npm - @xopcai/xopc - Versions diffs - 0.0.27 → 0.0.28 - Mend

@xopcai/xopc 0.0.27 → 0.0.28

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (150) hide show

package/dist/src/gateway/auth.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"auth.js","names":[],"sources":["../../../src/gateway/auth.ts"],"sourcesContent":["import crypto from 'crypto';\nimport type { GatewayAuthConfig } from '../config/schema.js';\n\n/*\n Resolved gateway authentication configuration.\n /\nexport interface ResolvedGatewayAuth {\n mode: 'none' \| 'token';\n token?: string;\n}\n\n/\n Resolve gateway authentication configuration.\n * Priority: env vars > config > defaults\n /\nexport function resolveGatewayAuth(params: {\n authConfig?: GatewayAuthConfig \| null;\n env?: NodeJS.ProcessEnv;\n}): ResolvedGatewayAuth {\n const env = params.env ?? process.env;\n const config: GatewayAuthConfig = params.authConfig ?? { mode: 'token' };\n\n // Environment variables take precedence\n const envMode = env.XOPC_GATEWAY_AUTH_MODE;\n const envToken = env.XOPC_GATEWAY_TOKEN;\n\n // Resolve mode\n let mode: ResolvedGatewayAuth['mode'] = 'token';\n if (envMode === 'none' \|\| envMode === 'token') {\n mode = envMode;\n } else if (config.mode === 'none') {\n mode = '~~none~~';\n }\n\n // Resolve token\n let token: string \| undefined;\n if (envToken) {\n token = envToken;\n } else if (config.token) {\n token = config.token;\n } else ~~if (mode === 'token')~~ {\n // Auto-generate token if not provided\n token = crypto.randomBytes(24).toString('hex');\n }\n\n return { mode, token };\n}\n\n/\n Assert that gateway auth is properly configured.\n /\nexport function assertGatewayAuthConfigured(auth: ResolvedGatewayAuth): void {\n if (auth.mode === 'token' && !auth.token) {\n throw new Error(\n 'Gateway auth mode is token, but no token was configured. ' +\n 'Set gateway.auth.token in config or XOPC_GATEWAY_TOKEN environment variable.'\n );\n }\n}\n\n/\n Constant-time string comparison to prevent timing attacks.\n /\nexport ~~function~~ ~~safeCompare(a:~~ ~~string,~~ b: ~~string):~~ ~~boolean~~ {\n ~~const~~ ~~aBuf~~ = ~~Buffer~~.~~from(a,~~ ~~'utf8');\~~n ~~const~~ ~~bBuf~~ = ~~Buffer.~~from~~(b,~~ ~~'utf8');\~~n ~~\n if~~ (~~aBuf.length~~ ~~===~~ ~~bBuf.length~~) {\n return ~~crypto.timingSafeEqual~~(~~aBuf~~, ~~bBuf~~);\n }\n \n // ~~For~~ ~~different~~ ~~lengths\n let~~ ~~result~~ = ~~aBuf.length~~ ^ ~~bBuf.length;\n const~~ ~~maxLen~~ = ~~Math.max(aBuf.length, bBuf.length);\~~n ~~for~~ ~~(let~~ i = 0; i < ~~maxLen;~~ ~~i++)~~ ~~{\n result~~ \|= ~~(aBuf[i~~ % ~~aBuf.length]~~ ~~^ bBuf[i % bBuf.length]);\n }~~\n ~~return~~ ~~result~~ ~~===~~ ~~0;\n}\n\n/\n~~ ~~Validate~~ ~~token~~ ~~against~~ ~~configured~~ ~~auth~~.\n /\nexport function validateToken(auth: ResolvedGatewayAuth, ~~providedToken~~?: string \| null): boolean {\n if (auth.mode === 'none') {\n return true;\n }\n if (!auth.~~token~~ \|\| ~~!providedToken~~) {\n return false;\n }\n return ~~safeCompare~~(auth.token, ~~providedToken~~);\n}\n\n/\n Extract token from request headers.\n * Supports: Authorization: Bearer <token>, X-Api-Key: <token>\n */\nexport function extractToken(headers?: Record<string, string \| string[] \| undefined>): string \| undefined {\n if (!headers) return undefined;\n\n // Authorization: Bearer <token>\n const authHeader = headers.authorization;\n if (authHeader) {\n const value = Array.isArray(authHeader) ? authHeader[0] : authHeader;\n if (value?.startsWith('Bearer ')) {\n return value.slice(7);\n }\n }\n\n // X-Api-Key: <token>\n const apiKey = headers['x-api-key'];\n if (apiKey) {\n return Array.isArray(apiKey) ? apiKey[0] : apiKey;\n }\n\n return undefined;\n}\n"],"mappings":"~~;;;;;;AAeA~~,SAAgB,mBAAmB,QAGX;CACtB,MAAM,MAAM,OAAO,OAAO,QAAQ;CAClC,MAAM,SAA4B,OAAO,cAAc,EAAE,MAAM,SAAS;CAGxE,MAAM,UAAU,IAAI;CACpB,MAAM,WAAW,IAAI;~~CAGrB~~,IAAI,OAAoC;AACxC,KAAI,YAAY,UAAU,YAAY,~~QACpC~~,QAAO;UACE,OAAO,SAAS,~~OACzB~~,QAAO;~~CAIT~~,IAAI;AACJ,KAAI,SACF,SAAQ;UACC,OAAO,MAChB,SAAQ,OAAO;~~UACN~~,~~SAAS,QAElB,~~SAAQ,OAAO,YAAY,GAAG,CAAC,SAAS,MAAM;~~AAGhD~~,QAAO;EAAE;EAAM;EAAO;;;;;~~AAMxB~~,SAAgB,4BAA4B,MAAiC;AAC3E,KAAI,KAAK,SAAS,WAAW,CAAC,KAAK,MACjC,OAAM,IAAI,MACR,wIAED~~;;;;;AAOL,SAAgB,YAAY,GAAW,GAAoB~~;~~CACzD~~,~~MAAM~~,~~OAAO,OAAO,~~KAAK,~~GAAG~~,~~OAAO;CACnC~~,~~MAAM~~,~~OAAO~~,~~OAAO~~,~~KAAK~~,~~GAAG~~,~~OAAO;AAEnC~~,~~KAAI~~,~~KAAK~~,~~WAAW~~,~~KAAK~~,~~OACvB~~,QAAO,~~OAAO,~~gBAAgB,~~MAAM~~,~~KAAK;CAI3C~~,~~IAAI~~,~~SAAS~~,~~KAAK~~,~~SAAS,KAAK~~;~~CAChC~~,~~MAAM~~,~~SAAS,~~KAAK,~~IAAI~~,~~KAAK~~,~~QAAQ,KAAK,OAAO~~;~~AACjD~~,~~MAAK~~,~~IAAI~~,~~IAAI~~,~~GAAG~~,~~IAAI~~,~~QAAQ~~,~~IAC1B~~,~~WAAW~~,~~KAAK~~,~~IAAI~~,KAAK,~~UAAU~~,~~KAAK,IAAI,KAAK~~;~~AAEnD~~,~~QAAO~~,~~WAAW;;;;;AAMpB~~,~~SAAgB,cAAc,MAA2B,eAAwC;AAC/F,KAAI,~~KAAK,~~SAAS~~,~~OAChB~~,~~QAAO;AAET,~~KAAI,CAAC,KAAK,~~SAAS~~,~~CAAC,cAClB,~~QAAO;~~AAET~~,QAAO,~~YAAY~~,KAAK,OAAO,~~cAAc~~;;;;;;~~AAO/C~~,SAAgB,aAAa,SAA6E;AACxG,KAAI,CAAC,QAAS,QAAO,KAAA;CAGrB,MAAM,aAAa,QAAQ;AAC3B,KAAI,YAAY;EACd,MAAM,QAAQ,MAAM,QAAQ,WAAW,GAAG,WAAW,KAAK;AAC1D,MAAI,OAAO,WAAW,UAAU,CAC9B,QAAO,MAAM,MAAM,EAAE;;CAKzB,MAAM,SAAS,QAAQ;AACvB,KAAI,OACF,QAAO,MAAM,QAAQ,OAAO,GAAG,OAAO,KAAK"}
1	+ {"version":3,"file":"auth.js","names":[],"sources":["../../../src/gateway/auth.ts"],"sourcesContent":["import crypto from 'crypto';\nimport type { GatewayAuthConfig } from '../config/schema.js';\nimport { safeEqualSecret } from './security/secret-equal.js';\n\n/*\n Resolved gateway authentication configuration.\n \n Supports three modes:\n * - `none`: no authentication (local dev only)\n * - `token`: Bearer token authentication (default)\n * - `password`: password-based authentication (for simpler setups)\n /\nexport interface ResolvedGatewayAuth {\n mode: 'none' \| 'token' \| 'password';\n token?: string;\n password?: string;\n}\n\n/\n Resolve gateway authentication configuration.\n * Priority: env vars > config > defaults\n /\nexport function resolveGatewayAuth(params: {\n authConfig?: GatewayAuthConfig \| null;\n env?: NodeJS.ProcessEnv;\n}): ResolvedGatewayAuth {\n const env = params.env ?? process.env;\n const config: GatewayAuthConfig = params.authConfig ?? { mode: 'token' };\n\n // Environment variables take precedence\n const envMode = env.XOPC_GATEWAY_AUTH_MODE;\n const envToken = env.XOPC_GATEWAY_TOKEN;\n const envPassword = env.XOPC_GATEWAY_PASSWORD;\n\n // Resolve mode\n let mode: ResolvedGatewayAuth['mode'] = 'token';\n if (envMode === 'none' \|\| envMode === 'token' \|\| envMode === 'password') {\n mode = envMode;\n } else if (config.mode === 'none' \|\| config.mode === 'password') {\n mode = config.mode;\n }\n\n // Ambiguity detection: reject conflicting credential types\n const hasToken = Boolean(envToken \|\| config.token);\n const hasPassword = Boolean(envPassword \|\| config.password);\n if (hasToken && hasPassword) {\n throw new Error(\n 'Invalid config: both gateway.auth.token and gateway.auth.password are set. ' +\n 'Choose one authentication mode: \"token\" (Bearer header) or \"password\".',\n );\n }\n\n // Resolve token\n let token: string \| undefined;\n if (mode === 'token') {\n if (envToken) {\n token = envToken;\n } else if (config.token) {\n token = config.token;\n } else {\n // Auto-generate token if not provided\n token = crypto.randomBytes(24).toString('hex');\n }\n }\n\n // Resolve password\n let password: string \| undefined;\n if (mode === 'password') {\n if (envPassword) {\n password = envPassword;\n } else if (config.password) {\n password = config.password;\n }\n }\n\n return { mode, token, password };\n}\n\n/\n Assert that gateway auth is properly configured.\n /\nexport function assertGatewayAuthConfigured(auth: ResolvedGatewayAuth): void {\n if (auth.mode === 'token' && !auth.token) {\n throw new Error(\n 'Gateway auth mode is token, but no token was configured. ' +\n 'Set gateway.auth.token in config or XOPC_GATEWAY_TOKEN environment variable.',\n );\n }\n if (auth.mode === 'password' && !auth.password) {\n throw new Error(\n 'Gateway auth mode is password, but no password was configured. ' +\n 'Set gateway.auth.password in config or XOPC_GATEWAY_PASSWORD environment variable.',\n );\n }\n}\n\n/\n Constant-time string comparison to prevent timing attacks.\n \n Uses `crypto.timingSafeEqual` with padding so both buffers always have\n * the same byte length. The actual length is checked separately.\n \n @deprecated Use `safeEqualSecret` from `./security/secret-equal.js` directly.\n /\nexport function safeCompare(a: string, b: string): boolean {\n return safeEqualSecret(a, b);\n}\n\n/\n Validate a credential against configured auth using constant-time comparison.\n \n Works for both token and password modes — the caller extracts the credential\n * from the appropriate transport (header, query param, etc.).\n /\nexport function validateToken(auth: ResolvedGatewayAuth, providedCredential?: string \| null): boolean {\n if (auth.mode === 'none') {\n return true;\n }\n\n if (!providedCredential) {\n return false;\n }\n\n if (auth.mode === 'password') {\n if (!auth.password) return false;\n return safeEqualSecret(auth.password, providedCredential);\n }\n\n // Default: token mode\n if (!auth.token) return false;\n return safeEqualSecret(auth.token, providedCredential);\n}\n\n/\n Extract token from request headers.\n * Supports: Authorization: Bearer <token>, X-Api-Key: <token>\n */\nexport function extractToken(headers?: Record<string, string \| string[] \| undefined>): string \| undefined {\n if (!headers) return undefined;\n\n // Authorization: Bearer <token>\n const authHeader = headers.authorization;\n if (authHeader) {\n const value = Array.isArray(authHeader) ? authHeader[0] : authHeader;\n if (value?.startsWith('Bearer ')) {\n return value.slice(7);\n }\n }\n\n // X-Api-Key: <token>\n const apiKey = headers['x-api-key'];\n if (apiKey) {\n return Array.isArray(apiKey) ? apiKey[0] : apiKey;\n }\n\n return undefined;\n}\n"],"mappings":";;;;;;;AAsBA,SAAgB,mBAAmB,QAGX;CACtB,MAAM,MAAM,OAAO,OAAO,QAAQ;CAClC,MAAM,SAA4B,OAAO,cAAc,EAAE,MAAM,SAAS;CAGxE,MAAM,UAAU,IAAI;CACpB,MAAM,WAAW,IAAI;CACrB,MAAM,cAAc,IAAI;CAGxB,IAAI,OAAoC;AACxC,KAAI,YAAY,UAAU,YAAY,WAAW,YAAY,WAC3D,QAAO;UACE,OAAO,SAAS,UAAU,OAAO,SAAS,WACnD,QAAO,OAAO;CAIhB,MAAM,WAAW,QAAQ,YAAY,OAAO,MAAM;CAClD,MAAM,cAAc,QAAQ,eAAe,OAAO,SAAS;AAC3D,KAAI,YAAY,YACd,OAAM,IAAI,MACR,wJAED;CAIH,IAAI;AACJ,KAAI,SAAS,QACX,KAAI,SACF,SAAQ;UACC,OAAO,MAChB,SAAQ,OAAO;KAGf,SAAQ,OAAO,YAAY,GAAG,CAAC,SAAS,MAAM;CAKlD,IAAI;AACJ,KAAI,SAAS;MACP,YACF,YAAW;WACF,OAAO,SAChB,YAAW,OAAO;;AAItB,QAAO;EAAE;EAAM;EAAO;EAAU;;;;;AAMlC,SAAgB,4BAA4B,MAAiC;AAC3E,KAAI,KAAK,SAAS,WAAW,CAAC,KAAK,MACjC,OAAM,IAAI,MACR,wIAED;AAEH,KAAI,KAAK,SAAS,cAAc,CAAC,KAAK,SACpC,OAAM,IAAI,MACR,oJAED;;;;;;;;;;AAYL,SAAgB,YAAY,GAAW,GAAoB;AACzD,QAAO,gBAAgB,GAAG,EAAE;;;;;;;;AAS9B,SAAgB,cAAc,MAA2B,oBAA6C;AACpG,KAAI,KAAK,SAAS,OAChB,QAAO;AAGT,KAAI,CAAC,mBACH,QAAO;AAGT,KAAI,KAAK,SAAS,YAAY;AAC5B,MAAI,CAAC,KAAK,SAAU,QAAO;AAC3B,SAAO,gBAAgB,KAAK,UAAU,mBAAmB;;AAI3D,KAAI,CAAC,KAAK,MAAO,QAAO;AACxB,QAAO,gBAAgB,KAAK,OAAO,mBAAmB;;;;;;AAOxD,SAAgB,aAAa,SAA6E;AACxG,KAAI,CAAC,QAAS,QAAO,KAAA;CAGrB,MAAM,aAAa,QAAQ;AAC3B,KAAI,YAAY;EACd,MAAM,QAAQ,MAAM,QAAQ,WAAW,GAAG,WAAW,KAAK;AAC1D,MAAI,OAAO,WAAW,UAAU,CAC9B,QAAO,MAAM,MAAM,EAAE;;CAKzB,MAAM,SAAS,QAAQ;AACvB,KAAI,OACF,QAAO,MAAM,QAAQ,OAAO,GAAG,OAAO,KAAK"}

