@spring-systems/server 0.8.1 → 0.8.2

package/CHANGELOG.md

@@ -1,62 +1,29 @@
 # @spring-systems/server
 
-## 0.7.5
+## 0.8.2
 
 ### Patch Changes
 
-- Restored backward-compatible default for `createNextUIAdapter()` dynamic imports (`ssr: true` by default).
-- Added `createClientOnlyNextUIAdapter()` helper for client-only apps (`ssr: false` by default).
-- Added a dev-time warning when `createNextUIAdapter()` is used without explicit `defaultDynamicSsr`, to prevent accidental SSR defaults in client-only apps.
-- Restricted `@spring-systems/server/client` exports to client-safe factories only (`createNextRouteAdapter`, `createClientOnlyNextUIAdapter`).
-- Applied CORS headers consistently for proxy error responses (including non-logout routes).
-- Enforced server-only root entrypoint via `import "server-only"`; client-safe adapters remain available under `@spring-systems/server/client`.
-- Updated docs to use explicit `defaultDynamicSsr` in SSR-oriented adapter examples.
-- Added dedicated `@spring-systems/server/client` export for client-only adapter imports.
-- Refactored API route internals by extracting shared utility helpers from `api-route-handler`.
+- Improve npm package metadata and documentation quality (author, keywords, descriptions, peer dependency docs, compatibility section, changelog coverage).
 - Updated dependencies
-    - @spring-systems/core@0.7.5
-    - @spring-systems/ui@0.7.5
+    - @spring-systems/core@0.8.2
+    - @spring-systems/ui@0.8.2
 
-## 0.7.4
+## 0.8.1
 
 ### Patch Changes
 
-- Dependency updates and version alignment.
+- Fix Bitbucket documentation URLs (blob/main → src/main).
 - Updated dependencies
-    - @spring-systems/core@0.7.4
-    - @spring-systems/ui@0.7.4
+    - @spring-systems/core@0.8.1
+    - @spring-systems/ui@0.8.1
 
-## 0.7.3
+## 0.8.0
 
-### Patch Changes
-
-- Updated dependencies
-    - @spring-systems/ui@0.7.3
-    - @spring-systems/core@0.7.3
-
-## 0.7.2
-
-### Patch Changes
-
-- Improve package documentation, onboarding navigation, and npm-published docs coverage.
-- Updated dependencies
-    - @spring-systems/core@0.7.2
-    - @spring-systems/ui@0.7.2
-
-## 0.7.1
-
-### Patch Changes
-
-- Align package documentation with repository docs and enforce docs quality checks in release workflow.
-- Updated dependencies
-    - @spring-systems/core@0.7.1
-    - @spring-systems/ui@0.7.1
-
-## 0.7.0
-
-### Patch Changes
+### Minor Changes
 
-- Initial npm registry release
+- Initial public release.
+- Next.js 16 proxy middleware (proxy.ts), API route handler with CSRF protection, nonce-based CSP and security headers, login rate limiting (per-IP and per-account), runtime environment bootstrap, Next.js adapter factories, and server-only enforcement with client-safe adapter subpath.
 - Updated dependencies
-    - @spring-systems/core@0.7.0
-    - @spring-systems/ui@0.7.0
+    - @spring-systems/core@0.8.0
+    - @spring-systems/ui@0.8.0

package/README.md

@@ -1,6 +1,6 @@
 # @spring-systems/server
 
-Next.js server-side integration for the Spring Systems SPRING framework. This package keeps the browser-to-backend boundary explicit: proxying, runtime env exposure, security headers, and server adapters live here instead of leaking into app code.
+Next.js server-side integration for the Spring Systems framework. This package keeps the browser-to-backend boundary explicit: proxying, runtime env exposure, security headers, and server adapters live here instead of leaking into app code.
 
