@devshub198211/devguard 2.0.1 → 2.0.3

package/dist/index.cjs

@@ -1,2655 +0,0 @@
-'use strict';
-
-var fs = require('fs');
-var crypto6 = require('crypto');
-var path = require('path');
-var os = require('os');
-var https = require('https');
-var http = require('http');
-
-function _interopNamespace(e) {
-  if (e && e.__esModule) return e;
-  var n = Object.create(null);
-  if (e) {
-    Object.keys(e).forEach(function (k) {
-      if (k !== 'default') {
-        var d = Object.getOwnPropertyDescriptor(e, k);
-        Object.defineProperty(n, k, d.get ? d : {
-          enumerable: true,
-          get: function () { return e[k]; }
-        });
-      }
-    });
-  }
-  n.default = e;
-  return Object.freeze(n);
-}
-
-var fs__namespace = /*#__PURE__*/_interopNamespace(fs);
-var crypto6__namespace = /*#__PURE__*/_interopNamespace(crypto6);
-var path__namespace = /*#__PURE__*/_interopNamespace(path);
-var os__namespace = /*#__PURE__*/_interopNamespace(os);
-var https__namespace = /*#__PURE__*/_interopNamespace(https);
-var http__namespace = /*#__PURE__*/_interopNamespace(http);
-
-// src/security/lockfile-guardian.ts
-var LOCKFILES = ["package-lock.json", "yarn.lock", "pnpm-lock.yaml", "bun.lockb"];
-var MAX_LOCKFILE_SIZE = 100 * 1024 * 1024;
-function safeResolve(root, ...segments) {
-  const resolvedRoot = path__namespace.resolve(root);
-  const resolved = path__namespace.resolve(resolvedRoot, ...segments);
-  if (!resolved.startsWith(resolvedRoot + path__namespace.sep) && resolved !== resolvedRoot) {
-    throw new Error(`Path traversal detected: ${segments.join("/")} escapes root ${resolvedRoot}`);
-  }
-  return resolved;
-}
-function hashFile(filePath) {
-  const stat = fs__namespace.statSync(filePath);
-  if (stat.size > MAX_LOCKFILE_SIZE) {
-    throw new Error(`File too large to hash (${stat.size} bytes, max ${MAX_LOCKFILE_SIZE}): ${filePath}`);
-  }
-  const buf = fs__namespace.readFileSync(filePath);
-  return "sha512-" + crypto6__namespace.createHash("sha512").update(buf).digest("base64");
-}
-function verifyLockfile(root = process.cwd(), snapshotPath) {
-  const resolvedRoot = path__namespace.resolve(root);
-  const snap = snapshotPath ? path__namespace.resolve(snapshotPath) : path__namespace.join(resolvedRoot, ".lockguard-snapshot.json");
-  let snapshot = null;
-  if (fs__namespace.existsSync(snap)) {
-    try {
-      const raw = JSON.parse(fs__namespace.readFileSync(snap, "utf-8"));
-      if (raw && typeof raw === "object" && raw.version === 2 && typeof raw.entries === "object" && raw.entries !== null) {
-        snapshot = raw;
-      }
-    } catch {
-    }
-  }
-  const tampered = [];
-  const missing = [];
-  const added = [];
-  const entries = [];
-  const known = new Set(Object.keys(snapshot?.entries ?? {}));
-  for (const lf of LOCKFILES) {
-    const full = safeResolve(resolvedRoot, lf);
-    if (!fs__namespace.existsSync(full)) {
-      if (known.has(lf)) missing.push(lf);
-      continue;
-    }
-    try {
-      const stat = fs__namespace.statSync(full);
-      if (!stat.isFile()) continue;
-      const hash = hashFile(full);
-      entries.push({ file: lf, hash, size: stat.size, mtime: stat.mtimeMs });
-      if (snapshot) {
-        const prev = snapshot.entries[lf];
-        if (!prev) {
-          added.push(lf);
-        } else if (prev.hash !== hash) {
-          tampered.push(lf);
-        }
-      }
-    } catch {
-    }
-  }
-  return {
-    valid: tampered.length === 0 && missing.length === 0,
-    tampered,
-    missing,
-    added,
-    entries,
-    scannedAt: (/* @__PURE__ */ new Date()).toISOString()
-  };
-}
-function createSnapshot(root = process.cwd(), snapshotPath) {
-  const resolvedRoot = path__namespace.resolve(root);
-  const snap = snapshotPath ? path__namespace.resolve(snapshotPath) : path__namespace.join(resolvedRoot, ".lockguard-snapshot.json");
-  const entries = {};
-  for (const lf of LOCKFILES) {
-    const full = safeResolve(resolvedRoot, lf);
-    if (!fs__namespace.existsSync(full)) continue;
-    try {
-      const stat = fs__namespace.statSync(full);
-      if (!stat.isFile()) continue;
-      entries[lf] = { hash: hashFile(full), size: stat.size };
-    } catch {
-    }
-  }
-  const snapshot = {
-    version: 2,
-    createdAt: (/* @__PURE__ */ new Date()).toISOString(),
-    host: os__namespace.hostname(),
-    entries
-  };
-  const tmpPath = snap + ".tmp." + crypto6__namespace.randomBytes(4).toString("hex");
-  try {
-    fs__namespace.writeFileSync(tmpPath, JSON.stringify(snapshot, null, 2));
-    fs__namespace.renameSync(tmpPath, snap);
-  } catch (e) {
-    try {
-      fs__namespace.unlinkSync(tmpPath);
-    } catch {
-    }
-    throw e;
-  }
-  return snapshot;
-}
-function extractTransitiveDeps(root = process.cwd()) {
-  const resolvedRoot = path__namespace.resolve(root);
-  const pkgLock = path__namespace.join(resolvedRoot, "package-lock.json");
-  if (!fs__namespace.existsSync(pkgLock)) return {};
-  try {
-    const lock = JSON.parse(fs__namespace.readFileSync(pkgLock, "utf-8"));
-    const deps = {};
-    const packages = lock.packages;
-    if (typeof packages !== "object" || packages === null) return {};
-    for (const [k, v] of Object.entries(packages)) {
-      if (k && typeof v === "object" && v !== null && typeof v.version === "string") {
-        const name = k.replace(/^node_modules\//, "");
-        if (name === "__proto__" || name === "constructor" || name === "prototype") continue;
-        deps[name] = v.version;
-      }
-    }
-    return deps;
-  } catch {
-    return {};
-  }
-}
-var MAX_PKG_JSON_SIZE = 2 * 1024 * 1024;
-var MAX_SCRIPT_LENGTH = 1e4;
-var MAX_SCAN_DEPTH = 5;
-var RULES = [
-  { id: "R001", label: "Curl-to-shell pipe", severity: "critical", test: (s) => /curl\s+.+\|.*(ba)?sh/i.test(s) },
-  { id: "R002", label: "Wget-to-shell pipe", severity: "critical", test: (s) => /wget\s+.+\|.*(ba)?sh/i.test(s) },
-  { id: "R003", label: "Netcat reverse shell", severity: "critical", test: (s) => /\bnc(at)?\b.+-e\b|\bncat\b.+\bsh\b/i.test(s) },
-  { id: "R004", label: "System credential access", severity: "critical", test: (s) => /\/etc\/(passwd|shadow|sudoers)/i.test(s) },
-  { id: "R005", label: "SSH key exfiltration", severity: "critical", test: (s) => /\.ssh\/(id_rsa|authorized_keys|config)/i.test(s) },
-  { id: "R006", label: "Crypto miner binary", severity: "critical", test: (s) => /\b(xmrig|minerd|cpuminer|ethminer|claymore)\b/i.test(s) },
-  { id: "R007", label: "Stratum mining pool URL", severity: "critical", test: (s) => /stratum\+tcp:\/\//i.test(s) },
-  { id: "R008", label: "eval() usage", severity: "high", test: (s) => /\beval\s*\(/.test(s) },
-  { id: "R009", label: "Base64 decode + exec", severity: "high", test: (s) => /base64.*(decode|--decode|-d).*exec|exec.*base64.*(decode|--decode|-d)/i.test(s) },
-  { id: "R010", label: "Dynamic require from URL", severity: "high", test: (s) => /require\s*\(\s*['"]https?:/i.test(s) },
-  { id: "R011", label: "child_process exec in hook", severity: "high", test: (s) => /child_process.*\.(exec|spawn|execSync|spawnSync)/i.test(s) },
-  { id: "R012", label: "Function constructor exec", severity: "high", test: (s) => /new\s+Function\s*\(/.test(s) },
-  { id: "R013", label: "setTimeout with string arg", severity: "high", test: (s) => /setTimeout\s*\(\s*['"`]/.test(s) },
-  { id: "R014", label: "Unauthorized npm publish", severity: "high", test: (s) => /npm\s+(publish|adduser|login)/.test(s) },
-  { id: "R015", label: "HOME/USERPROFILE exfiltration", severity: "medium", test: (s) => /process\.env\.(HOME|USERPROFILE|APPDATA)/i.test(s) },
-  { id: "R016", label: "PATH env manipulation", severity: "medium", test: (s) => /process\.env\.PATH\s*=/.test(s) },
-  { id: "R017", label: "Outbound HTTP in hook", severity: "medium", test: (s) => /https?\.get|axios\.|fetch\s*\(|request\s*\(/i.test(s) },
-  { id: "R018", label: "Filesystem write in hook", severity: "medium", test: (s) => /fs\.(writeFile|writeFileSync|appendFile|unlink|rmdir|rm\b)/i.test(s) },
-  { id: "R019", label: "Registry credential file read", severity: "medium", test: (s) => /\.npmrc|\.yarnrc|\.gradle|\.m2\/settings/i.test(s) },
-  { id: "R020", label: "Hex string obfuscation", severity: "high", test: (s) => /(\\x[0-9a-f]{2}){6,}/i.test(s) },
-  { id: "R021", label: "Unicode escape obfuscation", severity: "high", test: (s) => /(\\u[0-9a-f]{4}){4,}/i.test(s) },
-  { id: "R022", label: "String.fromCharCode array", severity: "high", test: (s) => /String\.fromCharCode\s*\(.{20,}\)/i.test(s) },
-  { id: "R023", label: "Excessive base64 payload", severity: "high", test: (_s, d) => d !== void 0 && d.length > 200 }
-];
-var HOOK_NAMES = ["preinstall", "install", "postinstall", "preuninstall", "postuninstall", "prepare", "prepublish", "prepack", "postpack"];
-function tryDecodeBase64(script) {
-  const match = script.match(/[A-Za-z0-9+/]{60,}={0,2}/);
-  if (!match) return void 0;
-  try {
-    return Buffer.from(match[0], "base64").toString("utf-8");
-  } catch {
-    return void 0;
-  }
-}
-function safeTruncate(script) {
-  return script.length > MAX_SCRIPT_LENGTH ? script.slice(0, MAX_SCRIPT_LENGTH) : script;
-}
-function scanPackage(pkgJsonPath) {
-  if (!fs__namespace.existsSync(pkgJsonPath)) return [];
-  try {
-    const stat = fs__namespace.statSync(pkgJsonPath);
-    if (!stat.isFile()) return [];
-    if (stat.size > MAX_PKG_JSON_SIZE) return [];
-  } catch {
-    return [];
-  }
-  let pkg;
-  try {
-    pkg = JSON.parse(fs__namespace.readFileSync(pkgJsonPath, "utf-8"));
-  } catch {
-    return [];
-  }
-  if (typeof pkg !== "object" || pkg === null) return [];
-  const scripts = pkg.scripts ?? {};
-  if (typeof scripts !== "object" || scripts === null) return [];
-  const findings = [];
-  const pkgName = typeof pkg.name === "string" ? pkg.name : path__namespace.dirname(pkgJsonPath);
-  const version = typeof pkg.version === "string" ? pkg.version : "unknown";
-  for (const hook of HOOK_NAMES) {
-    const script = scripts[hook];
-    if (!script || typeof script !== "string") continue;
-    const truncated = safeTruncate(script);
-    const decoded = tryDecodeBase64(truncated);
-    for (const rule of RULES) {
-      if (rule.test(truncated, decoded) || decoded && rule.test(decoded, void 0)) {
-        findings.push({
-          package: pkgName,
-          version,
-          script: hook,
-          ruleId: rule.id,
-          pattern: rule.label,
-          severity: rule.severity,
-          raw: script.slice(0, 300),
-          deobfuscated: decoded?.slice(0, 300)
-        });
-      }
-    }
-  }
-  return findings;
-}
-function scanNodeModules(root = process.cwd()) {
-  const resolvedRoot = path__namespace.resolve(root);
-  const nmPath = path__namespace.join(resolvedRoot, "node_modules");
-  if (!fs__namespace.existsSync(nmPath)) return [];
-  if (!nmPath.startsWith(resolvedRoot + path__namespace.sep) && nmPath !== resolvedRoot) return [];
-  const all = [];
-  function scanDir(dir, depth) {
-    if (depth > MAX_SCAN_DEPTH) return;
-    let entries;
-    try {
-      entries = fs__namespace.readdirSync(dir, { withFileTypes: true });
-    } catch {
-      return;
-    }
-    for (const e of entries) {
-      if (e.isSymbolicLink()) continue;
-      if (!e.isDirectory()) continue;
-      const full = path__namespace.join(dir, e.name);
-      const resolvedFull = path__namespace.resolve(full);
-      if (!resolvedFull.startsWith(nmPath)) continue;
-      if (e.name.startsWith("@")) {
-        scanDir(full, depth + 1);
-        continue;
-      }
-      const pkgJson = path__namespace.join(full, "package.json");
-      if (fs__namespace.existsSync(pkgJson)) all.push(...scanPackage(pkgJson));
-    }
-  }
-  scanDir(nmPath, 0);
-  return all;
-}
-function scanProject(root = process.cwd()) {
-  const resolvedRoot = path__namespace.resolve(root);
-  return [...scanPackage(path__namespace.join(resolvedRoot, "package.json")), ...scanNodeModules(resolvedRoot)];
-}
-var MAX_RESPONSE_SIZE = 1 * 1024 * 1024;
-var ALLOWED_HOSTS = /* @__PURE__ */ new Set(["api.github.com", "registry.npmjs.org"]);
-function validateHost(url) {
-  const parsed = new URL(url);
-  if (parsed.protocol !== "https:") {
-    throw new Error("Only HTTPS URLs are allowed");
-  }
-  if (!ALLOWED_HOSTS.has(parsed.hostname)) {
-    throw new Error(`Host not allowed: ${parsed.hostname}`);
-  }
-  return parsed;
-}
-function httpsGet(url, headers) {
-  return new Promise((resolve7, reject) => {
-    const u = validateHost(url);
-    const req = https__namespace.request({ hostname: u.hostname, path: u.pathname + u.search, headers, method: "GET" }, (res) => {
-      let body = "";
-      let size = 0;
-      res.on("data", (d) => {
-        size += typeof d === "string" ? d.length : d.length;
-        if (size > MAX_RESPONSE_SIZE) {
-          req.destroy();
-          reject(new Error("Response too large"));
-          return;
-        }
-        body += d;
-      });
-      res.on("end", () => resolve7({ status: res.statusCode ?? 0, body }));
-    });
-    req.on("error", (e) => reject(new Error(`Network error: ${e.message}`)));
-    req.setTimeout(8e3, () => {
-      req.destroy();
-      reject(new Error("Request timeout"));
-    });
-    req.end();
-  });
-}
