@zintrust/cloudflare-kv-proxy 0.7.9

package/README.md

@@ -0,0 +1,78 @@
+# @zintrust/cloudflare-kv-proxy
+
+Cloudflare Worker service that exposes a small HTTPS API for KV operations.
+
+Docs: https://zintrust.com/package-cloudflare-kv-proxy
+
+This is intended for **server-to-server** use (e.g. a Node app running outside Cloudflare), via ZinTrust’s `kv-remote` cache driver.
+
+## Endpoints
+
+All endpoints are `POST` and require signed request headers.
+
+- `/zin/kv/get` → `{ namespace?, key, type? }` → `{ value }`
+- `/zin/kv/put` → `{ namespace?, key, value, ttlSeconds? }` → `{ ok: true }`
+- `/zin/kv/delete` → `{ namespace?, key }` → `{ ok: true }`
+- `/zin/kv/list` → `{ namespace?, prefix?, cursor?, limit? }` → `{ keys, cursor, listComplete }`
+
+## Required bindings
+
+- KV binding: `CACHE`
+
+If your binding name is not `CACHE`, set Worker var `KV_NAMESPACE` to your binding name.
+
+Optional (recommended):
+
+- KV binding: `ZT_NONCES` (nonce replay protection)
+
+## Required secrets / vars
+
+**Secret (required):**
+
+- `KV_REMOTE_SECRET` – shared signing secret used to verify requests.
+- `APP_KEY` – fallback shared signing secret if `KV_REMOTE_SECRET` is not set.
+
+Example:
+
+```json
+{
+  "k1": { "secret": "super-secret-shared-key" }
+}
+```
+
+**Vars (optional):**
+
+- `ZT_PROXY_SIGNING_WINDOW_MS` (default `60000`)
+- `ZT_MAX_BODY_BYTES` (default `131072`)
+- `ZT_KV_PREFIX` (default empty) – prefix used when storing keys
+- `ZT_KV_LIST_LIMIT` (default `100`) – upper bound for list limit
+
+## Deploy
+
+From this package directory:
+
+```bash
+wrangler deploy
+```
+
+Set secrets:
+
+```bash
+wrangler secret put KV_REMOTE_SECRET
+```
+
+## Use from ZinTrust (Node app)
+
+Configure your app:
+
+- `CACHE_DRIVER=kv-remote`
+- `KV_REMOTE_URL=https://<your-worker-host>`
+- `KV_REMOTE_KEY_ID=k1`
+- `KV_REMOTE_SECRET=super-secret-shared-key`
+- `KV_REMOTE_NAMESPACE=CACHE` (or empty)
+
+Then use `Cache.get/set/delete` as normal.
+
+## License
+
+This package and its dependencies are MIT licensed, permitting free commercial use.

package/dist/SignedRequest.d.ts

@@ -0,0 +1,38 @@
+export type SignedRequestHeaders = {
+    'x-zt-key-id': string;
+    'x-zt-timestamp': string;
+    'x-zt-nonce': string;
+    'x-zt-body-sha256': string;
+    'x-zt-signature': string;
+};
+export type SignedRequestVerifyParams = {
+    method: string;
+    url: string | URL;
+    body?: string | Uint8Array | null;
+    headers: Headers | Record<string, string | undefined>;
+    getSecretForKeyId: (keyId: string) => string | undefined | Promise<string | undefined>;
+    nowMs?: number;
+    windowMs?: number;
+    verifyNonce?: (keyId: string, nonce: string, ttlMs: number) => Promise<boolean>;
+};
+export type SignedRequestVerifyResult = {
+    ok: true;
+    keyId: string;
+    timestampMs: number;
+    nonce: string;
+} | {
+    ok: false;
+    code: 'MISSING_HEADER' | 'INVALID_TIMESTAMP' | 'EXPIRED' | 'INVALID_BODY_SHA' | 'INVALID_SIGNATURE' | 'UNKNOWN_KEY' | 'REPLAYED';
+    message: string;
+};
+export declare const SignedRequest: Readonly<{
+    sha256Hex: (data: string | Uint8Array) => Promise<string>;
+    canonicalString: (params: {
+        method: string;
+        url: string | URL;
+        timestampMs: number;
+        nonce: string;
+        bodySha256Hex: string;
+    }) => string;
+    verify(params: SignedRequestVerifyParams): Promise<SignedRequestVerifyResult>;
+}>;

