webpeel 0.1.0

package/dist/mcp/server.js

@@ -0,0 +1,248 @@
+#!/usr/bin/env node
+/**
+ * MCP Server for WebPeel
+ * Provides webpeel_fetch and webpeel_search tools for Claude Desktop / Cursor
+ */
+import { Server } from '@modelcontextprotocol/sdk/server/index.js';
+import { StdioServerTransport } from '@modelcontextprotocol/sdk/server/stdio.js';
+import { CallToolRequestSchema, ListToolsRequestSchema, } from '@modelcontextprotocol/sdk/types.js';
+import { peel } from '../index.js';
+import { fetch as undiciFetch } from 'undici';
+import { load } from 'cheerio';
+const server = new Server({
+    name: 'webpeel',
+    version: '1.0.0',
+}, {
+    capabilities: {
+        tools: {},
+    },
+});
+/**
+ * Search DuckDuckGo HTML and return structured results
+ */
+async function searchWeb(query, count = 5) {
+    const searchUrl = `https://html.duckduckgo.com/html/?q=${encodeURIComponent(query)}`;
+    try {
+        const response = await undiciFetch(searchUrl, {
+            headers: {
+                'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36',
+            },
+        });
+        if (!response.ok) {
+            throw new Error(`Search failed: HTTP ${response.status}`);
+        }
+        const html = await response.text();
+        const $ = load(html);
+        const results = [];
+        $('.result').each((_i, elem) => {
+            if (results.length >= count)
+                return;
+            const $result = $(elem);
+            let title = $result.find('.result__title').text().trim();
+            let url = $result.find('.result__url').attr('href') || '';
+            let snippet = $result.find('.result__snippet').text().trim();
+            // SECURITY: Validate and sanitize results
+            if (!title || !url)
+                return;
+            // Only allow HTTP/HTTPS URLs
+            try {
+                const parsed = new URL(url);
+                if (!['http:', 'https:'].includes(parsed.protocol)) {
+                    return;
+                }
+            }
+            catch {
+                return;
+            }
+            // Limit text lengths to prevent bloat
+            title = title.slice(0, 200);
+            snippet = snippet.slice(0, 500);
+            results.push({ title, url, snippet });
+        });
+        return results;
+    }
+    catch (error) {
+        const err = error;
+        throw new Error(`Search failed: ${err.message}`);
+    }
+}
+const tools = [
+    {
+        name: 'webpeel_fetch',
+        description: 'Fetch a URL and return clean, AI-ready markdown content. Handles JavaScript rendering and anti-bot protections automatically. Use this when you need to read the content of a web page.',
+        inputSchema: {
+            type: 'object',
+            properties: {
+                url: {
+                    type: 'string',
+                    description: 'The URL to fetch',
+                },
+                render: {
+                    type: 'boolean',
+                    description: 'Force browser rendering (slower but handles JavaScript-heavy sites)',
+                    default: false,
+                },
+                wait: {
+                    type: 'number',
+                    description: 'Milliseconds to wait for dynamic content (only used with render=true)',
+                    default: 0,
+                },
+                format: {
+                    type: 'string',
+                    enum: ['markdown', 'text', 'html'],
+                    description: 'Output format: markdown (default), text, or html',
+                    default: 'markdown',
+                },
+            },
+            required: ['url'],
+        },
+    },
+    {
+        name: 'webpeel_search',
+        description: 'Search the web using DuckDuckGo and return results with titles, URLs, and snippets. Use this to find relevant web pages before fetching them.',
+        inputSchema: {
+            type: 'object',
+            properties: {
+                query: {
+                    type: 'string',
+                    description: 'Search query',
+                },
+                count: {
+                    type: 'number',
+                    description: 'Number of results to return (1-10)',
+                    default: 5,
+                    minimum: 1,
+                    maximum: 10,
+                },
+            },
+            required: ['query'],
+        },
+    },
+];
+server.setRequestHandler(ListToolsRequestSchema, async () => ({
+    tools,
+}));
+server.setRequestHandler(CallToolRequestSchema, async (request) => {
+    const { name, arguments: args } = request.params;
+    try {
+        if (name === 'webpeel_fetch') {
+            const { url, render, wait, format } = args;
+            // SECURITY: Validate input parameters
+            if (!url || typeof url !== 'string') {
+                throw new Error('Invalid URL parameter');
+            }
+            if (url.length > 2048) {
+                throw new Error('URL too long (max 2048 characters)');
+            }
+            if (wait !== undefined) {
+                if (typeof wait !== 'number' || isNaN(wait) || wait < 0 || wait > 60000) {
+                    throw new Error('Invalid wait parameter: must be between 0 and 60000ms');
+                }
+            }
+            if (format !== undefined && !['markdown', 'text', 'html'].includes(format)) {
+                throw new Error('Invalid format parameter: must be "markdown", "text", or "html"');
+            }
+            const options = {
+                render: render || false,
+                wait: wait || 0,
+                format: format || 'markdown',
+            };
+            // SECURITY: Wrap in timeout (60 seconds max)
+            const timeoutPromise = new Promise((_, reject) => {
+                setTimeout(() => reject(new Error('MCP operation timed out after 60s')), 60000);
+            });
+            const result = await Promise.race([
+                peel(url, options),
+                timeoutPromise,
+            ]);
+            // SECURITY: Handle JSON serialization errors
+            let resultText;
+            try {
+                resultText = JSON.stringify(result, null, 2);
+            }
+            catch (jsonError) {
+                resultText = JSON.stringify({
+                    error: 'serialization_error',
+                    message: 'Failed to serialize result',
+                });
+            }
+            return {
+                content: [
+                    {
+                        type: 'text',
+                        text: resultText,
+                    },
+                ],
+            };
+        }
+        if (name === 'webpeel_search') {
+            const { query, count } = args;
+            // SECURITY: Validate input parameters
+            if (!query || typeof query !== 'string') {
+                throw new Error('Invalid query parameter');
+            }
+            if (query.length > 500) {
+                throw new Error('Query too long (max 500 characters)');
+            }
+            if (count !== undefined) {
+                if (typeof count !== 'number' || isNaN(count) || count < 1 || count > 10) {
+                    throw new Error('Invalid count parameter: must be between 1 and 10');
+                }
+            }
+            const resultCount = Math.min(Math.max(count || 5, 1), 10);
+            // SECURITY: Wrap in timeout (30 seconds max)
+            const timeoutPromise = new Promise((_, reject) => {
+                setTimeout(() => reject(new Error('Search operation timed out after 30s')), 30000);
+            });
+            const results = await Promise.race([
+                searchWeb(query, resultCount),
+                timeoutPromise,
+            ]);
+            // SECURITY: Handle JSON serialization errors
+            let resultText;
+            try {
+                resultText = JSON.stringify(results, null, 2);
+            }
+            catch (jsonError) {
+                resultText = JSON.stringify({
+                    error: 'serialization_error',
+                    message: 'Failed to serialize results',
+                });
+            }
+            return {
+                content: [
+                    {
+                        type: 'text',
+                        text: resultText,
+                    },
+                ],
+            };
+        }
+        throw new Error(`Unknown tool: ${name}`);
+    }
+    catch (error) {
+        const err = error;
+        return {
+            content: [
+                {
+                    type: 'text',
+                    text: JSON.stringify({
+                        error: err.name || 'Error',
+                        message: err.message || 'Unknown error occurred',
+                    }, null, 2),
+                },
+            ],
+            isError: true,
+        };
+    }
+});
+async function main() {
+    const transport = new StdioServerTransport();
+    await server.connect(transport);
+    console.error('WebPeel MCP server running on stdio');
+}
+main().catch((error) => {
+    console.error('Fatal error:', error);
+    process.exit(1);
+});
+//# sourceMappingURL=server.js.map

