@zintrust/core 0.9.5 → 1.2.0

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@zintrust/core",
-  "version": "0.9.5",
+  "version": "1.2.0",
   "description": "Production-grade TypeScript backend framework for JavaScript",
   "homepage": "https://zintrust.com",
   "repository": {
@@ -73,9 +73,9 @@
     "axios": "^1.15.0",
     "@eslint/plugin-kit": "^0.7.1",
     "follow-redirects": "^1.16.0",
-    "@tootallnate/once": "^3.0.1",
+    "@tootallnate/once": "3.0.1",
     "node-forge": "^1.4.0",
-    "fast-xml-parser": "^5.7.1",
+    "fast-xml-parser": "5.7.1",
     "brace-expansion": "^5.0.5",
     "picomatch": "^4.0.4",
     "cross-spawn": "^7.0.5",
@@ -84,7 +84,7 @@
     "rollup": "^4.59.0",
     "vite": "^8.0.5",
     "flatted": "^3.4.2",
-    "uuid": "^14.0.0",
+    "uuid": "14.0.0",
     "@actions/github": {
       "undici": "^6.24.0"
     },
@@ -94,24 +94,10 @@
     "miniflare": {
       "undici": "^7.24.4"
     },
-    "@aws-sdk/xml-builder": {
-      "fast-xml-parser": "^5.7.1"
-    },
-    "@aws-sdk/xml-builder@3.972.18": {
-      "fast-xml-parser": "^5.7.1"
-    },
-    "@google-cloud/storage": {
-      "uuid": "^14.0.0"
-    },
-    "@google-cloud/storage@7.19.0": {
-      "uuid": "^14.0.0"
-    },
-    "gaxios": {
-      "uuid": "^14.0.0"
-    },
-    "teeny-request": {
-      "uuid": "^14.0.0"
-    }
+    "http-proxy-agent": "7.0.2",
+    "retry-request": "8.0.2",
+    "gaxios": "7.1.4",
+    "teeny-request": "10.1.2"
   },
   "bin": {
     "zintrust": "bin/zintrust.js",

package/src/cli/commands/EnvKeyGenerateCommand.js

@@ -78,7 +78,7 @@ export const EnvKeyGenerateCommand = Object.freeze({
                     }
                     envContent = upsertEnvValue(envContent, envKey, key);
                     await fs.writeFile(envPath, envContent);
-                    Logger.info(`${envKey} set successfully. [${key}]`);
+                    Logger.info(`${envKey} set successfully.`);
                 }
                 catch (error) {
                     Logger.error(`Failed to update ${envKey} in .env`, error);

package/src/index.js

@@ -1,11 +1,11 @@
 /**
- * @zintrust/core v0.9.5
+ * @zintrust/core v1.2.0
  *
  * ZinTrust Framework - Production-Grade TypeScript Backend
  * Built for performance, type safety, and exceptional developer experience
  *
  * Build Information:
- *   Built: 2026-04-23T13:02:57.049Z
+ *   Built: 2026-04-24T08:45:23.492Z
  *   Node: >=20.0.0
  *   License: MIT
  *
@@ -21,7 +21,7 @@
  * Available at runtime for debugging and health checks
  */
 export const ZINTRUST_VERSION = '0.1.41';
-export const ZINTRUST_BUILD_DATE = '2026-04-23T13:02:57.015Z'; // Replaced during build
+export const ZINTRUST_BUILD_DATE = '2026-04-24T08:45:23.460Z'; // Replaced during build
 export { Application } from './boot/Application.js';
 export { AwsSigV4 } from './common/index.js';
 export { SignedRequest } from './security/SignedRequest.js';

package/src/proxy/CloudflareProxyShared.d.ts

@@ -1,17 +1,6 @@
-export type ProxyNoncePutOptions = {
-    expirationTtl?: number;
-};
-export type ProxyNonceNamespace = {
-    get: (key: string) => Promise<string | null>;
-    put: (key: string, value: string, options?: ProxyNoncePutOptions) => Promise<void>;
-};
-type SignedRequestOptions = Readonly<{
-    secretEnvVar: string;
-    missingSecretStatus: number;
-    missingSecretMessage: string;
-    defaultSigningWindowMs: number;
-}>;
-type ReadAndVerifyJsonOptions = SignedRequestOptions & Readonly<{
+import type { WorkerSigningOptions } from './WorkerSigning';
+export type { ProxyNonceNamespace, ProxyNoncePutOptions, WorkerSigningOptions, } from './WorkerSigning';
+type ReadAndVerifyJsonOptions = WorkerSigningOptions & Readonly<{
     defaultMaxBodyBytes: number;
 }>;
 type ProxyRequestEnv = object;
@@ -34,8 +23,7 @@ export declare const parseOptionalJson: (text: string) => {
     ok: false;
     response: Response;
 };
-export declare const verifyNonceKv: (kv: ProxyNonceNamespace, keyId: string, nonce: string, ttlMs: number) => Promise<boolean>;
-export declare const verifySignedRequest: (request: Request, env: ProxyRequestEnv, bodyBytes: Uint8Array, options: SignedRequestOptions) => Promise<Response | {
+export declare const verifySignedRequest: (request: Request, env: ProxyRequestEnv, bodyBytes: Uint8Array, options: WorkerSigningOptions) => Promise<Response | {
     ok: true;
 }>;
 export declare const readAndVerifyJson: (request: Request, env: ProxyRequestEnv, options: ReadAndVerifyJsonOptions) => Promise<{
@@ -46,5 +34,4 @@ export declare const readAndVerifyJson: (request: Request, env: ProxyRequestEnv,
     ok: false;
     response: Response;
 }>;
-export {};
 //# sourceMappingURL=CloudflareProxyShared.d.ts.map

