@xlock/node 0.1.0

package/dist/hono.d.mts

@@ -0,0 +1,15 @@
+import { X as XLockConfig } from './core-D4eszYbi.mjs';
+
+/**
+ * x-lock middleware for Hono (Bun / Cloudflare Workers / Deno / Node)
+ *
+ * @example
+ * ```ts
+ * import { xlockMiddleware } from "@xlock/node/hono";
+ * app.use("/api/auth/*", xlockMiddleware({ siteKey: "sk_..." }));
+ * ```
+ */
+
+declare function xlockMiddleware(options?: XLockConfig): (c: any, next: () => Promise<void>) => Promise<any>;
+
+export { XLockConfig, xlockMiddleware };

package/dist/hono.d.ts

@@ -0,0 +1,15 @@
+import { X as XLockConfig } from './core-D4eszYbi.js';
+
+/**
+ * x-lock middleware for Hono (Bun / Cloudflare Workers / Deno / Node)
+ *
+ * @example
+ * ```ts
+ * import { xlockMiddleware } from "@xlock/node/hono";
+ * app.use("/api/auth/*", xlockMiddleware({ siteKey: "sk_..." }));
+ * ```
+ */
+
+declare function xlockMiddleware(options?: XLockConfig): (c: any, next: () => Promise<void>) => Promise<any>;
+
+export { XLockConfig, xlockMiddleware };

package/dist/hono.js

@@ -0,0 +1,91 @@
+"use strict";
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+
+// src/hono.ts
+var hono_exports = {};
+__export(hono_exports, {
+  xlockMiddleware: () => xlockMiddleware
+});
+module.exports = __toCommonJS(hono_exports);
+
+// src/core.ts
+var DEFAULT_API_URL = "https://api.x-lock.dev";
+async function enforce(apiUrl, siteKey, token, path) {
+  let enforceUrl;
+  let body;
+  if (token.startsWith("v3.")) {
+    const sessionId = token.split(".")[1];
+    enforceUrl = `${apiUrl}/v3/session/enforce`;
+    body = { sessionId, siteKey };
+    if (path) body.path = path;
+  } else {
+    enforceUrl = `${apiUrl}/v1/enforce`;
+    body = { token, siteKey };
+    if (path) body.path = path;
+  }
+  const response = await fetch(enforceUrl, {
+    method: "POST",
+    headers: { "Content-Type": "application/json" },
+    body: JSON.stringify(body)
+  });
+  if (response.status === 403) {
+    const data = await response.json();
+    return { blocked: true, reason: data.reason };
+  }
+  if (!response.ok) {
+    return { blocked: false, error: true };
+  }
+  return { blocked: false };
+}
+
+// src/hono.ts
+function xlockMiddleware(options = {}) {
+  const apiUrl = options.apiUrl || DEFAULT_API_URL;
+  const siteKey = options.siteKey || (typeof process !== "undefined" ? process.env?.XLOCK_SITE_KEY : void 0);
+  const failOpen = options.failOpen !== false;
+  return async (c, next) => {
+    if (!siteKey || c.req.method !== "POST") {
+      return next();
+    }
+    const token = c.req.header("x-lock");
+    if (!token) {
+      return c.json({ error: "Blocked by x-lock: missing token" }, 403);
+    }
+    try {
+      const result = await enforce(apiUrl, siteKey, token, c.req.path);
+      if (result.blocked) {
+        return c.json({ error: "Blocked by x-lock", reason: result.reason }, 403);
+      }
+      if (result.error && !failOpen) {
+        return c.json({ error: "x-lock verification failed" }, 403);
+      }
+    } catch (err) {
+      console.error("[x-lock] Enforcement error:", err);
+      if (!failOpen) {
+        return c.json({ error: "x-lock verification failed" }, 403);
+      }
+    }
+    return next();
+  };
+}
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  xlockMiddleware
+});
+//# sourceMappingURL=hono.js.map

package/dist/hono.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/hono.ts","../src/core.ts"],"sourcesContent":["/**\n * x-lock middleware for Hono (Bun / Cloudflare Workers / Deno / Node)\n *\n * @example\n * ```ts\n * import { xlockMiddleware } from \"@xlock/node/hono\";\n * app.use(\"/api/auth/*\", xlockMiddleware({ siteKey: \"sk_...\" }));\n * ```\n */\n\nimport { enforce, DEFAULT_API_URL, type XLockConfig } from \"./core\";\n\nexport type { XLockConfig };\n\nexport function xlockMiddleware(options: XLockConfig = {}) {\n  const apiUrl = options.apiUrl || DEFAULT_API_URL;\n  const siteKey =\n    options.siteKey ||\n    (typeof process !== \"undefined\" ? process.env?.XLOCK_SITE_KEY : undefined);\n  const failOpen = options.failOpen !== false;\n\n  return async (c: any, next: () => Promise<void>) => {\n    if (!siteKey || c.req.method !== \"POST\") {\n      return next();\n    }\n\n    const token = c.req.header(\"x-lock\");\n\n    if (!token) {\n      return c.json({ error: \"Blocked by x-lock: missing token\" }, 403);\n    }\n\n    try {\n      const result = await enforce(apiUrl, siteKey, token, c.req.path);\n\n      if (result.blocked) {\n        return c.json({ error: \"Blocked by x-lock\", reason: result.reason }, 403);\n      }\n\n      if (result.error && !failOpen) {\n        return c.json({ error: \"x-lock verification failed\" }, 403);\n      }\n    } catch (err) {\n      console.error(\"[x-lock] Enforcement error:\", err);\n      if (!failOpen) {\n        return c.json({ error: \"x-lock verification failed\" }, 403);\n      }\n    }\n\n    return next();\n  };\n}\n","/**\n * Core x-lock enforcement logic shared across all framework adapters.\n */\n\nexport const DEFAULT_API_URL = \"https://api.x-lock.dev\";\n\nexport interface XLockConfig {\n  /** Your x-lock site key (or set XLOCK_SITE_KEY env var) */\n  siteKey?: string;\n  /** x-lock API URL (default: https://api.x-lock.dev) */\n  apiUrl?: string;\n  /** Allow requests through on API errors (default: true) */\n  failOpen?: boolean;\n}\n\nexport interface EnforceResult {\n  blocked: boolean;\n  reason?: string;\n  error?: boolean;\n}\n\n/**\n * Call the x-lock enforcement API to verify a token.\n */\nexport async function enforce(\n  apiUrl: string,\n  siteKey: string,\n  token: string,\n  path?: string\n): Promise<EnforceResult> {\n  let enforceUrl: string;\n  let body: Record<string, string>;\n\n  if (token.startsWith(\"v3.\")) {\n    const sessionId = token.split(\".\")[1];\n    enforceUrl = `${apiUrl}/v3/session/enforce`;\n    body = { sessionId, siteKey };\n    if (path) body.path = path;\n  } else {\n    enforceUrl = `${apiUrl}/v1/enforce`;\n    body = { token, siteKey };\n    if (path) body.path = path;\n  }\n\n  const response = await fetch(enforceUrl, {\n    method: \"POST\",\n    headers: { \"Content-Type\": \"application/json\" },\n    body: JSON.stringify(body),\n  });\n\n  if (response.status === 403) {\n    const data = (await response.json()) as { reason?: string };\n    return { blocked: true, reason: data.reason };\n  }\n\n  if (!response.ok) {\n    return { blocked: false, error: true };\n  }\n\n  return { blocked: false };\n}\n\n/**\n * Resolve site key from options or environment.\n */\nexport function resolveSiteKey(siteKey?: string): string | undefined {\n  return siteKey || process.env.XLOCK_SITE_KEY;\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;;;ACIO,IAAM,kBAAkB;AAoB/B,eAAsB,QACpB,QACA,SACA,OACA,MACwB;AACxB,MAAI;AACJ,MAAI;AAEJ,MAAI,MAAM,WAAW,KAAK,GAAG;AAC3B,UAAM,YAAY,MAAM,MAAM,GAAG,EAAE,CAAC;AACpC,iBAAa,GAAG,MAAM;AACtB,WAAO,EAAE,WAAW,QAAQ;AAC5B,QAAI,KAAM,MAAK,OAAO;AAAA,EACxB,OAAO;AACL,iBAAa,GAAG,MAAM;AACtB,WAAO,EAAE,OAAO,QAAQ;AACxB,QAAI,KAAM,MAAK,OAAO;AAAA,EACxB;AAEA,QAAM,WAAW,MAAM,MAAM,YAAY;AAAA,IACvC,QAAQ;AAAA,IACR,SAAS,EAAE,gBAAgB,mBAAmB;AAAA,IAC9C,MAAM,KAAK,UAAU,IAAI;AAAA,EAC3B,CAAC;AAED,MAAI,SAAS,WAAW,KAAK;AAC3B,UAAM,OAAQ,MAAM,SAAS,KAAK;AAClC,WAAO,EAAE,SAAS,MAAM,QAAQ,KAAK,OAAO;AAAA,EAC9C;AAEA,MAAI,CAAC,SAAS,IAAI;AAChB,WAAO,EAAE,SAAS,OAAO,OAAO,KAAK;AAAA,EACvC;AAEA,SAAO,EAAE,SAAS,MAAM;AAC1B;;;AD9CO,SAAS,gBAAgB,UAAuB,CAAC,GAAG;AACzD,QAAM,SAAS,QAAQ,UAAU;AACjC,QAAM,UACJ,QAAQ,YACP,OAAO,YAAY,cAAc,QAAQ,KAAK,iBAAiB;AAClE,QAAM,WAAW,QAAQ,aAAa;AAEtC,SAAO,OAAO,GAAQ,SAA8B;AAClD,QAAI,CAAC,WAAW,EAAE,IAAI,WAAW,QAAQ;AACvC,aAAO,KAAK;AAAA,IACd;AAEA,UAAM,QAAQ,EAAE,IAAI,OAAO,QAAQ;AAEnC,QAAI,CAAC,OAAO;AACV,aAAO,EAAE,KAAK,EAAE,OAAO,mCAAmC,GAAG,GAAG;AAAA,IAClE;AAEA,QAAI;AACF,YAAM,SAAS,MAAM,QAAQ,QAAQ,SAAS,OAAO,EAAE,IAAI,IAAI;AAE/D,UAAI,OAAO,SAAS;AAClB,eAAO,EAAE,KAAK,EAAE,OAAO,qBAAqB,QAAQ,OAAO,OAAO,GAAG,GAAG;AAAA,MAC1E;AAEA,UAAI,OAAO,SAAS,CAAC,UAAU;AAC7B,eAAO,EAAE,KAAK,EAAE,OAAO,6BAA6B,GAAG,GAAG;AAAA,MAC5D;AAAA,IACF,SAAS,KAAK;AACZ,cAAQ,MAAM,+BAA+B,GAAG;AAChD,UAAI,CAAC,UAAU;AACb,eAAO,EAAE,KAAK,EAAE,OAAO,6BAA6B,GAAG,GAAG;AAAA,MAC5D;AAAA,IACF;AAEA,WAAO,KAAK;AAAA,EACd;AACF;","names":[]}