package/dist/mcp/server.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"server.js","sourceRoot":"","sources":["../../src/mcp/server.ts"],"names":[],"mappings":";AAEA;;;GAGG;AAEH,OAAO,EAAE,MAAM,EAAE,MAAM,2CAA2C,CAAC;AACnE,OAAO,EAAE,oBAAoB,EAAE,MAAM,2CAA2C,CAAC;AACjF,OAAO,EACL,qBAAqB,EACrB,sBAAsB,GAEvB,MAAM,oCAAoC,CAAC;AAC5C,OAAO,EAAE,IAAI,EAAE,MAAM,aAAa,CAAC;AAEnC,OAAO,EAAE,KAAK,IAAI,WAAW,EAAE,MAAM,QAAQ,CAAC;AAC9C,OAAO,EAAE,IAAI,EAAE,MAAM,SAAS,CAAC;AAE/B,MAAM,MAAM,GAAG,IAAI,MAAM,CACvB;IACE,IAAI,EAAE,SAAS;IACf,OAAO,EAAE,OAAO;CACjB,EACD;IACE,YAAY,EAAE;QACZ,KAAK,EAAE,EAAE;KACV;CACF,CACF,CAAC;AAEF;;GAEG;AACH,KAAK,UAAU,SAAS,CAAC,KAAa,EAAE,QAAgB,CAAC;IAKvD,MAAM,SAAS,GAAG,uCAAuC,kBAAkB,CAAC,KAAK,CAAC,EAAE,CAAC;IAErF,IAAI,CAAC;QACH,MAAM,QAAQ,GAAG,MAAM,WAAW,CAAC,SAAS,EAAE;YAC5C,OAAO,EAAE;gBACP,YAAY,EAAE,oEAAoE;aACnF;SACF,CAAC,CAAC;QAEH,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;YACjB,MAAM,IAAI,KAAK,CAAC,uBAAuB,QAAQ,CAAC,MAAM,EAAE,CAAC,CAAC;QAC5D,CAAC;QAED,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;QACnC,MAAM,CAAC,GAAG,IAAI,CAAC,IAAI,CAAC,CAAC;QAErB,MAAM,OAAO,GAA2D,EAAE,CAAC;QAE3E,CAAC,CAAC,SAAS,CAAC,CAAC,IAAI,CAAC,CAAC,EAAE,EAAE,IAAI,EAAE,EAAE;YAC7B,IAAI,OAAO,CAAC,MAAM,IAAI,KAAK;gBAAE,OAAO;YAEpC,MAAM,OAAO,GAAG,CAAC,CAAC,IAAI,CAAC,CAAC;YACxB,IAAI,KAAK,GAAG,OAAO,CAAC,IAAI,CAAC,gBAAgB,CAAC,CAAC,IAAI,EAAE,CAAC,IAAI,EAAE,CAAC;YACzD,IAAI,GAAG,GAAG,OAAO,CAAC,IAAI,CAAC,cAAc,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC;YAC1D,IAAI,OAAO,GAAG,OAAO,CAAC,IAAI,CAAC,kBAAkB,CAAC,CAAC,IAAI,EAAE,CAAC,IAAI,EAAE,CAAC;YAE7D,0CAA0C;YAC1C,IAAI,CAAC,KAAK,IAAI,CAAC,GAAG;gBAAE,OAAO;YAE3B,6BAA6B;YAC7B,IAAI,CAAC;gBACH,MAAM,MAAM,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,CAAC;gBAC5B,IAAI,CAAC,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,QAAQ,CAAC,EAAE,CAAC;oBACnD,OAAO;gBACT,CAAC;YACH,CAAC;YAAC,MAAM,CAAC;gBACP,OAAO;YACT,CAAC;YAED,sCAAsC;YACtC,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC;YAC5B,OAAO,GAAG,OAAO,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC;YAEhC,OAAO,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,GAAG,EAAE,OAAO,EAAE,CAAC,CAAC;QACxC,CAAC,CAAC,CAAC;QAEH,OAAO,OAAO,CAAC;IACjB,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,MAAM,GAAG,GAAG,KAAc,CAAC;QAC3B,MAAM,IAAI,KAAK,CAAC,kBAAkB,GAAG,CAAC,OAAO,EAAE,CAAC,CAAC;IACnD,CAAC;AACH,CAAC;AAED,MAAM,KAAK,GAAW;IACpB;QACE,IAAI,EAAE,eAAe;QACrB,WAAW,EAAE,yLAAyL;QACtM,WAAW,EAAE;YACX,IAAI,EAAE,QAAQ;YACd,UAAU,EAAE;gBACV,GAAG,EAAE;oBACH,IAAI,EAAE,QAAQ;oBACd,WAAW,EAAE,kBAAkB;iBAChC;gBACD,MAAM,EAAE;oBACN,IAAI,EAAE,SAAS;oBACf,WAAW,EAAE,qEAAqE;oBAClF,OAAO,EAAE,KAAK;iBACf;gBACD,IAAI,EAAE;oBACJ,IAAI,EAAE,QAAQ;oBACd,WAAW,EAAE,uEAAuE;oBACpF,OAAO,EAAE,CAAC;iBACX;gBACD,MAAM,EAAE;oBACN,IAAI,EAAE,QAAQ;oBACd,IAAI,EAAE,CAAC,UAAU,EAAE,MAAM,EAAE,MAAM,CAAC;oBAClC,WAAW,EAAE,kDAAkD;oBAC/D,OAAO,EAAE,UAAU;iBACpB;aACF;YACD,QAAQ,EAAE,CAAC,KAAK,CAAC;SAClB;KACF;IACD;QACE,IAAI,EAAE,gBAAgB;QACtB,WAAW,EAAE,+IAA+I;QAC5J,WAAW,EAAE;YACX,IAAI,EAAE,QAAQ;YACd,UAAU,EAAE;gBACV,KAAK,EAAE;oBACL,IAAI,EAAE,QAAQ;oBACd,WAAW,EAAE,cAAc;iBAC5B;gBACD,KAAK,EAAE;oBACL,IAAI,EAAE,QAAQ;oBACd,WAAW,EAAE,oCAAoC;oBACjD,OAAO,EAAE,CAAC;oBACV,OAAO,EAAE,CAAC;oBACV,OAAO,EAAE,EAAE;iBACZ;aACF;YACD,QAAQ,EAAE,CAAC,OAAO,CAAC;SACpB;KACF;CACF,CAAC;AAEF,MAAM,CAAC,iBAAiB,CAAC,sBAAsB,EAAE,KAAK,IAAI,EAAE,CAAC,CAAC;IAC5D,KAAK;CACN,CAAC,CAAC,CAAC;AAEJ,MAAM,CAAC,iBAAiB,CAAC,qBAAqB,EAAE,KAAK,EAAE,OAAO,EAAE,EAAE;IAChE,MAAM,EAAE,IAAI,EAAE,SAAS,EAAE,IAAI,EAAE,GAAG,OAAO,CAAC,MAAM,CAAC;IAEjD,IAAI,CAAC;QACH,IAAI,IAAI,KAAK,eAAe,EAAE,CAAC;YAC7B,MAAM,EAAE,GAAG,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,EAAE,GAAG,IAKrC,CAAC;YAEF,sCAAsC;YACtC,IAAI