@digilogiclabs/platform-core 1.4.0 → 1.5.0

package/dist/index.mjs

@@ -1745,7 +1745,7 @@ var init_RedisCache = __esm({
        * Create a RedisCache from configuration
        */
       static async create(config) {
-        const { default: Redis } = await import("ioredis");
+        const { default: Redis2 } = await import("ioredis");
         let client;
         if (config.cluster) {
           const { Cluster } = await import("ioredis");
@@ -1758,7 +1758,7 @@ var init_RedisCache = __esm({
             }
           });
         } else if (config.sentinel) {
-          client = new Redis({
+          client = new Redis2({
             sentinels: config.sentinel.sentinels,
             name: config.sentinel.name,
             password: config.password,
@@ -1767,7 +1767,7 @@ var init_RedisCache = __esm({
           });
         } else {
           const options = toIORedisOptions(config);
-          client = typeof options === "string" ? new Redis(options) : new Redis(options);
+          client = typeof options === "string" ? new Redis2(options) : new Redis2(options);
         }
         if (!config.lazyConnect) {
           await new Promise((resolve, reject) => {
@@ -1901,9 +1901,9 @@ var init_RedisCache = __esm({
       }
       async subscribe(channel, callback) {
         if (!this.subscriberClient) {
-          const { default: Redis } = await import("ioredis");
+          const { default: Redis2 } = await import("ioredis");
           const options = toIORedisOptions(this.config);
-          this.subscriberClient = typeof options === "string" ? new Redis(options) : new Redis(options);
+          this.subscriberClient = typeof options === "string" ? new Redis2(options) : new Redis2(options);
           this.subscriberClient.on("message", (ch, message) => {
             const callbacks = this.subscriptions.get(ch);
             if (callbacks) {
@@ -6974,9 +6974,7 @@ var init_NodeCrypto = __esm({
           );
         }
         this.masterKey = Buffer.from(config.masterKey, "hex");
-        this.hmacKey = config.hmacKey ? Buffer.from(config.hmacKey, "hex") : Buffer.from(
-          hkdfSync("sha256", this.masterKey, "", "hmac-key", 32)
-        );
+        this.hmacKey = config.hmacKey ? Buffer.from(config.hmacKey, "hex") : Buffer.from(hkdfSync("sha256", this.masterKey, "", "hmac-key", 32));
         const keyId = this.generateKeyId();
         const dek = this.deriveDEK(keyId);
         this.keys.set(keyId, {
@@ -14095,7 +14093,9 @@ var RAGConfigSchema = z.object({
 var CryptoConfigSchema = z.object({
   enabled: z.boolean().default(false).describe("Enable field-level encryption"),
   masterKey: z.string().optional().describe("256-bit master key as hex (64 chars). Required when enabled."),
-  hmacKey: z.string().optional().describe("HMAC key for deterministic hashing (derived from master key if not provided)")
+  hmacKey: z.string().optional().describe(
+    "HMAC key for deterministic hashing (derived from master key if not provided)"
+  )
 }).refine(
   (data) => {
     if (data.enabled) {
@@ -15416,7 +15416,12 @@ init_IAI();
 init_IRAG();
 
 // src/adapters/memory/MemoryCrypto.ts
-import { randomBytes as randomBytes21, createCipheriv, createDecipheriv, createHmac } from "crypto";
+import {
+  randomBytes as randomBytes21,
+  createCipheriv,
+  createDecipheriv,
+  createHmac
+} from "crypto";
 var MemoryCrypto = class {
   keys = /* @__PURE__ */ new Map();
   activeKeyId;
@@ -15610,9 +15615,9 @@ async function createCacheAdapter(config) {
           "Upstash requires UPSTASH_REDIS_REST_URL and UPSTASH_REDIS_REST_TOKEN environment variables"
         );
       }
-      const { Redis } = await import("@upstash/redis");
+      const { Redis: Redis2 } = await import("@upstash/redis");
       const { UpstashCache: UpstashCache2 } = await Promise.resolve().then(() => (init_UpstashCache(), UpstashCache_exports));
-      const client = new Redis({
+      const client = new Redis2({
         url: config.cache.upstashUrl,
         token: config.cache.upstashToken
       });
@@ -15911,15 +15916,17 @@ function validateTlsSecurity(config) {
 async function createPlatformAsync(config) {
   const finalConfig = config ? deepMerge(loadConfig(), config) : loadConfig();
   validateTlsSecurity(finalConfig);
-  const [db, cache, storage, email, queue, tracing, crypto2] = await Promise.all([
-    createDatabaseAdapter(finalConfig),
-    createCacheAdapter(finalConfig),
-    createStorageAdapter(finalConfig),
-    createEmailAdapter(finalConfig),
-    createQueueAdapter(finalConfig),
-    createTracingAdapter(finalConfig),
-    createCryptoAdapter(finalConfig)
-  ]);
+  const [db, cache, storage, email, queue, tracing, crypto2] = await Promise.all(
+    [
+      createDatabaseAdapter(finalConfig),
+      createCacheAdapter(finalConfig),
+      createStorageAdapter(finalConfig),
+      createEmailAdapter(finalConfig),
+      createQueueAdapter(finalConfig),
+      createTracingAdapter(finalConfig),
+      createCryptoAdapter(finalConfig)
+    ]
+  );
   const logger = createLogger(finalConfig);
   const metrics = createMetrics(finalConfig);
   const ai = await createAIAdapter(finalConfig);
@@ -17499,6 +17506,7 @@ var FallbackStrategies = {
 };
 
 // src/security.ts
+import { timingSafeEqual } from "crypto";
 var URL_PROTOCOL_PATTERN = /(https?:\/\/|ftp:\/\/|www\.)\S+/i;
 var URL_DOMAIN_PATTERN = /\b[\w.-]+\.(com|net|org|io|co|dev|app|xyz|info|biz|me|us|uk|edu|gov)\b/i;
 var HTML_TAG_PATTERN = /<[^>]*>/;
@@ -17523,6 +17531,37 @@ function defangUrl(str) {
 function sanitizeForEmail(str) {
   return escapeHtml(str);
 }
+function constantTimeEqual(a, b) {
+  try {
+    const aBuf = Buffer.from(a, "utf-8");
+    const bBuf = Buffer.from(b, "utf-8");
+    if (aBuf.length !== bBuf.length) return false;
+    return timingSafeEqual(aBuf, bBuf);
+  } catch {
+    return false;
+  }
+}
+function sanitizeApiError(error, statusCode, isDevelopment = false) {
+  if (statusCode >= 400 && statusCode < 500) {
