AikidoSec
diff --git a/‎.github/CODE_OF_CONDUCT.md‎
Lines changed: 10 additions & 10 deletions b/‎.github/CODE_OF_CONDUCT.md‎
Lines changed: 10 additions & 10 deletions
diff --git a/‎.github/ISSUE_TEMPLATE/bug_report.md‎
Lines changed: 2 additions & 0 deletions b/‎.github/ISSUE_TEMPLATE/bug_report.md‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎.github/workflows/lint-code.yml‎
Lines changed: 4 additions & 1 deletion b/‎.github/workflows/lint-code.yml‎
Lines changed: 4 additions & 1 deletion
diff --git a/‎.prettierignore‎
Lines changed: 9 additions & 0 deletions b/‎.prettierignore‎
Lines changed: 9 additions & 0 deletions
diff --git a/‎.prettierrc‎
Lines changed: 1 addition & 1 deletion b/‎.prettierrc‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎README.md‎
Lines changed: 72 additions & 72 deletions b/‎README.md‎
Lines changed: 72 additions & 72 deletions
diff --git a/‎benchmarks/hono-pg/app/posts.js‎
Lines changed: 5 additions & 5 deletions b/‎benchmarks/hono-pg/app/posts.js‎
Lines changed: 5 additions & 5 deletions
diff --git a/‎docs/fastify.md‎
Lines changed: 10 additions & 6 deletions b/‎docs/fastify.md‎
Lines changed: 10 additions & 6 deletions
diff --git a/‎docs/markUnsafe.md‎
Lines changed: 9 additions & 9 deletions b/‎docs/markUnsafe.md‎
Lines changed: 9 additions & 9 deletions
diff --git a/‎docs/restify.md‎
Lines changed: 1 addition & 1 deletion b/‎docs/restify.md‎
Lines changed: 1 addition & 1 deletion
@@ -17,23 +17,23 @@ diverse, inclusive, and healthy community.
 Examples of behavior that contributes to a positive environment for our
 community include:
 
-* Demonstrating empathy and kindness toward other people
-* Being respectful of differing opinions, viewpoints, and experiences
-* Giving and gracefully accepting constructive feedback
-* Accepting responsibility and apologizing to those affected by our mistakes,
+- Demonstrating empathy and kindness toward other people
+- Being respectful of differing opinions, viewpoints, and experiences
+- Giving and gracefully accepting constructive feedback
+- Accepting responsibility and apologizing to those affected by our mistakes,
   and learning from the experience
-* Focusing on what is best not just for us as individuals, but for the overall
+- Focusing on what is best not just for us as individuals, but for the overall
   community
 
 Examples of unacceptable behavior include:
 
-* The use of sexualized language or imagery, and sexual attention or advances of
+- The use of sexualized language or imagery, and sexual attention or advances of
   any kind
-* Trolling, insulting or derogatory comments, and personal or political attacks
-* Public or private harassment
-* Publishing others' private information, such as a physical or email address,
+- Trolling, insulting or derogatory comments, and personal or political attacks
+- Public or private harassment
+- Publishing others' private information, such as a physical or email address,
   without their explicit permission
-* Other conduct which could reasonably be considered inappropriate in a
+- Other conduct which could reasonably be considered inappropriate in a
   professional setting
 
 ## Enforcement Responsibilities
 
@@ -11,6 +11,7 @@ A clear and concise description of what went wrong.
 
 **To Reproduce**
 Steps to reproduce the behavior:
+
 1. …
 2. …
 3. …
@@ -22,6 +23,7 @@ What you expected to happen.
 What actually happened (include logs or error messages if possible).
 
