@digilogiclabs/platform-core 1.3.0 → 1.5.0

package/dist/index.js

@@ -409,10 +409,11 @@ var init_IAI = __esm({
 });
 
 // src/interfaces/IRAG.ts
-var ChunkingPresets, MemoryRAG;
+var import_crypto13, ChunkingPresets, MemoryRAG;
 var init_IRAG = __esm({
   "src/interfaces/IRAG.ts"() {
     "use strict";
+    import_crypto13 = require("crypto");
     ChunkingPresets = {
       default: {
         strategy: "recursive",
@@ -538,7 +539,7 @@ var init_IRAG = __esm({
       }
       async ingestOne(collection, document, options) {
         const startTime = Date.now();
-        const docId = `doc_${Date.now()}_${Math.random().toString(36).substring(7)}`;
+        const docId = `doc_${Date.now()}_${(0, import_crypto13.randomBytes)(4).toString("hex")}`;
         const now = /* @__PURE__ */ new Date();
         try {
           const col = await this.getCollection(collection);
@@ -1107,10 +1108,11 @@ function toPoolConfig(config) {
   }
   return poolConfig;
 }
-var PostgresDatabase, TransactionDatabase, PostgresQueryBuilder;
+var import_crypto22, PostgresDatabase, TransactionDatabase, PostgresQueryBuilder;
 var init_PostgresDatabase = __esm({
   "src/adapters/postgres/PostgresDatabase.ts"() {
     "use strict";
+    import_crypto22 = require("crypto");
     PostgresDatabase = class _PostgresDatabase {
       pool;
       config;
@@ -1231,7 +1233,7 @@ var init_PostgresDatabase = __esm({
         }
       }
       async transaction(fn) {
-        const savepointName = `sp_${Date.now()}_${Math.random().toString(36).slice(2)}`;
+        const savepointName = `sp_${Date.now()}_${(0, import_crypto22.randomBytes)(4).toString("hex")}`;
         try {
           await this.client.query(`SAVEPOINT ${savepointName}`);
           const result = await fn(this);
@@ -1759,7 +1761,7 @@ var init_RedisCache = __esm({
        * Create a RedisCache from configuration
        */
       static async create(config) {
-        const { default: Redis } = await import("ioredis");
+        const { default: Redis2 } = await import("ioredis");
         let client;
         if (config.cluster) {
           const { Cluster } = await import("ioredis");
@@ -1772,7 +1774,7 @@ var init_RedisCache = __esm({
             }
           });
         } else if (config.sentinel) {
-          client = new Redis({
+          client = new Redis2({
             sentinels: config.sentinel.sentinels,
             name: config.sentinel.name,
             password: config.password,
@@ -1781,7 +1783,7 @@ var init_RedisCache = __esm({
           });
         } else {
           const options = toIORedisOptions(config);
-          client = typeof options === "string" ? new Redis(options) : new Redis(options);
+          client = typeof options === "string" ? new Redis2(options) : new Redis2(options);
         }
         if (!config.lazyConnect) {
           await new Promise((resolve, reject) => {
@@ -1915,9 +1917,9 @@ var init_RedisCache = __esm({
       }
       async subscribe(channel, callback) {
         if (!this.subscriberClient) {
-          const { default: Redis } = await import("ioredis");
+          const { default: Redis2 } = await import("ioredis");
           const options = toIORedisOptions(this.config);
-          this.subscriberClient = typeof options === "string" ? new Redis(options) : new Redis(options);
+          this.subscriberClient = typeof options === "string" ? new Redis2(options) : new Redis2(options);
           this.subscriberClient.on("message", (ch, message) => {
             const callbacks = this.subscriptions.get(ch);
             if (callbacks) {
@@ -5470,11 +5472,12 @@ __export(PineconeRAG_exports, {
 function createPineconeRAG(config) {
   return new PineconeRAG(config);
 }
-var PineconeRAG;
+var import_crypto23, PineconeRAG;
 var init_PineconeRAG = __esm({
   "src/adapters/pinecone/PineconeRAG.ts"() {
     "use strict";
     init_IRAG();
+    import_crypto23 = require("crypto");
     PineconeRAG = class {
       client = null;
       index = null;
@@ -5624,7 +5627,7 @@ var init_PineconeRAG = __esm({
           throw new Error(`Collection ${collection} not found`);
         }
         const now = /* @__PURE__ */ new Date();
-        const documentId = `doc_${Date.now()}_${Math.random().toString(36).substring(2, 9)}`;
+        const documentId = `doc_${Date.now()}_${(0, import_crypto23.randomBytes)(4).toString("hex")}`;
         const doc = {
           id: documentId,
           source: document.source,
@@ -6191,11 +6194,12 @@ __export(WeaviateRAG_exports, {
 function createWeaviateRAG(config) {
   return new WeaviateRAG(config);
 }
-var WeaviateRAG;
+var import_crypto24, WeaviateRAG;
 var init_WeaviateRAG = __esm({
   "src/adapters/weaviate/WeaviateRAG.ts"() {
     "use strict";
     init_IRAG();
+    import_crypto24 = require("crypto");
     WeaviateRAG = class {
       client = null;
       config;
@@ -6382,7 +6386,7 @@ var init_WeaviateRAG = __esm({
         const client = await this.getClient();
         const className = this.getClassName(collection);
         const now = /* @__PURE__ */ new Date();
-        const documentId = `doc_${Date.now()}_${Math.random().toString(36).substring(2, 9)}`;
+        const documentId = `doc_${Date.now()}_${(0, import_crypto24.randomBytes)(4).toString("hex")}`;
         const doc = {
           id: documentId,
           source: document.source,
@@ -6957,6 +6961,175 @@ var init_WeaviateRAG = __esm({
   }
 });
 
+// src/adapters/node-crypto/NodeCrypto.ts
+var NodeCrypto_exports = {};
+__export(NodeCrypto_exports, {
+  NodeCrypto: () => NodeCrypto
+});
+var import_crypto25, NodeCrypto;
+var init_NodeCrypto = __esm({
+  "src/adapters/node-crypto/NodeCrypto.ts"() {
+    "use strict";
+    import_crypto25 = require("crypto");
+    NodeCrypto = class {
+      masterKey;
+      hmacKey;
+      keys = /* @__PURE__ */ new Map();
+      activeKeyId;
+      keyCounter = 0;
+      constructor(config) {
+        if (!config.masterKey || config.masterKey.length < 64) {
+          throw new Error(
+            "NodeCrypto requires a 256-bit master key (64 hex characters)"
+          );
+        }
+        this.masterKey = Buffer.from(config.masterKey, "hex");
+        this.hmacKey = config.hmacKey ? Buffer.from(config.hmacKey, "hex") : Buffer.from((0, import_crypto25.hkdfSync)("sha256", this.masterKey, "", "hmac-key", 32));
+        const keyId = this.generateKeyId();
+        const dek = this.deriveDEK(keyId);
+        this.keys.set(keyId, {
+          id: keyId,
+          dek,
+          status: "active",
+          createdAt: /* @__PURE__ */ new Date()
+        });
+        this.activeKeyId = keyId;
+      }
+      async encrypt(plaintext, options) {
+        const keyId = options?.keyId || this.activeKeyId;
+        const stored = this.keys.get(keyId);
+        if (!stored) {
+          throw new Error(`Key not found: ${keyId}`);
+        }
+        if (stored.status === "retired") {
+          throw new Error(`Key is retired and cannot encrypt: ${keyId}`);
+        }
+        if (stored.status === "decrypt-only" && !options?.keyId) {
+          throw new Error(`Key is decrypt-only: ${keyId}`);
+        }
+        const iv = (0, import_crypto25.randomBytes)(12);
+        const cipher = (0, import_crypto25.createCipheriv)("aes-256-gcm", stored.dek, iv);
+        if (options?.aad) {
+          cipher.setAAD(Buffer.from(options.aad, "utf8"));
+        }
+        const encrypted = Buffer.concat([
+          cipher.update(plaintext, "utf8"),
+          cipher.final()
+        ]);
+        const tag = cipher.getAuthTag();
+        return {
+          ciphertext: encrypted.toString("base64"),
+          iv: iv.toString("base64"),
+          tag: tag.toString("base64"),
+          keyId,
+          algorithm: "aes-256-gcm",
+          version: 1
+        };
+      }
+      async decrypt(field, options) {
+        const stored = this.keys.get(field.keyId);
+        if (!stored) {
+          throw new Error(`Key not found: ${field.keyId}`);
+        }
+        if (stored.status === "retired") {
+          throw new Error(`Key is retired and cannot decrypt: ${field.keyId}`);
+        }
+        const decipher = (0, import_crypto25.createDecipheriv)(
+          "aes-256-gcm",
+          stored.dek,
+          Buffer.from(field.iv, "base64")
+        );
+        decipher.setAuthTag(Buffer.from(field.tag, "base64"));
+        if (options?.aad) {
+          decipher.setAAD(Buffer.from(options.aad, "utf8"));
+        }
+        const decrypted = Buffer.concat([
+          decipher.update(Buffer.from(field.ciphertext, "base64")),
+          decipher.final()
+        ]);
+        return decrypted.toString("utf8");
+      }
+      async encryptDeterministic(plaintext, options) {
+        const hash = await this.computeHash(plaintext);
+        const encrypted = await this.encrypt(plaintext, options);
+        return { hash, encrypted };
+      }
+      async computeHash(plaintext) {
+        return (0, import_crypto25.createHmac)("sha256", this.hmacKey).update(plaintext, "utf8").digest("hex");
+      }
+      async encryptBatch(fields, options) {
+        const result = {};
+        for (const [key, value] of Object.entries(fields)) {
+          result[key] = await this.encrypt(value, options);
+        }
+        return result;
+      }
+      async decryptBatch(fields, options) {
+        const result = {};
+        for (const [key, value] of Object.entries(fields)) {
+          result[key] = await this.decrypt(value, options);
+        }
+        return result;
+      }
+      async rotateKey() {
+        const previousKeyId = this.activeKeyId;
+        const currentKey = this.keys.get(previousKeyId);
+        if (currentKey) {
+          currentKey.status = "decrypt-only";
+        }
+        const newKeyId = this.generateKeyId();
+        const dek = this.deriveDEK(newKeyId);
+        this.keys.set(newKeyId, {
+          id: newKeyId,
+          dek,
+          status: "active",
+          createdAt: /* @__PURE__ */ new Date()
+        });
+        this.activeKeyId = newKeyId;
+        return { newKeyId, previousKeyId };
+      }
+      async reEncrypt(field, options) {
+        const plaintext = await this.decrypt(field);
+        return this.encrypt(plaintext, options);
+      }
+      async listKeys() {
+        return Array.from(this.keys.values()).map((k) => ({
+          keyId: k.id,
+          createdAt: k.createdAt,
+          status: k.status
+        }));
+      }
+      async getActiveKeyId() {
+        return this.activeKeyId;
+      }
+      async healthCheck() {
+        try {
+          const testPlain = "health-check-" + (0, import_crypto25.randomBytes)(4).toString("hex");
+          const encrypted = await this.encrypt(testPlain);
+          const decrypted = await this.decrypt(encrypted);
+          return decrypted === testPlain;
+        } catch {
+          return false;
+        }
+      }
+      /**
+       * Derive a Data Encryption Key from the master key using HKDF.
+       */
+      deriveDEK(keyId) {
+        return Buffer.from(
+          (0, import_crypto25.hkdfSync)("sha256", this.masterKey, keyId, "dek-derivation", 32)
+        );
+      }
+      generateKeyId() {
+        this.keyCounter++;
+        const timestamp = Date.now().toString(36);
+        const random = (0, import_crypto25.randomBytes)(4).toString("hex");
+        return `dek_${timestamp}_${random}_${this.keyCounter}`;
+      }
+    };
+  }
+});
+
 // src/index.ts
 var src_exports = {};
 __export(src_exports, {
@@ -6981,9 +7154,11 @@ __export(src_exports, {
   CircuitBreakerRegistry: () => CircuitBreakerRegistry,
   CircuitOpenError: () => CircuitOpenError,
   CommonApiErrors: () => CommonApiErrors,
+  CommonRateLimits: () => CommonRateLimits,
   ConsoleEmail: () => ConsoleEmail,
   ConsoleLogger: () => ConsoleLogger,
   CronPresets: () => CronPresets,
+  CryptoConfigSchema: () => CryptoConfigSchema,
   DEFAULT_BULKHEAD_OPTIONS: () => DEFAULT_BULKHEAD_OPTIONS,
   DEFAULT_CIRCUIT_BREAKER_OPTIONS: () => DEFAULT_CIRCUIT_BREAKER_OPTIONS,
   DEFAULT_RETRY_OPTIONS: () => DEFAULT_RETRY_OPTIONS,
@@ -6996,17 +7171,21 @@ __export(src_exports, {
   DatabaseNotification: () => DatabaseNotification,
   DatabasePromptStore: () => DatabasePromptStore,
   DatabaseProviderSchema: () => DatabaseProviderSchema,
+  DateRangeSchema: () => DateRangeSchema,
   DefaultTimeouts: () => DefaultTimeouts,
   EmailConfigSchema: () => EmailConfigSchema,
   EmailProviderSchema: () => EmailProviderSchema,
+  EmailSchema: () => EmailSchema,
   EnvSecrets: () => EnvSecrets,
   FallbackStrategies: () => FallbackStrategies,
   GenericOIDCAuthSSO: () => GenericOIDCAuthSSO,
   GoogleAIAdapter: () => GoogleAIAdapter,
   HTML_TAG_PATTERN: () => HTML_TAG_PATTERN,
   HttpWebhook: () => HttpWebhook,
+  KEYCLOAK_DEFAULT_ROLES: () => KEYCLOAK_DEFAULT_ROLES,
   LogLevelSchema: () => LogLevelSchema,
   LoggingConfigSchema: () => LoggingConfigSchema,
+  LoginSchema: () => LoginSchema,
   MemoryAI: () => MemoryAI,
   MemoryAIUsage: () => MemoryAIUsage,
   MemoryAuditLog: () => MemoryAuditLog,
@@ -7015,6 +7194,7 @@ __export(src_exports, {
   MemoryBilling: () => MemoryBilling,
   MemoryCache: () => MemoryCache,
   MemoryCompliance: () => MemoryCompliance,
+  MemoryCrypto: () => MemoryCrypto,
   MemoryDatabase: () => MemoryDatabase,
   MemoryDevPortal: () => MemoryDevPortal,
   MemoryDevice: () => MemoryDevice,
@@ -7036,6 +7216,7 @@ __export(src_exports, {
   MetricsConfigSchema: () => MetricsConfigSchema,
   MiddlewareConfigSchema: () => MiddlewareConfigSchema,
   Migrator: () => Migrator,
+  NodeCrypto: () => NodeCrypto,
   NoopLogger: () => NoopLogger,
   NoopMetrics: () => NoopMetrics,
   NoopTracing: () => NoopTracing,
@@ -7043,7 +7224,11 @@ __export(src_exports, {
   ObservabilityConfigSchema: () => ObservabilityConfigSchema,
   OpenAIAdapter: () => OpenAIAdapter,
   PG_ERROR_MAP: () => PG_ERROR_MAP,
+  PaginationSchema: () => PaginationSchema,
+  PasswordSchema: () => PasswordSchema,
   PaymentErrorMessages: () => PaymentErrorMessages,
+  PersonNameSchema: () => PersonNameSchema,
+  PhoneSchema: () => PhoneSchema,
   PineconeRAG: () => PineconeRAG,
   PlatformConfigSchema: () => PlatformConfigSchema,
   PostgresDatabase: () => PostgresDatabase,
@@ -7063,7 +7248,14 @@ __export(src_exports, {
   RetryPredicates: () => RetryPredicates,
   S3Storage: () => S3Storage,
   SQL: () => SQL,
+  SearchQuerySchema: () => SearchQuerySchema,
+  SecurityConfigSchema: () => SecurityConfigSchema,
+  SecurityHeaderPresets: () => SecurityHeaderPresets,
+  SignupSchema: () => SignupSchema,
+  SlugSchema: () => SlugSchema,
   SmtpEmail: () => SmtpEmail,
+  StandardAuditActions: () => StandardAuditActions,
+  StandardRateLimitPresets: () => StandardRateLimitPresets,
   StorageConfigSchema: () => StorageConfigSchema,
   StorageProviderSchema: () => StorageProviderSchema,
   StripePayment: () => StripePayment,
@@ -7079,16 +7271,32 @@ __export(src_exports, {
   UpstashCache: () => UpstashCache,
   WeaviateRAG: () => WeaviateRAG,
   WebhookEventTypes: () => WebhookEventTypes,
+  WrapperPresets: () => WrapperPresets,
+  buildAllowlist: () => buildAllowlist,
+  buildAuthCookies: () => buildAuthCookies,
+  buildErrorBody: () => buildErrorBody,
+  buildKeycloakCallbacks: () => buildKeycloakCallbacks,
   buildPagination: () => buildPagination,
+  buildRateLimitHeaders: () => buildRateLimitHeaders,
+  buildRateLimitResponseHeaders: () => buildRateLimitResponseHeaders,
+  buildRedirectCallback: () => buildRedirectCallback,
+  buildTokenRefreshParams: () => buildTokenRefreshParams,
   calculateBackoff: () => calculateBackoff,
   calculateRetryDelay: () => calculateRetryDelay,
+  checkEnvVars: () => checkEnvVars,
+  checkRateLimit: () => checkRateLimit,
   classifyError: () => classifyError,
+  closeSharedRedis: () => closeSharedRedis,
   composeHookRegistries: () => composeHookRegistries,
+  constantTimeEqual: () => constantTimeEqual,
   containsHtml: () => containsHtml,
   containsUrls: () => containsUrls,
   correlationContext: () => correlationContext,
   createAIError: () => createAIError,
   createAnthropicAdapter: () => createAnthropicAdapter,
+  createAppLogger: () => createAppLogger,
+  createAuditActor: () => createAuditActor,
+  createAuditLogger: () => createAuditLogger,
   createAuthError: () => createAuthError,
   createBulkhead: () => createBulkhead,
   createCacheMiddleware: () => createCacheMiddleware,
@@ -7099,6 +7307,7 @@ __export(src_exports, {
   createErrorReport: () => createErrorReport,
   createExpressHealthHandlers: () => createExpressHealthHandlers,
   createExpressMetricsHandler: () => createExpressMetricsHandler,
+  createFeatureFlags: () => createFeatureFlags,
   createGoogleAIAdapter: () => createGoogleAIAdapter,
   createHealthEndpoints: () => createHealthEndpoints,
   createHealthServer: () => createHealthServer,
@@ -7106,6 +7315,7 @@ __export(src_exports, {
   createIpKeyGenerator: () => createIpKeyGenerator,
   createJobContext: () => createJobContext,
   createLoggingMiddleware: () => createLoggingMiddleware,
+  createMemoryRateLimitStore: () => createMemoryRateLimitStore,
   createMetricsEndpoint: () => createMetricsEndpoint,
   createMetricsMiddleware: () => createMetricsMiddleware,
   createMetricsServer: () => createMetricsServer,
@@ -7119,8 +7329,10 @@ __export(src_exports, {
   createPlatform: () => createPlatform,
   createPlatformAsync: () => createPlatformAsync,
   createRateLimitMiddleware: () => createRateLimitMiddleware,
+  createRedisClient: () => createRedisClient,
   createRequestContext: () => createRequestContext,
   createRequestIdMiddleware: () => createRequestIdMiddleware,
+  createSafeTextSchema: () => createSafeTextSchema,
   createScopedMetrics: () => createScopedMetrics,
   createSlowQueryMiddleware: () => createSlowQueryMiddleware,
   createSsoOidcConfigsTable: () => createSsoOidcConfigsTable,
@@ -7137,8 +7349,13 @@ __export(src_exports, {
   defangUrl: () => defangUrl,
   defineMigration: () => defineMigration,
   describeCron: () => describeCron,
+  detectStage: () => detectStage,
   enterpriseMigrations: () => enterpriseMigrations,
   escapeHtml: () => escapeHtml,
+  extractAuditIp: () => extractAuditIp,
+  extractAuditRequestId: () => extractAuditRequestId,
+  extractAuditUserAgent: () => extractAuditUserAgent,
+  extractClientIp: () => extractClientIp,
   filterChannelsByPreferences: () => filterChannelsByPreferences,
   formatAmount: () => formatAmount,
   generateAuditId: () => generateAuditId,
@@ -7152,40 +7369,62 @@ __export(src_exports, {
   generatePaymentId: () => generatePaymentId,
   generateScheduleId: () => generateScheduleId,
   generateSecureToken: () => generateSecureToken,
+  generateSecurityHeaders: () => generateSecurityHeaders,
   generateVersion: () => generateVersion,
   generateWebhookId: () => generateWebhookId,
   generateWebhookSecret: () => generateWebhookSecret,
+  getBoolEnv: () => getBoolEnv,
   getContext: () => getContext,
-  getCorrelationId: () => getCorrelationId,
+  getCorrelationId: () => getCorrelationId2,
   getDefaultConfig: () => getDefaultConfig,
+  getEndSessionEndpoint: () => getEndSessionEndpoint,
   getEnterpriseMigrations: () => getEnterpriseMigrations,
+  getEnvSummary: () => getEnvSummary,
+  getIntEnv: () => getIntEnv,
   getLogMeta: () => getLogMeta,
   getNextCronRun: () => getNextCronRun,
+  getOptionalEnv: () => getOptionalEnv,
+  getRateLimitStatus: () => getRateLimitStatus,
   getRequestId: () => getRequestId,
+  getRequiredEnv: () => getRequiredEnv,
+  getSharedRedis: () => getSharedRedis,
   getTenantId: () => getTenantId,
+  getTokenEndpoint: () => getTokenEndpoint,
   getTraceId: () => getTraceId,
   getUserId: () => getUserId,
+  hasAllRoles: () => hasAllRoles,
+  hasAnyRole: () => hasAnyRole,
+  hasRole: () => hasRole,
   isAIError: () => isAIError,
+  isAllowlisted: () => isAllowlisted,
   isApiError: () => isApiError,
   isAuthError: () => isAuthError,
   isInContext: () => isInContext,
   isInQuietHours: () => isInQuietHours,
   isPaymentError: () => isPaymentError,
+  isTokenExpired: () => isTokenExpired,
   isValidCron: () => isValidCron,
   loadConfig: () => loadConfig,
   matchAction: () => matchAction,
   matchEventType: () => matchEventType,
+  parseKeycloakRoles: () => parseKeycloakRoles,
   raceTimeout: () => raceTimeout,
+  refreshKeycloakToken: () => refreshKeycloakToken,
+  resetRateLimitForKey: () => resetRateLimitForKey,
+  resolveIdentifier: () => resolveIdentifier,
+  resolveRateLimitIdentifier: () => resolveRateLimitIdentifier,
   retryable: () => retryable,
   runWithContext: () => runWithContext,
   runWithContextAsync: () => runWithContextAsync,
   safeValidateConfig: () => safeValidateConfig,
+  sanitizeApiError: () => sanitizeApiError,
   sanitizeForEmail: () => sanitizeForEmail,
   sqlMigration: () => sqlMigration,
   stripHtml: () => stripHtml,
   timedHealthCheck: () => timedHealthCheck,
   toHealthCheckResult: () => toHealthCheckResult,
   validateConfig: () => validateConfig,
+  validateEnvVars: () => validateEnvVars,
   withCorrelation: () => withCorrelation,
   withCorrelationAsync: () => withCorrelationAsync,
   withFallback: () => withFallback,
@@ -7199,6 +7438,7 @@ __export(src_exports, {
 module.exports = __toCommonJS(src_exports);
 
