@drawbridge/drawbridge-utils 0.0.5 → 0.0.7

package/dist/axios.cjs

@@ -0,0 +1,126 @@
+var __create = Object.create;
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __getProtoOf = Object.getPrototypeOf;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
+  // If the importer is in node compatibility mode or this is not an ESM
+  // file that has been converted to a CommonJS file using a Babel-
+  // compatible transform (i.e. "__esModule" has not been set), then set
+  // "default" to the CommonJS "module.exports" for node compatibility.
+  isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
+  mod
+));
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+
+// axios.js
+var axios_exports = {};
+__export(axios_exports, {
+  axios: () => axios,
+  isBlockedIP: () => isBlockedIP,
+  safe: () => safe
+});
+module.exports = __toCommonJS(axios_exports);
+var import_axios = __toESM(require("axios"), 1);
+var import_dns = __toESM(require("dns"), 1);
+var import_https = __toESM(require("https"), 1);
+var import_net = __toESM(require("net"), 1);
+var dnsLookup = import_dns.default.promises.lookup;
+var isBlockedIPv4 = (ip) => {
+  const parts = ip.split(".").map(Number);
+  if (parts.length !== 4 || parts.some((n) => Number.isNaN(n) || n < 0 || n > 255)) return true;
+  const [a, b] = parts;
+  if (a === 0) return true;
+  if (a === 10) return true;
+  if (a === 127) return true;
+  if (a === 169 && b === 254) return true;
+  if (a === 172 && b >= 16 && b <= 31) return true;
+  if (a === 192 && b === 168) return true;
+  if (a === 100 && b >= 64 && b <= 127) return true;
+  if (a === 192 && b === 0) return true;
+  if (a === 198 && (b === 18 || b === 19)) return true;
+  if (a === 198 && b === 51) return true;
+  if (a === 203 && b === 0) return true;
+  if (a >= 224) return true;
+  return false;
+};
+var isBlockedIPv6 = (ip) => {
+  const lower = ip.toLowerCase();
+  if (lower === "::1" || lower === "::") return true;
+  if (lower.startsWith("fc") || lower.startsWith("fd")) return true;
+  if (/^fe[89ab]/.test(lower)) return true;
+  if (lower.startsWith("ff")) return true;
+  if (lower.startsWith("::ffff:")) {
+    const v4 = lower.slice(7);
+    return isBlockedIPv4(v4);
+  }
+  ;
+  return false;
+};
+var isBlockedIP = (ip) => {
+  const version = import_net.default.isIP(ip);
+  if (version === 4) return isBlockedIPv4(ip);
+  if (version === 6) return isBlockedIPv6(ip);
+  return true;
+};
+var safeGet = async (url, axiosOptions = {}) => {
+  let parsed;
+  try {
+    parsed = new URL(url);
+  } catch {
+    throw new Error("Invalid URL");
+  }
+  ;
+  if (parsed.protocol !== "https:") {
+    throw new Error("Only https URLs are allowed");
+  }
+  ;
+  const records = await dnsLookup(parsed.hostname, { all: true });
+  if (!records || records.length === 0) {
+    throw new Error("Host could not be resolved");
+  }
+  ;
+  for (const record of records) {
+    if (isBlockedIP(record.address)) {
+      throw new Error("Host resolves to a blocked IP range");
+    }
+    ;
+  }
+  ;
+  const pinned = records[0];
+  const agent = new import_https.default.Agent({
+    lookup: (hostname, options, callback) => {
+      callback(null, pinned.address, pinned.family);
+    }
+  });
+  return import_axios.default.get(url, {
+    ...axiosOptions,
+    httpsAgent: agent,
+    maxRedirects: 0,
+    maxContentLength: 5 * 1024 * 1024,
+    maxBodyLength: 5 * 1024 * 1024
+  });
+};
+var safe = {
+  get: safeGet
+};
+var axios = import_axios.default;
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  axios,
+  isBlockedIP,
+  safe
+});

