@zintrust/core 0.1.40 → 0.1.42

package/src/proxy/ProxyServerUtils.js

@@ -0,0 +1,42 @@
+import { Env } from '../config/env.js';
+import { Logger } from '../config/logger.js';
+import { resolveProxySigningConfig } from './ProxySigningConfigResolver.js';
+import { extractSigningHeaders, verifyProxySignatureIfNeeded } from './ProxySigningRequest.js';
+export const resolveBaseConfig = (overrides, prefix, defaults) => {
+    const host = overrides.host ?? Env.get(`${prefix}_PROXY_HOST`, Env.HOST ?? defaults?.host ?? '127.0.0.1');
+    const port = overrides.port ?? Env.getInt(`${prefix}_PROXY_PORT`, Env.PORT ?? defaults?.port ?? 3000);
+    const maxBodyBytes = overrides.maxBodyBytes ??
+        Env.getInt(`${prefix}_PROXY_MAX_BODY_BYTES`, Env.MAX_BODY_SIZE ?? defaults?.maxBodyBytes ?? 0);
+    return { host, port, maxBodyBytes };
+};
+export const resolveBaseSigningConfig = (overrides, prefix) => resolveProxySigningConfig(overrides, {
+    keyIdEnvVar: `${prefix}_PROXY_KEY_ID`,
+    secretEnvVar: `${prefix}_PROXY_SECRET`,
+    requireEnvVar: `${prefix}_PROXY_REQUIRE_SIGNING`,
+    windowEnvVar: `${prefix}_PROXY_SIGNING_WINDOW_MS`,
+});
+export const verifyRequestSignature = async (req, body, config, serviceName) => {
+    const headers = extractSigningHeaders(req);
+    const hasAnySigningHeader = Object.values(headers).some((value) => typeof value === 'string' && value.trim() !== '');
+    Logger.debug(`[${serviceName}] Verifying request signature`, {
+        path: req.url ?? '',
+        method: req.method ?? 'POST',
+        requireSigning: config.signing.require,
+        hasAnySigningHeader,
+        configuredKeyId: config.signing.keyId,
+        hasConfiguredSecret: config.signing.secret.trim() !== '',
+        bodyBytes: body.length,
+    });
+    const verified = await verifyProxySignatureIfNeeded(req, body, config.signing);
+    if (!verified.ok) {
+        const error = verified.error ?? { status: 401, message: 'Unauthorized' };
+        Logger.warn(`[${serviceName}] Signature verification failed`, {
+            path: req.url ?? '',
+            method: req.method ?? 'POST',
+            status: error.status,
+            message: error.message,
+        });
+        return { ok: false, error };
+    }
+    return { ok: true };
+};

package/src/proxy/ProxySigningConfigResolver.d.ts

@@ -0,0 +1,22 @@
+type SigningOverrideLike = Partial<{
+    requireSigning: boolean;
+    keyId: string;
+    secret: string;
+    signingWindowMs: number;
+}>;
+type ResolveSigningConfigOptions = {
+    keyIdEnvVar: string;
+    secretEnvVar: string;
+    requireEnvVar: string;
+    windowEnvVar: string;
+    defaultRequire?: boolean;
+    defaultWindowMs?: number;
+};
+export declare const resolveProxySigningConfig: (overrides: SigningOverrideLike | undefined, options: ResolveSigningConfigOptions) => {
+    keyId: string;
+    secret: string;
+    requireSigning: boolean;
+    signingWindowMs: number;
+};
+export default resolveProxySigningConfig;
+//# sourceMappingURL=ProxySigningConfigResolver.d.ts.map

package/src/proxy/ProxySigningConfigResolver.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"ProxySigningConfigResolver.d.ts","sourceRoot":"","sources":["../../../src/proxy/ProxySigningConfigResolver.ts"],"names":[],"mappings":"AAGA,KAAK,mBAAmB,GAAG,OAAO,CAAC;IACjC,cAAc,EAAE,OAAO,CAAC;IACxB,KAAK,EAAE,MAAM,CAAC;IACd,MAAM,EAAE,MAAM,CAAC;IACf,eAAe,EAAE,MAAM,CAAC;CACzB,CAAC,CAAC;AAEH,KAAK,2BAA2B,GAAG;IACjC,WAAW,EAAE,MAAM,CAAC;IACpB,YAAY,EAAE,MAAM,CAAC;IACrB,aAAa,EAAE,MAAM,CAAC;IACtB,YAAY,EAAE,MAAM,CAAC;IACrB,cAAc,CAAC,EAAE,OAAO,CAAC;IACzB,eAAe,CAAC,EAAE,MAAM,CAAC;CAC1B,CAAC;AAEF,eAAO,MAAM,yBAAyB,GACpC,WAAW,mBAAmB,GAAG,SAAS,EAC1C,SAAS,2BAA2B,KACnC;IACD,KAAK,EAAE,MAAM,CAAC;IACd,MAAM,EAAE,MAAM,CAAC;IACf,cAAc,EAAE,OAAO,CAAC;IACxB,eAAe,EAAE,MAAM,CAAC;CA4BzB,CAAC;AAEF,eAAe,yBAAyB,CAAC"}

