@zintrust/core 0.1.11 → 0.1.12

package/src/orm/adapters/D1RemoteAdapter.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"D1RemoteAdapter.d.ts","sourceRoot":"","sources":["../../../../src/orm/adapters/D1RemoteAdapter.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAKH,OAAO,KAAK,EAAE,cAAc,EAAE,gBAAgB,EAAe,MAAM,sBAAsB,CAAC;AA+I1F,eAAO,MAAM,eAAe;oBACV,cAAc,GAAG,gBAAgB;EA+EjD,CAAC;AAEH,eAAe,eAAe,CAAC"}

package/src/orm/adapters/D1RemoteAdapter.js

@@ -0,0 +1,162 @@
+/**
+ * D1 Remote Database Adapter
+ *
+ * Calls a Zintrust Cloudflare Worker proxy over HTTPS.
+ */
+import { RemoteSignedJson } from '../../common/RemoteSignedJson.js';
+import { Env } from '../../config/env.js';
+import { ErrorFactory } from '../../exceptions/ZintrustError.js';
+import { QueryBuilder } from '../QueryBuilder.js';
+import { SignedRequest } from '../../security/SignedRequest.js';
+const createRemoteConfig = () => {
+    const settings = {
+        baseUrl: Env.get('D1_REMOTE_URL'),
+        keyId: Env.get('D1_REMOTE_KEY_ID'),
+        secret: Env.get('D1_REMOTE_SECRET'),
+        mode: Env.get('D1_REMOTE_MODE', 'registry') ?? 'registry',
+        timeoutMs: Env.getInt('ZT_PROXY_TIMEOUT_MS', Env.REQUEST_TIMEOUT),
+    };
+    const remote = {
+        baseUrl: settings.baseUrl,
+        keyId: settings.keyId,
+        secret: settings.secret,
+        timeoutMs: settings.timeoutMs,
+        missingUrlMessage: 'D1 remote proxy URL is missing (D1_REMOTE_URL)',
+        missingCredentialsMessage: 'D1 remote signing credentials are missing (D1_REMOTE_KEY_ID / D1_REMOTE_SECRET)',
+        messages: {
+            unauthorized: 'D1 remote proxy unauthorized',
+            forbidden: 'D1 remote proxy forbidden',
+            rateLimited: 'D1 remote proxy rate limited',
+            rejected: 'D1 remote proxy rejected request',
+            error: 'D1 remote proxy error',
+            timedOut: 'D1 remote proxy request timed out',
+        },
+    };
+    return { mode: settings.mode, remote };
+};
+const isMutatingSql = (sql) => {
+    const s = sql.trimStart().toLowerCase();
+    return (s.startsWith('insert') ||
+        s.startsWith('update') ||
+        s.startsWith('delete') ||
+        s.startsWith('create') ||
+        s.startsWith('drop') ||
+        s.startsWith('alter') ||
+        s.startsWith('replace'));
+};
+const createStatementPayload = async (sql, parameters) => {
+    const statementId = await SignedRequest.sha256Hex(sql);
+    return { statementId, params: parameters };
+};
+const isRecord = (value) => typeof value === 'object' && value !== null;
+const isQueryResponse = (value) => isRecord(value) &&
+    Array.isArray(value['rows']) &&
+    typeof value['rowCount'] === 'number' &&
+    value['rows'].every((r) => isRecord(r));
+const isQueryOneResponse = (value) => isRecord(value) && 'row' in value && (value['row'] === null || isRecord(value['row']));
+const getExecChanges = (value) => {
+    if (!isRecord(value) || typeof value['ok'] !== 'boolean')
+        return 0;
+    const meta = value['meta'];
+    if (!isRecord(meta) || typeof meta['changes'] !== 'number')
+        return 0;
+    return meta['changes'];
+};
+const queryRegistry = async (settings, sql, parameters) => {
+    const payload = await createStatementPayload(sql, parameters);
+    const out = await RemoteSignedJson.request(settings, '/zin/d1/statement', payload);
+    if (isQueryResponse(out)) {
+        return { rows: out.rows, rowCount: out.rowCount };
+    }
+    if (isQueryOneResponse(out)) {
+        const row = out.row;
+        return { rows: row ? [row] : [], rowCount: row ? 1 : 0 };
+    }
+    return { rows: [], rowCount: getExecChanges(out) };
+};
+const querySqlMode = async (settings, sql, parameters) => {
+    if (isMutatingSql(sql)) {
+        const out = await RemoteSignedJson.request(settings, '/zin/d1/exec', {
+            sql,
+            params: parameters,
+        });
+        return { rows: [], rowCount: getExecChanges(out) };
+    }
+    const out = await RemoteSignedJson.request(settings, '/zin/d1/query', {
+        sql,
+        params: parameters,
+    });
+    return { rows: out.rows, rowCount: out.rowCount };
+};
+export const D1RemoteAdapter = Object.freeze({
+    create(_config) {
+        let connected = false;
+        const { mode, remote } = createRemoteConfig();
+        return {
+            // eslint-disable-next-line @typescript-eslint/require-await
+            async connect() {
+                connected = true;
+            },
+            // eslint-disable-next-line @typescript-eslint/require-await
+            async disconnect() {
+                connected = false;
+            },
+            async query(sql, parameters) {
+                if (!connected)
+                    throw ErrorFactory.createConnectionError('Database not connected');
+                if (mode === 'registry') {
+                    return queryRegistry(remote, sql, parameters);
+                }
+                return querySqlMode(remote, sql, parameters);
+            },
+            async queryOne(sql, parameters) {
+                if (!connected)
+                    throw ErrorFactory.createConnectionError('Database not connected');
+                if (mode === 'registry') {
+                    const payload = await createStatementPayload(sql, parameters);
+                    const out = await RemoteSignedJson.request(remote, '/zin/d1/statement', payload);
+                    if (isQueryOneResponse(out))
+                        return out.row;
+                    if (isQueryResponse(out))
+                        return out.rows[0] ?? null;
+                    return null;
+                }
+                const out = await RemoteSignedJson.request(remote, '/zin/d1/queryOne', {
+                    sql,
+                    params: parameters,
+                });
+                return out.row;
+            },
+            async ping() {
+                if (!connected)
+                    throw ErrorFactory.createConnectionError('Database not connected');
+                const sql = QueryBuilder.create('').select('1').toSQL();
+                await this.queryOne(sql, []);
+            },
+            async transaction(callback) {
+                if (!connected)
+                    throw ErrorFactory.createConnectionError('Database not connected');
+                try {
+                    return await callback(this);
+                }
+                catch (error) {
+                    throw ErrorFactory.createTryCatchError('Transaction failed', error);
+                }
+            },
+            async rawQuery(sql, parameters = []) {
+                const out = await this.query(sql, parameters);
+                return out.rows;
+            },
+            getType() {
+                return 'd1-remote';
+            },
+            isConnected() {
+                return connected;
+            },
+            getPlaceholder(_index) {
+                return '?';
+            },
+        };
+    },
+});
+export default D1RemoteAdapter;

