@fuzdev/fuz_app 0.63.0 → 0.65.0

package/dist/http/error_schemas.d.ts

@@ -43,8 +43,6 @@ export declare const ERROR_INVALID_CREDENTIALS: "invalid_credentials";
 export declare const ERROR_PAYLOAD_TOO_LARGE: "payload_too_large";
 /** Request origin not in allowlist. */
 export declare const ERROR_FORBIDDEN_ORIGIN: "forbidden_origin";
-/** Request referer not in allowlist. */
-export declare const ERROR_FORBIDDEN_REFERER: "forbidden_referer";
 /** Bearer token sent with Origin/Referer header (browser context). */
 export declare const ERROR_BEARER_REJECTED_BROWSER: "bearer_token_rejected_in_browser_context";
 /** Bearer token failed validation (missing, malformed, or revoked). */
@@ -94,8 +92,6 @@ export declare const ERROR_KEEPER_ACCOUNT_NOT_FOUND: "keeper_account_not_found";
 export declare const ERROR_ALREADY_BOOTSTRAPPED: "already_bootstrapped";
 /** Bootstrap token file not found on disk. */
 export declare const ERROR_TOKEN_FILE_MISSING: "token_file_missing";
-/** Bootstrap endpoint called but no token path configured. */
-export declare const ERROR_BOOTSTRAP_NOT_CONFIGURED: "bootstrap_not_configured";
 /** No unclaimed invite matches the signup credentials. */
 export declare const ERROR_NO_MATCHING_INVITE: "no_matching_invite";
 /** Signup conflict — username or email already taken (intentionally vague for enumeration prevention). */