package/src/proxy/CloudflareProxyShared.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"CloudflareProxyShared.d.ts","sourceRoot":"","sources":["../../../src/proxy/CloudflareProxyShared.ts"],"names":[],"mappings":"AAKA,MAAM,MAAM,oBAAoB,GAAG;IACjC,aAAa,CAAC,EAAE,MAAM,CAAC;CACxB,CAAC;AAEF,MAAM,MAAM,mBAAmB,GAAG;IAChC,GAAG,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAAC;IAC7C,GAAG,EAAE,CAAC,GAAG,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,oBAAoB,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;CACpF,CAAC;AAEF,KAAK,oBAAoB,GAAG,QAAQ,CAAC;IACnC,YAAY,EAAE,MAAM,CAAC;IACrB,mBAAmB,EAAE,MAAM,CAAC;IAC5B,oBAAoB,EAAE,MAAM,CAAC;IAC7B,sBAAsB,EAAE,MAAM,CAAC;CAChC,CAAC,CAAC;AAEH,KAAK,wBAAwB,GAAG,oBAAoB,GAClD,QAAQ,CAAC;IACP,mBAAmB,EAAE,MAAM,CAAC;CAC7B,CAAC,CAAC;AAEL,KAAK,eAAe,GAAG,MAAM,CAAC;AAE9B,eAAO,MAAM,IAAI,GAAI,QAAQ,MAAM,EAAE,MAAM,OAAO,KAAG,QAQpD,CAAC;AAEF,eAAO,MAAM,eAAe,GAAI,QAAQ,MAAM,EAAE,MAAM,MAAM,EAAE,SAAS,MAAM,KAAG,QAG/E,CAAC;AAMF,eAAO,MAAM,SAAS,GAAI,KAAK,eAAe,EAAE,MAAM,MAAM,EAAE,UAAU,MAAM,KAAG,MAKhF,CAAC;AAEF,eAAO,MAAM,oBAAoB,GAAI,OAAO,OAAO,KAAG,MAAM,GAAG,IAI9D,CAAC;AAEF,eAAO,MAAM,aAAa,GACxB,SAAS,OAAO,EAChB,UAAU,MAAM,KACf,OAAO,CAAC;IAAE,EAAE,EAAE,IAAI,CAAC;IAAC,KAAK,EAAE,UAAU,CAAC;IAAC,IAAI,EAAE,MAAM,CAAA;CAAE,GAAG;IAAE,EAAE,EAAE,KAAK,CAAC;IAAC,QAAQ,EAAE,QAAQ,CAAA;CAAE,CAY3F,CAAC;AAEF,eAAO,MAAM,iBAAiB,GAC5B,MAAM,MAAM,KACX;IAAE,EAAE,EAAE,IAAI,CAAC;IAAC,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,IAAI,CAAA;CAAE,GAAG;IAAE,EAAE,EAAE,KAAK,CAAC;IAAC,QAAQ,EAAE,QAAQ,CAAA;CAezF,CAAC;AAcF,eAAO,MAAM,aAAa,GACxB,IAAI,mBAAmB,EACvB,OAAO,MAAM,EACb,OAAO,MAAM,EACb,OAAO,MAAM,KACZ,OAAO,CAAC,OAAO,CAOjB,CAAC;AAEF,eAAO,MAAM,mBAAmB,GAC9B,SAAS,OAAO,EAChB,KAAK,eAAe,EACpB,WAAW,UAAU,EACrB,SAAS,oBAAoB,KAC5B,OAAO,CAAC,QAAQ,GAAG;IAAE,EAAE,EAAE,IAAI,CAAA;CAAE,CA+BjC,CAAC;AAEF,eAAO,MAAM,iBAAiB,GAC5B,SAAS,OAAO,EAChB,KAAK,eAAe,EACpB,SAAS,wBAAwB,KAChC,OAAO,CACN;IAAE,EAAE,EAAE,IAAI,CAAC;IAAC,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,IAAI,CAAC;IAAC,SAAS,EAAE,UAAU,CAAA;CAAE,GAC5E;IAAE,EAAE,EAAE,KAAK,CAAC;IAAC,QAAQ,EAAE,QAAQ,CAAA;CAAE,CAapC,CAAC"}
+{"version":3,"file":"CloudflareProxyShared.d.ts","sourceRoot":"","sources":["../../../src/proxy/CloudflareProxyShared.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,oBAAoB,EAAE,MAAM,sBAAsB,CAAC;AAGjE,YAAY,EACV,mBAAmB,EACnB,oBAAoB,EACpB,oBAAoB,GACrB,MAAM,sBAAsB,CAAC;AAE9B,KAAK,wBAAwB,GAAG,oBAAoB,GAClD,QAAQ,CAAC;IACP,mBAAmB,EAAE,MAAM,CAAC;CAC7B,CAAC,CAAC;AAEL,KAAK,eAAe,GAAG,MAAM,CAAC;AAE9B,eAAO,MAAM,IAAI,GAAI,QAAQ,MAAM,EAAE,MAAM,OAAO,KAAG,QAQpD,CAAC;AAEF,eAAO,MAAM,eAAe,GAAI,QAAQ,MAAM,EAAE,MAAM,MAAM,EAAE,SAAS,MAAM,KAAG,QAG/E,CAAC;AAMF,eAAO,MAAM,SAAS,GAAI,KAAK,eAAe,EAAE,MAAM,MAAM,EAAE,UAAU,MAAM,KAAG,MAKhF,CAAC;AAEF,eAAO,MAAM,oBAAoB,GAAI,OAAO,OAAO,KAAG,MAAM,GAAG,IAI9D,CAAC;AAEF,eAAO,MAAM,aAAa,GACxB,SAAS,OAAO,EAChB,UAAU,MAAM,KACf,OAAO,CAAC;IAAE,EAAE,EAAE,IAAI,CAAC;IAAC,KAAK,EAAE,UAAU,CAAC;IAAC,IAAI,EAAE,MAAM,CAAA;CAAE,GAAG;IAAE,EAAE,EAAE,KAAK,CAAC;IAAC,QAAQ,EAAE,QAAQ,CAAA;CAAE,CAY3F,CAAC;AAEF,eAAO,MAAM,iBAAiB,GAC5B,MAAM,MAAM,KACX;IAAE,EAAE,EAAE,IAAI,CAAC;IAAC,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,IAAI,CAAA;CAAE,GAAG;IAAE,EAAE,EAAE,KAAK,CAAC;IAAC,QAAQ,EAAE,QAAQ,CAAA;CAezF,CAAC;AAEF,eAAO,MAAM,mBAAmB,GAC9B,SAAS,OAAO,EAChB,KAAK,eAAe,EACpB,WAAW,UAAU,EACrB,SAAS,oBAAoB,KAC5B,OAAO,CAAC,QAAQ,GAAG;IAAE,EAAE,EAAE,IAAI,CAAA;CAAE,CAQjC,CAAC;AAEF,eAAO,MAAM,iBAAiB,GAC5B,SAAS,OAAO,EAChB,KAAK,eAAe,EACpB,SAAS,wBAAwB,KAChC,OAAO,CACN;IAAE,EAAE,EAAE,IAAI,CAAC;IAAC,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,IAAI,CAAC;IAAC,SAAS,EAAE,UAAU,CAAA;CAAE,GAC5E;IAAE,EAAE,EAAE,KAAK,CAAC;IAAC,QAAQ,EAAE,QAAQ,CAAA;CAAE,CAapC,CAAC"}

