@aigne/afs-dns 1.11.0-beta.10

package/dist/index.mjs

@@ -0,0 +1,2013 @@
+import { createRequire } from "node:module";
+import { minimatch } from "minimatch";
+import { z } from "zod";
+import { ChangeResourceRecordSetsCommand, GetHostedZoneCommand, ListHostedZonesCommand, ListResourceRecordSetsCommand, Route53Client } from "@aws-sdk/client-route-53";
+
+//#region rolldown:runtime
+var __require = /* @__PURE__ */ createRequire(import.meta.url);
+
+//#endregion
+//#region src/clouddns/adapter.ts
+var CloudDNSAdapter = class {
+	client;
+	zoneCache = /* @__PURE__ */ new Map();
+	constructor(options = {}) {
+		if (options.client) this.client = options.client;
+		else {
+			const { DNS } = __require("@google-cloud/dns");
+			this.client = new DNS({
+				projectId: options.projectId,
+				keyFilename: options.keyFilename
+			});
+		}
+	}
+	/**
+	* List all managed zones
+	*/
+	async listZones() {
+		const [zones] = await this.client.getZones();
+		return zones.map((zone) => ({
+			domain: zone.meta.dnsName.replace(/\.$/, ""),
+			id: zone.meta.id,
+			provider: "clouddns",
+			nameservers: zone.meta.nameServers ?? [],
+			recordCount: void 0
+		}));
+	}
+	/**
+	* List all record names in a zone
+	*/
+	async listRecords(zoneDomain) {
+		const [records] = await (await this.getZone(zoneDomain)).getRecords();
+		const normalizedDomain = zoneDomain.endsWith(".") ? zoneDomain : `${zoneDomain}.`;
+		const names = /* @__PURE__ */ new Set();
+		for (const record of records) {
+			const name = this.extractRecordName(record.name, normalizedDomain);
+			names.add(name);
+		}
+		names.add("_zone");
+		return Array.from(names);
+	}
+	/**
+	* Get all records for a specific name
+	*/
+	async getRecord(zoneDomain, name) {
+		const [records] = await (await this.getZone(zoneDomain)).getRecords();
+		const normalizedDomain = zoneDomain.endsWith(".") ? zoneDomain : `${zoneDomain}.`;
+		const fqdn = name === "@" ? zoneDomain : `${name}.${zoneDomain}`;
+		const targetName = name === "@" ? normalizedDomain : `${name}.${normalizedDomain}`;
+		return {
+			fqdn,
+			records: records.filter((r) => r.name === targetName).map((r) => this.parseRecord(r))
+		};
+	}
+	/**
+	* Get zone metadata
+	*/
+	async getZoneMetadata(zoneDomain) {
+		const zone = await this.getZone(zoneDomain);
+		return {
+			domain: zone.meta.dnsName.replace(/\.$/, ""),
+			id: zone.meta.id,
+			provider: "clouddns",
+			nameservers: zone.meta.nameServers ?? [],
+			recordCount: void 0
+		};
+	}
+	/**
+	* Set records for a name (create or update)
+	*/
+	async setRecord(zoneDomain, name, records, _options) {
+		const zone = await this.getZone(zoneDomain);
+		const normalizedDomain = zoneDomain.endsWith(".") ? zoneDomain : `${zoneDomain}.`;
+		const fqdn = name === "@" ? normalizedDomain : `${name}.${normalizedDomain}`;
+		const [existingRecords] = await zone.getRecords();
+		const toDelete = existingRecords.filter((r) => {
+			if (r.name !== fqdn) return false;
+			return records.some((newRec) => newRec.type === r.type);
+		});
+		for (const record of records) {
+			const changeConfig = { add: this.buildCloudRecord(zone, fqdn, record) };
+			const matchingDeletes = toDelete.filter((r) => r.type === record.type);
+			if (matchingDeletes.length > 0) changeConfig.delete = matchingDeletes;
+			await zone.createChange(changeConfig);
+		}
+	}
+	/**
+	* Delete records for a name
+	*/
+	async deleteRecord(zoneDomain, name, type, _options) {
+		const zone = await this.getZone(zoneDomain);
+		const normalizedDomain = zoneDomain.endsWith(".") ? zoneDomain : `${zoneDomain}.`;
+		const fqdn = name === "@" ? normalizedDomain : `${name}.${normalizedDomain}`;
+		const [existingRecords] = await zone.getRecords();
+		const toDelete = existingRecords.filter((r) => {
+			if (r.name !== fqdn) return false;
+			if (type && r.type !== type) return false;
+			return true;
+		});
+		if (toDelete.length === 0) return;
+		await zone.createChange({ delete: toDelete });
+	}
+	/**
+	* Get zone by domain name
+	*/
+	async getZone(zoneDomain) {
+		if (this.zoneCache.has(zoneDomain)) return this.zoneCache.get(zoneDomain);
+		const [zones] = await this.client.getZones();
+		const normalizedDomain = zoneDomain.endsWith(".") ? zoneDomain : `${zoneDomain}.`;
+		const zone = zones.find((z$1) => z$1.meta.dnsName === normalizedDomain);
+		if (!zone) {
+			const error = /* @__PURE__ */ new Error(`Zone not found: ${zoneDomain}`);
+			error.name = "ZoneNotFound";
+			throw error;
+		}
+		this.zoneCache.set(zoneDomain, zone);
+		return zone;
+	}
+	/**
+	* Extract record name from FQDN
+	*/
+	extractRecordName(fqdn, zoneDomain) {
+		const normalizedFqdn = fqdn.endsWith(".") ? fqdn : `${fqdn}.`;
+		const normalizedZone = zoneDomain.endsWith(".") ? zoneDomain : `${zoneDomain}.`;
+		if (normalizedFqdn === normalizedZone) return "@";
+		return normalizedFqdn.replace(/* @__PURE__ */ new RegExp(`\\.?${normalizedZone.replace(/\./g, "\\.")}$`), "") || "@";
+	}
+	/**
+	* Parse Cloud DNS record to DNSRecord
+	*/
+	parseRecord(record) {
+		const { type, ttl, data } = record;
+		switch (type) {
+			case "A":
+			case "AAAA":
+			case "NS":
+			case "TXT":
+			case "PTR": return {
+				type,
+				ttl,
+				values: data
+			};
+			case "CNAME": return {
+				type: "CNAME",
+				ttl,
+				values: data[0] ?? ""
+			};
+			case "MX": return {
+				type: "MX",
+				ttl,
+				values: data.map((v) => {
+					const [priority, value] = v.split(" ", 2);
+					return {
+						priority: Number.parseInt(priority ?? "0", 10),
+						value: value ?? ""
+					};
+				})
+			};
+			case "SRV": return {
+				type: "SRV",
+				ttl,
+				values: data.map((v) => {
+					const [priority, weight, port, target] = v.split(" ", 4);
+					return {
+						priority: Number.parseInt(priority ?? "0", 10),
+						weight: Number.parseInt(weight ?? "0", 10),
+						port: Number.parseInt(port ?? "0", 10),
+						target: target ?? ""
+					};
+				})
+			};
+			case "CAA": return {
+				type: "CAA",
+				ttl,
+				values: data.map((v) => {
+					const match = v.match(/^(\d+)\s+(\w+)\s+"?(.+?)"?$/);
+					if (match) return {
+						flags: Number.parseInt(match[1] ?? "0", 10),
+						tag: match[2] ?? "",
+						value: match[3] ?? ""
+					};
+					return {
+						flags: 0,
+						tag: "",
+						value: v
+					};
+				})
+			};
+			case "SOA": {
+				const soaParts = data[0]?.split(" ") ?? [];
+				return {
+					type: "SOA",
+					ttl,
+					values: {
+						mname: soaParts[0] ?? "",
+						rname: soaParts[1] ?? "",
+						serial: Number.parseInt(soaParts[2] ?? "0", 10),
+						refresh: Number.parseInt(soaParts[3] ?? "0", 10),
+						retry: Number.parseInt(soaParts[4] ?? "0", 10),
+						expire: Number.parseInt(soaParts[5] ?? "0", 10),
+						minimum: Number.parseInt(soaParts[6] ?? "0", 10)
+					}
+				};
+			}
+			default: return {
+				type,
+				ttl,
+				values: data
+			};
+		}
+	}
+	/**
+	* Build Cloud DNS record from DNSRecord
+	*/
+	buildCloudRecord(zone, fqdn, record) {
+		const { type, ttl, values } = record;
+		let data;
+		switch (type) {
+			case "A":
+			case "AAAA":
+			case "NS":
+			case "TXT":
+			case "PTR":
+				data = Array.isArray(values) ? values : [values];
+				break;
+			case "CNAME":
+				data = [typeof values === "string" ? values : values[0] ?? ""];
+				break;
+			case "MX":
+				data = values.map((mx) => `${mx.priority} ${mx.value}`);
+				break;
+			case "SRV":
+				data = values.map((srv) => `${srv.priority} ${srv.weight} ${srv.port} ${srv.target}`);
+				break;
+			case "CAA":
+				data = values.map((caa) => `${caa.flags} ${caa.tag} "${caa.value}"`);
+				break;
+			default: data = Array.isArray(values) ? values : [values];
+		}
+		return zone.record(type.toLowerCase(), {
+			name: fqdn,
+			ttl,
+			data
+		});
+	}
+};
+
+//#endregion
+//#region src/errors/index.ts
+/**
+* DNS Provider Errors
+*
+* Custom error types and Route53 error mapping.
