ingenium 0.0.1 → 0.0.2

package/dist/index.cjs

@@ -242,7 +242,10 @@ function parseMultipart(buffer$1, contentType, opts = {}) {
   const maxFields = opts.maxFields ?? DEFAULT_MAX_FIELDS;
   const allowed = opts.allowedMimePrefixes;
   const boundary = extractBoundary(contentType);
-  const result = { fields: {}, files: {} };
+  const result = {
+    fields: /* @__PURE__ */ Object.create(null),
+    files: /* @__PURE__ */ Object.create(null)
+  };
   if (buffer$1.length === 0) return result;
   const dashBoundary = buffer.Buffer.concat([DASH_DASH, buffer.Buffer.from(boundary)]);
   let cursor = buffer$1.indexOf(dashBoundary);
@@ -669,6 +672,8 @@ function makeIngeniumCookies(ctx) {
 }
 
 // src/proxy/trust.ts
+var IS_DEV = process.env.NODE_ENV !== "production";
+var warnedTrustTrue = false;
 function resolveForwarded(trust, remoteAddress, headers, defaultProtocol = "http") {
   if (trust === false || trust === 0 || trust === void 0 || trust === null) {
     return {
@@ -683,6 +688,16 @@ function resolveForwarded(trust, remoteAddress, headers, defaultProtocol = "http
   const fullChain = [...xff, remoteAddress];
   let trustedIp = remoteAddress;
   if (typeof trust === "boolean" && trust === true) {
+    if (IS_DEV && !warnedTrustTrue) {
+      warnedTrustTrue = true;
+      try {
+        process.emitWarning(
+          "trustProxy: true fully trusts the client-supplied X-Forwarded-For header, so ctx.ip can be spoofed by any caller. This bypasses IP rate-limits/allowlists and poisons audit logs. For production, set trustProxy to a hop count (e.g. 1) or a CIDR/subnet trust list (e.g. ['loopback', '10.0.0.0/8']) so only your reverse proxy is trusted.",
+          { code: "INGENIUM_TRUST_PROXY_TRUE" }
+        );
+      } catch {
+      }
+    }
     trustedIp = fullChain[0] ?? remoteAddress;
   } else if (typeof trust === "number") {
     const idx = Math.max(0, fullChain.length - 1 - trust);
@@ -1105,7 +1120,7 @@ function respondJsonWithEtag(ctx, body, opts = {}) {
 }
 
 // src/context/context.ts
-var IS_DEV = process.env.NODE_ENV !== "production";
+var IS_DEV2 = process.env.NODE_ENV !== "production";
 var _trustProxyWarned = false;
 var CRLF_RE = /[\r\n]/;
 function assertHeaderNameSafe(name) {
@@ -1314,7 +1329,7 @@ var IngeniumContext = class {
         this.headers,
         this.baseProtocol
       );
-      if (IS_DEV && !_trustProxyWarned && this._trustProxy === false) {
+      if (IS_DEV2 && !_trustProxyWarned && this._trustProxy === false) {
         if (this.headers["x-forwarded-for"] !== void 0) {
           _trustProxyWarned = true;
           try {
@@ -1387,7 +1402,7 @@ var IngeniumContext = class {
    * eliminates the branch body behind the `IS_DEV` gate.
