@bonginkan/maria 4.2.6 → 4.2.8

package/dist/index.js

@@ -7,8 +7,8 @@ import * as path2 from 'path';
 import path2__default, { join } from 'path';
 import { promisify } from 'util';
 import { spawn } from 'child_process';
-import * as crypto3 from 'crypto';
-import crypto3__default, { createHash } from 'crypto';
+import * as crypto2 from 'crypto';
+import crypto2__default, { createHash } from 'crypto';
 import * as jwt from 'jsonwebtoken';
 import * as fs3 from 'fs/promises';
 import { mkdir, writeFile } from 'fs/promises';
@@ -18770,14 +18770,14 @@ var require_view = __commonJS({
 var require_etag = __commonJS({
   "node_modules/.pnpm/etag@1.8.1/node_modules/etag/index.js"(exports, module) {
     module.exports = etag;
-    var crypto9 = __require("crypto");
+    var crypto8 = __require("crypto");
     var Stats = __require("fs").Stats;
     var toString = Object.prototype.toString;
     function entitytag(entity) {
       if (entity.length === 0) {
         return '"0-2jmj7l5rSw0yVb/vlWAYkK/YBwk"';
       }
-      var hash = crypto9.createHash("sha1").update(entity, "utf8").digest("base64").substring(0, 27);
+      var hash = crypto8.createHash("sha1").update(entity, "utf8").digest("base64").substring(0, 27);
       var len = typeof entity === "string" ? Buffer.byteLength(entity, "utf8") : entity.length;
       return '"' + len.toString(16) + "-" + hash + '"';
     }
@@ -22233,17 +22233,17 @@ var require_content_disposition = __commonJS({
 // node_modules/.pnpm/cookie-signature@1.2.2/node_modules/cookie-signature/index.js
 var require_cookie_signature = __commonJS({
   "node_modules/.pnpm/cookie-signature@1.2.2/node_modules/cookie-signature/index.js"(exports) {
-    var crypto9 = __require("crypto");
+    var crypto8 = __require("crypto");
     exports.sign = function(val, secret) {
       if ("string" != typeof val) throw new TypeError("Cookie value must be provided as a string.");
       if (null == secret) throw new TypeError("Secret key must be provided.");
-      return val + "." + crypto9.createHmac("sha256", secret).update(val).digest("base64").replace(/\=+$/, "");
+      return val + "." + crypto8.createHmac("sha256", secret).update(val).digest("base64").replace(/\=+$/, "");
     };
     exports.unsign = function(input2, secret) {
       if ("string" != typeof input2) throw new TypeError("Signed cookie string must be provided.");
       if (null == secret) throw new TypeError("Secret key must be provided.");
       var tentativeValue = input2.slice(0, input2.lastIndexOf(".")), expectedInput = exports.sign(tentativeValue, secret), expectedBuffer = Buffer.from(expectedInput), inputBuffer = Buffer.from(input2);
-      return expectedBuffer.length === inputBuffer.length && crypto9.timingSafeEqual(expectedBuffer, inputBuffer) ? tentativeValue : false;
+      return expectedBuffer.length === inputBuffer.length && crypto8.timingSafeEqual(expectedBuffer, inputBuffer) ? tentativeValue : false;
     };
   }
 });
@@ -29968,12 +29968,12 @@ var DualMemoryEngine = class {
   async query(memoryQuery) {
     const _startTime = Date.now();
     const cacheKey = this.generateCacheKey(memoryQuery);
-    const cached2 = this.performanceCache.get(cacheKey);
-    if (cached2 && this.isCacheValid(cached2)) {
-      cached2.hits++;
+    const cached = this.performanceCache.get(cacheKey);
+    if (cached && this.isCacheValid(cached)) {
+      cached.hits++;
       this.operationMetrics.totalOperations++;
       return {
-        _data: cached2._result,
+        _data: cached._result,
         source: "both",
         confidence: 0.9,
         latency: Date.now() - _startTime,
@@ -30175,8 +30175,8 @@ var DualMemoryEngine = class {
   }
   getCacheStatus(query) {
     const cacheKey = this.generateCacheKey(query);
-    const cached2 = this.performanceCache.get(cacheKey);
-    return cached2 ? 0.8 : 0.2;
+    const cached = this.performanceCache.get(cacheKey);
+    return cached ? 0.8 : 0.2;
   }
   calculateSystem1Score(_factors) {
     const _urgencyWeight = _factors.urgency * 0.4;
@@ -30427,9 +30427,9 @@ var DualMemoryEngine = class {
   cleanupCache() {
     const _now = /* @__PURE__ */ new Date();
     const _maxAge = 30 * 60 * 1e3;
-    for (const [key, cached2] of this.performanceCache.entries()) {
-      const age = _now.getTime() - cached2.timestamp.getTime();
-      if (age > _maxAge || cached2.hits < 2) {
+    for (const [key, cached] of this.performanceCache.entries()) {
+      const age = _now.getTime() - cached.timestamp.getTime();
+      if (age > _maxAge || cached.hits < 2) {
         this.performanceCache.delete(key);
       }
     }
@@ -30470,8 +30470,8 @@ var DualMemoryEngine = class {
     const _embeddingStr = query.embedding ? query.embedding.slice(0, 5).join(",") : "";
     return `${query.type}:${query.query}:${_contextStr}:${_embeddingStr}:${query.limit || 10}`;
   }
-  isCacheValid(cached2) {
-    const age = Date.now() - cached2.timestamp.getTime();
+  isCacheValid(cached) {
+    const age = Date.now() - cached.timestamp.getTime();
     const _maxAge = 10 * 60 * 1e3;
     return age < _maxAge;
   }
@@ -30502,7 +30502,7 @@ var DualMemoryEngine = class {
   // ========== Public API for Monitoring ==========
   getMetrics() {
     const _totalCacheAccess = Array.from(this.performanceCache.values()).reduce(
-      (sum, cached2) => sum + cached2.hits,
+      (sum, cached) => sum + cached.hits,
       0
     );
     this.operationMetrics.cacheHitRate = this.operationMetrics.totalOperations > 0 ? _totalCacheAccess / this.operationMetrics.totalOperations : 0;
@@ -34994,11 +34994,11 @@ var SlashCommandHandler = class {
    * Get all categories
    */
   getCategories() {
-    const categories = /* @__PURE__ */ new Set();
+    const categories2 = /* @__PURE__ */ new Set();
     for (const command of this.commands.values()) {
-      categories.add(command.category);
+      categories2.add(command.category);
     }
-    return Array.from(categories);
+    return Array.from(categories2);
   }
   /**
    * Validate command arguments
@@ -35338,9 +35338,9 @@ var RBACCommandGuard = class extends EventEmitter {
   async getUserPermissions(user2) {
     const cacheKey = `${user2.id}:${user2.roles.join(",")}:${this.policyVersion}`;
     if (this.config.cachePermissions) {
-      const cached2 = this.permissionCache.get(cacheKey);
-      if (cached2 && cached2.expires > /* @__PURE__ */ new Date()) {
-        return cached2.permissions;
+      const cached = this.permissionCache.get(cacheKey);
+      if (cached && cached.expires > /* @__PURE__ */ new Date()) {
+        return cached.permissions;
       }
     }
     const permissions = await this.computePermissions(user2);
@@ -35362,14 +35362,14 @@ var RBACCommandGuard = class extends EventEmitter {
   async computePermissions(user2) {
     const commandPermissions = [];
     const allPermissions = /* @__PURE__ */ new Set();
-    const userRoles = user2.roles.map((roleId) => this.roles.get(roleId)).filter((role2) => role2 && role2.active).sort((a2, b) => (b?.priority || 0) - (a2?.priority || 0));
-    for (const role2 of userRoles) {
-      if (!role2) continue;
-      for (const permission of role2.permissions) {
+    const userRoles = user2.roles.map((roleId) => this.roles.get(roleId)).filter((role) => role && role.active).sort((a2, b) => (b?.priority || 0) - (a2?.priority || 0));
+    for (const role of userRoles) {
+      if (!role) continue;
+      for (const permission of role.permissions) {
         allPermissions.add(permission);
       }
-      if (this.config.inheritanceEnabled && role2.inheritsFrom.length > 0) {
-        for (const parentRoleId of role2.inheritsFrom) {
+      if (this.config.inheritanceEnabled && role.inheritsFrom.length > 0) {
+        for (const parentRoleId of role.inheritsFrom) {
           const parentRole = this.roles.get(parentRoleId);
           if (parentRole && parentRole.active) {
             for (const permission of parentRole.permissions) {
@@ -35441,22 +35441,22 @@ var RBACCommandGuard = class extends EventEmitter {
     const failedConditions = [];
     let mfaRequired = false;
     for (const roleId of user2.roles) {
-      const role2 = this.roles.get(roleId);
-      if (!role2) continue;
-      for (const condition2 of role2.conditions) {
-        if (!condition2.enforced) continue;
-        switch (condition2.type) {
+      const role = this.roles.get(roleId);
+      if (!role) continue;
+      for (const condition of role.conditions) {
+        if (!condition.enforced) continue;
+        switch (condition.type) {
           case "mfa":
             if (!user2.mfaVerified) {
               mfaRequired = true;
-              if (condition2.requirement.required) {
-                failedConditions.push(`MFA required for role ${role2.name}`);
+              if (condition.requirement.required) {
+                failedConditions.push(`MFA required for role ${role.name}`);
               }
             }
             break;
           case "time":
-            if (!this.evaluateTimeCondition(condition2.requirement)) {
-              failedConditions.push(`Time restriction for role ${role2.name}`);
+            if (!this.evaluateTimeCondition(condition.requirement)) {
+              failedConditions.push(`Time restriction for role ${role.name}`);
             }
             break;
         }
@@ -35559,1224 +35559,6 @@ var RBACCommandGuard = class extends EventEmitter {
     };
   }
 };
-var AccessControlManager = class extends EventEmitter {
-  config;
-  users;
-  roles;
-  cache;
-  auditLog;
-  policyEngine;
-  encryptionKey;
-  gdprCompliance;
-  hipaaCompliance;
-  constructor(_config) {
-    super();
-    this._config = _config;
-    this.users = /* @__PURE__ */ new Map();
-    this.roles = /* @__PURE__ */ new Map();
-    this.auditLog = [];
-    this.cache = this.initializeCache();
-    this.policyEngine = new PolicyEngine(_config);
-    this.encryptionKey = this.generateEncryptionKey();
-    this.initializeDefaultRoles();
-  }
-  // ========== Access Control Methods ==========
-  async enforceHierarchicalAccess(_user, resource, operation) {
-    if (!this.hasOrganizationAccess(_user, resource)) {
-      return {
-        allowed: false,
-        reason: "User does not have organization-_level access to this resource"
-      };
-    }
-    if (resource.type === "memory" && resource.path?.includes("/projects/")) {
-      const _projectId = this.extractProjectId(resource._path);
-      if (_projectId && !user.projects.includes(_projectId)) {
-        return {
-          allowed: false,
-          reason: `User does not have access to project: ${_projectId}`
-        };
-      }
-    }
-    if (resource.type === "memory" && resource.path?.includes("/teams/")) {
-      const _teamId = this.extractTeamId(resource._path);
-      if (_teamId && !user.teams.includes(_teamId)) {
-        return {
-          allowed: false,
-          reason: `User does not have access to team: ${_teamId}`
-        };
-      }
-    }
-    const _inheritedPermissions = this.calculateInheritedPermissions(_user, resource);
-    const _hasRequiredPermission = this.checkPermissionAtAllLevels(
-      _user,
-      _inheritedPermissions,
