@neutron-build/security 0.1.0

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 Tyler
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,25 @@
+# @neutron-build/security
+
+Security middleware for Neutron.
+
+CSRF protection, rate limiting, input validation, and tenant isolation.
+
+## Installation
+
+```bash
+npm install @neutron-build/security
+```
+
+## Usage
+
+```typescript
+import { csrfMiddleware, rateLimitMiddleware } from "@neutron-build/security";
+```
+
+## Documentation
+
+[neutron.build](https://neutron.build)
+
+## License
+
+MIT

package/dist/index.d.ts

@@ -0,0 +1,50 @@
+import { type AppContext, type CookieSerializeOptions, type MiddlewareFn } from "@neutron-build/core";
+export interface CspNonceMiddlewareOptions {
+    contextKey?: string;
+    headerName?: string;
+    policy?: string | ((args: {
+        nonce: string;
+        request: Request;
+        context: AppContext;
+    }) => string);
+}
+export interface CsrfMiddlewareOptions {
+    cookieName?: string;
+    headerName?: string;
+    formFieldName?: string;
+    safeMethods?: string[];
+    cookie?: CookieSerializeOptions;
+    contextKey?: string;
+}
+export interface TrustedProxyOptions {
+    trustProxy?: boolean;
+    forwardedHeader?: string;
+    maxForwardedIps?: number;
+    /**
+     * Number of trusted proxies between this server and the client. The client
+     * IP is read this many hops from the right of the forwarded chain, since the
+     * left-most entries are attacker-controlled. Default 1.
+     */
+    trustedHops?: number;
+}
+export interface RateLimitMiddlewareOptions {
+    capacity: number;
+    refillPerSecond?: number;
+    tokensPerRequest?: number;
+    key?: (request: Request, context: AppContext) => string | Promise<string>;
+    denyStatus?: number;
+    maxBuckets?: number;
+    bucketTtlMs?: number;
+    cleanupEvery?: number;
+}
+export interface SecureCookieDefaultsOptions extends CookieSerializeOptions {
+    nodeEnv?: string;
+}
+export declare function createCspNonceMiddleware(options?: CspNonceMiddlewareOptions): MiddlewareFn;
+export declare function getCspNonceFromContext(context: AppContext, contextKey?: string): string | null;
+export declare function createCsrfMiddleware(options?: CsrfMiddlewareOptions): MiddlewareFn;
+export declare function getCsrfTokenFromContext(context: AppContext, contextKey?: string): string | null;
+export declare function resolveClientIp(request: Request, options?: TrustedProxyOptions): string | null;
+export declare function createRateLimitMiddleware(options: RateLimitMiddlewareOptions): MiddlewareFn;
+export declare function resolveSecureCookieOptions(options?: SecureCookieDefaultsOptions): CookieSerializeOptions;
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AACA,OAAO,EAGL,KAAK,UAAU,EACf,KAAK,sBAAsB,EAC3B,KAAK,YAAY,EAClB,MAAM,qBAAqB,CAAC;AAE7B,MAAM,WAAW,yBAAyB;IACxC,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,MAAM,CAAC,EACH,MAAM,GACN,CAAC,CAAC,IAAI,EAAE;QAAE,KAAK,EAAE,MAAM,CAAC;QAAC,OAAO,EAAE,OAAO,CAAC;QAAC,OAAO,EAAE,UAAU,CAAA;KAAE,KAAK,MAAM,CAAC,CAAC;CAClF;AAED,MAAM,WAAW,qBAAqB;IACpC,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,WAAW,CAAC,EAAE,MAAM,EAAE,CAAC;IACvB,MAAM,CAAC,EAAE,sBAAsB,CAAC;IAChC,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB;AAED,MAAM,WAAW,mBAAmB;IAClC,UAAU,CAAC,EAAE,OAAO,CAAC;IACrB,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB;;;;OAIG;IACH,WAAW,CAAC,EAAE,MAAM,CAAC;CACtB;AAED,MAAM,WAAW,0BAA0B;IACzC,QAAQ,EAAE,MAAM,CAAC;IACjB,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,GAAG,CAAC,EAAE,CAAC,OAAO,EAAE,OAAO,EAAE,OAAO,EAAE,UAAU,KAAK,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC;IAC1E,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,YAAY,CAAC,EAAE,MAAM,CAAC;CACvB;AAED,MAAM,WAAW,2BAA4B,SAAQ,sBAAsB;IACzE,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB;AAKD,wBAAgB,wBAAwB,CACtC,OAAO,GAAE,yBAA8B,GACtC,YAAY,CAgBd;AAED,wBAAgB,sBAAsB,CACpC,OAAO,EAAE,UAAU,EACnB,UAAU,GAAE,MAAgC,GAC3C,MAAM,GAAG,IAAI,CAGf;AAED,wBAAgB,oBAAoB,CAClC,OAAO,GAAE,qBAA0B,GAClC,YAAY,CAsDd;AAED,wBAAgB,uBAAuB,CACrC,OAAO,EAAE,UAAU,EACnB,UAAU,GAAE,MAAiC,GAC5C,MAAM,GAAG,IAAI,CAGf;AAED,wBAAgB,eAAe,CAC7B,OAAO,EAAE,OAAO,EAChB,OAAO,GAAE,mBAAwB,GAChC,MAAM,GAAG,IAAI,CAwCf;AAED,wBAAgB,yBAAyB,CACvC,OAAO,EAAE,0BAA0B,GAClC,YAAY,CAgDd;AA+BD,wBAAgB,0BAA0B,CACxC,OAAO,GAAE,2BAAgC,GACxC,sBAAsB,CAYxB"}