 // src/interfaces/IQueue.ts
+var import_crypto = require("crypto");
 function calculateBackoff(attempt, options) {
   if (options.type === "fixed") {
     return options.delay;
@@ -7209,7 +7449,7 @@ function calculateBackoff(attempt, options) {
 }
 function generateJobId() {
   const timestamp = Date.now().toString(36);
-  const random = Math.random().toString(36).substring(2, 10);
+  const random = (0, import_crypto.randomBytes)(4).toString("hex");
   return `job_${timestamp}_${random}`;
 }
 
@@ -7560,6 +7800,7 @@ function createScopedMetrics(metrics, prefix, defaultTags = {}) {
 }
 
 // src/interfaces/ISecrets.ts
+var import_crypto2 = require("crypto");
 var EnvSecrets = class {
   prefix;
   cache = /* @__PURE__ */ new Map();
@@ -7760,12 +8001,7 @@ var MemorySecrets = class {
     return true;
   }
   generateSecureValue(length = 32) {
-    const chars = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*";
-    let result = "";
-    for (let i = 0; i < length; i++) {
-      result += chars[Math.floor(Math.random() * chars.length)];
-    }
-    return result;
+    return (0, import_crypto2.randomBytes)(length).toString("base64url").slice(0, length);
   }
   /**
    * Clear all secrets (for testing)
@@ -7783,6 +8019,7 @@ var MemorySecrets = class {
 };
 
 // src/interfaces/ITracing.ts
+var import_crypto3 = require("crypto");
 var MemorySpan = class {
   name;
   context;
@@ -7802,7 +8039,7 @@ var MemorySpan = class {
     };
   }
   generateSpanId() {
-    return Math.random().toString(16).substring(2, 18).padStart(16, "0");
+    return (0, import_crypto3.randomBytes)(8).toString("hex");
   }
   setAttribute(key, value) {
     this._attributes[key] = value;
@@ -7862,7 +8099,7 @@ var MemoryTracing = class {
     this.traceId = this.generateTraceId();
   }
   generateTraceId() {
-    return Math.random().toString(16).substring(2, 34).padStart(32, "0");
+    return (0, import_crypto3.randomBytes)(16).toString("hex");
   }
   startSpan(name, options) {
     const span = new MemorySpan(
@@ -8015,9 +8252,10 @@ var NoopTracing = class {
 };
 
 // src/interfaces/IErrorReporter.ts
+var import_crypto4 = require("crypto");
 function generateErrorId() {
   const timestamp = Date.now().toString(36);
-  const random = Math.random().toString(36).substring(2, 10);
+  const random = (0, import_crypto4.randomBytes)(4).toString("hex");
   return `err_${timestamp}_${random}`;
 }
 function generateFingerprint(error) {
@@ -8061,9 +8299,10 @@ function createErrorReport(error, context, options) {
 }
 
 // src/interfaces/IAuditLog.ts
+var import_crypto5 = require("crypto");
 function generateAuditId() {
   const timestamp = Date.now().toString(36);
-  const random = Math.random().toString(36).substring(2, 10);
+  const random = (0, import_crypto5.randomBytes)(4).toString("hex");
   return `aud_${timestamp}${random}`;
 }
 function generateChecksum(event) {
@@ -8229,9 +8468,10 @@ var AuditEvents = {
 };
 
 // src/interfaces/IScheduler.ts
+var import_crypto6 = require("crypto");
 function generateScheduleId() {
   const timestamp = Date.now().toString(36);
-  const random = Math.random().toString(36).substring(2, 8);
+  const random = (0, import_crypto6.randomBytes)(4).toString("hex");
   return `sch_${timestamp}${random}`;
 }
 function getNextCronRun(cron, after = /* @__PURE__ */ new Date(), timezone) {
@@ -8290,28 +8530,24 @@ function describeCron(cron) {
 }
 
 // src/interfaces/IWebhook.ts
+var import_crypto7 = require("crypto");
 function generateWebhookId() {
   const timestamp = Date.now().toString(36);
-  const random = Math.random().toString(36).substring(2, 10);
+  const random = (0, import_crypto7.randomBytes)(6).toString("hex");
   return `wh_${timestamp}${random}`;
 }
 function generateDeliveryId() {
   const timestamp = Date.now().toString(36);
-  const random = Math.random().toString(36).substring(2, 10);
+  const random = (0, import_crypto7.randomBytes)(6).toString("hex");
   return `del_${timestamp}${random}`;
 }
 function generateEventId() {
   const timestamp = Date.now().toString(36);
-  const random = Math.random().toString(36).substring(2, 10);
+  const random = (0, import_crypto7.randomBytes)(6).toString("hex");
   return `evt_${timestamp}${random}`;
 }
 function generateWebhookSecret(length = 32) {
-  const chars = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";
-  let secret = "whsec_";
-  for (let i = 0; i < length; i++) {
-    secret += chars.charAt(Math.floor(Math.random() * chars.length));
-  }
-  return secret;
+  return `whsec_${(0, import_crypto7.randomBytes)(length).toString("base64url").slice(0, length)}`;
 }
 function matchEventType(eventType, pattern) {
   if (eventType === pattern || pattern === "*" || pattern === "**") {
@@ -8388,9 +8624,10 @@ var WebhookEventTypes = {
 };
 
 // src/interfaces/INotification.ts
+var import_crypto8 = require("crypto");
 function generateNotificationId() {
   const timestamp = Date.now().toString(36);
-  const random = Math.random().toString(36).substring(2, 10);
+  const random = (0, import_crypto8.randomBytes)(4).toString("hex");
   return `notif_${timestamp}${random}`;
 }
 function isInQuietHours(preferences) {
@@ -8880,6 +9117,7 @@ var MemoryAuth = class {
 };
 
 // src/interfaces/IPayment.ts
+var import_crypto9 = require("crypto");
 function createPaymentError(code, message, originalError) {
   return { code, message, originalError };
 }
@@ -8911,7 +9149,7 @@ function formatAmount(amount, currency, locale = "en-US") {
 }
 function generatePaymentId(prefix = "pi") {
   const timestamp = Date.now().toString(36);
-  const random = Math.random().toString(36).substring(2, 10);
+  const random = (0, import_crypto9.randomBytes)(8).toString("hex");
   return `${prefix}_${timestamp}${random}`;
 }
 var MemoryPayment = class {
@@ -8969,7 +9207,7 @@ var MemoryPayment = class {
       amount: options.amount,
       currency: options.currency,
       status: options.paymentMethodId ? "requires_confirmation" : "requires_payment_method",
-      clientSecret: `${id}_secret_${Math.random().toString(36).substring(2, 15)}`,
+      clientSecret: `${id}_secret_${(0, import_crypto9.randomBytes)(16).toString("base64url")}`,
       metadata: options.metadata,
       description: options.description,
       receiptEmail: options.receiptEmail,
@@ -9284,6 +9522,7 @@ var MemoryPayment = class {
 };
 
 // src/interfaces/IAuthSSO.ts
+var import_crypto10 = require("crypto");
 var MemoryAuthSSO = class {
   samlConfigs = /* @__PURE__ */ new Map();
   oidcConfigs = /* @__PURE__ */ new Map();
@@ -9315,7 +9554,7 @@ var MemoryAuthSSO = class {
     if (!config) {
       throw new Error("SAML not configured for tenant");
     }
-    const id = `_${Math.random().toString(36).substring(2)}`;
+    const id = `_${(0, import_crypto10.randomBytes)(8).toString("hex")}`;
     return {
       id,
       redirectUrl: `${config.ssoUrl}?SAMLRequest=mock_request&RelayState=${options.relayState ?? ""}`,
@@ -9327,7 +9566,7 @@ var MemoryAuthSSO = class {
   }
   async processSamlResponse(_samlResponse, _relayState) {
     const user = {
-      id: `saml_${Math.random().toString(36).substring(2)}`,
+      id: `saml_${(0, import_crypto10.randomBytes)(8).toString("hex")}`,
       email: "saml.user@example.com",
       emailVerified: true,
       metadata: { ssoProvider: "saml" },
@@ -9337,7 +9576,7 @@ var MemoryAuthSSO = class {
       success: true,
       user,
       session: {
-        accessToken: `saml_token_${Math.random().toString(36)}`,
+        accessToken: `saml_token_${(0, import_crypto10.randomBytes)(8).toString("hex")}`,
         expiresAt: new Date(Date.now() + 36e5),
         user
       },
@@ -9374,8 +9613,8 @@ var MemoryAuthSSO = class {
   }
   // OIDC Authentication
   async initiateOidcLogin(options) {
-    const state = options.state ?? Math.random().toString(36).substring(2);
-    const nonce = Math.random().toString(36).substring(2);
+    const state = options.state ?? (0, import_crypto10.randomBytes)(8).toString("hex");
+    const nonce = (0, import_crypto10.randomBytes)(8).toString("hex");
     return {
       state,
       redirectUrl: `https://idp.example.com/authorize?client_id=mock&redirect_uri=${encodeURIComponent(options.redirectUri)}&state=${state}`,
@@ -9386,7 +9625,7 @@ var MemoryAuthSSO = class {
   }
   async processOidcCallback(_code, _state, _codeVerifier) {
     const user = {
-      id: `oidc_${Math.random().toString(36).substring(2)}`,
+      id: `oidc_${(0, import_crypto10.randomBytes)(8).toString("hex")}`,
       email: "oidc.user@example.com",
       emailVerified: true,
       metadata: { ssoProvider: "oidc" },
@@ -9396,7 +9635,7 @@ var MemoryAuthSSO = class {
       success: true,
       user,
       session: {
-        accessToken: `oidc_token_${Math.random().toString(36)}`,
+        accessToken: `oidc_token_${(0, import_crypto10.randomBytes)(8).toString("hex")}`,
         expiresAt: new Date(Date.now() + 36e5),
         user
       },
@@ -9405,7 +9644,7 @@ var MemoryAuthSSO = class {
   }
   async refreshOidcTokens(_refreshToken, _tenantId) {
     return {
-      accessToken: `refreshed_token_${Math.random().toString(36)}`,
+      accessToken: `refreshed_token_${(0, import_crypto10.randomBytes)(8).toString("hex")}`,
       expiresIn: 3600
     };
   }
@@ -9435,7 +9674,7 @@ var MemoryAuthSSO = class {
   }
   // SCIM
   async configureScim(config) {
-    const token = `scim_token_${Math.random().toString(36)}`;
+    const token = `scim_token_${(0, import_crypto10.randomBytes)(8).toString("hex")}`;
     this.scimConfigs.set(config.tenantId, { ...config, bearerToken: token });
     return { bearerToken: token };
   }
@@ -9448,7 +9687,7 @@ var MemoryAuthSSO = class {
   async regenerateScimToken(tenantId) {
     const config = this.scimConfigs.get(tenantId);
     if (!config) throw new Error("SCIM not configured");
-    const token = `scim_token_${Math.random().toString(36)}`;
+    const token = `scim_token_${(0, import_crypto10.randomBytes)(8).toString("hex")}`;
     config.bearerToken = token;
     return { bearerToken: token };
   }
@@ -9457,7 +9696,7 @@ var MemoryAuthSSO = class {
   }
   // Domain Verification
   async initiateDomainVerification(tenantId, domain) {
-    const token = `dll-verify-${Math.random().toString(36).substring(2)}`;
+    const token = `dll-verify-${(0, import_crypto10.randomBytes)(8).toString("hex")}`;
     this.pendingVerifications.set(`${tenantId}:${domain}`, { domain, token });
     return {
       verificationMethod: "dns_txt",
@@ -9523,6 +9762,7 @@ var MemoryAuthSSO = class {
 };
 
 // src/interfaces/ITenant.ts
+var import_crypto11 = require("crypto");
 var tenantContextStorage = /* @__PURE__ */ new Map();
 var contextIdCounter = 0;
 var currentContextId = null;
@@ -9590,7 +9830,7 @@ var MemoryTenant = class {
   // Tenant CRUD
   async createTenant(options) {
     const tenant = {
-      id: `tenant_${Math.random().toString(36).substring(2)}`,
+      id: `tenant_${(0, import_crypto11.randomBytes)(8).toString("hex")}`,
       slug: options.slug,
       name: options.name,
       status: "active",
@@ -9711,7 +9951,7 @@ var MemoryTenant = class {
   }
   async addMember(tenantId, userId, role) {
     const member = {
-      id: `member_${Math.random().toString(36).substring(2)}`,
+      id: `member_${(0, import_crypto11.randomBytes)(8).toString("hex")}`,
       tenantId,
       userId,
       role,
@@ -9752,12 +9992,12 @@ var MemoryTenant = class {
   }
   async inviteMember(tenantId, options) {
     const invitation = {
-      id: `inv_${Math.random().toString(36).substring(2)}`,
+      id: `inv_${(0, import_crypto11.randomBytes)(8).toString("hex")}`,
       tenantId,
       email: options.email,
       role: options.role,
       invitedBy: "system",
-      token: Math.random().toString(36).substring(2),
+      token: (0, import_crypto11.randomBytes)(16).toString("base64url"),
       status: "pending",
       createdAt: /* @__PURE__ */ new Date(),
       expiresAt: new Date(
@@ -9918,6 +10158,7 @@ var MemoryTenant = class {
 init_IAI();
 
