@sentinel-atl/hardening 0.3.0

package/README.md

@@ -0,0 +1,102 @@
+# @sentinel-atl/hardening
+
+Production hardening middleware for Sentinel services — API key auth, CORS, TLS, rate limiting, nonce replay protection, audit log rotation, and security headers.
+
+## Install
+
+```bash
+npm install @sentinel-atl/hardening
+```
+
+## Modules
+
+### Authentication
+
+API key auth with scoped access control and constant-time comparison.
+
+```ts
+import { authenticate, hasScope, authConfigFromEnv } from '@sentinel-atl/hardening';
+
+const config = authConfigFromEnv();
+// Or manual: { enabled: true, keys: [{ key: 'secret', scopes: ['read', 'write'] }] }
+
+const result = authenticate(req, config);
+if (!result.authenticated) sendUnauthorized(res);
+if (!hasScope(result, 'write')) sendForbidden(res);
+```
+
+Key extraction order: `Authorization: Bearer <key>` → `X-API-Key` header → `?apiKey=` query param.
+
+**Environment**: `SENTINEL_API_KEYS=key1:read,write;key2:admin`
+
+### CORS
+
+```ts
+import { applyCors, corsConfigFromEnv } from '@sentinel-atl/hardening';
+
+const config = corsConfigFromEnv();
+const isPreflight = applyCors(req, res, config);
+if (isPreflight) return; // Already responded to OPTIONS
+```
+
+**Environment**: `SENTINEL_CORS_ORIGINS=https://example.com,https://app.example.com`
+
+### TLS
+
+```ts
+import { createSecureServer, tlsConfigFromEnv } from '@sentinel-atl/hardening';
+
+const tls = tlsConfigFromEnv();
+const server = createSecureServer(tls, handler);
+// Returns https.Server when TLS is configured, http.Server otherwise
+```
+
+**Environment**: `SENTINEL_TLS_CERT_PATH`, `SENTINEL_TLS_KEY_PATH`
+
+### Rate Limiting
+
+RFC 6585 compliant, in-memory rate limiter.
+
+```ts
+import { RateLimiter, parseRateLimit } from '@sentinel-atl/hardening';
+
+const { max, windowMs } = parseRateLimit('100/min');
+const limiter = new RateLimiter(max, windowMs);
+
+const info = limiter.check(clientId);
+setRateLimitHeaders(res, info);
+if (!info.allowed) sendRateLimited(res, info);
+```
+
+### Nonce Store (Replay Protection)
+
+```ts
+import { NonceStore } from '@sentinel-atl/hardening';
+
+const nonces = new NonceStore({ backend: store, ttl: 300 });
+const isNew = await nonces.consume(nonce);
+if (!isNew) return res.end('Replay detected');
+```
+
+### Audit Log Rotation
+
+```ts
+import { rotateIfNeeded, cleanupRotatedFiles } from '@sentinel-atl/hardening';
+
+await rotateIfNeeded('./audit.jsonl', { maxSize: 10_000_000 }); // 10MB
+await cleanupRotatedFiles('./audit.jsonl', { maxAge: 30 * 86400_000 }); // 30 days
+```
+
+### Security Headers
+
+```ts
+import { applySecurityHeaders } from '@sentinel-atl/hardening';
+
+applySecurityHeaders(res, { hsts: true });
+// Sets: Content-Security-Policy, X-Content-Type-Options, X-Frame-Options,
+//       X-XSS-Protection, Referrer-Policy, Permissions-Policy, HSTS
+```
+
+## License
+
+MIT

package/dist/audit-rotation.d.ts

@@ -0,0 +1,33 @@
+/**
+ * Audit log rotation — prevents unbounded log file growth.
+ *
+ * Supports:
+ * - Size-based rotation: rotate when file exceeds maxSizeBytes
+ * - Time-based rotation: rotate daily/hourly
+ * - Retention: keep N rotated files, delete older ones
+ * - Compression-ready: rotated files get .N suffix (gzip can be added later)
+ */
+export interface RotationConfig {
+    /** Path to the active log file */
+    logPath: string;
+    /** Maximum size in bytes before rotation (default: 10MB) */
+    maxSizeBytes?: number;
+    /** Maximum number of rotated files to keep (default: 10) */
+    maxFiles?: number;
+    /** Rotation interval: 'size' | 'daily' | 'hourly' (default: 'size') */
+    interval?: 'size' | 'daily' | 'hourly';
+}
+/**
+ * Check if the log file needs rotation and rotate if so.
+ * Returns true if rotation occurred.
+ */
+export declare function rotateIfNeeded(config: RotationConfig): Promise<boolean>;
+/**
+ * Clean up rotated files beyond the retention limit.
+ */
+export declare function cleanupRotatedFiles(config: RotationConfig): Promise<number>;
+/**
+ * Get total size of all log files (active + rotated).
+ */
+export declare function totalLogSize(config: RotationConfig): Promise<number>;
+//# sourceMappingURL=audit-rotation.d.ts.map

package/dist/audit-rotation.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"audit-rotation.d.ts","sourceRoot":"","sources":["../src/audit-rotation.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAQH,MAAM,WAAW,cAAc;IAC7B,kCAAkC;IAClC,OAAO,EAAE,MAAM,CAAC;IAChB,4DAA4D;IAC5D,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,4DAA4D;IAC5D,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,uEAAuE;IACvE,QAAQ,CAAC,EAAE,MAAM,GAAG,OAAO,GAAG,QAAQ,CAAC;CACxC;AAID;;;GAGG;AACH,wBAAsB,cAAc,CAAC,MAAM,EAAE,cAAc,GAAG,OAAO,CAAC,OAAO,CAAC,CA+B7E;AA8BD;;GAEG;AACH,wBAAsB,mBAAmB,CAAC,MAAM,EAAE,cAAc,GAAG,OAAO,CAAC,MAAM,CAAC,CAwBjF;AAED;;GAEG;AACH,wBAAsB,YAAY,CAAC,MAAM,EAAE,cAAc,GAAG,OAAO,CAAC,MAAM,CAAC,CAsB1E"}

