@vorionsys/security 1.0.0

package/dist/api/errors.js

@@ -0,0 +1,464 @@
+/**
+ * API Error Handling
+ *
+ * Provides standardized error classes, error handler middleware,
+ * and error serialization for consistent API error responses.
+ *
+ * @packageDocumentation
+ */
+import { ZodError } from 'zod';
+import { trace, SpanStatusCode } from '@opentelemetry/api';
+import { createLogger } from '../common/logger.js';
+import { getTraceContext } from '../common/trace.js';
+import { getConfig } from '../common/config.js';
+import { isVorionError } from '../common/errors.js';
+const logger = createLogger({ component: 'api-errors' });
+const tracer = trace.getTracer('vorion-api-errors');
+/**
+ * Standard error codes for API responses
+ */
+export var ErrorCode;
+(function (ErrorCode) {
+    // Client Errors (4xx)
+    ErrorCode["VALIDATION_ERROR"] = "VALIDATION_ERROR";
+    ErrorCode["INVALID_INPUT"] = "INVALID_INPUT";
+    ErrorCode["INVALID_PARAMS"] = "INVALID_PARAMS";
+    ErrorCode["INVALID_QUERY"] = "INVALID_QUERY";
+    ErrorCode["MISSING_FIELD"] = "MISSING_FIELD";
+    ErrorCode["INVALID_FORMAT"] = "INVALID_FORMAT";
+    ErrorCode["PAYLOAD_TOO_LARGE"] = "PAYLOAD_TOO_LARGE";
+    ErrorCode["INJECTION_DETECTED"] = "INJECTION_DETECTED";
+    ErrorCode["UNAUTHORIZED"] = "UNAUTHORIZED";
+    ErrorCode["TOKEN_INVALID"] = "TOKEN_INVALID";
+    ErrorCode["TOKEN_EXPIRED"] = "TOKEN_EXPIRED";
+    ErrorCode["TOKEN_REVOKED"] = "TOKEN_REVOKED";
+    ErrorCode["MISSING_AUTH"] = "MISSING_AUTH";
+    ErrorCode["FORBIDDEN"] = "FORBIDDEN";
+    ErrorCode["INSUFFICIENT_PERMISSIONS"] = "INSUFFICIENT_PERMISSIONS";
+    ErrorCode["TENANT_MISMATCH"] = "TENANT_MISMATCH";
+    ErrorCode["NOT_FOUND"] = "NOT_FOUND";
+    ErrorCode["RESOURCE_NOT_FOUND"] = "RESOURCE_NOT_FOUND";
+    ErrorCode["INTENT_NOT_FOUND"] = "INTENT_NOT_FOUND";
+    ErrorCode["POLICY_NOT_FOUND"] = "POLICY_NOT_FOUND";
+    ErrorCode["ESCALATION_NOT_FOUND"] = "ESCALATION_NOT_FOUND";
+    ErrorCode["CONFLICT"] = "CONFLICT";
+    ErrorCode["RESOURCE_EXISTS"] = "RESOURCE_EXISTS";
+    ErrorCode["INVALID_STATE"] = "INVALID_STATE";
+    ErrorCode["RATE_LIMIT_EXCEEDED"] = "RATE_LIMIT_EXCEEDED";
+    ErrorCode["QUOTA_EXCEEDED"] = "QUOTA_EXCEEDED";
+    // Server Errors (5xx)
+    ErrorCode["INTERNAL_ERROR"] = "INTERNAL_ERROR";
+    ErrorCode["DATABASE_ERROR"] = "DATABASE_ERROR";
+    ErrorCode["EXTERNAL_SERVICE_ERROR"] = "EXTERNAL_SERVICE_ERROR";
+    ErrorCode["TIMEOUT"] = "TIMEOUT";
+    ErrorCode["SERVICE_UNAVAILABLE"] = "SERVICE_UNAVAILABLE";
+})(ErrorCode || (ErrorCode = {}));
+/**
+ * HTTP status code mapping for error codes
+ */
+const ERROR_STATUS_MAP = {
+    // 400 Bad Request
+    [ErrorCode.VALIDATION_ERROR]: 400,
+    [ErrorCode.INVALID_INPUT]: 400,
+    [ErrorCode.INVALID_PARAMS]: 400,
+    [ErrorCode.INVALID_QUERY]: 400,
+    [ErrorCode.MISSING_FIELD]: 400,
+    [ErrorCode.INVALID_FORMAT]: 400,
+    [ErrorCode.INJECTION_DETECTED]: 400,
+    // 401 Unauthorized
+    [ErrorCode.UNAUTHORIZED]: 401,
+    [ErrorCode.TOKEN_INVALID]: 401,
+    [ErrorCode.TOKEN_EXPIRED]: 401,
+    [ErrorCode.TOKEN_REVOKED]: 401,
+    [ErrorCode.MISSING_AUTH]: 401,
+    // 403 Forbidden
+    [ErrorCode.FORBIDDEN]: 403,
+    [ErrorCode.INSUFFICIENT_PERMISSIONS]: 403,
+    [ErrorCode.TENANT_MISMATCH]: 403,
+    // 404 Not Found
+    [ErrorCode.NOT_FOUND]: 404,
+    [ErrorCode.RESOURCE_NOT_FOUND]: 404,
+    [ErrorCode.INTENT_NOT_FOUND]: 404,
+    [ErrorCode.POLICY_NOT_FOUND]: 404,
+    [ErrorCode.ESCALATION_NOT_FOUND]: 404,
+    // 409 Conflict
+    [ErrorCode.CONFLICT]: 409,
+    [ErrorCode.RESOURCE_EXISTS]: 409,
+    [ErrorCode.INVALID_STATE]: 409,
+    // 413 Payload Too Large
+    [ErrorCode.PAYLOAD_TOO_LARGE]: 413,
+    // 429 Too Many Requests
+    [ErrorCode.RATE_LIMIT_EXCEEDED]: 429,
+    [ErrorCode.QUOTA_EXCEEDED]: 429,
+    // 500 Internal Server Error
+    [ErrorCode.INTERNAL_ERROR]: 500,
+    [ErrorCode.DATABASE_ERROR]: 500,
+    // 502 Bad Gateway
+    [ErrorCode.EXTERNAL_SERVICE_ERROR]: 502,
+    // 503 Service Unavailable
+    [ErrorCode.SERVICE_UNAVAILABLE]: 503,
+    // 504 Gateway Timeout
+    [ErrorCode.TIMEOUT]: 504,
+};
+/**
+ * Base API error class
+ */
+export class ApiError extends Error {
+    code;
+    statusCode;
+    details;
+    retryAfter;
+    constructor(code, message, details, retryAfter) {
+        super(message);
+        this.name = 'ApiError';
+        this.code = code;
+        this.statusCode = ERROR_STATUS_MAP[code] ?? 500;
+        this.details = details;
+        this.retryAfter = retryAfter;
+        if (Error.captureStackTrace) {
+            Error.captureStackTrace(this, this.constructor);
+        }
+    }
+    /**
+     * Serialize to VorionErrorResponse format
+     */
+    toResponse(requestId, includeDetails = true) {
+        const response = {
+            success: false,
+            error: {
