@digilogiclabs/platform-core 1.3.0 → 1.5.0

package/dist/security-headers.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/security-headers.ts"],"sourcesContent":["/**\n * Shared Security Headers Utility\n * Generates consistent security headers for all Next.js apps.\n * Zero heavy dependencies — pure utility function.\n */\n\n// ═══════════════════════════════════════════════════════════════\n// TYPES\n// ═══════════════════════════════════════════════════════════════\n\nexport interface SecurityHeadersConfig {\n  /** Enable Content-Security-Policy (default: true) */\n  csp?: boolean;\n  /** Additional allowed script-src domains */\n  cspScriptSrc?: string[];\n  /** Additional allowed connect-src domains */\n  cspConnectSrc?: string[];\n  /** Additional allowed frame-src domains */\n  cspFrameSrc?: string[];\n  /** Additional allowed style-src domains */\n  cspStyleSrc?: string[];\n  /** Additional allowed img-src domains */\n  cspImgSrc?: string[];\n  /** X-Frame-Options value (default: 'DENY') */\n  frameOptions?: \"DENY\" | \"SAMEORIGIN\";\n  /** Enable HSTS in production (default: true) */\n  hsts?: boolean;\n  /** HSTS max-age in seconds (default: 31536000 = 1 year) */\n  hstsMaxAge?: number;\n  /** Whether this is a production build (default: auto-detect from NODE_ENV) */\n  isProduction?: boolean;\n}\n\nexport interface NextHeaderEntry {\n  source: string;\n  headers: Array<{ key: string; value: string }>;\n}\n\n// ═══════════════════════════════════════════════════════════════\n// PRESETS\n// ═══════════════════════════════════════════════════════════════\n\nexport const SecurityHeaderPresets = {\n  /** Minimal: basic headers only, no CSP */\n  minimal: {\n    csp: false,\n    hsts: false,\n  } satisfies SecurityHeadersConfig,\n\n  /** Standard: full CSP + HSTS for most apps */\n  standard: {\n    csp: true,\n    hsts: true,\n    frameOptions: \"DENY\",\n  } satisfies SecurityHeadersConfig,\n\n  /** Strict: deny all permissions, strict CSP, no frame embedding */\n  strict: {\n    csp: true,\n    hsts: true,\n    hstsMaxAge: 63072000, // 2 years\n    frameOptions: \"DENY\",\n  } satisfies SecurityHeadersConfig,\n} as const;\n\n// ═══════════════════════════════════════════════════════════════\n// MAIN FUNCTION\n// ═══════════════════════════════════════════════════════════════\n\n/**\n * Generate security headers array compatible with Next.js `headers()` config.\n *\n * Usage in next.config.mjs:\n * ```js\n * const { generateSecurityHeaders } = require('@digilogiclabs/platform-core');\n *\n * module.exports = {\n *   async headers() {\n *     return generateSecurityHeaders({\n *       isProduction: process.env.NODE_ENV === 'production',\n *       cspScriptSrc: ['https://js.stripe.com'],\n *       cspConnectSrc: ['https://api.stripe.com'],\n *     });\n *   },\n * };\n * ```\n */\nexport function generateSecurityHeaders(\n  config: SecurityHeadersConfig = {},\n): NextHeaderEntry[] {\n  const isProduction =\n    config.isProduction ?? process.env.NODE_ENV === \"production\";\n  const frameOptions = config.frameOptions ?? \"DENY\";\n  const enableCsp = config.csp ?? true;\n  const enableHsts = config.hsts ?? true;\n  const hstsMaxAge = config.hstsMaxAge ?? 31536000;\n\n  // Base headers applied to all routes in all environments\n  const baseHeaders: Array<{ key: string; value: string }> = [\n    { key: \"X-Frame-Options\", value: frameOptions },\n    { key: \"X-Content-Type-Options\", value: \"nosniff\" },\n    // Modern browsers use CSP, not XSS-Protection. Value '0' disables the\n    // legacy filter which can itself introduce vulnerabilities.