@sentinel-atl/hardening 0.3.0

package/dist/nonce-store.d.ts

@@ -0,0 +1,50 @@
+/**
+ * Persistent nonce store — survives server restarts.
+ *
+ * Wraps the SentinelStore interface to provide a Set-like API for nonce tracking.
+ * Nonces auto-expire based on intent expiry to prevent unbounded growth.
+ */
+import type { SentinelStore } from '@sentinel-atl/store';
+export interface NonceStoreConfig {
+    /** Underlying persistent store */
+    store: SentinelStore;
+    /** Key prefix (default: 'nonce:') */
+    prefix?: string;
+    /** Default TTL in seconds (default: 300 = 5 minutes) */
+    defaultTtl?: number;
+}
+/**
+ * A Set<string>-compatible nonce tracker backed by persistent storage.
+ *
+ * Drop-in replacement for the in-memory Set<string> used in validateIntent().
+ * Nonces are stored with a TTL so they auto-expire and don't grow forever.
+ */
+export declare class NonceStore {
+    private store;
+    private prefix;
+    private defaultTtl;
+    constructor(config: NonceStoreConfig);
+    /** Check if a nonce has been seen. */
+    has(nonce: string): Promise<boolean>;
+    /** Mark a nonce as seen with optional TTL in seconds. */
+    add(nonce: string, ttlSeconds?: number): Promise<void>;
+    /**
+     * Create a Set<string>-compatible adapter for use with validateIntent().
+     *
+     * Returns an object that looks like Set<string> with .has() and .add()
+     * but uses async persistent storage under the hood.
+     *
+     * IMPORTANT: The returned adapter makes .has() and .add() synchronous-looking
+     * by maintaining a local cache that's flushed asynchronously. For strict
+     * distributed replay protection, use the async methods directly.
+     */
+    toSyncAdapter(): Set<string> & {
+        flush(): Promise<void>;
+    };
+    /**
+     * Pre-load nonces from the store into a local Set for synchronous checking.
+     * Useful at startup to restore state from a previous session.
+     */
+    preload(): Promise<Set<string>>;
+}
+//# sourceMappingURL=nonce-store.d.ts.map

package/dist/nonce-store.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"nonce-store.d.ts","sourceRoot":"","sources":["../src/nonce-store.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,qBAAqB,CAAC;AAIzD,MAAM,WAAW,gBAAgB;IAC/B,kCAAkC;IAClC,KAAK,EAAE,aAAa,CAAC;IACrB,qCAAqC;IACrC,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,wDAAwD;IACxD,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB;AAID;;;;;GAKG;AACH,qBAAa,UAAU;IACrB,OAAO,CAAC,KAAK,CAAgB;IAC7B,OAAO,CAAC,MAAM,CAAS;IACvB,OAAO,CAAC,UAAU,CAAS;gBAEf,MAAM,EAAE,gBAAgB;IAMpC,sCAAsC;IAChC,GAAG,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAI1C,yDAAyD;IACnD,GAAG,CAAC,KAAK,EAAE,MAAM,EAAE,UAAU,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAI5D;;;;;;;;;OASG;IACH,aAAa,IAAI,GAAG,CAAC,MAAM,CAAC,GAAG;QAAE,KAAK,IAAI,OAAO,CAAC,IAAI,CAAC,CAAA;KAAE;IAuCzD;;;OAGG;IACG,OAAO,IAAI,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;CAQtC"}