+                code: this.code,
+                message: this.message,
+            },
+            meta: {
+                requestId,
+                timestamp: new Date().toISOString(),
+            },
+        };
+        if (includeDetails && this.details) {
+            response.error.details = this.details;
+        }
+        if (this.retryAfter !== undefined) {
+            response.error.retryAfter = this.retryAfter;
+        }
+        return response;
+    }
+}
+/**
+ * Not Found error (404)
+ */
+export class NotFoundError extends ApiError {
+    constructor(resource = 'Resource', message, details) {
+        super(ErrorCode.NOT_FOUND, message ?? `${resource} not found`, details);
+        this.name = 'NotFoundError';
+    }
+}
+/**
+ * Validation error (400)
+ */
+export class ValidationError extends ApiError {
+    constructor(message = 'Validation failed', details) {
+        super(ErrorCode.VALIDATION_ERROR, message, details);
+        this.name = 'ValidationError';
+    }
+    /**
+     * Create from Zod error
+     */
+    static fromZodError(error) {
+        const errors = error.errors.map((e) => ({
+            path: e.path.join('.') || '(root)',
+            message: e.message,
+            code: e.code,
+        }));
+        return new ValidationError('Request validation failed', { errors });
+    }
+}
+/**
+ * Authentication error (401)
+ */
+export class AuthError extends ApiError {
+    constructor(message = 'Authentication required', code = ErrorCode.UNAUTHORIZED, details) {
+        super(code, message, details);
+        this.name = 'AuthError';
+    }
+    static tokenInvalid(message = 'Invalid token') {
+        return new AuthError(message, ErrorCode.TOKEN_INVALID);
+    }
+    static tokenExpired(message = 'Token has expired') {
+        return new AuthError(message, ErrorCode.TOKEN_EXPIRED);
+    }
+    static tokenRevoked(message = 'Token has been revoked') {
+        return new AuthError(message, ErrorCode.TOKEN_REVOKED);
+    }
+    static missingAuth(message = 'Authorization header is required') {
+        return new AuthError(message, ErrorCode.MISSING_AUTH);
+    }
+}
+/**
+ * Rate limit error (429)
+ */
+export class RateLimitError extends ApiError {
+    constructor(message = 'Rate limit exceeded', retryAfter, details) {
+        super(ErrorCode.RATE_LIMIT_EXCEEDED, message, details, retryAfter);
+        this.name = 'RateLimitError';
+    }
+}
+/**
+ * Conflict error (409)
+ */
+export class ConflictError extends ApiError {
+    constructor(message = 'Resource conflict', details) {
+        super(ErrorCode.CONFLICT, message, details);
+        this.name = 'ConflictError';
+    }
+    static invalidState(currentState, allowedStates) {
+        return new ConflictError(`Invalid state transition. Current state: ${currentState}, allowed states: ${allowedStates.join(', ')}`, { currentState, allowedStates });
+    }
+}
+/**
+ * Forbidden error (403)
+ */
+export class ForbiddenError extends ApiError {
+    constructor(message = 'Access denied', details) {
+        super(ErrorCode.FORBIDDEN, message, details);
+        this.name = 'ForbiddenError';
+    }
+    static insufficientPermissions(requiredPermission) {
+        return new ForbiddenError(`Insufficient permissions. Required: ${requiredPermission}`, { requiredPermission });
+    }
+    static tenantMismatch() {
+        return new ForbiddenError('Access denied. Resource belongs to a different tenant.', {});
+    }
+}
+/**
+ * Internal server error (500)
+ */
+export class InternalError extends ApiError {
+    constructor(message = 'An unexpected error occurred', details) {
+        super(ErrorCode.INTERNAL_ERROR, message, details);
+        this.name = 'InternalError';
+    }
+}
+/**
+ * Get status code for an error code
+ */
+export function getStatusForErrorCode(code) {
+    return ERROR_STATUS_MAP[code] ?? 500;
+}
+/**
+ * Check if an error is an API error
+ */
+export function isApiError(error) {
+    return error instanceof ApiError;
+}
+/**
+ * Sanitize error message for production
+ * Removes potentially sensitive information
+ */
+function sanitizeErrorMessage(message) {
+    const sensitivePatterns = [
+        /password/i,
+        /secret/i,
+        /token/i,
+        /key/i,
+        /credential/i,
+        /connection string/i,
+        /database.*error/i,
+        /sql.*error/i,
+    ];
+    for (const pattern of sensitivePatterns) {
+        if (pattern.test(message)) {
+            return 'An error occurred while processing your request';
+        }
+    }
+    // Remove stack traces
+    const stackIndex = message.indexOf('\n    at ');
+    if (stackIndex !== -1) {
+        return message.substring(0, stackIndex);
+    }
+    return message;
+}
+/**
+ * Create error response from any error
+ */
+export function createErrorResponse(error, requestId, isProduction = false) {
