@digilogiclabs/platform-core 1.6.0 → 1.7.0

package/dist/auth.d.mts

@@ -1,2 +1,175 @@
-export { aq as AllowlistConfig, j as ApiError, A as ApiErrorCode, n as ApiErrorCodeType, p as ApiPaginatedResponse, Z as ApiSecurityConfig, $ as ApiSecurityContext, o as ApiSuccessResponse, aN as AuditRequest, L as AuthCookiesConfig, V as AuthMethod, C as CommonApiErrors, ax as CommonRateLimits, ad as DateRangeInput, a6 as DateRangeSchema, al as DeploymentStage, ab as EmailInput, a0 as EmailSchema, aW as EnvValidationConfig, aX as EnvValidationResult, an as FlagDefinition, ao as FlagDefinitions, am as FlagValue, K as KEYCLOAK_DEFAULT_ROLES, I as KeycloakCallbacksConfig, B as KeycloakConfig, J as KeycloakJwtFields, D as KeycloakTokenSet, af as LoginInput, a8 as LoginSchema, aI as OpsAuditActor, aK as OpsAuditEvent, aM as OpsAuditLoggerOptions, aL as OpsAuditRecord, aJ as OpsAuditResource, ac as PaginationInput, a5 as PaginationSchema, a1 as PasswordSchema, a4 as PersonNameSchema, a3 as PhoneSchema, az as RateLimitCheckResult, aB as RateLimitOptions, Y as RateLimitPreset, ay as RateLimitRule, aA as RateLimitStore, R as RedirectCallbackConfig, ap as ResolvedFlags, X as RouteAuditConfig, ae as SearchQueryInput, a7 as SearchQuerySchema, _ as SecuritySession, ag as SignupInput, a9 as SignupSchema, a2 as SlugSchema, aO as StandardAuditActionType, aH as StandardAuditActions, S as StandardRateLimitPresets, T as TokenRefreshResult, W as WrapperPresets, aj as buildAllowlist, F as buildAuthCookies, Q as buildErrorBody, E as buildKeycloakCallbacks, m as buildPagination, O as buildRateLimitHeaders, av as buildRateLimitResponseHeaders, G as buildRedirectCallback, w as buildTokenRefreshParams, aU as checkEnvVars, ar as checkRateLimit, l as classifyError, f as constantTimeEqual, a as containsHtml, c as containsUrls, aD as createAuditActor, aC as createAuditLogger, ah as createFeatureFlags, au as createMemoryRateLimitStore, aa as createSafeTextSchema, ai as detectStage, e as escapeHtml, aE as extractAuditIp, aG as extractAuditRequestId, aF as extractAuditUserAgent, N as extractClientIp, aR as getBoolEnv, h as getCorrelationId, y as getEndSessionEndpoint, aV as getEnvSummary, aS as getIntEnv, aQ as getOptionalEnv, as as getRateLimitStatus, aP as getRequiredEnv, x as getTokenEndpoint, u as hasAllRoles, t as hasAnyRole, r as hasRole, ak as isAllowlisted, k as isApiError, v as isTokenExpired, q as parseKeycloakRoles, z as refreshKeycloakToken, at as resetRateLimitForKey, aw as resolveIdentifier, M as resolveRateLimitIdentifier, g as sanitizeApiError, s as stripHtml, aT as validateEnvVars } from './index-CkyVz0hQ.mjs';
+import { R as RateLimitStore, a as RateLimitRule, b as RateLimitOptions } from './env-DerQ7Da-.mjs';
+export { as as AllowlistConfig, A as ApiError, k as ApiErrorCode, m as ApiErrorCodeType, o as ApiPaginatedResponse, _ as ApiSecurityConfig, a0 as ApiSecurityContext, n as ApiSuccessResponse, aK as AuditRequest, P as AuthCookiesConfig, W as AuthMethod, C as CommonApiErrors, ay as CommonRateLimits, aj as DateRangeInput, ad as DateRangeSchema, an as DeploymentStage, ah as EmailInput, a6 as EmailSchema, E as EnvValidationConfig, x as EnvValidationResult, ap as FlagDefinition, aq as FlagDefinitions, ao as FlagValue, z as KEYCLOAK_DEFAULT_ROLES, N as KeycloakCallbacksConfig, K as KeycloakConfig, O as KeycloakJwtFields, y as KeycloakTokenSet, al as LoginInput, af as