package/dist/nonce-store.js

@@ -0,0 +1,88 @@
+/**
+ * Persistent nonce store — survives server restarts.
+ *
+ * Wraps the SentinelStore interface to provide a Set-like API for nonce tracking.
+ * Nonces auto-expire based on intent expiry to prevent unbounded growth.
+ */
+// ─── Persistent Nonce Set ────────────────────────────────────────────
+/**
+ * A Set<string>-compatible nonce tracker backed by persistent storage.
+ *
+ * Drop-in replacement for the in-memory Set<string> used in validateIntent().
+ * Nonces are stored with a TTL so they auto-expire and don't grow forever.
+ */
+export class NonceStore {
+    store;
+    prefix;
+    defaultTtl;
+    constructor(config) {
+        this.store = config.store;
+        this.prefix = config.prefix ?? 'nonce:';
+        this.defaultTtl = config.defaultTtl ?? 300;
+    }
+    /** Check if a nonce has been seen. */
+    async has(nonce) {
+        return this.store.has(this.prefix + nonce);
+    }
+    /** Mark a nonce as seen with optional TTL in seconds. */
+    async add(nonce, ttlSeconds) {
+        await this.store.set(this.prefix + nonce, '1', ttlSeconds ?? this.defaultTtl);
+    }
+    /**
+     * Create a Set<string>-compatible adapter for use with validateIntent().
+     *
+     * Returns an object that looks like Set<string> with .has() and .add()
+     * but uses async persistent storage under the hood.
+     *
+     * IMPORTANT: The returned adapter makes .has() and .add() synchronous-looking
+     * by maintaining a local cache that's flushed asynchronously. For strict
+     * distributed replay protection, use the async methods directly.
+     */
+    toSyncAdapter() {
+        const self = this;
+        const pendingAdds = [];
+        const localCache = new Set();
+        const adapter = {
+            has(nonce) {
+                return localCache.has(nonce);
+            },
+            add(nonce) {
+                localCache.add(nonce);
+                pendingAdds.push({ nonce });
+                return adapter;
+            },
+            get size() {
+                return localCache.size;
+            },
+            async flush() {
+                for (const { nonce } of pendingAdds) {
+                    await self.add(nonce);
+                }
+                pendingAdds.length = 0;
+            },
+            // Satisfy Set interface minimally
+            delete: (nonce) => localCache.delete(nonce),
+            clear: () => localCache.clear(),
+            forEach: (cb) => localCache.forEach(cb),
+            entries: () => localCache.entries(),
+            keys: () => localCache.keys(),
+            values: () => localCache.values(),
+            [Symbol.iterator]: () => localCache[Symbol.iterator](),
+            [Symbol.toStringTag]: 'NonceStore',
+        };
+        return adapter;
+    }
+    /**
+     * Pre-load nonces from the store into a local Set for synchronous checking.
+     * Useful at startup to restore state from a previous session.
+     */
+    async preload() {
+        const keys = await this.store.keys(this.prefix);
+        const set = new Set();
+        for (const key of keys) {
+            set.add(key.slice(this.prefix.length));
+        }
+        return set;
+    }
+}
+//# sourceMappingURL=nonce-store.js.map

package/dist/nonce-store.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"nonce-store.js","sourceRoot":"","sources":["../src/nonce-store.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAeH,wEAAwE;AAExE;;;;;GAKG;AACH,MAAM,OAAO,UAAU;IACb,KAAK,CAAgB;IACrB,MAAM,CAAS;IACf,UAAU,CAAS;IAE3B,YAAY,MAAwB;QAClC,IAAI,CAAC,KAAK,GAAG,MAAM,CAAC,KAAK,CAAC;QAC1B,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC,MAAM,IAAI,QAAQ,CAAC;QACxC,IAAI,CAAC,UAAU,GAAG,MAAM,CAAC,UAAU,IAAI,GAAG,CAAC;IAC7C,CAAC;IAED,sCAAsC;IACtC,KAAK,CAAC,GAAG,CAAC,KAAa;QACrB,OAAO,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,IAAI,CAAC,MAAM,GAAG,KAAK,CAAC,CAAC;IAC7C,CAAC;IAED,yDAAyD;IACzD,KAAK,CAAC,GAAG,CAAC,KAAa,EAAE,UAAmB;QAC1C,MAAM,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,IAAI,CAAC,MAAM,GAAG,KAAK,EAAE,GAAG,EAAE,UAAU,IAAI,IAAI,CAAC,UAAU,CAAC,CAAC;IAChF,CAAC;IAED;;;;;;;;;OASG;IACH,aAAa;QACX,MAAM,IAAI,GAAG,IAAI,CAAC;QAClB,MAAM,WAAW,GAA2C,EAAE,CAAC;QAC/D,MAAM,UAAU,GAAG,IAAI,GAAG,EAAU,CAAC;QAIrC,MAAM,OAAO,GAAgB;YAC3B,GAAG,CAAC,KAAa;gBACf,OAAO,UAAU,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;YAC/B,CAAC;YACD,GAAG,CAAC,KAAa;gBACf,UAAU,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;gBACtB,WAAW,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,CAAC,CAAC;gBAC5B,OAAO,OAAO,CAAC;YACjB,CAAC;YACD,IAAI,IAAI;gBACN,OAAO,UAAU,CAAC,IAAI,CAAC;YACzB,CAAC;YACD,KAAK,CAAC,KAAK;gBACT,KAAK,MAAM,EAAE,KAAK,EAAE,IAAI,WAAW,EAAE,CAAC;oBACpC,MAAM,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;gBACxB,CAAC;gBACD,WAAW,CAAC,MAAM,GAAG,CAAC,CAAC;YACzB,CAAC;YACD,kCAAkC;YAClC,MAAM,EAAE,CAAC,KAAa,EAAE,EAAE,CAAC,UAAU,CAAC,MAAM,CAAC,KAAK,CAAC;YACnD,KAAK,EAAE,GAAG,EAAE,CAAC,UAAU,CAAC,KAAK,EAAE;YAC/B,OAAO,EAAE,CAAC,EAAmD,EAAE,EAAE,CAAC,UAAU,CAAC,OAAO,CAAC,EAAE,CAAC;YACxF,OAAO,EAAE,GAAG,EAAE,CAAC,UAAU,CAAC,OAAO,EAAE;YACnC,IAAI,EAAE,GAAG,EAAE,CAAC,UAAU,CAAC,IAAI,EAAE;YAC7B,MAAM,EAAE,GAAG,EAAE,CAAC,UAAU,CAAC,MAAM,EAAE;YACjC,CAAC,MAAM,CAAC,QAAQ,CAAC,EAAE,GAAG,EAAE,CAAC,UAAU,CAAC,MAAM,CAAC,QAAQ,CAAC,EAAE;YACtD,CAAC,MAAM,CAAC,WAAW,CAAC,EAAE,YAAY;SACnC,CAAC;QAEF,OAAO,OAAmD,CAAC;IAC7D,CAAC;IAED;;;OAGG;IACH,KAAK,CAAC,OAAO;QACX,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QAChD,MAAM,GAAG,GAAG,IAAI,GAAG,EAAU,CAAC;QAC9B,KAAK,MAAM,GAAG,IAAI,IAAI,EAAE,CAAC;YACvB,GAAG,CAAC,GAAG,CAAC,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC;QACzC,CAAC;QACD,OAAO,GAAG,CAAC;IACb,CAAC;CACF"}

