@zintrust/core 0.1.39 → 0.1.41

package/src/proxy/ProxyConfig.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"ProxyConfig.d.ts","sourceRoot":"","sources":["../../../src/proxy/ProxyConfig.ts"],"names":[],"mappings":"AAAA,MAAM,MAAM,kBAAkB,GAAG,QAAQ,CAAC;IACxC,KAAK,EAAE,MAAM,CAAC;IACd,MAAM,EAAE,MAAM,CAAC;IACf,OAAO,EAAE,OAAO,CAAC;IACjB,QAAQ,EAAE,MAAM,CAAC;CAClB,CAAC,CAAC;AAEH,MAAM,MAAM,iBAAiB,GAAG,QAAQ,CAAC;IACvC,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,MAAM,CAAC;IACb,YAAY,EAAE,MAAM,CAAC;CACtB,CAAC,CAAC"}

package/src/proxy/ProxyConfig.js

@@ -0,0 +1 @@
+export {};

package/src/proxy/ProxyRegistry.d.ts

@@ -0,0 +1,10 @@
+export type ProxyRegistration = Readonly<{
+    name: string;
+    description: string;
+}>;
+export declare const ProxyRegistry: Readonly<{
+    register: (proxy: ProxyRegistration) => void;
+    get: (name: string) => ProxyRegistration | undefined;
+    list: () => ProxyRegistration[];
+}>;
+//# sourceMappingURL=ProxyRegistry.d.ts.map

package/src/proxy/ProxyRegistry.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"ProxyRegistry.d.ts","sourceRoot":"","sources":["../../../src/proxy/ProxyRegistry.ts"],"names":[],"mappings":"AAAA,MAAM,MAAM,iBAAiB,GAAG,QAAQ,CAAC;IACvC,IAAI,EAAE,MAAM,CAAC;IACb,WAAW,EAAE,MAAM,CAAC;CACrB,CAAC,CAAC;AAYH,eAAO,MAAM,aAAa;sBARD,iBAAiB,KAAG,IAAI;gBAI9B,MAAM,KAAG,iBAAiB,GAAG,SAAS;gBAExC,iBAAiB,EAAE;EAMlC,CAAC"}

package/src/proxy/ProxyRegistry.js

@@ -0,0 +1,11 @@
+const registry = new Map();
+const register = (proxy) => {
+    registry.set(proxy.name, proxy);
+};
+const get = (name) => registry.get(name);
+const list = () => Array.from(registry.values());
+export const ProxyRegistry = Object.freeze({
+    register,
+    get,
+    list,
+});

package/src/proxy/ProxyServer.d.ts

@@ -0,0 +1,21 @@
+import { type IncomingMessage, type Server } from '../node-singletons/http';
+import type { ProxyBackend } from './ProxyBackend';
+export type ProxyServerOptions = Readonly<{
+    host: string;
+    port: number;
+    maxBodyBytes: number;
+    backend: ProxyBackend;
+    verify?: (req: IncomingMessage, body: string) => Promise<{
+        ok: true;
+    } | {
+        ok: false;
+        status: number;
+        message: string;
+    }>;
+}>;
+export declare const createProxyServer: (options: ProxyServerOptions) => Readonly<{
+    start: () => Promise<void>;
+    stop: () => Promise<void>;
+    server: Server;
+}>;
+//# sourceMappingURL=ProxyServer.d.ts.map

package/src/proxy/ProxyServer.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"ProxyServer.d.ts","sourceRoot":"","sources":["../../../src/proxy/ProxyServer.ts"],"names":[],"mappings":"AACA,OAAO,EAEL,KAAK,eAAe,EACpB,KAAK,MAAM,EAEZ,MAAM,uBAAuB,CAAC;AAC/B,OAAO,KAAK,EAAE,YAAY,EAA+B,MAAM,qBAAqB,CAAC;AAErF,MAAM,MAAM,kBAAkB,GAAG,QAAQ,CAAC;IACxC,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,MAAM,CAAC;IACb,YAAY,EAAE,MAAM,CAAC;IACrB,OAAO,EAAE,YAAY,CAAC;IACtB,MAAM,CAAC,EAAE,CACP,GAAG,EAAE,eAAe,EACpB,IAAI,EAAE,MAAM,KACT,OAAO,CAAC;QAAE,EAAE,EAAE,IAAI,CAAA;KAAE,GAAG;QAAE,EAAE,EAAE,KAAK,CAAC;QAAC,MAAM,EAAE,MAAM,CAAC;QAAC,OAAO,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;CAC7E,CAAC,CAAC;AA0CH,eAAO,MAAM,iBAAiB,GAC5B,SAAS,kBAAkB,KAC1B,QAAQ,CAAC;IACV,KAAK,EAAE,MAAM,OAAO,CAAC,IAAI,CAAC,CAAC;IAC3B,IAAI,EAAE,MAAM,OAAO,CAAC,IAAI,CAAC,CAAC;IAC1B,MAAM,EAAE,MAAM,CAAC;CAChB,CAsDA,CAAC"}