package/src/runtime/PluginRegistry.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"PluginRegistry.d.ts","sourceRoot":"","sources":["../../../src/runtime/PluginRegistry.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,MAAM,WAAW,gBAAgB;IAC/B,IAAI,EAAE,MAAM,CAAC;IACb,WAAW,EAAE,MAAM,CAAC;IACpB,IAAI,EAAE,kBAAkB,GAAG,SAAS,GAAG,QAAQ,CAAC;IAChD,OAAO,EAAE,MAAM,EAAE,CAAC;IAClB,YAAY,EAAE,MAAM,EAAE,CAAC;IACvB,eAAe,EAAE,MAAM,EAAE,CAAC;IAC1B;;;OAGG;IACH,WAAW,CAAC,EAAE,MAAM,EAAE,CAAC;IACvB,SAAS,EAAE;QACT,MAAM,EAAE,MAAM,CAAC;QACf,WAAW,EAAE,MAAM,CAAC;KACrB,EAAE,CAAC;IACJ,WAAW,CAAC,EAAE;QACZ,OAAO,CAAC,EAAE,MAAM,CAAC;QACjB,OAAO,CAAC,EAAE,MAAM,CAAC;KAClB,CAAC;CACH;AAED,eAAO,MAAM,cAAc,EAAE,MAAM,CAAC,MAAM,EAAE,gBAAgB,CA8G3D,CAAC"}
+{"version":3,"file":"PluginRegistry.d.ts","sourceRoot":"","sources":["../../../src/runtime/PluginRegistry.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,MAAM,WAAW,gBAAgB;IAC/B,IAAI,EAAE,MAAM,CAAC;IACb,WAAW,EAAE,MAAM,CAAC;IACpB,IAAI,EAAE,kBAAkB,GAAG,SAAS,GAAG,QAAQ,CAAC;IAChD,OAAO,EAAE,MAAM,EAAE,CAAC;IAClB,YAAY,EAAE,MAAM,EAAE,CAAC;IACvB,eAAe,EAAE,MAAM,EAAE,CAAC;IAC1B;;;OAGG;IACH,WAAW,CAAC,EAAE,MAAM,EAAE,CAAC;IACvB,SAAS,EAAE;QACT,MAAM,EAAE,MAAM,CAAC;QACf,WAAW,EAAE,MAAM,CAAC;KACrB,EAAE,CAAC;IACJ,WAAW,CAAC,EAAE;QACZ,OAAO,CAAC,EAAE,MAAM,CAAC;QACjB,OAAO,CAAC,EAAE,MAAM,CAAC;KAClB,CAAC;CACH;AA2DD,eAAO,MAAM,cAAc,EAAE,MAAM,CAAC,MAAM,EAAE,gBAAgB,CAmJ3D,CAAC"}

