@opensecurity/zonzon-control-plane 0.1.2 → 0.1.3

package/dist/domain/config/config.handler.d.ts

@@ -0,0 +1,12 @@
+import * as http from "http";
+import { ConfigService } from "./config.service.js";
+export declare class ConfigHandler {
+    private service;
+    private blindIndexSalt;
+    private expectedApiKeyHash;
+    constructor(service: ConfigService, rawApiKey: string, blindIndexSalt: string);
+    private readBodyStrict;
+    private verifyProofOfWork;
+    private extractContext;
+    handleRequest(req: http.IncomingMessage, res: http.ServerResponse): Promise<void>;
+}

package/dist/domain/config/config.handler.js

@@ -0,0 +1,118 @@
+import { createHash, createHmac, timingSafeEqual } from "crypto";
+import { audit } from "@opensecurity/zonzon-core";
+import { ApiAuthHeaderSchema } from "./config.schema.js";
+export class ConfigHandler {
+    service;
+    blindIndexSalt;
+    expectedApiKeyHash;
+    constructor(service, rawApiKey, blindIndexSalt) {
+        this.service = service;
+        this.blindIndexSalt = blindIndexSalt;
+        this.expectedApiKeyHash = createHmac("sha256", this.blindIndexSalt).update(rawApiKey).digest("hex");
+    }
+    readBodyStrict(req) {
+        return new Promise((resolve, reject) => {
+            let body = "";
+            let length = 0;
+            req.on("data", (chunk) => {
+                length += chunk.length;
+                if (length > 1048576) {
+                    reject(new Error("Payload size limit exceeded"));
+                    return;
+                }
+                body += chunk.toString("utf8");
+            });
+            req.on("end", () => resolve(body));
+            req.on("error", reject);
+        });
+    }
+    verifyProofOfWork(nonce) {
+        const hash = createHash("sha256").update(this.blindIndexSalt + nonce).digest("hex");
+        if (!hash.startsWith("0000")) {
+            throw new Error("Invalid Proof of Work Challenge");
+        }
+    }
+    extractContext(req, isMutation) {
+        const rawHeaders = {
+            authorization: req.headers.authorization,
+            "x-api-key": req.headers["x-api-key"],
+            "x-device-id": req.headers["x-device-id"],
+            "x-pow-nonce": req.headers["x-pow-nonce"],
+        };
+        const parsed = ApiAuthHeaderSchema.safeParse(rawHeaders);
+        if (!parsed.success) {
+            const issueString = parsed.error.issues.map(i => `${i.path.join('.')}: ${i.message}`).join('; ');
+            throw new Error(`Authentication Validation Failed (${issueString})`);
+        }
+        const validatedHeaders = parsed.data;
+        const providedKey = validatedHeaders["x-api-key"] || "";
+        if (!providedKey) {
+            throw new Error("Missing API Key");
+        }
+        const providedHash = createHmac("sha256", this.blindIndexSalt).update(providedKey).digest("hex");
+        const expectedBuffer = Buffer.from(this.expectedApiKeyHash, "utf8");
+        const providedBuffer = Buffer.from(providedHash, "utf8");
+        if (expectedBuffer.length !== providedBuffer.length || !timingSafeEqual(expectedBuffer, providedBuffer)) {
+            throw new Error("Unauthorized Access");
+        }
+        if (isMutation) {
+            if (!validatedHeaders["x-pow-nonce"]) {
+                throw new Error("Mutation endpoint requires x-pow-nonce header");
+            }
+            this.verifyProofOfWork(validatedHeaders["x-pow-nonce"]);
+        }
+        const deviceHash = createHmac("sha256", this.blindIndexSalt).update(validatedHeaders["x-device-id"]).digest("hex");
+        return {
+            tenantId: "system-tenant-001",
+            deviceHash: deviceHash,
+        };
+    }
+    async handleRequest(req, res) {
+        const clientIp = req.socket.remoteAddress || "unknown";
+        const method = req.method || "GET";
+        const url = new URL(req.url || "/", `http://${req.headers.host || "localhost"}`);
+        if (url.pathname !== "/api/v1/config") {
+            res.writeHead(404, { "Content-Type": "application/json" });
+            res.end(JSON.stringify({ error: "Endpoint Not Found" }));
+            return;
+        }
+        try {
+            const isMutation = method === "PUT" || method === "POST";
+            const context = this.extractContext(req, isMutation);
+            if (method === "GET") {
+                const config = await this.service.getConfig(context);
+                res.writeHead(200, { "Content-Type": "application/json" });
+                res.end(JSON.stringify(config));
+                audit.http(clientIp, "GET", "control-plane", url.pathname, 200, "Config retrieved");
+                return;
+            }
+            if (method === "PUT") {
+                const bodyStr = await this.readBodyStrict(req);
+                const rawConfig = JSON.parse(bodyStr);
+                await this.service.updateConfig(context, rawConfig);
+                res.writeHead(200, { "Content-Type": "application/json" });
+                res.end(JSON.stringify({ success: true, timestamp: Date.now() }));
+                audit.http(clientIp, "PUT", "control-plane", url.pathname, 200, "Config updated");
+                return;
+            }
+            res.writeHead(405, { "Content-Type": "application/json" });
+            res.end(JSON.stringify({ error: "Method Not Allowed" }));
+        }
+        catch (error) {
+            const message = error.message || "Internal Server Error";
+            let statusCode = 400;
+            if (message.includes("Payload size limit")) {
+                statusCode = 413;
+            }
+            else if (message.includes("Authentication Validation Failed") || message.includes("Unauthorized") || message.includes("API Key") || message.includes("x-pow-nonce")) {
+                statusCode = 401;
+            }
+            else if (message.includes("Invalid Proof of Work")) {
+                statusCode = 403;
+            }
+            audit.error(`Control Plane API Fault: HTTP ${statusCode} | ${message} | Client: ${clientIp}`);
+            res.writeHead(statusCode, { "Content-Type": "application/json" });
+            res.end(JSON.stringify({ error: message }));
+        }
+    }
+}

