@xlock/node 0.1.0

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2025 x-lock
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,112 @@
+# @xlock/node
+
+Invisible bot protection middleware for Node.js. Drop-in replacement for reCAPTCHA, Turnstile, and hCaptcha — no visual challenges, no user friction.
+
+Supports **Express**, **Fastify**, **Koa**, **Next.js**, and **Hono**.
+
+## Install
+
+```bash
+npm install @xlock/node
+```
+
+## Quick Start
+
+### Express
+
+```js
+import { xlockMiddleware } from "@xlock/node/express";
+
+app.use("/api/auth", xlockMiddleware({ siteKey: "sk_..." }));
+```
+
+### Fastify
+
+```js
+import { xlockPlugin } from "@xlock/node/fastify";
+
+fastify.register(xlockPlugin, {
+  siteKey: "sk_...",
+  routes: ["/api/auth/*"],
+});
+```
+
+### Next.js
+
+```ts
+// middleware.ts
+import { withXlock } from "@xlock/node/next";
+
+export const middleware = withXlock({
+  siteKey: process.env.NEXT_PUBLIC_XLOCK_SITE_KEY!,
+  protectedPaths: ["/api/auth/callback"],
+});
+
+export const config = { matcher: ["/api/:path*"] };
+```
+
+### Hono
+
+```ts
+import { xlockMiddleware } from "@xlock/node/hono";
+
+app.use("/api/auth/*", xlockMiddleware({ siteKey: "sk_..." }));
+```
+
+### Koa
+
+```js
+import { xlockMiddleware } from "@xlock/node/koa";
+
+router.post("/api/auth/login", xlockMiddleware({ siteKey: "sk_..." }), loginHandler);
+```
+
+### Direct Verification
+
+```js
+import { verify } from "@xlock/node";
+
+const result = await verify("https://api.x-lock.dev", "sk_...", token, "/api/login");
+if (result.blocked) {
+  console.log("Blocked:", result.reason);
+}
+```
+
+## Configuration
+
+All middleware accepts these options:
+
+| Option | Type | Default | Description |
+|--------|------|---------|-------------|
+| `siteKey` | `string` | `XLOCK_SITE_KEY` env | Your x-lock site key |
+| `apiUrl` | `string` | `https://api.x-lock.dev` | x-lock API endpoint |
+| `failOpen` | `boolean` | `true` | Allow requests through on API errors |
+
+## How It Works
+
+1. Your frontend loads the x-lock script (invisible to users)
+2. x-lock runs proof-of-work + behavioral analysis in the background
+3. The script attaches a token to requests via the `x-lock` header
+4. This middleware verifies the token server-side before your route handler runs
+
+No CAPTCHAs. No clicking fire hydrants. No Google tracking.
+
+## Migrating from reCAPTCHA
+
+```diff
+- const { RecaptchaEnterpriseServiceClient } = require("@google-cloud/recaptcha-enterprise");
++ import { xlockMiddleware } from "@xlock/node/express";
+
+- app.post("/login", async (req, res) => {
+-   const score = await recaptcha.assessToken(req.body.token);
+-   if (score < 0.5) return res.status(403).json({ error: "Bot detected" });
+-   // handle login
+- });
++ app.post("/login", xlockMiddleware({ siteKey: "sk_..." }), (req, res) => {
++   // handle login — x-lock already verified the request
++ });
+```
+
+## License
+
+MIT

package/dist/core-D4eszYbi.d.mts

@@ -0,0 +1,23 @@
+/**
+ * Core x-lock enforcement logic shared across all framework adapters.
+ */
+declare const DEFAULT_API_URL = "https://api.x-lock.dev";
+interface XLockConfig {
+    /** Your x-lock site key (or set XLOCK_SITE_KEY env var) */
+    siteKey?: string;
+    /** x-lock API URL (default: https://api.x-lock.dev) */
+    apiUrl?: string;
+    /** Allow requests through on API errors (default: true) */
+    failOpen?: boolean;
+}
+interface EnforceResult {
+    blocked: boolean;
+    reason?: string;
+    error?: boolean;
+}
+/**
+ * Call the x-lock enforcement API to verify a token.
+ */
+declare function enforce(apiUrl: string, siteKey: string, token: string, path?: string): Promise<EnforceResult>;
+
+export { DEFAULT_API_URL as D, type EnforceResult as E, type XLockConfig as X, enforce as e };

package/dist/core-D4eszYbi.d.ts

@@ -0,0 +1,23 @@
+/**
+ * Core x-lock enforcement logic shared across all framework adapters.
+ */
+declare const DEFAULT_API_URL = "https://api.x-lock.dev";
+interface XLockConfig {
+    /** Your x-lock site key (or set XLOCK_SITE_KEY env var) */
+    siteKey?: string;
+    /** x-lock API URL (default: https://api.x-lock.dev) */
+    apiUrl?: string;
+    /** Allow requests through on API errors (default: true) */
+    failOpen?: boolean;
+}
+interface EnforceResult {
+    blocked: boolean;
+    reason?: string;
+    error?: boolean;
+}
+/**
+ * Call the x-lock enforcement API to verify a token.
+ */
+declare function enforce(apiUrl: string, siteKey: string, token: string, path?: string): Promise<EnforceResult>;
+
+export { DEFAULT_API_URL as D, type EnforceResult as E, type XLockConfig as X, enforce as e };

package/dist/express.d.mts

@@ -0,0 +1,15 @@
+import { X as XLockConfig } from './core-D4eszYbi.mjs';
+
+/**
+ * x-lock middleware for Express.js
+ *
+ * @example
+ * ```js
+ * import { xlockMiddleware } from "@xlock/node/express";
+ * app.use("/api/auth", xlockMiddleware({ siteKey: "sk_..." }));
+ * ```
+ */
+
+declare function xlockMiddleware(options?: XLockConfig): (_req: any, _res: any, next: () => void) => void;
+
+export { XLockConfig, xlockMiddleware };

package/dist/express.d.ts

@@ -0,0 +1,15 @@
+import { X as XLockConfig } from './core-D4eszYbi.js';
+
+/**
+ * x-lock middleware for Express.js
+ *
+ * @example
+ * ```js
+ * import { xlockMiddleware } from "@xlock/node/express";
+ * app.use("/api/auth", xlockMiddleware({ siteKey: "sk_..." }));
+ * ```
+ */
+
+declare function xlockMiddleware(options?: XLockConfig): (_req: any, _res: any, next: () => void) => void;
+
+export { XLockConfig, xlockMiddleware };

