fraim-framework 2.0.177 → 2.0.180

package/dist/src/middleware/auth.js

@@ -0,0 +1,266 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.AuthMiddleware = void 0;
+const fs_1 = require("fs");
+const path_1 = require("path");
+const cookie_service_1 = require("../services/cookie-service");
+const audit_log_1 = require("../services/audit-log");
+function resolveFraimProFilePath(fileName) {
+    const candidates = [
+        (0, path_1.join)(process.cwd(), 'fraim-pro', fileName),
+        (0, path_1.resolve)(__dirname, '..', '..', 'fraim-pro', fileName),
+        (0, path_1.resolve)(__dirname, '..', '..', '..', 'fraim-pro', fileName),
+    ];
+    for (const candidate of candidates) {
+        if ((0, fs_1.existsSync)(candidate))
+            return candidate;
+    }
+    return null;
+}
+class AuthMiddleware {
+    constructor(dbService, skipTestBypass = false) {
+        this.dbService = dbService;
+        this.skipTestBypass = skipTestBypass;
+    }
+    /**
+     * Middleware to authenticate requests via API key
+     */
+    async handle(req, res, next) {
+        // Note: Payment routes are registered BEFORE this middleware is applied
+        // Skip auth for public health check, admin routes, website signup, sales inquiries, and self-serve access flow
+        const rawPath = req.path ?? req.originalUrl ?? req.url ?? '';
+        const p = (typeof rawPath === 'string' ? rawPath : '').split('?')[0].replace(/\/$/, '') || '';
+        const publicPrefixes = ['/admin', '/dashboard', '/health', '/pricing', '/fraim-brain', '/api/signup', '/api/sales', '/api/request-access', '/api/installer-key', '/api/installer-download', '/api/installer-availability', '/api/payment/bypass', '/api/pricing', '/api/personas/catalog', '/auth', '/portfolio'];
+        // Analytics dashboard is public, but API routes are protected
+        const isAnalyticsPublic = p === '/analytics' || p === '/analytics/' || p.startsWith('/analytics/') && p.endsWith('.html');
+        // Homepage is public
+        if (p === '' || p === '/')
+            return next();
+        const publicExtensions = ['.css', '.js', '.png', '.jpg', '.jpeg', '.svg', '.ico', '.woff', '.woff2', '.ttf'];
+        const isPublic = publicPrefixes.some(prefix => p === prefix || p.startsWith(prefix + '/'))
+            || publicExtensions.some(ext => p.endsWith(ext))
+            || p.startsWith('/css/') || p.startsWith('/js/') || p.startsWith('/images/')
+            || isAnalyticsPublic;
+        if (isPublic) {
+            return next();
+        }
+        // Header-only API key transport. Query-string transport was removed because credentials
+        // in URLs leak through access logs, browser history, and HTTP Referer headers.
+        // Reject any request that attempts to use ?api-key= so silent fallback to header doesn't mask the misuse.
+        if (req.query && typeof req.query['api-key'] !== 'undefined') {
+            console.error(`[FRAIM AUTH] Rejected query-string api-key for ${req.method} ${req.path}`);
+            return res.status(401).json({
+                jsonrpc: '2.0',
+                error: { code: -32001, message: 'Unauthorized: API keys must be sent in the x-api-key header, not in the query string [AUTH-QUERY-FORBIDDEN]' },
+                id: req.body?.id || null
+            });
+        }
+        // Issue #359 — accept FraimAuthSession via cookie or Authorization: Bearer in addition to x-api-key.
+        // Priority: x-api-key (programmatic clients) → cookie (web) → bearer (mobile/native).
+        const apiKey = req.headers['x-api-key'];
+        const sessionFromCookie = (0, cookie_service_1.readSessionCookie)(req);
+        const sessionFromBearer = (0, cookie_service_1.readBearerToken)(req);
+        const sessionToken = sessionFromCookie || sessionFromBearer;
+        // If a session token is present and there's no API key, resolve it.
+        if (!apiKey && sessionToken) {
+            try {
+                const session = await this.dbService.getAuthSession(sessionToken);
+                if (!session || session.revoked || session.expiresAt < new Date()) {
+                    // MCP clients (claude.ai Connectors, Office add-ins, Claude Design) send the
+                    // FRAIM API key as Authorization: Bearer <key>. The bearer value arrives here
+                    // as sessionToken but is not a session UUID — it's the raw key. Try it as a
+                    // direct API key before returning 401.