 // src/interfaces/IPromptStore.ts
+var import_crypto12 = require("crypto");
 var MemoryPromptStore = class {
   // userId -> variantId
   constructor(config = {}) {
@@ -9933,7 +10174,7 @@ var MemoryPromptStore = class {
   // Prompt CRUD
   // ─────────────────────────────────────────────────────────────
   async create(prompt) {
-    const id = `prompt_${Date.now()}_${Math.random().toString(36).substring(7)}`;
+    const id = `prompt_${Date.now()}_${(0, import_crypto12.randomBytes)(4).toString("hex")}`;
     const now = /* @__PURE__ */ new Date();
     const newPrompt = {
       ...prompt,
@@ -9948,7 +10189,7 @@ var MemoryPromptStore = class {
     this.prompts.set(id, newPrompt);
     this.prompts.set(prompt.slug, newPrompt);
     const version = {
-      id: `pv_${Date.now()}_${Math.random().toString(36).substring(7)}`,
+      id: `pv_${Date.now()}_${(0, import_crypto12.randomBytes)(4).toString("hex")}`,
       promptId: id,
       version: 1,
       content: prompt.content,
@@ -9983,7 +10224,7 @@ var MemoryPromptStore = class {
         latestVersion.isLatest = false;
       }
       const newVersion = {
-        id: `pv_${Date.now()}_${Math.random().toString(36).substring(7)}`,
+        id: `pv_${Date.now()}_${(0, import_crypto12.randomBytes)(4).toString("hex")}`,
         promptId: prompt.id,
         version: versions.length + 1,
         content: updates.content,
@@ -10228,7 +10469,7 @@ ${v2.content}`;
   // A/B Testing
   // ─────────────────────────────────────────────────────────────
   async createExperiment(experiment) {
-    const id = `exp_${Date.now()}_${Math.random().toString(36).substring(7)}`;
+    const id = `exp_${Date.now()}_${(0, import_crypto12.randomBytes)(4).toString("hex")}`;
     const now = /* @__PURE__ */ new Date();
     const newExperiment = {
       ...experiment,
@@ -10305,7 +10546,7 @@ ${v2.content}`;
   // Prompt Chains
   // ─────────────────────────────────────────────────────────────
   async createChain(chain) {
-    const id = `chain_${Date.now()}_${Math.random().toString(36).substring(7)}`;
+    const id = `chain_${Date.now()}_${(0, import_crypto12.randomBytes)(4).toString("hex")}`;
     const now = /* @__PURE__ */ new Date();
     const newChain = {
       ...chain,
@@ -10396,7 +10637,7 @@ ${v2.content}`;
   async recordUsage(record) {
     const usageRecord = {
       ...record,
-      id: `usage_${Date.now()}_${Math.random().toString(36).substring(7)}`,
+      id: `usage_${Date.now()}_${(0, import_crypto12.randomBytes)(4).toString("hex")}`,
       createdAt: /* @__PURE__ */ new Date()
     };
     if (this.config.trackUsage !== false) {
@@ -10500,6 +10741,7 @@ ${v2.content}`;
 init_IRAG();
 
 // src/interfaces/IAIUsage.ts
+var import_crypto14 = require("crypto");
 var MemoryAIUsage = class {
   constructor(config = {}) {
     this.config = config;
@@ -10533,7 +10775,7 @@ var MemoryAIUsage = class {
   async record(record) {
     const newRecord = {
       ...record,
-      id: `usage_${Date.now()}_${Math.random().toString(36).substring(7)}`,
+      id: `usage_${Date.now()}_${(0, import_crypto14.randomBytes)(4).toString("hex")}`,
       createdAt: /* @__PURE__ */ new Date()
     };
     this.records.push(newRecord);
@@ -10614,7 +10856,7 @@ var MemoryAIUsage = class {
     const period = this.getPeriodBounds(quota.period, /* @__PURE__ */ new Date());
     const newQuota = {
       ...quota,
-      id: existingQuota?.id || `quota_${Date.now()}_${Math.random().toString(36).substring(7)}`,
+      id: existingQuota?.id || `quota_${Date.now()}_${(0, import_crypto14.randomBytes)(4).toString("hex")}`,
       used: existingQuota?.used || 0,
       periodStart: period.start,
       periodEnd: period.end
@@ -10708,7 +10950,7 @@ var MemoryAIUsage = class {
     const period = this.getPeriodBounds(budget.period, /* @__PURE__ */ new Date());
     const newBudget = {
       ...budget,
-      id: existingBudget?.id || `budget_${Date.now()}_${Math.random().toString(36).substring(7)}`,
+      id: existingBudget?.id || `budget_${Date.now()}_${(0, import_crypto14.randomBytes)(4).toString("hex")}`,
       spent: existingBudget?.spent || 0,
       periodStart: period.start,
       periodEnd: period.end
@@ -10972,7 +11214,7 @@ var MemoryAIUsage = class {
     const items = Array.from(itemsMap.values());
     const subtotal = items.reduce((sum, item) => sum + item.costUsd, 0);
     const invoice = {
-      id: `inv_${Date.now()}_${Math.random().toString(36).substring(7)}`,
+      id: `inv_${Date.now()}_${(0, import_crypto14.randomBytes)(4).toString("hex")}`,
       tenantId,
       periodStart,
       periodEnd,
@@ -11185,7 +11427,7 @@ var MemoryAIUsage = class {
     );
     if (existingAlert) return;
     this.alerts.push({
-      id: `alert_${Date.now()}_${Math.random().toString(36).substring(7)}`,
+      id: `alert_${Date.now()}_${(0, import_crypto14.randomBytes)(4).toString("hex")}`,
       tenantId,
       type,
       severity,
@@ -11314,6 +11556,7 @@ var MemoryAIUsage = class {
 };
 
 // src/interfaces/IDevice.ts
+var import_crypto15 = require("crypto");
 var MemoryDevice = class {
   constructor(config = {}) {
     this.config = config;
@@ -11338,7 +11581,7 @@ var MemoryDevice = class {
     const now = /* @__PURE__ */ new Date();
     const newDevice = {
       ...device,
-      id: `dev_${Date.now()}_${Math.random().toString(36).substring(7)}`,
+      id: `dev_${Date.now()}_${(0, import_crypto15.randomBytes)(4).toString("hex")}`,
       status: "active",
       connectionState: "disconnected",
       tags: device.tags || [],
@@ -11461,7 +11704,7 @@ var MemoryDevice = class {
   // Provisioning
   // ─────────────────────────────────────────────────────────────
   async provision(request) {
-    const id = `prov_${Date.now()}_${Math.random().toString(36).substring(7)}`;
+    const id = `prov_${Date.now()}_${(0, import_crypto15.randomBytes)(4).toString("hex")}`;
     const newRequest = {
       ...request,
       id,
@@ -11473,7 +11716,7 @@ var MemoryDevice = class {
       const result = {
         credentials: {
           type: request.config.authMethod || "token",
-          token: `tok_${Date.now()}_${Math.random().toString(36).substring(7)}`
+          token: `tok_${Date.now()}_${(0, import_crypto15.randomBytes)(16).toString("hex")}`
         },
         endpoint: "mqtt://localhost:1883",
         mqttBroker: "mqtt://localhost:1883"
@@ -11516,7 +11759,7 @@ var MemoryDevice = class {
     }
   }
   async generateRegistrationCode(deviceType, tenantId, expiresInHours = 24) {
-    const code = `REG_${Math.random().toString(36).substring(2, 10).toUpperCase()}`;
+    const code = `REG_${(0, import_crypto15.randomBytes)(4).toString("hex").toUpperCase()}`;
     this.registrationCodes.set(code, {
       deviceType,
       tenantId,
@@ -11616,7 +11859,7 @@ var MemoryDevice = class {
   async ingestTelemetry(message) {
     const newMessage = {
       ...message,
-      id: `tel_${Date.now()}_${Math.random().toString(36).substring(7)}`,
+      id: `tel_${Date.now()}_${(0, import_crypto15.randomBytes)(4).toString("hex")}`,
       receivedAt: /* @__PURE__ */ new Date()
     };
     if (this.config.storeTelemetry !== false) {
@@ -11696,7 +11939,7 @@ var MemoryDevice = class {
   // ─────────────────────────────────────────────────────────────
   async sendCommand(deviceId, name, payload, options) {
     const command = {
-      id: `cmd_${Date.now()}_${Math.random().toString(36).substring(7)}`,
+      id: `cmd_${Date.now()}_${(0, import_crypto15.randomBytes)(4).toString("hex")}`,
       deviceId,
       name,
       payload,
@@ -11759,7 +12002,7 @@ var MemoryDevice = class {
   async createFirmware(firmware) {
     const newFirmware = {
       ...firmware,
-      id: `fw_${Date.now()}_${Math.random().toString(36).substring(7)}`,
+      id: `fw_${Date.now()}_${(0, import_crypto15.randomBytes)(4).toString("hex")}`,
       status: "draft",
       createdAt: /* @__PURE__ */ new Date()
     };
@@ -11811,7 +12054,7 @@ var MemoryDevice = class {
       throw new Error(`Firmware not found: ${firmwareVersionId}`);
     }
     const update = {
-      id: `upd_${Date.now()}_${Math.random().toString(36).substring(7)}`,
+      id: `upd_${Date.now()}_${(0, import_crypto15.randomBytes)(4).toString("hex")}`,
       deviceId,
       firmwareVersionId,
       targetVersion: firmware.version,
@@ -11865,7 +12108,7 @@ var MemoryDevice = class {
     const now = /* @__PURE__ */ new Date();
     const newGroup = {
       ...group,
-      id: `grp_${Date.now()}_${Math.random().toString(36).substring(7)}`,
+      id: `grp_${Date.now()}_${(0, import_crypto15.randomBytes)(4).toString("hex")}`,
       deviceCount: 0,
       tags: group.tags || [],
       attributes: group.attributes || {},
@@ -11985,6 +12228,7 @@ var MemoryDevice = class {
 };
 
 // src/interfaces/IBilling.ts
+var import_crypto16 = require("crypto");
 var MemoryBilling = class {
   constructor(config = {}) {
     this.config = config;
@@ -12005,7 +12249,7 @@ var MemoryBilling = class {
   async createProduct(product) {
     const newProduct = {
       ...product,
-      id: `prod_${Date.now()}_${Math.random().toString(36).substring(7)}`,
+      id: `prod_${Date.now()}_${(0, import_crypto16.randomBytes)(4).toString("hex")}`,
       features: product.features || [],
       metadata: product.metadata || {},
       createdAt: /* @__PURE__ */ new Date(),
@@ -12033,7 +12277,7 @@ var MemoryBilling = class {
   async createPrice(price) {
     const newPrice = {
       ...price,
-      id: `price_${Date.now()}_${Math.random().toString(36).substring(7)}`,
+      id: `price_${Date.now()}_${(0, import_crypto16.randomBytes)(4).toString("hex")}`,
       metadata: price.metadata || {},
       createdAt: /* @__PURE__ */ new Date(),
       updatedAt: /* @__PURE__ */ new Date()
@@ -12064,7 +12308,7 @@ var MemoryBilling = class {
   async createMeter(meter) {
     const newMeter = {
       ...meter,
-      id: `meter_${Date.now()}_${Math.random().toString(36).substring(7)}`,
+      id: `meter_${Date.now()}_${(0, import_crypto16.randomBytes)(4).toString("hex")}`,
       createdAt: /* @__PURE__ */ new Date(),
       updatedAt: /* @__PURE__ */ new Date()
     };
@@ -12098,13 +12342,13 @@ var MemoryBilling = class {
     const trialDays = options.trialDays ?? price.trialDays ?? 0;
     const periodEnd = this.addPeriod(now, price.billingPeriod);
     const subscription = {
-      id: `sub_${Date.now()}_${Math.random().toString(36).substring(7)}`,
+      id: `sub_${Date.now()}_${(0, import_crypto16.randomBytes)(4).toString("hex")}`,
       customerId: options.customerId,
       tenantId: options.tenantId,
       status: trialDays > 0 ? "trialing" : "active",
       items: [
         {
-          id: `si_${Date.now()}_${Math.random().toString(36).substring(7)}`,
+          id: `si_${Date.now()}_${(0, import_crypto16.randomBytes)(4).toString("hex")}`,
           priceId: options.priceId,
           quantity: options.quantity || 1
         }
@@ -12195,7 +12439,7 @@ var MemoryBilling = class {
     const sub = await this.getSubscription(subscriptionId);
     if (!sub) throw new Error(`Subscription not found: ${subscriptionId}`);
     sub.items.push({
-      id: `si_${Date.now()}_${Math.random().toString(36).substring(7)}`,
+      id: `si_${Date.now()}_${(0, import_crypto16.randomBytes)(4).toString("hex")}`,
       priceId,
       quantity: quantity || 1
     });
@@ -12247,7 +12491,7 @@ var MemoryBilling = class {
       if (existing) return existing;
     }
     const event = {
-      id: `ue_${Date.now()}_${Math.random().toString(36).substring(7)}`,
+      id: `ue_${Date.now()}_${(0, import_crypto16.randomBytes)(4).toString("hex")}`,
       subscriptionId,
       customerId: sub.customerId,
       meterId: meter.id,
@@ -12318,7 +12562,7 @@ var MemoryBilling = class {
       if (price) {
         const unitAmount = price.unitAmount || 0;
         lineItems.push({
-          id: `ii_${Date.now()}_${Math.random().toString(36).substring(7)}`,
+          id: `ii_${Date.now()}_${(0, import_crypto16.randomBytes)(4).toString("hex")}`,
           priceId: item.priceId,
           description: price.name,
           quantity: item.quantity,
@@ -12333,7 +12577,7 @@ var MemoryBilling = class {
     const usageSummary = await this.getUsageSummary(subscriptionId);
     for (const usage of usageSummary) {
       lineItems.push({
-        id: `ii_${Date.now()}_${Math.random().toString(36).substring(7)}`,
+        id: `ii_${Date.now()}_${(0, import_crypto16.randomBytes)(4).toString("hex")}`,
         description: `${usage.meterName}: ${usage.total} ${usage.unit}`,
         quantity: usage.total,
         unitAmount: usage.cost / usage.total,
@@ -12356,7 +12600,7 @@ var MemoryBilling = class {
     const tax = (subtotal - discount) * (taxRate / 100);
     const total = subtotal - discount + tax;
     const invoice = {
-      id: `inv_${Date.now()}_${Math.random().toString(36).substring(7)}`,
+      id: `inv_${Date.now()}_${(0, import_crypto16.randomBytes)(4).toString("hex")}`,
       customerId: sub.customerId,
       subscriptionId,
       tenantId: sub.tenantId,
@@ -12387,14 +12631,14 @@ var MemoryBilling = class {
   async createInvoice(options) {
     const lineItems = options.lineItems.map((item) => ({
       ...item,
-      id: `ii_${Date.now()}_${Math.random().toString(36).substring(7)}`
+      id: `ii_${Date.now()}_${(0, import_crypto16.randomBytes)(4).toString("hex")}`
     }));
     const subtotal = lineItems.reduce((sum, item) => sum + item.amount, 0);
     const taxRate = this.config.defaultTaxRate || 0;
     const tax = subtotal * (taxRate / 100);
     const total = subtotal + tax;
     const invoice = {
-      id: `inv_${Date.now()}_${Math.random().toString(36).substring(7)}`,
+      id: `inv_${Date.now()}_${(0, import_crypto16.randomBytes)(4).toString("hex")}`,
       customerId: options.customerId,
       tenantId: options.tenantId,
       number: `${this.config.invoiceNumberPrefix || "INV-"}${++this.invoiceCounter}`,
@@ -12483,7 +12727,7 @@ var MemoryBilling = class {
   async createDunningConfig(config) {
     const newConfig = {
       ...config,
-      id: `dun_${Date.now()}_${Math.random().toString(36).substring(7)}`,
+      id: `dun_${Date.now()}_${(0, import_crypto16.randomBytes)(4).toString("hex")}`,
       createdAt: /* @__PURE__ */ new Date(),
       updatedAt: /* @__PURE__ */ new Date()
     };
@@ -12509,7 +12753,7 @@ var MemoryBilling = class {
     const invoice = await this.getInvoice(invoiceId);
     if (!invoice) throw new Error(`Invoice not found: ${invoiceId}`);
     const attempt = {
-      id: `da_${Date.now()}_${Math.random().toString(36).substring(7)}`,
+      id: `da_${Date.now()}_${(0, import_crypto16.randomBytes)(4).toString("hex")}`,
       invoiceId,
       attemptNumber: invoice.attemptCount + 1,
       action: "retry_payment",
@@ -12541,7 +12785,7 @@ var MemoryBilling = class {
     balance.updatedAt = /* @__PURE__ */ new Date();
     this.creditBalances.set(customerId, balance);
     const transaction = {
-      id: `ct_${Date.now()}_${Math.random().toString(36).substring(7)}`,
+      id: `ct_${Date.now()}_${(0, import_crypto16.randomBytes)(4).toString("hex")}`,
       customerId,
       type: options?.type || "manual",
       amount,
@@ -12566,7 +12810,7 @@ var MemoryBilling = class {
     balance.updatedAt = /* @__PURE__ */ new Date();
     this.creditBalances.set(customerId, balance);
     const transaction = {
-      id: `ct_${Date.now()}_${Math.random().toString(36).substring(7)}`,
+      id: `ct_${Date.now()}_${(0, import_crypto16.randomBytes)(4).toString("hex")}`,
       customerId,
       type: "manual",
       amount: -amount,
@@ -12590,7 +12834,7 @@ var MemoryBilling = class {
   async createCoupon(coupon) {
     const newCoupon = {
       ...coupon,
-      id: `coup_${Date.now()}_${Math.random().toString(36).substring(7)}`,
+      id: `coup_${Date.now()}_${(0, import_crypto16.randomBytes)(4).toString("hex")}`,
       timesRedeemed: 0,
       createdAt: /* @__PURE__ */ new Date(),
       updatedAt: /* @__PURE__ */ new Date()
@@ -12826,6 +13070,7 @@ var MemoryBilling = class {
 };
 
