theokit 0.4.0-beta.0 → 0.5.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (297) hide show
  1. package/dist/{actions-virtual-module-HWNTIEPI.js → actions-virtual-module-IY46EEEX.js} +2 -2
  2. package/dist/{actions-virtual-module-SEIPACG5.js → actions-virtual-module-XNHDNCZ6.js} +2 -2
  3. package/dist/add-2ZFFGGE4.js +0 -0
  4. package/dist/{app-typed-client-ITIYTBXO.js → app-typed-client-OUJO3V5J.js} +10 -5
  5. package/dist/{app-typed-client-62FYBLVJ.js.map → app-typed-client-OUJO3V5J.js.map} +1 -1
  6. package/dist/{app-typed-client-62FYBLVJ.js → app-typed-client-YOMWSA3F.js} +11 -6
  7. package/dist/{app-typed-client-ITIYTBXO.js.map → app-typed-client-YOMWSA3F.js.map} +1 -1
  8. package/dist/audit-log-BQWM5YLG.d.ts +60 -0
  9. package/dist/{aws-lambda-XYCGZH3I.js → aws-lambda-GKSTX6HD.js} +3 -3
  10. package/dist/body-parser-web-MUWBKZ3F.js +70 -0
  11. package/dist/body-parser-web-MUWBKZ3F.js.map +1 -0
  12. package/dist/broadcast-QOQGUNNK.js +0 -0
  13. package/dist/{build-HIGHJQQV.js → build-D4J7XECU.js} +31 -22
  14. package/dist/build-D4J7XECU.js.map +1 -0
  15. package/dist/build-request-body-preview-II2235E6.js +0 -0
  16. package/dist/{bun-K73TQEWC.js → bun-ISHSNFIO.js} +3 -3
  17. package/dist/{check-PZR67OY5.js → check-NXYPLM6M.js} +2 -2
  18. package/dist/{chunk-WZ7CPVQB.js → chunk-27LWMYNK.js} +28 -24
  19. package/dist/chunk-27LWMYNK.js.map +1 -0
  20. package/dist/{chunk-BIGBFZSU.js → chunk-2F4FROEQ.js} +1689 -1521
  21. package/dist/chunk-2F4FROEQ.js.map +1 -0
  22. package/dist/chunk-4HBI7DHP.js +20 -0
  23. package/dist/chunk-4HBI7DHP.js.map +1 -0
  24. package/dist/{chunk-X4JAX2U3.js → chunk-4S2UCILN.js} +180 -125
  25. package/dist/chunk-4S2UCILN.js.map +1 -0
  26. package/dist/{chunk-C52GSJPF.js → chunk-4S6YHNG2.js} +11 -8
  27. package/dist/chunk-4S6YHNG2.js.map +1 -0
  28. package/dist/chunk-5ODOE6EF.js +0 -0
  29. package/dist/{chunk-KJVEJILQ.js → chunk-5PU65T5W.js} +9 -3
  30. package/dist/chunk-5PU65T5W.js.map +1 -0
  31. package/dist/chunk-5QW7IQQU.js +36 -0
  32. package/dist/chunk-5QW7IQQU.js.map +1 -0
  33. package/dist/chunk-5Z2727GV.js +1324 -0
  34. package/dist/chunk-5Z2727GV.js.map +1 -0
  35. package/dist/{chunk-YLBSSEHX.js → chunk-6NEXVBPY.js} +5 -15
  36. package/dist/chunk-6NEXVBPY.js.map +1 -0
  37. package/dist/chunk-7MQOHNHE.js +36 -0
  38. package/dist/chunk-7MQOHNHE.js.map +1 -0
  39. package/dist/{chunk-TPCT3MXV.js → chunk-ABVITXFH.js} +405 -272
  40. package/dist/chunk-ABVITXFH.js.map +1 -0
  41. package/dist/chunk-ASDXVRJD.js +185 -0
  42. package/dist/chunk-ASDXVRJD.js.map +1 -0
  43. package/dist/chunk-B3L3TJVF.js +406 -0
  44. package/dist/chunk-B3L3TJVF.js.map +1 -0
  45. package/dist/{chunk-PB4GR7EP.js → chunk-C3ZZ56YZ.js} +1 -18
  46. package/dist/chunk-C3ZZ56YZ.js.map +1 -0
  47. package/dist/{chunk-O7335ZGH.js → chunk-CG563V5M.js} +5 -3
  48. package/dist/chunk-CG563V5M.js.map +1 -0
  49. package/dist/{chunk-5OFPQK6N.js → chunk-COXLEZCN.js} +2 -1
  50. package/dist/chunk-COXLEZCN.js.map +1 -0
  51. package/dist/{chunk-O4BLVPML.js → chunk-DNMSV3R3.js} +22 -28
  52. package/dist/chunk-DNMSV3R3.js.map +1 -0
  53. package/dist/chunk-E3JH6YUM.js +1 -0
  54. package/dist/chunk-ESC54TAK.js +220 -0
  55. package/dist/chunk-ESC54TAK.js.map +1 -0
  56. package/dist/chunk-FI7MPTJW.js +77 -0
  57. package/dist/chunk-FI7MPTJW.js.map +1 -0
  58. package/dist/chunk-H4J2LECY.js +201 -0
  59. package/dist/chunk-H4J2LECY.js.map +1 -0
  60. package/dist/chunk-IAJ2JVEH.js +256 -0
  61. package/dist/chunk-IAJ2JVEH.js.map +1 -0
  62. package/dist/{chunk-F3TG5FJV.js → chunk-IEZCAT2I.js} +7 -1
  63. package/dist/{chunk-F3TG5FJV.js.map → chunk-IEZCAT2I.js.map} +1 -1
  64. package/dist/chunk-JHEAWR3L.js +1 -0
  65. package/dist/chunk-JQSKBMXP.js +17 -0
  66. package/dist/chunk-JQSKBMXP.js.map +1 -0
  67. package/dist/{chunk-4QTKSLTO.js → chunk-K4M64WD6.js} +9 -5
  68. package/dist/{chunk-4QTKSLTO.js.map → chunk-K4M64WD6.js.map} +1 -1
  69. package/dist/chunk-KI7OWQUX.js +293 -0
  70. package/dist/chunk-KI7OWQUX.js.map +1 -0
  71. package/dist/chunk-KT3MWNZG.js +0 -0
  72. package/dist/{chunk-ZJW5FFYJ.js → chunk-LC5PYNJP.js} +2 -2
  73. package/dist/{chunk-JAAHOGKI.js → chunk-M2EY7KDR.js} +1223 -1124
  74. package/dist/chunk-M2EY7KDR.js.map +1 -0
  75. package/dist/{chunk-2VQKDRVF.js → chunk-MR7OLIC6.js} +3 -3
  76. package/dist/chunk-NM4WF3XD.js +63 -0
  77. package/dist/chunk-NM4WF3XD.js.map +1 -0
  78. package/dist/chunk-NPMCKOX4.js +1 -0
  79. package/dist/{chunk-VRHXOKRP.js → chunk-NZXH2LQQ.js} +86 -83
  80. package/dist/chunk-NZXH2LQQ.js.map +1 -0
  81. package/dist/{chunk-B6RP57M3.js → chunk-OLPB36O2.js} +4 -4
  82. package/dist/chunk-PIVX3DYW.js +142 -0
  83. package/dist/chunk-PIVX3DYW.js.map +1 -0
  84. package/dist/{chunk-7TOMTMHT.js → chunk-R7OC6UDK.js} +2 -1
  85. package/dist/chunk-R7OC6UDK.js.map +1 -0
  86. package/dist/chunk-RESN62GB.js +269 -0
  87. package/dist/chunk-RESN62GB.js.map +1 -0
  88. package/dist/{chunk-64JI5LTO.js → chunk-RMU7EBRO.js} +2 -2
  89. package/dist/chunk-RMU7EBRO.js.map +1 -0