package/src/proxy/ProxyServer.js

@@ -0,0 +1,84 @@
+import { ErrorFactory } from '../exceptions/ZintrustError.js';
+import { createServer, } from '../node-singletons/http.js';
+const readBody = async (req, maxBodyBytes) => {
+    const chunks = [];
+    let size = 0;
+    for await (const chunk of req) {
+        const buffer = Buffer.isBuffer(chunk) ? chunk : Buffer.from(chunk);
+        size += buffer.length;
+        if (size > maxBodyBytes) {
+            throw ErrorFactory.createValidationError('Body too large');
+        }
+        chunks.push(buffer);
+    }
+    return Buffer.concat(chunks).toString('utf8');
+};
+const respond = (res, response) => {
+    res.writeHead(response.status, {
+        'Content-Type': 'application/json; charset=utf-8',
+        'Cache-Control': 'no-store',
+        ...response.headers,
+    });
+    res.end(JSON.stringify(response.body));
+};
+const toProxyRequest = (req, body) => {
+    const url = new URL(req.url ?? '/', `http://${req.headers.host ?? 'localhost'}`);
+    const headers = {};
+    for (const [key, value] of Object.entries(req.headers)) {
+        headers[key.toLowerCase()] = Array.isArray(value) ? value.join(',') : value;
+    }
+    return {
+        method: req.method ?? 'POST',
+        path: url.pathname,
+        headers,
+        body,
+    };
+};
+export const createProxyServer = (options) => {
+    const server = createServer(async (req, res) => {
+        try {
+            const body = await readBody(req, options.maxBodyBytes);
+            if ((req.url ?? '').startsWith('/health')) {
+                const response = await options.backend.health();
+                respond(res, response);
+                return;
+            }
+            if (options.verify) {
+                const verified = await options.verify(req, body);
+                if (!verified.ok) {
+                    respond(res, {
+                        status: verified.status,
+                        body: { code: 'UNAUTHORIZED', message: verified.message },
+                    });
+                    return;
+                }
+            }
+            const request = toProxyRequest(req, body);
+            const response = await options.backend.handle(request);
+            respond(res, response);
+        }
+        catch (error) {
+            respond(res, {
+                status: 500,
+                body: { code: 'PROXY_ERROR', message: String(error) },
+            });
+        }
+    });
+    const start = async () => new Promise((resolve) => {
+        server.listen(options.port, options.host, () => resolve());
+    });
+    const stop = async () => new Promise((resolve, reject) => {
+        server.close((error) => {
+            if (error) {
+                reject(error);
+                return;
+            }
+            resolve();
+        });
+    });
+    return Object.freeze({
+        start,
+        stop,
+        server,
+    });
+};

package/src/proxy/ProxyServerUtils.d.ts

@@ -0,0 +1,37 @@
+import type { IncomingMessage } from '../node-singletons/http';
+import type { ProxySigningConfig } from './ProxyConfig';
+export type BaseProxyConfig = {
+    host: string;
+    port: number;
+    maxBodyBytes: number;
+};
+export type BaseProxyOverrides = Partial<{
+    host: string;
+    port: number;
+    maxBodyBytes: number;
+    requireSigning: boolean;
+    keyId: string;
+    secret: string;
+    signingWindowMs: number;
+}>;
+export declare const resolveBaseConfig: (overrides: BaseProxyOverrides, prefix: string, defaults?: {
+    host?: string;
+    port?: number;
+    maxBodyBytes?: number;
+}) => BaseProxyConfig;
+export declare const resolveBaseSigningConfig: (overrides: BaseProxyOverrides, prefix: string) => {
+    keyId: string;
+    secret: string;
+    requireSigning: boolean;
+    signingWindowMs: number;
+};
+export declare const verifyRequestSignature: (req: IncomingMessage, body: string, config: {
+    signing: ProxySigningConfig;
+}, serviceName: string) => Promise<{
+    ok: boolean;
+    error?: {
+        status: number;
+        message: string;
+    };
+}>;
+//# sourceMappingURL=ProxyServerUtils.d.ts.map