+                    if (sessionFromBearer) {
+                        const directKeyData = await this.dbService.verifyApiKey(sessionFromBearer).catch(() => null);
+                        const isDirectKeyValid = directKeyData
+                            && directKeyData.status !== 'suspended'
+                            && !(directKeyData.status === 'expired' || (directKeyData.expiresAt && new Date() > directKeyData.expiresAt));
+                        if (isDirectKeyValid) {
+                            this.dbService.updateApiKeyLastUsed(directKeyData.key).catch(() => undefined);
+                            req.apiKeyData = directKeyData;
+                            req.authSource = 'bearer-api-key';
+                            return next();
+                        }
+                    }
+                    console.error(`[FRAIM AUTH] Invalid/revoked/expired session for ${req.method} ${req.path}`);
+                    if (sessionFromCookie)
+                        (0, cookie_service_1.clearSessionCookie)(res);
+                    (0, audit_log_1.auditLog)('SESSION_REVOKED', {
+                        userId: session?.userId ?? null,
+                        sessionId: sessionToken,
+                        reason: !session ? 'not_found' : session.revoked ? 'revoked' : 'expired',
+                        outcome: 'failure',
+                    }).catch(() => undefined);
+                    return res.status(401).json({
+                        jsonrpc: '2.0',
+                        error: { code: -32001, message: 'Unauthorized: Session expired or revoked [AUTH-SESSION-INVALID]' },
+                        id: req.body?.id || null
+                    });
+                }
+                const apiKeyData = await this.dbService.getApiKeyByUserId(session.userId, false);
+                if (!apiKeyData) {
+                    console.error(`[FRAIM AUTH] Session valid but no API key for user ${session.userId}`);
+                    return res.status(401).json({
+                        jsonrpc: '2.0',
+                        error: { code: -32001, message: 'Unauthorized: No identity for session [AUTH-NO-IDENTITY]' },
+                        id: req.body?.id || null
+                    });
+                }
+                this.dbService.touchAuthSession(session.sessionId).catch(err => {
+                    console.warn('[FRAIM AUTH] Failed to update auth session lastSeenAt:', err);
+                });
+                req.apiKeyData = apiKeyData;
+                req.authSession = session;
+                req.authSource = sessionFromCookie ? 'session-cookie' : 'session-bearer';
+                return next();
+            }
+            catch (err) {
+                const msg = err instanceof Error ? err.message : String(err);
+                console.error('[FRAIM AUTH] Error resolving session:', msg);
+                return res.status(500).json({ error: 'Internal Server Error', details: msg });
+            }
+        }
+        // Mixed-identity check: if both a session AND an api key are presented, they must agree.
+        if (apiKey && sessionToken) {
+            try {
+                const [keyData, session] = await Promise.all([
+                    this.dbService.verifyApiKey(apiKey),
+                    this.dbService.getAuthSession(sessionToken),
+                ]);
+                if (keyData && session && !session.revoked && keyData.userId !== session.userId) {
+                    console.error(`[FRAIM AUTH] MIXED_IDENTITY: api-key user=${keyData.userId} session user=${session.userId}`);
+                    (0, audit_log_1.auditLog)('MIXED_IDENTITY', {
+                        userId: keyData.userId,
+                        sessionId: sessionToken,
+                        outcome: 'failure',
+                        reason: `session_user=${session.userId}`,
+                    }).catch(() => undefined);
+                    return res.status(401).json({
+                        jsonrpc: '2.0',
+                        error: { code: -32001, message: 'Unauthorized: Mixed identity [AUTH-MIXED-IDENTITY]' },
