@digilogiclabs/platform-core 1.3.0 → 1.5.0

package/dist/index.mjs

@@ -1,5 +1,11 @@
 var __defProp = Object.defineProperty;
 var __getOwnPropNames = Object.getOwnPropertyNames;
+var __require = /* @__PURE__ */ ((x) => typeof require !== "undefined" ? require : typeof Proxy !== "undefined" ? new Proxy(x, {
+  get: (a, b) => (typeof require !== "undefined" ? require : a)[b]
+}) : x)(function(x) {
+  if (typeof require !== "undefined") return require.apply(this, arguments);
+  throw Error('Dynamic require of "' + x + '" is not supported');
+});
 var __esm = (fn, res) => function __init() {
   return fn && (res = (0, fn[__getOwnPropNames(fn)[0]])(fn = 0)), res;
 };
@@ -387,6 +393,7 @@ var init_IAI = __esm({
 });
 
 // src/interfaces/IRAG.ts
+import { randomBytes as randomBytes13 } from "crypto";
 var ChunkingPresets, MemoryRAG;
 var init_IRAG = __esm({
   "src/interfaces/IRAG.ts"() {
@@ -516,7 +523,7 @@ var init_IRAG = __esm({
       }
       async ingestOne(collection, document, options) {
         const startTime = Date.now();
-        const docId = `doc_${Date.now()}_${Math.random().toString(36).substring(7)}`;
+        const docId = `doc_${Date.now()}_${randomBytes13(4).toString("hex")}`;
         const now = /* @__PURE__ */ new Date();
         try {
           const col = await this.getCollection(collection);
@@ -1059,6 +1066,7 @@ var PostgresDatabase_exports = {};
 __export(PostgresDatabase_exports, {
   PostgresDatabase: () => PostgresDatabase
 });
+import { randomBytes as randomBytes22 } from "crypto";
 function toPoolConfig(config) {
   const poolConfig = {};
   if (config.connectionString) {
@@ -1209,7 +1217,7 @@ var init_PostgresDatabase = __esm({
         }
       }
       async transaction(fn) {
-        const savepointName = `sp_${Date.now()}_${Math.random().toString(36).slice(2)}`;
+        const savepointName = `sp_${Date.now()}_${randomBytes22(4).toString("hex")}`;
         try {
           await this.client.query(`SAVEPOINT ${savepointName}`);
           const result = await fn(this);
@@ -1737,7 +1745,7 @@ var init_RedisCache = __esm({
        * Create a RedisCache from configuration
        */
       static async create(config) {
-        const { default: Redis } = await import("ioredis");
+        const { default: Redis2 } = await import("ioredis");
         let client;
         if (config.cluster) {
           const { Cluster } = await import("ioredis");
@@ -1750,7 +1758,7 @@ var init_RedisCache = __esm({
             }
           });
         } else if (config.sentinel) {
-          client = new Redis({
+          client = new Redis2({
             sentinels: config.sentinel.sentinels,
             name: config.sentinel.name,
             password: config.password,
@@ -1759,7 +1767,7 @@ var init_RedisCache = __esm({
           });
         } else {
           const options = toIORedisOptions(config);
-          client = typeof options === "string" ? new Redis(options) : new Redis(options);
+          client = typeof options === "string" ? new Redis2(options) : new Redis2(options);
         }
         if (!config.lazyConnect) {
           await new Promise((resolve, reject) => {
@@ -1893,9 +1901,9 @@ var init_RedisCache = __esm({
       }
       async subscribe(channel, callback) {
         if (!this.subscriberClient) {
-          const { default: Redis } = await import("ioredis");
+          const { default: Redis2 } = await import("ioredis");
           const options = toIORedisOptions(this.config);
-          this.subscriberClient = typeof options === "string" ? new Redis(options) : new Redis(options);
+          this.subscriberClient = typeof options === "string" ? new Redis2(options) : new Redis2(options);
           this.subscriberClient.on("message", (ch, message) => {
             const callbacks = this.subscriptions.get(ch);
             if (callbacks) {
@@ -5445,6 +5453,7 @@ __export(PineconeRAG_exports, {
   PineconeRAG: () => PineconeRAG,
   createPineconeRAG: () => createPineconeRAG
 });
+import { randomBytes as randomBytes23 } from "crypto";
 function createPineconeRAG(config) {
   return new PineconeRAG(config);
 }
@@ -5602,7 +5611,7 @@ var init_PineconeRAG = __esm({
           throw new Error(`Collection ${collection} not found`);
         }
         const now = /* @__PURE__ */ new Date();
-        const documentId = `doc_${Date.now()}_${Math.random().toString(36).substring(2, 9)}`;
+        const documentId = `doc_${Date.now()}_${randomBytes23(4).toString("hex")}`;
         const doc = {
           id: documentId,
           source: document.source,
@@ -6166,6 +6175,7 @@ __export(WeaviateRAG_exports, {
   WeaviateRAG: () => WeaviateRAG,
   createWeaviateRAG: () => createWeaviateRAG
 });
+import { randomBytes as randomBytes24 } from "crypto";
 function createWeaviateRAG(config) {
   return new WeaviateRAG(config);
 }
@@ -6360,7 +6370,7 @@ var init_WeaviateRAG = __esm({
         const client = await this.getClient();
         const className = this.getClassName(collection);
         const now = /* @__PURE__ */ new Date();
-        const documentId = `doc_${Date.now()}_${Math.random().toString(36).substring(2, 9)}`;
+        const documentId = `doc_${Date.now()}_${randomBytes24(4).toString("hex")}`;
         const doc = {
           id: documentId,
           source: document.source,
@@ -6935,7 +6945,183 @@ var init_WeaviateRAG = __esm({
   }
 });
 
+// src/adapters/node-crypto/NodeCrypto.ts
+var NodeCrypto_exports = {};
+__export(NodeCrypto_exports, {
+  NodeCrypto: () => NodeCrypto
+});
+import {
+  randomBytes as randomBytes25,
+  createCipheriv as createCipheriv2,
+  createDecipheriv as createDecipheriv2,
+  createHmac as createHmac2,
+  hkdfSync
+} from "crypto";
+var NodeCrypto;
+var init_NodeCrypto = __esm({
+  "src/adapters/node-crypto/NodeCrypto.ts"() {
+    "use strict";
+    NodeCrypto = class {
+      masterKey;
+      hmacKey;
+      keys = /* @__PURE__ */ new Map();
+      activeKeyId;
+      keyCounter = 0;
+      constructor(config) {
+        if (!config.masterKey || config.masterKey.length < 64) {
+          throw new Error(
+            "NodeCrypto requires a 256-bit master key (64 hex characters)"
+          );
+        }
+        this.masterKey = Buffer.from(config.masterKey, "hex");
+        this.hmacKey = config.hmacKey ? Buffer.from(config.hmacKey, "hex") : Buffer.from(hkdfSync("sha256", this.masterKey, "", "hmac-key", 32));
+        const keyId = this.generateKeyId();
+        const dek = this.deriveDEK(keyId);
+        this.keys.set(keyId, {
+          id: keyId,
+          dek,
+          status: "active",
+          createdAt: /* @__PURE__ */ new Date()
+        });
+        this.activeKeyId = keyId;
+      }
+      async encrypt(plaintext, options) {
+        const keyId = options?.keyId || this.activeKeyId;
+        const stored = this.keys.get(keyId);
+        if (!stored) {
+          throw new Error(`Key not found: ${keyId}`);
+        }
+        if (stored.status === "retired") {
+          throw new Error(`Key is retired and cannot encrypt: ${keyId}`);
+        }
+        if (stored.status === "decrypt-only" && !options?.keyId) {
+          throw new Error(`Key is decrypt-only: ${keyId}`);
+        }
+        const iv = randomBytes25(12);
+        const cipher = createCipheriv2("aes-256-gcm", stored.dek, iv);
+        if (options?.aad) {
+          cipher.setAAD(Buffer.from(options.aad, "utf8"));
+        }
+        const encrypted = Buffer.concat([
+          cipher.update(plaintext, "utf8"),
+          cipher.final()
+        ]);
+        const tag = cipher.getAuthTag();
+        return {
+          ciphertext: encrypted.toString("base64"),
+          iv: iv.toString("base64"),
+          tag: tag.toString("base64"),
+          keyId,
+          algorithm: "aes-256-gcm",
+          version: 1
+        };
+      }
+      async decrypt(field, options) {
+        const stored = this.keys.get(field.keyId);
+        if (!stored) {
+          throw new Error(`Key not found: ${field.keyId}`);
+        }
+        if (stored.status === "retired") {
+          throw new Error(`Key is retired and cannot decrypt: ${field.keyId}`);
+        }
+        const decipher = createDecipheriv2(
+          "aes-256-gcm",
+          stored.dek,
+          Buffer.from(field.iv, "base64")
+        );
+        decipher.setAuthTag(Buffer.from(field.tag, "base64"));
+        if (options?.aad) {
+          decipher.setAAD(Buffer.from(options.aad, "utf8"));
+        }
+        const decrypted = Buffer.concat([
+          decipher.update(Buffer.from(field.ciphertext, "base64")),
+          decipher.final()
+        ]);
+        return decrypted.toString("utf8");
+      }
+      async encryptDeterministic(plaintext, options) {
+        const hash = await this.computeHash(plaintext);
+        const encrypted = await this.encrypt(plaintext, options);
+        return { hash, encrypted };
+      }
+      async computeHash(plaintext) {
+        return createHmac2("sha256", this.hmacKey).update(plaintext, "utf8").digest("hex");
+      }
+      async encryptBatch(fields, options) {
+        const result = {};
+        for (const [key, value] of Object.entries(fields)) {
+          result[key] = await this.encrypt(value, options);
+        }
+        return result;
+      }
+      async decryptBatch(fields, options) {
+        const result = {};
+        for (const [key, value] of Object.entries(fields)) {
+          result[key] = await this.decrypt(value, options);
+        }
+        return result;
+      }
+      async rotateKey() {
+        const previousKeyId = this.activeKeyId;
+        const currentKey = this.keys.get(previousKeyId);
+        if (currentKey) {
+          currentKey.status = "decrypt-only";
+        }
+        const newKeyId = this.generateKeyId();
+        const dek = this.deriveDEK(newKeyId);
+        this.keys.set(newKeyId, {
+          id: newKeyId,
+          dek,
+          status: "active",
+          createdAt: /* @__PURE__ */ new Date()
+        });
+        this.activeKeyId = newKeyId;
+        return { newKeyId, previousKeyId };
+      }
+      async reEncrypt(field, options) {
+        const plaintext = await this.decrypt(field);
+        return this.encrypt(plaintext, options);
+      }
+      async listKeys() {
+        return Array.from(this.keys.values()).map((k) => ({
+          keyId: k.id,
+          createdAt: k.createdAt,
+          status: k.status
+        }));
+      }
+      async getActiveKeyId() {
+        return this.activeKeyId;
+      }
+      async healthCheck() {
+        try {
+          const testPlain = "health-check-" + randomBytes25(4).toString("hex");
+          const encrypted = await this.encrypt(testPlain);
+          const decrypted = await this.decrypt(encrypted);
+          return decrypted === testPlain;
+        } catch {
+          return false;
+        }
+      }
+      /**
+       * Derive a Data Encryption Key from the master key using HKDF.
+       */
+      deriveDEK(keyId) {
+        return Buffer.from(
+          hkdfSync("sha256", this.masterKey, keyId, "dek-derivation", 32)
+        );
+      }
+      generateKeyId() {
+        this.keyCounter++;
+        const timestamp = Date.now().toString(36);
+        const random = randomBytes25(4).toString("hex");
+        return `dek_${timestamp}_${random}_${this.keyCounter}`;
+      }
+    };
+  }
+});
+
 // src/interfaces/IQueue.ts
+import { randomBytes } from "crypto";
 function calculateBackoff(attempt, options) {
   if (options.type === "fixed") {
     return options.delay;
@@ -6946,7 +7132,7 @@ function calculateBackoff(attempt, options) {
 }
 function generateJobId() {
   const timestamp = Date.now().toString(36);
-  const random = Math.random().toString(36).substring(2, 10);
+  const random = randomBytes(4).toString("hex");
   return `job_${timestamp}_${random}`;
 }
 
@@ -7297,6 +7483,7 @@ function createScopedMetrics(metrics, prefix, defaultTags = {}) {
 }
 
 // src/interfaces/ISecrets.ts
+import { randomBytes as randomBytes2 } from "crypto";
 var EnvSecrets = class {
   prefix;
   cache = /* @__PURE__ */ new Map();
@@ -7497,12 +7684,7 @@ var MemorySecrets = class {
     return true;
   }
   generateSecureValue(length = 32) {
-    const chars = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*";
-    let result = "";
-    for (let i = 0; i < length; i++) {
-      result += chars[Math.floor(Math.random() * chars.length)];
-    }
-    return result;
+    return randomBytes2(length).toString("base64url").slice(0, length);
   }
   /**
    * Clear all secrets (for testing)
@@ -7520,6 +7702,7 @@ var MemorySecrets = class {
 };
 
 // src/interfaces/ITracing.ts
+import { randomBytes as randomBytes3 } from "crypto";
 var MemorySpan = class {
   name;
   context;
@@ -7539,7 +7722,7 @@ var MemorySpan = class {
     };
   }
   generateSpanId() {
-    return Math.random().toString(16).substring(2, 18).padStart(16, "0");
+    return randomBytes3(8).toString("hex");
   }
   setAttribute(key, value) {
     this._attributes[key] = value;
@@ -7599,7 +7782,7 @@ var MemoryTracing = class {
     this.traceId = this.generateTraceId();
   }
   generateTraceId() {
-    return Math.random().toString(16).substring(2, 34).padStart(32, "0");
+    return randomBytes3(16).toString("hex");
   }
   startSpan(name, options) {
     const span = new MemorySpan(
@@ -7752,9 +7935,10 @@ var NoopTracing = class {
 };
 
 // src/interfaces/IErrorReporter.ts
+import { randomBytes as randomBytes4 } from "crypto";
 function generateErrorId() {
   const timestamp = Date.now().toString(36);
-  const random = Math.random().toString(36).substring(2, 10);
+  const random = randomBytes4(4).toString("hex");
   return `err_${timestamp}_${random}`;
 }
 function generateFingerprint(error) {
@@ -7798,9 +7982,10 @@ function createErrorReport(error, context, options) {
 }
 
 // src/interfaces/IAuditLog.ts
+import { randomBytes as randomBytes5 } from "crypto";
 function generateAuditId() {
   const timestamp = Date.now().toString(36);
-  const random = Math.random().toString(36).substring(2, 10);
+  const random = randomBytes5(4).toString("hex");
   return `aud_${timestamp}${random}`;
 }
 function generateChecksum(event) {
@@ -7966,9 +8151,10 @@ var AuditEvents = {
 };
 
 // src/interfaces/IScheduler.ts
+import { randomBytes as randomBytes6 } from "crypto";
 function generateScheduleId() {
   const timestamp = Date.now().toString(36);
-  const random = Math.random().toString(36).substring(2, 8);
+  const random = randomBytes6(4).toString("hex");
   return `sch_${timestamp}${random}`;
 }
 function getNextCronRun(cron, after = /* @__PURE__ */ new Date(), timezone) {
@@ -8027,28 +8213,24 @@ function describeCron(cron) {
 }
 
 // src/interfaces/IWebhook.ts
+import { randomBytes as randomBytes7 } from "crypto";
 function generateWebhookId() {
   const timestamp = Date.now().toString(36);
-  const random = Math.random().toString(36).substring(2, 10);
+  const random = randomBytes7(6).toString("hex");
   return `wh_${timestamp}${random}`;
 }
 function generateDeliveryId() {
   const timestamp = Date.now().toString(36);
-  const random = Math.random().toString(36).substring(2, 10);
+  const random = randomBytes7(6).toString("hex");
   return `del_${timestamp}${random}`;
 }
 function generateEventId() {
   const timestamp = Date.now().toString(36);
-  const random = Math.random().toString(36).substring(2, 10);
+  const random = randomBytes7(6).toString("hex");
   return `evt_${timestamp}${random}`;
 }
 function generateWebhookSecret(length = 32) {
-  const chars = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";
-  let secret = "whsec_";
-  for (let i = 0; i < length; i++) {
-    secret += chars.charAt(Math.floor(Math.random() * chars.length));
-  }
-  return secret;
+  return `whsec_${randomBytes7(length).toString("base64url").slice(0, length)}`;
 }
 function matchEventType(eventType, pattern) {
   if (eventType === pattern || pattern === "*" || pattern === "**") {
@@ -8125,9 +8307,10 @@ var WebhookEventTypes = {
 };
 