package/dist/express.js

@@ -0,0 +1,95 @@
+"use strict";
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+
+// src/express.ts
+var express_exports = {};
+__export(express_exports, {
+  xlockMiddleware: () => xlockMiddleware
+});
+module.exports = __toCommonJS(express_exports);
+
+// src/core.ts
+var DEFAULT_API_URL = "https://api.x-lock.dev";
+async function enforce(apiUrl, siteKey, token, path) {
+  let enforceUrl;
+  let body;
+  if (token.startsWith("v3.")) {
+    const sessionId = token.split(".")[1];
+    enforceUrl = `${apiUrl}/v3/session/enforce`;
+    body = { sessionId, siteKey };
+    if (path) body.path = path;
+  } else {
+    enforceUrl = `${apiUrl}/v1/enforce`;
+    body = { token, siteKey };
+    if (path) body.path = path;
+  }
+  const response = await fetch(enforceUrl, {
+    method: "POST",
+    headers: { "Content-Type": "application/json" },
+    body: JSON.stringify(body)
+  });
+  if (response.status === 403) {
+    const data = await response.json();
+    return { blocked: true, reason: data.reason };
+  }
+  if (!response.ok) {
+    return { blocked: false, error: true };
+  }
+  return { blocked: false };
+}
+function resolveSiteKey(siteKey) {
+  return siteKey || process.env.XLOCK_SITE_KEY;
+}
+
+// src/express.ts
+function xlockMiddleware(options = {}) {
+  const apiUrl = options.apiUrl || DEFAULT_API_URL;
+  const siteKey = resolveSiteKey(options.siteKey);
+  const failOpen = options.failOpen !== false;
+  if (!siteKey) {
+    console.warn("[x-lock] No site key configured \u2014 skipping enforcement");
+    return (_req, _res, next) => next();
+  }
+  return async (req, res, next) => {
+    const token = req.headers["x-lock"];
+    if (!token) {
+      return res.status(403).json({ error: "Blocked by x-lock: missing token" });
+    }
+    try {
+      const result = await enforce(apiUrl, siteKey, token, req.originalUrl || req.url);
+      if (result.blocked) {
+        return res.status(403).json({ error: "Blocked by x-lock", reason: result.reason });
+      }
+      if (result.error && !failOpen) {
+        return res.status(403).json({ error: "x-lock verification failed" });
+      }
+    } catch (err) {
+      console.error("[x-lock] Enforcement error:", err.message);
+      if (!failOpen) {
+        return res.status(403).json({ error: "x-lock verification failed" });
+      }
+    }
+    next();
+  };
+}
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  xlockMiddleware
+});
+//# sourceMappingURL=express.js.map

package/dist/express.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/express.ts","../src/core.ts"],"sourcesContent":["/**\n * x-lock middleware for Express.js\n *\n * @example\n * ```js\n * import { xlockMiddleware } from \"@xlock/node/express\";\n * app.use(\"/api/auth\", xlockMiddleware({ siteKey: \"sk_...\" }));\n * ```\n */\n\nimport { enforce, resolveSiteKey, DEFAULT_API_URL, type XLockConfig } from \"./core\";\n\nexport type { XLockConfig };\n\nexport function xlockMiddleware(options: XLockConfig = {}) {\n  const apiUrl = options.apiUrl || DEFAULT_API_URL;\n  const siteKey = resolveSiteKey(options.siteKey);\n  const failOpen = options.failOpen !== false;\n\n  if (!siteKey) {\n    console.warn(\"[x-lock] No site key configured — skipping enforcement\");\n    return (_req: any, _res: any, next: () => void) => next();\n  }\n\n  return async (req: any, res: any, next: () => void) => {\n    const token = req.headers[\"x-lock\"];\n\n    if (!token) {\n      return res.status(403).json({ error: \"Blocked by x-lock: missing token\" });\n    }\n\n    try {\n      const result = await enforce(apiUrl, siteKey, token, req.originalUrl || req.url);\n\n      if (result.blocked) {\n        return res.status(403).json({ error: \"Blocked by x-lock\", reason: result.reason });\n      }\n\n      if (result.error && !failOpen) {\n        return res.status(403).json({ error: \"x-lock verification failed\" });\n      }\n    } catch (err: any) {\n      console.error(\"[x-lock] Enforcement error:\", err.message);\n      if (!failOpen) {\n        return res.status(403).json({ error: \"x-lock verification failed\" });\n      }\n    }\n\n    next();\n  };\n}\n","/**\n * Core x-lock enforcement logic shared across all framework adapters.\n */\n\nexport const DEFAULT_API_URL = \"https://api.x-lock.dev\";\n\nexport interface XLockConfig {\n  /** Your x-lock site key (or set XLOCK_SITE_KEY env var) */\n  siteKey?: string;\n  /** x-lock API URL (default: https://api.x-lock.dev) */\n  apiUrl?: string;\n  /** Allow requests through on API errors (default: true) */\n  failOpen?: boolean;\n}\n\nexport interface EnforceResult {\n  blocked: boolean;\n  reason?: string;\n  error?: boolean;\n}\n\n/**\n * Call the x-lock enforcement API to verify a token.\n */\nexport async function enforce(\n  apiUrl: string,\n  siteKey: string,\n  token: string,\n  path?: string\n): Promise<EnforceResult> {\n  let enforceUrl: string;\n  let body: Record<string, string>;\n\n  if (token.startsWith(\"v3.\")) {\n    const sessionId = token.split(\".\")[1];\n    enforceUrl = `${apiUrl}/v3/session/enforce`;\n    body = { sessionId, siteKey };\n    if (path) body.path = path;\n  } else {\n    enforceUrl = `${apiUrl}/v1/enforce`;\n    body = { token, siteKey };\n    if (path) body.path = path;\n  }\n\n  const response = await fetch(enforceUrl, {\n    method: \"POST\",\n    headers: { \"Content-Type\": \"application/json\" },\n    body: JSON.stringify(body),\n  });\n\n  if (response.status === 403) {\n    const data = (await response.json()) as { reason?: string };\n    return { blocked: true, reason: data.reason };\n  }\n\n  if (!response.ok) {\n    return { blocked: false, error: true };\n  }\n\n  return { blocked: false };\n}\n\n/**\n * Resolve site key from options or environment.\n */\nexport function resolveSiteKey(siteKey?: string): string | undefined {\n  return siteKey || process.env.XLOCK_SITE_KEY;\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;;;ACIO,IAAM,kBAAkB;AAoB/B,eAAsB,QACpB,QACA,SACA,OACA,MACwB;AACxB,MAAI;AACJ,MAAI;AAEJ,MAAI,MAAM,WAAW,KAAK,GAAG;AAC3B,UAAM,YAAY,MAAM,MAAM,GAAG,EAAE,CAAC;AACpC,iBAAa,GAAG,MAAM;AACtB,WAAO,EAAE,WAAW,QAAQ;AAC5B,QAAI,KAAM,MAAK,OAAO;AAAA,EACxB,OAAO;AACL,iBAAa,GAAG,MAAM;AACtB,WAAO,EAAE,OAAO,QAAQ;AACxB,QAAI,KAAM,MAAK,OAAO;AAAA,EACxB;AAEA,QAAM,WAAW,MAAM,MAAM,YAAY;AAAA,IACvC,QAAQ;AAAA,IACR,SAAS,EAAE,gBAAgB,mBAAmB;AAAA,IAC9C,MAAM,KAAK,UAAU,IAAI;AAAA,EAC3B,CAAC;AAED,MAAI,SAAS,WAAW,KAAK;AAC3B,UAAM,OAAQ,MAAM,SAAS,KAAK;AAClC,WAAO,EAAE,SAAS,MAAM,QAAQ,KAAK,OAAO;AAAA,EAC9C;AAEA,MAAI,CAAC,SAAS,IAAI;AAChB,WAAO,EAAE,SAAS,OAAO,OAAO,KAAK;AAAA,EACvC;AAEA,SAAO,EAAE,SAAS,MAAM;AAC1B;AAKO,SAAS,eAAe,SAAsC;AACnE,SAAO,WAAW,QAAQ,IAAI;AAChC;;;ADrDO,SAAS,gBAAgB,UAAuB,CAAC,GAAG;AACzD,QAAM,SAAS,QAAQ,UAAU;AACjC,QAAM,UAAU,eAAe,QAAQ,OAAO;AAC9C,QAAM,WAAW,QAAQ,aAAa;AAEtC,MAAI,CAAC,SAAS;AACZ,YAAQ,KAAK,6DAAwD;AACrE,WAAO,CAAC,MAAW,MAAW,SAAqB,KAAK;AAAA,EAC1D;AAEA,SAAO,OAAO,KAAU,KAAU,SAAqB;AACrD,UAAM,QAAQ,IAAI,QAAQ,QAAQ;AAElC,QAAI,CAAC,OAAO;AACV,aAAO,IAAI,OAAO,GAAG,EAAE,KAAK,EAAE,OAAO,mCAAmC,CAAC;AAAA,IAC3E;AAEA,QAAI;AACF,YAAM,SAAS,MAAM,QAAQ,QAAQ,SAAS,OAAO,IAAI,eAAe,IAAI,GAAG;AAE/E,UAAI,OAAO,SAAS;AAClB,eAAO,IAAI,OAAO,GAAG,EAAE,KAAK,EAAE,OAAO,qBAAqB,QAAQ,OAAO,OAAO,CAAC;AAAA,MACnF;AAEA,UAAI,OAAO,SAAS,CAAC,UAAU;AAC7B,eAAO,IAAI,OAAO,GAAG,EAAE,KAAK,EAAE,OAAO,6BAA6B,CAAC;AAAA,MACrE;AAAA,IACF,SAAS,KAAU;AACjB,cAAQ,MAAM,+BAA+B,IAAI,OAAO;AACxD,UAAI,CAAC,UAAU;AACb,eAAO,IAAI,OAAO,GAAG,EAAE,KAAK,EAAE,OAAO,6BAA6B,CAAC;AAAA,MACrE;AAAA,IACF;AAEA,SAAK;AAAA,EACP;AACF;","names":[]}