package/src/proxy/ProxySigningConfigResolver.js

@@ -0,0 +1,24 @@
+import { Env } from '../config/env.js';
+import { normalizeSigningCredentials } from './SigningService.js';
+export const resolveProxySigningConfig = (overrides, options) => {
+    const normalizedOverrides = overrides ?? {};
+    const appName = Env.get('APP_NAME', Env.APP_NAME ?? 'ZinTrust');
+    const appKey = Env.get('APP_KEY', Env.APP_KEY ?? '');
+    const envKeyId = Env.get(options.keyIdEnvVar, appName);
+    const envSecret = Env.get(options.secretEnvVar, appKey);
+    const keyIdRaw = normalizedOverrides.keyId ?? (envKeyId.trim() === '' ? appName : envKeyId);
+    const secretRaw = normalizedOverrides.secret ?? (envSecret.trim() === '' ? appKey : envSecret);
+    const secret = secretRaw.trim() === '' ? appKey : secretRaw;
+    const creds = normalizeSigningCredentials({ keyId: keyIdRaw, secret });
+    const requireSigning = normalizedOverrides.requireSigning ??
+        Env.getBool(options.requireEnvVar, options.defaultRequire ?? true);
+    const signingWindowMs = normalizedOverrides.signingWindowMs ??
+        Env.getInt(options.windowEnvVar, options.defaultWindowMs ?? 60000);
+    return {
+        keyId: creds.keyId,
+        secret: creds.secret,
+        requireSigning,
+        signingWindowMs,
+    };
+};
+export default resolveProxySigningConfig;

package/src/proxy/ProxySigningRequest.d.ts

@@ -0,0 +1,12 @@
+import type { IncomingMessage } from '../node-singletons/http';
+import type { ProxySigningConfig } from './ProxyConfig';
+export declare const normalizeHeaderValue: (value: string | string[] | undefined) => string | undefined;
+export declare const extractSigningHeaders: (req: IncomingMessage) => Record<string, string | undefined>;
+export declare const verifyProxySignatureIfNeeded: (req: IncomingMessage, body: string, signing: ProxySigningConfig) => Promise<{
+    ok: boolean;
+    error?: {
+        status: number;
+        message: string;
+    };
+}>;
+//# sourceMappingURL=ProxySigningRequest.d.ts.map

package/src/proxy/ProxySigningRequest.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"ProxySigningRequest.d.ts","sourceRoot":"","sources":["../../../src/proxy/ProxySigningRequest.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,uBAAuB,CAAC;AAC7D,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,oBAAoB,CAAC;AAG7D,eAAO,MAAM,oBAAoB,GAAI,OAAO,MAAM,GAAG,MAAM,EAAE,GAAG,SAAS,KAAG,MAAM,GAAG,SAGpF,CAAC;AAEF,eAAO,MAAM,qBAAqB,GAChC,KAAK,eAAe,KACnB,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,SAAS,CAMlC,CAAC;AAEH,eAAO,MAAM,4BAA4B,GACvC,KAAK,eAAe,EACpB,MAAM,MAAM,EACZ,SAAS,kBAAkB,KAC1B,OAAO,CAAC;IAAE,EAAE,EAAE,OAAO,CAAC;IAAC,KAAK,CAAC,EAAE;QAAE,MAAM,EAAE,MAAM,CAAC;QAAC,OAAO,EAAE,MAAM,CAAA;KAAE,CAAA;CAAE,CAqBtE,CAAC"}

package/src/proxy/ProxySigningRequest.js

@@ -0,0 +1,31 @@
+import { SigningService } from './SigningService.js';
+export const normalizeHeaderValue = (value) => {
+    if (Array.isArray(value))
+        return value.join(',');
+    return value;
+};
+export const extractSigningHeaders = (req) => ({
+    'x-zt-key-id': normalizeHeaderValue(req.headers['x-zt-key-id']),
+    'x-zt-timestamp': normalizeHeaderValue(req.headers['x-zt-timestamp']),
+    'x-zt-nonce': normalizeHeaderValue(req.headers['x-zt-nonce']),
+    'x-zt-body-sha256': normalizeHeaderValue(req.headers['x-zt-body-sha256']),
+    'x-zt-signature': normalizeHeaderValue(req.headers['x-zt-signature']),
+});
+export const verifyProxySignatureIfNeeded = async (req, body, signing) => {
+    const headers = extractSigningHeaders(req);
+    if (!SigningService.shouldVerify(signing, headers)) {
+        return { ok: true };
+    }
+    const url = new URL(req.url ?? '/', `http://${req.headers.host ?? 'localhost'}`);
+    const verified = await SigningService.verify({
+        method: req.method ?? 'POST',
+        url,
+        body,
+        headers,
+        signing,
+    });
+    if (!verified.ok) {
+        return { ok: false, error: { status: verified.status, message: verified.message } };
+    }
+    return { ok: true };
+};

