@mindfulauth/core 1.3.0 → 2.0.0-beta.10

package/dist/{security.js → core/security.js}

@@ -1,15 +1,5 @@
-// Security utilities - path traversal prevention, nonce generation
+// Security utilities - path traversal prevention
 const MAX_PATH_LENGTH = 2048;
-/**
- * Generate a cryptographically secure random nonce for use in CSP headers.
- * The same nonce must be added as a `nonce` attribute on every inline <script>
- * tag so the browser allows it to execute.
- */
-export function generateNonce() {
-    const bytes = new Uint8Array(16);
-    crypto.getRandomValues(bytes);
-    return btoa(String.fromCharCode(...bytes));
-}
 /** Decode and check for traversal attacks */
 function decodeAndValidate(str) {
     if (!str || typeof str !== 'string' || str.length > MAX_PATH_LENGTH)

package/dist/{types.d.ts → core/types.d.ts}

@@ -1,12 +1,6 @@
 import type { MiddlewareHandler } from 'astro';
 export interface MindfulAuthLocals {
     recordId: string | null;
-    cspNonce?: string;
-    runtime?: {
-        env?: {
-            INTERNAL_API_KEY?: string;
-        };
-    };
 }
 declare global {
     namespace App {

package/dist/core/types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../src/core/types.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,OAAO,CAAC;AAG/C,MAAM,WAAW,iBAAiB;IAChC,QAAQ,EAAE,MAAM,GAAG,IAAI,CAAC;CACzB;AAGD,OAAO,CAAC,MAAM,CAAC;IACb,UAAU,GAAG,CAAC;QACZ,UAAU,MAAO,SAAQ,iBAAiB;SAAG;KAC9C;CACF;AAED,MAAM,WAAW,uBAAuB;IACtC,KAAK,EAAE,OAAO,CAAC;IACf,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAED,MAAM,MAAM,qBAAqB,GAAG,iBAAiB,CAAC"}

package/package.json

@@ -1,26 +1,34 @@
 {
   "name": "@mindfulauth/core",
-  "version": "1.3.0",
-  "description": "Mindful Auth core authentication library for Astro",
+  "version": "2.0.0-beta.10",
+  "description": "Mindful Auth core authentication library for Astro 6",
   "type": "module",
-  "main": "./dist/index.js",
-  "types": "./dist/index.d.ts",
+  "sideEffects": false,
   "exports": {
     ".": {
-      "types": "./dist/index.d.ts",
-      "import": "./dist/index.js"
+      "types": "./dist/core/index.d.ts",
+      "import": "./dist/core/index.js"
     },
+    "./astro": {
+      "types": "./dist/astro/index.d.ts",
+      "import": "./dist/astro/index.js"
+    },
+    "./astro/*.astro": "./dist/astro/*.astro",
     "./middleware": {
-      "types": "./dist/middleware.d.ts",
-      "import": "./dist/middleware.js"
+      "types": "./dist/core/middleware.d.ts",
+      "import": "./dist/core/middleware.js"
     },
     "./auth-handler": {
-      "types": "./dist/auth-handler.d.ts",
-      "import": "./dist/auth-handler.js"
+      "types": "./dist/core/auth-handler.d.ts",
+      "import": "./dist/core/auth-handler.js"
     },
     "./config": {
-      "types": "./dist/config.d.ts",
-      "import": "./dist/config.js"
+      "types": "./dist/core/config.d.ts",
+      "import": "./dist/core/config.js"
+    },
+    "./csp": {
+      "types": "./dist/core/csp.d.ts",
+      "import": "./dist/core/csp.js"
     }
   },
   "files": [
@@ -28,7 +36,7 @@
     "README.md"
   ],
   "scripts": {
-    "build": "tsc",
+    "build": "tsc && cp src/astro/*.astro dist/astro/",
     "dev": "tsc --watch",
     "prepublishOnly": "npm run build"
   },
@@ -42,10 +50,12 @@
   "author": "Mindful Auth",
   "license": "MIT",
   "peerDependencies": {
-    "astro": "^5.0.0"
+    "astro": "^6.0.0-beta.20"
   },
   "devDependencies": {
-    "astro": "^5.17.3",
+    "@cloudflare/workers-types": "^4.20260307.1",
+    "@types/node": "^25.3.5",
+    "astro": "^6.0.0-beta.20",
     "typescript": "^5.9.3"
   }
 }