-      operation
-    );
-    if (!_hasRequiredPermission) {
-      return {
-        allowed: false,
-        reason: `Insufficient _permissions for operation: ${operation}`
-      };
-    }
-    return {
-      allowed: true,
-      _permissions: _inheritedPermissions
-    };
-  }
-  hasOrganizationAccess(_user, _resource) {
-    return _user.organizationId === this.config.organizationId;
-  }
-  extractProjectId(_path) {
-    const _match = _path._match(/\/projects\/([^\/]+)/);
-    return _match ? _match[1] : null;
-  }
-  extractTeamId(_path) {
-    const _match = _path._match(/\/teams\/([^\/]+)/);
-    return _match ? _match[1] : null;
-  }
-  calculateInheritedPermissions(_user, _resource) {
-    let _inheritedPermissions = { ...this.config.defaultPermissions };
-    _inheritedPermissions = this.mergePermissions(_inheritedPermissions, _user.permissions);
-    const _sortedRoles = _user.roles.sort((a2, b) => b.priority - a2.priority);
-    for (const _role of _sortedRoles) {
-      const _level = this.config.hierarchyLevels.find((l) => l._level === _role._level);
-      if (_level?.inheritFromParent) {
-        _inheritedPermissions = this.mergePermissions(_inheritedPermissions, _role.permissions);
-      } else if (_level?.overrideChild) {
-        _inheritedPermissions = _role.permissions;
-      }
-    }
-    return _inheritedPermissions;
-  }
-  checkPermissionAtAllLevels(_user, _permissions, operation) {
-    if (this.hasPermissionAtLevel(_permissions, operation, "personal")) {
-      return true;
-    }
-    if (this.hasPermissionAtLevel(_permissions, operation, "team")) {
-      return true;
-    }
-    if (this.hasPermissionAtLevel(_permissions, operation, "project")) {
-      return true;
-    }
-    if (this.hasPermissionAtLevel(_permissions, operation, "organization")) {
-      return true;
-    }
-    return false;
-  }
-  hasPermissionAtLevel(_permissions, operation, _level) {
-    const operationMap = {
-      read: "read",
-      write: "write",
-      delete: "delete",
-      share: "share",
-      export: "export"
-    };
-    const _permissionKey = operationMap[operation];
-    if (!_permissionKey) {
-      return false;
-    }
-    const _scopes = _permissions.memory[_permissionKey] || [];
-    return _scopes.some((scope) => scope.type === _level);
-  }
-  mergePermissions(base, additional) {
-    return {
-      memory: {
-        read: [...base.memory.read || [], ...additional.memory.read || []],
-        write: [...base.memory.write || [], ...additional.memory.write || []],
-        delete: [...base.memory.delete || [], ...additional.memory.delete || []],
-        share: [...base.memory.share || [], ...additional.memory.share || []],
-        export: [...base.memory.export || [], ...additional.memory.export || []]
-      },
-      data: {
-        classification: [
-          ...base.data.classification || [],
-          ...additional.data.classification || []
-        ],
-        sensitivity: [...base.data.sensitivity || [], ...additional.data.sensitivity || []],
-        categories: [...base.data.categories || [], ...additional.data.categories || []],
-        tags: [...base.data.tags || [], ...additional.data.tags || []],
-        excludedFields: [
-          ...base.data.excludedFields || [],
-          ...additional.data.excludedFields || []
-        ]
-      },
-      operations: { ...base.operations, ...additional.operations },
-      administration: { ...base.administration, ...additional.administration }
-    };
-  }
-  async checkAccess(request) {
-    const _startTime = Date.now();
-    console.log(
-      `Access request: _user=${request.userId}, resource=${request.resource.id}, operation=${request.operation}`
-    );
-    const _cacheKey = this.generateCacheKey(request);
-    const _cached = this.cache.decisions.get(_cacheKey);
-    if (_cached && _cached.expires > /* @__PURE__ */ new Date()) {
-      _cached.hits++;
-      this.cache.hitRate++;
-      this.emit("accessChecked", {
-        request,
-        decision: _cached.decision,
-        _cached: true
-      });
-      return _cached.decision;
-    }
-    this.cache.missRate++;
-    const _user = this.users.get(request.userId);
-    if (!_user) {
-      console.log(`User not found: ${request.userId}`);
-      return this.createDeniedDecision(request, "User not found");
-    }
-    console.log(`User found: ${_user.email}, clearance: ${_user.attributes.clearanceLevel}`);
-    console.log(`User _permissions:`, JSON.stringify(_user._permissions.memory, null, 2));
-    const _restrictionCheck = await this.checkRestrictions(_user, request);
-    console.log(`Restriction check: passed=${_restrictionCheck.passed}`);
-    if (!_restrictionCheck.passed) {
-      console.log(`Access denied due to restrictions: ${_restrictionCheck.reason}`);
-      return this.createDeniedDecision(request, _restrictionCheck.reason);
-    }
-    const _permissions = await this.evaluatePermissions(_user, request);
-    console.log(`Evaluated _permissions:`, JSON.stringify(_permissions.data.classification, null, 2));
-    const _classificationCheck = await this.checkDataClassification(
-      _user,
-      request.resource,
-      _permissions
-    );
-    console.log(
-      `Resource classification:`,
-      JSON.stringify(request.resource.classification, null, 2)
-    );
-    console.log(`Classification check: allowed=${_classificationCheck.allowed}`);
-    if (!_classificationCheck.allowed) {
-      console.log(`Access denied due to classification: ${_classificationCheck.reason}`);
-      return this.createDeniedDecision(request, _classificationCheck.reason);
-    }
-    const _isPublicResource = request.resource.classification?.level === "public";
-    const _hasAnyReadPermission = _permissions.memory.read && _permissions.memory.read.length > 0;
-    console.log(
-      `Permission check: isPublic=${_isPublicResource}, operation=${request.operation}, hasAnyRead=${_hasAnyReadPermission}`
-    );
-    console.log(`Final _permissions:`, JSON.stringify(_permissions.memory, null, 2));
-    let hasPermission = false;
-    if (_isPublicResource && request.operation === "read" && _hasAnyReadPermission) {
-      hasPermission = true;
-      console.log(`Granted access to public resource`);
-    } else {
-      hasPermission = this.checkPermissionAtAllLevels(_user, _permissions, request.operation);
-      console.log(`Permission check result: ${hasPermission}`);
-    }
-    if (!hasPermission) {
-      console.log(`Access denied: Insufficient _permissions for operation: ${request.operation}`);
-      return this.createDeniedDecision(
-        request,
-        `Insufficient _permissions for operation: ${request.operation}`
-      );
-    }
-    const _modifications = await this.determineDataModifications(
-      _user,
-      request.resource,
-      _permissions
-    );
-    const decision = {
-      requestId: request.id,
-      granted: true,
-      _permissions,
-      restrictions: _restrictionCheck.activeRestrictions,
-      audit: this.createAuditEntry(
-        request,
-        "granted",
-        void 0,
-        _modifications,
-        Date.now() - _startTime
-      ),
-      ttl: this.calculateTTL(_permissions)
-    };
-    this.cacheDecision(_cacheKey, decision);
-    if (this.config.auditEnabled) {
-      this.auditLog.push(decision.audit);
-      this.emit("auditLogged", decision.audit);
-    }
-    this.emit("accessChecked", { request, decision, _cached: false });
-    return decision;
-  }
-  async checkRestrictions(_user, request) {
-    const activeRestrictions = [];
-    for (const restriction of user.restrictions) {
-      if (restriction.expires && restriction.expires < /* @__PURE__ */ new Date()) {
-        continue;
-      }
-      const _applies = await this.evaluateRestriction(restriction, _user, request);
-      if (_applies) {
-        activeRestrictions.push(restriction);
-        if (restriction.action === "deny") {
-          return {
-            passed: false,
-            reason: `Access denied by restriction: ${restriction.type}`
-          };
-        }
-        if (restriction.action === "require-mfa" && !request.context.mfaVerified) {
-          return {
-            passed: false,
-            reason: "MFA verification required"
-          };
-        }
-      }
-    }
-    return { passed: true, activeRestrictions };
-  }
-  async evaluateRestriction(restriction, _user, request) {
-    const _condition = restriction._condition;
-    if (_condition.temporal) {
-      if (!this.checkTemporalCondition(_condition.temporal)) {
-        return false;
-      }
-    }
-    if (_condition.geographical) {
-      if (!this.checkGeographicalCondition(_condition.geographical, request.context)) {
-        return false;
-      }
-    }
-    if (_condition.conditional) {
-      if (!await this.evaluateConditionalExpression(_condition.conditional, _user, request)) {
-        return false;
-      }
-    }
-    if (_condition.compliance) {
-      if (!this.checkComplianceRequirement(_condition.compliance, _user)) {
-        return false;
-      }
-    }
-    return true;
-  }
-  checkTemporalCondition(_condition) {
-    const _now = /* @__PURE__ */ new Date();
-    const _timezone = _condition._timezone || "UTC";
-    if (_condition.allowedDays) {
-      const _dayName = _now.toLocaleDateString("en-US", {
-        weekday: "lowercase",
-        timeZone: _timezone
-      });
-      if (!_condition.allowedDays.includes(_dayName)) {
-        return false;
-      }
-    }
-    if (_condition.allowedHours) {
-      const _currentTime = _now.toLocaleTimeString("en-US", {
-        hour12: false,
-        timeZone: _timezone
-      });
-      if (_currentTime < _condition.allowedHours.start || _currentTime > _condition.allowedHours.end) {
-        return false;
-      }
-    }
-    if (_condition.blackoutDates) {
-      const _today = _now.toDateString();
-      if (_condition.blackoutDates.some((date) => date.toDateString() === _today)) {
-        return false;
-      }
-    }
-    return true;
-  }
-  checkGeographicalCondition(_condition, _context) {
-    if (_context.location) {
-      if (condition.allowedCountries && !_condition.allowedCountries.includes(_context.location.country)) {
-        return false;
-      }
-      if (_condition.deniedCountries && condition.deniedCountries.includes(_context.location.country)) {
-        return false;
-      }
-    }
-    if (_context.ip) {
-      if (_condition.allowedIPs && !_condition.allowedIPs.includes(_context.ip)) {
-        return false;
-      }
-      if (_condition.deniedIPs && _condition.deniedIPs.includes(_context.ip)) {
-        return false;
-      }
-    }
-    if (_condition.requireVPN && !this.isVPNConnection(_context.ip)) {
-      return false;
-    }
-    return true;
-  }
-  async evaluateConditionalExpression(_condition, _user, request) {
-    ({
-      ...condition.variables
-    });
-    try {
-      return true;
-    } catch (_error) {
-      this.emit("evaluationError", { _condition, _error });
-      return false;
-    }
-  }
-  checkComplianceRequirement(_requirement, _user) {
-    if (_requirement.certificationExpiry && _requirement.certificationExpiry < /* @__PURE__ */ new Date()) {
