@sigil-security/runtime 0.0.0

package/dist/index.d.cts

@@ -0,0 +1,201 @@
+import { S as SigilConfig, a as SigilInstance, T as TokenEndpointResult } from './types-DySgT8rA.cjs';
+export { D as DEFAULT_ONESHOT_ENDPOINT_PATH, b as DEFAULT_TOKEN_ENDPOINT_PATH, E as ErrorResponseBody, M as MetadataExtractor, c as MiddlewareOptions, O as OneShotTokenRequestBody, P as ProtectResult, R as ResolvedSigilConfig, d as TokenEndpointRequest, e as TokenGenerationResponse, f as TokenValidationResponse } from './types-DySgT8rA.cjs';
+import { TokenSource, RequestMetadata } from '@sigil-security/policy';
+import '@sigil-security/core';
+
+/**
+ * Creates a Sigil runtime instance.
+ *
+ * This is the main entry point for Sigil. It initializes keyrings,
+ * sets up policy chains, and returns an orchestration instance
+ * that adapters use for token generation, validation, and request protection.
+ *
+ * @param config - Sigil configuration
+ * @returns Initialized SigilInstance
+ *
+ * @example
+ * ```typescript
+ * const sigil = await createSigil({
+ *   masterSecret: process.env.CSRF_SECRET!,
+ *   allowedOrigins: ['https://example.com'],
+ * })
+ *
+ * // Generate a token
+ * const result = await sigil.generateToken()
+ *
+ * // Protect a request
+ * const protection = await sigil.protect(metadata)
+ * ```
+ */
+declare function createSigil(config: SigilConfig): Promise<SigilInstance>;
+
+/**
+ * Framework-agnostic error response structure.
+ *
+ * Used by all adapters to produce consistent 403 responses.
+ */
+interface ErrorResponse {
+    readonly status: number;
+    readonly body: {
+        readonly error: string;
+    };
+    readonly headers: Readonly<Record<string, string>>;
+}
+/**
+ * Creates a uniform 403 error response.
+ *
+ * - Always returns `403 { error: "CSRF validation failed" }`
+ * - If the token is expired, adds `X-CSRF-Token-Expired: true` header
+ *   (allows client-side silent refresh without exposing failure reason)
+ *
+ * @param expired - Whether the failure is due to token expiry
+ * @returns Framework-agnostic error response
+ */
+declare function createErrorResponse(expired: boolean): ErrorResponse;
+/**
+ * Creates a framework-agnostic success response for token generation.
+ *
+ * @param token - Generated token string
+ * @param expiresAt - Token expiration timestamp (milliseconds)
+ */
+declare function createTokenResponse(token: string, expiresAt: number): {
+    readonly status: number;
+    readonly body: {
+        readonly token: string;
+        readonly expiresAt: number;
+    };
+};
+/**
+ * Creates a framework-agnostic success response for one-shot token generation.
+ *
+ * @param token - Generated one-shot token string
+ * @param expiresAt - Token expiration timestamp (milliseconds)
+ * @param action - The action the token is bound to
+ */
+declare function createOneShotTokenResponse(token: string, expiresAt: number, action: string): {
+    readonly status: number;
+    readonly body: {
+        readonly token: string;
+        readonly expiresAt: number;
+        readonly action: string;
+    };
+};
+
+/**
+ * Normalizes a URL path for consistent comparison.
+ *
+ * **Security (L3 fix):** Strips trailing slashes to prevent
+ * protection bypass via `/health/` vs `/health` mismatch.
+ * Does NOT lowercase (paths are case-sensitive per RFC 3986).
+ *
+ * @param path - URL path to normalize
+ * @returns Normalized path (no trailing slash, except for root "/")
+ */
+declare function normalizePath(path: string): string;
+/**
+ * Creates a normalized Set from an array of paths for consistent matching.
+ *
+ * @param paths - Array of paths to normalize
+ * @returns Set of normalized paths
+ */
+declare function normalizePathSet(paths: readonly string[]): Set<string>;
+/**
+ * Generic header getter function.
+ * Adapters implement this to bridge framework-specific header access.
+ */
+type HeaderGetter = (name: string) => string | null;
+/**
+ * Assembles normalized `RequestMetadata` from generic request components.
