@olane/o-server 0.8.0 → 0.8.1

package/dist/src/interfaces/server-config.interface.d.ts

@@ -1,11 +1,31 @@
 import { oCore } from '@olane/o-core';
 import { Request } from 'express';
 import { CorsOptions } from 'cors';
+import { Algorithm } from 'jsonwebtoken';
 export interface AuthUser {
     userId?: string;
     [key: string]: any;
 }
 export type AuthenticateFunction = (req: Request) => Promise<AuthUser>;
+/**
+ * JWT authentication configuration
+ */
+export interface JwtAuthConfig {
+    /** JWT verification method: 'publicKey' (RS256) or 'secret' (HS256) */
+    method: 'publicKey' | 'secret';
+    /** Secret key for HS256 verification (required if method='secret') */
+    secret?: string;
+    /** Path to public key PEM file for RS256 verification (required if method='publicKey') */
+    publicKeyPath?: string;
+    /** Expected issuer (iss claim) - optional */
+    issuer?: string;
+    /** Expected audience (aud claim) - optional */
+    audience?: string;
+    /** Allowed algorithms - defaults to ['RS256'] for publicKey, ['HS256'] for secret */
+    algorithms?: Algorithm[];
+    /** Clock tolerance in seconds for exp/nbf validation - default 0 */
+    clockTolerance?: number;
+}
 export interface ServerConfig {
     /** Node instance (any oCore-based node with 'use' method) */
     node: oCore;
@@ -15,8 +35,34 @@ export interface ServerConfig {
     basePath?: string;
     /** CORS configuration */
     cors?: CorsOptions;
-    /** Authentication middleware */
+    /**
+     * @deprecated Use jwtAuth instead. Authentication middleware will be removed in future versions.
+     * JWT authentication is now mandatory (except for /health endpoint).
+     */
     authenticate?: AuthenticateFunction;
+    /**
+     * JWT authentication configuration.
+     * When provided, JWT verification will be enforced on all routes except /health.
+     *
+     * @example
+     * ```typescript
+     * // RS256 with public key
+     * jwtAuth: {
+     *   method: 'publicKey',
+     *   publicKeyPath: '/path/to/public-key.pem',
+     *   issuer: 'https://auth.example.com',
+     *   audience: 'https://api.example.com'
+     * }
+     *
+     * // HS256 with secret
+     * jwtAuth: {
+     *   method: 'secret',
+     *   secret: 'your-secret-key',
+     *   clockTolerance: 5
+     * }
+     * ```
+     */
+    jwtAuth?: JwtAuthConfig;
     /** Enable debug logging */
     debug?: boolean;
 }