  90. package/dist/chunk-TQYSPYKU.js +131 -0
  91. package/dist/chunk-TQYSPYKU.js.map +1 -0
  92. package/dist/chunk-TSLSIRBR.js +107 -0
  93. package/dist/chunk-TSLSIRBR.js.map +1 -0
  94. package/dist/{chunk-XP7YXRHO.js → chunk-U6TPSW4L.js} +37 -5
  95. package/dist/chunk-U6TPSW4L.js.map +1 -0
  96. package/dist/chunk-UD3LFGDL.js +45 -0
  97. package/dist/chunk-UD3LFGDL.js.map +1 -0
  98. package/dist/chunk-UUFYP2UM.js +161 -0
  99. package/dist/chunk-UUFYP2UM.js.map +1 -0
  100. package/dist/{chunk-OXIQI2XZ.js → chunk-VBZCVFSA.js} +2 -2
  101. package/dist/chunk-VMEWD57H.js +137 -0
  102. package/dist/chunk-VMEWD57H.js.map +1 -0
  103. package/dist/{chunk-TRH2L3FI.js → chunk-WEGALZEU.js} +3 -3
  104. package/dist/{chunk-ZOXNJV2O.js → chunk-WGHJD6I7.js} +35 -138
  105. package/dist/chunk-WGHJD6I7.js.map +1 -0
  106. package/dist/chunk-XMS5VRIK.js +0 -0
  107. package/dist/chunk-Y4H3JNVK.js +18 -0
  108. package/dist/chunk-Y4H3JNVK.js.map +1 -0
  109. package/dist/chunk-Z5IGLBWE.js +329 -0
  110. package/dist/chunk-Z5IGLBWE.js.map +1 -0
  111. package/dist/chunk-ZEGYW52B.js +26 -0
  112. package/dist/chunk-ZEGYW52B.js.map +1 -0
  113. package/dist/chunk-ZJQ4O76G.js +87 -0
  114. package/dist/chunk-ZJQ4O76G.js.map +1 -0
  115. package/dist/cli/index.js +32 -21
  116. package/dist/cli/index.js.map +1 -1
  117. package/dist/client/index.d.ts +107 -1
  118. package/dist/client/index.js +152 -6
  119. package/dist/client/index.js.map +1 -1
  120. package/dist/{cloudflare-LCAOTRYZ.js → cloudflare-OJGJ7R2D.js} +3 -3
  121. package/dist/configure-agent-registry-6YGTJYBC.js +0 -0
  122. package/dist/cookies-MJKMGJ7N.js +22 -0
  123. package/dist/csrf-BBrEZSBW.d.ts +107 -0
  124. package/dist/csrf-readiness-store-CjIoub3U.d.ts +43 -0
  125. package/dist/define-websocket-CdK94O-D.d.ts +64 -0
  126. package/dist/{deno-deploy-ZN4RE5HF.js → deno-deploy-BHWKFTOW.js} +3 -3
  127. package/dist/{dev-266MVCVA.js → dev-MJVSRZGF.js} +11 -11
  128. package/dist/{dev-emit-RBSFZZNO.js → dev-emit-5VPRCHOD.js} +39 -142
  129. package/dist/dev-emit-5VPRCHOD.js.map +1 -0
  130. package/dist/{dev-emit-NO6OZJOQ.js → dev-emit-HHP2XJXE.js} +5 -5
  131. package/dist/devtools/entry.js +185 -131
  132. package/dist/devtools/entry.js.map +1 -1
  133. package/dist/{dispatcher-AQJGI3HU.js → dispatcher-63LBXYLE.js} +2 -2
  134. package/dist/{dispatcher-E6QV32BO.js → dispatcher-EJME6C6M.js} +5 -2
  135. package/dist/dispatcher-EJME6C6M.js.map +1 -0
  136. package/dist/{dist-5V77Z223.js → dist-KRW6OVD4.js} +7 -7
  137. package/dist/dist-KRW6OVD4.js.map +1 -0
  138. package/dist/docker-EZDA5FT7.js +0 -0
  139. package/dist/error-envelope-BsNzzAV5.d.ts +62 -0
  140. package/dist/{generate-DT4IIAHF.js → generate-AZ2K6Z2Z.js} +75 -2
  141. package/dist/generate-AZ2K6Z2Z.js.map +1 -0
  142. package/dist/index-DWWEdFh5.d.ts +399 -0
  143. package/dist/index.d.ts +161 -1391
  144. package/dist/index.js +20 -8
  145. package/dist/index.js.map +1 -1
  146. package/dist/{info-FJ4NXKTB.js → info-47VB62MV.js} +5 -5
  147. package/dist/job-backend-CgC8Xf33.d.ts +68 -0
  148. package/dist/{lib-NL5JXGEB.js → lib-NST3PNZX.js} +31 -31
  149. package/dist/lib-NST3PNZX.js.map +1 -0
  150. package/dist/module-loader-Cfz7dgCP.d.ts +26 -0
  151. package/dist/{netlify-5VQ22Z2P.js → netlify-GSNSJGMN.js} +3 -3
  152. package/dist/{node-3APTLGWB.js → node-6I5B6RL3.js} +3 -3
  153. package/dist/node-6I5B6RL3.js.map +1 -0
  154. package/dist/{openapi-FNVSWZOL.js → openapi-NFLSNNVQ.js} +10 -10
  155. package/dist/plugin-runner-BGBkzgi0.d.ts +95 -0
  156. package/dist/plugin-types-DNJGxr4Z.d.ts +79 -0
  157. package/dist/{proper-lockfile-4Y3DP3RP.js → proper-lockfile-MVKMQGFK.js} +27 -27
  158. package/dist/proper-lockfile-MVKMQGFK.js.map +1 -0
  159. package/dist/rate-limit-BdNDZ3vt.d.ts +58 -0
  160. package/dist/registry-QHEZ3BWB.js +25 -0
  161. package/dist/router-RGZFX75G.js +0 -0
  162. package/dist/{routes-H4SPLFHJ.js → routes-3A4XGIEJ.js} +6 -6
  163. package/dist/{scan-C2BOKLSY.js → scan-NQFI5S7P.js} +2 -2
  164. package/dist/scan-NQFI5S7P.js.map +1 -0
  165. package/dist/schema-D3v8VB7o.d.ts +76 -0
  166. package/dist/{schema-VR6YNVLQ.js → schema-KZVOV333.js} +5 -3
  167. package/dist/schema-KZVOV333.js.map +1 -0
  168. package/dist/server/agent/index.d.ts +229 -0
  169. package/dist/server/agent/index.js +16 -0
  170. package/dist/server/agent/index.js.map +1 -0
  171. package/dist/server/auth/index.d.ts +46 -1
  172. package/dist/server/auth/index.js +10 -3
  173. package/dist/server/cost/index.d.ts +1 -3
  174. package/dist/server/cost/index.js +1 -1
  175. package/dist/server/cron/index.js +4 -2
  176. package/dist/server/define/index.d.ts +281 -0
  177. package/dist/server/define/index.js +26 -0
  178. package/dist/server/define/index.js.map +1 -0
  179. package/dist/server/http/index.d.ts +10 -0
  180. package/dist/server/http/index.js +74 -0
  181. package/dist/server/http/index.js.map +1 -0
  182. package/dist/server/index.d.ts +151 -1677
  183. package/dist/server/index.js +558 -1102
  184. package/dist/server/index.js.map +1 -1
