api-turnstile 0.1.0 → 0.1.1

package/README.md

@@ -1,27 +1,7 @@
-# 🛡️ api-turnstile
+# api-turnstile
 
-> **Cloudflare Turnstile protects browsers — not APIs.**  
-> **Sentinel is a Turnstile for APIs.**  
-> **Block bots, scripts, and automation without CAPTCHAs.**
-
----
-
-## Why This Exists
-
-Your API endpoints are under constant attack from:
-- ✅ Credential stuffing bots
-- ✅ Automated account creation
-- ✅ Payment fraud scripts
-- ✅ API scrapers
-
-Traditional solutions force you to choose between:
-- ❌ **CAPTCHAs** (user-hostile, kills conversion)
-- ❌ **Rate limiting** (blocks legitimate users during traffic spikes)
-- ❌ **IP blocking** (trivial to bypass with proxies)
-
-**api-turnstile** is different. It's **drop-in API armor** that makes trust decisions in under 50ms using infrastructure and behavioral signals.
-
----
+Cloudflare Turnstile protects browsers. Sentinel protects APIs.
+Block bots, scrapers, and automated attacks in under 50ms using infrastructure and behavioral signals. No CAPTCHAs required.
 
 ## Installation
 
@@ -29,350 +9,50 @@ Traditional solutions force you to choose between:
 npm install api-turnstile
 ```
 
----
-
-## Quick Start
-
-Protect your signup endpoint in **under 60 seconds**:
+## Quick Start (Express)
 
 ```javascript
-import express from 'express';
 import { sentinel } from 'api-turnstile';
 
-const app = express();
-
 app.use(sentinel({
   apiKey: process.env.SENTINEL_KEY,
-  protect: ['/login', '/signup']
+  protect: ['/login', '/api/*']
 }));
-
-app.post('/signup', (req, res) => {
-  // Only legitimate traffic reaches here
-  res.json({ success: true });
-});
 ```
 
-That's it. **92% of bot signups blocked automatically.**
-
----
-
-## How It Works
+## Features
 
-```
-Client Request
-    ↓
-api-turnstile middleware
-    ↓
-Sentinel Decision Engine (< 50ms)
-    ├─ ASN Analysis (Datacenter? VPN? Mobile?)
-    ├─ Velocity Tracking (IP rotation? Burst traffic?)
-    └─ Behavioral Signals (Trust tokens? PoW?)
-    ↓
-PASS → Your handler
-BLOCK → 403 Forbidden
-```
+- **Multi-Framework**: Native support for Express, Fastify, Hono, and Bun.
+- **Edge Native**: Specialized middleware for Next.js Edge Runtime and Vercel.
+- **Sentinel CLI**: Terminal-based monitoring (`sentinel tail`) and forensics.
+- **Economic Defenses**: Behavioral Work Tokens (BWT) to increase bot costs.
+- **Real-time Alerts**: Webhook notifications for blocked incidents.
 
-No JavaScript required. No browser fingerprinting. **Pure API-native security.**
+## Supported Adapters
 
----
+| Framework | Middleware |
+|-----------|------------|
+| Express / Node | `sentinel(config)` |
+| Fastify | `sentinelFastify(config)` |
+| Hono / Bun | `sentinelHono(config)` |
+| Next.js Edge | `sentinelEdge(config)` |
 
 ## Configuration
 
-### Basic (Recommended)
-
-```javascript
-app.use(sentinel({
-  apiKey: process.env.SENTINEL_KEY,
-  protect: ['/login', '/signup', '/api/payment']
-}));
-```
-
-### Advanced (Per-Path Modes)
-
-```javascript
-app.use(sentinel({
-  apiKey: process.env.SENTINEL_KEY,
-  
-  protect: {
-    '/login': 'strict',        // Zero tolerance
-    '/signup': 'strict',        // Zero tolerance
-    '/api/search': 'balanced',  // Block obvious abuse
-    '/api/public/*': 'monitor'  // Log only, never block
-  },
-
-  profile: 'signup',  // Optimized for account creation
-
-  fail: 'closed',  // Block if Sentinel is unreachable (secure default)
-
-  onBlock: (req, res, decision) => {
-    res.status(403).json({
-      error: 'Access denied',
-      reason: decision.reason,
-      // Optionally show widget for redemption
-      widget_url: decision.remediation?.widget_required 
-        ? 'https://yoursite.com/verify' 
-        : null
-    });
-  }
-}));
-```
-
----
-
-## Modes
-
-| Mode | Behavior | Use Case |
-|------|----------|----------|
-| **monitor** | Never blocks, logs only | Testing, analytics |
-| **balanced** | Blocks obvious abuse | General API protection |
-| **strict** | Fail-closed, no mercy | Login, payments, crypto |
-
----
-
-## Security Profiles
+| Option | Description |
+|--------|-------------|
+| `apiKey` | Your API key from the dashboard |
+| `protect` | Array of paths or path-to-mode mapping |
+| `profile` | Security profile (`api`, `signup`, `payments`, `crypto`) |
+| `webhooks` | Optional URL for block notifications |
+| `fail` | Strategy if API is down (`open`, `closed`) |
 
-Optimize decision thresholds for your use case:
+## Links
 
-```javascript
-profile: 'api'       // General API protection (default)
-profile: 'signup'    // Account creation (stricter on datacenter IPs)
-profile: 'payments'  // Financial transactions (maximum scrutiny)
-profile: 'crypto'    // Cryptocurrency operations (zero tolerance)
-```
-
----
-
-## Fail Strategies
-
-### Fail Closed (Default - Recommended)
-
-```javascript
-fail: 'closed'  // If Sentinel is unreachable, block requests
-```
-
-**Why this matters:** This is security infrastructure, not analytics. If the trust engine is down, attackers shouldn't get in.
-
-### Fail Open (High Availability)
-
-```javascript
-fail: 'open'  // If Sentinel is unreachable, allow requests
-```
-
-Use this if uptime is more critical than security (e.g., public read-only APIs).
