62856
62897
  const cases = [];
62857
62898
  try {
62858
62899
  await handle.ready();
62859
- const coverageOk = await verifyCoverageOrSkip(specPath, target, handle);
62900
+ const coverageOk = await verifyCoverageOrSkip(specPath, target, handle, opts.timeoutMs);
62860
62901
  if (coverageOk === false) {
62861
62902
  cases.push({
62862
62903
  endpoint: "(gateway)",
@@ -62867,7 +62908,7 @@ ${plan.yaml}`,
62867
62908
  });
62868
62909
  } else {
62869
62910
  for (const e5 of spec.endpoints) {
62870
- cases.push(...await runAllAssertions(handle.gatewayUrl, e5));
62911
+ cases.push(...await runAllAssertions(handle.gatewayUrl, e5, opts.timeoutMs));
62871
62912
  }
62872
62913
  }
62873
62914
  } finally {
@@ -62893,32 +62934,36 @@ ${plan.yaml}`,
62893
62934
  const failures = cases.filter((c5) => c5.verdict === "FAIL").length;
62894
62935
  return { report, rendered, composeYaml: plan.yaml, exitCode: failures > 0 ? 1 : 0 };
62895
62936
  }
62896
- async function verifyCoverageOrSkip(specPath, target, handle) {
62937
+ async function verifyCoverageOrSkip(specPath, target, handle, timeoutMs) {
62938
+ const timeoutOpt = timeoutMs !== void 0 ? { timeoutMs } : {};
62897
62939
  try {
62898
62940
  if (target === "kong") {
62899
62941
  const adminUrl = handle.gatewayUrl.replace(/:(\d+)$/, (_, p2) => `:${Number(p2) + 1}`);
62900
- const r5 = await runVerify(specPath, { target: "kong", gateway: adminUrl });
62942
+ const r5 = await runVerify(specPath, { target: "kong", gateway: adminUrl, ...timeoutOpt });
62901
62943
  return r5.exitCode === 0;
62902
62944
  }
62903
62945
  if (target === "coraza") {
62904
62946
  const r5 = await runVerify(specPath, {
62905
62947
  target: "coraza",
62906
62948
  engine: "modsec-nginx",
62907
- gateway: `docker:${handle.gatewayContainerName}`
62949
+ gateway: `docker:${handle.gatewayContainerName}`,
62950
+ ...timeoutOpt
62908
62951
  });
62909
62952
  return r5.exitCode === 0;
62910
62953
  }
62911
62954
  if (target === "bunkerweb") {
62912
62955
  const r5 = await runVerify(specPath, {
62913
62956
  target: "bunkerweb",
62914
- gateway: `docker:${handle.gatewayContainerName}`
62957
+ gateway: `docker:${handle.gatewayContainerName}`,
62958
+ ...timeoutOpt
62915
62959
  });
62916
62960
  return r5.exitCode === 0;
62917
62961
  }
62918
62962
  if (target === "openappsec") {
62919
62963
  const r5 = await runVerify(specPath, {
62920
62964
  target: "openappsec",
62921
- gateway: `docker:${handle.gatewayContainerName}`
62965
+ gateway: `docker:${handle.gatewayContainerName}`,
62966
+ ...timeoutOpt
62922
62967
  });
62923
62968
  return r5.exitCode === 0;
62924
62969
  }
@@ -63768,9 +63813,9 @@ var init_init = __esm({
63768
63813
  // ../cursor-mcp/dist/tools/propose-annotation.js
63769
63814
  function propose(input) {
63770
63815
  const method = (input.method ?? "GET").toUpperCase();
63771
- const path28 = input.path ?? "/";
63816
+ const path30 = input.path ?? "/";
63772
63817
  const desc = (input.description ?? "").toLowerCase();
63773
- const lower = path28.toLowerCase();
63818
+ const lower = path30.toLowerCase();
63774
63819
  const rationale = [];
63775
63820
  const isAuthEndpoint = /\/(login|signin|signup|register|auth|token|password[-_/]?reset|forgot[-_/]?password)\b/.test(lower) || desc.includes("login") || desc.includes("sign in") || desc.includes("signup");
63776
63821
  const isAdmin = /\/admin(\/|$)/.test(lower) || desc.includes("admin");
@@ -63808,7 +63853,7 @@ function propose(input) {
63808
63853
  const maxBody = isUpload ? "10MB" : "32KB";
63809
63854
  if (isUpload)
63810
63855
  rationale.push("upload endpoint \u2014 10MB body cap");
63811
- const hasIdParam = /\{[^}]+\}/.test(path28) || /:[A-Za-z_][\w]*/.test(path28);
63856
+ const hasIdParam = /\{[^}]+\}/.test(path30) || /:[A-Za-z_][\w]*/.test(path30);
63812
63857
  if (hasIdParam) {
63813
63858
  rationale.push("path has a resource identifier \u2014 add authorization rules to prevent IDOR (API1:2023)");
63814
63859
  }
@@ -63865,12 +63910,12 @@ var init_propose_annotation = __esm({
63865
63910
  if (!input.method || !input.path) {
63866
63911
  throw new Error("method and path are required");
63867
63912
  }
63868
- const { yaml: yaml17, rationale } = propose(input);
63913
+ const { yaml: yaml18, rationale } = propose(input);
63869
63914
  return `# Proposed x-security for ${input.method.toUpperCase()} ${input.path}
63870
63915
  # Rationale:
63871
63916
  ` + rationale.map((r5) => `# - ${r5}`).join("\n") + `
63872
63917
 
63873
- ${yaml17}`;
63918
+ ${yaml18}`;
63874
63919
  }
63875
63920
  };
63876
63921
  }
@@ -64288,11 +64333,11 @@ async function runVerifyBundle(tarballPath, opts = {}) {
64288
64333
  } else {
64289
64334
  pubKeyPem = BUNDLE_VERIFY_PUBLIC_KEY;
64290
64335
  }
64291
- const tmpdir4 = fs.mkdtempSync(path6.join(os2.tmpdir(), "writ-verify-"));
64336
+ const tmpdir5 = fs.mkdtempSync(path6.join(os2.tmpdir(), "writ-verify-"));
64292
64337
  try {
64293
- await extractTarball(tarballPath, tmpdir4);
64294
- const manifestPath = path6.join(tmpdir4, MANIFEST);
64295
- const sigPath = path6.join(tmpdir4, SIG);
64338
+ await extractTarball(tarballPath, tmpdir5);
64339
+ const manifestPath = path6.join(tmpdir5, MANIFEST);
64340
+ const sigPath = path6.join(tmpdir5, SIG);
64296
64341
  if (!fs.existsSync(manifestPath)) {
64297
64342
  return { exitCode: 1, message: `verify-bundle: ${MANIFEST} missing from bundle` };
64298
64343
  }
@@ -64321,7 +64366,7 @@ async function runVerifyBundle(tarballPath, opts = {}) {
64321
64366
  };
64322
64367
  }
64323
64368
  const expectedHex = expected.slice("sha256:".length).toLowerCase();
64324
- const filePath = path6.join(tmpdir4, relPath);
64369
+ const filePath = path6.join(tmpdir5, relPath);
64325
64370
  if (!fs.existsSync(filePath)) {
64326
64371
  process.stderr.write(`hash mismatch: ${relPath} (missing from bundle)
64327
64372
  `);
@@ -64360,7 +64405,7 @@ pubkey fingerprint: ${fingerprint}`,
64360
64405
  };
64361
64406
  } finally {
64362
64407
  try {
64363
- fs.rmSync(tmpdir4, { recursive: true, force: true });
64408
+ fs.rmSync(tmpdir5, { recursive: true, force: true });
64364
64409
  } catch {
64365
64410
  }
64366
64411
  }
@@ -64424,6 +64469,7 @@ async function runVerifyCli(specPath, opts) {
64424
64469
  };
64425
64470
  if (engine) runOpts.engine = engine;
64426
64471
  if (opts.threshold !== void 0) runOpts.thresholdPct = opts.threshold;
64472
+ if (opts.timeoutMs !== void 0) runOpts.timeoutMs = opts.timeoutMs;
64427
64473
  const r5 = await runVerify(specPath, runOpts);
64428
64474
  return { rendered: r5.rendered, exitCode: r5.exitCode, passed: r5.report.passed };
64429
64475
  }
@@ -67102,8 +67148,8 @@ function isSelfMutationBodyOwnership(route, policy) {
67102
67148
  const hasBodyOwnership = fields.some((f5) => f5.loc === "body");
67103
67149
  if (!hasBodyOwnership)
67104
67150
