@spring-systems/server 0.8.0

package/dist/chunk-OYTV4D7E.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/proxy-middleware.ts"],"sourcesContent":["import { getFrameworkConfig } from \"@spring-systems/core/config\";\nimport { type NextRequest, NextResponse } from \"next/server.js\";\n\nimport { BASE_SECURITY_HEADER_VALUES } from \"./security-headers\";\n\nfunction toOriginSource(value: string): string[] {\n    const raw = value.trim();\n    if (!raw) return [];\n\n    try {\n        const parsed = new URL(raw);\n        const out = [parsed.origin];\n\n        if (parsed.protocol === \"https:\") {\n            out.push(`wss://${parsed.host}`);\n        } else if (parsed.protocol === \"http:\") {\n            out.push(`ws://${parsed.host}`);\n        }\n\n        return out;\n    } catch {\n        return [];\n    }\n}\n\nconst BLOCKED_CSP_SCHEMES = new Set([\"javascript:\", \"data:\", \"blob:\", \"vbscript:\", \"filesystem:\"]);\n\nfunction parseCspSource(token: string): string | null {\n    const value = token.trim();\n    if (!value) return null;\n\n    // Prevent header/CSP injection via env values.\n    if (/[\\s;,\\r\\n]/.test(value)) return null;\n\n    // Allow safe scheme sources (e.g. https:, wss:). Block dangerous schemes\n    // that enable XSS or data exfiltration when used in CSP directives.\n    if (/^[a-zA-Z][a-zA-Z0-9+.-]*:$/.test(value)) {\n        const lower = value.toLowerCase();\n        if (BLOCKED_CSP_SCHEMES.has(lower)) return null;\n        return lower;\n    }\n\n    try {\n        const parsed = new URL(value);\n        if (![\"http:\", \"https:\", \"ws:\", \"wss:\"].includes(parsed.protocol)) return null;\n        if (parsed.username || parsed.password) return null;\n        if (parsed.pathname !== \"/\" || parsed.search || parsed.hash) return null;\n        return `${parsed.protocol}//${parsed.host}`;\n    } catch {\n        return null;\n    }\n}\n\nfunction parseReportUri(value: string): string | null {\n    const trimmed = value.trim();\n    if (!trimmed) return null;\n    // Block header injection characters and double-quotes (used in Reporting-Endpoints structured header).\n    if (/[\\s;,\\r\\n\"]/.test(trimmed)) return null;\n    try {\n        const parsed = new URL(trimmed);\n        if (![\"http:\", \"https:\"].includes(parsed.protocol)) return null;\n        if (parsed.username || parsed.password) return null;\n        return parsed.toString();\n    } catch {\n        return null;\n    }\n}\n\nfunction parseCspList(value: string): string[] {\n    const parsed = value\n        .split(\",\")\n        .map((s) => parseCspSource(s))\n        .filter((s): s is string => !!s);\n    return [...new Set(parsed)];\n}\n\nexport function proxy(req: NextRequest) {\n    const url = req.nextUrl.clone();\n\n    const TARGET_ENV = process.env.TARGET_ENV || \"test\";\n    const isProdRuntime = TARGET_ENV === \"prod\" || process.env.NODE_ENV === \"production\";\n    const isTargetProd = TARGET_ENV === \"prod\";\n\n    const isLocalHost = url.hostname === \"localhost\" || url.hostname === \"127.0.0.1\";\n\n    const nonce = crypto.randomUUID().replace(/-/g, \"\");\n    const allowUnsafeStyleAttr = process.env.CSP_ALLOW_UNSAFE_STYLE_ATTR === \"true\";\n    const denyStyleAttr = isTargetProd && !allowUnsafeStyleAttr;\n    const allowUnsafeInlineStyle = !isTargetProd;\n\n    const connectHostsEnv = parseCspList(process.env.CSP_CONNECT_HOSTS || \"\");\n    const apiConnectSources = toOriginSource(process.env.API_URL || \"\");\n    const imgHostsEnv = parseCspList(process.env.CSP_IMG_HOSTS || \"\");\n    const scriptHostsEnv = parseCspList(process.env.CSP_SCRIPT_HOSTS || \"\");\n    const frameHostsEnv = parseCspList(process.env.CSP_FRAME_HOSTS || \"\");\n\n    const cspConfig = getFrameworkConfig().csp;\n\n    // Validate framework config CSP sources through parseCspSource to prevent injection\n    const validatedConnectSources = cspConfig.thirdPartyConnectSources.map((s) => parseCspSource(s)).filter((s): s is string => !!s);\n    const validatedImgSources = cspConfig.thirdPartyImageSources.map((s) => parseCspSource(s)).filter((s): s is string => !!s);\n    const validatedScriptSources = cspConfig.thirdPartyScriptSources.map((s) => parseCspSource(s)).filter((s): s is string => !!s);\n    const validatedFrameSources = cspConfig.thirdPartyFrameSources.map((s) => parseCspSource(s)).filter((s): s is string => !!s);\n\n    const connectSrc = [\n        \"'self'\",\n        ...validatedConnectSources,\n        ...apiConnectSources,\n        ...connectHostsEnv,\n        ...