package/dist/rate-limit.d.ts

@@ -0,0 +1,55 @@
+/**
+ * Rate-limit response headers per RFC 6585 / draft-ietf-httpapi-ratelimit-headers.
+ *
+ * Adds standard headers so clients know their quota status:
+ *   RateLimit-Limit:     total requests allowed per window
+ *   RateLimit-Remaining: requests remaining in current window
+ *   RateLimit-Reset:     seconds until window resets
+ *   Retry-After:         seconds to wait (only on 429)
+ */
+import type { ServerResponse } from 'node:http';
+export interface RateLimitInfo {
+    /** Maximum requests per window */
+    limit: number;
+    /** Remaining requests in current window */
+    remaining: number;
+    /** When the window resets (Unix timestamp in seconds) */
+    resetAt: number;
+}
+/**
+ * Set rate limit headers on a response.
+ */
+export declare function setRateLimitHeaders(res: ServerResponse, info: RateLimitInfo): void;
+/**
+ * Send a 429 Too Many Requests response with Retry-After header.
+ */
+export declare function sendRateLimited(res: ServerResponse, info: RateLimitInfo): void;
+/**
+ * Production-grade rate limiter with header support.
+ */
+export declare class RateLimiter {
+    private maxRequests;
+    private windowMs;
+    private windows;
+    constructor(maxRequests: number, windowMs: number);
+    /**
+     * Check if a request is allowed and return rate limit info.
+     */
+    check(key: string): {
+        allowed: boolean;
+        info: RateLimitInfo;
+    };
+    /**
+     * Clean up expired windows to prevent memory leaks.
+     * Call periodically (e.g., every 5 minutes).
+     */
+    cleanup(): number;
+}
+/**
+ * Parse a rate limit spec like "100/min" into limiter parameters.
+ */
+export declare function parseRateLimit(spec: string): {
+    max: number;
+    windowMs: number;
+};
+//# sourceMappingURL=rate-limit.d.ts.map

package/dist/rate-limit.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"rate-limit.d.ts","sourceRoot":"","sources":["../src/rate-limit.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,WAAW,CAAC;AAIhD,MAAM,WAAW,aAAa;IAC5B,kCAAkC;IAClC,KAAK,EAAE,MAAM,CAAC;IACd,2CAA2C;IAC3C,SAAS,EAAE,MAAM,CAAC;IAClB,yDAAyD;IACzD,OAAO,EAAE,MAAM,CAAC;CACjB;AAID;;GAEG;AACH,wBAAgB,mBAAmB,CAAC,GAAG,EAAE,cAAc,EAAE,IAAI,EAAE,aAAa,GAAG,IAAI,CAMlF;AAED;;GAEG;AACH,wBAAgB,eAAe,CAAC,GAAG,EAAE,cAAc,EAAE,IAAI,EAAE,aAAa,GAAG,IAAI,CAc9E;AAID;;GAEG;AACH,qBAAa,WAAW;IAIpB,OAAO,CAAC,WAAW;IACnB,OAAO,CAAC,QAAQ;IAJlB,OAAO,CAAC,OAAO,CAAyD;gBAG9D,WAAW,EAAE,MAAM,EACnB,QAAQ,EAAE,MAAM;IAG1B;;OAEG;IACH,KAAK,CAAC,GAAG,EAAE,MAAM,GAAG;QAAE,OAAO,EAAE,OAAO,CAAC;QAAC,IAAI,EAAE,aAAa,CAAA;KAAE;IAuC7D;;;OAGG;IACH,OAAO,IAAI,MAAM;CAWlB;AAED;;GAEG;AACH,wBAAgB,cAAc,CAAC,IAAI,EAAE,MAAM,GAAG;IAAE,GAAG,EAAE,MAAM,CAAC;IAAC,QAAQ,EAAE,MAAM,CAAA;CAAE,CAU9E"}