  185. package/dist/server/jobs/index.d.ts +348 -2
  186. package/dist/server/jobs/index.js +5 -3
  187. package/dist/server/observability/index.d.ts +324 -0
  188. package/dist/server/observability/index.js +48 -0
  189. package/dist/server/observability/index.js.map +1 -0
  190. package/dist/server/plugins/index.d.ts +17 -0
  191. package/dist/server/plugins/index.js +17 -0
  192. package/dist/server/plugins/index.js.map +1 -0
  193. package/dist/server/rate-limit/index.d.ts +105 -0
  194. package/dist/server/rate-limit/index.js +25 -0
  195. package/dist/server/rate-limit/index.js.map +1 -0
  196. package/dist/server/realtime/index.d.ts +15 -0
  197. package/dist/server/realtime/index.js +8 -0
  198. package/dist/server/realtime/index.js.map +1 -0
  199. package/dist/server/scan/index.d.ts +106 -0
  200. package/dist/server/scan/index.js +43 -0
  201. package/dist/server/scan/index.js.map +1 -0
  202. package/dist/server/security/index.d.ts +193 -0
  203. package/dist/server/security/index.js +50 -0
  204. package/dist/server/security/index.js.map +1 -0
  205. package/dist/server/storage/index.d.ts +22 -0
  206. package/dist/server/storage/index.js +14 -0
  207. package/dist/server/storage/index.js.map +1 -0
  208. package/dist/server/webhook/index.d.ts +148 -0
  209. package/dist/server/webhook/index.js +19 -0
  210. package/dist/server/webhook/index.js.map +1 -0
  211. package/dist/server-error-to-envelope-NO4CCAFQ.js +8 -0
  212. package/dist/server-error-to-envelope-NO4CCAFQ.js.map +1 -0
  213. package/dist/server-error-to-envelope-UJK6OWDJ.js +134 -0
  214. package/dist/server-error-to-envelope-UJK6OWDJ.js.map +1 -0
  215. package/dist/server-routes-hmr-GZJGPWMS.js +0 -0
  216. package/dist/services-json-Z2QNGVPW.js +142 -0
  217. package/dist/services-json-Z2QNGVPW.js.map +1 -0
  218. package/dist/{services-typed-client-XWYYBWGW.js → services-typed-client-KK6RHRDG.js} +2 -2
  219. package/dist/{services-typed-client-ZX5JUHH3.js → services-typed-client-T7M5VPBP.js} +2 -2
  220. package/dist/{sqlite-vec-ARPNUBWT.js → sqlite-vec-54KB4RD3.js} +2 -2
  221. package/dist/sqlite-vec-54KB4RD3.js.map +1 -0
  222. package/dist/{start-HX3QUSOS.js → start-CGSZPBAG.js} +23 -23
  223. package/dist/start-CGSZPBAG.js.map +1 -0
  224. package/dist/{static-TZBVBDTB.js → static-QI5NQT2X.js} +6 -6
  225. package/dist/storage-manager-C4jsO0Tp.d.ts +89 -0
  226. package/dist/storage-manager-D5KBXXKB.js +0 -0
  227. package/dist/{storage-types-DtIVejC1.d.ts → storage-types-DsDTCPbp.d.ts} +1 -1
  228. package/dist/{theo-cloud-3K4DGB3S.js → theo-cloud-RSQCBNXL.js} +4 -4
  229. package/dist/theo-cloud-RSQCBNXL.js.map +1 -0
  230. package/dist/upgrade-readiness-GUJBCJIS.js +0 -0
  231. package/dist/{vercel-MWW24ABC.js → vercel-TKPZK62A.js} +3 -3
  232. package/dist/vite-plugin/index.d.ts +3 -1
  233. package/dist/vite-plugin/index.js +20 -8
  234. package/dist/{vite-plugin-IK3NOWXS.js → vite-plugin-CR4JDFUQ.js} +9 -9
  235. package/dist/vite-plugin-CR4JDFUQ.js.map +1 -0
  236. package/package.json +61 -9
  237. package/LICENSE +0 -201
  238. package/dist/build-HIGHJQQV.js.map +0 -1
  239. package/dist/chunk-5OFPQK6N.js.map +0 -1
  240. package/dist/chunk-64JI5LTO.js.map +0 -1
  241. package/dist/chunk-7TOMTMHT.js.map +0 -1
  242. package/dist/chunk-BIGBFZSU.js.map +0 -1
  243. package/dist/chunk-C52GSJPF.js.map +0 -1
  244. package/dist/chunk-CZM6WWWS.js +0 -2450
  245. package/dist/chunk-CZM6WWWS.js.map +0 -1
  246. package/dist/chunk-JAAHOGKI.js.map +0 -1
  247. package/dist/chunk-KJVEJILQ.js.map +0 -1
  248. package/dist/chunk-O4BLVPML.js.map +0 -1
  249. package/dist/chunk-O7335ZGH.js.map +0 -1
  250. package/dist/chunk-PB4GR7EP.js.map +0 -1
  251. package/dist/chunk-TPCT3MXV.js.map +0 -1
  252. package/dist/chunk-VRHXOKRP.js.map +0 -1
  253. package/dist/chunk-WZ7CPVQB.js.map +0 -1
  254. package/dist/chunk-X4JAX2U3.js.map +0 -1
  255. package/dist/chunk-XP7YXRHO.js.map +0 -1
  256. package/dist/chunk-YLBSSEHX.js.map +0 -1
  257. package/dist/chunk-ZOXNJV2O.js.map +0 -1
  258. package/dist/dev-emit-RBSFZZNO.js.map +0 -1
  259. package/dist/dispatcher-E6QV32BO.js.map +0 -1
  260. package/dist/dist-5V77Z223.js.map +0 -1
  261. package/dist/generate-DT4IIAHF.js.map +0 -1
  262. package/dist/index-li83Swxa.d.ts +0 -506
  263. package/dist/lib-NL5JXGEB.js.map +0 -1
  264. package/dist/proper-lockfile-4Y3DP3RP.js.map +0 -1
  265. package/dist/registry-4MZ26TZD.js +0 -25
  266. package/dist/schema-CjVly9c_.d.ts +0 -274
  267. package/dist/sqlite-vec-ARPNUBWT.js.map +0 -1
  268. package/dist/start-HX3QUSOS.js.map +0 -1
  269. package/dist/theo-cloud-3K4DGB3S.js.map +0 -1
  270. /package/dist/{actions-virtual-module-HWNTIEPI.js.map → actions-virtual-module-IY46EEEX.js.map} +0 -0
  271. /package/dist/{actions-virtual-module-SEIPACG5.js.map → actions-virtual-module-XNHDNCZ6.js.map} +0 -0
  272. /package/dist/{aws-lambda-XYCGZH3I.js.map → aws-lambda-GKSTX6HD.js.map} +0 -0
  273. /package/dist/{bun-K73TQEWC.js.map → bun-ISHSNFIO.js.map} +0 -0
  274. /package/dist/{check-PZR67OY5.js.map → check-NXYPLM6M.js.map} +0 -0