package/dist/express.mjs

@@ -0,0 +1,68 @@
+// src/core.ts
+var DEFAULT_API_URL = "https://api.x-lock.dev";
+async function enforce(apiUrl, siteKey, token, path) {
+  let enforceUrl;
+  let body;
+  if (token.startsWith("v3.")) {
+    const sessionId = token.split(".")[1];
+    enforceUrl = `${apiUrl}/v3/session/enforce`;
+    body = { sessionId, siteKey };
+    if (path) body.path = path;
+  } else {
+    enforceUrl = `${apiUrl}/v1/enforce`;
+    body = { token, siteKey };
+    if (path) body.path = path;
+  }
+  const response = await fetch(enforceUrl, {
+    method: "POST",
+    headers: { "Content-Type": "application/json" },
+    body: JSON.stringify(body)
+  });
+  if (response.status === 403) {
+    const data = await response.json();
+    return { blocked: true, reason: data.reason };
+  }
+  if (!response.ok) {
+    return { blocked: false, error: true };
+  }
+  return { blocked: false };
+}
+function resolveSiteKey(siteKey) {
+  return siteKey || process.env.XLOCK_SITE_KEY;
+}
+
+// src/express.ts
+function xlockMiddleware(options = {}) {
+  const apiUrl = options.apiUrl || DEFAULT_API_URL;
+  const siteKey = resolveSiteKey(options.siteKey);
+  const failOpen = options.failOpen !== false;
+  if (!siteKey) {
+    console.warn("[x-lock] No site key configured \u2014 skipping enforcement");
+    return (_req, _res, next) => next();
+  }
+  return async (req, res, next) => {
+    const token = req.headers["x-lock"];
+    if (!token) {
+      return res.status(403).json({ error: "Blocked by x-lock: missing token" });
+    }
+    try {
+      const result = await enforce(apiUrl, siteKey, token, req.originalUrl || req.url);
+      if (result.blocked) {
+        return res.status(403).json({ error: "Blocked by x-lock", reason: result.reason });
+      }
+      if (result.error && !failOpen) {
+        return res.status(403).json({ error: "x-lock verification failed" });
+      }
+    } catch (err) {
+      console.error("[x-lock] Enforcement error:", err.message);
+      if (!failOpen) {
+        return res.status(403).json({ error: "x-lock verification failed" });
+      }
+    }
+    next();
+  };
+}
+export {
+  xlockMiddleware
+};
+//# sourceMappingURL=express.mjs.map