package/dist/index.js

@@ -0,0 +1,250 @@
+import { timingSafeEqual } from "node:crypto";
+import { getCookie, serializeCookie, } from "@neutron-build/core";
+const DEFAULT_CSP_CONTEXT_KEY = "cspNonce";
+const DEFAULT_CSRF_CONTEXT_KEY = "csrfToken";
+export function createCspNonceMiddleware(options = {}) {
+    const contextKey = options.contextKey || DEFAULT_CSP_CONTEXT_KEY;
+    const headerName = options.headerName || "Content-Security-Policy";
+    return async (request, context, next) => {
+        const nonce = createNonce();
+        context[contextKey] = nonce;
+        const response = await next();
+        if (!response.headers.has(headerName)) {
+            response.headers.set(headerName, resolvePolicy(options.policy, { nonce, request, context }));
+        }
+        return response;
+    };
+}
+export function getCspNonceFromContext(context, contextKey = DEFAULT_CSP_CONTEXT_KEY) {
+    const value = context[contextKey];
+    return typeof value === "string" ? value : null;
+}
+export function createCsrfMiddleware(options = {}) {
+    const cookieName = options.cookieName || "__neutron_csrf";
+    const headerName = (options.headerName || "x-csrf-token").toLowerCase();
+    const formFieldName = options.formFieldName || "_csrf";
+    const safeMethods = new Set((options.safeMethods || ["GET", "HEAD", "OPTIONS"]).map((method) => method.toUpperCase()));
+    const contextKey = options.contextKey || DEFAULT_CSRF_CONTEXT_KEY;
+    // Secure-by-default double-submit: the token is exposed to the page through
+    // context (rendered into forms / a meta tag), so the cookie itself stays
+    // HttpOnly and SameSite=Strict. This blocks JS/subdomain cookie reads while
+    // the page still has the value it needs to echo back in the header/field.
+    const cookieOptions = resolveSecureCookieOptions({
+        path: "/",
+        sameSite: "Strict",
+        httpOnly: true,
+        ...options.cookie,
+    });
+    return async (request, context, next) => {
+        const method = request.method.toUpperCase();
+        const existingToken = getCookie(request, cookieName) || "";
+        const csrfToken = existingToken || createNonce();
+        context[contextKey] = csrfToken;
+        if (!safeMethods.has(method)) {
+            if (!isSameOrigin(request)) {
+                return new Response("Invalid CSRF origin", { status: 403 });
+            }
+            // Prefer the header token; only fall back to parsing the (potentially
+            // large) form body when no header was supplied.
+            const headerToken = request.headers.get(headerName) || "";
+            const submittedToken = headerToken || (await readFormToken(request, formFieldName));
+            if (!existingToken ||
+                !submittedToken ||
+                !timingSafeEqualStr(submittedToken, existingToken)) {
+                return new Response("Invalid CSRF token", { status: 403 });
+            }
+        }
+        const response = await next();
+        if (!existingToken) {
+            response.headers.append("Set-Cookie", serializeCookie(cookieName, csrfToken, cookieOptions));
+        }
+        return response;
+    };
+}
+export function getCsrfTokenFromContext(context, contextKey = DEFAULT_CSRF_CONTEXT_KEY) {
+    const value = context[contextKey];
+    return typeof value === "string" ? value : null;
+}
+export function resolveClientIp(request, options = {}) {
+    const trustProxy = options.trustProxy ?? false;
+    if (!trustProxy) {
+        return null;
+    }
+    const maxForwardedIps = Math.max(1, options.maxForwardedIps ?? 5);
+    const forwardedHeader = (options.forwardedHeader || "x-forwarded-for").toLowerCase();
+    const cfConnectingIp = request.headers.get("cf-connecting-ip");
+    if (cfConnectingIp) {
+        return cfConnectingIp.trim();
+    }
+    const xRealIp = request.headers.get("x-real-ip");
+    if (xRealIp) {
+        return xRealIp.trim();
+    }
+    const xForwardedFor = request.headers.get(forwardedHeader);
+    if (!xForwardedFor || !trustProxy) {
+        return null;
+    }
+    const ips = xForwardedFor
+        .split(",")
+        .map((value) => value.trim())
+        .filter(Boolean)
+        .slice(-maxForwardedIps);
+    if (ips.length === 0) {
+        return null;
+    }
+    // The left-most entries are supplied by the client and cannot be trusted.