package/dist/axios.d.cts

@@ -0,0 +1,142 @@
+import axiosLib from 'axios';
+import dns from 'dns';
+import https from 'https';
+import net from 'net';
+
+const dnsLookup = dns.promises.lookup;
+
+// Reject any IPv4 in the standard private/loopback/link-local/CGN/multicast/reserved
+// ranges. Matches RFC 1918, 5735, 5737, 6598, 6890.
+
+const isBlockedIPv4 = ( ip ) => {
+
+	const parts = ip.split( '.' ).map( Number );
+
+	if( parts.length !== 4 || parts.some( ( n ) => Number.isNaN( n ) || n < 0 || n > 255 ) ) return true;
+
+	const [ a, b ] = parts;
+
+	if( a === 0 ) return true;
+	if( a === 10 ) return true;
+	if( a === 127 ) return true;
+	if( a === 169 && b === 254 ) return true;
+	if( a === 172 && b >= 16 && b <= 31 ) return true;
+	if( a === 192 && b === 168 ) return true;
+	if( a === 100 && b >= 64 && b <= 127 ) return true;
+	if( a === 192 && b === 0 ) return true;
+	if( a === 198 && ( b === 18 || b === 19 ) ) return true;
+	if( a === 198 && b === 51 ) return true;
+	if( a === 203 && b === 0 ) return true;
+	if( a >= 224 ) return true;
+
+	return false;
+
+};
+
+const isBlockedIPv6 = ( ip ) => {
+
+	const lower = ip.toLowerCase();
+
+	if( lower === '::1' || lower === '::' ) return true;
+
+	// fc00::/7 — unique local addresses
+	if( lower.startsWith( 'fc' ) || lower.startsWith( 'fd' ) ) return true;
+
+	// fe80::/10 — link-local
+	if( /^fe[89ab]/.test( lower ) ) return true;
+
+	// ff00::/8 — multicast
+	if( lower.startsWith( 'ff' ) ) return true;
+
+	// ::ffff:0:0/96 — IPv4-mapped; check the embedded v4
+	if( lower.startsWith( '::ffff:' ) ){
+
+		const v4 = lower.slice( 7 );
+
+		return isBlockedIPv4( v4 );
+
+	}
+	return false;
+
+};
+
+const isBlockedIP = ( ip ) => {
+
+	const version = net.isIP( ip );
+
+	if( version === 4 ) return isBlockedIPv4( ip );
+	if( version === 6 ) return isBlockedIPv6( ip );
+
+	return true;
+
+};
+
+// SSRF-protected GET for user-supplied URLs.
+// Requires https://, resolves all A/AAAA records and rejects if any is in a blocked
+// range, then pins the axios lookup to the validated IP (closes DNS rebinding) and
+// caps response size + disables redirects.
+const safeGet = async ( url, axiosOptions = {} ) => {
+
+	let parsed;
+
+	try {
+
+		parsed = new URL( url );
+
+	} catch {
+
+		throw new Error( 'Invalid URL' );
+
+	}
+	if( parsed.protocol !== 'https:' ){
+
+		throw new Error( 'Only https URLs are allowed' );
+
+	}
+	const records = await dnsLookup( parsed.hostname, { all : true } );
+
+	if( ! records || records.length === 0 ){
+
+		throw new Error( 'Host could not be resolved' );
+
+	}
+	for( const record of records ){
+
+		if( isBlockedIP( record.address ) ){
+
+			throw new Error( 'Host resolves to a blocked IP range' );
+
+		}
+	}
+	const pinned = records[ 0 ];
+
+	const agent = new https.Agent({
+		lookup : ( hostname, options, callback ) => {
+
+			callback( null, pinned.address, pinned.family );
+
+		}
+	});
+
+	return axiosLib.get( url, {
+		...axiosOptions,
+		httpsAgent : agent,
+		maxRedirects : 0,
+		maxContentLength : 5 * 1024 * 1024,
+		maxBodyLength : 5 * 1024 * 1024
+	});
+
+};
+
+// SSRF-protected namespace. Use for ANY URL that comes from request input.
+//   await safe.get( userUrl, options );
+const safe = {
+	get : safeGet
+};
+
+// Raw axios passthrough. Use for trusted/hardcoded URLs (Google APIs, Stripe, etc.).
+//   await axios.get( 'https://api.stripe.com/...' );
+//   await axios.post( ... );
+const axios = axiosLib;
+
+export { axios, isBlockedIP, safe };