(!isProdRuntime ? [\"http://localhost:*\", \"http://127.0.0.1:*\", \"ws://localhost:*\", \"ws://127.0.0.1:*\"] : []),\n    ].join(\" \");\n\n    const imgSrc = [\"'self'\", \"data:\", \"blob:\", ...validatedImgSources, ...imgHostsEnv].join(\" \");\n\n    const scriptSrcHosts = [...validatedScriptSources, ...scriptHostsEnv].join(\" \");\n    const frameSrcHosts = [...validatedFrameSources, ...frameHostsEnv].join(\" \");\n\n    const reportUri = parseReportUri(process.env.CSP_REPORT_URI || \"\");\n\n    const cspDirectives = [\n        \"default-src 'self'\",\n        \"base-uri 'self'\",\n        \"object-src 'none'\",\n        `script-src 'self' 'nonce-${nonce}' 'strict-dynamic' ${scriptSrcHosts}`,\n        `script-src-elem 'self' 'nonce-${nonce}' 'strict-dynamic' ${scriptSrcHosts}`,\n        \"script-src-attr 'none'\",\n        allowUnsafeInlineStyle ? \"style-src 'self' 'unsafe-inline'\" : `style-src 'self' 'nonce-${nonce}'`,\n        denyStyleAttr ? \"style-src-attr 'none'\" : \"style-src-attr 'unsafe-inline'\",\n        `img-src ${imgSrc}`,\n        \"media-src 'self' blob: data:\",\n        \"manifest-src 'self'\",\n        `connect-src ${connectSrc}`,\n        `frame-src ${frameSrcHosts || \"'none'\"}`,\n        \"frame-ancestors 'none'\",\n        \"form-action 'self'\",\n        ...(isTargetProd ? [\"upgrade-insecure-requests\"] : []),\n        ...(reportUri ? [`report-uri ${reportUri}`, \"report-to csp-violations\"] : []),\n    ];\n    const csp = cspDirectives.join(\"; \");\n\n    const blockedPrefixes = getFrameworkConfig().proxy.blockedPathPrefixesInProd ?? [];\n    if (isProdRuntime) {\n        for (const prefix of blockedPrefixes) {\n            if (url.pathname.startsWith(prefix)) {\n                const res = new NextResponse(\"Not Found\", { status: 404 });\n                return setSecurity(res, { isLocalHost, isTargetProd, csp, nonce, reportUri });\n            }\n        }\n    }\n\n    if (url.pathname === \"/\") {\n        const dest = new URL(url.toString());\n        if (!isLocalHost) dest.protocol = \"https:\";\n        dest.pathname = getFrameworkConfig().app.defaultRoute;\n        dest.search = \"\";\n\n        const res = makeRedirect(dest, 308);\n        return setSecurity(res, { isLocalHost, isTargetProd, csp, nonce, reportUri });\n    }\n\n    const requestHeaders = new Headers(req.headers);\n    requestHeaders.set(\"x-nonce\", nonce);\n\n    const res = NextResponse.next({ request: { headers: requestHeaders } });\n    return setSecurity(res, { isLocalHost, isTargetProd, csp, nonce, reportUri });\n}\n\nfunction setSecurity(\n    res: NextResponse,\n    opts: { isLocalHost: boolean; isTargetProd: boolean; csp?: string; nonce?: string; reportUri?: string | null }\n) {\n    const { isLocalHost, csp, nonce, reportUri } = opts;\n    if (csp) res.headers.set(\"Content-Security-Policy\", csp);\n    for (const [key, value] of Object.entries(BASE_SECURITY_HEADER_VALUES)) {\n        res.headers.set(key, value);\n    }\n    if (opts.isTargetProd && !isLocalHost)\n        res.headers.set(\"Strict-Transport-Security\", \"max-age=63072000; includeSubDomains; preload\");\n    if (reportUri) res.headers.set(\"Reporting-Endpoints\", `csp-violations=\"${reportUri}\"`);\n    if (nonce) res.headers.set(\"x-nonce\", nonce);\n    return res;\n}\n\nfunction makeRedirect(to: URL | string, status = 308) {\n    const res = new NextResponse(null, { status });\n    res.headers.set(\"Location\", typeof to === \"string\" ? to : to.toString());\n    return res;\n}\n\nexport const proxyConfig = {\n    matcher: [\"/((?!_next/static|_next/image|favicon.ico|sitemap.xml|robots.txt|api/health).