@zintrust/core 0.1.11 → 0.1.13

package/src/security/SignedRequest.js

@@ -0,0 +1,172 @@
+import { ErrorFactory } from '../exceptions/ZintrustError.js';
+const getHeader = (headers, name) => {
+    if (typeof headers.get === 'function') {
+        const value = headers.get(name);
+        return value ?? undefined;
+    }
+    return headers[name];
+};
+const timingSafeEquals = (a, b) => {
+    if (a.length !== b.length)
+        return false;
+    let result = 0;
+    for (let i = 0; i < a.length; i++) {
+        result |= (a.codePointAt(i) ?? 0) ^ (b.codePointAt(i) ?? 0);
+    }
+    return result === 0;
+};
+const getCrypto = () => {
+    if (typeof crypto === 'undefined' || crypto.subtle === undefined) {
+        // Some runtimes (or test environments) may not expose WebCrypto.
+        // Keep this as a typed Zintrust error to satisfy lint rules.
+        throw ErrorFactory.createSecurityError('WebCrypto is not available in this runtime');
+    }
+    return crypto;
+};
+const getSubtle = () => getCrypto().subtle;
+const toBytes = (data) => {
+    const bytes = typeof data === 'string' ? new TextEncoder().encode(data) : data;
+    return new Uint8Array(bytes);
+};
+const toHex = (bytes) => {
+    const view = bytes instanceof Uint8Array ? bytes : new Uint8Array(bytes);
+    let out = '';
+    for (const element of view) {
+        out += element.toString(16).padStart(2, '0');
+    }
+    return out;
+};
+const sha256Hex = async (data) => {
+    const digest = await getSubtle().digest('SHA-256', toBytes(data));
+    return toHex(digest);
+};
+const canonicalString = (params) => {
+    const u = typeof params.url === 'string' ? new URL(params.url) : params.url;
+    const method = params.method.toUpperCase();
+    // Keep URL pieces aligned with plan: pathname + search (including leading '?' or '').
+    return [
+        method,
+        u.pathname,
+        u.search,
+        String(params.timestampMs),
+        params.nonce,
+        params.bodySha256Hex,
+    ].join('\n');
+};
+export const SignedRequest = Object.freeze({
+    sha256Hex,
+    canonicalString,
+    async createHeaders(params) {
+        const timestampMs = params.timestampMs ?? Date.now();
+        const webCrypto = getCrypto();
+        const nonce = params.nonce ??
+            (typeof webCrypto.randomUUID === 'function'
+                ? webCrypto.randomUUID()
+                : toHex(webCrypto.getRandomValues(new Uint8Array(16))));
+        const body = params.body ?? '';
+        const bodySha = await sha256Hex(body);
+        const canonical = canonicalString({
+            method: params.method,
+            url: params.url,
+            timestampMs,
+            nonce,
+            bodySha256Hex: bodySha,
+        });
+        const subtle = getSubtle();
+        const key = await subtle.importKey('raw', toBytes(params.secret), { name: 'HMAC', hash: 'SHA-256' }, false, ['sign']);
+        const signatureBytes = await subtle.sign('HMAC', key, toBytes(canonical));
+        const signature = toHex(signatureBytes);
+        return {
+            'x-zt-key-id': params.keyId,
+            'x-zt-timestamp': String(timestampMs),
+            'x-zt-nonce': nonce,
+            'x-zt-body-sha256': bodySha,
+            'x-zt-signature': signature,
+        };
+    },
+    async verify(params) {
+        const parsed = parseAndValidateHeaders(params.headers);
+        if (parsed.ok === false)
+            return parsed;
+        const { keyId, timestampMs, nonce, bodySha, signature } = parsed;
+        const nowMs = params.nowMs ?? Date.now();
+        const windowMs = params.windowMs ?? 60_000;
+        const windowCheck = validateTimestampWindow({ nowMs, timestampMs, windowMs });
+        if (windowCheck.ok === false)
+            return windowCheck;
+        const bodyCheck = await validateBodyHash({ body: params.body ?? '', bodyShaHeader: bodySha });
+        if (bodyCheck.ok === false)
+            return bodyCheck;
+        const secret = await params.getSecretForKeyId(keyId);
+        if (secret === undefined || secret.trim() === '') {
+            return { ok: false, code: 'UNKNOWN_KEY', message: 'Unknown key id' };
+        }
+        const sigCheck = await validateSignature({
+            method: params.method,
+            url: params.url,
+            timestampMs,
+            nonce,
+            bodySha,
+            signature,
+            secret,
+        });
+        if (sigCheck.ok === false)
+            return sigCheck;
+        if (params.verifyNonce !== undefined) {
+            const ok = await params.verifyNonce(keyId, nonce, windowMs);
+            if (ok === false) {
+                return { ok: false, code: 'REPLAYED', message: 'Nonce replayed or rejected' };
+            }
+        }
+        return { ok: true, keyId, timestampMs, nonce };
+    },
+});
+const parseAndValidateHeaders = (headers) => {
+    const keyId = getHeader(headers, 'x-zt-key-id');
+    const ts = getHeader(headers, 'x-zt-timestamp');
+    const nonce = getHeader(headers, 'x-zt-nonce');
+    const bodySha = getHeader(headers, 'x-zt-body-sha256');
+    const signature = getHeader(headers, 'x-zt-signature');
+    if (keyId === undefined ||
+        ts === undefined ||
+        nonce === undefined ||
+        bodySha === undefined ||
+        signature === undefined) {
+        return { ok: false, code: 'MISSING_HEADER', message: 'Missing required signing headers' };
+    }
+    const timestampMs = Number.parseInt(ts, 10);
+    if (!Number.isFinite(timestampMs)) {
+        return { ok: false, code: 'INVALID_TIMESTAMP', message: 'Invalid x-zt-timestamp' };
+    }
+    return { ok: true, keyId, timestampMs, nonce, bodySha, signature };
+};
+const validateTimestampWindow = (params) => {
+    if (Math.abs(params.nowMs - params.timestampMs) > params.windowMs) {
+        return { ok: false, code: 'EXPIRED', message: 'Request timestamp outside allowed window' };
+    }
+    return { ok: true };
+};
+const validateBodyHash = async (params) => {
+    const computedBodySha = await sha256Hex(params.body);
+    if (!timingSafeEquals(computedBodySha, params.bodyShaHeader)) {
+        return { ok: false, code: 'INVALID_BODY_SHA', message: 'Body hash mismatch' };
+    }
+    return { ok: true };
+};
+const validateSignature = async (params) => {
+    const subtle = getSubtle();
+    const canonical = canonicalString({
+        method: params.method,
+        url: params.url,
+        timestampMs: params.timestampMs,
+        nonce: params.nonce,
+        bodySha256Hex: params.bodySha,
+    });
+    const key = await subtle.importKey('raw', toBytes(params.secret), { name: 'HMAC', hash: 'SHA-256' }, false, ['sign']);
+    const expectedBytes = await subtle.sign('HMAC', key, toBytes(canonical));
+    const expected = toHex(expectedBytes);
+    if (!timingSafeEquals(expected, params.signature)) {
+        return { ok: false, code: 'INVALID_SIGNATURE', message: 'Invalid signature' };
+    }
+    return { ok: true };
+};

