@zintrust/core 0.4.33 → 0.4.36

package/src/index.js

@@ -1,11 +1,11 @@
 /**
- * @zintrust/core v0.4.33
+ * @zintrust/core v0.4.36
  *
  * ZinTrust Framework - Production-Grade TypeScript Backend
  * Built for performance, type safety, and exceptional developer experience
  *
  * Build Information:
- *   Built: 2026-03-29T18:23:05.480Z
+ *   Built: 2026-03-30T17:16:50.879Z
  *   Node: >=20.0.0
  *   License: MIT
  *
@@ -21,13 +21,13 @@
  * Available at runtime for debugging and health checks
  */
 export const ZINTRUST_VERSION = '0.1.41';
-export const ZINTRUST_BUILD_DATE = '2026-03-29T18:23:05.446Z'; // Replaced during build
+export const ZINTRUST_BUILD_DATE = '2026-03-30T17:16:50.845Z'; // Replaced during build
 export { Application } from './boot/Application.js';
 export { AwsSigV4 } from './common/index.js';
 export { SignedRequest } from './security/SignedRequest.js';
 export { Server } from './boot/Server.js';
 export { ServiceContainer } from './container/ServiceContainer.js';
-export { Paginator, createPaginator, getNextPageUrl, getPrevPageUrl } from './database/Paginator.js';
+export { createPaginator, getNextPageUrl, getPrevPageUrl, Paginator } from './database/Paginator.js';
 export { Controller } from './http/Controller.js';
 export { FileUpload } from './http/FileUpload.js';
 export { Kernel } from './http/Kernel.js';
@@ -39,7 +39,7 @@ export { MultipartParserRegistry } from './http/parsers/MultipartParserRegistry.
 export { Request } from './http/Request.js';
 export { RequestContext } from './http/RequestContext.js';
 export { Response } from './http/Response.js';
-export { ValidationHelper, getValidatedBody, getValidatedHeaders, getValidatedParams, getValidatedQuery, hasValidatedBody, requireValidatedBody, } from './http/ValidationHelper.js';
+export { getValidatedBody, getValidatedHeaders, getValidatedParams, getValidatedQuery, hasValidatedBody, requireValidatedBody, ValidationHelper, } from './http/ValidationHelper.js';
 export { CsrfMiddleware } from './middleware/CsrfMiddleware.js';
 export { ErrorHandlerMiddleware } from './middleware/ErrorHandlerMiddleware.js';
 export { LoggingMiddleware } from './middleware/LoggingMiddleware.js';
@@ -64,13 +64,13 @@ export { Schema as MigrationSchema } from './migrations/schema/index.js';
 // Adapter registry (for external adapter packages)
 export { OpenApiGenerator } from './openapi/OpenApiGenerator.js';
 export { Router } from './routes/Router.js';
-export { RouteRegistry, normalizeRouteMeta } from './routes/RouteRegistry.js';
+export { normalizeRouteMeta, RouteRegistry } from './routes/RouteRegistry.js';
 export { DatabaseAdapterRegistry } from './orm/DatabaseAdapterRegistry.js';
 // Common
-export { Utilities, generateSecureJobId, generateUuid, getString, } from './common/utility.js';
+export { generateSecureJobId, generateUuid, getString, Utilities, } from './common/utility.js';
 export { delay, ensureDirSafe } from './common/index.js';
 // Collections
-export { Collection, collect } from './collections/index.js';
+export { collect, Collection } from './collections/index.js';
 // HTTP Client
 export { HttpClient } from './tools/http/Http.js';
 // Profiling
@@ -94,14 +94,14 @@ export { Hash } from './security/Hash.js';
 export { JwtManager } from './security/JwtManager.js';
 export { JwtSessions } from './security/JwtSessions.js';
 export { PasswordResetTokenBroker } from './security/PasswordResetTokenBroker.js';
-export { Sanitizer, createSanitizer } from './security/Sanitizer.js';
+export { createSanitizer, Sanitizer } from './security/Sanitizer.js';
 export { TokenRevocation } from './security/TokenRevocation.js';
 export { Xss } from './security/Xss.js';
 export { XssProtection } from './security/XssProtection.js';
 // Exceptions
 export { ErrorFactory } from './exceptions/ZintrustError.js';
 // Runtime services
-export { RUNTIME_PLATFORM, RuntimeServices, detectCloudflareWorkers, detectRuntimePlatform, } from './runtime/RuntimeServices.js';
+export { detectCloudflareWorkers, detectRuntimePlatform, RUNTIME_PLATFORM, RuntimeServices, } from './runtime/RuntimeServices.js';
 // Events
 export { EventDispatcher } from './events/EventDispatcher.js';
 // Sessions
