@holo-js/security 0.1.3 → 0.1.5

package/dist/client.d.ts

@@ -1,19 +1,14 @@
-import { SecurityClientBindings, SecurityClientConfig } from './contracts.js';
+import { SecurityClientConfig } from './contracts.js';
 import '@holo-js/config';
 
-type RuntimeSecurityClientState = {
-    bindings?: SecurityClientConfig;
-};
 declare function getDefaultSecurityClientConfig(): SecurityClientConfig;
-declare function getSecurityClientState(): RuntimeSecurityClientState;
-declare function normalizeSecurityClientConfig(bindings?: SecurityClientBindings): SecurityClientConfig;
-declare function configureSecurityClient(bindings?: SecurityClientBindings): void;
+declare function readSecurityClientConfigFromCookies(cookieHeader: string | null | undefined): SecurityClientConfig | undefined;
+
 declare function getSecurityClientConfig(): SecurityClientConfig;
-declare function resetSecurityClient(): void;
 declare const securityClientInternals: {
+    parseCookieHeader: (header: string | null | undefined) => Readonly<Record<string, string>>;
     getDefaultSecurityClientConfig: typeof getDefaultSecurityClientConfig;
-    getSecurityClientState: typeof getSecurityClientState;
-    normalizeSecurityClientConfig: typeof normalizeSecurityClientConfig;
+    readSecurityClientConfigFromCookies: typeof readSecurityClientConfigFromCookies;
 };
 
-export { SecurityClientBindings, SecurityClientConfig, configureSecurityClient, getSecurityClientConfig, resetSecurityClient, securityClientInternals };
+export { SecurityClientConfig, getSecurityClientConfig, securityClientInternals };

package/dist/client.mjs

@@ -1,47 +1,20 @@
+import {
+  getDefaultSecurityClientConfig,
+  readSecurityClientConfigFromCookies,
+  securityClientConfigInternals
+} from "./chunk-FUOZWKHK.mjs";
+
 // src/client.ts
-import { normalizeSecurityConfig } from "@holo-js/config";
-var DEFAULT_SECURITY_CONFIG = normalizeSecurityConfig({});
-var DEFAULT_SECURITY_CLIENT_CONFIG = Object.freeze({
-  csrf: Object.freeze({
-    field: DEFAULT_SECURITY_CONFIG.csrf.field,
-    cookie: DEFAULT_SECURITY_CONFIG.csrf.cookie
-  })
-});
-function getDefaultSecurityClientConfig() {
-  return DEFAULT_SECURITY_CLIENT_CONFIG;
-}
-function getSecurityClientState() {
-  const runtime = globalThis;
-  runtime.__holoSecurityClient__ ??= {};
-  return runtime.__holoSecurityClient__;
-}
-function normalizeSecurityClientConfig(bindings) {
-  const defaults = getDefaultSecurityClientConfig();
-  const csrf = Object.freeze({
-    field: bindings?.config?.csrf?.field ?? defaults.csrf.field,
-    cookie: bindings?.config?.csrf?.cookie ?? defaults.csrf.cookie
-  });
-  return Object.freeze({
-    csrf
-  });
-}
-function configureSecurityClient(bindings) {
-  getSecurityClientState().bindings = bindings ? normalizeSecurityClientConfig(bindings) : void 0;
-}
 function getSecurityClientConfig() {
-  return getSecurityClientState().bindings ?? DEFAULT_SECURITY_CLIENT_CONFIG;
-}
-function resetSecurityClient() {
-  getSecurityClientState().bindings = void 0;
+  const runtime = globalThis;
+  return readSecurityClientConfigFromCookies(runtime.document?.cookie) ?? getDefaultSecurityClientConfig();
 }
 var securityClientInternals = {
   getDefaultSecurityClientConfig,
-  getSecurityClientState,
-  normalizeSecurityClientConfig
+  readSecurityClientConfigFromCookies,
+  ...securityClientConfigInternals
 };
 export {
-  configureSecurityClient,
   getSecurityClientConfig,
-  resetSecurityClient,
   securityClientInternals
 };