package/src/templates/project/basic/config/cache.ts.tpl

@@ -48,6 +48,10 @@ const cacheConfigObj = {
       driver: 'kv' as const,
       ttl: Env.getInt('CACHE_KV_TTL', 3600),
     },
+    'kv-remote': {
+      driver: 'kv-remote' as const,
+      ttl: Env.getInt('CACHE_KV_TTL', 3600),
+    },
   },
 
   /**

package/src/templates/project/basic/config/env.ts.tpl

@@ -79,6 +79,21 @@ export const Env = Object.freeze({
   D1_DATABASE_ID: get('D1_DATABASE_ID'),
   KV_NAMESPACE_ID: get('KV_NAMESPACE_ID'),
 
+  // Cloudflare proxy services (D1/KV outside Cloudflare)
+  D1_REMOTE_URL: get('D1_REMOTE_URL', ''),
+  D1_REMOTE_KEY_ID: get('D1_REMOTE_KEY_ID', ''),
+  D1_REMOTE_SECRET: get('D1_REMOTE_SECRET', ''),
+  D1_REMOTE_MODE: get('D1_REMOTE_MODE', 'registry'),
+
+  KV_REMOTE_URL: get('KV_REMOTE_URL', ''),
+  KV_REMOTE_KEY_ID: get('KV_REMOTE_KEY_ID', ''),
+  KV_REMOTE_SECRET: get('KV_REMOTE_SECRET', ''),
+  KV_REMOTE_NAMESPACE: get('KV_REMOTE_NAMESPACE', ''),
+
+  // Proxy client tuning
+  ZT_PROXY_SIGNING_WINDOW_MS: getInt('ZT_PROXY_SIGNING_WINDOW_MS', 60000),
+  ZT_PROXY_TIMEOUT_MS: getInt('ZT_PROXY_TIMEOUT_MS', 30000),
+
   // Cache
   CACHE_DRIVER: get('CACHE_DRIVER', 'memory'),
   REDIS_HOST: get('REDIS_HOST', 'localhost'),

