@zintrust/core 0.1.46 → 0.1.49

package/src/orm/adapters/SqlServerProxyAdapter.js

@@ -2,46 +2,40 @@
 /**
  * SQL Server Proxy Adapter (HTTP)
  */
-import { Env } from '../../config/env.js';
 import { ErrorFactory } from '../../exceptions/ZintrustError.js';
 import { AdaptersEnum } from '../../migrations/enum/index.js';
 import { QueryBuilder } from '../QueryBuilder.js';
-import { ensureSignedSettings, isRecord, requestSignedProxy, } from '../adapters/SqlProxyAdapterUtils.js';
-import { createStatementPayload, getExecMetaWithLastRowId, resolveSqlProxyMode, } from '../adapters/SqlProxyRegistryMode.js';
+import { ensureSignedSettings, isRecord, } from '../adapters/SqlProxyAdapterUtils.js';
+import { SqlProxyHttpAdapterShared } from '../adapters/SqlProxyHttpAdapterShared.js';
+import { createStatementPayload, getExecMetaWithLastRowId, } from '../adapters/SqlProxyRegistryMode.js';
 const resolveProxyMode = () => {
-    return resolveSqlProxyMode('SQLSERVER_PROXY_MODE');
-};
-const resolveBaseUrl = () => {
-    const explicit = Env.get('SQLSERVER_PROXY_URL', '').trim();
-    if (explicit !== '')
-        return explicit;
-    const host = Env.get('SQLSERVER_PROXY_HOST', '127.0.0.1');
-    const port = Env.getInt('SQLSERVER_PROXY_PORT', 8793);
-    return `http://${host}:${port}`;
+    return SqlProxyHttpAdapterShared.resolveProxyModeFromEnv('SQLSERVER_PROXY_MODE');
 };
 const buildProxySettings = () => {
-    const baseUrl = resolveBaseUrl();
-    const keyId = Env.get('SQLSERVER_PROXY_KEY_ID', '');
-    const secret = Env.get('SQLSERVER_PROXY_SECRET', '');
-    const timeoutMs = Env.getInt('SQLSERVER_PROXY_TIMEOUT_MS', Env.ZT_PROXY_TIMEOUT_MS ?? 30000);
-    return { baseUrl, keyId, secret, timeoutMs };
+    return SqlProxyHttpAdapterShared.buildProxySettingsFromEnv({
+        urlKey: 'SQLSERVER_PROXY_URL',
+        hostKey: 'SQLSERVER_PROXY_HOST',
+        portKey: 'SQLSERVER_PROXY_PORT',
+        defaultHost: '127.0.0.1',
+        defaultPort: 8793,
+        keyIdKey: 'SQLSERVER_PROXY_KEY_ID',
+        secretKey: 'SQLSERVER_PROXY_SECRET',
+        timeoutKey: 'SQLSERVER_PROXY_TIMEOUT_MS',
+        sharedTimeoutKey: 'ZT_PROXY_TIMEOUT_MS',
+    });
+};
+const buildSignedProxyConfig = (settings) => {
+    return SqlProxyHttpAdapterShared.buildStandardSignedProxyConfig({
+        settings,
+        label: 'SQL Server',
+        urlKey: 'SQLSERVER_PROXY_URL',
+        keyIdKey: 'SQLSERVER_PROXY_KEY_ID',
+        secretKey: 'SQLSERVER_PROXY_SECRET',
+    });
 };
-const buildSignedProxyConfig = (settings) => ({
-    settings,
-    missingUrlMessage: 'SQL Server proxy URL is missing (SQLSERVER_PROXY_URL)',
-    missingCredentialsMessage: 'SQL Server proxy signing credentials are missing (SQLSERVER_PROXY_KEY_ID / SQLSERVER_PROXY_SECRET)',
-    messages: {
-        unauthorized: 'SQL Server proxy unauthorized',
-        forbidden: 'SQL Server proxy forbidden',
-        rateLimited: 'SQL Server proxy rate limited',
-        rejected: 'SQL Server proxy rejected request',
-        error: 'SQL Server proxy error',
-        timedOut: 'SQL Server proxy request timed out',
-    },
-});
 const isQueryResponse = (value) => isRecord(value) && Array.isArray(value['rows']) && typeof value['rowCount'] === 'number';
 const isQueryOneResponse = (value) => isRecord(value) && 'row' in value;
-const requestProxy = async (settings, path, payload) => requestSignedProxy(buildSignedProxyConfig(settings), path, payload);
+const requestProxy = async (signed, path, payload) => SqlProxyHttpAdapterShared.requestProxy(signed, path, payload);
 const requireConnected = (state) => {
     if (!state.connected)
         throw ErrorFactory.createConnectionError('Database not connected');
@@ -61,8 +55,8 @@ const createQuery = (state) => async (sql, parameters) => {
     requireConnected(state);
     const mode = resolveProxyMode();
     const out = mode === 'registry'
-        ? await requestProxy(state.settings, '/zin/sqlserver/statement', await createStatementPayload(sql, parameters))
-        : await requestProxy(state.settings, '/zin/sqlserver/query', {
+        ? await requestProxy(state.signed, '/zin/sqlserver/statement', await createStatementPayload(sql, parameters))
+        : await requestProxy(state.signed, '/zin/sqlserver/query', {
             sql,
             params: parameters,
         });
@@ -72,13 +66,13 @@ const createQueryOne = (state) => async (sql, parameters) => {
     requireConnected(state);
     const mode = resolveProxyMode();
     if (mode !== 'registry') {
-        const out = await requestProxy(state.settings, '/zin/sqlserver/queryOne', {
+        const out = await requestProxy(state.signed, '/zin/sqlserver/queryOne', {
             sql,
             params: parameters,
         });
         return out.row ?? null;
     }
-    const out = await requestProxy(state.settings, '/zin/sqlserver/statement', await createStatementPayload(sql, parameters));
+    const out = await requestProxy(state.signed, '/zin/sqlserver/statement', await createStatementPayload(sql, parameters));
     if (isQueryOneResponse(out))
         return out.row ?? null;
     if (isQueryResponse(out))
@@ -123,7 +117,7 @@ const createAdapter = (state) => {
     const queryOne = createQueryOne(state);
     const adapter = {
         async connect() {
-            ensureSignedSettings(buildSignedProxyConfig(state.settings));
+            ensureSignedSettings(state.signed);
             state.connected = true;
         },
         async disconnect() {
@@ -135,6 +129,28 @@ const createAdapter = (state) => {
         ping: createPing(query),
         transaction: createTransaction(state, () => adapter),
         rawQuery: createRawQuery(query),
+        async ensureMigrationsTable() {
+            requireConnected(state);
+            try {
+                await query(`IF OBJECT_ID(N'migrations', N'U') IS NULL
+BEGIN
+  CREATE TABLE migrations (
+    id INT IDENTITY(1,1) PRIMARY KEY,
+    name NVARCHAR(255) NOT NULL,
+    scope NVARCHAR(255) NOT NULL DEFAULT 'global',
+    service NVARCHAR(255) NOT NULL DEFAULT '',
+    batch INT NOT NULL,
+    status NVARCHAR(255) NOT NULL,
+    applied_at DATETIME2 NULL,
+    created_at DATETIME2 NOT NULL DEFAULT SYSUTCDATETIME(),
+    CONSTRAINT UQ_migrations_name_scope_service UNIQUE (name, scope, service)
+  );
+END`, []);
+            }
+            catch (error) {
+                throw SqlProxyHttpAdapterShared.createProxyNotReachableCliError('SQL Server proxy', state.settings.baseUrl, error);
+            }
+        },
         getType() {
             return AdaptersEnum.sqlserver;
         },
@@ -149,6 +165,7 @@ const createAdapter = (state) => {
 };
 export function createSqlServerProxyAdapter() {
     const settings = buildProxySettings();
-    const state = { connected: false, inTransaction: false, settings };
+    const signed = buildSignedProxyConfig(settings);
+    const state = { connected: false, inTransaction: false, settings, signed };
     return createAdapter(state);
 }