package/src/runtime/PluginRegistry.js

@@ -2,6 +2,37 @@
  * Plugin Registry
  * Defines available plugins, their dependencies, and template paths.
  */
+const feature = (config) => ({
+    name: config.name,
+    description: config.description,
+    type: 'feature',
+    aliases: config.aliases,
+    dependencies: config.dependencies ?? [],
+    devDependencies: config.devDependencies ?? [],
+    autoImports: config.autoImports,
+    templates: config.templates,
+    postInstall: config.postInstall,
+});
+const driver = (config) => ({
+    name: config.name,
+    description: config.description,
+    type: 'driver',
+    aliases: config.aliases,
+    dependencies: config.dependencies,
+    devDependencies: [],
+    autoImports: config.autoImports,
+    templates: [],
+});
+const adapter = (config) => ({
+    name: config.name,
+    description: config.description,
+    type: 'database-adapter',
+    aliases: config.aliases,
+    dependencies: [config.dependency],
+    devDependencies: [],
+    autoImports: [config.autoImport],
+    templates: [],
+});
 export const PluginRegistry = {
     'feature:auth': {
         name: 'Authentication Feature',
@@ -20,96 +51,133 @@ export const PluginRegistry = {
             message: 'Authentication installed! Please add JWT_SECRET to your .env file.',
         },
     },
-    'feature:queue': {
+    'feature:queue': feature({
         name: 'Queue Feature',
         description: 'Simple job queue interface (In-Memory default)',
-        type: 'feature',
         aliases: ['f:queue', 'queue'],
-        dependencies: [],
-        devDependencies: [],
         templates: [
             {
                 source: 'features/Queue.ts.tpl',
                 destination: 'src/features/Queue.ts',
             },
         ],
-    },
-    'driver:queue-redis': {
+    }),
+    'driver:queue-redis': driver({
         name: 'Redis Queue Driver',
-        description: 'Redis-backed queue driver (installs redis client dependency)',
-        type: 'driver',
+        description: 'Redis-backed queue driver (installs @zintrust/queue-redis)',
         aliases: ['queue:redis'],
-        dependencies: ['redis'],
-        devDependencies: [],
-        templates: [],
-    },
-    'driver:broadcast-redis': {
+        dependencies: ['@zintrust/queue-redis'],
+        autoImports: ['@zintrust/queue-redis/register'],
+    }),
+    'driver:queue-rabbitmq': driver({
+        name: 'RabbitMQ Queue Driver',
+        description: 'RabbitMQ-backed queue driver (installs @zintrust/queue-rabbitmq)',
+        aliases: ['queue:rabbitmq', 'queue:amqp'],
+        dependencies: ['@zintrust/queue-rabbitmq', 'amqplib'],
+        autoImports: ['@zintrust/queue-rabbitmq/register'],
+    }),
+    'driver:queue-sqs': driver({
+        name: 'AWS SQS Queue Driver',
+        description: 'SQS-backed queue driver (installs @zintrust/queue-sqs)',
+        aliases: ['queue:sqs'],
+        dependencies: ['@zintrust/queue-sqs', '@aws-sdk/client-sqs'],
+        autoImports: ['@zintrust/queue-sqs/register'],
+    }),
+    'driver:broadcast-redis': driver({
         name: 'Redis Broadcast Driver',
         description: 'Redis-backed broadcast driver (installs redis client dependency)',
-        type: 'driver',
         aliases: ['broadcast:redis'],
         dependencies: ['redis'],
-        devDependencies: [],
-        templates: [],
-    },
-    'driver:cache-redis': {
+    }),
+    'driver:cache-redis': driver({
         name: 'Redis Cache Driver',
         description: 'Redis-backed cache driver (installs @zintrust/cache-redis)',
-        type: 'driver',
         aliases: ['cache:redis'],
         dependencies: ['@zintrust/cache-redis'],
-        devDependencies: [],
         autoImports: ['@zintrust/cache-redis/register'],
-        templates: [],
-    },
-    'driver:mail-nodemailer': {
+    }),
+    'driver:cache-mongodb': driver({
+        name: 'MongoDB Cache Driver',
+        description: 'MongoDB Atlas Data API cache driver (installs @zintrust/cache-mongodb)',
+        aliases: ['cache:mongodb', 'cache:mongo'],
+        dependencies: ['@zintrust/cache-mongodb'],
+        autoImports: ['@zintrust/cache-mongodb/register'],
+    }),
+    'driver:mail-nodemailer': driver({
         name: 'Nodemailer Mail Driver',
         description: 'Nodemailer-based mail driver (installs @zintrust/mail-nodemailer)',