@@ -132,7 +132,7 @@ export { ServiceAuthMiddleware } from './microservices/ServiceAuthMiddleware.js'
 export { HealthCheckHandler, ServiceHealthMonitor } from './microservices/ServiceHealthMonitor.js';
 export { getServiceId, isCanonicalServiceId, normalizeServiceManifest, } from './microservices/ServiceManifest.js';
 export { ProjectRuntime } from './runtime/ProjectRuntime.js';
-export { MiddlewareKeys, clearMiddlewareConfigCache, middlewareConfig } from './config/middleware.js';
+export { clearMiddlewareConfigCache, middlewareConfig, MiddlewareKeys } from './config/middleware.js';
 export { createBaseDrivers, queueConfig } from './config/queue.js';
 export { default as broadcastConfig } from './config/broadcast.js';
 export { default as notificationConfig } from './config/notification.js';
@@ -143,7 +143,7 @@ export { startupConfig } from './config/startup.js';
 export { Constants, DEFAULTS, ENV_KEYS, HTTP_HEADERS, MIME_TYPES } from './config/constants.js';
 export { FeatureFlags } from './config/features.js';
 export { Cloudflare } from './config/cloudflare.js';
-export { SECRETS, SecretsManager, getDatabaseCredentials, getJwtSecrets, } from './config/SecretsManager.js';
+export { getDatabaseCredentials, getJwtSecrets, SECRETS, SecretsManager, } from './config/SecretsManager.js';
 // Config (validation)
 export { StartupConfigValidator } from './config/StartupConfigValidator.js';
 export { Mail } from './tools/mail/index.js';
@@ -225,7 +225,7 @@ export { ZintrustLang } from './lang/lang.js';
 // Workers config
 export { createRedisConnection, workersConfig } from './config/workers.js';
 // Redis config key - Singleton exports
-export { RedisKeys, createRedisKey, extractOriginalKey, getBullMQSafeQueueName, getPrefix, isAppKey, } from './tools/redis/RedisKeyManager.js';
+export { createRedisKey, extractOriginalKey, getBullMQSafeQueueName, getPrefix, isAppKey, RedisKeys, } from './tools/redis/RedisKeyManager.js';
 export { CloudflareSocket } from './sockets/CloudflareSocket.js';
 export { detectRuntime } from './runtime/detectRuntime.js';
 // NOTE: Node-only exports (like FileLogWriter, process) are intentionally not

package/src/proxy/CloudflareProxyShared.d.ts

@@ -0,0 +1,50 @@
+export type ProxyNoncePutOptions = {
+    expirationTtl?: number;
+};
+export type ProxyNonceNamespace = {
+    get: (key: string) => Promise<string | null>;
+    put: (key: string, value: string, options?: ProxyNoncePutOptions) => Promise<void>;
+};
+type SignedRequestOptions = Readonly<{
+    secretEnvVar: string;
+    missingSecretStatus: number;
+    missingSecretMessage: string;
+    defaultSigningWindowMs: number;
+}>;
+type ReadAndVerifyJsonOptions = SignedRequestOptions & Readonly<{
+    defaultMaxBodyBytes: number;
+}>;
+type ProxyRequestEnv = object;
+export declare const json: (status: number, body: unknown) => Response;
+export declare const toErrorResponse: (status: number, code: string, message: string) => Response;
+export declare const getEnvInt: (env: ProxyRequestEnv, name: string, fallback: number) => number;
+export declare const normalizeBindingName: (value: unknown) => string | null;
+export declare const readBodyBytes: (request: Request, maxBytes: number) => Promise<{
+    ok: true;
+    bytes: Uint8Array;
+    text: string;
+} | {
+    ok: false;
+    response: Response;
+}>;
+export declare const parseOptionalJson: (text: string) => {
+    ok: true;
+    payload: Record<string, unknown> | null;
+} | {
+    ok: false;
+    response: Response;
+};
+export declare const verifyNonceKv: (kv: ProxyNonceNamespace, keyId: string, nonce: string, ttlMs: number) => Promise<boolean>;
+export declare const verifySignedRequest: (request: Request, env: ProxyRequestEnv, bodyBytes: Uint8Array, options: SignedRequestOptions) => Promise<Response | {
+    ok: true;
+}>;
+export declare const readAndVerifyJson: (request: Request, env: ProxyRequestEnv, options: ReadAndVerifyJsonOptions) => Promise<{
+    ok: true;
+    payload: Record<string, unknown> | null;
+    bodyBytes: Uint8Array;
+} | {
+    ok: false;
+    response: Response;
+}>;
+export {};
+//# sourceMappingURL=CloudflareProxyShared.d.ts.map

