@zintrust/core 0.4.29 → 0.4.31

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@zintrust/core",
-  "version": "0.4.29",
+  "version": "0.4.31",
   "description": "Production-grade TypeScript backend framework for JavaScript",
   "homepage": "https://zintrust.com",
   "repository": {

package/src/cli/commands/D1ProxyCommand.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"D1ProxyCommand.d.ts","sourceRoot":"","sources":["../../../../src/cli/commands/D1ProxyCommand.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAkB,YAAY,EAAE,MAAM,kBAAkB,CAAC;AA4PrE,eAAO,MAAM,cAAc;cACf,YAAY;EAwCtB,CAAC;AAEH,eAAe,cAAc,CAAC"}
+{"version":3,"file":"D1ProxyCommand.d.ts","sourceRoot":"","sources":["../../../../src/cli/commands/D1ProxyCommand.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAkB,YAAY,EAAE,MAAM,kBAAkB,CAAC;AA6PrE,eAAO,MAAM,cAAc;cACf,YAAY;EAwCtB,CAAC;AAEH,eAAe,cAAc,CAAC"}

package/src/cli/commands/D1ProxyCommand.js

@@ -14,6 +14,7 @@ const DEFAULT_DATABASE_NAME = 'd1-proxy-db';
 const DEFAULT_DATABASE_ID = '<your-d1-database-id>';
 const DEFAULT_MIGRATIONS_DIR = 'database/migrations/d1';
 const DEFAULT_ENTRY_FILE = 'src/proxy/d1/ZintrustD1Proxy.ts';
+const CORE_PROXY_MODULE = ['@zintrust', 'core', 'proxy'].join('/');
 const trimOption = (value) => {
     if (!isNonEmptyString(value))
         return undefined;
@@ -135,8 +136,8 @@ const ensureProxyEntrypoint = (cwd) => {
     }
     mkdirSync(join(cwd, 'src/proxy/d1'), { recursive: true });
     writeFileSync(entryFilePath, [
-        "export { ZintrustD1Proxy } from '../../proxy.js';",
-        "export { ZintrustD1Proxy as default } from '../../proxy.js';",
+        `export { ZintrustD1Proxy } from '${CORE_PROXY_MODULE}';`,
+        `export { ZintrustD1Proxy as default } from '${CORE_PROXY_MODULE}';`,
         '',
     ].join('\n'), 'utf-8');
     return { created: true, entryFilePath };

package/src/cli/commands/KvProxyCommand.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"KvProxyCommand.d.ts","sourceRoot":"","sources":["../../../../src/cli/commands/KvProxyCommand.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAkB,YAAY,EAAE,MAAM,kBAAkB,CAAC;AAyOrE,eAAO,MAAM,cAAc;cACf,YAAY;EAwCtB,CAAC;AAEH,eAAe,cAAc,CAAC"}
+{"version":3,"file":"KvProxyCommand.d.ts","sourceRoot":"","sources":["../../../../src/cli/commands/KvProxyCommand.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAkB,YAAY,EAAE,MAAM,kBAAkB,CAAC;AA0OrE,eAAO,MAAM,cAAc;cACf,YAAY;EAwCtB,CAAC;AAEH,eAAe,cAAc,CAAC"}

package/src/cli/commands/KvProxyCommand.js

@@ -12,6 +12,7 @@ const DEFAULT_COMPATIBILITY_DATE = '2026-03-12';
 const DEFAULT_BINDING = 'ZIN_KV';
 const DEFAULT_NAMESPACE_ID = '<your-kv-namespace-id>';
 const DEFAULT_ENTRY_FILE = 'src/proxy/kv/ZintrustKvProxy.ts';
+const CORE_PROXY_MODULE = ['@zintrust', 'core', 'proxy'].join('/');
 const trimOption = (value) => {
     if (!isNonEmptyString(value))
         return undefined;
@@ -124,8 +125,8 @@ const ensureProxyEntrypoint = (cwd) => {
     }
     mkdirSync(join(cwd, 'src/proxy/kv'), { recursive: true });
     writeFileSync(entryFilePath, [
-        "export { ZintrustKvProxy } from '../../proxy.js';",
-        "export { ZintrustKvProxy as default } from '../../proxy.js';",
+        `export { ZintrustKvProxy } from '${CORE_PROXY_MODULE}';`,
+        `export { ZintrustKvProxy as default } from '${CORE_PROXY_MODULE}';`,
         '',
     ].join('\n'), 'utf-8');
     return { created: true, entryFilePath };

package/src/index.js

@@ -1,11 +1,11 @@
 /**
- * @zintrust/core v0.4.29
+ * @zintrust/core v0.4.31
  *
  * ZinTrust Framework - Production-Grade TypeScript Backend
  * Built for performance, type safety, and exceptional developer experience
  *
  * Build Information:
- *   Built: 2026-03-29T12:19:31.273Z
+ *   Built: 2026-03-29T12:34:52.815Z
  *   Node: >=20.0.0
  *   License: MIT
  *
@@ -21,7 +21,7 @@
  * Available at runtime for debugging and health checks
  */
 export const ZINTRUST_VERSION = '0.1.41';
-export const ZINTRUST_BUILD_DATE = '2026-03-29T12:19:31.239Z'; // Replaced during build
+export const ZINTRUST_BUILD_DATE = '2026-03-29T12:34:52.781Z'; // Replaced during build
 export { Application } from './boot/Application.js';
 export { AwsSigV4 } from './common/index.js';
 export { SignedRequest } from './security/SignedRequest.js';