-function httpsPost(url, headers, payload) {
-  return new Promise((resolve7, reject) => {
-    const u = validateHost(url);
-    const body = Buffer.from(payload);
-    if (body.length > MAX_RESPONSE_SIZE) {
-      reject(new Error("Payload too large"));
-      return;
-    }
-    const req = https__namespace.request({
-      hostname: u.hostname,
-      path: u.pathname + u.search,
-      method: "POST",
-      headers: { ...headers, "Content-Length": String(body.length) }
-    }, (res) => {
-      let b = "";
-      let size = 0;
-      res.on("data", (d) => {
-        size += typeof d === "string" ? d.length : d.length;
-        if (size > MAX_RESPONSE_SIZE) {
-          req.destroy();
-          reject(new Error("Response too large"));
-          return;
-        }
-        b += d;
-      });
-      res.on("end", () => resolve7({ status: res.statusCode ?? 0, body: b }));
-    });
-    req.on("error", (e) => reject(new Error(`Network error: ${e.message}`)));
-    req.setTimeout(1e4, () => {
-      req.destroy();
-      reject(new Error("Request timeout"));
-    });
-    req.write(body);
-    req.end();
-  });
-}
-async function inspectGitHubToken(token, name = "GITHUB_TOKEN") {
-  if (!token || typeof token !== "string" || token.length < 4) {
-    return { name, provider: "github", status: "invalid", ageDays: null, maxAgeDays: 90, message: "Token is empty or too short" };
-  }
-  try {
-    const res = await httpsGet("https://api.github.com/user", {
-      "Authorization": `Bearer ${token}`,
-      "User-Agent": "devguard/2.0",
-      "Accept": "application/vnd.github+json",
-      "X-GitHub-Api-Version": "2022-11-28"
-    });
-    if (res.status === 401) return { name, provider: "github", status: "invalid", ageDays: null, maxAgeDays: 90, message: "Token is invalid or revoked" };
-    if (res.status !== 200) return { name, provider: "github", status: "unknown", ageDays: null, maxAgeDays: 90, message: `API returned ${res.status}` };
-    return { name, provider: "github", status: "ok", ageDays: null, maxAgeDays: 90, message: "Token valid \u2014 use fine-grained PATs with expiry for age tracking" };
-  } catch (e) {
-    const msg = e instanceof Error ? e.message : "Unknown error";
-    return { name, provider: "github", status: "unknown", ageDays: null, maxAgeDays: 90, message: `Check failed: ${msg}` };
-  }
-}
-async function inspectNpmToken(token, name = "NPM_TOKEN") {
-  if (!token || typeof token !== "string" || token.length < 4) {
-    return { name, provider: "npm", status: "invalid", ageDays: null, maxAgeDays: 90, message: "Token is empty or too short" };
-  }
-  try {
-    const res = await httpsGet("https://registry.npmjs.org/-/npm/v1/tokens", { "Authorization": `Bearer ${token}`, "Accept": "application/json" });
-    if (res.status === 401) return { name, provider: "npm", status: "invalid", ageDays: null, maxAgeDays: 90, message: "Token invalid or revoked" };
-    if (res.status === 200) {
-      let data;
-      try {
-        data = JSON.parse(res.body);
-      } catch {
-        return { name, provider: "npm", status: "unknown", ageDays: null, maxAgeDays: 90, message: "Invalid JSON response from registry" };
-      }
-      const tokens = Array.isArray(data.objects) ? data.objects : [];
-      const prefix = token.slice(0, 6);
-      const found = tokens.find((t) => t.key?.startsWith(prefix) || t.token?.startsWith(prefix));
-      const extra = [found?.readonly ? "read-only" : "", found?.cidr_whitelist?.length ? "CIDR-restricted" : ""].filter(Boolean).join(", ");
-      return { name, provider: "npm", status: "ok", ageDays: null, maxAgeDays: 90, message: `Valid npm token${extra ? " (" + extra + ")" : ""}` };
-    }
-    return { name, provider: "npm", status: "unknown", ageDays: null, maxAgeDays: 90, message: `Registry returned ${res.status}` };
-  } catch (e) {
-    const msg = e instanceof Error ? e.message : "Unknown error";
-    return { name, provider: "npm", status: "unknown", ageDays: null, maxAgeDays: 90, message: `Check failed: ${msg}` };
-  }
-}
-async function createNpmToken(existingToken, opts) {
-  if (!existingToken || typeof existingToken !== "string") {
-    return { success: false, error: "Token is required" };
-  }
-  try {
-    const payload = JSON.stringify({ password: existingToken, readonly: opts?.readonly ?? false, cidr_whitelist: opts?.cidr ?? [] });
-    const res = await httpsPost("https://registry.npmjs.org/-/npm/v1/tokens", { "Authorization": `Bearer ${existingToken}`, "Content-Type": "application/json" }, payload);
-    if (res.status === 200 || res.status === 201) {
-      let parsed;
-      try {
-        parsed = JSON.parse(res.body);
-      } catch {
-        return { success: false, error: "Invalid JSON in npm response" };
-      }
-      if (typeof parsed.token !== "string") return { success: false, error: "No token in response" };
-      return { success: true, newToken: parsed.token };
-    }
-    return { success: false, error: `npm registry returned ${res.status}` };
-  } catch (e) {
-    const msg = e instanceof Error ? e.message : "Unknown error";
-    return { success: false, error: msg };
-  }
-}
-function checkTokenAge(configs) {
-  return configs.map((cfg) => {
-    const maxAgeDays = cfg.maxAgeDays ?? 90;
-    if (!cfg.createdAt) return { name: cfg.name, provider: cfg.provider, status: "unknown", ageDays: null, maxAgeDays, message: "Creation date unknown \u2014 set createdAt to enable age tracking" };
-    if (typeof cfg.createdAt !== "number" || cfg.createdAt < 0) return { name: cfg.name, provider: cfg.provider, status: "unknown", ageDays: null, maxAgeDays, message: "Invalid createdAt timestamp" };
-    const ageDays = Math.floor((Date.now() - cfg.createdAt) / 864e5);
-    if (ageDays < 0) return { name: cfg.name, provider: cfg.provider, status: "unknown", ageDays: null, maxAgeDays, message: "Token creation date is in the future" };
-    const status = ageDays >= maxAgeDays ? "stale" : ageDays >= maxAgeDays * 0.8 ? "expiring_soon" : "ok";
-    return { name: cfg.name, provider: cfg.provider, status, ageDays, maxAgeDays, message: `${ageDays}/${maxAgeDays} days old` };
-  });
-}
-function maskToken(token) {
-  if (!token || typeof token !== "string") return "\u2022\u2022\u2022\u2022\u2022\u2022\u2022\u2022";
-  if (token.length <= 8) return "\u2022\u2022\u2022\u2022\u2022\u2022\u2022\u2022";
-  return token.slice(0, 4) + "\u2022\u2022\u2022\u2022\u2022\u2022\u2022\u2022" + token.slice(-4);
-}
-function loadTokensFromEnv(names, maxAgeDays = 90) {
-  if (!Array.isArray(names)) return [];
-  return names.filter((n) => typeof n === "string" && n.length > 0 && process.env[n]).map((n) => {
-    const value = process.env[n];
-    const provider = /github|gh_/i.test(n) ? "github" : /npm/i.test(n) ? "npm" : "generic";
-    return { name: n, value, provider, maxAgeDays };
-  });
-}
-var RANGE_CHARS = /^[\^~*]|^latest$|^next$|^>=|^>/;
-var DEP_FIELDS = ["dependencies", "devDependencies", "peerDependencies", "optionalDependencies"];
-var MAX_PKG_JSON_SIZE2 = 5 * 1024 * 1024;
-var MAX_RESPONSE_SIZE2 = 2 * 1024 * 1024;
-var MAX_REDIRECTS = 3;
-function enforceExactPins(pkgJsonPath) {
-  const resolved = path__namespace.resolve(pkgJsonPath);
-  if (!fs__namespace.existsSync(resolved)) return [];
-  try {
-    const stat = fs__namespace.statSync(resolved);
-    if (!stat.isFile() || stat.size > MAX_PKG_JSON_SIZE2) return [];
-  } catch {
-    return [];
-  }
-  let pkg;
-  try {
-    pkg = JSON.parse(fs__namespace.readFileSync(resolved, "utf-8"));
-  } catch {
-    return [];
-  }
-  if (typeof pkg !== "object" || pkg === null) return [];
-  const violations = [];
-  for (const field of DEP_FIELDS) {
-    const deps = pkg[field];
-    if (!deps || typeof deps !== "object") continue;
-    for (const [name, ver] of Object.entries(deps)) {
-      if (typeof ver !== "string") continue;
-      if (RANGE_CHARS.test(ver.trim())) {
-        const suggestion = resolveExactVersion(path__namespace.dirname(resolved), name) ?? ver.replace(/^[\^~]/, "");
-        violations.push({ name, specifier: ver, field, suggestion });
-      }
-    }
-  }
-  return violations;
-}
-function resolveExactVersion(root, pkgName) {
-  const lockPath = path__namespace.join(root, "package-lock.json");
-  if (!fs__namespace.existsSync(lockPath)) return null;
-  try {
-    const stat = fs__namespace.statSync(lockPath);
-    if (stat.size > MAX_PKG_JSON_SIZE2 * 10) return null;
-    const lock = JSON.parse(fs__namespace.readFileSync(lockPath, "utf-8"));
-    const packages = lock.packages;
-    if (typeof packages !== "object" || packages === null) return null;
-    const entry = packages["node_modules/" + pkgName];
-    return typeof entry?.version === "string" ? entry.version : null;
-  } catch {
-    return null;
-  }
-}
-function extractLockfileSRI(root = process.cwd()) {
-  const resolvedRoot = path__namespace.resolve(root);
-  const lockPath = path__namespace.join(resolvedRoot, "package-lock.json");
-  if (!fs__namespace.existsSync(lockPath)) return {};
-  try {
-    const lock = JSON.parse(fs__namespace.readFileSync(lockPath, "utf-8"));
-    const packages = lock.packages;
-    if (typeof packages !== "object" || packages === null) return {};
-    const result = {};
-    for (const [key, val] of Object.entries(packages)) {
-      if (key && typeof val === "object" && val !== null && typeof val.version === "string" && typeof val.integrity === "string") {
-        const name = key.replace(/^node_modules\//, "");
-        if (name === "__proto__" || name === "constructor" || name === "prototype") continue;
-        result[name] = { version: val.version, integrity: val.integrity };
-      }
-    }
-    return result;
-  } catch {
-    return {};
-  }
-}
-function httpsGet2(url, redirectCount = 0) {
-  return new Promise((resolve7, reject) => {
-    if (redirectCount > MAX_REDIRECTS) {
-      reject(new Error("Too many redirects"));
-      return;
-    }
-    let parsed;
-    try {
-      parsed = new URL(url);
-    } catch {
-      reject(new Error("Invalid URL"));
-      return;
-    }
-    if (parsed.protocol !== "https:") {
-      reject(new Error("Only HTTPS URLs are allowed"));
-      return;
-    }
-    if (parsed.hostname !== "registry.npmjs.org") {
-      reject(new Error(`Host not allowed: ${parsed.hostname}`));
-      return;
-    }
-    const req = https__namespace.get(url, { headers: { "Accept": "application/json", "User-Agent": "devguard/2.0" } }, (res) => {
-      if ((res.statusCode === 301 || res.statusCode === 302) && res.headers.location) {
-        try {
-          const redirectUrl = new URL(res.headers.location);
-          if (redirectUrl.protocol !== "https:" || redirectUrl.hostname !== "registry.npmjs.org") {
-            reject(new Error("Redirect to disallowed host"));
-            return;
-          }
-        } catch {
-          reject(new Error("Invalid redirect URL"));
-          return;
-        }
-        httpsGet2(res.headers.location, redirectCount + 1).then(resolve7).catch(reject);
-        return;
-      }
-      let body = "";
-      let size = 0;
-      res.on("data", (d) => {
-        size += typeof d === "string" ? d.length : d.length;
-        if (size > MAX_RESPONSE_SIZE2) {
-          req.destroy();
-          reject(new Error("Response too large"));
-          return;
-        }
-        body += d;
-      });
-      res.on("end", () => resolve7(body));
-    });
-    req.on("error", (e) => reject(new Error(`Network error: ${e.message}`)));
-    req.setTimeout(8e3, () => {
-      req.destroy();
-      reject(new Error("Request timeout"));
-    });
-  });
-}
-async function fetchRegistrySRI(name, version) {
-  if (!name || !version || typeof name !== "string" || typeof version !== "string") return null;
-  try {
-    const encoded = encodeURIComponent(name).replace(/%40/g, "@").replace(/%2F/gi, "/");
-    const encodedVersion = encodeURIComponent(version);
-    const body = await httpsGet2(`https://registry.npmjs.org/${encoded}/${encodedVersion}`);
-    const parsed = JSON.parse(body);
-    const integrity = parsed?.dist?.integrity;
-    return typeof integrity === "string" ? integrity : null;
-  } catch {
-    return null;
-  }
-}
-async function verifySRI(root = process.cwd(), sampleSize = 20) {
-  const lockEntries = extractLockfileSRI(root);
-  const names = Object.keys(lockEntries).sort();
-  const toCheck = sampleSize < names.length ? names.slice(0, sampleSize) : names;
-  return Promise.all(toCheck.map(async (name) => {
-    const { version, integrity } = lockEntries[name];
-    const registryHash = await fetchRegistrySRI(name, version);
-    return { name, version, lockfileHash: integrity, registryHash, match: registryHash === null ? null : registryHash === integrity };
-  }));
-}
-function autoPin(pkgJsonPath, dryRun = false) {
-  const resolved = path__namespace.resolve(pkgJsonPath);
-  let rawContent;
-  try {
-    rawContent = fs__namespace.readFileSync(resolved, "utf-8");
-  } catch {
-    return { fixed: 0 };
-  }
-  let pkg;
-  try {
-    pkg = JSON.parse(rawContent);
-  } catch {
-    return { fixed: 0 };
-  }
-  if (typeof pkg !== "object" || pkg === null) return { fixed: 0 };
-  const root = path__namespace.dirname(resolved);
-  let fixed = 0;