package/src/proxy/CloudflareProxyShared.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"CloudflareProxyShared.d.ts","sourceRoot":"","sources":["../../../src/proxy/CloudflareProxyShared.ts"],"names":[],"mappings":"AAKA,MAAM,MAAM,oBAAoB,GAAG;IACjC,aAAa,CAAC,EAAE,MAAM,CAAC;CACxB,CAAC;AAEF,MAAM,MAAM,mBAAmB,GAAG;IAChC,GAAG,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAAC;IAC7C,GAAG,EAAE,CAAC,GAAG,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,oBAAoB,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;CACpF,CAAC;AAEF,KAAK,oBAAoB,GAAG,QAAQ,CAAC;IACnC,YAAY,EAAE,MAAM,CAAC;IACrB,mBAAmB,EAAE,MAAM,CAAC;IAC5B,oBAAoB,EAAE,MAAM,CAAC;IAC7B,sBAAsB,EAAE,MAAM,CAAC;CAChC,CAAC,CAAC;AAEH,KAAK,wBAAwB,GAAG,oBAAoB,GAClD,QAAQ,CAAC;IACP,mBAAmB,EAAE,MAAM,CAAC;CAC7B,CAAC,CAAC;AAEL,KAAK,eAAe,GAAG,MAAM,CAAC;AAE9B,eAAO,MAAM,IAAI,GAAI,QAAQ,MAAM,EAAE,MAAM,OAAO,KAAG,QAQpD,CAAC;AAEF,eAAO,MAAM,eAAe,GAAI,QAAQ,MAAM,EAAE,MAAM,MAAM,EAAE,SAAS,MAAM,KAAG,QAG/E,CAAC;AAMF,eAAO,MAAM,SAAS,GAAI,KAAK,eAAe,EAAE,MAAM,MAAM,EAAE,UAAU,MAAM,KAAG,MAKhF,CAAC;AAEF,eAAO,MAAM,oBAAoB,GAAI,OAAO,OAAO,KAAG,MAAM,GAAG,IAI9D,CAAC;AAEF,eAAO,MAAM,aAAa,GACxB,SAAS,OAAO,EAChB,UAAU,MAAM,KACf,OAAO,CAAC;IAAE,EAAE,EAAE,IAAI,CAAC;IAAC,KAAK,EAAE,UAAU,CAAC;IAAC,IAAI,EAAE,MAAM,CAAA;CAAE,GAAG;IAAE,EAAE,EAAE,KAAK,CAAC;IAAC,QAAQ,EAAE,QAAQ,CAAA;CAAE,CAY3F,CAAC;AAEF,eAAO,MAAM,iBAAiB,GAC5B,MAAM,MAAM,KACX;IAAE,EAAE,EAAE,IAAI,CAAC;IAAC,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,IAAI,CAAA;CAAE,GAAG;IAAE,EAAE,EAAE,KAAK,CAAC;IAAC,QAAQ,EAAE,QAAQ,CAAA;CAezF,CAAC;AAcF,eAAO,MAAM,aAAa,GACxB,IAAI,mBAAmB,EACvB,OAAO,MAAM,EACb,OAAO,MAAM,EACb,OAAO,MAAM,KACZ,OAAO,CAAC,OAAO,CAOjB,CAAC;AAEF,eAAO,MAAM,mBAAmB,GAC9B,SAAS,OAAO,EAChB,KAAK,eAAe,EACpB,WAAW,UAAU,EACrB,SAAS,oBAAoB,KAC5B,OAAO,CAAC,QAAQ,GAAG;IAAE,EAAE,EAAE,IAAI,CAAA;CAAE,CA+BjC,CAAC;AAEF,eAAO,MAAM,iBAAiB,GAC5B,SAAS,OAAO,EAChB,KAAK,eAAe,EACpB,SAAS,wBAAwB,KAChC,OAAO,CACN;IAAE,EAAE,EAAE,IAAI,CAAC;IAAC,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,IAAI,CAAC;IAAC,SAAS,EAAE,UAAU,CAAA;CAAE,GAC5E;IAAE,EAAE,EAAE,KAAK,CAAC;IAAC,QAAQ,EAAE,QAAQ,CAAA;CAAE,CAapC,CAAC"}

package/src/proxy/CloudflareProxyShared.js

@@ -0,0 +1,117 @@
+import { isString } from '../helper/index.js';
+import { ErrorHandler } from './ErrorHandler.js';
+import { RequestValidator } from './RequestValidator.js';
+import { SigningService } from './SigningService.js';
+export const json = (status, body) => {
+    return new Response(JSON.stringify(body), {
+        status,
+        headers: {
+            'Content-Type': 'application/json; charset=utf-8',
+            'Cache-Control': 'no-store',
+        },
+    });
+};
+export const toErrorResponse = (status, code, message) => {
+    const error = ErrorHandler.toProxyError(status, code, message);
+    return json(error.status, error.body);
+};
+const getEnvValue = (env, name) => {
+    return env[name];
+};
+export const getEnvInt = (env, name, fallback) => {
+    const raw = getEnvValue(env, name);
+    if (!isString(raw))
+        return fallback;
+    const parsed = Number.parseInt(raw, 10);
+    return Number.isFinite(parsed) ? parsed : fallback;
+};
+export const normalizeBindingName = (value) => {
+    if (!isString(value))
+        return null;
+    const trimmed = value.trim();
+    return trimmed === '' ? null : trimmed;
+};
+export const readBodyBytes = async (request, maxBytes) => {
+    const buf = await request.arrayBuffer();
+    if (buf.byteLength > maxBytes) {
+        return {
+            ok: false,
+            response: toErrorResponse(413, 'PAYLOAD_TOO_LARGE', 'Body too large'),
+        };
+    }
+    const bytes = new Uint8Array(buf);
+    const text = new TextDecoder().decode(bytes);
+    return { ok: true, bytes, text };
+};
+export const parseOptionalJson = (text) => {
+    if (text.trim() === '')
+        return { ok: true, payload: null };
+    const parsed = RequestValidator.parseJson(text);
+    if (!parsed.ok) {
+        let message = parsed.error.message;
+        if (parsed.error.code === 'INVALID_JSON') {
+            message = 'Invalid JSON body';
+        }
+        else if (parsed.error.code === 'VALIDATION_ERROR') {
+            message = 'Invalid body';
+        }
+        return { ok: false, response: toErrorResponse(400, parsed.error.code, message) };
+    }
