npm - @hardenlabs/hmac - Versions diffs - 0.1.0 - Mend

@hardenlabs/hmac 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (45) hide show

package/dist/canonical.d.ts +26 -0
package/dist/canonical.d.ts.map +1 -0
package/dist/canonical.js +87 -0
package/dist/canonical.js.map +1 -0
package/dist/client-factory.d.ts +23 -0
package/dist/client-factory.d.ts.map +1 -0
package/dist/client-factory.js +53 -0
package/dist/client-factory.js.map +1 -0
package/dist/config.d.ts +75 -0
package/dist/config.d.ts.map +1 -0
package/dist/config.js +85 -0
package/dist/config.js.map +1 -0
package/dist/env-loader.d.ts +21 -0
package/dist/env-loader.d.ts.map +1 -0
package/dist/env-loader.js +145 -0
package/dist/env-loader.js.map +1 -0
package/dist/errors.d.ts +8 -0
package/dist/errors.d.ts.map +1 -0
package/dist/errors.js +10 -0
package/dist/errors.js.map +1 -0
package/dist/http-client.d.ts +61 -0
package/dist/http-client.d.ts.map +1 -0
package/dist/http-client.js +51 -0
package/dist/http-client.js.map +1 -0
package/dist/index.d.ts +11 -0
package/dist/index.d.ts.map +1 -0
package/dist/index.js +11 -0
package/dist/index.js.map +1 -0
package/dist/middleware/express.d.ts +24 -0
package/dist/middleware/express.d.ts.map +1 -0
package/dist/middleware/express.js +145 -0
package/dist/middleware/express.js.map +1 -0
package/dist/middleware/fetch.d.ts +16 -0
package/dist/middleware/fetch.d.ts.map +1 -0
package/dist/middleware/fetch.js +105 -0
package/dist/middleware/fetch.js.map +1 -0
package/dist/signing.d.ts +18 -0
package/dist/signing.d.ts.map +1 -0
package/dist/signing.js +62 -0
package/dist/signing.js.map +1 -0
package/dist/validation.d.ts +21 -0
package/dist/validation.d.ts.map +1 -0
package/dist/validation.js +47 -0
package/dist/validation.js.map +1 -0
package/package.json +51 -0

package/dist/canonical.d.ts ADDED Viewed

@@ -0,0 +1,26 @@
+import { type SignedHeadersConfig } from "./config.js";
+/** Parameters for building a canonical string. */
+export interface CanonicalStringParams {
+    method: string;
+    path: string;
+    body: string;
+    timestamp: number;
+    signedHeadersConfig?: SignedHeadersConfig;
+    requestHeaders?: Record<string, string>;
+}
+/**
+ * Build a canonical string from request components per the v1.0 specification.
+ *
+ * Format: METHOD\nPATH\nSIGNED_HEADERS\nBODY\nTIMESTAMP
+ */
+export declare function buildCanonicalString(params: CanonicalStringParams): string;
+/** Result of building signed headers. */
+export interface SignedHeadersResult {
+    headerString: string;
+    headerNames: string[];
+}
+/**
+ * Build the signed headers string and return header names.
+ */
+export declare function buildSignedHeaders(config: SignedHeadersConfig, requestHeaders: Record<string, string>): SignedHeadersResult;
+//# sourceMappingURL=canonical.d.ts.map

package/dist/canonical.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"canonical.d.ts","sourceRoot":"","sources":["../src/canonical.ts"],"names":[],"mappings":"AAAA,OAAO,EAIL,KAAK,mBAAmB,EACzB,MAAM,aAAa,CAAC;AAErB,kDAAkD;AAClD,MAAM,WAAW,qBAAqB;IACpC,MAAM,EAAE,MAAM,CAAC;IACf,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,MAAM,CAAC;IACb,SAAS,EAAE,MAAM,CAAC;IAClB,mBAAmB,CAAC,EAAE,mBAAmB,CAAC;IAC1C,cAAc,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;CACzC;AAED;;;;GAIG;AACH,wBAAgB,oBAAoB,CAAC,MAAM,EAAE,qBAAqB,GAAG,MAAM,CAkC1E;AAED,yCAAyC;AACzC,MAAM,WAAW,mBAAmB;IAClC,YAAY,EAAE,MAAM,CAAC;IACrB,WAAW,EAAE,MAAM,EAAE,CAAC;CACvB;AAED;;GAEG;AACH,wBAAgB,kBAAkB,CAChC,MAAM,EAAE,mBAAmB,EAC3B,cAAc,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,GACrC,mBAAmB,CAOrB"}

package/dist/canonical.js ADDED Viewed

@@ -0,0 +1,87 @@
+import { CLIENT_ID_HEADER_LOWER, HARDEN_HEADER_PREFIX, X_HEADER_PREFIX, } from "./config.js";
+/**
+ * Build a canonical string from request components per the v1.0 specification.
+ *
+ * Format: METHOD\nPATH\nSIGNED_HEADERS\nBODY\nTIMESTAMP
+ */
+export function buildCanonicalString(params) {
+    const { method, path, body, timestamp, signedHeadersConfig, requestHeaders, } = params;
+    if (method.includes("\n")) {
+        throw new Error("method must not contain newline characters");
+    }
+    if (path.includes("\n")) {
+        throw new Error("path must not contain newline characters");
+    }
+    const config = signedHeadersConfig ?? {
+        includeAuthorization: false,
+        includeXHeaders: false,
+        additionalHeaders: [],
+        excludeHeaders: [],
+    };
+    const headers = requestHeaders ?? {};
+    const signedHeadersString = buildSignedHeadersString(config, headers);
+    return [
+        method.toUpperCase(),
+        path,
+        signedHeadersString,
+        body ?? "",
+        String(timestamp),
+    ].join("\n");
+}
+/**
+ * Build the signed headers string and return header names.
+ */
+export function buildSignedHeaders(config, requestHeaders) {
+    const selected = selectHeaders(config, requestHeaders);
+    const headerNames = selected.map((h) => h.name);
+    const headerString = selected
+        .map((h) => `${h.name}:${h.value}`)
+        .join("\n");
+    return { headerString, headerNames };
+}
+function buildSignedHeadersString(config, requestHeaders) {
+    const selected = selectHeaders(config, requestHeaders);
+    return selected.map((h) => `${h.name}:${h.value}`).join("\n");
+}
+function selectHeaders(config, requestHeaders) {
+    const excludeSet = new Set(config.excludeHeaders.map((h) => h.toLowerCase()));
+    const additionalSet = new Set(config.additionalHeaders.map((h) => h.toLowerCase()));
+    const selected = [];
+    for (const [name, value] of Object.entries(requestHeaders)) {
+        const lowerName = name.toLowerCase();
+        const trimmedValue = value.trim();
+        // Always exclude X-Harden-* headers, EXCEPT X-Harden-Client-Id
+        // (client identity is an identity claim, not signing metadata)
+        if (lowerName.startsWith(HARDEN_HEADER_PREFIX) && lowerName !== CLIENT_ID_HEADER_LOWER) {
+            continue;
+        }
+        let include = false;
+        if (config.includeAuthorization && lowerName === "authorization") {
+            include = true;
+        }
+        if (config.includeXHeaders &&
+            lowerName.startsWith(X_HEADER_PREFIX) &&
+            (!lowerName.startsWith(HARDEN_HEADER_PREFIX) || lowerName === CLIENT_ID_HEADER_LOWER)) {
+            include = true;
+        }
+        // X-Harden-Client-Id is always signed when present (identity claim must not be spoofable)
+        if (lowerName === CLIENT_ID_HEADER_LOWER) {
+            include = true;
+        }
+        if (additionalSet.has(lowerName)) {
+            include = true;
+        }
+        // Apply exclude override
+        if (excludeSet.has(lowerName)) {
+            include = false;
+        }
+        if (include) {
+            selected.push({ name: lowerName, value: trimmedValue });
+        }
+    }
+    // Sort by Unicode code point order (ordinal), matching C# StringComparison.Ordinal
+    // and Python default string comparison. Do NOT use localeCompare — it varies by runtime locale.
+    selected.sort((a, b) => (a.name < b.name ? -1 : a.name > b.name ? 1 : 0));
+    return selected;
+}
+//# sourceMappingURL=canonical.js.map