package/dist/rate-limit.js

@@ -0,0 +1,116 @@
+/**
+ * Rate-limit response headers per RFC 6585 / draft-ietf-httpapi-ratelimit-headers.
+ *
+ * Adds standard headers so clients know their quota status:
+ *   RateLimit-Limit:     total requests allowed per window
+ *   RateLimit-Remaining: requests remaining in current window
+ *   RateLimit-Reset:     seconds until window resets
+ *   Retry-After:         seconds to wait (only on 429)
+ */
+// ─── Header Application ──────────────────────────────────────────────
+/**
+ * Set rate limit headers on a response.
+ */
+export function setRateLimitHeaders(res, info) {
+    const retryAfter = Math.max(0, Math.ceil(info.resetAt - Date.now() / 1000));
+    res.setHeader('RateLimit-Limit', String(info.limit));
+    res.setHeader('RateLimit-Remaining', String(Math.max(0, info.remaining)));
+    res.setHeader('RateLimit-Reset', String(retryAfter));
+}
+/**
+ * Send a 429 Too Many Requests response with Retry-After header.
+ */
+export function sendRateLimited(res, info) {
+    const retryAfter = Math.max(1, Math.ceil(info.resetAt - Date.now() / 1000));
+    res.writeHead(429, {
+        'Content-Type': 'application/json',
+        'Retry-After': String(retryAfter),
+        'RateLimit-Limit': String(info.limit),
+        'RateLimit-Remaining': '0',
+        'RateLimit-Reset': String(retryAfter),
+    });
+    res.end(JSON.stringify({
+        error: 'Too Many Requests',
+        retryAfter,
+    }));
+}
+// ─── Enhanced Rate Limiter ──────────────────────────────────────────
+/**
+ * Production-grade rate limiter with header support.
+ */
+export class RateLimiter {
+    maxRequests;
+    windowMs;
+    windows = new Map();
+    constructor(maxRequests, windowMs) {
+        this.maxRequests = maxRequests;
+        this.windowMs = windowMs;
+    }
+    /**
+     * Check if a request is allowed and return rate limit info.
+     */
+    check(key) {
+        const now = Date.now();
+        const entry = this.windows.get(key);
+        if (!entry || now >= entry.resetAt) {
+            const resetAt = now + this.windowMs;
+            this.windows.set(key, { count: 1, resetAt });
+            return {
+                allowed: true,
+                info: {
+                    limit: this.maxRequests,
+                    remaining: this.maxRequests - 1,
+                    resetAt: Math.ceil(resetAt / 1000),
+                },
+            };
+        }
+        if (entry.count >= this.maxRequests) {
+            return {
+                allowed: false,
+                info: {
+                    limit: this.maxRequests,
+                    remaining: 0,
+                    resetAt: Math.ceil(entry.resetAt / 1000),
+                },
+            };
+        }
+        entry.count++;
+        return {
+            allowed: true,
+            info: {
+                limit: this.maxRequests,
+                remaining: this.maxRequests - entry.count,
+                resetAt: Math.ceil(entry.resetAt / 1000),
+            },
+        };
+    }
+    /**
+     * Clean up expired windows to prevent memory leaks.
+     * Call periodically (e.g., every 5 minutes).
+     */
+    cleanup() {
+        const now = Date.now();
+        let removed = 0;
+        for (const [key, entry] of this.windows) {
+            if (now >= entry.resetAt) {
+                this.windows.delete(key);
+                removed++;
+            }
+        }
+        return removed;
+    }
+}
+/**
+ * Parse a rate limit spec like "100/min" into limiter parameters.
+ */
+export function parseRateLimit(spec) {
+    const match = spec.match(/^(\d+)\/(min|hour|day)$/);
+    if (!match)
+        return { max: 100, windowMs: 60_000 };
+    const max = parseInt(match[1]);
+    const windowMs = match[2] === 'min' ? 60_000
+        : match[2] === 'hour' ? 3_600_000
+            : 86_400_000;
+    return { max, windowMs };
+}
+//# sourceMappingURL=rate-limit.js.map