-
----
-
-## Path Matching
-
-Supports wildcards for flexible protection:
-
-```javascript
-protect: {
-  '/api/*': 'monitor',           // All /api routes
-  '/admin/**': 'strict',          // All admin routes (recursive)
-  '/auth/login': 'strict',        // Exact match
-  '/public/search': 'balanced'    // Specific endpoint
-}
-```
-
----
-
-## Getting Your API Key
-
-1. Visit [Sentinel Dashboard](https://sentinel-engine.onrender.com)
-2. Sign in with GitHub (OAuth, no password needed)
-3. Copy your API key from the dashboard
-4. Add to `.env`:
-
-```bash
-SENTINEL_KEY=your_api_key_here
-```
-
----
-
-## Pricing
-
-### Free Tier
-- ✅ 1,000 decisions/month
-- ✅ All protection modes
-- ✅ Fast-path decisions (<50ms)
-- ✅ Community support
-
-### Premium ($6/mo)
-- ✅ 500,000 decisions/month
-- ✅ Real-time analytics dashboard
-- ✅ Conditional widget (only show for high-risk IPs)
-- ✅ Priority support
-
-[Upgrade on Dashboard →](https://sentinel-engine.onrender.com/dashboard)
-
----
-
-## Advanced Usage
-
-### Custom IP Extraction
-
-```javascript
-import { sentinel, SentinelClient } from 'api-turnstile';
-
-// Use the client directly for custom logic
-const client = new SentinelClient(process.env.SENTINEL_KEY);
-
-app.post('/custom', async (req, res) => {
-  const ip = req.headers['cf-connecting-ip']; // Cloudflare
-  
-  const decision = await client.check({
-    target: ip,
-    profile: 'payments'
-  });
-
-  if (!decision.allow) {
-    return res.status(403).json({ error: decision.reason });
-  }
-
-  // Continue with handler
-});
-```
-
-### Debug Mode
-
-```javascript
-app.use(sentinel({
-  apiKey: process.env.SENTINEL_KEY,
-  protect: ['/api/*'],
-  debug: true  // Logs all decisions to console
-}));
-```
-
----
-
-## TypeScript Support
-
-Fully typed out of the box:
-
-```typescript
-import { sentinel, SentinelConfig, SentinelDecision } from 'api-turnstile';
-
-const config: SentinelConfig = {
-  apiKey: process.env.SENTINEL_KEY!,
-  protect: {
-    '/login': 'strict'
-  },
-  onBlock: (req, res, decision: SentinelDecision) => {
-    res.status(403).json({ blocked: true });
-  }
-};
-
-app.use(sentinel(config));
-```
-
----
-
-## Performance
-
-- **Decision Latency:** <50ms (p99)
-- **Overhead:** ~2-5ms per protected request
-- **Caching:** Intelligent ASN-based caching reduces API calls
-- **Fail-Safe:** Timeout after 2 seconds (configurable)
-
----
-
-## How This Beats Cloudflare
-
-| Feature | Cloudflare Turnstile | api-turnstile |
-|---------|---------------------|---------------|
-| **Protects** | Browser pages | APIs |
-| **Requires JS** | Yes | No |
-| **CAPTCHA fallback** | Yes | Never |
-| **API-native** | No | Yes |
-| **Decision latency** | ~200ms | <50ms |
-| **Per-endpoint modes** | No | Yes |
-
----
-
-## Examples
-
-### Protect Login Endpoint
-
-```javascript
-app.use(sentinel({
-  apiKey: process.env.SENTINEL_KEY,
-  protect: { '/auth/login': 'strict' },
-  profile: 'signup'
-}));
-```
-
-### Monitor Public API
-
-```javascript
-app.use(sentinel({
-  apiKey: process.env.SENTINEL_KEY,
-  protect: { '/api/public/*': 'monitor' },
-  fail: 'open'  // Never block public endpoints
-}));
-```
-
-### Multi-Tier Protection
-
-```javascript
-app.use(sentinel({
-  apiKey: process.env.SENTINEL_KEY,
-  protect: {
-    '/auth/*': 'strict',
-    '/api/write/*': 'balanced',
-    '/api/read/*': 'monitor'
-  }
-}));
-```
-
----
-
-## FAQ
-
-### Does this work with serverless?
-
-Yes. Works with Vercel, Netlify, AWS Lambda, and any Node.js environment.
-
-### What about GDPR?
-
-Sentinel is **stateless** and stores no PII. Only temporary IP reputation data (ASN, geolocation) is processed.
-
-### Can I self-host Sentinel?
-
-The engine is open-source. [See repo →](https://github.com/risksignal/sentinel)
-
-### What happens if Sentinel is down?
-
-Depends on your `fail` strategy:
-- `fail: 'closed'` → Blocks requests (secure default)
-- `fail: 'open'` → Allows requests (high availability)
-
----
-
-## Roadmap
-
-- [x] Fastify middleware
-- [ ] Next.js Edge Runtime support
-- [ ] Hono adapter
-- [ ] Bun native support
-- [ ] Custom webhook notifications
-
----
-
-## Support
-
-- 📖 [Documentation](https://sentinel.risksignal.name.ng/docs)
-- 💬 [GitHub Issues](https://github.com/risksignal/sentinel/issues)
-- 🐦 [Twitter Updates](https://twitter.com/risksignal)
-
----
+- [Dashboard & API Keys](https://sentinel.risksignal.name.ng)
+- [Full Documentation](https://sentinel.risksignal.name.ng/docs)
+- [GitHub Repository](https://github.com/risksignal/sentinel)
 
 ## License
 
 MIT
-
----
-
-**Built by developers who are tired of CAPTCHAs ruining conversion rates.**
-
-If this saved you from bot attacks, [⭐ star the repo](https://github.com/risksignal/sentinel).

package/dist/cli/index.d.ts

@@ -0,0 +1,3 @@
+#!/usr/bin/env node
+export {};
+//# sourceMappingURL=index.d.ts.map

package/dist/cli/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/cli/index.ts"],"names":[],"mappings":""}

package/dist/cli/index.js

@@ -0,0 +1,176 @@
+#!/usr/bin/env node
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+const sentinel_1 = require("../client/sentinel");
+const fs = __importStar(require("fs"));
+const path = __importStar(require("path"));
+const pkg = JSON.parse(fs.readFileSync(path.join(__dirname, '../../package.json'), 'utf8'));
+const usage = `
+Sentinel CLI v${pkg.version}
+The deterministic trust layer for modern APIs.