-      return false;
-    }
-    return true;
-  }
-  async evaluatePermissions(_user, request) {
-    let _permissions = this.clonePermissions(user._permissions);
-    console.log(`Base _user _permissions:`, JSON.stringify(_permissions.data.classification, null, 2));
-    for (const _role of user.roles) {
-      _permissions = this.mergePermissions(_permissions, _role._permissions);
-    }
-    console.log(
-      `After _role _permissions:`,
-      JSON.stringify(_permissions.data.classification, null, 2)
-    );
-    _permissions = await this.applyHierarchicalPermissions(_permissions, _user, request);
-    console.log(
-      `After hierarchical _permissions:`,
-      JSON.stringify(_permissions.data.classification, null, 2)
-    );
-    _permissions = await this.applyResourcePermissions(_permissions, request.resource);
-    console.log(
-      `After resource _permissions:`,
-      JSON.stringify(_permissions.data.classification, null, 2)
-    );
-    return _permissions;
-  }
-  async applyHierarchicalPermissions(_permissions, _user, _request) {
-    for (const _level of this.config.hierarchyLevels) {
-      const _levelPermissions = await this.getHierarchyPermissions(_level, _user);
-      if (_level.inheritFromParent) {
-        _permissions = this.mergePermissions(_permissions, _levelPermissions);
-      }
-      if (_level.overrideChild) {
-        _permissions = this.overridePermissions(_permissions, _levelPermissions);
-      }
-    }
-    return _permissions;
-  }
-  async getHierarchyPermissions(_level, _user) {
-    if (_level.overrideChild) {
-      return this.config.defaultPermissions;
-    }
-    return this.createEmptyPermissions();
-  }
-  async applyResourcePermissions(_permissions, _resource) {
-    return _permissions;
-  }
-  async checkDataClassification(_user, resource, _permissions) {
-    if (!resource.classification) {
-      return { allowed: true };
-    }
-    const _userClassifications = _permissions.data.classification;
-    const _hasAccess = _userClassifications.some(
-      (c) => c.level === resource.classification.level || this.isHigherClassification(c.level, resource.classification.level)
-    );
-    if (!_hasAccess) {
-      return {
-        allowed: false,
-        reason: `Insufficient clearance for ${resource.classification.level} data`
-      };
-    }
-    return { allowed: true };
-  }
-  isHigherClassification(_userLevel, resourceLevel) {
-    const _levels = ["public", "internal", "confidential", "restricted", "secret"];
-    return _levels.indexOf(_userLevel) >= _levels.indexOf(resourceLevel);
-  }
-  async determineDataModifications(_user, _resource, _permissions) {
-    const _modifications = [];
-    if (_permissions.data.excludedFields) {
-      for (const field of _permissions.data.excludedFields) {
-        modifications.push({
-          field,
-          action: "masked",
-          reason: "Field excluded by _permissions"
-        });
-      }
-    }
-    for (const sensitivity of _permissions.data.sensitivity) {
-      if (sensitivity.accessLevel === "masked") {
-        modifications.push({
-          field: sensitivity.type,
-          action: "masked",
-          reason: `${sensitivity.type} requires masking`
-        });
-      } else if (sensitivity.accessLevel === "none") {
-        modifications.push({
-          field: sensitivity.type,
-          action: "removed",
-          reason: `${sensitivity.type} access denied`
-        });
-      }
-    }
-    return _modifications;
-  }
-  // ========== GDPR Compliance Methods ==========
-  enableGDPRCompliance(gdprConfig) {
-    this.gdprCompliance = gdprConfig;
-    this.emit("gdprEnabled", gdprConfig);
-  }
-  async validateGDPRCompliance(request, _user) {
-    const violations2 = [];
-    const requirements = [];
-    if (!this.gdprCompliance?.enabled) {
-      return { compliant: true, violations: violations2, requirements };
-    }
-    const _dataTypes = this.extractDataTypes(request.resource);
-    for (const dataType of _dataTypes) {
-      const _basis = this.gdprCompliance.dataProcessingBasis.find(
-        (b) => b._dataTypes.includes(dataType)
-      );
-      if (!_basis) {
-        violations2.push(`No legal _basis found for processing data type: ${dataType}`);
-      } else if (_basis.validUntil && _basis.validUntil < /* @__PURE__ */ new Date()) {
-        violations2.push(`Legal _basis expired for data type: ${dataType}`);
-      }
-    }
-    if (this.gdprCompliance.consentManagement.required) {
-      const _consent = await this.checkUserConsent(_user.id, _dataTypes);
-      if (!_consent.valid) {
-        violations2.push("Valid _consent required but not found");
-      }
-    }
-    const _retentionCheck = await this.checkRetentionCompliance(request.resource);
-    if (!_retentionCheck.compliant) {
-      violations2.push(`Data retention policy violated: ${_retentionCheck.reason}`);
-    }
-    if (this.gdprCompliance.rightToErasure && request.operation === "delete") {
-      requirements.push("Data must be permanently deleted per GDPR Article 17");
-    }
-    if (this.gdprCompliance.privacyByDesign) {
-      const _privacyCheck = this.checkPrivacyByDesign(request);
-      if (!_privacyCheck.compliant) {
-        violations2.push(`Privacy by design violation: ${_privacyCheck.issue}`);
-      }
-    }
-    return {
-      compliant: violations2.length === 0,
-      violations: violations2,
-      requirements
-    };
-  }
-  async handleGDPRDataSubjectRequest(type, subjectId, details) {
-    if (!this.gdprCompliance?.enabled) {
-      return { success: false, _error: "GDPR compliance not enabled" };
-    }
-    switch (type) {
-      case "access":
-        return this.handleDataAccess(subjectId);
-      case "rectification":
-        if (!this.gdprCompliance.rightToRectification) {
-          return { success: false, _error: "Right to rectification not enabled" };
-        }
-        return this.handleDataRectification(subjectId, details);
-      case "erasure":
-        if (!this.gdprCompliance.rightToErasure) {
-          return { success: false, _error: "Right to erasure not enabled" };
-        }
-        return this.handleDataErasure(subjectId);
-      case "portability":
-        if (!this.gdprCompliance.rightToPortability) {
-          return { success: false, _error: "Right to portability not enabled" };
-        }
-        return this.handleDataPortability(subjectId);
-      case "restriction":
-        return this.handleProcessingRestriction(subjectId, details);
-      default:
-        return { success: false, _error: "Invalid request type" };
-    }
-  }
-  async checkUserConsent(_userId, _dataTypes) {
-    return {
-      valid: true,
-      consentDate: /* @__PURE__ */ new Date(),
-      expiryDate: this.gdprCompliance?.consentManagement.consentExpiry ? new Date(
-        Date.now() + this.gdprCompliance.consentManagement.consentExpiry * 24 * 60 * 60 * 1e3
-      ) : void 0
-    };
-  }
-  async checkRetentionCompliance(_resource) {
-    const _policies = this.gdprCompliance?.retentionPolicies || [];
-    for (const policy of _policies) {
-      if (policy.retentionPeriod && policy.enforcementDate) {
-        const _cutoffDate = new Date(
-          policy.enforcementDate.getTime() + policy.retentionPeriod * 24 * 60 * 60 * 1e3
-        );
-        if (/* @__PURE__ */ new Date() > _cutoffDate) {
-          return {
-            compliant: false,
-            reason: `Data exceeds retention period of ${policy.retentionPeriod} days`
-          };
-        }
-      }
-    }
-    return { compliant: true };
-  }
-  checkPrivacyByDesign(request) {
-    if (request.operation === "read" && !request.context?.mfaVerified) {
-      return {
-        compliant: false,
-        issue: "Multi-factor authentication required for data access"
-      };
-    }
-    return { compliant: true };
-  }
-  async handleDataAccess(subjectId) {
-    try {
-      const _userData = this.users.get(subjectId);
-      if (!_userData) {
-        return { success: false, _error: "User data not found" };
-      }
-      const _exportData = {
-        personalData: _userData,
-        accessLogs: this.auditLog.filter((log) => log.userId === subjectId),
-        processingActivities: this.getProcessingActivities(subjectId)
-      };
-      return { success: true, data: _exportData };
-    } catch (_error) {
-      return { success: false, _error: "Failed to retrieve data" };
-    }
-  }
-  async handleDataRectification(subjectId, updates) {
-    try {
-      await this.updateUser(subjectId, updates);
-      return { success: true };
-    } catch (_error) {
-      return { success: false, _error: "Failed to update data" };
-    }
-  }
-  async handleDataErasure(subjectId) {
-    try {
-      await this.deleteUser(subjectId);
-      this.auditLog = this.auditLog.map(
-        (entry) => entry.userId === subjectId ? { ...entry, _userId: "ANONYMIZED" } : entry
-      );
-      return { success: true };
-    } catch (_error) {
-      return { success: false, _error: "Failed to erase data" };
-    }
-  }
-  async handleDataPortability(subjectId) {
-    const _accessResult = await this.handleDataAccess(subjectId);
-    if (!_accessResult.success) {
-      return _accessResult;
-    }
-    const _portableData = {
-      format: "JSON",
-      version: "1.0",
-      exported: (/* @__PURE__ */ new Date()).toISOString(),
-      data: _accessResult.data
-    };
-    return { success: true, data: _portableData };
-  }
-  async handleProcessingRestriction(subjectId, details) {
-    const _user = this.users.get(subjectId);
-    if (!_user) {
-      return { success: false, _error: "User not found" };
-    }
-    const restriction = {
-      type: "gdpr_processing_restriction",
-      reason: details.reason || "Data subject requested processing restriction",
-      _startTime: /* @__PURE__ */ new Date(),
-      conditions: details.conditions || []
-    };
-    _user.restrictions = _user.restrictions || [];
-    user.restrictions.push(restriction);
-    return { success: true };
-  }
-  // ========== HIPAA Compliance Methods ==========
-  enableHIPAACompliance(hipaaConfig) {
-    this.hipaaCompliance = hipaaConfig;
-    this.emit("hipaaEnabled", hipaaConfig);
-  }
-  async validateHIPAACompliance(request, _user) {
-    const violations2 = [];
-    const requirements = [];
-    if (!this.hipaaCompliance?.enabled) {
-      return { compliant: true, violations: violations2, requirements };
-    }
-    const _isPHI = this.isPHIData(request.resource);
-    if (!_isPHI) {
-      return { compliant: true, violations: violations2, requirements };
-    }
-    if (this.hipaaCompliance.phi.minimumNecessary && request.operation === "read") {
-      const _minimumCheck = this.checkMinimumNecessary(request, _user);
-      if (!_minimumCheck.compliant) {
-        violations2.push(`Minimum necessary standard violated: ${_minimumCheck.reason}`);
-      }
-    }
-    if (this.hipaaCompliance.technicalSafeguards.accessControl) {
-      const _accessControlCheck = this.checkHIPAAAccessControl(_user, request);
-      if (!_accessControlCheck.compliant) {