+    // Read the entry `trustedHops` from the right — the address observed by the
+    // outermost proxy we actually trust.
+    const trustedHops = Math.max(1, options.trustedHops ?? 1);
+    const index = ips.length - trustedHops;
+    return ips[Math.max(0, index)] ?? null;
+}
+export function createRateLimitMiddleware(options) {
+    const capacity = Math.max(1, Math.floor(options.capacity));
+    const refillPerSecond = Math.max(0.001, options.refillPerSecond ?? capacity);
+    const tokensPerRequest = Math.max(1, options.tokensPerRequest ?? 1);
+    const denyStatus = options.denyStatus ?? 429;
+    const maxBuckets = Math.max(1_000, Math.floor(options.maxBuckets ?? 50_000));
+    const bucketTtlMs = Math.max(1_000, Math.floor(options.bucketTtlMs ?? (capacity / refillPerSecond) * 4_000));
+    const cleanupEvery = Math.max(1, Math.floor(options.cleanupEvery ?? 128));
+    const buckets = new Map();
+    let handledRequests = 0;
+    return async (request, context, next) => {
+        const key = options.key
+            ? await options.key(request, context)
+            : resolveClientIp(request) || "anonymous";
+        const now = Date.now();
+        handledRequests += 1;
+        if (handledRequests % cleanupEvery === 0 || buckets.size > maxBuckets) {
+            pruneBuckets(buckets, now, maxBuckets, bucketTtlMs);
+        }
+        const state = buckets.get(key) || { tokens: capacity, lastRefillMs: now };
+        const elapsedSeconds = Math.max(0, (now - state.lastRefillMs) / 1000);
+        const replenished = Math.min(capacity, state.tokens + elapsedSeconds * refillPerSecond);
+        const remainingAfter = replenished - tokensPerRequest;
+        if (remainingAfter < 0) {
+            const retryAfterSec = Math.ceil((tokensPerRequest - replenished) / refillPerSecond);
+            const denied = new Response("Too Many Requests", { status: denyStatus });
+            denied.headers.set("Retry-After", String(Math.max(1, retryAfterSec)));
+            denied.headers.set("RateLimit-Limit", String(capacity));
+            denied.headers.set("RateLimit-Remaining", "0");
+            denied.headers.set("RateLimit-Reset", String(Math.max(1, retryAfterSec)));
+            buckets.set(key, { tokens: replenished, lastRefillMs: now });
+            return denied;
+        }
+        buckets.set(key, { tokens: remainingAfter, lastRefillMs: now });
+        const response = await next();
+        const resetSec = Math.ceil((capacity - remainingAfter) / refillPerSecond);
+        response.headers.set("RateLimit-Limit", String(capacity));
+        response.headers.set("RateLimit-Remaining", String(Math.floor(remainingAfter)));
+        response.headers.set("RateLimit-Reset", String(Math.max(1, resetSec)));
+        return response;
+    };
+}
+function pruneBuckets(buckets, now, maxBuckets, bucketTtlMs) {
+    if (buckets.size === 0) {
+        return;
+    }
+    for (const [key, state] of buckets) {
+        if (now - state.lastRefillMs > bucketTtlMs) {
+            buckets.delete(key);
+        }
+    }
+    if (buckets.size <= maxBuckets) {
+        return;
+    }
+    const overflow = buckets.size - maxBuckets;