 // src/interfaces/INotification.ts
+import { randomBytes as randomBytes8 } from "crypto";
 function generateNotificationId() {
   const timestamp = Date.now().toString(36);
-  const random = Math.random().toString(36).substring(2, 10);
+  const random = randomBytes8(4).toString("hex");
   return `notif_${timestamp}${random}`;
 }
 function isInQuietHours(preferences) {
@@ -8617,6 +8800,7 @@ var MemoryAuth = class {
 };
 
 // src/interfaces/IPayment.ts
+import { randomBytes as randomBytes9 } from "crypto";
 function createPaymentError(code, message, originalError) {
   return { code, message, originalError };
 }
@@ -8648,7 +8832,7 @@ function formatAmount(amount, currency, locale = "en-US") {
 }
 function generatePaymentId(prefix = "pi") {
   const timestamp = Date.now().toString(36);
-  const random = Math.random().toString(36).substring(2, 10);
+  const random = randomBytes9(8).toString("hex");
   return `${prefix}_${timestamp}${random}`;
 }
 var MemoryPayment = class {
@@ -8706,7 +8890,7 @@ var MemoryPayment = class {
       amount: options.amount,
       currency: options.currency,
       status: options.paymentMethodId ? "requires_confirmation" : "requires_payment_method",
-      clientSecret: `${id}_secret_${Math.random().toString(36).substring(2, 15)}`,
+      clientSecret: `${id}_secret_${randomBytes9(16).toString("base64url")}`,
       metadata: options.metadata,
       description: options.description,
       receiptEmail: options.receiptEmail,
@@ -9021,6 +9205,7 @@ var MemoryPayment = class {
 };
 
 // src/interfaces/IAuthSSO.ts
+import { randomBytes as randomBytes10 } from "crypto";
 var MemoryAuthSSO = class {
   samlConfigs = /* @__PURE__ */ new Map();
   oidcConfigs = /* @__PURE__ */ new Map();
@@ -9052,7 +9237,7 @@ var MemoryAuthSSO = class {
     if (!config) {
       throw new Error("SAML not configured for tenant");
     }
-    const id = `_${Math.random().toString(36).substring(2)}`;
+    const id = `_${randomBytes10(8).toString("hex")}`;
     return {
       id,
       redirectUrl: `${config.ssoUrl}?SAMLRequest=mock_request&RelayState=${options.relayState ?? ""}`,
@@ -9064,7 +9249,7 @@ var MemoryAuthSSO = class {
   }
   async processSamlResponse(_samlResponse, _relayState) {
     const user = {
-      id: `saml_${Math.random().toString(36).substring(2)}`,
+      id: `saml_${randomBytes10(8).toString("hex")}`,
       email: "saml.user@example.com",
       emailVerified: true,
       metadata: { ssoProvider: "saml" },
@@ -9074,7 +9259,7 @@ var MemoryAuthSSO = class {
       success: true,
       user,
       session: {
-        accessToken: `saml_token_${Math.random().toString(36)}`,
+        accessToken: `saml_token_${randomBytes10(8).toString("hex")}`,
         expiresAt: new Date(Date.now() + 36e5),
         user
       },
@@ -9111,8 +9296,8 @@ var MemoryAuthSSO = class {
   }
   // OIDC Authentication
   async initiateOidcLogin(options) {
-    const state = options.state ?? Math.random().toString(36).substring(2);
-    const nonce = Math.random().toString(36).substring(2);
+    const state = options.state ?? randomBytes10(8).toString("hex");
+    const nonce = randomBytes10(8).toString("hex");
     return {
       state,
       redirectUrl: `https://idp.example.com/authorize?client_id=mock&redirect_uri=${encodeURIComponent(options.redirectUri)}&state=${state}`,
@@ -9123,7 +9308,7 @@ var MemoryAuthSSO = class {
   }
   async processOidcCallback(_code, _state, _codeVerifier) {
     const user = {
-      id: `oidc_${Math.random().toString(36).substring(2)}`,
+      id: `oidc_${randomBytes10(8).toString("hex")}`,
       email: "oidc.user@example.com",
       emailVerified: true,
       metadata: { ssoProvider: "oidc" },
@@ -9133,7 +9318,7 @@ var MemoryAuthSSO = class {
       success: true,
       user,
       session: {
-        accessToken: `oidc_token_${Math.random().toString(36)}`,
+        accessToken: `oidc_token_${randomBytes10(8).toString("hex")}`,
         expiresAt: new Date(Date.now() + 36e5),
         user
       },
@@ -9142,7 +9327,7 @@ var MemoryAuthSSO = class {
   }
   async refreshOidcTokens(_refreshToken, _tenantId) {
     return {
-      accessToken: `refreshed_token_${Math.random().toString(36)}`,
+      accessToken: `refreshed_token_${randomBytes10(8).toString("hex")}`,
       expiresIn: 3600
     };
   }
@@ -9172,7 +9357,7 @@ var MemoryAuthSSO = class {
   }
   // SCIM
   async configureScim(config) {
-    const token = `scim_token_${Math.random().toString(36)}`;
+    const token = `scim_token_${randomBytes10(8).toString("hex")}`;
     this.scimConfigs.set(config.tenantId, { ...config, bearerToken: token });
     return { bearerToken: token };
   }
@@ -9185,7 +9370,7 @@ var MemoryAuthSSO = class {
   async regenerateScimToken(tenantId) {
     const config = this.scimConfigs.get(tenantId);
     if (!config) throw new Error("SCIM not configured");
-    const token = `scim_token_${Math.random().toString(36)}`;
+    const token = `scim_token_${randomBytes10(8).toString("hex")}`;
     config.bearerToken = token;
     return { bearerToken: token };
   }
@@ -9194,7 +9379,7 @@ var MemoryAuthSSO = class {
   }
   // Domain Verification
   async initiateDomainVerification(tenantId, domain) {
-    const token = `dll-verify-${Math.random().toString(36).substring(2)}`;
+    const token = `dll-verify-${randomBytes10(8).toString("hex")}`;
     this.pendingVerifications.set(`${tenantId}:${domain}`, { domain, token });
     return {
       verificationMethod: "dns_txt",
@@ -9260,6 +9445,7 @@ var MemoryAuthSSO = class {
 };
 
 // src/interfaces/ITenant.ts
+import { randomBytes as randomBytes11 } from "crypto";
 var tenantContextStorage = /* @__PURE__ */ new Map();
 var contextIdCounter = 0;
 var currentContextId = null;
@@ -9327,7 +9513,7 @@ var MemoryTenant = class {
   // Tenant CRUD
   async createTenant(options) {
     const tenant = {
-      id: `tenant_${Math.random().toString(36).substring(2)}`,
+      id: `tenant_${randomBytes11(8).toString("hex")}`,
       slug: options.slug,
       name: options.name,
       status: "active",
@@ -9448,7 +9634,7 @@ var MemoryTenant = class {
   }
   async addMember(tenantId, userId, role) {
     const member = {
-      id: `member_${Math.random().toString(36).substring(2)}`,
+      id: `member_${randomBytes11(8).toString("hex")}`,
       tenantId,
       userId,
       role,
@@ -9489,12 +9675,12 @@ var MemoryTenant = class {
   }
   async inviteMember(tenantId, options) {
     const invitation = {
-      id: `inv_${Math.random().toString(36).substring(2)}`,
+      id: `inv_${randomBytes11(8).toString("hex")}`,
       tenantId,
       email: options.email,
       role: options.role,
       invitedBy: "system",
-      token: Math.random().toString(36).substring(2),
+      token: randomBytes11(16).toString("base64url"),
       status: "pending",
       createdAt: /* @__PURE__ */ new Date(),
       expiresAt: new Date(
@@ -9655,6 +9841,7 @@ var MemoryTenant = class {
 init_IAI();
 
 // src/interfaces/IPromptStore.ts
+import { randomBytes as randomBytes12 } from "crypto";
 var MemoryPromptStore = class {
   // userId -> variantId
   constructor(config = {}) {
@@ -9670,7 +9857,7 @@ var MemoryPromptStore = class {
   // Prompt CRUD
   // ─────────────────────────────────────────────────────────────
   async create(prompt) {
-    const id = `prompt_${Date.now()}_${Math.random().toString(36).substring(7)}`;
+    const id = `prompt_${Date.now()}_${randomBytes12(4).toString("hex")}`;
     const now = /* @__PURE__ */ new Date();
     const newPrompt = {
       ...prompt,
@@ -9685,7 +9872,7 @@ var MemoryPromptStore = class {
     this.prompts.set(id, newPrompt);
     this.prompts.set(prompt.slug, newPrompt);
     const version = {
-      id: `pv_${Date.now()}_${Math.random().toString(36).substring(7)}`,
+      id: `pv_${Date.now()}_${randomBytes12(4).toString("hex")}`,
       promptId: id,
       version: 1,
       content: prompt.content,
@@ -9720,7 +9907,7 @@ var MemoryPromptStore = class {
         latestVersion.isLatest = false;
       }
       const newVersion = {
-        id: `pv_${Date.now()}_${Math.random().toString(36).substring(7)}`,
+        id: `pv_${Date.now()}_${randomBytes12(4).toString("hex")}`,
         promptId: prompt.id,
         version: versions.length + 1,
         content: updates.content,
@@ -9965,7 +10152,7 @@ ${v2.content}`;
   // A/B Testing
   // ─────────────────────────────────────────────────────────────
   async createExperiment(experiment) {
-    const id = `exp_${Date.now()}_${Math.random().toString(36).substring(7)}`;
+    const id = `exp_${Date.now()}_${randomBytes12(4).toString("hex")}`;
     const now = /* @__PURE__ */ new Date();
     const newExperiment = {
       ...experiment,
@@ -10042,7 +10229,7 @@ ${v2.content}`;
   // Prompt Chains
   // ─────────────────────────────────────────────────────────────
   async createChain(chain) {
-    const id = `chain_${Date.now()}_${Math.random().toString(36).substring(7)}`;
+    const id = `chain_${Date.now()}_${randomBytes12(4).toString("hex")}`;
     const now = /* @__PURE__ */ new Date();
     const newChain = {
       ...chain,
@@ -10133,7 +10320,7 @@ ${v2.content}`;
   async recordUsage(record) {
     const usageRecord = {
       ...record,
-      id: `usage_${Date.now()}_${Math.random().toString(36).substring(7)}`,
+      id: `usage_${Date.now()}_${randomBytes12(4).toString("hex")}`,
       createdAt: /* @__PURE__ */ new Date()
     };
     if (this.config.trackUsage !== false) {
@@ -10237,6 +10424,7 @@ ${v2.content}`;
 init_IRAG();
 
 // src/interfaces/IAIUsage.ts
+import { randomBytes as randomBytes14 } from "crypto";
 var MemoryAIUsage = class {
   constructor(config = {}) {
     this.config = config;
@@ -10270,7 +10458,7 @@ var MemoryAIUsage = class {
   async record(record) {
     const newRecord = {
       ...record,
-      id: `usage_${Date.now()}_${Math.random().toString(36).substring(7)}`,
+      id: `usage_${Date.now()}_${randomBytes14(4).toString("hex")}`,
       createdAt: /* @__PURE__ */ new Date()
     };
     this.records.push(newRecord);
@@ -10351,7 +10539,7 @@ var MemoryAIUsage = class {
     const period = this.getPeriodBounds(quota.period, /* @__PURE__ */ new Date());
     const newQuota = {
       ...quota,
-      id: existingQuota?.id || `quota_${Date.now()}_${Math.random().toString(36).substring(7)}`,
+      id: existingQuota?.id || `quota_${Date.now()}_${randomBytes14(4).toString("hex")}`,
       used: existingQuota?.used || 0,
       periodStart: period.start,
       periodEnd: period.end
@@ -10445,7 +10633,7 @@ var MemoryAIUsage = class {
     const period = this.getPeriodBounds(budget.period, /* @__PURE__ */ new Date());
     const newBudget = {
       ...budget,
-      id: existingBudget?.id || `budget_${Date.now()}_${Math.random().toString(36).substring(7)}`,
+      id: existingBudget?.id || `budget_${Date.now()}_${randomBytes14(4).toString("hex")}`,
       spent: existingBudget?.spent || 0,
       periodStart: period.start,
       periodEnd: period.end
@@ -10709,7 +10897,7 @@ var MemoryAIUsage = class {
     const items = Array.from(itemsMap.values());
     const subtotal = items.reduce((sum, item) => sum + item.costUsd, 0);
     const invoice = {
-      id: `inv_${Date.now()}_${Math.random().toString(36).substring(7)}`,
+      id: `inv_${Date.now()}_${randomBytes14(4).toString("hex")}`,
       tenantId,
       periodStart,
       periodEnd,
@@ -10922,7 +11110,7 @@ var MemoryAIUsage = class {
     );
     if (existingAlert) return;
     this.alerts.push({
-      id: `alert_${Date.now()}_${Math.random().toString(36).substring(7)}`,
+      id: `alert_${Date.now()}_${randomBytes14(4).toString("hex")}`,
       tenantId,
       type,
       severity,
@@ -11051,6 +11239,7 @@ var MemoryAIUsage = class {
 };
 
 // src/interfaces/IDevice.ts
+import { randomBytes as randomBytes15 } from "crypto";
 var MemoryDevice = class {
   constructor(config = {}) {
     this.config = config;
@@ -11075,7 +11264,7 @@ var MemoryDevice = class {
     const now = /* @__PURE__ */ new Date();
     const newDevice = {
       ...device,
-      id: `dev_${Date.now()}_${Math.random().toString(36).substring(7)}`,
+      id: `dev_${Date.now()}_${randomBytes15(4).toString("hex")}`,
       status: "active",
       connectionState: "disconnected",
       tags: device.tags || [],
@@ -11198,7 +11387,7 @@ var MemoryDevice = class {
   // Provisioning
   // ─────────────────────────────────────────────────────────────
   async provision(request) {
-    const id = `prov_${Date.now()}_${Math.random().toString(36).substring(7)}`;
+    const id = `prov_${Date.now()}_${randomBytes15(4).toString("hex")}`;
     const newRequest = {
       ...request,
       id,
@@ -11210,7 +11399,7 @@ var MemoryDevice = class {
       const result = {
         credentials: {
           type: request.config.authMethod || "token",
-          token: `tok_${Date.now()}_${Math.random().toString(36).substring(7)}`
+          token: `tok_${Date.now()}_${randomBytes15(16).toString("hex")}`
         },
         endpoint: "mqtt://localhost:1883",
         mqttBroker: "mqtt://localhost:1883"
@@ -11253,7 +11442,7 @@ var MemoryDevice = class {
     }
   }
   async generateRegistrationCode(deviceType, tenantId, expiresInHours = 24) {
-    const code = `REG_${Math.random().toString(36).substring(2, 10).toUpperCase()}`;
+    const code = `REG_${randomBytes15(4).toString("hex").toUpperCase()}`;
     this.registrationCodes.set(code, {
       deviceType,
       tenantId,
@@ -11353,7 +11542,7 @@ var MemoryDevice = class {
   async ingestTelemetry(message) {
     const newMessage = {
       ...message,
-      id: `tel_${Date.now()}_${Math.random().toString(36).substring(7)}`,
+      id: `tel_${Date.now()}_${randomBytes15(4).toString("hex")}`,
       receivedAt: /* @__PURE__ */ new Date()
     };
     if (this.config.storeTelemetry !== false) {
@@ -11433,7 +11622,7 @@ var MemoryDevice = class {
   // ─────────────────────────────────────────────────────────────
   async sendCommand(deviceId, name, payload, options) {
     const command = {
-      id: `cmd_${Date.now()}_${Math.random().toString(36).substring(7)}`,
+      id: `cmd_${Date.now()}_${randomBytes15(4).toString("hex")}`,
       deviceId,
       name,
       payload,
@@ -11496,7 +11685,7 @@ var MemoryDevice = class {
   async createFirmware(firmware) {
     const newFirmware = {
       ...firmware,
-      id: `fw_${Date.now()}_${Math.random().toString(36).substring(7)}`,
+      id: `fw_${Date.now()}_${randomBytes15(4).toString("hex")}`,
       status: "draft",
       createdAt: /* @__PURE__ */ new Date()
     };
@@ -11548,7 +11737,7 @@ var MemoryDevice = class {
       throw new Error(`Firmware not found: ${firmwareVersionId}`);
     }
     const update = {
-      id: `upd_${Date.now()}_${Math.random().toString(36).substring(7)}`,
+      id: `upd_${Date.now()}_${randomBytes15(4).toString("hex")}`,
       deviceId,
       firmwareVersionId,
       targetVersion: firmware.version,
@@ -11602,7 +11791,7 @@ var MemoryDevice = class {
     const now = /* @__PURE__ */ new Date();
     const newGroup = {
       ...group,
-      id: `grp_${Date.now()}_${Math.random().toString(36).substring(7)}`,
+      id: `grp_${Date.now()}_${randomBytes15(4).toString("hex")}`,
       deviceCount: 0,
       tags: group.tags || [],
       attributes: group.attributes || {},
@@ -11722,6 +11911,7 @@ var MemoryDevice = class {
 };
 