package/dist/auth-handler.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"auth-handler.d.ts","sourceRoot":"","sources":["../src/auth-handler.ts"],"names":[],"mappings":"AAmEA,2EAA2E;AAC3E,wBAAsB,aAAa,CAAC,WAAW,EAAE,MAAM,EAAE,OAAO,EAAE,OAAO,EAAE,GAAG,EAAE,GAAG,EAAE,MAAM,CAAC,EAAE,GAAG,GAAG,OAAO,CAAC,QAAQ,CAAC,CA4BpH;AAED,gEAAgE;AAChE,wBAAsB,cAAc,CAAC,WAAW,EAAE,MAAM,EAAE,OAAO,EAAE,OAAO,EAAE,GAAG,EAAE,GAAG,EAAE,MAAM,CAAC,EAAE,GAAG,GAAG,OAAO,CAAC,QAAQ,CAAC,CAwDrH"}

package/dist/auth.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"auth.d.ts","sourceRoot":"","sources":["../src/auth.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,uBAAuB,EAAE,MAAM,SAAS,CAAC;AAEvD,yDAAyD;AACzD,wBAAsB,eAAe,CACjC,OAAO,EAAE,OAAO,EAChB,YAAY,EAAE,MAAM,EACpB,QAAQ,EAAE,MAAM,EAChB,cAAc,EAAE,MAAM,GACvB,OAAO,CAAC,uBAAuB,CAAC,CAsClC;AAED,oGAAoG;AACpG,wBAAgB,qBAAqB,CAAC,QAAQ,EAAE,MAAM,EAAE,eAAe,EAAE,MAAM,GAAG,IAAI,GAAG;IAAE,KAAK,EAAE,OAAO,CAAC;IAAC,gBAAgB,CAAC,EAAE,MAAM,CAAA;CAAE,CAerI"}

package/dist/config.d.ts

@@ -1,88 +0,0 @@
-export declare const CENTRAL_AUTH_ORIGIN = "https://api.mindfulauth.com";
-export declare const CDN_ORIGIN = "https://cdn.mindfulauth.com";
-export declare const ALLOWED_AUTH_METHODS: string[];
-export declare const MAX_BODY_SIZE_BYTES = 1048576;
-export declare const AUTH_PROXY_TIMEOUT_MS = 15000;
-export declare const SESSION_VALIDATION_TIMEOUT_MS = 10000;
-/**
- * Returns the combined list of assets to skip session validation for.
- * Merges defaults with any custom assets configured via mauthSecurityConfig().
- */
-export declare function GET_SKIP_ASSETS(): string[];
-export declare const PUBLIC_ROUTES: string[];
-export declare const PUBLIC_PREFIXES: string[];
-/**
- * Configure Mindful Auth security settings including CSP sources and static
- * assets to skip. Returns the options to be passed to getMauthViteDefines().
- *
- *  IMPORTANT: A nonce must be provided for inline styles to work. Without a nonce, inline styles will be blocked by CSP. If you need 'unsafe-inline' for development or testing, explicitly add it to styleSources in mauthSecurityConfig().
- *
- * IMPORTANT: Do not use Astro 6 security.csp in astro.config.mjs alongside this function. Astro's CSP will override these headers. Use mauthSecurityConfig() exclusively.
- *
- * Call in astro.config.mjs and pass the result to vite.define:
- *
- * @example
- * // astro.config.mjs
- * const mauthCfg = mauthSecurityConfig({
- *   skipAssets: ['/sitemap.xml', '/manifest.webmanifest'],
- *   csp: {
- *     scriptSources: ['https://analytics.example.com'],
- *     connectSources: ['https://api.example.com'],
- *     frameSources: ['https://stripe.com'],
- *     fontSources: ['https://fonts.googleapis.com'],
- *     styleSources: ['https://cdn.example.com/styles'],
- *     imageSources: ['https://images.example.com'],
- *     frameAncestors: ["'self'"],
- *     workerSources: ["'self'"],
- *     manifestSources: ["'self'"],
- *     objectSources: ["'none'"],
- *     baseUris: ["'self'"],
- *     formActions: ["'self'"]
- *   }
- * });
- *
- * export default defineConfig({
- *   vite: { define: getMauthViteDefines(mauthCfg) }
- * });
- */
-export declare function mauthSecurityConfig(options?: {
-    skipAssets?: string[];
-    csp?: {
-        scriptSources?: string[];
-        connectSources?: string[];
-        frameSources?: string[];
-        fontSources?: string[];
-        styleSources?: string[];
-        imageSources?: string[];
-        frameAncestors?: string[];
-        workerSources?: string[];
-        manifestSources?: string[];
-        objectSources?: string[];
-        baseUris?: string[];
-        formActions?: string[];
-    };
-}): typeof options;
-/**
- * Converts the result of mauthSecurityConfig() into Vite define entries.
- * Pass the output to vite.define in astro.config.mjs so custom values are
- * baked into the SSR bundle at build time.
- */
-export declare function getMauthViteDefines(options?: {
-    skipAssets?: string[];
-    csp?: {
-        scriptSources?: string[];
-        connectSources?: string[];
-        frameSources?: string[];
-        fontSources?: string[];
-        styleSources?: string[];
-        imageSources?: string[];
-        frameAncestors?: string[];
-        workerSources?: string[];
-        manifestSources?: string[];
-        objectSources?: string[];
-        baseUris?: string[];
-        formActions?: string[];
-    };
-}): Record<string, string>;
-export declare function GET_SECURITY_HEADERS(nonce?: string): Record<string, string>;
-//# sourceMappingURL=config.d.ts.map