+*/
+var AFSDNSError = class extends Error {
+	code;
+	cause;
+	constructor(message, options) {
+		super(message);
+		this.name = "AFSDNSError";
+		this.code = options?.code ?? "DNS_ERROR";
+		this.cause = options?.cause;
+	}
+};
+var AFSDNSNotFoundError = class extends AFSDNSError {
+	constructor(message, options) {
+		super(message, {
+			code: "DNS_NOT_FOUND",
+			...options
+		});
+		this.name = "AFSDNSNotFoundError";
+	}
+};
+var AFSDNSPermissionDeniedError = class extends AFSDNSError {
+	constructor(message, options) {
+		super(message, {
+			code: "DNS_PERMISSION_DENIED",
+			...options
+		});
+		this.name = "AFSDNSPermissionDeniedError";
+	}
+};
+var AFSDNSRateLimitError = class extends AFSDNSError {
+	retryAfter;
+	constructor(message, options) {
+		super(message, {
+			code: "DNS_RATE_LIMIT",
+			...options
+		});
+		this.name = "AFSDNSRateLimitError";
+		this.retryAfter = options?.retryAfter ?? 1;
+	}
+};
+var AFSDNSInvalidArgumentError = class extends AFSDNSError {
+	constructor(message, options) {
+		super(message, {
+			code: "DNS_INVALID_ARGUMENT",
+			...options
+		});
+		this.name = "AFSDNSInvalidArgumentError";
+	}
+};
+var AFSDNSConflictError = class extends AFSDNSError {
+	constructor(message, options) {
+		super(message, {
+			code: "DNS_CONFLICT",
+			...options
+		});
+		this.name = "AFSDNSConflictError";
+	}
+};
+var AFSDNSNetworkError = class extends AFSDNSError {
+	constructor(message, options) {
+		super(message, {
+			code: "DNS_NETWORK_ERROR",
+			...options
+		});
+		this.name = "AFSDNSNetworkError";
+	}
+};
+/**
+* Map Route53 error to AFS DNS error
+*/
+function mapRoute53Error(error) {
+	const errorName = error.name;
+	const sanitizedMessage = sanitizeErrorMessage(error.message);
+	switch (errorName) {
+		case "NoSuchHostedZone": return new AFSDNSNotFoundError("Zone not found", { cause: error });
+		case "AccessDenied":
+		case "AccessDeniedException": return new AFSDNSPermissionDeniedError("Access denied to DNS zone", { cause: error });
+		case "Throttling":
+		case "ThrottlingException": return new AFSDNSRateLimitError("Rate limit exceeded, please retry", {
+			cause: error,
+			retryAfter: extractRetryAfter(error)
+		});
+		case "InvalidInput":
+		case "InvalidChangeBatch": return new AFSDNSInvalidArgumentError(`Invalid DNS record: ${sanitizedMessage}`, { cause: error });
+		case "PriorRequestNotComplete": return new AFSDNSConflictError("Previous DNS change is still processing, please retry", { cause: error });
+		case "NetworkingError":
+		case "ECONNREFUSED":
+		case "ETIMEDOUT": return new AFSDNSNetworkError("Network error connecting to DNS service", { cause: error });
+		case "ServiceUnavailable": return new AFSDNSNetworkError("DNS service temporarily unavailable", { cause: error });
+		default: return new AFSDNSError(`DNS operation failed: ${sanitizedMessage}`, { cause: error });
+	}
+}
+/**
+* Check if an error is retryable
+*/
+function isRetryableError(error) {
+	return [
+		"Throttling",
+		"ThrottlingException",
+		"PriorRequestNotComplete",
+		"ServiceUnavailable",
+		"ETIMEDOUT",
+		"ECONNRESET"
+	].includes(error.name);
+}
+/**
+* Sanitize error message to remove sensitive information
+*/
+function sanitizeErrorMessage(message) {
+	let sanitized = message;
+	sanitized = sanitized.replace(/\b\d{12}\b/g, "***");
+	sanitized = sanitized.replace(/arn:aws:[^:\s]+:[^:\s]*:[^:\s]*:[^\s]+/g, "arn:aws:***");
+	sanitized = sanitized.replace(/\/hostedzone\/[A-Z0-9]+/g, "/hostedzone/***");
+	sanitized = sanitized.replace(/\bZ[A-Z0-9]{10,}\b/g, "***");
+	sanitized = sanitized.replace(/user\/[^\s,]+/g, "user/***");
+	sanitized = sanitized.replace(/role\/[^\s,]+/g, "role/***");
+	return sanitized;
+}
+/**
+* Extract retry-after hint from error if available
+*/
+function extractRetryAfter(_error) {
+	return 1;
+}
+
+//#endregion
+//#region src/permissions/types.ts
+/**
+* Preset definitions
+*/
+const PRESETS = {
+	safe: {
+		allowDelete: false,
+		dangerous: {
+			modify_ns: false,
+			modify_root: false,
+			modify_wildcard: false,
+			delete_zone: false
+		}
+	},
+	standard: {
+		allowDelete: true,
+		dangerous: {
+			modify_ns: false,
+			modify_root: false,
+			modify_wildcard: false,
+			delete_zone: false
+		}
+	},
+	full: {
+		allowDelete: true,
+		dangerous: {
+			modify_ns: true,
+			modify_root: true,
+			modify_wildcard: true,
+			delete_zone: false
+		}
+	}
+};
+
+//#endregion
+//#region src/permissions/checker.ts
+/**
+* DNS Permission Checker
+*
+* Validates operations against configured permissions.
