npm - @digilogiclabs/platform-core - Versions diffs - 1.4.0 → 1.5.0 - Mend

@digilogiclabs/platform-core 1.4.0 → 1.5.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (14) hide show

package/dist/index.d.mts +1513 -132
package/dist/index.d.ts +1513 -132
package/dist/index.js +1322 -58
package/dist/index.js.map +1 -1
package/dist/index.mjs +1233 -24
package/dist/index.mjs.map +1 -1
package/dist/migrate.js +0 -0
package/dist/security-headers.js.map +1 -1
package/dist/security-headers.mjs.map +1 -1
package/dist/testing.js +3 -1
package/dist/testing.js.map +1 -1
package/dist/testing.mjs +9 -2
package/dist/testing.mjs.map +1 -1
package/package.json +11 -11

package/dist/migrate.js CHANGED Viewed

File without changes

package/dist/security-headers.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"sources":["../src/security-headers.ts"],"sourcesContent":["/*\r\n Shared Security Headers Utility\r\n * Generates consistent security headers for all Next.js apps.\r\n * Zero heavy dependencies — pure utility function.\r\n /\r\n\r\n// ═══════════════════════════════════════════════════════════════\r\n// TYPES\r\n// ═══════════════════════════════════════════════════════════════\r\n\r\nexport interface SecurityHeadersConfig {\r\n /* Enable Content-Security-Policy (default: true) /\r\n csp?: boolean;\r\n /* Additional allowed script-src domains /\r\n cspScriptSrc?: string[];\r\n /* Additional allowed connect-src domains /\r\n cspConnectSrc?: string[];\r\n /* Additional allowed frame-src domains /\r\n cspFrameSrc?: string[];\r\n /* Additional allowed style-src domains /\r\n cspStyleSrc?: string[];\r\n /* Additional allowed img-src domains /\r\n cspImgSrc?: string[];\r\n /* X-Frame-Options value (default: 'DENY') /\r\n frameOptions?: \"DENY\" \| \"SAMEORIGIN\";\r\n /* Enable HSTS in production (default: true) /\r\n hsts?: boolean;\r\n /* HSTS max-age in seconds (default: 31536000 = 1 year) /\r\n hstsMaxAge?: number;\r\n /* Whether this is a production build (default: auto-detect from NODE_ENV) /\r\n isProduction?: boolean;\r\n}\r\n\r\nexport interface NextHeaderEntry {\r\n source: string;\r\n headers: Array<{ key: string; value: string }>;\r\n}\r\n\r\n// ═══════════════════════════════════════════════════════════════\r\n// PRESETS\r\n// ═══════════════════════════════════════════════════════════════\r\n\r\nexport const SecurityHeaderPresets = {\r\n /* Minimal: basic headers only, no CSP /\r\n minimal: {\r\n csp: false,\r\n hsts: false,\r\n } satisfies SecurityHeadersConfig,\r\n\r\n /* Standard: full CSP + HSTS for most apps /\r\n standard: {\r\n csp: true,\r\n hsts: true,\r\n frameOptions: \"DENY\",\r\n } satisfies SecurityHeadersConfig,\r\n\r\n /* Strict: deny all permissions, strict CSP, no frame embedding /\r\n strict: {\r\n csp: true,\r\n hsts: true,\r\n hstsMaxAge: 63072000, // 2 years\r\n frameOptions: \"DENY\",\r\n } satisfies SecurityHeadersConfig,\r\n} as const;\r\n\r\n// ═══════════════════════════════════════════════════════════════\r\n// MAIN FUNCTION\r\n// ═══════════════════════════════════════════════════════════════\r\n\r\n/\r\n Generate security headers array compatible with Next.js `headers()` config.\r\n \r\n Usage in next.config.mjs:\r\n * ```js\r\n * const { generateSecurityHeaders } = require('@digilogiclabs/platform-core');\r\n \r\n module.exports = {\r\n * async headers() {\r\n * return generateSecurityHeaders({\r\n * isProduction: process.env.NODE_ENV === 'production',\r\n * cspScriptSrc: ['https://js.stripe.com'],\r\n * cspConnectSrc: ['https://api.stripe.com'],\r\n * });\r\n * },\r\n * };\r\n * ```\r\n /\r\nexport function generateSecurityHeaders(\r\n config: SecurityHeadersConfig = {},\r\n): NextHeaderEntry[] {\r\n const isProduction =\r\n config.isProduction ?? process.env.NODE_ENV === \"production\";\r\n const frameOptions = config.frameOptions ?? \"DENY\";\r\n const enableCsp = config.csp ?? true;\r\n const enableHsts = config.hsts ?? true;\r\n const hstsMaxAge = config.hstsMaxAge ?? 