-  for (const field of DEP_FIELDS) {
-    const deps = pkg[field];
-    if (!deps || typeof deps !== "object") continue;
-    for (const [name, ver] of Object.entries(deps)) {
-      if (typeof ver !== "string") continue;
-      if (RANGE_CHARS.test(ver.trim())) {
-        const exact = resolveExactVersion(root, name);
-        if (exact) {
-          deps[name] = exact;
-          fixed++;
-        }
-      }
-    }
-  }
-  const content = JSON.stringify(pkg, null, 2) + "\n";
-  if (!dryRun && fixed > 0) {
-    const tmpPath = resolved + ".tmp." + crypto6__namespace.randomBytes(4).toString("hex");
-    try {
-      fs__namespace.writeFileSync(tmpPath, content);
-      fs__namespace.renameSync(tmpPath, resolved);
-    } catch (e) {
-      try {
-        fs__namespace.unlinkSync(tmpPath);
-      } catch {
-      }
-      throw e;
-    }
-  }
-  return { fixed, content };
-}
-
-// src/dx/api-contract.ts
-var Schema = class {
-  constructor() {
-    /** @internal */
-    this._isOptional = false;
-  }
-  safeParse(val) {
-    try {
-      let result = this._parse(val === void 0 ? this._default : val, "");
-      if (this._transform) result = this._transform(result);
-      return { success: true, data: result, errors: [] };
-    } catch (e) {
-      return { success: false, errors: parseErrors(e) };
-    }
-  }
-  parse(val) {
-    const r = this.safeParse(val);
-    if (!r.success) throw new Error(r.errors.map((e) => (e.path ? `${e.path}: ` : "") + e.message).join("; "));
-    return r.data;
-  }
-  optional() {
-    return new OptionalSchema(this);
-  }
-  nullable() {
-    return new NullableSchema(this);
-  }
-  default(val) {
-    const c2 = Object.create(this);
-    c2._default = val;
-    return c2;
-  }
-  describe(desc) {
-    const c2 = Object.create(this);
-    c2._description = desc;
-    return c2;
-  }
-  transform(fn) {
-    const c2 = Object.create(this);
-    c2._transform = fn;
-    return c2;
-  }
-  toJSONSchema() {
-    return {};
-  }
-};
-function parseErrors(e) {
-  if (e instanceof ValidationException) return e.errors;
-  return [{ path: "", message: e?.message ?? "Unknown error" }];
-}
-var ValidationException = class extends Error {
-  constructor(errors) {
-    super(errors.map((e) => e.message).join("; "));
-    this.errors = errors;
-  }
-};
-function fail(path7, message) {
-  throw new ValidationException([{ path: path7, message }]);
-}
-var OptionalSchema = class extends Schema {
-  constructor(inner) {
-    super();
-    this.inner = inner;
-  }
-  _parse(val, path7) {
-    if (val === void 0 || val === null) return void 0;
-    return this.inner._parse(val, path7);
-  }
-};
-var NullableSchema = class extends Schema {
-  constructor(inner) {
-    super();
-    this.inner = inner;
-  }
-  _parse(val, path7) {
-    if (val === null || val === void 0) return null;
-    return this.inner._parse(val, path7);
-  }
-};
-var StringSchema = class extends Schema {
-  constructor() {
-    super(...arguments);
-    this._email = false;
-    this._url = false;
-    this._trim = false;
-  }
-  _parse(val, path7) {
-    if (typeof val !== "string") fail(path7, `Expected string, got ${typeof val}`);
-    let s = val;
-    if (this._trim) s = s.trim();
-    if (this._min !== void 0 && s.length < this._min) fail(path7, `Too short (min ${this._min})`);
-    if (this._max !== void 0 && s.length > this._max) fail(path7, `Too long (max ${this._max})`);
-    if (this._enum && !this._enum.includes(s)) fail(path7, `Must be one of: ${this._enum.join(", ")}`);
-    if (this._regex && !this._regex.test(s)) fail(path7, `Does not match ${this._regex}`);
-    if (this._email && !/^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(s)) fail(path7, "Invalid email address");
-    if (this._url) {
-      try {
-        new URL(s);
-      } catch {
-        fail(path7, "Invalid URL");
-      }
-    }
-    return s;
-  }
-  min(n) {
-    const c2 = Object.create(this);
-    c2._min = n;
-    return c2;
-  }
-  max(n) {
-    const c2 = Object.create(this);
-    c2._max = n;
-    return c2;
-  }
-  length(n) {
-    return this.min(n).max(n);
-  }
-  enum(vals) {
-    const c2 = Object.create(this);
-    c2._enum = vals;
-    return c2;
-  }
-  regex(r) {
-    const c2 = Object.create(this);
-    c2._regex = r;
-    return c2;
-  }
-  email() {
-    const c2 = Object.create(this);
-    c2._email = true;
-    return c2;
-  }
-  url() {
-    const c2 = Object.create(this);
-    c2._url = true;
-    return c2;
-  }
-  trim() {
-    const c2 = Object.create(this);
-    c2._trim = true;
-    return c2;
-  }
-  toJSONSchema() {
-    return { type: "string", ...this._min ? { minLength: this._min } : {}, ...this._max ? { maxLength: this._max } : {}, ...this._enum ? { enum: this._enum } : {}, ...this._email ? { format: "email" } : {}, ...this._url ? { format: "uri" } : {} };
-  }
-};
-var NumberSchema = class extends Schema {
-  constructor() {
-    super(...arguments);
-    this._int = false;
-    this._positive = false;
-  }
-  _parse(val, path7) {
-    const n = typeof val === "string" ? parseFloat(val) : val;
-    if (typeof n !== "number" || isNaN(n)) fail(path7, `Expected number, got ${typeof val}`);
-    if (this._int && !Number.isInteger(n)) fail(path7, "Expected integer");
-    if (this._positive && n <= 0) fail(path7, "Must be positive");
-    if (this._min !== void 0 && n < this._min) fail(path7, `Too small (min ${this._min})`);
-    if (this._max !== void 0 && n > this._max) fail(path7, `Too large (max ${this._max})`);
-    return n;
-  }
-  min(n) {
-    const c2 = Object.create(this);
-    c2._min = n;
-    return c2;
-  }
-  max(n) {
-    const c2 = Object.create(this);
-    c2._max = n;
-    return c2;
-  }
-  int() {
-    const c2 = Object.create(this);
-    c2._int = true;
-    return c2;
-  }
-  positive() {
-    const c2 = Object.create(this);
-    c2._positive = true;
-    return c2;
-  }
-  toJSONSchema() {
-    return { type: this._int ? "integer" : "number", ...this._min !== void 0 ? { minimum: this._min } : {}, ...this._max !== void 0 ? { maximum: this._max } : {} };
-  }
-};
-var BooleanSchema = class extends Schema {
-  _parse(val, path7) {
-    if (val === "true" || val === 1 || val === "1") return true;
-    if (val === "false" || val === 0 || val === "0") return false;
-    if (typeof val !== "boolean") fail(path7, `Expected boolean, got ${typeof val}`);
-    return val;
-  }
-  toJSONSchema() {
-    return { type: "boolean" };
-  }
-};
-var ObjectSchema = class _ObjectSchema extends Schema {
-  constructor(shape, isStrict = false) {
-    super();
-    this.shape = shape;
-    this._isStrict = isStrict;
-  }
-  _parse(val, path7) {
-    if (typeof val !== "object" || val === null || Array.isArray(val)) fail(path7, `Expected object`);
-    const obj = val;
-    const result = {};
-    const errors = [];
-    for (const [key, schema] of Object.entries(this.shape)) {
-      try {
-        result[key] = schema._parse(obj[key], path7 ? `${path7}.${key}` : key);
-      } catch (e) {
-        errors.push(...parseErrors(e));
-      }
-    }
-    if (this._isStrict) {
-      const knownKeys = new Set(Object.keys(this.shape));
-      for (const k of Object.keys(obj)) if (!knownKeys.has(k)) errors.push({ path: path7 ? `${path7}.${k}` : k, message: "Unknown field" });
-    }
-    if (errors.length) throw new ValidationException(errors);
-    return result;
-  }
-  extend(extra) {
-    return new _ObjectSchema({ ...this.shape, ...extra });
-  }
-  pick(keys) {
-    const s = {};
-    keys.forEach((k) => s[k] = this.shape[k]);
-    return new _ObjectSchema(s);
-  }
-  omit(keys) {
-    const s = { ...this.shape };
-    keys.forEach((k) => delete s[k]);
-    return new _ObjectSchema(s);
-  }
-  strict() {
-    return new _ObjectSchema(this.shape, true);
-  }
-  toJSONSchema() {
-    const props = {};
-    const required = [];
-    for (const [k, v] of Object.entries(this.shape)) {
-      props[k] = v.toJSONSchema?.() ?? {};
-      if (!(v instanceof OptionalSchema) && !(v instanceof NullableSchema)) required.push(k);
-    }
-    return { type: "object", properties: props, ...required.length ? { required } : {} };
-  }
-};
-var ArraySchema = class extends Schema {
-  constructor(item) {
-    super();
-    this.item = item;
-  }
-  _parse(val, path7) {
-    if (!Array.isArray(val)) fail(path7, `Expected array`);
-    if (this._min !== void 0 && val.length < this._min) fail(path7, `Too few items (min ${this._min})`);
-    if (this._max !== void 0 && val.length > this._max) fail(path7, `Too many items (max ${this._max})`);
-    const errors = [];
-    const result = [];
-    val.forEach((item, i) => {
-      try {
-        result.push(this.item._parse(item, `${path7}[${i}]`));
-      } catch (e) {
-        errors.push(...parseErrors(e));
-      }
-    });
-    if (errors.length) throw new ValidationException(errors);
-    return result;
-  }
-  min(n) {
-    const c2 = Object.create(this);
-    c2._min = n;
-    return c2;
-  }
-  max(n) {
-    const c2 = Object.create(this);
-    c2._max = n;
-    return c2;
-  }
-  nonempty() {
-    return this.min(1);
-  }
-  toJSONSchema() {
-    return { type: "array", items: this.item.toJSONSchema?.() ?? {} };
-  }
-};
-var RecordSchema = class extends Schema {
-  constructor(valueSchema) {
-    super();
-    this.valueSchema = valueSchema;
-  }
-  _parse(val, path7) {
-    if (typeof val !== "object" || val === null || Array.isArray(val)) fail(path7, "Expected object");
-    const result = {};
-    for (const [k, v] of Object.entries(val)) {
-      if (k === "__proto__" || k === "constructor" || k === "prototype") continue;
-      result[k] = this.valueSchema._parse(v, `${path7}.${k}`);
-    }
-    return result;
-  }
-};
-var LiteralSchema = class extends Schema {
-  constructor(literal) {
-    super();
-    this.literal = literal;
-  }
-  _parse(val, path7) {
-    if (val !== this.literal) fail(path7, `Expected ${JSON.stringify(this.literal)}, got ${JSON.stringify(val)}`);
-    return val;
-  }
-};
-var UnionSchema = class extends Schema {
-  constructor(options) {
-    super();
-    this.options = options;
-  }
-  _parse(val, path7) {
-    for (const opt of this.options) {
-      try {
-        return opt._parse(val, path7);
-      } catch {
-        continue;
-      }
-    }
-    fail(path7, `Value does not match any union variant`);
-  }
-};
-var c = {
-  string: () => new StringSchema(),
-  number: () => new NumberSchema(),
-  boolean: () => new BooleanSchema(),
-  object: (shape) => new ObjectSchema(shape),
-  array: (item) => new ArraySchema(item),
-  record: (val) => new RecordSchema(val),
-  literal: (v) => new LiteralSchema(v),
-  union: (opts) => new UnionSchema(opts),
-  any: () => new class extends Schema {
-    _parse(v) {
-      return v;
-    }
-  }()
-};
-function validateBody(schema) {
-  return function(req, res, next) {
-    const result = schema.safeParse(req.body);
-    if (!result.success) return res.status(400).json({ error: "Validation failed", details: result.errors });
-    req.body = result.data;
-    next();
-  };
-}
-function validateQuery(schema) {
-  return function(req, res, next) {
-    const result = schema.safeParse(req.query);
-    if (!result.success) return res.status(400).json({ error: "Invalid query parameters", details: result.errors });
-    req.query = result.data;
-    next();
-  };
-}
-async function typedFetch(url, schema, init) {
-  if (typeof fetch === "undefined") throw new Error("[devguard] typedFetch requires Node.js >= 18 or a global fetch polyfill. See: https://nodejs.org/en/blog/announcements/v18-release-announce");
-  const response = await fetch(url, init);
-  if (!response.ok) throw new Error(`HTTP ${response.status}: ${response.statusText}`);
-  const json = await response.json();
-  const data = schema.parse(json);
-  return { data, response };
-}
-
-// src/ai/agent-schema.ts
-function cleanLLMOutput(raw) {
-  let s = raw.trim();
-  s = s.replace(/^```(?:json|JSON)?\s*/m, "").replace(/```\s*$/m, "").trim();
-  const openBrace = s.indexOf("{");
-  const openBracket = s.indexOf("[");
-  let startIdx = -1;
-  let openChar = "", closeChar = "";
-  if (openBrace === -1 && openBracket === -1) return s;
-  if (openBrace === -1) {
-    startIdx = openBracket;
-    openChar = "[";
-    closeChar = "]";
-  } else if (openBracket === -1) {
-    startIdx = openBrace;
-    openChar = "{";
-    closeChar = "}";
-  } else if (openBrace < openBracket) {
-    startIdx = openBrace;
-    openChar = "{";
-    closeChar = "}";
-  } else {
-    startIdx = openBracket;
-    openChar = "[";
-    closeChar = "]";
-  }
-  let depth = 0, inString = false, escape = false, end = -1;
-  for (let i = startIdx; i < s.length; i++) {
-    const ch = s[i];
-    if (escape) {
-      escape = false;
-      continue;
-    }
-    if (ch === "\\" && inString) {
-      escape = true;
-      continue;
-    }
-    if (ch === '"') {
-      inString = !inString;
-      continue;
-    }
-    if (inString) continue;
-    if (ch === openChar) depth++;
-    else if (ch === closeChar) {
-      depth--;
-      if (depth === 0) {
-        end = i;
-        break;
-      }
-    }
-  }
-  return end !== -1 ? s.slice(startIdx, end + 1) : s;
-}
-function repairJSON(raw) {
-  let result = "";
-  let inString = false;