-        violations2.push(`HIPAA access control violation: ${_accessControlCheck.reason}`);
-      }
-    }
-    if (this.hipaaCompliance.auditControls) {
-      requirements.push("All PHI access must be logged per HIPAA Security Rule");
-    }
-    if (this.hipaaCompliance.technicalSafeguards.encryption.atRest && request.operation === "write") {
-      requirements.push("Data must be encrypted at rest per HIPAA Security Rule");
-    }
-    if (this.hipaaCompliance.technicalSafeguards.encryption.inTransit) {
-      requirements.push("Data transmission must be encrypted per HIPAA Security Rule");
-    }
-    if (!request.context?.mfaVerified) {
-      violations2.push("Multi-factor authentication required for PHI access");
-    }
-    return {
-      compliant: violations2.length === 0,
-      violations: violations2,
-      requirements
-    };
-  }
-  async handleHIPAABreach(breachDetails) {
-    if (!this.hipaaCompliance?.enabled || !this.hipaaCompliance.breachNotification.enabled) {
-      return { success: false, _error: "HIPAA breach notification not enabled" };
-    }
-    const notifications = [];
-    try {
-      if (breachDetails.individualsAffected > 500) {
-        notifications.push("HHS Secretary notified within 60 days");
-        notifications.push("Media notification required");
-      }
-      if (this.hipaaCompliance.breachNotification.individuals) {
-        notifications.push(
-          `${breachDetails.individualsAffected} individuals must be notified within 60 days`
-        );
-      }
-      const auditEntry = {
-        id: crypto3.randomUUID(),
-        timestamp: /* @__PURE__ */ new Date(),
-        _userId: "SYSTEM",
-        action: "HIPAA_BREACH_REPORTED",
-        resource: {
-          type: "configuration",
-          id: "breach_notification"
-        },
-        decision: "granted",
-        reason: breachDetails.description,
-        _context: {
-          sessionId: "breach_notification"
-        },
-        _modifications: []
-      };
-      this.auditLog.push(auditEntry);
-      this.emit("hipaaBreachReported", {
-        breachDetails,
-        notifications,
-        auditEntry
-      });
-      return { success: true, notifications };
-    } catch (_error) {
-      return { success: false, _error: "Failed to process HIPAA breach notification" };
-    }
-  }
-  isPHIData(resource) {
-    this.hipaaCompliance?.phi.identifiers || [];
-    return resource.classification?.level === "confidential" || resource.path?.includes("/phi/") || phiIdentifiers.some((identifier) => resource.path?.includes(identifier));
-  }
-  checkMinimumNecessary(request, _user) {
-    const _hasFullPHIAccess = _user.roles.some(
-      (_role) => _role.name.includes("Physician") || _role.name.includes("Nurse") || role.name.includes("Admin")
-    );
-    if (!_hasFullPHIAccess && request.operation === "read") {
-      return {
-        compliant: false,
-        reason: "User _role does not justify full PHI access - minimum necessary standard"
-      };
-    }
-    return { compliant: true };
-  }
-  checkHIPAAAccessControl(_user, _request) {
-    const _clearanceLevel = _user.attributes._clearanceLevel;
-    if (_clearanceLevel !== "confidential" && _clearanceLevel !== "secret") {
-      return {
-        compliant: false,
-        reason: "Insufficient clearance _level for PHI access"
-      };
-    }
-    const _hasRequiredTraining = _user.attributes.customAttributes?.hipaaTrainingCompleted;
-    if (!_hasRequiredTraining) {
-      return {
-        compliant: false,
-        reason: "HIPAA training required before PHI access"
-      };
-    }
-    return { compliant: true };
-  }
-  extractDataTypes(resource) {
-    const _dataTypes = [];
-    if (resource._path) {
-      if (resource.path.includes("/personal/")) {
-        _dataTypes.push("personal");
-      }
-      if (resource.path.includes("/financial/")) {
-        _dataTypes.push("financial");
-      }
-      if (resource.path.includes("/health/")) {
-        _dataTypes.push("health");
-      }
-      if (resource.path.includes("/phi/")) {
-        _dataTypes.push("phi");
-      }
-    }
-    return _dataTypes;
-  }
-  getProcessingActivities(_userId) {
-    return this.auditLog.filter((log) => log.userId === _userId).map((log) => ({
-      activity: log.action,
-      timestamp: log.timestamp,
-      resource: log.resource,
-      purpose: "Memory system access"
-    }));
-  }
-  // ========== User & Role Management ==========
-  async createUser(_userData) {
-    const _userId = this.generateUserId();
-    const _user = {
-      ..._userData,
-      id: _userId
-    };
-    this.users.set(_userId, _user);
-    this.emit("userCreated", { _userId, _user });
-    return _userId;
-  }
-  async updateUser(_userId, updates) {
-    const _user = this.users.get(_userId);
-    if (!_user) {
-      throw new Error(`User not found: ${_userId}`);
-    }
-    const _updatedUser = { ..._user, ...updates };
-    this.users.set(_userId, _updatedUser);
-    this.invalidateUserCache(_userId);
-    this.emit("userUpdated", { _userId, updates });
-  }
-  async deleteUser(_userId) {
-    const _user = this.users.get(_userId);
-    if (!_user) {
-      throw new Error(`User not found: ${_userId}`);
-    }
-    this.users.delete(_userId);
-    this.invalidateUserCache(_userId);
-    this.emit("userDeleted", { _userId });
-  }
-  async createRole(_roleData) {
-    const _roleId = this.generateRoleId();
-    const _role = {
-      ..._roleData,
-      id: _roleId
-    };
-    this.roles.set(_roleId, _role);
-    this.emit("roleCreated", { _roleId, _role });
-    return _roleId;
-  }
-  async assignRole(_userId, _roleId) {
-    const _user = this.users.get(_userId);
-    const _role = this.roles.get(_roleId);
-    if (!_user) {
-      throw new Error(`User not found: ${_userId}`);
-    }
-    if (!_role) {
-      throw new Error(`Role not found: ${_roleId}`);
-    }
-    if (!_user.roles.some((r) => r.id === _roleId)) {
-      user.roles.push(_role);
-      this.invalidateUserCache(_userId);
-      this.emit("roleAssigned", { _userId, _roleId });
-    }
-  }
-  async revokeRole(_userId, _roleId) {
-    const _user = this.users.get(_userId);
-    if (!_user) {
-      throw new Error(`User not found: ${_userId}`);
-    }
-    _user.roles = _user.roles.filter((r) => r.id !== _roleId);
-    this.invalidateUserCache(_userId);
-    this.emit("roleRevoked", { _userId, _roleId });
-  }
-  // ========== Utility Methods ==========
-  initializeCache() {
-    return {
-      decisions: /* @__PURE__ */ new Map(),
-      maxSize: 1e4,
-      ttl: 3e5,
-      // 5 minutes default
-      hitRate: 0,
-      missRate: 0
-    };
-  }
-  initializeDefaultRoles() {
-    const defaultRoles = [
-      {
-        name: "admin",
-        _level: "system",
-        _permissions: this.createAdminPermissions(),
-        priority: 100,
-        inherited: false
-      },
-      {
-        name: "_user",
-        _level: "system",
-        _permissions: this.createUserPermissions(),
-        priority: 10,
-        inherited: true
-      },
-      {
-        name: "guest",
-        _level: "system",
-        _permissions: this.createGuestPermissions(),
-        priority: 1,
-        inherited: true
-      }
-    ];
-    for (const roleData of defaultRoles) {
-      this.createRole(roleData);
-    }
-  }
-  createAdminPermissions() {
-    return {
-      memory: {
-        read: [{ type: "global" }],
-        write: [{ type: "global" }],
-        delete: [{ type: "global" }],
-        share: [{ type: "global" }],
-        export: [{ type: "global" }]
-      },
-      data: {
-        classification: [
-          {
-            _level: "secret",
-            handling: "standard",
-            retention: { duration: 365 }
-          }
-        ],
-        sensitivity: [],
-        categories: ["*"],
-        tags: ["*"]
-      },
-      operations: {
-        query: { maxResults: void 0, maxDepth: void 0 },
-        analyze: {
-          algorithms: ["*"],
-          mlModels: ["*"],
-          aggregations: ["*"],
-          exports: [{ format: "json" }, { format: "csv" }]
-        },
-        modify: {
-          create: true,
-          update: true,
-          delete: true,
-          bulkOperations: true
-        },
-        integrate: {
-          apis: ["*"],
-          webhooks: ["*"],
-          external: []
-        }
-      },
-      administration: {
-        manageUsers: true,
-        manageRoles: true,
-        managePermissions: true,
-        viewAudit: true,
-        configureSystem: true,
-        emergencyAccess: true
-      }
-    };
-  }
-  createUserPermissions() {
-    return {
-      memory: {
-        read: [{ type: "personal" }, { type: "team" }, { type: "project" }],
-        write: [{ type: "personal" }, { type: "team" }],
-        delete: [{ type: "personal" }],
-        share: [{ type: "personal" }],
-        export: [{ type: "personal" }]
-      },
-      data: {
-        classification: [
-          {
-            _level: "internal",
-            handling: "standard",
-            retention: { duration: 90 }
-          }
-        ],
-        sensitivity: [
-          {
-            type: "pii",
-            accessLevel: "masked",
-            auditRequired: true
-          }
-        ],
-        categories: ["general"],
-        tags: []
-      },
-      operations: {
-        query: { maxResults: 1e3, maxDepth: 3 },
-        analyze: {
-          algorithms: ["basic"],
-          mlModels: [],
-          aggregations: ["count", "sum", "average"],
-          exports: [{ format: "json", maxSize: 10 }]
-        },
-        modify: {
-          create: true,
-          update: true,
-          delete: false,
-          bulkOperations: false
-        },
-        integrate: {
-          apis: [],
-          webhooks: [],
-          external: []
-        }
-      },
-      administration: {
-        manageUsers: false,
-        manageRoles: false,
-        managePermissions: false,
-        viewAudit: false,
-        configureSystem: false,
-        emergencyAccess: false
-      }
-    };
-  }
-  createGuestPermissions() {
-    return {
-      memory: {
-        read: [{ type: "personal", timeRange: { rolling: 7 } }],
-        write: [],
-        delete: [],
-        share: [],
-        export: []
-      },
-      data: {
-        classification: [
-          {
-            _level: "public",
-            handling: "standard",
-            retention: { duration: 7 }
-          }
-        ],
-        sensitivity: [
-          {
-            type: "pii",
-            accessLevel: "none",
-            auditRequired: true
-          }
-        ],
-        categories: ["public"],
-        tags: []
-      },
-      operations: {
-        query: { maxResults: 100, maxDepth: 1, timeLimit: 10 },
-        analyze: {
-          algorithms: [],
-          mlModels: [],
-          aggregations: ["count"],
-          exports: []
-        },
-        modify: {
-          create: false,
-          update: false,
-          delete: false,
-          bulkOperations: false
-        },
-        integrate: {
-          apis: [],
-          webhooks: [],
-          external: []
-        }
