@holo-js/security 0.1.3 → 0.1.5

package/dist/index.mjs

@@ -1,3 +1,39 @@
+import {
+  SecurityRuntimeNotConfiguredError,
+  apply,
+  clearRateLimit,
+  configureSecurityRuntime,
+  cookie,
+  cors,
+  corsInternals,
+  createFileRateLimitStore,
+  createMemoryRateLimitStore,
+  createRateLimitStoreFromConfig,
+  createRedisRateLimitStore,
+  csrf,
+  csrfInternals,
+  defaultRateLimitKey,
+  defineSecurityConfig,
+  field,
+  fileRateLimitDriverInternals,
+  getSecurityRuntime,
+  getSecurityRuntimeBindings,
+  headers,
+  input,
+  isSecureRequest,
+  memoryRateLimitDriverInternals,
+  preflight,
+  protect,
+  rateLimit,
+  rateLimitInternals,
+  redisRateLimitDriverInternals,
+  resetSecurityRuntime,
+  securityRuntimeInternals,
+  securityStoreInternals,
+  src_default,
+  token,
+  verify
+} from "./chunk-Q3A7RJ67.mjs";
 import {
   SecurityCsrfError,
   SecurityRateLimitError,
@@ -9,880 +45,21 @@ import {
   ip,
   limit,
   securityInternals
-} from "./chunk-3J5QRTPZ.mjs";
-
-// src/csrf.ts
-import { createHmac, randomBytes, timingSafeEqual } from "crypto";
-
-// src/runtime.ts
-import { normalizeSecurityConfig } from "@holo-js/config";
-function getSecurityRuntimeState() {
-  const runtime = globalThis;
-  runtime.__holoSecurityRuntime__ ??= {};
-  return runtime.__holoSecurityRuntime__;
-}
-var SecurityRuntimeNotConfiguredError = class extends Error {
-  constructor() {
-    super("[@holo-js/security] Security runtime is not configured yet.");
-  }
-};
-function configureSecurityRuntime(bindings) {
-  getSecurityRuntimeState().bindings = bindings ? Object.freeze({
-    config: normalizeSecurityConfig(bindings.config),
-    rateLimitStore: bindings.rateLimitStore,
-    csrfSigningKey: bindings.csrfSigningKey,
-    defaultKeyResolver: bindings.defaultKeyResolver
-  }) : void 0;
-}
-function getSecurityRuntime() {
-  const bindings = getSecurityRuntimeState().bindings;
-  if (!bindings) {
-    throw new SecurityRuntimeNotConfiguredError();
-  }
-  return bindings;
-}
-function getSecurityRuntimeBindings() {
-  return getSecurityRuntimeState().bindings;
-}
-function resetSecurityRuntime() {
-  getSecurityRuntimeState().bindings = void 0;
-}
-var securityRuntimeInternals = {
-  getSecurityRuntimeState
-};
-
-// src/rate-limit.ts
-function encodeBucketPart(value) {
-  return encodeURIComponent(value);
-}
-function createLimiterPrefix(limiter) {
-  return `limiter:${encodeBucketPart(limiter)}|`;
-}
-function createBucketKey(limiter, key) {
-  return `${createLimiterPrefix(limiter)}${encodeBucketPart(key)}`;
-}
-function getRateLimitStore() {
-  const store = getSecurityRuntime().rateLimitStore;
-  if (!store) {
-    throw new Error("[@holo-js/security] Rate-limit store is not configured yet.");
-  }
-  return store;
-}
-function resolveLimiterConfig(name) {
-  const limiter = getSecurityRuntime().config.rateLimit.limiters[name];
-  if (!limiter) {
-    throw new Error(`[@holo-js/security] Rate limiter "${name}" is not defined in config/security.ts.`);
-  }
-  return limiter;
-}
-function normalizeResolvedLimiterKey(value, label) {
-  if (typeof value === "string" && value.length > 0) {
-    return value;
-  }
-  if (typeof value === "number" && Number.isFinite(value)) {
-    return String(value);
-  }
-  throw new TypeError(`[@holo-js/security] ${label} must resolve a non-empty string key.`);
-}
-function shouldTrustProxyHeaders() {
-  const trustedProxy = typeof process !== "undefined" ? process.env.HOLO_SECURITY_TRUST_PROXY?.trim().toLowerCase() : void 0;
-  return trustedProxy === "1" || trustedProxy === "true" || trustedProxy === "yes" || trustedProxy === "on";
-}
-async function defaultRateLimitKey(request) {
-  const runtimeDefaultKey = await getSecurityRuntime().defaultKeyResolver?.(request);
