@holo-js/security 0.1.4 → 0.1.6

package/dist/chunk-Q3A7RJ67.mjs

@@ -0,0 +1,1171 @@
+import {
+  SecurityCsrfError,
+  SecurityRateLimitError,
+  ip,
+  limit
+} from "./chunk-EWQKJSFA.mjs";
+
+// src/csrf.ts
+import { createHmac, randomBytes, timingSafeEqual } from "crypto";
+
+// src/runtime.ts
+import { normalizeCorsConfig, normalizeSecurityConfig } from "@holo-js/config";
+function getSecurityRuntimeState() {
+  const runtime = globalThis;
+  runtime.__holoSecurityRuntime__ ??= {};
+  return runtime.__holoSecurityRuntime__;
+}
+var SecurityRuntimeNotConfiguredError = class extends Error {
+  constructor() {
+    super("[@holo-js/security] Security runtime is not configured yet.");
+  }
+};
+function configureSecurityRuntime(bindings) {
+  getSecurityRuntimeState().bindings = bindings ? Object.freeze({
+    config: normalizeSecurityConfig(bindings.config),
+    cors: normalizeCorsConfig(bindings.cors),
+    rateLimitStore: bindings.rateLimitStore,
+    csrfSigningKey: bindings.csrfSigningKey,
+    defaultKeyResolver: bindings.defaultKeyResolver
+  }) : void 0;
+}
+function getSecurityRuntime() {
+  const bindings = getSecurityRuntimeState().bindings;
+  if (!bindings) {
+    throw new SecurityRuntimeNotConfiguredError();
+  }
+  return bindings;
+}
+function getSecurityRuntimeBindings() {
+  return getSecurityRuntimeState().bindings;
+}
+function resetSecurityRuntime() {
+  getSecurityRuntimeState().bindings = void 0;
+}
+var securityRuntimeInternals = {
+  getSecurityRuntimeState
+};
+
+// src/rate-limit.ts
+function encodeBucketPart(value) {
+  return encodeURIComponent(value);
+}
+function createLimiterPrefix(limiter) {
+  return `limiter:${encodeBucketPart(limiter)}|`;
+}
+function createBucketKey(limiter, key) {
+  return `${createLimiterPrefix(limiter)}${encodeBucketPart(key)}`;
+}
+function getRateLimitStore() {
+  const store = getSecurityRuntime().rateLimitStore;
+  if (!store) {
+    throw new Error("[@holo-js/security] Rate-limit store is not configured yet.");
+  }
+  return store;
+}
+function resolveLimiterConfig(name) {
+  const limiter = getSecurityRuntime().config.rateLimit.limiters[name];
+  if (!limiter) {
+    throw new Error(`[@holo-js/security] Rate limiter "${name}" is not defined in config/security.ts.`);
+  }
+  return limiter;
+}
+function normalizeResolvedLimiterKey(value, label) {
+  if (typeof value === "string" && value.length > 0) {
+    return value;
+  }
+  if (typeof value === "number" && Number.isFinite(value)) {
+    return String(value);
+  }
+  throw new TypeError(`[@holo-js/security] ${label} must resolve a non-empty string key.`);
+}
+function shouldTrustProxyHeaders() {
+  const trustedProxy = typeof process !== "undefined" ? process.env.HOLO_SECURITY_TRUST_PROXY?.trim().toLowerCase() : void 0;
+  return trustedProxy === "1" || trustedProxy === "true" || trustedProxy === "yes" || trustedProxy === "on";
+}
+async function defaultRateLimitKey(request) {
+  const runtimeDefaultKey = await getSecurityRuntime().defaultKeyResolver?.(request);
+  if (typeof runtimeDefaultKey !== "undefined" && runtimeDefaultKey !== null) {
+    return normalizeResolvedLimiterKey(runtimeDefaultKey, "Default rate limiter key resolver");
+  }
+  return `ip:${ip(request, shouldTrustProxyHeaders())}`;
+}
+async function resolveLimiterKey(name, limiter, options) {
+  if (typeof options.key === "string" && options.key.length > 0) {
+    return options.key;
+  }
+  if (limiter.key) {
+    if (!options.request) {
+      throw new TypeError(`[@holo-js/security] Rate limiter "${name}" requires a request when using its configured key resolver.`);
+    }
+    const resolved = await limiter.key({
+      request: options.request,
+      values: options.values
+    });
+    return normalizeResolvedLimiterKey(resolved, `Rate limiter "${name}"`);
+  }
+  if (options.request) {
+    return await defaultRateLimitKey(options.request);
+  }
+  throw new TypeError(`[@holo-js/security] Rate limiter "${name}" requires either an explicit key or a request for the default key resolver.`);
+}
+async function rateLimit(name, options) {
+  const limiter = resolveLimiterConfig(name);
+  const resolvedKey = await resolveLimiterKey(name, limiter, options);
+  const bucketKey = createBucketKey(name, resolvedKey);
+  const result = await getRateLimitStore().hit(bucketKey, {
+    maxAttempts: limiter.maxAttempts,
+    decaySeconds: limiter.decaySeconds
+  });
+  const snapshot = Object.freeze({
+    limiter: name,
+    key: resolvedKey,
+    attempts: result.snapshot.attempts,
+    maxAttempts: limiter.maxAttempts,
+    remainingAttempts: Math.max(0, limiter.maxAttempts - result.snapshot.attempts),
+    expiresAt: result.snapshot.expiresAt
+  });
+  const normalizedResult = Object.freeze({
+    limited: result.limited,