package/dist/canonical.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"canonical.js","sourceRoot":"","sources":["../src/canonical.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,sBAAsB,EACtB,oBAAoB,EACpB,eAAe,GAEhB,MAAM,aAAa,CAAC;AAYrB;;;;GAIG;AACH,MAAM,UAAU,oBAAoB,CAAC,MAA6B;IAChE,MAAM,EACJ,MAAM,EACN,IAAI,EACJ,IAAI,EACJ,SAAS,EACT,mBAAmB,EACnB,cAAc,GACf,GAAG,MAAM,CAAC;IAEX,IAAI,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;QAC1B,MAAM,IAAI,KAAK,CAAC,4CAA4C,CAAC,CAAC;IAChE,CAAC;IACD,IAAI,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;QACxB,MAAM,IAAI,KAAK,CAAC,0CAA0C,CAAC,CAAC;IAC9D,CAAC;IAED,MAAM,MAAM,GAAwB,mBAAmB,IAAI;QACzD,oBAAoB,EAAE,KAAK;QAC3B,eAAe,EAAE,KAAK;QACtB,iBAAiB,EAAE,EAAE;QACrB,cAAc,EAAE,EAAE;KACnB,CAAC;IAEF,MAAM,OAAO,GAAG,cAAc,IAAI,EAAE,CAAC;IACrC,MAAM,mBAAmB,GAAG,wBAAwB,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAEtE,OAAO;QACL,MAAM,CAAC,WAAW,EAAE;QACpB,IAAI;QACJ,mBAAmB;QACnB,IAAI,IAAI,EAAE;QACV,MAAM,CAAC,SAAS,CAAC;KAClB,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AACf,CAAC;AAQD;;GAEG;AACH,MAAM,UAAU,kBAAkB,CAChC,MAA2B,EAC3B,cAAsC;IAEtC,MAAM,QAAQ,GAAG,aAAa,CAAC,MAAM,EAAE,cAAc,CAAC,CAAC;IACvD,MAAM,WAAW,GAAG,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC;IAChD,MAAM,YAAY,GAAG,QAAQ;SAC1B,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,GAAG,CAAC,CAAC,IAAI,IAAI,CAAC,CAAC,KAAK,EAAE,CAAC;SAClC,IAAI,CAAC,IAAI,CAAC,CAAC;IACd,OAAO,EAAE,YAAY,EAAE,WAAW,EAAE,CAAC;AACvC,CAAC;AAED,SAAS,wBAAwB,CAC/B,MAA2B,EAC3B,cAAsC;IAEtC,MAAM,QAAQ,GAAG,aAAa,CAAC,MAAM,EAAE,cAAc,CAAC,CAAC;IACvD,OAAO,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,GAAG,CAAC,CAAC,IAAI,IAAI,CAAC,CAAC,KAAK,EAAE,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AAChE,CAAC;AAOD,SAAS,aAAa,CACpB,MAA2B,EAC3B,cAAsC;IAEtC,MAAM,UAAU,GAAG,IAAI,GAAG,CACxB,MAAM,CAAC,cAAc,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,WAAW,EAAE,CAAC,CAClD,CAAC;IACF,MAAM,aAAa,GAAG,IAAI,GAAG,CAC3B,MAAM,CAAC,iBAAiB,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,WAAW,EAAE,CAAC,CACrD,CAAC;IAEF,MAAM,QAAQ,GAAqB,EAAE,CAAC;IAEtC,KAAK,MAAM,CAAC,IAAI,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,cAAc,CAAC,EAAE,CAAC;QAC3D,MAAM,SAAS,GAAG,IAAI,CAAC,WAAW,EAAE,CAAC;QACrC,MAAM,YAAY,GAAG,KAAK,CAAC,IAAI,EAAE,CAAC;QAElC,+DAA+D;QAC/D,+DAA+D;QAC/D,IAAI,SAAS,CAAC,UAAU,CAAC,oBAAoB,CAAC,IAAI,SAAS,KAAK,sBAAsB,EAAE,CAAC;YACvF,SAAS;QACX,CAAC;QAED,IAAI,OAAO,GAAG,KAAK,CAAC;QAEpB,IAAI,MAAM,CAAC,oBAAoB,IAAI,SAAS,KAAK,eAAe,EAAE,CAAC;YACjE,OAAO,GAAG,IAAI,CAAC;QACjB,CAAC;QAED,IACE,MAAM,CAAC,eAAe;YACtB,SAAS,CAAC,UAAU,CAAC,eAAe,CAAC;YACrC,CAAC,CAAC,SAAS,CAAC,UAAU,CAAC,oBAAoB,CAAC,IAAI,SAAS,KAAK,sBAAsB,CAAC,EACrF,CAAC;YACD,OAAO,GAAG,IAAI,CAAC;QACjB,CAAC;QAED,0FAA0F;QAC1F,IAAI,SAAS,KAAK,sBAAsB,EAAE,CAAC;YACzC,OAAO,GAAG,IAAI,CAAC;QACjB,CAAC;QAED,IAAI,aAAa,CAAC,GAAG,CAAC,SAAS,CAAC,EAAE,CAAC;YACjC,OAAO,GAAG,IAAI,CAAC;QACjB,CAAC;QAED,yBAAyB;QACzB,IAAI,UAAU,CAAC,GAAG,CAAC,SAAS,CAAC,EAAE,CAAC;YAC9B,OAAO,GAAG,KAAK,CAAC;QAClB,CAAC;QAED,IAAI,OAAO,EAAE,CAAC;YACZ,QAAQ,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,SAAS,EAAE,KAAK,EAAE,YAAY,EAAE,CAAC,CAAC;QAC1D,CAAC;IACH,CAAC;IAED,mFAAmF;IACnF,gGAAgG;IAChG,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,IAAI,GAAG,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,GAAG,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;IAE1E,OAAO,QAAQ,CAAC;AAClB,CAAC"}

package/dist/client-factory.d.ts ADDED Viewed

@@ -0,0 +1,23 @@
+import type { HmacConfig } from "./config.js";
+import type { HmacClient, HmacClientFactoryOptions } from "./http-client.js";
+/** Factory for creating pre-configured HMAC-signing HTTP clients per named target. */
+export interface HmacClientFactory {
+    /**
+     * Create an HTTP client for the named target.
+     * The client prepends the target's base URL and signs all requests.
+     *
+     * @param targetName - The target name as defined in config.targets.
+     * @returns An HmacClient that auto-signs requests.
+     * @throws {Error} If the target name is not found.
+     */
+    createClient(targetName: string): HmacClient;
+}
+/**
+ * Create an HmacClientFactory from the given config.
+ *
+ * @param config - HMAC configuration with targets.
+ * @param options - Optional adapter configuration (fetch function or axios instance).
+ * @returns Factory that creates per-target signed HTTP clients.
+ */
+export declare function createHmacClientFactory(config: HmacConfig, options?: HmacClientFactoryOptions): HmacClientFactory;
+//# sourceMappingURL=client-factory.d.ts.map