package/dist/hono.mjs

@@ -0,0 +1,64 @@
+// src/core.ts
+var DEFAULT_API_URL = "https://api.x-lock.dev";
+async function enforce(apiUrl, siteKey, token, path) {
+  let enforceUrl;
+  let body;
+  if (token.startsWith("v3.")) {
+    const sessionId = token.split(".")[1];
+    enforceUrl = `${apiUrl}/v3/session/enforce`;
+    body = { sessionId, siteKey };
+    if (path) body.path = path;
+  } else {
+    enforceUrl = `${apiUrl}/v1/enforce`;
+    body = { token, siteKey };
+    if (path) body.path = path;
+  }
+  const response = await fetch(enforceUrl, {
+    method: "POST",
+    headers: { "Content-Type": "application/json" },
+    body: JSON.stringify(body)
+  });
+  if (response.status === 403) {
+    const data = await response.json();
+    return { blocked: true, reason: data.reason };
+  }
+  if (!response.ok) {
+    return { blocked: false, error: true };
+  }
+  return { blocked: false };
+}
+
+// src/hono.ts
+function xlockMiddleware(options = {}) {
+  const apiUrl = options.apiUrl || DEFAULT_API_URL;
+  const siteKey = options.siteKey || (typeof process !== "undefined" ? process.env?.XLOCK_SITE_KEY : void 0);
+  const failOpen = options.failOpen !== false;
+  return async (c, next) => {
+    if (!siteKey || c.req.method !== "POST") {
+      return next();
+    }
+    const token = c.req.header("x-lock");
+    if (!token) {
+      return c.json({ error: "Blocked by x-lock: missing token" }, 403);
+    }
+    try {
+      const result = await enforce(apiUrl, siteKey, token, c.req.path);
+      if (result.blocked) {
+        return c.json({ error: "Blocked by x-lock", reason: result.reason }, 403);
+      }
+      if (result.error && !failOpen) {
+        return c.json({ error: "x-lock verification failed" }, 403);
+      }
+    } catch (err) {
+      console.error("[x-lock] Enforcement error:", err);
+      if (!failOpen) {
+        return c.json({ error: "x-lock verification failed" }, 403);
+      }
+    }
+    return next();
+  };
+}
+export {
+  xlockMiddleware
+};
+//# sourceMappingURL=hono.mjs.map