\n    { key: \"X-XSS-Protection\", value: \"0\" },\n    {\n      key: \"Referrer-Policy\",\n      value: \"strict-origin-when-cross-origin\",\n    },\n    {\n      key: \"Permissions-Policy\",\n      value: \"camera=(), microphone=(), geolocation=()\",\n    },\n  ];\n\n  const entries: NextHeaderEntry[] = [\n    { source: \"/:path*\", headers: baseHeaders },\n  ];\n\n  // Production-only headers\n  if (isProduction) {\n    const prodHeaders: Array<{ key: string; value: string }> = [];\n\n    // HSTS\n    if (enableHsts) {\n      prodHeaders.push({\n        key: \"Strict-Transport-Security\",\n        value: `max-age=${hstsMaxAge}; includeSubDomains`,\n      });\n    }\n\n    // Content-Security-Policy\n    if (enableCsp) {\n      const csp = buildCsp(config);\n      prodHeaders.push({ key: \"Content-Security-Policy\", value: csp });\n    }\n\n    if (prodHeaders.length > 0) {\n      entries.push({ source: \"/:path*\", headers: prodHeaders });\n    }\n  }\n\n  return entries;\n}\n\n// ═══════════════════════════════════════════════════════════════\n// CSP BUILDER\n// ═══════════════════════════════════════════════════════════════\n\nfunction buildCsp(config: SecurityHeadersConfig): string {\n  const scriptSrc = [\n    \"'self'\",\n    \"'unsafe-inline'\",\n    \"'unsafe-eval'\",\n    ...(config.cspScriptSrc ?? []),\n  ];\n\n  const styleSrc = [\n    \"'self'\",\n    \"'unsafe-inline'\",\n    \"https://fonts.googleapis.com\",\n    ...(config.cspStyleSrc ?? []),\n  ];\n\n  const imgSrc = [\n    \"'self'\",\n    \"data:\",\n    \"https:\",\n    \"blob:\",\n    ...(config.cspImgSrc ?? []),\n  ];\n\n  const fontSrc = [\"'self'\", \"data:\", \"https://fonts.gstatic.com\"];\n\n  const connectSrc = [\"'self'\", ...(config.cspConnectSrc ?? [])];\n\n  const frameSrc = [...(config.cspFrameSrc ?? [])];\n\n  const directives = [\n    `default-src 'self'`,\n    `script-src ${scriptSrc.join(\" \")}`,\n    `style-src ${styleSrc.join(\" \")}`,\n    `img-src ${imgSrc.join(\" \")}`,\n    `font-src ${fontSrc.join(\" \")}`,\n    `connect-src ${connectSrc.join(\" \")}`,\n  ];\n\n  if (frameSrc.length > 0) {\n    directives.push(`frame-src ${frameSrc.join(\" \")}`);\n  }\n\n  directives.push(\n    `object-src 'none'`,\n    `base-uri 'self'`,\n    `form-action 'self'`,\n    `frame-ancestors 'none'`,\n  );\n\n  return directives.join(\"; \");\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AA0CO,IAAM,wBAAwB;AAAA;AAAA,EAEnC,SAAS;AAAA,IACP,KAAK;AAAA,IACL,MAAM;AAAA,EACR;AAAA;AAAA,EAGA,UAAU;AAAA,IACR,KAAK;AAAA,IACL,MAAM;AAAA,IACN,cAAc;AAAA,EAChB;AAAA;AAAA,EAGA,QAAQ;AAAA,IACN,KAAK;AAAA,IACL,MAAM;AAAA,IACN,YAAY;AAAA;AAAA,IACZ,cAAc;AAAA,EAChB;AACF;AAwBO,SAAS,wBACd,SAAgC,CAAC,GACd;AACnB,QAAM,eACJ,OAAO,gBAAgB,QAAQ,IAAI,aAAa;AAClD,QAAM,eAAe,OAAO,gBAAgB;AAC5C,QAAM,YAAY,OAAO,OAAO;AAChC,QAAM,aAAa,OAAO,QAAQ;AAClC,QAAM,aAAa,OAAO,cAAc;AAGxC,QAAM,cAAqD;AAAA,IACzD,EAAE,KAAK,mBAAmB,OAAO,aAAa;AAAA,IAC9C,EAAE,KAAK,0BAA0B,OAAO,UAAU;AAAA;AAAA;AAAA,IAGlD,EAAE,KAAK,oBAAoB,OAAO,IAAI;AAAA,IACtC;AAAA,MACE,KAAK;AAAA,MACL,OAAO;AAAA,IACT;AAAA,IACA;AAAA,MACE,KAAK;AAAA,MACL,OAAO;AAAA,IACT;AAAA,EACF;AAEA,QAAM,UAA6B;AAAA,IACjC,EAAE,QAAQ,WAAW,SAAS,YAAY;AAAA,EAC5C;AAGA,MAAI,cAAc;AAChB,UAAM,cAAqD,CAAC;AAG5D,QAAI,YAAY;AACd,kBAAY,KAAK;AAAA,QACf,KAAK;AAAA,QACL,OAAO,WAAW,UAAU;AAAA,MAC9B,CAAC;AAAA,IACH;AAGA,QAAI,WAAW;AACb,YAAM,MAAM,SAAS,MAAM;AAC3B,kBAAY,KAAK,EAAE,KAAK,2BAA2B,OAAO,IAAI,CAAC;AAAA,IACjE;AAEA,QAAI,YAAY,SAAS,GAAG;AAC1B,cAAQ,KAAK,EAAE,QAAQ,WAAW,SAAS,YAAY,CAAC;AAAA,IAC1D;AAAA,EACF;AAEA,SAAO;AACT;AAMA,SAAS,SAAS,QAAuC;AACvD,QAAM,YAAY;AAAA,IAChB;AAAA,IACA;AAAA,IACA;AAAA,IACA,GAAI,OAAO,gBAAgB,CAAC;AAAA,EAC9B;AAEA,QAAM,WAAW;AAAA,IACf;AAAA,IACA;AAAA,IACA;AAAA,IACA,GAAI,OAAO,eAAe,CAAC;AAAA,EAC7B;AAEA,QAAM,SAAS;AAAA,IACb;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA,GAAI,OAAO,aAAa,CAAC;AAAA,EAC3B;AAEA,QAAM,UAAU,CAAC,UAAU,SAAS,2BAA2B;AAE/D,QAAM,aAAa,CAAC,UAAU,GAAI,OAAO,iBAAiB,CAAC,CAAE;AAE7D,QAAM,WAAW,CAAC,GAAI,OAAO,eAAe,CAAC,CAAE;AAE/C,QAAM,aAAa;AAAA,IACjB;AAAA,IACA,cAAc,UAAU,KAAK,GAAG,CAAC;AAAA,IACjC,aAAa,SAAS,KAAK,GAAG,CAAC;AAAA,IAC/B,WAAW,OAAO,KAAK,GAAG,CAAC;AAAA,IAC3B,YAAY,QAAQ,KAAK,GAAG,CAAC;AAAA,IAC7B,eAAe,WAAW,KAAK,GAAG,CAAC;AAAA,EACrC;AAEA,MAAI,SAAS,SAAS,GAAG;AACvB,eAAW,KAAK,aAAa,SAAS,KAAK,GAAG,CAAC,EAAE;AAAA,EACnD;AAEA,aAAW;AAAA,IACT;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,EACF;AAEA,SAAO,WAAW,KAAK,IAAI;AAC7B;","names":[]}