package/dist/domain/config/config.schema.d.ts

@@ -0,0 +1,27 @@
+import { z } from "zod";
+export declare const ApiAuthHeaderSchema: z.ZodEffects<z.ZodObject<{
+    authorization: z.ZodOptional<z.ZodString>;
+    "x-api-key": z.ZodOptional<z.ZodString>;
+    "x-device-id": z.ZodString;
+    "x-pow-nonce": z.ZodOptional<z.ZodString>;
+}, "strip", z.ZodTypeAny, {
+    "x-device-id": string;
+    authorization?: string | undefined;
+    "x-api-key"?: string | undefined;
+    "x-pow-nonce"?: string | undefined;
+}, {
+    "x-device-id": string;
+    authorization?: string | undefined;
+    "x-api-key"?: string | undefined;
+    "x-pow-nonce"?: string | undefined;
+}>, {
+    "x-device-id": string;
+    authorization?: string | undefined;
+    "x-api-key"?: string | undefined;
+    "x-pow-nonce"?: string | undefined;
+}, {
+    "x-device-id": string;
+    authorization?: string | undefined;
+    "x-api-key"?: string | undefined;
+    "x-pow-nonce"?: string | undefined;
+}>;

package/dist/domain/config/config.schema.js

@@ -0,0 +1,10 @@
+import { z } from "zod";
+export const ApiAuthHeaderSchema = z.object({
+    authorization: z.string().regex(/^Bearer [a-zA-Z0-9\-_]+\.[a-zA-Z0-9\-_]+\.[a-zA-Z0-9\-_]+$/).optional(),
+    "x-api-key": z.string().min(32).max(128).optional(),
+    "x-device-id": z.string().min(16).max(64),
+    "x-pow-nonce": z.string().min(1).max(64).optional()
+}).refine(data => data.authorization || data["x-api-key"], {
+    message: "Missing authentication credentials",
+    path: ["x-api-key"]
+});

package/dist/domain/config/config.service.d.ts

@@ -0,0 +1,11 @@
+import { ServerConfig } from "@opensecurity/zonzon-core";
+import { ConfigContext } from "./config.types.js";
+export declare class ConfigService {
+    private config;
+    private lock;
+    private subscribers;
+    constructor(initialConfig: ServerConfig);
+    subscribe(callback: (config: ServerConfig) => void): void;
+    getConfig(ctx: ConfigContext): Promise<ServerConfig>;
+    updateConfig(ctx: ConfigContext, rawConfig: unknown): Promise<void>;
+}