+ *
+ * This is the single point where framework-specific HTTP objects
+ * are transformed into the policy layer's input format.
+ *
+ * @param method - HTTP method (will be uppercased)
+ * @param getHeader - Framework-specific header getter
+ * @param tokenSource - Pre-resolved token source
+ * @returns Normalized RequestMetadata for the policy layer
+ */
+declare function extractRequestMetadata(method: string, getHeader: HeaderGetter, tokenSource: TokenSource): RequestMetadata;
+/**
+ * Parses Content-Type header, stripping parameters (charset, boundary, etc.).
+ *
+ * @example
+ * parseContentType("application/json; charset=utf-8") → "application/json"
+ * parseContentType(null) → null
+ */
+declare function parseContentType(contentType: string | null): string | null;
+/**
+ * Extracts CSRF token from a custom header.
+ *
+ * @param getHeader - Header getter function
+ * @param headerName - Header name to check (default: 'x-csrf-token')
+ * @returns TokenSource from header, or { from: 'none' }
+ */
+declare function extractTokenFromHeader(getHeader: HeaderGetter, headerName?: string): TokenSource;
+/**
+ * Extracts CSRF token from a parsed JSON body.
+ *
+ * @param body - Parsed request body (or null/undefined)
+ * @param fieldName - JSON field name (default: 'csrf_token')
+ * @returns TokenSource if found, or null
+ */
+declare function extractTokenFromJsonBody(body: Record<string, unknown> | null | undefined, fieldName?: string): TokenSource | null;
+/**
+ * Extracts CSRF token from a parsed form body.
+ *
+ * @param body - Parsed form body (or null/undefined)
+ * @param fieldName - Form field name (default: 'csrf_token')
+ * @returns TokenSource if found, or null
+ */
+declare function extractTokenFromFormBody(body: Record<string, unknown> | null | undefined, fieldName?: string): TokenSource | null;
+/**
+ * Resolves token source following the transport precedence from SPECIFICATION.md §8.3:
+ *
+ * 1. Custom header (highest priority): `X-CSRF-Token`
+ * 2. Request body (JSON): `{ "csrf_token": "..." }`
+ * 3. Request body (form): `csrf_token=...`
+ * 4. Query parameter: NEVER (not supported)
+ *
+ * First valid token wins. Multiple tokens → first match wins.
+ *
+ * @param getHeader - Header getter function
+ * @param body - Parsed request body (JSON or form-encoded)
+ * @param contentType - Parsed Content-Type MIME (lowercase, no params)
+ * @param headerName - Custom header name override
+ * @param jsonFieldName - Custom JSON field name override
+ * @param formFieldName - Custom form field name override
+ * @returns Resolved TokenSource
+ */
+declare function resolveTokenSource(getHeader: HeaderGetter, body: Record<string, unknown> | null | undefined, contentType: string | null, headerName?: string, jsonFieldName?: string, formFieldName?: string): TokenSource;
+
+/**
+ * Handles token generation requests.
+ *
+ * This is a framework-agnostic handler that processes token endpoint requests.
+ * Each adapter calls this and maps the result to framework-specific responses.
+ *
+ * Supported endpoints:
+ * - `GET {tokenEndpointPath}` → Generate a regular CSRF token
+ * - `POST {oneShotEndpointPath}` → Generate a one-shot token (requires action binding)
+ *
+ * **Security (M2 fix):** The one-shot endpoint (POST) requires a valid regular
+ * CSRF token in the request header. This prevents cross-origin one-shot token
+ * generation and nonce cache exhaustion attacks.
+ *
+ * @param sigil - The Sigil instance
+ * @param method - HTTP method (uppercase)
+ * @param path - Request path
+ * @param body - Parsed request body (for POST endpoints)
+ * @param tokenEndpointPath - Token generation endpoint path
+ * @param oneShotEndpointPath - One-shot token endpoint path
+ * @param csrfTokenValue - CSRF token from request header (required for POST one-shot endpoint)
+ * @returns TokenEndpointResult if the request was handled, or null if not a token endpoint
+ */
+declare function handleTokenEndpoint(sigil: SigilInstance, method: string, path: string, body: Record<string, unknown> | null | undefined, tokenEndpointPath: string, oneShotEndpointPath: string, csrfTokenValue?: string | null): Promise<TokenEndpointResult | null>;
+/**
+ * Creates a standardized error result for the token endpoint.