package/dist/config.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"config.d.ts","sourceRoot":"","sources":["../src/config.ts"],"names":[],"mappings":"AAKA,eAAO,MAAM,mBAAmB,gCAAgC,CAAC;AACjE,eAAO,MAAM,UAAU,gCAAgC,CAAC;AAGxD,eAAO,MAAM,oBAAoB,UAAkB,CAAC;AACpD,eAAO,MAAM,mBAAmB,UAAU,CAAC;AAC3C,eAAO,MAAM,qBAAqB,QAAQ,CAAC;AAC3C,eAAO,MAAM,6BAA6B,QAAQ,CAAC;AAenD;;;GAGG;AACH,wBAAgB,eAAe,IAAI,MAAM,EAAE,CAE1C;AAID,eAAO,MAAM,aAAa,UAQzB,CAAC;AAIF,eAAO,MAAM,eAAe,UAO3B,CAAC;AA2FF;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAiCG;AAEH,wBAAgB,mBAAmB,CAAC,OAAO,CAAC,EAAE;IAC1C,UAAU,CAAC,EAAE,MAAM,EAAE,CAAC;IACtB,GAAG,CAAC,EAAE;QACF,aAAa,CAAC,EAAE,MAAM,EAAE,CAAC;QACzB,cAAc,CAAC,EAAE,MAAM,EAAE,CAAC;QAC1B,YAAY,CAAC,EAAE,MAAM,EAAE,CAAC;QACxB,WAAW,CAAC,EAAE,MAAM,EAAE,CAAC;QACvB,YAAY,CAAC,EAAE,MAAM,EAAE,CAAC;QACxB,YAAY,CAAC,EAAE,MAAM,EAAE,CAAC;QACxB,cAAc,CAAC,EAAE,MAAM,EAAE,CAAC;QAC1B,aAAa,CAAC,EAAE,MAAM,EAAE,CAAC;QACzB,eAAe,CAAC,EAAE,MAAM,EAAE,CAAC;QAC3B,aAAa,CAAC,EAAE,MAAM,EAAE,CAAC;QACzB,QAAQ,CAAC,EAAE,MAAM,EAAE,CAAC;QACpB,WAAW,CAAC,EAAE,MAAM,EAAE,CAAC;KAC1B,CAAC;CACL,GAAG,OAAO,OAAO,CAEjB;AAED;;;;GAIG;AACH,wBAAgB,mBAAmB,CAAC,OAAO,CAAC,EAAE;IAC1C,UAAU,CAAC,EAAE,MAAM,EAAE,CAAC;IACtB,GAAG,CAAC,EAAE;QACF,aAAa,CAAC,EAAE,MAAM,EAAE,CAAC;QACzB,cAAc,CAAC,EAAE,MAAM,EAAE,CAAC;QAC1B,YAAY,CAAC,EAAE,MAAM,EAAE,CAAC;QACxB,WAAW,CAAC,EAAE,MAAM,EAAE,CAAC;QACvB,YAAY,CAAC,EAAE,MAAM,EAAE,CAAC;QACxB,YAAY,CAAC,EAAE,MAAM,EAAE,CAAC;QACxB,cAAc,CAAC,EAAE,MAAM,EAAE,CAAC;QAC1B,aAAa,CAAC,EAAE,MAAM,EAAE,CAAC;QACzB,eAAe,CAAC,EAAE,MAAM,EAAE,CAAC;QAC3B,aAAa,CAAC,EAAE,MAAM,EAAE,CAAC;QACzB,QAAQ,CAAC,EAAE,MAAM,EAAE,CAAC;QACpB,WAAW,CAAC,EAAE,MAAM,EAAE,CAAC;KAC1B,CAAC;CACL,GAAG,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAgBzB;AAED,wBAAgB,oBAAoB,CAAC,KAAK,CAAC,EAAE,MAAM,GAAG,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CA2E3E"}