 ## When To Use It
 
@@ -15,6 +15,8 @@ Use this package when the app should talk to the backend through Next.js rather
 pnpm add @spring-systems/server @spring-systems/core @spring-systems/ui
 ```
 
+Requires `next` (^16.0.0) and `react` (^19.0.0) as peer dependencies — already present in any Next.js 16 project.
+
 ## Quick Start
 
 Three files wire the server layer into a Next.js 16 app:
@@ -77,7 +79,93 @@ The `@/project-config` side-effect import must come first — it registers frame
 
 ## Compatibility
 
-Requires **Next.js 16** and **React 19**. Peer dependencies: `@spring-systems/core`, `@spring-systems/ui`.
+Peer dependencies: `next` (^16.0.0), `react` (^19.0.0), `@spring-systems/core`, `@spring-systems/ui`.
+
+## Request Pipeline
+
+Two layers process every request. The **proxy middleware** runs first on all routes, then the **API route handler** takes over for `/api/[...path]` requests.
+
+### Proxy Middleware (`proxy.ts`)
+
+```
+Browser request
+│
+├─ 1. Generate nonce (crypto.randomUUID)
+├─ 2. Build CSP directives (nonce, env vars, framework config)
+│
+├─ 3. pathname matches blockedPathPrefixesInProd (prod only)?
+│      └─ YES → 404 Not Found (with CSP + security headers)
+│
+├─ 4. pathname === "/" ?
+│      └─ YES → 308 redirect to defaultRoute (with CSP + security headers)
+│
+└─ 5. Passthrough
+       ├─ Inject x-nonce into request headers (for layout.tsx)
+       ├─ NextResponse.next() → continue to route handler
+       └─ Set security headers (X-Frame-Options, HSTS, COOP, CORP, …)
+```
+
+### API Route Handler (`app/api/[...path]/route.ts`)
+
+```
+Incoming API request (GET/POST/PUT/DELETE/PATCH/OPTIONS)
+│
+├─ OPTIONS? → 204 with CORS headers (skip full pipeline)
+│
+├─ 1. Cleanup expired rate-limit entries
+├─ 2. Production security config validation
+│      └─ CSRF_EXEMPT_PATHS in prod? → 500
+│
+├─ 3. Path validation
+│      ├─ isSafeProxyPathSegment (no traversal, no control chars)
+│      └─ maxProxyPathLength check → 400 / 414
+│
+├─ 4. URL building
+│      ├─ Resolve API_URL base
+│      ├─ Deduplicate API version prefix (v1/v1/… → v1/…)
+│      └─ Merge query parameters
+│
+├─ 5. Header filtering
+│      ├─ Strip: host, content-length, cookie, authorization
+│      ├─ Strip: hop-by-hop headers (RFC 7230)
+│      └─ Add: X-Requested-With: XMLHttpRequest
+│
+├─ 6. Auth / info short-circuit
+│      └─ auth/info + no token → 204 (clear stale cookies)
+│
+├─ 7. CSRF protection (state-changing methods only)
+│      ├─ Sec-Fetch-Site check → reject cross-site
+│      ├─ Origin validation (FRONTEND_URL / FRONTEND_IP)
+│      └─ Referer fallback → all checks fail? → 403 Forbidden
+│
+├─ 8. Authorization header injection
+│      └─ Session cookie → Bearer token (except public auth paths)
+│
+├─ 9. Hash forwarding
+│      └─ Sanitize X-Hash header → set X-hash, Hash headers + query params
+│
+├─ 10. Body handling + rate limiting (POST/PUT/PATCH/DELETE)
+│      ├─ Content-Length vs body limit (10 MB / 50 MB multipart)
+│      ├─ Streaming size-limited body for multipart uploads
+│      └─ Login route: parse username → check rate limit → 429
+│
+├─ 11. Proxy fetch → backend API
+│
+├─ 12. Response processing
+│       ├─ Strip hop-by-hop + content-encoding headers
+│       ├─ Login success: extract token → set session cookie
+│       │   └─ Strip tokens from response body (no leakage)
+│       ├─ Login failure: register failed attempt for rate limiting
+│       ├─ Logout / 401 / expired 403: clear session cookie
+│       │   └─ Clear-Site-Data header on successful logout
+│       ├─ CORS headers (origin allowlist, Vary: Origin)
+│       └─ Cache-Control (no-store for auth routes, private otherwise)
+│
+└─ 13. Error handling
+        ├─ PayloadTooLargeError → 413
+        ├─ Logout errors: still clear session cookie
+        └─ Dev: error details in response; Prod: generic message
+```
 
 ## Boundary Rules
 

package/dist/{chunk-OYTV4D7E.js → chunk-GSACJGAM.js}

@@ -120,7 +120,7 @@ function proxy(req) {
   }
   if (url.pathname === "/") {
     const dest = new URL(url.toString());
-    if (!isLocalHost) dest.protocol = "https:";
+    if (!isLocalHost && isTargetProd) dest.protocol = "https:";
     dest.pathname = getFrameworkConfig().app.defaultRoute;
     dest.search = "";
     const res2 = makeRedirect(dest, 308);
@@ -156,4 +156,4 @@ export {
   proxy,
   proxyConfig
 };
-//# sourceMappingURL=chunk-OYTV4D7E.js.map
+//# sourceMappingURL=chunk-GSACJGAM.js.map

package/dist/{chunk-OYTV4D7E.js.map → chunk-GSACJGAM.js.map}

@@ -1 +1 @@
