@vivero/stoma 0.1.0-rc.10

package/dist/policies/auth/verify-http-signature.js

@@ -0,0 +1,147 @@
+import { GatewayError } from "../../core/errors";
+import { definePolicy, Priority } from "../sdk";
+import {
+  algorithmToCrypto,
+  buildSignatureBase,
+  fromBase64,
+  importVerifyKey,
+  parseSignatureParams
+} from "./http-signature-base";
+const verifyHttpSignature = /* @__PURE__ */ definePolicy({
+  name: "verify-http-signature",
+  priority: Priority.AUTH,
+  defaults: {
+    requiredComponents: ["@method"],
+    maxAge: 300,
+    signatureHeaderName: "Signature",
+    signatureInputHeaderName: "Signature-Input",
+    label: "sig1"
+  },
+  handler: async (c, next, { config, debug }) => {
+    if (!config.keys || Object.keys(config.keys).length === 0) {
+      throw new GatewayError(
+        500,
+        "config_error",
+        "verifyHttpSignature requires at least one key in 'keys'"
+      );
+    }
+    const label = config.label;
+    const signatureInputHeader = c.req.header(
+      config.signatureInputHeaderName
+    );
+    if (!signatureInputHeader) {
+      throw new GatewayError(
+        401,
+        "signature_invalid",
+        "Missing Signature-Input header"
+      );
+    }
+    const signatureHeader = c.req.header(config.signatureHeaderName);
+    if (!signatureHeader) {
+      throw new GatewayError(
+        401,
+        "signature_invalid",
+        "Missing Signature header"
+      );
+    }
+    const inputPrefix = `${label}=`;
+    if (!signatureInputHeader.startsWith(inputPrefix)) {
+      throw new GatewayError(
+        401,
+        "signature_invalid",
+        `Missing signature label "${label}" in Signature-Input header`
+      );
+    }
+    const inputValue = signatureInputHeader.slice(inputPrefix.length);
+    const { components, params } = parseSignatureParams(inputValue);
+    debug(`verifying label=${label}, components=${components.join(",")}`);
+    const sigPrefix = `${label}=:`;
+    if (!signatureHeader.startsWith(sigPrefix) || !signatureHeader.endsWith(":")) {
+      throw new GatewayError(
+        401,
+        "signature_invalid",
+        `Invalid Signature header format for label "${label}"`
+      );
+    }
+    const signatureB64 = signatureHeader.slice(sigPrefix.length, -1);
+    const now = Math.floor(Date.now() / 1e3);
+    if (params.created) {
+      const created = Number.parseInt(params.created, 10);
+      if (created + config.maxAge < now) {
+        throw new GatewayError(
+          401,
+          "signature_invalid",
+          "Signature has expired (maxAge exceeded)"
+        );
+      }
+    }
+    if (params.expires) {
+      const expires = Number.parseInt(params.expires, 10);
+      if (expires < now) {
+        throw new GatewayError(
+          401,
+          "signature_invalid",
+          "Signature has expired (expires parameter)"
+        );
+      }
+    }
+    for (const required of config.requiredComponents) {
+      if (!components.includes(required)) {
+        throw new GatewayError(
+          401,
+          "signature_invalid",
+          `Required component "${required}" not found in signature`
+        );
+      }
+    }
+    const keyId = params.keyid;
+    if (!keyId) {
+      throw new GatewayError(
+        401,
+        "signature_invalid",
+        "Missing keyid in signature parameters"
+      );
+    }
+    const keyEntry = config.keys[keyId];
+    if (!keyEntry) {
+      throw new GatewayError(
+        401,
+        "signature_invalid",
+        "Unknown key identifier"
+      );
+    }
+    const signatureParamsStr = inputValue;
+    const signatureBase = buildSignatureBase(
+      components,
+      signatureParamsStr,
+      c.req.raw
+    );
+    const key = await importVerifyKey(
+      keyEntry.algorithm,
+      keyEntry.secret,
+      keyEntry.publicKey
+    );
+    const { signAlg } = algorithmToCrypto(keyEntry.algorithm);
+    const encoder = new TextEncoder();
+    const signatureBytes = fromBase64(signatureB64);
+    const valid = await crypto.subtle.verify(
+      signAlg,
+      key,
+      signatureBytes,
+      encoder.encode(signatureBase)
+    );
+    if (!valid) {
+      throw new GatewayError(
+        401,
+        "signature_invalid",
+        "Signature verification failed"
+      );
+    }
+    debug("signature verified successfully");
+    await next();
+  }
+});
+export {
+  verifyHttpSignature
+};
+//# sourceMappingURL=verify-http-signature.js.map