package/dist/audit-rotation.js

@@ -0,0 +1,120 @@
+/**
+ * Audit log rotation — prevents unbounded log file growth.
+ *
+ * Supports:
+ * - Size-based rotation: rotate when file exceeds maxSizeBytes
+ * - Time-based rotation: rotate daily/hourly
+ * - Retention: keep N rotated files, delete older ones
+ * - Compression-ready: rotated files get .N suffix (gzip can be added later)
+ */
+import { stat, rename, unlink, readdir } from 'node:fs/promises';
+import { existsSync } from 'node:fs';
+import { dirname, basename, join } from 'node:path';
+// ─── Rotation ────────────────────────────────────────────────────────
+/**
+ * Check if the log file needs rotation and rotate if so.
+ * Returns true if rotation occurred.
+ */
+export async function rotateIfNeeded(config) {
+    const { logPath } = config;
+    const maxSize = config.maxSizeBytes ?? 10_485_760; // 10 MB
+    const maxFiles = config.maxFiles ?? 10;
+    if (!existsSync(logPath))
+        return false;
+    const interval = config.interval ?? 'size';
+    let shouldRotate = false;
+    if (interval === 'size') {
+        const fileStat = await stat(logPath);
+        shouldRotate = fileStat.size >= maxSize;
+    }
+    else if (interval === 'daily' || interval === 'hourly') {
+        const fileStat = await stat(logPath);
+        const now = new Date();
+        const fileTime = new Date(fileStat.mtime);
+        if (interval === 'daily') {
+            shouldRotate = now.toDateString() !== fileTime.toDateString();
+        }
+        else {
+            shouldRotate = now.getHours() !== fileTime.getHours() ||
+                now.toDateString() !== fileTime.toDateString();
+        }
+    }
+    if (!shouldRotate)
+        return false;
+    await rotate(logPath, maxFiles);
+    return true;
+}
+/**
+ * Perform the rotation: shift existing files and rename current log.
+ *
+ * log.jsonl    → log.jsonl.1
+ * log.jsonl.1  → log.jsonl.2
+ * ...
+ * log.jsonl.N  → deleted (if N > maxFiles)
+ */
+async function rotate(logPath, maxFiles) {
+    // Delete the oldest file if it exists
+    const oldest = `${logPath}.${maxFiles}`;
+    if (existsSync(oldest)) {
+        await unlink(oldest);
+    }
+    // Shift existing rotated files
+    for (let i = maxFiles - 1; i >= 1; i--) {
+        const from = `${logPath}.${i}`;
+        const to = `${logPath}.${i + 1}`;
+        if (existsSync(from)) {
+            await rename(from, to);
+        }
+    }
+    // Rotate current log
+    await rename(logPath, `${logPath}.1`);
+}
+/**
+ * Clean up rotated files beyond the retention limit.
+ */
+export async function cleanupRotatedFiles(config) {
+    const maxFiles = config.maxFiles ?? 10;
+    const dir = dirname(config.logPath);
+    const base = basename(config.logPath);
+    const files = await readdir(dir);
+    const rotatedFiles = files
+        .filter(f => f.startsWith(base + '.') && /\.\d+$/.test(f))
+        .sort((a, b) => {
+        const numA = parseInt(a.split('.').pop());
+        const numB = parseInt(b.split('.').pop());
+        return numA - numB;
+    });
+    let removed = 0;
+    for (const file of rotatedFiles) {
+        const num = parseInt(file.split('.').pop());
+        if (num > maxFiles) {
+            await unlink(join(dir, file));
+            removed++;
+        }
+    }
+    return removed;
+}
+/**
+ * Get total size of all log files (active + rotated).
+ */
+export async function totalLogSize(config) {
+    const dir = dirname(config.logPath);
+    const base = basename(config.logPath);
+    let total = 0;
+    if (existsSync(config.logPath)) {
+        total += (await stat(config.logPath)).size;
+    }
+    try {
+        const files = await readdir(dir);
+        for (const file of files) {
+            if (file.startsWith(base + '.') && /\.\d+$/.test(file)) {
+                total += (await stat(join(dir, file))).size;
+            }
+        }
+    }
+    catch {
+        // Directory might not exist
+    }
+    return total;
+}
+//# sourceMappingURL=audit-rotation.js.map

