@truesift/express 0.1.0

package/dist/index.js

@@ -0,0 +1,921 @@
+// src/http/buildBotGuardUrl.ts
+var BOT_GUARD_ENDPOINT_PATHS = {
+  challenge: "/challenge",
+  verify: "/verify"
+};
+function removeTrailingSlashes(value) {
+  return value.replace(/\/+$/, "");
+}
+function buildBotGuardUrl(apiBaseUrl, endpoint) {
+  const normalizedApiBaseUrl = removeTrailingSlashes(apiBaseUrl);
+  const endpointPath = BOT_GUARD_ENDPOINT_PATHS[endpoint];
+  return `${normalizedApiBaseUrl}${endpointPath}`;
+}
+
+// src/errors/BotGuardError.ts
+var BotGuardError = class extends Error {
+  code;
+  statusCode;
+  requestId;
+  context;
+  constructor(options) {
+    const errorOptions = options.cause === void 0 ? void 0 : { cause: options.cause };
+    super(options.message, errorOptions);
+    this.name = new.target.name;
+    this.code = options.code;
+    if (options.statusCode !== void 0) {
+      this.statusCode = options.statusCode;
+    }
+    if (options.requestId !== void 0) {
+      this.requestId = options.requestId;
+    }
+    if (options.context !== void 0) {
+      this.context = options.context;
+    }
+    Object.setPrototypeOf(this, new.target.prototype);
+  }
+  toJSON() {
+    return {
+      name: this.name,
+      code: this.code,
+      message: this.message,
+      ...this.statusCode !== void 0 ? { statusCode: this.statusCode } : {},
+      ...this.requestId !== void 0 ? { requestId: this.requestId } : {},
+      ...this.context !== void 0 ? { context: this.context } : {}
+    };
+  }
+};
+
+// src/errors/BotGuardRequestError.ts
+var DEFAULT_REQUEST_ERROR_MESSAGE = "TrueSift API request failed.";
+var BotGuardRequestError = class extends BotGuardError {
+  constructor(options = {}) {
+    const errorOptions = {
+      code: "TRUESIFT_REQUEST_ERROR",
+      message: options.message ?? DEFAULT_REQUEST_ERROR_MESSAGE,
+      ...options.statusCode !== void 0 ? { statusCode: options.statusCode } : {},
+      ...options.requestId !== void 0 ? { requestId: options.requestId } : {},
+      ...options.context !== void 0 ? { context: options.context } : {},
+      ...options.cause !== void 0 ? { cause: options.cause } : {}
+    };
+    super(errorOptions);
+  }
+};
+
+// src/errors/BotGuardTimeoutError.ts
+var DEFAULT_TIMEOUT_ERROR_MESSAGE = "TrueSift API request timed out.";
+var BotGuardTimeoutError = class extends BotGuardError {
+  timeoutMs;
+  constructor(options = {}) {
+    const context = {
+      ...options.context ?? {},
+      ...options.timeoutMs !== void 0 ? { timeoutMs: options.timeoutMs } : {}
+    };
+    const errorOptions = {
+      code: "TRUESIFT_TIMEOUT_ERROR",
+      message: options.message ?? DEFAULT_TIMEOUT_ERROR_MESSAGE,
+      ...options.requestId !== void 0 ? { requestId: options.requestId } : {},
+      ...Object.keys(context).length > 0 ? { context } : {},
+      ...options.cause !== void 0 ? { cause: options.cause } : {}
+    };
+    super(errorOptions);
+    if (options.timeoutMs !== void 0) {
+      this.timeoutMs = options.timeoutMs;
+    }
+  }
+  toJSON() {
+    return {
+      ...super.toJSON(),
+      code: "TRUESIFT_TIMEOUT_ERROR",
+      ...this.timeoutMs !== void 0 ? { timeoutMs: this.timeoutMs } : {}
+    };
+  }
+};
+
+// src/errors/BotGuardApiError.ts
+var DEFAULT_API_ERROR_MESSAGE = "TrueSift API returned an error response.";
+var BotGuardApiError = class extends BotGuardError {
+  apiError;
+  constructor(options = {}) {
+    const context = {
+      ...options.context ?? {},
+      ...options.apiError !== void 0 ? { apiError: options.apiError } : {}
+    };
+    const errorOptions = {
+      code: "TRUESIFT_API_ERROR",
+      message: options.message ?? DEFAULT_API_ERROR_MESSAGE,