-      },
-      administration: {
-        manageUsers: false,
-        manageRoles: false,
-        managePermissions: false,
-        viewAudit: false,
-        configureSystem: false,
-        emergencyAccess: false
-      }
-    };
-  }
-  createEmptyPermissions() {
-    return {
-      memory: {
-        read: [],
-        write: [],
-        delete: [],
-        share: [],
-        export: []
-      },
-      data: {
-        classification: [],
-        sensitivity: [],
-        categories: [],
-        tags: []
-      },
-      operations: {
-        query: Record,
-        analyze: { algorithms: [], mlModels: [], aggregations: [], exports: [] },
-        modify: {
-          create: false,
-          update: false,
-          delete: false,
-          bulkOperations: false
-        },
-        integrate: {
-          apis: [],
-          webhooks: [],
-          external: []
-        }
-      },
-      administration: {
-        manageUsers: false,
-        manageRoles: false,
-        managePermissions: false,
-        viewAudit: false,
-        configureSystem: false,
-        emergencyAccess: false
-      }
-    };
-  }
-  clonePermissions(_permissions) {
-    return JSON.parse(JSON.stringify(_permissions));
-  }
-  overridePermissions(_base, override) {
-    return override;
-  }
-  generateCacheKey(request) {
-    return crypto3.createHash("sha256").update(
-      `${request.userId}:${request.resource.type}:${request.resource.id}:${request.operation}`
-    ).digest("hex");
-  }
-  cacheDecision(_key, decision) {
-    if (this.cache.decisions.size >= this.cache.maxSize) {
-      const _firstKey = this.cache.decisions.keys().next().value;
-      this.cache.decisions.delete(_firstKey);
-    }
-    this.cache.decisions.set(_key, {
-      decision,
-      expires: new Date(Date.now() + (decision.ttl || this.cache.ttl)),
-      hits: 0,
-      created: /* @__PURE__ */ new Date()
-    });
-  }
-  invalidateUserCache(_userId) {
-    for (const [key, _cached] of this.cache.decisions) {
-      if (cached.decision.audit?.userId === _userId) {
-        this.cache.decisions.delete(key);
-      }
-    }
-  }
-  calculateTTL(_permissions) {
-    if (_permissions.administration.emergencyAccess) {
-      return 6e4;
-    }
-    if (_permissions.data.classification.some((c) => c.level === "secret")) {
-      return 18e4;
-    }
-    return 3e5;
-  }
-  createDeniedDecision(_request, reason) {
-    return {
-      requestId: _request.id,
-      granted: false,
-      reason,
-      audit: this.createAuditEntry(_request, "denied", reason)
-    };
-  }
-  createAuditEntry(request, decision, reason, _modifications, duration) {
-    return {
-      id: this.generateAuditId(),
-      timestamp: /* @__PURE__ */ new Date(),
-      _userId: request.userId,
-      action: request.operation,
-      resource: request.resource,
-      decision,
-      reason,
-      _context: request.context,
-      duration,
-      _modifications
-    };
-  }
-  isVPNConnection(_ip) {
-    return false;
-  }
-  generateUserId() {
-    return `user_${Date.now()}_${Math.random().toString(36).substring(2, 9)}`;
-  }
-  generateRoleId() {
-    return `role_${Date.now()}_${Math.random().toString(36).substring(2, 9)}`;
-  }
-  generateAuditId() {
-    return `audit_${Date.now()}_${Math.random().toString(36).substring(2, 9)}`;
-  }
-  generateEncryptionKey() {
-    return crypto3.randomBytes(32);
-  }
-  // ========== Public API ==========
-  getUser(_userId) {
-    return this.users.get(_userId);
-  }
-  getRole(_roleId) {
-    return this.roles.get(_roleId);
-  }
-  getAuditLog(filters) {
-    let logs = [...this.auditLog];
-    if (filters?.userId) {
-      logs = logs.filter((l) => l.userId === filters.userId);
-    }
-    if (filters?.startDate) {
-      logs = logs.filter((l) => l.timestamp >= filters.startDate);
-    }
-    if (filters?.endDate) {
-      logs = logs.filter((l) => l.timestamp <= filters.endDate);
-    }
-    if (filters?.decision) {
-      logs = logs.filter((l) => l.decision === filters.decision);
-    }
-    return logs;
-  }
-  getCacheStatistics() {
-    const _total = this.cache.hitRate + this.cache.missRate;
-    return {
-      size: this.cache.decisions.size,
-      hitRate: this.cache.hitRate,
-      missRate: this.cache.missRate,
-      efficiency: _total > 0 ? this.cache.hitRate / _total : 0
-    };
-  }
-  async exportConfiguration() {
-    return JSON.stringify(
-      {
-        config: this.config,
-        roles: Array.from(this.roles.entries()),
-        statistics: this.getCacheStatistics(),
-        exportedAt: (/* @__PURE__ */ new Date()).toISOString()
-      },
-      null,
-      2
-    );
-  }
-  async importConfiguration(data2) {
-    const _imported = JSON.parse(data2);
-    if (_imported.config) {
-      this.config = _imported.config;
-    }
-    if (_imported.roles) {
-      this.roles = new Map(_imported.roles);
-    }
-    this.emit("configurationImported", { importedAt: /* @__PURE__ */ new Date() });
-  }
-};
-var PolicyEngine = class {
-  config;
-  constructor(_config) {
-    this._config = _config;
-  }
-  evaluatePolicy(_policy, _context) {
-    return true;
-  }
-  validatePolicy(_policy) {
-    return { valid: true };
-  }
-};
 var EnterpriseAuthManager = class extends EventEmitter {
   providers;
   users;
@@ -37494,8 +36276,8 @@ var EnterpriseAuthManager = class extends EventEmitter {
     if (!rule.actions.includes(action) && !rule.actions.includes("*")) {
       return false;
     }
-    for (const condition2 of rule.conditions) {
-      if (!this.conditionMatches(condition2, _user, resource, context2)) {
+    for (const condition of rule.conditions) {
+      if (!this.conditionMatches(condition, _user, resource, context2)) {
         return false;
       }
     }
@@ -37518,25 +36300,25 @@ var EnterpriseAuthManager = class extends EventEmitter {
   resourceMatches(_ruleResource, resource) {
     return this.matchesPattern(_ruleResource.pattern, resource);
   }
-  conditionMatches(condition2, _user, resource, context2) {
+  conditionMatches(condition, _user, resource, context2) {
     let value2;
-    switch (condition2.context) {
+    switch (condition.context) {
       case "_user":
-        value2 = _user[condition2.attribute] || user.attributes[condition2.attribute];
+        value2 = _user[condition.attribute] || user.attributes[condition.attribute];
         break;
       case "resource":
         value2 = resource;
         break;
       case "environment":
-        value2 = this.getEnvironmentValue(condition2.attribute);
+        value2 = this.getEnvironmentValue(condition.attribute);
         break;
       case "_session":
-        value2 = context2?.metadata?.[condition2.attribute];
+        value2 = context2?.metadata?.[condition.attribute];
         break;
       default:
-        value2 = context2?.metadata?.[condition2.attribute];
+        value2 = context2?.metadata?.[condition.attribute];
     }
-    return this.compareValues(value2, condition2.operator, condition2.value);
+    return this.compareValues(value2, condition.operator, condition.value);
   }
   hasAttribute(_user, _attributeName, expectedAttributes) {
     if (!expectedAttributes) {
@@ -37602,12 +36384,12 @@ var EnterpriseAuthManager = class extends EventEmitter {
     return `${prefix}_${Date.now()}_${Math.random().toString(36).substr(2, 9)}`;
   }
   generateTOTPSecret() {
-    return crypto3.randomBytes(20).toString("hex");
+    return crypto2.randomBytes(20).toString("hex");
   }
   generateBackupCodes() {
     return Array.from(
       { length: 8 },
-      () => crypto3.randomBytes(4).toString("hex").toUpperCase()
+      () => crypto2.randomBytes(4).toString("hex").toUpperCase()
     );
   }
   generateQRCode(_email, _secret) {
@@ -37997,17 +36779,17 @@ var EnterpriseSecurityManager = class extends EventEmitter {
       }
     };
   }
-  evaluateDataCondition(condition2, data2, context2) {
-    const _value = this.getFieldValue(condition2.field, data2, context2);
-    switch (condition2.operator) {
+  evaluateDataCondition(condition, data2, context2) {
+    const _value = this.getFieldValue(condition.field, data2, context2);
+    switch (condition.operator) {
       case "equals":
-        return _value === condition2._value;
+        return _value === condition._value;
       case "contains":
-        return String(_value).includes(String(condition2._value));
+        return String(_value).includes(String(condition._value));
       case "matches":
-        return new RegExp(String(condition2._value)).test(String(_value));
+        return new RegExp(String(condition._value)).test(String(_value));
       case "in":
-        return Array.isArray(condition2._value) && condition2._value.includes(_value);
+        return Array.isArray(condition._value) && condition._value.includes(_value);
       default:
         return false;
     }
@@ -38028,8 +36810,8 @@ var EnterpriseSecurityManager = class extends EventEmitter {
     return _value;
   }
   async validateEncryptedData(encryptedData) {
-    const calculatedChecksum = crypto3.createHash("sha256").update(Buffer.from(encryptedData.ciphertext, "base64")).digest("hex");
-    if (!crypto3.timingSafeEqual(
+    const calculatedChecksum = crypto2.createHash("sha256").update(Buffer.from(encryptedData.ciphertext, "base64")).digest("hex");
+    if (!crypto2.timingSafeEqual(
       Buffer.from(calculatedChecksum, "hex"),
       Buffer.from(encryptedData.metadata._checksum, "hex")
     )) {
@@ -38057,8 +36839,8 @@ var EnterpriseSecurityManager = class extends EventEmitter {
     }
   }
   async verifyDataIntegrity(encryptedData) {
-    const calculatedChecksum = crypto3.createHash("sha256").update(Buffer.from(encryptedData.ciphertext, "base64")).digest("hex");
-    return crypto3.timingSafeEqual(
+    const calculatedChecksum = crypto2.createHash("sha256").update(Buffer.from(encryptedData.ciphertext, "base64")).digest("hex");
+    return crypto2.timingSafeEqual(
       Buffer.from(calculatedChecksum, "hex"),
       Buffer.from(encryptedData.metadata._checksum, "hex")
     );
@@ -38185,7 +36967,7 @@ var EnterpriseSecurityManager = class extends EventEmitter {
     this.emit("securityError", { type, _error, context: context2 });
   }
   generateTransferId() {
-    return crypto3.randomBytes(16).toString("hex");
+    return crypto2.randomBytes(16).toString("hex");
   }
 };
 var KeyManager = class extends EventEmitter {
@@ -38193,15 +36975,15 @@ var KeyManager = class extends EventEmitter {
     super();
     this.config = config;
     this.currentKeyIdValue = `key_${Date.now()}`;
-    this.dataKeys.set(this.currentKeyIdValue, crypto3.randomBytes(32));
-    this.signingKeyPair = crypto3.generateKeyPairSync("ed25519");
+    this.dataKeys.set(this.currentKeyIdValue, crypto2.randomBytes(32));
+    this.signingKeyPair = crypto2.generateKeyPairSync("ed25519");
   }
   currentKeyIdValue;
   dataKeys = /* @__PURE__ */ new Map();
   signingKeyPair = null;
   async rotateKey(keyId) {
     const id = keyId ?? `key_${Date.now()}`;
-    this.dataKeys.set(id, crypto3.randomBytes(32));
+    this.dataKeys.set(id, crypto2.randomBytes(32));
     this.currentKeyIdValue = id;