package/dist/policies/auth/verify-http-signature.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../../../src/policies/auth/verify-http-signature.ts"],"sourcesContent":["/**\n * Verify HTTP Message Signatures per RFC 9421.\n *\n * Validates inbound requests by parsing `Signature` + `Signature-Input` headers,\n * reconstructing the signature base, and verifying the cryptographic signature.\n *\n * @module verify-http-signature\n */\n\nimport { GatewayError } from \"../../core/errors\";\nimport { definePolicy, Priority } from \"../sdk\";\nimport type { PolicyConfig } from \"../types\";\nimport {\n  algorithmToCrypto,\n  buildSignatureBase,\n  fromBase64,\n  importVerifyKey,\n  parseSignatureParams,\n} from \"./http-signature-base\";\n\nexport interface HttpSignatureKey {\n  /** HMAC secret. */\n  secret?: string;\n  /** RSA public key as JWK. */\n  publicKey?: JsonWebKey;\n  /** Algorithm identifier. */\n  algorithm: string;\n}\n\nexport interface VerifyHttpSignatureConfig extends PolicyConfig {\n  /** Map of keyId to key material. */\n  keys: Record<string, HttpSignatureKey>;\n  /** Components that MUST be in the signature. Default: [\"@method\"]. */\n  requiredComponents?: string[];\n  /** Max signature age in seconds. Default: 300 (5 min). */\n  maxAge?: number;\n  /** Signature header name. Default: \"Signature\". */\n  signatureHeaderName?: string;\n  /** Signature-Input header name. Default: \"Signature-Input\". */\n  signatureInputHeaderName?: string;\n  /** Expected signature label. Default: \"sig1\". */\n  label?: string;\n}\n\nexport const verifyHttpSignature =\n  /*#__PURE__*/ definePolicy<VerifyHttpSignatureConfig>({\n    name: \"verify-http-signature\",\n    priority: Priority.AUTH,\n    defaults: {\n      requiredComponents: [\"@method\"],\n      maxAge: 300,\n      signatureHeaderName: \"Signature\",\n      signatureInputHeaderName: \"Signature-Input\",\n      label: \"sig1\",\n    },\n    handler: async (c, next, { config, debug }) => {\n      // Validate keys at request time\n      if (!config.keys || Object.keys(config.keys).length === 0) {\n        throw new GatewayError(\n          500,\n          \"config_error\",\n          \"verifyHttpSignature requires at least one key in 'keys'\"\n        );\n      }\n\n      const label = config.label!;\n\n      // 1. Extract Signature-Input header\n      const signatureInputHeader = c.req.header(\n        config.signatureInputHeaderName!\n      );\n      if (!signatureInputHeader) {\n        throw new GatewayError(\n          401,\n          \"signature_invalid\",\n          \"Missing Signature-Input header\"\n        );\n      }\n\n      // 2. Extract Signature header\n      const signatureHeader = c.req.header(config.signatureHeaderName!);\n      if (!signatureHeader) {\n        throw new GatewayError(\n          401,\n          \"signature_invalid\",\n          \"Missing Signature header\"\n        );\n      }\n\n      // 3. Parse the labelled Signature-Input: label=(...);params\n      const inputPrefix = `${label}=`;\n      if (!signatureInputHeader.startsWith(inputPrefix)) {\n        throw new GatewayError(\n          401,\n          \"signature_invalid\",\n          `Missing signature label \"${label}\" in Signature-Input header`\n        );\n      }\n      const inputValue = signatureInputHeader.slice(inputPrefix.length);\n      const { components, params } = parseSignatureParams(inputValue);\n\n      debug(`verifying label=${label}, components=${components.join(\",\")}`);\n\n      // 4. Parse the labelled Signature: label=:<base64>:\n      const sigPrefix = `${label}=:`;\n      if (\n        !signatureHeader.startsWith(sigPrefix) ||\n        !signatureHeader.endsWith(\":\")\n      ) {\n        throw new GatewayError(\n          401,\n          \"signature_invalid\",\n          `Invalid Signature header format for label \"${label}\"`\n        );\n      }\n      const signatureB64 = signatureHeader.slice(sigPrefix.length, -1);\n\n      // 5. Validate created + maxAge (signature freshness)\n      const now = Math.floor(Date.now() / 1000);\n      if (params.created) {\n        const created = Number.parseInt(params.created, 10);\n        if (created + config.maxAge! < now) {\n          throw new GatewayError(\n            401,\n            \"signature_invalid\",\n            \"Signature has expired (maxAge exceeded)\"\n          );\n        }\n      }\n\n      // 6. Validate expires if present\n      if (params.expires) {\n        const expires = Number.parseInt(params.expires, 10);\n        if (expires < now) {\n          throw new GatewayError(\n            401,\n            \"signature_invalid\",\n            \"Signature has expired (expires parameter)\"\n          );\n        }\n      }\n\n      // 7. Check required components are present\n      for (const required of config.requiredComponents!) {\n        if (!components.includes(required)) {\n          throw new GatewayError(\n            401,\n            \"signature_invalid\",\n            `Required component \"${required}\" not found in signature`\n          );\n        }\n      }\n\n      // 8. Look up key by keyid parameter\n      const keyId = params.keyid;\n      if (!keyId) {\n        throw new GatewayError(\n          401,\n          \"signature_invalid\",\n          \"Missing keyid in signature parameters\"\n        );\n      }\n\n      const keyEntry = config.keys[keyId];\n      if (!keyEntry) {\n        throw new GatewayError(\n          401,\n          \"signature_invalid\",\n          \"Unknown key identifier\"\n        );\n      }\n\n      // 9. Reconstruct the signature base\n      const signatureParamsStr = inputValue;\n      const signatureBase = buildSignatureBase(\n        components,\n        signatureParamsStr,\n        c.req.raw\n      );\n\n      // 10. Verify the signature\n      const key = await importVerifyKey(\n        keyEntry.algorithm,\n        keyEntry.secret,\n        keyEntry.publicKey\n      );\n      const { signAlg } = algorithmToCrypto(keyEntry.algorithm);\n      const encoder = new TextEncoder();\n      const signatureBytes = fromBase64(signatureB64);\n\n      const valid = await crypto.subtle.verify(\n        signAlg,\n        key,\n        signatureBytes,\n        encoder.encode(signatureBase)\n      );\n\n      if (!valid) {\n        throw new GatewayError(\n          401,\n          \"signature_invalid\",\n          \"Signature verification failed\"\n        );\n      }\n\n      debug(\"signature verified successfully\");\n      await next();\n    },\n  });\n"],"mappings":"AASA,SAAS,oBAAoB;AAC7B,SAAS,cAAc,gBAAgB;AAEvC;AAAA,EACE;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,OACK;AA0BA,MAAM,sBACG,6BAAwC;AAAA,EACpD,MAAM;AAAA,EACN,UAAU,SAAS;AAAA,EACnB,UAAU;AAAA,IACR,oBAAoB,CAAC,SAAS;AAAA,IAC9B,QAAQ;AAAA,IACR,qBAAqB;AAAA,IACrB,0BAA0B;AAAA,IAC1B,OAAO;AAAA,EACT;AAAA,EACA,SAAS,OAAO,GAAG,MAAM,EAAE,QAAQ,MAAM,MAAM;AAE7C,QAAI,CAAC,OAAO,QAAQ,OAAO,KAAK,OAAO,IAAI,EAAE,WAAW,GAAG;AACzD,YAAM,IAAI;AAAA,QACR;AAAA,QACA;AAAA,QACA;AAAA,MACF;AAAA,IACF;AAEA,UAAM,QAAQ,OAAO;AAGrB,UAAM,uBAAuB,EAAE,IAAI;AAAA,MACjC,OAAO;AAAA,IACT;AACA,QAAI,CAAC,sBAAsB;AACzB,YAAM,IAAI;AAAA,QACR;AAAA,QACA;AAAA,QACA;AAAA,MACF;AAAA,IACF;AAGA,UAAM,kBAAkB,EAAE,IAAI,OAAO,OAAO,mBAAoB;AAChE,QAAI,CAAC,iBAAiB;AACpB,YAAM,IAAI;AAAA,QACR;AAAA,QACA;AAAA,QACA;AAAA,MACF;AAAA,IACF;AAGA,UAAM,cAAc,GAAG,KAAK;AAC5B,QAAI,CAAC,qBAAqB,WAAW,WAAW,GAAG;AACjD,YAAM,IAAI;AAAA,QACR;AAAA,QACA;AAAA,QACA,4BAA4B,KAAK;AAAA,MACnC;AAAA,IACF;AACA,UAAM,aAAa,qBAAqB,MAAM,YAAY,MAAM;AAChE,UAAM,EAAE,YAAY,OAAO,IAAI,qBAAqB,UAAU;AAE9D,UAAM,mBAAmB,KAAK,gBAAgB,WAAW,KAAK,GAAG,CAAC,EAAE;AAGpE,UAAM,YAAY,GAAG,KAAK;AAC1B,QACE,CAAC,gBAAgB,WAAW,SAAS,KACrC,CAAC,gBAAgB,SAAS,GAAG,GAC7B;AACA,YAAM,IAAI;AAAA,QACR;AAAA,QACA;AAAA,QACA,8CAA8C,KAAK;AAAA,MACrD;AAAA,IACF;AACA,UAAM,eAAe,gBAAgB,MAAM,UAAU,QAAQ,EAAE;AAG/D,UAAM,MAAM,KAAK,MAAM,KAAK,IAAI,IAAI,GAAI;AACxC,QAAI,OAAO,SAAS;AAClB,YAAM,UAAU,OAAO,SAAS,OAAO,SAAS,EAAE;AAClD,UAAI,UAAU,OAAO,SAAU,KAAK;AAClC,cAAM,IAAI;AAAA,UACR;AAAA,UACA;AAAA,UACA;AAAA,QACF;AAAA,MACF;AAAA,IACF;AAGA,QAAI,OAAO,SAAS;AAClB,YAAM,UAAU,OAAO,SAAS,OAAO,SAAS,EAAE;AAClD,UAAI,UAAU,KAAK;AACjB,cAAM,IAAI;AAAA,UACR;AAAA,UACA;AAAA,UACA;AAAA,QACF;AAAA,MACF;AAAA,IACF;AAGA,eAAW,YAAY,OAAO,oBAAqB;AACjD,UAAI,CAAC,WAAW,SAAS,QAAQ,GAAG;AAClC,cAAM,IAAI;AAAA,UACR;AAAA,UACA;AAAA,UACA,uBAAuB,QAAQ;AAAA,QACjC;AAAA,MACF;AAAA,IACF;AAGA,UAAM,QAAQ,OAAO;AACrB,QAAI,CAAC,OAAO;AACV,YAAM,IAAI;AAAA,QACR;AAAA,QACA;AAAA,QACA;AAAA,MACF;AAAA,IACF;AAEA,UAAM,WAAW,OAAO,KAAK,KAAK;AAClC,QAAI,CAAC,UAAU;AACb,YAAM,IAAI;AAAA,QACR;AAAA,QACA;AAAA,QACA;AAAA,MACF;AAAA,IACF;AAGA,UAAM,qBAAqB;AAC3B,UAAM,gBAAgB;AAAA,MACpB;AAAA,MACA;AAAA,MACA,EAAE,IAAI;AAAA,IACR;AAGA,UAAM,MAAM,MAAM;AAAA,MAChB,SAAS;AAAA,MACT,SAAS;AAAA,MACT,SAAS;AAAA,IACX;AACA,UAAM,EAAE,QAAQ,IAAI,kBAAkB,SAAS,SAAS;AACxD,UAAM,UAAU,IAAI,YAAY;AAChC,UAAM,iBAAiB,WAAW,YAAY;AAE9C,UAAM,QAAQ,MAAM,OAAO,OAAO;AAAA,MAChC;AAAA,MACA;AAAA,MACA;AAAA,MACA,QAAQ,OAAO,aAAa;AAAA,IAC9B;AAEA,QAAI,CAAC,OAAO;AACV,YAAM,IAAI;AAAA,QACR;AAAA,QACA;AAAA,QACA;AAAA,MACF;AAAA,IACF;AAEA,UAAM,iCAAiC;AACvC,UAAM,KAAK;AAAA,EACb;AACF,CAAC;","names":[]}