+    const message = error instanceof Error ? error.message : String(error || "Bad request");
+    return { message };
+  }
+  const result = {
+    message: "An internal error occurred. Please try again later.",
+    code: "INTERNAL_ERROR"
+  };
+  if (isDevelopment && error instanceof Error) {
+    result.stack = error.stack;
+  }
+  return result;
+}
+function getCorrelationId2(headers) {
+  const get = typeof headers === "function" ? headers : (name) => {
+    const val = headers[name] ?? headers[name.toLowerCase()];
+    return Array.isArray(val) ? val[0] : val;
+  };
+  return get("x-request-id") || get("X-Request-ID") || get("x-correlation-id") || get("X-Correlation-ID") || crypto.randomUUID();
+}
 
 // src/security-headers.ts
 var SecurityHeaderPresets = {
@@ -17756,6 +17795,850 @@ function buildPagination(page, limit, total) {
   };
 }
 
+// src/auth/keycloak.ts
+var KEYCLOAK_DEFAULT_ROLES = [
+  "offline_access",
+  "uma_authorization"
+];
+function parseKeycloakRoles(accessToken, additionalDefaultRoles = []) {
+  if (!accessToken) return [];
+  try {
+    const parts = accessToken.split(".");
+    if (parts.length !== 3) return [];
+    const payload = parts[1];
+    const decoded = JSON.parse(atob(payload));
+    const realmRoles = decoded.realm_roles ?? decoded.realm_access?.roles;
+    if (!Array.isArray(realmRoles)) return [];
+    const filterSet = /* @__PURE__ */ new Set([
+      ...KEYCLOAK_DEFAULT_ROLES,
+      ...additionalDefaultRoles
+    ]);
+    return realmRoles.filter(
+      (role) => typeof role === "string" && !filterSet.has(role)
+    );
+  } catch {
+    return [];
+  }
+}
+function hasRole(roles, role) {
+  return roles?.includes(role) ?? false;
+}
+function hasAnyRole(roles, requiredRoles) {
+  if (!roles || roles.length === 0) return false;
+  return requiredRoles.some((role) => roles.includes(role));
+}
+function hasAllRoles(roles, requiredRoles) {
+  if (!roles || roles.length === 0) return false;
+  return requiredRoles.every((role) => roles.includes(role));
+}
+function isTokenExpired(expiresAt, bufferMs = 6e4) {
+  if (!expiresAt) return true;
+  return Date.now() >= expiresAt - bufferMs;
+}
+function buildTokenRefreshParams(config, refreshToken) {
+  return new URLSearchParams({
+    grant_type: "refresh_token",
+    client_id: config.clientId,
+    client_secret: config.clientSecret,
+    refresh_token: refreshToken
+  });
+}
+function getTokenEndpoint(issuer) {
+  const base = issuer.endsWith("/") ? issuer.slice(0, -1) : issuer;
+  return `${base}/protocol/openid-connect/token`;
+}
+function getEndSessionEndpoint(issuer) {
+  const base = issuer.endsWith("/") ? issuer.slice(0, -1) : issuer;
+  return `${base}/protocol/openid-connect/logout`;
+}
+async function refreshKeycloakToken(config, refreshToken, additionalDefaultRoles) {
+  try {
+    const endpoint = getTokenEndpoint(config.issuer);
+    const params = buildTokenRefreshParams(config, refreshToken);
+    const response = await fetch(endpoint, {
+      method: "POST",
+      headers: { "Content-Type": "application/x-www-form-urlencoded" },
+      body: params
+    });
+    if (!response.ok) {
+      const body = await response.text().catch(() => "");
+      return {
+        ok: false,
+        error: `Token refresh failed: HTTP ${response.status} - ${body}`
+      };
+    }
+    const data = await response.json();
+    return {
+      ok: true,
+      tokens: {
+        accessToken: data.access_token,
+        refreshToken: data.refresh_token ?? refreshToken,
+        idToken: data.id_token,
+        expiresAt: Date.now() + data.expires_in * 1e3,
+        roles: parseKeycloakRoles(data.access_token, additionalDefaultRoles)
+      }
+    };
+  } catch (error) {
+    return {
+      ok: false,
+      error: error instanceof Error ? error.message : "Token refresh failed"
+    };
+  }
+}
+
+// src/auth/nextjs-keycloak.ts
+function buildAuthCookies(config = {}) {
+  const { domain, sessionToken = true, callbackUrl = true } = config;
+  const isProduction = process.env.NODE_ENV === "production";
+  const cookieDomain = isProduction ? domain : void 0;
+  const baseOptions = {
+    httpOnly: true,
+    sameSite: "lax",
+    path: "/",
+    secure: isProduction,
+    domain: cookieDomain
+  };
+  const cookies = {
+    pkceCodeVerifier: {
+      name: "authjs.pkce.code_verifier",
+      options: { ...baseOptions }
+    },
+    state: {
+      name: "authjs.state",
+      options: { ...baseOptions }
+    }
+  };
+  if (sessionToken) {
+    cookies.sessionToken = {
+      name: isProduction ? "__Secure-authjs.session-token" : "authjs.session-token",
+      options: { ...baseOptions }
+    };
+  }
+  if (callbackUrl) {
+    cookies.callbackUrl = {
+      name: isProduction ? "__Secure-authjs.callback-url" : "authjs.callback-url",
+      options: { ...baseOptions }
+    };
+  }
+  return cookies;
+}
+function buildRedirectCallback(config = {}) {
+  const { allowWwwVariant = false } = config;
+  return async ({ url, baseUrl }) => {
+    if (url.startsWith("/")) return `${baseUrl}${url}`;
+    try {
+      if (new URL(url).origin === baseUrl) return url;
+    } catch {
+      return baseUrl;
+    }
+    if (allowWwwVariant) {
+      try {
+        const urlHost = new URL(url).hostname;
+        const baseHost = new URL(baseUrl).hostname;
+        if (urlHost === `www.${baseHost}` || baseHost === `www.${urlHost}`) {
+          return url;
+        }
+      } catch {
+      }
+    }
+    return baseUrl;
+  };
+}
+function buildKeycloakCallbacks(config) {
+  const {
+    issuer,
+    clientId,
+    clientSecret,
+    defaultRoles = [],
+    debug = process.env.NODE_ENV === "development"
+  } = config;
+  const kcConfig = { issuer, clientId, clientSecret };
+  function log(message, meta) {
+    if (debug) {
+      console.log(`[Auth] ${message}`, meta ? JSON.stringify(meta) : "");
+    }
+  }
+  return {
+    /**
+     * JWT callback — stores Keycloak tokens and handles refresh.