package/src/proxy/ProxyServerUtils.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"ProxyServerUtils.d.ts","sourceRoot":"","sources":["../../../src/proxy/ProxyServerUtils.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,uBAAuB,CAAC;AAC7D,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,oBAAoB,CAAC;AAI7D,MAAM,MAAM,eAAe,GAAG;IAC5B,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,MAAM,CAAC;IACb,YAAY,EAAE,MAAM,CAAC;CACtB,CAAC;AAEF,MAAM,MAAM,kBAAkB,GAAG,OAAO,CAAC;IACvC,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,MAAM,CAAC;IACb,YAAY,EAAE,MAAM,CAAC;IACrB,cAAc,EAAE,OAAO,CAAC;IACxB,KAAK,EAAE,MAAM,CAAC;IACd,MAAM,EAAE,MAAM,CAAC;IACf,eAAe,EAAE,MAAM,CAAC;CACzB,CAAC,CAAC;AAEH,eAAO,MAAM,iBAAiB,GAC5B,WAAW,kBAAkB,EAC7B,QAAQ,MAAM,EACd,WAAW;IAAE,IAAI,CAAC,EAAE,MAAM,CAAC;IAAC,IAAI,CAAC,EAAE,MAAM,CAAC;IAAC,YAAY,CAAC,EAAE,MAAM,CAAA;CAAE,KACjE,eAUF,CAAC;AAEF,eAAO,MAAM,wBAAwB,GACnC,WAAW,kBAAkB,EAC7B,QAAQ,MAAM,KACb;IACD,KAAK,EAAE,MAAM,CAAC;IACd,MAAM,EAAE,MAAM,CAAC;IACf,cAAc,EAAE,OAAO,CAAC;IACxB,eAAe,EAAE,MAAM,CAAC;CAOtB,CAAC;AAEL,eAAO,MAAM,sBAAsB,GACjC,KAAK,eAAe,EACpB,MAAM,MAAM,EACZ,QAAQ;IAAE,OAAO,EAAE,kBAAkB,CAAA;CAAE,EACvC,aAAa,MAAM,KAClB,OAAO,CAAC;IAAE,EAAE,EAAE,OAAO,CAAC;IAAC,KAAK,CAAC,EAAE;QAAE,MAAM,EAAE,MAAM,CAAC;QAAC,OAAO,EAAE,MAAM,CAAA;KAAE,CAAA;CAAE,CA8BtE,CAAC"}

package/src/proxy/ProxyServerUtils.js

@@ -0,0 +1,42 @@
+import { Env } from '../config/env.js';
+import { Logger } from '../config/logger.js';
+import { resolveProxySigningConfig } from './ProxySigningConfigResolver.js';
+import { extractSigningHeaders, verifyProxySignatureIfNeeded } from './ProxySigningRequest.js';
+export const resolveBaseConfig = (overrides, prefix, defaults) => {
+    const host = overrides.host ?? Env.get(`${prefix}_PROXY_HOST`, Env.HOST ?? defaults?.host ?? '127.0.0.1');
+    const port = overrides.port ?? Env.getInt(`${prefix}_PROXY_PORT`, Env.PORT ?? defaults?.port ?? 3000);
+    const maxBodyBytes = overrides.maxBodyBytes ??
+        Env.getInt(`${prefix}_PROXY_MAX_BODY_BYTES`, Env.MAX_BODY_SIZE ?? defaults?.maxBodyBytes ?? 0);
+    return { host, port, maxBodyBytes };
+};
+export const resolveBaseSigningConfig = (overrides, prefix) => resolveProxySigningConfig(overrides, {
+    keyIdEnvVar: `${prefix}_PROXY_KEY_ID`,
+    secretEnvVar: `${prefix}_PROXY_SECRET`,
+    requireEnvVar: `${prefix}_PROXY_REQUIRE_SIGNING`,
+    windowEnvVar: `${prefix}_PROXY_SIGNING_WINDOW_MS`,
+});
+export const verifyRequestSignature = async (req, body, config, serviceName) => {
+    const headers = extractSigningHeaders(req);
+    const hasAnySigningHeader = Object.values(headers).some((value) => typeof value === 'string' && value.trim() !== '');
+    Logger.debug(`[${serviceName}] Verifying request signature`, {
+        path: req.url ?? '',
+        method: req.method ?? 'POST',
+        requireSigning: config.signing.require,
+        hasAnySigningHeader,
+        configuredKeyId: config.signing.keyId,
+        hasConfiguredSecret: config.signing.secret.trim() !== '',
+        bodyBytes: body.length,
+    });
+    const verified = await verifyProxySignatureIfNeeded(req, body, config.signing);
+    if (!verified.ok) {
+        const error = verified.error ?? { status: 401, message: 'Unauthorized' };
+        Logger.warn(`[${serviceName}] Signature verification failed`, {
+            path: req.url ?? '',
+            method: req.method ?? 'POST',
+            status: error.status,
+            message: error.message,
+        });
+        return { ok: false, error };
+    }
+    return { ok: true };
+};