package/dist/SignedRequest.js

@@ -0,0 +1,144 @@
+const getHeader = (headers, name) => {
+    if (typeof headers.get === 'function') {
+        const value = headers.get(name);
+        return value ?? undefined;
+    }
+    return headers[name];
+};
+const timingSafeEquals = (a, b) => {
+    if (a.length !== b.length)
+        return false;
+    let result = 0;
+    for (let i = 0; i < a.length; i++) {
+        result |= (a.codePointAt(i) ?? 0) ^ (b.codePointAt(i) ?? 0);
+    }
+    return result === 0;
+};
+const getSubtleOrNull = () => {
+    if (typeof crypto === 'undefined' || crypto.subtle === undefined)
+        return null;
+    return crypto.subtle;
+};
+const toBytes = (data) => {
+    const bytes = typeof data === 'string' ? new TextEncoder().encode(data) : data;
+    return new Uint8Array(bytes);
+};
+const toHex = (bytes) => {
+    const view = bytes instanceof Uint8Array ? bytes : new Uint8Array(bytes);
+    let out = '';
+    for (const element of view) {
+        out += element.toString(16).padStart(2, '0');
+    }
+    return out;
+};
+const sha256Hex = async (data) => {
+    const subtle = getSubtleOrNull();
+    if (subtle === null)
+        return '';
+    const digest = await subtle.digest('SHA-256', toBytes(data));
+    return toHex(digest);
+};
+const canonicalString = (params) => {
+    const u = typeof params.url === 'string' ? new URL(params.url) : params.url;
+    const method = params.method.toUpperCase();
+    return [
+        method,
+        u.pathname,
+        u.search,
+        String(params.timestampMs),
+        params.nonce,
+        params.bodySha256Hex,
+    ].join('\n');
+};
+const parseAndValidateHeaders = (headers) => {
+    const keyId = getHeader(headers, 'x-zt-key-id');
+    const ts = getHeader(headers, 'x-zt-timestamp');
+    const nonce = getHeader(headers, 'x-zt-nonce');
+    const bodySha = getHeader(headers, 'x-zt-body-sha256');
+    const signature = getHeader(headers, 'x-zt-signature');
+    if (keyId === undefined ||
+        ts === undefined ||
+        nonce === undefined ||
+        bodySha === undefined ||
+        signature === undefined) {
+        return { ok: false, code: 'MISSING_HEADER', message: 'Missing required signing headers' };
+    }
+    const timestampMs = Number.parseInt(ts, 10);
+    if (!Number.isFinite(timestampMs)) {
+        return { ok: false, code: 'INVALID_TIMESTAMP', message: 'Invalid x-zt-timestamp' };
+    }
+    return { ok: true, keyId, timestampMs, nonce, bodySha, signature };
+};
+const validateTimestampWindow = (params) => {
+    if (Math.abs(params.nowMs - params.timestampMs) > params.windowMs) {
+        return { ok: false, code: 'EXPIRED', message: 'Request timestamp outside allowed window' };
+    }
+    return { ok: true };
+};
+const validateBodyHash = async (params) => {
+    const computedBodySha = await sha256Hex(params.body);
+    if (computedBodySha === '' || !timingSafeEquals(computedBodySha, params.bodyShaHeader)) {
+        return { ok: false, code: 'INVALID_BODY_SHA', message: 'Body hash mismatch' };
+    }
+    return { ok: true };
+};
+const validateSignature = async (params) => {
+    const subtle = getSubtleOrNull();
+    if (subtle === null) {
+        return { ok: false, code: 'INVALID_SIGNATURE', message: 'WebCrypto is not available' };
+    }
+    const canonical = canonicalString({
+        method: params.method,
+        url: params.url,
+        timestampMs: params.timestampMs,
+        nonce: params.nonce,
+        bodySha256Hex: params.bodySha,
+    });
+    const key = await subtle.importKey('raw', toBytes(params.secret), { name: 'HMAC', hash: 'SHA-256' }, false, ['sign']);
+    const expectedBytes = await subtle.sign('HMAC', key, toBytes(canonical));
+    const expected = toHex(expectedBytes);
+    if (!timingSafeEquals(expected, params.signature)) {
+        return { ok: false, code: 'INVALID_SIGNATURE', message: 'Invalid signature' };
+    }
+    return { ok: true };
+};
+export const SignedRequest = Object.freeze({
+    sha256Hex,
+    canonicalString,
+    async verify(params) {
+        const parsed = parseAndValidateHeaders(params.headers);
+        if (parsed.ok === false)
+            return parsed;
+        const { keyId, timestampMs, nonce, bodySha, signature } = parsed;
+        const nowMs = params.nowMs ?? Date.now();
+        const windowMs = params.windowMs ?? 60_000;
+        const windowCheck = validateTimestampWindow({ nowMs, timestampMs, windowMs });
+        if (windowCheck.ok === false)
+            return windowCheck;
+        const bodyCheck = await validateBodyHash({ body: params.body ?? '', bodyShaHeader: bodySha });
+        if (bodyCheck.ok === false)
+            return bodyCheck;
+        const secret = await params.getSecretForKeyId(keyId);
+        if (secret === undefined || secret.trim() === '') {
+            return { ok: false, code: 'UNKNOWN_KEY', message: 'Unknown key id' };
+        }
+        const sigCheck = await validateSignature({
+            method: params.method,
+            url: params.url,
+            timestampMs,
+            nonce,
+            bodySha,
+            signature,
+            secret,
+        });
+        if (sigCheck.ok === false)
+            return sigCheck;
+        if (params.verifyNonce !== undefined) {
+            const ok = await params.verifyNonce(keyId, nonce, windowMs);
+            if (ok === false) {
+                return { ok: false, code: 'REPLAYED', message: 'Nonce replayed or rejected' };
+            }
+        }
+        return { ok: true, keyId, timestampMs, nonce };
+    },
+});