  return false;
67105
- const path28 = route.path.toLowerCase();
67106
- if (SELF_MUTATION_PATH_TOKENS.some((t) => path28.includes(t)))
67151
+ const path30 = route.path.toLowerCase();
67152
+ if (SELF_MUTATION_PATH_TOKENS.some((t) => path30.includes(t)))
67107
67153
  return true;
67108
67154
  const pinsRequestVisibleId = fields.some((f5) => f5.loc === "path" || f5.loc === "params" || f5.loc === "query");
67109
67155
  return !pinsRequestVisibleId;
@@ -67406,8 +67452,8 @@ function normPath(p2) {
67406
67452
  }
67407
67453
  return out;
67408
67454
  }
67409
- function routeKey(method, path28) {
67410
- return `${method}\0${normPath(path28)}`;
67455
+ function routeKey(method, path30) {
67456
+ return `${method}\0${normPath(path30)}`;
67411
67457
  }
67412
67458
  function dedupeRoutes(routes) {
67413
67459
  const seen = /* @__PURE__ */ new Map();
@@ -67437,8 +67483,8 @@ function dedupeRoutes(routes) {
67437
67483
  }
67438
67484
  return out;
67439
67485
  }
67440
- function underMount(prefix, path28) {
67441
- const p2 = "/" + path28.replace(/^\/+/, "");
67486
+ function underMount(prefix, path30) {
67487
+ const p2 = "/" + path30.replace(/^\/+/, "");
67442
67488
  const full = prefix ? prefix.replace(/\/+$/, "") + p2 : p2;
67443
67489
  return full.replace(/\/\/+/g, "/");
67444
67490
  }
@@ -70057,8 +70103,8 @@ function compileAssumptionsToPolicy(emission) {
70057
70103
  return { emission, applied: [] };
70058
70104
  const applied = [];
70059
70105
  const policy = emission.policy ? structuredClone(emission.policy) : {};
70060
- const request7 = policy["request"] ??= {};
70061
- const schema = request7["schema"] ??= {};
70106
+ const request9 = policy["request"] ??= {};
70107
+ const schema = request9["schema"] ??= {};
70062
70108
  for (const a5 of emission.assumptions) {
70063
70109
  if (a5.confidence !== "high" && a5.confidence !== "medium")
70064
70110
  continue;
@@ -70121,8 +70167,8 @@ function compileAssumptionsToPolicy(emission) {
70121
70167
  continue;
70122
70168
  }
70123
70169
  if (hint.kind === "denyUnknownFields") {
70124
- if (request7["denyUnknownFields"] !== true) {
70125
- request7["denyUnknownFields"] = true;
70170
+ if (request9["denyUnknownFields"] !== true) {
70171
+ request9["denyUnknownFields"] = true;
70126
70172
  applied.push("request.denyUnknownFields:true");
70127
70173
  }
70128
70174
  continue;
@@ -70155,10 +70201,10 @@ function compileAssumptionsToPolicy(emission) {
70155
70201
  continue;
70156
70202
  }
70157
70203
  if (hint.kind === "contentType") {
70158
- if (request7["contentType"] !== void 0)
70204
+ if (request9["contentType"] !== void 0)
70159
70205
  continue;
70160
70206
  const allowed = hint.allowed && hint.allowed.length > 0 ? hint.allowed : ["application/json"];
70161
- request7["contentType"] = allowed;
70207
+ request9["contentType"] = allowed;
70162
70208
  applied.push(`request.contentType:[${allowed.join(",")}]`);
70163
70209
  continue;
70164
70210
  }
@@ -72039,12 +72085,12 @@ function dismissalProvesOwnership(cites, surface) {
72039
72085
  return PRINCIPAL_TOKEN_RE2.test(q2) && COMPARE_OR_BIND_RE.test(q2);
72040
72086
  });
72041
72087
  }
72042
- function isSensitivePath(path28) {
72043
- const p2 = path28.toLowerCase();
72088
+ function isSensitivePath(path30) {
72089
+ const p2 = path30.toLowerCase();
72044
72090
  return SENSITIVE_PATH_TOKENS.some((t) => p2.includes(t));
72045
72091
  }
72046
- function isAuthEndpointPath(path28) {
72047
- const p2 = path28.toLowerCase();
72092
+ function isAuthEndpointPath(path30) {
72093
+ const p2 = path30.toLowerCase();
72048
72094
  return AUTH_ENDPOINT_PATH_TOKENS.some((t) => p2.includes(t));
72049
72095
  }
72050
72096
  function findCredentialCheck(pack) {
@@ -72175,7 +72221,7 @@ function citedDismissalCovers(cites, surface) {
72175
72221
  function assessRouteDepth(args) {
72176
72222
  const { policy, pack } = args;
72177
72223
  const method = args.method.toUpperCase();
72178
- const path28 = args.path ?? "";
72224
+ const path30 = args.path ?? "";
72179
72225
  const auth = args.auth;
72180
72226
  const dismissalCites = args.dismissalCites;
72181
72227
  const gaps = [];
@@ -72252,7 +72298,7 @@ function assessRouteDepth(args) {
72252
72298
  }
72253
72299
  }
72254
72300
  {
72255
- const sensitive = isSensitivePath(path28) || emitsPrincipalScopedOutput(pack);
72301
+ const sensitive = isSensitivePath(path30) || emitsPrincipalScopedOutput(pack);
72256
72302
  const hasAuthBlock = Boolean(policy.authentication && policy.authentication.type && policy.authentication.type !== "none");
72257
72303
  const c1 = sensitive && authChainResolvedEmpty && !hasAuthBlock;
72258
72304
  const c22 = sensitive && !authChainResolvedEmpty && !hasAuthBlock;
@@ -72263,7 +72309,7 @@ function assessRouteDepth(args) {
72263
72309
  const why = c1 ? `the resolved auth chain is EMPTY (no middleware, no inline auth call)` : `app middleware exists but the emitted policy carries no authentication block (the gateway is the enforcement point, not app middleware)`;
72264
72310
  const gap = {
72265
72311
  kind: "sensitive-route-no-auth",
72266
- detail: `${method} ${path28 || "(route)"} is sensitive (path token or principal-scoped output) and ${why}. Emit an authentication block, or cite a public-routes allowlist line proving it is intentionally public.`,
72312
+ detail: `${method} ${path30 || "(route)"} is sensitive (path token or principal-scoped output) and ${why}. Emit an authentication block, or cite a public-routes allowlist line proving it is intentionally public.`,
72267
72313
  surface: surfaceCite
72268
72314
  };
72269
72315
  gaps.push(gap);
@@ -72272,7 +72318,7 @@ function assessRouteDepth(args) {
72272
72318
  }
72273
72319
  {
72274
72320
  const credCheck = findCredentialCheck(pack);
72275
- const isAuthEndpoint = isAuthEndpointPath(path28) || credCheck !== null;
72321
+ const isAuthEndpoint = isAuthEndpointPath(path30) || credCheck !== null;
72276
72322
  if (isAuthEndpoint && !rateLimitPresent(policy.rateLimit)) {
72277
72323
  const surfaceCite = credCheck ?? (pack.handlerSnippet ? {
72278
72324
  file: pack.handlerSnippet.file,
@@ -72282,7 +72328,7 @@ function assessRouteDepth(args) {
72282
72328
  if (surfaceCite && !citedDismissalCovers(dismissalCites, surfaceCite)) {
72283
72329
  gaps.push({
72284
72330
  kind: "auth-endpoint-no-rate-limit",
72285
- detail: `${method} ${path28 || "(route)"} is an authentication/credential endpoint with no rateLimit \u2014 a brute-force surface. Emit a rateLimit (e.g. { requests: 5, window: '1m', identifier: 'ip' }) or cite why it is intentionally unthrottled.`,
72331
+ detail: `${method} ${path30 || "(route)"} is an authentication/credential endpoint with no rateLimit \u2014 a brute-force surface. Emit a rateLimit (e.g. { requests: 5, window: '1m', identifier: 'ip' }) or cite why it is intentionally unthrottled.`,