LoginSchema, aF as OpsAuditActor, aH as OpsAuditEvent, aJ as OpsAuditLoggerOptions, aI as OpsAuditRecord, aG as OpsAuditResource, ai as PaginationInput, ac as PaginationSchema, a7 as PasswordSchema, aa as PersonNameSchema, a9 as PhoneSchema, ax as RateLimitCheckResult, Y as RateLimitPreset, S as RedirectCallbackConfig, ar as ResolvedFlags, X as RouteAuditConfig, ak as SearchQueryInput, ae as SearchQuerySchema, $ as SecuritySession, am as SignupInput, ag as SignupSchema, a8 as SlugSchema, aM as StandardAuditActionType, aL as StandardAuditActions, Z as StandardRateLimitPresets, T as TokenRefreshResult, a5 as WrapperPresets, av as buildAllowlist, Q as buildAuthCookies, a4 as buildErrorBody, V as buildKeycloakCallbacks, l as buildPagination, a3 as buildRateLimitHeaders, aD as buildRateLimitResponseHeaders, U as buildRedirectCallback, I as buildTokenRefreshParams, u as checkEnvVars, aA as checkRateLimit, i as classifyError, c as constantTimeEqual, f as containsHtml, d as containsUrls, aQ as createAuditActor, aR as createAuditLogger, au as createFeatureFlags, az as createMemoryRateLimitStore, ab as createSafeTextSchema, at as detectStage, e as escapeHtml, aN as extractAuditIp, aP as extractAuditRequestId, aO as extractAuditUserAgent, a2 as extractClientIp, r as getBoolEnv, h as getCorrelationId, L as getEndSessionEndpoint, w as getEnvSummary, t as getIntEnv, q as getOptionalEnv, aB as getRateLimitStatus, p as getRequiredEnv, J as getTokenEndpoint, G as hasAllRoles, F as hasAnyRole, D as hasRole, aw as isAllowlisted, j as isApiError, H as isTokenExpired, B as parseKeycloakRoles, M as refreshKeycloakToken, aC as resetRateLimitForKey, aE as resolveIdentifier, a1 as resolveRateLimitIdentifier, g as sanitizeApiError, s as stripHtml, v as validateEnvVars } from './env-DerQ7Da-.mjs';
 import 'zod';
+
+/**
+ * Redis Rate Limit Store
+ *
+ * Production-ready `RateLimitStore` implementation using Redis sorted sets
+ * for accurate sliding window rate limiting. Works with ioredis or any
+ * Redis client that supports the required commands.
+ *
+ * @example
+ * ```typescript
+ * import Redis from 'ioredis'
+ * import {
+ *   createRedisRateLimitStore,
+ *   checkRateLimit,
+ *   CommonRateLimits,
+ * } from '@digilogiclabs/platform-core/auth'
+ *
+ * const redis = new Redis(process.env.REDIS_URL)
+ * const store = createRedisRateLimitStore(redis, { keyPrefix: 'myapp:' })
+ *
+ * const result = await checkRateLimit('api-call', 'user:123', CommonRateLimits.apiGeneral, { store })
+ * ```
+ */
+
+/**
+ * Minimal Redis client interface.
+ *
+ * Compatible with ioredis, node-redis v4, and @upstash/redis.
+ * Only the commands used by the rate limiter are required.
+ */
+interface RedisRateLimitClient {
+    zremrangebyscore(key: string, min: number | string, max: number | string): Promise<number>;
+    zadd(key: string, score: number, member: string): Promise<number>;
+    zcard(key: string): Promise<number>;
+    expire(key: string, seconds: number): Promise<number>;
+    get(key: string): Promise<string | null>;
+    ttl(key: string): Promise<number>;
+    setex(key: string, seconds: number, value: string): Promise<string>;
+    del(...keys: string[]): Promise<number>;
+}
+interface RedisRateLimitStoreOptions {
+    /** Prefix for all Redis keys (e.g., 'myapp:') */
+    keyPrefix?: string;
+}
+/**
+ * Create a Redis-backed rate limit store using sorted sets.