package/dist/build-manifest.json

@@ -0,0 +1,45 @@
+{
+  "name": "@zintrust/cloudflare-kv-proxy",
+  "version": "0.7.9",
+  "buildDate": "2026-04-20T20:59:45.308Z",
+  "buildEnvironment": {
+    "node": "v22.22.1",
+    "platform": "darwin",
+    "arch": "arm64"
+  },
+  "git": {
+    "commit": "e04d1cae",
+    "branch": "release"
+  },
+  "package": {
+    "engines": {
+      "node": ">=20.0.0"
+    },
+    "dependencies": [],
+    "peerDependencies": [
+      "@zintrust/core"
+    ]
+  },
+  "files": {
+    "SignedRequest.d.ts": {
+      "size": 1270,
+      "sha256": "961adc3b27574e480dfaa478b20e5fae421f59500b3fcdf2e10414550a963f6f"
+    },
+    "SignedRequest.js": {
+      "size": 5398,
+      "sha256": "5be1bc4b1ad88b1980c28e5ca45c1e564f44466bd5d0cda8bc07403031ce87a1"
+    },
+    "build-manifest.json": {
+      "size": 1112,
+      "sha256": "16ecf8e9daae610fd9d1fc8367fe00c315e3c93ffa9e79d6b884fbfb04213982"
+    },
+    "index.d.ts": {
+      "size": 1352,
+      "sha256": "549fb10f7f52c85ed38ee9f6627c43579b77b164f2791747b5daa760e50aab53"
+    },
+    "index.js": {
+      "size": 12757,
+      "sha256": "d2db5b641bc317c4296d81e90f72aa45d8fa460a2c94129f613cad3ee3aacdbd"
+    }
+  }
+}