*)\"],\n};\n"],"mappings":";;;;;AAAA,SAAS,0BAA0B;AACnC,SAA2B,oBAAoB;AAI/C,SAAS,eAAe,OAAyB;AAC7C,QAAM,MAAM,MAAM,KAAK;AACvB,MAAI,CAAC,IAAK,QAAO,CAAC;AAElB,MAAI;AACA,UAAM,SAAS,IAAI,IAAI,GAAG;AAC1B,UAAM,MAAM,CAAC,OAAO,MAAM;AAE1B,QAAI,OAAO,aAAa,UAAU;AAC9B,UAAI,KAAK,SAAS,OAAO,IAAI,EAAE;AAAA,IACnC,WAAW,OAAO,aAAa,SAAS;AACpC,UAAI,KAAK,QAAQ,OAAO,IAAI,EAAE;AAAA,IAClC;AAEA,WAAO;AAAA,EACX,QAAQ;AACJ,WAAO,CAAC;AAAA,EACZ;AACJ;AAEA,IAAM,sBAAsB,oBAAI,IAAI,CAAC,eAAe,SAAS,SAAS,aAAa,aAAa,CAAC;AAEjG,SAAS,eAAe,OAA8B;AAClD,QAAM,QAAQ,MAAM,KAAK;AACzB,MAAI,CAAC,MAAO,QAAO;AAGnB,MAAI,aAAa,KAAK,KAAK,EAAG,QAAO;AAIrC,MAAI,6BAA6B,KAAK,KAAK,GAAG;AAC1C,UAAM,QAAQ,MAAM,YAAY;AAChC,QAAI,oBAAoB,IAAI,KAAK,EAAG,QAAO;AAC3C,WAAO;AAAA,EACX;AAEA,MAAI;AACA,UAAM,SAAS,IAAI,IAAI,KAAK;AAC5B,QAAI,CAAC,CAAC,SAAS,UAAU,OAAO,MAAM,EAAE,SAAS,OAAO,QAAQ,EAAG,QAAO;AAC1E,QAAI,OAAO,YAAY,OAAO,SAAU,QAAO;AAC/C,QAAI,OAAO,aAAa,OAAO,OAAO,UAAU,OAAO,KAAM,QAAO;AACpE,WAAO,GAAG,OAAO,QAAQ,KAAK,OAAO,IAAI;AAAA,EAC7C,QAAQ;AACJ,WAAO;AAAA,EACX;AACJ;AAEA,SAAS,eAAe,OAA8B;AAClD,QAAM,UAAU,MAAM,KAAK;AAC3B,MAAI,CAAC,QAAS,QAAO;AAErB,MAAI,cAAc,KAAK,OAAO,EAAG,QAAO;AACxC,MAAI;AACA,UAAM,SAAS,IAAI,IAAI,OAAO;AAC9B,QAAI,CAAC,CAAC,SAAS,QAAQ,EAAE,SAAS,OAAO,QAAQ,EAAG,QAAO;AAC3D,QAAI,OAAO,YAAY,OAAO,SAAU,QAAO;AAC/C,WAAO,OAAO,SAAS;AAAA,EAC3B,QAAQ;AACJ,WAAO;AAAA,EACX;AACJ;AAEA,SAAS,aAAa,OAAyB;AAC3C,QAAM,SAAS,MACV,MAAM,GAAG,EACT,IAAI,CAAC,MAAM,eAAe,CAAC,CAAC,EAC5B,OAAO,CAAC,MAAmB,CAAC,CAAC,CAAC;AACnC,SAAO,CAAC,GAAG,IAAI,IAAI,MAAM,CAAC;AAC9B;AAEO,SAAS,MAAM,KAAkB;AACpC,QAAM,MAAM,IAAI,QAAQ,MAAM;AAE9B,QAAM,aAAa,QAAQ,IAAI,cAAc;AAC7C,QAAM,gBAAgB,eAAe,UAAU,QAAQ,IAAI,aAAa;AACxE,QAAM,eAAe,eAAe;AAEpC,QAAM,cAAc,IAAI,aAAa,eAAe,IAAI,aAAa;AAErE,QAAM,QAAQ,OAAO,WAAW,EAAE,QAAQ,MAAM,EAAE;AAClD,QAAM,uBAAuB,QAAQ,IAAI,gCAAgC;AACzE,QAAM,gBAAgB,gBAAgB,CAAC;AACvC,QAAM,yBAAyB,CAAC;AAEhC,QAAM,kBAAkB,aAAa,QAAQ,IAAI,qBAAqB,EAAE;AACxE,QAAM,oBAAoB,eAAe,QAAQ,IAAI,WAAW,EAAE;AAClE,QAAM,cAAc,aAAa,QAAQ,IAAI,iBAAiB,EAAE;AAChE,QAAM,iBAAiB,aAAa,QAAQ,IAAI,oBAAoB,EAAE;AACtE,QAAM,gBAAgB,aAAa,QAAQ,IAAI,mBAAmB,EAAE;AAEpE,QAAM,YAAY,mBAAmB,EAAE;AAGvC,QAAM,0BAA0B,UAAU,yBAAyB,IAAI,CAAC,MAAM,eAAe,CAAC,CAAC,EAAE,OAAO,CAAC,MAAmB,CAAC,CAAC,CAAC;AAC/H,QAAM,sBAAsB,UAAU,uBAAuB,IAAI,CAAC,MAAM,eAAe,CAAC,CAAC,EAAE,OAAO,CAAC,MAAmB,CAAC,CAAC,CAAC;AACzH,QAAM,yBAAyB,UAAU,wBAAwB,IAAI,CAAC,MAAM,eAAe,CAAC,CAAC,EAAE,OAAO,CAAC,MAAmB,CAAC,CAAC,CAAC;AAC7H,QAAM,wBAAwB,UAAU,uBAAuB,IAAI,CAAC,MAAM,eAAe,CAAC,CAAC,EAAE,OAAO,CAAC,MAAmB,CAAC,CAAC,CAAC;AAE3H,QAAM,aAAa;AAAA,IACf;AAAA,IACA,GAAG;AAAA,IACH,GAAG;AAAA,IACH,GAAG;AAAA,IACH,GAAI,CAAC,gBAAgB,CAAC,sBAAsB,sBAAsB,oBAAoB,kBAAkB,IAAI,CAAC;AAAA,EACjH,EAAE,KAAK,GAAG;AAEV,QAAM,SAAS,CAAC,UAAU,SAAS,SAAS,GAAG,qBAAqB,GAAG,WAAW,EAAE,KAAK,GAAG;AAE5F,QAAM,iBAAiB,CAAC,GAAG,wBAAwB,GAAG,cAAc,EAAE,KAAK,GAAG;AAC9E,QAAM,gBAAgB,CAAC,GAAG,uBAAuB,GAAG,aAAa,EAAE,KAAK,GAAG;AAE3E,QAAM,YAAY,eAAe,QAAQ,IAAI,kBAAkB,EAAE;AAEjE,QAAM,gBAAgB;AAAA,IAClB;AAAA,IACA;AAAA,IACA;AAAA,IACA,4BAA4B,KAAK,sBAAsB,cAAc;AAAA,IACrE,iCAAiC,KAAK,sBAAsB,cAAc;AAAA,IAC1E;AAAA,IACA,yBAAyB,qCAAqC,2BAA2B,KAAK;AAAA,IAC9F,gBAAgB,0BAA0B;AAAA,IAC1C,WAAW,MAAM;AAAA,IACjB;AAAA,IACA;AAAA,IACA,eAAe,UAAU;AAAA,IACzB,aAAa,iBAAiB,QAAQ;AAAA,IACtC;AAAA,IACA;AAAA,IACA,GAAI,eAAe,CAAC,2BAA2B,IAAI,CAAC;AAAA,IACpD,GAAI,YAAY,CAAC,cAAc,SAAS,IAAI,0BAA0B,IAAI,CAAC;AAAA,EAC/E;AACA,QAAM,MAAM,cAAc,KAAK,IAAI;AAEnC,QAAM,kBAAkB,mBAAmB,EAAE,MAAM,6BAA6B,CAAC;AACjF,MAAI,eAAe;AACf,eAAW,UAAU,iBAAiB;AAClC,UAAI,IAAI,SAAS,WAAW,MAAM,GAAG;AACjC,cAAMA,OAAM,IAAI,aAAa,aAAa,EAAE,QAAQ,IAAI,CAAC;AACzD,eAAO,YAAYA,MAAK,EAAE,aAAa,cAAc,KAAK,OAAO,UAAU,CAAC;AAAA,MAChF;AAAA,IACJ;AAAA,EACJ;AAEA,MAAI,IAAI,aAAa,KAAK;AACtB,UAAM,OAAO,IAAI,IAAI,IAAI,SAAS,CAAC;AACnC,QAAI,CAAC,YAAa,MAAK,WAAW;AAClC,SAAK,WAAW,mBAAmB,EAAE,IAAI;AACzC,SAAK,SAAS;AAEd,UAAMA,OAAM,aAAa,MAAM,GAAG;AAClC,WAAO,YAAYA,MAAK,EAAE,aAAa,cAAc,KAAK,OAAO,UAAU,CAAC;AAAA,EAChF;AAEA,QAAM,iBAAiB,IAAI,QAAQ,IAAI,OAAO;AAC9C,iBAAe,IAAI,WAAW,KAAK;AAEnC,QAAM,MAAM,aAAa,KAAK,EAAE,SAAS,EAAE,SAAS,eAAe,EAAE,CAAC;AACtE,SAAO,YAAY,KAAK,EAAE,aAAa,cAAc,KAAK,OAAO,UAAU,CAAC;AAChF;AAEA,SAAS,YACL,KACA,MACF;AACE,QAAM,EAAE,aAAa,KAAK,OAAO,UAAU,IAAI;AAC/C,MAAI,IAAK,KAAI,QAAQ,IAAI,2BAA2B,GAAG;AACvD,aAAW,CAAC,KAAK,KAAK,KAAK,OAAO,QAAQ,2BAA2B,GAAG;AACpE,QAAI,QAAQ,IAAI,KAAK,KAAK;AAAA,EAC9B;AACA,MAAI,KAAK,gBAAgB,CAAC;AACtB,QAAI,QAAQ,IAAI,6BAA6B,8CAA8C;AAC/F,MAAI,UAAW,KAAI,QAAQ,IAAI,uBAAuB,mBAAmB,SAAS,GAAG;AACrF,MAAI,MAAO,KAAI,QAAQ,IAAI,WAAW,KAAK;AAC3C,SAAO;AACX;AAEA,SAAS,aAAa,IAAkB,SAAS,KAAK;AAClD,QAAM,MAAM,IAAI,aAAa,MAAM,EAAE,OAAO,CAAC;AAC7C,MAAI,QAAQ,IAAI,YAAY,OAAO,OAAO,WAAW,KAAK,GAAG,SAAS,CAAC;AACvE,SAAO;AACX;AAEO,IAAM,cAAc;AAAA,EACvB,SAAS,CAAC,iFAAiF;AAC/F;","names":["res"]}