package/dist/src/gateway/hono/app.js CHANGED Viewed

@@ -1,7 +1,10 @@
 import { createLogger } from "../../utils/logger/index.js";
 import { init_logger } from "../../utils/logger.js";
 import { maxWebchatAgentRequestBodyBytes } from "../chat-limits.js";
+import { buildGatewayConsoleCspHeader } from "../security/csp.js";
+import { checkBrowserOrigin } from "../security/origin-check.js";
 import { auth } from "./middleware/auth.js";
+import { operatorScopes } from "./middleware/scopes.js";
 import { logContextMiddleware } from "./middleware/log-context.js";
 import { logger } from "./middleware/logger.js";
 import { registerPublicExtensionAssetRoutes } from "./routes/auth-registry-extensions.js";
@@ -57,6 +60,7 @@ function createHonoApp(config) {
 	app.use(logContextMiddleware());
 	app.use(logger());
 	app.use(cors(CORS_OPTIONS));
+	const gatewayConsoleCsp = buildGatewayConsoleCspHeader();
 	app.use(createMiddleware(async (c, next) => {
 		await next();
 		if (isExtensionGatewayUiAssetPath(c.req.path)) return;
@@ -65,7 +69,31 @@ function createHonoApp(config) {
 		c.header("Referrer-Policy", "strict-origin-when-cross-origin");
 		c.header("X-XSS-Protection", "1; mode=block");
 		c.header("Permissions-Policy", "camera=(), microphone=(self), geolocation=()");
-		c.header("Content-Security-Policy", "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data: blob: https:; font-src 'self'; connect-src 'self'; frame-ancestors 'none'");
+		c.header("Content-Security-Policy", gatewayConsoleCsp);
+	}));
+	const allowedOrigins = Array.isArray(corsOrigin) ? corsOrigin : [corsOrigin];
+	app.use("/api/*", createMiddleware(async (c, next) => {
+		const origin = c.req.header("origin");
+		if (!origin) return next();
+		const result = checkBrowserOrigin({
+			requestHost: c.req.header("host"),
+			origin,
+			allowedOrigins,
+			allowHostHeaderOriginFallback: true,
+			isLocalClient: false
+		});
+		if (!result.ok) {
+			log.warn({
+				origin,
+				reason: "reason" in result ? result.reason : "unknown",
+				path: c.req.path
+			}, "Browser origin check failed");
+			return c.json({
+				error: "Forbidden",
+				message: "Origin not allowed"
+			}, 403);
+		}
+		return next();
 	}));
 	app.use("/api/skills/upload", bodyLimit({
 		maxSize: 10 * 1024 * 1024,
@@ -96,6 +124,7 @@ function createHonoApp(config) {
 		token,
 		getGatewayAuth: () => service.currentConfig.gateway?.auth
 	}));
+	authenticated.use(operatorScopes());
 	const strictRateLimiter = /* @__PURE__ */ new Map();
 	setInterval(() => {
 		for (const [ip, limiter] of strictRateLimiter.entries()) if (limiter.consume().remaining === 9) strictRateLimiter.delete(ip);