package/dist/security-headers.mjs

@@ -0,0 +1,111 @@
+// src/security-headers.ts
+var SecurityHeaderPresets = {
+  /** Minimal: basic headers only, no CSP */
+  minimal: {
+    csp: false,
+    hsts: false
+  },
+  /** Standard: full CSP + HSTS for most apps */
+  standard: {
+    csp: true,
+    hsts: true,
+    frameOptions: "DENY"
+  },
+  /** Strict: deny all permissions, strict CSP, no frame embedding */
+  strict: {
+    csp: true,
+    hsts: true,
+    hstsMaxAge: 63072e3,
+    // 2 years
+    frameOptions: "DENY"
+  }
+};
+function generateSecurityHeaders(config = {}) {
+  const isProduction = config.isProduction ?? process.env.NODE_ENV === "production";
+  const frameOptions = config.frameOptions ?? "DENY";
+  const enableCsp = config.csp ?? true;
+  const enableHsts = config.hsts ?? true;
+  const hstsMaxAge = config.hstsMaxAge ?? 31536e3;
+  const baseHeaders = [
+    { key: "X-Frame-Options", value: frameOptions },
+    { key: "X-Content-Type-Options", value: "nosniff" },
+    // Modern browsers use CSP, not XSS-Protection. Value '0' disables the
+    // legacy filter which can itself introduce vulnerabilities.
+    { key: "X-XSS-Protection", value: "0" },
+    {
+      key: "Referrer-Policy",
+      value: "strict-origin-when-cross-origin"
+    },
+    {
+      key: "Permissions-Policy",
+      value: "camera=(), microphone=(), geolocation=()"
+    }
+  ];
+  const entries = [
+    { source: "/:path*", headers: baseHeaders }
+  ];
+  if (isProduction) {
+    const prodHeaders = [];
+    if (enableHsts) {
+      prodHeaders.push({
+        key: "Strict-Transport-Security",
+        value: `max-age=${hstsMaxAge}; includeSubDomains`
+      });
+    }
+    if (enableCsp) {
+      const csp = buildCsp(config);
+      prodHeaders.push({ key: "Content-Security-Policy", value: csp });
+    }
+    if (prodHeaders.length > 0) {
+      entries.push({ source: "/:path*", headers: prodHeaders });
+    }
+  }
+  return entries;
+}
+function buildCsp(config) {
+  const scriptSrc = [
+    "'self'",
+    "'unsafe-inline'",
+    "'unsafe-eval'",
+    ...config.cspScriptSrc ?? []
+  ];
+  const styleSrc = [
+    "'self'",
+    "'unsafe-inline'",
+    "https://fonts.googleapis.com",
+    ...config.cspStyleSrc ?? []
+  ];
+  const imgSrc = [
+    "'self'",
+    "data:",
+    "https:",
+    "blob:",
+    ...config.cspImgSrc ?? []
+  ];
+  const fontSrc = ["'self'", "data:", "https://fonts.gstatic.com"];
+  const connectSrc = ["'self'", ...config.cspConnectSrc ?? []];
+  const frameSrc = [...config.cspFrameSrc ?? []];
+  const directives = [
+    `default-src 'self'`,
+    `script-src ${scriptSrc.join(" ")}`,
+    `style-src ${styleSrc.join(" ")}`,
+    `img-src ${imgSrc.join(" ")}`,
+    `font-src ${fontSrc.join(" ")}`,
+    `connect-src ${connectSrc.join(" ")}`
+  ];
+  if (frameSrc.length > 0) {
+    directives.push(`frame-src ${frameSrc.join(" ")}`);
+  }
+  directives.push(
+    `object-src 'none'`,
+    `base-uri 'self'`,
+    `form-action 'self'`,
+    `frame-ancestors 'none'`
+  );
+  return directives.join("; ");
+}
+export {
+  SecurityHeaderPresets,
+  generateSecurityHeaders
+};
+//# sourceMappingURL=security-headers.mjs.map