,CAAC,GAAG,IAAI,OAAO,GAAG,KAAK,QAAQ,EAAE,CAAC;gBACpC,MAAM,IAAI,KAAK,CAAC,uBAAuB,CAAC,CAAC;YAC3C,CAAC;YAED,IAAI,GAAG,CAAC,MAAM,GAAG,IAAI,EAAE,CAAC;gBACtB,MAAM,IAAI,KAAK,CAAC,oCAAoC,CAAC,CAAC;YACxD,CAAC;YAED,IAAI,IAAI,KAAK,SAAS,EAAE,CAAC;gBACvB,IAAI,OAAO,IAAI,KAAK,QAAQ,IAAI,KAAK,CAAC,IAAI,CAAC,IAAI,IAAI,GAAG,CAAC,IAAI,IAAI,GAAG,KAAK,EAAE,CAAC;oBACxE,MAAM,IAAI,KAAK,CAAC,uDAAuD,CAAC,CAAC;gBAC3E,CAAC;YACH,CAAC;YAED,IAAI,MAAM,KAAK,SAAS,IAAI,CAAC,CAAC,UAAU,EAAE,MAAM,EAAE,MAAM,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,EAAE,CAAC;gBAC3E,MAAM,IAAI,KAAK,CAAC,iEAAiE,CAAC,CAAC;YACrF,CAAC;YAED,MAAM,OAAO,GAAgB;gBAC3B,MAAM,EAAE,MAAM,IAAI,KAAK;gBACvB,IAAI,EAAE,IAAI,IAAI,CAAC;gBACf,MAAM,EAAE,MAAM,IAAI,UAAU;aAC7B,CAAC;YAEF,6CAA6C;YAC7C,MAAM,cAAc,GAAG,IAAI,OAAO,CAAC,CAAC,CAAC,EAAE,MAAM,EAAE,EAAE;gBAC/C,UAAU,CAAC,GAAG,EAAE,CAAC,MAAM,CAAC,IAAI,KAAK,CAAC,mCAAmC,CAAC,CAAC,EAAE,KAAK,CAAC,CAAC;YAClF,CAAC,CAAC,CAAC;YAEH,MAAM,MAAM,GAAG,MAAM,OAAO,CAAC,IAAI,CAAC;gBAChC,IAAI,CAAC,GAAG,EAAE,OAAO,CAAC;gBAClB,cAAc;aACf,CAAQ,CAAC;YAEV,6CAA6C;YAC7C,IAAI,UAAkB,CAAC;YACvB,IAAI,CAAC;gBACH,UAAU,GAAG,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC;YAC/C,CAAC;YAAC,OAAO,SAAS,EAAE,CAAC;gBACnB,UAAU,GAAG,IAAI,CAAC,SAAS,CAAC;oBAC1B,KAAK,EAAE,qBAAqB;oBAC5B,OAAO,EAAE,4BAA4B;iBACtC,CAAC,CAAC;YACL,CAAC;YAED,OAAO;gBACL,OAAO,EAAE;oBACP;wBACE,IAAI,EAAE,MAAM;wBACZ,IAAI,EAAE,UAAU;qBACjB;iBACF;aACF,CAAC;QACJ,CAAC;QAED,IAAI,IAAI,KAAK,gBAAgB,EAAE,CAAC;YAC9B,MAAM,EAAE,KAAK,EAAE,KAAK,EAAE,GAAG,IAGxB,CAAC;YAEF,sCAAsC;YACtC,IAAI,CAAC,KAAK,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;gBACxC,MAAM,IAAI,KAAK,CAAC,yBAAyB,CAAC,CAAC;YAC7C,CAAC;YAED,IAAI,KAAK,CAAC,MAAM,GAAG,GAAG,EAAE,CAAC;gBACvB,MAAM,IAAI,KAAK,CAAC,qCAAqC,CAAC,CAAC;YACzD,CAAC;YAED,IAAI,KAAK,KAAK,SAAS,EAAE,CAAC;gBACxB,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,CAAC,KAAK,CAAC,IAAI,KAAK,GAAG,CAAC,IAAI,KAAK,GAAG,EAAE,EAAE,CAAC;oBACzE,MAAM,IAAI,KAAK,CAAC,mDAAmD,CAAC,CAAC;gBACvE,CAAC;YACH,CAAC;YAED,MAAM,WAAW,GAAG,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,GAAG,CAAC,KAAK,IAAI,CAAC,EAAE,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;YAE1D,6CAA6C;YAC7C,MAAM,cAAc,GAAG,IAAI,OAAO,CAAC,CAAC,CAAC,EAAE,MAAM,EAAE,EAAE;gBAC/C,UAAU,CAAC,GAAG,EAAE,CAAC,MAAM,CAAC,IAAI,KAAK,CAAC,sCAAsC,CAAC,CAAC,EAAE,KAAK,CAAC,CAAC;YACrF,CAAC,CAAC,CAAC;YAEH,MAAM,OAAO,GAAG,MAAM,OAAO,CAAC,IAAI,CAAC;gBACjC,SAAS,CAAC,KAAK,EAAE,WAAW,CAAC;gBAC7B,cAAc;aACf,CAAQ,CAAC;YAEV,6CAA6C;YAC7C,IAAI,UAAkB,CAAC;YACvB,IAAI,CAAC;gBACH,UAAU,GAAG,IAAI,CAAC,SAAS,CAAC,OAAO,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC;YAChD,CAAC;YAAC,OAAO,SAAS,EAAE,CAAC;gBACnB,UAAU,GAAG,IAAI,CAAC,SAAS,CAAC;oBAC1B,KAAK,EAAE,qBAAqB;oBAC5B,OAAO,EAAE,6BAA6B;iBACvC,CAAC,CAAC;YACL,CAAC;YAED,OAAO;gBACL,OAAO,EAAE;oBACP;wBACE,IAAI,EAAE,MAAM;wBACZ,IAAI,EAAE,UAAU;qBACjB;iBACF;aACF,CAAC;QACJ,CAAC;QAED,MAAM,IAAI,KAAK,CAAC,iBAAiB,IAAI,EAAE,CAAC,CAAC;IAC3C,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,MAAM,GAAG,GAAG,KAAc,CAAC;QAC3B,OAAO;YACL,OAAO,EAAE;gBACP;oBACE,IAAI,EAAE,MAAM;oBACZ,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC;wBACnB,KAAK,EAAE,GAAG,CAAC,IAAI,IAAI,OAAO;wBAC1B,OAAO,EAAE,GAAG,CAAC,OAAO,IAAI,wBAAwB;qBACjD,EAAE,IAAI,EAAE,CAAC,CAAC;iBACZ;aACF;YACD,OAAO,EAAE,IAAI;SACd,CAAC;IACJ,CAAC;AACH,CAAC,CAAC,CAAC;AAEH,KAAK,UAAU,IAAI;IACjB,MAAM,SAAS,GAAG,IAAI,oBAAoB,EAAE,CAAC;IAC7C,MAAM,MAAM,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;IAEhC,OAAO,CAAC,KAAK,CAAC,qCAAqC,CAAC,CAAC;AACvD,CAAC;AAED,IAAI,EAAE,CAAC,KAAK,CAAC,CAAC,KAAK,EAAE,EAAE;IACrB,OAAO,CAAC,KAAK,CAAC,cAAc,EAAE,KAAK,CAAC,CAAC;IACrC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;AAClB,CAAC,CAAC,CAAC"}

