theokit 0.4.0-beta.0 → 0.5.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/{actions-virtual-module-HWNTIEPI.js → actions-virtual-module-IY46EEEX.js} +2 -2
- package/dist/{actions-virtual-module-SEIPACG5.js → actions-virtual-module-XNHDNCZ6.js} +2 -2
- package/dist/add-2ZFFGGE4.js +0 -0
- package/dist/{app-typed-client-ITIYTBXO.js → app-typed-client-OUJO3V5J.js} +10 -5
- package/dist/{app-typed-client-62FYBLVJ.js.map → app-typed-client-OUJO3V5J.js.map} +1 -1
- package/dist/{app-typed-client-62FYBLVJ.js → app-typed-client-YOMWSA3F.js} +11 -6
- package/dist/{app-typed-client-ITIYTBXO.js.map → app-typed-client-YOMWSA3F.js.map} +1 -1
- package/dist/audit-log-BQWM5YLG.d.ts +60 -0
- package/dist/{aws-lambda-XYCGZH3I.js → aws-lambda-GKSTX6HD.js} +3 -3
- package/dist/body-parser-web-MUWBKZ3F.js +70 -0
- package/dist/body-parser-web-MUWBKZ3F.js.map +1 -0
- package/dist/broadcast-QOQGUNNK.js +0 -0
- package/dist/{build-HIGHJQQV.js → build-D4J7XECU.js} +31 -22
- package/dist/build-D4J7XECU.js.map +1 -0
- package/dist/build-request-body-preview-II2235E6.js +0 -0
- package/dist/{bun-K73TQEWC.js → bun-ISHSNFIO.js} +3 -3
- package/dist/{check-PZR67OY5.js → check-NXYPLM6M.js} +2 -2
- package/dist/{chunk-WZ7CPVQB.js → chunk-27LWMYNK.js} +28 -24
- package/dist/chunk-27LWMYNK.js.map +1 -0
- package/dist/{chunk-BIGBFZSU.js → chunk-2F4FROEQ.js} +1689 -1521
- package/dist/chunk-2F4FROEQ.js.map +1 -0
- package/dist/chunk-4HBI7DHP.js +20 -0
- package/dist/chunk-4HBI7DHP.js.map +1 -0
- package/dist/{chunk-X4JAX2U3.js → chunk-4S2UCILN.js} +180 -125
- package/dist/chunk-4S2UCILN.js.map +1 -0
- package/dist/{chunk-C52GSJPF.js → chunk-4S6YHNG2.js} +11 -8
- package/dist/chunk-4S6YHNG2.js.map +1 -0
- package/dist/chunk-5ODOE6EF.js +0 -0
- package/dist/{chunk-KJVEJILQ.js → chunk-5PU65T5W.js} +9 -3
- package/dist/chunk-5PU65T5W.js.map +1 -0
- package/dist/chunk-5QW7IQQU.js +36 -0
- package/dist/chunk-5QW7IQQU.js.map +1 -0
- package/dist/chunk-5Z2727GV.js +1324 -0
- package/dist/chunk-5Z2727GV.js.map +1 -0
- package/dist/{chunk-YLBSSEHX.js → chunk-6NEXVBPY.js} +5 -15
- package/dist/chunk-6NEXVBPY.js.map +1 -0
- package/dist/chunk-7MQOHNHE.js +36 -0
- package/dist/chunk-7MQOHNHE.js.map +1 -0
- package/dist/{chunk-TPCT3MXV.js → chunk-ABVITXFH.js} +405 -272
- package/dist/chunk-ABVITXFH.js.map +1 -0
- package/dist/chunk-ASDXVRJD.js +185 -0
- package/dist/chunk-ASDXVRJD.js.map +1 -0
- package/dist/chunk-B3L3TJVF.js +406 -0
- package/dist/chunk-B3L3TJVF.js.map +1 -0
- package/dist/{chunk-PB4GR7EP.js → chunk-C3ZZ56YZ.js} +1 -18
- package/dist/chunk-C3ZZ56YZ.js.map +1 -0
- package/dist/{chunk-O7335ZGH.js → chunk-CG563V5M.js} +5 -3
- package/dist/chunk-CG563V5M.js.map +1 -0
- package/dist/{chunk-5OFPQK6N.js → chunk-COXLEZCN.js} +2 -1
- package/dist/chunk-COXLEZCN.js.map +1 -0
- package/dist/{chunk-O4BLVPML.js → chunk-DNMSV3R3.js} +22 -28
- package/dist/chunk-DNMSV3R3.js.map +1 -0
- package/dist/chunk-E3JH6YUM.js +1 -0
- package/dist/chunk-ESC54TAK.js +220 -0
- package/dist/chunk-ESC54TAK.js.map +1 -0
- package/dist/chunk-FI7MPTJW.js +77 -0
- package/dist/chunk-FI7MPTJW.js.map +1 -0
- package/dist/chunk-H4J2LECY.js +201 -0
- package/dist/chunk-H4J2LECY.js.map +1 -0
- package/dist/chunk-IAJ2JVEH.js +256 -0
- package/dist/chunk-IAJ2JVEH.js.map +1 -0
- package/dist/{chunk-F3TG5FJV.js → chunk-IEZCAT2I.js} +7 -1
- package/dist/{chunk-F3TG5FJV.js.map → chunk-IEZCAT2I.js.map} +1 -1
- package/dist/chunk-JHEAWR3L.js +1 -0
- package/dist/chunk-JQSKBMXP.js +17 -0
- package/dist/chunk-JQSKBMXP.js.map +1 -0
- package/dist/{chunk-4QTKSLTO.js → chunk-K4M64WD6.js} +9 -5
- package/dist/{chunk-4QTKSLTO.js.map → chunk-K4M64WD6.js.map} +1 -1
- package/dist/chunk-KI7OWQUX.js +293 -0
- package/dist/chunk-KI7OWQUX.js.map +1 -0
- package/dist/chunk-KT3MWNZG.js +0 -0
- package/dist/{chunk-ZJW5FFYJ.js → chunk-LC5PYNJP.js} +2 -2
- package/dist/{chunk-JAAHOGKI.js → chunk-M2EY7KDR.js} +1223 -1124
- package/dist/chunk-M2EY7KDR.js.map +1 -0
- package/dist/{chunk-2VQKDRVF.js → chunk-MR7OLIC6.js} +3 -3
- package/dist/chunk-NM4WF3XD.js +63 -0
- package/dist/chunk-NM4WF3XD.js.map +1 -0
- package/dist/chunk-NPMCKOX4.js +1 -0
- package/dist/{chunk-VRHXOKRP.js → chunk-NZXH2LQQ.js} +86 -83
- package/dist/chunk-NZXH2LQQ.js.map +1 -0
- package/dist/{chunk-B6RP57M3.js → chunk-OLPB36O2.js} +4 -4
- package/dist/chunk-PIVX3DYW.js +142 -0
- package/dist/chunk-PIVX3DYW.js.map +1 -0
- package/dist/{chunk-7TOMTMHT.js → chunk-R7OC6UDK.js} +2 -1
- package/dist/chunk-R7OC6UDK.js.map +1 -0
- package/dist/chunk-RESN62GB.js +269 -0
- package/dist/chunk-RESN62GB.js.map +1 -0
- package/dist/{chunk-64JI5LTO.js → chunk-RMU7EBRO.js} +2 -2
- package/dist/chunk-RMU7EBRO.js.map +1 -0
- package/dist/chunk-TQYSPYKU.js +131 -0
- package/dist/chunk-TQYSPYKU.js.map +1 -0
- package/dist/chunk-TSLSIRBR.js +107 -0
- package/dist/chunk-TSLSIRBR.js.map +1 -0
- package/dist/{chunk-XP7YXRHO.js → chunk-U6TPSW4L.js} +37 -5
- package/dist/chunk-U6TPSW4L.js.map +1 -0
- package/dist/chunk-UD3LFGDL.js +45 -0
- package/dist/chunk-UD3LFGDL.js.map +1 -0
- package/dist/chunk-UUFYP2UM.js +161 -0
- package/dist/chunk-UUFYP2UM.js.map +1 -0
- package/dist/{chunk-OXIQI2XZ.js → chunk-VBZCVFSA.js} +2 -2
- package/dist/chunk-VMEWD57H.js +137 -0
- package/dist/chunk-VMEWD57H.js.map +1 -0
- package/dist/{chunk-TRH2L3FI.js → chunk-WEGALZEU.js} +3 -3
- package/dist/{chunk-ZOXNJV2O.js → chunk-WGHJD6I7.js} +35 -138
- package/dist/chunk-WGHJD6I7.js.map +1 -0
- package/dist/chunk-XMS5VRIK.js +0 -0
- package/dist/chunk-Y4H3JNVK.js +18 -0
- package/dist/chunk-Y4H3JNVK.js.map +1 -0
- package/dist/chunk-Z5IGLBWE.js +329 -0
