@xtrable-ltd/nanoesis 0.1.0

package/dist/adapter-shell.js

@@ -0,0 +1,56 @@
+// ../../adapters/shell/src/shell-prebuild.ts
+import { spawn } from "child_process";
+var defaultSpawner = (command, { cwd, env }) => new Promise((resolve, reject) => {
+  const child = spawn(command, { cwd, env, shell: true, stdio: "inherit" });
+  child.once("error", reject);
+  child.once("close", (code) => {
+    resolve(code);
+  });
+});
+var ShellPreBuildHook = class {
+  constructor(config) {
+    this.config = config;
+    this.spawnFn = config.spawn ?? defaultSpawner;
+  }
+  config;
+  spawnFn;
+  async run() {
+    const code = await this.spawnFn(this.config.command, {
+      cwd: this.config.cwd,
+      env: this.config.env ?? process.env
+    });
+    if (code !== 0) {
+      throw new Error(
+        `prebuild "${this.config.command}" exited with code ${code ?? "null (signal)"}`
+      );
+    }
+  }
+};
+
+// ../../adapters/shell/src/site-config.ts
+import { readFile } from "fs/promises";
+import { join } from "path";
+async function readPrebuildCommand(siteDir) {
+  let raw;
+  try {
+    raw = await readFile(join(siteDir, "package.json"), "utf8");
+  } catch {
+    return void 0;
+  }
+  const text = raw.charCodeAt(0) === 65279 ? raw.slice(1) : raw;
+  let pkg;
+  try {
+    pkg = JSON.parse(text);
+  } catch {
+    return void 0;
+  }
+  if (typeof pkg !== "object" || pkg === null) return void 0;
+  const nano = pkg["nanoesis"];
+  if (typeof nano !== "object" || nano === null) return void 0;
+  const cmd = nano["prebuild"];
+  return typeof cmd === "string" && cmd.trim() !== "" ? cmd : void 0;
+}
+export {
+  ShellPreBuildHook,
+  readPrebuildCommand
+};

package/dist/adapter-trusted-header.d.ts

@@ -0,0 +1,43 @@
+import { IdentityProvider } from '@nanoesis/engine';
+
+/**
+ * Configuration for {@link trustedHeaderIdentity}. Every header name is overridable so
+ * the same adapter handles standard reverse-proxy headers (oauth2-proxy, Authentik,
+ * Keycloak, Traefik forwardAuth) and named-header gateways alike. Defaults to the
+ * widely-used `X-Forwarded-User` / `X-Forwarded-Email` / `X-Forwarded-Roles`.
+ *
+ * For Easy Auth, point `userIdHeader` at `X-MS-Client-Principal-Name` (or `-Id`) and
+ * either set `rolesHeader` to a header the gateway exposes, or front the app with
+ * something that translates Easy Auth's base64 JSON principal into standard headers.
+ * For Cloudflare Access, `Cf-Access-Authenticated-User-Email` works as either userId
+ * or email, set the same header for both if you want.
+ */
+interface TrustedHeaderConfig {
+    /** Header carrying the user identifier (also used as the display handle). Default: `X-Forwarded-User`. */
+    readonly userIdHeader?: string;
+    /**
+     * Header carrying the roles as a comma-separated list (case-insensitive). Roles
+     * outside the known set (`author`, `developer`, `admin`) are dropped, defence in
+     * depth, the gateway is the authority on what counts as a real role. Default:
+     * `X-Forwarded-Roles`.
+     */
+    readonly rolesHeader?: string;
+}
+/**
+ * A trusted-header {@link IdentityProvider} (DESIGN §11, the recommended production
+ * path). An upstream gateway (Easy Auth, Cloudflare Access, oauth2-proxy, Authentik,
+ * Keycloak) does the actual authentication and forwards the result as request
+ * headers; nanoesis trusts those headers **because the host is only reachable
+ * through that gateway**.
+ *
+ * No login code, no session storage, no password handling, every one of those is the
+ * gateway's job. A missing or empty userId header resolves to anonymous (null), at
+ * which point the host's role policy denies the editing routes.
+ *
+ * **Operational guarantee:** if requests can reach the host without going through the
+ * gateway, this provider is unsafe (a client can forge the headers). This is true of
+ * every trusted-header scheme, not specific to this implementation.
+ */
+declare function trustedHeaderIdentity(config?: TrustedHeaderConfig): IdentityProvider;
+
+export { type TrustedHeaderConfig, trustedHeaderIdentity };

package/dist/adapter-trusted-header.js

@@ -0,0 +1,21 @@
+// ../../adapters/trusted-header/src/trusted-header.ts
+var KNOWN_ROLES = /* @__PURE__ */ new Set(["author", "developer", "admin"]);
+function isRole(value) {
+  return KNOWN_ROLES.has(value);
+}
+function trustedHeaderIdentity(config = {}) {
+  const userIdHeader = config.userIdHeader ?? "X-Forwarded-User";
+  const rolesHeader = config.rolesHeader ?? "X-Forwarded-Roles";
+  return {
+    async authenticate(getHeader) {
+      const userId = getHeader(userIdHeader);
+      if (userId === void 0 || userId === "") return null;
+      const rolesRaw = getHeader(rolesHeader) ?? "";
+      const roles = rolesRaw.split(",").map((r) => r.trim().toLowerCase()).filter(isRole);
+      return { userId, username: userId, roles };
+    }
+  };
+}
+export {
+  trustedHeaderIdentity
+};