package/src/proxy/ProxySigningConfigResolver.d.ts

@@ -0,0 +1,22 @@
+type SigningOverrideLike = Partial<{
+    requireSigning: boolean;
+    keyId: string;
+    secret: string;
+    signingWindowMs: number;
+}>;
+type ResolveSigningConfigOptions = {
+    keyIdEnvVar: string;
+    secretEnvVar: string;
+    requireEnvVar: string;
+    windowEnvVar: string;
+    defaultRequire?: boolean;
+    defaultWindowMs?: number;
+};
+export declare const resolveProxySigningConfig: (overrides: SigningOverrideLike | undefined, options: ResolveSigningConfigOptions) => {
+    keyId: string;
+    secret: string;
+    requireSigning: boolean;
+    signingWindowMs: number;
+};
+export default resolveProxySigningConfig;
+//# sourceMappingURL=ProxySigningConfigResolver.d.ts.map

package/src/proxy/ProxySigningConfigResolver.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"ProxySigningConfigResolver.d.ts","sourceRoot":"","sources":["../../../src/proxy/ProxySigningConfigResolver.ts"],"names":[],"mappings":"AAGA,KAAK,mBAAmB,GAAG,OAAO,CAAC;IACjC,cAAc,EAAE,OAAO,CAAC;IACxB,KAAK,EAAE,MAAM,CAAC;IACd,MAAM,EAAE,MAAM,CAAC;IACf,eAAe,EAAE,MAAM,CAAC;CACzB,CAAC,CAAC;AAEH,KAAK,2BAA2B,GAAG;IACjC,WAAW,EAAE,MAAM,CAAC;IACpB,YAAY,EAAE,MAAM,CAAC;IACrB,aAAa,EAAE,MAAM,CAAC;IACtB,YAAY,EAAE,MAAM,CAAC;IACrB,cAAc,CAAC,EAAE,OAAO,CAAC;IACzB,eAAe,CAAC,EAAE,MAAM,CAAC;CAC1B,CAAC;AAEF,eAAO,MAAM,yBAAyB,GACpC,WAAW,mBAAmB,GAAG,SAAS,EAC1C,SAAS,2BAA2B,KACnC;IACD,KAAK,EAAE,MAAM,CAAC;IACd,MAAM,EAAE,MAAM,CAAC;IACf,cAAc,EAAE,OAAO,CAAC;IACxB,eAAe,EAAE,MAAM,CAAC;CA4BzB,CAAC;AAEF,eAAe,yBAAyB,CAAC"}

package/src/proxy/ProxySigningConfigResolver.js

@@ -0,0 +1,24 @@
+import { Env } from '../config/env.js';
+import { normalizeSigningCredentials } from './SigningService.js';
+export const resolveProxySigningConfig = (overrides, options) => {
+    const normalizedOverrides = overrides ?? {};
+    const appName = Env.get('APP_NAME', Env.APP_NAME ?? 'ZinTrust');
+    const appKey = Env.get('APP_KEY', Env.APP_KEY ?? '');
+    const envKeyId = Env.get(options.keyIdEnvVar, appName);
+    const envSecret = Env.get(options.secretEnvVar, appKey);
+    const keyIdRaw = normalizedOverrides.keyId ?? (envKeyId.trim() === '' ? appName : envKeyId);
+    const secretRaw = normalizedOverrides.secret ?? (envSecret.trim() === '' ? appKey : envSecret);
+    const secret = secretRaw.trim() === '' ? appKey : secretRaw;
+    const creds = normalizeSigningCredentials({ keyId: keyIdRaw, secret });
+    const requireSigning = normalizedOverrides.requireSigning ??
+        Env.getBool(options.requireEnvVar, options.defaultRequire ?? true);
+    const signingWindowMs = normalizedOverrides.signingWindowMs ??
+        Env.getInt(options.windowEnvVar, options.defaultWindowMs ?? 60000);
+    return {
+        keyId: creds.keyId,
+        secret: creds.secret,
+        requireSigning,
+        signingWindowMs,
+    };
+};
+export default resolveProxySigningConfig;

package/src/proxy/ProxySigningRequest.d.ts

@@ -0,0 +1,12 @@
+import type { IncomingMessage } from '../node-singletons/http';
+import type { ProxySigningConfig } from './ProxyConfig';
+export declare const normalizeHeaderValue: (value: string | string[] | undefined) => string | undefined;
+export declare const extractSigningHeaders: (req: IncomingMessage) => Record<string, string | undefined>;
+export declare const verifyProxySignatureIfNeeded: (req: IncomingMessage, body: string, signing: ProxySigningConfig) => Promise<{
+    ok: boolean;
+    error?: {
+        status: number;
+        message: string;
+    };
+}>;
+//# sourceMappingURL=ProxySigningRequest.d.ts.map