package/dist/http/error_schemas.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"error_schemas.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/http/error_schemas.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAEH,OAAO,EAAC,CAAC,EAAC,MAAM,KAAK,CAAC;AAEtB,OAAO,EAAc,KAAK,SAAS,EAAC,MAAM,iBAAiB,CAAC;AAI5D,0CAA0C;AAC1C,eAAO,MAAM,0BAA0B,EAAG,sBAA+B,CAAC;AAE1E,uDAAuD;AACvD,eAAO,MAAM,uBAAuB,EAAG,mBAA4B,CAAC;AAEpE,6CAA6C;AAC7C,eAAO,MAAM,0BAA0B,EAAG,sBAA+B,CAAC;AAE1E,8CAA8C;AAC9C,eAAO,MAAM,0BAA0B,EAAG,sBAA+B,CAAC;AAI1E,wCAAwC;AACxC,eAAO,MAAM,6BAA6B,EAAG,yBAAkC,CAAC;AAEhF,+CAA+C;AAC/C,eAAO,MAAM,8BAA8B,EAAG,0BAAmC,CAAC;AAElF;;;;;;;;GAQG;AACH,eAAO,MAAM,8BAA8B,EAAG,0BAAmC,CAAC;AAElF,yCAAyC;AACzC,eAAO,MAAM,yBAAyB,EAAG,qBAA8B,CAAC;AAExE,sFAAsF;AACtF,eAAO,MAAM,yBAAyB,EAAG,qBAA8B,CAAC;AAExE,qDAAqD;AACrD,eAAO,MAAM,uBAAuB,EAAG,mBAA4B,CAAC;AAIpE,uCAAuC;AACvC,eAAO,MAAM,sBAAsB,EAAG,kBAA2B,CAAC;AAElE,wCAAwC;AACxC,eAAO,MAAM,uBAAuB,EAAG,mBAA4B,CAAC;AAEpE,sEAAsE;AACtE,eAAO,MAAM,6BAA6B,EAAG,0CAAmD,CAAC;AAEjG,uEAAuE;AACvE,eAAO,MAAM,mBAAmB,EAAG,eAAwB,CAAC;AAE5D,0CAA0C;AAC1C,eAAO,MAAM,uBAAuB,EAAG,mBAA4B,CAAC;AAEpE;;;;;GAKG;AACH,eAAO,MAAM,oBAAoB,EAAG,gBAAyB,CAAC;AAE9D;;;GAGG;AACH,eAAO,MAAM,0BAA0B,EAAG,sBAA+B,CAAC;AAE1E;;;;;;;GAOG;AACH,eAAO,MAAM,0BAA0B,EAAG,sBAA+B,CAAC;AAE1E;;;;;;;;;;GAUG;AACH,eAAO,MAAM,sBAAsB,EAAG,kBAA2B,CAAC;AAIlE,wFAAwF;AACxF,eAAO,MAAM,0BAA0B,EAAG,sBAA+B,CAAC;AAE1E,8EAA8E;AAC9E,eAAO,MAAM,mCAAmC,EAAG,+BAAwC,CAAC;AAE5F,uDAAuD;AACvD,eAAO,MAAM,8BAA8B,EAAG,0BAAmC,CAAC;AAIlF,qEAAqE;AACrE,eAAO,MAAM,0BAA0B,EAAG,sBAA+B,CAAC;AAE1E,8CAA8C;AAC9C,eAAO,MAAM,wBAAwB,EAAG,oBAA6B,CAAC;AAEtE,8DAA8D;AAC9D,eAAO,MAAM,8BAA8B,EAAG,0BAAmC,CAAC;AAIlF,0DAA0D;AAC1D,eAAO,MAAM,wBAAwB,EAAG,oBAA6B,CAAC;AAEtE,0GAA0G;AAC1G,eAAO,MAAM,qBAAqB,EAAG,iBAA0B,CAAC;AAEhE,gDAAgD;AAChD,eAAO,MAAM,sBAAsB,EAAG,kBAA2B,CAAC;AAElE,qEAAqE;AACrE,eAAO,MAAM,sBAAsB,EAAG,kBAA2B,CAAC;AAElE,6DAA6D;AAC7D,eAAO,MAAM,oCAAoC,EAAG,gCAAyC,CAAC;AAE9F,0DAA0D;AAC1D,eAAO,MAAM,iCAAiC,EAAG,6BAAsC,CAAC;AAIxF,6DAA6D;AAC7D,eAAO,MAAM,4BAA4B,EAAG,wBAAiC,CAAC;AAE9E,gEAAgE;AAChE,eAAO,MAAM,0BAA0B,EAAG,sBAA+B,CAAC;AAE1E,oEAAoE;AACpE,eAAO,MAAM,wBAAwB,EAAG,oBAA6B,CAAC;AAItE,kDAAkD;AAClD,eAAO,MAAM,2BAA2B,EAAG,uBAAgC,CAAC;AAE5E,oDAAoD;AACpD,eAAO,MAAM,qBAAqB,EAAG,iBAA0B,CAAC;AAEhE,iEAAiE;AACjE,eAAO,MAAM,0BAA0B,EAAG,sBAA+B,CAAC;AAE1E,6CAA6C;AAC7C,eAAO,MAAM,mBAAmB,EAAG,eAAwB,CAAC;AAE5D,wEAAwE;AACxE,eAAO,MAAM,gCAAgC,EAAG,4BAAqC,CAAC;AAKtF,iFAAiF;AACjF,eAAO,MAAM,QAAQ;;iBAAqC,CAAC;AAC3D,MAAM,MAAM,QAAQ,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,QAAQ,CAAC,CAAC;AAEhD;;;;;;;;;;GAUG;AACH,eAAO,MAAM,eAAe;;;;;;;;;;;;iBAgB1B,CAAC;AACH,MAAM,MAAM,eAAe,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,eAAe,CAAC,CAAC;AAE9D;;;;;;;;;GASG;AACH,eAAO,MAAM,eAAe;;;iBAG1B,CAAC;AACH,MAAM,MAAM,eAAe,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,eAAe,CAAC,CAAC;AAE9D;;;;;;;;;;GAUG;AACH,eAAO,MAAM,2BAA2B;;;iBAGtC,CAAC;AACH,MAAM,MAAM,2BAA2B,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,2BAA2B,CAAC,CAAC;AAEtF,2EAA2E;AAC3E,eAAO,MAAM,cAAc;;;iBAGzB,CAAC;AACH,MAAM,MAAM,cAAc,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,cAAc,CAAC,CAAC;AAE5D,uFAAuF;AACvF,eAAO,MAAM,oBAAoB;;iBAE/B,CAAC;AACH,MAAM,MAAM,oBAAoB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,oBAAoB,CAAC,CAAC;AAExE,qFAAqF;AACrF,eAAO,MAAM,eAAe;;iBAE1B,CAAC;AACH,MAAM,MAAM,eAAe,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,eAAe,CAAC,CAAC;AAE9D;;;;;;;;;;;;;;;;;GAiBG;AACH,eAAO,MAAM,kBAAkB;;;;;;iBAG7B,CAAC;AACH,MAAM,MAAM,kBAAkB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,kBAAkB,CAAC,CAAC;AAEpE,eAAO,MAAM,sBAAsB;;iBAEjC,CAAC;AACH,MAAM,MAAM,sBAAsB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,sBAAsB,CAAC,CAAC;AAE5E,eAAO,MAAM,sBAAsB;;iBAEjC,CAAC;AACH,MAAM,MAAM,sBAAsB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,sBAAsB,CAAC,CAAC;AAE5E,eAAO,MAAM,oBAAoB;;iBAE/B,CAAC;AACH,MAAM,MAAM,oBAAoB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,oBAAoB,CAAC,CAAC;AAExE;;;;GAIG;AACH,MAAM,MAAM,iBAAiB,GAAG,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC;AAEnE;;;;;;;;;GASG;AACH,eAAO,MAAM,YAAY;;;;EAAoC,CAAC;AAC9D,MAAM,MAAM,YAAY,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,YAAY,CAAC,CAAC;AAExD;;;;;;;;;;;;;;;;;;;;;GAqBG;AACH,MAAM,WAAW,yBAAyB;IACzC,IAAI,EAAE,SAAS,CAAC;IAChB,SAAS,CAAC,EAAE,OAAO,CAAC;IACpB,UAAU,CAAC,EAAE,OAAO,CAAC;IACrB,SAAS,CAAC,EAAE,OAAO,CAAC;IACpB,UAAU,CAAC,EAAE,YAAY,CAAC;CAC1B;AAED,eAAO,MAAM,oBAAoB,GAAI,yDAMlC,yBAAyB,KAAG,iBAwC9B,CAAC"}
+{"version":3,"file":"error_schemas.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/http/error_schemas.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAEH,OAAO,EAAC,CAAC,EAAC,MAAM,KAAK,CAAC;AAEtB,OAAO,EAAc,KAAK,SAAS,EAAC,MAAM,iBAAiB,CAAC;AAI5D,0CAA0C;AAC1C,eAAO,MAAM,0BAA0B,EAAG,sBAA+B,CAAC;AAE1E,uDAAuD;AACvD,eAAO,MAAM,uBAAuB,EAAG,mBAA4B,CAAC;AAEpE,6CAA6C;AAC7C,eAAO,MAAM,0BAA0B,EAAG,sBAA+B,CAAC;AAE1E,8CAA8C;AAC9C,eAAO,MAAM,0BAA0B,EAAG,sBAA+B,CAAC;AAI1E,wCAAwC;AACxC,eAAO,MAAM,6BAA6B,EAAG,yBAAkC,CAAC;AAEhF,+CAA+C;AAC/C,eAAO,MAAM,8BAA8B,EAAG,0BAAmC,CAAC;AAElF;;;;;;;;GAQG;AACH,eAAO,MAAM,8BAA8B,EAAG,0BAAmC,CAAC;AAElF,yCAAyC;AACzC,eAAO,MAAM,yBAAyB,EAAG,qBAA8B,CAAC;AAExE,sFAAsF;AACtF,eAAO,MAAM,yBAAyB,EAAG,qBAA8B,CAAC;AAExE,qDAAqD;AACrD,eAAO,MAAM,uBAAuB,EAAG,mBAA4B,CAAC;AAIpE,uCAAuC;AACvC,eAAO,MAAM,sBAAsB,EAAG,kBAA2B,CAAC;AAElE,sEAAsE;AACtE,eAAO,MAAM,6BAA6B,EAAG,0CAAmD,CAAC;AAEjG,uEAAuE;AACvE,eAAO,MAAM,mBAAmB,EAAG,eAAwB,CAAC;AAE5D,0CAA0C;AAC1C,eAAO,MAAM,uBAAuB,EAAG,mBAA4B,CAAC;AAEpE;;;;;GAKG;AACH,eAAO,MAAM,oBAAoB,EAAG,gBAAyB,CAAC;AAE9D;;;GAGG;AACH,eAAO,MAAM,0BAA0B,EAAG,sBAA+B,CAAC;AAE1E;;;;;;;GAOG;AACH,eAAO,MAAM,0BAA0B,EAAG,sBAA+B,CAAC;AAE1E;;;;;;;;;;GAUG;AACH,eAAO,MAAM,sBAAsB,EAAG,kBAA2B,CAAC;AAIlE,wFAAwF;AACxF,eAAO,MAAM,0BAA0B,EAAG,sBAA+B,CAAC;AAE1E,8EAA8E;AAC9E,eAAO,MAAM,mCAAmC,EAAG,+BAAwC,CAAC;AAE5F,uDAAuD;AACvD,eAAO,MAAM,8BAA8B,EAAG,0BAAmC,CAAC;AAIlF,qEAAqE;AACrE,eAAO,MAAM,0BAA0B,EAAG,sBAA+B,CAAC;AAE1E,8CAA8C;AAC9C,eAAO,MAAM,wBAAwB,EAAG,oBAA6B,CAAC;AAItE,0DAA0D;AAC1D,eAAO,MAAM,wBAAwB,EAAG,oBAA6B,CAAC;AAEtE,0GAA0G;AAC1G,eAAO,MAAM,qBAAqB,EAAG,iBAA0B,CAAC;AAEhE,gDAAgD;AAChD,eAAO,MAAM,sBAAsB,EAAG,kBAA2B,CAAC;AAElE,qEAAqE;AACrE,eAAO,MAAM,sBAAsB,EAAG,kBAA2B,CAAC;AAElE,6DAA6D;AAC7D,eAAO,MAAM,oCAAoC,EAAG,gCAAyC,CAAC;AAE9F,0DAA0D;AAC1D,eAAO,MAAM,iCAAiC,EAAG,6BAAsC,CAAC;AAIxF,6DAA6D;AAC7D,eAAO,MAAM,4BAA4B,EAAG,wBAAiC,CAAC;AAE9E,gEAAgE;AAChE,eAAO,MAAM,0BAA0B,EAAG,sBAA+B,CAAC;AAE1E,oEAAoE;AACpE,eAAO,MAAM,wBAAwB,EAAG,oBAA6B,CAAC;AAItE,kDAAkD;AAClD,eAAO,MAAM,2BAA2B,EAAG,uBAAgC,CAAC;AAE5E,oDAAoD;AACpD,eAAO,MAAM,qBAAqB,EAAG,iBAA0B,CAAC;AAEhE,iEAAiE;AACjE,eAAO,MAAM,0BAA0B,EAAG,sBAA+B,CAAC;AAE1E,6CAA6C;AAC7C,eAAO,MAAM,mBAAmB,EAAG,eAAwB,CAAC;AAE5D,wEAAwE;AACxE,eAAO,MAAM,gCAAgC,EAAG,4BAAqC,CAAC;AAKtF,iFAAiF;AACjF,eAAO,MAAM,QAAQ;;iBAAqC,CAAC;AAC3D,MAAM,MAAM,QAAQ,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,QAAQ,CAAC,CAAC;AAEhD;;;;;;;;;;GAUG;AACH,eAAO,MAAM,eAAe;;;;;;;;;;;;iBAgB1B,CAAC;AACH,MAAM,MAAM,eAAe,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,eAAe,CAAC,CAAC;AAE9D;;;;;;;;;GASG;AACH,eAAO,MAAM,eAAe;;;iBAG1B,CAAC;AACH,MAAM,MAAM,eAAe,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,eAAe,CAAC,CAAC;AAE9D;;;;;;;;;;GAUG;AACH,eAAO,MAAM,2BAA2B;;;iBAGtC,CAAC;AACH,MAAM,MAAM,2BAA2B,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,2BAA2B,CAAC,CAAC;AAEtF,2EAA2E;AAC3E,eAAO,MAAM,cAAc;;;iBAGzB,CAAC;AACH,MAAM,MAAM,cAAc,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,cAAc,CAAC,CAAC;AAE5D,uFAAuF;AACvF,eAAO,MAAM,oBAAoB;;iBAE/B,CAAC;AACH,MAAM,MAAM,oBAAoB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,oBAAoB,CAAC,CAAC;AAExE,qFAAqF;AACrF,eAAO,MAAM,eAAe;;iBAE1B,CAAC;AACH,MAAM,MAAM,eAAe,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,eAAe,CAAC,CAAC;AAE9D;;;;;;;;;;;;;;;;;GAiBG;AACH,eAAO,MAAM,kBAAkB;;;;;;iBAG7B,CAAC;AACH,MAAM,MAAM,kBAAkB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,kBAAkB,CAAC,CAAC;AAEpE,eAAO,MAAM,sBAAsB;;iBAEjC,CAAC;AACH,MAAM,MAAM,sBAAsB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,sBAAsB,CAAC,CAAC;AAE5E,eAAO,MAAM,sBAAsB;;iBAEjC,CAAC;AACH,MAAM,MAAM,sBAAsB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,sBAAsB,CAAC,CAAC;AAE5E,eAAO,MAAM,oBAAoB;;iBAE/B,CAAC;AACH,MAAM,MAAM,oBAAoB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,oBAAoB,CAAC,CAAC;AAExE;;;;GAIG;AACH,MAAM,MAAM,iBAAiB,GAAG,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC;AAEnE;;;;;;;;;GASG;AACH,eAAO,MAAM,YAAY;;;;EAAoC,CAAC;AAC9D,MAAM,MAAM,YAAY,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,YAAY,CAAC,CAAC;AAExD;;;;;;;;;;;;;;;;;;;;;GAqBG;AACH,MAAM,WAAW,yBAAyB;IACzC,IAAI,EAAE,SAAS,CAAC;IAChB,SAAS,CAAC,EAAE,OAAO,CAAC;IACpB,UAAU,CAAC,EAAE,OAAO,CAAC;IACrB,SAAS,CAAC,EAAE,OAAO,CAAC;IACpB,UAAU,CAAC,EAAE,YAAY,CAAC;CAC1B;AAED,eAAO,MAAM,oBAAoB,GAAI,yDAMlC,yBAAyB,KAAG,iBAwC9B,CAAC"}