+ * Used by adapters when they need to produce error responses.
+ */
+declare function createTokenEndpointError(expired: boolean): TokenEndpointResult;
+
+export { type ErrorResponse, type HeaderGetter, SigilConfig, SigilInstance, TokenEndpointResult, createErrorResponse, createOneShotTokenResponse, createSigil, createTokenEndpointError, createTokenResponse, extractRequestMetadata, extractTokenFromFormBody, extractTokenFromHeader, extractTokenFromJsonBody, handleTokenEndpoint, normalizePath, normalizePathSet, parseContentType, resolveTokenSource };

package/dist/index.d.ts

@@ -0,0 +1,201 @@
+import { S as SigilConfig, a as SigilInstance, T as TokenEndpointResult } from './types-DySgT8rA.js';
+export { D as DEFAULT_ONESHOT_ENDPOINT_PATH, b as DEFAULT_TOKEN_ENDPOINT_PATH, E as ErrorResponseBody, M as MetadataExtractor, c as MiddlewareOptions, O as OneShotTokenRequestBody, P as ProtectResult, R as ResolvedSigilConfig, d as TokenEndpointRequest, e as TokenGenerationResponse, f as TokenValidationResponse } from './types-DySgT8rA.js';
+import { TokenSource, RequestMetadata } from '@sigil-security/policy';
+import '@sigil-security/core';
+
+/**
+ * Creates a Sigil runtime instance.
+ *
+ * This is the main entry point for Sigil. It initializes keyrings,
+ * sets up policy chains, and returns an orchestration instance
+ * that adapters use for token generation, validation, and request protection.
+ *
+ * @param config - Sigil configuration
+ * @returns Initialized SigilInstance
+ *
+ * @example
+ * ```typescript
+ * const sigil = await createSigil({
+ *   masterSecret: process.env.CSRF_SECRET!,
+ *   allowedOrigins: ['https://example.com'],
+ * })
+ *
+ * // Generate a token
+ * const result = await sigil.generateToken()
+ *
+ * // Protect a request
+ * const protection = await sigil.protect(metadata)
+ * ```
+ */
+declare function createSigil(config: SigilConfig): Promise<SigilInstance>;
+
+/**
+ * Framework-agnostic error response structure.
+ *
+ * Used by all adapters to produce consistent 403 responses.
+ */
+interface ErrorResponse {
+    readonly status: number;
+    readonly body: {
+        readonly error: string;
+    };
+    readonly headers: Readonly<Record<string, string>>;
+}
+/**
+ * Creates a uniform 403 error response.
+ *
+ * - Always returns `403 { error: "CSRF validation failed" }`
+ * - If the token is expired, adds `X-CSRF-Token-Expired: true` header
+ *   (allows client-side silent refresh without exposing failure reason)
+ *
+ * @param expired - Whether the failure is due to token expiry
+ * @returns Framework-agnostic error response
+ */
+declare function createErrorResponse(expired: boolean): ErrorResponse;
+/**
+ * Creates a framework-agnostic success response for token generation.
+ *
+ * @param token - Generated token string
+ * @param expiresAt - Token expiration timestamp (milliseconds)
+ */
+declare function createTokenResponse(token: string, expiresAt: number): {
+    readonly status: number;
+    readonly body: {
+        readonly token: string;
+        readonly expiresAt: number;
+    };
+};
+/**
+ * Creates a framework-agnostic success response for one-shot token generation.
+ *
+ * @param token - Generated one-shot token string
+ * @param expiresAt - Token expiration timestamp (milliseconds)
+ * @param action - The action the token is bound to
+ */
+declare function createOneShotTokenResponse(token: string, expiresAt: number, action: string): {
+    readonly status: number;
+    readonly body: {
+        readonly token: string;
+        readonly expiresAt: number;
+        readonly action: string;
+    };
+};
+
+/**
+ * Normalizes a URL path for consistent comparison.