package/dist/contracts.d.ts

@@ -1,14 +1,16 @@
-import { HoloSecurityConfig, NormalizedHoloSecurityConfig, SecurityRateLimitFileConfig, SecurityRateLimitMemoryConfig, SecurityRateLimitRedisConfig, SecurityLimiterConfig, SecurityRateLimitKeyResolver } from '@holo-js/config';
-export { HoloSecurityConfig, HoloSecurityCsrfConfig, HoloSecurityRateLimitConfig, NormalizedHoloSecurityConfig, NormalizedHoloSecurityCsrfConfig, NormalizedHoloSecurityRateLimitConfig, NormalizedSecurityLimiterConfig, SecurityLimiterConfig, SecurityRateLimitContext, SecurityRateLimitDriver, SecurityRateLimitFileConfig, SecurityRateLimitKeyResolver, SecurityRateLimitMemoryConfig, SecurityRateLimitRedisConfig } from '@holo-js/config';
+import { HoloSecurityConfig, NormalizedHoloSecurityConfig, HoloCorsConfig, NormalizedHoloCorsConfig, SecurityRateLimitFileConfig, SecurityRateLimitMemoryConfig, SecurityRateLimitRedisConfig, SecurityLimiterConfig, SecurityRateLimitKeyResolver } from '@holo-js/config';
+export { HoloCorsConfig, HoloSecurityConfig, HoloSecurityCsrfConfig, HoloSecurityRateLimitConfig, NormalizedHoloCorsConfig, NormalizedHoloSecurityConfig, NormalizedHoloSecurityCsrfConfig, NormalizedHoloSecurityRateLimitConfig, NormalizedSecurityLimiterConfig, SecurityLimiterConfig, SecurityRateLimitContext, SecurityRateLimitDriver, SecurityRateLimitFileConfig, SecurityRateLimitKeyResolver, SecurityRateLimitMemoryConfig, SecurityRateLimitRedisConfig } from '@holo-js/config';
 