-{"version":3,"sources":["../src/proxy-middleware.ts"],"sourcesContent":["import { getFrameworkConfig } from \"@spring-systems/core/config\";\nimport { type NextRequest, NextResponse } from \"next/server.js\";\n\nimport { BASE_SECURITY_HEADER_VALUES } from \"./security-headers\";\n\nfunction toOriginSource(value: string): string[] {\n    const raw = value.trim();\n    if (!raw) return [];\n\n    try {\n        const parsed = new URL(raw);\n        const out = [parsed.origin];\n\n        if (parsed.protocol === \"https:\") {\n            out.push(`wss://${parsed.host}`);\n        } else if (parsed.protocol === \"http:\") {\n            out.push(`ws://${parsed.host}`);\n        }\n\n        return out;\n    } catch {\n        return [];\n    }\n}\n\nconst BLOCKED_CSP_SCHEMES = new Set([\"javascript:\", \"data:\", \"blob:\", \"vbscript:\", \"filesystem:\"]);\n\nfunction parseCspSource(token: string): string | null {\n    const value = token.trim();\n    if (!value) return null;\n\n    // Prevent header/CSP injection via env values.\n    if (/[\\s;,\\r\\n]/.test(value)) return null;\n\n    // Allow safe scheme sources (e.g. https:, wss:). Block dangerous schemes\n    // that enable XSS or data exfiltration when used in CSP directives.\n    if (/^[a-zA-Z][a-zA-Z0-9+.-]*:$/.test(value)) {\n        const lower = value.toLowerCase();\n        if (BLOCKED_CSP_SCHEMES.has(lower)) return null;\n        return lower;\n    }\n\n    try {\n        const parsed = new URL(value);\n        if (![\"http:\", \"https:\", \"ws:\", \"wss:\"].includes(parsed.protocol)) return null;\n        if (parsed.username || parsed.password) return null;\n        if (parsed.pathname !== \"/\" || parsed.search || parsed.hash) return null;\n        return `${parsed.protocol}//${parsed.host}`;\n    } catch {\n        return null;\n    }\n}\n\nfunction parseReportUri(value: string): string | null {\n    const trimmed = value.trim();\n    if (!trimmed) return null;\n    // Block header injection characters and double-quotes (used in Reporting-Endpoints structured header).\n    if (/[\\s;,\\r\\n\"]/.test(trimmed)) return null;\n    try {\n        const parsed = new URL(trimmed);\n        if (![\"http:\", \"https:\"].includes(parsed.protocol)) return null;\n        if (parsed.username || parsed.password) return null;\n        return parsed.toString();\n    } catch {\n        return null;\n    }\n}\n\nfunction parseCspList(value: string): string[] {\n    const parsed = value\n        .split(\",\")\n        .map((s) => parseCspSource(s))\n        .filter((s): s is string => !!s);\n    return [...new Set(parsed)];\n}\n\nexport function proxy(req: NextRequest) {\n    const url = req.nextUrl.clone();\n\n    const TARGET_ENV = process.env.TARGET_ENV || \"test\";\n    const isProdRuntime = TARGET_ENV === \"prod\" || process.env.NODE_ENV === \"production\";\n    const isTargetProd = TARGET_ENV === \"prod\";\n\n    const isLocalHost = url.hostname === \"localhost\" || url.hostname === \"127.0.0.1\";\n\n    const nonce = crypto.randomUUID().replace(/-/g, \"\");\n    const allowUnsafeStyleAttr = process.env.CSP_ALLOW_UNSAFE_STYLE_ATTR === \"true\";\n    const denyStyleAttr = isTargetProd && !allowUnsafeStyleAttr;\n    const allowUnsafeInlineStyle = !isTargetProd;\n\n    const connectHostsEnv = parseCspList(process.env.CSP_CONNECT_HOSTS || \"\");\n    const apiConnectSources = toOriginSource(process.env.API_URL || \"\");\n    const imgHostsEnv = parseCspList(process.env.CSP_IMG_HOSTS || \"\");\n    const scriptHostsEnv = parseCspList(process.env.CSP_SCRIPT_HOSTS || \"\");\n    const frameHostsEnv = parseCspList(process.env.CSP_FRAME_HOSTS || \"\");\n\n    const cspConfig = getFrameworkConfig().csp;\n\n    // Validate framework config CSP sources through parseCspSource to prevent injection\n    const validatedConnectSources = cspConfig.thirdPartyConnectSources.map((s) => parseCspSource(s)).filter((s): s is string => !!s);\n    const validatedImgSources = cspConfig.thirdPartyImageSources.map((s) => parseCspSource(s)).filter((s): s is string => !!s);\n    const validatedScriptSources = cspConfig.thirdPartyScriptSources.map((s) => parseCspSource(s)).filter((s): s is string => !!s);\n    const validatedFrameSources = cspConfig.thirdPartyFrameSources.map((s) => parseCspSource(s)).filter((s): s is string => !!s);\n\n    const connectSrc = [\n        \"'self'\",\n        ...validatedConnectSources,\n        ...apiConnectSources,\n        ...connectHostsEnv,\n        ...