+
+Usage:
+  sentinel <command> [options]
+
+Commands:
+  check <ip>      Perform a real-time reputation and trust check on an IP
+  stats           View aggregate security outcomes and mitigation rates
+  tail            Stream live trust decisions to your terminal
+  scan <url>      Simulate a security audit on an endpoint (CI/CD ready)
+  version         Show current version
+
+Options:
+  --key <key>     Specify API key (defaults to SENTINEL_API_KEY env var)
+  --mock <ip>     Mock IP for the scan (default: 1.1.1.1)
+  --profile <p>   Decision profile (default: api)
+  --debug         Enable verbose logging
+`;
+async function main() {
+    const args = process.argv.slice(2);
+    const command = args[0];
+    if (!command || command === 'help' || command === '--help') {
+        console.log(usage);
+        return;
+    }
+    if (command === 'version' || command === '--version' || command === '-v') {
+        console.log(`sentinel v${pkg.version}`);
+        return;
+    }
+    let apiKey = process.env.SENTINEL_API_KEY;
+    const keyIndex = args.indexOf('--key');
+    if (keyIndex !== -1 && args[keyIndex + 1]) {
+        apiKey = args[keyIndex + 1];
+    }
+    if (!apiKey) {
+        console.error('Error: No API key found. Set SENTINEL_API_KEY or use --key.');
+        process.exit(1);
+    }
+    const debug = args.includes('--debug');
+    const client = new sentinel_1.SentinelClient(apiKey, 'https://sentinel.risksignal.name.ng', 5000, debug);
+    try {
+        switch (command) {
+            case 'scan':
+                const url = args[1];
+                if (!url) {
+                    console.error('Error: Please specify a target URL.');
+                    process.exit(1);
+                }
+                const mockIp = args.includes('--mock') ? args[args.indexOf('--mock') + 1] : '1.1.1.1';
+                console.log(`Scanning security layer at ${url}`);
+                console.log(`Simulating origin: ${mockIp}\n`);
+                const start = Date.now();
+                const scanRes = await fetch(url, {
+                    headers: {
+                        'x-sentinel-mock-ip': mockIp,
+                        'x-forwarded-for': mockIp
+                    }
+                });
+                const duration = Date.now() - start;
+                if (scanRes.status === 403) {
+                    console.log(`PASS: Sentinel correctly blocked the request.`);
+                    console.log(`Latency: ${duration}ms`);
+                }
+                else {
+                    console.log(`FAIL: Hostile traffic reached the origin (HTTP ${scanRes.status}).`);
+                    console.log(`Check if your middleware is correctly applied to this path.`);
+                }
+                break;
+            case 'check':
+                const ip = args[1];
+                if (!ip) {
+                    console.error('Error: Please specify an IP address.');
+                    process.exit(1);
+                }
+                const profile = args.includes('--profile') ? args[args.indexOf('--profile') + 1] : 'api';
+                console.log(`Checking trust for ${ip} [Profile: ${profile}]...`);
+                const decision = await client.check({ target: ip, profile: profile });
+                console.log(`Verdict:    ${decision.allow ? 'PASS' : 'BLOCK'}`);
+                console.log(`Confidence: ${(decision.confidence * 100).toFixed(1)}%`);
+                console.log(`Reason:     ${decision.reason.toUpperCase()}`);
+                console.log(`Latency:    ${decision.latency_ms}ms`);
+                break;
+            case 'stats':
+                const statsRes = await fetch('https://sentinel.risksignal.name.ng/api/analytics', {
+                    headers: { 'Authorization': `Bearer ${apiKey}` }
+                });
+                if (!statsRes.ok) {
+                    const err = await statsRes.text();
+                    console.error(`Error: Failed to fetch stats: ${err}`);
+                    return;
+                }
+                const stats = await statsRes.json();
+                console.log(`System Statistics`);
+                console.log(`-----------------`);
+                console.log(`Total Signals:     ${stats.total_signals.toLocaleString()}`);
+                console.log(`Mitigation Rate:   ${stats.outcomes.reduction}`);
+                console.log(`Blocked Attacks:   ${stats.outcomes.blocked.toLocaleString()}`);
+                console.log(`Capital Saved:     $${stats.outcomes.saved}`);
+                break;
+            case 'tail':
+                let lastSeen = new Date().toISOString();
+                console.log('Streaming live decisions (Press Ctrl+C to stop)...');
+                setInterval(async () => {
+                    try {
+                        const tailRes = await fetch('https://sentinel.risksignal.name.ng/api/analytics', {
+                            headers: { 'Authorization': `Bearer ${apiKey}` }
+                        });
+                        if (!tailRes.ok)
+                            return;
+                        const data = await tailRes.json();
+                        const logs = (data.recent_logs || []).reverse();
+                        for (const log of logs) {
+                            if (new Date(log.time) > new Date(lastSeen)) {
+                                const v = log.verdict.toUpperCase();
+                                const label = v === 'TRUSTED' ? 'PASS' : v === 'UNSTABLE' ? 'FLAG' : 'BLOCK';
+                                console.log(`${new Date(log.time).toLocaleTimeString()} [${label}] ${log.target.padEnd(15)} | ${log.reason} (${log.latency}ms)`);
+                                lastSeen = log.time;
+                            }
+                        }
+                    }
+                    catch (e) { }
+                }, 2000);
+                break;
+            default:
+                console.log(`Error: Unknown command: ${command}`);
+                console.log(usage);
+        }
+    }
+    catch (error) {
+        console.error(`Error: ${error.message}`);
+        process.exit(1);
+    }
+}
+main();

package/dist/client/sentinel.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"sentinel.d.ts","sourceRoot":"","sources":["../../src/client/sentinel.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,WAAW,EAAE,gBAAgB,EAAiB,MAAM,UAAU,CAAC;AAExE;;GAEG;AACH,qBAAa,cAAc;IACvB,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAS;IAClC,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAS;IAChC,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAS;IACjC,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAU;gBAG5B,MAAM,EAAE,MAAM,EACd,QAAQ,GAAE,MAA8C,EACxD,OAAO,GAAE,MAAa,EACtB,KAAK,GAAE,OAAe;IAQ1B;;OAEG;IACG,KAAK,CAAC,MAAM,EAAE,WAAW,GAAG,OAAO,CAAC,gBAAgB,CAAC;IAwE3D;;OAEG;IACG,WAAW,IAAI,OAAO,CAAC,OAAO,CAAC;CAWxC"}
+{"version":3,"file":"sentinel.d.ts","sourceRoot":"","sources":["../../src/client/sentinel.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,WAAW,EAAE,gBAAgB,EAAiB,MAAM,UAAU,CAAC;AAExE;;GAEG;AACH,qBAAa,cAAc;IACvB,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAS;IAClC,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAS;IAChC,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAS;IACjC,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAU;gBAG5B,MAAM,EAAE,MAAM,EACd,QAAQ,GAAE,MAA8C,EACxD,OAAO,GAAE,MAAa,EACtB,KAAK,GAAE,OAAe;IAQ1B;;OAEG;IACG,KAAK,CAAC,MAAM,EAAE,WAAW,GAAG,OAAO,CAAC,gBAAgB,CAAC;IAyE3D;;OAEG;IACG,WAAW,IAAI,OAAO,CAAC,OAAO,CAAC;CAWxC"}

package/dist/client/sentinel.js

@@ -34,7 +34,8 @@ class SentinelClient {
                 body: JSON.stringify({
                     target: params.target,
                     profile: params.profile,
-                    privacy_mode: params.privacy_mode || 'full'
+                    privacy_mode: params.privacy_mode || 'full',
+                    bwt_enabled: !!params.bwtNonce
                 }),
                 signal: controller.signal
             });

package/dist/index.d.ts

@@ -1,12 +1,7 @@
-/**
- * api-turnstile
- *
- * Cloudflare Turnstile protects browsers — not APIs.