package/dist/rate-limit.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"rate-limit.js","sourceRoot":"","sources":["../src/rate-limit.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAeH,wEAAwE;AAExE;;GAEG;AACH,MAAM,UAAU,mBAAmB,CAAC,GAAmB,EAAE,IAAmB;IAC1E,MAAM,UAAU,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC,CAAC;IAE5E,GAAG,CAAC,SAAS,CAAC,iBAAiB,EAAE,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC;IACrD,GAAG,CAAC,SAAS,CAAC,qBAAqB,EAAE,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC;IAC1E,GAAG,CAAC,SAAS,CAAC,iBAAiB,EAAE,MAAM,CAAC,UAAU,CAAC,CAAC,CAAC;AACvD,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,eAAe,CAAC,GAAmB,EAAE,IAAmB;IACtE,MAAM,UAAU,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC,CAAC;IAE5E,GAAG,CAAC,SAAS,CAAC,GAAG,EAAE;QACjB,cAAc,EAAE,kBAAkB;QAClC,aAAa,EAAE,MAAM,CAAC,UAAU,CAAC;QACjC,iBAAiB,EAAE,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC;QACrC,qBAAqB,EAAE,GAAG;QAC1B,iBAAiB,EAAE,MAAM,CAAC,UAAU,CAAC;KACtC,CAAC,CAAC;IACH,GAAG,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC;QACrB,KAAK,EAAE,mBAAmB;QAC1B,UAAU;KACX,CAAC,CAAC,CAAC;AACN,CAAC;AAED,uEAAuE;AAEvE;;GAEG;AACH,MAAM,OAAO,WAAW;IAIZ;IACA;IAJF,OAAO,GAAG,IAAI,GAAG,EAA8C,CAAC;IAExE,YACU,WAAmB,EACnB,QAAgB;QADhB,gBAAW,GAAX,WAAW,CAAQ;QACnB,aAAQ,GAAR,QAAQ,CAAQ;IACvB,CAAC;IAEJ;;OAEG;IACH,KAAK,CAAC,GAAW;QACf,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QACvB,MAAM,KAAK,GAAG,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;QAEpC,IAAI,CAAC,KAAK,IAAI,GAAG,IAAI,KAAK,CAAC,OAAO,EAAE,CAAC;YACnC,MAAM,OAAO,GAAG,GAAG,GAAG,IAAI,CAAC,QAAQ,CAAC;YACpC,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,GAAG,EAAE,EAAE,KAAK,EAAE,CAAC,EAAE,OAAO,EAAE,CAAC,CAAC;YAC7C,OAAO;gBACL,OAAO,EAAE,IAAI;gBACb,IAAI,EAAE;oBACJ,KAAK,EAAE,IAAI,CAAC,WAAW;oBACvB,SAAS,EAAE,IAAI,CAAC,WAAW,GAAG,CAAC;oBAC/B,OAAO,EAAE,IAAI,CAAC,IAAI,CAAC,OAAO,GAAG,IAAI,CAAC;iBACnC;aACF,CAAC;QACJ,CAAC;QAED,IAAI,KAAK,CAAC,KAAK,IAAI,IAAI,CAAC,WAAW,EAAE,CAAC;YACpC,OAAO;gBACL,OAAO,EAAE,KAAK;gBACd,IAAI,EAAE;oBACJ,KAAK,EAAE,IAAI,CAAC,WAAW;oBACvB,SAAS,EAAE,CAAC;oBACZ,OAAO,EAAE,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,OAAO,GAAG,IAAI,CAAC;iBACzC;aACF,CAAC;QACJ,CAAC;QAED,KAAK,CAAC,KAAK,EAAE,CAAC;QACd,OAAO;YACL,OAAO,EAAE,IAAI;YACb,IAAI,EAAE;gBACJ,KAAK,EAAE,IAAI,CAAC,WAAW;gBACvB,SAAS,EAAE,IAAI,CAAC,WAAW,GAAG,KAAK,CAAC,KAAK;gBACzC,OAAO,EAAE,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,OAAO,GAAG,IAAI,CAAC;aACzC;SACF,CAAC;IACJ,CAAC;IAED;;;OAGG;IACH,OAAO;QACL,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QACvB,IAAI,OAAO,GAAG,CAAC,CAAC;QAChB,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,IAAI,CAAC,OAAO,EAAE,CAAC;YACxC,IAAI,GAAG,IAAI,KAAK,CAAC,OAAO,EAAE,CAAC;gBACzB,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;gBACzB,OAAO,EAAE,CAAC;YACZ,CAAC;QACH,CAAC;QACD,OAAO,OAAO,CAAC;IACjB,CAAC;CACF;AAED;;GAEG;AACH,MAAM,UAAU,cAAc,CAAC,IAAY;IACzC,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,yBAAyB,CAAC,CAAC;IACpD,IAAI,CAAC,KAAK;QAAE,OAAO,EAAE,GAAG,EAAE,GAAG,EAAE,QAAQ,EAAE,MAAM,EAAE,CAAC;IAElD,MAAM,GAAG,GAAG,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC;IAC/B,MAAM,QAAQ,GAAG,KAAK,CAAC,CAAC,CAAC,KAAK,KAAK,CAAC,CAAC,CAAC,MAAM;QAC1C,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,KAAK,MAAM,CAAC,CAAC,CAAC,SAAS;YACjC,CAAC,CAAC,UAAU,CAAC;IAEf,OAAO,EAAE,GAAG,EAAE,QAAQ,EAAE,CAAC;AAC3B,CAAC"}