package/dist/domain/config/config.service.js

@@ -0,0 +1,60 @@
+import { validateServerConfig, audit } from "@opensecurity/zonzon-core";
+class PessimisticLock {
+    locked = false;
+    queue = [];
+    acquire() {
+        if (!this.locked) {
+            this.locked = true;
+            return Promise.resolve();
+        }
+        return new Promise(resolve => this.queue.push(resolve));
+    }
+    release() {
+        if (this.queue.length > 0) {
+            const next = this.queue.shift();
+            if (next)
+                next();
+        }
+        else {
+            this.locked = false;
+        }
+    }
+}
+export class ConfigService {
+    config;
+    lock = new PessimisticLock();
+    subscribers = [];
+    constructor(initialConfig) {
+        this.config = validateServerConfig(initialConfig);
+    }
+    subscribe(callback) {
+        this.subscribers.push(callback);
+    }
+    async getConfig(ctx) {
+        if (!ctx.tenantId) {
+            throw new Error("Security Exception: Missing Tenant Context");
+        }
+        return this.config;
+    }
+    async updateConfig(ctx, rawConfig) {
+        if (!ctx.tenantId) {
+            throw new Error("Security Exception: Missing Tenant Context");
+        }
+        await this.lock.acquire();
+        try {
+            const validatedConfig = validateServerConfig(rawConfig);
+            this.config = validatedConfig;
+            for (const callback of this.subscribers) {
+                try {
+                    callback(this.config);
+                }
+                catch (err) {
+                    audit.error(`Subscriber failed to process configuration update: ${err}`);
+                }
+            }
+        }
+        finally {
+            this.lock.release();
+        }
+    }
+}

package/dist/domain/config/config.test.d.ts

@@ -0,0 +1 @@
+export {};

package/dist/domain/config/config.test.js

@@ -0,0 +1,139 @@
+import { describe, it, before, after } from "node:test";
+import assert from "node:assert";
+import * as http from "http";
+import { createHash } from "crypto";
+import { ConfigService } from "./config.service.js";
+import { ConfigHandler } from "./config.handler.js";
+const MOCK_SALT = "test-salt-1234567890";
+const MOCK_API_KEY = "test-api-key-very-long-and-secure-32-chars";
+const MOCK_DEVICE_ID = "test-device-id-1234";
+function generateValidPoW(salt) {
+    let nonce = 0;
+    while (true) {
+        const hash = createHash("sha256").update(salt + nonce.toString()).digest("hex");
+        if (hash.startsWith("0000")) {
+            return nonce.toString();
+        }
+        nonce++;
+    }
+}
+describe("Control Plane API Tests", () => {
+    let server;
+    let port;
+    let validNonce;
+    const initialConfig = {
+        port: 53,
+        hosts: {
+            "initial.loop": { records: [{ type: "A", address: "1.1.1.1" }] }
+        }
+    };
+    before(async () => {
+        validNonce = generateValidPoW(MOCK_SALT);
+        const service = new ConfigService(initialConfig);
+        const handler = new ConfigHandler(service, MOCK_API_KEY, MOCK_SALT);
+        server = http.createServer((req, res) => handler.handleRequest(req, res));
+        await new Promise((resolve) => {
+            server.listen(0, "127.0.0.1", () => {
+                port = server.address().port;
+                resolve();
+            });
+        });
+    });
+    after(() => {
+        server.close();
+    });
+    function makeRequest(method, path, headers, body) {
+        return new Promise((resolve, reject) => {
+            const options = {
+                hostname: "127.0.0.1",
+                port: port,
+                path: path,
+                method: method,
+                headers: headers
+            };
+            const req = http.request(options, (res) => {
+                let responseBody = "";
+                res.on("data", chunk => responseBody += chunk);
+                res.on("end", () => {
+                    try {
+                        resolve({ status: res.statusCode || 500, data: JSON.parse(responseBody) });
+                    }
+                    catch {
+                        resolve({ status: res.statusCode || 500, data: responseBody });
+                    }
+                });
+            });
+            req.on("error", reject);
+            if (body)
+                req.write(body);
+            req.end();
+        });
+    }
+    it("rejects GET requests without authentication", async () => {
+        const res = await makeRequest("GET", "/api/v1/config", {});
+        assert.strictEqual(res.status, 401);
+    });
+    it("accepts GET requests with valid API key and device ID", async () => {
+        const res = await makeRequest("GET", "/api/v1/config", {
+            "x-api-key": MOCK_API_KEY,
+            "x-device-id": MOCK_DEVICE_ID
+        });
+        assert.strictEqual(res.status, 200);
+        assert.ok("hosts" in res.data);
+        assert.ok("initial.loop" in res.data.hosts);
+    });
+    it("rejects PUT requests without Proof of Work challenge", async () => {
+        const newConfig = { ...initialConfig, port: 5353 };
+        const res = await makeRequest("PUT", "/api/v1/config", {
+            "x-api-key": MOCK_API_KEY,
+            "x-device-id": MOCK_DEVICE_ID,
+            "Content-Type": "application/json"
+        }, JSON.stringify(newConfig));
+        assert.strictEqual(res.status, 401);
+        assert.ok(res.data.error.includes("x-pow-nonce"));
+    });
+    it("rejects PUT requests with invalid Proof of Work challenge", async () => {
+        const newConfig = { ...initialConfig, port: 5353 };
+        const res = await makeRequest("PUT", "/api/v1/config", {
+            "x-api-key": MOCK_API_KEY,
+            "x-device-id": MOCK_DEVICE_ID,
+            "x-pow-nonce": "invalid-nonce-value",
+            "Content-Type": "application/json"
+        }, JSON.stringify(newConfig));
+        assert.strictEqual(res.status, 403);
+        assert.ok(res.data.error.includes("Invalid Proof of Work"));
+    });
+    it("accepts PUT requests with valid configuration and PoW", async () => {
+        const newConfig = {
+            port: 5353,
+            hosts: {
+                "updated.loop": { records: [{ type: "A", address: "8.8.8.8" }] }
+            }
+        };
+        const res = await makeRequest("PUT", "/api/v1/config", {
+            "x-api-key": MOCK_API_KEY,
+            "x-device-id": MOCK_DEVICE_ID,
+            "x-pow-nonce": validNonce,
+            "Content-Type": "application/json"
+        }, JSON.stringify(newConfig));
+        assert.strictEqual(res.status, 200);
+        assert.strictEqual(res.data.success, true);
+        const checkRes = await makeRequest("GET", "/api/v1/config", {
+            "x-api-key": MOCK_API_KEY,
+            "x-device-id": MOCK_DEVICE_ID
+        });
+        assert.strictEqual(checkRes.status, 200);
+        assert.strictEqual(checkRes.data.port, 5353);
+        assert.ok("updated.loop" in checkRes.data.hosts);
+    });
+    it("rejects payloads exceeding the memory boundary", async () => {
+        const hugePayload = JSON.stringify({ port: 53, hosts: {} }) + " ".repeat(1.5 * 1024 * 1024);
+        const res = await makeRequest("PUT", "/api/v1/config", {
+            "x-api-key": MOCK_API_KEY,
+            "x-device-id": MOCK_DEVICE_ID,
+            "x-pow-nonce": validNonce,
+            "Content-Type": "application/json"
+        }, hugePayload);
+        assert.strictEqual(res.status, 413);
+    });
+});