+ *
+ * Uses the sliding window algorithm:
+ * - Each request adds a timestamped entry to a sorted set
+ * - Old entries (outside the window) are pruned on each check
+ * - The set cardinality gives the request count
+ *
+ * Blocks use simple key-value with TTL.
+ */
+declare function createRedisRateLimitStore(redis: RedisRateLimitClient, options?: RedisRateLimitStoreOptions): RateLimitStore;
+
+/**
+ * Next.js API Route Helpers
+ *
+ * Shared utilities for Next.js API routes that all apps need.
+ * These wrap platform-core's framework-agnostic primitives into
+ * Next.js-specific patterns (NextResponse, NextRequest).
+ *
+ * @example
+ * ```typescript
+ * import {
+ *   enforceRateLimit,
+ *   zodErrorResponse,
+ *   errorResponse,
+ *   extractBearerToken,
+ *   isValidBearerToken,
+ * } from '@digilogiclabs/platform-core/auth'
+ *
+ * export async function POST(request: NextRequest) {
+ *   const rl = await enforceRateLimit(request, 'submit', CommonRateLimits.publicForm)
+ *   if (rl) return rl
+ *
+ *   const parsed = schema.safeParse(await request.json())
+ *   if (!parsed.success) return zodErrorResponse(parsed.error)
+ *
+ *   try { ... }
+ *   catch (error) { return errorResponse(error) }
+ * }
+ * ```
+ */
+
+/**
+ * Enforce rate limiting on a Next.js API request.
+ *
+ * Returns a 429 NextResponse if the limit is exceeded, or `null` if allowed.
+ * Apps use this at the top of route handlers for early rejection.
+ *
+ * @example
+ * ```typescript
+ * const rateLimited = await enforceRateLimit(request, 'sync', CommonRateLimits.adminAction)
+ * if (rateLimited) return rateLimited
+ * ```
+ */
+declare function enforceRateLimit(request: {
+    headers: {
+        get(name: string): string | null;
+    };
+}, operation: string, rule: RateLimitRule, options?: {
+    /** Override identifier (default: extracted from x-forwarded-for) */
+    identifier?: string;
+    /** User ID for per-user limiting */
+    userId?: string;
+    /** Rate limit store and options */
+    rateLimitOptions?: RateLimitOptions;
+}): Promise<Response | null>;
+/**
+ * Convert any error into a structured JSON response.
+ *
+ * Uses platform-core's `classifyError()` to handle ApiError,
+ * Zod errors, PostgreSQL errors, and generic errors consistently.
+ *
+ * @example
+ * ```typescript
+ * catch (error) {
+ *   return errorResponse(error)
+ * }
+ * ```
+ */
+declare function errorResponse(error: unknown, options?: {
+    isDevelopment?: boolean;
+}): Response;
+/**
+ * Convert a Zod validation error into a user-friendly 400 response.
+ *
+ * Extracts the first issue and returns a clear error message
+ * with the field path (e.g., "email: Invalid email").
+ *
+ * @example
+ * ```typescript
+ * const parsed = schema.safeParse(await request.json())
+ * if (!parsed.success) return zodErrorResponse(parsed.error)
+ * ```
+ */
+declare function zodErrorResponse(error: {
+    issues: Array<{
+        path: (string | number)[];
+        message: string;
+    }>;
+}): Response;
+/**
+ * Extract a bearer token from the Authorization header.
+ *
+ * @returns The token string, or null if not present/malformed.
+ */
+declare function extractBearerToken(request: {
+    headers: {
+        get(name: string): string | null;
+    };
+}): string | null;
+/**
+ * Check if a request's bearer token matches a secret.
+ * Uses timing-safe comparison to prevent timing attacks.