package/dist/audit-rotation.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"audit-rotation.js","sourceRoot":"","sources":["../src/audit-rotation.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,kBAAkB,CAAC;AACjE,OAAO,EAAE,UAAU,EAAE,MAAM,SAAS,CAAC;AACrC,OAAO,EAAE,OAAO,EAAE,QAAQ,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AAepD,wEAAwE;AAExE;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,cAAc,CAAC,MAAsB;IACzD,MAAM,EAAE,OAAO,EAAE,GAAG,MAAM,CAAC;IAC3B,MAAM,OAAO,GAAG,MAAM,CAAC,YAAY,IAAI,UAAU,CAAC,CAAC,QAAQ;IAC3D,MAAM,QAAQ,GAAG,MAAM,CAAC,QAAQ,IAAI,EAAE,CAAC;IAEvC,IAAI,CAAC,UAAU,CAAC,OAAO,CAAC;QAAE,OAAO,KAAK,CAAC;IAEvC,MAAM,QAAQ,GAAG,MAAM,CAAC,QAAQ,IAAI,MAAM,CAAC;IAE3C,IAAI,YAAY,GAAG,KAAK,CAAC;IAEzB,IAAI,QAAQ,KAAK,MAAM,EAAE,CAAC;QACxB,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,CAAC;QACrC,YAAY,GAAG,QAAQ,CAAC,IAAI,IAAI,OAAO,CAAC;IAC1C,CAAC;SAAM,IAAI,QAAQ,KAAK,OAAO,IAAI,QAAQ,KAAK,QAAQ,EAAE,CAAC;QACzD,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,CAAC;QACrC,MAAM,GAAG,GAAG,IAAI,IAAI,EAAE,CAAC;QACvB,MAAM,QAAQ,GAAG,IAAI,IAAI,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;QAE1C,IAAI,QAAQ,KAAK,OAAO,EAAE,CAAC;YACzB,YAAY,GAAG,GAAG,CAAC,YAAY,EAAE,KAAK,QAAQ,CAAC,YAAY,EAAE,CAAC;QAChE,CAAC;aAAM,CAAC;YACN,YAAY,GAAG,GAAG,CAAC,QAAQ,EAAE,KAAK,QAAQ,CAAC,QAAQ,EAAE;gBACtC,GAAG,CAAC,YAAY,EAAE,KAAK,QAAQ,CAAC,YAAY,EAAE,CAAC;QAChE,CAAC;IACH,CAAC;IAED,IAAI,CAAC,YAAY;QAAE,OAAO,KAAK,CAAC;IAEhC,MAAM,MAAM,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC;IAChC,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;;;;;;GAOG;AACH,KAAK,UAAU,MAAM,CAAC,OAAe,EAAE,QAAgB;IACrD,sCAAsC;IACtC,MAAM,MAAM,GAAG,GAAG,OAAO,IAAI,QAAQ,EAAE,CAAC;IACxC,IAAI,UAAU,CAAC,MAAM,CAAC,EAAE,CAAC;QACvB,MAAM,MAAM,CAAC,MAAM,CAAC,CAAC;IACvB,CAAC;IAED,+BAA+B;IAC/B,KAAK,IAAI,CAAC,GAAG,QAAQ,GAAG,CAAC,EAAE,CAAC,IAAI,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC;QACvC,MAAM,IAAI,GAAG,GAAG,OAAO,IAAI,CAAC,EAAE,CAAC;QAC/B,MAAM,EAAE,GAAG,GAAG,OAAO,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC;QACjC,IAAI,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC;YACrB,MAAM,MAAM,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC;QACzB,CAAC;IACH,CAAC;IAED,qBAAqB;IACrB,MAAM,MAAM,CAAC,OAAO,EAAE,GAAG,OAAO,IAAI,CAAC,CAAC;AACxC,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,mBAAmB,CAAC,MAAsB;IAC9D,MAAM,QAAQ,GAAG,MAAM,CAAC,QAAQ,IAAI,EAAE,CAAC;IACvC,MAAM,GAAG,GAAG,OAAO,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;IACpC,MAAM,IAAI,GAAG,QAAQ,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;IAEtC,MAAM,KAAK,GAAG,MAAM,OAAO,CAAC,GAAG,CAAC,CAAC;IACjC,MAAM,YAAY,GAAG,KAAK;SACvB,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,UAAU,CAAC,IAAI,GAAG,GAAG,CAAC,IAAI,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;SACzD,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE;QACb,MAAM,IAAI,GAAG,QAAQ,CAAC,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,EAAG,CAAC,CAAC;QAC3C,MAAM,IAAI,GAAG,QAAQ,CAAC,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,EAAG,CAAC,CAAC;QAC3C,OAAO,IAAI,GAAG,IAAI,CAAC;IACrB,CAAC,CAAC,CAAC;IAEL,IAAI,OAAO,GAAG,CAAC,CAAC;IAChB,KAAK,MAAM,IAAI,IAAI,YAAY,EAAE,CAAC;QAChC,MAAM,GAAG,GAAG,QAAQ,CAAC,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,EAAG,CAAC,CAAC;QAC7C,IAAI,GAAG,GAAG,QAAQ,EAAE,CAAC;YACnB,MAAM,MAAM,CAAC,IAAI,CAAC,GAAG,EAAE,IAAI,CAAC,CAAC,CAAC;YAC9B,OAAO,EAAE,CAAC;QACZ,CAAC;IACH,CAAC;IAED,OAAO,OAAO,CAAC;AACjB,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,YAAY,CAAC,MAAsB;IACvD,MAAM,GAAG,GAAG,OAAO,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;IACpC,MAAM,IAAI,GAAG,QAAQ,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;IAEtC,IAAI,KAAK,GAAG,CAAC,CAAC;IAEd,IAAI,UAAU,CAAC,MAAM,CAAC,OAAO,CAAC,EAAE,CAAC;QAC/B,KAAK,IAAI,CAAC,MAAM,IAAI,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,CAAC,IAAI,CAAC;IAC7C,CAAC;IAED,IAAI,CAAC;QACH,MAAM,KAAK,GAAG,MAAM,OAAO,CAAC,GAAG,CAAC,CAAC;QACjC,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;YACzB,IAAI,IAAI,CAAC,UAAU,CAAC,IAAI,GAAG,GAAG,CAAC,IAAI,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;gBACvD,KAAK,IAAI,CAAC,MAAM,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,IAAI,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;YAC9C,CAAC;QACH,CAAC;IACH,CAAC;IAAC,MAAM,CAAC;QACP,4BAA4B;IAC9B,CAAC;IAED,OAAO,KAAK,CAAC;AACf,CAAC"}

package/dist/auth.d.ts

@@ -0,0 +1,59 @@
+/**
+ * API Key Authentication middleware.
+ *
+ * Supports:
+ * - Bearer token in Authorization header
+ * - X-API-Key header
+ * - ?apiKey query parameter
+ *
+ * Keys are validated using constant-time comparison to prevent timing attacks.
+ * Multiple keys can be configured with different scopes (read, write, admin).
+ */
+import type { IncomingMessage, ServerResponse } from 'node:http';
+export type AuthScope = 'read' | 'write' | 'admin';
+export interface ApiKey {
+    /** The key value (plaintext — in production, store hashed) */
+    key: string;
+    /** Human-readable label */
+    label?: string;
+    /** Scopes this key grants */
+    scopes: AuthScope[];
+}
+export interface AuthConfig {
+    /** Whether auth is enabled (default: false — opt-in) */
+    enabled: boolean;
+    /** Registered API keys */
+    keys: ApiKey[];
+    /** Paths that don't require auth (e.g., /health, badge endpoints) */
+    publicPaths?: string[];
+    /** Custom realm for WWW-Authenticate header */
+    realm?: string;
+}
+export interface AuthResult {
+    authenticated: boolean;
+    key?: ApiKey;
+    error?: string;
+}
+/**
+ * Authenticate an incoming request.
+ */
+export declare function authenticate(req: IncomingMessage, config: AuthConfig): AuthResult;
+/**
+ * Check if request has the required scope.
+ */
+export declare function hasScope(result: AuthResult, required: AuthScope): boolean;
+/**
+ * Send a 401 Unauthorized response.
+ */
+export declare function sendUnauthorized(res: ServerResponse, config: AuthConfig, error?: string): void;
+/**
+ * Send a 403 Forbidden response.
+ */
+export declare function sendForbidden(res: ServerResponse, error?: string): void;
+/**
+ * Create a default auth config from environment variables.
+ *
+ * SENTINEL_API_KEYS=key1:read,write;key2:admin
+ */
+export declare function authConfigFromEnv(): AuthConfig;
+//# sourceMappingURL=auth.d.ts.map