+                        id: req.body?.id || null
+                    });
+                }
+            }
+            catch (err) {
+                console.warn('[FRAIM AUTH] Mixed-identity check failed:', err instanceof Error ? err.message : String(err));
+            }
+        }
+        // Check for missing API key first
+        if (!apiKey) {
+            // For browser navigation (HTML Accept, non-API path), serve 404 page instead of 401 JSON
+            const acceptsHtml = (req.headers.accept || '').includes('text/html');
+            const isApiPath = p.startsWith('/api/') || p.startsWith('/mcp') || p.startsWith('/admin');
+            if (acceptsHtml && !isApiPath) {
+                const page404 = resolveFraimProFilePath('404.html');
+                if (page404)
+                    return res.status(404).sendFile(page404);
+                return res.status(404).send('<h1>404</h1><p>Page not found.</p>');
+            }
+            console.error(`[FRAIM AUTH] Missing API key for ${req.method} ${req.path}`);
+            return res.status(401).json({
+                jsonrpc: '2.0',
+                error: { code: -32001, message: 'Unauthorized: Missing API key [AUTH-MISSING]' },
+                id: req.body?.id || null
+            });
+        }
+        // Auth bypass for Local Sync and Tests
+        const rawAuthMode = req.headers['x-fraim-auth-mode'];
+        const authMode = Array.isArray(rawAuthMode) ? rawAuthMode[0] : rawAuthMode;
+        const strictTestAuth = typeof authMode === 'string' && authMode.toLowerCase() === 'strict';
+        const isTestBypass = process.env.NODE_ENV === 'test' && !this.skipTestBypass && !strictTestAuth && apiKey !== 'invalid-key';
+        const isLocalDev = apiKey === 'local-dev' && process.env.NODE_ENV !== 'production';
+        if (isLocalDev || isTestBypass) {
+            req.apiKeyData = {
+                key: apiKey,
+                userId: isLocalDev ? 'local-dev-user' : 'test-user',
+                orgId: isLocalDev ? 'local-dev-org' : 'test-org',
+                isActive: true
+            };
+            return next();
+        }
+        try {
+            const apiKeyData = await this.dbService.verifyApiKey(apiKey);
+            if (!apiKeyData) {
+                console.error(`❌ FRAIM AUTH: Invalid API key: ${apiKey}`);
+                return res.status(401).json({
+                    jsonrpc: '2.0',
+                    error: { code: -32001, message: 'Unauthorized: Invalid x-api-key [AUTH-INVALID]' },
+                    id: req.body?.id || null
+                });
+            }
+            // Check if key is suspended
+            if (apiKeyData.status === 'suspended') {
+                const reason = apiKeyData.suspensionReason || 'payment failure';
+                console.error(`❌ FRAIM AUTH: Suspended API key: ${apiKey} (reason: ${reason})`);
+                return res.status(402).json({
+                    jsonrpc: '2.0',
+                    error: {
+                        code: -32002,
+                        message: `API key suspended due to ${reason}. Please update your payment method.`,
+                        data: {
+                            status: 'suspended',
+                            reason,
+                            paymentUrl: process.env.STRIPE_BILLING_PORTAL_URL || 'https://fraimworks.ai/billing'
+                        }
+                    },
+                    id: req.body?.id || null
+                });
+            }
+            // Check if key is expired
+            if (apiKeyData.status === 'expired' || (apiKeyData.expiresAt && new Date() > apiKeyData.expiresAt)) {
+                // Update status to expired if not already
+                if (apiKeyData.status !== 'expired') {
+                    await this.dbService.updateApiKey(apiKey, { status: 'expired' });
+                }
+                const tier = apiKeyData.tier;
+                const message = tier === 'trial'
+                    ? 'Your 14-day free trial has expired. Please upgrade to continue using FRAIM.'