    */
   _warnDoubleWrite(method) {
-    if (!IS_DEV) return;
+    if (!IS_DEV2) return;
     if (!this._written) return;
     try {
       process.emitWarning(
@@ -1597,7 +1612,7 @@ var IngeniumContextPool = class {
     return this.pool.length;
   }
 };
-var IS_DEV2 = process.env.NODE_ENV !== "production";
+var IS_DEV3 = process.env.NODE_ENV !== "production";
 var _responseObjectWarned = false;
 function reflectReturn(ctx, value) {
   if (ctx._written) return;
@@ -1605,7 +1620,7 @@ function reflectReturn(ctx, value) {
     ctx.status(204);
     return;
   }
-  if (IS_DEV2 && typeof Response !== "undefined" && value instanceof Response) {
+  if (IS_DEV3 && typeof Response !== "undefined" && value instanceof Response) {
     if (!_responseObjectWarned) {
       _responseObjectWarned = true;
       try {
@@ -3892,8 +3907,9 @@ var IngeniumApp = class {
       throw miss;
     }
     const applicable = [...flat.globalMiddleware];
+    const normalizedPath = ctx.path.includes("//") ? ctx.path.replace(/\/{2,}/g, "/") : ctx.path;
     for (const scoped of flat.scopedMiddleware) {
-      if (pathStartsWith(ctx.path, scoped.prefix)) applicable.push(scoped.mw);
+      if (pathStartsWith(normalizedPath, scoped.prefix)) applicable.push(scoped.mw);
     }
     if (applicable.length === 0) {
       throw miss;
@@ -4331,6 +4347,14 @@ function mimeFor(file) {
   const ext = path__namespace.extname(file).slice(1).toLowerCase();
   return MIME_TYPES[ext] ?? "application/octet-stream";
 }
+function isUnderRoot(absRoot, target) {
+  return target === absRoot || target.startsWith(absRoot + path__namespace.sep);
+}
+function hasDotfileSegment(absRoot, target) {
+  const rel = path__namespace.relative(absRoot, target);
+  if (rel.length === 0) return false;
+  return rel.split(/[/\\]/).some((s) => s.length > 0 && s.startsWith("."));
+}
 function makeEtag(stats) {
   return `W/"${stats.size.toString(16)}-${Math.floor(stats.mtimeMs).toString(16)}"`;
 }
@@ -4380,15 +4404,11 @@ function staticMiddleware(root, opts = {}) {
     }
     const joined = path__namespace.join(absRoot, urlPath);
     const resolved = path__namespace.resolve(joined);
-    const isUnderRoot = resolved === absRoot || resolved.startsWith(absRoot + path__namespace.sep);
-    if (!isUnderRoot) {
+    if (!isUnderRoot(absRoot, resolved)) {
       ctx.status(403).text("Forbidden");
       return;
     }
-    const rel = path__namespace.relative(absRoot, resolved);
-    const segments = rel.length === 0 ? [] : rel.split(/[/\\]/);
-    const hasDot = segments.some((s) => s.length > 0 && s.startsWith("."));
-    if (hasDot) {
+    if (hasDotfileSegment(absRoot, resolved)) {
       if (dotfiles === "deny") {
         ctx.status(403).text("Forbidden");
         return;
@@ -4436,6 +4456,19 @@ function staticMiddleware(root, opts = {}) {
     if (!stats || !stats.isFile()) {
       return next();
     }
+    if (!isUnderRoot(absRoot, target)) {
+      ctx.status(403).text("Forbidden");
+      return;
+    }
+    if (hasDotfileSegment(absRoot, target)) {
+      if (dotfiles === "deny") {
+        ctx.status(403).text("Forbidden");
+        return;
+      }
+      if (dotfiles === "ignore") {
+        return next();
+      }
+    }
     const etag = makeEtag(stats);
     const lastModified = new Date(stats.mtimeMs).toUTCString();
     ctx.set("etag", etag);
@@ -4494,6 +4527,7 @@ function staticMiddleware(root, opts = {}) {
 }
 
 // src/cors/middleware.ts
+var IS_DEV4 = process.env.NODE_ENV !== "production";
 var DEFAULT_METHODS = [
   "GET",
   "HEAD",
@@ -4519,7 +4553,9 @@ async function resolveOrigin(spec, reqOrigin, ctx) {
   if (typeof reqOrigin !== "string" || reqOrigin.length === 0) {
     return { value: null, reflected: false };
   }
-  if (spec === true) return { value: reqOrigin, reflected: true };
+  if (spec === true) {
+    return reqOrigin === "null" ? { value: null, reflected: true } : { value: reqOrigin, reflected: true };
+  }
   if (typeof spec === "string") {
     return spec === reqOrigin ? { value: reqOrigin, reflected: true } : { value: null, reflected: true };
   }
@@ -4549,10 +4585,29 @@ function corsMiddleware(opts = {}) {
   const maxAge = opts.maxAge;
   const optionsSuccessStatus = opts.optionsSuccessStatus ?? 204;
   if (credentials && origin === "*") {
-    throw new Error(
+    throw new IngeniumError(
+      500,
+      "CORS_CREDENTIALS_WILDCARD",
       "ingenium.cors: `credentials: true` is incompatible with `origin: '*'`. Specify an explicit origin (string, array, regex, or function) instead."