+      ...options.statusCode !== void 0 ? { statusCode: options.statusCode } : {},
+      ...options.requestId !== void 0 ? { requestId: options.requestId } : {},
+      ...Object.keys(context).length > 0 ? { context } : {},
+      ...options.cause !== void 0 ? { cause: options.cause } : {}
+    };
+    super(errorOptions);
+    if (options.apiError !== void 0) {
+      this.apiError = options.apiError;
+    }
+  }
+  toJSON() {
+    return {
+      ...super.toJSON(),
+      code: "TRUESIFT_API_ERROR",
+      ...this.apiError !== void 0 ? { apiError: this.apiError } : {}
+    };
+  }
+};
+
+// src/errors/BotGuardAuthError.ts
+var DEFAULT_AUTH_ERROR_MESSAGE = "TrueSift API authentication failed.";
+var BotGuardAuthError = class extends BotGuardError {
+  constructor(options = {}) {
+    const errorOptions = {
+      code: "TRUESIFT_AUTH_ERROR",
+      message: options.message ?? DEFAULT_AUTH_ERROR_MESSAGE,
+      ...options.statusCode !== void 0 ? { statusCode: options.statusCode } : {},
+      ...options.requestId !== void 0 ? { requestId: options.requestId } : {},
+      ...options.context !== void 0 ? { context: options.context } : {},
+      ...options.cause !== void 0 ? { cause: options.cause } : {}
+    };
+    super(errorOptions);
+  }
+};
+
+// src/errors/BotGuardResponseError.ts
+var DEFAULT_RESPONSE_ERROR_MESSAGE = "TrueSift API returned an invalid response.";
+var BotGuardResponseError = class extends BotGuardError {
+  constructor(options = {}) {
+    const errorOptions = {
+      code: "TRUESIFT_RESPONSE_ERROR",
+      message: options.message ?? DEFAULT_RESPONSE_ERROR_MESSAGE,
+      ...options.statusCode !== void 0 ? { statusCode: options.statusCode } : {},
+      ...options.requestId !== void 0 ? { requestId: options.requestId } : {},
+      ...options.context !== void 0 ? { context: options.context } : {},
+      ...options.cause !== void 0 ? { cause: options.cause } : {}
+    };
+    super(errorOptions);
+  }
+};
+
+// src/utils/isRecord.ts
+function isRecord(value) {
+  return typeof value === "object" && value !== null && !Array.isArray(value);
+}
+
+// src/http/parseBotGuardResponse.ts
+function getRequestIdFromHeaders(headers) {
+  const requestId = headers.get("x-request-id") ?? headers.get("x-correlation-id") ?? headers.get("x-trace-id");
+  return requestId === null || requestId.trim().length === 0 ? void 0 : requestId.trim();
+}
+function isJsonContentType(headers) {
+  const contentType = headers.get("content-type");
+  return contentType !== null && contentType.toLowerCase().includes("json");
+}
+function isTrueSiftJsonErrorResponse(body) {
+  return isRecord(body) && body["success"] === false && (body["error"] === void 0 || isRecord(body["error"]));
+}
+function getApiErrorMessage(body) {
+  return body.error?.message ?? "TrueSift API returned an error response.";
+}
+function getApiErrorCode(body) {
+  return body.error?.code;
+}
+async function parseJsonBody(response) {
+  try {
+    return await response.json();
+  } catch (error) {
+    throw new BotGuardResponseError({
+      message: "TrueSift API returned invalid JSON.",
+      statusCode: response.status,
+      requestId: getRequestIdFromHeaders(response.headers),
+      context: {
+        statusCode: response.status
+      },
+      cause: error
+    });
+  }
+}
+async function parseBotGuardResponse(response) {
+  const requestId = getRequestIdFromHeaders(response.headers);
+  if (!isJsonContentType(response.headers)) {
+    throw new BotGuardResponseError({
+      message: "TrueSift API response must be JSON.",
+      statusCode: response.status,
+      ...requestId !== void 0 ? { requestId } : {},
+      context: {
+        statusCode: response.status,
