npm - @digilogiclabs/platform-core - Versions diffs - 1.4.0 → 1.5.0 - Mend

@digilogiclabs/platform-core 1.4.0 → 1.5.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (14) hide show

package/dist/index.d.mts +1513 -132
package/dist/index.d.ts +1513 -132
package/dist/index.js +1322 -58
package/dist/index.js.map +1 -1
package/dist/index.mjs +1233 -24
package/dist/index.mjs.map +1 -1
package/dist/migrate.js +0 -0
package/dist/security-headers.js.map +1 -1
package/dist/security-headers.mjs.map +1 -1
package/dist/testing.js +3 -1
package/dist/testing.js.map +1 -1
package/dist/testing.mjs +9 -2
package/dist/testing.mjs.map +1 -1
package/package.json +11 -11

package/dist/index.js CHANGED Viewed

@@ -1761,7 +1761,7 @@ var init_RedisCache = __esm({
        * Create a RedisCache from configuration
        */
       static async create(config) {
-        const { default: Redis } = await import("ioredis");
+        const { default: Redis2 } = await import("ioredis");
         let client;
         if (config.cluster) {
           const { Cluster } = await import("ioredis");
@@ -1774,7 +1774,7 @@ var init_RedisCache = __esm({
             }
           });
         } else if (config.sentinel) {
-          client = new Redis({
+          client = new Redis2({
             sentinels: config.sentinel.sentinels,
             name: config.sentinel.name,
             password: config.password,
@@ -1783,7 +1783,7 @@ var init_RedisCache = __esm({
           });
         } else {
           const options = toIORedisOptions(config);
-          client = typeof options === "string" ? new Redis(options) : new Redis(options);
+          client = typeof options === "string" ? new Redis2(options) : new Redis2(options);
         }
         if (!config.lazyConnect) {
           await new Promise((resolve, reject) => {
@@ -1917,9 +1917,9 @@ var init_RedisCache = __esm({
       }
       async subscribe(channel, callback) {
         if (!this.subscriberClient) {
-          const { default: Redis } = await import("ioredis");
+          const { default: Redis2 } = await import("ioredis");
           const options = toIORedisOptions(this.config);
-          this.subscriberClient = typeof options === "string" ? new Redis(options) : new Redis(options);
+          this.subscriberClient = typeof options === "string" ? new Redis2(options) : new Redis2(options);
           this.subscriberClient.on("message", (ch, message) => {
             const callbacks = this.subscriptions.get(ch);
             if (callbacks) {
@@ -6984,9 +6984,7 @@ var init_NodeCrypto = __esm({
           );
         }
         this.masterKey = Buffer.from(config.masterKey, "hex");
-        this.hmacKey = config.hmacKey ? Buffer.from(config.hmacKey, "hex") : Buffer.from(
-          (0, import_crypto25.hkdfSync)("sha256", this.masterKey, "", "hmac-key", 32)
-        );
+        this.hmacKey = config.hmacKey ? Buffer.from(config.hmacKey, "hex") : Buffer.from((0, import_crypto25.hkdfSync)("sha256", this.masterKey, "", "hmac-key", 32));
         const keyId = this.generateKeyId();
         const dek = this.deriveDEK(keyId);
         this.keys.set(keyId, {
@@ -7156,6 +7154,7 @@ __export(src_exports, {
   CircuitBreakerRegistry: () => CircuitBreakerRegistry,
   CircuitOpenError: () => CircuitOpenError,
   CommonApiErrors: () => CommonApiErrors,
+  CommonRateLimits: () => CommonRateLimits,
   ConsoleEmail: () => ConsoleEmail,
   ConsoleLogger: () => ConsoleLogger,
   CronPresets: () => CronPresets,
@@ -7172,17 +7171,21 @@ __export(src_exports, {
   DatabaseNotification: () => DatabaseNotification,
   DatabasePromptStore: () => DatabasePromptStore,
   DatabaseProviderSchema: () => DatabaseProviderSchema,
+  DateRangeSchema: () => DateRangeSchema,
   DefaultTimeouts: () => DefaultTimeouts,
   EmailConfigSchema: () => EmailConfigSchema,
   EmailProviderSchema: () => EmailProviderSchema,
+  EmailSchema: () => EmailSchema,
   EnvSecrets: () => EnvSecrets,
   FallbackStrategies: () => FallbackStrategies,
   GenericOIDCAuthSSO: () => GenericOIDCAuthSSO,
   GoogleAIAdapter: () => GoogleAIAdapter,
   HTML_TAG_PATTERN: () => HTML_TAG_PATTERN,
   HttpWebhook: () => HttpWebhook,
+  KEYCLOAK_DEFAULT_ROLES: () => KEYCLOAK_DEFAULT_ROLES,
   LogLevelSchema: () => LogLevelSchema,
   LoggingConfigSchema: () => LoggingConfigSchema,
+  LoginSchema: () => LoginSchema,
   MemoryAI: () => MemoryAI,
   MemoryAIUsage: () => MemoryAIUsage,
   MemoryAuditLog: () => MemoryAuditLog,
@@ -7221,7 +7224,11 @@ __export(src_exports, {
   ObservabilityConfigSchema: () => ObservabilityConfigSchema,
   OpenAIAdapter: () => OpenAIAdapter,
   PG_ERROR_MAP: () => PG_ERROR_MAP,
+  PaginationSchema: () => PaginationSchema,
+  PasswordSchema: () => PasswordSchema,
   PaymentErrorMessages: () => PaymentErrorMessages,
+  PersonNameSchema: () => PersonNameSchema,
+  PhoneSchema: () => PhoneSchema,
   PineconeRAG: () => PineconeRAG,
   PlatformConfigSchema: () => PlatformConfigSchema,
   PostgresDatabase: () => PostgresDatabase,
@@ -7241,9 +7248,14 @@ __export(src_exports, {
   RetryPredicates: () => RetryPredicates,
   S3Storage: () => S3Storage,
   SQL: () => SQL,
+  SearchQuerySchema: () => SearchQuerySchema,
   SecurityConfigSchema: () => SecurityConfigSchema,
   SecurityHeaderPresets: () => SecurityHeaderPresets,
+  SignupSchema: () => SignupSchema,
+  SlugSchema: () => SlugSchema,
   SmtpEmail: () => SmtpEmail,
+  StandardAuditActions: () => StandardAuditActions,
+  StandardRateLimitPresets: () => StandardRateLimitPresets,
   StorageConfigSchema: () => StorageConfigSchema,
   StorageProviderSchema: () => StorageProviderSchema,
   StripePayment: () => StripePayment,
@@ -7259,16 +7271,32 @@ __export(src_exports, {
   UpstashCache: () => UpstashCache,
   WeaviateRAG: () => WeaviateRAG,
   WebhookEventTypes: () => WebhookEventTypes,
+  WrapperPresets: () => WrapperPresets,
+  buildAllowlist: () => buildAllowlist,
+  buildAuthCookies: () => buildAuthCookies,
+  buildErrorBody: () => buildErrorBody,
+  buildKeycloakCallbacks: () => buildKeycloakCallbacks,
   buildPagination: () => buildPagination,
+  buildRateLimitHeaders: () => buildRateLimitHeaders,
+  buildRateLimitResponseHeaders: () => buildRateLimitResponseHeaders,
+  buildRedirectCallback: () => buildRedirectCallback,
+  buildTokenRefreshParams: () => buildTokenRefreshParams,
   calculateBackoff: () => calculateBackoff,
   calculateRetryDelay: () => calculateRetryDelay,
+  checkEnvVars: () => checkEnvVars,
+  checkRateLimit: () => checkRateLimit,
   classifyError: () => classifyError,
+  closeSharedRedis: () => closeSharedRedis,
   composeHookRegistries: () => composeHookRegistries,
+  constantTimeEqual: () => constantTimeEqual,
   containsHtml: () => containsHtml,
   containsUrls: () => containsUrls,
   correlationContext: () => correlationContext,
   createAIError: () => createAIError,
   createAnthropicAdapter: () => createAnthropicAdapter,
+  createAppLogger: () => createAppLogger,
+  createAuditActor: () => createAuditActor,
+  createAuditLogger: () => createAuditLogger,
   createAuthError: () => createAuthError,
   createBulkhead: () => createBulkhead,
   createCacheMiddleware: () => createCacheMiddleware,
@@ -7279,6 +7307,7 @@ __export(src_exports, {
   createErrorReport: () => createErrorReport,
   createExpressHealthHandlers: () => createExpressHealthHandlers,
   createExpressMetricsHandler: () => createExpressMetricsHandler,
+  createFeatureFlags: () => createFeatureFlags,
   createGoogleAIAdapter: () => createGoogleAIAdapter,
   createHealthEndpoints: () => createHealthEndpoints,
   createHealthServer: () => createHealthServer,
@@ -7286,6 +7315,7 @@ __export(src_exports, {
   createIpKeyGenerator: () => createIpKeyGenerator,
   createJobContext: () => createJobContext,
   createLoggingMiddleware: () => createLoggingMiddleware,
+  createMemoryRateLimitStore: () => createMemoryRateLimitStore,
   createMetricsEndpoint: () => createMetricsEndpoint,
   createMetricsMiddleware: () => createMetricsMiddleware,
   createMetricsServer: () => createMetricsServer,
@@ -7299,8 +7329,10 @@ __export(src_exports, {
   createPlatform: () => createPlatform,
   createPlatformAsync: () => createPlatformAsync,
   createRateLimitMiddleware: () => createRateLimitMiddleware,
+  createRedisClient: () => createRedisClient,
   createRequestContext: () => createRequestContext,
   createRequestIdMiddleware: () => createRequestIdMiddleware,
+  createSafeTextSchema: () => createSafeTextSchema,
   createScopedMetrics: () => createScopedMetrics,
   createSlowQueryMiddleware: () => createSlowQueryMiddleware,
   createSsoOidcConfigsTable: () => createSsoOidcConfigsTable,