package/src/templates/project/basic/config/type.ts.tpl

@@ -1,6 +1,5 @@
-import type { Middleware } from '@zintrust/core';
-
 import { Env } from './env';
+import type { Middleware as MiddlewareFn } from '../middleware/MiddlewareStack';
 
 export type Environment =
   | 'development'
@@ -203,8 +202,8 @@ export type NotificationProviders = {
 };
 
 export type MiddlewareConfigType = {
-  global: Middleware[];
-  route: Record<string, Middleware>;
+  global: MiddlewareFn[];
+  route: Record<string, MiddlewareFn>;
 };
 
 export type MailDriverName = 'disabled' | 'sendgrid' | 'smtp' | 'ses' | 'mailgun' | 'nodemailer';
@@ -371,17 +370,24 @@ export type KvCacheDriverConfig = {
   ttl: number;
 };
 
+export type KvRemoteCacheDriverConfig = {
+  driver: 'kv-remote';
+  ttl: number;
+};
+
 export type CacheDriverConfig =
   | MemoryCacheDriverConfig
   | RedisCacheDriverConfig
   | MongoCacheDriverConfig
-  | KvCacheDriverConfig;
+  | KvCacheDriverConfig
+  | KvRemoteCacheDriverConfig;
 
 export type CacheDrivers = {
   memory: MemoryCacheDriverConfig;
   redis: RedisCacheDriverConfig;
   mongodb: MongoCacheDriverConfig;
   kv: KvCacheDriverConfig;
+  'kv-remote': KvRemoteCacheDriverConfig;
 };
 
 export type CacheConfigInput = {

package/src/tools/mail/Mail.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"Mail.d.ts","sourceRoot":"","sources":["../../../../src/tools/mail/Mail.ts"],"names":[],"mappings":"AAQA,OAAO,EAAsB,KAAK,eAAe,EAAE,MAAM,mBAAmB,CAAC;AAI7E,MAAM,MAAM,aAAa,GAAG;IAC1B,EAAE,EAAE,MAAM,GAAG,MAAM,EAAE,CAAC;IACtB,OAAO,EAAE,MAAM,CAAC;IAChB,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,IAAI,CAAC,EAAE;QACL,OAAO,CAAC,EAAE,MAAM,CAAC;QACjB,IAAI,CAAC,EAAE,MAAM,CAAC;KACf,CAAC;IACF,WAAW,CAAC,EAAE,eAAe,EAAE,CAAC;CACjC,CAAC;AAEF,MAAM,MAAM,cAAc,GAAG;IAC3B,EAAE,EAAE,OAAO,CAAC;IACZ,MAAM,EAAE,UAAU,GAAG,UAAU,GAAG,MAAM,GAAG,KAAK,GAAG,SAAS,GAAG,YAAY,CAAC;IAC5E,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB,CAAC;AA6IF,eAAO,MAAM,IAAI;gBACG,aAAa,GAAG,OAAO,CAAC,cAAc,CAAC;EAqBzD,CAAC;AAEH,eAAe,IAAI,CAAC"}
+{"version":3,"file":"Mail.d.ts","sourceRoot":"","sources":["../../../../src/tools/mail/Mail.ts"],"names":[],"mappings":"AAMA,OAAO,EAAsB,KAAK,eAAe,EAAE,MAAM,mBAAmB,CAAC;AAI7E,MAAM,MAAM,aAAa,GAAG;IAC1B,EAAE,EAAE,MAAM,GAAG,MAAM,EAAE,CAAC;IACtB,OAAO,EAAE,MAAM,CAAC;IAChB,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,IAAI,CAAC,EAAE;QACL,OAAO,CAAC,EAAE,MAAM,CAAC;QACjB,IAAI,CAAC,EAAE,MAAM,CAAC;KACf,CAAC;IACF,WAAW,CAAC,EAAE,eAAe,EAAE,CAAC;CACjC,CAAC;AAEF,MAAM,MAAM,cAAc,GAAG;IAC3B,EAAE,EAAE,OAAO,CAAC;IACZ,MAAM,EAAE,UAAU,GAAG,UAAU,GAAG,MAAM,GAAG,KAAK,GAAG,SAAS,GAAG,YAAY,CAAC;IAC5E,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB,CAAC;AAuHF,eAAO,MAAM,IAAI;gBACG,aAAa,GAAG,OAAO,CAAC,cAAc,CAAC;EAqBzD,CAAC;AAEH,eAAe,IAAI,CAAC"}