package/dist/policies/index.d.ts

@@ -0,0 +1,51 @@
+export { mock } from './mock.js';
+export { proxy } from './proxy.js';
+export { apiKeyAuth } from './auth/api-key-auth.js';
+export { basicAuth } from './auth/basic-auth.js';
+export { GenerateHttpSignatureConfig, generateHttpSignature } from './auth/generate-http-signature.js';
+export { GenerateJwtConfig, generateJwt } from './auth/generate-jwt.js';
+export { JwsConfig, jws } from './auth/jws.js';
+export { JwtAuthConfig, jwtAuth } from './auth/jwt-auth.js';
+export { OAuth2Config, clearOAuth2Cache, oauth2 } from './auth/oauth2.js';
+export { RbacConfig, rbac } from './auth/rbac.js';
+export { HttpSignatureKey, VerifyHttpSignatureConfig, verifyHttpSignature } from './auth/verify-http-signature.js';
+export { A as AttributeMutation, B as BodyMutation, u as CacheConfig, C as CacheStore, v as CircuitBreakerConfig, a as CircuitBreakerSnapshot, b as CircuitBreakerStore, c as CircuitState, H as HeaderMutation, I as InMemoryCacheStore, d as InMemoryCacheStoreOptions, e as InMemoryCircuitBreakerStore, w as InMemoryRateLimitStore, f as InMemoryRateLimitStoreOptions, M as Mutation, P as Policy, g as PolicyConfig, h as PolicyContext, i as PolicyContinue, j as PolicyEvalContext, k as PolicyEvaluator, l as PolicyImmediateResponse, m as PolicyInput, n as PolicyReject, o as PolicyResult, p as ProcessingPhase, q as ProtocolType, x as RateLimitConfig, R as RateLimitStore, S as StatusMutation, r as cache, s as circuitBreaker, t as rateLimit } from '../protocol-2fD3DJrL.js';
+export { DynamicRoutingConfig, RoutingRule, dynamicRouting } from './traffic/dynamic-routing.js';
+export { GeoIpFilterConfig, geoIpFilter } from './traffic/geo-ip-filter.js';
+export { HttpCalloutConfig, httpCallout } from './traffic/http-callout.js';
+export { InterruptConfig, interrupt } from './traffic/interrupt.js';
+export { IpFilterConfig, ipFilter } from './traffic/ip-filter.js';
+export { JsonThreatProtectionConfig, jsonThreatProtection } from './traffic/json-threat-protection.js';
+export { RegexThreatProtectionConfig, regexThreatProtection } from './traffic/regex-threat-protection.js';
+export { RequestLimitConfig, requestLimit } from './traffic/request-limit.js';
+export { ResourceFilterConfig, resourceFilter } from './traffic/resource-filter.js';
+export { SslEnforceConfig, sslEnforce } from './traffic/ssl-enforce.js';
+export { TrafficShadowConfig, trafficShadow } from './traffic/traffic-shadow.js';
+export { LatencyInjectionConfig, latencyInjection } from './resilience/latency-injection.js';
+export { RetryConfig, retry } from './resilience/retry.js';
+export { TimeoutConfig, timeout } from './resilience/timeout.js';
+export { AssignAttributesConfig, assignAttributes } from './transform/assign-attributes.js';
+export { AssignContentConfig, assignContent } from './transform/assign-content.js';
+export { cors } from './transform/cors.js';
+export { JsonValidationConfig, JsonValidationResult, jsonValidation } from './transform/json-validation.js';
+export { OverrideMethodConfig, overrideMethod } from './transform/override-method.js';
+export { RequestValidationConfig, requestValidation } from './transform/request-validation.js';
+export { RequestTransformConfig, ResponseTransformConfig, requestTransform, responseTransform } from './transform/transform.js';
+export { HealthConfig, health } from '../core/health.js';
+export { AssignMetricsConfig, assignMetrics } from './observability/assign-metrics.js';
+export { MetricsReporterConfig, metricsReporter } from './observability/metrics-reporter.js';
+export { LogEntry, RequestLogConfig, requestLog } from './observability/request-log.js';
+export { ServerTimingConfig, ServerTimingVisibility, serverTiming } from './observability/server-timing.js';
+export { Priority, PriorityLevel } from './sdk/priority.js';
+export { policyDebug, resolveConfig, withSkip } from './sdk/helpers.js';
+export { PolicyDefinition, PolicyEvalHandlerContext, PolicyHandlerContext, definePolicy } from './sdk/define-policy.js';
+export { PolicyTestHarnessOptions, createPolicyTestHarness } from './sdk/testing.js';
+export { PolicyTrace, PolicyTraceDetail, PolicyTraceEntry, TraceReporter, policyTrace } from './sdk/trace.js';
+export { clearJwksCache, clearJwksCache as clearJwsJwksCache } from './auth/crypto.js';
+import 'hono';
+import '@vivero/stoma-core';
+import '../core/types.js';
+import '../observability/metrics.js';
+import '../observability/tracing.js';
+import 'hono/types';
+import '../adapters/testing.js';