+     *
+     * Compatible with Auth.js v5 JWT callback signature.
+     */
+    async jwt({
+      token,
+      user,
+      account
+    }) {
+      if (user) {
+        token.id = token.sub ?? user.id;
+      }
+      if (account?.provider === "keycloak") {
+        token.accessToken = account.access_token;
+        token.refreshToken = account.refresh_token;
+        token.idToken = account.id_token;
+        token.roles = parseKeycloakRoles(
+          account.access_token,
+          defaultRoles
+        );
+        token.accessTokenExpires = account.expires_at ? account.expires_at * 1e3 : Date.now() + 3e5;
+        return token;
+      }
+      if (!isTokenExpired(token.accessTokenExpires)) {
+        return token;
+      }
+      if (token.refreshToken) {
+        log("Token expired, attempting refresh...");
+        const result = await refreshKeycloakToken(
+          kcConfig,
+          token.refreshToken,
+          defaultRoles
+        );
+        if (result.ok) {
+          token.accessToken = result.tokens.accessToken;
+          token.idToken = result.tokens.idToken ?? token.idToken;
+          token.refreshToken = result.tokens.refreshToken ?? token.refreshToken;
+          token.accessTokenExpires = result.tokens.expiresAt;
+          token.roles = result.tokens.roles;
+          delete token.error;
+          log("Token refreshed OK");
+          return token;
+        }
+        log("Token refresh failed", { error: result.error });
+        return { ...token, error: "RefreshTokenError" };
+      }
+      log("Token expired but no refresh token available");
+      return { ...token, error: "RefreshTokenError" };
+    },
+    /**
+     * Session callback — maps JWT fields to the session object.
+     *
+     * Compatible with Auth.js v5 session callback signature.
+     */
+    async session({
+      session,
+      token
+    }) {
+      const user = session.user;
+      if (user) {
+        user.id = token.id || token.sub;
+        user.roles = token.roles || [];
+      }
+      session.idToken = token.idToken;
+      session.accessToken = token.accessToken;
+      if (token.error) {
+        session.error = token.error;
+      }
+      return session;
+    }
+  };
+}
+
+// src/auth/api-security.ts
+var StandardRateLimitPresets = {
+  /** General API: 100/min, 200/min authenticated */
+  apiGeneral: {
+    limit: 100,
+    windowSeconds: 60,
+    authenticatedLimit: 200
+  },
+  /** Admin operations: 100/min (admins are trusted) */
+  adminAction: {
+    limit: 100,
+    windowSeconds: 60
+  },
+  /** AI/expensive operations: 20/hour, 50/hour authenticated */
+  aiRequest: {
+    limit: 20,
+    windowSeconds: 3600,
+    authenticatedLimit: 50
+  },
+  /** Auth attempts: 5/15min with 15min block */
+  authAttempt: {
+    limit: 5,
+    windowSeconds: 900,
+    blockDurationSeconds: 900
+  },
+  /** Contact/public forms: 10/hour */
+  publicForm: {
+    limit: 10,
+    windowSeconds: 3600,
+    blockDurationSeconds: 1800
+  },
+  /** Checkout/billing: 10/hour with 1hr block */
+  checkout: {
+    limit: 10,
+    windowSeconds: 3600,
+    blockDurationSeconds: 3600
+  }
+};
+function resolveRateLimitIdentifier(session, clientIp) {
+  if (session?.user?.id) {
+    return { identifier: `user:${session.user.id}`, isAuthenticated: true };
+  }
+  if (session?.user?.email) {
+    return {
+      identifier: `email:${session.user.email}`,
+      isAuthenticated: true
+    };
+  }
+  return { identifier: `ip:${clientIp}`, isAuthenticated: false };
+}
+function extractClientIp(getHeader) {
+  return getHeader("cf-connecting-ip") || getHeader("x-real-ip") || getHeader("x-forwarded-for")?.split(",")[0]?.trim() || "unknown";
+}
+function buildRateLimitHeaders(limit, remaining, resetAtMs) {
+  return {
+    "X-RateLimit-Limit": String(limit),
+    "X-RateLimit-Remaining": String(Math.max(0, remaining)),
+    "X-RateLimit-Reset": String(Math.ceil(resetAtMs / 1e3))
+  };
+}
+function buildErrorBody(error, extra) {
+  return { error, ...extra };
+}
+var WrapperPresets = {
+  /** Public route: no auth, rate limited */
+  public: {
+    requireAuth: false,
+    requireAdmin: false,
+    rateLimit: "apiGeneral"
+  },
+  /** Authenticated route: requires session */
+  authenticated: {
+    requireAuth: true,
+    requireAdmin: false,
+    rateLimit: "apiGeneral"
+  },
+  /** Admin route: requires session with admin role */
+  admin: {
+    requireAuth: true,
+    requireAdmin: true,
+    rateLimit: "adminAction"
+  },
+  /** Legacy admin: accepts session OR bearer token */
+  legacyAdmin: {
+    requireAuth: true,
+    requireAdmin: true,
+    allowBearerToken: true,
+    rateLimit: "adminAction"
+  },
+  /** AI/expensive: requires auth, strict rate limit */