+        contentType: response.headers.get("content-type")
+      }
+    });
+  }
+  const body = await parseJsonBody(response);
+  if (response.status === 401 || response.status === 403) {
+    throw new BotGuardAuthError({
+      statusCode: response.status,
+      ...requestId !== void 0 ? { requestId } : {},
+      context: {
+        statusCode: response.status
+      }
+    });
+  }
+  if (!response.ok) {
+    if (isTrueSiftJsonErrorResponse(body)) {
+      throw new BotGuardApiError({
+        message: getApiErrorMessage(body),
+        statusCode: response.status,
+        requestId: body.requestId ?? requestId,
+        apiError: {
+          ...getApiErrorCode(body) !== void 0 ? { code: getApiErrorCode(body) } : {},
+          message: getApiErrorMessage(body),
+          ...body.error?.details !== void 0 ? { details: body.error.details } : {}
+        },
+        context: {
+          statusCode: response.status
+        }
+      });
+    }
+    throw new BotGuardResponseError({
+      message: "TrueSift API returned an unexpected error response.",
+      statusCode: response.status,
+      ...requestId !== void 0 ? { requestId } : {},
+      context: {
+        statusCode: response.status
+      }
+    });
+  }
+  return {
+    statusCode: response.status,
+    ok: response.ok,
+    headers: response.headers,
+    body,
+    ...requestId !== void 0 ? { requestId } : {}
+  };
+}
+
+// src/http/botGuardFetch.ts
+function isAbortError(error) {
+  return error instanceof DOMException || error instanceof Error && error.name === "AbortError";
+}
+async function botGuardFetch(config, options) {
+  const timeoutMs = options.timeoutMs ?? config.timeoutMs;
+  const controller = new AbortController();
+  const timeoutId = setTimeout(() => {
+    controller.abort();
+  }, timeoutMs);
+  try {
+    const response = await config.fetchImpl(options.url, {
+      method: "POST",
+      headers: {
+        "content-type": "application/json",
+        accept: "application/json"
+      },
+      body: JSON.stringify(options.body),
+      signal: controller.signal
+    });
+    const parsedResponse = await parseBotGuardResponse(response);
+    return parsedResponse.body;
+  } catch (error) {
+    if (isAbortError(error)) {
+      throw new BotGuardTimeoutError({
+        timeoutMs,
+        context: {
+          url: options.url,
+          timeoutMs
+        },
+        cause: error
+      });
+    }
+    if (error instanceof BotGuardError) {
+      throw error;
+    }
+    throw new BotGuardRequestError({
+      context: {
+        url: options.url
+      },
+      cause: error
+    });
+  } finally {
+    clearTimeout(timeoutId);
+  }
+}
+
+// src/utils/decisionHelpers.ts
+function isAllowedDecision(decision) {
+  return decision === "allow";
+}
+function isReviewDecision(decision) {
+  return decision === "review";
+}
+function isBlockedDecision(decision) {
+  return decision === "block";
+}
+function createDecisionFlags(decision) {
+  return {
+    isAllowed: isAllowedDecision(decision),
+    isReview: isReviewDecision(decision),
+    isBlocked: isBlockedDecision(decision)
+  };
+}
+function isAllowed(result) {
+  return result.decision === "allow";
+}
+function isReview(result) {
+  return result.decision === "review";
+}
+function isBlocked(result) {
+  return result.decision === "block";
+}
+var isBotGuardAllowedDecision = isAllowedDecision;
+var isBotGuardReviewDecision = isReviewDecision;
+var isBotGuardBlockedDecision = isBlockedDecision;
+function createBotGuardDecisionFlags(decision) {
+  return createDecisionFlags(decision);
+}
+function isBotGuardAllowed(result) {
+  return isAllowed(result);
+}
+function isBotGuardReview(result) {
+  return isReview(result);