-  if (typeof runtimeDefaultKey !== "undefined" && runtimeDefaultKey !== null) {
-    return normalizeResolvedLimiterKey(runtimeDefaultKey, "Default rate limiter key resolver");
-  }
-  return `ip:${ip(request, shouldTrustProxyHeaders())}`;
-}
-async function resolveLimiterKey(name, limiter, options) {
-  if (typeof options.key === "string" && options.key.length > 0) {
-    return options.key;
-  }
-  if (limiter.key) {
-    if (!options.request) {
-      throw new TypeError(`[@holo-js/security] Rate limiter "${name}" requires a request when using its configured key resolver.`);
-    }
-    const resolved = await limiter.key({
-      request: options.request,
-      values: options.values
-    });
-    return normalizeResolvedLimiterKey(resolved, `Rate limiter "${name}"`);
-  }
-  if (options.request) {
-    return await defaultRateLimitKey(options.request);
-  }
-  throw new TypeError(`[@holo-js/security] Rate limiter "${name}" requires either an explicit key or a request for the default key resolver.`);
-}
-async function rateLimit(name, options) {
-  const limiter = resolveLimiterConfig(name);
-  const resolvedKey = await resolveLimiterKey(name, limiter, options);
-  const bucketKey = createBucketKey(name, resolvedKey);
-  const result = await getRateLimitStore().hit(bucketKey, {
-    maxAttempts: limiter.maxAttempts,
-    decaySeconds: limiter.decaySeconds
-  });
-  const snapshot = Object.freeze({
-    limiter: name,
-    key: resolvedKey,
-    attempts: result.snapshot.attempts,
-    maxAttempts: limiter.maxAttempts,
-    remainingAttempts: Math.max(0, limiter.maxAttempts - result.snapshot.attempts),
-    expiresAt: result.snapshot.expiresAt
-  });
-  const normalizedResult = Object.freeze({
-    limited: result.limited,
-    snapshot,
-    retryAfterSeconds: result.retryAfterSeconds
-  });
-  if (normalizedResult.limited) {
-    throw new SecurityRateLimitError(void 0, {
-      retryAfterSeconds: normalizedResult.retryAfterSeconds,
-      snapshot
-    });
-  }
-  return normalizedResult;
-}
-async function clearRateLimit(options) {
-  const store = getRateLimitStore();
-  if (options.all && (options.limiter || options.key)) {
-    throw new TypeError("[@holo-js/security] clearRateLimit(...) must use either { all: true } or a scoped limiter/key pair, not both.");
-  }
-  if (options.all) {
-    return await store.clearAll();
-  }
-  if (!options.limiter) {
-    throw new TypeError("[@holo-js/security] clearRateLimit(...) requires a limiter name unless { all: true } is used.");
-  }
-  if (typeof options.key === "string" && options.key.length > 0) {
-    return await store.clear(createBucketKey(options.limiter, options.key));
-  }
-  return await store.clearByPrefix(createLimiterPrefix(options.limiter));
-}
-var rateLimitInternals = {
-  createBucketKey,
-  createLimiterPrefix,
-  encodeBucketPart,
-  defaultRateLimitKey,
-  getRateLimitStore,
-  normalizeResolvedLimiterKey,
-  resolveLimiterConfig,
-  resolveLimiterKey
-};
-
-// src/csrf.ts
-var generatedTokenCache = /* @__PURE__ */ new WeakMap();
-function parseCookieHeader(header) {
-  if (!header) {
-    return Object.freeze({});
-  }
-  const decodeCookiePart = (value) => {
-    try {
-      return decodeURIComponent(value);
-    } catch {
-      return void 0;
-    }
-  };
-  const entries = header.split(";").map((segment) => segment.trim()).filter(Boolean).map((segment) => {
-    const separator = segment.indexOf("=");
-    if (separator <= 0) {
-      return void 0;
-    }
-    const key = decodeCookiePart(segment.slice(0, separator));
-    const value = decodeCookiePart(segment.slice(separator + 1));
-    if (!key || typeof value === "undefined") {
-      return void 0;
-    }
-    return [key, value];
-  }).filter((entry) => !!entry);
-  return Object.freeze(Object.fromEntries(entries));
-}
