@protegoprotect/middleware-next 2.0.0

package/dist/auto.d.ts

@@ -0,0 +1,14 @@
+import { createProtegoMiddleware } from './middleware.js';
+import type { ProtegoNextConfig, ProtegoScriptProps } from './types.js';
+export interface ProtegoAutoOptions extends Partial<ProtegoNextConfig> {
+    matcher?: string[];
+}
+export declare function createProtego(options?: ProtegoAutoOptions): {
+    middleware: ReturnType<typeof createProtegoMiddleware>;
+    config: {
+        matcher: string[];
+    };
+    scriptProps: ProtegoScriptProps;
+    protegoConfig: ProtegoNextConfig;
+};
+//# sourceMappingURL=auto.d.ts.map

package/dist/auto.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"auto.d.ts","sourceRoot":"","sources":["../src/auto.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,uBAAuB,EAAE,MAAM,iBAAiB,CAAC;AAC1D,OAAO,KAAK,EAAE,iBAAiB,EAAE,kBAAkB,EAAE,MAAM,YAAY,CAAC;AAKxE,MAAM,WAAW,kBAAmB,SAAQ,OAAO,CAAC,iBAAiB,CAAC;IACpE,OAAO,CAAC,EAAE,MAAM,EAAE,CAAC;CACpB;AAQD,wBAAgB,aAAa,CAAC,OAAO,GAAE,kBAAuB,GAAG;IAC/D,UAAU,EAAE,UAAU,CAAC,OAAO,uBAAuB,CAAC,CAAC;IACvD,MAAM,EAAE;QAAE,OAAO,EAAE,MAAM,EAAE,CAAA;KAAE,CAAC;IAC9B,WAAW,EAAE,kBAAkB,CAAC;IAChC,aAAa,EAAE,iBAAiB,CAAC;CAClC,CA2CA"}

package/dist/auto.js

@@ -0,0 +1,54 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.createProtego = createProtego;
+const protocol_1 = require("@protegoprotect/core/protocol");
+const middleware_js_1 = require("./middleware.js");
+const DEFAULT_EXCLUDE_ROUTES = ['/_next', '/favicon.ico', '/robots.txt', '/sitemap.xml'];
+const DEFAULT_MATCHER = ['/((?!_next/static|_next/image|favicon.ico|robots.txt|sitemap.xml).*)'];
+function getRequiredEnv(name, fallback) {
+    const value = process.env[name] ?? fallback;
+    if (!value)
+        throw new Error(`[protego] Missing required environment variable: ${name}`);
+    return value;
+}
+function createProtego(options = {}) {
+    const attestationUrl = options.attestationUrl
+        ?? process.env.NEXT_PUBLIC_PROTEGO_ATTESTATION_URL
+        ?? '';
+    const audience = options.audience
+        ?? process.env.NEXT_PUBLIC_PROTEGO_AUDIENCE
+        ?? process.env.PROTEGO_AUDIENCE
+        ?? 'protego-site';
+    const sensorScriptUrl = options.sensorScriptUrl
+        ?? (attestationUrl ? `${attestationUrl.replace(/\/$/, '')}/_protego/sensor.js` : '/_protego/sensor.js');
+    const protegoConfig = {
+        attestationUrl,
+        signingKey: options.signingKey ?? getRequiredEnv('PROTEGO_SIGNING_KEY'),
+        audience,
+        ipSalt: options.ipSalt ?? getRequiredEnv('PROTEGO_IP_SALT'),
+        policies: options.policies ?? [],
+        defaultMode: options.defaultMode ?? protocol_1.EnforcementMode.Monitor,
+        defaultTrustLevel: options.defaultTrustLevel ?? protocol_1.TrustLevel.Untrusted,
+        protectedRoutes: options.protectedRoutes,
+        excludeRoutes: options.excludeRoutes ?? DEFAULT_EXCLUDE_ROUTES,
+        sensorScriptUrl,
+        scriptNonce: options.scriptNonce,
+        scriptAsync: options.scriptAsync ?? true,
+        scriptDefer: options.scriptDefer ?? false,
+        log: options.log,
+    };
+    return {
+        middleware: (0, middleware_js_1.createProtegoMiddleware)(protegoConfig),
+        config: { matcher: options.matcher ?? DEFAULT_MATCHER },
+        scriptProps: {
+            attestationUrl: protegoConfig.attestationUrl,
+            audience: protegoConfig.audience,
+            sensorScriptUrl: protegoConfig.sensorScriptUrl,
+            nonce: protegoConfig.scriptNonce,
+            async: protegoConfig.scriptAsync,
+            defer: protegoConfig.scriptDefer,
+        },
+        protegoConfig,
+    };
+}
+//# sourceMappingURL=auto.js.map

package/dist/auto.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"auto.js","sourceRoot":"","sources":["../src/auto.ts"],"names":[],"mappings":";;AAiBA,sCAgDC;AAjED,4DAA4E;AAC5E,mDAA0D;AAG1D,MAAM,sBAAsB,GAAG,CAAC,QAAQ,EAAE,cAAc,EAAE,aAAa,EAAE,cAAc,CAAC,CAAC;AACzF,MAAM,eAAe,GAAG,CAAC,sEAAsE,CAAC,CAAC;AAMjG,SAAS,cAAc,CAAC,IAAY,EAAE,QAAiB;IACrD,MAAM,KAAK,GAAG,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,QAAQ,CAAC;IAC5C,IAAI,CAAC,KAAK;QAAE,MAAM,IAAI,KAAK,CAAC,oDAAoD,IAAI,EAAE,CAAC,CAAC;IACxF,OAAO,KAAK,CAAC;AACf,CAAC;AAED,SAAgB,aAAa,CAAC,UAA8B,EAAE;IAM5D,MAAM,cAAc,GAAG,OAAO,CAAC,cAAc;WACxC,OAAO,CAAC,GAAG,CAAC,mCAAmC;WAC/C,EAAE,CAAC;IAER,MAAM,QAAQ,GAAG,OAAO,CAAC,QAAQ;WAC5B,OAAO,CAAC,GAAG,CAAC,4BAA4B;WACxC,OAAO,CAAC,GAAG,CAAC,gBAAgB;WAC5B,cAAc,CAAC;IAEpB,MAAM,eAAe,GAAG,OAAO,CAAC,eAAe;WAC1C,CAAC,cAAc,CAAC,CAAC,CAAC,GAAG,cAAc,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,qBAAqB,CAAC,CAAC,CAAC,qBAAqB,CAAC,CAAC;IAE1G,MAAM,aAAa,GAAsB;QACvC,cAAc;QACd,UAAU,EAAE,OAAO,CAAC,UAAU,IAAI,cAAc,CAAC,qBAAqB,CAAC;QACvE,QAAQ;QACR,MAAM,EAAE,OAAO,CAAC,MAAM,IAAI,cAAc,CAAC,iBAAiB,CAAC;QAC3D,QAAQ,EAAE,OAAO,CAAC,QAAQ,IAAI,EAAE;QAChC,WAAW,EAAE,OAAO,CAAC,WAAW,IAAI,0BAAe,CAAC,OAAO;QAC3D,iBAAiB,EAAE,OAAO,CAAC,iBAAiB,IAAI,qBAAU,CAAC,SAAS;QACpE,eAAe,EAAE,OAAO,CAAC,eAAe;QACxC,aAAa,EAAE,OAAO,CAAC,aAAa,IAAI,sBAAsB;QAC9D,eAAe;QACf,WAAW,EAAE,OAAO,CAAC,WAAW;QAChC,WAAW,EAAE,OAAO,CAAC,WAAW,IAAI,IAAI;QACxC,WAAW,EAAE,OAAO,CAAC,WAAW,IAAI,KAAK;QACzC,GAAG,EAAE,OAAO,CAAC,GAAG;KACjB,CAAC;IAEF,OAAO;QACL,UAAU,EAAE,IAAA,uCAAuB,EAAC,aAAa,CAAC;QAClD,MAAM,EAAE,EAAE,OAAO,EAAE,OAAO,CAAC,OAAO,IAAI,eAAe,EAAE;QACvD,WAAW,EAAE;YACX,cAAc,EAAE,aAAa,CAAC,cAAc;YAC5C,QAAQ,EAAE,aAAa,CAAC,QAAQ;YAChC,eAAe,EAAE,aAAa,CAAC,eAAe;YAC9C,KAAK,EAAE,aAAa,CAAC,WAAW;YAChC,KAAK,EAAE,aAAa,CAAC,WAAW;YAChC,KAAK,EAAE,aAAa,CAAC,WAAW;SACjC;QACD,aAAa;KACd,CAAC;AACJ,CAAC"}

package/dist/edge.d.ts

@@ -0,0 +1,4 @@
+export { shouldSkip, matchPolicy, verifyTokenEdge, evaluateEdgeEnforcement } from './logic.js';
+export type { EdgeEnforcementInput, EdgeEnforcementOutput } from './logic.js';
+export type { ProtegoNextConfig, ProtegoScriptProps, EdgeVerifyResult, } from './types.js';
+//# sourceMappingURL=edge.d.ts.map

package/dist/edge.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"edge.d.ts","sourceRoot":"","sources":["../src/edge.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,WAAW,EAAE,eAAe,EAAE,uBAAuB,EAAE,MAAM,YAAY,CAAC;AAC/F,YAAY,EAAE,oBAAoB,EAAE,qBAAqB,EAAE,MAAM,YAAY,CAAC;AAC9E,YAAY,EACV,iBAAiB,EACjB,kBAAkB,EAClB,gBAAgB,GACjB,MAAM,YAAY,CAAC"}

package/dist/edge.js

@@ -0,0 +1,9 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.evaluateEdgeEnforcement = exports.verifyTokenEdge = exports.matchPolicy = exports.shouldSkip = void 0;
+var logic_js_1 = require("./logic.js");
+Object.defineProperty(exports, "shouldSkip", { enumerable: true, get: function () { return logic_js_1.shouldSkip; } });
+Object.defineProperty(exports, "matchPolicy", { enumerable: true, get: function () { return logic_js_1.matchPolicy; } });
+Object.defineProperty(exports, "verifyTokenEdge", { enumerable: true, get: function () { return logic_js_1.verifyTokenEdge; } });
+Object.defineProperty(exports, "evaluateEdgeEnforcement", { enumerable: true, get: function () { return logic_js_1.evaluateEdgeEnforcement; } });
+//# sourceMappingURL=edge.js.map

package/dist/edge.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"edge.js","sourceRoot":"","sources":["../src/edge.ts"],"names":[],"mappings":";;;AAAA,uCAA+F;AAAtF,sGAAA,UAAU,OAAA;AAAE,uGAAA,WAAW,OAAA;AAAE,2GAAA,eAAe,OAAA;AAAE,mHAAA,uBAAuB,OAAA"}

package/dist/encrypt.d.ts

@@ -0,0 +1,24 @@
+import type { SessionStore } from '@protegoprotect/attestation/store';
+import { NextResponse } from 'next/server';
+/**
+ * Returns an encrypted NextResponse if the request carries a valid trust token
+ * with an active session that has derived keys. Gracefully falls back to plain
+ * JSON when no valid token or session exists, so unauthenticated requests still
+ * receive a response (the middleware layer should gate access upstream).
+ *
+ * Usage in a Next.js API route:
+ *
+ *   import { protegoJsonResponse } from '@protegoprotect/middleware-next';
+ *   import { getProtegoRuntime } from '@/lib/protego';
+ *
+ *   const SIGNING_KEY = Buffer.from(process.env.PROTEGO_SIGNING_KEY!, 'hex');
+ *
+ *   export async function GET(request: NextRequest) {
+ *     // ... build data ...
+ *     const trustToken = request.cookies.get('ptg_trust')?.value ?? null;
+ *     const { store } = getProtegoRuntime();
+ *     return protegoJsonResponse({ data }, store, SIGNING_KEY, trustToken);
+ *   }
+ */
+export declare function protegoJsonResponse(data: unknown, store: SessionStore, signingKey: Buffer, trustToken: string | null, status?: number): Promise<NextResponse>;
+//# sourceMappingURL=encrypt.d.ts.map

package/dist/encrypt.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"encrypt.d.ts","sourceRoot":"","sources":["../src/encrypt.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,mCAAmC,CAAC;AACtE,OAAO,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAE3C;;;;;;;;;;;;;;;;;;;GAmBG;AACH,wBAAsB,mBAAmB,CACvC,IAAI,EAAE,OAAO,EACb,KAAK,EAAE,YAAY,EACnB,UAAU,EAAE,MAAM,EAClB,UAAU,EAAE,MAAM,GAAG,IAAI,EACzB,MAAM,SAAM,GACX,OAAO,CAAC,YAAY,CAAC,CA4BvB"}