@@ -7317,8 +7349,13 @@ __export(src_exports, {
   defangUrl: () => defangUrl,
   defineMigration: () => defineMigration,
   describeCron: () => describeCron,
+  detectStage: () => detectStage,
   enterpriseMigrations: () => enterpriseMigrations,
   escapeHtml: () => escapeHtml,
+  extractAuditIp: () => extractAuditIp,
+  extractAuditRequestId: () => extractAuditRequestId,
+  extractAuditUserAgent: () => extractAuditUserAgent,
+  extractClientIp: () => extractClientIp,
   filterChannelsByPreferences: () => filterChannelsByPreferences,
   formatAmount: () => formatAmount,
   generateAuditId: () => generateAuditId,
@@ -7336,37 +7373,58 @@ __export(src_exports, {
   generateVersion: () => generateVersion,
   generateWebhookId: () => generateWebhookId,
   generateWebhookSecret: () => generateWebhookSecret,
+  getBoolEnv: () => getBoolEnv,
   getContext: () => getContext,
-  getCorrelationId: () => getCorrelationId,
+  getCorrelationId: () => getCorrelationId2,
   getDefaultConfig: () => getDefaultConfig,
+  getEndSessionEndpoint: () => getEndSessionEndpoint,
   getEnterpriseMigrations: () => getEnterpriseMigrations,
+  getEnvSummary: () => getEnvSummary,
+  getIntEnv: () => getIntEnv,
   getLogMeta: () => getLogMeta,
   getNextCronRun: () => getNextCronRun,
+  getOptionalEnv: () => getOptionalEnv,
+  getRateLimitStatus: () => getRateLimitStatus,
   getRequestId: () => getRequestId,
+  getRequiredEnv: () => getRequiredEnv,
+  getSharedRedis: () => getSharedRedis,
   getTenantId: () => getTenantId,
+  getTokenEndpoint: () => getTokenEndpoint,
   getTraceId: () => getTraceId,
   getUserId: () => getUserId,
+  hasAllRoles: () => hasAllRoles,
+  hasAnyRole: () => hasAnyRole,
+  hasRole: () => hasRole,
   isAIError: () => isAIError,
+  isAllowlisted: () => isAllowlisted,
   isApiError: () => isApiError,
   isAuthError: () => isAuthError,
   isInContext: () => isInContext,
   isInQuietHours: () => isInQuietHours,
   isPaymentError: () => isPaymentError,
+  isTokenExpired: () => isTokenExpired,
   isValidCron: () => isValidCron,
   loadConfig: () => loadConfig,
   matchAction: () => matchAction,
   matchEventType: () => matchEventType,
+  parseKeycloakRoles: () => parseKeycloakRoles,
   raceTimeout: () => raceTimeout,
+  refreshKeycloakToken: () => refreshKeycloakToken,
+  resetRateLimitForKey: () => resetRateLimitForKey,
+  resolveIdentifier: () => resolveIdentifier,
+  resolveRateLimitIdentifier: () => resolveRateLimitIdentifier,
   retryable: () => retryable,
   runWithContext: () => runWithContext,
   runWithContextAsync: () => runWithContextAsync,
   safeValidateConfig: () => safeValidateConfig,
+  sanitizeApiError: () => sanitizeApiError,
   sanitizeForEmail: () => sanitizeForEmail,
   sqlMigration: () => sqlMigration,
   stripHtml: () => stripHtml,
   timedHealthCheck: () => timedHealthCheck,
   toHealthCheckResult: () => toHealthCheckResult,
   validateConfig: () => validateConfig,
+  validateEnvVars: () => validateEnvVars,
   withCorrelation: () => withCorrelation,
   withCorrelationAsync: () => withCorrelationAsync,
   withFallback: () => withFallback,
@@ -14352,7 +14410,9 @@ var RAGConfigSchema = import_zod.z.object({
 var CryptoConfigSchema = import_zod.z.object({
   enabled: import_zod.z.boolean().default(false).describe("Enable field-level encryption"),
   masterKey: import_zod.z.string().optional().describe("256-bit master key as hex (64 chars). Required when enabled."),
-  hmacKey: import_zod.z.string().optional().describe("HMAC key for deterministic hashing (derived from master key if not provided)")
+  hmacKey: import_zod.z.string().optional().describe(
+    "HMAC key for deterministic hashing (derived from master key if not provided)"
+  )
 }).refine(
   (data) => {
     if (data.enabled) {
@@ -15867,9 +15927,9 @@ async function createCacheAdapter(config) {
           "Upstash requires UPSTASH_REDIS_REST_URL and UPSTASH_REDIS_REST_TOKEN environment variables"
         );
       }
-      const { Redis } = await import("@upstash/redis");
+      const { Redis: Redis2 } = await import("@upstash/redis");
       const { UpstashCache: UpstashCache2 } = await Promise.resolve().then(() => (init_UpstashCache(), UpstashCache_exports));
-      const client = new Redis({
+      const client = new Redis2({
         url: config.cache.upstashUrl,
         token: config.cache.upstashToken
       });
@@ -16168,15 +16228,17 @@ function validateTlsSecurity(config) {
 async function createPlatformAsync(config) {
   const finalConfig = config ? deepMerge(loadConfig(), config) : loadConfig();
   validateTlsSecurity(finalConfig);
-  const [db, cache, storage, email, queue, tracing, crypto2] = await Promise.all([
-    createDatabaseAdapter(finalConfig),
-    createCacheAdapter(finalConfig),
-    createStorageAdapter(finalConfig),
-    createEmailAdapter(finalConfig),
-    createQueueAdapter(finalConfig),
-    createTracingAdapter(finalConfig),
-    createCryptoAdapter(finalConfig)
-  ]);
+  const [db, cache, storage, email, queue, tracing, crypto2] = await Promise.all(
+    [
+      createDatabaseAdapter(finalConfig),
+      createCacheAdapter(finalConfig),
+      createStorageAdapter(finalConfig),
+      createEmailAdapter(finalConfig),
+      createQueueAdapter(finalConfig),
+      createTracingAdapter(finalConfig),
+      createCryptoAdapter(finalConfig)
+    ]
+  );
   const logger = createLogger(finalConfig);
   const metrics = createMetrics(finalConfig);
   const ai = await createAIAdapter(finalConfig);
@@ -17756,6 +17818,7 @@ var FallbackStrategies = {
 };
 // src/security.ts
+var import_crypto27 = require("crypto");
 var URL_PROTOCOL_PATTERN = /(https?:\/\/|ftp:\/\/|www\.)\S+/i;
 var URL_DOMAIN_PATTERN = /\b[\w.-]+\.(com|net|org|io|co|dev|app|xyz|info|biz|me|us|uk|edu|gov)\b/i;
 var HTML_TAG_PATTERN = /<[^>]*>/;
@@ -17780,6 +17843,37 @@ function defangUrl(str) {
 function sanitizeForEmail(str) {
   return escapeHtml(str);
 }
+function constantTimeEqual(a, b) {
+  try {
+    const aBuf = Buffer.from(a, "utf-8");
+    const bBuf = Buffer.from(b, "utf-8");
+    if (aBuf.length !== bBuf.length) return false;
+    return (0, import_crypto27.timingSafeEqual)(aBuf, bBuf);
+  } catch {
+    return false;
+  }
+}
+function sanitizeApiError(error, statusCode, isDevelopment = false) {
+  if (statusCode >= 400 && statusCode < 500) {
+    const message = error instanceof Error ? error.message : String(error || "Bad request");
+    return { message };
+  }
+  const result = {
+    message: "An internal error occurred. Please try again later.",
+    code: "INTERNAL_ERROR"
+  };
+  if (isDevelopment && error instanceof Error) {
+    result.stack = error.stack;
+  }
+  return result;
+}
+function getCorrelationId2(headers) {
+  const get = typeof headers === "function" ? headers : (name) => {
+    const val = headers[name] ?? headers[name.toLowerCase()];
+    return Array.isArray(val) ? val[0] : val;
+  };
+  return get("x-request-id") || get("X-Request-ID") || get("x-correlation-id") || get("X-Correlation-ID") || crypto.randomUUID();
+}
 // src/security-headers.ts
 var SecurityHeaderPresets = {
@@ -18013,6 +18107,850 @@ function buildPagination(page, limit, total) {
   };
 }
+// src/auth/keycloak.ts
+var KEYCLOAK_DEFAULT_ROLES = [
+  "offline_access",
+  "uma_authorization"
+];
+function parseKeycloakRoles(accessToken, additionalDefaultRoles = []) {
+  if (!accessToken) return [];
+  try {
+    const parts = accessToken.split(".");
+    if (parts.length !== 3) return [];
+    const payload = parts[1];
+    const decoded = JSON.parse(atob(payload));
+    const realmRoles = decoded.realm_roles ?? decoded.realm_access?.roles;
+    if (!Array.isArray(realmRoles)) return [];
+    const filterSet = /* @__PURE__ */ new Set([
+      ...KEYCLOAK_DEFAULT_ROLES,
+      ...additionalDefaultRoles
+    ]);
+    return realmRoles.filter(
+      (role) => typeof role === "string" && !filterSet.has(role)
+    );
+  } catch {
+    return [];
+  }
+}
+function hasRole(roles, role) {
+  return roles?.includes(role) ?? false;
+}
+function hasAnyRole(roles, requiredRoles) {
+  if (!roles || roles.length === 0) return false;
+  return requiredRoles.some((role) => roles.includes(role));
+}
+function hasAllRoles(roles, requiredRoles) {
+  if (!roles || roles.length === 0) return false;
+  return requiredRoles.every((role) => roles.includes(role));
+}
+function isTokenExpired(expiresAt, bufferMs = 6e4) {
+  if (!expiresAt) return true;
+  return Date.now() >= expiresAt - bufferMs;
+}
+function buildTokenRefreshParams(config, refreshToken) {
+  return new URLSearchParams({
+    grant_type: "refresh_token",
+    client_id: config.clientId,
+    client_secret: config.clientSecret,