package/src/proxy/CloudflareProxyShared.js

@@ -1,7 +1,7 @@
 import { isString } from '../helper/index.js';
 import { ErrorHandler } from './ErrorHandler.js';
 import { RequestValidator } from './RequestValidator.js';
-import { SigningService } from './SigningService.js';
+import { WorkerSigning } from './WorkerSigning.js';
 export const json = (status, body) => {
     return new Response(JSON.stringify(body), {
         status,
@@ -59,44 +59,8 @@ export const parseOptionalJson = (text) => {
     }
     return { ok: true, payload: parsed.value };
 };
-const loadSigningSecret = (env, secretEnvVar) => {
-    const directValue = getEnvValue(env, secretEnvVar);
-    const direct = isString(directValue) ? directValue.trim() : '';
-    if (direct !== '')
-        return direct;
-    const fallbackValue = getEnvValue(env, 'APP_KEY');
-    const fallback = isString(fallbackValue) ? fallbackValue.trim() : '';
-    if (fallback !== '')
-        return fallback;
-    return null;
-};
-export const verifyNonceKv = async (kv, keyId, nonce, ttlMs) => {
-    const ttlSeconds = Math.max(1, Math.ceil(ttlMs / 1000));
-    const storageKey = `nonce:${keyId}:${nonce}`;
-    const existing = await kv.get(storageKey);
-    if (existing !== null)
-        return false;
-    await kv.put(storageKey, '1', { expirationTtl: ttlSeconds });
-    return true;
-};
 export const verifySignedRequest = async (request, env, bodyBytes, options) => {
-    const secret = loadSigningSecret(env, options.secretEnvVar);
-    if (secret === null) {
-        return toErrorResponse(options.missingSecretStatus, 'CONFIG_ERROR', options.missingSecretMessage);
-    }
-    const windowMs = getEnvInt(env, 'ZT_PROXY_SIGNING_WINDOW_MS', options.defaultSigningWindowMs);
-    const nonceStore = getEnvValue(env, 'ZT_NONCES');
-    const verifyResult = await SigningService.verifyWithKeyProvider({
-        method: request.method,
-        url: request.url,
-        body: bodyBytes,
-        headers: request.headers,
-        windowMs,
-        getSecretForKeyId: (_keyId) => secret,
-        verifyNonce: nonceStore === undefined || nonceStore === null
-            ? undefined
-            : async (keyId, nonce, ttlMs) => verifyNonceKv(nonceStore, keyId, nonce, ttlMs),
-    });
+    const verifyResult = await WorkerSigning.verifySignedRequest(request, env, bodyBytes, options);
     if (!verifyResult.ok) {
         return toErrorResponse(verifyResult.status, verifyResult.code, verifyResult.message);
     }