package/dist/auth.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth.d.ts","sourceRoot":"","sources":["../src/auth.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAEH,OAAO,KAAK,EAAE,eAAe,EAAE,cAAc,EAAE,MAAM,WAAW,CAAC;AAKjE,MAAM,MAAM,SAAS,GAAG,MAAM,GAAG,OAAO,GAAG,OAAO,CAAC;AAEnD,MAAM,WAAW,MAAM;IACrB,8DAA8D;IAC9D,GAAG,EAAE,MAAM,CAAC;IACZ,2BAA2B;IAC3B,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,6BAA6B;IAC7B,MAAM,EAAE,SAAS,EAAE,CAAC;CACrB;AAED,MAAM,WAAW,UAAU;IACzB,wDAAwD;IACxD,OAAO,EAAE,OAAO,CAAC;IACjB,0BAA0B;IAC1B,IAAI,EAAE,MAAM,EAAE,CAAC;IACf,qEAAqE;IACrE,WAAW,CAAC,EAAE,MAAM,EAAE,CAAC;IACvB,+CAA+C;IAC/C,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAED,MAAM,WAAW,UAAU;IACzB,aAAa,EAAE,OAAO,CAAC;IACvB,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAoCD;;GAEG;AACH,wBAAgB,YAAY,CAAC,GAAG,EAAE,eAAe,EAAE,MAAM,EAAE,UAAU,GAAG,UAAU,CAyBjF;AAED;;GAEG;AACH,wBAAgB,QAAQ,CAAC,MAAM,EAAE,UAAU,EAAE,QAAQ,EAAE,SAAS,GAAG,OAAO,CAKzE;AAED;;GAEG;AACH,wBAAgB,gBAAgB,CAAC,GAAG,EAAE,cAAc,EAAE,MAAM,EAAE,UAAU,EAAE,KAAK,CAAC,EAAE,MAAM,GAAG,IAAI,CAO9F;AAED;;GAEG;AACH,wBAAgB,aAAa,CAAC,GAAG,EAAE,cAAc,EAAE,KAAK,CAAC,EAAE,MAAM,GAAG,IAAI,CAGvE;AAED;;;;GAIG;AACH,wBAAgB,iBAAiB,IAAI,UAAU,CAiB9C"}

package/dist/auth.js

@@ -0,0 +1,117 @@
+/**
+ * API Key Authentication middleware.
+ *
+ * Supports:
+ * - Bearer token in Authorization header
+ * - X-API-Key header
+ * - ?apiKey query parameter
+ *
+ * Keys are validated using constant-time comparison to prevent timing attacks.
+ * Multiple keys can be configured with different scopes (read, write, admin).
+ */
+import { timingSafeEqual } from 'node:crypto';
+// ─── Helpers ──────────────────────────────────────────────────────────
+function constantTimeCompare(a, b) {
+    if (a.length !== b.length)
+        return false;
+    const bufA = Buffer.from(a, 'utf-8');
+    const bufB = Buffer.from(b, 'utf-8');
+    return timingSafeEqual(bufA, bufB);
+}
+function extractApiKey(req) {
+    // 1. Authorization: Bearer <key>
+    const authHeader = req.headers['authorization'];
+    if (authHeader?.startsWith('Bearer ')) {
+        return authHeader.slice(7);
+    }
+    // 2. X-API-Key header
+    const xApiKey = req.headers['x-api-key'];
+    if (typeof xApiKey === 'string' && xApiKey) {
+        return xApiKey;
+    }
+    // 3. Query parameter
+    const url = new URL(req.url ?? '/', `http://localhost`);
+    const queryKey = url.searchParams.get('apiKey');
+    if (queryKey) {
+        return queryKey;
+    }
+    return undefined;
+}
+// ─── Auth Check ──────────────────────────────────────────────────────
+/**
+ * Authenticate an incoming request.
+ */
+export function authenticate(req, config) {
+    if (!config.enabled) {
+        return { authenticated: true };
+    }
+    // Check public paths
+    const url = new URL(req.url ?? '/', `http://localhost`);
+    const path = url.pathname;
+    if (config.publicPaths?.some(p => path === p || path.startsWith(p + '/'))) {
+        return { authenticated: true };
+    }
+    const providedKey = extractApiKey(req);
+    if (!providedKey) {
+        return { authenticated: false, error: 'Missing API key' };
+    }
+    // Find matching key (constant-time comparison)
+    for (const registeredKey of config.keys) {
+        if (constantTimeCompare(providedKey, registeredKey.key)) {
+            return { authenticated: true, key: registeredKey };
+        }
+    }
+    return { authenticated: false, error: 'Invalid API key' };
+}
+/**
+ * Check if request has the required scope.
+ */
+export function hasScope(result, required) {
+    if (!result.authenticated)
+        return false;
+    if (!result.key)
+        return true; // Auth disabled or public path
+    if (result.key.scopes.includes('admin'))
+        return true;
+    return result.key.scopes.includes(required);
+}
+/**
+ * Send a 401 Unauthorized response.
+ */
+export function sendUnauthorized(res, config, error) {
+    const realm = config.realm ?? 'Sentinel';
+    res.writeHead(401, {
+        'Content-Type': 'application/json',
+        'WWW-Authenticate': `Bearer realm="${realm}"`,
+    });
+    res.end(JSON.stringify({ error: error ?? 'Unauthorized' }));
+}
+/**
+ * Send a 403 Forbidden response.
+ */
+export function sendForbidden(res, error) {
+    res.writeHead(403, { 'Content-Type': 'application/json' });
+    res.end(JSON.stringify({ error: error ?? 'Forbidden: insufficient scope' }));
+}
+/**
+ * Create a default auth config from environment variables.
+ *
+ * SENTINEL_API_KEYS=key1:read,write;key2:admin
+ */
+export function authConfigFromEnv() {
+    const envKeys = process.env['SENTINEL_API_KEYS'];
+    if (!envKeys) {
+        return { enabled: false, keys: [] };
+    }
+    const keys = envKeys.split(';').filter(Boolean).map((entry, i) => {
+        const [key, scopeStr] = entry.split(':');
+        const scopes = (scopeStr ?? 'read').split(',').map(s => s.trim());
+        return { key: key.trim(), label: `key-${i}`, scopes };
+    });
+    return {
+        enabled: keys.length > 0,
+        keys,
+        publicPaths: ['/health'],
+    };
+}
+//# sourceMappingURL=auth.js.map