package/dist/policies/index.js

@@ -0,0 +1,109 @@
+import { mock } from "./mock";
+import { proxy } from "./proxy";
+import { apiKeyAuth } from "./auth/api-key-auth";
+import { basicAuth } from "./auth/basic-auth";
+import { generateHttpSignature } from "./auth/generate-http-signature";
+import { generateJwt } from "./auth/generate-jwt";
+import { clearJwsJwksCache, jws } from "./auth/jws";
+import { clearJwksCache, jwtAuth } from "./auth/jwt-auth";
+import { clearOAuth2Cache, oauth2 } from "./auth/oauth2";
+import { rbac } from "./auth/rbac";
+import { verifyHttpSignature } from "./auth/verify-http-signature";
+import { cache, InMemoryCacheStore } from "./traffic/cache";
+import { dynamicRouting } from "./traffic/dynamic-routing";
+import { geoIpFilter } from "./traffic/geo-ip-filter";
+import { httpCallout } from "./traffic/http-callout";
+import { interrupt } from "./traffic/interrupt";
+import { ipFilter } from "./traffic/ip-filter";
+import { jsonThreatProtection } from "./traffic/json-threat-protection";
+import { InMemoryRateLimitStore, rateLimit } from "./traffic/rate-limit";
+import { regexThreatProtection } from "./traffic/regex-threat-protection";
+import { requestLimit } from "./traffic/request-limit";
+import { resourceFilter } from "./traffic/resource-filter";
+import { sslEnforce } from "./traffic/ssl-enforce";
+import { trafficShadow } from "./traffic/traffic-shadow";
+import {
+  circuitBreaker,
+  InMemoryCircuitBreakerStore
+} from "./resilience/circuit-breaker";
+import { latencyInjection } from "./resilience/latency-injection";
+import { retry } from "./resilience/retry";
+import { timeout } from "./resilience/timeout";
+import { assignAttributes } from "./transform/assign-attributes";
+import { assignContent } from "./transform/assign-content";
+import { cors } from "./transform/cors";
+import { jsonValidation } from "./transform/json-validation";
+import { overrideMethod } from "./transform/override-method";
+import { requestValidation } from "./transform/request-validation";
+import { requestTransform, responseTransform } from "./transform/transform";
+import { health } from "../core/health";
+import { assignMetrics } from "./observability/assign-metrics";
+import { metricsReporter } from "./observability/metrics-reporter";
+import { requestLog } from "./observability/request-log";
+import { serverTiming } from "./observability/server-timing";
+import {
+  createPolicyTestHarness,
+  definePolicy,
+  Priority,
+  policyDebug,
+  policyTrace,
+  resolveConfig,
+  withSkip
+} from "./sdk";
+export {
+  InMemoryCacheStore,
+  InMemoryCircuitBreakerStore,
+  InMemoryRateLimitStore,
+  Priority,
+  apiKeyAuth,
+  assignAttributes,
+  assignContent,
+  assignMetrics,
+  basicAuth,
+  cache,
+  circuitBreaker,
+  clearJwksCache,
+  clearJwsJwksCache,
+  clearOAuth2Cache,
+  cors,
+  createPolicyTestHarness,
+  definePolicy,
+  dynamicRouting,
+  generateHttpSignature,
+  generateJwt,
+  geoIpFilter,
+  health,
+  httpCallout,
+  interrupt,
+  ipFilter,
+  jsonThreatProtection,
+  jsonValidation,
+  jws,
+  jwtAuth,
+  latencyInjection,
+  metricsReporter,
+  mock,
+  oauth2,
+  overrideMethod,
+  policyDebug,
+  policyTrace,
+  proxy,
+  rateLimit,
+  rbac,
+  regexThreatProtection,
+  requestLimit,
+  requestLog,
+  requestTransform,
+  requestValidation,
+  resolveConfig,
+  resourceFilter,
+  responseTransform,
+  retry,
+  serverTiming,
+  sslEnforce,
+  timeout,
+  trafficShadow,
+  verifyHttpSignature,
+  withSkip
+};
+//# sourceMappingURL=index.js.map