package/dist/src/interfaces/server-config.interface.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"server-config.interface.d.ts","sourceRoot":"","sources":["../../../src/interfaces/server-config.interface.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,KAAK,EAAE,MAAM,eAAe,CAAC;AACtC,OAAO,EAAE,OAAO,EAAE,MAAM,SAAS,CAAC;AAClC,OAAO,EAAE,WAAW,EAAE,MAAM,MAAM,CAAC;AAEnC,MAAM,WAAW,QAAQ;IACvB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,CAAC,GAAG,EAAE,MAAM,GAAG,GAAG,CAAC;CACpB;AAED,MAAM,MAAM,oBAAoB,GAAG,CAAC,GAAG,EAAE,OAAO,KAAK,OAAO,CAAC,QAAQ,CAAC,CAAC;AAEvE,MAAM,WAAW,YAAY;IAC3B,6DAA6D;IAC7D,IAAI,EAAE,KAAK,CAAC;IAEZ,kCAAkC;IAClC,IAAI,CAAC,EAAE,MAAM,CAAC;IAEd,oDAAoD;IACpD,QAAQ,CAAC,EAAE,MAAM,CAAC;IAElB,yBAAyB;IACzB,IAAI,CAAC,EAAE,WAAW,CAAC;IAEnB,gCAAgC;IAChC,YAAY,CAAC,EAAE,oBAAoB,CAAC;IAEpC,2BAA2B;IAC3B,KAAK,CAAC,EAAE,OAAO,CAAC;CACjB;AAED,MAAM,WAAW,cAAc;IAC7B,2BAA2B;IAC3B,GAAG,EAAE,GAAG,CAAC;IAET,uBAAuB;IACvB,KAAK,IAAI,OAAO,CAAC,IAAI,CAAC,CAAC;IAEvB,sBAAsB;IACtB,IAAI,IAAI,OAAO,CAAC,IAAI,CAAC,CAAC;CACvB"}
+{"version":3,"file":"server-config.interface.d.ts","sourceRoot":"","sources":["../../../src/interfaces/server-config.interface.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,KAAK,EAAE,MAAM,eAAe,CAAC;AACtC,OAAO,EAAE,OAAO,EAAE,MAAM,SAAS,CAAC;AAClC,OAAO,EAAE,WAAW,EAAE,MAAM,MAAM,CAAC;AACnC,OAAO,EAAE,SAAS,EAAE,MAAM,cAAc,CAAC;AAEzC,MAAM,WAAW,QAAQ;IACvB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,CAAC,GAAG,EAAE,MAAM,GAAG,GAAG,CAAC;CACpB;AAED,MAAM,MAAM,oBAAoB,GAAG,CAAC,GAAG,EAAE,OAAO,KAAK,OAAO,CAAC,QAAQ,CAAC,CAAC;AAEvE;;GAEG;AACH,MAAM,WAAW,aAAa;IAC5B,uEAAuE;IACvE,MAAM,EAAE,WAAW,GAAG,QAAQ,CAAC;IAE/B,sEAAsE;IACtE,MAAM,CAAC,EAAE,MAAM,CAAC;IAEhB,0FAA0F;IAC1F,aAAa,CAAC,EAAE,MAAM,CAAC;IAEvB,6CAA6C;IAC7C,MAAM,CAAC,EAAE,MAAM,CAAC;IAEhB,+CAA+C;IAC/C,QAAQ,CAAC,EAAE,MAAM,CAAC;IAElB,qFAAqF;IACrF,UAAU,CAAC,EAAE,SAAS,EAAE,CAAC;IAEzB,oEAAoE;IACpE,cAAc,CAAC,EAAE,MAAM,CAAC;CACzB;AAED,MAAM,WAAW,YAAY;IAC3B,6DAA6D;IAC7D,IAAI,EAAE,KAAK,CAAC;IAEZ,kCAAkC;IAClC,IAAI,CAAC,EAAE,MAAM,CAAC;IAEd,oDAAoD;IACpD,QAAQ,CAAC,EAAE,MAAM,CAAC;IAElB,yBAAyB;IACzB,IAAI,CAAC,EAAE,WAAW,CAAC;IAEnB;;;OAGG;IACH,YAAY,CAAC,EAAE,oBAAoB,CAAC;IAEpC;;;;;;;;;;;;;;;;;;;;;OAqBG;IACH,OAAO,CAAC,EAAE,aAAa,CAAC;IAExB,2BAA2B;IAC3B,KAAK,CAAC,EAAE,OAAO,CAAC;CACjB;AAED,MAAM,WAAW,cAAc;IAC7B,2BAA2B;IAC3B,GAAG,EAAE,GAAG,CAAC;IAET,uBAAuB;IACvB,KAAK,IAAI,OAAO,CAAC,IAAI,CAAC,CAAC;IAEvB,sBAAsB;IACtB,IAAI,IAAI,OAAO,CAAC,IAAI,CAAC,CAAC;CACvB"}

package/dist/src/middleware/error-handler.d.ts

@@ -4,5 +4,14 @@ export interface OlaneError extends Error {
     status?: number;
     details?: any;
 }
+/**
+ * Sanitizes error message for production use
+ * Removes sensitive information and returns a generic message
+ */
+export declare function sanitizeErrorMessage(code: string, originalMessage: string): string;
+/**
+ * Global error handler middleware
+ * Sanitizes errors for production and provides detailed errors in development
+ */
 export declare function errorHandler(err: OlaneError, req: Request, res: Response, next: NextFunction): void;
 //# sourceMappingURL=error-handler.d.ts.map