-        type: 'driver',
         aliases: ['mail:nodemailer'],
         dependencies: ['@zintrust/mail-nodemailer'],
-        devDependencies: [],
         autoImports: ['@zintrust/mail-nodemailer/register'],
-        templates: [],
-    },
-    'adapter:postgres': {
+    }),
+    'driver:mail-smtp': driver({
+        name: 'SMTP Mail Driver',
+        description: 'SMTP mail driver (installs @zintrust/mail-smtp)',
+        aliases: ['mail:smtp'],
+        dependencies: ['@zintrust/mail-smtp'],
+        autoImports: ['@zintrust/mail-smtp/register'],
+    }),
+    'driver:mail-sendgrid': driver({
+        name: 'SendGrid Mail Driver',
+        description: 'SendGrid mail driver (installs @zintrust/mail-sendgrid)',
+        aliases: ['mail:sendgrid'],
+        dependencies: ['@zintrust/mail-sendgrid'],
+        autoImports: ['@zintrust/mail-sendgrid/register'],
+    }),
+    'driver:mail-mailgun': driver({
+        name: 'Mailgun Mail Driver',
+        description: 'Mailgun mail driver (installs @zintrust/mail-mailgun)',
+        aliases: ['mail:mailgun'],
+        dependencies: ['@zintrust/mail-mailgun'],
+        autoImports: ['@zintrust/mail-mailgun/register'],
+    }),
+    'driver:storage-s3': driver({
+        name: 'S3 Storage Driver',
+        description: 'S3 storage driver (installs @zintrust/storage-s3)',
+        aliases: ['storage:s3'],
+        dependencies: ['@zintrust/storage-s3'],
+        autoImports: ['@zintrust/storage-s3/register'],
+    }),
+    'driver:storage-r2': driver({
+        name: 'R2 Storage Driver',
+        description: 'Cloudflare R2 storage driver (installs @zintrust/storage-r2)',
+        aliases: ['storage:r2'],
+        dependencies: ['@zintrust/storage-r2'],
+        autoImports: ['@zintrust/storage-r2/register'],
+    }),
+    'driver:storage-gcs': driver({
+        name: 'GCS Storage Driver',
+        description: 'Google Cloud Storage driver (installs @zintrust/storage-gcs)',
+        aliases: ['storage:gcs'],
+        dependencies: ['@zintrust/storage-gcs', '@google-cloud/storage'],
+        autoImports: ['@zintrust/storage-gcs/register'],
+    }),
+    'adapter:postgres': adapter({
         name: 'PostgreSQL Adapter',
         description: 'Production-ready PostgreSQL database adapter using pg',
-        type: 'database-adapter',
         aliases: ['a:postgres', 'pg', 'db:postgres', 'postgresql', 'db:postgresql'],
-        dependencies: ['@zintrust/db-postgres'],
-        devDependencies: [],
-        autoImports: ['@zintrust/db-postgres/register'],
-        templates: [],
-    },
-    'adapter:mysql': {
+        dependency: '@zintrust/db-postgres',
+        autoImport: '@zintrust/db-postgres/register',
+    }),
+    'adapter:mysql': adapter({
         name: 'MySQL Adapter',
         description: 'Production-ready MySQL database adapter using mysql2',
-        type: 'database-adapter',
         aliases: ['a:mysql', 'mysql', 'db:mysql'],
-        dependencies: ['@zintrust/db-mysql'],
-        devDependencies: [],
-        autoImports: ['@zintrust/db-mysql/register'],
-        templates: [],
-    },
-    'adapter:mssql': {
+        dependency: '@zintrust/db-mysql',
+        autoImport: '@zintrust/db-mysql/register',
+    }),
+    'adapter:mssql': adapter({
         name: 'SQL Server Adapter',
         description: 'Production-ready SQL Server database adapter using mssql',
-        type: 'database-adapter',
         aliases: ['a:mssql', 'mssql', 'db:mssql'],
-        dependencies: ['@zintrust/db-sqlserver'],
-        devDependencies: [],
-        autoImports: ['@zintrust/db-sqlserver/register'],
-        templates: [],
-    },
-    'adapter:sqlite': {
+        dependency: '@zintrust/db-sqlserver',
+        autoImport: '@zintrust/db-sqlserver/register',
+    }),
+    'adapter:sqlite': adapter({
         name: 'SQLite Adapter',
-        description: 'Production-ready SQLite database adapter using better-sqlite3',
-        type: 'database-adapter',
+        description: 'SQLite database adapter using better-sqlite3',
         aliases: ['a:sqlite', 'sqlite', 'db:sqlite'],
-        dependencies: ['@zintrust/db-sqlite'],
-        devDependencies: [],
-        autoImports: ['@zintrust/db-sqlite/register'],
-        templates: [],
-    },
+        dependency: '@zintrust/db-sqlite',
+        autoImport: '@zintrust/db-sqlite/register',
+    }),
 };