package/dist/security-headers.mjs.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/security-headers.ts"],"sourcesContent":["/**\n * Shared Security Headers Utility\n * Generates consistent security headers for all Next.js apps.\n * Zero heavy dependencies — pure utility function.\n */\n\n// ═══════════════════════════════════════════════════════════════\n// TYPES\n// ═══════════════════════════════════════════════════════════════\n\nexport interface SecurityHeadersConfig {\n  /** Enable Content-Security-Policy (default: true) */\n  csp?: boolean;\n  /** Additional allowed script-src domains */\n  cspScriptSrc?: string[];\n  /** Additional allowed connect-src domains */\n  cspConnectSrc?: string[];\n  /** Additional allowed frame-src domains */\n  cspFrameSrc?: string[];\n  /** Additional allowed style-src domains */\n  cspStyleSrc?: string[];\n  /** Additional allowed img-src domains */\n  cspImgSrc?: string[];\n  /** X-Frame-Options value (default: 'DENY') */\n  frameOptions?: \"DENY\" | \"SAMEORIGIN\";\n  /** Enable HSTS in production (default: true) */\n  hsts?: boolean;\n  /** HSTS max-age in seconds (default: 31536000 = 1 year) */\n  hstsMaxAge?: number;\n  /** Whether this is a production build (default: auto-detect from NODE_ENV) */\n  isProduction?: boolean;\n}\n\nexport interface NextHeaderEntry {\n  source: string;\n  headers: Array<{ key: string; value: string }>;\n}\n\n// ═══════════════════════════════════════════════════════════════\n// PRESETS\n// ═══════════════════════════════════════════════════════════════\n\nexport const SecurityHeaderPresets = {\n  /** Minimal: basic headers only, no CSP */\n  minimal: {\n    csp: false,\n    hsts: false,\n  } satisfies SecurityHeadersConfig,\n\n  /** Standard: full CSP + HSTS for most apps */\n  standard: {\n    csp: true,\n    hsts: true,\n    frameOptions: \"DENY\",\n  } satisfies SecurityHeadersConfig,\n\n  /** Strict: deny all permissions, strict CSP, no frame embedding */\n  strict: {\n    csp: true,\n    hsts: true,\n    hstsMaxAge: 63072000, // 2 years\n    frameOptions: \"DENY\",\n  } satisfies SecurityHeadersConfig,\n} as const;\n\n// ═══════════════════════════════════════════════════════════════\n// MAIN FUNCTION\n// ═══════════════════════════════════════════════════════════════\n\n/**\n * Generate security headers array compatible with Next.js `headers()` config.\n *\n * Usage in next.config.mjs:\n * ```js\n * const { generateSecurityHeaders } = require('@digilogiclabs/platform-core');\n *\n * module.exports = {\n *   async headers() {\n *     return generateSecurityHeaders({\n *       isProduction: process.env.NODE_ENV === 'production',\n *       cspScriptSrc: ['https://js.stripe.com'],\n *       cspConnectSrc: ['https://api.stripe.com'],\n *     });\n *   },\n * };\n * ```\n */\nexport function generateSecurityHeaders(\n  config: SecurityHeadersConfig = {},\n): NextHeaderEntry[] {\n  const isProduction =\n    config.isProduction ?? process.env.NODE_ENV === \"production\";\n  const frameOptions = config.frameOptions ?? \"DENY\";\n  const enableCsp = config.csp ?? true;\n  const enableHsts = config.hsts ?? true;\n  const hstsMaxAge = config.hstsMaxAge ?? 31536000;\n\n  // Base headers applied to all routes in all environments\n  const baseHeaders: Array<{ key: string; value: string }> = [\n    { key: \"X-Frame-Options\", value: frameOptions },\n    { key: \"X-Content-Type-Options\", value: \"nosniff\" },\n    // Modern browsers use CSP, not XSS-Protection. Value '0' disables the\n    // legacy filter which can itself introduce vulnerabilities.