package/dist/express.mjs.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/core.ts","../src/express.ts"],"sourcesContent":["/**\n * Core x-lock enforcement logic shared across all framework adapters.\n */\n\nexport const DEFAULT_API_URL = \"https://api.x-lock.dev\";\n\nexport interface XLockConfig {\n  /** Your x-lock site key (or set XLOCK_SITE_KEY env var) */\n  siteKey?: string;\n  /** x-lock API URL (default: https://api.x-lock.dev) */\n  apiUrl?: string;\n  /** Allow requests through on API errors (default: true) */\n  failOpen?: boolean;\n}\n\nexport interface EnforceResult {\n  blocked: boolean;\n  reason?: string;\n  error?: boolean;\n}\n\n/**\n * Call the x-lock enforcement API to verify a token.\n */\nexport async function enforce(\n  apiUrl: string,\n  siteKey: string,\n  token: string,\n  path?: string\n): Promise<EnforceResult> {\n  let enforceUrl: string;\n  let body: Record<string, string>;\n\n  if (token.startsWith(\"v3.\")) {\n    const sessionId = token.split(\".\")[1];\n    enforceUrl = `${apiUrl}/v3/session/enforce`;\n    body = { sessionId, siteKey };\n    if (path) body.path = path;\n  } else {\n    enforceUrl = `${apiUrl}/v1/enforce`;\n    body = { token, siteKey };\n    if (path) body.path = path;\n  }\n\n  const response = await fetch(enforceUrl, {\n    method: \"POST\",\n    headers: { \"Content-Type\": \"application/json\" },\n    body: JSON.stringify(body),\n  });\n\n  if (response.status === 403) {\n    const data = (await response.json()) as { reason?: string };\n    return { blocked: true, reason: data.reason };\n  }\n\n  if (!response.ok) {\n    return { blocked: false, error: true };\n  }\n\n  return { blocked: false };\n}\n\n/**\n * Resolve site key from options or environment.\n */\nexport function resolveSiteKey(siteKey?: string): string | undefined {\n  return siteKey || process.env.XLOCK_SITE_KEY;\n}\n","/**\n * x-lock middleware for Express.js\n *\n * @example\n * ```js\n * import { xlockMiddleware } from \"@xlock/node/express\";\n * app.use(\"/api/auth\", xlockMiddleware({ siteKey: \"sk_...\" }));\n * ```\n */\n\nimport { enforce, resolveSiteKey, DEFAULT_API_URL, type XLockConfig } from \"./core\";\n\nexport type { XLockConfig };\n\nexport function xlockMiddleware(options: XLockConfig = {}) {\n  const apiUrl = options.apiUrl || DEFAULT_API_URL;\n  const siteKey = resolveSiteKey(options.siteKey);\n  const failOpen = options.failOpen !== false;\n\n  if (!siteKey) {\n    console.warn(\"[x-lock] No site key configured — skipping enforcement\");\n    return (_req: any, _res: any, next: () => void) => next();\n  }\n\n  return async (req: any, res: any, next: () => void) => {\n    const token = req.headers[\"x-lock\"];\n\n    if (!token) {\n      return res.status(403).json({ error: \"Blocked by x-lock: missing token\" });\n    }\n\n    try {\n      const result = await enforce(apiUrl, siteKey, token, req.originalUrl || req.url);\n\n      if (result.blocked) {\n        return res.status(403).json({ error: \"Blocked by x-lock\", reason: result.reason });\n      }\n\n      if (result.error && !failOpen) {\n        return res.status(403).json({ error: \"x-lock verification failed\" });\n      }\n    } catch (err: any) {\n      console.error(\"[x-lock] Enforcement error:\", err.message);\n      if (!failOpen) {\n        return res.status(403).json({ error: \"x-lock verification failed\" });\n      }\n    }\n\n    next();\n  };\n}\n"],"mappings":";AAIO,IAAM,kBAAkB;AAoB/B,eAAsB,QACpB,QACA,SACA,OACA,MACwB;AACxB,MAAI;AACJ,MAAI;AAEJ,MAAI,MAAM,WAAW,KAAK,GAAG;AAC3B,UAAM,YAAY,MAAM,MAAM,GAAG,EAAE,CAAC;AACpC,iBAAa,GAAG,MAAM;AACtB,WAAO,EAAE,WAAW,QAAQ;AAC5B,QAAI,KAAM,MAAK,OAAO;AAAA,EACxB,OAAO;AACL,iBAAa,GAAG,MAAM;AACtB,WAAO,EAAE,OAAO,QAAQ;AACxB,QAAI,KAAM,MAAK,OAAO;AAAA,EACxB;AAEA,QAAM,WAAW,MAAM,MAAM,YAAY;AAAA,IACvC,QAAQ;AAAA,IACR,SAAS,EAAE,gBAAgB,mBAAmB;AAAA,IAC9C,MAAM,KAAK,UAAU,IAAI;AAAA,EAC3B,CAAC;AAED,MAAI,SAAS,WAAW,KAAK;AAC3B,UAAM,OAAQ,MAAM,SAAS,KAAK;AAClC,WAAO,EAAE,SAAS,MAAM,QAAQ,KAAK,OAAO;AAAA,EAC9C;AAEA,MAAI,CAAC,SAAS,IAAI;AAChB,WAAO,EAAE,SAAS,OAAO,OAAO,KAAK;AAAA,EACvC;AAEA,SAAO,EAAE,SAAS,MAAM;AAC1B;AAKO,SAAS,eAAe,SAAsC;AACnE,SAAO,WAAW,QAAQ,IAAI;AAChC;;;ACrDO,SAAS,gBAAgB,UAAuB,CAAC,GAAG;AACzD,QAAM,SAAS,QAAQ,UAAU;AACjC,QAAM,UAAU,eAAe,QAAQ,OAAO;AAC9C,QAAM,WAAW,QAAQ,aAAa;AAEtC,MAAI,CAAC,SAAS;AACZ,YAAQ,KAAK,6DAAwD;AACrE,WAAO,CAAC,MAAW,MAAW,SAAqB,KAAK;AAAA,EAC1D;AAEA,SAAO,OAAO,KAAU,KAAU,SAAqB;AACrD,UAAM,QAAQ,IAAI,QAAQ,QAAQ;AAElC,QAAI,CAAC,OAAO;AACV,aAAO,IAAI,OAAO,GAAG,EAAE,KAAK,EAAE,OAAO,mCAAmC,CAAC;AAAA,IAC3E;AAEA,QAAI;AACF,YAAM,SAAS,MAAM,QAAQ,QAAQ,SAAS,OAAO,IAAI,eAAe,IAAI,GAAG;AAE/E,UAAI,OAAO,SAAS;AAClB,eAAO,IAAI,OAAO,GAAG,EAAE,KAAK,EAAE,OAAO,qBAAqB,QAAQ,OAAO,OAAO,CAAC;AAAA,MACnF;AAEA,UAAI,OAAO,SAAS,CAAC,UAAU;AAC7B,eAAO,IAAI,OAAO,GAAG,EAAE,KAAK,EAAE,OAAO,6BAA6B,CAAC;AAAA,MACrE;AAAA,IACF,SAAS,KAAU;AACjB,cAAQ,MAAM,+BAA+B,IAAI,OAAO;AACxD,UAAI,CAAC,UAAU;AACb,eAAO,IAAI,OAAO,GAAG,EAAE,KAAK,EAAE,OAAO,6BAA6B,CAAC;AAAA,MACrE;AAAA,IACF;AAEA,SAAK;AAAA,EACP;AACF;","names":[]}