+  ai: {
+    requireAuth: true,
+    requireAdmin: false,
+    rateLimit: "aiRequest"
+  },
+  /** Cron: no rate limit, admin-level access */
+  cron: {
+    requireAuth: true,
+    requireAdmin: false,
+    skipRateLimit: true,
+    skipAudit: false
+  }
+};
+
+// src/auth/schemas.ts
+import { z as z2 } from "zod";
+var EmailSchema = z2.string().trim().toLowerCase().email("Invalid email address");
+var PasswordSchema = z2.string().min(8, "Password must be at least 8 characters").max(100, "Password must be less than 100 characters");
+var SlugSchema = z2.string().min(1, "Slug is required").max(100, "Slug must be less than 100 characters").regex(
+  /^[a-z0-9-]+$/,
+  "Slug can only contain lowercase letters, numbers, and hyphens"
+);
+var PhoneSchema = z2.string().regex(/^[\d\s()+.\-]{7,20}$/, "Invalid phone number format");
+var PersonNameSchema = z2.string().min(2, "Name must be at least 2 characters").max(100, "Name must be less than 100 characters").regex(
+  /^[a-zA-Z\s\-']+$/,
+  "Name can only contain letters, spaces, hyphens and apostrophes"
+);
+function createSafeTextSchema(options) {
+  const {
+    min,
+    max,
+    allowHtml = false,
+    allowUrls = false,
+    fieldName = "Text"
+  } = options ?? {};
+  let schema = z2.string();
+  if (min !== void 0)
+    schema = schema.min(min, `${fieldName} must be at least ${min} characters`);
+  if (max !== void 0)
+    schema = schema.max(
+      max,
+      `${fieldName} must be less than ${max} characters`
+    );
+  if (!allowHtml && !allowUrls) {
+    return schema.refine((val) => !HTML_TAG_PATTERN.test(val), "HTML tags are not allowed").refine(
+      (val) => !URL_PROTOCOL_PATTERN.test(val),
+      "Links are not allowed for security reasons"
+    ).refine(
+      (val) => !URL_DOMAIN_PATTERN.test(val),
+      "Links are not allowed for security reasons"
+    );
+  }
+  if (!allowHtml) {
+    return schema.refine(
+      (val) => !HTML_TAG_PATTERN.test(val),
+      "HTML tags are not allowed"
+    );
+  }
+  if (!allowUrls) {
+    return schema.refine(
+      (val) => !URL_PROTOCOL_PATTERN.test(val),
+      "Links are not allowed for security reasons"
+    ).refine(
+      (val) => !URL_DOMAIN_PATTERN.test(val),
+      "Links are not allowed for security reasons"
+    );
+  }
+  return schema;
+}
+var PaginationSchema = z2.object({
+  page: z2.coerce.number().int().positive().default(1),
+  limit: z2.coerce.number().int().positive().max(100).default(20),
+  sortBy: z2.string().optional(),
+  sortOrder: z2.enum(["asc", "desc"]).default("desc")
+});
+var DateRangeSchema = z2.object({
+  startDate: z2.string().datetime(),
+  endDate: z2.string().datetime()
+}).refine((data) => new Date(data.startDate) <= new Date(data.endDate), {
+  message: "Start date must be before end date"
+});
+var SearchQuerySchema = z2.object({
+  query: z2.string().min(1).max(200).trim(),
+  page: z2.coerce.number().int().positive().default(1),
+  limit: z2.coerce.number().int().positive().max(50).default(10)
+});
+var LoginSchema = z2.object({
+  email: EmailSchema,
+  password: PasswordSchema
+});
+var SignupSchema = z2.object({
+  email: EmailSchema,
+  password: PasswordSchema,
+  name: z2.string().min(2).max(100).optional()
+});
+
+// src/auth/feature-flags.ts
+function detectStage() {
+  const stage = process.env.DEPLOYMENT_STAGE;
+  if (stage === "staging" || stage === "preview") return stage;
+  if (process.env.NODE_ENV === "production") return "production";
+  return "development";
+}
+function resolveFlagValue(value) {
+  if (typeof value === "boolean") return value;
+  const envValue = process.env[value.envVar];
+  if (envValue === void 0 || envValue === "") {
+    return value.default ?? false;
+  }
+  return envValue === "true" || envValue === "1";
+}
+function createFeatureFlags(definitions) {
+  return {
+    /**
+     * Resolve all flags for the current environment.
+     * Call this once at startup or per-request for dynamic flags.
+     */
+    resolve(stage) {
+      const currentStage = stage ?? detectStage();
+      const resolved = {};
+      for (const [key, def] of Object.entries(definitions)) {
+        const stageKey = currentStage === "preview" ? "staging" : currentStage;
+        resolved[key] = resolveFlagValue(def[stageKey]);
+      }
+      return resolved;
+    },
+    /**
+     * Check if a single flag is enabled.
+     */
+    isEnabled(flag, stage) {
+      const currentStage = stage ?? detectStage();
+      const def = definitions[flag];
+      const stageKey = currentStage === "preview" ? "staging" : currentStage;
+      return resolveFlagValue(def[stageKey]);
+    },
+    /**
+     * Get the flag definitions (for introspection/admin UI).