+    return { ok: true, payload: parsed.value };
+};
+const loadSigningSecret = (env, secretEnvVar) => {
+    const directValue = getEnvValue(env, secretEnvVar);
+    const direct = isString(directValue) ? directValue.trim() : '';
+    if (direct !== '')
+        return direct;
+    const fallbackValue = getEnvValue(env, 'APP_KEY');
+    const fallback = isString(fallbackValue) ? fallbackValue.trim() : '';
+    if (fallback !== '')
+        return fallback;
+    return null;
+};
+export const verifyNonceKv = async (kv, keyId, nonce, ttlMs) => {
+    const ttlSeconds = Math.max(1, Math.ceil(ttlMs / 1000));
+    const storageKey = `nonce:${keyId}:${nonce}`;
+    const existing = await kv.get(storageKey);
+    if (existing !== null)
+        return false;
+    await kv.put(storageKey, '1', { expirationTtl: ttlSeconds });
+    return true;
+};
+export const verifySignedRequest = async (request, env, bodyBytes, options) => {
+    const secret = loadSigningSecret(env, options.secretEnvVar);
+    if (secret === null) {
+        return toErrorResponse(options.missingSecretStatus, 'CONFIG_ERROR', options.missingSecretMessage);
+    }
+    const windowMs = getEnvInt(env, 'ZT_PROXY_SIGNING_WINDOW_MS', options.defaultSigningWindowMs);
+    const nonceStore = getEnvValue(env, 'ZT_NONCES');
+    const verifyResult = await SigningService.verifyWithKeyProvider({
+        method: request.method,
+        url: request.url,
+        body: bodyBytes,
+        headers: request.headers,
+        windowMs,
+        getSecretForKeyId: (_keyId) => secret,
+        verifyNonce: nonceStore === undefined || nonceStore === null
+            ? undefined
+            : async (keyId, nonce, ttlMs) => verifyNonceKv(nonceStore, keyId, nonce, ttlMs),
+    });
+    if (!verifyResult.ok) {
+        return toErrorResponse(verifyResult.status, verifyResult.code, verifyResult.message);
+    }
+    return { ok: true };
+};
+export const readAndVerifyJson = async (request, env, options) => {
+    const maxBodyBytes = getEnvInt(env, 'ZT_MAX_BODY_BYTES', options.defaultMaxBodyBytes);
+    const bodyResult = await readBodyBytes(request, maxBodyBytes);
+    if (!bodyResult.ok)
+        return { ok: false, response: bodyResult.response };
+    const auth = await verifySignedRequest(request, env, bodyResult.bytes, options);
+    if (auth instanceof Response)
+        return { ok: false, response: auth };
+    const parsed = parseOptionalJson(bodyResult.text);
+    if (!parsed.ok)
+        return { ok: false, response: parsed.response };
+    return { ok: true, payload: parsed.payload, bodyBytes: bodyResult.bytes };
+};

package/src/proxy/d1/ZintrustD1Proxy.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"ZintrustD1Proxy.d.ts","sourceRoot":"","sources":["../../../../src/proxy/d1/ZintrustD1Proxy.ts"],"names":[],"mappings":"AAMA,KAAK,SAAS,GAAG,MAAM,GAAG,MAAM,GAAG,aAAa,CAAC;AAEjD,KAAK,qBAAqB,GAAG;IAC3B,aAAa,CAAC,EAAE,MAAM,CAAC;CACxB,CAAC;AAEF,KAAK,WAAW,GAAG;IACjB,GAAG,EAAE;QACH,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAAC;QACtC,CAAC,GAAG,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,IAAI,CAAC,CAAC;QACrE,CAAC,GAAG,EAAE,MAAM,EAAE,IAAI,EAAE,aAAa,GAAG,OAAO,CAAC,WAAW,GAAG,IAAI,CAAC,CAAC;QAChE,CAAC,GAAG,EAAE,MAAM,EAAE,IAAI,EAAE,SAAS,GAAG,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,WAAW,GAAG,MAAM,GAAG,IAAI,CAAC,CAAC;KAChG,CAAC;IACF,GAAG,EAAE,CAAC,GAAG,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,qBAAqB,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;CACrF,CAAC;AAEF,KAAK,WAAW,CAAC,CAAC,IAAI;IACpB,OAAO,CAAC,EAAE,CAAC,EAAE,CAAC;CACf,CAAC;AAEF,KAAK,WAAW,GAAG;IACjB,IAAI,CAAC,EAAE,OAAO,CAAC;CAChB,CAAC;AAEF,KAAK,mBAAmB,GAAG;IACzB,IAAI,EAAE,CAAC,GAAG,MAAM,EAAE,OAAO,EAAE,KAAK,mBAAmB,CAAC;IACpD,GAAG,EAAE,CAAC,CAAC,GAAG,OAAO,OAAO,OAAO,CAAC,WAAW,CAAC,CAAC,CAAC,CAAC,CAAC;IAChD,KAAK,EAAE,CAAC,CAAC,GAAG,OAAO,OAAO,OAAO,CAAC,CAAC,GAAG,IAAI,CAAC,CAAC;IAC5C,GAAG,EAAE,MAAM,OAAO,CAAC,WAAW,CAAC,CAAC;CACjC,CAAC;AAEF,KAAK,UAAU,GAAG;IAChB,OAAO,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,mBAAmB,CAAC;CAC/C,CAAC;AAEF,KAAK,KAAK,GAAG;IACX,EAAE,CAAC,EAAE,UAAU,CAAC;IAChB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,0BAA0B,CAAC,EAAE,MAAM,CAAC;IACpC,SAAS,CAAC,EAAE,WAAW,CAAC;IACxB,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,iBAAiB,CAAC,EAAE,MAAM,CAAC;IAC3B,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,qBAAqB,CAAC,EAAE,MAAM,CAAC;CAChC,CAAC;AAkZF,eAAO,MAAM,eAAe;;;mBAGL,OAAO,OAAO,KAAK,GAAG,OAAO,CAAC,QAAQ,CAAC;EAqB5D,CAAC;AAEH,eAAe,eAAe,CAAC"}