package/dist/server/app.d.ts

@@ -0,0 +1,13 @@
+/**
+ * WebPeel API Server
+ * Express-based REST API for hosted deployments
+ */
+import { Express } from 'express';
+export interface ServerConfig {
+    port?: number;
+    corsOrigins?: string[];
+    rateLimitWindowMs?: number;
+}
+export declare function createApp(config?: ServerConfig): Express;
+export declare function startServer(config?: ServerConfig): void;
+//# sourceMappingURL=app.d.ts.map

package/dist/server/app.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"app.d.ts","sourceRoot":"","sources":["../../src/server/app.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAgB,EAAE,OAAO,EAAmC,MAAM,SAAS,CAAC;AAS5E,MAAM,WAAW,YAAY;IAC3B,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,WAAW,CAAC,EAAE,MAAM,EAAE,CAAC;IACvB,iBAAiB,CAAC,EAAE,MAAM,CAAC;CAC5B;AAED,wBAAgB,SAAS,CAAC,MAAM,GAAE,YAAiB,GAAG,OAAO,CA0D5D;AAED,wBAAgB,WAAW,CAAC,MAAM,GAAE,YAAiB,GAAG,IAAI,CA4B3D"}

package/dist/server/app.js

@@ -0,0 +1,89 @@
+/**
+ * WebPeel API Server
+ * Express-based REST API for hosted deployments
+ */
+import express from 'express';
+import cors from 'cors';
+import { InMemoryAuthStore } from './auth-store.js';
+import { createAuthMiddleware } from './middleware/auth.js';
+import { createRateLimitMiddleware, RateLimiter } from './middleware/rate-limit.js';
+import { createHealthRouter } from './routes/health.js';
+import { createFetchRouter } from './routes/fetch.js';
+import { createSearchRouter } from './routes/search.js';
+export function createApp(config = {}) {
+    const app = express();
+    // Middleware
+    // SECURITY: Limit request body size to prevent DoS
+    app.use(express.json({ limit: '1mb' }));
+    // SECURITY: Restrict CORS - require explicit origin whitelist
+    const corsOrigins = config.corsOrigins || [];
+    app.use(cors({
+        origin: corsOrigins.length > 0 ? corsOrigins : false,
+        credentials: true,
+    }));
+    // Trust proxy (for rate limiting by IP in production)
+    app.set('trust proxy', 1);
+    // Auth store (in-memory for now, swap to PostgreSQL later)
+    const authStore = new InMemoryAuthStore();
+    // Rate limiter
+    const rateLimiter = new RateLimiter(config.rateLimitWindowMs || 60000);
+    // Clean up rate limiter every 5 minutes
+    setInterval(() => {
+        rateLimiter.cleanup();
+    }, 5 * 60 * 1000);
+    // Apply auth middleware globally
+    app.use(createAuthMiddleware(authStore));
+    // Apply rate limiting middleware globally
+    app.use(createRateLimitMiddleware(rateLimiter));
+    // Routes
+    app.use(createHealthRouter());
+    app.use(createFetchRouter(authStore));
+    app.use(createSearchRouter(authStore));
+    // 404 handler
+    app.use((req, res) => {
+        res.status(404).json({
+            error: 'not_found',
+            message: `Route not found: ${req.method} ${req.path}`,
+        });
+    });
+    // Error handler
+    // eslint-disable-next-line @typescript-eslint/no-unused-vars
+    app.use((err, _req, res, _next) => {
+        console.error('Unhandled error:', err);
+        res.status(500).json({
+            error: 'internal_error',
+            message: err.message || 'An unexpected error occurred',
+        });
+    });
+    return app;
+}
+export function startServer(config = {}) {
+    const app = createApp(config);
+    const port = config.port || parseInt(process.env.PORT || '3000', 10);
+    const server = app.listen(port, () => {
+        console.log(`WebPeel API server listening on port ${port}`);
+        console.log(`Health check: http://localhost:${port}/health`);
+        console.log(`Fetch: http://localhost:${port}/v1/fetch?url=<url>`);
+        console.log(`Search: http://localhost:${port}/v1/search?q=<query>`);
+    });
+    // Graceful shutdown
+    const shutdown = () => {
+        console.log('\nShutting down gracefully...');
+        server.close(() => {
+            console.log('Server closed');
+            process.exit(0);
+        });
+        // Force shutdown after 10 seconds
+        setTimeout(() => {
+            console.error('Forced shutdown after timeout');
+            process.exit(1);
+        }, 10000);
+    };
+    process.on('SIGTERM', shutdown);
+    process.on('SIGINT', shutdown);
+}
+// Start server if run directly
+if (import.meta.url === `file://${process.argv[1]}`) {
+    startServer();
+}
+//# sourceMappingURL=app.js.map