package/dist/security-headers.d.ts

@@ -0,0 +1,36 @@
+/**
+ * Security Response Headers — standard HTTP security headers for all Sentinel servers.
+ *
+ * Sets headers recommended by OWASP:
+ *   X-Content-Type-Options: nosniff
+ *   X-Frame-Options: DENY
+ *   X-XSS-Protection: 0  (modern browsers use CSP instead)
+ *   Content-Security-Policy: default-src 'none'
+ *   Strict-Transport-Security: max-age=31536000; includeSubDomains (when TLS)
+ *   Referrer-Policy: strict-origin-when-cross-origin
+ *   Permissions-Policy: camera=(), microphone=(), geolocation=()
+ */
+import type { ServerResponse } from 'node:http';
+export interface SecurityHeadersConfig {
+    /** Whether to add HSTS header (only makes sense over TLS) */
+    hsts?: boolean;
+    /** HSTS max-age in seconds (default: 31536000 = 1 year) */
+    hstsMaxAge?: number;
+    /** Custom Content-Security-Policy (default: "default-src 'none'") */
+    contentSecurityPolicy?: string;
+    /** Custom Permissions-Policy */
+    permissionsPolicy?: string;
+    /** Whether to add X-Frame-Options (default: true) */
+    frameOptions?: boolean;
+}
+/**
+ * Apply standard security headers to a response.
+ */
+export declare function applySecurityHeaders(res: ServerResponse, config?: SecurityHeadersConfig): void;
+/**
+ * Create a security headers config from environment variables.
+ *
+ * SENTINEL_HSTS=true (enabled when TLS is enabled)
+ */
+export declare function securityHeadersConfigFromEnv(): SecurityHeadersConfig;
+//# sourceMappingURL=security-headers.d.ts.map

package/dist/security-headers.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"security-headers.d.ts","sourceRoot":"","sources":["../src/security-headers.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAEH,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,WAAW,CAAC;AAEhD,MAAM,WAAW,qBAAqB;IACpC,6DAA6D;IAC7D,IAAI,CAAC,EAAE,OAAO,CAAC;IACf,2DAA2D;IAC3D,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,qEAAqE;IACrE,qBAAqB,CAAC,EAAE,MAAM,CAAC;IAC/B,gCAAgC;IAChC,iBAAiB,CAAC,EAAE,MAAM,CAAC;IAC3B,qDAAqD;IACrD,YAAY,CAAC,EAAE,OAAO,CAAC;CACxB;AAED;;GAEG;AACH,wBAAgB,oBAAoB,CAClC,GAAG,EAAE,cAAc,EACnB,MAAM,CAAC,EAAE,qBAAqB,GAC7B,IAAI,CAgCN;AAED;;;;GAIG;AACH,wBAAgB,4BAA4B,IAAI,qBAAqB,CAKpE"}

package/dist/security-headers.js

@@ -0,0 +1,48 @@
+/**
+ * Security Response Headers — standard HTTP security headers for all Sentinel servers.
+ *
+ * Sets headers recommended by OWASP:
+ *   X-Content-Type-Options: nosniff
+ *   X-Frame-Options: DENY
+ *   X-XSS-Protection: 0  (modern browsers use CSP instead)
+ *   Content-Security-Policy: default-src 'none'
+ *   Strict-Transport-Security: max-age=31536000; includeSubDomains (when TLS)
+ *   Referrer-Policy: strict-origin-when-cross-origin
+ *   Permissions-Policy: camera=(), microphone=(), geolocation=()
+ */
+/**
+ * Apply standard security headers to a response.
+ */
+export function applySecurityHeaders(res, config) {
+    // Prevent MIME type sniffing
+    res.setHeader('X-Content-Type-Options', 'nosniff');
+    // Disable legacy XSS filter (CSP is the modern approach)
+    res.setHeader('X-XSS-Protection', '0');
+    // Content Security Policy
+    res.setHeader('Content-Security-Policy', config?.contentSecurityPolicy ?? "default-src 'none'");
+    // Clickjacking protection
+    if (config?.frameOptions !== false) {
+        res.setHeader('X-Frame-Options', 'DENY');
+    }
+    // Referrer policy
+    res.setHeader('Referrer-Policy', 'strict-origin-when-cross-origin');
+    // Permissions policy
+    res.setHeader('Permissions-Policy', config?.permissionsPolicy ?? 'camera=(), microphone=(), geolocation=()');
+    // HSTS (only over TLS)
+    if (config?.hsts) {
+        const maxAge = config.hstsMaxAge ?? 31_536_000;
+        res.setHeader('Strict-Transport-Security', `max-age=${maxAge}; includeSubDomains`);
+    }
+}
+/**
+ * Create a security headers config from environment variables.
+ *
+ * SENTINEL_HSTS=true (enabled when TLS is enabled)
+ */
+export function securityHeadersConfigFromEnv() {
+    return {
+        hsts: process.env['SENTINEL_HSTS'] === 'true' ||
+            !!process.env['SENTINEL_TLS_CERT'],
+    };
+}
+//# sourceMappingURL=security-headers.js.map