package/dist/auth.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth.js","sourceRoot":"","sources":["../src/auth.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAGH,OAAO,EAAE,eAAe,EAAE,MAAM,aAAa,CAAC;AAgC9C,yEAAyE;AAEzE,SAAS,mBAAmB,CAAC,CAAS,EAAE,CAAS;IAC/C,IAAI,CAAC,CAAC,MAAM,KAAK,CAAC,CAAC,MAAM;QAAE,OAAO,KAAK,CAAC;IACxC,MAAM,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC,CAAC,EAAE,OAAO,CAAC,CAAC;IACrC,MAAM,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC,CAAC,EAAE,OAAO,CAAC,CAAC;IACrC,OAAO,eAAe,CAAC,IAAI,EAAE,IAAI,CAAC,CAAC;AACrC,CAAC;AAED,SAAS,aAAa,CAAC,GAAoB;IACzC,iCAAiC;IACjC,MAAM,UAAU,GAAG,GAAG,CAAC,OAAO,CAAC,eAAe,CAAC,CAAC;IAChD,IAAI,UAAU,EAAE,UAAU,CAAC,SAAS,CAAC,EAAE,CAAC;QACtC,OAAO,UAAU,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;IAC7B,CAAC;IAED,sBAAsB;IACtB,MAAM,OAAO,GAAG,GAAG,CAAC,OAAO,CAAC,WAAW,CAAC,CAAC;IACzC,IAAI,OAAO,OAAO,KAAK,QAAQ,IAAI,OAAO,EAAE,CAAC;QAC3C,OAAO,OAAO,CAAC;IACjB,CAAC;IAED,qBAAqB;IACrB,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,GAAG,IAAI,GAAG,EAAE,kBAAkB,CAAC,CAAC;IACxD,MAAM,QAAQ,GAAG,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;IAChD,IAAI,QAAQ,EAAE,CAAC;QACb,OAAO,QAAQ,CAAC;IAClB,CAAC;IAED,OAAO,SAAS,CAAC;AACnB,CAAC;AAED,wEAAwE;AAExE;;GAEG;AACH,MAAM,UAAU,YAAY,CAAC,GAAoB,EAAE,MAAkB;IACnE,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC;QACpB,OAAO,EAAE,aAAa,EAAE,IAAI,EAAE,CAAC;IACjC,CAAC;IAED,qBAAqB;IACrB,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,GAAG,IAAI,GAAG,EAAE,kBAAkB,CAAC,CAAC;IACxD,MAAM,IAAI,GAAG,GAAG,CAAC,QAAQ,CAAC;IAC1B,IAAI,MAAM,CAAC,WAAW,EAAE,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,IAAI,KAAK,CAAC,IAAI,IAAI,CAAC,UAAU,CAAC,CAAC,GAAG,GAAG,CAAC,CAAC,EAAE,CAAC;QAC1E,OAAO,EAAE,aAAa,EAAE,IAAI,EAAE,CAAC;IACjC,CAAC;IAED,MAAM,WAAW,GAAG,aAAa,CAAC,GAAG,CAAC,CAAC;IACvC,IAAI,CAAC,WAAW,EAAE,CAAC;QACjB,OAAO,EAAE,aAAa,EAAE,KAAK,EAAE,KAAK,EAAE,iBAAiB,EAAE,CAAC;IAC5D,CAAC;IAED,+CAA+C;IAC/C,KAAK,MAAM,aAAa,IAAI,MAAM,CAAC,IAAI,EAAE,CAAC;QACxC,IAAI,mBAAmB,CAAC,WAAW,EAAE,aAAa,CAAC,GAAG,CAAC,EAAE,CAAC;YACxD,OAAO,EAAE,aAAa,EAAE,IAAI,EAAE,GAAG,EAAE,aAAa,EAAE,CAAC;QACrD,CAAC;IACH,CAAC;IAED,OAAO,EAAE,aAAa,EAAE,KAAK,EAAE,KAAK,EAAE,iBAAiB,EAAE,CAAC;AAC5D,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,QAAQ,CAAC,MAAkB,EAAE,QAAmB;IAC9D,IAAI,CAAC,MAAM,CAAC,aAAa;QAAE,OAAO,KAAK,CAAC;IACxC,IAAI,CAAC,MAAM,CAAC,GAAG;QAAE,OAAO,IAAI,CAAC,CAAC,+BAA+B;IAC7D,IAAI,MAAM,CAAC,GAAG,CAAC,MAAM,CAAC,QAAQ,CAAC,OAAO,CAAC;QAAE,OAAO,IAAI,CAAC;IACrD,OAAO,MAAM,CAAC,GAAG,CAAC,MAAM,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;AAC9C,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,gBAAgB,CAAC,GAAmB,EAAE,MAAkB,EAAE,KAAc;IACtF,MAAM,KAAK,GAAG,MAAM,CAAC,KAAK,IAAI,UAAU,CAAC;IACzC,GAAG,CAAC,SAAS,CAAC,GAAG,EAAE;QACjB,cAAc,EAAE,kBAAkB;QAClC,kBAAkB,EAAE,iBAAiB,KAAK,GAAG;KAC9C,CAAC,CAAC;IACH,GAAG,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,KAAK,IAAI,cAAc,EAAE,CAAC,CAAC,CAAC;AAC9D,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,aAAa,CAAC,GAAmB,EAAE,KAAc;IAC/D,GAAG,CAAC,SAAS,CAAC,GAAG,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE,CAAC,CAAC;IAC3D,GAAG,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,KAAK,IAAI,+BAA+B,EAAE,CAAC,CAAC,CAAC;AAC/E,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,iBAAiB;IAC/B,MAAM,OAAO,GAAG,OAAO,CAAC,GAAG,CAAC,mBAAmB,CAAC,CAAC;IACjD,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,EAAE,EAAE,CAAC;IACtC,CAAC;IAED,MAAM,IAAI,GAAa,OAAO,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,GAAG,CAAC,CAAC,KAAK,EAAE,CAAC,EAAE,EAAE;QACzE,MAAM,CAAC,GAAG,EAAE,QAAQ,CAAC,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QACzC,MAAM,MAAM,GAAG,CAAC,QAAQ,IAAI,MAAM,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAgB,CAAC;QACjF,OAAO,EAAE,GAAG,EAAE,GAAG,CAAC,IAAI,EAAE,EAAE,KAAK,EAAE,OAAO,CAAC,EAAE,EAAE,MAAM,EAAE,CAAC;IACxD,CAAC,CAAC,CAAC;IAEH,OAAO;QACL,OAAO,EAAE,IAAI,CAAC,MAAM,GAAG,CAAC;QACxB,IAAI;QACJ,WAAW,EAAE,CAAC,SAAS,CAAC;KACzB,CAAC;AACJ,CAAC"}