package/src/proxy/RequestValidator.d.ts

@@ -0,0 +1,15 @@
+export type ValidationError = Readonly<{
+    code: string;
+    message: string;
+}>;
+export declare const RequestValidator: Readonly<{
+    parseJson: (body: string) => {
+        ok: true;
+        value: Record<string, unknown>;
+    } | {
+        ok: false;
+        error: ValidationError;
+    };
+    requirePost: (method: string | undefined) => ValidationError | null;
+}>;
+//# sourceMappingURL=RequestValidator.d.ts.map

package/src/proxy/RequestValidator.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"RequestValidator.d.ts","sourceRoot":"","sources":["../../../src/proxy/RequestValidator.ts"],"names":[],"mappings":"AAEA,MAAM,MAAM,eAAe,GAAG,QAAQ,CAAC;IAAE,IAAI,EAAE,MAAM,CAAC;IAAC,OAAO,EAAE,MAAM,CAAA;CAAE,CAAC,CAAC;AA2B1E,eAAO,MAAM,gBAAgB;sBAtBrB,MAAM,KACX;QAAE,EAAE,EAAE,IAAI,CAAC;QAAC,KAAK,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAA;KAAE,GAAG;QAAE,EAAE,EAAE,KAAK,CAAC;QAAC,KAAK,EAAE,eAAe,CAAA;KAAE;0BAgB1D,MAAM,GAAG,SAAS,KAAG,eAAe,GAAG,IAAI;EAQtE,CAAC"}

package/src/proxy/RequestValidator.js

@@ -0,0 +1,26 @@
+import { isObject } from '../helper/index.js';
+const isRecord = (value) => isObject(value);
+const parseJson = (body) => {
+    if (body.trim() === '') {
+        return { ok: false, error: { code: 'VALIDATION_ERROR', message: 'Body is required' } };
+    }
+    try {
+        const parsed = JSON.parse(body);
+        if (!isRecord(parsed)) {
+            return { ok: false, error: { code: 'VALIDATION_ERROR', message: 'Body must be an object' } };
+        }
+        return { ok: true, value: parsed };
+    }
+    catch (error) {
+        return { ok: false, error: { code: 'INVALID_JSON', message: String(error) } };
+    }
+};
+const requirePost = (method) => {
+    if (method === 'POST')
+        return null;
+    return { code: 'METHOD_NOT_ALLOWED', message: 'POST only' };
+};
+export const RequestValidator = Object.freeze({
+    parseJson,
+    requirePost,
+});

package/src/proxy/SigningService.d.ts

@@ -0,0 +1,39 @@
+import type { ProxySigningConfig } from './ProxyConfig';
+export type SigningHeaders = Headers | Record<string, string | undefined>;
+export type SigningVerificationResult = {
+    ok: true;
+} | {
+    ok: false;
+    status: number;
+    code: string;
+    message: string;
+};
+export type SigningCredentials = Readonly<{
+    keyId: string;
+    secret: string;
+}>;
+type SigningServiceApi = Readonly<{
+    normalizeConfig: (signing: ProxySigningConfig) => ProxySigningConfig;
+    shouldVerify: (signing: ProxySigningConfig, headers: SigningHeaders) => boolean;
+    verify: (params: {
+        method: string;
+        url: string | URL;
+        body: string | Uint8Array;
+        headers: SigningHeaders;
+        signing: ProxySigningConfig;
+    }) => Promise<SigningVerificationResult>;
+    verifyWithKeyProvider: (params: {
+        method: string;
+        url: string | URL;
+        body: string | Uint8Array;
+        headers: SigningHeaders;
+        windowMs: number;
+        getSecretForKeyId: (keyId: string) => string | undefined | Promise<string | undefined>;
+        verifyNonce?: (keyId: string, nonce: string, ttlMs: number) => Promise<boolean>;
+    }) => Promise<SigningVerificationResult>;
+}>;
+export declare const normalizeSigningConfig: (signing: ProxySigningConfig) => ProxySigningConfig;
+export declare const normalizeSigningCredentials: (input: SigningCredentials) => SigningCredentials;
+export declare const SigningService: SigningServiceApi;
+export {};
+//# sourceMappingURL=SigningService.d.ts.map