package/dist/index.d.ts

@@ -0,0 +1,43 @@
+type KVNamespacePutOptions = {
+    expirationTtl?: number;
+};
+type KvGetType = 'text' | 'json' | 'arrayBuffer';
+type KVListResult = {
+    keys: Array<{
+        name: string;
+    }>;
+    cursor: string;
+    list_complete: boolean;
+};
+type KVNamespace = {
+    get: {
+        (key: string): Promise<string | null>;
+        (key: string, type: 'json'): Promise<unknown | null>;
+        (key: string, type: 'arrayBuffer'): Promise<ArrayBuffer | null>;
+        (key: string, type: KvGetType): Promise<unknown | ArrayBuffer | string | null>;
+    };
+    put: (key: string, value: string, options?: KVNamespacePutOptions) => Promise<void>;
+    delete: (key: string) => Promise<void>;
+    list: (options: {
+        prefix?: string;
+        limit?: number;
+        cursor?: string;
+    }) => Promise<KVListResult>;
+};
+type KvEnv = {
+    CACHE?: KVNamespace;
+    KV_NAMESPACE?: string;
+    APP_KEY?: string;
+    KV_REMOTE_SECRET?: string;
+    ZT_PROXY_SIGNING_WINDOW_MS?: string;
+    ZT_NONCES?: KVNamespace;
+    ZT_MAX_BODY_BYTES?: string;
+    ZT_KV_PREFIX?: string;
+    ZT_KV_LIST_LIMIT?: string;
+};
+export declare const ZintrustKvProxy: Readonly<{
+    _ZINTRUST_CLOUDFLARE_KV_PROXY_VERSION: "0.1.15";
+    _ZINTRUST_CLOUDFLARE_KV_PROXY_BUILD_DATE: "__BUILD_DATE__";
+    fetch(request: Request, env: KvEnv): Promise<Response>;
+}>;
+export default ZintrustKvProxy;