- package/dist/chunk-Z5IGLBWE.js.map +1 -0
- package/dist/chunk-ZEGYW52B.js +26 -0
- package/dist/chunk-ZEGYW52B.js.map +1 -0
- package/dist/chunk-ZJQ4O76G.js +87 -0
- package/dist/chunk-ZJQ4O76G.js.map +1 -0
- package/dist/cli/index.js +32 -21
- package/dist/cli/index.js.map +1 -1
- package/dist/client/index.d.ts +107 -1
- package/dist/client/index.js +152 -6
- package/dist/client/index.js.map +1 -1
- package/dist/{cloudflare-LCAOTRYZ.js → cloudflare-OJGJ7R2D.js} +3 -3
- package/dist/configure-agent-registry-6YGTJYBC.js +0 -0
- package/dist/cookies-MJKMGJ7N.js +22 -0
- package/dist/csrf-BBrEZSBW.d.ts +107 -0
- package/dist/csrf-readiness-store-CjIoub3U.d.ts +43 -0
- package/dist/define-websocket-CdK94O-D.d.ts +64 -0
- package/dist/{deno-deploy-ZN4RE5HF.js → deno-deploy-BHWKFTOW.js} +3 -3
- package/dist/{dev-266MVCVA.js → dev-MJVSRZGF.js} +11 -11
- package/dist/{dev-emit-RBSFZZNO.js → dev-emit-5VPRCHOD.js} +39 -142
- package/dist/dev-emit-5VPRCHOD.js.map +1 -0
- package/dist/{dev-emit-NO6OZJOQ.js → dev-emit-HHP2XJXE.js} +5 -5
- package/dist/devtools/entry.js +185 -131
- package/dist/devtools/entry.js.map +1 -1
- package/dist/{dispatcher-AQJGI3HU.js → dispatcher-63LBXYLE.js} +2 -2
- package/dist/{dispatcher-E6QV32BO.js → dispatcher-EJME6C6M.js} +5 -2
- package/dist/dispatcher-EJME6C6M.js.map +1 -0
- package/dist/{dist-5V77Z223.js → dist-KRW6OVD4.js} +7 -7
- package/dist/dist-KRW6OVD4.js.map +1 -0
- package/dist/docker-EZDA5FT7.js +0 -0
- package/dist/error-envelope-BsNzzAV5.d.ts +62 -0
- package/dist/{generate-DT4IIAHF.js → generate-AZ2K6Z2Z.js} +75 -2
- package/dist/generate-AZ2K6Z2Z.js.map +1 -0
- package/dist/index-DWWEdFh5.d.ts +399 -0
- package/dist/index.d.ts +161 -1391
- package/dist/index.js +20 -8
- package/dist/index.js.map +1 -1
- package/dist/{info-FJ4NXKTB.js → info-47VB62MV.js} +5 -5
- package/dist/job-backend-CgC8Xf33.d.ts +68 -0
- package/dist/{lib-NL5JXGEB.js → lib-NST3PNZX.js} +31 -31
- package/dist/lib-NST3PNZX.js.map +1 -0
- package/dist/module-loader-Cfz7dgCP.d.ts +26 -0
- package/dist/{netlify-5VQ22Z2P.js → netlify-GSNSJGMN.js} +3 -3
- package/dist/{node-3APTLGWB.js → node-6I5B6RL3.js} +3 -3
- package/dist/node-6I5B6RL3.js.map +1 -0
- package/dist/{openapi-FNVSWZOL.js → openapi-NFLSNNVQ.js} +10 -10
- package/dist/plugin-runner-BGBkzgi0.d.ts +95 -0
- package/dist/plugin-types-DNJGxr4Z.d.ts +79 -0
- package/dist/{proper-lockfile-4Y3DP3RP.js → proper-lockfile-MVKMQGFK.js} +27 -27
- package/dist/proper-lockfile-MVKMQGFK.js.map +1 -0
- package/dist/rate-limit-BdNDZ3vt.d.ts +58 -0
- package/dist/registry-QHEZ3BWB.js +25 -0
- package/dist/router-RGZFX75G.js +0 -0
- package/dist/{routes-H4SPLFHJ.js → routes-3A4XGIEJ.js} +6 -6
- package/dist/{scan-C2BOKLSY.js → scan-NQFI5S7P.js} +2 -2
- package/dist/scan-NQFI5S7P.js.map +1 -0
- package/dist/schema-D3v8VB7o.d.ts +76 -0
- package/dist/{schema-VR6YNVLQ.js → schema-KZVOV333.js} +5 -3
- package/dist/schema-KZVOV333.js.map +1 -0
- package/dist/server/agent/index.d.ts +229 -0
- package/dist/server/agent/index.js +16 -0
- package/dist/server/agent/index.js.map +1 -0
- package/dist/server/auth/index.d.ts +46 -1
- package/dist/server/auth/index.js +10 -3
- package/dist/server/cost/index.d.ts +1 -3
- package/dist/server/cost/index.js +1 -1
- package/dist/server/cron/index.js +4 -2
- package/dist/server/define/index.d.ts +281 -0
- package/dist/server/define/index.js +26 -0
- package/dist/server/define/index.js.map +1 -0
- package/dist/server/http/index.d.ts +10 -0
- package/dist/server/http/index.js +74 -0
- package/dist/server/http/index.js.map +1 -0
- package/dist/server/index.d.ts +151 -1677
- package/dist/server/index.js +558 -1102
- package/dist/server/index.js.map +1 -1
- package/dist/server/jobs/index.d.ts +348 -2
- package/dist/server/jobs/index.js +5 -3
- package/dist/server/observability/index.d.ts +324 -0
- package/dist/server/observability/index.js +48 -0
- package/dist/server/observability/index.js.map +1 -0
- package/dist/server/plugins/index.d.ts +17 -0
- package/dist/server/plugins/index.js +17 -0
- package/dist/server/plugins/index.js.map +1 -0
- package/dist/server/rate-limit/index.d.ts +105 -0
- package/dist/server/rate-limit/index.js +25 -0
- package/dist/server/rate-limit/index.js.map +1 -0
- package/dist/server/realtime/index.d.ts +15 -0
- package/dist/server/realtime/index.js +8 -0
- package/dist/server/realtime/index.js.map +1 -0
- package/dist/server/scan/index.d.ts +106 -0
- package/dist/server/scan/index.js +43 -0
- package/dist/server/scan/index.js.map +1 -0
- package/dist/server/security/index.d.ts +193 -0
- package/dist/server/security/index.js +50 -0
- package/dist/server/security/index.js.map +1 -0
- package/dist/server/storage/index.d.ts +22 -0
- package/dist/server/storage/index.js +14 -0
- package/dist/server/storage/index.js.map +1 -0
- package/dist/server/webhook/index.d.ts +148 -0
- package/dist/server/webhook/index.js +19 -0
- package/dist/server/webhook/index.js.map +1 -0
- package/dist/server-error-to-envelope-NO4CCAFQ.js +8 -0
- package/dist/server-error-to-envelope-NO4CCAFQ.js.map +1 -0
- package/dist/server-error-to-envelope-UJK6OWDJ.js +134 -0
- package/dist/server-error-to-envelope-UJK6OWDJ.js.map +1 -0
- package/dist/server-routes-hmr-GZJGPWMS.js +0 -0
- package/dist/services-json-Z2QNGVPW.js +142 -0
- package/dist/services-json-Z2QNGVPW.js.map +1 -0
- package/dist/{services-typed-client-XWYYBWGW.js → services-typed-client-KK6RHRDG.js} +2 -2
- package/dist/{services-typed-client-ZX5JUHH3.js → services-typed-client-T7M5VPBP.js} +2 -2