package/dist/policies/index.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../../src/policies/index.ts"],"sourcesContent":["/**\n * Policy barrel - re-exports all built-in policies, their config types, and the policy SDK.\n *\n * Import from `@vivero/stoma/policies` for direct access to all policies\n * and their configuration types, or from `@vivero/stoma` which re-exports\n * the most common symbols.\n *\n * @module policies\n */\n\n// ── Root-level policies ─────────────────────────────────────────────────\n\n/** Return a static mock response, bypassing the upstream entirely (priority 999). */\nexport { mock } from \"./mock\";\n/** Per-route header manipulation, timeout control, and Host header preservation (priority 95). */\nexport { proxy } from \"./proxy\";\n\n// ── Auth ────────────────────────────────────────────────────────────────\n\n/** Validate API keys from headers or query parameters (priority 10). */\nexport { apiKeyAuth } from \"./auth/api-key-auth\";\n/** Validate HTTP Basic credentials with WWW-Authenticate challenge (priority 10). */\nexport { basicAuth } from \"./auth/basic-auth\";\n/** Generate RFC 9421 HTTP Message Signatures on outbound requests (priority 95). */\nexport { generateHttpSignature } from \"./auth/generate-http-signature\";\n/** Mint JWTs (HMAC or RSA) and attach to outgoing requests (priority 50). */\nexport { generateJwt } from \"./auth/generate-jwt\";\n/** Verify JWS compact serialization signatures - embedded or detached payloads (priority 10). */\nexport { clearJwsJwksCache, jws } from \"./auth/jws\";\n/** Validate JWT bearer tokens via HMAC secret or JWKS endpoint (priority 10). */\nexport { clearJwksCache, jwtAuth } from \"./auth/jwt-auth\";\n/** Validate OAuth2 tokens via RFC 7662 introspection or local validation (priority 10). */\nexport { clearOAuth2Cache, oauth2 } from \"./auth/oauth2\";\n/** Role-based access control using claims forwarded as request headers (priority 10). */\nexport { rbac } from \"./auth/rbac\";\n\n/** Verify RFC 9421 HTTP Message Signatures on inbound requests (priority 10). */\nexport { verifyHttpSignature } from \"./auth/verify-http-signature\";\n\n// ── Traffic ─────────────────────────────────────────────────────────────\n\n/** Response caching with pluggable storage and TTL (priority 40). */\nexport { cache, InMemoryCacheStore } from \"./traffic/cache\";\n/** Evaluate ordered routing rules and expose first match on context (priority 50). */\nexport { dynamicRouting } from \"./traffic/dynamic-routing\";\n\n/** Block or allow requests by geographic country code (priority 1). */\nexport { geoIpFilter } from \"./traffic/geo-ip-filter\";\n/** Make an external HTTP call mid-pipeline for authorization or enrichment (priority 50). */\nexport { httpCallout } from \"./traffic/http-callout\";\n/** Conditionally short-circuit the pipeline and return a static response (priority 100). */\nexport { interrupt } from \"./traffic/interrupt\";\n/** Block or allow requests by client IP address or CIDR range (priority 1). */\nexport { ipFilter } from \"./traffic/ip-filter\";\n\n/** Enforce structural limits on JSON bodies - depth, key count, string length, array size (priority 5). */\nexport { jsonThreatProtection } from \"./traffic/json-threat-protection\";\n/** Sliding-window rate limiting with pluggable counter storage (priority 20). */\nexport { InMemoryRateLimitStore, rateLimit } from \"./traffic/rate-limit\";\n/** Block requests matching regex patterns in path, query, headers, or body (priority 5). */\nexport { regexThreatProtection } from \"./traffic/regex-threat-protection\";\n/** Reject requests whose Content-Length exceeds a byte limit (priority 5). */\nexport { requestLimit } from \"./traffic/request-limit\";\n/** Strip or allow fields from JSON responses using dot-notation paths (priority 92). */\nexport { resourceFilter } from \"./traffic/resource-filter\";\n/** Enforce HTTPS with optional redirect (301) and HSTS header injection (priority 5). */\nexport { sslEnforce } from \"./traffic/ssl-enforce\";\n/** Mirror traffic to a secondary upstream without affecting the primary response (priority 92). */\nexport { trafficShadow } from \"./traffic/traffic-shadow\";\n\n// ── Resilience ──────────────────────────────────────────────────────────\n\n/** Three-state circuit breaker (closed/open/half-open) with pluggable state storage (priority 30). */\nexport {\n  circuitBreaker,\n  InMemoryCircuitBreakerStore,\n} from \"./resilience/circuit-breaker\";\n/** Inject artificial latency for chaos/resilience testing (priority 5). */\nexport { latencyInjection } from \"./resilience/latency-injection\";\n/** Retry failed upstream calls with exponential or fixed backoff and jitter (priority 90). */\nexport { retry } from \"./resilience/retry\";\n/** Enforce a response time budget - races downstream against a timer (priority 85). */\nexport { timeout } from \"./resilience/timeout\";\n\n// ── Transform ───────────────────────────────────────────────────────────\n\n/** Set key-value attributes on the Hono request context (priority 50). */\nexport { assignAttributes } from \"./transform/assign-attributes\";\n/** Inject or override fields in JSON request/response bodies (priority 50). */\nexport { assignContent } from \"./transform/assign-content\";\n/** Add CORS headers to responses via Hono's built-in CORS middleware (priority 5). */\nexport { cors } from \"./transform/cors\";\n/** Pluggable JSON body validation - wrap Zod, AJV, or any validator (priority 10). */\nexport { jsonValidation } from \"./transform/json-validation\";\n/** Override the HTTP method of POST requests via a header (priority 5). */\nexport { overrideMethod } from \"./transform/override-method\";\n\n/** Pluggable request body validation via user-provided sync/async function (priority 10). */\nexport { requestValidation } from \"./transform/request-validation\";\n/** Modify request headers (set/remove/rename, priority 50) and response headers (priority 92). */\nexport { requestTransform, responseTransform } from \"./transform/transform\";\n\n// ── Observability ───────────────────────────────────────────────────────\n\n/** Create a health check route with optional upstream probing (returns a RouteConfig). */\nexport { health } from \"../core/health\";\n/** Attach metric tags/dimensions to request context for metricsReporter consumption (priority 0). */\nexport { assignMetrics } from \"./observability/assign-metrics\";\n/** Record request counts, latencies, and errors to a pluggable MetricsCollector (priority 1). */\nexport { metricsReporter } from \"./observability/metrics-reporter\";\n/** Structured JSON request logging with trace context, body capture, and redaction (priority 0). */\nexport { requestLog } from \"./observability/request-log\";\n/** Emit W3C Server-Timing and X-Response-Time response headers with per-policy breakdown (priority 1). */\nexport { serverTiming } from \"./observability/server-timing\";\n\n// ── SDK - shared primitives for built-in and custom policies ────────────\n\nexport type {\n  /** Declarative policy definition passed to definePolicy. */\n  PolicyDefinition,\n  /** Context injected into definePolicy evaluate handlers (protocol-agnostic, with typed config). */\n  PolicyEvalHandlerContext,\n  /** Context injected into definePolicy handlers. */\n  PolicyHandlerContext,\n  /** Options for createPolicyTestHarness. */\n  PolicyTestHarnessOptions,\n  /** Full trace payload. */\n  PolicyTrace,\n  /** Policy-reported trace detail. */\n  PolicyTraceDetail,\n  /** Combined trace entry (baseline + detail). */\n  PolicyTraceEntry,\n  /** Union of all named priority level values. */\n  PriorityLevel,\n  /** Trace reporter function type. */\n  TraceReporter,\n} from \"./sdk\";\nexport {\n  /** Create a minimal test harness for a policy. */\n  createPolicyTestHarness,\n  /** Create a policy factory from a declarative definition. */\n  definePolicy,\n  /** Named priority constants for policy ordering. */\n  Priority,\n  /** Get a debug logger pre-namespaced to `stoma:policy:{name}`. */\n  policyDebug,\n  /** Get a trace reporter for a specific policy. */\n  policyTrace,\n  /** Shallow-merge default config values with user-provided config. */\n  resolveConfig,\n  /** Wrap a handler with `PolicyConfig.skip` conditional bypass logic. */\n  withSkip,\n} from \"./sdk\";\n\n// ── Types ───────────────────────────────────────────────────────────────\n\n/** Configuration for the health route factory. */\nexport type { HealthConfig } from \"../core/health\";\n/** Configuration for the generateHttpSignature policy. */\nexport type { GenerateHttpSignatureConfig } from \"./auth/generate-http-signature\";\n/** Configuration for the generateJwt policy. */\nexport type { GenerateJwtConfig } from \"./auth/generate-jwt\";\n/** Configuration for the jws policy. */\nexport type { JwsConfig } from \"./auth/jws\";\n/** Configuration for the jwtAuth policy. */\nexport type { JwtAuthConfig } from \"./auth/jwt-auth\";\n/** Configuration for the oauth2 policy. */\nexport type { OAuth2Config } from \"./auth/oauth2\";\n/** Configuration for the rbac policy. */\nexport type { RbacConfig } from \"./auth/rbac\";\n/** Configuration for the verifyHttpSignature policy. */\nexport type {\n  /** Key material (HMAC secret or RSA public key) for HTTP signature verification. */\n  HttpSignatureKey,\n  VerifyHttpSignatureConfig,\n} from \"./auth/verify-http-signature\";\n/** Configuration for the assignMetrics policy. */\nexport type { AssignMetricsConfig } from \"./observability/assign-metrics\";\n/** Configuration for the metricsReporter policy. */\nexport type { MetricsReporterConfig } from \"./observability/metrics-reporter\";\n/** Structured log entry emitted by the requestLog policy. */\n/** Configuration for the requestLog policy. */\nexport type { LogEntry, RequestLogConfig } from \"./observability/request-log\";\n/** Configuration for the serverTiming policy. */\nexport type {\n  ServerTimingConfig,\n  /** Visibility mode for the serverTiming policy. */\n  ServerTimingVisibility,\n} from \"./observability/server-timing\";\nexport type {\n  /** Configuration for the circuitBreaker policy. */\n  CircuitBreakerConfig,\n  /** Point-in-time snapshot of a circuit's state and counters. */\n  CircuitBreakerSnapshot,\n  /** Pluggable storage backend for circuit breaker state. */\n  CircuitBreakerStore,\n  /** The three circuit breaker states: `\"closed\"`, `\"open\"`, `\"half-open\"`. */\n  CircuitState,\n} from \"./resilience/circuit-breaker\";\n/** Configuration for the latencyInjection policy. */\nexport type { LatencyInjectionConfig } from \"./resilience/latency-injection\";\n/** Configuration for the retry policy. */\nexport type { RetryConfig } from \"./resilience/retry\";\n/** Configuration for the timeout policy. */\nexport type { TimeoutConfig } from \"./resilience/timeout\";\n/** Configuration for the cache policy. */\nexport type {\n  CacheConfig,\n  /** Pluggable cache storage backend. */\n  CacheStore,\n  /** Options for the in-memory cache store. */\n  InMemoryCacheStoreOptions,\n} from \"./traffic/cache\";\n/** Configuration for the dynamicRouting policy. */\nexport type {\n  DynamicRoutingConfig,\n  /** A single routing rule evaluated by the dynamicRouting policy. */\n  RoutingRule,\n} from \"./traffic/dynamic-routing\";\n/** Configuration for the geoIpFilter policy. */\nexport type { GeoIpFilterConfig } from \"./traffic/geo-ip-filter\";\n/** Configuration for the httpCallout policy. */\nexport type { HttpCalloutConfig } from \"./traffic/http-callout\";\n\n/** Configuration for the interrupt policy. */\nexport type { InterruptConfig } from \"./traffic/interrupt\";\n/** Configuration for the ipFilter policy. */\nexport type { IpFilterConfig } from \"./traffic/ip-filter\";\n/** Configuration for the jsonThreatProtection policy. */\nexport type { JsonThreatProtectionConfig } from \"./traffic/json-threat-protection\";\n/** Pluggable storage backend for rate limit counters. */\n/** Configuration for the rateLimit policy. */\nexport type {\n  /** Options for the in-memory rate limit store. */\n  InMemoryRateLimitStoreOptions,\n  RateLimitConfig,\n  RateLimitStore,\n} from \"./traffic/rate-limit\";\n/** Configuration for the regexThreatProtection policy. */\nexport type { RegexThreatProtectionConfig } from \"./traffic/regex-threat-protection\";\n/** Configuration for the requestLimit policy. */\nexport type { RequestLimitConfig } from \"./traffic/request-limit\";\n/** Configuration for the resourceFilter policy. */\nexport type { ResourceFilterConfig } from \"./traffic/resource-filter\";\n/** Configuration for the sslEnforce policy. */\nexport type { SslEnforceConfig } from \"./traffic/ssl-enforce\";\n/** Configuration for the trafficShadow policy. */\nexport type { TrafficShadowConfig } from \"./traffic/traffic-shadow\";\n/** Configuration for the assignAttributes policy. */\nexport type { AssignAttributesConfig } from \"./transform/assign-attributes\";\n/** Configuration for the assignContent policy. */\nexport type { AssignContentConfig } from \"./transform/assign-content\";\n/** Configuration for the jsonValidation policy. */\nexport type {\n  JsonValidationConfig,\n  /** Result shape returned by jsonValidation's user-provided validator. */\n  JsonValidationResult,\n} from \"./transform/json-validation\";\n/** Configuration for the overrideMethod policy. */\nexport type { OverrideMethodConfig } from \"./transform/override-method\";\n/** Configuration for the requestValidation policy. */\nexport type { RequestValidationConfig } from \"./transform/request-validation\";\n/** Configuration for requestTransform and responseTransform policies. */\nexport type {\n  RequestTransformConfig,\n  ResponseTransformConfig,\n} from \"./transform/transform\";\n/** A composable policy: name, priority, Hono middleware handler, and optional protocol-agnostic evaluator. */\nexport type {\n  Policy,\n  /** Base configuration for all policies, including the `skip` bypass predicate. */\n  PolicyConfig,\n  /** Per-request gateway context: request ID, trace ID, span ID, timing, and debug factory. */\n  PolicyContext,\n} from \"./types\";\n\n// ── Protocol - multi-runtime types ──────────────────────────────────────\n\nexport type {\n  AttributeMutation,\n  BodyMutation,\n  HeaderMutation,\n  Mutation,\n  PolicyContinue,\n  PolicyEvalContext,\n  PolicyEvaluator,\n  PolicyImmediateResponse,\n  PolicyInput,\n  PolicyReject,\n  PolicyResult,\n  ProcessingPhase,\n  ProtocolType,\n  StatusMutation,\n} from \"../core/protocol\";\n"],"mappings":"AAaA,SAAS,YAAY;AAErB,SAAS,aAAa;AAKtB,SAAS,kBAAkB;AAE3B,SAAS,iBAAiB;AAE1B,SAAS,6BAA6B;AAEtC,SAAS,mBAAmB;AAE5B,SAAS,mBAAmB,WAAW;AAEvC,SAAS,gBAAgB,eAAe;AAExC,SAAS,kBAAkB,cAAc;AAEzC,SAAS,YAAY;AAGrB,SAAS,2BAA2B;AAKpC,SAAS,OAAO,0BAA0B;AAE1C,SAAS,sBAAsB;AAG/B,SAAS,mBAAmB;AAE5B,SAAS,mBAAmB;AAE5B,SAAS,iBAAiB;AAE1B,SAAS,gBAAgB;AAGzB,SAAS,4BAA4B;AAErC,SAAS,wBAAwB,iBAAiB;AAElD,SAAS,6BAA6B;AAEtC,SAAS,oBAAoB;AAE7B,SAAS,sBAAsB;AAE/B,SAAS,kBAAkB;AAE3B,SAAS,qBAAqB;AAK9B;AAAA,EACE;AAAA,EACA;AAAA,OACK;AAEP,SAAS,wBAAwB;AAEjC,SAAS,aAAa;AAEtB,SAAS,eAAe;AAKxB,SAAS,wBAAwB;AAEjC,SAAS,qBAAqB;AAE9B,SAAS,YAAY;AAErB,SAAS,sBAAsB;AAE/B,SAAS,sBAAsB;AAG/B,SAAS,yBAAyB;AAElC,SAAS,kBAAkB,yBAAyB;AAKpD,SAAS,cAAc;AAEvB,SAAS,qBAAqB;AAE9B,SAAS,uBAAuB;AAEhC,SAAS,kBAAkB;AAE3B,SAAS,oBAAoB;AAwB7B;AAAA,EAEE;AAAA,EAEA;AAAA,EAEA;AAAA,EAEA;AAAA,EAEA;AAAA,EAEA;AAAA,EAEA;AAAA,OACK;","names":[]}