package/dist/cors.d.ts

@@ -0,0 +1,34 @@
+/**
+ * CORS middleware — configurable origin allowlist.
+ *
+ * Replaces the `Access-Control-Allow-Origin: *` wildcard with
+ * explicit origin checking and proper Vary headers.
+ */
+import type { IncomingMessage, ServerResponse } from 'node:http';
+export interface CorsConfig {
+    /** Allowed origins. Use ['*'] to allow all (not recommended for production). */
+    allowedOrigins: string[];
+    /** Allowed HTTP methods */
+    allowedMethods?: string[];
+    /** Allowed request headers */
+    allowedHeaders?: string[];
+    /** Headers to expose to the browser */
+    exposedHeaders?: string[];
+    /** Whether to allow credentials (cookies, auth headers) */
+    allowCredentials?: boolean;
+    /** Max age for preflight cache (seconds) */
+    maxAge?: number;
+}
+export declare function defaultCorsConfig(): CorsConfig;
+/**
+ * Apply CORS headers to a response.
+ * Returns true if this was a preflight request (caller should end the response).
+ */
+export declare function applyCors(req: IncomingMessage, res: ServerResponse, config: CorsConfig): boolean;
+/**
+ * Create a CORS config from environment variable.
+ *
+ * SENTINEL_CORS_ORIGINS=https://example.com,https://app.example.com
+ */
+export declare function corsConfigFromEnv(): CorsConfig;
+//# sourceMappingURL=cors.d.ts.map

package/dist/cors.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"cors.d.ts","sourceRoot":"","sources":["../src/cors.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,KAAK,EAAE,eAAe,EAAE,cAAc,EAAE,MAAM,WAAW,CAAC;AAIjE,MAAM,WAAW,UAAU;IACzB,gFAAgF;IAChF,cAAc,EAAE,MAAM,EAAE,CAAC;IACzB,2BAA2B;IAC3B,cAAc,CAAC,EAAE,MAAM,EAAE,CAAC;IAC1B,8BAA8B;IAC9B,cAAc,CAAC,EAAE,MAAM,EAAE,CAAC;IAC1B,uCAAuC;IACvC,cAAc,CAAC,EAAE,MAAM,EAAE,CAAC;IAC1B,2DAA2D;IAC3D,gBAAgB,CAAC,EAAE,OAAO,CAAC;IAC3B,4CAA4C;IAC5C,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAID,wBAAgB,iBAAiB,IAAI,UAAU,CAQ9C;AAID;;;GAGG;AACH,wBAAgB,SAAS,CACvB,GAAG,EAAE,eAAe,EACpB,GAAG,EAAE,cAAc,EACnB,MAAM,EAAE,UAAU,GACjB,OAAO,CAoDT;AAED;;;;GAIG;AACH,wBAAgB,iBAAiB,IAAI,UAAU,CAU9C"}

