@digilogiclabs/platform-core 1.6.0 → 1.8.0

package/dist/auth.d.mts

@@ -1,2 +1,175 @@
-export { aq as AllowlistConfig, j as ApiError, A as ApiErrorCode, n as ApiErrorCodeType, p as ApiPaginatedResponse, Z as ApiSecurityConfig, $ as ApiSecurityContext, o as ApiSuccessResponse, aN as AuditRequest, L as AuthCookiesConfig, V as AuthMethod, C as CommonApiErrors, ax as CommonRateLimits, ad as DateRangeInput, a6 as DateRangeSchema, al as DeploymentStage, ab as EmailInput, a0 as EmailSchema, aW as EnvValidationConfig, aX as EnvValidationResult, an as FlagDefinition, ao as FlagDefinitions, am as FlagValue, K as KEYCLOAK_DEFAULT_ROLES, I as KeycloakCallbacksConfig, B as KeycloakConfig, J as KeycloakJwtFields, D as KeycloakTokenSet, af as LoginInput, a8 as LoginSchema, aI as OpsAuditActor, aK as OpsAuditEvent, aM as OpsAuditLoggerOptions, aL as OpsAuditRecord, aJ as OpsAuditResource, ac as PaginationInput, a5 as PaginationSchema, a1 as PasswordSchema, a4 as PersonNameSchema, a3 as PhoneSchema, az as RateLimitCheckResult, aB as RateLimitOptions, Y as RateLimitPreset, ay as RateLimitRule, aA as RateLimitStore, R as RedirectCallbackConfig, ap as ResolvedFlags, X as RouteAuditConfig, ae as SearchQueryInput, a7 as SearchQuerySchema, _ as SecuritySession, ag as SignupInput, a9 as SignupSchema, a2 as SlugSchema, aO as StandardAuditActionType, aH as StandardAuditActions, S as StandardRateLimitPresets, T as TokenRefreshResult, W as WrapperPresets, aj as buildAllowlist, F as buildAuthCookies, Q as buildErrorBody, E as buildKeycloakCallbacks, m as buildPagination, O as buildRateLimitHeaders, av as buildRateLimitResponseHeaders, G as buildRedirectCallback, w as buildTokenRefreshParams, aU as checkEnvVars, ar as checkRateLimit, l as classifyError, f as constantTimeEqual, a as containsHtml, c as containsUrls, aD as createAuditActor, aC as createAuditLogger, ah as createFeatureFlags, au as createMemoryRateLimitStore, aa as createSafeTextSchema, ai as detectStage, e as escapeHtml, aE as extractAuditIp, aG as extractAuditRequestId, aF as extractAuditUserAgent, N as extractClientIp, aR as getBoolEnv, h as getCorrelationId, y as getEndSessionEndpoint, aV as getEnvSummary, aS as getIntEnv, aQ as getOptionalEnv, as as getRateLimitStatus, aP as getRequiredEnv, x as getTokenEndpoint, u as hasAllRoles, t as hasAnyRole, r as hasRole, ak as isAllowlisted, k as isApiError, v as isTokenExpired, q as parseKeycloakRoles, z as refreshKeycloakToken, at as resetRateLimitForKey, aw as resolveIdentifier, M as resolveRateLimitIdentifier, g as sanitizeApiError, s as stripHtml, aT as validateEnvVars } from './index-CkyVz0hQ.mjs';
+import { R as RateLimitStore, a as RateLimitRule, b as RateLimitOptions } from './env-jqNJdZVt.mjs';
+export { as as AllowlistConfig, A as ApiError, k as ApiErrorCode, m as ApiErrorCodeType, o as ApiPaginatedResponse, _ as ApiSecurityConfig, a0 as ApiSecurityContext, n as ApiSuccessResponse, aK as AuditRequest, P as AuthCookiesConfig, W as AuthMethod, aS as BetaClientConfig, C as CommonApiErrors, ay as CommonRateLimits, aj as DateRangeInput, ad as DateRangeSchema, an as DeploymentStage, ah as EmailInput, a6 as EmailSchema, E as EnvValidationConfig, x as EnvValidationResult, ap as FlagDefinition, aq as FlagDefinitions, ao as FlagValue, z as KEYCLOAK_DEFAULT_ROLES, N as KeycloakCallbacksConfig, K as KeycloakConfig, O as KeycloakJwtFields, y as KeycloakTokenSet, al as LoginInput, af as LoginSchema, aF as OpsAuditActor, aH as OpsAuditEvent, aJ as