+     */
+    definitions
+  };
+}
+function buildAllowlist(config) {
+  const fromEnv = config.envVar ? process.env[config.envVar]?.split(",").map((e) => e.trim().toLowerCase()).filter(Boolean) ?? [] : [];
+  const fallback = config.fallback?.map((e) => e.toLowerCase()) ?? [];
+  return [.../* @__PURE__ */ new Set([...fromEnv, ...fallback])];
+}
+function isAllowlisted(email, allowlist) {
+  return allowlist.includes(email.toLowerCase());
+}
+
+// src/auth/rate-limiter.ts
+var CommonRateLimits = {
+  /** General API: 100/min, 200/min authenticated */
+  apiGeneral: {
+    limit: 100,
+    windowSeconds: 60,
+    authenticatedLimit: 200
+  },
+  /** Admin actions: 100/min */
+  adminAction: {
+    limit: 100,
+    windowSeconds: 60
+  },
+  /** Auth attempts: 10/15min with 30min block */
+  authAttempt: {
+    limit: 10,
+    windowSeconds: 900,
+    blockDurationSeconds: 1800
+  },
+  /** AI/expensive requests: 20/hour, 50/hour authenticated */
+  aiRequest: {
+    limit: 20,
+    windowSeconds: 3600,
+    authenticatedLimit: 50
+  },
+  /** Public form submissions: 5/hour with 1hr block */
+  publicForm: {
+    limit: 5,
+    windowSeconds: 3600,
+    blockDurationSeconds: 3600
+  },
+  /** Checkout/billing: 10/hour with 1hr block */
+  checkout: {
+    limit: 10,
+    windowSeconds: 3600,
+    blockDurationSeconds: 3600
+  }
+};
+function createMemoryRateLimitStore() {
+  const windows = /* @__PURE__ */ new Map();
+  const blocks = /* @__PURE__ */ new Map();
+  const cleanupInterval = setInterval(() => {
+    const now = Date.now();
+    for (const [key, entry] of windows) {
+      if (entry.expiresAt < now) windows.delete(key);
+    }
+    for (const [key, expiry] of blocks) {
+      if (expiry < now) blocks.delete(key);
+    }
+  }, 60 * 1e3);
+  if (cleanupInterval.unref) {
+    cleanupInterval.unref();
+  }
+  return {
+    async increment(key, windowMs, now) {
+      const windowStart = now - windowMs;
+      let entry = windows.get(key);
+      if (!entry) {
+        entry = { timestamps: [], expiresAt: now + windowMs + 6e4 };
+        windows.set(key, entry);
+      }
+      entry.timestamps = entry.timestamps.filter((t) => t > windowStart);
+      entry.timestamps.push(now);
+      entry.expiresAt = now + windowMs + 6e4;
+      return { count: entry.timestamps.length };
+    },
+    async isBlocked(key) {
+      const expiry = blocks.get(key);
+      if (!expiry || expiry < Date.now()) {
+        blocks.delete(key);
+        return { blocked: false, ttlMs: 0 };
+      }
+      return { blocked: true, ttlMs: expiry - Date.now() };
+    },
+    async setBlock(key, durationSeconds) {
+      blocks.set(key, Date.now() + durationSeconds * 1e3);
+    },
+    async reset(key) {
+      windows.delete(key);
+      blocks.delete(`block:${key}`);
+      blocks.delete(key);
+    }
+  };
+}
+var defaultStore;
+function getDefaultStore() {
+  if (!defaultStore) {
+    defaultStore = createMemoryRateLimitStore();
+  }
+  return defaultStore;
+}
+async function checkRateLimit(operation, identifier, rule, options = {}) {
+  const store = options.store ?? getDefaultStore();
+  const limit = options.isAuthenticated && rule.authenticatedLimit ? rule.authenticatedLimit : rule.limit;
+  const now = Date.now();
+  const windowMs = rule.windowSeconds * 1e3;
+  const resetAt = now + windowMs;
+  const key = `ratelimit:${operation}:${identifier}`;
+  const blockKey = `ratelimit:block:${operation}:${identifier}`;
+  try {
+    if (rule.blockDurationSeconds) {
+      const blockStatus = await store.isBlocked(blockKey);
+      if (blockStatus.blocked) {
+        return {
+          allowed: false,
+          remaining: 0,
+          resetAt: now + blockStatus.ttlMs,
+          current: limit + 1,
+          limit,
+          retryAfterSeconds: Math.ceil(blockStatus.ttlMs / 1e3)
+        };
+      }
+    }
+    const { count } = await store.increment(key, windowMs, now);
+    if (count > limit) {
+      options.logger?.warn("Rate limit exceeded", {
+        operation,
+        identifier,
+        current: count,
+        limit
+      });
+      if (rule.blockDurationSeconds) {
+        await store.setBlock(blockKey, rule.blockDurationSeconds);
+      }
+      return {
+        allowed: false,
+        remaining: 0,
+        resetAt,
+        current: count,
+        limit,
+        retryAfterSeconds: Math.ceil(windowMs / 1e3)
+      };
+    }
+    return {
+      allowed: true,
+      remaining: limit - count,
+      resetAt,
+      current: count,
+      limit,
+      retryAfterSeconds: 0
+    };
+  } catch (error) {
+    options.logger?.error("Rate limit check failed, allowing request", {
+      error: error instanceof Error ? error.message : String(error),
+      operation,
+      identifier
+    });
+    return {
+      allowed: true,
+      remaining: limit,
+      resetAt,
+      current: 0,
+      limit,
+      retryAfterSeconds: 0
+    };
+  }
+}
+async function getRateLimitStatus(operation, identifier, rule, store) {
+  const s = store ?? getDefaultStore();
+  const key = `ratelimit:${operation}:${identifier}`;
+  const now = Date.now();
+  const windowMs = rule.windowSeconds * 1e3;
+  try {
+    const { count } = await s.increment(key, windowMs, now);
+    return {
+      allowed: count <= rule.limit,
+      remaining: Math.max(0, rule.limit - count),
+      resetAt: now + windowMs,
+      current: count,
+      limit: rule.limit,
+      retryAfterSeconds: count > rule.limit ? Math.ceil(windowMs / 1e3) : 0
+    };
+  } catch {
+    return null;
+  }
+}
+async function resetRateLimitForKey(operation, identifier, store) {
+  const s = store ?? getDefaultStore();
+  const key = `ratelimit:${operation}:${identifier}`;
+  const blockKey = `ratelimit:block:${operation}:${identifier}`;
+  await s.reset(key);
+  await s.reset(blockKey);
+}
+function buildRateLimitResponseHeaders(result) {
+  const headers = {
+    "X-RateLimit-Limit": String(result.limit),