package/src/proxy/WorkerSigning.d.ts

@@ -0,0 +1,33 @@
+export type ProxyNoncePutOptions = {
+    expirationTtl?: number;
+};
+export type ProxyNonceNamespace = {
+    get: (key: string) => Promise<string | null>;
+    put: (key: string, value: string, options?: ProxyNoncePutOptions) => Promise<void>;
+};
+export type WorkerSigningOptions = Readonly<{
+    secretEnvVar: string;
+    missingSecretStatus: number;
+    missingSecretMessage: string;
+    defaultSigningWindowMs: number;
+}>;
+type WorkerRequestEnv = object;
+type WorkerSigningResult = {
+    ok: true;
+} | {
+    ok: false;
+    status: number;
+    code: string;
+    message: string;
+};
+export declare const WorkerSigning: Readonly<{
+    verifyNonceKv: (kv: ProxyNonceNamespace, keyId: string, nonce: string, ttlMs: number) => Promise<boolean>;
+    verifySignedRequest: (request: Request, env: WorkerRequestEnv, bodyBytes: Uint8Array, options: WorkerSigningOptions) => Promise<WorkerSigningResult | {
+        ok: false;
+        status: number;
+        code: "CONFIG_ERROR";
+        message: string;
+    }>;
+}>;
+export {};
+//# sourceMappingURL=WorkerSigning.d.ts.map

package/src/proxy/WorkerSigning.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"WorkerSigning.d.ts","sourceRoot":"","sources":["../../../src/proxy/WorkerSigning.ts"],"names":[],"mappings":"AAIA,MAAM,MAAM,oBAAoB,GAAG;IACjC,aAAa,CAAC,EAAE,MAAM,CAAC;CACxB,CAAC;AAEF,MAAM,MAAM,mBAAmB,GAAG;IAChC,GAAG,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAAC;IAC7C,GAAG,EAAE,CAAC,GAAG,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,oBAAoB,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;CACpF,CAAC;AAEF,MAAM,MAAM,oBAAoB,GAAG,QAAQ,CAAC;IAC1C,YAAY,EAAE,MAAM,CAAC;IACrB,mBAAmB,EAAE,MAAM,CAAC;IAC5B,oBAAoB,EAAE,MAAM,CAAC;IAC7B,sBAAsB,EAAE,MAAM,CAAC;CAChC,CAAC,CAAC;AAEH,KAAK,gBAAgB,GAAG,MAAM,CAAC;AAE/B,KAAK,mBAAmB,GACpB;IAAE,EAAE,EAAE,IAAI,CAAA;CAAE,GACZ;IAAE,EAAE,EAAE,KAAK,CAAC;IAAC,MAAM,EAAE,MAAM,CAAC;IAAC,IAAI,EAAE,MAAM,CAAC;IAAC,OAAO,EAAE,MAAM,CAAA;CAAE,CAAC;AAkGjE,eAAO,MAAM,aAAa;wBAlDpB,mBAAmB,SAChB,MAAM,SACN,MAAM,SACN,MAAM,KACZ,OAAO,CAAC,OAAO,CAAC;mCAUR,OAAO,OACX,gBAAgB,aACV,UAAU,WACZ,oBAAoB,KAC5B,OAAO,CACR,mBAAmB,GAAG;QAAE,EAAE,EAAE,KAAK,CAAC;QAAC,MAAM,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,cAAc,CAAC;QAAC,OAAO,EAAE,MAAM,CAAA;KAAE,CAC3F;EAiCC,CAAC"}

package/src/proxy/WorkerSigning.js

@@ -0,0 +1,77 @@
+import { isString } from '../helper/index.js';
+import { SignedRequest } from '../security/SignedRequest.js';
+const getEnvValue = (env, name) => {
+    return env[name];
+};
+const getEnvInt = (env, name, fallback) => {
+    const raw = getEnvValue(env, name);
+    if (!isString(raw))
+        return fallback;
+    const parsed = Number.parseInt(raw, 10);
+    return Number.isFinite(parsed) ? parsed : fallback;
+};
+const loadSigningSecret = (env, secretEnvVar) => {
+    const directValue = getEnvValue(env, secretEnvVar);
+    const direct = isString(directValue) ? directValue.trim() : '';
+    if (direct !== '')
+        return direct;
+    const fallbackValue = getEnvValue(env, 'APP_KEY');
+    const fallback = isString(fallbackValue) ? fallbackValue.trim() : '';
+    if (fallback !== '')
+        return fallback;
+    return null;
+};
+const mapVerifyResult = (result) => {
+    if (result.ok)
+        return { ok: true };
+    if (result.code === 'MISSING_HEADER' || result.code === 'INVALID_TIMESTAMP') {
+        return { ok: false, status: 401, code: result.code, message: result.message };
+    }
+    if (result.code === 'EXPIRED') {
+        return { ok: false, status: 401, code: result.code, message: result.message };
+    }
+    if (result.code === 'UNKNOWN_KEY') {
+        return { ok: false, status: 403, code: result.code, message: result.message };
+    }
+    if (result.code === 'REPLAYED') {
+        return { ok: false, status: 409, code: result.code, message: result.message };
+    }
+    return { ok: false, status: 403, code: result.code, message: result.message };
+};
+const verifyNonceKv = async (kv, keyId, nonce, ttlMs) => {
+    const ttlSeconds = Math.max(1, Math.ceil(ttlMs / 1000));
+    const storageKey = `nonce:${keyId}:${nonce}`;
+    const existing = await kv.get(storageKey);
+    if (existing !== null)
+        return false;
+    await kv.put(storageKey, '1', { expirationTtl: ttlSeconds });
+    return true;
+};
+const verifySignedRequest = async (request, env, bodyBytes, options) => {
+    const secret = loadSigningSecret(env, options.secretEnvVar);
+    if (secret === null) {
+        return {
+            ok: false,
+            status: options.missingSecretStatus,
+            code: 'CONFIG_ERROR',
+            message: options.missingSecretMessage,
+        };
+    }
+    const windowMs = getEnvInt(env, 'ZT_PROXY_SIGNING_WINDOW_MS', options.defaultSigningWindowMs);
+    const nonceStore = getEnvValue(env, 'ZT_NONCES');
+    return mapVerifyResult(await SignedRequest.verify({
+        method: request.method,
+        url: request.url,
+        body: bodyBytes,
+        headers: request.headers,
+        windowMs,
+        getSecretForKeyId: (_keyId) => secret,
+        verifyNonce: nonceStore === undefined || nonceStore === null
+            ? undefined
+            : async (keyId, nonce, ttlMs) => verifyNonceKv(nonceStore, keyId, nonce, ttlMs),
+    }));
+};
+export const WorkerSigning = Object.freeze({
+    verifyNonceKv,
+    verifySignedRequest,
+});