package/dist/server/app.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"app.js","sourceRoot":"","sources":["../../src/server/app.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,OAAqD,MAAM,SAAS,CAAC;AAC5E,OAAO,IAAI,MAAM,MAAM,CAAC;AACxB,OAAO,EAAE,iBAAiB,EAAE,MAAM,iBAAiB,CAAC;AACpD,OAAO,EAAE,oBAAoB,EAAE,MAAM,sBAAsB,CAAC;AAC5D,OAAO,EAAE,yBAAyB,EAAE,WAAW,EAAE,MAAM,4BAA4B,CAAC;AACpF,OAAO,EAAE,kBAAkB,EAAE,MAAM,oBAAoB,CAAC;AACxD,OAAO,EAAE,iBAAiB,EAAE,MAAM,mBAAmB,CAAC;AACtD,OAAO,EAAE,kBAAkB,EAAE,MAAM,oBAAoB,CAAC;AAQxD,MAAM,UAAU,SAAS,CAAC,SAAuB,EAAE;IACjD,MAAM,GAAG,GAAG,OAAO,EAAE,CAAC;IAEtB,aAAa;IACb,mDAAmD;IACnD,GAAG,CAAC,GAAG,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,KAAK,EAAE,CAAC,CAAC,CAAC;IAExC,8DAA8D;IAC9D,MAAM,WAAW,GAAG,MAAM,CAAC,WAAW,IAAI,EAAE,CAAC;IAC7C,GAAG,CAAC,GAAG,CAAC,IAAI,CAAC;QACX,MAAM,EAAE,WAAW,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,WAAW,CAAC,CAAC,CAAC,KAAK;QACpD,WAAW,EAAE,IAAI;KAClB,CAAC,CAAC,CAAC;IAEJ,sDAAsD;IACtD,GAAG,CAAC,GAAG,CAAC,aAAa,EAAE,CAAC,CAAC,CAAC;IAE1B,2DAA2D;IAC3D,MAAM,SAAS,GAAG,IAAI,iBAAiB,EAAE,CAAC;IAE1C,eAAe;IACf,MAAM,WAAW,GAAG,IAAI,WAAW,CAAC,MAAM,CAAC,iBAAiB,IAAI,KAAK,CAAC,CAAC;IAEvE,wCAAwC;IACxC,WAAW,CAAC,GAAG,EAAE;QACf,WAAW,CAAC,OAAO,EAAE,CAAC;IACxB,CAAC,EAAE,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;IAElB,iCAAiC;IACjC,GAAG,CAAC,GAAG,CAAC,oBAAoB,CAAC,SAAS,CAAC,CAAC,CAAC;IAEzC,0CAA0C;IAC1C,GAAG,CAAC,GAAG,CAAC,yBAAyB,CAAC,WAAW,CAAC,CAAC,CAAC;IAEhD,SAAS;IACT,GAAG,CAAC,GAAG,CAAC,kBAAkB,EAAE,CAAC,CAAC;IAC9B,GAAG,CAAC,GAAG,CAAC,iBAAiB,CAAC,SAAS,CAAC,CAAC,CAAC;IACtC,GAAG,CAAC,GAAG,CAAC,kBAAkB,CAAC,SAAS,CAAC,CAAC,CAAC;IAEvC,cAAc;IACd,GAAG,CAAC,GAAG,CAAC,CAAC,GAAY,EAAE,GAAa,EAAE,EAAE;QACtC,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;YACnB,KAAK,EAAE,WAAW;YAClB,OAAO,EAAE,oBAAoB,GAAG,CAAC,MAAM,IAAI,GAAG,CAAC,IAAI,EAAE;SACtD,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,gBAAgB;IAChB,6DAA6D;IAC7D,GAAG,CAAC,GAAG,CAAC,CAAC,GAAU,EAAE,IAAa,EAAE,GAAa,EAAE,KAAmB,EAAE,EAAE;QACxE,OAAO,CAAC,KAAK,CAAC,kBAAkB,EAAE,GAAG,CAAC,CAAC;QACvC,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;YACnB,KAAK,EAAE,gBAAgB;YACvB,OAAO,EAAE,GAAG,CAAC,OAAO,IAAI,8BAA8B;SACvD,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,OAAO,GAAG,CAAC;AACb,CAAC;AAED,MAAM,UAAU,WAAW,CAAC,SAAuB,EAAE;IACnD,MAAM,GAAG,GAAG,SAAS,CAAC,MAAM,CAAC,CAAC;IAC9B,MAAM,IAAI,GAAG,MAAM,CAAC,IAAI,IAAI,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,IAAI,IAAI,MAAM,EAAE,EAAE,CAAC,CAAC;IAErE,MAAM,MAAM,GAAG,GAAG,CAAC,MAAM,CAAC,IAAI,EAAE,GAAG,EAAE;QACnC,OAAO,CAAC,GAAG,CAAC,wCAAwC,IAAI,EAAE,CAAC,CAAC;QAC5D,OAAO,CAAC,GAAG,CAAC,kCAAkC,IAAI,SAAS,CAAC,CAAC;QAC7D,OAAO,CAAC,GAAG,CAAC,2BAA2B,IAAI,qBAAqB,CAAC,CAAC;QAClE,OAAO,CAAC,GAAG,CAAC,4BAA4B,IAAI,sBAAsB,CAAC,CAAC;IACtE,CAAC,CAAC,CAAC;IAEH,oBAAoB;IACpB,MAAM,QAAQ,GAAG,GAAG,EAAE;QACpB,OAAO,CAAC,GAAG,CAAC,+BAA+B,CAAC,CAAC;QAC7C,MAAM,CAAC,KAAK,CAAC,GAAG,EAAE;YAChB,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC,CAAC;YAC7B,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAClB,CAAC,CAAC,CAAC;QAEH,kCAAkC;QAClC,UAAU,CAAC,GAAG,EAAE;YACd,OAAO,CAAC,KAAK,CAAC,+BAA+B,CAAC,CAAC;YAC/C,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAClB,CAAC,EAAE,KAAK,CAAC,CAAC;IACZ,CAAC,CAAC;IAEF,OAAO,CAAC,EAAE,CAAC,SAAS,EAAE,QAAQ,CAAC,CAAC;IAChC,OAAO,CAAC,EAAE,CAAC,QAAQ,EAAE,QAAQ,CAAC,CAAC;AACjC,CAAC;AAED,+BAA+B;AAC/B,IAAI,MAAM,CAAC,IAAI,CAAC,GAAG,KAAK,UAAU,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC;IACpD,WAAW,EAAE,CAAC;AAChB,CAAC"}

