@vivero/stoma 0.1.0-rc.10

package/dist/policies/traffic/json-threat-protection.js

@@ -0,0 +1,173 @@
+import { GatewayError } from "../../core/errors";
+import { definePolicy, Priority } from "../sdk";
+function validateJsonStructure(value, config, currentDepth = 0) {
+  if (currentDepth > config.maxDepth) {
+    throw new GatewayError(400, "json_threat", "JSON exceeds maximum depth");
+  }
+  if (typeof value === "string" && value.length > config.maxStringLength) {
+    throw new GatewayError(
+      400,
+      "json_threat",
+      "String value exceeds maximum length"
+    );
+  }
+  if (Array.isArray(value)) {
+    if (value.length > config.maxArraySize) {
+      throw new GatewayError(400, "json_threat", "Array exceeds maximum size");
+    }
+    for (const item of value) {
+      validateJsonStructure(item, config, currentDepth + 1);
+    }
+  } else if (value !== null && typeof value === "object") {
+    const keys = Object.keys(value);
+    if (keys.length > config.maxKeys) {
+      throw new GatewayError(
+        400,
+        "json_threat",
+        "Object exceeds maximum key count"
+      );
+    }
+    for (const key of keys) {
+      if (key.length > config.maxStringLength) {
+        throw new GatewayError(
+          400,
+          "json_threat",
+          "String value exceeds maximum length"
+        );
+      }
+      validateJsonStructure(
+        value[key],
+        config,
+        currentDepth + 1
+      );
+    }
+  }
+}
+const jsonThreatProtection = /* @__PURE__ */ definePolicy({
+  name: "json-threat-protection",
+  priority: Priority.EARLY,
+  phases: ["request-body"],
+  defaults: {
+    maxDepth: 20,
+    maxKeys: 100,
+    maxStringLength: 1e4,
+    maxArraySize: 100,
+    maxBodySize: 1048576,
+    contentTypes: ["application/json"]
+  },
+  handler: async (c, next, { config, debug }) => {
+    const contentType = c.req.header("content-type") ?? "";
+    const matchedType = config.contentTypes.some(
+      (ct) => contentType.includes(ct)
+    );
+    if (!matchedType) {
+      debug("skipping - content type %s not inspected", contentType);
+      await next();
+      return;
+    }
+    const contentLength = c.req.header("content-length");
+    if (contentLength !== void 0) {
+      const length = Number.parseInt(contentLength, 10);
+      if (!Number.isNaN(length) && length > config.maxBodySize) {
+        debug("body size %d exceeds max %d", length, config.maxBodySize);
+        throw new GatewayError(
+          413,
+          "body_too_large",
+          "Request body exceeds maximum size"
+        );
+      }
+    }
+    const cloned = c.req.raw.clone();
+    const text = await cloned.text();
+    if (!text) {
+      debug("empty body - passing through");
+      await next();
+      return;
+    }
+    let parsed;
+    try {
+      parsed = JSON.parse(text);
+    } catch {
+      debug("invalid JSON");
+      throw new GatewayError(
+        400,
+        "invalid_json",
+        "Invalid JSON in request body"
+      );
+    }
+    validateJsonStructure(parsed, {
+      maxDepth: config.maxDepth,
+      maxKeys: config.maxKeys,
+      maxStringLength: config.maxStringLength,
+      maxArraySize: config.maxArraySize
+    });
+    debug("JSON structure validated");
+    await next();
+  },
+  evaluate: {
+    onRequest: async (input, { config, debug }) => {
+      const contentType = input.headers.get("content-type") ?? "";
+      const matchedType = config.contentTypes.some(
+        (ct) => contentType.includes(ct)
+      );
+      if (!matchedType) {
+        debug("skipping - content type %s not inspected", contentType);
+        return { action: "continue" };
+      }
+      const contentLength = input.headers.get("content-length");
+      if (contentLength) {
+        const length = Number.parseInt(contentLength, 10);
+        if (!Number.isNaN(length) && length > config.maxBodySize) {
+          debug("body size %d exceeds max %d", length, config.maxBodySize);
+          return {
+            action: "reject",
+            status: 413,
+            code: "body_too_large",
+            message: "Request body exceeds maximum size"
+          };
+        }
+      }
+      let parsed;
+      try {
+        if (!input.body) {
+          debug("empty body - passing through");
+          return { action: "continue" };
+        }
+        const bodyStr = typeof input.body === "string" ? input.body : new TextDecoder().decode(input.body);
+        parsed = JSON.parse(bodyStr);
+      } catch {
+        debug("invalid JSON");
+        return {
+          action: "reject",
+          status: 400,
+          code: "invalid_json",
+          message: "Invalid JSON in request body"
+        };
+      }
+      try {
+        validateJsonStructure(parsed, {
+          maxDepth: config.maxDepth,
+          maxKeys: config.maxKeys,
+          maxStringLength: config.maxStringLength,
+          maxArraySize: config.maxArraySize
+        });
+      } catch (err) {
+        if (err instanceof GatewayError) {
+          return {
+            action: "reject",
+            status: err.statusCode,
+            code: err.code,
+            message: err.message
+          };
+        }
+        throw err;
+      }
+      debug("JSON structure validated");
+      return { action: "continue" };
+    }
+  }
+});
+export {
+  jsonThreatProtection
+};
+//# sourceMappingURL=json-threat-protection.js.map

