@zintrust/core 0.9.5 → 0.9.6

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@zintrust/core",
-  "version": "0.9.5",
+  "version": "0.9.6",
   "description": "Production-grade TypeScript backend framework for JavaScript",
   "homepage": "https://zintrust.com",
   "repository": {

package/src/index.js

@@ -1,11 +1,11 @@
 /**
- * @zintrust/core v0.9.5
+ * @zintrust/core v0.9.6
  *
  * ZinTrust Framework - Production-Grade TypeScript Backend
  * Built for performance, type safety, and exceptional developer experience
  *
  * Build Information:
- *   Built: 2026-04-23T13:02:57.049Z
+ *   Built: 2026-04-23T13:47:55.338Z
  *   Node: >=20.0.0
  *   License: MIT
  *
@@ -21,7 +21,7 @@
  * Available at runtime for debugging and health checks
  */
 export const ZINTRUST_VERSION = '0.1.41';
-export const ZINTRUST_BUILD_DATE = '2026-04-23T13:02:57.015Z'; // Replaced during build
+export const ZINTRUST_BUILD_DATE = '2026-04-23T13:47:55.277Z'; // Replaced during build
 export { Application } from './boot/Application.js';
 export { AwsSigV4 } from './common/index.js';
 export { SignedRequest } from './security/SignedRequest.js';

package/src/proxy/CloudflareProxyShared.d.ts

@@ -1,17 +1,6 @@
-export type ProxyNoncePutOptions = {
-    expirationTtl?: number;
-};
-export type ProxyNonceNamespace = {
-    get: (key: string) => Promise<string | null>;
-    put: (key: string, value: string, options?: ProxyNoncePutOptions) => Promise<void>;
-};
-type SignedRequestOptions = Readonly<{
-    secretEnvVar: string;
-    missingSecretStatus: number;
-    missingSecretMessage: string;
-    defaultSigningWindowMs: number;
-}>;
-type ReadAndVerifyJsonOptions = SignedRequestOptions & Readonly<{
+import type { WorkerSigningOptions } from './WorkerSigning';
+export type { ProxyNonceNamespace, ProxyNoncePutOptions, WorkerSigningOptions, } from './WorkerSigning';
+type ReadAndVerifyJsonOptions = WorkerSigningOptions & Readonly<{
     defaultMaxBodyBytes: number;
 }>;
 type ProxyRequestEnv = object;
@@ -34,8 +23,7 @@ export declare const parseOptionalJson: (text: string) => {
     ok: false;
     response: Response;
 };
-export declare const verifyNonceKv: (kv: ProxyNonceNamespace, keyId: string, nonce: string, ttlMs: number) => Promise<boolean>;
-export declare const verifySignedRequest: (request: Request, env: ProxyRequestEnv, bodyBytes: Uint8Array, options: SignedRequestOptions) => Promise<Response | {
+export declare const verifySignedRequest: (request: Request, env: ProxyRequestEnv, bodyBytes: Uint8Array, options: WorkerSigningOptions) => Promise<Response | {
     ok: true;
 }>;
 export declare const readAndVerifyJson: (request: Request, env: ProxyRequestEnv, options: ReadAndVerifyJsonOptions) => Promise<{
@@ -46,5 +34,4 @@ export declare const readAndVerifyJson: (request: Request, env: ProxyRequestEnv,
     ok: false;
     response: Response;
 }>;
-export {};
 //# sourceMappingURL=CloudflareProxyShared.d.ts.map