package/dist/cors.js

@@ -0,0 +1,86 @@
+/**
+ * CORS middleware — configurable origin allowlist.
+ *
+ * Replaces the `Access-Control-Allow-Origin: *` wildcard with
+ * explicit origin checking and proper Vary headers.
+ */
+// ─── Default Config ──────────────────────────────────────────────────
+export function defaultCorsConfig() {
+    return {
+        allowedOrigins: ['*'],
+        allowedMethods: ['GET', 'POST', 'DELETE', 'OPTIONS'],
+        allowedHeaders: ['Content-Type', 'Authorization', 'X-API-Key', 'X-Caller-Id', 'X-Server-Name'],
+        allowCredentials: false,
+        maxAge: 86400, // 24 hours
+    };
+}
+// ─── CORS Application ───────────────────────────────────────────────
+/**
+ * Apply CORS headers to a response.
+ * Returns true if this was a preflight request (caller should end the response).
+ */
+export function applyCors(req, res, config) {
+    const origin = req.headers['origin'];
+    // Determine if origin is allowed
+    let allowedOrigin;
+    if (config.allowedOrigins.includes('*')) {
+        // Wildcard — but if credentials are enabled, must echo specific origin
+        allowedOrigin = config.allowCredentials && origin ? origin : '*';
+    }
+    else if (origin && config.allowedOrigins.includes(origin)) {
+        allowedOrigin = origin;
+    }
+    else if (!origin) {
+        // Same-origin or non-browser request — no CORS header needed
+        allowedOrigin = '';
+    }
+    else {
+        // Origin not allowed — don't set any CORS headers
+        allowedOrigin = '';
+    }
+    if (allowedOrigin) {
+        res.setHeader('Access-Control-Allow-Origin', allowedOrigin);
+        // Vary: Origin — critical for caching when origin-specific
+        if (allowedOrigin !== '*') {
+            res.setHeader('Vary', 'Origin');
+        }
+    }
+    if (config.allowCredentials) {
+        res.setHeader('Access-Control-Allow-Credentials', 'true');
+    }
+    if (config.exposedHeaders?.length) {
+        res.setHeader('Access-Control-Expose-Headers', config.exposedHeaders.join(', '));
+    }
+    // Handle preflight
+    if (req.method === 'OPTIONS') {
+        if (config.allowedMethods?.length) {
+            res.setHeader('Access-Control-Allow-Methods', config.allowedMethods.join(', '));
+        }
+        if (config.allowedHeaders?.length) {
+            res.setHeader('Access-Control-Allow-Headers', config.allowedHeaders.join(', '));
+        }
+        if (config.maxAge !== undefined) {
+            res.setHeader('Access-Control-Max-Age', String(config.maxAge));
+        }
+        res.writeHead(204);
+        res.end();
+        return true;
+    }
+    return false;
+}
+/**
+ * Create a CORS config from environment variable.
+ *
+ * SENTINEL_CORS_ORIGINS=https://example.com,https://app.example.com
+ */
+export function corsConfigFromEnv() {
+    const envOrigins = process.env['SENTINEL_CORS_ORIGINS'];
+    const origins = envOrigins
+        ? envOrigins.split(',').map(o => o.trim()).filter(Boolean)
+        : ['*'];
+    return {
+        ...defaultCorsConfig(),
+        allowedOrigins: origins,
+    };
+}
+//# sourceMappingURL=cors.js.map

package/dist/cors.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"cors.js","sourceRoot":"","sources":["../src/cors.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAqBH,wEAAwE;AAExE,MAAM,UAAU,iBAAiB;IAC/B,OAAO;QACL,cAAc,EAAE,CAAC,GAAG,CAAC;QACrB,cAAc,EAAE,CAAC,KAAK,EAAE,MAAM,EAAE,QAAQ,EAAE,SAAS,CAAC;QACpD,cAAc,EAAE,CAAC,cAAc,EAAE,eAAe,EAAE,WAAW,EAAE,aAAa,EAAE,eAAe,CAAC;QAC9F,gBAAgB,EAAE,KAAK;QACvB,MAAM,EAAE,KAAK,EAAE,WAAW;KAC3B,CAAC;AACJ,CAAC;AAED,uEAAuE;AAEvE;;;GAGG;AACH,MAAM,UAAU,SAAS,CACvB,GAAoB,EACpB,GAAmB,EACnB,MAAkB;IAElB,MAAM,MAAM,GAAG,GAAG,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC;IAErC,iCAAiC;IACjC,IAAI,aAAqB,CAAC;IAC1B,IAAI,MAAM,CAAC,cAAc,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;QACxC,uEAAuE;QACvE,aAAa,GAAG,MAAM,CAAC,gBAAgB,IAAI,MAAM,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,GAAG,CAAC;IACnE,CAAC;SAAM,IAAI,MAAM,IAAI,MAAM,CAAC,cAAc,CAAC,QAAQ,CAAC,MAAM,CAAC,EAAE,CAAC;QAC5D,aAAa,GAAG,MAAM,CAAC;IACzB,CAAC;SAAM,IAAI,CAAC,MAAM,EAAE,CAAC;QACnB,6DAA6D;QAC7D,aAAa,GAAG,EAAE,CAAC;IACrB,CAAC;SAAM,CAAC;QACN,kDAAkD;QAClD,aAAa,GAAG,EAAE,CAAC;IACrB,CAAC;IAED,IAAI,aAAa,EAAE,CAAC;QAClB,GAAG,CAAC,SAAS,CAAC,6BAA6B,EAAE,aAAa,CAAC,CAAC;QAE5D,2DAA2D;QAC3D,IAAI,aAAa,KAAK,GAAG,EAAE,CAAC;YAC1B,GAAG,CAAC,SAAS,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC;QAClC,CAAC;IACH,CAAC;IAED,IAAI,MAAM,CAAC,gBAAgB,EAAE,CAAC;QAC5B,GAAG,CAAC,SAAS,CAAC,kCAAkC,EAAE,MAAM,CAAC,CAAC;IAC5D,CAAC;IAED,IAAI,MAAM,CAAC,cAAc,EAAE,MAAM,EAAE,CAAC;QAClC,GAAG,CAAC,SAAS,CAAC,+BAA+B,EAAE,MAAM,CAAC,cAAc,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC;IACnF,CAAC;IAED,mBAAmB;IACnB,IAAI,GAAG,CAAC,MAAM,KAAK,SAAS,EAAE,CAAC;QAC7B,IAAI,MAAM,CAAC,cAAc,EAAE,MAAM,EAAE,CAAC;YAClC,GAAG,CAAC,SAAS,CAAC,8BAA8B,EAAE,MAAM,CAAC,cAAc,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC;QAClF,CAAC;QACD,IAAI,MAAM,CAAC,cAAc,EAAE,MAAM,EAAE,CAAC;YAClC,GAAG,CAAC,SAAS,CAAC,8BAA8B,EAAE,MAAM,CAAC,cAAc,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC;QAClF,CAAC;QACD,IAAI,MAAM,CAAC,MAAM,KAAK,SAAS,EAAE,CAAC;YAChC,GAAG,CAAC,SAAS,CAAC,wBAAwB,EAAE,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC;QACjE,CAAC;QACD,GAAG,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC;QACnB,GAAG,CAAC,GAAG,EAAE,CAAC;QACV,OAAO,IAAI,CAAC;IACd,CAAC;IAED,OAAO,KAAK,CAAC;AACf,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,iBAAiB;IAC/B,MAAM,UAAU,GAAG,OAAO,CAAC,GAAG,CAAC,uBAAuB,CAAC,CAAC;IACxD,MAAM,OAAO,GAAG,UAAU;QACxB,CAAC,CAAC,UAAU,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC;QAC1D,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC;IAEV,OAAO;QACL,GAAG,iBAAiB,EAAE;QACtB,cAAc,EAAE,OAAO;KACxB,CAAC;AACJ,CAAC"}