+                    : 'Your subscription has expired. Please renew to continue using FRAIM.';
+                console.error(`❌ FRAIM AUTH: Expired API key: ${apiKey} (tier: ${tier})`);
+                return res.status(402).json({
+                    jsonrpc: '2.0',
+                    error: {
+                        code: -32003,
+                        message,
+                        data: {
+                            status: 'expired',
+                            tier,
+                            expiresAt: apiKeyData.expiresAt?.toISOString(),
+                            paymentUrl: tier === 'trial'
+                                ? (process.env.STRIPE_CHECKOUT_URL || 'https://fraimworks.ai/pricing')
+                                : (process.env.STRIPE_BILLING_PORTAL_URL || 'https://fraimworks.ai/billing')
+                        }
+                    },
+                    id: req.body?.id || null
+                });
+            }
+            // Update last used timestamp (async, don't await)
+            this.dbService.updateApiKeyLastUsed(apiKey).catch(err => {
+                console.warn('[FRAIM AUTH] Failed to update lastUsedAt:', err);
+            });
+            req.apiKeyData = apiKeyData;
+            return next();
+        }
+        catch (error) {
+            const msg = error instanceof Error ? error.message : String(error);
+            console.error('❌ FRAIM AUTH: Error during verification:', msg);
+            if (error instanceof Error && error.stack)
+                console.error(error.stack);
+            return res.status(500).json({ error: 'Internal Server Error', details: msg });
+        }
+    }
+    handleAdmin(req, res, next) {
+        const adminKey = process.env.FRAIM_ADMIN_KEY;
+        if (!adminKey) {
+            console.error('⚠️ FRAIM_ADMIN_KEY not configured on server');
+            return res.status(503).json({ error: 'Management API disabled (key not set)' });
+        }
+        const providedKey = req.headers['x-admin-key'];
+        if (providedKey !== adminKey) {
+            return res.status(403).json({ error: 'Forbidden: Invalid admin key' });
+        }
+        return next();
+    }
+}
+exports.AuthMiddleware = AuthMiddleware;

package/dist/src/middleware/cors-config.js

@@ -0,0 +1,111 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.buildCorsOptions = buildCorsOptions;
+exports.resolveSseAllowedOrigin = resolveSseAllowedOrigin;
+const git_utils_1 = require("../core/utils/git-utils");
+/**
+ * CORS allowlist configuration for the FRAIM server.
+ *
+ * Lives in its own module (not src/fraim-mcp-server.ts) so tests can import
+ * `buildCorsOptions` and `resolveSseAllowedOrigin` without running the
+ * top-level server bootstrap as a side effect.
+ *
+ * Allowlist sources (merged):
+ *   - FRAIM_CORS_ALLOWED_ORIGINS (comma-separated absolute origins, e.g.
+ *     "https://app.example.com,https://staging.example.com")
+ *   - Built-in production origins for fraimworks.ai
+ *   - Localhost dev origins when NODE_ENV !== 'production'
+ *
+ * Requests without an Origin header are allowed for curl/server-to-server
+ * callers. Browser POST/fetch requests can still include Origin on same-origin
+ * requests, so the active local FRAIM port must be allowlisted in development.
+ */
+function buildAllowlist() {
+    const fromEnv = (process.env.FRAIM_CORS_ALLOWED_ORIGINS || '')
+        .split(',')
+        .map(o => o.trim())
+        .filter(Boolean);
+    const publicBaseUrl = (process.env.FRAIM_PUBLIC_BASE_URL || '').replace(/\/+$/, '').trim();
+    const allowed = new Set([
+        ...fromEnv,
+        'https://fraimworks.ai',
+        'https://www.fraimworks.ai',
+        'https://fraim.wellnessatwork.me',
+        // Claude surfaces — browser-originated requests from claude.ai web app,
+        // Claude Design, and claude.ai settings pages (Connectors setup flow).
+        // Anthropic's backend MCP calls have no Origin header so don't need listing.
+        'https://claude.ai',
+        'https://www.claude.ai',
+        'https://design.claude.ai',
+        'https://api.anthropic.com',
+    ]);
+    if (publicBaseUrl && /^https?:\/\//i.test(publicBaseUrl)) {
+        allowed.add(publicBaseUrl);
+    }
+    if (process.env.NODE_ENV !== 'production') {
+        const localPorts = new Set([3000, 3002, 8080, 8765]);
+        const addPort = (value) => {
+            if (!value)
+                return;
+            const parsed = Number(value);
+            if (Number.isInteger(parsed) && parsed > 0) {
+                localPorts.add(parsed);
+            }
+        };
+        addPort(String((0, git_utils_1.getPort)()));
+        addPort(process.env.FRAIM_MCP_PORT);
+        addPort(process.env.PORT);
+        addPort(process.env.WEBSITES_PORT);
+        addPort(process.env.PLAYWRIGHT_FRAIM_MCP_PORT);
+        addPort(process.env.PLAYWRIGHT_WEBSITE_PORT);
+        const playwrightBaseUrl = (process.env.PLAYWRIGHT_BASE_URL || '').trim();
+        if (playwrightBaseUrl) {
+            try {
+                const parsed = new URL(playwrightBaseUrl);
+                if (parsed.protocol === 'http:' || parsed.protocol === 'https:') {
+                    allowed.add(parsed.origin);
+                }
+            }
+            catch {
+                // Ignore invalid PLAYWRIGHT_BASE_URL values and fall back to the static allowlist.