     this.emit("keyRotated", id);
   }
@@ -38226,11 +37008,11 @@ var KeyManager = class extends EventEmitter {
   async sign(data2) {
     if (!this.signingKeyPair)
       throw new SecurityError("NO_SIGNING_KEY", "signing key missing");
-    return crypto3.sign(null, data2, this.signingKeyPair.privateKey);
+    return crypto2.sign(null, data2, this.signingKeyPair.privateKey);
   }
   async verifySignature(data2, signature) {
     if (!this.signingKeyPair) return false;
-    return crypto3.verify(null, data2, this.signingKeyPair.publicKey, signature);
+    return crypto2.verify(null, data2, this.signingKeyPair.publicKey, signature);
   }
   async getKeyHealth() {
     return "low";
@@ -38249,13 +37031,13 @@ var EncryptionEngine = class {
     );
     if (key.length !== 32)
       throw new SecurityError("KEY_SIZE", "key must be 32 bytes");
-    const iv = crypto3.randomBytes(12);
-    const cipher2 = crypto3.createCipheriv("aes-256-gcm", key, iv);
+    const iv = crypto2.randomBytes(12);
+    const cipher2 = crypto2.createCipheriv("aes-256-gcm", key, iv);
     if (opts?.aad) cipher2.setAAD(Buffer.from(opts.aad, "utf8"));
     const plain = Buffer.from(JSON.stringify(data2), "utf8");
     const ct = Buffer.concat([cipher2.update(plain), cipher2.final()]);
     const tag = cipher2.getAuthTag();
-    const checksum = crypto3.createHash("sha256").update(ct).digest("hex");
+    const checksum = crypto2.createHash("sha256").update(ct).digest("hex");
     return {
       ciphertext: ct.toString("base64"),
       iv: iv.toString("base64"),
@@ -38278,7 +37060,7 @@ var EncryptionEngine = class {
     const iv = Buffer.from(enc.iv, "base64");
     const tag = Buffer.from(enc._tag, "base64");
     const ct = Buffer.from(enc.ciphertext, "base64");
-    const decipher = crypto3.createDecipheriv("aes-256-gcm", key, iv);
+    const decipher = crypto2.createDecipheriv("aes-256-gcm", key, iv);
     if (opts?.aad) decipher.setAAD(Buffer.from(opts.aad, "utf8"));
     decipher.setAuthTag(tag);
     const plain = Buffer.concat([decipher.update(ct), decipher.final()]);
@@ -38421,7 +37203,7 @@ var EnterpriseAuditLogger = class extends EventEmitter {
     this.hashChain = [];
     this.complianceRequirements = /* @__PURE__ */ new Map();
     this.realTimeMonitors = /* @__PURE__ */ new Set();
-    this.encryptionKey = encryptionKey ? Buffer.from(encryptionKey, "hex") : crypto3.randomBytes(32);
+    this.encryptionKey = encryptionKey ? Buffer.from(encryptionKey, "hex") : crypto2.randomBytes(32);
     this.immutableStorage = new ImmutableAuditStorage();
     this.retentionPolicies = /* @__PURE__ */ new Map([
       ["public", 90],
@@ -38671,7 +37453,7 @@ var EnterpriseAuditLogger = class extends EventEmitter {
       resource: _event.resource,
       result: _event.result
     });
-    const _hmac = crypto3.createHmac("sha256", this.encryptionKey);
+    const _hmac = crypto2.createHmac("sha256", this.encryptionKey);
     hmac.update(_data);
     return _hmac.digest("hex");
   }
@@ -38685,7 +37467,7 @@ var EnterpriseAuditLogger = class extends EventEmitter {
       ..._event,
       _hash: void 0
     });
-    return crypto3.createHash("sha256").update(_data).digest("hex");
+    return crypto2.createHash("sha256").update(_data).digest("hex");
   }
   async checkCompliance(_event) {
     for (const requirement of Array.from(
@@ -38964,7 +37746,7 @@ var EnterpriseAuditLogger = class extends EventEmitter {
     return "US";
   }
   getDeviceId() {
-    return `device_${crypto3.randomBytes(8).toString("hex")}`;
+    return `device_${crypto2.randomBytes(8).toString("hex")}`;
   }
   calculateRiskScore(metadata) {
     let score = 0.1;
@@ -39126,7 +37908,7 @@ var FeatureFlagController = class {
   healthHistory = [];
   MAX_HISTORY = 100;
   monitoringInterval;
-  hashSalt = crypto3__default.randomBytes(16).toString("hex");
+  hashSalt = crypto2__default.randomBytes(16).toString("hex");
   constructor(initialConfig) {
     this.config = this.mergeWithDefaults(initialConfig || {});
     this.status = this.initializeStatus();
@@ -39311,7 +38093,7 @@ var FeatureFlagController = class {
     if (this.userCache.has(cacheKey)) {
       return this.userCache.get(cacheKey);
     }
-    const hash = crypto3__default.createHash("sha256").update(`${userId}:${this.hashSalt}`).digest("hex");
+    const hash = crypto2__default.createHash("sha256").update(`${userId}:${this.hashSalt}`).digest("hex");
     const hashValue = parseInt(hash.slice(0, 8), 16);
     const bucket = hashValue % 100;
     const inRollout = bucket < this.config.rolloutPercentage;
@@ -39326,7 +38108,7 @@ var FeatureFlagController = class {
     if (this.commandCache.has(cacheKey)) {
       return this.commandCache.get(cacheKey);
     }
-    const hash = crypto3__default.createHash("sha256").update(`${commandName}:${this.hashSalt}`).digest("hex");
+    const hash = crypto2__default.createHash("sha256").update(`${commandName}:${this.hashSalt}`).digest("hex");
     const hashValue = parseInt(hash.slice(0, 8), 16);
     const bucket = hashValue % 100;
     const inRollout = bucket < this.config.rolloutPercentage;
@@ -39337,7 +38119,7 @@ var FeatureFlagController = class {
    * Determine if session should be in rollout
    */
   isSessionInRollout(sessionId) {
-    const hash = crypto3__default.createHash("sha256").update(`${sessionId}:${this.hashSalt}`).digest("hex");
+    const hash = crypto2__default.createHash("sha256").update(`${sessionId}:${this.hashSalt}`).digest("hex");
     const hashValue = parseInt(hash.slice(0, 8), 16);
     const bucket = hashValue % 100;
     return bucket < this.config.rolloutPercentage;
@@ -39580,6 +38362,7 @@ var EnterpriseSecurityIntegration = class extends EventEmitter {
   secureCommandAdapter;
   rbacGuard;
   accessControl;
+  // AccessControlManager - temporarily disabled
   authManager;
   securityManager;
   auditLogger;
@@ -39977,6 +38760,345 @@ async function createEnterpriseSecurityIntegration(config, dependencies) {
     integration.once("initialization_error", (error2) => reject(error2));
   });
 }
+var AccessControlManager2 = class extends EventEmitter {
+  config;
+  users = /* @__PURE__ */ new Map();
+  roles = /* @__PURE__ */ new Map();
+  sessions = /* @__PURE__ */ new Map();
+  cache = /* @__PURE__ */ new Map();
+  constructor(config) {
+    super();
+    this.config = config;
+    this.initialize();
+  }
+  initialize() {
+    this.config.hierarchyLevels.forEach((level) => {
+      const defaultRole = {
+        id: `default-${level.level}`,
+        name: `Default ${level.level} Role`,
+        level: level.level,
+        permissions: this.config.defaultPermissions,
+        priority: level.priority,
+        inheritFromParent: level.inheritFromParent,
+        overrideChild: level.overrideChild
+      };
+      this.roles.set(defaultRole.id, defaultRole);
+    });
+    this.emit("initialized", { organizationId: this.config.organizationId });
+  }
+  /**
+   * Check if a user has access to a resource
+   */
+  async checkAccess(userId, resource, action, context2) {
+    const cacheKey = `${userId}:${resource}:${action}`;
+    const cached = this.cache.get(cacheKey);
+    if (cached && cached.expiresAt > Date.now()) {
+      return cached.decision;
+    }
+    const user2 = this.users.get(userId);
+    if (!user2) {
+      return { allowed: false, reason: "User not found" };
+    }
+    const applicablePermissions = this.collectPermissions(user2);
+    const decision = this.evaluatePermissions(
+      applicablePermissions,
+      resource,
+      action,
+      context2
+    );
+    this.cache.set(cacheKey, {
+      decision,
+      expiresAt: Date.now() + 5 * 60 * 1e3
+      // 5 minutes
+    });
+    if (this.config.auditEnabled) {
+      this.emit("access-check", {
+        userId,
+        resource,
+        action,
+        decision,
+        timestamp: /* @__PURE__ */ new Date()
+      });
+    }
+    return decision;
+  }
+  /**
+   * Grant a role to a user
+   */
+  async grantRole(userId, roleId) {
+    const user2 = this.users.get(userId);
+    const role = this.roles.get(roleId);
+    if (!user2 || !role) {
+      throw new Error("User or role not found");
+    }
+    if (!user2.roles.find((r) => r.id === roleId)) {
+      user2.roles.push(role);
+      this.clearUserCache(userId);
+      this.emit("role-granted", {
+        userId,
+        roleId,
+        timestamp: /* @__PURE__ */ new Date()
+      });
+    }
+  }
+  /**
+   * Revoke a role from a user
+   */
+  async revokeRole(userId, roleId) {
+    const user2 = this.users.get(userId);
+    if (!user2) {
+      throw new Error("User not found");
+    }
+    const index = user2.roles.findIndex((r) => r.id === roleId);
+    if (index !== -1) {
+      user2.roles.splice(index, 1);
+      this.clearUserCache(userId);
+      this.emit("role-revoked", {
+        userId,
+        roleId,
+        timestamp: /* @__PURE__ */ new Date()
+      });
+    }
+  }
+  /**
+   * Register a new user
+   */
+  async registerUser(user2) {
+    this.users.set(user2.id, user2);
+    const defaultRole = this.roles.get("default-individual");
+    if (defaultRole && !user2.roles.find((r) => r.id === defaultRole.id)) {
+      user2.roles.push(defaultRole);
+    }
+    this.emit("user-registered", {
+      userId: user2.id,
+      timestamp: /* @__PURE__ */ new Date()
+    });
+  }
+  /**
+   * Create a custom role
+   */
+  async createRole(role) {
+    this.roles.set(role.id, role);
+    this.emit("role-created", {
+      roleId: role.id,
+      timestamp: /* @__PURE__ */ new Date()
+    });
+  }
+  /**
+   * Get classification level for data
+   */
+  getDataClassification(data2) {
+    for (const rule of this.config.dataClassification.rules) {
+      const pattern2 = rule.pattern instanceof RegExp ? rule.pattern : new RegExp(rule.pattern, "i");
+      if (pattern2.test(data2)) {
+        return rule.level;
+      }
+    }
+    return this.config.dataClassification.defaultLevel;
+  }
+  /**
+   * Collect all permissions for a user
+   */
+  collectPermissions(user2) {
+    const permissions = [];
+    if (user2.permissions) {
+      permissions.push(user2.permissions);
+    }
+    const sortedRoles = [...user2.roles].sort((a2, b) => b.priority - a2.priority);
+    for (const role of sortedRoles) {
+      permissions.push(role.permissions);
+      if (role.inheritFromParent) {
+        const parentRole = this.findParentRole(role);
+        if (parentRole) {
+          permissions.push(parentRole.permissions);
+        }
+      }
+    }
+    return permissions;
+  }
+  /**
+   * Evaluate permissions against a resource and action
+   */
+  evaluatePermissions(permissions, resource, action, context2) {
+    for (const permSet of permissions) {
+      if (!permSet.actions.includes(action) && !permSet.actions.includes("*")) {
+        continue;
+      }
+      const resourcePerms = permSet.resources[resource] || permSet.resources["*"];
+      if (!resourcePerms) {
+        continue;
+      }
+      const hasPermission = this.mapActionToPermission(action, resourcePerms);
+      if (!hasPermission) {
+        continue;
+      }
+      if (permSet.conditions) {