     );
   }
+  if (credentials && origin === true) {
+    throw new IngeniumError(
+      500,
+      "CORS_CREDENTIALS_WILDCARD",
+      "ingenium.cors: `credentials: true` is incompatible with `origin: true` (reflecting any Origin with credentials lets any site read authenticated responses). Specify an explicit allowlist (string, array, regex, or function)."
+    );
+  }
+  if (IS_DEV4 && credentials && (typeof origin === "function" || origin instanceof RegExp)) {
+    try {
+      process.emitWarning(
+        "ingenium.cors: `credentials: true` with a function/RegExp origin reflects the request Origin when the predicate matches. Ensure it never matches untrusted origins, or you expose authenticated responses to them.",
+        { code: "INGENIUM_CORS_CREDENTIALS_REFLECT" }
+      );
+    } catch {
+    }
+  }
+  const originIsFunction = typeof origin === "function";
   const methodsHeader = methods.join(",");
   const exposedHeader = exposedHeaders && exposedHeaders.length > 0 ? exposedHeaders.join(",") : void 0;
   const allowedHeader = allowedHeaders && allowedHeaders.length > 0 ? allowedHeaders.join(",") : void 0;
@@ -4565,7 +4620,7 @@ function corsMiddleware(opts = {}) {
       reqOriginStr,
       ctx
     );
-    if (reflected) appendVary(ctx, "Origin");
+    if (reflected || originIsFunction) appendVary(ctx, "Origin");
     if (allowOrigin !== null) {
       ctx.set("access-control-allow-origin", allowOrigin);
       if (credentials) {
@@ -4778,6 +4833,8 @@ var IngeniumCsrfError = class extends IngeniumError {
     super(403, "CSRF_FAILED", message);
   }
 };
+var IS_DEV5 = process.env.NODE_ENV !== "production";
+var CRLF_RE2 = /[\r\n]/;
 var TOKEN_BYTES = 18;
 var SAFE_METHODS_DEFAULT = ["GET", "HEAD", "OPTIONS", "TRACE"];
 var COOKIE_NAME_DEFAULT = "ingenium.csrf";
@@ -4792,10 +4849,20 @@ function csrfMiddleware(opts = {}) {
       await next();
       return;
     }
-    let expected = readExpectedToken(ctx, resolved);
+    const binding = resolved.storage === "cookie" && resolved.sessionBinding ? resolved.sessionBinding(ctx) : void 0;
+    if (IS_DEV5 && resolved.storage === "cookie" && resolved.secrets.length > 0 && binding === void 0) {
+      try {
+        process.emitWarning(
+          "csrfMiddleware: cookie-mode token has no session binding. Double-submit without binding assumes no XSS and a strict SameSite cookie \u2014 any token the server mints is globally valid. Provide `sessionBinding` to tie the token to a session/user.",
+          { type: "IngeniumCsrfUnboundTokenWarning" }
+        );
+      } catch {
+      }
+    }
+    let expected = readExpectedToken(ctx, resolved, binding);
     let mintedThisRequest = false;
     if (!expected) {
-      expected = mintToken(resolved);
+      expected = mintToken(resolved, binding);
       mintedThisRequest = true;
     }
     ctx.state.csrfToken = expected;
@@ -4815,14 +4882,15 @@ function csrfMiddleware(opts = {}) {
     }
   };
 }
-function mintToken(opts) {
+function mintToken(opts, binding) {
   const raw = crypto.randomBytes(TOKEN_BYTES).toString("base64url");
   if (opts.storage === "session" || opts.secrets.length === 0) return raw;
-  const sig = signToken(raw, opts.secrets[0]);
+  const sig = signToken(raw, opts.secrets[0], binding);
   return `${raw}.${sig}`;
 }
-function signToken(raw, secret) {
-  return crypto.createHmac("sha256", secret).update(raw).digest("base64url");
+function signToken(raw, secret, binding) {
+  const message = binding === void 0 ? raw : `${raw}.${binding}`;
+  return crypto.createHmac("sha256", secret).update(message).digest("base64url");
 }
 function tokenMatches(submitted, expected) {
   const a = buffer.Buffer.from(submitted);