package/src/security/SignedRequest.d.ts

@@ -0,0 +1,53 @@
+export type SignedRequestHeaders = {
+    'x-zt-key-id': string;
+    'x-zt-timestamp': string;
+    'x-zt-nonce': string;
+    'x-zt-body-sha256': string;
+    'x-zt-signature': string;
+};
+export type SignedRequestCreateHeadersParams = {
+    method: string;
+    url: string | URL;
+    body?: string | Uint8Array | null;
+    keyId: string;
+    secret: string;
+    timestampMs?: number;
+    nonce?: string;
+};
+export type SignedRequestVerifyParams = {
+    method: string;
+    url: string | URL;
+    body?: string | Uint8Array | null;
+    headers: Headers | Record<string, string | undefined>;
+    getSecretForKeyId: (keyId: string) => string | undefined | Promise<string | undefined>;
+    nowMs?: number;
+    windowMs?: number;
+    /**
+     * Optional replay protection hook.
+     * Return true if the nonce is accepted and stored; false if replayed/invalid.
+     */
+    verifyNonce?: (keyId: string, nonce: string, ttlMs: number) => Promise<boolean>;
+};
+export type SignedRequestVerifyResult = {
+    ok: true;
+    keyId: string;
+    timestampMs: number;
+    nonce: string;
+} | {
+    ok: false;
+    code: 'MISSING_HEADER' | 'INVALID_TIMESTAMP' | 'EXPIRED' | 'INVALID_BODY_SHA' | 'INVALID_SIGNATURE' | 'UNKNOWN_KEY' | 'REPLAYED';
+    message: string;
+};
+export declare const SignedRequest: Readonly<{
+    sha256Hex: (data: string | Uint8Array) => Promise<string>;
+    canonicalString: (params: {
+        method: string;
+        url: string | URL;
+        timestampMs: number;
+        nonce: string;
+        bodySha256Hex: string;
+    }) => string;
+    createHeaders(params: SignedRequestCreateHeadersParams): Promise<SignedRequestHeaders>;
+    verify(params: SignedRequestVerifyParams): Promise<SignedRequestVerifyResult>;
+}>;
+//# sourceMappingURL=SignedRequest.d.ts.map