+        const conditionsMet = this.evaluateConditions(permSet.conditions, context2);
+        if (!conditionsMet) {
+          continue;
+        }
+      }
+      return {
+        allowed: true,
+        conditions: permSet.conditions
+      };
+    }
+    return {
+      allowed: false,
+      reason: "No matching permissions found"
+    };
+  }
+  /**
+   * Map an action to resource permissions
+   */
+  mapActionToPermission(action, perms) {
+    const actionMap = {
+      read: "read",
+      view: "read",
+      write: "write",
+      create: "write",
+      update: "write",
+      delete: "delete",
+      remove: "delete",
+      execute: "execute",
+      run: "execute",
+      share: "share",
+      admin: "admin",
+      manage: "admin"
+    };
+    const permKey = actionMap[action.toLowerCase()];
+    return permKey ? perms[permKey] === true : false;
+  }
+  /**
+   * Evaluate permission conditions
+   */
+  evaluateConditions(conditions, context2) {
+    if (!context2) return false;
+    for (const condition of conditions) {
+      if (!this.evaluateCondition(condition, context2)) {
+        return false;
+      }
+    }
+    return true;
+  }
+  /**
+   * Evaluate a single condition
+   */
+  evaluateCondition(condition, context2) {
+    const value2 = context2[condition.type];
+    if (value2 === void 0) return false;
+    switch (condition.operator) {
+      case "equals":
+        return value2 === condition.value;
+      case "contains":
+        return String(value2).includes(String(condition.value));
+      case "matches":
+        return new RegExp(condition.value).test(String(value2));
+      case "between":
+        return value2 >= condition.value[0] && value2 <= condition.value[1];
+      default:
+        return false;
+    }
+  }
+  /**
+   * Find parent role in hierarchy
+   */
+  findParentRole(role) {
+    const currentLevel = this.config.hierarchyLevels.find(
+      (l) => l.level === role.level
+    );
+    if (!currentLevel) return void 0;
+    const parentLevel = this.config.hierarchyLevels.find(
+      (l) => l.priority === currentLevel.priority + 1
+    );
+    if (!parentLevel) return void 0;
+    return Array.from(this.roles.values()).find(
+      (r) => r.level === parentLevel.level
+    );
+  }
+  /**
+   * Clear cache for a user
+   */
+  clearUserCache(userId) {
+    const keysToDelete = [];
+    for (const key of this.cache.keys()) {
+      if (key.startsWith(`${userId}:`)) {
+        keysToDelete.push(key);
+      }
+    }
+    keysToDelete.forEach((key) => this.cache.delete(key));
+  }
+  /**
+   * Get user by ID
+   */
+  getUser(userId) {
+    return this.users.get(userId);
+  }
+  /**
+   * Get role by ID
+   */
+  getRole(roleId) {
+    return this.roles.get(roleId);
+  }
+  /**
+   * List all users
+   */
+  listUsers() {
+    return Array.from(this.users.values());
+  }
+  /**
+   * List all roles
+   */
+  listRoles() {
+    return Array.from(this.roles.values());
+  }
+};
+new AccessControlManager2({
+  organizationId: "default",
+  hierarchyLevels: [
+    {
+      level: "individual",
+      priority: 1,
+      inheritFromParent: false,
+      overrideChild: true
+    },
+    {
+      level: "team",
+      priority: 2,
+      inheritFromParent: true,
+      overrideChild: true
+    },
+    {
+      level: "department",
+      priority: 3,
+      inheritFromParent: true,
+      overrideChild: true
+    },
+    {
+      level: "organization",
+      priority: 4,
+      inheritFromParent: false,
+      overrideChild: false
+    }
+  ],
+  defaultPermissions: {
+    resources: {
+      "*": {
+        read: true,
+        write: false,
+        delete: false,
+        execute: false
+      }
+    },
+    actions: ["read", "view"]
+  },
+  dataClassification: {
+    levels: ["public", "internal", "confidential", "restricted"],
+    defaultLevel: "internal",
+    rules: []
+  },
+  auditEnabled: true
+});
 var MemoryPortabilityFramework = class extends EventEmitter {
   config;
   dataPorter;
@@ -43824,8 +42946,8 @@ var SafeEncryptionService = class extends EventEmitter {
     try {
       const dataBuffer = Buffer.isBuffer(data2) ? data2 : Buffer.from(data2, "utf8");
       const keyInfo = await this.getEncryptionKey();
-      const iv = crypto3.randomBytes(12);
-      const cipher2 = crypto3.createCipher("aes-256-gcm", keyInfo.key);
+      const iv = crypto2.randomBytes(12);
+      const cipher2 = crypto2.createCipher("aes-256-gcm", keyInfo.key);
       cipher2.setAAD(Buffer.from(keyInfo.version, "utf8"));
       const encrypted = Buffer.concat([
         cipher2.update(dataBuffer),
@@ -43861,7 +42983,7 @@ var SafeEncryptionService = class extends EventEmitter {
       const authTag = encryptedBuffer.subarray(12, 28);
       const encrypted = encryptedBuffer.subarray(28);
       const keyInfo = await this.getDecryptionKey(request.keyVersion);
-      const decipher = crypto3.createDecipher("aes-256-gcm", keyInfo.key);
+      const decipher = crypto2.createDecipher("aes-256-gcm", keyInfo.key);
       decipher.setAuthTag(authTag);
       decipher.setAAD(Buffer.from(keyInfo.version, "utf8"));
       const decrypted = Buffer.concat([
@@ -43943,11 +43065,11 @@ var SafeEncryptionService = class extends EventEmitter {
    * Derive encryption key using configured KDF
    */
   async deriveKey(input2) {
-    const salt = crypto3.randomBytes(this.config.kdf.saltSize);
+    const salt = crypto2.randomBytes(this.config.kdf.saltSize);
     switch (this.config.kdf.method) {
       case "scrypt":
         return new Promise((resolve3, reject) => {
-          crypto3.scrypt(
+          crypto2.scrypt(
             input2,
             salt,
             this.config.kdf.keySize,
@@ -43965,7 +43087,7 @@ var SafeEncryptionService = class extends EventEmitter {
         });
       case "PBKDF2":
         return new Promise((resolve3, reject) => {
-          crypto3.pbkdf2(
+          crypto2.pbkdf2(
             input2,
             salt,
             this.config.kdf.iterations || 1e5,
@@ -45210,14 +44332,14 @@ var EnterpriseDataPorter = class extends EventEmitter {
   async generateChecksums(data2) {
     const _dataStr = typeof data2 === "string" ? data2 : JSON.stringify(data2);
     return {
-      md5: crypto3.createHash("md5").update(_dataStr).digest("hex"),
-      sha256: crypto3.createHash("sha256").update(_dataStr).digest("hex"),
-      sha512: crypto3.createHash("sha512").update(_dataStr).digest("hex"),
+      md5: crypto2.createHash("md5").update(_dataStr).digest("hex"),
+      sha256: crypto2.createHash("sha256").update(_dataStr).digest("hex"),
+      sha512: crypto2.createHash("sha512").update(_dataStr).digest("hex"),
       crc32: this.calculateCRC32(_dataStr)
     };
   }
   calculateCRC32(data2) {
-    return crypto3.createHash("md5").update(data2).digest("hex").substring(0, 8);
+    return crypto2.createHash("md5").update(data2).digest("hex").substring(0, 8);
   }
   // Data writing implementations for different destination types
   async writeToDatabase(data2, connection, destination) {
@@ -46199,21 +45321,21 @@ var EncryptionService = class {
     }
   }
   async deriveKey(providedSalt, iterations) {
-    const salt = providedSalt || crypto3.randomBytes(this.config.keyDerivation.saltSize);
+    const salt = providedSalt || crypto2.randomBytes(this.config.keyDerivation.saltSize);
     const iterationCount = iterations || this.config.keyDerivation.iterations;
     const password = process.env.ENCRYPTION_PASSWORD || "default-encryption-key-maria-data-porter";
     let key;
     let iv;
     switch (this.config.keyDerivation.method) {
       case "PBKDF2":
-        key = crypto3.pbkdf2Sync(
+        key = crypto2.pbkdf2Sync(
           password,
           salt,
           iterationCount,
           this.config.keyDerivation.keySize,
           "sha256"
         );
-        iv = crypto3.pbkdf2Sync(
+        iv = crypto2.pbkdf2Sync(
           password + "iv",
           salt,
           Math.floor(iterationCount / 2),
@@ -46222,22 +45344,22 @@ var EncryptionService = class {
         );
         break;
       case "scrypt":
-        key = crypto3.scryptSync(
+        key = crypto2.scryptSync(
           password,
           salt,
           this.config.keyDerivation.keySize
         );
-        iv = crypto3.scryptSync(password + "iv", salt, 16);
+        iv = crypto2.scryptSync(password + "iv", salt, 16);
         break;
       case "Argon2":
-        key = crypto3.pbkdf2Sync(
+        key = crypto2.pbkdf2Sync(
           password,
           salt,
           iterationCount,
           this.config.keyDerivation.keySize,
           "sha256"
         );
-        iv = crypto3.pbkdf2Sync(
+        iv = crypto2.pbkdf2Sync(
           password + "iv",
           salt,
           Math.floor(iterationCount / 2),
@@ -46290,7 +45412,7 @@ var EncryptionService = class {
           `Unsupported encryption algorithm: ${this.config.algorithm}`
         );
     }
-    const decipher = crypto3.createDecipher(algorithm, key);
+    const decipher = crypto2.createDecipher(algorithm, key);
     let cipherData = encryptedData;
     if (this.config.algorithm === "AES-256-GCM") {
       const tag = encryptedData.slice(-16);
@@ -46377,13 +45499,13 @@ var EncryptionService = class {
    * Generate a secure random key for one-time use
    */
   generateRandomKey(length = 32) {
-    return crypto3.randomBytes(length);
+    return crypto2.randomBytes(length);
   }
   /**
    * Generate a secure hash of data for integrity verification
    */
   generateHash(data2, algorithm = "sha256") {
-    const hash = crypto3.createHash(algorithm);
+    const hash = crypto2.createHash(algorithm);
     hash.update(typeof data2 === "string" ? Buffer.from(data2) : data2);
     return hash.digest("hex");
   }
@@ -47119,9 +46241,9 @@ var ModelRegistry2 = class extends EventEmitter {
    */
   list(filters = {}) {
     const cacheKey = this.generateCacheKey(filters);
-    const cached2 = this.cache.get(cacheKey);
-    if (cached2 && Date.now() - cached2.timestamp < cached2.ttl) {
-      return cached2.result;
+    const cached = this.cache.get(cacheKey);
+    if (cached && Date.now() - cached.timestamp < cached.ttl) {
+      return cached.result;
     }
     let result2 = Array.from(this.models.values());
     if (filters.provider) {
@@ -47620,7 +46742,91 @@ function createModelSelector(options) {
   };
 }
 (/* @__PURE__ */ new Date()).toISOString();
-var PolicyEngine2 = class extends EventEmitter {
+
+// src/lib/command-groups.ts
+var commandGroups = {
+  core: [
+    "about",
+    "changelog",
+    "config",
+    "contact",
+    "doctor",
+    "examples",
+    "help",
+    "history",
+    "list",
+    "logout",
+    "model",
+    "ping",
+    "plan",
+    "plugins",
+    "status",
+    "tutorial",
+    "usage",
+    "verify",
+    "version"
+  ],
+  auth: ["login", "logout", "whoami"],
+  code: ["code", "mm", "multimodal"],
+  configuration: ["config", "hooks", "model", "permissions", "settings", "theme"],
+  multimodal: ["face", "image", "mm", "multimodal", "screenshot", "video", "voice"],
+  evolution: ["benchmark", "evolve", "quality"],
+  memory: ["forget", "memory", "recall", "remember"],