-function serializeCookie(name, value, options = {}) {
-  const attributes = [
-    `${encodeURIComponent(name)}=${encodeURIComponent(value)}`,
-    "Path=/",
-    "SameSite=Lax"
-  ];
-  if (options.secure) {
-    attributes.push("Secure");
-  }
-  return attributes.join("; ");
-}
-function isSafeMethod(method) {
-  const normalized = method.trim().toUpperCase();
-  return normalized === "GET" || normalized === "HEAD" || normalized === "OPTIONS" || normalized === "TRACE";
-}
-function escapeRegex(value) {
-  return value.replace(/[|\\{}()[\]^$+?.]/g, "\\$&");
-}
-function matchesPathPattern(pathname, pattern) {
-  const source = `^${escapeRegex(pattern).replaceAll("*", ".*")}$`;
-  return new RegExp(source).test(pathname);
-}
-function isExcludedPath(request) {
-  const { except } = getSecurityRuntime().config.csrf;
-  const pathname = new URL(request.url).pathname;
-  return except.some((pattern) => matchesPathPattern(pathname, pattern));
-}
-function isSecureRequest(request) {
-  return new URL(request.url).protocol === "https:";
-}
-function createCsrfToken() {
-  return randomBytes(32).toString("base64url");
-}
-function getCsrfSigningKey() {
-  const configured = getSecurityRuntime().csrfSigningKey?.trim();
-  if (configured) {
-    return configured;
-  }
-  throw new Error("[@holo-js/security] CSRF signing key is not configured.");
-}
-function signCsrfNonce(nonce) {
-  return createHmac("sha256", getCsrfSigningKey()).update(nonce).digest("base64url");
-}
-function encodeCsrfToken(nonce) {
-  return `${nonce}.${signCsrfNonce(nonce)}`;
-}
-function decodeCsrfToken(token2) {
-  const separator = token2.indexOf(".");
-  if (separator <= 0 || separator === token2.length - 1) {
-    return null;
-  }
-  return Object.freeze({
-    nonce: token2.slice(0, separator),
-    signature: token2.slice(separator + 1)
-  });
-}
-function isValidSignedCsrfToken(token2) {
-  const decoded = decodeCsrfToken(token2);
-  if (!decoded) {
-    return false;
-  }
-  const expected = Buffer.from(signCsrfNonce(decoded.nonce));
-  const received = Buffer.from(decoded.signature);
-  if (expected.length !== received.length) {
-    return false;
-  }
-  return timingSafeEqual(expected, received);
-}
-function getCookieToken(request) {
-  const { cookie: cookie2 } = getSecurityRuntime().config.csrf;
-  return parseCookieHeader(request.headers.get("cookie"))[cookie2];
-}
-async function readFormToken(request) {
-  const { field: field2 } = getSecurityRuntime().config.csrf;
-  try {
-    const formData = await request.clone().formData();
-    const value = formData.get(field2);
-    return typeof value === "string" ? value : void 0;
-  } catch {
-    return void 0;
-  }
-}
-async function getRequestToken(request) {
-  const { header } = getSecurityRuntime().config.csrf;
-  const headerToken = request.headers.get(header)?.trim();
-  if (headerToken) {
-    return headerToken;
-  }
-  return await readFormToken(request);
-}
-async function verifyRequest(request, options) {
-  if (isSafeMethod(request.method)) {
-    return;
-  }
-  if (options.allowExcludedPath && isExcludedPath(request)) {
-    return;
-  }
-  const cookieToken = getCookieToken(request);
-  const requestToken = await getRequestToken(request);
-  if (!cookieToken || !requestToken || cookieToken !== requestToken || !isValidSignedCsrfToken(cookieToken)) {
-    throw new SecurityCsrfError();
-  }
-}
-function resolveShouldProtect(request, options = {}) {
-  if (options.csrf === false) {
-    return false;
-  }
-  if (isSafeMethod(request.method)) {
-    return false;
-  }
-  if (options.csrf === true) {
-    return true;
-  }
-  const { enabled } = getSecurityRuntime().config.csrf;
-  if (!enabled) {
-    return false;
-  }
-  if (isExcludedPath(request)) {
-    return false;
-  }
-  return true;
-}
-async function token(request) {