package/dist/encrypt.js

@@ -0,0 +1,51 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.protegoJsonResponse = protegoJsonResponse;
+const core_1 = require("@protegoprotect/core");
+const server_1 = require("next/server");
+/**
+ * Returns an encrypted NextResponse if the request carries a valid trust token
+ * with an active session that has derived keys. Gracefully falls back to plain
+ * JSON when no valid token or session exists, so unauthenticated requests still
+ * receive a response (the middleware layer should gate access upstream).
+ *
+ * Usage in a Next.js API route:
+ *
+ *   import { protegoJsonResponse } from '@protegoprotect/middleware-next';
+ *   import { getProtegoRuntime } from '@/lib/protego';
+ *
+ *   const SIGNING_KEY = Buffer.from(process.env.PROTEGO_SIGNING_KEY!, 'hex');
+ *
+ *   export async function GET(request: NextRequest) {
+ *     // ... build data ...
+ *     const trustToken = request.cookies.get('ptg_trust')?.value ?? null;
+ *     const { store } = getProtegoRuntime();
+ *     return protegoJsonResponse({ data }, store, SIGNING_KEY, trustToken);
+ *   }
+ */
+async function protegoJsonResponse(data, store, signingKey, trustToken, status = 200) {
+    // Graceful fallback: no token → plain JSON
+    if (!trustToken) {
+        return server_1.NextResponse.json(data, { status });
+    }
+    const claims = (0, core_1.verifyTrustToken)(trustToken, signingKey);
+    if (!claims) {
+        return server_1.NextResponse.json(data, { status });
+    }
+    const session = await store.get(claims.sid);
+    if (!session?.derivedKeys?.responseEncKey) {
+        return server_1.NextResponse.json(data, { status });
+    }
+    const plaintext = Buffer.from(JSON.stringify(data), 'utf-8');
+    // AAD binds the ciphertext to this specific session to prevent cross-session replay
+    const aad = `${claims.sid}:response`;
+    const encrypted = (0, core_1.encrypt)(session.derivedKeys.responseEncKey, plaintext, aad);
+    return server_1.NextResponse.json(encrypted, {
+        status,
+        headers: {
+            'X-Protego-Encrypted': '1',
+            'Content-Type': 'application/json',
+        },
+    });
+}
+//# sourceMappingURL=encrypt.js.map

package/dist/encrypt.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"encrypt.js","sourceRoot":"","sources":["../src/encrypt.ts"],"names":[],"mappings":";;AAwBA,kDAkCC;AA1DD,+CAAiE;AAEjE,wCAA2C;AAE3C;;;;;;;;;;;;;;;;;;;GAmBG;AACI,KAAK,UAAU,mBAAmB,CACvC,IAAa,EACb,KAAmB,EACnB,UAAkB,EAClB,UAAyB,EACzB,MAAM,GAAG,GAAG;IAEZ,2CAA2C;IAC3C,IAAI,CAAC,UAAU,EAAE,CAAC;QAChB,OAAO,qBAAY,CAAC,IAAI,CAAC,IAAI,EAAE,EAAE,MAAM,EAAE,CAAC,CAAC;IAC7C,CAAC;IAED,MAAM,MAAM,GAAG,IAAA,uBAAgB,EAAC,UAAU,EAAE,UAAU,CAAC,CAAC;IACxD,IAAI,CAAC,MAAM,EAAE,CAAC;QACZ,OAAO,qBAAY,CAAC,IAAI,CAAC,IAAI,EAAE,EAAE,MAAM,EAAE,CAAC,CAAC;IAC7C,CAAC;IAED,MAAM,OAAO,GAAG,MAAM,KAAK,CAAC,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;IAC5C,IAAI,CAAC,OAAO,EAAE,WAAW,EAAE,cAAc,EAAE,CAAC;QAC1C,OAAO,qBAAY,CAAC,IAAI,CAAC,IAAI,EAAE,EAAE,MAAM,EAAE,CAAC,CAAC;IAC7C,CAAC;IAED,MAAM,SAAS,GAAG,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,EAAE,OAAO,CAAC,CAAC;IAC7D,oFAAoF;IACpF,MAAM,GAAG,GAAG,GAAG,MAAM,CAAC,GAAG,WAAW,CAAC;IACrC,MAAM,SAAS,GAAG,IAAA,cAAO,EAAC,OAAO,CAAC,WAAW,CAAC,cAAc,EAAE,SAAS,EAAE,GAAG,CAAC,CAAC;IAE9E,OAAO,qBAAY,CAAC,IAAI,CAAC,SAAS,EAAE;QAClC,MAAM;QACN,OAAO,EAAE;YACP,qBAAqB,EAAE,GAAG;YAC1B,cAAc,EAAE,kBAAkB;SACnC;KACF,CAAC,CAAC;AACL,CAAC"}

package/dist/fetch.d.ts

@@ -0,0 +1,79 @@
+export interface EncryptedPayload {
+    iv: string;
+    ciphertext: string;
+    tag: string;
+    aad: string;
+}
+/**
+ * Crypto context for encrypted fetch operations.
+ * Typically obtained from ProtegoClient.getSession().
+ */
+export interface ProtegoFetchContext {
+    sessionId: string;
+    trustToken: string | null;
+    derivedKeys: {
+        responseEncKey: CryptoKey;
+        pathSignKey: CryptoKey;
+        payloadEncKey: CryptoKey;
+    } | null;
+    /** Mutable counter for HMAC path rotation. Incremented on each rotated request. */
+    pathCounter: number;
+    /** ECDSA P-256 key pair for DPoP proof-of-possession signing. */
+    dpopKeyPair: {
+        publicKey: CryptoKey;
+        privateKey: CryptoKey;
+    } | null;
+}
+export interface ProtegoFetchOptions {
+    /** Attach trust token as Authorization header. Default true. */
+    includeTrustToken?: boolean;
+    /** Set credentials to 'include'. Default true. */
+    includeSessionCookie?: boolean;
+    /** Encrypt the request body. Requires derivedKeys. Default false. */
+    encryptRequest?: boolean;
+    /** Decrypt the response body if server sends encrypted response. Default true when context has keys. */
+    decryptResponse?: boolean;
+    /** Rotate the path using HMAC. Requires derivedKeys. Default false. */
+    rotate?: boolean;
+    /** Attach DPoP proof-of-possession header. Requires dpopKeyPair + trustToken. Default false. */
+    includeDPoP?: boolean;
+}
+declare function generateNonce(): string;
+declare function signDPoPProof(method: string, url: string, trustToken: string, sessionId: string, signingKey: CryptoKey): Promise<string>;
+declare function encryptPayload(key: CryptoKey, plaintext: BufferSource, aad: string): Promise<EncryptedPayload>;
+declare function decryptPayload(key: CryptoKey, payload: EncryptedPayload): Promise<Uint8Array>;
+declare function generateRotatedPath(key: CryptoKey, endpointId: string, counter: number): Promise<string>;
+declare global {
+    interface Window {
+        __protego_client?: {
+            getTrustToken(): string | null;
+            getSession(): {
+                sessionId: string;
+                derivedKeys: {
+                    responseEncKey: CryptoKey;
+                    pathSignKey: CryptoKey;
+                    payloadEncKey: CryptoKey;
+                };
+                dpopKeyPair: {
+                    publicKey: CryptoKey;
+                    privateKey: CryptoKey;
+                };
+            } | null;
+        };
+        /** Resolves when Protego attestation completes (set by init script). */
+        __protego_ready?: Promise<void>;
+        /** Resolver function for __protego_ready (internal use by init script). */
+        __protego_ready_resolve?: () => void;
+    }
+}
+/**
+ * Authenticated and optionally encrypted fetch.
+ * If no explicit context is provided, attempts to get context from window.__protego_client.
+ */
+export declare function protegoFetch(input: RequestInfo | URL, init?: RequestInit, options?: ProtegoFetchOptions, context?: ProtegoFetchContext | null): Promise<Response>;
+/**
+ * Create a bound fetch function with a fixed base URL and optional crypto context.
+ */
+export declare function createProtegoFetch(baseUrl: string, contextOrOptions?: ProtegoFetchContext | ProtegoFetchOptions, defaultOptions?: ProtegoFetchOptions): (path: string, init?: RequestInit, options?: ProtegoFetchOptions) => Promise<Response>;
+export { encryptPayload, decryptPayload, generateRotatedPath, generateNonce, signDPoPProof };
+//# sourceMappingURL=fetch.d.ts.map

package/dist/fetch.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"fetch.d.ts","sourceRoot":"","sources":["../src/fetch.ts"],"names":[],"mappings":"AAMA,MAAM,WAAW,gBAAgB;IAC/B,EAAE,EAAE,MAAM,CAAC;IACX,UAAU,EAAE,MAAM,CAAC;IACnB,GAAG,EAAE,MAAM,CAAC;IACZ,GAAG,EAAE,MAAM,CAAC;CACb;AAED;;;GAGG;AACH,MAAM,WAAW,mBAAmB;IAClC,SAAS,EAAE,MAAM,CAAC;IAClB,UAAU,EAAE,MAAM,GAAG,IAAI,CAAC;IAC1B,WAAW,EAAE;QACX,cAAc,EAAE,SAAS,CAAC;QAC1B,WAAW,EAAE,SAAS,CAAC;QACvB,aAAa,EAAE,SAAS,CAAC;KAC1B,GAAG,IAAI,CAAC;IACT,mFAAmF;IACnF,WAAW,EAAE,MAAM,CAAC;IACpB,iEAAiE;IACjE,WAAW,EAAE;QACX,SAAS,EAAE,SAAS,CAAC;QACrB,UAAU,EAAE,SAAS,CAAC;KACvB,GAAG,IAAI,CAAC;CACV;AAED,MAAM,WAAW,mBAAmB;IAClC,gEAAgE;IAChE,iBAAiB,CAAC,EAAE,OAAO,CAAC;IAC5B,kDAAkD;IAClD,oBAAoB,CAAC,EAAE,OAAO,CAAC;IAC/B,qEAAqE;IACrE,cAAc,CAAC,EAAE,OAAO,CAAC;IACzB,wGAAwG;IACxG,eAAe,CAAC,EAAE,OAAO,CAAC;IAC1B,uEAAuE;IACvE,MAAM,CAAC,EAAE,OAAO,CAAC;IACjB,gGAAgG;IAChG,WAAW,CAAC,EAAE,OAAO,CAAC;CACvB;AAwBD,iBAAS,aAAa,IAAI,MAAM,CAO/B;AAwBD,iBAAe,aAAa,CAC1B,MAAM,EAAE,MAAM,EACd,GAAG,EAAE,MAAM,EACX,UAAU,EAAE,MAAM,EAClB,SAAS,EAAE,MAAM,EACjB,UAAU,EAAE,SAAS,GACpB,OAAO,CAAC,MAAM,CAAC,CAwBjB;AAED,iBAAe,cAAc,CAC3B,GAAG,EAAE,SAAS,EACd,SAAS,EAAE,YAAY,EACvB,GAAG,EAAE,MAAM,GACV,OAAO,CAAC,gBAAgB,CAAC,CAqB3B;AAED,iBAAe,cAAc,CAC3B,GAAG,EAAE,SAAS,EACd,OAAO,EAAE,gBAAgB,GACxB,OAAO,CAAC,UAAU,CAAC,CAkBrB;AAED,iBAAe,mBAAmB,CAChC,GAAG,EAAE,SAAS,EACd,UAAU,EAAE,MAAM,EAClB,OAAO,EAAE,MAAM,GACd,OAAO,CAAC,MAAM,CAAC,CAMjB;AAsBD,OAAO,CAAC,MAAM,CAAC;IACb,UAAU,MAAM;QACd,gBAAgB,CAAC,EAAE;YACjB,aAAa,IAAI,MAAM,GAAG,IAAI,CAAC;YAC/B,UAAU,IAAI;gBACZ,SAAS,EAAE,MAAM,CAAC;gBAClB,WAAW,EAAE;oBACX,cAAc,EAAE,SAAS,CAAC;oBAC1B,WAAW,EAAE,SAAS,CAAC;oBACvB,aAAa,EAAE,SAAS,CAAC;iBAC1B,CAAC;gBACF,WAAW,EAAE;oBACX,SAAS,EAAE,SAAS,CAAC;oBACrB,UAAU,EAAE,SAAS,CAAC;iBACvB,CAAC;aACH,GAAG,IAAI,CAAC;SACV,CAAC;QACF,wEAAwE;QACxE,eAAe,CAAC,EAAE,OAAO,CAAC,IAAI,CAAC,CAAC;QAChC,2EAA2E;QAC3E,uBAAuB,CAAC,EAAE,MAAM,IAAI,CAAC;KACtC;CACF;AA+DD;;;GAGG;AACH,wBAAsB,YAAY,CAChC,KAAK,EAAE,WAAW,GAAG,GAAG,EACxB,IAAI,CAAC,EAAE,WAAW,EAClB,OAAO,CAAC,EAAE,mBAAmB,EAC7B,OAAO,CAAC,EAAE,mBAAmB,GAAG,IAAI,GACnC,OAAO,CAAC,QAAQ,CAAC,CA0HnB;AAED;;GAEG;AACH,wBAAgB,kBAAkB,CAChC,OAAO,EAAE,MAAM,EACf,gBAAgB,CAAC,EAAE,mBAAmB,GAAG,mBAAmB,EAC5D,cAAc,CAAC,EAAE,mBAAmB,IAgBlC,MAAM,MAAM,EACZ,OAAO,WAAW,EAClB,UAAU,mBAAmB,KAC5B,OAAO,CAAC,QAAQ,CAAC,CAIrB;AAED,OAAO,EAAE,cAAc,EAAE,cAAc,EAAE,mBAAmB,EAAE,aAAa,EAAE,aAAa,EAAE,CAAC"}