- * Sentinel is a Turnstile for APIs.
- * Block bots, scripts, and automation without CAPTCHAs.
- */
 export { sentinel } from './middleware/express';
 export { sentinelFastify } from './middleware/fastify';
+export { sentinelEdge } from './middleware/next';
+export { sentinelHono } from './middleware/hono';
 export { SentinelClient } from './client/sentinel';
 export type { SentinelConfig, SentinelDecision, SecurityProfile, ProtectionMode, FailStrategy, PathProtection, CheckParams, Verdict } from './types';
 export { SentinelError, ConfigurationError } from './types';

package/dist/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAGH,OAAO,EAAE,QAAQ,EAAE,MAAM,sBAAsB,CAAC;AAChD,OAAO,EAAE,eAAe,EAAE,MAAM,sBAAsB,CAAC;AAGvD,OAAO,EAAE,cAAc,EAAE,MAAM,mBAAmB,CAAC;AAGnD,YAAY,EACR,cAAc,EACd,gBAAgB,EAChB,eAAe,EACf,cAAc,EACd,YAAY,EACZ,cAAc,EACd,WAAW,EACX,OAAO,EACV,MAAM,SAAS,CAAC;AAGjB,OAAO,EAAE,aAAa,EAAE,kBAAkB,EAAE,MAAM,SAAS,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,QAAQ,EAAE,MAAM,sBAAsB,CAAC;AAChD,OAAO,EAAE,eAAe,EAAE,MAAM,sBAAsB,CAAC;AACvD,OAAO,EAAE,YAAY,EAAE,MAAM,mBAAmB,CAAC;AACjD,OAAO,EAAE,YAAY,EAAE,MAAM,mBAAmB,CAAC;AAGjD,OAAO,EAAE,cAAc,EAAE,MAAM,mBAAmB,CAAC;AAGnD,YAAY,EACR,cAAc,EACd,gBAAgB,EAChB,eAAe,EACf,cAAc,EACd,YAAY,EACZ,cAAc,EACd,WAAW,EACX,OAAO,EACV,MAAM,SAAS,CAAC;AAEjB,OAAO,EAAE,aAAa,EAAE,kBAAkB,EAAE,MAAM,SAAS,CAAC"}

package/dist/index.js

@@ -1,22 +1,18 @@
 "use strict";
-/**
- * api-turnstile
- *
- * Cloudflare Turnstile protects browsers — not APIs.
- * Sentinel is a Turnstile for APIs.
- * Block bots, scripts, and automation without CAPTCHAs.
- */
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.ConfigurationError = exports.SentinelError = exports.SentinelClient = exports.sentinelFastify = exports.sentinel = void 0;
+exports.ConfigurationError = exports.SentinelError = exports.SentinelClient = exports.sentinelHono = exports.sentinelEdge = exports.sentinelFastify = exports.sentinel = void 0;
 // Export middleware
 var express_1 = require("./middleware/express");
 Object.defineProperty(exports, "sentinel", { enumerable: true, get: function () { return express_1.sentinel; } });
 var fastify_1 = require("./middleware/fastify");
 Object.defineProperty(exports, "sentinelFastify", { enumerable: true, get: function () { return fastify_1.sentinelFastify; } });
-// Export client (for advanced usage)
+var next_1 = require("./middleware/next");
+Object.defineProperty(exports, "sentinelEdge", { enumerable: true, get: function () { return next_1.sentinelEdge; } });
+var hono_1 = require("./middleware/hono");
+Object.defineProperty(exports, "sentinelHono", { enumerable: true, get: function () { return hono_1.sentinelHono; } });
+// Export client
 var sentinel_1 = require("./client/sentinel");
 Object.defineProperty(exports, "SentinelClient", { enumerable: true, get: function () { return sentinel_1.SentinelClient; } });
-// Export errors
 var types_1 = require("./types");
 Object.defineProperty(exports, "SentinelError", { enumerable: true, get: function () { return types_1.SentinelError; } });
 Object.defineProperty(exports, "ConfigurationError", { enumerable: true, get: function () { return types_1.ConfigurationError; } });

package/dist/middleware/express.d.ts

@@ -1,7 +1,7 @@
 import { Request, Response, NextFunction } from 'express';
 import { SentinelConfig } from '../types';
 /**
- * Express middleware factory for Sentinel protection
+ * Sentinel Express Middleware
  */
 export declare function sentinel(config: SentinelConfig): (req: Request, res: Response, next: NextFunction) => Promise<void | Response<any, Record<string, any>>>;
 //# sourceMappingURL=express.d.ts.map

package/dist/middleware/express.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"express.d.ts","sourceRoot":"","sources":["../../src/middleware/express.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,OAAO,EAAE,QAAQ,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AAC1D,OAAO,EAAE,cAAc,EAAqD,MAAM,UAAU,CAAC;AA+G7F;;GAEG;AACH,wBAAgB,QAAQ,CAAC,MAAM,EAAE,cAAc,IAwB7B,KAAK,OAAO,EAAE,KAAK,QAAQ,EAAE,MAAM,YAAY,wDAqFhE"}
+{"version":3,"file":"express.d.ts","sourceRoot":"","sources":["../../src/middleware/express.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,OAAO,EAAE,QAAQ,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AAC1D,OAAO,EAAE,cAAc,EAAqD,MAAM,UAAU,CAAC;AA0D7F;;GAEG;AACH,wBAAgB,QAAQ,CAAC,MAAM,EAAE,cAAc,IAa7B,KAAK,OAAO,EAAE,KAAK,QAAQ,EAAE,MAAM,YAAY,wDAqDhE"}

package/dist/middleware/express.js

@@ -3,192 +3,112 @@ Object.defineProperty(exports, "__esModule", { value: true });
 exports.sentinel = sentinel;
 const types_1 = require("../types");
 const sentinel_1 = require("../client/sentinel");
-/**
- * Path matching utilities
- */
 class PathMatcher {
-    /**
-     * Check if a path matches a pattern (supports wildcards)
-     */
     static matches(path, pattern) {
-        // Exact match
         if (path === pattern)
             return true;
-        // Wildcard match (e.g., /api/*)
         if (pattern.includes('*')) {
-            const regexPattern = pattern
-                .replace(/\*/g, '.*')
-                .replace(/\//g, '\\/');
+            const regexPattern = pattern.replace(/\*/g, '.*').replace(/\//g, '\\/');
             const regex = new RegExp(`^${regexPattern}$`);
             return regex.test(path);
         }
         return false;
     }
-    /**
-     * Get the protection mode for a given path
-     */
     static getMode(path, protect) {
-        // Array format - default to 'balanced'
         if (Array.isArray(protect)) {
             const isProtected = protect.some(pattern => this.matches(path, pattern));
             return isProtected ? 'balanced' : null;
         }
-        // Object format - check each pattern
         for (const [pattern, mode] of Object.entries(protect)) {
-            if (this.matches(path, pattern)) {
+            if (this.matches(path, pattern))
                 return mode;
-            }
         }
         return null;
     }
 }
-/**
- * Validate Sentinel configuration
- */
 function validateConfig(config) {
     if (!config.apiKey || typeof config.apiKey !== 'string') {
-        throw new types_1.ConfigurationError('apiKey is required and must be a string');
+        throw new types_1.ConfigurationError('apiKey is required');
     }
     if (!config.protect) {
         throw new types_1.ConfigurationError('protect configuration is required');