package/dist/policies/traffic/json-threat-protection.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../../../src/policies/traffic/json-threat-protection.ts"],"sourcesContent":["/**\n * JSON threat protection policy - structural limits on request bodies.\n *\n * Protects against JSON-based attacks by enforcing maximum depth, key count,\n * string length, array size, and raw body size. Zero external dependencies -\n * uses a recursive JSON walker.\n *\n * @module json-threat-protection\n */\n\nimport { GatewayError } from \"../../core/errors\";\nimport { definePolicy, Priority } from \"../sdk\";\nimport type { PolicyConfig } from \"../types\";\n\nexport interface JsonThreatProtectionConfig extends PolicyConfig {\n  /** Maximum nesting depth. Default: `20`. */\n  maxDepth?: number;\n  /** Maximum number of keys per object. Default: `100`. */\n  maxKeys?: number;\n  /** Maximum string value length (also applies to object keys). Default: `10000`. */\n  maxStringLength?: number;\n  /** Maximum array length. Default: `100`. */\n  maxArraySize?: number;\n  /** Maximum raw body size in bytes. Checked BEFORE parsing. Default: `1048576` (1 MB). */\n  maxBodySize?: number;\n  /**\n   * Content types to inspect.\n   * Requests with other content types pass through without inspection.\n   * Default: `[\"application/json\"]`.\n   */\n  contentTypes?: string[];\n}\n\n/**\n * Recursively validate the structural constraints of a parsed JSON value.\n *\n * Throws a `GatewayError` with code `\"json_threat\"` if any limit is exceeded.\n */\nfunction validateJsonStructure(\n  value: unknown,\n  config: {\n    maxDepth: number;\n    maxKeys: number;\n    maxStringLength: number;\n    maxArraySize: number;\n  },\n  currentDepth = 0\n): void {\n  if (currentDepth > config.maxDepth) {\n    throw new GatewayError(400, \"json_threat\", \"JSON exceeds maximum depth\");\n  }\n\n  if (typeof value === \"string\" && value.length > config.maxStringLength) {\n    throw new GatewayError(\n      400,\n      \"json_threat\",\n      \"String value exceeds maximum length\"\n    );\n  }\n\n  if (Array.isArray(value)) {\n    if (value.length > config.maxArraySize) {\n      throw new GatewayError(400, \"json_threat\", \"Array exceeds maximum size\");\n    }\n    for (const item of value) {\n      validateJsonStructure(item, config, currentDepth + 1);\n    }\n  } else if (value !== null && typeof value === \"object\") {\n    const keys = Object.keys(value as Record<string, unknown>);\n    if (keys.length > config.maxKeys) {\n      throw new GatewayError(\n        400,\n        \"json_threat\",\n        \"Object exceeds maximum key count\"\n      );\n    }\n    for (const key of keys) {\n      if (key.length > config.maxStringLength) {\n        throw new GatewayError(\n          400,\n          \"json_threat\",\n          \"String value exceeds maximum length\"\n        );\n      }\n      validateJsonStructure(\n        (value as Record<string, unknown>)[key],\n        config,\n        currentDepth + 1\n      );\n    }\n  }\n}\n\n/**\n * JSON threat protection policy.\n *\n * Enforces structural limits on JSON request bodies to prevent abuse\n * from deeply nested objects, excessively large arrays, long strings,\n * or oversized payloads. Runs at EARLY priority to reject malicious\n * payloads before they reach business logic.\n *\n * @example\n * ```ts\n * import { jsonThreatProtection } from \"@vivero/stoma\";\n *\n * // Default limits (20 depth, 100 keys, 10K string, 100 array, 1MB body)\n * jsonThreatProtection();\n *\n * // Strict limits for a public API\n * jsonThreatProtection({\n *   maxDepth: 5,\n *   maxKeys: 20,\n *   maxStringLength: 1000,\n *   maxArraySize: 50,\n *   maxBodySize: 102400, // 100KB\n * });\n * ```\n */\nexport const jsonThreatProtection =\n  /*#__PURE__*/ definePolicy<JsonThreatProtectionConfig>({\n    name: \"json-threat-protection\",\n    priority: Priority.EARLY,\n    phases: [\"request-body\"],\n    defaults: {\n      maxDepth: 20,\n      maxKeys: 100,\n      maxStringLength: 10000,\n      maxArraySize: 100,\n      maxBodySize: 1048576,\n      contentTypes: [\"application/json\"],\n    },\n    handler: async (c, next, { config, debug }) => {\n      const contentType = c.req.header(\"content-type\") ?? \"\";\n      const matchedType = config.contentTypes!.some((ct) =>\n        contentType.includes(ct)\n      );\n\n      if (!matchedType) {\n        debug(\"skipping - content type %s not inspected\", contentType);\n        await next();\n        return;\n      }\n\n      // Check Content-Length against maxBodySize BEFORE parsing\n      const contentLength = c.req.header(\"content-length\");\n      if (contentLength !== undefined) {\n        const length = Number.parseInt(contentLength, 10);\n        if (!Number.isNaN(length) && length > config.maxBodySize!) {\n          debug(\"body size %d exceeds max %d\", length, config.maxBodySize);\n          throw new GatewayError(\n            413,\n            \"body_too_large\",\n            \"Request body exceeds maximum size\"\n          );\n        }\n      }\n\n      // Clone the request so downstream handlers can still read the body\n      const cloned = c.req.raw.clone();\n      const text = await cloned.text();\n\n      if (!text) {\n        debug(\"empty body - passing through\");\n        await next();\n        return;\n      }\n\n      // Parse JSON\n      let parsed: unknown;\n      try {\n        parsed = JSON.parse(text);\n      } catch {\n        debug(\"invalid JSON\");\n        throw new GatewayError(\n          400,\n          \"invalid_json\",\n          \"Invalid JSON in request body\"\n        );\n      }\n\n      // Walk the parsed JSON and validate structural limits\n      validateJsonStructure(parsed, {\n        maxDepth: config.maxDepth!,\n        maxKeys: config.maxKeys!,\n        maxStringLength: config.maxStringLength!,\n        maxArraySize: config.maxArraySize!,\n      });\n\n      debug(\"JSON structure validated\");\n      await next();\n    },\n    evaluate: {\n      onRequest: async (input, { config, debug }) => {\n        const contentType = input.headers.get(\"content-type\") ?? \"\";\n        const matchedType = config.contentTypes!.some((ct) =>\n          contentType.includes(ct)\n        );\n\n        if (!matchedType) {\n          debug(\"skipping - content type %s not inspected\", contentType);\n          return { action: \"continue\" };\n        }\n\n        // Check Content-Length against maxBodySize BEFORE parsing\n        const contentLength = input.headers.get(\"content-length\");\n        if (contentLength) {\n          const length = Number.parseInt(contentLength, 10);\n          if (!Number.isNaN(length) && length > config.maxBodySize!) {\n            debug(\"body size %d exceeds max %d\", length, config.maxBodySize);\n            return {\n              action: \"reject\",\n              status: 413,\n              code: \"body_too_large\",\n              message: \"Request body exceeds maximum size\",\n            };\n          }\n        }\n\n        // Parse JSON\n        let parsed: unknown;\n        try {\n          if (!input.body) {\n            debug(\"empty body - passing through\");\n            return { action: \"continue\" };\n          }\n          const bodyStr =\n            typeof input.body === \"string\"\n              ? input.body\n              : new TextDecoder().decode(input.body);\n          parsed = JSON.parse(bodyStr);\n        } catch {\n          debug(\"invalid JSON\");\n          return {\n            action: \"reject\",\n            status: 400,\n            code: \"invalid_json\",\n            message: \"Invalid JSON in request body\",\n          };\n        }\n\n        // Walk the parsed JSON and validate structural limits\n        try {\n          validateJsonStructure(parsed, {\n            maxDepth: config.maxDepth!,\n            maxKeys: config.maxKeys!,\n            maxStringLength: config.maxStringLength!,\n            maxArraySize: config.maxArraySize!,\n          });\n        } catch (err) {\n          if (err instanceof GatewayError) {\n            return {\n              action: \"reject\",\n              status: err.statusCode,\n              code: err.code,\n              message: err.message,\n            };\n          }\n          throw err;\n        }\n\n        debug(\"JSON structure validated\");\n        return { action: \"continue\" };\n      },\n    },\n  });\n"],"mappings":"AAUA,SAAS,oBAAoB;AAC7B,SAAS,cAAc,gBAAgB;AA2BvC,SAAS,sBACP,OACA,QAMA,eAAe,GACT;AACN,MAAI,eAAe,OAAO,UAAU;AAClC,UAAM,IAAI,aAAa,KAAK,eAAe,4BAA4B;AAAA,EACzE;AAEA,MAAI,OAAO,UAAU,YAAY,MAAM,SAAS,OAAO,iBAAiB;AACtE,UAAM,IAAI;AAAA,MACR;AAAA,MACA;AAAA,MACA;AAAA,IACF;AAAA,EACF;AAEA,MAAI,MAAM,QAAQ,KAAK,GAAG;AACxB,QAAI,MAAM,SAAS,OAAO,cAAc;AACtC,YAAM,IAAI,aAAa,KAAK,eAAe,4BAA4B;AAAA,IACzE;AACA,eAAW,QAAQ,OAAO;AACxB,4BAAsB,MAAM,QAAQ,eAAe,CAAC;AAAA,IACtD;AAAA,EACF,WAAW,UAAU,QAAQ,OAAO,UAAU,UAAU;AACtD,UAAM,OAAO,OAAO,KAAK,KAAgC;AACzD,QAAI,KAAK,SAAS,OAAO,SAAS;AAChC,YAAM,IAAI;AAAA,QACR;AAAA,QACA;AAAA,QACA;AAAA,MACF;AAAA,IACF;AACA,eAAW,OAAO,MAAM;AACtB,UAAI,IAAI,SAAS,OAAO,iBAAiB;AACvC,cAAM,IAAI;AAAA,UACR;AAAA,UACA;AAAA,UACA;AAAA,QACF;AAAA,MACF;AACA;AAAA,QACG,MAAkC,GAAG;AAAA,QACtC;AAAA,QACA,eAAe;AAAA,MACjB;AAAA,IACF;AAAA,EACF;AACF;AA2BO,MAAM,uBACG,6BAAyC;AAAA,EACrD,MAAM;AAAA,EACN,UAAU,SAAS;AAAA,EACnB,QAAQ,CAAC,cAAc;AAAA,EACvB,UAAU;AAAA,IACR,UAAU;AAAA,IACV,SAAS;AAAA,IACT,iBAAiB;AAAA,IACjB,cAAc;AAAA,IACd,aAAa;AAAA,IACb,cAAc,CAAC,kBAAkB;AAAA,EACnC;AAAA,EACA,SAAS,OAAO,GAAG,MAAM,EAAE,QAAQ,MAAM,MAAM;AAC7C,UAAM,cAAc,EAAE,IAAI,OAAO,cAAc,KAAK;AACpD,UAAM,cAAc,OAAO,aAAc;AAAA,MAAK,CAAC,OAC7C,YAAY,SAAS,EAAE;AAAA,IACzB;AAEA,QAAI,CAAC,aAAa;AAChB,YAAM,4CAA4C,WAAW;AAC7D,YAAM,KAAK;AACX;AAAA,IACF;AAGA,UAAM,gBAAgB,EAAE,IAAI,OAAO,gBAAgB;AACnD,QAAI,kBAAkB,QAAW;AAC/B,YAAM,SAAS,OAAO,SAAS,eAAe,EAAE;AAChD,UAAI,CAAC,OAAO,MAAM,MAAM,KAAK,SAAS,OAAO,aAAc;AACzD,cAAM,+BAA+B,QAAQ,OAAO,WAAW;AAC/D,cAAM,IAAI;AAAA,UACR;AAAA,UACA;AAAA,UACA;AAAA,QACF;AAAA,MACF;AAAA,IACF;AAGA,UAAM,SAAS,EAAE,IAAI,IAAI,MAAM;AAC/B,UAAM,OAAO,MAAM,OAAO,KAAK;AAE/B,QAAI,CAAC,MAAM;AACT,YAAM,8BAA8B;AACpC,YAAM,KAAK;AACX;AAAA,IACF;AAGA,QAAI;AACJ,QAAI;AACF,eAAS,KAAK,MAAM,IAAI;AAAA,IAC1B,QAAQ;AACN,YAAM,cAAc;AACpB,YAAM,IAAI;AAAA,QACR;AAAA,QACA;AAAA,QACA;AAAA,MACF;AAAA,IACF;AAGA,0BAAsB,QAAQ;AAAA,MAC5B,UAAU,OAAO;AAAA,MACjB,SAAS,OAAO;AAAA,MAChB,iBAAiB,OAAO;AAAA,MACxB,cAAc,OAAO;AAAA,IACvB,CAAC;AAED,UAAM,0BAA0B;AAChC,UAAM,KAAK;AAAA,EACb;AAAA,EACA,UAAU;AAAA,IACR,WAAW,OAAO,OAAO,EAAE,QAAQ,MAAM,MAAM;AAC7C,YAAM,cAAc,MAAM,QAAQ,IAAI,cAAc,KAAK;AACzD,YAAM,cAAc,OAAO,aAAc;AAAA,QAAK,CAAC,OAC7C,YAAY,SAAS,EAAE;AAAA,MACzB;AAEA,UAAI,CAAC,aAAa;AAChB,cAAM,4CAA4C,WAAW;AAC7D,eAAO,EAAE,QAAQ,WAAW;AAAA,MAC9B;AAGA,YAAM,gBAAgB,MAAM,QAAQ,IAAI,gBAAgB;AACxD,UAAI,eAAe;AACjB,cAAM,SAAS,OAAO,SAAS,eAAe,EAAE;AAChD,YAAI,CAAC,OAAO,MAAM,MAAM,KAAK,SAAS,OAAO,aAAc;AACzD,gBAAM,+BAA+B,QAAQ,OAAO,WAAW;AAC/D,iBAAO;AAAA,YACL,QAAQ;AAAA,YACR,QAAQ;AAAA,YACR,MAAM;AAAA,YACN,SAAS;AAAA,UACX;AAAA,QACF;AAAA,MACF;AAGA,UAAI;AACJ,UAAI;AACF,YAAI,CAAC,MAAM,MAAM;AACf,gBAAM,8BAA8B;AACpC,iBAAO,EAAE,QAAQ,WAAW;AAAA,QAC9B;AACA,cAAM,UACJ,OAAO,MAAM,SAAS,WAClB,MAAM,OACN,IAAI,YAAY,EAAE,OAAO,MAAM,IAAI;AACzC,iBAAS,KAAK,MAAM,OAAO;AAAA,MAC7B,QAAQ;AACN,cAAM,cAAc;AACpB,eAAO;AAAA,UACL,QAAQ;AAAA,UACR,QAAQ;AAAA,UACR,MAAM;AAAA,UACN,SAAS;AAAA,QACX;AAAA,MACF;AAGA,UAAI;AACF,8BAAsB,QAAQ;AAAA,UAC5B,UAAU,OAAO;AAAA,UACjB,SAAS,OAAO;AAAA,UAChB,iBAAiB,OAAO;AAAA,UACxB,cAAc,OAAO;AAAA,QACvB,CAAC;AAAA,MACH,SAAS,KAAK;AACZ,YAAI,eAAe,cAAc;AAC/B,iBAAO;AAAA,YACL,QAAQ;AAAA,YACR,QAAQ,IAAI;AAAA,YACZ,MAAM,IAAI;AAAA,YACV,SAAS,IAAI;AAAA,UACf;AAAA,QACF;AACA,cAAM;AAAA,MACR;AAEA,YAAM,0BAA0B;AAChC,aAAO,EAAE,QAAQ,WAAW;AAAA,IAC9B;AAAA,EACF;AACF,CAAC;","names":[]}