+    const oldest = Array.from(buckets.entries())
+        .sort((left, right) => left[1].lastRefillMs - right[1].lastRefillMs)
+        .slice(0, overflow);
+    for (const [key] of oldest) {
+        buckets.delete(key);
+    }
+}
+export function resolveSecureCookieOptions(options = {}) {
+    const nodeEnv = options.nodeEnv || process.env.NODE_ENV || "development";
+    const isProduction = nodeEnv === "production";
+    return {
+        path: options.path ?? "/",
+        domain: options.domain,
+        httpOnly: options.httpOnly ?? true,
+        sameSite: options.sameSite ?? "Lax",
+        secure: options.secure ?? isProduction,
+        expires: options.expires,
+        maxAge: options.maxAge,
+    };
+}
+function resolvePolicy(policy, args) {
+    if (typeof policy === "function") {
+        return policy(args);
+    }
+    if (typeof policy === "string" && policy.trim().length > 0) {
+        return policy.replace(/\{\{\s*nonce\s*\}\}/g, args.nonce);
+    }
+    return [
+        "default-src 'self'",
+        `script-src 'self' 'nonce-${args.nonce}'`,
+        "style-src 'self' 'unsafe-inline'",
+        "object-src 'none'",
+        "base-uri 'self'",
+        "frame-ancestors 'none'",
+    ].join("; ");
+}
+function timingSafeEqualStr(a, b) {
+    const aBuf = Buffer.from(a, "utf8");
+    const bBuf = Buffer.from(b, "utf8");
+    if (aBuf.length !== bBuf.length) {
+        return false;
+    }
+    return timingSafeEqual(aBuf, bBuf);
+}
+function isSameOrigin(request) {
+    const source = request.headers.get("Origin") || request.headers.get("Referer");
+    if (!source) {
+        return true;
+    }
+    try {
+        return new URL(source).host === new URL(request.url).host;
+    }
+    catch {
+        return false;
+    }
+}
+async function readFormToken(request, fieldName) {
+    const contentType = request.headers.get("content-type") || "";
+    if (!contentType.includes("application/x-www-form-urlencoded") &&
+        !contentType.includes("multipart/form-data")) {
+        return "";
+    }
+    try {
+        const formData = await request.clone().formData();
+        const value = formData.get(fieldName);
+        return typeof value === "string" ? value : "";
+    }
+    catch {
+        return "";
+    }
+}
+function createNonce() {
+    const bytes = new Uint8Array(16);
+    crypto.getRandomValues(bytes);
+    return toBase64Url(bytes);
+}
+function toBase64Url(bytes) {
+    if (typeof Buffer !== "undefined") {
+        return Buffer.from(bytes)
+            .toString("base64")
+            .replace(/\+/g, "-")
+            .replace(/\//g, "_")
+            .replace(/=+$/g, "");
+    }
+    let binary = "";
+    for (const byte of bytes) {
+        binary += String.fromCharCode(byte);
+    }
+    return btoa(binary)
+        .replace(/\+/g, "-")
+        .replace(/\//g, "_")
+        .replace(/=+$/g, "");
+}