\n    { key: \"X-XSS-Protection\", value: \"0\" },\n    {\n      key: \"Referrer-Policy\",\n      value: \"strict-origin-when-cross-origin\",\n    },\n    {\n      key: \"Permissions-Policy\",\n      value: \"camera=(), microphone=(), geolocation=()\",\n    },\n  ];\n\n  const entries: NextHeaderEntry[] = [\n    { source: \"/:path*\", headers: baseHeaders },\n  ];\n\n  // Production-only headers\n  if (isProduction) {\n    const prodHeaders: Array<{ key: string; value: string }> = [];\n\n    // HSTS\n    if (enableHsts) {\n      prodHeaders.push({\n        key: \"Strict-Transport-Security\",\n        value: `max-age=${hstsMaxAge}; includeSubDomains`,\n      });\n    }\n\n    // Content-Security-Policy\n    if (enableCsp) {\n      const csp = buildCsp(config);\n      prodHeaders.push({ key: \"Content-Security-Policy\", value: csp });\n    }\n\n    if (prodHeaders.length > 0) {\n      entries.push({ source: \"/:path*\", headers: prodHeaders });\n    }\n  }\n\n  return entries;\n}\n\n// ═══════════════════════════════════════════════════════════════\n// CSP BUILDER\n// ═══════════════════════════════════════════════════════════════\n\nfunction buildCsp(config: SecurityHeadersConfig): string {\n  const scriptSrc = [\n    \"'self'\",\n    \"'unsafe-inline'\",\n    \"'unsafe-eval'\",\n    ...(config.cspScriptSrc ?? []),\n  ];\n\n  const styleSrc = [\n    \"'self'\",\n    \"'unsafe-inline'\",\n    \"https://fonts.googleapis.com\",\n    ...(config.cspStyleSrc ?? []),\n  ];\n\n  const imgSrc = [\n    \"'self'\",\n    \"data:\",\n    \"https:\",\n    \"blob:\",\n    ...(config.cspImgSrc ?? []),\n  ];\n\n  const fontSrc = [\"'self'\", \"data:\", \"https://fonts.gstatic.com\"];\n\n  const connectSrc = [\"'self'\", ...(config.cspConnectSrc ?? [])];\n\n  const frameSrc = [...(config.cspFrameSrc ?? [])];\n\n  const directives = [\n    `default-src 'self'`,\n    `script-src ${scriptSrc.join(\" \")}`,\n    `style-src ${styleSrc.join(\" \")}`,\n    `img-src ${imgSrc.join(\" \")}`,\n    `font-src ${fontSrc.join(\" \")}`,\n    `connect-src ${connectSrc.join(\" \")}`,\n  ];\n\n  if (frameSrc.length > 0) {\n    directives.push(`frame-src ${frameSrc.join(\" \")}`);\n  }\n\n  directives.push(\n    `object-src 'none'`,\n    `base-uri 'self'`,\n    `form-action 'self'`,\n    `frame-ancestors 'none'`,\n  );\n\n  return directives.join(\"; \");\n}\n"],"mappings":";AA0CO,IAAM,wBAAwB;AAAA;AAAA,EAEnC,SAAS;AAAA,IACP,KAAK;AAAA,IACL,MAAM;AAAA,EACR;AAAA;AAAA,EAGA,UAAU;AAAA,IACR,KAAK;AAAA,IACL,MAAM;AAAA,IACN,cAAc;AAAA,EAChB;AAAA;AAAA,EAGA,QAAQ;AAAA,IACN,KAAK;AAAA,IACL,MAAM;AAAA,IACN,YAAY;AAAA;AAAA,IACZ,cAAc;AAAA,EAChB;AACF;AAwBO,SAAS,wBACd,SAAgC,CAAC,GACd;AACnB,QAAM,eACJ,OAAO,gBAAgB,QAAQ,IAAI,aAAa;AAClD,QAAM,eAAe,OAAO,gBAAgB;AAC5C,QAAM,YAAY,OAAO,OAAO;AAChC,QAAM,aAAa,OAAO,QAAQ;AAClC,QAAM,aAAa,OAAO,cAAc;AAGxC,QAAM,cAAqD;AAAA,IACzD,EAAE,KAAK,mBAAmB,OAAO,aAAa;AAAA,IAC9C,EAAE,KAAK,0BAA0B,OAAO,UAAU;AAAA;AAAA;AAAA,IAGlD,EAAE,KAAK,oBAAoB,OAAO,IAAI;AAAA,IACtC;AAAA,MACE,KAAK;AAAA,MACL,OAAO;AAAA,IACT;AAAA,IACA;AAAA,MACE,KAAK;AAAA,MACL,OAAO;AAAA,IACT;AAAA,EACF;AAEA,QAAM,UAA6B;AAAA,IACjC,EAAE,QAAQ,WAAW,SAAS,YAAY;AAAA,EAC5C;AAGA,MAAI,cAAc;AAChB,UAAM,cAAqD,CAAC;AAG5D,QAAI,YAAY;AACd,kBAAY,KAAK;AAAA,QACf,KAAK;AAAA,QACL,OAAO,WAAW,UAAU;AAAA,MAC9B,CAAC;AAAA,IACH;AAGA,QAAI,WAAW;AACb,YAAM,MAAM,SAAS,MAAM;AAC3B,kBAAY,KAAK,EAAE,KAAK,2BAA2B,OAAO,IAAI,CAAC;AAAA,IACjE;AAEA,QAAI,YAAY,SAAS,GAAG;AAC1B,cAAQ,KAAK,EAAE,QAAQ,WAAW,SAAS,YAAY,CAAC;AAAA,IAC1D;AAAA,EACF;AAEA,SAAO;AACT;AAMA,SAAS,SAAS,QAAuC;AACvD,QAAM,YAAY;AAAA,IAChB;AAAA,IACA;AAAA,IACA;AAAA,IACA,GAAI,OAAO,gBAAgB,CAAC;AAAA,EAC9B;AAEA,QAAM,WAAW;AAAA,IACf;AAAA,IACA;AAAA,IACA;AAAA,IACA,GAAI,OAAO,eAAe,CAAC;AAAA,EAC7B;AAEA,QAAM,SAAS;AAAA,IACb;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA,GAAI,OAAO,aAAa,CAAC;AAAA,EAC3B;AAEA,QAAM,UAAU,CAAC,UAAU,SAAS,2BAA2B;AAE/D,QAAM,aAAa,CAAC,UAAU,GAAI,OAAO,iBAAiB,CAAC,CAAE;AAE7D,QAAM,WAAW,CAAC,GAAI,OAAO,eAAe,CAAC,CAAE;AAE/C,QAAM,aAAa;AAAA,IACjB;AAAA,IACA,cAAc,UAAU,KAAK,GAAG,CAAC;AAAA,IACjC,aAAa,SAAS,KAAK,GAAG,CAAC;AAAA,IAC/B,WAAW,OAAO,KAAK,GAAG,CAAC;AAAA,IAC3B,YAAY,QAAQ,KAAK,GAAG,CAAC;AAAA,IAC7B,eAAe,WAAW,KAAK,GAAG,CAAC;AAAA,EACrC;AAEA,MAAI,SAAS,SAAS,GAAG;AACvB,eAAW,KAAK,aAAa,SAAS,KAAK,GAAG,CAAC,EAAE;AAAA,EACnD;AAEA,aAAW;AAAA,IACT;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,EACF;AAEA,SAAO,WAAW,KAAK,IAAI;AAC7B;","names":[]}