package/src/security/SignedRequest.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"SignedRequest.d.ts","sourceRoot":"","sources":["../../../src/security/SignedRequest.ts"],"names":[],"mappings":"AAAA,MAAM,MAAM,oBAAoB,GAAG;IACjC,aAAa,EAAE,MAAM,CAAC;IACtB,gBAAgB,EAAE,MAAM,CAAC;IACzB,YAAY,EAAE,MAAM,CAAC;IACrB,kBAAkB,EAAE,MAAM,CAAC;IAC3B,gBAAgB,EAAE,MAAM,CAAC;CAC1B,CAAC;AAIF,MAAM,MAAM,gCAAgC,GAAG;IAC7C,MAAM,EAAE,MAAM,CAAC;IACf,GAAG,EAAE,MAAM,GAAG,GAAG,CAAC;IAClB,IAAI,CAAC,EAAE,MAAM,GAAG,UAAU,GAAG,IAAI,CAAC;IAClC,KAAK,EAAE,MAAM,CAAC;IACd,MAAM,EAAE,MAAM,CAAC;IACf,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB,CAAC;AAEF,MAAM,MAAM,yBAAyB,GAAG;IACtC,MAAM,EAAE,MAAM,CAAC;IACf,GAAG,EAAE,MAAM,GAAG,GAAG,CAAC;IAClB,IAAI,CAAC,EAAE,MAAM,GAAG,UAAU,GAAG,IAAI,CAAC;IAClC,OAAO,EAAE,OAAO,GAAG,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,SAAS,CAAC,CAAC;IACtD,iBAAiB,EAAE,CAAC,KAAK,EAAE,MAAM,KAAK,MAAM,GAAG,SAAS,GAAG,OAAO,CAAC,MAAM,GAAG,SAAS,CAAC,CAAC;IACvF,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB;;;OAGG;IACH,WAAW,CAAC,EAAE,CAAC,KAAK,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,KAAK,OAAO,CAAC,OAAO,CAAC,CAAC;CACjF,CAAC;AAEF,MAAM,MAAM,yBAAyB,GACjC;IACE,EAAE,EAAE,IAAI,CAAC;IACT,KAAK,EAAE,MAAM,CAAC;IACd,WAAW,EAAE,MAAM,CAAC;IACpB,KAAK,EAAE,MAAM,CAAC;CACf,GACD;IACE,EAAE,EAAE,KAAK,CAAC;IACV,IAAI,EACA,gBAAgB,GAChB,mBAAmB,GACnB,SAAS,GACT,kBAAkB,GAClB,mBAAmB,GACnB,aAAa,GACb,UAAU,CAAC;IACf,OAAO,EAAE,MAAM,CAAC;CACjB,CAAC;AAyFN,eAAO,MAAM,aAAa;sBAzBK,MAAM,GAAG,UAAU,KAAG,OAAO,CAAC,MAAM,CAAC;8BAKnC;QAC/B,MAAM,EAAE,MAAM,CAAC;QACf,GAAG,EAAE,MAAM,GAAG,GAAG,CAAC;QAClB,WAAW,EAAE,MAAM,CAAC;QACpB,KAAK,EAAE,MAAM,CAAC;QACd,aAAa,EAAE,MAAM,CAAC;KACvB,KAAG,MAAM;0BAiBoB,gCAAgC,GAAG,OAAO,CAAC,oBAAoB,CAAC;mBAuCvE,yBAAyB,GAAG,OAAO,CAAC,yBAAyB,CAAC;EAuCnF,CAAC"}