package/dist/src/middleware/error-handler.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"error-handler.d.ts","sourceRoot":"","sources":["../../../src/middleware/error-handler.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,OAAO,EAAE,QAAQ,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AAG1D,MAAM,WAAW,UAAW,SAAQ,KAAK;IACvC,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,OAAO,CAAC,EAAE,GAAG,CAAC;CACf;AAED,wBAAgB,YAAY,CAC1B,GAAG,EAAE,UAAU,EACf,GAAG,EAAE,OAAO,EACZ,GAAG,EAAE,QAAQ,EACb,IAAI,EAAE,YAAY,QAenB"}
+{"version":3,"file":"error-handler.d.ts","sourceRoot":"","sources":["../../../src/middleware/error-handler.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,OAAO,EAAE,QAAQ,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AAG1D,MAAM,WAAW,UAAW,SAAQ,KAAK;IACvC,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,OAAO,CAAC,EAAE,GAAG,CAAC;CACf;AA0BD;;;GAGG;AACH,wBAAgB,oBAAoB,CAAC,IAAI,EAAE,MAAM,EAAE,eAAe,EAAE,MAAM,GAAG,MAAM,CAQlF;AAED;;;GAGG;AACH,wBAAgB,YAAY,CAC1B,GAAG,EAAE,UAAU,EACf,GAAG,EAAE,OAAO,EACZ,GAAG,EAAE,QAAQ,EACb,IAAI,EAAE,YAAY,QAuBnB"}

package/dist/src/middleware/error-handler.js

@@ -1,11 +1,57 @@
+/**
+ * Map of error codes to production-safe error messages
+ * These messages are generic and don't leak sensitive information
+ */
+const PRODUCTION_ERROR_MESSAGES = {
+    NODE_NOT_FOUND: 'The requested resource was not found',
+    TOOL_NOT_FOUND: 'The requested tool was not found',
+    INVALID_PARAMS: 'Invalid parameters provided',
+    TIMEOUT: 'The request timed out',
+    EXECUTION_ERROR: 'An error occurred while processing your request',
+    INTERNAL_ERROR: 'An internal error occurred',
+    UNAUTHORIZED: 'Unauthorized access',
+    FORBIDDEN: 'Access forbidden',
+    // JWT-specific error codes
+    MISSING_TOKEN: 'Authentication required',
+    INVALID_TOKEN_FORMAT: 'Invalid authentication format',
+    TOKEN_EXPIRED: 'Authentication token has expired',
+    TOKEN_NOT_ACTIVE: 'Authentication token not yet valid',
+    INVALID_TOKEN: 'Invalid authentication token',
+    // Input validation error codes
+    INVALID_ADDRESS: 'Invalid address format',
+    INVALID_METHOD: 'Invalid method name',
+};
+/**
+ * Sanitizes error message for production use
+ * Removes sensitive information and returns a generic message
+ */
+export function sanitizeErrorMessage(code, originalMessage) {
+    // In production, use generic messages from the map
+    if (process.env.NODE_ENV !== 'development') {
+        return PRODUCTION_ERROR_MESSAGES[code] || PRODUCTION_ERROR_MESSAGES.INTERNAL_ERROR;
+    }
+    // In development, return the original message
+    return originalMessage;
+}
+/**
+ * Global error handler middleware
+ * Sanitizes errors for production and provides detailed errors in development
+ */
 export function errorHandler(err, req, res, next) {
-    console.error('[o-server] Error:', err);
+    // Log the full error server-side (never sent to client)
+    console.error('[o-server] Error:', {
+        message: err.message,
+        code: err.code,
+        stack: err.stack,
+        details: err.details,
+    });
     const status = err.status || 500;
+    const errorCode = err.code || 'INTERNAL_ERROR';
     const errorResponse = {
         success: false,
         error: {
-            code: err.code || 'INTERNAL_ERROR',
-            message: err.message || 'An internal error occurred',
+            code: errorCode,
+            message: sanitizeErrorMessage(errorCode, err.message || 'An internal error occurred'),
             details: process.env.NODE_ENV === 'development' ? err.details : undefined,
         },
     };