 // src/interfaces/IDevPortal.ts
+var import_crypto17 = require("crypto");
 var MemoryDevPortal = class {
   constructor(config = {}) {
     this.config = config;
@@ -12838,8 +13083,9 @@ var MemoryDevPortal = class {
   usageRecords = [];
   // API Key Management
   async createApiKey(options, userId) {
-    const id = `key_${Date.now()}_${Math.random().toString(36).substring(7)}`;
-    const secret = `sk_${options.type}_${Math.random().toString(36).substring(2)}${Math.random().toString(36).substring(2)}`;
+    const { randomBytes: randomBytes37, createHash: createHash2 } = await import("crypto");
+    const id = `key_${Date.now()}_${randomBytes37(8).toString("hex")}`;
+    const secret = `sk_${options.type}_${randomBytes37(24).toString("base64url")}`;
     const prefix = secret.substring(0, 12);
     const key = {
       id,
@@ -12926,7 +13172,7 @@ var MemoryDevPortal = class {
   // API Documentation
   async generateDocumentation(endpoints, config) {
     const doc = {
-      id: `doc_${Date.now()}_${Math.random().toString(36).substring(7)}`,
+      id: `doc_${Date.now()}_${(0, import_crypto17.randomBytes)(4).toString("hex")}`,
       title: config.title,
       version: config.version,
       baseUrl: config.baseUrl,
@@ -12982,7 +13228,7 @@ var MemoryDevPortal = class {
     if (!doc) throw new Error(`Documentation not found: ${docId}`);
     const newEndpoint = {
       ...endpoint,
-      id: `ep_${Date.now()}_${Math.random().toString(36).substring(7)}`
+      id: `ep_${Date.now()}_${(0, import_crypto17.randomBytes)(4).toString("hex")}`
     };
     doc.endpoints.push(newEndpoint);
     return newEndpoint;
@@ -13078,7 +13324,7 @@ SDK for ${documentation.title}`,
         });
     }
     const sdk = {
-      id: `sdk_${Date.now()}_${Math.random().toString(36).substring(7)}`,
+      id: `sdk_${Date.now()}_${(0, import_crypto17.randomBytes)(4).toString("hex")}`,
       language: config.language,
       packageName: config.packageName,
       version: config.version,
@@ -13105,7 +13351,7 @@ SDK for ${documentation.title}`,
   }
   // Sandbox / Playground
   async createSandbox(options, userId) {
-    const id = `sandbox_${Date.now()}_${Math.random().toString(36).substring(7)}`;
+    const id = `sandbox_${Date.now()}_${(0, import_crypto17.randomBytes)(4).toString("hex")}`;
     const lifetimeHours = options.lifetimeHours || this.config.sandboxDefaultLifetimeHours || 24;
     const sandbox = {
       id,
@@ -13114,7 +13360,7 @@ SDK for ${documentation.title}`,
       tenantId: options.tenantId,
       status: "active",
       baseUrl: `https://sandbox-${id}.example.com`,
-      apiKey: `sandbox_${Math.random().toString(36).substring(2)}`,
+      apiKey: `sandbox_${(0, import_crypto17.randomBytes)(8).toString("hex")}`,
       seedDataLoaded: options.seedData || [],
       config: options.config || {},
       limits: {
@@ -13251,7 +13497,7 @@ SDK for ${documentation.title}`,
   }
   // Webhook Testing
   async createWebhookTestEndpoint(userId, maxEvents = 100) {
-    const id = `wh_test_${Date.now()}_${Math.random().toString(36).substring(7)}`;
+    const id = `wh_test_${Date.now()}_${(0, import_crypto17.randomBytes)(4).toString("hex")}`;
     const endpoint = {
       id,
       url: `https://webhook-test.example.com/${id}`,
@@ -13288,18 +13534,13 @@ SDK for ${documentation.title}`,
       statusCode: 200,
       headers: { "content-type": "application/json" },
       body: { received: true },
-      latencyMs: Math.random() * 100
+      latencyMs: 0
     };
   }
   // Private helpers
   hashKey(key) {
-    let hash = 0;
-    for (let i = 0; i < key.length; i++) {
-      const char = key.charCodeAt(i);
-      hash = (hash << 5) - hash + char;
-      hash = hash & hash;
-    }
-    return `hashed_${Math.abs(hash).toString(36)}`;
+    const { createHash: createHash2 } = require("crypto");
+    return createHash2("sha256").update(key).digest("hex");
   }
   endpointsToOpenApiPaths(endpoints) {
     const paths = {};
@@ -13391,6 +13632,7 @@ class ApiClient:
 };
 
 // src/interfaces/ICompliance.ts
+var import_crypto18 = require("crypto");
 var MemoryCompliance = class {
   constructor(config = {}) {
     this.config = config;
@@ -13407,13 +13649,13 @@ var MemoryCompliance = class {
   breaches = /* @__PURE__ */ new Map();
   // DSAR Management
   async createDsar(options) {
-    const id = `dsar_${Date.now()}_${Math.random().toString(36).substring(7)}`;
+    const id = `dsar_${Date.now()}_${(0, import_crypto18.randomBytes)(4).toString("hex")}`;
     const dsar = {
       id,
       type: options.type,
       subjectId: options.subjectId || options.subjectEmail,
       subjectEmail: options.subjectEmail,
-      verificationToken: `verify_${Math.random().toString(36).substring(2)}`,
+      verificationToken: `verify_${(0, import_crypto18.randomBytes)(8).toString("hex")}`,
       verified: false,
       status: "pending_verification",
       tenantId: options.tenantId,
@@ -13464,7 +13706,7 @@ var MemoryCompliance = class {
     dsar.updatedAt = /* @__PURE__ */ new Date();
     if (notes) {
       dsar.notes.push({
-        id: `note_${Date.now()}_${Math.random().toString(36).substring(7)}`,
+        id: `note_${Date.now()}_${(0, import_crypto18.randomBytes)(4).toString("hex")}`,
         content: notes,
         authorId: "system",
         createdAt: /* @__PURE__ */ new Date()
@@ -13476,7 +13718,7 @@ var MemoryCompliance = class {
     const dsar = await this.getDsar(dsarId);
     if (!dsar) throw new Error(`DSAR not found: ${dsarId}`);
     const note = {
-      id: `note_${Date.now()}_${Math.random().toString(36).substring(7)}`,
+      id: `note_${Date.now()}_${(0, import_crypto18.randomBytes)(4).toString("hex")}`,
       content,
       authorId,
       createdAt: /* @__PURE__ */ new Date()
@@ -13490,7 +13732,7 @@ var MemoryCompliance = class {
     if (!dsar) throw new Error(`DSAR not found: ${dsarId}`);
     const att = {
       ...attachment,
-      id: `att_${Date.now()}_${Math.random().toString(36).substring(7)}`,
+      id: `att_${Date.now()}_${(0, import_crypto18.randomBytes)(4).toString("hex")}`,
       createdAt: /* @__PURE__ */ new Date()
     };
     dsar.attachments.push(att);
@@ -13531,7 +13773,7 @@ var MemoryCompliance = class {
   }
   // Consent Management
   async recordConsent(options) {
-    const id = `consent_${Date.now()}_${Math.random().toString(36).substring(7)}`;
+    const id = `consent_${Date.now()}_${(0, import_crypto18.randomBytes)(4).toString("hex")}`;
     const consent = {
       id,
       subjectId: options.subjectId,
@@ -13606,7 +13848,7 @@ var MemoryCompliance = class {
   }
   // Retention Policies
   async createRetentionPolicy(policy) {
-    const id = `rp_${Date.now()}_${Math.random().toString(36).substring(7)}`;
+    const id = `rp_${Date.now()}_${(0, import_crypto18.randomBytes)(4).toString("hex")}`;
     const newPolicy = {
       ...policy,
       id,
@@ -13639,7 +13881,7 @@ var MemoryCompliance = class {
     if (!policy) throw new Error(`Policy not found: ${policyId}`);
     const startedAt = /* @__PURE__ */ new Date();
     const execution = {
-      id: `re_${Date.now()}_${Math.random().toString(36).substring(7)}`,
+      id: `re_${Date.now()}_${(0, import_crypto18.randomBytes)(4).toString("hex")}`,
       policyId,
       recordsProcessed: 100,
       recordsAffected: 15,
@@ -13658,7 +13900,7 @@ var MemoryCompliance = class {
   }
   // Data Inventory
   async addDataInventoryItem(item) {
-    const id = `di_${Date.now()}_${Math.random().toString(36).substring(7)}`;
+    const id = `di_${Date.now()}_${(0, import_crypto18.randomBytes)(4).toString("hex")}`;
     const newItem = {
       ...item,
       id,
@@ -13719,7 +13961,7 @@ var MemoryCompliance = class {
   }
   // Audit Evidence
   async addEvidence(evidence) {
-    const id = `ev_${Date.now()}_${Math.random().toString(36).substring(7)}`;
+    const id = `ev_${Date.now()}_${(0, import_crypto18.randomBytes)(4).toString("hex")}`;
     const newEvidence = {
       ...evidence,
       id,
@@ -13795,7 +14037,7 @@ var MemoryCompliance = class {
   }
   // PIAs
   async createPia(pia) {
-    const id = `pia_${Date.now()}_${Math.random().toString(36).substring(7)}`;
+    const id = `pia_${Date.now()}_${(0, import_crypto18.randomBytes)(4).toString("hex")}`;
     const newPia = {
       ...pia,
       id,
@@ -13827,7 +14069,7 @@ var MemoryCompliance = class {
     if (!pia) throw new Error(`PIA not found: ${piaId}`);
     const newRisk = {
       ...risk,
-      id: `risk_${Date.now()}_${Math.random().toString(36).substring(7)}`
+      id: `risk_${Date.now()}_${(0, import_crypto18.randomBytes)(4).toString("hex")}`
     };
     pia.risks.push(newRisk);
     pia.updatedAt = /* @__PURE__ */ new Date();
@@ -13838,7 +14080,7 @@ var MemoryCompliance = class {
     if (!pia) throw new Error(`PIA not found: ${piaId}`);
     const newMitigation = {
       ...mitigation,
-      id: `mit_${Date.now()}_${Math.random().toString(36).substring(7)}`
+      id: `mit_${Date.now()}_${(0, import_crypto18.randomBytes)(4).toString("hex")}`
     };
     pia.mitigations.push(newMitigation);
     pia.updatedAt = /* @__PURE__ */ new Date();
@@ -13875,7 +14117,7 @@ var MemoryCompliance = class {
       (c) => c.status === "non_compliant"
     ).length;
     const report = {
-      id: `report_${Date.now()}_${Math.random().toString(36).substring(7)}`,
+      id: `report_${Date.now()}_${(0, import_crypto18.randomBytes)(4).toString("hex")}`,
       title: `${framework.toUpperCase()} Compliance Report`,
       framework,
       period,
@@ -13926,7 +14168,7 @@ var MemoryCompliance = class {
   }
   // Breach Management
   async recordBreach(breach) {
-    const id = `breach_${Date.now()}_${Math.random().toString(36).substring(7)}`;
+    const id = `breach_${Date.now()}_${(0, import_crypto18.randomBytes)(4).toString("hex")}`;
     const newBreach = {
       ...breach,
       id,
@@ -14165,6 +14407,27 @@ var RAGConfigSchema = import_zod.z.object({
     message: "Pinecone requires apiKey and indexName; Weaviate requires host"
   }
 );
+var CryptoConfigSchema = import_zod.z.object({
+  enabled: import_zod.z.boolean().default(false).describe("Enable field-level encryption"),
+  masterKey: import_zod.z.string().optional().describe("256-bit master key as hex (64 chars). Required when enabled."),
+  hmacKey: import_zod.z.string().optional().describe(
+    "HMAC key for deterministic hashing (derived from master key if not provided)"
+  )
+}).refine(
+  (data) => {
+    if (data.enabled) {
+      return data.masterKey && data.masterKey.length >= 64;
+    }
+    return true;
+  },
+  {
+    message: "Crypto requires a 256-bit master key (64 hex characters) when enabled"
+  }
+);
+var SecurityConfigSchema = import_zod.z.object({
+  enforceTls: import_zod.z.boolean().default(true).describe("Enforce TLS for production connections"),
+  tlsWarnOnly: import_zod.z.boolean().default(false).describe("Warn instead of throwing when TLS is missing in production")
+});
 var RetryConfigSchema = import_zod.z.object({
   enabled: import_zod.z.boolean().default(true).describe("Enable retry for failed operations"),
   maxAttempts: import_zod.z.number().int().min(1).max(10).default(3).describe("Maximum retry attempts"),
@@ -14254,6 +14517,10 @@ var PlatformConfigSchema = import_zod.z.object({
   // AI configurations
   ai: AIConfigSchema.default({ enabled: false }),
   rag: RAGConfigSchema.default({ enabled: false }),
+  // Crypto configuration
+  crypto: CryptoConfigSchema.default({ enabled: false }),
+  // Security configuration
+  security: SecurityConfigSchema.default({}),
   // Resilience configuration
   resilience: ResilienceConfigSchema.default({}),
   // Observability configuration
@@ -14331,6 +14598,15 @@ function loadConfig() {
       embeddingApiKey: process.env.EMBEDDING_API_KEY || process.env.OPENAI_API_KEY,
       embeddingModel: process.env.EMBEDDING_MODEL
     },
+    crypto: {
+      enabled: process.env.CRYPTO_ENABLED === "true",
+      masterKey: process.env.CRYPTO_MASTER_KEY,
+      hmacKey: process.env.CRYPTO_HMAC_KEY
+    },
+    security: {
+      enforceTls: process.env.SECURITY_ENFORCE_TLS !== "false",
+      tlsWarnOnly: process.env.SECURITY_TLS_WARN_ONLY === "true"
+    },
     resilience: {
       retry: {
         enabled: process.env.RESILIENCE_RETRY_ENABLED !== "false",
@@ -14737,13 +15013,14 @@ var MemoryEmail = class {
 
 // src/context/CorrelationContext.ts
 var import_async_hooks = require("async_hooks");
+var import_crypto19 = require("crypto");
 var CorrelationContextManager = class {
   storage = new import_async_hooks.AsyncLocalStorage();
   idGenerator;
   constructor() {
     this.idGenerator = () => {
       const timestamp = Date.now().toString(36);
-      const random = Math.random().toString(36).substring(2, 10);
+      const random = (0, import_crypto19.randomBytes)(4).toString("hex");
       return `${timestamp}-${random}`;
     };
   }
@@ -15373,10 +15650,11 @@ var MemoryQueue = class {
 };
 