+    refresh_token: refreshToken
+  });
+}
+function getTokenEndpoint(issuer) {
+  const base = issuer.endsWith("/") ? issuer.slice(0, -1) : issuer;
+  return `${base}/protocol/openid-connect/token`;
+}
+function getEndSessionEndpoint(issuer) {
+  const base = issuer.endsWith("/") ? issuer.slice(0, -1) : issuer;
+  return `${base}/protocol/openid-connect/logout`;
+}
+async function refreshKeycloakToken(config, refreshToken, additionalDefaultRoles) {
+  try {
+    const endpoint = getTokenEndpoint(config.issuer);
+    const params = buildTokenRefreshParams(config, refreshToken);
+    const response = await fetch(endpoint, {
+      method: "POST",
+      headers: { "Content-Type": "application/x-www-form-urlencoded" },
+      body: params
+    });
+    if (!response.ok) {
+      const body = await response.text().catch(() => "");
+      return {
+        ok: false,
+        error: `Token refresh failed: HTTP ${response.status} - ${body}`
+      };
+    }
+    const data = await response.json();
+    return {
+      ok: true,
+      tokens: {
+        accessToken: data.access_token,
+        refreshToken: data.refresh_token ?? refreshToken,
+        idToken: data.id_token,
+        expiresAt: Date.now() + data.expires_in * 1e3,
+        roles: parseKeycloakRoles(data.access_token, additionalDefaultRoles)
+      }
+    };
+  } catch (error) {
+    return {
+      ok: false,
+      error: error instanceof Error ? error.message : "Token refresh failed"
+    };
+  }
+}
+// src/auth/nextjs-keycloak.ts
+function buildAuthCookies(config = {}) {
+  const { domain, sessionToken = true, callbackUrl = true } = config;
+  const isProduction = process.env.NODE_ENV === "production";
+  const cookieDomain = isProduction ? domain : void 0;
+  const baseOptions = {
+    httpOnly: true,
+    sameSite: "lax",
+    path: "/",
+    secure: isProduction,
+    domain: cookieDomain
+  };
+  const cookies = {
+    pkceCodeVerifier: {
+      name: "authjs.pkce.code_verifier",
+      options: { ...baseOptions }
+    },
+    state: {
+      name: "authjs.state",
+      options: { ...baseOptions }
+    }
+  };
+  if (sessionToken) {
+    cookies.sessionToken = {
+      name: isProduction ? "__Secure-authjs.session-token" : "authjs.session-token",
+      options: { ...baseOptions }
+    };
+  }
+  if (callbackUrl) {
+    cookies.callbackUrl = {
+      name: isProduction ? "__Secure-authjs.callback-url" : "authjs.callback-url",
+      options: { ...baseOptions }
+    };
+  }
+  return cookies;
+}
+function buildRedirectCallback(config = {}) {
+  const { allowWwwVariant = false } = config;
+  return async ({ url, baseUrl }) => {
+    if (url.startsWith("/")) return `${baseUrl}${url}`;
+    try {
+      if (new URL(url).origin === baseUrl) return url;
+    } catch {
+      return baseUrl;
+    }
+    if (allowWwwVariant) {
+      try {
+        const urlHost = new URL(url).hostname;
+        const baseHost = new URL(baseUrl).hostname;
+        if (urlHost === `www.${baseHost}` || baseHost === `www.${urlHost}`) {
+          return url;
+        }
+      } catch {
+      }
+    }
+    return baseUrl;
+  };
+}
+function buildKeycloakCallbacks(config) {
+  const {
+    issuer,
+    clientId,
+    clientSecret,
+    defaultRoles = [],
+    debug = process.env.NODE_ENV === "development"
+  } = config;
+  const kcConfig = { issuer, clientId, clientSecret };
+  function log(message, meta) {
+    if (debug) {
+      console.log(`[Auth] ${message}`, meta ? JSON.stringify(meta) : "");
+    }
+  }
+  return {
+    /**
+     * JWT callback — stores Keycloak tokens and handles refresh.
+     *
+     * Compatible with Auth.js v5 JWT callback signature.
+     */
+    async jwt({
+      token,
+      user,
+      account
+    }) {
+      if (user) {
+        token.id = token.sub ?? user.id;
+      }
+      if (account?.provider === "keycloak") {
+        token.accessToken = account.access_token;
+        token.refreshToken = account.refresh_token;
+        token.idToken = account.id_token;
+        token.roles = parseKeycloakRoles(
+          account.access_token,
+          defaultRoles
+        );
+        token.accessTokenExpires = account.expires_at ? account.expires_at * 1e3 : Date.now() + 3e5;
+        return token;
+      }
+      if (!isTokenExpired(token.accessTokenExpires)) {
+        return token;
+      }
+      if (token.refreshToken) {
+        log("Token expired, attempting refresh...");
+        const result = await refreshKeycloakToken(
+          kcConfig,
+          token.refreshToken,
+          defaultRoles
+        );
+        if (result.ok) {
+          token.accessToken = result.tokens.accessToken;
+          token.idToken = result.tokens.idToken ?? token.idToken;
+          token.refreshToken = result.tokens.refreshToken ?? token.refreshToken;
+          token.accessTokenExpires = result.tokens.expiresAt;
+          token.roles = result.tokens.roles;
+          delete token.error;
+          log("Token refreshed OK");
+          return token;
+        }
+        log("Token refresh failed", { error: result.error });
+        return { ...token, error: "RefreshTokenError" };
+      }
+      log("Token expired but no refresh token available");
+      return { ...token, error: "RefreshTokenError" };
+    },
+    /**
+     * Session callback — maps JWT fields to the session object.
+     *
+     * Compatible with Auth.js v5 session callback signature.
+     */
+    async session({
+      session,
+      token
+    }) {
+      const user = session.user;
+      if (user) {
+        user.id = token.id || token.sub;
+        user.roles = token.roles || [];
+      }
+      session.idToken = token.idToken;
+      session.accessToken = token.accessToken;
+      if (token.error) {
+        session.error = token.error;
+      }
+      return session;
+    }
+  };
+}
+// src/auth/api-security.ts
+var StandardRateLimitPresets = {
+  /** General API: 100/min, 200/min authenticated */
+  apiGeneral: {
+    limit: 100,
+    windowSeconds: 60,
+    authenticatedLimit: 200
+  },
+  /** Admin operations: 100/min (admins are trusted) */
+  adminAction: {
+    limit: 100,
+    windowSeconds: 60
+  },
+  /** AI/expensive operations: 20/hour, 50/hour authenticated */
+  aiRequest: {
+    limit: 20,
+    windowSeconds: 3600,
+    authenticatedLimit: 50
+  },
+  /** Auth attempts: 5/15min with 15min block */
+  authAttempt: {
+    limit: 5,
+    windowSeconds: 900,
+    blockDurationSeconds: 900
+  },
+  /** Contact/public forms: 10/hour */
+  publicForm: {
+    limit: 10,
+    windowSeconds: 3600,
+    blockDurationSeconds: 1800
+  },
+  /** Checkout/billing: 10/hour with 1hr block */
+  checkout: {
+    limit: 10,
+    windowSeconds: 3600,
+    blockDurationSeconds: 3600
+  }
+};
+function resolveRateLimitIdentifier(session, clientIp) {
+  if (session?.user?.id) {
+    return { identifier: `user:${session.user.id}`, isAuthenticated: true };
+  }
+  if (session?.user?.email) {
+    return {
+      identifier: `email:${session.user.email}`,
+      isAuthenticated: true
+    };
+  }
+  return { identifier: `ip:${clientIp}`, isAuthenticated: false };
+}
+function extractClientIp(getHeader) {
+  return getHeader("cf-connecting-ip") || getHeader("x-real-ip") || getHeader("x-forwarded-for")?.split(",")[0]?.trim() || "unknown";
+}
+function buildRateLimitHeaders(limit, remaining, resetAtMs) {
+  return {
+    "X-RateLimit-Limit": String(limit),
+    "X-RateLimit-Remaining": String(Math.max(0, remaining)),
+    "X-RateLimit-Reset": String(Math.ceil(resetAtMs / 1e3))
+  };
+}
+function buildErrorBody(error, extra) {
+  return { error, ...extra };
+}
+var WrapperPresets = {
+  /** Public route: no auth, rate limited */
+  public: {
+    requireAuth: false,
+    requireAdmin: false,
+    rateLimit: "apiGeneral"
+  },
+  /** Authenticated route: requires session */
+  authenticated: {
+    requireAuth: true,
+    requireAdmin: false,
+    rateLimit: "apiGeneral"
+  },
+  /** Admin route: requires session with admin role */
+  admin: {
+    requireAuth: true,
+    requireAdmin: true,
+    rateLimit: "adminAction"
+  },
+  /** Legacy admin: accepts session OR bearer token */
+  legacyAdmin: {
+    requireAuth: true,
+    requireAdmin: true,
+    allowBearerToken: true,
+    rateLimit: "adminAction"
+  },
+  /** AI/expensive: requires auth, strict rate limit */
+  ai: {
+    requireAuth: true,
+    requireAdmin: false,
+    rateLimit: "aiRequest"
+  },
+  /** Cron: no rate limit, admin-level access */
+  cron: {
+    requireAuth: true,
+    requireAdmin: false,
+    skipRateLimit: true,
+    skipAudit: false
+  }
+};
+// src/auth/schemas.ts