+}
+function isBotGuardBlocked(result) {
+  return isBlocked(result);
+}
+
+// src/types/decision.types.ts
+var TRUE_SIFT_DECISIONS = ["allow", "review", "block"];
+
+// src/utils/normalizeDecision.ts
+var TRUE_SIFT_DECISION_SET = new Set(
+  TRUE_SIFT_DECISIONS
+);
+function isTrueSiftDecision(value) {
+  return typeof value === "string" && TRUE_SIFT_DECISION_SET.has(value);
+}
+var isBotGuardDecision = isTrueSiftDecision;
+function normalizeDecision(value) {
+  if (isTrueSiftDecision(value)) {
+    return value;
+  }
+  if (typeof value === "string") {
+    const normalizedValue = value.trim().toLowerCase();
+    if (isTrueSiftDecision(normalizedValue)) {
+      return normalizedValue;
+    }
+  }
+  throw new TypeError(
+    `Invalid TrueSift decision. Expected one of: ${TRUE_SIFT_DECISIONS.join(
+      ", "
+    )}.`
+  );
+}
+function normalizeBotGuardDecision(value) {
+  return normalizeDecision(value);
+}
+
+// src/validation/validateBotGuardResponse.ts
+var TRUE_SIFT_VERIFICATION_MODES = ["observe", "protect"];
+function createResponseError(message, context) {
+  return new BotGuardResponseError({
+    message,
+    context
+  });
+}
+function requireRecord(response) {
+  if (!isRecord(response)) {
+    throw createResponseError("TrueSift API response must be an object.", {
+      fieldName: "response",
+      expected: "object"
+    });
+  }
+  return response;
+}
+function requireSuccessTrue(record) {
+  if (record["success"] !== true) {
+    throw createResponseError(
+      "TrueSift API success response must contain success: true.",
+      {
+        fieldName: "success",
+        expected: "true"
+      }
+    );
+  }
+}
+function requireStringField(record, fieldName) {
+  const value = record[fieldName];
+  if (typeof value !== "string" || value.trim().length === 0) {
+    throw createResponseError(
+      `TrueSift API response field "${fieldName}" must be a non-empty string.`,
+      {
+        fieldName,
+        expected: "non-empty string"
+      }
+    );
+  }
+  return value.trim();
+}
+function optionalStringField(record, fieldName) {
+  const value = record[fieldName];
+  if (value === void 0) {
+    return void 0;
+  }
+  if (typeof value !== "string" || value.trim().length === 0) {
+    throw createResponseError(
+      `TrueSift API response field "${fieldName}" must be a non-empty string when present.`,
+      {
+        fieldName,
+        expected: "non-empty string"
+      }
+    );
+  }
+  return value.trim();
+}
+function requireFiniteNumberField(record, fieldName) {
+  const value = record[fieldName];
+  if (typeof value !== "number" || !Number.isFinite(value)) {
+    throw createResponseError(
+      `TrueSift API response field "${fieldName}" must be a finite number.`,
+      {
+        fieldName,
+        expected: "finite number"
+      }
+    );
+  }
+  return value;
+}
+function optionalStringArrayField(record, fieldName) {
+  const value = record[fieldName];
+  if (value === void 0) {
+    return [];
+  }
+  if (!Array.isArray(value)) {
+    throw createResponseError(
+      `TrueSift API response field "${fieldName}" must be an array when present.`,
+      {
+        fieldName,
+        expected: "string[]"
+      }
+    );
+  }
+  const reasonCodes = [];
+  for (const item of value) {
+    if (typeof item !== "string") {
+      throw createResponseError(
+        `TrueSift API response field "${fieldName}" must contain only strings.`,
+        {
+          fieldName,
+          expected: "string[]"
+        }
+      );
+    }
+    const trimmedItem = item.trim();
+    if (trimmedItem.length > 0) {
+      reasonCodes.push(trimmedItem);
+    }
+  }
+  return reasonCodes;
+}