@@ -4830,24 +4898,24 @@ function tokenMatches(submitted, expected) {
   if (a.length !== b.length) return false;
   return crypto.timingSafeEqual(a, b);
 }
-function verifySignedToken(token, secrets) {
+function verifySignedToken(token, secrets, binding) {
   const dot = token.lastIndexOf(".");
   if (dot <= 0) return false;
   const raw = token.slice(0, dot);
   const sig = token.slice(dot + 1);
   for (const secret of secrets) {
-    const expected = signToken(raw, secret);
+    const expected = signToken(raw, secret, binding);
     if (expected.length !== sig.length) continue;
     if (crypto.timingSafeEqual(buffer.Buffer.from(expected), buffer.Buffer.from(sig))) return true;
   }
   return false;
 }
-function readExpectedToken(ctx, opts) {
+function readExpectedToken(ctx, opts, binding) {
   if (opts.storage === "cookie") {
     const cookies = parseCookies(ctx.headers["cookie"]);
     const token2 = cookies[opts.cookie.name];
     if (!token2) return null;
-    if (opts.secrets.length > 0 && !verifySignedToken(token2, opts.secrets)) return null;
+    if (opts.secrets.length > 0 && !verifySignedToken(token2, opts.secrets, binding)) return null;
     return token2;
   }
   const session = ctx.session;
@@ -4873,6 +4941,11 @@ function writeSession(ctx, token) {
   session.set("csrfToken", token);
 }
 function appendSetCookie2(ctx, value) {
+  if (CRLF_RE2.test(value)) {
+    throw new IngeniumHeaderInjectionError(
+      "csrfMiddleware: Set-Cookie value contains CR/LF (possible header injection)"
+    );
+  }
   const existing = ctx._headers["set-cookie"];
   if (!existing) {
     ctx._headers["set-cookie"] = [value];
@@ -4908,13 +4981,37 @@ function resolveOptions(opts) {
     path: opts.cookie?.path ?? "/",
     domain: opts.cookie?.domain ?? "",
     sameSite: opts.cookie?.sameSite ?? "lax",
-    secure: opts.cookie?.secure ?? false,
+    // Secure-by-default: a plaintext CSRF cookie is readable by a network
+    // attacker, who can then forge the double-submit header.
+    secure: opts.cookie?.secure ?? true,
     httpOnly: opts.cookie?.httpOnly ?? false,
     maxAgeSeconds: opts.cookie?.maxAgeSeconds ?? 7 * 24 * 60 * 60
   };
+  if (CRLF_RE2.test(cookie.path) || CRLF_RE2.test(cookie.domain) || CRLF_RE2.test(cookie.name)) {
+    throw new IngeniumHeaderInjectionError(
+      "csrfMiddleware: cookie name/path/domain contains CR/LF (possible header injection)"
+    );
+  }
+  if (storage === "cookie" && cookie.secure === false && IS_DEV5) {
+    try {
+      process.emitWarning(
+        "csrfMiddleware: CSRF cookie issued with Secure=false \u2014 the token is sent over plaintext HTTP and can be read by a network attacker. Only disable Secure for local HTTP development.",
+        { type: "IngeniumCsrfInsecureCookieWarning" }
+      );
+    } catch {
+    }
+  }
   const ignoreMethods = new Set((opts.ignoreMethods ?? SAFE_METHODS_DEFAULT).map((m) => m.toUpperCase()));
   const value = opts.value ?? defaultValueReader;
-  return { secrets, storage, cookie, ignoreMethods, value, skip: opts.skip ?? null };
+  return {
+    secrets,
+    storage,
+    cookie,
+    ignoreMethods,
+    value,
+    skip: opts.skip ?? null,
+    sessionBinding: opts.sessionBinding ?? null
+  };
 }
 var defaultValueReader = (ctx) => {
   for (const name of HEADER_NAMES_DEFAULT) {
@@ -4926,6 +5023,7 @@ var defaultValueReader = (ctx) => {
 };
 
 // src/problem/serialize.ts
+var IS_DEV6 = process.env.NODE_ENV !== "production";
 var TITLES = Object.freeze({
   NOT_FOUND: "Not Found",
   UNAUTHORIZED: "Unauthorized",
@@ -4983,12 +5081,14 @@ function toProblemDetails(err, opts, ctx) {
     }
     return problem2;
   }
+  const exposeMessage = IS_DEV6 || opts.includeStack;