package/src/proxy/SigningService.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"SigningService.d.ts","sourceRoot":"","sources":["../../../src/proxy/SigningService.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,oBAAoB,CAAC;AAI7D,MAAM,MAAM,cAAc,GAAG,OAAO,GAAG,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,SAAS,CAAC,CAAC;AAE1E,MAAM,MAAM,yBAAyB,GACjC;IAAE,EAAE,EAAE,IAAI,CAAA;CAAE,GACZ;IAAE,EAAE,EAAE,KAAK,CAAC;IAAC,MAAM,EAAE,MAAM,CAAC;IAAC,IAAI,EAAE,MAAM,CAAC;IAAC,OAAO,EAAE,MAAM,CAAA;CAAE,CAAC;AAEjE,MAAM,MAAM,kBAAkB,GAAG,QAAQ,CAAC;IACxC,KAAK,EAAE,MAAM,CAAC;IACd,MAAM,EAAE,MAAM,CAAC;CAChB,CAAC,CAAC;AAEH,KAAK,iBAAiB,GAAG,QAAQ,CAAC;IAChC,eAAe,EAAE,CAAC,OAAO,EAAE,kBAAkB,KAAK,kBAAkB,CAAC;IACrE,YAAY,EAAE,CAAC,OAAO,EAAE,kBAAkB,EAAE,OAAO,EAAE,cAAc,KAAK,OAAO,CAAC;IAChF,MAAM,EAAE,CAAC,MAAM,EAAE;QACf,MAAM,EAAE,MAAM,CAAC;QACf,GAAG,EAAE,MAAM,GAAG,GAAG,CAAC;QAClB,IAAI,EAAE,MAAM,GAAG,UAAU,CAAC;QAC1B,OAAO,EAAE,cAAc,CAAC;QACxB,OAAO,EAAE,kBAAkB,CAAC;KAC7B,KAAK,OAAO,CAAC,yBAAyB,CAAC,CAAC;IACzC,qBAAqB,EAAE,CAAC,MAAM,EAAE;QAC9B,MAAM,EAAE,MAAM,CAAC;QACf,GAAG,EAAE,MAAM,GAAG,GAAG,CAAC;QAClB,IAAI,EAAE,MAAM,GAAG,UAAU,CAAC;QAC1B,OAAO,EAAE,cAAc,CAAC;QACxB,QAAQ,EAAE,MAAM,CAAC;QACjB,iBAAiB,EAAE,CAAC,KAAK,EAAE,MAAM,KAAK,MAAM,GAAG,SAAS,GAAG,OAAO,CAAC,MAAM,GAAG,SAAS,CAAC,CAAC;QACvF,WAAW,CAAC,EAAE,CAAC,KAAK,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,KAAK,OAAO,CAAC,OAAO,CAAC,CAAC;KACjF,KAAK,OAAO,CAAC,yBAAyB,CAAC,CAAC;CAC1C,CAAC,CAAC;AAyCH,eAAO,MAAM,sBAAsB,EAAE,CAAC,OAAO,EAAE,kBAAkB,KAAK,kBAErB,CAAC;AAElD,eAAO,MAAM,2BAA2B,EAAE,CAAC,KAAK,EAAE,kBAAkB,KAAK,kBAKvE,CAAC;AA0FH,eAAO,MAAM,cAAc,EAAE,iBAK3B,CAAC"}

package/src/proxy/SigningService.js

@@ -0,0 +1,107 @@
+import { Env } from '../config/env.js';
+import { SignedRequest } from '../security/SignedRequest.js';
+const getHeader = (headers, name) => {
+    if (typeof headers.get === 'function') {
+        const value = headers.get(name);
+        return value ?? undefined;
+    }
+    return headers[name];
+};
+const hasSigningHeaders = (headers) => Boolean((getHeader(headers, 'x-zt-key-id') ?? '') ||
+    (getHeader(headers, 'x-zt-timestamp') ?? '') ||
+    (getHeader(headers, 'x-zt-nonce') ?? '') ||
+    (getHeader(headers, 'x-zt-body-sha256') ?? '') ||
+    getHeader(headers, 'x-zt-signature'));
+const normalizeKeyId = (keyId) => {
+    const trimmed = keyId.trim();
+    if (trimmed !== '')
+        return trimmed.toLowerCase();
+    const appNameRaw = Env.get('APP_NAME', 'zintrust');
+    const normalized = (appNameRaw.trim() === '' ? 'zintrust' : appNameRaw)
+        .toLowerCase()
+        .replaceAll(/\s+/g, '_');
+    return normalized;
+};
+const normalizeSecret = (secret) => {
+    const trimmed = secret.trim();
+    if (trimmed !== '')
+        return trimmed;
+    return Env.get('APP_KEY', '');
+};
+const normalizeConfig = (signing) => ({
+    ...signing,
+    keyId: normalizeKeyId(signing.keyId),
+    secret: normalizeSecret(signing.secret),
+});
+export const normalizeSigningConfig = (signing) => normalizeConfig(signing);
+export const normalizeSigningCredentials = (input) => ({
+    keyId: normalizeKeyId(input.keyId),
+    secret: normalizeSecret(input.secret),
+});
+const shouldVerify = (signing, headers) => {
+    const normalized = normalizeConfig(signing);
+    if (normalized.require)
+        return true;
+    if (normalized.keyId.trim() !== '' &&
+        normalized.secret.trim() !== '' &&
+        hasSigningHeaders(headers)) {
+        return true;
+    }
+    return false;
+};
+const mapVerifyResult = (result) => {
+    if (result.ok)
+        return { ok: true };
+    if (result.code === 'MISSING_HEADER' || result.code === 'INVALID_TIMESTAMP') {
+        return { ok: false, status: 401, code: result.code, message: result.message };
+    }
+    if (result.code === 'EXPIRED') {
+        return { ok: false, status: 401, code: result.code, message: result.message };
+    }
+    if (result.code === 'UNKNOWN_KEY') {
+        return { ok: false, status: 403, code: result.code, message: result.message };
+    }
+    if (result.code === 'REPLAYED') {
+        return { ok: false, status: 409, code: result.code, message: result.message };
+    }
+    return { ok: false, status: 403, code: result.code, message: result.message };
+};
+const verify = async (params) => {
+    const signing = normalizeConfig(params.signing);
+    if (signing.require && (signing.keyId.trim() === '' || signing.secret.trim() === '')) {
+        return {
+            ok: false,
+            status: 500,
+            code: 'SIGNING_REQUIRED',
+            message: 'Proxy signing is required but not configured',
+        };
+    }
+    const result = await SignedRequest.verify({
+        method: params.method,
+        url: params.url,
+        body: params.body,
+        headers: params.headers,
+        // eslint-disable-next-line @typescript-eslint/require-await
+        getSecretForKeyId: async (keyId) => keyId.trim().toLowerCase() === signing.keyId ? signing.secret : undefined,
+        windowMs: signing.windowMs,
+    });
+    return mapVerifyResult(result);
+};
+const verifyWithKeyProvider = async (params) => {
+    const result = await SignedRequest.verify({
+        method: params.method,
+        url: params.url,
+        body: params.body,
+        headers: params.headers,
+        windowMs: params.windowMs,
+        getSecretForKeyId: params.getSecretForKeyId,
+        verifyNonce: params.verifyNonce,
+    });
+    return mapVerifyResult(result);
+};
+export const SigningService = Object.freeze({
+    normalizeConfig,
+    shouldVerify,
+    verify,
+    verifyWithKeyProvider,
+});