-  const cookieToken = getCookieToken(request);
-  if (cookieToken && isValidSignedCsrfToken(cookieToken)) {
-    return cookieToken;
-  }
-  const cached = generatedTokenCache.get(request);
-  if (cached) {
-    return cached;
-  }
-  const created = encodeCsrfToken(createCsrfToken());
-  generatedTokenCache.set(request, created);
-  return created;
-}
-async function field(request) {
-  const config = getSecurityRuntime().config.csrf;
-  return Object.freeze({
-    name: config.field,
-    value: await token(request)
-  });
-}
-async function cookie(request, explicitToken) {
-  const config = getSecurityRuntime().config.csrf;
-  const value = explicitToken ? isValidSignedCsrfToken(explicitToken) ? explicitToken : encodeCsrfToken(explicitToken) : await token(request);
-  return serializeCookie(config.cookie, value, {
-    secure: isSecureRequest(request)
-  });
-}
-async function verify(request) {
-  await verifyRequest(request, { allowExcludedPath: true });
-}
-async function protect(request, options = {}) {
-  if (!resolveShouldProtect(request, options)) {
-    if (typeof options.throttle !== "string") {
-      return;
-    }
-  } else {
-    await verifyRequest(request, {
-      allowExcludedPath: options.csrf !== true
-    });
-  }
-  if (typeof options.throttle === "string") {
-    await rateLimit(options.throttle, { request });
-  }
-}
-var csrf = Object.freeze({
-  token,
-  field,
-  cookie,
-  verify
-});
-var csrfInternals = {
-  createCsrfToken,
-  generatedTokenCache,
-  getCookieToken,
-  getRequestToken,
-  isExcludedPath,
-  isSafeMethod,
-  matchesPathPattern,
-  parseCookieHeader,
-  serializeCookie,
-  decodeCsrfToken,
-  encodeCsrfToken,
-  getCsrfSigningKey,
-  isValidSignedCsrfToken
-};
-
-// src/store.ts
-import { resolve } from "path";
-import { normalizeSecurityConfig as normalizeSecurityConfig2 } from "@holo-js/config";
-
-// src/drivers/file.ts
-import { createHash, randomUUID } from "crypto";
-import { mkdir, readFile, readdir, rename, rm, stat, utimes, writeFile } from "fs/promises";
-import { dirname, join } from "path";
-function createBucketHash(key) {
-  return createHash("sha256").update(key).digest("hex");
-}
-function createBucketNamespace(key) {
-  const separatorIndex = key.indexOf("|");
-  return separatorIndex >= 0 ? key.slice(0, separatorIndex + 1) : key;
-}
-function createBucketPrefixHashes(key) {
-  const prefixHashes = [];
-  for (let index = 1; index <= key.length; index += 1) {
-    prefixHashes.push(createBucketHash(key.slice(0, index)));
-  }
-  return prefixHashes;
-}
-function getBucketPath(root, key) {
-  const hash = createBucketHash(key);
-  return join(root, hash.slice(0, 2), hash.slice(2, 4), `${hash}.json`);
-}
-function serializeBucket(bucket) {
-  return JSON.stringify({
-    namespace: bucket.namespace,
-    keyHash: bucket.keyHash,
-    prefixHashes: [...bucket.prefixHashes],
-    attempts: bucket.attempts,
-    expiresAt: bucket.expiresAt.toISOString()
-  });
-}
-function deserializeBucket(raw) {
-  const parsed = JSON.parse(raw);
-  const namespace = typeof parsed.namespace === "string" && parsed.namespace.length > 0 ? parsed.namespace : void 0;
-  const keyHash = typeof parsed.keyHash === "string" && parsed.keyHash.length > 0 ? parsed.keyHash : void 0;
-  const prefixHashes = Array.isArray(parsed.prefixHashes) && parsed.prefixHashes.every(
-    (value) => typeof value === "string" && value.length > 0
-  ) ? parsed.prefixHashes : void 0;
-  const { attempts, expiresAt: expiresAtValue } = parsed;
-  if (typeof namespace !== "string" || namespace.length === 0) {
-    throw new TypeError("[@holo-js/security] File rate-limit buckets must contain a non-empty string namespace.");
-  }
-  if (typeof keyHash !== "string" || keyHash.length === 0) {