+ *
+ * @example
+ * ```typescript
+ * if (!isValidBearerToken(request, process.env.ADMIN_SECRET)) {
+ *   return new Response('Unauthorized', { status: 401 })
+ * }
+ * ```
+ */
+declare function isValidBearerToken(request: {
+    headers: {
+        get(name: string): string | null;
+    };
+}, secret: string | undefined): boolean;
+
+export { RateLimitOptions, RateLimitRule, RateLimitStore, type RedisRateLimitClient, type RedisRateLimitStoreOptions, createRedisRateLimitStore, enforceRateLimit, errorResponse, extractBearerToken, isValidBearerToken, zodErrorResponse };

package/dist/auth.d.ts

@@ -1,2 +1,175 @@
-export { aq as AllowlistConfig, j as ApiError, A as ApiErrorCode, n as ApiErrorCodeType, p as ApiPaginatedResponse, Z as ApiSecurityConfig, $ as ApiSecurityContext, o as ApiSuccessResponse, aN as AuditRequest, L as AuthCookiesConfig, V as AuthMethod, C as CommonApiErrors, ax as CommonRateLimits, ad as DateRangeInput, a6 as DateRangeSchema, al as DeploymentStage, ab as EmailInput, a0 as EmailSchema, aW as EnvValidationConfig, aX as EnvValidationResult, an as FlagDefinition, ao as FlagDefinitions, am as FlagValue, K as KEYCLOAK_DEFAULT_ROLES, I as KeycloakCallbacksConfig, B as KeycloakConfig, J as KeycloakJwtFields, D as KeycloakTokenSet, af as LoginInput, a8 as LoginSchema, aI as OpsAuditActor, aK as OpsAuditEvent, aM as OpsAuditLoggerOptions, aL as OpsAuditRecord, aJ as OpsAuditResource, ac as PaginationInput, a5 as PaginationSchema, a1 as PasswordSchema, a4 as PersonNameSchema, a3 as PhoneSchema, az as RateLimitCheckResult, aB as RateLimitOptions, Y as RateLimitPreset, ay as RateLimitRule, aA as RateLimitStore, R as RedirectCallbackConfig, ap as ResolvedFlags, X as RouteAuditConfig, ae as SearchQueryInput, a7 as SearchQuerySchema, _ as SecuritySession, ag as SignupInput, a9 as SignupSchema, a2 as SlugSchema, aO as StandardAuditActionType, aH as StandardAuditActions, S as StandardRateLimitPresets, T as TokenRefreshResult, W as WrapperPresets, aj as buildAllowlist, F as buildAuthCookies, Q as buildErrorBody, E as buildKeycloakCallbacks, m as buildPagination, O as buildRateLimitHeaders, av as buildRateLimitResponseHeaders, G as buildRedirectCallback, w as buildTokenRefreshParams, aU as checkEnvVars, ar as checkRateLimit, l as classifyError, f as constantTimeEqual, a as containsHtml, c as containsUrls, aD as createAuditActor, aC as createAuditLogger, ah as createFeatureFlags, au as createMemoryRateLimitStore, aa as createSafeTextSchema, ai as detectStage, e as escapeHtml, aE as extractAuditIp, aG as extractAuditRequestId, aF as extractAuditUserAgent, N as extractClientIp, aR as getBoolEnv, h as getCorrelationId, y as getEndSessionEndpoint, aV as getEnvSummary, aS as getIntEnv, aQ as getOptionalEnv, as as getRateLimitStatus, aP as getRequiredEnv, x as getTokenEndpoint, u as hasAllRoles, t as hasAnyRole, r as hasRole, ak as isAllowlisted, k as isApiError, v as isTokenExpired, q as parseKeycloakRoles, z as refreshKeycloakToken, at as resetRateLimitForKey, aw as resolveIdentifier, M as resolveRateLimitIdentifier, g as sanitizeApiError, s as stripHtml, aT as validateEnvVars } from './index-CkyVz0hQ.js';
+import { R as RateLimitStore, a as RateLimitRule, b as RateLimitOptions } from './env-DerQ7Da-.js';