package/dist/hono.mjs.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/core.ts","../src/hono.ts"],"sourcesContent":["/**\n * Core x-lock enforcement logic shared across all framework adapters.\n */\n\nexport const DEFAULT_API_URL = \"https://api.x-lock.dev\";\n\nexport interface XLockConfig {\n  /** Your x-lock site key (or set XLOCK_SITE_KEY env var) */\n  siteKey?: string;\n  /** x-lock API URL (default: https://api.x-lock.dev) */\n  apiUrl?: string;\n  /** Allow requests through on API errors (default: true) */\n  failOpen?: boolean;\n}\n\nexport interface EnforceResult {\n  blocked: boolean;\n  reason?: string;\n  error?: boolean;\n}\n\n/**\n * Call the x-lock enforcement API to verify a token.\n */\nexport async function enforce(\n  apiUrl: string,\n  siteKey: string,\n  token: string,\n  path?: string\n): Promise<EnforceResult> {\n  let enforceUrl: string;\n  let body: Record<string, string>;\n\n  if (token.startsWith(\"v3.\")) {\n    const sessionId = token.split(\".\")[1];\n    enforceUrl = `${apiUrl}/v3/session/enforce`;\n    body = { sessionId, siteKey };\n    if (path) body.path = path;\n  } else {\n    enforceUrl = `${apiUrl}/v1/enforce`;\n    body = { token, siteKey };\n    if (path) body.path = path;\n  }\n\n  const response = await fetch(enforceUrl, {\n    method: \"POST\",\n    headers: { \"Content-Type\": \"application/json\" },\n    body: JSON.stringify(body),\n  });\n\n  if (response.status === 403) {\n    const data = (await response.json()) as { reason?: string };\n    return { blocked: true, reason: data.reason };\n  }\n\n  if (!response.ok) {\n    return { blocked: false, error: true };\n  }\n\n  return { blocked: false };\n}\n\n/**\n * Resolve site key from options or environment.\n */\nexport function resolveSiteKey(siteKey?: string): string | undefined {\n  return siteKey || process.env.XLOCK_SITE_KEY;\n}\n","/**\n * x-lock middleware for Hono (Bun / Cloudflare Workers / Deno / Node)\n *\n * @example\n * ```ts\n * import { xlockMiddleware } from \"@xlock/node/hono\";\n * app.use(\"/api/auth/*\", xlockMiddleware({ siteKey: \"sk_...\" }));\n * ```\n */\n\nimport { enforce, DEFAULT_API_URL, type XLockConfig } from \"./core\";\n\nexport type { XLockConfig };\n\nexport function xlockMiddleware(options: XLockConfig = {}) {\n  const apiUrl = options.apiUrl || DEFAULT_API_URL;\n  const siteKey =\n    options.siteKey ||\n    (typeof process !== \"undefined\" ? process.env?.XLOCK_SITE_KEY : undefined);\n  const failOpen = options.failOpen !== false;\n\n  return async (c: any, next: () => Promise<void>) => {\n    if (!siteKey || c.req.method !== \"POST\") {\n      return next();\n    }\n\n    const token = c.req.header(\"x-lock\");\n\n    if (!token) {\n      return c.json({ error: \"Blocked by x-lock: missing token\" }, 403);\n    }\n\n    try {\n      const result = await enforce(apiUrl, siteKey, token, c.req.path);\n\n      if (result.blocked) {\n        return c.json({ error: \"Blocked by x-lock\", reason: result.reason }, 403);\n      }\n\n      if (result.error && !failOpen) {\n        return c.json({ error: \"x-lock verification failed\" }, 403);\n      }\n    } catch (err) {\n      console.error(\"[x-lock] Enforcement error:\", err);\n      if (!failOpen) {\n        return c.json({ error: \"x-lock verification failed\" }, 403);\n      }\n    }\n\n    return next();\n  };\n}\n"],"mappings":";AAIO,IAAM,kBAAkB;AAoB/B,eAAsB,QACpB,QACA,SACA,OACA,MACwB;AACxB,MAAI;AACJ,MAAI;AAEJ,MAAI,MAAM,WAAW,KAAK,GAAG;AAC3B,UAAM,YAAY,MAAM,MAAM,GAAG,EAAE,CAAC;AACpC,iBAAa,GAAG,MAAM;AACtB,WAAO,EAAE,WAAW,QAAQ;AAC5B,QAAI,KAAM,MAAK,OAAO;AAAA,EACxB,OAAO;AACL,iBAAa,GAAG,MAAM;AACtB,WAAO,EAAE,OAAO,QAAQ;AACxB,QAAI,KAAM,MAAK,OAAO;AAAA,EACxB;AAEA,QAAM,WAAW,MAAM,MAAM,YAAY;AAAA,IACvC,QAAQ;AAAA,IACR,SAAS,EAAE,gBAAgB,mBAAmB;AAAA,IAC9C,MAAM,KAAK,UAAU,IAAI;AAAA,EAC3B,CAAC;AAED,MAAI,SAAS,WAAW,KAAK;AAC3B,UAAM,OAAQ,MAAM,SAAS,KAAK;AAClC,WAAO,EAAE,SAAS,MAAM,QAAQ,KAAK,OAAO;AAAA,EAC9C;AAEA,MAAI,CAAC,SAAS,IAAI;AAChB,WAAO,EAAE,SAAS,OAAO,OAAO,KAAK;AAAA,EACvC;AAEA,SAAO,EAAE,SAAS,MAAM;AAC1B;;;AC9CO,SAAS,gBAAgB,UAAuB,CAAC,GAAG;AACzD,QAAM,SAAS,QAAQ,UAAU;AACjC,QAAM,UACJ,QAAQ,YACP,OAAO,YAAY,cAAc,QAAQ,KAAK,iBAAiB;AAClE,QAAM,WAAW,QAAQ,aAAa;AAEtC,SAAO,OAAO,GAAQ,SAA8B;AAClD,QAAI,CAAC,WAAW,EAAE,IAAI,WAAW,QAAQ;AACvC,aAAO,KAAK;AAAA,IACd;AAEA,UAAM,QAAQ,EAAE,IAAI,OAAO,QAAQ;AAEnC,QAAI,CAAC,OAAO;AACV,aAAO,EAAE,KAAK,EAAE,OAAO,mCAAmC,GAAG,GAAG;AAAA,IAClE;AAEA,QAAI;AACF,YAAM,SAAS,MAAM,QAAQ,QAAQ,SAAS,OAAO,EAAE,IAAI,IAAI;AAE/D,UAAI,OAAO,SAAS;AAClB,eAAO,EAAE,KAAK,EAAE,OAAO,qBAAqB,QAAQ,OAAO,OAAO,GAAG,GAAG;AAAA,MAC1E;AAEA,UAAI,OAAO,SAAS,CAAC,UAAU;AAC7B,eAAO,EAAE,KAAK,EAAE,OAAO,6BAA6B,GAAG,GAAG;AAAA,MAC5D;AAAA,IACF,SAAS,KAAK;AACZ,cAAQ,MAAM,+BAA+B,GAAG;AAChD,UAAI,CAAC,UAAU;AACb,eAAO,EAAE,KAAK,EAAE,OAAO,6BAA6B,GAAG,GAAG;AAAA,MAC5D;AAAA,IACF;AAEA,WAAO,KAAK;AAAA,EACd;AACF;","names":[]}

package/dist/index.d.mts

@@ -0,0 +1,4 @@
+export { D as DEFAULT_API_URL, E as EnforceResult, X as XLockConfig, e as verify } from './core-D4eszYbi.mjs';
+export { xlockMiddleware as expressMiddleware } from './express.mjs';
+export { xlockMiddleware as koaMiddleware } from './koa.mjs';
+export { xlockMiddleware as honoMiddleware } from './hono.mjs';

package/dist/index.d.ts

@@ -0,0 +1,4 @@
+export { D as DEFAULT_API_URL, E as EnforceResult, X as XLockConfig, e as verify } from './core-D4eszYbi.js';
+export { xlockMiddleware as expressMiddleware } from './express.js';
+export { xlockMiddleware as koaMiddleware } from './koa.js';
+export { xlockMiddleware as honoMiddleware } from './hono.js';