-    throw new TypeError("[@holo-js/security] File rate-limit buckets must contain a non-empty string key hash.");
-  }
-  if (!Array.isArray(prefixHashes) || prefixHashes.length === 0) {
-    throw new TypeError("[@holo-js/security] File rate-limit buckets must contain non-empty prefix hashes.");
-  }
-  if (typeof attempts !== "number" || !Number.isInteger(attempts) || attempts < 1) {
-    throw new TypeError("[@holo-js/security] File rate-limit buckets must contain an integer attempts count greater than 0.");
-  }
-  const normalizedAttempts = attempts;
-  if (typeof expiresAtValue !== "string") {
-    throw new TypeError("[@holo-js/security] File rate-limit buckets must contain an ISO expiry timestamp.");
-  }
-  const expiresAt = new Date(expiresAtValue);
-  if (Number.isNaN(expiresAt.getTime())) {
-    throw new TypeError("[@holo-js/security] File rate-limit buckets must contain a valid expiry timestamp.");
-  }
-  return Object.freeze({
-    namespace,
-    keyHash,
-    prefixHashes: Object.freeze([...prefixHashes]),
-    attempts: normalizedAttempts,
-    expiresAt
-  });
-}
-async function readBucket(path) {
-  const raw = await readFile(path, "utf8").catch((error) => {
-    if (error.code === "ENOENT") {
-      return void 0;
-    }
-    throw error;
-  });
-  return raw ? deserializeBucket(raw) : null;
-}
-function isExpired(bucket, now) {
-  return bucket.expiresAt.getTime() <= now.getTime();
-}
-async function writeBucket(path, bucket) {
-  await mkdir(dirname(path), { recursive: true });
-  const tempPath = `${path}.${process.pid}.${randomUUID()}.tmp`;
-  await writeFile(tempPath, serializeBucket(bucket), "utf8");
-  await rename(tempPath, path);
-}
-async function deleteBucket(path) {
-  await rm(path, { force: true });
-}
-function getBucketLockPath(path) {
-  return `${path}.lock`;
-}
-async function sleep(delayMs) {
-  await new Promise((resolve2) => {
-    setTimeout(resolve2, delayMs);
-  });
-}
-function startLockHeartbeat(lockPath, timeoutMs) {
-  const heartbeat = setInterval(() => {
-    const now = /* @__PURE__ */ new Date();
-    void utimes(lockPath, now, now).catch(() => {
-    });
-  }, Math.max(1, Math.floor(timeoutMs / 2)));
-  heartbeat.unref?.();
-  return heartbeat;
-}
-async function withBucketLock(path, options, operation) {
-  const lockPath = getBucketLockPath(path);
-  const deadline = Date.now() + options.timeoutMs;
-  await mkdir(dirname(lockPath), { recursive: true });
-  while (true) {
-    try {
-      await mkdir(lockPath);
-      break;
-    } catch (error) {
-      const candidate = error;
-      if (candidate.code !== "EEXIST") {
-        throw error;
-      }
-      const stale = await stat(lockPath).then((stats) => stats.mtimeMs <= Date.now() - options.timeoutMs).catch(() => false);
-      if (stale) {
-        await rm(lockPath, { recursive: true, force: true });
-        continue;
-      }
-      if (Date.now() >= deadline) {
-        throw new Error(`[@holo-js/security] Timed out waiting for file rate-limit lock "${lockPath}".`);
-      }
-      await sleep(options.retryDelayMs);
-    }
-  }
-  const heartbeat = startLockHeartbeat(lockPath, options.timeoutMs);
-  try {
-    return await operation();
-  } finally {
-    clearInterval(heartbeat);
-    await rm(lockPath, { recursive: true, force: true });
-  }
-}
-async function listBucketPaths(root) {
-  const entries = await readdir(root, { withFileTypes: true }).catch((error) => {
-    if (error.code === "ENOENT") {
-      return [];
-    }
-    throw error;
-  });
-  const nested = await Promise.all(entries.map(async (entry) => {
-    const entryPath = join(root, entry.name);
-    if (entry.isDirectory()) {
-      return await listBucketPaths(entryPath);
-    }
-    return entry.name.endsWith(".json") ? [entryPath] : [];
-  }));
-  return nested.flat();
-}