+    snapshot,
+    retryAfterSeconds: result.retryAfterSeconds
+  });
+  if (normalizedResult.limited) {
+    throw new SecurityRateLimitError(void 0, {
+      retryAfterSeconds: normalizedResult.retryAfterSeconds,
+      snapshot
+    });
+  }
+  return normalizedResult;
+}
+async function clearRateLimit(options) {
+  const store = getRateLimitStore();
+  if (options.all && (options.limiter || options.key)) {
+    throw new TypeError("[@holo-js/security] clearRateLimit(...) must use either { all: true } or a scoped limiter/key pair, not both.");
+  }
+  if (options.all) {
+    return await store.clearAll();
+  }
+  if (!options.limiter) {
+    throw new TypeError("[@holo-js/security] clearRateLimit(...) requires a limiter name unless { all: true } is used.");
+  }
+  if (typeof options.key === "string" && options.key.length > 0) {
+    return await store.clear(createBucketKey(options.limiter, options.key));
+  }
+  return await store.clearByPrefix(createLimiterPrefix(options.limiter));
+}
+var rateLimitInternals = {
+  createBucketKey,
+  createLimiterPrefix,
+  encodeBucketPart,
+  defaultRateLimitKey,
+  getRateLimitStore,
+  normalizeResolvedLimiterKey,
+  resolveLimiterConfig,
+  resolveLimiterKey
+};
+
+// src/csrf.ts
+var generatedTokenCache = /* @__PURE__ */ new WeakMap();
+function parseCookieHeader(header) {
+  if (!header) {
+    return Object.freeze({});
+  }
+  const decodeCookiePart = (value) => {
+    try {
+      return decodeURIComponent(value);
+    } catch {
+      return void 0;
+    }
+  };
+  const entries = header.split(";").map((segment) => segment.trim()).filter(Boolean).map((segment) => {
+    const separator = segment.indexOf("=");
+    if (separator <= 0) {
+      return void 0;
+    }
+    const key = decodeCookiePart(segment.slice(0, separator));
+    const value = decodeCookiePart(segment.slice(separator + 1));
+    if (!key || typeof value === "undefined") {
+      return void 0;
+    }
+    return [key, value];
+  }).filter((entry) => !!entry);
+  return Object.freeze(Object.fromEntries(entries));
+}
+function serializeCookie(name, value, options = {}) {
+  const attributes = [
+    `${encodeURIComponent(name)}=${encodeURIComponent(value)}`,
+    "Path=/",
+    "SameSite=Lax"
+  ];
+  if (options.secure) {
+    attributes.push("Secure");
+  }
+  return attributes.join("; ");
+}
+function isSafeMethod(method) {
+  const normalized = method.trim().toUpperCase();
+  return normalized === "GET" || normalized === "HEAD" || normalized === "OPTIONS" || normalized === "TRACE";
+}
+function escapeRegex(value) {
+  return value.replace(/[|\\{}()[\]^$+?.]/g, "\\$&");
+}
+function matchesPathPattern(pathname, pattern) {
+  const source = `^${escapeRegex(pattern).replaceAll("*", ".*")}$`;
+  return new RegExp(source).test(pathname);
+}
+function isExcludedPath(request) {
+  const { except } = getSecurityRuntime().config.csrf;
+  const pathname = new URL(request.url).pathname;
+  return except.some((pattern) => matchesPathPattern(pathname, pattern));
+}
+function normalizeForwardedValue(value) {
+  return value.trim().replace(/^"|"$/g, "").toLowerCase();
+}
+function getForwardedProto(request) {
+  const forwardedProto = request.headers.get("x-forwarded-proto")?.split(",", 1)[0]?.trim();
+  if (forwardedProto) {
+    return normalizeForwardedValue(forwardedProto);
+  }
+  const forwarded = request.headers.get("forwarded")?.split(",", 1)[0];
+  if (!forwarded) {
+    return void 0;
+  }
+  for (const segment of forwarded.split(";")) {
+    const [name, value] = segment.split("=", 2);
+    if (name?.trim().toLowerCase() === "proto" && value) {
+      return normalizeForwardedValue(value);
+    }
+  }
+  return void 0;
+}
+function isSecureRequest(request) {
+  return getForwardedProto(request) === "https" || new URL(request.url).protocol === "https:";
+}
+function createCsrfToken() {
+  return randomBytes(32).toString("base64url");
+}
+function getCsrfSigningKey() {
+  const configured = getSecurityRuntime().csrfSigningKey?.trim();
+  if (configured) {
+    return configured;
+  }
+  throw new Error("[@holo-js/security] CSRF signing key is not configured.");
+}
+function signCsrfNonce(nonce) {
+  return createHmac("sha256", getCsrfSigningKey()).update(nonce).digest("base64url");
+}
+function encodeCsrfToken(nonce) {
+  return `${nonce}.${signCsrfNonce(nonce)}`;
+}
+function decodeCsrfToken(token2) {
+  const separator = token2.lastIndexOf(".");
+  if (separator <= 0 || separator === token2.length - 1) {
+    return null;
+  }
+  return Object.freeze({
+    nonce: token2.slice(0, separator),
+    signature: token2.slice(separator + 1)
+  });
+}
+function isValidSignedCsrfToken(token2) {
+  const decoded = decodeCsrfToken(token2);
+  if (!decoded) {
+    return false;
+  }