package/dist/axios.d.ts

@@ -0,0 +1,142 @@
+import axiosLib from 'axios';
+import dns from 'dns';
+import https from 'https';
+import net from 'net';
+
+const dnsLookup = dns.promises.lookup;
+
+// Reject any IPv4 in the standard private/loopback/link-local/CGN/multicast/reserved
+// ranges. Matches RFC 1918, 5735, 5737, 6598, 6890.
+
+const isBlockedIPv4 = ( ip ) => {
+
+	const parts = ip.split( '.' ).map( Number );
+
+	if( parts.length !== 4 || parts.some( ( n ) => Number.isNaN( n ) || n < 0 || n > 255 ) ) return true;
+
+	const [ a, b ] = parts;
+
+	if( a === 0 ) return true;
+	if( a === 10 ) return true;
+	if( a === 127 ) return true;
+	if( a === 169 && b === 254 ) return true;
+	if( a === 172 && b >= 16 && b <= 31 ) return true;
+	if( a === 192 && b === 168 ) return true;
+	if( a === 100 && b >= 64 && b <= 127 ) return true;
+	if( a === 192 && b === 0 ) return true;
+	if( a === 198 && ( b === 18 || b === 19 ) ) return true;
+	if( a === 198 && b === 51 ) return true;
+	if( a === 203 && b === 0 ) return true;
+	if( a >= 224 ) return true;
+
+	return false;
+
+};
+
+const isBlockedIPv6 = ( ip ) => {
+
+	const lower = ip.toLowerCase();
+
+	if( lower === '::1' || lower === '::' ) return true;
+
+	// fc00::/7 — unique local addresses
+	if( lower.startsWith( 'fc' ) || lower.startsWith( 'fd' ) ) return true;
+
+	// fe80::/10 — link-local
+	if( /^fe[89ab]/.test( lower ) ) return true;
+
+	// ff00::/8 — multicast
+	if( lower.startsWith( 'ff' ) ) return true;
+
+	// ::ffff:0:0/96 — IPv4-mapped; check the embedded v4
+	if( lower.startsWith( '::ffff:' ) ){
+
+		const v4 = lower.slice( 7 );
+
+		return isBlockedIPv4( v4 );
+
+	}
+	return false;
+
+};
+
+const isBlockedIP = ( ip ) => {
+
+	const version = net.isIP( ip );
+
+	if( version === 4 ) return isBlockedIPv4( ip );
+	if( version === 6 ) return isBlockedIPv6( ip );
+
+	return true;
+
+};
+
+// SSRF-protected GET for user-supplied URLs.
+// Requires https://, resolves all A/AAAA records and rejects if any is in a blocked
+// range, then pins the axios lookup to the validated IP (closes DNS rebinding) and
+// caps response size + disables redirects.
+const safeGet = async ( url, axiosOptions = {} ) => {
+
+	let parsed;
+
+	try {
+
+		parsed = new URL( url );
+
+	} catch {
+
+		throw new Error( 'Invalid URL' );
+
+	}
+	if( parsed.protocol !== 'https:' ){
+
+		throw new Error( 'Only https URLs are allowed' );
+
+	}
+	const records = await dnsLookup( parsed.hostname, { all : true } );
+
+	if( ! records || records.length === 0 ){
+
+		throw new Error( 'Host could not be resolved' );
+
+	}
+	for( const record of records ){
+
+		if( isBlockedIP( record.address ) ){
+
+			throw new Error( 'Host resolves to a blocked IP range' );
+
+		}
+	}
+	const pinned = records[ 0 ];
+
+	const agent = new https.Agent({
+		lookup : ( hostname, options, callback ) => {
+
+			callback( null, pinned.address, pinned.family );
+
+		}
+	});
+
+	return axiosLib.get( url, {
+		...axiosOptions,
+		httpsAgent : agent,
+		maxRedirects : 0,
+		maxContentLength : 5 * 1024 * 1024,
+		maxBodyLength : 5 * 1024 * 1024
+	});
+
+};
+
+// SSRF-protected namespace. Use for ANY URL that comes from request input.
+//   await safe.get( userUrl, options );
+const safe = {
+	get : safeGet
+};
+
+// Raw axios passthrough. Use for trusted/hardcoded URLs (Google APIs, Stripe, etc.).
+//   await axios.get( 'https://api.stripe.com/...' );
+//   await axios.post( ... );
+const axios = axiosLib;
+
+export { axios, isBlockedIP, safe };