package/src/security/SignedRequest.js

@@ -0,0 +1,172 @@
+import { ErrorFactory } from '../exceptions/ZintrustError.js';
+const getHeader = (headers, name) => {
+    if (typeof headers.get === 'function') {
+        const value = headers.get(name);
+        return value ?? undefined;
+    }
+    return headers[name];
+};
+const timingSafeEquals = (a, b) => {
+    if (a.length !== b.length)
+        return false;
+    let result = 0;
+    for (let i = 0; i < a.length; i++) {
+        result |= (a.codePointAt(i) ?? 0) ^ (b.codePointAt(i) ?? 0);
+    }
+    return result === 0;
+};
+const getCrypto = () => {
+    if (typeof crypto === 'undefined' || crypto.subtle === undefined) {
+        // Some runtimes (or test environments) may not expose WebCrypto.
+        // Keep this as a typed Zintrust error to satisfy lint rules.
+        throw ErrorFactory.createSecurityError('WebCrypto is not available in this runtime');
+    }
+    return crypto;
+};
+const getSubtle = () => getCrypto().subtle;
+const toBytes = (data) => {
+    const bytes = typeof data === 'string' ? new TextEncoder().encode(data) : data;
+    return new Uint8Array(bytes);
+};
+const toHex = (bytes) => {
+    const view = bytes instanceof Uint8Array ? bytes : new Uint8Array(bytes);
+    let out = '';
+    for (const element of view) {
+        out += element.toString(16).padStart(2, '0');
+    }
+    return out;
+};
+const sha256Hex = async (data) => {
+    const digest = await getSubtle().digest('SHA-256', toBytes(data));
+    return toHex(digest);
+};
+const canonicalString = (params) => {
+    const u = typeof params.url === 'string' ? new URL(params.url) : params.url;
+    const method = params.method.toUpperCase();
+    // Keep URL pieces aligned with plan: pathname + search (including leading '?' or '').
+    return [
+        method,
+        u.pathname,
+        u.search,
+        String(params.timestampMs),
+        params.nonce,
+        params.bodySha256Hex,
+    ].join('\n');
+};
+export const SignedRequest = Object.freeze({
+    sha256Hex,
+    canonicalString,
+    async createHeaders(params) {
+        const timestampMs = params.timestampMs ?? Date.now();
+        const webCrypto = getCrypto();
+        const nonce = params.nonce ??
+            (typeof webCrypto.randomUUID === 'function'
+                ? webCrypto.randomUUID()
+                : toHex(webCrypto.getRandomValues(new Uint8Array(16))));
+        const body = params.body ?? '';
+        const bodySha = await sha256Hex(body);
+        const canonical = canonicalString({
+            method: params.method,
+            url: params.url,
+            timestampMs,
+            nonce,
+            bodySha256Hex: bodySha,
+        });
+        const subtle = getSubtle();
+        const key = await subtle.importKey('raw', toBytes(params.secret), { name: 'HMAC', hash: 'SHA-256' }, false, ['sign']);
+        const signatureBytes = await subtle.sign('HMAC', key, toBytes(canonical));
+        const signature = toHex(signatureBytes);
+        return {
+            'x-zt-key-id': params.keyId,
+            'x-zt-timestamp': String(timestampMs),
+            'x-zt-nonce': nonce,
+            'x-zt-body-sha256': bodySha,
+            'x-zt-signature': signature,
+        };
+    },
+    async verify(params) {
+        const parsed = parseAndValidateHeaders(params.headers);
+        if (parsed.ok === false)
+            return parsed;
+        const { keyId, timestampMs, nonce, bodySha, signature } = parsed;
+        const nowMs = params.nowMs ?? Date.now();
+        const windowMs = params.windowMs ?? 60_000;
+        const windowCheck = validateTimestampWindow({ nowMs, timestampMs, windowMs });
+        if (windowCheck.ok === false)
+            return windowCheck;
+        const bodyCheck = await validateBodyHash({ body: params.body ?? '', bodyShaHeader: bodySha });
+        if (bodyCheck.ok === false)
+            return bodyCheck;
+        const secret = await params.getSecretForKeyId(keyId);
+        if (secret === undefined || secret.trim() === '') {
+            return { ok: false, code: 'UNKNOWN_KEY', message: 'Unknown key id' };
+        }
+        const sigCheck = await validateSignature({
+            method: params.method,
+            url: params.url,
+            timestampMs,
+            nonce,
+            bodySha,
+            signature,
+            secret,
+        });
+        if (sigCheck.ok === false)
+            return sigCheck;
+        if (params.verifyNonce !== undefined) {
+            const ok = await params.verifyNonce(keyId, nonce, windowMs);
+            if (ok === false) {
+                return { ok: false, code: 'REPLAYED', message: 'Nonce replayed or rejected' };
+            }
+        }
+        return { ok: true, keyId, timestampMs, nonce };
+    },
+});
+const parseAndValidateHeaders = (headers) => {
+    const keyId = getHeader(headers, 'x-zt-key-id');
+    const ts = getHeader(headers, 'x-zt-timestamp');
+    const nonce = getHeader(headers, 'x-zt-nonce');
+    const bodySha = getHeader(headers, 'x-zt-body-sha256');
+    const signature = getHeader(headers, 'x-zt-signature');
+    if (keyId === undefined ||
+        ts === undefined ||
+        nonce === undefined ||
+        bodySha === undefined ||
+        signature === undefined) {
+        return { ok: false, code: 'MISSING_HEADER', message: 'Missing required signing headers' };
+    }
+    const timestampMs = Number.parseInt(ts, 10);
+    if (!Number.isFinite(timestampMs)) {
+        return { ok: false, code: 'INVALID_TIMESTAMP', message: 'Invalid x-zt-timestamp' };
+    }
+    return { ok: true, keyId, timestampMs, nonce, bodySha, signature };
+};
+const validateTimestampWindow = (params) => {
+    if (Math.abs(params.nowMs - params.timestampMs) > params.windowMs) {
+        return { ok: false, code: 'EXPIRED', message: 'Request timestamp outside allowed window' };
+    }
+    return { ok: true };
+};
+const validateBodyHash = async (params) => {
+    const computedBodySha = await sha256Hex(params.body);
+    if (!timingSafeEquals(computedBodySha, params.bodyShaHeader)) {
+        return { ok: false, code: 'INVALID_BODY_SHA', message: 'Body hash mismatch' };
+    }
+    return { ok: true };
+};
+const validateSignature = async (params) => {
+    const subtle = getSubtle();
+    const canonical = canonicalString({
+        method: params.method,
+        url: params.url,
+        timestampMs: params.timestampMs,
+        nonce: params.nonce,
+        bodySha256Hex: params.bodySha,
+    });
+    const key = await subtle.importKey('raw', toBytes(params.secret), { name: 'HMAC', hash: 'SHA-256' }, false, ['sign']);
+    const expectedBytes = await subtle.sign('HMAC', key, toBytes(canonical));
+    const expected = toHex(expectedBytes);
+    if (!timingSafeEquals(expected, params.signature)) {
+        return { ok: false, code: 'INVALID_SIGNATURE', message: 'Invalid signature' };
+    }
+    return { ok: true };
+};