package/src/proxy/SqlPayloadValidator.d.ts

@@ -0,0 +1,13 @@
+export type SqlPayloadValidation = {
+    valid: true;
+    sql: string;
+    params: unknown[];
+} | {
+    valid: false;
+    error: {
+        code: string;
+        message: string;
+    };
+};
+export declare const validateSqlPayload: (payload: Record<string, unknown>) => SqlPayloadValidation;
+//# sourceMappingURL=SqlPayloadValidator.d.ts.map

package/src/proxy/SqlPayloadValidator.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"SqlPayloadValidator.d.ts","sourceRoot":"","sources":["../../../src/proxy/SqlPayloadValidator.ts"],"names":[],"mappings":"AAAA,MAAM,MAAM,oBAAoB,GAC5B;IACE,KAAK,EAAE,IAAI,CAAC;IACZ,GAAG,EAAE,MAAM,CAAC;IACZ,MAAM,EAAE,OAAO,EAAE,CAAC;CACnB,GACD;IACE,KAAK,EAAE,KAAK,CAAC;IACb,KAAK,EAAE;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,OAAO,EAAE,MAAM,CAAA;KAAE,CAAC;CAC1C,CAAC;AAEN,eAAO,MAAM,kBAAkB,GAAI,SAAS,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,KAAG,oBAerE,CAAC"}

package/src/proxy/SqlPayloadValidator.js

@@ -0,0 +1,14 @@
+export const validateSqlPayload = (payload) => {
+    const sql = payload['sql'];
+    const params = Array.isArray(payload['params']) ? payload['params'] : [];
+    if (typeof sql !== 'string') {
+        return {
+            valid: false,
+            error: {
+                code: 'VALIDATION_ERROR',
+                message: 'sql must be a string',
+            },
+        };
+    }
+    return { valid: true, sql, params };
+};

package/src/proxy/SqlProxyDbOverrides.d.ts

@@ -0,0 +1,17 @@
+export type SqlProxyDatabaseOverrides = Partial<{
+    dbHost: string;
+    dbPort: number;
+    dbName: string;
+    dbUser: string;
+    dbPass: string;
+    connectionLimit: number;
+}>;
+export type SqlProxyDatabaseConfig = Readonly<{
+    dbHost: string;
+    dbPort: number;
+    dbName: string;
+    dbUser: string;
+    dbPass: string;
+    connectionLimit: number;
+}>;
+//# sourceMappingURL=SqlProxyDbOverrides.d.ts.map