+{"version":3,"file":"ZintrustD1Proxy.d.ts","sourceRoot":"","sources":["../../../../src/proxy/d1/ZintrustD1Proxy.ts"],"names":[],"mappings":"AAWA,KAAK,SAAS,GAAG,MAAM,GAAG,MAAM,GAAG,aAAa,CAAC;AAEjD,KAAK,qBAAqB,GAAG;IAC3B,aAAa,CAAC,EAAE,MAAM,CAAC;CACxB,CAAC;AAEF,KAAK,WAAW,GAAG;IACjB,GAAG,EAAE;QACH,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAAC;QACtC,CAAC,GAAG,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,IAAI,CAAC,CAAC;QACrE,CAAC,GAAG,EAAE,MAAM,EAAE,IAAI,EAAE,aAAa,GAAG,OAAO,CAAC,WAAW,GAAG,IAAI,CAAC,CAAC;QAChE,CAAC,GAAG,EAAE,MAAM,EAAE,IAAI,EAAE,SAAS,GAAG,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,WAAW,GAAG,MAAM,GAAG,IAAI,CAAC,CAAC;KAChG,CAAC;IACF,GAAG,EAAE,CAAC,GAAG,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,qBAAqB,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;CACrF,CAAC;AAEF,KAAK,WAAW,CAAC,CAAC,IAAI;IACpB,OAAO,CAAC,EAAE,CAAC,EAAE,CAAC;CACf,CAAC;AAEF,KAAK,WAAW,GAAG;IACjB,IAAI,CAAC,EAAE,OAAO,CAAC;CAChB,CAAC;AAEF,KAAK,mBAAmB,GAAG;IACzB,IAAI,EAAE,CAAC,GAAG,MAAM,EAAE,OAAO,EAAE,KAAK,mBAAmB,CAAC;IACpD,GAAG,EAAE,CAAC,CAAC,GAAG,OAAO,OAAO,OAAO,CAAC,WAAW,CAAC,CAAC,CAAC,CAAC,CAAC;IAChD,KAAK,EAAE,CAAC,CAAC,GAAG,OAAO,OAAO,OAAO,CAAC,CAAC,GAAG,IAAI,CAAC,CAAC;IAC5C,GAAG,EAAE,MAAM,OAAO,CAAC,WAAW,CAAC,CAAC;CACjC,CAAC;AAEF,KAAK,UAAU,GAAG;IAChB,OAAO,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,mBAAmB,CAAC;CAC/C,CAAC;AAEF,KAAK,KAAK,GAAG;IACX,EAAE,CAAC,EAAE,UAAU,CAAC;IAChB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,0BAA0B,CAAC,EAAE,MAAM,CAAC;IACpC,SAAS,CAAC,EAAE,WAAW,CAAC;IACxB,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,iBAAiB,CAAC,EAAE,MAAM,CAAC;IAC3B,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,qBAAqB,CAAC,EAAE,MAAM,CAAC;CAChC,CAAC;AA6QF,eAAO,MAAM,eAAe;;;mBAGL,OAAO,OAAO,KAAK,GAAG,OAAO,CAAC,QAAQ,CAAC;EAqB5D,CAAC;AAEH,eAAe,eAAe,CAAC"}

package/src/proxy/d1/ZintrustD1Proxy.js

@@ -1,30 +1,11 @@
 import { Logger } from '../../config/logger.js';
 import { isArray, isObject, isString } from '../../helper/index.js';
-import { ErrorHandler } from '../ErrorHandler.js';
+import { getEnvInt, json, normalizeBindingName, readAndVerifyJson, toErrorResponse, } from '../CloudflareProxyShared.js';
 import { RequestValidator } from '../RequestValidator.js';
-import { SigningService } from '../SigningService.js';
 const DEFAULT_SIGNING_WINDOW_MS = 60_000;
 const DEFAULT_MAX_BODY_BYTES = 128 * 1024;
 const DEFAULT_MAX_SQL_BYTES = 32 * 1024;
 const DEFAULT_MAX_PARAMS = 256;
-const json = (status, body) => new Response(JSON.stringify(body), {
-    status,
-    headers: {
-        'Content-Type': 'application/json; charset=utf-8',
-        'Cache-Control': 'no-store',
-    },
-});
-const toErrorResponse = (status, code, message) => {
-    const error = ErrorHandler.toProxyError(status, code, message);
-    return json(error.status, error.body);
-};
-const getEnvInt = (env, name, fallback) => {
-    const raw = env[name];
-    if (!isString(raw))
-        return fallback;
-    const parsed = Number.parseInt(raw, 10);
-    return Number.isFinite(parsed) ? parsed : fallback;
-};
 const isDebugEnabled = (env) => {
     const raw = env.ZT_PROXY_DEBUG;
     if (!isString(raw))
@@ -52,12 +33,6 @@ const logProxyError = (env, context, error) => {
         message: safeErrorMessage(error).slice(0, 800),
     });
 };
-const normalizeBindingName = (value) => {
-    if (!isString(value))
-        return null;
-    const trimmed = value.trim();
-    return trimmed === '' ? null : trimmed;
-};
 const resolveD1Binding = (env) => {
     const candidates = ['DB', 'zintrust_db', normalizeBindingName(env.D1_BINDING)].filter((value, index, values) => isString(value) && value.trim() !== '' && values.indexOf(value) === index);
     const record = env;
@@ -69,43 +44,6 @@ const resolveD1Binding = (env) => {
     }
     return null;
 };
-const readBodyBytes = async (request, maxBytes) => {
-    const buf = await request.arrayBuffer();
-    if (buf.byteLength > maxBytes) {