   const message = err?.message;
+  const detail = exposeMessage && typeof message === "string" && message.length > 0 ? message : "Internal Server Error";
   const problem = {
     type: "about:blank",
     title: STATUS_REASON[500],
     status: 500,
-    detail: typeof message === "string" && message.length > 0 ? message : "Internal Server Error"
+    detail
   };
   const instance = opts.instance(ctx);
   if (instance !== void 0) problem.instance = instance;
@@ -5071,14 +5171,23 @@ var IdempotencyMemoryStore = class {
 };
 
 // src/idempotency/middleware.ts
+var IS_DEV7 = process.env.NODE_ENV !== "production";
 var DEFAULT_METHODS2 = ["POST", "PATCH", "DELETE"];
 var DEFAULT_CACHEABLE = (status) => status >= 200 && status < 500;
+var ANON_SCOPE = /* @__PURE__ */ Symbol("ingenium.idempotency.anon");
 function defaultScope(ctx) {
   const auth = ctx.headers["authorization"];
   if (typeof auth === "string" && auth.length > 0) return auth;
   if (Array.isArray(auth) && auth.length > 0 && typeof auth[0] === "string") return auth[0];
-  return "anon";
-}
+  return ANON_SCOPE;
+}
+var SENSITIVE_REPLAY_HEADERS = [
+  "set-cookie",
+  "authorization",
+  "proxy-authorization",
+  "www-authenticate",
+  "proxy-authenticate"
+];
 function readHeader2(ctx, lowerName) {
   const v = ctx.headers[lowerName];
   if (typeof v === "string") return v;
@@ -5116,6 +5225,7 @@ function replay(ctx, cached) {
   for (const k of Object.keys(cached.headers)) {
     const v = cached.headers[k];
     if (v === void 0) continue;
+    if (SENSITIVE_REPLAY_HEADERS.includes(k.toLowerCase())) continue;
     ctx._headers[k] = Array.isArray(v) ? [...v] : v;
   }
   ctx._headers["idempotent-replayed"] = "true";
@@ -5131,17 +5241,20 @@ function replay(ctx, cached) {
   ctx._written = true;
 }
 function idempotencyMiddleware(opts = {}) {
+  const usingDefaultScope = opts.scope === void 0;
+  const scopeFn = opts.scope ?? defaultScope;
   const resolved = {
     header: (opts.header ?? "Idempotency-Key").toLowerCase(),
     store: opts.store ?? new IdempotencyMemoryStore(),
     ttlMs: (opts.ttlSeconds ?? 86400) * 1e3,
-    scope: opts.scope ?? defaultScope,
+    scope: scopeFn,
     methodSet: new Set(opts.methods ?? DEFAULT_METHODS2),
     cacheable: opts.cacheable ?? DEFAULT_CACHEABLE
   };
   if (resolved.ttlMs <= 0) {
     throw new Error("idempotency: ttlSeconds must be > 0");
   }
+  let anonBypassWarned = false;
   const inflight = /* @__PURE__ */ new Map();
   return async (ctx, next) => {
     if (!resolved.methodSet.has(ctx.method)) {
@@ -5151,7 +5264,20 @@ function idempotencyMiddleware(opts = {}) {
     if (!headerValue || headerValue.length === 0) {
       return next();
     }
-    const scope = resolved.scope(ctx);
+    const scope = scopeFn(ctx);
+    if (scope === ANON_SCOPE) {
+      if (IS_DEV7 && usingDefaultScope && !anonBypassWarned) {
+        anonBypassWarned = true;
+        try {
+          process.emitWarning(
+            "idempotency: request to a cacheable route has no Authorization header, so the default scope cannot isolate clients. Idempotency caching was bypassed for this request to avoid serving one client the cached response of another. Supply an explicit `scope` function for unauthenticated endpoints.",
+            { type: "IngeniumIdempotencyWarning" }
+          );
+        } catch {
+        }
+      }
+      return next();
+    }
     const cacheKey = `${scope}:${ctx.method}:${ctx.path}:${headerValue}`;
     const existing = await resolved.store.get(cacheKey);
     if (existing) {
@@ -5216,11 +5342,23 @@ function decodeJsonSegment(segment) {
     return null;
   }
 }
+function isSymmetricKey(key) {