package/dist/config.js

@@ -1,230 +0,0 @@
-// ============================================================================
-// Configuration for the Astro Portal
-// ============================================================================
-// API Endpoints
-export const CENTRAL_AUTH_ORIGIN = 'https://api.mindfulauth.com';
-export const CDN_ORIGIN = 'https://cdn.mindfulauth.com';
-// Request & Timeout Configuration
-export const ALLOWED_AUTH_METHODS = ['GET', 'POST'];
-export const MAX_BODY_SIZE_BYTES = 1048576; // 1MB limit
-export const AUTH_PROXY_TIMEOUT_MS = 15000;
-export const SESSION_VALIDATION_TIMEOUT_MS = 10000;
-// ============================================================================
-// Static Assets & Route Configuration
-// ============================================================================
-// Static assets to skip session validation (favicon, robots.txt, etc.)
-// SECURITY CRITICAL: Only add actual static file requests here.
-// Examples of safe entries: /favicon.ico, /robots.txt, /sitemap.xml
-// NEVER add application routes like /dashboard, /profile, /secure/* - this COMPLETELY bypasses authentication. If you add a route here, unauthenticated users can access it without logging in.
-const DEFAULT_SKIP_ASSETS = ['/favicon.ico', '/robots.txt', '/.well-known/security.txt'];
-/**
- * Returns the combined list of assets to skip session validation for.
- * Merges defaults with any custom assets configured via mauthSecurityConfig().
- */
-export function GET_SKIP_ASSETS() {
-    return [...DEFAULT_SKIP_ASSETS, ...__MAUTH_SKIP_ASSETS__];
-}
-// Public routes that do not require authentication
-// ⚠️ DO NOT EDIT - These are critical for the authentication system to work correctly
-export const PUBLIC_ROUTES = [
-    '/',
-    '/login',
-    '/register',
-    '/magic-login',
-    '/magic-register',
-    '/forgot-password',
-    '/resend-verification',
-];
-// Dynamic public routes (prefix matching)
-// ⚠️ DO NOT EDIT - These are critical for the authentication system to work correctly
-export const PUBLIC_PREFIXES = [
-    '/auth/',
-    '/email-verified/',
-    '/reset-password/',
-    '/verify-email/',
-    '/verify-magic-link/',
-    '/api/public/',
-];
-// ============================================================================
-// Security Headers & CSP Configuration
-// ============================================================================
-// Default allowed script sources for CSP
-// ⚠️ IMPORTANT: Do not remove these domains - they are critical for authentication:
-// Removing these will break authentication and user will be unable to log in.
-const DEFAULT_SCRIPT_SOURCES = [
-    "'self'",
-    'https://*.cloudflare.com',
-    'https://*.cloudflareinsights.com',
-    'https://cdn.mindfulauth.com',
-    'https://api.mindfulauth.com'
-];
-// Default allowed connection sources for CSP
-const DEFAULT_CONNECT_SOURCES = [
-    "'self'",
-    'https://*.cloudflare.com',
-    'https://api.mindfulauth.com'
-];
-// Default allowed frame sources for CSP
-const DEFAULT_FRAME_SOURCES = [
-    "'self'",
-    'https://*.cloudflare.com'
-];
-// Default allowed font sources for CSP
-const DEFAULT_FONT_SOURCES = [
-    "'self'",
-    'data:'
-];
-// Default allowed style sources for CSP
-const DEFAULT_STYLE_SOURCES = [
-    "'self'",
-];
-// Default allowed image sources for CSP
-const DEFAULT_IMAGE_SOURCES = [