package/dist/src/middleware/jwt-auth.d.ts

@@ -0,0 +1,54 @@
+import { Request, Response, NextFunction } from 'express';
+import jwt from 'jsonwebtoken';
+/**
+ * JWT verification configuration
+ */
+export interface JwtConfig {
+    /** JWT verification method: 'publicKey' (RS256) or 'secret' (HS256) */
+    method: 'publicKey' | 'secret';
+    /** Secret key for HS256 verification (required if method='secret') */
+    secret?: string;
+    /** Path to public key PEM file for RS256 verification (required if method='publicKey') */
+    publicKeyPath?: string;
+    /** Expected issuer (iss claim) - optional */
+    issuer?: string;
+    /** Expected audience (aud claim) - optional */
+    audience?: string;
+    /** Allowed algorithms - defaults to ['RS256'] for publicKey, ['HS256'] for secret */
+    algorithms?: jwt.Algorithm[];
+    /** Clock tolerance in seconds for exp/nbf validation - default 0 */
+    clockTolerance?: number;
+}
+/**
+ * JWT token payload added to Express request
+ */
+export interface JwtPayload {
+    sub?: string;
+    iss?: string;
+    aud?: string | string[];
+    exp?: number;
+    nbf?: number;
+    iat?: number;
+    [key: string]: any;
+}
+declare global {
+    namespace Express {
+        interface Request {
+            jwt?: JwtPayload;
+        }
+    }
+}
+/**
+ * Creates JWT authentication middleware
+ *
+ * @param config - JWT configuration
+ * @returns Express middleware function
+ *
+ * @throws {OlaneError} MISSING_TOKEN - No Authorization header present
+ * @throws {OlaneError} INVALID_TOKEN_FORMAT - Malformed token (not "Bearer <token>")
+ * @throws {OlaneError} TOKEN_EXPIRED - Token exp claim in the past
+ * @throws {OlaneError} TOKEN_NOT_ACTIVE - Token nbf claim in the future
+ * @throws {OlaneError} INVALID_TOKEN - Signature verification failed or invalid structure
+ */
+export declare function createJwtMiddleware(config: JwtConfig): (req: Request, res: Response, next: NextFunction) => Promise<void>;
+//# sourceMappingURL=jwt-auth.d.ts.map

package/dist/src/middleware/jwt-auth.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"jwt-auth.d.ts","sourceRoot":"","sources":["../../../src/middleware/jwt-auth.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,OAAO,EAAE,QAAQ,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AAC1D,OAAO,GAAG,MAAM,cAAc,CAAC;AAI/B;;GAEG;AACH,MAAM,WAAW,SAAS;IACxB,uEAAuE;IACvE,MAAM,EAAE,WAAW,GAAG,QAAQ,CAAC;IAE/B,sEAAsE;IACtE,MAAM,CAAC,EAAE,MAAM,CAAC;IAEhB,0FAA0F;IAC1F,aAAa,CAAC,EAAE,MAAM,CAAC;IAEvB,6CAA6C;IAC7C,MAAM,CAAC,EAAE,MAAM,CAAC;IAEhB,+CAA+C;IAC/C,QAAQ,CAAC,EAAE,MAAM,CAAC;IAElB,qFAAqF;IACrF,UAAU,CAAC,EAAE,GAAG,CAAC,SAAS,EAAE,CAAC;IAE7B,oEAAoE;IACpE,cAAc,CAAC,EAAE,MAAM,CAAC;CACzB;AAED;;GAEG;AACH,MAAM,WAAW,UAAU;IACzB,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,GAAG,CAAC,EAAE,MAAM,GAAG,MAAM,EAAE,CAAC;IACxB,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,CAAC,GAAG,EAAE,MAAM,GAAG,GAAG,CAAC;CACpB;AAGD,OAAO,CAAC,MAAM,CAAC;IACb,UAAU,OAAO,CAAC;QAChB,UAAU,OAAO;YACf,GAAG,CAAC,EAAE,UAAU,CAAC;SAClB;KACF;CACF;AAED;;;;;;;;;;;GAWG;AACH,wBAAgB,mBAAmB,CAAC,MAAM,EAAE,SAAS,SA4ChC,OAAO,OAAO,QAAQ,QAAQ,YAAY,mBAyG9D"}