package/dist/policies/mock.d.ts

@@ -0,0 +1,60 @@
+import { g as PolicyConfig, P as Policy } from '../protocol-2fD3DJrL.js';
+import 'hono';
+import './sdk/trace.js';
+import '@vivero/stoma-core';
+
+interface MockConfig extends PolicyConfig {
+    /** HTTP status code to return. Default: 200. */
+    status?: number;
+    /** Response body. Can be a string or object (will be JSON-serialized). */
+    body?: string | Record<string, unknown>;
+    /** Response headers. */
+    headers?: Record<string, string>;
+    /** Artificial delay in milliseconds. Default: 0. */
+    delayMs?: number;
+    /** When `true`, suppress the production usage warning. Default: `false`. */
+    allowInProduction?: boolean;
+}
+/**
+ * Return a static mock response, bypassing the upstream entirely.
+ *
+ * Useful for development stubs, testing, and placeholder routes. Runs at
+ * priority 999 (always last) and short-circuits - `next()` is never called,
+ * so no upstream request is made. Object bodies are automatically
+ * JSON-serialized with `content-type: application/json`.
+ *
+ * @param config - Status code, response body, headers, and artificial delay. All fields optional.
+ * @returns A {@link Policy} at priority 999 (replaces the upstream).
+ *
+ * @example
+ * ```ts
+ * import { createGateway } from "@vivero/stoma";
+ * import { mock } from "@vivero/stoma/policies";
+ *
+ * createGateway({
+ *   routes: [{
+ *     path: "/api/stub",
+ *     pipeline: {
+ *       policies: [
+ *         // Return a JSON stub with 200ms simulated latency
+ *         mock({
+ *           body: { message: "Hello from stub" },
+ *           delayMs: 200,
+ *         }),
+ *       ],
+ *       upstream: { type: "handler", handler: () => new Response() }, // never reached
+ *     },
+ *   }],
+ * });
+ *
+ * // Simulate a 503 maintenance page
+ * mock({
+ *   status: 503,
+ *   body: "Service temporarily unavailable",
+ *   headers: { "retry-after": "300" },
+ * });
+ * ```
+ */
+declare const mock: (config?: MockConfig | undefined) => Policy;
+
+export { type MockConfig, mock };

package/dist/policies/mock.js

@@ -0,0 +1,29 @@
+import { definePolicy, Priority } from "./sdk";
+const mock = /* @__PURE__ */ definePolicy({
+  name: "mock",
+  priority: Priority.MOCK,
+  httpOnly: true,
+  defaults: { status: 200, delayMs: 0 },
+  validate: (config) => {
+    if (!config.allowInProduction) {
+      console.warn(
+        "[stoma] mock policy active - intended for development/testing only"
+      );
+    }
+  },
+  handler: async (c, _next, { config }) => {
+    if (config.delayMs > 0) {
+      await new Promise((resolve) => setTimeout(resolve, config.delayMs));
+    }
+    const body = config.body === void 0 ? null : typeof config.body === "string" ? config.body : JSON.stringify(config.body);
+    const headers = new Headers(config.headers);
+    if (typeof config.body === "object" && !headers.has("content-type")) {
+      headers.set("content-type", "application/json");
+    }
+    c.res = new Response(body, { status: config.status, headers });
+  }
+});
+export {
+  mock
+};
+//# sourceMappingURL=mock.js.map