package/dist/fetch.js

@@ -0,0 +1,313 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.protegoFetch = protegoFetch;
+exports.createProtegoFetch = createProtegoFetch;
+exports.encryptPayload = encryptPayload;
+exports.decryptPayload = decryptPayload;
+exports.generateRotatedPath = generateRotatedPath;
+exports.generateNonce = generateNonce;
+exports.signDPoPProof = signDPoPProof;
+const AES_GCM_IV_BYTES = 12;
+const HMAC_PATH_BYTES = 16;
+const ROTATED_PATH_PREFIX = '/_protego/r/';
+// ─── Encoding Helpers ──────────────────────────────────────────────
+function bufToBase64url(buf) {
+    const bytes = new Uint8Array(buf);
+    let binary = '';
+    for (let i = 0; i < bytes.length; i++) {
+        binary += String.fromCharCode(bytes[i]);
+    }
+    return btoa(binary).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
+}
+function base64urlToBuf(b64) {
+    const padded = b64.replace(/-/g, '+').replace(/_/g, '/');
+    const pad = (4 - (padded.length % 4)) % 4;
+    const str = atob(padded + '='.repeat(pad));
+    const buf = new Uint8Array(str.length);
+    for (let i = 0; i < str.length; i++) {
+        buf[i] = str.charCodeAt(i);
+    }
+    return buf.buffer;
+}
+function generateNonce() {
+    const bytes = crypto.getRandomValues(new Uint8Array(16));
+    let hex = '';
+    for (let i = 0; i < bytes.length; i++) {
+        hex += bytes[i].toString(16).padStart(2, '0');
+    }
+    return hex;
+}
+// ─── Crypto Helpers ────────────────────────────────────────────────
+async function sha256Hex(data) {
+    const enc = new TextEncoder();
+    const hash = await crypto.subtle.digest('SHA-256', enc.encode(data));
+    const bytes = new Uint8Array(hash);
+    let hex = '';
+    for (let i = 0; i < bytes.length; i++) {
+        hex += bytes[i].toString(16).padStart(2, '0');
+    }
+    return hex;
+}
+function generateDPoPJti() {
+    const bytes = crypto.getRandomValues(new Uint8Array(16));
+    let hex = '';
+    for (let i = 0; i < bytes.length; i++) {
+        hex += bytes[i].toString(16).padStart(2, '0');
+    }
+    return hex;
+}
+async function signDPoPProof(method, url, trustToken, sessionId, signingKey) {
+    const ath = await sha256Hex(trustToken);
+    const claims = {
+        jti: generateDPoPJti(),
+        htm: method.toUpperCase(),
+        htu: url,
+        iat: Math.floor(Date.now() / 1000),
+        sid: sessionId,
+        ath,
+    };
+    const payload = btoa(JSON.stringify(claims))
+        .replace(/\+/g, '-')
+        .replace(/\//g, '_')
+        .replace(/=+$/, '');
+    const payloadBytes = new TextEncoder().encode(payload);
+    const signature = await crypto.subtle.sign({ name: 'ECDSA', hash: 'SHA-256' }, signingKey, payloadBytes);
+    return `${payload}.${bufToBase64url(signature)}`;
+}
+async function encryptPayload(key, plaintext, aad) {
+    const iv = crypto.getRandomValues(new Uint8Array(AES_GCM_IV_BYTES));
+    const enc = new TextEncoder();
+    const aadBuf = enc.encode(aad);
+    const encrypted = await crypto.subtle.encrypt({ name: 'AES-GCM', iv, additionalData: aadBuf, tagLength: 128 }, key, plaintext);
+    const combined = new Uint8Array(encrypted);
+    const ciphertextBytes = combined.slice(0, combined.length - 16);
+    const tagBytes = combined.slice(combined.length - 16);
+    return {
+        iv: bufToBase64url(iv.buffer),
+        ciphertext: bufToBase64url(ciphertextBytes.buffer),
+        tag: bufToBase64url(tagBytes.buffer),
+        aad,
+    };
+}
+async function decryptPayload(key, payload) {
+    const iv = new Uint8Array(base64urlToBuf(payload.iv));
+    const ciphertext = new Uint8Array(base64urlToBuf(payload.ciphertext));
+    const tag = new Uint8Array(base64urlToBuf(payload.tag));
+    const enc = new TextEncoder();
+    const aadBuf = enc.encode(payload.aad);
+    const combined = new Uint8Array(ciphertext.length + tag.length);
+    combined.set(ciphertext, 0);
+    combined.set(tag, ciphertext.length);
+    const decrypted = await crypto.subtle.decrypt({ name: 'AES-GCM', iv, additionalData: aadBuf, tagLength: 128 }, key, combined);
+    return new Uint8Array(decrypted);
+}
+async function generateRotatedPath(key, endpointId, counter) {
+    const enc = new TextEncoder();
+    const data = enc.encode(`${endpointId}:${counter}`);
+    const sig = await crypto.subtle.sign('HMAC', key, data);
+    const truncated = new Uint8Array(sig).slice(0, HMAC_PATH_BYTES);
+    return bufToBase64url(truncated.buffer);
+}
+const PATH_MASK_LABEL = 'protego-path-mask';
+async function encryptPathHeader(key, endpointId) {
+    const enc = new TextEncoder();
+    const keystream = new Uint8Array(await crypto.subtle.sign('HMAC', key, enc.encode(PATH_MASK_LABEL)));
+    const pathBytes = enc.encode(endpointId);
+    const masked = new Uint8Array(pathBytes.length);
+    for (let i = 0; i < pathBytes.length; i++) {
+        masked[i] = pathBytes[i] ^ keystream[i % keystream.length];
+    }
+    return bufToBase64url(masked.buffer);
+}
+/** Shared context cached after first successful read so all calls share one counter. */
+let cachedContext = null;
+function getContextFromWindow() {
+    if (typeof window === 'undefined')
+        return null;
+    if (cachedContext)
+        return cachedContext;
+    const client = window.__protego_client;
+    if (!client)
+        return null;
+    const session = client.getSession();
+    if (!session)
+        return null;
+    cachedContext = {
+        sessionId: session.sessionId,
+        trustToken: client.getTrustToken(),
+        derivedKeys: session.derivedKeys,
+        pathCounter: 0,
+        dpopKeyPair: session.dpopKeyPair ?? null,
+    };
+    return cachedContext;
+}
+const ATTESTATION_TIMEOUT_MS = 8000;
+const POLL_INTERVAL_MS = 100;
+async function waitForContext() {
+    const immediate = getContextFromWindow();
+    if (immediate)
+        return immediate;
+    if (typeof window === 'undefined')
+        return null;
+    if (window.__protego_ready) {
+        try {
+            await Promise.race([
+                window.__protego_ready,
+                new Promise((_, reject) => setTimeout(() => reject(new Error('timeout')), ATTESTATION_TIMEOUT_MS)),
+            ]);
+        }
+        catch {
+        }
+        return getContextFromWindow();
+    }
+    return new Promise((resolve) => {
+        const start = Date.now();
+        const timer = setInterval(() => {
+            const ctx = getContextFromWindow();
+            if (ctx) {
+                clearInterval(timer);
+                resolve(ctx);
+                return;
+            }
+            if (Date.now() - start >= ATTESTATION_TIMEOUT_MS) {
+                clearInterval(timer);
+                resolve(null);
+            }
+        }, POLL_INTERVAL_MS);
+    });
+}
+// ─── Core Fetch ────────────────────────────────────────────────────
+/**
+ * Authenticated and optionally encrypted fetch.
+ * If no explicit context is provided, attempts to get context from window.__protego_client.
+ */
+async function protegoFetch(input, init, options, context) {
+    const opts = {
+        includeTrustToken: true,
+        includeSessionCookie: true,
+        encryptRequest: false,
+        decryptResponse: true,
+        rotate: false,
+        includeDPoP: false,
+        ...options,
+    };
+    const ctx = context ?? (opts.rotate ? await waitForContext() : getContextFromWindow());
+    const headers = new Headers(init?.headers);
+    // Attach trust token
+    if (opts.includeTrustToken && ctx?.trustToken) {
+        headers.set('Authorization', `Protego ${ctx.trustToken}`);
+    }
+    // Attach session ID
+    if (ctx?.sessionId) {
+        headers.set('X-Protego-Session', ctx.sessionId);
+    }
+    let url = typeof input === 'string' ? input : input instanceof URL ? input.href : input.url;
+    const originalUrl = url;
+    // Path rotation
+    if (opts.rotate && ctx?.derivedKeys?.pathSignKey) {
+        const urlObj = new URL(url, typeof window !== 'undefined' ? window.location.origin : undefined);
+        const endpointId = urlObj.pathname;
+        const segment = await generateRotatedPath(ctx.derivedKeys.pathSignKey, endpointId, ctx.pathCounter);
+        // Send HMAC of the path instead of the plaintext path — hides real API routes from DevTools
+        const pathId = await encryptPathHeader(ctx.derivedKeys.pathSignKey, endpointId);
+        headers.set('X-Protego-Path', pathId);
+        urlObj.pathname = `${ROTATED_PATH_PREFIX}${segment}`;
+        url = urlObj.href;
+        ctx.pathCounter++;
+    }
+    // Build the request init
+    let finalBody = init?.body;
+    // Request encryption
+    if (opts.encryptRequest && ctx?.derivedKeys?.payloadEncKey && init?.body != null) {
+        const nonce = generateNonce();
+        const timestamp = Math.floor(Date.now() / 1000);
+        const aad = `${ctx.sessionId}:${nonce}:${timestamp}`;
+        let bodyBuf;
+        if (typeof init.body === 'string') {
+            bodyBuf = new TextEncoder().encode(init.body).buffer;
+        }
+        else if (init.body instanceof ArrayBuffer) {
+            bodyBuf = init.body;
+        }
+        else if (init.body instanceof Uint8Array) {
+            bodyBuf = init.body.buffer.slice(init.body.byteOffset, init.body.byteOffset + init.body.byteLength);
+        }
+        else {
+            bodyBuf = new TextEncoder().encode(String(init.body)).buffer;
+        }
+        const encrypted = await encryptPayload(ctx.derivedKeys.payloadEncKey, bodyBuf, aad);
+        finalBody = JSON.stringify(encrypted);
+        headers.set('Content-Type', 'application/x-protego-encrypted');
+        headers.set('X-Protego-Nonce', nonce);
+        headers.set('X-Protego-Timestamp', String(timestamp));
+    }
+    // DPoP proof-of-possession
+    if (opts.includeDPoP && ctx?.dpopKeyPair?.privateKey && ctx.trustToken && ctx.sessionId) {
+        const method = init?.method?.toUpperCase() ?? 'GET';
+        const dpopProof = await signDPoPProof(method, url, ctx.trustToken, ctx.sessionId, ctx.dpopKeyPair.privateKey);
+        headers.set('X-Protego-DPoP', dpopProof);
+    }
+    const response = await fetch(url, {
+        ...init,
+        body: finalBody,
+        headers,
+        credentials: init?.credentials ?? 'include',
+    });
+    // If a rotated request failed, retry with the original unrotated URL.
+    if (opts.rotate && !response.ok && originalUrl !== url) {
+        const fallbackHeaders = new Headers(init?.headers);
+        if (ctx?.trustToken) {
+            fallbackHeaders.set('Authorization', `Protego ${ctx.trustToken}`);
+        }
+        if (ctx?.sessionId) {
+            fallbackHeaders.set('X-Protego-Session', ctx.sessionId);
+        }
+        return fetch(originalUrl, {
+            ...init,
+            headers: fallbackHeaders,
+            credentials: init?.credentials ?? 'include',
+        });
+    }
+    // Response decryption
+    if (opts.decryptResponse && ctx?.derivedKeys?.responseEncKey) {
+        const isEncrypted = response.headers.get('X-Protego-Encrypted') === '1' ||
+            response.headers.get('Content-Type')?.includes('application/x-protego-encrypted');
+        if (isEncrypted) {
+            const encBody = (await response.json());
+            if (!encBody.iv || !encBody.ciphertext || !encBody.tag || !encBody.aad) {
+                throw new Error('Protego: invalid encrypted response payload');
+            }
+            const decrypted = await decryptPayload(ctx.derivedKeys.responseEncKey, encBody);
+            const decryptedText = new TextDecoder().decode(decrypted);
+            return new Response(decryptedText, {
+                status: response.status,
+                statusText: response.statusText,
+                headers: new Headers({
+                    'Content-Type': 'application/json',
+                }),
+            });
+        }
+    }
+    return response;
+}
+/**
+ * Create a bound fetch function with a fixed base URL and optional crypto context.
+ */
+function createProtegoFetch(baseUrl, contextOrOptions, defaultOptions) {
+    // Determine if second arg is context or options
+    let fixedContext;
+    let fixedOpts;
+    if (contextOrOptions && 'sessionId' in contextOrOptions) {
+        fixedContext = contextOrOptions;
+        fixedOpts = defaultOptions;
+    }
+    else {
+        fixedOpts = contextOrOptions;
+    }
+    const normalizedBase = baseUrl.replace(/\/$/, '');
+    return function boundProtegoFetch(path, init, options) {
+        const url = path.startsWith('http') ? path : `${normalizedBase}${path}`;
+        return protegoFetch(url, init, { ...fixedOpts, ...options }, fixedContext ?? null);
+    };
+}
+//# sourceMappingURL=fetch.js.map