+function optionalVerificationModeField(record, fieldName) {
+  const value = record[fieldName];
+  if (value === void 0) {
+    return void 0;
+  }
+  if (typeof value === "string" && TRUE_SIFT_VERIFICATION_MODES.includes(value)) {
+    return value;
+  }
+  throw createResponseError(
+    `TrueSift API response field "${fieldName}" must be a valid verification mode when present.`,
+    {
+      fieldName,
+      expected: "observe | protect"
+    }
+  );
+}
+function optionalDecisionField(record, fieldName) {
+  const value = record[fieldName];
+  if (value === void 0) {
+    return void 0;
+  }
+  return normalizeDecision(value);
+}
+function getDecisionMetadata(record) {
+  const mode = optionalVerificationModeField(record, "mode");
+  const calculatedDecision = optionalDecisionField(record, "calculatedDecision");
+  const effectiveDecision = optionalDecisionField(record, "effectiveDecision");
+  return {
+    ...mode !== void 0 ? { mode } : {},
+    ...calculatedDecision !== void 0 ? { calculatedDecision } : {},
+    ...effectiveDecision !== void 0 ? { effectiveDecision } : {}
+  };
+}
+function validateCreateChallengeResponse(response) {
+  const record = requireRecord(response);
+  requireSuccessTrue(record);
+  const requestId = optionalStringField(record, "requestId");
+  return {
+    success: true,
+    challengeId: requireStringField(record, "challengeId"),
+    challengeToken: requireStringField(record, "challengeToken"),
+    expiresAt: requireStringField(record, "expiresAt"),
+    ...requestId !== void 0 ? { requestId } : {},
+    raw: record
+  };
+}
+function validateVerifyChallengeResponse(response) {
+  const record = requireRecord(response);
+  requireSuccessTrue(record);
+  const decision = normalizeDecision(requireStringField(record, "decision"));
+  const decisionFlags = createDecisionFlags(decision);
+  const metadata = getDecisionMetadata(record);
+  const challengeId = optionalStringField(record, "challengeId");
+  const requestId = optionalStringField(record, "requestId");
+  return {
+    success: true,
+    decision,
+    score: requireFiniteNumberField(record, "score"),
+    reasonCodes: optionalStringArrayField(record, "reasonCodes"),
+    ...challengeId !== void 0 ? { challengeId } : {},
+    ...requestId !== void 0 ? { requestId } : {},
+    ...metadata,
+    ...decisionFlags,
+    raw: record
+  };
+}
+
+// src/errors/BotGuardConfigError.ts
+var DEFAULT_CONFIG_ERROR_MESSAGE = "TrueSift SDK configuration is invalid.";
+var BotGuardConfigError = class extends BotGuardError {
+  constructor(options = {}) {
+    const errorOptions = {
+      code: "TRUESIFT_CONFIG_ERROR",
+      message: options.message ?? DEFAULT_CONFIG_ERROR_MESSAGE,
+      ...options.context !== void 0 ? { context: options.context } : {},
+      ...options.cause !== void 0 ? { cause: options.cause } : {}
+    };
+    super(errorOptions);
+  }
+};
+
+// src/validation/validateChallengeInput.ts
+function validateChallengeString(value, context) {
+  if (typeof value !== "string" || value.trim().length === 0) {
+    throw new BotGuardConfigError({
+      message: `TrueSift challenge field "${context.fieldName}" is required.`,
+      context
+    });
+  }
+  return value.trim();
+}
+function resolveChallengeString(inputValue, configValue, fieldName) {
+  if (inputValue !== void 0) {
+    return validateChallengeString(inputValue, {
+      fieldName,
+      source: "input"
+    });
+  }
+  return validateChallengeString(configValue, {
+    fieldName,
+    source: "config"
+  });
+}
+function validateChallengeInput(input, config) {
+  const siteKey = resolveChallengeString(
+    input.siteKey,
+    config.siteKey,
+    "siteKey"
+  );
+  const origin = resolveChallengeString(