package/dist/policies/traffic/rate-limit.d.ts

@@ -0,0 +1,4 @@
+export { w as InMemoryRateLimitStore, f as InMemoryRateLimitStoreOptions, x as RateLimitConfig, R as RateLimitStore, t as rateLimit } from '../../protocol-2fD3DJrL.js';
+import 'hono';
+import '../sdk/trace.js';
+import '@vivero/stoma-core';

package/dist/policies/traffic/rate-limit.js

@@ -0,0 +1,145 @@
+import { GatewayError } from "../../core/errors";
+import { extractClientIp } from "../../utils/ip";
+import { definePolicy, Priority, safeCall, setDebugHeader } from "../sdk";
+class InMemoryRateLimitStore {
+  counters = /* @__PURE__ */ new Map();
+  cleanupInterval = null;
+  /** Maximum number of unique keys to prevent memory exhaustion */
+  maxKeys;
+  cleanupIntervalMs;
+  constructor(options) {
+    if (typeof options === "number") {
+      this.maxKeys = options;
+      this.cleanupIntervalMs = 6e4;
+    } else {
+      this.maxKeys = options?.maxKeys ?? 1e5;
+      this.cleanupIntervalMs = options?.cleanupIntervalMs ?? 6e4;
+    }
+  }
+  /** Start the periodic cleanup interval on first use (Workers-safe). */
+  ensureCleanupInterval() {
+    if (this.cleanupInterval) return;
+    this.cleanupInterval = setInterval(
+      () => this.cleanup(),
+      this.cleanupIntervalMs
+    );
+  }
+  /**
+   * Increment the counter for a key within the given time window.
+   *
+   * When the store reaches `maxKeys` capacity and no expired entries can
+   * be evicted, returns `{ count: MAX_SAFE_INTEGER, resetAt }` to trigger
+   * rate limiting (fail-closed). This prevents unbounded memory growth at
+   * the cost of potentially rejecting legitimate requests - an intentional
+   * security trade-off where memory safety takes priority over availability.
+   */
+  async increment(key, windowSeconds) {
+    this.ensureCleanupInterval();
+    const now = Date.now();
+    const existing = this.counters.get(key);
+    if (existing && existing.resetAt > now) {
+      existing.count++;
+      return { count: existing.count, resetAt: existing.resetAt };
+    }
+    if (this.counters.size >= this.maxKeys && !existing) {
+      this.cleanup();
+      if (this.counters.size >= this.maxKeys) {
+        const resetAt2 = now + windowSeconds * 1e3;
+        return { count: Number.MAX_SAFE_INTEGER, resetAt: resetAt2 };
+      }
+    }
+    const resetAt = now + windowSeconds * 1e3;
+    const entry = { count: 1, resetAt };
+    this.counters.set(key, entry);
+    return { count: 1, resetAt };
+  }
+  cleanup() {
+    const now = Date.now();
+    for (const [key, entry] of this.counters) {
+      if (entry.resetAt <= now) {
+        this.counters.delete(key);
+      }
+    }
+  }
+  /** Stop the cleanup interval (for testing) */
+  destroy() {
+    if (this.cleanupInterval) {
+      clearInterval(this.cleanupInterval);
+      this.cleanupInterval = null;
+    }
+  }
+  /** Reset all counters (for testing) */
+  reset() {
+    this.counters.clear();
+  }
+}
+const defaultStores = /* @__PURE__ */ new WeakMap();
+function getStore(config) {
+  if (config.store) return config.store;
+  let store = defaultStores.get(config);
+  if (!store) {
+    store = new InMemoryRateLimitStore();
+    defaultStores.set(config, store);
+  }
+  return store;
+}
+const rateLimit = /* @__PURE__ */ definePolicy({
+  name: "rate-limit",
+  priority: Priority.RATE_LIMIT,
+  defaults: {
+    windowSeconds: 60,
+    statusCode: 429,
+    message: "Rate limit exceeded"
+  },
+  handler: async (c, next, { config, debug, trace }) => {
+    const store = getStore(config);
+    let key;
+    if (config.keyBy) {
+      key = await config.keyBy(c);
+    } else {
+      key = extractClientIp(c.req.raw.headers, { ipHeaders: config.ipHeaders });
+    }
+    const result = await safeCall(
+      () => store.increment(key, config.windowSeconds),
+      null,
+      debug,
+      "store.increment()"
+    );
+    if (!result) {
+      debug(`store unavailable, failing open (key=${key})`);
+      await next();
+      return;
+    }
+    const { count, resetAt } = result;
+    const remaining = Math.max(0, config.max - count);
+    const resetSeconds = Math.ceil((resetAt - Date.now()) / 1e3);
+    setDebugHeader(c, "x-stoma-ratelimit-key", key);
+    setDebugHeader(c, "x-stoma-ratelimit-window", config.windowSeconds);
+    if (count > config.max) {
+      debug(`limited (key=${key}, count=${count}, max=${config.max})`);
+      trace("rejected", { key, count, max: config.max });
+      const resetHeader = String(resetSeconds);
+      throw new GatewayError(
+        config.statusCode,
+        "rate_limited",
+        config.message,
+        {
+          "x-ratelimit-limit": String(config.max),
+          "x-ratelimit-remaining": "0",
+          "x-ratelimit-reset": resetHeader,
+          "retry-after": resetHeader
+        }
+      );
+    }
+    trace("allowed", { key, count, max: config.max, remaining });
+    await next();
+    c.res.headers.set("x-ratelimit-limit", String(config.max));
+    c.res.headers.set("x-ratelimit-remaining", String(remaining));
+    c.res.headers.set("x-ratelimit-reset", String(resetSeconds));
+  }
+});
+export {
+  InMemoryRateLimitStore,
+  rateLimit
+};
+//# sourceMappingURL=rate-limit.js.map