package/src/proxy.d.ts

@@ -1,7 +1,6 @@
-export { RemoteSignedJson } from './common/RemoteSignedJson';
 export { ZintrustD1Proxy } from './proxy/d1/ZintrustD1Proxy';
 export { ErrorHandler } from './proxy/ErrorHandler';
 export { ZintrustKvProxy } from './proxy/kv/ZintrustKvProxy';
 export { RequestValidator } from './proxy/RequestValidator';
-export { SigningService } from './proxy/SigningService';
+export { WorkerSigning } from './proxy/WorkerSigning';
 //# sourceMappingURL=proxy.d.ts.map

package/src/proxy.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"proxy.d.ts","sourceRoot":"","sources":["../../src/proxy.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,gBAAgB,EAAE,MAAM,0BAA0B,CAAC;AAC5D,OAAO,EAAE,eAAe,EAAE,MAAM,2BAA2B,CAAC;AAC5D,OAAO,EAAE,YAAY,EAAE,MAAM,qBAAqB,CAAC;AACnD,OAAO,EAAE,eAAe,EAAE,MAAM,2BAA2B,CAAC;AAC5D,OAAO,EAAE,gBAAgB,EAAE,MAAM,yBAAyB,CAAC;AAC3D,OAAO,EAAE,cAAc,EAAE,MAAM,uBAAuB,CAAC"}
+{"version":3,"file":"proxy.d.ts","sourceRoot":"","sources":["../../src/proxy.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,eAAe,EAAE,MAAM,2BAA2B,CAAC;AAC5D,OAAO,EAAE,YAAY,EAAE,MAAM,qBAAqB,CAAC;AACnD,OAAO,EAAE,eAAe,EAAE,MAAM,2BAA2B,CAAC;AAC5D,OAAO,EAAE,gBAAgB,EAAE,MAAM,yBAAyB,CAAC;AAC3D,OAAO,EAAE,aAAa,EAAE,MAAM,sBAAsB,CAAC"}

package/src/proxy.js

@@ -1,6 +1,5 @@
-export { RemoteSignedJson } from './common/RemoteSignedJson.js';
 export { ZintrustD1Proxy } from './proxy/d1/ZintrustD1Proxy.js';
 export { ErrorHandler } from './proxy/ErrorHandler.js';
 export { ZintrustKvProxy } from './proxy/kv/ZintrustKvProxy.js';
 export { RequestValidator } from './proxy/RequestValidator.js';
-export { SigningService } from './proxy/SigningService.js';
+export { WorkerSigning } from './proxy/WorkerSigning.js';

package/src/runtime/WorkerAdapterImports.d.ts

@@ -1,5 +1,5 @@
 export declare const WorkerAdapterImports: Readonly<{
-    loaded: true;
-    ready: Promise<void>;
+    loaded: boolean;
+    ready: void;
 }>;
 //# sourceMappingURL=WorkerAdapterImports.d.ts.map

package/src/runtime/WorkerAdapterImports.js

@@ -22,7 +22,7 @@ const tryImportOptional = async () => {
     await tryImportProjectRuntime();
     await import('./WorkerProjectPlugins.js');
 };
-const ready = tryImportOptional();
+const ready = await tryImportOptional();
 export const WorkerAdapterImports = Object.freeze({
     loaded: true,
     ready,

package/src/templates/project/basic/routes/storage.ts.tpl

@@ -8,6 +8,31 @@ import {
 } from '@zintrust/core';
 
 export function registerStorageRoutes(router: IRouter): void {
+  // Public file serving: /storage/<path>
+  Router.get(router, '/storage/:path*', async (req, res) => {
+    const raw = req.getParam('path') ?? '';
+    const key = typeof raw === 'string' ? decodeURIComponent(raw).replaceAll('\\\u005C', '/') : '';
+
+    if (key.trim() === '') {
+      res.setStatus(400).json({ message: 'Missing path' });
+      return;
+    }
+
+    // Respect private folder convention: do not expose keys under `private/`
+    if (key.startsWith('private/') || key === 'private') {
+      res.setStatus(404).json({ message: 'Not Found' });
+      return;
+    }
+
+    try {
+      const contents = await Storage.get('local', key);
+      res.setHeader(HTTP_HEADERS.CONTENT_TYPE, 'application/octet-stream');
+      res.setStatus(200).send(contents);
+    } catch {
+      res.setStatus(404).json({ message: 'Not Found' });
+    }
+  });
+
   Router.get(router, '/storage/download', async (req, res) => {
     const tokenRaw = req.getQueryParam('token');
     const token = typeof tokenRaw === 'string' ? tokenRaw : '';