72286
72332
  surface: surfaceCite
72287
72333
  });
72288
72334
  }
@@ -73100,8 +73146,8 @@ var init_push = __esm({
73100
73146
  PushError = class extends Error {
73101
73147
  };
73102
73148
  defaultPoster = async (url, init) => {
73103
- const { request: request7 } = await import("undici");
73104
- const res = await request7(url, { method: "POST", headers: init.headers, body: init.body });
73149
+ const { request: request9 } = await import("undici");
73150
+ const res = await request9(url, { method: "POST", headers: init.headers, body: init.body });
73105
73151
  const text = await res.body.text();
73106
73152
  let body = text;
73107
73153
  try {
@@ -74419,10 +74465,517 @@ var init_byo_commands = __esm({
74419
74465
  }
74420
74466
  });
74421
74467
 
74468
+ // src/commands/doctor.ts
74469
+ import Docker from "dockerode";
74470
+ import { request as request7 } from "undici";
74471
+ async function runDoctor(opts = {}) {
74472
+ const checks = [checkNode(), await checkDocker()];
74473
+ if (opts.gateway) {
74474
+ checks.push(await checkGateway(opts.gateway, opts.timeoutMs ?? DEFAULT_GATEWAY_TIMEOUT_MS));
74475
+ }
74476
+ const exitCode = checks.some((c5) => c5.status === "fail") ? 1 : 0;
74477
+ const rendered = opts.format === "json" ? renderJson2(checks, exitCode) : renderTable3(checks);
74478
+ return { exitCode, rendered, checks };
74479
+ }
74480
+ function checkNode() {
74481
+ const version = process.versions.node;
74482
+ const major = Number(version.split(".")[0]);
74483
+ const ok2 = major >= MIN_NODE_MAJOR;
74484
+ return {
74485
+ name: "node",
74486
+ status: ok2 ? "ok" : "fail",
74487
+ detail: `v${version} (requires >=${MIN_NODE_MAJOR})`
74488
+ };
74489
+ }
74490
+ async function checkDocker() {
74491
+ try {
74492
+ const docker = new Docker();
74493
+ await withTimeout(docker.ping(), DOCKER_PING_TIMEOUT_MS);
74494
+ return { name: "docker", status: "ok", detail: "daemon reachable" };
74495
+ } catch (e5) {
74496
+ return {
74497
+ name: "docker",
74498
+ status: "warn",
74499
+ detail: `Docker not reachable \u2014 only needed for \`test\` (${e5.message})`
74500
+ };
74501
+ }
74502
+ }
74503
+ function withTimeout(p2, ms) {
74504
+ return new Promise((resolve2, reject) => {
74505
+ const timer = setTimeout(() => reject(new Error(`timed out after ${ms}ms`)), ms);
74506
+ p2.then(
74507
+ (v) => {
74508
+ clearTimeout(timer);
74509
+ resolve2(v);
74510
+ },
74511
+ (e5) => {
74512
+ clearTimeout(timer);
74513
+ reject(e5);
74514
+ }
74515
+ );
74516
+ });
74517
+ }
74518
+ function isHttpUrl(value) {
74519
+ try {
74520
+ const u = new URL(value);
74521
+ return u.protocol === "http:" || u.protocol === "https:";
74522
+ } catch {
74523
+ return false;
74524
+ }
74525
+ }
74526
+ async function checkGateway(gateway, timeoutMs) {
74527
+ if (!isHttpUrl(gateway)) {
74528
+ return {
74529
+ name: "gateway",
74530
+ status: "ok",
74531
+ detail: `skipped: non-HTTP gateway (${gateway})`
74532
+ };
74533
+ }
74534
+ try {
74535
+ await request7(gateway, { signal: AbortSignal.timeout(timeoutMs) });
74536
+ return { name: "gateway", status: "ok", detail: `reachable at ${gateway}` };
74537
+ } catch (e5) {
74538
+ return {
74539
+ name: "gateway",
74540
+ status: "fail",
74541
+ detail: `unreachable: ${gateway} (${e5.message})`
74542
+ };
74543
+ }
74544
+ }
74545
+ function renderJson2(checks, exitCode) {
74546
+ return JSON.stringify({ checks, ok: exitCode === 0 }, null, 2) + "\n";
74547
+ }
74548
+ function renderTable3(checks) {
74549
+ const nameWidth = Math.max(...checks.map((c5) => c5.name.length));
74550
+ const lines = checks.map(
74551
+ (c5) => `[${c5.status}]${" ".repeat(Math.max(1, 6 - c5.status.length))}${c5.name.padEnd(nameWidth)} ${c5.detail}`
74552
+ );
74553
+ return lines.join("\n") + "\n";
74554
+ }
74555
+ function registerDoctor(program2) {
74556
+ program2.command("doctor").description("Preflight: check Node, Docker, and (optionally) a gateway URL are usable.").option("--format <fmt>", "table|json (default table)", "table").option("--gateway <url>", "Also check this gateway admin URL is reachable").option("--timeout <ms>", "Gateway reachability timeout (default 3000)", (v) => Number(v)).action(async (opts) => {
74557
+ try {
74558
+ const doctorOpts = { format: opts.format };
74559
+ if (opts.gateway !== void 0) doctorOpts.gateway = opts.gateway;
74560
+ if (opts.timeout !== void 0) doctorOpts.timeoutMs = opts.timeout;
74561
+ const r5 = await runDoctor(doctorOpts);
74562
+ process.stdout.write(r5.rendered);
74563
+ process.exit(r5.exitCode);
74564
+ } catch (e5) {
74565
+ process.stderr.write(`doctor failed: ${e5.message}
74566
+ `);
74567
+ process.exit(1);
74568
+ }
74569
+ });
74570
+ }
74571
+ var MIN_NODE_MAJOR, DEFAULT_GATEWAY_TIMEOUT_MS, DOCKER_PING_TIMEOUT_MS;
74572
+ var init_doctor = __esm({
74573
+ "src/commands/doctor.ts"() {
74574
+ "use strict";
74575
+ MIN_NODE_MAJOR = 20;
74576
+ DEFAULT_GATEWAY_TIMEOUT_MS = 3e3;
74577
+ DOCKER_PING_TIMEOUT_MS = 2e3;
74578
+ }
74579
+ });
74580
+
74581
+ // src/bin/completion.ts
74582
+ function sanitizeIdentifier(binName) {
74583
+ return binName.replace(/[^A-Za-z0-9_]/g, "_");
74584
+ }
74585
+ function generateBash(binName, subcommands) {
74586
+ const fnName = `_${sanitizeIdentifier(binName)}_completions`;
74587
+ const words = subcommands.join(" ");
74588
+ return `# bash completion for ${binName}
74589
+ ${fnName}() {
74590
+ local cur
74591
+ cur="\${COMP_WORDS[1]}"
74592
+ COMPREPLY=( $(compgen -W "${words}" -- "$cur") )
74593
+ }
74594
+ complete -F ${fnName} ${binName}
74595
+ `;
74596
+ }
74597
+ function generateZsh(binName, subcommands) {
74598
+ const words = subcommands.join(" ");
74599
+ return `#compdef ${binName}
74600
+ # zsh completion for ${binName}
74601
+ _${sanitizeIdentifier(binName)}() {
74602
+ local -a subcommands
74603
+ subcommands=(${words})
74604
+ _describe 'command' subcommands
74605
+ }
74606
+ compdef _${sanitizeIdentifier(binName)} ${binName}
74607
+ `;
74608
+ }
74609
+ function generateFish(binName, subcommands) {
74610
+ const words = subcommands.join(" ");
74611
+ return `# fish completion for ${binName}
74612
+ complete -c ${binName} -f -n '__fish_use_subcommand' -a '${words}'
74613
+ `;
74614
+ }
74615
+ function generateCompletion(shell, binName, subcommands) {
74616
+ switch (shell) {
74617
+ case "bash":
74618
+ return generateBash(binName, subcommands);
74619
+ case "zsh":
74620
+ return generateZsh(binName, subcommands);
74621
+ case "fish":
74622
+ return generateFish(binName, subcommands);
74623
+ }
74624
+ }
74625
+ function isSupportedShell(shell) {
74626
+ return SUPPORTED_SHELLS.includes(shell);
74627
+ }
74628
+ function registerCompletion(program2) {
74629
+ program2.command("completion [shell]").description(
74630
+ 'Print a shell completion script. Usage: eval "$(<bin> completion zsh)" or add to your rc file.'