package/src/orm/migrations/MigrationStore.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"MigrationStore.d.ts","sourceRoot":"","sources":["../../../../src/orm/migrations/MigrationStore.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,eAAe,CAAC;AAI/C,OAAO,KAAK,EAAE,eAAe,EAAE,qBAAqB,EAAE,cAAc,EAAE,MAAM,mBAAmB,CAAC;AA8ChG,eAAO,MAAM,cAAc;oBACH,SAAS,GAAG,OAAO,CAAC,IAAI,CAAC;8BASzC,SAAS,UACN,cAAc,YACZ,MAAM,GACd,OAAO,CAAC,MAAM,CAAC;sBAiBZ,SAAS,SACN,cAAc,WACZ,MAAM,GACd,OAAO,CAAC,GAAG,CAAC,MAAM,EAAE,eAAe,CAAC,CAAC;sBAyBlC,SAAS,UACL;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,KAAK,EAAE,cAAc,CAAC;QAAC,OAAO,EAAE,MAAM,CAAC;QAAC,KAAK,EAAE,MAAM,CAAA;KAAE,GAC9E,OAAO,CAAC,IAAI,CAAC;mBAuCV,SAAS,UACL;QACN,IAAI,EAAE,MAAM,CAAC;QACb,KAAK,EAAE,cAAc,CAAC;QACtB,OAAO,EAAE,MAAM,CAAC;QAChB,MAAM,EAAE,qBAAqB,CAAC;QAC9B,SAAS,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;KAC3B,GACA,OAAO,CAAC,IAAI,CAAC;kCAiBV,SAAS,UACL;QAAE,KAAK,EAAE,cAAc,CAAC;QAAC,OAAO,EAAE,MAAM,CAAC;QAAC,QAAQ,EAAE,MAAM,CAAA;KAAE,GACnE,OAAO,CAAC,KAAK,CAAC;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,KAAK,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;8BAyB5C,SAAS,UACL;QAAE,KAAK,EAAE,cAAc,CAAC;QAAC,OAAO,EAAE,MAAM,CAAA;KAAE,GACjD,OAAO,CAAC,MAAM,EAAE,CAAC;qBAgBd,SAAS,UACL;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,KAAK,EAAE,cAAc,CAAC;QAAC,OAAO,EAAE,MAAM,CAAA;KAAE,GAC/D,OAAO,CAAC,IAAI,CAAC;EAShB,CAAC"}
+{"version":3,"file":"MigrationStore.d.ts","sourceRoot":"","sources":["../../../../src/orm/migrations/MigrationStore.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,eAAe,CAAC;AAI/C,OAAO,KAAK,EAAE,eAAe,EAAE,qBAAqB,EAAE,cAAc,EAAE,MAAM,mBAAmB,CAAC;AA0DhG,eAAO,MAAM,cAAc;oBACH,SAAS,GAAG,OAAO,CAAC,IAAI,CAAC;8BAkBzC,SAAS,UACN,cAAc,YACZ,MAAM,GACd,OAAO,CAAC,MAAM,CAAC;sBAiBZ,SAAS,SACN,cAAc,WACZ,MAAM,GACd,OAAO,CAAC,GAAG,CAAC,MAAM,EAAE,eAAe,CAAC,CAAC;sBAyBlC,SAAS,UACL;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,KAAK,EAAE,cAAc,CAAC;QAAC,OAAO,EAAE,MAAM,CAAC;QAAC,KAAK,EAAE,MAAM,CAAA;KAAE,GAC9E,OAAO,CAAC,IAAI,CAAC;mBAuCV,SAAS,UACL;QACN,IAAI,EAAE,MAAM,CAAC;QACb,KAAK,EAAE,cAAc,CAAC;QACtB,OAAO,EAAE,MAAM,CAAC;QAChB,MAAM,EAAE,qBAAqB,CAAC;QAC9B,SAAS,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;KAC3B,GACA,OAAO,CAAC,IAAI,CAAC;kCAiBV,SAAS,UACL;QAAE,KAAK,EAAE,cAAc,CAAC;QAAC,OAAO,EAAE,MAAM,CAAC;QAAC,QAAQ,EAAE,MAAM,CAAA;KAAE,GACnE,OAAO,CAAC,KAAK,CAAC;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,KAAK,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;8BAyB5C,SAAS,UACL;QAAE,KAAK,EAAE,cAAc,CAAC;QAAC,OAAO,EAAE,MAAM,CAAA;KAAE,GACjD,OAAO,CAAC,MAAM,EAAE,CAAC;qBAgBd,SAAS,UACL;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,KAAK,EAAE,cAAc,CAAC;QAAC,OAAO,EAAE,MAAM,CAAA;KAAE,GAC/D,OAAO,CAAC,IAAI,CAAC;EAShB,CAAC"}