-  let escape = false;
-  for (let i = 0; i < raw.length; i++) {
-    const ch = raw[i];
-    if (escape) {
-      result += ch;
-      escape = false;
-      continue;
-    }
-    if (ch === "\\" && inString) {
-      result += ch;
-      escape = true;
-      continue;
-    }
-    if (ch === '"') {
-      inString = !inString;
-      result += ch;
-      continue;
-    }
-    if (inString) {
-      result += ch;
-      continue;
-    }
-    if (ch === ",") {
-      let j = i + 1;
-      while (j < raw.length && /\s/.test(raw[j])) j++;
-      if (j < raw.length && (raw[j] === "}" || raw[j] === "]")) {
-        continue;
-      }
-    }
-    result += ch;
-  }
-  return result;
-}
-function parseSchema(schema, raw) {
-  const cleaned = cleanLLMOutput(raw);
-  try {
-    const parsed = JSON.parse(cleaned);
-    const r = schema.safeParse(parsed);
-    if (r.success) return { success: true, data: r.data, raw: cleaned, errors: [], attempts: 1 };
-    return { success: false, raw: cleaned, errors: r.errors.map((e) => (e.path ? e.path + ": " : "") + e.message), attempts: 1 };
-  } catch {
-    const repaired = repairJSON(cleaned);
-    if (repaired !== cleaned) {
-      try {
-        const parsed = JSON.parse(repaired);
-        const r = schema.safeParse(parsed);
-        if (r.success) return { success: true, data: r.data, raw: repaired, errors: [], attempts: 2 };
-        return { success: false, raw: repaired, errors: r.errors.map((e) => (e.path ? e.path + ": " : "") + e.message), attempts: 2 };
-      } catch {
-      }
-    }
-    return { success: false, errors: ["Could not parse LLM output as JSON"], attempts: 2 };
-  }
-}
-async function parseWithRetry(schema, promptFn, maxRetries = 3) {
-  let context = "Respond with valid JSON only. No markdown fences, no explanation, just the JSON.";
-  let totalAttempts = 0;
-  for (let i = 0; i <= maxRetries; i++) {
-    const raw = await promptFn(context);
-    totalAttempts++;
-    const result = parseSchema(schema, raw);
-    if (result.success) return { ...result, attempts: totalAttempts };
-    context = `Your response failed validation: ${result.errors.join("; ")}. Fix these and respond with valid JSON only.`;
-  }
-  return { success: false, errors: [`Max retries (${maxRetries}) exceeded`], attempts: totalAttempts };
-}
-
-// src/ai/mcp-server-kit.ts
-var ERR = { PARSE: -32700, INVALID: -32600, NOT_FOUND: -32601, PARAMS: -32602, INTERNAL: -32603 };
-var MAX_MESSAGE_SIZE = 10 * 1024 * 1024;
-var MAX_NAME_LENGTH = 256;
-var HANDLER_TIMEOUT_MS = 3e4;
-function validateToolInput(args, schema) {
-  if (typeof args !== "object" || args === null || Array.isArray(args)) {
-    return "Arguments must be an object";
-  }
-  if (schema.required) {
-    for (const req of schema.required) {
-      if (!(req in args) || args[req] === void 0 || args[req] === null) {
-        return `Missing required argument: ${req}`;
-      }
-    }
-  }
-  for (const [key, val] of Object.entries(args)) {
-    if (key === "__proto__" || key === "constructor" || key === "prototype") {
-      return `Invalid argument name: ${key}`;
-    }
-    const propSchema = schema.properties[key];
-    if (propSchema) {
-      const expectedType = propSchema.type;
-      if (expectedType === "string" && typeof val !== "string") return `Argument '${key}' must be a string`;
-      if (expectedType === "number" && typeof val !== "number") return `Argument '${key}' must be a number`;
-      if (expectedType === "boolean" && typeof val !== "boolean") return `Argument '${key}' must be a boolean`;
-      if (expectedType === "integer" && (typeof val !== "number" || !Number.isInteger(val))) return `Argument '${key}' must be an integer`;
-      if (propSchema.enum && !propSchema.enum.includes(val)) return `Argument '${key}' must be one of: ${propSchema.enum.join(", ")}`;
-    }
-  }
-  return null;
-}
-var MCPServerBuilder = class {
-  constructor(name, version = "1.0.0", description = "") {
-    this.name = name;
-    this.version = version;
-    this.description = description;
-    this.tools = /* @__PURE__ */ new Map();
-    this.resources = /* @__PURE__ */ new Map();
-    this.prompts = /* @__PURE__ */ new Map();
-    this.capabilities = {};
-    this.initialized = false;
-    if (!name || typeof name !== "string") throw new Error("Server name is required");
-  }
-  addTool(tool) {
-    if (!tool.name || typeof tool.name !== "string" || tool.name.length > MAX_NAME_LENGTH) throw new Error("Tool must have a valid name");
-    if (typeof tool.handler !== "function") throw new Error("Tool must have a handler function");
-    if (!tool.inputSchema || tool.inputSchema.type !== "object") throw new Error("Tool must have a valid inputSchema with type: 'object'");
-    this.tools.set(tool.name, tool);
-    this.capabilities.tools = {};
-    return this;
-  }
-  addResource(resource) {
-    if (!resource.uri || typeof resource.uri !== "string") throw new Error("Resource must have a URI");
-    if (typeof resource.fetch !== "function") throw new Error("Resource must have a fetch function");
-    this.resources.set(resource.uri, resource);
-    this.capabilities.resources = {};
-    return this;
-  }
-  addPrompt(prompt) {
-    if (!prompt.name || typeof prompt.name !== "string") throw new Error("Prompt must have a name");
-    if (typeof prompt.handler !== "function") throw new Error("Prompt must have a handler function");
-    this.prompts.set(prompt.name, prompt);
-    this.capabilities.prompts = {};
-    return this;
-  }
-  respond(id, result) {
-    return JSON.stringify({ jsonrpc: "2.0", id, result }) + "\n";
-  }
-  error(id, code, message, data) {
-    return JSON.stringify({ jsonrpc: "2.0", id, error: { code, message, data } }) + "\n";
-  }
-  /** Run a handler with a timeout */
-  async runWithTimeout(fn, timeoutMs) {
-    return new Promise((resolve7, reject) => {
-      const timer = setTimeout(() => reject(new Error("Handler execution timeout")), timeoutMs);
-      fn().then(
-        (result) => {
-          clearTimeout(timer);
-          resolve7(result);
-        },
-        (err) => {
-          clearTimeout(timer);
-          reject(err);
-        }
-      );
-    });
-  }
-  async dispatch(req) {
-    const { id, method, params } = req;
-    if (req.jsonrpc !== "2.0") {
-      if (id !== null && id !== void 0) return this.error(id, ERR.INVALID, "Invalid JSON-RPC version \u2014 must be '2.0'");
-      return null;
-    }
-    if (typeof method !== "string" || method.length === 0) {
-      if (id !== null && id !== void 0) return this.error(id, ERR.INVALID, "Method must be a non-empty string");
-      return null;
-    }
-    if (method === "initialize") {
-      this.initialized = true;
-      return this.respond(id, {
-        protocolVersion: "2024-11-05",
-        capabilities: this.capabilities,
-        serverInfo: { name: this.name, version: this.version },
-        instructions: this.description || void 0
-      });
-    }
-    if (method === "initialized") return null;
-    if (method === "ping") return this.respond(id, {});
-    if (method === "tools/list") {
-      return this.respond(id, {
-        tools: [...this.tools.values()].map((t) => ({
-          name: t.name,
-          description: t.description,
-          inputSchema: t.inputSchema
-        }))
-      });
-    }
-    if (method === "tools/call") {
-      const toolName = params?.name;
-      if (typeof toolName !== "string") return this.error(id, ERR.PARAMS, "Tool name is required");
-      const tool = this.tools.get(toolName);
-      if (!tool) return this.error(id, ERR.NOT_FOUND, `Tool not found: ${toolName}`);
-      const args = params?.arguments ?? {};
-      const validationError = validateToolInput(args, tool.inputSchema);
-      if (validationError) return this.error(id, ERR.PARAMS, validationError);
-      try {
-        const result = await this.runWithTimeout(
-          () => tool.handler(args, { progressToken: params?._meta?.progressToken }),
-          HANDLER_TIMEOUT_MS
-        );
-        const content = typeof result === "string" ? [{ type: "text", text: result }] : [{ type: "text", text: JSON.stringify(result) }];
-        return this.respond(id, { content, isError: false });
-      } catch (e) {
-        const msg = e?.message ?? String(e);
-        return this.respond(id, { content: [{ type: "text", text: msg.slice(0, 4096) }], isError: true });
-      }
-    }
-    if (method === "resources/list") {
-      return this.respond(id, {
-        resources: [...this.resources.values()].map((r) => ({
-          uri: r.uri,
-          name: r.name,
-          description: r.description,
-          mimeType: r.mimeType
-        }))
-      });
-    }
-    if (method === "resources/read") {
-      const uri = params?.uri;
-      if (typeof uri !== "string") return this.error(id, ERR.PARAMS, "Resource URI is required");
-      const resource = this.resources.get(uri);
-      if (!resource) return this.error(id, ERR.NOT_FOUND, `Resource not found: ${uri}`);
-      try {
-        const raw = await this.runWithTimeout(() => resource.fetch(), HANDLER_TIMEOUT_MS);
-        const content = typeof raw === "string" ? { uri: resource.uri, mimeType: resource.mimeType ?? "text/plain", text: raw } : { uri: resource.uri, mimeType: raw.mimeType ?? resource.mimeType ?? "text/plain", ...raw.text ? { text: raw.text } : { blob: raw.blob } };
-        return this.respond(id, { contents: [content] });
-      } catch (e) {
-        return this.error(id, ERR.INTERNAL, `Resource fetch failed: ${(e?.message ?? "Unknown error").slice(0, 1024)}`);
-      }
-    }
-    if (method === "prompts/list") {
-      return this.respond(id, {
-        prompts: [...this.prompts.values()].map((p) => ({ name: p.name, description: p.description, arguments: p.arguments }))
-      });
-    }
-    if (method === "prompts/get") {
-      const promptName = params?.name;
-      if (typeof promptName !== "string") return this.error(id, ERR.PARAMS, "Prompt name is required");
-      const prompt = this.prompts.get(promptName);
-      if (!prompt) return this.error(id, ERR.NOT_FOUND, `Prompt not found: ${promptName}`);
-      try {
-        const messages = await this.runWithTimeout(
-          () => prompt.handler(params?.arguments ?? {}),
-          HANDLER_TIMEOUT_MS
-        );
-        return this.respond(id, { description: prompt.description, messages });
-      } catch (e) {
-        return this.error(id, ERR.INTERNAL, `Prompt handler failed: ${(e?.message ?? "Unknown error").slice(0, 1024)}`);
-      }
-    }
-    if (id !== null && id !== void 0) return this.error(id, ERR.NOT_FOUND, `Method not found: ${method}`);
-    return null;
-  }
-  startStdio() {
-    process.stdin.setEncoding("utf-8");
-    let buf = "";
-    let processing = Promise.resolve();
-    process.stdin.on("data", (chunk) => {
-      buf += chunk;
-      if (buf.length > MAX_MESSAGE_SIZE) {
-        process.stdout.write(this.error(null, ERR.PARSE, "Message too large") + "\n");
-        buf = "";
-        return;
-      }
-      const lines = buf.split("\n");
-      buf = lines.pop() ?? "";
-      for (const line of lines) {
-        const trimmed = line.trim();
-        if (!trimmed) continue;
-        processing = processing.then(async () => {
-          let req;
-          try {
-            req = JSON.parse(trimmed);
-          } catch {
-            process.stdout.write(this.error(null, ERR.PARSE, "Parse error") + "\n");
-            return;
-          }
-          if (typeof req !== "object" || req === null || Array.isArray(req)) {
-            process.stdout.write(this.error(null, ERR.INVALID, "Request must be a JSON object") + "\n");
-            return;
-          }
-          try {
-            const response = await this.dispatch(req);
-            if (response) process.stdout.write(response);
-          } catch (e) {
-            const reqId = req?.id;
-            if (reqId !== null && reqId !== void 0) {
-              process.stdout.write(this.error(reqId, ERR.INTERNAL, (e?.message ?? "Internal error").slice(0, 1024)) + "\n");
-            }
-          }
-        });
-      }
-    });
-    process.stdin.on("end", () => process.exit(0));
-    process.stderr.write(`[devguard/mcp] "${this.name}" v${this.version} started
-`);
-  }
-};
-var FileSystemAdapter = class {
-  constructor(dir = ".devguard-memory") {
-    this.keyIndex = /* @__PURE__ */ new Map();
-    this.baseDir = path__namespace.resolve(dir);
-    if (!fs__namespace.existsSync(this.baseDir)) {
-      fs__namespace.mkdirSync(this.baseDir, { recursive: true });
-    }
-  }
-  getFilePath(agentId) {
-    const safeId = crypto6__namespace.createHash("sha256").update(agentId).digest("hex");
-    return path__namespace.join(this.baseDir, `${safeId}.json`);
-  }
-  async save(agentId, entry) {
-    const file = this.getFilePath(agentId);
-    let history = [];
-    if (fs__namespace.existsSync(file)) {
-      try {
-        const raw = fs__namespace.readFileSync(file, "utf-8");
-        history = JSON.parse(raw);
-        if (!Array.isArray(history)) history = [];
-      } catch {
-        history = [];
-      }
-    }
-    history.push(entry);
-    const tmp = `${file}.tmp.${crypto6__namespace.randomBytes(4).toString("hex")}`;