package/dist/policies/traffic/rate-limit.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../../../src/policies/traffic/rate-limit.ts"],"sourcesContent":["/**\n * Rate limiting policy with pluggable counter storage.\n *\n * @module rate-limit\n */\nimport type { Context } from \"hono\";\nimport { GatewayError } from \"../../core/errors\";\nimport { extractClientIp } from \"../../utils/ip\";\nimport { definePolicy, Priority, safeCall, setDebugHeader } from \"../sdk\";\nimport type { PolicyConfig } from \"../types\";\n\nexport interface RateLimitConfig extends PolicyConfig {\n  /** Maximum requests per window */\n  max: number;\n  /** Time window in seconds. Default: 60. */\n  windowSeconds?: number;\n  /** Key extractor - determines the rate limit bucket. Default: client IP. */\n  keyBy?: (c: Context) => string | Promise<string>;\n  /** Storage backend for counters */\n  store?: RateLimitStore;\n  /** Response status code when limited. Default: 429. */\n  statusCode?: number;\n  /** Custom response body when limited */\n  message?: string;\n  /** Ordered list of headers to inspect for the client IP (when `keyBy` is not set). Default: `[\"cf-connecting-ip\", \"x-forwarded-for\"]`. */\n  ipHeaders?: string[];\n}\n\n/** Pluggable storage backend for rate limit counters */\nexport interface RateLimitStore {\n  /** Increment the counter for a key, returning the new count and TTL */\n  increment(\n    key: string,\n    windowSeconds: number\n  ): Promise<{ count: number; resetAt: number }>;\n  /** Optional: cleanup resources (like intervals) used by the store */\n  destroy?(): void;\n}\n\n/** Default in-memory rate limit store */\nexport interface InMemoryRateLimitStoreOptions {\n  /** Maximum number of unique keys to prevent memory exhaustion. Default: 100000. */\n  maxKeys?: number;\n  /** Cleanup interval in ms for expired entries. Default: 60000. */\n  cleanupIntervalMs?: number;\n}\n\n/**\n * Default in-memory rate limit store backed by a `Map`.\n *\n * The store is bounded by `maxKeys` (default 100,000) to prevent unbounded\n * memory growth from unique rate-limit keys. When the store reaches capacity\n * and no expired entries can be evicted, it **fails closed** - returning\n * `MAX_SAFE_INTEGER` as the count to trigger rate limiting. This is an\n * intentional security design: memory safety takes priority over availability.\n *\n * Note the distinction between store-level and policy-level failure modes:\n * - **Store at capacity** (this class): fail-closed - reject the request\n * - **Store throws/times out** (policy handler via `safeCall`): fail-open - allow the request\n */\nexport class InMemoryRateLimitStore implements RateLimitStore {\n  private counters = new Map<string, { count: number; resetAt: number }>();\n  private cleanupInterval: ReturnType<typeof setInterval> | null = null;\n  /** Maximum number of unique keys to prevent memory exhaustion */\n  private maxKeys: number;\n  private cleanupIntervalMs: number;\n\n  constructor(options?: InMemoryRateLimitStoreOptions | number) {\n    // Back-compat: accept a plain number as maxKeys\n    if (typeof options === \"number\") {\n      this.maxKeys = options;\n      this.cleanupIntervalMs = 60_000;\n    } else {\n      this.maxKeys = options?.maxKeys ?? 100_000;\n      this.cleanupIntervalMs = options?.cleanupIntervalMs ?? 60_000;\n    }\n  }\n\n  /** Start the periodic cleanup interval on first use (Workers-safe). */\n  private ensureCleanupInterval(): void {\n    if (this.cleanupInterval) return;\n    this.cleanupInterval = setInterval(\n      () => this.cleanup(),\n      this.cleanupIntervalMs\n    );\n  }\n\n  /**\n   * Increment the counter for a key within the given time window.\n   *\n   * When the store reaches `maxKeys` capacity and no expired entries can\n   * be evicted, returns `{ count: MAX_SAFE_INTEGER, resetAt }` to trigger\n   * rate limiting (fail-closed). This prevents unbounded memory growth at\n   * the cost of potentially rejecting legitimate requests - an intentional\n   * security trade-off where memory safety takes priority over availability.\n   */\n  async increment(\n    key: string,\n    windowSeconds: number\n  ): Promise<{ count: number; resetAt: number }> {\n    this.ensureCleanupInterval();\n    const now = Date.now();\n    const existing = this.counters.get(key);\n\n    if (existing && existing.resetAt > now) {\n      existing.count++;\n      return { count: existing.count, resetAt: existing.resetAt };\n    }\n\n    // Protect against memory exhaustion: if we're at capacity, evict expired\n    // entries first. If still at capacity, reject with a high count to\n    // trigger rate limiting rather than allowing unbounded memory growth.\n    if (this.counters.size >= this.maxKeys && !existing) {\n      this.cleanup();\n      if (this.counters.size >= this.maxKeys) {\n        const resetAt = now + windowSeconds * 1000;\n        return { count: Number.MAX_SAFE_INTEGER, resetAt };\n      }\n    }\n\n    const resetAt = now + windowSeconds * 1000;\n    const entry = { count: 1, resetAt };\n    this.counters.set(key, entry);\n    return { count: 1, resetAt };\n  }\n\n  private cleanup(): void {\n    const now = Date.now();\n    for (const [key, entry] of this.counters) {\n      if (entry.resetAt <= now) {\n        this.counters.delete(key);\n      }\n    }\n  }\n\n  /** Stop the cleanup interval (for testing) */\n  destroy(): void {\n    if (this.cleanupInterval) {\n      clearInterval(this.cleanupInterval);\n      this.cleanupInterval = null;\n    }\n  }\n\n  /** Reset all counters (for testing) */\n  reset(): void {\n    this.counters.clear();\n  }\n}\n\n/**\n * Per-instance default stores for factory calls that don't provide their own.\n *\n * Keyed by the resolved config object (unique per factory call via\n * `resolveConfig`'s spread). This preserves the lazy-init behavior: the\n * `InMemoryRateLimitStore` is only created on the first request, not at\n * factory time, avoiding premature timer starts in test environments.