package/dist/src/gateway/hono/app.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"app.js","names":[],"sources":["../../../../src/gateway/hono/app.ts"],"sourcesContent":["import { Hono } from 'hono';\nimport { cors } from 'hono/cors';\nimport { createMiddleware } from 'hono/factory';\nimport { bodyLimit } from 'hono/body-limit';\n\nimport { createFixedWindowRateLimiter } from '../../infra/rate-limit.js';\nimport { createLogger } from '../../utils/logger.js';\nimport type { GatewayService } from '../service.js';\nimport { maxWebchatAgentRequestBodyBytes } from '../chat-limits.js';\nimport { auth } from './middleware/auth.js';\nimport { logContextMiddleware } from './middleware/log-context.js';\nimport { logger } from './middleware/logger.js';\nimport { registerPublicExtensionAssetRoutes } from './routes/auth-registry-extensions.js';\nimport { registerAuthenticatedRoutes } from './routes/index.js';\nimport { registerPublicGatewayRoutes } from './routes/public-gateway.js';\n\nconst log = createLogger('HonoApp');\n\nexport interface HonoAppConfig {\n service: GatewayService;\n token?: string;\n}\n\n/*\n Extension sandbox HTML under `/api/extensions/:id/assets/` ships its own CSP\n (`frame-ancestors 'self'`). The global gateway middleware must not overwrite it\n * with `frame-ancestors 'none'` / `X-Frame-Options: DENY`, or the console cannot embed iframes.\n /\nexport function isExtensionGatewayUiAssetPath(path: string): boolean {\n return /^\\/api\\/extensions\\/[^/]+\\/assets\\//.test(path);\n}\n\nexport function createHonoApp(config: HonoAppConfig): Hono {\n const { service, token } = config;\n const app = new Hono();\n\n const gatewayPort = service.currentConfig.gateway.port ?? 18790;\n const configuredOrigins = service.currentConfig.gateway.corsOrigins;\n\n let corsOrigin: string \| string[];\n if (configuredOrigins && configuredOrigins.length > 0) {\n corsOrigin = configuredOrigins;\n } else {\n corsOrigin = [\n `http://localhost:${gatewayPort}`,\n `http://127.0.0.1:${gatewayPort}`,\n 'http://localhost:3000',\n 'http://127.0.0.1:3000',\n ];\n }\n\n const CORS_OPTIONS = {\n origin: corsOrigin,\n allowMethods: ['GET', 'POST', 'PATCH', 'DELETE', 'OPTIONS'],\n allowHeaders: ['Content-Type', 'Authorization', 'Accept', 'X-Session-Id', 'Last-Event-ID'],\n credentials: true,\n maxAge: 86400,\n };\n\n app.use(logContextMiddleware());\n app.use(logger());\n app.use(cors(CORS_OPTIONS));\n\n app.use(createMiddleware(async (c, next) => {\n await next();\n if (isExtensionGatewayUiAssetPath(c.req.path)) {\n return;\n }\n c.header('X-Frame-Options', 'DENY');\n c.header('X-Content-Type-Options', 'nosniff');\n c.header('Referrer-Policy', 'strict-origin-when-cross-origin');\n c.header('X-XSS-Protection', '1; mode=block');\n // microphone=(self): allow same-origin chat voice (composer). microphone=() breaks packaged Electron loading the gateway SPA.\n c.header('Permissions-Policy', 'camera=(), microphone=(self), geolocation=()');\n c.header(\n 'Content-Security-Policy',\n \~~"default~~-~~src~~ '~~self~~'; ~~script-src~~ '~~self~~'; ~~style~~-~~src~~ '~~self~~' '~~unsafe-inline~~'; ~~img-src~~ '~~self~~' ~~data~~: ~~blob:~~ ~~https:;~~ ~~font-src~~ '~~self';~~ ~~connect-src~~ '~~self~~'; ~~frame-ancestors~~ '~~none~~'\~~",\~~n );\n }));\n\n app.use('/api/skills/upload', bodyLimit({\n maxSize: 10 1024 * 1024,\n onError: (c) => {\n return c.json({ error: 'Skill package too large', maxSize: '10MB' }, 413);\n },\n }));\n\n const DEFAULT_API_BODY_MAX = 1 * 1024 * 1024;\n const WEBCHAT_AGENT_BODY_MAX = maxWebchatAgentRequestBodyBytes();\n\n app.use('/api/', async (c, next) => {\n const maxSize = c.req.path === '/api/agent' ? WEBCHAT_AGENT_BODY_MAX : DEFAULT_API_BODY_MAX;\n const maxSizeMb = Math.ceil(maxSize / (1024 1024));\n return bodyLimit({\n maxSize,\n onError: (ctx) =>\n ctx.json({ error: 'Request body too large', maxSize: `${maxSizeMb}MB` }, 413),\n })(c, next);\n });\n\n registerPublicGatewayRoutes(app, service);\n\n // Extension UI assets are served without auth: sandboxed iframes (no allow-same-origin)\n // have an opaque origin of `null` and cannot forward the ?token= from the parent HTML URL.\n // Security is enforced by the strict CSP (frame-ancestors 'self') on every response.\n registerPublicExtensionAssetRoutes(app, service);\n\n const authenticated = new Hono();\n authenticated.use(\n auth({\n token,\n getGatewayAuth: () => service.currentConfig.gateway?.auth,\n }),\n );\n\n const strictRateLimiter = new Map<string, ReturnType<typeof createFixedWindowRateLimiter>>();\n\n const RATE_LIMIT_CLEANUP_INTERVAL = 5 * 60 * 1000;\n setInterval(() => {\n for (const [ip, limiter] of strictRateLimiter.entries()) {\n const result = limiter.consume();\n if (result.remaining === 9) {\n strictRateLimiter.delete(ip);\n }\n }\n }, RATE_LIMIT_CLEANUP_INTERVAL);\n\n const strictRateLimitMiddleware = createMiddleware(async (c, next) => {\n /\n const clientIp = c.req.header('x-forwarded-for')?.split(',')[0]?.trim()\n ?? c.req.header('x-real-ip')\n ?? 'unknown';\n\n let limiter = strictRateLimiter.get(clientIp);\n if (!limiter) {\n limiter = createFixedWindowRateLimiter({ maxRequests: 10, windowMs: 60_000 });\n strictRateLimiter.set(clientIp, limiter);\n }\n\n const result = limiter.consume();\n if (!result.allowed) {\n c.header('Retry-After', String(Math.ceil(result.retryAfterMs / 1000)));\n return c.json({ error: 'Too many requests' }, 429);\n }\n\n c.header('X-RateLimit-Remaining', String(result.remaining));\n /\n await next();\n });\n\n const sseConfig = {\n service,\n maxSseConnections: service.currentConfig.gateway.maxSseConnections,\n };\n\n registerAuthenticatedRoutes(authenticated, {\n service,\n strictRateLimitMiddleware,\n sseConfig,\n });\n\n app.route('/', authenticated);\n\n app.notFound((c) => {\n return c.json({ error: 'Not found' }, 404);\n });\n\n app.onError((err, c) => {\n log.error({ err }, 'Hono error');\n return c.json({ error: 'Internal server error' }, 500);\n });\n\n return app;\n}\n"],"mappings":"~~;;;;;;;;;;;;;;~~aAMqD;~~AAUrD~~,MAAM,MAAM,aAAa,UAAU;;;;;;AAYnC,SAAgB,8BAA8B,MAAuB;AACnE,QAAO,sCAAsC,KAAK,KAAK;;AAGzD,SAAgB,cAAc,QAA6B;CACzD,MAAM,EAAE,SAAS,UAAU;CAC3B,MAAM,MAAM,IAAI,MAAM;CAEtB,MAAM,cAAc,QAAQ,cAAc,QAAQ,QAAQ;CAC1D,MAAM,oBAAoB,QAAQ,cAAc,QAAQ;CAExD,IAAI;AACJ,KAAI,qBAAqB,kBAAkB,SAAS,EAClD,cAAa;KAEb,cAAa;EACX,oBAAoB;EACpB,oBAAoB;EACpB;EACA;EACD;CAGH,MAAM,eAAe;EACnB,QAAQ;EACR,cAAc;GAAC;GAAO;GAAQ;GAAS;GAAU;GAAU;EAC3D,cAAc;GAAC;GAAgB;GAAiB;GAAU;GAAgB;GAAgB;EAC1F,aAAa;EACb,QAAQ;EACT;AAED,KAAI,IAAI,sBAAsB,CAAC;AAC/B,KAAI,IAAI,QAAQ,CAAC;AACjB,KAAI,IAAI,KAAK,aAAa,CAAC;~~AAE3B~~,KAAI,IAAI,iBAAiB,OAAO,GAAG,SAAS;AAC1C,QAAM,MAAM;AACZ,MAAI,8BAA8B,EAAE,IAAI,KAAK,CAC3C;AAEF,IAAE,OAAO,mBAAmB,OAAO;AACnC,IAAE,OAAO,0BAA0B,UAAU;AAC7C,IAAE,OAAO,mBAAmB,kCAAkC;AAC9D,IAAE,OAAO,oBAAoB,gBAAgB;AAE7C,IAAE,OAAO,sBAAsB,+CAA+C;AAC9E,IAAE,~~OACA~~,~~2BACA~~,~~0KACD~~;~~GACD~~,CAAC;AAEH,KAAI,IAAI,sBAAsB,UAAU;EACtC,SAAS,KAAK,OAAO;EACrB,UAAU,MAAM;AACd,UAAO,EAAE,KAAK;IAAE,OAAO;IAA2B,SAAS;IAAQ,EAAE,IAAI;;EAE5E,CAAC,CAAC;CAEH,MAAM,uBAAuB,IAAI,OAAO;CACxC,MAAM,yBAAyB,iCAAiC;AAEhE,KAAI,IAAI,UAAU,OAAO,GAAG,SAAS;EACnC,MAAM,UAAU,EAAE,IAAI,SAAS,eAAe,yBAAyB;EACvE,MAAM,YAAY,KAAK,KAAK,WAAW,OAAO,MAAM;AACpD,SAAO,UAAU;GACf;GACA,UAAU,QACR,IAAI,KAAK;IAAE,OAAO;IAA0B,SAAS,GAAG,UAAU;IAAK,EAAE,IAAI;GAChF,CAAC,CAAC,GAAG,KAAK;GACX;AAEF,6BAA4B,KAAK,QAAQ;AAKzC,oCAAmC,KAAK,QAAQ;CAEhD,MAAM,gBAAgB,IAAI,MAAM;AAChC,eAAc,IACZ,KAAK;EACH;EACA,sBAAsB,QAAQ,cAAc,SAAS;EACtD,CAAC,CACH;~~CAED~~,MAAM,oCAAoB,IAAI,KAA8D;AAG5F,mBAAkB;AAChB,OAAK,MAAM,CAAC,IAAI,YAAY,kBAAkB,SAAS,CAErD,KADe,QAAQ,SACb,CAAC,cAAc,EACvB,mBAAkB,OAAO,GAAG;IALE,MAAS,IAQd;AA8B/B,6BAA4B,eAAe;EACzC;EACA,2BA9BgC,iBAAiB,OAAO,GAAG,SAAS;AAoBpE,SAAM,MAAM;IAUa;EACzB,WAAA;GAPA;GACA,mBAAmB,QAAQ,cAAc,QAAQ;GAMxC;EACV,CAAC;AAEF,KAAI,MAAM,KAAK,cAAc;AAE7B,KAAI,UAAU,MAAM;AAClB,SAAO,EAAE,KAAK,EAAE,OAAO,aAAa,EAAE,IAAI;GAC1C;AAEF,KAAI,SAAS,KAAK,MAAM;AACtB,MAAI,MAAM,EAAE,KAAK,EAAE,aAAa;AAChC,SAAO,EAAE,KAAK,EAAE,OAAO,yBAAyB,EAAE,IAAI;GACtD;AAEF,QAAO"}
1	+ {"version":3,"file":"app.js","names":[],"sources":["../../../../src/gateway/hono/app.ts"],"sourcesContent":["import { Hono } from 'hono';\nimport { cors } from 'hono/cors';\nimport { createMiddleware } from 'hono/factory';\nimport { bodyLimit } from 'hono/body-limit';\n\nimport { createFixedWindowRateLimiter } from '../../infra/rate-limit.js';\nimport { createLogger } from '../../utils/logger.js';\nimport type { GatewayService } from '../service.js';\nimport { maxWebchatAgentRequestBodyBytes } from '../chat-limits.js';\nimport { buildGatewayConsoleCspHeader } from '../security/csp.js';\nimport { checkBrowserOrigin } from '../security/origin-check.js';\nimport { auth } from './middleware/auth.js';\nimport { operatorScopes } from './middleware/scopes.js';\nimport { logContextMiddleware } from './middleware/log-context.js';\nimport { logger } from './middleware/logger.js';\nimport { registerPublicExtensionAssetRoutes } from './routes/auth-registry-extensions.js';\nimport { registerAuthenticatedRoutes } from './routes/index.js';\nimport { registerPublicGatewayRoutes } from './routes/public-gateway.js';\n\nconst log = createLogger('HonoApp');\n\nexport interface HonoAppConfig {\n service: GatewayService;\n token?: string;\n}\n\n/*\n Extension sandbox HTML under `/api/extensions/:id/assets/` ships its own CSP\n (`frame-ancestors 'self'`). The global gateway middleware must not overwrite it\n * with `frame-ancestors 'none'` / `X-Frame-Options: DENY`, or the console cannot embed iframes.\n /\nexport function isExtensionGatewayUiAssetPath(path: string): boolean {\n return /^\\/api\\/extensions\\/[^/]+\\/assets\\//.test(path);\n}\n\nexport function createHonoApp(config: HonoAppConfig): Hono {\n const { service, token } = config;\n const app = new Hono();\n\n const gatewayPort = service.currentConfig.gateway.port ?? 18790;\n const configuredOrigins = service.currentConfig.gateway.corsOrigins;\n\n let corsOrigin: string \| string[];\n if (configuredOrigins && configuredOrigins.length > 0) {\n corsOrigin = configuredOrigins;\n } else {\n corsOrigin = [\n `http://localhost:${gatewayPort}`,\n `http://127.0.0.1:${gatewayPort}`,\n 'http://localhost:3000',\n 'http://127.0.0.1:3000',\n ];\n }\n\n const CORS_OPTIONS = {\n origin: corsOrigin,\n allowMethods: ['GET', 'POST', 'PATCH', 'DELETE', 'OPTIONS'],\n allowHeaders: ['Content-Type', 'Authorization', 'Accept', 'X-Session-Id', 'Last-Event-ID'],\n credentials: true,\n maxAge: 86400,\n };\n\n app.use(logContextMiddleware());\n app.use(logger());\n app.use(cors(CORS_OPTIONS));\n\n // Build CSP header once at startup (no inline script hashes needed for SPA)\n const gatewayConsoleCsp = buildGatewayConsoleCspHeader();\n\n // Security headers middleware\n app.use(createMiddleware(async (c, next) => {\n await next();\n if (isExtensionGatewayUiAssetPath(c.req.path)) {\n return;\n }\n c.header('X-Frame-Options', 'DENY');\n c.header('X-Content-Type-Options', 'nosniff');\n c.header('Referrer-Policy', 'strict-origin-when-cross-origin');\n c.header('X-XSS-Protection', '1; mode=block');\n // microphone=(self): allow same-origin chat voice (composer). microphone=() breaks packaged Electron loading the gateway SPA.\n c.header('Permissions-Policy', 'camera=(), microphone=(self), geolocation=()');\n c.header('Content-Security-Policy', gatewayConsoleCsp);\n }));\n\n // Browser Origin check middleware for API routes (CSRF protection).\n // Non-browser requests (no Origin header) pass through — they are\n // authenticated by the token middleware instead.\n const allowedOrigins = Array.isArray(corsOrigin) ? corsOrigin : [corsOrigin];\n app.use('/api/', createMiddleware(async (c, next) => {\n const origin = c.req.header('origin');\n if (!origin) {\n // Non-browser request (CLI, server-to-server) — skip origin check\n return next();\n }\n\n const result = checkBrowserOrigin({\n requestHost: c.req.header('host'),\n origin,\n allowedOrigins,\n allowHostHeaderOriginFallback: true,\n isLocalClient: false,\n });\n\n if (!result.ok) {\n log.warn(\n { origin, reason: 'reason' in result ? result.reason : 'unknown', path: c.req.path },\n 'Browser origin check failed',\n );\n return c.json({ error: 'Forbidden', message: 'Origin not allowed' }, 403);\n }\n\n return next();\n }));\n\n app.use('/api/skills/upload', bodyLimit({\n maxSize: 10 * 1024 * 1024,\n onError: (c) => {\n return c.json({ error: 'Skill package too large', maxSize: '10MB' }, 413);\n },\n }));\n\n const DEFAULT_API_BODY_MAX = 1 * 1024 * 1024;\n const WEBCHAT_AGENT_BODY_MAX = maxWebchatAgentRequestBodyBytes();\n\n app.use('/api/', async (c, next) => {\n const maxSize = c.req.path === '/api/agent' ? WEBCHAT_AGENT_BODY_MAX : DEFAULT_API_BODY_MAX;\n const maxSizeMb = Math.ceil(maxSize / (1024 1024));\n return bodyLimit({\n maxSize,\n onError: (ctx) =>\n ctx.json({ error: 'Request body too large', maxSize: `${maxSizeMb}MB` }, 413),\n })(c, next);\n });\n\n registerPublicGatewayRoutes(app, service);\n\n // Extension UI assets are served without auth: sandboxed iframes (no allow-same-origin)\n // have an opaque origin of `null` and cannot forward the ?token= from the parent HTML URL.\n // Security is enforced by the strict CSP (frame-ancestors 'self') on every response.\n registerPublicExtensionAssetRoutes(app, service);\n\n const authenticated = new Hono();\n authenticated.use(\n auth({\n token,\n getGatewayAuth: () => service.currentConfig.gateway?.auth,\n }),\n );\n authenticated.use(operatorScopes());\n\n const strictRateLimiter = new Map<string, ReturnType<typeof createFixedWindowRateLimiter>>();\n\n const RATE_LIMIT_CLEANUP_INTERVAL = 5 * 60 * 1000;\n setInterval(() => {\n for (const [ip, limiter] of strictRateLimiter.entries()) {\n const result = limiter.consume();\n if (result.remaining === 9) {\n strictRateLimiter.delete(ip);\n }\n }\n }, RATE_LIMIT_CLEANUP_INTERVAL);\n\n const strictRateLimitMiddleware = createMiddleware(async (c, next) => {\n /\n const clientIp = c.req.header('x-forwarded-for')?.split(',')[0]?.trim()\n ?? c.req.header('x-real-ip')\n ?? 'unknown';\n\n let limiter = strictRateLimiter.get(clientIp);\n if (!limiter) {\n limiter = createFixedWindowRateLimiter({ maxRequests: 10, windowMs: 60_000 });\n strictRateLimiter.set(clientIp, limiter);\n }\n\n const result = limiter.consume();\n if (!result.allowed) {\n c.header('Retry-After', String(Math.ceil(result.retryAfterMs / 1000)));\n return c.json({ error: 'Too many requests' }, 429);\n }\n\n c.header('X-RateLimit-Remaining', String(result.remaining));\n /\n await next();\n });\n\n const sseConfig = {\n service,\n maxSseConnections: service.currentConfig.gateway.maxSseConnections,\n };\n\n registerAuthenticatedRoutes(authenticated, {\n service,\n strictRateLimitMiddleware,\n sseConfig,\n });\n\n app.route('/', authenticated);\n\n app.notFound((c) => {\n return c.json({ error: 'Not found' }, 404);\n });\n\n app.onError((err, c) => {\n log.error({ err }, 'Hono error');\n return c.json({ error: 'Internal server error' }, 500);\n });\n\n return app;\n}\n"],"mappings":";;;;;;;;;;;;;;;;;aAMqD;AAarD,MAAM,MAAM,aAAa,UAAU;;;;;;AAYnC,SAAgB,8BAA8B,MAAuB;AACnE,QAAO,sCAAsC,KAAK,KAAK;;AAGzD,SAAgB,cAAc,QAA6B;CACzD,MAAM,EAAE,SAAS,UAAU;CAC3B,MAAM,MAAM,IAAI,MAAM;CAEtB,MAAM,cAAc,QAAQ,cAAc,QAAQ,QAAQ;CAC1D,MAAM,oBAAoB,QAAQ,cAAc,QAAQ;CAExD,IAAI;AACJ,KAAI,qBAAqB,kBAAkB,SAAS,EAClD,cAAa;KAEb,cAAa;EACX,oBAAoB;EACpB,oBAAoB;EACpB;EACA;EACD;CAGH,MAAM,eAAe;EACnB,QAAQ;EACR,cAAc;GAAC;GAAO;GAAQ;GAAS;GAAU;GAAU;EAC3D,cAAc;GAAC;GAAgB;GAAiB;GAAU;GAAgB;GAAgB;EAC1F,aAAa;EACb,QAAQ;EACT;AAED,KAAI,IAAI,sBAAsB,CAAC;AAC/B,KAAI,IAAI,QAAQ,CAAC;AACjB,KAAI,IAAI,KAAK,aAAa,CAAC;CAG3B,MAAM,oBAAoB,8BAA8B;AAGxD,KAAI,IAAI,iBAAiB,OAAO,GAAG,SAAS;AAC1C,QAAM,MAAM;AACZ,MAAI,8BAA8B,EAAE,IAAI,KAAK,CAC3C;AAEF,IAAE,OAAO,mBAAmB,OAAO;AACnC,IAAE,OAAO,0BAA0B,UAAU;AAC7C,IAAE,OAAO,mBAAmB,kCAAkC;AAC9D,IAAE,OAAO,oBAAoB,gBAAgB;AAE7C,IAAE,OAAO,sBAAsB,+CAA+C;AAC9E,IAAE,OAAO,2BAA2B,kBAAkB;GACtD,CAAC;CAKH,MAAM,iBAAiB,MAAM,QAAQ,WAAW,GAAG,aAAa,CAAC,WAAW;AAC5E,KAAI,IAAI,UAAU,iBAAiB,OAAO,GAAG,SAAS;EACpD,MAAM,SAAS,EAAE,IAAI,OAAO,SAAS;AACrC,MAAI,CAAC,OAEH,QAAO,MAAM;EAGf,MAAM,SAAS,mBAAmB;GAChC,aAAa,EAAE,IAAI,OAAO,OAAO;GACjC;GACA;GACA,+BAA+B;GAC/B,eAAe;GAChB,CAAC;AAEF,MAAI,CAAC,OAAO,IAAI;AACd,OAAI,KACF;IAAE;IAAQ,QAAQ,YAAY,SAAS,OAAO,SAAS;IAAW,MAAM,EAAE,IAAI;IAAM,EACpF,8BACD;AACD,UAAO,EAAE,KAAK;IAAE,OAAO;IAAa,SAAS;IAAsB,EAAE,IAAI;;AAG3E,SAAO,MAAM;GACb,CAAC;AAEH,KAAI,IAAI,sBAAsB,UAAU;EACtC,SAAS,KAAK,OAAO;EACrB,UAAU,MAAM;AACd,UAAO,EAAE,KAAK;IAAE,OAAO;IAA2B,SAAS;IAAQ,EAAE,IAAI;;EAE5E,CAAC,CAAC;CAEH,MAAM,uBAAuB,IAAI,OAAO;CACxC,MAAM,yBAAyB,iCAAiC;AAEhE,KAAI,IAAI,UAAU,OAAO,GAAG,SAAS;EACnC,MAAM,UAAU,EAAE,IAAI,SAAS,eAAe,yBAAyB;EACvE,MAAM,YAAY,KAAK,KAAK,WAAW,OAAO,MAAM;AACpD,SAAO,UAAU;GACf;GACA,UAAU,QACR,IAAI,KAAK;IAAE,OAAO;IAA0B,SAAS,GAAG,UAAU;IAAK,EAAE,IAAI;GAChF,CAAC,CAAC,GAAG,KAAK;GACX;AAEF,6BAA4B,KAAK,QAAQ;AAKzC,oCAAmC,KAAK,QAAQ;CAEhD,MAAM,gBAAgB,IAAI,MAAM;AAChC,eAAc,IACZ,KAAK;EACH;EACA,sBAAsB,QAAQ,cAAc,SAAS;EACtD,CAAC,CACH;AACD,eAAc,IAAI,gBAAgB,CAAC;CAEnC,MAAM,oCAAoB,IAAI,KAA8D;AAG5F,mBAAkB;AAChB,OAAK,MAAM,CAAC,IAAI,YAAY,kBAAkB,SAAS,CAErD,KADe,QAAQ,SACb,CAAC,cAAc,EACvB,mBAAkB,OAAO,GAAG;IALE,MAAS,IAQd;AA8B/B,6BAA4B,eAAe;EACzC;EACA,2BA9BgC,iBAAiB,OAAO,GAAG,SAAS;AAoBpE,SAAM,MAAM;IAUa;EACzB,WAAA;GAPA;GACA,mBAAmB,QAAQ,cAAc,QAAQ;GAMxC;EACV,CAAC;AAEF,KAAI,MAAM,KAAK,cAAc;AAE7B,KAAI,UAAU,MAAM;AAClB,SAAO,EAAE,KAAK,EAAE,OAAO,aAAa,EAAE,IAAI;GAC1C;AAEF,KAAI,SAAS,KAAK,MAAM;AACtB,MAAI,MAAM,EAAE,KAAK,EAAE,aAAa;AAChC,SAAO,EAAE,KAAK,EAAE,OAAO,yBAAyB,EAAE,IAAI;GACtD;AAEF,QAAO"}