package/dist/index.js

@@ -0,0 +1,336 @@
+/**
+ * @zintrust/cloudflare-kv-proxy v0.7.9
+ *
+ * Cloudflare KV proxy package for ZinTrust.
+ *
+ * Build Information:
+ *   Built: 2026-04-20T20:59:45.237Z
+ *   Node: >=20.0.0
+ *   License: MIT
+ *
+ */
+import { ErrorHandler, RequestValidator, SigningService } from '@zintrust/core/proxy';
+const DEFAULT_SIGNING_WINDOW_MS = 60_000;
+const DEFAULT_MAX_BODY_BYTES = 128 * 1024;
+const DEFAULT_LIST_LIMIT = 100;
+const json = (status, body) => {
+    return new Response(JSON.stringify(body), {
+        status,
+        headers: {
+            'Content-Type': 'application/json; charset=utf-8',
+            'Cache-Control': 'no-store',
+        },
+    });
+};
+const toErrorResponse = (status, code, message) => {
+    const error = ErrorHandler.toProxyError(status, code, message);
+    return json(error.status, error.body);
+};
+const getEnvInt = (env, name, fallback) => {
+    const raw = env[name];
+    if (typeof raw !== 'string')
+        return fallback;
+    const parsed = Number.parseInt(raw, 10);
+    return Number.isFinite(parsed) ? parsed : fallback;
+};
+const isRecord = (value) => typeof value === 'object' && value !== null;
+const isString = (value) => typeof value === 'string';
+const normalizeBindingName = (value) => {
+    if (!isString(value))
+        return null;
+    const trimmed = value.trim();
+    return trimmed === '' ? null : trimmed;
+};
+const readBodyBytes = async (request, maxBytes) => {
+    const buf = await request.arrayBuffer();
+    if (buf.byteLength > maxBytes) {
+        return {
+            ok: false,
+            response: toErrorResponse(413, 'PAYLOAD_TOO_LARGE', 'Body too large'),
+        };
+    }
+    const bytes = new Uint8Array(buf);
+    const text = new TextDecoder().decode(bytes);
+    return { ok: true, bytes, text };
+};
+const parseOptionalJson = (text) => {
+    if (text.trim() === '')
+        return { ok: true, payload: null };
+    const parsed = RequestValidator.parseJson(text);
+    if (!parsed.ok) {
+        // Type guard: we know parsed has 'error' property when ok is false
+        const errorResult = parsed;
+        let message = errorResult.error.message;
+        if (errorResult.error.code === 'INVALID_JSON') {
+            message = 'Invalid JSON body';
+        }
+        else if (errorResult.error.code === 'VALIDATION_ERROR') {
+            message = 'Invalid body';
+        }
+        return { ok: false, response: toErrorResponse(400, errorResult.error.code, message) };
+    }
+    // Type guard: we know parsed has 'value' property when ok is true
+    const successResult = parsed;
+    return { ok: true, payload: successResult.value };
+};
+const loadSigningSecret = (env) => {
+    const direct = typeof env.KV_REMOTE_SECRET === 'string' ? env.KV_REMOTE_SECRET.trim() : '';
+    if (direct !== '')
+        return direct;
+    const fallback = typeof env.APP_KEY === 'string' ? env.APP_KEY.trim() : '';
+    if (fallback !== '')
+        return fallback;
+    return null;
+};
+const verifyNonceKv = async (kv, keyId, nonce, ttlMs) => {
+    const ttlSeconds = Math.max(1, Math.ceil(ttlMs / 1000));
+    const storageKey = `nonce:${keyId}:${nonce}`;
+    const existing = await kv.get(storageKey);
+    if (existing !== null)
+        return false;
+    await kv.put(storageKey, '1', { expirationTtl: ttlSeconds });
+    return true;
+};
+const verifySignedRequest = async (request, env, bodyBytes) => {
+    const secret = loadSigningSecret(env);
+    if (secret === null) {
+        return toErrorResponse(500, 'CONFIG_ERROR', 'Missing signing secret (KV_REMOTE_SECRET or APP_KEY)');
+    }
+    const windowMs = getEnvInt(env, 'ZT_PROXY_SIGNING_WINDOW_MS', DEFAULT_SIGNING_WINDOW_MS);
+    const verifyResult = await SigningService.verifyWithKeyProvider({
+        method: request.method,
+        url: request.url,
+        body: bodyBytes,
+        headers: request.headers,
+        windowMs,
+        getSecretForKeyId: async (_keyId) => secret,
+        verifyNonce: env.ZT_NONCES === undefined
+            ? undefined
+            : async (keyId, nonce, ttlMs) => verifyNonceKv(env.ZT_NONCES, keyId, nonce, ttlMs),
+    });
+    if (verifyResult.ok === false) {
+        return toErrorResponse(verifyResult.status, verifyResult.code, verifyResult.message);
+    }
+    return { ok: true };
+};
+const requireCache = (env) => {
+    if (env.CACHE !== undefined && env.CACHE !== null)
+        return env.CACHE;
+    const bindingName = normalizeBindingName(env.KV_NAMESPACE);
+    if (bindingName !== null) {
+        const record = env;
+        const kv = record[bindingName];