+var import_zod2 = require("zod");
+var EmailSchema = import_zod2.z.string().trim().toLowerCase().email("Invalid email address");
+var PasswordSchema = import_zod2.z.string().min(8, "Password must be at least 8 characters").max(100, "Password must be less than 100 characters");
+var SlugSchema = import_zod2.z.string().min(1, "Slug is required").max(100, "Slug must be less than 100 characters").regex(
+  /^[a-z0-9-]+$/,
+  "Slug can only contain lowercase letters, numbers, and hyphens"
+);
+var PhoneSchema = import_zod2.z.string().regex(/^[\d\s()+.\-]{7,20}$/, "Invalid phone number format");
+var PersonNameSchema = import_zod2.z.string().min(2, "Name must be at least 2 characters").max(100, "Name must be less than 100 characters").regex(
+  /^[a-zA-Z\s\-']+$/,
+  "Name can only contain letters, spaces, hyphens and apostrophes"
+);
+function createSafeTextSchema(options) {
+  const {
+    min,
+    max,
+    allowHtml = false,
+    allowUrls = false,
+    fieldName = "Text"
+  } = options ?? {};
+  let schema = import_zod2.z.string();
+  if (min !== void 0)
+    schema = schema.min(min, `${fieldName} must be at least ${min} characters`);
+  if (max !== void 0)
+    schema = schema.max(
+      max,
+      `${fieldName} must be less than ${max} characters`
+    );
+  if (!allowHtml && !allowUrls) {
+    return schema.refine((val) => !HTML_TAG_PATTERN.test(val), "HTML tags are not allowed").refine(
+      (val) => !URL_PROTOCOL_PATTERN.test(val),
+      "Links are not allowed for security reasons"
+    ).refine(
+      (val) => !URL_DOMAIN_PATTERN.test(val),
+      "Links are not allowed for security reasons"
+    );
+  }
+  if (!allowHtml) {
+    return schema.refine(
+      (val) => !HTML_TAG_PATTERN.test(val),
+      "HTML tags are not allowed"
+    );
+  }
+  if (!allowUrls) {
+    return schema.refine(
+      (val) => !URL_PROTOCOL_PATTERN.test(val),
+      "Links are not allowed for security reasons"
+    ).refine(
+      (val) => !URL_DOMAIN_PATTERN.test(val),
+      "Links are not allowed for security reasons"
+    );
+  }
+  return schema;
+}
+var PaginationSchema = import_zod2.z.object({
+  page: import_zod2.z.coerce.number().int().positive().default(1),
+  limit: import_zod2.z.coerce.number().int().positive().max(100).default(20),
+  sortBy: import_zod2.z.string().optional(),
+  sortOrder: import_zod2.z.enum(["asc", "desc"]).default("desc")
+});
+var DateRangeSchema = import_zod2.z.object({
+  startDate: import_zod2.z.string().datetime(),
+  endDate: import_zod2.z.string().datetime()
+}).refine((data) => new Date(data.startDate) <= new Date(data.endDate), {
+  message: "Start date must be before end date"
+});
+var SearchQuerySchema = import_zod2.z.object({
+  query: import_zod2.z.string().min(1).max(200).trim(),
+  page: import_zod2.z.coerce.number().int().positive().default(1),
+  limit: import_zod2.z.coerce.number().int().positive().max(50).default(10)
+});
+var LoginSchema = import_zod2.z.object({
+  email: EmailSchema,
+  password: PasswordSchema
+});
+var SignupSchema = import_zod2.z.object({
+  email: EmailSchema,
+  password: PasswordSchema,
+  name: import_zod2.z.string().min(2).max(100).optional()
+});
+// src/auth/feature-flags.ts
+function detectStage() {
+  const stage = process.env.DEPLOYMENT_STAGE;
+  if (stage === "staging" || stage === "preview") return stage;
+  if (process.env.NODE_ENV === "production") return "production";
+  return "development";
+}
+function resolveFlagValue(value) {
+  if (typeof value === "boolean") return value;
+  const envValue = process.env[value.envVar];
+  if (envValue === void 0 || envValue === "") {
+    return value.default ?? false;
+  }
+  return envValue === "true" || envValue === "1";
+}
+function createFeatureFlags(definitions) {
+  return {
+    /**
+     * Resolve all flags for the current environment.
+     * Call this once at startup or per-request for dynamic flags.
+     */
+    resolve(stage) {
+      const currentStage = stage ?? detectStage();
+      const resolved = {};
+      for (const [key, def] of Object.entries(definitions)) {
+        const stageKey = currentStage === "preview" ? "staging" : currentStage;
+        resolved[key] = resolveFlagValue(def[stageKey]);
+      }
+      return resolved;
+    },
+    /**
+     * Check if a single flag is enabled.
+     */
+    isEnabled(flag, stage) {
+      const currentStage = stage ?? detectStage();
+      const def = definitions[flag];
+      const stageKey = currentStage === "preview" ? "staging" : currentStage;
+      return resolveFlagValue(def[stageKey]);
+    },
+    /**
+     * Get the flag definitions (for introspection/admin UI).
+     */
+    definitions
+  };
+}
+function buildAllowlist(config) {
+  const fromEnv = config.envVar ? process.env[config.envVar]?.split(",").map((e) => e.trim().toLowerCase()).filter(Boolean) ?? [] : [];
+  const fallback = config.fallback?.map((e) => e.toLowerCase()) ?? [];
+  return [.../* @__PURE__ */ new Set([...fromEnv, ...fallback])];
+}
+function isAllowlisted(email, allowlist) {
+  return allowlist.includes(email.toLowerCase());
+}
+// src/auth/rate-limiter.ts
+var CommonRateLimits = {
+  /** General API: 100/min, 200/min authenticated */
+  apiGeneral: {
+    limit: 100,
+    windowSeconds: 60,
+    authenticatedLimit: 200
+  },
+  /** Admin actions: 100/min */
+  adminAction: {
+    limit: 100,
+    windowSeconds: 60
+  },
+  /** Auth attempts: 10/15min with 30min block */
+  authAttempt: {
+    limit: 10,
+    windowSeconds: 900,
+    blockDurationSeconds: 1800
+  },
+  /** AI/expensive requests: 20/hour, 50/hour authenticated */
+  aiRequest: {
+    limit: 20,
+    windowSeconds: 3600,
+    authenticatedLimit: 50
+  },
+  /** Public form submissions: 5/hour with 1hr block */
+  publicForm: {
+    limit: 5,
+    windowSeconds: 3600,
+    blockDurationSeconds: 3600
+  },
+  /** Checkout/billing: 10/hour with 1hr block */
+  checkout: {
+    limit: 10,
+    windowSeconds: 3600,
+    blockDurationSeconds: 3600
+  }
+};
+function createMemoryRateLimitStore() {
+  const windows = /* @__PURE__ */ new Map();
+  const blocks = /* @__PURE__ */ new Map();
+  const cleanupInterval = setInterval(() => {
+    const now = Date.now();
+    for (const [key, entry] of windows) {
+      if (entry.expiresAt < now) windows.delete(key);
+    }
+    for (const [key, expiry] of blocks) {
+      if (expiry < now) blocks.delete(key);
+    }
+  }, 60 * 1e3);
+  if (cleanupInterval.unref) {
+    cleanupInterval.unref();
+  }
+  return {
+    async increment(key, windowMs, now) {
+      const windowStart = now - windowMs;
+      let entry = windows.get(key);
+      if (!entry) {
+        entry = { timestamps: [], expiresAt: now + windowMs + 6e4 };
+        windows.set(key, entry);
+      }
+      entry.timestamps = entry.timestamps.filter((t) => t > windowStart);
+      entry.timestamps.push(now);
+      entry.expiresAt = now + windowMs + 6e4;
+      return { count: entry.timestamps.length };
+    },
+    async isBlocked(key) {
+      const expiry = blocks.get(key);
+      if (!expiry || expiry < Date.now()) {
+        blocks.delete(key);
+        return { blocked: false, ttlMs: 0 };
+      }
+      return { blocked: true, ttlMs: expiry - Date.now() };
+    },
+    async setBlock(key, durationSeconds) {
+      blocks.set(key, Date.now() + durationSeconds * 1e3);
+    },
+    async reset(key) {
+      windows.delete(key);
+      blocks.delete(`block:${key}`);
+      blocks.delete(key);
+    }
+  };
+}
+var defaultStore;
+function getDefaultStore() {
+  if (!defaultStore) {
+    defaultStore = createMemoryRateLimitStore();
+  }
+  return defaultStore;
+}
+async function checkRateLimit(operation, identifier, rule, options = {}) {
+  const store = options.store ?? getDefaultStore();
+  const limit = options.isAuthenticated && rule.authenticatedLimit ? rule.authenticatedLimit : rule.limit;
+  const now = Date.now();
+  const windowMs = rule.windowSeconds * 1e3;
+  const resetAt = now + windowMs;
+  const key = `ratelimit:${operation}:${identifier}`;
+  const blockKey = `ratelimit:block:${operation}:${identifier}`;
+  try {
+    if (rule.blockDurationSeconds) {
+      const blockStatus = await store.isBlocked(blockKey);
+      if (blockStatus.blocked) {
+        return {
+          allowed: false,
+          remaining: 0,
+          resetAt: now + blockStatus.ttlMs,
+          current: limit + 1,
+          limit,
+          retryAfterSeconds: Math.ceil(blockStatus.ttlMs / 1e3)
+        };
+      }
+    }
+    const { count } = await store.increment(key, windowMs, now);
+    if (count > limit) {
+      options.logger?.warn("Rate limit exceeded", {
+        operation,