+  const expected = Buffer.from(signCsrfNonce(decoded.nonce));
+  const received = Buffer.from(decoded.signature);
+  if (expected.length !== received.length) {
+    return false;
+  }
+  return timingSafeEqual(expected, received);
+}
+function getCookieToken(request) {
+  const { cookie: cookie2 } = getSecurityRuntime().config.csrf;
+  return parseCookieHeader(request.headers.get("cookie"))[cookie2];
+}
+function getHeaderToken(request) {
+  const { header } = getSecurityRuntime().config.csrf;
+  return request.headers.get(header)?.trim() || void 0;
+}
+function getRequestOrigin(request) {
+  const origin = request.headers.get("origin")?.trim();
+  if (origin) {
+    return origin;
+  }
+  const referer = request.headers.get("referer")?.trim();
+  if (!referer) {
+    return void 0;
+  }
+  try {
+    return new URL(referer).origin;
+  } catch {
+    return void 0;
+  }
+}
+function isSameOriginRequest(request) {
+  const requestOrigin = getRequestOrigin(request);
+  if (!requestOrigin) {
+    return false;
+  }
+  return requestOrigin === new URL(request.url).origin;
+}
+async function readFormToken(request) {
+  const { field: field2 } = getSecurityRuntime().config.csrf;
+  try {
+    const formData = await request.clone().formData();
+    const value = formData.get(field2);
+    return typeof value === "string" ? value : void 0;
+  } catch {
+    return void 0;
+  }
+}
+async function verifyRequest(request, options) {
+  if (isSafeMethod(request.method)) {
+    return;
+  }
+  if (options.allowExcludedPath && isExcludedPath(request)) {
+    return;
+  }
+  const cookieToken = getCookieToken(request);
+  if (!cookieToken || !isValidSignedCsrfToken(cookieToken)) {
+    throw new SecurityCsrfError();
+  }
+  const headerToken = getHeaderToken(request);
+  if (headerToken) {
+    if (headerToken !== cookieToken) {
+      throw new SecurityCsrfError();
+    }
+    return;
+  }
+  if (isSameOriginRequest(request)) {
+    return;
+  }
+  const requestToken = await readFormToken(request);
+  if (requestToken !== cookieToken) {
+    throw new SecurityCsrfError();
+  }
+}
+function resolveShouldProtect(request, options = {}) {
+  if (options.csrf === false) {
+    return false;
+  }
+  if (isSafeMethod(request.method)) {
+    return false;
+  }
+  if (options.csrf === true) {
+    return true;
+  }
+  const { enabled } = getSecurityRuntime().config.csrf;
+  if (!enabled) {
+    return false;
+  }
+  if (isExcludedPath(request)) {
+    return false;
+  }
+  return true;
+}
+async function token(request) {
+  const cookieToken = getCookieToken(request);
+  if (cookieToken && isValidSignedCsrfToken(cookieToken)) {
+    return cookieToken;
+  }
+  const cached = generatedTokenCache.get(request);
+  if (cached) {
+    return cached;
+  }
+  const created = encodeCsrfToken(createCsrfToken());
+  generatedTokenCache.set(request, created);
+  return created;
+}
+async function field(request) {
+  const config = getSecurityRuntime().config.csrf;
+  return Object.freeze({
+    name: config.field,
+    value: await token(request)
+  });
+}
+async function input(request) {
+  const csrfField = await field(request);
+  return Object.freeze({
+    type: "hidden",
+    name: csrfField.name,
+    value: csrfField.value
+  });
+}
+async function cookie(request, explicitToken) {
+  const config = getSecurityRuntime().config.csrf;
+  const value = explicitToken ? isValidSignedCsrfToken(explicitToken) ? explicitToken : encodeCsrfToken(explicitToken) : await token(request);
+  return serializeCookie(config.cookie, value, {
+    secure: isSecureRequest(request)
+  });
+}
+async function verify(request) {
+  await verifyRequest(request, { allowExcludedPath: true });
+}
+async function protect(request, options = {}) {
+  if (typeof options.throttle === "string") {
+    await rateLimit(options.throttle, { request });
+  }
+  if (resolveShouldProtect(request, options)) {
+    await verifyRequest(request, {
+      allowExcludedPath: options.csrf !== true
+    });
+  }
+}
+var csrf = Object.freeze({
+  token,
+  field,
+  input,
+  cookie,
+  verify
+});
+var csrfInternals = {
+  createCsrfToken,
+  generatedTokenCache,
+  getForwardedProto,
+  getCookieToken,
+  getHeaderToken,
+  isSecureRequest,
+  isSameOriginRequest,
+  readFormToken,
+  isExcludedPath,
+  isSafeMethod,
+  matchesPathPattern,
+  parseCookieHeader,
+  serializeCookie,
+  decodeCsrfToken,
+  encodeCsrfToken,
+  getCsrfSigningKey,
+  isValidSignedCsrfToken
+};
+
+// src/cors.ts
+function matchesPathPattern2(pathname, pattern) {
+  const segments = pattern.split("*");
+  if (segments.length === 1) {
+    return pathname === pattern;
+  }
+  const firstSegment = segments[0];
+  if (firstSegment && !pathname.startsWith(firstSegment)) {
+    return false;
+  }
+  let position = firstSegment.length;