\n */\nconst defaultStores = new WeakMap<object, InMemoryRateLimitStore>();\n\nfunction getStore(config: RateLimitConfig): RateLimitStore {\n  if (config.store) return config.store;\n  let store = defaultStores.get(config);\n  if (!store) {\n    store = new InMemoryRateLimitStore();\n    defaultStores.set(config, store);\n  }\n  return store;\n}\n\n/**\n * Rate limit requests with pluggable storage backends.\n *\n * Defaults to client IP extraction via `CF-Connecting-IP` or `X-Forwarded-For`.\n * Sets standard `X-RateLimit-*` response headers on every request and\n * throws a 429 when the limit is exceeded.\n *\n * @param config - Rate limit settings. `max` is required; other fields have sensible defaults.\n * @returns A {@link Policy} at priority 20 (runs after auth).\n *\n * @example\n * ```ts\n * // 100 requests per minute per IP (in-memory)\n * rateLimit({ max: 100 });\n *\n * // Custom key + Cloudflare KV store\n * rateLimit({\n *   max: 50,\n *   windowSeconds: 300,\n *   keyBy: (c) => c.req.header(\"x-user-id\") ?? \"anonymous\",\n *   store: new KVRateLimitStore(env.RATE_LIMIT_KV),\n * });\n * ```\n */\nexport const rateLimit = /*#__PURE__*/ definePolicy<RateLimitConfig>({\n  name: \"rate-limit\",\n  priority: Priority.RATE_LIMIT,\n  defaults: {\n    windowSeconds: 60,\n    statusCode: 429,\n    message: \"Rate limit exceeded\",\n  },\n  handler: async (c, next, { config, debug, trace }) => {\n    const store = getStore(config);\n\n    // Extract the rate limit key\n    let key: string;\n    if (config.keyBy) {\n      key = await config.keyBy(c);\n    } else {\n      key = extractClientIp(c.req.raw.headers, { ipHeaders: config.ipHeaders });\n    }\n\n    // Resilient to store failures - fail-open (allow the request) if the\n    // store is unreachable, but skip rate-limit headers since we have no data.\n    const result = await safeCall(\n      () => store.increment(key, config.windowSeconds!),\n      null,\n      debug,\n      \"store.increment()\"\n    );\n\n    if (!result) {\n      debug(`store unavailable, failing open (key=${key})`);\n      await next();\n      return;\n    }\n\n    const { count, resetAt } = result;\n    const remaining = Math.max(0, config.max - count);\n    const resetSeconds = Math.ceil((resetAt - Date.now()) / 1000);\n    setDebugHeader(c, \"x-stoma-ratelimit-key\", key);\n    setDebugHeader(c, \"x-stoma-ratelimit-window\", config.windowSeconds!);\n\n    if (count > config.max) {\n      debug(`limited (key=${key}, count=${count}, max=${config.max})`);\n      trace(\"rejected\", { key, count, max: config.max });\n      const resetHeader = String(resetSeconds);\n      throw new GatewayError(\n        config.statusCode!,\n        \"rate_limited\",\n        config.message!,\n        {\n          \"x-ratelimit-limit\": String(config.max),\n          \"x-ratelimit-remaining\": \"0\",\n          \"x-ratelimit-reset\": resetHeader,\n          \"retry-after\": resetHeader,\n        }\n      );\n    }\n\n    trace(\"allowed\", { key, count, max: config.max, remaining });\n\n    await next();\n\n    // Set rate limit headers on the response AFTER downstream runs,\n    // so they're applied even when handlers return raw Response objects\n    c.res.headers.set(\"x-ratelimit-limit\", String(config.max));\n    c.res.headers.set(\"x-ratelimit-remaining\", String(remaining));\n    c.res.headers.set(\"x-ratelimit-reset\", String(resetSeconds));\n  },\n});\n"],"mappings":"AAMA,SAAS,oBAAoB;AAC7B,SAAS,uBAAuB;AAChC,SAAS,cAAc,UAAU,UAAU,sBAAsB;AAoD1D,MAAM,uBAAiD;AAAA,EACpD,WAAW,oBAAI,IAAgD;AAAA,EAC/D,kBAAyD;AAAA;AAAA,EAEzD;AAAA,EACA;AAAA,EAER,YAAY,SAAkD;AAE5D,QAAI,OAAO,YAAY,UAAU;AAC/B,WAAK,UAAU;AACf,WAAK,oBAAoB;AAAA,IAC3B,OAAO;AACL,WAAK,UAAU,SAAS,WAAW;AACnC,WAAK,oBAAoB,SAAS,qBAAqB;AAAA,IACzD;AAAA,EACF;AAAA;AAAA,EAGQ,wBAA8B;AACpC,QAAI,KAAK,gBAAiB;AAC1B,SAAK,kBAAkB;AAAA,MACrB,MAAM,KAAK,QAAQ;AAAA,MACnB,KAAK;AAAA,IACP;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAWA,MAAM,UACJ,KACA,eAC6C;AAC7C,SAAK,sBAAsB;AAC3B,UAAM,MAAM,KAAK,IAAI;AACrB,UAAM,WAAW,KAAK,SAAS,IAAI,GAAG;AAEtC,QAAI,YAAY,SAAS,UAAU,KAAK;AACtC,eAAS;AACT,aAAO,EAAE,OAAO,SAAS,OAAO,SAAS,SAAS,QAAQ;AAAA,IAC5D;AAKA,QAAI,KAAK,SAAS,QAAQ,KAAK,WAAW,CAAC,UAAU;AACnD,WAAK,QAAQ;AACb,UAAI,KAAK,SAAS,QAAQ,KAAK,SAAS;AACtC,cAAMA,WAAU,MAAM,gBAAgB;AACtC,eAAO,EAAE,OAAO,OAAO,kBAAkB,SAAAA,SAAQ;AAAA,MACnD;AAAA,IACF;AAEA,UAAM,UAAU,MAAM,gBAAgB;AACtC,UAAM,QAAQ,EAAE,OAAO,GAAG,QAAQ;AAClC,SAAK,SAAS,IAAI,KAAK,KAAK;AAC5B,WAAO,EAAE,OAAO,GAAG,QAAQ;AAAA,EAC7B;AAAA,EAEQ,UAAgB;AACtB,UAAM,MAAM,KAAK,IAAI;AACrB,eAAW,CAAC,KAAK,KAAK,KAAK,KAAK,UAAU;AACxC,UAAI,MAAM,WAAW,KAAK;AACxB,aAAK,SAAS,OAAO,GAAG;AAAA,MAC1B;AAAA,IACF;AAAA,EACF;AAAA;AAAA,EAGA,UAAgB;AACd,QAAI,KAAK,iBAAiB;AACxB,oBAAc,KAAK,eAAe;AAClC,WAAK,kBAAkB;AAAA,IACzB;AAAA,EACF;AAAA;AAAA,EAGA,QAAc;AACZ,SAAK,SAAS,MAAM;AAAA,EACtB;AACF;AAUA,MAAM,gBAAgB,oBAAI,QAAwC;AAElE,SAAS,SAAS,QAAyC;AACzD,MAAI,OAAO,MAAO,QAAO,OAAO;AAChC,MAAI,QAAQ,cAAc,IAAI,MAAM;AACpC,MAAI,CAAC,OAAO;AACV,YAAQ,IAAI,uBAAuB;AACnC,kBAAc,IAAI,QAAQ,KAAK;AAAA,EACjC;AACA,SAAO;AACT;AA0BO,MAAM,YAA0B,6BAA8B;AAAA,EACnE,MAAM;AAAA,EACN,UAAU,SAAS;AAAA,EACnB,UAAU;AAAA,IACR,eAAe;AAAA,IACf,YAAY;AAAA,IACZ,SAAS;AAAA,EACX;AAAA,EACA,SAAS,OAAO,GAAG,MAAM,EAAE,QAAQ,OAAO,MAAM,MAAM;AACpD,UAAM,QAAQ,SAAS,MAAM;AAG7B,QAAI;AACJ,QAAI,OAAO,OAAO;AAChB,YAAM,MAAM,OAAO,MAAM,CAAC;AAAA,IAC5B,OAAO;AACL,YAAM,gBAAgB,EAAE,IAAI,IAAI,SAAS,EAAE,WAAW,OAAO,UAAU,CAAC;AAAA,IAC1E;AAIA,UAAM,SAAS,MAAM;AAAA,MACnB,MAAM,MAAM,UAAU,KAAK,OAAO,aAAc;AAAA,MAChD;AAAA,MACA;AAAA,MACA;AAAA,IACF;AAEA,QAAI,CAAC,QAAQ;AACX,YAAM,wCAAwC,GAAG,GAAG;AACpD,YAAM,KAAK;AACX;AAAA,IACF;AAEA,UAAM,EAAE,OAAO,QAAQ,IAAI;AAC3B,UAAM,YAAY,KAAK,IAAI,GAAG,OAAO,MAAM,KAAK;AAChD,UAAM,eAAe,KAAK,MAAM,UAAU,KAAK,IAAI,KAAK,GAAI;AAC5D,mBAAe,GAAG,yBAAyB,GAAG;AAC9C,mBAAe,GAAG,4BAA4B,OAAO,aAAc;AAEnE,QAAI,QAAQ,OAAO,KAAK;AACtB,YAAM,gBAAgB,GAAG,WAAW,KAAK,SAAS,OAAO,GAAG,GAAG;AAC/D,YAAM,YAAY,EAAE,KAAK,OAAO,KAAK,OAAO,IAAI,CAAC;AACjD,YAAM,cAAc,OAAO,YAAY;AACvC,YAAM,IAAI;AAAA,QACR,OAAO;AAAA,QACP;AAAA,QACA,OAAO;AAAA,QACP;AAAA,UACE,qBAAqB,OAAO,OAAO,GAAG;AAAA,UACtC,yBAAyB;AAAA,UACzB,qBAAqB;AAAA,UACrB,eAAe;AAAA,QACjB;AAAA,MACF;AAAA,IACF;AAEA,UAAM,WAAW,EAAE,KAAK,OAAO,KAAK,OAAO,KAAK,UAAU,CAAC;AAE3D,UAAM,KAAK;AAIX,MAAE,IAAI,QAAQ,IAAI,qBAAqB,OAAO,OAAO,GAAG,CAAC;AACzD,MAAE,IAAI,QAAQ,IAAI,yBAAyB,OAAO,SAAS,CAAC;AAC5D,MAAE,IAAI,QAAQ,IAAI,qBAAqB,OAAO,YAAY,CAAC;AAAA,EAC7D;AACF,CAAC;","names":["resetAt"]}