package/dist/security-headers.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"security-headers.js","sourceRoot":"","sources":["../src/security-headers.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAiBH;;GAEG;AACH,MAAM,UAAU,oBAAoB,CAClC,GAAmB,EACnB,MAA8B;IAE9B,6BAA6B;IAC7B,GAAG,CAAC,SAAS,CAAC,wBAAwB,EAAE,SAAS,CAAC,CAAC;IAEnD,yDAAyD;IACzD,GAAG,CAAC,SAAS,CAAC,kBAAkB,EAAE,GAAG,CAAC,CAAC;IAEvC,0BAA0B;IAC1B,GAAG,CAAC,SAAS,CACX,yBAAyB,EACzB,MAAM,EAAE,qBAAqB,IAAI,oBAAoB,CACtD,CAAC;IAEF,0BAA0B;IAC1B,IAAI,MAAM,EAAE,YAAY,KAAK,KAAK,EAAE,CAAC;QACnC,GAAG,CAAC,SAAS,CAAC,iBAAiB,EAAE,MAAM,CAAC,CAAC;IAC3C,CAAC;IAED,kBAAkB;IAClB,GAAG,CAAC,SAAS,CAAC,iBAAiB,EAAE,iCAAiC,CAAC,CAAC;IAEpE,qBAAqB;IACrB,GAAG,CAAC,SAAS,CACX,oBAAoB,EACpB,MAAM,EAAE,iBAAiB,IAAI,0CAA0C,CACxE,CAAC;IAEF,uBAAuB;IACvB,IAAI,MAAM,EAAE,IAAI,EAAE,CAAC;QACjB,MAAM,MAAM,GAAG,MAAM,CAAC,UAAU,IAAI,UAAU,CAAC;QAC/C,GAAG,CAAC,SAAS,CAAC,2BAA2B,EAAE,WAAW,MAAM,qBAAqB,CAAC,CAAC;IACrF,CAAC;AACH,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,4BAA4B;IAC1C,OAAO;QACL,IAAI,EAAE,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC,KAAK,MAAM;YACvC,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC,mBAAmB,CAAC;KACzC,CAAC;AACJ,CAAC"}

package/dist/tls.d.ts

@@ -0,0 +1,33 @@
+/**
+ * TLS support — wraps HTTP servers with HTTPS using Node.js native TLS.
+ *
+ * Reads cert/key from files or environment variables:
+ *   SENTINEL_TLS_CERT — path to PEM certificate
+ *   SENTINEL_TLS_KEY  — path to PEM private key
+ */
+import { type Server as HttpsServer } from 'node:https';
+import { type Server as HttpServer, type RequestListener } from 'node:http';
+export interface TlsConfig {
+    /** Whether TLS is enabled */
+    enabled: boolean;
+    /** Path to PEM certificate file */
+    certPath?: string;
+    /** Path to PEM private key file */
+    keyPath?: string;
+    /** PEM certificate string (alternative to certPath) */
+    cert?: string;
+    /** PEM private key string (alternative to keyPath) */
+    key?: string;
+}
+/**
+ * Create an HTTP or HTTPS server based on TLS configuration.
+ */
+export declare function createSecureServer(handler: RequestListener, tls?: TlsConfig): HttpServer | HttpsServer;
+/**
+ * Create TLS config from environment variables.
+ *
+ * SENTINEL_TLS_CERT=./certs/server.crt
+ * SENTINEL_TLS_KEY=./certs/server.key
+ */
+export declare function tlsConfigFromEnv(): TlsConfig;
+//# sourceMappingURL=tls.d.ts.map

package/dist/tls.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"tls.d.ts","sourceRoot":"","sources":["../src/tls.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,EAAqC,KAAK,MAAM,IAAI,WAAW,EAAE,MAAM,YAAY,CAAC;AAC3F,OAAO,EAAoC,KAAK,MAAM,IAAI,UAAU,EAAE,KAAK,eAAe,EAAE,MAAM,WAAW,CAAC;AAK9G,MAAM,WAAW,SAAS;IACxB,6BAA6B;IAC7B,OAAO,EAAE,OAAO,CAAC;IACjB,mCAAmC;IACnC,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,mCAAmC;IACnC,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,uDAAuD;IACvD,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,sDAAsD;IACtD,GAAG,CAAC,EAAE,MAAM,CAAC;CACd;AAID;;GAEG;AACH,wBAAgB,kBAAkB,CAChC,OAAO,EAAE,eAAe,EACxB,GAAG,CAAC,EAAE,SAAS,GACd,UAAU,GAAG,WAAW,CAa1B;AAED;;;;;GAKG;AACH,wBAAgB,gBAAgB,IAAI,SAAS,CAS5C"}