package/src/orm/migrations/MigrationStore.js

@@ -1,3 +1,4 @@
+import { Env } from '../../config/env.js';
 import { ErrorFactory } from '../../exceptions/ZintrustError.js';
 import { QueryBuilder } from '../QueryBuilder.js';
 function nowIso() {
@@ -21,7 +22,19 @@ const hasMigrationsTableSupport = (adapter) => {
 };
 const requireMigrationsTableSupport = (adapter) => {
     if (!hasMigrationsTableSupport(adapter)) {
-        throw ErrorFactory.createCliError('Migrations tracking is not supported for this database adapter yet.');
+        const isSqlProxyEnabled = Env.getBool('USE_POSTGRES_PROXY', false) ||
+            Env.getBool('USE_MYSQL_PROXY', false) ||
+            Env.getBool('USE_SQLSERVER_PROXY', false) ||
+            Env.get('POSTGRES_PROXY_URL', '').trim() !== '' ||
+            Env.get('MYSQL_PROXY_URL', '').trim() !== '' ||
+            Env.get('SQLSERVER_PROXY_URL', '').trim() !== '';
+        const hint = isSqlProxyEnabled
+            ? 'If you are using SQL proxy adapters, ensure the proxy stack is running (e.g. `zin cp up` or `docker compose -f docker-compose.proxy.yml up -d`).'
+            : undefined;
+        let message = 'Migrations tracking is not supported for this database adapter yet.';
+        if (hint)
+            message = `${message} ${hint}`;
+        throw ErrorFactory.createCliError(message);
     }
     return async () => {
         await adapter.ensureMigrationsTable();
@@ -32,6 +45,14 @@ export const MigrationStore = Object.freeze({
         assertDbSupportsMigrations(db);
         const adapter = db.getAdapterInstance(false);
         const ensure = requireMigrationsTableSupport(adapter);
+        // getAdapterInstance(false) returns a raw adapter without going through Database.query()
+        // which auto-connects; ensure we're connected before creating the migrations table.
+        if (typeof db.connect === 'function') {
+            await db.connect();
+        }
+        else if (typeof adapter.connect === 'function') {
+            await adapter.connect();
+        }
         await ensure();
     },
     async getLastCompletedBatch(db, scope = 'global', service = '') {