 **Environment**
+
 - OS: [e.g. Ubuntu 22.04, macOS 15.0, Windows 11]
 - Language version: [e.g. 18, 20, 22]
 - Framework: [e.g. Express, Hono, Fastify]
 
@@ -33,7 +33,10 @@ jobs:
         run: npm i -g [email protected]
       - run: npm run install-lib-only
       - run: npm run build
-      - run: npm run lint
+      - name: Run Linter for JavaScript/TypeScript
+        run: npm run lint
+      - name: Check formatting
+        run: npm run format:check
       - name: Check Rust formatting
         run: cd instrumentation-wasm && cargo fmt --check
       - name: Run Rust Linter
 
@@ -0,0 +1,9 @@
+.tap/
+internals/
+wasm/
+.next/
+out/
+build/
+dist/
+coverage/
+.esm-tests/
@@ -4,4 +4,4 @@
   "useTabs": false,
   "semi": true,
   "singleQuote": false
-}
+}
@@ -2,12 +2,12 @@
 
 # Zen, in-app firewall for Node.js | by Aikido
 
-[![NPM Version](https://img.shields.io/npm/v/%40aikidosec%2Ffirewall?style=flat-square)](https://www.npmjs.com/package/@aikidosec/firewall) 
-[![Codecov](https://img.shields.io/codecov/c/github/AikidoSec/firewall-node?style=flat-square&token=AJK9LU35GY)](https://app.codecov.io/gh/aikidosec/firewall-node) 
-[![NPM License](https://img.shields.io/npm/l/%40aikidosec%2Ffirewall?style=flat-square)](https://github.com/AikidoSec/firewall-node/blob/main/LICENSE) 
-[![PRs Welcome](https://img.shields.io/badge/PRs-welcome-brightgreen.svg?style=flat-square)](http://makeapullrequest.com) 
-[![Unit tests](https://github.com/AikidoSec/firewall-node/actions/workflows/unit-test.yml/badge.svg)](https://github.com/AikidoSec/firewall-node/actions/workflows/unit-test.yml) 
-[![End to end tests](https://github.com/AikidoSec/firewall-node/actions/workflows/end-to-end-tests.yml/badge.svg)](https://github.com/AikidoSec/firewall-node/actions/workflows/end-to-end-tests.yml) 
+[![NPM Version](https://img.shields.io/npm/v/%40aikidosec%2Ffirewall?style=flat-square)](https://www.npmjs.com/package/@aikidosec/firewall)
+[![Codecov](https://img.shields.io/codecov/c/github/AikidoSec/firewall-node?style=flat-square&token=AJK9LU35GY)](https://app.codecov.io/gh/aikidosec/firewall-node)
+[![NPM License](https://img.shields.io/npm/l/%40aikidosec%2Ffirewall?style=flat-square)](https://github.com/AikidoSec/firewall-node/blob/main/LICENSE)
+[![PRs Welcome](https://img.shields.io/badge/PRs-welcome-brightgreen.svg?style=flat-square)](http://makeapullrequest.com)
+[![Unit tests](https://github.com/AikidoSec/firewall-node/actions/workflows/unit-test.yml/badge.svg)](https://github.com/AikidoSec/firewall-node/actions/workflows/unit-test.yml)
+[![End to end tests](https://github.com/AikidoSec/firewall-node/actions/workflows/end-to-end-tests.yml/badge.svg)](https://github.com/AikidoSec/firewall-node/actions/workflows/end-to-end-tests.yml)
 
 Zen, your in-app firewall for peace of mind– at runtime.
 
@@ -19,100 +19,100 @@ It protects your Node.js apps by scanning user input and where that data eventua
 
 Zen will autonomously protect your Node.js applications against:
 
