npm - @sigil-security/runtime - Versions diffs - 0.0.0 - Mend

@sigil-security/runtime 0.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (48) hide show

package/LICENSE +201 -0
package/dist/adapters/elysia.cjs +307 -0
package/dist/adapters/elysia.cjs.map +1 -0
package/dist/adapters/elysia.d.cts +41 -0
package/dist/adapters/elysia.d.ts +41 -0
package/dist/adapters/elysia.js +98 -0
package/dist/adapters/elysia.js.map +1 -0
package/dist/adapters/express.cjs +286 -0
package/dist/adapters/express.cjs.map +1 -0
package/dist/adapters/express.d.cts +59 -0
package/dist/adapters/express.d.ts +59 -0
package/dist/adapters/express.js +77 -0
package/dist/adapters/express.js.map +1 -0
package/dist/adapters/fastify.cjs +308 -0
package/dist/adapters/fastify.cjs.map +1 -0
package/dist/adapters/fastify.d.cts +54 -0
package/dist/adapters/fastify.d.ts +54 -0
package/dist/adapters/fastify.js +99 -0
package/dist/adapters/fastify.js.map +1 -0
package/dist/adapters/fetch.cjs +359 -0
package/dist/adapters/fetch.cjs.map +1 -0
package/dist/adapters/fetch.d.cts +46 -0
package/dist/adapters/fetch.d.ts +46 -0
package/dist/adapters/fetch.js +149 -0
package/dist/adapters/fetch.js.map +1 -0
package/dist/adapters/hono.cjs +300 -0
package/dist/adapters/hono.cjs.map +1 -0
package/dist/adapters/hono.d.cts +41 -0
package/dist/adapters/hono.d.ts +41 -0
package/dist/adapters/hono.js +91 -0
package/dist/adapters/hono.js.map +1 -0
package/dist/adapters/oak.cjs +318 -0
package/dist/adapters/oak.cjs.map +1 -0
package/dist/adapters/oak.d.cts +48 -0
package/dist/adapters/oak.d.ts +48 -0
package/dist/adapters/oak.js +109 -0
package/dist/adapters/oak.js.map +1 -0
package/dist/chunk-JPT5I5W5.js +225 -0
package/dist/chunk-JPT5I5W5.js.map +1 -0
package/dist/index.cjs +486 -0
package/dist/index.cjs.map +1 -0
package/dist/index.d.cts +201 -0
package/dist/index.d.ts +201 -0
package/dist/index.js +284 -0
package/dist/index.js.map +1 -0
package/dist/types-DySgT8rA.d.cts +184 -0
package/dist/types-DySgT8rA.d.ts +184 -0
package/package.json +141 -0

package/dist/adapters/express.js ADDED Viewed

@@ -0,0 +1,77 @@
+import {
+  DEFAULT_ONESHOT_ENDPOINT_PATH,
+  DEFAULT_TOKEN_ENDPOINT_PATH,
+  createErrorResponse,
+  extractRequestMetadata,
+  handleTokenEndpoint,
+  normalizePath,
+  normalizePathSet,
+  parseContentType,
+  resolveTokenSource
+} from "../chunk-JPT5I5W5.js";
+// src/adapters/express.ts
+function createExpressHeaderGetter(headers) {
+  return (name) => {
+    const value = headers[name.toLowerCase()];
+    if (typeof value === "string") return value;
+    if (Array.isArray(value)) return value[0] ?? null;
+    return null;
+  };
+}
+function createExpressMiddleware(sigil, options) {
+  const excludePaths = normalizePathSet(options?.excludePaths ?? []);
+  const tokenEndpointPath = normalizePath(options?.tokenEndpointPath ?? DEFAULT_TOKEN_ENDPOINT_PATH);
+  const oneShotEndpointPath = normalizePath(options?.oneShotEndpointPath ?? DEFAULT_ONESHOT_ENDPOINT_PATH);
+  return (req, res, next) => {
+    if (excludePaths.has(normalizePath(req.path))) {
+      next();
+      return;
+    }
+    handleRequest(sigil, req, res, next, tokenEndpointPath, oneShotEndpointPath).catch(next);
+  };
+}
+async function handleRequest(sigil, req, res, next, tokenEndpointPath, oneShotEndpointPath) {
+  const reqPath = normalizePath(req.path);
+  const getHeaderForToken = createExpressHeaderGetter(req.headers);
+  const csrfTokenValue = getHeaderForToken(sigil.config.headerName);
+  const tokenResult = await handleTokenEndpoint(
+    sigil,
+    req.method,
+    reqPath,
+    req.body,
+    tokenEndpointPath,
+    oneShotEndpointPath,
+    csrfTokenValue
+  );
+  if (tokenResult !== null) {
+    for (const [key, value] of Object.entries(tokenResult.headers)) {
+      res.setHeader(key, value);
+    }
+    res.status(tokenResult.status).json(tokenResult.body);
+    return;
+  }
+  const getHeader = createExpressHeaderGetter(req.headers);
+  const contentType = parseContentType(getHeader("content-type"));
+  const tokenSource = resolveTokenSource(
+    getHeader,
+    req.body,
+    contentType,
+    sigil.config.headerName
+  );
+  const metadata = extractRequestMetadata(req.method, getHeader, tokenSource);
+  const result = await sigil.protect(metadata);
+  if (!result.allowed) {
+    const errorResponse = createErrorResponse(result.expired);
+    for (const [key, value] of Object.entries(errorResponse.headers)) {
+      res.setHeader(key, value);
+    }
+    res.status(errorResponse.status).json(errorResponse.body);
+    return;
+  }
+  next();
+}
+export {
+  createExpressMiddleware
+};
+//# sourceMappingURL=express.js.map

package/dist/adapters/express.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"sources":["../../src/adapters/express.ts"],"sourcesContent":["// @sigil-security/runtime — Express middleware adapter\n// Reference: SPECIFICATION.md §3\n\nimport type { SigilInstance, MiddlewareOptions, ProtectResult } from '../types.js'\nimport { DEFAULT_TOKEN_ENDPOINT_PATH, DEFAULT_ONESHOT_ENDPOINT_PATH } from '../types.js'\nimport { extractRequestMetadata, resolveTokenSource, parseContentType, normalizePath, normalizePathSet } from '../extract-metadata.js'\nimport type { HeaderGetter } from '../extract-metadata.js'\nimport { createErrorResponse } from '../error-response.js'\nimport { handleTokenEndpoint } from '../token-endpoint.js'\n\n// ============================================================\n// Minimal Express-Compatible Types\n// ============================================================\n\n/**\n * Minimal Express-compatible request interface.\n * Structurally compatible with `express.Request`.\n */\nexport interface ExpressLikeRequest {\n readonly method: string\n readonly path: string\n readonly headers: Readonly<Record<string, string | string[] | undefined>>\n body?: Record<string, unknown> | undefined\n}\n\n/**\n * Minimal Express-compatible response interface.\n * Structurally compatible with `express.Response`.\n */\nexport interface ExpressLikeResponse {\n status(code: number): ExpressLikeResponse\n json(body: unknown): ExpressLikeResponse\n setHeader(name: string, value: string): ExpressLikeResponse\n readonly headersSent: boolean\n}\n\n/** Express-compatible next function */\nexport type ExpressNextFunction = (err?: unknown) => void\n\n/** Express middleware signature */\nexport type ExpressMiddleware = (\n req: ExpressLikeRequest,\n res: ExpressLikeResponse,\n next: ExpressNextFunction,\n) => void\n\n// ============================================================\n// Header Getter for Express\n// ============================================================\n\nfunction createExpressHeaderGetter(\n headers: Readonly<Record<string, string | string[] | undefined>>,\n): HeaderGetter {\n return (name: string): string | null => {\n const value = headers[name.toLowerCase()]\n if (typeof value === 'string') return value\n if (Array.isArray(value)) return value[0] ?? null\n return null\n }\n}\n\n// ============================================================\n// Express Middleware Factory\n// ============================================================\n\n/**\n * Creates Express middleware for Sigil CSRF protection.