package/dist/index.d.ts

@@ -0,0 +1,19 @@
+/**
+ * @sentinel-atl/hardening — Production Hardening Middleware
+ *
+ * Reusable security middleware for all Sentinel HTTP servers:
+ * - API key authentication with scoped access
+ * - CORS with configurable origin allowlist
+ * - TLS/HTTPS support
+ * - Rate limit headers (RFC 6585)
+ * - Persistent nonce replay protection
+ * - Audit log rotation
+ */
+export { authenticate, hasScope, sendUnauthorized, sendForbidden, authConfigFromEnv, type AuthConfig, type AuthScope, type ApiKey, type AuthResult, } from './auth.js';
+export { applyCors, defaultCorsConfig, corsConfigFromEnv, type CorsConfig, } from './cors.js';
+export { createSecureServer, tlsConfigFromEnv, type TlsConfig, } from './tls.js';
+export { RateLimiter, setRateLimitHeaders, sendRateLimited, parseRateLimit, type RateLimitInfo, } from './rate-limit.js';
+export { NonceStore, type NonceStoreConfig, } from './nonce-store.js';
+export { rotateIfNeeded, cleanupRotatedFiles, totalLogSize, type RotationConfig, } from './audit-rotation.js';
+export { applySecurityHeaders, securityHeadersConfigFromEnv, type SecurityHeadersConfig, } from './security-headers.js';
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAEH,OAAO,EACL,YAAY,EACZ,QAAQ,EACR,gBAAgB,EAChB,aAAa,EACb,iBAAiB,EACjB,KAAK,UAAU,EACf,KAAK,SAAS,EACd,KAAK,MAAM,EACX,KAAK,UAAU,GAChB,MAAM,WAAW,CAAC;AAEnB,OAAO,EACL,SAAS,EACT,iBAAiB,EACjB,iBAAiB,EACjB,KAAK,UAAU,GAChB,MAAM,WAAW,CAAC;AAEnB,OAAO,EACL,kBAAkB,EAClB,gBAAgB,EAChB,KAAK,SAAS,GACf,MAAM,UAAU,CAAC;AAElB,OAAO,EACL,WAAW,EACX,mBAAmB,EACnB,eAAe,EACf,cAAc,EACd,KAAK,aAAa,GACnB,MAAM,iBAAiB,CAAC;AAEzB,OAAO,EACL,UAAU,EACV,KAAK,gBAAgB,GACtB,MAAM,kBAAkB,CAAC;AAE1B,OAAO,EACL,cAAc,EACd,mBAAmB,EACnB,YAAY,EACZ,KAAK,cAAc,GACpB,MAAM,qBAAqB,CAAC;AAE7B,OAAO,EACL,oBAAoB,EACpB,4BAA4B,EAC5B,KAAK,qBAAqB,GAC3B,MAAM,uBAAuB,CAAC"}

package/dist/index.js

@@ -0,0 +1,19 @@
+/**
+ * @sentinel-atl/hardening — Production Hardening Middleware
+ *
+ * Reusable security middleware for all Sentinel HTTP servers:
+ * - API key authentication with scoped access
+ * - CORS with configurable origin allowlist
+ * - TLS/HTTPS support
+ * - Rate limit headers (RFC 6585)
+ * - Persistent nonce replay protection
+ * - Audit log rotation
+ */
+export { authenticate, hasScope, sendUnauthorized, sendForbidden, authConfigFromEnv, } from './auth.js';
+export { applyCors, defaultCorsConfig, corsConfigFromEnv, } from './cors.js';
+export { createSecureServer, tlsConfigFromEnv, } from './tls.js';
+export { RateLimiter, setRateLimitHeaders, sendRateLimited, parseRateLimit, } from './rate-limit.js';
+export { NonceStore, } from './nonce-store.js';
+export { rotateIfNeeded, cleanupRotatedFiles, totalLogSize, } from './audit-rotation.js';
+export { applySecurityHeaders, securityHeadersConfigFromEnv, } from './security-headers.js';
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAEH,OAAO,EACL,YAAY,EACZ,QAAQ,EACR,gBAAgB,EAChB,aAAa,EACb,iBAAiB,GAKlB,MAAM,WAAW,CAAC;AAEnB,OAAO,EACL,SAAS,EACT,iBAAiB,EACjB,iBAAiB,GAElB,MAAM,WAAW,CAAC;AAEnB,OAAO,EACL,kBAAkB,EAClB,gBAAgB,GAEjB,MAAM,UAAU,CAAC;AAElB,OAAO,EACL,WAAW,EACX,mBAAmB,EACnB,eAAe,EACf,cAAc,GAEf,MAAM,iBAAiB,CAAC;AAEzB,OAAO,EACL,UAAU,GAEX,MAAM,kBAAkB,CAAC;AAE1B,OAAO,EACL,cAAc,EACd,mBAAmB,EACnB,YAAY,GAEb,MAAM,qBAAqB,CAAC;AAE7B,OAAO,EACL,oBAAoB,EACpB,4BAA4B,GAE7B,MAAM,uBAAuB,CAAC"}