-* 🛡️ [NoSQL injection attacks](https://www.aikido.dev/blog/web-application-security-vulnerabilities)
-* 🛡️ [SQL injection attacks](https://www.aikido.dev/blog/the-state-of-sql-injections)
-* 🛡️ [Command injection attacks](https://www.aikido.dev/blog/command-injection-in-2024-unpacked)
-* 🛡️ [Prototype pollution](./docs/prototype-pollution.md)
-* 🛡️ [Path traversal attacks](https://owasp.org/www-community/attacks/Path_Traversal)
-* 🛡️ [Server-side request forgery (SSRF)](./docs/ssrf.md)
-* 🛡️ [Attack wave detection](https://help.aikido.dev/zen-firewall/zen-features/attack-wave-protection)
-* 🛡️ JS injection
+- 🛡️ [NoSQL injection attacks](https://www.aikido.dev/blog/web-application-security-vulnerabilities)
+- 🛡️ [SQL injection attacks](https://www.aikido.dev/blog/the-state-of-sql-injections)
+- 🛡️ [Command injection attacks](https://www.aikido.dev/blog/command-injection-in-2024-unpacked)
+- 🛡️ [Prototype pollution](./docs/prototype-pollution.md)
+- 🛡️ [Path traversal attacks](https://owasp.org/www-community/attacks/Path_Traversal)
+- 🛡️ [Server-side request forgery (SSRF)](./docs/ssrf.md)
+- 🛡️ [Attack wave detection](https://help.aikido.dev/zen-firewall/zen-features/attack-wave-protection)
+- 🛡️ JS injection
 
 Zen operates autonomously on the same server as your Node.js app to:
 
-* ✅ Secure your app like a classic web application firewall (WAF), but with none of the infrastructure or cost.
-* ✅ Auto-generate API specifications
-* ✅ Block known threat actors and bots.
-* ✅ Geo-fencing to block or allow a selection of countries
-* ✅ Rate limit specific API endpoints by IP or by user
-* ✅ Allows you to block specific users manually
+- ✅ Secure your app like a classic web application firewall (WAF), but with none of the infrastructure or cost.
+- ✅ Auto-generate API specifications
+- ✅ Block known threat actors and bots.
+- ✅ Geo-fencing to block or allow a selection of countries
+- ✅ Rate limit specific API endpoints by IP or by user
+- ✅ Allows you to block specific users manually
 
 ## Supported libraries and frameworks
 
 Zen for Node.js 16+ is compatible with:
 
 ### Web frameworks
 
-* ✅ [Express](docs/express.md) 4.x, 5.x
-* ✅ [Hono](docs/hono.md) 4.x
-* ✅ [hapi](docs/hapi.md) 21.x
-* ✅ [micro](docs/micro.md) 10.x
-* ✅ [Next.js](docs/next.md) 12.x, 13.x and 14.x
-* ✅ [Fastify](docs/fastify.md) 4.x and 5.x
-* ✅ [Koa](docs/koa.md) 3.x and 2.x
-* ✅ [NestJS](docs/nestjs.md) 10.x and 11.x
-* ✅ [Restify](docs/restify.md) 11.x, 10.x, 9.x and 8.x
+- ✅ [Express](docs/express.md) 4.x, 5.x
+- ✅ [Hono](docs/hono.md) 4.x
+- ✅ [hapi](docs/hapi.md) 21.x
+- ✅ [micro](docs/micro.md) 10.x
+- ✅ [Next.js](docs/next.md) 12.x, 13.x and 14.x
+- ✅ [Fastify](docs/fastify.md) 4.x and 5.x
+- ✅ [Koa](docs/koa.md) 3.x and 2.x
+- ✅ [NestJS](docs/nestjs.md) 10.x and 11.x
+- ✅ [Restify](docs/restify.md) 11.x, 10.x, 9.x and 8.x
 