package/src/proxy/d1/ZintrustD1Proxy.d.ts

@@ -1,3 +1,48 @@
-export declare const ZintrustD1Proxy: Record<string, unknown>;
+type KvGetType = 'text' | 'json' | 'arrayBuffer';
+type KVNamespacePutOptions = {
+    expirationTtl?: number;
+};
+type KVNamespace = {
+    get: {
+        (key: string): Promise<string | null>;
+        (key: string, type: 'json'): Promise<Record<string, unknown> | null>;
+        (key: string, type: 'arrayBuffer'): Promise<ArrayBuffer | null>;
+        (key: string, type: KvGetType): Promise<Record<string, unknown> | ArrayBuffer | string | null>;
+    };
+    put: (key: string, value: string, options?: KVNamespacePutOptions) => Promise<void>;
+};
+type D1AllResult<T> = {
+    results?: T[];
+};
+type D1RunResult = {
+    meta?: unknown;
+};
+type D1PreparedStatement = {
+    bind: (...values: unknown[]) => D1PreparedStatement;
+    all: <T = unknown>() => Promise<D1AllResult<T>>;
+    first: <T = unknown>() => Promise<T | null>;
+    run: () => Promise<D1RunResult>;
+};
+type D1Database = {
+    prepare: (sql: string) => D1PreparedStatement;
+};
+type D1Env = {
+    DB?: D1Database;
+    D1_BINDING?: string;
+    APP_KEY?: string;
+    D1_REMOTE_SECRET?: string;
+    ZT_PROXY_SIGNING_WINDOW_MS?: string;
+    ZT_NONCES?: KVNamespace;
+    ZT_PROXY_DEBUG?: string;
+    ZT_MAX_BODY_BYTES?: string;
+    ZT_MAX_SQL_BYTES?: string;
+    ZT_MAX_PARAMS?: string;
+    ZT_D1_STATEMENTS_JSON?: string;
+};
+export declare const ZintrustD1Proxy: Readonly<{
+    _ZINTRUST_CLOUDFLARE_D1_PROXY_VERSION: "0.1.15";
+    _ZINTRUST_CLOUDFLARE_D1_PROXY_BUILD_DATE: "__BUILD_DATE__";
+    fetch(request: Request, env: D1Env): Promise<Response>;
+}>;
 export default ZintrustD1Proxy;
 //# sourceMappingURL=ZintrustD1Proxy.d.ts.map

package/src/proxy/d1/ZintrustD1Proxy.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"ZintrustD1Proxy.d.ts","sourceRoot":"","sources":["../../../../src/proxy/d1/ZintrustD1Proxy.ts"],"names":[],"mappings":"AA2BA,eAAO,MAAM,eAAe,EAyBZ,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;AAExC,eAAe,eAAe,CAAC"}
+{"version":3,"file":"ZintrustD1Proxy.d.ts","sourceRoot":"","sources":["../../../../src/proxy/d1/ZintrustD1Proxy.ts"],"names":[],"mappings":"AAMA,KAAK,SAAS,GAAG,MAAM,GAAG,MAAM,GAAG,aAAa,CAAC;AAEjD,KAAK,qBAAqB,GAAG;IAC3B,aAAa,CAAC,EAAE,MAAM,CAAC;CACxB,CAAC;AAEF,KAAK,WAAW,GAAG;IACjB,GAAG,EAAE;QACH,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAAC;QACtC,CAAC,GAAG,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,IAAI,CAAC,CAAC;QACrE,CAAC,GAAG,EAAE,MAAM,EAAE,IAAI,EAAE,aAAa,GAAG,OAAO,CAAC,WAAW,GAAG,IAAI,CAAC,CAAC;QAChE,CAAC,GAAG,EAAE,MAAM,EAAE,IAAI,EAAE,SAAS,GAAG,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,WAAW,GAAG,MAAM,GAAG,IAAI,CAAC,CAAC;KAChG,CAAC;IACF,GAAG,EAAE,CAAC,GAAG,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,qBAAqB,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;CACrF,CAAC;AAEF,KAAK,WAAW,CAAC,CAAC,IAAI;IACpB,OAAO,CAAC,EAAE,CAAC,EAAE,CAAC;CACf,CAAC;AAEF,KAAK,WAAW,GAAG;IACjB,IAAI,CAAC,EAAE,OAAO,CAAC;CAChB,CAAC;AAEF,KAAK,mBAAmB,GAAG;IACzB,IAAI,EAAE,CAAC,GAAG,MAAM,EAAE,OAAO,EAAE,KAAK,mBAAmB,CAAC;IACpD,GAAG,EAAE,CAAC,CAAC,GAAG,OAAO,OAAO,OAAO,CAAC,WAAW,CAAC,CAAC,CAAC,CAAC,CAAC;IAChD,KAAK,EAAE,CAAC,CAAC,GAAG,OAAO,OAAO,OAAO,CAAC,CAAC,GAAG,IAAI,CAAC,CAAC;IAC5C,GAAG,EAAE,MAAM,OAAO,CAAC,WAAW,CAAC,CAAC;CACjC,CAAC;AAEF,KAAK,UAAU,GAAG;IAChB,OAAO,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,mBAAmB,CAAC;CAC/C,CAAC;AAEF,KAAK,KAAK,GAAG;IACX,EAAE,CAAC,EAAE,UAAU,CAAC;IAChB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,0BAA0B,CAAC,EAAE,MAAM,CAAC;IACpC,SAAS,CAAC,EAAE,WAAW,CAAC;IACxB,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,iBAAiB,CAAC,EAAE,MAAM,CAAC;IAC3B,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,qBAAqB,CAAC,EAAE,MAAM,CAAC;CAChC,CAAC;AAkZF,eAAO,MAAM,eAAe;;;mBAGL,OAAO,OAAO,KAAK,GAAG,OAAO,CAAC,QAAQ,CAAC;EAqB5D,CAAC;AAEH,eAAe,eAAe,CAAC"}