package/dist/policies/mock.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../../src/policies/mock.ts"],"sourcesContent":["/**\n * Mock policy - return static responses for development and testing.\n *\n * @module mock\n */\n\nimport { definePolicy, Priority } from \"./sdk\";\nimport type { PolicyConfig } from \"./types\";\n\nexport interface MockConfig extends PolicyConfig {\n  /** HTTP status code to return. Default: 200. */\n  status?: number;\n  /** Response body. Can be a string or object (will be JSON-serialized). */\n  body?: string | Record<string, unknown>;\n  /** Response headers. */\n  headers?: Record<string, string>;\n  /** Artificial delay in milliseconds. Default: 0. */\n  delayMs?: number;\n  /** When `true`, suppress the production usage warning. Default: `false`. */\n  allowInProduction?: boolean;\n}\n\n/**\n * Return a static mock response, bypassing the upstream entirely.\n *\n * Useful for development stubs, testing, and placeholder routes. Runs at\n * priority 999 (always last) and short-circuits - `next()` is never called,\n * so no upstream request is made. Object bodies are automatically\n * JSON-serialized with `content-type: application/json`.\n *\n * @param config - Status code, response body, headers, and artificial delay. All fields optional.\n * @returns A {@link Policy} at priority 999 (replaces the upstream).\n *\n * @example\n * ```ts\n * import { createGateway } from \"@vivero/stoma\";\n * import { mock } from \"@vivero/stoma/policies\";\n *\n * createGateway({\n *   routes: [{\n *     path: \"/api/stub\",\n *     pipeline: {\n *       policies: [\n *         // Return a JSON stub with 200ms simulated latency\n *         mock({\n *           body: { message: \"Hello from stub\" },\n *           delayMs: 200,\n *         }),\n *       ],\n *       upstream: { type: \"handler\", handler: () => new Response() }, // never reached\n *     },\n *   }],\n * });\n *\n * // Simulate a 503 maintenance page\n * mock({\n *   status: 503,\n *   body: \"Service temporarily unavailable\",\n *   headers: { \"retry-after\": \"300\" },\n * });\n * ```\n */\nexport const mock = /*#__PURE__*/ definePolicy<MockConfig>({\n  name: \"mock\",\n  priority: Priority.MOCK,\n  httpOnly: true,\n  defaults: { status: 200, delayMs: 0 },\n  validate: (config) => {\n    if (!config.allowInProduction) {\n      console.warn(\n        \"[stoma] mock policy active - intended for development/testing only\"\n      );\n    }\n  },\n  handler: async (c, _next, { config }) => {\n    if (config.delayMs! > 0) {\n      await new Promise((resolve) => setTimeout(resolve, config.delayMs!));\n    }\n\n    const body =\n      config.body === undefined\n        ? null\n        : typeof config.body === \"string\"\n          ? config.body\n          : JSON.stringify(config.body);\n\n    const headers = new Headers(config.headers);\n    if (typeof config.body === \"object\" && !headers.has(\"content-type\")) {\n      headers.set(\"content-type\", \"application/json\");\n    }\n\n    // Short-circuit: set the response directly, skipping upstream.\n    // Middleware that ran before mock (context injector, auth, etc.)\n    // already ran their pre-next() code. The context injector adds\n    // x-request-id via c.res.headers after next(), which won't fire\n    // for mock - but that's acceptable for mock/dev scenarios.\n    c.res = new Response(body, { status: config.status!, headers });\n  },\n});\n"],"mappings":"AAMA,SAAS,cAAc,gBAAgB;AAwDhC,MAAM,OAAqB,6BAAyB;AAAA,EACzD,MAAM;AAAA,EACN,UAAU,SAAS;AAAA,EACnB,UAAU;AAAA,EACV,UAAU,EAAE,QAAQ,KAAK,SAAS,EAAE;AAAA,EACpC,UAAU,CAAC,WAAW;AACpB,QAAI,CAAC,OAAO,mBAAmB;AAC7B,cAAQ;AAAA,QACN;AAAA,MACF;AAAA,IACF;AAAA,EACF;AAAA,EACA,SAAS,OAAO,GAAG,OAAO,EAAE,OAAO,MAAM;AACvC,QAAI,OAAO,UAAW,GAAG;AACvB,YAAM,IAAI,QAAQ,CAAC,YAAY,WAAW,SAAS,OAAO,OAAQ,CAAC;AAAA,IACrE;AAEA,UAAM,OACJ,OAAO,SAAS,SACZ,OACA,OAAO,OAAO,SAAS,WACrB,OAAO,OACP,KAAK,UAAU,OAAO,IAAI;AAElC,UAAM,UAAU,IAAI,QAAQ,OAAO,OAAO;AAC1C,QAAI,OAAO,OAAO,SAAS,YAAY,CAAC,QAAQ,IAAI,cAAc,GAAG;AACnE,cAAQ,IAAI,gBAAgB,kBAAkB;AAAA,IAChD;AAOA,MAAE,MAAM,IAAI,SAAS,MAAM,EAAE,QAAQ,OAAO,QAAS,QAAQ,CAAC;AAAA,EAChE;AACF,CAAC;","names":[]}

package/dist/policies/observability/assign-metrics.d.ts

@@ -0,0 +1,37 @@
+import { g as PolicyConfig, P as Policy } from '../../protocol-2fD3DJrL.js';
+import { Context } from 'hono';
+import '../sdk/trace.js';
+import '@vivero/stoma-core';
+
+interface AssignMetricsConfig extends PolicyConfig {
+    /**
+     * Metric tags to attach to the request.
+     * Values can be static strings or functions that receive the context.
+     */
+    tags: Record<string, string | ((c: Context) => string | Promise<string>)>;
+}
+/**
+ * Attach metric tags to the request context for downstream consumers.
+ *
+ * Tags are resolved (static or dynamic) and stored as a plain object at
+ * `c.get("_metricsTags")`. The {@link metricsReporter} policy (or any custom
+ * observer) can read these tags to enrich collected metrics.
+ *
+ * @param config - Must include `tags` - a record of tag names to values or resolver functions.
+ * @returns A {@link Policy} at priority 0 (OBSERVABILITY).
+ *
+ * @example
+ * ```ts
+ * import { assignMetrics } from "@vivero/stoma";
+ *
+ * assignMetrics({
+ *   tags: {
+ *     service: "users-api",
+ *     region: (c) => c.req.header("cf-ipcountry") ?? "unknown",
+ *   },
+ * });
+ * ```
+ */
+declare const assignMetrics: (config: AssignMetricsConfig) => Policy;
+
+export { type AssignMetricsConfig, assignMetrics };

package/dist/policies/observability/assign-metrics.js

@@ -0,0 +1,29 @@
+import { definePolicy, Priority, safeCall } from "../sdk";
+const assignMetrics = /* @__PURE__ */ definePolicy({
+  name: "assign-metrics",
+  priority: Priority.OBSERVABILITY,
+  httpOnly: true,
+  handler: async (c, next, { config, debug }) => {
+    const resolvedTags = {};
+    for (const [key, value] of Object.entries(config.tags)) {
+      if (typeof value === "function") {
+        resolvedTags[key] = await safeCall(
+          () => Promise.resolve(value(c)),
+          "unknown",
+          debug,
+          `tag resolver(${key})`
+        );
+        debug("tag %s = %s (dynamic)", key, resolvedTags[key]);
+      } else {
+        resolvedTags[key] = value;
+        debug("tag %s = %s (static)", key, value);
+      }
+    }
+    c.set("_metricsTags", resolvedTags);
+    await next();
+  }
+});
+export {
+  assignMetrics
+};
+//# sourceMappingURL=assign-metrics.js.map