package/src/proxy/SqlProxyDbOverrides.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"SqlProxyDbOverrides.d.ts","sourceRoot":"","sources":["../../../src/proxy/SqlProxyDbOverrides.ts"],"names":[],"mappings":"AAAA,MAAM,MAAM,yBAAyB,GAAG,OAAO,CAAC;IAC9C,MAAM,EAAE,MAAM,CAAC;IACf,MAAM,EAAE,MAAM,CAAC;IACf,MAAM,EAAE,MAAM,CAAC;IACf,MAAM,EAAE,MAAM,CAAC;IACf,MAAM,EAAE,MAAM,CAAC;IACf,eAAe,EAAE,MAAM,CAAC;CACzB,CAAC,CAAC;AAEH,MAAM,MAAM,sBAAsB,GAAG,QAAQ,CAAC;IAC5C,MAAM,EAAE,MAAM,CAAC;IACf,MAAM,EAAE,MAAM,CAAC;IACf,MAAM,EAAE,MAAM,CAAC;IACf,MAAM,EAAE,MAAM,CAAC;IACf,MAAM,EAAE,MAAM,CAAC;IACf,eAAe,EAAE,MAAM,CAAC;CACzB,CAAC,CAAC"}

package/src/proxy/SqlProxyDbOverrides.js

@@ -0,0 +1 @@
+export {};

package/src/proxy/SqlProxyServerDeps.d.ts

@@ -0,0 +1,12 @@
+export { Env } from '../config/env';
+export { Logger } from '../config/logger';
+export { ErrorHandler } from './ErrorHandler';
+export type { ProxyBackend, ProxyResponse } from './ProxyBackend';
+export type { ProxySigningConfig } from './ProxyConfig';
+export { parseJsonBody, validateProxyRequest } from './ProxyRequestParsing';
+export { createProxyServer } from './ProxyServer';
+export { resolveBaseConfig, resolveBaseSigningConfig, verifyRequestSignature, type BaseProxyOverrides, } from './ProxyServerUtils';
+export { validateSqlPayload } from './SqlPayloadValidator';
+export { loadStatementRegistry } from './StatementRegistryLoader';
+export { resolveStatementOrError } from './StatementRegistryResolver';
+//# sourceMappingURL=SqlProxyServerDeps.d.ts.map

package/src/proxy/SqlProxyServerDeps.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"SqlProxyServerDeps.d.ts","sourceRoot":"","sources":["../../../src/proxy/SqlProxyServerDeps.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,GAAG,EAAE,MAAM,aAAa,CAAC;AAClC,OAAO,EAAE,MAAM,EAAE,MAAM,gBAAgB,CAAC;AACxC,OAAO,EAAE,YAAY,EAAE,MAAM,qBAAqB,CAAC;AACnD,YAAY,EAAE,YAAY,EAAE,aAAa,EAAE,MAAM,qBAAqB,CAAC;AACvE,YAAY,EAAE,kBAAkB,EAAE,MAAM,oBAAoB,CAAC;AAC7D,OAAO,EAAE,aAAa,EAAE,oBAAoB,EAAE,MAAM,4BAA4B,CAAC;AACjF,OAAO,EAAE,iBAAiB,EAAE,MAAM,oBAAoB,CAAC;AACvD,OAAO,EACL,iBAAiB,EACjB,wBAAwB,EACxB,sBAAsB,EACtB,KAAK,kBAAkB,GACxB,MAAM,yBAAyB,CAAC;AACjC,OAAO,EAAE,kBAAkB,EAAE,MAAM,4BAA4B,CAAC;AAChE,OAAO,EAAE,qBAAqB,EAAE,MAAM,gCAAgC,CAAC;AACvE,OAAO,EAAE,uBAAuB,EAAE,MAAM,kCAAkC,CAAC"}

package/src/proxy/SqlProxyServerDeps.js

@@ -0,0 +1,9 @@
+export { Env } from '../config/env.js';
+export { Logger } from '../config/logger.js';
+export { ErrorHandler } from './ErrorHandler.js';
+export { parseJsonBody, validateProxyRequest } from './ProxyRequestParsing.js';
+export { createProxyServer } from './ProxyServer.js';
+export { resolveBaseConfig, resolveBaseSigningConfig, verifyRequestSignature, } from './ProxyServerUtils.js';
+export { validateSqlPayload } from './SqlPayloadValidator.js';
+export { loadStatementRegistry } from './StatementRegistryLoader.js';
+export { resolveStatementOrError } from './StatementRegistryResolver.js';

package/src/proxy/StatementPayloadValidator.d.ts

@@ -0,0 +1,13 @@
+export type StatementPayloadValidation = {
+    valid: true;
+    statementId: string;
+    params: unknown[];
+} | {
+    valid: false;
+    error: {
+        code: string;
+        message: string;
+    };
+};
+export declare const validateStatementPayload: (payload: Record<string, unknown>) => StatementPayloadValidation;
+//# sourceMappingURL=StatementPayloadValidator.d.ts.map