+    input.origin,
+    config.defaultOrigin,
+    "origin"
+  );
+  const action = resolveChallengeString(
+    input.action,
+    config.defaultAction,
+    "action"
+  );
+  const path = validateChallengeString(input.path, {
+    fieldName: "path",
+    source: "input"
+  });
+  return {
+    siteKey,
+    origin,
+    action,
+    path,
+    ...input.metadata !== void 0 ? { metadata: input.metadata } : {}
+  };
+}
+
+// src/validation/validateVerifyInput.ts
+function validateVerifyString(value, context) {
+  if (typeof value !== "string" || value.trim().length === 0) {
+    throw new BotGuardConfigError({
+      message: `TrueSift verify field "${context.fieldName}" is required.`,
+      context
+    });
+  }
+  return value.trim();
+}
+function resolveVerifyString(inputValue, configValue, fieldName) {
+  if (inputValue !== void 0) {
+    return validateVerifyString(inputValue, {
+      fieldName,
+      source: "input"
+    });
+  }
+  return validateVerifyString(configValue, {
+    fieldName,
+    source: "config"
+  });
+}
+function normalizeClientSignals(clientSignals) {
+  if (clientSignals === void 0) {
+    return void 0;
+  }
+  const elapsedMs = typeof clientSignals.elapsedMs === "number" && Number.isFinite(clientSignals.elapsedMs) && clientSignals.elapsedMs >= 0 ? Math.trunc(clientSignals.elapsedMs) : void 0;
+  const honeypotValue = typeof clientSignals.honeypotValue === "string" ? clientSignals.honeypotValue.slice(0, 500) : void 0;
+  const normalizedSignals = {
+    ...elapsedMs !== void 0 ? { elapsedMs } : {},
+    ...honeypotValue !== void 0 ? { honeypotValue } : {}
+  };
+  return Object.keys(normalizedSignals).length > 0 ? normalizedSignals : void 0;
+}
+function validateVerifyInput(input, config) {
+  const siteKey = resolveVerifyString(input.siteKey, config.siteKey, "siteKey");
+  const secretKey = resolveVerifyString(
+    input.secretKey,
+    config.secretKey,
+    "secretKey"
+  );
+  const challengeId = validateVerifyString(input.challengeId, {
+    fieldName: "challengeId",
+    source: "input"
+  });
+  const challengeToken = validateVerifyString(input.challengeToken, {
+    fieldName: "challengeToken",
+    source: "input"
+  });
+  const origin = resolveVerifyString(
+    input.origin,
+    config.defaultOrigin,
+    "origin"
+  );
+  const action = resolveVerifyString(
+    input.action,
+    config.defaultAction,
+    "action"
+  );
+  const path = validateVerifyString(input.path, {
+    fieldName: "path",
+    source: "input"
+  });
+  const clientSignals = normalizeClientSignals(input.clientSignals);
+  return {
+    siteKey,
+    secretKey,
+    challengeId,
+    challengeToken,
+    origin,
+    action,
+    path,
+    ...clientSignals !== void 0 ? { clientSignals } : {},
+    ...input.metadata !== void 0 ? { metadata: input.metadata } : {}
+  };
+}
+
+// src/client/BotGuardClient.ts
+var BotGuardClient = class {
+  config;
+  constructor(config) {
+    this.config = config;
+  }
+  async createChallenge(input = {}) {
+    const payload = validateChallengeInput(input, this.config);
+    const url = buildBotGuardUrl(this.config.apiBaseUrl, "challenge");
+    const response = await botGuardFetch(this.config, {
+      url,
+      body: payload
+    });
+    return validateCreateChallengeResponse(response);
+  }
+  async verifyChallenge(input) {
+    const payload = validateVerifyInput(input, this.config);
+    const url = buildBotGuardUrl(this.config.apiBaseUrl, "verify");
+    const response = await botGuardFetch(this.config, {
+      url,
+      body: payload
+    });
+    return validateVerifyChallengeResponse(response);
+  }
+};
+var TrueSiftClient = class extends BotGuardClient {