package/dist/testing.d.mts

@@ -1,5 +1,5 @@
-import { I as IPlatform, M as MemoryDatabase, a as MemoryCache, b as MemoryStorage, c as MemoryEmail, d as MemoryQueue, e as IDatabase } from './ConsoleEmail-hUDFsKoA.mjs';
-export { C as ConsoleEmail, h as ConsoleLogger, t as EmailMessage, E as EnvSecrets, l as ICache, n as IEmail, p as ILogger, q as IMetrics, k as IQueryBuilder, o as IQueue, r as ISecrets, m as IStorage, J as Job, s as JobOptions, i as MemoryMetrics, f as MemorySecrets, N as NoopLogger, j as NoopMetrics, Q as QueryResult, S as StorageFile, g as createPlatform } from './ConsoleEmail-hUDFsKoA.mjs';
+import { I as IPlatform, M as MemoryDatabase, a as MemoryCache, b as MemoryStorage, c as MemoryEmail, d as MemoryQueue, e as IDatabase } from './ConsoleEmail-ubSVWgTa.mjs';
+export { C as ConsoleEmail, h as ConsoleLogger, t as EmailMessage, E as EnvSecrets, l as ICache, n as IEmail, p as ILogger, q as IMetrics, k as IQueryBuilder, o as IQueue, r as ISecrets, m as IStorage, J as Job, s as JobOptions, i as MemoryMetrics, f as MemorySecrets, N as NoopLogger, j as NoopMetrics, Q as QueryResult, S as StorageFile, g as createPlatform } from './ConsoleEmail-ubSVWgTa.mjs';
 import 'zod';
 
 /**

package/dist/testing.d.ts

@@ -1,5 +1,5 @@
-import { I as IPlatform, M as MemoryDatabase, a as MemoryCache, b as MemoryStorage, c as MemoryEmail, d as MemoryQueue, e as IDatabase } from './ConsoleEmail-hUDFsKoA.js';
-export { C as ConsoleEmail, h as ConsoleLogger, t as EmailMessage, E as EnvSecrets, l as ICache, n as IEmail, p as ILogger, q as IMetrics, k as IQueryBuilder, o as IQueue, r as ISecrets, m as IStorage, J as Job, s as JobOptions, i as MemoryMetrics, f as MemorySecrets, N as NoopLogger, j as NoopMetrics, Q as QueryResult, S as StorageFile, g as createPlatform } from './ConsoleEmail-hUDFsKoA.js';
+import { I as IPlatform, M as MemoryDatabase, a as MemoryCache, b as MemoryStorage, c as MemoryEmail, d as MemoryQueue, e as IDatabase } from './ConsoleEmail-ubSVWgTa.js';
+export { C as ConsoleEmail, h as ConsoleLogger, t as EmailMessage, E as EnvSecrets, l as ICache, n as IEmail, p as ILogger, q as IMetrics, k as IQueryBuilder, o as IQueue, r as ISecrets, m as IStorage, J as Job, s as JobOptions, i as MemoryMetrics, f as MemorySecrets, N as NoopLogger, j as NoopMetrics, Q as QueryResult, S as StorageFile, g as createPlatform } from './ConsoleEmail-ubSVWgTa.js';
 import 'zod';
 
 /**

package/dist/testing.js

@@ -363,10 +363,11 @@ var init_IAI = __esm({
 });
 
 // src/interfaces/IRAG.ts
-var ChunkingPresets, MemoryRAG;
+var import_crypto6, ChunkingPresets, MemoryRAG;
 var init_IRAG = __esm({
   "src/interfaces/IRAG.ts"() {
     "use strict";
+    import_crypto6 = require("crypto");
     ChunkingPresets = {
       default: {
         strategy: "recursive",
@@ -492,7 +493,7 @@ var init_IRAG = __esm({
       }
       async ingestOne(collection, document, options) {
         const startTime = Date.now();
-        const docId = `doc_${Date.now()}_${Math.random().toString(36).substring(7)}`;
+        const docId = `doc_${Date.now()}_${(0, import_crypto6.randomBytes)(4).toString("hex")}`;
         const now = /* @__PURE__ */ new Date();
         try {
           const col = await this.getCollection(collection);
@@ -1399,6 +1400,7 @@ var MemoryEmail = class {
 };
 
 // src/interfaces/IQueue.ts
+var import_crypto = require("crypto");
 function calculateBackoff(attempt, options) {
   if (options.type === "fixed") {
     return options.delay;
@@ -1409,19 +1411,20 @@ function calculateBackoff(attempt, options) {
 }
 function generateJobId() {
   const timestamp = Date.now().toString(36);
-  const random = Math.random().toString(36).substring(2, 10);
+  const random = (0, import_crypto.randomBytes)(4).toString("hex");
   return `job_${timestamp}_${random}`;
 }
 
 // src/context/CorrelationContext.ts
 var import_async_hooks = require("async_hooks");
+var import_crypto2 = require("crypto");
 var CorrelationContextManager = class {
   storage = new import_async_hooks.AsyncLocalStorage();
   idGenerator;
   constructor() {
     this.idGenerator = () => {
       const timestamp = Date.now().toString(36);
-      const random = Math.random().toString(36).substring(2, 10);
+      const random = (0, import_crypto2.randomBytes)(4).toString("hex");
       return `${timestamp}-${random}`;
     };
   }
@@ -2027,10 +2030,11 @@ var MemoryQueue = class {
 };
 
 // src/adapters/console/ConsoleEmail.ts
+var import_crypto3 = require("crypto");
 var ConsoleEmail = class {
   sentEmails = [];
   async send(message) {
-    const id = `console_${Date.now()}_${Math.random().toString(36).slice(2, 9)}`;
+    const id = `console_${Date.now()}_${(0, import_crypto3.randomBytes)(4).toString("hex")}`;
     console.log("\n" + "=".repeat(60));
     console.log("\u{1F4E7} EMAIL SENT (Console Adapter)");
     console.log("=".repeat(60));
@@ -2105,6 +2109,7 @@ var ConsoleEmail = class {
 };
 