package/dist/index.js

@@ -0,0 +1,179 @@
+"use strict";
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+
+// src/index.ts
+var index_exports = {};
+__export(index_exports, {
+  DEFAULT_API_URL: () => DEFAULT_API_URL,
+  expressMiddleware: () => xlockMiddleware,
+  honoMiddleware: () => xlockMiddleware3,
+  koaMiddleware: () => xlockMiddleware2,
+  verify: () => enforce
+});
+module.exports = __toCommonJS(index_exports);
+
+// src/core.ts
+var DEFAULT_API_URL = "https://api.x-lock.dev";
+async function enforce(apiUrl, siteKey, token, path) {
+  let enforceUrl;
+  let body;
+  if (token.startsWith("v3.")) {
+    const sessionId = token.split(".")[1];
+    enforceUrl = `${apiUrl}/v3/session/enforce`;
+    body = { sessionId, siteKey };
+    if (path) body.path = path;
+  } else {
+    enforceUrl = `${apiUrl}/v1/enforce`;
+    body = { token, siteKey };
+    if (path) body.path = path;
+  }
+  const response = await fetch(enforceUrl, {
+    method: "POST",
+    headers: { "Content-Type": "application/json" },
+    body: JSON.stringify(body)
+  });
+  if (response.status === 403) {
+    const data = await response.json();
+    return { blocked: true, reason: data.reason };
+  }
+  if (!response.ok) {
+    return { blocked: false, error: true };
+  }
+  return { blocked: false };
+}
+function resolveSiteKey(siteKey) {
+  return siteKey || process.env.XLOCK_SITE_KEY;
+}
+
+// src/express.ts
+function xlockMiddleware(options = {}) {
+  const apiUrl = options.apiUrl || DEFAULT_API_URL;
+  const siteKey = resolveSiteKey(options.siteKey);
+  const failOpen = options.failOpen !== false;
+  if (!siteKey) {
+    console.warn("[x-lock] No site key configured \u2014 skipping enforcement");
+    return (_req, _res, next) => next();
+  }
+  return async (req, res, next) => {
+    const token = req.headers["x-lock"];
+    if (!token) {
+      return res.status(403).json({ error: "Blocked by x-lock: missing token" });
+    }
+    try {
+      const result = await enforce(apiUrl, siteKey, token, req.originalUrl || req.url);
+      if (result.blocked) {
+        return res.status(403).json({ error: "Blocked by x-lock", reason: result.reason });
+      }
+      if (result.error && !failOpen) {
+        return res.status(403).json({ error: "x-lock verification failed" });
+      }
+    } catch (err) {
+      console.error("[x-lock] Enforcement error:", err.message);
+      if (!failOpen) {
+        return res.status(403).json({ error: "x-lock verification failed" });
+      }
+    }
+    next();
+  };
+}
+
+// src/koa.ts
+function xlockMiddleware2(options = {}) {
+  const apiUrl = options.apiUrl || DEFAULT_API_URL;
+  const siteKey = resolveSiteKey(options.siteKey);
+  const failOpen = options.failOpen !== false;
+  const routes = options.routes || [];
+  if (!siteKey) {
+    console.warn("[x-lock] No site key configured \u2014 skipping enforcement");
+    return async (_ctx, next) => next();
+  }
+  return async (ctx, next) => {
+    if (ctx.method !== "POST") return next();
+    if (routes.length > 0 && !routes.some((r) => ctx.path.startsWith(r))) {
+      return next();
+    }
+    const token = ctx.get("x-lock");
+    if (!token) {
+      ctx.status = 403;
+      ctx.body = { error: "Blocked by x-lock: missing token" };
+      return;
+    }
+    try {
+      const result = await enforce(apiUrl, siteKey, token, ctx.path);
+      if (result.blocked) {
+        ctx.status = 403;
+        ctx.body = { error: "Blocked by x-lock", reason: result.reason };
+        return;
+      }
+      if (result.error && !failOpen) {
+        ctx.status = 403;
+        ctx.body = { error: "x-lock verification failed" };
+        return;
+      }
+    } catch (err) {
+      console.error("[x-lock] Enforcement error:", err.message);
+      if (!failOpen) {
+        ctx.status = 403;
+        ctx.body = { error: "x-lock verification failed" };
+        return;
+      }
+    }
+    return next();
+  };
+}
+
+// src/hono.ts
+function xlockMiddleware3(options = {}) {
+  const apiUrl = options.apiUrl || DEFAULT_API_URL;
+  const siteKey = options.siteKey || (typeof process !== "undefined" ? process.env?.XLOCK_SITE_KEY : void 0);
+  const failOpen = options.failOpen !== false;
+  return async (c, next) => {
+    if (!siteKey || c.req.method !== "POST") {
+      return next();
+    }
+    const token = c.req.header("x-lock");
+    if (!token) {
+      return c.json({ error: "Blocked by x-lock: missing token" }, 403);
+    }
+    try {
+      const result = await enforce(apiUrl, siteKey, token, c.req.path);
+      if (result.blocked) {
+        return c.json({ error: "Blocked by x-lock", reason: result.reason }, 403);
+      }
+      if (result.error && !failOpen) {
+        return c.json({ error: "x-lock verification failed" }, 403);
+      }
+    } catch (err) {
+      console.error("[x-lock] Enforcement error:", err);
+      if (!failOpen) {
+        return c.json({ error: "x-lock verification failed" }, 403);
+      }
+    }
+    return next();
+  };
+}
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  DEFAULT_API_URL,
+  expressMiddleware,
+  honoMiddleware,
+  koaMiddleware,
+  verify
+});
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/index.ts","../src/core.ts","../src/express.ts","../src/koa.ts","../src/hono.ts"],"sourcesContent":["/**\n * @xlock/node — invisible bot protection middleware for Node.js\n *\n * Framework-specific imports:\n *   import { xlockMiddleware } from \"@xlock/node/express\";\n *   import { xlockPlugin } from \"@xlock/node/fastify\";\n *   import { xlockMiddleware } from \"@xlock/node/koa\";\n *   import { withXlock } from \"@xlock/node/next\";\n *   import { xlockMiddleware } from \"@xlock/node/hono\";\n *\n * Or use the core verify function directly:\n *   import { verify } from \"@xlock/node\";\n */\n\nexport { enforce as verify, DEFAULT_API_URL, type XLockConfig, type EnforceResult } from \"./core\";\n\n// Re-export framework adapters that don't require peer deps at import time\nexport { xlockMiddleware as expressMiddleware } from \"./express\";\nexport { xlockMiddleware as koaMiddleware } from \"./koa\";\nexport { xlockMiddleware as honoMiddleware } from \"./hono\";\n// Fastify and Next.js should be imported via subpath:\n//   import { xlockPlugin } from \"@xlock/node/fastify\";\n//   import { withXlock } from \"@xlock/node/next\";\n","/**\n * Core x-lock enforcement logic shared across all framework adapters.\n */\n\nexport const DEFAULT_API_URL = \"https://api.x-lock.dev\";\n\nexport interface XLockConfig {\n  /** Your x-lock site key (or set XLOCK_SITE_KEY env var) */\n  siteKey?: string;\n  /** x-lock API URL (default: https://api.x-lock.dev) */\n  apiUrl?: string;\n  /** Allow requests through on API errors (default: true) */\n  failOpen?: boolean;\n}\n\nexport interface EnforceResult {\n  blocked: boolean;\n  reason?: string;\n  error?: boolean;\n}\n\n/**\n * Call the x-lock enforcement API to verify a token.\n */\nexport async function enforce(\n  apiUrl: string,\n  siteKey: string,\n  token: string,\n  path?: string\n): Promise<EnforceResult> {\n  let enforceUrl: string;\n  let body: Record<string, string>;\n\n  if (token.startsWith(\"v3.\")) {\n    const sessionId = token.split(\".\")[1];\n    enforceUrl = `${apiUrl}/v3/session/enforce`;\n    body = { sessionId, siteKey };\n    if (path) body.path = path;\n  } else {\n    enforceUrl = `${apiUrl}/v1/enforce`;\n    body = { token, siteKey };\n    if (path) body.path = path;\n  }\n\n  const response = await fetch(enforceUrl, {\n    method: \"POST\",\n    headers: { \"Content-Type\": \"application/json\" },\n    body: JSON.stringify(body),\n  });\n\n  if (response.status === 403) {\n    const data = (await response.json()) as { reason?: string };\n    return { blocked: true, reason: data.reason };\n  }\n\n  if (!response.ok) {\n    return { blocked: false, error: true };\n  }\n\n  return { blocked: false };\n}\n\n/**\n * Resolve site key from options or environment.\n */\nexport function resolveSiteKey(siteKey?: string): string | undefined {\n  return siteKey || process.env.XLOCK_SITE_KEY;\n}\n","/**\n * x-lock middleware for Express.js\n *\n * @example\n * ```js\n * import { xlockMiddleware } from \"@xlock/node/express\";\n * app.use(\"/api/auth\", xlockMiddleware({ siteKey: \"sk_...