package/src/proxy/CloudflareProxyShared.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"CloudflareProxyShared.d.ts","sourceRoot":"","sources":["../../../src/proxy/CloudflareProxyShared.ts"],"names":[],"mappings":"AAKA,MAAM,MAAM,oBAAoB,GAAG;IACjC,aAAa,CAAC,EAAE,MAAM,CAAC;CACxB,CAAC;AAEF,MAAM,MAAM,mBAAmB,GAAG;IAChC,GAAG,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAAC;IAC7C,GAAG,EAAE,CAAC,GAAG,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,oBAAoB,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;CACpF,CAAC;AAEF,KAAK,oBAAoB,GAAG,QAAQ,CAAC;IACnC,YAAY,EAAE,MAAM,CAAC;IACrB,mBAAmB,EAAE,MAAM,CAAC;IAC5B,oBAAoB,EAAE,MAAM,CAAC;IAC7B,sBAAsB,EAAE,MAAM,CAAC;CAChC,CAAC,CAAC;AAEH,KAAK,wBAAwB,GAAG,oBAAoB,GAClD,QAAQ,CAAC;IACP,mBAAmB,EAAE,MAAM,CAAC;CAC7B,CAAC,CAAC;AAEL,KAAK,eAAe,GAAG,MAAM,CAAC;AAE9B,eAAO,MAAM,IAAI,GAAI,QAAQ,MAAM,EAAE,MAAM,OAAO,KAAG,QAQpD,CAAC;AAEF,eAAO,MAAM,eAAe,GAAI,QAAQ,MAAM,EAAE,MAAM,MAAM,EAAE,SAAS,MAAM,KAAG,QAG/E,CAAC;AAMF,eAAO,MAAM,SAAS,GAAI,KAAK,eAAe,EAAE,MAAM,MAAM,EAAE,UAAU,MAAM,KAAG,MAKhF,CAAC;AAEF,eAAO,MAAM,oBAAoB,GAAI,OAAO,OAAO,KAAG,MAAM,GAAG,IAI9D,CAAC;AAEF,eAAO,MAAM,aAAa,GACxB,SAAS,OAAO,EAChB,UAAU,MAAM,KACf,OAAO,CAAC;IAAE,EAAE,EAAE,IAAI,CAAC;IAAC,KAAK,EAAE,UAAU,CAAC;IAAC,IAAI,EAAE,MAAM,CAAA;CAAE,GAAG;IAAE,EAAE,EAAE,KAAK,CAAC;IAAC,QAAQ,EAAE,QAAQ,CAAA;CAAE,CAY3F,CAAC;AAEF,eAAO,MAAM,iBAAiB,GAC5B,MAAM,MAAM,KACX;IAAE,EAAE,EAAE,IAAI,CAAC;IAAC,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,IAAI,CAAA;CAAE,GAAG;IAAE,EAAE,EAAE,KAAK,CAAC;IAAC,QAAQ,EAAE,QAAQ,CAAA;CAezF,CAAC;AAcF,eAAO,MAAM,aAAa,GACxB,IAAI,mBAAmB,EACvB,OAAO,MAAM,EACb,OAAO,MAAM,EACb,OAAO,MAAM,KACZ,OAAO,CAAC,OAAO,CAOjB,CAAC;AAEF,eAAO,MAAM,mBAAmB,GAC9B,SAAS,OAAO,EAChB,KAAK,eAAe,EACpB,WAAW,UAAU,EACrB,SAAS,oBAAoB,KAC5B,OAAO,CAAC,QAAQ,GAAG;IAAE,EAAE,EAAE,IAAI,CAAA;CAAE,CA+BjC,CAAC;AAEF,eAAO,MAAM,iBAAiB,GAC5B,SAAS,OAAO,EAChB,KAAK,eAAe,EACpB,SAAS,wBAAwB,KAChC,OAAO,CACN;IAAE,EAAE,EAAE,IAAI,CAAC;IAAC,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,IAAI,CAAC;IAAC,SAAS,EAAE,UAAU,CAAA;CAAE,GAC5E;IAAE,EAAE,EAAE,KAAK,CAAC;IAAC,QAAQ,EAAE,QAAQ,CAAA;CAAE,CAapC,CAAC"}
