specra 0.1.13 → 0.2.0

package/dist/middleware/index.d.ts

@@ -0,0 +1 @@
+export * from './security.js';

package/dist/middleware/index.js

@@ -0,0 +1,2 @@
+// Security Middleware
+export * from './security.js';

package/dist/middleware/security.d.ts

@@ -1,82 +1,57 @@
-import { NextResponse, NextRequest } from 'next/server';
-
 /**
- * Security Middleware for Next.js
+ * Security Middleware for SvelteKit
  *
  * Implements:
  * - Content Security Policy (CSP)
  * - Additional security headers
  * - Path traversal protection
+ *
+ * Usage in hooks.server.ts:
+ * ```typescript
+ * import { sequence } from '@sveltejs/kit/hooks'
+ * import { createSecurityHandle } from 'specra/middleware/security'
+ *
+ * export const handle = sequence(
+ *   createSecurityHandle(),
+ *   // ... other handles
+ * )
+ * ```
  */
-
+import type { Handle } from '@sveltejs/kit';
 /**
  * Security headers configuration
  */
-declare const SECURITY_HEADERS: {
-    "X-Frame-Options": string;
-    "X-Content-Type-Options": string;
-    "X-XSS-Protection": string;
-    "Referrer-Policy": string;
-    "Permissions-Policy": string;
-};
+export declare const SECURITY_HEADERS: Record<string, string>;
 /**
- * Apply security headers to response
+ * Apply security headers to a Response
  */
-declare function applySecurityHeaders(response: NextResponse, options?: {
+export declare function applySecurityHeaders(response: Response, options?: {
     customCSP?: string;
     production?: boolean;
-}): NextResponse;
+}): Response;
 /**
  * Validate request path for security issues
  */
-declare function validateRequestPath(pathname: string): {
+export declare function validateRequestPath(pathname: string): {
     valid: boolean;
     reason?: string;
 };
 /**
- * Security proxy function (Next.js 16+)
- * Add this to your Next.js proxy.ts file
+ * Create a SvelteKit handle for security middleware
  */
-declare function createSecurityProxy(options?: {
+export declare function createSecurityHandle(options?: {
     customCSP?: string;
     production?: boolean;
     strictPathValidation?: boolean;
-}): (request: NextRequest) => NextResponse;
-/**
- * @deprecated Use createSecurityProxy instead. Middleware is renamed to Proxy in Next.js 16+
- */
-declare const createSecurityMiddleware: typeof createSecurityProxy;
-/**
- * Example proxy configuration for your project
- *
- * Create this file: proxy.ts (at root of your Next.js app)
- *
- * ```typescript
- * import { createSecurityProxy } from 'specra/middleware/security'
- *
- * export const proxy = createSecurityProxy({
- *   production: process.env.NODE_ENV === 'production',
- *   strictPathValidation: true,
- * })
- *
- * export const config = {
- *   matcher: [
- *     // Match all paths except static files
- *     '/((?!_next/static|_next/image|favicon.ico).*)',
- *   ],
- * }
- * ```
- */
+}): Handle;
 /**
  * Validate subdomain/organization isolation
  * Use this if you're building a multi-tenant system
  */
-declare function validateSubdomainIsolation(request: NextRequest, options: {
+export declare function validateSubdomainIsolation(hostname: string, pathname: string, options: {
     allowedSubdomains?: string[];
     currentOrg?: string;
 }): {
     valid: boolean;
     reason?: string;
 };
-
-export { SECURITY_HEADERS, applySecurityHeaders, createSecurityMiddleware, createSecurityProxy, validateRequestPath, validateSubdomainIsolation };