-function createSnapshot(key, bucket, maxAttempts) {
-  const expiresAt = new Date(bucket.expiresAt.getTime());
-  return Object.freeze({
-    limiter: "",
-    key,
-    attempts: bucket.attempts,
-    maxAttempts,
-    remainingAttempts: Math.max(0, maxAttempts - bucket.attempts),
-    expiresAt
-  });
-}
-function createFileRateLimitStore(root, options = {}) {
-  const resolveNow = options.now ?? (() => /* @__PURE__ */ new Date());
-  const lockRetryDelayMs = options.lockRetryDelayMs ?? 5;
-  const lockTimeoutMs = options.lockTimeoutMs ?? 2e3;
-  return {
-    async hit(key, hitOptions) {
-      const now = resolveNow();
-      const path = getBucketPath(root, key);
-      return await withBucketLock(path, {
-        retryDelayMs: lockRetryDelayMs,
-        timeoutMs: lockTimeoutMs
-      }, async () => {
-        const existing = await readBucket(path);
-        if (existing && existing.keyHash !== createBucketHash(key)) {
-          throw new Error(`[@holo-js/security] File rate-limit bucket hash collision detected for stored bucket ${existing.keyHash}.`);
-        }
-        if (existing && isExpired(existing, now)) {
-          await deleteBucket(path);
-        }
-        const bucket = existing && !isExpired(existing, now) ? {
-          ...existing,
-          attempts: existing.attempts + 1
-        } : {
-          namespace: createBucketNamespace(key),
-          keyHash: createBucketHash(key),
-          prefixHashes: Object.freeze(createBucketPrefixHashes(key)),
-          attempts: 1,
-          expiresAt: new Date(now.getTime() + hitOptions.decaySeconds * 1e3)
-        };
-        await writeBucket(path, bucket);
-        return Object.freeze({
-          limited: bucket.attempts > hitOptions.maxAttempts,
-          snapshot: createSnapshot(key, bucket, hitOptions.maxAttempts),
-          retryAfterSeconds: Math.max(0, Math.ceil((bucket.expiresAt.getTime() - now.getTime()) / 1e3))
-        });
-      });
-    },
-    async clear(key) {
-      const path = getBucketPath(root, key);
-      return await withBucketLock(path, {
-        retryDelayMs: lockRetryDelayMs,
-        timeoutMs: lockTimeoutMs
-      }, async () => {
-        const existing = await readBucket(path);
-        if (!existing || existing.keyHash !== createBucketHash(key)) {
-          return false;
-        }
-        await deleteBucket(path);
-        return true;
-      });
-    },
-    async clearByPrefix(prefix) {
-      let cleared = 0;
-      const now = resolveNow();
-      const paths = await listBucketPaths(root);
-      for (const path of paths) {
-        const removed = await withBucketLock(path, {
-          retryDelayMs: lockRetryDelayMs,
-          timeoutMs: lockTimeoutMs
-        }, async () => {
-          const bucket = await readBucket(path);
-          if (!bucket) {
-            return false;
-          }
-          if (isExpired(bucket, now)) {
-            await deleteBucket(path);
-            return false;
-          }
-          if (!bucket.prefixHashes.includes(createBucketHash(prefix))) {
-            return false;
-          }
-          await deleteBucket(path);
-          return true;
-        });
-        if (removed) {
-          cleared += 1;
-        }
-      }
-      return cleared;
-    },
-    async clearAll() {
-      const paths = await listBucketPaths(root);
-      let cleared = 0;
-      for (const path of paths) {
-        const removed = await withBucketLock(path, {
-          retryDelayMs: lockRetryDelayMs,
-          timeoutMs: lockTimeoutMs
-        }, async () => {
-          const bucket = await readBucket(path);
-          if (!bucket) {
-            return false;
-          }
-          await deleteBucket(path);
-          return true;
-        });
-        if (removed) {
-          cleared += 1;
-        }
-      }