31536000;\r\n\r\n // Base headers applied to all routes in all environments\r\n const baseHeaders: Array<{ key: string; value: string }> = [\r\n { key: \"X-Frame-Options\", value: frameOptions },\r\n { key: \"X-Content-Type-Options\", value: \"nosniff\" },\r\n // Modern browsers use CSP, not XSS-Protection. Value '0' disables the\r\n // legacy filter which can itself introduce vulnerabilities.\r\n { key: \"X-XSS-Protection\", value: \"0\" },\r\n {\r\n key: \"Referrer-Policy\",\r\n value: \"strict-origin-when-cross-origin\",\r\n },\r\n {\r\n key: \"Permissions-Policy\",\r\n value: \"camera=(), microphone=(), geolocation=()\",\r\n },\r\n ];\r\n\r\n const entries: NextHeaderEntry[] = [\r\n { source: \"/:path\", headers: baseHeaders },\r\n ];\r\n\r\n // Production-only headers\r\n if (isProduction) {\r\n const prodHeaders: Array<{ key: string; value: string }> = [];\r\n\r\n // HSTS\r\n if (enableHsts) {\r\n prodHeaders.push({\r\n key: \"Strict-Transport-Security\",\r\n value: `max-age=${hstsMaxAge}; includeSubDomains`,\r\n });\r\n }\r\n\r\n // Content-Security-Policy\r\n if (enableCsp) {\r\n const csp = buildCsp(config);\r\n prodHeaders.push({ key: \"Content-Security-Policy\", value: csp });\r\n }\r\n\r\n if (prodHeaders.length > 0) {\r\n entries.push({ source: \"/:path*\", headers: prodHeaders });\r\n }\r\n }\r\n\r\n return entries;\r\n}\r\n\r\n// ═══════════════════════════════════════════════════════════════\r\n// CSP BUILDER\r\n// ═══════════════════════════════════════════════════════════════\r\n\r\nfunction buildCsp(config: SecurityHeadersConfig): string {\r\n const scriptSrc = [\r\n \"'self'\",\r\n \"'unsafe-inline'\",\r\n \"'unsafe-eval'\",\r\n ...(config.cspScriptSrc ?? []),\r\n ];\r\n\r\n const styleSrc = [\r\n \"'self'\",\r\n \"'unsafe-inline'\",\r\n \"https://fonts.googleapis.com\",\r\n ...(config.cspStyleSrc ?? []),\r\n ];\r\n\r\n const imgSrc = [\r\n \"'self'\",\r\n \"data:\",\r\n \"https:\",\r\n \"blob:\",\r\n ...(config.cspImgSrc ?? []),\r\n ];\r\n\r\n const fontSrc = [\"'self'\", \"data:\", \"https://fonts.gstatic.com\"];\r\n\r\n const connectSrc = [\"'self'\", ...(config.cspConnectSrc ?? [])];\r\n\r\n const frameSrc = [...(config.cspFrameSrc ?? [])];\r\n\r\n const directives = [\r\n `default-src 'self'`,\r\n `script-src ${scriptSrc.join(\" \")}`,\r\n `style-src ${styleSrc.join(\" \")}`,\r\n `img-src ${imgSrc.join(\" \")}`,\r\n `font-src ${fontSrc.join(\" \")}`,\r\n `connect-src ${connectSrc.join(\" \")}`,\r\n ];\r\n\r\n if (frameSrc.length > 0) {\r\n directives.push(`frame-src ${frameSrc.join(\" \")}`);\r\n }\r\n\r\n directives.push(\r\n `object-src 'none'`,\r\n `base-uri 'self'`,\r\n `form-action 'self'`,\r\n `frame-ancestors 'none'`,\r\n );\r\n\r\n return directives.join(\"; \");\r\n}\r\n"],"mappings":";;;;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AA0CO,IAAM,wBAAwB;AAAA;AAAA,EAEnC,SAAS;AAAA,IACP,KAAK;AAAA,IACL,MAAM;AAAA,EACR;AAAA;AAAA,EAGA,UAAU;AAAA,IACR,KAAK;AAAA,IACL,MAAM;AAAA,IACN,cAAc;AAAA,EAChB;AAAA;AAAA,EAGA,QAAQ;AAAA,IACN,KAAK;AAAA,IACL,MAAM;AAAA,IACN,YAAY;AAAA;AAAA,IACZ,cAAc;AAAA,EAChB;AACF;AAwBO,SAAS,wBACd,SAAgC,CAAC,GACd;AACnB,QAAM,eACJ,OAAO,gBAAgB,QAAQ,IAAI,aAAa;AAClD,QAAM,eAAe,OAAO,gBAAgB;AAC5C,QAAM,YAAY,OAAO,OAAO;AAChC,QAAM,aAAa,OAAO,QAAQ;AAClC,QAAM,aAAa,OAAO,cAAc;AAGxC,QAAM,cAAqD;AAAA,IACzD,EAAE,KAAK,mBAAmB,OAAO,aAAa;AAAA,IAC9C,EAAE,KAAK,0BAA0B,OAAO,UAAU;AAAA;AAAA;AAAA,IAGlD,EAAE,KAAK,oBAAoB,OAAO,IAAI;AAAA,IACtC;AAAA,MACE,KAAK;AAAA,MACL,OAAO;AAAA,IACT;AAAA,IACA;AAAA,MACE,KAAK;AAAA,MACL,OAAO;AAAA,IACT;AAAA,EACF;AAEA,QAAM,UAA6B;AAAA,IACjC,EAAE,QAAQ,WAAW,SAAS,YAAY;AAAA,EAC5C;AAGA,MAAI,cAAc;AAChB,UAAM,cAAqD,CAAC;AAG5D,QAAI,YAAY;AACd,kBAAY,KAAK;AAAA,QACf,KAAK;AAAA,QACL,OAAO,WAAW,UAAU;AAAA,MAC9B,CAAC;AAAA,IACH;AAGA,QAAI,WAAW;AACb,YAAM,MAAM,SAAS,MAAM;AAC3B,kBAAY,KAAK,EAAE,KAAK,2BAA2B,OAAO,IAAI,CAAC;AAAA,IACjE;AAEA,QAAI,YAAY,SAAS,GAAG;AAC1B,cAAQ,KAAK,EAAE,QAAQ,WAAW,SAAS,YAAY,CAAC;AAAA,IAC1D;AAAA,EACF;AAEA,SAAO;AACT;AAMA,SAAS,SAAS,QAAuC;AACvD,QAAM,YAAY;AAAA,IAChB;AAAA,IACA;AAAA,IACA;AAAA,IACA,GAAI,OAAO,gBAAgB,CAAC;AAAA,EAC9B;AAEA,QAAM,WAAW;AAAA,IACf;AAAA,IACA;AAAA,IACA;AAAA,IACA,GAAI,OAAO,eAAe,CAAC;AAAA,EAC7B;AAEA,QAAM,SAAS;AAAA,IACb;