package/dist/http/error_schemas.js

@@ -46,8 +46,6 @@ export const ERROR_PAYLOAD_TOO_LARGE = 'payload_too_large';
 // --- Origin & bearer token verification ---
 /** Request origin not in allowlist. */
 export const ERROR_FORBIDDEN_ORIGIN = 'forbidden_origin';
-/** Request referer not in allowlist. */
-export const ERROR_FORBIDDEN_REFERER = 'forbidden_referer';
 /** Bearer token sent with Origin/Referer header (browser context). */
 export const ERROR_BEARER_REJECTED_BROWSER = 'bearer_token_rejected_in_browser_context';
 /** Bearer token failed validation (missing, malformed, or revoked). */
@@ -99,8 +97,6 @@ export const ERROR_KEEPER_ACCOUNT_NOT_FOUND = 'keeper_account_not_found';
 export const ERROR_ALREADY_BOOTSTRAPPED = 'already_bootstrapped';
 /** Bootstrap token file not found on disk. */
 export const ERROR_TOKEN_FILE_MISSING = 'token_file_missing';
-/** Bootstrap endpoint called but no token path configured. */
-export const ERROR_BOOTSTRAP_NOT_CONFIGURED = 'bootstrap_not_configured';
 // --- Signup / Invites ---
 /** No unclaimed invite matches the signup credentials. */
 export const ERROR_NO_MATCHING_INVITE = 'no_matching_invite';