  275. /package/dist/{dispatcher-AQJGI3HU.js.map → chunk-E3JH6YUM.js.map} +0 -0
  276. /package/dist/{node-3APTLGWB.js.map → chunk-JHEAWR3L.js.map} +0 -0
  277. /package/dist/{chunk-ZJW5FFYJ.js.map → chunk-LC5PYNJP.js.map} +0 -0
  278. /package/dist/{chunk-2VQKDRVF.js.map → chunk-MR7OLIC6.js.map} +0 -0
  279. /package/dist/{scan-C2BOKLSY.js.map → chunk-NPMCKOX4.js.map} +0 -0
  280. /package/dist/{chunk-B6RP57M3.js.map → chunk-OLPB36O2.js.map} +0 -0
  281. /package/dist/{chunk-OXIQI2XZ.js.map → chunk-VBZCVFSA.js.map} +0 -0
  282. /package/dist/{chunk-TRH2L3FI.js.map → chunk-WEGALZEU.js.map} +0 -0
  283. /package/dist/{cloudflare-LCAOTRYZ.js.map → cloudflare-OJGJ7R2D.js.map} +0 -0
  284. /package/dist/{schema-VR6YNVLQ.js.map → cookies-MJKMGJ7N.js.map} +0 -0
  285. /package/dist/{deno-deploy-ZN4RE5HF.js.map → deno-deploy-BHWKFTOW.js.map} +0 -0
  286. /package/dist/{dev-266MVCVA.js.map → dev-MJVSRZGF.js.map} +0 -0
  287. /package/dist/{dev-emit-NO6OZJOQ.js.map → dev-emit-HHP2XJXE.js.map} +0 -0
  288. /package/dist/{vite-plugin-IK3NOWXS.js.map → dispatcher-63LBXYLE.js.map} +0 -0
  289. /package/dist/{info-FJ4NXKTB.js.map → info-47VB62MV.js.map} +0 -0
  290. /package/dist/{netlify-5VQ22Z2P.js.map → netlify-GSNSJGMN.js.map} +0 -0
  291. /package/dist/{openapi-FNVSWZOL.js.map → openapi-NFLSNNVQ.js.map} +0 -0
  292. /package/dist/{registry-4MZ26TZD.js.map → registry-QHEZ3BWB.js.map} +0 -0
  293. /package/dist/{routes-H4SPLFHJ.js.map → routes-3A4XGIEJ.js.map} +0 -0
  294. /package/dist/{services-typed-client-XWYYBWGW.js.map → services-typed-client-KK6RHRDG.js.map} +0 -0
  295. /package/dist/{services-typed-client-ZX5JUHH3.js.map → services-typed-client-T7M5VPBP.js.map} +0 -0
  296. /package/dist/{static-TZBVBDTB.js.map → static-QI5NQT2X.js.map} +0 -0
  297. /package/dist/{vercel-MWW24ABC.js.map → vercel-TKPZK62A.js.map} +0 -0
@@ -0,0 +1,48 @@
1
+ import {
2
+ ConsoleObservabilityAdapter,
3
+ NoopObservabilityAdapter,
4
+ NoopSpan,
5
+ SpanImpl,
6
+ TheoCloudObservabilityAdapter,
7
+ createObservabilityPlugin,
8
+ defineObservabilityAdapter,
9
+ resolveAdapter,
10
+ serializeSpansToOtlp
11
+ } from "../../chunk-KI7OWQUX.js";
12
+ import {
13
+ findSuggestion,
14
+ levenshtein
15
+ } from "../../chunk-5QW7IQQU.js";
16
+ import {
17
+ _resetWarnOnceForTests,
18
+ createLogger,
19
+ logRequest,
20
+ warnOnce
21
+ } from "../../chunk-Z5IGLBWE.js";
22
+ import {
23
+ JsonStdoutSink,
24
+ createNoOpLogger,
25
+ safeAudit
26
+ } from "../../chunk-UD3LFGDL.js";
27
+ import "../../chunk-DGUM43GV.js";
28
+ export {
29
+ ConsoleObservabilityAdapter,
30
+ JsonStdoutSink,
31
+ NoopObservabilityAdapter,
32
+ NoopSpan,
33
+ SpanImpl,
34
+ TheoCloudObservabilityAdapter,
35
+ _resetWarnOnceForTests,
36
+ createLogger,
37
+ createNoOpLogger,
38
+ createObservabilityPlugin,
39
+ defineObservabilityAdapter,
40
+ findSuggestion,
41
+ levenshtein,
42
+ logRequest,
43
+ resolveAdapter,
44
+ safeAudit,
45
+ serializeSpansToOtlp,
46
+ warnOnce
47
+ };
48
+ //# sourceMappingURL=index.js.map
@@ -0,0 +1 @@
1
+ {"version":3,"sources":[],"sourcesContent":[],"mappings":"","names":[]}
@@ -0,0 +1,17 @@
1
+ import { P as PluginRunner } from '../../plugin-runner-BGBkzgi0.js';
2
+ export { D as DuplicateDecorationError, a as DuplicatePluginError } from '../../plugin-runner-BGBkzgi0.js';
3
+ import '../../plugin-types-DNJGxr4Z.js';
4
+ import 'node:http';
5
+
6
+ declare class InvalidPluginShapeError extends Error {
7
+ constructor(index: number, reason: string);
8
+ }
9
+ /**
10
+ * Build a PluginRunner from a list of plugins typically declared in
11
+ * `theo.config.ts` under the `plugins` field. Returns `undefined` when no
12
+ * plugins are configured so callers can pass `undefined` to `executeRoute`
13
+ * and preserve the zero-overhead path.
14
+ */
15
+ declare function createPluginRunnerFromConfig(plugins: unknown): Promise<PluginRunner | undefined>;
16
+
17
+ export { InvalidPluginShapeError, PluginRunner, createPluginRunnerFromConfig };
@@ -0,0 +1,17 @@
1
+ import "../../chunk-NPMCKOX4.js";
2
+ import {
3
+ DuplicateDecorationError,
4
+ DuplicatePluginError,
5
+ InvalidPluginShapeError,
6
+ PluginRunner,
7
+ createPluginRunnerFromConfig
8
+ } from "../../chunk-IAJ2JVEH.js";
9
+ import "../../chunk-DGUM43GV.js";
10
+ export {
11
+ DuplicateDecorationError,
12
+ DuplicatePluginError,
13
+ InvalidPluginShapeError,
14
+ PluginRunner,
15
+ createPluginRunnerFromConfig
16
+ };
17
+ //# sourceMappingURL=index.js.map
@@ -0,0 +1 @@
1
+ {"version":3,"sources":[],"sourcesContent":[],"mappings":"","names":[]}
@@ -0,0 +1,105 @@
1
+ import { R as RateLimitConfig, a as RateLimitResult } from '../../rate-limit-BdNDZ3vt.js';
2
+ export { c as createRateLimiter, b as createRateLimiterWeb } from '../../rate-limit-BdNDZ3vt.js';
3
+ import { R as RateLimitStore } from '../../rate-limit-store-BEJnhWdw.js';
4
+ export { I as InMemoryStore, a as RateLimitState } from '../../rate-limit-store-BEJnhWdw.js';
5
+ import { IncomingMessage } from 'node:http';
6
+
7
+ /**
8
+ * T2.2 — Per-route + per-user rate limiting.