-        return {
-            ok: false,
-            response: toErrorResponse(413, 'PAYLOAD_TOO_LARGE', 'Body too large'),
-        };
-    }
-    const bytes = new Uint8Array(buf);
-    const text = new TextDecoder().decode(bytes);
-    return { ok: true, bytes, text };
-};
-const parseOptionalJson = (text) => {
-    if (text.trim() === '')
-        return { ok: true, payload: null };
-    const parsed = RequestValidator.parseJson(text);
-    if (!parsed.ok) {
-        let message = parsed.error.message;
-        if (parsed.error.code === 'INVALID_JSON') {
-            message = 'Invalid JSON body';
-        }
-        else if (parsed.error.code === 'VALIDATION_ERROR') {
-            message = 'Invalid body';
-        }
-        return { ok: false, response: toErrorResponse(400, parsed.error.code, message) };
-    }
-    return { ok: true, payload: parsed.value };
-};
-const loadSigningSecret = (env) => {
-    const direct = isString(env.D1_REMOTE_SECRET) ? env.D1_REMOTE_SECRET.trim() : '';
-    if (direct !== '')
-        return direct;
-    const fallback = isString(env.APP_KEY) ? env.APP_KEY.trim() : '';
-    if (fallback !== '')
-        return fallback;
-    return null;
-};
 const loadStatements = (env) => {
     const raw = env.ZT_D1_STATEMENTS_JSON;
     if (!isString(raw) || raw.trim() === '')
@@ -130,37 +68,6 @@ const isMutatingSql = (sql) => {
         normalized.startsWith('alter') ||
         normalized.startsWith('replace'));
 };
-const verifyNonceKv = async (kv, keyId, nonce, ttlMs) => {
-    const ttlSeconds = Math.max(1, Math.ceil(ttlMs / 1000));
-    const storageKey = `nonce:${keyId}:${nonce}`;
-    const existing = await kv.get(storageKey);
-    if (existing !== null)
-        return false;
-    await kv.put(storageKey, '1', { expirationTtl: ttlSeconds });
-    return true;
-};
-const verifySignedRequest = async (request, env, bodyBytes) => {
-    const secret = loadSigningSecret(env);
-    if (secret === null) {
-        return toErrorResponse(401, 'CONFIG_ERROR', 'Missing signing secret (D1_REMOTE_SECRET or APP_KEY)');
-    }
-    const windowMs = getEnvInt(env, 'ZT_PROXY_SIGNING_WINDOW_MS', DEFAULT_SIGNING_WINDOW_MS);
-    const verifyResult = await SigningService.verifyWithKeyProvider({
-        method: request.method,
-        url: request.url,
-        body: bodyBytes,
-        headers: request.headers,
-        windowMs,
-        getSecretForKeyId: (_keyId) => secret,
-        verifyNonce: env.ZT_NONCES === undefined
-            ? undefined
-            : async (keyId, nonce, ttlMs) => verifyNonceKv(env.ZT_NONCES, keyId, nonce, ttlMs),
-    });
-    if (!verifyResult.ok) {
-        return toErrorResponse(verifyResult.status, verifyResult.code, verifyResult.message);
-    }
-    return { ok: true };
-};
 const requireDb = (env) => {
     const db = resolveD1Binding(env);
     if (db === null) {
@@ -197,36 +104,41 @@ const enforceSqlLimits = (env, sql, params) => {
     }
     return null;
 };
-const readAndVerifyJson = async (request, env) => {
-    const maxBodyBytes = getEnvInt(env, 'ZT_MAX_BODY_BYTES', DEFAULT_MAX_BODY_BYTES);
-    const bodyResult = await readBodyBytes(request, maxBodyBytes);
-    if (!bodyResult.ok)
-        return { ok: false, response: bodyResult.response };
-    const auth = await verifySignedRequest(request, env, bodyResult.bytes);
-    if (auth instanceof Response)
-        return { ok: false, response: auth };
-    const parsed = parseOptionalJson(bodyResult.text);
+const resolveDbRequest = async (request, env) => {
+    const check = await readAndVerifyJson(request, env, {
+        secretEnvVar: 'D1_REMOTE_SECRET',
+        missingSecretStatus: 401,
+        missingSecretMessage: 'Missing signing secret (D1_REMOTE_SECRET or APP_KEY)',
+        defaultSigningWindowMs: DEFAULT_SIGNING_WINDOW_MS,
+        defaultMaxBodyBytes: DEFAULT_MAX_BODY_BYTES,
+    });
+    if (!check.ok)
+        return { ok: false, response: check.response };
+    const db = requireDb(env);
+    if (db instanceof Response)
+        return { ok: false, response: db };
+    return { ok: true, db, payload: check.payload };
+};
+const resolveSqlRequest = async (request, env) => {