package/dist/src/middleware/jwt-auth.js

@@ -0,0 +1,145 @@
+import jwt from 'jsonwebtoken';
+import { readFileSync } from 'fs';
+/**
+ * Creates JWT authentication middleware
+ *
+ * @param config - JWT configuration
+ * @returns Express middleware function
+ *
+ * @throws {OlaneError} MISSING_TOKEN - No Authorization header present
+ * @throws {OlaneError} INVALID_TOKEN_FORMAT - Malformed token (not "Bearer <token>")
+ * @throws {OlaneError} TOKEN_EXPIRED - Token exp claim in the past
+ * @throws {OlaneError} TOKEN_NOT_ACTIVE - Token nbf claim in the future
+ * @throws {OlaneError} INVALID_TOKEN - Signature verification failed or invalid structure
+ */
+export function createJwtMiddleware(config) {
+    // Validate configuration
+    if (!config.method) {
+        throw new Error('JWT method is required (publicKey or secret)');
+    }
+    if (config.method === 'secret' && !config.secret) {
+        throw new Error('JWT secret is required when method is "secret"');
+    }
+    if (config.method === 'publicKey' && !config.publicKeyPath) {
+        throw new Error('JWT publicKeyPath is required when method is "publicKey"');
+    }
+    // Load verification key
+    let verificationKey;
+    if (config.method === 'publicKey') {
+        try {
+            verificationKey = readFileSync(config.publicKeyPath, 'utf8');
+        }
+        catch (error) {
+            throw new Error(`Failed to read public key file: ${error.message}`);
+        }
+    }
+    else {
+        verificationKey = config.secret;
+    }
+    // Set default algorithms based on method
+    const algorithms = config.algorithms || (config.method === 'publicKey' ? ['RS256'] : ['HS256']);
+    // Build verify options
+    const verifyOptions = {
+        algorithms,
+        clockTolerance: config.clockTolerance || 0,
+    };
+    if (config.issuer) {
+        verifyOptions.issuer = config.issuer;
+    }
+    if (config.audience) {
+        verifyOptions.audience = config.audience;
+    }
+    // Return middleware function
+    return async (req, res, next) => {
+        try {
+            // Extract Authorization header
+            const authHeader = req.headers.authorization;
+            if (!authHeader) {
+                const error = new Error('No authorization token provided');
+                error.code = 'MISSING_TOKEN';
+                error.status = 401;
+                throw error;
+            }
+            // Validate Bearer format
+            const parts = authHeader.split(' ');
+            if (parts.length !== 2 || parts[0] !== 'Bearer') {
+                const error = new Error('Invalid authorization format. Expected: Bearer <token>');
+                error.code = 'INVALID_TOKEN_FORMAT';
+                error.status = 401;
+                throw error;
+            }
+            const token = parts[1];
+            // Verify token
+            try {
+                const decoded = jwt.verify(token, verificationKey, verifyOptions);
+                // Additional validation for standard claims
+                const now = Math.floor(Date.now() / 1000);
+                // Check expiration (if not already checked by jwt.verify)
+                if (decoded.exp && decoded.exp <= now - (config.clockTolerance || 0)) {
+                    const error = new Error('Token has expired');
+                    error.code = 'TOKEN_EXPIRED';
+                    error.status = 401;
+                    throw error;
+                }
+                // Check not before
+                if (decoded.nbf && decoded.nbf > now + (config.clockTolerance || 0)) {
+                    const error = new Error('Token is not yet valid');
+                    error.code = 'TOKEN_NOT_ACTIVE';
+                    error.status = 401;
+                    throw error;
+                }
+                // Check subject exists
+                if (!decoded.sub) {
+                    const error = new Error('Token missing required claim: sub');
+                    error.code = 'INVALID_TOKEN';
+                    error.status = 401;
+                    throw error;
+                }
+                // Attach decoded payload to request
+                req.jwt = decoded;
+                // Also attach to req.user for backward compatibility
+                if (!req.user) {
+                    req.user = {
+                        userId: decoded.sub,
+                        ...decoded,
+                    };
+                }
+                next();
+            }
+            catch (error) {
+                // Handle jwt.verify errors
+                if (error.name === 'TokenExpiredError') {
+                    const err = new Error('Token has expired');
+                    err.code = 'TOKEN_EXPIRED';
+                    err.status = 401;
+                    throw err;
+                }
+                if (error.name === 'NotBeforeError') {
+                    const err = new Error('Token is not yet valid');
+                    err.code = 'TOKEN_NOT_ACTIVE';
+                    err.status = 401;
+                    throw err;
+                }
+                if (error.name === 'JsonWebTokenError') {
+                    const err = new Error(`Invalid token: ${error.message}`);
+                    err.code = 'INVALID_TOKEN';
+                    err.status = 401;
+                    throw err;
+                }
+                // Re-throw if already an OlaneError
+                if (error.code) {
+                    throw error;
+                }
+                // Generic invalid token error
+                const err = new Error('Token verification failed');
+                err.code = 'INVALID_TOKEN';
+                err.status = 401;
+                throw err;
+            }
+        }
+        catch (error) {
+            // Pass error to error handler
+            next(error);
+        }
+    };
+}

package/dist/src/o-server.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"o-server.d.ts","sourceRoot":"","sources":["../../src/o-server.ts"],"names":[],"mappings":"AAGA,OAAO,EACL,YAAY,EACZ,cAAc,EACf,MAAM,yCAAyC,CAAC;AAQjD,wBAAgB,OAAO,CAAC,MAAM,EAAE,YAAY,GAAG,cAAc,CA2O5D"}
+{"version":3,"file":"o-server.d.ts","sourceRoot":"","sources":["../../src/o-server.ts"],"names":[],"mappings":"AAGA,OAAO,EACL,YAAY,EACZ,cAAc,EACf,MAAM,yCAAyC,CAAC;AAiBjD,wBAAgB,OAAO,CAAC,MAAM,EAAE,YAAY,GAAG,cAAc,CAgR5D"}