package/dist/policies/traffic/regex-threat-protection.d.ts

@@ -0,0 +1,54 @@
+import { g as PolicyConfig, P as Policy } from '../../protocol-2fD3DJrL.js';
+import 'hono';
+import '../sdk/trace.js';
+import '@vivero/stoma-core';
+
+/** A single pattern rule with target areas and optional custom message. */
+interface RegexPatternRule {
+    /** Regular expression pattern string. */
+    regex: string;
+    /** Which parts of the request to scan. */
+    targets: Array<"path" | "headers" | "body" | "query">;
+    /** Custom error message when this pattern matches. */
+    message?: string;
+}
+interface RegexThreatProtectionConfig extends PolicyConfig {
+    /** Pattern rules to evaluate against request data. */
+    patterns: RegexPatternRule[];
+    /** Regex flags applied to all patterns. Default: `"i"` (case-insensitive). */
+    flags?: string;
+    /** Only inspect body for these content types. Default: `["application/json", "text/plain"]`. */
+    contentTypes?: string[];
+    /** Maximum body bytes to scan. Default: `65536` (64KB). */
+    maxBodyScanLength?: number;
+}
+/**
+ * Regex threat protection policy.
+ *
+ * Scans request path, query string, headers, and/or body against
+ * configurable regex patterns. Throws a 400 GatewayError on first match.
+ *
+ * @security User-provided regex patterns can cause catastrophic backtracking
+ * (ReDoS) if they contain nested quantifiers or overlapping alternations
+ * (e.g. `(a+)+`, `(a|a)*b`). A crafted input string can cause the regex
+ * engine to run in exponential time, blocking the worker thread and
+ * effectively denying service. All patterns should be reviewed for
+ * super-linear time complexity before deployment. Consider using atomic
+ * patterns, possessive quantifiers (where supported), or testing patterns
+ * with a ReDoS detection tool.
+ *
+ * @example
+ * ```ts
+ * import { regexThreatProtection } from "@vivero/stoma";
+ *
+ * regexThreatProtection({
+ *   patterns: [
+ *     { regex: "(union|select|insert|delete|drop)\\s", targets: ["path", "query", "body"], message: "SQL injection detected" },
+ *     { regex: "<script[^>]*>", targets: ["body", "headers"], message: "XSS detected" },
+ *   ],
+ * });
+ * ```
+ */
+declare const regexThreatProtection: (config: RegexThreatProtectionConfig) => Policy;
+
+export { type RegexPatternRule, type RegexThreatProtectionConfig, regexThreatProtection };

package/dist/policies/traffic/regex-threat-protection.js

@@ -0,0 +1,109 @@
+import { GatewayError } from "../../core/errors";
+import { definePolicy, Priority } from "../sdk";
+const patternCache = /* @__PURE__ */ new WeakMap();
+function getCompiledPatterns(patterns, flags) {
+  let compiled = patternCache.get(patterns);
+  if (!compiled) {
+    const sanitizedFlags = flags.replace(/g/g, "");
+    if (sanitizedFlags !== flags) {
+      console.warn(
+        "[stoma:regex-threat-protection] Stripped 'g' flag - not meaningful with .test()"
+      );
+    }
+    compiled = patterns.map((p) => ({
+      regex: new RegExp(p.regex, sanitizedFlags),
+      targets: p.targets,
+      message: p.message ?? "Request blocked by threat protection"
+    }));
+    patternCache.set(patterns, compiled);
+  }
+  return compiled;
+}
+const regexThreatProtection = /* @__PURE__ */ definePolicy({
+  name: "regex-threat-protection",
+  priority: Priority.EARLY,
+  defaults: {
+    patterns: [],
+    flags: "i",
+    contentTypes: ["application/json", "text/plain"],
+    maxBodyScanLength: 65536
+  },
+  handler: async (c, next, { config, debug }) => {
+    const compiled = getCompiledPatterns(
+      config.patterns,
+      config.flags ?? "i"
+    );
+    if (compiled.length === 0) {
+      debug("no patterns configured - passing through");
+      await next();
+      return;
+    }
+    const anyTargetsBody = compiled.some((p) => p.targets.includes("body"));
+    let bodyText = null;
+    if (anyTargetsBody) {
+      const contentType = c.req.header("content-type") ?? "";
+      const matchedType = config.contentTypes.some(
+        (ct) => contentType.includes(ct)
+      );
+      if (matchedType) {
+        const cloned = c.req.raw.clone();
+        const reader = cloned.body?.getReader();
+        if (reader) {
+          let text = "";
+          const maxLen = config.maxBodyScanLength;
+          let done = false;
+          const decoder = new TextDecoder();
+          while (!done && text.length < maxLen) {
+            const result = await reader.read();
+            if (result.done) {
+              done = true;
+            } else {
+              text += decoder.decode(result.value, { stream: true });
+            }
+          }
+          reader.cancel();
+          if (text.length > maxLen) {
+            text = text.slice(0, maxLen);
+          }
+          bodyText = text || null;
+        }
+      }
+    }
+    for (const pattern of compiled) {
+      if (pattern.targets.includes("path")) {
+        if (pattern.regex.test(c.req.path)) {
+          debug("path matched pattern: %s", pattern.regex.source);
+          throw new GatewayError(400, "threat_detected", pattern.message);
+        }
+      }
+      if (pattern.targets.includes("query")) {
+        const url = new URL(c.req.url);
+        const queryString = decodeURIComponent(url.search.slice(1));
+        if (queryString && pattern.regex.test(queryString)) {
+          debug("query matched pattern: %s", pattern.regex.source);
+          throw new GatewayError(400, "threat_detected", pattern.message);
+        }
+      }
+      if (pattern.targets.includes("headers")) {
+        for (const [, value] of c.req.raw.headers.entries()) {
+          if (pattern.regex.test(value)) {
+            debug("header matched pattern: %s", pattern.regex.source);
+            throw new GatewayError(400, "threat_detected", pattern.message);
+          }
+        }
+      }
+      if (pattern.targets.includes("body") && bodyText) {
+        if (pattern.regex.test(bodyText)) {
+          debug("body matched pattern: %s", pattern.regex.source);
+          throw new GatewayError(400, "threat_detected", pattern.message);
+        }
+      }
+    }
+    debug("all patterns passed");
+    await next();
+  }
+});
+export {
+  regexThreatProtection
+};
+//# sourceMappingURL=regex-threat-protection.js.map