- package/dist/{sqlite-vec-ARPNUBWT.js → sqlite-vec-54KB4RD3.js} +2 -2
- package/dist/sqlite-vec-54KB4RD3.js.map +1 -0
- package/dist/{start-HX3QUSOS.js → start-CGSZPBAG.js} +23 -23
- package/dist/start-CGSZPBAG.js.map +1 -0
- package/dist/{static-TZBVBDTB.js → static-QI5NQT2X.js} +6 -6
- package/dist/storage-manager-C4jsO0Tp.d.ts +89 -0
- package/dist/storage-manager-D5KBXXKB.js +0 -0
- package/dist/{storage-types-DtIVejC1.d.ts → storage-types-DsDTCPbp.d.ts} +1 -1
- package/dist/{theo-cloud-3K4DGB3S.js → theo-cloud-RSQCBNXL.js} +4 -4
- package/dist/theo-cloud-RSQCBNXL.js.map +1 -0
- package/dist/upgrade-readiness-GUJBCJIS.js +0 -0
- package/dist/{vercel-MWW24ABC.js → vercel-TKPZK62A.js} +3 -3
- package/dist/vite-plugin/index.d.ts +3 -1
- package/dist/vite-plugin/index.js +20 -8
- package/dist/{vite-plugin-IK3NOWXS.js → vite-plugin-CR4JDFUQ.js} +9 -9
- package/dist/vite-plugin-CR4JDFUQ.js.map +1 -0
- package/package.json +61 -9
- package/LICENSE +0 -201
- package/dist/build-HIGHJQQV.js.map +0 -1
- package/dist/chunk-5OFPQK6N.js.map +0 -1
- package/dist/chunk-64JI5LTO.js.map +0 -1
- package/dist/chunk-7TOMTMHT.js.map +0 -1
- package/dist/chunk-BIGBFZSU.js.map +0 -1
- package/dist/chunk-C52GSJPF.js.map +0 -1
- package/dist/chunk-CZM6WWWS.js +0 -2450
- package/dist/chunk-CZM6WWWS.js.map +0 -1
- package/dist/chunk-JAAHOGKI.js.map +0 -1
- package/dist/chunk-KJVEJILQ.js.map +0 -1
- package/dist/chunk-O4BLVPML.js.map +0 -1
- package/dist/chunk-O7335ZGH.js.map +0 -1
- package/dist/chunk-PB4GR7EP.js.map +0 -1
- package/dist/chunk-TPCT3MXV.js.map +0 -1
- package/dist/chunk-VRHXOKRP.js.map +0 -1
- package/dist/chunk-WZ7CPVQB.js.map +0 -1
- package/dist/chunk-X4JAX2U3.js.map +0 -1
- package/dist/chunk-XP7YXRHO.js.map +0 -1
- package/dist/chunk-YLBSSEHX.js.map +0 -1
- package/dist/chunk-ZOXNJV2O.js.map +0 -1
- package/dist/dev-emit-RBSFZZNO.js.map +0 -1
- package/dist/dispatcher-E6QV32BO.js.map +0 -1
- package/dist/dist-5V77Z223.js.map +0 -1
- package/dist/generate-DT4IIAHF.js.map +0 -1
- package/dist/index-li83Swxa.d.ts +0 -506
- package/dist/lib-NL5JXGEB.js.map +0 -1
- package/dist/proper-lockfile-4Y3DP3RP.js.map +0 -1
- package/dist/registry-4MZ26TZD.js +0 -25
- package/dist/schema-CjVly9c_.d.ts +0 -274
- package/dist/sqlite-vec-ARPNUBWT.js.map +0 -1
- package/dist/start-HX3QUSOS.js.map +0 -1
- package/dist/theo-cloud-3K4DGB3S.js.map +0 -1
- /package/dist/{actions-virtual-module-HWNTIEPI.js.map → actions-virtual-module-IY46EEEX.js.map} +0 -0
- /package/dist/{actions-virtual-module-SEIPACG5.js.map → actions-virtual-module-XNHDNCZ6.js.map} +0 -0
- /package/dist/{aws-lambda-XYCGZH3I.js.map → aws-lambda-GKSTX6HD.js.map} +0 -0
- /package/dist/{bun-K73TQEWC.js.map → bun-ISHSNFIO.js.map} +0 -0
- /package/dist/{check-PZR67OY5.js.map → check-NXYPLM6M.js.map} +0 -0
- /package/dist/{dispatcher-AQJGI3HU.js.map → chunk-E3JH6YUM.js.map} +0 -0
- /package/dist/{node-3APTLGWB.js.map → chunk-JHEAWR3L.js.map} +0 -0
- /package/dist/{chunk-ZJW5FFYJ.js.map → chunk-LC5PYNJP.js.map} +0 -0
- /package/dist/{chunk-2VQKDRVF.js.map → chunk-MR7OLIC6.js.map} +0 -0
- /package/dist/{scan-C2BOKLSY.js.map → chunk-NPMCKOX4.js.map} +0 -0
- /package/dist/{chunk-B6RP57M3.js.map → chunk-OLPB36O2.js.map} +0 -0
- /package/dist/{chunk-OXIQI2XZ.js.map → chunk-VBZCVFSA.js.map} +0 -0
- /package/dist/{chunk-TRH2L3FI.js.map → chunk-WEGALZEU.js.map} +0 -0
- /package/dist/{cloudflare-LCAOTRYZ.js.map → cloudflare-OJGJ7R2D.js.map} +0 -0
- /package/dist/{schema-VR6YNVLQ.js.map → cookies-MJKMGJ7N.js.map} +0 -0
- /package/dist/{deno-deploy-ZN4RE5HF.js.map → deno-deploy-BHWKFTOW.js.map} +0 -0
- /package/dist/{dev-266MVCVA.js.map → dev-MJVSRZGF.js.map} +0 -0
- /package/dist/{dev-emit-NO6OZJOQ.js.map → dev-emit-HHP2XJXE.js.map} +0 -0
- /package/dist/{vite-plugin-IK3NOWXS.js.map → dispatcher-63LBXYLE.js.map} +0 -0
- /package/dist/{info-FJ4NXKTB.js.map → info-47VB62MV.js.map} +0 -0
- /package/dist/{netlify-5VQ22Z2P.js.map → netlify-GSNSJGMN.js.map} +0 -0
- /package/dist/{openapi-FNVSWZOL.js.map → openapi-NFLSNNVQ.js.map} +0 -0
- /package/dist/{registry-4MZ26TZD.js.map → registry-QHEZ3BWB.js.map} +0 -0
- /package/dist/{routes-H4SPLFHJ.js.map → routes-3A4XGIEJ.js.map} +0 -0
- /package/dist/{services-typed-client-XWYYBWGW.js.map → services-typed-client-KK6RHRDG.js.map} +0 -0
- /package/dist/{services-typed-client-ZX5JUHH3.js.map → services-typed-client-T7M5VPBP.js.map} +0 -0
- /package/dist/{static-TZBVBDTB.js.map → static-QI5NQT2X.js.map} +0 -0
- /package/dist/{vercel-MWW24ABC.js.map → vercel-TKPZK62A.js.map} +0 -0
|
@@ -0,0 +1,48 @@
|
|
|
1
|
+
import {
|
|
2
|
+
ConsoleObservabilityAdapter,
|
|
3
|
+
NoopObservabilityAdapter,
|
|
4
|
+
NoopSpan,
|
|
5
|
+
SpanImpl,
|
|
6
|
+
TheoCloudObservabilityAdapter,
|
|
7
|
+
createObservabilityPlugin,
|
|
8
|
+
defineObservabilityAdapter,
|
|
9
|
+
resolveAdapter,
|
|
10
|
+
serializeSpansToOtlp
|
|
11
|
+
} from "../../chunk-KI7OWQUX.js";
|
|
12
|
+
import {
|
|
13
|
+
findSuggestion,
|
|
14
|
+
levenshtein
|
|
15
|
+
} from "../../chunk-5QW7IQQU.js";
|
|
16
|
+
import {
|
|
17
|
+
_resetWarnOnceForTests,
|
|
18
|
+
createLogger,
|
|
19
|
+
logRequest,
|
|
20
|
+
warnOnce
|
|
21
|
+
} from "../../chunk-Z5IGLBWE.js";
|
|
22
|
+
import {
|
|
23
|
+
JsonStdoutSink,
|
|
24
|
+
createNoOpLogger,
|
|
25
|
+
safeAudit
|
|
26
|
+
} from "../../chunk-UD3LFGDL.js";
|
|
27
|
+
import "../../chunk-DGUM43GV.js";
|
|
28
|
+
export {
|
|
29
|
+
ConsoleObservabilityAdapter,
|
|
30
|
+
JsonStdoutSink,
|
|
31
|
+
NoopObservabilityAdapter,
|
|
32
|
+
NoopSpan,
|
|
33
|
+
SpanImpl,
|
|
34
|
+
TheoCloudObservabilityAdapter,
|
|
35
|