+  for (let index = 1; index < segments.length; index += 1) {
+    const segment = segments[index];
+    if (!segment) {
+      continue;
+    }
+    const nextPosition = pathname.indexOf(segment, position);
+    if (nextPosition < 0) {
+      return false;
+    }
+    position = nextPosition + segment.length;
+  }
+  const lastSegment = segments[segments.length - 1];
+  return pattern.endsWith("*") || pathname.endsWith(lastSegment);
+}
+function normalizeDomain(value) {
+  const trimmed = value.trim();
+  if (!trimmed) {
+    return "";
+  }
+  try {
+    const parsed = new URL(trimmed);
+    return parsed.host.toLowerCase();
+  } catch {
+    return trimmed.replace(/^\/+|\/+$/g, "").toLowerCase();
+  }
+}
+function isCorsPath(config, request) {
+  const pathname = new URL(request.url).pathname;
+  return config.paths.some((pattern) => matchesPathPattern2(pathname, pattern));
+}
+function isStatefulOrigin(config, origin) {
+  const normalizedOrigin = normalizeDomain(origin);
+  return normalizedOrigin !== "" && config.statefulDomains.some((domain) => normalizeDomain(domain) === normalizedOrigin);
+}
+function resolveAllowedOrigin(config, origin) {
+  if (!origin) {
+    return void 0;
+  }
+  if (config.origins.includes(origin) || isStatefulOrigin(config, origin)) {
+    return origin;
+  }
+  if (config.origins.includes("*")) {
+    return config.credentials ? origin : "*";
+  }
+  return void 0;
+}
+function appendVary(headers2, value) {
+  const existing = headers2.get("vary");
+  const entries = new Set([
+    ...existing ? existing.split(",") : [],
+    ...value.split(",")
+  ].map((entry) => entry.trim()).filter(Boolean));
+  headers2.set("Vary", Array.from(entries).join(", "));
+}
+function headers(request) {
+  const config = getSecurityRuntime().cors;
+  const result = new Headers();
+  if (!isCorsPath(config, request)) {
+    return result;
+  }
+  const origin = request.headers.get("origin");
+  if (origin === null) {
+    appendVary(result, "Origin");
+    return result;
+  }
+  const allowedOrigin = resolveAllowedOrigin(config, origin);
+  if (!allowedOrigin) {
+    appendVary(result, "Origin");
+    return result;
+  }
+  result.set("Access-Control-Allow-Origin", allowedOrigin);
+  appendVary(result, "Origin");
+  if (config.credentials || isStatefulOrigin(config, origin)) {
+    result.set("Access-Control-Allow-Credentials", "true");
+  }
+  if (request.method.toUpperCase() === "OPTIONS") {
+    result.set("Access-Control-Allow-Methods", config.methods.join(", "));
+    result.set("Access-Control-Allow-Headers", config.headers.join(", "));
+    result.set("Access-Control-Max-Age", String(config.maxAge));
+    appendVary(result, "Access-Control-Request-Method");
+    appendVary(result, "Access-Control-Request-Headers");
+  }
+  return result;
+}
+function apply(request, response = new Response(null, { status: 204 })) {
+  const nextHeaders = new Headers(response.headers);
+  const corsHeaders = headers(request);
+  corsHeaders.forEach((value, key) => {
+    if (key.toLowerCase() === "vary") {
+      appendVary(nextHeaders, value);
+      return;
+    }
+    nextHeaders.set(key, value);
+  });
+  return new Response(response.body, {
+    status: response.status,
+    statusText: response.statusText,
+    headers: nextHeaders
+  });
+}
+function preflight(request) {
+  if (request.method.toUpperCase() !== "OPTIONS") {
+    return null;
+  }
+  if (!request.headers.has("access-control-request-method")) {
+    return null;
+  }
+  const response = apply(request);
+  return response.headers.has("access-control-allow-origin") ? response : null;
+}
+var cors = Object.freeze({
+  headers,
+  preflight,
+  apply
+});
+var corsInternals = {
+  appendVary,
+  isCorsPath,
+  isStatefulOrigin,
+  matchesPathPattern: matchesPathPattern2,
+  normalizeDomain,
+  resolveAllowedOrigin
+};
+
+// src/store.ts
+import { resolve } from "path";
+import { normalizeSecurityConfig as normalizeSecurityConfig2 } from "@holo-js/config";
+
+// src/drivers/file.ts
+import { createHash, randomUUID } from "crypto";
+import { mkdir, readFile, readdir, rename, rm, stat, utimes, writeFile } from "fs/promises";
+import { dirname, join } from "path";
+var LOCK_OWNER_FILE = "owner";
+var BUCKETS_DIRECTORY = "buckets";
+function createBucketHash(key) {
+  return createHash("sha256").update(key).digest("hex");
+}
+function createBucketNamespace(key) {
+  const separatorIndex = key.indexOf("|");
+  return separatorIndex >= 0 ? key.slice(0, separatorIndex + 1) : key;
+}
+function createBucketNamespaceHash(key) {
+  return createBucketHash(createBucketNamespace(key));
+}
+function createBucketPrefixHashes(key) {
+  const prefixHashes = [];
+  for (let index = 1; index <= key.length; index += 1) {
+    prefixHashes.push(createBucketHash(key.slice(0, index)));