+    const traceContext = getTraceContext();
+    // Handle API errors
+    if (isApiError(error)) {
+        const response = error.toResponse(requestId, !isProduction);
+        if (traceContext) {
+            response.trace = { traceId: traceContext.traceId };
+        }
+        return { response, statusCode: error.statusCode };
+    }
+    // Handle Vorion errors from common/errors.ts
+    if (isVorionError(error)) {
+        const response = {
+            success: false,
+            error: {
+                code: error.code,
+                message: isProduction ? sanitizeErrorMessage(error.message) : error.message,
+                details: !isProduction && error.details ? error.details : undefined,
+            },
+            meta: {
+                requestId,
+                timestamp: new Date().toISOString(),
+            },
+        };
+        if (traceContext) {
+            response.trace = { traceId: traceContext.traceId };
+        }
+        return { response, statusCode: error.statusCode };
+    }
+    // Handle Zod validation errors
+    if (error instanceof ZodError) {
+        const validationError = ValidationError.fromZodError(error);
+        const response = validationError.toResponse(requestId, !isProduction);
+        if (traceContext) {
+            response.trace = { traceId: traceContext.traceId };
+        }
+        return { response, statusCode: 400 };
+    }
+    // Handle Fastify errors
+    if (isFastifyError(error)) {
+        let code = ErrorCode.INTERNAL_ERROR;
+        let statusCode = error.statusCode ?? 500;
+        let message = error.message;
+        // Map specific Fastify error codes
+        if (error.code === 'FST_JWT_NO_AUTHORIZATION_IN_HEADER') {
+            code = ErrorCode.MISSING_AUTH;
+            statusCode = 401;
+            message = 'Authorization header is missing';
+        }
+        else if (error.code === 'FST_JWT_AUTHORIZATION_TOKEN_INVALID') {
+            code = ErrorCode.TOKEN_INVALID;
+            statusCode = 401;
+            message = 'Invalid authorization token';
+        }
+        else if (error.code === 'FST_JWT_AUTHORIZATION_TOKEN_EXPIRED') {
+            code = ErrorCode.TOKEN_EXPIRED;
+            statusCode = 401;
+            message = 'Authorization token has expired';
+        }
+        else if (statusCode === 429) {
+            code = ErrorCode.RATE_LIMIT_EXCEEDED;
+        }
+        else if (statusCode === 413) {
+            code = ErrorCode.PAYLOAD_TOO_LARGE;
+        }
+        const response = {
+            success: false,
+            error: {
+                code,
+                message: isProduction && statusCode >= 500 ? 'An unexpected error occurred' : message,
+            },
+            meta: {
+                requestId,
+                timestamp: new Date().toISOString(),
+            },
+        };
+        if (traceContext) {
+            response.trace = { traceId: traceContext.traceId };
+        }
+        return { response, statusCode };
+    }
+    // Handle generic errors
+    const message = error instanceof Error ? error.message : 'Unknown error';
+    const response = {
+        success: false,
+        error: {
+            code: ErrorCode.INTERNAL_ERROR,
+            message: isProduction ? 'An unexpected error occurred' : sanitizeErrorMessage(message),
+        },
+        meta: {
+            requestId,
+            timestamp: new Date().toISOString(),
+        },
+    };
+    if (traceContext) {
+        response.trace = { traceId: traceContext.traceId };
+    }
+    return { response, statusCode: 500 };
+}
+/**
+ * Type guard for Fastify errors
+ */
+function isFastifyError(error) {
+    return (error !== null &&
+        typeof error === 'object' &&
+        'statusCode' in error &&
+        typeof error.statusCode === 'number');
+}
+/**
+ * Create standard error handler middleware for Fastify
+ *
+ * @param options - Error handler options
+ * @returns Fastify error handler
+ */
+export function createErrorHandler(options) {
+    const config = getConfig();
+    const isProduction = config.env === 'production';
+    return async (error, request, reply) => {
+        const requestId = request.id || 'unknown';
+        const traceContext = request.traceContext;
+        // Apply custom transform if provided
+        const transformedError = options?.transformError?.(error) ?? error;
+        // Create error response
+        const { response, statusCode } = createErrorResponse(transformedError, requestId, isProduction);
+        // Add trace context if available
+        if (traceContext && response.trace) {
+            response.trace.traceId = traceContext.traceId;
+        }
+        // Log the error
+        const logData = {
+            requestId,
+            statusCode,
+            errorCode: response.error.code,