\n *\n * This middleware:\n * 1. Handles token generation endpoints (GET /api/csrf/token, POST /api/csrf/one-shot)\n * 2. Validates CSRF tokens on protected methods (POST, PUT, PATCH, DELETE)\n * 3. Passes through safe methods (GET, HEAD, OPTIONS) without validation\n * 4. Returns uniform 403 responses on validation failure\n *\n * @param sigil - Initialized SigilInstance\n * @param options - Middleware configuration options\n * @returns Express middleware function\n *\n * @example\n * ```typescript\n * import express from 'express'\n * import { createSigil } from '@sigil-security/runtime'\n * import { createExpressMiddleware } from '@sigil-security/runtime/express'\n *\n * const sigil = await createSigil({\n * masterSecret: process.env.CSRF_SECRET!,\n * allowedOrigins: ['https://example.com'],\n * })\n *\n * const app = express()\n * app.use(createExpressMiddleware(sigil))\n * ```\n */\nexport function createExpressMiddleware(\n sigil: SigilInstance,\n options?: MiddlewareOptions,\n): ExpressMiddleware {\n const excludePaths = normalizePathSet(options?.excludePaths ?? [])\n const tokenEndpointPath = normalizePath(options?.tokenEndpointPath ?? DEFAULT_TOKEN_ENDPOINT_PATH)\n const oneShotEndpointPath = normalizePath(options?.oneShotEndpointPath ?? DEFAULT_ONESHOT_ENDPOINT_PATH)\n\n // Express middleware must NOT be async — errors are caught and forwarded to next()\n return (req, res, next) => {\n // Skip excluded paths (normalized comparison)\n if (excludePaths.has(normalizePath(req.path))) {\n next()\n return\n }\n\n // Handle async operations with proper error forwarding\n handleRequest(sigil, req, res, next, tokenEndpointPath, oneShotEndpointPath).catch(next)\n }\n}\n\n/**\n * Internal async handler for Express requests.\n */\nasync function handleRequest(\n sigil: SigilInstance,\n req: ExpressLikeRequest,\n res: ExpressLikeResponse,\n next: ExpressNextFunction,\n tokenEndpointPath: string,\n oneShotEndpointPath: string,\n): Promise<void> {\n // Step 1: Check if this is a token endpoint request\n const reqPath = normalizePath(req.path)\n const getHeaderForToken = createExpressHeaderGetter(req.headers)\n const csrfTokenValue = getHeaderForToken(sigil.config.headerName)\n\n const tokenResult = await handleTokenEndpoint(\n sigil,\n req.method,\n reqPath,\n req.body,\n tokenEndpointPath,\n oneShotEndpointPath,\n csrfTokenValue,\n )\n\n if (tokenResult !== null) {\n for (const [key, value] of Object.entries(tokenResult.headers)) {\n res.setHeader(key, value)\n }\n res.status(tokenResult.status).json(tokenResult.body)\n return\n }\n\n // Step 2: Extract metadata for protection\n const getHeader = createExpressHeaderGetter(req.headers)\n const contentType = parseContentType(getHeader('content-type'))\n\n const tokenSource = resolveTokenSource(\n getHeader,\n req.body,\n contentType,\n sigil.config.headerName,\n )\n\n const metadata = extractRequestMetadata(req.method, getHeader, tokenSource)\n\n // Step 3: Run protection\n const result: ProtectResult = await sigil.protect(metadata)\n\n if (!result.allowed) {\n const errorResponse = createErrorResponse(result.expired)\n for (const [key, value] of Object.entries(errorResponse.headers)) {\n res.setHeader(key, value)\n }\n res.status(errorResponse.status).json(errorResponse.body)\n return\n }\n\n // Step 4: Request allowed — continue\n next()\n}\n"],"mappings":";;;;;;;;;;;;;AAkDA,SAAS,0BACP,SACc;AACd,SAAO,CAAC,SAAgC;AACtC,UAAM,QAAQ,QAAQ,KAAK,YAAY,CAAC;AACxC,QAAI,OAAO,UAAU,SAAU,QAAO;AACtC,QAAI,MAAM,QAAQ,KAAK,EAAG,QAAO,MAAM,CAAC,KAAK;AAC7C,WAAO;AAAA,EACT;AACF;AAkCO,SAAS,wBACd,OACA,SACmB;AACnB,QAAM,eAAe,iBAAiB,SAAS,gBAAgB,CAAC,CAAC;AACjE,QAAM,oBAAoB,cAAc,SAAS,qBAAqB,2BAA2B;AACjG,QAAM,sBAAsB,cAAc,SAAS,uBAAuB,6BAA6B;AAGvG,SAAO,CAAC,KAAK,KAAK,SAAS;AAEzB,QAAI,aAAa,IAAI,cAAc,IAAI,IAAI,CAAC,GAAG;AAC7C,WAAK;AACL;AAAA,IACF;AAGA,kBAAc,OAAO,KAAK,KAAK,MAAM,mBAAmB,mBAAmB,EAAE,MAAM,IAAI;AAAA,EACzF;AACF;AAKA,eAAe,cACb,OACA,KACA,KACA,MACA,mBACA,qBACe;AAEf,QAAM,UAAU,cAAc,IAAI,IAAI;AACtC,QAAM,oBAAoB,0BAA0B,IAAI,OAAO;AAC/D,QAAM,iBAAiB,kBAAkB,MAAM,OAAO,UAAU;AAEhE,QAAM,cAAc,MAAM;AAAA,IACxB;AAAA,IACA,IAAI;AAAA,IACJ;AAAA,IACA,IAAI;AAAA,IACJ;AAAA,IACA;AAAA,IACA;AAAA,EACF;AAEA,MAAI,gBAAgB,MAAM;AACxB,eAAW,CAAC,KAAK,KAAK,KAAK,OAAO,QAAQ,YAAY,OAAO,GAAG;AAC9D,UAAI,UAAU,KAAK,KAAK;AAAA,IAC1B;AACA,QAAI,OAAO,YAAY,MAAM,EAAE,KAAK,YAAY,IAAI;AACpD;AAAA,EACF;AAGA,QAAM,YAAY,0BAA0B,IAAI,OAAO;AACvD,QAAM,cAAc,iBAAiB,UAAU,cAAc,CAAC;AAE9D,QAAM,cAAc;AAAA,IAClB;AAAA,IACA,IAAI;AAAA,IACJ;AAAA,IACA,MAAM,OAAO;AAAA,EACf;AAEA,QAAM,WAAW,uBAAuB,IAAI,QAAQ,WAAW,WAAW;AAG1E,QAAM,SAAwB,MAAM,MAAM,QAAQ,QAAQ;AAE1D,MAAI,CAAC,OAAO,SAAS;AACnB,UAAM,gBAAgB,oBAAoB,OAAO,OAAO;AACxD,eAAW,CAAC,KAAK,KAAK,KAAK,OAAO,QAAQ,cAAc,OAAO,GAAG;AAChE,UAAI,UAAU,KAAK,KAAK;AAAA,IAC1B;AACA,QAAI,OAAO,cAAc,MAAM,EAAE,KAAK,cAAc,IAAI;AACxD;AAAA,EACF;AAGA,OAAK;AACP;","names":[]}

package/dist/adapters/fastify.cjs ADDED Viewed

@@ -0,0 +1,308 @@
+"use strict";
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+// src/adapters/fastify.ts
+var fastify_exports = {};
+__export(fastify_exports, {
+  createFastifyPlugin: () => createFastifyPlugin
+});
+module.exports = __toCommonJS(fastify_exports);
+// src/types.ts
+var DEFAULT_TOKEN_ENDPOINT_PATH = "/api/csrf/token";
+var DEFAULT_ONESHOT_ENDPOINT_PATH = "/api/csrf/one-shot";
+// src/extract-metadata.ts
+var import_policy = require("@sigil-security/policy");
+function normalizePath(path) {
+  if (path.length === 0 || path === "/") return "/";
+  let end = path.length;
+  while (end > 0 && path.charCodeAt(end - 1) === 47) end--;
+  if (end === path.length) return path;
+  if (end === 0) return "/";
+  return path.slice(0, end);
+}
+function normalizePathSet(paths) {
+  return new Set(paths.map(normalizePath));
+}
+function extractRequestMetadata(method, getHeader, tokenSource) {
+  return {
+    method: method.toUpperCase(),
+    origin: getHeader("origin"),
+    referer: getHeader("referer"),
+    secFetchSite: getHeader("sec-fetch-site"),
+    secFetchMode: getHeader("sec-fetch-mode"),
+    secFetchDest: getHeader("sec-fetch-dest"),
+    contentType: parseContentType(getHeader("content-type")),
+    tokenSource,
+    clientType: getHeader("x-client-type") ?? void 0
+  };
+}
+function parseContentType(contentType) {
+  if (contentType === null) return null;
+  const semicolonIdx = contentType.indexOf(";");
+  const mimeType = semicolonIdx >= 0 ? contentType.substring(0, semicolonIdx) : contentType;
+  return mimeType.trim().toLowerCase();
+}
+function extractTokenFromHeader(getHeader, headerName = import_policy.DEFAULT_HEADER_NAME) {
+  const value = getHeader(headerName);
+  if (value !== null && value !== "") {
+    return { from: "header", value };
+  }
+  return { from: "none" };
+}
+function extractTokenFromJsonBody(body, fieldName = import_policy.DEFAULT_JSON_FIELD_NAME) {
+  if (body !== null && body !== void 0 && typeof body === "object") {
+    const value = body[fieldName];
+    if (typeof value === "string" && value !== "") {
+      return { from: "body-json", value };
+    }
+  }
+  return null;
+}
+function extractTokenFromFormBody(body, fieldName = import_policy.DEFAULT_FORM_FIELD_NAME) {
+  if (body !== null && body !== void 0 && typeof body === "object") {
+    const value = body[fieldName];
+    if (typeof value === "string" && value !== "") {
+      return { from: "body-form", value };
+    }
+  }
+  return null;
+}
+function resolveTokenSource(getHeader, body, contentType, headerName, jsonFieldName, formFieldName) {
+  const headerToken = extractTokenFromHeader(getHeader, headerName);
+  if (headerToken.from !== "none") return headerToken;
+  if (contentType !== null && contentType.includes("application/json")) {
+    const jsonToken = extractTokenFromJsonBody(body, jsonFieldName);
+    if (jsonToken !== null) return jsonToken;
+  }
+  if (contentType !== null && (contentType.includes("application/x-www-form-urlencoded") || contentType.includes("multipart/form-data"))) {
+    const formToken = extractTokenFromFormBody(body, formFieldName);
+    if (formToken !== null) return formToken;
+  }
+  return { from: "none" };
+}
+// src/error-response.ts
+var CSRF_FAILURE_MESSAGE = "CSRF validation failed";
+var EXPIRED_HEADER_NAME = "X-CSRF-Token-Expired";
+function createErrorResponse(expired) {
+  const headers = {};
+  if (expired) {
+    headers[EXPIRED_HEADER_NAME] = "true";
+  }
+  return {
+    status: 403,
+    body: { error: CSRF_FAILURE_MESSAGE },
+    headers
+  };
+}
+function createTokenResponse(token, expiresAt) {
+  return {
+    status: 200,
+    body: { token, expiresAt }
+  };
+}
+function createOneShotTokenResponse(token, expiresAt, action) {
+  return {
+    status: 200,
+    body: { token, expiresAt, action }
+  };
+}
+// src/token-endpoint.ts
+async function handleTokenEndpoint(sigil, method, path, body, tokenEndpointPath, oneShotEndpointPath, csrfTokenValue) {