+export { as as AllowlistConfig, A as ApiError, k as ApiErrorCode, m as ApiErrorCodeType, o as ApiPaginatedResponse, _ as ApiSecurityConfig, a0 as ApiSecurityContext, n as ApiSuccessResponse, aK as AuditRequest, P as AuthCookiesConfig, W as AuthMethod, C as CommonApiErrors, ay as CommonRateLimits, aj as DateRangeInput, ad as DateRangeSchema, an as DeploymentStage, ah as EmailInput, a6 as EmailSchema, E as EnvValidationConfig, x as EnvValidationResult, ap as FlagDefinition, aq as FlagDefinitions, ao as FlagValue, z as KEYCLOAK_DEFAULT_ROLES, N as KeycloakCallbacksConfig, K as KeycloakConfig, O as KeycloakJwtFields, y as KeycloakTokenSet, al as LoginInput, af as LoginSchema, aF as OpsAuditActor, aH as OpsAuditEvent, aJ as OpsAuditLoggerOptions, aI as OpsAuditRecord, aG as OpsAuditResource, ai as PaginationInput, ac as PaginationSchema, a7 as PasswordSchema, aa as PersonNameSchema, a9 as PhoneSchema, ax as RateLimitCheckResult, Y as RateLimitPreset, S as RedirectCallbackConfig, ar as ResolvedFlags, X as RouteAuditConfig, ak as SearchQueryInput, ae as SearchQuerySchema, $ as SecuritySession, am as SignupInput, ag as SignupSchema, a8 as SlugSchema, aM as StandardAuditActionType, aL as StandardAuditActions, Z as StandardRateLimitPresets, T as TokenRefreshResult, a5 as WrapperPresets, av as buildAllowlist, Q as buildAuthCookies, a4 as buildErrorBody, V as buildKeycloakCallbacks, l as buildPagination, a3 as buildRateLimitHeaders, aD as buildRateLimitResponseHeaders, U as buildRedirectCallback, I as buildTokenRefreshParams, u as checkEnvVars, aA as checkRateLimit, i as classifyError, c as constantTimeEqual, f as containsHtml, d as containsUrls, aQ as createAuditActor, aR as createAuditLogger, au as createFeatureFlags, az as createMemoryRateLimitStore, ab as createSafeTextSchema, at as detectStage, e as escapeHtml, aN as extractAuditIp, aP as extractAuditRequestId, aO as extractAuditUserAgent, a2 as extractClientIp, r as getBoolEnv, h as getCorrelationId, L as getEndSessionEndpoint, w as getEnvSummary, t as getIntEnv, q as getOptionalEnv, aB as getRateLimitStatus, p as getRequiredEnv, J as getTokenEndpoint, G as hasAllRoles, F as hasAnyRole, D as hasRole, aw as isAllowlisted, j as isApiError, H as isTokenExpired, B as parseKeycloakRoles, M as refreshKeycloakToken, aC as resetRateLimitForKey, aE as resolveIdentifier, a1 as resolveRateLimitIdentifier, g as sanitizeApiError, s as stripHtml, v as validateEnvVars } from './env-DerQ7Da-.js';
 import 'zod';
+
+/**
+ * Redis Rate Limit Store
+ *
+ * Production-ready `RateLimitStore` implementation using Redis sorted sets
+ * for accurate sliding window rate limiting. Works with ioredis or any
+ * Redis client that supports the required commands.
+ *
+ * @example
+ * ```typescript
+ * import Redis from 'ioredis'
+ * import {
+ *   createRedisRateLimitStore,
+ *   checkRateLimit,
+ *   CommonRateLimits,
+ * } from '@digilogiclabs/platform-core/auth'
+ *
+ * const redis = new Redis(process.env.REDIS_URL)
+ * const store = createRedisRateLimitStore(redis, { keyPrefix: 'myapp:' })
+ *
+ * const result = await checkRateLimit('api-call', 'user:123', CommonRateLimits.apiGeneral, { store })
+ * ```
+ */
+
+/**
+ * Minimal Redis client interface.
+ *
+ * Compatible with ioredis, node-redis v4, and @upstash/redis.
+ * Only the commands used by the rate limiter are required.