package/dist/http/ip_canonical.d.ts

@@ -0,0 +1,100 @@
+/**
+ * IP address canonicalization — collapse equivalent string forms into a
+ * single key per RFC 5952 (IPv6) plus the dotted form for IPv4-mapped
+ * IPv6 addresses.
+ *
+ * **Why this exists.** Without canonicalization, the four representations
+ * `::1`, `::01`, `::0001`, and `0:0:0:0:0:0:0:1` are the same IPv6 address
+ * but produce four distinct strings — so an attacker rotating
+ * equivalent forms behind a trusted-passthrough proxy could defeat
+ * per-IP rate limiting (each form gets a fresh bucket) and pollute
+ * `audit_log.ip` forensics. The collision can extend to IPv4-mapped
+ * IPv6 forms (`::ffff:127.0.0.1` vs `0:0:0:0:0:ffff:7f00:1` vs the
+ * bare `127.0.0.1`) — three keys for one address.
+ *
+ * Canonicalization runs through {@link canonicalize_ip} which:
+ *
+ * 1. Lowercases and char-set filters (`IP_LITERAL_CHARS`) — non-IP
+ *    strings (`'unknown'`, `'attacker:controlled'`, `'::1\n'`) pass
+ *    through unchanged so downstream strict validators can still
+ *    reject them.
+ * 2. Parses via Hono's `convertIPv*ToBinary` family.
+ * 3. Re-emits the canonical RFC 5952 string (lowercase hex,
+ *    longest-zero-run compressed, IPv4-mapped emitted in the dotted
+ *    form mandated by RFC 5952 §5).
+ * 4. Strips the `::ffff:` prefix from dotted IPv4-mapped forms so the
+ *    bucket collapses to plain IPv4 — the strip moves AFTER
+ *    canonicalization because the dotted form is the only form the
+ *    strip can recognize symmetrically.
+ *
+ * Mirrors `zzz_server::proxy::normalize_ip` (landed 2026-05-16) which
+ * uses the same parse-then-canonicalize-then-strip ordering for the
+ * same rate-limit-key-poisoning surface.
+ *
+ * @module
+ */
+/**
+ * Allowed character set for a bare IP literal.
+ *
+ * Covers the union of IPv4 (digits + `.`), IPv6 (hex digits + `:`), and
+ * IPv4-mapped IPv6 forms (`::ffff:127.0.0.1`). Anything outside this
+ * set — brackets, whitespace, control bytes, letters g–z — disqualifies
+ * the input from parsing.
+ *
+ * Same regex `proxy.ts`'s `validate_ip_strict` uses; exported here so
+ * both modules can share one source of truth.
+ */
+export declare const IP_LITERAL_CHARS: RegExp;
+/**
+ * Canonicalize an IP address string.
+ *
+ * Returns the RFC 5952 canonical form for parseable IPv4 or IPv6
+ * input. Returns the input unchanged (only lowercased) when the input
+ * is non-IP (`'unknown'`), malformed (`'attacker:controlled'`,
+ * `'::1\n'`), or any string the strict char-set filter rejects.
+ *
+ * **Idempotent.** `canonicalize_ip(canonicalize_ip(x)) === canonicalize_ip(x)`
+ * for every input.
+ *
+ * **Order-safe for IPv4-mapped IPv6.** The `::ffff:` prefix strip
+ * runs AFTER the canonical emit because the canonical form of an
+ * IPv4-mapped IPv6 address is the dotted form (`::ffff:127.0.0.1`,
+ * not `::ffff:7f00:1`). Stripping before canonicalize would miss the
+ * full-hex form. Closes the
+ * `normalize_ipv4_mapped_collapse_is_order_safe` test from the Rust
+ * port.
+ *
+ * @example
+ * canonicalize_ip('::0001')                    // → '::1'
+ * canonicalize_ip('0:0:0:0:0:0:0:1')           // → '::1'
+ * canonicalize_ip('2001:0DB8::0001')           // → '2001:db8::1'
+ * canonicalize_ip('::ffff:127.0.0.1')          // → '127.0.0.1'
+ * canonicalize_ip('0:0:0:0:0:ffff:7f00:1')     // → '127.0.0.1'
+ * canonicalize_ip('::ffff:1')                  // → '::ffff:1' (NOT IPv4-mapped — group[5] is 0, not ffff)
+ * canonicalize_ip('127.0.0.1')                 // → '127.0.0.1'
+ * canonicalize_ip('not-an-ip')                 // → 'not-an-ip' (passes through)
+ * canonicalize_ip('::1\n')                     // → '::1\n' (fails char-set; passes through)
+ * canonicalize_ip('203.0.113.1:8080')          // → '203.0.113.1:8080' (passes through; validate_ip_strict rejects)
+ */
+export declare const canonicalize_ip: (ip: string) => string;
+/**
+ * Convert a 128-bit IPv6 binary value into its RFC 5952 canonical string form.
+ *
+ * - IPv4-mapped (groups[0..5] = 0, groups[5] = 0xffff) emits the
+ *   `::ffff:a.b.c.d` dotted form per RFC 5952 §5.
+ * - Otherwise: lowercase hex with no leading zeros per group (§4.1),
+ *   the longest run of consecutive zero groups (≥ 2 groups) is
+ *   replaced with `::` (§4.2.1, §4.2.3), and on equal-length runs the
+ *   first one wins (§4.2.3). Single-zero groups stay as `0` (§4.2.2).
+ *
+ * Pure helper exported for the test suite to exercise the
+ * canonicalization invariants directly without a full
+ * `convertIPv6ToBinary` round-trip.
+ *
+ * @param bits - the 128-bit IPv6 value as `bigint`. Must satisfy `0n <= bits < 2n ** 128n`;
+ *   throws `RangeError` otherwise. Silent truncation would mask caller bugs since the
+ *   bit-extraction loop only consumes the low 128 bits.
+ * @throws {RangeError} when `bits` is negative or exceeds 128 bits
+ */
+export declare const ipv6_bigint_to_canonical: (bits: bigint) => string;
+//# sourceMappingURL=ip_canonical.d.ts.map

package/dist/http/ip_canonical.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"ip_canonical.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/http/ip_canonical.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAkCG;AAIH;;;;;;;;;;GAUG;AACH,eAAO,MAAM,gBAAgB,QAAqB,CAAC;AAEnD;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA8BG;AACH,eAAO,MAAM,eAAe,GAAI,IAAI,MAAM,KAAG,MAmC5C,CAAC;AAEF;;;;;;;;;;;;;;;;;;GAkBG;AACH,eAAO,MAAM,wBAAwB,GAAI,MAAM,MAAM,KAAG,MAgEvD,CAAC"}