package/src/tools/mail/Mail.js

@@ -1,9 +1,6 @@
 import { mailConfig } from '../../config/mail.js';
 import { ErrorFactory } from '../../exceptions/ZintrustError.js';
-import { MailgunDriver } from './drivers/Mailgun.js';
-import { SendGridDriver } from './drivers/SendGrid.js';
 import { SesDriver } from './drivers/Ses.js';
-import { SmtpDriver } from './drivers/Smtp.js';
 import { resolveAttachments } from './attachments.js';
 import { MailDriverRegistry } from './MailDriverRegistry.js';
 import { Storage } from '../storage/index.js';
@@ -55,29 +52,11 @@ const createStorageWrapper = () => ({
     },
 });
 const sendWithDriver = async (driver, message) => {
-    if (driver.driver === 'sendgrid') {
-        const result = await SendGridDriver.send({ apiKey: driver.apiKey }, message);
-        return { ok: result.ok, driver: 'sendgrid', messageId: result.messageId };
-    }
-    if (driver.driver === 'mailgun') {
-        const result = await MailgunDriver.send({ apiKey: driver.apiKey, domain: driver.domain, baseUrl: driver.baseUrl }, message);
-        return { ok: result.ok, driver: 'mailgun', messageId: result.messageId };
-    }
-    if (driver.driver === 'smtp') {
-        const result = await SmtpDriver.send({
-            host: driver.host,
-            port: driver.port,
-            username: driver.username,
-            password: driver.password,
-            secure: driver.secure,
-        }, message);
-        return { ok: result.ok, driver: 'smtp', messageId: result.messageId };
-    }
     if (driver.driver === 'ses') {
         const result = await SesDriver.send({ region: driver.region }, message);
         return { ok: result.ok, driver: 'ses', messageId: result.messageId };
     }
-    // External drivers can register via MailDriverRegistry (e.g., nodemailer)
+    // Drivers resolve via MailDriverRegistry (external packages)
     const external = MailDriverRegistry.get(driver.driver);
     if (external !== undefined) {
         const result = await external(driver, message);
@@ -87,6 +66,9 @@ const sendWithDriver = async (driver, message) => {
             messageId: typeof result?.messageId === 'string' ? result.messageId : undefined,
         };
     }
+    if (driver.driver === 'sendgrid' || driver.driver === 'mailgun' || driver.driver === 'smtp') {
+        throw ErrorFactory.createConfigError(`Mail driver not registered: ${driver.driver} (run \`zin add mail:${driver.driver}\` / \`npm i @zintrust/mail-${driver.driver}\`)`);
+    }
     // Config exists for future drivers, but implementations are intentionally CLI/runtime-safe and added incrementally.
     {
         const err = ErrorFactory.createConfigError(`Mail driver not implemented: ${mailConfig.default}`);

package/src/tools/storage/StorageDriverRegistry.d.ts

@@ -0,0 +1,16 @@
+export type StorageDriverEntry = {
+    driver: unknown;
+    normalize?: (raw: Record<string, unknown>) => Record<string, unknown>;
+};
+declare function register(driverName: string, entry: StorageDriverEntry): void;
+declare function get(driverName: string): StorageDriverEntry | undefined;
+declare function has(driverName: string): boolean;
+declare function list(): string[];
+export declare const StorageDriverRegistry: Readonly<{
+    register: typeof register;
+    get: typeof get;
+    has: typeof has;
+    list: typeof list;
+}>;
+export default StorageDriverRegistry;
+//# sourceMappingURL=StorageDriverRegistry.d.ts.map