package/dist/client-factory.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"client-factory.d.ts","sourceRoot":"","sources":["../src/client-factory.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AAE9C,OAAO,KAAK,EACV,UAAU,EAIV,wBAAwB,EACzB,MAAM,kBAAkB,CAAC;AAI1B,sFAAsF;AACtF,MAAM,WAAW,iBAAiB;IAChC;;;;;;;OAOG;IACH,YAAY,CAAC,UAAU,EAAE,MAAM,GAAG,UAAU,CAAC;CAC9C;AAED;;;;;;GAMG;AACH,wBAAgB,uBAAuB,CACrC,MAAM,EAAE,UAAU,EAClB,OAAO,CAAC,EAAE,wBAAwB,GACjC,iBAAiB,CAgEnB"}

package/dist/client-factory.js ADDED Viewed

@@ -0,0 +1,53 @@
+import { CLIENT_ID_HEADER, configForTarget } from "./config.js";
+import { FetchAdapter, AxiosAdapter } from "./http-client.js";
+import { signRequestHeaders } from "./middleware/fetch.js";
+/**
+ * Create an HmacClientFactory from the given config.
+ *
+ * @param config - HMAC configuration with targets.
+ * @param options - Optional adapter configuration (fetch function or axios instance).
+ * @returns Factory that creates per-target signed HTTP clients.
+ */
+export function createHmacClientFactory(config, options) {
+    const adapter = options?.axios
+        ? new AxiosAdapter(options.axios)
+        : new FetchAdapter(options?.fetchFn);
+    return {
+        createClient(targetName) {
+            const target = config.targets?.[targetName];
+            if (!target) {
+                const available = config.targets
+                    ? Object.keys(config.targets).join(", ")
+                    : "";
+                throw new Error(`Target '${targetName}' is not configured. Available targets: [${available}].`);
+            }
+            const targetConfig = configForTarget(config, targetName);
+            const baseUrl = target.baseUrl.replace(/\/+$/, "");
+            function signedRequest(method, path, body, opts) {
+                const existingHeaders = {
+                    [CLIENT_ID_HEADER.toLowerCase()]: targetName,
+                    ...Object.fromEntries(Object.entries(opts?.headers ?? {}).map(([k, v]) => [
+                        k.toLowerCase(),
+                        v,
+                    ])),
+                };
+                const sigHeaders = signRequestHeaders(targetConfig, method, path, body ?? "", existingHeaders);
+                const mergedHeaders = {
+                    ...existingHeaders,
+                    ...sigHeaders,
+                };
+                const fullUrl = `${baseUrl}${path}`;
+                return adapter.request(fullUrl, method, body, mergedHeaders);
+            }
+            return {
+                get: (path, opts) => signedRequest("GET", path, undefined, opts),
+                post: (path, body, opts) => signedRequest("POST", path, body, opts),
+                put: (path, body, opts) => signedRequest("PUT", path, body, opts),
+                patch: (path, body, opts) => signedRequest("PATCH", path, body, opts),
+                delete: (path, opts) => signedRequest("DELETE", path, undefined, opts),
+                request: (method, path, body, opts) => signedRequest(method.toUpperCase(), path, body, opts),
+            };
+        },
+    };
+}
+//# sourceMappingURL=client-factory.js.map

package/dist/client-factory.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"client-factory.js","sourceRoot":"","sources":["../src/client-factory.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,gBAAgB,EAAE,eAAe,EAAE,MAAM,aAAa,CAAC;AAQhE,OAAO,EAAE,YAAY,EAAE,YAAY,EAAE,MAAM,kBAAkB,CAAC;AAC9D,OAAO,EAAE,kBAAkB,EAAE,MAAM,uBAAuB,CAAC;AAe3D;;;;;;GAMG;AACH,MAAM,UAAU,uBAAuB,CACrC,MAAkB,EAClB,OAAkC;IAElC,MAAM,OAAO,GAAgB,OAAO,EAAE,KAAK;QACzC,CAAC,CAAC,IAAI,YAAY,CAAC,OAAO,CAAC,KAAK,CAAC;QACjC,CAAC,CAAC,IAAI,YAAY,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC;IAEvC,OAAO;QACL,YAAY,CAAC,UAAkB;YAC7B,MAAM,MAAM,GAAG,MAAM,CAAC,OAAO,EAAE,CAAC,UAAU,CAAC,CAAC;YAC5C,IAAI,CAAC,MAAM,EAAE,CAAC;gBACZ,MAAM,SAAS,GAAG,MAAM,CAAC,OAAO;oBAC9B,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC;oBACxC,CAAC,CAAC,EAAE,CAAC;gBACP,MAAM,IAAI,KAAK,CACb,WAAW,UAAU,4CAA4C,SAAS,IAAI,CAC/E,CAAC;YACJ,CAAC;YAED,MAAM,YAAY,GAAG,eAAe,CAAC,MAAM,EAAE,UAAU,CAAC,CAAC;YACzD,MAAM,OAAO,GAAG,MAAM,CAAC,OAAO,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;YAEnD,SAAS,aAAa,CACpB,MAAc,EACd,IAAY,EACZ,IAAa,EACb,IAAqB;gBAErB,MAAM,eAAe,GAA2B;oBAC9C,CAAC,gBAAgB,CAAC,WAAW,EAAE,CAAC,EAAE,UAAU;oBAC5C,GAAG,MAAM,CAAC,WAAW,CACnB,MAAM,CAAC,OAAO,CAAC,IAAI,EAAE,OAAO,IAAI,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,EAAE,EAAE,CAAC;wBAClD,CAAC,CAAC,WAAW,EAAE;wBACf,CAAC;qBACF,CAAC,CACH;iBACF,CAAC;gBAEF,MAAM,UAAU,GAAG,kBAAkB,CACnC,YAAY,EACZ,MAAM,EACN,IAAI,EACJ,IAAI,IAAI,EAAE,EACV,eAAe,CAChB,CAAC;gBAEF,MAAM,aAAa,GAA2B;oBAC5C,GAAG,eAAe;oBAClB,GAAG,UAAU;iBACd,CAAC;gBAEF,MAAM,OAAO,GAAG,GAAG,OAAO,GAAG,IAAI,EAAE,CAAC;gBACpC,OAAO,OAAO,CAAC,OAAO,CAAC,OAAO,EAAE,MAAM,EAAE,IAAI,EAAE,aAAa,CAAC,CAAC;YAC/D,CAAC;YAED,OAAO;gBACL,GAAG,EAAE,CAAC,IAAI,EAAE,IAAI,EAAE,EAAE,CAAC,aAAa,CAAC,KAAK,EAAE,IAAI,EAAE,SAAS,EAAE,IAAI,CAAC;gBAChE,IAAI,EAAE,CAAC,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,EAAE,CAAC,aAAa,CAAC,MAAM,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,CAAC;gBACnE,GAAG,EAAE,CAAC,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,EAAE,CAAC,aAAa,CAAC,KAAK,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,CAAC;gBACjE,KAAK,EAAE,CAAC,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,EAAE,CAAC,aAAa,CAAC,OAAO,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,CAAC;gBACrE,MAAM,EAAE,CAAC,IAAI,EAAE,IAAI,EAAE,EAAE,CAAC,aAAa,CAAC,QAAQ,EAAE,IAAI,EAAE,SAAS,EAAE,IAAI,CAAC;gBACtE,OAAO,EAAE,CAAC,MAAM,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,EAAE,CACpC,aAAa,CAAC,MAAM,CAAC,WAAW,EAAE,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,CAAC;aACxD,CAAC;QACJ,CAAC;KACF,CAAC;AACJ,CAAC"}