+ *
+ * **Security (L3 fix):** Strips trailing slashes to prevent
+ * protection bypass via `/health/` vs `/health` mismatch.
+ * Does NOT lowercase (paths are case-sensitive per RFC 3986).
+ *
+ * @param path - URL path to normalize
+ * @returns Normalized path (no trailing slash, except for root "/")
+ */
+declare function normalizePath(path: string): string;
+/**
+ * Creates a normalized Set from an array of paths for consistent matching.
+ *
+ * @param paths - Array of paths to normalize
+ * @returns Set of normalized paths
+ */
+declare function normalizePathSet(paths: readonly string[]): Set<string>;
+/**
+ * Generic header getter function.
+ * Adapters implement this to bridge framework-specific header access.
+ */
+type HeaderGetter = (name: string) => string | null;
+/**
+ * Assembles normalized `RequestMetadata` from generic request components.
+ *
+ * This is the single point where framework-specific HTTP objects
+ * are transformed into the policy layer's input format.
+ *
+ * @param method - HTTP method (will be uppercased)
+ * @param getHeader - Framework-specific header getter
+ * @param tokenSource - Pre-resolved token source
+ * @returns Normalized RequestMetadata for the policy layer
+ */
+declare function extractRequestMetadata(method: string, getHeader: HeaderGetter, tokenSource: TokenSource): RequestMetadata;
+/**
+ * Parses Content-Type header, stripping parameters (charset, boundary, etc.).
+ *
+ * @example
+ * parseContentType("application/json; charset=utf-8") → "application/json"
+ * parseContentType(null) → null
+ */
+declare function parseContentType(contentType: string | null): string | null;
+/**
+ * Extracts CSRF token from a custom header.
+ *
+ * @param getHeader - Header getter function
+ * @param headerName - Header name to check (default: 'x-csrf-token')
+ * @returns TokenSource from header, or { from: 'none' }
+ */
+declare function extractTokenFromHeader(getHeader: HeaderGetter, headerName?: string): TokenSource;
+/**
+ * Extracts CSRF token from a parsed JSON body.
+ *
+ * @param body - Parsed request body (or null/undefined)
+ * @param fieldName - JSON field name (default: 'csrf_token')
+ * @returns TokenSource if found, or null
+ */
+declare function extractTokenFromJsonBody(body: Record<string, unknown> | null | undefined, fieldName?: string): TokenSource | null;
+/**
+ * Extracts CSRF token from a parsed form body.
+ *
+ * @param body - Parsed form body (or null/undefined)
+ * @param fieldName - Form field name (default: 'csrf_token')
+ * @returns TokenSource if found, or null
+ */
+declare function extractTokenFromFormBody(body: Record<string, unknown> | null | undefined, fieldName?: string): TokenSource | null;
+/**
+ * Resolves token source following the transport precedence from SPECIFICATION.md §8.3:
+ *
+ * 1. Custom header (highest priority): `X-CSRF-Token`
+ * 2. Request body (JSON): `{ "csrf_token": "..." }`
+ * 3. Request body (form): `csrf_token=...`
+ * 4. Query parameter: NEVER (not supported)
+ *
+ * First valid token wins. Multiple tokens → first match wins.
+ *
+ * @param getHeader - Header getter function
+ * @param body - Parsed request body (JSON or form-encoded)
+ * @param contentType - Parsed Content-Type MIME (lowercase, no params)
+ * @param headerName - Custom header name override
+ * @param jsonFieldName - Custom JSON field name override
+ * @param formFieldName - Custom form field name override
+ * @returns Resolved TokenSource
+ */
+declare function resolveTokenSource(getHeader: HeaderGetter, body: Record<string, unknown> | null | undefined, contentType: string | null, headerName?: string, jsonFieldName?: string, formFieldName?: string): TokenSource;
+
+/**
+ * Handles token generation requests.
+ *
+ * This is a framework-agnostic handler that processes token endpoint requests.
+ * Each adapter calls this and maps the result to framework-specific responses.
+ *
+ * Supported endpoints:
+ * - `GET {tokenEndpointPath}` → Generate a regular CSRF token
+ * - `POST {oneShotEndpointPath}` → Generate a one-shot token (requires action binding)
+ *
+ * **Security (M2 fix):** The one-shot endpoint (POST) requires a valid regular
+ * CSRF token in the request header. This prevents cross-origin one-shot token
+ * generation and nonce cache exhaustion attacks.