+*/
+/**
+* Check if an operation is allowed
+*/
+function checkPermission(context, config) {
+	if (context.operation === "read") return { allowed: true };
+	const effective = getEffectivePermissions(config);
+	if (context.operation === "delete" && !effective.allowDelete) return {
+		allowed: false,
+		reason: "Delete operations are not allowed with 'safe' preset",
+		requiredConfig: "preset = \"standard\" or \"full\"",
+		deniedOperation: "delete"
+	};
+	const dangerousOp = detectDangerousOperation(context);
+	if (dangerousOp) {
+		if (!effective.dangerous[dangerousOp]) return {
+			allowed: false,
+			reason: `Operation '${dangerousOp}' is not allowed`,
+			requiredConfig: `[mounts.options.dangerous]\n${dangerousOp} = true`,
+			deniedOperation: dangerousOp
+		};
+	}
+	return { allowed: true };
+}
+/**
+* Get effective permissions by merging preset with explicit config
+*/
+function getEffectivePermissions(config) {
+	const presetConfig = PRESETS[config.preset ?? "standard"];
+	const result = {
+		allowDelete: presetConfig.allowDelete,
+		dangerous: { ...presetConfig.dangerous }
+	};
+	if (config.dangerous) {
+		for (const [key, value] of Object.entries(config.dangerous)) if (value !== void 0) result.dangerous[key] = value;
+	}
+	return result;
+}
+/**
+* Detect if an operation is dangerous
+*/
+function detectDangerousOperation(context) {
+	const { name, type, operation } = context;
+	if (operation === "read") return null;
+	if (name === "@") return "modify_root";
+	if (type === "NS") return "modify_ns";
+	if (name === "*" || name.startsWith("*.")) return "modify_wildcard";
+	return null;
+}
+/**
+* Create a user-friendly error message for permission denial
+*/
+function formatPermissionError(result) {
+	let message = `Permission denied: ${result.reason}`;
+	if (result.requiredConfig) message += `\n\nTo enable this operation, add to your config:\n${result.requiredConfig}`;
+	return message;
+}
+
+//#endregion
+//#region src/security/audit-log.ts
+var AuditLogger = class {
+	config;
+	entries = [];
+	constructor(config = {}) {
+		this.config = config;
+	}
+	/**
+	* Log a write operation
+	*/
+	logWrite(params) {
+		const entry = {
+			timestamp: Date.now(),
+			action: params.action,
+			zone: params.zone,
+			recordName: params.recordName,
+			recordType: params.recordType,
+			values: this.config.maskValues ? this.maskValues(params.values) : params.values,
+			recordCount: Array.isArray(params.values) ? params.values.length : 1,
+			context: params.context
+		};
+		this.emit(entry);
+	}
+	/**
+	* Log a delete operation
+	*/
+	logDelete(params) {
+		const entry = {
+			timestamp: Date.now(),
+			action: "delete",
+			zone: params.zone,
+			recordName: params.recordName,
+			recordType: params.recordType,
+			context: params.context
+		};
+		this.emit(entry);
+	}
+	/**
+	* Log a permission denied event
+	*/
+	logPermissionDenied(params) {
+		const entry = {
+			timestamp: Date.now(),
+			action: "denied",
+			zone: params.zone,
+			recordName: params.recordName,
+			operation: params.operation,
+			reason: params.reason,
+			context: params.context
+		};
+		this.emit(entry);
+	}
+	/**
+	* Get recent log entries (if storeInMemory is enabled)
+	*/
+	getRecentEntries(count) {
+		return this.entries.slice(-count).reverse();
+	}
+	/**
+	* Get entries by zone (if storeInMemory is enabled)
+	*/
+	getEntriesByZone(zone) {
+		return this.entries.filter((e) => e.zone === zone);
+	}
+	/**
+	* Emit a log entry
+	*/
+	emit(entry) {
+		if (this.config.handler) this.config.handler(entry);
+		if (this.config.storeInMemory) {
+			this.entries.push(entry);
+			if (this.config.maxEntries && this.entries.length > this.config.maxEntries) this.entries = this.entries.slice(-this.config.maxEntries);
+		}
+	}
+	/**
+	* Mask sensitive values
+	*/
+	maskValues(values) {
+		return values.map((v) => {
+			if (typeof v === "string") return this.maskString(v);
+			return v;
+		});
+	}
+	/**
+	* Mask sensitive parts of a string
+	*/
+	maskString(value) {
+		return value.replace(/[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}/g, "***@***.***");
+	}
+};
+
+//#endregion
+//#region src/security/input-sanitizer.ts
+/**
+* Sanitize a TXT record value
+*/
+function sanitizeTXTValue(value) {
+	return value;
+}
+/**
+* Reject strings containing null bytes
+*/
+function rejectNullBytes(value) {
+	const values = Array.isArray(value) ? value : [value];
+	for (const v of values) if (v.includes("\0")) throw new Error("Value contains null byte which is not allowed");
+}
+/**
+* Validate input length based on type
+*/
+function validateInputLength(value, type) {
+	switch (type) {
+		case "domain":
+			if (value.length > 253) return {
+				valid: false,
+				error: "Domain name exceeds 253 characters"
+			};
+			break;
+		case "label": {
+			const labels = value.split(".");
+			for (const label of labels) if (label.length > 63) return {
+				valid: false,
+				error: "Label exceeds 63 characters"
+			};
+			break;
+		}
+		case "txt":
+			if (value.length > 4e3) return {
+				valid: false,
+				error: "TXT value exceeds 4000 characters"
+			};
+			break;
+	}
+	return { valid: true };
+}
+/**
+* Escape special characters based on record type
+*/
+function escapeSpecialCharacters(value, recordType) {
+	if (!value) return "";
+	switch (recordType) {
+		case "TXT": return value;
+		default: return value;
+	}
+}
+/**
+* Sanitize a record value based on type
+*/
+function sanitizeRecordValue(value, recordType) {
+	try {
+		rejectNullBytes(value);
+	} catch (e) {
+		return {
+			valid: false,
+			error: e.message
+		};
+	}
+	const lengthResult = validateInputLength(value, recordType === "TXT" ? "txt" : "domain");
+	if (!lengthResult.valid) return {
+		valid: false,
+		error: lengthResult.error
+	};
+	return {
+		valid: true,
+		value: escapeSpecialCharacters(value, recordType)
+	};
+}
+
+//#endregion
+//#region src/security/rate-limiter.ts
+var RateLimiter = class {
+	tokens;
+	lastRefill;
+	config;
+	queue = [];
+	constructor(config) {
+		this.config = config;
+		this.tokens = config.maxRequests;
+		this.lastRefill = Date.now();
+	}
+	/**
+	* Try to acquire a token without waiting
+	* @returns true if token acquired, false if rate limited
+	*/
+	async tryAcquire() {
+		this.refillTokens();
+		if (this.tokens > 0) {
+			this.tokens--;
+			return true;
+		}
+		return false;
+	}
+	/**
+	* Acquire a token, waiting if necessary
+	* Only works if queueRequests is enabled
+	*/
+	async acquire() {
+		this.refillTokens();
+		if (this.tokens > 0) {
+			this.tokens--;
+			return;
+		}
+		if (!this.config.queueRequests) throw new Error("Rate limit exceeded");
+		return new Promise((resolve) => {
+			this.queue.push(resolve);
+			this.scheduleQueueProcessing();
+		});
+	}
+	/**
+	* Get remaining tokens
+	*/
+	getRemaining() {
+		this.refillTokens();
+		return this.tokens;
+	}
+	/**
+	* Get time until next refill in milliseconds
+	*/
+	getResetTime() {
+		const elapsed = Date.now() - this.lastRefill;
+		return Math.max(0, this.config.windowMs - elapsed);
+	}
+	/**
+	* Refill tokens based on elapsed time
+	*/
+	refillTokens() {
+		const now = Date.now();
+		if (now - this.lastRefill >= this.config.windowMs) {
+			this.tokens = this.config.maxRequests;
+			this.lastRefill = now;
+		}
+	}
+	/**
+	* Schedule processing of queued requests
+	*/
+	scheduleQueueProcessing() {
+		if (this.queue.length === 0) return;
+		const delay = this.getResetTime();
+		setTimeout(() => {
+			this.refillTokens();
+			this.processQueue();
+		}, delay);
+	}
+	/**
+	* Process queued requests
+	*/
+	processQueue() {
+		while (this.queue.length > 0 && this.tokens > 0) {
+			const resolve = this.queue.shift();
+			if (resolve) {
+				this.tokens--;
+				resolve();
+			}
+		}
+		if (this.queue.length > 0) this.scheduleQueueProcessing();
+	}
+};
+/**
+* Create a rate limiter with Route53 defaults
+*/
+function createRoute53RateLimiter(overrides) {
+	return new RateLimiter({
+		maxRequests: 5,
+		windowMs: 1e3,
+		queueRequests: false,
+		...overrides
+	});
+}
+
+//#endregion
+//#region src/types/record.ts
+const IPV4_REGEX = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/;
+/**
+* Check if string is a valid IPv4 address
+*/
+function isValidIPv4(ip) {