+        identifier,
+        current: count,
+        limit
+      });
+      if (rule.blockDurationSeconds) {
+        await store.setBlock(blockKey, rule.blockDurationSeconds);
+      }
+      return {
+        allowed: false,
+        remaining: 0,
+        resetAt,
+        current: count,
+        limit,
+        retryAfterSeconds: Math.ceil(windowMs / 1e3)
+      };
+    }
+    return {
+      allowed: true,
+      remaining: limit - count,
+      resetAt,
+      current: count,
+      limit,
+      retryAfterSeconds: 0
+    };
+  } catch (error) {
+    options.logger?.error("Rate limit check failed, allowing request", {
+      error: error instanceof Error ? error.message : String(error),
+      operation,
+      identifier
+    });
+    return {
+      allowed: true,
+      remaining: limit,
+      resetAt,
+      current: 0,
+      limit,
+      retryAfterSeconds: 0
+    };
+  }
+}
+async function getRateLimitStatus(operation, identifier, rule, store) {
+  const s = store ?? getDefaultStore();
+  const key = `ratelimit:${operation}:${identifier}`;
+  const now = Date.now();
+  const windowMs = rule.windowSeconds * 1e3;
+  try {
+    const { count } = await s.increment(key, windowMs, now);
+    return {
+      allowed: count <= rule.limit,
+      remaining: Math.max(0, rule.limit - count),
+      resetAt: now + windowMs,
+      current: count,
+      limit: rule.limit,
+      retryAfterSeconds: count > rule.limit ? Math.ceil(windowMs / 1e3) : 0
+    };
+  } catch {
+    return null;
+  }
+}
+async function resetRateLimitForKey(operation, identifier, store) {
+  const s = store ?? getDefaultStore();
+  const key = `ratelimit:${operation}:${identifier}`;
+  const blockKey = `ratelimit:block:${operation}:${identifier}`;
+  await s.reset(key);
+  await s.reset(blockKey);
+}
+function buildRateLimitResponseHeaders(result) {
+  const headers = {
+    "X-RateLimit-Limit": String(result.limit),
+    "X-RateLimit-Remaining": String(result.remaining),
+    "X-RateLimit-Reset": String(Math.ceil(result.resetAt / 1e3))
+  };
+  if (!result.allowed) {
+    headers["Retry-After"] = String(result.retryAfterSeconds);
+  }
+  return headers;
+}
+function resolveIdentifier(session, clientIp) {
+  if (session?.user?.id) {
+    return { identifier: `user:${session.user.id}`, isAuthenticated: true };
+  }
+  if (session?.user?.email) {
+    return {
+      identifier: `email:${session.user.email}`,
+      isAuthenticated: true
+    };
+  }
+  return { identifier: `ip:${clientIp ?? "unknown"}`, isAuthenticated: false };
+}
+// src/auth/audit.ts
+var StandardAuditActions = {
+  // Authentication
+  LOGIN_SUCCESS: "auth.login.success",
+  LOGIN_FAILURE: "auth.login.failure",
+  LOGOUT: "auth.logout",
+  SESSION_REFRESH: "auth.session.refresh",
+  PASSWORD_CHANGE: "auth.password.change",
+  PASSWORD_RESET: "auth.password.reset",
+  // Billing
+  CHECKOUT_START: "billing.checkout.start",
+  CHECKOUT_COMPLETE: "billing.checkout.complete",
+  SUBSCRIPTION_CREATE: "billing.subscription.create",
+  SUBSCRIPTION_CANCEL: "billing.subscription.cancel",
+  SUBSCRIPTION_UPDATE: "billing.subscription.update",
+  PAYMENT_FAILED: "billing.payment.failed",
+  // Admin
+  ADMIN_LOGIN: "admin.login",
+  ADMIN_USER_VIEW: "admin.user.view",
+  ADMIN_USER_UPDATE: "admin.user.update",
+  ADMIN_CONFIG_CHANGE: "admin.config.change",
+  // Security Events
+  RATE_LIMIT_EXCEEDED: "security.rate_limit.exceeded",
+  INVALID_INPUT: "security.input.invalid",
+  UNAUTHORIZED_ACCESS: "security.access.unauthorized",
+  OWNERSHIP_VIOLATION: "security.ownership.violation",
+  WEBHOOK_SIGNATURE_INVALID: "security.webhook.signature_invalid",
+  // Data
+  DATA_EXPORT: "data.export",
+  DATA_DELETE: "data.delete",
+  DATA_UPDATE: "data.update"
+};
+function extractAuditIp(request) {
+  if (!request) return void 0;
+  const headers = [
+    "cf-connecting-ip",
+    // Cloudflare
+    "x-real-ip",
+    // Nginx
+    "x-forwarded-for",
+    // Standard proxy
+    "x-client-ip"
+    // Apache
+  ];
+  for (const header of headers) {
+    const value = request.headers.get(header);
+    if (value) {
+      return value.split(",")[0]?.trim();
+    }
+  }
+  return void 0;
+}
+function extractAuditUserAgent(request) {
+  return request?.headers.get("user-agent") ?? void 0;
+}
+function extractAuditRequestId(request) {
+  return request?.headers.get("x-request-id") ?? crypto.randomUUID();
+}
+function createAuditActor(session) {
+  if (!session?.user) {
+    return { id: "anonymous", type: "anonymous" };
+  }
+  return {
+    id: session.user.id ?? session.user.email ?? "unknown",
+    email: session.user.email ?? void 0,
+    type: "user"
+  };
+}
+var defaultLogger = {
+  info: (msg, meta) => console.log(msg, meta ? JSON.stringify(meta) : ""),
+  warn: (msg, meta) => console.warn(msg, meta ? JSON.stringify(meta) : ""),
+  error: (msg, meta) => console.error(msg, meta ? JSON.stringify(meta) : "")
+};
+function createAuditLogger(options = {}) {
+  const { persist, logger = defaultLogger } = options;
+  async function log(event, request) {
+    const record = {
+      id: crypto.randomUUID(),
+      timestamp: (/* @__PURE__ */ new Date()).toISOString(),
+      ip: extractAuditIp(request),
+      userAgent: extractAuditUserAgent(request),
+      requestId: extractAuditRequestId(request),
+      ...event
+    };
+    const logFn = event.outcome === "failure" || event.outcome === "blocked" ? logger.warn : logger.info;
+    logFn(`[AUDIT] ${event.action}`, {
+      auditId: record.id,
+      actor: record.actor,
+      action: record.action,
+      resource: record.resource,
+      outcome: record.outcome,
+      ip: record.ip,
+      metadata: record.metadata,
+      reason: record.reason
+    });
+    if (persist) {
+      try {
+        await persist(record);
+      } catch (error) {
+        logger.error("Failed to persist audit log", {
+          error: error instanceof Error ? error.message : String(error),
+          auditId: record.id
+        });
+      }
+    }
+    return record;
+  }
+  function createTimedAudit(event, request) {
+    const startTime = Date.now();
+    return {
+      success: async (metadata) => {
+        return log(
+          {
+            ...event,
+            outcome: "success",
+            metadata: {
+              ...event.metadata,
+              ...metadata,
+              durationMs: Date.now() - startTime
+            }
+          },
+          request
+        );
+      },
+      failure: async (reason, metadata) => {
+        return log(
+          {
+            ...event,
+            outcome: "failure",
+            reason,
+            metadata: {
+              ...event.metadata,
+              ...metadata,
+              durationMs: Date.now() - startTime
+            }
+          },
+          request
+        );
+      },
+      blocked: async (reason, metadata) => {
+        return log(
+          {
+            ...event,
+            outcome: "blocked",
+            reason,
+            metadata: {
+              ...event.metadata,
+              ...metadata,
+              durationMs: Date.now() - startTime
+            }
+          },
+          request
+        );
+      }
+    };
+  }
+  return { log, createTimedAudit };
+}
 // src/http/health.ts
 function createHealthEndpoints(platform, options = {}) {
   const {
@@ -19091,7 +20029,7 @@ var MemoryAuditLog = class {
 };
 // src/adapters/memory/MemoryWebhook.ts
-var import_crypto27 = require("crypto");
+var import_crypto28 = require("crypto");
 var MemoryWebhook = class {
   endpoints = /* @__PURE__ */ new Map();
   deliveries = /* @__PURE__ */ new Map();
@@ -19478,7 +20416,7 @@ var MemoryWebhook = class {
     this.deliveries.set(delivery.id, delivery);
   }
   async executeDelivery(endpoint, event, attemptNumber) {
-    const attemptId = `att_${Date.now().toString(36)}${(0, import_crypto27.randomBytes)(4).toString("hex")}`;
+    const attemptId = `att_${Date.now().toString(36)}${(0, import_crypto28.randomBytes)(4).toString("hex")}`;
     const startTime = Date.now();
     if (this.config.simulatedDelay > 0) {
       await new Promise(
@@ -19532,7 +20470,7 @@ var MemoryWebhook = class {
     this.endpoints.set(endpoint.id, endpoint);
   }
   computeSignature(payload, secret, algorithm) {
-    return (0, import_crypto27.createHmac)(algorithm, secret).update(payload).digest("hex");
+    return (0, import_crypto28.createHmac)(algorithm, secret).update(payload).digest("hex");
   }
 };
@@ -19883,7 +20821,7 @@ var MemoryNotification = class {
 };
 // src/adapters/memory/MemoryScheduler.ts
-var import_crypto28 = require("crypto");
+var import_crypto29 = require("crypto");