package/dist/fastify.d.mts

@@ -0,0 +1,19 @@
+import { X as XLockConfig } from './core-D4eszYbi.mjs';
+
+/**
+ * x-lock plugin for Fastify
+ *
+ * @example
+ * ```js
+ * import { xlockPlugin } from "@xlock/node/fastify";
+ * fastify.register(xlockPlugin, { siteKey: "sk_...", routes: ["/api/auth/*"] });
+ * ```
+ */
+
+interface XLockFastifyConfig extends XLockConfig {
+    /** Route patterns to protect (supports trailing /*) */
+    routes?: string[];
+}
+declare function xlockPlugin(fastify: any, options: XLockFastifyConfig): Promise<void>;
+
+export { type XLockFastifyConfig, xlockPlugin };

package/dist/fastify.d.ts

@@ -0,0 +1,19 @@
+import { X as XLockConfig } from './core-D4eszYbi.js';
+
+/**
+ * x-lock plugin for Fastify
+ *
+ * @example
+ * ```js
+ * import { xlockPlugin } from "@xlock/node/fastify";
+ * fastify.register(xlockPlugin, { siteKey: "sk_...", routes: ["/api/auth/*"] });
+ * ```
+ */
+
+interface XLockFastifyConfig extends XLockConfig {
+    /** Route patterns to protect (supports trailing /*) */
+    routes?: string[];
+}
+declare function xlockPlugin(fastify: any, options: XLockFastifyConfig): Promise<void>;
+
+export { type XLockFastifyConfig, xlockPlugin };

package/dist/fastify.js

@@ -0,0 +1,106 @@
+"use strict";
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+
+// src/fastify.ts
+var fastify_exports = {};
+__export(fastify_exports, {
+  xlockPlugin: () => xlockPlugin
+});
+module.exports = __toCommonJS(fastify_exports);
+
+// src/core.ts
+var DEFAULT_API_URL = "https://api.x-lock.dev";
+async function enforce(apiUrl, siteKey, token, path) {
+  let enforceUrl;
+  let body;
+  if (token.startsWith("v3.")) {
+    const sessionId = token.split(".")[1];
+    enforceUrl = `${apiUrl}/v3/session/enforce`;
+    body = { sessionId, siteKey };
+    if (path) body.path = path;
+  } else {
+    enforceUrl = `${apiUrl}/v1/enforce`;
+    body = { token, siteKey };
+    if (path) body.path = path;
+  }
+  const response = await fetch(enforceUrl, {
+    method: "POST",
+    headers: { "Content-Type": "application/json" },
+    body: JSON.stringify(body)
+  });
+  if (response.status === 403) {
+    const data = await response.json();
+    return { blocked: true, reason: data.reason };
+  }
+  if (!response.ok) {
+    return { blocked: false, error: true };
+  }
+  return { blocked: false };
+}
+function resolveSiteKey(siteKey) {
+  return siteKey || process.env.XLOCK_SITE_KEY;
+}
+
+// src/fastify.ts
+async function xlockPlugin(fastify, options) {
+  const apiUrl = options.apiUrl || DEFAULT_API_URL;
+  const siteKey = resolveSiteKey(options.siteKey);
+  const failOpen = options.failOpen !== false;
+  const routes = options.routes || [];
+  if (!siteKey) {
+    fastify.log.warn("[x-lock] No site key configured \u2014 skipping enforcement");
+    return;
+  }
+  function matchesRoute(path) {
+    return routes.some((pattern) => {
+      if (pattern.endsWith("/*")) {
+        return path.startsWith(pattern.slice(0, -2));
+      }
+      return path === pattern;
+    });
+  }
+  fastify.addHook("preHandler", async (request, reply) => {
+    if (routes.length > 0 && !matchesRoute(request.url)) return;
+    const token = request.headers["x-lock"];
+    if (!token) {
+      return reply.code(403).send({ error: "Blocked by x-lock: missing token" });
+    }
+    try {
+      const result = await enforce(apiUrl, siteKey, token, request.url);
+      if (result.blocked) {
+        return reply.code(403).send({ error: "Blocked by x-lock", reason: result.reason });
+      }
+      if (result.error && !failOpen) {
+        return reply.code(403).send({ error: "x-lock verification failed" });
+      }
+    } catch (err) {
+      request.log.error("[x-lock] Enforcement error:", err.message);
+      if (!failOpen) {
+        return reply.code(403).send({ error: "x-lock verification failed" });
+      }
+    }
+  });
+}
+xlockPlugin[/* @__PURE__ */ Symbol.for("skip-override")] = true;
+xlockPlugin[/* @__PURE__ */ Symbol.for("fastify.display-name")] = "x-lock";
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  xlockPlugin
+});
+//# sourceMappingURL=fastify.js.map