+{"version":3,"file":"CloudflareProxyShared.d.ts","sourceRoot":"","sources":["../../../src/proxy/CloudflareProxyShared.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,oBAAoB,EAAE,MAAM,sBAAsB,CAAC;AAGjE,YAAY,EACV,mBAAmB,EACnB,oBAAoB,EACpB,oBAAoB,GACrB,MAAM,sBAAsB,CAAC;AAE9B,KAAK,wBAAwB,GAAG,oBAAoB,GAClD,QAAQ,CAAC;IACP,mBAAmB,EAAE,MAAM,CAAC;CAC7B,CAAC,CAAC;AAEL,KAAK,eAAe,GAAG,MAAM,CAAC;AAE9B,eAAO,MAAM,IAAI,GAAI,QAAQ,MAAM,EAAE,MAAM,OAAO,KAAG,QAQpD,CAAC;AAEF,eAAO,MAAM,eAAe,GAAI,QAAQ,MAAM,EAAE,MAAM,MAAM,EAAE,SAAS,MAAM,KAAG,QAG/E,CAAC;AAMF,eAAO,MAAM,SAAS,GAAI,KAAK,eAAe,EAAE,MAAM,MAAM,EAAE,UAAU,MAAM,KAAG,MAKhF,CAAC;AAEF,eAAO,MAAM,oBAAoB,GAAI,OAAO,OAAO,KAAG,MAAM,GAAG,IAI9D,CAAC;AAEF,eAAO,MAAM,aAAa,GACxB,SAAS,OAAO,EAChB,UAAU,MAAM,KACf,OAAO,CAAC;IAAE,EAAE,EAAE,IAAI,CAAC;IAAC,KAAK,EAAE,UAAU,CAAC;IAAC,IAAI,EAAE,MAAM,CAAA;CAAE,GAAG;IAAE,EAAE,EAAE,KAAK,CAAC;IAAC,QAAQ,EAAE,QAAQ,CAAA;CAAE,CAY3F,CAAC;AAEF,eAAO,MAAM,iBAAiB,GAC5B,MAAM,MAAM,KACX;IAAE,EAAE,EAAE,IAAI,CAAC;IAAC,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,IAAI,CAAA;CAAE,GAAG;IAAE,EAAE,EAAE,KAAK,CAAC;IAAC,QAAQ,EAAE,QAAQ,CAAA;CAezF,CAAC;AAEF,eAAO,MAAM,mBAAmB,GAC9B,SAAS,OAAO,EAChB,KAAK,eAAe,EACpB,WAAW,UAAU,EACrB,SAAS,oBAAoB,KAC5B,OAAO,CAAC,QAAQ,GAAG;IAAE,EAAE,EAAE,IAAI,CAAA;CAAE,CAQjC,CAAC;AAEF,eAAO,MAAM,iBAAiB,GAC5B,SAAS,OAAO,EAChB,KAAK,eAAe,EACpB,SAAS,wBAAwB,KAChC,OAAO,CACN;IAAE,EAAE,EAAE,IAAI,CAAC;IAAC,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,IAAI,CAAC;IAAC,SAAS,EAAE,UAAU,CAAA;CAAE,GAC5E;IAAE,EAAE,EAAE,KAAK,CAAC;IAAC,QAAQ,EAAE,QAAQ,CAAA;CAAE,CAapC,CAAC"}