+	const match = ip.match(IPV4_REGEX);
+	if (!match) return false;
+	for (let i = 1; i <= 4; i++) {
+		const octetStr = match[i];
+		if (!octetStr) return false;
+		const octet = Number.parseInt(octetStr, 10);
+		if (octet < 0 || octet > 255) return false;
+	}
+	return true;
+}
+/**
+* Check if string is a valid IPv6 address
+*/
+function isValidIPv6(ip) {
+	if (ip === "::1" || ip === "::") return true;
+	if ((ip.match(/::/g) || []).length > 1) return false;
+	const parts = ip.split(":");
+	if (parts.length < 3 || parts.length > 8) return false;
+	for (const part of parts) {
+		if (part === "") continue;
+		if (!/^[0-9a-fA-F]{1,4}$/.test(part)) return false;
+	}
+	return true;
+}
+/**
+* Check if string is a valid hostname (not IP)
+*/
+function isValidHostname(hostname) {
+	if (!hostname) return false;
+	if (isValidIPv4(hostname) || isValidIPv6(hostname)) return false;
+	const labels = (hostname.endsWith(".") ? hostname.slice(0, -1) : hostname).split(".");
+	for (const label of labels) {
+		if (!label) return false;
+		if (label.length > 63) return false;
+		if (label.startsWith("-") || label.endsWith("-")) return false;
+		if (!/^[a-zA-Z0-9-]+$/.test(label)) return false;
+	}
+	return true;
+}
+/**
+* Validate A record values
+*/
+function validateARecord(values) {
+	if (!values || values.length === 0) return {
+		valid: false,
+		error: "A record requires at least one IPv4 address"
+	};
+	for (const value of values) if (!isValidIPv4(value)) return {
+		valid: false,
+		error: `Invalid IPv4 address: ${value}`
+	};
+	return { valid: true };
+}
+/**
+* Validate AAAA record values
+*/
+function validateAAAARecord(values) {
+	if (!values || values.length === 0) return {
+		valid: false,
+		error: "AAAA record requires at least one IPv6 address"
+	};
+	for (const value of values) if (!isValidIPv6(value)) return {
+		valid: false,
+		error: `Invalid IPv6 address: ${value}`
+	};
+	return { valid: true };
+}
+/**
+* Validate CNAME record value
+*/
+function validateCNAMERecord(value) {
+	if (!value) return {
+		valid: false,
+		error: "CNAME record requires a hostname"
+	};
+	if (!isValidHostname(value)) return {
+		valid: false,
+		error: `Invalid hostname for CNAME: ${value}`
+	};
+	return { valid: true };
+}
+/**
+* Validate MX record values
+*/
+function validateMXRecord(values) {
+	if (!values || values.length === 0) return {
+		valid: false,
+		error: "MX record requires at least one value"
+	};
+	for (const mx of values) {
+		if (mx.priority < 0 || mx.priority > 65535) return {
+			valid: false,
+			error: `MX priority must be 0-65535, got: ${mx.priority}`
+		};
+		if (!isValidHostname(mx.value)) return {
+			valid: false,
+			error: `Invalid hostname for MX: ${mx.value}`
+		};
+	}
+	return { valid: true };
+}
+/**
+* Validate TXT record values
+*/
+function validateTXTRecord(values) {
+	if (!values) return {
+		valid: false,
+		error: "TXT record requires values array"
+	};
+	return { valid: true };
+}
+/**
+* Validate NS record values
+*/
+function validateNSRecord(values) {
+	if (!values || values.length === 0) return {
+		valid: false,
+		error: "NS record requires at least one nameserver"
+	};
+	for (const value of values) if (!isValidHostname(value)) return {
+		valid: false,
+		error: `Invalid hostname for NS: ${value}`
+	};
+	return { valid: true };
+}
+/**
+* Validate SRV record values
+*/
+function validateSRVRecord(values) {
+	if (!values || values.length === 0) return {
+		valid: false,
+		error: "SRV record requires at least one value"
+	};
+	for (const srv of values) {
+		if (srv.priority < 0 || srv.priority > 65535) return {
+			valid: false,
+			error: `SRV priority must be 0-65535, got: ${srv.priority}`
+		};
+		if (srv.weight < 0 || srv.weight > 65535) return {
+			valid: false,
+			error: `SRV weight must be 0-65535, got: ${srv.weight}`
+		};
+		if (srv.port < 0 || srv.port > 65535) return {
+			valid: false,
+			error: `SRV port must be 0-65535, got: ${srv.port}`
+		};
+		if (!isValidHostname(srv.target) && srv.target !== ".") return {
+			valid: false,
+			error: `Invalid hostname for SRV target: ${srv.target}`
+		};
+	}
+	return { valid: true };
+}
+/**
+* Validate CAA record values
+*/
+function validateCAARecord(values) {
+	if (!values || values.length === 0) return {
+		valid: false,
+		error: "CAA record requires at least one value"
+	};
+	for (const caa of values) {
+		if (caa.flags < 0 || caa.flags > 255) return {
+			valid: false,
+			error: `CAA flags must be 0-255, got: ${caa.flags}`
+		};
+		if (!caa.tag) return {
+			valid: false,
+			error: "CAA record requires a tag"
+		};
+	}
+	return { valid: true };
+}
+/**
+* Validate TTL value
+*/
+function validateTTL(ttl) {
+	if (!Number.isInteger(ttl)) return {
+		valid: false,
+		error: "TTL must be an integer"
+	};
+	if (ttl < 0) return {
+		valid: false,
+		error: "TTL cannot be negative"
+	};
+	if (ttl > 2147483647) return {
+		valid: false,
+		error: "TTL cannot exceed 2147483647"
+	};
+	return { valid: true };
+}
+/**
+* Validate a complete DNS record
+*/
+function validateRecord(record) {
+	const errors = [];
+	if (!record.type) {
+		errors.push("Record type is required");
+		return {
+			valid: false,
+			errors
+		};
+	}
+	if (record.ttl !== void 0) {
+		const ttlResult = validateTTL(record.ttl);
+		if (!ttlResult.valid) errors.push(ttlResult.error);
+	}
+	let valuesResult;
+	switch (record.type) {
+		case "A":
+			valuesResult = validateARecord(record.values);
+			break;
+		case "AAAA":
+			valuesResult = validateAAAARecord(record.values);
+			break;
+		case "CNAME":
+			valuesResult = validateCNAMERecord(Array.isArray(record.values) ? record.values[0] ?? "" : record.values);
+			break;
+		case "MX":
+			valuesResult = validateMXRecord(record.values);
+			break;
+		case "TXT":
+			valuesResult = validateTXTRecord(record.values);
+			break;
+		case "NS":
+			valuesResult = validateNSRecord(record.values);
+			break;
+		case "SRV":
+			valuesResult = validateSRVRecord(record.values);
+			break;
+		case "CAA":
+			valuesResult = validateCAARecord(record.values);
+			break;
+		case "PTR":
+			valuesResult = validateCNAMERecord(Array.isArray(record.values) ? record.values[0] ?? "" : record.values);
+			break;
+		case "SOA":
+			valuesResult = { valid: true };
+			break;
+		default: valuesResult = {
+			valid: false,
+			error: `Unknown record type: ${record.type}`
+		};
+	}
+	if (!valuesResult.valid) errors.push(valuesResult.error);
+	return {
+		valid: errors.length === 0,
+		errors: errors.length > 0 ? errors : void 0
+	};
+}
+
+//#endregion
+//#region src/provider/dns-provider.ts
+var DNSProvider = class {
+	name;
+	description;
+	accessMode;
+	zone;
+	adapter;
+	permissions;
+	auditLogger;
+	rateLimiter;
+	/**
+	* Schema for configuration validation
+	*/
+	static schema() {
+		return z.object({ zone: z.string() });
+	}
+	/**
+	* Provider manifest for URI-based discovery
+	*/
+	static manifest() {
+		return {
+			name: "dns",
+			description: "DNS zone management — Route53 and Google Cloud DNS.\n- List, create, update, and delete DNS records (A, AAAA, CNAME, MX, TXT, etc.)\n- Audit logging and rate limiting for safe zone modifications\n- Path structure: `/{zone}/{record-name}`",
+			uriTemplate: "dns://{zone}",
+			category: "cloud-dns",
+			schema: z.object({ zone: z.string() }),
+			tags: ["dns", "cloud"]
+		};
+	}
+	constructor(options) {
+		this.zone = options.zone;
+		this.adapter = options.adapter;
+		this.accessMode = options.accessMode ?? "readonly";
+		this.permissions = options.permissions ?? { preset: "standard" };
+		this.auditLogger = new AuditLogger(options.auditLog);
+		this.rateLimiter = options.rateLimiting !== false ? createRoute53RateLimiter() : null;
+		this.name = `dns:${this.zone}`;
+		this.description = `DNS zone: ${this.zone}`;
+	}
+	async list(path, options) {
+		const normalizedPath = this.normalizePath(path);
+		if ((options?.maxDepth ?? 1) === 0) return { data: [] };
+		if (normalizedPath === "/") {
+			const entries = [];
+			const names = await this.adapter.listRecords(this.zone);
+			for (const name of names) entries.push({
+				id: name,
+				path: `/${name}`,
+				summary: name === "_zone" ? "Zone metadata" : `DNS record: ${name}`,
+				meta: {