package/dist/fetch.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"fetch.js","sourceRoot":"","sources":["../src/fetch.ts"],"names":[],"mappings":";;AAiTA,oCA+HC;AAKD,gDA0BC;AAEQ,wCAAc;AAAE,wCAAc;AAAE,kDAAmB;AAAE,sCAAa;AAAE,sCAAa;AAjd1F,MAAM,gBAAgB,GAAG,EAAE,CAAC;AAC5B,MAAM,eAAe,GAAG,EAAE,CAAC;AAC3B,MAAM,mBAAmB,GAAG,cAAc,CAAC;AA+C3C,sEAAsE;AAEtE,SAAS,cAAc,CAAC,GAAgB;IACtC,MAAM,KAAK,GAAG,IAAI,UAAU,CAAC,GAAG,CAAC,CAAC;IAClC,IAAI,MAAM,GAAG,EAAE,CAAC;IAChB,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACtC,MAAM,IAAI,MAAM,CAAC,YAAY,CAAC,KAAK,CAAC,CAAC,CAAE,CAAC,CAAC;IAC3C,CAAC;IACD,OAAO,IAAI,CAAC,MAAM,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;AACjF,CAAC;AAED,SAAS,cAAc,CAAC,GAAW;IACjC,MAAM,MAAM,GAAG,GAAG,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC;IACzD,MAAM,GAAG,GAAG,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC;IAC1C,MAAM,GAAG,GAAG,IAAI,CAAC,MAAM,GAAG,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC;IAC3C,MAAM,GAAG,GAAG,IAAI,UAAU,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;IACvC,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,GAAG,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACpC,GAAG,CAAC,CAAC,CAAC,GAAG,GAAG,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC;IAC7B,CAAC;IACD,OAAO,GAAG,CAAC,MAAM,CAAC;AACpB,CAAC;AAED,SAAS,aAAa;IACpB,MAAM,KAAK,GAAG,MAAM,CAAC,eAAe,CAAC,IAAI,UAAU,CAAC,EAAE,CAAC,CAAC,CAAC;IACzD,IAAI,GAAG,GAAG,EAAE,CAAC;IACb,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACtC,GAAG,IAAI,KAAK,CAAC,CAAC,CAAE,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC;IACjD,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC;AAED,sEAAsE;AAEtE,KAAK,UAAU,SAAS,CAAC,IAAY;IACnC,MAAM,GAAG,GAAG,IAAI,WAAW,EAAE,CAAC;IAC9B,MAAM,IAAI,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,SAAS,EAAE,GAAG,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC;IACrE,MAAM,KAAK,GAAG,IAAI,UAAU,CAAC,IAAI,CAAC,CAAC;IACnC,IAAI,GAAG,GAAG,EAAE,CAAC;IACb,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACtC,GAAG,IAAI,KAAK,CAAC,CAAC,CAAE,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC;IACjD,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC;AAED,SAAS,eAAe;IACtB,MAAM,KAAK,GAAG,MAAM,CAAC,eAAe,CAAC,IAAI,UAAU,CAAC,EAAE,CAAC,CAAC,CAAC;IACzD,IAAI,GAAG,GAAG,EAAE,CAAC;IACb,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACtC,GAAG,IAAI,KAAK,CAAC,CAAC,CAAE,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC;IACjD,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC;AAED,KAAK,UAAU,aAAa,CAC1B,MAAc,EACd,GAAW,EACX,UAAkB,EAClB,SAAiB,EACjB,UAAqB;IAErB,MAAM,GAAG,GAAG,MAAM,SAAS,CAAC,UAAU,CAAC,CAAC;IACxC,MAAM,MAAM,GAAG;QACb,GAAG,EAAE,eAAe,EAAE;QACtB,GAAG,EAAE,MAAM,CAAC,WAAW,EAAE;QACzB,GAAG,EAAE,GAAG;QACR,GAAG,EAAE,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC;QAClC,GAAG,EAAE,SAAS;QACd,GAAG;KACJ,CAAC;IAEF,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC;SACzC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC;SACnB,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC;SACnB,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;IAEtB,MAAM,YAAY,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;IACvD,MAAM,SAAS,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,IAAI,CACxC,EAAE,IAAI,EAAE,OAAO,EAAE,IAAI,EAAE,SAAS,EAAE,EAClC,UAAU,EACV,YAAY,CACb,CAAC;IAEF,OAAO,GAAG,OAAO,IAAI,cAAc,CAAC,SAAS,CAAC,EAAE,CAAC;AACnD,CAAC;AAED,KAAK,UAAU,cAAc,CAC3B,GAAc,EACd,SAAuB,EACvB,GAAW;IAEX,MAAM,EAAE,GAAG,MAAM,CAAC,eAAe,CAAC,IAAI,UAAU,CAAC,gBAAgB,CAAC,CAAC,CAAC;IACpE,MAAM,GAAG,GAAG,IAAI,WAAW,EAAE,CAAC;IAC9B,MAAM,MAAM,GAAG,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;IAE/B,MAAM,SAAS,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,OAAO,CAC3C,EAAE,IAAI,EAAE,SAAS,EAAE,EAAE,EAAE,cAAc,EAAE,MAAM,EAAE,SAAS,EAAE,GAAG,EAAE,EAC/D,GAAG,EACH,SAAS,CACV,CAAC;IAEF,MAAM,QAAQ,GAAG,IAAI,UAAU,CAAC,SAAS,CAAC,CAAC;IAC3C,MAAM,eAAe,GAAG,QAAQ,CAAC,KAAK,CAAC,CAAC,EAAE,QAAQ,CAAC,MAAM,GAAG,EAAE,CAAC,CAAC;IAChE,MAAM,QAAQ,GAAG,QAAQ,CAAC,KAAK,CAAC,QAAQ,CAAC,MAAM,GAAG,EAAE,CAAC,CAAC;IAEtD,OAAO;QACL,EAAE,EAAE,cAAc,CAAC,EAAE,CAAC,MAAM,CAAC;QAC7B,UAAU,EAAE,cAAc,CAAC,eAAe,CAAC,MAAM,CAAC;QAClD,GAAG,EAAE,cAAc,CAAC,QAAQ,CAAC,MAAM,CAAC;QACpC,GAAG;KACJ,CAAC;AACJ,CAAC;AAED,KAAK,UAAU,cAAc,CAC3B,GAAc,EACd,OAAyB;IAEzB,MAAM,EAAE,GAAG,IAAI,UAAU,CAAC,cAAc,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC,CAAC;IACtD,MAAM,UAAU,GAAG,IAAI,UAAU,CAAC,cAAc,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC,CAAC;IACtE,MAAM,GAAG,GAAG,IAAI,UAAU,CAAC,cAAc,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC;IACxD,MAAM,GAAG,GAAG,IAAI,WAAW,EAAE,CAAC;IAC9B,MAAM,MAAM,GAAG,GAAG,CAAC,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;IAEvC,MAAM,QAAQ,GAAG,IAAI,UAAU,CAAC,UAAU,CAAC,MAAM,GAAG,GAAG,CAAC,MAAM,CAAC,CAAC;IAChE,QAAQ,CAAC,GAAG,CAAC,UAAU,EAAE,CAAC,CAAC,CAAC;IAC5B,QAAQ,CAAC,GAAG,CAAC,GAAG,EAAE,UAAU,CAAC,MAAM,CAAC,CAAC;IAErC,MAAM,SAAS,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,OAAO,CAC3C,EAAE,IAAI,EAAE,SAAS,EAAE,EAAE,EAAE,cAAc,EAAE,MAAM,EAAE,SAAS,EAAE,GAAG,EAAE,EAC/D,GAAG,EACH,QAAQ,CACT,CAAC;IAEF,OAAO,IAAI,UAAU,CAAC,SAAS,CAAC,CAAC;AACnC,CAAC;AAED,KAAK,UAAU,mBAAmB,CAChC,GAAc,EACd,UAAkB,EAClB,OAAe;IAEf,MAAM,GAAG,GAAG,IAAI,WAAW,EAAE,CAAC;IAC9B,MAAM,IAAI,GAAG,GAAG,CAAC,MAAM,CAAC,GAAG,UAAU,IAAI,OAAO,EAAE,CAAC,CAAC;IACpD,MAAM,GAAG,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,MAAM,EAAE,GAAG,EAAE,IAAI,CAAC,CAAC;IACxD,MAAM,SAAS,GAAG,IAAI,UAAU,CAAC,GAAG,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,eAAe,CAAC,CAAC;IAChE,OAAO,cAAc,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC;AAC1C,CAAC;AAED,MAAM,eAAe,GAAG,mBAAmB,CAAC;AAE5C,KAAK,UAAU,iBAAiB,CAC9B,GAAc,EACd,UAAkB;IAElB,MAAM,GAAG,GAAG,IAAI,WAAW,EAAE,CAAC;IAC9B,MAAM,SAAS,GAAG,IAAI,UAAU,CAC9B,MAAM,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,MAAM,EAAE,GAAG,EAAE,GAAG,CAAC,MAAM,CAAC,eAAe,CAAC,CAAC,CACnE,CAAC;IACF,MAAM,SAAS,GAAG,GAAG,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC;IACzC,MAAM,MAAM,GAAG,IAAI,UAAU,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC;IAChD,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,SAAS,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QAC1C,MAAM,CAAC,CAAC,CAAC,GAAG,SAAS,CAAC,CAAC,CAAE,GAAG,SAAS,CAAC,CAAC,GAAG,SAAS,CAAC,MAAM,CAAE,CAAC;IAC/D,CAAC;IACD,OAAO,cAAc,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;AACvC,CAAC;AA4BD,wFAAwF;AACxF,IAAI,aAAa,GAA+B,IAAI,CAAC;AAErD,SAAS,oBAAoB;IAC3B,IAAI,OAAO,MAAM,KAAK,WAAW;QAAE,OAAO,IAAI,CAAC;IAC/C,IAAI,aAAa;QAAE,OAAO,aAAa,CAAC;IACxC,MAAM,MAAM,GAAG,MAAM,CAAC,gBAAgB,CAAC;IACvC,IAAI,CAAC,MAAM;QAAE,OAAO,IAAI,CAAC;IACzB,MAAM,OAAO,GAAG,MAAM,CAAC,UAAU,EAAE,CAAC;IACpC,IAAI,CAAC,OAAO;QAAE,OAAO,IAAI,CAAC;IAC1B,aAAa,GAAG;QACd,SAAS,EAAE,OAAO,CAAC,SAAS;QAC5B,UAAU,EAAE,MAAM,CAAC,aAAa,EAAE;QAClC,WAAW,EAAE,OAAO,CAAC,WAAW;QAChC,WAAW,EAAE,CAAC;QACd,WAAW,EAAE,OAAO,CAAC,WAAW,IAAI,IAAI;KACzC,CAAC;IACF,OAAO,aAAa,CAAC;AACvB,CAAC;AAED,MAAM,sBAAsB,GAAG,IAAI,CAAC;AACpC,MAAM,gBAAgB,GAAG,GAAG,CAAC;AAE7B,KAAK,UAAU,cAAc;IAC3B,MAAM,SAAS,GAAG,oBAAoB,EAAE,CAAC;IACzC,IAAI,SAAS;QAAE,OAAO,SAAS,CAAC;IAEhC,IAAI,OAAO,MAAM,KAAK,WAAW;QAAE,OAAO,IAAI,CAAC;IAE/C,IAAI,MAAM,CAAC,eAAe,EAAE,CAAC;QAC3B,IAAI,CAAC;YACH,MAAM,OAAO,CAAC,IAAI,CAAC;gBACjB,MAAM,CAAC,eAAe;gBACtB,IAAI,OAAO,CAAO,CAAC,CAAC,EAAE,MAAM,EAAE,EAAE,CAC9B,UAAU,CAAC,GAAG,EAAE,CAAC,MAAM,CAAC,IAAI,KAAK,CAAC,SAAS,CAAC,CAAC,EAAE,sBAAsB,CAAC,CACvE;aACF,CAAC,CAAC;QACL,CAAC;QAAC,MAAM,CAAC;QACT,CAAC;QACD,OAAO,oBAAoB,EAAE,CAAC;IAChC,CAAC;IAED,OAAO,IAAI,OAAO,CAA6B,CAAC,OAAO,EAAE,EAAE;QACzD,MAAM,KAAK,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QACzB,MAAM,KAAK,GAAG,WAAW,CAAC,GAAG,EAAE;YAC7B,MAAM,GAAG,GAAG,oBAAoB,EAAE,CAAC;YACnC,IAAI,GAAG,EAAE,CAAC;gBACR,aAAa,CAAC,KAAK,CAAC,CAAC;gBACrB,OAAO,CAAC,GAAG,CAAC,CAAC;gBACb,OAAO;YACT,CAAC;YACD,IAAI,IAAI,CAAC,GAAG,EAAE,GAAG,KAAK,IAAI,sBAAsB,EAAE,CAAC;gBACjD,aAAa,CAAC,KAAK,CAAC,CAAC;gBACrB,OAAO,CAAC,IAAI,CAAC,CAAC;YAChB,CAAC;QACH,CAAC,EAAE,gBAAgB,CAAC,CAAC;IACvB,CAAC,CAAC,CAAC;AACL,CAAC;AAED,sEAAsE;AAEtE;;;GAGG;AACI,KAAK,UAAU,YAAY,CAChC,KAAwB,EACxB,IAAkB,EAClB,OAA6B,EAC7B,OAAoC;IAEpC,MAAM,IAAI,GAAkC;QAC1C,iBAAiB,EAAE,IAAI;QACvB,oBAAoB,EAAE,IAAI;QAC1B,cAAc,EAAE,KAAK;QACrB,eAAe,EAAE,IAAI;QACrB,MAAM,EAAE,KAAK;QACb,WAAW,EAAE,KAAK;QAClB,GAAG,OAAO;KACX,CAAC;IAEF,MAAM,GAAG,GAAG,OAAO,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,MAAM,cAAc,EAAE,CAAC,CAAC,CAAC,oBAAoB,EAAE,CAAC,CAAC;IACvF,MAAM,OAAO,GAAG,IAAI,OAAO,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;IAE3C,qBAAqB;IACrB,IAAI,IAAI,CAAC,iBAAiB,IAAI,GAAG,EAAE,UAAU,EAAE,CAAC;QAC9C,OAAO,CAAC,GAAG,CAAC,eAAe,EAAE,WAAW,GAAG,CAAC,UAAU,EAAE,CAAC,CAAC;IAC5D,CAAC;IAED,oBAAoB;IACpB,IAAI,GAAG,EAAE,SAAS,EAAE,CAAC;QACnB,OAAO,CAAC,GAAG,CAAC,mBAAmB,EAAE,GAAG,CAAC,SAAS,CAAC,CAAC;IAClD,CAAC;IAED,IAAI,GAAG,GAAG,OAAO,KAAK,KAAK,QAAQ,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,KAAK,YAAY,GAAG,CAAC,CAAC,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAE,KAAiB,CAAC,GAAG,CAAC;IACzG,MAAM,WAAW,GAAG,GAAG,CAAC;IAExB,gBAAgB;IAChB,IAAI,IAAI,CAAC,MAAM,IAAI,GAAG,EAAE,WAAW,EAAE,WAAW,EAAE,CAAC;QACjD,MAAM,MAAM,GAAG,IAAI,GAAG,CAAC,GAAG,EAAE,OAAO,MAAM,KAAK,WAAW,CAAC,CAAC,CAAC,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC;QAChG,MAAM,UAAU,GAAG,MAAM,CAAC,QAAQ,CAAC;QACnC,MAAM,OAAO,GAAG,MAAM,mBAAmB,CAAC,GAAG,CAAC,WAAW,CAAC,WAAW,EAAE,UAAU,EAAE,GAAG,CAAC,WAAW,CAAC,CAAC;QACpG,4FAA4F;QAC5F,MAAM,MAAM,GAAG,MAAM,iBAAiB,CAAC,GAAG,CAAC,WAAW,CAAC,WAAW,EAAE,UAAU,CAAC,CAAC;QAChF,OAAO,CAAC,GAAG,CAAC,gBAAgB,EAAE,MAAM,CAAC,CAAC;QACtC,MAAM,CAAC,QAAQ,GAAG,GAAG,mBAAmB,GAAG,OAAO,EAAE,CAAC;QACrD,GAAG,GAAG,MAAM,CAAC,IAAI,CAAC;QAClB,GAAG,CAAC,WAAW,EAAE,CAAC;IACpB,CAAC;IAED,yBAAyB;IACzB,IAAI,SAAS,GAAG,IAAI,EAAE,IAAI,CAAC;IAE3B,qBAAqB;IACrB,IAAI,IAAI,CAAC,cAAc,IAAI,GAAG,EAAE,WAAW,EAAE,aAAa,IAAI,IAAI,EAAE,IAAI,IAAI,IAAI,EAAE,CAAC;QACjF,MAAM,KAAK,GAAG,aAAa,EAAE,CAAC;QAC9B,MAAM,SAAS,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;QAChD,MAAM,GAAG,GAAG,GAAG,GAAG,CAAC,SAAS,IAAI,KAAK,IAAI,SAAS,EAAE,CAAC;QAErD,IAAI,OAAoB,CAAC;QACzB,IAAI,OAAO,IAAI,CAAC,IAAI,KAAK,QAAQ,EAAE,CAAC;YAClC,OAAO,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,MAAqB,CAAC;QACtE,CAAC;aAAM,IAAI,IAAI,CAAC,IAAI,YAAY,WAAW,EAAE,CAAC;YAC5C,OAAO,GAAG,IAAI,CAAC,IAAI,CAAC;QACtB,CAAC;aAAM,IAAI,IAAI,CAAC,IAAI,YAAY,UAAU,EAAE,CAAC;YAC3C,OAAO,GAAG,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,UAAU,EAAE,IAAI,CAAC,IAAI,CAAC,UAAU,GAAG,IAAI,CAAC,IAAI,CAAC,UAAU,CAAgB,CAAC;QACrH,CAAC;aAAM,CAAC;YACN,OAAO,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,MAAqB,CAAC;QAC9E,CAAC;QAED,MAAM,SAAS,GAAG,MAAM,cAAc,CAAC,GAAG,CAAC,WAAW,CAAC,aAAa,EAAE,OAAO,EAAE,GAAG,CAAC,CAAC;QACpF,SAAS,GAAG,IAAI,CAAC,SAAS,CAAC,SAAS,CAAC,CAAC;QACtC,OAAO,CAAC,GAAG,CAAC,cAAc,EAAE,iCAAiC,CAAC,CAAC;QAC/D,OAAO,CAAC,GAAG,CAAC,iBAAiB,EAAE,KAAK,CAAC,CAAC;QACtC,OAAO,CAAC,GAAG,CAAC,qBAAqB,EAAE,MAAM,CAAC,SAAS,CAAC,CAAC,CAAC;IACxD,CAAC;IAED,2BAA2B;IAC3B,IAAI,IAAI,CAAC,WAAW,IAAI,GAAG,EAAE,WAAW,EAAE,UAAU,IAAI,GAAG,CAAC,UAAU,IAAI,GAAG,CAAC,SAAS,EAAE,CAAC;QACxF,MAAM,MAAM,GAAG,IAAI,EAAE,MAAM,EAAE,WAAW,EAAE,IAAI,KAAK,CAAC;QACpD,MAAM,SAAS,GAAG,MAAM,aAAa,CAAC,MAAM,EAAE,GAAG,EAAE,GAAG,CAAC,UAAU,EAAE,GAAG,CAAC,SAAS,EAAE,GAAG,CAAC,WAAW,CAAC,UAAU,CAAC,CAAC;QAC9G,OAAO,CAAC,GAAG,CAAC,gBAAgB,EAAE,SAAS,CAAC,CAAC;IAC3C,CAAC;IAED,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,GAAG,EAAE;QAChC,GAAG,IAAI;QACP,IAAI,EAAE,SAAS;QACf,OAAO;QACP,WAAW,EAAE,IAAI,EAAE,WAAW,IAAI,SAAS;KAC5C,CAAC,CAAC;IAEH,sEAAsE;IACtE,IAAI,IAAI,CAAC,MAAM,IAAI,CAAC,QAAQ,CAAC,EAAE,IAAI,WAAW,KAAK,GAAG,EAAE,CAAC;QACvD,MAAM,eAAe,GAAG,IAAI,OAAO,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;QACnD,IAAI,GAAG,EAAE,UAAU,EAAE,CAAC;YACpB,eAAe,CAAC,GAAG,CAAC,eAAe,EAAE,WAAW,GAAG,CAAC,UAAU,EAAE,CAAC,CAAC;QACpE,CAAC;QACD,IAAI,GAAG,EAAE,SAAS,EAAE,CAAC;YACnB,eAAe,CAAC,GAAG,CAAC,mBAAmB,EAAE,GAAG,CAAC,SAAS,CAAC,CAAC;QAC1D,CAAC;QACD,OAAO,KAAK,CAAC,WAAW,EAAE;YACxB,GAAG,IAAI;YACP,OAAO,EAAE,eAAe;YACxB,WAAW,EAAE,IAAI,EAAE,WAAW,IAAI,SAAS;SAC5C,CAAC,CAAC;IACL,CAAC;IAED,sBAAsB;IACtB,IAAI,IAAI,CAAC,eAAe,IAAI,GAAG,EAAE,WAAW,EAAE,cAAc,EAAE,CAAC;QAC7D,MAAM,WAAW,GACf,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,qBAAqB,CAAC,KAAK,GAAG;YACnD,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,cAAc,CAAC,EAAE,QAAQ,CAAC,iCAAiC,CAAC,CAAC;QAEpF,IAAI,WAAW,EAAE,CAAC;YAChB,MAAM,OAAO,GAAG,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAqB,CAAC;YAC5D,IAAI,CAAC,OAAO,CAAC,EAAE,IAAI,CAAC,OAAO,CAAC,UAAU,IAAI,CAAC,OAAO,CAAC,GAAG,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,CAAC;gBACvE,MAAM,IAAI,KAAK,CAAC,6CAA6C,CAAC,CAAC;YACjE,CAAC;YACD,MAAM,SAAS,GAAG,MAAM,cAAc,CAAC,GAAG,CAAC,WAAW,CAAC,cAAc,EAAE,OAAO,CAAC,CAAC;YAChF,MAAM,aAAa,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;YAE1D,OAAO,IAAI,QAAQ,CAAC,aAAa,EAAE;gBACjC,MAAM,EAAE,QAAQ,CAAC,MAAM;gBACvB,UAAU,EAAE,QAAQ,CAAC,UAAU;gBAC/B,OAAO,EAAE,IAAI,OAAO,CAAC;oBACnB,cAAc,EAAE,kBAAkB;iBACnC,CAAC;aACH,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED;;GAEG;AACH,SAAgB,kBAAkB,CAChC,OAAe,EACf,gBAA4D,EAC5D,cAAoC;IAEpC,gDAAgD;IAChD,IAAI,YAA6C,CAAC;IAClD,IAAI,SAA0C,CAAC;IAE/C,IAAI,gBAAgB,IAAI,WAAW,IAAI,gBAAgB,EAAE,CAAC;QACxD,YAAY,GAAG,gBAAgB,CAAC;QAChC,SAAS,GAAG,cAAc,CAAC;IAC7B,CAAC;SAAM,CAAC;QACN,SAAS,GAAG,gBAAmD,CAAC;IAClE,CAAC;IAED,MAAM,cAAc,GAAG,OAAO,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;IAElD,OAAO,SAAS,iBAAiB,CAC/B,IAAY,EACZ,IAAkB,EAClB,OAA6B;QAE7B,MAAM,GAAG,GAAG,IAAI,CAAC,UAAU,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,GAAG,cAAc,GAAG,IAAI,EAAE,CAAC;QACxE,OAAO,YAAY,CAAC,GAAG,EAAE,IAAI,EAAE,EAAE,GAAG,SAAS,EAAE,GAAG,OAAO,EAAE,EAAE,YAAY,IAAI,IAAI,CAAC,CAAC;IACrF,CAAC,CAAC;AACJ,CAAC"}