package/src/proxy/ProxySigningRequest.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"ProxySigningRequest.d.ts","sourceRoot":"","sources":["../../../src/proxy/ProxySigningRequest.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,uBAAuB,CAAC;AAC7D,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,oBAAoB,CAAC;AAG7D,eAAO,MAAM,oBAAoB,GAAI,OAAO,MAAM,GAAG,MAAM,EAAE,GAAG,SAAS,KAAG,MAAM,GAAG,SAGpF,CAAC;AAEF,eAAO,MAAM,qBAAqB,GAChC,KAAK,eAAe,KACnB,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,SAAS,CAMlC,CAAC;AAEH,eAAO,MAAM,4BAA4B,GACvC,KAAK,eAAe,EACpB,MAAM,MAAM,EACZ,SAAS,kBAAkB,KAC1B,OAAO,CAAC;IAAE,EAAE,EAAE,OAAO,CAAC;IAAC,KAAK,CAAC,EAAE;QAAE,MAAM,EAAE,MAAM,CAAC;QAAC,OAAO,EAAE,MAAM,CAAA;KAAE,CAAA;CAAE,CAqBtE,CAAC"}

package/src/proxy/ProxySigningRequest.js

@@ -0,0 +1,31 @@
+import { SigningService } from './SigningService.js';
+export const normalizeHeaderValue = (value) => {
+    if (Array.isArray(value))
+        return value.join(',');
+    return value;
+};
+export const extractSigningHeaders = (req) => ({
+    'x-zt-key-id': normalizeHeaderValue(req.headers['x-zt-key-id']),
+    'x-zt-timestamp': normalizeHeaderValue(req.headers['x-zt-timestamp']),
+    'x-zt-nonce': normalizeHeaderValue(req.headers['x-zt-nonce']),
+    'x-zt-body-sha256': normalizeHeaderValue(req.headers['x-zt-body-sha256']),
+    'x-zt-signature': normalizeHeaderValue(req.headers['x-zt-signature']),
+});
+export const verifyProxySignatureIfNeeded = async (req, body, signing) => {
+    const headers = extractSigningHeaders(req);
+    if (!SigningService.shouldVerify(signing, headers)) {
+        return { ok: true };
+    }
+    const url = new URL(req.url ?? '/', `http://${req.headers.host ?? 'localhost'}`);
+    const verified = await SigningService.verify({
+        method: req.method ?? 'POST',
+        url,
+        body,
+        headers,
+        signing,
+    });
+    if (!verified.ok) {
+        return { ok: false, error: { status: verified.status, message: verified.message } };
+    }
+    return { ok: true };
+};

package/src/proxy/RequestValidator.d.ts

@@ -0,0 +1,15 @@
+export type ValidationError = Readonly<{
+    code: string;
+    message: string;
+}>;
+export declare const RequestValidator: Readonly<{
+    parseJson: (body: string) => {
+        ok: true;
+        value: Record<string, unknown>;
+    } | {
+        ok: false;
+        error: ValidationError;
+    };
+    requirePost: (method: string | undefined) => ValidationError | null;
+}>;
+//# sourceMappingURL=RequestValidator.d.ts.map

package/src/proxy/RequestValidator.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"RequestValidator.d.ts","sourceRoot":"","sources":["../../../src/proxy/RequestValidator.ts"],"names":[],"mappings":"AAAA,MAAM,MAAM,eAAe,GAAG,QAAQ,CAAC;IAAE,IAAI,EAAE,MAAM,CAAC;IAAC,OAAO,EAAE,MAAM,CAAA;CAAE,CAAC,CAAC;AA4B1E,eAAO,MAAM,gBAAgB;sBAtBrB,MAAM,KACX;QAAE,EAAE,EAAE,IAAI,CAAC;QAAC,KAAK,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAA;KAAE,GAAG;QAAE,EAAE,EAAE,KAAK,CAAC;QAAC,KAAK,EAAE,eAAe,CAAA;KAAE;0BAgB1D,MAAM,GAAG,SAAS,KAAG,eAAe,GAAG,IAAI;EAQtE,CAAC"}

package/src/proxy/RequestValidator.js

@@ -0,0 +1,25 @@
+const isRecord = (value) => typeof value === 'object' && value !== null;
+const parseJson = (body) => {
+    if (body.trim() === '') {
+        return { ok: false, error: { code: 'VALIDATION_ERROR', message: 'Body is required' } };
+    }
+    try {
+        const parsed = JSON.parse(body);
+        if (!isRecord(parsed)) {
+            return { ok: false, error: { code: 'VALIDATION_ERROR', message: 'Body must be an object' } };
+        }
+        return { ok: true, value: parsed };
+    }
+    catch (error) {
+        return { ok: false, error: { code: 'INVALID_JSON', message: String(error) } };
+    }
+};
+const requirePost = (method) => {
+    if (method === 'POST')
+        return null;
+    return { code: 'METHOD_NOT_ALLOWED', message: 'POST only' };
+};
+export const RequestValidator = Object.freeze({
+    parseJson,
+    requirePost,
+});