+
_resetWarnOnceForTests,
|
|
36
|
+
createLogger,
|
|
37
|
+
createNoOpLogger,
|
|
38
|
+
createObservabilityPlugin,
|
|
39
|
+
defineObservabilityAdapter,
|
|
40
|
+
findSuggestion,
|
|
41
|
+
levenshtein,
|
|
42
|
+
logRequest,
|
|
43
|
+
resolveAdapter,
|
|
44
|
+
safeAudit,
|
|
45
|
+
serializeSpansToOtlp,
|
|
46
|
+
warnOnce
|
|
47
|
+
};
|
|
48
|
+
//# sourceMappingURL=index.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"sources":[],"sourcesContent":[],"mappings":"","names":[]}
|
|
@@ -0,0 +1,17 @@
|
|
|
1
|
+
import { P as PluginRunner } from '../../plugin-runner-BGBkzgi0.js';
|
|
2
|
+
export { D as DuplicateDecorationError, a as DuplicatePluginError } from '../../plugin-runner-BGBkzgi0.js';
|
|
3
|
+
import '../../plugin-types-DNJGxr4Z.js';
|
|
4
|
+
import 'node:http';
|
|
5
|
+
|
|
6
|
+
declare class InvalidPluginShapeError extends Error {
|
|
7
|
+
constructor(index: number, reason: string);
|
|
8
|
+
}
|
|
9
|
+
/**
|
|
10
|
+
* Build a PluginRunner from a list of plugins typically declared in
|
|
11
|
+
* `theo.config.ts` under the `plugins` field. Returns `undefined` when no
|
|
12
|
+
* plugins are configured so callers can pass `undefined` to `executeRoute`
|
|
13
|
+
* and preserve the zero-overhead path.
|
|
14
|
+
*/
|
|
15
|
+
declare function createPluginRunnerFromConfig(plugins: unknown): Promise<PluginRunner | undefined>;
|
|
16
|
+
|
|
17
|
+
export { InvalidPluginShapeError, PluginRunner, createPluginRunnerFromConfig };
|
|
@@ -0,0 +1,17 @@
|
|
|
1
|
+
import "../../chunk-NPMCKOX4.js";
|
|
2
|
+
import {
|
|
3
|
+
DuplicateDecorationError,
|
|
4
|
+
DuplicatePluginError,
|
|
5
|
+
InvalidPluginShapeError,
|
|
6
|
+
PluginRunner,
|
|
7
|
+
createPluginRunnerFromConfig
|
|
8
|
+
} from "../../chunk-IAJ2JVEH.js";
|
|
9
|
+
import "../../chunk-DGUM43GV.js";
|
|
10
|
+
export {
|
|
11
|
+
DuplicateDecorationError,
|
|
12
|
+
DuplicatePluginError,
|
|
13
|
+
InvalidPluginShapeError,
|
|
14
|
+
PluginRunner,
|
|
15
|
+
createPluginRunnerFromConfig
|
|
16
|
+
};
|
|
17
|
+
//# sourceMappingURL=index.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"sources":[],"sourcesContent":[],"mappings":"","names":[]}
|
|
@@ -0,0 +1,105 @@
|
|
|
1
|
+
import { R as RateLimitConfig, a as RateLimitResult } from '../../rate-limit-BdNDZ3vt.js';
|
|
2
|
+
export { c as createRateLimiter, b as createRateLimiterWeb } from '../../rate-limit-BdNDZ3vt.js';
|
|
3
|
+
import { R as RateLimitStore } from '../../rate-limit-store-BEJnhWdw.js';
|
|
4
|
+
export { I as InMemoryStore, a as RateLimitState } from '../../rate-limit-store-BEJnhWdw.js';
|
|
5
|
+
import { IncomingMessage } from 'node:http';
|
|
6
|
+
|
|
7
|
+
/**
|
|
8
|
+
* T2.2 — Per-route + per-user rate limiting.
|
|
9
|
+
*
|
|
10
|
+
* Layered on top of `rate-limit-store.ts`. The route map allows
|
|
11
|
+
* declarative policies ("strict /api/login, loose everything else")
|
|
12
|
+
* driven by config, not handler-decorated. `keyBy` selects what
|
|
13
|
+
* identifier the limiter buckets on.
|
|
14
|
+
*
|
|
15
|
+
* ADR D2: per-route via path matching, NOT per-handler decorator.
|
|
16
|
+
* Operators can tune policies without touching route definitions.
|
|
17
|
+
*/
|
|
18
|
+
type KeyByMode = 'ip' | 'session' | 'user' | ((req: IncomingMessage) => string);
|
|
19
|
+
interface RouteRateLimitConfig {
|
|
20
|
+
/** Fallback config used when no per-route entry matches. */
|
|
21
|
+
default?: RateLimitConfig;
|
|
22
|
+
/** Map of path pattern → config. Exact-string keys (RegExp via API). */
|
|
23
|
+
routes?: Record<string, RateLimitConfig>;
|
|
24
|
+
/** Same as `routes` but each entry is a [pattern, config] tuple, RegExp allowed. */
|
|
25
|
+
routePatterns?: readonly [string | RegExp, RateLimitConfig][];
|
|
26
|
+
/** Bucket identifier strategy. Default 'ip'. */
|
|
27
|
+
keyBy?: KeyByMode;
|
|
28
|
+
/** Cookie name used by keyBy='session'. Defaults to 'theo_session'. */
|
|
29
|
+
cookieName?: string;
|
|
30
|
+
/** Optional shared store (for multi-route correlation). Default per-limiter InMemoryStore. */
|
|
31
|
+
store?: RateLimitStore;
|
|
32
|
+
}
|
|
33
|
+
/**
|
|
34
|
+
* Test whether `path` matches `pattern`. String patterns are compared
|
|
35
|
+
* after trailing-slash normalization (EC-5). RegExp uses `.test` after
|
|
36
|
+
* resetting `lastIndex` (defensive against `/g` flag).
|
|
37
|
+
*/
|
|
38
|
+
declare function matchRoutePattern(path: string, pattern: string | RegExp): boolean;
|
|
39
|
+
/**
|
|
40
|
+
* Build the rate-limit bucket key for the request based on `keyBy`.
|
|
41
|
+
*
|
|
42
|
+
* EC-6: session mode reads the configured `cookieName`. With the wrong
|
|
43
|
+
* cookie name (e.g., default 'theo_session' but app uses 'app_session'),
|
|
44
|
+
* we fall back to IP so anonymous users still get rate-limited rather
|
|
45
|
+
* than sharing an empty bucket.
|
|
46
|
+
*/
|
|
47
|
+
declare function deriveKey(req: IncomingMessage, keyBy: KeyByMode, cookieName: string): Promise<string>;
|
|
48
|
+
/**
|
|
49
|
+
* Per-route rate limiter factory. Returns a sync checker compatible with
|
|
50
|
+
* the existing api-middleware shape.
|
|
51
|
+
*
|
|
52
|
+
* Backwards-compatibility (ADR D2): a flat `{ windowMs, max }` config is
|
|
53
|
+
* accepted and treated as `default` (no per-route variants).
|
|
54
|
+
*/
|
|
55
|
+
declare function createRouteRateLimiter(config: RouteRateLimitConfig | RateLimitConfig): (req: IncomingMessage) => Promise<RateLimitResult>;
|
|
56
|
+
/**
|
|
57
|
+
* T5a.2 Phase D slice 1/3 — Web-Standards rate-limiter inputs context.