package/dist/src/gateway/hono/lib/config-payload.d.ts CHANGED Viewed

@@ -124,7 +124,7 @@ export declare function buildSafeWebConfigPayload(service: GatewayService): Prom
         host: string;
         port: number;
         auth: {
-            mode: "none" | "token";
+            mode: "none" | "token" | "password";
             token: string;
         };
         heartbeat: {

package/dist/src/gateway/hono/middleware/auth.js CHANGED Viewed

@@ -1,16 +1,17 @@
 import { createLogger } from "../../../utils/logger/index.js";
 import { init_logger } from "../../../utils/logger.js";
+import { safeEqualSecret } from "../../security/secret-equal.js";
 import { getAuthFailureRateLimiter, getClientIpFromHeaders, isAuthRateLimitGloballyDisabled, resolveAuthRateLimitConfig } from "../../auth-rate-limit.js";
 import { createMiddleware } from "hono/factory";
 //#region src/gateway/hono/middleware/auth.ts
 init_logger();
 const log = createLogger("Hono:Auth");
 /**
-* Validate token from header or query parameter
+* Validate token using constant-time comparison to prevent timing attacks.
 */
 function validateToken(providedToken, expectedToken) {
 	if (!providedToken) return false;
-	return providedToken === expectedToken;
+	return safeEqualSecret(providedToken, expectedToken);
 }
 /**
 * Extract token from Authorization header
@@ -106,7 +107,7 @@ function validateWebSocketAuth(url, authHeader, expectedToken) {
 			error: "Missing authentication token"
 		};
 	}
-	if (!validateToken(providedToken, expectedToken)) {
+	if (!safeEqualSecret(providedToken, expectedToken)) {
 		log.warn({
 			path: url.pathname,
 			reason: "invalid_token"