+  if (typeof key === "string") return !looksLikePem(key);
+  if (buffer.Buffer.isBuffer(key)) return !looksLikePem(key.toString("latin1"));
+  return key.type === "secret";
+}
+function looksLikePem(s) {
+  return s.trimStart().startsWith("-----BEGIN");
+}
 function hmacVerifies(digest, secret, signingInput, sig) {
-  const secretInput = typeof secret === "string" || buffer.Buffer.isBuffer(secret) ? secret : secret.export({ format: "buffer" });
-  const expected = crypto.createHmac(digest, secretInput).update(signingInput).digest();
-  if (sig.length !== expected.length) return false;
-  return crypto.timingSafeEqual(sig, expected);
+  try {
+    const secretInput = typeof secret === "string" || buffer.Buffer.isBuffer(secret) ? secret : secret.export({ format: "buffer" });
+    const expected = crypto.createHmac(digest, secretInput).update(signingInput).digest();
+    if (sig.length !== expected.length) return false;
+    return crypto.timingSafeEqual(sig, expected);
+  } catch {
+    return false;
+  }
 }
 function asymmetricVerifies(spec, keyMaterial, signingInput, sig) {
   let key;
@@ -5258,6 +5396,9 @@ function asymmetricVerifies(spec, keyMaterial, signingInput, sig) {
     return false;
   }
 }
+function isFiniteNumber(v) {
+  return typeof v === "number" && Number.isFinite(v);
+}
 function audienceMatches(claim, expected) {
   const wanted = typeof expected === "string" ? [expected] : expected;
   if (typeof claim === "string") return wanted.includes(claim);
@@ -5309,12 +5450,15 @@ function verifyJwt(token, keys, opts) {
   }
   let signatureOk = false;
   for (const candidate of candidates) {
+    const candidateIsSymmetric = isSymmetricKey(candidate);
     if (spec.family === "hmac") {
+      if (!candidateIsSymmetric) continue;
       if (hmacVerifies(spec.digest, candidate, signingInput, sig)) {
         signatureOk = true;
         break;
       }
     } else {
+      if (candidateIsSymmetric) continue;
       if (asymmetricVerifies(spec, candidate, signingInput, sig)) {
         signatureOk = true;
         break;
@@ -5325,14 +5469,20 @@ function verifyJwt(token, keys, opts) {
   const now = (opts.nowSeconds ?? (() => Math.floor(Date.now() / 1e3)))();
   const skew = opts.clockSkewSeconds ?? 5;
   const claims = payload;
-  if (typeof claims.exp === "number") {
+  if ("exp" in claims && !isFiniteNumber(claims.exp)) return { error: "malformed" };
+  if ("nbf" in claims && !isFiniteNumber(claims.nbf)) return { error: "malformed" };
+  if ("iat" in claims && !isFiniteNumber(claims.iat)) return { error: "malformed" };
+  const requireExp = opts.requireExp ?? true;
+  if (isFiniteNumber(claims.exp)) {
     if (claims.exp <= now - skew) return { error: "expired" };
+  } else if (requireExp) {
+    return { error: "missing_exp" };
   }
-  if (typeof claims.nbf === "number") {
+  if (isFiniteNumber(claims.nbf)) {
     if (claims.nbf > now + skew) return { error: "not_yet_valid" };
   }
   if (typeof opts.maxAgeSeconds === "number") {
-    if (typeof claims.iat !== "number") return { error: "too_old" };
+    if (!isFiniteNumber(claims.iat)) return { error: "too_old" };
     if (claims.iat + opts.maxAgeSeconds <= now - skew) return { error: "too_old" };
   }
   if (opts.audience !== void 0) {
@@ -5440,6 +5590,7 @@ async function doFetch(url) {
 
 // src/jwt/middleware.ts
 var DEFAULT_ALGORITHMS = ["HS256"];
+var DEFAULT_ASYMMETRIC_ALGORITHMS = ["RS256"];
 var DEFAULT_JWKS_TTL_MS = 10 * 60 * 1e3;
 var SUPPORTED = /* @__PURE__ */ new Set([
   "HS256",
@@ -5455,6 +5606,14 @@ var SUPPORTED = /* @__PURE__ */ new Set([
   "ES384",
   "ES512"
 ]);
+var IngeniumJwtKeyAlgMismatchError = class extends IngeniumError {
+  constructor(message) {