package/src/tools/storage/StorageDriverRegistry.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"StorageDriverRegistry.d.ts","sourceRoot":"","sources":["../../../../src/tools/storage/StorageDriverRegistry.ts"],"names":[],"mappings":"AAAA,MAAM,MAAM,kBAAkB,GAAG;IAC/B,MAAM,EAAE,OAAO,CAAC;IAChB,SAAS,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,KAAK,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CACvE,CAAC;AAIF,iBAAS,QAAQ,CAAC,UAAU,EAAE,MAAM,EAAE,KAAK,EAAE,kBAAkB,GAAG,IAAI,CAErE;AAED,iBAAS,GAAG,CAAC,UAAU,EAAE,MAAM,GAAG,kBAAkB,GAAG,SAAS,CAE/D;AAED,iBAAS,GAAG,CAAC,UAAU,EAAE,MAAM,GAAG,OAAO,CAExC;AAED,iBAAS,IAAI,IAAI,MAAM,EAAE,CAExB;AAED,eAAO,MAAM,qBAAqB;;;;;EAKhC,CAAC;AAEH,eAAe,qBAAqB,CAAC"}

package/src/tools/storage/StorageDriverRegistry.js

@@ -0,0 +1,20 @@
+const registry = new Map();
+function register(driverName, entry) {
+    registry.set(String(driverName).trim().toLowerCase(), entry);
+}
+function get(driverName) {
+    return registry.get(String(driverName).trim().toLowerCase());
+}
+function has(driverName) {
+    return registry.has(String(driverName).trim().toLowerCase());
+}
+function list() {
+    return Array.from(registry.keys()).sort((a, b) => a.localeCompare(b));
+}
+export const StorageDriverRegistry = Object.freeze({
+    register,
+    get,
+    has,
+    list,
+});
+export default StorageDriverRegistry;

package/src/tools/storage/index.d.ts

@@ -1,10 +1,6 @@
-import { GcsDriver } from '../../tools/storage/drivers/Gcs';
-import { LocalDriver } from './drivers/Local';
-import { R2Driver } from './drivers/R2';
-import { S3Driver } from './drivers/S3';
 export type DiskName = 'local' | 's3' | 'gcs' | 'r2';
 export type StorageDisk = {
-    driver: typeof LocalDriver | typeof S3Driver | typeof R2Driver | typeof GcsDriver;
+    driver: unknown;
     config: unknown;
 };
 type TempUrlOptions = {

package/src/tools/storage/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../../src/tools/storage/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,EAAE,MAAM,6BAA6B,CAAC;AAGxD,OAAO,EAAE,WAAW,EAAE,MAAM,wBAAwB,CAAC;AACrD,OAAO,EAAE,QAAQ,EAAE,MAAM,qBAAqB,CAAC;AAC/C,OAAO,EAAE,QAAQ,EAAE,MAAM,qBAAqB,CAAC;AAE/C,MAAM,MAAM,QAAQ,GAAG,OAAO,GAAG,IAAI,GAAG,KAAK,GAAG,IAAI,CAAC;AAErD,MAAM,MAAM,WAAW,GAAG;IACxB,MAAM,EAAE,OAAO,WAAW,GAAG,OAAO,QAAQ,GAAG,OAAO,QAAQ,GAAG,OAAO,SAAS,CAAC;IAClF,MAAM,EAAE,OAAO,CAAC;CACjB,CAAC;AAEF,KAAK,cAAc,GAAG;IAAE,SAAS,CAAC,EAAE,MAAM,CAAC;IAAC,MAAM,CAAC,EAAE,KAAK,GAAG,KAAK,CAAA;CAAE,CAAC;AAsCrE,eAAO,MAAM,OAAO;mBACH,MAAM,GAAG,WAAW;cAqBnB,MAAM,GAAG,SAAS,QAAQ,MAAM,YAAY,MAAM,GAAG,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;cAW7E,MAAM,GAAG,SAAS,QAAQ,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;iBAW/C,MAAM,GAAG,SAAS,QAAQ,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;iBASnD,MAAM,GAAG,SAAS,QAAQ,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;cASzD,MAAM,GAAG,SAAS,QAAQ,MAAM,GAAG,MAAM;kBAY/B,MAAM,GAAG,SAAS,QAAQ,MAAM,YAAY,cAAc,GAAG,OAAO,CAAC,MAAM,CAAC;EAqBhG,CAAC;AAEH,eAAe,OAAO,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../../src/tools/storage/index.ts"],"names":[],"mappings":"AAKA,MAAM,MAAM,QAAQ,GAAG,OAAO,GAAG,IAAI,GAAG,KAAK,GAAG,IAAI,CAAC;AAErD,MAAM,MAAM,WAAW,GAAG;IACxB,MAAM,EAAE,OAAO,CAAC;IAChB,MAAM,EAAE,OAAO,CAAC;CACjB,CAAC;AAEF,KAAK,cAAc,GAAG;IAAE,SAAS,CAAC,EAAE,MAAM,CAAC;IAAC,MAAM,CAAC,EAAE,KAAK,GAAG,KAAK,CAAA;CAAE,CAAC;AAsCrE,eAAO,MAAM,OAAO;mBACH,MAAM,GAAG,WAAW;cAqCnB,MAAM,GAAG,SAAS,QAAQ,MAAM,YAAY,MAAM,GAAG,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;cAW7E,MAAM,GAAG,SAAS,QAAQ,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;iBAW/C,MAAM,GAAG,SAAS,QAAQ,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;iBASnD,MAAM,GAAG,SAAS,QAAQ,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;cASzD,MAAM,GAAG,SAAS,QAAQ,MAAM,GAAG,MAAM;kBAY/B,MAAM,GAAG,SAAS,QAAQ,MAAM,YAAY,cAAc,GAAG,OAAO,CAAC,MAAM,CAAC;EAqBhG,CAAC;AAEH,eAAe,OAAO,CAAC"}