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA,GAAI,OAAO,aAAa,CAAC;AAAA,EAC3B;AAEA,QAAM,UAAU,CAAC,UAAU,SAAS,2BAA2B;AAE/D,QAAM,aAAa,CAAC,UAAU,GAAI,OAAO,iBAAiB,CAAC,CAAE;AAE7D,QAAM,WAAW,CAAC,GAAI,OAAO,eAAe,CAAC,CAAE;AAE/C,QAAM,aAAa;AAAA,IACjB;AAAA,IACA,cAAc,UAAU,KAAK,GAAG,CAAC;AAAA,IACjC,aAAa,SAAS,KAAK,GAAG,CAAC;AAAA,IAC/B,WAAW,OAAO,KAAK,GAAG,CAAC;AAAA,IAC3B,YAAY,QAAQ,KAAK,GAAG,CAAC;AAAA,IAC7B,eAAe,WAAW,KAAK,GAAG,CAAC;AAAA,EACrC;AAEA,MAAI,SAAS,SAAS,GAAG;AACvB,eAAW,KAAK,aAAa,SAAS,KAAK,GAAG,CAAC,EAAE;AAAA,EACnD;AAEA,aAAW;AAAA,IACT;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,EACF;AAEA,SAAO,WAAW,KAAK,IAAI;AAC7B;","names":[]}
1	+ {"version":3,"sources":["../src/security-headers.ts"],"sourcesContent":["/*\n Shared Security Headers Utility\n * Generates consistent security headers for all Next.js apps.\n * Zero heavy dependencies — pure utility function.\n /\n\n// ═══════════════════════════════════════════════════════════════\n// TYPES\n// ═══════════════════════════════════════════════════════════════\n\nexport interface SecurityHeadersConfig {\n /* Enable Content-Security-Policy (default: true) /\n csp?: boolean;\n /* Additional allowed script-src domains /\n cspScriptSrc?: string[];\n /* Additional allowed connect-src domains /\n cspConnectSrc?: string[];\n /* Additional allowed frame-src domains /\n cspFrameSrc?: string[];\n /* Additional allowed style-src domains /\n cspStyleSrc?: string[];\n /* Additional allowed img-src domains /\n cspImgSrc?: string[];\n /* X-Frame-Options value (default: 'DENY') /\n frameOptions?: \"DENY\" \| \"SAMEORIGIN\";\n /* Enable HSTS in production (default: true) /\n hsts?: boolean;\n /* HSTS max-age in seconds (default: 31536000 = 1 year) /\n hstsMaxAge?: number;\n /* Whether this is a production build (default: auto-detect from NODE_ENV) /\n isProduction?: boolean;\n}\n\nexport interface NextHeaderEntry {\n source: string;\n headers: Array<{ key: string; value: string }>;\n}\n\n// ═══════════════════════════════════════════════════════════════\n// PRESETS\n// ═══════════════════════════════════════════════════════════════\n\nexport const SecurityHeaderPresets = {\n /* Minimal: basic headers only, no CSP /\n minimal: {\n csp: false,\n hsts: false,\n } satisfies SecurityHeadersConfig,\n\n /* Standard: full CSP + HSTS for most apps /\n standard: {\n csp: true,\n hsts: true,\n frameOptions: \"DENY\",\n } satisfies SecurityHeadersConfig,\n\n /* Strict: deny all permissions, strict CSP, no frame embedding /\n strict: {\n csp: true,\n hsts: true,\n hstsMaxAge: 63072000, // 2 years\n frameOptions: \"DENY\",\n } satisfies SecurityHeadersConfig,\n} as const;\n\n// ═══════════════════════════════════════════════════════════════\n// MAIN FUNCTION\n// ═══════════════════════════════════════════════════════════════\n\n/\n Generate security headers array compatible with Next.js `headers()` config.\n \n Usage in next.config.mjs:\n * ```js\n * const { generateSecurityHeaders } = require('@digilogiclabs/platform-core');\n \n module.exports = {\n * async headers() {\n * return generateSecurityHeaders({\n * isProduction: process.env.NODE_ENV === 'production',\n * cspScriptSrc: ['https://js.stripe.com'],\n * cspConnectSrc: ['https://api.stripe.com'],\n * });\n * },\n * };\n * ```\n /\nexport function generateSecurityHeaders(\n config: SecurityHeadersConfig = {},\n): NextHeaderEntry[] {\n const isProduction =\n config.isProduction ?? process.env.NODE_ENV === \"production\";\n const frameOptions = config.frameOptions ?? \"DENY\";\n const enableCsp = config.csp ?? true;\n const enableHsts = config.hsts ?? true;\n const hstsMaxAge = config.hstsMaxAge ?? 31536000;\n\n // Base headers applied to all routes in all environments\n const baseHeaders: Array<{ key: string; value: string }> = [\n { key: \"X-Frame-Options\", value: frameOptions },\n { key: \"X-Content-Type-Options\", value: \"nosniff\" },\n // Modern browsers use CSP, not XSS-Protection. Value '0' disables the\n // legacy filter which can itself introduce vulnerabilities.