package/dist/src/gateway/hono/middleware/auth.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"auth.js","names":[],"sources":["../../../../../src/gateway/hono/middleware/auth.ts"],"sourcesContent":["import { createMiddleware } from 'hono/factory';\nimport type { GatewayAuthConfig } from '../../../config/schema.js';\nimport {\n getAuthFailureRateLimiter,\n getClientIpFromHeaders,\n isAuthRateLimitGloballyDisabled,\n resolveAuthRateLimitConfig,\n} from '../../auth-rate-limit.js';\nimport { createLogger } from '../../../utils/logger.js';\n\nconst log = createLogger('Hono:Auth');\n\nexport interface AuthConfig {\n token?: string;\n /** Current gateway auth from config (for rate-limit settings); optional. /\n getGatewayAuth?: () => GatewayAuthConfig \| undefined;\n}\n\n/\n Validate token ~~from~~ ~~header~~ or ~~query~~ ~~parameter\~~n /\nfunction validateToken(providedToken: string \| undefined, expectedToken: string): boolean {\n if (!providedToken) return false;\n return providedToken ~~===~~ expectedToken;\n}\n\n/\n Extract token from Authorization header\n * Supports: \"Bearer <token>\", \"<token>\"\n /\nfunction extractTokenFromHeader(authHeader: string \| null): string \| null {\n if (!authHeader) return null;\n\n const parts = authHeader.split(' ');\n if (parts.length === 2 && parts[0].toLowerCase() === 'bearer') {\n return parts[1];\n }\n return authHeader;\n}\n\n/\n Extract token from query parameter\n /\nfunction extractTokenFromQuery(url: string): string \| null {\n const parsed = new URL(url);\n return parsed.searchParams.get('token');\n}\n\n/\n Create auth middleware for HTTP routes\n /\nexport function auth(config?: AuthConfig) {\n const { token, getGatewayAuth } = config \|\| {};\n const limiter = getAuthFailureRateLimiter();\n\n return createMiddleware(async (c, next) => {\n // If no token configured, allow all\n if (!token) {\n return next();\n }\n\n const rlInput = getGatewayAuth?.()?.rateLimit;\n const rlCfg = resolveAuthRateLimitConfig(rlInput);\n const rateLimitActive =\n rlCfg.enabled && !isAuthRateLimitGloballyDisabled();\n\n const clientIp = getClientIpFromHeaders({\n get: (name: string) => c.req.header(name) ?? undefined,\n });\n\n // Try header first, then query param\n const authHeader = extractTokenFromHeader(c.req.header('authorization'));\n const queryToken = extractTokenFromQuery(c.req.url);\n\n const providedToken = authHeader \|\| queryToken;\n\n // Allow valid credentials to pass immediately and clear historical failures for this client.\n // This avoids lockout after a user fixes token configuration.\n if (providedToken && validateToken(providedToken, token)) {\n if (rateLimitActive) {\n limiter.recordSuccess(clientIp);\n }\n await next();\n return;\n }\n\n if (rateLimitActive) {\n const blocked = limiter.checkBlocked(clientIp, rlCfg);\n if (blocked.blocked) {\n c.header('Retry-After', String(blocked.retryAfterSec));\n return c.json(\n {\n error: 'Too Many Requests',\n message: 'Too many authentication attempts',\n retryAfter: blocked.retryAfterSec,\n },\n 429,\n );\n }\n }\n\n if (!providedToken) {\n if (rateLimitActive) {\n limiter.recordFailure(clientIp, rlCfg);\n }\n log.warn(\n { path: c.req.path, method: c.req.method, clientIp, reason: 'missing_token' },\n 'HTTP auth rejected: no Bearer or ?token=',\n );\n return c.json({ error: 'Unauthorized', message: 'Missing authentication token' }, 401);\n }\n\n if (!validateToken(providedToken, token)) {\n if (rateLimitActive) {\n limiter.recordFailure(clientIp, rlCfg);\n }\n log.warn(\n { path: c.req.path, method: c.req.method, clientIp, reason: 'invalid_token' },\n 'HTTP auth rejected: token mismatch',\n );\n return c.json({ error: 'Unauthorized', message: 'Invalid authentication token' }, 401);\n }\n });\n}\n\nexport interface WebSocketAuthResult {\n valid: boolean;\n error?: string;\n}\n\n/\n Validate WebSocket connection token\n */\nexport function validateWebSocketAuth(\n url: URL,\n authHeader: string \| null,\n expectedToken?: string\n): WebSocketAuthResult {\n // If no token configured, allow all\n if (!expectedToken) {\n return { valid: true };\n }\n\n // Extract token from query param or header\n const queryToken = url.searchParams.get('token');\n const headerToken = extractTokenFromHeader(authHeader);\n\n const providedToken = queryToken \|\| headerToken;\n\n if (!providedToken) {\n log.warn(\n { path: url.pathname, reason: 'missing_token', hasHeaderToken: Boolean(headerToken) },\n 'WebSocket auth rejected: no token in query or Authorization',\n );\n return { valid: false, error: 'Missing authentication token' };\n }\n\n if (!~~validateToken~~(providedToken, expectedToken)) {\n log.warn({ path: url.pathname, reason: 'invalid_token' }, 'WebSocket auth rejected: token mismatch');\n return { valid: false, error: 'Invalid authentication token' };\n }\n\n return { valid: true };\n}\n"],"mappings":"~~;;;;;aAQwD~~;AAExD,MAAM,MAAM,aAAa,YAAY;;;;AAWrC,SAAS,cAAc,eAAmC,eAAgC;AACxF,KAAI,CAAC,cAAe,QAAO;AAC3B,QAAO,~~kBAAkB~~;;;;;;~~AAO3B~~,SAAS,uBAAuB,YAA0C;AACxE,KAAI,CAAC,WAAY,QAAO;CAExB,MAAM,QAAQ,WAAW,MAAM,IAAI;AACnC,KAAI,MAAM,WAAW,KAAK,MAAM,GAAG,aAAa,KAAK,SACnD,QAAO,MAAM;AAEf,QAAO;;;;;AAMT,SAAS,sBAAsB,KAA4B;AAEzD,QAAO,IADY,IAAI,IACV,CAAC,aAAa,IAAI,QAAQ;;;;;AAMzC,SAAgB,KAAK,QAAqB;CACxC,MAAM,EAAE,OAAO,mBAAmB,UAAU,EAAE;CAC9C,MAAM,UAAU,2BAA2B;AAE3C,QAAO,iBAAiB,OAAO,GAAG,SAAS;AAEzC,MAAI,CAAC,MACH,QAAO,MAAM;EAGf,MAAM,UAAU,kBAAkB,EAAE;EACpC,MAAM,QAAQ,2BAA2B,QAAQ;EACjD,MAAM,kBACJ,MAAM,WAAW,CAAC,iCAAiC;EAErD,MAAM,WAAW,uBAAuB,EACtC,MAAM,SAAiB,EAAE,IAAI,OAAO,KAAK,IAAI,KAAA,GAC9C,CAAC;EAGF,MAAM,aAAa,uBAAuB,EAAE,IAAI,OAAO,gBAAgB,CAAC;EACxE,MAAM,aAAa,sBAAsB,EAAE,IAAI,IAAI;EAEnD,MAAM,gBAAgB,cAAc;AAIpC,MAAI,iBAAiB,cAAc,eAAe,MAAM,EAAE;AACxD,OAAI,gBACF,SAAQ,cAAc,SAAS;AAEjC,SAAM,MAAM;AACZ;;AAGF,MAAI,iBAAiB;GACnB,MAAM,UAAU,QAAQ,aAAa,UAAU,MAAM;AACrD,OAAI,QAAQ,SAAS;AACnB,MAAE,OAAO,eAAe,OAAO,QAAQ,cAAc,CAAC;AACtD,WAAO,EAAE,KACP;KACE,OAAO;KACP,SAAS;KACT,YAAY,QAAQ;KACrB,EACD,IACD;;;AAIL,MAAI,CAAC,eAAe;AAClB,OAAI,gBACF,SAAQ,cAAc,UAAU,MAAM;AAExC,OAAI,KACF;IAAE,MAAM,EAAE,IAAI;IAAM,QAAQ,EAAE,IAAI;IAAQ;IAAU,QAAQ;IAAiB,EAC7E,2CACD;AACD,UAAO,EAAE,KAAK;IAAE,OAAO;IAAgB,SAAS;IAAgC,EAAE,IAAI;;AAGxF,MAAI,CAAC,cAAc,eAAe,MAAM,EAAE;AACxC,OAAI,gBACF,SAAQ,cAAc,UAAU,MAAM;AAExC,OAAI,KACF;IAAE,MAAM,EAAE,IAAI;IAAM,QAAQ,EAAE,IAAI;IAAQ;IAAU,QAAQ;IAAiB,EAC7E,qCACD;AACD,UAAO,EAAE,KAAK;IAAE,OAAO;IAAgB,SAAS;IAAgC,EAAE,IAAI;;GAExF;;;;;AAWJ,SAAgB,sBACd,KACA,YACA,eACqB;AAErB,KAAI,CAAC,cACH,QAAO,EAAE,OAAO,MAAM;CAIxB,MAAM,aAAa,IAAI,aAAa,IAAI,QAAQ;CAChD,MAAM,cAAc,uBAAuB,WAAW;CAEtD,MAAM,gBAAgB,cAAc;AAEpC,KAAI,CAAC,eAAe;AAClB,MAAI,KACF;GAAE,MAAM,IAAI;GAAU,QAAQ;GAAiB,gBAAgB,QAAQ,YAAY;GAAE,EACrF,8DACD;AACD,SAAO;GAAE,OAAO;GAAO,OAAO;GAAgC;;AAGhE,KAAI,CAAC,~~cAAc~~,eAAe,cAAc,EAAE;~~AAChD~~,MAAI,KAAK;GAAE,MAAM,IAAI;GAAU,QAAQ;GAAiB,EAAE,0CAA0C;AACpG,SAAO;GAAE,OAAO;GAAO,OAAO;GAAgC;;AAGhE,QAAO,EAAE,OAAO,MAAM"}
1	+ {"version":3,"file":"auth.js","names":[],"sources":["../../../../../src/gateway/hono/middleware/auth.ts"],"sourcesContent":["import { createMiddleware } from 'hono/factory';\nimport type { GatewayAuthConfig } from '../../../config/schema.js';\nimport {\n getAuthFailureRateLimiter,\n getClientIpFromHeaders,\n isAuthRateLimitGloballyDisabled,\n resolveAuthRateLimitConfig,\n} from '../../auth-rate-limit.js';\nimport { safeEqualSecret } from '../../security/secret-equal.js';\nimport { createLogger } from '../../../utils/logger.js';\n\nconst log = createLogger('Hono:Auth');\n\nexport interface AuthConfig {\n token?: string;\n /** Current gateway auth from config (for rate-limit settings); optional. /\n getGatewayAuth?: () => GatewayAuthConfig \| undefined;\n}\n\n/\n Validate token using constant-time comparison to prevent timing attacks.\n /\nfunction validateToken(providedToken: string \| undefined, expectedToken: string): boolean {\n if (!providedToken) return false;\n return safeEqualSecret(providedToken, expectedToken);\n}\n\n/\n Extract token from Authorization header\n * Supports: \"Bearer <token>\", \"<token>\"\n /\nfunction extractTokenFromHeader(authHeader: string \| null): string \| null {\n if (!authHeader) return null;\n\n const parts = authHeader.split(' ');\n if (parts.length === 2 && parts[0].toLowerCase() === 'bearer') {\n return parts[1];\n }\n return authHeader;\n}\n\n/\n Extract token from query parameter\n /\nfunction extractTokenFromQuery(url: string): string \| null {\n const parsed = new URL(url);\n return parsed.searchParams.get('token');\n}\n\n/\n Create auth middleware for HTTP routes\n /\nexport function auth(config?: AuthConfig) {\n const { token, getGatewayAuth } = config \|\| {};\n const limiter = getAuthFailureRateLimiter();\n\n return createMiddleware(async (c, next) => {\n // If no token configured, allow all\n if (!token) {\n return next();\n }\n\n const rlInput = getGatewayAuth?.()?.rateLimit;\n const rlCfg = resolveAuthRateLimitConfig(rlInput);\n const rateLimitActive =\n rlCfg.enabled && !isAuthRateLimitGloballyDisabled();\n\n const clientIp = getClientIpFromHeaders({\n get: (name: string) => c.req.header(name) ?? undefined,\n });\n\n // Try header first, then query param\n const authHeader = extractTokenFromHeader(c.req.header('authorization'));\n const queryToken = extractTokenFromQuery(c.req.url);\n\n const providedToken = authHeader \|\| queryToken;\n\n // Allow valid credentials to pass immediately and clear historical failures for this client.\n // This avoids lockout after a user fixes token configuration.\n if (providedToken && validateToken(providedToken, token)) {\n if (rateLimitActive) {\n limiter.recordSuccess(clientIp);\n }\n await next();\n return;\n }\n\n if (rateLimitActive) {\n const blocked = limiter.checkBlocked(clientIp, rlCfg);\n if (blocked.blocked) {\n c.header('Retry-After', String(blocked.retryAfterSec));\n return c.json(\n {\n error: 'Too Many Requests',\n message: 'Too many authentication attempts',\n retryAfter: blocked.retryAfterSec,\n },\n 429,\n );\n }\n }\n\n if (!providedToken) {\n if (rateLimitActive) {\n limiter.recordFailure(clientIp, rlCfg);\n }\n log.warn(\n { path: c.req.path, method: c.req.method, clientIp, reason: 'missing_token' },\n 'HTTP auth rejected: no Bearer or ?token=',\n );\n return c.json({ error: 'Unauthorized', message: 'Missing authentication token' }, 401);\n }\n\n if (!validateToken(providedToken, token)) {\n if (rateLimitActive) {\n limiter.recordFailure(clientIp, rlCfg);\n }\n log.warn(\n { path: c.req.path, method: c.req.method, clientIp, reason: 'invalid_token' },\n 'HTTP auth rejected: token mismatch',\n );\n return c.json({ error: 'Unauthorized', message: 'Invalid authentication token' }, 401);\n }\n });\n}\n\nexport interface WebSocketAuthResult {\n valid: boolean;\n error?: string;\n}\n\n/\n Validate WebSocket connection token\n */\nexport function validateWebSocketAuth(\n url: URL,\n authHeader: string \| null,\n expectedToken?: string\n): WebSocketAuthResult {\n // If no token configured, allow all\n if (!expectedToken) {\n return { valid: true };\n }\n\n // Extract token from query param or header\n const queryToken = url.searchParams.get('token');\n const headerToken = extractTokenFromHeader(authHeader);\n\n const providedToken = queryToken \|\| headerToken;\n\n if (!providedToken) {\n log.warn(\n { path: url.pathname, reason: 'missing_token', hasHeaderToken: Boolean(headerToken) },\n 'WebSocket auth rejected: no token in query or Authorization',\n );\n return { valid: false, error: 'Missing authentication token' };\n }\n\n if (!safeEqualSecret(providedToken, expectedToken)) {\n log.warn({ path: url.pathname, reason: 'invalid_token' }, 'WebSocket auth rejected: token mismatch');\n return { valid: false, error: 'Invalid authentication token' };\n }\n\n return { valid: true };\n}\n"],"mappings":";;;;;;aASwD;AAExD,MAAM,MAAM,aAAa,YAAY;;;;AAWrC,SAAS,cAAc,eAAmC,eAAgC;AACxF,KAAI,CAAC,cAAe,QAAO;AAC3B,QAAO,gBAAgB,eAAe,cAAc;;;;;;AAOtD,SAAS,uBAAuB,YAA0C;AACxE,KAAI,CAAC,WAAY,QAAO;CAExB,MAAM,QAAQ,WAAW,MAAM,IAAI;AACnC,KAAI,MAAM,WAAW,KAAK,MAAM,GAAG,aAAa,KAAK,SACnD,QAAO,MAAM;AAEf,QAAO;;;;;AAMT,SAAS,sBAAsB,KAA4B;AAEzD,QAAO,IADY,IAAI,IACV,CAAC,aAAa,IAAI,QAAQ;;;;;AAMzC,SAAgB,KAAK,QAAqB;CACxC,MAAM,EAAE,OAAO,mBAAmB,UAAU,EAAE;CAC9C,MAAM,UAAU,2BAA2B;AAE3C,QAAO,iBAAiB,OAAO,GAAG,SAAS;AAEzC,MAAI,CAAC,MACH,QAAO,MAAM;EAGf,MAAM,UAAU,kBAAkB,EAAE;EACpC,MAAM,QAAQ,2BAA2B,QAAQ;EACjD,MAAM,kBACJ,MAAM,WAAW,CAAC,iCAAiC;EAErD,MAAM,WAAW,uBAAuB,EACtC,MAAM,SAAiB,EAAE,IAAI,OAAO,KAAK,IAAI,KAAA,GAC9C,CAAC;EAGF,MAAM,aAAa,uBAAuB,EAAE,IAAI,OAAO,gBAAgB,CAAC;EACxE,MAAM,aAAa,sBAAsB,EAAE,IAAI,IAAI;EAEnD,MAAM,gBAAgB,cAAc;AAIpC,MAAI,iBAAiB,cAAc,eAAe,MAAM,EAAE;AACxD,OAAI,gBACF,SAAQ,cAAc,SAAS;AAEjC,SAAM,MAAM;AACZ;;AAGF,MAAI,iBAAiB;GACnB,MAAM,UAAU,QAAQ,aAAa,UAAU,MAAM;AACrD,OAAI,QAAQ,SAAS;AACnB,MAAE,OAAO,eAAe,OAAO,QAAQ,cAAc,CAAC;AACtD,WAAO,EAAE,KACP;KACE,OAAO;KACP,SAAS;KACT,YAAY,QAAQ;KACrB,EACD,IACD;;;AAIL,MAAI,CAAC,eAAe;AAClB,OAAI,gBACF,SAAQ,cAAc,UAAU,MAAM;AAExC,OAAI,KACF;IAAE,MAAM,EAAE,IAAI;IAAM,QAAQ,EAAE,IAAI;IAAQ;IAAU,QAAQ;IAAiB,EAC7E,2CACD;AACD,UAAO,EAAE,KAAK;IAAE,OAAO;IAAgB,SAAS;IAAgC,EAAE,IAAI;;AAGxF,MAAI,CAAC,cAAc,eAAe,MAAM,EAAE;AACxC,OAAI,gBACF,SAAQ,cAAc,UAAU,MAAM;AAExC,OAAI,KACF;IAAE,MAAM,EAAE,IAAI;IAAM,QAAQ,EAAE,IAAI;IAAQ;IAAU,QAAQ;IAAiB,EAC7E,qCACD;AACD,UAAO,EAAE,KAAK;IAAE,OAAO;IAAgB,SAAS;IAAgC,EAAE,IAAI;;GAExF;;;;;AAWJ,SAAgB,sBACd,KACA,YACA,eACqB;AAErB,KAAI,CAAC,cACH,QAAO,EAAE,OAAO,MAAM;CAIxB,MAAM,aAAa,IAAI,aAAa,IAAI,QAAQ;CAChD,MAAM,cAAc,uBAAuB,WAAW;CAEtD,MAAM,gBAAgB,cAAc;AAEpC,KAAI,CAAC,eAAe;AAClB,MAAI,KACF;GAAE,MAAM,IAAI;GAAU,QAAQ;GAAiB,gBAAgB,QAAQ,YAAY;GAAE,EACrF,8DACD;AACD,SAAO;GAAE,OAAO;GAAO,OAAO;GAAgC;;AAGhE,KAAI,CAAC,gBAAgB,eAAe,cAAc,EAAE;AAClD,MAAI,KAAK;GAAE,MAAM,IAAI;GAAU,QAAQ;GAAiB,EAAE,0CAA0C;AACpG,SAAO;GAAE,OAAO;GAAO,OAAO;GAAgC;;AAGhE,QAAO,EAAE,OAAO,MAAM"}