package/dist/index.d.ts

@@ -0,0 +1,8 @@
+export { ProtegoScript } from './script.js';
+export { createProtegoMiddleware } from './middleware.js';
+export { createProtego, type ProtegoAutoOptions } from './auto.js';
+export { protegoFetch, createProtegoFetch, encryptPayload, decryptPayload, generateRotatedPath, generateNonce, signDPoPProof, type ProtegoFetchOptions, type ProtegoFetchContext, type EncryptedPayload, } from './fetch.js';
+export { shouldSkip, matchPolicy, verifyTokenEdge, evaluateEdgeEnforcement } from './logic.js';
+export { protegoJsonResponse } from './encrypt.js';
+export type { ProtegoNextConfig, ProtegoScriptProps, EdgeVerifyResult, } from './types.js';
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,aAAa,EAAE,MAAM,aAAa,CAAC;AAC5C,OAAO,EAAE,uBAAuB,EAAE,MAAM,iBAAiB,CAAC;AAC1D,OAAO,EAAE,aAAa,EAAE,KAAK,kBAAkB,EAAE,MAAM,WAAW,CAAC;AACnE,OAAO,EACL,YAAY,EACZ,kBAAkB,EAClB,cAAc,EACd,cAAc,EACd,mBAAmB,EACnB,aAAa,EACb,aAAa,EACb,KAAK,mBAAmB,EACxB,KAAK,mBAAmB,EACxB,KAAK,gBAAgB,GACtB,MAAM,YAAY,CAAC;AACpB,OAAO,EAAE,UAAU,EAAE,WAAW,EAAE,eAAe,EAAE,uBAAuB,EAAE,MAAM,YAAY,CAAC;AAC/F,OAAO,EAAE,mBAAmB,EAAE,MAAM,cAAc,CAAC;AACnD,YAAY,EACV,iBAAiB,EACjB,kBAAkB,EAClB,gBAAgB,GACjB,MAAM,YAAY,CAAC"}

package/dist/index.js

@@ -0,0 +1,25 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.protegoJsonResponse = exports.evaluateEdgeEnforcement = exports.verifyTokenEdge = exports.matchPolicy = exports.shouldSkip = exports.signDPoPProof = exports.generateNonce = exports.generateRotatedPath = exports.decryptPayload = exports.encryptPayload = exports.createProtegoFetch = exports.protegoFetch = exports.createProtego = exports.createProtegoMiddleware = exports.ProtegoScript = void 0;
+var script_js_1 = require("./script.js");
+Object.defineProperty(exports, "ProtegoScript", { enumerable: true, get: function () { return script_js_1.ProtegoScript; } });
+var middleware_js_1 = require("./middleware.js");
+Object.defineProperty(exports, "createProtegoMiddleware", { enumerable: true, get: function () { return middleware_js_1.createProtegoMiddleware; } });
+var auto_js_1 = require("./auto.js");
+Object.defineProperty(exports, "createProtego", { enumerable: true, get: function () { return auto_js_1.createProtego; } });
+var fetch_js_1 = require("./fetch.js");
+Object.defineProperty(exports, "protegoFetch", { enumerable: true, get: function () { return fetch_js_1.protegoFetch; } });
+Object.defineProperty(exports, "createProtegoFetch", { enumerable: true, get: function () { return fetch_js_1.createProtegoFetch; } });
+Object.defineProperty(exports, "encryptPayload", { enumerable: true, get: function () { return fetch_js_1.encryptPayload; } });
+Object.defineProperty(exports, "decryptPayload", { enumerable: true, get: function () { return fetch_js_1.decryptPayload; } });
+Object.defineProperty(exports, "generateRotatedPath", { enumerable: true, get: function () { return fetch_js_1.generateRotatedPath; } });
+Object.defineProperty(exports, "generateNonce", { enumerable: true, get: function () { return fetch_js_1.generateNonce; } });
+Object.defineProperty(exports, "signDPoPProof", { enumerable: true, get: function () { return fetch_js_1.signDPoPProof; } });
+var logic_js_1 = require("./logic.js");
+Object.defineProperty(exports, "shouldSkip", { enumerable: true, get: function () { return logic_js_1.shouldSkip; } });
+Object.defineProperty(exports, "matchPolicy", { enumerable: true, get: function () { return logic_js_1.matchPolicy; } });
+Object.defineProperty(exports, "verifyTokenEdge", { enumerable: true, get: function () { return logic_js_1.verifyTokenEdge; } });
+Object.defineProperty(exports, "evaluateEdgeEnforcement", { enumerable: true, get: function () { return logic_js_1.evaluateEdgeEnforcement; } });
+var encrypt_js_1 = require("./encrypt.js");
+Object.defineProperty(exports, "protegoJsonResponse", { enumerable: true, get: function () { return encrypt_js_1.protegoJsonResponse; } });
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":";;;AAAA,yCAA4C;AAAnC,0GAAA,aAAa,OAAA;AACtB,iDAA0D;AAAjD,wHAAA,uBAAuB,OAAA;AAChC,qCAAmE;AAA1D,wGAAA,aAAa,OAAA;AACtB,uCAWoB;AAVlB,wGAAA,YAAY,OAAA;AACZ,8GAAA,kBAAkB,OAAA;AAClB,0GAAA,cAAc,OAAA;AACd,0GAAA,cAAc,OAAA;AACd,+GAAA,mBAAmB,OAAA;AACnB,yGAAA,aAAa,OAAA;AACb,yGAAA,aAAa,OAAA;AAKf,uCAA+F;AAAtF,sGAAA,UAAU,OAAA;AAAE,uGAAA,WAAW,OAAA;AAAE,2GAAA,eAAe,OAAA;AAAE,mHAAA,uBAAuB,OAAA;AAC1E,2CAAmD;AAA1C,iHAAA,mBAAmB,OAAA"}