package/dist/axios.js

@@ -0,0 +1,90 @@
+// axios.js
+import axiosLib from "axios";
+import dns from "dns";
+import https from "https";
+import net from "net";
+var dnsLookup = dns.promises.lookup;
+var isBlockedIPv4 = (ip) => {
+  const parts = ip.split(".").map(Number);
+  if (parts.length !== 4 || parts.some((n) => Number.isNaN(n) || n < 0 || n > 255)) return true;
+  const [a, b] = parts;
+  if (a === 0) return true;
+  if (a === 10) return true;
+  if (a === 127) return true;
+  if (a === 169 && b === 254) return true;
+  if (a === 172 && b >= 16 && b <= 31) return true;
+  if (a === 192 && b === 168) return true;
+  if (a === 100 && b >= 64 && b <= 127) return true;
+  if (a === 192 && b === 0) return true;
+  if (a === 198 && (b === 18 || b === 19)) return true;
+  if (a === 198 && b === 51) return true;
+  if (a === 203 && b === 0) return true;
+  if (a >= 224) return true;
+  return false;
+};
+var isBlockedIPv6 = (ip) => {
+  const lower = ip.toLowerCase();
+  if (lower === "::1" || lower === "::") return true;
+  if (lower.startsWith("fc") || lower.startsWith("fd")) return true;
+  if (/^fe[89ab]/.test(lower)) return true;
+  if (lower.startsWith("ff")) return true;
+  if (lower.startsWith("::ffff:")) {
+    const v4 = lower.slice(7);
+    return isBlockedIPv4(v4);
+  }
+  ;
+  return false;
+};
+var isBlockedIP = (ip) => {
+  const version = net.isIP(ip);
+  if (version === 4) return isBlockedIPv4(ip);
+  if (version === 6) return isBlockedIPv6(ip);
+  return true;
+};
+var safeGet = async (url, axiosOptions = {}) => {
+  let parsed;
+  try {
+    parsed = new URL(url);
+  } catch {
+    throw new Error("Invalid URL");
+  }
+  ;
+  if (parsed.protocol !== "https:") {
+    throw new Error("Only https URLs are allowed");
+  }
+  ;
+  const records = await dnsLookup(parsed.hostname, { all: true });
+  if (!records || records.length === 0) {
+    throw new Error("Host could not be resolved");
+  }
+  ;
+  for (const record of records) {
+    if (isBlockedIP(record.address)) {
+      throw new Error("Host resolves to a blocked IP range");
+    }
+    ;
+  }
+  ;
+  const pinned = records[0];
+  const agent = new https.Agent({
+    lookup: (hostname, options, callback) => {
+      callback(null, pinned.address, pinned.family);
+    }
+  });
+  return axiosLib.get(url, {
+    ...axiosOptions,
+    httpsAgent: agent,
+    maxRedirects: 0,
+    maxContentLength: 5 * 1024 * 1024,
+    maxBodyLength: 5 * 1024 * 1024
+  });
+};
+var safe = {
+  get: safeGet
+};
+var axios = axiosLib;
+export {
+  axios,
+  isBlockedIP,
+  safe
+};

package/dist/circuit.cjs

@@ -0,0 +1,77 @@
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+
+// circuit.js
+var circuit_exports = {};
+__export(circuit_exports, {
+  circuit: () => circuit
+});
+module.exports = __toCommonJS(circuit_exports);
+var CLOSED = "CLOSED";
+var OPEN = "OPEN";
+var HALF_OPEN = "HALF_OPEN";
+var circuit = ({
+  name,
+  threshold = 5,
+  timeout = 3e4
+}) => {
+  let state = CLOSED;
+  let failures = 0;
+  let openedAt = null;
+  const trip = () => {
+    state = OPEN;
+    openedAt = Date.now();
+    console.error(`Circuit breaker OPEN: ${name}`);
+  };
+  const reset = () => {
+    state = CLOSED;
+    failures = 0;
+    openedAt = null;
+    console.log(`Circuit breaker CLOSED: ${name}`);
+  };
+  return async (fn) => {
+    if (state === OPEN) {
+      if (Date.now() - openedAt >= timeout) {
+        state = HALF_OPEN;
+      } else {
+        const error = new Error(`${name} is temporarily unavailable`);
+        error.status = 503;
+        throw error;
+      }
+    }
+    try {
+      const result = await fn();
+      if (state === HALF_OPEN) {
+        reset();
+      } else {
+        failures = 0;
+      }
+      return result;
+    } catch (error) {
+      failures++;
+      if (state === HALF_OPEN || failures >= threshold) {
+        trip();
+      }
+      throw error;
+    }
+  };
+};
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  circuit
+});

package/dist/circuit.d.cts

@@ -0,0 +1,96 @@
+// Simple circuit breaker for wrapped async operations.
+//
+//   const breaker = circuit({ name : 'kinde-auth', threshold : 5, timeout : 30000 });
+//   const result = await breaker( () => validateToken( ... ) );
+//
+// States: CLOSED → OPEN (after `threshold` consecutive failures) → HALF_OPEN
+// (after `timeout` ms; next call probes recovery) → CLOSED (on success).
+//
+// IMPORTANT: state is per-process (per closure). With multiple replicas, each has
+// its own counters — you can get N × threshold failures globally before any replica
+// trips. For higher-stakes calls, back this with Redis.
+
+const CLOSED = 'CLOSED';
+const OPEN = 'OPEN';
+const HALF_OPEN = 'HALF_OPEN';
+
+const circuit = ({
+	name,
+	threshold = 5,
+	timeout = 30000
+}) => {
+
+	let state = CLOSED;
+	let failures = 0;
+	let openedAt = null;
+
+	const trip = () => {
+
+		state = OPEN;
+		openedAt = Date.now();
+		console.error( `Circuit breaker OPEN: ${ name }` );
+
+	};
+
+	const reset = () => {
+
+		state = CLOSED;
+		failures = 0;
+		openedAt = null;
+		console.log( `Circuit breaker CLOSED: ${ name }` );
+
+	};
+
+	return async ( fn ) => {
+
+		if( state === OPEN ){
+
+			if( Date.now() - openedAt >= timeout ){
+
+				state = HALF_OPEN;
+
+			} else {
+
+				const error = new Error( `${ name } is temporarily unavailable` );
+				error.status = 503;
+				throw error;
+
+			}
+
+		}
+
+		try {
+
+			const result = await fn();
+
+			if( state === HALF_OPEN ){
+
+				reset();
+
+			} else {
+
+				failures = 0;
+
+			}
+
+			return result;
+
+		} catch ( error ) {
+
+			failures++;
+
+			if( state === HALF_OPEN || failures >= threshold ){
+
+				trip();
+
+			}
+
+			throw error;
+
+		}
+
+	};
+
+};
+
+export { circuit };