+					kind: name === "_zone" ? "dns:zone-meta" : "dns:record",
+					childrenCount: 0
+				}
+			});
+			return { data: entries };
+		}
+		const recordName = this.extractRecordName(normalizedPath);
+		if ((await this.adapter.getRecord(this.zone, recordName)).records.length === 0 && recordName !== "_zone") return { data: [] };
+		return { data: [{
+			id: recordName,
+			path: normalizedPath,
+			summary: recordName === "_zone" ? "Zone metadata" : `DNS record: ${recordName}`,
+			meta: {
+				kind: recordName === "_zone" ? "dns:zone-meta" : "dns:record",
+				childrenCount: 0
+			}
+		}] };
+	}
+	async read(path, _options) {
+		const normalizedPath = this.normalizePath(path);
+		if (normalizedPath === "/.meta/.capabilities") return this.readCapabilities();
+		const { recordName, type } = this.parsePathWithQuery(normalizedPath);
+		if (recordName === "_zone") {
+			const metadata = await this.adapter.getZoneMetadata(this.zone);
+			return { data: {
+				id: "_zone",
+				path: "/_zone",
+				summary: `Zone metadata for ${this.zone}`,
+				meta: { kind: "dns:zone-meta" },
+				content: metadata
+			} };
+		}
+		const recordSet = await this.adapter.getRecord(this.zone, recordName);
+		let records = recordSet.records;
+		if (type) records = records.filter((r) => r.type === type);
+		if (records.length === 0) return { data: void 0 };
+		return { data: {
+			id: recordName,
+			path: normalizedPath.split("?")[0] ?? normalizedPath,
+			summary: `DNS records for ${recordSet.fqdn}`,
+			meta: { kind: "dns:record" },
+			content: {
+				fqdn: recordSet.fqdn,
+				records
+			}
+		} };
+	}
+	async write(path, content, _options) {
+		if (this.accessMode !== "readwrite") throw new Error(`DNS provider is readonly, cannot write to ${path}`);
+		const normalizedPath = this.normalizePath(path);
+		const recordName = this.extractRecordName(normalizedPath);
+		if (recordName === "validate-zone") return this.handleValidateZone();
+		if (recordName === "export-zone") return this.handleExportZone();
+		if (recordName === "_zone") throw new Error("Cannot write to _zone metadata");
+		const record = content.content;
+		if (!record || !record.type) throw new Error("Invalid record content: must include type");
+		this.sanitizeRecordValues(record);
+		const validation = validateRecord(record);
+		if (!validation.valid) throw new Error(`Invalid record: ${validation.errors?.join(", ")}`);
+		const permResult = checkPermission({
+			name: recordName,
+			type: record.type,
+			operation: "write"
+		}, this.permissions);
+		if (!permResult.allowed) {
+			this.auditLogger.logPermissionDenied({
+				zone: this.zone,
+				recordName,
+				operation: permResult.deniedOperation ?? "write",
+				reason: formatPermissionError(permResult)
+			});
+			throw new Error(formatPermissionError(permResult));
+		}
+		await this.acquireRateLimit();
+		const action = (await this.adapter.getRecord(this.zone, recordName)).records.length > 0 ? "update" : "create";
+		await this.adapter.setRecord(this.zone, recordName, [record]);
+		this.auditLogger.logWrite({
+			zone: this.zone,
+			recordName,
+			recordType: record.type,
+			action,
+			values: this.extractValues(record)
+		});
+		return { data: {
+			id: recordName,
+			path: normalizedPath,
+			summary: `Updated DNS record: ${recordName}`,
+			meta: { kind: "dns:record" },
+			content: record
+		} };
+	}
+	async delete(path, _options) {
+		if (this.accessMode !== "readwrite") throw new Error(`DNS provider is readonly, cannot delete ${path}`);
+		const normalizedPath = this.normalizePath(path);
+		const { recordName, type } = this.parsePathWithQuery(normalizedPath);
+		if (recordName === "_zone") throw new Error("Cannot delete _zone metadata");
+		const permResult = checkPermission({
+			name: recordName,
+			type,
+			operation: "delete"
+		}, this.permissions);
+		if (!permResult.allowed) {
+			this.auditLogger.logPermissionDenied({
+				zone: this.zone,
+				recordName,
+				operation: permResult.deniedOperation ?? "delete",
+				reason: formatPermissionError(permResult)
+			});
+			throw new Error(formatPermissionError(permResult));
+		}
+		await this.acquireRateLimit();
+		await this.adapter.deleteRecord(this.zone, recordName, type);
+		this.auditLogger.logDelete({
+			zone: this.zone,
+			recordName,
+			recordType: type
+		});
+		return { message: `Record ${recordName}${type ? ` (${type})` : ""} deleted` };
+	}
+	normalizePath(path) {
+		if (!path.startsWith("/")) return `/${path}`;
+		return path;
+	}
+	extractRecordName(path) {
+		return (path.replace(/^\//, "").split("?")[0] ?? "") || "@";
+	}
+	parsePathWithQuery(path) {
+		const [pathPart, queryPart] = path.split("?");
+		const recordName = this.extractRecordName(pathPart ?? path);
+		let type;
+		if (queryPart) type = new URLSearchParams(queryPart).get("type") ?? void 0;
+		return {
+			recordName,
+			type
+		};
+	}
+	/**
+	* Sanitize record values to prevent injection attacks
+	*/
+	sanitizeRecordValues(record) {
+		const { values } = record;
+		if (typeof values === "string") {
+			rejectNullBytes(values);
+			const result = sanitizeRecordValue(values, record.type);
+			if (!result.valid) throw new Error(`Invalid record value: ${result.error}`);
+		} else if (Array.isArray(values)) {
+			for (const value of values) if (typeof value === "string") {
+				rejectNullBytes(value);
+				const result = sanitizeRecordValue(value, record.type);
+				if (!result.valid) throw new Error(`Invalid record value: ${result.error}`);
+			}
+		}
+	}
+	/**
+	* Acquire rate limit token (waits if necessary)
+	*/
+	async acquireRateLimit() {
+		if (this.rateLimiter) {
+			if (!await this.rateLimiter.tryAcquire()) throw new Error("Rate limit exceeded. Please retry later.");
+		}
+	}
+	/**
+	* Extract values from a record for audit logging
+	*/
+	extractValues(record) {
+		const { values } = record;
+		if (typeof values === "string") return [values];
+		if (Array.isArray(values)) return values;
+		return [values];
+	}
+	async stat(path) {
+		const normalizedPath = this.normalizePath(path);
+		const recordName = this.extractRecordName(normalizedPath);
+		const recordSet = await this.adapter.getRecord(this.zone, recordName);
+		if (recordSet.records.length === 0 && recordName !== "_zone") throw new Error(`Record not found: ${recordName}`);
+		const firstRecord = recordSet.records[0];
+		return { data: {
+			id: recordName,
+			path: normalizedPath,
+			meta: {
+				kind: recordName === "_zone" ? "dns:zone-meta" : "dns:record",
+				recordType: firstRecord?.type,
+				ttl: firstRecord?.ttl,
+				valueCount: recordSet.records.reduce((count, r) => {
+					const v = r.values;
+					if (Array.isArray(v)) return count + v.length;
+					return count + 1;
+				}, 0)
+			}
+		} };
+	}
+	async explain(path) {
+		const normalizedPath = this.normalizePath(path);
+		const recordName = this.extractRecordName(normalizedPath);
+		if (normalizedPath === "/" || recordName === "@") return this.explainRoot();
+		if (recordName === "_zone") return this.explainZone();
+		throw new Error(`Cannot explain path: ${path}`);
+	}
+	async explainRoot() {
+		const metadata = await this.adapter.getZoneMetadata(this.zone);
+		const names = await this.adapter.listRecords(this.zone);
+		return {
+			format: "markdown",
+			content: `# DNS Zone: ${this.zone}
+
+- **Backend**: ${metadata.provider || "unknown"}
+- **Zone ID**: ${metadata.id || "unknown"}
+- **Record Count**: ${names.length}
+- **Nameservers**: ${(metadata.nameservers || []).join(", ") || "unknown"}
+`
+		};
+	}
+	async explainZone() {
+		const metadata = await this.adapter.getZoneMetadata(this.zone);
+		const apex = await this.adapter.getRecord(this.zone, "@");
+		const soaRecord = apex.records.find((r) => r.type === "SOA");
+		const nsRecords = apex.records.filter((r) => r.type === "NS");
+		const lines = [`# Zone Details: ${this.zone}`];
+		lines.push("");
+		lines.push(`- **Domain**: ${metadata.domain || this.zone}`);
+		lines.push(`- **Provider**: ${metadata.provider || "unknown"}`);
+		lines.push(`- **Record Count**: ${metadata.recordCount ?? "unknown"}`);
+		lines.push("");
+		if (soaRecord) {
+			lines.push("## SOA Record");
+			lines.push("");
+			const values = Array.isArray(soaRecord.values) ? soaRecord.values.join(" ") : String(soaRecord.values);