+  const upperMethod = method.toUpperCase();
+  if (path === tokenEndpointPath && upperMethod === "GET") {
+    return handleRegularTokenGeneration(sigil);
+  }
+  if (sigil.config.oneShotEnabled && path === oneShotEndpointPath && upperMethod === "POST") {
+    if (csrfTokenValue === void 0 || csrfTokenValue === null || csrfTokenValue === "") {
+      const errorResponse = createErrorResponse(false);
+      return {
+        handled: true,
+        status: errorResponse.status,
+        body: errorResponse.body,
+        headers: errorResponse.headers
+      };
+    }
+    const csrfResult = await sigil.validateToken(csrfTokenValue);
+    if (!csrfResult.valid) {
+      const errorResponse = createErrorResponse(false);
+      return {
+        handled: true,
+        status: errorResponse.status,
+        body: errorResponse.body,
+        headers: errorResponse.headers
+      };
+    }
+    return handleOneShotTokenGeneration(sigil, body);
+  }
+  return null;
+}
+async function handleRegularTokenGeneration(sigil) {
+  const result = await sigil.generateToken();
+  if (!result.success) {
+    return {
+      handled: true,
+      status: 500,
+      body: { error: "Token generation failed" },
+      headers: {}
+    };
+  }
+  const response = createTokenResponse(result.token, result.expiresAt);
+  return {
+    handled: true,
+    status: response.status,
+    body: response.body,
+    headers: {}
+  };
+}
+async function handleOneShotTokenGeneration(sigil, body) {
+  if (body === null || body === void 0 || typeof body !== "object") {
+    return {
+      handled: true,
+      status: 400,
+      body: { error: "Request body required" },
+      headers: {}
+    };
+  }
+  const action = body["action"];
+  if (typeof action !== "string" || action === "") {
+    return {
+      handled: true,
+      status: 400,
+      body: { error: "Missing or invalid action parameter" },
+      headers: {}
+    };
+  }
+  let context;
+  const rawContext = body["context"];
+  if (Array.isArray(rawContext)) {
+    const isAllStrings = rawContext.every((item) => typeof item === "string");
+    if (isAllStrings) {
+      context = rawContext;
+    }
+  }
+  const result = await sigil.generateOneShotToken(action, context);
+  if (!result.success) {
+    return {
+      handled: true,
+      status: 500,
+      body: { error: "One-shot token generation failed" },
+      headers: {}
+    };
+  }
+  const response = createOneShotTokenResponse(result.token, result.expiresAt, action);
+  return {
+    handled: true,
+    status: response.status,
+    body: response.body,
+    headers: {}
+  };
+}
+// src/adapters/fastify.ts
+function createFastifyHeaderGetter(headers) {
+  return (name) => {
+    const value = headers[name.toLowerCase()];
+    if (typeof value === "string") return value;
+    if (Array.isArray(value)) return value[0] ?? null;
+    return null;
+  };
+}
+function extractPath(url) {
+  const qIndex = url.indexOf("?");
+  return qIndex >= 0 ? url.slice(0, qIndex) : url;
+}
+function createFastifyPlugin(sigil, options) {
+  const excludePaths = normalizePathSet(options?.excludePaths ?? []);
+  const tokenEndpointPath = normalizePath(options?.tokenEndpointPath ?? DEFAULT_TOKEN_ENDPOINT_PATH);
+  const oneShotEndpointPath = normalizePath(options?.oneShotEndpointPath ?? DEFAULT_ONESHOT_ENDPOINT_PATH);
+  return (fastify, _opts, done) => {
+    fastify.get(tokenEndpointPath, async (request, reply) => {
+      const result = await handleTokenEndpoint(
+        sigil,
+        request.method,
+        tokenEndpointPath,
+        void 0,
+        tokenEndpointPath,
+        oneShotEndpointPath
+      );
+      if (result !== null) {
+        for (const [key, value] of Object.entries(result.headers)) {
+          reply.header(key, value);
+        }
+        reply.code(result.status).send(result.body);
+      }
+    });
+    if (sigil.config.oneShotEnabled) {
+      fastify.post(oneShotEndpointPath, async (request, reply) => {
+        const body = typeof request.body === "object" && request.body !== null ? request.body : void 0;
+        const getHeader = createFastifyHeaderGetter(request.headers);
+        const csrfTokenValue = getHeader(sigil.config.headerName);
+        const result = await handleTokenEndpoint(
+          sigil,
+          request.method,
+          oneShotEndpointPath,
+          body,
+          tokenEndpointPath,
+          oneShotEndpointPath,
+          csrfTokenValue
+        );
+        if (result !== null) {
+          for (const [key, value] of Object.entries(result.headers)) {
+            reply.header(key, value);
+          }
+          reply.code(result.status).send(result.body);
+        }
+      });
+    }
+    fastify.addHook("preHandler", async (request, reply) => {
+      const path = normalizePath(extractPath(request.url));
+      if (excludePaths.has(path)) return;
+      if (path === tokenEndpointPath) return;
+      if (sigil.config.oneShotEnabled && path === oneShotEndpointPath) return;
+      const getHeader = createFastifyHeaderGetter(request.headers);
+      const contentType = parseContentType(getHeader("content-type"));
+      const body = typeof request.body === "object" && request.body !== null ? request.body : void 0;
+      const tokenSource = resolveTokenSource(
+        getHeader,
+        body,
+        contentType,
+        sigil.config.headerName
+      );
+      const metadata = extractRequestMetadata(request.method, getHeader, tokenSource);
+      const result = await sigil.protect(metadata);
+      if (!result.allowed) {
+        const errorResponse = createErrorResponse(result.expired);
+        for (const [key, value] of Object.entries(errorResponse.headers)) {
+          reply.header(key, value);
+        }
+        reply.code(errorResponse.status).send(errorResponse.body);
+      }
+    });
+    done();
+  };
+}
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  createFastifyPlugin
+});
+//# sourceMappingURL=fastify.cjs.map

package/dist/adapters/fastify.cjs.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"sources":["../../src/adapters/fastify.ts","../../src/types.ts","../../src/extract-metadata.ts","../../src/error-response.ts","../../src/token-endpoint.ts"],"sourcesContent":["// @sigil-security/runtime — Fastify plugin adapter\n// Reference: SPECIFICATION.md §3\n\nimport type { SigilInstance, MiddlewareOptions, ProtectResult } from '../types.js'\nimport { DEFAULT_TOKEN_ENDPOINT_PATH, DEFAULT_ONESHOT_ENDPOINT_PATH } from '../types.js'\nimport { extractRequestMetadata, resolveTokenSource, parseContentType, normalizePath, normalizePathSet } from '../extract-metadata.js'\nimport type { HeaderGetter } from '../extract-metadata.js'\nimport { createErrorResponse } from '../error-response.js'\nimport { handleTokenEndpoint } from '../token-endpoint.js'\n\n// ============================================================\n// Minimal Fastify-Compatible Types\n// ============================================================\n\n/** Minimal Fastify-compatible request */\nexport interface FastifyLikeRequest {\n readonly method: string\n readonly url: string\n readonly headers: Readonly<Record<string, string | string[] | undefined>>\n body?: unknown\n}\n\n/** Minimal Fastify-compatible reply */\nexport interface FastifyLikeReply {\n status(code: number): FastifyLikeReply\n code(code: number): FastifyLikeReply\n send(payload?: unknown): FastifyLikeReply\n header(name: string, value: string): FastifyLikeReply\n readonly sent: boolean\n}\n\n/** Minimal Fastify-compatible instance */\nexport interface FastifyLikeInstance {\n addHook(\n name: 'preHandler',\n handler: (\n request: FastifyLikeRequest,\n reply: FastifyLikeReply,\n ) => Promise<void>,\n ): void\n get(\n path: string,\n handler: (request: FastifyLikeRequest, reply: FastifyLikeReply) => Promise<void>,\n ): void\n post(\n path: string,\n handler: (request: FastifyLikeRequest, reply: FastifyLikeReply) => Promise<void>,\n ): void\n}\n\n/** Fastify plugin done callback */\nexport type FastifyPluginDone = (err?: Error) => void\n\n/** Fastify plugin signature */\nexport type FastifyPlugin = (\n fastify: FastifyLikeInstance,\n options: MiddlewareOptions | undefined,\n done: FastifyPluginDone,\n) => void\n\n// ============================================================\n// Header Getter for Fastify\n// ============================================================\n\nfunction createFastifyHeaderGetter(\n headers: Readonly<Record<string, string | string[] | undefined>>,\n): HeaderGetter {\n return (name: string): string | null => {\n const value = headers[name.toLowerCase()]\n if (typeof value === 'string') return value\n if (Array.isArray(value)) return value[0] ?? null\n return null\n }\n}\n\n/**\n * Extracts the path portion from a Fastify URL (which may include query strings).