package/dist/domain/config/config.types.d.ts

@@ -0,0 +1,14 @@
+export interface ConfigContext {
+    tenantId: string;
+    deviceHash: string;
+}
+export interface ConfigUpdateResponse {
+    success: boolean;
+    timestamp: number;
+}
+export interface ApiAuthHeaders {
+    authorization?: string;
+    "x-api-key"?: string;
+    "x-device-id": string;
+    "x-pow-nonce"?: string;
+}

package/dist/domain/config/config.types.js

@@ -0,0 +1 @@
+export {};

package/dist/index.d.ts

@@ -0,0 +1,16 @@
+import { ServerConfig } from "@opensecurity/zonzon-core";
+export interface ControlPlaneOptions {
+    port: number;
+    apiKey: string;
+    blindIndexSalt: string;
+    initialConfig: ServerConfig;
+}
+export declare class ControlPlane {
+    private service;
+    private server;
+    private options;
+    constructor(options: ControlPlaneOptions);
+    subscribe(callback: (config: ServerConfig) => void): void;
+    start(): Promise<void>;
+    stop(): Promise<void>;
+}

package/dist/index.js

@@ -0,0 +1,43 @@
+import * as http from "http";
+import { audit } from "@opensecurity/zonzon-core";
+import { ConfigService } from "./domain/config/config.service.js";
+import { ConfigHandler } from "./domain/config/config.handler.js";
+export class ControlPlane {
+    service;
+    server = null;
+    options;
+    constructor(options) {
+        this.options = options;
+        this.service = new ConfigService(options.initialConfig);
+    }
+    subscribe(callback) {
+        this.service.subscribe(callback);
+    }
+    async start() {
+        const handler = new ConfigHandler(this.service, this.options.apiKey, this.options.blindIndexSalt);
+        return new Promise((resolve, reject) => {
+            this.server = http.createServer((req, res) => {
+                handler.handleRequest(req, res).catch(err => {
+                    audit.error(`Control Plane Native Fault: ${err.message}`);
+                    if (!res.headersSent) {
+                        res.writeHead(500);
+                        res.end(JSON.stringify({ error: "Internal Server Fault" }));
+                    }
+                });
+            });
+            this.server.on("error", reject);
+            this.server.listen(this.options.port, "127.0.0.1", () => {
+                audit.system(`Control Plane locked strictly to loopback interface on port ${this.options.port}`);
+                resolve();
+            });
+        });
+    }
+    async stop() {
+        if (this.server) {
+            await new Promise((resolve) => {
+                this.server.close(() => resolve());
+            });
+            this.server = null;
+        }
+    }
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@opensecurity/zonzon-control-plane",
-  "version": "0.1.2",
+  "version": "0.1.3",
   "description": "dynamic configuration api for the core engine",
   "type": "module",
   "author": "Lucian BLETAN <neuraluc@gmail.com>",
@@ -21,11 +21,14 @@
   "publishConfig": {
     "access": "public"
   },
+  "files": [
+    "dist"
+  ],
   "scripts": {
     "build": "tsc -b"
   },
   "dependencies": {
-    "@opensecurity/zonzon-core": "*",
+    "@opensecurity/zonzon-core": "^0.1.3",
     "zod": "^3.24.2"
   }
 }