package/src/proxy/d1/ZintrustD1Proxy.js

@@ -1,39 +1,364 @@
-import { isUndefinedOrNull } from '../../helper/index.js';
 import { Logger } from '../../config/logger.js';
-let cached = null;
-const load = async () => {
-    if (cached !== null)
-        return cached;
+import { isArray, isObject, isString } from '../../helper/index.js';
+import { ErrorHandler } from '../ErrorHandler.js';
+import { RequestValidator } from '../RequestValidator.js';
+import { SigningService } from '../SigningService.js';
+const DEFAULT_SIGNING_WINDOW_MS = 60_000;
+const DEFAULT_MAX_BODY_BYTES = 128 * 1024;
+const DEFAULT_MAX_SQL_BYTES = 32 * 1024;
+const DEFAULT_MAX_PARAMS = 256;
+const json = (status, body) => new Response(JSON.stringify(body), {
+    status,
+    headers: {
+        'Content-Type': 'application/json; charset=utf-8',
+        'Cache-Control': 'no-store',
+    },
+});
+const toErrorResponse = (status, code, message) => {
+    const error = ErrorHandler.toProxyError(status, code, message);
+    return json(error.status, error.body);
+};
+const getEnvInt = (env, name, fallback) => {
+    const raw = env[name];
+    if (!isString(raw))
+        return fallback;
+    const parsed = Number.parseInt(raw, 10);
+    return Number.isFinite(parsed) ? parsed : fallback;
+};
+const isDebugEnabled = (env) => {
+    const raw = env.ZT_PROXY_DEBUG;
+    if (!isString(raw))
+        return false;
+    const normalized = raw.trim().toLowerCase();
+    return normalized === 'true' || normalized === '1' || normalized === 'yes';
+};
+const safeErrorMessage = (error) => {
+    if (error instanceof Error)
+        return error.message;
+    if (isString(error))
+        return error;
+    try {
+        return JSON.stringify(error);
+    }
+    catch {
+        return 'Unknown D1 error';
+    }
+};
+const logProxyError = (env, context, error) => {
+    if (!isDebugEnabled(env))
+        return;
+    Logger.error('[ZintrustD1Proxy] error', {
+        ...context,
+        message: safeErrorMessage(error).slice(0, 800),
+    });
+};
+const normalizeBindingName = (value) => {
+    if (!isString(value))
+        return null;
+    const trimmed = value.trim();
+    return trimmed === '' ? null : trimmed;
+};
+const resolveD1Binding = (env) => {
+    const candidates = ['DB', 'zintrust_db', normalizeBindingName(env.D1_BINDING)].filter((value, index, values) => isString(value) && value.trim() !== '' && values.indexOf(value) === index);
+    const record = env;
+    for (const name of candidates) {
+        const binding = record[name];
+        if (binding !== undefined && binding !== null && typeof binding.prepare === 'function') {
+            return binding;
+        }
+    }
+    return null;
+};
+const readBodyBytes = async (request, maxBytes) => {
+    const buf = await request.arrayBuffer();
+    if (buf.byteLength > maxBytes) {
+        return {
+            ok: false,
+            response: toErrorResponse(413, 'PAYLOAD_TOO_LARGE', 'Body too large'),
+        };
+    }
+    const bytes = new Uint8Array(buf);
+    const text = new TextDecoder().decode(bytes);
+    return { ok: true, bytes, text };
+};
+const parseOptionalJson = (text) => {
+    if (text.trim() === '')
+        return { ok: true, payload: null };
+    const parsed = RequestValidator.parseJson(text);
+    if (!parsed.ok) {
+        let message = parsed.error.message;
+        if (parsed.error.code === 'INVALID_JSON') {
+            message = 'Invalid JSON body';
+        }
+        else if (parsed.error.code === 'VALIDATION_ERROR') {
+            message = 'Invalid body';
+        }
+        return { ok: false, response: toErrorResponse(400, parsed.error.code, message) };
+    }
+    return { ok: true, payload: parsed.value };
+};
+const loadSigningSecret = (env) => {
+    const direct = isString(env.D1_REMOTE_SECRET) ? env.D1_REMOTE_SECRET.trim() : '';
+    if (direct !== '')
+        return direct;
+    const fallback = isString(env.APP_KEY) ? env.APP_KEY.trim() : '';
+    if (fallback !== '')
+        return fallback;
+    return null;
+};
+const loadStatements = (env) => {
+    const raw = env.ZT_D1_STATEMENTS_JSON;
+    if (!isString(raw) || raw.trim() === '')
+        return null;
     try {
-        // Non-literal specifier to avoid tsconfig path alias rewriting in dist builds.
-        const pkgName = '@zintrust/cloudflare-d1-proxy';
-        cached = (await import(pkgName));
-        return cached;
+        const parsed = JSON.parse(raw);
+        if (!isObject(parsed))
+            return null;
+        return parsed;
+    }
+    catch {
+        return null;
+    }
+};
+const isMutatingSql = (sql) => {
+    const normalized = sql.trimStart().toLowerCase();
+    return (normalized.startsWith('insert') ||
+        normalized.startsWith('update') ||
+        normalized.startsWith('delete') ||
+        normalized.startsWith('create') ||
+        normalized.startsWith('drop') ||
+        normalized.startsWith('alter') ||
+        normalized.startsWith('replace'));
+};
+const verifyNonceKv = async (kv, keyId, nonce, ttlMs) => {
+    const ttlSeconds = Math.max(1, Math.ceil(ttlMs / 1000));
+    const storageKey = `nonce:${keyId}:${nonce}`;
+    const existing = await kv.get(storageKey);
+    if (existing !== null)
+        return false;
+    await kv.put(storageKey, '1', { expirationTtl: ttlSeconds });
+    return true;
+};
+const verifySignedRequest = async (request, env, bodyBytes) => {
+    const secret = loadSigningSecret(env);
+    if (secret === null) {
+        return toErrorResponse(401, 'CONFIG_ERROR', 'Missing signing secret (D1_REMOTE_SECRET or APP_KEY)');
+    }
+    const windowMs = getEnvInt(env, 'ZT_PROXY_SIGNING_WINDOW_MS', DEFAULT_SIGNING_WINDOW_MS);
+    const verifyResult = await SigningService.verifyWithKeyProvider({
+        method: request.method,
+        url: request.url,
+        body: bodyBytes,
+        headers: request.headers,
+        windowMs,
+        getSecretForKeyId: (_keyId) => secret,
+        verifyNonce: env.ZT_NONCES === undefined
+            ? undefined
+            : async (keyId, nonce, ttlMs) => verifyNonceKv(env.ZT_NONCES, keyId, nonce, ttlMs),
+    });
+    if (!verifyResult.ok) {
+        return toErrorResponse(verifyResult.status, verifyResult.code, verifyResult.message);
+    }
+    return { ok: true };
+};
+const requireDb = (env) => {
+    const db = resolveD1Binding(env);
+    if (db === null) {
+        return toErrorResponse(400, 'CONFIG_ERROR', 'Missing D1 binding (DB) or binding name via D1_BINDING');
+    }
+    return db;
+};
+const toD1ExceptionResponse = (error) => {
+    const message = safeErrorMessage(error);
+    return toErrorResponse(500, 'D1_ERROR', message);
+};
+const parseSqlPayload = (payload) => {
+    if (!isObject(payload)) {
+        return { ok: false, response: toErrorResponse(400, 'VALIDATION_ERROR', 'Invalid body') };
+    }
+    const sql = payload['sql'];
+    const params = payload['params'];
+    if (!isString(sql)) {
+        return {
+            ok: false,
+            response: toErrorResponse(400, 'VALIDATION_ERROR', 'sql must be a string'),
+        };
+    }
+    return { ok: true, sql, params: isArray(params) ? params : [] };
+};
+const enforceSqlLimits = (env, sql, params) => {
+    const maxSqlBytes = getEnvInt(env, 'ZT_MAX_SQL_BYTES', DEFAULT_MAX_SQL_BYTES);
+    const maxParams = getEnvInt(env, 'ZT_MAX_PARAMS', DEFAULT_MAX_PARAMS);
+    if (new TextEncoder().encode(sql).byteLength > maxSqlBytes) {
+        return toErrorResponse(413, 'PAYLOAD_TOO_LARGE', 'SQL too large');