OpsAuditLoggerOptions, aI as OpsAuditRecord, aG as OpsAuditResource, ai as PaginationInput, ac as PaginationSchema, a7 as PasswordSchema, aa as PersonNameSchema, a9 as PhoneSchema, ax as RateLimitCheckResult, Y as RateLimitPreset, S as RedirectCallbackConfig, ar as ResolvedFlags, X as RouteAuditConfig, ak as SearchQueryInput, ae as SearchQuerySchema, $ as SecuritySession, am as SignupInput, ag as SignupSchema, a8 as SlugSchema, aM as StandardAuditActionType, aL as StandardAuditActions, Z as StandardRateLimitPresets, T as TokenRefreshResult, a5 as WrapperPresets, av as buildAllowlist, Q as buildAuthCookies, a4 as buildErrorBody, V as buildKeycloakCallbacks, l as buildPagination, a3 as buildRateLimitHeaders, aD as buildRateLimitResponseHeaders, U as buildRedirectCallback, I as buildTokenRefreshParams, u as checkEnvVars, aA as checkRateLimit, i as classifyError, aY as clearStoredBetaCode, c as constantTimeEqual, f as containsHtml, d as containsUrls, aQ as createAuditActor, aR as createAuditLogger, aT as createBetaClient, au as createFeatureFlags, az as createMemoryRateLimitStore, ab as createSafeTextSchema, at as detectStage, e as escapeHtml, aN as extractAuditIp, aP as extractAuditRequestId, aO as extractAuditUserAgent, a2 as extractClientIp, aU as fetchBetaSettings, r as getBoolEnv, h as getCorrelationId, L as getEndSessionEndpoint, w as getEnvSummary, t as getIntEnv, q as getOptionalEnv, aB as getRateLimitStatus, p as getRequiredEnv, aX as getStoredBetaCode, J as getTokenEndpoint, G as hasAllRoles, F as hasAnyRole, D as hasRole, aw as isAllowlisted, j as isApiError, H as isTokenExpired, B as parseKeycloakRoles, M as refreshKeycloakToken, aC as resetRateLimitForKey, aE as resolveIdentifier, a1 as resolveRateLimitIdentifier, g as sanitizeApiError, aW as storeBetaCode, s as stripHtml, aV as validateBetaCode, v as validateEnvVars } from './env-jqNJdZVt.mjs';
 import 'zod';
+
+/**
+ * Redis Rate Limit Store
+ *
+ * Production-ready `RateLimitStore` implementation using Redis sorted sets
+ * for accurate sliding window rate limiting. Works with ioredis or any
+ * Redis client that supports the required commands.
+ *
+ * @example
+ * ```typescript
+ * import Redis from 'ioredis'
+ * import {
+ *   createRedisRateLimitStore,
+ *   checkRateLimit,
+ *   CommonRateLimits,
+ * } from '@digilogiclabs/platform-core/auth'
+ *
+ * const redis = new Redis(process.env.REDIS_URL)
+ * const store = createRedisRateLimitStore(redis, { keyPrefix: 'myapp:' })
+ *
+ * const result = await checkRateLimit('api-call', 'user:123', CommonRateLimits.apiGeneral, { store })
+ * ```
+ */
+
+/**
+ * Minimal Redis client interface.
+ *
+ * Compatible with ioredis, node-redis v4, and @upstash/redis.
+ * Only the commands used by the rate limiter are required.
+ */
+interface RedisRateLimitClient {
+    zremrangebyscore(key: string, min: number | string, max: number | string): Promise<number>;
+    zadd(key: string, score: number, member: string): Promise<number>;
+    zcard(key: string): Promise<number>;
+    expire(key: string, seconds: number): Promise<number>;
+    get(key: string): Promise<string | null>;
+    ttl(key: string): Promise<number>;
+    setex(key: string, seconds: number, value: string): Promise<string>;
+    del(...keys: string[]): Promise<number>;
+}
+interface RedisRateLimitStoreOptions {
+    /** Prefix for all Redis keys (e.g., 'myapp:') */
+    keyPrefix?: string;
+}
+/**
+ * Create a Redis-backed rate limit store using sorted sets.