package/dist/logic.d.ts

@@ -0,0 +1,28 @@
+import { EnforcementMode, type EnforcementPolicy, type TrustLevel } from '@protegoprotect/core/protocol';
+import type { ProtegoNextConfig, EdgeVerifyResult } from './types.js';
+export declare function matchPolicy(policies: EnforcementPolicy[], path: string): EnforcementPolicy | null;
+export declare function shouldSkip(pathname: string, config: Pick<ProtegoNextConfig, 'excludeRoutes' | 'protectedRoutes'>): boolean;
+export declare function verifyTokenEdge(token: string): {
+    valid: boolean;
+    claims: Record<string, unknown> | null;
+};
+export declare function buildVerifyResult(trusted: boolean, mode: EnforcementMode, sessionId: string | null, trustLevel: TrustLevel | null, errorCode: string | null): EdgeVerifyResult;
+export interface EdgeEnforcementInput {
+    pathname: string;
+    trustToken: string | null;
+    dpopHeader: string | null;
+    config: ProtegoNextConfig;
+}
+export interface EdgeEnforcementOutput {
+    action: 'skip' | 'allow' | 'block';
+    result?: EdgeVerifyResult;
+    responseBody?: {
+        error: string;
+        code: string;
+    };
+    responseStatus?: number;
+    sessionId?: string | null;
+    trustLevel?: TrustLevel | null;
+}
+export declare function evaluateEdgeEnforcement(input: EdgeEnforcementInput): EdgeEnforcementOutput;
+//# sourceMappingURL=logic.d.ts.map

package/dist/logic.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"logic.d.ts","sourceRoot":"","sources":["../src/logic.ts"],"names":[],"mappings":"AAAA,OAAO,EAAY,eAAe,EAAE,KAAK,iBAAiB,EAAE,KAAK,UAAU,EAAE,MAAM,+BAA+B,CAAC;AACnH,OAAO,KAAK,EAAE,iBAAiB,EAAE,gBAAgB,EAAE,MAAM,YAAY,CAAC;AAKtE,wBAAgB,WAAW,CAAC,QAAQ,EAAE,iBAAiB,EAAE,EAAE,IAAI,EAAE,MAAM,GAAG,iBAAiB,GAAG,IAAI,CASjG;AAED,wBAAgB,UAAU,CAAC,QAAQ,EAAE,MAAM,EAAE,MAAM,EAAE,IAAI,CAAC,iBAAiB,EAAE,eAAe,GAAG,iBAAiB,CAAC,GAAG,OAAO,CAwB1H;AAKD,wBAAgB,eAAe,CAAC,KAAK,EAAE,MAAM,GAAG;IAAE,KAAK,EAAE,OAAO,CAAC;IAAC,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,IAAI,CAAA;CAAE,CAmBzG;AAED,wBAAgB,iBAAiB,CAC/B,OAAO,EAAE,OAAO,EAChB,IAAI,EAAE,eAAe,EACrB,SAAS,EAAE,MAAM,GAAG,IAAI,EACxB,UAAU,EAAE,UAAU,GAAG,IAAI,EAC7B,SAAS,EAAE,MAAM,GAAG,IAAI,GACvB,gBAAgB,CAElB;AAED,MAAM,WAAW,oBAAoB;IACnC,QAAQ,EAAE,MAAM,CAAC;IACjB,UAAU,EAAE,MAAM,GAAG,IAAI,CAAC;IAC1B,UAAU,EAAE,MAAM,GAAG,IAAI,CAAC;IAC1B,MAAM,EAAE,iBAAiB,CAAC;CAC3B;AAED,MAAM,WAAW,qBAAqB;IACpC,MAAM,EAAE,MAAM,GAAG,OAAO,GAAG,OAAO,CAAC;IACnC,MAAM,CAAC,EAAE,gBAAgB,CAAC;IAC1B,YAAY,CAAC,EAAE;QAAE,KAAK,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,MAAM,CAAA;KAAE,CAAC;IAC/C,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,SAAS,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAC1B,UAAU,CAAC,EAAE,UAAU,GAAG,IAAI,CAAC;CAChC;AAED,wBAAgB,uBAAuB,CAAC,KAAK,EAAE,oBAAoB,GAAG,qBAAqB,CA+E1F"}

package/dist/logic.js

@@ -0,0 +1,144 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.matchPolicy = matchPolicy;
+exports.shouldSkip = shouldSkip;
+exports.verifyTokenEdge = verifyTokenEdge;
+exports.buildVerifyResult = buildVerifyResult;
+exports.evaluateEdgeEnforcement = evaluateEdgeEnforcement;
+const protocol_1 = require("@protegoprotect/core/protocol");
+const STATIC_EXTENSIONS = /\.(ico|png|jpg|jpeg|gif|svg|webp|avif|css|js|map|woff|woff2|ttf|eot|json|txt|xml|webmanifest)$/;
+const NEXT_INTERNALS = /^\/_next\//;
+function matchPolicy(policies, path) {
+    for (const policy of policies) {
+        if (typeof policy.path === 'string') {
+            if (path === policy.path || path.startsWith(policy.path + '/'))
+                return policy;
+        }
+        else if (policy.path instanceof RegExp) {
+            if (policy.path.test(path))
+                return policy;
+        }
+    }
+    return null;
+}
+function shouldSkip(pathname, config) {
+    if (STATIC_EXTENSIONS.test(pathname))
+        return true;
+    if (NEXT_INTERNALS.test(pathname))
+        return true;
+    if (pathname === protocol_1.Protocol.PATH_HANDSHAKE || pathname === protocol_1.Protocol.PATH_ATTEST)
+        return true;
+    if (config.excludeRoutes) {
+        for (const pattern of config.excludeRoutes) {
+            if (pathname === pattern || pathname.startsWith(pattern + '/'))
+                return true;
+        }
+    }
+    if (config.protectedRoutes && config.protectedRoutes.length > 0) {
+        let matched = false;
+        for (const pattern of config.protectedRoutes) {
+            if (pathname === pattern || pathname.startsWith(pattern + '/')) {
+                matched = true;
+                break;
+            }
+        }
+        if (!matched)
+            return true;
+    }
+    return false;
+}
+// Token format: base64url(JSON).base64url(HMAC-SHA256)
+// Edge runtime does structural + expiry check synchronously.
+// Full HMAC verification happens in the backend (defense-in-depth).
+function verifyTokenEdge(token) {
+    const dotIndex = token.indexOf('.');
+    if (dotIndex === -1)
+        return { valid: false, claims: null };
+    const payloadB64 = token.substring(0, dotIndex);
+    try {
+        const payloadJson = Buffer.from(payloadB64, 'base64url').toString('utf-8');
+        const claims = JSON.parse(payloadJson);
+        const now = Math.floor(Date.now() / 1000);
+        if (typeof claims['exp'] === 'number' && claims['exp'] < now) {
+            return { valid: false, claims };
+        }
+        return { valid: true, claims };
+    }
+    catch {
+        return { valid: false, claims: null };
+    }
+}
+function buildVerifyResult(trusted, mode, sessionId, trustLevel, errorCode) {
+    return { trusted, mode, sessionId, trustLevel, errorCode };
+}
+function evaluateEdgeEnforcement(input) {
+    const { pathname, trustToken, config } = input;
+    if (shouldSkip(pathname, config)) {
+        return { action: 'skip' };
+    }
+    const policy = matchPolicy(config.policies, pathname);
+    const mode = policy?.mode ?? config.defaultMode;
+    const requiredLevel = policy?.requiredTrustLevel ?? config.defaultTrustLevel;
+    if (!trustToken) {
+        if (mode === protocol_1.EnforcementMode.Hard) {
+            return {
+                action: 'block',
+                result: buildVerifyResult(false, mode, null, null, 'PTG_NO_TOKEN'),
+                responseBody: { error: 'Trust token required', code: 'PTG_NO_TOKEN' },
+                responseStatus: 401,
+            };
+        }
+        return { action: 'allow' };
+    }
+    const { valid, claims } = verifyTokenEdge(trustToken);
+    if (!valid) {
+        if (mode === protocol_1.EnforcementMode.Hard) {
+            return {
+                action: 'block',
+                result: buildVerifyResult(false, mode, null, null, 'PTG_TOKEN_INVALID'),
+                responseBody: { error: 'Invalid trust token', code: 'PTG_TOKEN_INVALID' },
+                responseStatus: 403,
+            };
+        }
+        return { action: 'allow' };
+    }
+    const sessionId = claims?.['sid'] ?? null;
+    const trustLevel = claims?.['lvl'] ?? null;
+    const tokenAudience = claims?.['aud'];
+    if (tokenAudience && tokenAudience !== config.audience) {
+        if (mode === protocol_1.EnforcementMode.Hard) {
+            return {
+                action: 'block',
+                result: buildVerifyResult(false, mode, sessionId, trustLevel, 'PTG_TOKEN_INVALID'),
+                responseBody: { error: 'Audience mismatch', code: 'PTG_TOKEN_INVALID' },
+                responseStatus: 403,
+            };
+        }
+        return { action: 'allow' };
+    }
+    if (trustLevel !== null && trustLevel < requiredLevel) {
+        if (mode === protocol_1.EnforcementMode.Hard) {
+            return {
+                action: 'block',
+                result: buildVerifyResult(false, mode, sessionId, trustLevel, 'PTG_TOKEN_INVALID'),
+                responseBody: { error: 'Insufficient trust level', code: 'PTG_TOKEN_INVALID' },
+                responseStatus: 403,
+            };
+        }
+        return { action: 'allow' };
+    }
+    const requireDPoP = policy?.requireDPoP ?? false;
+    if (requireDPoP && !input.dpopHeader) {
+        if (mode === protocol_1.EnforcementMode.Hard) {
+            return {
+                action: 'block',
+                result: buildVerifyResult(false, mode, sessionId, trustLevel, 'PTG_DPOP_INVALID'),
+                responseBody: { error: 'DPoP proof required', code: 'PTG_DPOP_INVALID' },
+                responseStatus: 403,
+            };
+        }
+        return { action: 'allow' };
+    }
+    return { action: 'allow', sessionId, trustLevel };
+}
+//# sourceMappingURL=logic.js.map