 ### Database drivers
 
-* ✅ [`mongodb`](https://www.npmjs.com/package/mongodb) 4.x, 5.x and 6.x _(npm package versions, not MongoDB server versions)_
-* ✅ [`mongoose`](https://www.npmjs.com/package/mongoose) 8.x, 7.x and 6.x
-* ✅ [`pg`](https://www.npmjs.com/package/pg) 8.x and 7.x
-* ✅ [`mysql`](https://www.npmjs.com/package/mysql) 2.x
-* ✅ [`mysql2`](https://www.npmjs.com/package/mysql2) 3.x
-* ✅ [`mariadb`](https://www.npmjs.com/package/mariadb) 3.x
-* ✅ [`sqlite3`](https://www.npmjs.com/package/sqlite3) 5.x
-* ✅ [`node:sqlite`](https://nodejs.org/api/sqlite.html)
-* ✅ [`better-sqlite3`](https://www.npmjs.com/package/better-sqlite3) 12.x, 11.x, 10.x, 9.x and 8.x
-* ✅ [`postgres`](https://www.npmjs.com/package/postgres) 3.x
-* ✅ [`@clickhouse/client`](https://www.npmjs.com/package/@clickhouse/client) 1.x
-* ✅ [`@prisma/client`](https://www.npmjs.com/package/@prisma/client) 5.x
+- ✅ [`mongodb`](https://www.npmjs.com/package/mongodb) 4.x, 5.x and 6.x _(npm package versions, not MongoDB server versions)_
+- ✅ [`mongoose`](https://www.npmjs.com/package/mongoose) 8.x, 7.x and 6.x
+- ✅ [`pg`](https://www.npmjs.com/package/pg) 8.x and 7.x
+- ✅ [`mysql`](https://www.npmjs.com/package/mysql) 2.x
+- ✅ [`mysql2`](https://www.npmjs.com/package/mysql2) 3.x
+- ✅ [`mariadb`](https://www.npmjs.com/package/mariadb) 3.x
+- ✅ [`sqlite3`](https://www.npmjs.com/package/sqlite3) 5.x
+- ✅ [`node:sqlite`](https://nodejs.org/api/sqlite.html)
+- ✅ [`better-sqlite3`](https://www.npmjs.com/package/better-sqlite3) 12.x, 11.x, 10.x, 9.x and 8.x
+- ✅ [`postgres`](https://www.npmjs.com/package/postgres) 3.x
+- ✅ [`@clickhouse/client`](https://www.npmjs.com/package/@clickhouse/client) 1.x
+- ✅ [`@prisma/client`](https://www.npmjs.com/package/@prisma/client) 5.x
 
 ### Cloud providers
 
-* ✅ [`@google-cloud/functions-framework`](https://www.npmjs.com/package/@google-cloud/functions-framework) 4.x, 3.x
-* ✅ [`@google-cloud/pubsub`](https://www.npmjs.com/package/@google-cloud/pubsub) 5.x, 4.x
-* ✅ Google Cloud Functions
-* ✅ AWS Lambda
+- ✅ [`@google-cloud/functions-framework`](https://www.npmjs.com/package/@google-cloud/functions-framework) 4.x, 3.x
+- ✅ [`@google-cloud/pubsub`](https://www.npmjs.com/package/@google-cloud/pubsub) 5.x, 4.x
+- ✅ Google Cloud Functions
+- ✅ AWS Lambda
 
 ### ORMs and query builders
 
 See list above for supported database drivers.
 
-* ✅ [`sequelize`](https://www.npmjs.com/package/sequelize)
-* ✅ [`knex`](https://www.npmjs.com/package/knex)
-* ✅ [`typeorm`](https://www.npmjs.com/package/typeorm)
-* ✅ [`bookshelf`](https://www.npmjs.com/package/bookshelf)
-* ✅ [`drizzle-orm`](https://www.npmjs.com/package/drizzle-orm)
+- ✅ [`sequelize`](https://www.npmjs.com/package/sequelize)
+- ✅ [`knex`](https://www.npmjs.com/package/knex)
+- ✅ [`typeorm`](https://www.npmjs.com/package/typeorm)
+- ✅ [`bookshelf`](https://www.npmjs.com/package/bookshelf)
+- ✅ [`drizzle-orm`](https://www.npmjs.com/package/drizzle-orm)
 
 ### API tools
 
-* ✅ [`graphql`](https://www.npmjs.com/package/graphql) 15.x, 16.x
+- ✅ [`graphql`](https://www.npmjs.com/package/graphql) 15.x, 16.x
 