package/dist/src/gateway/hono/middleware/scopes.d.ts ADDED Viewed

@@ -0,0 +1,15 @@
+/**
+ * Middleware that enforces operator scope requirements on API routes.
+ *
+ * This middleware runs AFTER the auth middleware. For authenticated requests,
+ * it checks that the declared operator scopes (defaulting to full access for
+ * token-authenticated users) satisfy the minimum scope required by the route.
+ *
+ * The scope system is currently implicit: all authenticated users get
+ * DEFAULT_OPERATOR_SCOPES. This lays the groundwork for future per-device
+ * or per-token scope restrictions (similar to OpenClaw's device pairing scopes).
+ */
+export declare function operatorScopes(): import("hono/dist/types/types.js").MiddlewareHandler<any, string, {}, Response & import("hono/dist/types/types.js").TypedResponse<{
+    error: string;
+    message: string;
+}, 403, "json">>;

package/dist/src/gateway/hono/middleware/scopes.js ADDED Viewed

@@ -0,0 +1,41 @@
+import { createLogger } from "../../../utils/logger/index.js";
+import { init_logger } from "../../../utils/logger.js";
+import { DEFAULT_OPERATOR_SCOPES, authorizeRouteScope } from "../../security/operator-scopes.js";
+import { createMiddleware } from "hono/factory";
+//#region src/gateway/hono/middleware/scopes.ts
+init_logger();
+const log = createLogger("Hono:Scopes");
+/**
+* Middleware that enforces operator scope requirements on API routes.
+*
+* This middleware runs AFTER the auth middleware. For authenticated requests,
+* it checks that the declared operator scopes (defaulting to full access for
+* token-authenticated users) satisfy the minimum scope required by the route.
+*
+* The scope system is currently implicit: all authenticated users get
+* DEFAULT_OPERATOR_SCOPES. This lays the groundwork for future per-device
+* or per-token scope restrictions (similar to OpenClaw's device pairing scopes).
+*/
+function operatorScopes() {
+	return createMiddleware(async (c, next) => {
+		const grantedScopes = [...DEFAULT_OPERATOR_SCOPES];
+		const scopeCheck = authorizeRouteScope(c.req.path, grantedScopes);
+		if (!scopeCheck.allowed && "requiredScope" in scopeCheck) {
+			const { requiredScope } = scopeCheck;
+			log.warn({
+				path: c.req.path,
+				method: c.req.method,
+				requiredScope
+			}, `Scope check failed: missing ${requiredScope}`);
+			return c.json({
+				error: "Forbidden",
+				message: `Missing required scope: ${requiredScope}`
+			}, 403);
+		}
+		await next();
+	});
+}
+//#endregion
+export { operatorScopes };
+//# sourceMappingURL=scopes.js.map

package/dist/src/gateway/hono/middleware/scopes.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"scopes.js","names":[],"sources":["../../../../../src/gateway/hono/middleware/scopes.ts"],"sourcesContent":["import { createMiddleware } from 'hono/factory';\nimport { authorizeRouteScope, DEFAULT_OPERATOR_SCOPES, type OperatorScope } from '../../security/operator-scopes.js';\nimport { createLogger } from '../../../utils/logger.js';\n\nconst log = createLogger('Hono:Scopes');\n\n/**\n * Middleware that enforces operator scope requirements on API routes.\n *\n * This middleware runs AFTER the auth middleware. For authenticated requests,\n * it checks that the declared operator scopes (defaulting to full access for\n * token-authenticated users) satisfy the minimum scope required by the route.\n *\n * The scope system is currently implicit: all authenticated users get\n * DEFAULT_OPERATOR_SCOPES. This lays the groundwork for future per-device\n * or per-token scope restrictions (similar to OpenClaw's device pairing scopes).\n */\nexport function operatorScopes() {\n return createMiddleware(async (c, next) => {\n // All currently authenticated users get full operator scopes.\n // In the future, device-paired connections or scoped tokens can provide\n // a narrower set via x-xopc-scopes header or connect payload.\n const grantedScopes: OperatorScope[] = [...DEFAULT_OPERATOR_SCOPES];\n\n const scopeCheck = authorizeRouteScope(c.req.path, grantedScopes);\n if (!scopeCheck.allowed && 'requiredScope' in scopeCheck) {\n const { requiredScope } = scopeCheck;\n log.warn(\n { path: c.req.path, method: c.req.method, requiredScope },\n `Scope check failed: missing ${requiredScope}`,\n );\n return c.json(\n {\n error: 'Forbidden',\n message: `Missing required scope: ${requiredScope}`,\n },\n 403,\n );\n }\n\n await next();\n });\n}\n"],"mappings":";;;;;aAEwD;AAExD,MAAM,MAAM,aAAa,cAAc;;;;;;;;;;;;AAavC,SAAgB,iBAAiB;AAC/B,QAAO,iBAAiB,OAAO,GAAG,SAAS;EAIzC,MAAM,gBAAiC,CAAC,GAAG,wBAAwB;EAEnE,MAAM,aAAa,oBAAoB,EAAE,IAAI,MAAM,cAAc;AACjE,MAAI,CAAC,WAAW,WAAW,mBAAmB,YAAY;GACxD,MAAM,EAAE,kBAAkB;AAC1B,OAAI,KACF;IAAE,MAAM,EAAE,IAAI;IAAM,QAAQ,EAAE,IAAI;IAAQ;IAAe,EACzD,+BAA+B,gBAChC;AACD,UAAO,EAAE,KACP;IACE,OAAO;IACP,SAAS,2BAA2B;IACrC,EACD,IACD;;AAGH,QAAM,MAAM;GACZ"}

package/dist/src/gateway/security/audit.d.ts ADDED Viewed

@@ -0,0 +1,18 @@
+import type { ResolvedGatewayAuth } from '../auth.js';
+export type SecurityAuditFinding = {
+    checkId: string;
+    severity: 'critical' | 'warn' | 'info';
+    title: string;
+    detail: string;
+};
+/**
+ * Audit the gateway configuration at startup and log security findings.
+ *
+ * This provides an early-warning system similar to OpenClaw's `security audit`
+ * command, adapted for xopc's configuration surface.
+ */
+export declare function auditGatewayConfig(params: {
+    auth: ResolvedGatewayAuth;
+    host?: string;
+    corsOrigins?: string[];
+}): SecurityAuditFinding[];

package/dist/src/gateway/security/audit.js ADDED Viewed

@@ -0,0 +1,68 @@
+import { createLogger } from "../../utils/logger/index.js";
+import { init_logger } from "../../utils/logger.js";
+//#region src/gateway/security/audit.ts
+init_logger();
+const log = createLogger("SecurityAudit");
+/**
+* Audit the gateway configuration at startup and log security findings.
+*
+* This provides an early-warning system similar to OpenClaw's `security audit`
+* command, adapted for xopc's configuration surface.
+*/
+function auditGatewayConfig(params) {
+	const findings = [];
+	if (params.auth.mode === "none") if (!(!params.host || params.host === "127.0.0.1" || params.host === "localhost" || params.host === "::1")) findings.push({
+		checkId: "gateway.auth.none_on_network",
+		severity: "critical",
+		title: "Gateway has no authentication on a network-accessible address",
+		detail: `Auth mode is "none" but gateway binds to ${params.host}. Any host on the network can access the gateway without credentials. Set gateway.auth.mode to "token" and configure a token.`
+	});
+	else findings.push({
+		checkId: "gateway.auth.none_loopback",
+		severity: "warn",
+		title: "Gateway authentication is disabled",
+		detail: "Auth mode is \"none\". This is acceptable for local development but should not be used in production."
+	});
+	if (params.corsOrigins?.includes("*")) findings.push({
+		checkId: "gateway.cors.wildcard",
+		severity: "warn",
+		title: "CORS allows all origins",
+		detail: "corsOrigins includes \"*\". Any website can make authenticated API calls to the gateway if it can obtain the token."
+	});
+	if (params.corsOrigins && params.corsOrigins.length > 20) findings.push({
+		checkId: "gateway.cors.excessive_origins",
+		severity: "info",
+		title: "Large number of CORS origins configured",
+		detail: `${params.corsOrigins.length} CORS origins configured. Review whether all are necessary.`
+	});
+	if (params.auth.mode === "token" && params.auth.token) {
+		if (!process.env.XOPC_GATEWAY_TOKEN) findings.push({
+			checkId: "gateway.auth.auto_generated_token",
+			severity: "info",
+			title: "Gateway token was auto-generated",
+			detail: "No explicit XOPC_GATEWAY_TOKEN set. The token was auto-generated and will change on each restart. Set XOPC_GATEWAY_TOKEN for a stable token."
+		});
+	}
+	for (const finding of findings) {
+		const logData = {
+			checkId: finding.checkId,
+			detail: finding.detail
+		};
+		switch (finding.severity) {
+			case "critical":
+				log.error(logData, `Security audit: ${finding.title}`);
+				break;
+			case "warn":
+				log.warn(logData, `Security audit: ${finding.title}`);
+				break;
+			case "info":
+				log.info(logData, `Security audit: ${finding.title}`);
+				break;
+		}
+	}
+	return findings;
+}
+//#endregion
+export { auditGatewayConfig };
+//# sourceMappingURL=audit.js.map