+  constructor(config) {
+    super(config);
+  }
+  async createChallenge(input = {}) {
+    return super.createChallenge(input);
+  }
+  async verifyChallenge(input) {
+    return super.verifyChallenge(input);
+  }
+};
+
+// src/utils/redactBotGuardConfig.ts
+var REDACTED_VALUE = "[REDACTED]";
+var SENSITIVE_KEY_PATTERNS = [
+  "secret",
+  "token",
+  "authorization",
+  "auth",
+  "credential",
+  "password",
+  "cookie",
+  "set-cookie",
+  "api-key",
+  "apikey",
+  "private"
+];
+function redactSensitiveValue(value) {
+  if (typeof value === "string" && value.length > 0) {
+    return REDACTED_VALUE;
+  }
+  if (typeof value === "number" || typeof value === "boolean") {
+    return value;
+  }
+  if (value === null || value === void 0) {
+    return value;
+  }
+  if (Array.isArray(value)) {
+    return value.map((item) => redactSensitiveValue(item));
+  }
+  if (typeof value === "object") {
+    return redactSensitiveRecord(value);
+  }
+  return REDACTED_VALUE;
+}
+function isSensitiveKey(key) {
+  const normalizedKey = key.trim().toLowerCase();
+  return SENSITIVE_KEY_PATTERNS.some(
+    (pattern) => normalizedKey.includes(pattern)
+  );
+}
+function redactSensitiveRecord(record) {
+  const redactedRecord = {};
+  for (const [key, value] of Object.entries(record)) {
+    redactedRecord[key] = isSensitiveKey(key) ? REDACTED_VALUE : redactSensitiveValue(value);
+  }
+  return redactedRecord;
+}
+function redactTrueSiftClientConfig(config) {
+  return {
+    ...typeof config.apiBaseUrl === "string" ? { apiBaseUrl: config.apiBaseUrl } : {},
+    ...typeof config.siteKey === "string" ? { siteKey: config.siteKey } : {},
+    ...typeof config.defaultAction === "string" ? { defaultAction: config.defaultAction } : {},
+    ...typeof config.defaultOrigin === "string" ? { defaultOrigin: config.defaultOrigin } : {},
+    ...typeof config.timeoutMs === "number" ? { timeoutMs: config.timeoutMs } : {},
+    hasSecretKey: typeof config.secretKey === "string" && config.secretKey.length > 0,
+    hasCustomFetch: typeof config.fetchImpl === "function",
+    hasLogger: typeof config.logger === "object" && config.logger !== null
+  };
+}
+function redactBotGuardConfig(config) {
+  return redactTrueSiftClientConfig(config);
+}
+
+// src/validation/validateClientConfig.ts
+var DEFAULT_TIMEOUT_MS = 2500;
+var MIN_TIMEOUT_MS = 100;
+var MAX_TIMEOUT_MS = 3e4;
+function validateRequiredString(value, fieldName, config) {
+  if (typeof value !== "string" || value.trim().length === 0) {
+    throw new BotGuardConfigError({
+      message: `TrueSift SDK configuration field "${fieldName}" is required.`,
+      context: {
+        fieldName,
+        config: redactBotGuardConfig(config)
+      }
+    });
+  }
+  return value.trim();
+}
+function validateOptionalString(value, fieldName, config) {
+  if (value === void 0) {
+    return void 0;
+  }
+  if (typeof value !== "string") {
+    throw new BotGuardConfigError({
+      message: `TrueSift SDK configuration field "${fieldName}" must be a string.`,
+      context: {
+        fieldName,
+        config: redactBotGuardConfig(config)
+      }
+    });
+  }
+  const trimmedValue = value.trim();
+  return trimmedValue.length > 0 ? trimmedValue : void 0;
+}
+function validateTimeoutMs(value, config) {
+  if (value === void 0) {
+    return DEFAULT_TIMEOUT_MS;
+  }
+  if (!Number.isFinite(value)) {
+    throw new BotGuardConfigError({
+      message: 'TrueSift SDK configuration field "timeoutMs" must be finite.',
+      context: {
+        fieldName: "timeoutMs",
+        config: redactBotGuardConfig(config)
+      }
+    });
+  }
+  if (!Number.isInteger(value)) {
+    throw new BotGuardConfigError({