 ### Data serialization tools
 
-* ✅ [`xml2js`](https://www.npmjs.com/package/xml2js) 0.6.x, 0.5.x, ^0.4.18
-* ✅ [`fast-xml-parser`](https://www.npmjs.com/package/fast-xml-parser) 5.x, 4.x
-* ✅ [`xml-js`](https://www.npmjs.com/package/xml-js) 1.x
+- ✅ [`xml2js`](https://www.npmjs.com/package/xml2js) 0.6.x, 0.5.x, ^0.4.18
+- ✅ [`fast-xml-parser`](https://www.npmjs.com/package/fast-xml-parser) 5.x, 4.x
+- ✅ [`xml-js`](https://www.npmjs.com/package/xml-js) 1.x
 
 ### Shell tools
 
-* ✅ [`ShellJS`](https://www.npmjs.com/package/shelljs) 0.9.x, 0.8.x, 0.7.x
+- ✅ [`ShellJS`](https://www.npmjs.com/package/shelljs) 0.9.x, 0.8.x, 0.7.x
 
 ### Routers
 
-* ✅ [`@koa/router`](https://www.npmjs.com/package/@koa/router) 14.x, 13.x, 12.x, 11.x and 10.x
+- ✅ [`@koa/router`](https://www.npmjs.com/package/@koa/router) 14.x, 13.x, 12.x, 11.x and 10.x
 
 ### AI SDKs
 
 Zen instruments the following AI SDKs to track which models are used and how many tokens are consumed, allowing you to monitor your AI usage and costs:
 
-* ✅ [`openai`](https://www.npmjs.com/package/openai) 5.x, 4.x
-* ✅ [`@mistralai/mistralai`](https://www.npmjs.com/package/@mistralai/mistralai) 1.x
-* ✅ [`@anthropic-ai/sdk`](https://www.npmjs.com/package/@anthropic-ai/sdk) ^0.40.x
-* ✅ [`@aws-sdk/client-bedrock-runtime`](https://www.npmjs.com/package/@aws-sdk/client-bedrock-runtime) 3.x
-* ✅ [`ai`](https://www.npmjs.com/package/ai) 5.x, 4.x
-* ✅ [`@google/genai`](https://www.npmjs.com/package/@google/genai) ^1.6.0
+- ✅ [`openai`](https://www.npmjs.com/package/openai) 5.x, 4.x
+- ✅ [`@mistralai/mistralai`](https://www.npmjs.com/package/@mistralai/mistralai) 1.x
+- ✅ [`@anthropic-ai/sdk`](https://www.npmjs.com/package/@anthropic-ai/sdk) ^0.40.x
+- ✅ [`@aws-sdk/client-bedrock-runtime`](https://www.npmjs.com/package/@aws-sdk/client-bedrock-runtime) 3.x
+- ✅ [`ai`](https://www.npmjs.com/package/ai) 5.x, 4.x
+- ✅ [`@google/genai`](https://www.npmjs.com/package/@google/genai) ^1.6.0
 
 _Note: Prompt injection attacks are currently not covered by Zen._
 
@@ -154,18 +154,18 @@ If an attack on your application is detected, we report immediately allowing you
 
 You can easily select which IP addresses and/or bots to block from curated lists inside our Dashboard.
 
-
 You will need an Aikido account and a token to report events to Aikido. If you don't have an account, you can [sign up for free](https://app.aikido.dev/login). (No credit card required)
 
 Here's how:
-* [Log in to your Aikido account](https://app.aikido.dev/login).
-* Go to [Zen](https://app.aikido.dev/runtime/services).
-* Go to apps.
-* Click on **Add app**.
-* Choose a name for your app.
-* Click **Generate token**.
-* Copy the token.
-* Set the token as an environment variable, `AIKIDO_TOKEN`, using [dotenv](https://github.com/motdotla/dotenv) or another method of your choosing.
+
+- [Log in to your Aikido account](https://app.aikido.dev/login).
+- Go to [Zen](https://app.aikido.dev/runtime/services).
+- Go to apps.
+- Click on **Add app**.
+- Choose a name for your app.
+- Click **Generate token**.
+- Copy the token.
+- Set the token as an environment variable, `AIKIDO_TOKEN`, using [dotenv](https://github.com/motdotla/dotenv) or another method of your choosing.
 
