@copilotkit/runtime
Version:
<img src="https://github.com/user-attachments/assets/0a6b64d9-e193-4940-a3f6-60334ac34084" alt="banner" style="border-radius: 12px; border: 2px solid #d6d4fa;" />
54 lines • 2.45 kB
text/typescript
import "reflect-metadata";
//#region src/v2/runtime/handlers/header-utils.d.ts
/**
* Fully-resolved inbound-header forwarding policy read by the call sites.
*
* Distinct from the public `ForwardHeadersConfig` option an integrator passes:
* the runtime resolves that option ONCE in its constructor into this shape
* (lowercasing names/prefixes, defaulting `useDefaultDenylist`, building the
* `allow` set) so the predicate stays branch-simple and the policy can never be
* re-resolved divergently at a call site. See `resolveForwardHeadersPolicy`.
*/
interface ResolvedForwardHeadersPolicy {
/** When true, the built-in infra/platform denylist is active. */
useDefaultDenylist: boolean;
/** Extra exact names to strip (lowercased). */
denyNames: ReadonlySet<string>;
/** Extra prefixes to strip (lowercased). */
denyPrefixes: readonly string[];
/**
* If set, allowlist mode: ONLY these (lowercased) names are candidates to
* forward — and `denyNames` / `denyPrefixes` still subtract from them.
*/
allow?: ReadonlySet<string>;
}
/**
* Public, integrator-facing config for inbound-header forwarding. Resolved into
* a {@link ResolvedForwardHeadersPolicy} by {@link resolveForwardHeadersPolicy}.
*/
interface ForwardHeadersConfig {
/** Strip the built-in infra/platform denylist. @default true */
useDefaultDenylist?: boolean;
/** Additional exact header names to strip (case-insensitive). */
deny?: string[];
/** Additional header-name prefixes to strip (case-insensitive). */
denyPrefixes?: string[];
/**
* If set (with at least one non-empty entry), switch to allowlist mode: ONLY
* these headers are candidates to forward, overriding the default `x-*` /
* `authorization` eligibility (case-insensitive). `deny` / `denyPrefixes`
* still apply and subtract from this set — a header listed in both `allow` and
* `deny` is NOT forwarded.
*
* Footgun: in allowlist mode the built-in DEFAULT denylist (and
* `useDefaultDenylist`) is BYPASSED — only your `allow` set, minus your own
* `deny` / `denyPrefixes`, is forwarded. Do NOT allow-list protected/platform
* headers (e.g. `x-copilotcloud-public-api-key`, `x-forwarded-*`) unless you
* truly intend to forward them, since the default protection does not apply
* here.
*/
allow?: string[];
}
//#endregion
export { ForwardHeadersConfig, ResolvedForwardHeadersPolicy };
//# sourceMappingURL=header-utils.d.mts.map