package/dist/middleware/security.js

@@ -1,144 +1,118 @@
-"use strict";
-var __defProp = Object.defineProperty;
-var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
-var __getOwnPropNames = Object.getOwnPropertyNames;
-var __hasOwnProp = Object.prototype.hasOwnProperty;
-var __export = (target, all) => {
-  for (var name in all)
-    __defProp(target, name, { get: all[name], enumerable: true });
+/**
+ * Security Middleware for SvelteKit
+ *
+ * Implements:
+ * - Content Security Policy (CSP)
+ * - Additional security headers
+ * - Path traversal protection
+ *
+ * Usage in hooks.server.ts:
+ * ```typescript
+ * import { sequence } from '@sveltejs/kit/hooks'
+ * import { createSecurityHandle } from 'specra/middleware/security'
+ *
+ * export const handle = sequence(
+ *   createSecurityHandle(),
+ *   // ... other handles
+ * )
+ * ```
+ */
+import { generateCSPHeader } from '../mdx-security.js';
+/**
+ * Security headers configuration
+ */
+export const SECURITY_HEADERS = {
+    // Prevent clickjacking
+    'X-Frame-Options': 'SAMEORIGIN',
+    // Prevent MIME type sniffing
+    'X-Content-Type-Options': 'nosniff',
+    // Enable XSS protection (legacy browsers)
+    'X-XSS-Protection': '1; mode=block',
+    // Control referrer information
+    'Referrer-Policy': 'strict-origin-when-cross-origin',
+    // Permissions Policy (formerly Feature Policy)
+    'Permissions-Policy': 'camera=(), microphone=(), geolocation=()',
 };
-var __copyProps = (to, from, except, desc) => {
-  if (from && typeof from === "object" || typeof from === "function") {
-    for (let key of __getOwnPropNames(from))
-      if (!__hasOwnProp.call(to, key) && key !== except)
-        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
-  }
-  return to;
-};
-var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
-
-// src/middleware/security.ts
-var security_exports = {};
-__export(security_exports, {
-  SECURITY_HEADERS: () => SECURITY_HEADERS,
-  applySecurityHeaders: () => applySecurityHeaders,
-  createSecurityMiddleware: () => createSecurityMiddleware,
-  createSecurityProxy: () => createSecurityProxy,
-  validateRequestPath: () => validateRequestPath,
-  validateSubdomainIsolation: () => validateSubdomainIsolation
-});
-module.exports = __toCommonJS(security_exports);
-var import_server = require("next/server");
-
-// src/lib/mdx-security.ts
-var CSP_DIRECTIVES = {
-  "default-src": ["'self'"],
-  "script-src": [
-    "'self'",
-    "'unsafe-inline'",
-    // Required for Next.js
-    "'unsafe-eval'"
-    // Required for dev mode - remove in production
-  ],
-  "style-src": ["'self'", "'unsafe-inline'"],
-  // Required for styled-components/emotion
-  "img-src": ["'self'", "data:", "https:"],
-  "font-src": ["'self'", "data:"],
-  "connect-src": ["'self'"],
-  "frame-src": ["'self'"],
-  "object-src": ["'none'"],
-  "base-uri": ["'self'"],
-  "form-action": ["'self'"],
-  "frame-ancestors": ["'self'"],
-  "upgrade-insecure-requests": []
-};
-function generateCSPHeader(customDirectives, production = true) {
-  const directives = { ...CSP_DIRECTIVES, ...customDirectives };
-  if (production && directives["script-src"]) {
-    directives["script-src"] = directives["script-src"].filter(
-      (src) => src !== "'unsafe-eval'"
-    );
-  }
-  return Object.entries(directives).map(([key, values]) => `${key} ${values.join(" ")}`).join("; ");
+/**
+ * Apply security headers to a Response
+ */
+export function applySecurityHeaders(response, options) {
+    const { customCSP, production = true } = options || {};
+    // Apply standard security headers
+    for (const [key, value] of Object.entries(SECURITY_HEADERS)) {
+        response.headers.set(key, value);
+    }
+    // Apply CSP
+    const csp = customCSP || generateCSPHeader(undefined, production);
+    response.headers.set('Content-Security-Policy', csp);
+    return response;
 }
-
-// src/middleware/security.ts
-var SECURITY_HEADERS = {
-  // Prevent clickjacking
-  "X-Frame-Options": "SAMEORIGIN",
-  // Prevent MIME type sniffing
-  "X-Content-Type-Options": "nosniff",
-  // Enable XSS protection (legacy browsers)
-  "X-XSS-Protection": "1; mode=block",
-  // Control referrer information
-  "Referrer-Policy": "strict-origin-when-cross-origin",
-  // Permissions Policy (formerly Feature Policy)
-  "Permissions-Policy": "camera=(), microphone=(), geolocation=()"
-};
-function applySecurityHeaders(response, options) {
-  const { customCSP, production = process.env.NODE_ENV === "production" } = options || {};
-  Object.entries(SECURITY_HEADERS).forEach(([key, value]) => {
-    response.headers.set(key, value);
-  });
-  const csp = customCSP || generateCSPHeader(void 0, production);
-  response.headers.set("Content-Security-Policy", csp);
-  return response;
+/**
+ * Validate request path for security issues
+ */
+export function validateRequestPath(pathname) {
+    // Decode the pathname to catch encoded attacks