package/src/routes/doc.js

@@ -16,7 +16,7 @@ export { MIME_TYPES_MAP } from './common.js';
  */
 // Backward-compatible re-exports
 export { findPackageRoot, findPackageRootAsync, getFrameworkPublicRoots, getFrameworkPublicRootsAsync, getPublicRoot, getPublicRootAsync, } from './publicRoot.js';
-const PUBLIC_ROOT_CACHE_TTL_MS = 3000000000; //50 minutes, effectively caching for the duration of typical dev sessions
+const PUBLIC_ROOT_CACHE_TTL_MS = 3000000000; // 50 minutes, can be adjusted as needed
 let cachedPublicRoot = null;
 const getCachedPublicRootAsync = async () => {
     const now = Date.now();

package/src/routes/errorPages.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"errorPages.d.ts","sourceRoot":"","sources":["../../../src/routes/errorPages.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAMH,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,qBAAqB,CAAC;AAInD,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,gBAAgB,CAAC;AA8JhD,eAAO,MAAM,mBAAmB,GAAI,SAAS,MAAM,EAAE,UAAU,SAAS,KAAG,OAkD1E,CAAC;AAEF,eAAO,MAAM,wBAAwB,GACnC,SAAS,MAAM,EACf,UAAU,SAAS,KAClB,OAAO,CAAC,OAAO,CA4CjB,CAAC;AAmBF,eAAO,MAAM,oBAAoB,GAAI,UAAU,SAAS,KAAG,OAE1D,CAAC;AAEF,eAAO,MAAM,yBAAyB,GAAU,UAAU,SAAS,KAAG,OAAO,CAAC,OAAO,CAKpF,CAAC;AAEF,eAAO,MAAM,wBAAwB,GAAI,QAAQ,OAAO,KAAG,IAO1D,CAAC;;uCAP+C,OAAO,KAAG,IAAI;mCAjIlB,MAAM,YAAY,SAAS,KAAG,OAAO;;AA0IlF,wBAAiE"}
+{"version":3,"file":"errorPages.d.ts","sourceRoot":"","sources":["../../../src/routes/errorPages.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAMH,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,qBAAqB,CAAC;AAInD,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,gBAAgB,CAAC;AAuKhD,eAAO,MAAM,mBAAmB,GAAI,SAAS,MAAM,EAAE,UAAU,SAAS,KAAG,OAkD1E,CAAC;AAEF,eAAO,MAAM,wBAAwB,GACnC,SAAS,MAAM,EACf,UAAU,SAAS,KAClB,OAAO,CAAC,OAAO,CA4CjB,CAAC;AAmBF,eAAO,MAAM,oBAAoB,GAAI,UAAU,SAAS,KAAG,OAE1D,CAAC;AAEF,eAAO,MAAM,yBAAyB,GAAU,UAAU,SAAS,KAAG,OAAO,CAAC,OAAO,CAKpF,CAAC;AAEF,eAAO,MAAM,wBAAwB,GAAI,QAAQ,OAAO,KAAG,IAO1D,CAAC;;uCAP+C,OAAO,KAAG,IAAI;mCAjIlB,MAAM,YAAY,SAAS,KAAG,OAAO;;AA0IlF,wBAAiE"}

package/src/routes/errorPages.js

@@ -10,10 +10,17 @@ import { Router } from './Router.js';
 import { ErrorFactory } from '../exceptions/ZintrustError.js';
 import * as fs from '../node-singletons/fs.js';
 import * as path from '../node-singletons/path.js';
+let cachedCandidateRoots = null;
 const getCandidatePublicRoots = () => {
-    const roots = [path.join(process.cwd(), 'public'), ...getFrameworkPublicRoots()];
+    const cwd = process.cwd();
+    if (cachedCandidateRoots !== null && cachedCandidateRoots.cwd === cwd) {
+        return cachedCandidateRoots.roots;
+    }
+    const roots = [path.join(cwd, 'public'), ...getFrameworkPublicRoots()];
     const unique = new Set(roots.map((root) => root.trim()).filter((root) => root !== ''));
-    return [...unique];
+    const resolved = [...unique];
+    cachedCandidateRoots = { cwd, roots: resolved };
+    return resolved;
 };
 const pathExistsAsync = async (candidate) => {
     try {