     }
-    if (!Array.isArray(config.protect) && typeof config.protect !== 'object') {
-        throw new types_1.ConfigurationError('protect must be an array or object');
-    }
-    if (config.fail && !['open', 'closed'].includes(config.fail)) {
-        throw new types_1.ConfigurationError('fail must be either "open" or "closed"');
-    }
-    if (config.profile && !['api', 'signup', 'payments', 'crypto'].includes(config.profile)) {
-        throw new types_1.ConfigurationError('profile must be one of: api, signup, payments, crypto');
-    }
 }
-/**
- * Extract client IP from request
- */
 function getClientIP(req) {
-    // 0. Manual Mocking for Lab Testing
     const mockIp = req.headers['x-sentinel-mock-ip'];
-    if (mockIp && typeof mockIp === 'string') {
+    if (mockIp && typeof mockIp === 'string')
         return mockIp;
-    }
-    // 1. Check x-forwarded-for header
     const forwarded = req.headers['x-forwarded-for'];
     if (forwarded) {
         const ips = Array.isArray(forwarded) ? forwarded[0] : forwarded;
         return ips.split(',')[0].trim();
     }
-    // Check x-real-ip header
     const realIp = req.headers['x-real-ip'];
-    if (realIp && typeof realIp === 'string') {
+    if (realIp && typeof realIp === 'string')
         return realIp;
-    }
-    // Fall back to req.ip
     if (req.ip) {
-        // Remove IPv6 prefix if present
         let ip = req.ip;
-        if (ip.startsWith('::ffff:')) {
+        if (ip.startsWith('::ffff:'))
             ip = ip.substring(7);
-        }
-        if (ip === '::1') {
+        if (ip === '::1')
             ip = '127.0.0.1';
-        }
         return ip;
     }
     return '127.0.0.1';
 }
 /**
- * Express middleware factory for Sentinel protection
+ * Sentinel Express Middleware
  */
 function sentinel(config) {
-    // Validate configuration at initialization
     validateConfig(config);
-    // Initialize client
     const client = new sentinel_1.SentinelClient(config.apiKey, config.endpoint, config.timeout, config.debug);
     const failStrategy = config.fail || 'closed';
     const defaultProfile = config.profile || 'api';
-    if (config.debug) {
-        console.log('[Sentinel] Middleware initialized', {
-            endpoint: config.endpoint || 'default',
-            fail: failStrategy,
-            profile: defaultProfile
-        });
-    }
-    // Return the actual middleware function
     return async (req, res, next) => {
         const path = req.path;
         const mode = PathMatcher.getMode(path, config.protect);
-        // Path is not protected - pass through
-        if (!mode) {
+        if (!mode)
             return next();
-        }
-        // Monitor mode - log but don't block
         if (mode === 'monitor') {
-            if (config.debug) {
-                console.log(`[Sentinel] Monitor mode for ${path} - logging only`);
-            }
-            // Fire and forget the check for logging purposes
             const ip = getClientIP(req);
-            client.check({ target: ip, profile: defaultProfile }).catch(() => {
-                // Silently fail in monitor mode
-            });
+            client.check({ target: ip, profile: defaultProfile }).catch(() => { });
             return next();
         }
-        // Get client IP and tokens
         const ip = getClientIP(req);
         const trustToken = req.headers['x-sentinel-trust'];
         const bwtNonce = req.headers['x-bwt-nonce'];
         try {
-            // Make decision request
             const decision = await client.check({
                 target: ip,
                 profile: defaultProfile,
                 trustToken,
                 bwtNonce
             });
-            // PASS - allow request through
-            if (decision.allow) {
-                if (config.debug) {
-                    console.log(`[Sentinel] PASS for ${ip} on ${path}`);
-                }
+            if (decision.allow)
                 return next();
+            if (config.webhooks?.onBlock) {
+                fetch(config.webhooks.onBlock, {
+                    method: 'POST',
+                    headers: { 'Content-Type': 'application/json' },
+                    body: JSON.stringify({ event: 'SENTINEL_BLOCK', ip, path, decision })
+                }).catch(() => { });
             }
-            // BLOCK - reject request
-            if (config.debug) {
-                console.log(`[Sentinel] BLOCK for ${ip} on ${path}: ${decision.reason}`);
-            }
-            // Use custom block handler if provided
             if (config.onBlock) {
                 return config.onBlock(req, res, decision);
             }
-            // Default block response
             return res.status(403).json({
-                error: 'Request blocked by Sentinel',
+                error: 'Access denied',
                 reason: decision.reason,
                 remediation: decision.remediation
             });
         }
         catch (error) {
-            // Handle Sentinel API errors based on fail strategy
-            if (config.debug) {
-                console.error('[Sentinel] Error during check:', error);
-            }
-            if (failStrategy === 'open') {
-                // Fail open - allow request through
-                if (config.debug) {
-                    console.log('[Sentinel] Failing open - allowing request');
-                }
+            if (failStrategy === 'open')
                 return next();
-            }
-            else {
-                // Fail closed - block request (secure default)
-                if (config.debug) {
-                    console.log('[Sentinel] Failing closed - blocking request');
-                }
-                return res.status(503).json({
-                    error: 'Security verification unavailable',
-                    message: 'Please try again later'
-                });
-            }
+            return res.status(503).json({
+                error: 'Security verification unavailable',
+                message: 'Please try again later'
+            });
         }
     };
 }

package/dist/middleware/fastify.d.ts

@@ -2,9 +2,6 @@ import { FastifyRequest, FastifyReply } from 'fastify';
 import { SentinelConfig } from '../types';
 /**
  * Sentinel Fastify Middleware
- *
- * Cloudflare Turnstile protects browsers — not APIs.