 // src/adapters/console/ConsoleEmail.ts
+var import_crypto20 = require("crypto");
 var ConsoleEmail = class {
   sentEmails = [];
   async send(message) {
-    const id = `console_${Date.now()}_${Math.random().toString(36).slice(2, 9)}`;
+    const id = `console_${Date.now()}_${(0, import_crypto20.randomBytes)(4).toString("hex")}`;
     console.log("\n" + "=".repeat(60));
     console.log("\u{1F4E7} EMAIL SENT (Console Adapter)");
     console.log("=".repeat(60));
@@ -15453,6 +15731,147 @@ var ConsoleEmail = class {
 // src/factory.ts
 init_IAI();
 init_IRAG();
+
+// src/adapters/memory/MemoryCrypto.ts
+var import_crypto21 = require("crypto");
+var MemoryCrypto = class {
+  keys = /* @__PURE__ */ new Map();
+  activeKeyId;
+  hmacKey;
+  constructor(options) {
+    const masterKeyBuf = options?.masterKey ? Buffer.from(options.masterKey, "hex") : (0, import_crypto21.randomBytes)(32);
+    this.hmacKey = options?.hmacKey ? Buffer.from(options.hmacKey, "hex") : (0, import_crypto21.randomBytes)(32);
+    const keyId = this.generateKeyId();
+    this.keys.set(keyId, {
+      id: keyId,
+      key: masterKeyBuf,
+      status: "active",
+      createdAt: /* @__PURE__ */ new Date()
+    });
+    this.activeKeyId = keyId;
+  }
+  async encrypt(plaintext, options) {
+    const keyId = options?.keyId || this.activeKeyId;
+    const stored = this.keys.get(keyId);
+    if (!stored) {
+      throw new Error(`Key not found: ${keyId}`);
+    }
+    if (stored.status === "retired") {
+      throw new Error(`Key is retired: ${keyId}`);
+    }
+    if (stored.status === "decrypt-only" && !options?.keyId) {
+      throw new Error(`Key is decrypt-only: ${keyId}`);
+    }
+    const iv = (0, import_crypto21.randomBytes)(12);
+    const cipher = (0, import_crypto21.createCipheriv)("aes-256-gcm", stored.key, iv);
+    if (options?.aad) {
+      cipher.setAAD(Buffer.from(options.aad, "utf8"));
+    }
+    const encrypted = Buffer.concat([
+      cipher.update(plaintext, "utf8"),
+      cipher.final()
+    ]);
+    const tag = cipher.getAuthTag();
+    return {
+      ciphertext: encrypted.toString("base64"),
+      iv: iv.toString("base64"),
+      tag: tag.toString("base64"),
+      keyId,
+      algorithm: "aes-256-gcm",
+      version: 1
+    };
+  }
+  async decrypt(field, options) {
+    const stored = this.keys.get(field.keyId);
+    if (!stored) {
+      throw new Error(`Key not found: ${field.keyId}`);
+    }
+    if (stored.status === "retired") {
+      throw new Error(`Key is retired and cannot decrypt: ${field.keyId}`);
+    }
+    const decipher = (0, import_crypto21.createDecipheriv)(
+      "aes-256-gcm",
+      stored.key,
+      Buffer.from(field.iv, "base64")
+    );
+    decipher.setAuthTag(Buffer.from(field.tag, "base64"));
+    if (options?.aad) {
+      decipher.setAAD(Buffer.from(options.aad, "utf8"));
+    }
+    const decrypted = Buffer.concat([
+      decipher.update(Buffer.from(field.ciphertext, "base64")),
+      decipher.final()
+    ]);
+    return decrypted.toString("utf8");
+  }
+  async encryptDeterministic(plaintext, options) {
+    const hash = await this.computeHash(plaintext);
+    const encrypted = await this.encrypt(plaintext, options);
+    return { hash, encrypted };
+  }
+  async computeHash(plaintext) {
+    return (0, import_crypto21.createHmac)("sha256", this.hmacKey).update(plaintext, "utf8").digest("hex");
+  }
+  async encryptBatch(fields, options) {
+    const result = {};
+    for (const [key, value] of Object.entries(fields)) {
+      result[key] = await this.encrypt(value, options);
+    }
+    return result;
+  }
+  async decryptBatch(fields, options) {
+    const result = {};
+    for (const [key, value] of Object.entries(fields)) {
+      result[key] = await this.decrypt(value, options);
+    }
+    return result;
+  }
+  async rotateKey() {
+    const previousKeyId = this.activeKeyId;
+    const currentKey = this.keys.get(previousKeyId);
+    if (currentKey) {
+      currentKey.status = "decrypt-only";
+    }
+    const newKeyId = this.generateKeyId();
+    this.keys.set(newKeyId, {
+      id: newKeyId,
+      key: (0, import_crypto21.randomBytes)(32),
+      status: "active",
+      createdAt: /* @__PURE__ */ new Date()
+    });
+    this.activeKeyId = newKeyId;
+    return { newKeyId, previousKeyId };
+  }
+  async reEncrypt(field, options) {
+    const plaintext = await this.decrypt(field);
+    return this.encrypt(plaintext, options);
+  }
+  async listKeys() {
+    return Array.from(this.keys.values()).map((k) => ({
+      keyId: k.id,
+      createdAt: k.createdAt,
+      status: k.status
+    }));
+  }
+  async getActiveKeyId() {
+    return this.activeKeyId;
+  }
+  async healthCheck() {
+    try {
+      const testPlain = "health-check-test";
+      const encrypted = await this.encrypt(testPlain);
+      const decrypted = await this.decrypt(encrypted);
+      return decrypted === testPlain;
+    } catch {
+      return false;
+    }
+  }
+  generateKeyId() {
+    return `key_${(0, import_crypto21.randomBytes)(8).toString("hex")}`;
+  }
+};
+
+// src/factory.ts
 async function createDatabaseAdapter(config) {
   switch (config.database.provider) {
     case "postgres": {
@@ -15508,9 +15927,9 @@ async function createCacheAdapter(config) {
           "Upstash requires UPSTASH_REDIS_REST_URL and UPSTASH_REDIS_REST_TOKEN environment variables"
         );
       }
-      const { Redis } = await import("@upstash/redis");
+      const { Redis: Redis2 } = await import("@upstash/redis");
       const { UpstashCache: UpstashCache2 } = await Promise.resolve().then(() => (init_UpstashCache(), UpstashCache_exports));
-      const client = new Redis({
+      const client = new Redis2({
         url: config.cache.upstashUrl,
         token: config.cache.upstashToken
       });
@@ -15753,16 +16172,73 @@ async function createRAGAdapter(config, ai) {
       return new MemoryRAG();
   }
 }
+async function createCryptoAdapter(config) {
+  if (!config.crypto.enabled) {
+    return null;
+  }
+  if (config.crypto.masterKey && config.crypto.masterKey.length >= 64) {
+    const { NodeCrypto: NodeCrypto2 } = await Promise.resolve().then(() => (init_NodeCrypto(), NodeCrypto_exports));
+    return new NodeCrypto2({
+      masterKey: config.crypto.masterKey,
+      hmacKey: config.crypto.hmacKey
+    });
+  }
+  return new MemoryCrypto();
+}
+function validateTlsSecurity(config) {
+  const isProduction = process.env.NODE_ENV === "production";
+  if (!isProduction || !config.security.enforceTls) {
+    return;
+  }
+  const warnings = [];
+  if (config.database.provider === "postgres") {
+    const connStr = config.database.connectionString || config.database.url || "";
+    const hasSSL = config.database.ssl || connStr.includes("sslmode=require") || connStr.includes("sslmode=verify");
+    if (!hasSSL) {
+      warnings.push(
+        "PostgreSQL: TLS/SSL not configured. Set database.ssl=true or add sslmode=require to connection string."
+      );
+    }
+  }
+  if (config.cache.provider === "redis") {
+    const url = config.cache.url || "";
+    if (url && !url.startsWith("rediss://")) {
+      warnings.push(
+        "Redis: Connection URL uses redis:// instead of rediss:// (TLS). Consider enabling TLS."
+      );
+    }
+  }
+  if (config.email.provider === "smtp") {
+    if (!config.email.secure) {
+      warnings.push(
+        "SMTP: secure=false in production. Set email.secure=true for TLS."
+      );
+    }
+  }
+  if (warnings.length > 0) {
+    const message = `[Security] TLS warnings in production:
+  - ${warnings.join("\n  - ")}`;
+    if (config.security.tlsWarnOnly) {
+      console.warn(message);
+    } else {
+      throw new Error(message);
+    }
+  }
+}
 async function createPlatformAsync(config) {
   const finalConfig = config ? deepMerge(loadConfig(), config) : loadConfig();
-  const [db, cache, storage, email, queue, tracing] = await Promise.all([
-    createDatabaseAdapter(finalConfig),
-    createCacheAdapter(finalConfig),
-    createStorageAdapter(finalConfig),
-    createEmailAdapter(finalConfig),
-    createQueueAdapter(finalConfig),
-    createTracingAdapter(finalConfig)
-  ]);
+  validateTlsSecurity(finalConfig);
+  const [db, cache, storage, email, queue, tracing, crypto2] = await Promise.all(
+    [
+      createDatabaseAdapter(finalConfig),
+      createCacheAdapter(finalConfig),
+      createStorageAdapter(finalConfig),
+      createEmailAdapter(finalConfig),
+      createQueueAdapter(finalConfig),
+      createTracingAdapter(finalConfig),
+      createCryptoAdapter(finalConfig)
+    ]
+  );
   const logger = createLogger(finalConfig);
   const metrics = createMetrics(finalConfig);
   const ai = await createAIAdapter(finalConfig);
@@ -15777,7 +16253,8 @@ async function createPlatformAsync(config) {
     metrics,
     tracing,
     ai,
-    rag
+    rag,
+    crypto2
   );
 }
 function createPlatform(config) {
@@ -15798,6 +16275,7 @@ function createPlatform(config) {
   const tracing = finalConfig.observability.tracing.provider === "memory" ? new MemoryTracing() : new NoopTracing();
   const ai = finalConfig.ai.enabled ? new MemoryAI() : null;
   const rag = finalConfig.rag.enabled ? new MemoryRAG() : null;
+  const crypto2 = finalConfig.crypto.enabled ? new MemoryCrypto() : null;
   return createPlatformFromAdapters(
     db,
     cache,
@@ -15808,10 +16286,11 @@ function createPlatform(config) {
     metrics,
     tracing,
     ai,
-    rag
+    rag,
+    crypto2
   );
 }
-function createPlatformFromAdapters(db, cache, storage, email, queue, logger, metrics, tracing, ai, rag) {
+function createPlatformFromAdapters(db, cache, storage, email, queue, logger, metrics, tracing, ai, rag, crypto2) {
   const platform = {
     db,
     cache,
@@ -15865,6 +16344,9 @@ function createPlatformFromAdapters(db, cache, storage, email, queue, logger, me
   if (rag) {
     platform.rag = rag;
   }
+  if (crypto2) {
+    platform.crypto = crypto2;
+  }
   return platform;
 }
 function deepMerge(target, source) {
@@ -15887,11 +16369,11 @@ function deepMerge(target, source) {
 }
 
 // src/middleware/chain.ts
-var import_crypto = require("crypto");
+var import_crypto26 = require("crypto");
 function createMiddlewareChain(options = {}) {
   const middlewares = [];
   const logger = options.logger ?? new NoopLogger();
-  const generateCorrelationId = options.generateCorrelationId ?? (() => (0, import_crypto.randomUUID)());
+  const generateCorrelationId = options.generateCorrelationId ?? (() => (0, import_crypto26.randomUUID)());
   function sortMiddleware() {
     middlewares.sort((a, b) => (a.priority ?? 100) - (b.priority ?? 100));
   }
@@ -16008,7 +16490,7 @@ function createMiddlewareContext(service, operation, args, logger, options = {})
     args,
     logger,
     startTime: Date.now(),
-    correlationId: options.correlationId ?? (0, import_crypto.randomUUID)(),
+    correlationId: options.correlationId ?? (0, import_crypto26.randomUUID)(),
     tenantId: options.tenantId
   };
 }
@@ -17336,6 +17818,7 @@ var FallbackStrategies = {
 };
 
 // src/security.ts
+var import_crypto27 = require("crypto");
 var URL_PROTOCOL_PATTERN = /(https?:\/\/|ftp:\/\/|www\.)\S+/i;
 var URL_DOMAIN_PATTERN = /\b[\w.-]+\.(com|net|org|io|co|dev|app|xyz|info|biz|me|us|uk|edu|gov)\b/i;
 var HTML_TAG_PATTERN = /<[^>]*>/;
@@ -17360,6 +17843,144 @@ function defangUrl(str) {
 function sanitizeForEmail(str) {
   return escapeHtml(str);
 }
+function constantTimeEqual(a, b) {
+  try {
+    const aBuf = Buffer.from(a, "utf-8");
+    const bBuf = Buffer.from(b, "utf-8");
+    if (aBuf.length !== bBuf.length) return false;
+    return (0, import_crypto27.timingSafeEqual)(aBuf, bBuf);
+  } catch {
+    return false;
+  }
+}
+function sanitizeApiError(error, statusCode, isDevelopment = false) {
+  if (statusCode >= 400 && statusCode < 500) {
+    const message = error instanceof Error ? error.message : String(error || "Bad request");
+    return { message };
+  }
+  const result = {
+    message: "An internal error occurred. Please try again later.",
+    code: "INTERNAL_ERROR"
+  };
+  if (isDevelopment && error instanceof Error) {
+    result.stack = error.stack;
+  }
+  return result;
+}
+function getCorrelationId2(headers) {
+  const get = typeof headers === "function" ? headers : (name) => {
+    const val = headers[name] ?? headers[name.toLowerCase()];
+    return Array.isArray(val) ? val[0] : val;
+  };
+  return get("x-request-id") || get("X-Request-ID") || get("x-correlation-id") || get("X-Correlation-ID") || crypto.randomUUID();
+}
+
+// src/security-headers.ts
+var SecurityHeaderPresets = {
+  /** Minimal: basic headers only, no CSP */
+  minimal: {
+    csp: false,
+    hsts: false
+  },
+  /** Standard: full CSP + HSTS for most apps */
+  standard: {
+    csp: true,
+    hsts: true,
+    frameOptions: "DENY"
+  },
+  /** Strict: deny all permissions, strict CSP, no frame embedding */
+  strict: {
+    csp: true,
+    hsts: true,
+    hstsMaxAge: 63072e3,
+    // 2 years
+    frameOptions: "DENY"
+  }
+};
+function generateSecurityHeaders(config = {}) {
+  const isProduction = config.isProduction ?? process.env.NODE_ENV === "production";
+  const frameOptions = config.frameOptions ?? "DENY";
+  const enableCsp = config.csp ?? true;
+  const enableHsts = config.hsts ?? true;
+  const hstsMaxAge = config.hstsMaxAge ?? 31536e3;
+  const baseHeaders = [
+    { key: "X-Frame-Options", value: frameOptions },
+    { key: "X-Content-Type-Options", value: "nosniff" },
+    // Modern browsers use CSP, not XSS-Protection. Value '0' disables the
+    // legacy filter which can itself introduce vulnerabilities.
+    { key: "X-XSS-Protection", value: "0" },
+    {
+      key: "Referrer-Policy",
+      value: "strict-origin-when-cross-origin"
+    },
+    {
+      key: "Permissions-Policy",
+      value: "camera=(), microphone=(), geolocation=()"
+    }
+  ];
+  const entries = [
+    { source: "/:path*", headers: baseHeaders }
+  ];
+  if (isProduction) {
+    const prodHeaders = [];
+    if (enableHsts) {
+      prodHeaders.push({
+        key: "Strict-Transport-Security",
+        value: `max-age=${hstsMaxAge}; includeSubDomains`
+      });
+    }
+    if (enableCsp) {
+      const csp = buildCsp(config);
+      prodHeaders.push({ key: "Content-Security-Policy", value: csp });
+    }
+    if (prodHeaders.length > 0) {
+      entries.push({ source: "/:path*", headers: prodHeaders });
+    }
+  }
+  return entries;
+}
+function buildCsp(config) {
+  const scriptSrc = [
+    "'self'",
+    "'unsafe-inline'",
+    "'unsafe-eval'",
+    ...config.cspScriptSrc ?? []
+  ];
+  const styleSrc = [
+    "'self'",
+    "'unsafe-inline'",
+    "https://fonts.googleapis.com",
+    ...config.cspStyleSrc ?? []
+  ];
+  const imgSrc = [
+    "'self'",
+    "data:",
+    "https:",
+    "blob:",
+    ...config.cspImgSrc ?? []
+  ];
+  const fontSrc = ["'self'", "data:", "https://fonts.gstatic.com"];
+  const connectSrc = ["'self'", ...config.cspConnectSrc ?? []];
+  const frameSrc = [...config.cspFrameSrc ?? []];
+  const directives = [
+    `default-src 'self'`,
+    `script-src ${scriptSrc.join(" ")}`,
+    `style-src ${styleSrc.join(" ")}`,
+    `img-src ${imgSrc.join(" ")}`,
+    `font-src ${fontSrc.join(" ")}`,
+    `connect-src ${connectSrc.join(" ")}`
+  ];
+  if (frameSrc.length > 0) {
+    directives.push(`frame-src ${frameSrc.join(" ")}`);
+  }
+  directives.push(
+    `object-src 'none'`,
+    `base-uri 'self'`,
+    `form-action 'self'`,
+    `frame-ancestors 'none'`
+  );
+  return directives.join("; ");
+}
 
 // src/api.ts
 var ApiErrorCode = {
@@ -17486,6 +18107,850 @@ function buildPagination(page, limit, total) {
   };
 }
 
