@digilogiclabs/platform-core 1.3.0 → 1.5.0

package/dist/index.d.mts

@@ -1,15 +1,16 @@
-import { p as ILogger, q as IMetrics, I as IPlatform, P as PlatformHealthStatus, u as MetricsSummary, e as IDatabase, k as IQueryBuilder, Q as QueryResult, l as ICache, m as IStorage, U as UploadOptions, S as StorageFile, n as IEmail, t as EmailMessage, v as EmailResult, o as IQueue, s as JobOptions, J as Job, R as RepeatOptions, w as JobState, x as JobEventType, y as JobEventHandler, z as IAI, A as AIConfig, B as AIChatRequest, D as AIChatResponse, F as AIStreamChunk, G as AIStreamCallback, H as AICompletionRequest, K as AICompletionResponse, L as AIEmbeddingRequest, O as AIEmbeddingResponse, T as AIModelConfig, V as AIModelType, W as AIProvider, X as IRAG, Y as RAGConfig, Z as CreateCollectionOptions, _ as RAGCollection, $ as RAGDocument, a0 as IngestionOptions, a1 as BulkIngestionResult, a2 as IngestionResult, a3 as DocumentStatus, a4 as RAGChunk, a5 as RAGSearchQuery, a6 as RAGSearchResponse, a7 as RAGSearchResult, a8 as ContextAssemblyConfig, a9 as AssembledContext, aa as RAGPipeline } from './ConsoleEmail-hUDFsKoA.mjs';
-export { aC as AIChatChoice, bj as AIConfigSchema, aI as AIError, aH as AIErrorCode, aw as AIErrorMessages, aD as AIFinishReason, az as AIMessage, bc as AIProviderSchema, ay as AIRole, aG as AIRouterConfig, aB as AITool, aA as AIToolCall, aE as AIUsageInfo, ag as BackoffOptions, bo as BulkheadConfigSchema, by as CacheConfig, bf as CacheConfigSchema, b6 as CacheProviderSchema, aM as ChunkingConfig, aK as ChunkingPresets, aL as ChunkingStrategy, bm as CircuitBreakerConfigSchema, C as ConsoleEmail, h as ConsoleLogger, bx as DatabaseConfig, be as DatabaseConfigSchema, b5 as DatabaseProviderSchema, a$ as EmailAddress, b0 as EmailAttachment, bA as EmailConfig, bh as EmailConfigSchema, b8 as EmailProviderSchema, E as EnvSecrets, aq as GetSecretOptions, am as HistogramStats, ab as ICacheOptions, r as ISecrets, aV as ISpan, aU as ITracing, ad as JobContext, ae as JobEvent, ac as JobResult, aj as LogEntry, ah as LogLevel, bb as LogLevelSchema, ai as LogMeta, ak as LoggerConfig, bq as LoggingConfigSchema, ax as MemoryAI, a as MemoryCache, M as MemoryDatabase, c as MemoryEmail, i as MemoryMetrics, d as MemoryQueue, aJ as MemoryRAG, f as MemorySecrets, b as MemoryStorage, aS as MemoryTracing, al as MetricTags, br as MetricsConfigSchema, bE as MiddlewareConfig, bu as MiddlewareConfigSchema, N as NoopLogger, j as NoopMetrics, aT as NoopTracing, bD as ObservabilityConfig, bt as ObservabilityConfigSchema, bw as PlatformConfig, bv as PlatformConfigSchema, bB as QueueConfig, bi as QueueConfigSchema, b9 as QueueProviderSchema, af as QueueStats, bk as RAGConfigSchema, aO as RAGFilter, aP as RAGPipelineStep, bd as RAGProviderSchema, bC as ResilienceConfig, bp as ResilienceConfigSchema, bl as RetryConfigSchema, as as RotateSecretOptions, at as RotationResult, aF as RoutingStrategy, aN as SearchMode, ao as Secret, ap as SecretMetadata, ar as SetSecretOptions, aW as SpanContext, b4 as SpanEvent, aZ as SpanKind, aX as SpanOptions, aY as SpanStatus, b3 as SpanStatusCode, bz as StorageConfig, bg as StorageConfigSchema, b7 as StorageProviderSchema, bn as TimeoutConfigSchema, an as TimingStats, a_ as TracingConfig, bs as TracingConfigSchema, ba as TracingProviderSchema, b1 as calculateBackoff, au as createAIError, g as createPlatform, aQ as createPlatformAsync, aR as createScopedMetrics, b2 as generateJobId, bI as getDefaultConfig, av as isAIError, bF as loadConfig, bH as safeValidateConfig, bG as validateConfig } from './ConsoleEmail-hUDFsKoA.mjs';
+import { p as ILogger, q as IMetrics, I as IPlatform, P as PlatformHealthStatus, u as MetricsSummary, v as ICrypto, w as EncryptOptions, x as EncryptedField, D as DeterministicEncryptedField, K as KeyRotationResult, y as CryptoKeyMetadata, e as IDatabase, k as IQueryBuilder, Q as QueryResult, l as ICache, m as IStorage, U as UploadOptions, S as StorageFile, n as IEmail, t as EmailMessage, z as EmailResult, o as IQueue, s as JobOptions, J as Job, R as RepeatOptions, A as JobState, B as JobEventType, F as JobEventHandler, G as IAI, H as AIConfig, L as AIChatRequest, O as AIChatResponse, T as AIStreamChunk, V as AIStreamCallback, W as AICompletionRequest, X as AICompletionResponse, Y as AIEmbeddingRequest, Z as AIEmbeddingResponse, _ as AIModelConfig, $ as AIModelType, a0 as AIProvider, a1 as IRAG, a2 as RAGConfig, a3 as CreateCollectionOptions, a4 as RAGCollection, a5 as RAGDocument, a6 as IngestionOptions, a7 as BulkIngestionResult, a8 as IngestionResult, a9 as DocumentStatus, aa as RAGChunk, ab as RAGSearchQuery, ac as RAGSearchResponse, ad as RAGSearchResult, ae as ContextAssemblyConfig, af as AssembledContext, ag as RAGPipeline } from './ConsoleEmail-ubSVWgTa.mjs';
+export { aI as AIChatChoice, br as AIConfigSchema, aO as AIError, aN as AIErrorCode, aC as AIErrorMessages, aJ as AIFinishReason, aF as AIMessage, bk as AIProviderSchema, aE as AIRole, aM as AIRouterConfig, aH as AITool, aG as AIToolCall, aK as AIUsageInfo, am as BackoffOptions, by as BulkheadConfigSchema, bI as CacheConfig, bn as CacheConfigSchema, be as CacheProviderSchema, aS as ChunkingConfig, aQ as ChunkingPresets, aR as ChunkingStrategy, bw as CircuitBreakerConfigSchema, C as ConsoleEmail, h as ConsoleLogger, aX as CryptoAlgorithm, bP as CryptoConfig, bt as CryptoConfigSchema, aW as CryptoKeyStatus, bH as DatabaseConfig, bm as DatabaseConfigSchema, bd as DatabaseProviderSchema, b7 as EmailAddress, b8 as EmailAttachment, bK as EmailConfig, bp as EmailConfigSchema, bg as EmailProviderSchema, E as EnvSecrets, aw as GetSecretOptions, as as HistogramStats, ah as ICacheOptions, r as ISecrets, b1 as ISpan, b0 as ITracing, aj as JobContext, ak as JobEvent, ai as JobResult, ap as LogEntry, an as LogLevel, bj as LogLevelSchema, ao as LogMeta, aq as LoggerConfig, bA as LoggingConfigSchema, aD as MemoryAI, a as MemoryCache, M as MemoryDatabase, c as MemoryEmail, i as MemoryMetrics, d as MemoryQueue, aP as MemoryRAG, f as MemorySecrets, b as MemoryStorage, a_ as MemoryTracing, ar as MetricTags, bB as MetricsConfigSchema, bO as MiddlewareConfig, bE as MiddlewareConfigSchema, N as NoopLogger, j as NoopMetrics, a$ as NoopTracing, bN as ObservabilityConfig, bD as ObservabilityConfigSchema, bG as PlatformConfig, bF as PlatformConfigSchema, bL as QueueConfig, bq as QueueConfigSchema, bh as QueueProviderSchema, al as QueueStats, bs as RAGConfigSchema, aU as RAGFilter, aV as RAGPipelineStep, bl as RAGProviderSchema, bM as ResilienceConfig, bz as ResilienceConfigSchema, bv as RetryConfigSchema, ay as RotateSecretOptions, az as RotationResult, aL as RoutingStrategy, aT as SearchMode, au as Secret, av as SecretMetadata, bQ as SecurityConfig, bu as SecurityConfigSchema, ax as SetSecretOptions, b2 as SpanContext, bc as SpanEvent, b5 as SpanKind, b3 as SpanOptions, b4 as SpanStatus, bb as SpanStatusCode, bJ as StorageConfig, bo as StorageConfigSchema, bf as StorageProviderSchema, bx as TimeoutConfigSchema, at as TimingStats, b6 as TracingConfig, bC as TracingConfigSchema, bi as TracingProviderSchema, b9 as calculateBackoff, aA as createAIError, g as createPlatform, aY as createPlatformAsync, aZ as createScopedMetrics, ba as generateJobId, bU as getDefaultConfig, aB as isAIError, bR as loadConfig, bT as safeValidateConfig, bS as validateConfig } from './ConsoleEmail-ubSVWgTa.mjs';
 export { t as IMigrationDatabase, I as IMigrator, n as Migration, o as MigrationRecord, p as MigrationResult, q as MigrationStatus, M as Migrator, r as MigratorConfig, S as SQL, f as createDomainVerificationsTable, c as createMigration, b as createSsoOidcConfigsTable, m as createSsoSessionsTable, k as createTenantInvitationsTable, j as createTenantMembersTable, l as createTenantUsageTable, i as createTenantsTable, h as createVerifiedDomainsTable, d as defineMigration, e as enterpriseMigrations, g as generateVersion, a as getEnterpriseMigrations, s as sqlMigration } from './index-CepDdu7h.mjs';
+export { NextHeaderEntry, SecurityHeaderPresets, SecurityHeadersConfig, generateSecurityHeaders } from './security-headers.mjs';
+import { z } from 'zod';
 import { SupabaseClient } from '@supabase/supabase-js';
 import { Pool } from 'pg';
 import { Redis } from '@upstash/redis';
-import { Redis as Redis$1 } from 'ioredis';
+import Redis$2, { Redis as Redis$1 } from 'ioredis';
 import { S3Client } from '@aws-sdk/client-s3';
 import { getSignedUrl } from '@aws-sdk/s3-request-presigner';
 import { Resend } from 'resend';
 import Stripe from 'stripe';
-import 'zod';
 
 /**
  * Health Check Interface
@@ -945,7 +946,7 @@ type DeliveryStatus = "pending" | "success" | "failed" | "skipped";
 /**
  * Signature algorithm
  */
-type SignatureAlgorithm = "sha256" | "sha512" | "sha1";
+type SignatureAlgorithm = "sha256" | "sha512";
 /**
  * Registered webhook endpoint
  */
@@ -9009,7 +9010,7 @@ type RateLimitAlgorithm = "fixed-window" | "sliding-window" | "token-bucket";
 /**
  * Rate limiting options
  */
-interface RateLimitOptions {
+interface RateLimitOptions$1 {
     /** Maximum requests per window */
     limit: number;
     /** Time window in milliseconds */
@@ -9033,7 +9034,7 @@ interface RateLimitOptions {
  * Rate limiting middleware
  * Prevents abuse by limiting request frequency
  */
-declare function createRateLimitMiddleware(options: RateLimitOptions): Middleware;
+declare function createRateLimitMiddleware(options: RateLimitOptions$1): Middleware;
 /**
  * Create an IP-based rate limiter key generator
  */
@@ -9045,7 +9046,7 @@ declare function createUserKeyGenerator(getUserId: (ctx: MiddlewareContext) => s
 /**
  * Sliding window rate limiter options
  */
-interface SlidingWindowRateLimitOptions extends Omit<RateLimitOptions, "algorithm"> {
+interface SlidingWindowRateLimitOptions extends Omit<RateLimitOptions$1, "algorithm"> {
     /** Number of sub-windows (more = more accurate, more memory) */
     precision?: number;
 }
@@ -9235,7 +9236,6 @@ declare const runWithContext: <T>(data: CorrelationData, fn: () => T) => T;
 declare const runWithContextAsync: <T>(data: CorrelationData, fn: () => Promise<T>) => Promise<T>;
 declare const getContext: () => CorrelationData | undefined;
 declare const getTraceId: () => string | undefined;
-declare const getCorrelationId: () => string | undefined;
 declare const getRequestId: () => string | undefined;
 declare const getUserId: () => string | undefined;
 declare const getTenantId: () => string | undefined;
@@ -10161,144 +10161,1306 @@ declare function withFallbackChain<T>(primary: () => Promise<T>, fallbacks: Arra
 /**
  * Common fallback strategies
  */
-declare const FallbackStrategies: {
-    /**
-     * Return empty array
-     */
-    emptyArray: <T>() => FallbackOptions<T[]>;
-    /**
-     * Return null
-     */
-    nullable: <T>() => FallbackOptions<T | null>;
-    /**
-     * Return default value
-     */
-    defaultValue: <T>(value: T) => FallbackOptions<T>;
+declare const FallbackStrategies: {
+    /**
+     * Return empty array
+     */
+    emptyArray: <T>() => FallbackOptions<T[]>;
+    /**
+     * Return null
+     */
+    nullable: <T>() => FallbackOptions<T | null>;
+    /**
+     * Return default value
+     */
+    defaultValue: <T>(value: T) => FallbackOptions<T>;
+    /**
+     * Return cached value from a cache function
+     */
+    fromCache: <T>(getCached: () => Promise<T | null>, defaultValue: T) => FallbackOptions<T>;
+    /**
+     * Degrade gracefully with partial data
+     */
+    degrade: <T>(getDegraded: (error: Error) => T) => FallbackOptions<T>;
+};
+
+/**
+ * Security Utilities
+ *
+ * HTML escaping, input detection, sanitization helpers,
+ * timing-safe comparison, error sanitization, and request
+ * correlation for safe, consistent security across all apps.