\" }));\n * ```\n */\n\nimport { enforce, resolveSiteKey, DEFAULT_API_URL, type XLockConfig } from \"./core\";\n\nexport type { XLockConfig };\n\nexport function xlockMiddleware(options: XLockConfig = {}) {\n  const apiUrl = options.apiUrl || DEFAULT_API_URL;\n  const siteKey = resolveSiteKey(options.siteKey);\n  const failOpen = options.failOpen !== false;\n\n  if (!siteKey) {\n    console.warn(\"[x-lock] No site key configured — skipping enforcement\");\n    return (_req: any, _res: any, next: () => void) => next();\n  }\n\n  return async (req: any, res: any, next: () => void) => {\n    const token = req.headers[\"x-lock\"];\n\n    if (!token) {\n      return res.status(403).json({ error: \"Blocked by x-lock: missing token\" });\n    }\n\n    try {\n      const result = await enforce(apiUrl, siteKey, token, req.originalUrl || req.url);\n\n      if (result.blocked) {\n        return res.status(403).json({ error: \"Blocked by x-lock\", reason: result.reason });\n      }\n\n      if (result.error && !failOpen) {\n        return res.status(403).json({ error: \"x-lock verification failed\" });\n      }\n    } catch (err: any) {\n      console.error(\"[x-lock] Enforcement error:\", err.message);\n      if (!failOpen) {\n        return res.status(403).json({ error: \"x-lock verification failed\" });\n      }\n    }\n\n    next();\n  };\n}\n","/**\n * x-lock middleware for Koa\n *\n * @example\n * ```js\n * import { xlockMiddleware } from \"@xlock/node/koa\";\n * router.post(\"/api/auth/login\", xlockMiddleware({ siteKey: \"sk_...\" }), loginHandler);\n * ```\n */\n\nimport { enforce, resolveSiteKey, DEFAULT_API_URL, type XLockConfig } from \"./core\";\n\nexport interface XLockKoaConfig extends XLockConfig {\n  /** Route prefixes to protect */\n  routes?: string[];\n}\n\nexport function xlockMiddleware(options: XLockKoaConfig = {}) {\n  const apiUrl = options.apiUrl || DEFAULT_API_URL;\n  const siteKey = resolveSiteKey(options.siteKey);\n  const failOpen = options.failOpen !== false;\n  const routes = options.routes || [];\n\n  if (!siteKey) {\n    console.warn(\"[x-lock] No site key configured — skipping enforcement\");\n    return async (_ctx: any, next: () => Promise<void>) => next();\n  }\n\n  return async (ctx: any, next: () => Promise<void>) => {\n    if (ctx.method !== \"POST\") return next();\n\n    if (routes.length > 0 && !routes.some((r: string) => ctx.path.startsWith(r))) {\n      return next();\n    }\n\n    const token = ctx.get(\"x-lock\");\n\n    if (!token) {\n      ctx.status = 403;\n      ctx.body = { error: \"Blocked by x-lock: missing token\" };\n      return;\n    }\n\n    try {\n      const result = await enforce(apiUrl, siteKey, token, ctx.path);\n\n      if (result.blocked) {\n        ctx.status = 403;\n        ctx.body = { error: \"Blocked by x-lock\", reason: result.reason };\n        return;\n      }\n\n      if (result.error && !failOpen) {\n        ctx.status = 403;\n        ctx.body = { error: \"x-lock verification failed\" };\n        return;\n      }\n    } catch (err: any) {\n      console.error(\"[x-lock] Enforcement error:\", err.message);\n      if (!failOpen) {\n        ctx.status = 403;\n        ctx.body = { error: \"x-lock verification failed\" };\n        return;\n      }\n    }\n\n    return next();\n  };\n}\n","/**\n * x-lock middleware for Hono (Bun / Cloudflare Workers / Deno / Node)\n *\n * @example\n * ```ts\n * import { xlockMiddleware } from \"@xlock/node/hono\";\n * app.use(\"/api/auth/*\", xlockMiddleware({ siteKey: \"sk_...\" }));\n * ```\n */\n\nimport { enforce, DEFAULT_API_URL, type XLockConfig } from \"./core\";\n\nexport type { XLockConfig };\n\nexport function xlockMiddleware(options: XLockConfig = {}) {\n  const apiUrl = options.apiUrl || DEFAULT_API_URL;\n  const siteKey =\n    options.siteKey ||\n    (typeof process !== \"undefined\" ? process.env?.XLOCK_SITE_KEY : undefined);\n  const failOpen = options.failOpen !== false;\n\n  return async (c: any, next: () => Promise<void>) => {\n    if (!siteKey || c.req.method !== \"POST\") {\n      return next();\n    }\n\n    const token = c.req.header(\"x-lock\");\n\n    if (!token) {\n      return c.json({ error: \"Blocked by x-lock: missing token\" }, 403);\n    }\n\n    try {\n      const result = await enforce(apiUrl, siteKey, token, c.req.path);\n\n      if (result.blocked) {\n        return c.json({ error: \"Blocked by x-lock\", reason: result.reason }, 403);\n      }\n\n      if (result.error && !failOpen) {\n        return c.json({ error: \"x-lock verification failed\" }, 403);\n      }\n    } catch (err) {\n      console.error(\"[x-lock] Enforcement error:\", err);\n      if (!failOpen) {\n        return c.json({ error: \"x-lock verification failed\" }, 403);\n      }\n    }\n\n    return next();\n  };\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA,wBAAAA;AAAA,EAAA,qBAAAA;AAAA,EAAA;AAAA;AAAA;;;ACIO,IAAM,kBAAkB;AAoB/B,eAAsB,QACpB,QACA,SACA,OACA,MACwB;AACxB,MAAI;AACJ,MAAI;AAEJ,MAAI,MAAM,WAAW,KAAK,GAAG;AAC3B,UAAM,YAAY,MAAM,MAAM,GAAG,EAAE,CAAC;AACpC,iBAAa,GAAG,MAAM;AACtB,WAAO,EAAE,WAAW,QAAQ;AAC5B,QAAI,KAAM,MAAK,OAAO;AAAA,EACxB,OAAO;AACL,iBAAa,GAAG,MAAM;AACtB,WAAO,EAAE,OAAO,QAAQ;AACxB,QAAI,KAAM,MAAK,OAAO;AAAA,EACxB;AAEA,QAAM,WAAW,MAAM,MAAM,YAAY;AAAA,IACvC,QAAQ;AAAA,IACR,SAAS,EAAE,gBAAgB,mBAAmB;AAAA,IAC9C,MAAM,KAAK,UAAU,IAAI;AAAA,EAC3B,CAAC;AAED,MAAI,SAAS,WAAW,KAAK;AAC3B,UAAM,OAAQ,MAAM,SAAS,KAAK;AAClC,WAAO,EAAE,SAAS,MAAM,QAAQ,KAAK,OAAO;AAAA,EAC9C;AAEA,MAAI,CAAC,SAAS,IAAI;AAChB,WAAO,EAAE,SAAS,OAAO,OAAO,KAAK;AAAA,EACvC;AAEA,SAAO,EAAE,SAAS,MAAM;AAC1B;AAKO,SAAS,eAAe,SAAsC;AACnE,SAAO,WAAW,QAAQ,IAAI;AAChC;;;ACrDO,SAAS,gBAAgB,UAAuB,CAAC,GAAG;AACzD,QAAM,SAAS,QAAQ,UAAU;AACjC,QAAM,UAAU,eAAe,QAAQ,OAAO;AAC9C,QAAM,WAAW,QAAQ,aAAa;AAEtC,MAAI,CAAC,SAAS;AACZ,YAAQ,KAAK,6DAAwD;AACrE,WAAO,CAAC,MAAW,MAAW,SAAqB,KAAK;AAAA,EAC1D;AAEA,SAAO,OAAO,KAAU,KAAU,SAAqB;AACrD,UAAM,QAAQ,IAAI,QAAQ,QAAQ;AAElC,QAAI,CAAC,OAAO;AACV,aAAO,IAAI,OAAO,GAAG,EAAE,KAAK,EAAE,OAAO,mCAAmC,CAAC;AAAA,IAC3E;AAEA,QAAI;AACF,YAAM,SAAS,MAAM,QAAQ,QAAQ,SAAS,OAAO,IAAI,eAAe,IAAI,GAAG;AAE/E,UAAI,OAAO,SAAS;AAClB,eAAO,IAAI,OAAO,GAAG,EAAE,KAAK,EAAE,OAAO,qBAAqB,QAAQ,OAAO,OAAO,CAAC;AAAA,MACnF;AAEA,UAAI,OAAO,SAAS,CAAC,UAAU;AAC7B,eAAO,IAAI,OAAO,GAAG,EAAE,KAAK,EAAE,OAAO,6BAA6B,CAAC;AAAA,MACrE;AAAA,IACF,SAAS,KAAU;AACjB,cAAQ,MAAM,+BAA+B,IAAI,OAAO;AACxD,UAAI,CAAC,UAAU;AACb,eAAO,IAAI,OAAO,GAAG,EAAE,KAAK,EAAE,OAAO,6BAA6B,CAAC;AAAA,MACrE;AAAA,IACF;AAEA,SAAK;AAAA,EACP;AACF;;;ACjCO,SAASC,iBAAgB,UAA0B,CAAC,GAAG;AAC5D,QAAM,SAAS,QAAQ,UAAU;AACjC,QAAM,UAAU,eAAe,QAAQ,OAAO;AAC9C,QAAM,WAAW,QAAQ,aAAa;AACtC,QAAM,SAAS,QAAQ,UAAU,CAAC;AAElC,MAAI,CAAC,SAAS;AACZ,YAAQ,KAAK,6DAAwD;AACrE,WAAO,OAAO,MAAW,SAA8B,KAAK;AAAA,EAC9D;AAEA,SAAO,OAAO,KAAU,SAA8B;AACpD,QAAI,IAAI,WAAW,OAAQ,QAAO,KAAK;AAEvC,QAAI,OAAO,SAAS,KAAK,CAAC,OAAO,KAAK,CAAC,MAAc,IAAI,KAAK,WAAW,CAAC,CAAC,GAAG;AAC5E,aAAO,KAAK;AAAA,IACd;AAEA,UAAM,QAAQ,IAAI,IAAI,QAAQ;AAE9B,QAAI,CAAC,OAAO;AACV,UAAI,SAAS;AACb,UAAI,OAAO,EAAE,OAAO,mCAAmC;AACvD;AAAA,IACF;AAEA,QAAI;AACF,YAAM,SAAS,MAAM,QAAQ,QAAQ,SAAS,OAAO,IAAI,IAAI;AAE7D,UAAI,OAAO,SAAS;AAClB,YAAI,SAAS;AACb,YAAI,OAAO,EAAE,OAAO,qBAAqB,QAAQ,OAAO,OAAO;AAC/D;AAAA,MACF;AAEA,UAAI,OAAO,SAAS,CAAC,UAAU;AAC7B,YAAI,SAAS;AACb,YAAI,OAAO,EAAE,OAAO,6BAA6B;AACjD;AAAA,MACF;AAAA,IACF,SAAS,KAAU;AACjB,cAAQ,MAAM,+BAA+B,IAAI,OAAO;AACxD,UAAI,CAAC,UAAU;AACb,YAAI,SAAS;AACb,YAAI,OAAO,EAAE,OAAO,6BAA6B;AACjD;AAAA,MACF;AAAA,IACF;AAEA,WAAO,KAAK;AAAA,EACd;AACF;;;ACtDO,SAASC,iBAAgB,UAAuB,CAAC,GAAG;AACzD,QAAM,SAAS,QAAQ,UAAU;AACjC,QAAM,UACJ,QAAQ,YACP,OAAO,YAAY,cAAc,QAAQ,KAAK,iBAAiB;AAClE,QAAM,WAAW,QAAQ,aAAa;AAEtC,SAAO,OAAO,GAAQ,SAA8B;AAClD,QAAI,CAAC,WAAW,EAAE,IAAI,WAAW,QAAQ;AACvC,aAAO,KAAK;AAAA,IACd;AAEA,UAAM,QAAQ,EAAE,IAAI,OAAO,QAAQ;AAEnC,QAAI,CAAC,OAAO;AACV,aAAO,EAAE,KAAK,EAAE,OAAO,mCAAmC,GAAG,GAAG;AAAA,IAClE;AAEA,QAAI;AACF,YAAM,SAAS,MAAM,QAAQ,QAAQ,SAAS,OAAO,EAAE,IAAI,IAAI;AAE/D,UAAI,OAAO,SAAS;AAClB,eAAO,EAAE,KAAK,EAAE,OAAO,qBAAqB,QAAQ,OAAO,OAAO,GAAG,GAAG;AAAA,MAC1E;AAEA,UAAI,OAAO,SAAS,CAAC,UAAU;AAC7B,eAAO,EAAE,KAAK,EAAE,OAAO,6BAA6B,GAAG,GAAG;AAAA,MAC5D;AAAA,IACF,SAAS,KAAK;AACZ,cAAQ,MAAM,+BAA+B,GAAG;AAChD,UAAI,CAAC,UAAU;AACb,eAAO,EAAE,KAAK,EAAE,OAAO,6BAA6B,GAAG,GAAG;AAAA,MAC5D;AAAA,IACF;AAEA,WAAO,KAAK;AAAA,EACd;AACF;","names":["xlockMiddleware","xlockMiddleware","xlockMiddleware"]}