(!isProdRuntime ? [\"http://localhost:*\", \"http://127.0.0.1:*\", \"ws://localhost:*\", \"ws://127.0.0.1:*\"] : []),\n    ].join(\" \");\n\n    const imgSrc = [\"'self'\", \"data:\", \"blob:\", ...validatedImgSources, ...imgHostsEnv].join(\" \");\n\n    const scriptSrcHosts = [...validatedScriptSources, ...scriptHostsEnv].join(\" \");\n    const frameSrcHosts = [...validatedFrameSources, ...frameHostsEnv].join(\" \");\n\n    const reportUri = parseReportUri(process.env.CSP_REPORT_URI || \"\");\n\n    const cspDirectives = [\n        \"default-src 'self'\",\n        \"base-uri 'self'\",\n        \"object-src 'none'\",\n        `script-src 'self' 'nonce-${nonce}' 'strict-dynamic' ${scriptSrcHosts}`,\n        `script-src-elem 'self' 'nonce-${nonce}' 'strict-dynamic' ${scriptSrcHosts}`,\n        \"script-src-attr 'none'\",\n        allowUnsafeInlineStyle ? \"style-src 'self' 'unsafe-inline'\" : `style-src 'self' 'nonce-${nonce}'`,\n        denyStyleAttr ? \"style-src-attr 'none'\" : \"style-src-attr 'unsafe-inline'\",\n        `img-src ${imgSrc}`,\n        \"media-src 'self' blob: data:\",\n        \"manifest-src 'self'\",\n        `connect-src ${connectSrc}`,\n        `frame-src ${frameSrcHosts || \"'none'\"}`,\n        \"frame-ancestors 'none'\",\n        \"form-action 'self'\",\n        ...(isTargetProd ? [\"upgrade-insecure-requests\"] : []),\n        ...(reportUri ? [`report-uri ${reportUri}`, \"report-to csp-violations\"] : []),\n    ];\n    const csp = cspDirectives.join(\"; \");\n\n    const blockedPrefixes = getFrameworkConfig().proxy.blockedPathPrefixesInProd ?? [];\n    if (isProdRuntime) {\n        for (const prefix of blockedPrefixes) {\n            if (url.pathname.startsWith(prefix)) {\n                const res = new NextResponse(\"Not Found\", { status: 404 });\n                return setSecurity(res, { isLocalHost, isTargetProd, csp, nonce, reportUri });\n            }\n        }\n    }\n\n    if (url.pathname === \"/\") {\n        const dest = new URL(url.toString());\n        if (!isLocalHost) dest.protocol = \"https:\";\n        dest.pathname = getFrameworkConfig().app.defaultRoute;\n        dest.search = \"\";\n\n        const res = makeRedirect(dest, 308);\n        return setSecurity(res, { isLocalHost, isTargetProd, csp, nonce, reportUri });\n    }\n\n    const requestHeaders = new Headers(req.headers);\n    requestHeaders.set(\"x-nonce\", nonce);\n\n    const res = NextResponse.next({ request: { headers: requestHeaders } });\n    return setSecurity(res, { isLocalHost, isTargetProd, csp, nonce, reportUri });\n}\n\nfunction setSecurity(\n    res: NextResponse,\n    opts: { isLocalHost: boolean; isTargetProd: boolean; csp?: string; nonce?: string; reportUri?: string | null }\n) {\n    const { isLocalHost, csp, nonce, reportUri } = opts;\n    if (csp) res.headers.set(\"Content-Security-Policy\", csp);\n    for (const [key, value] of Object.entries(BASE_SECURITY_HEADER_VALUES)) {\n        res.headers.set(key, value);\n    }\n    if (opts.isTargetProd && !isLocalHost)\n        res.headers.set(\"Strict-Transport-Security\", \"max-age=63072000; includeSubDomains; preload\");\n    if (reportUri) res.headers.set(\"Reporting-Endpoints\", `csp-violations=\"${reportUri}\"`);\n    if (nonce) res.headers.set(\"x-nonce\", nonce);\n    return res;\n}\n\nfunction makeRedirect(to: URL | string, status = 308) {\n    const res = new NextResponse(null, { status });\n    res.headers.set(\"Location\", typeof to === \"string\" ? to : to.toString());\n    return res;\n}\n\nexport const proxyConfig = {\n    matcher: [\"/((?!_next/static|_next/image|favicon.ico|sitemap.xml|robots.txt|api/health).*)\"],\n};\n"],"mappings":";;;;;AAAA,SAAS,0BAA0B;AACnC,SAA2B,oBAAoB;AAI/C,SAAS,eAAe,OAAyB;AAC7C,QAAM,MAAM,MAAM,KAAK;AACvB,MAAI,CAAC,IAAK,QAAO,CAAC;AAElB,MAAI;AACA,UAAM,SAAS,IAAI,IAAI,GAAG;AAC1B,UAAM,MAAM,CAAC,OAAO,MAAM;AAE1B,QAAI,OAAO,aAAa,UAAU;AAC9B,UAAI,KAAK,SAAS,OAAO,IAAI,EAAE;AAAA,IACnC,WAAW,OAAO,aAAa,SAAS;AACpC,UAAI,KAAK,QAAQ,OAAO,IAAI,EAAE;AAAA,IAClC;AAEA,WAAO;AAAA,EACX,QAAQ;AACJ,WAAO,CAAC;AAAA,EACZ;AACJ;AAEA,IAAM,sBAAsB,oBAAI,IAAI,CAAC,eAAe,SAAS,SAAS,aAAa,aAAa,CAAC;AAEjG,SAAS,eAAe,OAA8B;AAClD,QAAM,QAAQ,MAAM,KAAK;AACzB,MAAI,CAAC,MAAO,QAAO;AAGnB,MAAI,aAAa,KAAK,KAAK,EAAG,QAAO;AAIrC,MAAI,6BAA6B,KAAK,KAAK,GAAG;AAC1C,UAAM,QAAQ,MAAM,YAAY;AAChC,QAAI,oBAAoB,IAAI,KAAK,EAAG,QAAO;AAC3C,WAAO;AAAA,EACX;AAEA,MAAI;AACA,UAAM,SAAS,IAAI,IAAI,KAAK;AAC5B,QAAI,CAAC,CAAC,SAAS,UAAU,OAAO,MAAM,EAAE,SAAS,OAAO,QAAQ,EAAG,QAAO;AAC1E,QAAI,OAAO,YAAY,OAAO,SAAU,QAAO;AAC/C,QAAI,OAAO,aAAa,OAAO,OAAO,UAAU,OAAO,KAAM,QAAO;AACpE,WAAO,GAAG,OAAO,QAAQ,KAAK,OAAO,IAAI;AAAA,EAC7C,QAAQ;AACJ,WAAO;AAAA,EACX;AACJ;AAEA,SAAS,eAAe,OAA8B;AAClD,QAAM,UAAU,MAAM,KAAK;AAC3B,MAAI,CAAC,QAAS,QAAO;AAErB,MAAI,cAAc,KAAK,OAAO,EAAG,QAAO;AACxC