9
+ *
10
+ * Layered on top of `rate-limit-store.ts`. The route map allows
11
+ * declarative policies ("strict /api/login, loose everything else")
12
+ * driven by config, not handler-decorated. `keyBy` selects what
13
+ * identifier the limiter buckets on.
14
+ *
15
+ * ADR D2: per-route via path matching, NOT per-handler decorator.
16
+ * Operators can tune policies without touching route definitions.
17
+ */
18
+ type KeyByMode = 'ip' | 'session' | 'user' | ((req: IncomingMessage) => string);
19
+ interface RouteRateLimitConfig {
20
+ /** Fallback config used when no per-route entry matches. */
21
+ default?: RateLimitConfig;
22
+ /** Map of path pattern → config. Exact-string keys (RegExp via API). */
23
+ routes?: Record<string, RateLimitConfig>;
24
+ /** Same as `routes` but each entry is a [pattern, config] tuple, RegExp allowed. */
25
+ routePatterns?: readonly [string | RegExp, RateLimitConfig][];
26
+ /** Bucket identifier strategy. Default 'ip'. */
27
+ keyBy?: KeyByMode;
28
+ /** Cookie name used by keyBy='session'. Defaults to 'theo_session'. */
29
+ cookieName?: string;
30
+ /** Optional shared store (for multi-route correlation). Default per-limiter InMemoryStore. */
31
+ store?: RateLimitStore;
32
+ }
33
+ /**
34
+ * Test whether `path` matches `pattern`. String patterns are compared
35
+ * after trailing-slash normalization (EC-5). RegExp uses `.test` after
36
+ * resetting `lastIndex` (defensive against `/g` flag).
37
+ */
38
+ declare function matchRoutePattern(path: string, pattern: string | RegExp): boolean;
39
+ /**
40
+ * Build the rate-limit bucket key for the request based on `keyBy`.
41
+ *
42
+ * EC-6: session mode reads the configured `cookieName`. With the wrong
43
+ * cookie name (e.g., default 'theo_session' but app uses 'app_session'),
44
+ * we fall back to IP so anonymous users still get rate-limited rather
45
+ * than sharing an empty bucket.
46
+ */
47
+ declare function deriveKey(req: IncomingMessage, keyBy: KeyByMode, cookieName: string): Promise<string>;
48
+ /**
49
+ * Per-route rate limiter factory. Returns a sync checker compatible with
50
+ * the existing api-middleware shape.
51
+ *
52
+ * Backwards-compatibility (ADR D2): a flat `{ windowMs, max }` config is
53
+ * accepted and treated as `default` (no per-route variants).
54
+ */
55
+ declare function createRouteRateLimiter(config: RouteRateLimitConfig | RateLimitConfig): (req: IncomingMessage) => Promise<RateLimitResult>;
56
+ /**
57
+ * T5a.2 Phase D slice 1/3 — Web-Standards rate-limiter inputs context.
58
+ *
59
+ * Web `Request` has no equivalent of `req.socket.remoteAddress` (Node
60
+ * runtime concept) or `req.user` (set by upstream middleware). The
61
+ * Web-shaped rate-limiter requires the caller to pass these explicitly:
62
+ *
63
+ * - `clientIp` — resolved per-runtime (Node: `socket.remoteAddress`;
64
+ * CF Workers: `request.headers.get('cf-connecting-ip')`; Vercel:
65
+ * `x-forwarded-for` first hop; Bun/Deno: adapter-specific).
66
+ * - `userId` — resolved by auth middleware (Phase D slice 3/3 ships
67
+ * the Web-shaped session helper).
68
+ *
69
+ * Defaults: `clientIp = 'unknown'`, `userId = undefined` (matches the
70
+ * IncomingMessage path's fallback semantics).
71
+ */
72
+ interface DeriveKeyRequestContext {
73
+ clientIp?: string;
74
+ userId?: string;
75
+ }
76
+ /**
77
+ * T5a.2 Phase D slice 1/3 — Web-Standards-shaped key derivation.
78
+ *
79
+ * Mirror of `deriveKey(req: IncomingMessage, keyBy, cookieName)` for the
80
+ * Web `Request` shape. Same `'ip' | 'session' | 'user'` enum cases (the
81
+ * `function` callback case is IncomingMessage-only because the existing
82
+ * `KeyByMode` callback type is Node-shaped; Web callers use the enum
83
+ * cases or call a future `KeyByModeWeb` shape — out of T5a.2 Phase D scope).
84
+ *
85
+ * Uses `getCookieFromRequest` (Phase B slice 6/6) for session-mode cookie
86
+ * lookup. Cookie parsing has the same CR-009 percent-encoding safety.
87
+ */
88
+ declare function deriveKeyFromRequest(request: Request, keyBy: Exclude<KeyByMode, (req: IncomingMessage) => string>, cookieName: string, ctx?: DeriveKeyRequestContext): Promise<string>;
89
+ /**
90
+ * T5a.2 Phase D slice 1/3 — Web-Standards rate-limiter factory.
91
+ *
92
+ * Mirror of `createRouteRateLimiter(config)` returning a checker that
93
+ * accepts `(request: Request, ctx?: DeriveKeyRequestContext)` instead of
94
+ * `(req: IncomingMessage)`. Same `RouteRateLimitConfig` accepted; same
95
+ * `keyBy` enum cases; same `InMemoryStore` constraint (CR-005 guard).
96
+ *
97
+ * Same returned `RateLimitResult` shape (headers + limited boolean).
98
+ *
99
+ * Web `Request` has no `req.url` path-only property — uses
100
+ * `new URL(request.url).pathname + search` to derive the URL the way the
101
+ * IncomingMessage path's `req.url ?? ''` would.