package/dist/src/gateway/security/audit.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"audit.js","names":[],"sources":["../../../../src/gateway/security/audit.ts"],"sourcesContent":["import type { ResolvedGatewayAuth } from '../auth.js';\nimport { createLogger } from '../../utils/logger.js';\n\nconst log = createLogger('SecurityAudit');\n\nexport type SecurityAuditFinding = {\n checkId: string;\n severity: 'critical' | 'warn' | 'info';\n title: string;\n detail: string;\n};\n\n/**\n * Audit the gateway configuration at startup and log security findings.\n *\n * This provides an early-warning system similar to OpenClaw's `security audit`\n * command, adapted for xopc's configuration surface.\n */\nexport function auditGatewayConfig(params: {\n auth: ResolvedGatewayAuth;\n host?: string;\n corsOrigins?: string[];\n}): SecurityAuditFinding[] {\n const findings: SecurityAuditFinding[] = [];\n\n // Check: no auth on non-loopback bind\n if (params.auth.mode === 'none') {\n const isLoopback = !params.host ||\n params.host === '127.0.0.1' ||\n params.host === 'localhost' ||\n params.host === '::1';\n\n if (!isLoopback) {\n findings.push({\n checkId: 'gateway.auth.none_on_network',\n severity: 'critical',\n title: 'Gateway has no authentication on a network-accessible address',\n detail: `Auth mode is \"none\" but gateway binds to ${params.host}. ` +\n 'Any host on the network can access the gateway without credentials. ' +\n 'Set gateway.auth.mode to \"token\" and configure a token.',\n });\n } else {\n findings.push({\n checkId: 'gateway.auth.none_loopback',\n severity: 'warn',\n title: 'Gateway authentication is disabled',\n detail: 'Auth mode is \"none\". This is acceptable for local development ' +\n 'but should not be used in production.',\n });\n }\n }\n\n // Check: wildcard CORS origins\n if (params.corsOrigins?.includes('*')) {\n findings.push({\n checkId: 'gateway.cors.wildcard',\n severity: 'warn',\n title: 'CORS allows all origins',\n detail: 'corsOrigins includes \"*\". Any website can make authenticated API calls ' +\n 'to the gateway if it can obtain the token.',\n });\n }\n\n // Check: too many CORS origins may indicate misconfiguration\n if (params.corsOrigins && params.corsOrigins.length > 20) {\n findings.push({\n checkId: 'gateway.cors.excessive_origins',\n severity: 'info',\n title: 'Large number of CORS origins configured',\n detail: `${params.corsOrigins.length} CORS origins configured. Review whether all are necessary.`,\n });\n }\n\n // Check: token mode without explicit token (auto-generated)\n if (params.auth.mode === 'token' && params.auth.token) {\n const envToken = process.env.XOPC_GATEWAY_TOKEN;\n if (!envToken) {\n findings.push({\n checkId: 'gateway.auth.auto_generated_token',\n severity: 'info',\n title: 'Gateway token was auto-generated',\n detail: 'No explicit XOPC_GATEWAY_TOKEN set. The token was auto-generated and will ' +\n 'change on each restart. Set XOPC_GATEWAY_TOKEN for a stable token.',\n });\n }\n }\n\n // Emit findings as log entries\n for (const finding of findings) {\n const logData = { checkId: finding.checkId, detail: finding.detail };\n switch (finding.severity) {\n case 'critical':\n log.error(logData, `Security audit: ${finding.title}`);\n break;\n case 'warn':\n log.warn(logData, `Security audit: ${finding.title}`);\n break;\n case 'info':\n log.info(logData, `Security audit: ${finding.title}`);\n break;\n }\n }\n\n return findings;\n}\n"],"mappings":";;;aACqD;AAErD,MAAM,MAAM,aAAa,gBAAgB;;;;;;;AAezC,SAAgB,mBAAmB,QAIR;CACzB,MAAM,WAAmC,EAAE;AAG3C,KAAI,OAAO,KAAK,SAAS,OAMvB,KAAI,EALe,CAAC,OAAO,QACzB,OAAO,SAAS,eAChB,OAAO,SAAS,eAChB,OAAO,SAAS,OAGhB,UAAS,KAAK;EACZ,SAAS;EACT,UAAU;EACV,OAAO;EACP,QAAQ,4CAA4C,OAAO,KAAK;EAGjE,CAAC;KAEF,UAAS,KAAK;EACZ,SAAS;EACT,UAAU;EACV,OAAO;EACP,QAAQ;EAET,CAAC;AAKN,KAAI,OAAO,aAAa,SAAS,IAAI,CACnC,UAAS,KAAK;EACZ,SAAS;EACT,UAAU;EACV,OAAO;EACP,QAAQ;EAET,CAAC;AAIJ,KAAI,OAAO,eAAe,OAAO,YAAY,SAAS,GACpD,UAAS,KAAK;EACZ,SAAS;EACT,UAAU;EACV,OAAO;EACP,QAAQ,GAAG,OAAO,YAAY,OAAO;EACtC,CAAC;AAIJ,KAAI,OAAO,KAAK,SAAS,WAAW,OAAO,KAAK;MAE1C,CADa,QAAQ,IAAI,mBAE3B,UAAS,KAAK;GACZ,SAAS;GACT,UAAU;GACV,OAAO;GACP,QAAQ;GAET,CAAC;;AAKN,MAAK,MAAM,WAAW,UAAU;EAC9B,MAAM,UAAU;GAAE,SAAS,QAAQ;GAAS,QAAQ,QAAQ;GAAQ;AACpE,UAAQ,QAAQ,UAAhB;GACE,KAAK;AACH,QAAI,MAAM,SAAS,mBAAmB,QAAQ,QAAQ;AACtD;GACF,KAAK;AACH,QAAI,KAAK,SAAS,mBAAmB,QAAQ,QAAQ;AACrD;GACF,KAAK;AACH,QAAI,KAAK,SAAS,mBAAmB,QAAQ,QAAQ;AACrD;;;AAIN,QAAO"}

package/dist/src/gateway/security/csp.d.ts ADDED Viewed

@@ -0,0 +1,19 @@
+/**
+ * Compute SHA-256 CSP hashes for inline `<script>` blocks in an HTML string.
+ * Only scripts without a `src` attribute are considered inline.
+ */
+export declare function computeInlineScriptHashes(html: string): string[];
+/**
+ * Build a Content-Security-Policy header string.
+ *
+ * For the gateway console, we use:
+ * - `script-src 'self'` + optional SHA-256 hashes for inline scripts (no unsafe-inline)
+ * - `style-src 'self' 'unsafe-inline'` (Tailwind + runtime style injection)
+ * - `frame-ancestors 'none'` (prevent clickjacking)
+ * - `base-uri 'none'` (prevent base tag hijacking)
+ * - `object-src 'none'` (prevent plugin execution)
+ */
+export declare function buildGatewayConsoleCspHeader(options?: {
+    inlineScriptHashes?: string[];
+    connectSrc?: string;
+}): string;

package/dist/src/gateway/security/csp.js ADDED Viewed

@@ -0,0 +1,52 @@
+import { createHash } from "node:crypto";
+//#region src/gateway/security/csp.ts
+/**
+* Compute SHA-256 CSP hashes for inline `<script>` blocks in an HTML string.
+* Only scripts without a `src` attribute are considered inline.
+*/
+function computeInlineScriptHashes(html) {
+	const hashes = [];
+	const scriptRegex = /<script(?:\s[^>]*)?>([^]*?)<\/script>/gi;
+	let match;
+	while ((match = scriptRegex.exec(html)) !== null) {
+		if (hasSrcAttribute(match[0].slice(0, match[0].indexOf(">") + 1))) continue;
+		const content = match[1];
+		if (!content) continue;
+		const hash = createHash("sha256").update(content, "utf8").digest("base64");
+		hashes.push(`sha256-${hash}`);
+	}
+	return hashes;
+}
+const ATTRIBUTE_NAME_REGEX = /\s([^\s=/>]+)(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]+))?/g;
+function hasSrcAttribute(openTag) {
+	return Array.from(openTag.matchAll(ATTRIBUTE_NAME_REGEX)).some((attrMatch) => attrMatch[1]?.toLowerCase() === "src");
+}
+/**
+* Build a Content-Security-Policy header string.
+*
+* For the gateway console, we use:
+* - `script-src 'self'` + optional SHA-256 hashes for inline scripts (no unsafe-inline)
+* - `style-src 'self' 'unsafe-inline'` (Tailwind + runtime style injection)
+* - `frame-ancestors 'none'` (prevent clickjacking)
+* - `base-uri 'none'` (prevent base tag hijacking)
+* - `object-src 'none'` (prevent plugin execution)
+*/
+function buildGatewayConsoleCspHeader(options) {
+	const hashes = options?.inlineScriptHashes;
+	return [
+		"default-src 'self'",
+		"base-uri 'none'",
+		"object-src 'none'",
+		"frame-ancestors 'none'",
+		hashes?.length ? `script-src 'self' ${hashes.map((hash) => `'${hash}'`).join(" ")}` : "script-src 'self'",
+		"style-src 'self' 'unsafe-inline'",
+		"img-src 'self' data: blob: https:",
+		"font-src 'self'",
+		`connect-src ${options?.connectSrc ?? "'self' ws: wss:"}`,
+		"worker-src 'self'"
+	].join("; ");
+}
+//#endregion
+export { buildGatewayConsoleCspHeader, computeInlineScriptHashes };
+//# sourceMappingURL=csp.js.map

package/dist/src/gateway/security/csp.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"csp.js","names":[],"sources":["../../../../src/gateway/security/csp.ts"],"sourcesContent":["import { createHash } from 'node:crypto';\n\n/**\n * Compute SHA-256 CSP hashes for inline `<script>` blocks in an HTML string.\n * Only scripts without a `src` attribute are considered inline.\n */\nexport function computeInlineScriptHashes(html: string): string[] {\n const hashes: string[] = [];\n const scriptRegex = /<script(?:\\s[^>]*)?>([^]*?)<\\/script>/gi;\n let match: RegExpExecArray | null;\n while ((match = scriptRegex.exec(html)) !== null) {\n const openTag = match[0].slice(0, match[0].indexOf('>') + 1);\n if (hasSrcAttribute(openTag)) {\n continue;\n }\n const content = match[1];\n if (!content) {\n continue;\n }\n const hash = createHash('sha256').update(content, 'utf8').digest('base64');\n hashes.push(`sha256-${hash}`);\n }\n return hashes;\n}\n\nconst ATTRIBUTE_NAME_REGEX = /\\s([^\\s=/>]+)(?:\\s*=\\s*(?:\"[^\"]*\"|'[^']*'|[^\\s>]+))?/g;\n\nfunction hasSrcAttribute(openTag: string): boolean {\n return Array.from(openTag.matchAll(ATTRIBUTE_NAME_REGEX)).some(\n (attrMatch) => attrMatch[1]?.toLowerCase() === 'src',\n );\n}\n\n/**\n * Build a Content-Security-Policy header string.\n *\n * For the gateway console, we use:\n * - `script-src 'self'` + optional SHA-256 hashes for inline scripts (no unsafe-inline)\n * - `style-src 'self' 'unsafe-inline'` (Tailwind + runtime style injection)\n * - `frame-ancestors 'none'` (prevent clickjacking)\n * - `base-uri 'none'` (prevent base tag hijacking)\n * - `object-src 'none'` (prevent plugin execution)\n */\nexport function buildGatewayConsoleCspHeader(options?: {\n inlineScriptHashes?: string[];\n connectSrc?: string;\n}): string {\n const hashes = options?.inlineScriptHashes;\n const scriptSrc = hashes?.length\n ? `script-src 'self' ${hashes.map((hash) => `'${hash}'`).join(' ')}`\n : \"script-src 'self'\";\n const connectSrc = options?.connectSrc ?? \"'self' ws: wss:\";\n\n return [\n \"default-src 'self'\",\n \"base-uri 'none'\",\n \"object-src 'none'\",\n \"frame-ancestors 'none'\",\n scriptSrc,\n \"style-src 'self' 'unsafe-inline'\",\n \"img-src 'self' data: blob: https:\",\n \"font-src 'self'\",\n `connect-src ${connectSrc}`,\n \"worker-src 'self'\",\n ].join('; ');\n}\n"],"mappings":";;;;;;AAMA,SAAgB,0BAA0B,MAAwB;CAChE,MAAM,SAAmB,EAAE;CAC3B,MAAM,cAAc;CACpB,IAAI;AACJ,SAAQ,QAAQ,YAAY,KAAK,KAAK,MAAM,MAAM;AAEhD,MAAI,gBADY,MAAM,GAAG,MAAM,GAAG,MAAM,GAAG,QAAQ,IAAI,GAAG,EAC/B,CAAC,CAC1B;EAEF,MAAM,UAAU,MAAM;AACtB,MAAI,CAAC,QACH;EAEF,MAAM,OAAO,WAAW,SAAS,CAAC,OAAO,SAAS,OAAO,CAAC,OAAO,SAAS;AAC1E,SAAO,KAAK,UAAU,OAAO;;AAE/B,QAAO;;AAGT,MAAM,uBAAuB;AAE7B,SAAS,gBAAgB,SAA0B;AACjD,QAAO,MAAM,KAAK,QAAQ,SAAS,qBAAqB,CAAC,CAAC,MACvD,cAAc,UAAU,IAAI,aAAa,KAAK,MAChD;;;;;;;;;;;;AAaH,SAAgB,6BAA6B,SAGlC;CACT,MAAM,SAAS,SAAS;AAMxB,QAAO;EACL;EACA;EACA;EACA;EATgB,QAAQ,SACtB,qBAAqB,OAAO,KAAK,SAAS,IAAI,KAAK,GAAG,CAAC,KAAK,IAAI,KAChE;EASF;EACA;EACA;EACA,eAXiB,SAAS,cAAc;EAYxC;EACD,CAAC,KAAK,KAAK"}