package/src/proxy/CloudflareProxyShared.js

@@ -1,7 +1,7 @@
 import { isString } from '../helper/index.js';
 import { ErrorHandler } from './ErrorHandler.js';
 import { RequestValidator } from './RequestValidator.js';
-import { SigningService } from './SigningService.js';
+import { WorkerSigning } from './WorkerSigning.js';
 export const json = (status, body) => {
     return new Response(JSON.stringify(body), {
         status,
@@ -59,44 +59,8 @@ export const parseOptionalJson = (text) => {
     }
     return { ok: true, payload: parsed.value };
 };
-const loadSigningSecret = (env, secretEnvVar) => {
-    const directValue = getEnvValue(env, secretEnvVar);
-    const direct = isString(directValue) ? directValue.trim() : '';
-    if (direct !== '')
-        return direct;
-    const fallbackValue = getEnvValue(env, 'APP_KEY');
-    const fallback = isString(fallbackValue) ? fallbackValue.trim() : '';
-    if (fallback !== '')
-        return fallback;
-    return null;
-};
-export const verifyNonceKv = async (kv, keyId, nonce, ttlMs) => {
-    const ttlSeconds = Math.max(1, Math.ceil(ttlMs / 1000));
-    const storageKey = `nonce:${keyId}:${nonce}`;
-    const existing = await kv.get(storageKey);
-    if (existing !== null)
-        return false;
-    await kv.put(storageKey, '1', { expirationTtl: ttlSeconds });
-    return true;
-};
 export const verifySignedRequest = async (request, env, bodyBytes, options) => {
-    const secret = loadSigningSecret(env, options.secretEnvVar);
-    if (secret === null) {
-        return toErrorResponse(options.missingSecretStatus, 'CONFIG_ERROR', options.missingSecretMessage);
-    }
-    const windowMs = getEnvInt(env, 'ZT_PROXY_SIGNING_WINDOW_MS', options.defaultSigningWindowMs);
-    const nonceStore = getEnvValue(env, 'ZT_NONCES');
-    const verifyResult = await SigningService.verifyWithKeyProvider({
-        method: request.method,
-        url: request.url,
-        body: bodyBytes,
-        headers: request.headers,
-        windowMs,
-        getSecretForKeyId: (_keyId) => secret,
-        verifyNonce: nonceStore === undefined || nonceStore === null
-            ? undefined
-            : async (keyId, nonce, ttlMs) => verifyNonceKv(nonceStore, keyId, nonce, ttlMs),
-    });
+    const verifyResult = await WorkerSigning.verifySignedRequest(request, env, bodyBytes, options);
     if (!verifyResult.ok) {
         return toErrorResponse(verifyResult.status, verifyResult.code, verifyResult.message);
     }

package/src/proxy/WorkerSigning.d.ts

@@ -0,0 +1,33 @@
+export type ProxyNoncePutOptions = {
+    expirationTtl?: number;
+};
+export type ProxyNonceNamespace = {
+    get: (key: string) => Promise<string | null>;
+    put: (key: string, value: string, options?: ProxyNoncePutOptions) => Promise<void>;
+};
+export type WorkerSigningOptions = Readonly<{
+    secretEnvVar: string;
+    missingSecretStatus: number;
+    missingSecretMessage: string;
+    defaultSigningWindowMs: number;
+}>;
+type WorkerRequestEnv = object;
+type WorkerSigningResult = {
+    ok: true;
+} | {
+    ok: false;
+    status: number;
+    code: string;
+    message: string;
+};
+export declare const WorkerSigning: Readonly<{
+    verifyNonceKv: (kv: ProxyNonceNamespace, keyId: string, nonce: string, ttlMs: number) => Promise<boolean>;
+    verifySignedRequest: (request: Request, env: WorkerRequestEnv, bodyBytes: Uint8Array, options: WorkerSigningOptions) => Promise<WorkerSigningResult | {
+        ok: false;
+        status: number;
+        code: "CONFIG_ERROR";
+        message: string;
+    }>;
+}>;
+export {};
+//# sourceMappingURL=WorkerSigning.d.ts.map