+ */
+/** Regex for protocol-prefixed URLs */
+declare const URL_PROTOCOL_PATTERN: RegExp;
+/** Regex for bare domain names with common TLDs */
+declare const URL_DOMAIN_PATTERN: RegExp;
+/** Regex for HTML tags */
+declare const HTML_TAG_PATTERN: RegExp;
+/**
+ * Escape HTML special characters to prevent injection.
+ * Use when inserting user content into HTML email templates or rendered HTML.
+ */
+declare function escapeHtml(str: string): string;
+/** Check if a string contains protocol-prefixed URLs or bare domains */
+declare function containsUrls(str: string): boolean;
+/** Check if a string contains HTML tags */
+declare function containsHtml(str: string): boolean;
+/** Strip all HTML tags from a string */
+declare function stripHtml(str: string): string;
+/**
+ * Defang URLs to prevent auto-linking in email clients.
+ * Converts https://evil.com → hxxps://evil[.]com
+ */
+declare function defangUrl(str: string): string;
+/**
+ * Sanitize user content for safe insertion into HTML email templates.
+ * Escapes HTML entities AND defangs any URLs that slipped through validation.
+ */
+declare function sanitizeForEmail(str: string): string;
+/**
+ * Constant-time string comparison to prevent timing side-channel attacks.
+ * Use for comparing secrets, tokens, API keys, HMAC signatures, etc.
+ *
+ * Returns false (not throws) for length mismatches — still constant-time
+ * relative to the shorter string to avoid leaking length info.
+ *
+ * @example
+ * ```typescript
+ * if (!constantTimeEqual(providedToken, expectedSecret)) {
+ *   return { status: 401, error: 'Invalid token' }
+ * }
+ * ```
+ */
+declare function constantTimeEqual(a: string, b: string): boolean;
+/**
+ * Sanitize an error for client-facing API responses.
+ *
+ * - 4xx errors: returns the actual message (client needs to know what went wrong)
+ * - 5xx errors: returns a generic message (never leak internals to clients)
+ * - Development mode: optionally includes stack trace for debugging
+ *
+ * @example
+ * ```typescript
+ * catch (error) {
+ *   const { message, code } = sanitizeApiError(error, 500)
+ *   return Response.json({ error: message, code }, { status: 500 })
+ * }
+ * ```
+ */
+declare function sanitizeApiError(error: unknown, statusCode: number, isDevelopment?: boolean): {
+    message: string;
+    code?: string;
+    stack?: string;
+};
+/**
+ * Extract a correlation/request ID from standard headers, or generate one.
+ *
+ * Checks (in order): X-Request-ID, X-Correlation-ID, then falls back to
+ * crypto.randomUUID(). Works with any headers-like object (plain object,
+ * Headers API, or a getter function).
+ *
+ * @example
+ * ```typescript
+ * // With Next.js request
+ * const id = getCorrelationId((name) => request.headers.get(name))
+ *
+ * // With plain object
+ * const id = getCorrelationId({ 'x-request-id': 'abc-123' })
+ * ```
+ */
+declare function getCorrelationId(headers: Record<string, string | string[] | undefined> | ((name: string) => string | null | undefined)): string;
+
+/**
+ * API Utilities
+ *
+ * Framework-agnostic error codes, error class, response types,
+ * and database error mapping for consistent API behavior across apps.
+ */
+/** Standard API error codes */
+declare const ApiErrorCode: {
+    readonly VALIDATION_ERROR: "VALIDATION_ERROR";
+    readonly UNAUTHORIZED: "UNAUTHORIZED";
+    readonly FORBIDDEN: "FORBIDDEN";
+    readonly NOT_FOUND: "NOT_FOUND";
+    readonly CONFLICT: "CONFLICT";
+    readonly RATE_LIMIT_EXCEEDED: "RATE_LIMIT_EXCEEDED";
+    readonly INTERNAL_ERROR: "INTERNAL_ERROR";
+    readonly DATABASE_ERROR: "DATABASE_ERROR";
+    readonly EXTERNAL_SERVICE_ERROR: "EXTERNAL_SERVICE_ERROR";
+    readonly CONFIGURATION_ERROR: "CONFIGURATION_ERROR";
+};
+type ApiErrorCodeType = (typeof ApiErrorCode)[keyof typeof ApiErrorCode];
+/** Custom API Error class with status code and error code */
+declare class ApiError extends Error {
+    readonly statusCode: number;
+    readonly code: ApiErrorCodeType;
+    readonly details?: unknown;
+    constructor(statusCode: number, message: string, code?: ApiErrorCodeType, details?: unknown);
+}
+/** Type guard for ApiError */
+declare function isApiError(error: unknown): error is ApiError;
+/** Pre-built error factories */
+declare const CommonApiErrors: {
+    unauthorized: (msg?: string) => ApiError;
+    forbidden: (msg?: string) => ApiError;
+    notFound: (resource?: string) => ApiError;
+    conflict: (msg?: string) => ApiError;
+    rateLimitExceeded: (msg?: string) => ApiError;
+    validationError: (details?: unknown) => ApiError;
+    internalError: (msg?: string) => ApiError;
+};
+/** PostgreSQL error code → HTTP status mapping */
+declare const PG_ERROR_MAP: Record<string, {
+    status: number;
+    code: ApiErrorCodeType;
+    message: string;
+}>;
+/**
+ * Classify any error into a standardized shape.
+ * Framework-agnostic — returns a plain object, not an HTTP response.
+ */
+declare function classifyError(error: unknown, isDev?: boolean): {
+    status: number;
+    body: {
+        error: string;
+        code: string;
+        details?: unknown;
+    };
+};
+/** Standard success response shape */
+interface ApiSuccessResponse<T = unknown> {
+    success: true;
+    data: T;
+    message?: string;
+    timestamp?: string;
+}
+/** Standard paginated response shape */
+interface ApiPaginatedResponse<T = unknown> extends ApiSuccessResponse<T[]> {
+    pagination: {
+        page: number;
+        limit: number;
+        total: number;
+        totalPages: number;
+        hasMore: boolean;
+    };
+}
+/** Build a pagination metadata object */
+declare function buildPagination(page: number, limit: number, total: number): {
+    page: number;
+    limit: number;
+    total: number;
+    totalPages: number;
+    hasMore: boolean;
+};
+
+/**
+ * Keycloak Authentication Utilities
+ *
+ * Framework-agnostic helpers for working with Keycloak OIDC tokens.
+ * Used by Next.js apps (Auth.js middleware + API routes) and .NET services
+ * share the same role model — these helpers ensure consistent behavior.
+ *
+ * Edge-runtime compatible: uses atob() for JWT decoding, not Buffer.
+ */
+/**
+ * Keycloak provider configuration for Auth.js / NextAuth.
+ * Everything needed to configure the Keycloak OIDC provider.
+ */
+interface KeycloakConfig {
+    /** Keycloak issuer URL (e.g. https://auth.example.com/realms/my-realm) */
+    issuer: string;
+    /** OAuth client ID registered in Keycloak */
+    clientId: string;
+    /** OAuth client secret */
+    clientSecret: string;
+}
+/**
+ * Token set returned by Keycloak after authentication or refresh.
+ */
+interface KeycloakTokenSet {
+    accessToken: string;
+    refreshToken?: string;
+    idToken?: string;
+    /** Expiry as epoch milliseconds */
+    expiresAt: number;
+    /** Parsed realm roles (filtered, no Keycloak defaults) */
+    roles: string[];
+}
+/**
+ * Result of a token refresh attempt.
+ */
+type TokenRefreshResult = {
+    ok: true;
+    tokens: KeycloakTokenSet;
+} | {
+    ok: false;
+    error: string;
+};
+/**
+ * Default Keycloak roles that should be filtered out when checking
+ * application-level roles. These are always present and not meaningful
+ * for authorization decisions.
+ */
+declare const KEYCLOAK_DEFAULT_ROLES: readonly ["offline_access", "uma_authorization"];
+/**
+ * Parse realm roles from a Keycloak JWT access token.
+ *
+ * Supports two token formats:
+ * - `realm_roles` (flat array) — Custom client mapper configuration
+ * - `realm_access.roles` (nested) — Keycloak default format
+ *
+ * Uses atob() for Edge runtime compatibility (not Buffer.from).
+ * Filters out Keycloak default roles automatically.
+ *
+ * @param accessToken - Raw JWT string from Keycloak
+ * @param additionalDefaultRoles - Extra role names to filter (e.g. realm-specific defaults)
+ * @returns Array of meaningful role names
+ *
+ * @example
+ * ```typescript
+ * const roles = parseKeycloakRoles(account.access_token)
+ * // ['admin', 'editor']
+ *
+ * // With realm-specific defaults
+ * const roles = parseKeycloakRoles(token, ['default-roles-my-realm'])
+ * ```
+ */
+declare function parseKeycloakRoles(accessToken: string | undefined | null, additionalDefaultRoles?: string[]): string[];
+/**
+ * Check if a user has a specific role.
+ *
+ * @example
+ * ```typescript
+ * if (hasRole(session.user.roles, 'admin')) {
+ *   // grant access
+ * }
+ * ```
+ */
+declare function hasRole(roles: string[] | undefined | null, role: string): boolean;
+/**
+ * Check if a user has ANY of the specified roles (OR logic).
+ *
+ * @example
+ * ```typescript
+ * if (hasAnyRole(session.user.roles, ['admin', 'editor'])) {
+ *   // grant access
+ * }
+ * ```
+ */
+declare function hasAnyRole(roles: string[] | undefined | null, requiredRoles: string[]): boolean;
+/**
+ * Check if a user has ALL of the specified roles (AND logic).
+ *
+ * @example
+ * ```typescript
+ * if (hasAllRoles(session.user.roles, ['admin', 'billing'])) {
+ *   // grant access to billing admin
+ * }
+ * ```
+ */
+declare function hasAllRoles(roles: string[] | undefined | null, requiredRoles: string[]): boolean;
+/**
+ * Check if a token needs refreshing.
+ *
+ * @param expiresAt - Token expiry as epoch milliseconds
+ * @param bufferMs - Refresh this many ms before actual expiry (default: 60s)
+ * @returns true if the token should be refreshed
+ */
+declare function isTokenExpired(expiresAt: number | undefined | null, bufferMs?: number): boolean;
+/**
+ * Build the URLSearchParams for a Keycloak token refresh request.
+ *
+ * This is the body for POST to `{issuer}/protocol/openid-connect/token`.
+ * Framework-agnostic — use with fetch(), axios, or any HTTP client.
+ *
+ * @example
+ * ```typescript
+ * const params = buildTokenRefreshParams(config, refreshToken)
+ * const response = await fetch(`${config.issuer}/protocol/openid-connect/token`, {
+ *   method: 'POST',
+ *   headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
+ *   body: params,
+ * })
+ * ```
+ */
+declare function buildTokenRefreshParams(config: KeycloakConfig, refreshToken: string): URLSearchParams;
+/**
+ * Get the Keycloak token endpoint URL for a given issuer.
+ */
+declare function getTokenEndpoint(issuer: string): string;
+/**
+ * Get the Keycloak end session (logout) endpoint URL.
+ */
+declare function getEndSessionEndpoint(issuer: string): string;
+/**
+ * Perform a token refresh against Keycloak and parse the result.
+ *
+ * Returns a discriminated union — check `result.ok` before accessing tokens.
+ * Automatically parses roles from the new access token.
+ *
+ * @example
+ * ```typescript
+ * const result = await refreshKeycloakToken(config, currentRefreshToken)
+ * if (result.ok) {
+ *   token.accessToken = result.tokens.accessToken
+ *   token.roles = result.tokens.roles
+ * } else {
+ *   // Force re-login
+ *   token.error = 'RefreshTokenError'
+ * }
+ * ```
+ */
+declare function refreshKeycloakToken(config: KeycloakConfig, refreshToken: string, additionalDefaultRoles?: string[]): Promise<TokenRefreshResult>;
+
+/**
+ * Next.js Auth.js + Keycloak Configuration Builder
+ *
+ * Generates Auth.js callbacks for Keycloak OIDC integration.
+ * Handles JWT token storage, role parsing, token refresh, and session mapping.
+ *
+ * Edge-runtime compatible: uses only atob() and fetch(), no Node.js-only APIs.