 // src/interfaces/IBilling.ts
+import { randomBytes as randomBytes16 } from "crypto";
 var MemoryBilling = class {
   constructor(config = {}) {
     this.config = config;
@@ -11742,7 +11932,7 @@ var MemoryBilling = class {
   async createProduct(product) {
     const newProduct = {
       ...product,
-      id: `prod_${Date.now()}_${Math.random().toString(36).substring(7)}`,
+      id: `prod_${Date.now()}_${randomBytes16(4).toString("hex")}`,
       features: product.features || [],
       metadata: product.metadata || {},
       createdAt: /* @__PURE__ */ new Date(),
@@ -11770,7 +11960,7 @@ var MemoryBilling = class {
   async createPrice(price) {
     const newPrice = {
       ...price,
-      id: `price_${Date.now()}_${Math.random().toString(36).substring(7)}`,
+      id: `price_${Date.now()}_${randomBytes16(4).toString("hex")}`,
       metadata: price.metadata || {},
       createdAt: /* @__PURE__ */ new Date(),
       updatedAt: /* @__PURE__ */ new Date()
@@ -11801,7 +11991,7 @@ var MemoryBilling = class {
   async createMeter(meter) {
     const newMeter = {
       ...meter,
-      id: `meter_${Date.now()}_${Math.random().toString(36).substring(7)}`,
+      id: `meter_${Date.now()}_${randomBytes16(4).toString("hex")}`,
       createdAt: /* @__PURE__ */ new Date(),
       updatedAt: /* @__PURE__ */ new Date()
     };
@@ -11835,13 +12025,13 @@ var MemoryBilling = class {
     const trialDays = options.trialDays ?? price.trialDays ?? 0;
     const periodEnd = this.addPeriod(now, price.billingPeriod);
     const subscription = {
-      id: `sub_${Date.now()}_${Math.random().toString(36).substring(7)}`,
+      id: `sub_${Date.now()}_${randomBytes16(4).toString("hex")}`,
       customerId: options.customerId,
       tenantId: options.tenantId,
       status: trialDays > 0 ? "trialing" : "active",
       items: [
         {
-          id: `si_${Date.now()}_${Math.random().toString(36).substring(7)}`,
+          id: `si_${Date.now()}_${randomBytes16(4).toString("hex")}`,
           priceId: options.priceId,
           quantity: options.quantity || 1
         }
@@ -11932,7 +12122,7 @@ var MemoryBilling = class {
     const sub = await this.getSubscription(subscriptionId);
     if (!sub) throw new Error(`Subscription not found: ${subscriptionId}`);
     sub.items.push({
-      id: `si_${Date.now()}_${Math.random().toString(36).substring(7)}`,
+      id: `si_${Date.now()}_${randomBytes16(4).toString("hex")}`,
       priceId,
       quantity: quantity || 1
     });
@@ -11984,7 +12174,7 @@ var MemoryBilling = class {
       if (existing) return existing;
     }
     const event = {
-      id: `ue_${Date.now()}_${Math.random().toString(36).substring(7)}`,
+      id: `ue_${Date.now()}_${randomBytes16(4).toString("hex")}`,
       subscriptionId,
       customerId: sub.customerId,
       meterId: meter.id,
@@ -12055,7 +12245,7 @@ var MemoryBilling = class {
       if (price) {
         const unitAmount = price.unitAmount || 0;
         lineItems.push({
-          id: `ii_${Date.now()}_${Math.random().toString(36).substring(7)}`,
+          id: `ii_${Date.now()}_${randomBytes16(4).toString("hex")}`,
           priceId: item.priceId,
           description: price.name,
           quantity: item.quantity,
@@ -12070,7 +12260,7 @@ var MemoryBilling = class {
     const usageSummary = await this.getUsageSummary(subscriptionId);
     for (const usage of usageSummary) {
       lineItems.push({
-        id: `ii_${Date.now()}_${Math.random().toString(36).substring(7)}`,
+        id: `ii_${Date.now()}_${randomBytes16(4).toString("hex")}`,
         description: `${usage.meterName}: ${usage.total} ${usage.unit}`,
         quantity: usage.total,
         unitAmount: usage.cost / usage.total,
@@ -12093,7 +12283,7 @@ var MemoryBilling = class {
     const tax = (subtotal - discount) * (taxRate / 100);
     const total = subtotal - discount + tax;
     const invoice = {
-      id: `inv_${Date.now()}_${Math.random().toString(36).substring(7)}`,
+      id: `inv_${Date.now()}_${randomBytes16(4).toString("hex")}`,
       customerId: sub.customerId,
       subscriptionId,
       tenantId: sub.tenantId,
@@ -12124,14 +12314,14 @@ var MemoryBilling = class {
   async createInvoice(options) {
     const lineItems = options.lineItems.map((item) => ({
       ...item,
-      id: `ii_${Date.now()}_${Math.random().toString(36).substring(7)}`
+      id: `ii_${Date.now()}_${randomBytes16(4).toString("hex")}`
     }));
     const subtotal = lineItems.reduce((sum, item) => sum + item.amount, 0);
     const taxRate = this.config.defaultTaxRate || 0;
     const tax = subtotal * (taxRate / 100);
     const total = subtotal + tax;
     const invoice = {
-      id: `inv_${Date.now()}_${Math.random().toString(36).substring(7)}`,
+      id: `inv_${Date.now()}_${randomBytes16(4).toString("hex")}`,
       customerId: options.customerId,
       tenantId: options.tenantId,
       number: `${this.config.invoiceNumberPrefix || "INV-"}${++this.invoiceCounter}`,
@@ -12220,7 +12410,7 @@ var MemoryBilling = class {
   async createDunningConfig(config) {
     const newConfig = {
       ...config,
-      id: `dun_${Date.now()}_${Math.random().toString(36).substring(7)}`,
+      id: `dun_${Date.now()}_${randomBytes16(4).toString("hex")}`,
       createdAt: /* @__PURE__ */ new Date(),
       updatedAt: /* @__PURE__ */ new Date()
     };
@@ -12246,7 +12436,7 @@ var MemoryBilling = class {
     const invoice = await this.getInvoice(invoiceId);
     if (!invoice) throw new Error(`Invoice not found: ${invoiceId}`);
     const attempt = {
-      id: `da_${Date.now()}_${Math.random().toString(36).substring(7)}`,
+      id: `da_${Date.now()}_${randomBytes16(4).toString("hex")}`,
       invoiceId,
       attemptNumber: invoice.attemptCount + 1,
       action: "retry_payment",
@@ -12278,7 +12468,7 @@ var MemoryBilling = class {
     balance.updatedAt = /* @__PURE__ */ new Date();
     this.creditBalances.set(customerId, balance);
     const transaction = {
-      id: `ct_${Date.now()}_${Math.random().toString(36).substring(7)}`,
+      id: `ct_${Date.now()}_${randomBytes16(4).toString("hex")}`,
       customerId,
       type: options?.type || "manual",
       amount,
@@ -12303,7 +12493,7 @@ var MemoryBilling = class {
     balance.updatedAt = /* @__PURE__ */ new Date();
     this.creditBalances.set(customerId, balance);
     const transaction = {
-      id: `ct_${Date.now()}_${Math.random().toString(36).substring(7)}`,
+      id: `ct_${Date.now()}_${randomBytes16(4).toString("hex")}`,
       customerId,
       type: "manual",
       amount: -amount,
@@ -12327,7 +12517,7 @@ var MemoryBilling = class {
   async createCoupon(coupon) {
     const newCoupon = {
       ...coupon,
-      id: `coup_${Date.now()}_${Math.random().toString(36).substring(7)}`,
+      id: `coup_${Date.now()}_${randomBytes16(4).toString("hex")}`,
       timesRedeemed: 0,
       createdAt: /* @__PURE__ */ new Date(),
       updatedAt: /* @__PURE__ */ new Date()
@@ -12563,6 +12753,7 @@ var MemoryBilling = class {
 };
 
 // src/interfaces/IDevPortal.ts
+import { randomBytes as randomBytes17 } from "crypto";
 var MemoryDevPortal = class {
   constructor(config = {}) {
     this.config = config;
@@ -12575,8 +12766,9 @@ var MemoryDevPortal = class {
   usageRecords = [];
   // API Key Management
   async createApiKey(options, userId) {
-    const id = `key_${Date.now()}_${Math.random().toString(36).substring(7)}`;
-    const secret = `sk_${options.type}_${Math.random().toString(36).substring(2)}${Math.random().toString(36).substring(2)}`;
+    const { randomBytes: randomBytes37, createHash: createHash2 } = await import("crypto");
+    const id = `key_${Date.now()}_${randomBytes37(8).toString("hex")}`;
+    const secret = `sk_${options.type}_${randomBytes37(24).toString("base64url")}`;
     const prefix = secret.substring(0, 12);
     const key = {
       id,
@@ -12663,7 +12855,7 @@ var MemoryDevPortal = class {
   // API Documentation
   async generateDocumentation(endpoints, config) {
     const doc = {
-      id: `doc_${Date.now()}_${Math.random().toString(36).substring(7)}`,
+      id: `doc_${Date.now()}_${randomBytes17(4).toString("hex")}`,
       title: config.title,
       version: config.version,
       baseUrl: config.baseUrl,
@@ -12719,7 +12911,7 @@ var MemoryDevPortal = class {
     if (!doc) throw new Error(`Documentation not found: ${docId}`);
     const newEndpoint = {
       ...endpoint,
-      id: `ep_${Date.now()}_${Math.random().toString(36).substring(7)}`
+      id: `ep_${Date.now()}_${randomBytes17(4).toString("hex")}`
     };
     doc.endpoints.push(newEndpoint);
     return newEndpoint;
@@ -12815,7 +13007,7 @@ SDK for ${documentation.title}`,
         });
     }
     const sdk = {
-      id: `sdk_${Date.now()}_${Math.random().toString(36).substring(7)}`,
+      id: `sdk_${Date.now()}_${randomBytes17(4).toString("hex")}`,
       language: config.language,
       packageName: config.packageName,
       version: config.version,
@@ -12842,7 +13034,7 @@ SDK for ${documentation.title}`,
   }
   // Sandbox / Playground
   async createSandbox(options, userId) {
-    const id = `sandbox_${Date.now()}_${Math.random().toString(36).substring(7)}`;
+    const id = `sandbox_${Date.now()}_${randomBytes17(4).toString("hex")}`;
     const lifetimeHours = options.lifetimeHours || this.config.sandboxDefaultLifetimeHours || 24;
     const sandbox = {
       id,
@@ -12851,7 +13043,7 @@ SDK for ${documentation.title}`,
       tenantId: options.tenantId,
       status: "active",
       baseUrl: `https://sandbox-${id}.example.com`,
-      apiKey: `sandbox_${Math.random().toString(36).substring(2)}`,
+      apiKey: `sandbox_${randomBytes17(8).toString("hex")}`,
       seedDataLoaded: options.seedData || [],
       config: options.config || {},
       limits: {
@@ -12988,7 +13180,7 @@ SDK for ${documentation.title}`,
   }
   // Webhook Testing
   async createWebhookTestEndpoint(userId, maxEvents = 100) {
-    const id = `wh_test_${Date.now()}_${Math.random().toString(36).substring(7)}`;
+    const id = `wh_test_${Date.now()}_${randomBytes17(4).toString("hex")}`;
     const endpoint = {
       id,
       url: `https://webhook-test.example.com/${id}`,
@@ -13025,18 +13217,13 @@ SDK for ${documentation.title}`,
       statusCode: 200,
       headers: { "content-type": "application/json" },
       body: { received: true },
-      latencyMs: Math.random() * 100
+      latencyMs: 0
     };
   }
   // Private helpers
   hashKey(key) {
-    let hash = 0;
-    for (let i = 0; i < key.length; i++) {
-      const char = key.charCodeAt(i);
-      hash = (hash << 5) - hash + char;
-      hash = hash & hash;
-    }
-    return `hashed_${Math.abs(hash).toString(36)}`;
+    const { createHash: createHash2 } = __require("crypto");
+    return createHash2("sha256").update(key).digest("hex");
   }
   endpointsToOpenApiPaths(endpoints) {
     const paths = {};
@@ -13128,6 +13315,7 @@ class ApiClient:
 };
 