-    fs__namespace.writeFileSync(tmp, JSON.stringify(history, null, 2));
-    fs__namespace.renameSync(tmp, file);
-  }
-  async getHistory(agentId, limit = 50) {
-    const file = this.getFilePath(agentId);
-    if (!fs__namespace.existsSync(file)) return [];
-    try {
-      const raw = fs__namespace.readFileSync(file, "utf-8");
-      const history = JSON.parse(raw);
-      if (!Array.isArray(history)) return [];
-      return history.slice(-limit);
-    } catch {
-      return [];
-    }
-  }
-  async clear(agentId) {
-    const file = this.getFilePath(agentId);
-    if (fs__namespace.existsSync(file)) fs__namespace.unlinkSync(file);
-  }
-};
-var RedisAdapter = class {
-  constructor(redisClient) {
-    this.client = redisClient;
-  }
-  async save(agentId, entry) {
-    const key = `devguard:mem:${agentId}`;
-    await this.client.rPush(key, JSON.stringify(entry));
-    await this.client.lTrim(key, -100, -1);
-  }
-  async getHistory(agentId, limit = 50) {
-    const key = `devguard:mem:${agentId}`;
-    const raw = await this.client.lRange(key, -limit, -1);
-    return raw.map((r) => {
-      try {
-        return JSON.parse(r);
-      } catch {
-        return null;
-      }
-    }).filter(Boolean);
-  }
-  async clear(agentId) {
-    await this.client.del(`devguard:mem:${agentId}`);
-  }
-};
-var AgentMemory = class {
-  constructor(adapter) {
-    this.adapter = adapter ?? new FileSystemAdapter();
-  }
-  async track(agentId, role, content, metadata) {
-    const entry = {
-      id: crypto6__namespace.randomUUID(),
-      role,
-      content,
-      metadata,
-      timestamp: Date.now()
-    };
-    await this.adapter.save(agentId, entry);
-    return entry;
-  }
-  async getContext(agentId, limit = 10) {
-    const history = await this.adapter.getHistory(agentId, limit);
-    return history.map((h) => `${h.role.toUpperCase()}: ${h.content}`).join("\n");
-  }
-  async clear(agentId) {
-    await this.adapter.clear(agentId);
-  }
-};
-var MAX_RECORDS = 5e3;
-var LLMBudget = class {
-  constructor(config) {
-    this.records = [];
-    this.totalCost = 0;
-    this.config = config;
-  }
-  track(usage) {
-    const record = {
-      ...usage,
-      id: crypto6__namespace.randomUUID(),
-      timestamp: Date.now()
-    };
-    this.records.push(record);
-    this.totalCost += record.costUSD;
-    if (this.records.length > MAX_RECORDS) {
-      this.records.shift();
-    }
-    if (this.totalCost >= this.config.monthlyLimitUSD) {
-      console.warn(`[devguard] LLM Budget Exceeded: $${this.totalCost.toFixed(4)} / $${this.config.monthlyLimitUSD}`);
-    } else if (this.config.warnAtUSD && this.totalCost >= this.config.warnAtUSD) {
-      console.warn(`[devguard] LLM Budget Warning: $${this.totalCost.toFixed(4)} / $${this.config.monthlyLimitUSD}`);
-    }
-    return record;
-  }
-  getSummary() {
-    return {
-      totalCost: this.totalCost,
-      recordCount: this.records.length,
-      limit: this.config.monthlyLimitUSD,
-      remaining: Math.max(0, this.config.monthlyLimitUSD - this.totalCost),
-      isExceeded: this.totalCost >= this.config.monthlyLimitUSD
-    };
-  }
-  getHistory(limit = 100) {
-    return this.records.slice(-limit);
-  }
-  reset() {
-    this.records = [];
-    this.totalCost = 0;
-  }
-};
-var MIN_SECRET_LENGTH = 16;
-var CLOCK_SKEW_TOLERANCE = 30;
-function b64urlDecode(s) {
-  const base64 = s.replace(/-/g, "+").replace(/_/g, "/");
-  const padLen = (4 - base64.length % 4) % 4;
-  const padded = base64 + "=".repeat(padLen);
-  return Buffer.from(padded, "base64");
-}
-function b64urlEncode(buf) {
-  return buf.toString("base64").replace(/\+/g, "-").replace(/\//g, "_").replace(/=/g, "");
-}
-function decodeJWT(token) {
-  if (typeof token !== "string") return null;
-  const parts = token.split(".");
-  if (parts.length !== 3) return null;
-  if (!parts[0] || !parts[1] || !parts[2]) return null;
-  try {
-    const header = JSON.parse(b64urlDecode(parts[0]).toString());
-    const payload = JSON.parse(b64urlDecode(parts[1]).toString());
-    if (typeof header !== "object" || header === null) return null;
-    if (typeof payload !== "object" || payload === null) return null;
-    return { header, payload, sig: parts[2], signingInput: `${parts[0]}.${parts[1]}` };
-  } catch {
-    return null;
-  }
-}
-function signHMAC(payload, secret, algorithm = "HS256") {
-  if (!secret || typeof secret !== "string") throw new Error("JWT secret is required");
-  if (secret.length < MIN_SECRET_LENGTH) throw new Error(`JWT secret must be at least ${MIN_SECRET_LENGTH} characters (got ${secret.length})`);
-  if (typeof payload !== "object" || payload === null) throw new Error("Payload must be a non-null object");
-  const h = b64urlEncode(Buffer.from(JSON.stringify({ alg: algorithm, typ: "JWT" })));
-  const p = b64urlEncode(Buffer.from(JSON.stringify(payload)));
-  const input = `${h}.${p}`;
-  const sig = b64urlEncode(crypto6__namespace.createHmac(algorithm === "HS512" ? "sha512" : "sha256", secret).update(input).digest());
-  return `${input}.${sig}`;
-}
-function verifyHMAC(token, secret, expectedAlg) {
-  if (!secret || typeof secret !== "string") return { valid: false, error: "Secret is required" };
-  const decoded = decodeJWT(token);
-  if (!decoded) return { valid: false, error: "Malformed JWT" };
-  const alg = decoded.header.alg;
-  if (!["HS256", "HS512"].includes(alg)) return { valid: false, error: `Unsupported algorithm: ${alg}` };
-  if (expectedAlg && alg !== expectedAlg) return { valid: false, error: `Algorithm mismatch: expected ${expectedAlg}, got ${alg}` };
-  const expected = b64urlEncode(crypto6__namespace.createHmac(alg === "HS512" ? "sha512" : "sha256", secret).update(decoded.signingInput).digest());
-  const sigBuf = Buffer.from(decoded.sig);
-  const expBuf = Buffer.from(expected);
-  if (sigBuf.length !== expBuf.length || !crypto6__namespace.timingSafeEqual(sigBuf, expBuf)) return { valid: false, error: "Invalid signature" };
-  const now = Math.floor(Date.now() / 1e3);
-  if (decoded.payload.exp && now > decoded.payload.exp + CLOCK_SKEW_TOLERANCE) return { valid: false, error: "Token expired" };
-  if (decoded.payload.nbf && now < decoded.payload.nbf - CLOCK_SKEW_TOLERANCE) return { valid: false, error: "Token not yet valid" };
-  return { valid: true, payload: decoded.payload };
-}
-var JWKS_TTL_MS = 5 * 60 * 1e3;
-var JWKS_MAX_ENTRIES = 50;
-var BoundedJWKSCache = class {
-  constructor() {
-    this.cache = /* @__PURE__ */ new Map();
-    this.pruneTimer = null;
-    this.pruneTimer = setInterval(() => this.prune(), 6e4);
-    if (this.pruneTimer.unref) this.pruneTimer.unref();
-  }
-  get(uri) {
-    const entry = this.cache.get(uri);
-    if (!entry) return null;
-    if (Date.now() - entry.fetchedAt > JWKS_TTL_MS) {
-      this.cache.delete(uri);
-      return null;
-    }
-    return entry.keys;
-  }
-  set(uri, keys) {
-    if (this.cache.size >= JWKS_MAX_ENTRIES) {
-      let oldestKey = null;
-      let oldestTime = Infinity;
-      for (const [k, v] of this.cache) {
-        if (v.fetchedAt < oldestTime) {
-          oldestTime = v.fetchedAt;
-          oldestKey = k;
-        }
-      }
-      if (oldestKey) this.cache.delete(oldestKey);
-    }
-    this.cache.set(uri, { keys, fetchedAt: Date.now() });
-  }
-  prune() {
-    const now = Date.now();
-    let pruned = 0;
-    for (const [uri, entry] of this.cache) {
-      if (now - entry.fetchedAt > JWKS_TTL_MS) {
-        this.cache.delete(uri);
-        pruned++;
-      }
-    }
-    return pruned;
-  }
-  size() {
-    return this.cache.size;
-  }
-  destroy() {
-    if (this.pruneTimer) {
-      clearInterval(this.pruneTimer);
-      this.pruneTimer = null;
-    }
-    this.cache.clear();
-  }
-};
-var jwksCache = new BoundedJWKSCache();
-var MAX_JWKS_SIZE = 512 * 1024;
-function httpsGet3(url) {
-  return new Promise((resolve7, reject) => {
-    let parsed;
-    try {
-      parsed = new URL(url);
-    } catch {
-      reject(new Error("Invalid JWKS URL"));
-      return;
-    }
-    if (parsed.protocol !== "https:") {
-      reject(new Error("JWKS URL must use HTTPS"));
-      return;
-    }
-    const req = https__namespace.get(url, { headers: { "Accept": "application/json" } }, (res) => {
-      let body = "";
-      let size = 0;
-      res.on("data", (d) => {
-        size += typeof d === "string" ? d.length : d.length;
-        if (size > MAX_JWKS_SIZE) {
-          req.destroy();
-          reject(new Error("JWKS response too large"));
-          return;
-        }
-        body += d;
-      });
-      res.on("end", () => resolve7(body));
-    });
-    req.on("error", (e) => reject(new Error(`JWKS fetch failed: ${e.message}`)));
-    req.setTimeout(5e3, () => {
-      req.destroy();
-      reject(new Error("JWKS fetch timeout"));
-    });
-  });
-}
-async function fetchJWKS(jwksUri) {
-  const cached = jwksCache.get(jwksUri);
-  if (cached) return cached;
-  const body = await httpsGet3(jwksUri);
-  let parsed;
-  try {
-    parsed = JSON.parse(body);
-  } catch {
-    throw new Error("Invalid JWKS JSON response");
-  }
-  if (!parsed || !Array.isArray(parsed.keys)) throw new Error("JWKS response missing 'keys' array");
-  const keys = parsed.keys;
-  jwksCache.set(jwksUri, keys);
-  return keys;
-}
-var jwksCacheUtils = {
-  prune: () => jwksCache.prune(),
-  size: () => jwksCache.size(),
-  destroy: () => jwksCache.destroy()
-};
-function jwkToPublicKey(jwk) {
-  if (jwk.kty !== "RSA" || !jwk.n || !jwk.e) throw new Error("Unsupported JWK type \u2014 only RSA is supported");
-  return crypto6__namespace.createPublicKey({ key: { kty: "RSA", n: jwk.n, e: jwk.e }, format: "jwk" });
-}
-async function verifyRS256(token, jwksUri) {
-  const decoded = decodeJWT(token);
-  if (!decoded) return { valid: false, error: "Malformed JWT" };
-  if (decoded.header.alg !== "RS256") return { valid: false, error: "Expected RS256" };
-  let keys;
-  try {
-    keys = await fetchJWKS(jwksUri);
-  } catch (e) {
-    return { valid: false, error: `JWKS fetch failed: ${e instanceof Error ? e.message : "Unknown error"}` };
-  }
-  const matching = decoded.header.kid ? keys.filter((k) => k.kid === decoded.header.kid) : keys;
-  if (!matching.length) return { valid: false, error: "No matching JWK found" };
-  for (const jwk of matching) {
-    try {
-      const pubKey = jwkToPublicKey(jwk);
-      const isValid = crypto6__namespace.verify("sha256", Buffer.from(decoded.signingInput), { key: pubKey, padding: crypto6__namespace.constants.RSA_PKCS1_PADDING }, b64urlDecode(decoded.sig));
-      if (isValid) {
-        const now = Math.floor(Date.now() / 1e3);
-        if (decoded.payload.exp && now > decoded.payload.exp + CLOCK_SKEW_TOLERANCE) return { valid: false, error: "Token expired" };
-        if (decoded.payload.nbf && now < decoded.payload.nbf - CLOCK_SKEW_TOLERANCE) return { valid: false, error: "Token not yet valid" };
-        return { valid: true, payload: decoded.payload };
-      }
-    } catch {
-      continue;
-    }
-  }
-  return { valid: false, error: "Signature verification failed" };
-}
-var MAX_REVOCATION_SIZE = 1e5;
-var RevocationList = class {
-  constructor() {
-    this.revoked = /* @__PURE__ */ new Map();
-  }
-  revoke(jti) {
-    if (!jti || typeof jti !== "string") return;
-    if (this.revoked.size >= MAX_REVOCATION_SIZE && !this.revoked.has(jti)) {
-      let oldestKey = null;
-      let oldestTime = Infinity;
-      for (const [k, ts] of this.revoked) {
-        if (ts < oldestTime) {
-          oldestTime = ts;
-          oldestKey = k;
-        }
-      }
-      if (oldestKey) this.revoked.delete(oldestKey);
-    }
-    this.revoked.set(jti, Date.now());
-  }
-  isRevoked(jti) {
-    return jti ? this.revoked.has(jti) : false;
-  }
-  revokedCount() {
-    return this.revoked.size;
-  }
-  prune(maxAgeMs = 30 * 24 * 60 * 60 * 1e3) {
-    const cutoff = Date.now() - maxAgeMs;
-    let pruned = 0;
-    for (const [jti, ts] of this.revoked) if (ts < cutoff) {
-      this.revoked.delete(jti);
-      pruned++;
-    }
-    return pruned;
-  }
-  exportJSON() {
-    return JSON.stringify([...this.revoked.entries()]);
-  }
-  importJSON(json) {
-    let data;
-    try {
-      data = JSON.parse(json);
-    } catch {
-      return;
-    }
-    if (!Array.isArray(data)) return;
-    for (const entry of data) {
-      if (Array.isArray(entry) && entry.length === 2 && typeof entry[0] === "string" && typeof entry[1] === "number") {
-        if (this.revoked.size >= MAX_REVOCATION_SIZE) break;
-        this.revoked.set(entry[0], entry[1]);
-      }
-    }
-  }
-};
-function detectAnomalies(payload, ctx) {
-  const warnings = [];
-  let score = 0;
-  if (!payload.iat) {
-    warnings.push("Missing iat");
-    score += 20;
-  }
-  if (!payload.jti) {
-    warnings.push("Missing jti \u2014 revocation not possible");
-    score += 15;
-  }
-  if (!payload.iss) {
-    warnings.push("Missing iss");
-    score += 10;
-  }
-  if (!payload.sub) {
-    warnings.push("Missing sub");
-    score += 10;
-  }
-  if (ctx?.expectedIss && payload.iss !== ctx.expectedIss) {
-    warnings.push(`Issuer mismatch: ${payload.iss}`);
-    score += 40;
-  }
-  if (ctx?.expectedAud) {
-    const aud = Array.isArray(payload.aud) ? payload.aud : [payload.aud];