|
|
58
|
+
*
|
|
59
|
+
* Web `Request` has no equivalent of `req.socket.remoteAddress` (Node
|
|
60
|
+
* runtime concept) or `req.user` (set by upstream middleware). The
|
|
61
|
+
* Web-shaped rate-limiter requires the caller to pass these explicitly:
|
|
62
|
+
*
|
|
63
|
+
* - `clientIp` — resolved per-runtime (Node: `socket.remoteAddress`;
|
|
64
|
+
* CF Workers: `request.headers.get('cf-connecting-ip')`; Vercel:
|
|
65
|
+
* `x-forwarded-for` first hop; Bun/Deno: adapter-specific).
|
|
66
|
+
* - `userId` — resolved by auth middleware (Phase D slice 3/3 ships
|
|
67
|
+
* the Web-shaped session helper).
|
|
68
|
+
*
|
|
69
|
+
* Defaults: `clientIp = 'unknown'`, `userId = undefined` (matches the
|
|
70
|
+
* IncomingMessage path's fallback semantics).
|
|
71
|
+
*/
|
|
72
|
+
interface DeriveKeyRequestContext {
|
|
73
|
+
clientIp?: string;
|
|
74
|
+
userId?: string;
|
|
75
|
+
}
|
|
76
|
+
/**
|
|
77
|
+
* T5a.2 Phase D slice 1/3 — Web-Standards-shaped key derivation.
|
|
78
|
+
*
|
|
79
|
+
* Mirror of `deriveKey(req: IncomingMessage, keyBy, cookieName)` for the
|
|
80
|
+
* Web `Request` shape. Same `'ip' | 'session' | 'user'` enum cases (the
|
|
81
|
+
* `function` callback case is IncomingMessage-only because the existing
|
|
82
|
+
* `KeyByMode` callback type is Node-shaped; Web callers use the enum
|
|
83
|
+
* cases or call a future `KeyByModeWeb` shape — out of T5a.2 Phase D scope).
|
|
84
|
+
*
|
|
85
|
+
* Uses `getCookieFromRequest` (Phase B slice 6/6) for session-mode cookie
|
|
86
|
+
* lookup. Cookie parsing has the same CR-009 percent-encoding safety.
|
|
87
|
+
*/
|
|
88
|
+
declare function deriveKeyFromRequest(request: Request, keyBy: Exclude<KeyByMode, (req: IncomingMessage) => string>, cookieName: string, ctx?: DeriveKeyRequestContext): Promise<string>;
|
|
89
|
+
/**
|
|
90
|
+
* T5a.2 Phase D slice 1/3 — Web-Standards rate-limiter factory.
|
|
91
|
+
*
|
|
92
|
+
* Mirror of `createRouteRateLimiter(config)` returning a checker that
|
|
93
|
+
* accepts `(request: Request, ctx?: DeriveKeyRequestContext)` instead of
|
|
94
|
+
* `(req: IncomingMessage)`. Same `RouteRateLimitConfig` accepted; same
|
|
95
|
+
* `keyBy` enum cases; same `InMemoryStore` constraint (CR-005 guard).
|
|
96
|
+
*
|
|
97
|
+
* Same returned `RateLimitResult` shape (headers + limited boolean).
|
|
98
|
+
*
|
|
99
|
+
* Web `Request` has no `req.url` path-only property — uses
|
|
100
|
+
* `new URL(request.url).pathname + search` to derive the URL the way the
|
|
101
|
+
* IncomingMessage path's `req.url ?? ''` would.
|
|
102
|
+
*/
|
|
103
|
+
declare function createRouteRateLimiterWeb(config: RouteRateLimitConfig | RateLimitConfig): (request: Request, ctx?: DeriveKeyRequestContext) => Promise<RateLimitResult>;
|
|
104
|
+
|
|
105
|
+
export { type DeriveKeyRequestContext, type KeyByMode, RateLimitConfig, RateLimitResult, RateLimitStore, type RouteRateLimitConfig, createRouteRateLimiter, createRouteRateLimiterWeb, deriveKey, deriveKeyFromRequest, matchRoutePattern };
|
|
@@ -0,0 +1,25 @@
|
|
|
1
|
+
import {
|
|
2
|
+
createRouteRateLimiter,
|
|
3
|
+
createRouteRateLimiterWeb,
|
|
4
|
+
deriveKey,
|
|
5
|
+
deriveKeyFromRequest,
|
|
6
|
+
matchRoutePattern
|
|
7
|
+
} from "../../chunk-ASDXVRJD.js";
|
|
8
|
+
import {
|
|
9
|
+
InMemoryStore,
|
|
10
|
+
createRateLimiter,
|
|
11
|
+
createRateLimiterWeb
|
|
12
|
+
} from "../../chunk-VMEWD57H.js";
|
|
13
|
+
import "../../chunk-ZJQ4O76G.js";
|
|
14
|
+
import "../../chunk-DGUM43GV.js";
|
|
15
|
+
export {
|
|
16
|
+
InMemoryStore,
|
|
17
|
+
createRateLimiter,
|
|
18
|
+
createRateLimiterWeb,
|
|
19
|
+
createRouteRateLimiter,
|
|
20
|
+
createRouteRateLimiterWeb,
|
|
21
|
+
deriveKey,
|
|
22
|
+
deriveKeyFromRequest,
|
|
23
|
+
matchRoutePattern
|
|
24
|
+
};
|
|
25
|
+
//# sourceMappingURL=index.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"sources":[],"sourcesContent":[],"mappings":"","names":[]}
|
|
@@ -0,0 +1,15 @@
|
|
|
1
|
+
import { b as WebSocketLike } from '../../define-websocket-CdK94O-D.js';
|
|
2
|
+
import 'node:http';
|
|
3
|
+
|
|
4
|
+
declare class ChannelManager {
|
|
5
|
+
private rooms;
|
|
6
|
+
private wsRooms;
|
|
7
|
+
subscribe(ws: WebSocketLike, room: string): void;
|
|
8
|
+
unsubscribe(ws: WebSocketLike, room: string): void;
|
|
9
|
+
broadcast(room: string, data: unknown, exclude?: WebSocketLike): void;
|
|
10
|
+
broadcastAll(data: unknown): void;
|
|
11
|
+
getRoomSize(room: string): number;
|
|
12
|
+
cleanup(ws: WebSocketLike): void;
|
|
13
|
+
}
|
|
14
|
+
|
|
15
|
+
export { ChannelManager };
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"sources":[],"sourcesContent":[],"mappings":"","names":[]}
|
|
@@ -0,0 +1,106 @@
|
|
|
1
|
+
import { S as ServerRouteNode } from '../../module-loader-Cfz7dgCP.js';
|
|
2
|
+
export { L as LoadModule, c as compilePattern, a as createProductionLoader, b as createViteLoader, m as matchRoute } from '../../module-loader-Cfz7dgCP.js';
|
|
3
|
+
import 'vite';
|
|
4
|
+
|
|
5
|
+
declare function scanServerRoutes(serverDir: string): ServerRouteNode[];
|
|
6
|
+
|
|
7
|
+
interface ActionNode {
|
|
8
|
+
filePath: string;
|
|
9
|
+
actionPath: string;
|
|
10
|
+
}
|
|
11
|
+
/**
|
|
12
|
+
* Enriched manifest entry per plan g3-server-actions-and-useaction v1.2
|
|
13
|
+
* § Phase 1 / T1.4 + ADR D4. Consumed by virtual module `@theo/actions`
|
|
14
|
+
* (T3.1) and G4 devtools "Actions" tab (T5.1).
|
|
15
|
+
*/
|
|
16
|
+
interface ActionManifestEntry {
|
|
17
|
+
name: string;
|
|
18
|
+
filePath: string;
|
|
19
|
+
urlPath: string;
|
|
20
|
+
accept: 'form' | 'json';
|
|
21
|
+
hasInput: boolean;
|
|
22
|
+
/**
|
|
23
|
+
* P#4 plugin-forms shared-schema convention (per plan p4-plugin-forms v1.1 T1.1).
|
|
24
|
+
* When present, points to an isomorphic schema file at
|
|
25
|
+
* `<serverDir>/actions/schemas/<basename>.ts` exporting `export const schema = z.object(...)`.