+    "X-RateLimit-Remaining": String(result.remaining),
+    "X-RateLimit-Reset": String(Math.ceil(result.resetAt / 1e3))
+  };
+  if (!result.allowed) {
+    headers["Retry-After"] = String(result.retryAfterSeconds);
+  }
+  return headers;
+}
+function resolveIdentifier(session, clientIp) {
+  if (session?.user?.id) {
+    return { identifier: `user:${session.user.id}`, isAuthenticated: true };
+  }
+  if (session?.user?.email) {
+    return {
+      identifier: `email:${session.user.email}`,
+      isAuthenticated: true
+    };
+  }
+  return { identifier: `ip:${clientIp ?? "unknown"}`, isAuthenticated: false };
+}
+
+// src/auth/audit.ts
+var StandardAuditActions = {
+  // Authentication
+  LOGIN_SUCCESS: "auth.login.success",
+  LOGIN_FAILURE: "auth.login.failure",
+  LOGOUT: "auth.logout",
+  SESSION_REFRESH: "auth.session.refresh",
+  PASSWORD_CHANGE: "auth.password.change",
+  PASSWORD_RESET: "auth.password.reset",
+  // Billing
+  CHECKOUT_START: "billing.checkout.start",
+  CHECKOUT_COMPLETE: "billing.checkout.complete",
+  SUBSCRIPTION_CREATE: "billing.subscription.create",
+  SUBSCRIPTION_CANCEL: "billing.subscription.cancel",
+  SUBSCRIPTION_UPDATE: "billing.subscription.update",
+  PAYMENT_FAILED: "billing.payment.failed",
+  // Admin
+  ADMIN_LOGIN: "admin.login",
+  ADMIN_USER_VIEW: "admin.user.view",
+  ADMIN_USER_UPDATE: "admin.user.update",
+  ADMIN_CONFIG_CHANGE: "admin.config.change",
+  // Security Events
+  RATE_LIMIT_EXCEEDED: "security.rate_limit.exceeded",
+  INVALID_INPUT: "security.input.invalid",
+  UNAUTHORIZED_ACCESS: "security.access.unauthorized",
+  OWNERSHIP_VIOLATION: "security.ownership.violation",
+  WEBHOOK_SIGNATURE_INVALID: "security.webhook.signature_invalid",
+  // Data
+  DATA_EXPORT: "data.export",
+  DATA_DELETE: "data.delete",
+  DATA_UPDATE: "data.update"
+};
+function extractAuditIp(request) {
+  if (!request) return void 0;
+  const headers = [
+    "cf-connecting-ip",
+    // Cloudflare
+    "x-real-ip",
+    // Nginx
+    "x-forwarded-for",
+    // Standard proxy
+    "x-client-ip"
+    // Apache
+  ];
+  for (const header of headers) {
+    const value = request.headers.get(header);
+    if (value) {
+      return value.split(",")[0]?.trim();
+    }
+  }
+  return void 0;
+}
+function extractAuditUserAgent(request) {
+  return request?.headers.get("user-agent") ?? void 0;
+}
+function extractAuditRequestId(request) {
+  return request?.headers.get("x-request-id") ?? crypto.randomUUID();
+}
+function createAuditActor(session) {
+  if (!session?.user) {
+    return { id: "anonymous", type: "anonymous" };
+  }
+  return {
+    id: session.user.id ?? session.user.email ?? "unknown",
+    email: session.user.email ?? void 0,
+    type: "user"
+  };
+}
+var defaultLogger = {
+  info: (msg, meta) => console.log(msg, meta ? JSON.stringify(meta) : ""),
+  warn: (msg, meta) => console.warn(msg, meta ? JSON.stringify(meta) : ""),
+  error: (msg, meta) => console.error(msg, meta ? JSON.stringify(meta) : "")
+};
+function createAuditLogger(options = {}) {
+  const { persist, logger = defaultLogger } = options;
+  async function log(event, request) {
+    const record = {
+      id: crypto.randomUUID(),
+      timestamp: (/* @__PURE__ */ new Date()).toISOString(),
+      ip: extractAuditIp(request),
+      userAgent: extractAuditUserAgent(request),
+      requestId: extractAuditRequestId(request),
+      ...event
+    };
+    const logFn = event.outcome === "failure" || event.outcome === "blocked" ? logger.warn : logger.info;
+    logFn(`[AUDIT] ${event.action}`, {
+      auditId: record.id,
+      actor: record.actor,
+      action: record.action,
+      resource: record.resource,
+      outcome: record.outcome,
+      ip: record.ip,
+      metadata: record.metadata,
+      reason: record.reason
+    });
+    if (persist) {
+      try {
+        await persist(record);
+      } catch (error) {
+        logger.error("Failed to persist audit log", {
+          error: error instanceof Error ? error.message : String(error),
+          auditId: record.id
+        });
+      }
+    }
+    return record;
+  }
+  function createTimedAudit(event, request) {
+    const startTime = Date.now();
+    return {
+      success: async (metadata) => {
+        return log(
+          {
+            ...event,
+            outcome: "success",
+            metadata: {
+              ...event.metadata,
+              ...metadata,
+              durationMs: Date.now() - startTime
+            }
+          },
+          request
+        );
+      },
+      failure: async (reason, metadata) => {
+        return log(
+          {
+            ...event,
+            outcome: "failure",
+            reason,
+            metadata: {
+              ...event.metadata,
+              ...metadata,
+              durationMs: Date.now() - startTime
+            }
+          },
+          request
+        );
+      },
+      blocked: async (reason, metadata) => {
+        return log(
+          {
+            ...event,
+            outcome: "blocked",
+            reason,
+            metadata: {
+              ...event.metadata,
+              ...metadata,
+              durationMs: Date.now() - startTime
+            }
+          },
+          request
+        );
+      }
+    };
+  }
+  return { log, createTimedAudit };
+}
+
 // src/http/health.ts
 function createHealthEndpoints(platform, options = {}) {
   const {
@@ -26311,7 +27194,7 @@ CREATE INDEX IF NOT EXISTS idx_${executionsTable}_started ON ${executionsTable}(
 };
 
 // src/adapters/webhook/HttpWebhook.ts
-import { createHmac as createHmac4, timingSafeEqual, randomBytes as randomBytes35 } from "crypto";
+import { createHmac as createHmac4, timingSafeEqual as timingSafeEqual2, randomBytes as randomBytes35 } from "crypto";
 var HttpWebhook = class {
   db;
   queue;
@@ -26660,7 +27543,7 @@ var HttpWebhook = class {
       if (providedBuffer.length !== expectedBuffer.length) {
         return { valid: false, error: "Invalid signature" };