-    if (!aud.includes(ctx.expectedAud)) {
-      warnings.push("Audience mismatch");
-      score += 40;
-    }
-  }
-  if (payload.exp && payload.iat && payload.exp - payload.iat > 86400 * 30) {
-    warnings.push(`Token lifetime > 30 days`);
-    score += 25;
-  }
-  if (payload.nbf && payload.iat && payload.nbf > payload.iat + 86400) {
-    warnings.push("nbf is more than 1 day after iat");
-    score += 10;
-  }
-  if (!payload.exp) {
-    warnings.push("Missing exp \u2014 token never expires");
-    score += 20;
-  }
-  return { score: Math.min(100, score), warnings, level: score >= 50 ? "dangerous" : score >= 20 ? "suspicious" : "safe" };
-}
-var JWTVerifier = class {
-  constructor(opts) {
-    this.opts = opts;
-    this.revocation = new RevocationList();
-  }
-  async verify(token) {
-    if (!token || typeof token !== "string") return { valid: false, error: "Token is required" };
-    let result;
-    if (this.opts.secret) result = verifyHMAC(token, this.opts.secret, this.opts.expectedAlg);
-    else if (this.opts.jwksUri) result = await verifyRS256(token, this.opts.jwksUri);
-    else return { valid: false, error: "No secret or jwksUri configured" };
-    if (!result.valid || !result.payload) return result;
-    if (this.revocation.isRevoked(result.payload.jti)) return { valid: false, error: "Token has been revoked" };
-    return { ...result, anomalies: detectAnomalies(result.payload, { expectedIss: this.opts.expectedIss, expectedAud: this.opts.expectedAud }) };
-  }
-  revoke(jti) {
-    this.revocation.revoke(jti);
-  }
-  getRevocationList() {
-    return this.revocation;
-  }
-};
-
-// src/auth/bot-fence.ts
-var BOT_UA = /bot|crawl|spider|scraper|python-?requests|axios\/|node-?fetch|undici|got\/|superagent|aiohttp|httpx|libwww|java\/|curl\/|wget\//i;
-var HEADLESS_UA = /headlesschrome|playwright|puppeteer|selenium|phantomjs|zombie|slimer|cypress/i;
-var AI_UA = /GPTBot|ChatGPT|Claude-Web|anthropic-ai|cohere-ai|meta-externalagent|Bytespider|CCBot/i;
-var KNOWN_GOOD_UA = /Mozilla\/5\.[01].+(Chrome\/[1-9]\d{2}|Firefox\/[1-9]\d{2}|Safari\/[0-9]+)/;
-var SIGNALS = [
-  { signal: "Bot user-agent", weight: 65, test: (fp) => BOT_UA.test(fp.userAgent ?? "") },
-  { signal: "Headless browser UA", weight: 80, test: (fp) => HEADLESS_UA.test(fp.userAgent ?? "") },
-  { signal: "Known AI crawler", weight: 70, test: (fp) => AI_UA.test(fp.userAgent ?? "") },
-  { signal: "Missing user-agent", weight: 45, test: (fp) => !fp.userAgent?.trim() },
-  { signal: "No Accept-Language", weight: 20, test: (fp) => !fp.acceptLanguage && !fp.headers?.["accept-language"] },
-  { signal: "No Accept-Encoding", weight: 15, test: (fp) => !fp.acceptEncoding && !fp.headers?.["accept-encoding"] },
-  { signal: "Missing Referer on form", weight: 10, test: (fp) => !fp.referer && !fp.headers?.["referer"] },
-  { signal: "Suspicious timing <80ms", weight: 30, test: (fp) => fp.timingMs !== void 0 && fp.timingMs < 80 },
-  { signal: "Zero mouse events", weight: 25, test: (fp) => fp.mouseEvents !== void 0 && fp.mouseEvents === 0 },
-  { signal: "No keyboard entropy", weight: 20, test: (fp) => fp.keystrokeIntervals !== void 0 && fp.keystrokeIntervals.length === 0 },
-  { signal: "Non-browser UA format", weight: 20, test: (fp) => !!fp.userAgent && !KNOWN_GOOD_UA.test(fp.userAgent) && !BOT_UA.test(fp.userAgent) },
-  { signal: "Duplicate headers", weight: 15, test: (fp) => fp.headers ? Object.values(fp.headers).some((v) => Array.isArray(v) && v.length > 1) : false }
-];
-function scoreRequest(fp) {
-  const results = SIGNALS.map((s) => ({ signal: s.signal, weight: s.weight, matched: s.test(fp) }));
-  const raw = results.filter((r) => r.matched).reduce((acc, r) => acc + r.weight, 0);
-  const score = Math.min(100, raw);
-  const verdict = score >= 70 ? "bot" : score >= 45 ? "suspicious" : score >= 20 ? "likely_human" : "human";
-  const recommendation = score >= 70 ? "block" : score >= 45 ? "challenge" : "allow";
-  return { score, verdict, signals: results, recommendation };
-}
-function normalizeIP(ip) {
-  if (!ip || typeof ip !== "string") return "";
-  const trimmed = ip.trim();
-  const v4mapped = trimmed.match(/^::ffff:(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})$/i);
-  if (v4mapped) return v4mapped[1];
-  return trimmed;
-}
-var MAX_TRACKED_IPS = 1e5;
-var PRUNE_INTERVAL = 100;
-var IPRateLimiter = class {
-  constructor(maxRequests = 60, windowMs = 6e4, blockDurationMs = 5 * 6e4) {
-    this.maxRequests = maxRequests;
-    this.windowMs = windowMs;
-    this.blockDurationMs = blockDurationMs;
-    this.windows = /* @__PURE__ */ new Map();
-    this.blocked = /* @__PURE__ */ new Map();
-    // ip → blockedUntil timestamp
-    this.checkCount = 0;
-  }
-  check(ip) {
-    const normalizedIp = normalizeIP(ip);
-    if (!normalizedIp) return { allowed: false, remaining: 0, retryAfterMs: this.blockDurationMs };
-    this.checkCount++;
-    if (this.checkCount % PRUNE_INTERVAL === 0) this.prune();
-    const blockedUntil = this.blocked.get(normalizedIp);
-    if (blockedUntil !== void 0) {
-      if (Date.now() < blockedUntil) {
-        return { allowed: false, remaining: 0, retryAfterMs: blockedUntil - Date.now() };
-      }
-      this.blocked.delete(normalizedIp);
-    }
-    const now = Date.now();
-    let w = this.windows.get(normalizedIp);
-    if (!w || now - w.windowStart >= this.windowMs) {
-      w = { count: 0, windowStart: now };
-      this.windows.set(normalizedIp, w);
-    }
-    w.count++;
-    if (w.count > this.maxRequests) {
-      this.blocked.set(normalizedIp, Date.now() + this.blockDurationMs);
-      return { allowed: false, remaining: 0, retryAfterMs: this.blockDurationMs };
-    }
-    return { allowed: true, remaining: this.maxRequests - w.count };
-  }
-  /** Prune stale windows and expired blocks to prevent memory growth */
-  prune() {
-    const now = Date.now();
-    const windowCutoff = now - this.windowMs * 2;
-    for (const [ip, w] of this.windows) if (w.windowStart < windowCutoff) this.windows.delete(ip);
-    for (const [ip, until] of this.blocked) if (now >= until) this.blocked.delete(ip);
-    if (this.windows.size > MAX_TRACKED_IPS) {
-      const sorted = [...this.windows.entries()].sort((a, b) => a[1].windowStart - b[1].windowStart);
-      const toRemove = sorted.slice(0, this.windows.size - MAX_TRACKED_IPS);
-      for (const [ip] of toRemove) this.windows.delete(ip);
-    }
-  }
-};
-function createMiddleware(opts = {}) {
-  const { blockThreshold = 70, challengeThreshold = 50, whitelist = [], blacklist = [] } = opts;
-  const wSet = new Set(whitelist.map(normalizeIP));
-  const bSet = new Set(blacklist.map(normalizeIP));
-  return function botFenceMiddleware(req, res, next) {
-    const rawIp = req.ip ?? req.connection?.remoteAddress ?? "";
-    const ip = normalizeIP(rawIp);
-    if (wSet.has(ip)) return next();
-    if (bSet.has(ip)) return res.status(403).json({ error: "Access denied" });
-    if (opts.rateLimiter) {
-      const rl = opts.rateLimiter.check(ip);
-      if (!rl.allowed) {
-        res.setHeader("Retry-After", Math.ceil((rl.retryAfterMs ?? 6e4) / 1e3));
-        return res.status(429).json({ error: "Too many requests" });
-      }
-    }
-    const fp = {
-      ip,
-      userAgent: req.headers["user-agent"],
-      headers: req.headers,
-      acceptLanguage: req.headers["accept-language"],
-      acceptEncoding: req.headers["accept-encoding"],
-      referer: req.headers["referer"],
-      origin: req.headers["origin"]
-    };
-    const botScore = scoreRequest(fp);
-    req.botScore = botScore;
-    if (botScore.score >= blockThreshold) {
-      opts.onBlock?.(fp, botScore);
-      return res.status(403).json({ error: "Automated request detected", verdict: botScore.verdict });
-    }
-    if (botScore.score >= challengeThreshold) {
-      res.setHeader("X-Bot-Challenge", "true");
-    }
-    next();
-  };
-}
-var MAX_CBOR_DEPTH = 20;
-var MAX_CBOR_SIZE = 1 * 1024 * 1024;
-function cborDecode(buf) {
-  if (buf.length > MAX_CBOR_SIZE) throw new Error("CBOR input too large");
-  let offset = 0;
-  function read(depth) {
-    if (depth > MAX_CBOR_DEPTH) throw new Error("CBOR nesting too deep");
-    if (offset >= buf.length) throw new Error("CBOR: unexpected end of input");
-    const b = buf[offset++];
-    const mt = b >> 5 & 7;
-    let ai = b & 31;
-    let val = ai;
-    if (ai === 24) {
-      if (offset >= buf.length) throw new Error("CBOR: unexpected end of input");
-      val = buf[offset++];
-    } else if (ai === 25) {
-      if (offset + 2 > buf.length) throw new Error("CBOR: unexpected end of input");
-      val = buf.readUInt16BE(offset);
-      offset += 2;
-    } else if (ai === 26) {
-      if (offset + 4 > buf.length) throw new Error("CBOR: unexpected end of input");
-      val = buf.readUInt32BE(offset);
-      offset += 4;
-    } else if (ai >= 28) {
-      if (ai === 31 && (mt === 2 || mt === 3)) throw new Error("CBOR: indefinite length not supported");
-      if (ai >= 28 && ai <= 30) throw new Error("CBOR: reserved additional info");
-    }
-    if (mt === 0) return val;
-    if (mt === 1) return -1 - val;
-    if (mt === 2) {
-      if (offset + val > buf.length) throw new Error("CBOR: byte string exceeds buffer");
-      const s = buf.slice(offset, offset + val);
-      offset += val;
-      return s;
-    }
-    if (mt === 3) {
-      if (offset + val > buf.length) throw new Error("CBOR: text string exceeds buffer");
-      const s = buf.slice(offset, offset + val).toString("utf8");
-      offset += val;
-      return s;
-    }
-    if (mt === 4) {
-      if (val > 1e4) throw new Error("CBOR: array too large");
-      const arr = [];
-      for (let i = 0; i < val; i++) arr.push(read(depth + 1));
-      return arr;
-    }
-    if (mt === 5) {
-      if (val > 1e4) throw new Error("CBOR: map too large");
-      const obj = {};
-      for (let i = 0; i < val; i++) {
-        const k = read(depth + 1);
-        const v = read(depth + 1);
-        if (k === "__proto__" || k === "constructor" || k === "prototype") continue;
-        obj[k] = v;
-      }
-      return obj;
-    }
-    if (mt === 7) {
-      if (ai === 20) return false;
-      if (ai === 21) return true;
-      if (ai === 22) return null;
-      if (ai === 23) return void 0;
-    }
-    return null;
-  }
-  return read(0);
-}
-var MAX_CHALLENGES = 1e4;
-var ChallengeStore = class {
-  constructor() {
-    this.challenges = /* @__PURE__ */ new Map();
-  }
-  create(ttlMs = 3e5) {
-    if (this.challenges.size >= MAX_CHALLENGES) {
-      this._prune();
-      if (this.challenges.size >= MAX_CHALLENGES) {
-        throw new Error("Challenge store capacity exceeded \u2014 too many pending challenges");
-      }
-    }
-    const challenge = crypto6__namespace.randomBytes(32).toString("base64url");
-    this.challenges.set(challenge, { challenge, expiresAt: Date.now() + ttlMs });
-    return challenge;
-  }
-  consume(challenge) {
-    if (!challenge || typeof challenge !== "string") return false;
-    const entry = this.challenges.get(challenge);
-    if (!entry) return false;
-    this.challenges.delete(challenge);
-    return Date.now() <= entry.expiresAt;
-  }
-  _prune() {
-    const now = Date.now();
-    for (const [k, v] of this.challenges) if (v.expiresAt < now) this.challenges.delete(k);
-  }
-  /** Get the number of active challenges */
-  size() {
-    return this.challenges.size;
-  }
-};
-var MAX_CREDENTIALS_PER_USER = 50;
-var CredentialStore = class {
-  constructor() {
-    this.creds = /* @__PURE__ */ new Map();
-    this.byUser = /* @__PURE__ */ new Map();
-  }
-  save(cred) {
-    const userCreds = this.byUser.get(cred.userId);
-    if (userCreds && !userCreds.has(cred.credentialId) && userCreds.size >= MAX_CREDENTIALS_PER_USER) {
-      throw new Error(`User ${cred.userId} has reached the maximum credential limit (${MAX_CREDENTIALS_PER_USER})`);
-    }
-    this.creds.set(cred.credentialId, cred);
-    if (!this.byUser.has(cred.userId)) this.byUser.set(cred.userId, /* @__PURE__ */ new Set());
-    this.byUser.get(cred.userId).add(cred.credentialId);
-  }
-  get(credentialId) {
-    return this.creds.get(credentialId);
-  }
-  getByUser(userId) {
-    const ids = this.byUser.get(userId) ?? /* @__PURE__ */ new Set();
-    return [...ids].map((id) => this.creds.get(id)).filter(Boolean);
-  }
-  update(credentialId, patch) {
-    const existing = this.creds.get(credentialId);
-    if (existing) {
-      const safeUpdate = {};
-      if (typeof patch.signCount === "number") safeUpdate.signCount = patch.signCount;
-      if (typeof patch.lastUsedAt === "number") safeUpdate.lastUsedAt = patch.lastUsedAt;
-      if (Array.isArray(patch.transports)) safeUpdate.transports = patch.transports;
-      this.creds.set(credentialId, { ...existing, ...safeUpdate });
-    }
-  }
-  delete(credentialId) {
-    const cred = this.creds.get(credentialId);
-    if (cred) {
-      this.byUser.get(cred.userId)?.delete(credentialId);
-      this.creds.delete(credentialId);
-    }
-  }
-  exportJSON() {
-    return JSON.stringify([...this.creds.values()], null, 2);
-  }
-  importJSON(json) {
-    let creds;
-    try {
-      creds = JSON.parse(json);
-    } catch {
-      return;
-    }