package/dist/index.mjs

@@ -0,0 +1,148 @@
+// src/core.ts
+var DEFAULT_API_URL = "https://api.x-lock.dev";
+async function enforce(apiUrl, siteKey, token, path) {
+  let enforceUrl;
+  let body;
+  if (token.startsWith("v3.")) {
+    const sessionId = token.split(".")[1];
+    enforceUrl = `${apiUrl}/v3/session/enforce`;
+    body = { sessionId, siteKey };
+    if (path) body.path = path;
+  } else {
+    enforceUrl = `${apiUrl}/v1/enforce`;
+    body = { token, siteKey };
+    if (path) body.path = path;
+  }
+  const response = await fetch(enforceUrl, {
+    method: "POST",
+    headers: { "Content-Type": "application/json" },
+    body: JSON.stringify(body)
+  });
+  if (response.status === 403) {
+    const data = await response.json();
+    return { blocked: true, reason: data.reason };
+  }
+  if (!response.ok) {
+    return { blocked: false, error: true };
+  }
+  return { blocked: false };
+}
+function resolveSiteKey(siteKey) {
+  return siteKey || process.env.XLOCK_SITE_KEY;
+}
+
+// src/express.ts
+function xlockMiddleware(options = {}) {
+  const apiUrl = options.apiUrl || DEFAULT_API_URL;
+  const siteKey = resolveSiteKey(options.siteKey);
+  const failOpen = options.failOpen !== false;
+  if (!siteKey) {
+    console.warn("[x-lock] No site key configured \u2014 skipping enforcement");
+    return (_req, _res, next) => next();
+  }
+  return async (req, res, next) => {
+    const token = req.headers["x-lock"];
+    if (!token) {
+      return res.status(403).json({ error: "Blocked by x-lock: missing token" });
+    }
+    try {
+      const result = await enforce(apiUrl, siteKey, token, req.originalUrl || req.url);
+      if (result.blocked) {
+        return res.status(403).json({ error: "Blocked by x-lock", reason: result.reason });
+      }
+      if (result.error && !failOpen) {
+        return res.status(403).json({ error: "x-lock verification failed" });
+      }
+    } catch (err) {
+      console.error("[x-lock] Enforcement error:", err.message);
+      if (!failOpen) {
+        return res.status(403).json({ error: "x-lock verification failed" });
+      }
+    }
+    next();
+  };
+}
+
+// src/koa.ts
+function xlockMiddleware2(options = {}) {
+  const apiUrl = options.apiUrl || DEFAULT_API_URL;
+  const siteKey = resolveSiteKey(options.siteKey);
+  const failOpen = options.failOpen !== false;
+  const routes = options.routes || [];
+  if (!siteKey) {
+    console.warn("[x-lock] No site key configured \u2014 skipping enforcement");
+    return async (_ctx, next) => next();
+  }
+  return async (ctx, next) => {
+    if (ctx.method !== "POST") return next();
+    if (routes.length > 0 && !routes.some((r) => ctx.path.startsWith(r))) {
+      return next();
+    }
+    const token = ctx.get("x-lock");
+    if (!token) {
+      ctx.status = 403;
+      ctx.body = { error: "Blocked by x-lock: missing token" };
+      return;
+    }
+    try {
+      const result = await enforce(apiUrl, siteKey, token, ctx.path);
+      if (result.blocked) {
+        ctx.status = 403;
+        ctx.body = { error: "Blocked by x-lock", reason: result.reason };
+        return;
+      }
+      if (result.error && !failOpen) {
+        ctx.status = 403;
+        ctx.body = { error: "x-lock verification failed" };
+        return;
+      }
+    } catch (err) {
+      console.error("[x-lock] Enforcement error:", err.message);
+      if (!failOpen) {
+        ctx.status = 403;
+        ctx.body = { error: "x-lock verification failed" };
+        return;
+      }
+    }
+    return next();
+  };
+}
+
+// src/hono.ts
+function xlockMiddleware3(options = {}) {
+  const apiUrl = options.apiUrl || DEFAULT_API_URL;
+  const siteKey = options.siteKey || (typeof process !== "undefined" ? process.env?.XLOCK_SITE_KEY : void 0);
+  const failOpen = options.failOpen !== false;
+  return async (c, next) => {
+    if (!siteKey || c.req.method !== "POST") {
+      return next();
+    }
+    const token = c.req.header("x-lock");
+    if (!token) {
+      return c.json({ error: "Blocked by x-lock: missing token" }, 403);
+    }
+    try {
+      const result = await enforce(apiUrl, siteKey, token, c.req.path);
+      if (result.blocked) {
+        return c.json({ error: "Blocked by x-lock", reason: result.reason }, 403);
+      }
+      if (result.error && !failOpen) {
+        return c.json({ error: "x-lock verification failed" }, 403);
+      }
+    } catch (err) {
+      console.error("[x-lock] Enforcement error:", err);
+      if (!failOpen) {
+        return c.json({ error: "x-lock verification failed" }, 403);
+      }
+    }
+    return next();
+  };
+}
+export {
+  DEFAULT_API_URL,
+  xlockMiddleware as expressMiddleware,
+  xlockMiddleware3 as honoMiddleware,
+  xlockMiddleware2 as koaMiddleware,
+  enforce as verify
+};
+//# sourceMappingURL=index.mjs.map