package/dist/circuit.d.ts

@@ -0,0 +1,96 @@
+// Simple circuit breaker for wrapped async operations.
+//
+//   const breaker = circuit({ name : 'kinde-auth', threshold : 5, timeout : 30000 });
+//   const result = await breaker( () => validateToken( ... ) );
+//
+// States: CLOSED → OPEN (after `threshold` consecutive failures) → HALF_OPEN
+// (after `timeout` ms; next call probes recovery) → CLOSED (on success).
+//
+// IMPORTANT: state is per-process (per closure). With multiple replicas, each has
+// its own counters — you can get N × threshold failures globally before any replica
+// trips. For higher-stakes calls, back this with Redis.
+
+const CLOSED = 'CLOSED';
+const OPEN = 'OPEN';
+const HALF_OPEN = 'HALF_OPEN';
+
+const circuit = ({
+	name,
+	threshold = 5,
+	timeout = 30000
+}) => {
+
+	let state = CLOSED;
+	let failures = 0;
+	let openedAt = null;
+
+	const trip = () => {
+
+		state = OPEN;
+		openedAt = Date.now();
+		console.error( `Circuit breaker OPEN: ${ name }` );
+
+	};
+
+	const reset = () => {
+
+		state = CLOSED;
+		failures = 0;
+		openedAt = null;
+		console.log( `Circuit breaker CLOSED: ${ name }` );
+
+	};
+
+	return async ( fn ) => {
+
+		if( state === OPEN ){
+
+			if( Date.now() - openedAt >= timeout ){
+
+				state = HALF_OPEN;
+
+			} else {
+
+				const error = new Error( `${ name } is temporarily unavailable` );
+				error.status = 503;
+				throw error;
+
+			}
+
+		}
+
+		try {
+
+			const result = await fn();
+
+			if( state === HALF_OPEN ){
+
+				reset();
+
+			} else {
+
+				failures = 0;
+
+			}
+
+			return result;
+
+		} catch ( error ) {
+
+			failures++;
+
+			if( state === HALF_OPEN || failures >= threshold ){
+
+				trip();
+
+			}
+
+			throw error;
+
+		}
+
+	};
+
+};
+
+export { circuit };

package/dist/circuit.js

@@ -0,0 +1,53 @@
+// circuit.js
+var CLOSED = "CLOSED";
+var OPEN = "OPEN";
+var HALF_OPEN = "HALF_OPEN";
+var circuit = ({
+  name,
+  threshold = 5,
+  timeout = 3e4
+}) => {
+  let state = CLOSED;
+  let failures = 0;
+  let openedAt = null;
+  const trip = () => {
+    state = OPEN;
+    openedAt = Date.now();
+    console.error(`Circuit breaker OPEN: ${name}`);
+  };
+  const reset = () => {
+    state = CLOSED;
+    failures = 0;
+    openedAt = null;
+    console.log(`Circuit breaker CLOSED: ${name}`);
+  };
+  return async (fn) => {
+    if (state === OPEN) {
+      if (Date.now() - openedAt >= timeout) {
+        state = HALF_OPEN;
+      } else {
+        const error = new Error(`${name} is temporarily unavailable`);
+        error.status = 503;
+        throw error;
+      }
+    }
+    try {
+      const result = await fn();
+      if (state === HALF_OPEN) {
+        reset();
+      } else {
+        failures = 0;
+      }
+      return result;
+    } catch (error) {
+      failures++;
+      if (state === HALF_OPEN || failures >= threshold) {
+        trip();
+      }
+      throw error;
+    }
+  };
+};
+export {
+  circuit
+};