package/dist/http/ip_canonical.js

@@ -0,0 +1,195 @@
+/**
+ * IP address canonicalization — collapse equivalent string forms into a
+ * single key per RFC 5952 (IPv6) plus the dotted form for IPv4-mapped
+ * IPv6 addresses.
+ *
+ * **Why this exists.** Without canonicalization, the four representations
+ * `::1`, `::01`, `::0001`, and `0:0:0:0:0:0:0:1` are the same IPv6 address
+ * but produce four distinct strings — so an attacker rotating
+ * equivalent forms behind a trusted-passthrough proxy could defeat
+ * per-IP rate limiting (each form gets a fresh bucket) and pollute
+ * `audit_log.ip` forensics. The collision can extend to IPv4-mapped
+ * IPv6 forms (`::ffff:127.0.0.1` vs `0:0:0:0:0:ffff:7f00:1` vs the
+ * bare `127.0.0.1`) — three keys for one address.
+ *
+ * Canonicalization runs through {@link canonicalize_ip} which:
+ *
+ * 1. Lowercases and char-set filters (`IP_LITERAL_CHARS`) — non-IP
+ *    strings (`'unknown'`, `'attacker:controlled'`, `'::1\n'`) pass
+ *    through unchanged so downstream strict validators can still
+ *    reject them.
+ * 2. Parses via Hono's `convertIPv*ToBinary` family.
+ * 3. Re-emits the canonical RFC 5952 string (lowercase hex,
+ *    longest-zero-run compressed, IPv4-mapped emitted in the dotted
+ *    form mandated by RFC 5952 §5).
+ * 4. Strips the `::ffff:` prefix from dotted IPv4-mapped forms so the
+ *    bucket collapses to plain IPv4 — the strip moves AFTER
+ *    canonicalization because the dotted form is the only form the
+ *    strip can recognize symmetrically.
+ *
+ * Mirrors `zzz_server::proxy::normalize_ip` (landed 2026-05-16) which
+ * uses the same parse-then-canonicalize-then-strip ordering for the
+ * same rate-limit-key-poisoning surface.
+ *
+ * @module
+ */
+import { convertIPv6ToBinary, distinctRemoteAddr } from 'hono/utils/ipaddr';
+/**
+ * Allowed character set for a bare IP literal.
+ *
+ * Covers the union of IPv4 (digits + `.`), IPv6 (hex digits + `:`), and
+ * IPv4-mapped IPv6 forms (`::ffff:127.0.0.1`). Anything outside this
+ * set — brackets, whitespace, control bytes, letters g–z — disqualifies
+ * the input from parsing.
+ *
+ * Same regex `proxy.ts`'s `validate_ip_strict` uses; exported here so
+ * both modules can share one source of truth.
+ */
+export const IP_LITERAL_CHARS = /^[0-9a-fA-F.:]+$/;
+/**
+ * Canonicalize an IP address string.
+ *
+ * Returns the RFC 5952 canonical form for parseable IPv4 or IPv6
+ * input. Returns the input unchanged (only lowercased) when the input
+ * is non-IP (`'unknown'`), malformed (`'attacker:controlled'`,
+ * `'::1\n'`), or any string the strict char-set filter rejects.
+ *
+ * **Idempotent.** `canonicalize_ip(canonicalize_ip(x)) === canonicalize_ip(x)`
+ * for every input.
+ *
+ * **Order-safe for IPv4-mapped IPv6.** The `::ffff:` prefix strip
+ * runs AFTER the canonical emit because the canonical form of an
+ * IPv4-mapped IPv6 address is the dotted form (`::ffff:127.0.0.1`,
+ * not `::ffff:7f00:1`). Stripping before canonicalize would miss the
+ * full-hex form. Closes the
+ * `normalize_ipv4_mapped_collapse_is_order_safe` test from the Rust
+ * port.
+ *
+ * @example
+ * canonicalize_ip('::0001')                    // → '::1'
+ * canonicalize_ip('0:0:0:0:0:0:0:1')           // → '::1'
+ * canonicalize_ip('2001:0DB8::0001')           // → '2001:db8::1'
+ * canonicalize_ip('::ffff:127.0.0.1')          // → '127.0.0.1'
+ * canonicalize_ip('0:0:0:0:0:ffff:7f00:1')     // → '127.0.0.1'
+ * canonicalize_ip('::ffff:1')                  // → '::ffff:1' (NOT IPv4-mapped — group[5] is 0, not ffff)
+ * canonicalize_ip('127.0.0.1')                 // → '127.0.0.1'
+ * canonicalize_ip('not-an-ip')                 // → 'not-an-ip' (passes through)
+ * canonicalize_ip('::1\n')                     // → '::1\n' (fails char-set; passes through)
+ * canonicalize_ip('203.0.113.1:8080')          // → '203.0.113.1:8080' (passes through; validate_ip_strict rejects)
+ */
+export const canonicalize_ip = (ip) => {
+    const lowered = ip.toLowerCase();
+    // Strict char-set filter — reject brackets, whitespace, control bytes,
+    // letters g-z before invoking the parser. Hono's `convertIPv6ToBinary`
+    // silently accepts `'::1\n'` and similar; canonicalizing those would
+    // erase the malformed form so downstream `validate_ip_strict` could no
+    // longer reject it. Pass-through preserves the original string.
+    if (!IP_LITERAL_CHARS.test(lowered))
+        return lowered;
+    const family = distinctRemoteAddr(lowered);
+    if (family === 'IPv4') {
+        // IPv4's dotted-decimal form is already canonical — no transform
+        // needed. Malformed forms (`999.999.999.999`) still pass through
+        // here; downstream `validate_ip_strict` rejects them via its own
+        // round-trip parse.
+        return lowered;
+    }
+    if (family === 'IPv6') {
+        try {
+            const bits = convertIPv6ToBinary(lowered);
+            const canonical = ipv6_bigint_to_canonical(bits);
+            // Strip `::ffff:` only when the canonical form is dotted
+            // IPv4-mapped (`::ffff:X.X.X.X`). Pure IPv6 values that happen
+            // to start with `::ffff:` (e.g. `::ffff:1` → `0:0:0:0:0:0:ffff:1`,
+            // where group[5] is 0 not 0xffff) emit without the dot and
+            // are preserved.
+            if (canonical.startsWith('::ffff:') && canonical.substring(7).includes('.')) {
+                return canonical.substring(7);
+            }
+            return canonical;
+        }
+        catch {
+            return lowered;
+        }
+    }
+    return lowered;
+};
+/**
+ * Convert a 128-bit IPv6 binary value into its RFC 5952 canonical string form.
+ *
+ * - IPv4-mapped (groups[0..5] = 0, groups[5] = 0xffff) emits the
+ *   `::ffff:a.b.c.d` dotted form per RFC 5952 §5.
+ * - Otherwise: lowercase hex with no leading zeros per group (§4.1),
+ *   the longest run of consecutive zero groups (≥ 2 groups) is
+ *   replaced with `::` (§4.2.1, §4.2.3), and on equal-length runs the
+ *   first one wins (§4.2.3). Single-zero groups stay as `0` (§4.2.2).
+ *
+ * Pure helper exported for the test suite to exercise the
+ * canonicalization invariants directly without a full
+ * `convertIPv6ToBinary` round-trip.
+ *
+ * @param bits - the 128-bit IPv6 value as `bigint`. Must satisfy `0n <= bits < 2n ** 128n`;
+ *   throws `RangeError` otherwise. Silent truncation would mask caller bugs since the
+ *   bit-extraction loop only consumes the low 128 bits.
+ * @throws {RangeError} when `bits` is negative or exceeds 128 bits
+ */
+export const ipv6_bigint_to_canonical = (bits) => {
+    if (bits < 0n || bits >= 1n << 128n) {
+        throw new RangeError(`ipv6_bigint_to_canonical: bits out of [0, 2^128) range: ${bits}`);
+    }
+    // Split into 8 16-bit groups, big-endian (group[0] is the high-order group).
+    const groups = new Array(8);
+    let remaining = bits;
+    for (let i = 7; i >= 0; i--) {
+        groups[i] = Number(remaining & 0xffffn);
+        remaining >>= 16n;
+    }
+    // IPv4-mapped detection: leading 80 bits zero, next 16 bits 0xffff.
+    if (groups[0] === 0 &&
+        groups[1] === 0 &&
+        groups[2] === 0 &&
+        groups[3] === 0 &&
+        groups[4] === 0 &&
+        groups[5] === 0xffff) {
+        const high = groups[6];
+        const low = groups[7];
+        const a = (high >> 8) & 0xff;
+        const b = high & 0xff;
+        const c = (low >> 8) & 0xff;
+        const d = low & 0xff;
+        return `::ffff:${a}.${b}.${c}.${d}`;
+    }
+    // Find longest run of consecutive zero groups for `::` compression.
+    // RFC 5952 §4.2.1: only compress runs of two or more.
+    // RFC 5952 §4.2.3: on ties, compress the first run.
+    let best_start = -1;
+    let best_len = 0;
+    let cur_start = -1;
+    let cur_len = 0;
+    for (let i = 0; i < 8; i++) {
+        if (groups[i] === 0) {
+            if (cur_start === -1)
+                cur_start = i;
+            cur_len++;
+            if (cur_len > best_len) {
+                best_start = cur_start;
+                best_len = cur_len;
+            }
+        }
+        else {
+            cur_start = -1;
+            cur_len = 0;
+        }
+    }
+    const to_hex = (g) => g.toString(16);
+    // RFC 5952 §4.2.2 — never compress a single zero group.
+    if (best_len < 2) {
+        return groups.map(to_hex).join(':');
+    }
+    const before = groups.slice(0, best_start).map(to_hex).join(':');
+    const after = groups
+        .slice(best_start + best_len)
+        .map(to_hex)
+        .join(':');
+    return before + '::' + after;
+};