+			lines.push(`\`${values}\``);
+			lines.push("");
+		}
+		if (nsRecords.length > 0) {
+			lines.push("## NS Records");
+			lines.push("");
+			for (const ns of nsRecords) {
+				const values = Array.isArray(ns.values) ? ns.values : [ns.values];
+				for (const v of values) lines.push(`- ${v}`);
+			}
+			lines.push("");
+		}
+		return {
+			format: "markdown",
+			content: lines.join("\n")
+		};
+	}
+	async search(_path, query) {
+		const names = await this.adapter.listRecords(this.zone);
+		const results = [];
+		for (const name of names) {
+			if (name === "_zone") continue;
+			const nameMatches = minimatch(name, query);
+			let valueMatches = false;
+			if (!nameMatches) {
+				const recordSet = await this.adapter.getRecord(this.zone, name);
+				for (const record of recordSet.records) {
+					const values = Array.isArray(record.values) ? record.values : [record.values];
+					for (const v of values) if (String(v).includes(query)) {
+						valueMatches = true;
+						break;
+					}
+					if (valueMatches) break;
+				}
+			}
+			if (nameMatches || valueMatches) results.push({
+				id: name,
+				path: `/${name}`,
+				summary: `DNS record: ${name}`,
+				meta: { kind: "dns:record" }
+			});
+		}
+		return { data: results };
+	}
+	readCapabilities() {
+		const actionCatalogs = [];
+		actionCatalogs.push({
+			kind: "dns:zone",
+			description: "Zone-level operations",
+			catalog: [{
+				name: "validate-zone",
+				description: "Validate zone integrity (SOA, NS records)",
+				inputSchema: {
+					type: "object",
+					properties: {},
+					description: "No parameters required"
+				}
+			}, {
+				name: "export-zone",
+				description: "Export zone as BIND zone file format",
+				inputSchema: {
+					type: "object",
+					properties: {},
+					description: "No parameters required"
+				}
+			}],
+			discovery: {
+				pathTemplate: "/{action}",
+				note: "Write to /validate-zone or /export-zone to execute"
+			}
+		});
+		const operations = {
+			read: true,
+			list: true,
+			write: this.accessMode === "readwrite",
+			delete: this.accessMode === "readwrite",
+			search: true,
+			exec: false,
+			stat: true,
+			explain: true
+		};
+		return { data: {
+			id: "/.meta/.capabilities",
+			path: "/.meta/.capabilities",
+			content: {
+				schemaVersion: 1,
+				provider: this.name,
+				version: "1.0.0",
+				description: this.description,
+				tools: [],
+				actions: actionCatalogs,
+				operations
+			},
+			meta: { kind: "afs:capabilities" }
+		} };
+	}
+	async handleValidateZone() {
+		const apex = await this.adapter.getRecord(this.zone, "@");
+		const checks = [];
+		const soaRecord = apex.records.find((r) => r.type === "SOA");
+		checks.push({
+			name: "SOA",
+			type: "SOA",
+			valid: !!soaRecord,
+			message: soaRecord ? "SOA record present" : "Missing SOA record"
+		});
+		const nsRecords = apex.records.filter((r) => r.type === "NS");
+		checks.push({
+			name: "NS",
+			type: "NS",
+			valid: nsRecords.length > 0,
+			message: nsRecords.length > 0 ? `${nsRecords.length} NS record(s) present` : "Missing NS records"
+		});
+		const allValid = checks.every((c) => c.valid);
+		return { data: {
+			id: "validate-zone",
+			path: "/validate-zone",
+			summary: `Zone validation: ${allValid ? "PASSED" : "FAILED"}`,
+			meta: { kind: "dns:action-result" },
+			content: {
+				valid: allValid,
+				checks,
+				zone: this.zone
+			}
+		} };
+	}
+	async handleExportZone() {
+		const names = await this.adapter.listRecords(this.zone);
+		const lines = [];
+		lines.push(`; Zone file for ${this.zone}`);
+		lines.push(`$ORIGIN ${this.zone}.`);
+		lines.push("");
+		for (const name of names) {
+			if (name === "_zone") continue;
+			const recordSet = await this.adapter.getRecord(this.zone, name);
+			const displayName = name === "@" ? "@" : name;
+			for (const record of recordSet.records) {
+				const ttl = record.ttl ?? 300;
+				const values = Array.isArray(record.values) ? record.values : [record.values];
+				for (const value of values) lines.push(`${displayName}\t${ttl}\tIN\t${record.type}\t${value}`);
+			}
+		}
+		lines.push("");
+		return { data: {
+			id: "export-zone",
+			path: "/export-zone",
+			summary: `BIND zone file for ${this.zone}`,
+			meta: { kind: "dns:action-result" },
+			content: lines.join("\n")
+		} };
+	}
+};
+
+//#endregion
+//#region src/route53/parser.ts
+/**
+* Parse Route53 hosted zones into DNSZone format
+*/
+function parseHostedZones(zones) {
+	return zones.map((zone) => ({
+		domain: zone.Name.replace(/\.$/, ""),
+		id: zone.Id.replace("/hostedzone/", ""),
+		provider: "route53",
+		nameservers: [],
+		recordCount: zone.ResourceRecordSetCount
+	}));
+}
+/**
+* Parse Route53 resource record sets into grouped records by name
+*/
+function parseResourceRecordSets(recordSets, zoneName) {
+	const grouped = /* @__PURE__ */ new Map();
+	for (const rs of recordSets) {
+		const name = normalizeRecordName(rs.Name, zoneName);
+		const record = parseResourceRecordSet(rs);
+		if (!grouped.has(name)) grouped.set(name, []);
+		grouped.get(name).push(record);
+	}
+	return Array.from(grouped.entries()).map(([name, records]) => ({
+		name,
+		records
+	}));
+}
+/**
+* Parse a single Route53 resource record set
+*/
+function parseResourceRecordSet(rs) {
+	const type = rs.Type;
+	if (rs.AliasTarget) return {
+		type,
+		ttl: 0,
+		values: [],
+		alias: {
+			hostedZoneId: rs.AliasTarget.HostedZoneId,
+			dnsName: rs.AliasTarget.DNSName,
+			evaluateTargetHealth: rs.AliasTarget.EvaluateTargetHealth
+		}
+	};
+	return {
+		type,
+		ttl: rs.TTL ?? 0,
+		values: parseRecordValues(type, rs.ResourceRecords?.map((r) => r.Value) ?? [])
+	};
+}
+/**
+* Parse record values based on type
+*/
+function parseRecordValues(type, rawValues) {
+	switch (type) {
+		case "A":
+		case "AAAA":
+		case "NS":
+		case "TXT":
+		case "PTR": return rawValues;
+		case "CNAME": return rawValues[0] ?? "";
+		case "MX": return rawValues.map(parseMXValue);
+		case "SRV": return rawValues.map(parseSRVValue);
+		case "CAA": return rawValues.map(parseCAAValue);
+		case "SOA": return parseSOAValue(rawValues[0] ?? "");
+		default: return rawValues;
+	}
+}
+/**
+* Parse MX record value: "10 mail.example.com"
+*/
+function parseMXValue(value) {
+	const parts = value.split(/\s+/, 2);
+	return {
+		priority: Number.parseInt(parts[0] ?? "0", 10),
+		value: parts[1] ?? ""
+	};
+}
+/**
+* Parse SRV record value: "10 5 5060 sip.example.com"
+*/
+function parseSRVValue(value) {
+	const parts = value.split(/\s+/, 4);
+	return {
+		priority: Number.parseInt(parts[0] ?? "0", 10),
+		weight: Number.parseInt(parts[1] ?? "0", 10),
+		port: Number.parseInt(parts[2] ?? "0", 10),
+		target: parts[3] ?? ""
+	};
+}
+/**
+* Parse CAA record value: '0 issue "letsencrypt.org"'
+*/
+function parseCAAValue(value) {
+	const match = value.match(/^(\d+)\s+(\w+)\s+"?([^"]*)"?$/);
+	if (!match) return {
+		flags: 0,
+		tag: "",
+		value: ""
+	};
+	return {
+		flags: Number.parseInt(match[1] ?? "0", 10),
+		tag: match[2] ?? "",
+		value: match[3] ?? ""
+	};
+}
+/**
+* Parse SOA record value
+*/
+function parseSOAValue(value) {
+	const parts = value.split(/\s+/);
+	return {
+		mname: parts[0] ?? "",
+		rname: parts[1] ?? "",
+		serial: Number.parseInt(parts[2] ?? "0", 10) || 0,
+		refresh: Number.parseInt(parts[3] ?? "0", 10) || 0,
+		retry: Number.parseInt(parts[4] ?? "0", 10) || 0,
+		expire: Number.parseInt(parts[5] ?? "0", 10) || 0,
+		minimum: Number.parseInt(parts[6] ?? "0", 10) || 0
+	};
+}
+/**
+* Normalize a Route53 record name to our format
+*
+* - Removes trailing dot
+* - Converts apex to @
+* - Extracts subdomain part
+*/
+function normalizeRecordName(fqdn, zoneName) {
+	const name = fqdn.endsWith(".") ? fqdn.slice(0, -1) : fqdn;
+	const normalizedZone = zoneName.endsWith(".") ? zoneName.slice(0, -1) : zoneName;
+	if (name.toLowerCase() === normalizedZone.toLowerCase()) return "@";
+	const suffix = `.${normalizedZone}`;
+	if (name.toLowerCase().endsWith(suffix.toLowerCase())) return name.slice(0, -suffix.length);
+	return name;
+}
+
+//#endregion
+//#region src/route53/adapter.ts
+/**
+* Route53 DNS Adapter
+*
+* AWS Route53 implementation of the DNS provider interface.