|
|
26
|
+
* Virtual module emits `import {schema} from '<schemaFilePath>'` + attaches as
|
|
27
|
+
* `actions.X.__zodSchema` so client-side <TheoForm> can drive zodResolver.
|
|
28
|
+
* Undefined when convention not followed (graceful degrade — TheoForm still
|
|
29
|
+
* works via explicit `schema={...}` prop escape hatch).
|
|
30
|
+
*/
|
|
31
|
+
schemaFilePath?: string;
|
|
32
|
+
}
|
|
33
|
+
/**
|
|
34
|
+
* EC-2: structured error for scan-time defects (name collision, reserved
|
|
35
|
+
* identifier, etc.). Throw at scan time to fail loud — silent shadowing is
|
|
36
|
+
* a security/correctness footgun.
|
|
37
|
+
*/
|
|
38
|
+
declare class ActionScanError extends Error {
|
|
39
|
+
readonly code: 'NAME_COLLISION' | 'RESERVED_NAME';
|
|
40
|
+
readonly conflictingPaths: readonly string[];
|
|
41
|
+
constructor(code: 'NAME_COLLISION' | 'RESERVED_NAME', message: string, conflictingPaths: readonly string[]);
|
|
42
|
+
}
|
|
43
|
+
/**
|
|
44
|
+
* Backward-compatible: original simple-shape scanner used by existing
|
|
45
|
+
* consumers. Preserved verbatim; new consumers should call
|
|
46
|
+
* `scanServerActionsEnriched`.
|
|
47
|
+
*/
|
|
48
|
+
declare function scanServerActions(serverDir: string): ActionNode[];
|
|
49
|
+
/**
|
|
50
|
+
* Enriched scan: light AST detection of `accept: 'form'|'json'` + `input:`
|
|
51
|
+
* presence via regex-after-comment-stripping (EC-9). Throws ActionScanError
|
|
52
|
+
* on file/dir name collision (EC-2) or reserved JS identifier names.
|
|
53
|
+
*
|
|
54
|
+
* Output `ActionManifestEntry[]` is sorted by `name` for deterministic
|
|
55
|
+
* `.theo/actions-manifest.json` emission.
|
|
56
|
+
*/
|
|
57
|
+
declare function scanServerActionsEnriched(serverDir: string): ActionManifestEntry[];
|
|
58
|
+
|
|
59
|
+
interface WebSocketRouteNode {
|
|
60
|
+
filePath: string;
|
|
61
|
+
wsPath: string;
|
|
62
|
+
}
|
|
63
|
+
declare function scanWebSocketRoutes(serverDir: string): WebSocketRouteNode[];
|
|
64
|
+
|
|
65
|
+
/**
|
|
66
|
+
* Scan the server/middleware/ directory for middleware files.
|
|
67
|
+
* Files are returned sorted alphabetically — use numeric prefixes
|
|
68
|
+
* (e.g. 01-cors.ts, 02-auth.ts) to control execution order.
|
|
69
|
+
*
|
|
70
|
+
* Files starting with '_' or '.' are ignored (helpers, hidden files).
|
|
71
|
+
*/
|
|
72
|
+
declare function scanMiddlewares(serverDir: string): string[];
|
|
73
|
+
|
|
74
|
+
interface ManifestRoute {
|
|
75
|
+
filePath: string;
|
|
76
|
+
routePath: string;
|
|
77
|
+
paramNames: string[];
|
|
78
|
+
/** HTTP methods (uppercase) the route file exports. Optional — manifests
|
|
79
|
+
* generated before G1 omit this; loaders treat absence as "unknown". */
|
|
80
|
+
methods?: string[];
|
|
81
|
+
}
|
|
82
|
+
interface ManifestAction {
|
|
83
|
+
filePath: string;
|
|
84
|
+
actionPath: string;
|
|
85
|
+
}
|
|
86
|
+
interface ManifestWebSocket {
|
|
87
|
+
filePath: string;
|
|
88
|
+
wsPath: string;
|
|
89
|
+
}
|
|
90
|
+
interface TheoManifest {
|
|
91
|
+
version: 1;
|
|
92
|
+
generatedAt: string;
|
|
93
|
+
routes: ManifestRoute[];
|
|
94
|
+
actions: ManifestAction[];
|
|
95
|
+
websockets: ManifestWebSocket[];
|
|
96
|
+
}
|
|
97
|
+
interface LoadedManifest {
|
|
98
|
+
routes: ServerRouteNode[];
|
|
99
|
+
actions: ActionNode[];
|
|
100
|
+
websockets: WebSocketRouteNode[];
|
|
101
|
+
}
|
|
102
|
+
declare function generateManifest(serverDir: string): TheoManifest;
|
|
103
|
+
declare function writeManifest(manifest: TheoManifest, outputDir: string): void;
|
|
104
|
+
declare function loadManifest(distDir: string, serverDir: string): LoadedManifest;
|
|
105
|
+
|
|
106
|
+
export { type ActionManifestEntry, type ActionNode, ActionScanError, type LoadedManifest, type ManifestAction, type ManifestRoute, type ManifestWebSocket, ServerRouteNode, type TheoManifest, type WebSocketRouteNode, generateManifest, loadManifest, scanMiddlewares, scanServerActions, scanServerActionsEnriched, scanServerRoutes, scanWebSocketRoutes, writeManifest };
|
|
@@ -0,0 +1,43 @@
|
|
|
1
|
+
import "../../chunk-E3JH6YUM.js";
|
|
2
|
+
import {
|
|
3
|
+
generateManifest,
|
|
4
|
+
loadManifest,
|
|
5
|
+
writeManifest
|
|
6
|
+
} from "../../chunk-MR7OLIC6.js";
|
|
7
|
+
import {
|
|
8
|
+
createProductionLoader,
|
|
9
|
+
createViteLoader
|
|
10
|
+
} from "../../chunk-JQSKBMXP.js";
|
|
11
|
+
import {
|
|
12
|
+
compilePattern,
|
|
13
|
+
matchRoute,
|
|
14
|
+
scanServerRoutes,
|
|
15
|
+
scanWebSocketRoutes
|
|
16
|
+
} from "../../chunk-OLPB36O2.js";
|
|
17
|
+
import {
|
|
18
|
+
ActionScanError,
|
|
19
|
+
scanServerActions,
|
|
20
|
+
scanServerActionsEnriched
|
|
21
|
+
} from "../../chunk-R7OC6UDK.js";
|
|
22
|
+
import "../../chunk-WSJKACWB.js";
|
|
23
|
+
import "../../chunk-X2VVCJ4V.js";
|
|
24
|
+
import {
|
|
25
|
+
scanMiddlewares
|
|
26
|
+
} from "../../chunk-ZEGYW52B.js";
|
|
27
|
+
import "../../chunk-DGUM43GV.js";
|
|
28
|
+
export {
|
|
29
|
+
ActionScanError,
|
|
30
|
+
compilePattern,
|
|
31
|
+
createProductionLoader,
|
|
32
|
+
createViteLoader,
|
|
33
|
+
generateManifest,
|
|
34
|
+
loadManifest,
|
|
35
|
+
matchRoute,
|
|
36
|
+
scanMiddlewares,
|
|
37
|
+
scanServerActions,
|
|
38
|
+
scanServerActionsEnriched,
|
|
39
|
+
scanServerRoutes,
|
|
40
|
+
scanWebSocketRoutes,
|
|
41
|
+
writeManifest
|
|
42
|
+
};
|
|
43
|
+
//# sourceMappingURL=index.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"sources":[],"sourcesContent":[],"mappings":"","names":[]}
|
|
@@ -0,0 +1,193 @@
|
|
|
1
|
+
import { ServerResponse, IncomingMessage } from 'node:http';
|
|
2
|
+
import { A as AuditLogger } from '../../audit-log-BQWM5YLG.js';
|
|
3
|
+
export { C as CSRF_WARN_CODE, a as CSRF_WARN_DOCS_URL, b as CsrfLogger, c as CsrfMode, d as CsrfWarnPayload, D as DisallowedConfig, e as enforceCsrf, m as matchDisallowed, v as validateCsrf, f as validateCsrfRequest } from '../../csrf-BBrEZSBW.js';
|
|
4
|
+
import { C as CsrfReadinessStore } from '../../csrf-readiness-store-CjIoub3U.js';
|
|
5
|
+
export { a as CsrfReadinessRouteSummary, b as CsrfReadinessSummary, c as CsrfWarnRecord } from '../../csrf-readiness-store-CjIoub3U.js';
|
|
6
|
+
|
|
7
|
+
/**
|
|
8
|
+
* Phase 6 — Default Security Headers (D4 / EC-2).