package/dist/policies/observability/assign-metrics.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../../../src/policies/observability/assign-metrics.ts"],"sourcesContent":["/**\n * Assign metric tags/dimensions to the request context.\n *\n * Resolved tags are stored at `c.get(\"_metricsTags\")` for consumption by\n * {@link metricsReporter} or custom downstream observers.\n *\n * @module assign-metrics\n */\nimport type { Context } from \"hono\";\nimport { definePolicy, Priority, safeCall } from \"../sdk\";\nimport type { PolicyConfig } from \"../types\";\n\nexport interface AssignMetricsConfig extends PolicyConfig {\n  /**\n   * Metric tags to attach to the request.\n   * Values can be static strings or functions that receive the context.\n   */\n  tags: Record<string, string | ((c: Context) => string | Promise<string>)>;\n}\n\n/**\n * Attach metric tags to the request context for downstream consumers.\n *\n * Tags are resolved (static or dynamic) and stored as a plain object at\n * `c.get(\"_metricsTags\")`. The {@link metricsReporter} policy (or any custom\n * observer) can read these tags to enrich collected metrics.\n *\n * @param config - Must include `tags` - a record of tag names to values or resolver functions.\n * @returns A {@link Policy} at priority 0 (OBSERVABILITY).\n *\n * @example\n * ```ts\n * import { assignMetrics } from \"@vivero/stoma\";\n *\n * assignMetrics({\n *   tags: {\n *     service: \"users-api\",\n *     region: (c) => c.req.header(\"cf-ipcountry\") ?? \"unknown\",\n *   },\n * });\n * ```\n */\nexport const assignMetrics = /*#__PURE__*/ definePolicy<AssignMetricsConfig>({\n  name: \"assign-metrics\",\n  priority: Priority.OBSERVABILITY,\n  httpOnly: true,\n  handler: async (c, next, { config, debug }) => {\n    const resolvedTags: Record<string, string> = {};\n\n    for (const [key, value] of Object.entries(config.tags)) {\n      if (typeof value === \"function\") {\n        // Tag resolver failure must never prevent the request from proceeding\n        resolvedTags[key] = await safeCall(\n          () => Promise.resolve(value(c)),\n          \"unknown\",\n          debug,\n          `tag resolver(${key})`\n        );\n        debug(\"tag %s = %s (dynamic)\", key, resolvedTags[key]);\n      } else {\n        resolvedTags[key] = value;\n        debug(\"tag %s = %s (static)\", key, value);\n      }\n    }\n\n    c.set(\"_metricsTags\", resolvedTags);\n    await next();\n  },\n});\n"],"mappings":"AASA,SAAS,cAAc,UAAU,gBAAgB;AAiC1C,MAAM,gBAA8B,6BAAkC;AAAA,EAC3E,MAAM;AAAA,EACN,UAAU,SAAS;AAAA,EACnB,UAAU;AAAA,EACV,SAAS,OAAO,GAAG,MAAM,EAAE,QAAQ,MAAM,MAAM;AAC7C,UAAM,eAAuC,CAAC;AAE9C,eAAW,CAAC,KAAK,KAAK,KAAK,OAAO,QAAQ,OAAO,IAAI,GAAG;AACtD,UAAI,OAAO,UAAU,YAAY;AAE/B,qBAAa,GAAG,IAAI,MAAM;AAAA,UACxB,MAAM,QAAQ,QAAQ,MAAM,CAAC,CAAC;AAAA,UAC9B;AAAA,UACA;AAAA,UACA,gBAAgB,GAAG;AAAA,QACrB;AACA,cAAM,yBAAyB,KAAK,aAAa,GAAG,CAAC;AAAA,MACvD,OAAO;AACL,qBAAa,GAAG,IAAI;AACpB,cAAM,wBAAwB,KAAK,KAAK;AAAA,MAC1C;AAAA,IACF;AAEA,MAAE,IAAI,gBAAgB,YAAY;AAClC,UAAM,KAAK;AAAA,EACb;AACF,CAAC;","names":[]}

package/dist/policies/observability/metrics-reporter.d.ts

@@ -0,0 +1,25 @@
+import { g as PolicyConfig, P as Policy } from '../../protocol-2fD3DJrL.js';
+import { MetricsCollector } from '../../observability/metrics.js';
+import 'hono';
+import '../sdk/trace.js';
+import '@vivero/stoma-core';
+
+interface MetricsReporterConfig extends PolicyConfig {
+    /** The metrics collector to record to. */
+    collector: MetricsCollector;
+}
+/**
+ * Record standard gateway metrics for every request.
+ *
+ * Metrics recorded:
+ * - `gateway_requests_total` (counter) - total requests, tagged by method/path/status/gateway
+ * - `gateway_request_duration_ms` (histogram) - end-to-end request duration
+ * - `gateway_request_errors_total` (counter) - requests with status >= 400
+ * - `gateway_policy_duration_ms` (histogram) - per-policy timing when available
+ *
+ * @param config - Must include a {@link MetricsCollector} instance.
+ * @returns A {@link Policy} at priority 1.
+ */
+declare const metricsReporter: (config: MetricsReporterConfig) => Policy;
+
+export { type MetricsReporterConfig, metricsReporter };

package/dist/policies/observability/metrics-reporter.js

@@ -0,0 +1,62 @@
+import { definePolicy, Priority, safeCall } from "../sdk";
+const metricsReporter = /* @__PURE__ */ definePolicy({
+  name: "metrics-reporter",
+  priority: Priority.METRICS,
+  httpOnly: true,
+  handler: async (c, next, { config, debug, gateway }) => {
+    const startTime = Date.now();
+    await next();
+    await safeCall(
+      async () => {
+        const dynamicTagsRaw = c.get("_metricsTags");
+        const dynamicTags = {};
+        if (dynamicTagsRaw) {
+          for (const [key, value] of Object.entries(dynamicTagsRaw)) {
+            if (typeof value === "string") {
+              dynamicTags[key] = value;
+            }
+          }
+        }
+        const url = new URL(c.req.url);
+        const tags = {
+          ...dynamicTags,
+          method: c.req.method,
+          path: gateway?.routePath ?? url.pathname,
+          status: String(c.res.status),
+          gateway: gateway?.gatewayName ?? "unknown"
+        };
+        config.collector.increment("gateway_requests_total", 1, tags);
+        const duration = Date.now() - startTime;
+        config.collector.histogram(
+          "gateway_request_duration_ms",
+          duration,
+          tags
+        );
+        if (c.res.status >= 400) {
+          config.collector.increment("gateway_request_errors_total", 1, tags);
+        }
+        const timings = c.get("_policyTimings");
+        if (timings) {
+          for (const t of timings) {
+            config.collector.histogram(
+              "gateway_policy_duration_ms",
+              t.durationMs,
+              {
+                ...dynamicTags,
+                policy: t.name,
+                gateway: gateway?.gatewayName ?? "unknown"
+              }
+            );
+          }
+        }
+      },
+      void 0,
+      debug,
+      "collector"
+    );
+  }
+});
+export {
+  metricsReporter
+};
+//# sourceMappingURL=metrics-reporter.js.map