+    super(500, "JWT_KEY_ALG_MISMATCH", message);
+  }
+};
+function isHmacAlg(alg) {
+  return alg === "HS256" || alg === "HS384" || alg === "HS512";
+}
 var defaultGetToken = (ctx) => {
   const raw = ctx.headers["authorization"];
   if (!raw) return void 0;
@@ -5477,7 +5636,8 @@ function jwtMiddleware(opts) {
       throw new Error("jwtMiddleware: `secret` (or `jwksUrl`) is required");
     }
   }
-  const algorithms = (opts.algorithms ?? DEFAULT_ALGORITHMS).slice();
+  const defaultAlgorithms = hasJwks ? DEFAULT_ASYMMETRIC_ALGORITHMS : DEFAULT_ALGORITHMS;
+  const algorithms = (opts.algorithms ?? defaultAlgorithms).slice();
   if (algorithms.length === 0) {
     throw new Error("jwtMiddleware: `algorithms` must contain at least one algorithm");
   }
@@ -5491,6 +5651,7 @@ function jwtMiddleware(opts) {
   }
   const required = opts.required ?? true;
   const clockSkewSeconds = opts.clockSkewSeconds ?? 5;
+  const requireExp = opts.requireExp ?? true;
   const jwksCacheMs = opts.jwksCacheMs ?? DEFAULT_JWKS_TTL_MS;
   const jwksUrl = hasJwks ? opts.jwksUrl : null;
   const getToken = opts.getToken ?? defaultGetToken;
@@ -5499,6 +5660,15 @@ function jwtMiddleware(opts) {
   });
   const staticKeys = opts.secret != null && typeof opts.secret !== "function" ? normaliseStaticKeys(opts.secret) : [];
   const keyResolver = typeof opts.secret === "function" ? opts.secret : null;
+  if (algorithms.some(isHmacAlg)) {
+    for (const k of staticKeys) {
+      if (staticKeyIsAsymmetric(k)) {
+        throw new IngeniumJwtKeyAlgMismatchError(
+          "jwtMiddleware: an HMAC algorithm (HS256/384/512) was paired with an asymmetric key (PEM or public/private KeyObject). This enables an algorithm-confusion forgery \u2014 use an asymmetric algorithm (RS*/PS*/ES*) for asymmetric keys, or a raw shared secret for HMAC."
+        );
+      }
+    }
+  }
   return async (ctx, next) => {
     const token = await getToken(ctx);
     if (!token) {
@@ -5528,7 +5698,7 @@ function jwtMiddleware(opts) {
       logger({ reason: "no_keys_available" });
       throw new IngeniumUnauthorizedError("Invalid token");
     }
-    const verifyOpts = { algorithms, clockSkewSeconds };
+    const verifyOpts = { algorithms, clockSkewSeconds, requireExp };
     if (opts.audience !== void 0) verifyOpts.audience = opts.audience;
     if (opts.issuer !== void 0) verifyOpts.issuer = opts.issuer;
     if (opts.maxAgeSeconds !== void 0) verifyOpts.maxAgeSeconds = opts.maxAgeSeconds;
@@ -5574,6 +5744,15 @@ function coerceJwtKey(k) {
   }
   throw new Error("jwtMiddleware: invalid `secret` entry \u2014 expected string, Buffer, KeyObject, or { kid, key }");
 }
+function staticKeyIsAsymmetric(entry) {
+  const key = typeof entry === "object" && entry !== null && !buffer.Buffer.isBuffer(entry) && "key" in entry ? entry.key : entry;
+  if (typeof key === "string") return looksLikePem2(key);
+  if (buffer.Buffer.isBuffer(key)) return looksLikePem2(key.toString("latin1"));
+  return key.type === "public" || key.type === "private";
+}
+function looksLikePem2(s) {
+  return s.trimStart().startsWith("-----BEGIN");
+}
 function isKeyObject(v) {
   if (typeof v !== "object" || v === null) return false;
   const t = v.type;
@@ -6403,6 +6582,7 @@ var MemoryStore2 = class {
 };
 
 // src/session/middleware.ts
+var IS_DEV8 = process.env.NODE_ENV !== "production";
 var DEFAULT_COOKIE_NAME = "ingenium.sid";
 var DEFAULT_MAX_AGE_SECONDS = 60 * 60 * 24 * 7;
 var ID_BYTES = 18;
@@ -6538,8 +6718,19 @@ function sessionMiddleware(opts) {
   const cookieName = opts.cookieName ?? DEFAULT_COOKIE_NAME;
   const maxAgeSeconds = opts.maxAgeSeconds ?? DEFAULT_MAX_AGE_SECONDS;
   const rolling = opts.rolling ?? false;