package/dist/policies/traffic/regex-threat-protection.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../../../src/policies/traffic/regex-threat-protection.ts"],"sourcesContent":["/**\n * Regex-based threat protection policy.\n *\n * Blocks requests matching dangerous patterns (SQL injection, XSS, etc.)\n * in the path, query string, headers, or body. Patterns are compiled once\n * per config object and cached via WeakMap.\n *\n * @module regex-threat-protection\n */\n\nimport { GatewayError } from \"../../core/errors\";\nimport { definePolicy, Priority } from \"../sdk\";\nimport type { PolicyConfig } from \"../types\";\n\n/** A single pattern rule with target areas and optional custom message. */\nexport interface RegexPatternRule {\n  /** Regular expression pattern string. */\n  regex: string;\n  /** Which parts of the request to scan. */\n  targets: Array<\"path\" | \"headers\" | \"body\" | \"query\">;\n  /** Custom error message when this pattern matches. */\n  message?: string;\n}\n\nexport interface RegexThreatProtectionConfig extends PolicyConfig {\n  /** Pattern rules to evaluate against request data. */\n  patterns: RegexPatternRule[];\n  /** Regex flags applied to all patterns. Default: `\"i\"` (case-insensitive). */\n  flags?: string;\n  /** Only inspect body for these content types. Default: `[\"application/json\", \"text/plain\"]`. */\n  contentTypes?: string[];\n  /** Maximum body bytes to scan. Default: `65536` (64KB). */\n  maxBodyScanLength?: number;\n}\n\n/** Compiled pattern with pre-built RegExp for efficient matching. */\ninterface CompiledPattern {\n  regex: RegExp;\n  targets: Array<\"path\" | \"headers\" | \"body\" | \"query\">;\n  message: string;\n}\n\nconst patternCache = new WeakMap<RegexPatternRule[], CompiledPattern[]>();\n\nfunction getCompiledPatterns(\n  patterns: RegexPatternRule[],\n  flags: string\n): CompiledPattern[] {\n  let compiled = patternCache.get(patterns);\n  if (!compiled) {\n    // Strip 'g' flag - not meaningful with .test() and can cause\n    // stateful lastIndex issues across calls.\n    const sanitizedFlags = flags.replace(/g/g, \"\");\n    if (sanitizedFlags !== flags) {\n      console.warn(\n        \"[stoma:regex-threat-protection] Stripped 'g' flag - not meaningful with .test()\"\n      );\n    }\n    compiled = patterns.map((p) => ({\n      regex: new RegExp(p.regex, sanitizedFlags),\n      targets: p.targets,\n      message: p.message ?? \"Request blocked by threat protection\",\n    }));\n    patternCache.set(patterns, compiled);\n  }\n  return compiled;\n}\n\n/**\n * Regex threat protection policy.\n *\n * Scans request path, query string, headers, and/or body against\n * configurable regex patterns. Throws a 400 GatewayError on first match.\n *\n * @security User-provided regex patterns can cause catastrophic backtracking\n * (ReDoS) if they contain nested quantifiers or overlapping alternations\n * (e.g. `(a+)+`, `(a|a)*b`). A crafted input string can cause the regex\n * engine to run in exponential time, blocking the worker thread and\n * effectively denying service. All patterns should be reviewed for\n * super-linear time complexity before deployment. Consider using atomic\n * patterns, possessive quantifiers (where supported), or testing patterns\n * with a ReDoS detection tool.\n *\n * @example\n * ```ts\n * import { regexThreatProtection } from \"@vivero/stoma\";\n *\n * regexThreatProtection({\n *   patterns: [\n *     { regex: \"(union|select|insert|delete|drop)\\\\s\", targets: [\"path\", \"query\", \"body\"], message: \"SQL injection detected\" },\n *     { regex: \"<script[^>]*>\", targets: [\"body\", \"headers\"], message: \"XSS detected\" },\n *   ],\n * });\n * ```\n */\nexport const regexThreatProtection =\n  /*#__PURE__*/ definePolicy<RegexThreatProtectionConfig>({\n    name: \"regex-threat-protection\",\n    priority: Priority.EARLY,\n    defaults: {\n      patterns: [],\n      flags: \"i\",\n      contentTypes: [\"application/json\", \"text/plain\"],\n      maxBodyScanLength: 65536,\n    },\n    handler: async (c, next, { config, debug }) => {\n      const compiled = getCompiledPatterns(\n        config.patterns,\n        config.flags ?? \"i\"\n      );\n\n      if (compiled.length === 0) {\n        debug(\"no patterns configured - passing through\");\n        await next();\n        return;\n      }\n\n      // Pre-compute whether any pattern targets body so we only read it once\n      const anyTargetsBody = compiled.some((p) => p.targets.includes(\"body\"));\n      let bodyText: string | null = null;\n\n      if (anyTargetsBody) {\n        const contentType = c.req.header(\"content-type\") ?? \"\";\n        const matchedType = config.contentTypes!.some((ct) =>\n          contentType.includes(ct)\n        );\n\n        if (matchedType) {\n          const cloned = c.req.raw.clone();\n          const reader = cloned.body?.getReader();\n          if (reader) {\n            let text = \"\";\n            const maxLen = config.maxBodyScanLength!;\n            let done = false;\n            const decoder = new TextDecoder();\n\n            while (!done && text.length < maxLen) {\n              const result = await reader.read();\n              if (result.done) {\n                done = true;\n              } else {\n                text += decoder.decode(result.value, { stream: true });\n              }\n            }\n            reader.cancel();\n\n            if (text.length > maxLen) {\n              text = text.slice(0, maxLen);\n            }\n\n            bodyText = text || null;\n          }\n        }\n      }\n\n      for (const pattern of compiled) {\n        // Check path\n        if (pattern.targets.includes(\"path\")) {\n          if (pattern.regex.test(c.req.path)) {\n            debug(\"path matched pattern: %s\", pattern.regex.source);\n            throw new GatewayError(400, \"threat_detected\", pattern.message);\n          }\n        }\n\n        // Check query string (decoded so URL-encoded payloads are caught)\n        if (pattern.targets.includes(\"query\")) {\n          const url = new URL(c.req.url);\n          const queryString = decodeURIComponent(url.search.slice(1));\n          if (queryString && pattern.regex.test(queryString)) {\n            debug(\"query matched pattern: %s\", pattern.regex.source);\n            throw new GatewayError(400, \"threat_detected\", pattern.message);\n          }\n        }\n\n        // Check headers\n        if (pattern.targets.includes(\"headers\")) {\n          for (const [, value] of c.req.raw.headers.entries()) {\n            if (pattern.regex.test(value)) {\n              debug(\"header matched pattern: %s\", pattern.regex.source);\n              throw new GatewayError(400, \"threat_detected\", pattern.message);\n            }\n          }\n        }\n\n        // Check body (using the pre-read body text)\n        if (pattern.targets.includes(\"body\") && bodyText) {\n          if (pattern.regex.test(bodyText)) {\n            debug(\"body matched pattern: %s\", pattern.regex.source);\n            throw new GatewayError(400, \"threat_detected\", pattern.message);\n          }\n        }\n      }\n\n      debug(\"all patterns passed\");\n      await next();\n    },\n  });\n"],"mappings":"AAUA,SAAS,oBAAoB;AAC7B,SAAS,cAAc,gBAAgB;AA+BvC,MAAM,eAAe,oBAAI,QAA+C;AAExE,SAAS,oBACP,UACA,OACmB;AACnB,MAAI,WAAW,aAAa,IAAI,QAAQ;AACxC,MAAI,CAAC,UAAU;AAGb,UAAM,iBAAiB,MAAM,QAAQ,MAAM,EAAE;AAC7C,QAAI,mBAAmB,OAAO;AAC5B,cAAQ;AAAA,QACN;AAAA,MACF;AAAA,IACF;AACA,eAAW,SAAS,IAAI,CAAC,OAAO;AAAA,MAC9B,OAAO,IAAI,OAAO,EAAE,OAAO,cAAc;AAAA,MACzC,SAAS,EAAE;AAAA,MACX,SAAS,EAAE,WAAW;AAAA,IACxB,EAAE;AACF,iBAAa,IAAI,UAAU,QAAQ;AAAA,EACrC;AACA,SAAO;AACT;AA6BO,MAAM,wBACG,6BAA0C;AAAA,EACtD,MAAM;AAAA,EACN,UAAU,SAAS;AAAA,EACnB,UAAU;AAAA,IACR,UAAU,CAAC;AAAA,IACX,OAAO;AAAA,IACP,cAAc,CAAC,oBAAoB,YAAY;AAAA,IAC/C,mBAAmB;AAAA,EACrB;AAAA,EACA,SAAS,OAAO,GAAG,MAAM,EAAE,QAAQ,MAAM,MAAM;AAC7C,UAAM,WAAW;AAAA,MACf,OAAO;AAAA,MACP,OAAO,SAAS;AAAA,IAClB;AAEA,QAAI,SAAS,WAAW,GAAG;AACzB,YAAM,0CAA0C;AAChD,YAAM,KAAK;AACX;AAAA,IACF;AAGA,UAAM,iBAAiB,SAAS,KAAK,CAAC,MAAM,EAAE,QAAQ,SAAS,MAAM,CAAC;AACtE,QAAI,WAA0B;AAE9B,QAAI,gBAAgB;AAClB,YAAM,cAAc,EAAE,IAAI,OAAO,cAAc,KAAK;AACpD,YAAM,cAAc,OAAO,aAAc;AAAA,QAAK,CAAC,OAC7C,YAAY,SAAS,EAAE;AAAA,MACzB;AAEA,UAAI,aAAa;AACf,cAAM,SAAS,EAAE,IAAI,IAAI,MAAM;AAC/B,cAAM,SAAS,OAAO,MAAM,UAAU;AACtC,YAAI,QAAQ;AACV,cAAI,OAAO;AACX,gBAAM,SAAS,OAAO;AACtB,cAAI,OAAO;AACX,gBAAM,UAAU,IAAI,YAAY;AAEhC,iBAAO,CAAC,QAAQ,KAAK,SAAS,QAAQ;AACpC,kBAAM,SAAS,MAAM,OAAO,KAAK;AACjC,gBAAI,OAAO,MAAM;AACf,qBAAO;AAAA,YACT,OAAO;AACL,sBAAQ,QAAQ,OAAO,OAAO,OAAO,EAAE,QAAQ,KAAK,CAAC;AAAA,YACvD;AAAA,UACF;AACA,iBAAO,OAAO;AAEd,cAAI,KAAK,SAAS,QAAQ;AACxB,mBAAO,KAAK,MAAM,GAAG,MAAM;AAAA,UAC7B;AAEA,qBAAW,QAAQ;AAAA,QACrB;AAAA,MACF;AAAA,IACF;AAEA,eAAW,WAAW,UAAU;AAE9B,UAAI,QAAQ,QAAQ,SAAS,MAAM,GAAG;AACpC,YAAI,QAAQ,MAAM,KAAK,EAAE,IAAI,IAAI,GAAG;AAClC,gBAAM,4BAA4B,QAAQ,MAAM,MAAM;AACtD,gBAAM,IAAI,aAAa,KAAK,mBAAmB,QAAQ,OAAO;AAAA,QAChE;AAAA,MACF;AAGA,UAAI,QAAQ,QAAQ,SAAS,OAAO,GAAG;AACrC,cAAM,MAAM,IAAI,IAAI,EAAE,IAAI,GAAG;AAC7B,cAAM,cAAc,mBAAmB,IAAI,OAAO,MAAM,CAAC,CAAC;AAC1D,YAAI,eAAe,QAAQ,MAAM,KAAK,WAAW,GAAG;AAClD,gBAAM,6BAA6B,QAAQ,MAAM,MAAM;AACvD,gBAAM,IAAI,aAAa,KAAK,mBAAmB,QAAQ,OAAO;AAAA,QAChE;AAAA,MACF;AAGA,UAAI,QAAQ,QAAQ,SAAS,SAAS,GAAG;AACvC,mBAAW,CAAC,EAAE,KAAK,KAAK,EAAE,IAAI,IAAI,QAAQ,QAAQ,GAAG;AACnD,cAAI,QAAQ,MAAM,KAAK,KAAK,GAAG;AAC7B,kBAAM,8BAA8B,QAAQ,MAAM,MAAM;AACxD,kBAAM,IAAI,aAAa,KAAK,mBAAmB,QAAQ,OAAO;AAAA,UAChE;AAAA,QACF;AAAA,MACF;AAGA,UAAI,QAAQ,QAAQ,SAAS,MAAM,KAAK,UAAU;AAChD,YAAI,QAAQ,MAAM,KAAK,QAAQ,GAAG;AAChC,gBAAM,4BAA4B,QAAQ,MAAM,MAAM;AACtD,gBAAM,IAAI,aAAa,KAAK,mBAAmB,QAAQ,OAAO;AAAA,QAChE;AAAA,MACF;AAAA,IACF;AAEA,UAAM,qBAAqB;AAC3B,UAAM,KAAK;AAAA,EACb;AACF,CAAC;","names":[]}