package/dist/server/auth-store.d.ts

@@ -0,0 +1,28 @@
+/**
+ * Auth store abstraction for API key validation and usage tracking
+ * Designed to easily swap from in-memory to PostgreSQL
+ */
+export interface ApiKeyInfo {
+    key: string;
+    tier: 'free' | 'starter' | 'pro' | 'enterprise';
+    rateLimit: number;
+    accountId?: string;
+    createdAt: Date;
+}
+export interface AuthStore {
+    validateKey(key: string): Promise<ApiKeyInfo | null>;
+    trackUsage(key: string, credits: number): Promise<void>;
+}
+/**
+ * In-memory auth store for development and self-hosted deployments
+ */
+export declare class InMemoryAuthStore implements AuthStore {
+    private keys;
+    private usage;
+    constructor();
+    validateKey(key: string): Promise<ApiKeyInfo | null>;
+    trackUsage(key: string, credits: number): Promise<void>;
+    addKey(keyInfo: ApiKeyInfo): void;
+    getUsage(key: string): number;
+}
+//# sourceMappingURL=auth-store.d.ts.map

package/dist/server/auth-store.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth-store.d.ts","sourceRoot":"","sources":["../../src/server/auth-store.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAIH,MAAM,WAAW,UAAU;IACzB,GAAG,EAAE,MAAM,CAAC;IACZ,IAAI,EAAE,MAAM,GAAG,SAAS,GAAG,KAAK,GAAG,YAAY,CAAC;IAChD,SAAS,EAAE,MAAM,CAAC;IAClB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,SAAS,EAAE,IAAI,CAAC;CACjB;AAED,MAAM,WAAW,SAAS;IACxB,WAAW,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,UAAU,GAAG,IAAI,CAAC,CAAC;IACrD,UAAU,CAAC,GAAG,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;CACzD;AAwCD;;GAEG;AACH,qBAAa,iBAAkB,YAAW,SAAS;IACjD,OAAO,CAAC,IAAI,CAAiC;IAC7C,OAAO,CAAC,KAAK,CAA6B;;IAepC,WAAW,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,UAAU,GAAG,IAAI,CAAC;IAiBpD,UAAU,CAAC,GAAG,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAK7D,MAAM,CAAC,OAAO,EAAE,UAAU,GAAG,IAAI;IAQjC,QAAQ,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM;CAG9B"}

package/dist/server/auth-store.js

@@ -0,0 +1,87 @@
+/**
+ * Auth store abstraction for API key validation and usage tracking
+ * Designed to easily swap from in-memory to PostgreSQL
+ */
+import { timingSafeEqual } from 'crypto';
+/**
+ * Validate API key format and strength
+ * SECURITY: Enforce minimum complexity
+ */
+function validateKeyFormat(key) {
+    // Minimum 32 characters
+    if (key.length < 32) {
+        return false;
+    }
+    // Must contain alphanumeric characters
+    if (!/^[a-zA-Z0-9_-]+$/.test(key)) {
+        return false;
+    }
+    return true;
+}
+/**
+ * Timing-safe key comparison
+ * SECURITY: Prevent timing attacks on key validation
+ */
+function timingSafeKeyCompare(a, b) {
+    // Ensure equal length for comparison
+    if (a.length !== b.length) {
+        // Compare against dummy to prevent timing leak
+        const dummy = 'x'.repeat(Math.max(a.length, b.length));
+        timingSafeEqual(Buffer.from(dummy), Buffer.from(dummy));
+        return false;
+    }
+    try {
+        return timingSafeEqual(Buffer.from(a), Buffer.from(b));
+    }
+    catch {
+        return false;
+    }
+}
+/**
+ * In-memory auth store for development and self-hosted deployments
+ */
+export class InMemoryAuthStore {
+    keys = new Map();
+    usage = new Map();
+    constructor() {
+        // SECURITY: Demo key only in development mode
+        // Removed hardcoded demo key - use addKey() or environment variables
+        if (process.env.NODE_ENV === 'development' && process.env.DEMO_KEY) {
+            this.addKey({
+                key: process.env.DEMO_KEY,
+                tier: 'pro',
+                rateLimit: 300,
+                createdAt: new Date(),
+            });
+        }
+    }
+    async validateKey(key) {
+        // Basic validation
+        if (!key || typeof key !== 'string') {
+            return null;
+        }
+        // SECURITY: Timing-safe comparison to prevent timing attacks
+        for (const [storedKey, keyInfo] of this.keys.entries()) {
+            if (timingSafeKeyCompare(key, storedKey)) {
+                return keyInfo;
+            }
+        }
+        // Constant-time operation for invalid key
+        return null;
+    }
+    async trackUsage(key, credits) {
+        const current = this.usage.get(key) || 0;
+        this.usage.set(key, current + credits);
+    }
+    addKey(keyInfo) {
+        // SECURITY: Validate key format before adding
+        if (!validateKeyFormat(keyInfo.key)) {
+            throw new Error('Invalid API key format: must be at least 32 characters, alphanumeric with - or _');
+        }
+        this.keys.set(keyInfo.key, keyInfo);
+    }
+    getUsage(key) {
+        return this.usage.get(key) || 0;
+    }
+}
+//# sourceMappingURL=auth-store.js.map