+ *
+ * Uses the sliding window algorithm:
+ * - Each request adds a timestamped entry to a sorted set
+ * - Old entries (outside the window) are pruned on each check
+ * - The set cardinality gives the request count
+ *
+ * Blocks use simple key-value with TTL.
+ */
+declare function createRedisRateLimitStore(redis: RedisRateLimitClient, options?: RedisRateLimitStoreOptions): RateLimitStore;
+
+/**
+ * Next.js API Route Helpers
+ *
+ * Shared utilities for Next.js API routes that all apps need.
+ * These wrap platform-core's framework-agnostic primitives into
+ * Next.js-specific patterns (NextResponse, NextRequest).
+ *
+ * @example
+ * ```typescript
+ * import {
+ *   enforceRateLimit,
+ *   zodErrorResponse,
+ *   errorResponse,
+ *   extractBearerToken,
+ *   isValidBearerToken,
+ * } from '@digilogiclabs/platform-core/auth'
+ *
+ * export async function POST(request: NextRequest) {
+ *   const rl = await enforceRateLimit(request, 'submit', CommonRateLimits.publicForm)
+ *   if (rl) return rl
+ *
+ *   const parsed = schema.safeParse(await request.json())
+ *   if (!parsed.success) return zodErrorResponse(parsed.error)
+ *
+ *   try { ... }
+ *   catch (error) { return errorResponse(error) }
+ * }
+ * ```
+ */
+
+/**
+ * Enforce rate limiting on a Next.js API request.
+ *
+ * Returns a 429 NextResponse if the limit is exceeded, or `null` if allowed.
+ * Apps use this at the top of route handlers for early rejection.
+ *
+ * @example
+ * ```typescript
+ * const rateLimited = await enforceRateLimit(request, 'sync', CommonRateLimits.adminAction)
+ * if (rateLimited) return rateLimited
+ * ```
+ */
+declare function enforceRateLimit(request: {
+    headers: {
+        get(name: string): string | null;
+    };
+}, operation: string, rule: RateLimitRule, options?: {
+    /** Override identifier (default: extracted from x-forwarded-for) */
+    identifier?: string;
+    /** User ID for per-user limiting */
+    userId?: string;
+    /** Rate limit store and options */
+    rateLimitOptions?: RateLimitOptions;
+}): Promise<Response | null>;
+/**
+ * Convert any error into a structured JSON response.
+ *
+ * Uses platform-core's `classifyError()` to handle ApiError,
+ * Zod errors, PostgreSQL errors, and generic errors consistently.
+ *
+ * @example
+ * ```typescript
+ * catch (error) {
+ *   return errorResponse(error)
+ * }
+ * ```
+ */
+declare function errorResponse(error: unknown, options?: {
+    isDevelopment?: boolean;
+}): Response;
+/**
+ * Convert a Zod validation error into a user-friendly 400 response.
+ *
+ * Extracts the first issue and returns a clear error message
+ * with the field path (e.g., "email: Invalid email").
+ *
+ * @example
+ * ```typescript
+ * const parsed = schema.safeParse(await request.json())
+ * if (!parsed.success) return zodErrorResponse(parsed.error)
+ * ```
+ */
+declare function zodErrorResponse(error: {
+    issues: Array<{
+        path: (string | number)[];
+        message: string;
+    }>;
+}): Response;
+/**
+ * Extract a bearer token from the Authorization header.
+ *
+ * @returns The token string, or null if not present/malformed.
+ */
+declare function extractBearerToken(request: {
+    headers: {
+        get(name: string): string | null;
+    };
+}): string | null;
+/**
+ * Check if a request's bearer token matches a secret.
+ * Uses timing-safe comparison to prevent timing attacks.