\n { key: \"X-XSS-Protection\", value: \"0\" },\n {\n key: \"Referrer-Policy\",\n value: \"strict-origin-when-cross-origin\",\n },\n {\n key: \"Permissions-Policy\",\n value: \"camera=(), microphone=(), geolocation=()\",\n },\n ];\n\n const entries: NextHeaderEntry[] = [\n { source: \"/:path\", headers: baseHeaders },\n ];\n\n // Production-only headers\n if (isProduction) {\n const prodHeaders: Array<{ key: string; value: string }> = [];\n\n // HSTS\n if (enableHsts) {\n prodHeaders.push({\n key: \"Strict-Transport-Security\",\n value: `max-age=${hstsMaxAge}; includeSubDomains`,\n });\n }\n\n // Content-Security-Policy\n if (enableCsp) {\n const csp = buildCsp(config);\n prodHeaders.push({ key: \"Content-Security-Policy\", value: csp });\n }\n\n if (prodHeaders.length > 0) {\n entries.push({ source: \"/:path*\", headers: prodHeaders });\n }\n }\n\n return entries;\n}\n\n// ═══════════════════════════════════════════════════════════════\n// CSP BUILDER\n// ═══════════════════════════════════════════════════════════════\n\nfunction buildCsp(config: SecurityHeadersConfig): string {\n const scriptSrc = [\n \"'self'\",\n \"'unsafe-inline'\",\n \"'unsafe-eval'\",\n ...(config.cspScriptSrc ?? []),\n ];\n\n const styleSrc = [\n \"'self'\",\n \"'unsafe-inline'\",\n \"https://fonts.googleapis.com\",\n ...(config.cspStyleSrc ?? []),\n ];\n\n const imgSrc = [\n \"'self'\",\n \"data:\",\n \"https:\",\n \"blob:\",\n ...(config.cspImgSrc ?? []),\n ];\n\n const fontSrc = [\"'self'\", \"data:\", \"https://fonts.gstatic.com\"];\n\n const connectSrc = [\"'self'\", ...(config.cspConnectSrc ?? [])];\n\n const frameSrc = [...(config.cspFrameSrc ?? [])];\n\n const directives = [\n `default-src 'self'`,\n `script-src ${scriptSrc.join(\" \")}`,\n `style-src ${styleSrc.join(\" \")}`,\n `img-src ${imgSrc.join(\" \")}`,\n `font-src ${fontSrc.join(\" \")}`,\n `connect-src ${connectSrc.join(\" \")}`,\n ];\n\n if (frameSrc.length > 0) {\n directives.push(`frame-src ${frameSrc.join(\" \")}`);\n }\n\n directives.push(\n `object-src 'none'`,\n `base-uri 'self'`,\n `form-action 'self'`,\n `frame-ancestors 'none'`,\n );\n\n return directives.join(\"; \");\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AA0CO,IAAM,wBAAwB;AAAA;AAAA,EAEnC,SAAS;AAAA,IACP,KAAK;AAAA,IACL,MAAM;AAAA,EACR;AAAA;AAAA,EAGA,UAAU;AAAA,IACR,KAAK;AAAA,IACL,MAAM;AAAA,IACN,cAAc;AAAA,EAChB;AAAA;AAAA,EAGA,QAAQ;AAAA,IACN,KAAK;AAAA,IACL,MAAM;AAAA,IACN,YAAY;AAAA;AAAA,IACZ,cAAc;AAAA,EAChB;AACF;AAwBO,SAAS,wBACd,SAAgC,CAAC,GACd;AACnB,QAAM,eACJ,OAAO,gBAAgB,QAAQ,IAAI,aAAa;AAClD,QAAM,eAAe,OAAO,gBAAgB;AAC5C,QAAM,YAAY,OAAO,OAAO;AAChC,QAAM,aAAa,OAAO,QAAQ;AAClC,QAAM,aAAa,OAAO,cAAc;AAGxC,QAAM,cAAqD;AAAA,IACzD,EAAE,KAAK,mBAAmB,OAAO,aAAa;AAAA,IAC9C,EAAE,KAAK,0BAA0B,OAAO,UAAU;AAAA;AAAA;AAAA,IAGlD,EAAE,KAAK,oBAAoB,OAAO,IAAI;AAAA,IACtC;AAAA,MACE,KAAK;AAAA,MACL,OAAO;AAAA,IACT;AAAA,IACA;AAAA,MACE,KAAK;AAAA,MACL,OAAO;AAAA,IACT;AAAA,EACF;AAEA,QAAM,UAA6B;AAAA,IACjC,EAAE,QAAQ,WAAW,SAAS,YAAY;AAAA,EAC5C;AAGA,MAAI,cAAc;AAChB,UAAM,cAAqD,CAAC;AAG5D,QAAI,YAAY;AACd,kBAAY,KAAK;AAAA,QACf,KAAK;AAAA,QACL,OAAO,WAAW,UAAU;AAAA,MAC9B,CAAC;AAAA,IACH;AAGA,QAAI,WAAW;AACb,YAAM,MAAM,SAAS,MAAM;AAC3B,kBAAY,KAAK,EAAE,KAAK,2BAA2B,OAAO,IAAI,CAAC;AAAA,IACjE;AAEA,QAAI,YAAY,SAAS,GAAG;AAC1B,cAAQ,KAAK,EAAE,QAAQ,WAAW,SAAS,YAAY,CAAC;AAAA,IAC1D;AAAA,EACF;AAEA,SAAO;AACT;AAMA,SAAS,SAAS,QAAuC;AACvD,QAAM,YAAY;AAAA,IAChB;AAAA,IACA;AAAA,IACA;AAAA,IACA,GAAI,OAAO,gBAAgB,CAAC;AAAA,EAC9B;AAEA,QAAM,WAAW;AAAA,IACf;AAAA,IACA;AAAA,IACA;AAAA,IACA,GAAI,OAAO,eAAe,CAAC;AAAA,EAC7B;AAEA,QAAM,SAAS;AAAA,IACb;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA,GAAI,OAAO,aAAa,CAAC;AAAA,EAC3B;AAEA,QAAM,UAAU,CAAC,UAAU,SAAS,2BAA2B;AAE/D,QAAM,aAAa,CAAC,UAAU,GAAI,OAAO,iBAAiB,CAAC,CAAE;AAE7D,QAAM,WAAW,CAAC,GAAI,OAAO,eAAe,CAAC,CAAE;AAE/C,QAAM,aAAa;AAAA,IACjB;AAAA,IACA,cAAc,UAAU,KAAK,GAAG,CAAC;AAAA,IACjC,aAAa,SAAS,KAAK,GAAG,CAAC;AAAA,IAC/B,WAAW,OAAO,KAAK,GAAG,CAAC;AAAA,IAC3B,YAAY,QAAQ,KAAK,GAAG,CAAC;AAAA,IAC7B,eAAe,WAAW,KAAK,GAAG,CAAC;AAAA,EACrC;AAEA,MAAI,SAAS,SAAS,GAAG;AACvB,eAAW,KAAK,aAAa,SAAS,KAAK,GAAG,CAAC,EAAE;AAAA,EACnD;AAEA,aAAW;AAAA,IACT;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,EACF;AAEA,SAAO,WAAW,KAAK,IAAI;AAC7B;","names":[]}