 interface SecurityRuntimeBindings {
     readonly config: HoloSecurityConfig | NormalizedHoloSecurityConfig;
+    readonly cors?: HoloCorsConfig | NormalizedHoloCorsConfig;
     readonly rateLimitStore?: SecurityRateLimitStore;
     readonly csrfSigningKey?: string;
     readonly defaultKeyResolver?: SecurityDefaultRateLimitKeyResolver;
 }
 interface SecurityRuntimeFacade {
     readonly config: NormalizedHoloSecurityConfig;
+    readonly cors: NormalizedHoloCorsConfig;
     readonly rateLimitStore?: SecurityRateLimitStore;
     readonly csrfSigningKey?: string;
     readonly defaultKeyResolver?: SecurityDefaultRateLimitKeyResolver;
@@ -19,15 +21,15 @@ interface SecurityClientConfig {
         readonly cookie: string;
     };
 }
-interface SecurityClientBindings {
-    readonly config?: {
-        readonly csrf?: Partial<SecurityClientConfig['csrf']>;
-    };
-}
 interface SecurityCsrfField {
     readonly name: string;
     readonly value: string;
 }
+interface SecurityCsrfInput {
+    readonly type: 'hidden';
+    readonly name: string;
+    readonly value: string;
+}
 interface SecurityProtectOptions {
     readonly csrf?: boolean;
     readonly throttle?: string;
@@ -45,9 +47,15 @@ interface SecurityClearRateLimitOptions {
 interface SecurityCsrfFacade {
     token(request: Request): Promise<string>;
     field(request: Request): Promise<SecurityCsrfField>;
+    input(request: Request): Promise<SecurityCsrfInput>;
     cookie(request: Request, token?: string): Promise<string>;
     verify(request: Request): Promise<void>;
 }
+interface SecurityCorsFacade {
+    headers(request: Request): Headers;
+    preflight(request: Request): Response | null;
+    apply(request: Request, response?: Response): Response;
+}
 interface SecurityRateLimitBucketSnapshot {
     readonly limiter: string;
     readonly key: string;
@@ -112,7 +120,6 @@ declare class PendingSecurityLimiterDefinition<TValues extends Readonly<Record<s
     define(): SecurityLimiterConfig<TValues>;
 }
 declare function normalizeLimiterAttempts(value: number, label: string): number;
-declare function normalizeLimiterWindowSeconds(value: number, label: string): number;
 declare const limit: Readonly<{
     perMinute(maxAttempts: number): PendingSecurityLimiterDefinition<Readonly<Record<string, unknown>> | undefined>;
     perHour(maxAttempts: number): PendingSecurityLimiterDefinition<Readonly<Record<string, unknown>> | undefined>;
@@ -121,6 +128,7 @@ declare function ip(request: Request, trustedProxy?: boolean): string;
 declare function defineRateLimiter<TValues extends Readonly<Record<string, unknown>> | undefined = Readonly<Record<string, unknown>> | undefined>(definition: SecurityLimiterConfig<TValues>): SecurityLimiterConfig<TValues>;
 declare function defineSecurityRuntimeBindings(bindings: SecurityRuntimeBindings): Readonly<{
     config: NormalizedHoloSecurityConfig;
+    cors: NormalizedHoloCorsConfig;
     rateLimitStore?: SecurityRateLimitStore;
     csrfSigningKey?: string;
     defaultKeyResolver?: SecurityDefaultRateLimitKeyResolver;
@@ -131,7 +139,6 @@ declare function createRedisRateLimitStoreConfig(config?: SecurityRateLimitRedis
 declare const securityInternals: {
     PendingSecurityLimiterDefinition: typeof PendingSecurityLimiterDefinition;
     normalizeLimiterAttempts: typeof normalizeLimiterAttempts;
-    normalizeLimiterWindowSeconds: typeof normalizeLimiterWindowSeconds;
 };
 
-export { type SecurityClearRateLimitOptions, type SecurityClientBindings, type SecurityClientConfig, SecurityCsrfError, type SecurityCsrfFacade, type SecurityCsrfField, type SecurityDefaultRateLimitKeyResolver, type SecurityProtectOptions, type SecurityRateLimitBucketSnapshot, type SecurityRateLimitCallOptions, SecurityRateLimitError, type SecurityRateLimitHitResult, type SecurityRateLimitRedisDriverAdapter, type SecurityRateLimitStore, type SecurityRateLimitStoreFactoryOptions, type SecurityRuntimeBindings, type SecurityRuntimeFacade, createFileRateLimitStoreConfig, createMemoryRateLimitStoreConfig, createRedisRateLimitStoreConfig, defineRateLimiter, defineSecurityRuntimeBindings, ip, limit, securityInternals };
+export { type SecurityClearRateLimitOptions, type SecurityClientConfig, type SecurityCorsFacade, SecurityCsrfError, type SecurityCsrfFacade, type SecurityCsrfField, type SecurityCsrfInput, type SecurityDefaultRateLimitKeyResolver, type SecurityProtectOptions, type SecurityRateLimitBucketSnapshot, type SecurityRateLimitCallOptions, SecurityRateLimitError, type SecurityRateLimitHitResult, type SecurityRateLimitRedisDriverAdapter, type SecurityRateLimitStore, type SecurityRateLimitStoreFactoryOptions, type SecurityRuntimeBindings, type SecurityRuntimeFacade, createFileRateLimitStoreConfig, createMemoryRateLimitStoreConfig, createRedisRateLimitStoreConfig, defineRateLimiter, defineSecurityRuntimeBindings, ip, limit, securityInternals };