+    }
+    if (params.length > maxParams) {
+        return toErrorResponse(400, 'VALIDATION_ERROR', 'Too many params');
+    }
+    return null;
+};
+const readAndVerifyJson = async (request, env) => {
+    const maxBodyBytes = getEnvInt(env, 'ZT_MAX_BODY_BYTES', DEFAULT_MAX_BODY_BYTES);
+    const bodyResult = await readBodyBytes(request, maxBodyBytes);
+    if (!bodyResult.ok)
+        return { ok: false, response: bodyResult.response };
+    const auth = await verifySignedRequest(request, env, bodyResult.bytes);
+    if (auth instanceof Response)
+        return { ok: false, response: auth };
+    const parsed = parseOptionalJson(bodyResult.text);
+    if (!parsed.ok)
+        return { ok: false, response: parsed.response };
+    return { ok: true, payload: parsed.payload, bodyBytes: bodyResult.bytes };
+};
+const handleQuery = async (request, env) => {
+    try {
+        const check = await readAndVerifyJson(request, env);
+        if (!check.ok)
+            return check.response;
+        const db = requireDb(env);
+        if (db instanceof Response)
+            return db;
+        const parsed = parseSqlPayload(check.payload);
+        if (!parsed.ok)
+            return parsed.response;
+        const limit = enforceSqlLimits(env, parsed.sql, parsed.params);
+        if (limit !== null)
+            return limit;
+        const result = await db
+            .prepare(parsed.sql)
+            .bind(...parsed.params)
+            .all();
+        const rows = result.results ?? [];
+        return json(200, { rows, rowCount: rows.length });
     }
     catch (error) {
-        Logger.error(`Optional dependency not installed: @zintrust/cloudflare-d1-proxy. Install it to use ZintrustD1Proxy.`, { error: error instanceof Error ? error.message : String(error) });
-    }
-    return undefined;
-};
-// Proxy surface that defers loading until first usage.
-export const ZintrustD1Proxy = new Proxy({}, {
-    get(_target, prop) {
-        if (prop === Symbol.toStringTag)
-            return 'ZintrustD1Proxy';
-        return async (...args) => {
-            const mod = await load();
-            if (isUndefinedOrNull(mod) || typeof mod !== 'object')
-                return undefined;
-            const target = mod.ZintrustD1Proxy ?? mod.default;
-            if (!target || typeof target !== 'object') {
-                Logger.error(`Invalid module export from @zintrust/cloudflare-d1-proxy: missing ZintrustD1Proxy`);
-                return undefined;
-            }
-            const value = target[prop];
-            if (typeof value !== 'function')
-                return value;
-            return value(...args);
+        logProxyError(env, { op: 'query', path: '/zin/d1/query' }, error);
+        return toD1ExceptionResponse(error);
+    }
+};
+const handleQueryOne = async (request, env) => {
+    try {
+        const check = await readAndVerifyJson(request, env);
+        if (!check.ok)
+            return check.response;
+        const db = requireDb(env);
+        if (db instanceof Response)
+            return db;
+        const parsed = parseSqlPayload(check.payload);
+        if (!parsed.ok)
+            return parsed.response;
+        const limit = enforceSqlLimits(env, parsed.sql, parsed.params);
+        if (limit !== null)
+            return limit;
+        const row = await db
+            .prepare(parsed.sql)
+            .bind(...parsed.params)
+            .first();
+        return json(200, { row: row ?? null });
+    }
+    catch (error) {
+        logProxyError(env, { op: 'queryOne', path: '/zin/d1/queryOne' }, error);
+        return toD1ExceptionResponse(error);
+    }
+};
+const handleExec = async (request, env) => {
+    try {
+        const check = await readAndVerifyJson(request, env);
+        if (!check.ok)
+            return check.response;
+        const db = requireDb(env);
+        if (db instanceof Response)
+            return db;
+        const parsed = parseSqlPayload(check.payload);
+        if (!parsed.ok)
+            return parsed.response;
+        const limit = enforceSqlLimits(env, parsed.sql, parsed.params);
+        if (limit !== null)
+            return limit;
+        const out = await db
+            .prepare(parsed.sql)
+            .bind(...parsed.params)
+            .run();
+        return json(200, { ok: true, meta: out.meta });
+    }
+    catch (error) {
+        logProxyError(env, { op: 'exec', path: '/zin/d1/exec' }, error);
+        return toD1ExceptionResponse(error);
+    }
+};
+const parseStatementPayload = (payload) => {
+    if (!isObject(payload)) {
+        return { ok: false, response: toErrorResponse(400, 'VALIDATION_ERROR', 'Invalid body') };
+    }
+    const statementId = payload['statementId'];
+    const params = payload['params'];
+    if (!isString(statementId) || statementId.trim() === '') {
+        return {
+            ok: false,
+            response: toErrorResponse(400, 'VALIDATION_ERROR', 'statementId must be a string'),
         };
+    }
+    return { ok: true, statementId, params: isArray(params) ? params : [] };
+};
+const handleStatement = async (request, env) => {
+    try {
+        const check = await readAndVerifyJson(request, env);
+        if (!check.ok)
+            return check.response;
+        const db = requireDb(env);
+        if (db instanceof Response)
+            return db;
+        const statements = loadStatements(env);
+        if (statements === null) {
+            return toErrorResponse(400, 'CONFIG_ERROR', 'Missing or invalid ZT_D1_STATEMENTS_JSON');
+        }
+        const parsed = parseStatementPayload(check.payload);
+        if (!parsed.ok)
+            return parsed.response;
+        const sql = statements[parsed.statementId];
+        if (!isString(sql) || sql.trim() === '') {
+            return toErrorResponse(404, 'NOT_FOUND', 'Unknown statementId');
+        }
+        if (isMutatingSql(sql)) {
+            const out = await db
+                .prepare(sql)
+                .bind(...parsed.params)
+                .run();
+            return json(200, { ok: true, meta: out.meta });
+        }
+        const out = await db
+            .prepare(sql)
+            .bind(...parsed.params)
+            .all();
+        const rows = out.results ?? [];
+        return json(200, { rows, rowCount: rows.length });
+    }
+    catch (error) {
+        logProxyError(env, { op: 'statement', path: '/zin/d1/statement' }, error);
+        return toD1ExceptionResponse(error);
+    }
+};
+export const ZintrustD1Proxy = Object.freeze({
+    _ZINTRUST_CLOUDFLARE_D1_PROXY_VERSION: '0.1.15',
+    _ZINTRUST_CLOUDFLARE_D1_PROXY_BUILD_DATE: '__BUILD_DATE__',
+    async fetch(request, env) {
+        const url = new URL(request.url);
+        const methodError = RequestValidator.requirePost(request.method);
+        if (methodError !== null) {
+            return toErrorResponse(405, methodError.code, 'Method not allowed');
+        }
+        switch (url.pathname) {
+            case '/zin/d1/query':
+                return handleQuery(request, env);
+            case '/zin/d1/queryOne':
+                return handleQueryOne(request, env);
+            case '/zin/d1/exec':
+                return handleExec(request, env);
+            case '/zin/d1/statement':
+                return handleStatement(request, env);
+            default:
+                return toErrorResponse(404, 'NOT_FOUND', 'Not found');
+        }
     },
 });
 export default ZintrustD1Proxy;