package/dist/http/origin.d.ts

@@ -11,7 +11,7 @@
  */
 import type { Handler } from 'hono';
 /**
- * Parses ALLOWED_ORIGINS env var into regex matchers for request source verification.
+ * Parses FUZ_ALLOWED_ORIGINS env var into regex matchers for request source verification.
  * Origin allowlisting for locally-running services — not the CSRF layer
  * (that's `SameSite: strict` on session cookies).
  *
@@ -35,16 +35,24 @@ export declare const parse_allowed_origins: (env_value: string | undefined) => A
  * Tests if a request source (origin or referer) matches any of the allowed patterns.
  * Pattern matching is case-insensitive for domains (as per web standards).
  */
-export declare const should_allow_origin: (origin: string, allowed_patterns: Array<RegExp>) => boolean;
+export declare const should_allow_origin: (origin: string, allowed_patterns: ReadonlyArray<RegExp>) => boolean;
 /**
  * Middleware that verifies the request source against an allowlist.
  *
  * Origin allowlisting (not the CSRF layer — that's `SameSite: strict` cookies):
- * - Checks the `Origin` header first (if present)
- * - Falls back to `Referer` header (if no `Origin`)
- * - Allows requests without `Origin`/`Referer` headers (direct access, curl, etc.)
+ * - Checks the `Origin` header (if present) against the allowlist
+ * - Allows requests without an `Origin` header (direct access, curl, etc.)
+ *
+ * Origin-only by design — Fetch spec mandates `Origin` on every unsafe
+ * method (POST / PUT / DELETE / PATCH) regardless of `Referrer-Policy`,
+ * so every real browser request on the state-changing surface carries it.
+ * Non-browser clients (curl, server-to-server, CLI) don't ship auto-
+ * attached session cookies, so CSRF isn't the relevant threat there —
+ * auth (bearer / daemon token) is the actual control. A Referer fallback
+ * would only widen the accepted-shape envelope without closing a real
+ * CSRF hole; mirrors `zzz_server::auth::is_request_origin_allowed`.
  *
  * @param allowed_patterns - compiled regex patterns from `parse_allowed_origins`
  */
-export declare const verify_request_source: (allowed_patterns: Array<RegExp>) => Handler;
+export declare const verify_request_source: (allowed_patterns: ReadonlyArray<RegExp>) => Handler;
 //# sourceMappingURL=origin.d.ts.map

package/dist/http/origin.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"origin.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/http/origin.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAGH,OAAO,KAAK,EAAC,OAAO,EAAC,MAAM,MAAM,CAAC;AAIlC;;;;;;;;;;;;;;;;;;;GAmBG;AACH,eAAO,MAAM,qBAAqB,GAAI,WAAW,MAAM,GAAG,SAAS,KAAG,KAAK,CAAC,MAAM,CAO5E,CAAC;AAEP;;;GAGG;AACH,eAAO,MAAM,mBAAmB,GAAI,QAAQ,MAAM,EAAE,kBAAkB,KAAK,CAAC,MAAM,CAAC,KAAG,OACzC,CAAC;AAE9C;;;;;;;;;GASG;AACH,eAAO,MAAM,qBAAqB,GAChC,kBAAkB,KAAK,CAAC,MAAM,CAAC,KAAG,OA2BlC,CAAC"}
+{"version":3,"file":"origin.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/http/origin.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAGH,OAAO,KAAK,EAAC,OAAO,EAAC,MAAM,MAAM,CAAC;AAIlC;;;;;;;;;;;;;;;;;;;GAmBG;AACH,eAAO,MAAM,qBAAqB,GAAI,WAAW,MAAM,GAAG,SAAS,KAAG,KAAK,CAAC,MAAM,CAO5E,CAAC;AAEP;;;GAGG;AACH,eAAO,MAAM,mBAAmB,GAC/B,QAAQ,MAAM,EACd,kBAAkB,aAAa,CAAC,MAAM,CAAC,KACrC,OAAuD,CAAC;AAE3D;;;;;;;;;;;;;;;;;GAiBG;AACH,eAAO,MAAM,qBAAqB,GAChC,kBAAkB,aAAa,CAAC,MAAM,CAAC,KAAG,OAgB1C,CAAC"}