package/dist/kinde.cjs

@@ -0,0 +1,56 @@
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+
+// kinde.js
+var kinde_exports = {};
+__export(kinde_exports, {
+  verifyToken: () => verifyToken
+});
+module.exports = __toCommonJS(kinde_exports);
+var import_jwt_decoder = require("@kinde/jwt-decoder");
+var import_jwt_validator = require("@kinde/jwt-validator");
+var normalizeDomain = (raw) => {
+  const trimmed = (raw || "").trim().replace(/\/+$/, "");
+  if (!trimmed) return trimmed;
+  return /^https?:\/\//.test(trimmed) ? trimmed : "https://" + trimmed;
+};
+var verifyToken = async (rawToken, { domain } = {}) => {
+  if (!rawToken) {
+    throw new Error("No token");
+  }
+  ;
+  const token = rawToken.startsWith("Bearer ") ? rawToken.slice(7) : rawToken;
+  const validation = await (0, import_jwt_validator.validateToken)({
+    domain: normalizeDomain(domain),
+    token
+  });
+  if (!(validation == null ? void 0 : validation.valid)) {
+    throw new Error((validation == null ? void 0 : validation.message) || "Invalid token");
+  }
+  ;
+  const decoded = (0, import_jwt_decoder.jwtDecoder)(token);
+  if (!(decoded == null ? void 0 : decoded.sub)) {
+    throw new Error("Invalid token payload");
+  }
+  ;
+  return decoded;
+};
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  verifyToken
+});

package/dist/kinde.d.cts

@@ -0,0 +1,52 @@
+import { jwtDecoder } from '@kinde/jwt-decoder';
+import { validateToken } from '@kinde/jwt-validator';
+
+const normalizeDomain = ( raw ) => {
+
+	const trimmed = ( raw || '' ).trim().replace( /\/+$/, '' );
+
+	if( ! trimmed ) return trimmed;
+
+	return /^https?:\/\//.test( trimmed ) ? trimmed : 'https://' + trimmed;
+
+};
+
+// Verifies a Kinde access token cryptographically via JWKS and returns the decoded
+// payload. Throws on any failure (missing/invalid signature, missing sub claim, etc.).
+// Caller does user lookup + service-specific glue around this.
+//
+//   const decoded = await verifyToken( token, { domain : process.env.KINDE_DOMAIN } );
+//   decoded.sub                // Kinde user id
+//   decoded.org_code           // org code
+//   decoded.permissions        // permissions array
+const verifyToken = async ( rawToken, { domain } = {} ) => {
+
+	if( ! rawToken ){
+
+		throw new Error( 'No token' );
+
+	}
+	const token = rawToken.startsWith( 'Bearer ' ) ? rawToken.slice( 7 ) : rawToken;
+
+	const validation = await validateToken({
+		domain : normalizeDomain( domain ),
+		token
+	});
+
+	if( ! validation?.valid ){
+
+		throw new Error( validation?.message || 'Invalid token' );
+
+	}
+	const decoded = jwtDecoder( token );
+
+	if( ! decoded?.sub ){
+
+		throw new Error( 'Invalid token payload' );
+
+	}
+	return decoded;
+
+};
+
+export { verifyToken };

package/dist/kinde.d.ts

@@ -0,0 +1,52 @@
+import { jwtDecoder } from '@kinde/jwt-decoder';
+import { validateToken } from '@kinde/jwt-validator';
+
+const normalizeDomain = ( raw ) => {
+
+	const trimmed = ( raw || '' ).trim().replace( /\/+$/, '' );
+
+	if( ! trimmed ) return trimmed;
+
+	return /^https?:\/\//.test( trimmed ) ? trimmed : 'https://' + trimmed;
+
+};
+
+// Verifies a Kinde access token cryptographically via JWKS and returns the decoded
+// payload. Throws on any failure (missing/invalid signature, missing sub claim, etc.).
+// Caller does user lookup + service-specific glue around this.
+//
+//   const decoded = await verifyToken( token, { domain : process.env.KINDE_DOMAIN } );
+//   decoded.sub                // Kinde user id
+//   decoded.org_code           // org code
+//   decoded.permissions        // permissions array
+const verifyToken = async ( rawToken, { domain } = {} ) => {
+
+	if( ! rawToken ){
+
+		throw new Error( 'No token' );
+
+	}
+	const token = rawToken.startsWith( 'Bearer ' ) ? rawToken.slice( 7 ) : rawToken;
+
+	const validation = await validateToken({
+		domain : normalizeDomain( domain ),
+		token
+	});
+
+	if( ! validation?.valid ){
+
+		throw new Error( validation?.message || 'Invalid token' );
+
+	}
+	const decoded = jwtDecoder( token );
+
+	if( ! decoded?.sub ){
+
+		throw new Error( 'Invalid token payload' );
+
+	}
+	return decoded;
+
+};
+
+export { verifyToken };