package/dist/server/auth-store.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth-store.js","sourceRoot":"","sources":["../../src/server/auth-store.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,EAAE,eAAe,EAAE,MAAM,QAAQ,CAAC;AAezC;;;GAGG;AACH,SAAS,iBAAiB,CAAC,GAAW;IACpC,wBAAwB;IACxB,IAAI,GAAG,CAAC,MAAM,GAAG,EAAE,EAAE,CAAC;QACpB,OAAO,KAAK,CAAC;IACf,CAAC;IAED,uCAAuC;IACvC,IAAI,CAAC,kBAAkB,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC;QAClC,OAAO,KAAK,CAAC;IACf,CAAC;IAED,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;;GAGG;AACH,SAAS,oBAAoB,CAAC,CAAS,EAAE,CAAS;IAChD,qCAAqC;IACrC,IAAI,CAAC,CAAC,MAAM,KAAK,CAAC,CAAC,MAAM,EAAE,CAAC;QAC1B,+CAA+C;QAC/C,MAAM,KAAK,GAAG,GAAG,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC;QACvD,eAAe,CAAC,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC;QACxD,OAAO,KAAK,CAAC;IACf,CAAC;IAED,IAAI,CAAC;QACH,OAAO,eAAe,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC;IACzD,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC;AAED;;GAEG;AACH,MAAM,OAAO,iBAAiB;IACpB,IAAI,GAAG,IAAI,GAAG,EAAsB,CAAC;IACrC,KAAK,GAAG,IAAI,GAAG,EAAkB,CAAC;IAE1C;QACE,8CAA8C;QAC9C,qEAAqE;QACrE,IAAI,OAAO,CAAC,GAAG,CAAC,QAAQ,KAAK,aAAa,IAAI,OAAO,CAAC,GAAG,CAAC,QAAQ,EAAE,CAAC;YACnE,IAAI,CAAC,MAAM,CAAC;gBACV,GAAG,EAAE,OAAO,CAAC,GAAG,CAAC,QAAQ;gBACzB,IAAI,EAAE,KAAK;gBACX,SAAS,EAAE,GAAG;gBACd,SAAS,EAAE,IAAI,IAAI,EAAE;aACtB,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,KAAK,CAAC,WAAW,CAAC,GAAW;QAC3B,mBAAmB;QACnB,IAAI,CAAC,GAAG,IAAI,OAAO,GAAG,KAAK,QAAQ,EAAE,CAAC;YACpC,OAAO,IAAI,CAAC;QACd,CAAC;QAED,6DAA6D;QAC7D,KAAK,MAAM,CAAC,SAAS,EAAE,OAAO,CAAC,IAAI,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,EAAE,CAAC;YACvD,IAAI,oBAAoB,CAAC,GAAG,EAAE,SAAS,CAAC,EAAE,CAAC;gBACzC,OAAO,OAAO,CAAC;YACjB,CAAC;QACH,CAAC;QAED,0CAA0C;QAC1C,OAAO,IAAI,CAAC;IACd,CAAC;IAED,KAAK,CAAC,UAAU,CAAC,GAAW,EAAE,OAAe;QAC3C,MAAM,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;QACzC,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,GAAG,EAAE,OAAO,GAAG,OAAO,CAAC,CAAC;IACzC,CAAC;IAED,MAAM,CAAC,OAAmB;QACxB,8CAA8C;QAC9C,IAAI,CAAC,iBAAiB,CAAC,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC;YACpC,MAAM,IAAI,KAAK,CAAC,kFAAkF,CAAC,CAAC;QACtG,CAAC;QACD,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,OAAO,CAAC,GAAG,EAAE,OAAO,CAAC,CAAC;IACtC,CAAC;IAED,QAAQ,CAAC,GAAW;QAClB,OAAO,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;IAClC,CAAC;CACF"}

package/dist/server/middleware/auth.d.ts

@@ -0,0 +1,18 @@
+/**
+ * API key authentication middleware
+ */
+import { Request, Response, NextFunction } from 'express';
+import { AuthStore, ApiKeyInfo } from '../auth-store.js';
+declare global {
+    namespace Express {
+        interface Request {
+            auth?: {
+                keyInfo: ApiKeyInfo | null;
+                tier: 'free' | 'starter' | 'pro' | 'enterprise';
+                rateLimit: number;
+            };
+        }
+    }
+}
+export declare function createAuthMiddleware(authStore: AuthStore): (req: Request, res: Response, next: NextFunction) => Promise<void>;
+//# sourceMappingURL=auth.d.ts.map

package/dist/server/middleware/auth.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth.d.ts","sourceRoot":"","sources":["../../../src/server/middleware/auth.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,EAAE,OAAO,EAAE,QAAQ,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AAC1D,OAAO,EAAE,SAAS,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAC;AAEzD,OAAO,CAAC,MAAM,CAAC;IACb,UAAU,OAAO,CAAC;QAChB,UAAU,OAAO;YACf,IAAI,CAAC,EAAE;gBACL,OAAO,EAAE,UAAU,GAAG,IAAI,CAAC;gBAC3B,IAAI,EAAE,MAAM,GAAG,SAAS,GAAG,KAAK,GAAG,YAAY,CAAC;gBAChD,SAAS,EAAE,MAAM,CAAC;aACnB,CAAC;SACH;KACF;CACF;AAED,wBAAgB,oBAAoB,CAAC,SAAS,EAAE,SAAS,IACzC,KAAK,OAAO,EAAE,KAAK,QAAQ,EAAE,MAAM,YAAY,mBAsD9D"}