package/dist/security-headers.mjs.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"sources":["../src/security-headers.ts"],"sourcesContent":["/*\r\n Shared Security Headers Utility\r\n * Generates consistent security headers for all Next.js apps.\r\n * Zero heavy dependencies — pure utility function.\r\n /\r\n\r\n// ═══════════════════════════════════════════════════════════════\r\n// TYPES\r\n// ═══════════════════════════════════════════════════════════════\r\n\r\nexport interface SecurityHeadersConfig {\r\n /* Enable Content-Security-Policy (default: true) /\r\n csp?: boolean;\r\n /* Additional allowed script-src domains /\r\n cspScriptSrc?: string[];\r\n /* Additional allowed connect-src domains /\r\n cspConnectSrc?: string[];\r\n /* Additional allowed frame-src domains /\r\n cspFrameSrc?: string[];\r\n /* Additional allowed style-src domains /\r\n cspStyleSrc?: string[];\r\n /* Additional allowed img-src domains /\r\n cspImgSrc?: string[];\r\n /* X-Frame-Options value (default: 'DENY') /\r\n frameOptions?: \"DENY\" \| \"SAMEORIGIN\";\r\n /* Enable HSTS in production (default: true) /\r\n hsts?: boolean;\r\n /* HSTS max-age in seconds (default: 31536000 = 1 year) /\r\n hstsMaxAge?: number;\r\n /* Whether this is a production build (default: auto-detect from NODE_ENV) /\r\n isProduction?: boolean;\r\n}\r\n\r\nexport interface NextHeaderEntry {\r\n source: string;\r\n headers: Array<{ key: string; value: string }>;\r\n}\r\n\r\n// ═══════════════════════════════════════════════════════════════\r\n// PRESETS\r\n// ═══════════════════════════════════════════════════════════════\r\n\r\nexport const SecurityHeaderPresets = {\r\n /* Minimal: basic headers only, no CSP /\r\n minimal: {\r\n csp: false,\r\n hsts: false,\r\n } satisfies SecurityHeadersConfig,\r\n\r\n /* Standard: full CSP + HSTS for most apps /\r\n standard: {\r\n csp: true,\r\n hsts: true,\r\n frameOptions: \"DENY\",\r\n } satisfies SecurityHeadersConfig,\r\n\r\n /* Strict: deny all permissions, strict CSP, no frame embedding /\r\n strict: {\r\n csp: true,\r\n hsts: true,\r\n hstsMaxAge: 63072000, // 2 years\r\n frameOptions: \"DENY\",\r\n } satisfies SecurityHeadersConfig,\r\n} as const;\r\n\r\n// ═══════════════════════════════════════════════════════════════\r\n// MAIN FUNCTION\r\n// ═══════════════════════════════════════════════════════════════\r\n\r\n/\r\n Generate security headers array compatible with Next.js `headers()` config.\r\n \r\n Usage in next.config.mjs:\r\n * ```js\r\n * const { generateSecurityHeaders } = require('@digilogiclabs/platform-core');\r\n \r\n module.exports = {\r\n * async headers() {\r\n * return generateSecurityHeaders({\r\n * isProduction: process.env.NODE_ENV === 'production',\r\n * cspScriptSrc: ['https://js.stripe.com'],\r\n * cspConnectSrc: ['https://api.stripe.com'],\r\n * });\r\n * },\r\n * };\r\n * ```\r\n /\r\nexport function generateSecurityHeaders(\r\n config: SecurityHeadersConfig = {},\r\n): NextHeaderEntry[] {\r\n const isProduction =\r\n config.isProduction ?? process.env.NODE_ENV === \"production\";\r\n const frameOptions = config.frameOptions ?? \"DENY\";\r\n const enableCsp = config.csp ?? true;\r\n const enableHsts = config.hsts ?? true;\r\n const hstsMaxAge = config.hstsMaxAge ?? 31536000;\r\n\r\n // Base headers applied to all routes in all environments\r\n const baseHeaders: Array<{ key: string; value: string }> = [\r\n { key: \"X-Frame-Options\", value: frameOptions },\r\n { key: \"X-Content-Type-Options\", value: \"nosniff\" },\r\n // Modern browsers use CSP, not XSS-Protection. Value '0' disables the\r\n // legacy filter which can itself introduce vulnerabilities.