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,eAAe,EAAE,MAAM,aAAa,CAAC;AAC9C,OAAO,EACL,SAAS,EACT,eAAe,GAIhB,MAAM,qBAAqB,CAAC;AA8C7B,MAAM,uBAAuB,GAAG,UAAU,CAAC;AAC3C,MAAM,wBAAwB,GAAG,WAAW,CAAC;AAE7C,MAAM,UAAU,wBAAwB,CACtC,UAAqC,EAAE;IAEvC,MAAM,UAAU,GAAG,OAAO,CAAC,UAAU,IAAI,uBAAuB,CAAC;IACjE,MAAM,UAAU,GAAG,OAAO,CAAC,UAAU,IAAI,yBAAyB,CAAC;IAEnE,OAAO,KAAK,EAAE,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,EAAE;QACtC,MAAM,KAAK,GAAG,WAAW,EAAE,CAAC;QAC5B,OAAO,CAAC,UAAU,CAAC,GAAG,KAAK,CAAC;QAC5B,MAAM,QAAQ,GAAG,MAAM,IAAI,EAAE,CAAC;QAC9B,IAAI,CAAC,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,UAAU,CAAC,EAAE,CAAC;YACtC,QAAQ,CAAC,OAAO,CAAC,GAAG,CAClB,UAAU,EACV,aAAa,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,KAAK,EAAE,OAAO,EAAE,OAAO,EAAE,CAAC,CAC3D,CAAC;QACJ,CAAC;QACD,OAAO,QAAQ,CAAC;IAClB,CAAC,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,sBAAsB,CACpC,OAAmB,EACnB,aAAqB,uBAAuB;IAE5C,MAAM,KAAK,GAAG,OAAO,CAAC,UAAU,CAAC,CAAC;IAClC,OAAO,OAAO,KAAK,KAAK,QAAQ,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,CAAC;AAClD,CAAC;AAED,MAAM,UAAU,oBAAoB,CAClC,UAAiC,EAAE;IAEnC,MAAM,UAAU,GAAG,OAAO,CAAC,UAAU,IAAI,gBAAgB,CAAC;IAC1D,MAAM,UAAU,GAAG,CAAC,OAAO,CAAC,UAAU,IAAI,cAAc,CAAC,CAAC,WAAW,EAAE,CAAC;IACxE,MAAM,aAAa,GAAG,OAAO,CAAC,aAAa,IAAI,OAAO,CAAC;IACvD,MAAM,WAAW,GAAG,IAAI,GAAG,CACzB,CAAC,OAAO,CAAC,WAAW,IAAI,CAAC,KAAK,EAAE,MAAM,EAAE,SAAS,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,MAAM,EAAE,EAAE,CACjE,MAAM,CAAC,WAAW,EAAE,CACrB,CACF,CAAC;IACF,MAAM,UAAU,GAAG,OAAO,CAAC,UAAU,IAAI,wBAAwB,CAAC;IAClE,4EAA4E;IAC5E,yEAAyE;IACzE,4EAA4E;IAC5E,0EAA0E;IAC1E,MAAM,aAAa,GAAG,0BAA0B,CAAC;QAC/C,IAAI,EAAE,GAAG;QACT,QAAQ,EAAE,QAAQ;QAClB,QAAQ,EAAE,IAAI;QACd,GAAG,OAAO,CAAC,MAAM;KAClB,CAAC,CAAC;IAEH,OAAO,KAAK,EAAE,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,EAAE;QACtC,MAAM,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,WAAW,EAAE,CAAC;QAC5C,MAAM,aAAa,GAAG,SAAS,CAAC,OAAO,EAAE,UAAU,CAAC,IAAI,EAAE,CAAC;QAC3D,MAAM,SAAS,GAAG,aAAa,IAAI,WAAW,EAAE,CAAC;QACjD,OAAO,CAAC,UAAU,CAAC,GAAG,SAAS,CAAC;QAEhC,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC;YAC7B,IAAI,CAAC,YAAY,CAAC,OAAO,CAAC,EAAE,CAAC;gBAC3B,OAAO,IAAI,QAAQ,CAAC,qBAAqB,EAAE,EAAE,MAAM,EAAE,GAAG,EAAE,CAAC,CAAC;YAC9D,CAAC;YACD,sEAAsE;YACtE,gDAAgD;YAChD,MAAM,WAAW,GAAG,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,UAAU,CAAC,IAAI,EAAE,CAAC;YAC1D,MAAM,cAAc,GAClB,WAAW,IAAI,CAAC,MAAM,aAAa,CAAC,OAAO,EAAE,aAAa,CAAC,CAAC,CAAC;YAC/D,IACE,CAAC,aAAa;gBACd,CAAC,cAAc;gBACf,CAAC,kBAAkB,CAAC,cAAc,EAAE,aAAa,CAAC,EAClD,CAAC;gBACD,OAAO,IAAI,QAAQ,CAAC,oBAAoB,EAAE,EAAE,MAAM,EAAE,GAAG,EAAE,CAAC,CAAC;YAC7D,CAAC;QACH,CAAC;QAED,MAAM,QAAQ,GAAG,MAAM,IAAI,EAAE,CAAC;QAC9B,IAAI,CAAC,aAAa,EAAE,CAAC;YACnB,QAAQ,CAAC,OAAO,CAAC,MAAM,CACrB,YAAY,EACZ,eAAe,CAAC,UAAU,EAAE,SAAS,EAAE,aAAa,CAAC,CACtD,CAAC;QACJ,CAAC;QACD,OAAO,QAAQ,CAAC;IAClB,CAAC,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,uBAAuB,CACrC,OAAmB,EACnB,aAAqB,wBAAwB;IAE7C,MAAM,KAAK,GAAG,OAAO,CAAC,UAAU,CAAC,CAAC;IAClC,OAAO,OAAO,KAAK,KAAK,QAAQ,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,CAAC;AAClD,CAAC;AAED,MAAM,UAAU,eAAe,CAC7B,OAAgB,EAChB,UAA+B,EAAE;IAEjC,MAAM,UAAU,GAAG,OAAO,CAAC,UAAU,IAAI,KAAK,CAAC;IAC/C,IAAI,CAAC,UAAU,EAAE,CAAC;QAChB,OAAO,IAAI,CAAC;IACd,CAAC;IAED,MAAM,eAAe,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,OAAO,CAAC,eAAe,IAAI,CAAC,CAAC,CAAC;IAClE,MAAM,eAAe,GAAG,CAAC,OAAO,CAAC,eAAe,IAAI,iBAAiB,CAAC,CAAC,WAAW,EAAE,CAAC;IAErF,MAAM,cAAc,GAAG,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