package/dist/contracts.mjs

@@ -9,7 +9,7 @@ import {
   ip,
   limit,
   securityInternals
-} from "./chunk-3J5QRTPZ.mjs";
+} from "./chunk-EWQKJSFA.mjs";
 export {
   SecurityCsrfError,
   SecurityRateLimitError,

package/dist/drivers/redis-adapter.d.ts

@@ -39,6 +39,8 @@ declare class RedisSecurityAdapter implements SecurityRateLimitRedisDriverAdapte
     private qualifyKey;
     private qualifyPattern;
     private normalizeScanResponse;
+    private clearMatchingKeysForClient;
+    private clearMatchingKeysForCluster;
     private clearMatchingKeys;
     private parseOldestScore;
     private getCommandValue;

package/dist/drivers/redis-adapter.mjs

@@ -2,6 +2,9 @@
 import { randomUUID } from "crypto";
 import Redis from "ioredis";
 var REDIS_SCAN_COUNT = 100;
+function isRedisClusterClientLike(client) {
+  return typeof client.nodes === "function";
+}
 function isRedisConnectionTarget(value) {
   return value.startsWith("redis://") || value.startsWith("rediss://") || value.startsWith("unix://") || value.startsWith("/");
 }
@@ -106,11 +109,11 @@ var RedisSecurityAdapter = class {
       keys
     };
   }
-  async clearMatchingKeys(pattern) {
+  async clearMatchingKeysForClient(client, pattern) {
     let cursor = "0";
     let cleared = 0;
     do {
-      const page = this.normalizeScanResponse(await this.client.scan(
+      const page = this.normalizeScanResponse(await client.scan(
         cursor,
         "MATCH",
         pattern,
@@ -119,11 +122,37 @@ var RedisSecurityAdapter = class {
       ));
       cursor = page.cursor;
       if (page.keys.length > 0) {
-        cleared += await this.client.del(...page.keys);
+        cleared += await client.del(...page.keys);
       }
     } while (cursor !== "0");
     return cleared;
   }
+  async clearMatchingKeysForCluster(client, pattern) {
+    let cleared = 0;
+    for (const node of client.nodes("master")) {
+      let cursor = "0";
+      do {
+        const page = this.normalizeScanResponse(await node.scan(
+          cursor,
+          "MATCH",
+          pattern,
+          "COUNT",
+          REDIS_SCAN_COUNT
+        ));
+        cursor = page.cursor;
+        for (const key of page.keys) {
+          cleared += await node.del(key);
+        }
+      } while (cursor !== "0");
+    }
+    return cleared;
+  }
+  async clearMatchingKeys(pattern) {
+    if (isRedisClusterClientLike(this.client)) {
+      return await this.clearMatchingKeysForCluster(this.client, pattern);
+    }
+    return await this.clearMatchingKeysForClient(this.client, pattern);
+  }
   parseOldestScore(result) {
     if (!Array.isArray(result) || result.length < 2) {
       throw new Error("[@holo-js/security] Redis transaction failed to return the oldest rate-limit hit.");