package/src/domain/config/config.handler.ts

@@ -1,141 +0,0 @@
-import * as http from "http";
-import { createHash, createHmac, timingSafeEqual } from "crypto";
-import { audit } from "@opensecurity/zonzon-core";
-import { ConfigService } from "./config.service.js";
-import { ApiAuthHeaderSchema } from "./config.schema.js";
-import { ConfigContext } from "./config.types.js";
-
-export class ConfigHandler {
-  private service: ConfigService;
-  private blindIndexSalt: string;
-  private expectedApiKeyHash: string;
-
-  constructor(service: ConfigService, rawApiKey: string, blindIndexSalt: string) {
-    this.service = service;
-    this.blindIndexSalt = blindIndexSalt;
-    this.expectedApiKeyHash = createHmac("sha256", this.blindIndexSalt).update(rawApiKey).digest("hex");
-  }
-
-  private readBodyStrict(req: http.IncomingMessage): Promise<string> {
-    return new Promise((resolve, reject) => {
-      let body = "";
-      let length = 0;
-      req.on("data", (chunk: Buffer) => {
-        length += chunk.length;
-        if (length > 1048576) {
-          reject(new Error("Payload size limit exceeded"));
-          return;
-        }
-        body += chunk.toString("utf8");
-      });
-      req.on("end", () => resolve(body));
-      req.on("error", reject);
-    });
-  }
-
-  private verifyProofOfWork(nonce: string): void {
-    const hash = createHash("sha256").update(this.blindIndexSalt + nonce).digest("hex");
-    if (!hash.startsWith("0000")) {
-      throw new Error("Invalid Proof of Work Challenge");
-    }
-  }
-
-  private extractContext(req: http.IncomingMessage, isMutation: boolean): ConfigContext {
-    const rawHeaders = {
-      authorization: req.headers.authorization,
-      "x-api-key": req.headers["x-api-key"],
-      "x-device-id": req.headers["x-device-id"],
-      "x-pow-nonce": req.headers["x-pow-nonce"],
-    };
-
-    const parsed = ApiAuthHeaderSchema.safeParse(rawHeaders);
-    if (!parsed.success) {
-      const issueString = parsed.error.issues.map(i => `${i.path.join('.')}: ${i.message}`).join('; ');
-      throw new Error(`Authentication Validation Failed (${issueString})`);
-    }
-
-    const validatedHeaders = parsed.data;
-
-    const providedKey = validatedHeaders["x-api-key"] || "";
-    if (!providedKey) {
-      throw new Error("Missing API Key");
-    }
-
-    const providedHash = createHmac("sha256", this.blindIndexSalt).update(providedKey).digest("hex");
-    const expectedBuffer = Buffer.from(this.expectedApiKeyHash, "utf8");
-    const providedBuffer = Buffer.from(providedHash, "utf8");
-
-    if (expectedBuffer.length !== providedBuffer.length || !timingSafeEqual(expectedBuffer, providedBuffer)) {
-      throw new Error("Unauthorized Access");
-    }
-
-    if (isMutation) {
-      if (!validatedHeaders["x-pow-nonce"]) {
-        throw new Error("Mutation endpoint requires x-pow-nonce header");
-      }
-      this.verifyProofOfWork(validatedHeaders["x-pow-nonce"]);
-    }
-
-    const deviceHash = createHmac("sha256", this.blindIndexSalt).update(validatedHeaders["x-device-id"]).digest("hex");
-
-    return {
-      tenantId: "system-tenant-001",
-      deviceHash: deviceHash,
-    };
-  }
-
-  public async handleRequest(req: http.IncomingMessage, res: http.ServerResponse): Promise<void> {
-    const clientIp = req.socket.remoteAddress || "unknown";
-    const method = req.method || "GET";
-    const url = new URL(req.url || "/", `http://${req.headers.host || "localhost"}`);
-
-    if (url.pathname !== "/api/v1/config") {
-      res.writeHead(404, { "Content-Type": "application/json" });
-      res.end(JSON.stringify({ error: "Endpoint Not Found" }));
-      return;
-    }
-
-    try {
-      const isMutation = method === "PUT" || method === "POST";
-      const context = this.extractContext(req, isMutation);
-
-      if (method === "GET") {
-        const config = await this.service.getConfig(context);
-        res.writeHead(200, { "Content-Type": "application/json" });
-        res.end(JSON.stringify(config));
-        audit.http(clientIp, "GET", "control-plane", url.pathname, 200, "Config retrieved");
-        return;
-      }
-
-      if (method === "PUT") {
-        const bodyStr = await this.readBodyStrict(req);
-        const rawConfig = JSON.parse(bodyStr);
-        await this.service.updateConfig(context, rawConfig);
-        res.writeHead(200, { "Content-Type": "application/json" });
-        res.end(JSON.stringify({ success: true, timestamp: Date.now() }));
-        audit.http(clientIp, "PUT", "control-plane", url.pathname, 200, "Config updated");
-        return;
-      }
-
-      res.writeHead(405, { "Content-Type": "application/json" });
-      res.end(JSON.stringify({ error: "Method Not Allowed" }));
-
-    } catch (error: any) {
-      const message = error.message || "Internal Server Error";
-      
-      let statusCode = 400;
-      if (message.includes("Payload size limit")) {
-        statusCode = 413;
-      } else if (message.includes("Authentication Validation Failed") || message.includes("Unauthorized") || message.includes("API Key") || message.includes("x-pow-nonce")) {
-        statusCode = 401;
-      } else if (message.includes("Invalid Proof of Work")) {
-        statusCode = 403;
-      }
-
-      audit.error(`Control Plane API Fault: HTTP ${statusCode} | ${message} | Client: ${clientIp}`);
-
-      res.writeHead(statusCode, { "Content-Type": "application/json" });
-      res.end(JSON.stringify({ error: message }));
-    }
-  }
-}