package/dist/config.d.ts ADDED Viewed

@@ -0,0 +1,75 @@
+/** Configuration for which request headers are included in the HMAC signature. */
+export interface SignedHeadersConfig {
+    /** Include the Authorization header in the signature. Default: true. */
+    includeAuthorization: boolean;
+    /** Include all X-* headers (except X-Harden-*) in the signature. Default: true. */
+    includeXHeaders: boolean;
+    /** Additional header names to include (case-insensitive). */
+    additionalHeaders: string[];
+    /** Header names to exclude (case-insensitive, overrides inclusion). */
+    excludeHeaders: string[];
+}
+/** Identity and credentials for a named client that connects to this server. */
+export interface HmacClientIdentity {
+    /** The shared secret as a Base64-encoded string for this client. */
+    sharedSecret: string;
+}
+/** Per-target configuration for a named service target (client-side). */
+export interface HmacTargetConfig {
+    /** Base URL for the target service. */
+    baseUrl: string;
+    /** The shared secret as a Base64-encoded string for this target. */
+    sharedSecret: string;
+    /** Per-target signed headers override. If undefined, uses global config. */
+    signedHeaders?: SignedHeadersConfig;
+    /** Per-target timestamp tolerance override. If undefined, uses global config. */
+    timestampToleranceSeconds?: number;
+}
+/** Configuration for HMAC signing and validation. */
+export interface HmacConfig {
+    /** The shared secret as a Base64-encoded string. */
+    sharedSecretBase64: string;
+    /** Named service targets with their own base URLs and secrets. */
+    targets?: Record<string, HmacTargetConfig>;
+    /** Named client identities for server-side multi-client secret resolution. */
+    clients?: Record<string, HmacClientIdentity>;
+    /** Configuration for which headers to include in the signature. */
+    signedHeaders: SignedHeadersConfig;
+    /** Timestamp tolerance in seconds for server-side validation. Default: 30. */
+    timestampToleranceSeconds: number;
+}
+/** Header name constants. */
+export declare const SIGNATURE_HEADER = "X-Harden-Signature";
+export declare const TIMESTAMP_HEADER = "X-Harden-Timestamp";
+export declare const SIGNED_HEADERS_HEADER = "X-Harden-Signed-Headers";
+export declare const CLIENT_ID_HEADER = "X-Harden-Client-Id";
+export declare const HARDEN_HEADER_PREFIX = "x-harden-";
+export declare const CLIENT_ID_HEADER_LOWER = "x-harden-client-id";
+export declare const X_HEADER_PREFIX = "x-";
+export declare const DEFAULT_TIMESTAMP_TOLERANCE_SECONDS = 30;
+/** Default signed headers configuration: include Authorization and X-* headers. */
+export declare function defaultSignedHeadersConfig(): SignedHeadersConfig;
+/** Signed headers configuration that signs no headers. */
+export declare function noneSignedHeadersConfig(): SignedHeadersConfig;
+/** Create an HmacConfig with sensible defaults. */
+export declare function createHmacConfig(sharedSecretBase64: string, overrides?: Partial<Omit<HmacConfig, "sharedSecretBase64">>): HmacConfig;
+/**
+ * Resolve the effective shared secret for a named target.
+ * Returns the target's secret if set, otherwise the global secret.
+ *
+ * @throws {Error} If the target is not found.
+ */
+export declare function getEffectiveSecret(config: HmacConfig, targetName: string): string;
+/**
+ * Resolve the effective signed headers config for a named target.
+ */
+export declare function getEffectiveSignedHeaders(config: HmacConfig, targetName: string): SignedHeadersConfig;
+/**
+ * Resolve the effective timestamp tolerance for a named target.
+ */
+export declare function getEffectiveTimestampTolerance(config: HmacConfig, targetName: string): number;
+/**
+ * Build an effective HmacConfig for a specific target with all overrides resolved.
+ */
+export declare function configForTarget(config: HmacConfig, targetName: string): HmacConfig;
+//# sourceMappingURL=config.d.ts.map

package/dist/config.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"config.d.ts","sourceRoot":"","sources":["../src/config.ts"],"names":[],"mappings":"AAAA,kFAAkF;AAClF,MAAM,WAAW,mBAAmB;IAClC,wEAAwE;IACxE,oBAAoB,EAAE,OAAO,CAAC;IAC9B,mFAAmF;IACnF,eAAe,EAAE,OAAO,CAAC;IACzB,6DAA6D;IAC7D,iBAAiB,EAAE,MAAM,EAAE,CAAC;IAC5B,uEAAuE;IACvE,cAAc,EAAE,MAAM,EAAE,CAAC;CAC1B;AAED,gFAAgF;AAChF,MAAM,WAAW,kBAAkB;IACjC,oEAAoE;IACpE,YAAY,EAAE,MAAM,CAAC;CACtB;AAED,yEAAyE;AACzE,MAAM,WAAW,gBAAgB;IAC/B,uCAAuC;IACvC,OAAO,EAAE,MAAM,CAAC;IAChB,oEAAoE;IACpE,YAAY,EAAE,MAAM,CAAC;IACrB,4EAA4E;IAC5E,aAAa,CAAC,EAAE,mBAAmB,CAAC;IACpC,iFAAiF;IACjF,yBAAyB,CAAC,EAAE,MAAM,CAAC;CACpC;AAED,qDAAqD;AACrD,MAAM,WAAW,UAAU;IACzB,oDAAoD;IACpD,kBAAkB,EAAE,MAAM,CAAC;IAC3B,kEAAkE;IAClE,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,gBAAgB,CAAC,CAAC;IAC3C,8EAA8E;IAC9E,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,kBAAkB,CAAC,CAAC;IAC7C,mEAAmE;IACnE,aAAa,EAAE,mBAAmB,CAAC;IACnC,8EAA8E;IAC9E,yBAAyB,EAAE,MAAM,CAAC;CACnC;AAED,6BAA6B;AAC7B,eAAO,MAAM,gBAAgB,uBAAuB,CAAC;AACrD,eAAO,MAAM,gBAAgB,uBAAuB,CAAC;AACrD,eAAO,MAAM,qBAAqB,4BAA4B,CAAC;AAC/D,eAAO,MAAM,gBAAgB,uBAAuB,CAAC;AACrD,eAAO,MAAM,oBAAoB,cAAc,CAAC;AAChD,eAAO,MAAM,sBAAsB,uBAAuB,CAAC;AAC3D,eAAO,MAAM,eAAe,OAAO,CAAC;AACpC,eAAO,MAAM,mCAAmC,KAAK,CAAC;AAEtD,mFAAmF;AACnF,wBAAgB,0BAA0B,IAAI,mBAAmB,CAOhE;AAED,0DAA0D;AAC1D,wBAAgB,uBAAuB,IAAI,mBAAmB,CAO7D;AAED,mDAAmD;AACnD,wBAAgB,gBAAgB,CAC9B,kBAAkB,EAAE,MAAM,EAC1B,SAAS,CAAC,EAAE,OAAO,CAAC,IAAI,CAAC,UAAU,EAAE,oBAAoB,CAAC,CAAC,GAC1D,UAAU,CAUZ;AAED;;;;;GAKG;AACH,wBAAgB,kBAAkB,CAChC,MAAM,EAAE,UAAU,EAClB,UAAU,EAAE,MAAM,GACjB,MAAM,CAWR;AAED;;GAEG;AACH,wBAAgB,yBAAyB,CACvC,MAAM,EAAE,UAAU,EAClB,UAAU,EAAE,MAAM,GACjB,mBAAmB,CAMrB;AAED;;GAEG;AACH,wBAAgB,8BAA8B,CAC5C,MAAM,EAAE,UAAU,EAClB,UAAU,EAAE,MAAM,GACjB,MAAM,CAMR;AAED;;GAEG;AACH,wBAAgB,eAAe,CAC7B,MAAM,EAAE,UAAU,EAClB,UAAU,EAAE,MAAM,GACjB,UAAU,CASZ"}