       }
-      if (!timingSafeEqual(providedBuffer, expectedBuffer)) {
+      if (!timingSafeEqual2(providedBuffer, expectedBuffer)) {
         return { valid: false, error: "Invalid signature" };
       }
     } catch {
@@ -29716,6 +30599,272 @@ function generateId2() {
   return randomBytes36(8).toString("hex") + Date.now().toString(36);
 }
 
+// src/env.ts
+function getRequiredEnv(key) {
+  const value = process.env[key];
+  if (!value) {
+    throw new Error(`Missing required environment variable: ${key}`);
+  }
+  return value;
+}
+function getOptionalEnv(key, defaultValue) {
+  return process.env[key] || defaultValue;
+}
+function getBoolEnv(key, defaultValue = false) {
+  const value = process.env[key];
+  if (value === void 0 || value === "") return defaultValue;
+  return value === "true" || value === "1";
+}
+function getIntEnv(key, defaultValue) {
+  const value = process.env[key];
+  if (value === void 0 || value === "") return defaultValue;
+  const parsed = parseInt(value, 10);
+  return isNaN(parsed) ? defaultValue : parsed;
+}
+function validateEnvVars(config) {
+  const result = checkEnvVars(config);
+  if (!result.valid) {
+    const lines = [];
+    if (result.missing.length > 0) {
+      lines.push(
+        "Missing required environment variables:",
+        ...result.missing.map((v) => `  - ${v}`)
+      );
+    }
+    if (result.missingOneOf.length > 0) {
+      for (const group of result.missingOneOf) {
+        lines.push(`Missing one of: ${group.join(" | ")}`);
+      }
+    }
+    if (result.invalid.length > 0) {
+      lines.push(
+        "Invalid environment variables:",
+        ...result.invalid.map((v) => `  - ${v.key}: ${v.reason}`)
+      );
+    }
+    throw new Error(lines.join("\n"));
+  }
+}
+function checkEnvVars(config) {
+  const missing = [];
+  const invalid = [];
+  const missingOneOf = [];
+  if (config.required) {
+    for (const key of config.required) {
+      if (!process.env[key]) {
+        missing.push(key);
+      }
+    }
+  }
+  if (config.requireOneOf) {
+    for (const group of config.requireOneOf) {
+      const hasAny = group.some((key) => !!process.env[key]);
+      if (!hasAny) {
+        missingOneOf.push(group);
+      }
+    }
+  }
+  if (config.validators) {
+    for (const [key, validator] of Object.entries(config.validators)) {
+      const value = process.env[key];
+      if (value) {
+        const result = validator(value);
+        if (result !== true) {
+          invalid.push({ key, reason: result });
+        }
+      }
+    }
+  }
+  return {
+    valid: missing.length === 0 && invalid.length === 0 && missingOneOf.length === 0,
+    missing,
+    invalid,
+    missingOneOf
+  };
+}
+function getEnvSummary(keys) {
+  const summary = {};
+  for (const key of keys) {
+    summary[key] = !!process.env[key];
+  }
+  return summary;
+}
+
+// src/app-logger.ts
+var LEVEL_PRIORITY2 = {
+  debug: 0,
+  info: 1,
+  warn: 2,
+  error: 3
+};
+function defaultOutput(level, message, context) {
+  const isProduction = process.env.NODE_ENV === "production";
+  if (isProduction) {
+    const entry = { level, message, ...context };
+    const method = level === "error" ? "error" : level === "warn" ? "warn" : "log";
+    console[method](JSON.stringify(entry));
+  } else {
+    const prefix = `[${level.toUpperCase()}]`;
+    const ctx = Object.keys(context).length > 0 ? " " + JSON.stringify(context) : "";
+    const method = level === "error" ? "error" : level === "warn" ? "warn" : level === "debug" ? "debug" : "log";
+    console[method](`${prefix} ${message}${ctx}`);
+  }
+}
+var AppLoggerImpl = class _AppLoggerImpl {
+  baseContext;
+  minLevelPriority;
+  outputFn;
+  onErrorFn;
+  constructor(baseContext, options) {
+    this.baseContext = baseContext;
+    this.minLevelPriority = LEVEL_PRIORITY2[options.minLevel] ?? 0;
+    this.outputFn = options.output;
+    this.onErrorFn = options.onError;
+  }
+  log(level, message, context) {
+    if ((LEVEL_PRIORITY2[level] ?? 0) < this.minLevelPriority) return;
+    const merged = {
+      ...this.baseContext,
+      ...context,
+      timestamp: (/* @__PURE__ */ new Date()).toISOString()
+    };
+    this.outputFn(level, message, merged);
+  }
+  debug(message, context) {
+    this.log("debug", message, context);
+  }
+  info(message, context) {
+    this.log("info", message, context);
+  }
+  warn(message, context) {
+    this.log("warn", message, context);
+  }
+  error(message, context) {
+    this.log("error", message, context);
+    if (this.onErrorFn) {
+      try {
+        this.onErrorFn(message, { ...this.baseContext, ...context });
+      } catch {
+      }
+    }
+  }
+  child(context) {
+    return new _AppLoggerImpl(
+      { ...this.baseContext, ...context },
+      {
+        minLevel: Object.entries(LEVEL_PRIORITY2).find(
+          ([, v]) => v === this.minLevelPriority
+        )?.[0] ?? "debug",
+        output: this.outputFn,
+        onError: this.onErrorFn
+      }
+    );
+  }
+  forRequest(request, operation) {
+    const requestId = request.headers.get("x-request-id") ?? request.headers.get("x-correlation-id") ?? crypto.randomUUID();
+    let path;
+    try {
+      path = new URL(request.url).pathname;
+    } catch {
+      path = request.url;
+    }
+    return this.child({
+      requestId,
+      operation,
+      method: request.method,
+      path
+    });
+  }
+  forJob(jobType, jobId, context) {
+    return this.child({ jobType, jobId, ...context });
+  }
+  async timed(operation, fn, context) {
+    const opLogger = this.child({ operation, ...context });
+    opLogger.debug("Operation started");
+    const start = Date.now();
+    try {
+      const result = await fn();
+      opLogger.info("Operation completed", {
+        durationMs: Date.now() - start
+      });
+      return result;
+    } catch (error) {
+      opLogger.error("Operation failed", {
+        durationMs: Date.now() - start,