package/src/security/CsrfTokenManager.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"CsrfTokenManager.d.ts","sourceRoot":"","sources":["../../../src/security/CsrfTokenManager.ts"],"names":[],"mappings":"AACA;;;GAGG;AAQH,OAAO,KAAK,EAAE,KAAK,EAAE,MAAM,SAAS,CAAC;AAErC,MAAM,WAAW,aAAa;IAC5B,KAAK,EAAE,MAAM,CAAC;IACd,SAAS,EAAE,MAAM,CAAC;IAClB,SAAS,EAAE,IAAI,CAAC;IAChB,SAAS,EAAE,IAAI,CAAC;CACjB;AAED,MAAM,WAAW,iBAAiB;IAChC,aAAa,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC;IAClD,aAAa,CAAC,SAAS,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC;IAClE,eAAe,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAClD,YAAY,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,aAAa,GAAG,IAAI,CAAC,CAAC;IAC/D,YAAY,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAAC;IACxD,OAAO,IAAI,OAAO,CAAC,MAAM,CAAC,CAAC;IAC3B,KAAK,IAAI,OAAO,CAAC,IAAI,CAAC,CAAC;IACvB,aAAa,IAAI,OAAO,CAAC,MAAM,CAAC,CAAC;CAClC;AAED,MAAM,WAAW,oBAAoB;IACnC,MAAM,CAAC,OAAO,CAAC,EAAE,uBAAuB,GAAG,iBAAiB,CAAC;CAC9D;AAED,MAAM,MAAM,aAAa,GAAG,QAAQ,GAAG,OAAO,CAAC;AAE/C,MAAM,MAAM,uBAAuB,GAAG;IACpC,KAAK,CAAC,EAAE,aAAa,CAAC;IACtB,KAAK,CAAC,EAAE,KAAK,CAAC;IACd,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB,CAAC;AAkSF;;GAEG;AACH,eAAO,MAAM,gBAAgB,EAAE,oBAE7B,CAAC"}
+{"version":3,"file":"CsrfTokenManager.d.ts","sourceRoot":"","sources":["../../../src/security/CsrfTokenManager.ts"],"names":[],"mappings":"AACA;;;GAGG;AAQH,OAAO,KAAK,EAAE,KAAK,EAAE,MAAM,SAAS,CAAC;AAErC,MAAM,WAAW,aAAa;IAC5B,KAAK,EAAE,MAAM,CAAC;IACd,SAAS,EAAE,MAAM,CAAC;IAClB,SAAS,EAAE,IAAI,CAAC;IAChB,SAAS,EAAE,IAAI,CAAC;CACjB;AAED,MAAM,WAAW,iBAAiB;IAChC,aAAa,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC;IAClD,aAAa,CAAC,SAAS,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC;IAClE,eAAe,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAClD,YAAY,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,aAAa,GAAG,IAAI,CAAC,CAAC;IAC/D,YAAY,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAAC;IACxD,OAAO,IAAI,OAAO,CAAC,MAAM,CAAC,CAAC;IAC3B,KAAK,IAAI,OAAO,CAAC,IAAI,CAAC,CAAC;IACvB,aAAa,IAAI,OAAO,CAAC,MAAM,CAAC,CAAC;CAClC;AAED,MAAM,WAAW,oBAAoB;IACnC,MAAM,CAAC,OAAO,CAAC,EAAE,uBAAuB,GAAG,iBAAiB,CAAC;CAC9D;AAED,MAAM,MAAM,aAAa,GAAG,QAAQ,GAAG,OAAO,CAAC;AAE/C,MAAM,MAAM,uBAAuB,GAAG;IACpC,KAAK,CAAC,EAAE,aAAa,CAAC;IACtB,KAAK,CAAC,EAAE,KAAK,CAAC;IACd,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB,CAAC;AAyVF;;GAEG;AACH,eAAO,MAAM,gBAAgB,EAAE,oBAE7B,CAAC"}