-    if (!Array.isArray(creds)) return;
-    for (const c2 of creds) {
-      if (c2 && typeof c2 === "object" && typeof c2.credentialId === "string" && typeof c2.publicKeyPem === "string") {
-        try {
-          this.save(c2);
-        } catch {
-        }
-      }
-    }
-  }
-};
-function generateRegistrationOptions(opts) {
-  if (!opts.rpId || !opts.rpName || !opts.userId || !opts.userName) {
-    throw new Error("rpId, rpName, userId, and userName are required");
-  }
-  const store = opts.challengeStore ?? new ChallengeStore();
-  return {
-    challenge: store.create(),
-    rp: { id: opts.rpId, name: opts.rpName },
-    user: { id: Buffer.from(opts.userId).toString("base64url"), name: opts.userName, displayName: opts.userDisplayName ?? opts.userName },
-    pubKeyCredParams: [{ type: "public-key", alg: -7 }, { type: "public-key", alg: -257 }],
-    timeout: 6e4,
-    attestation: "none",
-    authenticatorSelection: { userVerification: "preferred", residentKey: "preferred" }
-  };
-}
-function parseAuthenticatorData(buf) {
-  if (buf.length < 37) throw new Error("AuthenticatorData too short");
-  let offset = 0;
-  const rpIdHash = buf.slice(offset, offset + 32);
-  offset += 32;
-  const flags = buf[offset++];
-  const signCount = buf.readUInt32BE(offset);
-  offset += 4;
-  let aaguid;
-  let credentialId;
-  let coseKey;
-  if (flags & 64) {
-    if (offset + 18 > buf.length) throw new Error("AuthenticatorData truncated (attested credential data)");
-    aaguid = buf.slice(offset, offset + 16).toString("hex");
-    offset += 16;
-    const credIdLen = buf.readUInt16BE(offset);
-    offset += 2;
-    if (credIdLen > 1024) throw new Error("Credential ID too large");
-    if (offset + credIdLen > buf.length) throw new Error("AuthenticatorData truncated (credential ID)");
-    credentialId = buf.slice(offset, offset + credIdLen);
-    offset += credIdLen;
-    if (offset >= buf.length) throw new Error("AuthenticatorData truncated (COSE key)");
-    coseKey = cborDecode(buf.slice(offset));
-  }
-  return { rpIdHash, flags, signCount, aaguid, credentialId, coseKey };
-}
-function coseToPublicKeyPem(coseKey) {
-  if (!coseKey || typeof coseKey !== "object") throw new Error("Invalid COSE key");
-  const kty = coseKey[1];
-  coseKey[3];
-  if (kty === 2) {
-    const x = Buffer.isBuffer(coseKey[-2]) ? coseKey[-2] : Buffer.from(coseKey[-2]);
-    const y = Buffer.isBuffer(coseKey[-3]) ? coseKey[-3] : Buffer.from(coseKey[-3]);
-    if (x.length !== 32 || y.length !== 32) throw new Error("Invalid EC2 key coordinates");
-    const key = crypto6__namespace.createPublicKey({ key: { kty: "EC", crv: "P-256", x: x.toString("base64url"), y: y.toString("base64url") }, format: "jwk" });
-    return { pem: key.export({ type: "spki", format: "pem" }), alg: -7 };
-  }
-  if (kty === 3) {
-    const n = Buffer.isBuffer(coseKey[-1]) ? coseKey[-1] : Buffer.from(coseKey[-1]);
-    const e = Buffer.isBuffer(coseKey[-2]) ? coseKey[-2] : Buffer.from(coseKey[-2]);
-    if (n.length < 128) throw new Error("RSA key modulus too short");
-    const key = crypto6__namespace.createPublicKey({ key: { kty: "RSA", n: n.toString("base64url"), e: e.toString("base64url") }, format: "jwk" });
-    return { pem: key.export({ type: "spki", format: "pem" }), alg: -257 };
-  }
-  throw new Error(`Unsupported COSE key type: ${kty}`);
-}
-async function verifyRegistration(opts) {
-  try {
-    if (!opts.response || !opts.expectedChallenge || !opts.expectedOrigin || !opts.expectedRpId || !opts.userId) {
-      return { verified: false, error: "Missing required parameters" };
-    }
-    const clientDataBuf = Buffer.from(opts.response.clientDataJSON, "base64url");
-    if (clientDataBuf.length > MAX_CBOR_SIZE) return { verified: false, error: "clientDataJSON too large" };
-    const clientData = JSON.parse(clientDataBuf.toString());
-    if (clientData.type !== "webauthn.create") return { verified: false, error: "Wrong clientData type" };
-    if (clientData.challenge !== opts.expectedChallenge) return { verified: false, error: "Challenge mismatch" };
-    if (clientData.origin !== opts.expectedOrigin) return { verified: false, error: "Origin mismatch" };
-    const attObjBuf = Buffer.from(opts.response.attestationObject, "base64url");
-    if (attObjBuf.length > MAX_CBOR_SIZE) return { verified: false, error: "attestationObject too large" };
-    const attObj = cborDecode(attObjBuf);
-    const authData = parseAuthenticatorData(Buffer.isBuffer(attObj.authData) ? attObj.authData : Buffer.from(attObj.authData));
-    const expectedHash = crypto6__namespace.createHash("sha256").update(opts.expectedRpId).digest();
-    if (!expectedHash.equals(authData.rpIdHash)) return { verified: false, error: "RP ID hash mismatch" };
-    if (!(authData.flags & 1)) return { verified: false, error: "User presence not verified" };
-    if (!authData.credentialId || !authData.coseKey) return { verified: false, error: "No credential in authData" };
-    const { pem, alg } = coseToPublicKeyPem(authData.coseKey);
-    const credential = {
-      credentialId: authData.credentialId.toString("base64url"),
-      publicKeyPem: pem,
-      publicKeyAlg: alg,
-      userId: opts.userId,
-      userHandle: opts.userId,
-      signCount: authData.signCount,
-      createdAt: Date.now(),
-      lastUsedAt: Date.now(),
-      aaguid: authData.aaguid
-    };
-    return { verified: true, credential };
-  } catch (e) {
-    return { verified: false, error: e?.message ?? "Verification failed" };
-  }
-}
-function generateAuthenticationOptions(opts) {
-  if (!opts.rpId) throw new Error("rpId is required");
-  const store = opts.challengeStore ?? new ChallengeStore();
-  return {
-    challenge: store.create(),
-    rpId: opts.rpId,
-    timeout: 6e4,
-    userVerification: opts.userVerification ?? "preferred",
-    allowCredentials: opts.allowCredentialIds?.map((id) => ({ type: "public-key", id }))
-  };
-}
-async function verifyAuthentication(opts) {
-  try {
-    if (!opts.response || !opts.expectedChallenge || !opts.expectedOrigin || !opts.expectedRpId || !opts.storedCredential) {
-      return { verified: false, error: "Missing required parameters" };
-    }
-    const { response, storedCredential } = opts;
-    const clientDataBuf = Buffer.from(response.clientDataJSON, "base64url");
-    if (clientDataBuf.length > MAX_CBOR_SIZE) return { verified: false, error: "clientDataJSON too large" };
-    const clientData = JSON.parse(clientDataBuf.toString());
-    if (clientData.type !== "webauthn.get") return { verified: false, error: "Wrong clientData type" };
-    if (clientData.challenge !== opts.expectedChallenge) return { verified: false, error: "Challenge mismatch" };
-    if (clientData.origin !== opts.expectedOrigin) return { verified: false, error: "Origin mismatch" };
-    const authDataBuf = Buffer.from(response.authenticatorData, "base64url");
-    if (authDataBuf.length > MAX_CBOR_SIZE) return { verified: false, error: "authenticatorData too large" };
-    const authData = parseAuthenticatorData(authDataBuf);
-    const expectedHash = crypto6__namespace.createHash("sha256").update(opts.expectedRpId).digest();
-    if (!expectedHash.equals(authData.rpIdHash)) return { verified: false, error: "RP ID hash mismatch" };
-    if (!(authData.flags & 1)) return { verified: false, error: "User presence not verified" };
-    if (opts.requireUserVerification && !(authData.flags & 4)) {
-      return { verified: false, error: "User verification required but not performed" };
-    }
-    if (storedCredential.signCount > 0 && authData.signCount <= storedCredential.signCount) {
-      return { verified: false, error: `Sign count replay detected: got ${authData.signCount}, expected > ${storedCredential.signCount}` };
-    }
-    const clientDataHash = crypto6__namespace.createHash("sha256").update(Buffer.from(response.clientDataJSON, "base64url")).digest();
-    const signedData = Buffer.concat([authDataBuf, clientDataHash]);
-    const sigBuf = Buffer.from(response.signature, "base64url");
-    const pubKey = crypto6__namespace.createPublicKey(storedCredential.publicKeyPem);
-    const alg = storedCredential.publicKeyAlg === -7 ? "SHA256" : "RSA-SHA256";
-    const isValid = crypto6__namespace.verify(alg, signedData, pubKey, sigBuf);
-    if (!isValid) return { verified: false, error: "Signature verification failed" };
-    const updated = { ...storedCredential, signCount: authData.signCount, lastUsedAt: Date.now() };
-    return { verified: true, credential: updated };
-  } catch (e) {
-    return { verified: false, error: e?.message ?? "Authentication verification failed" };
-  }
-}
-function parseDotenv(content) {
-  const result = /* @__PURE__ */ Object.create(null);
-  if (typeof content !== "string") return result;
-  const lines = content.split(/\r?\n/);
-  for (const raw of lines) {
-    const line = raw.trim();
-    if (!line || line.startsWith("#")) continue;
-    const eqIdx = line.indexOf("=");
-    if (eqIdx === -1) continue;
-    const key = line.slice(0, eqIdx).trim();
-    let val = line.slice(eqIdx + 1).trim();
-    if (!key || key === "__proto__" || key === "constructor" || key === "prototype") continue;
-    if (!/^[a-zA-Z_][a-zA-Z0-9_.]*$/.test(key)) continue;
-    if (!val.startsWith('"') && !val.startsWith("'")) {
-      val = val.split(/\s+#/)[0].trim();
-    }
-    if (val.startsWith('"') && val.endsWith('"') || val.startsWith("'") && val.endsWith("'")) {
-      val = val.slice(1, -1).replace(/\\n/g, "\n").replace(/\\t/g, "	");
-    }
-    result[key] = val;
-  }
-  return result;
-}
-function loadDotenvFile(filePath) {
-  const resolved = path__namespace.resolve(filePath);
-  if (!fs__namespace.existsSync(resolved)) return /* @__PURE__ */ Object.create(null);
-  try {
-    const stat = fs__namespace.statSync(resolved);
-    if (!stat.isFile() || stat.size > 1 * 1024 * 1024) return /* @__PURE__ */ Object.create(null);
-    return parseDotenv(fs__namespace.readFileSync(resolved, "utf-8"));
-  } catch {
-    return /* @__PURE__ */ Object.create(null);
-  }
-}
-function coerce(key, raw, spec) {
-  const val = raw.trim();
-  if (spec.type === "string") {
-    if (spec.minLength !== void 0 && val.length < spec.minLength) throw new Error(`${key}: too short (min ${spec.minLength} chars)`);
-    if (spec.maxLength !== void 0 && val.length > spec.maxLength) throw new Error(`${key}: too long (max ${spec.maxLength} chars)`);
-    if (spec.enum && !spec.enum.includes(val)) throw new Error(`${key}: must be one of [${spec.enum.join(", ")}]`);
-    if (spec.regex && !spec.regex.test(val)) throw new Error(`${key}: does not match expected pattern`);
-    return val;
-  }
-  if (spec.type === "number" || spec.type === "integer") {
-    const n = spec.type === "integer" ? parseInt(val, 10) : parseFloat(val);
-    if (isNaN(n)) throw new Error(`${key}: expected ${spec.type}`);
-    if (!isFinite(n)) throw new Error(`${key}: value must be finite`);
-    if (spec.min !== void 0 && n < spec.min) throw new Error(`${key}: too small (min ${spec.min})`);
-    if (spec.max !== void 0 && n > spec.max) throw new Error(`${key}: too large (max ${spec.max})`);
-    return n;
-  }
-  if (spec.type === "boolean") {
-    if (["true", "1", "yes", "on"].includes(val.toLowerCase())) return true;
-    if (["false", "0", "no", "off"].includes(val.toLowerCase())) return false;
-    throw new Error(`${key}: expected boolean (true/false/1/0/yes/no)`);
-  }
-  if (spec.type === "url") {
-    try {
-      new URL(val);
-      return val;
-    } catch {
-      throw new Error(`${key}: invalid URL`);
-    }
-  }
-  if (spec.type === "email") {
-    if (!/^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(val)) throw new Error(`${key}: invalid email`);
-    return val;
-  }
-  if (spec.type === "json") {
-    try {
-      return JSON.parse(val);
-    } catch {
-      throw new Error(`${key}: invalid JSON`);
-    }
-  }
-  if (spec.type === "csv") {
-    return val.split(",").map((s) => s.trim()).filter(Boolean);
-  }
-  return val;
-}
-function parseEnv(schema, source = process.env) {
-  const errors = [];
-  const result = /* @__PURE__ */ Object.create(null);
-  for (const [key, spec] of Object.entries(schema)) {
-    if (key === "__proto__" || key === "constructor" || key === "prototype") continue;
-    const raw = source[key] ?? spec.default;
-    const isRequired = spec.required !== false && spec.default === void 0;
-    if (raw === void 0 || raw === "") {
-      if (isRequired) {
-        const hint = spec.example ? ` (example: ${spec.example})` : "";
-        const desc = spec.description ? ` \u2014 ${spec.description}` : "";
-        errors.push(`  \u2717 ${key}: required but missing${desc}${hint}`);
-      }
-      continue;
-    }
-    try {
-      result[key] = coerce(key, raw, spec);
-    } catch (e) {
-      const errorMsg = e.message ?? "validation failed";
-      if (spec.secret) {
-        errors.push(`  \u2717 ${key}: ${errorMsg}`);
-      } else {
-        errors.push(`  \u2717 ${errorMsg} (got: "${raw}")`);
-      }
-    }
-  }
-  if (errors.length > 0) {
-    const msg = `
-\u{1F6A8} env-safe: ${errors.length} environment variable error(s):
-
-${errors.join("\n")}
-
-Fix these in your .env file before starting.