package/dist/index.mjs.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/core.ts","../src/express.ts","../src/koa.ts","../src/hono.ts"],"sourcesContent":["/**\n * Core x-lock enforcement logic shared across all framework adapters.\n */\n\nexport const DEFAULT_API_URL = \"https://api.x-lock.dev\";\n\nexport interface XLockConfig {\n  /** Your x-lock site key (or set XLOCK_SITE_KEY env var) */\n  siteKey?: string;\n  /** x-lock API URL (default: https://api.x-lock.dev) */\n  apiUrl?: string;\n  /** Allow requests through on API errors (default: true) */\n  failOpen?: boolean;\n}\n\nexport interface EnforceResult {\n  blocked: boolean;\n  reason?: string;\n  error?: boolean;\n}\n\n/**\n * Call the x-lock enforcement API to verify a token.\n */\nexport async function enforce(\n  apiUrl: string,\n  siteKey: string,\n  token: string,\n  path?: string\n): Promise<EnforceResult> {\n  let enforceUrl: string;\n  let body: Record<string, string>;\n\n  if (token.startsWith(\"v3.\")) {\n    const sessionId = token.split(\".\")[1];\n    enforceUrl = `${apiUrl}/v3/session/enforce`;\n    body = { sessionId, siteKey };\n    if (path) body.path = path;\n  } else {\n    enforceUrl = `${apiUrl}/v1/enforce`;\n    body = { token, siteKey };\n    if (path) body.path = path;\n  }\n\n  const response = await fetch(enforceUrl, {\n    method: \"POST\",\n    headers: { \"Content-Type\": \"application/json\" },\n    body: JSON.stringify(body),\n  });\n\n  if (response.status === 403) {\n    const data = (await response.json()) as { reason?: string };\n    return { blocked: true, reason: data.reason };\n  }\n\n  if (!response.ok) {\n    return { blocked: false, error: true };\n  }\n\n  return { blocked: false };\n}\n\n/**\n * Resolve site key from options or environment.\n */\nexport function resolveSiteKey(siteKey?: string): string | undefined {\n  return siteKey || process.env.XLOCK_SITE_KEY;\n}\n","/**\n * x-lock middleware for Express.js\n *\n * @example\n * ```js\n * import { xlockMiddleware } from \"@xlock/node/express\";\n * app.use(\"/api/auth\", xlockMiddleware({ siteKey: \"sk_...\" }));\n * ```\n */\n\nimport { enforce, resolveSiteKey, DEFAULT_API_URL, type XLockConfig } from \"./core\";\n\nexport type { XLockConfig };\n\nexport function xlockMiddleware(options: XLockConfig = {}) {\n  const apiUrl = options.apiUrl || DEFAULT_API_URL;\n  const siteKey = resolveSiteKey(options.siteKey);\n  const failOpen = options.failOpen !== false;\n\n  if (!siteKey) {\n    console.warn(\"[x-lock] No site key configured — skipping enforcement\");\n    return (_req: any, _res: any, next: () => void) => next();\n  }\n\n  return async (req: any, res: any, next: () => void) => {\n    const token = req.headers[\"x-lock\"];\n\n    if (!token) {\n      return res.status(403).json({ error: \"Blocked by x-lock: missing token\" });\n    }\n\n    try {\n      const result = await enforce(apiUrl, siteKey, token, req.originalUrl || req.url);\n\n      if (result.blocked) {\n        return res.status(403).json({ error: \"Blocked by x-lock\", reason: result.reason });\n      }\n\n      if (result.error && !failOpen) {\n        return res.status(403).json({ error: \"x-lock verification failed\" });\n      }\n    } catch (err: any) {\n      console.error(\"[x-lock] Enforcement error:\", err.message);\n      if (!failOpen) {\n        return res.status(403).json({ error: \"x-lock verification failed\" });\n      }\n    }\n\n    next();\n  };\n}\n","/**\n * x-lock middleware for Koa\n *\n * @example\n * ```js\n * import { xlockMiddleware } from \"@xlock/node/koa\";\n * router.post(\"/api/auth/login\", xlockMiddleware({ siteKey: \"sk_...\" }), loginHandler);\n * ```\n */\n\nimport { enforce, resolveSiteKey, DEFAULT_API_URL, type XLockConfig } from \"./core\";\n\nexport interface XLockKoaConfig extends XLockConfig {\n  /** Route prefixes to protect */\n  routes?: string[];\n}\n\nexport function xlockMiddleware(options: XLockKoaConfig = {}) {\n  const apiUrl = options.apiUrl || DEFAULT_API_URL;\n  const siteKey = resolveSiteKey(options.siteKey);\n  const failOpen = options.failOpen !== false;\n  const routes = options.routes || [];\n\n  if (!siteKey) {\n    console.warn(\"[x-lock] No site key configured — skipping enforcement\");\n    return async (_ctx: any, next: () => Promise<void>) => next();\n  }\n\n  return async (ctx: any, next: () => Promise<void>) => {\n    if (ctx.method !== \"POST\") return next();\n\n    if (routes.length > 0 && !routes.some((r: string) => ctx.path.startsWith(r))) {\n      return next();\n    }\n\n    const token = ctx.get(\"x-lock\");\n\n    if (!token) {\n      ctx.status = 403;\n      ctx.body = { error: \"Blocked by x-lock: missing token\" };\n      return;\n    }\n\n    try {\n      const result = await enforce(apiUrl, siteKey, token, ctx.path);\n\n      if (result.blocked) {\n        ctx.status = 403;\n        ctx.body = { error: \"Blocked by x-lock\", reason: result.reason };\n        return;\n      }\n\n      if (result.error && !failOpen) {\n        ctx.status = 403;\n        ctx.body = { error: \"x-lock verification failed\" };\n        return;\n      }\n    } catch (err: any) {\n      console.error(\"[x-lock] Enforcement error:\", err.message);\n      if (!failOpen) {\n        ctx.status = 403;\n        ctx.body = { error: \"x-lock verification failed\" };\n        return;\n      }\n    }\n\n    return next();\n  };\n}\n","/**\n * x-lock middleware for Hono (Bun / Cloudflare Workers / Deno / Node)\n *\n * @example\n * ```ts\n * import { xlockMiddleware } from \"@xlock/node/hono\";\n * app.use(\"/api/auth/*\", xlockMiddleware({ siteKey: \"sk_...\" }));\n * ```\n */\n\nimport { enforce, DEFAULT_API_URL, type XLockConfig } from \"./core\";\n\nexport type { XLockConfig };\n\nexport function xlockMiddleware(options: XLockConfig = {}) {\n  const apiUrl = options.apiUrl || DEFAULT_API_URL;\n  const siteKey =\n    options.siteKey ||\n    (typeof process !== \"undefined\" ? process.env?.XLOCK_SITE_KEY : undefined);\n  const failOpen = options.failOpen !== false;\n\n  return async (c: any, next: () => Promise<void>) => {\n    if (!siteKey || c.req.method !== \"POST\") {\n      return next();\n    }\n\n    const token = c.req.header(\"x-lock\");\n\n    if (!token) {\n      return c.json({ error: \"Blocked by x-lock: missing token\" }, 403);\n    }\n\n    try {\n      const result = await enforce(apiUrl, siteKey, token, c.req.path);\n\n      if (result.blocked) {\n        return c.json({ error: \"Blocked by x-lock\", reason: result.reason }, 403);\n      }\n\n      if (result.error && !failOpen) {\n        return c.json({ error: \"x-lock verification failed\" }, 403);\n      }\n    } catch (err) {\n      console.error(\"[x-lock] Enforcement error:\", err);\n      if (!failOpen) {\n        return c.json({ error: \"x-lock verification failed\" }, 403);\n      }\n    }\n\n    return next();\n  };\n}\n"],"mappings":";AAIO,IAAM,kBAAkB;AAoB/B,eAAsB,QACpB,QACA,SACA,OACA,MACwB;AACxB,MAAI;AACJ,MAAI;AAEJ,MAAI,MAAM,WAAW,KAAK,GAAG;AAC3B,UAAM,YAAY,MAAM,MAAM,GAAG,EAAE,CAAC;AACpC,iBAAa,GAAG,MAAM;AACtB,WAAO,EAAE,WAAW,QAAQ;AAC5B,QAAI,KAAM,MAAK,OAAO;AAAA,EACxB,OAAO;AACL,iBAAa,GAAG,MAAM;AACtB,WAAO,EAAE,OAAO,QAAQ;AACxB,QAAI,KAAM,MAAK,OAAO;AAAA,EACxB;AAEA,QAAM,WAAW,MAAM,MAAM,YAAY;AAAA,IACvC,QAAQ;AAAA,IACR,SAAS,EAAE,gBAAgB,mBAAmB;AAAA,IAC9C,MAAM,KAAK,UAAU,IAAI;AAAA,EAC3B,CAAC;AAED,MAAI,SAAS,WAAW,KAAK;AAC3B,UAAM,OAAQ,MAAM,SAAS,KAAK;AAClC,WAAO,EAAE,SAAS,MAAM,QAAQ,KAAK,OAAO;AAAA,EAC9C;AAEA,MAAI,CAAC,SAAS,IAAI;AAChB,WAAO,EAAE,SAAS,OAAO,OAAO,KAAK;AAAA,EACvC;AAEA,SAAO,EAAE,SAAS,MAAM;AAC1B;AAKO,SAAS,eAAe,SAAsC;AACnE,SAAO,WAAW,QAAQ,IAAI;AAChC;;;ACrDO,SAAS,gBAAgB,UAAuB,CAAC,GAAG;AACzD,QAAM,SAAS,QAAQ,UAAU;AACjC,QAAM,UAAU,eAAe,QAAQ,OAAO;AAC9C,QAAM,WAAW,QAAQ,aAAa;AAEtC,MAAI,CAAC,SAAS;AACZ,YAAQ,KAAK,6DAAwD;AACrE,WAAO,CAAC,MAAW,MAAW,SAAqB,KAAK;AAAA,EAC1D;AAEA,SAAO,OAAO,KAAU,KAAU,SAAqB;AACrD,UAAM,QAAQ,IAAI,QAAQ,QAAQ;AAElC,QAAI,CAAC,OAAO;AACV,aAAO,IAAI,OAAO,GAAG,EAAE,KAAK,EAAE,OAAO,mCAAmC,CAAC;AAAA,IAC3E;AAEA,QAAI;AACF,YAAM,SAAS,MAAM,QAAQ,QAAQ,SAAS,OAAO,IAAI,eAAe,IAAI,GAAG;AAE/E,UAAI,OAAO,SAAS;AAClB,eAAO,IAAI,OAAO,GAAG,EAAE,KAAK,EAAE,OAAO,qBAAqB,QAAQ,OAAO,OAAO,CAAC;AAAA,MACnF;AAEA,UAAI,OAAO,SAAS,CAAC,UAAU;AAC7B,eAAO,IAAI,OAAO,GAAG,EAAE,KAAK,EAAE,OAAO,6BAA6B,CAAC;AAAA,MACrE;AAAA,IACF,SAAS,KAAU;AACjB,cAAQ,MAAM,+BAA+B,IAAI,OAAO;AACxD,UAAI,CAAC,UAAU;AACb,eAAO,IAAI,OAAO,GAAG,EAAE,KAAK,EAAE,OAAO,6BAA6B,CAAC;AAAA,MACrE;AAAA,IACF;AAEA,SAAK;AAAA,EACP;AACF;;;ACjCO,SAASA,iBAAgB,UAA0B,CAAC,GAAG;AAC5D,QAAM,SAAS,QAAQ,UAAU;AACjC,QAAM,UAAU,eAAe,QAAQ,OAAO;AAC9C,QAAM,WAAW,QAAQ,aAAa;AACtC,QAAM,SAAS,QAAQ,UAAU,CAAC;AAElC,MAAI,CAAC,SAAS;AACZ,YAAQ,KAAK,6DAAwD;AACrE,WAAO,OAAO,MAAW,SAA8B,KAAK;AAAA,EAC9D;AAEA,SAAO,OAAO,KAAU,SAA8B;AACpD,QAAI,IAAI,WAAW,OAAQ,QAAO,KAAK;AAEvC,QAAI,OAAO,SAAS,KAAK,CAAC,OAAO,KAAK,CAAC,MAAc,IAAI,KAAK,WAAW,CAAC,CAAC,GAAG;AAC5E,aAAO,KAAK;AAAA,IACd;AAEA,UAAM,QAAQ,IAAI,IAAI,QAAQ;AAE9B,QAAI,CAAC,OAAO;AACV,UAAI,SAAS;AACb,UAAI,OAAO,EAAE,OAAO,mCAAmC;AACvD;AAAA,IACF;AAEA,QAAI;AACF,YAAM,SAAS,MAAM,QAAQ,QAAQ,SAAS,OAAO,IAAI,IAAI;AAE7D,UAAI,OAAO,SAAS;AAClB,YAAI,SAAS;AACb,YAAI,OAAO,EAAE,OAAO,qBAAqB,QAAQ,OAAO,OAAO;AAC/D;AAAA,MACF;AAEA,UAAI,OAAO,SAAS,CAAC,UAAU;AAC7B,YAAI,SAAS;AACb,YAAI,OAAO,EAAE,OAAO,6BAA6B;AACjD;AAAA,MACF;AAAA,IACF,SAAS,KAAU;AACjB,cAAQ,MAAM,+BAA+B,IAAI,OAAO;AACxD,UAAI,CAAC,UAAU;AACb,YAAI,SAAS;AACb,YAAI,OAAO,EAAE,OAAO,6BAA6B;AACjD;AAAA,MACF;AAAA,IACF;AAEA,WAAO,KAAK;AAAA,EACd;AACF;;;ACtDO,SAASC,iBAAgB,UAAuB,CAAC,GAAG;AACzD,QAAM,SAAS,QAAQ,UAAU;AACjC,QAAM,UACJ,QAAQ,YACP,OAAO,YAAY,cAAc,QAAQ,KAAK,iBAAiB;AAClE,QAAM,WAAW,QAAQ,aAAa;AAEtC,SAAO,OAAO,GAAQ,SAA8B;AAClD,QAAI,CAAC,WAAW,EAAE,IAAI,WAAW,QAAQ;AACvC,aAAO,KAAK;AAAA,IACd;AAEA,UAAM,QAAQ,EAAE,IAAI,OAAO,QAAQ;AAEnC,QAAI,CAAC,OAAO;AACV,aAAO,EAAE,KAAK,EAAE,OAAO,mCAAmC,GAAG,GAAG;AAAA,IAClE;AAEA,QAAI;AACF,YAAM,SAAS,MAAM,QAAQ,QAAQ,SAAS,OAAO,EAAE,IAAI,IAAI;AAE/D,UAAI,OAAO,SAAS;AAClB,eAAO,EAAE,KAAK,EAAE,OAAO,qBAAqB,QAAQ,OAAO,OAAO,GAAG,GAAG;AAAA,MAC1E;AAEA,UAAI,OAAO,SAAS,CAAC,UAAU;AAC7B,eAAO,EAAE,KAAK,EAAE,OAAO,6BAA6B,GAAG,GAAG;AAAA,MAC5D;AAAA,IACF,SAAS,KAAK;AACZ,cAAQ,MAAM,+BAA+B,GAAG;AAChD,UAAI,CAAC,UAAU;AACb,eAAO,EAAE,KAAK,EAAE,OAAO,6BAA6B,GAAG,GAAG;AAAA,MAC5D;AAAA,IACF;AAEA,WAAO,KAAK;AAAA,EACd;AACF;","names":["xlockMiddleware","xlockMiddleware"]}

