
//#region src/v2/runtime/handlers/header-utils.d.ts
/**
 * Fully-resolved inbound-header forwarding policy read by the call sites.
 *
 * Distinct from the public `ForwardHeadersConfig` option an integrator passes:
 * the runtime resolves that option ONCE in its constructor into this shape
 * (lowercasing names/prefixes, defaulting `useDefaultDenylist`, building the
 * `allow` set) so the predicate stays branch-simple and the policy can never be
 * re-resolved divergently at a call site. See `resolveForwardHeadersPolicy`.
 */
interface ResolvedForwardHeadersPolicy {
  /** When true, the built-in infra/platform denylist is active. */
  useDefaultDenylist: boolean;
  /** Extra exact names to strip (lowercased). */
  denyNames: ReadonlySet<string>;
  /** Extra prefixes to strip (lowercased). */
  denyPrefixes: readonly string[];
  /**
   * If set, allowlist mode: ONLY these (lowercased) names are candidates to
   * forward — and `denyNames` / `denyPrefixes` still subtract from them.
   */
  allow?: ReadonlySet<string>;
}
/**
 * Public, integrator-facing config for inbound-header forwarding. Resolved into
 * a {@link ResolvedForwardHeadersPolicy} by {@link resolveForwardHeadersPolicy}.
 */
interface ForwardHeadersConfig {
  /** Strip the built-in infra/platform denylist. @default true */
  useDefaultDenylist?: boolean;
  /** Additional exact header names to strip (case-insensitive). */
  deny?: string[];
  /** Additional header-name prefixes to strip (case-insensitive). */
  denyPrefixes?: string[];
  /**
   * If set (with at least one non-empty entry), switch to allowlist mode: ONLY
   * these headers are candidates to forward, overriding the default `x-*` /
   * `authorization` eligibility (case-insensitive). `deny` / `denyPrefixes`
   * still apply and subtract from this set — a header listed in both `allow` and
   * `deny` is NOT forwarded.
   *
   * Footgun: in allowlist mode the built-in DEFAULT denylist (and
   * `useDefaultDenylist`) is BYPASSED — only your `allow` set, minus your own
   * `deny` / `denyPrefixes`, is forwarded. Do NOT allow-list protected/platform
   * headers (e.g. `x-copilotcloud-public-api-key`, `x-forwarded-*`) unless you
   * truly intend to forward them, since the default protection does not apply
   * here.
   */
  allow?: string[];
}
//#endregion
export { ForwardHeadersConfig, ResolvedForwardHeadersPolicy };
//# sourceMappingURL=header-utils.d.cts.map