package/dist/chunk-YV6DZVPI.js

@@ -0,0 +1,43 @@
+// src/runtime-env-route.ts
+import { getRuntimeEnvKeys } from "@spring-systems/core/config";
+import { NextResponse } from "next/server.js";
+async function GET() {
+  const isProd = (process.env.NODE_ENV || "") === "production" || (process.env.TARGET_ENV || "") === "prod";
+  const allowInProd = (process.env.RUNTIME_ENV_PUBLIC_IN_PROD || "").toLowerCase() === "true";
+  if (isProd && !allowInProd) {
+    return NextResponse.json({ error: "Not found" }, { status: 404 });
+  }
+  const filtered = Object.fromEntries(
+    getRuntimeEnvKeys().map((key) => [key, process.env[key]]).filter(([, value]) => typeof value === "string")
+  );
+  return NextResponse.json(filtered, {
+    status: 200,
+    headers: {
+      "Cache-Control": "no-store, no-cache, must-revalidate, proxy-revalidate",
+      Pragma: "no-cache",
+      Expires: "0"
+    }
+  });
+}
+
+// src/RuntimeEnvScript.tsx
+import { getRuntimeEnvKeys as getRuntimeEnvKeys2 } from "@spring-systems/core/config";
+import { jsx } from "react/jsx-runtime";
+function serializeForInlineScript(value) {
+  return JSON.stringify(value).replace(/</g, "\\u003C").replace(/>/g, "\\u003E").replace(/&/g, "\\u0026").replace(/\u2028/g, "\\u2028").replace(/\u2029/g, "\\u2029");
+}
+function RuntimeEnvScript({ nonce }) {
+  const runtimeEnv = {};
+  for (const k of getRuntimeEnvKeys2()) {
+    const v = process.env[k];
+    if (typeof v === "string") runtimeEnv[k] = v;
+  }
+  const inline = `window.__RUNTIME_ENV__ = ${serializeForInlineScript(runtimeEnv)};`;
+  return /* @__PURE__ */ jsx("script", { id: "runtime-env", nonce, suppressHydrationWarning: true, dangerouslySetInnerHTML: { __html: inline } });
+}
+
+export {
+  GET,
+  RuntimeEnvScript
+};
+//# sourceMappingURL=chunk-YV6DZVPI.js.map

package/dist/chunk-YV6DZVPI.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/runtime-env-route.ts","../src/RuntimeEnvScript.tsx"],"sourcesContent":["import { getRuntimeEnvKeys } from \"@spring-systems/core/config\";\nimport { NextResponse } from \"next/server.js\";\n\nexport async function GET() {\n    const isProd = (process.env.NODE_ENV || \"\") === \"production\" || (process.env.TARGET_ENV || \"\") === \"prod\";\n    const allowInProd = (process.env.RUNTIME_ENV_PUBLIC_IN_PROD || \"\").toLowerCase() === \"true\";\n    if (isProd && !allowInProd) {\n        return NextResponse.json({ error: \"Not found\" }, { status: 404 });\n    }\n\n    const filtered = Object.fromEntries(\n        getRuntimeEnvKeys()\n            .map((key) => [key, process.env[key]] as const)\n            .filter(([, value]) => typeof value === \"string\")\n    );\n\n    return NextResponse.json(filtered, {\n        status: 200,\n        headers: {\n            \"Cache-Control\": \"no-store, no-cache, must-revalidate, proxy-revalidate\",\n            Pragma: \"no-cache\",\n            Expires: \"0\",\n        },\n    });\n}\n","import { getRuntimeEnvKeys } from \"@spring-systems/core/config\";\n\nfunction serializeForInlineScript(value: unknown): string {\n    return JSON.stringify(value)\n        .replace(/</g, \"\\\\u003C\")\n        .replace(/>/g, \"\\\\u003E\")\n        .replace(/&/g, \"\\\\u0026\")\n        .replace(/\\u2028/g, \"\\\\u2028\")\n        .replace(/\\u2029/g, \"\\\\u2029\");\n}\n\nexport interface RuntimeEnvScriptProps {\n    nonce?: string;\n}\n\nexport function RuntimeEnvScript({ nonce }: RuntimeEnvScriptProps) {\n    const runtimeEnv: Record<string, string> = {};\n    for (const k of getRuntimeEnvKeys()) {\n        const v = process.env[k];\n        if (typeof v === \"string\") runtimeEnv[k] = v;\n    }\n\n    const inline = `window.__RUNTIME_ENV__ = ${serializeForInlineScript(runtimeEnv)};`;\n\n    return (\n        <script id=\"runtime-env\" nonce={nonce} suppressHydrationWarning dangerouslySetInnerHTML={{ __html: inline }} />\n    );\n}\n"],"mappings":";AAAA,SAAS,yBAAyB;AAClC,SAAS,oBAAoB;AAE7B,eAAsB,MAAM;AACxB,QAAM,UAAU,QAAQ,IAAI,YAAY,QAAQ,iBAAiB,QAAQ,IAAI,cAAc,QAAQ;AACnG,QAAM,eAAe,QAAQ,IAAI,8BAA8B,IAAI,YAAY,MAAM;AACrF,MAAI,UAAU,CAAC,aAAa;AACxB,WAAO,aAAa,KAAK,EAAE,OAAO,YAAY,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EACpE;AAEA,QAAM,WAAW,OAAO;AAAA,IACpB,kBAAkB,EACb,IAAI,CAAC,QAAQ,CAAC,KAAK,QAAQ,IAAI,GAAG,CAAC,CAAU,EAC7C,OAAO,CAAC,CAAC,EAAE,KAAK,MAAM,OAAO,UAAU,QAAQ;AAAA,EACxD;AAEA,SAAO,aAAa,KAAK,UAAU;AAAA,IAC/B,QAAQ;AAAA,IACR,SAAS;AAAA,MACL,iBAAiB;AAAA,MACjB,QAAQ;AAAA,MACR,SAAS;AAAA,IACb;AAAA,EACJ,CAAC;AACL;;;ACxBA,SAAS,qBAAAA,0BAAyB;AAyB1B;AAvBR,SAAS,yBAAyB,OAAwB;AACtD,SAAO,KAAK,UAAU,KAAK,EACtB,QAAQ,MAAM,SAAS,EACvB,QAAQ,MAAM,SAAS,EACvB,QAAQ,MAAM,SAAS,EACvB,QAAQ,WAAW,SAAS,EAC5B,QAAQ,WAAW,SAAS;AACrC;AAMO,SAAS,iBAAiB,EAAE,MAAM,GAA0B;AAC/D,QAAM,aAAqC,CAAC;AAC5C,aAAW,KAAKA,mBAAkB,GAAG;AACjC,UAAM,IAAI,QAAQ,IAAI,CAAC;AACvB,QAAI,OAAO,MAAM,SAAU,YAAW,CAAC,IAAI;AAAA,EAC/C;AAEA,QAAM,SAAS,4BAA4B,yBAAyB,UAAU,CAAC;AAE/E,SACI,oBAAC,YAAO,IAAG,eAAc,OAAc,0BAAwB,MAAC,yBAAyB,EAAE,QAAQ,OAAO,GAAG;AAErH;","names":["getRuntimeEnvKeys"]}