package/src/proxy/SigningService.d.ts

@@ -0,0 +1,39 @@
+import type { ProxySigningConfig } from './ProxyConfig';
+export type SigningHeaders = Headers | Record<string, string | undefined>;
+export type SigningVerificationResult = {
+    ok: true;
+} | {
+    ok: false;
+    status: number;
+    code: string;
+    message: string;
+};
+export type SigningCredentials = Readonly<{
+    keyId: string;
+    secret: string;
+}>;
+type SigningServiceApi = Readonly<{
+    normalizeConfig: (signing: ProxySigningConfig) => ProxySigningConfig;
+    shouldVerify: (signing: ProxySigningConfig, headers: SigningHeaders) => boolean;
+    verify: (params: {
+        method: string;
+        url: string | URL;
+        body: string | Uint8Array;
+        headers: SigningHeaders;
+        signing: ProxySigningConfig;
+    }) => Promise<SigningVerificationResult>;
+    verifyWithKeyProvider: (params: {
+        method: string;
+        url: string | URL;
+        body: string | Uint8Array;
+        headers: SigningHeaders;
+        windowMs: number;
+        getSecretForKeyId: (keyId: string) => string | undefined | Promise<string | undefined>;
+        verifyNonce?: (keyId: string, nonce: string, ttlMs: number) => Promise<boolean>;
+    }) => Promise<SigningVerificationResult>;
+}>;
+export declare const normalizeSigningConfig: (signing: ProxySigningConfig) => ProxySigningConfig;
+export declare const normalizeSigningCredentials: (input: SigningCredentials) => SigningCredentials;
+export declare const SigningService: SigningServiceApi;
+export {};
+//# sourceMappingURL=SigningService.d.ts.map

package/src/proxy/SigningService.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"SigningService.d.ts","sourceRoot":"","sources":["../../../src/proxy/SigningService.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,oBAAoB,CAAC;AAI7D,MAAM,MAAM,cAAc,GAAG,OAAO,GAAG,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,SAAS,CAAC,CAAC;AAE1E,MAAM,MAAM,yBAAyB,GACjC;IAAE,EAAE,EAAE,IAAI,CAAA;CAAE,GACZ;IAAE,EAAE,EAAE,KAAK,CAAC;IAAC,MAAM,EAAE,MAAM,CAAC;IAAC,IAAI,EAAE,MAAM,CAAC;IAAC,OAAO,EAAE,MAAM,CAAA;CAAE,CAAC;AAEjE,MAAM,MAAM,kBAAkB,GAAG,QAAQ,CAAC;IACxC,KAAK,EAAE,MAAM,CAAC;IACd,MAAM,EAAE,MAAM,CAAC;CAChB,CAAC,CAAC;AAEH,KAAK,iBAAiB,GAAG,QAAQ,CAAC;IAChC,eAAe,EAAE,CAAC,OAAO,EAAE,kBAAkB,KAAK,kBAAkB,CAAC;IACrE,YAAY,EAAE,CAAC,OAAO,EAAE,kBAAkB,EAAE,OAAO,EAAE,cAAc,KAAK,OAAO,CAAC;IAChF,MAAM,EAAE,CAAC,MAAM,EAAE;QACf,MAAM,EAAE,MAAM,CAAC;QACf,GAAG,EAAE,MAAM,GAAG,GAAG,CAAC;QAClB,IAAI,EAAE,MAAM,GAAG,UAAU,CAAC;QAC1B,OAAO,EAAE,cAAc,CAAC;QACxB,OAAO,EAAE,kBAAkB,CAAC;KAC7B,KAAK,OAAO,CAAC,yBAAyB,CAAC,CAAC;IACzC,qBAAqB,EAAE,CAAC,MAAM,EAAE;QAC9B,MAAM,EAAE,MAAM,CAAC;QACf,GAAG,EAAE,MAAM,GAAG,GAAG,CAAC;QAClB,IAAI,EAAE,MAAM,GAAG,UAAU,CAAC;QAC1B,OAAO,EAAE,cAAc,CAAC;QACxB,QAAQ,EAAE,MAAM,CAAC;QACjB,iBAAiB,EAAE,CAAC,KAAK,EAAE,MAAM,KAAK,MAAM,GAAG,SAAS,GAAG,OAAO,CAAC,MAAM,GAAG,SAAS,CAAC,CAAC;QACvF,WAAW,CAAC,EAAE,CAAC,KAAK,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,KAAK,OAAO,CAAC,OAAO,CAAC,CAAC;KACjF,KAAK,OAAO,CAAC,yBAAyB,CAAC,CAAC;CAC1C,CAAC,CAAC;AAyCH,eAAO,MAAM,sBAAsB,EAAE,CAAC,OAAO,EAAE,kBAAkB,KAAK,kBAErB,CAAC;AAElD,eAAO,MAAM,2BAA2B,EAAE,CAAC,KAAK,EAAE,kBAAkB,KAAK,kBAKvE,CAAC;AA0FH,eAAO,MAAM,cAAc,EAAE,iBAK3B,CAAC"}