+            }
+        }
+        for (const localPort of localPorts) {
+            allowed.add(`http://localhost:${localPort}`);
+            allowed.add(`http://127.0.0.1:${localPort}`);
+        }
+    }
+    return allowed;
+}
+function buildCorsOptions() {
+    const allowed = buildAllowlist();
+    return {
+        origin: (origin, callback) => {
+            // Same-origin and non-browser tools have no Origin header.
+            // This covers Anthropic's cloud infrastructure making server-to-server
+            // MCP calls on behalf of claude.ai Connectors — no Origin header present.
+            if (!origin)
+                return callback(null, true);
+            if (allowed.has(origin))
+                return callback(null, true);
+            return callback(new Error(`CORS: origin ${origin} is not in the allowlist`));
+        },
+        credentials: false,
+        methods: ['GET', 'POST', 'OPTIONS'],
+        // Authorization: required by MCP HTTP transport for Bearer token auth
+        // mcp-session-id: required by MCP Streamable HTTP spec for session tracking
+        allowedHeaders: ['Content-Type', 'x-api-key', 'x-admin-key', 'x-fraim-auth-mode', 'x-fraim-local-version', 'x-fraim-session-id', 'Authorization', 'mcp-session-id'],
+        exposedHeaders: ['mcp-session-id'],
+    };
+}
+/**
+ * Resolve the SSE Access-Control-Allow-Origin value against the allowlist.
+ * Returns the request's Origin if it is allowed, otherwise undefined so the
+ * caller can omit the header entirely. Never returns the wildcard '*'.
+ */
+function resolveSseAllowedOrigin(origin) {
+    if (!origin)
+        return undefined;
+    const allowed = buildAllowlist();
+    return allowed.has(origin) ? origin : undefined;
+}

package/dist/src/middleware/logger.js

@@ -0,0 +1,116 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.requestLogger = requestLogger;
+const crypto_1 = require("crypto");
+const fs = __importStar(require("fs"));
+const path = __importStar(require("path"));
+const LOG_FILE = path.join(process.cwd(), 'server-direct.log');
+/**
+ * Extracts API key from request for logging purposes
+ */
+function getApiKeyForLogging(req) {
+    const fromContext = req.apiKeyData?.key;
+    if (typeof fromContext === 'string' && fromContext.trim().length > 0) {
+        return fromContext;
+    }
+    const fromHeader = Array.isArray(req.headers['x-api-key'])
+        ? req.headers['x-api-key'][0]
+        : req.headers['x-api-key'];
+    if (typeof fromHeader === 'string' && fromHeader.trim().length > 0) {
+        return fromHeader;
+    }
+    const fromQuery = req.query?.['api-key'];
+    if (typeof fromQuery === 'string' && fromQuery.trim().length > 0) {
+        return fromQuery;
+    }
+    return 'ANONYMOUS';
+}
+/**
+ * Middleware to log all requests
+ */
+function requestLogger(req, res, next) {
+    const start = Date.now();
+    const { method, path } = req;
+    const requestIdHeader = Array.isArray(req.headers['x-fraim-request-id'])
+        ? req.headers['x-fraim-request-id'][0]
+        : req.headers['x-fraim-request-id'];
+    const requestId = typeof requestIdHeader === 'string' && requestIdHeader.trim().length > 0
+        ? requestIdHeader
+        : (0, crypto_1.randomUUID)();
+    const localVersionHeader = Array.isArray(req.headers['x-fraim-local-version'])
+        ? req.headers['x-fraim-local-version'][0]
+        : req.headers['x-fraim-local-version'];
+    const localMcpVersion = typeof localVersionHeader === 'string' && localVersionHeader.trim().length > 0
+        ? localVersionHeader
+        : 'unknown';
+    req.requestId = requestId;
+    req.localMcpVersion = localMcpVersion;
+    res.setHeader('X-FRAIM-Request-ID', requestId);
+    let params = '';
+    if (method === 'POST') {
+        try {
+            params = JSON.stringify(req.body);
+        }
+        catch (e) {
+            params = '[Unserializable Body]';
+        }
+    }
+    const logEntry = (msg) => {
+        const timestamp = new Date().toISOString();
+        const entry = `[${timestamp}] ${msg}\n`;
+        try {
+            fs.appendFileSync(LOG_FILE, entry);
+        }
+        catch (e) {
+            console.error('Failed to write to log file:', e);