102
+ */
103
+ declare function createRouteRateLimiterWeb(config: RouteRateLimitConfig | RateLimitConfig): (request: Request, ctx?: DeriveKeyRequestContext) => Promise<RateLimitResult>;
104
+
105
+ export { type DeriveKeyRequestContext, type KeyByMode, RateLimitConfig, RateLimitResult, RateLimitStore, type RouteRateLimitConfig, createRouteRateLimiter, createRouteRateLimiterWeb, deriveKey, deriveKeyFromRequest, matchRoutePattern };
@@ -0,0 +1,25 @@
1
+ import {
2
+ createRouteRateLimiter,
3
+ createRouteRateLimiterWeb,
4
+ deriveKey,
5
+ deriveKeyFromRequest,
6
+ matchRoutePattern
7
+ } from "../../chunk-ASDXVRJD.js";
8
+ import {
9
+ InMemoryStore,
10
+ createRateLimiter,
11
+ createRateLimiterWeb
12
+ } from "../../chunk-VMEWD57H.js";
13
+ import "../../chunk-ZJQ4O76G.js";
14
+ import "../../chunk-DGUM43GV.js";
15
+ export {
16
+ InMemoryStore,
17
+ createRateLimiter,
18
+ createRateLimiterWeb,
19
+ createRouteRateLimiter,
20
+ createRouteRateLimiterWeb,
21
+ deriveKey,
22
+ deriveKeyFromRequest,
23
+ matchRoutePattern
24
+ };
25
+ //# sourceMappingURL=index.js.map
@@ -0,0 +1 @@
1
+ {"version":3,"sources":[],"sourcesContent":[],"mappings":"","names":[]}
@@ -0,0 +1,15 @@
1
+ import { b as WebSocketLike } from '../../define-websocket-CdK94O-D.js';
2
+ import 'node:http';
3
+
4
+ declare class ChannelManager {
5
+ private rooms;
6
+ private wsRooms;
7
+ subscribe(ws: WebSocketLike, room: string): void;
8
+ unsubscribe(ws: WebSocketLike, room: string): void;
9
+ broadcast(room: string, data: unknown, exclude?: WebSocketLike): void;
10
+ broadcastAll(data: unknown): void;
11
+ getRoomSize(room: string): number;
12
+ cleanup(ws: WebSocketLike): void;
13
+ }
14
+
15
+ export { ChannelManager };
@@ -0,0 +1,8 @@
1
+ import {
2
+ ChannelManager
3
+ } from "../../chunk-NM4WF3XD.js";
4
+ import "../../chunk-DGUM43GV.js";
5
+ export {
6
+ ChannelManager
7
+ };
8
+ //# sourceMappingURL=index.js.map
@@ -0,0 +1 @@
1
+ {"version":3,"sources":[],"sourcesContent":[],"mappings":"","names":[]}
@@ -0,0 +1,106 @@
1
+ import { S as ServerRouteNode } from '../../module-loader-Cfz7dgCP.js';
2
+ export { L as LoadModule, c as compilePattern, a as createProductionLoader, b as createViteLoader, m as matchRoute } from '../../module-loader-Cfz7dgCP.js';
3
+ import 'vite';
4
+
5
+ declare function scanServerRoutes(serverDir: string): ServerRouteNode[];
6
+
7
+ interface ActionNode {
8
+ filePath: string;
9
+ actionPath: string;
10
+ }
11
+ /**
12
+ * Enriched manifest entry per plan g3-server-actions-and-useaction v1.2
13
+ * § Phase 1 / T1.4 + ADR D4. Consumed by virtual module `@theo/actions`
14
+ * (T3.1) and G4 devtools "Actions" tab (T5.1).
15
+ */
16
+ interface ActionManifestEntry {
17
+ name: string;
18
+ filePath: string;
19
+ urlPath: string;
20
+ accept: 'form' | 'json';
21
+ hasInput: boolean;
22
+ /**
23
+ * P#4 plugin-forms shared-schema convention (per plan p4-plugin-forms v1.1 T1.1).
24
+ * When present, points to an isomorphic schema file at
25
+ * `<serverDir>/actions/schemas/<basename>.ts` exporting `export const schema = z.object(...)`.
26
+ * Virtual module emits `import {schema} from '<schemaFilePath>'` + attaches as
27
+ * `actions.X.__zodSchema` so client-side <TheoForm> can drive zodResolver.
28
+ * Undefined when convention not followed (graceful degrade — TheoForm still
29
+ * works via explicit `schema={...}` prop escape hatch).
30
+ */
31
+ schemaFilePath?: string;
32
+ }
33
+ /**
34
+ * EC-2: structured error for scan-time defects (name collision, reserved
35
+ * identifier, etc.). Throw at scan time to fail loud — silent shadowing is
36
+ * a security/correctness footgun.
37
+ */
38
+ declare class ActionScanError extends Error {
39
+ readonly code: 'NAME_COLLISION' | 'RESERVED_NAME';
40
+ readonly conflictingPaths: readonly string[];
41
+ constructor(code: 'NAME_COLLISION' | 'RESERVED_NAME', message: string, conflictingPaths: readonly string[]);
42
+ }
43
+ /**
44
+ * Backward-compatible: original simple-shape scanner used by existing
45
+ * consumers. Preserved verbatim; new consumers should call
46
+ * `scanServerActionsEnriched`.
47
+ */
48
+ declare function scanServerActions(serverDir: string): ActionNode[];
49
+ /**
50
+ * Enriched scan: light AST detection of `accept: 'form'|'json'` + `input:`
51
+ * presence via regex-after-comment-stripping (EC-9). Throws ActionScanError
52
+ * on file/dir name collision (EC-2) or reserved JS identifier names.
53
+ *
54
+ * Output `ActionManifestEntry[]` is sorted by `name` for deterministic
55
+ * `.theo/actions-manifest.json` emission.
56
+ */
57
+ declare function scanServerActionsEnriched(serverDir: string): ActionManifestEntry[];
58
+
59
+ interface WebSocketRouteNode {
60
+ filePath: string;
61
+ wsPath: string;
62
+ }
63
+ declare function scanWebSocketRoutes(serverDir: string): WebSocketRouteNode[];
64
+
65
+ /**
66
+ * Scan the server/middleware/ directory for middleware files.
67
+ * Files are returned sorted alphabetically — use numeric prefixes
68
+ * (e.g. 01-cors.ts, 02-auth.ts) to control execution order.
69
+ *
70
+ * Files starting with '_' or '.' are ignored (helpers, hidden files).
71
+ */
72
+ declare function scanMiddlewares(serverDir: string): string[];
73
+
74
+ interface ManifestRoute {
75
+ filePath: string;
76
+ routePath: string;
77
+ paramNames: string[];
78
+ /** HTTP methods (uppercase) the route file exports. Optional — manifests
79
+ * generated before G1 omit this; loaders treat absence as "unknown". */
80
+ methods?: string[];
81
+ }
82
+ interface ManifestAction {
83
+ filePath: string;
84
+ actionPath: string;
85
+ }
86
+ interface ManifestWebSocket {
87
+ filePath: string;
88
+ wsPath: string;
89
+ }
90
+ interface TheoManifest {
91
+ version: 1;
92
+ generatedAt: string;
93
+ routes: ManifestRoute[];
94
+ actions: ManifestAction[];
95
+ websockets: ManifestWebSocket[];
96
+ }
97
+ interface LoadedManifest {
98
+ routes: ServerRouteNode[];
99
+ actions: ActionNode[];
100
+ websockets: WebSocketRouteNode[];
101
+ }
102
+ declare function generateManifest(serverDir: string): TheoManifest;
103
+ declare function writeManifest(manifest: TheoManifest, outputDir: string): void;
104
+ declare function loadManifest(distDir: string, serverDir: string): LoadedManifest;
105
+
106
+ export { type ActionManifestEntry, type ActionNode, ActionScanError, type LoadedManifest, type ManifestAction, type ManifestRoute, type ManifestWebSocket, ServerRouteNode, type TheoManifest, type WebSocketRouteNode, generateManifest, loadManifest, scanMiddlewares, scanServerActions, scanServerActionsEnriched, scanServerRoutes, scanWebSocketRoutes, writeManifest };
@@ -0,0 +1,43 @@
1
+ import "../../chunk-E3JH6YUM.js";
2
+ import {
3
+ generateManifest,
4
+ loadManifest,
5
+ writeManifest
6
+ } from "../../chunk-MR7OLIC6.js";
7
+ import {
8
+ createProductionLoader,
9
+ createViteLoader
10
+ } from "../../chunk-JQSKBMXP.js";
11
+ import {
12
+ compilePattern,
13
+ matchRoute,
14
+ scanServerRoutes,
15
+ scanWebSocketRoutes
16
+ } from "../../chunk-OLPB36O2.js";
17
+ import {
18
+ ActionScanError,
19
+ scanServerActions,
20
+ scanServerActionsEnriched
21
+ } from "../../chunk-R7OC6UDK.js";
22
+ import "../../chunk-WSJKACWB.js";
23
+ import "../../chunk-X2VVCJ4V.js";
24
+ import {
25
+ scanMiddlewares
26
+ } from "../../chunk-ZEGYW52B.js";
27
+ import "../../chunk-DGUM43GV.js";
28
+ export {
29
+ ActionScanError,
30
+ compilePattern,
31
+ createProductionLoader,
32
+ createViteLoader,
33
+ generateManifest,
34
+ loadManifest,
35
+ matchRoute,
36
+ scanMiddlewares,
37
+ scanServerActions,
38
+ scanServerActionsEnriched,
39
+ scanServerRoutes,
40
+ scanWebSocketRoutes,
41
+ writeManifest
42
+ };
43
+ //# sourceMappingURL=index.js.map
@@ -0,0 +1 @@
1
+ {"version":3,"sources":[],"sourcesContent":[],"mappings":"","names":[]}
@@ -0,0 +1,193 @@
1
+ import { ServerResponse, IncomingMessage } from 'node:http';
2
+ import { A as AuditLogger } from '../../audit-log-BQWM5YLG.js';
3
+ export { C as CSRF_WARN_CODE, a as CSRF_WARN_DOCS_URL, b as CsrfLogger, c as CsrfMode, d as CsrfWarnPayload, D as DisallowedConfig, e as enforceCsrf, m as matchDisallowed, v as validateCsrf, f as validateCsrfRequest } from '../../csrf-BBrEZSBW.js';
4
+ import { C as CsrfReadinessStore } from '../../csrf-readiness-store-CjIoub3U.js';
5
+ export { a as CsrfReadinessRouteSummary, b as CsrfReadinessSummary, c as CsrfWarnRecord } from '../../csrf-readiness-store-CjIoub3U.js';
6
+
7
+ /**
8
+ * Phase 6 — Default Security Headers (D4 / EC-2).