package/dist/logic.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"logic.js","sourceRoot":"","sources":["../src/logic.ts"],"names":[],"mappings":";;AAMA,kCASC;AAED,gCAwBC;AAKD,0CAmBC;AAED,8CAQC;AAkBD,0DA+EC;AA5KD,4DAAmH;AAGnH,MAAM,iBAAiB,GAAG,gGAAgG,CAAC;AAC3H,MAAM,cAAc,GAAG,YAAY,CAAC;AAEpC,SAAgB,WAAW,CAAC,QAA6B,EAAE,IAAY;IACrE,KAAK,MAAM,MAAM,IAAI,QAAQ,EAAE,CAAC;QAC9B,IAAI,OAAO,MAAM,CAAC,IAAI,KAAK,QAAQ,EAAE,CAAC;YACpC,IAAI,IAAI,KAAK,MAAM,CAAC,IAAI,IAAI,IAAI,CAAC,UAAU,CAAC,MAAM,CAAC,IAAI,GAAG,GAAG,CAAC;gBAAE,OAAO,MAAM,CAAC;QAChF,CAAC;aAAM,IAAI,MAAM,CAAC,IAAI,YAAY,MAAM,EAAE,CAAC;YACzC,IAAI,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC;gBAAE,OAAO,MAAM,CAAC;QAC5C,CAAC;IACH,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED,SAAgB,UAAU,CAAC,QAAgB,EAAE,MAAoE;IAC/G,IAAI,iBAAiB,CAAC,IAAI,CAAC,QAAQ,CAAC;QAAE,OAAO,IAAI,CAAC;IAClD,IAAI,cAAc,CAAC,IAAI,CAAC,QAAQ,CAAC;QAAE,OAAO,IAAI,CAAC;IAE/C,IAAI,QAAQ,KAAK,mBAAQ,CAAC,cAAc,IAAI,QAAQ,KAAK,mBAAQ,CAAC,WAAW;QAAE,OAAO,IAAI,CAAC;IAE3F,IAAI,MAAM,CAAC,aAAa,EAAE,CAAC;QACzB,KAAK,MAAM,OAAO,IAAI,MAAM,CAAC,aAAa,EAAE,CAAC;YAC3C,IAAI,QAAQ,KAAK,OAAO,IAAI,QAAQ,CAAC,UAAU,CAAC,OAAO,GAAG,GAAG,CAAC;gBAAE,OAAO,IAAI,CAAC;QAC9E,CAAC;IACH,CAAC;IAED,IAAI,MAAM,CAAC,eAAe,IAAI,MAAM,CAAC,eAAe,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAChE,IAAI,OAAO,GAAG,KAAK,CAAC;QACpB,KAAK,MAAM,OAAO,IAAI,MAAM,CAAC,eAAe,EAAE,CAAC;YAC7C,IAAI,QAAQ,KAAK,OAAO,IAAI,QAAQ,CAAC,UAAU,CAAC,OAAO,GAAG,GAAG,CAAC,EAAE,CAAC;gBAC/D,OAAO,GAAG,IAAI,CAAC;gBACf,MAAM;YACR,CAAC;QACH,CAAC;QACD,IAAI,CAAC,OAAO;YAAE,OAAO,IAAI,CAAC;IAC5B,CAAC;IAED,OAAO,KAAK,CAAC;AACf,CAAC;AAED,uDAAuD;AACvD,6DAA6D;AAC7D,oEAAoE;AACpE,SAAgB,eAAe,CAAC,KAAa;IAC3C,MAAM,QAAQ,GAAG,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;IACpC,IAAI,QAAQ,KAAK,CAAC,CAAC;QAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,IAAI,EAAE,CAAC;IAE3D,MAAM,UAAU,GAAG,KAAK,CAAC,SAAS,CAAC,CAAC,EAAE,QAAQ,CAAC,CAAC;IAEhD,IAAI,CAAC;QACH,MAAM,WAAW,GAAG,MAAM,CAAC,IAAI,CAAC,UAAU,EAAE,WAAW,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;QAC3E,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,WAAW,CAA4B,CAAC;QAElE,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;QAC1C,IAAI,OAAO,MAAM,CAAC,KAAK,CAAC,KAAK,QAAQ,IAAI,MAAM,CAAC,KAAK,CAAC,GAAG,GAAG,EAAE,CAAC;YAC7D,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,CAAC;QAClC,CAAC;QAED,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,MAAM,EAAE,CAAC;IACjC,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,IAAI,EAAE,CAAC;IACxC,CAAC;AACH,CAAC;AAED,SAAgB,iBAAiB,CAC/B,OAAgB,EAChB,IAAqB,EACrB,SAAwB,EACxB,UAA6B,EAC7B,SAAwB;IAExB,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,SAAS,EAAE,UAAU,EAAE,SAAS,EAAE,CAAC;AAC7D,CAAC;AAkBD,SAAgB,uBAAuB,CAAC,KAA2B;IACjE,MAAM,EAAE,QAAQ,EAAE,UAAU,EAAE,MAAM,EAAE,GAAG,KAAK,CAAC;IAE/C,IAAI,UAAU,CAAC,QAAQ,EAAE,MAAM,CAAC,EAAE,CAAC;QACjC,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,CAAC;IAC5B,CAAC;IAED,MAAM,MAAM,GAAG,WAAW,CAAC,MAAM,CAAC,QAAQ,EAAE,QAAQ,CAAC,CAAC;IACtD,MAAM,IAAI,GAAG,MAAM,EAAE,IAAI,IAAI,MAAM,CAAC,WAAW,CAAC;IAChD,MAAM,aAAa,GAAG,MAAM,EAAE,kBAAkB,IAAI,MAAM,CAAC,iBAAiB,CAAC;IAE7E,IAAI,CAAC,UAAU,EAAE,CAAC;QAChB,IAAI,IAAI,KAAK,0BAAe,CAAC,IAAI,EAAE,CAAC;YAClC,OAAO;gBACL,MAAM,EAAE,OAAO;gBACf,MAAM,EAAE,iBAAiB,CAAC,KAAK,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,cAAc,CAAC;gBAClE,YAAY,EAAE,EAAE,KAAK,EAAE,sBAAsB,EAAE,IAAI,EAAE,cAAc,EAAE;gBACrE,cAAc,EAAE,GAAG;aACpB,CAAC;QACJ,CAAC;QACD,OAAO,EAAE,MAAM,EAAE,OAAO,EAAE,CAAC;IAC7B,CAAC;IAED,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,GAAG,eAAe,CAAC,UAAU,CAAC,CAAC;IAEtD,IAAI,CAAC,KAAK,EAAE,CAAC;QACX,IAAI,IAAI,KAAK,0BAAe,CAAC,IAAI,EAAE,CAAC;YAClC,OAAO;gBACL,MAAM,EAAE,OAAO;gBACf,MAAM,EAAE,iBAAiB,CAAC,KAAK,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,mBAAmB,CAAC;gBACvE,YAAY,EAAE,EAAE,KAAK,EAAE,qBAAqB,EAAE,IAAI,EAAE,mBAAmB,EAAE;gBACzE,cAAc,EAAE,GAAG;aACpB,CAAC;QACJ,CAAC;QACD,OAAO,EAAE,MAAM,EAAE,OAAO,EAAE,CAAC;IAC7B,CAAC;IAED,MAAM,SAAS,GAAI,MAAM,EAAE,CAAC,KAAK,CAAY,IAAI,IAAI,CAAC;IACtD,MAAM,UAAU,GAAI,MAAM,EAAE,CAAC,KAAK,CAAgB,IAAI,IAAI,CAAC;IAC3D,MAAM,aAAa,GAAG,MAAM,EAAE,CAAC,KAAK,CAAuB,CAAC;IAE5D,IAAI,aAAa,IAAI,aAAa,KAAK,MAAM,CAAC,QAAQ,EAAE,CAAC;QACvD,IAAI,IAAI,KAAK,0BAAe,CAAC,IAAI,EAAE,CAAC;YAClC,OAAO;gBACL,MAAM,EAAE,OAAO;gBACf,MAAM,EAAE,iBAAiB,CAAC,KAAK,EAAE,IAAI,EAAE,SAAS,EAAE,UAAU,EAAE,mBAAmB,CAAC;gBAClF,YAAY,EAAE,EAAE,KAAK,EAAE,mBAAmB,EAAE,IAAI,EAAE,mBAAmB,EAAE;gBACvE,cAAc,EAAE,GAAG;aACpB,CAAC;QACJ,CAAC;QACD,OAAO,EAAE,MAAM,EAAE,OAAO,EAAE,CAAC;IAC7B,CAAC;IAED,IAAI,UAAU,KAAK,IAAI,IAAI,UAAU,GAAG,aAAa,EAAE,CAAC;QACtD,IAAI,IAAI,KAAK,0BAAe,CAAC,IAAI,EAAE,CAAC;YAClC,OAAO;gBACL,MAAM,EAAE,OAAO;gBACf,MAAM,EAAE,iBAAiB,CAAC,KAAK,EAAE,IAAI,EAAE,SAAS,EAAE,UAAU,EAAE,mBAAmB,CAAC;gBAClF,YAAY,EAAE,EAAE,KAAK,EAAE,0BAA0B,EAAE,IAAI,EAAE,mBAAmB,EAAE;gBAC9E,cAAc,EAAE,GAAG;aACpB,CAAC;QACJ,CAAC;QACD,OAAO,EAAE,MAAM,EAAE,OAAO,EAAE,CAAC;IAC7B,CAAC;IAED,MAAM,WAAW,GAAG,MAAM,EAAE,WAAW,IAAI,KAAK,CAAC;IACjD,IAAI,WAAW,IAAI,CAAC,KAAK,CAAC,UAAU,EAAE,CAAC;QACrC,IAAI,IAAI,KAAK,0BAAe,CAAC,IAAI,EAAE,CAAC;YAClC,OAAO;gBACL,MAAM,EAAE,OAAO;gBACf,MAAM,EAAE,iBAAiB,CAAC,KAAK,EAAE,IAAI,EAAE,SAAS,EAAE,UAAU,EAAE,kBAAkB,CAAC;gBACjF,YAAY,EAAE,EAAE,KAAK,EAAE,qBAAqB,EAAE,IAAI,EAAE,kBAAkB,EAAE;gBACxE,cAAc,EAAE,GAAG;aACpB,CAAC;QACJ,CAAC;QACD,OAAO,EAAE,MAAM,EAAE,OAAO,EAAE,CAAC;IAC7B,CAAC;IAED,OAAO,EAAE,MAAM,EAAE,OAAO,EAAE,SAAS,EAAE,UAAU,EAAE,CAAC;AACpD,CAAC"}

package/dist/middleware.d.ts

@@ -0,0 +1,4 @@
+import { NextResponse, type NextRequest } from 'next/server';
+import type { ProtegoNextConfig } from './types.js';
+export declare function createProtegoMiddleware(config: ProtegoNextConfig): (request: NextRequest) => NextResponse | undefined;
+//# sourceMappingURL=middleware.d.ts.map

package/dist/middleware.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"middleware.d.ts","sourceRoot":"","sources":["../src/middleware.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAE,KAAK,WAAW,EAAE,MAAM,aAAa,CAAC;AAE7D,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,YAAY,CAAC;AAQpD,wBAAgB,uBAAuB,CAAC,MAAM,EAAE,iBAAiB,IAG7B,SAAS,WAAW,KAAG,YAAY,GAAG,SAAS,CAgClF"}

package/dist/middleware.js

@@ -0,0 +1,40 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.createProtegoMiddleware = createProtegoMiddleware;
+const server_1 = require("next/server");
+const protocol_1 = require("@protegoprotect/core/protocol");
+const logic_js_1 = require("./logic.js");
+function defaultLog(level, message, _meta) {
+    if (level === 'error')
+        console.error(`[protego-edge] ${message}`);
+    else if (level === 'warn')
+        console.warn(`[protego-edge] ${message}`);
+}
+function createProtegoMiddleware(config) {
+    const log = config.log ?? defaultLog;
+    return function protegoMiddleware(request) {
+        const pathname = request.nextUrl.pathname;
+        const trustToken = request.cookies.get(protocol_1.Protocol.COOKIE_TRUST)?.value ?? null;
+        const dpopHeader = request.headers.get('X-Protego-DPoP') ?? null;
+        const result = (0, logic_js_1.evaluateEdgeEnforcement)({ pathname, trustToken, dpopHeader, config });
+        if (result.action === 'skip') {
+            return undefined;
+        }
+        if (result.action === 'block') {
+            log('warn', `Blocked: ${pathname} — ${result.responseBody?.code ?? 'unknown'}`);
+            const response = server_1.NextResponse.json(result.responseBody, { status: result.responseStatus ?? 403 });
+            if (result.result) {
+                response.headers.set('X-Protego-Result', JSON.stringify(result.result));
+            }
+            return response;
+        }
+        if (result.sessionId) {
+            const response = server_1.NextResponse.next();
+            response.headers.set('X-Protego-Session', result.sessionId);
+            response.headers.set('X-Protego-Trust-Level', String(result.trustLevel ?? ''));
+            return response;
+        }
+        return undefined;
+    };
+}
+//# sourceMappingURL=middleware.js.map

package/dist/middleware.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"middleware.js","sourceRoot":"","sources":["../src/middleware.ts"],"names":[],"mappings":";;AAUA,0DAmCC;AA7CD,wCAA6D;AAC7D,4DAAyD;AAEzD,yCAAqD;AAErD,SAAS,UAAU,CAAC,KAAgC,EAAE,OAAe,EAAE,KAA+B;IACpG,IAAI,KAAK,KAAK,OAAO;QAAE,OAAO,CAAC,KAAK,CAAC,kBAAkB,OAAO,EAAE,CAAC,CAAC;SAC7D,IAAI,KAAK,KAAK,MAAM;QAAE,OAAO,CAAC,IAAI,CAAC,kBAAkB,OAAO,EAAE,CAAC,CAAC;AACvE,CAAC;AAED,SAAgB,uBAAuB,CAAC,MAAyB;IAC/D,MAAM,GAAG,GAAG,MAAM,CAAC,GAAG,IAAI,UAAU,CAAC;IAErC,OAAO,SAAS,iBAAiB,CAAC,OAAoB;QACpD,MAAM,QAAQ,GAAG,OAAO,CAAC,OAAO,CAAC,QAAQ,CAAC;QAC1C,MAAM,UAAU,GAAG,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,mBAAQ,CAAC,YAAY,CAAC,EAAE,KAAK,IAAI,IAAI,CAAC;QAC7E,MAAM,UAAU,GAAG,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,gBAAgB,CAAC,IAAI,IAAI,CAAC;QAEjE,MAAM,MAAM,GAAG,IAAA,kCAAuB,EAAC,EAAE,QAAQ,EAAE,UAAU,EAAE,UAAU,EAAE,MAAM,EAAE,CAAC,CAAC;QAErF,IAAI,MAAM,CAAC,MAAM,KAAK,MAAM,EAAE,CAAC;YAC7B,OAAO,SAAS,CAAC;QACnB,CAAC;QAED,IAAI,MAAM,CAAC,MAAM,KAAK,OAAO,EAAE,CAAC;YAC9B,GAAG,CAAC,MAAM,EAAE,YAAY,QAAQ,MAAM,MAAM,CAAC,YAAY,EAAE,IAAI,IAAI,SAAS,EAAE,CAAC,CAAC;YAChF,MAAM,QAAQ,GAAG,qBAAY,CAAC,IAAI,CAChC,MAAM,CAAC,YAAY,EACnB,EAAE,MAAM,EAAE,MAAM,CAAC,cAAc,IAAI,GAAG,EAAE,CACzC,CAAC;YACF,IAAI,MAAM,CAAC,MAAM,EAAE,CAAC;gBAClB,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,kBAAkB,EAAE,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC;YAC1E,CAAC;YACD,OAAO,QAAQ,CAAC;QAClB,CAAC;QAED,IAAI,MAAM,CAAC,SAAS,EAAE,CAAC;YACrB,MAAM,QAAQ,GAAG,qBAAY,CAAC,IAAI,EAAE,CAAC;YACrC,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,mBAAmB,EAAE,MAAM,CAAC,SAAS,CAAC,CAAC;YAC5D,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,uBAAuB,EAAE,MAAM,CAAC,MAAM,CAAC,UAAU,IAAI,EAAE,CAAC,CAAC,CAAC;YAC/E,OAAO,QAAQ,CAAC;QAClB,CAAC;QAED,OAAO,SAAS,CAAC;IACnB,CAAC,CAAC;AACJ,CAAC"}