+ *
+ * @example
+ * ```typescript
+ * // auth.config.ts (Edge-compatible)
+ * import { buildKeycloakCallbacks } from '@digilogiclabs/platform-core'
+ * import Keycloak from 'next-auth/providers/keycloak'
+ *
+ * const callbacks = buildKeycloakCallbacks({
+ *   issuer: process.env.AUTH_KEYCLOAK_ISSUER!,
+ *   clientId: process.env.AUTH_KEYCLOAK_ID!,
+ *   clientSecret: process.env.AUTH_KEYCLOAK_SECRET!,
+ *   defaultRoles: ['default-roles-my-realm'],
+ * })
+ *
+ * export const authConfig = {
+ *   providers: [Keycloak({ ... })],
+ *   session: { strategy: 'jwt' },
+ *   callbacks,
+ * }
+ * ```
+ */
+interface KeycloakCallbacksConfig {
+    /** Keycloak issuer URL */
+    issuer: string;
+    /** OAuth client ID */
+    clientId: string;
+    /** OAuth client secret */
+    clientSecret: string;
+    /** Realm-specific default roles to filter (e.g. ['default-roles-my-realm']) */
+    defaultRoles?: string[];
+    /** Enable debug logging (default: NODE_ENV === 'development') */
+    debug?: boolean;
+}
+/**
+ * Extended JWT token shape used by the Keycloak callbacks.
+ * These fields are added to the Auth.js JWT token during sign-in and refresh.
+ */
+interface KeycloakJwtFields {
+    id?: string;
+    accessToken?: string;
+    refreshToken?: string;
+    idToken?: string;
+    accessTokenExpires?: number;
+    roles?: string[];
+    error?: string;
+}
+interface AuthCookiesConfig {
+    /** Production cookie domain (e.g. '.digilogiclabs.com'). Omit for default domain. */
+    domain?: string;
+    /** Include session token cookie config (default: true) */
+    sessionToken?: boolean;
+    /** Include callback URL cookie config (default: true) */
+    callbackUrl?: boolean;
+}
+/**
+ * Build Auth.js cookie configuration for cross-domain OIDC.
+ *
+ * Handles the common pattern of configuring cookies to work across
+ * www and non-www domains (e.g. digilogiclabs.com and www.digilogiclabs.com).
+ *
+ * PKCE and state cookies are always included for OAuth security.
+ * Session token and callback URL cookies are included by default.
+ *
+ * @example
+ * ```typescript
+ * import { buildAuthCookies } from '@digilogiclabs/platform-core'
+ *
+ * export const authConfig = {
+ *   cookies: buildAuthCookies({ domain: '.digilogiclabs.com' }),
+ *   // ...
+ * }
+ * ```
+ */
+declare function buildAuthCookies(config?: AuthCookiesConfig): Record<string, {
+    name: string;
+    options: {
+        httpOnly: boolean;
+        sameSite: "lax";
+        path: string;
+        secure: boolean;
+        domain: string | undefined;
+    };
+}>;
+interface RedirectCallbackConfig {
+    /** Allow www variant redirects (e.g. www.example.com ↔ example.com) */
+    allowWwwVariant?: boolean;
+}
+/**
+ * Build a standard Auth.js redirect callback.
+ *
+ * Handles common redirect patterns:
+ * - Relative URLs → prefixed with baseUrl
+ * - Same-origin URLs → allowed
+ * - www variant URLs → optionally allowed
+ * - Everything else → baseUrl
+ *
+ * @example
+ * ```typescript
+ * import { buildRedirectCallback } from '@digilogiclabs/platform-core'
+ *
+ * export const authConfig = {
+ *   callbacks: {
+ *     redirect: buildRedirectCallback({ allowWwwVariant: true }),
+ *   },
+ * }
+ * ```
+ */
+declare function buildRedirectCallback(config?: RedirectCallbackConfig): ({ url, baseUrl }: {
+    url: string;
+    baseUrl: string;
+}) => Promise<string>;
+/**
+ * Build Auth.js JWT and session callbacks for Keycloak.
+ *
+ * Returns an object with `jwt` and `session` callbacks that handle:
+ * - Storing Keycloak tokens on initial sign-in
+ * - Parsing realm roles from the access token
+ * - Automatic token refresh when expired
+ * - Mapping tokens/roles to the session object
+ *
+ * The callbacks are Edge-runtime compatible.
+ */
+declare function buildKeycloakCallbacks(config: KeycloakCallbacksConfig): {
+    /**
+     * JWT callback — stores Keycloak tokens and handles refresh.
+     *
+     * Compatible with Auth.js v5 JWT callback signature.
+     */
+    jwt({ token, user, account, }: {
+        token: Record<string, unknown>;
+        user?: Record<string, unknown>;
+        account?: Record<string, unknown> | null;
+    }): Promise<Record<string, unknown>>;
+    /**
+     * Session callback — maps JWT fields to the session object.
+     *
+     * Compatible with Auth.js v5 session callback signature.
+     */
+    session({ session, token, }: {
+        session: Record<string, unknown>;
+        token: Record<string, unknown>;
+    }): Promise<Record<string, unknown>>;
+};
+
+/**
+ * API Security Types & Helpers
+ *
+ * Framework-agnostic types and utilities for building composable
+ * API security wrappers. These define the shared contract that
+ * framework-specific implementations (Next.js, Express, .NET) follow.
+ *
+ * The actual wrappers (withPublicApi, withAdminApi, etc.) live in each
+ * app because they depend on framework-specific request/response types.
+ * This module provides the shared types and logic they all use.
+ */
+/**
+ * How a request was authenticated.
+ * Used by audit logging and authorization decisions.
+ */
+type AuthMethod = "session" | "bearer_token" | "api_key" | "webhook_signature" | "cron_secret" | "none";
+/**
+ * Audit configuration for a secured route.
+ * Tells the security wrapper what to log.
+ */
+interface RouteAuditConfig {
+    /** The action being performed (e.g. 'game.server.create') */
+    action: string;
+    /** The resource type being acted on (e.g. 'game_server') */
+    resourceType: string;
+}
+/**
+ * Rate limit preset configuration.
+ * Matches the structure used by all apps.
+ */
+interface RateLimitPreset {
+    /** Maximum requests allowed in the window */
+    limit: number;
+    /** Window duration in seconds */
+    windowSeconds: number;
+    /** Higher limit for authenticated users */
+    authenticatedLimit?: number;
+    /** Block duration when limit exceeded (seconds) */
+    blockDurationSeconds?: number;
+}
+/**
+ * Standard rate limit presets shared across all apps.
+ *
+ * Apps can extend with their own domain-specific presets:
+ * ```typescript
+ * const APP_RATE_LIMITS = {
+ *   ...StandardRateLimitPresets,
+ *   gameServerCreate: { limit: 5, windowSeconds: 3600, blockDurationSeconds: 3600 },
+ * }
+ * ```
+ */
+declare const StandardRateLimitPresets: {
+    /** General API: 100/min, 200/min authenticated */
+    readonly apiGeneral: {
+        readonly limit: 100;
+        readonly windowSeconds: 60;
+        readonly authenticatedLimit: 200;
+    };
+    /** Admin operations: 100/min (admins are trusted) */
+    readonly adminAction: {
+        readonly limit: 100;
+        readonly windowSeconds: 60;
+    };
+    /** AI/expensive operations: 20/hour, 50/hour authenticated */
+    readonly aiRequest: {
+        readonly limit: 20;
+        readonly windowSeconds: 3600;
+        readonly authenticatedLimit: 50;
+    };
+    /** Auth attempts: 5/15min with 15min block */
+    readonly authAttempt: {
+        readonly limit: 5;
+        readonly windowSeconds: 900;
+        readonly blockDurationSeconds: 900;
+    };
+    /** Contact/public forms: 10/hour */
+    readonly publicForm: {
+        readonly limit: 10;
+        readonly windowSeconds: 3600;
+        readonly blockDurationSeconds: 1800;
+    };
+    /** Checkout/billing: 10/hour with 1hr block */
+    readonly checkout: {
+        readonly limit: 10;
+        readonly windowSeconds: 3600;
+        readonly blockDurationSeconds: 3600;
+    };
+};
+/**
+ * Configuration for a secured API handler.
+ *
+ * This is the framework-agnostic config shape. Each framework's
+ * wrapper (withPublicApi, withAdminApi, etc.) maps to this structure.
+ */
+interface ApiSecurityConfig {
+    /** Whether authentication is required */
+    requireAuth: boolean;
+    /** Whether admin role is required */
+    requireAdmin: boolean;
+    /** Required roles (user must have at least one) */
+    requireRoles?: string[];
+    /** Allow legacy bearer token as alternative to session auth */
+    allowBearerToken?: boolean;
+    /** Rate limit preset name or custom config */
+    rateLimit?: string | RateLimitPreset;
+    /** Audit logging config */
+    audit?: RouteAuditConfig;
+    /** Human-readable operation name for logging */
+    operation?: string;
+    /** Skip rate limiting */
+    skipRateLimit?: boolean;
+    /** Skip audit logging */
+    skipAudit?: boolean;
+}
+/**
+ * Minimal session shape that all auth systems provide.
+ * Maps to Auth.js Session, .NET ClaimsPrincipal, etc.
+ */
+interface SecuritySession {
+    user: {
+        id: string;
+        email?: string | null;
+        name?: string | null;
+        roles?: string[];
+    };
+}
+/**
+ * Context available to secured route handlers after all security
+ * checks have passed. Framework wrappers extend this with their
+ * own fields (e.g. NextRequest, validated body, etc.).
+ */
+interface ApiSecurityContext {
+    /** Authenticated session (null for public routes or token auth) */
+    session: SecuritySession | null;
+    /** How the request was authenticated */
+    authMethod: AuthMethod;
+    /** Whether the user has admin privileges */
+    isAdmin: boolean;
+    /** Request correlation ID */
+    requestId: string;
+}
+/**
+ * Determine the appropriate rate limit key for a request.
+ *
+ * Priority: user ID > email > IP address.
+ * Authenticated users get their own bucket (and potentially higher limits).
+ *
+ * @param session - Current session (if any)
+ * @param clientIp - Client IP address
+ * @returns { identifier, isAuthenticated }
+ */
+declare function resolveRateLimitIdentifier(session: SecuritySession | null, clientIp: string): {
+    identifier: string;
+    isAuthenticated: boolean;
+};
+/**
+ * Extract the client IP from standard proxy headers.
+ *
+ * Checks (in order): CF-Connecting-IP, X-Real-IP, X-Forwarded-For.
+ * Use this to ensure consistent IP extraction across all apps.
+ *
+ * @param getHeader - Header getter function
+ * @returns Client IP or 'unknown'
+ */
+declare function extractClientIp(getHeader: (name: string) => string | null | undefined): string;
+/**
+ * Build the standard rate limit response headers.
+ *
+ * @returns Headers object with X-RateLimit-* headers
+ */
+declare function buildRateLimitHeaders(limit: number, remaining: number, resetAtMs: number): Record<string, string>;
+/**
+ * Build a standard error response body.
+ * Ensures consistent error shape across all apps.
+ */
+declare function buildErrorBody(error: string, extra?: Record<string, unknown>): Record<string, unknown>;
+/**
+ * Pre-built security configurations for common route types.
+ *
+ * Use these as the base for framework-specific wrappers:
+ * ```typescript
+ * // In your app's api-security.ts
+ * export function withPublicApi(config, handler) {
+ *   return createSecureHandler({
+ *     ...WrapperPresets.public,
+ *     ...config,
+ *   }, handler)
+ * }
+ * ```
+ */
+declare const WrapperPresets: {
+    /** Public route: no auth, rate limited */
+    readonly public: {
+        readonly requireAuth: false;
+        readonly requireAdmin: false;
+        readonly rateLimit: "apiGeneral";
+    };
+    /** Authenticated route: requires session */
+    readonly authenticated: {
+        readonly requireAuth: true;
+        readonly requireAdmin: false;
+        readonly rateLimit: "apiGeneral";
+    };
+    /** Admin route: requires session with admin role */
+    readonly admin: {
+        readonly requireAuth: true;
+        readonly requireAdmin: true;
+        readonly rateLimit: "adminAction";
+    };
+    /** Legacy admin: accepts session OR bearer token */
+    readonly legacyAdmin: {
+        readonly requireAuth: true;
+        readonly requireAdmin: true;
+        readonly allowBearerToken: true;
+        readonly rateLimit: "adminAction";
+    };
+    /** AI/expensive: requires auth, strict rate limit */
+    readonly ai: {
+        readonly requireAuth: true;
+        readonly requireAdmin: false;
+        readonly rateLimit: "aiRequest";
+    };
+    /** Cron: no rate limit, admin-level access */
+    readonly cron: {
+        readonly requireAuth: true;
+        readonly requireAdmin: false;
+        readonly skipRateLimit: true;
+        readonly skipAudit: false;
+    };
+};
+
+/**
+ * Common Validation Schemas
+ *
+ * Reusable Zod schemas for request validation across all apps.
+ * These are the building blocks — apps compose them into
+ * route-specific schemas for their own domain logic.
+ *
+ * Requires `zod` as a peer dependency (already in platform-core).
+ */
+
+/** Validated, normalized email address */
+declare const EmailSchema: z.ZodString;
+/** Password with minimum security requirements */
+declare const PasswordSchema: z.ZodString;
+/** URL-safe slug (lowercase alphanumeric + hyphens) */
+declare const SlugSchema: z.ZodString;
+/** Phone number (international format, flexible) */
+declare const PhoneSchema: z.ZodString;
+/** Human name (letters, spaces, hyphens, apostrophes) */
+declare const PersonNameSchema: z.ZodString;
+/**
+ * Create a text schema that blocks HTML tags and links.
+ * Use for user-facing text fields (contact forms, comments, etc.)