package/src/domain/config/config.schema.ts

@@ -1,11 +0,0 @@
-import { z } from "zod";
-
-export const ApiAuthHeaderSchema = z.object({
-  authorization: z.string().regex(/^Bearer [a-zA-Z0-9\-_]+\.[a-zA-Z0-9\-_]+\.[a-zA-Z0-9\-_]+$/).optional(),
-  "x-api-key": z.string().min(32).max(128).optional(),
-  "x-device-id": z.string().min(16).max(64),
-  "x-pow-nonce": z.string().min(1).max(64).optional()
-}).refine(data => data.authorization || data["x-api-key"], {
-  message: "Missing authentication credentials",
-  path: ["x-api-key"]
-});

package/src/domain/config/config.service.ts

@@ -1,66 +0,0 @@
-import { ServerConfig, validateServerConfig, audit } from "@opensecurity/zonzon-core";
-import { ConfigContext } from "./config.types.js";
-
-class PessimisticLock {
-  private locked = false;
-  private queue: Array<() => void> = [];
-
-  public acquire(): Promise<void> {
-    if (!this.locked) {
-      this.locked = true;
-      return Promise.resolve();
-    }
-    return new Promise(resolve => this.queue.push(resolve));
-  }
-
-  public release(): void {
-    if (this.queue.length > 0) {
-      const next = this.queue.shift();
-      if (next) next();
-    } else {
-      this.locked = false;
-    }
-  }
-}
-
-export class ConfigService {
-  private config: ServerConfig;
-  private lock = new PessimisticLock();
-  private subscribers: Array<(config: ServerConfig) => void> = [];
-
-  constructor(initialConfig: ServerConfig) {
-    this.config = validateServerConfig(initialConfig);
-  }
-
-  public subscribe(callback: (config: ServerConfig) => void): void {
-    this.subscribers.push(callback);
-  }
-
-  public async getConfig(ctx: ConfigContext): Promise<ServerConfig> {
-    if (!ctx.tenantId) {
-      throw new Error("Security Exception: Missing Tenant Context");
-    }
-    return this.config;
-  }
-
-  public async updateConfig(ctx: ConfigContext, rawConfig: unknown): Promise<void> {
-    if (!ctx.tenantId) {
-      throw new Error("Security Exception: Missing Tenant Context");
-    }
-
-    await this.lock.acquire();
-    try {
-      const validatedConfig = validateServerConfig(rawConfig);
-      this.config = validatedConfig;
-      for (const callback of this.subscribers) {
-        try {
-          callback(this.config);
-        } catch (err) {
-          audit.error(`Subscriber failed to process configuration update: ${err}`);
-        }
-      }
-    } finally {
-      this.lock.release();
-    }
-  }
-}