package/src/proxy/StatementPayloadValidator.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"StatementPayloadValidator.d.ts","sourceRoot":"","sources":["../../../src/proxy/StatementPayloadValidator.ts"],"names":[],"mappings":"AAAA,MAAM,MAAM,0BAA0B,GAClC;IACE,KAAK,EAAE,IAAI,CAAC;IACZ,WAAW,EAAE,MAAM,CAAC;IACpB,MAAM,EAAE,OAAO,EAAE,CAAC;CACnB,GACD;IACE,KAAK,EAAE,KAAK,CAAC;IACb,KAAK,EAAE;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,OAAO,EAAE,MAAM,CAAA;KAAE,CAAC;CAC1C,CAAC;AAEN,eAAO,MAAM,wBAAwB,GACnC,SAAS,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,KAC/B,0BAoBF,CAAC"}

package/src/proxy/StatementPayloadValidator.js

@@ -0,0 +1,18 @@
+export const validateStatementPayload = (payload) => {
+    const statementId = payload['statementId'];
+    const params = Array.isArray(payload['params']) ? payload['params'] : [];
+    if (typeof statementId !== 'string') {
+        return {
+            valid: false,
+            error: { code: 'VALIDATION_ERROR', message: 'statementId must be a string' },
+        };
+    }
+    const trimmed = statementId.trim();
+    if (trimmed === '') {
+        return {
+            valid: false,
+            error: { code: 'VALIDATION_ERROR', message: 'statementId is required' },
+        };
+    }
+    return { valid: true, statementId: trimmed, params };
+};

package/src/proxy/StatementRegistryLoader.d.ts

@@ -0,0 +1,2 @@
+export declare const loadStatementRegistry: (prefix: "MYSQL" | "POSTGRES" | "SQLSERVER") => Record<string, string> | undefined;
+//# sourceMappingURL=StatementRegistryLoader.d.ts.map

package/src/proxy/StatementRegistryLoader.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"StatementRegistryLoader.d.ts","sourceRoot":"","sources":["../../../src/proxy/StatementRegistryLoader.ts"],"names":[],"mappings":"AAgBA,eAAO,MAAM,qBAAqB,GAChC,QAAQ,OAAO,GAAG,UAAU,GAAG,WAAW,KACzC,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,GAAG,SAqB3B,CAAC"}

package/src/proxy/StatementRegistryLoader.js

@@ -0,0 +1,36 @@
+import { Env } from '../config/env.js';
+import { isObject } from '../helper/index.js';
+import fs from '../node-singletons/fs.js';
+const isRecord = (value) => isObject(value);
+const parseStatements = (input) => {
+    if (!isRecord(input))
+        return undefined;
+    const out = {};
+    for (const [key, value] of Object.entries(input)) {
+        if (typeof value === 'string')
+            out[key] = value;
+    }
+    return Object.keys(out).length > 0 ? out : undefined;
+};
+export const loadStatementRegistry = (prefix) => {
+    const file = Env.get(`ZT_${prefix}_STATEMENTS_FILE`, '').trim();
+    if (file !== '') {
+        try {
+            const text = fs.readFileSync(file, 'utf8');
+            return parseStatements(JSON.parse(text));
+        }
+        catch {
+            return undefined;
+        }
+    }
+    const json = Env.get(`ZT_${prefix}_STATEMENTS_JSON`, '').trim();
+    if (json !== '') {
+        try {
+            return parseStatements(JSON.parse(json));
+        }
+        catch {
+            return undefined;
+        }
+    }
+    return undefined;
+};

package/src/proxy/StatementRegistryResolver.d.ts

@@ -0,0 +1,15 @@
+import type { ProxyResponse } from './ProxyBackend';
+export type ResolvedStatement = Readonly<{
+    statementId: string;
+    sql: string;
+    params: unknown[];
+    mutating: boolean;
+}>;
+export declare const resolveStatementOrError: (statements: Record<string, string> | undefined, payload: Record<string, unknown>) => {
+    ok: true;
+    value: ResolvedStatement;
+} | {
+    ok: false;
+    response: ProxyResponse;
+};
+//# sourceMappingURL=StatementRegistryResolver.d.ts.map

package/src/proxy/StatementRegistryResolver.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"StatementRegistryResolver.d.ts","sourceRoot":"","sources":["../../../src/proxy/StatementRegistryResolver.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,qBAAqB,CAAC;AAIzD,MAAM,MAAM,iBAAiB,GAAG,QAAQ,CAAC;IACvC,WAAW,EAAE,MAAM,CAAC;IACpB,GAAG,EAAE,MAAM,CAAC;IACZ,MAAM,EAAE,OAAO,EAAE,CAAC;IAClB,QAAQ,EAAE,OAAO,CAAC;CACnB,CAAC,CAAC;AAEH,eAAO,MAAM,uBAAuB,GAClC,YAAY,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,GAAG,SAAS,EAC9C,SAAS,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,KAC/B;IAAE,EAAE,EAAE,IAAI,CAAC;IAAC,KAAK,EAAE,iBAAiB,CAAA;CAAE,GAAG;IAAE,EAAE,EAAE,KAAK,CAAC;IAAC,QAAQ,EAAE,aAAa,CAAA;CAqC/E,CAAC"}