 var MemoryScheduler = class {
   config;
   schedules = /* @__PURE__ */ new Map();
@@ -20167,7 +21105,7 @@ var MemoryScheduler = class {
     }
   }
   async executeSchedule(schedule) {
-    const executionId = `exec_${Date.now().toString(36)}${(0, import_crypto28.randomBytes)(4).toString("hex")}`;
+    const executionId = `exec_${Date.now().toString(36)}${(0, import_crypto29.randomBytes)(4).toString("hex")}`;
     const startedAt = (/* @__PURE__ */ new Date()).toISOString();
     const execution = {
       id: executionId,
@@ -20647,7 +21585,7 @@ CREATE INDEX IF NOT EXISTS idx_${tableName}_trace_id ON ${tableName}((context->>
 };
 // src/adapters/database/DatabaseErrorReporter.ts
-var import_crypto29 = require("crypto");
+var import_crypto30 = require("crypto");
 var DatabaseErrorReporter = class {
   db;
   errorsTable;
@@ -20942,7 +21880,7 @@ CREATE INDEX IF NOT EXISTS idx_${breadcrumbsTable}_error ON ${breadcrumbsTable}(
     if (report.breadcrumbs && report.breadcrumbs.length > 0) {
       for (const crumb of report.breadcrumbs) {
         await this.db.from(this.breadcrumbsTable).insert({
-          id: `bc_${Date.now().toString(36)}${(0, import_crypto29.randomBytes)(4).toString("hex")}`,
+          id: `bc_${Date.now().toString(36)}${(0, import_crypto30.randomBytes)(4).toString("hex")}`,
           error_id: report.id,
           category: crumb.category,
           message: crumb.message,
@@ -20982,7 +21920,7 @@ CREATE INDEX IF NOT EXISTS idx_${breadcrumbsTable}_error ON ${breadcrumbsTable}(
 };
 // src/adapters/database/DatabasePromptStore.ts
-var import_crypto30 = require("crypto");
+var import_crypto31 = require("crypto");
 var DatabasePromptStore = class {
   db;
   cache;
@@ -21122,7 +22060,7 @@ CREATE INDEX IF NOT EXISTS idx_${tablePrefix}usage_experiment ON ${tablePrefix}p
   // Prompt CRUD
   // ═══════════════════════════════════════════════════════════════
   async create(prompt) {
-    const id = `prompt_${Date.now()}_${(0, import_crypto30.randomBytes)(4).toString("hex")}`;
+    const id = `prompt_${Date.now()}_${(0, import_crypto31.randomBytes)(4).toString("hex")}`;
     const now = /* @__PURE__ */ new Date();
     const newPrompt = {
       ...prompt,
@@ -21150,7 +22088,7 @@ CREATE INDEX IF NOT EXISTS idx_${tablePrefix}usage_experiment ON ${tablePrefix}p
       created_by: newPrompt.createdBy,
       updated_by: newPrompt.updatedBy
     }).execute();
-    const versionId = `pv_${Date.now()}_${(0, import_crypto30.randomBytes)(4).toString("hex")}`;
+    const versionId = `pv_${Date.now()}_${(0, import_crypto31.randomBytes)(4).toString("hex")}`;
     await this.db.from(this.versionsTable).insert({
       id: versionId,
       prompt_id: id,
@@ -21219,7 +22157,7 @@ CREATE INDEX IF NOT EXISTS idx_${tablePrefix}usage_experiment ON ${tablePrefix}p
       await this.db.from(this.versionsTable).update({ is_latest: false }).where("prompt_id", "=", prompt.id).execute();
       const versionsResult = await this.db.from(this.versionsTable).where("prompt_id", "=", prompt.id).execute();
       const newVersionNum = versionsResult.data.length + 1;
-      const versionId = `pv_${Date.now()}_${(0, import_crypto30.randomBytes)(4).toString("hex")}`;
+      const versionId = `pv_${Date.now()}_${(0, import_crypto31.randomBytes)(4).toString("hex")}`;
       await this.db.from(this.versionsTable).insert({
         id: versionId,
         prompt_id: prompt.id,
@@ -21474,7 +22412,7 @@ ${v2.content}`;
   // A/B Testing
   // ═══════════════════════════════════════════════════════════════
   async createExperiment(experiment) {
-    const id = `exp_${Date.now()}_${(0, import_crypto30.randomBytes)(4).toString("hex")}`;
+    const id = `exp_${Date.now()}_${(0, import_crypto31.randomBytes)(4).toString("hex")}`;
     const now = /* @__PURE__ */ new Date();
     const newExperiment = {
       ...experiment,
@@ -21588,7 +22526,7 @@ ${v2.content}`;
   // Prompt Chains
   // ═══════════════════════════════════════════════════════════════
   async createChain(chain) {
-    const id = `chain_${Date.now()}_${(0, import_crypto30.randomBytes)(4).toString("hex")}`;
+    const id = `chain_${Date.now()}_${(0, import_crypto31.randomBytes)(4).toString("hex")}`;
     const now = /* @__PURE__ */ new Date();
     const newChain = {
       ...chain,
@@ -21686,7 +22624,7 @@ ${v2.content}`;
   // Usage & Analytics
   // ═══════════════════════════════════════════════════════════════
   async recordUsage(record) {
-    const id = `usage_${Date.now()}_${(0, import_crypto30.randomBytes)(4).toString("hex")}`;
+    const id = `usage_${Date.now()}_${(0, import_crypto31.randomBytes)(4).toString("hex")}`;
     const now = /* @__PURE__ */ new Date();
     const usageRecord = {
       ...record,
@@ -21872,9 +22810,9 @@ ${v2.content}`;
 };
 // src/adapters/database/DatabaseCompliance.ts
-var import_crypto31 = require("crypto");
+var import_crypto32 = require("crypto");
 function generateId(prefix) {
-  return `${prefix}_${Date.now()}_${(0, import_crypto31.randomBytes)(4).toString("hex")}`;
+  return `${prefix}_${Date.now()}_${(0, import_crypto32.randomBytes)(4).toString("hex")}`;
 }
 function toDate(value) {
   return value ? new Date(value) : void 0;
@@ -22065,7 +23003,7 @@ var DatabaseCompliance = class {
   async createDsar(options) {
     const id = generateId("dsar");
     const now = (/* @__PURE__ */ new Date()).toISOString();
-    const verificationToken = `verify_${(0, import_crypto31.randomBytes)(16).toString("hex")}`;
+    const verificationToken = `verify_${(0, import_crypto32.randomBytes)(16).toString("hex")}`;
     const result = await this.db.from("compliance_dsars").insert({
       id,
       type: options.type,
@@ -23004,7 +23942,7 @@ var DatabaseCompliance = class {
 };
 // src/adapters/database/DatabaseAIUsage.ts
-var import_crypto32 = require("crypto");
+var import_crypto33 = require("crypto");
 var DatabaseAIUsage = class {
   db;
   config;
@@ -23018,7 +23956,7 @@ var DatabaseAIUsage = class {
   // Usage Recording
   // ─────────────────────────────────────────────────────────────
   async record(record) {
-    const id = `usage_${Date.now()}_${(0, import_crypto32.randomBytes)(4).toString("hex")}`;
+    const id = `usage_${Date.now()}_${(0, import_crypto33.randomBytes)(4).toString("hex")}`;
     const now = /* @__PURE__ */ new Date();
     await this.db.from(`${this.prefix}records`).insert({
       id,
@@ -23125,7 +24063,7 @@ var DatabaseAIUsage = class {
       quota.category
     );
     const period = this.getPeriodBounds(quota.period, /* @__PURE__ */ new Date());
-    const id = existing?.id || `quota_${Date.now()}_${(0, import_crypto32.randomBytes)(4).toString("hex")}`;
+    const id = existing?.id || `quota_${Date.now()}_${(0, import_crypto33.randomBytes)(4).toString("hex")}`;
     const data = {
       id,
       tenant_id: quota.tenantId,
@@ -23262,7 +24200,7 @@ var DatabaseAIUsage = class {
       existingResult.data[0]
     ) : null;
     const period = this.getPeriodBounds(budget.period, /* @__PURE__ */ new Date());
-    const id = existing?.id || `budget_${Date.now()}_${(0, import_crypto32.randomBytes)(4).toString("hex")}`;
+    const id = existing?.id || `budget_${Date.now()}_${(0, import_crypto33.randomBytes)(4).toString("hex")}`;
     const data = {
       id,
       tenant_id: budget.tenantId,
@@ -23561,7 +24499,7 @@ var DatabaseAIUsage = class {
     }
     const items = Array.from(itemsMap.values());
     const subtotal = items.reduce((sum, item) => sum + item.costUsd, 0);
-    const id = `inv_${Date.now()}_${(0, import_crypto32.randomBytes)(4).toString("hex")}`;
+    const id = `inv_${Date.now()}_${(0, import_crypto33.randomBytes)(4).toString("hex")}`;
     const now = /* @__PURE__ */ new Date();
     await this.db.from(`${this.prefix}invoices`).insert({
       id,
@@ -23783,7 +24721,7 @@ var DatabaseAIUsage = class {
     }
   }
   async createAlert(tenantId, type, severity, message, metadata) {
-    const id = `alert_${Date.now()}_${(0, import_crypto32.randomBytes)(4).toString("hex")}`;
+    const id = `alert_${Date.now()}_${(0, import_crypto33.randomBytes)(4).toString("hex")}`;
     await this.db.from(`${this.prefix}alerts`).insert({
       id,
       tenant_id: tenantId,
@@ -23989,7 +24927,7 @@ var DatabaseAIUsage = class {
 };
 // src/adapters/database/DatabaseNotification.ts
-var import_crypto33 = require("crypto");
+var import_crypto34 = require("crypto");
 var DatabaseNotification = class {
   db;
   email;
@@ -24227,7 +25165,7 @@ var DatabaseNotification = class {
   // PUSH SUBSCRIPTIONS
   // ═══════════════════════════════════════════════════════════════