74631
+ ).addHelpText(
74632
+ "after",
74633
+ `
74634
+ Examples:
74635
+ # bash: add to ~/.bashrc
74636
+ eval "$(${program2.name()} completion bash)"
74637
+
74638
+ # zsh: add to ~/.zshrc
74639
+ eval "$(${program2.name()} completion zsh)"
74640
+
74641
+ # fish: write to a completions file
74642
+ ${program2.name()} completion fish > ~/.config/fish/completions/${program2.name()}.fish
74643
+ `
74644
+ ).action((shell) => {
74645
+ const binName = program2.name();
74646
+ const subcommands = program2.commands.map((c5) => c5.name()).filter((name) => name !== "completion" && name !== "help");
74647
+ const resolvedShell = shell ?? "bash";
74648
+ if (!isSupportedShell(resolvedShell)) {
74649
+ process.stderr.write(`unsupported shell "${resolvedShell}" (use bash|zsh|fish)
74650
+ `);
74651
+ process.exit(1);
74652
+ return;
74653
+ }
74654
+ process.stdout.write(generateCompletion(resolvedShell, binName, subcommands));
74655
+ });
74656
+ }
74657
+ var SUPPORTED_SHELLS;
74658
+ var init_completion = __esm({
74659
+ "src/bin/completion.ts"() {
74660
+ "use strict";
74661
+ SUPPORTED_SHELLS = ["bash", "zsh", "fish"];
74662
+ }
74663
+ });
74664
+
74665
+ // src/bin/update-check.ts
74666
+ import { readFileSync as readFileSync4 } from "node:fs";
74667
+ import { dirname as dirname4, join as join12 } from "node:path";
74668
+ import { fileURLToPath as fileURLToPath2 } from "node:url";
74669
+ import { request as request8 } from "undici";
74670
+ function resolvePackageMeta() {
74671
+ const here = dirname4(fileURLToPath2(import.meta.url));
74672
+ for (const rel of ["../package.json", "../../package.json"]) {
74673
+ try {
74674
+ const pkg = JSON.parse(readFileSync4(join12(here, rel), "utf8"));
74675
+ if (typeof pkg.name === "string" && typeof pkg.version === "string") {
74676
+ return { name: pkg.name, version: pkg.version };
74677
+ }
74678
+ } catch {
74679
+ }
74680
+ }
74681
+ return { name: "x-security", version: "0.0.0" };
74682
+ }
74683
+ async function fetchLatestVersion(name, timeoutMs = 2e3) {
74684
+ try {
74685
+ const { body } = await request8(`https://registry.npmjs.org/${encodeURIComponent(name)}/latest`, {
74686
+ signal: AbortSignal.timeout(timeoutMs)
74687
+ });
74688
+ const json = await body.json();
74689
+ return typeof json.version === "string" ? json.version : null;
74690
+ } catch {
74691
+ return null;
74692
+ }
74693
+ }
74694
+ function toSegments(v) {
74695
+ const [major, minor, patch] = v.split(".").map((n2) => parseInt(n2, 10));
74696
+ return [major || 0, minor || 0, patch || 0];
74697
+ }
74698
+ function isNewer(latest, current) {
74699
+ const [aMajor, aMinor, aPatch] = toSegments(latest);
74700
+ const [bMajor, bMinor, bPatch] = toSegments(current);
74701
+ if (aMajor !== bMajor) return aMajor > bMajor;
74702
+ if (aMinor !== bMinor) return aMinor > bMinor;
74703
+ return aPatch > bPatch;
74704
+ }
74705
+ function truthyEnv(v) {
74706
+ return !!v && v !== "0" && v.toLowerCase() !== "false";
74707
+ }
74708
+ function registerUpdateCheck(program2) {
74709
+ program2.command("update-check").description("Check npm for a newer release (explicit; makes one network call).").option("--timeout <ms>", "Registry request timeout in ms", (v) => Number(v)).action(async (opts) => {
74710
+ const { name, version } = resolvePackageMeta();
74711
+ const latest = await fetchLatestVersion(name, opts.timeout);
74712
+ if (latest === null) {
74713
+ process.stderr.write("update-check failed: could not reach npm registry\n");
74714
+ process.exit(1);
74715
+ return;
74716
+ }
74717
+ if (isNewer(latest, version)) {
74718
+ process.stdout.write(`update available: ${version} \u2192 ${latest} (npm i -g ${name}@latest)
74719
+ `);
74720
+ } else {
74721
+ process.stdout.write(`up to date (v${version})
74722
+ `);
74723
+ }
74724
+ });
74725
+ program2.hook("postAction", async () => {
74726
+ if (!truthyEnv(process.env.XSECURITY_UPDATE_CHECK)) return;
74727
+ if (truthyEnv(process.env.NO_UPDATE_NOTIFIER) || truthyEnv(process.env.XSECURITY_NO_UPDATE_CHECK)) return;
74728
+ try {
74729
+ const { name, version } = resolvePackageMeta();
74730
+ const latest = await fetchLatestVersion(name);
74731
+ if (latest !== null && isNewer(latest, version)) {
74732
+ process.stderr.write(`\u21E1 x-security ${latest} available (you have ${version}) \u2014 run: ${name} update-check
74733
+ `);
74734
+ }
74735
+ } catch {
74736
+ }
74737
+ });
74738
+ }
74739
+ var init_update_check = __esm({
74740
+ "src/bin/update-check.ts"() {
74741
+ "use strict";
74742
+ }
74743
+ });
74744
+
74745
+ // src/config/defaults.ts
74746
+ import { existsSync as existsSync4, readFileSync as readFileSync5 } from "node:fs";
74747
+ import os3 from "node:os";
74748
+ import path28 from "node:path";
74749
+ import yaml17 from "js-yaml";
74750
+ function readConfigFile(file) {
74751
+ try {
74752
+ if (!existsSync4(file)) return {};
74753
+ const raw = readFileSync5(file, "utf8");
74754
+ const doc = yaml17.load(raw);
74755
+ return pickKnown(doc);
74756
+ } catch {
74757
+ return {};
74758
+ }
74759
+ }
74760
+ function pickKnown(doc) {
74761
+ if (doc === null || typeof doc !== "object") return {};
74762
+ const src = doc;
74763
+ const out = {};
74764
+ if (typeof src.format === "string") out.format = src.format;
74765
+ if (typeof src.out === "string") out.out = src.out;
74766
+ if (src.timeout !== void 0) {
74767
+ const n2 = Number(src.timeout);
74768
+ if (!Number.isNaN(n2)) out.timeout = n2;
74769
+ }
74770
+ return out;
74771
+ }
74772
+ function firstExisting(candidates) {
74773
+ return candidates.find((c5) => existsSync4(c5));
74774
+ }
74775
+ function loadConfig2(cwd = process.cwd(), home = os3.homedir()) {
74776
+ const homeFile = firstExisting([
74777
+ path28.join(home, ".config", "xsecurity", "config.yaml"),
74778
+ path28.join(home, ".config", "xsecurity", "config.yml"),
74779
+ path28.join(home, ".config", "xsecurity", "config.json")
74780
+ ]);
74781