package/src/domain/config/config.test.ts

@@ -1,158 +0,0 @@
-import { describe, it, before, after } from "node:test";
-import assert from "node:assert";
-import * as http from "http";
-import * as net from "net";
-import { createHash } from "crypto";
-import { ConfigService } from "./config.service.js";
-import { ConfigHandler } from "./config.handler.js";
-import { ServerConfig } from "@opensecurity/zonzon-core";
-
-const MOCK_SALT = "test-salt-1234567890";
-const MOCK_API_KEY = "test-api-key-very-long-and-secure-32-chars";
-const MOCK_DEVICE_ID = "test-device-id-1234";
-
-function generateValidPoW(salt: string): string {
-  let nonce = 0;
-  while (true) {
-    const hash = createHash("sha256").update(salt + nonce.toString()).digest("hex");
-    if (hash.startsWith("0000")) {
-      return nonce.toString();
-    }
-    nonce++;
-  }
-}
-
-describe("Control Plane API Tests", () => {
-  let server: http.Server;
-  let port: number;
-  let validNonce: string;
-
-  const initialConfig: ServerConfig = {
-    port: 53,
-    hosts: {
-      "initial.loop": { records: [{ type: "A", address: "1.1.1.1" }] }
-    }
-  };
-
-  before(async () => {
-    validNonce = generateValidPoW(MOCK_SALT);
-    const service = new ConfigService(initialConfig);
-    const handler = new ConfigHandler(service, MOCK_API_KEY, MOCK_SALT);
-
-    server = http.createServer((req, res) => handler.handleRequest(req, res));
-    await new Promise<void>((resolve) => {
-      server.listen(0, "127.0.0.1", () => {
-        port = (server.address() as net.AddressInfo).port;
-        resolve();
-      });
-    });
-  });
-
-  after(() => {
-    server.close();
-  });
-
-  function makeRequest(method: string, path: string, headers: Record<string, string>, body?: string): Promise<{ status: number, data: any }> {
-    return new Promise((resolve, reject) => {
-      const options = {
-        hostname: "127.0.0.1",
-        port: port,
-        path: path,
-        method: method,
-        headers: headers
-      };
-
-      const req = http.request(options, (res) => {
-        let responseBody = "";
-        res.on("data", chunk => responseBody += chunk);
-        res.on("end", () => {
-          try {
-            resolve({ status: res.statusCode || 500, data: JSON.parse(responseBody) });
-          } catch {
-            resolve({ status: res.statusCode || 500, data: responseBody });
-          }
-        });
-      });
-
-      req.on("error", reject);
-      if (body) req.write(body);
-      req.end();
-    });
-  }
-
-  it("rejects GET requests without authentication", async () => {
-    const res = await makeRequest("GET", "/api/v1/config", {});
-    assert.strictEqual(res.status, 401);
-  });
-
-  it("accepts GET requests with valid API key and device ID", async () => {
-    const res = await makeRequest("GET", "/api/v1/config", {
-      "x-api-key": MOCK_API_KEY,
-      "x-device-id": MOCK_DEVICE_ID
-    });
-    assert.strictEqual(res.status, 200);
-    assert.ok("hosts" in res.data);
-    assert.ok("initial.loop" in res.data.hosts);
-  });
-
-  it("rejects PUT requests without Proof of Work challenge", async () => {
-    const newConfig = { ...initialConfig, port: 5353 };
-    const res = await makeRequest("PUT", "/api/v1/config", {
-      "x-api-key": MOCK_API_KEY,
-      "x-device-id": MOCK_DEVICE_ID,
-      "Content-Type": "application/json"
-    }, JSON.stringify(newConfig));
-    assert.strictEqual(res.status, 401);
-    assert.ok(res.data.error.includes("x-pow-nonce"));
-  });
-
-  it("rejects PUT requests with invalid Proof of Work challenge", async () => {
-    const newConfig = { ...initialConfig, port: 5353 };
-    const res = await makeRequest("PUT", "/api/v1/config", {
-      "x-api-key": MOCK_API_KEY,
-      "x-device-id": MOCK_DEVICE_ID,
-      "x-pow-nonce": "invalid-nonce-value",
-      "Content-Type": "application/json"
-    }, JSON.stringify(newConfig));
-    assert.strictEqual(res.status, 403);
-    assert.ok(res.data.error.includes("Invalid Proof of Work"));
-  });
-
-  it("accepts PUT requests with valid configuration and PoW", async () => {
-    const newConfig: ServerConfig = {
-      port: 5353,
-      hosts: {
-        "updated.loop": { records: [{ type: "A", address: "8.8.8.8" }] }
-      }
-    };
-    const res = await makeRequest("PUT", "/api/v1/config", {
-      "x-api-key": MOCK_API_KEY,
-      "x-device-id": MOCK_DEVICE_ID,
-      "x-pow-nonce": validNonce,
-      "Content-Type": "application/json"
-    }, JSON.stringify(newConfig));
-    
-    assert.strictEqual(res.status, 200);
-    assert.strictEqual(res.data.success, true);
-
-    const checkRes = await makeRequest("GET", "/api/v1/config", {
-      "x-api-key": MOCK_API_KEY,
-      "x-device-id": MOCK_DEVICE_ID
-    });
-    assert.strictEqual(checkRes.status, 200);
-    assert.strictEqual(checkRes.data.port, 5353);
-    assert.ok("updated.loop" in checkRes.data.hosts);
-  });
-
-  it("rejects payloads exceeding the memory boundary", async () => {
-    const hugePayload = JSON.stringify({ port: 53, hosts: {} }) + " ".repeat(1.5 * 1024 * 1024);
-    const res = await makeRequest("PUT", "/api/v1/config", {
-      "x-api-key": MOCK_API_KEY,
-      "x-device-id": MOCK_DEVICE_ID,
-      "x-pow-nonce": validNonce,
-      "Content-Type": "application/json"
-    }, hugePayload);
-    
-    assert.strictEqual(res.status, 413);
-  });
-});