9
+ *
10
+ * Per-response security baseline. The framework applies these BEFORE the
11
+ * route handler runs so a handler can still override via `res.setHeader`.
12
+ *
13
+ * EC-2 backward-compatibility: CSP ships in `report-only` mode by default
14
+ * for 0.2.0. Existing apps with inline scripts or third-party CDN scripts
15
+ * keep working but consumers see violation reports via their CSP report
16
+ * collector (or browser DevTools). 0.3.0 will flip the default to
17
+ * `enforce` after a release of visibility.
18
+ */
19
+ /**
20
+ * Default Content-Security-Policy. Conservative-but-not-paralyzing:
21
+ *
22
+ * - default-src 'self' — every fetch falls back to same-origin
23
+ * - script-src 'self' — T6.1 (0.3.0): `'unsafe-inline'`
24
+ * dropped. The SSR pipeline issues a
25
+ * per-request nonce that REPLACES
26
+ * this directive at runtime
27
+ * (`'nonce-<token>'`). For static /
28
+ * non-SSR contexts where no nonce is
29
+ * available, the policy is strict-
30
+ * no-inline — user inline scripts
31
+ * must be migrated to external
32
+ * `<script src="...">` or threaded
33
+ * through `ctx.nonce`.
34
+ * - style-src 'self' 'unsafe-inline' — Tailwind + TheoUI use style attrs
35
+ * in animation directives
36
+ * - img-src 'self' data: blob: — supports inline data URIs, blobs
37
+ * from canvas exports
38
+ * - font-src 'self' data: — Geist fonts inline-base64
39
+ * - connect-src 'self' ws: wss: — WebSocket dev HMR + agent streams
40
+ * - frame-ancestors 'none' — clickjacking defense
41
+ */
42
+ /**
43
+ * T5.1 — default CSP includes the built-in report endpoint so violations
44
+ * are visible without extra config. Apps that ship a custom `csp` string
45
+ * override the report-uri.
46
+ */
47
+ declare const DEFAULT_CSP: string;
48
+ /**
49
+ * T1.1 — Default Permissions-Policy header (default-deny stance).
50
+ *
51
+ * Disables sensitive Web APIs that the vast majority of apps don't use.
52
+ * Apps that DO need any of these opt in by overriding `permissionsPolicy`
53
+ * in `config.security.headers`.
54
+ *
55
+ * The seven features listed are the most-abused for: tracking
56
+ * (geolocation, accelerometer, gyroscope), spyware (camera, microphone),
57
+ * fraud (payment), and hardware exfiltration (usb).
58
+ *
59
+ * Aligns with Mozilla baseline + OWASP Secure Headers + Lighthouse PWA.
60
+ */
61
+ declare const DEFAULT_PERMISSIONS_POLICY = "geolocation=(), camera=(), microphone=(), payment=(), usb=(), accelerometer=(), gyroscope=()";
62
+ type CspMode = 'enforce' | 'report-only' | 'off';
63
+ interface SecurityHeadersConfig {
64
+ /**
65
+ * Custom CSP policy string. When set, replaces the default verbatim.
66
+ * Pass `false` to disable CSP entirely (alias for `cspMode: 'off'`).
67
+ */
68
+ csp?: string | false;
69
+ /**
70
+ * Enforcement mode for CSP. Default `report-only` for 0.2.0 (EC-2).
71
+ * 0.3.0 will default to `enforce`.
72
+ */
73
+ cspMode?: CspMode;
74
+ /**
75
+ * Strict-Transport-Security value. Defaults to
76
+ * `max-age=31536000; includeSubDomains` in production. Pass `false` to
77
+ * suppress (e.g. internal LANs without TLS).
78
+ */
79
+ hsts?: string | false;
80
+ /** X-Frame-Options. Default DENY. */
81
+ frameOptions?: 'DENY' | 'SAMEORIGIN';
82
+ /** X-Content-Type-Options. Default `nosniff`. */
83
+ contentTypeOptions?: 'nosniff';
84
+ /** Referrer-Policy. Default `strict-origin-when-cross-origin`. */
85
+ referrerPolicy?: string;
86
+ /**
87
+ * T1.1 — Permissions-Policy directive string. When set, replaces the
88
+ * default verbatim (no merge — see ADR-EC-12). Pass `false` to disable
89
+ * the header entirely. Schema-level refinement rejects any string
90
+ * containing CR/LF (EC-3 — CWE-113 HTTP Response Splitting mitigation).
91
+ */
92
+ permissionsPolicy?: string | false;
93
+ }
94
+ interface SecurityEnv {
95
+ production: boolean;
96
+ }
97
+ /**
98
+ * T4.1 — Per-request options passed by the SSR pipeline.
99
+ *
100
+ * - `nonce`: when set, the framework substitutes the `'unsafe-inline'`
101
+ * token in `script-src` with `'nonce-<nonce>'`. EC-3 forces
102
+ * `Cache-Control: private, no-store` so a CDN cannot cache the HTML
103
+ * (carrying one nonce) and re-serve it with a freshly-generated CSP
104
+ * header (carrying a different nonce).
105
+ * - `prerender`: when true, the nonce is IGNORED. Prerendered HTML is
106
+ * generated at build time with no nonce in the script tags; mixing a
107
+ * runtime nonce in the header would block every script. EC-4.