package/dist/server/middleware/auth.js

@@ -0,0 +1,55 @@
+/**
+ * API key authentication middleware
+ */
+export function createAuthMiddleware(authStore) {
+    return async (req, res, next) => {
+        try {
+            // Extract API key from Authorization header or X-API-Key header
+            const authHeader = req.headers.authorization;
+            const apiKeyHeader = req.headers['x-api-key'];
+            let apiKey = null;
+            if (authHeader?.startsWith('Bearer ')) {
+                apiKey = authHeader.slice(7);
+            }
+            else if (apiKeyHeader && typeof apiKeyHeader === 'string') {
+                apiKey = apiKeyHeader;
+            }
+            // SECURITY: Require API key for all non-health endpoints
+            const isHealthEndpoint = req.path === '/health';
+            if (!apiKey && !isHealthEndpoint) {
+                res.status(401).json({
+                    error: 'missing_key',
+                    message: 'API key is required. Provide via Authorization: Bearer <key> or X-API-Key header.',
+                });
+                return;
+            }
+            // Validate API key if provided
+            let keyInfo = null;
+            if (apiKey) {
+                keyInfo = await authStore.validateKey(apiKey);
+                if (!keyInfo) {
+                    res.status(401).json({
+                        error: 'invalid_key',
+                        message: 'Invalid API key',
+                    });
+                    return;
+                }
+            }
+            // Set auth context on request
+            req.auth = {
+                keyInfo,
+                tier: keyInfo?.tier || 'free',
+                rateLimit: keyInfo?.rateLimit || 10,
+            };
+            next();
+        }
+        catch (error) {
+            const err = error;
+            res.status(500).json({
+                error: 'auth_error',
+                message: err.message || 'Authentication failed',
+            });
+        }
+    };
+}
+//# sourceMappingURL=auth.js.map

package/dist/server/middleware/auth.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth.js","sourceRoot":"","sources":["../../../src/server/middleware/auth.ts"],"names":[],"mappings":"AAAA;;GAEG;AAiBH,MAAM,UAAU,oBAAoB,CAAC,SAAoB;IACvD,OAAO,KAAK,EAAE,GAAY,EAAE,GAAa,EAAE,IAAkB,EAAE,EAAE;QAC/D,IAAI,CAAC;YACH,gEAAgE;YAChE,MAAM,UAAU,GAAG,GAAG,CAAC,OAAO,CAAC,aAAa,CAAC;YAC7C,MAAM,YAAY,GAAG,GAAG,CAAC,OAAO,CAAC,WAAW,CAAC,CAAC;YAE9C,IAAI,MAAM,GAAkB,IAAI,CAAC;YAEjC,IAAI,UAAU,EAAE,UAAU,CAAC,SAAS,CAAC,EAAE,CAAC;gBACtC,MAAM,GAAG,UAAU,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;YAC/B,CAAC;iBAAM,IAAI,YAAY,IAAI,OAAO,YAAY,KAAK,QAAQ,EAAE,CAAC;gBAC5D,MAAM,GAAG,YAAY,CAAC;YACxB,CAAC;YAED,yDAAyD;YACzD,MAAM,gBAAgB,GAAG,GAAG,CAAC,IAAI,KAAK,SAAS,CAAC;YAEhD,IAAI,CAAC,MAAM,IAAI,CAAC,gBAAgB,EAAE,CAAC;gBACjC,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;oBACnB,KAAK,EAAE,aAAa;oBACpB,OAAO,EAAE,mFAAmF;iBAC7F,CAAC,CAAC;gBACH,OAAO;YACT,CAAC;YAED,+BAA+B;YAC/B,IAAI,OAAO,GAAsB,IAAI,CAAC;YACtC,IAAI,MAAM,EAAE,CAAC;gBACX,OAAO,GAAG,MAAM,SAAS,CAAC,WAAW,CAAC,MAAM,CAAC,CAAC;gBAC9C,IAAI,CAAC,OAAO,EAAE,CAAC;oBACb,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;wBACnB,KAAK,EAAE,aAAa;wBACpB,OAAO,EAAE,iBAAiB;qBAC3B,CAAC,CAAC;oBACH,OAAO;gBACT,CAAC;YACH,CAAC;YAED,8BAA8B;YAC9B,GAAG,CAAC,IAAI,GAAG;gBACT,OAAO;gBACP,IAAI,EAAE,OAAO,EAAE,IAAI,IAAI,MAAM;gBAC7B,SAAS,EAAE,OAAO,EAAE,SAAS,IAAI,EAAE;aACpC,CAAC;YAEF,IAAI,EAAE,CAAC;QACT,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,MAAM,GAAG,GAAG,KAAc,CAAC;YAC3B,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;gBACnB,KAAK,EAAE,YAAY;gBACnB,OAAO,EAAE,GAAG,CAAC,OAAO,IAAI,uBAAuB;aAChD,CAAC,CAAC;QACL,CAAC;IACH,CAAC,CAAC;AACJ,CAAC"}

package/dist/server/middleware/rate-limit.d.ts

@@ -0,0 +1,23 @@
+/**
+ * Sliding window rate limiting middleware
+ */
+import { Request, Response, NextFunction } from 'express';
+export declare class RateLimiter {
+    private store;
+    private windowMs;
+    constructor(windowMs?: number);
+    /**
+     * Check if request is allowed under rate limit
+     */
+    checkLimit(identifier: string, limit: number): {
+        allowed: boolean;
+        remaining: number;
+        retryAfter?: number;
+    };
+    /**
+     * Clean up old entries (call periodically)
+     */
+    cleanup(): void;
+}
+export declare function createRateLimitMiddleware(limiter: RateLimiter): (req: Request, res: Response, next: NextFunction) => void;
+//# sourceMappingURL=rate-limit.d.ts.map

package/dist/server/middleware/rate-limit.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"rate-limit.d.ts","sourceRoot":"","sources":["../../../src/server/middleware/rate-limit.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,EAAE,OAAO,EAAE,QAAQ,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AAM1D,qBAAa,WAAW;IACtB,OAAO,CAAC,KAAK,CAAqC;IAClD,OAAO,CAAC,QAAQ,CAAS;gBAEb,QAAQ,GAAE,MAAc;IAIpC;;OAEG;IACH,UAAU,CAAC,UAAU,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG;QAC7C,OAAO,EAAE,OAAO,CAAC;QACjB,SAAS,EAAE,MAAM,CAAC;QAClB,UAAU,CAAC,EAAE,MAAM,CAAC;KACrB;IAmCD;;OAEG;IACH,OAAO,IAAI,IAAI;CAWhB;AAED,wBAAgB,yBAAyB,CAAC,OAAO,EAAE,WAAW,IACpD,KAAK,OAAO,EAAE,KAAK,QAAQ,EAAE,MAAM,YAAY,UA+BxD"}