package/dist/tls.js

@@ -0,0 +1,41 @@
+/**
+ * TLS support — wraps HTTP servers with HTTPS using Node.js native TLS.
+ *
+ * Reads cert/key from files or environment variables:
+ *   SENTINEL_TLS_CERT — path to PEM certificate
+ *   SENTINEL_TLS_KEY  — path to PEM private key
+ */
+import { createServer as createHttpsServer } from 'node:https';
+import { createServer as createHttpServer } from 'node:http';
+import { readFileSync } from 'node:fs';
+// ─── Factory ──────────────────────────────────────────────────────────
+/**
+ * Create an HTTP or HTTPS server based on TLS configuration.
+ */
+export function createSecureServer(handler, tls) {
+    if (!tls?.enabled) {
+        return createHttpServer(handler);
+    }
+    const cert = tls.cert ?? (tls.certPath ? readFileSync(tls.certPath, 'utf-8') : undefined);
+    const key = tls.key ?? (tls.keyPath ? readFileSync(tls.keyPath, 'utf-8') : undefined);
+    if (!cert || !key) {
+        throw new Error('TLS enabled but no certificate/key provided. Set certPath/keyPath or cert/key.');
+    }
+    return createHttpsServer({ cert, key }, handler);
+}
+/**
+ * Create TLS config from environment variables.
+ *
+ * SENTINEL_TLS_CERT=./certs/server.crt
+ * SENTINEL_TLS_KEY=./certs/server.key
+ */
+export function tlsConfigFromEnv() {
+    const certPath = process.env['SENTINEL_TLS_CERT'];
+    const keyPath = process.env['SENTINEL_TLS_KEY'];
+    return {
+        enabled: !!(certPath && keyPath),
+        certPath,
+        keyPath,
+    };
+}
+//# sourceMappingURL=tls.js.map

package/dist/tls.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"tls.js","sourceRoot":"","sources":["../src/tls.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,EAAE,YAAY,IAAI,iBAAiB,EAA8B,MAAM,YAAY,CAAC;AAC3F,OAAO,EAAE,YAAY,IAAI,gBAAgB,EAAmD,MAAM,WAAW,CAAC;AAC9G,OAAO,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AAiBvC,yEAAyE;AAEzE;;GAEG;AACH,MAAM,UAAU,kBAAkB,CAChC,OAAwB,EACxB,GAAe;IAEf,IAAI,CAAC,GAAG,EAAE,OAAO,EAAE,CAAC;QAClB,OAAO,gBAAgB,CAAC,OAAO,CAAC,CAAC;IACnC,CAAC;IAED,MAAM,IAAI,GAAG,GAAG,CAAC,IAAI,IAAI,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC,CAAC,YAAY,CAAC,GAAG,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC;IAC1F,MAAM,GAAG,GAAG,GAAG,CAAC,GAAG,IAAI,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC;IAEtF,IAAI,CAAC,IAAI,IAAI,CAAC,GAAG,EAAE,CAAC;QAClB,MAAM,IAAI,KAAK,CAAC,gFAAgF,CAAC,CAAC;IACpG,CAAC;IAED,OAAO,iBAAiB,CAAC,EAAE,IAAI,EAAE,GAAG,EAAE,EAAE,OAAO,CAAC,CAAC;AACnD,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,gBAAgB;IAC9B,MAAM,QAAQ,GAAG,OAAO,CAAC,GAAG,CAAC,mBAAmB,CAAC,CAAC;IAClD,MAAM,OAAO,GAAG,OAAO,CAAC,GAAG,CAAC,kBAAkB,CAAC,CAAC;IAEhD,OAAO;QACL,OAAO,EAAE,CAAC,CAAC,CAAC,QAAQ,IAAI,OAAO,CAAC;QAChC,QAAQ;QACR,OAAO;KACR,CAAC;AACJ,CAAC"}

package/package.json

@@ -0,0 +1,43 @@
+{
+  "name": "@sentinel-atl/hardening",
+  "version": "0.3.0",
+  "description": "Production hardening middleware — API key auth, CORS, TLS, rate-limit headers, nonce persistence, audit rotation",
+  "type": "module",
+  "main": "dist/index.js",
+  "types": "dist/index.d.ts",
+  "exports": {
+    ".": {
+      "types": "./dist/index.d.ts",
+      "import": "./dist/index.js"
+    }
+  },
+  "scripts": {
+    "build": "tsc",
+    "test": "vitest run",
+    "lint": "tsc --noEmit",
+    "clean": "rm -rf dist"
+  },
+  "dependencies": {
+    "@sentinel-atl/store": "*"
+  },
+  "devDependencies": {
+    "vitest": "^3.2.4",
+    "typescript": "^5.7.0",
+    "@types/node": "^20.0.0"
+  },
+  "license": "Apache-2.0",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/sentinel-atl/project-sentinel.git",
+    "directory": "packages/hardening"
+  },
+  "keywords": [
+    "sentinel",
+    "security",
+    "hardening",
+    "auth",
+    "cors",
+    "tls",
+    "production"
+  ]
+}