+ */
+interface RedisRateLimitClient {
+    zremrangebyscore(key: string, min: number | string, max: number | string): Promise<number>;
+    zadd(key: string, score: number, member: string): Promise<number>;
+    zcard(key: string): Promise<number>;
+    expire(key: string, seconds: number): Promise<number>;
+    get(key: string): Promise<string | null>;
+    ttl(key: string): Promise<number>;
+    setex(key: string, seconds: number, value: string): Promise<string>;
+    del(...keys: string[]): Promise<number>;
+}
+interface RedisRateLimitStoreOptions {
+    /** Prefix for all Redis keys (e.g., 'myapp:') */
+    keyPrefix?: string;
+}
+/**
+ * Create a Redis-backed rate limit store using sorted sets.
+ *
+ * Uses the sliding window algorithm:
+ * - Each request adds a timestamped entry to a sorted set
+ * - Old entries (outside the window) are pruned on each check
+ * - The set cardinality gives the request count
+ *
+ * Blocks use simple key-value with TTL.
+ */
+declare function createRedisRateLimitStore(redis: RedisRateLimitClient, options?: RedisRateLimitStoreOptions): RateLimitStore;
+
+/**
+ * Next.js API Route Helpers
+ *
+ * Shared utilities for Next.js API routes that all apps need.
+ * These wrap platform-core's framework-agnostic primitives into
+ * Next.js-specific patterns (NextResponse, NextRequest).
+ *
+ * @example
+ * ```typescript
+ * import {
+ *   enforceRateLimit,
+ *   zodErrorResponse,
+ *   errorResponse,
+ *   extractBearerToken,
+ *   isValidBearerToken,
+ * } from '@digilogiclabs/platform-core/auth'
+ *
+ * export async function POST(request: NextRequest) {
+ *   const rl = await enforceRateLimit(request, 'submit', CommonRateLimits.publicForm)
+ *   if (rl) return rl
+ *
+ *   const parsed = schema.safeParse(await request.json())
+ *   if (!parsed.success) return zodErrorResponse(parsed.error)
+ *
+ *   try { ... }
+ *   catch (error) { return errorResponse(error) }
+ * }
+ * ```
+ */
+
+/**
+ * Enforce rate limiting on a Next.js API request.
+ *
+ * Returns a 429 NextResponse if the limit is exceeded, or `null` if allowed.
+ * Apps use this at the top of route handlers for early rejection.
+ *
+ * @example
+ * ```typescript
+ * const rateLimited = await enforceRateLimit(request, 'sync', CommonRateLimits.adminAction)
+ * if (rateLimited) return rateLimited
+ * ```
+ */
+declare function enforceRateLimit(request: {
+    headers: {
+        get(name: string): string | null;
+    };
+}, operation: string, rule: RateLimitRule, options?: {
+    /** Override identifier (default: extracted from x-forwarded-for) */
+    identifier?: string;
+    /** User ID for per-user limiting */
+    userId?: string;
+    /** Rate limit store and options */
+    rateLimitOptions?: RateLimitOptions;
+}): Promise<Response | null>;
+/**
+ * Convert any error into a structured JSON response.
+ *
+ * Uses platform-core's `classifyError()` to handle ApiError,
+ * Zod errors, PostgreSQL errors, and generic errors consistently.
+ *
+ * @example
+ * ```typescript
+ * catch (error) {
+ *   return errorResponse(error)
+ * }
+ * ```
+ */
+declare function errorResponse(error: unknown, options?: {
+    isDevelopment?: boolean;
+}): Response;
+/**
+ * Convert a Zod validation error into a user-friendly 400 response.
+ *
+ * Extracts the first issue and returns a clear error message
+ * with the field path (e.g., "email: Invalid email").
+ *
+ * @example
+ * ```typescript
+ * const parsed = schema.safeParse(await request.json())
+ * if (!parsed.success) return zodErrorResponse(parsed.error)
+ * ```
+ */
+declare function zodErrorResponse(error: {
+    issues: Array<{
+        path: (string | number)[];
+        message: string;
+    }>;
+}): Response;
+/**
+ * Extract a bearer token from the Authorization header.
+ *
+ * @returns The token string, or null if not present/malformed.