\r\n { key: \"X-XSS-Protection\", value: \"0\" },\r\n {\r\n key: \"Referrer-Policy\",\r\n value: \"strict-origin-when-cross-origin\",\r\n },\r\n {\r\n key: \"Permissions-Policy\",\r\n value: \"camera=(), microphone=(), geolocation=()\",\r\n },\r\n ];\r\n\r\n const entries: NextHeaderEntry[] = [\r\n { source: \"/:path\", headers: baseHeaders },\r\n ];\r\n\r\n // Production-only headers\r\n if (isProduction) {\r\n const prodHeaders: Array<{ key: string; value: string }> = [];\r\n\r\n // HSTS\r\n if (enableHsts) {\r\n prodHeaders.push({\r\n key: \"Strict-Transport-Security\",\r\n value: `max-age=${hstsMaxAge}; includeSubDomains`,\r\n });\r\n }\r\n\r\n // Content-Security-Policy\r\n if (enableCsp) {\r\n const csp = buildCsp(config);\r\n prodHeaders.push({ key: \"Content-Security-Policy\", value: csp });\r\n }\r\n\r\n if (prodHeaders.length > 0) {\r\n entries.push({ source: \"/:path*\", headers: prodHeaders });\r\n }\r\n }\r\n\r\n return entries;\r\n}\r\n\r\n// ═══════════════════════════════════════════════════════════════\r\n// CSP BUILDER\r\n// ═══════════════════════════════════════════════════════════════\r\n\r\nfunction buildCsp(config: SecurityHeadersConfig): string {\r\n const scriptSrc = [\r\n \"'self'\",\r\n \"'unsafe-inline'\",\r\n \"'unsafe-eval'\",\r\n ...(config.cspScriptSrc ?? []),\r\n ];\r\n\r\n const styleSrc = [\r\n \"'self'\",\r\n \"'unsafe-inline'\",\r\n \"https://fonts.googleapis.com\",\r\n ...(config.cspStyleSrc ?? []),\r\n ];\r\n\r\n const imgSrc = [\r\n \"'self'\",\r\n \"data:\",\r\n \"https:\",\r\n \"blob:\",\r\n ...(config.cspImgSrc ?? []),\r\n ];\r\n\r\n const fontSrc = [\"'self'\", \"data:\", \"https://fonts.gstatic.com\"];\r\n\r\n const connectSrc = [\"'self'\", ...(config.cspConnectSrc ?? [])];\r\n\r\n const frameSrc = [...(config.cspFrameSrc ?? [])];\r\n\r\n const directives = [\r\n `default-src 'self'`,\r\n `script-src ${scriptSrc.join(\" \")}`,\r\n `style-src ${styleSrc.join(\" \")}`,\r\n `img-src ${imgSrc.join(\" \")}`,\r\n `font-src ${fontSrc.join(\" \")}`,\r\n `connect-src ${connectSrc.join(\" \")}`,\r\n ];\r\n\r\n if (frameSrc.length > 0) {\r\n directives.push(`frame-src ${frameSrc.join(\" \")}`);\r\n }\r\n\r\n directives.push(\r\n `object-src 'none'`,\r\n `base-uri 'self'`,\r\n `form-action 'self'`,\r\n `frame-ancestors 'none'`,\r\n );\r\n\r\n return directives.join(\"; \");\r\n}\r\n"],"mappings":";AA0CO,IAAM,wBAAwB;AAAA;AAAA,EAEnC,SAAS;AAAA,IACP,KAAK;AAAA,IACL,MAAM;AAAA,EACR;AAAA;AAAA,EAGA,UAAU;AAAA,IACR,KAAK;AAAA,IACL,MAAM;AAAA,IACN,cAAc;AAAA,EAChB;AAAA;AAAA,EAGA,QAAQ;AAAA,IACN,KAAK;AAAA,IACL,MAAM;AAAA,IACN,YAAY;AAAA;AAAA,IACZ,cAAc;AAAA,EAChB;AACF;AAwBO,SAAS,wBACd,SAAgC,CAAC,GACd;AACnB,QAAM,eACJ,OAAO,gBAAgB,QAAQ,IAAI,aAAa;AAClD,QAAM,eAAe,OAAO,gBAAgB;AAC5C,QAAM,YAAY,OAAO,OAAO;AAChC,QAAM,aAAa,OAAO,QAAQ;AAClC,QAAM,aAAa,OAAO,cAAc;AAGxC,QAAM,cAAqD;AAAA,IACzD,EAAE,KAAK,mBAAmB,OAAO,aAAa;AAAA,IAC9C,EAAE,KAAK,0BAA0B,OAAO,UAAU;AAAA;AAAA;AAAA,IAGlD,EAAE,KAAK,oBAAoB,OAAO,IAAI;AAAA,IACtC;AAAA,MACE,KAAK;AAAA,MACL,OAAO;AAAA,IACT;AAAA,IACA;AAAA,MACE,KAAK;AAAA,MACL,OAAO;AAAA,IACT;AAAA,EACF;AAEA,QAAM,UAA6B;AAAA,IACjC,EAAE,QAAQ,WAAW,SAAS,YAAY;AAAA,EAC5C;AAGA,MAAI,cAAc;AAChB,UAAM,cAAqD,CAAC;AAG5D,QAAI,YAAY;AACd,kBAAY,KAAK;AAAA,QACf,KAAK;AAAA,QACL,OAAO,WAAW,UAAU;AAAA,MAC9B,CAAC;AAAA,IACH;AAGA,QAAI,WAAW;AACb,YAAM,MAAM,SAAS,MAAM;AAC3B,kBAAY,KAAK,EAAE,KAAK,2BAA2B,OAAO,IAAI,CAAC;AAAA,IACjE;AAEA,QAAI,YAAY,SAAS,GAAG;AAC1B,cAAQ,KAAK,EAAE,QAAQ,WAAW,SAAS,YAAY,CAAC;AAAA,IAC1D;AAAA,EACF;AAEA,SAAO;AACT;AAMA,SAAS,SAAS,QAAuC;AACvD,QAAM,YAAY;AAAA,IAChB;AAAA,IACA;AAAA,IACA;AAAA,IACA,GAAI,OAAO,gBAAgB,CAAC;AAAA,EAC9B;AAEA,QAAM,WAAW;AAAA,IACf;AAAA,IACA;AAAA,IACA;AAAA,IACA,GAAI,OAAO,eAAe,CAAC;AAAA,EAC7B;AAEA,QAAM,SAAS;AAAA,IACb;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA,GAAI,OAAO,aAAa,CAAC;AAAA,EAC3B;AAEA,QAAM,UAAU,CAAC,UAAU,SAAS,2BAA2B;AAE/D,QAAM,aAAa,CAAC,UAAU,GAAI,OAAO,iBAAiB,CAAC,CAAE;AAE7D,QAAM,WAAW,CAAC,GAAI,OAAO,eAAe,CAAC,CAAE;AAE/C,QAAM,aAAa;AAAA,IACjB;AAAA,IACA,cAAc,UAAU,KAAK,GAAG,CAAC;AAAA,IACjC,aAAa,SAAS,KAAK,GAAG,CAAC;AAAA,IAC/B,WAAW,OAAO,KAAK,GAAG,CAAC;AAAA,IAC3B,YAAY,QAAQ,KAAK,GAAG,CAAC;AAAA,IAC7B,eAAe,WAAW,KAAK,GAAG,CAAC;AAAA,EACrC;AAEA,MAAI,SAAS,SAAS,GAAG;AACvB,eAAW,KAAK,aAAa,SAAS,KAAK,GAAG,CAAC,EAAE;AAAA,EACnD;AAEA,aAAW;AAAA,IACT;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,EACF;AAEA,SAAO,WAAW,KAAK,IAAI;AAC7B;","names":[]}