\n */\nfunction extractPath(url: string): string {\n const qIndex = url.indexOf('?')\n return qIndex >= 0 ? url.slice(0, qIndex) : url\n}\n\n// ============================================================\n// Fastify Plugin Factory\n// ============================================================\n\n/**\n * Creates a Fastify plugin for Sigil CSRF protection.\n *\n * Registers:\n * - Token generation routes (GET /api/csrf/token, POST /api/csrf/one-shot)\n * - `preHandler` hook for CSRF validation on protected methods (runs after body parsing)\n *\n * @param sigil - Initialized SigilInstance\n * @param options - Middleware configuration options\n * @returns Fastify plugin function\n *\n * @example\n * ```typescript\n * import Fastify from 'fastify'\n * import { createSigil } from '@sigil-security/runtime'\n * import { createFastifyPlugin } from '@sigil-security/runtime/fastify'\n *\n * const sigil = await createSigil({ ... })\n * const fastify = Fastify()\n * fastify.register(createFastifyPlugin(sigil))\n * ```\n */\nexport function createFastifyPlugin(\n sigil: SigilInstance,\n options?: MiddlewareOptions,\n): FastifyPlugin {\n const excludePaths = normalizePathSet(options?.excludePaths ?? [])\n const tokenEndpointPath = normalizePath(options?.tokenEndpointPath ?? DEFAULT_TOKEN_ENDPOINT_PATH)\n const oneShotEndpointPath = normalizePath(options?.oneShotEndpointPath ?? DEFAULT_ONESHOT_ENDPOINT_PATH)\n\n return (fastify, _opts, done) => {\n // Register token generation routes\n fastify.get(tokenEndpointPath, async (request, reply) => {\n const result = await handleTokenEndpoint(\n sigil,\n request.method,\n tokenEndpointPath,\n undefined,\n tokenEndpointPath,\n oneShotEndpointPath,\n )\n\n if (result !== null) {\n for (const [key, value] of Object.entries(result.headers)) {\n reply.header(key, value)\n }\n reply.code(result.status).send(result.body)\n }\n })\n\n if (sigil.config.oneShotEnabled) {\n fastify.post(oneShotEndpointPath, async (request, reply) => {\n const body = typeof request.body === 'object' && request.body !== null\n ? (request.body as Record<string, unknown>)\n : undefined\n\n const getHeader = createFastifyHeaderGetter(request.headers)\n const csrfTokenValue = getHeader(sigil.config.headerName)\n\n const result = await handleTokenEndpoint(\n sigil,\n request.method,\n oneShotEndpointPath,\n body,\n tokenEndpointPath,\n oneShotEndpointPath,\n csrfTokenValue,\n )\n\n if (result !== null) {\n for (const [key, value] of Object.entries(result.headers)) {\n reply.header(key, value)\n }\n reply.code(result.status).send(result.body)\n }\n })\n }\n\n // Register preHandler hook for CSRF validation\n // NOTE: preHandler runs AFTER body parsing, so request.body is available.\n // onRequest would run BEFORE body parsing — body-based tokens would never work.\n fastify.addHook('preHandler', async (request, reply) => {\n const path = normalizePath(extractPath(request.url))\n\n // Skip excluded paths (normalized comparison)\n if (excludePaths.has(path)) return\n\n // Skip token endpoints (handled by routes above)\n if (path === tokenEndpointPath) return\n if (sigil.config.oneShotEnabled && path === oneShotEndpointPath) return\n\n // Extract metadata\n const getHeader = createFastifyHeaderGetter(request.headers)\n const contentType = parseContentType(getHeader('content-type'))\n\n const body = typeof request.body === 'object' && request.body !== null\n ? (request.body as Record<string, unknown>)\n : undefined\n\n const tokenSource = resolveTokenSource(\n getHeader,\n body,\n contentType,\n sigil.config.headerName,\n )\n\n const metadata = extractRequestMetadata(request.method, getHeader, tokenSource)\n\n // Run protection\n const result: ProtectResult = await sigil.protect(metadata)\n\n if (!result.allowed) {\n const errorResponse = createErrorResponse(result.expired)\n for (const [key, value] of Object.entries(errorResponse.headers)) {\n reply.header(key, value)\n }\n reply.code(errorResponse.status).send(errorResponse.body)\n }\n })\n\n done()\n }\n}\n","// @sigil-security/runtime — Types and configuration interfaces\n// Reference: SPECIFICATION.md Sections 3, 8\n\nimport type { CryptoProvider } from '@sigil-security/core'\nimport type {\n ContextBindingConfig,\n LegacyBrowserMode,\n PolicyChainResult,\n RequestMetadata,\n} from '@sigil-security/policy'\n\n// ============================================================\n// Sigil Configuration\n// ============================================================\n\n/**\n * Main configuration for Sigil runtime.\n *\n * This is the single entry point for configuring CSRF protection.\n * The runtime layer orchestrates all interactions between core and policy.\n *\n * @example\n * ```typescript\n * const sigil = await createSigil({\n * masterSecret: process.env.CSRF_SECRET,\n * allowedOrigins: ['https://example.com'],\n * })\n * ```\n */\nexport interface SigilConfig {\n // ---- Core ----\n\n /** Master secret for HKDF key derivation (minimum 32 bytes recommended) */\n readonly masterSecret: ArrayBuffer | string\n\n /** Token TTL in milliseconds (default: 20 minutes = 1_200_000ms) */\n readonly tokenTTL?: number | undefined\n\n /** Grace window after TTL expiry for in-flight requests (default: 60s = 60_000ms) */\n readonly graceWindow?: number | undefined\n\n // ---- Policy ----\n\n /** List of allowed origins (e.g., ['https://example.com']) */\n readonly allowedOrigins: readonly string[]\n\n /** How to handle legacy browsers without Fetch Metadata (default: 'degraded') */\n readonly legacyBrowserMode?: LegacyBrowserMode | undefined\n\n /** Allow API mode (non-browser clients with token-only validation) (default: true) */\n readonly allowApiMode?: boolean | undefined\n\n /** HTTP methods that require CSRF protection (default: ['POST','PUT','PATCH','DELETE']) */\n readonly protectedMethods?: readonly string[] | undefined\n\n // ---- Context Binding ----\n\n /** Context binding configuration (risk tier model) */\n readonly contextBinding?: ContextBindingConfig | undefined\n\n // ---- One-Shot ----\n\n /** Enable one-shot token support (default: false) */\n readonly oneShotEnabled?: boolean | undefined\n\n /** One-shot token TTL in milliseconds (default: 5 minutes = 300_000ms) */\n readonly oneShotTTL?: number | undefined\n\n // ---- Token Transport ----\n\n /** Custom header name for CSRF tokens (default: 'x-csrf-token') */\n readonly headerName?: string | undefined\n\n /** Custom header name for one-shot tokens (default: 'x-csrf-one-shot-token') */\n readonly oneShotHeaderName?: string | undefined\n\n // ---- Security Hardening ----\n\n /**\n * Disable X-Client-Type header override for mode detection.\n * When true, clients cannot self-declare as API mode to bypass\n * Fetch Metadata and Origin validation policies.\n *\n * Enable this if CORS configuration cannot be tightly controlled.\n * Default: false\n */\n readonly disableClientModeOverride?: boolean | undefined\n\n // ---- Provider Override ----\n\n /** Custom CryptoProvider implementation (default: WebCryptoCryptoProvider) */\n readonly cryptoProvider?: CryptoProvider | undefined\n}\n\n// ============================================================\n// Resolved Configuration (defaults applied)\n// ============================================================\n\n/**\n * Fully resolved configuration with all defaults applied.