 ## Running in production (blocking) mode
 
@@ -185,7 +185,7 @@ This program is offered under a commercial and under the AGPL license.
 You can be released from the requirements of the AGPL license by purchasing
 a commercial license. Buying such a license is mandatory as soon as you
 develop commercial activities involving the Zen software without
-disclosing the source code of your own applications. 
+disclosing the source code of your own applications.
 
 For more information, please contact Aikido Security at this
 address: [email protected] or create an account at https://app.aikido.dev.
 
@@ -20,21 +20,21 @@ class Posts {
 
   async add(title, text, authors) {
     const articleRes = await this.db.query(
-      'INSERT INTO posts (title, text) VALUES ($1, $2) RETURNING id',
+      "INSERT INTO posts (title, text) VALUES ($1, $2) RETURNING id",
       [title, text]
     );
 
     const articleId = articleRes.rows[0].id;
 
     for (const author of authors) {
       const authorExists = await this.db.query(
-        'SELECT id FROM authors WHERE name = $1',
+        "SELECT id FROM authors WHERE name = $1",
         [author]
       );
       let authorId;
       if (authorExists.rows.length === 0) {
         const authorRes = await this.db.query(
-          'INSERT INTO authors (name) VALUES ($1) RETURNING id',
+          "INSERT INTO authors (name) VALUES ($1) RETURNING id",
           [author]
         );
         authorId = authorRes.rows[0].id;
@@ -43,15 +43,15 @@ class Posts {
       }
 
       await this.db.query(
-        'INSERT INTO post_authors (post_id, author_id) VALUES ($1, $2)',
+        "INSERT INTO post_authors (post_id, author_id) VALUES ($1, $2)",
         [articleId, authorId]
       );
     }
   }
 
   async find(title) {
     const post = await this.db.query(
-      'SELECT title, text FROM posts WHERE title = $1',
+      "SELECT title, text FROM posts WHERE title = $1",
       [title]
     );
 
 
@@ -80,12 +80,16 @@ async function authenticate(request, reply) {
   });
 }
 
-fastify.get('/dashboard', {
-  preHandler: [authenticate, Zen.fastifyHook],
-                          // ^ Add the Zen hook after your authentication logic
-}, async (request, reply) => {
-  return { message: "Welcome to your dashboard!" };
-});
+fastify.get(
+  "/dashboard",
+  {
+    preHandler: [authenticate, Zen.fastifyHook],
+    // ^ Add the Zen hook after your authentication logic
+  },
+  async (request, reply) => {
+    return { message: "Welcome to your dashboard!" };
+  }
+);
 ```
 
 This approach allows user blocking and rate limiting to work properly when authentication runs in the `preHandler` stage where the request body is parsed.
 
@@ -14,8 +14,8 @@ const completion = await openai.chat.completions.create({
   messages: [
     {
       role: "user",
-      content: "Read the contents of the config file"
-    }
+      content: "Read the contents of the config file",
+    },
   ],
   tools: [
     {
@@ -28,14 +28,14 @@ const completion = await openai.chat.completions.create({
           properties: {
             filepath: {
               type: "string",
-              description: "The path to the file to read"
-            }
+              description: "The path to the file to read",
+            },
           },
-          required: ["filepath"]
-        }
-      }
-    }
-  ]
+          required: ["filepath"],
+        },
+      },
+    },
+  ],
 });
 
 const toolCall = completion.choices[0].message.tool_calls[0];
 
@@ -85,4 +85,4 @@ Zen can also protect your application against prototype pollution attacks.
 Read [Protect against prototype pollution](./prototype-pollution.md) to learn how to set it up.
 
 That's it! Your app is now protected by Zen.  
-If you want to see a full example, check our [Restify sample app](../sample-apps/restify-postgres). 
+If you want to see a full example, check our [Restify sample app](../sample-apps/restify-postgres).