1	+ {"version":3,"sources":["../src/security-headers.ts"],"sourcesContent":["/*\n Shared Security Headers Utility\n * Generates consistent security headers for all Next.js apps.\n * Zero heavy dependencies — pure utility function.\n /\n\n// ═══════════════════════════════════════════════════════════════\n// TYPES\n// ═══════════════════════════════════════════════════════════════\n\nexport interface SecurityHeadersConfig {\n /* Enable Content-Security-Policy (default: true) /\n csp?: boolean;\n /* Additional allowed script-src domains /\n cspScriptSrc?: string[];\n /* Additional allowed connect-src domains /\n cspConnectSrc?: string[];\n /* Additional allowed frame-src domains /\n cspFrameSrc?: string[];\n /* Additional allowed style-src domains /\n cspStyleSrc?: string[];\n /* Additional allowed img-src domains /\n cspImgSrc?: string[];\n /* X-Frame-Options value (default: 'DENY') /\n frameOptions?: \"DENY\" \| \"SAMEORIGIN\";\n /* Enable HSTS in production (default: true) /\n hsts?: boolean;\n /* HSTS max-age in seconds (default: 31536000 = 1 year) /\n hstsMaxAge?: number;\n /* Whether this is a production build (default: auto-detect from NODE_ENV) /\n isProduction?: boolean;\n}\n\nexport interface NextHeaderEntry {\n source: string;\n headers: Array<{ key: string; value: string }>;\n}\n\n// ═══════════════════════════════════════════════════════════════\n// PRESETS\n// ═══════════════════════════════════════════════════════════════\n\nexport const SecurityHeaderPresets = {\n /* Minimal: basic headers only, no CSP /\n minimal: {\n csp: false,\n hsts: false,\n } satisfies SecurityHeadersConfig,\n\n /* Standard: full CSP + HSTS for most apps /\n standard: {\n csp: true,\n hsts: true,\n frameOptions: \"DENY\",\n } satisfies SecurityHeadersConfig,\n\n /* Strict: deny all permissions, strict CSP, no frame embedding /\n strict: {\n csp: true,\n hsts: true,\n hstsMaxAge: 63072000, // 2 years\n frameOptions: \"DENY\",\n } satisfies SecurityHeadersConfig,\n} as const;\n\n// ═══════════════════════════════════════════════════════════════\n// MAIN FUNCTION\n// ═══════════════════════════════════════════════════════════════\n\n/\n Generate security headers array compatible with Next.js `headers()` config.\n \n Usage in next.config.mjs:\n * ```js\n * const { generateSecurityHeaders } = require('@digilogiclabs/platform-core');\n \n module.exports = {\n * async headers() {\n * return generateSecurityHeaders({\n * isProduction: process.env.NODE_ENV === 'production',\n * cspScriptSrc: ['https://js.stripe.com'],\n * cspConnectSrc: ['https://api.stripe.com'],\n * });\n * },\n * };\n * ```\n /\nexport function generateSecurityHeaders(\n config: SecurityHeadersConfig = {},\n): NextHeaderEntry[] {\n const isProduction =\n config.isProduction ?? process.env.NODE_ENV === \"production\";\n const frameOptions = config.frameOptions ?? \"DENY\";\n const enableCsp = config.csp ?? true;\n const enableHsts = config.hsts ?? true;\n const hstsMaxAge = config.hstsMaxAge ?? 31536000;\n\n // Base headers applied to all routes in all environments\n const baseHeaders: Array<{ key: string; value: string }> = [\n { key: \"X-Frame-Options\", value: frameOptions },\n { key: \"X-Content-Type-Options\", value: \"nosniff\" },\n // Modern browsers use CSP, not XSS-Protection. Value '0' disables the\n // legacy filter which can itself introduce vulnerabilities.\n { key: \"X-XSS-Protection\", value: \"0\" },\n {\n key: \"Referrer-Policy\",\n value: \"strict-origin-when-cross-origin\",\n },\n {\n key: \"Permissions-Policy\",\n value: \"camera=(), microphone=(), geolocation=()\",\n },\n ];\n\n const entries: NextHeaderEntry[] = [\n { source: \"/:path\", headers: baseHeaders },\n ];\n\n // Production-only headers\n if (isProduction) {\n const prodHeaders: Array<{ key: string; value: string }> = [];\n\n // HSTS\n if (enableHsts) {\n prodHeaders.push({\n key: \"Strict-Transport-Security\",\n value: `max-age=${hstsMaxAge}; includeSubDomains`,\n });\n }\n\n // Content-Security-Policy\n if (enableCsp) {\n const csp = buildCsp(config);\n prodHeaders.push({ key: \"Content-Security-Policy\", value: csp });\n }\n\n if (prodHeaders.length > 0) {\n entries.push({ source: \"/:path*\", headers: prodHeaders });\n }\n }\n\n return entries;\n}\n\n// ═══════════════════════════════════════════════════════════════\n// CSP BUILDER\n// ═══════════════════════════════════════════════════════════════\n\nfunction buildCsp(config: SecurityHeadersConfig): string {\n const scriptSrc = [\n \"'self'\",\n \"'unsafe-inline'\",\n \"'unsafe-eval'\",\n ...