+    const decoded = decodeURIComponent(pathname);
+    // Check for path traversal
+    if (decoded.includes('../') || decoded.includes('..\\')) {
+        return { valid: false, reason: 'Path traversal detected' };
+    }
+    // Check for encoded path traversal
+    if (decoded.includes('%2e%2e') ||
+        decoded.includes('%252e%252e') ||
+        pathname.includes('%2e%2e') ||
+        pathname.includes('%252e%252e')) {
+        return { valid: false, reason: 'Encoded path traversal detected' };
+    }
+    // Check for null bytes
+    if (decoded.includes('\0') || pathname.includes('%00')) {
+        return { valid: false, reason: 'Null byte injection detected' };
+    }
+    return { valid: true };
 }
-function validateRequestPath(pathname) {
-  const decoded = decodeURIComponent(pathname);
-  if (decoded.includes("../") || decoded.includes("..\\")) {
-    return { valid: false, reason: "Path traversal detected" };
-  }
-  if (decoded.includes("%2e%2e") || decoded.includes("%252e%252e") || pathname.includes("%2e%2e") || pathname.includes("%252e%252e")) {
-    return { valid: false, reason: "Encoded path traversal detected" };
-  }
-  if (decoded.includes("\0") || pathname.includes("%00")) {
-    return { valid: false, reason: "Null byte injection detected" };
-  }
-  return { valid: true };
+/**
+ * Create a SvelteKit handle for security middleware
+ */
+export function createSecurityHandle(options) {
+    return async ({ event, resolve }) => {
+        const { strictPathValidation = true } = options || {};
+        // Validate request path
+        if (strictPathValidation) {
+            const pathValidation = validateRequestPath(event.url.pathname);
+            if (!pathValidation.valid) {
+                const ip = event.request.headers.get('x-forwarded-for') ||
+                    event.request.headers.get('x-real-ip') ||
+                    'unknown';
+                console.warn(`[Security] Blocked request: ${pathValidation.reason}`, {
+                    path: event.url.pathname,
+                    ip,
+                });
+                return new Response('Bad Request', { status: 400 });
+            }
+        }
+        // Continue with the request and apply security headers
+        const response = await resolve(event);
+        return applySecurityHeaders(response, options);
+    };
 }
-function createSecurityProxy(options) {
-  return function securityProxy(request) {
-    const { strictPathValidation = true } = options || {};
-    if (strictPathValidation) {
-      const pathValidation = validateRequestPath(request.nextUrl.pathname);
-      if (!pathValidation.valid) {
-        const ip = request.headers.get("x-forwarded-for") || request.headers.get("x-real-ip") || "unknown";
-        console.warn(`[Security] Blocked request: ${pathValidation.reason}`, {
-          path: request.nextUrl.pathname,
-          ip
-        });
-        return new import_server.NextResponse("Bad Request", { status: 400 });
-      }
+/**
+ * Validate subdomain/organization isolation
+ * Use this if you're building a multi-tenant system
+ */
+export function validateSubdomainIsolation(hostname, pathname, options) {
+    const { allowedSubdomains, currentOrg } = options;
+    const subdomain = hostname.split('.')[0];
+    // If allowlist is provided, validate against it
+    if (allowedSubdomains && !allowedSubdomains.includes(subdomain)) {
+        return { valid: false, reason: 'Subdomain not in allowlist' };
     }
-    const response = import_server.NextResponse.next();
-    return applySecurityHeaders(response, options);
-  };
-}
-var createSecurityMiddleware = createSecurityProxy;
-function validateSubdomainIsolation(request, options) {
-  const { allowedSubdomains, currentOrg } = options;
-  const hostname = request.headers.get("host") || "";
-  const subdomain = hostname.split(".")[0];
-  if (allowedSubdomains && !allowedSubdomains.includes(subdomain)) {
-    return { valid: false, reason: "Subdomain not in allowlist" };
-  }
-  const pathMatch = request.nextUrl.pathname.match(/\/(static|assets|_.*?)\/([^/]+)/);
-  if (pathMatch && currentOrg) {
-    const pathOrg = pathMatch[2];
-    if (pathOrg !== currentOrg) {
-      return { valid: false, reason: "Cross-organization access detected" };
+    // Check for subdomain mismatch in paths
+    const pathMatch = pathname.match(/\/(static|assets|_.*?)\/([^/]+)/);
+    if (pathMatch && currentOrg) {
+        const pathOrg = pathMatch[2];
+        if (pathOrg !== currentOrg) {
+            return { valid: false, reason: 'Cross-organization access detected' };
+        }
     }
-  }
-  return { valid: true };
+    return { valid: true };
 }
-// Annotate the CommonJS export names for ESM import in node:
-0 && (module.exports = {
-  SECURITY_HEADERS,
-  applySecurityHeaders,
-  createSecurityMiddleware,
-  createSecurityProxy,
-  validateRequestPath,
-  validateSubdomainIsolation
-});
-//# sourceMappingURL=security.js.map