 // src/interfaces/ICompliance.ts
+import { randomBytes as randomBytes18 } from "crypto";
 var MemoryCompliance = class {
   constructor(config = {}) {
     this.config = config;
@@ -13144,13 +13332,13 @@ var MemoryCompliance = class {
   breaches = /* @__PURE__ */ new Map();
   // DSAR Management
   async createDsar(options) {
-    const id = `dsar_${Date.now()}_${Math.random().toString(36).substring(7)}`;
+    const id = `dsar_${Date.now()}_${randomBytes18(4).toString("hex")}`;
     const dsar = {
       id,
       type: options.type,
       subjectId: options.subjectId || options.subjectEmail,
       subjectEmail: options.subjectEmail,
-      verificationToken: `verify_${Math.random().toString(36).substring(2)}`,
+      verificationToken: `verify_${randomBytes18(8).toString("hex")}`,
       verified: false,
       status: "pending_verification",
       tenantId: options.tenantId,
@@ -13201,7 +13389,7 @@ var MemoryCompliance = class {
     dsar.updatedAt = /* @__PURE__ */ new Date();
     if (notes) {
       dsar.notes.push({
-        id: `note_${Date.now()}_${Math.random().toString(36).substring(7)}`,
+        id: `note_${Date.now()}_${randomBytes18(4).toString("hex")}`,
         content: notes,
         authorId: "system",
         createdAt: /* @__PURE__ */ new Date()
@@ -13213,7 +13401,7 @@ var MemoryCompliance = class {
     const dsar = await this.getDsar(dsarId);
     if (!dsar) throw new Error(`DSAR not found: ${dsarId}`);
     const note = {
-      id: `note_${Date.now()}_${Math.random().toString(36).substring(7)}`,
+      id: `note_${Date.now()}_${randomBytes18(4).toString("hex")}`,
       content,
       authorId,
       createdAt: /* @__PURE__ */ new Date()
@@ -13227,7 +13415,7 @@ var MemoryCompliance = class {
     if (!dsar) throw new Error(`DSAR not found: ${dsarId}`);
     const att = {
       ...attachment,
-      id: `att_${Date.now()}_${Math.random().toString(36).substring(7)}`,
+      id: `att_${Date.now()}_${randomBytes18(4).toString("hex")}`,
       createdAt: /* @__PURE__ */ new Date()
     };
     dsar.attachments.push(att);
@@ -13268,7 +13456,7 @@ var MemoryCompliance = class {
   }
   // Consent Management
   async recordConsent(options) {
-    const id = `consent_${Date.now()}_${Math.random().toString(36).substring(7)}`;
+    const id = `consent_${Date.now()}_${randomBytes18(4).toString("hex")}`;
     const consent = {
       id,
       subjectId: options.subjectId,
@@ -13343,7 +13531,7 @@ var MemoryCompliance = class {
   }
   // Retention Policies
   async createRetentionPolicy(policy) {
-    const id = `rp_${Date.now()}_${Math.random().toString(36).substring(7)}`;
+    const id = `rp_${Date.now()}_${randomBytes18(4).toString("hex")}`;
     const newPolicy = {
       ...policy,
       id,
@@ -13376,7 +13564,7 @@ var MemoryCompliance = class {
     if (!policy) throw new Error(`Policy not found: ${policyId}`);
     const startedAt = /* @__PURE__ */ new Date();
     const execution = {
-      id: `re_${Date.now()}_${Math.random().toString(36).substring(7)}`,
+      id: `re_${Date.now()}_${randomBytes18(4).toString("hex")}`,
       policyId,
       recordsProcessed: 100,
       recordsAffected: 15,
@@ -13395,7 +13583,7 @@ var MemoryCompliance = class {
   }
   // Data Inventory
   async addDataInventoryItem(item) {
-    const id = `di_${Date.now()}_${Math.random().toString(36).substring(7)}`;
+    const id = `di_${Date.now()}_${randomBytes18(4).toString("hex")}`;
     const newItem = {
       ...item,
       id,
@@ -13456,7 +13644,7 @@ var MemoryCompliance = class {
   }
   // Audit Evidence
   async addEvidence(evidence) {
-    const id = `ev_${Date.now()}_${Math.random().toString(36).substring(7)}`;
+    const id = `ev_${Date.now()}_${randomBytes18(4).toString("hex")}`;
     const newEvidence = {
       ...evidence,
       id,
@@ -13532,7 +13720,7 @@ var MemoryCompliance = class {
   }
   // PIAs
   async createPia(pia) {
-    const id = `pia_${Date.now()}_${Math.random().toString(36).substring(7)}`;
+    const id = `pia_${Date.now()}_${randomBytes18(4).toString("hex")}`;
     const newPia = {
       ...pia,
       id,
@@ -13564,7 +13752,7 @@ var MemoryCompliance = class {
     if (!pia) throw new Error(`PIA not found: ${piaId}`);
     const newRisk = {
       ...risk,
-      id: `risk_${Date.now()}_${Math.random().toString(36).substring(7)}`
+      id: `risk_${Date.now()}_${randomBytes18(4).toString("hex")}`
     };
     pia.risks.push(newRisk);
     pia.updatedAt = /* @__PURE__ */ new Date();
@@ -13575,7 +13763,7 @@ var MemoryCompliance = class {
     if (!pia) throw new Error(`PIA not found: ${piaId}`);
     const newMitigation = {
       ...mitigation,
-      id: `mit_${Date.now()}_${Math.random().toString(36).substring(7)}`
+      id: `mit_${Date.now()}_${randomBytes18(4).toString("hex")}`
     };
     pia.mitigations.push(newMitigation);
     pia.updatedAt = /* @__PURE__ */ new Date();
@@ -13612,7 +13800,7 @@ var MemoryCompliance = class {
       (c) => c.status === "non_compliant"
     ).length;
     const report = {
-      id: `report_${Date.now()}_${Math.random().toString(36).substring(7)}`,
+      id: `report_${Date.now()}_${randomBytes18(4).toString("hex")}`,
       title: `${framework.toUpperCase()} Compliance Report`,
       framework,
       period,
@@ -13663,7 +13851,7 @@ var MemoryCompliance = class {
   }
   // Breach Management
   async recordBreach(breach) {
-    const id = `breach_${Date.now()}_${Math.random().toString(36).substring(7)}`;
+    const id = `breach_${Date.now()}_${randomBytes18(4).toString("hex")}`;
     const newBreach = {
       ...breach,
       id,
@@ -13902,6 +14090,27 @@ var RAGConfigSchema = z.object({
     message: "Pinecone requires apiKey and indexName; Weaviate requires host"
   }
 );
+var CryptoConfigSchema = z.object({
+  enabled: z.boolean().default(false).describe("Enable field-level encryption"),
+  masterKey: z.string().optional().describe("256-bit master key as hex (64 chars). Required when enabled."),
+  hmacKey: z.string().optional().describe(
+    "HMAC key for deterministic hashing (derived from master key if not provided)"
+  )
+}).refine(
+  (data) => {
+    if (data.enabled) {
+      return data.masterKey && data.masterKey.length >= 64;
+    }
+    return true;
+  },
+  {
+    message: "Crypto requires a 256-bit master key (64 hex characters) when enabled"
+  }
+);
+var SecurityConfigSchema = z.object({
+  enforceTls: z.boolean().default(true).describe("Enforce TLS for production connections"),
+  tlsWarnOnly: z.boolean().default(false).describe("Warn instead of throwing when TLS is missing in production")
+});
 var RetryConfigSchema = z.object({
   enabled: z.boolean().default(true).describe("Enable retry for failed operations"),
   maxAttempts: z.number().int().min(1).max(10).default(3).describe("Maximum retry attempts"),
@@ -13991,6 +14200,10 @@ var PlatformConfigSchema = z.object({
   // AI configurations
   ai: AIConfigSchema.default({ enabled: false }),
   rag: RAGConfigSchema.default({ enabled: false }),
+  // Crypto configuration
+  crypto: CryptoConfigSchema.default({ enabled: false }),
+  // Security configuration
+  security: SecurityConfigSchema.default({}),
   // Resilience configuration
   resilience: ResilienceConfigSchema.default({}),
   // Observability configuration
@@ -14068,6 +14281,15 @@ function loadConfig() {
       embeddingApiKey: process.env.EMBEDDING_API_KEY || process.env.OPENAI_API_KEY,
       embeddingModel: process.env.EMBEDDING_MODEL
     },
+    crypto: {
+      enabled: process.env.CRYPTO_ENABLED === "true",
+      masterKey: process.env.CRYPTO_MASTER_KEY,
+      hmacKey: process.env.CRYPTO_HMAC_KEY
+    },
+    security: {
+      enforceTls: process.env.SECURITY_ENFORCE_TLS !== "false",
+      tlsWarnOnly: process.env.SECURITY_TLS_WARN_ONLY === "true"
+    },
     resilience: {
       retry: {
         enabled: process.env.RESILIENCE_RETRY_ENABLED !== "false",
@@ -14474,13 +14696,14 @@ var MemoryEmail = class {
 
 // src/context/CorrelationContext.ts
 import { AsyncLocalStorage } from "async_hooks";
+import { randomBytes as randomBytes19 } from "crypto";
 var CorrelationContextManager = class {
   storage = new AsyncLocalStorage();
   idGenerator;
   constructor() {
     this.idGenerator = () => {
       const timestamp = Date.now().toString(36);
-      const random = Math.random().toString(36).substring(2, 10);
+      const random = randomBytes19(4).toString("hex");
       return `${timestamp}-${random}`;
     };
   }
@@ -15110,10 +15333,11 @@ var MemoryQueue = class {
 };
 
 // src/adapters/console/ConsoleEmail.ts
+import { randomBytes as randomBytes20 } from "crypto";
 var ConsoleEmail = class {
   sentEmails = [];
   async send(message) {
-    const id = `console_${Date.now()}_${Math.random().toString(36).slice(2, 9)}`;
+    const id = `console_${Date.now()}_${randomBytes20(4).toString("hex")}`;
     console.log("\n" + "=".repeat(60));
     console.log("\u{1F4E7} EMAIL SENT (Console Adapter)");
     console.log("=".repeat(60));
@@ -15190,6 +15414,152 @@ var ConsoleEmail = class {
 // src/factory.ts
 init_IAI();
 init_IRAG();
+
+// src/adapters/memory/MemoryCrypto.ts
+import {
+  randomBytes as randomBytes21,
+  createCipheriv,
+  createDecipheriv,
+  createHmac
+} from "crypto";
+var MemoryCrypto = class {
+  keys = /* @__PURE__ */ new Map();
+  activeKeyId;
+  hmacKey;
+  constructor(options) {
+    const masterKeyBuf = options?.masterKey ? Buffer.from(options.masterKey, "hex") : randomBytes21(32);
+    this.hmacKey = options?.hmacKey ? Buffer.from(options.hmacKey, "hex") : randomBytes21(32);
+    const keyId = this.generateKeyId();
+    this.keys.set(keyId, {
+      id: keyId,
+      key: masterKeyBuf,
+      status: "active",
+      createdAt: /* @__PURE__ */ new Date()
+    });
+    this.activeKeyId = keyId;
+  }
+  async encrypt(plaintext, options) {
+    const keyId = options?.keyId || this.activeKeyId;
+    const stored = this.keys.get(keyId);
+    if (!stored) {
+      throw new Error(`Key not found: ${keyId}`);
+    }
+    if (stored.status === "retired") {
+      throw new Error(`Key is retired: ${keyId}`);
+    }
+    if (stored.status === "decrypt-only" && !options?.keyId) {
+      throw new Error(`Key is decrypt-only: ${keyId}`);
+    }
+    const iv = randomBytes21(12);
+    const cipher = createCipheriv("aes-256-gcm", stored.key, iv);
+    if (options?.aad) {
+      cipher.setAAD(Buffer.from(options.aad, "utf8"));
+    }
+    const encrypted = Buffer.concat([
+      cipher.update(plaintext, "utf8"),
+      cipher.final()
+    ]);
+    const tag = cipher.getAuthTag();
+    return {
+      ciphertext: encrypted.toString("base64"),
+      iv: iv.toString("base64"),
+      tag: tag.toString("base64"),
+      keyId,
+      algorithm: "aes-256-gcm",
+      version: 1
+    };
+  }
+  async decrypt(field, options) {
+    const stored = this.keys.get(field.keyId);
+    if (!stored) {
+      throw new Error(`Key not found: ${field.keyId}`);
+    }
+    if (stored.status === "retired") {
+      throw new Error(`Key is retired and cannot decrypt: ${field.keyId}`);
+    }
+    const decipher = createDecipheriv(
+      "aes-256-gcm",
+      stored.key,
+      Buffer.from(field.iv, "base64")
+    );
+    decipher.setAuthTag(Buffer.from(field.tag, "base64"));
+    if (options?.aad) {
+      decipher.setAAD(Buffer.from(options.aad, "utf8"));
+    }
+    const decrypted = Buffer.concat([
+      decipher.update(Buffer.from(field.ciphertext, "base64")),
+      decipher.final()
+    ]);
+    return decrypted.toString("utf8");
+  }
+  async encryptDeterministic(plaintext, options) {
+    const hash = await this.computeHash(plaintext);
+    const encrypted = await this.encrypt(plaintext, options);
+    return { hash, encrypted };
+  }
+  async computeHash(plaintext) {
+    return createHmac("sha256", this.hmacKey).update(plaintext, "utf8").digest("hex");
+  }
+  async encryptBatch(fields, options) {
+    const result = {};
+    for (const [key, value] of Object.entries(fields)) {
+      result[key] = await this.encrypt(value, options);
+    }
+    return result;
+  }
+  async decryptBatch(fields, options) {
+    const result = {};
+    for (const [key, value] of Object.entries(fields)) {
+      result[key] = await this.decrypt(value, options);
+    }
+    return result;
+  }
+  async rotateKey() {
+    const previousKeyId = this.activeKeyId;
+    const currentKey = this.keys.get(previousKeyId);
+    if (currentKey) {
+      currentKey.status = "decrypt-only";
+    }
+    const newKeyId = this.generateKeyId();
+    this.keys.set(newKeyId, {
+      id: newKeyId,
+      key: randomBytes21(32),
+      status: "active",
+      createdAt: /* @__PURE__ */ new Date()
+    });
+    this.activeKeyId = newKeyId;
+    return { newKeyId, previousKeyId };
+  }
+  async reEncrypt(field, options) {
+    const plaintext = await this.decrypt(field);
+    return this.encrypt(plaintext, options);
+  }
+  async listKeys() {
+    return Array.from(this.keys.values()).map((k) => ({
+      keyId: k.id,
+      createdAt: k.createdAt,
+      status: k.status
+    }));
+  }
+  async getActiveKeyId() {
+    return this.activeKeyId;
+  }
+  async healthCheck() {
+    try {
+      const testPlain = "health-check-test";
+      const encrypted = await this.encrypt(testPlain);
+      const decrypted = await this.decrypt(encrypted);
+      return decrypted === testPlain;
+    } catch {
+      return false;
+    }
+  }
+  generateKeyId() {
+    return `key_${randomBytes21(8).toString("hex")}`;
+  }
+};
+
+// src/factory.ts
 async function createDatabaseAdapter(config) {
   switch (config.database.provider) {
     case "postgres": {
@@ -15245,9 +15615,9 @@ async function createCacheAdapter(config) {
           "Upstash requires UPSTASH_REDIS_REST_URL and UPSTASH_REDIS_REST_TOKEN environment variables"
         );
       }
-      const { Redis } = await import("@upstash/redis");
+      const { Redis: Redis2 } = await import("@upstash/redis");
       const { UpstashCache: UpstashCache2 } = await Promise.resolve().then(() => (init_UpstashCache(), UpstashCache_exports));
-      const client = new Redis({
+      const client = new Redis2({
         url: config.cache.upstashUrl,
         token: config.cache.upstashToken
       });
@@ -15490,16 +15860,73 @@ async function createRAGAdapter(config, ai) {
       return new MemoryRAG();
   }
 }
+async function createCryptoAdapter(config) {
+  if (!config.crypto.enabled) {
+    return null;
+  }
+  if (config.crypto.masterKey && config.crypto.masterKey.length >= 64) {
+    const { NodeCrypto: NodeCrypto2 } = await Promise.resolve().then(() => (init_NodeCrypto(), NodeCrypto_exports));
+    return new NodeCrypto2({
+      masterKey: config.crypto.masterKey,
+      hmacKey: config.crypto.hmacKey
+    });
+  }
+  return new MemoryCrypto();
+}
+function validateTlsSecurity(config) {
+  const isProduction = process.env.NODE_ENV === "production";
+  if (!isProduction || !config.security.enforceTls) {
+    return;
+  }
+  const warnings = [];
+  if (config.database.provider === "postgres") {
+    const connStr = config.database.connectionString || config.database.url || "";
+    const hasSSL = config.database.ssl || connStr.includes("sslmode=require") || connStr.includes("sslmode=verify");
+    if (!hasSSL) {
+      warnings.push(
+        "PostgreSQL: TLS/SSL not configured. Set database.ssl=true or add sslmode=require to connection string."
+      );
+    }
+  }
+  if (config.cache.provider === "redis") {
+    const url = config.cache.url || "";
+    if (url && !url.startsWith("rediss://")) {
+      warnings.push(
+        "Redis: Connection URL uses redis:// instead of rediss:// (TLS). Consider enabling TLS."
+      );
+    }
+  }
+  if (config.email.provider === "smtp") {
+    if (!config.email.secure) {
+      warnings.push(
+        "SMTP: secure=false in production. Set email.secure=true for TLS."
+      );
+    }
+  }
+  if (warnings.length > 0) {
+    const message = `[Security] TLS warnings in production:
+  - ${warnings.join("\n  - ")}`;
+    if (config.security.tlsWarnOnly) {
+      console.warn(message);
+    } else {
+      throw new Error(message);
+    }
+  }
+}
 async function createPlatformAsync(config) {
   const finalConfig = config ? deepMerge(loadConfig(), config) : loadConfig();
-  const [db, cache, storage, email, queue, tracing] = await Promise.all([
-    createDatabaseAdapter(finalConfig),
-    createCacheAdapter(finalConfig),
-    createStorageAdapter(finalConfig),
-    createEmailAdapter(finalConfig),
-    createQueueAdapter(finalConfig),
-    createTracingAdapter(finalConfig)
-  ]);
+  validateTlsSecurity(finalConfig);
+  const [db, cache, storage, email, queue, tracing, crypto2] = await Promise.all(
+    [
+      createDatabaseAdapter(finalConfig),
+      createCacheAdapter(finalConfig),
+      createStorageAdapter(finalConfig),
+      createEmailAdapter(finalConfig),
+      createQueueAdapter(finalConfig),
+      createTracingAdapter(finalConfig),
+      createCryptoAdapter(finalConfig)
+    ]
+  );
   const logger = createLogger(finalConfig);
   const metrics = createMetrics(finalConfig);
   const ai = await createAIAdapter(finalConfig);
@@ -15514,7 +15941,8 @@ async function createPlatformAsync(config) {
     metrics,
     tracing,
     ai,
-    rag
+    rag,
+    crypto2
   );
 }
 function createPlatform(config) {
@@ -15535,6 +15963,7 @@ function createPlatform(config) {
   const tracing = finalConfig.observability.tracing.provider === "memory" ? new MemoryTracing() : new NoopTracing();
   const ai = finalConfig.ai.enabled ? new MemoryAI() : null;
   const rag = finalConfig.rag.enabled ? new MemoryRAG() : null;
+  const crypto2 = finalConfig.crypto.enabled ? new MemoryCrypto() : null;
   return createPlatformFromAdapters(
     db,
     cache,
@@ -15545,10 +15974,11 @@ function createPlatform(config) {
     metrics,
     tracing,
     ai,
-    rag
+    rag,
+    crypto2
   );
 }
-function createPlatformFromAdapters(db, cache, storage, email, queue, logger, metrics, tracing, ai, rag) {
+function createPlatformFromAdapters(db, cache, storage, email, queue, logger, metrics, tracing, ai, rag, crypto2) {
   const platform = {
     db,
     cache,
@@ -15602,6 +16032,9 @@ function createPlatformFromAdapters(db, cache, storage, email, queue, logger, me
   if (rag) {
     platform.rag = rag;
   }
+  if (crypto2) {
+    platform.crypto = crypto2;
+  }
   return platform;
 }
 function deepMerge(target, source) {
@@ -17073,6 +17506,7 @@ var FallbackStrategies = {
 };
 