,kBAAkB,CAAC,CAAC;IAC/D,IAAI,cAAc,EAAE,CAAC;QACnB,OAAO,cAAc,CAAC,IAAI,EAAE,CAAC;IAC/B,CAAC;IAED,MAAM,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,WAAW,CAAC,CAAC;IACjD,IAAI,OAAO,EAAE,CAAC;QACZ,OAAO,OAAO,CAAC,IAAI,EAAE,CAAC;IACxB,CAAC;IAED,MAAM,aAAa,GAAG,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC,CAAC;IAC3D,IAAI,CAAC,aAAa,IAAI,CAAC,UAAU,EAAE,CAAC;QAClC,OAAO,IAAI,CAAC;IACd,CAAC;IAED,MAAM,GAAG,GAAG,aAAa;SACtB,KAAK,CAAC,GAAG,CAAC;SACV,GAAG,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC;SAC5B,MAAM,CAAC,OAAO,CAAC;SACf,KAAK,CAAC,CAAC,eAAe,CAAC,CAAC;IAE3B,IAAI,GAAG,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACrB,OAAO,IAAI,CAAC;IACd,CAAC;IAED,0EAA0E;IAC1E,4EAA4E;IAC5E,qCAAqC;IACrC,MAAM,WAAW,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,OAAO,CAAC,WAAW,IAAI,CAAC,CAAC,CAAC;IAC1D,MAAM,KAAK,GAAG,GAAG,CAAC,MAAM,GAAG,WAAW,CAAC;IACvC,OAAO,GAAG,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,KAAK,CAAC,CAAC,IAAI,IAAI,CAAC;AACzC,CAAC;AAED,MAAM,UAAU,yBAAyB,CACvC,OAAmC;IAEnC,MAAM,QAAQ,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC,CAAC;IAC3D,MAAM,eAAe,GAAG,IAAI,CAAC,GAAG,CAAC,KAAK,EAAE,OAAO,CAAC,eAAe,IAAI,QAAQ,CAAC,CAAC;IAC7E,MAAM,gBAAgB,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,OAAO,CAAC,gBAAgB,IAAI,CAAC,CAAC,CAAC;IACpE,MAAM,UAAU,GAAG,OAAO,CAAC,UAAU,IAAI,GAAG,CAAC;IAC7C,MAAM,UAAU,GAAG,IAAI,CAAC,GAAG,CAAC,KAAK,EAAE,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,UAAU,IAAI,MAAM,CAAC,CAAC,CAAC;IAC7E,MAAM,WAAW,GAAG,IAAI,CAAC,GAAG,CAC1B,KAAK,EACL,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,WAAW,IAAI,CAAC,QAAQ,GAAG,eAAe,CAAC,GAAG,KAAK,CAAC,CACxE,CAAC;IACF,MAAM,YAAY,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,YAAY,IAAI,GAAG,CAAC,CAAC,CAAC;IAC1E,MAAM,OAAO,GAAG,IAAI,GAAG,EAAoD,CAAC;IAC5E,IAAI,eAAe,GAAG,CAAC,CAAC;IAExB,OAAO,KAAK,EAAE,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,EAAE;QACtC,MAAM,GAAG,GAAG,OAAO,CAAC,GAAG;YACrB,CAAC,CAAC,MAAM,OAAO,CAAC,GAAG,CAAC,OAAO,EAAE,OAAO,CAAC;YACrC,CAAC,CAAC,eAAe,CAAC,OAAO,CAAC,IAAI,WAAW,CAAC;QAC5C,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QACvB,eAAe,IAAI,CAAC,CAAC;QACrB,IAAI,eAAe,GAAG,YAAY,KAAK,CAAC,IAAI,OAAO,CAAC,IAAI,GAAG,UAAU,EAAE,CAAC;YACtE,YAAY,CAAC,OAAO,EAAE,GAAG,EAAE,UAAU,EAAE,WAAW,CAAC,CAAC;QACtD,CAAC;QAED,MAAM,KAAK,GAAG,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC,IAAI,EAAE,MAAM,EAAE,QAAQ,EAAE,YAAY,EAAE,GAAG,EAAE,CAAC;QAC1E,MAAM,cAAc,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,CAAC,GAAG,GAAG,KAAK,CAAC,YAAY,CAAC,GAAG,IAAI,CAAC,CAAC;QACtE,MAAM,WAAW,GAAG,IAAI,CAAC,GAAG,CAAC,QAAQ,EAAE,KAAK,CAAC,MAAM,GAAG,cAAc,GAAG,eAAe,CAAC,CAAC;QACxF,MAAM,cAAc,GAAG,WAAW,GAAG,gBAAgB,CAAC;QAEtD,IAAI,cAAc,GAAG,CAAC,EAAE,CAAC;YACvB,MAAM,aAAa,GAAG,IAAI,CAAC,IAAI,CAAC,CAAC,gBAAgB,GAAG,WAAW,CAAC,GAAG,eAAe,CAAC,CAAC;YACpF,MAAM,MAAM,GAAG,IAAI,QAAQ,CAAC,mBAAmB,EAAE,EAAE,MAAM,EAAE,UAAU,EAAE,CAAC,CAAC;YACzE,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,aAAa,EAAE,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,aAAa,CAAC,CAAC,CAAC,CAAC;YACtE,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,iBAAiB,EAAE,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC;YACxD,