+ *
+ * @param sigil - The Sigil instance
+ * @param method - HTTP method (uppercase)
+ * @param path - Request path
+ * @param body - Parsed request body (for POST endpoints)
+ * @param tokenEndpointPath - Token generation endpoint path
+ * @param oneShotEndpointPath - One-shot token endpoint path
+ * @param csrfTokenValue - CSRF token from request header (required for POST one-shot endpoint)
+ * @returns TokenEndpointResult if the request was handled, or null if not a token endpoint
+ */
+declare function handleTokenEndpoint(sigil: SigilInstance, method: string, path: string, body: Record<string, unknown> | null | undefined, tokenEndpointPath: string, oneShotEndpointPath: string, csrfTokenValue?: string | null): Promise<TokenEndpointResult | null>;
+/**
+ * Creates a standardized error result for the token endpoint.
+ * Used by adapters when they need to produce error responses.
+ */
+declare function createTokenEndpointError(expired: boolean): TokenEndpointResult;
+
+export { type ErrorResponse, type HeaderGetter, SigilConfig, SigilInstance, TokenEndpointResult, createErrorResponse, createOneShotTokenResponse, createSigil, createTokenEndpointError, createTokenResponse, extractRequestMetadata, extractTokenFromFormBody, extractTokenFromHeader, extractTokenFromJsonBody, handleTokenEndpoint, normalizePath, normalizePathSet, parseContentType, resolveTokenSource };

package/dist/index.js

@@ -0,0 +1,284 @@
+import {
+  DEFAULT_ONESHOT_ENDPOINT_PATH,
+  DEFAULT_TOKEN_ENDPOINT_PATH,
+  createErrorResponse,
+  createOneShotTokenResponse,
+  createTokenEndpointError,
+  createTokenResponse,
+  extractRequestMetadata,
+  extractTokenFromFormBody,
+  extractTokenFromHeader,
+  extractTokenFromJsonBody,
+  handleTokenEndpoint,
+  normalizePath,
+  normalizePathSet,
+  parseContentType,
+  resolveTokenSource
+} from "./chunk-JPT5I5W5.js";
+
+// src/sigil.ts
+import {
+  WebCryptoCryptoProvider,
+  createKeyring,
+  rotateKey,
+  getActiveKey,
+  generateToken as coreGenerateToken,
+  validateToken as coreValidateToken,
+  computeContext,
+  generateOneShotToken as coreGenerateOneShotToken,
+  validateOneShotToken as coreValidateOneShotToken,
+  createNonceCache,
+  DEFAULT_TOKEN_TTL_MS,
+  DEFAULT_GRACE_WINDOW_MS,
+  DEFAULT_ONESHOT_TTL_MS
+} from "@sigil-security/core";
+import {
+  createFetchMetadataPolicy,
+  createOriginPolicy,
+  createMethodPolicy,
+  createContentTypePolicy,
+  detectClientMode,
+  isProtectedMethod,
+  evaluatePolicyChain,
+  DEFAULT_HEADER_NAME,
+  DEFAULT_ONESHOT_HEADER_NAME,
+  DEFAULT_PROTECTED_METHODS
+} from "@sigil-security/policy";
+var MIN_MASTER_SECRET_BYTES = 32;
+function normalizeMasterSecret(secret) {
+  if (typeof secret !== "string") {
+    if (secret.byteLength < MIN_MASTER_SECRET_BYTES) {
+      throw new Error(
+        `Master secret must be at least ${String(MIN_MASTER_SECRET_BYTES)} bytes, got ${String(secret.byteLength)} bytes. Use a cryptographically strong secret.`
+      );
+    }
+    return secret;
+  }
+  const encoder = new TextEncoder();
+  const bytes = encoder.encode(secret);
+  if (bytes.byteLength < MIN_MASTER_SECRET_BYTES) {
+    throw new Error(
+      `Master secret must be at least ${String(MIN_MASTER_SECRET_BYTES)} bytes when UTF-8 encoded, got ${String(bytes.byteLength)} bytes. Use a cryptographically strong secret.`
+    );
+  }
+  const buffer = new ArrayBuffer(bytes.byteLength);
+  new Uint8Array(buffer).set(bytes);
+  return buffer;
+}
+function resolveConfig(config) {
+  return {
+    tokenTTL: config.tokenTTL ?? DEFAULT_TOKEN_TTL_MS,
+    graceWindow: config.graceWindow ?? DEFAULT_GRACE_WINDOW_MS,