(config.cspScriptSrc ?? []),\n ];\n\n const styleSrc = [\n \"'self'\",\n \"'unsafe-inline'\",\n \"https://fonts.googleapis.com\",\n ...(config.cspStyleSrc ?? []),\n ];\n\n const imgSrc = [\n \"'self'\",\n \"data:\",\n \"https:\",\n \"blob:\",\n ...(config.cspImgSrc ?? []),\n ];\n\n const fontSrc = [\"'self'\", \"data:\", \"https://fonts.gstatic.com\"];\n\n const connectSrc = [\"'self'\", ...(config.cspConnectSrc ?? [])];\n\n const frameSrc = [...(config.cspFrameSrc ?? [])];\n\n const directives = [\n `default-src 'self'`,\n `script-src ${scriptSrc.join(\" \")}`,\n `style-src ${styleSrc.join(\" \")}`,\n `img-src ${imgSrc.join(\" \")}`,\n `font-src ${fontSrc.join(\" \")}`,\n `connect-src ${connectSrc.join(\" \")}`,\n ];\n\n if (frameSrc.length > 0) {\n directives.push(`frame-src ${frameSrc.join(\" \")}`);\n }\n\n directives.push(\n `object-src 'none'`,\n `base-uri 'self'`,\n `form-action 'self'`,\n `frame-ancestors 'none'`,\n );\n\n return directives.join(\"; \");\n}\n"],"mappings":";AA0CO,IAAM,wBAAwB;AAAA;AAAA,EAEnC,SAAS;AAAA,IACP,KAAK;AAAA,IACL,MAAM;AAAA,EACR;AAAA;AAAA,EAGA,UAAU;AAAA,IACR,KAAK;AAAA,IACL,MAAM;AAAA,IACN,cAAc;AAAA,EAChB;AAAA;AAAA,EAGA,QAAQ;AAAA,IACN,KAAK;AAAA,IACL,MAAM;AAAA,IACN,YAAY;AAAA;AAAA,IACZ,cAAc;AAAA,EAChB;AACF;AAwBO,SAAS,wBACd,SAAgC,CAAC,GACd;AACnB,QAAM,eACJ,OAAO,gBAAgB,QAAQ,IAAI,aAAa;AAClD,QAAM,eAAe,OAAO,gBAAgB;AAC5C,QAAM,YAAY,OAAO,OAAO;AAChC,QAAM,aAAa,OAAO,QAAQ;AAClC,QAAM,aAAa,OAAO,cAAc;AAGxC,QAAM,cAAqD;AAAA,IACzD,EAAE,KAAK,mBAAmB,OAAO,aAAa;AAAA,IAC9C,EAAE,KAAK,0BAA0B,OAAO,UAAU;AAAA;AAAA;AAAA,IAGlD,EAAE,KAAK,oBAAoB,OAAO,IAAI;AAAA,IACtC;AAAA,MACE,KAAK;AAAA,MACL,OAAO;AAAA,IACT;AAAA,IACA;AAAA,MACE,KAAK;AAAA,MACL,OAAO;AAAA,IACT;AAAA,EACF;AAEA,QAAM,UAA6B;AAAA,IACjC,EAAE,QAAQ,WAAW,SAAS,YAAY;AAAA,EAC5C;AAGA,MAAI,cAAc;AAChB,UAAM,cAAqD,CAAC;AAG5D,QAAI,YAAY;AACd,kBAAY,KAAK;AAAA,QACf,KAAK;AAAA,QACL,OAAO,WAAW,UAAU;AAAA,MAC9B,CAAC;AAAA,IACH;AAGA,QAAI,WAAW;AACb,YAAM,MAAM,SAAS,MAAM;AAC3B,kBAAY,KAAK,EAAE,KAAK,2BAA2B,OAAO,IAAI,CAAC;AAAA,IACjE;AAEA,QAAI,YAAY,SAAS,GAAG;AAC1B,cAAQ,KAAK,EAAE,QAAQ,WAAW,SAAS,YAAY,CAAC;AAAA,IAC1D;AAAA,EACF;AAEA,SAAO;AACT;AAMA,SAAS,SAAS,QAAuC;AACvD,QAAM,YAAY;AAAA,IAChB;AAAA,IACA;AAAA,IACA;AAAA,IACA,GAAI,OAAO,gBAAgB,CAAC;AAAA,EAC9B;AAEA,QAAM,WAAW;AAAA,IACf;AAAA,IACA;AAAA,IACA;AAAA,IACA,GAAI,OAAO,eAAe,CAAC;AAAA,EAC7B;AAEA,QAAM,SAAS;AAAA,IACb;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA,GAAI,OAAO,aAAa,CAAC;AAAA,EAC3B;AAEA,QAAM,UAAU,CAAC,UAAU,SAAS,2BAA2B;AAE/D,QAAM,aAAa,CAAC,UAAU,GAAI,OAAO,iBAAiB,CAAC,CAAE;AAE7D,QAAM,WAAW,CAAC,GAAI,OAAO,eAAe,CAAC,CAAE;AAE/C,QAAM,aAAa;AAAA,IACjB;AAAA,IACA,cAAc,UAAU,KAAK,GAAG,CAAC;AAAA,IACjC,aAAa,SAAS,KAAK,GAAG,CAAC;AAAA,IAC/B,WAAW,OAAO,KAAK,GAAG,CAAC;AAAA,IAC3B,YAAY,QAAQ,KAAK,GAAG,CAAC;AAAA,IAC7B,eAAe,WAAW,KAAK,GAAG,CAAC;AAAA,EACrC;AAEA,MAAI,SAAS,SAAS,GAAG;AACvB,eAAW,KAAK,aAAa,SAAS,KAAK,GAAG,CAAC,EAAE;AAAA,EACnD;AAEA,aAAW;AAAA,IACT;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,EACF;AAEA,SAAO,WAAW,KAAK,IAAI;AAC7B;","names":[]}

package/dist/testing.js CHANGED Viewed

@@ -2523,7 +2523,9 @@ var RAGConfigSchema = import_zod.z.object({
 var CryptoConfigSchema = import_zod.z.object({
   enabled: import_zod.z.boolean().default(false).describe("Enable field-level encryption"),
   masterKey: import_zod.z.string().optional().describe("256-bit master key as hex (64 chars). Required when enabled."),
-  hmacKey: import_zod.z.string().optional().describe("HMAC key for deterministic hashing (derived from master key if not provided)")
+  hmacKey: import_zod.z.string().optional().describe(
+    "HMAC key for deterministic hashing (derived from master key if not provided)"
+  )
 }).refine(
   (data) => {
     if (data.enabled) {