-    "'self'",
-    'https:'
-];
-// Default allowed frame ancestors for CSP (clickjacking protection)
-const DEFAULT_FRAME_ANCESTORS = [
-    "'self'"
-];
-// Default allowed worker sources for CSP (Web Workers, Service Workers)
-const DEFAULT_WORKER_SOURCES = [
-    "'self'"
-];
-// Default allowed manifest sources for CSP (web app manifest)
-const DEFAULT_MANIFEST_SOURCES = [
-    "'self'"
-];
-// Default allowed object sources for CSP (disallow plugins like Flash/Java)
-const DEFAULT_OBJECT_SOURCES = [
-    "'none'"
-];
-// Default allowed base URIs for CSP
-const DEFAULT_BASE_URIS = [
-    "'self'"
-];
-// Default allowed form actions for CSP
-const DEFAULT_FORM_ACTIONS = [
-    "'self'"
-];
-/**
- * Configure Mindful Auth security settings including CSP sources and static
- * assets to skip. Returns the options to be passed to getMauthViteDefines().
- *
- *  IMPORTANT: A nonce must be provided for inline styles to work. Without a nonce, inline styles will be blocked by CSP. If you need 'unsafe-inline' for development or testing, explicitly add it to styleSources in mauthSecurityConfig().
- *
- * IMPORTANT: Do not use Astro 6 security.csp in astro.config.mjs alongside this function. Astro's CSP will override these headers. Use mauthSecurityConfig() exclusively.
- *
- * Call in astro.config.mjs and pass the result to vite.define:
- *
- * @example
- * // astro.config.mjs
- * const mauthCfg = mauthSecurityConfig({
- *   skipAssets: ['/sitemap.xml', '/manifest.webmanifest'],
- *   csp: {
- *     scriptSources: ['https://analytics.example.com'],
- *     connectSources: ['https://api.example.com'],
- *     frameSources: ['https://stripe.com'],
- *     fontSources: ['https://fonts.googleapis.com'],
- *     styleSources: ['https://cdn.example.com/styles'],
- *     imageSources: ['https://images.example.com'],
- *     frameAncestors: ["'self'"],
- *     workerSources: ["'self'"],
- *     manifestSources: ["'self'"],
- *     objectSources: ["'none'"],
- *     baseUris: ["'self'"],
- *     formActions: ["'self'"]
- *   }
- * });
- *
- * export default defineConfig({
- *   vite: { define: getMauthViteDefines(mauthCfg) }
- * });
- */
-export function mauthSecurityConfig(options) {
-    return options;
-}
-/**
- * Converts the result of mauthSecurityConfig() into Vite define entries.
- * Pass the output to vite.define in astro.config.mjs so custom values are
- * baked into the SSR bundle at build time.
- */
-export function getMauthViteDefines(options) {
-    return {
-        __MAUTH_SKIP_ASSETS__: JSON.stringify(options?.skipAssets ?? []),
-        __MAUTH_SCRIPT_SOURCES__: JSON.stringify(options?.csp?.scriptSources ?? []),
-        __MAUTH_CONNECT_SOURCES__: JSON.stringify(options?.csp?.connectSources ?? []),
-        __MAUTH_FRAME_SOURCES__: JSON.stringify(options?.csp?.frameSources ?? []),
-        __MAUTH_FONT_SOURCES__: JSON.stringify(options?.csp?.fontSources ?? []),
-        __MAUTH_STYLE_SOURCES__: JSON.stringify(options?.csp?.styleSources ?? []),
-        __MAUTH_IMAGE_SOURCES__: JSON.stringify(options?.csp?.imageSources ?? []),
-        __MAUTH_FRAME_ANCESTORS__: JSON.stringify(options?.csp?.frameAncestors ?? []),
-        __MAUTH_WORKER_SOURCES__: JSON.stringify(options?.csp?.workerSources ?? []),
-        __MAUTH_MANIFEST_SOURCES__: JSON.stringify(options?.csp?.manifestSources ?? []),
-        __MAUTH_OBJECT_SOURCES__: JSON.stringify(options?.csp?.objectSources ?? []),