+*/
+var Route53Adapter = class {
+	client;
+	zoneIdCache = /* @__PURE__ */ new Map();
+	constructor(options = {}) {
+		if (options.client) this.client = options.client;
+		else this.client = new Route53Client({
+			region: options.region ?? "us-east-1",
+			endpoint: options.endpoint,
+			credentials: options.credentials
+		});
+	}
+	/**
+	* List all hosted zones
+	*/
+	async listZones() {
+		const zones = [];
+		let marker;
+		do {
+			const response = await this.client.send(new ListHostedZonesCommand({ Marker: marker }));
+			if (response.HostedZones) zones.push(...response.HostedZones);
+			marker = response.IsTruncated ? response.NextMarker : void 0;
+		} while (marker);
+		return parseHostedZones(zones);
+	}
+	/**
+	* List all record names in a zone
+	*/
+	async listRecords(zoneDomain) {
+		const zoneId = await this.getZoneId(zoneDomain);
+		const parsed = parseResourceRecordSets(await this.fetchAllRecordSets(zoneId), zoneDomain);
+		const names = /* @__PURE__ */ new Set();
+		for (const rs of parsed) names.add(rs.name);
+		names.add("_zone");
+		return Array.from(names);
+	}
+	/**
+	* Get all records for a specific name
+	*/
+	async getRecord(zoneDomain, name) {
+		const zoneId = await this.getZoneId(zoneDomain);
+		const match = parseResourceRecordSets(await this.fetchAllRecordSets(zoneId), zoneDomain).find((rs) => rs.name === name);
+		return {
+			fqdn: name === "@" ? zoneDomain : `${name}.${zoneDomain}`,
+			records: match?.records ?? []
+		};
+	}
+	/**
+	* Get zone metadata
+	*/
+	async getZoneMetadata(zoneDomain) {
+		const zoneId = await this.getZoneId(zoneDomain);
+		const response = await this.client.send(new GetHostedZoneCommand({ Id: zoneId }));
+		const zone = response.HostedZone;
+		const nameservers = response.DelegationSet?.NameServers ?? [];
+		return {
+			domain: zone.Name.replace(/\.$/, ""),
+			id: zone.Id.replace("/hostedzone/", ""),
+			provider: "route53",
+			nameservers,
+			recordCount: zone.ResourceRecordSetCount
+		};
+	}
+	/**
+	* Set records for a name (create or update)
+	*/
+	async setRecord(zoneDomain, name, records, _options) {
+		const zoneId = await this.getZoneId(zoneDomain);
+		const fqdn = this.buildFQDN(name, zoneDomain);
+		const changes = [];
+		for (const record of records) changes.push({
+			Action: "UPSERT",
+			ResourceRecordSet: this.buildResourceRecordSet(fqdn, record)
+		});
+		await this.client.send(new ChangeResourceRecordSetsCommand({
+			HostedZoneId: zoneId,
+			ChangeBatch: {
+				Changes: changes,
+				Comment: `AFS DNS Provider: set ${name}`
+			}
+		}));
+	}
+	/**
+	* Delete records for a name
+	*/
+	async deleteRecord(zoneDomain, name, type, _options) {
+		const zoneId = await this.getZoneId(zoneDomain);
+		const fqdn = this.buildFQDN(name, zoneDomain);
+		const toDelete = (await this.fetchAllRecordSets(zoneId)).filter((rs) => {
+			if (rs.Name?.replace(/\.$/, "") !== fqdn.replace(/\.$/, "")) return false;
+			if (type && rs.Type !== type) return false;
+			return true;
+		});
+		if (toDelete.length === 0) return;
+		const changes = toDelete.map((rs) => ({
+			Action: "DELETE",
+			ResourceRecordSet: rs
+		}));
+		await this.client.send(new ChangeResourceRecordSetsCommand({
+			HostedZoneId: zoneId,
+			ChangeBatch: {
+				Changes: changes,
+				Comment: `AFS DNS Provider: delete ${name}`
+			}
+		}));
+	}
+	/**
+	* Get zone ID from domain name
+	*/
+	async getZoneId(zoneDomain) {
+		if (this.zoneIdCache.has(zoneDomain)) return this.zoneIdCache.get(zoneDomain);
+		const zone = (await this.listZones()).find((z$1) => z$1.domain.toLowerCase() === zoneDomain.toLowerCase());
+		if (!zone) {
+			const error = /* @__PURE__ */ new Error(`Zone not found: ${zoneDomain}`);
+			error.name = "NoSuchHostedZone";
+			throw error;
+		}
+		this.zoneIdCache.set(zoneDomain, zone.id);
+		return zone.id;
+	}
+	/**
+	* Fetch all record sets for a zone (handles pagination)
+	*/
+	async fetchAllRecordSets(zoneId) {
+		const recordSets = [];
+		let startRecordName;
+		let startRecordType;
+		do {
+			const response = await this.client.send(new ListResourceRecordSetsCommand({
+				HostedZoneId: zoneId,
+				StartRecordName: startRecordName,
+				StartRecordType: startRecordType
+			}));
+			if (response.ResourceRecordSets) recordSets.push(...response.ResourceRecordSets);
+			if (response.IsTruncated) {
+				startRecordName = response.NextRecordName;
+				startRecordType = response.NextRecordType;
+			} else startRecordName = void 0;
+		} while (startRecordName);
+		return recordSets;
+	}
+	/**
+	* Build FQDN from name and zone
+	*/
+	buildFQDN(name, zoneDomain) {
+		if (name === "@") return `${zoneDomain}.`;
+		return `${name}.${zoneDomain}.`;
+	}
+	/**
+	* Build Route53 ResourceRecordSet from DNSRecord
+	*/
+	buildResourceRecordSet(fqdn, record) {
+		const base = {
+			Name: fqdn,
+			Type: record.type,
+			TTL: record.ttl
+		};
+		const resourceRecords = this.buildResourceRecords(record);
+		if (resourceRecords.length > 0) base.ResourceRecords = resourceRecords;
+		return base;
+	}
+	/**
+	* Build Route53 ResourceRecords from DNSRecord values
+	*/
+	buildResourceRecords(record) {
+		const { type, values } = record;
+		switch (type) {
+			case "A":
+			case "AAAA":
+			case "NS":
+			case "TXT":
+			case "PTR": return values.map((v) => ({ Value: v }));
+			case "CNAME": return [{ Value: typeof values === "string" ? values : values[0] ?? "" }];
+			case "MX": return values.map((mx) => ({ Value: `${mx.priority} ${mx.value}` }));
+			case "SRV": return values.map((srv) => ({ Value: `${srv.priority} ${srv.weight} ${srv.port} ${srv.target}` }));
+			case "CAA": return values.map((caa) => ({ Value: `${caa.flags} ${caa.tag} "${caa.value}"` }));
+			default: return [];
+		}
+	}
+};
+
+//#endregion
+//#region src/validation/name-validator.ts
+const MAX_LABEL_LENGTH = 63;
+const MAX_DOMAIN_LENGTH = 253;
+const LABEL_REGEX = /^[a-zA-Z0-9]([a-zA-Z0-9-]*[a-zA-Z0-9])?$|^[a-zA-Z0-9]$/;
+const SERVICE_LABEL_REGEX = /^_[a-zA-Z0-9]([a-zA-Z0-9-]*[a-zA-Z0-9])?$|^_[a-zA-Z0-9]$/;
+/**
+* Validate a domain name per RFC 1035
+*
+* @param domain - Domain name to validate (e.g., "example.com")
+* @returns Validation result
+*/
+function validateDomainName(domain) {
+	if (!domain) return {
+		valid: false,
+		error: "Domain name cannot be empty"
+	};
+	const normalized = domain.endsWith(".") ? domain.slice(0, -1) : domain;
+	if (normalized.length > MAX_DOMAIN_LENGTH) return {
+		valid: false,
+		error: `Domain name exceeds ${MAX_DOMAIN_LENGTH} characters`
+	};
+	const labels = normalized.split(".");
+	for (let i = 0; i < labels.length; i++) {
+		const label = labels[i];
+		if (!label) return {
+			valid: false,
+			error: "Domain name contains empty label"
+		};
+		if (label.length > MAX_LABEL_LENGTH) return {
+			valid: false,
+			error: `Label "${label}" exceeds ${MAX_LABEL_LENGTH} characters`
+		};
+		if (label.startsWith("-")) return {
+			valid: false,
+			error: `Label "${label}" cannot start with hyphen`
+		};
+		if (label.endsWith("-")) return {
+			valid: false,
+			error: `Label "${label}" cannot end with hyphen`
+		};
+		if (!LABEL_REGEX.test(label) && !label.startsWith("xn--")) return {
+			valid: false,
+			error: `Label "${label}" contains invalid characters`
+		};
+	}
+	return { valid: true };
+}
+/**
+* Normalize a domain name to lowercase
+*
+* DNS is case-insensitive per RFC 1035.