package/dist/fastify.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/fastify.ts","../src/core.ts"],"sourcesContent":["/**\n * x-lock plugin for Fastify\n *\n * @example\n * ```js\n * import { xlockPlugin } from \"@xlock/node/fastify\";\n * fastify.register(xlockPlugin, { siteKey: \"sk_...\", routes: [\"/api/auth/*\"] });\n * ```\n */\n\nimport { enforce, resolveSiteKey, DEFAULT_API_URL, type XLockConfig } from \"./core\";\n\nexport interface XLockFastifyConfig extends XLockConfig {\n  /** Route patterns to protect (supports trailing /*) */\n  routes?: string[];\n}\n\nexport async function xlockPlugin(fastify: any, options: XLockFastifyConfig) {\n  const apiUrl = options.apiUrl || DEFAULT_API_URL;\n  const siteKey = resolveSiteKey(options.siteKey);\n  const failOpen = options.failOpen !== false;\n  const routes = options.routes || [];\n\n  if (!siteKey) {\n    fastify.log.warn(\"[x-lock] No site key configured — skipping enforcement\");\n    return;\n  }\n\n  function matchesRoute(path: string): boolean {\n    return routes.some((pattern) => {\n      if (pattern.endsWith(\"/*\")) {\n        return path.startsWith(pattern.slice(0, -2));\n      }\n      return path === pattern;\n    });\n  }\n\n  fastify.addHook(\"preHandler\", async (request: any, reply: any) => {\n    if (routes.length > 0 && !matchesRoute(request.url)) return;\n\n    const token = request.headers[\"x-lock\"];\n\n    if (!token) {\n      return reply.code(403).send({ error: \"Blocked by x-lock: missing token\" });\n    }\n\n    try {\n      const result = await enforce(apiUrl, siteKey, token, request.url);\n\n      if (result.blocked) {\n        return reply.code(403).send({ error: \"Blocked by x-lock\", reason: result.reason });\n      }\n\n      if (result.error && !failOpen) {\n        return reply.code(403).send({ error: \"x-lock verification failed\" });\n      }\n    } catch (err: any) {\n      request.log.error(\"[x-lock] Enforcement error:\", err.message);\n      if (!failOpen) {\n        return reply.code(403).send({ error: \"x-lock verification failed\" });\n      }\n    }\n  });\n}\n\n// Fastify plugin metadata\n(xlockPlugin as any)[Symbol.for(\"skip-override\")] = true;\n(xlockPlugin as any)[Symbol.for(\"fastify.display-name\")] = \"x-lock\";\n","/**\n * Core x-lock enforcement logic shared across all framework adapters.\n */\n\nexport const DEFAULT_API_URL = \"https://api.x-lock.dev\";\n\nexport interface XLockConfig {\n  /** Your x-lock site key (or set XLOCK_SITE_KEY env var) */\n  siteKey?: string;\n  /** x-lock API URL (default: https://api.x-lock.dev) */\n  apiUrl?: string;\n  /** Allow requests through on API errors (default: true) */\n  failOpen?: boolean;\n}\n\nexport interface EnforceResult {\n  blocked: boolean;\n  reason?: string;\n  error?: boolean;\n}\n\n/**\n * Call the x-lock enforcement API to verify a token.\n */\nexport async function enforce(\n  apiUrl: string,\n  siteKey: string,\n  token: string,\n  path?: string\n): Promise<EnforceResult> {\n  let enforceUrl: string;\n  let body: Record<string, string>;\n\n  if (token.startsWith(\"v3.\")) {\n    const sessionId = token.split(\".\")[1];\n    enforceUrl = `${apiUrl}/v3/session/enforce`;\n    body = { sessionId, siteKey };\n    if (path) body.path = path;\n  } else {\n    enforceUrl = `${apiUrl}/v1/enforce`;\n    body = { token, siteKey };\n    if (path) body.path = path;\n  }\n\n  const response = await fetch(enforceUrl, {\n    method: \"POST\",\n    headers: { \"Content-Type\": \"application/json\" },\n    body: JSON.stringify(body),\n  });\n\n  if (response.status === 403) {\n    const data = (await response.json()) as { reason?: string };\n    return { blocked: true, reason: data.reason };\n  }\n\n  if (!response.ok) {\n    return { blocked: false, error: true };\n  }\n\n  return { blocked: false };\n}\n\n/**\n * Resolve site key from options or environment.\n */\nexport function resolveSiteKey(siteKey?: string): string | undefined {\n  return siteKey || process.env.XLOCK_SITE_KEY;\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;;;ACIO,IAAM,kBAAkB;AAoB/B,eAAsB,QACpB,QACA,SACA,OACA,MACwB;AACxB,MAAI;AACJ,MAAI;AAEJ,MAAI,MAAM,WAAW,KAAK,GAAG;AAC3B,UAAM,YAAY,MAAM,MAAM,GAAG,EAAE,CAAC;AACpC,iBAAa,GAAG,MAAM;AACtB,WAAO,EAAE,WAAW,QAAQ;AAC5B,QAAI,KAAM,MAAK,OAAO;AAAA,EACxB,OAAO;AACL,iBAAa,GAAG,MAAM;AACtB,WAAO,EAAE,OAAO,QAAQ;AACxB,QAAI,KAAM,MAAK,OAAO;AAAA,EACxB;AAEA,QAAM,WAAW,MAAM,MAAM,YAAY;AAAA,IACvC,QAAQ;AAAA,IACR,SAAS,EAAE,gBAAgB,mBAAmB;AAAA,IAC9C,MAAM,KAAK,UAAU,IAAI;AAAA,EAC3B,CAAC;AAED,MAAI,SAAS,WAAW,KAAK;AAC3B,UAAM,OAAQ,MAAM,SAAS,KAAK;AAClC,WAAO,EAAE,SAAS,MAAM,QAAQ,KAAK,OAAO;AAAA,EAC9C;AAEA,MAAI,CAAC,SAAS,IAAI;AAChB,WAAO,EAAE,SAAS,OAAO,OAAO,KAAK;AAAA,EACvC;AAEA,SAAO,EAAE,SAAS,MAAM;AAC1B;AAKO,SAAS,eAAe,SAAsC;AACnE,SAAO,WAAW,QAAQ,IAAI;AAChC;;;ADlDA,eAAsB,YAAY,SAAc,SAA6B;AAC3E,QAAM,SAAS,QAAQ,UAAU;AACjC,QAAM,UAAU,eAAe,QAAQ,OAAO;AAC9C,QAAM,WAAW,QAAQ,aAAa;AACtC,QAAM,SAAS,QAAQ,UAAU,CAAC;AAElC,MAAI,CAAC,SAAS;AACZ,YAAQ,IAAI,KAAK,6DAAwD;AACzE;AAAA,EACF;AAEA,WAAS,aAAa,MAAuB;AAC3C,WAAO,OAAO,KAAK,CAAC,YAAY;AAC9B,UAAI,QAAQ,SAAS,IAAI,GAAG;AAC1B,eAAO,KAAK,WAAW,QAAQ,MAAM,GAAG,EAAE,CAAC;AAAA,MAC7C;AACA,aAAO,SAAS;AAAA,IAClB,CAAC;AAAA,EACH;AAEA,UAAQ,QAAQ,cAAc,OAAO,SAAc,UAAe;AAChE,QAAI,OAAO,SAAS,KAAK,CAAC,aAAa,QAAQ,GAAG,EAAG;AAErD,UAAM,QAAQ,QAAQ,QAAQ,QAAQ;AAEtC,QAAI,CAAC,OAAO;AACV,aAAO,MAAM,KAAK,GAAG,EAAE,KAAK,EAAE,OAAO,mCAAmC,CAAC;AAAA,IAC3E;AAEA,QAAI;AACF,YAAM,SAAS,MAAM,QAAQ,QAAQ,SAAS,OAAO,QAAQ,GAAG;AAEhE,UAAI,OAAO,SAAS;AAClB,eAAO,MAAM,KAAK,GAAG,EAAE,KAAK,EAAE,OAAO,qBAAqB,QAAQ,OAAO,OAAO,CAAC;AAAA,MACnF;AAEA,UAAI,OAAO,SAAS,CAAC,UAAU;AAC7B,eAAO,MAAM,KAAK,GAAG,EAAE,KAAK,EAAE,OAAO,6BAA6B,CAAC;AAAA,MACrE;AAAA,IACF,SAAS,KAAU;AACjB,cAAQ,IAAI,MAAM,+BAA+B,IAAI,OAAO;AAC5D,UAAI,CAAC,UAAU;AACb,eAAO,MAAM,KAAK,GAAG,EAAE,KAAK,EAAE,OAAO,6BAA6B,CAAC;AAAA,MACrE;AAAA,IACF;AAAA,EACF,CAAC;AACH;AAGC,YAAoB,uBAAO,IAAI,eAAe,CAAC,IAAI;AACnD,YAAoB,uBAAO,IAAI,sBAAsB,CAAC,IAAI;","names":[]}