- * Sentinel is a Turnstile for APIs.
  */
 export declare const sentinelFastify: (config: SentinelConfig) => (request: FastifyRequest, reply: FastifyReply) => Promise<void>;
 //# sourceMappingURL=fastify.d.ts.map

package/dist/middleware/fastify.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"fastify.d.ts","sourceRoot":"","sources":["../../src/middleware/fastify.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,cAAc,EAAE,YAAY,EAA0C,MAAM,SAAS,CAAC;AAE/F,OAAO,EAAE,cAAc,EAAoB,MAAM,UAAU,CAAC;AAE5D;;;;;GAKG;AACH,eAAO,MAAM,eAAe,GAAI,QAAQ,cAAc,MA6BpC,SAAS,cAAc,EAAE,OAAO,YAAY,kBAgD7D,CAAC"}
+{"version":3,"file":"fastify.d.ts","sourceRoot":"","sources":["../../src/middleware/fastify.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,cAAc,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AAEvD,OAAO,EAAE,cAAc,EAAE,MAAM,UAAU,CAAC;AAE1C;;GAEG;AACH,eAAO,MAAM,eAAe,GAAI,QAAQ,cAAc,MA2BpC,SAAS,cAAc,EAAE,OAAO,YAAY,kBAmC7D,CAAC"}

package/dist/middleware/fastify.js

@@ -4,9 +4,6 @@ exports.sentinelFastify = void 0;
 const sentinel_1 = require("../client/sentinel");
 /**
  * Sentinel Fastify Middleware
- *
- * Cloudflare Turnstile protects browsers — not APIs.
- * Sentinel is a Turnstile for APIs.
  */
 const sentinelFastify = (config) => {
     const client = new sentinel_1.SentinelClient(config.apiKey, config.endpoint, config.timeout, config.debug);
@@ -16,10 +13,8 @@ const sentinelFastify = (config) => {
         if (Array.isArray(config.protect)) {
             return config.protect.includes(path) ? 'balanced' : null;
         }
-        // Exact match
         if (config.protect[path])
             return config.protect[path];
-        // Search for wildcards (e.g. /api/*)
         for (const pattern in config.protect) {
             if (pattern.endsWith('*')) {
                 const base = pattern.slice(0, -1);
@@ -31,12 +26,8 @@ const sentinelFastify = (config) => {
     };
     return async (request, reply) => {
         const mode = isPathProtected(request.url);
-        if (!mode || mode === 'monitor') {
-            if (config.debug && mode === 'monitor') {
-                console.log(`[Sentinel] Monitoring: ${request.url}`);
-            }
+        if (!mode || mode === 'monitor')
             return;
-        }
         const ip = request.headers['x-forwarded-for'] || request.ip || '127.0.0.1';
         const cleanIp = ip.includes(',') ? ip.split(',')[0].trim() : ip;
         try {
@@ -46,9 +37,6 @@ const sentinelFastify = (config) => {
                 privacy_mode: 'full',
                 trustToken: request.headers['x-sentinel-trust']
             });
-            if (config.debug) {
-                console.log(`[Sentinel] Decision for ${cleanIp}: ${decision.allow ? 'ALLOW' : 'BLOCK'} (${decision.reason})`);
-            }
             if (!decision.allow) {
                 if (config.onBlock) {
                     return config.onBlock(request, reply, decision);
@@ -61,9 +49,6 @@ const sentinelFastify = (config) => {
             }
         }
         catch (error) {
-            if (config.debug) {
-                console.error('[Sentinel] Check failed:', error);
-            }
             if (config.fail === 'closed') {
                 return reply.code(403).send({
                     error: 'Security system unavailable',

package/dist/middleware/hono.d.ts

@@ -0,0 +1,6 @@
+import { SentinelConfig } from '../types';
+/**
+ * Sentinel Hono Middleware
+ */
+export declare const sentinelHono: (config: SentinelConfig) => (c: any, next: any) => Promise<any>;
+//# sourceMappingURL=hono.d.ts.map

package/dist/middleware/hono.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"hono.d.ts","sourceRoot":"","sources":["../../src/middleware/hono.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,cAAc,EAAE,MAAM,UAAU,CAAC;AAE1C;;GAEG;AACH,eAAO,MAAM,YAAY,GAAI,QAAQ,cAAc,MA2BjC,GAAG,GAAG,EAAE,MAAM,GAAG,iBA6ClC,CAAC"}

package/dist/middleware/hono.js

@@ -0,0 +1,67 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.sentinelHono = void 0;
+const sentinel_1 = require("../client/sentinel");
+/**
+ * Sentinel Hono Middleware
+ */
+const sentinelHono = (config) => {
+    const client = new sentinel_1.SentinelClient(config.apiKey, config.endpoint, config.timeout, config.debug);
+    const isPathProtected = (path) => {
+        if (!config.protect)
+            return null;
+        if (Array.isArray(config.protect)) {
+            return config.protect.includes(path) ? 'balanced' : null;
+        }
+        if (config.protect[path])
+            return config.protect[path];
+        for (const pattern in config.protect) {
+            if (pattern.endsWith('*')) {
+                const base = pattern.slice(0, -1);
+                if (path.startsWith(base))
+                    return config.protect[pattern];
+            }
+        }
+        return null;
+    };