package/src/proxy/kv/ZintrustKvProxy.d.ts

@@ -1,3 +1,44 @@
-export declare const ZintrustKvProxy: Record<string, unknown>;
+type KVNamespacePutOptions = {
+    expirationTtl?: number;
+};
+type KvGetType = 'text' | 'json' | 'arrayBuffer';
+type KVListResult = {
+    keys: Array<{
+        name: string;
+    }>;
+    cursor: string;
+    list_complete: boolean;
+};
+type KVNamespace = {
+    get: {
+        (key: string): Promise<string | null>;
+        (key: string, type: 'json'): Promise<Record<string, unknown> | null>;
+        (key: string, type: 'arrayBuffer'): Promise<ArrayBuffer | null>;
+        (key: string, type: KvGetType): Promise<Record<string, unknown> | ArrayBuffer | string | null>;
+    };
+    put: (key: string, value: string, options?: KVNamespacePutOptions) => Promise<void>;
+    delete: (key: string) => Promise<void>;
+    list: (options: {
+        prefix?: string;
+        limit?: number;
+        cursor?: string;
+    }) => Promise<KVListResult>;
+};
+type KvEnv = {
+    CACHE?: KVNamespace;
+    KV_NAMESPACE?: string;
+    APP_KEY?: string;
+    KV_REMOTE_SECRET?: string;
+    ZT_PROXY_SIGNING_WINDOW_MS?: string;
+    ZT_NONCES?: KVNamespace;
+    ZT_MAX_BODY_BYTES?: string;
+    ZT_KV_PREFIX?: string;
+    ZT_KV_LIST_LIMIT?: string;
+};
+export declare const ZintrustKvProxy: Readonly<{
+    _ZINTRUST_CLOUDFLARE_KV_PROXY_VERSION: "0.1.15";
+    _ZINTRUST_CLOUDFLARE_KV_PROXY_BUILD_DATE: "__BUILD_DATE__";
+    fetch(request: Request, env: KvEnv): Promise<Response>;
+}>;
 export default ZintrustKvProxy;
 //# sourceMappingURL=ZintrustKvProxy.d.ts.map