package/src/templates/project/basic/config/cache.ts.tpl

@@ -48,6 +48,10 @@ const cacheConfigObj = {
       driver: 'kv' as const,
       ttl: Env.getInt('CACHE_KV_TTL', 3600),
     },
+    'kv-remote': {
+      driver: 'kv-remote' as const,
+      ttl: Env.getInt('CACHE_KV_TTL', 3600),
+    },
   },
 
   /**

package/src/templates/project/basic/config/env.ts.tpl

@@ -79,6 +79,21 @@ export const Env = Object.freeze({
   D1_DATABASE_ID: get('D1_DATABASE_ID'),
   KV_NAMESPACE_ID: get('KV_NAMESPACE_ID'),
 
+  // Cloudflare proxy services (D1/KV outside Cloudflare)
+  D1_REMOTE_URL: get('D1_REMOTE_URL', ''),
+  D1_REMOTE_KEY_ID: get('D1_REMOTE_KEY_ID', ''),
+  D1_REMOTE_SECRET: get('D1_REMOTE_SECRET', ''),
+  D1_REMOTE_MODE: get('D1_REMOTE_MODE', 'registry'),
+
+  KV_REMOTE_URL: get('KV_REMOTE_URL', ''),
+  KV_REMOTE_KEY_ID: get('KV_REMOTE_KEY_ID', ''),
+  KV_REMOTE_SECRET: get('KV_REMOTE_SECRET', ''),
+  KV_REMOTE_NAMESPACE: get('KV_REMOTE_NAMESPACE', ''),
+
+  // Proxy client tuning
+  ZT_PROXY_SIGNING_WINDOW_MS: getInt('ZT_PROXY_SIGNING_WINDOW_MS', 60000),
+  ZT_PROXY_TIMEOUT_MS: getInt('ZT_PROXY_TIMEOUT_MS', 30000),
+
   // Cache
   CACHE_DRIVER: get('CACHE_DRIVER', 'memory'),
   REDIS_HOST: get('REDIS_HOST', 'localhost'),