package/dist/index.d.ts

@@ -1,16 +1,18 @@
 import * as _holo_js_config from '@holo-js/config';
-import { NormalizedSecurityLimiterConfig, HoloSecurityConfig, NormalizedHoloSecurityConfig } from '@holo-js/config';
-export { HoloSecurityConfig, HoloSecurityCsrfConfig, HoloSecurityRateLimitConfig, NormalizedHoloSecurityConfig, NormalizedHoloSecurityCsrfConfig, NormalizedHoloSecurityRateLimitConfig, NormalizedSecurityLimiterConfig, SecurityLimiterConfig, SecurityRateLimitContext, SecurityRateLimitDriver, SecurityRateLimitFileConfig, SecurityRateLimitKeyResolver, SecurityRateLimitMemoryConfig, SecurityRateLimitRedisConfig, defineSecurityConfig } from '@holo-js/config';
-import { SecurityCsrfField, SecurityProtectOptions, SecurityClearRateLimitOptions, SecurityRateLimitCallOptions, SecurityRateLimitHitResult, SecurityRateLimitStore, SecurityRateLimitStoreFactoryOptions, SecurityRateLimitRedisDriverAdapter, SecurityRuntimeBindings, SecurityRuntimeFacade, ip } from './contracts.js';
-export { SecurityClientBindings, SecurityClientConfig, SecurityCsrfError, SecurityCsrfFacade, SecurityDefaultRateLimitKeyResolver, SecurityRateLimitBucketSnapshot, SecurityRateLimitError, createFileRateLimitStoreConfig, createMemoryRateLimitStoreConfig, createRedisRateLimitStoreConfig, defineRateLimiter, defineSecurityRuntimeBindings, limit, securityInternals } from './contracts.js';
+import { NormalizedHoloCorsConfig, NormalizedSecurityLimiterConfig, HoloSecurityConfig, NormalizedHoloSecurityConfig } from '@holo-js/config';
+export { HoloCorsConfig, HoloSecurityConfig, HoloSecurityCsrfConfig, HoloSecurityRateLimitConfig, NormalizedHoloCorsConfig, NormalizedHoloSecurityConfig, NormalizedHoloSecurityCsrfConfig, NormalizedHoloSecurityRateLimitConfig, NormalizedSecurityLimiterConfig, SecurityLimiterConfig, SecurityRateLimitContext, SecurityRateLimitDriver, SecurityRateLimitFileConfig, SecurityRateLimitKeyResolver, SecurityRateLimitMemoryConfig, SecurityRateLimitRedisConfig, defineSecurityConfig } from '@holo-js/config';
+import { SecurityCsrfField, SecurityCsrfInput, SecurityProtectOptions, SecurityClearRateLimitOptions, SecurityRateLimitCallOptions, SecurityRateLimitHitResult, SecurityRateLimitStore, SecurityRateLimitStoreFactoryOptions, SecurityRateLimitRedisDriverAdapter, SecurityRuntimeBindings, SecurityRuntimeFacade, ip } from './contracts.js';
+export { SecurityClientConfig, SecurityCorsFacade, SecurityCsrfError, SecurityCsrfFacade, SecurityDefaultRateLimitKeyResolver, SecurityRateLimitBucketSnapshot, SecurityRateLimitError, createFileRateLimitStoreConfig, createMemoryRateLimitStoreConfig, createRedisRateLimitStoreConfig, defineRateLimiter, defineSecurityRuntimeBindings, limit, securityInternals } from './contracts.js';
 