package/dist/src/o-server.js

@@ -2,10 +2,12 @@ import express from 'express';
 import cors from 'cors';
 import { errorHandler } from './middleware/error-handler.js';
 import { authMiddleware } from './middleware/auth.js';
+import { createJwtMiddleware } from './middleware/jwt-auth.js';
 import { ServerLogger } from './utils/logger.js';
 import { oAddress } from '@olane/o-core';
+import { validateAddress, validateMethod, sanitizeParams, validateRequest, useRequestSchema, streamRequestSchema, } from './validation/index.js';
 export function oServer(config) {
-    const { node, port = 3000, basePath = '/api/v1', cors: corsConfig, authenticate, debug = false, } = config;
+    const { node, port = 3000, basePath = '/api/v1', cors: corsConfig, authenticate, jwtAuth, debug = false, } = config;
     const app = express();
     const logger = new ServerLogger(debug);
     let server = null;
@@ -14,8 +16,20 @@ export function oServer(config) {
     if (corsConfig) {
         app.use(cors(corsConfig));
     }
-    // Optional authentication
-    if (authenticate) {
+    // JWT authentication (mandatory, except for health endpoint)
+    if (jwtAuth) {
+        const jwtMiddleware = createJwtMiddleware(jwtAuth);
+        // Apply JWT middleware to all routes except health
+        app.use((req, res, next) => {
+            if (req.path === `${basePath}/health`) {
+                return next(); // Skip JWT for health check
+            }
+            return jwtMiddleware(req, res, next);
+        });
+    }
+    else if (authenticate) {
+        // Deprecated: Legacy authentication support
+        logger.log('⚠️  WARNING: The "authenticate" parameter is deprecated. Please migrate to "jwtAuth".');
         app.use(basePath, authMiddleware(authenticate));
     }
     // Health check endpoint
@@ -32,18 +46,20 @@ export function oServer(config) {
     // This is the main entrypoint that wraps the node's 'use' method
     app.post(`${basePath}/use`, async (req, res, next) => {
         try {
-            const { address: addressStr, method, params, id } = req.body;
-            if (!addressStr) {
-                const error = new Error('Address is required');
-                error.code = 'INVALID_PARAMS';
-                error.status = 400;
-                throw error;
-            }
+            // Validate request schema
+            const validated = validateRequest(req.body, useRequestSchema);
+            const { address: addressStr, method, params, id } = validated;
+            // Validate address
+            validateAddress(addressStr);
+            // Validate method
+            validateMethod(method);
+            // Sanitize params
+            const sanitizedParams = sanitizeParams(params);
             logger.debugLog(`Calling use with address ${addressStr}, method: ${method}`);
             const address = new oAddress(addressStr);
             const result = await node.use(address, {
                 method,
-                params,
+                params: sanitizedParams,
                 id,
             });
             const response = {
@@ -62,11 +78,19 @@ export function oServer(config) {
         try {
             const { address: addressParam, method } = req.params;
             const params = req.body;
-            logger.debugLog(`Calling method ${method} on ${addressParam} with params:`, params);
-            const address = new oAddress(`o://${addressParam}`);
+            // Construct full address
+            const addressStr = `o://${addressParam}`;
+            // Validate address
+            validateAddress(addressStr);
+            // Validate method
+            validateMethod(method);
+            // Sanitize params
+            const sanitizedParams = sanitizeParams(params);
+            logger.debugLog(`Calling method ${method} on ${addressParam} with params:`, sanitizedParams);
+            const address = new oAddress(addressStr);
             const result = await node.use(address, {
                 method,
-                params,
+                params: sanitizedParams,
             });
             const response = {
                 success: true,
@@ -81,13 +105,15 @@ export function oServer(config) {
     // Streaming endpoint - POST /api/v1/use/stream
     app.post(`${basePath}/use/stream`, async (req, res, next) => {
         try {
-            const { address: addressStr, method, params } = req.body;
-            if (!addressStr) {
-                const error = new Error('Address is required');
-                error.code = 'INVALID_PARAMS';
-                error.status = 400;
-                throw error;
-            }
+            // Validate request schema
+            const validated = validateRequest(req.body, streamRequestSchema);
+            const { address: addressStr, method, params } = validated;
+            // Validate address
+            validateAddress(addressStr);
+            // Validate method
+            validateMethod(method);
+            // Sanitize params
+            const sanitizedParams = sanitizeParams(params);
             logger.debugLog(`Streaming use call to ${addressStr}, method: ${method}`);
             // Set headers for Server-Sent Events
             res.setHeader('Content-Type', 'text/event-stream');
@@ -99,7 +125,7 @@ export function oServer(config) {
                 // For now, execute and return result
                 const result = await node.use(address, {
                     method,
-                    params,
+                    params: sanitizedParams,
                 });
                 res.write(`data: ${JSON.stringify({
                     type: 'complete',
@@ -152,7 +178,11 @@ export function oServer(config) {
             olaneError.code = 'EXECUTION_ERROR';
             olaneError.status = 500;
         }
-        olaneError.details = error.details || error.stack;
+        // Only include stack traces and details in development mode
+        olaneError.details =
+            process.env.NODE_ENV === 'development'
+                ? error.details || error.stack
+                : undefined;
         next(olaneError);
     }
     // Server instance