 // src/security.ts
+import { timingSafeEqual } from "crypto";
 var URL_PROTOCOL_PATTERN = /(https?:\/\/|ftp:\/\/|www\.)\S+/i;
 var URL_DOMAIN_PATTERN = /\b[\w.-]+\.(com|net|org|io|co|dev|app|xyz|info|biz|me|us|uk|edu|gov)\b/i;
 var HTML_TAG_PATTERN = /<[^>]*>/;
@@ -17097,6 +17531,144 @@ function defangUrl(str) {
 function sanitizeForEmail(str) {
   return escapeHtml(str);
 }
+function constantTimeEqual(a, b) {
+  try {
+    const aBuf = Buffer.from(a, "utf-8");
+    const bBuf = Buffer.from(b, "utf-8");
+    if (aBuf.length !== bBuf.length) return false;
+    return timingSafeEqual(aBuf, bBuf);
+  } catch {
+    return false;
+  }
+}
+function sanitizeApiError(error, statusCode, isDevelopment = false) {
+  if (statusCode >= 400 && statusCode < 500) {
+    const message = error instanceof Error ? error.message : String(error || "Bad request");
+    return { message };
+  }
+  const result = {
+    message: "An internal error occurred. Please try again later.",
+    code: "INTERNAL_ERROR"
+  };
+  if (isDevelopment && error instanceof Error) {
+    result.stack = error.stack;
+  }
+  return result;
+}
+function getCorrelationId2(headers) {
+  const get = typeof headers === "function" ? headers : (name) => {
+    const val = headers[name] ?? headers[name.toLowerCase()];
+    return Array.isArray(val) ? val[0] : val;
+  };
+  return get("x-request-id") || get("X-Request-ID") || get("x-correlation-id") || get("X-Correlation-ID") || crypto.randomUUID();
+}
+
+// src/security-headers.ts
+var SecurityHeaderPresets = {
+  /** Minimal: basic headers only, no CSP */
+  minimal: {
+    csp: false,
+    hsts: false
+  },
+  /** Standard: full CSP + HSTS for most apps */
+  standard: {
+    csp: true,
+    hsts: true,
+    frameOptions: "DENY"
+  },
+  /** Strict: deny all permissions, strict CSP, no frame embedding */
+  strict: {
+    csp: true,
+    hsts: true,
+    hstsMaxAge: 63072e3,
+    // 2 years
+    frameOptions: "DENY"
+  }
+};
+function generateSecurityHeaders(config = {}) {
+  const isProduction = config.isProduction ?? process.env.NODE_ENV === "production";
+  const frameOptions = config.frameOptions ?? "DENY";
+  const enableCsp = config.csp ?? true;
+  const enableHsts = config.hsts ?? true;
+  const hstsMaxAge = config.hstsMaxAge ?? 31536e3;
+  const baseHeaders = [
+    { key: "X-Frame-Options", value: frameOptions },
+    { key: "X-Content-Type-Options", value: "nosniff" },
+    // Modern browsers use CSP, not XSS-Protection. Value '0' disables the
+    // legacy filter which can itself introduce vulnerabilities.
+    { key: "X-XSS-Protection", value: "0" },
+    {
+      key: "Referrer-Policy",
+      value: "strict-origin-when-cross-origin"
+    },
+    {
+      key: "Permissions-Policy",
+      value: "camera=(), microphone=(), geolocation=()"
+    }
+  ];
+  const entries = [
+    { source: "/:path*", headers: baseHeaders }
+  ];
+  if (isProduction) {
+    const prodHeaders = [];
+    if (enableHsts) {
+      prodHeaders.push({
+        key: "Strict-Transport-Security",
+        value: `max-age=${hstsMaxAge}; includeSubDomains`
+      });
+    }
+    if (enableCsp) {
+      const csp = buildCsp(config);
+      prodHeaders.push({ key: "Content-Security-Policy", value: csp });
+    }
+    if (prodHeaders.length > 0) {
+      entries.push({ source: "/:path*", headers: prodHeaders });
+    }
+  }
+  return entries;
+}
+function buildCsp(config) {
+  const scriptSrc = [
+    "'self'",
+    "'unsafe-inline'",
+    "'unsafe-eval'",
+    ...config.cspScriptSrc ?? []
+  ];
+  const styleSrc = [
+    "'self'",
+    "'unsafe-inline'",
+    "https://fonts.googleapis.com",
+    ...config.cspStyleSrc ?? []
+  ];
+  const imgSrc = [
+    "'self'",
+    "data:",
+    "https:",
+    "blob:",
+    ...config.cspImgSrc ?? []
+  ];
+  const fontSrc = ["'self'", "data:", "https://fonts.gstatic.com"];
+  const connectSrc = ["'self'", ...config.cspConnectSrc ?? []];
+  const frameSrc = [...config.cspFrameSrc ?? []];
+  const directives = [
+    `default-src 'self'`,
+    `script-src ${scriptSrc.join(" ")}`,
+    `style-src ${styleSrc.join(" ")}`,
+    `img-src ${imgSrc.join(" ")}`,
+    `font-src ${fontSrc.join(" ")}`,
+    `connect-src ${connectSrc.join(" ")}`
+  ];
+  if (frameSrc.length > 0) {
+    directives.push(`frame-src ${frameSrc.join(" ")}`);
+  }
+  directives.push(
+    `object-src 'none'`,
+    `base-uri 'self'`,
+    `form-action 'self'`,
+    `frame-ancestors 'none'`
+  );
+  return directives.join("; ");
+}
 
 // src/api.ts
 var ApiErrorCode = {
@@ -17223,6 +17795,850 @@ function buildPagination(page, limit, total) {
   };
 }
 