package/dist/kinde.js

@@ -0,0 +1,32 @@
+// kinde.js
+import { jwtDecoder } from "@kinde/jwt-decoder";
+import { validateToken } from "@kinde/jwt-validator";
+var normalizeDomain = (raw) => {
+  const trimmed = (raw || "").trim().replace(/\/+$/, "");
+  if (!trimmed) return trimmed;
+  return /^https?:\/\//.test(trimmed) ? trimmed : "https://" + trimmed;
+};
+var verifyToken = async (rawToken, { domain } = {}) => {
+  if (!rawToken) {
+    throw new Error("No token");
+  }
+  ;
+  const token = rawToken.startsWith("Bearer ") ? rawToken.slice(7) : rawToken;
+  const validation = await validateToken({
+    domain: normalizeDomain(domain),
+    token
+  });
+  if (!(validation == null ? void 0 : validation.valid)) {
+    throw new Error((validation == null ? void 0 : validation.message) || "Invalid token");
+  }
+  ;
+  const decoded = jwtDecoder(token);
+  if (!(decoded == null ? void 0 : decoded.sub)) {
+    throw new Error("Invalid token payload");
+  }
+  ;
+  return decoded;
+};
+export {
+  verifyToken
+};

package/dist/upload.cjs

@@ -0,0 +1,65 @@
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+
+// upload.js
+var upload_exports = {};
+__export(upload_exports, {
+  allowedMimes: () => allowedMimes,
+  allowedUploadTypes: () => allowedUploadTypes,
+  isAllowedMime: () => isAllowedMime,
+  resolveUploadType: () => resolveUploadType
+});
+module.exports = __toCommonJS(upload_exports);
+var allowedUploadTypes = {
+  application: {
+    pdf: "application/pdf"
+  },
+  image: {
+    jpeg: "image/jpeg",
+    jpg: "image/jpeg",
+    png: "image/png",
+    webp: "image/webp"
+  },
+  video: {
+    mp4: "video/mp4"
+  }
+};
+var allowedMimes = new Set(
+  Object.values(allowedUploadTypes).flatMap(
+    (extensions) => Object.values(extensions)
+  )
+);
+var resolveUploadType = (type, extension) => {
+  var _a;
+  const mime = (_a = allowedUploadTypes == null ? void 0 : allowedUploadTypes[type]) == null ? void 0 : _a[extension];
+  if (!mime) {
+    const error = new Error("Unsupported upload type or extension");
+    error.status = 400;
+    throw error;
+  }
+  ;
+  return mime;
+};
+var isAllowedMime = (mime) => allowedMimes.has(mime);
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  allowedMimes,
+  allowedUploadTypes,
+  isAllowedMime,
+  resolveUploadType
+});

package/dist/upload.d.cts

@@ -0,0 +1,58 @@
+// Source-of-truth allowlist for file upload types accepted across drawbridge.
+//
+// Two consumer shapes:
+//
+//   1. The API needs `(type, extension) → mime` when serving an upload route
+//      where the URL carries those params. Use `resolveUploadType( type, extension )`.
+//      Throws { status: 400 } on anything not in the allowlist.
+//
+//   2. The sync worker downstream needs to validate that a `mimetype` flowing
+//      from the DB / job payload is one of the canonical values before passing
+//      it to S3 as a ContentType header. Use `isAllowedMime( mime )`.
+//
+// Adding a new accepted upload format means updating `allowedUploadTypes` here
+// AND publishing a new utils version. Both api and sync inherit the change.
+//
+// Why both helpers and not just one: api routes know (type, extension) but not
+// the canonical mime; sync workers have the mime but not the original type tuple.
+
+const allowedUploadTypes = {
+	application : {
+		pdf : 'application/pdf'
+	},
+	image : {
+		jpeg : 'image/jpeg',
+		jpg : 'image/jpeg',
+		png : 'image/png',
+		webp : 'image/webp'
+	},
+	video : {
+		mp4 : 'video/mp4'
+	}
+};
+
+const allowedMimes = new Set(
+	Object.values( allowedUploadTypes ).flatMap(
+		( extensions ) => Object.values( extensions )
+	)
+);
+
+const resolveUploadType = ( type, extension ) => {
+
+	const mime = allowedUploadTypes?.[ type ]?.[ extension ];
+
+	if( ! mime ){
+
+		const error = new Error( 'Unsupported upload type or extension' );
+		error.status = 400;
+
+		throw error;
+
+	}
+	return mime;
+
+};
+
+const isAllowedMime = ( mime ) => allowedMimes.has( mime );
+
+export { allowedMimes, allowedUploadTypes, isAllowedMime, resolveUploadType };