package/src/tools/storage/index.js

@@ -1,9 +1,7 @@
-import { GcsDriver } from '../../tools/storage/drivers/Gcs.js';
 import { storageConfig } from '../../config/storage.js';
 import { ErrorFactory } from '../../exceptions/ZintrustError.js';
 import { LocalDriver } from './drivers/Local.js';
-import { R2Driver } from './drivers/R2.js';
-import { S3Driver } from './drivers/S3.js';
+import { StorageDriverRegistry } from './StorageDriverRegistry.js';
 const normalizers = {
     local: (raw) => ({
         root: String(raw['root'] ?? ''),
@@ -43,18 +41,25 @@ export const Storage = Object.freeze({
         const config = drivers[diskName];
         if (config === undefined)
             throw ErrorFactory.createValidationError('Storage: unknown disk', { disk: diskName });
-        const driverName = String(config['driver'] ?? '');
-        if (driverName === 'local')
+        const driverName = String(config['driver'] ?? '')
+            .trim()
+            .toLowerCase();
+        if (driverName === 'local') {
             return { driver: LocalDriver, config: normalizeDiskConfig('local', config) };
-        if (driverName === 's3')
-            return { driver: S3Driver, config: normalizeDiskConfig('s3', config) };
-        if (driverName === 'r2')
-            return { driver: R2Driver, config: normalizeDiskConfig('r2', config) };
-        if (driverName === 'gcs')
-            return { driver: GcsDriver, config: normalizeDiskConfig('gcs', config) };
-        throw ErrorFactory.createValidationError('Storage: unsupported disk driver', {
-            driver: config['driver'],
-        });
+        }
+        const entry = StorageDriverRegistry.get(driverName);
+        if (entry === undefined) {
+            if (driverName === 's3' || driverName === 'r2' || driverName === 'gcs') {
+                throw ErrorFactory.createConfigError(`Storage driver not registered: ${driverName} (run \`zin add storage:${driverName}\` / \`npm i @zintrust/storage-${driverName}\`)`);
+            }
+            throw ErrorFactory.createValidationError('Storage: unsupported disk driver', {
+                driver: config['driver'],
+            });
+        }
+        const normalizedConfig = typeof entry.normalize === 'function'
+            ? entry.normalize(config)
+            : normalizeDiskConfig(driverName, config);
+        return { driver: entry.driver, config: normalizedConfig };
     },
     async put(disk, path, contents) {
         const d = Storage.getDisk(disk);
@@ -77,14 +82,14 @@ export const Storage = Object.freeze({
         const driver = d.driver;
         if (typeof driver.exists !== 'function')
             return true;
-        return Boolean(await Promise.resolve(driver.exists(d.config, path)));
+        return Boolean(await driver.exists(d.config, path));
     },
     async delete(disk, path) {
         const d = Storage.getDisk(disk);
         const driver = d.driver;
         if (typeof driver.delete !== 'function')
             return;
-        await Promise.resolve(driver.delete(d.config, path));
+        await driver.delete(d.config, path);
     },
     url(disk, path) {
         const d = Storage.getDisk(disk);
@@ -99,7 +104,7 @@ export const Storage = Object.freeze({
         const d = Storage.getDisk(disk);
         const driver = d.driver;
         if (typeof driver.tempUrl === 'function') {
-            return Promise.resolve(driver.tempUrl(d.config, path, options));
+            return driver.tempUrl(d.config, path, options);
         }
         const url = typeof driver.url === 'function' ? driver.url(d.config, path) : undefined;
         if (typeof url !== 'string' || url.trim() === '') {