package/dist/parsers/base-parser.d.ts

@@ -0,0 +1,14 @@
+import type { SpecraApiSpec } from "../api-parser.types";
+/**
+ * Base interface for all API spec parsers
+ */
+export interface ApiSpecParser {
+    /**
+     * Parse the input spec and convert to Specra format
+     */
+    parse(input: any): SpecraApiSpec;
+    /**
+     * Validate if the input is in the expected format
+     */
+    validate(input: any): boolean;
+}

package/dist/parsers/base-parser.js

@@ -0,0 +1 @@
+export {};

package/dist/parsers/index.d.ts

@@ -0,0 +1,16 @@
+import type { SpecraApiSpec } from "../api-parser.types";
+import type { ApiSpecParser } from "./base-parser";
+import { SpecraParser } from "./specra-parser";
+import { OpenApiParser } from "./openapi-parser";
+import { PostmanParser } from "./postman-parser";
+export type ParserType = "auto" | "specra" | "openapi" | "postman";
+/**
+ * Auto-detect the parser type based on the input structure
+ */
+export declare function detectParserType(input: any): ParserType;
+/**
+ * Parse an API spec using the specified or auto-detected parser
+ */
+export declare function parseApiSpec(input: any, parserType?: ParserType): SpecraApiSpec;
+export { SpecraParser, OpenApiParser, PostmanParser };
+export type { ApiSpecParser };

package/dist/parsers/index.js

@@ -0,0 +1,51 @@
+import { SpecraParser } from "./specra-parser";
+import { OpenApiParser } from "./openapi-parser";
+import { PostmanParser } from "./postman-parser";
+/**
+ * Registry of all available parsers
+ */
+const parsers = new Map([
+    ["specra", new SpecraParser()],
+    ["openapi", new OpenApiParser()],
+    ["postman", new PostmanParser()],
+]);
+/**
+ * Auto-detect the parser type based on the input structure
+ */
+export function detectParserType(input) {
+    if (!input || typeof input !== "object") {
+        throw new Error("Invalid API spec: input must be an object");
+    }
+    // Check for Postman Collection
+    if (input.info?.schema?.includes("v2")) {
+        return "postman";
+    }
+    // Check for OpenAPI/Swagger
+    if (input.openapi || input.swagger) {
+        return "openapi";
+    }
+    // Check for Specra format
+    if (input.endpoints && Array.isArray(input.endpoints)) {
+        return "specra";
+    }
+    throw new Error("Unable to auto-detect API spec format. Supported formats: Specra, OpenAPI 3.x, Postman Collection v2.x");
+}
+/**
+ * Parse an API spec using the specified or auto-detected parser
+ */
+export function parseApiSpec(input, parserType = "auto") {
+    // Auto-detect if needed
+    const actualType = parserType === "auto" ? detectParserType(input) : parserType;
+    // Get the parser
+    const parser = parsers.get(actualType);
+    if (!parser) {
+        throw new Error(`Unknown parser type: ${actualType}`);
+    }
+    // Validate and parse
+    if (!parser.validate(input)) {
+        throw new Error(`Input does not match ${actualType} format`);
+    }
+    return parser.parse(input);
+}
+// Export parsers for direct use
+export { SpecraParser, OpenApiParser, PostmanParser };

package/dist/parsers/openapi-parser.d.ts

@@ -0,0 +1,18 @@
+import type { SpecraApiSpec } from "../api-parser.types";
+import type { ApiSpecParser } from "./base-parser";
+/**
+ * Parser for OpenAPI 3.0/3.1 specifications
+ */
+export declare class OpenApiParser implements ApiSpecParser {
+    validate(input: any): boolean;
+    parse(input: any): SpecraApiSpec;
+    private extractBaseUrl;
+    private extractAuth;
+    private parseOperation;
+    private convertPathParams;
+    private parseParameters;
+    private parseRequestBody;
+    private parseResponses;
+    private generateExample;
+    private resolveRef;
+}