+  }
+  return prefixHashes;
+}
+function getBucketPath(root, key) {
+  const hash = createBucketHash(key);
+  return join(root, BUCKETS_DIRECTORY, hash.slice(0, 2), hash.slice(2, 4), `${hash}.json`);
+}
+function serializeBucket(bucket) {
+  return JSON.stringify({
+    namespaceHash: bucket.namespaceHash,
+    keyHash: bucket.keyHash,
+    prefixHashes: [...bucket.prefixHashes],
+    attempts: bucket.attempts,
+    expiresAt: bucket.expiresAt.toISOString()
+  });
+}
+function deserializeBucket(raw) {
+  const parsed = JSON.parse(raw);
+  const namespaceHash = typeof parsed.namespaceHash === "string" && parsed.namespaceHash.length > 0 ? parsed.namespaceHash : typeof parsed.namespace === "string" && parsed.namespace.length > 0 ? createBucketHash(parsed.namespace) : void 0;
+  const keyHash = typeof parsed.keyHash === "string" && parsed.keyHash.length > 0 ? parsed.keyHash : void 0;
+  const prefixHashes = Array.isArray(parsed.prefixHashes) && parsed.prefixHashes.every(
+    (value) => typeof value === "string" && value.length > 0
+  ) ? parsed.prefixHashes : void 0;
+  const { attempts, expiresAt: expiresAtValue } = parsed;
+  if (typeof namespaceHash !== "string" || namespaceHash.length === 0) {
+    throw new TypeError("[@holo-js/security] File rate-limit buckets must contain a non-empty string namespace hash.");
+  }
+  if (typeof keyHash !== "string" || keyHash.length === 0) {
+    throw new TypeError("[@holo-js/security] File rate-limit buckets must contain a non-empty string key hash.");
+  }
+  if (!Array.isArray(prefixHashes) || prefixHashes.length === 0) {
+    throw new TypeError("[@holo-js/security] File rate-limit buckets must contain non-empty prefix hashes.");
+  }
+  if (typeof attempts !== "number" || !Number.isInteger(attempts) || attempts < 1) {
+    throw new TypeError("[@holo-js/security] File rate-limit buckets must contain an integer attempts count greater than 0.");
+  }
+  const normalizedAttempts = attempts;
+  if (typeof expiresAtValue !== "string") {
+    throw new TypeError("[@holo-js/security] File rate-limit buckets must contain an ISO expiry timestamp.");
+  }
+  const expiresAt = new Date(expiresAtValue);
+  if (Number.isNaN(expiresAt.getTime())) {
+    throw new TypeError("[@holo-js/security] File rate-limit buckets must contain a valid expiry timestamp.");
+  }
+  return Object.freeze({
+    namespaceHash,
+    keyHash,
+    prefixHashes: Object.freeze([...prefixHashes]),
+    attempts: normalizedAttempts,
+    expiresAt
+  });
+}
+async function readBucket(path) {
+  const raw = await readFile(path, "utf8").catch((error) => {
+    if (error.code === "ENOENT") {
+      return void 0;
+    }
+    throw error;
+  });
+  return raw ? deserializeBucket(raw) : null;
+}
+function isExpired(bucket, now) {
+  return bucket.expiresAt.getTime() <= now.getTime();
+}
+async function writeBucket(path, bucket) {
+  await mkdir(dirname(path), { recursive: true });
+  const tempPath = `${path}.${process.pid}.${randomUUID()}.tmp`;
+  await writeFile(tempPath, serializeBucket(bucket), "utf8");
+  await rename(tempPath, path);
+}
+async function deleteBucket(path) {
+  await rm(path, { force: true });
+}
+function getBucketLockPath(path) {
+  return `${path}.lock`;
+}
+function getBucketLockCleanupPath(lockPath) {
+  return `${lockPath}.cleanup`;
+}
+function getBucketLockOwnerPath(lockPath) {
+  return join(lockPath, LOCK_OWNER_FILE);
+}
+async function sleep(delayMs) {
+  await new Promise((resolve2) => {
+    setTimeout(resolve2, delayMs);
+  });
+}
+function startLockHeartbeat(lockPath, timeoutMs) {
+  const heartbeat = setInterval(() => {
+    const now = /* @__PURE__ */ new Date();
+    void utimes(lockPath, now, now).catch(() => {
+    });
+  }, Math.max(1, Math.floor(timeoutMs / 2)));
+  heartbeat.unref?.();
+  return heartbeat;
+}
+async function tryCreateBucketLock(lockPath) {
+  const ownerId = `${process.pid}:${randomUUID()}`;
+  await mkdir(lockPath);
+  try {
+    await writeFile(getBucketLockOwnerPath(lockPath), ownerId, "utf8");
+  } catch (error) {
+    await rm(lockPath, { recursive: true, force: true });
+    throw error;
+  }
+  return { ownerId, path: lockPath };
+}
+async function removeOwnedBucketLock(lock) {
+  const ownerId = await readFile(getBucketLockOwnerPath(lock.path), "utf8").catch((error) => {
+    if (error.code === "ENOENT") {
+      return void 0;
+    }
+    throw error;
+  });
+  if (ownerId === lock.ownerId) {
+    await rm(lock.path, { recursive: true, force: true });
+  }
+}
+async function isBucketLockStale(lockPath, timeoutMs) {
+  return await stat(lockPath).then((stats) => stats.mtimeMs <= Date.now() - timeoutMs).catch(() => false);
+}
+async function reclaimStaleBucketLock(lockPath, timeoutMs) {
+  const cleanupPath = getBucketLockCleanupPath(lockPath);