+ const projectFile = firstExisting([
74782
+ path28.join(cwd, ".xsecurityrc.yaml"),
74783
+ path28.join(cwd, ".xsecurityrc.yml"),
74784
+ path28.join(cwd, ".xsecurityrc.json"),
74785
+ path28.join(cwd, ".xsecurityrc")
74786
+ ]);
74787
+ let merged = {};
74788
+ if (homeFile) merged = { ...merged, ...readConfigFile(homeFile) };
74789
+ if (projectFile) merged = { ...merged, ...readConfigFile(projectFile) };
74790
+ const envPath = process.env.XSECURITY_CONFIG;
74791
+ if (envPath) merged = { ...merged, ...readConfigFile(envPath) };
74792
+ return merged;
74793
+ }
74794
+ function applyConfigDefaults(program2) {
74795
+ const config = loadConfig2();
74796
+ if (Object.keys(config).length === 0) return;
74797
+ program2.hook("preAction", (_thisCommand, actionCommand) => {
74798
+ for (const key of KNOWN_KEYS) {
74799
+ const value = config[key];
74800
+ if (value === void 0) continue;
74801
+ const longFlag = LONG_FLAGS[key];
74802
+ const hasOption = actionCommand.options.some((o2) => o2.long === longFlag);
74803
+ if (!hasOption) continue;
74804
+ const attr = OPTION_ATTRS[key];
74805
+ const source = actionCommand.getOptionValueSource(attr);
74806
+ if (source !== "default" && source !== void 0) continue;
74807
+ actionCommand.setOptionValue(attr, value);
74808
+ const withSource = actionCommand;
74809
+ withSource.setOptionValueWithSource?.(attr, value, "config");
74810
+ }
74811
+ });
74812
+ }
74813
+ var KNOWN_KEYS, OPTION_ATTRS, LONG_FLAGS;
74814
+ var init_defaults = __esm({
74815
+ "src/config/defaults.ts"() {
74816
+ "use strict";
74817
+ KNOWN_KEYS = ["format", "timeout", "out"];
74818
+ OPTION_ATTRS = {
74819
+ format: "format",
74820
+ timeout: "timeout",
74821
+ out: "out"
74822
+ };
74823
+ LONG_FLAGS = {
74824
+ format: "--format",
74825
+ timeout: "--timeout",
74826
+ out: "--out"
74827
+ };
74828
+ }
74829
+ });
74830
+
74831
+ // src/bin/register-extras.ts
74832
+ function registerExtras(program2) {
74833
+ registerByoCommands(program2);
74834
+ registerDoctor(program2);
74835
+ registerCompletion(program2);
74836
+ registerUpdateCheck(program2);
74837
+ applyConfigDefaults(program2);
74838
+ }
74839
+ var init_register_extras = __esm({
74840
+ "src/bin/register-extras.ts"() {
74841
+ "use strict";
74842
+ init_byo_commands();
74843
+ init_doctor();
74844
+ init_completion();
74845
+ init_update_check();
74846
+ init_defaults();
74847
+ }
74848
+ });
74849
+
74850
+ // src/bin/cli-io.ts
74851
+ import * as fs22 from "node:fs";
74852
+ import * as path29 from "node:path";
74853
+ import * as os4 from "node:os";
74854
+ function _cleanupTempSpecs() {
74855
+ for (const dir of tempSpecDirs) {
74856
+ try {
74857
+ fs22.rmSync(dir, { recursive: true, force: true });
74858
+ } catch {
74859
+ }
74860
+ }
74861
+ }
74862
+ async function resolveSpecArg(arg, stdin = process.stdin) {
74863
+ if (arg !== "-") return arg;
74864
+ const chunks = [];
74865
+ for await (const chunk of stdin) {
74866
+ chunks.push(Buffer.isBuffer(chunk) ? chunk : Buffer.from(chunk));
74867
+ }
74868
+ const content = Buffer.concat(chunks).toString("utf8").trim();
74869
+ if (!content) {
74870
+ throw new Error("expected a spec document on stdin, got empty input");
74871
+ }
74872
+ const dir = fs22.mkdtempSync(path29.join(os4.tmpdir(), "writ-stdin-"));
74873
+ tempSpecDirs.add(dir);
74874
+ if (!exitHandlerRegistered) {
74875
+ exitHandlerRegistered = true;
74876
+ process.once("exit", _cleanupTempSpecs);
74877
+ }
74878
+ const specPath = path29.join(dir, "spec.yaml");
74879
+ fs22.writeFileSync(specPath, content, "utf8");
74880
+ return specPath;
74881
+ }
74882
+ function makeDiagnostics(v) {
74883
+ return {
74884
+ warn(line) {
74885
+ if (v === "quiet") return;
74886
+ process.stderr.write(`${line}
74887
+ `);
74888
+ },
74889
+ info(line) {
74890
+ if (v !== "verbose") return;
74891
+ process.stderr.write(`${line}
74892
+ `);
74893
+ }
74894
+ };
74895
+ }
74896
+ var tempSpecDirs, exitHandlerRegistered;
74897
+ var init_cli_io = __esm({
74898
+ "src/bin/cli-io.ts"() {
74899
+ "use strict";
74900
+ tempSpecDirs = /* @__PURE__ */ new Set();
74901
+ exitHandlerRegistered = false;
74902
+ }
74903
+ });
74904
+
74905
+ // src/bin/help-text.ts
74906
+ var generateExamples, validateExamples, verifyExamples, reportExamples, diffExamples;
74907
+ var init_help_text = __esm({
74908
+ "src/bin/help-text.ts"() {
74909
+ "use strict";
74910
+ generateExamples = `
74911
+ Examples:
74912
+ # Compile a spec on disk into Kong config
74913
+ $ lazy generate --target kong spec.yaml
74914
+
74915
+ # Read the spec from stdin (- means stdin)
74916
+ $ cat spec.yaml | lazy generate --target kong -
74917
+ `;
74918
+ validateExamples = `
74919
+ Examples:
74920
+ # Check a running Kong gateway against the spec
74921
+ $ lazy validate --target kong --gateway http://localhost:8001 spec.yaml
74922
+
74923
+ # Pipe the spec in and diff against an exported kong.yml
74924
+ $ cat spec.yaml | lazy validate --target kong --gateway ./kong.yml -
74925
+ `;
74926
+ verifyExamples = `
74927
+ Examples:
74928
+ # Confirm the gateway actually loaded what we emitted
74929
+ $ lazy verify --target kong --gateway http://localhost:8001 spec.yaml
74930
+
74931
+ # Read the spec from stdin
74932
+ $ cat spec.yaml | lazy verify --target kong --gateway http://localhost:8001 -
74933
+ `;
74934
+ reportExamples = `
74935
+ Examples:
74936
+ # OWASP API Top 10 coverage report
74937
+ $ lazy report --owasp spec.yaml
74938
+
74939
+ # Read the spec from stdin
74940
+ $ cat spec.yaml | lazy report --owasp -
74941
+ `;
74942
+ diffExamples = `
74943
+ Examples:
74944
+ # Diff generated Kong config across two spec versions
74945
+ $ lazy diff --target kong old.yaml new.yaml
74946
+
74947
+ # Read the new spec from stdin (only one side may be -)
74948
+ $ cat new.yaml | lazy diff --target kong old.yaml -
74949
+
74950
+ Exit code: 0 when the two specs produce identical config, 1 when they differ
74951
+ (git diff --exit-code style).