package/src/proxy/kv/ZintrustKvProxy.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"ZintrustKvProxy.d.ts","sourceRoot":"","sources":["../../../../src/proxy/kv/ZintrustKvProxy.ts"],"names":[],"mappings":"AA2BA,eAAO,MAAM,eAAe,EAuBZ,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;AAExC,eAAe,eAAe,CAAC"}
+{"version":3,"file":"ZintrustKvProxy.d.ts","sourceRoot":"","sources":["../../../../src/proxy/kv/ZintrustKvProxy.ts"],"names":[],"mappings":"AAKA,KAAK,qBAAqB,GAAG;IAC3B,aAAa,CAAC,EAAE,MAAM,CAAC;CACxB,CAAC;AAEF,KAAK,SAAS,GAAG,MAAM,GAAG,MAAM,GAAG,aAAa,CAAC;AAEjD,KAAK,YAAY,GAAG;IAClB,IAAI,EAAE,KAAK,CAAC;QAAE,IAAI,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;IAC9B,MAAM,EAAE,MAAM,CAAC;IACf,aAAa,EAAE,OAAO,CAAC;CACxB,CAAC;AAEF,KAAK,WAAW,GAAG;IACjB,GAAG,EAAE;QACH,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAAC;QACtC,CAAC,GAAG,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,IAAI,CAAC,CAAC;QACrE,CAAC,GAAG,EAAE,MAAM,EAAE,IAAI,EAAE,aAAa,GAAG,OAAO,CAAC,WAAW,GAAG,IAAI,CAAC,CAAC;QAChE,CAAC,GAAG,EAAE,MAAM,EAAE,IAAI,EAAE,SAAS,GAAG,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,WAAW,GAAG,MAAM,GAAG,IAAI,CAAC,CAAC;KAChG,CAAC;IACF,GAAG,EAAE,CAAC,GAAG,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,qBAAqB,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;IACpF,MAAM,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;IACvC,IAAI,EAAE,CAAC,OAAO,EAAE;QAAE,MAAM,CAAC,EAAE,MAAM,CAAC;QAAC,KAAK,CAAC,EAAE,MAAM,CAAC;QAAC,MAAM,CAAC,EAAE,MAAM,CAAA;KAAE,KAAK,OAAO,CAAC,YAAY,CAAC,CAAC;CAChG,CAAC;AAEF,KAAK,KAAK,GAAG;IACX,KAAK,CAAC,EAAE,WAAW,CAAC;IACpB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,0BAA0B,CAAC,EAAE,MAAM,CAAC;IACpC,SAAS,CAAC,EAAE,WAAW,CAAC;IACxB,iBAAiB,CAAC,EAAE,MAAM,CAAC;IAC3B,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,gBAAgB,CAAC,EAAE,MAAM,CAAC;CAC3B,CAAC;AA0WF,eAAO,MAAM,eAAe;;;mBAGL,OAAO,OAAO,KAAK,GAAG,OAAO,CAAC,QAAQ,CAAC;EAqB5D,CAAC;AAEH,eAAe,eAAe,CAAC"}