+ *
+ * @param options - Customize min/max length and error messages
+ *
+ * @example
+ * ```typescript
+ * const MessageSchema = createSafeTextSchema({ min: 10, max: 1000 })
+ * const CommentSchema = createSafeTextSchema({ max: 500, allowUrls: true })
+ * ```
+ */
+declare function createSafeTextSchema(options?: {
+    min?: number;
+    max?: number;
+    allowHtml?: boolean;
+    allowUrls?: boolean;
+    fieldName?: string;
+}): z.ZodType<string, z.ZodTypeDef, string>;
+/** Standard pagination query parameters */
+declare const PaginationSchema: z.ZodObject<{
+    page: z.ZodDefault<z.ZodNumber>;
+    limit: z.ZodDefault<z.ZodNumber>;
+    sortBy: z.ZodOptional<z.ZodString>;
+    sortOrder: z.ZodDefault<z.ZodEnum<["asc", "desc"]>>;
+}, "strip", z.ZodTypeAny, {
+    limit: number;
+    page: number;
+    sortOrder: "asc" | "desc";
+    sortBy?: string | undefined;
+}, {
+    sortBy?: string | undefined;
+    limit?: number | undefined;
+    page?: number | undefined;
+    sortOrder?: "asc" | "desc" | undefined;
+}>;
+/** Date range filter (ISO 8601 datetime strings) */
+declare const DateRangeSchema: z.ZodEffects<z.ZodObject<{
+    startDate: z.ZodString;
+    endDate: z.ZodString;
+}, "strip", z.ZodTypeAny, {
+    startDate: string;
+    endDate: string;
+}, {
+    startDate: string;
+    endDate: string;
+}>, {
+    startDate: string;
+    endDate: string;
+}, {
+    startDate: string;
+    endDate: string;
+}>;
+/** Search query with optional filters */
+declare const SearchQuerySchema: z.ZodObject<{
+    query: z.ZodString;
+    page: z.ZodDefault<z.ZodNumber>;
+    limit: z.ZodDefault<z.ZodNumber>;
+}, "strip", z.ZodTypeAny, {
+    query: string;
+    limit: number;
+    page: number;
+}, {
+    query: string;
+    limit?: number | undefined;
+    page?: number | undefined;
+}>;
+/** Login credentials */
+declare const LoginSchema: z.ZodObject<{
+    email: z.ZodString;
+    password: z.ZodString;
+}, "strip", z.ZodTypeAny, {
+    email: string;
+    password: string;
+}, {
+    email: string;
+    password: string;
+}>;
+/** Signup with optional name */
+declare const SignupSchema: z.ZodObject<{
+    email: z.ZodString;
+    password: z.ZodString;
+    name: z.ZodOptional<z.ZodString>;
+}, "strip", z.ZodTypeAny, {
+    email: string;
+    password: string;
+    name?: string | undefined;
+}, {
+    email: string;
+    password: string;
+    name?: string | undefined;
+}>;
+type EmailInput = z.infer<typeof EmailSchema>;
+type PaginationInput = z.infer<typeof PaginationSchema>;
+type DateRangeInput = z.infer<typeof DateRangeSchema>;
+type SearchQueryInput = z.infer<typeof SearchQuerySchema>;
+type LoginInput = z.infer<typeof LoginSchema>;
+type SignupInput = z.infer<typeof SignupSchema>;
+
+/**
+ * Feature Flag System
+ *
+ * Generic, type-safe feature flag builder for staged rollout.
+ * Each app defines its own flags; this module provides the
+ * infrastructure for evaluating them by environment.
+ *
+ * @example
+ * ```typescript
+ * // Define your app's flags
+ * const flags = createFeatureFlags({
+ *   STRIPE_PAYMENTS: {
+ *     development: true,
+ *     staging: true,
+ *     production: { envVar: 'ENABLE_PAYMENTS' },
+ *   },
+ *   PUBLIC_SIGNUP: {
+ *     development: true,
+ *     staging: false,
+ *     production: { envVar: 'ENABLE_PUBLIC_SIGNUP' },
+ *   },
+ *   AI_FEATURES: {
+ *     development: true,
+ *     staging: { envVar: 'ENABLE_AI' },
+ *     production: false,
+ *   },
+ * })
+ *
+ * // Evaluate at runtime
+ * const resolved = flags.resolve() // reads NODE_ENV + DEPLOYMENT_STAGE
+ * if (resolved.STRIPE_PAYMENTS) { ... }
+ *
+ * // Check a single flag
+ * if (flags.isEnabled('AI_FEATURES')) { ... }
+ * ```
+ */
+type DeploymentStage = "development" | "staging" | "preview" | "production";
+/**
+ * How a flag is resolved in a given environment.
+ * - `true` / `false` — hardcoded on/off
+ * - `{ envVar: string }` — read from environment variable (truthy = "true")
+ * - `{ envVar: string, default: boolean }` — with fallback
+ */
+type FlagValue = boolean | {
+    envVar: string;
+    default?: boolean;
+};
+/**
+ * Flag definition across deployment stages.
+ */
+interface FlagDefinition {
+    development: FlagValue;
+    staging: FlagValue;
+    production: FlagValue;
+}
+/**
+ * Map of flag name to definition.
+ */
+type FlagDefinitions<T extends string = string> = Record<T, FlagDefinition>;
+/**
+ * Resolved flags — all booleans.
+ */
+type ResolvedFlags<T extends string = string> = Record<T, boolean>;
+/**
+ * Allowlist configuration for tester-gated access.
+ */
+interface AllowlistConfig {
+    /** Environment variable containing comma-separated emails */
+    envVar?: string;
+    /** Hardcoded fallback emails */
+    fallback?: string[];
+}
+/**
+ * Detect the current deployment stage from environment variables.
+ */
+declare function detectStage(): DeploymentStage;
+/**
+ * Create a type-safe feature flag system.
+ *
+ * @param definitions - Flag definitions per environment
+ * @returns Feature flag accessor with resolve() and isEnabled()
+ */
+declare function createFeatureFlags<T extends string>(definitions: FlagDefinitions<T>): {
+    /**
+     * Resolve all flags for the current environment.
+     * Call this once at startup or per-request for dynamic flags.
+     */
+    resolve(stage?: DeploymentStage): ResolvedFlags<T>;
+    /**
+     * Check if a single flag is enabled.
+     */
+    isEnabled(flag: T, stage?: DeploymentStage): boolean;
+    /**
+     * Get the flag definitions (for introspection/admin UI).
+     */
+    definitions: FlagDefinitions<T>;
+};
+/**
+ * Build an allowlist from environment variable + fallback emails.
+ *
+ * @example
+ * ```typescript
+ * const testers = buildAllowlist({
+ *   envVar: 'ADMIN_EMAILS',
+ *   fallback: ['admin@example.com'],
+ * })
+ * if (testers.includes(userEmail)) { ... }
+ * ```
+ */
+declare function buildAllowlist(config: AllowlistConfig): string[];
+/**
+ * Check if an email is in the allowlist (case-insensitive).
+ */
+declare function isAllowlisted(email: string, allowlist: string[]): boolean;
+
+/**
+ * Standalone Rate Limiter
+ *
+ * Framework-agnostic sliding window rate limiter that works with
+ * any storage backend (Redis, memory, etc.). Apps provide a storage
+ * adapter; this module handles the algorithm and types.
+ *
+ * @example
+ * ```typescript
+ * import {
+ *   checkRateLimit,
+ *   createMemoryRateLimitStore,
+ *   CommonRateLimits,
+ * } from '@digilogiclabs/platform-core'
+ *
+ * const store = createMemoryRateLimitStore()
+ *
+ * const result = await checkRateLimit('api-call', 'user:123', CommonRateLimits.apiGeneral, { store })
+ * if (!result.allowed) {
+ *   // Return 429 with result.retryAfterSeconds
+ * }
+ * ```
+ */
+/** Configuration for a rate limit rule */
+interface RateLimitRule {
+    /** Maximum requests allowed in the window */
+    limit: number;
+    /** Time window in seconds */
+    windowSeconds: number;
+    /** Different limit for authenticated users (optional) */
+    authenticatedLimit?: number;
+    /** Block duration in seconds when limit is exceeded (optional) */
+    blockDurationSeconds?: number;
+}
+/** Result of a rate limit check */
+interface RateLimitCheckResult {
+    /** Whether the request is allowed */
+    allowed: boolean;
+    /** Remaining requests in the current window */
+    remaining: number;
+    /** Unix timestamp (ms) when the window resets */
+    resetAt: number;
+    /** Current request count in the window */
+    current: number;
+    /** The limit that was applied */
+    limit: number;
+    /** Seconds until retry is allowed (for 429 Retry-After header) */
+    retryAfterSeconds: number;
+}
+/**
+ * Storage backend for rate limiting.
+ *
+ * Implementations should support sorted-set-like semantics for
+ * accurate sliding window rate limiting.
+ */
+interface RateLimitStore {
+    /**
+     * Add an entry to the sliding window and return the current count.
+     * Should atomically: remove entries older than windowStart,
+     * add the new entry, and return the total count.
+     */
+    increment(key: string, windowMs: number, now: number): Promise<{
+        count: number;
+    }>;
+    /** Check if a key is blocked and return remaining TTL */
+    isBlocked(key: string): Promise<{
+        blocked: boolean;
+        ttlMs: number;
+    }>;
+    /** Set a temporary block on a key */
+    setBlock(key: string, durationSeconds: number): Promise<void>;
+    /** Remove all entries for a key (for reset/testing) */
+    reset(key: string): Promise<void>;
+}
+/** Options for checkRateLimit */
+interface RateLimitOptions {
+    /** Storage backend (defaults to in-memory if not provided) */
+    store?: RateLimitStore;
+    /** Whether the user is authenticated (uses authenticatedLimit if available) */
+    isAuthenticated?: boolean;
+    /** Logger for warnings/errors (optional) */
+    logger?: {
+        warn: (msg: string, meta?: Record<string, unknown>) => void;
+        error: (msg: string, meta?: Record<string, unknown>) => void;
+    };
+}
+/**
+ * Common rate limit rules for typical operations.
+ * Apps can extend with domain-specific presets.
+ *
+ * @example
+ * ```typescript
+ * const APP_LIMITS = {
+ *   ...CommonRateLimits,
+ *   serverCreate: { limit: 5, windowSeconds: 3600, blockDurationSeconds: 3600 },
+ * }
+ * ```
+ */
+declare const CommonRateLimits: {
+    /** General API: 100/min, 200/min authenticated */
+    readonly apiGeneral: {
+        readonly limit: 100;
+        readonly windowSeconds: 60;
+        readonly authenticatedLimit: 200;
+    };
+    /** Admin actions: 100/min */
+    readonly adminAction: {
+        readonly limit: 100;
+        readonly windowSeconds: 60;
+    };
+    /** Auth attempts: 10/15min with 30min block */
+    readonly authAttempt: {
+        readonly limit: 10;
+        readonly windowSeconds: 900;
+        readonly blockDurationSeconds: 1800;
+    };
+    /** AI/expensive requests: 20/hour, 50/hour authenticated */
+    readonly aiRequest: {
+        readonly limit: 20;
+        readonly windowSeconds: 3600;
+        readonly authenticatedLimit: 50;
+    };
+    /** Public form submissions: 5/hour with 1hr block */
+    readonly publicForm: {
+        readonly limit: 5;
+        readonly windowSeconds: 3600;
+        readonly blockDurationSeconds: 3600;
+    };
+    /** Checkout/billing: 10/hour with 1hr block */
+    readonly checkout: {
+        readonly limit: 10;
+        readonly windowSeconds: 3600;
+        readonly blockDurationSeconds: 3600;
+    };
+};
+/**
+ * In-memory rate limit store for testing and graceful degradation.
+ * Not suitable for multi-process or distributed environments.
+ */
+declare function createMemoryRateLimitStore(): RateLimitStore;
+/**
+ * Check rate limit for an operation.
+ *
+ * @param operation - Name of the operation (e.g., 'server-create', 'api-call')
+ * @param identifier - Who is making the request (e.g., 'user:123', 'ip:1.2.3.4')
+ * @param rule - Rate limit configuration
+ * @param options - Storage, auth status, logger
+ * @returns Rate limit check result
+ */
+declare function checkRateLimit(operation: string, identifier: string, rule: RateLimitRule, options?: RateLimitOptions): Promise<RateLimitCheckResult>;
+/**
+ * Get current rate limit status without incrementing the counter.
+ */
+declare function getRateLimitStatus(operation: string, identifier: string, rule: RateLimitRule, store?: RateLimitStore): Promise<RateLimitCheckResult | null>;
+/**
+ * Reset rate limit for an identifier (for admin/testing).
+ */
+declare function resetRateLimitForKey(operation: string, identifier: string, store?: RateLimitStore): Promise<void>;
+/**
+ * Build standard rate limit headers for HTTP responses.
+ */
+declare function buildRateLimitResponseHeaders(result: RateLimitCheckResult): Record<string, string>;
+/**
+ * Resolve a rate limit identifier from a request-like context.
+ * Prefers user ID > email > IP for most accurate limiting.
+ */
+declare function resolveIdentifier(session: {
+    user?: {
+        id?: string;
+        email?: string;
+    };
+} | null | undefined, clientIp?: string): {
+    identifier: string;
+    isAuthenticated: boolean;
+};
+
+/**
+ * Audit Logging System
+ *
+ * Framework-agnostic audit logging for security-sensitive operations.
+ * Provides structured audit events with actor, action, resource, and
+ * outcome tracking. Apps provide their own persistence (Redis, DB, etc.)