 declare function parseCookieHeader(header: string | null | undefined): Readonly<Record<string, string>>;
 declare function serializeCookie(name: string, value: string, options?: {
     readonly secure?: boolean;
 }): string;
 declare function isSafeMethod(method: string): boolean;
-declare function matchesPathPattern(pathname: string, pattern: string): boolean;
+declare function matchesPathPattern$1(pathname: string, pattern: string): boolean;
 declare function isExcludedPath(request: Request): boolean;
+declare function getForwardedProto(request: Request): string | undefined;
+declare function isSecureRequest(request: Request): boolean;
 declare function createCsrfToken(): string;
 declare function getCsrfSigningKey(): string;
 declare function encodeCsrfToken(nonce: string): string;
@@ -20,26 +22,34 @@ declare function decodeCsrfToken(token: string): {
 } | null;
 declare function isValidSignedCsrfToken(token: string): boolean;
 declare function getCookieToken(request: Request): string | undefined;
-declare function getRequestToken(request: Request): Promise<string | undefined>;
+declare function getHeaderToken(request: Request): string | undefined;
+declare function isSameOriginRequest(request: Request): boolean;
+declare function readFormToken(request: Request): Promise<string | undefined>;
 declare function token(request: Request): Promise<string>;
 declare function field(request: Request): Promise<SecurityCsrfField>;
+declare function input(request: Request): Promise<SecurityCsrfInput>;
 declare function cookie(request: Request, explicitToken?: string): Promise<string>;
 declare function verify(request: Request): Promise<void>;
 declare function protect(request: Request, options?: SecurityProtectOptions): Promise<void>;
 declare const csrf: Readonly<{
     token: typeof token;
     field: typeof field;
+    input: typeof input;
     cookie: typeof cookie;
     verify: typeof verify;
 }>;
 declare const csrfInternals: {
     createCsrfToken: typeof createCsrfToken;
     generatedTokenCache: WeakMap<Request, string>;
+    getForwardedProto: typeof getForwardedProto;
     getCookieToken: typeof getCookieToken;
-    getRequestToken: typeof getRequestToken;
+    getHeaderToken: typeof getHeaderToken;
+    isSecureRequest: typeof isSecureRequest;
+    isSameOriginRequest: typeof isSameOriginRequest;
+    readFormToken: typeof readFormToken;
     isExcludedPath: typeof isExcludedPath;
     isSafeMethod: typeof isSafeMethod;
-    matchesPathPattern: typeof matchesPathPattern;
+    matchesPathPattern: typeof matchesPathPattern$1;
     parseCookieHeader: typeof parseCookieHeader;
     serializeCookie: typeof serializeCookie;
     decodeCsrfToken: typeof decodeCsrfToken;
@@ -48,6 +58,29 @@ declare const csrfInternals: {
     isValidSignedCsrfToken: typeof isValidSignedCsrfToken;
 };
 
+declare function matchesPathPattern(pathname: string, pattern: string): boolean;
+declare function normalizeDomain(value: string): string;
+declare function isCorsPath(config: NormalizedHoloCorsConfig, request: Request): boolean;
+declare function isStatefulOrigin(config: NormalizedHoloCorsConfig, origin: string): boolean;
+declare function resolveAllowedOrigin(config: NormalizedHoloCorsConfig, origin: string | null): string | undefined;
+declare function appendVary(headers: Headers, value: string): void;
+declare function headers(request: Request): Headers;
+declare function apply(request: Request, response?: Response): Response;
+declare function preflight(request: Request): Response | null;
+declare const cors: Readonly<{
+    headers: typeof headers;
+    preflight: typeof preflight;
+    apply: typeof apply;
+}>;
+declare const corsInternals: {
+    appendVary: typeof appendVary;
+    isCorsPath: typeof isCorsPath;
+    isStatefulOrigin: typeof isStatefulOrigin;
+    matchesPathPattern: typeof matchesPathPattern;
+    normalizeDomain: typeof normalizeDomain;
+    resolveAllowedOrigin: typeof resolveAllowedOrigin;
+};
+
 declare function encodeBucketPart(value: string): string;
 declare function createLimiterPrefix(limiter: string): string;
 declare function createBucketKey(limiter: string, key: string): string;
@@ -76,12 +109,16 @@ declare const securityStoreInternals: {
 };
 