package/dist/fastify.mjs

@@ -0,0 +1,79 @@
+// src/core.ts
+var DEFAULT_API_URL = "https://api.x-lock.dev";
+async function enforce(apiUrl, siteKey, token, path) {
+  let enforceUrl;
+  let body;
+  if (token.startsWith("v3.")) {
+    const sessionId = token.split(".")[1];
+    enforceUrl = `${apiUrl}/v3/session/enforce`;
+    body = { sessionId, siteKey };
+    if (path) body.path = path;
+  } else {
+    enforceUrl = `${apiUrl}/v1/enforce`;
+    body = { token, siteKey };
+    if (path) body.path = path;
+  }
+  const response = await fetch(enforceUrl, {
+    method: "POST",
+    headers: { "Content-Type": "application/json" },
+    body: JSON.stringify(body)
+  });
+  if (response.status === 403) {
+    const data = await response.json();
+    return { blocked: true, reason: data.reason };
+  }
+  if (!response.ok) {
+    return { blocked: false, error: true };
+  }
+  return { blocked: false };
+}
+function resolveSiteKey(siteKey) {
+  return siteKey || process.env.XLOCK_SITE_KEY;
+}
+
+// src/fastify.ts
+async function xlockPlugin(fastify, options) {
+  const apiUrl = options.apiUrl || DEFAULT_API_URL;
+  const siteKey = resolveSiteKey(options.siteKey);
+  const failOpen = options.failOpen !== false;
+  const routes = options.routes || [];
+  if (!siteKey) {
+    fastify.log.warn("[x-lock] No site key configured \u2014 skipping enforcement");
+    return;
+  }
+  function matchesRoute(path) {
+    return routes.some((pattern) => {
+      if (pattern.endsWith("/*")) {
+        return path.startsWith(pattern.slice(0, -2));
+      }
+      return path === pattern;
+    });
+  }
+  fastify.addHook("preHandler", async (request, reply) => {
+    if (routes.length > 0 && !matchesRoute(request.url)) return;
+    const token = request.headers["x-lock"];
+    if (!token) {
+      return reply.code(403).send({ error: "Blocked by x-lock: missing token" });
+    }
+    try {
+      const result = await enforce(apiUrl, siteKey, token, request.url);
+      if (result.blocked) {
+        return reply.code(403).send({ error: "Blocked by x-lock", reason: result.reason });
+      }
+      if (result.error && !failOpen) {
+        return reply.code(403).send({ error: "x-lock verification failed" });
+      }
+    } catch (err) {
+      request.log.error("[x-lock] Enforcement error:", err.message);
+      if (!failOpen) {
+        return reply.code(403).send({ error: "x-lock verification failed" });
+      }
+    }
+  });
+}
+xlockPlugin[/* @__PURE__ */ Symbol.for("skip-override")] = true;
+xlockPlugin[/* @__PURE__ */ Symbol.for("fastify.display-name")] = "x-lock";
+export {
+  xlockPlugin
+};
+//# sourceMappingURL=fastify.mjs.map