74952
+ `;
74953
+ }
74954
+ });
74955
+
74422
74956
  // src/bin/lazy.ts
74423
74957
  var lazy_exports = {};
74424
- import { basename as basename2 } from "node:path";
74958
+ import { readFileSync as readFileSync6 } from "node:fs";
74959
+ import { basename as basename2, dirname as dirname5, join as join14 } from "node:path";
74960
+ import { fileURLToPath as fileURLToPath3 } from "node:url";
74425
74961
  import { Command as Command2 } from "commander";
74962
+ function verbosity() {
74963
+ const opts = program.opts();
74964
+ if (opts.quiet) return "quiet";
74965
+ if (opts.verbose) return "verbose";
74966
+ return "normal";
74967
+ }
74968
+ function resolveVersion() {
74969
+ const here = dirname5(fileURLToPath3(import.meta.url));
74970
+ for (const rel of ["../package.json", "../../package.json"]) {
74971
+ try {
74972
+ const v = JSON.parse(readFileSync6(join14(here, rel), "utf8")).version;
74973
+ if (typeof v === "string") return v;
74974
+ } catch {
74975
+ }
74976
+ }
74977
+ return "0.0.0";
74978
+ }
74426
74979
  var program;
74427
74980
  var init_lazy = __esm({
74428
74981
  "src/bin/lazy.ts"() {
@@ -74438,12 +74991,18 @@ var init_lazy = __esm({
74438
74991
  init_verify2();
74439
74992
  init_migrate();
74440
74993
  init_push();
74441
- init_byo_commands();
74994
+ init_register_extras();
74995
+ init_cli_io();
74996
+ init_help_text();
74442
74997
  init_dist4();
74443
74998
  program = new Command2();
74444
- program.name(basename2(process.argv[1] ?? "lazy").replace(/\.(mjs|cjs|js)$/, "")).description("Compile, validate, test, and report on x-security policies in OpenAPI specs.").version("0.1.0");
74445
- program.command("generate <spec>").description("Compile an annotated OpenAPI spec into target-specific gateway config.").requiredOption("--target <name>", "Target: kong|coraza|bunkerweb|openappsec|firewall").option("--out <dir>", "Output directory (default: ./writ-out/<target>)").option("--dry-run", "Print planned artifacts without writing to disk").option("--no-strict", "Allow unresolved variables (default: strict)").option("--vault", "Resolve $vault.* refs via HashiCorp Vault (uses VAULT_ADDR + VAULT_TOKEN or AppRole)").option("--aws-secrets", "Resolve $aws.* refs via AWS Secrets Manager (uses default credential chain + AWS_REGION)").option("--vault-kv-version <v>", "Vault KV engine version: 1 or 2 (default 2)", (v) => v === "1" ? 1 : 2).option("--no-with-consumers", "Kong only: emit spec-only output (omit consumers + per-plugin credentials). Consumers are emitted by default so OSS Kong gateways actually authenticate; pass this for the spec-only baseline.").option("--kong-deployment <mode>", "Kong only: standalone|behind-proxy|with-coraza|with-istio. with-coraza rewrites all service URLs to http://coraza:8080.", "standalone").option("--kong-edition <edition>", "Kong only: oss|enterprise. enterprise emits openid-connect (real JWKS+RS256) instead of HS256 jwt_secrets downgrade.", "oss").option("--kong-dbless", "Kong only: deployment runs in DB-less mode (KONG_DATABASE=off). Per-identity rate-limits fall back to policy=local with a structured warning instead of policy=cluster.", false).option("--kong-policy <mode>", "Kong only: rate-limit policy. local|cluster. Default local (safe for OSS DB-less). Pass cluster only when Kong is running in database mode (postgres/cassandra); cluster is a boot error in DB-less Kong.", "local").option("--coraza-engine <name>", "Coraza only: modsec-nginx|modsec-apache|coraza-go|coraza-spoa (default modsec-nginx).", "modsec-nginx").option("--coraza-peers <list>", 'Coraza only (coraza-spoa|coraza-go): HAProxy peer-replication for stick-tables. Format: "name1:host1:port1,name2:host2:port2". When set, emitted haproxy-stick-tables.cfg includes a `peers writ` section so counters replicate across instances.').option("--strict-fidelity", "Exit 4 (S3) if any spec field cannot be enforced by the chosen target+engine. Independent of --strict.").action(async (spec, opts) => {
74999
+ program.name(basename2(process.argv[1] ?? "lazy").replace(/\.(mjs|cjs|js)$/, "")).description("Compile, validate, test, and report on x-security policies in OpenAPI specs.").option("--quiet", "Suppress warnings/advisories on stderr (results still print)").option("--verbose", "Print extra progress detail to stderr").version(resolveVersion()).showHelpAfterError("(add --help for usage)");
75000
+ program.command("generate <spec>").description("Compile an annotated OpenAPI spec into target-specific gateway config. <spec> may be - to read from stdin.").requiredOption("--target <name>", "Target: kong|coraza|bunkerweb|openappsec|firewall").option("--out <dir>", "Output directory (default: ./writ-out/<target>)").option("--dry-run", "Print planned artifacts without writing to disk").option("--no-strict", "Allow unresolved variables (default: strict)").option("--vault", "Resolve $vault.* refs via HashiCorp Vault (uses VAULT_ADDR + VAULT_TOKEN or AppRole)").option("--aws-secrets", "Resolve $aws.* refs via AWS Secrets Manager (uses default credential chain + AWS_REGION)").option("--vault-kv-version <v>", "Vault KV engine version: 1 or 2 (default 2)", (v) => v === "1" ? 1 : 2).option("--no-with-consumers", "Kong only: emit spec-only output (omit consumers + per-plugin credentials). Consumers are emitted by default so OSS Kong gateways actually authenticate; pass this for the spec-only baseline.").option("--kong-deployment <mode>", "Kong only: standalone|behind-proxy|with-coraza|with-istio. with-coraza rewrites all service URLs to http://coraza:8080.", "standalone").option("--kong-edition <edition>", "Kong only: oss|enterprise. enterprise emits openid-connect (real JWKS+RS256) instead of HS256 jwt_secrets downgrade.", "oss").option("--kong-dbless", "Kong only: deployment runs in DB-less mode (KONG_DATABASE=off). Per-identity rate-limits fall back to policy=local with a structured warning instead of policy=cluster.", false).option("--kong-policy <mode>", "Kong only: rate-limit policy. local|cluster. Default local (safe for OSS DB-less). Pass cluster only when Kong is running in database mode (postgres/cassandra); cluster is a boot error in DB-less Kong.", "local").option("--coraza-engine <name>", "Coraza only: modsec-nginx|modsec-apache|coraza-go|coraza-spoa (default modsec-nginx).", "modsec-nginx").option("--coraza-peers <list>", 'Coraza only (coraza-spoa|coraza-go): HAProxy peer-replication for stick-tables. Format: "name1:host1:port1,name2:host2:port2". When set, emitted haproxy-stick-tables.cfg includes a `peers writ` section so counters replicate across instances.').option("--strict-fidelity", "Exit 4 (S3) if any spec field cannot be enforced by the chosen target+engine. Independent of --strict.").addHelpText("after", generateExamples).action(async (spec, opts) => {
74446
75001
  try {
75002
+ const diag = makeDiagnostics(verbosity());
75003
+ const fromStdin = spec === "-";
75004
+ spec = await resolveSpecArg(spec);
75005
+ if (fromStdin) diag.info("reading spec from stdin");
74447
75006
  if (opts.target === "kong") {
74448
75007
  const dep = opts.kongDeployment;
74449
75008
  if (dep && !["standalone", "behind-proxy", "with-coraza", "with-istio"].includes(dep)) {
@@ -74496,9 +75055,9 @@ var init_lazy = __esm({
74496
75055
  }
74497
75056
  if (opts.strictFidelity) generateOpts.strictFidelity = true;
74498
75057
  const r5 = await runGenerate(spec, generateOpts);
74499
- for (const w of r5.warnings) process.stderr.write(`warning: ${w}
74500
- `);
75058
+ for (const w of r5.warnings) diag.warn(`warning: ${w}`);
74501
75059
  if (opts.dryRun) {
75060