\n * Exposed as `sigil.config` on a SigilInstance.\n */\nexport interface ResolvedSigilConfig {\n readonly tokenTTL: number\n readonly graceWindow: number\n readonly allowedOrigins: readonly string[]\n readonly legacyBrowserMode: LegacyBrowserMode\n readonly allowApiMode: boolean\n readonly protectedMethods: readonly string[]\n readonly contextBinding: ContextBindingConfig | undefined\n readonly oneShotEnabled: boolean\n readonly oneShotTTL: number\n readonly headerName: string\n readonly oneShotHeaderName: string\n readonly disableClientModeOverride: boolean\n}\n\n// ============================================================\n// Sigil Instance (Orchestration Core)\n// ============================================================\n\n/**\n * The Sigil runtime instance.\n *\n * Created by `createSigil(config)`. Holds the keyring, nonce cache,\n * and provides token generation / validation / protection methods.\n */\nexport interface SigilInstance {\n /** Generate a new CSRF token */\n generateToken(context?: readonly string[]): Promise<TokenGenerationResponse>\n\n /** Validate a CSRF token */\n validateToken(\n tokenString: string,\n expectedContext?: readonly string[],\n ): Promise<TokenValidationResponse>\n\n /** Generate a one-shot token (requires `oneShotEnabled: true`) */\n generateOneShotToken(\n action: string,\n context?: readonly string[],\n ): Promise<TokenGenerationResponse>\n\n /** Validate a one-shot token (tries all keys in the oneshot keyring) */\n validateOneShotToken(\n tokenString: string,\n expectedAction: string,\n expectedContext?: readonly string[],\n ): Promise<TokenValidationResponse>\n\n /** Rotate keyrings — new key becomes active, oldest dropped */\n rotateKeys(): Promise<void>\n\n /**\n * Full request protection: policy chain + token validation.\n *\n * 1. Checks if the method needs protection\n * 2. Detects client mode (browser vs API)\n * 3. Runs appropriate policy chain\n * 4. Validates CSRF token\n *\n * @param metadata - Normalized request metadata (extracted by adapter)\n * @param contextBindings - Optional context bindings for token validation\n */\n protect(\n metadata: RequestMetadata,\n contextBindings?: readonly string[],\n ): Promise<ProtectResult>\n\n /** Resolved configuration (readonly) */\n readonly config: ResolvedSigilConfig\n}\n\n// ============================================================\n// Token Response Types\n// ============================================================\n\n/** Token generation response */\nexport type TokenGenerationResponse =\n | { readonly success: true; readonly token: string; readonly expiresAt: number }\n | { readonly success: false; readonly reason: string }\n\n/** Token validation response */\nexport type TokenValidationResponse =\n | { readonly valid: true }\n | { readonly valid: false; readonly reason: string }\n\n// ============================================================\n// Protection Result\n// ============================================================\n\n/**\n * Result of full request protection (policy chain + token validation).\n *\n * - `allowed: true` → request passed all checks\n * - `allowed: false` → request blocked, `reason` is for internal logging only\n */\nexport type ProtectResult =\n | {\n readonly allowed: true\n readonly tokenValid: boolean\n readonly policyResult: PolicyChainResult\n }\n | {\n readonly allowed: false\n readonly reason: string\n readonly expired: boolean\n readonly policyResult: PolicyChainResult | null\n }\n\n// ============================================================\n// Metadata Extractor Contract\n// ============================================================\n\n/**\n * Extracts normalized `RequestMetadata` from a framework-specific request object.\n *\n * Each framework adapter implements this for its own request type.\n * This bridges framework HTTP objects to the policy layer.\n */\nexport type MetadataExtractor<TRequest> = (req: TRequest) => RequestMetadata\n\n// ============================================================\n// Token Endpoint Types\n// ============================================================\n\n/** Minimal request shape for the token endpoint handler */\nexport interface TokenEndpointRequest {\n readonly method: string\n readonly path: string\n readonly body?: Record<string, unknown> | undefined\n}\n\n/** Token endpoint response (returned by `handleTokenEndpoint`) */\nexport interface TokenEndpointResult {\n readonly handled: boolean\n readonly status: number\n readonly body: Record<string, unknown>\n readonly headers: Record<string, string>\n}\n\n/** One-shot token request body */\nexport interface OneShotTokenRequestBody {\n readonly action: string\n readonly context?: readonly string[] | undefined\n}\n\n// ============================================================\n// Error Response Types\n// ============================================================\n\n/** Uniform error response body — NEVER differentiates error types to client */\nexport interface ErrorResponseBody {\n readonly error: string\n}\n\n// ============================================================\n// Middleware Options\n// ============================================================\n\n/**\n * Options for framework middleware adapters.\n *\n * Controls path exclusion, token endpoint paths, and context binding extraction.\n */\nexport interface MiddlewareOptions {\n /** Paths to exclude from protection (exact match) */\n readonly excludePaths?: readonly string[] | undefined\n\n /** Token generation endpoint path (default: '/api/csrf/token') */\n readonly tokenEndpointPath?: string | undefined\n\n /** One-shot token endpoint path (default: '/api/csrf/one-shot') */\n readonly oneShotEndpointPath?: string | undefined\n}\n\n// ============================================================\n// Default Constants\n// ============================================================\n\n/** Default token generation endpoint path */\nexport const DEFAULT_TOKEN_ENDPOINT_PATH = '/api/csrf/token'\n\n/** Default one-shot token endpoint path */\nexport const DEFAULT_ONESHOT_ENDPOINT_PATH = '/api/csrf/one-shot'\n","// @sigil-security/runtime — Request metadata extraction helpers\n// Reference: SPECIFICATION.md §8.3\n\nimport type { RequestMetadata, TokenSource } from '@sigil-security/policy'\nimport {\n DEFAULT_FORM_FIELD_NAME,\n DEFAULT_HEADER_NAME,\n DEFAULT_JSON_FIELD_NAME,\n} from '@sigil-security/policy'\n\n// ============================================================\n// Path Normalization\n// ============================================================\n\n/**\n * Normalizes a URL path for consistent comparison.\n *\n * **Security (L3 fix):** Strips trailing slashes to prevent\n * protection bypass via `/health/` vs `/health` mismatch.\n * Does NOT lowercase (paths are case-sensitive per RFC 3986).\n *\n * @param path - URL path to normalize\n * @returns Normalized path (no trailing slash, except for root \"/\")\n */\nexport function normalizePath(path: string): string {\n if (path.length === 0 || path === '/') return '/'\n\n let end = path.length\n while (end > 0 && path.charCodeAt(end - 1) === 47) end--\n\n if (end === path.length) return path // no trailing slash → zero allocation\n if (end === 0) return '/'\n return path.slice(0, end)\n}\n\n/**\n * Creates a normalized Set from an array of paths for consistent matching.\n *\n * @param paths - Array of paths to normalize\n * @returns Set of normalized paths\n */\nexport function normalizePathSet(paths: readonly string[]): Set<string> {\n return new Set(paths.map(normalizePath))\n}\n\n// ============================================================\n// Header Getter Abstraction\n// ============================================================\n\n/**\n * Generic header getter function.\n * Adapters implement this to bridge framework-specific header access.