+// src/auth/keycloak.ts
+var KEYCLOAK_DEFAULT_ROLES = [
+  "offline_access",
+  "uma_authorization"
+];
+function parseKeycloakRoles(accessToken, additionalDefaultRoles = []) {
+  if (!accessToken) return [];
+  try {
+    const parts = accessToken.split(".");
+    if (parts.length !== 3) return [];
+    const payload = parts[1];
+    const decoded = JSON.parse(atob(payload));
+    const realmRoles = decoded.realm_roles ?? decoded.realm_access?.roles;
+    if (!Array.isArray(realmRoles)) return [];
+    const filterSet = /* @__PURE__ */ new Set([
+      ...KEYCLOAK_DEFAULT_ROLES,
+      ...additionalDefaultRoles
+    ]);
+    return realmRoles.filter(
+      (role) => typeof role === "string" && !filterSet.has(role)
+    );
+  } catch {
+    return [];
+  }
+}
+function hasRole(roles, role) {
+  return roles?.includes(role) ?? false;
+}
+function hasAnyRole(roles, requiredRoles) {
+  if (!roles || roles.length === 0) return false;
+  return requiredRoles.some((role) => roles.includes(role));
+}
+function hasAllRoles(roles, requiredRoles) {
+  if (!roles || roles.length === 0) return false;
+  return requiredRoles.every((role) => roles.includes(role));
+}
+function isTokenExpired(expiresAt, bufferMs = 6e4) {
+  if (!expiresAt) return true;
+  return Date.now() >= expiresAt - bufferMs;
+}
+function buildTokenRefreshParams(config, refreshToken) {
+  return new URLSearchParams({
+    grant_type: "refresh_token",
+    client_id: config.clientId,
+    client_secret: config.clientSecret,
+    refresh_token: refreshToken
+  });
+}
+function getTokenEndpoint(issuer) {
+  const base = issuer.endsWith("/") ? issuer.slice(0, -1) : issuer;
+  return `${base}/protocol/openid-connect/token`;
+}
+function getEndSessionEndpoint(issuer) {
+  const base = issuer.endsWith("/") ? issuer.slice(0, -1) : issuer;
+  return `${base}/protocol/openid-connect/logout`;
+}
+async function refreshKeycloakToken(config, refreshToken, additionalDefaultRoles) {
+  try {
+    const endpoint = getTokenEndpoint(config.issuer);
+    const params = buildTokenRefreshParams(config, refreshToken);
+    const response = await fetch(endpoint, {
+      method: "POST",
+      headers: { "Content-Type": "application/x-www-form-urlencoded" },
+      body: params
+    });
+    if (!response.ok) {
+      const body = await response.text().catch(() => "");
+      return {
+        ok: false,
+        error: `Token refresh failed: HTTP ${response.status} - ${body}`
+      };
+    }
+    const data = await response.json();
+    return {
+      ok: true,
+      tokens: {
+        accessToken: data.access_token,
+        refreshToken: data.refresh_token ?? refreshToken,
+        idToken: data.id_token,
+        expiresAt: Date.now() + data.expires_in * 1e3,
+        roles: parseKeycloakRoles(data.access_token, additionalDefaultRoles)
+      }
+    };
+  } catch (error) {
+    return {
+      ok: false,
+      error: error instanceof Error ? error.message : "Token refresh failed"
+    };
+  }
+}
+
+// src/auth/nextjs-keycloak.ts
+function buildAuthCookies(config = {}) {
+  const { domain, sessionToken = true, callbackUrl = true } = config;
+  const isProduction = process.env.NODE_ENV === "production";
+  const cookieDomain = isProduction ? domain : void 0;
+  const baseOptions = {
+    httpOnly: true,
+    sameSite: "lax",
+    path: "/",
+    secure: isProduction,
+    domain: cookieDomain
+  };
+  const cookies = {
+    pkceCodeVerifier: {
+      name: "authjs.pkce.code_verifier",
+      options: { ...baseOptions }
+    },
+    state: {
+      name: "authjs.state",
+      options: { ...baseOptions }
+    }
+  };
+  if (sessionToken) {
+    cookies.sessionToken = {
+      name: isProduction ? "__Secure-authjs.session-token" : "authjs.session-token",
+      options: { ...baseOptions }
+    };
+  }
+  if (callbackUrl) {
+    cookies.callbackUrl = {
+      name: isProduction ? "__Secure-authjs.callback-url" : "authjs.callback-url",
+      options: { ...baseOptions }
+    };
+  }
+  return cookies;
+}
+function buildRedirectCallback(config = {}) {
+  const { allowWwwVariant = false } = config;
+  return async ({ url, baseUrl }) => {
+    if (url.startsWith("/")) return `${baseUrl}${url}`;
+    try {
+      if (new URL(url).origin === baseUrl) return url;
+    } catch {
+      return baseUrl;
+    }
+    if (allowWwwVariant) {
+      try {
+        const urlHost = new URL(url).hostname;
+        const baseHost = new URL(baseUrl).hostname;
+        if (urlHost === `www.${baseHost}` || baseHost === `www.${urlHost}`) {
+          return url;
+        }
+      } catch {
+      }
+    }
+    return baseUrl;
+  };
+}
+function buildKeycloakCallbacks(config) {
+  const {
+    issuer,
+    clientId,
+    clientSecret,
+    defaultRoles = [],
+    debug = process.env.NODE_ENV === "development"
+  } = config;
+  const kcConfig = { issuer, clientId, clientSecret };
+  function log(message, meta) {
+    if (debug) {
+      console.log(`[Auth] ${message}`, meta ? JSON.stringify(meta) : "");
+    }
+  }
+  return {
+    /**
+     * JWT callback — stores Keycloak tokens and handles refresh.
+     *
+     * Compatible with Auth.js v5 JWT callback signature.
+     */
+    async jwt({
+      token,
+      user,
+      account
+    }) {
+      if (user) {
+        token.id = token.sub ?? user.id;
+      }
+      if (account?.provider === "keycloak") {
+        token.accessToken = account.access_token;
+        token.refreshToken = account.refresh_token;
+        token.idToken = account.id_token;
+        token.roles = parseKeycloakRoles(
+          account.access_token,
+          defaultRoles
+        );
+        token.accessTokenExpires = account.expires_at ? account.expires_at * 1e3 : Date.now() + 3e5;
+        return token;
+      }
+      if (!isTokenExpired(token.accessTokenExpires)) {
+        return token;
+      }
+      if (token.refreshToken) {
+        log("Token expired, attempting refresh...");
+        const result = await refreshKeycloakToken(
+          kcConfig,
+          token.refreshToken,
+          defaultRoles
+        );
+        if (result.ok) {
+          token.accessToken = result.tokens.accessToken;
+          token.idToken = result.tokens.idToken ?? token.idToken;
+          token.refreshToken = result.tokens.refreshToken ?? token.refreshToken;
+          token.accessTokenExpires = result.tokens.expiresAt;
+          token.roles = result.tokens.roles;
+          delete token.error;
+          log("Token refreshed OK");
+          return token;
+        }
+        log("Token refresh failed", { error: result.error });
+        return { ...token, error: "RefreshTokenError" };
+      }
+      log("Token expired but no refresh token available");
+      return { ...token, error: "RefreshTokenError" };
+    },
+    /**
+     * Session callback — maps JWT fields to the session object.
+     *
+     * Compatible with Auth.js v5 session callback signature.
+     */
+    async session({
+      session,
+      token
+    }) {
+      const user = session.user;
+      if (user) {
+        user.id = token.id || token.sub;
+        user.roles = token.roles || [];
+      }
+      session.idToken = token.idToken;
+      session.accessToken = token.accessToken;
+      if (token.error) {
+        session.error = token.error;
+      }
+      return session;
+    }
+  };
+}
+
+// src/auth/api-security.ts
+var StandardRateLimitPresets = {
+  /** General API: 100/min, 200/min authenticated */
+  apiGeneral: {
+    limit: 100,
+    windowSeconds: 60,
+    authenticatedLimit: 200
+  },
+  /** Admin operations: 100/min (admins are trusted) */
+  adminAction: {
+    limit: 100,
+    windowSeconds: 60
+  },
+  /** AI/expensive operations: 20/hour, 50/hour authenticated */
+  aiRequest: {
+    limit: 20,
+    windowSeconds: 3600,
+    authenticatedLimit: 50
+  },
+  /** Auth attempts: 5/15min with 15min block */
+  authAttempt: {
+    limit: 5,
+    windowSeconds: 900,
+    blockDurationSeconds: 900
+  },
+  /** Contact/public forms: 10/hour */
+  publicForm: {
+    limit: 10,
+    windowSeconds: 3600,
+    blockDurationSeconds: 1800
+  },
+  /** Checkout/billing: 10/hour with 1hr block */
+  checkout: {
+    limit: 10,
+    windowSeconds: 3600,
+    blockDurationSeconds: 3600
+  }
+};
+function resolveRateLimitIdentifier(session, clientIp) {
+  if (session?.user?.id) {
+    return { identifier: `user:${session.user.id}`, isAuthenticated: true };
+  }
+  if (session?.user?.email) {
+    return {
+      identifier: `email:${session.user.email}`,
+      isAuthenticated: true
+    };
+  }
+  return { identifier: `ip:${clientIp}`, isAuthenticated: false };
+}
+function extractClientIp(getHeader) {
+  return getHeader("cf-connecting-ip") || getHeader("x-real-ip") || getHeader("x-forwarded-for")?.split(",")[0]?.trim() || "unknown";
+}
+function buildRateLimitHeaders(limit, remaining, resetAtMs) {
+  return {
+    "X-RateLimit-Limit": String(limit),
+    "X-RateLimit-Remaining": String(Math.max(0, remaining)),
+    "X-RateLimit-Reset": String(Math.ceil(resetAtMs / 1e3))
+  };
+}
+function buildErrorBody(error, extra) {
+  return { error, ...extra };
+}
+var WrapperPresets = {
+  /** Public route: no auth, rate limited */
+  public: {
+    requireAuth: false,
+    requireAdmin: false,
+    rateLimit: "apiGeneral"
+  },
+  /** Authenticated route: requires session */
+  authenticated: {
+    requireAuth: true,
+    requireAdmin: false,
+    rateLimit: "apiGeneral"
+  },
+  /** Admin route: requires session with admin role */
+  admin: {
+    requireAuth: true,
+    requireAdmin: true,
+    rateLimit: "adminAction"
+  },
+  /** Legacy admin: accepts session OR bearer token */
+  legacyAdmin: {
+    requireAuth: true,
+    requireAdmin: true,
+    allowBearerToken: true,
+    rateLimit: "adminAction"
+  },
+  /** AI/expensive: requires auth, strict rate limit */
+  ai: {
+    requireAuth: true,
+    requireAdmin: false,
+    rateLimit: "aiRequest"
+  },
+  /** Cron: no rate limit, admin-level access */
+  cron: {
+    requireAuth: true,
+    requireAdmin: false,
+    skipRateLimit: true,
+    skipAudit: false
+  }
+};
+
+// src/auth/schemas.ts
+var import_zod2 = require("zod");
+var EmailSchema = import_zod2.z.string().trim().toLowerCase().email("Invalid email address");
+var PasswordSchema = import_zod2.z.string().min(8, "Password must be at least 8 characters").max(100, "Password must be less than 100 characters");
+var SlugSchema = import_zod2.z.string().min(1, "Slug is required").max(100, "Slug must be less than 100 characters").regex(
+  /^[a-z0-9-]+$/,
+  "Slug can only contain lowercase letters, numbers, and hyphens"
+);
+var PhoneSchema = import_zod2.z.string().regex(/^[\d\s()+.\-]{7,20}$/, "Invalid phone number format");
+var PersonNameSchema = import_zod2.z.string().min(2, "Name must be at least 2 characters").max(100, "Name must be less than 100 characters").regex(
+  /^[a-zA-Z\s\-']+$/,
+  "Name can only contain letters, spaces, hyphens and apostrophes"
+);
+function createSafeTextSchema(options) {
+  const {
+    min,
+    max,
+    allowHtml = false,
+    allowUrls = false,
+    fieldName = "Text"
+  } = options ?? {};
+  let schema = import_zod2.z.string();
+  if (min !== void 0)
+    schema = schema.min(min, `${fieldName} must be at least ${min} characters`);
+  if (max !== void 0)
+    schema = schema.max(
+      max,
+      `${fieldName} must be less than ${max} characters`
+    );
+  if (!allowHtml && !allowUrls) {
+    return schema.refine((val) => !HTML_TAG_PATTERN.test(val), "HTML tags are not allowed").refine(
+      (val) => !URL_PROTOCOL_PATTERN.test(val),
+      "Links are not allowed for security reasons"
+    ).refine(
+      (val) => !URL_DOMAIN_PATTERN.test(val),
+      "Links are not allowed for security reasons"
+    );
+  }
+  if (!allowHtml) {
+    return schema.refine(
+      (val) => !HTML_TAG_PATTERN.test(val),
+      "HTML tags are not allowed"
+    );
+  }
+  if (!allowUrls) {
+    return schema.refine(
+      (val) => !URL_PROTOCOL_PATTERN.test(val),
+      "Links are not allowed for security reasons"
+    ).refine(
+      (val) => !URL_DOMAIN_PATTERN.test(val),
+      "Links are not allowed for security reasons"
+    );
+  }
+  return schema;
+}
+var PaginationSchema = import_zod2.z.object({
+  page: import_zod2.z.coerce.number().int().positive().default(1),
+  limit: import_zod2.z.coerce.number().int().positive().max(100).default(20),
+  sortBy: import_zod2.z.string().optional(),
+  sortOrder: import_zod2.z.enum(["asc", "desc"]).default("desc")
+});
+var DateRangeSchema = import_zod2.z.object({
+  startDate: import_zod2.z.string().datetime(),
+  endDate: import_zod2.z.string().datetime()
+}).refine((data) => new Date(data.startDate) <= new Date(data.endDate), {
+  message: "Start date must be before end date"
+});
+var SearchQuerySchema = import_zod2.z.object({
+  query: import_zod2.z.string().min(1).max(200).trim(),
+  page: import_zod2.z.coerce.number().int().positive().default(1),
+  limit: import_zod2.z.coerce.number().int().positive().max(50).default(10)
+});
+var LoginSchema = import_zod2.z.object({
+  email: EmailSchema,
+  password: PasswordSchema
+});
+var SignupSchema = import_zod2.z.object({
+  email: EmailSchema,
+  password: PasswordSchema,
+  name: import_zod2.z.string().min(2).max(100).optional()
+});
+
+// src/auth/feature-flags.ts
+function detectStage() {
+  const stage = process.env.DEPLOYMENT_STAGE;
+  if (stage === "staging" || stage === "preview") return stage;
+  if (process.env.NODE_ENV === "production") return "production";
+  return "development";
+}
+function resolveFlagValue(value) {
+  if (typeof value === "boolean") return value;
+  const envValue = process.env[value.envVar];
+  if (envValue === void 0 || envValue === "") {
+    return value.default ?? false;
+  }
+  return envValue === "true" || envValue === "1";
+}
+function createFeatureFlags(definitions) {
+  return {
+    /**
+     * Resolve all flags for the current environment.
+     * Call this once at startup or per-request for dynamic flags.
+     */
+    resolve(stage) {
+      const currentStage = stage ?? detectStage();
+      const resolved = {};
+      for (const [key, def] of Object.entries(definitions)) {
+        const stageKey = currentStage === "preview" ? "staging" : currentStage;
+        resolved[key] = resolveFlagValue(def[stageKey]);
+      }
+      return resolved;
+    },
+    /**
+     * Check if a single flag is enabled.
+     */
+    isEnabled(flag, stage) {
+      const currentStage = stage ?? detectStage();
+      const def = definitions[flag];
+      const stageKey = currentStage === "preview" ? "staging" : currentStage;
+      return resolveFlagValue(def[stageKey]);
+    },
+    /**
+     * Get the flag definitions (for introspection/admin UI).
+     */
+    definitions
+  };
+}
+function buildAllowlist(config) {
+  const fromEnv = config.envVar ? process.env[config.envVar]?.split(",").map((e) => e.trim().toLowerCase()).filter(Boolean) ?? [] : [];
+  const fallback = config.fallback?.map((e) => e.toLowerCase()) ?? [];
+  return [.../* @__PURE__ */ new Set([...fromEnv, ...fallback])];
+}
+function isAllowlisted(email, allowlist) {
+  return allowlist.includes(email.toLowerCase());
+}
+
+// src/auth/rate-limiter.ts
+var CommonRateLimits = {
+  /** General API: 100/min, 200/min authenticated */
+  apiGeneral: {
+    limit: 100,
+    windowSeconds: 60,
+    authenticatedLimit: 200
+  },
+  /** Admin actions: 100/min */
+  adminAction: {
+    limit: 100,
+    windowSeconds: 60
+  },
+  /** Auth attempts: 10/15min with 30min block */
+  authAttempt: {
+    limit: 10,
+    windowSeconds: 900,
+    blockDurationSeconds: 1800
+  },
+  /** AI/expensive requests: 20/hour, 50/hour authenticated */
+  aiRequest: {
+    limit: 20,
+    windowSeconds: 3600,
+    authenticatedLimit: 50
+  },
+  /** Public form submissions: 5/hour with 1hr block */
+  publicForm: {
+    limit: 5,
+    windowSeconds: 3600,
+    blockDurationSeconds: 3600
+  },
+  /** Checkout/billing: 10/hour with 1hr block */
+  checkout: {
+    limit: 10,
+    windowSeconds: 3600,
+    blockDurationSeconds: 3600
+  }
+};
+function createMemoryRateLimitStore() {
+  const windows = /* @__PURE__ */ new Map();
+  const blocks = /* @__PURE__ */ new Map();
+  const cleanupInterval = setInterval(() => {
+    const now = Date.now();
+    for (const [key, entry] of windows) {
+      if (entry.expiresAt < now) windows.delete(key);
+    }
+    for (const [key, expiry] of blocks) {
+      if (expiry < now) blocks.delete(key);
+    }
+  }, 60 * 1e3);
+  if (cleanupInterval.unref) {
+    cleanupInterval.unref();
+  }
+  return {
+    async increment(key, windowMs, now) {
+      const windowStart = now - windowMs;
+      let entry = windows.get(key);
+      if (!entry) {
+        entry = { timestamps: [], expiresAt: now + windowMs + 6e4 };
+        windows.set(key, entry);
+      }
+      entry.timestamps = entry.timestamps.filter((t) => t > windowStart);
+      entry.timestamps.push(now);
+      entry.expiresAt = now + windowMs + 6e4;
+      return { count: entry.timestamps.length };
+    },
+    async isBlocked(key) {
+      const expiry = blocks.get(key);
+      if (!expiry || expiry < Date.now()) {
+        blocks.delete(key);
+        return { blocked: false, ttlMs: 0 };
+      }
+      return { blocked: true, ttlMs: expiry - Date.now() };
+    },
+    async setBlock(key, durationSeconds) {
+      blocks.set(key, Date.now() + durationSeconds * 1e3);
+    },
+    async reset(key) {
+      windows.delete(key);
+      blocks.delete(`block:${key}`);
+      blocks.delete(key);
+    }
+  };
+}
+var defaultStore;
+function getDefaultStore() {
+  if (!defaultStore) {
+    defaultStore = createMemoryRateLimitStore();
+  }
+  return defaultStore;
+}
+async function checkRateLimit(operation, identifier, rule, options = {}) {
+  const store = options.store ?? getDefaultStore();
+  const limit = options.isAuthenticated && rule.authenticatedLimit ? rule.authenticatedLimit : rule.limit;
+  const now = Date.now();
+  const windowMs = rule.windowSeconds * 1e3;
+  const resetAt = now + windowMs;
+  const key = `ratelimit:${operation}:${identifier}`;
+  const blockKey = `ratelimit:block:${operation}:${identifier}`;
+  try {
+    if (rule.blockDurationSeconds) {
+      const blockStatus = await store.isBlocked(blockKey);
+      if (blockStatus.blocked) {
+        return {
+          allowed: false,
+          remaining: 0,
+          resetAt: now + blockStatus.ttlMs,
+          current: limit + 1,
+          limit,
+          retryAfterSeconds: Math.ceil(blockStatus.ttlMs / 1e3)
+        };
+      }
+    }
+    const { count } = await store.increment(key, windowMs, now);
+    if (count > limit) {
+      options.logger?.warn("Rate limit exceeded", {
+        operation,
+        identifier,
+        current: count,
+        limit
+      });
+      if (rule.blockDurationSeconds) {
+        await store.setBlock(blockKey, rule.blockDurationSeconds);
+      }
+      return {
+        allowed: false,
+        remaining: 0,
+        resetAt,
+        current: count,
+        limit,
+        retryAfterSeconds: Math.ceil(windowMs / 1e3)
+      };
+    }
+    return {
+      allowed: true,
+      remaining: limit - count,
+      resetAt,
+      current: count,
+      limit,
+      retryAfterSeconds: 0
+    };
+  } catch (error) {
+    options.logger?.error("Rate limit check failed, allowing request", {
+      error: error instanceof Error ? error.message : String(error),
+      operation,
+      identifier
+    });
+    return {
+      allowed: true,
+      remaining: limit,
+      resetAt,
+      current: 0,
+      limit,
+      retryAfterSeconds: 0
+    };
+  }
+}
+async function getRateLimitStatus(operation, identifier, rule, store) {
+  const s = store ?? getDefaultStore();
+  const key = `ratelimit:${operation}:${identifier}`;
+  const now = Date.now();
+  const windowMs = rule.windowSeconds * 1e3;
+  try {
+    const { count } = await s.increment(key, windowMs, now);
+    return {
+      allowed: count <= rule.limit,
+      remaining: Math.max(0, rule.limit - count),
+      resetAt: now + windowMs,
+      current: count,
+      limit: rule.limit,
+      retryAfterSeconds: count > rule.limit ? Math.ceil(windowMs / 1e3) : 0
+    };
+  } catch {
+    return null;
+  }
+}
+async function resetRateLimitForKey(operation, identifier, store) {
+  const s = store ?? getDefaultStore();
+  const key = `ratelimit:${operation}:${identifier}`;
+  const blockKey = `ratelimit:block:${operation}:${identifier}`;
+  await s.reset(key);
+  await s.reset(blockKey);
+}
+function buildRateLimitResponseHeaders(result) {
+  const headers = {
+    "X-RateLimit-Limit": String(result.limit),
+    "X-RateLimit-Remaining": String(result.remaining),
+    "X-RateLimit-Reset": String(Math.ceil(result.resetAt / 1e3))
+  };
+  if (!result.allowed) {
+    headers["Retry-After"] = String(result.retryAfterSeconds);
+  }
+  return headers;
+}
+function resolveIdentifier(session, clientIp) {
+  if (session?.user?.id) {
+    return { identifier: `user:${session.user.id}`, isAuthenticated: true };
+  }
+  if (session?.user?.email) {
+    return {
+      identifier: `email:${session.user.email}`,
+      isAuthenticated: true
+    };
+  }
+  return { identifier: `ip:${clientIp ?? "unknown"}`, isAuthenticated: false };
+}
+
+// src/auth/audit.ts
+var StandardAuditActions = {
+  // Authentication
+  LOGIN_SUCCESS: "auth.login.success",
+  LOGIN_FAILURE: "auth.login.failure",
+  LOGOUT: "auth.logout",
+  SESSION_REFRESH: "auth.session.refresh",
+  PASSWORD_CHANGE: "auth.password.change",
+  PASSWORD_RESET: "auth.password.reset",
+  // Billing
+  CHECKOUT_START: "billing.checkout.start",
+  CHECKOUT_COMPLETE: "billing.checkout.complete",
+  SUBSCRIPTION_CREATE: "billing.subscription.create",
+  SUBSCRIPTION_CANCEL: "billing.subscription.cancel",
+  SUBSCRIPTION_UPDATE: "billing.subscription.update",
+  PAYMENT_FAILED: "billing.payment.failed",
+  // Admin
+  ADMIN_LOGIN: "admin.login",
+  ADMIN_USER_VIEW: "admin.user.view",
+  ADMIN_USER_UPDATE: "admin.user.update",
+  ADMIN_CONFIG_CHANGE: "admin.config.change",
+  // Security Events
+  RATE_LIMIT_EXCEEDED: "security.rate_limit.exceeded",
+  INVALID_INPUT: "security.input.invalid",
+  UNAUTHORIZED_ACCESS: "security.access.unauthorized",
+  OWNERSHIP_VIOLATION: "security.ownership.violation",
+  WEBHOOK_SIGNATURE_INVALID: "security.webhook.signature_invalid",
+  // Data
+  DATA_EXPORT: "data.export",
+  DATA_DELETE: "data.delete",
+  DATA_UPDATE: "data.update"
+};
+function extractAuditIp(request) {
+  if (!request) return void 0;
+  const headers = [
+    "cf-connecting-ip",
+    // Cloudflare
+    "x-real-ip",
+    // Nginx
+    "x-forwarded-for",
+    // Standard proxy
+    "x-client-ip"
+    // Apache
+  ];
+  for (const header of headers) {
+    const value = request.headers.get(header);
+    if (value) {
+      return value.split(",")[0]?.trim();
+    }
+  }
+  return void 0;
+}
+function extractAuditUserAgent(request) {
+  return request?.headers.get("user-agent") ?? void 0;
+}
+function extractAuditRequestId(request) {
+  return request?.headers.get("x-request-id") ?? crypto.randomUUID();
+}
+function createAuditActor(session) {
+  if (!session?.user) {
+    return { id: "anonymous", type: "anonymous" };
+  }
+  return {
+    id: session.user.id ?? session.user.email ?? "unknown",
+    email: session.user.email ?? void 0,
+    type: "user"
+  };
+}
+var defaultLogger = {
+  info: (msg, meta) => console.log(msg, meta ? JSON.stringify(meta) : ""),
+  warn: (msg, meta) => console.warn(msg, meta ? JSON.stringify(meta) : ""),
+  error: (msg, meta) => console.error(msg, meta ? JSON.stringify(meta) : "")
+};
+function createAuditLogger(options = {}) {
+  const { persist, logger = defaultLogger } = options;
+  async function log(event, request) {
+    const record = {
+      id: crypto.randomUUID(),
+      timestamp: (/* @__PURE__ */ new Date()).toISOString(),
+      ip: extractAuditIp(request),
+      userAgent: extractAuditUserAgent(request),
+      requestId: extractAuditRequestId(request),
+      ...event
+    };
+    const logFn = event.outcome === "failure" || event.outcome === "blocked" ? logger.warn : logger.info;
+    logFn(`[AUDIT] ${event.action}`, {
+      auditId: record.id,
+      actor: record.actor,
+      action: record.action,
+      resource: record.resource,
+      outcome: record.outcome,
+      ip: record.ip,
+      metadata: record.metadata,
+      reason: record.reason
+    });
+    if (persist) {
+      try {
+        await persist(record);
+      } catch (error) {
+        logger.error("Failed to persist audit log", {
+          error: error instanceof Error ? error.message : String(error),
+          auditId: record.id
+        });
+      }
+    }
+    return record;
+  }
+  function createTimedAudit(event, request) {
+    const startTime = Date.now();
+    return {
+      success: async (metadata) => {
+        return log(
+          {
+            ...event,
+            outcome: "success",
+            metadata: {
+              ...event.metadata,
+              ...metadata,
+              durationMs: Date.now() - startTime
+            }
+          },
+          request
+        );
+      },
+      failure: async (reason, metadata) => {
+        return log(
+          {
+            ...event,
+            outcome: "failure",
+            reason,
+            metadata: {
+              ...event.metadata,
+              ...metadata,
+              durationMs: Date.now() - startTime
+            }
+          },
+          request
+        );
+      },
+      blocked: async (reason, metadata) => {
+        return log(
+          {
+            ...event,
+            outcome: "blocked",
+            reason,
+            metadata: {
+              ...event.metadata,
+              ...metadata,
+              durationMs: Date.now() - startTime
+            }
+          },
+          request
+        );
+      }
+    };
+  }
+  return { log, createTimedAudit };
+}
+
 // src/http/health.ts
 function createHealthEndpoints(platform, options = {}) {
   const {
@@ -18564,7 +20029,7 @@ var MemoryAuditLog = class {
 };
 