-`;
-    throw new Error(msg);
-  }
-  return result;
-}
-function loadEnv(schema, opts) {
-  const { envFiles = [".env", ".env.local"], override = false } = opts ?? {};
-  const merged = /* @__PURE__ */ Object.create(null);
-  for (const file of envFiles) {
-    if (typeof file !== "string") continue;
-    const fullPath = path__namespace.resolve(process.cwd(), file);
-    const parsed = loadDotenvFile(fullPath);
-    for (const [k, v] of Object.entries(parsed)) {
-      if (k === "__proto__" || k === "constructor" || k === "prototype") continue;
-      if (override || !(k in merged)) merged[k] = v;
-    }
-  }
-  const combined = { ...merged };
-  for (const [k, v] of Object.entries(process.env)) {
-    if (k === "__proto__" || k === "constructor" || k === "prototype") continue;
-    if (override || !(k in merged)) combined[k] = v;
-  }
-  return parseEnv(schema, combined);
-}
-function generateExample(schema) {
-  const lines = ["# Generated by devguard env-safe", ""];
-  for (const [key, spec] of Object.entries(schema)) {
-    if (key === "__proto__" || key === "constructor" || key === "prototype") continue;
-    if (spec.description) lines.push(`# ${spec.description}`);
-    const hint = spec.example ?? (spec.enum ? spec.enum[0] : spec.type.toUpperCase());
-    const req = spec.required !== false && !spec.default ? " (required)" : spec.default ? ` (default: ${spec.default})` : "";
-    lines.push(`# Type: ${spec.type}${req}`);
-    lines.push(`${key}=${hint}`);
-    lines.push("");
-  }
-  return lines.join("\n");
-}
-var LEVEL_NUM = { trace: 10, debug: 20, info: 30, warn: 40, error: 50, fatal: 60 };
-var LEVEL_COLOR = { trace: "\x1B[90m", debug: "\x1B[36m", info: "\x1B[32m", warn: "\x1B[33m", error: "\x1B[31m", fatal: "\x1B[35m" };
-var RESET = "\x1B[0m";
-var PROTECTED_FIELDS = /* @__PURE__ */ new Set(["level", "levelNum", "msg", "time", "pid", "hostname"]);
-function redactValue(val) {
-  if (typeof val === "string" && val.length > 4) return val.slice(0, 2) + "****";
-  return "****";
-}
-function safeStringify(obj) {
-  const seen = /* @__PURE__ */ new WeakSet();
-  try {
-    return JSON.stringify(obj, (_key, value) => {
-      if (typeof value === "object" && value !== null) {
-        if (seen.has(value)) return "[Circular]";
-        seen.add(value);
-      }
-      if (typeof value === "bigint") return value.toString();
-      return value;
-    });
-  } catch {
-    return '"[Unserializable]"';
-  }
-}
-var OTLPExporter = class {
-  constructor(cfg) {
-    this.batch = [];
-    this._warnCount = 0;
-    this._isFlushing = false;
-    this.timer = null;
-    this.cfg = { headers: {}, batchSize: 100, flushIntervalMs: 5e3, ...cfg };
-    try {
-      new URL(this.cfg.endpoint);
-    } catch {
-      throw new Error(`Invalid OTLP endpoint URL: ${cfg.endpoint}`);
-    }
-    this.timer = setInterval(() => this.flush(), this.cfg.flushIntervalMs);
-    if (this.timer.unref) this.timer.unref();
-  }
-  push(record) {
-    this.batch.push(record);
-    if (this.batch.length >= this.cfg.batchSize) this.flush();
-  }
-  flush() {
-    if (this.batch.length === 0) return;
-    if (this._isFlushing) return;
-    this._isFlushing = true;
-    const records = this.batch.splice(0);
-    try {
-      const body = JSON.stringify({ resourceLogs: [{ resource: {}, scopeLogs: [{ logRecords: records.map((r) => ({
-        timeUnixNano: String(Date.parse(r.time) * 1e6),
-        severityNumber: r.levelNum,
-        severityText: r.level.toUpperCase(),
-        body: { stringValue: r.msg },
-        attributes: Object.entries(r).filter(([k]) => !PROTECTED_FIELDS.has(k)).map(([k, v]) => ({ key: k, value: { stringValue: String(v) } }))
-      })) }] }] });
-      const url = new URL(this.cfg.endpoint);
-      const lib = url.protocol === "https:" ? https__namespace : http__namespace;
-      const req = lib.request({
-        hostname: url.hostname,
-        port: url.port,
-        path: url.pathname,
-        method: "POST",
-        headers: { "Content-Type": "application/json", ...this.cfg.headers }
-      });
-      req.on("error", (e) => {
-        if (this._warnCount++ < 3) {
-          process.stderr.write(`[devguard/log-otlp] OTLP export failed: ${e.message} (further errors suppressed)
-`);
-        }
-      });
-      req.write(body);
-      req.end();
-    } finally {
-      this._isFlushing = false;
-    }
-  }
-  destroy() {
-    if (this.timer) clearInterval(this.timer);
-    this.timer = null;
-    this.flush();
-  }
-};
-var _hostname = os__namespace.hostname();
-var Logger = class _Logger {
-  constructor(opts, bindings = {}) {
-    this.opts = opts;
-    this.minLevel = LEVEL_NUM[opts.level ?? "info"];
-    this.redactSet = new Set(opts.redact ?? []);
-    this.exporter = opts.otlp ? new OTLPExporter(opts.otlp) : null;
-    this.dest = opts.destination ?? process.stdout;
-    this.bindings = bindings;
-  }
-  log(level, msg, data) {
-    if (LEVEL_NUM[level] < this.minLevel) return;
-    if (this.opts.output === "silent") return;
-    let traceCtx = {};
-    try {
-      traceCtx = this.opts.traceContext?.() ?? {};
-    } catch {
-    }
-    const record = {
-      level,
-      levelNum: LEVEL_NUM[level],
-      msg,
-      time: (/* @__PURE__ */ new Date()).toISOString(),
-      pid: process.pid,
-      hostname: _hostname,
-      ...this.bindings,
-      ...traceCtx,
-      ...this.opts.service ? { service: this.opts.service } : {}
-    };
-    if (data) {
-      for (const [k, v] of Object.entries(data)) {
-        if (PROTECTED_FIELDS.has(k)) continue;
-        if (k === "__proto__" || k === "constructor" || k === "prototype") continue;
-        record[k] = this.redactSet.has(k) ? redactValue(v) : v;
-      }
-    }
-    const output = this.opts.output ?? (process.env.NODE_ENV === "development" || process.stdout.isTTY ? "pretty" : "json");
-    if (output === "pretty") {
-      const color = LEVEL_COLOR[level];
-      const ts = record.time.slice(11, 23);
-      const extras = Object.entries(record).filter(([k]) => !PROTECTED_FIELDS.has(k));
-      const extraStr = extras.length ? "  " + extras.map(([k, v]) => `${k}=${safeStringify(v)}`).join(" ") : "";
-      this.dest.write(`${color}${ts} ${level.toUpperCase().padEnd(5)}${RESET} ${msg}${extraStr}
-`);
-    } else {
-      this.dest.write(safeStringify(record) + "\n");
-    }
-    this.exporter?.push(record);
-  }
-  trace(msg, data) {
-    this.log("trace", msg, data);
-  }
-  debug(msg, data) {
-    this.log("debug", msg, data);
-  }
-  info(msg, data) {
-    this.log("info", msg, data);
-  }
-  warn(msg, data) {
-    this.log("warn", msg, data);
-  }
-  error(msg, data) {
-    this.log("error", msg, data);
-  }
-  fatal(msg, data) {
-    this.log("fatal", msg, data);
-  }
-  /** Create a child logger with additional bound fields */
-  child(bindings) {
-    return new _Logger(this.opts, { ...this.bindings, ...bindings });
-  }
-  /** Attach trace context for automatic injection */
-  withTrace(ctx) {
-    return new _Logger({ ...this.opts, traceContext: () => ctx }, this.bindings);
-  }
-  /** Flush OTLP buffer before process exit */
-  flush() {
-    this.exporter?.flush();
-  }
-  destroy() {
-    this.exporter?.destroy();
-  }
-  /** Middleware: log all HTTP requests */
-  requestMiddleware() {
-    const log = this;
-    return function logRequest(req, res, next) {
-      const start = Date.now();
-      res.on("finish", () => {
-        log.info("http request", {
-          method: req.method,
-          url: req.url,
-          status: res.statusCode,
-          durationMs: Date.now() - start,
-          ip: req.ip ?? req.connection?.remoteAddress,
-          userAgent: req.headers["user-agent"]
-        });
-      });
-      next();
-    };
-  }
-};
-function createLogger(opts = {}) {
-  return new Logger(opts);
-}
-async function runAllChecks(root = process.cwd()) {
-  const resolvedRoot = path__namespace.resolve(root);
-  const [lockfile, hookFindings, unpinned] = await Promise.all([
-    Promise.resolve(verifyLockfile(resolvedRoot)),
-    Promise.resolve(scanProject(resolvedRoot)),
-    Promise.resolve(enforceExactPins(path__namespace.join(resolvedRoot, "package.json")))
-  ]);
-  const tokenNames = (process.env.DEVGUARD_TOKENS ?? "NPM_TOKEN,GITHUB_TOKEN").split(",").map((s) => s.trim()).filter(Boolean);
-  const tokenAlerts = checkTokenAge(loadTokensFromEnv(tokenNames));
-  const stale = tokenAlerts.filter((a) => a.status === "stale").map((a) => a.name);
-  const expiringSoon = tokenAlerts.filter((a) => a.status === "expiring_soon").map((a) => a.name);
-  const criticals = hookFindings.filter((h) => h.severity === "critical").length;
-  const passedAll = lockfile.valid && hookFindings.length === 0 && unpinned.length === 0 && stale.length === 0;
-  let score = 100;
-  if (!lockfile.valid) score -= 30;
-  score -= Math.min(40, criticals * 15 + (hookFindings.length - criticals) * 5);
-  score -= Math.min(15, unpinned.length * 2);
-  score -= stale.length * 10;
-  score -= expiringSoon.length * 3;
-  score = Math.max(0, score);
-  return {
-    lockfile: { valid: lockfile.valid, tampered: lockfile.tampered, missing: lockfile.missing },
-    hooks: { count: hookFindings.length, criticals, findings: hookFindings },
-    pins: { unpinned: unpinned.map((v) => v.name + "@" + v.specifier), autoFixAvailable: true },
-    tokens: { stale, expiringSoon },
-    passedAll,
-    score,
-    scannedAt: (/* @__PURE__ */ new Date()).toISOString()
-  };
-}
-
-exports.AgentMemory = AgentMemory;
-exports.ChallengeStore = ChallengeStore;
-exports.CredentialStore = CredentialStore;
-exports.FileSystemAdapter = FileSystemAdapter;
-exports.IPRateLimiter = IPRateLimiter;
-exports.JWTVerifier = JWTVerifier;
-exports.LLMBudget = LLMBudget;
-exports.Logger = Logger;
-exports.MCPServerBuilder = MCPServerBuilder;
-exports.RedisAdapter = RedisAdapter;
-exports.RevocationList = RevocationList;
-exports.autoPin = autoPin;
-exports.c = c;
-exports.checkTokenAge = checkTokenAge;
-exports.cleanLLMOutput = cleanLLMOutput;
-exports.createLogger = createLogger;
-exports.createMiddleware = createMiddleware;
-exports.createNpmToken = createNpmToken;
-exports.createSnapshot = createSnapshot;
-exports.decodeJWT = decodeJWT;
-exports.detectAnomalies = detectAnomalies;
-exports.enforceExactPins = enforceExactPins;
-exports.extractLockfileSRI = extractLockfileSRI;
-exports.extractTransitiveDeps = extractTransitiveDeps;
-exports.fetchJWKS = fetchJWKS;
-exports.fetchRegistrySRI = fetchRegistrySRI;
-exports.generateAuthenticationOptions = generateAuthenticationOptions;
-exports.generateExample = generateExample;
-exports.generateRegistrationOptions = generateRegistrationOptions;
-exports.hashFile = hashFile;
-exports.inspectGitHubToken = inspectGitHubToken;
-exports.inspectNpmToken = inspectNpmToken;
-exports.jwksCacheUtils = jwksCacheUtils;
-exports.loadDotenvFile = loadDotenvFile;
-exports.loadEnv = loadEnv;
-exports.loadTokensFromEnv = loadTokensFromEnv;
-exports.maskToken = maskToken;
-exports.parseDotenv = parseDotenv;
-exports.parseEnv = parseEnv;
-exports.parseSchema = parseSchema;
-exports.parseWithRetry = parseWithRetry;
-exports.runAllChecks = runAllChecks;
-exports.s = c;
-exports.scanNodeModules = scanNodeModules;
-exports.scanPackage = scanPackage;
-exports.scanProject = scanProject;
-exports.scoreRequest = scoreRequest;
-exports.signHMAC = signHMAC;
-exports.typedFetch = typedFetch;
-exports.validateBody = validateBody;
-exports.validateQuery = validateQuery;
-exports.verifyAuthentication = verifyAuthentication;
-exports.verifyHMAC = verifyHMAC;
-exports.verifyLockfile = verifyLockfile;
-exports.verifyRS256 = verifyRS256;
-exports.verifyRegistration = verifyRegistration;
-exports.verifySRI = verifySRI;