\n */\nexport type HeaderGetter = (name: string) => string | null\n\n// ============================================================\n// Request Metadata Assembly\n// ============================================================\n\n/**\n * Assembles normalized `RequestMetadata` from generic request components.\n *\n * This is the single point where framework-specific HTTP objects\n * are transformed into the policy layer's input format.\n *\n * @param method - HTTP method (will be uppercased)\n * @param getHeader - Framework-specific header getter\n * @param tokenSource - Pre-resolved token source\n * @returns Normalized RequestMetadata for the policy layer\n */\nexport function extractRequestMetadata(\n method: string,\n getHeader: HeaderGetter,\n tokenSource: TokenSource,\n): RequestMetadata {\n return {\n method: method.toUpperCase(),\n origin: getHeader('origin'),\n referer: getHeader('referer'),\n secFetchSite: getHeader('sec-fetch-site'),\n secFetchMode: getHeader('sec-fetch-mode'),\n secFetchDest: getHeader('sec-fetch-dest'),\n contentType: parseContentType(getHeader('content-type')),\n tokenSource,\n clientType: getHeader('x-client-type') ?? undefined,\n }\n}\n\n// ============================================================\n// Content-Type Parsing\n// ============================================================\n\n/**\n * Parses Content-Type header, stripping parameters (charset, boundary, etc.).\n *\n * @example\n * parseContentType(\"application/json; charset=utf-8\") → \"application/json\"\n * parseContentType(null) → null\n */\nexport function parseContentType(contentType: string | null): string | null {\n if (contentType === null) return null\n const semicolonIdx = contentType.indexOf(';')\n const mimeType = semicolonIdx >= 0 ? contentType.substring(0, semicolonIdx) : contentType\n return mimeType.trim().toLowerCase()\n}\n\n// ============================================================\n// Token Source Resolution\n// ============================================================\n\n/**\n * Extracts CSRF token from a custom header.\n *\n * @param getHeader - Header getter function\n * @param headerName - Header name to check (default: 'x-csrf-token')\n * @returns TokenSource from header, or { from: 'none' }\n */\nexport function extractTokenFromHeader(\n getHeader: HeaderGetter,\n headerName: string = DEFAULT_HEADER_NAME,\n): TokenSource {\n const value = getHeader(headerName)\n if (value !== null && value !== '') {\n return { from: 'header', value }\n }\n return { from: 'none' }\n}\n\n/**\n * Extracts CSRF token from a parsed JSON body.\n *\n * @param body - Parsed request body (or null/undefined)\n * @param fieldName - JSON field name (default: 'csrf_token')\n * @returns TokenSource if found, or null\n */\nexport function extractTokenFromJsonBody(\n body: Record<string, unknown> | null | undefined,\n fieldName: string = DEFAULT_JSON_FIELD_NAME,\n): TokenSource | null {\n if (body !== null && body !== undefined && typeof body === 'object') {\n const value = body[fieldName]\n if (typeof value === 'string' && value !== '') {\n return { from: 'body-json', value }\n }\n }\n return null\n}\n\n/**\n * Extracts CSRF token from a parsed form body.\n *\n * @param body - Parsed form body (or null/undefined)\n * @param fieldName - Form field name (default: 'csrf_token')\n * @returns TokenSource if found, or null\n */\nexport function extractTokenFromFormBody(\n body: Record<string, unknown> | null | undefined,\n fieldName: string = DEFAULT_FORM_FIELD_NAME,\n): TokenSource | null {\n if (body !== null && body !== undefined && typeof body === 'object') {\n const value = body[fieldName]\n if (typeof value === 'string' && value !== '') {\n return { from: 'body-form', value }\n }\n }\n return null\n}\n\n/**\n * Resolves token source following the transport precedence from SPECIFICATION.md §8.3:\n *\n * 1. Custom header (highest priority): `X-CSRF-Token`\n * 2. Request body (JSON): `{ \"csrf_token\": \"...\" }`\n * 3. Request body (form): `csrf_token=...`\n * 4. Query parameter: NEVER (not supported)\n *\n * First valid token wins. Multiple tokens → first match wins.\n *\n * @param getHeader - Header getter function\n * @param body - Parsed request body (JSON or form-encoded)\n * @param contentType - Parsed Content-Type MIME (lowercase, no params)\n * @param headerName - Custom header name override\n * @param jsonFieldName - Custom JSON field name override\n * @param formFieldName - Custom form field name override\n * @returns Resolved TokenSource\n */\nexport function resolveTokenSource(\n getHeader: HeaderGetter,\n body: Record<string, unknown> | null | undefined,\n contentType: string | null,\n headerName?: string,\n jsonFieldName?: string,\n formFieldName?: string,\n): TokenSource {\n // 1. Custom header (highest precedence)\n const headerToken = extractTokenFromHeader(getHeader, headerName)\n if (headerToken.from !== 'none') return headerToken\n\n // 2. JSON body\n if (contentType !== null && contentType.includes('application/json')) {\n const jsonToken = extractTokenFromJsonBody(body, jsonFieldName)\n if (jsonToken !== null) return jsonToken\n }\n\n // 3. Form body\n if (\n contentType !== null &&\n (contentType.includes('application/x-www-form-urlencoded') ||\n contentType.includes('multipart/form-data'))\n ) {\n const formToken = extractTokenFromFormBody(body, formFieldName)\n if (formToken !== null) return formToken\n }\n\n // No token found\n return { from: 'none' }\n}\n","// @sigil-security/runtime — Uniform error responses\n// Reference: SPECIFICATION.md §5.8 — NEVER differentiate error types to client\n\n/**\n * Uniform CSRF validation failure message.\n *\n * **CRITICAL:** This is the ONLY error message sent to the client.\n * Detailed failure reasons go to internal logs ONLY — never in HTTP response body.\n */\nconst CSRF_FAILURE_MESSAGE = 'CSRF validation failed'\n\n/** HTTP header name indicating token expiry */\nconst EXPIRED_HEADER_NAME = 'X-CSRF-Token-Expired'\n\n/**\n * Framework-agnostic error response structure.\n *\n * Used by all adapters to produce consistent 403 responses.\n */\nexport interface ErrorResponse {\n readonly status: number\n readonly body: { readonly error: string }\n readonly headers: Readonly<Record<string, string>>\n}\n\n/**\n * Creates a uniform 403 error response.\n *\n * - Always returns `403 { error: \"CSRF validation failed\" }`\n * - If the token is expired, adds `X-CSRF-Token-Expired: true` header\n * (allows client-side silent refresh without exposing failure reason)\n *\n * @param expired - Whether the failure is due to token expiry\n * @returns Framework-agnostic error response\n */\nexport function createErrorResponse(expired: boolean): ErrorResponse {\n const headers: Record<string, string> = {}\n if (expired) {\n headers[EXPIRED_HEADER_NAME] = 'true'\n }\n return {\n status: 403,\n body: { error: CSRF_FAILURE_MESSAGE },\n headers,\n }\n}\n\n/**\n * Creates a framework-agnostic success response for token generation.\n *\n * @param token - Generated token string\n * @param expiresAt - Token expiration timestamp (milliseconds)\n */\nexport function createTokenResponse(\n token: string,\n expiresAt: number,\n): { readonly status: number; readonly body: { readonly token: string; readonly expiresAt: number } } {\n return {\n status: 200,\n body: { token, expiresAt },\n }\n}\n\n/**\n * Creates a framework-agnostic success response for one-shot token generation.\n *\n * @param token - Generated one-shot token string\n * @param expiresAt - Token expiration timestamp (milliseconds)\n * @param action - The action the token is bound to\n */\nexport function createOneShotTokenResponse(\n token: string,\n expiresAt: number,\n action: string,\n): {\n readonly status: number\n readonly body: { readonly token: string; readonly expiresAt: number; readonly action: string }\n} {\n return {\n status: 200,\n body: { token, expiresAt, action },\n }\n}\n","// @sigil-security/runtime — Token endpoint handler\n// Reference: SPECIFICATION.md §3 — Token generation endpoints\n\nimport type { SigilInstance, TokenEndpointResult } from './types.js'\nimport {\n createErrorResponse,\n createTokenResponse,\n createOneShotTokenResponse,\n} from './error-response.js'\n\n/**\n * Handles token generation requests.