+  let cleanupLock;
+  try {
+    cleanupLock = await tryCreateBucketLock(cleanupPath);
+  } catch (error) {
+    const candidate = error;
+    if (candidate.code === "EEXIST") {
+      return false;
+    }
+    throw error;
+  }
+  try {
+    if (await isBucketLockStale(lockPath, timeoutMs)) {
+      await rm(lockPath, { recursive: true, force: true });
+      return true;
+    }
+    return false;
+  } finally {
+    await removeOwnedBucketLock(cleanupLock);
+  }
+}
+async function acquireBucketLock(lockPath, options) {
+  const deadline = Date.now() + options.timeoutMs;
+  while (true) {
+    try {
+      return await tryCreateBucketLock(lockPath);
+    } catch (error) {
+      const candidate = error;
+      if (candidate.code !== "EEXIST") {
+        throw error;
+      }
+      if (await isBucketLockStale(lockPath, options.timeoutMs) && await reclaimStaleBucketLock(lockPath, options.timeoutMs)) {
+        continue;
+      }
+      if (Date.now() >= deadline) {
+        throw new Error(`[@holo-js/security] Timed out waiting for file rate-limit lock "${lockPath}".`);
+      }
+      await sleep(options.retryDelayMs);
+    }
+  }
+}
+async function withBucketLock(path, options, operation) {
+  const lockPath = getBucketLockPath(path);
+  await mkdir(dirname(lockPath), { recursive: true });
+  const acquiredLock = await acquireBucketLock(lockPath, options);
+  const heartbeat = startLockHeartbeat(lockPath, options.timeoutMs);
+  try {
+    return await operation();
+  } finally {
+    clearInterval(heartbeat);
+    await removeOwnedBucketLock(acquiredLock);
+  }
+}
+async function listBucketPaths(root) {
+  const entries = await readdir(root, { withFileTypes: true }).catch((error) => {
+    if (error.code === "ENOENT") {
+      return [];
+    }
+    throw error;
+  });
+  const nested = await Promise.all(entries.map(async (entry) => {
+    const entryPath = join(root, entry.name);
+    if (entry.isDirectory()) {
+      return await listBucketPaths(entryPath);
+    }
+    return entry.name.endsWith(".json") ? [entryPath] : [];
+  }));
+  return nested.flat();
+}
+function createSnapshot(key, bucket, maxAttempts) {
+  const expiresAt = new Date(bucket.expiresAt.getTime());
+  return Object.freeze({
+    limiter: "",
+    key,
+    attempts: bucket.attempts,
+    maxAttempts,
+    remainingAttempts: Math.max(0, maxAttempts - bucket.attempts),
+    expiresAt
+  });
+}
+function createFileRateLimitStore(root, options = {}) {
+  const resolveNow = options.now ?? (() => /* @__PURE__ */ new Date());
+  const lockRetryDelayMs = options.lockRetryDelayMs ?? 5;
+  const lockTimeoutMs = options.lockTimeoutMs ?? 2e3;
+  return {
+    async hit(key, hitOptions) {
+      const now = resolveNow();
+      const path = getBucketPath(root, key);
+      return await withBucketLock(path, {
+        retryDelayMs: lockRetryDelayMs,
+        timeoutMs: lockTimeoutMs
+      }, async () => {
+        const existing = await readBucket(path);
+        if (existing && existing.keyHash !== createBucketHash(key)) {
+          throw new Error(`[@holo-js/security] File rate-limit bucket hash collision detected for stored bucket ${existing.keyHash}.`);
+        }
+        if (existing && isExpired(existing, now)) {
+          await deleteBucket(path);
+        }
+        const bucket = existing && !isExpired(existing, now) ? {
+          ...existing,
+          attempts: existing.attempts + 1
+        } : {
+          namespaceHash: createBucketNamespaceHash(key),
+          keyHash: createBucketHash(key),
+          prefixHashes: Object.freeze(createBucketPrefixHashes(key)),
+          attempts: 1,
+          expiresAt: new Date(now.getTime() + hitOptions.decaySeconds * 1e3)
+        };
+        await writeBucket(path, bucket);
+        return Object.freeze({
+          limited: bucket.attempts > hitOptions.maxAttempts,
+          snapshot: createSnapshot(key, bucket, hitOptions.maxAttempts),
+          retryAfterSeconds: Math.max(0, Math.ceil((bucket.expiresAt.getTime() - now.getTime()) / 1e3))
+        });
+      });
+    },
+    async clear(key) {
+      const path = getBucketPath(root, key);
+      return await withBucketLock(path, {
+        retryDelayMs: lockRetryDelayMs,
+        timeoutMs: lockTimeoutMs
+      }, async () => {
+        const existing = await readBucket(path);
+        if (!existing || existing.keyHash !== createBucketHash(key)) {
+          return false;
+        }
+        await deleteBucket(path);
+        return true;
+      });
+    },
+    async clearByPrefix(prefix) {
+      let cleared = 0;
+      const now = resolveNow();
+      const paths = await listBucketPaths(root);
+      for (const path of paths) {
+        const removed = await withBucketLock(path, {
+          retryDelayMs: lockRetryDelayMs,