+    allowedOrigins: config.allowedOrigins,
+    legacyBrowserMode: config.legacyBrowserMode ?? "degraded",
+    allowApiMode: config.allowApiMode ?? true,
+    protectedMethods: config.protectedMethods ?? DEFAULT_PROTECTED_METHODS,
+    contextBinding: config.contextBinding,
+    oneShotEnabled: config.oneShotEnabled ?? false,
+    oneShotTTL: config.oneShotTTL ?? DEFAULT_ONESHOT_TTL_MS,
+    headerName: config.headerName ?? DEFAULT_HEADER_NAME,
+    oneShotHeaderName: config.oneShotHeaderName ?? DEFAULT_ONESHOT_HEADER_NAME,
+    disableClientModeOverride: config.disableClientModeOverride ?? false
+  };
+}
+async function validateOneShotWithKeyring(cryptoProvider, keyring, tokenString, expectedAction, nonceCache, expectedContext, ttlMs) {
+  let lastResult = { valid: false, reason: "no_keys" };
+  for (const key of keyring.keys) {
+    const result = await coreValidateOneShotToken(
+      cryptoProvider,
+      key,
+      tokenString,
+      expectedAction,
+      nonceCache,
+      expectedContext,
+      ttlMs
+    );
+    if (result.valid) return result;
+    lastResult = result;
+  }
+  return lastResult;
+}
+async function createSigil(config) {
+  const resolved = resolveConfig(config);
+  const cryptoProvider = config.cryptoProvider ?? new WebCryptoCryptoProvider();
+  const masterSecret = normalizeMasterSecret(config.masterSecret);
+  let kidCounter = 0;
+  function nextKid() {
+    kidCounter = kidCounter + 1 & 255;
+    return kidCounter;
+  }
+  const initialKid = nextKid();
+  let csrfKeyring = await createKeyring(cryptoProvider, masterSecret, initialKid, "csrf");
+  let oneShotKeyring = null;
+  let nonceCache = null;
+  if (resolved.oneShotEnabled) {
+    oneShotKeyring = await createKeyring(cryptoProvider, masterSecret, initialKid, "oneshot");
+    nonceCache = createNonceCache();
+  }
+  const browserPolicies = [
+    createMethodPolicy({ protectedMethods: [...resolved.protectedMethods] }),
+    createFetchMetadataPolicy({ legacyBrowserMode: resolved.legacyBrowserMode }),
+    createOriginPolicy({ allowedOrigins: [...resolved.allowedOrigins] }),
+    createContentTypePolicy()
+  ];
+  const apiPolicies = [
+    createMethodPolicy({ protectedMethods: [...resolved.protectedMethods] }),
+    createContentTypePolicy()
+  ];
+  const instance = {
+    config: resolved,
+    async generateToken(context) {
+      const activeKey = getActiveKey(csrfKeyring);
+      if (activeKey === void 0) {
+        return { success: false, reason: "no_active_key" };
+      }
+      let contextBytes;
+      if (context !== void 0 && context.length > 0) {
+        contextBytes = await computeContext(cryptoProvider, ...context);
+      }
+      return coreGenerateToken(cryptoProvider, activeKey, contextBytes, resolved.tokenTTL);
+    },
+    async validateToken(tokenString, expectedContext) {
+      let contextBytes;
+      if (expectedContext !== void 0 && expectedContext.length > 0) {
+        contextBytes = await computeContext(cryptoProvider, ...expectedContext);
+      }
+      return coreValidateToken(
+        cryptoProvider,
+        csrfKeyring,
+        tokenString,
+        contextBytes,
+        resolved.tokenTTL,
+        resolved.graceWindow
+      );
+    },
+    async generateOneShotToken(action, context) {
+      if (!resolved.oneShotEnabled || oneShotKeyring === null) {
+        return { success: false, reason: "oneshot_not_enabled" };
+      }
+      const activeKey = getActiveKey(oneShotKeyring);
+      if (activeKey === void 0) {
+        return { success: false, reason: "no_active_key" };
+      }
+      let contextBytes;
+      if (context !== void 0 && context.length > 0) {