+*
+* @param domain - Domain name to normalize
+* @returns Normalized lowercase domain name
+*/
+function normalizeDomainName(domain) {
+	return (domain.endsWith(".") ? domain.slice(0, -1) : domain).toLowerCase();
+}
+/**
+* Validate a record name within a zone
+*
+* Record names can be:
+* - @ for apex (root domain)
+* - * for wildcard
+* - *.subdomain for scoped wildcard
+* - Simple names like "www", "api"
+* - Multi-level like "blog.dev"
+* - Service records like "_dmarc", "_acme-challenge"
+*
+* @param name - Record name to validate
+* @param zone - The zone this record belongs to
+* @returns Validation result
+*/
+function validateRecordName(name, zone) {
+	if (!name) return {
+		valid: false,
+		error: "Record name cannot be empty"
+	};
+	if (name === "@") return { valid: true };
+	if (name === "*") return { valid: true };
+	if (name.includes("*")) {
+		if (!name.startsWith("*.") && name !== "*") return {
+			valid: false,
+			error: "Wildcard (*) can only appear at the start of a record name"
+		};
+	}
+	const nameWithoutWildcard = name.startsWith("*.") ? name.slice(2) : name;
+	if (`${nameWithoutWildcard}.${zone}`.length > MAX_DOMAIN_LENGTH) return {
+		valid: false,
+		error: `Full domain name would exceed ${MAX_DOMAIN_LENGTH} characters`
+	};
+	const labels = nameWithoutWildcard.split(".");
+	for (const label of labels) {
+		if (!label) return {
+			valid: false,
+			error: "Record name contains empty label"
+		};
+		if (label.length > MAX_LABEL_LENGTH) return {
+			valid: false,
+			error: `Label "${label}" exceeds ${MAX_LABEL_LENGTH} characters`
+		};
+		if (label.startsWith("_")) {
+			if (!SERVICE_LABEL_REGEX.test(label)) return {
+				valid: false,
+				error: `Invalid service label: ${label}`
+			};
+		} else {
+			if (label.startsWith("-") || label.endsWith("-")) return {
+				valid: false,
+				error: `Label "${label}" cannot start or end with hyphen`
+			};
+			if (!LABEL_REGEX.test(label)) return {
+				valid: false,
+				error: `Label "${label}" contains invalid characters`
+			};
+		}
+	}
+	return { valid: true };
+}
+
+//#endregion
+//#region src/validation/write-validator.ts
+/**
+* Validate a complete write operation
+*/
+function validateWriteOperation(recordName, records) {
+	const setResult = validateRecordSet(records);
+	if (!setResult.valid) return setResult;
+	const soaResult = checkSOAProtection(records);
+	if (!soaResult.valid) return soaResult;
+	const apexResult = checkCNAMEAtApex(recordName, records);
+	if (!apexResult.valid) return apexResult;
+	const conflictResult = checkCNAMEConflict(records);
+	if (!conflictResult.valid) return conflictResult;
+	const dupeResult = checkDuplicateValues(records);
+	if (!dupeResult.valid) return dupeResult;
+	return { valid: true };
+}
+/**
+* Validate a record set (array of records)
+*/
+function validateRecordSet(records) {
+	if (!records || records.length === 0) return {
+		valid: false,
+		error: "Record set must contain at least one record"
+	};
+	for (const record of records) {
+		const result = validateRecord(record);
+		if (!result.valid) return {
+			valid: false,
+			error: result.errors?.join(", ")
+		};
+	}
+	return { valid: true };
+}
+/**
+* Check for CNAME conflicts - CNAME cannot coexist with other record types
+*/
+function checkCNAMEConflict(records) {
+	const hasCNAME = records.some((r) => r.type === "CNAME");
+	const hasOtherTypes = records.some((r) => r.type !== "CNAME");
+	if (hasCNAME && hasOtherTypes) return {
+		valid: false,
+		error: "CNAME cannot coexist with other record types at the same name"
+	};
+	if (records.filter((r) => r.type === "CNAME").length > 1) return {
+		valid: false,
+		error: "Only one CNAME record is allowed per name"
+	};
+	return { valid: true };
+}
+/**
+* Check CNAME at apex - CNAME is not allowed at the root domain
+*/
+function checkCNAMEAtApex(recordName, records) {
+	if (records.some((r) => r.type === "CNAME") && recordName === "@") return {
+		valid: false,
+		error: "CNAME records are not allowed at the apex (root domain)"
+	};
+	return { valid: true };
+}
+/**
+* Check SOA protection - SOA records cannot be written
+*/
+function checkSOAProtection(records) {
+	if (records.some((r) => r.type === "SOA")) return {
+		valid: false,
+		error: "SOA records are managed by the DNS provider and cannot be modified"
+	};
+	return { valid: true };
+}
+/**
+* Check for duplicate values within records
+*/
+function checkDuplicateValues(records) {
+	for (const record of records) {
+		const result = checkRecordForDuplicates(record);
+		if (!result.valid) return result;
+	}
+	return { valid: true };
+}
+/**
+* Check a single record for duplicate values
+*/
+function checkRecordForDuplicates(record) {
+	const { type, values } = record;
+	if (type === "CNAME" || type === "SOA") return { valid: true };
+	if (Array.isArray(values)) {
+		const seen = /* @__PURE__ */ new Set();
+		for (const value of values) {
+			const key = serializeValue(value, type);
+			if (seen.has(key)) return {
+				valid: false,
+				error: `Duplicate value found in ${type} record: ${key}`
+			};
+			seen.add(key);
+		}
+	}
+	return { valid: true };
+}
+/**
+* Serialize a record value to a string for comparison
+*/
+function serializeValue(value, type) {
+	if (typeof value === "string") return value;
+	if (type === "MX") {
+		const mx = value;
+		return `${mx.priority}:${mx.value}`;
+	}
+	if (type === "SRV") {
+		const srv = value;
+		return `${srv.priority}:${srv.weight}:${srv.port}:${srv.target}`;
+	}
+	if (type === "CAA") {
+		const caa = value;
+		return `${caa.flags}:${caa.tag}:${caa.value}`;
+	}
+	return JSON.stringify(value);
+}
+
+//#endregion
+export { AFSDNSConflictError, AFSDNSError, AFSDNSInvalidArgumentError, AFSDNSNetworkError, AFSDNSNotFoundError, AFSDNSPermissionDeniedError, AFSDNSRateLimitError, AuditLogger, CloudDNSAdapter, DNSProvider, PRESETS, RateLimiter, Route53Adapter, checkCNAMEAtApex, checkCNAMEConflict, checkDuplicateValues, checkPermission, checkSOAProtection, createRoute53RateLimiter, detectDangerousOperation, escapeSpecialCharacters, formatPermissionError, getEffectivePermissions, isRetryableError, mapRoute53Error, normalizeDomainName, normalizeRecordName, parseHostedZones, parseResourceRecordSets, rejectNullBytes, sanitizeErrorMessage, sanitizeRecordValue, sanitizeTXTValue, validateAAAARecord, validateARecord, validateCAARecord, validateCNAMERecord, validateDomainName, validateInputLength, validateMXRecord, validateNSRecord, validateRecord, validateRecordName, validateRecordSet, validateSRVRecord, validateTTL, validateTXTRecord, validateWriteOperation };
+//# sourceMappingURL=index.mjs.map