+    return async (c, next) => {
+        const path = c.req.path;
+        const mode = isPathProtected(path);
+        if (!mode || mode === 'monitor') {
+            await next();
+            return;
+        }
+        const ip = c.req.header('x-forwarded-for') ||
+            c.req.header('x-real-ip') ||
+            '127.0.0.1';
+        const cleanIp = ip.includes(',') ? ip.split(',')[0].trim() : ip;
+        try {
+            const decision = await client.check({
+                target: cleanIp,
+                profile: config.profile || 'api',
+                privacy_mode: 'full',
+                trustToken: c.req.header('x-sentinel-trust')
+            });
+            if (!decision.allow) {
+                if (config.onBlock) {
+                    return config.onBlock(c.req, c.res, decision);
+                }
+                return c.json({
+                    error: 'Access denied',
+                    reason: decision.reason,
+                    remediation: decision.remediation
+                }, 403);
+            }
+        }
+        catch (error) {
+            if (config.fail === 'closed') {
+                return c.json({
+                    error: 'Security system unavailable',
+                    code: 'SENTINEL_UNREACHABLE'
+                }, 403);
+            }
+        }
+        await next();
+    };
+};
+exports.sentinelHono = sentinelHono;

package/dist/middleware/next.d.ts

@@ -0,0 +1,16 @@
+import { SentinelConfig } from '../types';
+/**
+ * Sentinel Next.js Edge Middleware
+ */
+export declare const sentinelEdge: (config: SentinelConfig) => (request: any) => Promise<{
+    blocked: boolean;
+    status: number;
+    decision: import("../types").SentinelDecision;
+    response: import("undici-types").Response;
+} | {
+    blocked: boolean;
+    status: number;
+    response: import("undici-types").Response;
+    decision?: undefined;
+} | null>;
+//# sourceMappingURL=next.d.ts.map

package/dist/middleware/next.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"next.d.ts","sourceRoot":"","sources":["../../src/middleware/next.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,cAAc,EAAE,MAAM,UAAU,CAAC;AAE1C;;GAEG;AACH,eAAO,MAAM,YAAY,GAAI,QAAQ,cAAc,MA2BjC,SAAS,GAAG;;;;;;;;;;SAsD7B,CAAC"}

package/dist/middleware/next.js

@@ -0,0 +1,78 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.sentinelEdge = void 0;
+const sentinel_1 = require("../client/sentinel");
+/**
+ * Sentinel Next.js Edge Middleware
+ */
+const sentinelEdge = (config) => {
+    const client = new sentinel_1.SentinelClient(config.apiKey, config.endpoint, config.timeout, config.debug);
+    const isPathProtected = (path) => {
+        if (!config.protect)
+            return null;
+        if (Array.isArray(config.protect)) {
+            return config.protect.includes(path) ? 'balanced' : null;
+        }
+        if (config.protect[path])
+            return config.protect[path];
+        for (const pattern in config.protect) {
+            if (pattern.endsWith('*')) {
+                const base = pattern.slice(0, -1);
+                if (path.startsWith(base))
+                    return config.protect[pattern];
+            }
+        }
+        return null;
+    };
+    return async (request) => {
+        const url = new URL(request.url);
+        const path = url.pathname;
+        const mode = isPathProtected(path);
+        if (!mode || mode === 'monitor')
+            return null;
+        const ip = request.headers.get('x-forwarded-for') ||
+            request.headers.get('x-real-ip') ||
+            '127.0.0.1';
+        const cleanIp = ip.includes(',') ? ip.split(',')[0].trim() : ip;
+        try {
+            const decision = await client.check({
+                target: cleanIp,
+                profile: config.profile || 'api',
+                privacy_mode: 'full',
+                trustToken: request.headers.get('x-sentinel-trust')
+            });
+            if (!decision.allow) {
+                return {
+                    blocked: true,
+                    status: 403,
+                    decision,
+                    response: new Response(JSON.stringify({
+                        error: 'Access denied',
+                        reason: decision.reason,
+                        remediation: decision.remediation
+                    }), {
+                        status: 403,
+                        headers: { 'Content-Type': 'application/json' }
+                    })
+                };
+            }
+        }
+        catch (error) {
+            if (config.fail === 'closed') {
+                return {
+                    blocked: true,
+                    status: 403,
+                    response: new Response(JSON.stringify({
+                        error: 'Security system unavailable',
+                        code: 'SENTINEL_UNREACHABLE'