package/src/proxy/WorkerSigning.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"WorkerSigning.d.ts","sourceRoot":"","sources":["../../../src/proxy/WorkerSigning.ts"],"names":[],"mappings":"AAIA,MAAM,MAAM,oBAAoB,GAAG;IACjC,aAAa,CAAC,EAAE,MAAM,CAAC;CACxB,CAAC;AAEF,MAAM,MAAM,mBAAmB,GAAG;IAChC,GAAG,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAAC;IAC7C,GAAG,EAAE,CAAC,GAAG,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,oBAAoB,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;CACpF,CAAC;AAEF,MAAM,MAAM,oBAAoB,GAAG,QAAQ,CAAC;IAC1C,YAAY,EAAE,MAAM,CAAC;IACrB,mBAAmB,EAAE,MAAM,CAAC;IAC5B,oBAAoB,EAAE,MAAM,CAAC;IAC7B,sBAAsB,EAAE,MAAM,CAAC;CAChC,CAAC,CAAC;AAEH,KAAK,gBAAgB,GAAG,MAAM,CAAC;AAE/B,KAAK,mBAAmB,GACpB;IAAE,EAAE,EAAE,IAAI,CAAA;CAAE,GACZ;IAAE,EAAE,EAAE,KAAK,CAAC;IAAC,MAAM,EAAE,MAAM,CAAC;IAAC,IAAI,EAAE,MAAM,CAAC;IAAC,OAAO,EAAE,MAAM,CAAA;CAAE,CAAC;AAkGjE,eAAO,MAAM,aAAa;wBAlDpB,mBAAmB,SAChB,MAAM,SACN,MAAM,SACN,MAAM,KACZ,OAAO,CAAC,OAAO,CAAC;mCAUR,OAAO,OACX,gBAAgB,aACV,UAAU,WACZ,oBAAoB,KAC5B,OAAO,CACR,mBAAmB,GAAG;QAAE,EAAE,EAAE,KAAK,CAAC;QAAC,MAAM,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,cAAc,CAAC;QAAC,OAAO,EAAE,MAAM,CAAA;KAAE,CAC3F;EAiCC,CAAC"}

package/src/proxy/WorkerSigning.js

@@ -0,0 +1,77 @@
+import { isString } from '../helper/index.js';
+import { SignedRequest } from '../security/SignedRequest.js';
+const getEnvValue = (env, name) => {
+    return env[name];
+};
+const getEnvInt = (env, name, fallback) => {
+    const raw = getEnvValue(env, name);
+    if (!isString(raw))
+        return fallback;
+    const parsed = Number.parseInt(raw, 10);
+    return Number.isFinite(parsed) ? parsed : fallback;
+};
+const loadSigningSecret = (env, secretEnvVar) => {
+    const directValue = getEnvValue(env, secretEnvVar);
+    const direct = isString(directValue) ? directValue.trim() : '';
+    if (direct !== '')
+        return direct;
+    const fallbackValue = getEnvValue(env, 'APP_KEY');
+    const fallback = isString(fallbackValue) ? fallbackValue.trim() : '';
+    if (fallback !== '')
+        return fallback;
+    return null;
+};
+const mapVerifyResult = (result) => {
+    if (result.ok)
+        return { ok: true };
+    if (result.code === 'MISSING_HEADER' || result.code === 'INVALID_TIMESTAMP') {
+        return { ok: false, status: 401, code: result.code, message: result.message };
+    }
+    if (result.code === 'EXPIRED') {
+        return { ok: false, status: 401, code: result.code, message: result.message };
+    }
+    if (result.code === 'UNKNOWN_KEY') {
+        return { ok: false, status: 403, code: result.code, message: result.message };
+    }
+    if (result.code === 'REPLAYED') {
+        return { ok: false, status: 409, code: result.code, message: result.message };
+    }
+    return { ok: false, status: 403, code: result.code, message: result.message };
+};
+const verifyNonceKv = async (kv, keyId, nonce, ttlMs) => {
+    const ttlSeconds = Math.max(1, Math.ceil(ttlMs / 1000));
+    const storageKey = `nonce:${keyId}:${nonce}`;
+    const existing = await kv.get(storageKey);
+    if (existing !== null)
+        return false;
+    await kv.put(storageKey, '1', { expirationTtl: ttlSeconds });
+    return true;
+};
+const verifySignedRequest = async (request, env, bodyBytes, options) => {
+    const secret = loadSigningSecret(env, options.secretEnvVar);
+    if (secret === null) {
+        return {
+            ok: false,
+            status: options.missingSecretStatus,
+            code: 'CONFIG_ERROR',
+            message: options.missingSecretMessage,
+        };
+    }
+    const windowMs = getEnvInt(env, 'ZT_PROXY_SIGNING_WINDOW_MS', options.defaultSigningWindowMs);
+    const nonceStore = getEnvValue(env, 'ZT_NONCES');
+    return mapVerifyResult(await SignedRequest.verify({
+        method: request.method,
+        url: request.url,
+        body: bodyBytes,
+        headers: request.headers,
+        windowMs,
+        getSecretForKeyId: (_keyId) => secret,
+        verifyNonce: nonceStore === undefined || nonceStore === null
+            ? undefined
+            : async (keyId, nonce, ttlMs) => verifyNonceKv(nonceStore, keyId, nonce, ttlMs),
+    }));
+};
+export const WorkerSigning = Object.freeze({
+    verifyNonceKv,
+    verifySignedRequest,
+});