package/dist/upload.d.ts

@@ -0,0 +1,58 @@
+// Source-of-truth allowlist for file upload types accepted across drawbridge.
+//
+// Two consumer shapes:
+//
+//   1. The API needs `(type, extension) → mime` when serving an upload route
+//      where the URL carries those params. Use `resolveUploadType( type, extension )`.
+//      Throws { status: 400 } on anything not in the allowlist.
+//
+//   2. The sync worker downstream needs to validate that a `mimetype` flowing
+//      from the DB / job payload is one of the canonical values before passing
+//      it to S3 as a ContentType header. Use `isAllowedMime( mime )`.
+//
+// Adding a new accepted upload format means updating `allowedUploadTypes` here
+// AND publishing a new utils version. Both api and sync inherit the change.
+//
+// Why both helpers and not just one: api routes know (type, extension) but not
+// the canonical mime; sync workers have the mime but not the original type tuple.
+
+const allowedUploadTypes = {
+	application : {
+		pdf : 'application/pdf'
+	},
+	image : {
+		jpeg : 'image/jpeg',
+		jpg : 'image/jpeg',
+		png : 'image/png',
+		webp : 'image/webp'
+	},
+	video : {
+		mp4 : 'video/mp4'
+	}
+};
+
+const allowedMimes = new Set(
+	Object.values( allowedUploadTypes ).flatMap(
+		( extensions ) => Object.values( extensions )
+	)
+);
+
+const resolveUploadType = ( type, extension ) => {
+
+	const mime = allowedUploadTypes?.[ type ]?.[ extension ];
+
+	if( ! mime ){
+
+		const error = new Error( 'Unsupported upload type or extension' );
+		error.status = 400;
+
+		throw error;
+
+	}
+	return mime;
+
+};
+
+const isAllowedMime = ( mime ) => allowedMimes.has( mime );
+
+export { allowedMimes, allowedUploadTypes, isAllowedMime, resolveUploadType };

package/dist/upload.js

@@ -0,0 +1,38 @@
+// upload.js
+var allowedUploadTypes = {
+  application: {
+    pdf: "application/pdf"
+  },
+  image: {
+    jpeg: "image/jpeg",
+    jpg: "image/jpeg",
+    png: "image/png",
+    webp: "image/webp"
+  },
+  video: {
+    mp4: "video/mp4"
+  }
+};
+var allowedMimes = new Set(
+  Object.values(allowedUploadTypes).flatMap(
+    (extensions) => Object.values(extensions)
+  )
+);
+var resolveUploadType = (type, extension) => {
+  var _a;
+  const mime = (_a = allowedUploadTypes == null ? void 0 : allowedUploadTypes[type]) == null ? void 0 : _a[extension];
+  if (!mime) {
+    const error = new Error("Unsupported upload type or extension");
+    error.status = 400;
+    throw error;
+  }
+  ;
+  return mime;
+};
+var isAllowedMime = (mime) => allowedMimes.has(mime);
+export {
+  allowedMimes,
+  allowedUploadTypes,
+  isAllowedMime,
+  resolveUploadType
+};

package/package.json

@@ -1,6 +1,9 @@
 {
   "type": "module",
   "dependencies": {
+    "@kinde/jwt-decoder": "0.2.1",
+    "@kinde/jwt-validator": "0.4.1",
+    "axios": "1.16.0",
     "currency-codes": "2.2.0",
     "nanoid": "3.3.8",
     "tsup": "8.5.1",
@@ -16,6 +19,26 @@
       "types": "./dist/encrypt.d.ts",
       "import": "./dist/encrypt.js",
       "require": "./dist/encrypt.cjs"
+    },
+    "./kinde": {
+      "types": "./dist/kinde.d.ts",
+      "import": "./dist/kinde.js",
+      "require": "./dist/kinde.cjs"
+    },
+    "./axios": {
+      "types": "./dist/axios.d.ts",
+      "import": "./dist/axios.js",
+      "require": "./dist/axios.cjs"
+    },
+    "./circuit": {
+      "types": "./dist/circuit.d.ts",
+      "import": "./dist/circuit.js",
+      "require": "./dist/circuit.cjs"
+    },
+    "./upload": {
+      "types": "./dist/upload.d.ts",
+      "import": "./dist/upload.js",
+      "require": "./dist/upload.cjs"
     }
   },
   "files": [
@@ -32,5 +55,5 @@
     "build": "tsup && npm publish"
   },
   "types": "dist/index.d.ts",
-  "version": "0.0.5"
+  "version": "0.0.7"
 }