 // src/adapters/memory/MemoryWebhook.ts
-var import_crypto2 = require("crypto");
+var import_crypto28 = require("crypto");
 var MemoryWebhook = class {
   endpoints = /* @__PURE__ */ new Map();
   deliveries = /* @__PURE__ */ new Map();
@@ -18846,7 +20311,7 @@ var MemoryWebhook = class {
       config.secret,
       algorithm
     );
-    const providedSig = signature.replace(/^(sha256=|sha512=|sha1=)/, "");
+    const providedSig = signature.replace(/^(sha256=|sha512=)/, "");
     if (providedSig !== expectedSignature) {
       return { valid: false, error: "Invalid signature" };
     }
@@ -18951,7 +20416,7 @@ var MemoryWebhook = class {
     this.deliveries.set(delivery.id, delivery);
   }
   async executeDelivery(endpoint, event, attemptNumber) {
-    const attemptId = `att_${Date.now().toString(36)}${Math.random().toString(36).substring(2, 8)}`;
+    const attemptId = `att_${Date.now().toString(36)}${(0, import_crypto28.randomBytes)(4).toString("hex")}`;
     const startTime = Date.now();
     if (this.config.simulatedDelay > 0) {
       await new Promise(
@@ -19005,7 +20470,7 @@ var MemoryWebhook = class {
     this.endpoints.set(endpoint.id, endpoint);
   }
   computeSignature(payload, secret, algorithm) {
-    return (0, import_crypto2.createHmac)(algorithm, secret).update(payload).digest("hex");
+    return (0, import_crypto28.createHmac)(algorithm, secret).update(payload).digest("hex");
   }
 };
 
@@ -19356,6 +20821,7 @@ var MemoryNotification = class {
 };
 
 // src/adapters/memory/MemoryScheduler.ts
+var import_crypto29 = require("crypto");
 var MemoryScheduler = class {
   config;
   schedules = /* @__PURE__ */ new Map();
@@ -19639,7 +21105,7 @@ var MemoryScheduler = class {
     }
   }
   async executeSchedule(schedule) {
-    const executionId = `exec_${Date.now().toString(36)}${Math.random().toString(36).substring(2, 8)}`;
+    const executionId = `exec_${Date.now().toString(36)}${(0, import_crypto29.randomBytes)(4).toString("hex")}`;
     const startedAt = (/* @__PURE__ */ new Date()).toISOString();
     const execution = {
       id: executionId,
@@ -20119,6 +21585,7 @@ CREATE INDEX IF NOT EXISTS idx_${tableName}_trace_id ON ${tableName}((context->>
 };
 
 // src/adapters/database/DatabaseErrorReporter.ts
+var import_crypto30 = require("crypto");
 var DatabaseErrorReporter = class {
   db;
   errorsTable;
@@ -20413,7 +21880,7 @@ CREATE INDEX IF NOT EXISTS idx_${breadcrumbsTable}_error ON ${breadcrumbsTable}(
     if (report.breadcrumbs && report.breadcrumbs.length > 0) {
       for (const crumb of report.breadcrumbs) {
         await this.db.from(this.breadcrumbsTable).insert({
-          id: `bc_${Date.now().toString(36)}${Math.random().toString(36).substring(2, 8)}`,
+          id: `bc_${Date.now().toString(36)}${(0, import_crypto30.randomBytes)(4).toString("hex")}`,
           error_id: report.id,
           category: crumb.category,
           message: crumb.message,
@@ -20453,6 +21920,7 @@ CREATE INDEX IF NOT EXISTS idx_${breadcrumbsTable}_error ON ${breadcrumbsTable}(
 };
 
 // src/adapters/database/DatabasePromptStore.ts
+var import_crypto31 = require("crypto");
 var DatabasePromptStore = class {
   db;
   cache;
@@ -20592,7 +22060,7 @@ CREATE INDEX IF NOT EXISTS idx_${tablePrefix}usage_experiment ON ${tablePrefix}p
   // Prompt CRUD
   // ═══════════════════════════════════════════════════════════════
   async create(prompt) {
-    const id = `prompt_${Date.now()}_${Math.random().toString(36).substring(7)}`;
+    const id = `prompt_${Date.now()}_${(0, import_crypto31.randomBytes)(4).toString("hex")}`;
     const now = /* @__PURE__ */ new Date();
     const newPrompt = {
       ...prompt,
@@ -20620,7 +22088,7 @@ CREATE INDEX IF NOT EXISTS idx_${tablePrefix}usage_experiment ON ${tablePrefix}p
       created_by: newPrompt.createdBy,
       updated_by: newPrompt.updatedBy
     }).execute();
-    const versionId = `pv_${Date.now()}_${Math.random().toString(36).substring(7)}`;
+    const versionId = `pv_${Date.now()}_${(0, import_crypto31.randomBytes)(4).toString("hex")}`;
     await this.db.from(this.versionsTable).insert({
       id: versionId,
       prompt_id: id,
@@ -20689,7 +22157,7 @@ CREATE INDEX IF NOT EXISTS idx_${tablePrefix}usage_experiment ON ${tablePrefix}p
       await this.db.from(this.versionsTable).update({ is_latest: false }).where("prompt_id", "=", prompt.id).execute();
       const versionsResult = await this.db.from(this.versionsTable).where("prompt_id", "=", prompt.id).execute();
       const newVersionNum = versionsResult.data.length + 1;
-      const versionId = `pv_${Date.now()}_${Math.random().toString(36).substring(7)}`;
+      const versionId = `pv_${Date.now()}_${(0, import_crypto31.randomBytes)(4).toString("hex")}`;
       await this.db.from(this.versionsTable).insert({
         id: versionId,
         prompt_id: prompt.id,
@@ -20944,7 +22412,7 @@ ${v2.content}`;
   // A/B Testing
   // ═══════════════════════════════════════════════════════════════
   async createExperiment(experiment) {
-    const id = `exp_${Date.now()}_${Math.random().toString(36).substring(7)}`;
+    const id = `exp_${Date.now()}_${(0, import_crypto31.randomBytes)(4).toString("hex")}`;
     const now = /* @__PURE__ */ new Date();
     const newExperiment = {
       ...experiment,
@@ -21058,7 +22526,7 @@ ${v2.content}`;
   // Prompt Chains
   // ═══════════════════════════════════════════════════════════════
   async createChain(chain) {
-    const id = `chain_${Date.now()}_${Math.random().toString(36).substring(7)}`;
+    const id = `chain_${Date.now()}_${(0, import_crypto31.randomBytes)(4).toString("hex")}`;
     const now = /* @__PURE__ */ new Date();
     const newChain = {
       ...chain,
@@ -21156,7 +22624,7 @@ ${v2.content}`;
   // Usage & Analytics
   // ═══════════════════════════════════════════════════════════════
   async recordUsage(record) {
-    const id = `usage_${Date.now()}_${Math.random().toString(36).substring(7)}`;
+    const id = `usage_${Date.now()}_${(0, import_crypto31.randomBytes)(4).toString("hex")}`;
     const now = /* @__PURE__ */ new Date();
     const usageRecord = {
       ...record,
@@ -21342,8 +22810,9 @@ ${v2.content}`;
 };
 
 // src/adapters/database/DatabaseCompliance.ts
+var import_crypto32 = require("crypto");
 function generateId(prefix) {
-  return `${prefix}_${Date.now()}_${Math.random().toString(36).substring(2, 9)}`;
+  return `${prefix}_${Date.now()}_${(0, import_crypto32.randomBytes)(4).toString("hex")}`;
 }
 function toDate(value) {
   return value ? new Date(value) : void 0;
@@ -21534,7 +23003,7 @@ var DatabaseCompliance = class {
   async createDsar(options) {
     const id = generateId("dsar");
     const now = (/* @__PURE__ */ new Date()).toISOString();
-    const verificationToken = `verify_${Math.random().toString(36).substring(2)}`;
+    const verificationToken = `verify_${(0, import_crypto32.randomBytes)(16).toString("hex")}`;
     const result = await this.db.from("compliance_dsars").insert({
       id,
       type: options.type,
@@ -22473,6 +23942,7 @@ var DatabaseCompliance = class {
 };
 
 // src/adapters/database/DatabaseAIUsage.ts
+var import_crypto33 = require("crypto");
 var DatabaseAIUsage = class {
   db;
   config;
@@ -22486,7 +23956,7 @@ var DatabaseAIUsage = class {
   // Usage Recording
   // ─────────────────────────────────────────────────────────────
   async record(record) {
-    const id = `usage_${Date.now()}_${Math.random().toString(36).substring(7)}`;
+    const id = `usage_${Date.now()}_${(0, import_crypto33.randomBytes)(4).toString("hex")}`;
     const now = /* @__PURE__ */ new Date();
     await this.db.from(`${this.prefix}records`).insert({
       id,
@@ -22593,7 +24063,7 @@ var DatabaseAIUsage = class {
       quota.category
     );
     const period = this.getPeriodBounds(quota.period, /* @__PURE__ */ new Date());
-    const id = existing?.id || `quota_${Date.now()}_${Math.random().toString(36).substring(7)}`;
+    const id = existing?.id || `quota_${Date.now()}_${(0, import_crypto33.randomBytes)(4).toString("hex")}`;
     const data = {
       id,
       tenant_id: quota.tenantId,
@@ -22730,7 +24200,7 @@ var DatabaseAIUsage = class {
       existingResult.data[0]
     ) : null;
     const period = this.getPeriodBounds(budget.period, /* @__PURE__ */ new Date());
-    const id = existing?.id || `budget_${Date.now()}_${Math.random().toString(36).substring(7)}`;
+    const id = existing?.id || `budget_${Date.now()}_${(0, import_crypto33.randomBytes)(4).toString("hex")}`;
     const data = {
       id,
       tenant_id: budget.tenantId,
@@ -23029,7 +24499,7 @@ var DatabaseAIUsage = class {
     }
     const items = Array.from(itemsMap.values());
     const subtotal = items.reduce((sum, item) => sum + item.costUsd, 0);
-    const id = `inv_${Date.now()}_${Math.random().toString(36).substring(7)}`;
+    const id = `inv_${Date.now()}_${(0, import_crypto33.randomBytes)(4).toString("hex")}`;
     const now = /* @__PURE__ */ new Date();
     await this.db.from(`${this.prefix}invoices`).insert({
       id,
@@ -23251,7 +24721,7 @@ var DatabaseAIUsage = class {
     }
   }
   async createAlert(tenantId, type, severity, message, metadata) {
-    const id = `alert_${Date.now()}_${Math.random().toString(36).substring(7)}`;
+    const id = `alert_${Date.now()}_${(0, import_crypto33.randomBytes)(4).toString("hex")}`;
     await this.db.from(`${this.prefix}alerts`).insert({
       id,
       tenant_id: tenantId,
@@ -23457,6 +24927,7 @@ var DatabaseAIUsage = class {
 };
 
 // src/adapters/database/DatabaseNotification.ts
+var import_crypto34 = require("crypto");
 var DatabaseNotification = class {
   db;
   email;
@@ -23694,7 +25165,7 @@ var DatabaseNotification = class {
   // PUSH SUBSCRIPTIONS
   // ═══════════════════════════════════════════════════════════════
   async registerPushSubscription(userId, subscription) {
-    const id = `push_${Date.now()}_${Math.random().toString(36).substring(7)}`;
+    const id = `push_${Date.now()}_${(0, import_crypto34.randomBytes)(4).toString("hex")}`;
     const existing = await this.db.from(`${this.prefix}push_subscriptions`).where("user_id", "=", userId).where("endpoint", "=", subscription.endpoint).execute();
     if (existing.data && existing.data.length > 0) {
       await this.db.from(`${this.prefix}push_subscriptions`).where("user_id", "=", userId).where("endpoint", "=", subscription.endpoint).update({
@@ -23792,7 +25263,7 @@ var DatabaseNotification = class {
   // TOPICS
   // ═══════════════════════════════════════════════════════════════
   async subscribeToTopic(userId, topic) {
-    const id = `topic_${Date.now()}_${Math.random().toString(36).substring(7)}`;
+    const id = `topic_${Date.now()}_${(0, import_crypto34.randomBytes)(4).toString("hex")}`;
     const existing = await this.db.from(`${this.prefix}notification_topic_subs`).where("user_id", "=", userId).where("topic", "=", topic).execute();
     if (!existing.data || existing.data.length === 0) {
       await this.db.from(`${this.prefix}notification_topic_subs`).insert({
@@ -23873,7 +25344,7 @@ var DatabaseNotification = class {
   // PRIVATE HELPERS
   // ═══════════════════════════════════════════════════════════════
   async logDelivery(notificationId, channel, status, messageId, error) {
-    const id = `del_${Date.now()}_${Math.random().toString(36).substring(7)}`;
+    const id = `del_${Date.now()}_${(0, import_crypto34.randomBytes)(4).toString("hex")}`;
     try {
       await this.db.from(`${this.prefix}notification_delivery_log`).insert({
         id,
@@ -23935,6 +25406,7 @@ var DatabaseNotification = class {
 };
 
 // src/adapters/database/DatabaseBilling.ts
+var import_crypto35 = require("crypto");
 var DatabaseBilling = class {
   db;
   prefix;
@@ -23957,7 +25429,7 @@ var DatabaseBilling = class {
     return `${this.prefix}${name}`;
   }
   generateId(prefix) {
-    return `${prefix}_${Date.now()}_${Math.random().toString(36).substring(2, 9)}`;
+    return `${prefix}_${Date.now()}_${(0, import_crypto35.randomBytes)(4).toString("hex")}`;
   }
   // ─────────────────────────────────────────────────────────────
   // Product & Price Management
@@ -25455,6 +26927,7 @@ var DatabaseBilling = class {
 };
 