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,qBAAqB,EAAE,GAAG,CAAC,CAAC;YAC/C,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,iBAAiB,EAAE,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,aAAa,CAAC,CAAC,CAAC,CAAC;YAC1E,OAAO,CAAC,GAAG,CAAC,GAAG,EAAE,EAAE,MAAM,EAAE,WAAW,EAAE,YAAY,EAAE,GAAG,EAAE,CAAC,CAAC;YAC7D,OAAO,MAAM,CAAC;QAChB,CAAC;QAED,OAAO,CAAC,GAAG,CAAC,GAAG,EAAE,EAAE,MAAM,EAAE,cAAc,EAAE,YAAY,EAAE,GAAG,EAAE,CAAC,CAAC;QAChE,MAAM,QAAQ,GAAG,MAAM,IAAI,EAAE,CAAC;QAC9B,MAAM,QAAQ,GAAG,IAAI,CAAC,IAAI,CAAC,CAAC,QAAQ,GAAG,cAAc,CAAC,GAAG,eAAe,CAAC,CAAC;QAC1E,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,iBAAiB,EAAE,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC;QAC1D,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,qBAAqB,EAAE,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,cAAc,CAAC,CAAC,CAAC,CAAC;QAChF,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,iBAAiB,EAAE,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,QAAQ,CAAC,CAAC,CAAC,CAAC;QACvE,OAAO,QAAQ,CAAC;IAClB,CAAC,CAAC;AACJ,CAAC;AAED,SAAS,YAAY,CACnB,OAA8D,EAC9D,GAAW,EACX,UAAkB,EAClB,WAAmB;IAEnB,IAAI,OAAO,CAAC,IAAI,KAAK,CAAC,EAAE,CAAC;QACvB,OAAO;IACT,CAAC;IAED,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,OAAO,EAAE,CAAC;QACnC,IAAI,GAAG,GAAG,KAAK,CAAC,YAAY,GAAG,WAAW,EAAE,CAAC;YAC3C,OAAO,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;QACtB,CAAC;IACH,CAAC;IAED,IAAI,OAAO,CAAC,IAAI,IAAI,UAAU,EAAE,CAAC;QAC/B,OAAO;IACT,CAAC;IAED,MAAM,QAAQ,GAAG,OAAO,CAAC,IAAI,GAAG,UAAU,CAAC;IAC3C,MAAM,MAAM,GAAG,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,OAAO,EAAE,CAAC;SACzC,IAAI,CAAC,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,YAAY,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC,YAAY,CAAC;SACnE,KAAK,CAAC,CAAC,EAAE,QAAQ,CAAC,CAAC;IACtB,KAAK,MAAM,CAAC,GAAG,CAAC,IAAI,MAAM,EAAE,CAAC;QAC3B,OAAO,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;IACtB,CAAC;AACH,CAAC;AAED,MAAM,UAAU,0BAA0B,CACxC,UAAuC,EAAE;IAEzC,MAAM,OAAO,GAAG,OAAO,CAAC,OAAO,IAAI,OAAO,CAAC,GAAG,CAAC,QAAQ,IAAI,aAAa,CAAC;IACzE,MAAM,YAAY,GAAG,OAAO,KAAK,YAAY,CAAC;IAC9C,OAAO;QACL,IAAI,EAAE,OAAO,CAAC,IAAI,IAAI,GAAG;QACzB,MAAM,EAAE,OAAO,CAAC,MAAM;QACtB,QAAQ,EAAE,OAAO,CAAC,QAAQ,IAAI,IAAI;QAClC,QAAQ,EAAE,OAAO,CAAC,QAAQ,IAAI,KAAK;QACnC,MAAM,EAAE,OAAO,CAAC,MAAM,IAAI,YAAY;QACtC,OAAO,EAAE,OAAO,CAAC,OAAO;QACxB,MAAM,EAAE,OAAO,CAAC,MAAM;KACvB,CAAC;AACJ,CAAC;AAED,SAAS,aAAa,CACpB,MAA2C,EAC3C,IAA8D;IAE9D,IAAI,OAAO,MAAM,KAAK,UAAU,EAAE,CAAC;QACjC,OAAO,MAAM,CAAC,IAAI,CAAC,CAAC;IACtB,CAAC;IACD,IAAI,OAAO,MAAM,KAAK,QAAQ,IAAI,MAAM,CAAC,IAAI,EAAE,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC3D,OAAO,MAAM,CAAC,OAAO,CAAC,sBAAsB,EAAE,IAAI,CAAC,KAAK,CAAC,CAAC;IAC5D,CAAC;IAED,OAAO;QACL,oBAAoB;QACpB,4BAA4B,IAAI,CAAC,KAAK,GAAG;QACzC,kCAAkC;QAClC,mBAAmB;QACnB,iBAAiB;QACjB,wBAAwB;KACzB,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AACf,CAAC;AAED,SAAS,kBAAkB,CAAC,CAAS,EAAE,CAAS;IAC9C,MAAM,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC,CAAC,EAAE,MAAM,CAAC,CAAC;IACpC,MAAM,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC,CAAC,EAAE,MAAM,CAAC,CAAC;IACpC,IAAI,IAAI,CAAC,MAAM,KAAK,IAAI,CAAC,MAAM,EAAE,CAAC;QAChC,OAAO,KAAK,CAAC;IACf,CAAC;IACD,OAAO,eAAe,CAAC,IAAI,EAAE,IAAI,CAAC,CAAC;AACrC,CAAC;AAED,SAAS,YAAY,CAAC,OAAgB;IACpC,MAAM,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAC,IAAI,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;IAC/E,IAAI,CAAC,MAAM,EAAE,CAAC;QACZ,OAAO,IAAI,CAAC;IACd,CAAC;IACD,IAAI,CAAC;QACH,OAAO,IAAI,GAAG,CAAC,MAAM,CAAC,CAAC,IAAI,KAAK,IAAI,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;IAC5D,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC;AAED,KAAK,UAAU,aAAa,CAC1B,OAAgB,EAChB,SAAiB;IAEjB,MAAM,WAAW,GAAG,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,cAAc,CAAC,IAAI,EAAE,CAAC;IAC9D,IAAI,CAAC,WAAW,CAAC,QAAQ,CAAC,mCAAmC,CAAC;QAC1D,CAAC,WAAW,CAAC,QAAQ,CAAC,qBAAqB,CAAC,EAAE,CAAC;QACjD,OAAO,EAAE,CAAC;IACZ,CAAC;IAED,IAAI,CAAC;QACH,MAAM,QAAQ,GAAG,MAAM,OAAO,CAAC,KAAK,EAAE,CAAC,QAAQ,EAAE,CAAC;QAClD,MAAM,KAAK,GAAG,QAAQ,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;QACtC,OAAO,OAAO,KAAK,KAAK,QAAQ,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,CAAC;IAChD,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,CAAC;IACZ,CAAC;AACH,CAAC;AAED,SAAS,WAAW;IAClB,MAAM,KAAK,GAAG,IAAI,UAAU,CAAC,EAAE,CAAC,CAAC;IACjC,MAAM,CAAC,eAAe,CAAC,KAAK,CAAC,CAAC;IAC9B,OAAO,WAAW,CAAC,KAAK,CAAC,CAAC;AAC5B,CAAC;AAED,SAAS,WAAW,CAAC,KAAiB;IACpC,IAAI,OAAO,MAAM,KAAK,WAAW,EAAE,CAAC;QAClC,OAAO,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC;aACtB,QAAQ,CAAC,QAAQ,CAAC;aAClB,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC;aACnB,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC;aACnB,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;IACzB,CAAC;IAED,IAAI,MAAM,GAAG,EAAE,CAAC;IAChB,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;QACzB,MAAM,IAAI,MAAM,CAAC,YAAY,CAAC,IAAI,CAAC,CAAC;IACtC,CAAC;IACD,OAAO,IAAI,CAAC,MAAM,CAAC;SAChB,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC;SACnB,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC;SACnB,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;AACzB,CAAC"}

package/package.json

@@ -0,0 +1,53 @@
+{
+  "name": "@neutron-build/security",
+  "version": "0.1.0",
+  "description": "Security middleware for Neutron. CSP, CSRF protection, rate limiting, and secure cookie defaults.",
+  "author": "Tyler",
+  "license": "MIT",
+  "homepage": "https://neutron.build",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/neutron-build/neutron",
+    "directory": "typescript/packages/neutron-security"
+  },
+  "keywords": [
+    "neutron",
+    "security",
+    "csp",
+    "csrf",
+    "rate-limiting",
+    "middleware"
+  ],
+  "type": "module",
+  "exports": {
+    ".": {
+      "types": "./dist/index.d.ts",
+      "import": "./dist/index.js"
+    }
+  },
+  "files": [
+    "dist",
+    "!dist/**/*.test.*"
+  ],
+  "dependencies": {
+    "@neutron-build/core": "0.1.0"
+  },
+  "devDependencies": {
+    "@types/node": "^22.10.7",
+    "typescript": "^5.7.2"
+  },
+  "publishConfig": {
+    "access": "public"
+  },
+  "peerDependencies": {},
+  "engines": {
+    "node": ">=20"
+  },
+  "sideEffects": false,
+  "scripts": {
+    "build": "tsc",
+    "dev": "tsc --watch",
+    "lint": "tsc --noEmit --pretty false",
+    "test": "pnpm run build && node --test --experimental-test-isolation=none dist/index.test.js"
+  }
+}