package/src/tools/http/Http.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"Http.d.ts","sourceRoot":"","sources":["../../../../src/tools/http/Http.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAQH,OAAO,EAAsB,KAAK,aAAa,EAAE,MAAM,0BAA0B,CAAC;AAElF,YAAY,EAAE,aAAa,EAAE,MAAM,0BAA0B,CAAC;AAE9D,MAAM,MAAM,eAAe,GACvB,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GACvB,MAAM,GACN,WAAW,GACX,eAAe,GACf,IAAI,GACJ,QAAQ,GACR,eAAe,CAAC;AAEpB,MAAM,MAAM,qBAAqB,GAAG,QAAQ,CAAC;IAC3C,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,aAAa,CAAC,EAAE,CAAC,IAAI,EAAE,eAAe,GAAG,IAAI,GAAG,SAAS,KAAK,aAAa,GAAG,IAAI,GAAG,SAAS,CAAC;CAChG,CAAC,CAAC;AAEH;;GAEG;AACH,MAAM,WAAW,YAAY;IAC3B,UAAU,CAAC,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,YAAY,CAAC;IACtD,WAAW,CAAC,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,GAAG,YAAY,CAAC;IAC3D,QAAQ,CAAC,KAAK,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,QAAQ,GAAG,OAAO,GAAG,YAAY,CAAC;IACnE,aAAa,CAAC,QAAQ,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,GAAG,YAAY,CAAC;IAChE,WAAW,CAAC,EAAE,EAAE,MAAM,GAAG,YAAY,CAAC;IACtC,MAAM,IAAI,YAAY,CAAC;IACvB,MAAM,IAAI,YAAY,CAAC;IACvB,QAAQ,CAAC,IAAI,EAAE,qBAAqB,GAAG,YAAY,CAAC;IACpD,IAAI,IAAI,OAAO,CAAC,aAAa,CAAC,CAAC;IAC/B,OAAO,IAAI,OAAO,CAAC,QAAQ,CAAC,CAAC;IAC7B,UAAU,IAAI,OAAO,CAAC;QAAE,QAAQ,EAAE,QAAQ,CAAC;QAAC,MAAM,EAAE,cAAc,CAAC,UAAU,CAAC,GAAG,IAAI,CAAA;KAAE,CAAC,CAAC;CAC1F;AAED;;GAEG;AACH,KAAK,aAAa,GAAG,WAAW,CAAC,WAAW,CAAC,MAAM,CAAC,CAAC,CAAC;AAuXtD;;GAEG;AACH,eAAO,MAAM,UAAU;IACrB;;OAEG;aACM,MAAM,GAAG,YAAY;IAI9B;;OAEG;cACO,MAAM,SAAS,eAAe,GAAG,IAAI,GAAG,YAAY;IAQ9D;;OAEG;aACM,MAAM,SAAS,eAAe,GAAG,IAAI,GAAG,YAAY;IAQ7D;;OAEG;eACQ,MAAM,SAAS,eAAe,GAAG,IAAI,GAAG,YAAY;IAQ/D;;OAEG;gBACS,MAAM,SAAS,eAAe,GAAG,IAAI,GAAG,YAAY;EAOhE,CAAC;AAEH,eAAe,UAAU,CAAC"}
+{"version":3,"file":"Http.d.ts","sourceRoot":"","sources":["../../../../src/tools/http/Http.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAQH,OAAO,EAAsB,KAAK,aAAa,EAAE,MAAM,0BAA0B,CAAC;AAElF,YAAY,EAAE,aAAa,EAAE,MAAM,0BAA0B,CAAC;AAE9D,MAAM,MAAM,eAAe,GACvB,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GACvB,MAAM,GACN,WAAW,GACX,eAAe,GACf,IAAI,GACJ,QAAQ,GACR,eAAe,CAAC;AAEpB,MAAM,MAAM,qBAAqB,GAAG,QAAQ,CAAC;IAC3C,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,aAAa,CAAC,EAAE,CAAC,IAAI,EAAE,eAAe,GAAG,IAAI,GAAG,SAAS,KAAK,aAAa,GAAG,IAAI,GAAG,SAAS,CAAC;CAChG,CAAC,CAAC;AAEH;;GAEG;AACH,MAAM,WAAW,YAAY;IAC3B,UAAU,CAAC,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,YAAY,CAAC;IACtD,WAAW,CAAC,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,GAAG,YAAY,CAAC;IAC3D,QAAQ,CAAC,KAAK,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,QAAQ,GAAG,OAAO,GAAG,YAAY,CAAC;IACnE,aAAa,CAAC,QAAQ,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,GAAG,YAAY,CAAC;IAChE,WAAW,CAAC,EAAE,EAAE,MAAM,GAAG,YAAY,CAAC;IACtC,MAAM,IAAI,YAAY,CAAC;IACvB,MAAM,IAAI,YAAY,CAAC;IACvB,QAAQ,CAAC,IAAI,EAAE,qBAAqB,GAAG,YAAY,CAAC;IACpD,IAAI,IAAI,OAAO,CAAC,aAAa,CAAC,CAAC;IAC/B,OAAO,IAAI,OAAO,CAAC,QAAQ,CAAC,CAAC;IAC7B,UAAU,IAAI,OAAO,CAAC;QAAE,QAAQ,EAAE,QAAQ,CAAC;QAAC,MAAM,EAAE,cAAc,CAAC,UAAU,CAAC,GAAG,IAAI,CAAA;KAAE,CAAC,CAAC;CAC1F;AAED;;GAEG;AACH,KAAK,aAAa,GAAG,WAAW,CAAC,WAAW,CAAC,MAAM,CAAC,CAAC,CAAC;AA8dtD;;GAEG;AACH,eAAO,MAAM,UAAU;IACrB;;OAEG;aACM,MAAM,GAAG,YAAY;IAI9B;;OAEG;cACO,MAAM,SAAS,eAAe,GAAG,IAAI,GAAG,YAAY;IAQ9D;;OAEG;aACM,MAAM,SAAS,eAAe,GAAG,IAAI,GAAG,YAAY;IAQ7D;;OAEG;eACQ,MAAM,SAAS,eAAe,GAAG,IAAI,GAAG,YAAY;IAQ/D;;OAEG;gBACS,MAAM,SAAS,eAAe,GAAG,IAAI,GAAG,YAAY;EAOhE,CAAC;AAEH,eAAe,UAAU,CAAC"}