package/dist/policies/traffic/request-limit.d.ts

@@ -0,0 +1,27 @@
+import { g as PolicyConfig, P as Policy } from '../../protocol-2fD3DJrL.js';
+import 'hono';
+import '../sdk/trace.js';
+import '@vivero/stoma-core';
+
+interface RequestLimitConfig extends PolicyConfig {
+    /** Maximum allowed body size in bytes (based on Content-Length). */
+    maxBytes: number;
+    /** Custom error message. Default: "Request body too large". */
+    message?: string;
+}
+/**
+ * Reject requests whose declared Content-Length exceeds `maxBytes`.
+ *
+ * This policy checks only the `Content-Length` header. If the header is
+ * absent or invalid, the request passes through. Notably, requests using
+ * chunked transfer encoding (`Transfer-Encoding: chunked`) do not include
+ * a `Content-Length` header and will bypass this check entirely. For strict
+ * body size enforcement, combine this policy with a body-reading policy
+ * that enforces limits on the actual stream length.
+ *
+ * @param config - Maximum byte limit and optional custom message.
+ * @returns A {@link Policy} at priority 5 (EARLY).
+ */
+declare const requestLimit: (config: RequestLimitConfig) => Policy;
+
+export { type RequestLimitConfig, requestLimit };

package/dist/policies/traffic/request-limit.js

@@ -0,0 +1,41 @@
+import { GatewayError } from "../../core/errors";
+import { definePolicy, Priority } from "../sdk";
+const requestLimit = /* @__PURE__ */ definePolicy({
+  name: "request-limit",
+  priority: Priority.EARLY,
+  phases: ["request-headers"],
+  defaults: {
+    message: "Request body too large"
+  },
+  handler: async (c, next, { config }) => {
+    const contentLength = c.req.header("content-length");
+    if (contentLength !== void 0) {
+      const length = Number.parseInt(contentLength, 10);
+      if (!Number.isNaN(length) && length > config.maxBytes) {
+        throw new GatewayError(413, "request_too_large", config.message);
+      }
+    }
+    await next();
+  },
+  evaluate: {
+    onRequest: async (input, { config }) => {
+      const contentLength = input.headers.get("content-length");
+      if (contentLength) {
+        const length = Number.parseInt(contentLength, 10);
+        if (!Number.isNaN(length) && length > config.maxBytes) {
+          return {
+            action: "reject",
+            status: 413,
+            code: "request_too_large",
+            message: config.message
+          };
+        }
+      }
+      return { action: "continue" };
+    }
+  }
+});
+export {
+  requestLimit
+};
+//# sourceMappingURL=request-limit.js.map

package/dist/policies/traffic/request-limit.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../../../src/policies/traffic/request-limit.ts"],"sourcesContent":["/**\n * Request size limit policy - enforce maximum request body size via Content-Length.\n *\n * @module request-limit\n */\n\nimport { GatewayError } from \"../../core/errors\";\nimport { definePolicy, Priority } from \"../sdk\";\nimport type { PolicyConfig } from \"../types\";\n\nexport interface RequestLimitConfig extends PolicyConfig {\n  /** Maximum allowed body size in bytes (based on Content-Length). */\n  maxBytes: number;\n  /** Custom error message. Default: \"Request body too large\". */\n  message?: string;\n}\n\n/**\n * Reject requests whose declared Content-Length exceeds `maxBytes`.\n *\n * This policy checks only the `Content-Length` header. If the header is\n * absent or invalid, the request passes through. Notably, requests using\n * chunked transfer encoding (`Transfer-Encoding: chunked`) do not include\n * a `Content-Length` header and will bypass this check entirely. For strict\n * body size enforcement, combine this policy with a body-reading policy\n * that enforces limits on the actual stream length.\n *\n * @param config - Maximum byte limit and optional custom message.\n * @returns A {@link Policy} at priority 5 (EARLY).\n */\nexport const requestLimit = /*#__PURE__*/ definePolicy<RequestLimitConfig>({\n  name: \"request-limit\",\n  priority: Priority.EARLY,\n  phases: [\"request-headers\"],\n  defaults: {\n    message: \"Request body too large\",\n  },\n  handler: async (c, next, { config }) => {\n    const contentLength = c.req.header(\"content-length\");\n    if (contentLength !== undefined) {\n      const length = Number.parseInt(contentLength, 10);\n      if (!Number.isNaN(length) && length > config.maxBytes) {\n        throw new GatewayError(413, \"request_too_large\", config.message!);\n      }\n    }\n    await next();\n  },\n  evaluate: {\n    onRequest: async (input, { config }) => {\n      const contentLength = input.headers.get(\"content-length\");\n      if (contentLength) {\n        const length = Number.parseInt(contentLength, 10);\n        if (!Number.isNaN(length) && length > config.maxBytes) {\n          return {\n            action: \"reject\",\n            status: 413,\n            code: \"request_too_large\",\n            message: config.message!,\n          };\n        }\n      }\n      return { action: \"continue\" };\n    },\n  },\n});\n"],"mappings":"AAMA,SAAS,oBAAoB;AAC7B,SAAS,cAAc,gBAAgB;AAuBhC,MAAM,eAA6B,6BAAiC;AAAA,EACzE,MAAM;AAAA,EACN,UAAU,SAAS;AAAA,EACnB,QAAQ,CAAC,iBAAiB;AAAA,EAC1B,UAAU;AAAA,IACR,SAAS;AAAA,EACX;AAAA,EACA,SAAS,OAAO,GAAG,MAAM,EAAE,OAAO,MAAM;AACtC,UAAM,gBAAgB,EAAE,IAAI,OAAO,gBAAgB;AACnD,QAAI,kBAAkB,QAAW;AAC/B,YAAM,SAAS,OAAO,SAAS,eAAe,EAAE;AAChD,UAAI,CAAC,OAAO,MAAM,MAAM,KAAK,SAAS,OAAO,UAAU;AACrD,cAAM,IAAI,aAAa,KAAK,qBAAqB,OAAO,OAAQ;AAAA,MAClE;AAAA,IACF;AACA,UAAM,KAAK;AAAA,EACb;AAAA,EACA,UAAU;AAAA,IACR,WAAW,OAAO,OAAO,EAAE,OAAO,MAAM;AACtC,YAAM,gBAAgB,MAAM,QAAQ,IAAI,gBAAgB;AACxD,UAAI,eAAe;AACjB,cAAM,SAAS,OAAO,SAAS,eAAe,EAAE;AAChD,YAAI,CAAC,OAAO,MAAM,MAAM,KAAK,SAAS,OAAO,UAAU;AACrD,iBAAO;AAAA,YACL,QAAQ;AAAA,YACR,QAAQ;AAAA,YACR,MAAM;AAAA,YACN,SAAS,OAAO;AAAA,UAClB;AAAA,QACF;AAAA,MACF;AACA,aAAO,EAAE,QAAQ,WAAW;AAAA,IAC9B;AAAA,EACF;AACF,CAAC;","names":[]}