package/src/security/CsrfTokenManager.js

@@ -121,12 +121,54 @@ const createRedisClientFactory = (options) => {
         return redisClient;
     };
 };
+const createRedisPrefixVersioner = (keyPrefix, getRedisClient) => {
+    const versionKey = `${keyPrefix}__v`;
+    let cachedVersion = null;
+    const getVersion = async () => {
+        if (cachedVersion !== null)
+            return cachedVersion;
+        const client = getRedisClient();
+        const raw = await client.get(versionKey);
+        const v = (raw ?? '1').trim();
+        cachedVersion = v === '' ? '1' : v;
+        return cachedVersion;
+    };
+    const getEffectivePrefix = async () => {
+        const v = await getVersion();
+        return `${keyPrefix}${v}:`;
+    };
+    const bumpPrefixVersion = async () => {
+        const client = getRedisClient();
+        // INCR creates the key if it does not exist.
+        const next = await client.incr(versionKey);
+        cachedVersion = String(next);
+    };
+    return {
+        getEffectivePrefix,
+        bumpPrefixVersion,
+    };
+};
+const scanRedisKeys = async (client, match) => {
+    const keys = [];
+    const stream = client.scanStream({ match, count: 200 });
+    return new Promise((resolve, reject) => {
+        stream.on('data', (resultKeys) => {
+            if (Array.isArray(resultKeys) && resultKeys.length) {
+                keys.push(...resultKeys);
+            }
+        });
+        stream.on('end', () => resolve(keys));
+        stream.on('error', (err) => reject(err));
+    });
+};
 const createRedisTokenOperations = (keyPrefix, tokenTtl, getRedisClient) => {
-    const buildKey = (sessionId) => `${keyPrefix}${sessionId}`;
+    const { getEffectivePrefix, bumpPrefixVersion } = createRedisPrefixVersioner(keyPrefix, getRedisClient);
+    const buildKey = (prefix, sessionId) => `${prefix}${sessionId}`;
     const fetchTokenData = async (sessionId) => {
         try {
             const client = getRedisClient();
-            const payload = await client.get(buildKey(sessionId));
+            const prefix = await getEffectivePrefix();
+            const payload = await client.get(buildKey(prefix, sessionId));
             if (payload === null || payload === '')
                 return null;
             const parsed = JSON.parse(payload);
@@ -140,13 +182,14 @@ const createRedisTokenOperations = (keyPrefix, tokenTtl, getRedisClient) => {
     const saveTokenData = async (data) => {
         try {
             const client = getRedisClient();
+            const prefix = await getEffectivePrefix();
             const stored = {
                 token: data.token,
                 sessionId: data.sessionId,
                 createdAt: data.createdAt.getTime(),
                 expiresAt: data.expiresAt.getTime(),
             };
-            await client.set(buildKey(data.sessionId), JSON.stringify(stored), 'PX', tokenTtl);
+            await client.set(buildKey(prefix, data.sessionId), JSON.stringify(stored), 'PX', tokenTtl);
         }
         catch (error) {
             Logger.error('CSRF Redis save failed', error);
@@ -155,37 +198,30 @@ const createRedisTokenOperations = (keyPrefix, tokenTtl, getRedisClient) => {
     const deleteToken = async (sessionId) => {
         try {
             const client = getRedisClient();
-            await client.del(buildKey(sessionId));
+            const prefix = await getEffectivePrefix();
+            await client.del(buildKey(prefix, sessionId));
         }
         catch (error) {
             Logger.error('CSRF Redis delete failed', error);
         }
     };
-    const scanKeys = async () => {
+    const scanKeys = async (effectivePrefix) => {
         const client = getRedisClient();
-        const keys = [];
-        const stream = client.scanStream({ match: `${keyPrefix}*`, count: 200 });
-        return new Promise((resolve, reject) => {
-            stream.on('data', (resultKeys) => {
-                if (Array.isArray(resultKeys) && resultKeys.length) {
-                    keys.push(...resultKeys);
-                }
-            });
-            stream.on('end', () => resolve(keys));
-            stream.on('error', (err) => reject(err));
-        });
+        return scanRedisKeys(client, `${effectivePrefix}*`);
     };
     return {
         fetchTokenData,
         saveTokenData,
         deleteToken,
         scanKeys,
+        getEffectivePrefix,
+        bumpPrefixVersion,
     };
 };
 const createRedisManager = (tokenLength, tokenTtl, options) => {
     const keyPrefix = options?.keyPrefix ?? RedisKeys.getCsrfPrefix();
     const getRedisClient = createRedisClientFactory(options);
-    const { fetchTokenData, saveTokenData, deleteToken, scanKeys } = createRedisTokenOperations(keyPrefix, tokenTtl, getRedisClient);
+    const { fetchTokenData, saveTokenData, deleteToken, scanKeys, getEffectivePrefix, bumpPrefixVersion, } = createRedisTokenOperations(keyPrefix, tokenTtl, getRedisClient);
     return {
         async generateToken(sessionId) {
             const token = randomBytes(tokenLength).toString('hex');
@@ -232,11 +268,8 @@ const createRedisManager = (tokenLength, tokenTtl, options) => {
         },
         async clear() {
             try {
-                const keys = await scanKeys();
-                if (keys.length === 0)
-                    return;
-                const client = getRedisClient();
-                await client.del(...keys);
+                // Logical clear: bump the version so future operations use a new prefix.
+                await bumpPrefixVersion();
             }
             catch (error) {
                 Logger.error('CSRF Redis clear failed', error);
@@ -244,7 +277,8 @@ const createRedisManager = (tokenLength, tokenTtl, options) => {
         },
         async getTokenCount() {
             try {
-                const keys = await scanKeys();
+                const prefix = await getEffectivePrefix();
+                const keys = await scanKeys(prefix);
                 return keys.length;
             }
             catch (error) {