+        }
+        if (msg.includes('END') && msg.includes(' 400')) {
+            console.error(msg); // Still log errors to console
+        }
+        else {
+            console.info(msg);
+        }
+    };
+    logEntry(`[req:${requestId}] START ${method} ${path}${params ? ' ' + params : ''}`);
+    res.on('finish', () => {
+        const duration = Date.now() - start;
+        const status = res.statusCode;
+        const keyStr = getApiKeyForLogging(req);
+        const logMsg = `[req:${requestId}] [local:${localMcpVersion}] ${keyStr} END ${method} ${path} ${status} ${duration}ms`;
+        logEntry(logMsg);
+    });
+    next();
+}

package/dist/src/middleware/rate-limit.js

@@ -0,0 +1,110 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.sensitiveRateLimiter = exports.publicApiRateLimiter = void 0;
+exports.createRateLimiter = createRateLimiter;
+function createRateLimiter(options) {
+    const { windowMs, max, name } = options;
+    const buckets = new Map();
+    function cleanupExpired(now = Date.now()) {
+        let removed = 0;
+        for (const [key, bucket] of buckets) {
+            if (bucket.resetAt <= now) {
+                buckets.delete(key);
+                removed += 1;
+            }
+        }
+        return removed;
+    }
+    // Periodically sweep expired buckets so long-lived processes do not leak memory
+    // proportional to lifetime client-IP cardinality. unref() so the timer never holds
+    // the event loop open during shutdown.
+    let sweepTimer = null;
+    if (process.env.NODE_ENV !== 'test' || process.env.FRAIM_RATE_LIMIT_SWEEP === '1') {
+        sweepTimer = setInterval(() => {
+            const removed = cleanupExpired();
+            if (removed > 0) {
+                console.log(`[FRAIM RATE-LIMIT] ${name} swept ${removed} expired buckets (remaining=${buckets.size})`);
+            }
+        }, windowMs);
+        sweepTimer.unref();
+    }
+    const middleware = function rateLimitMiddleware(req, res, next) {
+        // Rate limits are skipped in test mode so the suite can run hundreds of requests
+        // against the same endpoint quickly. Production and dev still enforce them.
+        if (process.env.NODE_ENV === 'test' && process.env.FRAIM_TEST_RATE_LIMIT !== '1') {
+            return next();
+        }
+        const key = identifyClient(req);
+        const now = Date.now();
+        const bucket = buckets.get(key);
+        if (!bucket || bucket.resetAt <= now) {
+            buckets.set(key, { count: 1, resetAt: now + windowMs });
+            res.setHeader('X-RateLimit-Limit', String(max));
+            res.setHeader('X-RateLimit-Remaining', String(max - 1));
+            res.setHeader('X-RateLimit-Reset', String(Math.ceil((now + windowMs) / 1000)));
+            return next();
+        }
+        if (bucket.count >= max) {
+            const retryAfterSec = Math.max(1, Math.ceil((bucket.resetAt - now) / 1000));
+            res.setHeader('Retry-After', String(retryAfterSec));
+            res.setHeader('X-RateLimit-Limit', String(max));
+            res.setHeader('X-RateLimit-Remaining', '0');
+            res.setHeader('X-RateLimit-Reset', String(Math.ceil(bucket.resetAt / 1000)));
+            console.warn(`[FRAIM RATE-LIMIT] ${name} blocked ${key} on ${req.method} ${req.path}`);
+            return res.status(429).json({
+                error: 'Too many requests',
+                message: `Rate limit exceeded. Try again in ${retryAfterSec} seconds.`
+            });
+        }
+        bucket.count += 1;
+        res.setHeader('X-RateLimit-Limit', String(max));
+        res.setHeader('X-RateLimit-Remaining', String(max - bucket.count));
+        res.setHeader('X-RateLimit-Reset', String(Math.ceil(bucket.resetAt / 1000)));
+        return next();
+    };
+    middleware.reset = () => buckets.clear();
+    middleware.cleanupExpired = cleanupExpired;
+    middleware.stopCleanup = () => {
+        if (sweepTimer) {
+            clearInterval(sweepTimer);
+            sweepTimer = null;
+        }
+    };
+    Object.defineProperty(middleware, 'bucketCount', {
+        get: () => buckets.size
+    });
+    return middleware;
+}
+/**
+ * Identify the client for rate-limit bucketing.