package/dist/client.d.ts

@@ -0,0 +1,6 @@
+export { NextUIAdapterOptions, createClientOnlyNextUIAdapter, createNextRouteAdapter } from './next-adapters.js';
+import '@spring-systems/ui/adapters';
+
+declare const SPRING_SERVER_VERSION: string;
+
+export { SPRING_SERVER_VERSION };

package/dist/client.js

@@ -0,0 +1,14 @@
+"use client";
+import {
+  createClientOnlyNextUIAdapter,
+  createNextRouteAdapter
+} from "./chunk-CP33WQ5Q.js";
+
+// src/client.ts
+var SPRING_SERVER_VERSION = true ? "0.8.0" : "0.1.0";
+export {
+  SPRING_SERVER_VERSION,
+  createClientOnlyNextUIAdapter,
+  createNextRouteAdapter
+};
+//# sourceMappingURL=client.js.map

package/dist/client.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/client.ts"],"sourcesContent":["\"use client\";\n\ndeclare const __VERSION__: string;\nexport const SPRING_SERVER_VERSION: string = typeof __VERSION__ !== \"undefined\" ? __VERSION__ : \"0.1.0\";\n\nexport { createClientOnlyNextUIAdapter, createNextRouteAdapter, type NextUIAdapterOptions } from \"./next-adapters\";\n"],"mappings":";;;;;;;AAGO,IAAM,wBAAgC,OAAqC,UAAc;","names":[]}

package/dist/handlers/index.d.ts

@@ -0,0 +1,81 @@
+import { NextResponse, NextRequest } from 'next/server';
+export { RateLimitEntry } from '../rate-limiter.js';
+
+/**
+ * Session/cookie management for the API proxy.
+ *
+ * Handles session token extraction from cookies, secure cookie setting/clearing,
+ * and session expiry detection from API responses.
+ *
+ * @module handlers/auth-session
+ */
+
+/** Check if a request targets localhost. */
+declare function isLocalHostRequest(req: NextRequest): boolean;
+/** Whether to use Secure flag on cookies (HTTPS or TARGET_ENV=prod, excluding localhost). */
+declare function useSecureCookies(req: NextRequest): boolean;
+/** Resolve the correct session cookie name based on runtime context. */
+declare function resolveSessionCookieName(req: NextRequest): string;
+/** Set the session cookie with the given token. Clears the stale variant. */
+declare function setSessionCookie(res: NextResponse, req: NextRequest, token: string): void;
+/** Clear all session cookies (both regular and secure variants). */
+declare function clearSessionCookie(res: NextResponse, req: NextRequest): void;
+/** Extract session token from request cookies (tries both cookie names). */
+declare function getSessionToken(req: NextRequest): string;
+/** Check if a value is a session-expired error code. */
+declare function isSessionExpiredCode(value: unknown): boolean;
+/** Detect if a 403 response indicates session expiry (reads response body). */
+declare function shouldClearSessionFromForbidden(response: Response): Promise<boolean>;
+
+/**
+ * CSRF protection and CORS header management for the API proxy.
+ *
+ * Validates request origins against configured allowed origins,
+ * applies CORS headers to responses, and enforces CSRF protection
+ * for state-changing HTTP methods.
+ *
+ * @module handlers/csrf-cors
+ */
+
+/** Normalize a URL string to its origin (scheme + host + port). */
+declare function normalizeOrigin(value: string): string | null;
+/** Check if the request comes from the configured FRONTEND_IP. */
+declare function isInternalIpAccess(req: NextRequest): boolean;
+/** Resolve the allowed origin for a request (checks FRONTEND_URL and FRONTEND_IP). */
+declare function resolveAllowedOrigin(req: NextRequest): string | null;
+/** Check if a request should be rejected by CSRF protection. */
+declare function shouldRejectByCsrfProtection(req: NextRequest, method: string, pathKey: string): boolean;
+/** Apply CORS headers to a response. */
+declare function applyCorsHeaders(headers: Headers, req: NextRequest, isIpAccess: boolean): void;
+/** Check if CSRF exempt paths are configured (disallowed in production). */
+declare function hasCsrfExemptPaths(): boolean;
+/** Validate production security config. Returns error string or null. */
+declare function resolveProdSecurityConfigError(): string | null;
+
+/**
+ * Login rate limiting logic for the API proxy.
+ *
+ * Uses the pluggable RateLimiterAdapter from rate-limiter.ts so multi-instance
+ * deployments can swap in a shared-storage adapter.
+ *
+ * @module handlers/rate-limit-handler
+ */
+
+interface RateLimitKeys {
+    pairKey: string;
+    accountKey: string | null;
+}
+/** Get client IP address from request headers or connection. */
+declare function getClientAddress(request: NextRequest): string;
+/** Build rate limit keys from request and username. */
+declare function getLoginRateLimitKeys(request: NextRequest, username: string): RateLimitKeys;
+/** Remove expired rate limit entries from adapter stores. */
+declare function cleanupExpiredLoginLimits(now: number): void;
+/** Get remaining block time in ms (0 = not blocked). */
+declare function getRateLimitRetryAfterMs(keys: RateLimitKeys, now: number): number;
+/** Record a failed login attempt for rate limiting. */
+declare function registerFailedLoginAttempt(keys: RateLimitKeys, _now: number): void;
+/** Clear rate limit state for given keys (after successful login). */
+declare function clearLoginAttemptState(keys: RateLimitKeys): void;
+
+export { type RateLimitKeys, applyCorsHeaders, cleanupExpiredLoginLimits, clearLoginAttemptState, clearSessionCookie, getClientAddress, getLoginRateLimitKeys, getRateLimitRetryAfterMs, getSessionToken, hasCsrfExemptPaths, isInternalIpAccess, isLocalHostRequest, isSessionExpiredCode, normalizeOrigin, registerFailedLoginAttempt, resolveAllowedOrigin, resolveProdSecurityConfigError, resolveSessionCookieName, setSessionCookie, shouldClearSessionFromForbidden, shouldRejectByCsrfProtection, useSecureCookies };