108
+ */
109
+ interface SecurityHeadersOptions {
110
+ nonce?: string;
111
+ prerender?: boolean;
112
+ }
113
+ /**
114
+ * Build the security headers map for a given config + env. Pure function —
115
+ * returned object can be inspected, logged, or applied to a response.
116
+ */
117
+ declare function buildSecurityHeaders(config: SecurityHeadersConfig, env: SecurityEnv, options?: SecurityHeadersOptions): Record<string, string>;
118
+ /**
119
+ * Apply security headers to a Node ServerResponse. Called by the
120
+ * api-middleware before the route handler runs. The handler can override
121
+ * any header via `res.setHeader()` — last write wins by Node convention.
122
+ */
123
+ declare function applySecurityHeaders(res: ServerResponse, config: SecurityHeadersConfig, env: SecurityEnv, options?: SecurityHeadersOptions): void;
124
+
125
+ /**
126
+ * T5.1 — Built-in CSP report endpoint.
127
+ *
128
+ * Browsers POST violation reports to `report-uri` (legacy `application/csp-report`)
129
+ * or `Reporting API` (`application/reports+json`). Framework auto-registers this
130
+ * endpoint so `cspMode: 'report-only'` is actually useful out of the box.
131
+ *
132
+ * Forwards normalized violations to:
133
+ * - audit logger (`csp.violation`)
134
+ * - devtools dispatcher (dev only, for Errors tab)
135
+ * - optional user hook (Sentry, etc.)
136
+ *
137
+ * EC-2: browser MAY send `{"csp-report": null}`, empty `{}`, or
138
+ * reports+json entries lacking `body`. Handler MUST short-circuit to
139
+ * 204 (valid format, no violation), NEVER crash via null deref.
140
+ */
141
+ declare const CSP_REPORT_PATH = "/__theo/csp-report";
142
+ interface CspViolation {
143
+ blockedUrl: string;
144
+ documentUrl: string;
145
+ violatedDirective: string;
146
+ effectiveDirective?: string;
147
+ originalPolicy?: string;
148
+ disposition?: 'enforce' | 'report';
149
+ statusCode?: number;
150
+ sourceFile?: string;
151
+ lineNumber?: number;
152
+ columnNumber?: number;
153
+ }
154
+ interface CspReportHandlerOptions {
155
+ auditLogger?: AuditLogger;
156
+ devtoolsDispatcher?: {
157
+ onCspViolation?: (v: CspViolation) => void;
158
+ };
159
+ /** Optional user-provided sink (Sentry, custom log router). Errors here are swallowed. */
160
+ onViolation?: (v: CspViolation) => void;
161
+ }
162
+ declare function normalizeLegacy(raw: Record<string, unknown>): CspViolation;
163
+ /**
164
+ * Map a `reports+json` entry to the internal shape. Returns `null` if
165
+ * the entry lacks a usable `body` object (EC-2).
166
+ */
167
+ declare function normalizeNew(entry: unknown): CspViolation | null;
168
+ declare function handleCspReport(req: IncomingMessage, res: ServerResponse, opts: CspReportHandlerOptions): Promise<void>;
169
+ declare function handleCspReportRequest(request: Request, opts: CspReportHandlerOptions): Promise<Response>;
170
+
171
+ /**
172
+ * T2.2 — `/__theo/csrf-readiness` endpoint.
173
+ *
174
+ * GET /__theo/csrf-readiness → 200 + JSON summary
175
+ * POST /__theo/csrf-readiness/reset → 204; clears the store
176
+ *
177
+ * The reset endpoint enforces CSRF (own dog food) — requires
178
+ * `X-Theo-Action: 1` AND a matching Origin header (EC-15). This avoids
179
+ * the endpoint being weaponizable from a cross-origin page when the
180
+ * endpoint is opt-in exposed in production.
181
+ *
182
+ * Mount opt-in: in dev mode, the host wires this in unconditionally. In
183
+ * production, only mount when `config.security.csrfTelemetry.exposeReadinessEndpoint === true`.
184
+ * EC-10 parallel: returns 404 (via boolean false return) when the URL
185
+ * does not match — the caller continues normal request handling.
186
+ */
187
+
188
+ declare const CSRF_READINESS_PATH = "/__theo/csrf-readiness";
189
+ declare const CSRF_READINESS_RESET_PATH = "/__theo/csrf-readiness/reset";
190
+ declare function handleCsrfReadiness(req: IncomingMessage, res: ServerResponse, store: CsrfReadinessStore): Promise<boolean>;
191
+ declare function handleCsrfReadinessRequest(request: Request, store: CsrfReadinessStore): Promise<Response | null>;
192
+
193
+ export { CSP_REPORT_PATH, CSRF_READINESS_PATH, CSRF_READINESS_RESET_PATH, type CspMode, type CspReportHandlerOptions, type CspViolation, CsrfReadinessStore, DEFAULT_CSP, DEFAULT_PERMISSIONS_POLICY, type SecurityEnv, type SecurityHeadersConfig, type SecurityHeadersOptions, applySecurityHeaders, buildSecurityHeaders, handleCspReport, handleCspReportRequest, handleCsrfReadiness, handleCsrfReadinessRequest, normalizeLegacy, normalizeNew };
@@ -0,0 +1,50 @@
1
+ import "../../chunk-JHEAWR3L.js";
2
+ import {
3
+ CSP_REPORT_PATH,
4
+ CSRF_READINESS_PATH,
5
+ CSRF_READINESS_RESET_PATH,
6
+ CsrfReadinessStore,
7
+ DEFAULT_CSP,
8
+ DEFAULT_PERMISSIONS_POLICY,
9
+ applySecurityHeaders,
10
+ buildSecurityHeaders,
11
+ handleCspReport,
12
+ handleCspReportRequest,
13
+ handleCsrfReadiness,
14
+ handleCsrfReadinessRequest,
15
+ normalizeLegacy,
16
+ normalizeNew
17
+ } from "../../chunk-B3L3TJVF.js";
18
+ import {
19
+ CSRF_WARN_CODE,
20
+ CSRF_WARN_DOCS_URL,
21
+ enforceCsrf,
22
+ matchDisallowed,
23
+ validateCsrf,
24
+ validateCsrfRequest
25
+ } from "../../chunk-TSLSIRBR.js";
26
+ import "../../chunk-UD3LFGDL.js";
27
+ import "../../chunk-DGUM43GV.js";
28
+ export {
29
+ CSP_REPORT_PATH,
30
+ CSRF_READINESS_PATH,
31
+ CSRF_READINESS_RESET_PATH,
32
+ CSRF_WARN_CODE,
33
+ CSRF_WARN_DOCS_URL,
34
+ CsrfReadinessStore,
35
+ DEFAULT_CSP,
36
+ DEFAULT_PERMISSIONS_POLICY,
37
+ applySecurityHeaders,
38
+ buildSecurityHeaders,
39
+ enforceCsrf,
40
+ handleCspReport,
41
+ handleCspReportRequest,
42
+ handleCsrfReadiness,
43
+ handleCsrfReadinessRequest,
44
+ matchDisallowed,
45
+ normalizeLegacy,
46
+ normalizeNew,
47
+ validateCsrf,
48
+ validateCsrfRequest
49
+ };
50
+ //# sourceMappingURL=index.js.map
@@ -0,0 +1 @@
1
+ {"version":3,"sources":[],"sourcesContent":[],"mappings":"","names":[]}