+            url: request.url,
+            method: request.method,
+        };
+        if (traceContext) {
+            logData.traceId = traceContext.traceId;
+        }
+        if (!isProduction && options?.includeStack !== false) {
+            logData.stack = error.stack;
+        }
+        // Log level based on status code
+        if (statusCode >= 500) {
+            logger.error(logData, error.message);
+            // Record exception in trace
+            const span = trace.getActiveSpan();
+            if (span) {
+                span.setStatus({ code: SpanStatusCode.ERROR, message: error.message });
+                span.recordException(error);
+            }
+        }
+        else if (statusCode >= 400) {
+            logger.warn(logData, error.message);
+        }
+        else {
+            logger.info(logData, error.message);
+        }
+        // Add Retry-After header for rate limit errors
+        if (response.error.retryAfter !== undefined) {
+            reply.header('Retry-After', response.error.retryAfter);
+        }
+        return reply.status(statusCode).send(response);
+    };
+}
+/**
+ * Wrap an async handler to catch and format errors
+ */
+export function wrapHandler(handler) {
+    return async (request, reply) => {
+        try {
+            return await handler(request, reply);
+        }
+        catch (error) {
+            const config = getConfig();
+            const { response, statusCode } = createErrorResponse(error, request.id || 'unknown', config.env === 'production');
+            reply.status(statusCode);
+            return response;
+        }
+    };
+}
+//# sourceMappingURL=errors.js.map

package/dist/api/errors.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"errors.js","sourceRoot":"","sources":["../../src/api/errors.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAGH,OAAO,EAAE,QAAQ,EAAE,MAAM,KAAK,CAAC;AAC/B,OAAO,EAAE,KAAK,EAAE,cAAc,EAAE,MAAM,oBAAoB,CAAC;AAC3D,OAAO,EAAE,YAAY,EAAE,MAAM,qBAAqB,CAAC;AACnD,OAAO,EAAE,eAAe,EAAqB,MAAM,oBAAoB,CAAC;AACxE,OAAO,EAAE,SAAS,EAAE,MAAM,qBAAqB,CAAC;AAChD,OAAO,EAAe,aAAa,EAAE,MAAM,qBAAqB,CAAC;AAGjE,MAAM,MAAM,GAAG,YAAY,CAAC,EAAE,SAAS,EAAE,YAAY,EAAE,CAAC,CAAC;AACzD,MAAM,MAAM,GAAG,KAAK,CAAC,SAAS,CAAC,mBAAmB,CAAC,CAAC;AAEpD;;GAEG;AACH,MAAM,CAAN,IAAY,SAwCX;AAxCD,WAAY,SAAS;IACnB,sBAAsB;IACtB,kDAAqC,CAAA;IACrC,4CAA+B,CAAA;IAC/B,8CAAiC,CAAA;IACjC,4CAA+B,CAAA;IAC/B,4CAA+B,CAAA;IAC/B,8CAAiC,CAAA;IACjC,oDAAuC,CAAA;IACvC,sDAAyC,CAAA;IAEzC,0CAA6B,CAAA;IAC7B,4CAA+B,CAAA;IAC/B,4CAA+B,CAAA;IAC/B,4CAA+B,CAAA;IAC/B,0CAA6B,CAAA;IAE7B,oCAAuB,CAAA;IACvB,kEAAqD,CAAA;IACrD,gDAAmC,CAAA;IAEnC,oCAAuB,CAAA;IACvB,sDAAyC,CAAA;IACzC,kDAAqC,CAAA;IACrC,kDAAqC,CAAA;IACrC,0DAA6C,CAAA;IAE7C,kCAAqB,CAAA;IACrB,gDAAmC,CAAA;IACnC,4CAA+B,CAAA;IAE/B,wDAA2C,CAAA;IAC3C,8CAAiC,CAAA;IAEjC,sBAAsB;IACtB,8CAAiC,CAAA;IACjC,8CAAiC,CAAA;IACjC,8DAAiD,CAAA;IACjD,gCAAmB,CAAA;IACnB,wDAA2C,CAAA;AAC7C,CAAC,EAxCW,SAAS,KAAT,SAAS,QAwCpB;AAED;;GAEG;AACH,MAAM,gBAAgB,GAA8B;IAClD,kBAAkB;IAClB,CAAC,SAAS,CAAC,gBAAgB,CAAC,EAAE,GAAG;IACjC,CAAC,SAAS,CAAC,aAAa,CAAC,EAAE,GAAG;IAC9B,CAAC,SAAS,CAAC,cAAc,CAAC,EAAE,GAAG;IAC/B,CAAC,SAAS,CAAC,aAAa,CAAC,EAAE,GAAG;IAC9B,CAAC,SAAS,CAAC,aAAa,CAAC,EAAE,GAAG;IAC9B,CAAC,SAAS,CAAC,cAAc,CAAC,EAAE,GAAG;IAC/B,CAAC,SAAS,CAAC,kBAAkB,CAAC,EAAE,GAAG;IAEnC,mBAAmB;IACnB,CAAC,SAAS,CAAC,YAAY,CAAC,EAAE,GAAG;IAC7B,CAAC,SAAS,CAAC,aAAa,CAAC,EAAE,GAAG;IAC9B,CAAC,SAAS,CAAC,aAAa,CAAC,EAAE,GAAG;IAC9B,CAAC,SAAS,CAAC,aAAa,CAAC,EAAE,GAAG;IAC9B,CAAC,SAAS,CAAC,YAAY,CAAC,EAAE,GAAG;IAE7B,gBAAgB;IAChB,CAAC,SAAS,CAAC,SAAS,CAAC,EAAE,GAAG;IAC1B,CAAC,SAAS,CAAC,wBAAwB,CAAC,EAAE,GAAG;IACzC,CAAC,SAAS,CAAC,eAAe,CAAC,EAAE,GAAG;IAEhC,gBAAgB;IAChB,CAAC,SAAS,CAAC,SAAS,CAAC,EAAE,GAAG;IAC1B,CAAC,SAAS,CAAC,kBAAkB,CAAC,EAAE,GAAG;IACnC,CAAC,SAAS,CAAC,gBAAgB,CAAC,EAAE,GAAG;IACjC,CAAC,SAAS,CAAC,gBAAgB,CAAC,EAAE,GAAG;IACjC,CAAC,SAAS,CAAC,oBAAoB,CAAC,EAAE,GAAG;IAErC,eAAe;IACf,CAAC,SAAS,CAAC,QAAQ,CAAC,EAAE,GAAG;IACzB,CAAC,SAAS,CAAC,eAAe,CAAC,EAAE,GAAG;IAChC,CAAC,SAAS,CAAC,aAAa,CAAC,EAAE,GAAG;IAE9B,wBAAwB;IACxB,CAAC,SAAS,CAAC,iBAAiB,CAAC,EAAE,GAAG;IAElC,wBAAwB;IACxB,CAAC,SAAS,CAAC,mBAAmB,CAAC,EAAE,GAAG;IACpC,CAAC,SAAS,CAAC,cAAc,CAAC,EAAE,GAAG;IAE/B,4BAA4B;IAC5B,CAAC,SAAS,CAAC,cAAc,CAAC,EAAE,GAAG;IAC/B,CAAC,SAAS,CAAC,cAAc,CAAC,EAAE,GAAG;IAE/B,kBAAkB;IAClB,CAAC,SAAS,CAAC,sBAAsB,CAAC,EAAE,GAAG;IAEvC,0BAA0B;IAC1B,CAAC,SAAS,CAAC,mBAAmB,CAAC,EAAE,GAAG;IAEpC,sBAAsB;IACtB,CAAC,SAAS,CAAC,OAAO,CAAC,EAAE,GAAG;CACzB,CAAC;AAEF;;GAEG;AACH,MAAM,OAAO,QAAS,SAAQ,KAAK;IACxB,IAAI,CAAY;IAChB,UAAU,CAAS;IACnB,OAAO,CAA2B;IAClC,UAAU,CAAU;IAE7B,YACE,IAAe,EACf,OAAe,EACf,OAAiC,EACjC,UAAmB;QAEnB,KAAK,CAAC,OAAO,CAAC,CAAC;QACf,IAAI,CAAC,IAAI,GAAG,UAAU,CAAC;QACvB,IAAI,CAAC,IAAI,GAAG,IAAI,CAAC;QACjB,IAAI,CAAC,UAAU,GAAG,gBAAgB,CAAC,IAAI,CAAC,IAAI,GAAG,CAAC;QAChD,IAAI,CAAC,OAAO,GAAG,OAAO,CAAC;QACvB,IAAI,CAAC,UAAU,GAAG,UAAU,CAAC;QAE7B,IAAI,KAAK,CAAC,iBAAiB,EAAE,CAAC;YAC5B,KAAK,CAAC