package/dist/config.js ADDED Viewed

@@ -0,0 +1,85 @@
+/** Header name constants. */
+export const SIGNATURE_HEADER = "X-Harden-Signature";
+export const TIMESTAMP_HEADER = "X-Harden-Timestamp";
+export const SIGNED_HEADERS_HEADER = "X-Harden-Signed-Headers";
+export const CLIENT_ID_HEADER = "X-Harden-Client-Id";
+export const HARDEN_HEADER_PREFIX = "x-harden-";
+export const CLIENT_ID_HEADER_LOWER = "x-harden-client-id";
+export const X_HEADER_PREFIX = "x-";
+export const DEFAULT_TIMESTAMP_TOLERANCE_SECONDS = 30;
+/** Default signed headers configuration: include Authorization and X-* headers. */
+export function defaultSignedHeadersConfig() {
+    return {
+        includeAuthorization: true,
+        includeXHeaders: true,
+        additionalHeaders: [],
+        excludeHeaders: [],
+    };
+}
+/** Signed headers configuration that signs no headers. */
+export function noneSignedHeadersConfig() {
+    return {
+        includeAuthorization: false,
+        includeXHeaders: false,
+        additionalHeaders: [],
+        excludeHeaders: [],
+    };
+}
+/** Create an HmacConfig with sensible defaults. */
+export function createHmacConfig(sharedSecretBase64, overrides) {
+    return {
+        sharedSecretBase64,
+        targets: overrides?.targets,
+        clients: overrides?.clients,
+        signedHeaders: overrides?.signedHeaders ?? defaultSignedHeadersConfig(),
+        timestampToleranceSeconds: overrides?.timestampToleranceSeconds ??
+            DEFAULT_TIMESTAMP_TOLERANCE_SECONDS,
+    };
+}
+/**
+ * Resolve the effective shared secret for a named target.
+ * Returns the target's secret if set, otherwise the global secret.
+ *
+ * @throws {Error} If the target is not found.
+ */
+export function getEffectiveSecret(config, targetName) {
+    const target = config.targets?.[targetName];
+    if (!target) {
+        const available = config.targets
+            ? Object.keys(config.targets).join(", ")
+            : "";
+        throw new Error(`Target '${targetName}' is not configured. Available targets: [${available}].`);
+    }
+    return target.sharedSecret || config.sharedSecretBase64;
+}
+/**
+ * Resolve the effective signed headers config for a named target.
+ */
+export function getEffectiveSignedHeaders(config, targetName) {
+    const target = config.targets?.[targetName];
+    if (target?.signedHeaders) {
+        return target.signedHeaders;
+    }
+    return config.signedHeaders;
+}
+/**
+ * Resolve the effective timestamp tolerance for a named target.
+ */
+export function getEffectiveTimestampTolerance(config, targetName) {
+    const target = config.targets?.[targetName];
+    if (target?.timestampToleranceSeconds !== undefined) {
+        return target.timestampToleranceSeconds;
+    }
+    return config.timestampToleranceSeconds;
+}
+/**
+ * Build an effective HmacConfig for a specific target with all overrides resolved.
+ */
+export function configForTarget(config, targetName) {
+    return {
+        sharedSecretBase64: getEffectiveSecret(config, targetName),
+        signedHeaders: getEffectiveSignedHeaders(config, targetName),
+        timestampToleranceSeconds: getEffectiveTimestampTolerance(config, targetName),
+    };
+}
+//# sourceMappingURL=config.js.map

package/dist/config.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"config.js","sourceRoot":"","sources":["../src/config.ts"],"names":[],"mappings":"AA4CA,6BAA6B;AAC7B,MAAM,CAAC,MAAM,gBAAgB,GAAG,oBAAoB,CAAC;AACrD,MAAM,CAAC,MAAM,gBAAgB,GAAG,oBAAoB,CAAC;AACrD,MAAM,CAAC,MAAM,qBAAqB,GAAG,yBAAyB,CAAC;AAC/D,MAAM,CAAC,MAAM,gBAAgB,GAAG,oBAAoB,CAAC;AACrD,MAAM,CAAC,MAAM,oBAAoB,GAAG,WAAW,CAAC;AAChD,MAAM,CAAC,MAAM,sBAAsB,GAAG,oBAAoB,CAAC;AAC3D,MAAM,CAAC,MAAM,eAAe,GAAG,IAAI,CAAC;AACpC,MAAM,CAAC,MAAM,mCAAmC,GAAG,EAAE,CAAC;AAEtD,mFAAmF;AACnF,MAAM,UAAU,0BAA0B;IACxC,OAAO;QACL,oBAAoB,EAAE,IAAI;QAC1B,eAAe,EAAE,IAAI;QACrB,iBAAiB,EAAE,EAAE;QACrB,cAAc,EAAE,EAAE;KACnB,CAAC;AACJ,CAAC;AAED,0DAA0D;AAC1D,MAAM,UAAU,uBAAuB;IACrC,OAAO;QACL,oBAAoB,EAAE,KAAK;QAC3B,eAAe,EAAE,KAAK;QACtB,iBAAiB,EAAE,EAAE;QACrB,cAAc,EAAE,EAAE;KACnB,CAAC;AACJ,CAAC;AAED,mDAAmD;AACnD,MAAM,UAAU,gBAAgB,CAC9B,kBAA0B,EAC1B,SAA2D;IAE3D,OAAO;QACL,kBAAkB;QAClB,OAAO,EAAE,SAAS,EAAE,OAAO;QAC3B,OAAO,EAAE,SAAS,EAAE,OAAO;QAC3B,aAAa,EAAE,SAAS,EAAE,aAAa,IAAI,0BAA0B,EAAE;QACvE,yBAAyB,EACvB,SAAS,EAAE,yBAAyB;YACpC,mCAAmC;KACtC,CAAC;AACJ,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,kBAAkB,CAChC,MAAkB,EAClB,UAAkB;IAElB,MAAM,MAAM,GAAG,MAAM,CAAC,OAAO,EAAE,CAAC,UAAU,CAAC,CAAC;IAC5C,IAAI,CAAC,MAAM,EAAE,CAAC;QACZ,MAAM,SAAS,GAAG,MAAM,CAAC,OAAO;YAC9B,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC;YACxC,CAAC,CAAC,EAAE,CAAC;QACP,MAAM,IAAI,KAAK,CACb,WAAW,UAAU,4CAA4C,SAAS,IAAI,CAC/E,CAAC;IACJ,CAAC;IACD,OAAO,MAAM,CAAC,YAAY,IAAI,MAAM,CAAC,kBAAkB,CAAC;AAC1D,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,yBAAyB,CACvC,MAAkB,EAClB,UAAkB;IAElB,MAAM,MAAM,GAAG,MAAM,CAAC,OAAO,EAAE,CAAC,UAAU,CAAC,CAAC;IAC5C,IAAI,MAAM,EAAE,aAAa,EAAE,CAAC;QAC1B,OAAO,MAAM,CAAC,aAAa,CAAC;IAC9B,CAAC;IACD,OAAO,MAAM,CAAC,aAAa,CAAC;AAC9B,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,8BAA8B,CAC5C,MAAkB,EAClB,UAAkB;IAElB,MAAM,MAAM,GAAG,MAAM,CAAC,OAAO,EAAE,CAAC,UAAU,CAAC,CAAC;IAC5C,IAAI,MAAM,EAAE,yBAAyB,KAAK,SAAS,EAAE,CAAC;QACpD,OAAO,MAAM,CAAC,yBAAyB,CAAC;IAC1C,CAAC;IACD,OAAO,MAAM,CAAC,yBAAyB,CAAC;AAC1C,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,eAAe,CAC7B,MAAkB,EAClB,UAAkB;IAElB,OAAO;QACL,kBAAkB,EAAE,kBAAkB,CAAC,MAAM,EAAE,UAAU,CAAC;QAC1D,aAAa,EAAE,yBAAyB,CAAC,MAAM,EAAE,UAAU,CAAC;QAC5D,yBAAyB,EAAE,8BAA8B,CACvD,MAAM,EACN,UAAU,CACX;KACF,CAAC;AACJ,CAAC"}