+ */
+declare function extractBearerToken(request: {
+    headers: {
+        get(name: string): string | null;
+    };
+}): string | null;
+/**
+ * Check if a request's bearer token matches a secret.
+ * Uses timing-safe comparison to prevent timing attacks.
+ *
+ * @example
+ * ```typescript
+ * if (!isValidBearerToken(request, process.env.ADMIN_SECRET)) {
+ *   return new Response('Unauthorized', { status: 401 })
+ * }
+ * ```
+ */
+declare function isValidBearerToken(request: {
+    headers: {
+        get(name: string): string | null;
+    };
+}, secret: string | undefined): boolean;
+
+export { RateLimitOptions, RateLimitRule, RateLimitStore, type RedisRateLimitClient, type RedisRateLimitStoreOptions, createRedisRateLimitStore, enforceRateLimit, errorResponse, extractBearerToken, isValidBearerToken, zodErrorResponse };

package/dist/auth.js

@@ -57,12 +57,16 @@ __export(auth_exports, {
   createAuditLogger: () => createAuditLogger,
   createFeatureFlags: () => createFeatureFlags,
   createMemoryRateLimitStore: () => createMemoryRateLimitStore,
+  createRedisRateLimitStore: () => createRedisRateLimitStore,
   createSafeTextSchema: () => createSafeTextSchema,
   detectStage: () => detectStage,
+  enforceRateLimit: () => enforceRateLimit,
+  errorResponse: () => errorResponse,
   escapeHtml: () => escapeHtml,
   extractAuditIp: () => extractAuditIp,
   extractAuditRequestId: () => extractAuditRequestId,
   extractAuditUserAgent: () => extractAuditUserAgent,
+  extractBearerToken: () => extractBearerToken,
   extractClientIp: () => extractClientIp,
   getBoolEnv: () => getBoolEnv,
   getCorrelationId: () => getCorrelationId,
@@ -79,6 +83,7 @@ __export(auth_exports, {
   isAllowlisted: () => isAllowlisted,
   isApiError: () => isApiError,
   isTokenExpired: () => isTokenExpired,
+  isValidBearerToken: () => isValidBearerToken,
   parseKeycloakRoles: () => parseKeycloakRoles,
   refreshKeycloakToken: () => refreshKeycloakToken,
   resetRateLimitForKey: () => resetRateLimitForKey,
@@ -86,7 +91,8 @@ __export(auth_exports, {
   resolveRateLimitIdentifier: () => resolveRateLimitIdentifier,
   sanitizeApiError: () => sanitizeApiError,
   stripHtml: () => stripHtml,
-  validateEnvVars: () => validateEnvVars
+  validateEnvVars: () => validateEnvVars,
+  zodErrorResponse: () => zodErrorResponse
 });
 module.exports = __toCommonJS(auth_exports);
 
@@ -260,7 +266,11 @@ function buildKeycloakCallbacks(config) {
      * Compatible with Auth.js v5 JWT callback signature.
