paygate-mcp 8.88.0 → 8.90.0

@@ -1 +1 @@
1
- {"version":3,"file":"server.d.ts","sourceRoot":"","sources":["../src/server.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAEH,OAAO,EAAgB,eAAe,EAA0B,MAAM,MAAM,CAAC;AAI7E,OAAO,EAAE,aAAa,EAAkB,mBAAmB,EAAkB,MAAM,SAAS,CAAC;AAE7F,OAAO,EAAE,MAAM,EAAiC,MAAM,UAAU,CAAC;AASjE,OAAO,EAAE,IAAI,EAAE,MAAM,QAAQ,CAAC;AAE9B,OAAO,EAAE,QAAQ,EAAE,MAAM,SAAS,CAAC;AACnC,OAAO,EAAE,YAAY,EAAE,MAAM,cAAc,CAAC;AAC5C,OAAO,EAAE,iBAAiB,EAAE,MAAM,UAAU,CAAC;AAE7C,OAAO,EAAE,aAAa,EAAE,MAAM,SAAS,CAAC;AACxC,OAAO,EAAE,cAAc,EAAqD,MAAM,WAAW,CAAC;AAC9F,OAAO,EAAE,WAAW,EAAmB,MAAM,SAAS,CAAC;AACvD,OAAO,EAAE,YAAY,EAAE,MAAM,iBAAiB,CAAC;AAC/C,OAAO,EAAE,YAAY,EAAE,MAAM,YAAY,CAAC;AAC1C,OAAO,EAAE,gBAAgB,EAAE,MAAM,WAAW,CAAC;AAE7C,OAAO,EAAE,eAAe,EAAE,MAAM,aAAa,CAAC;AAC9C,OAAO,EAAE,WAAW,EAAS,MAAM,UAAU,CAAC;AAC9C,OAAO,EAAE,WAAW,EAAE,MAAM,SAAS,CAAC;AAEtC,OAAO,EAAE,SAAS,EAAE,MAAM,cAAc,CAAC;AACzC,OAAO,EAAE,kBAAkB,EAAE,MAAM,UAAU,CAAC;AAC9C,OAAO,EAAE,eAAe,EAA6B,MAAM,cAAc,CAAC;AAC1E,OAAO,EAAE,aAAa,EAAE,aAAa,EAAqB,MAAM,UAAU,CAAC;AAC3E,OAAO,EAAE,eAAe,EAAE,MAAM,UAAU,CAAC;AAG3C,OAAO,EAAE,aAAa,EAAE,MAAM,kBAAkB,CAAC;AACjD,OAAO,EAAE,kBAAkB,EAAE,MAAM,iBAAiB,CAAC;AAmCrD,0EAA0E;AAC1E,wBAAgB,iBAAiB,IAAI,MAAM,CAE1C;AAED,sFAAsF;AACtF,wBAAgB,YAAY,CAAC,GAAG,EAAE,eAAe,GAAG,MAAM,GAAG,SAAS,CAErE;AAED;;;;;;;;;GASG;AACH,wBAAgB,eAAe,CAAC,GAAG,EAAE,eAAe,EAAE,cAAc,CAAC,EAAE,MAAM,EAAE,GAAG,MAAM,CAsBvF;AAyCD,yCAAyC;AACzC,KAAK,YAAY,GAAG,QAAQ,GAAG,YAAY,CAAC;AAa5C,qBAAa,aAAa;IACxB,iDAAiD;IACjD,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAC;IACxB,QAAQ,CAAC,IAAI,EAAE,IAAI,CAAC;IACpB,0DAA0D;IAC1D,QAAQ,CAAC,KAAK,EAAE,YAAY,GAAG,IAAI,CAAC;IACpC,8DAA8D;IAC9D,QAAQ,CAAC,MAAM,EAAE,iBAAiB,GAAG,IAAI,CAAC;IAC1C,OAAO,CAAC,MAAM,CAAuB;IACrC,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAgB;IACvC,oEAAoE;IACpE,QAAQ,CAAC,SAAS,EAAE,eAAe,CAAC;IACpC,mEAAmE;IACnE,OAAO,CAAC,iBAAiB,CAAS;IAClC,OAAO,CAAC,aAAa,CAAqC;IAC1D,wDAAwD;IACxD,QAAQ,CAAC,KAAK,EAAE,aAAa,GAAG,IAAI,CAAQ;IAC5C,oDAAoD;IACpD,QAAQ,CAAC,QAAQ,EAAE,cAAc,CAAC;IAClC,2BAA2B;IAC3B,QAAQ,CAAC,KAAK,EAAE,WAAW,CAAC;IAC5B,0CAA0C;IAC1C,QAAQ,CAAC,QAAQ,EAAE,YAAY
,CAAC;IAChC,8CAA8C;IAC9C,QAAQ,CAAC,OAAO,EAAE,gBAAgB,CAAC;IACnC,mCAAmC;IACnC,QAAQ,CAAC,SAAS,EAAE,eAAe,CAAC;IACpC,4CAA4C;IAC5C,QAAQ,CAAC,MAAM,EAAE,WAAW,CAAC;IAC7B,gCAAgC;IAChC,QAAQ,CAAC,KAAK,EAAE,WAAW,CAAC;IAC5B,yEAAyE;IACzE,QAAQ,CAAC,SAAS,EAAE,SAAS,GAAG,IAAI,CAAQ;IAC5C,4DAA4D;IAC5D,QAAQ,CAAC,MAAM,EAAE,kBAAkB,CAAC;IACpC,qDAAqD;IACrD,QAAQ,CAAC,OAAO,EAAE,aAAa,CAAC;IAChC,QAAQ,CAAC,MAAM,EAAE,eAAe,CAAC;IACjC,oCAAoC;IACpC,QAAQ,CAAC,aAAa,EAAE,aAAa,CAAC;IACtC,oDAAoD;IACpD,QAAQ,CAAC,SAAS,EAAE,kBAAkB,CAAC;IACvC,sCAAsC;IACtC,QAAQ,CAAC,YAAY,EAAE,YAAY,CAAC;IACpC,oEAAoE;IACpE,OAAO,CAAC,QAAQ,CAAC,gBAAgB,CAAc;IAC/C,yCAAyC;IACzC,OAAO,CAAC,QAAQ,CAAC,SAAS,CAAsB;IAChD,gEAAgE;IAChE,OAAO,CAAC,QAAQ,CAAS;IACzB,wEAAwE;IACxE,OAAO,CAAC,eAAe,CAAS;IAChC,mDAAmD;IACnD,OAAO,CAAC,kBAAkB,CAAiC;IAC3D,kDAAkD;IAClD,OAAO,CAAC,gBAAgB,CAAuB;IAC/C,gDAAgD;IAChD,OAAO,CAAC,iBAAiB,CAAqF;IAC9G,8CAA8C;IAC9C,OAAO,CAAC,wBAAwB,CAA+C;IAC/E,8BAA8B;IAC9B,OAAO,CAAC,gBAAgB,CAOhB;IACR,2CAA2C;IAC3C,OAAO,CAAC,aAAa,CAA+C;IACpE,4CAA4C;IAC5C,OAAO,CAAC,cAAc,CAAK;IAC3B,kCAAkC;IAClC,OAAO,CAAC,kBAAkB,CAOX;IACf,+CAA+C;IAC/C,OAAO,CAAC,iBAAiB,CAAK;IAC9B,qDAAqD;IACrD,OAAO,CAAC,UAAU,CAUV;IACR,gCAAgC;IAChC,OAAO,CAAC,gBAAgB,CAAK;IAC7B,4CAA4C;IAC5C,OAAO,CAAC,QAAQ,CAAC,oBAAoB,CAAQ;IAC7C,wCAAwC;IACxC,OAAO,CAAC,QAAQ,CAAK;IACrB,sEAAsE;IACtE,OAAO,CAAC,UAAU,CAAuB;IAEzC,0DAA0D;IAC1D,OAAO,KAAK,OAAO,GAElB;gBAGC,MAAM,EAAE,OAAO,CAAC,aAAa,CAAC,GAAG;QAAE,aAAa,EAAE,MAAM,CAAA;KAAE,EAC1D,QAAQ,CAAC,EAAE,MAAM,EACjB,SAAS,CAAC,EAAE,MAAM,EAClB,SAAS,CAAC,EAAE,MAAM,EAClB,mBAAmB,CAAC,EAAE,MAAM,EAC5B,OAAO,CAAC,EAAE,mBAAmB,EAAE,EAC/B,QAAQ,CAAC,EAAE,MAAM;IAkNnB;;;OAGG;IACH,aAAa,CAAC,IAAI,EAAE,MAAM,GAAG,IAAI;IAIjC;;;;;;;;;;;OAWG;IACH,GAAG,CAAC,MAAM,EAAE,aAAa,GAAG,IAAI;IAK1B,KAAK,IAAI,OAAO,CAAC;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,QAAQ,EAAE,MAAM,CAAA;KAAE,CAAC;IAiF1D,0EAA0E;IAC1E,OAAO,CAAC,iBAAiB;IA4BzB,uDAAuD;IACvD,OAAO,CAAC,QAAQ;IAKhB,wDAAwD;IACxD,OAAO,CAAC,SAAS;YAWH,aAAa;YA8kBb,SAAS;IA0RvB;;;OAGG;IACH,OAAO,CAAC,kBAAkB;IA6C1B;;OAEG;IACH,OAAO,CAAC,sBAAsB;IAsB9B;;;;OAIG;IACH
,OAAO,CAAC,aAAa;IAyCrB;;;OAGG;IACH,OAAO,CAAC,qBAAqB;IAuC7B,OAAO,CAAC,UAAU;IAgLlB,OAAO,CAAC,YAAY;IAepB,OAAO,CAAC,YAAY;IAwCpB,OAAO,CAAC,UAAU;IA4ElB,OAAO,CAAC,kBAAkB;IAwD1B,kEAAkE;IAClE,OAAO,CAAC,OAAO;YAWD,eAAe;IAuH7B,OAAO,CAAC,cAAc;YA0DR,WAAW;YAiEX,oBAAoB;YA4GpB,oBAAoB;IAuIlC,OAAO,CAAC,eAAe;YA4DT,eAAe;YAiEf,eAAe;YAiDf,gBAAgB;YA2DhB,eAAe;YAwDf,cAAc;YAgFd,cAAc;YA8Dd,eAAe;YAqDf,YAAY;YA6CZ,eAAe;YA6Df,cAAc;YAwDd,aAAa;YAgDb,oBAAoB;YAgDpB,qBAAqB;IA4BnC,OAAO,CAAC,cAAc;IAwCtB,OAAO,CAAC,kBAAkB;IA+B1B,OAAO,CAAC,cAAc;IAuEtB,OAAO,CAAC,qBAAqB;IAkD7B,OAAO,CAAC,iBAAiB;IAmEzB,OAAO,CAAC,mBAAmB;IA2C3B,OAAO,CAAC,sBAAsB;IAoD9B,OAAO,CAAC,mBAAmB;IA+F3B,OAAO,CAAC,eAAe;IA6IvB,OAAO,CAAC,kBAAkB;YAyLZ,kBAAkB;IA4EhC,OAAO,CAAC,aAAa;YAmDP,YAAY;IA6C1B,OAAO,CAAC,WAAW;YA8CL,mBAAmB;IAgCjC,OAAO,CAAC,eAAe;IAcvB,+EAA+E;IAC/E,OAAO,CAAC,mBAAmB;IAS3B,oEAAoE;YACtD,mBAAmB;IAwDjC,yDAAyD;YAC3C,oBAAoB;IAoFlC,yCAAyC;YAC3B,gBAAgB;IA2E9B,uDAAuD;YACzC,iBAAiB;IA8B/B,sEAAsE;IACtE,OAAO,CAAC,kBAAkB;IAmB1B,OAAO,CAAC,qBAAqB;IAO7B,OAAO,CAAC,aAAa;IAOrB,OAAO,CAAC,aAAa;IAOrB,OAAO,CAAC,eAAe;IAyBvB,OAAO,CAAC,eAAe;YAWT,qBAAqB;IA8CnC,OAAO,CAAC,oBAAoB;IAe5B,OAAO,CAAC,sBAAsB;YAsBhB,mBAAmB;IA+CjC,OAAO,CAAC,oBAAoB;YAcd,oBAAoB;IA0DlC,OAAO,CAAC,sBAAsB;IA2D9B,OAAO,CAAC,wBAAwB;IAuJhC,OAAO,CAAC,qBAAqB;IA6G7B,OAAO,CAAC,wBAAwB;IAuGhC,OAAO,CAAC,kBAAkB;IAqH1B,OAAO,CAAC,uBAAuB;IAkH/B,OAAO,CAAC,mBAAmB;IAgH3B,OAAO,CAAC,oBAAoB;IA4H5B,OAAO,CAAC,qBAAqB;IAkI7B,OAAO,CAAC,mBAAmB;IAuH3B,OAAO,CAAC,qBAAqB;IAgF7B,OAAO,CAAC,uBAAuB;IAuF/B,OAAO,CAAC,sBAAsB;IAqG9B,OAAO,CAAC,sBAAsB;IAsF9B,OAAO,CAAC,sBAAsB;IA2G9B,OAAO,CAAC,mBAAmB;IA8E3B,OAAO,CAAC,sBAAsB;IA6F9B,OAAO,CAAC,mBAAmB;IAmE3B,OAAO,CAAC,qBAAqB;IAqF7B,OAAO,CAAC,iBAAiB;IAwEzB,OAAO,CAAC,gBAAgB;IAqExB,OAAO,CAAC,YAAY;IAiEpB,OAAO,CAAC,oBAAoB;IAiD5B,OAAO,CAAC,kBAAkB;IAiD1B,OAAO,CAAC,sBAAsB;IAmE9B,OAAO,CAAC,mBAAmB;IAgF3B,OAAO,CAAC,eAAe;IAiEvB,OAAO,CAAC,mBAAmB;IAoD3B,OAAO,CAAC,sBAAsB;IA4E9B,OAAO,CAAC,kBAAkB;IAoF1B,OAAO,CAAC,kBAAkB;IA0D1B,OAAO,CAAC,sBAAsB;IA+E9B,OAAO,CAAC,mBAAmB;IA2D3B,OAAO,CAAC,cAAc;IAqDtB,OAAO,CA
AC,qBAAqB;IAwD7B,OAAO,CAAC,0BAA0B;IA+DlC,OAAO,CAAC,wBAAwB;IAyEhC,OAAO,CAAC,8BAA8B;IAiFtC,OAAO,CAAC,2BAA2B;IAsEnC,OAAO,CAAC,iBAAiB;IAqDzB,OAAO,CAAC,uBAAuB;IA4D/B,OAAO,CAAC,oBAAoB;IA+C5B,OAAO,CAAC,uBAAuB;IAoE/B,OAAO,CAAC,sBAAsB;IAsD9B,OAAO,CAAC,kBAAkB;IA6D1B,OAAO,CAAC,eAAe;IA4DvB,OAAO,CAAC,sBAAsB;IA8D9B,OAAO,CAAC,oBAAoB;IAmD5B,OAAO,CAAC,oBAAoB;IAqD5B,OAAO,CAAC,uBAAuB;IA0D/B,OAAO,CAAC,yBAAyB;IAuDjC,OAAO,CAAC,oBAAoB;IAqD5B,OAAO,CAAC,uBAAuB;IAmD/B,OAAO,CAAC,iBAAiB;IA+CzB,OAAO,CAAC,mBAAmB;IA8D3B,OAAO,CAAC,qBAAqB;IA0D7B,OAAO,CAAC,uBAAuB;IAkE/B,OAAO,CAAC,oBAAoB;IAoE5B,OAAO,CAAC,uBAAuB;IAwD/B,OAAO,CAAC,2BAA2B;IAyDnC,OAAO,CAAC,mBAAmB;IAwE3B,OAAO,CAAC,mBAAmB;IAsF3B,OAAO,CAAC,gBAAgB;IAsDxB,OAAO,CAAC,kBAAkB;IAsF1B,OAAO,CAAC,sBAAsB;IAiF9B,OAAO,CAAC,cAAc;YAsBR,aAAa;IA8D3B,OAAO,CAAC,gBAAgB;IA6CxB,OAAO,CAAC,kBAAkB;YA2BZ,oBAAoB;IA2FlC,OAAO,CAAC,oBAAoB;IAgC5B,gFAAgF;IAChF,OAAO,CAAC,uBAAuB;IAiD/B,OAAO,CAAC,iBAAiB;IAgGzB,OAAO,CAAC,sBAAsB;YA8BhB,uBAAuB;YA+FvB,uBAAuB;YAmEvB,wBAAwB;IA+CtC,uEAAuE;IACvE,OAAO,CAAC,cAAc;IAQtB,mCAAmC;IACnC,OAAO,CAAC,0BAA0B;YAWpB,kBAAkB;IAiIhC,OAAO,CAAC,kBAAkB;IA2B1B,OAAO,CAAC,gBAAgB;IAyCxB,OAAO,CAAC,kBAAkB;IA4B1B,OAAO,CAAC,mBAAmB;YA6Bb,iBAAiB;IA6H/B,OAAO,CAAC,wBAAwB;YAYlB,yBAAyB;YA0CzB,yBAAyB;YAoDzB,yBAAyB;IAsCvC,OAAO,CAAC,WAAW;IAyBnB,OAAO,CAAC,iBAAiB;IA2CzB,OAAO,CAAC,gBAAgB;IAaxB,OAAO,CAAC,UAAU;IA2ClB,OAAO,CAAC,eAAe;YAeT,gBAAgB;YAwChB,gBAAgB;YAwChB,gBAAgB;YAiChB,mBAAmB;YA+CnB,mBAAmB;IAwCjC,OAAO,CAAC,eAAe;IA2BvB,OAAO,CAAC,oBAAoB;YAed,iBAAiB;YAqDjB,iBAAiB;IA2D/B,OAAO,CAAC,uBAAuB;IAuB/B,OAAO,CAAC,iBAAiB;IAazB,OAAO,CAAC,gBAAgB;YAMV,iBAAiB;YAwCjB,iBAAiB;YAkDjB,iBAAiB;YAoCjB,sBAAsB;YAgDtB,wBAAwB;IA4CtC,OAAO,CAAC,mBAAmB;YAoBb,oBAAoB;YAoDpB,oBAAoB;YAgDpB,wBAAwB;IAqCtC,OAAO,CAAC,mBAAmB;YAOb,oBAAoB;YAoCpB,oBAAoB;IAmClC;;OAEG;IACH,OAAO,CAAC,gBAAgB;IAQxB,OAAO,CAAC,eAAe;IAUvB,iFAAiF;IACjF,OAAO,CAAC,iBAAiB;IAuBzB,OAAO,CAAC,QAAQ;IA0DV,IAAI,IAAI,OAAO,CAAC,IAAI,CAAC;IAqC3B;;;;;;;OAOG;IACG,YAAY,CAAC,SAAS,SAAS,GAAG,OAAO,CAAC,IAAI,CAAC;IAiErD,OAAO,CAAC,gBAAgB;IAsExB,OAAO,CAAC,eAA
e;YA6GT,mBAAmB;YAoInB,wBAAwB;IA0ItC,OAAO,CAAC,sBAAsB;IA8F9B,OAAO,CAAC,sBAAsB;IA0E9B,qDAAqD;IACrD,OAAO,CAAC,UAAU;CAMnB"}
1
+ {"version":3,"file":"server.d.ts","sourceRoot":"","sources":["../src/server.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAEH,OAAO,EAAgB,eAAe,EAA0B,MAAM,MAAM,CAAC;AAI7E,OAAO,EAAE,aAAa,EAAkB,mBAAmB,EAAkB,MAAM,SAAS,CAAC;AAE7F,OAAO,EAAE,MAAM,EAAiC,MAAM,UAAU,CAAC;AASjE,OAAO,EAAE,IAAI,EAAE,MAAM,QAAQ,CAAC;AAE9B,OAAO,EAAE,QAAQ,EAAE,MAAM,SAAS,CAAC;AACnC,OAAO,EAAE,YAAY,EAAE,MAAM,cAAc,CAAC;AAC5C,OAAO,EAAE,iBAAiB,EAAE,MAAM,UAAU,CAAC;AAE7C,OAAO,EAAE,aAAa,EAAE,MAAM,SAAS,CAAC;AACxC,OAAO,EAAE,cAAc,EAAqD,MAAM,WAAW,CAAC;AAC9F,OAAO,EAAE,WAAW,EAAmB,MAAM,SAAS,CAAC;AACvD,OAAO,EAAE,YAAY,EAAE,MAAM,iBAAiB,CAAC;AAC/C,OAAO,EAAE,YAAY,EAAE,MAAM,YAAY,CAAC;AAC1C,OAAO,EAAE,gBAAgB,EAAE,MAAM,WAAW,CAAC;AAE7C,OAAO,EAAE,eAAe,EAAE,MAAM,aAAa,CAAC;AAC9C,OAAO,EAAE,WAAW,EAAS,MAAM,UAAU,CAAC;AAC9C,OAAO,EAAE,WAAW,EAAE,MAAM,SAAS,CAAC;AAEtC,OAAO,EAAE,SAAS,EAAE,MAAM,cAAc,CAAC;AACzC,OAAO,EAAE,kBAAkB,EAAE,MAAM,UAAU,CAAC;AAC9C,OAAO,EAAE,eAAe,EAA6B,MAAM,cAAc,CAAC;AAC1E,OAAO,EAAE,aAAa,EAAE,aAAa,EAAqB,MAAM,UAAU,CAAC;AAC3E,OAAO,EAAE,eAAe,EAAE,MAAM,UAAU,CAAC;AAG3C,OAAO,EAAE,aAAa,EAAE,MAAM,kBAAkB,CAAC;AACjD,OAAO,EAAE,kBAAkB,EAAE,MAAM,iBAAiB,CAAC;AA6DrD,0EAA0E;AAC1E,wBAAgB,iBAAiB,IAAI,MAAM,CAE1C;AAED,sFAAsF;AACtF,wBAAgB,YAAY,CAAC,GAAG,EAAE,eAAe,GAAG,MAAM,GAAG,SAAS,CAErE;AAED;;;;;;;;;GASG;AACH,wBAAgB,eAAe,CAAC,GAAG,EAAE,eAAe,EAAE,cAAc,CAAC,EAAE,MAAM,EAAE,GAAG,MAAM,CAsBvF;AAyCD,yCAAyC;AACzC,KAAK,YAAY,GAAG,QAAQ,GAAG,YAAY,CAAC;AAa5C,qBAAa,aAAa;IACxB,iDAAiD;IACjD,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAC;IACxB,QAAQ,CAAC,IAAI,EAAE,IAAI,CAAC;IACpB,0DAA0D;IAC1D,QAAQ,CAAC,KAAK,EAAE,YAAY,GAAG,IAAI,CAAC;IACpC,8DAA8D;IAC9D,QAAQ,CAAC,MAAM,EAAE,iBAAiB,GAAG,IAAI,CAAC;IAC1C,OAAO,CAAC,MAAM,CAAuB;IACrC,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAgB;IACvC,oEAAoE;IACpE,QAAQ,CAAC,SAAS,EAAE,eAAe,CAAC;IACpC,mEAAmE;IACnE,OAAO,CAAC,iBAAiB,CAAS;IAClC,OAAO,CAAC,aAAa,CAAqC;IAC1D,wDAAwD;IACxD,QAAQ,CAAC,KAAK,EAAE,aAAa,GAAG,IAAI,CAAQ;IAC5C,oDAAoD;IACpD,QAAQ,CAAC,QAAQ,EAAE,cAAc,CAAC;IAClC,2BAA2B;IAC3B,QAAQ,CAAC,KAAK,EAAE,WAAW,CAAC;IAC5B,0CAA0C;IAC1C,QAAQ,CAAC,QAAQ,EAAE,YAAY
,CAAC;IAChC,8CAA8C;IAC9C,QAAQ,CAAC,OAAO,EAAE,gBAAgB,CAAC;IACnC,mCAAmC;IACnC,QAAQ,CAAC,SAAS,EAAE,eAAe,CAAC;IACpC,4CAA4C;IAC5C,QAAQ,CAAC,MAAM,EAAE,WAAW,CAAC;IAC7B,gCAAgC;IAChC,QAAQ,CAAC,KAAK,EAAE,WAAW,CAAC;IAC5B,yEAAyE;IACzE,QAAQ,CAAC,SAAS,EAAE,SAAS,GAAG,IAAI,CAAQ;IAC5C,4DAA4D;IAC5D,QAAQ,CAAC,MAAM,EAAE,kBAAkB,CAAC;IACpC,qDAAqD;IACrD,QAAQ,CAAC,OAAO,EAAE,aAAa,CAAC;IAChC,QAAQ,CAAC,MAAM,EAAE,eAAe,CAAC;IACjC,oCAAoC;IACpC,QAAQ,CAAC,aAAa,EAAE,aAAa,CAAC;IACtC,oDAAoD;IACpD,QAAQ,CAAC,SAAS,EAAE,kBAAkB,CAAC;IACvC,sCAAsC;IACtC,QAAQ,CAAC,YAAY,EAAE,YAAY,CAAC;IACpC,oEAAoE;IACpE,OAAO,CAAC,QAAQ,CAAC,gBAAgB,CAAc;IAC/C,yCAAyC;IACzC,OAAO,CAAC,QAAQ,CAAC,SAAS,CAAsB;IAChD,gEAAgE;IAChE,OAAO,CAAC,QAAQ,CAAS;IACzB,wEAAwE;IACxE,OAAO,CAAC,eAAe,CAAS;IAChC,mDAAmD;IACnD,OAAO,CAAC,kBAAkB,CAAiC;IAC3D,kDAAkD;IAClD,OAAO,CAAC,gBAAgB,CAAuB;IAC/C,gDAAgD;IAChD,OAAO,CAAC,iBAAiB,CAAqF;IAC9G,8CAA8C;IAC9C,OAAO,CAAC,wBAAwB,CAA+C;IAC/E,8BAA8B;IAC9B,OAAO,CAAC,gBAAgB,CAOhB;IACR,2CAA2C;IAC3C,OAAO,CAAC,aAAa,CAA+C;IACpE,4CAA4C;IAC5C,OAAO,CAAC,cAAc,CAAK;IAC3B,kCAAkC;IAClC,OAAO,CAAC,kBAAkB,CAOX;IACf,+CAA+C;IAC/C,OAAO,CAAC,iBAAiB,CAAK;IAC9B,qDAAqD;IACrD,OAAO,CAAC,UAAU,CAUV;IACR,gCAAgC;IAChC,OAAO,CAAC,gBAAgB,CAAK;IAC7B,4CAA4C;IAC5C,OAAO,CAAC,QAAQ,CAAC,oBAAoB,CAAQ;IAC7C,wCAAwC;IACxC,OAAO,CAAC,QAAQ,CAAK;IACrB,sEAAsE;IACtE,OAAO,CAAC,UAAU,CAAuB;IAEzC,0DAA0D;IAC1D,OAAO,KAAK,OAAO,GAElB;gBAGC,MAAM,EAAE,OAAO,CAAC,aAAa,CAAC,GAAG;QAAE,aAAa,EAAE,MAAM,CAAA;KAAE,EAC1D,QAAQ,CAAC,EAAE,MAAM,EACjB,SAAS,CAAC,EAAE,MAAM,EAClB,SAAS,CAAC,EAAE,MAAM,EAClB,mBAAmB,CAAC,EAAE,MAAM,EAC5B,OAAO,CAAC,EAAE,mBAAmB,EAAE,EAC/B,QAAQ,CAAC,EAAE,MAAM;IAkNnB;;;OAGG;IACH,aAAa,CAAC,IAAI,EAAE,MAAM,GAAG,IAAI;IAIjC;;;;;;;;;;;OAWG;IACH,GAAG,CAAC,MAAM,EAAE,aAAa,GAAG,IAAI;IAK1B,KAAK,IAAI,OAAO,CAAC;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,QAAQ,EAAE,MAAM,CAAA;KAAE,CAAC;IAiF1D,0EAA0E;IAC1E,OAAO,CAAC,iBAAiB;IA4BzB,uDAAuD;IACvD,OAAO,CAAC,QAAQ;IAKhB,wDAAwD;IACxD,OAAO,CAAC,SAAS;YAWH,aAAa;YA8kBb,SAAS;IA0RvB;;;OAGG;IACH,OAAO,CAAC,kBAAkB;IA6C1B;;OAEG;IACH,OAAO,CAAC,sBAAsB;IAsB9B;;;;OAIG;IACH
,OAAO,CAAC,aAAa;IAyCrB;;;OAGG;IACH,OAAO,CAAC,qBAAqB;IAuC7B,OAAO,CAAC,UAAU;IAgLlB,OAAO,CAAC,YAAY;IAepB,OAAO,CAAC,YAAY;IAwCpB,OAAO,CAAC,UAAU;IA4ElB,OAAO,CAAC,kBAAkB;IAwD1B,kEAAkE;IAClE,OAAO,CAAC,OAAO;YAWD,eAAe;IAyH7B,OAAO,CAAC,cAAc;YA0DR,WAAW;YAkEX,oBAAoB;YA6GpB,oBAAoB;IAwIlC,OAAO,CAAC,eAAe;YA4DT,eAAe;YAiEf,eAAe;YAiDf,gBAAgB;YA2DhB,eAAe;YAwDf,cAAc;YAgFd,cAAc;YA8Dd,eAAe;YAqDf,YAAY;YAiDZ,eAAe;YA6Df,cAAc;YAwDd,aAAa;YAgDb,oBAAoB;YAgDpB,qBAAqB;IA4BnC,OAAO,CAAC,cAAc;IAwCtB,OAAO,CAAC,kBAAkB;IA+B1B,OAAO,CAAC,cAAc;IAuEtB,OAAO,CAAC,qBAAqB;IAkD7B,OAAO,CAAC,iBAAiB;IAmEzB,OAAO,CAAC,mBAAmB;IA2C3B,OAAO,CAAC,sBAAsB;IAoD9B,OAAO,CAAC,mBAAmB;IA+F3B,OAAO,CAAC,eAAe;IA6IvB,OAAO,CAAC,kBAAkB;YAyLZ,kBAAkB;IA4EhC,OAAO,CAAC,aAAa;YAmDP,YAAY;IA6C1B,OAAO,CAAC,WAAW;YA8CL,mBAAmB;IAgCjC,OAAO,CAAC,eAAe;IAcvB,+EAA+E;IAC/E,OAAO,CAAC,mBAAmB;IAS3B,oEAAoE;YACtD,mBAAmB;IAwDjC,yDAAyD;YAC3C,oBAAoB;IAoFlC,yCAAyC;YAC3B,gBAAgB;IA2E9B,uDAAuD;YACzC,iBAAiB;IA8B/B,sEAAsE;IACtE,OAAO,CAAC,kBAAkB;IAmB1B,OAAO,CAAC,qBAAqB;IAO7B,OAAO,CAAC,aAAa;IAOrB,OAAO,CAAC,aAAa;IAOrB,OAAO,CAAC,eAAe;IAyBvB,OAAO,CAAC,eAAe;YAWT,qBAAqB;IA8CnC,OAAO,CAAC,oBAAoB;IAe5B,OAAO,CAAC,sBAAsB;YAsBhB,mBAAmB;IA+CjC,OAAO,CAAC,oBAAoB;YAcd,oBAAoB;IA0DlC,OAAO,CAAC,sBAAsB;IA2D9B,OAAO,CAAC,wBAAwB;IAuJhC,OAAO,CAAC,qBAAqB;IA6G7B,OAAO,CAAC,wBAAwB;IAuGhC,OAAO,CAAC,kBAAkB;IAqH1B,OAAO,CAAC,uBAAuB;IAkH/B,OAAO,CAAC,mBAAmB;IAgH3B,OAAO,CAAC,oBAAoB;IA4H5B,OAAO,CAAC,qBAAqB;IAkI7B,OAAO,CAAC,mBAAmB;IAuH3B,OAAO,CAAC,qBAAqB;IAgF7B,OAAO,CAAC,uBAAuB;IAuF/B,OAAO,CAAC,sBAAsB;IAqG9B,OAAO,CAAC,sBAAsB;IAsF9B,OAAO,CAAC,sBAAsB;IA2G9B,OAAO,CAAC,mBAAmB;IA8E3B,OAAO,CAAC,sBAAsB;IA6F9B,OAAO,CAAC,mBAAmB;IAmE3B,OAAO,CAAC,qBAAqB;IAqF7B,OAAO,CAAC,iBAAiB;IAwEzB,OAAO,CAAC,gBAAgB;IAqExB,OAAO,CAAC,YAAY;IAiEpB,OAAO,CAAC,oBAAoB;IAiD5B,OAAO,CAAC,kBAAkB;IAiD1B,OAAO,CAAC,sBAAsB;IAmE9B,OAAO,CAAC,mBAAmB;IAgF3B,OAAO,CAAC,eAAe;IAiEvB,OAAO,CAAC,mBAAmB;IAoD3B,OAAO,CAAC,sBAAsB;IA4E9B,OAAO,CAAC,kBAAkB;IAoF1B,OAAO,CAAC,kBAAkB;IA0D1B,OAAO,CAAC,sBAAsB;IA+E9B,OAAO,CAAC,mBAAmB;IA2D3B,OAAO,CAAC,cAAc;IAqDtB,OAAO,CA
AC,qBAAqB;IAwD7B,OAAO,CAAC,0BAA0B;IA+DlC,OAAO,CAAC,wBAAwB;IAyEhC,OAAO,CAAC,8BAA8B;IAiFtC,OAAO,CAAC,2BAA2B;IAsEnC,OAAO,CAAC,iBAAiB;IAqDzB,OAAO,CAAC,uBAAuB;IA4D/B,OAAO,CAAC,oBAAoB;IA+C5B,OAAO,CAAC,uBAAuB;IAoE/B,OAAO,CAAC,sBAAsB;IAsD9B,OAAO,CAAC,kBAAkB;IA6D1B,OAAO,CAAC,eAAe;IA4DvB,OAAO,CAAC,sBAAsB;IA8D9B,OAAO,CAAC,oBAAoB;IAmD5B,OAAO,CAAC,oBAAoB;IAqD5B,OAAO,CAAC,uBAAuB;IA0D/B,OAAO,CAAC,yBAAyB;IAuDjC,OAAO,CAAC,oBAAoB;IAqD5B,OAAO,CAAC,uBAAuB;IAmD/B,OAAO,CAAC,iBAAiB;IA+CzB,OAAO,CAAC,mBAAmB;IA8D3B,OAAO,CAAC,qBAAqB;IA0D7B,OAAO,CAAC,uBAAuB;IAkE/B,OAAO,CAAC,oBAAoB;IAoE5B,OAAO,CAAC,uBAAuB;IAwD/B,OAAO,CAAC,2BAA2B;IAyDnC,OAAO,CAAC,mBAAmB;IAwE3B,OAAO,CAAC,mBAAmB;IAsF3B,OAAO,CAAC,gBAAgB;IAsDxB,OAAO,CAAC,kBAAkB;IAsF1B,OAAO,CAAC,sBAAsB;IAiF9B,OAAO,CAAC,cAAc;YAsBR,aAAa;IA8D3B,OAAO,CAAC,gBAAgB;IA6CxB,OAAO,CAAC,kBAAkB;YA2BZ,oBAAoB;IA4FlC,OAAO,CAAC,oBAAoB;IAgC5B,gFAAgF;IAChF,OAAO,CAAC,uBAAuB;IAiD/B,OAAO,CAAC,iBAAiB;IAgGzB,OAAO,CAAC,sBAAsB;YA8BhB,uBAAuB;YAiGvB,uBAAuB;YAmEvB,wBAAwB;IA+CtC,uEAAuE;IACvE,OAAO,CAAC,cAAc;IAQtB,mCAAmC;IACnC,OAAO,CAAC,0BAA0B;YAWpB,kBAAkB;IAiIhC,OAAO,CAAC,kBAAkB;IA2B1B,OAAO,CAAC,gBAAgB;IAyCxB,OAAO,CAAC,kBAAkB;IA4B1B,OAAO,CAAC,mBAAmB;YA6Bb,iBAAiB;IA6H/B,OAAO,CAAC,wBAAwB;YAYlB,yBAAyB;YA0CzB,yBAAyB;YAoDzB,yBAAyB;IAsCvC,OAAO,CAAC,WAAW;IAyBnB,OAAO,CAAC,iBAAiB;IA2CzB,OAAO,CAAC,gBAAgB;IAaxB,OAAO,CAAC,UAAU;IA2ClB,OAAO,CAAC,eAAe;YAeT,gBAAgB;YAwChB,gBAAgB;YAwChB,gBAAgB;YAiChB,mBAAmB;YA+CnB,mBAAmB;IAwCjC,OAAO,CAAC,eAAe;IA2BvB,OAAO,CAAC,oBAAoB;YAed,iBAAiB;YAsDjB,iBAAiB;IA2D/B,OAAO,CAAC,uBAAuB;IAuB/B,OAAO,CAAC,iBAAiB;IAazB,OAAO,CAAC,gBAAgB;YAMV,iBAAiB;YAwCjB,iBAAiB;YAkDjB,iBAAiB;YAoCjB,sBAAsB;YAgDtB,wBAAwB;IA4CtC,OAAO,CAAC,mBAAmB;YAoBb,oBAAoB;YAoDpB,oBAAoB;YAgDpB,wBAAwB;IAqCtC,OAAO,CAAC,mBAAmB;YAOb,oBAAoB;YAoCpB,oBAAoB;IAmClC;;OAEG;IACH,OAAO,CAAC,gBAAgB;IAQxB,OAAO,CAAC,eAAe;IAUvB,iFAAiF;IACjF,OAAO,CAAC,iBAAiB;IAuBzB,OAAO,CAAC,QAAQ;IA0DV,IAAI,IAAI,OAAO,CAAC,IAAI,CAAC;IAqC3B;;;;;;;OAOG;IACG,YAAY,CAAC,SAAS,SAAS,GAAG,OAAO,CAAC,IAAI,CAAC;IAiErD,OAAO,CAAC,gBAAgB;IAsExB,OAAO,CAAC,eAA
e;YA6GT,mBAAmB;YAoInB,wBAAwB;IA0ItC,OAAO,CAAC,sBAAsB;IA8F9B,OAAO,CAAC,sBAAsB;IA0E9B,qDAAqD;IACrD,OAAO,CAAC,UAAU;CAMnB"}
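--- a/package/dist/server.js
+++ b/package/dist/server.js
@@ -111,6 +111,30 @@ function safeJsonParse(text) {
  }
  /** Max length for user-supplied string fields (names, reasons, messages, memos) */
  const MAX_STRING_FIELD = 500;
+ /**
+ * Upper bounds for numeric admin inputs.
+ * Prevents absurd values that could cause issues in downstream systems,
+ * audit log bloat, or unexpected behavior in quota/credit arithmetic.
+ */
+ const MAX_CREDITS = 1_000_000_000; // 1 billion credits
+ const MAX_QUOTA_LIMIT = 1_000_000_000; // 1 billion calls/credits per period
+ const MAX_SPENDING_LIMIT = 1_000_000_000; // 1 billion credits lifetime cap
+ const MAX_TOPUP_AMOUNT = 100_000_000; // 100 million credits per auto-topup
+ const MAX_TOPUP_THRESHOLD = 100_000_000; // 100 million credits threshold
+ const MAX_RATE_LIMIT = 100_000; // 100k requests per window
+ /**
+ * Upper bounds for array-type admin inputs.
+ * Prevents memory exhaustion from unbounded lists and O(n) validation overhead.
+ */
+ const MAX_ACL_ITEMS = 1_000; // Max tools in allowedTools/deniedTools per key/group
+ const MAX_IP_ALLOWLIST = 200; // Max IPs per key/group allowlist
+ const MAX_ALERT_RULES = 100; // Max alert rules
+ /** Truncate user-supplied arrays to a maximum length, returning the sliced array. */
+ function clampArray(arr, maxLen) {
+ if (!arr || !Array.isArray(arr))
+ return arr;
+ return arr.slice(0, maxLen);
+ }
  /** Truncate user-supplied strings to MAX_STRING_FIELD to prevent log injection and memory abuse. */
  function sanitizeString(value, maxLen = MAX_STRING_FIELD) {
  if (!value)
@@ -2080,11 +2104,12 @@ class PayGateServer {
  }
  }
  const name = String(params.name || 'unnamed').slice(0, 200);
- const credits = Math.floor(Number(params.credits ?? tpl?.credits ?? 100));
- if (!Number.isFinite(credits) || credits <= 0) {
+ const rawCredits = Math.floor(Number(params.credits ?? tpl?.credits ?? 100));
+ if (!Number.isFinite(rawCredits) || rawCredits <= 0) {
  this.sendError(res, 400, 'Credits must be a positive integer');
  return;
  }
+ const credits = clampInt(rawCredits, 1, MAX_CREDITS);
  // Calculate expiry: expiresIn (seconds) takes priority over expiresAt (ISO date), template TTL is fallback
  let expiresAt = null;
  const expiresInNum = Number(params.expiresIn);
@@ -2106,22 +2131,22 @@ class PayGateServer {
  let quota = undefined;
  if (params.quota) {
  quota = {
- dailyCallLimit: Math.max(0, Math.floor(Number(params.quota.dailyCallLimit) || 0)),
- monthlyCallLimit: Math.max(0, Math.floor(Number(params.quota.monthlyCallLimit) || 0)),
- dailyCreditLimit: Math.max(0, Math.floor(Number(params.quota.dailyCreditLimit) || 0)),
- monthlyCreditLimit: Math.max(0, Math.floor(Number(params.quota.monthlyCreditLimit) || 0)),
+ dailyCallLimit: clampInt(Number(params.quota.dailyCallLimit) || 0, 0, MAX_QUOTA_LIMIT),
+ monthlyCallLimit: clampInt(Number(params.quota.monthlyCallLimit) || 0, 0, MAX_QUOTA_LIMIT),
+ dailyCreditLimit: clampInt(Number(params.quota.dailyCreditLimit) || 0, 0, MAX_QUOTA_LIMIT),
+ monthlyCreditLimit: clampInt(Number(params.quota.monthlyCreditLimit) || 0, 0, MAX_QUOTA_LIMIT),
  };
  }
  else if (tpl?.quota) {
  quota = { ...tpl.quota };
  }
  const record = this.gate.store.createKey(name, credits, {
- allowedTools: params.allowedTools || (tpl ? [...tpl.allowedTools] : undefined),
- deniedTools: params.deniedTools || (tpl ? [...tpl.deniedTools] : undefined),
+ allowedTools: clampArray(params.allowedTools, MAX_ACL_ITEMS) || (tpl ? [...tpl.allowedTools] : undefined),
+ deniedTools: clampArray(params.deniedTools, MAX_ACL_ITEMS) || (tpl ? [...tpl.deniedTools] : undefined),
  expiresAt,
  quota,
  tags: params.tags || (tpl ? { ...tpl.tags } : undefined),
- ipAllowlist: params.ipAllowlist || (tpl ? [...tpl.ipAllowlist] : undefined),
+ ipAllowlist: clampArray(params.ipAllowlist, MAX_IP_ALLOWLIST) || (tpl ? [...tpl.ipAllowlist] : undefined),
  namespace: params.namespace || tpl?.namespace,
  });
  // Apply template spending limit if not explicitly set
@@ -2239,11 +2264,12 @@ class PayGateServer {
  this.sendError(res, 400, 'Missing key or credits');
  return;
  }
- const credits = Math.floor(Number(params.credits));
- if (!Number.isFinite(credits) || credits <= 0) {
+ const rawCredits = Number(params.credits);
+ if (!Number.isFinite(rawCredits) || rawCredits <= 0) {
  this.sendError(res, 400, 'Credits must be a positive integer');
  return;
  }
+ const credits = clampInt(rawCredits, 1, MAX_CREDITS);
  // Resolve alias to actual key
  const resolved = this.gate.store.resolveKey(params.key);
  const actualKey = resolved ? resolved.key : params.key;
@@ -2299,11 +2325,12 @@ class PayGateServer {
  this.sendError(res, 400, 'Cannot transfer credits to the same key');
  return;
  }
- const credits = Math.floor(Number(params.credits));
- if (!Number.isFinite(credits) || credits <= 0) {
+ const rawXferCredits = Number(params.credits);
+ if (!Number.isFinite(rawXferCredits) || rawXferCredits <= 0) {
  this.sendError(res, 400, 'Credits must be a positive integer');
  return;
  }
+ const credits = clampInt(rawXferCredits, 1, MAX_CREDITS);
  // Validate source key exists and has enough credits
  const sourceRecord = this.gate.store.resolveKey(params.from);
  if (!sourceRecord) {
@@ -2403,14 +2430,14 @@ class PayGateServer {
  switch (op.action) {
  case 'create': {
  const name = String(op.name || 'unnamed').slice(0, 200);
- const credits = Math.max(0, Math.floor(Number(op.credits) || 100));
+ const credits = clampInt(Number(op.credits) || 100, 0, MAX_CREDITS);
  if (credits <= 0) {
  results.push({ index: i, action: 'create', success: false, error: 'Credits must be positive' });
  break;
  }
  const record = this.gate.store.createKey(name, credits, {
- allowedTools: op.allowedTools,
- deniedTools: op.deniedTools,
+ allowedTools: clampArray(op.allowedTools, MAX_ACL_ITEMS),
+ deniedTools: clampArray(op.deniedTools, MAX_ACL_ITEMS),
  tags: op.tags,
  namespace: op.namespace,
  });
@@ -2428,7 +2455,8 @@ class PayGateServer {
  }
  case 'topup': {
  const key = op.key;
- const amount = Math.floor(Number(op.credits));
+ const rawAmount = Number(op.credits);
+ const amount = Number.isFinite(rawAmount) ? clampInt(rawAmount, 0, MAX_CREDITS) : NaN;
  if (!key) {
  results.push({ index: i, action: 'topup', success: false, error: 'Missing key' });
  break;
@@ -2950,7 +2978,7 @@ class PayGateServer {
  this.sendError(res, 400, 'Missing key');
  return;
  }
- const success = this.gate.store.setAcl(params.key, params.allowedTools, params.deniedTools);
+ const success = this.gate.store.setAcl(params.key, clampArray(params.allowedTools, MAX_ACL_ITEMS), clampArray(params.deniedTools, MAX_ACL_ITEMS));
  if (!success) {
  this.sendError(res, 404, 'Key not found or inactive');
  return;
@@ -3056,10 +3084,10 @@ class PayGateServer {
  return;
  }
  const quota = {
- dailyCallLimit: Math.max(0, Math.floor(Number(params.dailyCallLimit) || 0)),
- monthlyCallLimit: Math.max(0, Math.floor(Number(params.monthlyCallLimit) || 0)),
- dailyCreditLimit: Math.max(0, Math.floor(Number(params.dailyCreditLimit) || 0)),
- monthlyCreditLimit: Math.max(0, Math.floor(Number(params.monthlyCreditLimit) || 0)),
+ dailyCallLimit: clampInt(Number(params.dailyCallLimit) || 0, 0, MAX_QUOTA_LIMIT),
+ monthlyCallLimit: clampInt(Number(params.monthlyCallLimit) || 0, 0, MAX_QUOTA_LIMIT),
+ dailyCreditLimit: clampInt(Number(params.dailyCreditLimit) || 0, 0, MAX_QUOTA_LIMIT),
+ monthlyCreditLimit: clampInt(Number(params.monthlyCreditLimit) || 0, 0, MAX_QUOTA_LIMIT),
  };
  const success = this.gate.store.setQuota(params.key, quota);
  if (!success) {
@@ -3139,7 +3167,7 @@ class PayGateServer {
  this.sendError(res, 400, 'Missing or invalid ips array');
  return;
  }
- const success = this.gate.store.setIpAllowlist(params.key, params.ips);
+ const success = this.gate.store.setIpAllowlist(params.key, params.ips.slice(0, MAX_IP_ALLOWLIST));
  if (!success) {
  this.sendError(res, 404, 'Key not found');
  return;
@@ -3949,10 +3977,10 @@ class PayGateServer {
  this.sendJson(res, 200, { autoTopup: null, message: 'Auto-topup disabled' });
  return;
  }
- // Validate params
- const threshold = Math.max(0, Math.floor(Number(params.threshold) || 0));
- const amount = Math.max(0, Math.floor(Number(params.amount) || 0));
- const maxDaily = Math.max(0, Math.floor(Number(params.maxDaily) || 0));
+ // Validate params (clamp to reasonable upper bounds)
+ const threshold = clampInt(Number(params.threshold) || 0, 0, MAX_TOPUP_THRESHOLD);
+ const amount = clampInt(Number(params.amount) || 0, 0, MAX_TOPUP_AMOUNT);
+ const maxDaily = clampInt(Number(params.maxDaily) || 0, 0, MAX_TOPUP_AMOUNT * 10);
  if (threshold <= 0) {
  this.sendError(res, 400, 'threshold must be a positive integer');
  return;
@@ -4047,7 +4075,7 @@ class PayGateServer {
  this.sendError(res, 404, 'Key not found or inactive');
  return;
  }
- const limit = Math.max(0, Math.floor(Number(params.spendingLimit) || 0));
+ const limit = clampInt(Number(params.spendingLimit) || 0, 0, MAX_SPENDING_LIMIT);
  record.spendingLimit = limit;
  this.gate.store.save();
  this.syncKeyMutation(params.key);
@@ -9165,13 +9193,14 @@ class PayGateServer {
  this.sendError(res, 400, 'executeAt must be in the future');
  return;
  }
- // Topup requires credits param
+ // Topup requires credits param (clamp to MAX_CREDITS)
  if (params.action === 'topup') {
  const credits = params.params?.credits;
  if (!credits || typeof credits !== 'number' || credits <= 0) {
  this.sendError(res, 400, 'topup action requires params.credits (positive number)');
  return;
  }
+ params.params.credits = clampInt(credits, 1, MAX_CREDITS);
  }
  const record = this.gate.store.resolveKeyRaw(params.key);
  if (!record) {
@@ -9409,6 +9438,8 @@ class PayGateServer {
  this.sendError(res, 400, 'Missing or invalid credits (must be positive number)');
  return;
  }
+ // Clamp credits to max bound
+ params.credits = clampInt(params.credits, 1, MAX_CREDITS);
  const record = this.gate.store.resolveKeyRaw(params.key);
  if (!record) {
  this.sendError(res, 404, 'Key not found');
@@ -9659,10 +9690,10 @@ class PayGateServer {
  if (fileConfig.globalQuota !== undefined) {
  const q = fileConfig.globalQuota;
  patch.globalQuota = {
- dailyCallLimit: Math.max(0, Math.floor(Number(q.dailyCallLimit) || 0)),
- monthlyCallLimit: Math.max(0, Math.floor(Number(q.monthlyCallLimit) || 0)),
- dailyCreditLimit: Math.max(0, Math.floor(Number(q.dailyCreditLimit) || 0)),
- monthlyCreditLimit: Math.max(0, Math.floor(Number(q.monthlyCreditLimit) || 0)),
+ dailyCallLimit: clampInt(Number(q.dailyCallLimit) || 0, 0, MAX_QUOTA_LIMIT),
+ monthlyCallLimit: clampInt(Number(q.monthlyCallLimit) || 0, 0, MAX_QUOTA_LIMIT),
+ dailyCreditLimit: clampInt(Number(q.dailyCreditLimit) || 0, 0, MAX_QUOTA_LIMIT),
+ monthlyCreditLimit: clampInt(Number(q.monthlyCreditLimit) || 0, 0, MAX_QUOTA_LIMIT),
  };
  }
  if (fileConfig.alertRules !== undefined) {
@@ -10200,7 +10231,7 @@ class PayGateServer {
  const team = this.teams.createTeam({
  name: sanitizeString(params.name) || 'unnamed',
  description: sanitizeString(params.description) || undefined,
- budget: params.budget,
+ budget: params.budget ? clampInt(Number(params.budget), 0, MAX_CREDITS) : undefined,
  quota: params.quota,
  tags: params.tags,
  });
@@ -10235,7 +10266,7 @@ class PayGateServer {
  const success = this.teams.updateTeam(params.teamId, {
  name: params.name ? sanitizeString(params.name) : undefined,
  description: params.description !== undefined ? (sanitizeString(params.description) || undefined) : undefined,
- budget: params.budget,
+ budget: params.budget !== undefined ? clampInt(Number(params.budget), 0, MAX_CREDITS) : undefined,
  quota: params.quota,
  tags: params.tags,
  });
@@ -10411,16 +10442,17 @@ class PayGateServer {
  return;
  }
  const ttl = Math.max(1, Math.min(86400, Math.floor(Number(params.ttl) || 3600)));
+ const clampedTokenTools = clampArray(params.allowedTools, MAX_ACL_ITEMS);
  const token = this.tokens.create({
  apiKey: params.key,
  ttlSeconds: ttl,
- allowedTools: params.allowedTools,
+ allowedTools: clampedTokenTools,
  label: params.label,
  });
  this.audit.log('token.created', 'admin', `Scoped token created for key: ${keyRecord.name}`, {
  keyMasked: (0, audit_1.maskKeyForAudit)(params.key),
  ttl,
- allowedTools: params.allowedTools,
+ allowedTools: clampedTokenTools,
  label: params.label,
  });
  this.sendJson(res, 201, {
@@ -10428,7 +10460,7 @@ class PayGateServer {
  expiresAt: new Date(Date.now() + ttl * 1000).toISOString(),
  ttl,
  parentKey: keyRecord.name,
- allowedTools: params.allowedTools || [],
+ allowedTools: clampedTokenTools || [],
  label: params.label || null,
  message: 'Use this token as X-API-Key or Bearer token. It will expire automatically.',
  });
@@ -10539,19 +10571,19 @@ class PayGateServer {
  const group = this.groups.createGroup({
  name: sanitizeString(params.name) || '',
  description: sanitizeString(params.description) || undefined,
- allowedTools: params.allowedTools,
- deniedTools: params.deniedTools,
- rateLimitPerMin: params.rateLimitPerMin,
+ allowedTools: clampArray(params.allowedTools, MAX_ACL_ITEMS),
+ deniedTools: clampArray(params.deniedTools, MAX_ACL_ITEMS),
+ rateLimitPerMin: params.rateLimitPerMin ? clampInt(Number(params.rateLimitPerMin), 0, MAX_RATE_LIMIT) : undefined,
  toolPricing: params.toolPricing,
  quota: params.quota ? {
- dailyCallLimit: Math.max(0, Math.floor(Number(params.quota.dailyCallLimit) || 0)),
- monthlyCallLimit: Math.max(0, Math.floor(Number(params.quota.monthlyCallLimit) || 0)),
- dailyCreditLimit: Math.max(0, Math.floor(Number(params.quota.dailyCreditLimit) || 0)),
- monthlyCreditLimit: Math.max(0, Math.floor(Number(params.quota.monthlyCreditLimit) || 0)),
+ dailyCallLimit: clampInt(Number(params.quota.dailyCallLimit) || 0, 0, MAX_QUOTA_LIMIT),
+ monthlyCallLimit: clampInt(Number(params.quota.monthlyCallLimit) || 0, 0, MAX_QUOTA_LIMIT),
+ dailyCreditLimit: clampInt(Number(params.quota.dailyCreditLimit) || 0, 0, MAX_QUOTA_LIMIT),
+ monthlyCreditLimit: clampInt(Number(params.quota.monthlyCreditLimit) || 0, 0, MAX_QUOTA_LIMIT),
  } : undefined,
- ipAllowlist: params.ipAllowlist,
- defaultCredits: params.defaultCredits,
- maxSpendingLimit: params.maxSpendingLimit,
+ ipAllowlist: clampArray(params.ipAllowlist, MAX_IP_ALLOWLIST),
+ defaultCredits: params.defaultCredits ? clampInt(Number(params.defaultCredits), 0, MAX_CREDITS) : undefined,
+ maxSpendingLimit: params.maxSpendingLimit ? clampInt(Number(params.maxSpendingLimit), 0, MAX_SPENDING_LIMIT) : undefined,
  tags: params.tags,
  });
  this.audit.log('group.created', 'admin', `Group created: ${group.name}`, { groupId: group.id, name: group.name });
@@ -10589,19 +10621,19 @@ class PayGateServer {
  const group = this.groups.updateGroup(groupId, {
  name: params.name ? sanitizeString(params.name) : undefined,
  description: params.description !== undefined ? (sanitizeString(params.description) || undefined) : undefined,
- allowedTools: params.allowedTools,
- deniedTools: params.deniedTools,
- rateLimitPerMin: params.rateLimitPerMin,
+ allowedTools: clampArray(params.allowedTools, MAX_ACL_ITEMS),
+ deniedTools: clampArray(params.deniedTools, MAX_ACL_ITEMS),
+ rateLimitPerMin: params.rateLimitPerMin ? clampInt(Number(params.rateLimitPerMin), 0, MAX_RATE_LIMIT) : undefined,
  toolPricing: params.toolPricing,
  quota: params.quota === null ? null : params.quota ? {
- dailyCallLimit: Math.max(0, Math.floor(Number(params.quota.dailyCallLimit) || 0)),
- monthlyCallLimit: Math.max(0, Math.floor(Number(params.quota.monthlyCallLimit) || 0)),
- dailyCreditLimit: Math.max(0, Math.floor(Number(params.quota.dailyCreditLimit) || 0)),
- monthlyCreditLimit: Math.max(0, Math.floor(Number(params.quota.monthlyCreditLimit) || 0)),
+ dailyCallLimit: clampInt(Number(params.quota.dailyCallLimit) || 0, 0, MAX_QUOTA_LIMIT),
+ monthlyCallLimit: clampInt(Number(params.quota.monthlyCallLimit) || 0, 0, MAX_QUOTA_LIMIT),
+ dailyCreditLimit: clampInt(Number(params.quota.dailyCreditLimit) || 0, 0, MAX_QUOTA_LIMIT),
+ monthlyCreditLimit: clampInt(Number(params.quota.monthlyCreditLimit) || 0, 0, MAX_QUOTA_LIMIT),
  } : undefined,
- ipAllowlist: params.ipAllowlist,
- defaultCredits: params.defaultCredits,
- maxSpendingLimit: params.maxSpendingLimit,
+ ipAllowlist: clampArray(params.ipAllowlist, MAX_IP_ALLOWLIST),
+ defaultCredits: params.defaultCredits ? clampInt(Number(params.defaultCredits), 0, MAX_CREDITS) : undefined,
+ maxSpendingLimit: params.maxSpendingLimit ? clampInt(Number(params.maxSpendingLimit), 0, MAX_SPENDING_LIMIT) : undefined,
  tags: params.tags,
  });
  this.audit.log('group.updated', 'admin', `Group updated: ${group.name}`, { groupId: group.id });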
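Review bot: `clampArray` silently truncates `deniedTools` to `MAX_ACL_ITEMS` in key creation, the bulk `create` case, `setAcl` and group create/update, so an over-long deny list is stored incomplete while the request still succeeds, leaving the dropped tools unblocked. For access-control input, reject instead of trimming: compare the length before the store call and answer with `this.sendError(res, 400, 'deniedTools exceeds MAX_ACL_ITEMS')`, and do the same for `allowedTools` and `ipAllowlist`, where trimming drops entries the caller meant to permit. `clampArray` also returns any non-array value unchanged and never bounds the individual items, so a long string or an array of very long strings still reaches the store; a present-but-non-array value should be a 400 as well. `teams.createTeam` and `teams.updateTeam` still forward `params.quota` unclamped, although every other quota object in this change goes through `clampInt(..., 0, MAX_QUOTA_LIMIT)`. The handler bodies start and end outside these hunks, so whether the store validates these fields again is not visible here.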