package/dist/http/origin.js

@@ -10,9 +10,9 @@
  * @module
  */
 import { escape_regexp } from '@fuzdev/fuz_util/regexp.js';
-import { ERROR_FORBIDDEN_ORIGIN, ERROR_FORBIDDEN_REFERER } from './error_schemas.js';
+import { ERROR_FORBIDDEN_ORIGIN } from './error_schemas.js';
 /**
- * Parses ALLOWED_ORIGINS env var into regex matchers for request source verification.
+ * Parses FUZ_ALLOWED_ORIGINS env var into regex matchers for request source verification.
  * Origin allowlisting for locally-running services — not the CSRF layer
  * (that's `SameSite: strict` on session cookies).
  *
@@ -47,9 +47,17 @@ export const should_allow_origin = (origin, allowed_patterns) => allowed_pattern
  * Middleware that verifies the request source against an allowlist.
  *
  * Origin allowlisting (not the CSRF layer — that's `SameSite: strict` cookies):
- * - Checks the `Origin` header first (if present)
- * - Falls back to `Referer` header (if no `Origin`)
- * - Allows requests without `Origin`/`Referer` headers (direct access, curl, etc.)
+ * - Checks the `Origin` header (if present) against the allowlist
+ * - Allows requests without an `Origin` header (direct access, curl, etc.)
+ *
+ * Origin-only by design — Fetch spec mandates `Origin` on every unsafe
+ * method (POST / PUT / DELETE / PATCH) regardless of `Referrer-Policy`,
+ * so every real browser request on the state-changing surface carries it.
+ * Non-browser clients (curl, server-to-server, CLI) don't ship auto-
+ * attached session cookies, so CSRF isn't the relevant threat there —
+ * auth (bearer / daemon token) is the actual control. A Referer fallback
+ * would only widen the accepted-shape envelope without closing a real
+ * CSRF hole; mirrors `zzz_server::auth::is_request_origin_allowed`.
  *
  * @param allowed_patterns - compiled regex patterns from `parse_allowed_origins`
  */
@@ -64,17 +72,7 @@ export const verify_request_source = (allowed_patterns) => (c, next) => {
         }
         return next();
     }
-    // Check referer header (fallback for some requests like gets and navigation).
-    // Same !== undefined check as origin.
-    const referer = c.req.header('referer');
-    if (referer !== undefined) {
-        const referer_origin = extract_origin_from_referer(referer);
-        if (!should_allow_origin(referer_origin, allowed_patterns)) {
-            return c.json({ error: ERROR_FORBIDDEN_REFERER }, 403);
-        }
-        return next();
-    }
-    // No origin or referer - direct access (curl, CLI, etc.)
+    // No origin header - direct access (curl, CLI, etc.)
     // Allow through since token auth is the primary security control.
     return next();
 };
@@ -182,19 +180,3 @@ const origin_pattern_to_regexp = (pattern) => {
     // Case-insensitive matching (web standards specify domains are case-insensitive)
     return new RegExp(regex_pattern, 'i');
 };
-/**
- * Extracts the origin from a referer URL, removing the path, query string, and fragment.
- *
- * @param referer - the referer URL (e.g., `https://fuz.dev/path?query#hash`)
- * @returns the origin part (e.g., `https://fuz.dev`)
- */
-const extract_origin_from_referer = (referer) => {
-    try {
-        return new URL(referer).origin;
-    }
-    catch {
-        // If URL parsing fails, return the original string
-        // (it will likely fail pattern matching anyway)
-        return referer;
-    }
-};

package/dist/http/pending_effects.d.ts

@@ -47,7 +47,7 @@ export interface EmitAfterCommitContext {
  * middleware (in `server/app_server.ts` and the per-message WS dispatcher)
  * is the only site that ever invokes `fn`. This is load-bearing: a
  * previous implementation queued `Promise.resolve().then(fn)`, which
- * JavaScript's microtask scheduler drains before the wrapping
+ * JS's microtask scheduler drains before the wrapping
  * `await db.query('COMMIT')` resumes — `fn` fired mid-transaction and a
  * rollback would leak a notification for state that never landed.
  *

package/dist/http/pending_effects.js

@@ -37,7 +37,7 @@
  * middleware (in `server/app_server.ts` and the per-message WS dispatcher)
  * is the only site that ever invokes `fn`. This is load-bearing: a
  * previous implementation queued `Promise.resolve().then(fn)`, which
- * JavaScript's microtask scheduler drains before the wrapping
+ * JS's microtask scheduler drains before the wrapping
  * `await db.query('COMMIT')` resumes — `fn` fired mid-transaction and a
  * rollback would leak a notification for state that never landed.
  *

package/dist/http/proxy.d.ts

@@ -13,11 +13,19 @@ import type { MiddlewareSpec } from './middleware_spec.js';
 /**
  * Normalize an IP address for consistent matching and storage.
  *
- * - Strips `::ffff:` prefix from IPv4-mapped IPv6 addresses
- *   (e.g. `::ffff:127.0.0.1` → `127.0.0.1`)
- * - Lowercases for case-insensitive IPv6 comparison
- * - Idempotent: calling twice produces the same result
- * - Safe on non-IP strings: `normalize_ip('unknown')` returns `'unknown'`
+ * Delegates to `canonicalize_ip` from `ip_canonical.ts` — collapses
+ * RFC 5952-equivalent IPv6 forms (`::1`, `::0001`, `0:0:0:0:0:0:0:1`)
+ * into a single key, emits IPv4-mapped IPv6 in dotted form, and
+ * strips the `::ffff:` prefix from dotted IPv4-mapped values so the
+ * bucket collapses to plain IPv4.
+ *
+ * - Lowercases for case-insensitive IPv6 comparison.
+ * - Idempotent: calling twice produces the same result.
+ * - Safe on non-IP strings: `normalize_ip('unknown')` returns `'unknown'`.
+ *   Malformed inputs (`'attacker:controlled'`, `'::1\n'`,
+ *   `'203.0.113.1:8080'`) pass through unchanged so downstream
+ *   `validate_ip_strict` can still reject them — canonicalization
+ *   never erases the malformed-form signal.
  */
 export declare const normalize_ip: (ip: string) => string;
 /**