+        error: error instanceof Error ? error.message : String(error)
+      });
+      throw error;
+    }
+  }
+};
+function createAppLogger(options) {
+  const {
+    service,
+    minLevel = process.env.NODE_ENV === "production" ? "info" : "debug",
+    output = defaultOutput,
+    onError
+  } = options;
+  return new AppLoggerImpl({ service }, { minLevel, output, onError });
+}
+
+// src/redis-client.ts
+import Redis from "ioredis";
+function createRedisClient(options) {
+  const {
+    url,
+    keyPrefix,
+    maxRetries = 3,
+    lazyConnect = true,
+    silent = false
+  } = options;
+  const logger = options.logger ?? {
+    error: console.error
+  };
+  const client = new Redis(url, {
+    keyPrefix,
+    maxRetriesPerRequest: maxRetries,
+    retryStrategy(times) {
+      if (times > maxRetries) return null;
+      return Math.min(times * 200, 2e3);
+    },
+    lazyConnect
+  });
+  if (!silent) {
+    client.on("error", (err) => {
+      logger.error("[redis] Connection error", { message: err.message });
+    });
+    if (logger.info) {
+      const logInfo = logger.info;
+      client.on("connect", () => {
+        logInfo("[redis] Connected");
+      });
+    }
+  }
+  if (lazyConnect) {
+    client.connect().catch(() => {
+    });
+  }
+  return client;
+}
+var sharedClient = null;
+function getSharedRedis() {
+  if (sharedClient) return sharedClient;
+  const url = process.env.REDIS_URL;
+  if (!url) return null;
+  sharedClient = createRedisClient({
+    url,
+    keyPrefix: process.env.REDIS_KEY_PREFIX,
+    silent: process.env.NODE_ENV === "test"
+  });
+  return sharedClient;
+}
+async function closeSharedRedis() {
+  if (sharedClient) {
+    await sharedClient.quit();
+    sharedClient = null;
+  }
+}
+
 // src/migrations/Migrator.ts
 var DEFAULT_CONFIG = {
   tableName: "_migrations",
@@ -30492,6 +31641,7 @@ export {
   CircuitBreakerRegistry,
   CircuitOpenError,
   CommonApiErrors,
+  CommonRateLimits,
   ConsoleEmail,
   ConsoleLogger,
   CronPresets,
@@ -30508,17 +31658,21 @@ export {
   DatabaseNotification,
   DatabasePromptStore,
   DatabaseProviderSchema,
+  DateRangeSchema,
   DefaultTimeouts,
   EmailConfigSchema,
   EmailProviderSchema,
+  EmailSchema,
   EnvSecrets,
   FallbackStrategies,
   GenericOIDCAuthSSO,
   GoogleAIAdapter,
   HTML_TAG_PATTERN,
   HttpWebhook,
+  KEYCLOAK_DEFAULT_ROLES,
   LogLevelSchema,
   LoggingConfigSchema,
+  LoginSchema,
   MemoryAI,
   MemoryAIUsage,
   MemoryAuditLog,
@@ -30557,7 +31711,11 @@ export {
   ObservabilityConfigSchema,
   OpenAIAdapter,
   PG_ERROR_MAP,
+  PaginationSchema,
+  PasswordSchema,
   PaymentErrorMessages,
+  PersonNameSchema,
+  PhoneSchema,
   PineconeRAG,
   PlatformConfigSchema,
   PostgresDatabase,
@@ -30577,9 +31735,14 @@ export {
   RetryPredicates,
   S3Storage,
   SQL,
+  SearchQuerySchema,
   SecurityConfigSchema,
   SecurityHeaderPresets,
+  SignupSchema,
+  SlugSchema,
   SmtpEmail,
+  StandardAuditActions,
+  StandardRateLimitPresets,
   StorageConfigSchema,
   StorageProviderSchema,
   StripePayment,
@@ -30595,16 +31758,32 @@ export {
   UpstashCache,
   WeaviateRAG,
   WebhookEventTypes,
+  WrapperPresets,
+  buildAllowlist,
+  buildAuthCookies,
+  buildErrorBody,
+  buildKeycloakCallbacks,
   buildPagination,
+  buildRateLimitHeaders,
+  buildRateLimitResponseHeaders,
+  buildRedirectCallback,
+  buildTokenRefreshParams,
   calculateBackoff,
   calculateRetryDelay,
+  checkEnvVars,
+  checkRateLimit,
   classifyError,
+  closeSharedRedis,
   composeHookRegistries,
+  constantTimeEqual,
   containsHtml,
   containsUrls,
   correlationContext,
   createAIError,
   createAnthropicAdapter,
+  createAppLogger,
+  createAuditActor,
+  createAuditLogger,
   createAuthError,
   createBulkhead,
   createCacheMiddleware,
@@ -30615,6 +31794,7 @@ export {
   createErrorReport,
   createExpressHealthHandlers,
   createExpressMetricsHandler,
+  createFeatureFlags,
   createGoogleAIAdapter,
   createHealthEndpoints,
   createHealthServer,
@@ -30622,6 +31802,7 @@ export {
   createIpKeyGenerator,
   createJobContext,
   createLoggingMiddleware,
+  createMemoryRateLimitStore,
   createMetricsEndpoint,
   createMetricsMiddleware,
   createMetricsServer,
@@ -30635,8 +31816,10 @@ export {
   createPlatform,
   createPlatformAsync,
   createRateLimitMiddleware,
+  createRedisClient,
   createRequestContext,
   createRequestIdMiddleware,
+  createSafeTextSchema,
   createScopedMetrics,
   createSlowQueryMiddleware,
   createSsoOidcConfigsTable,
@@ -30653,8 +31836,13 @@ export {
   defangUrl,
   defineMigration,
   describeCron,
+  detectStage,
   enterpriseMigrations,
   escapeHtml,
+  extractAuditIp,
+  extractAuditRequestId,
+  extractAuditUserAgent,
+  extractClientIp,
   filterChannelsByPreferences,
   formatAmount,
   generateAuditId,
@@ -30672,37 +31860,58 @@ export {
   generateVersion,
   generateWebhookId,
   generateWebhookSecret,
+  getBoolEnv,
   getContext,
-  getCorrelationId,
+  getCorrelationId2 as getCorrelationId,
   getDefaultConfig,
+  getEndSessionEndpoint,
   getEnterpriseMigrations,
+  getEnvSummary,
+  getIntEnv,
   getLogMeta,
   getNextCronRun,
+  getOptionalEnv,
+  getRateLimitStatus,
   getRequestId,
+  getRequiredEnv,
+  getSharedRedis,
   getTenantId,
+  getTokenEndpoint,
   getTraceId,
   getUserId,
+  hasAllRoles,
+  hasAnyRole,
+  hasRole,
   isAIError,
+  isAllowlisted,
   isApiError,
   isAuthError,
   isInContext,
   isInQuietHours,
   isPaymentError,
+  isTokenExpired,
   isValidCron,
   loadConfig,
   matchAction,
   matchEventType,
+  parseKeycloakRoles,
   raceTimeout,
+  refreshKeycloakToken,
+  resetRateLimitForKey,
+  resolveIdentifier,
+  resolveRateLimitIdentifier,
   retryable,
   runWithContext,
   runWithContextAsync,
   safeValidateConfig,
+  sanitizeApiError,
   sanitizeForEmail,
   sqlMigration,
   stripHtml,
   timedHealthCheck,
   toHealthCheckResult,
   validateConfig,
+  validateEnvVars,
   withCorrelation,
   withCorrelationAsync,
   withFallback,