+// src/auth/keycloak.ts
+var KEYCLOAK_DEFAULT_ROLES = [
+  "offline_access",
+  "uma_authorization"
+];
+function parseKeycloakRoles(accessToken, additionalDefaultRoles = []) {
+  if (!accessToken) return [];
+  try {
+    const parts = accessToken.split(".");
+    if (parts.length !== 3) return [];
+    const payload = parts[1];
+    const decoded = JSON.parse(atob(payload));
+    const realmRoles = decoded.realm_roles ?? decoded.realm_access?.roles;
+    if (!Array.isArray(realmRoles)) return [];
+    const filterSet = /* @__PURE__ */ new Set([
+      ...KEYCLOAK_DEFAULT_ROLES,
+      ...additionalDefaultRoles
+    ]);
+    return realmRoles.filter(
+      (role) => typeof role === "string" && !filterSet.has(role)
+    );
+  } catch {
+    return [];
+  }
+}
+function hasRole(roles, role) {
+  return roles?.includes(role) ?? false;
+}
+function hasAnyRole(roles, requiredRoles) {
+  if (!roles || roles.length === 0) return false;
+  return requiredRoles.some((role) => roles.includes(role));
+}
+function hasAllRoles(roles, requiredRoles) {
+  if (!roles || roles.length === 0) return false;
+  return requiredRoles.every((role) => roles.includes(role));
+}
+function isTokenExpired(expiresAt, bufferMs = 6e4) {
+  if (!expiresAt) return true;
+  return Date.now() >= expiresAt - bufferMs;
+}
+function buildTokenRefreshParams(config, refreshToken) {
+  return new URLSearchParams({
+    grant_type: "refresh_token",
+    client_id: config.clientId,
+    client_secret: config.clientSecret,
+    refresh_token: refreshToken
+  });
+}
+function getTokenEndpoint(issuer) {
+  const base = issuer.endsWith("/") ? issuer.slice(0, -1) : issuer;
+  return `${base}/protocol/openid-connect/token`;
+}
+function getEndSessionEndpoint(issuer) {
+  const base = issuer.endsWith("/") ? issuer.slice(0, -1) : issuer;
+  return `${base}/protocol/openid-connect/logout`;
+}
+async function refreshKeycloakToken(config, refreshToken, additionalDefaultRoles) {
+  try {
+    const endpoint = getTokenEndpoint(config.issuer);
+    const params = buildTokenRefreshParams(config, refreshToken);
+    const response = await fetch(endpoint, {
+      method: "POST",
+      headers: { "Content-Type": "application/x-www-form-urlencoded" },
+      body: params
+    });
+    if (!response.ok) {
+      const body = await response.text().catch(() => "");
+      return {
+        ok: false,
+        error: `Token refresh failed: HTTP ${response.status} - ${body}`
+      };
+    }
+    const data = await response.json();
+    return {
+      ok: true,
+      tokens: {
+        accessToken: data.access_token,
+        refreshToken: data.refresh_token ?? refreshToken,
+        idToken: data.id_token,
+        expiresAt: Date.now() + data.expires_in * 1e3,
+        roles: parseKeycloakRoles(data.access_token, additionalDefaultRoles)
+      }
+    };
+  } catch (error) {
+    return {
+      ok: false,
+      error: error instanceof Error ? error.message : "Token refresh failed"
+    };
+  }
+}
+
+// src/auth/nextjs-keycloak.ts
+function buildAuthCookies(config = {}) {
+  const { domain, sessionToken = true, callbackUrl = true } = config;
+  const isProduction = process.env.NODE_ENV === "production";
+  const cookieDomain = isProduction ? domain : void 0;
+  const baseOptions = {
+    httpOnly: true,
+    sameSite: "lax",
+    path: "/",
+    secure: isProduction,
+    domain: cookieDomain
+  };
+  const cookies = {
+    pkceCodeVerifier: {
+      name: "authjs.pkce.code_verifier",
+      options: { ...baseOptions }
+    },
+    state: {
+      name: "authjs.state",
+      options: { ...baseOptions }
+    }
+  };
+  if (sessionToken) {
+    cookies.sessionToken = {
+      name: isProduction ? "__Secure-authjs.session-token" : "authjs.session-token",
+      options: { ...baseOptions }
+    };
+  }
+  if (callbackUrl) {
+    cookies.callbackUrl = {
+      name: isProduction ? "__Secure-authjs.callback-url" : "authjs.callback-url",
+      options: { ...baseOptions }
+    };
+  }
+  return cookies;
+}
+function buildRedirectCallback(config = {}) {
+  const { allowWwwVariant = false } = config;
+  return async ({ url, baseUrl }) => {
+    if (url.startsWith("/")) return `${baseUrl}${url}`;
+    try {
+      if (new URL(url).origin === baseUrl) return url;
+    } catch {
+      return baseUrl;
+    }
+    if (allowWwwVariant) {
+      try {
+        const urlHost = new URL(url).hostname;
+        const baseHost = new URL(baseUrl).hostname;
+        if (urlHost === `www.${baseHost}` || baseHost === `www.${urlHost}`) {
+          return url;
+        }
+      } catch {
+      }
+    }
+    return baseUrl;
+  };
+}
+function buildKeycloakCallbacks(config) {
+  const {
+    issuer,
+    clientId,
+    clientSecret,
+    defaultRoles = [],
+    debug = process.env.NODE_ENV === "development"
+  } = config;
+  const kcConfig = { issuer, clientId, clientSecret };
+  function log(message, meta) {
+    if (debug) {
+      console.log(`[Auth] ${message}`, meta ? JSON.stringify(meta) : "");
+    }
+  }
+  return {
+    /**
+     * JWT callback — stores Keycloak tokens and handles refresh.
+     *
+     * Compatible with Auth.js v5 JWT callback signature.
+     */
+    async jwt({
+      token,
+      user,
+      account
+    }) {
+      if (user) {
+        token.id = token.sub ?? user.id;
+      }
+      if (account?.provider === "keycloak") {
+        token.accessToken = account.access_token;
+        token.refreshToken = account.refresh_token;
+        token.idToken = account.id_token;
+        token.roles = parseKeycloakRoles(
+          account.access_token,
+          defaultRoles
+        );
+        token.accessTokenExpires = account.expires_at ? account.expires_at * 1e3 : Date.now() + 3e5;
+        return token;
+      }
+      if (!isTokenExpired(token.accessTokenExpires)) {
+        return token;
+      }
+      if (token.refreshToken) {
+        log("Token expired, attempting refresh...");
+        const result = await refreshKeycloakToken(
+          kcConfig,
+          token.refreshToken,
+          defaultRoles
+        );
+        if (result.ok) {
+          token.accessToken = result.tokens.accessToken;
+          token.idToken = result.tokens.idToken ?? token.idToken;
+          token.refreshToken = result.tokens.refreshToken ?? token.refreshToken;
+          token.accessTokenExpires = result.tokens.expiresAt;
+          token.roles = result.tokens.roles;
+          delete token.error;
+          log("Token refreshed OK");
+          return token;
+        }
+        log("Token refresh failed", { error: result.error });
+        return { ...token, error: "RefreshTokenError" };
+      }
+      log("Token expired but no refresh token available");
+      return { ...token, error: "RefreshTokenError" };
+    },
+    /**
+     * Session callback — maps JWT fields to the session object.
+     *
+     * Compatible with Auth.js v5 session callback signature.
+     */
+    async session({
+      session,
+      token
+    }) {
+      const user = session.user;
+      if (user) {
+        user.id = token.id || token.sub;
+        user.roles = token.roles || [];
+      }
+      session.idToken = token.idToken;
+      session.accessToken = token.accessToken;
+      if (token.error) {
+        session.error = token.error;
+      }
+      return session;
+    }
+  };
+}
+
+// src/auth/api-security.ts
+var StandardRateLimitPresets = {
+  /** General API: 100/min, 200/min authenticated */
+  apiGeneral: {
+    limit: 100,
+    windowSeconds: 60,
+    authenticatedLimit: 200
+  },
+  /** Admin operations: 100/min (admins are trusted) */
+  adminAction: {
+    limit: 100,
+    windowSeconds: 60
+  },
+  /** AI/expensive operations: 20/hour, 50/hour authenticated */
+  aiRequest: {
+    limit: 20,
+    windowSeconds: 3600,
+    authenticatedLimit: 50
+  },
+  /** Auth attempts: 5/15min with 15min block */
+  authAttempt: {
+    limit: 5,
+    windowSeconds: 900,
+    blockDurationSeconds: 900
+  },
+  /** Contact/public forms: 10/hour */
+  publicForm: {
+    limit: 10,
+    windowSeconds: 3600,
+    blockDurationSeconds: 1800
+  },
+  /** Checkout/billing: 10/hour with 1hr block */
+  checkout: {
+    limit: 10,
+    windowSeconds: 3600,
+    blockDurationSeconds: 3600
+  }
+};
+function resolveRateLimitIdentifier(session, clientIp) {
+  if (session?.user?.id) {
+    return { identifier: `user:${session.user.id}`, isAuthenticated: true };
+  }
+  if (session?.user?.email) {
+    return {
+      identifier: `email:${session.user.email}`,
+      isAuthenticated: true
+    };
+  }
+  return { identifier: `ip:${clientIp}`, isAuthenticated: false };
+}
+function extractClientIp(getHeader) {
+  return getHeader("cf-connecting-ip") || getHeader("x-real-ip") || getHeader("x-forwarded-for")?.split(",")[0]?.trim() || "unknown";
+}
+function buildRateLimitHeaders(limit, remaining, resetAtMs) {
+  return {
+    "X-RateLimit-Limit": String(limit),
+    "X-RateLimit-Remaining": String(Math.max(0, remaining)),
+    "X-RateLimit-Reset": String(Math.ceil(resetAtMs / 1e3))
+  };
+}
+function buildErrorBody(error, extra) {
+  return { error, ...extra };
+}
+var WrapperPresets = {
+  /** Public route: no auth, rate limited */
+  public: {
+    requireAuth: false,
+    requireAdmin: false,
+    rateLimit: "apiGeneral"
+  },
+  /** Authenticated route: requires session */
+  authenticated: {
+    requireAuth: true,
+    requireAdmin: false,
+    rateLimit: "apiGeneral"
+  },
+  /** Admin route: requires session with admin role */
+  admin: {
+    requireAuth: true,
+    requireAdmin: true,
+    rateLimit: "adminAction"
+  },
+  /** Legacy admin: accepts session OR bearer token */
+  legacyAdmin: {
+    requireAuth: true,
+    requireAdmin: true,
+    allowBearerToken: true,
+    rateLimit: "adminAction"
+  },
+  /** AI/expensive: requires auth, strict rate limit */
+  ai: {
+    requireAuth: true,
+    requireAdmin: false,
+    rateLimit: "aiRequest"
+  },
+  /** Cron: no rate limit, admin-level access */
+  cron: {
+    requireAuth: true,
+    requireAdmin: false,
+    skipRateLimit: true,
+    skipAudit: false
+  }
+};
+
+// src/auth/schemas.ts
+import { z as z2 } from "zod";
+var EmailSchema = z2.string().trim().toLowerCase().email("Invalid email address");
+var PasswordSchema = z2.string().min(8, "Password must be at least 8 characters").max(100, "Password must be less than 100 characters");
+var SlugSchema = z2.string().min(1, "Slug is required").max(100, "Slug must be less than 100 characters").regex(
+  /^[a-z0-9-]+$/,
+  "Slug can only contain lowercase letters, numbers, and hyphens"
+);
+var PhoneSchema = z2.string().regex(/^[\d\s()+.\-]{7,20}$/, "Invalid phone number format");
+var PersonNameSchema = z2.string().min(2, "Name must be at least 2 characters").max(100, "Name must be less than 100 characters").regex(
+  /^[a-zA-Z\s\-']+$/,
+  "Name can only contain letters, spaces, hyphens and apostrophes"
+);
+function createSafeTextSchema(options) {
+  const {
+    min,
+    max,
+    allowHtml = false,
+    allowUrls = false,
+    fieldName = "Text"
+  } = options ?? {};
+  let schema = z2.string();
+  if (min !== void 0)
+    schema = schema.min(min, `${fieldName} must be at least ${min} characters`);
+  if (max !== void 0)
+    schema = schema.max(
+      max,
+      `${fieldName} must be less than ${max} characters`
+    );
+  if (!allowHtml && !allowUrls) {
+    return schema.refine((val) => !HTML_TAG_PATTERN.test(val), "HTML tags are not allowed").refine(
+      (val) => !URL_PROTOCOL_PATTERN.test(val),
+      "Links are not allowed for security reasons"
+    ).refine(
+      (val) => !URL_DOMAIN_PATTERN.test(val),
+      "Links are not allowed for security reasons"
+    );
+  }
+  if (!allowHtml) {
+    return schema.refine(
+      (val) => !HTML_TAG_PATTERN.test(val),
+      "HTML tags are not allowed"
+    );
+  }
+  if (!allowUrls) {
+    return schema.refine(
+      (val) => !URL_PROTOCOL_PATTERN.test(val),
+      "Links are not allowed for security reasons"
+    ).refine(
+      (val) => !URL_DOMAIN_PATTERN.test(val),
+      "Links are not allowed for security reasons"
+    );
+  }
+  return schema;
+}
+var PaginationSchema = z2.object({
+  page: z2.coerce.number().int().positive().default(1),
+  limit: z2.coerce.number().int().positive().max(100).default(20),
+  sortBy: z2.string().optional(),
+  sortOrder: z2.enum(["asc", "desc"]).default("desc")
+});
+var DateRangeSchema = z2.object({
+  startDate: z2.string().datetime(),
+  endDate: z2.string().datetime()
+}).refine((data) => new Date(data.startDate) <= new Date(data.endDate), {
+  message: "Start date must be before end date"
+});
+var SearchQuerySchema = z2.object({
+  query: z2.string().min(1).max(200).trim(),
+  page: z2.coerce.number().int().positive().default(1),
+  limit: z2.coerce.number().int().positive().max(50).default(10)
+});
+var LoginSchema = z2.object({
+  email: EmailSchema,
+  password: PasswordSchema
+});
+var SignupSchema = z2.object({
+  email: EmailSchema,
+  password: PasswordSchema,
+  name: z2.string().min(2).max(100).optional()
+});
+
+// src/auth/feature-flags.ts
+function detectStage() {
+  const stage = process.env.DEPLOYMENT_STAGE;
+  if (stage === "staging" || stage === "preview") return stage;
+  if (process.env.NODE_ENV === "production") return "production";
+  return "development";
+}
+function resolveFlagValue(value) {
+  if (typeof value === "boolean") return value;
+  const envValue = process.env[value.envVar];
+  if (envValue === void 0 || envValue === "") {
+    return value.default ?? false;
+  }
+  return envValue === "true" || envValue === "1";
+}
+function createFeatureFlags(definitions) {
+  return {
+    /**
+     * Resolve all flags for the current environment.
+     * Call this once at startup or per-request for dynamic flags.
+     */
+    resolve(stage) {
+      const currentStage = stage ?? detectStage();
+      const resolved = {};
+      for (const [key, def] of Object.entries(definitions)) {
+        const stageKey = currentStage === "preview" ? "staging" : currentStage;
+        resolved[key] = resolveFlagValue(def[stageKey]);
+      }
+      return resolved;
+    },
+    /**
+     * Check if a single flag is enabled.
+     */
+    isEnabled(flag, stage) {
+      const currentStage = stage ?? detectStage();
+      const def = definitions[flag];
+      const stageKey = currentStage === "preview" ? "staging" : currentStage;
+      return resolveFlagValue(def[stageKey]);
+    },
+    /**
+     * Get the flag definitions (for introspection/admin UI).
+     */
+    definitions
+  };
+}
+function buildAllowlist(config) {
+  const fromEnv = config.envVar ? process.env[config.envVar]?.split(",").map((e) => e.trim().toLowerCase()).filter(Boolean) ?? [] : [];
+  const fallback = config.fallback?.map((e) => e.toLowerCase()) ?? [];
+  return [.../* @__PURE__ */ new Set([...fromEnv, ...fallback])];
+}
+function isAllowlisted(email, allowlist) {
+  return allowlist.includes(email.toLowerCase());
+}
+
+// src/auth/rate-limiter.ts
+var CommonRateLimits = {
+  /** General API: 100/min, 200/min authenticated */
+  apiGeneral: {
+    limit: 100,
+    windowSeconds: 60,
+    authenticatedLimit: 200
+  },
+  /** Admin actions: 100/min */
+  adminAction: {
+    limit: 100,
+    windowSeconds: 60
+  },
+  /** Auth attempts: 10/15min with 30min block */
+  authAttempt: {
+    limit: 10,
+    windowSeconds: 900,
+    blockDurationSeconds: 1800
+  },
+  /** AI/expensive requests: 20/hour, 50/hour authenticated */
+  aiRequest: {
+    limit: 20,
+    windowSeconds: 3600,
+    authenticatedLimit: 50
+  },
+  /** Public form submissions: 5/hour with 1hr block */
+  publicForm: {
+    limit: 5,
+    windowSeconds: 3600,
+    blockDurationSeconds: 3600
+  },
+  /** Checkout/billing: 10/hour with 1hr block */
+  checkout: {
+    limit: 10,
+    windowSeconds: 3600,
+    blockDurationSeconds: 3600
+  }
+};
+function createMemoryRateLimitStore() {
+  const windows = /* @__PURE__ */ new Map();
+  const blocks = /* @__PURE__ */ new Map();
+  const cleanupInterval = setInterval(() => {
+    const now = Date.now();
+    for (const [key, entry] of windows) {
+      if (entry.expiresAt < now) windows.delete(key);
+    }
+    for (const [key, expiry] of blocks) {
+      if (expiry < now) blocks.delete(key);
+    }
+  }, 60 * 1e3);
+  if (cleanupInterval.unref) {
+    cleanupInterval.unref();
+  }
+  return {
+    async increment(key, windowMs, now) {
+      const windowStart = now - windowMs;
+      let entry = windows.get(key);
+      if (!entry) {
+        entry = { timestamps: [], expiresAt: now + windowMs + 6e4 };
+        windows.set(key, entry);
+      }
+      entry.timestamps = entry.timestamps.filter((t) => t > windowStart);
+      entry.timestamps.push(now);
+      entry.expiresAt = now + windowMs + 6e4;
+      return { count: entry.timestamps.length };
+    },
+    async isBlocked(key) {
+      const expiry = blocks.get(key);
+      if (!expiry || expiry < Date.now()) {
+        blocks.delete(key);
+        return { blocked: false, ttlMs: 0 };
+      }
+      return { blocked: true, ttlMs: expiry - Date.now() };
+    },
+    async setBlock(key, durationSeconds) {
+      blocks.set(key, Date.now() + durationSeconds * 1e3);
+    },
+    async reset(key) {
+      windows.delete(key);
+      blocks.delete(`block:${key}`);
+      blocks.delete(key);
+    }
+  };
+}
+var defaultStore;
+function getDefaultStore() {
+  if (!defaultStore) {
+    defaultStore = createMemoryRateLimitStore();
+  }
+  return defaultStore;
+}
+async function checkRateLimit(operation, identifier, rule, options = {}) {
+  const store = options.store ?? getDefaultStore();
+  const limit = options.isAuthenticated && rule.authenticatedLimit ? rule.authenticatedLimit : rule.limit;
+  const now = Date.now();
+  const windowMs = rule.windowSeconds * 1e3;
+  const resetAt = now + windowMs;
+  const key = `ratelimit:${operation}:${identifier}`;
+  const blockKey = `ratelimit:block:${operation}:${identifier}`;
+  try {
+    if (rule.blockDurationSeconds) {
+      const blockStatus = await store.isBlocked(blockKey);
+      if (blockStatus.blocked) {
+        return {
+          allowed: false,
+          remaining: 0,
+          resetAt: now + blockStatus.ttlMs,
+          current: limit + 1,
+          limit,
+          retryAfterSeconds: Math.ceil(blockStatus.ttlMs / 1e3)
+        };
+      }
+    }
+    const { count } = await store.increment(key, windowMs, now);
+    if (count > limit) {
+      options.logger?.warn("Rate limit exceeded", {
+        operation,
+        identifier,
+        current: count,
+        limit
+      });
+      if (rule.blockDurationSeconds) {
+        await store.setBlock(blockKey, rule.blockDurationSeconds);
+      }
+      return {
+        allowed: false,
+        remaining: 0,
+        resetAt,
+        current: count,
+        limit,
+        retryAfterSeconds: Math.ceil(windowMs / 1e3)
+      };
+    }
+    return {
+      allowed: true,
+      remaining: limit - count,
+      resetAt,
+      current: count,
+      limit,
+      retryAfterSeconds: 0
+    };
+  } catch (error) {
+    options.logger?.error("Rate limit check failed, allowing request", {
+      error: error instanceof Error ? error.message : String(error),
+      operation,
+      identifier
+    });
+    return {
+      allowed: true,
+      remaining: limit,
+      resetAt,
+      current: 0,
+      limit,
+      retryAfterSeconds: 0
+    };
+  }
+}
+async function getRateLimitStatus(operation, identifier, rule, store) {
+  const s = store ?? getDefaultStore();
+  const key = `ratelimit:${operation}:${identifier}`;
+  const now = Date.now();
+  const windowMs = rule.windowSeconds * 1e3;
+  try {
+    const { count } = await s.increment(key, windowMs, now);
+    return {
+      allowed: count <= rule.limit,
+      remaining: Math.max(0, rule.limit - count),
+      resetAt: now + windowMs,
+      current: count,
+      limit: rule.limit,
+      retryAfterSeconds: count > rule.limit ? Math.ceil(windowMs / 1e3) : 0
+    };
+  } catch {
+    return null;
+  }
+}
+async function resetRateLimitForKey(operation, identifier, store) {
+  const s = store ?? getDefaultStore();
+  const key = `ratelimit:${operation}:${identifier}`;
+  const blockKey = `ratelimit:block:${operation}:${identifier}`;
+  await s.reset(key);
+  await s.reset(blockKey);
+}
+function buildRateLimitResponseHeaders(result) {
+  const headers = {
+    "X-RateLimit-Limit": String(result.limit),
+    "X-RateLimit-Remaining": String(result.remaining),
+    "X-RateLimit-Reset": String(Math.ceil(result.resetAt / 1e3))
+  };
+  if (!result.allowed) {
+    headers["Retry-After"] = String(result.retryAfterSeconds);
+  }
+  return headers;
+}
+function resolveIdentifier(session, clientIp) {
+  if (session?.user?.id) {
+    return { identifier: `user:${session.user.id}`, isAuthenticated: true };
+  }
+  if (session?.user?.email) {
+    return {
+      identifier: `email:${session.user.email}`,
+      isAuthenticated: true
+    };
+  }
+  return { identifier: `ip:${clientIp ?? "unknown"}`, isAuthenticated: false };
+}
+
+// src/auth/audit.ts
+var StandardAuditActions = {
+  // Authentication
+  LOGIN_SUCCESS: "auth.login.success",
+  LOGIN_FAILURE: "auth.login.failure",
+  LOGOUT: "auth.logout",
+  SESSION_REFRESH: "auth.session.refresh",
+  PASSWORD_CHANGE: "auth.password.change",
+  PASSWORD_RESET: "auth.password.reset",
+  // Billing
+  CHECKOUT_START: "billing.checkout.start",
+  CHECKOUT_COMPLETE: "billing.checkout.complete",
+  SUBSCRIPTION_CREATE: "billing.subscription.create",
+  SUBSCRIPTION_CANCEL: "billing.subscription.cancel",
+  SUBSCRIPTION_UPDATE: "billing.subscription.update",
+  PAYMENT_FAILED: "billing.payment.failed",
+  // Admin
+  ADMIN_LOGIN: "admin.login",
+  ADMIN_USER_VIEW: "admin.user.view",
+  ADMIN_USER_UPDATE: "admin.user.update",
+  ADMIN_CONFIG_CHANGE: "admin.config.change",
+  // Security Events
+  RATE_LIMIT_EXCEEDED: "security.rate_limit.exceeded",
+  INVALID_INPUT: "security.input.invalid",
+  UNAUTHORIZED_ACCESS: "security.access.unauthorized",
+  OWNERSHIP_VIOLATION: "security.ownership.violation",
+  WEBHOOK_SIGNATURE_INVALID: "security.webhook.signature_invalid",
+  // Data
+  DATA_EXPORT: "data.export",
+  DATA_DELETE: "data.delete",
+  DATA_UPDATE: "data.update"
+};
+function extractAuditIp(request) {
+  if (!request) return void 0;
+  const headers = [
+    "cf-connecting-ip",
+    // Cloudflare
+    "x-real-ip",
+    // Nginx
+    "x-forwarded-for",
+    // Standard proxy
+    "x-client-ip"
+    // Apache
+  ];
+  for (const header of headers) {
+    const value = request.headers.get(header);
+    if (value) {
+      return value.split(",")[0]?.trim();
+    }
+  }
+  return void 0;
+}
+function extractAuditUserAgent(request) {
+  return request?.headers.get("user-agent") ?? void 0;
+}
+function extractAuditRequestId(request) {
+  return request?.headers.get("x-request-id") ?? crypto.randomUUID();
+}
+function createAuditActor(session) {
+  if (!session?.user) {
+    return { id: "anonymous", type: "anonymous" };
+  }
+  return {
+    id: session.user.id ?? session.user.email ?? "unknown",
+    email: session.user.email ?? void 0,
+    type: "user"
+  };
+}
+var defaultLogger = {
+  info: (msg, meta) => console.log(msg, meta ? JSON.stringify(meta) : ""),
+  warn: (msg, meta) => console.warn(msg, meta ? JSON.stringify(meta) : ""),
+  error: (msg, meta) => console.error(msg, meta ? JSON.stringify(meta) : "")
+};
+function createAuditLogger(options = {}) {
+  const { persist, logger = defaultLogger } = options;
+  async function log(event, request) {
+    const record = {
+      id: crypto.randomUUID(),
+      timestamp: (/* @__PURE__ */ new Date()).toISOString(),
+      ip: extractAuditIp(request),
+      userAgent: extractAuditUserAgent(request),
+      requestId: extractAuditRequestId(request),
+      ...event
+    };
+    const logFn = event.outcome === "failure" || event.outcome === "blocked" ? logger.warn : logger.info;
+    logFn(`[AUDIT] ${event.action}`, {
+      auditId: record.id,
+      actor: record.actor,
+      action: record.action,
+      resource: record.resource,
+      outcome: record.outcome,
+      ip: record.ip,
+      metadata: record.metadata,
+      reason: record.reason
+    });
+    if (persist) {
+      try {
+        await persist(record);
+      } catch (error) {
+        logger.error("Failed to persist audit log", {
+          error: error instanceof Error ? error.message : String(error),
+          auditId: record.id
+        });
+      }
+    }
+    return record;
+  }
+  function createTimedAudit(event, request) {
+    const startTime = Date.now();
+    return {
+      success: async (metadata) => {
+        return log(
+          {
+            ...event,
+            outcome: "success",
+            metadata: {
+              ...event.metadata,
+              ...metadata,
+              durationMs: Date.now() - startTime
+            }
+          },
+          request
+        );
+      },
+      failure: async (reason, metadata) => {
+        return log(
+          {
+            ...event,
+            outcome: "failure",
+            reason,
+            metadata: {
+              ...event.metadata,
+              ...metadata,
+              durationMs: Date.now() - startTime
+            }
+          },
+          request
+        );
+      },
+      blocked: async (reason, metadata) => {
+        return log(
+          {
+            ...event,
+            outcome: "blocked",
+            reason,
+            metadata: {
+              ...event.metadata,
+              ...metadata,
+              durationMs: Date.now() - startTime
+            }
+          },
+          request
+        );
+      }
+    };
+  }
+  return { log, createTimedAudit };
+}
+
 // src/http/health.ts
 function createHealthEndpoints(platform, options = {}) {
   const {
@@ -18301,7 +19717,7 @@ var MemoryAuditLog = class {
 };
 