|
|
9
|
+
*
|
|
10
|
+
* Per-response security baseline. The framework applies these BEFORE the
|
|
11
|
+
* route handler runs so a handler can still override via `res.setHeader`.
|
|
12
|
+
*
|
|
13
|
+
* EC-2 backward-compatibility: CSP ships in `report-only` mode by default
|
|
14
|
+
* for 0.2.0. Existing apps with inline scripts or third-party CDN scripts
|
|
15
|
+
* keep working but consumers see violation reports via their CSP report
|
|
16
|
+
* collector (or browser DevTools). 0.3.0 will flip the default to
|
|
17
|
+
* `enforce` after a release of visibility.
|
|
18
|
+
*/
|
|
19
|
+
/**
|
|
20
|
+
* Default Content-Security-Policy. Conservative-but-not-paralyzing:
|
|
21
|
+
*
|
|
22
|
+
* - default-src 'self' — every fetch falls back to same-origin
|
|
23
|
+
* - script-src 'self' — T6.1 (0.3.0): `'unsafe-inline'`
|
|
24
|
+
* dropped. The SSR pipeline issues a
|
|
25
|
+
* per-request nonce that REPLACES
|
|
26
|
+
* this directive at runtime
|
|
27
|
+
* (`'nonce-<token>'`). For static /
|
|
28
|
+
* non-SSR contexts where no nonce is
|
|
29
|
+
* available, the policy is strict-
|
|
30
|
+
* no-inline — user inline scripts
|
|
31
|
+
* must be migrated to external
|
|
32
|
+
* `<script src="...">` or threaded
|
|
33
|
+
* through `ctx.nonce`.
|
|
34
|
+
* - style-src 'self' 'unsafe-inline' — Tailwind + TheoUI use style attrs
|
|
35
|
+
* in animation directives
|
|
36
|
+
* - img-src 'self' data: blob: — supports inline data URIs, blobs
|
|
37
|
+
* from canvas exports
|
|
38
|
+
* - font-src 'self' data: — Geist fonts inline-base64
|
|
39
|
+
* - connect-src 'self' ws: wss: — WebSocket dev HMR + agent streams
|
|
40
|
+
* - frame-ancestors 'none' — clickjacking defense
|
|
41
|
+
*/
|
|
42
|
+
/**
|
|
43
|
+
* T5.1 — default CSP includes the built-in report endpoint so violations
|
|
44
|
+
* are visible without extra config. Apps that ship a custom `csp` string
|
|
45
|
+
* override the report-uri.
|
|
46
|
+
*/
|
|
47
|
+
declare const DEFAULT_CSP: string;
|
|
48
|
+
/**
|
|
49
|
+
* T1.1 — Default Permissions-Policy header (default-deny stance).
|
|
50
|
+
*
|
|
51
|
+
* Disables sensitive Web APIs that the vast majority of apps don't use.
|
|
52
|
+
* Apps that DO need any of these opt in by overriding `permissionsPolicy`
|
|
53
|
+
* in `config.security.headers`.
|
|
54
|
+
*
|
|
55
|
+
* The seven features listed are the most-abused for: tracking
|
|
56
|
+
* (geolocation, accelerometer, gyroscope), spyware (camera, microphone),
|
|
57
|
+
* fraud (payment), and hardware exfiltration (usb).
|
|
58
|
+
*
|
|
59
|
+
* Aligns with Mozilla baseline + OWASP Secure Headers + Lighthouse PWA.
|
|
60
|
+
*/
|
|
61
|
+
declare const DEFAULT_PERMISSIONS_POLICY = "geolocation=(), camera=(), microphone=(), payment=(), usb=(), accelerometer=(), gyroscope=()";
|
|
62
|
+
type CspMode = 'enforce' | 'report-only' | 'off';
|
|
63
|
+
interface SecurityHeadersConfig {
|
|
64
|
+
/**
|
|
65
|
+
* Custom CSP policy string. When set, replaces the default verbatim.
|
|
66
|
+
* Pass `false` to disable CSP entirely (alias for `cspMode: 'off'`).
|
|
67
|
+
*/
|
|
68
|
+
csp?: string | false;
|
|
69
|
+
/**
|
|
70
|
+
* Enforcement mode for CSP. Default `report-only` for 0.2.0 (EC-2).
|
|
71
|
+
* 0.3.0 will default to `enforce`.
|
|
72
|
+
*/
|
|
73
|
+
cspMode?: CspMode;
|
|
74
|
+
/**
|
|
75
|
+
* Strict-Transport-Security value. Defaults to
|
|
76
|
+
* `max-age=31536000; includeSubDomains` in production. Pass `false` to
|
|
77
|
+
* suppress (e.g. internal LANs without TLS).
|
|
78
|
+
*/
|
|
79
|
+
hsts?: string | false;
|
|
80
|
+
/** X-Frame-Options. Default DENY. */
|
|
81
|
+
frameOptions?: 'DENY' | 'SAMEORIGIN';
|
|
82
|
+
/** X-Content-Type-Options. Default `nosniff`. */
|
|
83
|
+
contentTypeOptions?: 'nosniff';
|
|
84
|
+
/** Referrer-Policy. Default `strict-origin-when-cross-origin`. */
|
|
85
|
+
referrerPolicy?: string;
|
|
86
|
+
/**
|
|
87
|
+
* T1.1 — Permissions-Policy directive string. When set, replaces the
|
|
88
|
+
* default verbatim (no merge — see ADR-EC-12). Pass `false` to disable
|
|
89
|
+
* the header entirely. Schema-level refinement rejects any string
|
|
90
|
+
* containing CR/LF (EC-3 — CWE-113 HTTP Response Splitting mitigation).
|
|
91
|
+
*/
|
|
92
|
+
permissionsPolicy?: string | false;
|
|
93
|
+
}
|
|
94
|
+
interface SecurityEnv {
|
|
95
|
+
production: boolean;
|
|
96
|
+
}
|
|
97
|
+
/**
|
|
98
|
+
* T4.1 — Per-request options passed by the SSR pipeline.
|
|
99
|
+
*
|
|
100
|
+
* - `nonce`: when set, the framework substitutes the `'unsafe-inline'`
|
|
101
|
+
* token in `script-src` with `'nonce-<nonce>'`. EC-3 forces
|
|
102
|
+
* `Cache-Control: private, no-store` so a CDN cannot cache the HTML
|
|
103
|
+
* (carrying one nonce) and re-serve it with a freshly-generated CSP
|
|
104
|
+
* header (carrying a different nonce).
|
|
105
|
+
* - `prerender`: when true, the nonce is IGNORED. Prerendered HTML is
|
|
106
|
+
* generated at build time with no nonce in the script tags; mixing a
|
|
107
|
+
* runtime nonce in the header would block every script. EC-4.
|
|
108
|
+
*/
|
|
109
|
+
interface SecurityHeadersOptions {
|
|
110
|
+
nonce?: string;
|
|
111
|
+
prerender?: boolean;
|
|
112
|
+
}
|
|
113
|
+
/**
|
|
114
|
+
* Build the security headers map for a given config + env. Pure function —
|
|
115
|
+
* returned object can be inspected, logged, or applied to a response.
|
|
116
|
+
*/
|
|
117
|
+
declare function buildSecurityHeaders(config: SecurityHeadersConfig, env: SecurityEnv, options?: SecurityHeadersOptions): Record<string, string>;
|
|
118
|
+
/**
|
|
119
|
+
* Apply security headers to a Node ServerResponse. Called by the
|
|
120
|
+
* api-middleware before the route handler runs. The handler can override
|
|
121
|
+
* any header via `res.setHeader()` — last write wins by Node convention.
|
|
122
|
+
*/
|
|
123
|
+
declare function applySecurityHeaders(res: ServerResponse, config: SecurityHeadersConfig, env: SecurityEnv, options?: SecurityHeadersOptions): void;
|
|
124
|
+
|
|
125
|
+
/**
|
|
126
|
+
* T5.1 — Built-in CSP report endpoint.