+ *
+ * @example
+ * ```typescript
+ * if (!isValidBearerToken(request, process.env.ADMIN_SECRET)) {
+ *   return new Response('Unauthorized', { status: 401 })
+ * }
+ * ```
+ */
+declare function isValidBearerToken(request: {
+    headers: {
+        get(name: string): string | null;
+    };
+}, secret: string | undefined): boolean;
+
+export { RateLimitOptions, RateLimitRule, RateLimitStore, type RedisRateLimitClient, type RedisRateLimitStoreOptions, createRedisRateLimitStore, enforceRateLimit, errorResponse, extractBearerToken, isValidBearerToken, zodErrorResponse };

package/dist/auth.d.ts

@@ -1,2 +1,175 @@
-export { aq as AllowlistConfig, j as ApiError, A as ApiErrorCode, n as ApiErrorCodeType, p as ApiPaginatedResponse, Z as ApiSecurityConfig, $ as ApiSecurityContext, o as ApiSuccessResponse, aN as AuditRequest, L as AuthCookiesConfig, V as AuthMethod, C as CommonApiErrors, ax as CommonRateLimits, ad as DateRangeInput, a6 as DateRangeSchema, al as DeploymentStage, ab as EmailInput, a0 as EmailSchema, aW as EnvValidationConfig, aX as EnvValidationResult, an as FlagDefinition, ao as FlagDefinitions, am as FlagValue, K as KEYCLOAK_DEFAULT_ROLES, I as KeycloakCallbacksConfig, B as KeycloakConfig, J as KeycloakJwtFields, D as KeycloakTokenSet, af as LoginInput, a8 as LoginSchema, aI as OpsAuditActor, aK as OpsAuditEvent, aM as OpsAuditLoggerOptions, aL as OpsAuditRecord, aJ as OpsAuditResource, ac as PaginationInput, a5 as PaginationSchema, a1 as PasswordSchema, a4 as PersonNameSchema, a3 as PhoneSchema, az as RateLimitCheckResult, aB as RateLimitOptions, Y as RateLimitPreset, ay as RateLimitRule, aA as RateLimitStore, R as RedirectCallbackConfig, ap as ResolvedFlags, X as RouteAuditConfig, ae as SearchQueryInput, a7 as SearchQuerySchema, _ as SecuritySession, ag as SignupInput, a9 as SignupSchema, a2 as SlugSchema, aO as StandardAuditActionType, aH as StandardAuditActions, S as StandardRateLimitPresets, T as TokenRefreshResult, W as WrapperPresets, aj as buildAllowlist, F as buildAuthCookies, Q as buildErrorBody, E as buildKeycloakCallbacks, m as buildPagination, O as buildRateLimitHeaders, av as buildRateLimitResponseHeaders, G as buildRedirectCallback, w as buildTokenRefreshParams, aU as checkEnvVars, ar as checkRateLimit, l as classifyError, f as constantTimeEqual, a as containsHtml, c as containsUrls, aD as createAuditActor, aC as createAuditLogger, ah as createFeatureFlags, au as createMemoryRateLimitStore, aa as createSafeTextSchema, ai as detectStage, e as escapeHtml, aE as extractAuditIp, aG as extractAuditRequestId, aF as extractAuditUserAgent, N as extractClientIp, aR as getBoolEnv, h as getCorrelationId, y as getEndSessionEndpoint, aV as getEnvSummary, aS as getIntEnv, aQ as getOptionalEnv, as as getRateLimitStatus, aP as getRequiredEnv, x as getTokenEndpoint, u as hasAllRoles, t as hasAnyRole, r as hasRole, ak as isAllowlisted, k as isApiError, v as isTokenExpired, q as parseKeycloakRoles, z as refreshKeycloakToken, at as resetRateLimitForKey, aw as resolveIdentifier, M as resolveRateLimitIdentifier, g as sanitizeApiError, s as stripHtml, aT as validateEnvVars } from './index-CkyVz0hQ.js';
+import { R as RateLimitStore, a as RateLimitRule, b as RateLimitOptions } from './env-jqNJdZVt.js';