package/src/domain/config/config.types.ts

@@ -1,18 +0,0 @@
-import { ServerConfig } from "@opensecurity/zonzon-core";
-
-export interface ConfigContext {
-  tenantId: string;
-  deviceHash: string;
-}
-
-export interface ConfigUpdateResponse {
-  success: boolean;
-  timestamp: number;
-}
-
-export interface ApiAuthHeaders {
-  authorization?: string;
-  "x-api-key"?: string;
-  "x-device-id": string;
-  "x-pow-nonce"?: string;
-}

package/src/index.ts

@@ -1,58 +0,0 @@
-import * as http from "http";
-import { ServerConfig, validateServerConfig, audit } from "@opensecurity/zonzon-core";
-import { ConfigService } from "./domain/config/config.service.js";
-import { ConfigHandler } from "./domain/config/config.handler.js";
-
-export interface ControlPlaneOptions {
-  port: number;
-  apiKey: string;
-  blindIndexSalt: string;
-  initialConfig: ServerConfig;
-}
-
-export class ControlPlane {
-  private service: ConfigService;
-  private server: http.Server | null = null;
-  private options: ControlPlaneOptions;
-
-  constructor(options: ControlPlaneOptions) {
-    this.options = options;
-    this.service = new ConfigService(options.initialConfig);
-  }
-
-  public subscribe(callback: (config: ServerConfig) => void): void {
-    this.service.subscribe(callback);
-  }
-
-  public async start(): Promise<void> {
-    const handler = new ConfigHandler(this.service, this.options.apiKey, this.options.blindIndexSalt);
-    
-    return new Promise((resolve, reject) => {
-      this.server = http.createServer((req, res) => {
-        handler.handleRequest(req, res).catch(err => {
-          audit.error(`Control Plane Native Fault: ${err.message}`);
-          if (!res.headersSent) {
-            res.writeHead(500);
-            res.end(JSON.stringify({ error: "Internal Server Fault" }));
-          }
-        });
-      });
-
-      this.server.on("error", reject);
-
-      this.server.listen(this.options.port, "127.0.0.1", () => {
-        audit.system(`Control Plane locked strictly to loopback interface on port ${this.options.port}`);
-        resolve();
-      });
-    });
-  }
-
-  public async stop(): Promise<void> {
-    if (this.server) {
-      await new Promise<void>((resolve) => {
-        this.server!.close(() => resolve());
-      });
-      this.server = null;
-    }
-  }
-}

package/tsconfig.json

@@ -1,12 +0,0 @@
-{
-  "extends": "../../tsconfig.base.json",
-  "compilerOptions": {
-    "outDir": "./dist",
-    "rootDir": "./src"
-  },
-  "references": [
-    { "path": "../core" }
-  ],
-  "include": ["src/**/*.ts"],
-  "exclude": ["node_modules", "dist"]
-}