+    const resolved = await resolveDbRequest(request, env);
+    if (!resolved.ok)
+        return { ok: false, response: resolved.response };
+    const parsed = parseSqlPayload(resolved.payload);
     if (!parsed.ok)
         return { ok: false, response: parsed.response };
-    return { ok: true, payload: parsed.payload, bodyBytes: bodyResult.bytes };
+    const limit = enforceSqlLimits(env, parsed.sql, parsed.params);
+    if (limit !== null)
+        return { ok: false, response: limit };
+    return { ok: true, db: resolved.db, sql: parsed.sql, params: parsed.params };
 };
 const handleQuery = async (request, env) => {
     try {
-        const check = await readAndVerifyJson(request, env);
-        if (!check.ok)
-            return check.response;
-        const db = requireDb(env);
-        if (db instanceof Response)
-            return db;
-        const parsed = parseSqlPayload(check.payload);
-        if (!parsed.ok)
-            return parsed.response;
-        const limit = enforceSqlLimits(env, parsed.sql, parsed.params);
-        if (limit !== null)
-            return limit;
-        const result = await db
-            .prepare(parsed.sql)
-            .bind(...parsed.params)
+        const resolved = await resolveSqlRequest(request, env);
+        if (!resolved.ok)
+            return resolved.response;
+        const result = await resolved.db
+            .prepare(resolved.sql)
+            .bind(...resolved.params)
             .all();
         const rows = result.results ?? [];
         return json(200, { rows, rowCount: rows.length });
@@ -238,21 +150,12 @@ const handleQuery = async (request, env) => {
 };
 const handleQueryOne = async (request, env) => {
     try {
-        const check = await readAndVerifyJson(request, env);
-        if (!check.ok)
-            return check.response;
-        const db = requireDb(env);
-        if (db instanceof Response)
-            return db;
-        const parsed = parseSqlPayload(check.payload);
-        if (!parsed.ok)
-            return parsed.response;
-        const limit = enforceSqlLimits(env, parsed.sql, parsed.params);
-        if (limit !== null)
-            return limit;
-        const row = await db
-            .prepare(parsed.sql)
-            .bind(...parsed.params)
+        const resolved = await resolveSqlRequest(request, env);
+        if (!resolved.ok)
+            return resolved.response;
+        const row = await resolved.db
+            .prepare(resolved.sql)
+            .bind(...resolved.params)
             .first();
         return json(200, { row: row ?? null });
     }
@@ -263,21 +166,12 @@ const handleQueryOne = async (request, env) => {
 };
 const handleExec = async (request, env) => {
     try {
-        const check = await readAndVerifyJson(request, env);
-        if (!check.ok)
-            return check.response;
-        const db = requireDb(env);
-        if (db instanceof Response)
-            return db;
-        const parsed = parseSqlPayload(check.payload);
-        if (!parsed.ok)
-            return parsed.response;
-        const limit = enforceSqlLimits(env, parsed.sql, parsed.params);
-        if (limit !== null)
-            return limit;
-        const out = await db
-            .prepare(parsed.sql)
-            .bind(...parsed.params)
+        const resolved = await resolveSqlRequest(request, env);
+        if (!resolved.ok)
+            return resolved.response;
+        const out = await resolved.db
+            .prepare(resolved.sql)
+            .bind(...resolved.params)
             .run();
         return json(200, { ok: true, meta: out.meta });
     }
@@ -302,17 +196,14 @@ const parseStatementPayload = (payload) => {
 };
 const handleStatement = async (request, env) => {
     try {
-        const check = await readAndVerifyJson(request, env);
-        if (!check.ok)
-            return check.response;
-        const db = requireDb(env);
-        if (db instanceof Response)
-            return db;
+        const resolved = await resolveDbRequest(request, env);
+        if (!resolved.ok)
+            return resolved.response;
         const statements = loadStatements(env);
         if (statements === null) {