   async registerPushSubscription(userId, subscription) {
-    const id = `push_${Date.now()}_${(0, import_crypto33.randomBytes)(4).toString("hex")}`;
+    const id = `push_${Date.now()}_${(0, import_crypto34.randomBytes)(4).toString("hex")}`;
     const existing = await this.db.from(`${this.prefix}push_subscriptions`).where("user_id", "=", userId).where("endpoint", "=", subscription.endpoint).execute();
     if (existing.data && existing.data.length > 0) {
       await this.db.from(`${this.prefix}push_subscriptions`).where("user_id", "=", userId).where("endpoint", "=", subscription.endpoint).update({
@@ -24325,7 +25263,7 @@ var DatabaseNotification = class {
   // TOPICS
   // ═══════════════════════════════════════════════════════════════
   async subscribeToTopic(userId, topic) {
-    const id = `topic_${Date.now()}_${(0, import_crypto33.randomBytes)(4).toString("hex")}`;
+    const id = `topic_${Date.now()}_${(0, import_crypto34.randomBytes)(4).toString("hex")}`;
     const existing = await this.db.from(`${this.prefix}notification_topic_subs`).where("user_id", "=", userId).where("topic", "=", topic).execute();
     if (!existing.data || existing.data.length === 0) {
       await this.db.from(`${this.prefix}notification_topic_subs`).insert({
@@ -24406,7 +25344,7 @@ var DatabaseNotification = class {
   // PRIVATE HELPERS
   // ═══════════════════════════════════════════════════════════════
   async logDelivery(notificationId, channel, status, messageId, error) {
-    const id = `del_${Date.now()}_${(0, import_crypto33.randomBytes)(4).toString("hex")}`;
+    const id = `del_${Date.now()}_${(0, import_crypto34.randomBytes)(4).toString("hex")}`;
     try {
       await this.db.from(`${this.prefix}notification_delivery_log`).insert({
         id,
@@ -24468,7 +25406,7 @@ var DatabaseNotification = class {
 };
 // src/adapters/database/DatabaseBilling.ts
-var import_crypto34 = require("crypto");
+var import_crypto35 = require("crypto");
 var DatabaseBilling = class {
   db;
   prefix;
@@ -24491,7 +25429,7 @@ var DatabaseBilling = class {
     return `${this.prefix}${name}`;
   }
   generateId(prefix) {
-    return `${prefix}_${Date.now()}_${(0, import_crypto34.randomBytes)(4).toString("hex")}`;
+    return `${prefix}_${Date.now()}_${(0, import_crypto35.randomBytes)(4).toString("hex")}`;
   }
   // ─────────────────────────────────────────────────────────────
   // Product & Price Management
@@ -25989,7 +26927,7 @@ var DatabaseBilling = class {
 };
 // src/adapters/scheduler/QueueScheduler.ts
-var import_crypto35 = require("crypto");
+var import_crypto36 = require("crypto");
 var QueueScheduler = class {
   queue;
   db;
@@ -26405,7 +27343,7 @@ CREATE INDEX IF NOT EXISTS idx_${executionsTable}_started ON ${executionsTable}(
     }
   }
   async executeSchedule(schedule) {
-    const executionId = `exec_${Date.now().toString(36)}${(0, import_crypto35.randomBytes)(4).toString("hex")}`;
+    const executionId = `exec_${Date.now().toString(36)}${(0, import_crypto36.randomBytes)(4).toString("hex")}`;
     const startedAt = (/* @__PURE__ */ new Date()).toISOString();
     const execution = {
       id: executionId,
@@ -26568,7 +27506,7 @@ CREATE INDEX IF NOT EXISTS idx_${executionsTable}_started ON ${executionsTable}(
 };
 // src/adapters/webhook/HttpWebhook.ts
-var import_crypto36 = require("crypto");
+var import_crypto37 = require("crypto");
 var HttpWebhook = class {
   db;
   queue;
@@ -26917,7 +27855,7 @@ var HttpWebhook = class {
       if (providedBuffer.length !== expectedBuffer.length) {
         return { valid: false, error: "Invalid signature" };
       }
-      if (!(0, import_crypto36.timingSafeEqual)(providedBuffer, expectedBuffer)) {
+      if (!(0, import_crypto37.timingSafeEqual)(providedBuffer, expectedBuffer)) {
         return { valid: false, error: "Invalid signature" };
       }
     } catch {
@@ -27166,7 +28104,7 @@ CREATE INDEX IF NOT EXISTS idx_${attemptsTable}_delivery ON ${attemptsTable}(del
     await this.saveDelivery(delivery);
   }
   async executeDelivery(endpoint, event, attemptNumber) {
-    const attemptId = `att_${Date.now().toString(36)}${(0, import_crypto36.randomBytes)(4).toString("hex")}`;
+    const attemptId = `att_${Date.now().toString(36)}${(0, import_crypto37.randomBytes)(4).toString("hex")}`;
     const startTime = Date.now();
     const payloadStr = JSON.stringify(event);
     const signature = this.computeSignature(
@@ -27270,7 +28208,7 @@ CREATE INDEX IF NOT EXISTS idx_${attemptsTable}_delivery ON ${attemptsTable}(del
     await this.saveEndpoint(endpoint);
   }
   computeSignature(payload, secret, algorithm) {
-    return (0, import_crypto36.createHmac)(algorithm, secret).update(payload).digest("hex");
+    return (0, import_crypto37.createHmac)(algorithm, secret).update(payload).digest("hex");
   }
   endpointToRow(endpoint) {
     return {
@@ -29188,7 +30126,7 @@ var GenericOIDCAuthSSO = class {
 };
 // src/adapters/postgres-tenant/PostgresTenant.ts
-var import_crypto37 = require("crypto");
+var import_crypto38 = require("crypto");
 var tenantContextMap = /* @__PURE__ */ new Map();
 var contextIdCounter2 = 0;
 var currentContextId2 = null;
@@ -29970,7 +30908,273 @@ var PostgresTenant = class {
   }
 };
 function generateId2() {
-  return (0, import_crypto37.randomBytes)(8).toString("hex") + Date.now().toString(36);
+  return (0, import_crypto38.randomBytes)(8).toString("hex") + Date.now().toString(36);
+}
+// src/env.ts
+function getRequiredEnv(key) {
+  const value = process.env[key];
+  if (!value) {
+    throw new Error(`Missing required environment variable: ${key}`);
+  }
+  return value;
+}
+function getOptionalEnv(key, defaultValue) {
+  return process.env[key] || defaultValue;
+}
+function getBoolEnv(key, defaultValue = false) {
+  const value = process.env[key];
+  if (value === void 0 || value === "") return defaultValue;
+  return value === "true" || value === "1";
+}
+function getIntEnv(key, defaultValue) {
+  const value = process.env[key];
+  if (value === void 0 || value === "") return defaultValue;
+  const parsed = parseInt(value, 10);
+  return isNaN(parsed) ? defaultValue : parsed;
+}
+function validateEnvVars(config) {
+  const result = checkEnvVars(config);
+  if (!result.valid) {
+    const lines = [];
+    if (result.missing.length > 0) {
+      lines.push(
+        "Missing required environment variables:",
+        ...result.missing.map((v) => `  - ${v}`)
+      );
+    }
+    if (result.missingOneOf.length > 0) {
+      for (const group of result.missingOneOf) {
+        lines.push(`Missing one of: ${group.join(" | ")}`);
+      }
+    }
+    if (result.invalid.length > 0) {
+      lines.push(
+        "Invalid environment variables:",
+        ...result.invalid.map((v) => `  - ${v.key}: ${v.reason}`)
+      );
+    }
+    throw new Error(lines.join("\n"));
+  }
+}
+function checkEnvVars(config) {
+  const missing = [];
+  const invalid = [];
+  const missingOneOf = [];
+  if (config.required) {
+    for (const key of config.required) {
+      if (!process.env[key]) {
+        missing.push(key);
+      }
+    }
+  }
+  if (config.requireOneOf) {
+    for (const group of config.requireOneOf) {
+      const hasAny = group.some((key) => !!process.env[key]);
+      if (!hasAny) {
+        missingOneOf.push(group);
+      }
+    }
+  }
+  if (config.validators) {
+    for (const [key, validator] of Object.entries(config.validators)) {
+      const value = process.env[key];
+      if (value) {
+        const result = validator(value);
+        if (result !== true) {
+          invalid.push({ key, reason: result });
+        }
+      }
+    }
+  }
+  return {
+    valid: missing.length === 0 && invalid.length === 0 && missingOneOf.length === 0,
+    missing,
+    invalid,
+    missingOneOf
+  };
+}
+function getEnvSummary(keys) {
+  const summary = {};
+  for (const key of keys) {
+    summary[key] = !!process.env[key];
+  }
+  return summary;
+}
+// src/app-logger.ts
+var LEVEL_PRIORITY2 = {
+  debug: 0,
+  info: 1,
+  warn: 2,
+  error: 3
+};
+function defaultOutput(level, message, context) {
+  const isProduction = process.env.NODE_ENV === "production";
+  if (isProduction) {
+    const entry = { level, message, ...context };
+    const method = level === "error" ? "error" : level === "warn" ? "warn" : "log";
+    console[method](JSON.stringify(entry));
+  } else {
+    const prefix = `[${level.toUpperCase()}]`;
+    const ctx = Object.keys(context).length > 0 ? " " + JSON.stringify(context) : "";
+    const method = level === "error" ? "error" : level === "warn" ? "warn" : level === "debug" ? "debug" : "log";
+    console[method](`${prefix} ${message}${ctx}`);