package/dist/src/gateway/security/dangerous-tools.d.ts ADDED Viewed

@@ -0,0 +1,20 @@
+/**
+ * Tools denied via Gateway HTTP tool invoke endpoints by default.
+ *
+ * These are high-risk because they enable command execution, file mutation,
+ * session orchestration, or control-plane actions that don't belong on a
+ * non-interactive HTTP surface.
+ */
+export declare const DEFAULT_GATEWAY_HTTP_TOOL_DENY: readonly string[];
+/**
+ * Check whether a tool name is in the default HTTP deny list.
+ */
+export declare function isDangerousHttpTool(toolName: string): boolean;
+/**
+ * Filter a list of tool names, removing those on the HTTP deny list.
+ * Returns only the safe tools.
+ */
+export declare function filterDangerousHttpTools(toolNames: string[]): {
+    allowed: string[];
+    denied: string[];
+};

package/dist/src/gateway/security/dangerous-tools.js ADDED Viewed

@@ -0,0 +1,46 @@
+//#region src/gateway/security/dangerous-tools.ts
+/**
+* Tools denied via Gateway HTTP tool invoke endpoints by default.
+*
+* These are high-risk because they enable command execution, file mutation,
+* session orchestration, or control-plane actions that don't belong on a
+* non-interactive HTTP surface.
+*/
+const DEFAULT_GATEWAY_HTTP_TOOL_DENY = [
+	"exec",
+	"spawn",
+	"shell",
+	"fs_write",
+	"fs_delete",
+	"fs_move",
+	"apply_patch",
+	"sessions_spawn",
+	"sessions_send",
+	"cron",
+	"gateway"
+];
+const DANGEROUS_TOOL_SET = new Set(DEFAULT_GATEWAY_HTTP_TOOL_DENY);
+/**
+* Check whether a tool name is in the default HTTP deny list.
+*/
+function isDangerousHttpTool(toolName) {
+	return DANGEROUS_TOOL_SET.has(toolName.toLowerCase());
+}
+/**
+* Filter a list of tool names, removing those on the HTTP deny list.
+* Returns only the safe tools.
+*/
+function filterDangerousHttpTools(toolNames) {
+	const allowed = [];
+	const denied = [];
+	for (const name of toolNames) if (isDangerousHttpTool(name)) denied.push(name);
+	else allowed.push(name);
+	return {
+		allowed,
+		denied
+	};
+}
+//#endregion
+export { DEFAULT_GATEWAY_HTTP_TOOL_DENY, filterDangerousHttpTools, isDangerousHttpTool };
+//# sourceMappingURL=dangerous-tools.js.map

package/dist/src/gateway/security/dangerous-tools.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"dangerous-tools.js","names":[],"sources":["../../../../src/gateway/security/dangerous-tools.ts"],"sourcesContent":["/**\n * Tools denied via Gateway HTTP tool invoke endpoints by default.\n *\n * These are high-risk because they enable command execution, file mutation,\n * session orchestration, or control-plane actions that don't belong on a\n * non-interactive HTTP surface.\n */\nexport const DEFAULT_GATEWAY_HTTP_TOOL_DENY: readonly string[] = [\n // Direct command execution — immediate RCE surface\n 'exec',\n // Arbitrary child process creation\n 'spawn',\n // Shell command execution\n 'shell',\n // Arbitrary file mutation on the host\n 'fs_write',\n // Arbitrary file deletion on the host\n 'fs_delete',\n // Arbitrary file move/rename on the host\n 'fs_move',\n // Patch application can rewrite arbitrary files\n 'apply_patch',\n // Session orchestration — spawning agents remotely is RCE\n 'sessions_spawn',\n // Cross-session injection — message injection across sessions\n 'sessions_send',\n // Persistent automation control plane — can create/update/remove scheduled runs\n 'cron',\n // Gateway control plane — prevents gateway reconfiguration via HTTP\n 'gateway',\n] as const;\n\nconst DANGEROUS_TOOL_SET: ReadonlySet<string> = new Set(DEFAULT_GATEWAY_HTTP_TOOL_DENY);\n\n/**\n * Check whether a tool name is in the default HTTP deny list.\n */\nexport function isDangerousHttpTool(toolName: string): boolean {\n return DANGEROUS_TOOL_SET.has(toolName.toLowerCase());\n}\n\n/**\n * Filter a list of tool names, removing those on the HTTP deny list.\n * Returns only the safe tools.\n */\nexport function filterDangerousHttpTools(toolNames: string[]): {\n allowed: string[];\n denied: string[];\n} {\n const allowed: string[] = [];\n const denied: string[] = [];\n for (const name of toolNames) {\n if (isDangerousHttpTool(name)) {\n denied.push(name);\n } else {\n allowed.push(name);\n }\n }\n return { allowed, denied };\n}\n"],"mappings":";;;;;;;;AAOA,MAAa,iCAAoD;CAE/D;CAEA;CAEA;CAEA;CAEA;CAEA;CAEA;CAEA;CAEA;CAEA;CAEA;CACD;AAED,MAAM,qBAA0C,IAAI,IAAI,+BAA+B;;;;AAKvF,SAAgB,oBAAoB,UAA2B;AAC7D,QAAO,mBAAmB,IAAI,SAAS,aAAa,CAAC;;;;;;AAOvD,SAAgB,yBAAyB,WAGvC;CACA,MAAM,UAAoB,EAAE;CAC5B,MAAM,SAAmB,EAAE;AAC3B,MAAK,MAAM,QAAQ,UACjB,KAAI,oBAAoB,KAAK,CAC3B,QAAO,KAAK,KAAK;KAEjB,SAAQ,KAAK,KAAK;AAGtB,QAAO;EAAE;EAAS;EAAQ"}

package/dist/src/gateway/security/flood-guard.d.ts ADDED Viewed

@@ -0,0 +1,28 @@
+/**
+ * Unauthorized flood guard for WebSocket connections.
+ *
+ * Tracks repeated unauthorized message attempts on a single WS connection
+ * and decides when to forcibly close it. Prevents a rogue client from
+ * holding a socket open and spamming unauthorized requests.
+ */
+export type FloodGuardOptions = {
+    /** Close the connection after this many unauthorized messages. @default 10 */
+    closeAfter?: number;
+    /** Log every N unauthorized messages to prevent log spam. @default 100 */
+    logEvery?: number;
+};
+export type FloodGuardDecision = {
+    shouldClose: boolean;
+    shouldLog: boolean;
+    count: number;
+    suppressedSinceLastLog: number;
+};
+export declare class UnauthorizedFloodGuard {
+    private readonly closeAfter;
+    private readonly logEvery;
+    private count;
+    private suppressedSinceLastLog;
+    constructor(options?: FloodGuardOptions);
+    registerUnauthorized(): FloodGuardDecision;
+    reset(): void;
+}

package/dist/src/gateway/security/flood-guard.js ADDED Viewed

@@ -0,0 +1,42 @@
+//#region src/gateway/security/flood-guard.ts
+const DEFAULT_CLOSE_AFTER = 10;
+const DEFAULT_LOG_EVERY = 100;
+var UnauthorizedFloodGuard = class {
+	closeAfter;
+	logEvery;
+	count = 0;
+	suppressedSinceLastLog = 0;
+	constructor(options) {
+		this.closeAfter = Math.max(1, Math.floor(options?.closeAfter ?? DEFAULT_CLOSE_AFTER));
+		this.logEvery = Math.max(1, Math.floor(options?.logEvery ?? DEFAULT_LOG_EVERY));
+	}
+	registerUnauthorized() {
+		this.count += 1;
+		const shouldClose = this.count > this.closeAfter;
+		if (!(this.count === 1 || this.count % this.logEvery === 0 || shouldClose)) {
+			this.suppressedSinceLastLog += 1;
+			return {
+				shouldClose,
+				shouldLog: false,
+				count: this.count,
+				suppressedSinceLastLog: 0
+			};
+		}
+		const suppressedSinceLastLog = this.suppressedSinceLastLog;
+		this.suppressedSinceLastLog = 0;
+		return {
+			shouldClose,
+			shouldLog: true,
+			count: this.count,
+			suppressedSinceLastLog
+		};
+	}
+	reset() {
+		this.count = 0;
+		this.suppressedSinceLastLog = 0;
+	}
+};
+//#endregion
+export { UnauthorizedFloodGuard };
+//# sourceMappingURL=flood-guard.js.map

package/dist/src/gateway/security/flood-guard.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"flood-guard.js","names":[],"sources":["../../../../src/gateway/security/flood-guard.ts"],"sourcesContent":["/**\n * Unauthorized flood guard for WebSocket connections.\n *\n * Tracks repeated unauthorized message attempts on a single WS connection\n * and decides when to forcibly close it. Prevents a rogue client from\n * holding a socket open and spamming unauthorized requests.\n */\n\nexport type FloodGuardOptions = {\n /** Close the connection after this many unauthorized messages. @default 10 */\n closeAfter?: number;\n /** Log every N unauthorized messages to prevent log spam. @default 100 */\n logEvery?: number;\n};\n\nexport type FloodGuardDecision = {\n shouldClose: boolean;\n shouldLog: boolean;\n count: number;\n suppressedSinceLastLog: number;\n};\n\nconst DEFAULT_CLOSE_AFTER = 10;\nconst DEFAULT_LOG_EVERY = 100;\n\nexport class UnauthorizedFloodGuard {\n private readonly closeAfter: number;\n private readonly logEvery: number;\n private count = 0;\n private suppressedSinceLastLog = 0;\n\n constructor(options?: FloodGuardOptions) {\n this.closeAfter = Math.max(1, Math.floor(options?.closeAfter ?? DEFAULT_CLOSE_AFTER));\n this.logEvery = Math.max(1, Math.floor(options?.logEvery ?? DEFAULT_LOG_EVERY));\n }\n\n registerUnauthorized(): FloodGuardDecision {\n this.count += 1;\n const shouldClose = this.count > this.closeAfter;\n const shouldLog = this.count === 1 || this.count % this.logEvery === 0 || shouldClose;\n\n if (!shouldLog) {\n this.suppressedSinceLastLog += 1;\n return {\n shouldClose,\n shouldLog: false,\n count: this.count,\n suppressedSinceLastLog: 0,\n };\n }\n\n const suppressedSinceLastLog = this.suppressedSinceLastLog;\n this.suppressedSinceLastLog = 0;\n return {\n shouldClose,\n shouldLog: true,\n count: this.count,\n suppressedSinceLastLog,\n };\n }\n\n reset(): void {\n this.count = 0;\n this.suppressedSinceLastLog = 0;\n }\n}\n"],"mappings":";AAsBA,MAAM,sBAAsB;AAC5B,MAAM,oBAAoB;AAE1B,IAAa,yBAAb,MAAoC;CAClC;CACA;CACA,QAAgB;CAChB,yBAAiC;CAEjC,YAAY,SAA6B;AACvC,OAAK,aAAa,KAAK,IAAI,GAAG,KAAK,MAAM,SAAS,cAAc,oBAAoB,CAAC;AACrF,OAAK,WAAW,KAAK,IAAI,GAAG,KAAK,MAAM,SAAS,YAAY,kBAAkB,CAAC;;CAGjF,uBAA2C;AACzC,OAAK,SAAS;EACd,MAAM,cAAc,KAAK,QAAQ,KAAK;AAGtC,MAAI,EAFc,KAAK,UAAU,KAAK,KAAK,QAAQ,KAAK,aAAa,KAAK,cAE1D;AACd,QAAK,0BAA0B;AAC/B,UAAO;IACL;IACA,WAAW;IACX,OAAO,KAAK;IACZ,wBAAwB;IACzB;;EAGH,MAAM,yBAAyB,KAAK;AACpC,OAAK,yBAAyB;AAC9B,SAAO;GACL;GACA,WAAW;GACX,OAAO,KAAK;GACZ;GACD;;CAGH,QAAc;AACZ,OAAK,QAAQ;AACb,OAAK,yBAAyB"}