package/dist/handlers/index.js

@@ -0,0 +1,48 @@
+import {
+  applyCorsHeaders,
+  cleanupExpiredLoginLimits,
+  clearLoginAttemptState,
+  clearSessionCookie,
+  getClientAddress,
+  getLoginRateLimitKeys,
+  getRateLimitRetryAfterMs,
+  getSessionToken,
+  hasCsrfExemptPaths,
+  isInternalIpAccess,
+  isLocalHostRequest,
+  isSessionExpiredCode,
+  normalizeOrigin,
+  registerFailedLoginAttempt,
+  resolveAllowedOrigin,
+  resolveProdSecurityConfigError,
+  resolveSessionCookieName,
+  setSessionCookie,
+  shouldClearSessionFromForbidden,
+  shouldRejectByCsrfProtection,
+  useSecureCookies
+} from "../chunk-FEB3UZEG.js";
+import "../chunk-7IUSTA5W.js";
+export {
+  applyCorsHeaders,
+  cleanupExpiredLoginLimits,
+  clearLoginAttemptState,
+  clearSessionCookie,
+  getClientAddress,
+  getLoginRateLimitKeys,
+  getRateLimitRetryAfterMs,
+  getSessionToken,
+  hasCsrfExemptPaths,
+  isInternalIpAccess,
+  isLocalHostRequest,
+  isSessionExpiredCode,
+  normalizeOrigin,
+  registerFailedLoginAttempt,
+  resolveAllowedOrigin,
+  resolveProdSecurityConfigError,
+  resolveSessionCookieName,
+  setSessionCookie,
+  shouldClearSessionFromForbidden,
+  shouldRejectByCsrfProtection,
+  useSecureCookies
+};
+//# sourceMappingURL=index.js.map

package/dist/handlers/index.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":[],"sourcesContent":[],"mappings":"","names":[]}

package/dist/index.d.ts

@@ -0,0 +1,10 @@
+export { DELETE, GET, OPTIONS, PATCH, POST, PUT } from './api-route-handler.js';
+export { proxy, proxyConfig } from './proxy-middleware.js';
+export { RuntimeEnvScript, runtimeEnvGET } from './runtime-env.js';
+export { BASE_SECURITY_HEADERS, BASE_SECURITY_HEADER_VALUES, PERMISSIONS_POLICY_VALUE } from './security-headers.js';
+import 'next/server.js';
+import 'react/jsx-runtime';
+
+declare const SPRING_SERVER_VERSION: string;
+
+export { SPRING_SERVER_VERSION };

package/dist/index.js

@@ -0,0 +1,44 @@
+import {
+  proxy,
+  proxyConfig
+} from "./chunk-OYTV4D7E.js";
+import {
+  DELETE,
+  GET,
+  OPTIONS,
+  PATCH,
+  POST,
+  PUT
+} from "./chunk-CLZU34DG.js";
+import "./chunk-FEB3UZEG.js";
+import {
+  GET as GET2,
+  RuntimeEnvScript
+} from "./chunk-YV6DZVPI.js";
+import "./chunk-7IUSTA5W.js";
+import {
+  BASE_SECURITY_HEADERS,
+  BASE_SECURITY_HEADER_VALUES,
+  PERMISSIONS_POLICY_VALUE
+} from "./chunk-KA7RJCWA.js";
+
+// src/index.ts
+import "server-only";
+var SPRING_SERVER_VERSION = true ? "0.8.0" : "0.0.0-dev";
+export {
+  BASE_SECURITY_HEADERS,
+  BASE_SECURITY_HEADER_VALUES,
+  DELETE,
+  GET,
+  OPTIONS,
+  PATCH,
+  PERMISSIONS_POLICY_VALUE,
+  POST,
+  PUT,
+  RuntimeEnvScript,
+  SPRING_SERVER_VERSION,
+  proxy,
+  proxyConfig,
+  GET2 as runtimeEnvGET
+};
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/index.ts"],"sourcesContent":["// @spring-systems/server\n// Next.js server-only code: proxy middleware, API route handler, runtime env injection.\n// Use sub-path imports: @spring-systems/server/proxy, /api-handler, /runtime-env\nimport \"server-only\";\n\ndeclare const __VERSION__: string;\nexport const SPRING_SERVER_VERSION: string = typeof __VERSION__ !== \"undefined\" ? __VERSION__ : \"0.0.0-dev\";\n\nexport { DELETE, GET, OPTIONS, PATCH, POST, PUT } from \"./api-route-handler\";\nexport { proxy, proxyConfig } from \"./proxy-middleware\";\nexport { runtimeEnvGET, RuntimeEnvScript } from \"./runtime-env\";\nexport { BASE_SECURITY_HEADER_VALUES, BASE_SECURITY_HEADERS, PERMISSIONS_POLICY_VALUE } from \"./security-headers\";\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;AAGA,OAAO;AAGA,IAAM,wBAAgC,OAAqC,UAAc;","names":[]}