-      return cleared;
-    }
-  };
-}
-var fileRateLimitDriverInternals = {
-  createBucketHash,
-  createSnapshot,
-  deleteBucket,
-  deserializeBucket,
-  getBucketPath,
-  isExpired,
-  listBucketPaths,
-  readBucket,
-  serializeBucket,
-  sleep,
-  getBucketLockPath,
-  withBucketLock,
-  writeBucket
-};
-
-// src/drivers/memory.ts
-function createSnapshot2(key, bucket, maxAttempts) {
-  const expiresAt = new Date(bucket.expiresAt.getTime());
-  return Object.freeze({
-    limiter: "",
-    key,
-    attempts: bucket.attempts,
-    maxAttempts,
-    remainingAttempts: Math.max(0, maxAttempts - bucket.attempts),
-    expiresAt
-  });
-}
-function isExpired2(bucket, now) {
-  return bucket.expiresAt.getTime() <= now.getTime();
-}
-function createMemoryRateLimitStore(options = {}) {
-  const buckets = /* @__PURE__ */ new Map();
-  const resolveNow = options.now ?? (() => /* @__PURE__ */ new Date());
-  const maxBuckets = options.maxBuckets;
-  if (typeof maxBuckets !== "undefined" && (!Number.isInteger(maxBuckets) || maxBuckets < 1)) {
-    throw new TypeError("[@holo-js/security] Memory rate-limit store maxBuckets must be an integer greater than or equal to 1.");
-  }
-  const pruneIntervalMs = typeof options.pruneIntervalMs === "number" ? options.pruneIntervalMs : 6e4;
-  if (!Number.isInteger(pruneIntervalMs) || pruneIntervalMs < 1) {
-    throw new TypeError("[@holo-js/security] Memory rate-limit store pruneIntervalMs must be an integer greater than or equal to 1.");
-  }
-  const pruneExpiredBuckets = () => {
-    const now = resolveNow();
-    for (const [key, bucket] of buckets) {
-      if (isExpired2(bucket, now)) {
-        buckets.delete(key);
-      }
-    }
-  };
-  const pruneTimer = setInterval(pruneExpiredBuckets, pruneIntervalMs);
-  pruneTimer.unref?.();
-  const evictOldestBucket = () => {
-    const oldestKey = buckets.keys().next().value;
-    if (oldestKey) {
-      buckets.delete(oldestKey);
-    }
-  };
-  return {
-    async hit(key, hitOptions) {
-      const now = resolveNow();
-      const existing = buckets.get(key);
-      if (existing && isExpired2(existing, now)) {
-        buckets.delete(key);
-      }
-      const active = buckets.get(key);
-      const bucket = active ? {
-        ...active,
-        attempts: active.attempts + 1
-      } : {
-        key,
-        attempts: 1,
-        expiresAt: new Date(now.getTime() + hitOptions.decaySeconds * 1e3)
-      };
-      if (!active && typeof maxBuckets === "number") {
-        while (buckets.size >= maxBuckets) {
-          evictOldestBucket();
-        }
-      }
-      if (active) {
-        buckets.delete(key);
-      }
-      buckets.set(key, bucket);
-      return Object.freeze({
-        limited: bucket.attempts > hitOptions.maxAttempts,
-        snapshot: createSnapshot2(key, bucket, hitOptions.maxAttempts),
-        retryAfterSeconds: Math.max(0, Math.ceil((bucket.expiresAt.getTime() - now.getTime()) / 1e3))
-      });
-    },
-    async clear(key) {
-      return buckets.delete(key);
-    },
-    async clearByPrefix(prefix) {
-      let cleared = 0;
-      for (const key of buckets.keys()) {
-        if (!key.startsWith(prefix)) {
-          continue;
-        }
-        buckets.delete(key);
-        cleared += 1;
-      }
-      return cleared;
-    },
-    async clearAll() {
-      const cleared = buckets.size;
-      buckets.clear();
-      return cleared;
-    },
-    async close() {
-      clearInterval(pruneTimer);
-    }
-  };
-}
-var memoryRateLimitDriverInternals = {
-  createSnapshot: createSnapshot2,
-  isExpired: isExpired2
-};
-
-// src/drivers/redis.ts
-function assertNonNegativeInteger(value, label) {
-  if (typeof value !== "number" || !Number.isInteger(value) || value < 0) {
-    throw new TypeError(`[@holo-js/security] Redis rate-limit adapter ${label} must be a non-negative integer.`);