+ * via a simple callback; this module handles the event model and helpers.
+ *
+ * @example
+ * ```typescript
+ * import { createAuditLogger, StandardAuditActions } from '@digilogiclabs/platform-core'
+ *
+ * const audit = createAuditLogger({
+ *   persist: async (record) => {
+ *     await redis.setex(`audit:${record.id}`, 90 * 86400, JSON.stringify(record))
+ *   },
+ * })
+ *
+ * await audit.log({
+ *   actor: { id: userId, email, type: 'user' },
+ *   action: StandardAuditActions.LOGIN_SUCCESS,
+ *   outcome: 'success',
+ * })
+ * ```
+ */
+/** Who performed the action */
+interface OpsAuditActor {
+    id: string;
+    email?: string;
+    type: "user" | "admin" | "system" | "api_key" | "anonymous";
+    sessionId?: string;
+}
+/** What resource was affected */
+interface OpsAuditResource {
+    type: string;
+    id: string;
+    name?: string;
+}
+/** The audit event to log */
+interface OpsAuditEvent {
+    actor: OpsAuditActor;
+    action: string;
+    resource?: OpsAuditResource;
+    outcome: "success" | "failure" | "blocked" | "pending";
+    metadata?: Record<string, unknown>;
+    reason?: string;
+}
+/** Complete audit record with context */
+interface OpsAuditRecord extends OpsAuditEvent {
+    id: string;
+    timestamp: string;
+    ip?: string;
+    userAgent?: string;
+    requestId?: string;
+    duration?: number;
+}
+/** Options for creating an audit logger */
+interface OpsAuditLoggerOptions {
     /**
-     * Return cached value from a cache function
+     * Persist an audit record to storage (Redis, DB, etc.).
+     * Called after console logging. Errors are caught and logged,
+     * never thrown — audit failures must not break operations.
      */
-    fromCache: <T>(getCached: () => Promise<T | null>, defaultValue: T) => FallbackOptions<T>;
+    persist?: (record: OpsAuditRecord) => Promise<void>;
     /**
-     * Degrade gracefully with partial data
+     * Console logger for structured output.
+     * Defaults to console.log/console.warn.
      */
-    degrade: <T>(getDegraded: (error: Error) => T) => FallbackOptions<T>;
-};
-
+    logger?: {
+        info: (msg: string, meta?: Record<string, unknown>) => void;
+        warn: (msg: string, meta?: Record<string, unknown>) => void;
+        error: (msg: string, meta?: Record<string, unknown>) => void;
+    };
+}
+/** Request-like object for extracting IP, user agent, request ID */
+interface AuditRequest {
+    headers: {
+        get(name: string): string | null;
+    };
+}
 /**
- * Security Utilities
+ * Standard audit action constants.
+ * Apps should extend with domain-specific actions:
  *
- * HTML escaping, input detection, and sanitization helpers
- * for safe rendering of user content in emails, templates, and HTML output.
+ * @example
+ * ```typescript
+ * const AppAuditActions = {
+ *   ...StandardAuditActions,
+ *   SERVER_CREATE: 'game.server.create',
+ *   SERVER_DELETE: 'game.server.delete',
+ * } as const
+ * ```
  */
-/** Regex for protocol-prefixed URLs */
-declare const URL_PROTOCOL_PATTERN: RegExp;
-/** Regex for bare domain names with common TLDs */
-declare const URL_DOMAIN_PATTERN: RegExp;
-/** Regex for HTML tags */
-declare const HTML_TAG_PATTERN: RegExp;
+declare const StandardAuditActions: {
+    readonly LOGIN_SUCCESS: "auth.login.success";
+    readonly LOGIN_FAILURE: "auth.login.failure";
+    readonly LOGOUT: "auth.logout";
+    readonly SESSION_REFRESH: "auth.session.refresh";
+    readonly PASSWORD_CHANGE: "auth.password.change";
+    readonly PASSWORD_RESET: "auth.password.reset";
+    readonly CHECKOUT_START: "billing.checkout.start";
+    readonly CHECKOUT_COMPLETE: "billing.checkout.complete";
+    readonly SUBSCRIPTION_CREATE: "billing.subscription.create";
+    readonly SUBSCRIPTION_CANCEL: "billing.subscription.cancel";
+    readonly SUBSCRIPTION_UPDATE: "billing.subscription.update";
+    readonly PAYMENT_FAILED: "billing.payment.failed";
+    readonly ADMIN_LOGIN: "admin.login";
+    readonly ADMIN_USER_VIEW: "admin.user.view";
+    readonly ADMIN_USER_UPDATE: "admin.user.update";
+    readonly ADMIN_CONFIG_CHANGE: "admin.config.change";
+    readonly RATE_LIMIT_EXCEEDED: "security.rate_limit.exceeded";
+    readonly INVALID_INPUT: "security.input.invalid";
+    readonly UNAUTHORIZED_ACCESS: "security.access.unauthorized";
+    readonly OWNERSHIP_VIOLATION: "security.ownership.violation";
+    readonly WEBHOOK_SIGNATURE_INVALID: "security.webhook.signature_invalid";
+    readonly DATA_EXPORT: "data.export";
+    readonly DATA_DELETE: "data.delete";
+    readonly DATA_UPDATE: "data.update";
+};
+type StandardAuditActionType = (typeof StandardAuditActions)[keyof typeof StandardAuditActions];
 /**
- * Escape HTML special characters to prevent injection.
- * Use when inserting user content into HTML email templates or rendered HTML.
+ * Extract client IP from request headers.
+ * Checks common proxy headers in order of reliability.
  */
-declare function escapeHtml(str: string): string;
-/** Check if a string contains protocol-prefixed URLs or bare domains */
-declare function containsUrls(str: string): boolean;
-/** Check if a string contains HTML tags */
-declare function containsHtml(str: string): boolean;
-/** Strip all HTML tags from a string */
-declare function stripHtml(str: string): string;
+declare function extractAuditIp(request?: AuditRequest): string | undefined;
 /**
- * Defang URLs to prevent auto-linking in email clients.
- * Converts https://evil.com → hxxps://evil[.]com
+ * Extract user agent from request.
  */
-declare function defangUrl(str: string): string;
+declare function extractAuditUserAgent(request?: AuditRequest): string | undefined;
 /**
- * Sanitize user content for safe insertion into HTML email templates.
- * Escapes HTML entities AND defangs any URLs that slipped through validation.
+ * Extract or generate request ID.
  */
-declare function sanitizeForEmail(str: string): string;
-
+declare function extractAuditRequestId(request?: AuditRequest): string;
 /**
- * API Utilities
- *
- * Framework-agnostic error codes, error class, response types,
- * and database error mapping for consistent API behavior across apps.
+ * Create an AuditActor from a session object.
+ * Works with Auth.js/NextAuth session shape.
  */
-/** Standard API error codes */
-declare const ApiErrorCode: {
-    readonly VALIDATION_ERROR: "VALIDATION_ERROR";
-    readonly UNAUTHORIZED: "UNAUTHORIZED";
-    readonly FORBIDDEN: "FORBIDDEN";
-    readonly NOT_FOUND: "NOT_FOUND";
-    readonly CONFLICT: "CONFLICT";
-    readonly RATE_LIMIT_EXCEEDED: "RATE_LIMIT_EXCEEDED";
-    readonly INTERNAL_ERROR: "INTERNAL_ERROR";
-    readonly DATABASE_ERROR: "DATABASE_ERROR";
-    readonly EXTERNAL_SERVICE_ERROR: "EXTERNAL_SERVICE_ERROR";
-    readonly CONFIGURATION_ERROR: "CONFIGURATION_ERROR";
-};
-type ApiErrorCodeType = (typeof ApiErrorCode)[keyof typeof ApiErrorCode];
-/** Custom API Error class with status code and error code */
-declare class ApiError extends Error {
-    readonly statusCode: number;
-    readonly code: ApiErrorCodeType;
-    readonly details?: unknown;
-    constructor(statusCode: number, message: string, code?: ApiErrorCodeType, details?: unknown);
-}
-/** Type guard for ApiError */
-declare function isApiError(error: unknown): error is ApiError;
-/** Pre-built error factories */
-declare const CommonApiErrors: {
-    unauthorized: (msg?: string) => ApiError;
-    forbidden: (msg?: string) => ApiError;
-    notFound: (resource?: string) => ApiError;
-    conflict: (msg?: string) => ApiError;
-    rateLimitExceeded: (msg?: string) => ApiError;
-    validationError: (details?: unknown) => ApiError;
-    internalError: (msg?: string) => ApiError;
-};
-/** PostgreSQL error code → HTTP status mapping */
-declare const PG_ERROR_MAP: Record<string, {
-    status: number;
-    code: ApiErrorCodeType;
-    message: string;
-}>;
+declare function createAuditActor(session: {
+    user?: {
+        id?: string;
+        email?: string | null;
+    };
+} | null | undefined): OpsAuditActor;
 /**
- * Classify any error into a standardized shape.
- * Framework-agnostic — returns a plain object, not an HTTP response.
+ * Create an audit logger instance.
+ *
+ * @param options - Persistence callback and optional logger
+ * @returns Audit logger with log() and createTimedAudit() methods
  */
-declare function classifyError(error: unknown, isDev?: boolean): {
-    status: number;
-    body: {
-        error: string;
-        code: string;
-        details?: unknown;
-    };
-};
-/** Standard success response shape */
-interface ApiSuccessResponse<T = unknown> {
-    success: true;
-    data: T;
-    message?: string;
-    timestamp?: string;
-}
-/** Standard paginated response shape */
-interface ApiPaginatedResponse<T = unknown> extends ApiSuccessResponse<T[]> {
-    pagination: {
-        page: number;
-        limit: number;
-        total: number;
-        totalPages: number;
-        hasMore: boolean;
+declare function createAuditLogger(options?: OpsAuditLoggerOptions): {
+    log: (event: OpsAuditEvent, request?: AuditRequest) => Promise<OpsAuditRecord>;
+    createTimedAudit: (event: Omit<OpsAuditEvent, "outcome">, request?: AuditRequest) => {
+        success: (metadata?: Record<string, unknown>) => Promise<OpsAuditRecord>;
+        failure: (reason: string, metadata?: Record<string, unknown>) => Promise<OpsAuditRecord>;
+        blocked: (reason: string, metadata?: Record<string, unknown>) => Promise<OpsAuditRecord>;
     };
-}
-/** Build a pagination metadata object */
-declare function buildPagination(page: number, limit: number, total: number): {
-    page: number;
-    limit: number;
-    total: number;
-    totalPages: number;
-    hasMore: boolean;
 };
 
 /**
@@ -10838,6 +12000,33 @@ declare class MemoryScheduler implements IScheduler {
     private completeExecution;
 }
 
+/**
+ * MemoryCrypto - In-memory ICrypto adapter for testing
+ * Uses Node.js built-in crypto module with keys stored in memory.
+ */
+
+declare class MemoryCrypto implements ICrypto {
+    private keys;
+    private activeKeyId;
+    private hmacKey;
+    constructor(options?: {
+        masterKey?: string;
+        hmacKey?: string;
+    });
+    encrypt(plaintext: string, options?: EncryptOptions): Promise<EncryptedField>;
+    decrypt(field: EncryptedField, options?: EncryptOptions): Promise<string>;
+    encryptDeterministic(plaintext: string, options?: EncryptOptions): Promise<DeterministicEncryptedField>;
+    computeHash(plaintext: string): Promise<string>;
+    encryptBatch(fields: Record<string, string>, options?: EncryptOptions): Promise<Record<string, EncryptedField>>;
+    decryptBatch(fields: Record<string, EncryptedField>, options?: EncryptOptions): Promise<Record<string, string>>;
+    rotateKey(): Promise<KeyRotationResult>;
+    reEncrypt(field: EncryptedField, options?: EncryptOptions): Promise<EncryptedField>;
+    listKeys(): Promise<CryptoKeyMetadata[]>;
+    getActiveKeyId(): Promise<string>;
+    healthCheck(): Promise<boolean>;
+    private generateKeyId;
+}
+
 /**
  * Supabase Database Adapter
  * Production implementation using Supabase as the database provider
@@ -12795,6 +13984,50 @@ declare class WeaviateRAG implements IRAG {
  */
 declare function createWeaviateRAG(config: WeaviateRAGConfig): WeaviateRAG;
 
+/**
+ * NodeCrypto - Production ICrypto adapter using Node.js built-in crypto
+ *
+ * Architecture:
+ * - Master key (from env/ISecrets) → HKDF → per-deployment DEKs
+ * - AES-256-GCM with 96-bit random IVs for encryption
+ * - HMAC-SHA256 for deterministic/searchable encryption
+ * - Envelope encryption: master key wraps DEKs
+ * - Key rotation: new DEK generated, old marked decrypt-only
+ *
+ * Zero external dependencies — only uses node:crypto.