package/dist/next-adapters.d.ts

@@ -0,0 +1,25 @@
+import { UIAdapter, RouteAdapter } from '@spring-systems/ui/adapters';
+
+/**
+ * Next.js adapter presets for RouteAdapter and UIAdapter.
+ * Consumer app calls these in Root.tsx / layout.tsx to register the Next.js implementations.
+ * @module next-adapters
+ */
+
+interface NextUIAdapterOptions {
+    /**
+     * Default SSR behavior for `dynamic` when call-site does not provide `{ ssr }`.
+     * Defaults to `true` for backward compatibility.
+     */
+    defaultDynamicSsr?: boolean;
+}
+/** Creates a RouteAdapter backed by Next.js App Router hooks. */
+declare function createNextRouteAdapter(): RouteAdapter;
+/** Creates a UIAdapter backed by Next.js Image, Link, and dynamic imports. */
+declare function createNextUIAdapter(options?: NextUIAdapterOptions): UIAdapter;
+/** Creates a UIAdapter preset optimized for client-only apps (dynamic imports default to `ssr: false`). */
+declare function createClientOnlyNextUIAdapter(): UIAdapter;
+/** Creates a UIAdapter preset with SSR-enabled dynamic imports by default. */
+declare function createSsrNextUIAdapter(): UIAdapter;
+
+export { type NextUIAdapterOptions, createClientOnlyNextUIAdapter, createNextRouteAdapter, createNextUIAdapter, createSsrNextUIAdapter };

package/dist/next-adapters.js

@@ -0,0 +1,14 @@
+"use client";
+import {
+  createClientOnlyNextUIAdapter,
+  createNextRouteAdapter,
+  createNextUIAdapter,
+  createSsrNextUIAdapter
+} from "./chunk-CP33WQ5Q.js";
+export {
+  createClientOnlyNextUIAdapter,
+  createNextRouteAdapter,
+  createNextUIAdapter,
+  createSsrNextUIAdapter
+};
+//# sourceMappingURL=next-adapters.js.map

package/dist/next-adapters.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":[],"sourcesContent":[],"mappings":"","names":[]}

package/dist/proxy-middleware.d.ts

@@ -0,0 +1,8 @@
+import { NextRequest, NextResponse } from 'next/server.js';
+
+declare function proxy(req: NextRequest): NextResponse<unknown>;
+declare const proxyConfig: {
+    matcher: string[];
+};
+
+export { proxy, proxyConfig };

package/dist/proxy-middleware.js

@@ -0,0 +1,10 @@
+import {
+  proxy,
+  proxyConfig
+} from "./chunk-OYTV4D7E.js";
+import "./chunk-KA7RJCWA.js";
+export {
+  proxy,
+  proxyConfig
+};
+//# sourceMappingURL=proxy-middleware.js.map

package/dist/proxy-middleware.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":[],"sourcesContent":[],"mappings":"","names":[]}

package/dist/rate-limiter.d.ts

@@ -0,0 +1,67 @@
+/**
+ * Pluggable rate limiter for API proxy authentication.
+ *
+ * The default implementation uses in-memory Maps (suitable for single-instance deployments).
+ * Multi-instance deployments can replace this with a custom adapter via `setRateLimiterAdapter()`.
+ *
+ * @example
+ * ```ts
+ * import { setRateLimiterAdapter } from "@spring-systems/server/rate-limiter";
+ * import { createCustomRateLimiter } from "./my-rate-limiter";
+ *
+ * setRateLimiterAdapter(createCustomRateLimiter());
+ * ```
+ *
+ * @module rate-limiter
+ */
+interface RateLimitEntry {
+    count: number;
+    windowStartedAt: number;
+    blockedUntil: number;
+}
+interface RateLimitPolicy {
+    windowMs: number;
+    blockMs: number;
+    maxAttemptsByIpAndAccount: number;
+    maxAttemptsByAccount: number;
+    maxKeys: number;
+}
+/**
+ * Rate limiter adapter interface. Implementations must be async-safe.
+ */
+interface RateLimiterAdapter {
+    /** Get the current rate limit entry for a key, or null if no entry exists. */
+    get(store: "ip" | "account", key: string): RateLimitEntry | null;
+    /** Set/update the rate limit entry for a key. */
+    set(store: "ip" | "account", key: string, entry: RateLimitEntry): void;
+    /** Delete an entry (e.g. on successful login). */
+    delete(store: "ip" | "account", key: string): void;
+    /** Get the total number of tracked keys (for eviction logic). */
+    size(store: "ip" | "account"): number;
+    /** Clear the oldest entries when maxKeys is exceeded. */
+    evictOldest(store: "ip" | "account", count: number): void;
+    /**
+     * Remove expired entries for a store.
+     * Optional to preserve compatibility with existing custom adapters.
+     */
+    sweepExpired?(store: "ip" | "account", now: number, windowMs: number): void;
+}
+/** Replace the default in-memory rate limiter with a custom adapter. */
+declare function setRateLimiterAdapter(custom: RateLimiterAdapter): void;
+/** Get the current rate limiter adapter. */
+declare function getRateLimiterAdapter(): RateLimiterAdapter;
+/**
+ * Check if a login attempt should be rate-limited.
+ * @returns A reason string if blocked, or null if allowed.
+ */
+declare function checkRateLimit(ipKey: string, accountKey: string | null, policy: RateLimitPolicy): string | null;
+/**
+ * Record a failed login attempt.
+ */
+declare function recordFailedAttempt(ipKey: string, accountKey: string | null, policy: RateLimitPolicy): void;
+/**
+ * Clear rate limit entries for a key (e.g. on successful login).
+ */
+declare function clearRateLimitEntries(ipKey: string, accountKey: string | null): void;
+
+export { type RateLimitEntry, type RateLimitPolicy, type RateLimiterAdapter, checkRateLimit, clearRateLimitEntries, getRateLimiterAdapter, recordFailedAttempt, setRateLimiterAdapter };

package/dist/rate-limiter.js

@@ -0,0 +1,15 @@
+import {
+  checkRateLimit,
+  clearRateLimitEntries,
+  getRateLimiterAdapter,
+  recordFailedAttempt,
+  setRateLimiterAdapter
+} from "./chunk-7IUSTA5W.js";
+export {
+  checkRateLimit,
+  clearRateLimitEntries,
+  getRateLimiterAdapter,
+  recordFailedAttempt,
+  setRateLimiterAdapter
+};
+//# sourceMappingURL=rate-limiter.js.map