+                    }), {
+                        status: 403,
+                        headers: { 'Content-Type': 'application/json' }
+                    })
+                };
+            }
+        }
+        return null;
+    };
+};
+exports.sentinelEdge = sentinelEdge;

package/dist/types.d.ts

@@ -74,6 +74,21 @@ export interface SentinelConfig {
      * Custom block handler
      */
     onBlock?: (req: any, res: any, decision: SentinelDecision) => void;
+    /**
+     * Webhook notifications for security events
+     */
+    webhooks?: {
+        onBlock?: string;
+        onFlag?: string;
+    };
+    /**
+     * Behavioral Work Token (BWT) options
+     * Enforces cryptographic proof-of-work for "Unstable" IPs
+     */
+    bwt?: {
+        enabled: boolean;
+        difficulty?: number;
+    };
     /**
      * Enable debug logging
      * @default false

package/dist/types.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":"AAAA;;GAEG;AACH,MAAM,MAAM,eAAe,GAAG,KAAK,GAAG,QAAQ,GAAG,UAAU,GAAG,QAAQ,CAAC;AAEvE;;GAEG;AACH,MAAM,MAAM,cAAc,GAAG,SAAS,GAAG,UAAU,GAAG,QAAQ,CAAC;AAE/D;;GAEG;AACH,MAAM,MAAM,YAAY,GAAG,MAAM,GAAG,QAAQ,CAAC;AAE7C;;GAEG;AACH,MAAM,MAAM,OAAO,GAAG,SAAS,GAAG,SAAS,GAAG,WAAW,CAAC;AAE1D;;GAEG;AACH,MAAM,MAAM,cAAc,GACpB,MAAM,EAAE,GACR,MAAM,CAAC,MAAM,EAAE,cAAc,CAAC,CAAC;AAErC;;GAEG;AACH,MAAM,WAAW,gBAAgB;IAC7B,KAAK,EAAE,OAAO,CAAC;IACf,MAAM,EAAE,OAAO,GAAG,OAAO,CAAC;IAC1B,WAAW,EAAE,MAAM,CAAC;IACpB,IAAI,EAAE,MAAM,CAAC;IACb,MAAM,EAAE,MAAM,CAAC;IACf,UAAU,EAAE,MAAM,CAAC;IACnB,WAAW,CAAC,EAAE;QACV,eAAe,EAAE,OAAO,CAAC;QACzB,oBAAoB,EAAE,OAAO,CAAC;KACjC,CAAC;IACF,UAAU,CAAC,EAAE,MAAM,CAAC;CACvB;AAED;;GAEG;AACH,MAAM,WAAW,cAAc;IAC3B;;OAEG;IACH,MAAM,EAAE,MAAM,CAAC;IAEf;;;;OAIG;IACH,OAAO,EAAE,cAAc,CAAC;IAExB;;;OAGG;IACH,OAAO,CAAC,EAAE,eAAe,CAAC;IAE1B;;;OAGG;IACH,QAAQ,CAAC,EAAE,MAAM,CAAC;IAElB;;;;;OAKG;IACH,IAAI,CAAC,EAAE,YAAY,CAAC;IAEpB;;;OAGG;IACH,OAAO,CAAC,EAAE,MAAM,CAAC;IAEjB;;OAEG;IACH,OAAO,CAAC,EAAE,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,QAAQ,EAAE,gBAAgB,KAAK,IAAI,CAAC;IAEnE;;;OAGG;IACH,KAAK,CAAC,EAAE,OAAO,CAAC;CACnB;AAED;;GAEG;AACH,MAAM,WAAW,WAAW;IACxB,MAAM,EAAE,MAAM,CAAC;IACf,OAAO,EAAE,eAAe,CAAC;IACzB,YAAY,CAAC,EAAE,QAAQ,GAAG,MAAM,CAAC;IACjC,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,QAAQ,CAAC,EAAE,MAAM,CAAC;CACrB;AAED;;GAEG;AACH,qBAAa,aAAc,SAAQ,KAAK;IAGzB,UAAU,CAAC,EAAE,MAAM;IACnB,aAAa,CAAC,EAAE,KAAK;gBAF5B,OAAO,EAAE,MAAM,EACR,UAAU,CAAC,EAAE,MAAM,YAAA,EACnB,aAAa,CAAC,EAAE,KAAK,YAAA;CAMnC;AAED;;GAEG;AACH,qBAAa,kBAAmB,SAAQ,KAAK;gBAC7B,OAAO,EAAE,MAAM;CAK9B"}
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":"AAAA;;GAEG;AACH,MAAM,MAAM,eAAe,GAAG,KAAK,GAAG,QAAQ,GAAG,UAAU,GAAG,QAAQ,CAAC;AAEvE;;GAEG;AACH,MAAM,MAAM,cAAc,GAAG,SAAS,GAAG,UAAU,GAAG,QAAQ,CAAC;AAE/D;;GAEG;AACH,MAAM,MAAM,YAAY,GAAG,MAAM,GAAG,QAAQ,CAAC;AAE7C;;GAEG;AACH,MAAM,MAAM,OAAO,GAAG,SAAS,GAAG,SAAS,GAAG,WAAW,CAAC;AAE1D;;GAEG;AACH,MAAM,MAAM,cAAc,GACpB,MAAM,EAAE,GACR,MAAM,CAAC,MAAM,EAAE,cAAc,CAAC,CAAC;AAErC;;GAEG;AACH,MAAM,WAAW,gBAAgB;IAC7B,KAAK,EAAE,OAAO,CAAC;IACf,MAAM,EAAE,OAAO,GAAG,OAAO,CAAC;IAC1B,WAAW,EAAE,MAAM,CAAC;IACpB,IAAI,EAAE,MAAM,CAAC;IACb,MAAM,EAAE,MAAM,CAAC;IACf,UAAU,EAAE,MAAM,CAAC;IACnB,WAAW,CAAC,EAAE;QACV,eAAe,EAAE,OAAO,CAAC;QACzB,oBAAoB,EAAE,OAAO,CAAC;KACjC,CAAC;IACF,UAAU,CAAC,EAAE,MAAM,CAAC;CACvB;AAED;;GAEG;AACH,MAAM,WAAW,cAAc;IAC3B;;OAEG;IACH,MAAM,EAAE,MAAM,CAAC;IAEf;;;;OAIG;IACH,OAAO,EAAE,cAAc,CAAC;IAExB;;;OAGG;IACH,OAAO,CAAC,EAAE,eAAe,CAAC;IAE1B;;;OAGG;IACH,QAAQ,CAAC,EAAE,MAAM,CAAC;IAElB;;;;;OAKG;IACH,IAAI,CAAC,EAAE,YAAY,CAAC;IAEpB;;;OAGG;IACH,OAAO,CAAC,EAAE,MAAM,CAAC;IAEjB;;OAEG;IACH,OAAO,CAAC,EAAE,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,QAAQ,EAAE,gBAAgB,KAAK,IAAI,CAAC;IAEnE;;OAEG;IACH,QAAQ,CAAC,EAAE;QACP,OAAO,CAAC,EAAE,MAAM,CAAC;QACjB,MAAM,CAAC,EAAE,MAAM,CAAC;KACnB,CAAC;IAEF;;;OAGG;IACH,GAAG,CAAC,EAAE;QACF,OAAO,EAAE,OAAO,CAAC;QACjB,UAAU,CAAC,EAAE,MAAM,CAAC;KACvB,CAAC;IAEF;;;OAGG;IACH,KAAK,CAAC,EAAE,OAAO,CAAC;CACnB;AAED;;GAEG;AACH,MAAM,WAAW,WAAW;IACxB,MAAM,EAAE,MAAM,CAAC;IACf,OAAO,EAAE,eAAe,CAAC;IACzB,YAAY,CAAC,EAAE,QAAQ,GAAG,MAAM,CAAC;IACjC,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,QAAQ,CAAC,EAAE,MAAM,CAAC;CACrB;AAED;;GAEG;AACH,qBAAa,aAAc,SAAQ,KAAK;IAGzB,UAAU,CAAC,EAAE,MAAM;IACnB,aAAa,CAAC,EAAE,KAAK;gBAF5B,OAAO,EAAE,MAAM,EACR,UAAU,CAAC,EAAE,MAAM,YAAA,EACnB,aAAa,CAAC,EAAE,KAAK,YAAA;CAMnC;AAED;;GAEG;AACH,qBAAa,kBAAmB,SAAQ,KAAK;gBAC7B,OAAO,EAAE,MAAM;CAK9B"}

package/package.json

@@ -1,9 +1,12 @@
 {
     "name": "api-turnstile",
-    "version": "0.1.0",
+    "version": "0.1.1",
     "description": "Cloudflare Turnstile protects browsers — not APIs. Sentinel is a Turnstile for APIs. Block bots, scripts, and automation without CAPTCHAs.",
     "main": "dist/index.js",
     "types": "dist/index.d.ts",
+    "bin": {
+        "sentinel": "dist/cli/index.js"
+    },
     "scripts": {
         "build": "tsc",
         "dev": "tsc --watch",