+  analysis: ["analyze", "diagram", "diff", "visualize"],
+  system: ["doctor", "health", "manifest", "selftest"],
+  workflow: ["nl", "nl-poc"],
+  safety: ["check"],
+  evaluation: ["run"],
+  assistant: ["ask", "chat", "think"],
+  data: ["db", "export", "import", "sync"],
+  utilities: ["alias", "clear", "history", "reset"],
+  experimental: ["preview", "test"],
+  business: ["battlecard", "sales-dashboard", "tune", "pilot-setup"],
+  plugins: ["plugins"],
+  search: ["search"],
+  enterprise: ["admin", "audit", "compliance", "security"],
+  development: ["debug", "profile", "trace"]
+};
+var allCommands = Object.values(commandGroups).flat();
+var categories = Object.keys(commandGroups);
+var commandCategories = {
+  core: "Core",
+  auth: "Authentication",
+  code: "Code Generation",
+  configuration: "Configuration",
+  multimodal: "Multimodal",
+  evolution: "Evolution",
+  memory: "Memory",
+  analysis: "Analysis",
+  system: "System",
+  workflow: "Workflow",
+  safety: "Safety",
+  evaluation: "Evaluation",
+  assistant: "Assistant",
+  data: "Data",
+  utilities: "Utilities",
+  experimental: "Experimental",
+  business: "Business",
+  plugins: "Plugins",
+  search: "Search",
+  enterprise: "Enterprise",
+  development: "Development"
+};
+var commandInfo = {};
+for (const [category, commands] of Object.entries(commandGroups)) {
+  for (const command of commands) {
+    commandInfo[command] = {
+      name: `/${command}`,
+      category
+    };
+  }
+}
+commandInfo["model"] = { ...commandInfo["model"], aliases: ["/m", "/models"] };
+commandInfo["memory"] = { ...commandInfo["memory"], aliases: ["/mem"] };
+commandInfo["login"] = { ...commandInfo["login"], aliases: ["/signin"] };
+commandInfo["logout"] = { ...commandInfo["logout"], aliases: ["/signout"] };
+commandInfo["evolve"] = { ...commandInfo["evolve"], aliases: ["/evolution", "/auto-evolve"] };
+var PolicyEngine = class extends EventEmitter {
   constructor(firestoreClient, options = {
     cacheExpirationMs: 3e5,
     // 5 minutes
@@ -47652,11 +46858,11 @@ var PolicyEngine2 = class extends EventEmitter {
    * Get policy with hot cache support
    */
   async getPolicy(policyId) {
-    const cached2 = this.policyCache.get(policyId);
-    if (cached2 && this.isCacheValid(cached2)) {
-      cached2.lastAccessedAt = /* @__PURE__ */ new Date();
-      cached2.hitCount++;
-      return cached2.policy;
+    const cached = this.policyCache.get(policyId);
+    if (cached && this.isCacheValid(cached)) {
+      cached.lastAccessedAt = /* @__PURE__ */ new Date();
+      cached.hitCount++;
+      return cached.policy;
     }
     const policy = await this.loadPolicyFromFirestore(policyId);
     this.updateCache(policyId, policy);
@@ -47850,31 +47056,31 @@ var PolicyEngine2 = class extends EventEmitter {
       hitCount: 0
     });
   }
-  evaluateRuleCondition(condition2, task) {
+  evaluateRuleCondition(condition, task) {
     const reasons = [];
-    if (condition2["task.kind"]) {
-      const allowedKinds = Array.isArray(condition2["task.kind"]) ? condition2["task.kind"] : [condition2["task.kind"]];
+    if (condition["task.kind"]) {
+      const allowedKinds = Array.isArray(condition["task.kind"]) ? condition["task.kind"] : [condition["task.kind"]];
       if (!allowedKinds.includes(task.task.kind)) {
         return { matched: false, reason: `Task kind ${task.task.kind} not in ${allowedKinds.join(", ")}` };
       }
       reasons.push(`Task kind matches: ${task.task.kind}`);
     }
-    if (condition2["task.subtype"] && task.task.subtype) {
-      const allowedSubtypes = Array.isArray(condition2["task.subtype"]) ? condition2["task.subtype"] : [condition2["task.subtype"]];
+    if (condition["task.subtype"] && task.task.subtype) {
+      const allowedSubtypes = Array.isArray(condition["task.subtype"]) ? condition["task.subtype"] : [condition["task.subtype"]];
       if (!allowedSubtypes.includes(task.task.subtype)) {
         return { matched: false, reason: `Task subtype ${task.task.subtype} not in ${allowedSubtypes.join(", ")}` };
       }
       reasons.push(`Task subtype matches: ${task.task.subtype}`);
     }
-    if (condition2["session.plan"]) {
-      const allowedPlans = Array.isArray(condition2["session.plan"]) ? condition2["session.plan"] : [condition2["session.plan"]];
+    if (condition["session.plan"]) {
+      const allowedPlans = Array.isArray(condition["session.plan"]) ? condition["session.plan"] : [condition["session.plan"]];
       if (!allowedPlans.includes(task.session.plan)) {
         return { matched: false, reason: `User plan ${task.session.plan} not in ${allowedPlans.join(", ")}` };
       }
       reasons.push(`User plan matches: ${task.session.plan}`);
     }
-    if (condition2["task.tokensIn"]) {
-      const tokenCondition = condition2["task.tokensIn"];
+    if (condition["task.tokensIn"]) {
+      const tokenCondition = condition["task.tokensIn"];
       const tokensIn = task.task.tokensIn;
       if (tokenCondition.gt !== void 0 && tokensIn <= tokenCondition.gt) {
         return { matched: false, reason: `Tokens ${tokensIn} not > ${tokenCondition.gt}` };
@@ -47890,10 +47096,10 @@ var PolicyEngine2 = class extends EventEmitter {
       }
       reasons.push(`Token count condition satisfied: ${tokensIn}`);
     }
-    if (condition2.timeOfDay) {
+    if (condition.timeOfDay) {
       const now = /* @__PURE__ */ new Date();
       const timeStr = now.toTimeString().slice(0, 5);
-      const { start, end } = condition2.timeOfDay;
+      const { start, end } = condition.timeOfDay;
       if (timeStr < start || timeStr > end) {
         return { matched: false, reason: `Current time ${timeStr} not between ${start} and ${end}` };
       }
@@ -48014,9 +47220,9 @@ var ModelPoolManager = class extends EventEmitter {
    * Get model pool with caching
    */
   async getModelPool(poolId) {
-    const cached2 = this.poolCache.get(poolId);
-    if (cached2 && this.isPoolCacheValid(cached2)) {
-      return cached2.pool;
+    const cached = this.poolCache.get(poolId);
+    if (cached && this.isPoolCacheValid(cached)) {
+      return cached.pool;
     }
     const pool = await this.loadPoolFromFirestore(poolId);
     this.updatePoolCache(poolId, pool);
@@ -48186,8 +47392,8 @@ var ModelPoolManager = class extends EventEmitter {
       version: pool.version
     });
   }
-  isPoolCacheValid(cached2) {
-    const age = Date.now() - cached2.cachedAt.getTime();
+  isPoolCacheValid(cached) {
+    const age = Date.now() - cached.cachedAt.getTime();
     return age < 3e5;
   }
   getCircuitBreakerState(modelId) {
@@ -49954,7 +49160,7 @@ var CompletePIIRedactor = class extends EventEmitter {
     };
   }
   generateEncryptionKey() {
-    return crypto3__default.randomBytes(32);
+    return crypto2__default.randomBytes(32);
   }
   /**
    * Get comprehensive audit trail for compliance reporting
@@ -51873,7 +51079,7 @@ var IMSRouter = class extends EventEmitter {
   constructor(config) {
     super();
     this.config = config;
-    this.policyEngine = new PolicyEngine2(config.firestoreClient);
+    this.policyEngine = new PolicyEngine(config.firestoreClient);
     this.poolManager = new ModelPoolManager(config.firestoreClient);
     this.piiRedactor = new CompletePIIRedactor();
     this.decisionEngine = new RoutingDecisionEngine(
@@ -53969,13 +53175,13 @@ var UnifiedProviderInterface = class extends EventEmitter {
     this.emit("cleanup");
   }
 };
-function RequireRole(role2) {
+function RequireRole(role) {
   return function(target, propertyName, descriptor) {
     const method = descriptor.value;
     descriptor.value = function(...args) {
       const req = args[0];
-      if (!req.user || !req.user.roles.includes(role2)) {
-        throw new Error(`Insufficient permissions. Required role: ${role2}`);
+      if (!req.user || !req.user.roles.includes(role)) {
+        throw new Error(`Insufficient permissions. Required role: ${role}`);
       }
       return method.apply(this, args);
     };
@@ -54133,13 +53339,13 @@ var AdminAPI = class extends EventEmitter {
     const { category, active } = req.query;
     const testCases = this.dependencies.goldenDatasetMonitor.getTestCases(category);
     const filteredCases = active === "true" ? testCases.filter((tc) => tc.isActive) : testCases;
-    const categories = [...new Set(testCases.map((tc) => tc.category))];
+    const categories2 = [...new Set(testCases.map((tc) => tc.category))];
     this.logAdminAction(req.user, "VIEW_GOLDEN_DATASET", { category, active });
     return {
       testCases: filteredCases,
       totalCount: testCases.length,
       activeCount: testCases.filter((tc) => tc.isActive).length,
-      categories
+      categories: categories2
     };
   }
   async runGoldenDatasetTests(req) {
@@ -54427,6 +53633,6 @@ __decorateClass([
   RequireRole("ims.viewer")
 ], AdminAPI.prototype, "getSystemHealth");
 
-export { AccessControlManager, AdaptiveSSEController, AdminAPI, DocumentType, DualMemoryEngine, EnterpriseDataPorter, EnterpriseSecurityIntegration, FileSystemService, FilenameInferenceService, HotCache, HysteresisHealthChecker, IMSAPIEndpoints, IMSRouter, IdempotencyManager, IntelligentDocumentSaveService, IntelligentRouterService, MemoryPortabilityFramework, ModelRegistry2 as ModelRegistry, ModelSelectorEngine2 as ModelSelectorEngine, ModelSelectorV2Facade2 as ModelSelectorV2Facade, MultimodalDeploymentConfig, MultimodalService, PreciseCostCalculator, RBACCommandGuard, RecommendationEngine, RunawayPreventionCircuitBreaker, SecureSlashCommandAdapter, System1MemoryManager, System2MemoryManager, TTFBAuditor, UnifiedProviderInterface, autoSaveDocument, autoSaveIntelligently, autoSaveMultipleDocuments, autoSaveMultipleIntelligently, classifyDocument, createEnterpriseSecurityIntegration, createMemoryPortabilityFramework, createModelSelector, generateDocumentFilename, getModelSelectorV2Config, intelligentSave, isModelSelectorV2Enabled, saveDocumentToFile };
+export { AccessControlManager2 as AccessControlManager, AdaptiveSSEController, AdminAPI, DocumentType, DualMemoryEngine, EnterpriseDataPorter, EnterpriseSecurityIntegration, FileSystemService, FilenameInferenceService, HotCache, HysteresisHealthChecker, IMSAPIEndpoints, IMSRouter, IdempotencyManager, IntelligentDocumentSaveService, IntelligentRouterService, MemoryPortabilityFramework, ModelRegistry2 as ModelRegistry, ModelSelectorEngine2 as ModelSelectorEngine, ModelSelectorV2Facade2 as ModelSelectorV2Facade, MultimodalDeploymentConfig, MultimodalService, PreciseCostCalculator, RBACCommandGuard, RecommendationEngine, RunawayPreventionCircuitBreaker, SecureSlashCommandAdapter, System1MemoryManager, System2MemoryManager, TTFBAuditor, UnifiedProviderInterface, allCommands, autoSaveDocument, autoSaveIntelligently, autoSaveMultipleDocuments, autoSaveMultipleIntelligently, categories, classifyDocument, commandCategories, commandGroups, commandInfo, createEnterpriseSecurityIntegration, createMemoryPortabilityFramework, createModelSelector, generateDocumentFilename, getModelSelectorV2Config, intelligentSave, isModelSelectorV2Enabled, saveDocumentToFile };
 //# sourceMappingURL=index.js.map
 //# sourceMappingURL=index.js.map