 // src/interfaces/ISecrets.ts
+var import_crypto4 = require("crypto");
 var EnvSecrets = class {
   prefix;
   cache = /* @__PURE__ */ new Map();
@@ -2305,12 +2310,7 @@ var MemorySecrets = class {
     return true;
   }
   generateSecureValue(length = 32) {
-    const chars = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*";
-    let result = "";
-    for (let i = 0; i < length; i++) {
-      result += chars[Math.floor(Math.random() * chars.length)];
-    }
-    return result;
+    return (0, import_crypto4.randomBytes)(length).toString("base64url").slice(0, length);
   }
   /**
    * Clear all secrets (for testing)
@@ -2520,6 +2520,27 @@ var RAGConfigSchema = import_zod.z.object({
     message: "Pinecone requires apiKey and indexName; Weaviate requires host"
   }
 );
+var CryptoConfigSchema = import_zod.z.object({
+  enabled: import_zod.z.boolean().default(false).describe("Enable field-level encryption"),
+  masterKey: import_zod.z.string().optional().describe("256-bit master key as hex (64 chars). Required when enabled."),
+  hmacKey: import_zod.z.string().optional().describe(
+    "HMAC key for deterministic hashing (derived from master key if not provided)"
+  )
+}).refine(
+  (data) => {
+    if (data.enabled) {
+      return data.masterKey && data.masterKey.length >= 64;
+    }
+    return true;
+  },
+  {
+    message: "Crypto requires a 256-bit master key (64 hex characters) when enabled"
+  }
+);
+var SecurityConfigSchema = import_zod.z.object({
+  enforceTls: import_zod.z.boolean().default(true).describe("Enforce TLS for production connections"),
+  tlsWarnOnly: import_zod.z.boolean().default(false).describe("Warn instead of throwing when TLS is missing in production")
+});
 var RetryConfigSchema = import_zod.z.object({
   enabled: import_zod.z.boolean().default(true).describe("Enable retry for failed operations"),
   maxAttempts: import_zod.z.number().int().min(1).max(10).default(3).describe("Maximum retry attempts"),
@@ -2609,6 +2630,10 @@ var PlatformConfigSchema = import_zod.z.object({
   // AI configurations
   ai: AIConfigSchema.default({ enabled: false }),
   rag: RAGConfigSchema.default({ enabled: false }),
+  // Crypto configuration
+  crypto: CryptoConfigSchema.default({ enabled: false }),
+  // Security configuration
+  security: SecurityConfigSchema.default({}),
   // Resilience configuration
   resilience: ResilienceConfigSchema.default({}),
   // Observability configuration
@@ -2686,6 +2711,15 @@ function loadConfig() {
       embeddingApiKey: process.env.EMBEDDING_API_KEY || process.env.OPENAI_API_KEY,
       embeddingModel: process.env.EMBEDDING_MODEL
     },
+    crypto: {
+      enabled: process.env.CRYPTO_ENABLED === "true",
+      masterKey: process.env.CRYPTO_MASTER_KEY,
+      hmacKey: process.env.CRYPTO_HMAC_KEY
+    },
+    security: {
+      enforceTls: process.env.SECURITY_ENFORCE_TLS !== "false",
+      tlsWarnOnly: process.env.SECURITY_TLS_WARN_ONLY === "true"
+    },
     resilience: {
       retry: {
         enabled: process.env.RESILIENCE_RETRY_ENABLED !== "false",
@@ -2736,6 +2770,7 @@ function loadConfig() {
 }
 
