@zintrust/core 0.4.89 → 0.4.91

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@zintrust/core",
-  "version": "0.4.89",
+  "version": "0.4.91",
   "description": "Production-grade TypeScript backend framework for JavaScript",
   "homepage": "https://zintrust.com",
   "repository": {
@@ -69,7 +69,7 @@
   },
   "overrides": {
     "ajv": "^8.18.0",
-    "axios": "^1.13.5",
+    "axios": "^1.15.0",
     "@tootallnate/once": "^3.0.1",
     "node-forge": "^1.4.0",
     "brace-expansion": "^5.0.5",

package/src/index.js

@@ -1,11 +1,11 @@
 /**
- * @zintrust/core v0.4.89
+ * @zintrust/core v0.4.91
  *
  * ZinTrust Framework - Production-Grade TypeScript Backend
  * Built for performance, type safety, and exceptional developer experience
  *
  * Build Information:
- *   Built: 2026-04-09T19:29:38.227Z
+ *   Built: 2026-04-10T08:00:44.737Z
  *   Node: >=20.0.0
  *   License: MIT
  *
@@ -21,7 +21,7 @@
  * Available at runtime for debugging and health checks
  */
 export const ZINTRUST_VERSION = '0.1.41';
-export const ZINTRUST_BUILD_DATE = '2026-04-09T19:29:38.185Z'; // Replaced during build
+export const ZINTRUST_BUILD_DATE = '2026-04-10T08:00:44.703Z'; // Replaced during build
 export { Application } from './boot/Application.js';
 export { AwsSigV4 } from './common/index.js';
 export { SignedRequest } from './security/SignedRequest.js';

package/src/middleware/SecurityMiddleware.d.ts

@@ -17,6 +17,7 @@ export interface SecurityOptions {
         origin?: string | string[];
         methods?: string[];
         allowedHeaders?: string[];
+        exposedHeaders?: string[];
         credentials?: boolean;
         maxAge?: number;
     };

package/src/middleware/SecurityMiddleware.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"SecurityMiddleware.d.ts","sourceRoot":"","sources":["../../../src/middleware/SecurityMiddleware.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAKH,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,6BAA6B,CAAC;AAE9D,MAAM,WAAW,eAAe;IAC9B,IAAI,CAAC,EAAE;QACL,MAAM,CAAC,EAAE,MAAM,CAAC;QAChB,iBAAiB,CAAC,EAAE,OAAO,CAAC;QAC5B,OAAO,CAAC,EAAE,OAAO,CAAC;KACnB,CAAC;IACF,UAAU,CAAC,EAAE;QACX,MAAM,CAAC,EAAE,MAAM,GAAG,YAAY,CAAC;KAChC,CAAC;IACF,IAAI,CAAC,EAAE;QACL,MAAM,CAAC,EAAE,MAAM,GAAG,MAAM,EAAE,CAAC;QAC3B,OAAO,CAAC,EAAE,MAAM,EAAE,CAAC;QACnB,cAAc,CAAC,EAAE,MAAM,EAAE,CAAC;QAC1B,WAAW,CAAC,EAAE,OAAO,CAAC;QACtB,MAAM,CAAC,EAAE,MAAM,CAAC;KACjB,CAAC;IACF,GAAG,CAAC,EAAE;QACJ,UAAU,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,EAAE,CAAC,CAAC;KACvC,CAAC;CACH;AAyID,eAAO,MAAM,kBAAkB;IAC7B;;OAEG;qBACa,eAAe,GAAQ,UAAU;EAgBjD,CAAC"}
+{"version":3,"file":"SecurityMiddleware.d.ts","sourceRoot":"","sources":["../../../src/middleware/SecurityMiddleware.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAKH,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,6BAA6B,CAAC;AAE9D,MAAM,WAAW,eAAe;IAC9B,IAAI,CAAC,EAAE;QACL,MAAM,CAAC,EAAE,MAAM,CAAC;QAChB,iBAAiB,CAAC,EAAE,OAAO,CAAC;QAC5B,OAAO,CAAC,EAAE,OAAO,CAAC;KACnB,CAAC;IACF,UAAU,CAAC,EAAE;QACX,MAAM,CAAC,EAAE,MAAM,GAAG,YAAY,CAAC;KAChC,CAAC;IACF,IAAI,CAAC,EAAE;QACL,MAAM,CAAC,EAAE,MAAM,GAAG,MAAM,EAAE,CAAC;QAC3B,OAAO,CAAC,EAAE,MAAM,EAAE,CAAC;QACnB,cAAc,CAAC,EAAE,MAAM,EAAE,CAAC;QAC1B,cAAc,CAAC,EAAE,MAAM,EAAE,CAAC;QAC1B,WAAW,CAAC,EAAE,OAAO,CAAC;QACtB,MAAM,CAAC,EAAE,MAAM,CAAC;KACjB,CAAC;IACF,GAAG,CAAC,EAAE;QACJ,UAAU,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,EAAE,CAAC,CAAC;KACvC,CAAC;CACH;AAkPD,eAAO,MAAM,kBAAkB;IAC7B;;OAEG;qBACa,eAAe,GAAQ,UAAU;EAgBjD,CAAC"}