 type FileRateLimitBucket = {
-    namespace: string;
+    namespaceHash: string;
     keyHash: string;
     prefixHashes: readonly string[];
     attempts: number;
     expiresAt: Date;
 };
+type FileBucketLock = {
+    readonly ownerId: string;
+    readonly path: string;
+};
 interface FileRateLimitStoreOptions {
     readonly now?: () => Date;
     readonly lockRetryDelayMs?: number;
@@ -97,6 +134,12 @@ declare function writeBucket(path: string, bucket: FileRateLimitBucket): Promise
 declare function deleteBucket(path: string): Promise<void>;
 declare function getBucketLockPath(path: string): string;
 declare function sleep(delayMs: number): Promise<void>;
+declare function removeOwnedBucketLock(lock: FileBucketLock): Promise<void>;
+declare function reclaimStaleBucketLock(lockPath: string, timeoutMs: number): Promise<boolean>;
+declare function acquireBucketLock(lockPath: string, options: {
+    readonly retryDelayMs: number;
+    readonly timeoutMs: number;
+}): Promise<FileBucketLock>;
 declare function withBucketLock<TValue>(path: string, options: {
     readonly retryDelayMs: number;
     readonly timeoutMs: number;
@@ -116,6 +159,9 @@ declare const fileRateLimitDriverInternals: {
     serializeBucket: typeof serializeBucket;
     sleep: typeof sleep;
     getBucketLockPath: typeof getBucketLockPath;
+    acquireBucketLock: typeof acquireBucketLock;
+    reclaimStaleBucketLock: typeof reclaimStaleBucketLock;
+    removeOwnedBucketLock: typeof removeOwnedBucketLock;
     withBucketLock: typeof withBucketLock;
     writeBucket: typeof writeBucket;
 };
@@ -172,9 +218,15 @@ declare const security: Readonly<{
     csrf: Readonly<{
         token: typeof token;
         field: typeof field;
+        input: typeof input;
         cookie: typeof cookie;
         verify: typeof verify;
     }>;
+    cors: Readonly<{
+        headers: typeof headers;
+        preflight: typeof preflight;
+        apply: typeof apply;
+    }>;
     protect: typeof protect;
     defaultRateLimitKey: typeof defaultRateLimitKey;
     rateLimit: typeof rateLimit;
@@ -196,4 +248,4 @@ declare const security: Readonly<{
     ip: typeof ip;
 }>;
 
-export { SecurityClearRateLimitOptions, SecurityCsrfField, SecurityProtectOptions, SecurityRateLimitCallOptions, SecurityRateLimitHitResult, SecurityRateLimitRedisDriverAdapter, SecurityRateLimitStore, SecurityRateLimitStoreFactoryOptions, SecurityRuntimeBindings, SecurityRuntimeFacade, SecurityRuntimeNotConfiguredError, clearRateLimit, configureSecurityRuntime, cookie as createCsrfCookie, field as createCsrfField, token as createCsrfToken, createFileRateLimitStore, createMemoryRateLimitStore, createRateLimitStoreFromConfig, createRedisRateLimitStore, csrf, csrfInternals, security as default, defaultRateLimitKey, fileRateLimitDriverInternals, getSecurityRuntime, getSecurityRuntimeBindings, ip, memoryRateLimitDriverInternals, protect, rateLimit, rateLimitInternals, redisRateLimitDriverInternals, resetSecurityRuntime, securityRuntimeInternals, securityStoreInternals, verify as verifyCsrfRequest };
+export { SecurityClearRateLimitOptions, SecurityCsrfField, SecurityCsrfInput, SecurityProtectOptions, SecurityRateLimitCallOptions, SecurityRateLimitHitResult, SecurityRateLimitRedisDriverAdapter, SecurityRateLimitStore, SecurityRateLimitStoreFactoryOptions, SecurityRuntimeBindings, SecurityRuntimeFacade, SecurityRuntimeNotConfiguredError, apply as applyCors, clearRateLimit, configureSecurityRuntime, cors, corsInternals, headers as createCorsHeaders, preflight as createCorsPreflightResponse, cookie as createCsrfCookie, field as createCsrfField, input as createCsrfInput, token as createCsrfToken, createFileRateLimitStore, createMemoryRateLimitStore, createRateLimitStoreFromConfig, createRedisRateLimitStore, csrf, csrfInternals, security as default, defaultRateLimitKey, fileRateLimitDriverInternals, getSecurityRuntime, getSecurityRuntimeBindings, ip, isSecureRequest, memoryRateLimitDriverInternals, protect, rateLimit, rateLimitInternals, redisRateLimitDriverInternals, resetSecurityRuntime, securityRuntimeInternals, securityStoreInternals, verify as verifyCsrfRequest };