-  }
-  return value;
-}
-function createSnapshot3(key, attempts, maxAttempts, expiresAt) {
-  return Object.freeze({
-    limiter: "",
-    key,
-    attempts,
-    maxAttempts,
-    remainingAttempts: Math.max(0, maxAttempts - attempts),
-    expiresAt
-  });
-}
-function createRedisRateLimitStore(adapter, options = {}) {
-  const resolveNow = options.now ?? (() => /* @__PURE__ */ new Date());
-  return {
-    async hit(key, hitOptions) {
-      const result = await adapter.increment(key, {
-        decaySeconds: hitOptions.decaySeconds
-      });
-      const attempts = assertNonNegativeInteger(result.attempts, "attempts");
-      const ttlSeconds = assertNonNegativeInteger(result.ttlSeconds, "ttlSeconds");
-      const now = resolveNow();
-      const expiresAt = new Date(now.getTime() + ttlSeconds * 1e3);
-      return Object.freeze({
-        limited: attempts > hitOptions.maxAttempts,
-        snapshot: createSnapshot3(key, attempts, hitOptions.maxAttempts, expiresAt),
-        retryAfterSeconds: ttlSeconds
-      });
-    },
-    async clear(key) {
-      const deleted = await adapter.del(key);
-      return assertNonNegativeInteger(deleted, "del() result") > 0;
-    },
-    async clearByPrefix(prefix) {
-      if (typeof adapter.clearByPrefix !== "function") {
-        return 0;
-      }
-      const cleared = await adapter.clearByPrefix(prefix);
-      return assertNonNegativeInteger(cleared, "clearByPrefix() result");
-    },
-    async clearAll() {
-      if (typeof adapter.clearAll !== "function") {
-        return 0;
-      }
-      const cleared = await adapter.clearAll();
-      return assertNonNegativeInteger(cleared, "clearAll() result");
-    }
-  };
-}
-var redisRateLimitDriverInternals = {
-  assertNonNegativeInteger,
-  createSnapshot: createSnapshot3
-};
-
-// src/store.ts
-function normalizeStoreConfig(config) {
-  return normalizeSecurityConfig2(config);
-}
-function createRateLimitStoreFromConfig(config, options = {}) {
-  const normalized = normalizeStoreConfig(config);
-  switch (normalized.rateLimit.driver) {
-    case "memory":
-      return createMemoryRateLimitStore();
-    case "file": {
-      const root = options.projectRoot ? resolve(options.projectRoot, normalized.rateLimit.file.path) : normalized.rateLimit.file.path;
-      return createFileRateLimitStore(root);
-    }
-    case "redis":
-      if (!options.redisAdapter) {
-        throw new Error("[@holo-js/security] Redis-backed rate limits require a redis adapter.");
-      }
-      return createRedisRateLimitStore(options.redisAdapter);
-    default:
-      throw new Error(`[@holo-js/security] Unsupported rate limit driver "${normalized.rateLimit.driver}".`);
-  }
-}
-var securityStoreInternals = {
-  normalizeStoreConfig
-};
-
-// src/index.ts
-import { defineSecurityConfig } from "@holo-js/config";
-var security = Object.freeze({
-  configureSecurityRuntime,
-  getSecurityRuntime,
-  getSecurityRuntimeBindings,
-  resetSecurityRuntime,
-  csrf,
-  protect,
-  defaultRateLimitKey,
-  rateLimit,
-  clearRateLimit,
-  limit,
-  ip
-});
-var src_default = security;
+} from "./chunk-EWQKJSFA.mjs";
 export {
   SecurityCsrfError,
   SecurityRateLimitError,
   SecurityRuntimeNotConfiguredError,
+  apply as applyCors,
   clearRateLimit,
   configureSecurityRuntime,
+  cors,
+  corsInternals,
+  headers as createCorsHeaders,
+  preflight as createCorsPreflightResponse,
   cookie as createCsrfCookie,
   field as createCsrfField,
+  input as createCsrfInput,
   token as createCsrfToken,
   createFileRateLimitStore,
   createFileRateLimitStoreConfig,
@@ -902,6 +79,7 @@ export {
   getSecurityRuntime,
   getSecurityRuntimeBindings,
   ip,
+  isSecureRequest,
   limit,
   memoryRateLimitDriverInternals,
   protect,