package/src/proxy.d.ts

@@ -1,7 +1,6 @@
-export { RemoteSignedJson } from './common/RemoteSignedJson';
 export { ZintrustD1Proxy } from './proxy/d1/ZintrustD1Proxy';
 export { ErrorHandler } from './proxy/ErrorHandler';
 export { ZintrustKvProxy } from './proxy/kv/ZintrustKvProxy';
 export { RequestValidator } from './proxy/RequestValidator';
-export { SigningService } from './proxy/SigningService';
+export { WorkerSigning } from './proxy/WorkerSigning';
 //# sourceMappingURL=proxy.d.ts.map

package/src/proxy.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"proxy.d.ts","sourceRoot":"","sources":["../../src/proxy.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,gBAAgB,EAAE,MAAM,0BAA0B,CAAC;AAC5D,OAAO,EAAE,eAAe,EAAE,MAAM,2BAA2B,CAAC;AAC5D,OAAO,EAAE,YAAY,EAAE,MAAM,qBAAqB,CAAC;AACnD,OAAO,EAAE,eAAe,EAAE,MAAM,2BAA2B,CAAC;AAC5D,OAAO,EAAE,gBAAgB,EAAE,MAAM,yBAAyB,CAAC;AAC3D,OAAO,EAAE,cAAc,EAAE,MAAM,uBAAuB,CAAC"}
+{"version":3,"file":"proxy.d.ts","sourceRoot":"","sources":["../../src/proxy.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,eAAe,EAAE,MAAM,2BAA2B,CAAC;AAC5D,OAAO,EAAE,YAAY,EAAE,MAAM,qBAAqB,CAAC;AACnD,OAAO,EAAE,eAAe,EAAE,MAAM,2BAA2B,CAAC;AAC5D,OAAO,EAAE,gBAAgB,EAAE,MAAM,yBAAyB,CAAC;AAC3D,OAAO,EAAE,aAAa,EAAE,MAAM,sBAAsB,CAAC"}

package/src/proxy.js

@@ -1,6 +1,5 @@
-export { RemoteSignedJson } from './common/RemoteSignedJson.js';
 export { ZintrustD1Proxy } from './proxy/d1/ZintrustD1Proxy.js';
 export { ErrorHandler } from './proxy/ErrorHandler.js';
 export { ZintrustKvProxy } from './proxy/kv/ZintrustKvProxy.js';
 export { RequestValidator } from './proxy/RequestValidator.js';
-export { SigningService } from './proxy/SigningService.js';
+export { WorkerSigning } from './proxy/WorkerSigning.js';

package/src/runtime/WorkerAdapterImports.d.ts

@@ -1,5 +1,5 @@
 export declare const WorkerAdapterImports: Readonly<{
-    loaded: true;
-    ready: Promise<void>;
+    loaded: boolean;
+    ready: void;
 }>;
 //# sourceMappingURL=WorkerAdapterImports.d.ts.map

package/src/runtime/WorkerAdapterImports.js

@@ -22,7 +22,7 @@ const tryImportOptional = async () => {
     await tryImportProjectRuntime();
     await import('./WorkerProjectPlugins.js');
 };
-const ready = tryImportOptional();
+const ready = await tryImportOptional();
 export const WorkerAdapterImports = Object.freeze({
     loaded: true,
     ready,