package/src/middleware/SecurityMiddleware.js

@@ -10,6 +10,29 @@ const normalizeCorsList = (values, fallback) => {
         .filter((value) => value !== '');
     return normalized.length > 0 ? normalized : fallback;
 };
+const parseHeaderList = (value) => {
+    return String(value ?? '')
+        .split(',')
+        .map((element) => element.trim())
+        .filter((element) => element !== '');
+};
+const hasWildcard = (values) => {
+    if (typeof values === 'string')
+        return values.trim() === '*';
+    return (values ?? []).some((value) => value.trim() === '*');
+};
+const mergeCorsHeaders = (configured, requested) => {
+    const merged = new Map();
+    for (const header of [...(configured ?? []), ...(requested ?? [])]) {
+        const normalized = header.toLowerCase();
+        if (normalized === '')
+            continue;
+        if (!merged.has(normalized)) {
+            merged.set(normalized, header);
+        }
+    }
+    return Array.from(merged.values());
+};
 const getSecurityCorsConfig = () => {
     const config = securityConfig;
     return config?.cors ?? {};
@@ -18,6 +41,61 @@ const resolveCorsOrigin = () => {
     const origins = normalizeCorsList(getSecurityCorsConfig().origins, ['*']);
     return origins.includes('*') ? '*' : origins;
 };
+const resolveAllowedOrigin = (configuredOrigin, requestOrigin, credentials) => {
+    if (configuredOrigin === undefined)
+        return undefined;
+    if (typeof configuredOrigin === 'string') {
+        if (configuredOrigin.trim() === '*') {
+            return credentials === true && requestOrigin !== undefined ? requestOrigin : '*';
+        }
+        return configuredOrigin;
+    }
+    if (hasWildcard(configuredOrigin)) {
+        return credentials === true && requestOrigin !== undefined ? requestOrigin : '*';
+    }
+    if (requestOrigin === undefined || !configuredOrigin.includes(requestOrigin)) {
+        return undefined;
+    }
+    return requestOrigin;
+};
+const resolveAllowedMethods = (configuredMethods, requestMethod) => {
+    if (!hasWildcard(configuredMethods))
+        return configuredMethods ?? [];
+    if (requestMethod === undefined || requestMethod.trim() === '')
+        return ['*'];
+    return [requestMethod.trim()];
+};
+const resolveAllowedHeaders = (configuredHeaders, requestedHeaders) => {
+    if (hasWildcard(configuredHeaders)) {
+        return requestedHeaders.length > 0 ? requestedHeaders : ['*'];
+    }
+    return mergeCorsHeaders(configuredHeaders, requestedHeaders);
+};
+const resolveExposedHeaders = (configuredHeaders) => {
+    if (!hasWildcard(configuredHeaders))
+        return configuredHeaders ?? [];
+    return ['*'];
+};
+const applyCorsHeaders = (res, options) => {
+    if (options.origin !== undefined) {
+        res.setHeader('Access-Control-Allow-Origin', options.origin);
+    }
+    if (options.methods.length > 0) {
+        res.setHeader('Access-Control-Allow-Methods', options.methods.join(', '));
+    }
+    if (options.allowedHeaders.length > 0) {
+        res.setHeader('Access-Control-Allow-Headers', options.allowedHeaders.join(', '));
+    }
+    if (options.exposedHeaders.length > 0) {
+        res.setHeader('Access-Control-Expose-Headers', options.exposedHeaders.join(', '));
+    }
+    if (options.credentials !== undefined) {
+        res.setHeader('Access-Control-Allow-Credentials', options.credentials ? 'true' : 'false');
+    }
+    if (options.maxAge !== undefined) {
+        res.setHeader('Access-Control-Max-Age', options.maxAge.toString());
+    }
+};
 const DEFAULT_OPTIONS = {
     hsts: {
         maxAge: 15552000, // 180 days
@@ -43,6 +121,7 @@ const DEFAULT_OPTIONS = {
             'X-Requested-With',
             'X-CSRF-Token',
         ]),
+        exposedHeaders: normalizeCorsList(getSecurityCorsConfig().exposedHeaders, []),
         credentials: getSecurityCorsConfig().credentials,
         maxAge: getSecurityCorsConfig().maxAge,
     },
@@ -87,34 +166,23 @@ function applyCsp(res, csp) {
 function applyCors(req, res, cors) {
     if (!cors)
         return false;
+    const method = req.getMethod();
     const originHeader = req.getHeader('origin');
     const origin = typeof originHeader === 'string' ? originHeader : undefined;
-    let allowedOrigin = cors.origin;
-    if (Array.isArray(cors.origin)) {
-        if (origin === undefined || !cors.origin.includes(origin)) {
-            allowedOrigin = undefined;
-        }
-        else {
-            allowedOrigin = origin;
-        }
-    }
-    if (allowedOrigin !== null && allowedOrigin !== undefined) {
-        res.setHeader('Access-Control-Allow-Origin', allowedOrigin ?? '*');
-    }
-    if (cors.methods) {
-        res.setHeader('Access-Control-Allow-Methods', cors.methods.join(', '));
-    }
-    if (cors.allowedHeaders) {
-        res.setHeader('Access-Control-Allow-Headers', cors.allowedHeaders.join(', '));
-    }
-    if (cors.credentials !== undefined) {
-        res.setHeader('Access-Control-Allow-Credentials', cors.credentials ? 'true' : 'false');
-    }
-    if (cors.maxAge !== undefined) {
-        res.setHeader('Access-Control-Max-Age', cors.maxAge.toString());
-    }
+    const requestedMethodHeader = method === 'OPTIONS' ? req.getHeader('access-control-request-method') : undefined;
+    const requestedMethod = typeof requestedMethodHeader === 'string' ? requestedMethodHeader : undefined;
+    const requestedHeadersHeader = method === 'OPTIONS' ? req.getHeader('access-control-request-headers') : undefined;
+    const requestedHeaders = typeof requestedHeadersHeader === 'string' ? parseHeaderList(requestedHeadersHeader) : [];
+    applyCorsHeaders(res, {
+        origin: resolveAllowedOrigin(cors.origin, origin, cors.credentials),
+        methods: resolveAllowedMethods(cors.methods, requestedMethod),
+        allowedHeaders: resolveAllowedHeaders(cors.allowedHeaders, requestedHeaders),
+        exposedHeaders: resolveExposedHeaders(cors.exposedHeaders),
+        credentials: cors.credentials,
+        maxAge: cors.maxAge,
+    });
     // Handle Preflight
-    if (req.getMethod() === 'OPTIONS') {
+    if (method === 'OPTIONS') {
         res.setStatus(204);
         res.send('');
         return true;