+ * Order: explicit Express-resolved req.ip → first X-Forwarded-For hop → socket address → 'unknown'.
+ */
+function identifyClient(req) {
+    if (req.ip)
+        return req.ip;
+    const xff = req.headers['x-forwarded-for'];
+    if (typeof xff === 'string' && xff.length > 0) {
+        const first = xff.split(',')[0].trim();
+        if (first)
+            return first;
+    }
+    else if (Array.isArray(xff) && xff.length > 0) {
+        const first = xff[0].split(',')[0].trim();
+        if (first)
+            return first;
+    }
+    return req.socket?.remoteAddress || 'unknown';
+}
+/**
+ * Standard public-API limiter: 60 requests per minute per IP.
+ * Suitable for read-only public endpoints (pricing config, session details).
+ */
+const publicApiRateLimiter = () => createRateLimiter({ windowMs: 60_000, max: 60, name: 'public-api' });
+exports.publicApiRateLimiter = publicApiRateLimiter;
+/**
+ * Sensitive-action limiter: 10 requests per minute per IP.
+ * Suitable for signup, contact, bypass, key-retrieval, and other endpoints
+ * whose abuse has direct cost or fraud impact.
+ */
+const sensitiveRateLimiter = () => createRateLimiter({ windowMs: 60_000, max: 10, name: 'sensitive' });
+exports.sensitiveRateLimiter = sensitiveRateLimiter;

package/dist/src/middleware/reject-query-api-key.js

@@ -0,0 +1,45 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.rejectQueryStringApiKey = rejectQueryStringApiKey;
+/**
+ * Reject any API/MCP/admin request that carries an api-key in the query string.
+ *
+ * Why this exists separately from the AuthMiddleware's same check:
+ *   The AuthMiddleware short-circuits on public prefixes (e.g. /api/pricing/config),
+ *   which means a request like `/api/pricing/config?api-key=secret` previously slipped
+ *   the credential into URLs and access logs even though the route did not actually
+ *   authenticate it. This middleware runs BEFORE routing, so it catches that case.
+ *
+ * Why it is scoped to API paths and not applied globally:
+ *   The analytics dashboard navigates between its public HTML pages with
+ *   `?api-key=` in the URL so the front-end can store the key in sessionStorage
+ *   and then send it via header on subsequent XHRs. That page-navigation pattern
+ *   is intentional and preserved. The leak we close here is the API-call pattern
+ *   where the credential ends up in proxy/access logs.
+ *
+ * Paths covered: /api/*, /mcp, /mcp/*, /admin, /admin/*.
+ */
+function rejectQueryStringApiKey() {
+    return function (req, res, next) {
+        const path = req.path || '';
+        const isApiPath = path.startsWith('/api/')
+            || path === '/mcp'
+            || path.startsWith('/mcp/')
+            || path === '/admin'
+            || path.startsWith('/admin/');
+        if (!isApiPath)
+            return next();
+        if (req.query && typeof req.query['api-key'] !== 'undefined') {
+            console.error(`[FRAIM AUTH] Rejected query-string api-key (pre-routing) for ${req.method} ${path}`);
+            return res.status(401).json({
+                jsonrpc: '2.0',
+                error: {
+                    code: -32001,
+                    message: 'Unauthorized: API keys must be sent in the x-api-key header, not in the query string [AUTH-QUERY-FORBIDDEN]'
+                },
+                id: req.body?.id || null
+            });
+        }
+        return next();
+    };
+}