package/dist/env-loader.d.ts ADDED Viewed

@@ -0,0 +1,21 @@
+import type { HmacConfig } from "./config.js";
+/**
+ * Load HmacConfig from environment variables.
+ *
+ * Supports the following variables (prefix default: "HARDEN_HMAC_"):
+ *   {prefix}SHARED_SECRET_BASE64 — global shared secret
+ *   {prefix}TIMESTAMP_TOLERANCE_SECONDS — global tolerance
+ *   {prefix}SIGNED_HEADERS__INCLUDE_AUTHORIZATION — true/false
+ *   {prefix}SIGNED_HEADERS__INCLUDE_X_HEADERS — true/false
+ *   {prefix}TARGETS__{NAME}__BASE_URL — per-target base URL
+ *   {prefix}TARGETS__{NAME}__SHARED_SECRET — per-target secret
+ *   {prefix}TARGETS__{NAME}__TIMESTAMP_TOLERANCE_SECONDS — per-target tolerance
+ *
+ * If dotenv is installed as a peer dependency, .env file variables are loaded first.
+ *
+ * @param prefix - Environment variable prefix. Default: "HARDEN_HMAC_".
+ * @param env - Optional env object for testing. Defaults to process.env.
+ * @returns Parsed HmacConfig.
+ */
+export declare function fromEnv(prefix?: string, env?: Record<string, string | undefined>): Promise<HmacConfig>;
+//# sourceMappingURL=env-loader.d.ts.map

package/dist/env-loader.d.ts.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"env-loader.d.ts","sourceRoot":"","sources":["../src/env-loader.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAEV,UAAU,EAGX,MAAM,aAAa,CAAC;AAoCrB;;;;;;;;;;;;;;;;;GAiBG;AACH,wBAAsB,OAAO,CAC3B,MAAM,GAAE,MAAuB,EAC/B,GAAG,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,SAAS,CAAC,GACvC,OAAO,CAAC,UAAU,CAAC,CAqHrB"}

package/dist/env-loader.js ADDED Viewed

@@ -0,0 +1,145 @@
+import { DEFAULT_TIMESTAMP_TOLERANCE_SECONDS, defaultSignedHeadersConfig, } from "./config.js";
+/**
+ * Try to load dotenv if it's available as a peer dependency.
+ * This is a best-effort load — if dotenv is not installed, we skip silently.
+ * Uses dynamic import() for ESM compatibility.
+ */
+async function tryLoadDotenv() {
+    try {
+        const dotenv = await import("dotenv");
+        dotenv.config();
+    }
+    catch {
+        // dotenv is an optional peer dependency — skip if not available
+    }
+}
+function parseBool(value, defaultValue) {
+    if (value === undefined)
+        return defaultValue;
+    return ["true", "1", "yes"].includes(value.toLowerCase());
+}
+/**
+ * Parse an integer from a string, returning the default if the value is
+ * undefined, empty, or not a valid integer.
+ */
+function safeParseInt(value, defaultValue) {
+    if (value === undefined || value === "")
+        return defaultValue;
+    const parsed = parseInt(value, 10);
+    if (isNaN(parsed))
+        return defaultValue;
+    return parsed;
+}
+/**
+ * Load HmacConfig from environment variables.
+ *
+ * Supports the following variables (prefix default: "HARDEN_HMAC_"):
+ *   {prefix}SHARED_SECRET_BASE64 — global shared secret
+ *   {prefix}TIMESTAMP_TOLERANCE_SECONDS — global tolerance
+ *   {prefix}SIGNED_HEADERS__INCLUDE_AUTHORIZATION — true/false
+ *   {prefix}SIGNED_HEADERS__INCLUDE_X_HEADERS — true/false
+ *   {prefix}TARGETS__{NAME}__BASE_URL — per-target base URL
+ *   {prefix}TARGETS__{NAME}__SHARED_SECRET — per-target secret
+ *   {prefix}TARGETS__{NAME}__TIMESTAMP_TOLERANCE_SECONDS — per-target tolerance
+ *
+ * If dotenv is installed as a peer dependency, .env file variables are loaded first.
+ *
+ * @param prefix - Environment variable prefix. Default: "HARDEN_HMAC_".
+ * @param env - Optional env object for testing. Defaults to process.env.
+ * @returns Parsed HmacConfig.
+ */
+export async function fromEnv(prefix = "HARDEN_HMAC_", env) {
+    if (!env) {
+        await tryLoadDotenv();
+        env = process.env;
+    }
+    const upperPrefix = prefix.toUpperCase();
+    // Extract all prefixed vars
+    const prefixed = {};
+    for (const [key, value] of Object.entries(env)) {
+        if (key && value !== undefined && key.toUpperCase().startsWith(upperPrefix)) {
+            const suffix = key.substring(upperPrefix.length).toUpperCase();
+            prefixed[suffix] = value;
+        }
+    }
+    // Parse global settings
+    const sharedSecretBase64 = prefixed["SHARED_SECRET_BASE64"] ?? "";
+    const timestampToleranceSeconds = safeParseInt(prefixed["TIMESTAMP_TOLERANCE_SECONDS"], DEFAULT_TIMESTAMP_TOLERANCE_SECONDS);
+    // Parse signed headers
+    const signedHeaders = {
+        ...defaultSignedHeadersConfig(),
+        includeAuthorization: parseBool(prefixed["SIGNED_HEADERS__INCLUDE_AUTHORIZATION"], true),
+        includeXHeaders: parseBool(prefixed["SIGNED_HEADERS__INCLUDE_X_HEADERS"], true),
+    };
+    // Parse targets: keys matching TARGETS__{NAME}__{FIELD}
+    const targetFields = {};
+    const targetPrefix = "TARGETS__";
+    for (const [key, value] of Object.entries(prefixed)) {
+        if (!key.startsWith(targetPrefix))
+            continue;
+        const rest = key.substring(targetPrefix.length);
+        const separatorIndex = rest.indexOf("__");
+        if (separatorIndex === -1)
+            continue;
+        const targetName = rest.substring(0, separatorIndex).toLowerCase().replace(/_/g, "-");
+        const fieldName = rest.substring(separatorIndex + 2).toUpperCase();
+        if (!targetFields[targetName]) {
+            targetFields[targetName] = {};
+        }
+        targetFields[targetName][fieldName] = value;
+    }
+    const targets = {};
+    for (const [name, fields] of Object.entries(targetFields)) {
+        let targetSignedHeaders;
+        if (fields["SIGNED_HEADERS__INCLUDE_AUTHORIZATION"] !== undefined ||
+            fields["SIGNED_HEADERS__INCLUDE_X_HEADERS"] !== undefined) {
+            targetSignedHeaders = {
+                ...defaultSignedHeadersConfig(),
+                includeAuthorization: parseBool(fields["SIGNED_HEADERS__INCLUDE_AUTHORIZATION"], true),
+                includeXHeaders: parseBool(fields["SIGNED_HEADERS__INCLUDE_X_HEADERS"], true),
+            };
+        }
+        let targetTimestampTolerance;
+        if (fields["TIMESTAMP_TOLERANCE_SECONDS"] !== undefined) {
+            const parsed = parseInt(fields["TIMESTAMP_TOLERANCE_SECONDS"], 10);
+            targetTimestampTolerance = isNaN(parsed) ? undefined : parsed;
+        }
+        targets[name] = {
+            baseUrl: fields["BASE_URL"] ?? "",
+            sharedSecret: fields["SHARED_SECRET"] ?? "",
+            signedHeaders: targetSignedHeaders,
+            timestampToleranceSeconds: targetTimestampTolerance,
+        };
+    }
+    // Parse clients: keys matching CLIENTS__{NAME}__{FIELD}
+    const clientFields = {};
+    const clientPrefix = "CLIENTS__";
+    for (const [key, value] of Object.entries(prefixed)) {
+        if (!key.startsWith(clientPrefix))
+            continue;
+        const rest = key.substring(clientPrefix.length);
+        const separatorIndex = rest.indexOf("__");
+        if (separatorIndex === -1)
+            continue;
+        const clientName = rest.substring(0, separatorIndex).toLowerCase().replace(/_/g, "-");
+        const fieldName = rest.substring(separatorIndex + 2).toUpperCase();
+        if (!clientFields[clientName]) {
+            clientFields[clientName] = {};
+        }
+        clientFields[clientName][fieldName] = value;
+    }
+    const clients = {};
+    for (const [name, fields] of Object.entries(clientFields)) {
+        clients[name] = {
+            sharedSecret: fields["SHARED_SECRET"] ?? "",
+        };
+    }
+    return {
+        sharedSecretBase64,
+        targets: Object.keys(targets).length > 0 ? targets : undefined,
+        clients: Object.keys(clients).length > 0 ? clients : undefined,
+        signedHeaders,
+        timestampToleranceSeconds,
+    };
+}
+//# sourceMappingURL=env-loader.js.map