+      message: 'TrueSift SDK configuration field "timeoutMs" must be an integer.',
+      context: {
+        fieldName: "timeoutMs",
+        config: redactBotGuardConfig(config)
+      }
+    });
+  }
+  if (value < MIN_TIMEOUT_MS || value > MAX_TIMEOUT_MS) {
+    throw new BotGuardConfigError({
+      message: `TrueSift SDK configuration field "timeoutMs" must be between ${MIN_TIMEOUT_MS} and ${MAX_TIMEOUT_MS}.`,
+      context: {
+        fieldName: "timeoutMs",
+        minTimeoutMs: MIN_TIMEOUT_MS,
+        maxTimeoutMs: MAX_TIMEOUT_MS,
+        config: redactBotGuardConfig(config)
+      }
+    });
+  }
+  return value;
+}
+function validateApiBaseUrl(value, config) {
+  try {
+    const url = new URL(value);
+    if (url.protocol !== "http:" && url.protocol !== "https:") {
+      throw new BotGuardConfigError({
+        message: 'TrueSift SDK configuration field "apiBaseUrl" must use http or https.',
+        context: {
+          fieldName: "apiBaseUrl",
+          config: redactBotGuardConfig(config)
+        }
+      });
+    }
+    return url.toString().replace(/\/$/, "");
+  } catch (error) {
+    if (error instanceof BotGuardConfigError) {
+      throw error;
+    }
+    throw new BotGuardConfigError({
+      message: 'TrueSift SDK configuration field "apiBaseUrl" must be a valid URL.',
+      context: {
+        fieldName: "apiBaseUrl",
+        config: redactBotGuardConfig(config)
+      },
+      cause: error
+    });
+  }
+}
+function validateClientConfig(config) {
+  const rawApiBaseUrl = validateRequiredString(
+    config.apiBaseUrl,
+    "apiBaseUrl",
+    config
+  );
+  const apiBaseUrl = validateApiBaseUrl(rawApiBaseUrl, config);
+  const siteKey = validateRequiredString(config.siteKey, "siteKey", config);
+  const secretKey = validateRequiredString(
+    config.secretKey,
+    "secretKey",
+    config
+  );
+  const defaultAction = validateOptionalString(
+    config.defaultAction,
+    "defaultAction",
+    config
+  );
+  const defaultOrigin = validateOptionalString(
+    config.defaultOrigin,
+    "defaultOrigin",
+    config
+  );
+  const timeoutMs = validateTimeoutMs(config.timeoutMs, config);
+  return {
+    apiBaseUrl,
+    siteKey,
+    secretKey,
+    ...defaultAction !== void 0 ? { defaultAction } : {},
+    ...defaultOrigin !== void 0 ? { defaultOrigin } : {},
+    timeoutMs,
+    fetchImpl: config.fetchImpl ?? fetch,
+    ...config.logger !== void 0 ? { logger: config.logger } : {}
+  };
+}
+
+// src/client/createBotGuardClient.ts
+function createBotGuardClient(config) {
+  return new BotGuardClient(validateClientConfig(config));
+}
+function createTrueSiftClient(config) {
+  return new TrueSiftClient(validateClientConfig(config));
+}
+
+export { BotGuardApiError, BotGuardAuthError, BotGuardClient, BotGuardConfigError, BotGuardError, BotGuardRequestError, BotGuardResponseError, BotGuardTimeoutError, REDACTED_VALUE, BotGuardApiError as TrueSiftApiError, BotGuardAuthError as TrueSiftAuthError, TrueSiftClient, BotGuardConfigError as TrueSiftConfigError, BotGuardError as TrueSiftError, BotGuardRequestError as TrueSiftRequestError, BotGuardResponseError as TrueSiftResponseError, BotGuardTimeoutError as TrueSiftTimeoutError, createBotGuardClient, createBotGuardDecisionFlags, createDecisionFlags, createTrueSiftClient, isAllowed, isAllowedDecision, isBlocked, isBlockedDecision, isBotGuardAllowed, isBotGuardAllowedDecision, isBotGuardBlocked, isBotGuardBlockedDecision, isBotGuardDecision, isBotGuardReview, isBotGuardReviewDecision, isReview, isReviewDecision, isSensitiveKey, isTrueSiftDecision, normalizeBotGuardDecision, normalizeDecision, redactBotGuardConfig, redactSensitiveRecord, redactSensitiveValue, redactTrueSiftClientConfig };