,MAAI;AACA,UAAM,SAAS,IAAI,IAAI,OAAO;AAC9B,QAAI,CAAC,CAAC,SAAS,QAAQ,EAAE,SAAS,OAAO,QAAQ,EAAG,QAAO;AAC3D,QAAI,OAAO,YAAY,OAAO,SAAU,QAAO;AAC/C,WAAO,OAAO,SAAS;AAAA,EAC3B,QAAQ;AACJ,WAAO;AAAA,EACX;AACJ;AAEA,SAAS,aAAa,OAAyB;AAC3C,QAAM,SAAS,MACV,MAAM,GAAG,EACT,IAAI,CAAC,MAAM,eAAe,CAAC,CAAC,EAC5B,OAAO,CAAC,MAAmB,CAAC,CAAC,CAAC;AACnC,SAAO,CAAC,GAAG,IAAI,IAAI,MAAM,CAAC;AAC9B;AAEO,SAAS,MAAM,KAAkB;AACpC,QAAM,MAAM,IAAI,QAAQ,MAAM;AAE9B,QAAM,aAAa,QAAQ,IAAI,cAAc;AAC7C,QAAM,gBAAgB,eAAe,UAAU,QAAQ,IAAI,aAAa;AACxE,QAAM,eAAe,eAAe;AAEpC,QAAM,cAAc,IAAI,aAAa,eAAe,IAAI,aAAa;AAErE,QAAM,QAAQ,OAAO,WAAW,EAAE,QAAQ,MAAM,EAAE;AAClD,QAAM,uBAAuB,QAAQ,IAAI,gCAAgC;AACzE,QAAM,gBAAgB,gBAAgB,CAAC;AACvC,QAAM,yBAAyB,CAAC;AAEhC,QAAM,kBAAkB,aAAa,QAAQ,IAAI,qBAAqB,EAAE;AACxE,QAAM,oBAAoB,eAAe,QAAQ,IAAI,WAAW,EAAE;AAClE,QAAM,cAAc,aAAa,QAAQ,IAAI,iBAAiB,EAAE;AAChE,QAAM,iBAAiB,aAAa,QAAQ,IAAI,oBAAoB,EAAE;AACtE,QAAM,gBAAgB,aAAa,QAAQ,IAAI,mBAAmB,EAAE;AAEpE,QAAM,YAAY,mBAAmB,EAAE;AAGvC,QAAM,0BAA0B,UAAU,yBAAyB,IAAI,CAAC,MAAM,eAAe,CAAC,CAAC,EAAE,OAAO,CAAC,MAAmB,CAAC,CAAC,CAAC;AAC/H,QAAM,sBAAsB,UAAU,uBAAuB,IAAI,CAAC,MAAM,eAAe,CAAC,CAAC,EAAE,OAAO,CAAC,MAAmB,CAAC,CAAC,CAAC;AACzH,QAAM,yBAAyB,UAAU,wBAAwB,IAAI,CAAC,MAAM,eAAe,CAAC,CAAC,EAAE,OAAO,CAAC,MAAmB,CAAC,CAAC,CAAC;AAC7H,QAAM,wBAAwB,UAAU,uBAAuB,IAAI,CAAC,MAAM,eAAe,CAAC,CAAC,EAAE,OAAO,CAAC,MAAmB,CAAC,CAAC,CAAC;AAE3H,QAAM,aAAa;AAAA,IACf;AAAA,IACA,GAAG;AAAA,IACH,GAAG;AAAA,IACH,GAAG;AAAA,IACH,GAAI,CAAC,gBAAgB,CAAC,sBAAsB,sBAAsB,oBAAoB,kBAAkB,IAAI,CAAC;AAAA,EACjH,EAAE,KAAK,GAAG;AAEV,QAAM,SAAS,CAAC,UAAU,SAAS,SAAS,GAAG,qBAAqB,GAAG,WAAW,EAAE,KAAK,GAAG;AAE5F,QAAM,iBAAiB,CAAC,GAAG,wBAAwB,GAAG,cAAc,EAAE,KAAK,GAAG;AAC9E,QAAM,gBAAgB,CAAC,GAAG,uBAAuB,GAAG,aAAa,EAAE,KAAK,GAAG;AAE3E,QAAM,YAAY,eAAe,QAAQ,IAAI,kBAAkB,EAAE;AAEjE,QAAM,gBAAgB;AAAA,IAClB;AAAA,IACA;AAAA,IACA;AAAA,IACA,4BAA4B,KAAK,sBAAsB,cAAc;AAAA,IACrE,iCAAiC,KAAK,sBAAsB,cAAc;AAAA,IAC1E;AAAA,IACA,yBAAyB,qCAAqC,2BAA2B,KAAK;AAAA,IAC9F,gBAAgB,0BAA0B;AAAA,IAC1C,WAAW,MAAM;AAAA,IACjB;AAAA,IACA;AAAA,IACA,eAAe,UAAU;AAAA,IACzB,aAAa,iBAAiB,QAAQ;AAAA,IACtC;AAAA,IACA;AAAA,IACA,GAAI,eAAe,CAAC,2BAA2B,IAAI,CAAC;AAAA,IACpD,GAAI,YAAY,CAAC,cAAc,SAAS,IAAI,0BAA0B,IAAI,CAAC;AAAA,EAC/E;AACA,QAAM,MAAM,cAAc,KAAK,IAAI;AAEnC,QAAM,kBAAkB,mBAAmB,EAAE,MAAM,6BAA6B,CAAC;AACjF,MAAI,eAAe;AACf,eAAW,UAAU,iBAAiB;AAClC,UAAI,IAAI,SAAS,WAAW,MAAM,GAAG;AACjC,cAAMA,OAAM,IAAI,aAAa,aAAa,EAAE,QAAQ,IAAI,CAAC;AACzD,eAAO,YAAYA,MAAK,EAAE,aAAa,cAAc,KAAK,OAAO,UAAU,CAAC;AAAA,MAChF;AAAA,IACJ;AAAA,EACJ;AAEA,MAAI,IAAI,aAAa,KAAK;AACtB,UAAM,OAAO,IAAI,IAAI,IAAI,SAAS,CAAC;AACnC,QAAI,CAAC,YAAa,MAAK,WAAW;AAClC,SAAK,WAAW,mBAAmB,EAAE,IAAI;AACzC,SAAK,SAAS;AAEd,UAAMA,OAAM,aAAa,MAAM,GAAG;AAClC,WAAO,YAAYA,MAAK,EAAE,aAAa,cAAc,KAAK,OAAO,UAAU,CAAC;AAAA,EAChF;AAEA,QAAM,iBAAiB,IAAI,QAAQ,IAAI,OAAO;AAC9C,iBAAe,IAAI,WAAW,KAAK;AAEnC,QAAM,MAAM,aAAa,KAAK,EAAE,SAAS,EAAE,SAAS,eAAe,EAAE,CAAC;AACtE,SAAO,YAAY,KAAK,EAAE,aAAa,cAAc,KAAK,OAAO,UAAU,CAAC;AAChF;AAEA,SAAS,YACL,KACA,MACF;AACE,QAAM,EAAE,aAAa,KAAK,OAAO,UAAU,IAAI;AAC/C,MAAI,IAAK,KAAI,QAAQ,IAAI,2BAA2B,GAAG;AACvD,aAAW,CAAC,KAAK,KAAK,KAAK,OAAO,QAAQ,2BAA2B,GAAG;AACpE,QAAI,QAAQ,IAAI,KAAK,KAAK;AAAA,EAC9B;AACA,MAAI,KAAK,gBAAgB,CAAC;AACtB,QAAI,QAAQ,IAAI,6BAA6B,8CAA8C;AAC/F,MAAI,UAAW,KAAI,QAAQ,IAAI,uBAAuB,mBAAmB,SAAS,GAAG;AACrF,MAAI,MAAO,KAAI,QAAQ,IAAI,WAAW,KAAK;AAC3C,SAAO;AACX;AAEA,SAAS,aAAa,IAAkB,SAAS,KAAK;AAClD,QAAM,MAAM,IAAI,aAAa,MAAM,EAAE,OAAO,CAAC;AAC7C,MAAI,QAAQ,IAAI,YAAY,OAAO,OAAO,WAAW,KAAK,GAAG,SAAS,CAAC;AACvE,SAAO;AACX;AAEO,IAAM,cAAc;AAAA,EACvB,SAAS,CAAC,iFAAiF;AAC/F;","names":["res"]}
+{"version":3,"sources":["../src/proxy-middleware.ts"],"sourcesContent":["import { getFrameworkConfig } from \"@spring-systems/core/config\";\nimport { type NextRequest, NextResponse } from \"next/server.js\";\n\nimport { BASE_SECURITY_HEADER_VALUES } from \"./security-headers\";\n\nfunction toOriginSource(value: string): string[] {\n    const raw = value.trim();\n    if (!raw) return [];\n\n    try {\n        const parsed = new URL(raw);\n        const out = [parsed.origin];\n\n        if (parsed.protocol === \"https:\") {\n            out.push(`wss://${parsed.host}`);\n        } else if (parsed.protocol === \"http:\") {\n            out.push(`ws://${parsed.host}`);\n        }\n\n        return out;\n    } catch {\n        return [];\n    }\n}\n\nconst BLOCKED_CSP_SCHEMES = new Set([\"javascript:\", \"data:\", \"blob:\", \"vbscript:\", \"filesystem:\"]);\n\nfunction parseCspSource(token: string): string | null {\n    const value = token.trim();\n    if (!value) return null;\n\n    // Prevent header/CSP injection via env values.