package/dist/env-loader.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"env-loader.js","sourceRoot":"","sources":["../src/env-loader.ts"],"names":[],"mappings":"AAMA,OAAO,EACL,mCAAmC,EACnC,0BAA0B,GAC3B,MAAM,aAAa,CAAC;AAErB;;;;GAIG;AACH,KAAK,UAAU,aAAa;IAC1B,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,MAAM,MAAM,CAAC,QAAQ,CAAC,CAAC;QACtC,MAAM,CAAC,MAAM,EAAE,CAAC;IAClB,CAAC;IAAC,MAAM,CAAC;QACP,gEAAgE;IAClE,CAAC;AACH,CAAC;AAED,SAAS,SAAS,CAAC,KAAyB,EAAE,YAAqB;IACjE,IAAI,KAAK,KAAK,SAAS;QAAE,OAAO,YAAY,CAAC;IAC7C,OAAO,CAAC,MAAM,EAAE,GAAG,EAAE,KAAK,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,WAAW,EAAE,CAAC,CAAC;AAC5D,CAAC;AAED;;;GAGG;AACH,SAAS,YAAY,CAAC,KAAyB,EAAE,YAAoB;IACnE,IAAI,KAAK,KAAK,SAAS,IAAI,KAAK,KAAK,EAAE;QAAE,OAAO,YAAY,CAAC;IAC7D,MAAM,MAAM,GAAG,QAAQ,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;IACnC,IAAI,KAAK,CAAC,MAAM,CAAC;QAAE,OAAO,YAAY,CAAC;IACvC,OAAO,MAAM,CAAC;AAChB,CAAC;AAED;;;;;;;;;;;;;;;;;GAiBG;AACH,MAAM,CAAC,KAAK,UAAU,OAAO,CAC3B,SAAiB,cAAc,EAC/B,GAAwC;IAExC,IAAI,CAAC,GAAG,EAAE,CAAC;QACT,MAAM,aAAa,EAAE,CAAC;QACtB,GAAG,GAAG,OAAO,CAAC,GAAG,CAAC;IACpB,CAAC;IAED,MAAM,WAAW,GAAG,MAAM,CAAC,WAAW,EAAE,CAAC;IAEzC,4BAA4B;IAC5B,MAAM,QAAQ,GAA2B,EAAE,CAAC;IAC5C,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC;QAC/C,IAAI,GAAG,IAAI,KAAK,KAAK,SAAS,IAAI,GAAG,CAAC,WAAW,EAAE,CAAC,UAAU,CAAC,WAAW,CAAC,EAAE,CAAC;YAC5E,MAAM,MAAM,GAAG,GAAG,CAAC,SAAS,CAAC,WAAW,CAAC,MAAM,CAAC,CAAC,WAAW,EAAE,CAAC;YAC/D,QAAQ,CAAC,MAAM,CAAC,GAAG,KAAK,CAAC;QAC3B,CAAC;IACH,CAAC;IAED,wBAAwB;IACxB,MAAM,kBAAkB,GAAG,QAAQ,CAAC,sBAAsB,CAAC,IAAI,EAAE,CAAC;IAClE,MAAM,yBAAyB,GAAG,YAAY,CAC5C,QAAQ,CAAC,6BAA6B,CAAC,EACvC,mCAAmC,CACpC,CAAC;IAEF,uBAAuB;IACvB,MAAM,aAAa,GAAwB;QACzC,GAAG,0BAA0B,EAAE;QAC/B,oBAAoB,EAAE,SAAS,CAC7B,QAAQ,CAAC,uCAAuC,CAAC,EACjD,IAAI,CACL;QACD,eAAe,EAAE,SAAS,CACxB,QAAQ,CAAC,mCAAmC,CAAC,EAC7C,IAAI,CACL;KACF,CAAC;IAEF,wDAAwD;IACxD,MAAM,YAAY,GAA2C,EAAE,CAAC;IAChE,MAAM,YAAY,GAAG,WAAW,CAAC;IACjC,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,QAAQ,CAAC,EAAE,CAAC;QACpD,IAAI,CAAC,GAAG,CAAC,UAAU,CAAC,YAAY,CAAC;YAAE,SAAS;QAC5C,MAAM,IAAI,GAAG,GAAG,CAAC,SAAS,CAAC,YAAY,CAAC,MAAM,CAAC,CAAC;QAChD,MAAM,cAAc,GAAG,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;QAC1C,IAAI,cAAc,KAAK,CAAC,CAAC;YAAE,SAAS;QACpC,MAAM,UAAU,GAAG,IAAI,CAAC,SAAS,CAAC,CAAC,EAAE,cAAc,CAAC,CAAC,WAAW,EAAE,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC;QACtF,MAAM,SAAS,GAAG,IAAI,CAAC,SAAS,CAAC,cAAc,GAAG,CAAC,CAAC,CAAC,WAAW,EAAE,CAAC;QACnE,IAAI,CAAC,YAAY,CAAC,UAAU,CAAC,EAAE,CAAC;YAC9B,YAAY,CAAC,UAAU,CAAC,GAAG,EAAE,CAAC;QAChC,CAAC;QACD,YAAY,CAAC,UAAU,CAAC,CAAC,SAAS,CAAC,GAAG,KAAK,CAAC;IAC9C,CAAC;IAED,MAAM,OAAO,GAAqC,EAAE,CAAC;IACrD,KAAK,MAAM,CAAC,IAAI,EAAE,MAAM,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,YAAY,CAAC,EAAE,CAAC;QAC1D,IAAI,mBAAoD,CAAC;QACzD,IACE,MAAM,CAAC,uCAAuC,CAAC,KAAK,SAAS;YAC7D,MAAM,CAAC,mCAAmC,CAAC,KAAK,SAAS,EACzD,CAAC;YACD,mBAAmB,GAAG;gBACpB,GAAG,0BAA0B,EAAE;gBAC/B,oBAAoB,EAAE,SAAS,CAC7B,MAAM,CAAC,uCAAuC,CAAC,EAC/C,IAAI,CACL;gBACD,eAAe,EAAE,SAAS,CACxB,MAAM,CAAC,mCAAmC,CAAC,EAC3C,IAAI,CACL;aACF,CAAC;QACJ,CAAC;QAED,IAAI,wBAA4C,CAAC;QACjD,IAAI,MAAM,CAAC,6BAA6B,CAAC,KAAK,SAAS,EAAE,CAAC;YACxD,MAAM,MAAM,GAAG,QAAQ,CAAC,MAAM,CAAC,6BAA6B,CAAC,EAAE,EAAE,CAAC,CAAC;YACnE,wBAAwB,GAAG,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,MAAM,CAAC;QAChE,CAAC;QAED,OAAO,CAAC,IAAI,CAAC,GAAG;YACd,OAAO,EAAE,MAAM,CAAC,UAAU,CAAC,IAAI,EAAE;YACjC,YAAY,EAAE,MAAM,CAAC,eAAe,CAAC,IAAI,EAAE;YAC3C,aAAa,EAAE,mBAAmB;YAClC,yBAAyB,EAAE,wBAAwB;SACpD,CAAC;IACJ,CAAC;IAED,wDAAwD;IACxD,MAAM,YAAY,GAA2C,EAAE,CAAC;IAChE,MAAM,YAAY,GAAG,WAAW,CAAC;IACjC,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,QAAQ,CAAC,EAAE,CAAC;QACpD,IAAI,CAAC,GAAG,CAAC,UAAU,CAAC,YAAY,CAAC;YAAE,SAAS;QAC5C,MAAM,IAAI,GAAG,GAAG,CAAC,SAAS,CAAC,YAAY,CAAC,MAAM,CAAC,CAAC;QAChD,MAAM,cAAc,GAAG,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;QAC1C,IAAI,cAAc,KAAK,CAAC,CAAC;YAAE,SAAS;QACpC,MAAM,UAAU,GAAG,IAAI,CAAC,SAAS,CAAC,CAAC,EAAE,cAAc,CAAC,CAAC,WAAW,EAAE,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC;QACtF,MAAM,SAAS,GAAG,IAAI,CAAC,SAAS,CAAC,cAAc,GAAG,CAAC,CAAC,CAAC,WAAW,EAAE,CAAC;QACnE,IAAI,CAAC,YAAY,CAAC,UAAU,CAAC,EAAE,CAAC;YAC9B,YAAY,CAAC,UAAU,CAAC,GAAG,EAAE,CAAC;QAChC,CAAC;QACD,YAAY,CAAC,UAAU,CAAC,CAAC,SAAS,CAAC,GAAG,KAAK,CAAC;IAC9C,CAAC;IAED,MAAM,OAAO,GAAuC,EAAE,CAAC;IACvD,KAAK,MAAM,CAAC,IAAI,EAAE,MAAM,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,YAAY,CAAC,EAAE,CAAC;QAC1D,OAAO,CAAC,IAAI,CAAC,GAAG;YACd,YAAY,EAAE,MAAM,CAAC,eAAe,CAAC,IAAI,EAAE;SAC5C,CAAC;IACJ,CAAC;IAED,OAAO;QACL,kBAAkB;QAClB,OAAO,EAAE,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,SAAS;QAC9D,OAAO,EAAE,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,SAAS;QAC9D,aAAa;QACb,yBAAyB;KAC1B,CAAC;AACJ,CAAC"}