-        __MAUTH_BASE_URIS__: JSON.stringify(options?.csp?.baseUris ?? []),
-        __MAUTH_FORM_ACTIONS__: JSON.stringify(options?.csp?.formActions ?? []),
-    };
-}
-export function GET_SECURITY_HEADERS(nonce) {
-    // Custom sources are baked in at build time via vite.define
-    // Using Set to deduplicate sources while preserving order
-    const SCRIPT_SOURCES = [...new Set([
-            ...DEFAULT_SCRIPT_SOURCES,
-            ...__MAUTH_SCRIPT_SOURCES__,
-            ...(nonce ? [`'nonce-${nonce}'`] : []),
-        ])];
-    const STYLE_SOURCES = [...new Set([
-            ...DEFAULT_STYLE_SOURCES,
-            ...__MAUTH_STYLE_SOURCES__,
-            ...(nonce ? [`'nonce-${nonce}'`] : []),
-        ])];
-    const CONNECT_SOURCES = [...new Set([...DEFAULT_CONNECT_SOURCES, ...__MAUTH_CONNECT_SOURCES__])];
-    const FRAME_SOURCES = [...new Set([...DEFAULT_FRAME_SOURCES, ...__MAUTH_FRAME_SOURCES__])];
-    const FONT_SOURCES = [...new Set([...DEFAULT_FONT_SOURCES, ...__MAUTH_FONT_SOURCES__])];
-    const IMAGE_SOURCES = [...new Set([...DEFAULT_IMAGE_SOURCES, ...__MAUTH_IMAGE_SOURCES__])];
-    const FRAME_ANCESTORS = [...new Set([...DEFAULT_FRAME_ANCESTORS, ...__MAUTH_FRAME_ANCESTORS__])];
-    const WORKER_SOURCES = [...new Set([...DEFAULT_WORKER_SOURCES, ...__MAUTH_WORKER_SOURCES__])];
-    const MANIFEST_SOURCES = [...new Set([...DEFAULT_MANIFEST_SOURCES, ...__MAUTH_MANIFEST_SOURCES__])];
-    const OBJECT_SOURCES = [...new Set([...DEFAULT_OBJECT_SOURCES, ...__MAUTH_OBJECT_SOURCES__])];
-    const BASE_URIS = [...new Set([...DEFAULT_BASE_URIS, ...__MAUTH_BASE_URIS__])];
-    const FORM_ACTIONS = [...new Set([...DEFAULT_FORM_ACTIONS, ...__MAUTH_FORM_ACTIONS__])];
-    return {
-        'X-Content-Type-Options': 'nosniff',
-        'X-Frame-Options': 'SAMEORIGIN',
-        'Referrer-Policy': 'strict-origin-when-cross-origin',
-        'Strict-Transport-Security': 'max-age=31536000; includeSubDomains',
-        'Permissions-Policy': 'geolocation=(), microphone=(), camera=()',
-        'Content-Security-Policy': [
-            // Deny by default - only allow explicitly defined sources
-            "default-src 'none'",
-            // Scripts
-            `script-src ${SCRIPT_SOURCES.join(' ')}`,
-            // Styles
-            `style-src ${STYLE_SOURCES.join(' ')}`,
-            // Images
-            `img-src ${IMAGE_SOURCES.join(' ')}`,
-            // Connections
-            `connect-src ${CONNECT_SOURCES.join(' ')}`,
-            // Frames
-            `frame-src ${FRAME_SOURCES.join(' ')}`,
-            // Frame ancestors (clickjacking protection)
-            `frame-ancestors ${FRAME_ANCESTORS.join(' ')}`,
-            // Fonts
-            `font-src ${FONT_SOURCES.join(' ')}`,
-            // Web Workers and Service Workers
-            `worker-src ${WORKER_SOURCES.join(' ')}`,
-            // Web app manifest
-            `manifest-src ${MANIFEST_SOURCES.join(' ')}`,
-            // Disallow object/embed tags (Flash, Java, etc.)
-            `object-src ${OBJECT_SOURCES.join(' ')}`,
-            // Base URI
-            `base-uri ${BASE_URIS.join(' ')}`,
-            // Form action
-            `form-action ${FORM_ACTIONS.join(' ')}`,
-            // Security directives
-            "upgrade-insecure-requests",
-            "block-all-mixed-content"
-        ].join('; ')
-    };
-}