+        contextBytes = await computeContext(cryptoProvider, ...context);
+      }
+      return coreGenerateOneShotToken(
+        cryptoProvider,
+        activeKey,
+        action,
+        contextBytes,
+        resolved.oneShotTTL
+      );
+    },
+    async validateOneShotToken(tokenString, expectedAction, expectedContext) {
+      if (!resolved.oneShotEnabled || oneShotKeyring === null || nonceCache === null) {
+        return { valid: false, reason: "oneshot_not_enabled" };
+      }
+      let contextBytes;
+      if (expectedContext !== void 0 && expectedContext.length > 0) {
+        contextBytes = await computeContext(cryptoProvider, ...expectedContext);
+      }
+      return validateOneShotWithKeyring(
+        cryptoProvider,
+        oneShotKeyring,
+        tokenString,
+        expectedAction,
+        nonceCache,
+        contextBytes,
+        resolved.oneShotTTL
+      );
+    },
+    async rotateKeys() {
+      const newKid = nextKid();
+      csrfKeyring = await rotateKey(csrfKeyring, cryptoProvider, masterSecret, newKid);
+      if (oneShotKeyring !== null) {
+        oneShotKeyring = await rotateKey(oneShotKeyring, cryptoProvider, masterSecret, newKid);
+      }
+    },
+    async protect(metadata, contextBindings) {
+      if (!isProtectedMethod(metadata.method, [...resolved.protectedMethods])) {
+        return {
+          allowed: true,
+          tokenValid: false,
+          policyResult: { allowed: true, evaluated: [], failures: [] }
+        };
+      }
+      const mode = detectClientMode(metadata, {
+        disableClientModeOverride: resolved.disableClientModeOverride
+      });
+      if (mode === "api" && !resolved.allowApiMode) {
+        return {
+          allowed: false,
+          reason: "api_mode_not_allowed",
+          expired: false,
+          policyResult: null
+        };
+      }
+      const policies = mode === "browser" ? browserPolicies : apiPolicies;
+      const policyResult = evaluatePolicyChain(policies, metadata);
+      if (!policyResult.allowed) {
+        return {
+          allowed: false,
+          reason: policyResult.reason,
+          expired: false,
+          policyResult
+        };
+      }
+      if (metadata.tokenSource.from === "none") {
+        return {
+          allowed: false,
+          reason: "no_token_present",
+          expired: false,
+          policyResult
+        };
+      }
+      let contextBytes;
+      if (contextBindings !== void 0 && contextBindings.length > 0) {
+        contextBytes = await computeContext(cryptoProvider, ...contextBindings);
+      }
+      const tokenResult = await coreValidateToken(
+        cryptoProvider,
+        csrfKeyring,
+        metadata.tokenSource.value,
+        contextBytes,
+        resolved.tokenTTL,
+        resolved.graceWindow
+      );
+      if (!tokenResult.valid) {
+        return {
+          allowed: false,
+          reason: tokenResult.reason,
+          expired: tokenResult.reason === "expired",
+          policyResult
+        };
+      }
+      return {
+        allowed: true,
+        tokenValid: true,
+        policyResult
+      };
+    }
+  };
+  return instance;
+}
+export {
+  DEFAULT_ONESHOT_ENDPOINT_PATH,
+  DEFAULT_TOKEN_ENDPOINT_PATH,
+  createErrorResponse,
+  createOneShotTokenResponse,
+  createSigil,
+  createTokenEndpointError,
+  createTokenResponse,
+  extractRequestMetadata,
+  extractTokenFromFormBody,
+  extractTokenFromHeader,
+  extractTokenFromJsonBody,
+  handleTokenEndpoint,
+  normalizePath,
+  normalizePathSet,
+  parseContentType,
+  resolveTokenSource
+};
+//# sourceMappingURL=index.js.map