package/dist/rate-limiter.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":[],"sourcesContent":[],"mappings":"","names":[]}

package/dist/runtime-env.d.ts

@@ -0,0 +1,15 @@
+import { NextResponse } from 'next/server.js';
+import * as react_jsx_runtime from 'react/jsx-runtime';
+
+declare function GET(): Promise<NextResponse<{
+    error: string;
+}> | NextResponse<{
+    [k: string]: string | undefined;
+}>>;
+
+interface RuntimeEnvScriptProps {
+    nonce?: string;
+}
+declare function RuntimeEnvScript({ nonce }: RuntimeEnvScriptProps): react_jsx_runtime.JSX.Element;
+
+export { RuntimeEnvScript, type RuntimeEnvScriptProps, GET as runtimeEnvGET };

package/dist/runtime-env.js

@@ -0,0 +1,9 @@
+import {
+  GET,
+  RuntimeEnvScript
+} from "./chunk-YV6DZVPI.js";
+export {
+  RuntimeEnvScript,
+  GET as runtimeEnvGET
+};
+//# sourceMappingURL=runtime-env.js.map

package/dist/runtime-env.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":[],"sourcesContent":[],"mappings":"","names":[]}

package/dist/security-headers.d.ts

@@ -0,0 +1,8 @@
+declare const PERMISSIONS_POLICY_VALUE = "accelerometer=(), autoplay=(), camera=(), display-capture=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), payment=(), usb=(), browsing-topics=()";
+declare const BASE_SECURITY_HEADER_VALUES: Readonly<Record<string, string>>;
+declare const BASE_SECURITY_HEADERS: {
+    key: string;
+    value: string;
+}[];
+
+export { BASE_SECURITY_HEADERS, BASE_SECURITY_HEADER_VALUES, PERMISSIONS_POLICY_VALUE };

package/dist/security-headers.js

@@ -0,0 +1,11 @@
+import {
+  BASE_SECURITY_HEADERS,
+  BASE_SECURITY_HEADER_VALUES,
+  PERMISSIONS_POLICY_VALUE
+} from "./chunk-KA7RJCWA.js";
+export {
+  BASE_SECURITY_HEADERS,
+  BASE_SECURITY_HEADER_VALUES,
+  PERMISSIONS_POLICY_VALUE
+};
+//# sourceMappingURL=security-headers.js.map

package/dist/security-headers.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":[],"sourcesContent":[],"mappings":"","names":[]}

package/package.json

@@ -0,0 +1,114 @@
+{
+    "name": "@spring-systems/server",
+    "version": "0.8.0",
+    "description": "Next.js server-only code for Spring Systems SPRING (proxy, API routes, runtime env)",
+    "type": "module",
+    "main": "./dist/index.js",
+    "types": "./dist/index.d.ts",
+    "files": [
+        "dist",
+        "README.md",
+        "LICENSE",
+        "CHANGELOG.md"
+    ],
+    "license": "UNLICENSED",
+    "repository": {
+        "type": "git",
+        "url": "git+https://martin-zadak@bitbucket.org/springsystems-projects/spring-framework-frontend.git",
+        "directory": "packages/server"
+    },
+    "homepage": "https://bitbucket.org/springsystems-projects/spring-framework-frontend/src/main/packages/server#readme",
+    "bugs": {
+        "url": "https://bitbucket.org/springsystems-projects/spring-framework-frontend/issues"
+    },
+    "keywords": [
+        "spring",
+        "nextjs",
+        "server",
+        "proxy",
+        "api-routes",
+        "runtime-env",
+        "security"
+    ],
+    "engines": {
+        "node": ">=22.0.0"
+    },
+    "sideEffects": false,
+    "exports": {
+        ".": {
+            "types": "./dist/index.d.ts",
+            "import": "./dist/index.js",
+            "default": "./dist/index.js"
+        },
+        "./proxy": {
+            "types": "./dist/proxy-middleware.d.ts",
+            "import": "./dist/proxy-middleware.js",
+            "default": "./dist/proxy-middleware.js"
+        },
+        "./api-handler": {
+            "types": "./dist/api-route-handler.d.ts",
+            "import": "./dist/api-route-handler.js",
+            "default": "./dist/api-route-handler.js"
+        },
+        "./runtime-env": {
+            "types": "./dist/runtime-env.d.ts",
+            "import": "./dist/runtime-env.js",
+            "default": "./dist/runtime-env.js"
+        },
+        "./client": {
+            "types": "./dist/client.d.ts",
+            "import": "./dist/client.js",
+            "default": "./dist/client.js"
+        },
+        "./adapters": {
+            "types": "./dist/next-adapters.d.ts",
+            "import": "./dist/next-adapters.js",
+            "default": "./dist/next-adapters.js"
+        },
+        "./rate-limiter": {
+            "types": "./dist/rate-limiter.d.ts",
+            "import": "./dist/rate-limiter.js",
+            "default": "./dist/rate-limiter.js"
+        },
+        "./handlers": {
+            "types": "./dist/handlers/index.d.ts",
+            "import": "./dist/handlers/index.js",
+            "default": "./dist/handlers/index.js"
+        },
+        "./security-headers": {
+            "types": "./dist/security-headers.d.ts",
+            "import": "./dist/security-headers.js",
+            "default": "./dist/security-headers.js"
+        }
+    },
+    "scripts": {
+        "build": "tsup",
+        "dev": "tsup --watch",
+        "typecheck": "tsc --noEmit",
+        "test": "vitest run",
+        "check:exports": "node scripts/check-exports.mjs",
+        "prepack": "pnpm run build && pnpm check:exports",
+        "check:circular": "madge --circular --extensions ts,tsx --ts-config ../../tsconfig.base.json ./src",
+        "lint": "eslint src/"
+    },
+    "peerDependencies": {
+        "@spring-systems/core": "^0.8.0",
+        "@spring-systems/ui": "^0.8.0",
+        "next": "^16.0.0",
+        "react": "^19.0.0"
+    },
+    "dependencies": {
+        "server-only": "^0.0.1"
+    },
+    "devDependencies": {
+        "@spring-systems/core": "workspace:^",
+        "@spring-systems/ui": "workspace:^",
+        "@types/react": "^19.2.14",
+        "@vitest/coverage-v8": "^4.0.18",
+        "next": "^16.1.6",
+        "react": "^19.2.4",
+        "tsup": "^8.5.1",
+        "typescript": "^5.9.3",
+        "vitest": "^4.0.18"
+    }
+}