+        if (kv !== undefined && kv !== null)
+            return kv;
+    }
+    return toErrorResponse(500, 'CONFIG_ERROR', 'Missing KV binding (CACHE)');
+};
+const normalizeNamespace = (value) => {
+    if (!isString(value))
+        return undefined;
+    const trimmed = value.trim();
+    return trimmed === '' ? undefined : trimmed;
+};
+const buildStorageKey = (env, params) => {
+    const prefix = typeof env.ZT_KV_PREFIX === 'string' ? env.ZT_KV_PREFIX : '';
+    const ns = normalizeNamespace(params.namespace);
+    const parts = [];
+    if (prefix.trim() !== '')
+        parts.push(prefix.trim());
+    if (ns !== undefined)
+        parts.push(ns);
+    parts.push(params.key);
+    return parts.join(':');
+};
+const readAndVerifyJson = async (request, env) => {
+    const maxBodyBytes = getEnvInt(env, 'ZT_MAX_BODY_BYTES', DEFAULT_MAX_BODY_BYTES);
+    const bodyResult = await readBodyBytes(request, maxBodyBytes);
+    if (bodyResult.ok === false)
+        return { ok: false, response: bodyResult.response };
+    const auth = await verifySignedRequest(request, env, bodyResult.bytes);
+    if (auth instanceof Response)
+        return { ok: false, response: auth };
+    const parsed = parseOptionalJson(bodyResult.text);
+    if (parsed.ok === false)
+        return { ok: false, response: parsed.response };
+    return { ok: true, payload: parsed.payload, bodyBytes: bodyResult.bytes };
+};
+const parseGetPayload = (payload) => {
+    if (!isRecord(payload)) {
+        return {
+            ok: false,
+            response: toErrorResponse(400, 'VALIDATION_ERROR', 'Invalid body'),
+        };
+    }
+    const key = payload['key'];
+    const type = payload['type'];
+    if (!isString(key) || key.trim() === '') {
+        return {
+            ok: false,
+            response: toErrorResponse(400, 'VALIDATION_ERROR', 'key is required'),
+        };
+    }
+    const typeValue = type === 'text' || type === 'arrayBuffer' || type === 'json' ? type : 'text';
+    return { ok: true, namespace: normalizeNamespace(payload['namespace']), key, type: typeValue };
+};
+const handleGet = async (request, env) => {
+    const check = await readAndVerifyJson(request, env);
+    if (check.ok === false)
+        return check.response;
+    const cache = requireCache(env);
+    if (cache instanceof Response)
+        return cache;
+    const parsed = parseGetPayload(check.payload);
+    if (parsed.ok === false)
+        return parsed.response;
+    const storageKey = buildStorageKey(env, { namespace: parsed.namespace, key: parsed.key });
+    if (parsed.type === 'json') {
+        const value = await cache.get(storageKey, 'json');
+        return json(200, { value: value ?? null });
+    }
+    if (parsed.type === 'arrayBuffer') {
+        const value = await cache.get(storageKey, 'arrayBuffer');
+        return json(200, { value: value ?? null });
+    }
+    const value = await cache.get(storageKey);
+    return json(200, { value: value ?? null });
+};
+const parsePutPayload = (payload) => {
+    if (!isRecord(payload)) {
+        return {
+            ok: false,
+            response: toErrorResponse(400, 'VALIDATION_ERROR', 'Invalid body'),
+        };
+    }
+    const key = payload['key'];
+    if (!isString(key) || key.trim() === '') {
+        return {
+            ok: false,
+            response: toErrorResponse(400, 'VALIDATION_ERROR', 'key is required'),
+        };
+    }
+    const ttlSeconds = payload['ttlSeconds'];
+    const ttl = typeof ttlSeconds === 'number' && Number.isFinite(ttlSeconds) && ttlSeconds > 0
+        ? ttlSeconds
+        : undefined;
+    return {
+        ok: true,
+        namespace: normalizeNamespace(payload['namespace']),
+        key,
+        value: payload['value'],
+        ttlSeconds: ttl,
+    };
+};
+const handlePut = async (request, env) => {
+    const check = await readAndVerifyJson(request, env);
+    if (check.ok === false)
+        return check.response;
+    const cache = requireCache(env);
+    if (cache instanceof Response)
+        return cache;
+    const parsed = parsePutPayload(check.payload);
+    if (parsed.ok === false)
+        return parsed.response;
+    const storageKey = buildStorageKey(env, { namespace: parsed.namespace, key: parsed.key });
+    const value = JSON.stringify(parsed.value);
+    const options = {};
+    if (parsed.ttlSeconds !== undefined) {
+        options.expirationTtl = Math.floor(parsed.ttlSeconds);
+    }
+    await cache.put(storageKey, value, options);
+    return json(200, { ok: true });
+};
+const parseDeletePayload = (payload) => {
+    if (!isRecord(payload)) {