\n    if (/[\\s;,\\r\\n]/.test(value)) return null;\n\n    // Allow safe scheme sources (e.g. https:, wss:). Block dangerous schemes\n    // that enable XSS or data exfiltration when used in CSP directives.\n    if (/^[a-zA-Z][a-zA-Z0-9+.-]*:$/.test(value)) {\n        const lower = value.toLowerCase();\n        if (BLOCKED_CSP_SCHEMES.has(lower)) return null;\n        return lower;\n    }\n\n    try {\n        const parsed = new URL(value);\n        if (![\"http:\", \"https:\", \"ws:\", \"wss:\"].includes(parsed.protocol)) return null;\n        if (parsed.username || parsed.password) return null;\n        if (parsed.pathname !== \"/\" || parsed.search || parsed.hash) return null;\n        return `${parsed.protocol}//${parsed.host}`;\n    } catch {\n        return null;\n    }\n}\n\nfunction parseReportUri(value: string): string | null {\n    const trimmed = value.trim();\n    if (!trimmed) return null;\n    // Block header injection characters and double-quotes (used in Reporting-Endpoints structured header).\n    if (/[\\s;,\\r\\n\"]/.test(trimmed)) return null;\n    try {\n        const parsed = new URL(trimmed);\n        if (![\"http:\", \"https:\"].includes(parsed.protocol)) return null;\n        if (parsed.username || parsed.password) return null;\n        return parsed.toString();\n    } catch {\n        return null;\n    }\n}\n\nfunction parseCspList(value: string): string[] {\n    const parsed = value\n        .split(\",\")\n        .map((s) => parseCspSource(s))\n        .filter((s): s is string => !!s);\n    return [...new Set(parsed)];\n}\n\nexport function proxy(req: NextRequest) {\n    const url = req.nextUrl.clone();\n\n    const TARGET_ENV = process.env.TARGET_ENV || \"test\";\n    const isProdRuntime = TARGET_ENV === \"prod\" || process.env.NODE_ENV === \"production\";\n    const isTargetProd = TARGET_ENV === \"prod\";\n\n    const isLocalHost = url.hostname === \"localhost\" || url.hostname === \"127.0.0.1\";\n\n    const nonce = crypto.randomUUID().replace(/-/g, \"\");\n    const allowUnsafeStyleAttr = process.env.CSP_ALLOW_UNSAFE_STYLE_ATTR === \"true\";\n    const denyStyleAttr = isTargetProd && !allowUnsafeStyleAttr;\n    const allowUnsafeInlineStyle = !isTargetProd;\n\n    const connectHostsEnv = parseCspList(process.env.CSP_CONNECT_HOSTS || \"\");\n    const apiConnectSources = toOriginSource(process.env.API_URL || \"\");\n    const imgHostsEnv = parseCspList(process.env.CSP_IMG_HOSTS || \"\");\n    const scriptHostsEnv = parseCspList(process.env.CSP_SCRIPT_HOSTS || \"\");\n    const frameHostsEnv = parseCspList(process.env.CSP_FRAME_HOSTS || \"\");\n\n    const cspConfig = getFrameworkConfig().csp;\n\n    // Validate framework config CSP sources through parseCspSource to prevent injection\n    const validatedConnectSources = cspConfig.thirdPartyConnectSources.map((s) => parseCspSource(s)).filter((s): s is string => !!s);\n    const validatedImgSources = cspConfig.thirdPartyImageSources.map((s) => parseCspSource(s)).filter((s): s is string => !!s);\n    const validatedScriptSources = cspConfig.thirdPartyScriptSources.map((s) => parseCspSource(s)).filter((s): s is string => !!s);\n    const validatedFrameSources = cspConfig.thirdPartyFrameSources.map((s) => parseCspSource(s)).filter((s): s is string => !!s);\n\n    const connectSrc = [\n        \"'self'\",\n        ...validatedConnectSources,\n        ...apiConnectSources,\n        ...connectHostsEnv,\n        ...(!isProdRuntime ? [\"http://localhost:*\", \"http://127.0.0.1:*\", \"ws://localhost:*\", \"ws://127.0.0.1:*\"] : []),\n    ].join(\" \");\n\n    const imgSrc = [\"'self'\", \"data:\", \"blob:\", ...validatedImgSources, ...imgHostsEnv].join(\" \");\n\n    const scriptSrcHosts = [...validatedScriptSources, ...scriptHostsEnv].join(\" \");\n    const frameSrcHosts = [...validatedFrameSources, ...frameHostsEnv].join(\" \");\n\n    const reportUri = parseReportUri(process.env.CSP_REPORT_URI || \"\");\n\n    const cspDirectives = [\n        \"default-src 'self'\",\n        \"base-uri 'self'\",\n        \"object-src 'none'\",\n        `script-src 'self' 'nonce-${nonce}' 'strict-dynamic' ${scriptSrcHosts}`,\n        `script-src-elem 'self' 'nonce-${nonce}' 'strict-dynamic' ${scriptSrcHosts}`,\n        \"script-src-attr 'none'\",\n        allowUnsafeInlineStyle ? \"style-src 'self' 'unsafe-inline'\" : `style-src 'self' 'nonce-${nonce}'`,\n        denyStyleAttr ? \"style-src-attr 'none'\" : \"style-src-attr 'unsafe-inline'\",\n        `img-src ${imgSrc}`,\n        \"media-src 'self' blob: data:\",\n        \"manifest-src 'self'\",\n        `connect-src ${connectSrc}`,\n        `frame-src ${frameSrcHosts || \"'none'\"}`,\n        \"frame-ancestors 'none'\",\n        \"form-action 'self'\",\n        ...