package/dist/src/validation/address-validator.d.ts

@@ -0,0 +1,13 @@
+/**
+ * Validates address strings to prevent path traversal and injection attacks
+ *
+ * Security checks:
+ * - Path traversal prevention (../, ..\\, URL-encoded variants)
+ * - o:// protocol format validation
+ * - Control character blocking (null bytes, newlines, etc.)
+ *
+ * @param address - The address string to validate
+ * @throws {ValidationError} If validation fails
+ */
+export declare function validateAddress(address: string): void;
+//# sourceMappingURL=address-validator.d.ts.map

package/dist/src/validation/address-validator.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"address-validator.d.ts","sourceRoot":"","sources":["../../../src/validation/address-validator.ts"],"names":[],"mappings":"AAEA;;;;;;;;;;GAUG;AACH,wBAAgB,eAAe,CAAC,OAAO,EAAE,MAAM,GAAG,IAAI,CAkDrD"}

package/dist/src/validation/address-validator.js

@@ -0,0 +1,40 @@
+import { ValidationError } from './validation-error.js';
+/**
+ * Validates address strings to prevent path traversal and injection attacks
+ *
+ * Security checks:
+ * - Path traversal prevention (../, ..\\, URL-encoded variants)
+ * - o:// protocol format validation
+ * - Control character blocking (null bytes, newlines, etc.)
+ *
+ * @param address - The address string to validate
+ * @throws {ValidationError} If validation fails
+ */
+export function validateAddress(address) {
+    if (!address || typeof address !== 'string') {
+        throw new ValidationError('Invalid address: must be a non-empty string', 'INVALID_ADDRESS');
+    }
+    // Block path traversal - literal patterns
+    if (address.includes('../') || address.includes('..\\')) {
+        throw new ValidationError('Invalid address: path traversal detected', 'INVALID_ADDRESS');
+    }
+    // Block path traversal - URL-encoded variants
+    // %2e = '.', so %2e%2e = '..'
+    const lowerAddress = address.toLowerCase();
+    if (lowerAddress.includes('%2e%2e') || lowerAddress.includes('%252e')) {
+        throw new ValidationError('Invalid address: path traversal detected', 'INVALID_ADDRESS');
+    }
+    // Validate o:// format
+    if (!address.startsWith('o://')) {
+        throw new ValidationError('Invalid address: must start with o://', 'INVALID_ADDRESS');
+    }
+    // Block control characters (0x00-0x1F and 0x7F)
+    // These include null bytes, newlines, tabs, etc.
+    if (/[\x00-\x1F\x7F]/.test(address)) {
+        throw new ValidationError('Invalid address: control characters not allowed', 'INVALID_ADDRESS');
+    }
+    // Block other dangerous patterns
+    if (address.includes('\\')) {
+        throw new ValidationError('Invalid address: backslashes not allowed', 'INVALID_ADDRESS');
+    }
+}

package/dist/src/validation/index.d.ts

@@ -0,0 +1,17 @@
+/**
+ * Input Validation & Sanitization Module
+ *
+ * Provides comprehensive security validation for o-server endpoints:
+ * - Address validation (path traversal, format, control chars)
+ * - Method validation (private methods, prototype pollution)
+ * - Parameter sanitization (recursive dangerous property removal)
+ * - Request schema validation (Zod-based type safety)
+ *
+ * Part of Phase 1 Security - Wave 2 (Input Validation)
+ */
+export { ValidationError } from './validation-error.js';
+export { validateAddress } from './address-validator.js';
+export { validateMethod } from './method-validator.js';
+export { sanitizeParams } from './params-sanitizer.js';
+export { validateRequest, useRequestSchema, convenienceRequestSchema, streamRequestSchema, } from './request-validator.js';
+//# sourceMappingURL=index.d.ts.map