package/dist/script.d.ts

@@ -0,0 +1,4 @@
+import React from 'react';
+import type { ProtegoScriptProps } from './types.js';
+export declare function ProtegoScript(props: ProtegoScriptProps): React.JSX.Element;
+//# sourceMappingURL=script.d.ts.map

package/dist/script.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"script.d.ts","sourceRoot":"","sources":["../src/script.tsx"],"names":[],"mappings":"AAAA,OAAO,KAAK,MAAM,OAAO,CAAC;AAC1B,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,YAAY,CAAC;AAErD,wBAAgB,aAAa,CAAC,KAAK,EAAE,kBAAkB,GAAG,KAAK,CAAC,GAAG,CAAC,OAAO,CAyD1E"}

package/dist/script.js

@@ -0,0 +1,54 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.ProtegoScript = ProtegoScript;
+const react_1 = __importDefault(require("react"));
+function ProtegoScript(props) {
+    const { attestationUrl, audience, sensorScriptUrl, nonce, async: asyncLoad = true, defer: deferLoad = false, behaviorDelayMs = 2000, autoRefresh = true, } = props;
+    const configJson = JSON.stringify({
+        baseUrl: attestationUrl,
+        audience,
+        behaviorDelayMs,
+        autoRefresh,
+    });
+    const initScript = `
+(function(){
+  if(window.__protego_init) return;
+  window.__protego_init = true;
+  window.__protego_ready = new Promise(function(resolve){ window.__protego_ready_resolve = resolve; });
+  var s = document.createElement('script');
+  s.src = ${JSON.stringify(sensorScriptUrl)};
+  s.onload = function(){
+    var P = (window.Protego && window.Protego.ProtegoClient) || (window.__protego_sensor && window.__protego_sensor.ProtegoClient);
+    if(P){
+      var c = new P(${configJson});
+      window.__protego_client = c;
+      c.attest().then(function(session){
+        if(session && session.trustToken){
+          document.cookie = 'ptg_trust=' + session.trustToken + '; path=/; SameSite=Lax; max-age=1800';
+        }
+        if(window.__protego_sensor && window.__protego_sensor.startDevToolsProtection){
+          window.__protego_sensor.startDevToolsProtection();
+        } else if(window.Protego && window.Protego.startDevToolsProtection){
+          window.Protego.startDevToolsProtection();
+        }
+      }).catch(function(e){ console.warn('[protego] attestation failed:', e); })
+        .finally(function(){ if(window.__protego_ready_resolve) window.__protego_ready_resolve(); });
+    } else {
+      if(window.__protego_ready_resolve) window.__protego_ready_resolve();
+    }
+  };
+  s.onerror = function(){ if(window.__protego_ready_resolve) window.__protego_ready_resolve(); };
+  document.head.appendChild(s);
+})();
+`.trim();
+    return react_1.default.createElement('script', {
+        dangerouslySetInnerHTML: { __html: initScript },
+        nonce: nonce ?? undefined,
+        async: asyncLoad || undefined,
+        defer: deferLoad || undefined,
+    });
+}
+//# sourceMappingURL=script.js.map

package/dist/script.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"script.js","sourceRoot":"","sources":["../src/script.tsx"],"names":[],"mappings":";;;;;AAGA,sCAyDC;AA5DD,kDAA0B;AAG1B,SAAgB,aAAa,CAAC,KAAyB;IACrD,MAAM,EACJ,cAAc,EACd,QAAQ,EACR,eAAe,EACf,KAAK,EACL,KAAK,EAAE,SAAS,GAAG,IAAI,EACvB,KAAK,EAAE,SAAS,GAAG,KAAK,EACxB,eAAe,GAAG,IAAI,EACtB,WAAW,GAAG,IAAI,GACnB,GAAG,KAAK,CAAC;IAEV,MAAM,UAAU,GAAG,IAAI,CAAC,SAAS,CAAC;QAChC,OAAO,EAAE,cAAc;QACvB,QAAQ;QACR,eAAe;QACf,WAAW;KACZ,CAAC,CAAC;IAEH,MAAM,UAAU,GAAG;;;;;;YAMT,IAAI,CAAC,SAAS,CAAC,eAAe,CAAC;;;;sBAIrB,UAAU;;;;;;;;;;;;;;;;;;;;CAoB/B,CAAC,IAAI,EAAE,CAAC;IAEP,OAAO,eAAK,CAAC,aAAa,CAAC,QAAQ,EAAE;QACnC,uBAAuB,EAAE,EAAE,MAAM,EAAE,UAAU,EAAE;QAC/C,KAAK,EAAE,KAAK,IAAI,SAAS;QACzB,KAAK,EAAE,SAAS,IAAI,SAAS;QAC7B,KAAK,EAAE,SAAS,IAAI,SAAS;KAC9B,CAAC,CAAC;AACL,CAAC"}

package/dist/types.d.ts

@@ -0,0 +1,71 @@
+import type { EnforcementMode, EnforcementPolicy, TrustLevel } from '@protegoprotect/core/protocol';
+/**
+ * Configuration for the Protego Next.js middleware.
+ */
+export interface ProtegoNextConfig {
+    /** URL of the attestation server (e.g. "https://api.example.com" or same-origin ""). */
+    attestationUrl: string;
+    /** HMAC-SHA256 signing key for trust token verification (hex or Buffer). Used in edge middleware. */
+    signingKey: string | Buffer;
+    /** Audience identifier for this project (e.g. "seatlabs"). */
+    audience: string;
+    /** Salt for IP hashing (same as attestation server). */
+    ipSalt: string;
+    /** Enforcement policies per-route. Evaluated in order, first match wins. */
+    policies: EnforcementPolicy[];
+    /** Default enforcement mode when no policy matches. */
+    defaultMode: EnforcementMode;
+    /** Default required trust level when no policy matches. */
+    defaultTrustLevel: TrustLevel;
+    /** Route patterns to protect with edge middleware. Default: all routes. */
+    protectedRoutes?: string[];
+    /** Route patterns to exclude from middleware (e.g. static assets). */
+    excludeRoutes?: string[];
+    /** URL path to the sensor SDK script (hosted or bundled). */
+    sensorScriptUrl: string;
+    /** Optional nonce for CSP compliance. */
+    scriptNonce?: string;
+    /** Whether to load the sensor script with async attribute. Default: true. */
+    scriptAsync?: boolean;
+    /** Whether to load the sensor script with defer attribute. Default: false. */
+    scriptDefer?: boolean;
+    /** Custom logging function for edge middleware. */
+    log?: (level: 'info' | 'warn' | 'error', message: string, meta?: Record<string, unknown>) => void;
+}
+/**
+ * Configuration for the ProtegoScript React component.
+ */
+export interface ProtegoScriptProps {
+    /** URL of the attestation server. */
+    attestationUrl: string;
+    /** Audience identifier for this project. */
+    audience: string;
+    /** URL path to the sensor SDK script. */
+    sensorScriptUrl: string;
+    /** Optional nonce for CSP compliance. */
+    nonce?: string;
+    /** Whether to load async. Default: true. */
+    async?: boolean;
+    /** Whether to load deferred. Default: false. */
+    defer?: boolean;
+    /** Minimum milliseconds for behavior collection before attesting. Default: 2000. */
+    behaviorDelayMs?: number;
+    /** Whether to auto-refresh trust tokens. Default: true. */
+    autoRefresh?: boolean;
+}
+/**
+ * Result of the edge middleware trust verification.
+ */
+export interface EdgeVerifyResult {
+    /** Whether the request passed enforcement. */
+    trusted: boolean;
+    /** The enforcement mode applied. */
+    mode: EnforcementMode;
+    /** Session ID from the trust token (null if no valid token). */
+    sessionId: string | null;
+    /** Trust level from the token (null if no valid token). */
+    trustLevel: TrustLevel | null;
+    /** Error code if verification failed. */
+    errorCode: string | null;
+}
+//# sourceMappingURL=types.d.ts.map

package/dist/types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,eAAe,EAAE,iBAAiB,EAAE,UAAU,EAAE,MAAM,+BAA+B,CAAC;AAEpG;;GAEG;AACH,MAAM,WAAW,iBAAiB;IAChC,wFAAwF;IACxF,cAAc,EAAE,MAAM,CAAC;IAEvB,qGAAqG;IACrG,UAAU,EAAE,MAAM,GAAG,MAAM,CAAC;IAE5B,8DAA8D;IAC9D,QAAQ,EAAE,MAAM,CAAC;IAEjB,wDAAwD;IACxD,MAAM,EAAE,MAAM,CAAC;IAEf,4EAA4E;IAC5E,QAAQ,EAAE,iBAAiB,EAAE,CAAC;IAE9B,uDAAuD;IACvD,WAAW,EAAE,eAAe,CAAC;IAE7B,2DAA2D;IAC3D,iBAAiB,EAAE,UAAU,CAAC;IAE9B,2EAA2E;IAC3E,eAAe,CAAC,EAAE,MAAM,EAAE,CAAC;IAE3B,sEAAsE;IACtE,aAAa,CAAC,EAAE,MAAM,EAAE,CAAC;IAEzB,6DAA6D;IAC7D,eAAe,EAAE,MAAM,CAAC;IAExB,yCAAyC;IACzC,WAAW,CAAC,EAAE,MAAM,CAAC;IAErB,6EAA6E;IAC7E,WAAW,CAAC,EAAE,OAAO,CAAC;IAEtB,8EAA8E;IAC9E,WAAW,CAAC,EAAE,OAAO,CAAC;IAEtB,mDAAmD;IACnD,GAAG,CAAC,EAAE,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,GAAG,OAAO,EAAE,OAAO,EAAE,MAAM,EAAE,IAAI,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,KAAK,IAAI,CAAC;CACnG;AAED;;GAEG;AACH,MAAM,WAAW,kBAAkB;IACjC,qCAAqC;IACrC,cAAc,EAAE,MAAM,CAAC;IAEvB,4CAA4C;IAC5C,QAAQ,EAAE,MAAM,CAAC;IAEjB,yCAAyC;IACzC,eAAe,EAAE,MAAM,CAAC;IAExB,yCAAyC;IACzC,KAAK,CAAC,EAAE,MAAM,CAAC;IAEf,4CAA4C;IAC5C,KAAK,CAAC,EAAE,OAAO,CAAC;IAEhB,gDAAgD;IAChD,KAAK,CAAC,EAAE,OAAO,CAAC;IAEhB,oFAAoF;IACpF,eAAe,CAAC,EAAE,MAAM,CAAC;IAEzB,2DAA2D;IAC3D,WAAW,CAAC,EAAE,OAAO,CAAC;CACvB;AAED;;GAEG;AACH,MAAM,WAAW,gBAAgB;IAC/B,8CAA8C;IAC9C,OAAO,EAAE,OAAO,CAAC;IAEjB,oCAAoC;IACpC,IAAI,EAAE,eAAe,CAAC;IAEtB,gEAAgE;IAChE,SAAS,EAAE,MAAM,GAAG,IAAI,CAAC;IAEzB,2DAA2D;IAC3D,UAAU,EAAE,UAAU,GAAG,IAAI,CAAC;IAE9B,yCAAyC;IACzC,SAAS,EAAE,MAAM,GAAG,IAAI,CAAC;CAC1B"}

package/dist/types.js

@@ -0,0 +1,3 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+//# sourceMappingURL=types.js.map

package/dist/types.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.js","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":""}

package/package.json

@@ -0,0 +1,52 @@
+{
+  "name": "@protegoprotect/middleware-next",
+  "version": "2.0.0",
+  "description": "Protego Next.js middleware — script injection, trust enforcement, protegoFetch",
+  "main": "dist/index.js",
+  "types": "dist/index.d.ts",
+  "exports": {
+    ".": {
+      "types": "./dist/index.d.ts",
+      "default": "./dist/index.js"
+    },
+    "./script": {
+      "types": "./dist/script.d.ts",
+      "default": "./dist/script.js"
+    },
+    "./middleware": {
+      "types": "./dist/middleware.d.ts",
+      "default": "./dist/middleware.js"
+    },
+    "./fetch": {
+      "types": "./dist/fetch.d.ts",
+      "default": "./dist/fetch.js"
+    },
+    "./edge": {
+      "types": "./dist/edge.d.ts",
+      "default": "./dist/edge.js"
+    }
+  },
+  "scripts": {
+    "build": "tsc",
+    "test": "npx tsx --test tests/middleware.test.ts tests/script.test.ts tests/fetch.test.ts tests/auto.test.ts tests/encrypt.test.ts"
+  },
+  "files": ["dist", "README.md"],
+  "keywords": ["antibot", "nextjs", "middleware", "bot-detection"],
+  "license": "ISC",
+  "engines": {
+    "node": ">=18.0.0"
+  },
+  "dependencies": {
+    "@protegoprotect/core": "2.0.0",
+    "@protegoprotect/attestation": "2.0.0"
+  },
+  "peerDependencies": {
+    "next": ">=13.0.0",
+    "react": ">=18.0.0"
+  },
+  "devDependencies": {
+    "typescript": "^5.7.0",
+    "@types/node": "^22.0.0",
+    "@types/react": "^19.0.0"
+  }
+}