-  const cookieOpts = opts.cookie ?? {};
+  const baseCookieOpts = opts.cookie ?? {};
   const store = opts.store ?? new MemoryStore2();
+  const resolvedSecure = baseCookieOpts.secure ?? !IS_DEV8;
+  const cookieOpts = { ...baseCookieOpts, secure: resolvedSecure };
+  if (!IS_DEV8 && resolvedSecure === false) {
+    try {
+      process.emitWarning(
+        "ingenium: sessionMiddleware is issuing a session cookie WITHOUT the Secure attribute in production (cookie.secure === false). The cookie can be sent over plaintext HTTP and intercepted. Remove `cookie.secure: false` to use the safe production default, or terminate TLS in front of the app.",
+        { type: "IngeniumSessionInsecureCookieWarning" }
+      );
+    } catch {
+    }
+  }
   return async (ctx, next) => {
     const cookies = parseCookieHeader2(ctx.headers.cookie);
     const raw = cookies[cookieName];
@@ -6618,6 +6809,7 @@ async function commit(ctx, session, signingSecret, cookieName, maxAgeSeconds, ro
 }
 
 // src/ws/middleware.ts
+var IS_DEV9 = process.env.NODE_ENV !== "production";
 async function peerHasWs() {
   try {
     await import('ws');
@@ -6636,6 +6828,14 @@ function createWebSocketRegistrar() {
     if (routes.has(path2)) {
       throw new Error(`ingenium.ws: path "${path2}" already has a WebSocket handler`);
     }
+    if (IS_DEV9 && options2.origin === void 0) {
+      try {
+        process.emitWarning(
+          `ingenium.ws: WebSocket route "${path2}" registered without an \`origin\` option. WS handlers run outside the middleware pipeline and the browser sends the user's cookies on cross-origin upgrades \u2014 restrict the Origin (e.g. \`{ origin: true }\` for same-origin) or authenticate inside the handler to prevent Cross-Site WebSocket Hijacking (CSWSH).`
+        );
+      } catch {
+      }
+    }
     routes.set(path2, { path: path2, handler, options: options2 });
   }
   function attach(httpServer) {
@@ -6653,6 +6853,14 @@ function createWebSocketRegistrar() {
         socket.destroy();
         return;
       }
+      if (route.options.origin !== void 0) {
+        const origin = req.headers.origin;
+        if (!isOriginAllowed(route.options.origin, origin, req)) {
+          socket.write("HTTP/1.1 403 Forbidden\r\nConnection: close\r\n\r\n");
+          socket.destroy();
+          return;
+        }
+      }
       void (async () => {
         try {
           if (wsModule === null) wsModule = await import('ws');
@@ -6724,6 +6932,22 @@ function createWebSocketRegistrar() {
   }
   return { add, attach, close };
 }
+function isOriginAllowed(policy, origin, req) {
+  if (typeof policy === "function") return policy(origin, req);
+  if (policy === false) return true;
+  if (policy === true) {
+    if (origin === void 0) return false;
+    let originHost;
+    try {
+      originHost = new URL(origin).host;
+    } catch {
+      return false;
+    }
+    return originHost === req.headers.host;
+  }
+  if (origin === void 0) return false;
+  return Array.isArray(policy) ? policy.includes(origin) : policy === origin;
+}
 function buildMinimalContext(req, path2) {
   const ctx = new IngeniumContext();
   ctx.method = req.method ?? "GET";
@@ -6999,6 +7223,7 @@ exports.IngeniumCsrfError = IngeniumCsrfError;
 exports.IngeniumError = IngeniumError;
 exports.IngeniumHaltError = IngeniumHaltError;
 exports.IngeniumHeaderInjectionError = IngeniumHeaderInjectionError;
+exports.IngeniumJwtKeyAlgMismatchError = IngeniumJwtKeyAlgMismatchError;
 exports.IngeniumMethodNotAllowedError = IngeniumMethodNotAllowedError;
 exports.IngeniumNotFoundError = IngeniumNotFoundError;
 exports.IngeniumPayloadTooLargeError = IngeniumPayloadTooLargeError;