 // src/adapters/memory/MemoryWebhook.ts
-import { createHmac } from "crypto";
+import { createHmac as createHmac3, randomBytes as randomBytes26 } from "crypto";
 var MemoryWebhook = class {
   endpoints = /* @__PURE__ */ new Map();
   deliveries = /* @__PURE__ */ new Map();
@@ -18583,7 +19999,7 @@ var MemoryWebhook = class {
       config.secret,
       algorithm
     );
-    const providedSig = signature.replace(/^(sha256=|sha512=|sha1=)/, "");
+    const providedSig = signature.replace(/^(sha256=|sha512=)/, "");
     if (providedSig !== expectedSignature) {
       return { valid: false, error: "Invalid signature" };
     }
@@ -18688,7 +20104,7 @@ var MemoryWebhook = class {
     this.deliveries.set(delivery.id, delivery);
   }
   async executeDelivery(endpoint, event, attemptNumber) {
-    const attemptId = `att_${Date.now().toString(36)}${Math.random().toString(36).substring(2, 8)}`;
+    const attemptId = `att_${Date.now().toString(36)}${randomBytes26(4).toString("hex")}`;
     const startTime = Date.now();
     if (this.config.simulatedDelay > 0) {
       await new Promise(
@@ -18742,7 +20158,7 @@ var MemoryWebhook = class {
     this.endpoints.set(endpoint.id, endpoint);
   }
   computeSignature(payload, secret, algorithm) {
-    return createHmac(algorithm, secret).update(payload).digest("hex");
+    return createHmac3(algorithm, secret).update(payload).digest("hex");
   }
 };
 
@@ -19093,6 +20509,7 @@ var MemoryNotification = class {
 };
 
 // src/adapters/memory/MemoryScheduler.ts
+import { randomBytes as randomBytes27 } from "crypto";
 var MemoryScheduler = class {
   config;
   schedules = /* @__PURE__ */ new Map();
@@ -19376,7 +20793,7 @@ var MemoryScheduler = class {
     }
   }
   async executeSchedule(schedule) {
-    const executionId = `exec_${Date.now().toString(36)}${Math.random().toString(36).substring(2, 8)}`;
+    const executionId = `exec_${Date.now().toString(36)}${randomBytes27(4).toString("hex")}`;
     const startedAt = (/* @__PURE__ */ new Date()).toISOString();
     const execution = {
       id: executionId,
@@ -19856,6 +21273,7 @@ CREATE INDEX IF NOT EXISTS idx_${tableName}_trace_id ON ${tableName}((context->>
 };
 
 // src/adapters/database/DatabaseErrorReporter.ts
+import { randomBytes as randomBytes28 } from "crypto";
 var DatabaseErrorReporter = class {
   db;
   errorsTable;
@@ -20150,7 +21568,7 @@ CREATE INDEX IF NOT EXISTS idx_${breadcrumbsTable}_error ON ${breadcrumbsTable}(
     if (report.breadcrumbs && report.breadcrumbs.length > 0) {
       for (const crumb of report.breadcrumbs) {
         await this.db.from(this.breadcrumbsTable).insert({
-          id: `bc_${Date.now().toString(36)}${Math.random().toString(36).substring(2, 8)}`,
+          id: `bc_${Date.now().toString(36)}${randomBytes28(4).toString("hex")}`,
           error_id: report.id,
           category: crumb.category,
           message: crumb.message,
@@ -20190,6 +21608,7 @@ CREATE INDEX IF NOT EXISTS idx_${breadcrumbsTable}_error ON ${breadcrumbsTable}(
 };
 
 // src/adapters/database/DatabasePromptStore.ts
+import { randomBytes as randomBytes29 } from "crypto";
 var DatabasePromptStore = class {
   db;
   cache;
@@ -20329,7 +21748,7 @@ CREATE INDEX IF NOT EXISTS idx_${tablePrefix}usage_experiment ON ${tablePrefix}p
   // Prompt CRUD
   // ═══════════════════════════════════════════════════════════════
   async create(prompt) {
-    const id = `prompt_${Date.now()}_${Math.random().toString(36).substring(7)}`;
+    const id = `prompt_${Date.now()}_${randomBytes29(4).toString("hex")}`;
     const now = /* @__PURE__ */ new Date();
     const newPrompt = {
       ...prompt,
@@ -20357,7 +21776,7 @@ CREATE INDEX IF NOT EXISTS idx_${tablePrefix}usage_experiment ON ${tablePrefix}p
       created_by: newPrompt.createdBy,
       updated_by: newPrompt.updatedBy
     }).execute();
-    const versionId = `pv_${Date.now()}_${Math.random().toString(36).substring(7)}`;
+    const versionId = `pv_${Date.now()}_${randomBytes29(4).toString("hex")}`;
     await this.db.from(this.versionsTable).insert({
       id: versionId,
       prompt_id: id,
@@ -20426,7 +21845,7 @@ CREATE INDEX IF NOT EXISTS idx_${tablePrefix}usage_experiment ON ${tablePrefix}p
       await this.db.from(this.versionsTable).update({ is_latest: false }).where("prompt_id", "=", prompt.id).execute();
       const versionsResult = await this.db.from(this.versionsTable).where("prompt_id", "=", prompt.id).execute();
       const newVersionNum = versionsResult.data.length + 1;
-      const versionId = `pv_${Date.now()}_${Math.random().toString(36).substring(7)}`;
+      const versionId = `pv_${Date.now()}_${randomBytes29(4).toString("hex")}`;
       await this.db.from(this.versionsTable).insert({
         id: versionId,
         prompt_id: prompt.id,
@@ -20681,7 +22100,7 @@ ${v2.content}`;
   // A/B Testing
   // ═══════════════════════════════════════════════════════════════
   async createExperiment(experiment) {
-    const id = `exp_${Date.now()}_${Math.random().toString(36).substring(7)}`;
+    const id = `exp_${Date.now()}_${randomBytes29(4).toString("hex")}`;
     const now = /* @__PURE__ */ new Date();
     const newExperiment = {
       ...experiment,
@@ -20795,7 +22214,7 @@ ${v2.content}`;
   // Prompt Chains
   // ═══════════════════════════════════════════════════════════════
   async createChain(chain) {
-    const id = `chain_${Date.now()}_${Math.random().toString(36).substring(7)}`;
+    const id = `chain_${Date.now()}_${randomBytes29(4).toString("hex")}`;
     const now = /* @__PURE__ */ new Date();
     const newChain = {
       ...chain,
@@ -20893,7 +22312,7 @@ ${v2.content}`;
   // Usage & Analytics
   // ═══════════════════════════════════════════════════════════════
   async recordUsage(record) {
-    const id = `usage_${Date.now()}_${Math.random().toString(36).substring(7)}`;
+    const id = `usage_${Date.now()}_${randomBytes29(4).toString("hex")}`;
     const now = /* @__PURE__ */ new Date();
     const usageRecord = {
       ...record,
@@ -21079,8 +22498,9 @@ ${v2.content}`;
 };
 
 // src/adapters/database/DatabaseCompliance.ts
+import { randomBytes as randomBytes30 } from "crypto";
 function generateId(prefix) {
-  return `${prefix}_${Date.now()}_${Math.random().toString(36).substring(2, 9)}`;
+  return `${prefix}_${Date.now()}_${randomBytes30(4).toString("hex")}`;
 }
 function toDate(value) {
   return value ? new Date(value) : void 0;
@@ -21271,7 +22691,7 @@ var DatabaseCompliance = class {
   async createDsar(options) {
     const id = generateId("dsar");
     const now = (/* @__PURE__ */ new Date()).toISOString();
-    const verificationToken = `verify_${Math.random().toString(36).substring(2)}`;
+    const verificationToken = `verify_${randomBytes30(16).toString("hex")}`;
     const result = await this.db.from("compliance_dsars").insert({
       id,
       type: options.type,
@@ -22210,6 +23630,7 @@ var DatabaseCompliance = class {
 };
 
 // src/adapters/database/DatabaseAIUsage.ts
+import { randomBytes as randomBytes31 } from "crypto";
 var DatabaseAIUsage = class {
   db;
   config;
@@ -22223,7 +23644,7 @@ var DatabaseAIUsage = class {
   // Usage Recording
   // ─────────────────────────────────────────────────────────────
   async record(record) {
-    const id = `usage_${Date.now()}_${Math.random().toString(36).substring(7)}`;
+    const id = `usage_${Date.now()}_${randomBytes31(4).toString("hex")}`;
     const now = /* @__PURE__ */ new Date();
     await this.db.from(`${this.prefix}records`).insert({
       id,
@@ -22330,7 +23751,7 @@ var DatabaseAIUsage = class {
       quota.category
     );
     const period = this.getPeriodBounds(quota.period, /* @__PURE__ */ new Date());
-    const id = existing?.id || `quota_${Date.now()}_${Math.random().toString(36).substring(7)}`;
+    const id = existing?.id || `quota_${Date.now()}_${randomBytes31(4).toString("hex")}`;
     const data = {
       id,
       tenant_id: quota.tenantId,
@@ -22467,7 +23888,7 @@ var DatabaseAIUsage = class {
       existingResult.data[0]
     ) : null;
     const period = this.getPeriodBounds(budget.period, /* @__PURE__ */ new Date());
-    const id = existing?.id || `budget_${Date.now()}_${Math.random().toString(36).substring(7)}`;
+    const id = existing?.id || `budget_${Date.now()}_${randomBytes31(4).toString("hex")}`;
     const data = {
       id,
       tenant_id: budget.tenantId,
@@ -22766,7 +24187,7 @@ var DatabaseAIUsage = class {
     }
     const items = Array.from(itemsMap.values());
     const subtotal = items.reduce((sum, item) => sum + item.costUsd, 0);
-    const id = `inv_${Date.now()}_${Math.random().toString(36).substring(7)}`;
+    const id = `inv_${Date.now()}_${randomBytes31(4).toString("hex")}`;
     const now = /* @__PURE__ */ new Date();
     await this.db.from(`${this.prefix}invoices`).insert({
       id,
@@ -22988,7 +24409,7 @@ var DatabaseAIUsage = class {
     }
   }
   async createAlert(tenantId, type, severity, message, metadata) {
-    const id = `alert_${Date.now()}_${Math.random().toString(36).substring(7)}`;
+    const id = `alert_${Date.now()}_${randomBytes31(4).toString("hex")}`;
     await this.db.from(`${this.prefix}alerts`).insert({
       id,
       tenant_id: tenantId,
@@ -23194,6 +24615,7 @@ var DatabaseAIUsage = class {
 };
 
 // src/adapters/database/DatabaseNotification.ts
+import { randomBytes as randomBytes32 } from "crypto";
 var DatabaseNotification = class {
   db;
   email;
@@ -23431,7 +24853,7 @@ var DatabaseNotification = class {
   // PUSH SUBSCRIPTIONS
   // ═══════════════════════════════════════════════════════════════
   async registerPushSubscription(userId, subscription) {
-    const id = `push_${Date.now()}_${Math.random().toString(36).substring(7)}`;
+    const id = `push_${Date.now()}_${randomBytes32(4).toString("hex")}`;
     const existing = await this.db.from(`${this.prefix}push_subscriptions`).where("user_id", "=", userId).where("endpoint", "=", subscription.endpoint).execute();
     if (existing.data && existing.data.length > 0) {
       await this.db.from(`${this.prefix}push_subscriptions`).where("user_id", "=", userId).where("endpoint", "=", subscription.endpoint).update({
@@ -23529,7 +24951,7 @@ var DatabaseNotification = class {
   // TOPICS
   // ═══════════════════════════════════════════════════════════════
   async subscribeToTopic(userId, topic) {
-    const id = `topic_${Date.now()}_${Math.random().toString(36).substring(7)}`;
+    const id = `topic_${Date.now()}_${randomBytes32(4).toString("hex")}`;
     const existing = await this.db.from(`${this.prefix}notification_topic_subs`).where("user_id", "=", userId).where("topic", "=", topic).execute();
     if (!existing.data || existing.data.length === 0) {
       await this.db.from(`${this.prefix}notification_topic_subs`).insert({
@@ -23610,7 +25032,7 @@ var DatabaseNotification = class {
   // PRIVATE HELPERS
   // ═══════════════════════════════════════════════════════════════
   async logDelivery(notificationId, channel, status, messageId, error) {
-    const id = `del_${Date.now()}_${Math.random().toString(36).substring(7)}`;
+    const id = `del_${Date.now()}_${randomBytes32(4).toString("hex")}`;
     try {
       await this.db.from(`${this.prefix}notification_delivery_log`).insert({
         id,
@@ -23672,6 +25094,7 @@ var DatabaseNotification = class {
 };
 
 // src/adapters/database/DatabaseBilling.ts
+import { randomBytes as randomBytes33 } from "crypto";
 var DatabaseBilling = class {
   db;
   prefix;
@@ -23694,7 +25117,7 @@ var DatabaseBilling = class {
     return `${this.prefix}${name}`;
   }
   generateId(prefix) {
-    return `${prefix}_${Date.now()}_${Math.random().toString(36).substring(2, 9)}`;
+    return `${prefix}_${Date.now()}_${randomBytes33(4).toString("hex")}`;
   }
   // ─────────────────────────────────────────────────────────────
   // Product & Price Management
@@ -25192,6 +26615,7 @@ var DatabaseBilling = class {
 };
 
 // src/adapters/scheduler/QueueScheduler.ts
+import { randomBytes as randomBytes34 } from "crypto";
 var QueueScheduler = class {
   queue;
   db;
@@ -25607,7 +27031,7 @@ CREATE INDEX IF NOT EXISTS idx_${executionsTable}_started ON ${executionsTable}(
     }
   }
   async executeSchedule(schedule) {
-    const executionId = `exec_${Date.now().toString(36)}${Math.random().toString(36).substring(2, 8)}`;
+    const executionId = `exec_${Date.now().toString(36)}${randomBytes34(4).toString("hex")}`;
     const startedAt = (/* @__PURE__ */ new Date()).toISOString();
     const execution = {
       id: executionId,
@@ -25770,7 +27194,7 @@ CREATE INDEX IF NOT EXISTS idx_${executionsTable}_started ON ${executionsTable}(
 };
 