package/src/security/JwtManager.d.ts

@@ -3,6 +3,7 @@
  * JSON Web Token generation, verification, and claims management
  * Uses native Node.js crypto module (zero external dependencies)
  */
+import type { AuthorizationHeader } from './JwtSessions';
 export type JwtAlgorithm = 'HS256' | 'HS512' | 'RS256';
 export interface JwtPayload {
     sub?: string;
@@ -33,7 +34,9 @@ export interface IJwtManager {
 }
 export interface JwtManagerType {
     create(): IJwtManager;
-    signAccessToken: (payload: JwtPayload, expiresIn?: number) => string;
+    signAccessToken: (payload: JwtPayload, expiresIn?: number) => Promise<string>;
+    logout: (authHeader: AuthorizationHeader) => Promise<void>;
+    logoutAll: (sub: string) => Promise<void>;
 }
 /**
  * JwtManager namespace - sealed for immutability

package/src/security/JwtManager.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"JwtManager.d.ts","sourceRoot":"","sources":["../../../src/security/JwtManager.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAMH,MAAM,MAAM,YAAY,GAAG,OAAO,GAAG,OAAO,GAAG,OAAO,CAAC;AAEvD,MAAM,WAAW,UAAU;IACzB,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC;CACxB;AAED,MAAM,WAAW,UAAU;IACzB,SAAS,CAAC,EAAE,YAAY,CAAC;IACzB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAED,MAAM,WAAW,WAAW;IAC1B,aAAa,CAAC,MAAM,EAAE,MAAM,GAAG,IAAI,CAAC;IACpC,UAAU,CAAC,UAAU,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,GAAG,IAAI,CAAC;IACxD,IAAI,CAAC,OAAO,EAAE,UAAU,EAAE,OAAO,CAAC,EAAE,UAAU,GAAG,MAAM,CAAC;IACxD,MAAM,CAAC,KAAK,EAAE,MAAM,EAAE,SAAS,CAAC,EAAE,YAAY,GAAG,UAAU,CAAC;IAC5D,MAAM,CAAC,KAAK,EAAE,MAAM,GAAG,UAAU,CAAC;IAClC,OAAO,CAAC,OAAO,EAAE,MAAM,GAAG,MAAM,CAAC;IACjC,aAAa,IAAI,MAAM,CAAC;CACzB;AAQD,MAAM,WAAW,cAAc;IAC7B,MAAM,IAAI,WAAW,CAAC;IACtB,eAAe,EAAE,CAAC,OAAO,EAAE,UAAU,EAAE,SAAS,CAAC,EAAE,MAAM,KAAK,MAAM,CAAC;CACtE;AA6ED;;GAEG;AACH,eAAO,MAAM,UAAU,EAAE,cAGvB,CAAC"}
+{"version":3,"file":"JwtManager.d.ts","sourceRoot":"","sources":["../../../src/security/JwtManager.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAKH,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,uBAAuB,CAAC;AAGjE,MAAM,MAAM,YAAY,GAAG,OAAO,GAAG,OAAO,GAAG,OAAO,CAAC;AAEvD,MAAM,WAAW,UAAU;IACzB,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC;CACxB;AAED,MAAM,WAAW,UAAU;IACzB,SAAS,CAAC,EAAE,YAAY,CAAC;IACzB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAED,MAAM,WAAW,WAAW;IAC1B,aAAa,CAAC,MAAM,EAAE,MAAM,GAAG,IAAI,CAAC;IACpC,UAAU,CAAC,UAAU,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,GAAG,IAAI,CAAC;IACxD,IAAI,CAAC,OAAO,EAAE,UAAU,EAAE,OAAO,CAAC,EAAE,UAAU,GAAG,MAAM,CAAC;IACxD,MAAM,CAAC,KAAK,EAAE,MAAM,EAAE,SAAS,CAAC,EAAE,YAAY,GAAG,UAAU,CAAC;IAC5D,MAAM,CAAC,KAAK,EAAE,MAAM,GAAG,UAAU,CAAC;IAClC,OAAO,CAAC,OAAO,EAAE,MAAM,GAAG,MAAM,CAAC;IACjC,aAAa,IAAI,MAAM,CAAC;CACzB;AAQD,MAAM,WAAW,cAAc;IAC7B,MAAM,IAAI,WAAW,CAAC;IACtB,eAAe,EAAE,CAAC,OAAO,EAAE,UAAU,EAAE,SAAS,CAAC,EAAE,MAAM,KAAK,OAAO,CAAC,MAAM,CAAC,CAAC;IAC9E,MAAM,EAAE,CAAC,UAAU,EAAE,mBAAmB,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;IAC3D,SAAS,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;CAC3C;AAyFD;;GAEG;AACH,eAAO,MAAM,UAAU,EAAE,cAKvB,CAAC"}