+ */
+
+interface NodeCryptoConfig {
+    /** Master key as hex string (64 hex chars = 32 bytes). Required. */
+    masterKey: string;
+    /** HMAC key as hex string for deterministic hashing. If not provided, derived from master key. */
+    hmacKey?: string;
+}
+declare class NodeCrypto implements ICrypto {
+    private masterKey;
+    private hmacKey;
+    private keys;
+    private activeKeyId;
+    private keyCounter;
+    constructor(config: NodeCryptoConfig);
+    encrypt(plaintext: string, options?: EncryptOptions): Promise<EncryptedField>;
+    decrypt(field: EncryptedField, options?: EncryptOptions): Promise<string>;
+    encryptDeterministic(plaintext: string, options?: EncryptOptions): Promise<DeterministicEncryptedField>;
+    computeHash(plaintext: string): Promise<string>;
+    encryptBatch(fields: Record<string, string>, options?: EncryptOptions): Promise<Record<string, EncryptedField>>;
+    decryptBatch(fields: Record<string, EncryptedField>, options?: EncryptOptions): Promise<Record<string, string>>;
+    rotateKey(): Promise<KeyRotationResult>;
+    reEncrypt(field: EncryptedField, options?: EncryptOptions): Promise<EncryptedField>;
+    listKeys(): Promise<CryptoKeyMetadata[]>;
+    getActiveKeyId(): Promise<string>;
+    healthCheck(): Promise<boolean>;
+    /**
+     * Derive a Data Encryption Key from the master key using HKDF.
+     */
+    private deriveDEK;
+    private generateKeyId;
+}
+
 /**
  * Generic OIDC Enterprise SSO Adapter
  *
@@ -13086,4 +14319,224 @@ declare class PostgresTenant implements ITenant {
     private mapRowToInvitation;
 }
 
-export { AIChatRequest, AIChatResponse, AICompletionRequest, AICompletionResponse, AIConfig, AIEmbeddingRequest, AIEmbeddingResponse, AIModelConfig, AIModelType, AIProvider, AIStreamCallback, AIStreamChunk, type AIUsageConfig, type AccountCapabilities, type AccountLink, type AccountType, type Address, type AlertType, AnthropicAdapter, type AnthropicAdapterConfig, type ApiAuthentication, type ApiChangelog, type ApiDocumentation, type ApiEndpoint, ApiError, ApiErrorCode, type ApiErrorCodeType, type ApiExample, type ApiKey, type ApiKeyStatus, type ApiKeyType, type ApiKeyValidationResult, type ApiPaginatedResponse, type ApiParameter, type ApiResponse, type ApiSchema, type ApiSchemaProperty, type ApiSuccessResponse, type ApiUsageStats, type ApiUsageTimeSeries, AssembledContext, type AuditActor, type AuditCategory, type AuditEvent, AuditEvents, type AuditEvidence, type AuditLogConfig, type AuditOutcome, type AuditQuery, type AuditQueryResult, type AuditRetentionPolicy, type AuditStats, type AuditTarget, type AuthConfig, type AuthError, type AuthErrorCode, AuthErrorMessages, type AuthEventType, type AuthResult, type AuthSession, type AuthStateChangeCallback, type AuthStorage, type AuthUser, type Balance, type BalanceAmount, type BankAccountDetails, type BatchNotificationOptions, type BillingConfig, type BillingDetails, type BillingPeriod, type Breadcrumb, type Budget, type BudgetStatus, BulkIngestionResult, Bulkhead, type BulkheadOptions, BulkheadRegistry, BulkheadRejectedError, type BulkheadStats, type BullMQConfig, BullMQQueue, type BusinessProfile, type CancelationReason, type CaptureOptions, type CapturePaymentIntentOptions, type CardBrand, type CardDetails, type ChainExecutionResult, CircuitBreaker, type CircuitBreakerOptions, CircuitBreakerRegistry, type CircuitBreakerStats, CircuitOpenError, type CircuitState, type CommandStatus, CommonApiErrors, type ComplianceConfig, type ComplianceReport, type ConfirmPaymentIntentOptions, type ConnectedAccount, type ConnectedAccountStatus, type ConsentPreferences, type ConsentPurpose, type ConsentRecord, type ConsentStatus, ContextAssemblyConfig, type ControlFramework, type ControlStatus, type CorrelationData, type CostBreakdown, type Coupon, type CreateAccountLinkOptions, type CreateApiKeyOptions, CreateCollectionOptions, type CreateConnectedAccountOptions, type CreateCustomerOptions, type CreateDsarOptions, type CreatePaymentIntentOptions, type CreatePayoutOptions, type CreateRefundOptions, type CreateSandboxOptions, type CreateScheduleOptions, type CreateTenantOptions, type CreateTransferOptions, type CreateWebhookOptions, type CreditBalance, type CreditTransaction, type CreditType, type CronExpression, CronPresets, type Currency, type Customer, DEFAULT_BULKHEAD_OPTIONS, DEFAULT_CIRCUIT_BREAKER_OPTIONS, DEFAULT_RETRY_OPTIONS, type DataBreachRecord, type DataCategory, type DataInventoryItem, type DataMap, type DataSensitivity, type DataSubjectRequest, type DataType, DatabaseAIUsage, type DatabaseAIUsageConfig, DatabaseAuditLog, type DatabaseAuditLogConfig, DatabaseBilling, type DatabaseBillingConfig, DatabaseCompliance, DatabaseErrorReporter, type DatabaseErrorReporterConfig, DatabaseNotification, type DatabaseNotificationConfig, DatabasePromptStore, type DatabasePromptStoreConfig, DefaultTimeouts, type DeleteAccountOptions, type DeleteHookContext, type DeliveryAttempt, type DeliveryQuery, type DeliveryStatus, type DetailedHealthResponse, type DevPortalConfig, type DeveloperMetrics, type Device, type DeviceAuthMethod, type DeviceCommand, type DeviceConfig, type DeviceConnectionState, type DeviceCredentials, type DeviceGroup, type DeviceGroupQuery, type DeviceLocation, type DeviceQuery, type DeviceQueryResult, type DeviceShadow, type DeviceStatus, type DirectoryAttributeMapping, type DirectoryConfig, DocumentStatus, type DsarAttachment, type DsarNote, type DsarStatus, type DsarType, type DunningActionType, type DunningAttempt, type DunningConfig, type EmailHookContext, EmailMessage, EmailResult, type EnrollMfaOptions, type EnrollMfaResult, type ErrorContext, type ErrorHookContext, type ErrorLevel, type ErrorReport, type ErrorReporterConfig, type EvidenceType, type ExperimentMetrics, type FallbackOptions, type FallbackResult, FallbackStrategies, type FirmwareStatus, type FirmwareUpdate, type FirmwareVersion, type GeneratedSdk, GenericOIDCAuthSSO, type GenericOIDCConfig, GoogleAIAdapter, type GoogleAIAdapterConfig, HTML_TAG_PATTERN, type HealthCheckResult, type HealthEndpoints, type HealthEndpointsOptions, type HealthStatus, type HookRegistry, type HttpMethod, HttpWebhook, type HttpWebhookConfig, IAI, type IAIUsage, type IAuditLog, type IAuth, type IAuthSSO, type IBilling, ICache, type ICompliance, IDatabase, type IDevPortal, type IDevice, IEmail, type IErrorReporter, type IHealth, type IHealthCheckable, ILogger, IMetrics, type INotification, type IPayment, IPlatform, type IPromptStore, IQueryBuilder, IQueue, IRAG, type IScheduler, IStorage, type ITenant, type IWebhook, type InboundWebhookConfig, type InboundWebhookContext, IngestionOptions, IngestionResult, type InsertHookContext, type InviteMemberOptions, type Invoice, type InvoiceLineItem, type InvoiceQuery, type InvoiceStatus, Job, JobEventHandler, JobEventType, type JobHookContext, JobOptions, JobState, type ListTenantsOptions, type LivenessResponse, MemoryAIUsage, MemoryAuditLog, type MemoryAuditLogConfig, MemoryAuth, MemoryAuthSSO, MemoryBilling, MemoryCompliance, MemoryDevPortal, MemoryDevice, MemoryErrorReporter, type MemoryErrorReporterConfig, MemoryNotification, type MemoryNotificationConfig, MemoryPayment, MemoryPromptStore, MemoryRateLimiterStorage, MemoryScheduler, type MemorySchedulerConfig, MemoryTenant, MemoryWebhook, type MemoryWebhookConfig, type Meter, type MetricsEndpoint, type MetricsEndpointOptions, MetricsSummary, type MfaChallenge, type MfaFactor, type MfaFactorType, type Middleware, type MiddlewareChain, type MiddlewareChainOptions, type MiddlewareContext, type NotificationAction, type NotificationCategory, type NotificationChannel, type NotificationConfig, type NotificationData, type NotificationPreferences, type NotificationPriority, type NotificationQuery, type NotificationResult, type NotificationStats, type NotificationStatus, type NotificationTarget, NotificationTemplates, type OAuthOptions, type OAuthProvider, type OAuthResult, type OidcAuthRequest, type OidcAuthResponse, type OidcClaimMapping, type OidcIdpConfig, OpenAIAdapter, type OpenAIAdapterConfig, PG_ERROR_MAP, type ParameterLocation, type PaymentConfig, type PaymentError, type PaymentErrorCode, PaymentErrorMessages, type PaymentEventType, type PaymentIntent, type PaymentMethod, type PaymentMethodType, type PaymentStatus, type PaymentWebhookEvent, type Payout, type PayoutStatus, type PiaMitigation, type PiaRisk, type PiaStatus, PineconeRAG, type PineconeRAGConfig, type PlatformHealthResult, PlatformHealthStatus, type PlatformHooks, type PostgresConfig, PostgresDatabase, PostgresTenant, type PostgresTenantConfig, type Price, type PricingModel, type PricingTier, type PrivacyImpactAssessment, type Product, type Prompt, type PromptChain, type PromptChainStep, type PromptExperiment, type PromptQuery, type PromptQueryResult, type PromptStatus, type PromptStoreConfig, type PromptType, type PromptUsageRecord, type PromptUsageStats, type PromptVariable, type PromptVariant, type PromptVersion, type ProvisioningConfig, type ProvisioningRequest, type ProvisioningResult, type ProvisioningStatus, type PushSubscription, type QueryHookContext, QueryResult, QueueScheduler, type QueueSchedulerConfig, type Quota, type QuotaStatus, type QuotaType, RAGChunk, RAGCollection, RAGConfig, RAGDocument, RAGPipeline, RAGSearchQuery, RAGSearchResponse, RAGSearchResult, type RateLimitAlgorithm, RateLimitError, type RateLimitInfo, type RateLimitOptions, RateLimitPresets, type RateLimiterStorage, type ReadinessResponse, type RecordConsentOptions, RedisCache, type RedisConfig, type Refund, type RefundReason, type RefundStatus, type RenderOptions, type RenderedPrompt, RepeatOptions, ResendEmail, type ResetPasswordOptions, type RetentionAction, type RetentionExecution, type RetentionPolicy, RetryConfigs, type RetryOptions, RetryPredicates, type RetryResult, type RevenueMetrics, type RiskLevel, S3Storage, type SamlAssertion, type SamlAttributeMapping, type SamlAuthRequest, type SamlAuthResponse, type SamlIdpConfig, type SamlNameIdFormat, type SamlSpConfig, type Sandbox, type SandboxConfig, type SandboxLimits, type SandboxStatus, type SandboxUsage, type ScheduleContext, type ScheduleExecution, type ScheduleHandler, type ScheduleQuery, type ScheduleState, type ScheduleUpdateOptions, type ScheduledJob, type SchedulerConfig, type SchedulerStats, type ScimConfig, type ScimUser, type SdkConfig, type SdkFile, type SdkLanguage, type SendCommandOptions, type SendNotificationOptions, type ServiceHealth, type ShadowDelta, type ShadowMetadata, type ShadowUpdate, type SignInWithEmailOptions, type SignInWithMagicLinkOptions, type SignInWithPhoneOptions, type SignUpWithEmailOptions, type SignatureAlgorithm, type SlidingWindowRateLimitOptions, type SmtpConfig, SmtpEmail, type SsoSession, type StartupResponse, StorageFile, type StoredAuditEvent, type StoredNotification, StripePayment, type StripePaymentConfig, type Subscription, type SubscriptionDiscount, type SubscriptionItem, type SubscriptionMetrics, type SubscriptionQuery, type SubscriptionStatus, SupabaseAuth, type SupabaseAuthConfig, SupabaseDatabase, SupabaseStorage, type SupabaseStorageConfig, type TaxBreakdown, type TelemetryMessage, type TelemetryQuery, type TelemetryResult, type Tenant, type TenantBranding, type TenantContext, type TenantDatabaseConfig, type TenantInvitation, type TenantIsolationModel, type TenantMember, type TenantMemberStatus, type TenantQuotas, type TenantResolutionOptions, type TenantResolutionStrategy, type TenantRole, type TenantSecuritySettings, type TenantSettings, type TenantStatus, type TenantUsage, TimeoutError, type TimeoutOptions, type TokenBucketOptions, type TosAcceptance, type Transfer, type TransferStatus, URL_DOMAIN_PATTERN, URL_PROTOCOL_PATTERN, type Unsubscribe, type UpdateCustomerOptions, type UpdateHookContext, type UpdatePasswordOptions, type UpdatePaymentIntentOptions, type UpdateScheduleOptions, type UpdateStatus, type UpdateTenantOptions, type UpdateUserOptions, type UpdateWebhookOptions, type UploadHookContext, UploadOptions, UpstashCache, type UsageAlert, type UsageCategory, type UsageEvent, type UsageInterval, type UsageInvoice, type UsageInvoiceItem, type UsageQuery, type UsageQueryResult, type UsageRecord, type UsageSummary, type UsageSummaryRecord, type UsageTrend, type VerificationResult, type VerifyMfaOptions, type VerifyPhoneOtpOptions, type VerifyWebhookOptions, WeaviateRAG, type WeaviateRAGConfig, type WebhookConfig, type WebhookDelivery, type WebhookEndpoint, type WebhookEvent, WebhookEventTypes, type WebhookQuery, type WebhookState, type WebhookStats, type WebhookTestEndpoint, type WebhookTestEvent, buildPagination, calculateRetryDelay, classifyError, composeHookRegistries, containsHtml, containsUrls, correlationContext, createAnthropicAdapter, createAuthError, createBulkhead, createCacheMiddleware, createCachedFallback, createCircuitBreaker, createDefaultPreferences, createErrorReport, createExpressHealthHandlers, createExpressMetricsHandler, createGoogleAIAdapter, createHealthEndpoints, createHealthServer, createHookRegistry, createIpKeyGenerator, createJobContext, createLoggingMiddleware, createMetricsEndpoint, createMetricsMiddleware, createMetricsServer, createMiddlewareChain, createMiddlewareContext, createObservabilityServer, createOpenAIAdapter, createPaymentError, createPineconeRAG, createRateLimitMiddleware, createRequestContext, createRequestIdMiddleware, createSlowQueryMiddleware, createTenantMiddleware, createTimeoutMiddleware, createUserKeyGenerator, createWeaviateRAG, defangUrl, describeCron, escapeHtml, filterChannelsByPreferences, formatAmount, generateAuditId, generateChecksum, generateDeliveryId, generateErrorId, generateEventId, generateFingerprint, generateNotificationId, generatePaymentId, generateScheduleId, generateSecureToken, generateWebhookId, generateWebhookSecret, getContext, getCorrelationId, getLogMeta, getNextCronRun, getRequestId, getTenantId, getTraceId, getUserId, isApiError, isAuthError, isInContext, isInQuietHours, isPaymentError, isValidCron, matchAction, matchEventType, raceTimeout, retryable, runWithContext, runWithContextAsync, sanitizeForEmail, stripHtml, timedHealthCheck, toHealthCheckResult, withCorrelation, withCorrelationAsync, withFallback, withFallbackChain, withFallbackResult, withRetry, withRetryResult, withTimeout, withTimeoutWrapper };
+/**
+ * Environment Variable Helpers
+ *
+ * Type-safe, fail-fast utilities for reading environment variables.