 // src/adapters/webhook/HttpWebhook.ts
-import { createHmac as createHmac2, timingSafeEqual } from "crypto";
+import { createHmac as createHmac4, timingSafeEqual as timingSafeEqual2, randomBytes as randomBytes35 } from "crypto";
 var HttpWebhook = class {
   db;
   queue;
@@ -26112,14 +27536,14 @@ var HttpWebhook = class {
       config.secret,
       algorithm
     );
-    const providedSig = signature.replace(/^(sha256=|sha512=|sha1=)/, "");
+    const providedSig = signature.replace(/^(sha256=|sha512=)/, "");
     try {
       const providedBuffer = Buffer.from(providedSig, "hex");
       const expectedBuffer = Buffer.from(expectedSignature, "hex");
       if (providedBuffer.length !== expectedBuffer.length) {
         return { valid: false, error: "Invalid signature" };
       }
-      if (!timingSafeEqual(providedBuffer, expectedBuffer)) {
+      if (!timingSafeEqual2(providedBuffer, expectedBuffer)) {
         return { valid: false, error: "Invalid signature" };
       }
     } catch {
@@ -26368,7 +27792,7 @@ CREATE INDEX IF NOT EXISTS idx_${attemptsTable}_delivery ON ${attemptsTable}(del
     await this.saveDelivery(delivery);
   }
   async executeDelivery(endpoint, event, attemptNumber) {
-    const attemptId = `att_${Date.now().toString(36)}${Math.random().toString(36).substring(2, 8)}`;
+    const attemptId = `att_${Date.now().toString(36)}${randomBytes35(4).toString("hex")}`;
     const startTime = Date.now();
     const payloadStr = JSON.stringify(event);
     const signature = this.computeSignature(
@@ -26472,7 +27896,7 @@ CREATE INDEX IF NOT EXISTS idx_${attemptsTable}_delivery ON ${attemptsTable}(del
     await this.saveEndpoint(endpoint);
   }
   computeSignature(payload, secret, algorithm) {
-    return createHmac2(algorithm, secret).update(payload).digest("hex");
+    return createHmac4(algorithm, secret).update(payload).digest("hex");
   }
   endpointToRow(endpoint) {
     return {
@@ -27794,6 +29218,9 @@ init_PineconeRAG();
 // src/adapters/weaviate/index.ts
 init_WeaviateRAG();
 
+// src/index.ts
+init_NodeCrypto();
+
 // src/adapters/oidc/GenericOIDCAuthSSO.ts
 function generateRandomString(length) {
   const chars = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";
@@ -28387,6 +29814,7 @@ var GenericOIDCAuthSSO = class {
 };
 
 // src/adapters/postgres-tenant/PostgresTenant.ts
+import { randomBytes as randomBytes36 } from "crypto";
 var tenantContextMap = /* @__PURE__ */ new Map();
 var contextIdCounter2 = 0;
 var currentContextId2 = null;
@@ -29168,7 +30596,273 @@ var PostgresTenant = class {
   }
 };
 function generateId2() {
-  return Math.random().toString(36).substring(2) + Date.now().toString(36);
+  return randomBytes36(8).toString("hex") + Date.now().toString(36);
+}
+
+// src/env.ts
+function getRequiredEnv(key) {
+  const value = process.env[key];
+  if (!value) {
+    throw new Error(`Missing required environment variable: ${key}`);
+  }
+  return value;
+}
+function getOptionalEnv(key, defaultValue) {
+  return process.env[key] || defaultValue;
+}
+function getBoolEnv(key, defaultValue = false) {
+  const value = process.env[key];
+  if (value === void 0 || value === "") return defaultValue;
+  return value === "true" || value === "1";
+}
+function getIntEnv(key, defaultValue) {
+  const value = process.env[key];
+  if (value === void 0 || value === "") return defaultValue;
+  const parsed = parseInt(value, 10);
+  return isNaN(parsed) ? defaultValue : parsed;
+}
+function validateEnvVars(config) {
+  const result = checkEnvVars(config);
+  if (!result.valid) {
+    const lines = [];
+    if (result.missing.length > 0) {
+      lines.push(
+        "Missing required environment variables:",
+        ...result.missing.map((v) => `  - ${v}`)
+      );
+    }
+    if (result.missingOneOf.length > 0) {
+      for (const group of result.missingOneOf) {
+        lines.push(`Missing one of: ${group.join(" | ")}`);
+      }
+    }
+    if (result.invalid.length > 0) {
+      lines.push(
+        "Invalid environment variables:",
+        ...result.invalid.map((v) => `  - ${v.key}: ${v.reason}`)
+      );
+    }
+    throw new Error(lines.join("\n"));
+  }
+}
+function checkEnvVars(config) {
+  const missing = [];
+  const invalid = [];
+  const missingOneOf = [];
+  if (config.required) {
+    for (const key of config.required) {
+      if (!process.env[key]) {
+        missing.push(key);
+      }
+    }
+  }
+  if (config.requireOneOf) {
+    for (const group of config.requireOneOf) {
+      const hasAny = group.some((key) => !!process.env[key]);
+      if (!hasAny) {
+        missingOneOf.push(group);
+      }
+    }
+  }
+  if (config.validators) {
+    for (const [key, validator] of Object.entries(config.validators)) {
+      const value = process.env[key];
+      if (value) {
+        const result = validator(value);
+        if (result !== true) {
+          invalid.push({ key, reason: result });
+        }
+      }
+    }
+  }
+  return {
+    valid: missing.length === 0 && invalid.length === 0 && missingOneOf.length === 0,
+    missing,
+    invalid,
+    missingOneOf
+  };
+}
+function getEnvSummary(keys) {
+  const summary = {};
+  for (const key of keys) {
+    summary[key] = !!process.env[key];
+  }
+  return summary;
+}
+
+// src/app-logger.ts
+var LEVEL_PRIORITY2 = {
+  debug: 0,
+  info: 1,
+  warn: 2,
+  error: 3
+};
+function defaultOutput(level, message, context) {
+  const isProduction = process.env.NODE_ENV === "production";
+  if (isProduction) {
+    const entry = { level, message, ...context };
+    const method = level === "error" ? "error" : level === "warn" ? "warn" : "log";
+    console[method](JSON.stringify(entry));
+  } else {
+    const prefix = `[${level.toUpperCase()}]`;
+    const ctx = Object.keys(context).length > 0 ? " " + JSON.stringify(context) : "";
+    const method = level === "error" ? "error" : level === "warn" ? "warn" : level === "debug" ? "debug" : "log";
+    console[method](`${prefix} ${message}${ctx}`);
+  }
+}
+var AppLoggerImpl = class _AppLoggerImpl {
+  baseContext;
+  minLevelPriority;
+  outputFn;
+  onErrorFn;
+  constructor(baseContext, options) {
+    this.baseContext = baseContext;
+    this.minLevelPriority = LEVEL_PRIORITY2[options.minLevel] ?? 0;
+    this.outputFn = options.output;
+    this.onErrorFn = options.onError;
+  }
+  log(level, message, context) {
+    if ((LEVEL_PRIORITY2[level] ?? 0) < this.minLevelPriority) return;
+    const merged = {
+      ...this.baseContext,
+      ...context,
+      timestamp: (/* @__PURE__ */ new Date()).toISOString()
+    };
+    this.outputFn(level, message, merged);
+  }
+  debug(message, context) {
+    this.log("debug", message, context);
+  }
+  info(message, context) {
+    this.log("info", message, context);
+  }
+  warn(message, context) {
+    this.log("warn", message, context);
+  }
+  error(message, context) {
+    this.log("error", message, context);
+    if (this.onErrorFn) {
+      try {
+        this.onErrorFn(message, { ...this.baseContext, ...context });
+      } catch {
+      }
+    }
+  }
+  child(context) {
+    return new _AppLoggerImpl(
+      { ...this.baseContext, ...context },
+      {
+        minLevel: Object.entries(LEVEL_PRIORITY2).find(
+          ([, v]) => v === this.minLevelPriority
+        )?.[0] ?? "debug",
+        output: this.outputFn,
+        onError: this.onErrorFn
+      }
+    );
+  }
+  forRequest(request, operation) {
+    const requestId = request.headers.get("x-request-id") ?? request.headers.get("x-correlation-id") ?? crypto.randomUUID();
+    let path;
+    try {
+      path = new URL(request.url).pathname;
+    } catch {
+      path = request.url;
+    }
+    return this.child({
+      requestId,
+      operation,
+      method: request.method,
+      path
+    });
+  }
+  forJob(jobType, jobId, context) {
+    return this.child({ jobType, jobId, ...context });
+  }
+  async timed(operation, fn, context) {
+    const opLogger = this.child({ operation, ...context });
+    opLogger.debug("Operation started");
+    const start = Date.now();
+    try {
+      const result = await fn();
+      opLogger.info("Operation completed", {
+        durationMs: Date.now() - start
+      });
+      return result;
+    } catch (error) {
+      opLogger.error("Operation failed", {
+        durationMs: Date.now() - start,
+        error: error instanceof Error ? error.message : String(error)
+      });
+      throw error;
+    }
+  }
+};
+function createAppLogger(options) {
+  const {
+    service,
+    minLevel = process.env.NODE_ENV === "production" ? "info" : "debug",
+    output = defaultOutput,
+    onError
+  } = options;
+  return new AppLoggerImpl({ service }, { minLevel, output, onError });
+}
+
+// src/redis-client.ts
+import Redis from "ioredis";
+function createRedisClient(options) {
+  const {
+    url,
+    keyPrefix,
+    maxRetries = 3,
+    lazyConnect = true,
+    silent = false
+  } = options;
+  const logger = options.logger ?? {
+    error: console.error
+  };
+  const client = new Redis(url, {
+    keyPrefix,
+    maxRetriesPerRequest: maxRetries,
+    retryStrategy(times) {
+      if (times > maxRetries) return null;
+      return Math.min(times * 200, 2e3);
+    },
+    lazyConnect
+  });
+  if (!silent) {
+    client.on("error", (err) => {
+      logger.error("[redis] Connection error", { message: err.message });
+    });
+    if (logger.info) {
+      const logInfo = logger.info;
+      client.on("connect", () => {
+        logInfo("[redis] Connected");
+      });
+    }
+  }
+  if (lazyConnect) {
+    client.connect().catch(() => {
+    });
+  }
+  return client;
+}
+var sharedClient = null;
+function getSharedRedis() {
+  if (sharedClient) return sharedClient;
+  const url = process.env.REDIS_URL;
+  if (!url) return null;
+  sharedClient = createRedisClient({
+    url,
+    keyPrefix: process.env.REDIS_KEY_PREFIX,
+    silent: process.env.NODE_ENV === "test"
+  });
+  return sharedClient;
+}
+async function closeSharedRedis() {
+  if (sharedClient) {
+    await sharedClient.quit();
+    sharedClient = null;
+  }
 }
 
 // src/migrations/Migrator.ts
@@ -29947,9 +31641,11 @@ export {
   CircuitBreakerRegistry,
   CircuitOpenError,
   CommonApiErrors,
+  CommonRateLimits,
   ConsoleEmail,
   ConsoleLogger,
   CronPresets,
+  CryptoConfigSchema,
   DEFAULT_BULKHEAD_OPTIONS,
   DEFAULT_CIRCUIT_BREAKER_OPTIONS,
   DEFAULT_RETRY_OPTIONS,
@@ -29962,17 +31658,21 @@ export {
   DatabaseNotification,
   DatabasePromptStore,
   DatabaseProviderSchema,
+  DateRangeSchema,
   DefaultTimeouts,
   EmailConfigSchema,
   EmailProviderSchema,
+  EmailSchema,
   EnvSecrets,
   FallbackStrategies,
   GenericOIDCAuthSSO,
   GoogleAIAdapter,
   HTML_TAG_PATTERN,
   HttpWebhook,
+  KEYCLOAK_DEFAULT_ROLES,
   LogLevelSchema,
   LoggingConfigSchema,
+  LoginSchema,
   MemoryAI,
   MemoryAIUsage,
   MemoryAuditLog,
@@ -29981,6 +31681,7 @@ export {
   MemoryBilling,
   MemoryCache,
   MemoryCompliance,
+  MemoryCrypto,
   MemoryDatabase,
   MemoryDevPortal,
   MemoryDevice,
@@ -30002,6 +31703,7 @@ export {
   MetricsConfigSchema,
   MiddlewareConfigSchema,
   Migrator,
+  NodeCrypto,
   NoopLogger,
   NoopMetrics,
   NoopTracing,
@@ -30009,7 +31711,11 @@ export {
   ObservabilityConfigSchema,
   OpenAIAdapter,
   PG_ERROR_MAP,
+  PaginationSchema,
+  PasswordSchema,
   PaymentErrorMessages,
+  PersonNameSchema,
+  PhoneSchema,
   PineconeRAG,
   PlatformConfigSchema,
   PostgresDatabase,
@@ -30029,7 +31735,14 @@ export {
   RetryPredicates,
   S3Storage,
   SQL,
+  SearchQuerySchema,
+  SecurityConfigSchema,
+  SecurityHeaderPresets,
+  SignupSchema,
+  SlugSchema,
   SmtpEmail,
+  StandardAuditActions,
+  StandardRateLimitPresets,
   StorageConfigSchema,
   StorageProviderSchema,
   StripePayment,
@@ -30045,16 +31758,32 @@ export {
   UpstashCache,
   WeaviateRAG,
   WebhookEventTypes,
+  WrapperPresets,
+  buildAllowlist,
+  buildAuthCookies,
+  buildErrorBody,
+  buildKeycloakCallbacks,
   buildPagination,
+  buildRateLimitHeaders,
+  buildRateLimitResponseHeaders,
+  buildRedirectCallback,
+  buildTokenRefreshParams,
   calculateBackoff,
   calculateRetryDelay,
+  checkEnvVars,
+  checkRateLimit,
   classifyError,
+  closeSharedRedis,
   composeHookRegistries,
+  constantTimeEqual,
   containsHtml,
   containsUrls,
   correlationContext,
   createAIError,
   createAnthropicAdapter,
+  createAppLogger,
+  createAuditActor,
+  createAuditLogger,
   createAuthError,
   createBulkhead,
   createCacheMiddleware,
@@ -30065,6 +31794,7 @@ export {
   createErrorReport,
   createExpressHealthHandlers,
   createExpressMetricsHandler,
+  createFeatureFlags,
   createGoogleAIAdapter,
   createHealthEndpoints,
   createHealthServer,
@@ -30072,6 +31802,7 @@ export {
   createIpKeyGenerator,
   createJobContext,
   createLoggingMiddleware,
+  createMemoryRateLimitStore,
   createMetricsEndpoint,
   createMetricsMiddleware,
   createMetricsServer,
@@ -30085,8 +31816,10 @@ export {
   createPlatform,
   createPlatformAsync,
   createRateLimitMiddleware,
+  createRedisClient,
   createRequestContext,
   createRequestIdMiddleware,
+  createSafeTextSchema,
   createScopedMetrics,
   createSlowQueryMiddleware,
   createSsoOidcConfigsTable,
@@ -30103,8 +31836,13 @@ export {
   defangUrl,
   defineMigration,
   describeCron,
+  detectStage,
   enterpriseMigrations,
   escapeHtml,
+  extractAuditIp,
+  extractAuditRequestId,
+  extractAuditUserAgent,
+  extractClientIp,
   filterChannelsByPreferences,
   formatAmount,
   generateAuditId,
@@ -30118,40 +31856,62 @@ export {
   generatePaymentId,
   generateScheduleId,
   generateSecureToken,
+  generateSecurityHeaders,
   generateVersion,
   generateWebhookId,
   generateWebhookSecret,
+  getBoolEnv,
   getContext,
-  getCorrelationId,
+  getCorrelationId2 as getCorrelationId,
   getDefaultConfig,
+  getEndSessionEndpoint,
   getEnterpriseMigrations,
+  getEnvSummary,
+  getIntEnv,
   getLogMeta,
   getNextCronRun,
+  getOptionalEnv,
+  getRateLimitStatus,
   getRequestId,
+  getRequiredEnv,
+  getSharedRedis,
   getTenantId,
+  getTokenEndpoint,
   getTraceId,
   getUserId,
+  hasAllRoles,
+  hasAnyRole,
+  hasRole,
   isAIError,
+  isAllowlisted,
   isApiError,
   isAuthError,
   isInContext,
   isInQuietHours,
   isPaymentError,
+  isTokenExpired,
   isValidCron,
   loadConfig,
   matchAction,
   matchEventType,
+  parseKeycloakRoles,
   raceTimeout,
+  refreshKeycloakToken,
+  resetRateLimitForKey,
+  resolveIdentifier,
+  resolveRateLimitIdentifier,
   retryable,
   runWithContext,
   runWithContextAsync,
   safeValidateConfig,
+  sanitizeApiError,
   sanitizeForEmail,
   sqlMigration,
   stripHtml,
   timedHealthCheck,
   toHealthCheckResult,
   validateConfig,
+  validateEnvVars,
   withCorrelation,
   withCorrelationAsync,
   withFallback,