+  }
+}
+var AppLoggerImpl = class _AppLoggerImpl {
+  baseContext;
+  minLevelPriority;
+  outputFn;
+  onErrorFn;
+  constructor(baseContext, options) {
+    this.baseContext = baseContext;
+    this.minLevelPriority = LEVEL_PRIORITY2[options.minLevel] ?? 0;
+    this.outputFn = options.output;
+    this.onErrorFn = options.onError;
+  }
+  log(level, message, context) {
+    if ((LEVEL_PRIORITY2[level] ?? 0) < this.minLevelPriority) return;
+    const merged = {
+      ...this.baseContext,
+      ...context,
+      timestamp: (/* @__PURE__ */ new Date()).toISOString()
+    };
+    this.outputFn(level, message, merged);
+  }
+  debug(message, context) {
+    this.log("debug", message, context);
+  }
+  info(message, context) {
+    this.log("info", message, context);
+  }
+  warn(message, context) {
+    this.log("warn", message, context);
+  }
+  error(message, context) {
+    this.log("error", message, context);
+    if (this.onErrorFn) {
+      try {
+        this.onErrorFn(message, { ...this.baseContext, ...context });
+      } catch {
+      }
+    }
+  }
+  child(context) {
+    return new _AppLoggerImpl(
+      { ...this.baseContext, ...context },
+      {
+        minLevel: Object.entries(LEVEL_PRIORITY2).find(
+          ([, v]) => v === this.minLevelPriority
+        )?.[0] ?? "debug",
+        output: this.outputFn,
+        onError: this.onErrorFn
+      }
+    );
+  }
+  forRequest(request, operation) {
+    const requestId = request.headers.get("x-request-id") ?? request.headers.get("x-correlation-id") ?? crypto.randomUUID();
+    let path;
+    try {
+      path = new URL(request.url).pathname;
+    } catch {
+      path = request.url;
+    }
+    return this.child({
+      requestId,
+      operation,
+      method: request.method,
+      path
+    });
+  }
+  forJob(jobType, jobId, context) {
+    return this.child({ jobType, jobId, ...context });
+  }
+  async timed(operation, fn, context) {
+    const opLogger = this.child({ operation, ...context });
+    opLogger.debug("Operation started");
+    const start = Date.now();
+    try {
+      const result = await fn();
+      opLogger.info("Operation completed", {
+        durationMs: Date.now() - start
+      });
+      return result;
+    } catch (error) {
+      opLogger.error("Operation failed", {
+        durationMs: Date.now() - start,
+        error: error instanceof Error ? error.message : String(error)
+      });
+      throw error;
+    }
+  }
+};
+function createAppLogger(options) {
+  const {
+    service,
+    minLevel = process.env.NODE_ENV === "production" ? "info" : "debug",
+    output = defaultOutput,
+    onError
+  } = options;
+  return new AppLoggerImpl({ service }, { minLevel, output, onError });
+}
+// src/redis-client.ts
+var import_ioredis = __toESM(require("ioredis"));
+function createRedisClient(options) {
+  const {
+    url,
+    keyPrefix,
+    maxRetries = 3,
+    lazyConnect = true,
+    silent = false
+  } = options;
+  const logger = options.logger ?? {
+    error: console.error
+  };
+  const client = new import_ioredis.default(url, {
+    keyPrefix,
+    maxRetriesPerRequest: maxRetries,
+    retryStrategy(times) {
+      if (times > maxRetries) return null;
+      return Math.min(times * 200, 2e3);
+    },
+    lazyConnect
+  });
+  if (!silent) {
+    client.on("error", (err) => {
+      logger.error("[redis] Connection error", { message: err.message });
+    });
+    if (logger.info) {
+      const logInfo = logger.info;
+      client.on("connect", () => {
+        logInfo("[redis] Connected");
+      });
+    }
+  }
+  if (lazyConnect) {
+    client.connect().catch(() => {
+    });
+  }
+  return client;
+}
+var sharedClient = null;
+function getSharedRedis() {
+  if (sharedClient) return sharedClient;
+  const url = process.env.REDIS_URL;
+  if (!url) return null;
+  sharedClient = createRedisClient({
+    url,
+    keyPrefix: process.env.REDIS_KEY_PREFIX,
+    silent: process.env.NODE_ENV === "test"
+  });
+  return sharedClient;
+}
+async function closeSharedRedis() {
+  if (sharedClient) {
+    await sharedClient.quit();
+    sharedClient = null;
+  }
 }
 // src/migrations/Migrator.ts
@@ -30750,6 +31954,7 @@ function getEnterpriseMigrations(features) {
   CircuitBreakerRegistry,
   CircuitOpenError,
   CommonApiErrors,
+  CommonRateLimits,
   ConsoleEmail,
   ConsoleLogger,
   CronPresets,
@@ -30766,17 +31971,21 @@ function getEnterpriseMigrations(features) {
   DatabaseNotification,
   DatabasePromptStore,
   DatabaseProviderSchema,
+  DateRangeSchema,
   DefaultTimeouts,
   EmailConfigSchema,
   EmailProviderSchema,
+  EmailSchema,
   EnvSecrets,
   FallbackStrategies,
   GenericOIDCAuthSSO,
   GoogleAIAdapter,
   HTML_TAG_PATTERN,
   HttpWebhook,
+  KEYCLOAK_DEFAULT_ROLES,
   LogLevelSchema,
   LoggingConfigSchema,
+  LoginSchema,
   MemoryAI,
   MemoryAIUsage,
   MemoryAuditLog,
@@ -30815,7 +32024,11 @@ function getEnterpriseMigrations(features) {
   ObservabilityConfigSchema,
   OpenAIAdapter,
   PG_ERROR_MAP,
+  PaginationSchema,
+  PasswordSchema,
   PaymentErrorMessages,
+  PersonNameSchema,
+  PhoneSchema,
   PineconeRAG,
   PlatformConfigSchema,
   PostgresDatabase,
@@ -30835,9 +32048,14 @@ function getEnterpriseMigrations(features) {
   RetryPredicates,
   S3Storage,
   SQL,
+  SearchQuerySchema,
   SecurityConfigSchema,
   SecurityHeaderPresets,
+  SignupSchema,
+  SlugSchema,
   SmtpEmail,
+  StandardAuditActions,
+  StandardRateLimitPresets,
   StorageConfigSchema,
   StorageProviderSchema,
   StripePayment,
@@ -30853,16 +32071,32 @@ function getEnterpriseMigrations(features) {
   UpstashCache,
   WeaviateRAG,
   WebhookEventTypes,
+  WrapperPresets,
+  buildAllowlist,
+  buildAuthCookies,
+  buildErrorBody,
+  buildKeycloakCallbacks,
   buildPagination,
+  buildRateLimitHeaders,
+  buildRateLimitResponseHeaders,
+  buildRedirectCallback,
+  buildTokenRefreshParams,
   calculateBackoff,
   calculateRetryDelay,
+  checkEnvVars,
+  checkRateLimit,
   classifyError,
+  closeSharedRedis,
   composeHookRegistries,
+  constantTimeEqual,
   containsHtml,
   containsUrls,
   correlationContext,
   createAIError,
   createAnthropicAdapter,
+  createAppLogger,
+  createAuditActor,
+  createAuditLogger,
   createAuthError,
   createBulkhead,
   createCacheMiddleware,
@@ -30873,6 +32107,7 @@ function getEnterpriseMigrations(features) {
   createErrorReport,
   createExpressHealthHandlers,
   createExpressMetricsHandler,
+  createFeatureFlags,
   createGoogleAIAdapter,
   createHealthEndpoints,
   createHealthServer,
@@ -30880,6 +32115,7 @@ function getEnterpriseMigrations(features) {
   createIpKeyGenerator,
   createJobContext,
   createLoggingMiddleware,
+  createMemoryRateLimitStore,
   createMetricsEndpoint,
   createMetricsMiddleware,
   createMetricsServer,
@@ -30893,8 +32129,10 @@ function getEnterpriseMigrations(features) {
   createPlatform,
   createPlatformAsync,
   createRateLimitMiddleware,
+  createRedisClient,
   createRequestContext,
   createRequestIdMiddleware,
+  createSafeTextSchema,
   createScopedMetrics,
   createSlowQueryMiddleware,
   createSsoOidcConfigsTable,
@@ -30911,8 +32149,13 @@ function getEnterpriseMigrations(features) {
   defangUrl,
   defineMigration,
   describeCron,
+  detectStage,
   enterpriseMigrations,
   escapeHtml,
+  extractAuditIp,
+  extractAuditRequestId,
+  extractAuditUserAgent,
+  extractClientIp,
   filterChannelsByPreferences,
   formatAmount,
   generateAuditId,
@@ -30930,37 +32173,58 @@ function getEnterpriseMigrations(features) {
   generateVersion,
   generateWebhookId,
   generateWebhookSecret,
+  getBoolEnv,
   getContext,
   getCorrelationId,
   getDefaultConfig,
+  getEndSessionEndpoint,
   getEnterpriseMigrations,
+  getEnvSummary,
+  getIntEnv,
   getLogMeta,
   getNextCronRun,
+  getOptionalEnv,
+  getRateLimitStatus,
   getRequestId,
+  getRequiredEnv,
+  getSharedRedis,
   getTenantId,
+  getTokenEndpoint,
   getTraceId,
   getUserId,
+  hasAllRoles,
+  hasAnyRole,
+  hasRole,
   isAIError,
+  isAllowlisted,
   isApiError,
   isAuthError,
   isInContext,
   isInQuietHours,
   isPaymentError,
+  isTokenExpired,
   isValidCron,
   loadConfig,
   matchAction,
   matchEventType,
+  parseKeycloakRoles,
   raceTimeout,
+  refreshKeycloakToken,
+  resetRateLimitForKey,
+  resolveIdentifier,
+  resolveRateLimitIdentifier,
   retryable,
   runWithContext,
   runWithContextAsync,
   safeValidateConfig,
+  sanitizeApiError,
   sanitizeForEmail,
   sqlMigration,
   stripHtml,
   timedHealthCheck,
   toHealthCheckResult,
   validateConfig,
+  validateEnvVars,
   withCorrelation,
   withCorrelationAsync,
   withFallback,