+ * Every app needs these — extracted from DLL, WIAN, and OSS patterns.
+ *
+ * @example
+ * ```typescript
+ * import { getRequiredEnv, getOptionalEnv, getBoolEnv, validateEnvVars } from '@digilogiclabs/platform-core'
+ *
+ * const config = {
+ *   stripe: { secretKey: getRequiredEnv('STRIPE_SECRET_KEY') },
+ *   redis: { url: getOptionalEnv('REDIS_URL', '') },
+ *   features: { debug: getBoolEnv('DEBUG', false) },
+ * }
+ *
+ * // Validate at startup
+ * validateEnvVars({
+ *   required: ['STRIPE_SECRET_KEY', 'DATABASE_URL'],
+ *   requireOneOf: [['DATABASE_URL', 'SUPABASE_URL']], // at least one
+ *   validators: {
+ *     DATABASE_URL: (v) => v.startsWith('postgres') || 'must start with postgres://',
+ *     ADMIN_SECRET: (v) => v.length >= 32 || 'must be at least 32 characters',
+ *   },
+ * })
+ * ```
+ */
+/**
+ * Get a required environment variable.
+ * Throws immediately if not set — fail-fast at startup.
+ */
+declare function getRequiredEnv(key: string): string;
+/**
+ * Get an optional environment variable with a default value.
+ */
+declare function getOptionalEnv(key: string, defaultValue: string): string;
+/**
+ * Get a boolean environment variable.
+ * Treats "true" and "1" as true, everything else as false.
+ */
+declare function getBoolEnv(key: string, defaultValue?: boolean): boolean;
+/**
+ * Get a numeric environment variable with a default.
+ */
+declare function getIntEnv(key: string, defaultValue: number): number;
+/**
+ * Configuration for environment validation.
+ */
+interface EnvValidationConfig {
+    /** Variables that must be set (non-empty) */
+    required?: string[];
+    /** Groups where at least one must be set (e.g., DATABASE_URL or SUPABASE_URL) */
+    requireOneOf?: string[][];
+    /** Custom validators — return true or an error message */
+    validators?: Record<string, (value: string) => true | string>;
+}
+/**
+ * Validation result with categorized errors.
+ */
+interface EnvValidationResult {
+    valid: boolean;
+    missing: string[];
+    invalid: {
+        key: string;
+        reason: string;
+    }[];
+    missingOneOf: string[][];
+}
+/**
+ * Validate environment variables against a configuration.
+ *
+ * @throws Error with details about all missing/invalid variables
+ */
+declare function validateEnvVars(config: EnvValidationConfig): void;
+/**
+ * Check environment variables without throwing.
+ * Returns a result object for custom error handling.
+ */
+declare function checkEnvVars(config: EnvValidationConfig): EnvValidationResult;
+/**
+ * Get a redacted config summary for debugging.
+ * Shows which variables are configured without exposing values.
+ */
+declare function getEnvSummary(keys: string[]): Record<string, boolean>;
+
+/**
+ * Application Logger
+ *
+ * Structured logger with child loggers, request correlation,
+ * and operation timing. Builds on ConsoleLogger but adds the
+ * patterns every app needs: component loggers, request loggers,
+ * job loggers, and timing wrappers.
+ *
+ * @example
+ * ```typescript
+ * import { createAppLogger } from '@digilogiclabs/platform-core'
+ *
+ * const logger = createAppLogger({ service: 'my-app' })
+ *
+ * // Child loggers for components
+ * const authLogger = logger.child({ component: 'auth' })
+ * authLogger.info('User signed in', { userId: '123' })
+ *
+ * // Request-scoped logger with correlation ID
+ * const reqLogger = logger.forRequest(request, 'create-server')
+ * reqLogger.info('Processing request')
+ *
+ * // Timed operations
+ * const result = await logger.timed('fetchArticles', () => fetchArticles(), { count: 10 })
+ * ```
+ */
+interface AppLogContext {
+    [key: string]: unknown;
+}
+/**
+ * Structured logger interface shared across all apps.
+ */
+interface AppLogger {
+    debug(message: string, context?: AppLogContext): void;
+    info(message: string, context?: AppLogContext): void;
+    warn(message: string, context?: AppLogContext): void;
+    error(message: string, context?: AppLogContext): void;
+    /** Create a child logger with additional persistent context */
+    child(context: AppLogContext): AppLogger;
+    /** Create a request-scoped logger with correlation ID */
+    forRequest(request: Request, operation: string): AppLogger;
+    /** Create a job-scoped logger */
+    forJob(jobType: string, jobId: string, context?: AppLogContext): AppLogger;
+    /**
+     * Execute an async operation with automatic timing.
+     * Logs start (debug), success with duration (info), or failure with duration (error).
+     */
+    timed<T>(operation: string, fn: () => Promise<T>, context?: AppLogContext): Promise<T>;
+}
+interface AppLoggerOptions {
+    /** Service/app name for log context */
+    service: string;
+    /** Minimum log level (default: 'debug' in dev, 'info' in production) */
+    minLevel?: "debug" | "info" | "warn" | "error";
+    /** Custom output handler (default: console with JSON in prod, pretty in dev) */
+    output?: (level: string, message: string, context: AppLogContext) => void;
+    /** Error reporter callback — called on error() logs */
+    onError?: (message: string, context: AppLogContext) => void;
+}
+/**
+ * Create an application logger.
+ *
+ * @param options - Logger configuration
+ * @returns Structured logger with child, request, job, and timing support
+ */
+declare function createAppLogger(options: AppLoggerOptions): AppLogger;
+
+/**
+ * Redis Client Factory
+ *
+ * Shared ioredis singleton factory with retry strategy and graceful
+ * degradation. All self-hosted apps need a Redis client for rate
+ * limiting, caching, audit logging, webhook deduplication, etc.
+ *
+ * This provides a raw ioredis client — for higher-level cache
+ * operations, use RedisCache from the adapters module.
+ *
+ * @example
+ * ```typescript
+ * import { createRedisClient, getSharedRedis } from '@digilogiclabs/platform-core'
+ *
+ * // Option 1: Shared singleton (recommended for most apps)
+ * const redis = getSharedRedis() // null if REDIS_URL not set
+ *
+ * // Option 2: Custom client with options
+ * const redis = createRedisClient({
+ *   url: process.env.REDIS_URL,
+ *   keyPrefix: 'myapp:',
+ *   maxRetries: 5,
+ * })
+ * ```
+ */
+
+interface RedisClientOptions {
+    /** Redis connection URL (redis://...) */
+    url: string;
+    /** Key prefix for namespace isolation (e.g., 'dll:', 'wian:') */
+    keyPrefix?: string;
+    /** Max retries per request (default: 3) */
+    maxRetries?: number;
+    /** Use lazy connect — don't connect until first command (default: true) */
+    lazyConnect?: boolean;
+    /** Logger for connection events (default: console) */
+    logger?: {
+        error: (msg: string, meta?: Record<string, unknown>) => void;
+        info?: (msg: string, meta?: Record<string, unknown>) => void;
+    };
+    /** Suppress connection error logs (useful for tests) */
+    silent?: boolean;
+}
+/**
+ * Create a new ioredis client with sensible defaults.
+ *
+ * Features:
+ * - Exponential backoff retry strategy (200ms, 400ms, 600ms)
+ * - Automatic reconnection
+ * - Optional key prefix for multi-app isolation
+ * - Connection error logging (suppressible)
+ */
+declare function createRedisClient(options: RedisClientOptions): Redis$2;
+/**
+ * Get the shared Redis client singleton.
+ *
+ * Returns null if REDIS_URL is not configured — callers should
+ * handle this gracefully (fail-open pattern).
+ *
+ * Reads from `REDIS_URL` and optionally `REDIS_KEY_PREFIX`.
+ */
+declare function getSharedRedis(): Redis$2 | null;
+/**
+ * Close the shared Redis client.
+ * Call during graceful shutdown.