+export { as as AllowlistConfig, A as ApiError, k as ApiErrorCode, m as ApiErrorCodeType, o as ApiPaginatedResponse, _ as ApiSecurityConfig, a0 as ApiSecurityContext, n as ApiSuccessResponse, aK as AuditRequest, P as AuthCookiesConfig, W as AuthMethod, aS as BetaClientConfig, C as CommonApiErrors, ay as CommonRateLimits, aj as DateRangeInput, ad as DateRangeSchema, an as DeploymentStage, ah as EmailInput, a6 as EmailSchema, E as EnvValidationConfig, x as EnvValidationResult, ap as FlagDefinition, aq as FlagDefinitions, ao as FlagValue, z as KEYCLOAK_DEFAULT_ROLES, N as KeycloakCallbacksConfig, K as KeycloakConfig, O as KeycloakJwtFields, y as KeycloakTokenSet, al as LoginInput, af as LoginSchema, aF as OpsAuditActor, aH as OpsAuditEvent, aJ as OpsAuditLoggerOptions, aI as OpsAuditRecord, aG as OpsAuditResource, ai as PaginationInput, ac as PaginationSchema, a7 as PasswordSchema, aa as PersonNameSchema, a9 as PhoneSchema, ax as RateLimitCheckResult, Y as RateLimitPreset, S as RedirectCallbackConfig, ar as ResolvedFlags, X as RouteAuditConfig, ak as SearchQueryInput, ae as SearchQuerySchema, $ as SecuritySession, am as SignupInput, ag as SignupSchema, a8 as SlugSchema, aM as StandardAuditActionType, aL as StandardAuditActions, Z as StandardRateLimitPresets, T as TokenRefreshResult, a5 as WrapperPresets, av as buildAllowlist, Q as buildAuthCookies, a4 as buildErrorBody, V as buildKeycloakCallbacks, l as buildPagination, a3 as buildRateLimitHeaders, aD as buildRateLimitResponseHeaders, U as buildRedirectCallback, I as buildTokenRefreshParams, u as checkEnvVars, aA as checkRateLimit, i as classifyError, aY as clearStoredBetaCode, c as constantTimeEqual, f as containsHtml, d as containsUrls, aQ as createAuditActor, aR as createAuditLogger, aT as createBetaClient, au as createFeatureFlags, az as createMemoryRateLimitStore, ab as createSafeTextSchema, at as detectStage, e as escapeHtml, aN as extractAuditIp, aP as extractAuditRequestId, aO as extractAuditUserAgent, a2 as extractClientIp, aU as fetchBetaSettings, r as getBoolEnv, h as getCorrelationId, L as getEndSessionEndpoint, w as getEnvSummary, t as getIntEnv, q as getOptionalEnv, aB as getRateLimitStatus, p as getRequiredEnv, aX as getStoredBetaCode, J as getTokenEndpoint, G as hasAllRoles, F as hasAnyRole, D as hasRole, aw as isAllowlisted, j as isApiError, H as isTokenExpired, B as parseKeycloakRoles, M as refreshKeycloakToken, aC as resetRateLimitForKey, aE as resolveIdentifier, a1 as resolveRateLimitIdentifier, g as sanitizeApiError, aW as storeBetaCode, s as stripHtml, aV as validateBetaCode, v as validateEnvVars } from './env-jqNJdZVt.js';
 import 'zod';
+
+/**
+ * Redis Rate Limit Store
+ *
+ * Production-ready `RateLimitStore` implementation using Redis sorted sets
+ * for accurate sliding window rate limiting. Works with ioredis or any
+ * Redis client that supports the required commands.
+ *
+ * @example
+ * ```typescript
+ * import Redis from 'ioredis'
+ * import {
+ *   createRedisRateLimitStore,
+ *   checkRateLimit,
+ *   CommonRateLimits,
+ * } from '@digilogiclabs/platform-core/auth'
+ *
+ * const redis = new Redis(process.env.REDIS_URL)
+ * const store = createRedisRateLimitStore(redis, { keyPrefix: 'myapp:' })
+ *
+ * const result = await checkRateLimit('api-call', 'user:123', CommonRateLimits.apiGeneral, { store })
+ * ```
+ */
+
+/**
+ * Minimal Redis client interface.
+ *
+ * Compatible with ioredis, node-redis v4, and @upstash/redis.
+ * Only the commands used by the rate limiter are required.
+ */
+interface RedisRateLimitClient {
+    zremrangebyscore(key: string, min: number | string, max: number | string): Promise<number>;
+    zadd(key: string, score: number, member: string): Promise<number>;
+    zcard(key: string): Promise<number>;
+    expire(key: string, seconds: number): Promise<number>;
+    get(key: string): Promise<string | null>;
+    ttl(key: string): Promise<number>;
+    setex(key: string, seconds: number, value: string): Promise<string>;
+    del(...keys: string[]): Promise<number>;
+}
+interface RedisRateLimitStoreOptions {
+    /** Prefix for all Redis keys (e.g., 'myapp:') */
+    keyPrefix?: string;
+}
+/**
+ * Create a Redis-backed rate limit store using sorted sets.