package/src/tools/http/Http.js

@@ -80,6 +80,56 @@ const normalizeBodyInit = (body) => {
     }
     return body;
 };
+const hasAuthorizationHeader = (headers) => {
+    return Object.keys(headers).some((name) => name.toLowerCase() === 'authorization');
+};
+const decodeCredentialComponent = (value) => {
+    try {
+        return decodeURIComponent(value);
+    }
+    catch {
+        return value;
+    }
+};
+const encodeBase64Utf8 = (value) => {
+    if (typeof Buffer !== 'undefined') {
+        return Buffer.from(value, 'utf8').toString('base64');
+    }
+    if (typeof globalThis.btoa === 'function') {
+        const bytes = new TextEncoder().encode(value);
+        let binary = '';
+        for (const byte of bytes) {
+            binary += String.fromCodePoint(byte);
+        }
+        return globalThis.btoa(binary);
+    }
+    throw ErrorFactory.createTryCatchError('HTTP basic auth encoding is unavailable');
+};
+const normalizeCredentialUrl = (url, headers) => {
+    let parsed;
+    try {
+        parsed = new URL(url);
+    }
+    catch {
+        return { url, headers };
+    }
+    const username = parsed.username;
+    const password = parsed.password;
+    if (username === '' && password === '') {
+        return { url, headers };
+    }
+    const nextHeaders = { ...headers };
+    if (!hasAuthorizationHeader(nextHeaders)) {
+        const credentials = encodeBase64Utf8(`${decodeCredentialComponent(username)}:${decodeCredentialComponent(password)}`);
+        nextHeaders['Authorization'] = `Basic ${credentials}`;
+    }
+    parsed.username = '';
+    parsed.password = '';
+    return {
+        url: parsed.toString(),
+        headers: nextHeaders,
+    };
+};
 const serializeFormBody = (body) => {
     if (body === null || body === undefined)
         return body;
@@ -153,8 +203,8 @@ const captureTraceResponseBody = async (response) => {
  * Perform the actual request for a given state. Separated to keep the builder small
  */
 async function performRequest(state) {
-    const { response, bodyText, durationMs } = await performRequestRaw(state);
-    Logger.debug(`HTTP ${state.method} ${state.url}`, {
+    const { response, bodyText, durationMs, effectiveState } = await performRequestRaw(state);
+    Logger.debug(`HTTP ${effectiveState.method} ${effectiveState.url}`, {
         status: response.status,
         duration: `${durationMs}ms`,
         size: bodyText.length,
@@ -162,31 +212,45 @@ async function performRequest(state) {
     return createHttpResponse(response, bodyText);
 }
 async function performRequestRaw(state) {
-    const { response, durationMs, requestBody } = await performFetch(state);
+    const { response, durationMs, requestBody, effectiveState } = await performFetch(state);
     const bodyText = await response.text();
-    emitHttpClientTrace({ state, requestBody, response, responseBody: bodyText, durationMs });
-    return { response, bodyText, durationMs, requestBody };
+    emitHttpClientTrace({
+        state: effectiveState,
+        requestBody,
+        response,
+        responseBody: bodyText,
+        durationMs,
+    });
+    return { response, bodyText, durationMs, requestBody, effectiveState };
 }
 async function performFetch(state) {
     const timeout = state.timeout ?? Env.getInt('HTTP_TIMEOUT', 30000);
     const controller = new AbortController();
+    const normalizedTarget = normalizeCredentialUrl(state.url, state.headers);
+    const effectiveState = normalizedTarget.url === state.url && normalizedTarget.headers === state.headers
+        ? state
+        : {
+            ...state,
+            url: normalizedTarget.url,
+            headers: normalizedTarget.headers,
+        };
     let timeoutId;
     if (timeout > 0) {
         timeoutId = globalThis.setTimeout(() => controller.abort(), timeout);
     }
     const buildInit = () => {
         if (OpenTelemetry.isEnabled()) {
-            OpenTelemetry.injectTraceHeaders(state.headers);
+            OpenTelemetry.injectTraceHeaders(effectiveState.headers);
         }
-        const requestBody = serializeRequestBody(state);
+        const requestBody = serializeRequestBody(effectiveState);
         const init = {
-            method: state.method,
-            headers: state.headers,
+            method: effectiveState.method,
+            headers: effectiveState.headers,
             signal: controller.signal,
         };
         if (requestBody !== undefined &&
             requestBody !== null &&
-            ['POST', 'PUT', 'PATCH', 'DELETE'].includes(state.method)) {
+            ['POST', 'PUT', 'PATCH', 'DELETE'].includes(effectiveState.method)) {
             init.body = requestBody;
         }
         return { init, requestBody };
@@ -194,28 +258,28 @@ async function performFetch(state) {
     const startTime = Date.now();
     try {
         const { init, requestBody } = buildInit();
-        const response = await globalThis.fetch(state.url, init);
+        const response = await globalThis.fetch(effectiveState.url, init);
         const duration = Date.now() - startTime;
-        return { response, durationMs: duration, requestBody };
+        return { response, durationMs: duration, requestBody, effectiveState };
     }
     catch (error) {
         const duration = Date.now() - startTime;
         emitHttpClientTrace({
-            state,
-            requestBody: serializeRequestBody(state),
+            state: effectiveState,
+            requestBody: serializeRequestBody(effectiveState),
             durationMs: duration,
             error: error instanceof Error ? error.message : String(error),
         });
         if (error instanceof Error && error.name === 'AbortError') {
             throw ErrorFactory.createConnectionError(`HTTP request timeout after ${timeout}ms`, {
-                url: state.url,
-                method: state.method,
+                url: effectiveState.url,
+                method: effectiveState.method,
                 timeout,
             });
         }
         throw ErrorFactory.createTryCatchError(`HTTP request failed: ${error.message}`, {
-            url: state.url,
-            method: state.method,
+            url: effectiveState.url,
+            method: effectiveState.method,
             error: error instanceof Error ? error.message : String(error),
         });
     }
@@ -225,6 +289,18 @@ async function performFetch(state) {
         }
     }
 }
+async function performFetchWithTrace(state) {
+    const result = await performFetch(state);
+    const responseBody = await captureTraceResponseBody(result.response);
+    emitHttpClientTrace({
+        state: result.effectiveState,
+        requestBody: result.requestBody,
+        response: result.response,
+        responseBody,
+        durationMs: result.durationMs,
+    });
+    return result;
+}
 /**
  * Create request builder with fluent API
  */
@@ -251,7 +327,7 @@ function createRequestBuilder(method, url, initialBody) {
             return self;
         },
         withBasicAuth(username, password) {
-            const credentials = Buffer.from(`${username}:${password}`).toString('base64');
+            const credentials = encodeBase64Utf8(`${username}:${password}`);
             state.headers['Authorization'] = `Basic ${credentials}`;
             return self;
         },
@@ -281,15 +357,11 @@ function createRequestBuilder(method, url, initialBody) {
             return performRequest(state);
         },
         async sendRaw() {
-            const { response, durationMs, requestBody } = await performFetch(state);
-            const responseBody = await captureTraceResponseBody(response);
-            emitHttpClientTrace({ state, requestBody, response, responseBody, durationMs });
+            const { response } = await performFetchWithTrace(state);
             return response;
         },
         async sendStream() {
-            const { response, durationMs, requestBody } = await performFetch(state);
-            const responseBody = await captureTraceResponseBody(response);
-            emitHttpClientTrace({ state, requestBody, response, responseBody, durationMs });
+            const { response } = await performFetchWithTrace(state);
             return { response, stream: response.body };
         },
     };