+ diag.info(`generated ${r5.artifacts.length} artifact(s) for target ${opts.target} (dry-run)`);
74502
75061
  process.stdout.write(`# Dry-run \u2014 ${r5.artifacts.length} artifact(s) would be written:
74503
75062
  `);
74504
75063
  for (const a5 of r5.artifacts) {
@@ -74508,6 +75067,7 @@ ${a5.content}
74508
75067
  `);
74509
75068
  }
74510
75069
  } else {
75070
+ diag.info(`generated ${r5.artifactPaths.length} artifact(s) for target ${opts.target}`);
74511
75071
  for (const p2 of r5.artifactPaths) process.stdout.write(`${p2}
74512
75072
  `);
74513
75073
  }
@@ -74522,16 +75082,22 @@ ${a5.content}
74522
75082
  process.exit(1);
74523
75083
  }
74524
75084
  });
74525
- program.command("validate <spec>").description("Detect drift between the spec and a running/exported gateway config.").requiredOption("--target <name>", "Currently: kong").requiredOption("--gateway <urlOrPath>", "Kong admin URL (http://...) or path to exported kong.yml").option("--format <fmt>", "table|json|sarif|csv (default: table)", "table").option("--vault", "Resolve $vault.* refs via HashiCorp Vault").option("--aws-secrets", "Resolve $aws.* refs via AWS Secrets Manager").option("--vault-kv-version <v>", "Vault KV engine version: 1 or 2 (default 2)", (v) => v === "1" ? 1 : 2).action(async (spec, opts) => {
75085
+ program.command("validate <spec>").description("Detect drift between the spec and a running/exported gateway config. <spec> may be - to read from stdin.").requiredOption("--target <name>", "Currently: kong").requiredOption("--gateway <urlOrPath>", "Kong admin URL (http://...) or path to exported kong.yml").option("--format <fmt>", "table|json|sarif|csv (default: table)", "table").option("--timeout <ms>", "Abort network calls after <ms> milliseconds (gateway admin URL / probes)", (v) => Number(v)).option("--vault", "Resolve $vault.* refs via HashiCorp Vault").option("--aws-secrets", "Resolve $aws.* refs via AWS Secrets Manager").option("--vault-kv-version <v>", "Vault KV engine version: 1 or 2 (default 2)", (v) => v === "1" ? 1 : 2).addHelpText("after", validateExamples).action(async (spec, opts) => {
74526
75086
  try {
75087
+ const diag = makeDiagnostics(verbosity());
75088
+ const fromStdin = spec === "-";
75089
+ spec = await resolveSpecArg(spec);
75090
+ if (fromStdin) diag.info("reading spec from stdin");
74527
75091
  const validateOpts = {
74528
75092
  target: opts.target,
74529
75093
  gateway: opts.gateway,
74530
75094
  format: opts.format
74531
75095
  };
75096
+ if (opts.timeout !== void 0) validateOpts.timeoutMs = opts.timeout;
74532
75097
  if (opts.vault) validateOpts.vault = true;
74533
75098
  if (opts.awsSecrets) validateOpts.awsSecrets = true;
74534
75099
  if (opts.vaultKvVersion) validateOpts.vaultKvVersion = opts.vaultKvVersion;
75100
+ diag.info(`querying gateway ${opts.gateway}${opts.timeout ? ` (timeout ${opts.timeout}ms)` : ""}`);
74535
75101
  const r5 = await runValidate(spec, validateOpts);
74536
75102
  process.stdout.write(r5.rendered);
74537
75103
  process.exit(r5.exitCode);
@@ -74541,7 +75107,7 @@ ${a5.content}
74541
75107
  process.exit(1);
74542
75108
  }
74543
75109
  });
74544
- program.command("test <spec>").description("Closed-loop test: generate config, spin up Docker, send traffic, assert.").requiredOption("--target <name>", "kong|coraza|bunkerweb|openappsec").option("--upstream-port <port>", "Local port for mock upstream (ignored with --upstream-url)", (v) => Number(v)).option("--gateway-port <port>", "Local port for gateway", (v) => Number(v)).option("--upstream-url <url>", "Test against a real upstream (e.g. http://host.docker.internal:8000) instead of the mock-upstream container").option("--dry-run", "Print the docker-compose plan without running it").option("--keep", "Leave containers running on success (debug aid)").option("--format <fmt>", "table|junit|json (default: table)", "table").option("--vault", "Resolve $vault.* refs via HashiCorp Vault").option("--aws-secrets", "Resolve $aws.* refs via AWS Secrets Manager").option("--vault-kv-version <v>", "Vault KV engine version: 1 or 2 (default 2)", (v) => v === "1" ? 1 : 2).addHelpText("after", `
75110
+ program.command("test <spec>").description("Closed-loop test: generate config, spin up Docker, send traffic, assert. <spec> may be - to read from stdin.").requiredOption("--target <name>", "kong|coraza|bunkerweb|openappsec").option("--upstream-port <port>", "Local port for mock upstream (ignored with --upstream-url)", (v) => Number(v)).option("--gateway-port <port>", "Local port for gateway", (v) => Number(v)).option("--upstream-url <url>", "Test against a real upstream (e.g. http://host.docker.internal:8000) instead of the mock-upstream container").option("--dry-run", "Print the docker-compose plan without running it").option("--keep", "Leave containers running on success (debug aid)").option("--format <fmt>", "table|junit|json (default: table)", "table").option("--timeout <ms>", "Abort network calls after <ms> milliseconds (gateway admin URL / probes)", (v) => Number(v)).option("--vault", "Resolve $vault.* refs via HashiCorp Vault").option("--aws-secrets", "Resolve $aws.* refs via AWS Secrets Manager").option("--vault-kv-version <v>", "Vault KV engine version: 1 or 2 (default 2)", (v) => v === "1" ? 1 : 2).addHelpText("after", `
74545
75111
  Examples:
74546
75112
  # Mock upstream (default): brings up mendhak/http-https-echo as the backend
74547
75113
  $ lazy test --target kong spec.yaml
@@ -74553,10 +75119,15 @@ Examples:
74553
75119
  $ lazy test --target kong --upstream-url https://staging.example.com spec.yaml
74554
75120
  `).action(async (spec, opts) => {
74555
75121
  try {
75122
+ const diag = makeDiagnostics(verbosity());
75123
+ const fromStdin = spec === "-";
75124
+ spec = await resolveSpecArg(spec);
75125
+ if (fromStdin) diag.info("reading spec from stdin");
74556
75126
  const testOpts = {
74557
75127
  target: opts.target,
74558
75128
  format: opts.format
74559
75129
  };
75130
+ if (opts.timeout !== void 0) testOpts.timeoutMs = opts.timeout;
74560
75131
  if (opts.upstreamPort !== void 0) testOpts.upstreamPort = opts.upstreamPort;
74561
75132
  if (opts.gatewayPort !== void 0) testOpts.gatewayPort = opts.gatewayPort;
74562
75133
  if (opts.upstreamUrl !== void 0) testOpts.upstreamUrl = opts.upstreamUrl;
@@ -74565,6 +75136,7 @@ Examples:
74565
75136
  if (opts.vault) testOpts.vault = true;
74566
75137
  if (opts.awsSecrets) testOpts.awsSecrets = true;
74567
75138
  if (opts.vaultKvVersion) testOpts.vaultKvVersion = opts.vaultKvVersion;
75139
+ diag.info(`bringing up ${opts.target} gateway (upstream: ${opts.upstreamUrl ?? "mock"})`);
74568
75140
  const r5 = await runTest(spec, testOpts);
74569
75141
  process.stdout.write(r5.rendered);
74570
75142
  process.exit(r5.exitCode);
@@ -74574,8 +75146,12 @@ Examples:
74574
75146
  process.exit(1);
74575
75147
  }
74576
75148
  });
74577
- program.command("report <spec>").description("OWASP coverage and annotation reports.").option("--owasp", "OWASP API Top 10 coverage report (default if neither flag given)").option("--coverage", "Annotation coverage report").option("--format <fmt>", "table|json|sarif|csv|html (default: table)", "table").option("--feasible <targets>", "Comma-separated targets (e.g. kong,coraza). Downgrade Y\u2192Y*/~ for declared mitigations no listed target can enforce.").option("--strict-fidelity", "Exit 4 if --feasible would downgrade any Y to Y*/~. Requires --owasp --feasible.").option("--vault", "Resolve $vault.* refs via HashiCorp Vault").option("--aws-secrets", "Resolve $aws.* refs via AWS Secrets Manager").option("--vault-kv-version <v>", "Vault KV engine version: 1 or 2 (default 2)", (v) => v === "1" ? 1 : 2).action(async (spec, opts) => {