package/dist/index.d.ts

@@ -1,7 +0,0 @@
-export * from './types';
-export * from './config';
-export * from './auth';
-export * from './auth-handler';
-export * from './security';
-export { onRequest } from './middleware';
-//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAGA,cAAc,SAAS,CAAC;AAGxB,cAAc,UAAU,CAAC;AAGzB,cAAc,QAAQ,CAAC;AAGvB,cAAc,gBAAgB,CAAC;AAG/B,cAAc,YAAY,CAAC;AAG3B,OAAO,EAAE,SAAS,EAAE,MAAM,cAAc,CAAC"}

package/dist/index.js

@@ -1,13 +0,0 @@
-// Mindful Auth Core - Main exports
-// Types
-export * from './types';
-// Configuration
-export * from './config';
-// Authentication
-export * from './auth';
-// Auth handler for API routes
-export * from './auth-handler';
-// Security utilities
-export * from './security';
-// Middleware (also available via '@mindful-auth/core/middleware')
-export { onRequest } from './middleware';

package/dist/middleware.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"middleware.d.ts","sourceRoot":"","sources":["../src/middleware.ts"],"names":[],"mappings":"AAuBA,eAAO,MAAM,SAAS,mCAyEpB,CAAC"}

package/dist/middleware.js

@@ -1,81 +0,0 @@
-// Global middleware for session validation
-// Runs before all route handlers to enforce authentication
-import { defineMiddleware } from 'astro:middleware';
-import { PUBLIC_ROUTES, PUBLIC_PREFIXES, GET_SECURITY_HEADERS, GET_SKIP_ASSETS } from './config';
-import { sanitizePath, generateNonce } from './security';
-import { validateSession, validateMemberIdInUrl } from './auth';
-/** Check if a path is a public route (no auth required) */
-function isPublicRoute(pathname) {
-    return PUBLIC_ROUTES.includes(pathname) ||
-        PUBLIC_PREFIXES.some(prefix => pathname.startsWith(prefix));
-}
-/** Add security headers (including CSP nonce) to a response */
-function addSecurityHeaders(response, nonce) {
-    Object.entries(GET_SECURITY_HEADERS(nonce)).forEach(([key, value]) => {
-        response.headers.set(key, value);
-    });
-    return response;
-}
-// Main middleware function
-export const onRequest = defineMiddleware(async (context, next) => {
-    const { request, url, redirect, locals } = context;
-    const pathname = url.pathname;
-    // Redirect HTTP to HTTPS (skip in dev mode and localhost)
-    if (!import.meta.env.DEV && url.protocol === 'http:' && url.hostname !== 'localhost' && url.hostname !== '127.0.0.1') {
-        const httpsUrl = url.toString().replace('http://', 'https://');
-        return redirect(httpsUrl, 307);
-    }
-    // Type assertion for locals (users should extend App.Locals in their project)
-    const authLocals = locals;
-    // Generate a per-request nonce for CSP. Exposed as locals.cspNonce so
-    // layouts can add nonce={Astro.locals.cspNonce} to inline <script> tags.
-    const nonce = generateNonce();
-    authLocals.cspNonce = nonce;
-    // Skip middleware for static assets FIRST (before dev mode)
-    if (GET_SKIP_ASSETS().includes(pathname)) {
-        return next();
-    }
-    // DEV MODE: Skip auth on localhost
-    if (import.meta.env.DEV && (url.hostname === 'localhost' || url.hostname === '127.0.0.1')) {
-        if (isPublicRoute(pathname)) {
-            authLocals.recordId = null;
-            return next();
-        }