package/src/proxy/StatementRegistryResolver.js

@@ -0,0 +1,34 @@
+import { ErrorHandler } from './ErrorHandler.js';
+import { validateStatementPayload } from './StatementPayloadValidator.js';
+import { isMutatingSql } from './isMutatingSql.js';
+export const resolveStatementOrError = (statements, payload) => {
+    if (!statements) {
+        return {
+            ok: false,
+            response: ErrorHandler.toProxyError(400, 'CONFIG_ERROR', 'Missing statement registry'),
+        };
+    }
+    const stmtValidation = validateStatementPayload(payload);
+    if (!stmtValidation.valid) {
+        return {
+            ok: false,
+            response: ErrorHandler.toProxyError(400, stmtValidation.error.code, stmtValidation.error.message),
+        };
+    }
+    const sql = statements[stmtValidation.statementId];
+    if (typeof sql !== 'string' || sql.trim() === '') {
+        return {
+            ok: false,
+            response: ErrorHandler.toProxyError(404, 'NOT_FOUND', 'Unknown statementId'),
+        };
+    }
+    return {
+        ok: true,
+        value: {
+            statementId: stmtValidation.statementId,
+            sql,
+            params: stmtValidation.params,
+            mutating: isMutatingSql(sql),
+        },
+    };
+};

package/src/proxy/d1/ZintrustD1Proxy.d.ts

@@ -0,0 +1,3 @@
+export { ZintrustD1Proxy } from '../../../packages/cloudflare-d1-proxy/src/index.js';
+export { default } from '../../../packages/cloudflare-d1-proxy/src/index.js';
+//# sourceMappingURL=ZintrustD1Proxy.d.ts.map

package/src/proxy/d1/ZintrustD1Proxy.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"ZintrustD1Proxy.d.ts","sourceRoot":"","sources":["../../../../src/proxy/d1/ZintrustD1Proxy.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,eAAe,EAAE,MAAM,+BAA+B,CAAC;AAEhE,OAAO,EAAE,OAAO,EAAE,MAAM,+BAA+B,CAAC"}

package/src/proxy/d1/ZintrustD1Proxy.js

@@ -0,0 +1,2 @@
+export { ZintrustD1Proxy } from '../../../packages/cloudflare-d1-proxy/src/index.js';
+export { default } from '../../../packages/cloudflare-d1-proxy/src/index.js';

package/src/proxy/d1/register.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=register.d.ts.map

package/src/proxy/d1/register.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"register.d.ts","sourceRoot":"","sources":["../../../../src/proxy/d1/register.ts"],"names":[],"mappings":""}

package/src/proxy/d1/register.js

@@ -0,0 +1,5 @@
+import { ProxyRegistry } from '../ProxyRegistry.js';
+ProxyRegistry.register({
+    name: 'd1',
+    description: 'Cloudflare D1 Worker proxy endpoint',
+});

package/src/proxy/isMutatingSql.d.ts

@@ -0,0 +1,2 @@
+export declare const isMutatingSql: (sql: string) => boolean;
+//# sourceMappingURL=isMutatingSql.d.ts.map

package/src/proxy/isMutatingSql.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"isMutatingSql.d.ts","sourceRoot":"","sources":["../../../src/proxy/isMutatingSql.ts"],"names":[],"mappings":"AAAA,eAAO,MAAM,aAAa,GAAI,KAAK,MAAM,KAAG,OAa3C,CAAC"}

package/src/proxy/isMutatingSql.js

@@ -0,0 +1,12 @@
+export const isMutatingSql = (sql) => {
+    const s = sql.trimStart().toLowerCase();
+    return (s.startsWith('insert') ||
+        s.startsWith('update') ||
+        s.startsWith('delete') ||
+        s.startsWith('merge') ||
+        s.startsWith('create') ||
+        s.startsWith('drop') ||
+        s.startsWith('alter') ||
+        s.startsWith('replace') ||
+        s.startsWith('truncate'));
+};

package/src/proxy/kv/ZintrustKvProxy.d.ts

@@ -0,0 +1,3 @@
+export { ZintrustKvProxy } from '../../../packages/cloudflare-kv-proxy/src/index.js';
+export { default } from '../../../packages/cloudflare-kv-proxy/src/index.js';
+//# sourceMappingURL=ZintrustKvProxy.d.ts.map

package/src/proxy/kv/ZintrustKvProxy.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"ZintrustKvProxy.d.ts","sourceRoot":"","sources":["../../../../src/proxy/kv/ZintrustKvProxy.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,eAAe,EAAE,MAAM,+BAA+B,CAAC;AAEhE,OAAO,EAAE,OAAO,EAAE,MAAM,+BAA+B,CAAC"}

package/src/proxy/kv/ZintrustKvProxy.js

@@ -0,0 +1,2 @@
+export { ZintrustKvProxy } from '../../../packages/cloudflare-kv-proxy/src/index.js';
+export { default } from '../../../packages/cloudflare-kv-proxy/src/index.js';

package/src/proxy/kv/register.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=register.d.ts.map