+          timeoutMs: lockTimeoutMs
+        }, async () => {
+          const bucket = await readBucket(path);
+          if (!bucket) {
+            return false;
+          }
+          if (isExpired(bucket, now)) {
+            await deleteBucket(path);
+            return false;
+          }
+          if (!bucket.prefixHashes.includes(createBucketHash(prefix))) {
+            return false;
+          }
+          await deleteBucket(path);
+          return true;
+        });
+        if (removed) {
+          cleared += 1;
+        }
+      }
+      return cleared;
+    },
+    async clearAll() {
+      const paths = await listBucketPaths(root);
+      let cleared = 0;
+      for (const path of paths) {
+        const removed = await withBucketLock(path, {
+          retryDelayMs: lockRetryDelayMs,
+          timeoutMs: lockTimeoutMs
+        }, async () => {
+          const bucket = await readBucket(path);
+          if (!bucket) {
+            return false;
+          }
+          await deleteBucket(path);
+          return true;
+        });
+        if (removed) {
+          cleared += 1;
+        }
+      }
+      return cleared;
+    }
+  };
+}
+var fileRateLimitDriverInternals = {
+  createBucketHash,
+  createSnapshot,
+  deleteBucket,
+  deserializeBucket,
+  getBucketPath,
+  isExpired,
+  listBucketPaths,
+  readBucket,
+  serializeBucket,
+  sleep,
+  getBucketLockPath,
+  acquireBucketLock,
+  reclaimStaleBucketLock,
+  removeOwnedBucketLock,
+  withBucketLock,
+  writeBucket
+};
+
+// src/drivers/memory.ts
+function createSnapshot2(key, bucket, maxAttempts) {
+  const expiresAt = new Date(bucket.expiresAt.getTime());
+  return Object.freeze({
+    limiter: "",
+    key,
+    attempts: bucket.attempts,
+    maxAttempts,
+    remainingAttempts: Math.max(0, maxAttempts - bucket.attempts),
+    expiresAt
+  });
+}
+function isExpired2(bucket, now) {
+  return bucket.expiresAt.getTime() <= now.getTime();
+}
+function createMemoryRateLimitStore(options = {}) {
+  const buckets = /* @__PURE__ */ new Map();
+  const resolveNow = options.now ?? (() => /* @__PURE__ */ new Date());
+  const maxBuckets = options.maxBuckets;
+  if (typeof maxBuckets !== "undefined" && (!Number.isInteger(maxBuckets) || maxBuckets < 1)) {
+    throw new TypeError("[@holo-js/security] Memory rate-limit store maxBuckets must be an integer greater than or equal to 1.");
+  }
+  const pruneIntervalMs = typeof options.pruneIntervalMs === "number" ? options.pruneIntervalMs : 6e4;
+  if (!Number.isInteger(pruneIntervalMs) || pruneIntervalMs < 1) {
+    throw new TypeError("[@holo-js/security] Memory rate-limit store pruneIntervalMs must be an integer greater than or equal to 1.");
+  }
+  const pruneExpiredBuckets = () => {
+    const now = resolveNow();
+    for (const [key, bucket] of buckets) {
+      if (isExpired2(bucket, now)) {
+        buckets.delete(key);
+      }
+    }
+  };
+  const pruneTimer = setInterval(pruneExpiredBuckets, pruneIntervalMs);
+  pruneTimer.unref?.();
+  const evictOldestBucket = () => {
+    const oldestKey = buckets.keys().next().value;
+    buckets.delete(oldestKey);
+  };
+  return {
+    async hit(key, hitOptions) {
+      const now = resolveNow();
+      const existing = buckets.get(key);
+      if (existing && isExpired2(existing, now)) {
+        buckets.delete(key);
+      }
+      const active = buckets.get(key);
+      const bucket = active ? {
+        ...active,
+        attempts: active.attempts + 1
+      } : {
+        key,
+        attempts: 1,
+        expiresAt: new Date(now.getTime() + hitOptions.decaySeconds * 1e3)
+      };
+      if (!active && typeof maxBuckets === "number") {
+        while (buckets.size >= maxBuckets) {
+          evictOldestBucket();
+        }
+      }
+      if (active) {
+        buckets.delete(key);
+      }
+      buckets.set(key, bucket);
+      return Object.freeze({
+        limited: bucket.attempts > hitOptions.maxAttempts,
+        snapshot: createSnapshot2(key, bucket, hitOptions.maxAttempts),
+        retryAfterSeconds: Math.max(0, Math.ceil((bucket.expiresAt.getTime() - now.getTime()) / 1e3))
+      });
+    },
+    async clear(key) {
+      return buckets.delete(key);
+    },
+    async clearByPrefix(prefix) {
+      let cleared = 0;
+      for (const key of buckets.keys()) {
+        if (!key.startsWith(prefix)) {
+          continue;
+        }
+        buckets.delete(key);
+        cleared += 1;
+      }
+      return cleared;
+    },
+    async clearAll() {
+      const cleared = buckets.size;
+      buckets.clear();
+      return cleared;
+    },
+    async close() {
+      clearInterval(pruneTimer);
+    }
+  };
+}
+var memoryRateLimitDriverInternals = {
+  createSnapshot: createSnapshot2,
+  isExpired: isExpired2
+};
+