package/src/proxy/SigningService.js

@@ -0,0 +1,107 @@
+import { Env } from '../config/env.js';
+import { SignedRequest } from '../security/SignedRequest.js';
+const getHeader = (headers, name) => {
+    if (typeof headers.get === 'function') {
+        const value = headers.get(name);
+        return value ?? undefined;
+    }
+    return headers[name];
+};
+const hasSigningHeaders = (headers) => Boolean((getHeader(headers, 'x-zt-key-id') ?? '') ||
+    (getHeader(headers, 'x-zt-timestamp') ?? '') ||
+    (getHeader(headers, 'x-zt-nonce') ?? '') ||
+    (getHeader(headers, 'x-zt-body-sha256') ?? '') ||
+    getHeader(headers, 'x-zt-signature'));
+const normalizeKeyId = (keyId) => {
+    const trimmed = keyId.trim();
+    if (trimmed !== '')
+        return trimmed.toLowerCase();
+    const appNameRaw = Env.APP_NAME ?? 'zintrust';
+    const normalized = (appNameRaw.trim() === '' ? 'zintrust' : appNameRaw)
+        .toLowerCase()
+        .replaceAll(/\s+/g, '_');
+    return normalized;
+};
+const normalizeSecret = (secret) => {
+    const trimmed = secret.trim();
+    if (trimmed !== '')
+        return trimmed;
+    return Env.APP_KEY ?? '';
+};
+const normalizeConfig = (signing) => ({
+    ...signing,
+    keyId: normalizeKeyId(signing.keyId),
+    secret: normalizeSecret(signing.secret),
+});
+export const normalizeSigningConfig = (signing) => normalizeConfig(signing);
+export const normalizeSigningCredentials = (input) => ({
+    keyId: normalizeKeyId(input.keyId),
+    secret: normalizeSecret(input.secret),
+});
+const shouldVerify = (signing, headers) => {
+    const normalized = normalizeConfig(signing);
+    if (normalized.require)
+        return true;
+    if (normalized.keyId.trim() !== '' &&
+        normalized.secret.trim() !== '' &&
+        hasSigningHeaders(headers)) {
+        return true;
+    }
+    return false;
+};
+const mapVerifyResult = (result) => {
+    if (result.ok)
+        return { ok: true };
+    if (result.code === 'MISSING_HEADER' || result.code === 'INVALID_TIMESTAMP') {
+        return { ok: false, status: 401, code: result.code, message: result.message };
+    }
+    if (result.code === 'EXPIRED') {
+        return { ok: false, status: 401, code: result.code, message: result.message };
+    }
+    if (result.code === 'UNKNOWN_KEY') {
+        return { ok: false, status: 403, code: result.code, message: result.message };
+    }
+    if (result.code === 'REPLAYED') {
+        return { ok: false, status: 409, code: result.code, message: result.message };
+    }
+    return { ok: false, status: 403, code: result.code, message: result.message };
+};
+const verify = async (params) => {
+    const signing = normalizeConfig(params.signing);
+    if (signing.require && (signing.keyId.trim() === '' || signing.secret.trim() === '')) {
+        return {
+            ok: false,
+            status: 500,
+            code: 'SIGNING_REQUIRED',
+            message: 'Proxy signing is required but not configured',
+        };
+    }
+    const result = await SignedRequest.verify({
+        method: params.method,
+        url: params.url,
+        body: params.body,
+        headers: params.headers,
+        // eslint-disable-next-line @typescript-eslint/require-await
+        getSecretForKeyId: async (keyId) => keyId.trim().toLowerCase() === signing.keyId ? signing.secret : undefined,
+        windowMs: signing.windowMs,
+    });
+    return mapVerifyResult(result);
+};
+const verifyWithKeyProvider = async (params) => {
+    const result = await SignedRequest.verify({
+        method: params.method,
+        url: params.url,
+        body: params.body,
+        headers: params.headers,
+        windowMs: params.windowMs,
+        getSecretForKeyId: params.getSecretForKeyId,
+        verifyNonce: params.verifyNonce,
+    });
+    return mapVerifyResult(result);
+};
+export const SigningService = Object.freeze({
+    normalizeConfig,
+    shouldVerify,
+    verify,
+    verifyWithKeyProvider,
+});

package/src/proxy/SqlPayloadValidator.d.ts

@@ -0,0 +1,13 @@
+export type SqlPayloadValidation = {
+    valid: true;
+    sql: string;
+    params: unknown[];
+} | {
+    valid: false;
+    error: {
+        code: string;
+        message: string;
+    };
+};
+export declare const validateSqlPayload: (payload: Record<string, unknown>) => SqlPayloadValidation;
+//# sourceMappingURL=SqlPayloadValidator.d.ts.map