package/dist/fastify.mjs.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/core.ts","../src/fastify.ts"],"sourcesContent":["/**\n * Core x-lock enforcement logic shared across all framework adapters.\n */\n\nexport const DEFAULT_API_URL = \"https://api.x-lock.dev\";\n\nexport interface XLockConfig {\n  /** Your x-lock site key (or set XLOCK_SITE_KEY env var) */\n  siteKey?: string;\n  /** x-lock API URL (default: https://api.x-lock.dev) */\n  apiUrl?: string;\n  /** Allow requests through on API errors (default: true) */\n  failOpen?: boolean;\n}\n\nexport interface EnforceResult {\n  blocked: boolean;\n  reason?: string;\n  error?: boolean;\n}\n\n/**\n * Call the x-lock enforcement API to verify a token.\n */\nexport async function enforce(\n  apiUrl: string,\n  siteKey: string,\n  token: string,\n  path?: string\n): Promise<EnforceResult> {\n  let enforceUrl: string;\n  let body: Record<string, string>;\n\n  if (token.startsWith(\"v3.\")) {\n    const sessionId = token.split(\".\")[1];\n    enforceUrl = `${apiUrl}/v3/session/enforce`;\n    body = { sessionId, siteKey };\n    if (path) body.path = path;\n  } else {\n    enforceUrl = `${apiUrl}/v1/enforce`;\n    body = { token, siteKey };\n    if (path) body.path = path;\n  }\n\n  const response = await fetch(enforceUrl, {\n    method: \"POST\",\n    headers: { \"Content-Type\": \"application/json\" },\n    body: JSON.stringify(body),\n  });\n\n  if (response.status === 403) {\n    const data = (await response.json()) as { reason?: string };\n    return { blocked: true, reason: data.reason };\n  }\n\n  if (!response.ok) {\n    return { blocked: false, error: true };\n  }\n\n  return { blocked: false };\n}\n\n/**\n * Resolve site key from options or environment.\n */\nexport function resolveSiteKey(siteKey?: string): string | undefined {\n  return siteKey || process.env.XLOCK_SITE_KEY;\n}\n","/**\n * x-lock plugin for Fastify\n *\n * @example\n * ```js\n * import { xlockPlugin } from \"@xlock/node/fastify\";\n * fastify.register(xlockPlugin, { siteKey: \"sk_...\", routes: [\"/api/auth/*\"] });\n * ```\n */\n\nimport { enforce, resolveSiteKey, DEFAULT_API_URL, type XLockConfig } from \"./core\";\n\nexport interface XLockFastifyConfig extends XLockConfig {\n  /** Route patterns to protect (supports trailing /*) */\n  routes?: string[];\n}\n\nexport async function xlockPlugin(fastify: any, options: XLockFastifyConfig) {\n  const apiUrl = options.apiUrl || DEFAULT_API_URL;\n  const siteKey = resolveSiteKey(options.siteKey);\n  const failOpen = options.failOpen !== false;\n  const routes = options.routes || [];\n\n  if (!siteKey) {\n    fastify.log.warn(\"[x-lock] No site key configured — skipping enforcement\");\n    return;\n  }\n\n  function matchesRoute(path: string): boolean {\n    return routes.some((pattern) => {\n      if (pattern.endsWith(\"/*\")) {\n        return path.startsWith(pattern.slice(0, -2));\n      }\n      return path === pattern;\n    });\n  }\n\n  fastify.addHook(\"preHandler\", async (request: any, reply: any) => {\n    if (routes.length > 0 && !matchesRoute(request.url)) return;\n\n    const token = request.headers[\"x-lock\"];\n\n    if (!token) {\n      return reply.code(403).send({ error: \"Blocked by x-lock: missing token\" });\n    }\n\n    try {\n      const result = await enforce(apiUrl, siteKey, token, request.url);\n\n      if (result.blocked) {\n        return reply.code(403).send({ error: \"Blocked by x-lock\", reason: result.reason });\n      }\n\n      if (result.error && !failOpen) {\n        return reply.code(403).send({ error: \"x-lock verification failed\" });\n      }\n    } catch (err: any) {\n      request.log.error(\"[x-lock] Enforcement error:\", err.message);\n      if (!failOpen) {\n        return reply.code(403).send({ error: \"x-lock verification failed\" });\n      }\n    }\n  });\n}\n\n// Fastify plugin metadata\n(xlockPlugin as any)[Symbol.for(\"skip-override\")] = true;\n(xlockPlugin as any)[Symbol.for(\"fastify.display-name\")] = \"x-lock\";\n"],"mappings":";AAIO,IAAM,kBAAkB;AAoB/B,eAAsB,QACpB,QACA,SACA,OACA,MACwB;AACxB,MAAI;AACJ,MAAI;AAEJ,MAAI,MAAM,WAAW,KAAK,GAAG;AAC3B,UAAM,YAAY,MAAM,MAAM,GAAG,EAAE,CAAC;AACpC,iBAAa,GAAG,MAAM;AACtB,WAAO,EAAE,WAAW,QAAQ;AAC5B,QAAI,KAAM,MAAK,OAAO;AAAA,EACxB,OAAO;AACL,iBAAa,GAAG,MAAM;AACtB,WAAO,EAAE,OAAO,QAAQ;AACxB,QAAI,KAAM,MAAK,OAAO;AAAA,EACxB;AAEA,QAAM,WAAW,MAAM,MAAM,YAAY;AAAA,IACvC,QAAQ;AAAA,IACR,SAAS,EAAE,gBAAgB,mBAAmB;AAAA,IAC9C,MAAM,KAAK,UAAU,IAAI;AAAA,EAC3B,CAAC;AAED,MAAI,SAAS,WAAW,KAAK;AAC3B,UAAM,OAAQ,MAAM,SAAS,KAAK;AAClC,WAAO,EAAE,SAAS,MAAM,QAAQ,KAAK,OAAO;AAAA,EAC9C;AAEA,MAAI,CAAC,SAAS,IAAI;AAChB,WAAO,EAAE,SAAS,OAAO,OAAO,KAAK;AAAA,EACvC;AAEA,SAAO,EAAE,SAAS,MAAM;AAC1B;AAKO,SAAS,eAAe,SAAsC;AACnE,SAAO,WAAW,QAAQ,IAAI;AAChC;;;AClDA,eAAsB,YAAY,SAAc,SAA6B;AAC3E,QAAM,SAAS,QAAQ,UAAU;AACjC,QAAM,UAAU,eAAe,QAAQ,OAAO;AAC9C,QAAM,WAAW,QAAQ,aAAa;AACtC,QAAM,SAAS,QAAQ,UAAU,CAAC;AAElC,MAAI,CAAC,SAAS;AACZ,YAAQ,IAAI,KAAK,6DAAwD;AACzE;AAAA,EACF;AAEA,WAAS,aAAa,MAAuB;AAC3C,WAAO,OAAO,KAAK,CAAC,YAAY;AAC9B,UAAI,QAAQ,SAAS,IAAI,GAAG;AAC1B,eAAO,KAAK,WAAW,QAAQ,MAAM,GAAG,EAAE,CAAC;AAAA,MAC7C;AACA,aAAO,SAAS;AAAA,IAClB,CAAC;AAAA,EACH;AAEA,UAAQ,QAAQ,cAAc,OAAO,SAAc,UAAe;AAChE,QAAI,OAAO,SAAS,KAAK,CAAC,aAAa,QAAQ,GAAG,EAAG;AAErD,UAAM,QAAQ,QAAQ,QAAQ,QAAQ;AAEtC,QAAI,CAAC,OAAO;AACV,aAAO,MAAM,KAAK,GAAG,EAAE,KAAK,EAAE,OAAO,mCAAmC,CAAC;AAAA,IAC3E;AAEA,QAAI;AACF,YAAM,SAAS,MAAM,QAAQ,QAAQ,SAAS,OAAO,QAAQ,GAAG;AAEhE,UAAI,OAAO,SAAS;AAClB,eAAO,MAAM,KAAK,GAAG,EAAE,KAAK,EAAE,OAAO,qBAAqB,QAAQ,OAAO,OAAO,CAAC;AAAA,MACnF;AAEA,UAAI,OAAO,SAAS,CAAC,UAAU;AAC7B,eAAO,MAAM,KAAK,GAAG,EAAE,KAAK,EAAE,OAAO,6BAA6B,CAAC;AAAA,MACrE;AAAA,IACF,SAAS,KAAU;AACjB,cAAQ,IAAI,MAAM,+BAA+B,IAAI,OAAO;AAC5D,UAAI,CAAC,UAAU;AACb,eAAO,MAAM,KAAK,GAAG,EAAE,KAAK,EAAE,OAAO,6BAA6B,CAAC;AAAA,MACrE;AAAA,IACF;AAAA,EACF,CAAC;AACH;AAGC,YAAoB,uBAAO,IAAI,eAAe,CAAC,IAAI;AACnD,YAAoB,uBAAO,IAAI,sBAAsB,CAAC,IAAI;","names":[]}