package/dist/http/proxy.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"proxy.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/http/proxy.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,KAAK,EAAC,OAAO,EAAE,iBAAiB,EAAC,MAAM,MAAM,CAAC;AAErD,OAAO,KAAK,EAAC,MAAM,EAAC,MAAM,yBAAyB,CAAC;AAEpD,OAAO,KAAK,EAAC,cAAc,EAAC,MAAM,sBAAsB,CAAC;AAEzD;;;;;;;;GAQG;AACH,eAAO,MAAM,YAAY,GAAI,IAAI,MAAM,KAAG,MAQzC,CAAC;AAEF;;GAEG;AACH,MAAM,WAAW,YAAY;IAC5B,sFAAsF;IACtF,eAAe,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;IAC/B,+DAA+D;IAC/D,iBAAiB,EAAE,CAAC,CAAC,EAAE,OAAO,KAAK,MAAM,GAAG,SAAS,CAAC;IACtD,wDAAwD;IACxD,GAAG,CAAC,EAAE,MAAM,CAAC;CACb;AAED;;GAEG;AACH,MAAM,MAAM,WAAW,GACpB;IAAC,IAAI,EAAE,IAAI,CAAC;IAAC,OAAO,EAAE,MAAM,CAAA;CAAC,GAC7B;IAAC,IAAI,EAAE,MAAM,CAAC;IAAC,OAAO,EAAE,MAAM,CAAC;IAAC,MAAM,EAAE,MAAM,CAAC;IAAC,YAAY,EAAE,MAAM,GAAG,MAAM,CAAA;CAAC,CAAC;AAElF;;;;;;;;;GASG;AACH,eAAO,MAAM,iBAAiB,GAAI,OAAO,MAAM,KAAG,WA6CjD,CAAC;AA2BF;;;;;;;;;;;;;;;;;;;;;;;;;GAyBG;AACH,eAAO,MAAM,kBAAkB,GAAI,IAAI,MAAM,KAAG,MAAM,GAAG,MAAM,GAAG,SAWjE,CAAC;AAEF;;;;;;;;GAQG;AACH,eAAO,MAAM,aAAa,GAAI,IAAI,MAAM,EAAE,SAAS,KAAK,CAAC,WAAW,CAAC,KAAG,OAqBvE,CAAC;AAEF;;;;;;;;;;;;;;;;;;;;;;;;;;;GA2BG;AACH,eAAO,MAAM,iBAAiB,GAC7B,eAAe,MAAM,EACrB,SAAS,KAAK,CAAC,WAAW,CAAC,KACzB,MAAM,GAAG,SA0BX,CAAC;AAEF;;;;;;;;;;;;;;;;GAgBG;AACH,eAAO,MAAM,uBAAuB,GAAI,SAAS,YAAY,KAAG,iBAyC/D,CAAC;AAEF;;;;;;GAMG;AACH,eAAO,MAAM,4BAA4B,GAAI,SAAS,YAAY,KAAG,cAInE,CAAC;AAEH;;;;;GAKG;AACH,eAAO,MAAM,aAAa,GAAI,GAAG,OAAO,KAAG,MAAyC,CAAC"}
+{"version":3,"file":"proxy.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/http/proxy.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,KAAK,EAAC,OAAO,EAAE,iBAAiB,EAAC,MAAM,MAAM,CAAC;AAErD,OAAO,KAAK,EAAC,MAAM,EAAC,MAAM,yBAAyB,CAAC;AAEpD,OAAO,KAAK,EAAC,cAAc,EAAC,MAAM,sBAAsB,CAAC;AAGzD;;;;;;;;;;;;;;;;GAgBG;AACH,eAAO,MAAM,YAAY,GAAI,IAAI,MAAM,KAAG,MAA6B,CAAC;AAExE;;GAEG;AACH,MAAM,WAAW,YAAY;IAC5B,sFAAsF;IACtF,eAAe,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;IAC/B,+DAA+D;IAC/D,iBAAiB,EAAE,CAAC,CAAC,EAAE,OAAO,KAAK,MAAM,GAAG,SAAS,CAAC;IACtD,wDAAwD;IACxD,GAAG,CAAC,EAAE,MAAM,CAAC;CACb;AAED;;GAEG;AACH,MAAM,MAAM,WAAW,GACpB;IAAC,IAAI,EAAE,IAAI,CAAC;IAAC,OAAO,EAAE,MAAM,CAAA;CAAC,GAC7B;IAAC,IAAI,EAAE,MAAM,CAAC;IAAC,OAAO,EAAE,MAAM,CAAC;IAAC,MAAM,EAAE,MAAM,CAAC;IAAC,YAAY,EAAE,MAAM,GAAG,MAAM,CAAA;CAAC,CAAC;AAElF;;;;;;;;;GASG;AACH,eAAO,MAAM,iBAAiB,GAAI,OAAO,MAAM,KAAG,WA6CjD,CAAC;AAiBF;;;;;;;;;;;;;;;;;;;;;;;;;GAyBG;AACH,eAAO,MAAM,kBAAkB,GAAI,IAAI,MAAM,KAAG,MAAM,GAAG,MAAM,GAAG,SAWjE,CAAC;AAEF;;;;;;;;GAQG;AACH,eAAO,MAAM,aAAa,GAAI,IAAI,MAAM,EAAE,SAAS,KAAK,CAAC,WAAW,CAAC,KAAG,OAqBvE,CAAC;AAEF;;;;;;;;;;;;;;;;;;;;;;;;;;;GA2BG;AACH,eAAO,MAAM,iBAAiB,GAC7B,eAAe,MAAM,EACrB,SAAS,KAAK,CAAC,WAAW,CAAC,KACzB,MAAM,GAAG,SA0BX,CAAC;AAEF;;;;;;;;;;;;;;;;GAgBG;AACH,eAAO,MAAM,uBAAuB,GAAI,SAAS,YAAY,KAAG,iBAyC/D,CAAC;AAEF;;;;;;GAMG;AACH,eAAO,MAAM,4BAA4B,GAAI,SAAS,YAAY,KAAG,cAInE,CAAC;AAEH;;;;;GAKG;AACH,eAAO,MAAM,aAAa,GAAI,GAAG,OAAO,KAAG,MAAyC,CAAC"}

package/dist/http/proxy.js

@@ -8,24 +8,25 @@
  * @module
  */
 import { convertIPv4ToBinary, convertIPv6ToBinary, distinctRemoteAddr } from 'hono/utils/ipaddr';
+import { canonicalize_ip, IP_LITERAL_CHARS } from './ip_canonical.js';
 /**
  * Normalize an IP address for consistent matching and storage.
  *
- * - Strips `::ffff:` prefix from IPv4-mapped IPv6 addresses
- *   (e.g. `::ffff:127.0.0.1` → `127.0.0.1`)
- * - Lowercases for case-insensitive IPv6 comparison
- * - Idempotent: calling twice produces the same result
- * - Safe on non-IP strings: `normalize_ip('unknown')` returns `'unknown'`
+ * Delegates to `canonicalize_ip` from `ip_canonical.ts` — collapses
+ * RFC 5952-equivalent IPv6 forms (`::1`, `::0001`, `0:0:0:0:0:0:0:1`)
+ * into a single key, emits IPv4-mapped IPv6 in dotted form, and
+ * strips the `::ffff:` prefix from dotted IPv4-mapped values so the
+ * bucket collapses to plain IPv4.
+ *
+ * - Lowercases for case-insensitive IPv6 comparison.
+ * - Idempotent: calling twice produces the same result.
+ * - Safe on non-IP strings: `normalize_ip('unknown')` returns `'unknown'`.
+ *   Malformed inputs (`'attacker:controlled'`, `'::1\n'`,
+ *   `'203.0.113.1:8080'`) pass through unchanged so downstream
+ *   `validate_ip_strict` can still reject them — canonicalization
+ *   never erases the malformed-form signal.
  */
-export const normalize_ip = (ip) => {
-    const lowered = ip.toLowerCase();
-    // Strip ::ffff: prefix only when remainder contains a dot (IPv4-mapped IPv6).
-    // This distinguishes ::ffff:127.0.0.1 (IPv4-mapped) from ::ffff:1 (pure IPv6).
-    if (lowered.startsWith('::ffff:') && lowered.substring(7).includes('.')) {
-        return lowered.substring(7);
-    }
-    return lowered;
-};
+export const normalize_ip = (ip) => canonicalize_ip(ip);
 /**
  * Parse a trusted proxy entry string into a structured form.
  *
@@ -91,15 +92,6 @@ const cidr_contains = (ip_binary, network, prefix, total_bits) => {
     const shift = BigInt(total_bits - prefix);
     return ip_binary >> shift === network >> shift;
 };
-/**
- * Allowed character set for a bare IP literal.
- *
- * Covers the union of IPv4 (digits + `.`), IPv6 (hex digits + `:`), and
- * IPv4-mapped IPv6 forms (`::ffff:127.0.0.1`). Anything outside this
- * set — brackets, whitespace, control bytes, letters g-z — disqualifies
- * the input regardless of what Hono's parser does with it.
- */
-const IP_LITERAL_CHARS = /^[0-9a-fA-F.:]+$/;
 /**
  * Strict IP validity check.
  *