package/src/zintrust.plugins.d.ts

@@ -1,10 +1,7 @@
 /**
- * ZinTrust plugin auto-imports
- *
- * In real projects, this file is managed by `zin plugin install` and contains
- * side-effect imports (e.g. `@zintrust/db-sqlite/register`) that register
- * optional adapters/drivers into core registries.
- *
+ * Auto-generated fallback module.
+ * This file is created by scripts/ensure-worker-plugins.mjs when missing.
+ * It allows optional runtime plugin imports to resolve in CI/scaffolded setups.
  */
 export type {};
 export declare const __zintrustGeneratedPluginStub = "zintrust.plugins.ts";

package/src/zintrust.plugins.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"zintrust.plugins.d.ts","sourceRoot":"","sources":["../../src/zintrust.plugins.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAIH,YAAY,EAAE,CAAC;AAgBf,eAAO,MAAM,6BAA6B,wBAAwB,CAAC;;AACnE,wBAAkB"}
+{"version":3,"file":"zintrust.plugins.d.ts","sourceRoot":"","sources":["../../src/zintrust.plugins.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAIH,YAAY,EAAE,CAAC;AAgBf,eAAO,MAAM,6BAA6B,wBAAwB,CAAC;;AACnE,wBAAkB"}

package/src/zintrust.plugins.js

@@ -1,10 +1,7 @@
 /**
- * ZinTrust plugin auto-imports
- *
- * In real projects, this file is managed by `zin plugin install` and contains
- * side-effect imports (e.g. `@zintrust/db-sqlite/register`) that register
- * optional adapters/drivers into core registries.
- *
+ * Auto-generated fallback module.
+ * This file is created by scripts/ensure-worker-plugins.mjs when missing.
+ * It allows optional runtime plugin imports to resolve in CI/scaffolded setups.
  */
 import * as TraceRuntime from './runtime/plugins/trace-runtime.js';
 globalThis.__zintrust_system_trace_plugin_requested__ = true;