package/src/security/JwtManager.js

@@ -6,6 +6,7 @@
 import { securityConfig } from '../config/index.js';
 import { ErrorFactory } from '../exceptions/ZintrustError.js';
 import { createHmac, createSign, createVerify, randomBytes } from '../node-singletons/crypto.js';
+import { JwtSessions } from './JwtSessions.js';
 const createJwt = () => {
     const algorithm = securityConfig.jwt.algorithm;
     const secret = securityConfig.jwt.secret;
@@ -15,27 +16,38 @@ const createJwt = () => {
     }
     return jwt;
 };
-const signAccessToken = (payload, expiresIn) => {
+const logout = async (authHeader) => {
+    await JwtSessions.logout(authHeader);
+};
+const logoutAll = async (sub) => {
+    await JwtSessions.logoutAll(sub);
+};
+const signAccessToken = async (payload, expiresIn) => {
     const algorithm = securityConfig.jwt.algorithm;
     const jwt = createJwt();
+    let token;
     // JwtManager currently supports HMAC secrets directly for HS algorithms.
     // For other algorithms, verify will still reject mismatched tokens.
     if (algorithm !== 'HS256' && algorithm !== 'HS512') {
-        return jwt.sign(payload, {
+        token = jwt.sign(payload, {
+            algorithm,
+            issuer: securityConfig.jwt.issuer,
+            audience: securityConfig.jwt.audience,
+            jwtId: jwt.generateJwtId(),
+        });
+    }
+    else {
+        token = jwt.sign(payload, {
             algorithm,
+            expiresIn: expiresIn ?? securityConfig.jwt.expiresIn,
             issuer: securityConfig.jwt.issuer,
             audience: securityConfig.jwt.audience,
+            subject: typeof payload.sub === 'string' ? payload.sub : undefined,
             jwtId: jwt.generateJwtId(),
         });
     }
-    return jwt.sign(payload, {
-        algorithm,
-        expiresIn: expiresIn ?? securityConfig.jwt.expiresIn,
-        issuer: securityConfig.jwt.issuer,
-        audience: securityConfig.jwt.audience,
-        subject: typeof payload.sub === 'string' ? payload.sub : undefined,
-        jwtId: jwt.generateJwtId(),
-    });
+    await JwtSessions.register(token);
+    return token;
 };
 /**
  * Create a new JWT manager instance
@@ -77,6 +89,8 @@ const create = () => {
 export const JwtManager = Object.freeze({
     create,
     signAccessToken,
+    logout,
+    logoutAll,
 });
 /**
  * Sign JWT token

package/src/security/JwtSessions.d.ts

@@ -0,0 +1,12 @@
+export type JwtSessionsDriverName = 'database' | 'memory' | 'redis' | 'kv' | 'kv-remote';
+export type AuthorizationHeader = string | string[] | undefined;
+export declare const JwtSessions: Readonly<{
+    register(token: string): Promise<void>;
+    isActive(token: string): Promise<boolean>;
+    logout(header: AuthorizationHeader): Promise<string | null>;
+    logoutAll(sub: string): Promise<void>;
+    getDriver(): JwtSessionsDriverName;
+    _resetForTests(): void;
+}>;
+export default JwtSessions;
+//# sourceMappingURL=JwtSessions.d.ts.map

package/src/security/JwtSessions.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"JwtSessions.d.ts","sourceRoot":"","sources":["../../../src/security/JwtSessions.ts"],"names":[],"mappings":"AAUA,MAAM,MAAM,qBAAqB,GAAG,UAAU,GAAG,QAAQ,GAAG,OAAO,GAAG,IAAI,GAAG,WAAW,CAAC;AAEzF,MAAM,MAAM,mBAAmB,GAAG,MAAM,GAAG,MAAM,EAAE,GAAG,SAAS,CAAC;AAqnBhE,eAAO,MAAM,WAAW;oBACA,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;oBAKtB,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;mBAM1B,mBAAmB,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC;mBAU5C,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;iBAQ9B,qBAAqB;sBAIhB,IAAI;EAItB,CAAC;AAEH,eAAe,WAAW,CAAC"}