package/dist/src/validation/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/validation/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAEH,OAAO,EAAE,eAAe,EAAE,MAAM,uBAAuB,CAAC;AACxD,OAAO,EAAE,eAAe,EAAE,MAAM,wBAAwB,CAAC;AACzD,OAAO,EAAE,cAAc,EAAE,MAAM,uBAAuB,CAAC;AACvD,OAAO,EAAE,cAAc,EAAE,MAAM,uBAAuB,CAAC;AACvD,OAAO,EACL,eAAe,EACf,gBAAgB,EAChB,wBAAwB,EACxB,mBAAmB,GACpB,MAAM,wBAAwB,CAAC"}

package/dist/src/validation/index.js

@@ -0,0 +1,16 @@
+/**
+ * Input Validation & Sanitization Module
+ *
+ * Provides comprehensive security validation for o-server endpoints:
+ * - Address validation (path traversal, format, control chars)
+ * - Method validation (private methods, prototype pollution)
+ * - Parameter sanitization (recursive dangerous property removal)
+ * - Request schema validation (Zod-based type safety)
+ *
+ * Part of Phase 1 Security - Wave 2 (Input Validation)
+ */
+export { ValidationError } from './validation-error.js';
+export { validateAddress } from './address-validator.js';
+export { validateMethod } from './method-validator.js';
+export { sanitizeParams } from './params-sanitizer.js';
+export { validateRequest, useRequestSchema, convenienceRequestSchema, streamRequestSchema, } from './request-validator.js';

package/dist/src/validation/method-validator.d.ts

@@ -0,0 +1,13 @@
+/**
+ * Validates method names to prevent prototype pollution and private method access
+ *
+ * Security checks:
+ * - Private method blocking (methods starting with '_')
+ * - Prototype pollution prevention (__proto__, constructor, prototype)
+ * - Case-insensitive blocking
+ *
+ * @param method - The method name to validate
+ * @throws {ValidationError} If validation fails
+ */
+export declare function validateMethod(method: string): void;
+//# sourceMappingURL=method-validator.d.ts.map

package/dist/src/validation/method-validator.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"method-validator.d.ts","sourceRoot":"","sources":["../../../src/validation/method-validator.ts"],"names":[],"mappings":"AAQA;;;;;;;;;;GAUG;AACH,wBAAgB,cAAc,CAAC,MAAM,EAAE,MAAM,GAAG,IAAI,CAoCnD"}

package/dist/src/validation/method-validator.js

@@ -0,0 +1,36 @@
+import { ValidationError } from './validation-error.js';
+/**
+ * List of method names that are blocked due to prototype pollution risks
+ * These are checked case-insensitively
+ */
+const BLOCKED_METHODS = ['__proto__', 'constructor', 'prototype'];
+/**
+ * Validates method names to prevent prototype pollution and private method access
+ *
+ * Security checks:
+ * - Private method blocking (methods starting with '_')
+ * - Prototype pollution prevention (__proto__, constructor, prototype)
+ * - Case-insensitive blocking
+ *
+ * @param method - The method name to validate
+ * @throws {ValidationError} If validation fails
+ */
+export function validateMethod(method) {
+    if (!method || typeof method !== 'string') {
+        throw new ValidationError('Invalid method: must be a non-empty string', 'INVALID_METHOD');
+    }
+    // Block private methods (starting with underscore)
+    if (method.startsWith('_')) {
+        throw new ValidationError('Invalid method: private methods not allowed', 'INVALID_METHOD');
+    }
+    // Block prototype pollution methods (case-insensitive)
+    const lowerMethod = method.toLowerCase();
+    const isBlocked = BLOCKED_METHODS.some((blocked) => lowerMethod === blocked.toLowerCase());
+    if (isBlocked) {
+        throw new ValidationError('Invalid method: blocked method name', 'INVALID_METHOD');
+    }
+    // Block methods with control characters
+    if (/[\x00-\x1F\x7F]/.test(method)) {
+        throw new ValidationError('Invalid method: control characters not allowed', 'INVALID_METHOD');
+    }
+}