,iBAAiB,CAAC,IAAI,EAAE,IAAI,CAAC,WAAW,CAAC,CAAC;QAClD,CAAC;IACH,CAAC;IAED;;OAEG;IACH,UAAU,CAAC,SAAiB,EAAE,iBAA0B,IAAI;QAC1D,MAAM,QAAQ,GAAwB;YACpC,OAAO,EAAE,KAAK;YACd,KAAK,EAAE;gBACL,IAAI,EAAE,IAAI,CAAC,IAAI;gBACf,OAAO,EAAE,IAAI,CAAC,OAAO;aACtB;YACD,IAAI,EAAE;gBACJ,SAAS;gBACT,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;aACpC;SACF,CAAC;QAEF,IAAI,cAAc,IAAI,IAAI,CAAC,OAAO,EAAE,CAAC;YACnC,QAAQ,CAAC,KAAK,CAAC,OAAO,GAAG,IAAI,CAAC,OAAO,CAAC;QACxC,CAAC;QAED,IAAI,IAAI,CAAC,UAAU,KAAK,SAAS,EAAE,CAAC;YAClC,QAAQ,CAAC,KAAK,CAAC,UAAU,GAAG,IAAI,CAAC,UAAU,CAAC;QAC9C,CAAC;QAED,OAAO,QAAQ,CAAC;IAClB,CAAC;CACF;AAED;;GAEG;AACH,MAAM,OAAO,aAAc,SAAQ,QAAQ;IACzC,YACE,WAAmB,UAAU,EAC7B,OAAgB,EAChB,OAAiC;QAEjC,KAAK,CACH,SAAS,CAAC,SAAS,EACnB,OAAO,IAAI,GAAG,QAAQ,YAAY,EAClC,OAAO,CACR,CAAC;QACF,IAAI,CAAC,IAAI,GAAG,eAAe,CAAC;IAC9B,CAAC;CACF;AAED;;GAEG;AACH,MAAM,OAAO,eAAgB,SAAQ,QAAQ;IAC3C,YACE,UAAkB,mBAAmB,EACrC,OAAiC;QAEjC,KAAK,CAAC,SAAS,CAAC,gBAAgB,EAAE,OAAO,EAAE,OAAO,CAAC,CAAC;QACpD,IAAI,CAAC,IAAI,GAAG,iBAAiB,CAAC;IAChC,CAAC;IAED;;OAEG;IACH,MAAM,CAAC,YAAY,CAAC,KAAe;QACjC,MAAM,MAAM,GAAG,KAAK,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;YACtC,IAAI,EAAE,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,IAAI,QAAQ;YAClC,OAAO,EAAE,CAAC,CAAC,OAAO;YAClB,IAAI,EAAE,CAAC,CAAC,IAAI;SACb,CAAC,CAAC,CAAC;QAEJ,OAAO,IAAI,eAAe,CAAC,2BAA2B,EAAE,EAAE,MAAM,EAAE,CAAC,CAAC;IACtE,CAAC;CACF;AAED;;GAEG;AACH,MAAM,OAAO,SAAU,SAAQ,QAAQ;IACrC,YACE,UAAkB,yBAAyB,EAC3C,OAAkB,SAAS,CAAC,YAAY,EACxC,OAAiC;QAEjC,KAAK,CAAC,IAAI,EAAE,OAAO,EAAE,OAAO,CAAC,CAAC;QAC9B,IAAI,CAAC,IAAI,GAAG,WAAW,CAAC;IAC1B,CAAC;IAED,MAAM,CAAC,YAAY,CAAC,UAAkB,eAAe;QACnD,OAAO,IAAI,SAAS,CAAC,OAAO,EAAE,SAAS,CAAC,aAAa,CAAC,CAAC;IACzD,CAAC;IAED,MAAM,CAAC,YAAY,CAAC,UAAkB,mBAAmB;QACvD,OAAO,IAAI,SAAS,CAAC,OAAO,EAAE,SAAS,CAAC,aAAa,CAAC,CAAC;IACzD,CAAC;IAED,MAAM,CAAC,YAAY,CAAC,UAAkB,wBAAwB;QAC5D,OAAO,IAAI,SAAS,CAAC,OAAO,EAAE,SAAS,CAAC,aAAa,CAAC,CAAC;IACzD,CAAC;IAED,MAAM,CAAC,WAAW,CAAC,UAAkB,kCAAkC;QACrE,OAAO,IAAI,SAAS,CAAC,OAAO,EAAE,SAAS,CAAC,YAAY,CAAC,CAAC;IACxD,CAAC;CACF;AAED;;GAEG;AACH,MAAM,OAAO,cAAe,SAAQ,QAAQ;IAC1C,YACE,UAAkB,qBAAqB,EACvC,UAAkB,EAClB,OAAiC;QAEjC,KAAK,CAAC,SAAS,CAAC,mBAAmB,EAAE,OAAO,EAAE,OAAO,EAAE,UAAU,CAAC,CAAC;QACnE,IAAI,CAAC,IAAI,GAAG,gBAAgB,CAAC;IAC/B,CAAC;CACF;AAED;;GAEG;AACH,MAAM,OAAO,aAAc,SAAQ,QAAQ;IACzC,YACE,UAAkB,mBAAmB,EACrC,OAAiC;QAEjC,KAAK,CAAC,SAAS,CAAC,QAAQ,EAAE,OAAO,EAAE,OAAO,CAAC,CAAC;QAC5C,IAAI,CAAC,IAAI,GAAG,eAAe,CAAC;IAC9B,CAAC;IAED,MAAM,CAAC,YAAY,CAAC,YAAoB,EAAE,aAAuB;QAC/D,OAAO,IAAI,aAAa,CACtB,4CAA4C,YAAY,qBAAqB,aAAa,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,EACvG,EAAE,YAAY,EAAE,aAAa,EAAE,CAChC,CAAC;IACJ,CAAC;CACF;AAED;;GAEG;AACH,MAAM,OAAO,cAAe,SAAQ,QAAQ;IAC1C,YACE,UAAkB,eAAe,EACjC,OAAiC;QAEjC,KAAK,CAAC,SAAS,CAAC,SAAS,EAAE,OAAO,EAAE,OAAO,CAAC,CAAC;QAC7C,IAAI,CAAC,IAAI,GAAG,gBAAgB,CAAC;IAC/B,CAAC;IAED,MAAM,CAAC,uBAAuB,CAAC,kBAA0B;QACvD,OAAO,IAAI,cAAc,CACvB,uCAAuC,kBAAkB,EAAE,EAC3D,EAAE,kBAAkB,EAAE,CACvB,CAAC;IACJ,CAAC;IAED,MAAM,CAAC,cAAc;QACnB,OAAO,IAAI,cAAc,CACvB,wDAAwD,EACxD,EAAE,CACH,CAAC;IACJ,CAAC;CACF;AAED;;GAEG;AACH,MAAM,OAAO,aAAc,SAAQ,QAAQ;IACzC,YACE,UAAkB,8BAA8B,EAChD,OAAiC;QAEjC,KAAK,CAAC,SAAS,CAAC,cAAc,EAAE,OAAO,EAAE,OAAO,CAAC,CAAC;QAClD,IAAI,CAAC,IAAI,GAAG,eAAe,CAAC;IAC9B,CAAC;CACF;AAED;;GAEG;AACH,MAAM,UAAU,qBAAqB,CAAC,IAAe;IACnD,OAAO,gBAAgB,CAAC,IAAI,CAAC,IAAI,GAAG,CAAC;AACvC,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,UAAU,CAAC,KAAc;IACvC,OAAO,KAAK,YAAY,QAAQ,CAAC;AACnC,CAAC;AAED;;;GAGG;AACH,SAAS,oBAAoB,CAAC,OAAe;IAC3C,MAAM,iBAAiB,GAAG;QACxB,WAAW;QACX,SAAS;QACT,QAAQ;QACR,MAAM;QACN,aAAa;QACb,oBAAoB;QACpB,kBAAkB;QAClB,aAAa;KACd,CAAC;IAEF,KAAK,MAAM,OAAO,IAAI,iBAAiB,EAAE,CAAC;QACxC,IAAI,OAAO,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC;YAC1B,OAAO,iDAAiD,CAAC;QAC3D,CAAC;IACH,CAAC;IAED,sBAAsB;IACtB,MAAM,UAAU,GAAG,OAAO,CAAC,OAAO,CAAC,WAAW,CAAC,CAAC;IAChD,IAAI,UAAU,KAAK,CAAC,CAAC,EAAE,CAAC;QACtB,OAAO,OAAO,CAAC,SAAS,CAAC,CAAC,EAAE,UAAU,CAAC,CAAC;IAC1C,CAAC;IAED,OAAO,OAAO,CAAC;AACjB,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,mBAAmB,CACjC,KAAc,EACd,SAAiB,EACjB,eAAwB,KAAK;IAE7B,MAAM,YAAY,GAAG,eAAe,EAAE,CAAC;IAEvC,oBAAoB;IACpB,IAAI,UAAU,CAAC,KAAK,CAAC,EAAE,CAAC;QACtB,MAAM,QAAQ,GAAG,KAAK,CAAC,UAAU,CAAC,SAAS,EAAE,CAAC,YAAY,CAAC,CAAC;QAE5D,IAAI,YAAY,EAAE,CAAC;YACjB,QAAQ,CAAC,KAAK,GAAG,EAAE,OAAO,EAAE,YAAY,CAAC,OAAO,EAAE,CAAC;QACrD,CAAC;QAED,OAAO,EAAE,QAAQ,EAAE,UAAU,EAAE,KAAK,CAAC,UAAU,EAAE,CAAC;IACpD,CAAC;IAED,6CAA6C;IAC7C,IAAI,aAAa,CAAC,KAAK,CAAC,EAAE,CAAC;QACzB,MAAM,QAAQ,GAAwB;YACpC,OAAO,EAAE,KAAK;YACd,KAAK,EAAE;gBACL,IAAI,EAAE,KAAK,CAAC,IAAI;gBAChB,OAAO,EAAE,YAAY,CAAC,CAAC,CAAC,oBAAoB,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO;gBAC3E,OAAO,EAAE,CAAC,YAAY,IAAI,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,SAAS;aACpE;YACD,IAAI,EAAE;gBACJ,SAAS;gBACT,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;aACpC;SACF,CAAC;QAEF,IAAI,YAAY,EAAE,CAAC;YACjB,QAAQ,CAAC,KAAK,GAAG,EAAE,OAAO,EAAE,YAAY,CAAC,OAAO,EAAE,CAAC;QACrD,CAAC;QAED,OAAO,EAAE,QAAQ,EAAE,UAAU,EAAE,KAAK,CAAC,UAAU,EAAE,CAAC;IACpD,CAAC;IAED,+BAA+B;IAC/B,IAAI,KAAK,YAAY,QAAQ,EAAE,CAAC;QAC9B,MAAM,eAAe,GAAG,eAAe,CAAC,YAAY,CAAC,KAAK,CAAC,CAAC;QAC5D,MAAM,QAAQ,GAAG,eAAe,CAAC,UAAU,CAAC,SAAS,EAAE,CAAC,YAAY,CAAC,CAAC;QAEtE,IAAI,YAAY,EAAE,CAAC;YACjB,QAAQ,CAAC,KAAK,GAAG,EAAE,OAAO,EAAE,YAAY,CAAC,OAAO,EAAE,CAAC;QACrD,CAAC;QAED,OAAO,EAAE,QAAQ,EAAE,UAAU,EAAE,GAAG,EAAE,CAAC;IACvC,CAAC;IAED,wBAAwB;IACxB,IAAI,cAAc,CAAC,KAAK,CAAC,EAAE,CAAC;QAC1B,IAAI,IAAI,GAAG,SAAS,CAAC,cAAc,CAAC;QACpC,IAAI,UAAU,GAAG,KAAK,CAAC,UAAU,IAAI,GAAG,CAAC;QACzC,IAAI,OAAO,GAAG,KAAK,CAAC,OAAO,CAAC;QAE5B,mCAAmC;QACnC,IAAI,KAAK,CAAC,IAAI,KAAK,oCAAoC,EAAE,CAAC;YACxD,IAAI,GAAG,SAAS,CAAC,YAAY,CAAC;YAC9B,UAAU,GAAG,GAAG,CAAC;YACjB,OAAO,GAAG,iCAAiC,CAAC;QAC9C,CAAC;aAAM,IAAI,KAAK,CAAC,IAAI,KAAK,qCAAqC,EAAE,CAAC;YAChE,IAAI,GAAG,SAAS,CAAC,aAAa,CAAC;YAC/B,UAAU,GAAG,GAAG,CAAC;YACjB,OAAO,GAAG,6BAA6B,CAAC;QAC1C,CAAC;aAAM,IAAI,KAAK,CAAC,IAAI,KAAK,qCAAqC,EAAE,CAAC;YAChE,IAAI,GAAG,SAAS,CAAC,aAAa,CAAC;YAC/B,UAAU,GAAG,GAAG,CAAC;YACjB,OAAO,GAAG,iCAAiC,CAAC;QAC9C,CAAC;aAAM,IAAI,UAAU,KAAK,GAAG,EAAE,CAAC;YAC9B,IAAI,GAAG,SAAS,CAAC,mBAAmB,CAAC;QACvC,CAAC;aAAM,IAAI,UAAU,KAAK,GAAG,EAAE,CAAC;YAC9B,IAAI,GAAG,SAAS,CAAC,iBAAiB,CAAC;QACrC,CAAC;QAED,MAAM,QAAQ,GAAwB;YACpC,OAAO,EAAE,KAAK;YACd,KAAK,EAAE;gBACL,IAAI;gBACJ,OAAO,EAAE,YAAY,IAAI,UAAU,IAAI,GAAG,CAAC,CAAC,CAAC,8BAA8B,CAAC,CAAC,CAAC,OAAO;aACtF;YACD,IAAI,EAAE;gBACJ,SAAS;gBACT,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;aACpC;SACF,CAAC;QAEF,IAAI,YAAY,EAAE,CAAC;YACjB,QAAQ,CAAC,KAAK,GAAG,EAAE,OAAO,EAAE,YAAY,CAAC,OAAO,EAAE,CAAC;QACrD,CAAC;QAED,OAAO,EAAE,QAAQ,EAAE,UAAU,EAAE,CAAC;IAClC,CAAC;IAED,wBAAwB;IACxB,MAAM,OAAO,GAAG,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,eAAe,CAAC;IACzE,MAAM,QAAQ,GAAwB;QACpC,OAAO,EAAE,KAAK;QACd,KAAK,EAAE;YACL,IAAI,EAAE,SAAS,CAAC,cAAc;YAC9B,OAAO,EAAE,YAAY,CAAC,CAAC,CAAC,8BAA8B,CAAC,CAAC,CAAC,oBAAoB,CAAC,OAAO,CAAC;SACvF;QACD,IAAI,EAAE;YACJ,SAAS;YACT,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;SACpC;KACF,CAAC;IAEF,IAAI,YAAY,EAAE,CAAC;QACjB,QAAQ,CAAC,KAAK,GAAG,EAAE,OAAO,EAAE,YAAY,CAAC,OAAO,EAAE,CAAC;IACrD,CAAC;IAED,OAAO,EAAE,QAAQ,EAAE,UAAU,EAAE,GAAG,EAAE,CAAC;AACvC,CAAC;AAED;;GAEG;AACH,SAAS,cAAc,CAAC,KAAc;IACpC,OAAO,CACL,KAAK,KAAK,IAAI;QACd,OAAO,KAAK,KAAK,QAAQ;QACzB,YAAY,IAAI,KAAK;QACrB,OAAQ,KAAsB,CAAC,UAAU,KAAK,QAAQ,CACvD,CAAC;AACJ,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,kBAAkB,CAAC,OAKlC;IACC,MAAM,MAAM,GAAG,SAAS,EAAE,CAAC;IAC3B,MAAM,YAAY,GAAG,MAAM,CAAC,GAAG,KAAK,YAAY,CAAC;IAEjD,OAAO,KAAK,EAAE,KAAmB,EAAE,OAAuB,EAAE,KAAmB,EAAiB,EAAE;QAChG,MAAM,SAAS,GAAG,OAAO,CAAC,EAAE,IAAI,SAAS,CAAC;QAC1C,MAAM,YAAY,GAAI,OAA4D,CAAC,YAAY,CAAC;QAEhG,qCAAqC;QACrC,MAAM,gBAAgB,GAAG,OAAO,EAAE,cAAc,EAAE,CAAC,KAAK,CAAC,IAAI,KAAK,CAAC;QAEnE,wBAAwB;QACxB,MAAM,EAAE,QAAQ,EAAE,UAAU,EAAE,GAAG,mBAAmB,CAClD,gBAAgB,EAChB,SAAS,EACT,YAAY,CACb,CAAC;QAEF,iCAAiC;QACjC,IAAI,YAAY,IAAI,QAAQ,CAAC,KAAK,EAAE,CAAC;YACnC,QAAQ,CAAC,KAAK,CAAC,OAAO,GAAG,YAAY,CAAC,OAAO,CAAC;QAChD,CAAC;QAED,gBAAgB;QAChB,MAAM,OAAO,GAA4B;YACvC,SAAS;YACT,UAAU;YACV,SAAS,EAAE,QAAQ,CAAC,KAAK,CAAC,IAAI;YAC9B,GAAG,EAAE,OAAO,CAAC,GAAG;YAChB,MAAM,EAAE,OAAO,CAAC,MAAM;SACvB,CAAC;QAEF,IAAI,YAAY,EAAE,CAAC;YACjB,OAAO,CAAC,OAAO,GAAG,YAAY,CAAC,OAAO,CAAC;QACzC,CAAC;QAED,IAAI,CAAC,YAAY,IAAI,OAAO,EAAE,YAAY,KAAK,KAAK,EAAE,CAAC;YACrD,OAAO,CAAC,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC;QAC9B,CAAC;QAED,iCAAiC;QACjC,IAAI,UAAU,IAAI,GAAG,EAAE,CAAC;YACtB,MAAM,CAAC,KAAK,CAAC,OAAO,EAAE,KAAK,CAAC,OAAO,CAAC,CAAC;YAErC,4BAA4B;YAC5B,MAAM,IAAI,GAAG,KAAK,CAAC,aAAa,EAAE,CAAC;YACnC,IAAI,IAAI,EAAE,CAAC;gBACT,IAAI,CAAC,SAAS,CAAC,EAAE,IAAI,EAAE,cAAc,CAAC,KAAK,EAAE,OAAO,EAAE,KAAK,CAAC,OAAO,EAAE,CAAC,CAAC;gBACvE,IAAI,CAAC,eAAe,CAAC,KAAK,CAAC,CAAC;YAC9B,CAAC;QACH,CAAC;aAAM,IAAI,UAAU,IAAI,GAAG,EAAE,CAAC;YAC7B,MAAM,CAAC,IAAI,CAAC,OAAO,EAAE,KAAK,CAAC,OAAO,CAAC,CAAC;QACtC,CAAC;aAAM,CAAC;YACN,MAAM,CAAC,IAAI,CAAC,OAAO,EAAE,KAAK,CAAC,OAAO,CAAC,CAAC;QACtC,CAAC;QAED,+CAA+C;QAC/C,IAAI,QAAQ,CAAC,KAAK,CAAC,UAAU,KAAK,SAAS,EAAE,CAAC;YAC5C,KAAK,CAAC,MAAM,CAAC,aAAa,EAAE,QAAQ,CAAC,KAAK,CAAC,UAAU,CAAC,CAAC;QACzD,CAAC;QAED,OAAO,KAAK,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;IACjD,CAAC,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,WAAW,CACzB,OAAqE;IAErE,OAAO,KAAK,EAAE,OAAuB,EAAE,KAAmB,EAAoC,EAAE;QAC9F,IAAI,CAAC;YACH,OAAO,MAAM,OAAO,CAAC,OAAO,EAAE,KAAK,CAAC,CAAC;QACvC,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,MAAM,MAAM,GAAG,SAAS,EAAE,CAAC;YAC3B,MAAM,EAAE,QAAQ,EAAE,UAAU,EAAE,GAAG,mBAAmB,CAClD,KAAK,EACL,OAAO,CAAC,EAAE,IAAI,SAAS,EACvB,MAAM,CAAC,GAAG,KAAK,YAAY,CAC5B,CAAC;YAEF,KAAK,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC;YACzB,OAAO,QAAQ,CAAC;QAClB,CAAC;IACH,CAAC,CAAC;AACJ,CAAC"}

package/dist/api/index.d.ts

@@ -0,0 +1,16 @@
+/**
+ * API module exports
+ *
+ * Provides the Fastify API server with hardening middleware:
+ * - Input validation (Zod-based)
+ * - Rate limiting (per-tenant and per-endpoint)
+ * - Security headers (CORS, CSP, HSTS, etc.)
+ * - Standardized error handling
+ *
+ * @packageDocumentation
+ */
+export * from './server.js';
+export * from './middleware/index.js';
+export * from './errors.js';
+export * from './versioning/index.js';
+//# sourceMappingURL=index.d.ts.map

package/dist/api/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/api/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAEH,cAAc,aAAa,CAAC;AAC5B,cAAc,uBAAuB,CAAC;AACtC,cAAc,aAAa,CAAC;AAC5B,cAAc,uBAAuB,CAAC"}

package/dist/api/index.js

@@ -0,0 +1,19 @@
+/**
+ * API module exports
+ *
+ * Provides the Fastify API server with hardening middleware:
+ * - Input validation (Zod-based)
+ * - Rate limiting (per-tenant and per-endpoint)
+ * - Security headers (CORS, CSP, HSTS, etc.)
+ * - Standardized error handling
+ *
+ * @packageDocumentation
+ */
+export * from './server.js';
+export * from './middleware/index.js';
+export * from './errors.js';
+export * from './versioning/index.js';
+// Note: validation.ts and rate-limit.ts exports are intentionally omitted
+// to avoid naming conflicts with middleware/validation.ts and middleware/rateLimit.ts
+// Use the middleware versions for API hardening.
+//# sourceMappingURL=index.js.map

package/dist/api/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/api/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAEH,cAAc,aAAa,CAAC;AAC5B,cAAc,uBAAuB,CAAC;AACtC,cAAc,aAAa,CAAC;AAC5B,cAAc,uBAAuB,CAAC;AACtC,0EAA0E;AAC1E,sFAAsF;AACtF,iDAAiD"}

package/dist/api/middleware/api-key-enforcement.d.ts

@@ -0,0 +1,131 @@
+/**
+ * API Key Enforcement Middleware
+ *
+ * Fastify plugin that integrates API key authentication with the existing
+ * JWT-based auth flow. Provides configurable route-level authentication
+ * strategies and enforces rate limiting from API keys.
+ *
+ * Authentication Strategies:
+ * - JWT only: Traditional token-based auth (default for browser clients)
+ * - API key only: Machine-to-machine communication
+ * - JWT OR API key: Routes that accept either method
+ * - API key with specific scopes: Scope-restricted API key access
+ *
+ * @packageDocumentation
+ */
+import type { FastifyInstance, FastifyRequest, FastifyReply } from 'fastify';
+import { apiKeyMiddleware, requireScopes, getApiKey, hasApiKey, getApiKeyTenantId } from '../../security/api-keys/middleware.js';
+import { type ApiKeyScope } from '../../security/api-keys/types.js';
+import { type ApiKeyService } from '../../security/api-keys/service.js';
+/**
+ * Authentication method
+ */
+export type AuthMethod = 'jwt' | 'api_key' | 'jwt_or_api_key' | 'none';
+/**
+ * Route authentication configuration
+ */
+export interface RouteAuthConfig {
+    /** Authentication method for this route */
+    method: AuthMethod;
+    /** Required API key scopes (only for api_key or jwt_or_api_key) */
+    requiredScopes?: ApiKeyScope[];
+    /** Require all scopes (AND) or any scope (OR). Default: true (AND) */
+    requireAllScopes?: boolean;
+    /** Custom skip condition */
+    skip?: (request: FastifyRequest) => boolean;
+}
+/**
+ * Route pattern with auth configuration
+ */
+export interface RoutePattern {
+    /** HTTP method (GET, POST, etc.) or '*' for all methods */
+    method: string | '*';
+    /** URL pattern (exact match or with wildcards) */
+    pattern: string;
+    /** Auth configuration */
+    auth: RouteAuthConfig;
+}
+/**
+ * API Key Enforcement Plugin Options
+ */
+export interface ApiKeyEnforcementOptions {
+    /** API key service instance */
+    apiKeyService?: ApiKeyService;
+    /** Default authentication method for unspecified routes */
+    defaultAuth?: AuthMethod;
+    /** Default required scopes for API key auth */
+    defaultScopes?: ApiKeyScope[];
+    /** Route-specific auth configurations */
+    routeConfigs?: RoutePattern[];
+    /** Paths to skip all auth (e.g., /health, /ready) */
+    skipPaths?: string[];
+    /** Enforce API key rate limits */
+    enforceRateLimit?: boolean;
+    /** Log authentication decisions */
+    logAuthDecisions?: boolean;
+}
+/**
+ * Extended request with auth context
+ */
+declare module 'fastify' {
+    interface FastifyRequest {
+        /** Unified auth context (JWT or API key) */
+        authMethod?: 'jwt' | 'api_key' | 'none';
+        /** Tenant ID from auth (JWT or API key) */
+        authTenantId?: string;
+        /** User/key ID from auth */
+        authSubject?: string;
+    }
+}
+/**
+ * Async hook handler type (2 args, returns Promise)
+ * This matches the actual implementation of apiKeyMiddleware which is async
+ */
+type AsyncHookHandler = (request: FastifyRequest, reply: FastifyReply) => Promise<void>;
+/**
+ * API Key Enforcement Plugin
+ *
+ * Registers API key authentication alongside existing JWT auth.