      */
     // eslint-disable-next-line @typescript-eslint/no-explicit-any
-    async jwt({ token, user, account }) {
+    async jwt({
+      token,
+      user,
+      account
+    }) {
       if (user) {
         token.id = token.sub ?? user.id;
       }
@@ -821,6 +831,44 @@ function resolveIdentifier(session, clientIp) {
   return { identifier: `ip:${clientIp ?? "unknown"}`, isAuthenticated: false };
 }
 
+// src/auth/rate-limit-store-redis.ts
+function createRedisRateLimitStore(redis, options = {}) {
+  const prefix = options.keyPrefix ?? "";
+  return {
+    async increment(key, windowMs, now) {
+      const fullKey = `${prefix}${key}`;
+      const windowStart = now - windowMs;
+      const windowSeconds = Math.ceil(windowMs / 1e3) + 60;
+      await redis.zremrangebyscore(fullKey, 0, windowStart);
+      const current = await redis.zcard(fullKey);
+      const member = `${now}:${Math.random().toString(36).slice(2, 10)}`;
+      await redis.zadd(fullKey, now, member);
+      await redis.expire(fullKey, windowSeconds);
+      return { count: current + 1 };
+    },
+    async isBlocked(key) {
+      const fullKey = `${prefix}${key}`;
+      const value = await redis.get(fullKey);
+      if (!value) {
+        return { blocked: false, ttlMs: 0 };
+      }
+      const ttlSeconds = await redis.ttl(fullKey);
+      if (ttlSeconds <= 0) {
+        return { blocked: false, ttlMs: 0 };
+      }
+      return { blocked: true, ttlMs: ttlSeconds * 1e3 };
+    },
+    async setBlock(key, durationSeconds) {
+      const fullKey = `${prefix}${key}`;
+      await redis.setex(fullKey, durationSeconds, "1");
+    },
+    async reset(key) {
+      const fullKey = `${prefix}${key}`;
+      await redis.del(fullKey);
+    }
+  };
+}
+
 // src/auth/audit.ts
 var StandardAuditActions = {
   // Authentication
@@ -1105,6 +1153,57 @@ function buildPagination(page, limit, total) {
   };
 }
 
+// src/auth/nextjs-api.ts
+async function enforceRateLimit(request, operation, rule, options) {
+  const identifier = options?.identifier ?? (options?.userId ? `user:${options.userId}` : void 0) ?? `ip:${extractClientIp((name) => request.headers.get(name))}`;
+  const isAuthenticated = !!options?.userId;
+  const result = await checkRateLimit(operation, identifier, rule, {
+    ...options?.rateLimitOptions,
+    isAuthenticated
+  });
+  if (!result.allowed) {
+    const headers = buildRateLimitResponseHeaders(result);
+    return new Response(
+      JSON.stringify({
+        error: "Rate limit exceeded. Please try again later.",
+        retryAfter: result.retryAfterSeconds
+      }),
+      {
+        status: 429,
+        headers: { "Content-Type": "application/json", ...headers }
+      }
+    );
+  }
+  return null;
+}
+function errorResponse(error, options) {
+  const isDev = options?.isDevelopment ?? process.env.NODE_ENV === "development";
+  const { status, body } = classifyError(error, isDev);
+  return new Response(JSON.stringify(body), {
+    status,
+    headers: { "Content-Type": "application/json" }
+  });
+}
+function zodErrorResponse(error) {
+  const firstIssue = error.issues[0];
+  const message = firstIssue ? `${firstIssue.path.join(".") || "input"}: ${firstIssue.message}` : "Validation error";
+  return new Response(JSON.stringify({ error: message }), {
+    status: 400,
+    headers: { "Content-Type": "application/json" }
+  });
+}
+function extractBearerToken(request) {
+  const auth = request.headers.get("authorization");
+  if (!auth?.startsWith("Bearer ")) return null;
+  return auth.slice(7).trim() || null;
+}
+function isValidBearerToken(request, secret) {
+  if (!secret) return false;
+  const token = extractBearerToken(request);
+  if (!token) return false;
+  return constantTimeEqual(token, secret);
+}
+
 // src/env.ts
 function getRequiredEnv(key) {
   const value = process.env[key];
@@ -1234,12 +1333,16 @@ function getEnvSummary(keys) {
   createAuditLogger,
   createFeatureFlags,
   createMemoryRateLimitStore,
+  createRedisRateLimitStore,
   createSafeTextSchema,
   detectStage,
+  enforceRateLimit,
+  errorResponse,
   escapeHtml,
   extractAuditIp,
   extractAuditRequestId,
   extractAuditUserAgent,
+  extractBearerToken,
   extractClientIp,
   getBoolEnv,
   getCorrelationId,
@@ -1256,6 +1359,7 @@ function getEnvSummary(keys) {
   isAllowlisted,
   isApiError,
   isTokenExpired,
+  isValidBearerToken,
   parseKeycloakRoles,
   refreshKeycloakToken,
   resetRateLimitForKey,
@@ -1263,6 +1367,7 @@ function getEnvSummary(keys) {
   resolveRateLimitIdentifier,
   sanitizeApiError,
   stripHtml,
-  validateEnvVars
+  validateEnvVars,
+  zodErrorResponse
 });
 //# sourceMappingURL=auth.js.map