 // src/interfaces/ITracing.ts
+var import_crypto5 = require("crypto");
 var MemorySpan = class {
   name;
   context;
@@ -2755,7 +2790,7 @@ var MemorySpan = class {
     };
   }
   generateSpanId() {
-    return Math.random().toString(16).substring(2, 18).padStart(16, "0");
+    return (0, import_crypto5.randomBytes)(8).toString("hex");
   }
   setAttribute(key, value) {
     this._attributes[key] = value;
@@ -2815,7 +2850,7 @@ var MemoryTracing = class {
     this.traceId = this.generateTraceId();
   }
   generateTraceId() {
-    return Math.random().toString(16).substring(2, 34).padStart(32, "0");
+    return (0, import_crypto5.randomBytes)(16).toString("hex");
   }
   startSpan(name, options) {
     const span = new MemorySpan(
@@ -3255,6 +3290,147 @@ var NoopMetrics = class {
 // src/factory.ts
 init_IAI();
 init_IRAG();
+
+// src/adapters/memory/MemoryCrypto.ts
+var import_crypto7 = require("crypto");
+var MemoryCrypto = class {
+  keys = /* @__PURE__ */ new Map();
+  activeKeyId;
+  hmacKey;
+  constructor(options) {
+    const masterKeyBuf = options?.masterKey ? Buffer.from(options.masterKey, "hex") : (0, import_crypto7.randomBytes)(32);
+    this.hmacKey = options?.hmacKey ? Buffer.from(options.hmacKey, "hex") : (0, import_crypto7.randomBytes)(32);
+    const keyId = this.generateKeyId();
+    this.keys.set(keyId, {
+      id: keyId,
+      key: masterKeyBuf,
+      status: "active",
+      createdAt: /* @__PURE__ */ new Date()
+    });
+    this.activeKeyId = keyId;
+  }
+  async encrypt(plaintext, options) {
+    const keyId = options?.keyId || this.activeKeyId;
+    const stored = this.keys.get(keyId);
+    if (!stored) {
+      throw new Error(`Key not found: ${keyId}`);
+    }
+    if (stored.status === "retired") {
+      throw new Error(`Key is retired: ${keyId}`);
+    }
+    if (stored.status === "decrypt-only" && !options?.keyId) {
+      throw new Error(`Key is decrypt-only: ${keyId}`);
+    }
+    const iv = (0, import_crypto7.randomBytes)(12);
+    const cipher = (0, import_crypto7.createCipheriv)("aes-256-gcm", stored.key, iv);
+    if (options?.aad) {
+      cipher.setAAD(Buffer.from(options.aad, "utf8"));
+    }
+    const encrypted = Buffer.concat([
+      cipher.update(plaintext, "utf8"),
+      cipher.final()
+    ]);
+    const tag = cipher.getAuthTag();
+    return {
+      ciphertext: encrypted.toString("base64"),
+      iv: iv.toString("base64"),
+      tag: tag.toString("base64"),
+      keyId,
+      algorithm: "aes-256-gcm",
+      version: 1
+    };
+  }
+  async decrypt(field, options) {
+    const stored = this.keys.get(field.keyId);
+    if (!stored) {
+      throw new Error(`Key not found: ${field.keyId}`);
+    }
+    if (stored.status === "retired") {
+      throw new Error(`Key is retired and cannot decrypt: ${field.keyId}`);
+    }
+    const decipher = (0, import_crypto7.createDecipheriv)(
+      "aes-256-gcm",
+      stored.key,
+      Buffer.from(field.iv, "base64")
+    );
+    decipher.setAuthTag(Buffer.from(field.tag, "base64"));
+    if (options?.aad) {
+      decipher.setAAD(Buffer.from(options.aad, "utf8"));
+    }
+    const decrypted = Buffer.concat([
+      decipher.update(Buffer.from(field.ciphertext, "base64")),
+      decipher.final()
+    ]);
+    return decrypted.toString("utf8");
+  }
+  async encryptDeterministic(plaintext, options) {
+    const hash = await this.computeHash(plaintext);
+    const encrypted = await this.encrypt(plaintext, options);
+    return { hash, encrypted };
+  }
+  async computeHash(plaintext) {
+    return (0, import_crypto7.createHmac)("sha256", this.hmacKey).update(plaintext, "utf8").digest("hex");
+  }
+  async encryptBatch(fields, options) {
+    const result = {};
+    for (const [key, value] of Object.entries(fields)) {
+      result[key] = await this.encrypt(value, options);
+    }
+    return result;
+  }
+  async decryptBatch(fields, options) {
+    const result = {};
+    for (const [key, value] of Object.entries(fields)) {
+      result[key] = await this.decrypt(value, options);
+    }
+    return result;
+  }
+  async rotateKey() {
+    const previousKeyId = this.activeKeyId;
+    const currentKey = this.keys.get(previousKeyId);
+    if (currentKey) {
+      currentKey.status = "decrypt-only";
+    }
+    const newKeyId = this.generateKeyId();
+    this.keys.set(newKeyId, {
+      id: newKeyId,
+      key: (0, import_crypto7.randomBytes)(32),
+      status: "active",
+      createdAt: /* @__PURE__ */ new Date()
+    });
+    this.activeKeyId = newKeyId;
+    return { newKeyId, previousKeyId };
+  }
+  async reEncrypt(field, options) {
+    const plaintext = await this.decrypt(field);
+    return this.encrypt(plaintext, options);
+  }
+  async listKeys() {
+    return Array.from(this.keys.values()).map((k) => ({
+      keyId: k.id,
+      createdAt: k.createdAt,
+      status: k.status
+    }));
+  }
+  async getActiveKeyId() {
+    return this.activeKeyId;
+  }
+  async healthCheck() {
+    try {
+      const testPlain = "health-check-test";
+      const encrypted = await this.encrypt(testPlain);
+      const decrypted = await this.decrypt(encrypted);
+      return decrypted === testPlain;
+    } catch {
+      return false;
+    }
+  }
+  generateKeyId() {
+    return `key_${(0, import_crypto7.randomBytes)(8).toString("hex")}`;
+  }
+};
+
+// src/factory.ts
 function createLogger(config) {
   if (!config.observability.logging) {
     return new NoopLogger();
@@ -3289,6 +3465,7 @@ function createPlatform(config) {
   const tracing = finalConfig.observability.tracing.provider === "memory" ? new MemoryTracing() : new NoopTracing();
   const ai = finalConfig.ai.enabled ? new MemoryAI() : null;
   const rag = finalConfig.rag.enabled ? new MemoryRAG() : null;
+  const crypto2 = finalConfig.crypto.enabled ? new MemoryCrypto() : null;
   return createPlatformFromAdapters(
     db,
     cache,
@@ -3299,10 +3476,11 @@ function createPlatform(config) {
     metrics,
     tracing,
     ai,
-    rag
+    rag,
+    crypto2
   );
 }
-function createPlatformFromAdapters(db, cache, storage, email, queue, logger, metrics, tracing, ai, rag) {
+function createPlatformFromAdapters(db, cache, storage, email, queue, logger, metrics, tracing, ai, rag, crypto2) {
   const platform = {
     db,
     cache,
@@ -3356,6 +3534,9 @@ function createPlatformFromAdapters(db, cache, storage, email, queue, logger, me
   if (rag) {
     platform.rag = rag;
   }
+  if (crypto2) {
+    platform.crypto = crypto2;
+  }
   return platform;
 }
 function deepMerge(target, source) {