(isTargetProd ? [\"upgrade-insecure-requests\"] : []),\n        ...(reportUri ? [`report-uri ${reportUri}`, \"report-to csp-violations\"] : []),\n    ];\n    const csp = cspDirectives.join(\"; \");\n\n    const blockedPrefixes = getFrameworkConfig().proxy.blockedPathPrefixesInProd ?? [];\n    if (isProdRuntime) {\n        for (const prefix of blockedPrefixes) {\n            if (url.pathname.startsWith(prefix)) {\n                const res = new NextResponse(\"Not Found\", { status: 404 });\n                return setSecurity(res, { isLocalHost, isTargetProd, csp, nonce, reportUri });\n            }\n        }\n    }\n\n    if (url.pathname === \"/\") {\n        const dest = new URL(url.toString());\n        if (!isLocalHost && isTargetProd) dest.protocol = \"https:\";\n        dest.pathname = getFrameworkConfig().app.defaultRoute;\n        dest.search = \"\";\n\n        const res = makeRedirect(dest, 308);\n        return setSecurity(res, { isLocalHost, isTargetProd, csp, nonce, reportUri });\n    }\n\n    const requestHeaders = new Headers(req.headers);\n    requestHeaders.set(\"x-nonce\", nonce);\n\n    const res = NextResponse.next({ request: { headers: requestHeaders } });\n    return setSecurity(res, { isLocalHost, isTargetProd, csp, nonce, reportUri });\n}\n\nfunction setSecurity(\n    res: NextResponse,\n    opts: { isLocalHost: boolean; isTargetProd: boolean; csp?: string; nonce?: string; reportUri?: string | null }\n) {\n    const { isLocalHost, csp, nonce, reportUri } = opts;\n    if (csp) res.headers.set(\"Content-Security-Policy\", csp);\n    for (const [key, value] of Object.entries(BASE_SECURITY_HEADER_VALUES)) {\n        res.headers.set(key, value);\n    }\n    if (opts.isTargetProd && !isLocalHost)\n        res.headers.set(\"Strict-Transport-Security\", \"max-age=63072000; includeSubDomains; preload\");\n    if (reportUri) res.headers.set(\"Reporting-Endpoints\", `csp-violations=\"${reportUri}\"`);\n    if (nonce) res.headers.set(\"x-nonce\", nonce);\n    return res;\n}\n\nfunction makeRedirect(to: URL | string, status = 308) {\n    const res = new NextResponse(null, { status });\n    res.headers.set(\"Location\", typeof to === \"string\" ? to : to.toString());\n    return res;\n}\n\nexport const proxyConfig = {\n    matcher: [\"/((?!_next/static|_next/image|favicon.ico|sitemap.xml|robots.txt|api/health).*)\"],\n};\n"],"mappings":";;;;;AAAA,SAAS,0BAA0B;AACnC,SAA2B,oBAAoB;AAI/C,SAAS,eAAe,OAAyB;AAC7C,QAAM,MAAM,MAAM,KAAK;AACvB,MAAI,CAAC,IAAK,QAAO,CAAC;AAElB,MAAI;AACA,UAAM,SAAS,IAAI,IAAI,GAAG;AAC1B,UAAM,MAAM,CAAC,OAAO,MAAM;AAE1B,QAAI,OAAO,aAAa,UAAU;AAC9B,UAAI,KAAK,SAAS,OAAO,IAAI,EAAE;AAAA,IACnC,WAAW,OAAO,aAAa,SAAS;AACpC,UAAI,KAAK,QAAQ,OAAO,IAAI,EAAE;AAAA,IAClC;AAEA,WAAO;AAAA,EACX,QAAQ;AACJ,WAAO,CAAC;AAAA,EACZ;AACJ;AAEA,IAAM,sBAAsB,oBAAI,IAAI,CAAC,eAAe,SAAS,SAAS,aAAa,aAAa,CAAC;AAEjG,SAAS,eAAe,OAA8B;AAClD,QAAM,QAAQ,MAAM,KAAK;AACzB,MAAI,CAAC,MAAO,QAAO;AAGnB,MAAI,aAAa,KAAK,KAAK,EAAG,QAAO;AAIrC,MAAI,6BAA6B,KAAK,KAAK,GAAG;AAC1C,UAAM,QAAQ,MAAM,YAAY;AAChC,QAAI,oBAAoB,IAAI,KAAK,EAAG,QAAO;AAC3C,WAAO;AAAA,EACX;AAEA,MAAI;AACA,UAAM,SAAS,IAAI,IAAI,KAAK;AAC5B,QAAI,CAAC,CAAC,SAAS,UAAU,OAAO,MAAM,EAAE,SAAS,OAAO,QAAQ,EAAG,QAAO;AAC1E,QAAI,OAAO,YAAY,OAAO,SAAU,QAAO;AAC/C,QAAI,OAAO,aAAa,OAAO,OAAO,UAAU,OAAO,KAAM,QAAO;AACpE,WAAO,GAAG,OAAO,QAAQ,KAAK,OAAO,IAAI;AAAA,EAC7C,QAAQ;AACJ,WAAO;AAAA,EACX;AACJ;AAEA,SAAS,eAAe,OAA8B;AAClD,QAAM,UAAU,MAAM,KAAK;AAC3B,MAAI,CAAC,QAAS,QAAO;AAErB,MAAI,cAAc,KAAK,OAAO,EAAG,QAAO;AACxC,MAAI;AACA,UAAM,SAAS,IAAI,IAAI,OAAO;AAC9B,QAAI,CAAC,CAAC,SAAS,QAAQ,EAAE,SAAS,OAAO,QAAQ,EAAG,QAAO;AAC3D,QAAI,OAAO,YAAY,OAAO,SAAU,QAAO;AAC/C,WAAO,OAAO,SAAS;AAAA,EAC3B,QAAQ;AACJ,WAAO;AAAA,EACX;AACJ;AAEA,SAAS,aAAa,OAAyB;AAC3C,QAAM,SAAS,MACV,MAAM,GAAG,EACT,IAAI,CAAC,MAAM,eAAe,CAAC,CAAC,EAC5B,OAAO,CAAC,MAAmB,CAAC,CAAC,CAAC;AACnC,SAAO,CAAC,GAAG,IAAI,IAAI,MAAM,CAAC;AAC9B;AAEO,SAAS,MAAM,KAAkB;AACpC,QAAM,MAAM,IAAI,QAAQ,MAAM;AAE9B,QAAM,aAAa,QAAQ,IAAI,cAAc;AAC7C,QAAM,gBAAgB,eAAe,UAAU,QAAQ,IAAI,aAAa;AACxE,QAAM,eAAe,eAAe;AAEpC,QAAM,cAAc,IAAI,aAAa,eAAe,IAAI,aAAa;AAErE,QAAM,QAAQ,OAAO,WAAW,EAAE,QAAQ,MAAM,EAAE;AAClD,QAAM,uBAAuB,QAAQ,IAAI,gCAAgC;AACzE,QAAM,gBAAgB,gBAAgB,CAAC;AACvC,QAAM,yBAAyB,CAAC;AAEhC,QAAM,kBAAkB,aAAa,QAAQ,IAAI,qBAAqB,EAAE;AACxE,QAAM,oBAAoB,eAAe,QAAQ,IAAI,WAAW,EAAE;AAClE,QAAM,cAAc,aAAa,QAAQ,IAAI,iBAAiB,EAAE;AAChE,QAAM,iBAAiB,aAAa,QAAQ,IAAI,oBAAoB,EAAE;AACtE,QAAM,gBAAgB,aAAa,QAAQ,IAAI,mBAAmB,EAAE;AAEpE,QAAM,YAAY,mBAAmB,EAAE;AAGvC,QAAM,0BAA0B,UAAU,yBAAyB,IAAI,CAAC,MAAM,eAAe,CAAC,CAAC,EAAE,OAAO,CAAC,MAAmB,CAAC,CAAC,CAAC;AAC/H,QAAM,sBAAsB,UAAU,uBAAuB,IAAI,CAAC,MAAM,eAAe,CAAC,CAAC,EAAE,OAAO,CAAC,MAAmB,CAAC,CAAC,CAAC;AACzH,QAAM,yBAAyB,UAAU,wBAAwB,IAAI,CAAC,MAAM,eAAe,CAAC,CAAC,EAAE,OAAO,CAAC,MAAmB,CAAC,CAAC,CAAC;AAC7H,QAAM,wBAAwB,UAAU,uBAAuB,IAAI,CAAC,MAAM,eAAe,CAAC,CAAC,EAAE,OAAO,CAAC,MAAmB,CAAC,CAAC,CAAC;AAE3H,QAAM,aAAa;AAAA,IACf;AAAA,IACA,GAAG;AAAA,IACH,GAAG;AAAA,IACH,GAAG;AAAA,IACH,GAAI,CAAC,gBAAgB,CAAC,sBAAsB,sBAAsB,oBAAoB,kBAAkB,IAAI,CAAC;AAAA,EACjH,EAAE,KAAK,GAAG;AAEV,QAAM,SAAS,CAAC,UAAU,SAAS,SAAS,GAAG,qBAAqB,GAAG,WAAW,EAAE,KAAK,GAAG;AAE5F,QAAM,iBAAiB,CAAC,GAAG,wBAAwB,GAAG,cAAc,EAAE,KAAK,GAAG;AAC9E,QAAM,gBAAgB,CAAC,GAAG,uBAAuB,GAAG,aAAa,EAAE,KAAK,GAAG;AAE3E,QAAM,YAAY,eAAe,QAAQ,IAAI,kBAAkB,EAAE;AAEjE,QAAM,gBAAgB;AAAA,IAClB;AAAA,IACA;AAAA,IACA;AAAA,IACA,4BAA4B,KAAK,sBAAsB,cAAc;AAAA,IACrE,iCAAiC,KAAK,sBAAsB,cAAc;AAAA,IAC1E;AAAA,IACA,yBAAyB,qCAAqC,2BAA2B,KAAK;AAAA,IAC9F,gBAAgB,0BAA0B;AAAA,IAC1C,WAAW,MAAM;AAAA,IACjB;AAAA,IACA;AAAA,IACA,eAAe,UAAU;AAAA,IACzB,aAAa,iBAAiB,QAAQ;AAAA,IACtC;AAAA,IACA;AAAA,IACA,GAAI,eAAe,CAAC,2BAA2B,IAAI,CAAC;AAAA,IACpD,GAAI,YAAY,CAAC,cAAc,SAAS,IAAI,0BAA0B,IAAI,CAAC;AAAA,EAC/E;AACA,QAAM,MAAM,cAAc,KAAK,IAAI;AAEnC,QAAM,kBAAkB,mBAAmB,EAAE,MAAM,6BAA6B,CAAC;AACjF,MAAI,eAAe;AACf,eAAW,UAAU,iBAAiB;AAClC,UAAI,IAAI,SAAS,WAAW,MAAM,GAAG;AACjC,cAAMA,OAAM,IAAI,aAAa,aAAa,EAAE,QAAQ,IAAI,CAAC;AACzD,eAAO,YAAYA,MAAK,EAAE,aAAa,cAAc,KAAK,OAAO,UAAU,CAAC;AAAA,MAChF;AAAA,IACJ;AAAA,EACJ;AAEA,MAAI,IAAI,aAAa,KAAK;AACtB,UAAM,OAAO,IAAI,IAAI,IAAI,SAAS,CAAC;AACnC,QAAI,CAAC,eAAe,aAAc,MAAK,WAAW;AAClD,SAAK,WAAW,mBAAmB,EAAE,IAAI;AACzC,SAAK,SAAS;AAEd,UAAMA,OAAM,aAAa,MAAM,GAAG;AAClC,WAAO,YAAYA,MAAK,EAAE,aAAa,cAAc,KAAK,OAAO,UAAU,CAAC;AAAA,EAChF;AAEA,QAAM,iBAAiB,IAAI,QAAQ,IAAI,OAAO;AAC9C,iBAAe,IAAI,WAAW,KAAK;AAEnC,QAAM,MAAM,aAAa,KAAK,EAAE,SAAS,EAAE,SAAS,eAAe,EAAE,CAAC;AACtE,SAAO,YAAY,KAAK,EAAE,aAAa,cAAc,KAAK,OAAO,UAAU,CAAC;AAChF;AAEA,SAAS,YACL,KACA,MACF;AACE,QAAM,EAAE,aAAa,KAAK,OAAO,UAAU,IAAI;AAC/C,MAAI,IAAK,KAAI,QAAQ,IAAI,2BAA2B,GAAG;AACvD,aAAW,CAAC,KAAK,KAAK,KAAK,OAAO,QAAQ,2BAA2B,GAAG;AACpE,QAAI,QAAQ,IAAI,KAAK,KAAK;AAAA,EAC9B;AACA,MAAI,KAAK,gBAAgB,CAAC;AACtB,QAAI,QAAQ,IAAI,6BAA6B,8CAA8C;AAC/F,MAAI,UAAW,KAAI,QAAQ,IAAI,uBAAuB,mBAAmB,SAAS,GAAG;AACrF,MAAI,MAAO,KAAI,QAAQ,IAAI,WAAW,KAAK;AAC3C,SAAO;AACX;AAEA,SAAS,aAAa,IAAkB,SAAS,KAAK;AAClD,QAAM,MAAM,IAAI,aAAa,MAAM,EAAE,OAAO,CAAC;AAC7C,MAAI,QAAQ,IAAI,YAAY,OAAO,OAAO,WAAW,KAAK,GAAG,SAAS,CAAC;AACvE,SAAO;AACX;AAEO,IAAM,cAAc;AAAA,EACvB,SAAS,CAAC,iFAAiF;AAC/F;","names":["res"]}

package/dist/client.js

@@ -5,7 +5,7 @@ import {
 } from "./chunk-CP33WQ5Q.js";
 
 // src/client.ts
-var SPRING_SERVER_VERSION = true ? "0.8.1" : "0.1.0";
+var SPRING_SERVER_VERSION = true ? "0.8.2" : "0.1.0";
 export {
   SPRING_SERVER_VERSION,
   createClientOnlyNextUIAdapter,

package/dist/index.js

@@ -1,7 +1,7 @@
 import {
   proxy,
   proxyConfig
-} from "./chunk-OYTV4D7E.js";
+} from "./chunk-GSACJGAM.js";
 import {
   DELETE,
   GET,
@@ -24,7 +24,7 @@ import {
 
 // src/index.ts
 import "server-only";
-var SPRING_SERVER_VERSION = true ? "0.8.1" : "0.0.0-dev";
+var SPRING_SERVER_VERSION = true ? "0.8.2" : "0.0.0-dev";
 export {
   BASE_SECURITY_HEADERS,
   BASE_SECURITY_HEADER_VALUES,

package/dist/proxy-middleware.js

@@ -1,7 +1,7 @@
 import {
   proxy,
   proxyConfig
-} from "./chunk-OYTV4D7E.js";
+} from "./chunk-GSACJGAM.js";
 import "./chunk-KA7RJCWA.js";
 export {
   proxy,

package/package.json

@@ -1,7 +1,7 @@
 {
     "name": "@spring-systems/server",
-    "version": "0.8.1",
-    "description": "Next.js server-only code for Spring Systems SPRING (proxy, API routes, runtime env)",
+    "version": "0.8.2",
+    "description": "Next.js server-only code for the Spring Systems framework (proxy, API routes, runtime env)",
     "type": "module",
     "main": "./dist/index.js",
     "types": "./dist/index.d.ts",
@@ -12,9 +12,13 @@
         "CHANGELOG.md"
     ],
     "license": "UNLICENSED",
+    "author": "Spring Systems",
+    "publishConfig": {
+        "access": "restricted"
+    },
     "repository": {
         "type": "git",
-        "url": "git+https://martin-zadak@bitbucket.org/springsystems-projects/spring-framework-frontend.git",
+        "url": "git+https://bitbucket.org/springsystems-projects/spring-framework-frontend.git",
         "directory": "packages/server"
     },
     "homepage": "https://bitbucket.org/springsystems-projects/spring-framework-frontend/src/main/packages/server#readme",
@@ -22,7 +26,7 @@
         "url": "https://bitbucket.org/springsystems-projects/spring-framework-frontend/issues"
     },
     "keywords": [
-        "spring",
+        "spring-systems",
         "nextjs",
         "server",
         "proxy",