 // src/adapters/scheduler/QueueScheduler.ts
+var import_crypto36 = require("crypto");
 var QueueScheduler = class {
   queue;
   db;
@@ -25870,7 +27343,7 @@ CREATE INDEX IF NOT EXISTS idx_${executionsTable}_started ON ${executionsTable}(
     }
   }
   async executeSchedule(schedule) {
-    const executionId = `exec_${Date.now().toString(36)}${Math.random().toString(36).substring(2, 8)}`;
+    const executionId = `exec_${Date.now().toString(36)}${(0, import_crypto36.randomBytes)(4).toString("hex")}`;
     const startedAt = (/* @__PURE__ */ new Date()).toISOString();
     const execution = {
       id: executionId,
@@ -26033,7 +27506,7 @@ CREATE INDEX IF NOT EXISTS idx_${executionsTable}_started ON ${executionsTable}(
 };
 
 // src/adapters/webhook/HttpWebhook.ts
-var import_crypto3 = require("crypto");
+var import_crypto37 = require("crypto");
 var HttpWebhook = class {
   db;
   queue;
@@ -26375,14 +27848,14 @@ var HttpWebhook = class {
       config.secret,
       algorithm
     );
-    const providedSig = signature.replace(/^(sha256=|sha512=|sha1=)/, "");
+    const providedSig = signature.replace(/^(sha256=|sha512=)/, "");
     try {
       const providedBuffer = Buffer.from(providedSig, "hex");
       const expectedBuffer = Buffer.from(expectedSignature, "hex");
       if (providedBuffer.length !== expectedBuffer.length) {
         return { valid: false, error: "Invalid signature" };
       }
-      if (!(0, import_crypto3.timingSafeEqual)(providedBuffer, expectedBuffer)) {
+      if (!(0, import_crypto37.timingSafeEqual)(providedBuffer, expectedBuffer)) {
         return { valid: false, error: "Invalid signature" };
       }
     } catch {
@@ -26631,7 +28104,7 @@ CREATE INDEX IF NOT EXISTS idx_${attemptsTable}_delivery ON ${attemptsTable}(del
     await this.saveDelivery(delivery);
   }
   async executeDelivery(endpoint, event, attemptNumber) {
-    const attemptId = `att_${Date.now().toString(36)}${Math.random().toString(36).substring(2, 8)}`;
+    const attemptId = `att_${Date.now().toString(36)}${(0, import_crypto37.randomBytes)(4).toString("hex")}`;
     const startTime = Date.now();
     const payloadStr = JSON.stringify(event);
     const signature = this.computeSignature(
@@ -26735,7 +28208,7 @@ CREATE INDEX IF NOT EXISTS idx_${attemptsTable}_delivery ON ${attemptsTable}(del
     await this.saveEndpoint(endpoint);
   }
   computeSignature(payload, secret, algorithm) {
-    return (0, import_crypto3.createHmac)(algorithm, secret).update(payload).digest("hex");
+    return (0, import_crypto37.createHmac)(algorithm, secret).update(payload).digest("hex");
   }
   endpointToRow(endpoint) {
     return {
@@ -28057,6 +29530,9 @@ init_PineconeRAG();
 // src/adapters/weaviate/index.ts
 init_WeaviateRAG();
 
+// src/index.ts
+init_NodeCrypto();
+
 // src/adapters/oidc/GenericOIDCAuthSSO.ts
 function generateRandomString(length) {
   const chars = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";
@@ -28650,6 +30126,7 @@ var GenericOIDCAuthSSO = class {
 };
 
 // src/adapters/postgres-tenant/PostgresTenant.ts
+var import_crypto38 = require("crypto");
 var tenantContextMap = /* @__PURE__ */ new Map();
 var contextIdCounter2 = 0;
 var currentContextId2 = null;
@@ -29431,7 +30908,273 @@ var PostgresTenant = class {
   }
 };
 function generateId2() {
-  return Math.random().toString(36).substring(2) + Date.now().toString(36);
+  return (0, import_crypto38.randomBytes)(8).toString("hex") + Date.now().toString(36);
+}
+
+// src/env.ts
+function getRequiredEnv(key) {
+  const value = process.env[key];
+  if (!value) {
+    throw new Error(`Missing required environment variable: ${key}`);
+  }
+  return value;
+}
+function getOptionalEnv(key, defaultValue) {
+  return process.env[key] || defaultValue;
+}
+function getBoolEnv(key, defaultValue = false) {
+  const value = process.env[key];
+  if (value === void 0 || value === "") return defaultValue;
+  return value === "true" || value === "1";
+}
+function getIntEnv(key, defaultValue) {
+  const value = process.env[key];
+  if (value === void 0 || value === "") return defaultValue;
+  const parsed = parseInt(value, 10);
+  return isNaN(parsed) ? defaultValue : parsed;
+}
+function validateEnvVars(config) {
+  const result = checkEnvVars(config);
+  if (!result.valid) {
+    const lines = [];
+    if (result.missing.length > 0) {
+      lines.push(
+        "Missing required environment variables:",
+        ...result.missing.map((v) => `  - ${v}`)
+      );
+    }
+    if (result.missingOneOf.length > 0) {
+      for (const group of result.missingOneOf) {
+        lines.push(`Missing one of: ${group.join(" | ")}`);
+      }
+    }
+    if (result.invalid.length > 0) {
+      lines.push(
+        "Invalid environment variables:",
+        ...result.invalid.map((v) => `  - ${v.key}: ${v.reason}`)
+      );
+    }
+    throw new Error(lines.join("\n"));
+  }
+}
+function checkEnvVars(config) {
+  const missing = [];
+  const invalid = [];
+  const missingOneOf = [];
+  if (config.required) {
+    for (const key of config.required) {
+      if (!process.env[key]) {
+        missing.push(key);
+      }
+    }
+  }
+  if (config.requireOneOf) {
+    for (const group of config.requireOneOf) {
+      const hasAny = group.some((key) => !!process.env[key]);
+      if (!hasAny) {
+        missingOneOf.push(group);
+      }
+    }
+  }
+  if (config.validators) {
+    for (const [key, validator] of Object.entries(config.validators)) {
+      const value = process.env[key];
+      if (value) {
+        const result = validator(value);
+        if (result !== true) {
+          invalid.push({ key, reason: result });
+        }
+      }
+    }
+  }
+  return {
+    valid: missing.length === 0 && invalid.length === 0 && missingOneOf.length === 0,
+    missing,
+    invalid,
+    missingOneOf
+  };
+}
+function getEnvSummary(keys) {
+  const summary = {};
+  for (const key of keys) {
+    summary[key] = !!process.env[key];
+  }
+  return summary;
+}
+
+// src/app-logger.ts
+var LEVEL_PRIORITY2 = {
+  debug: 0,
+  info: 1,
+  warn: 2,
+  error: 3
+};
+function defaultOutput(level, message, context) {
+  const isProduction = process.env.NODE_ENV === "production";
+  if (isProduction) {
+    const entry = { level, message, ...context };
+    const method = level === "error" ? "error" : level === "warn" ? "warn" : "log";
+    console[method](JSON.stringify(entry));
+  } else {
+    const prefix = `[${level.toUpperCase()}]`;
+    const ctx = Object.keys(context).length > 0 ? " " + JSON.stringify(context) : "";
+    const method = level === "error" ? "error" : level === "warn" ? "warn" : level === "debug" ? "debug" : "log";
+    console[method](`${prefix} ${message}${ctx}`);
+  }
+}
+var AppLoggerImpl = class _AppLoggerImpl {
+  baseContext;
+  minLevelPriority;
+  outputFn;
+  onErrorFn;
+  constructor(baseContext, options) {
+    this.baseContext = baseContext;
+    this.minLevelPriority = LEVEL_PRIORITY2[options.minLevel] ?? 0;
+    this.outputFn = options.output;
+    this.onErrorFn = options.onError;
+  }
+  log(level, message, context) {
+    if ((LEVEL_PRIORITY2[level] ?? 0) < this.minLevelPriority) return;
+    const merged = {
+      ...this.baseContext,
+      ...context,
+      timestamp: (/* @__PURE__ */ new Date()).toISOString()
+    };
+    this.outputFn(level, message, merged);
+  }
+  debug(message, context) {
+    this.log("debug", message, context);
+  }
+  info(message, context) {
+    this.log("info", message, context);
+  }
+  warn(message, context) {
+    this.log("warn", message, context);
+  }
+  error(message, context) {
+    this.log("error", message, context);
+    if (this.onErrorFn) {
+      try {
+        this.onErrorFn(message, { ...this.baseContext, ...context });
+      } catch {
+      }
+    }
+  }
+  child(context) {
+    return new _AppLoggerImpl(
+      { ...this.baseContext, ...context },
+      {
+        minLevel: Object.entries(LEVEL_PRIORITY2).find(
+          ([, v]) => v === this.minLevelPriority
+        )?.[0] ?? "debug",
+        output: this.outputFn,
+        onError: this.onErrorFn
+      }
+    );
+  }
+  forRequest(request, operation) {
+    const requestId = request.headers.get("x-request-id") ?? request.headers.get("x-correlation-id") ?? crypto.randomUUID();
+    let path;
+    try {
+      path = new URL(request.url).pathname;
+    } catch {
+      path = request.url;
+    }
+    return this.child({
+      requestId,
+      operation,
+      method: request.method,
+      path
+    });
+  }
+  forJob(jobType, jobId, context) {
+    return this.child({ jobType, jobId, ...context });
+  }
+  async timed(operation, fn, context) {
+    const opLogger = this.child({ operation, ...context });
+    opLogger.debug("Operation started");
+    const start = Date.now();
+    try {
+      const result = await fn();
+      opLogger.info("Operation completed", {
+        durationMs: Date.now() - start
+      });
+      return result;
+    } catch (error) {
+      opLogger.error("Operation failed", {
+        durationMs: Date.now() - start,
+        error: error instanceof Error ? error.message : String(error)
+      });
+      throw error;
+    }
+  }
+};
+function createAppLogger(options) {
+  const {
+    service,
+    minLevel = process.env.NODE_ENV === "production" ? "info" : "debug",
+    output = defaultOutput,
+    onError
+  } = options;
+  return new AppLoggerImpl({ service }, { minLevel, output, onError });
+}
+
+// src/redis-client.ts
+var import_ioredis = __toESM(require("ioredis"));
+function createRedisClient(options) {
+  const {
+    url,
+    keyPrefix,
+    maxRetries = 3,
+    lazyConnect = true,
+    silent = false
+  } = options;
+  const logger = options.logger ?? {
+    error: console.error
+  };
+  const client = new import_ioredis.default(url, {
+    keyPrefix,
+    maxRetriesPerRequest: maxRetries,
+    retryStrategy(times) {
+      if (times > maxRetries) return null;
+      return Math.min(times * 200, 2e3);
+    },
+    lazyConnect
+  });
+  if (!silent) {
+    client.on("error", (err) => {
+      logger.error("[redis] Connection error", { message: err.message });
+    });
+    if (logger.info) {
+      const logInfo = logger.info;
+      client.on("connect", () => {
+        logInfo("[redis] Connected");
+      });
+    }
+  }
+  if (lazyConnect) {
+    client.connect().catch(() => {
+    });
+  }
+  return client;
+}
+var sharedClient = null;
+function getSharedRedis() {
+  if (sharedClient) return sharedClient;
+  const url = process.env.REDIS_URL;
+  if (!url) return null;
+  sharedClient = createRedisClient({
+    url,
+    keyPrefix: process.env.REDIS_KEY_PREFIX,
+    silent: process.env.NODE_ENV === "test"
+  });
+  return sharedClient;
+}
+async function closeSharedRedis() {
+  if (sharedClient) {
+    await sharedClient.quit();
+    sharedClient = null;
+  }
 }
 
 // src/migrations/Migrator.ts
@@ -30211,9 +31954,11 @@ function getEnterpriseMigrations(features) {
   CircuitBreakerRegistry,
   CircuitOpenError,
   CommonApiErrors,
+  CommonRateLimits,
   ConsoleEmail,
   ConsoleLogger,
   CronPresets,
+  CryptoConfigSchema,
   DEFAULT_BULKHEAD_OPTIONS,
   DEFAULT_CIRCUIT_BREAKER_OPTIONS,
   DEFAULT_RETRY_OPTIONS,
@@ -30226,17 +31971,21 @@ function getEnterpriseMigrations(features) {
   DatabaseNotification,
   DatabasePromptStore,
   DatabaseProviderSchema,
+  DateRangeSchema,
   DefaultTimeouts,
   EmailConfigSchema,
   EmailProviderSchema,
+  EmailSchema,
   EnvSecrets,
   FallbackStrategies,
   GenericOIDCAuthSSO,
   GoogleAIAdapter,
   HTML_TAG_PATTERN,
   HttpWebhook,
+  KEYCLOAK_DEFAULT_ROLES,
   LogLevelSchema,
   LoggingConfigSchema,
+  LoginSchema,
   MemoryAI,
   MemoryAIUsage,
   MemoryAuditLog,
@@ -30245,6 +31994,7 @@ function getEnterpriseMigrations(features) {
   MemoryBilling,
   MemoryCache,
   MemoryCompliance,
+  MemoryCrypto,
   MemoryDatabase,
   MemoryDevPortal,
   MemoryDevice,
@@ -30266,6 +32016,7 @@ function getEnterpriseMigrations(features) {
   MetricsConfigSchema,
   MiddlewareConfigSchema,
   Migrator,
+  NodeCrypto,
   NoopLogger,
   NoopMetrics,
   NoopTracing,
@@ -30273,7 +32024,11 @@ function getEnterpriseMigrations(features) {
   ObservabilityConfigSchema,
   OpenAIAdapter,
   PG_ERROR_MAP,
+  PaginationSchema,
+  PasswordSchema,
   PaymentErrorMessages,
+  PersonNameSchema,
+  PhoneSchema,
   PineconeRAG,
   PlatformConfigSchema,
   PostgresDatabase,
@@ -30293,7 +32048,14 @@ function getEnterpriseMigrations(features) {
   RetryPredicates,
   S3Storage,
   SQL,
+  SearchQuerySchema,
+  SecurityConfigSchema,
+  SecurityHeaderPresets,
+  SignupSchema,
+  SlugSchema,
   SmtpEmail,
+  StandardAuditActions,
+  StandardRateLimitPresets,
   StorageConfigSchema,
   StorageProviderSchema,
   StripePayment,
@@ -30309,16 +32071,32 @@ function getEnterpriseMigrations(features) {
   UpstashCache,
   WeaviateRAG,
   WebhookEventTypes,
+  WrapperPresets,
+  buildAllowlist,
+  buildAuthCookies,
+  buildErrorBody,
+  buildKeycloakCallbacks,
   buildPagination,
+  buildRateLimitHeaders,
+  buildRateLimitResponseHeaders,
+  buildRedirectCallback,
+  buildTokenRefreshParams,
   calculateBackoff,
   calculateRetryDelay,
+  checkEnvVars,
+  checkRateLimit,
   classifyError,
+  closeSharedRedis,
   composeHookRegistries,
+  constantTimeEqual,
   containsHtml,
   containsUrls,
   correlationContext,
   createAIError,
   createAnthropicAdapter,
+  createAppLogger,
+  createAuditActor,
+  createAuditLogger,
   createAuthError,
   createBulkhead,
   createCacheMiddleware,
@@ -30329,6 +32107,7 @@ function getEnterpriseMigrations(features) {
   createErrorReport,
   createExpressHealthHandlers,
   createExpressMetricsHandler,
+  createFeatureFlags,
   createGoogleAIAdapter,
   createHealthEndpoints,
   createHealthServer,
@@ -30336,6 +32115,7 @@ function getEnterpriseMigrations(features) {
   createIpKeyGenerator,
   createJobContext,
   createLoggingMiddleware,
+  createMemoryRateLimitStore,
   createMetricsEndpoint,
   createMetricsMiddleware,
   createMetricsServer,
@@ -30349,8 +32129,10 @@ function getEnterpriseMigrations(features) {
   createPlatform,
   createPlatformAsync,
   createRateLimitMiddleware,
+  createRedisClient,
   createRequestContext,
   createRequestIdMiddleware,
+  createSafeTextSchema,
   createScopedMetrics,
   createSlowQueryMiddleware,
   createSsoOidcConfigsTable,
@@ -30367,8 +32149,13 @@ function getEnterpriseMigrations(features) {
   defangUrl,
   defineMigration,
   describeCron,
+  detectStage,
   enterpriseMigrations,
   escapeHtml,
+  extractAuditIp,
+  extractAuditRequestId,
+  extractAuditUserAgent,
+  extractClientIp,
   filterChannelsByPreferences,
   formatAmount,
   generateAuditId,
@@ -30382,40 +32169,62 @@ function getEnterpriseMigrations(features) {
   generatePaymentId,
   generateScheduleId,
   generateSecureToken,
+  generateSecurityHeaders,
   generateVersion,
   generateWebhookId,
   generateWebhookSecret,
+  getBoolEnv,
   getContext,
   getCorrelationId,
   getDefaultConfig,
+  getEndSessionEndpoint,
   getEnterpriseMigrations,
+  getEnvSummary,
+  getIntEnv,
   getLogMeta,
   getNextCronRun,
+  getOptionalEnv,
+  getRateLimitStatus,
   getRequestId,
+  getRequiredEnv,
+  getSharedRedis,
   getTenantId,
+  getTokenEndpoint,
   getTraceId,
   getUserId,
+  hasAllRoles,
+  hasAnyRole,
+  hasRole,
   isAIError,
+  isAllowlisted,
   isApiError,
   isAuthError,
   isInContext,
   isInQuietHours,
   isPaymentError,
+  isTokenExpired,
   isValidCron,
   loadConfig,
   matchAction,
   matchEventType,
+  parseKeycloakRoles,
   raceTimeout,
+  refreshKeycloakToken,
+  resetRateLimitForKey,
+  resolveIdentifier,
+  resolveRateLimitIdentifier,
   retryable,
   runWithContext,
   runWithContextAsync,
   safeValidateConfig,
+  sanitizeApiError,
   sanitizeForEmail,
   sqlMigration,
   stripHtml,
   timedHealthCheck,
   toHealthCheckResult,
   validateConfig,
+  validateEnvVars,
   withCorrelation,
   withCorrelationAsync,
   withFallback,