75149
+ program.command("report <spec>").description("OWASP coverage and annotation reports. <spec> may be - to read from stdin.").option("--owasp", "OWASP API Top 10 coverage report (default if neither flag given)").option("--coverage", "Annotation coverage report").option("--format <fmt>", "table|json|sarif|csv|html (default: table)", "table").option("--feasible <targets>", "Comma-separated targets (e.g. kong,coraza). Downgrade Y\u2192Y*/~ for declared mitigations no listed target can enforce.").option("--strict-fidelity", "Exit 4 if --feasible would downgrade any Y to Y*/~. Requires --owasp --feasible.").option("--vault", "Resolve $vault.* refs via HashiCorp Vault").option("--aws-secrets", "Resolve $aws.* refs via AWS Secrets Manager").option("--vault-kv-version <v>", "Vault KV engine version: 1 or 2 (default 2)", (v) => v === "1" ? 1 : 2).addHelpText("after", reportExamples).action(async (spec, opts) => {
74578
75150
  try {
75151
+ const diag = makeDiagnostics(verbosity());
75152
+ const fromStdin = spec === "-";
75153
+ spec = await resolveSpecArg(spec);
75154
+ if (fromStdin) diag.info("reading spec from stdin");
74579
75155
  const mode = opts.coverage ? "coverage" : "owasp";
74580
75156
  const reportOpts = {
74581
75157
  mode,
@@ -74599,8 +75175,12 @@ Examples:
74599
75175
  process.exit(1);
74600
75176
  }
74601
75177
  });
74602
- program.command("verify <spec>").description("Read-only post-deploy check: did the gateway actually load the artifacts we emitted?").requiredOption("--target <name>", "kong|coraza|envoy|bunkerweb|openappsec").requiredOption("--gateway <addr>", "Kong admin URL, Envoy admin URL, OR (for coraza) path to nginx error log / docker:<container> / coraza-go /debug/rules URL, OR (for bunkerweb) docker:<scheduler>+docker:<bunkerweb>, OR (for openappsec) docker:<agent>").option("--engine <name>", "Coraza engine: modsec-nginx|coraza-go|coraza-spoa (default modsec-nginx)").option("--format <fmt>", "table|json|sarif (default table)", "table").option("--threshold <pct>", "Minimum load-coverage % to consider PASS (default 90)", (v) => Number(v)).action(async (spec, opts) => {
75178
+ program.command("verify <spec>").description("Read-only post-deploy check: did the gateway actually load the artifacts we emitted? <spec> may be - to read from stdin.").requiredOption("--target <name>", "kong|coraza|envoy|bunkerweb|openappsec").requiredOption("--gateway <addr>", "Kong admin URL, Envoy admin URL, OR (for coraza) path to nginx error log / docker:<container> / coraza-go /debug/rules URL, OR (for bunkerweb) docker:<scheduler>+docker:<bunkerweb>, OR (for openappsec) docker:<agent>").option("--engine <name>", "Coraza engine: modsec-nginx|coraza-go|coraza-spoa (default modsec-nginx)").option("--format <fmt>", "table|json|sarif (default table)", "table").option("--threshold <pct>", "Minimum load-coverage % to consider PASS (default 90)", (v) => Number(v)).option("--timeout <ms>", "Abort network calls after <ms> milliseconds (gateway admin URL / probes)", (v) => Number(v)).addHelpText("after", verifyExamples).action(async (spec, opts) => {
74603
75179
  try {
75180
+ const diag = makeDiagnostics(verbosity());
75181
+ const fromStdin = spec === "-";
75182
+ spec = await resolveSpecArg(spec);
75183
+ if (fromStdin) diag.info("reading spec from stdin");
74604
75184
  const verifyOpts = {
74605
75185
  target: opts.target,
74606
75186
  gateway: opts.gateway,
@@ -74608,6 +75188,8 @@ Examples:
74608
75188
  };
74609
75189
  if (opts.engine !== void 0) verifyOpts.engine = opts.engine;
74610
75190
  if (opts.threshold !== void 0) verifyOpts.threshold = opts.threshold;
75191
+ if (opts.timeout !== void 0) verifyOpts.timeoutMs = opts.timeout;
75192
+ diag.info(`querying gateway ${opts.gateway} (threshold ${opts.threshold ?? 90}%)`);
74611
75193
  const r5 = await runVerifyCli(spec, verifyOpts);
74612
75194
  process.stdout.write(r5.rendered);
74613
75195
  process.exit(r5.exitCode);
@@ -74617,8 +75199,16 @@ Examples:
74617
75199
  process.exit(1);
74618
75200
  }
74619
75201
  });
74620
- program.command("diff <old> <new>").description("Diff the generated target config for two spec versions.").requiredOption("--target <name>", "Target generator to use for both specs").option("--format <fmt>", "human|json (default: human)", "human").option("--vault", "Resolve $vault.* refs via HashiCorp Vault").option("--aws-secrets", "Resolve $aws.* refs via AWS Secrets Manager").option("--vault-kv-version <v>", "Vault KV engine version: 1 or 2 (default 2)", (v) => v === "1" ? 1 : 2).action(async (oldSpec, newSpec, opts) => {
75202
+ program.command("diff <old> <new>").description("Diff the generated target config for two spec versions. Either <old> or <new> may be - to read from stdin (not both). Exits 1 when configs differ, 0 when identical (git diff --exit-code style).").requiredOption("--target <name>", "Target generator to use for both specs").option("--format <fmt>", "human|json (default: human)", "human").option("--vault", "Resolve $vault.* refs via HashiCorp Vault").option("--aws-secrets", "Resolve $aws.* refs via AWS Secrets Manager").option("--vault-kv-version <v>", "Vault KV engine version: 1 or 2 (default 2)", (v) => v === "1" ? 1 : 2).addHelpText("after", diffExamples).action(async (oldSpec, newSpec, opts) => {
74621
75203
  try {
75204
+ const diag = makeDiagnostics(verbosity());
75205
+ if (oldSpec === "-" && newSpec === "-") {
75206
+ process.stderr.write("diff failed: only one of <old>/<new> can be - (a single stdin stream)\n");
75207
+ process.exit(1);
75208
+ }
75209
+ if (oldSpec === "-" || newSpec === "-") diag.info("reading spec from stdin");
75210
+ oldSpec = await resolveSpecArg(oldSpec);
75211
+ newSpec = await resolveSpecArg(newSpec);
74622
75212
  const diffOpts = {
74623
75213
  target: opts.target,
74624
75214
  format: opts.format
@@ -74628,7 +75218,7 @@ Examples:
74628
75218
  if (opts.vaultKvVersion) diffOpts.vaultKvVersion = opts.vaultKvVersion;
74629
75219
  const r5 = await runDiff(oldSpec, newSpec, diffOpts);
74630
75220
  process.stdout.write(r5.rendered);
74631
- process.exit(r5.modified.length + r5.added.length + r5.removed.length > 0 ? 0 : 0);
75221
+ process.exit(r5.modified.length + r5.added.length + r5.removed.length > 0 ? 1 : 0);
74632
75222
  } catch (e5) {
74633
75223
  process.stderr.write(`diff failed: ${e5.message}
74634
75224
  `);
@@ -74722,7 +75312,7 @@ Examples:
74722
75312
  process.exit(1);
74723
75313
  }
74724
75314
  });
74725
- registerByoCommands(program);
75315
+ registerExtras(program);
74726
75316
  program.command("push <repoDir>").description(
74727
75317
  "Upload the verified .writ/ policies to the Writ SaaS. Aborts if the local audit is not 100% cite-backed. Token from WRIT_API_TOKEN env only."
74728
75318
  ).option("--dry-run", "Assemble + validate the payload and print a summary WITHOUT sending.").action(async (repoDir, opts) => {
@@ -75379,8 +75969,8 @@ function buildForbidArrayRootPlugins(resp, ctx = {}) {
75379
75969
  var SS_IDEMPOTENCY_TAG = "writ-idempotency-replay-409";
75380
75970
  var SS_IDEMPOTENCY_CACHE_DICT = "writ_idempotency_cache";
75381
75971
  var SS_IDEMPOTENCY_CACHE_DICT_SIZE = "10m";
75382
- function buildIdempotencyKeyPlugins(request7, ctx = {}) {
75383
- const idem = request7?.idempotencyKey;
75972
+ function buildIdempotencyKeyPlugins(request9, ctx = {}) {
75973
+ const idem = request9?.idempotencyKey;
75384
75974
  if (!idem) return [];
75385
75975
  const ttl = durationSeconds(idem.ttl);
75386
75976
  if (ctx.warn) {