+// src/drivers/redis.ts
+function assertNonNegativeInteger(value, label) {
+  if (typeof value !== "number" || !Number.isInteger(value) || value < 0) {
+    throw new TypeError(`[@holo-js/security] Redis rate-limit adapter ${label} must be a non-negative integer.`);
+  }
+  return value;
+}
+function createSnapshot3(key, attempts, maxAttempts, expiresAt) {
+  return Object.freeze({
+    limiter: "",
+    key,
+    attempts,
+    maxAttempts,
+    remainingAttempts: Math.max(0, maxAttempts - attempts),
+    expiresAt
+  });
+}
+function createRedisRateLimitStore(adapter, options = {}) {
+  const resolveNow = options.now ?? (() => /* @__PURE__ */ new Date());
+  return {
+    async hit(key, hitOptions) {
+      const result = await adapter.increment(key, {
+        decaySeconds: hitOptions.decaySeconds
+      });
+      const attempts = assertNonNegativeInteger(result.attempts, "attempts");
+      const ttlSeconds = assertNonNegativeInteger(result.ttlSeconds, "ttlSeconds");
+      const now = resolveNow();
+      const expiresAt = new Date(now.getTime() + ttlSeconds * 1e3);
+      return Object.freeze({
+        limited: attempts > hitOptions.maxAttempts,
+        snapshot: createSnapshot3(key, attempts, hitOptions.maxAttempts, expiresAt),
+        retryAfterSeconds: ttlSeconds
+      });
+    },
+    async clear(key) {
+      const deleted = await adapter.del(key);
+      return assertNonNegativeInteger(deleted, "del() result") > 0;
+    },
+    async clearByPrefix(prefix) {
+      if (typeof adapter.clearByPrefix !== "function") {
+        return 0;
+      }
+      const cleared = await adapter.clearByPrefix(prefix);
+      return assertNonNegativeInteger(cleared, "clearByPrefix() result");
+    },
+    async clearAll() {
+      if (typeof adapter.clearAll !== "function") {
+        return 0;
+      }
+      const cleared = await adapter.clearAll();
+      return assertNonNegativeInteger(cleared, "clearAll() result");
+    },
+    async close() {
+      await adapter.close?.();
+    }
+  };
+}
+var redisRateLimitDriverInternals = {
+  assertNonNegativeInteger,
+  createSnapshot: createSnapshot3
+};
+
+// src/store.ts
+function isNormalizedSecurityConfig(config) {
+  const candidate = config;
+  return typeof candidate.rateLimit?.memory?.driver === "string" && candidate.rateLimit.memory.driver === "memory" && typeof candidate.rateLimit.file?.path === "string" && typeof candidate.rateLimit.redis?.host === "string" && typeof candidate.rateLimit.redis.port === "number" && typeof candidate.rateLimit.redis.db === "number" && typeof candidate.rateLimit.redis.connection === "string" && typeof candidate.rateLimit.redis.prefix === "string" && typeof candidate.rateLimit.limiters === "object";
+}
+function normalizeStoreConfig(config) {
+  return isNormalizedSecurityConfig(config) ? config : normalizeSecurityConfig2(config);
+}
+function createRateLimitStoreFromConfig(config, options = {}) {
+  const normalized = normalizeStoreConfig(config);
+  switch (normalized.rateLimit.driver) {
+    case "memory":
+      return createMemoryRateLimitStore();
+    case "file": {
+      const root = options.projectRoot ? resolve(options.projectRoot, normalized.rateLimit.file.path) : normalized.rateLimit.file.path;
+      return createFileRateLimitStore(root);
+    }
+    case "redis":
+      if (!options.redisAdapter) {
+        throw new Error("[@holo-js/security] Redis-backed rate limits require a redis adapter.");
+      }
+      return createRedisRateLimitStore(options.redisAdapter);
+    default:
+      throw new Error(`[@holo-js/security] Unsupported rate limit driver "${normalized.rateLimit.driver}".`);
+  }
+}
+var securityStoreInternals = {
+  normalizeStoreConfig
+};
+
+// src/index.ts
+import { defineSecurityConfig } from "@holo-js/config";
+var security = Object.freeze({
+  configureSecurityRuntime,
+  getSecurityRuntime,
+  getSecurityRuntimeBindings,
+  resetSecurityRuntime,
+  csrf,
+  cors,
+  protect,
+  defaultRateLimitKey,
+  rateLimit,
+  clearRateLimit,
+  limit,
+  ip
+});
+var src_default = security;
+
+export {
+  SecurityRuntimeNotConfiguredError,
+  configureSecurityRuntime,
+  getSecurityRuntime,
+  getSecurityRuntimeBindings,
+  resetSecurityRuntime,
+  securityRuntimeInternals,
+  defaultRateLimitKey,
+  rateLimit,
+  clearRateLimit,
+  rateLimitInternals,
+  isSecureRequest,
+  token,
+  field,
+  input,
+  cookie,
+  verify,
+  protect,
+  csrf,
+  csrfInternals,
+  headers,
+  apply,
+  preflight,
+  cors,
+  corsInternals,
+  createFileRateLimitStore,
+  fileRateLimitDriverInternals,
+  createMemoryRateLimitStore,
+  memoryRateLimitDriverInternals,
+  createRedisRateLimitStore,
+  redisRateLimitDriverInternals,
+  createRateLimitStoreFromConfig,
+  securityStoreInternals,
+  src_default,
+  defineSecurityConfig
+};