package/dist/koa.d.mts

@@ -0,0 +1,19 @@
+import { X as XLockConfig } from './core-D4eszYbi.mjs';
+
+/**
+ * x-lock middleware for Koa
+ *
+ * @example
+ * ```js
+ * import { xlockMiddleware } from "@xlock/node/koa";
+ * router.post("/api/auth/login", xlockMiddleware({ siteKey: "sk_..." }), loginHandler);
+ * ```
+ */
+
+interface XLockKoaConfig extends XLockConfig {
+    /** Route prefixes to protect */
+    routes?: string[];
+}
+declare function xlockMiddleware(options?: XLockKoaConfig): (_ctx: any, next: () => Promise<void>) => Promise<void>;
+
+export { type XLockKoaConfig, xlockMiddleware };

package/dist/koa.d.ts

@@ -0,0 +1,19 @@
+import { X as XLockConfig } from './core-D4eszYbi.js';
+
+/**
+ * x-lock middleware for Koa
+ *
+ * @example
+ * ```js
+ * import { xlockMiddleware } from "@xlock/node/koa";
+ * router.post("/api/auth/login", xlockMiddleware({ siteKey: "sk_..." }), loginHandler);
+ * ```
+ */
+
+interface XLockKoaConfig extends XLockConfig {
+    /** Route prefixes to protect */
+    routes?: string[];
+}
+declare function xlockMiddleware(options?: XLockKoaConfig): (_ctx: any, next: () => Promise<void>) => Promise<void>;
+
+export { type XLockKoaConfig, xlockMiddleware };