\n *\n * This is a framework-agnostic handler that processes token endpoint requests.\n * Each adapter calls this and maps the result to framework-specific responses.\n *\n * Supported endpoints:\n * - `GET {tokenEndpointPath}` → Generate a regular CSRF token\n * - `POST {oneShotEndpointPath}` → Generate a one-shot token (requires action binding)\n *\n * **Security (M2 fix):** The one-shot endpoint (POST) requires a valid regular\n * CSRF token in the request header. This prevents cross-origin one-shot token\n * generation and nonce cache exhaustion attacks.\n *\n * @param sigil - The Sigil instance\n * @param method - HTTP method (uppercase)\n * @param path - Request path\n * @param body - Parsed request body (for POST endpoints)\n * @param tokenEndpointPath - Token generation endpoint path\n * @param oneShotEndpointPath - One-shot token endpoint path\n * @param csrfTokenValue - CSRF token from request header (required for POST one-shot endpoint)\n * @returns TokenEndpointResult if the request was handled, or null if not a token endpoint\n */\nexport async function handleTokenEndpoint(\n sigil: SigilInstance,\n method: string,\n path: string,\n body: Record<string, unknown> | null | undefined,\n tokenEndpointPath: string,\n oneShotEndpointPath: string,\n csrfTokenValue?: string | null,\n): Promise<TokenEndpointResult | null> {\n const upperMethod = method.toUpperCase()\n\n // GET /api/csrf/token → Generate regular CSRF token\n if (path === tokenEndpointPath && upperMethod === 'GET') {\n return handleRegularTokenGeneration(sigil)\n }\n\n // POST /api/csrf/one-shot → Generate one-shot token\n // Requires a valid regular CSRF token for defense-in-depth\n if (\n sigil.config.oneShotEnabled &&\n path === oneShotEndpointPath &&\n upperMethod === 'POST'\n ) {\n // Validate CSRF token before generating one-shot token\n if (csrfTokenValue === undefined || csrfTokenValue === null || csrfTokenValue === '') {\n const errorResponse = createErrorResponse(false)\n return {\n handled: true,\n status: errorResponse.status,\n body: errorResponse.body,\n headers: errorResponse.headers as Record<string, string>,\n }\n }\n\n const csrfResult = await sigil.validateToken(csrfTokenValue)\n if (!csrfResult.valid) {\n const errorResponse = createErrorResponse(false)\n return {\n handled: true,\n status: errorResponse.status,\n body: errorResponse.body,\n headers: errorResponse.headers as Record<string, string>,\n }\n }\n\n return handleOneShotTokenGeneration(sigil, body)\n }\n\n // Not a token endpoint request\n return null\n}\n\n/**\n * Generates a regular CSRF token.\n */\nasync function handleRegularTokenGeneration(\n sigil: SigilInstance,\n): Promise<TokenEndpointResult> {\n const result = await sigil.generateToken()\n\n if (!result.success) {\n return {\n handled: true,\n status: 500,\n body: { error: 'Token generation failed' },\n headers: {},\n }\n }\n\n const response = createTokenResponse(result.token, result.expiresAt)\n return {\n handled: true,\n status: response.status,\n body: response.body,\n headers: {},\n }\n}\n\n/**\n * Generates a one-shot token with action binding.\n */\nasync function handleOneShotTokenGeneration(\n sigil: SigilInstance,\n body: Record<string, unknown> | null | undefined,\n): Promise<TokenEndpointResult> {\n // Validate request body\n if (body === null || body === undefined || typeof body !== 'object') {\n return {\n handled: true,\n status: 400,\n body: { error: 'Request body required' },\n headers: {},\n }\n }\n\n const action = body['action']\n if (typeof action !== 'string' || action === '') {\n return {\n handled: true,\n status: 400,\n body: { error: 'Missing or invalid action parameter' },\n headers: {},\n }\n }\n\n // Optional context bindings\n let context: readonly string[] | undefined\n const rawContext = body['context']\n if (Array.isArray(rawContext)) {\n const isAllStrings = rawContext.every((item): item is string => typeof item === 'string')\n if (isAllStrings) {\n context = rawContext\n }\n }\n\n const result = await sigil.generateOneShotToken(action, context)\n\n if (!result.success) {\n return {\n handled: true,\n status: 500,\n body: { error: 'One-shot token generation failed' },\n headers: {},\n }\n }\n\n const response = createOneShotTokenResponse(result.token, result.expiresAt, action)\n return {\n handled: true,\n status: response.status,\n body: response.body,\n headers: {},\n }\n}\n\n/**\n * Creates a standardized error result for the token endpoint.\n * Used by adapters when they need to produce error responses.\n */\nexport function createTokenEndpointError(\n expired: boolean,\n): TokenEndpointResult {\n const errorResponse = createErrorResponse(expired)\n return {\n handled: true,\n status: errorResponse.status,\n body: errorResponse.body,\n headers: errorResponse.headers as Record<string, string>,\n }\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;;;ACyRO,IAAM,8BAA8B;AAGpC,IAAM,gCAAgC;;;ACxR7C,oBAIO;AAgBA,SAAS,cAAc,MAAsB;AAClD,MAAI,KAAK,WAAW,KAAK,SAAS,IAAK,QAAO;AAE9C,MAAI,MAAM,KAAK;AACf,SAAO,MAAM,KAAK,KAAK,WAAW,MAAM,CAAC,MAAM,GAAI;AAEnD,MAAI,QAAQ,KAAK,OAAQ,QAAO;AAChC,MAAI,QAAQ,EAAG,QAAO;AACtB,SAAO,KAAK,MAAM,GAAG,GAAG;AAC1B;AAQO,SAAS,iBAAiB,OAAuC;AACtE,SAAO,IAAI,IAAI,MAAM,IAAI,aAAa,CAAC;AACzC;AA2BO,SAAS,uBACd,QACA,WACA,aACiB;AACjB,SAAO;AAAA,IACL,QAAQ,OAAO,YAAY;AAAA,IAC3B,QAAQ,UAAU,QAAQ;AAAA,IAC1B,SAAS,UAAU,SAAS;AAAA,IAC5B,cAAc,UAAU,gBAAgB;AAAA,IACxC,cAAc,UAAU,gBAAgB;AAAA,IACxC,cAAc,UAAU,gBAAgB;AAAA,IACxC,aAAa,iBAAiB,UAAU,cAAc,CAAC;AAAA,IACvD;AAAA,IACA,YAAY,UAAU,eAAe,KAAK;AAAA,EAC5C;AACF;AAaO,SAAS,iBAAiB,aAA2C;AAC1E,MAAI,gBAAgB,KAAM,QAAO;AACjC,QAAM,eAAe,YAAY,QAAQ,GAAG;AAC5C,QAAM,WAAW,gBAAgB,IAAI,YAAY,UAAU,GAAG,YAAY,IAAI;AAC9E,SAAO,SAAS,KAAK,EAAE,YAAY;AACrC;AAaO,SAAS,uBACd,WACA,aAAqB,mCACR;AACb,QAAM,QAAQ,UAAU,UAAU;AAClC,MAAI,UAAU,QAAQ,UAAU,IAAI;AAClC,WAAO,EAAE,MAAM,UAAU,MAAM;AAAA,EACjC;AACA,SAAO,EAAE,MAAM,OAAO;AACxB;AASO,SAAS,yBACd,MACA,YAAoB,uCACA;AACpB,MAAI,SAAS,QAAQ,SAAS,UAAa,OAAO,SAAS,UAAU;AACnE,UAAM,QAAQ,KAAK,SAAS;AAC5B,QAAI,OAAO,UAAU,YAAY,UAAU,IAAI;AAC7C,aAAO,EAAE,MAAM,aAAa,MAAM;AAAA,IACpC;AAAA,EACF;AACA,SAAO;AACT;AASO,SAAS,yBACd,MACA,YAAoB,uCACA;AACpB,MAAI,SAAS,QAAQ,SAAS,UAAa,OAAO,SAAS,UAAU;AACnE,UAAM,QAAQ,KAAK,SAAS;AAC5B,QAAI,OAAO,UAAU,YAAY,UAAU,IAAI;AAC7C,aAAO,EAAE,MAAM,aAAa,MAAM;AAAA,IACpC;AAAA,EACF;AACA,SAAO;AACT;AAoBO,SAAS,mBACd,WACA,MACA,aACA,YACA,eACA,eACa;AAEb,QAAM,cAAc,uBAAuB,WAAW,UAAU;AAChE,MAAI,YAAY,SAAS,OAAQ,QAAO;AAGxC,MAAI,gBAAgB,QAAQ,YAAY,SAAS,kBAAkB,GAAG;AACpE,UAAM,YAAY,yBAAyB,MAAM,aAAa;AAC9D,QAAI,cAAc,KAAM,QAAO;AAAA,EACjC;AAGA,MACE,gBAAgB,SACf,YAAY,SAAS,mCAAmC,KACvD,YAAY,SAAS,qBAAqB,IAC5C;AACA,UAAM,YAAY,yBAAyB,MAAM,aAAa;AAC9D,QAAI,cAAc,KAAM,QAAO;AAAA,EACjC;AAGA,SAAO,EAAE,MAAM,OAAO;AACxB;;;AC/MA,IAAM,uBAAuB;AAG7B,IAAM,sBAAsB;AAuBrB,SAAS,oBAAoB,SAAiC;AACnE,QAAM,UAAkC,CAAC;AACzC,MAAI,SAAS;AACX,YAAQ,mBAAmB,IAAI;AAAA,EACjC;AACA,SAAO;AAAA,IACL,QAAQ;AAAA,IACR,MAAM,EAAE,OAAO,qBAAqB;AAAA,IACpC;AAAA,EACF;AACF;AAQO,SAAS,oBACd,OACA,WACoG;AACpG,SAAO;AAAA,IACL,QAAQ;AAAA,IACR,MAAM,EAAE,OAAO,UAAU;AAAA,EAC3B;AACF;AASO,SAAS,2BACd,OACA,WACA,QAIA;AACA,SAAO;AAAA,IACL,QAAQ;AAAA,IACR,MAAM,EAAE,OAAO,WAAW,OAAO;AAAA,EACnC;AACF;;;ACjDA,eAAsB,oBACpB,OACA,QACA,MACA,MACA,mBACA,qBACA,gBACqC;AACrC,QAAM,cAAc,OAAO,YAAY;AAGvC,MAAI,SAAS,qBAAqB,gBAAgB,OAAO;AACvD,WAAO,6BAA6B,KAAK;AAAA,EAC3C;AAIA,MACE,MAAM,OAAO,kBACb,SAAS,uBACT,gBAAgB,QAChB;AAEA,QAAI,mBAAmB,UAAa,mBAAmB,QAAQ,mBAAmB,IAAI;AACpF,YAAM,gBAAgB,oBAAoB,KAAK;AAC/C,aAAO;AAAA,QACL,SAAS;AAAA,QACT,QAAQ,cAAc;AAAA,QACtB,MAAM,cAAc;AAAA,QACpB,SAAS,cAAc;AAAA,MACzB;AAAA,IACF;AAEA,UAAM,aAAa,MAAM,MAAM,cAAc,cAAc;AAC3D,QAAI,CAAC,WAAW,OAAO;AACrB,YAAM,gBAAgB,oBAAoB,KAAK;AAC/C,aAAO;AAAA,QACL,SAAS;AAAA,QACT,QAAQ,cAAc;AAAA,QACtB,MAAM,cAAc;AAAA,QACpB,SAAS,cAAc;AAAA,MACzB;AAAA,IACF;AAEA,WAAO,6BAA6B,OAAO,IAAI;AAAA,EACjD;AAGA,SAAO;AACT;AAKA,eAAe,6BACb,OAC8B;AAC9B,QAAM,SAAS,MAAM,MAAM,cAAc;AAEzC,MAAI,CAAC,OAAO,SAAS;AACnB,WAAO;AAAA,MACL,SAAS;AAAA,MACT,QAAQ;AAAA,MACR,MAAM,EAAE,OAAO,0BAA0B;AAAA,MACzC,SAAS,CAAC;AAAA,IACZ;AAAA,EACF;AAEA,QAAM,WAAW,oBAAoB,OAAO,OAAO,OAAO,SAAS;AACnE,SAAO;AAAA,IACL,SAAS;AAAA,IACT,QAAQ,SAAS;AAAA,IACjB,MAAM,SAAS;AAAA,IACf,SAAS,CAAC;AAAA,EACZ;AACF;AAKA,eAAe,6BACb,OACA,MAC8B;AAE9B,MAAI,SAAS,QAAQ,SAAS,UAAa,OAAO,SAAS,UAAU;AACnE,WAAO;AAAA,MACL,SAAS;AAAA,MACT,QAAQ;AAAA,MACR,MAAM,EAAE,OAAO,wBAAwB;AAAA,MACvC,SAAS,CAAC;AAAA,IACZ;AAAA,EACF;AAEA,QAAM,SAAS,KAAK,QAAQ;AAC5B,MAAI,OAAO,WAAW,YAAY,WAAW,IAAI;AAC/C,WAAO;AAAA,MACL,SAAS;AAAA,MACT,QAAQ;AAAA,MACR,MAAM,EAAE,OAAO,sCAAsC;AAAA,MACrD,SAAS,CAAC;AAAA,IACZ;AAAA,EACF;AAGA,MAAI;AACJ,QAAM,aAAa,KAAK,SAAS;AACjC,MAAI,MAAM,QAAQ,UAAU,GAAG;AAC7B,UAAM,eAAe,WAAW,MAAM,CAAC,SAAyB,OAAO,SAAS,QAAQ;AACxF,QAAI,cAAc;AAChB,gBAAU;AAAA,IACZ;AAAA,EACF;AAEA,QAAM,SAAS,MAAM,MAAM,qBAAqB,QAAQ,OAAO;AAE/D,MAAI,CAAC,OAAO,SAAS;AACnB,WAAO;AAAA,MACL,SAAS;AAAA,MACT,QAAQ;AAAA,MACR,MAAM,EAAE,OAAO,mCAAmC;AAAA,MAClD,SAAS,CAAC;AAAA,IACZ;AAAA,EACF;AAEA,QAAM,WAAW,2BAA2B,OAAO,OAAO,OAAO,WAAW,MAAM;AAClF,SAAO;AAAA,IACL,SAAS;AAAA,IACT,QAAQ,SAAS;AAAA,IACjB,MAAM,SAAS;AAAA,IACf,SAAS,CAAC;AAAA,EACZ;AACF;;;AJtGA,SAAS,0BACP,SACc;AACd,SAAO,CAAC,SAAgC;AACtC,UAAM,QAAQ,QAAQ,KAAK,YAAY,CAAC;AACxC,QAAI,OAAO,UAAU,SAAU,QAAO;AACtC,QAAI,MAAM,QAAQ,KAAK,EAAG,QAAO,MAAM,CAAC,KAAK;AAC7C,WAAO;AAAA,EACT;AACF;AAKA,SAAS,YAAY,KAAqB;AACxC,QAAM,SAAS,IAAI,QAAQ,GAAG;AAC9B,SAAO,UAAU,IAAI,IAAI,MAAM,GAAG,MAAM,IAAI;AAC9C;AA4BO,SAAS,oBACd,OACA,SACe;AACf,QAAM,eAAe,iBAAiB,SAAS,gBAAgB,CAAC,CAAC;AACjE,QAAM,oBAAoB,cAAc,SAAS,qBAAqB,2BAA2B;AACjG,QAAM,sBAAsB,cAAc,SAAS,uBAAuB,6BAA6B;AAEvG,SAAO,CAAC,SAAS,OAAO,SAAS;AAE/B,YAAQ,IAAI,mBAAmB,OAAO,SAAS,UAAU;AACvD,YAAM,SAAS,MAAM;AAAA,QACnB;AAAA,QACA,QAAQ;AAAA,QACR;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,MACF;AAEA,UAAI,WAAW,MAAM;AACnB,mBAAW,CAAC,KAAK,KAAK,KAAK,OAAO,QAAQ,OAAO,OAAO,GAAG;AACzD,gBAAM,OAAO,KAAK,KAAK;AAAA,QACzB;AACA,cAAM,KAAK,OAAO,MAAM,EAAE,KAAK,OAAO,IAAI;AAAA,MAC5C;AAAA,IACF,CAAC;AAED,QAAI,MAAM,OAAO,gBAAgB;AAC/B,cAAQ,KAAK,qBAAqB,OAAO,SAAS,UAAU;AAC1D,cAAM,OAAO,OAAO,QAAQ,SAAS,YAAY,QAAQ,SAAS,OAC7D,QAAQ,OACT;AAEJ,cAAM,YAAY,0BAA0B,QAAQ,OAAO;AAC3D,cAAM,iBAAiB,UAAU,MAAM,OAAO,UAAU;AAExD,cAAM,SAAS,MAAM;AAAA,UACnB;AAAA,UACA,QAAQ;AAAA,UACR;AAAA,UACA;AAAA,UACA;AAAA,UACA;AAAA,UACA;AAAA,QACF;AAEA,YAAI,WAAW,MAAM;AACnB,qBAAW,CAAC,KAAK,KAAK,KAAK,OAAO,QAAQ,OAAO,OAAO,GAAG;AACzD,kBAAM,OAAO,KAAK,KAAK;AAAA,UACzB;AACA,gBAAM,KAAK,OAAO,MAAM,EAAE,KAAK,OAAO,IAAI;AAAA,QAC5C;AAAA,MACF,CAAC;AAAA,IACH;AAKA,YAAQ,QAAQ,cAAc,OAAO,SAAS,UAAU;AACtD,YAAM,OAAO,cAAc,YAAY,QAAQ,GAAG,CAAC;AAGnD,UAAI,aAAa,IAAI,IAAI,EAAG;AAG5B,UAAI,SAAS,kBAAmB;AAChC,UAAI,MAAM,OAAO,kBAAkB,SAAS,oBAAqB;AAGjE,YAAM,YAAY,0BAA0B,QAAQ,OAAO;AAC3D,YAAM,cAAc,iBAAiB,UAAU,cAAc,CAAC;AAE9D,YAAM,OAAO,OAAO,QAAQ,SAAS,YAAY,QAAQ,SAAS,OAC7D,QAAQ,OACT;AAEJ,YAAM,cAAc;AAAA,QAClB;AAAA,QACA;AAAA,QACA;AAAA,QACA,MAAM,OAAO;AAAA,MACf;AAEA,YAAM,WAAW,uBAAuB,QAAQ,QAAQ,WAAW,WAAW;AAG9E,YAAM,SAAwB,MAAM,MAAM,QAAQ,QAAQ;AAE1D,UAAI,CAAC,OAAO,SAAS;AACnB,cAAM,gBAAgB,oBAAoB,OAAO,OAAO;AACxD,mBAAW,CAAC,KAAK,KAAK,KAAK,OAAO,QAAQ,cAAc,OAAO,GAAG;AAChE,gBAAM,OAAO,KAAK,KAAK;AAAA,QACzB;AACA,cAAM,KAAK,cAAc,MAAM,EAAE,KAAK,cAAc,IAAI;AAAA,MAC1D;AAAA,IACF,CAAC;AAED,SAAK;AAAA,EACP;AACF;","names":[]}

package/dist/adapters/fastify.d.cts ADDED Viewed

@@ -0,0 +1,54 @@
+import { c as MiddlewareOptions, a as SigilInstance } from '../types-DySgT8rA.cjs';
+import '@sigil-security/core';
+import '@sigil-security/policy';
+/** Minimal Fastify-compatible request */
+interface FastifyLikeRequest {
+    readonly method: string;
+    readonly url: string;
+    readonly headers: Readonly<Record<string, string | string[] | undefined>>;
+    body?: unknown;
+}
+/** Minimal Fastify-compatible reply */
+interface FastifyLikeReply {
+    status(code: number): FastifyLikeReply;
+    code(code: number): FastifyLikeReply;
+    send(payload?: unknown): FastifyLikeReply;
+    header(name: string, value: string): FastifyLikeReply;
+    readonly sent: boolean;
+}
+/** Minimal Fastify-compatible instance */
+interface FastifyLikeInstance {
+    addHook(name: 'preHandler', handler: (request: FastifyLikeRequest, reply: FastifyLikeReply) => Promise<void>): void;
+    get(path: string, handler: (request: FastifyLikeRequest, reply: FastifyLikeReply) => Promise<void>): void;
+    post(path: string, handler: (request: FastifyLikeRequest, reply: FastifyLikeReply) => Promise<void>): void;
+}
+/** Fastify plugin done callback */
+type FastifyPluginDone = (err?: Error) => void;
+/** Fastify plugin signature */
+type FastifyPlugin = (fastify: FastifyLikeInstance, options: MiddlewareOptions | undefined, done: FastifyPluginDone) => void;
+/**
+ * Creates a Fastify plugin for Sigil CSRF protection.
+ *
+ * Registers:
+ * - Token generation routes (GET /api/csrf/token, POST /api/csrf/one-shot)
+ * - `preHandler` hook for CSRF validation on protected methods (runs after body parsing)
+ *
+ * @param sigil - Initialized SigilInstance
+ * @param options - Middleware configuration options
+ * @returns Fastify plugin function
+ *
+ * @example
+ * ```typescript
+ * import Fastify from 'fastify'
+ * import { createSigil } from '@sigil-security/runtime'
+ * import { createFastifyPlugin } from '@sigil-security/runtime/fastify'
+ *
+ * const sigil = await createSigil({ ... })
+ * const fastify = Fastify()
+ * fastify.register(createFastifyPlugin(sigil))
+ * ```
+ */
+declare function createFastifyPlugin(sigil: SigilInstance, options?: MiddlewareOptions): FastifyPlugin;
+export { type FastifyLikeInstance, type FastifyLikeReply, type FastifyLikeRequest, type FastifyPlugin, type FastifyPluginDone, createFastifyPlugin };

package/dist/adapters/fastify.d.ts ADDED Viewed

@@ -0,0 +1,54 @@
+import { c as MiddlewareOptions, a as SigilInstance } from '../types-DySgT8rA.js';
+import '@sigil-security/core';
+import '@sigil-security/policy';
+/** Minimal Fastify-compatible request */
+interface FastifyLikeRequest {
+    readonly method: string;
+    readonly url: string;
+    readonly headers: Readonly<Record<string, string | string[] | undefined>>;
+    body?: unknown;
+}
+/** Minimal Fastify-compatible reply */
+interface FastifyLikeReply {
+    status(code: number): FastifyLikeReply;
+    code(code: number): FastifyLikeReply;
+    send(payload?: unknown): FastifyLikeReply;
+    header(name: string, value: string): FastifyLikeReply;
+    readonly sent: boolean;
+}
+/** Minimal Fastify-compatible instance */
+interface FastifyLikeInstance {
+    addHook(name: 'preHandler', handler: (request: FastifyLikeRequest, reply: FastifyLikeReply) => Promise<void>): void;
+    get(path: string, handler: (request: FastifyLikeRequest, reply: FastifyLikeReply) => Promise<void>): void;
+    post(path: string, handler: (request: FastifyLikeRequest, reply: FastifyLikeReply) => Promise<void>): void;
+}
+/** Fastify plugin done callback */
+type FastifyPluginDone = (err?: Error) => void;
+/** Fastify plugin signature */
+type FastifyPlugin = (fastify: FastifyLikeInstance, options: MiddlewareOptions | undefined, done: FastifyPluginDone) => void;
+/**
+ * Creates a Fastify plugin for Sigil CSRF protection.
+ *
+ * Registers:
+ * - Token generation routes (GET /api/csrf/token, POST /api/csrf/one-shot)
+ * - `preHandler` hook for CSRF validation on protected methods (runs after body parsing)
+ *
+ * @param sigil - Initialized SigilInstance
+ * @param options - Middleware configuration options
+ * @returns Fastify plugin function
+ *
+ * @example
+ * ```typescript
+ * import Fastify from 'fastify'
+ * import { createSigil } from '@sigil-security/runtime'
+ * import { createFastifyPlugin } from '@sigil-security/runtime/fastify'
+ *
+ * const sigil = await createSigil({ ... })
+ * const fastify = Fastify()
+ * fastify.register(createFastifyPlugin(sigil))
+ * ```
+ */
+declare function createFastifyPlugin(sigil: SigilInstance, options?: MiddlewareOptions): FastifyPlugin;
+export { type FastifyLikeInstance, type FastifyLikeReply, type FastifyLikeRequest, type FastifyPlugin, type FastifyPluginDone, createFastifyPlugin };