package/src/proxy/kv/ZintrustKvProxy.js

@@ -1,38 +1,301 @@
-import { isUndefinedOrNull } from '../../helper/index.js';
-import { Logger } from '../../config/logger.js';
-const MODULE_ID = '@zintrust/cloudflare-kv-proxy';
-let cached = null;
-const load = async () => {
-    if (cached !== null)
-        return cached;
-    try {
-        // Non-literal specifier to avoid tsconfig path alias rewriting in dist builds.
-        cached = (await import(MODULE_ID));
-        return cached;
-    }
-    catch (error) {
-        Logger.error(`Optional dependency not installed: ${MODULE_ID}. Install it to use ZintrustKvProxy.`, { error: error instanceof Error ? error.message : String(error) });
-    }
-    return undefined;
-};
-export const ZintrustKvProxy = new Proxy({}, {
-    get(_target, prop) {
-        if (prop === Symbol.toStringTag)
-            return 'ZintrustKvProxy';
-        return async (...args) => {
-            const mod = await load();
-            if (isUndefinedOrNull(mod) || typeof mod !== 'object')
-                return undefined;
-            const target = mod.ZintrustKvProxy ?? mod.default;
-            if (!target || typeof target !== 'object') {
-                Logger.error(`Invalid module export from ${MODULE_ID}: missing ZintrustKvProxy`);
-                return undefined;
-            }
-            const value = target[prop];
-            if (typeof value !== 'function')
-                return value;
-            return value(...args);
+import { isObject, isString } from '../../helper/index.js';
+import { ErrorHandler } from '../ErrorHandler.js';
+import { RequestValidator } from '../RequestValidator.js';
+import { SigningService } from '../SigningService.js';
+const DEFAULT_SIGNING_WINDOW_MS = 60_000;
+const DEFAULT_MAX_BODY_BYTES = 128 * 1024;
+const DEFAULT_LIST_LIMIT = 100;
+const json = (status, body) => {
+    return new Response(JSON.stringify(body), {
+        status,
+        headers: {
+            'Content-Type': 'application/json; charset=utf-8',
+            'Cache-Control': 'no-store',
+        },
+    });
+};
+const toErrorResponse = (status, code, message) => {
+    const error = ErrorHandler.toProxyError(status, code, message);
+    return json(error.status, error.body);
+};
+const getEnvInt = (env, name, fallback) => {
+    const raw = env[name];
+    if (!isString(raw))
+        return fallback;
+    const parsed = Number.parseInt(raw, 10);
+    return Number.isFinite(parsed) ? parsed : fallback;
+};
+const normalizeBindingName = (value) => {
+    if (!isString(value))
+        return null;
+    const trimmed = value.trim();
+    return trimmed === '' ? null : trimmed;
+};
+const readBodyBytes = async (request, maxBytes) => {
+    const buf = await request.arrayBuffer();
+    if (buf.byteLength > maxBytes) {
+        return {
+            ok: false,
+            response: toErrorResponse(413, 'PAYLOAD_TOO_LARGE', 'Body too large'),
         };
+    }
+    const bytes = new Uint8Array(buf);
+    const text = new TextDecoder().decode(bytes);
+    return { ok: true, bytes, text };
+};
+const parseOptionalJson = (text) => {
+    if (text.trim() === '')
+        return { ok: true, payload: null };
+    const parsed = RequestValidator.parseJson(text);
+    if (!parsed.ok) {
+        let message = parsed.error.message;
+        if (parsed.error.code === 'INVALID_JSON') {
+            message = 'Invalid JSON body';
+        }
+        else if (parsed.error.code === 'VALIDATION_ERROR') {
+            message = 'Invalid body';
+        }
+        return { ok: false, response: toErrorResponse(400, parsed.error.code, message) };
+    }
+    return { ok: true, payload: parsed.value };
+};
+const loadSigningSecret = (env) => {
+    const direct = isString(env.KV_REMOTE_SECRET) ? env.KV_REMOTE_SECRET.trim() : '';
+    if (direct !== '')
+        return direct;
+    const fallback = isString(env.APP_KEY) ? env.APP_KEY.trim() : '';
+    if (fallback !== '')
+        return fallback;
+    return null;
+};
+const verifyNonceKv = async (kv, keyId, nonce, ttlMs) => {
+    const ttlSeconds = Math.max(1, Math.ceil(ttlMs / 1000));
+    const storageKey = `nonce:${keyId}:${nonce}`;
+    const existing = await kv.get(storageKey);
+    if (existing !== null)
+        return false;
+    await kv.put(storageKey, '1', { expirationTtl: ttlSeconds });
+    return true;
+};
+const verifySignedRequest = async (request, env, bodyBytes) => {
+    const secret = loadSigningSecret(env);
+    if (secret === null) {
+        return toErrorResponse(500, 'CONFIG_ERROR', 'Missing signing secret (KV_REMOTE_SECRET or APP_KEY)');
+    }
+    const windowMs = getEnvInt(env, 'ZT_PROXY_SIGNING_WINDOW_MS', DEFAULT_SIGNING_WINDOW_MS);
+    const verifyResult = await SigningService.verifyWithKeyProvider({
+        method: request.method,
+        url: request.url,
+        body: bodyBytes,
+        headers: request.headers,
+        windowMs,
+        getSecretForKeyId: async (_keyId) => secret,
+        verifyNonce: env.ZT_NONCES === undefined
+            ? undefined
+            : async (keyId, nonce, ttlMs) => verifyNonceKv(env.ZT_NONCES, keyId, nonce, ttlMs),
+    });
+    if (!verifyResult.ok) {
+        return toErrorResponse(verifyResult.status, verifyResult.code, verifyResult.message);
+    }
+    return { ok: true };
+};
+const requireCache = (env) => {
+    if (env.CACHE !== undefined && env.CACHE !== null)
+        return env.CACHE;
+    const bindingName = normalizeBindingName(env.KV_NAMESPACE);
+    if (bindingName !== null) {
+        const record = env;
+        const kv = record[bindingName];
+        if (kv !== undefined && kv !== null)
+            return kv;
+    }
+    return toErrorResponse(500, 'CONFIG_ERROR', 'Missing KV binding (CACHE)');
+};
+const normalizeNamespace = (value) => {
+    if (!isString(value))
+        return undefined;
+    const trimmed = value.trim();
+    return trimmed === '' ? undefined : trimmed;
+};
+const buildStorageKey = (env, params) => {
+    const prefix = isString(env.ZT_KV_PREFIX) ? env.ZT_KV_PREFIX : '';
+    const namespace = normalizeNamespace(params.namespace);
+    const parts = [];
+    if (prefix.trim() !== '')
+        parts.push(prefix.trim());
+    if (namespace !== undefined)
+        parts.push(namespace);
+    parts.push(params.key);
+    return parts.join(':');
+};
+const readAndVerifyJson = async (request, env) => {
+    const maxBodyBytes = getEnvInt(env, 'ZT_MAX_BODY_BYTES', DEFAULT_MAX_BODY_BYTES);
+    const bodyResult = await readBodyBytes(request, maxBodyBytes);
+    if (!bodyResult.ok)
+        return { ok: false, response: bodyResult.response };
+    const auth = await verifySignedRequest(request, env, bodyResult.bytes);
+    if (auth instanceof Response)
+        return { ok: false, response: auth };
+    const parsed = parseOptionalJson(bodyResult.text);
+    if (!parsed.ok)
+        return { ok: false, response: parsed.response };
+    return { ok: true, payload: parsed.payload, bodyBytes: bodyResult.bytes };
+};
+const parseGetPayload = (payload) => {
+    if (!isObject(payload)) {