-        // For protected routes, extract or create mock recordId
-        // Match memberid with trailing slash
-        const match = pathname.match(/^\/([a-zA-Z0-9-]+)(?:\/|$)/);
-        authLocals.recordId = match ? match[1] : 'dev-user-123';
-        return next();
-    }
-    // Sanitize path
-    const safePath = sanitizePath(pathname);
-    if (!safePath) {
-        return new Response('Bad Request', { status: 400 });
-    }
-    // Public routes - no auth needed
-    if (isPublicRoute(safePath)) {
-        authLocals.recordId = null;
-        return addSecurityHeaders(await next(), nonce);
-    }
-    // Protected route - validate session
-    const internalApiKey = authLocals.runtime?.env?.INTERNAL_API_KEY || import.meta.env.INTERNAL_API_KEY;
-    if (!internalApiKey) {
-        console.error('[middleware] CRITICAL: INTERNAL_API_KEY not configured');
-        return new Response('Internal Server Error', { status: 500 });
-    }
-    // URL must have memberid
-    if (!validateMemberIdInUrl(safePath, null).valid) {
-        return new Response('Forbidden: URL must include memberid', { status: 403 });
-    }
-    // Validate session
-    const session = await validateSession(request, url.hostname, safePath, internalApiKey);
-    if (!session.valid) {
-        return redirect('/login');
-    }
-    // Validate memberid matches session
-    if (!validateMemberIdInUrl(safePath, session.recordId).valid) {
-        return new Response('Forbidden: Invalid user ID in URL', { status: 403 });
-    }
-    authLocals.recordId = session.recordId;
-    return addSecurityHeaders(await next(), nonce);
-});

package/dist/security.d.ts

@@ -1,11 +0,0 @@
-/**
- * Generate a cryptographically secure random nonce for use in CSP headers.
- * The same nonce must be added as a `nonce` attribute on every inline <script>
- * tag so the browser allows it to execute.
- */
-export declare function generateNonce(): string;
-/** Sanitize endpoint path (prevents ../ traversal and encoded variants) */
-export declare function sanitizeEndpoint(endpoint: string): string | null;
-/** Sanitize URL path (prevents ../ traversal and encoded variants) */
-export declare function sanitizePath(pathname: string): string | null;
-//# sourceMappingURL=security.d.ts.map

package/dist/security.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"security.d.ts","sourceRoot":"","sources":["../src/security.ts"],"names":[],"mappings":"AAIA;;;;GAIG;AACH,wBAAgB,aAAa,IAAI,MAAM,CAItC;AAgBD,2EAA2E;AAC3E,wBAAgB,gBAAgB,CAAC,QAAQ,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI,CAIhE;AAED,sEAAsE;AACtE,wBAAgB,YAAY,CAAC,QAAQ,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI,CAI5D"}

package/dist/types.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,OAAO,CAAC;AAG/C,MAAM,WAAW,iBAAiB;IAChC,QAAQ,EAAE,MAAM,GAAG,IAAI,CAAC;IACxB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,OAAO,CAAC,EAAE;QACR,GAAG,CAAC,EAAE;YACJ,gBAAgB,CAAC,EAAE,MAAM,CAAC;SAC3B,CAAC;KACH,CAAC;CACH;AAGD,OAAO,CAAC,MAAM,CAAC;IACb,UAAU,GAAG,CAAC;QACZ,UAAU,MAAO,SAAQ,iBAAiB;SAAG;KAC9C;CACF;AAED,MAAM,WAAW,uBAAuB;IACtC,KAAK,EAAE,OAAO,CAAC;IACf,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAED,MAAM,MAAM,qBAAqB,GAAG,iBAAiB,CAAC"}