+ *
+ * @example
+ * ```typescript
+ * await fastify.register(apiKeyEnforcementPlugin, {
+ *   defaultAuth: 'jwt_or_api_key',
+ *   enforceRateLimit: true,
+ *   routeConfigs: [
+ *     { method: 'POST', pattern: '/api/v1/webhooks', auth: { method: 'api_key', requiredScopes: ['webhook'] } },
+ *   ],
+ * });
+ * ```
+ */
+export declare const apiKeyEnforcementPlugin: (fastify: FastifyInstance, options: ApiKeyEnforcementOptions) => Promise<void>;
+/**
+ * Create a route-specific auth config
+ */
+export declare function createRouteAuth(method: AuthMethod, options?: {
+    requiredScopes?: ApiKeyScope[];
+    requireAllScopes?: boolean;
+    skip?: (request: FastifyRequest) => boolean;
+}): RouteAuthConfig;
+/**
+ * Create a preHandler hook for specific auth requirements
+ *
+ * Use this for per-route auth configuration when registered at the route level.
+ *
+ * @example
+ * ```typescript
+ * fastify.post('/api/v1/sensitive', {
+ *   preHandler: requireApiKeyAuth(['admin']),
+ * }, handler);
+ * ```
+ */
+export declare function requireApiKeyAuth(requiredScopes?: ApiKeyScope[], options?: {
+    requireAll?: boolean;
+}): AsyncHookHandler;
+/**
+ * Create a preHandler that accepts either JWT or API key
+ */
+export declare function requireJwtOrApiKey(apiKeyScopes?: ApiKeyScope[]): AsyncHookHandler;
+export { apiKeyMiddleware, requireScopes, getApiKey, hasApiKey, getApiKeyTenantId, };
+export default apiKeyEnforcementPlugin;
+//# sourceMappingURL=api-key-enforcement.d.ts.map

package/dist/api/middleware/api-key-enforcement.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"api-key-enforcement.d.ts","sourceRoot":"","sources":["../../../src/api/middleware/api-key-enforcement.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AAEH,OAAO,KAAK,EACV,eAAe,EACf,cAAc,EACd,YAAY,EAEb,MAAM,SAAS,CAAC;AAMjB,OAAO,EACL,gBAAgB,EAChB,aAAa,EACb,SAAS,EACT,SAAS,EACT,iBAAiB,EAElB,MAAM,uCAAuC,CAAC;AAC/C,OAAO,EACL,KAAK,WAAW,EAEjB,MAAM,kCAAkC,CAAC;AAC1C,OAAO,EAGL,KAAK,aAAa,EACnB,MAAM,oCAAoC,CAAC;AA2B5C;;GAEG;AACH,MAAM,MAAM,UAAU,GAAG,KAAK,GAAG,SAAS,GAAG,gBAAgB,GAAG,MAAM,CAAC;AAEvE;;GAEG;AACH,MAAM,WAAW,eAAe;IAC9B,2CAA2C;IAC3C,MAAM,EAAE,UAAU,CAAC;IACnB,mEAAmE;IACnE,cAAc,CAAC,EAAE,WAAW,EAAE,CAAC;IAC/B,sEAAsE;IACtE,gBAAgB,CAAC,EAAE,OAAO,CAAC;IAC3B,4BAA4B;IAC5B,IAAI,CAAC,EAAE,CAAC,OAAO,EAAE,cAAc,KAAK,OAAO,CAAC;CAC7C;AAED;;GAEG;AACH,MAAM,WAAW,YAAY;IAC3B,2DAA2D;IAC3D,MAAM,EAAE,MAAM,GAAG,GAAG,CAAC;IACrB,kDAAkD;IAClD,OAAO,EAAE,MAAM,CAAC;IAChB,yBAAyB;IACzB,IAAI,EAAE,eAAe,CAAC;CACvB;AAED;;GAEG;AACH,MAAM,WAAW,wBAAwB;IACvC,+BAA+B;IAC/B,aAAa,CAAC,EAAE,aAAa,CAAC;IAC9B,2DAA2D;IAC3D,WAAW,CAAC,EAAE,UAAU,CAAC;IACzB,+CAA+C;IAC/C,aAAa,CAAC,EAAE,WAAW,EAAE,CAAC;IAC9B,yCAAyC;IACzC,YAAY,CAAC,EAAE,YAAY,EAAE,CAAC;IAC9B,qDAAqD;IACrD,SAAS,CAAC,EAAE,MAAM,EAAE,CAAC;IACrB,kCAAkC;IAClC,gBAAgB,CAAC,EAAE,OAAO,CAAC;IAC3B,mCAAmC;IACnC,gBAAgB,CAAC,EAAE,OAAO,CAAC;CAC5B;AAED;;GAEG;AACH,OAAO,QAAQ,SAAS,CAAC;IACvB,UAAU,cAAc;QACtB,4CAA4C;QAC5C,UAAU,CAAC,EAAE,KAAK,GAAG,SAAS,GAAG,MAAM,CAAC;QACxC,2CAA2C;QAC3C,YAAY,CAAC,EAAE,MAAM,CAAC;QACtB,4BAA4B;QAC5B,WAAW,CAAC,EAAE,MAAM,CAAC;KACtB;CACF;AAoGD;;;GAGG;AACH,KAAK,gBAAgB,GAAG,CAAC,OAAO,EAAE,cAAc,EAAE,KAAK,EAAE,YAAY,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;AA8exF;;;;;;;;;;;;;;;GAeG;AACH,eAAO,MAAM,uBAAuB,YAClB,eAAe,WAAW,wBAAwB,kBA8DnE,CAAC;AAMF;;GAEG;AACH,wBAAgB,eAAe,CAC7B,MAAM,EAAE,UAAU,EAClB,OAAO,CAAC,EAAE;IACR,cAAc,CAAC,EAAE,WAAW,EAAE,CAAC;IAC/B,gBAAgB,CAAC,EAAE,OAAO,CAAC;IAC3B,IAAI,CAAC,EAAE,CAAC,OAAO,EAAE,cAAc,KAAK,OAAO,CAAC;CAC7C,GACA,eAAe,CAKjB;AAED;;;;;;;;;;;GAWG;AACH,wBAAgB,iBAAiB,CAC/B,cAAc,CAAC,EAAE,WAAW,EAAE,EAC9B,OAAO,CAAC,EAAE;IAAE,UAAU,CAAC,EAAE,OAAO,CAAA;CAAE,GACjC,gBAAgB,CAmClB;AAED;;GAEG;AACH,wBAAgB,kBAAkB,CAChC,YAAY,CAAC,EAAE,WAAW,EAAE,GAC3B,gBAAgB,CA+ClB;AAMD,OAAO,EAEL,gBAAgB,EAChB,aAAa,EACb,SAAS,EACT,SAAS,EACT,iBAAiB,GAClB,CAAC;AAEF,eAAe,uBAAuB,CAAC"}