|
|
127
|
+
*
|
|
128
|
+
* Browsers POST violation reports to `report-uri` (legacy `application/csp-report`)
|
|
129
|
+
* or `Reporting API` (`application/reports+json`). Framework auto-registers this
|
|
130
|
+
* endpoint so `cspMode: 'report-only'` is actually useful out of the box.
|
|
131
|
+
*
|
|
132
|
+
* Forwards normalized violations to:
|
|
133
|
+
* - audit logger (`csp.violation`)
|
|
134
|
+
* - devtools dispatcher (dev only, for Errors tab)
|
|
135
|
+
* - optional user hook (Sentry, etc.)
|
|
136
|
+
*
|
|
137
|
+
* EC-2: browser MAY send `{"csp-report": null}`, empty `{}`, or
|
|
138
|
+
* reports+json entries lacking `body`. Handler MUST short-circuit to
|
|
139
|
+
* 204 (valid format, no violation), NEVER crash via null deref.
|
|
140
|
+
*/
|
|
141
|
+
declare const CSP_REPORT_PATH = "/__theo/csp-report";
|
|
142
|
+
interface CspViolation {
|
|
143
|
+
blockedUrl: string;
|
|
144
|
+
documentUrl: string;
|
|
145
|
+
violatedDirective: string;
|
|
146
|
+
effectiveDirective?: string;
|
|
147
|
+
originalPolicy?: string;
|
|
148
|
+
disposition?: 'enforce' | 'report';
|
|
149
|
+
statusCode?: number;
|
|
150
|
+
sourceFile?: string;
|
|
151
|
+
lineNumber?: number;
|
|
152
|
+
columnNumber?: number;
|
|
153
|
+
}
|
|
154
|
+
interface CspReportHandlerOptions {
|
|
155
|
+
auditLogger?: AuditLogger;
|
|
156
|
+
devtoolsDispatcher?: {
|
|
157
|
+
onCspViolation?: (v: CspViolation) => void;
|
|
158
|
+
};
|
|
159
|
+
/** Optional user-provided sink (Sentry, custom log router). Errors here are swallowed. */
|
|
160
|
+
onViolation?: (v: CspViolation) => void;
|
|
161
|
+
}
|
|
162
|
+
declare function normalizeLegacy(raw: Record<string, unknown>): CspViolation;
|
|
163
|
+
/**
|
|
164
|
+
* Map a `reports+json` entry to the internal shape. Returns `null` if
|
|
165
|
+
* the entry lacks a usable `body` object (EC-2).
|
|
166
|
+
*/
|
|
167
|
+
declare function normalizeNew(entry: unknown): CspViolation | null;
|
|
168
|
+
declare function handleCspReport(req: IncomingMessage, res: ServerResponse, opts: CspReportHandlerOptions): Promise<void>;
|
|
169
|
+
declare function handleCspReportRequest(request: Request, opts: CspReportHandlerOptions): Promise<Response>;
|
|
170
|
+
|
|
171
|
+
/**
|
|
172
|
+
* T2.2 — `/__theo/csrf-readiness` endpoint.
|
|
173
|
+
*
|
|
174
|
+
* GET /__theo/csrf-readiness → 200 + JSON summary
|
|
175
|
+
* POST /__theo/csrf-readiness/reset → 204; clears the store
|
|
176
|
+
*
|
|
177
|
+
* The reset endpoint enforces CSRF (own dog food) — requires
|
|
178
|
+
* `X-Theo-Action: 1` AND a matching Origin header (EC-15). This avoids
|
|
179
|
+
* the endpoint being weaponizable from a cross-origin page when the
|
|
180
|
+
* endpoint is opt-in exposed in production.
|
|
181
|
+
*
|
|
182
|
+
* Mount opt-in: in dev mode, the host wires this in unconditionally. In
|
|
183
|
+
* production, only mount when `config.security.csrfTelemetry.exposeReadinessEndpoint === true`.
|
|
184
|
+
* EC-10 parallel: returns 404 (via boolean false return) when the URL
|
|
185
|
+
* does not match — the caller continues normal request handling.
|
|
186
|
+
*/
|
|
187
|
+
|
|
188
|
+
declare const CSRF_READINESS_PATH = "/__theo/csrf-readiness";
|
|
189
|
+
declare const CSRF_READINESS_RESET_PATH = "/__theo/csrf-readiness/reset";
|
|
190
|
+
declare function handleCsrfReadiness(req: IncomingMessage, res: ServerResponse, store: CsrfReadinessStore): Promise<boolean>;
|
|
191
|
+
declare function handleCsrfReadinessRequest(request: Request, store: CsrfReadinessStore): Promise<Response | null>;
|
|
192
|
+
|
|
193
|
+
export { CSP_REPORT_PATH, CSRF_READINESS_PATH, CSRF_READINESS_RESET_PATH, type CspMode, type CspReportHandlerOptions, type CspViolation, CsrfReadinessStore, DEFAULT_CSP, DEFAULT_PERMISSIONS_POLICY, type SecurityEnv, type SecurityHeadersConfig, type SecurityHeadersOptions, applySecurityHeaders, buildSecurityHeaders, handleCspReport, handleCspReportRequest, handleCsrfReadiness, handleCsrfReadinessRequest, normalizeLegacy, normalizeNew };
|
|
@@ -0,0 +1,50 @@
|
|
|
1
|
+
import "../../chunk-JHEAWR3L.js";
|
|
2
|
+
import {
|
|
3
|
+
CSP_REPORT_PATH,
|
|
4
|
+
CSRF_READINESS_PATH,
|
|
5
|
+
CSRF_READINESS_RESET_PATH,
|
|
6
|
+
CsrfReadinessStore,
|
|
7
|
+
DEFAULT_CSP,
|
|
8
|
+
DEFAULT_PERMISSIONS_POLICY,
|
|
9
|
+
applySecurityHeaders,
|
|
10
|
+
buildSecurityHeaders,
|
|
11
|
+
handleCspReport,
|
|
12
|
+
handleCspReportRequest,
|
|
13
|
+
handleCsrfReadiness,
|
|
14
|
+
handleCsrfReadinessRequest,
|
|
15
|
+
normalizeLegacy,
|
|
16
|
+
normalizeNew
|
|
17
|
+
} from "../../chunk-B3L3TJVF.js";
|
|
18
|
+
import {
|
|
19
|
+
CSRF_WARN_CODE,
|
|
20
|
+
CSRF_WARN_DOCS_URL,
|
|
21
|
+
enforceCsrf,
|
|
22
|
+
matchDisallowed,
|
|
23
|
+
validateCsrf,
|
|
24
|
+
validateCsrfRequest
|
|
25
|
+
} from "../../chunk-TSLSIRBR.js";
|
|
26
|
+
import "../../chunk-UD3LFGDL.js";
|
|
27
|
+
import "../../chunk-DGUM43GV.js";
|
|
28
|
+
export {
|
|
29
|
+
CSP_REPORT_PATH,
|
|
30
|
+
CSRF_READINESS_PATH,
|
|
31
|
+
CSRF_READINESS_RESET_PATH,
|
|
32
|
+
CSRF_WARN_CODE,
|
|
33
|
+
CSRF_WARN_DOCS_URL,
|
|
34
|
+
CsrfReadinessStore,
|
|
35
|
+
DEFAULT_CSP,
|
|
36
|
+
DEFAULT_PERMISSIONS_POLICY,
|
|
37
|
+
applySecurityHeaders,
|
|
38
|
+
buildSecurityHeaders,
|
|
39
|
+
enforceCsrf,
|
|
40
|
+
handleCspReport,
|
|
41
|
+
handleCspReportRequest,
|
|
42
|
+
handleCsrfReadiness,
|
|
43
|
+
handleCsrfReadinessRequest,
|
|
44
|
+
matchDisallowed,
|
|
45
|
+
normalizeLegacy,
|
|
46
|
+
normalizeNew,
|
|
47
|
+
validateCsrf,
|
|
48
|
+
validateCsrfRequest
|
|
49
|
+
};
|
|
50
|
+
//# sourceMappingURL=index.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"sources":[],"sourcesContent":[],"mappings":"","names":[]}
|