+ *
+ * Uses the sliding window algorithm:
+ * - Each request adds a timestamped entry to a sorted set
+ * - Old entries (outside the window) are pruned on each check
+ * - The set cardinality gives the request count
+ *
+ * Blocks use simple key-value with TTL.
+ */
+declare function createRedisRateLimitStore(redis: RedisRateLimitClient, options?: RedisRateLimitStoreOptions): RateLimitStore;
+
+/**
+ * Next.js API Route Helpers
+ *
+ * Shared utilities for Next.js API routes that all apps need.
+ * These wrap platform-core's framework-agnostic primitives into
+ * Next.js-specific patterns (NextResponse, NextRequest).
+ *
+ * @example
+ * ```typescript
+ * import {
+ *   enforceRateLimit,
+ *   zodErrorResponse,
+ *   errorResponse,
+ *   extractBearerToken,
+ *   isValidBearerToken,
+ * } from '@digilogiclabs/platform-core/auth'
+ *
+ * export async function POST(request: NextRequest) {
+ *   const rl = await enforceRateLimit(request, 'submit', CommonRateLimits.publicForm)
+ *   if (rl) return rl
+ *
+ *   const parsed = schema.safeParse(await request.json())
+ *   if (!parsed.success) return zodErrorResponse(parsed.error)
+ *
+ *   try { ... }
+ *   catch (error) { return errorResponse(error) }
+ * }
+ * ```
+ */
+
+/**
+ * Enforce rate limiting on a Next.js API request.
+ *
+ * Returns a 429 NextResponse if the limit is exceeded, or `null` if allowed.
+ * Apps use this at the top of route handlers for early rejection.
+ *
+ * @example
+ * ```typescript
+ * const rateLimited = await enforceRateLimit(request, 'sync', CommonRateLimits.adminAction)
+ * if (rateLimited) return rateLimited
+ * ```
+ */
+declare function enforceRateLimit(request: {
+    headers: {
+        get(name: string): string | null;
+    };
+}, operation: string, rule: RateLimitRule, options?: {
+    /** Override identifier (default: extracted from x-forwarded-for) */
+    identifier?: string;
+    /** User ID for per-user limiting */
+    userId?: string;
+    /** Rate limit store and options */
+    rateLimitOptions?: RateLimitOptions;
+}): Promise<Response | null>;
+/**
+ * Convert any error into a structured JSON response.
+ *
+ * Uses platform-core's `classifyError()` to handle ApiError,
+ * Zod errors, PostgreSQL errors, and generic errors consistently.
+ *
+ * @example
+ * ```typescript
+ * catch (error) {
+ *   return errorResponse(error)
+ * }
+ * ```
+ */
+declare function errorResponse(error: unknown, options?: {
+    isDevelopment?: boolean;
+}): Response;
+/**
+ * Convert a Zod validation error into a user-friendly 400 response.
+ *
+ * Extracts the first issue and returns a clear error message
+ * with the field path (e.g., "email: Invalid email").
+ *
+ * @example
+ * ```typescript
+ * const parsed = schema.safeParse(await request.json())
+ * if (!parsed.success) return zodErrorResponse(parsed.error)
+ * ```
+ */
+declare function zodErrorResponse(error: {
+    issues: Array<{
+        path: (string | number)[];
+        message: string;
+    }>;
+}): Response;
+/**
+ * Extract a bearer token from the Authorization header.
+ *
+ * @returns The token string, or null if not present/malformed.
+ */
+declare function extractBearerToken(request: {
+    headers: {
+        get(name: string): string | null;
+    };
+}): string | null;
+/**
+ * Check if a request's bearer token matches a secret.
+ * Uses timing-safe comparison to prevent timing attacks.
+ *
+ * @example
+ * ```typescript
+ * if (!isValidBearerToken(request, process.env.ADMIN_SECRET)) {
+ *   return new Response('Unauthorized', { status: 401 })
+ * }
+ * ```
+ */
+declare function isValidBearerToken(request: {
+    headers: {
+        get(name: string): string | null;
+    };
+}, secret: string | undefined): boolean;
+
+export { RateLimitOptions, RateLimitRule, RateLimitStore, type RedisRateLimitClient, type RedisRateLimitStoreOptions, createRedisRateLimitStore, enforceRateLimit, errorResponse, extractBearerToken, isValidBearerToken, zodErrorResponse };