package/dist/errors.d.ts ADDED Viewed

@@ -0,0 +1,8 @@
+/** Error types for HMAC validation failures. */
+export type HmacErrorType = "missing_signature" | "missing_timestamp" | "invalid_timestamp" | "timestamp_expired" | "timestamp_out_of_range" | "signature_invalid";
+/** Error thrown when HMAC validation fails. */
+export declare class HmacValidationError extends Error {
+    readonly errorType: HmacErrorType;
+    constructor(errorType: HmacErrorType, message: string);
+}
+//# sourceMappingURL=errors.d.ts.map

package/dist/errors.d.ts.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"errors.d.ts","sourceRoot":"","sources":["../src/errors.ts"],"names":[],"mappings":"AAAA,gDAAgD;AAChD,MAAM,MAAM,aAAa,GACrB,mBAAmB,GACnB,mBAAmB,GACnB,mBAAmB,GACnB,mBAAmB,GACnB,wBAAwB,GACxB,mBAAmB,CAAC;AAExB,+CAA+C;AAC/C,qBAAa,mBAAoB,SAAQ,KAAK;IAC5C,QAAQ,CAAC,SAAS,EAAE,aAAa,CAAC;gBAEtB,SAAS,EAAE,aAAa,EAAE,OAAO,EAAE,MAAM;CAKtD"}

package/dist/errors.js ADDED Viewed

@@ -0,0 +1,10 @@
+/** Error thrown when HMAC validation fails. */
+export class HmacValidationError extends Error {
+    errorType;
+    constructor(errorType, message) {
+        super(message);
+        this.name = "HmacValidationError";
+        this.errorType = errorType;
+    }
+}
+//# sourceMappingURL=errors.js.map

package/dist/errors.js.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"errors.js","sourceRoot":"","sources":["../src/errors.ts"],"names":[],"mappings":"AASA,+CAA+C;AAC/C,MAAM,OAAO,mBAAoB,SAAQ,KAAK;IACnC,SAAS,CAAgB;IAElC,YAAY,SAAwB,EAAE,OAAe;QACnD,KAAK,CAAC,OAAO,CAAC,CAAC;QACf,IAAI,CAAC,IAAI,GAAG,qBAAqB,CAAC;QAClC,IAAI,CAAC,SAAS,GAAG,SAAS,CAAC;IAC7B,CAAC;CACF"}