             return toErrorResponse(400, 'CONFIG_ERROR', 'Missing or invalid ZT_D1_STATEMENTS_JSON');
         }
-        const parsed = parseStatementPayload(check.payload);
+        const parsed = parseStatementPayload(resolved.payload);
         if (!parsed.ok)
             return parsed.response;
         const sql = statements[parsed.statementId];
@@ -320,13 +211,13 @@ const handleStatement = async (request, env) => {
             return toErrorResponse(404, 'NOT_FOUND', 'Unknown statementId');
         }
         if (isMutatingSql(sql)) {
-            const out = await db
+            const out = await resolved.db
                 .prepare(sql)
                 .bind(...parsed.params)
                 .run();
             return json(200, { ok: true, meta: out.meta });
         }
-        const out = await db
+        const out = await resolved.db
             .prepare(sql)
             .bind(...parsed.params)
             .all();

package/src/proxy/kv/ZintrustKvProxy.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"ZintrustKvProxy.d.ts","sourceRoot":"","sources":["../../../../src/proxy/kv/ZintrustKvProxy.ts"],"names":[],"mappings":"AAKA,KAAK,qBAAqB,GAAG;IAC3B,aAAa,CAAC,EAAE,MAAM,CAAC;CACxB,CAAC;AAEF,KAAK,SAAS,GAAG,MAAM,GAAG,MAAM,GAAG,aAAa,CAAC;AAEjD,KAAK,YAAY,GAAG;IAClB,IAAI,EAAE,KAAK,CAAC;QAAE,IAAI,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;IAC9B,MAAM,EAAE,MAAM,CAAC;IACf,aAAa,EAAE,OAAO,CAAC;CACxB,CAAC;AAEF,KAAK,WAAW,GAAG;IACjB,GAAG,EAAE;QACH,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAAC;QACtC,CAAC,GAAG,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,IAAI,CAAC,CAAC;QACrE,CAAC,GAAG,EAAE,MAAM,EAAE,IAAI,EAAE,aAAa,GAAG,OAAO,CAAC,WAAW,GAAG,IAAI,CAAC,CAAC;QAChE,CAAC,GAAG,EAAE,MAAM,EAAE,IAAI,EAAE,SAAS,GAAG,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,WAAW,GAAG,MAAM,GAAG,IAAI,CAAC,CAAC;KAChG,CAAC;IACF,GAAG,EAAE,CAAC,GAAG,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,qBAAqB,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;IACpF,MAAM,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;IACvC,IAAI,EAAE,CAAC,OAAO,EAAE;QAAE,MAAM,CAAC,EAAE,MAAM,CAAC;QAAC,KAAK,CAAC,EAAE,MAAM,CAAC;QAAC,MAAM,CAAC,EAAE,MAAM,CAAA;KAAE,KAAK,OAAO,CAAC,YAAY,CAAC,CAAC;CAChG,CAAC;AAEF,KAAK,KAAK,GAAG;IACX,KAAK,CAAC,EAAE,WAAW,CAAC;IACpB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,0BAA0B,CAAC,EAAE,MAAM,CAAC;IACpC,SAAS,CAAC,EAAE,WAAW,CAAC;IACxB,iBAAiB,CAAC,EAAE,MAAM,CAAC;IAC3B,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,gBAAgB,CAAC,EAAE,MAAM,CAAC;CAC3B,CAAC;AA0WF,eAAO,MAAM,eAAe;;;mBAGL,OAAO,OAAO,KAAK,GAAG,OAAO,CAAC,QAAQ,CAAC;EAqB5D,CAAC;AAEH,eAAe,eAAe,CAAC"}
+{"version":3,"file":"ZintrustKvProxy.d.ts","sourceRoot":"","sources":["../../../../src/proxy/kv/ZintrustKvProxy.ts"],"names":[],"mappings":"AAUA,KAAK,qBAAqB,GAAG;IAC3B,aAAa,CAAC,EAAE,MAAM,CAAC;CACxB,CAAC;AAEF,KAAK,SAAS,GAAG,MAAM,GAAG,MAAM,GAAG,aAAa,CAAC;AAEjD,KAAK,YAAY,GAAG;IAClB,IAAI,EAAE,KAAK,CAAC;QAAE,IAAI,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;IAC9B,MAAM,EAAE,MAAM,CAAC;IACf,aAAa,EAAE,OAAO,CAAC;CACxB,CAAC;AAEF,KAAK,WAAW,GAAG;IACjB,GAAG,EAAE;QACH,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAAC;QACtC,CAAC,GAAG,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,IAAI,CAAC,CAAC;QACrE,CAAC,GAAG,EAAE,MAAM,EAAE,IAAI,EAAE,aAAa,GAAG,OAAO,CAAC,WAAW,GAAG,IAAI,CAAC,CAAC;QAChE,CAAC,GAAG,EAAE,MAAM,EAAE,IAAI,EAAE,SAAS,GAAG,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,WAAW,GAAG,MAAM,GAAG,IAAI,CAAC,CAAC;KAChG,CAAC;IACF,GAAG,EAAE,CAAC,GAAG,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,qBAAqB,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;IACpF,MAAM,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;IACvC,IAAI,EAAE,CAAC,OAAO,EAAE;QAAE,MAAM,CAAC,EAAE,MAAM,CAAC;QAAC,KAAK,CAAC,EAAE,MAAM,CAAC;QAAC,MAAM,CAAC,EAAE,MAAM,CAAA;KAAE,KAAK,OAAO,CAAC,YAAY,CAAC,CAAC;CAChG,CAAC;AAEF,KAAK,KAAK,GAAG;IACX,KAAK,CAAC,EAAE,WAAW,CAAC;IACpB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,0BAA0B,CAAC,EAAE,MAAM,CAAC;IACpC,SAAS,CAAC,EAAE,WAAW,CAAC;IACxB,iBAAiB,CAAC,EAAE,MAAM,CAAC;IAC3B,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,gBAAgB,CAAC,EAAE,MAAM,CAAC;CAC3B,CAAC;AAwOF,eAAO,MAAM,eAAe;;;mBAGL,OAAO,OAAO,KAAK,GAAG,OAAO,CAAC,QAAQ,CAAC;EAqB5D,CAAC;AAEH,eAAe,eAAe,CAAC"}