+        return { ok: false, response: toErrorResponse(400, 'VALIDATION_ERROR', 'Invalid body') };
+    }
+    const key = payload['key'];
+    const type = payload['type'];
+    if (!isString(key) || key.trim() === '') {
+        return { ok: false, response: toErrorResponse(400, 'VALIDATION_ERROR', 'key is required') };
+    }
+    const typeValue = type === 'text' || type === 'arrayBuffer' || type === 'json' ? type : 'text';
+    return { ok: true, namespace: normalizeNamespace(payload['namespace']), key, type: typeValue };
+};
+const handleGet = async (request, env) => {
+    const check = await readAndVerifyJson(request, env);
+    if (!check.ok)
+        return check.response;
+    const cache = requireCache(env);
+    if (cache instanceof Response)
+        return cache;
+    const parsed = parseGetPayload(check.payload);
+    if (!parsed.ok)
+        return parsed.response;
+    const storageKey = buildStorageKey(env, { namespace: parsed.namespace, key: parsed.key });
+    if (parsed.type === 'json') {
+        const value = await cache.get(storageKey, 'json');
+        return json(200, { value: value ?? null });
+    }
+    if (parsed.type === 'arrayBuffer') {
+        const value = await cache.get(storageKey, 'arrayBuffer');
+        return json(200, { value: value ?? null });
+    }
+    const value = await cache.get(storageKey);
+    return json(200, { value: value ?? null });
+};
+const parsePutPayload = (payload) => {
+    if (!isObject(payload)) {
+        return { ok: false, response: toErrorResponse(400, 'VALIDATION_ERROR', 'Invalid body') };
+    }
+    const key = payload['key'];
+    if (!isString(key) || key.trim() === '') {
+        return { ok: false, response: toErrorResponse(400, 'VALIDATION_ERROR', 'key is required') };
+    }
+    const ttlSeconds = payload['ttlSeconds'];
+    const ttl = typeof ttlSeconds === 'number' && Number.isFinite(ttlSeconds) && ttlSeconds > 0
+        ? ttlSeconds
+        : undefined;
+    return {
+        ok: true,
+        namespace: normalizeNamespace(payload['namespace']),
+        key,
+        value: payload['value'],
+        ttlSeconds: ttl,
+    };
+};
+const handlePut = async (request, env) => {
+    const check = await readAndVerifyJson(request, env);
+    if (!check.ok)
+        return check.response;
+    const cache = requireCache(env);
+    if (cache instanceof Response)
+        return cache;
+    const parsed = parsePutPayload(check.payload);
+    if (!parsed.ok)
+        return parsed.response;
+    const storageKey = buildStorageKey(env, { namespace: parsed.namespace, key: parsed.key });
+    const value = JSON.stringify(parsed.value);
+    const options = {};
+    if (parsed.ttlSeconds !== undefined) {
+        options.expirationTtl = Math.floor(parsed.ttlSeconds);
+    }
+    await cache.put(storageKey, value, options);
+    return json(200, { ok: true });
+};
+const parseDeletePayload = (payload) => {
+    if (!isObject(payload)) {
+        return { ok: false, response: toErrorResponse(400, 'VALIDATION_ERROR', 'Invalid body') };
+    }
+    const key = payload['key'];
+    if (!isString(key) || key.trim() === '') {
+        return { ok: false, response: toErrorResponse(400, 'VALIDATION_ERROR', 'key is required') };
+    }
+    return { ok: true, namespace: normalizeNamespace(payload['namespace']), key };
+};
+const handleDelete = async (request, env) => {
+    const check = await readAndVerifyJson(request, env);
+    if (!check.ok)
+        return check.response;
+    const cache = requireCache(env);
+    if (cache instanceof Response)
+        return cache;
+    const parsed = parseDeletePayload(check.payload);
+    if (!parsed.ok)
+        return parsed.response;
+    const storageKey = buildStorageKey(env, { namespace: parsed.namespace, key: parsed.key });
+    await cache.delete(storageKey);
+    return json(200, { ok: true });
+};
+const parseListPayload = (payload) => {
+    if (payload === null)
+        return { ok: true, params: {} };
+    if (!isObject(payload)) {
+        return { ok: false, response: toErrorResponse(400, 'VALIDATION_ERROR', 'Invalid body') };
+    }
+    const namespace = normalizeNamespace(payload['namespace']);
+    const prefix = isString(payload['prefix']) ? payload['prefix'] : undefined;
+    const cursor = isString(payload['cursor']) ? payload['cursor'] : undefined;
+    const limitRaw = payload['limit'];
+    const limitParsed = typeof limitRaw === 'number' && Number.isFinite(limitRaw) ? Math.floor(limitRaw) : undefined;
+    return { ok: true, params: { namespace, prefix, cursor, limit: limitParsed } };
+};
+const handleList = async (request, env) => {
+    const check = await readAndVerifyJson(request, env);
+    if (!check.ok)
+        return check.response;
+    const cache = requireCache(env);
+    if (cache instanceof Response)
+        return cache;
+    const parsed = parseListPayload(check.payload);
+    if (!parsed.ok)
+        return parsed.response;
+    const envLimit = getEnvInt(env, 'ZT_KV_LIST_LIMIT', DEFAULT_LIST_LIMIT);
+    const requested = parsed.params.limit ?? envLimit;
+    const limit = Math.max(1, Math.min(requested, envLimit));
+    const prefixKey = parsed.params.prefix;
+    const namespacePrefix = normalizeNamespace(parsed.params.namespace);
+    const basePrefix = buildStorageKey(env, { namespace: namespacePrefix, key: '' });
+    const fullPrefix = prefixKey === undefined ? basePrefix : `${basePrefix}${prefixKey}`;
+    const out = await cache.list({ prefix: fullPrefix, limit, cursor: parsed.params.cursor });
+    return json(200, {
+        keys: out.keys.map((key) => key.name),
+        cursor: out.cursor,
+        listComplete: out.list_complete,
+    });
+};
+export const ZintrustKvProxy = Object.freeze({
+    _ZINTRUST_CLOUDFLARE_KV_PROXY_VERSION: '0.1.15',
+    _ZINTRUST_CLOUDFLARE_KV_PROXY_BUILD_DATE: '__BUILD_DATE__',
+    async fetch(request, env) {
+        const url = new URL(request.url);
+        const methodError = RequestValidator.requirePost(request.method);
+        if (methodError !== null) {
+            return toErrorResponse(405, methodError.code, 'Method not allowed');
+        }
+        switch (url.pathname) {
+            case '/zin/kv/get':
+                return handleGet(request, env);
+            case '/zin/kv/put':
+                return handlePut(request, env);
+            case '/zin/kv/delete':
+                return handleDelete(request, env);
+            case '/zin/kv/list':
+                return handleList(request, env);
+            default:
+                return toErrorResponse(404, 'NOT_FOUND', 'Not found');
+        }
     },
 });
 export default ZintrustKvProxy;

package/src/zintrust.plugins.js

@@ -10,7 +10,7 @@
 // Uncomment and adapt to your project as needed.
 //
 // import { ZinTrustProcessor } from '../app/Workers/AdvancEmailWorker';
-// import { WorkerFactory, type WorkerFactoryConfig } from '@zintrust/workers';
+// import { WorkerFactory, type WorkerFactoryConfig } from '../packages/workers/src/index.js';
 //
 // type PreRegisteredProcessorSpec = {
 //   processorSpec: string;