package/src/orm/adapters/SQLiteAdapter.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"SQLiteAdapter.d.ts","sourceRoot":"","sources":["../../../../src/orm/adapters/SQLiteAdapter.ts"],"names":[],"mappings":"AACA;;;GAGG;AAUH,OAAO,KAAK,EAAE,cAAc,EAAE,gBAAgB,EAAe,MAAM,sBAAsB,CAAC;AA8M1F,iBAAS,mBAAmB,CAAC,MAAM,EAAE,cAAc,GAAG,gBAAgB,CA0FrE;AAED,eAAO,MAAM,aAAa;;EAExB,CAAC"}
+{"version":3,"file":"SQLiteAdapter.d.ts","sourceRoot":"","sources":["../../../../src/orm/adapters/SQLiteAdapter.ts"],"names":[],"mappings":"AACA;;;GAGG;AAUH,OAAO,KAAK,EAAE,cAAc,EAAE,gBAAgB,EAAe,MAAM,sBAAsB,CAAC;AA+N1F,iBAAS,mBAAmB,CAAC,MAAM,EAAE,cAAc,GAAG,gBAAgB,CA0FrE;AAED,eAAO,MAAM,aAAa;;EAExB,CAAC"}

package/src/orm/adapters/SQLiteAdapter.js

@@ -66,6 +66,18 @@ function isSelectQuery(sql) {
     const normalized = sql.trimStart().toLowerCase();
     return normalized.startsWith('select') || normalized.startsWith('pragma');
 }
+const TRACE_STORAGE_TABLE_NAMES = [
+    'zin_trace_entries',
+    'zin_trace_entries_tags',
+    'zin_trace_monitoring',
+];
+function isTraceStorageQuery(sql) {
+    const normalized = sql.toLowerCase();
+    return TRACE_STORAGE_TABLE_NAMES.some((tableName) => normalized.includes(tableName));
+}
+function shouldLogQuery(sql) {
+    return databaseConfig.logging.enabled && !isTraceStorageQuery(sql);
+}
 function requireDb(db) {
     if (db === null)
         throw ErrorFactory.createConnectionError('Database not connected');
@@ -76,13 +88,13 @@ function executeQuery(db, sql, parameters) {
     const stmt = db.prepare(sql);
     if (isSelectQuery(sql)) {
         const rows = stmt.all(parameters);
-        if (databaseConfig.logging.enabled) {
+        if (shouldLogQuery(sql)) {
             Logger.debug('SQLite query executed', { durationMs: performance.now() - start, sql });
         }
         return { rows, rowCount: rows.length };
     }
     const info = stmt.run(parameters);
-    if (databaseConfig.logging.enabled) {
+    if (shouldLogQuery(sql)) {
         Logger.debug('SQLite query executed', { durationMs: performance.now() - start, sql });
     }
     return { rows: [], rowCount: info.changes, lastInsertId: info.lastInsertRowid };
@@ -137,7 +149,9 @@ async function rawQuerySQLite(state, sql, parameters) {
         throw ErrorFactory.createConfigError('Raw SQL queries are disabled');
     }
     const currentDb = requireDb(state.db);
-    Logger.warn(`Raw SQL Query executed: ${sql}`);
+    if (!isTraceStorageQuery(sql)) {
+        Logger.warn(`Raw SQL Query executed: ${sql}`);
+    }
     try {
         return executeRawQuery(currentDb, sql, parameters);
     }