package/src/proxy/SqlPayloadValidator.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"SqlPayloadValidator.d.ts","sourceRoot":"","sources":["../../../src/proxy/SqlPayloadValidator.ts"],"names":[],"mappings":"AAAA,MAAM,MAAM,oBAAoB,GAC5B;IACE,KAAK,EAAE,IAAI,CAAC;IACZ,GAAG,EAAE,MAAM,CAAC;IACZ,MAAM,EAAE,OAAO,EAAE,CAAC;CACnB,GACD;IACE,KAAK,EAAE,KAAK,CAAC;IACb,KAAK,EAAE;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,OAAO,EAAE,MAAM,CAAA;KAAE,CAAC;CAC1C,CAAC;AAEN,eAAO,MAAM,kBAAkB,GAAI,SAAS,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,KAAG,oBAerE,CAAC"}

package/src/proxy/SqlPayloadValidator.js

@@ -0,0 +1,14 @@
+export const validateSqlPayload = (payload) => {
+    const sql = payload['sql'];
+    const params = Array.isArray(payload['params']) ? payload['params'] : [];
+    if (typeof sql !== 'string') {
+        return {
+            valid: false,
+            error: {
+                code: 'VALIDATION_ERROR',
+                message: 'sql must be a string',
+            },
+        };
+    }
+    return { valid: true, sql, params };
+};

package/src/proxy/d1/ZintrustD1Proxy.d.ts

@@ -0,0 +1,2 @@
+export { _ZINTRUST_CLOUDFLARE_D1_PROXY_BUILD_DATE, _ZINTRUST_CLOUDFLARE_D1_PROXY_VERSION, ZintrustD1Proxy, } from '../../../packages/cloudflare-d1-proxy/src/index.js';
+//# sourceMappingURL=ZintrustD1Proxy.d.ts.map

package/src/proxy/d1/ZintrustD1Proxy.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"ZintrustD1Proxy.d.ts","sourceRoot":"","sources":["../../../../src/proxy/d1/ZintrustD1Proxy.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,wCAAwC,EACxC,qCAAqC,EACrC,eAAe,GAChB,MAAM,+BAA+B,CAAC"}

package/src/proxy/d1/ZintrustD1Proxy.js

@@ -0,0 +1 @@
+export { _ZINTRUST_CLOUDFLARE_D1_PROXY_BUILD_DATE, _ZINTRUST_CLOUDFLARE_D1_PROXY_VERSION, ZintrustD1Proxy, } from '../../../packages/cloudflare-d1-proxy/src/index.js';

package/src/proxy/d1/register.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=register.d.ts.map

package/src/proxy/d1/register.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"register.d.ts","sourceRoot":"","sources":["../../../../src/proxy/d1/register.ts"],"names":[],"mappings":""}

package/src/proxy/d1/register.js

@@ -0,0 +1,5 @@
+import { ProxyRegistry } from '../ProxyRegistry.js';
+ProxyRegistry.register({
+    name: 'd1',
+    description: 'Cloudflare D1 Worker proxy endpoint',
+});

package/src/proxy/kv/ZintrustKvProxy.d.ts

@@ -0,0 +1,2 @@
+export { _ZINTRUST_CLOUDFLARE_KV_PROXY_BUILD_DATE, _ZINTRUST_CLOUDFLARE_KV_PROXY_VERSION, ZintrustKvProxy, } from '../../../packages/cloudflare-kv-proxy/src/index.js';
+//# sourceMappingURL=ZintrustKvProxy.d.ts.map

package/src/proxy/kv/ZintrustKvProxy.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"ZintrustKvProxy.d.ts","sourceRoot":"","sources":["../../../../src/proxy/kv/ZintrustKvProxy.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,wCAAwC,EACxC,qCAAqC,EACrC,eAAe,GAChB,MAAM,+BAA+B,CAAC"}

package/src/proxy/kv/ZintrustKvProxy.js

@@ -0,0 +1 @@
+export { _ZINTRUST_CLOUDFLARE_KV_PROXY_BUILD_DATE, _ZINTRUST_CLOUDFLARE_KV_PROXY_VERSION, ZintrustKvProxy, } from '../../../packages/cloudflare-kv-proxy/src/index.js';

package/src/proxy/kv/register.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=register.d.ts.map

package/src/proxy/kv/register.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"register.d.ts","sourceRoot":"","sources":["../../../../src/proxy/kv/register.ts"],"names":[],"mappings":""}

package/src/proxy/kv/register.js

@@ -0,0 +1,5 @@
+import { ProxyRegistry } from '../ProxyRegistry.js';
+ProxyRegistry.register({
+    name: 'kv',
+    description: 'Cloudflare KV Worker proxy endpoint',
+});