+ */
+declare function closeSharedRedis(): Promise<void>;
+
+export { AIChatRequest, AIChatResponse, AICompletionRequest, AICompletionResponse, AIConfig, AIEmbeddingRequest, AIEmbeddingResponse, AIModelConfig, AIModelType, AIProvider, AIStreamCallback, AIStreamChunk, type AIUsageConfig, type AccountCapabilities, type AccountLink, type AccountType, type Address, type AlertType, type AllowlistConfig, AnthropicAdapter, type AnthropicAdapterConfig, type ApiAuthentication, type ApiChangelog, type ApiDocumentation, type ApiEndpoint, ApiError, ApiErrorCode, type ApiErrorCodeType, type ApiExample, type ApiKey, type ApiKeyStatus, type ApiKeyType, type ApiKeyValidationResult, type ApiPaginatedResponse, type ApiParameter, type ApiResponse, type ApiSchema, type ApiSchemaProperty, type ApiSecurityConfig, type ApiSecurityContext, type ApiSuccessResponse, type ApiUsageStats, type ApiUsageTimeSeries, type AppLogContext, type AppLogger, type AppLoggerOptions, AssembledContext, type AuditActor, type AuditCategory, type AuditEvent, AuditEvents, type AuditEvidence, type AuditLogConfig, type AuditOutcome, type AuditQuery, type AuditQueryResult, type AuditRequest, type AuditRetentionPolicy, type AuditStats, type AuditTarget, type AuthConfig, type AuthCookiesConfig, type AuthError, type AuthErrorCode, AuthErrorMessages, type AuthEventType, type AuthMethod, type AuthResult, type AuthSession, type AuthStateChangeCallback, type AuthStorage, type AuthUser, type Balance, type BalanceAmount, type BankAccountDetails, type BatchNotificationOptions, type BillingConfig, type BillingDetails, type BillingPeriod, type Breadcrumb, type Budget, type BudgetStatus, BulkIngestionResult, Bulkhead, type BulkheadOptions, BulkheadRegistry, BulkheadRejectedError, type BulkheadStats, type BullMQConfig, BullMQQueue, type BusinessProfile, type CancelationReason, type CaptureOptions, type CapturePaymentIntentOptions, type CardBrand, type CardDetails, type ChainExecutionResult, CircuitBreaker, type CircuitBreakerOptions, CircuitBreakerRegistry, type CircuitBreakerStats, CircuitOpenError, type CircuitState, type CommandStatus, CommonApiErrors, CommonRateLimits, type ComplianceConfig, type ComplianceReport, type ConfirmPaymentIntentOptions, type ConnectedAccount, type ConnectedAccountStatus, type ConsentPreferences, type ConsentPurpose, type ConsentRecord, type ConsentStatus, ContextAssemblyConfig, type ControlFramework, type ControlStatus, type CorrelationData, type CostBreakdown, type Coupon, type CreateAccountLinkOptions, type CreateApiKeyOptions, CreateCollectionOptions, type CreateConnectedAccountOptions, type CreateCustomerOptions, type CreateDsarOptions, type CreatePaymentIntentOptions, type CreatePayoutOptions, type CreateRefundOptions, type CreateSandboxOptions, type CreateScheduleOptions, type CreateTenantOptions, type CreateTransferOptions, type CreateWebhookOptions, type CreditBalance, type CreditTransaction, type CreditType, type CronExpression, CronPresets, CryptoKeyMetadata, type Currency, type Customer, DEFAULT_BULKHEAD_OPTIONS, DEFAULT_CIRCUIT_BREAKER_OPTIONS, DEFAULT_RETRY_OPTIONS, type DataBreachRecord, type DataCategory, type DataInventoryItem, type DataMap, type DataSensitivity, type DataSubjectRequest, type DataType, DatabaseAIUsage, type DatabaseAIUsageConfig, DatabaseAuditLog, type DatabaseAuditLogConfig, DatabaseBilling, type DatabaseBillingConfig, DatabaseCompliance, DatabaseErrorReporter, type DatabaseErrorReporterConfig, DatabaseNotification, type DatabaseNotificationConfig, DatabasePromptStore, type DatabasePromptStoreConfig, type DateRangeInput, DateRangeSchema, DefaultTimeouts, type DeleteAccountOptions, type DeleteHookContext, type DeliveryAttempt, type DeliveryQuery, type DeliveryStatus, type DeploymentStage, type DetailedHealthResponse, DeterministicEncryptedField, type DevPortalConfig, type DeveloperMetrics, type Device, type DeviceAuthMethod, type DeviceCommand, type DeviceConfig, type DeviceConnectionState, type DeviceCredentials, type DeviceGroup, type DeviceGroupQuery, type DeviceLocation, type DeviceQuery, type DeviceQueryResult, type DeviceShadow, type DeviceStatus, type DirectoryAttributeMapping, type DirectoryConfig, DocumentStatus, type DsarAttachment, type DsarNote, type DsarStatus, type DsarType, type DunningActionType, type DunningAttempt, type DunningConfig, type EmailHookContext, type EmailInput, EmailMessage, EmailResult, EmailSchema, EncryptOptions, EncryptedField, type EnrollMfaOptions, type EnrollMfaResult, type EnvValidationConfig, type EnvValidationResult, type ErrorContext, type ErrorHookContext, type ErrorLevel, type ErrorReport, type ErrorReporterConfig, type EvidenceType, type ExperimentMetrics, type FallbackOptions, type FallbackResult, FallbackStrategies, type FirmwareStatus, type FirmwareUpdate, type FirmwareVersion, type FlagDefinition, type FlagDefinitions, type FlagValue, type GeneratedSdk, GenericOIDCAuthSSO, type GenericOIDCConfig, GoogleAIAdapter, type GoogleAIAdapterConfig, HTML_TAG_PATTERN, type HealthCheckResult, type HealthEndpoints, type HealthEndpointsOptions, type HealthStatus, type HookRegistry, type HttpMethod, HttpWebhook, type HttpWebhookConfig, IAI, type IAIUsage, type IAuditLog, type IAuth, type IAuthSSO, type IBilling, ICache, type ICompliance, ICrypto, IDatabase, type IDevPortal, type IDevice, IEmail, type IErrorReporter, type IHealth, type IHealthCheckable, ILogger, IMetrics, type INotification, type IPayment, IPlatform, type IPromptStore, IQueryBuilder, IQueue, IRAG, type IScheduler, IStorage, type ITenant, type IWebhook, type InboundWebhookConfig, type InboundWebhookContext, IngestionOptions, IngestionResult, type InsertHookContext, type InviteMemberOptions, type Invoice, type InvoiceLineItem, type InvoiceQuery, type InvoiceStatus, Job, JobEventHandler, JobEventType, type JobHookContext, JobOptions, JobState, KEYCLOAK_DEFAULT_ROLES, KeyRotationResult, type KeycloakCallbacksConfig, type KeycloakConfig, type KeycloakJwtFields, type KeycloakTokenSet, type ListTenantsOptions, type LivenessResponse, type LoginInput, LoginSchema, MemoryAIUsage, MemoryAuditLog, type MemoryAuditLogConfig, MemoryAuth, MemoryAuthSSO, MemoryBilling, MemoryCompliance, MemoryCrypto, MemoryDevPortal, MemoryDevice, MemoryErrorReporter, type MemoryErrorReporterConfig, MemoryNotification, type MemoryNotificationConfig, MemoryPayment, MemoryPromptStore, MemoryRateLimiterStorage, MemoryScheduler, type MemorySchedulerConfig, MemoryTenant, MemoryWebhook, type MemoryWebhookConfig, type Meter, type MetricsEndpoint, type MetricsEndpointOptions, MetricsSummary, type MfaChallenge, type MfaFactor, type MfaFactorType, type Middleware, type MiddlewareChain, type MiddlewareChainOptions, type MiddlewareContext, NodeCrypto, type NodeCryptoConfig, type NotificationAction, type NotificationCategory, type NotificationChannel, type NotificationConfig, type NotificationData, type NotificationPreferences, type NotificationPriority, type NotificationQuery, type NotificationResult, type NotificationStats, type NotificationStatus, type NotificationTarget, NotificationTemplates, type OAuthOptions, type OAuthProvider, type OAuthResult, type OidcAuthRequest, type OidcAuthResponse, type OidcClaimMapping, type OidcIdpConfig, OpenAIAdapter, type OpenAIAdapterConfig, type OpsAuditActor, type OpsAuditEvent, type OpsAuditLoggerOptions, type OpsAuditRecord, type OpsAuditResource, PG_ERROR_MAP, type PaginationInput, PaginationSchema, type ParameterLocation, PasswordSchema, type PaymentConfig, type PaymentError, type PaymentErrorCode, PaymentErrorMessages, type PaymentEventType, type PaymentIntent, type PaymentMethod, type PaymentMethodType, type PaymentStatus, type PaymentWebhookEvent, type Payout, type PayoutStatus, PersonNameSchema, PhoneSchema, type PiaMitigation, type PiaRisk, type PiaStatus, PineconeRAG, type PineconeRAGConfig, type PlatformHealthResult, PlatformHealthStatus, type PlatformHooks, type PostgresConfig, PostgresDatabase, PostgresTenant, type PostgresTenantConfig, type Price, type PricingModel, type PricingTier, type PrivacyImpactAssessment, type Product, type Prompt, type PromptChain, type PromptChainStep, type PromptExperiment, type PromptQuery, type PromptQueryResult, type PromptStatus, type PromptStoreConfig, type PromptType, type PromptUsageRecord, type PromptUsageStats, type PromptVariable, type PromptVariant, type PromptVersion, type ProvisioningConfig, type ProvisioningRequest, type ProvisioningResult, type ProvisioningStatus, type PushSubscription, type QueryHookContext, QueryResult, QueueScheduler, type QueueSchedulerConfig, type Quota, type QuotaStatus, type QuotaType, RAGChunk, RAGCollection, RAGConfig, RAGDocument, RAGPipeline, RAGSearchQuery, RAGSearchResponse, RAGSearchResult, type RateLimitAlgorithm, type RateLimitCheckResult, RateLimitError, type RateLimitInfo, type RateLimitOptions, type RateLimitPreset, RateLimitPresets, type RateLimitRule, type RateLimitStore, type RateLimiterStorage, type ReadinessResponse, type RecordConsentOptions, type RedirectCallbackConfig, RedisCache, type RedisClientOptions, type RedisConfig, type Refund, type RefundReason, type RefundStatus, type RenderOptions, type RenderedPrompt, RepeatOptions, ResendEmail, type ResetPasswordOptions, type ResolvedFlags, type RetentionAction, type RetentionExecution, type RetentionPolicy, RetryConfigs, type RetryOptions, RetryPredicates, type RetryResult, type RevenueMetrics, type RiskLevel, type RouteAuditConfig, S3Storage, type SamlAssertion, type SamlAttributeMapping, type SamlAuthRequest, type SamlAuthResponse, type SamlIdpConfig, type SamlNameIdFormat, type SamlSpConfig, type Sandbox, type SandboxConfig, type SandboxLimits, type SandboxStatus, type SandboxUsage, type ScheduleContext, type ScheduleExecution, type ScheduleHandler, type ScheduleQuery, type ScheduleState, type ScheduleUpdateOptions, type ScheduledJob, type SchedulerConfig, type SchedulerStats, type ScimConfig, type ScimUser, type SdkConfig, type SdkFile, type SdkLanguage, type SearchQueryInput, SearchQuerySchema, type SecuritySession, type SendCommandOptions, type SendNotificationOptions, type ServiceHealth, type ShadowDelta, type ShadowMetadata, type ShadowUpdate, type SignInWithEmailOptions, type SignInWithMagicLinkOptions, type SignInWithPhoneOptions, type SignUpWithEmailOptions, type SignatureAlgorithm, type SignupInput, SignupSchema, type SlidingWindowRateLimitOptions, SlugSchema, type SmtpConfig, SmtpEmail, type SsoSession, type StandardAuditActionType, StandardAuditActions, StandardRateLimitPresets, type StartupResponse, StorageFile, type StoredAuditEvent, type StoredNotification, StripePayment, type StripePaymentConfig, type Subscription, type SubscriptionDiscount, type SubscriptionItem, type SubscriptionMetrics, type SubscriptionQuery, type SubscriptionStatus, SupabaseAuth, type SupabaseAuthConfig, SupabaseDatabase, SupabaseStorage, type SupabaseStorageConfig, type TaxBreakdown, type TelemetryMessage, type TelemetryQuery, type TelemetryResult, type Tenant, type TenantBranding, type TenantContext, type TenantDatabaseConfig, type TenantInvitation, type TenantIsolationModel, type TenantMember, type TenantMemberStatus, type TenantQuotas, type TenantResolutionOptions, type TenantResolutionStrategy, type TenantRole, type TenantSecuritySettings, type TenantSettings, type TenantStatus, type TenantUsage, TimeoutError, type TimeoutOptions, type TokenBucketOptions, type TokenRefreshResult, type TosAcceptance, type Transfer, type TransferStatus, URL_DOMAIN_PATTERN, URL_PROTOCOL_PATTERN, type Unsubscribe, type UpdateCustomerOptions, type UpdateHookContext, type UpdatePasswordOptions, type UpdatePaymentIntentOptions, type UpdateScheduleOptions, type UpdateStatus, type UpdateTenantOptions, type UpdateUserOptions, type UpdateWebhookOptions, type UploadHookContext, UploadOptions, UpstashCache, type UsageAlert, type UsageCategory, type UsageEvent, type UsageInterval, type UsageInvoice, type UsageInvoiceItem, type UsageQuery, type UsageQueryResult, type UsageRecord, type UsageSummary, type UsageSummaryRecord, type UsageTrend, type VerificationResult, type VerifyMfaOptions, type VerifyPhoneOtpOptions, type VerifyWebhookOptions, WeaviateRAG, type WeaviateRAGConfig, type WebhookConfig, type WebhookDelivery, type WebhookEndpoint, type WebhookEvent, WebhookEventTypes, type WebhookQuery, type WebhookState, type WebhookStats, type WebhookTestEndpoint, type WebhookTestEvent, WrapperPresets, buildAllowlist, buildAuthCookies, buildErrorBody, buildKeycloakCallbacks, buildPagination, buildRateLimitHeaders, buildRateLimitResponseHeaders, buildRedirectCallback, buildTokenRefreshParams, calculateRetryDelay, checkEnvVars, checkRateLimit, classifyError, closeSharedRedis, composeHookRegistries, constantTimeEqual, containsHtml, containsUrls, correlationContext, createAnthropicAdapter, createAppLogger, createAuditActor, createAuditLogger, createAuthError, createBulkhead, createCacheMiddleware, createCachedFallback, createCircuitBreaker, createDefaultPreferences, createErrorReport, createExpressHealthHandlers, createExpressMetricsHandler, createFeatureFlags, createGoogleAIAdapter, createHealthEndpoints, createHealthServer, createHookRegistry, createIpKeyGenerator, createJobContext, createLoggingMiddleware, createMemoryRateLimitStore, createMetricsEndpoint, createMetricsMiddleware, createMetricsServer, createMiddlewareChain, createMiddlewareContext, createObservabilityServer, createOpenAIAdapter, createPaymentError, createPineconeRAG, createRateLimitMiddleware, createRedisClient, createRequestContext, createRequestIdMiddleware, createSafeTextSchema, createSlowQueryMiddleware, createTenantMiddleware, createTimeoutMiddleware, createUserKeyGenerator, createWeaviateRAG, defangUrl, describeCron, detectStage, escapeHtml, extractAuditIp, extractAuditRequestId, extractAuditUserAgent, extractClientIp, filterChannelsByPreferences, formatAmount, generateAuditId, generateChecksum, generateDeliveryId, generateErrorId, generateEventId, generateFingerprint, generateNotificationId, generatePaymentId, generateScheduleId, generateSecureToken, generateWebhookId, generateWebhookSecret, getBoolEnv, getContext, getCorrelationId, getEndSessionEndpoint, getEnvSummary, getIntEnv, getLogMeta, getNextCronRun, getOptionalEnv, getRateLimitStatus, getRequestId, getRequiredEnv, getSharedRedis, getTenantId, getTokenEndpoint, getTraceId, getUserId, hasAllRoles, hasAnyRole, hasRole, isAllowlisted, isApiError, isAuthError, isInContext, isInQuietHours, isPaymentError, isTokenExpired, isValidCron, matchAction, matchEventType, parseKeycloakRoles, raceTimeout, refreshKeycloakToken, resetRateLimitForKey, resolveIdentifier, resolveRateLimitIdentifier, retryable, runWithContext, runWithContextAsync, sanitizeApiError, sanitizeForEmail, stripHtml, timedHealthCheck, toHealthCheckResult, validateEnvVars, withCorrelation, withCorrelationAsync, withFallback, withFallbackChain, withFallbackResult, withRetry, withRetryResult, withTimeout, withTimeoutWrapper };