+        return {
+            ok: false,
+            response: toErrorResponse(400, 'VALIDATION_ERROR', 'Invalid body'),
+        };
+    }
+    const key = payload['key'];
+    if (!isString(key) || key.trim() === '') {
+        return {
+            ok: false,
+            response: toErrorResponse(400, 'VALIDATION_ERROR', 'key is required'),
+        };
+    }
+    return { ok: true, namespace: normalizeNamespace(payload['namespace']), key };
+};
+const handleDelete = async (request, env) => {
+    const check = await readAndVerifyJson(request, env);
+    if (check.ok === false)
+        return check.response;
+    const cache = requireCache(env);
+    if (cache instanceof Response)
+        return cache;
+    const parsed = parseDeletePayload(check.payload);
+    if (parsed.ok === false)
+        return parsed.response;
+    const storageKey = buildStorageKey(env, { namespace: parsed.namespace, key: parsed.key });
+    await cache.delete(storageKey);
+    return json(200, { ok: true });
+};
+const parseListPayload = (payload) => {
+    if (payload === null)
+        return { ok: true, params: {} };
+    if (!isRecord(payload)) {
+        return {
+            ok: false,
+            response: toErrorResponse(400, 'VALIDATION_ERROR', 'Invalid body'),
+        };
+    }
+    const namespace = normalizeNamespace(payload['namespace']);
+    const prefix = isString(payload['prefix']) ? payload['prefix'] : undefined;
+    const cursor = isString(payload['cursor']) ? payload['cursor'] : undefined;
+    const limitRaw = payload['limit'];
+    const limitParsed = typeof limitRaw === 'number' && Number.isFinite(limitRaw) ? Math.floor(limitRaw) : undefined;
+    return { ok: true, params: { namespace, prefix, cursor, limit: limitParsed } };
+};
+const handleList = async (request, env) => {
+    const check = await readAndVerifyJson(request, env);
+    if (check.ok === false)
+        return check.response;
+    const cache = requireCache(env);
+    if (cache instanceof Response)
+        return cache;
+    const parsed = parseListPayload(check.payload);
+    if (parsed.ok === false)
+        return parsed.response;
+    const envLimit = getEnvInt(env, 'ZT_KV_LIST_LIMIT', DEFAULT_LIST_LIMIT);
+    const requested = parsed.params.limit ?? envLimit;
+    const limit = Math.max(1, Math.min(requested, envLimit));
+    const prefixKey = parsed.params.prefix;
+    const nsPrefix = normalizeNamespace(parsed.params.namespace);
+    const basePrefix = buildStorageKey(env, { namespace: nsPrefix, key: '' });
+    const fullPrefix = prefixKey === undefined ? basePrefix : `${basePrefix}${prefixKey}`;
+    const out = await cache.list({ prefix: fullPrefix, limit, cursor: parsed.params.cursor });
+    return json(200, {
+        keys: out.keys.map((k) => k.name),
+        cursor: out.cursor,
+        listComplete: out.list_complete,
+    });
+};
+export const ZintrustKvProxy = Object.freeze({
+    _ZINTRUST_CLOUDFLARE_KV_PROXY_VERSION: '0.1.15',
+    _ZINTRUST_CLOUDFLARE_KV_PROXY_BUILD_DATE: '2026-04-20T20:59:45.272Z',
+    async fetch(request, env) {
+        const url = new URL(request.url);
+        const methodError = RequestValidator.requirePost(request.method);
+        if (methodError !== null) {
+            return toErrorResponse(405, methodError.code, 'Method not allowed');
+        }
+        switch (url.pathname) {
+            case '/zin/kv/get':
+                return handleGet(request, env);
+            case '/zin/kv/put':
+                return handlePut(request, env);
+            case '/zin/kv/delete':
+                return handleDelete(request, env);
+            case '/zin/kv/list':
+                return handleList(request, env);
+            default:
+                return toErrorResponse(404, 'NOT_FOUND', 'Not found');
+        }
+    },
+});
+export default ZintrustKvProxy;

package/package.json

@@ -0,0 +1,36 @@
+{
+  "name": "@zintrust/cloudflare-kv-proxy",
+  "version": "0.7.9",
+  "description": "Cloudflare KV proxy package for ZinTrust.",
+  "type": "module",
+  "private": false,
+  "exports": {
+    ".": {
+      "types": "./dist/index.d.ts",
+      "default": "./dist/index.js"
+    }
+  },
+  "files": [
+    "dist"
+  ],
+  "engines": {
+    "node": ">=20.0.0"
+  },
+  "publishConfig": {
+    "access": "public"
+  },
+  "peerDependencies": {
+    "@zintrust/core": "^0.7.9"
+  },
+  "keywords": [
+    "zintrust",
+    "cloudflare",
+    "kv",
+    "proxy",
+    "workers"
+  ],
+  "scripts": {
+    "build": "tsc -p tsconfig.json && tsc-alias -p tsconfig.json",
+    "type-check": "tsc -p tsconfig.json --noEmit"
+  }
+}