@digilogiclabs/platform-core 1.9.0 → 1.10.0

package/dist/auth.d.mts

@@ -1,5 +1,5 @@
-import { R as RateLimitStore, a as RateLimitRule, b as RateLimitOptions } from './env-DHPZR3Lv.mjs';
-export { al as AllowlistConfig, A as ApiError, d as ApiErrorCode, f as ApiErrorCodeType, h as ApiPaginatedResponse, Q as ApiSecurityConfig, V as ApiSecurityContext, g as ApiSuccessResponse, aD as AuditRequest, H as AuthCookiesConfig, N as AuthMethod, aL as BetaClientConfig, C as CommonApiErrors, ar as CommonRateLimits, ac as DateRangeInput, a6 as DateRangeSchema, ag as DeploymentStage, aa as EmailInput, $ as EmailSchema, E as EnvValidationConfig, p as EnvValidationResult, ai as FlagDefinition, aj as FlagDefinitions, ah as FlagValue, r as KEYCLOAK_DEFAULT_ROLES, F as KeycloakCallbacksConfig, K as KeycloakConfig, G as KeycloakJwtFields, q as KeycloakTokenSet, ae as LoginInput, a8 as LoginSchema, ay as OpsAuditActor, aA as OpsAuditEvent, aC as OpsAuditLoggerOptions, aB as OpsAuditRecord, az as OpsAuditResource, ab as PaginationInput, a5 as PaginationSchema, a0 as PasswordSchema, a3 as PersonNameSchema, a2 as PhoneSchema, aq as RateLimitCheckResult, P as RateLimitPreset, J as RedirectCallbackConfig, ak as ResolvedFlags, O as RouteAuditConfig, ad as SearchQueryInput, a7 as SearchQuerySchema, U as SecuritySession, af as SignupInput, a9 as SignupSchema, a1 as SlugSchema, aF as StandardAuditActionType, aE as StandardAuditActions, S as StandardRateLimitPresets, T as TokenRefreshResult, _ as WrapperPresets, ao as buildAllowlist, I as buildAuthCookies, Z as buildErrorBody, M as buildKeycloakCallbacks, e as buildPagination, Y as buildRateLimitHeaders, aw as buildRateLimitResponseHeaders, L as buildRedirectCallback, y as buildTokenRefreshParams, n as checkEnvVars, at as checkRateLimit, c as classifyError, aR as clearStoredBetaCode, aJ as createAuditActor, aK as createAuditLogger, aM as createBetaClient, an as createFeatureFlags, as as createMemoryRateLimitStore, a4 as createSafeTextSchema, am as detectStage, aG as extractAuditIp, aI as extractAuditRequestId, aH as extractAuditUserAgent, X as extractClientIp, aN as fetchBetaSettings, l as getBoolEnv, B as getEndSessionEndpoint, o as getEnvSummary, m as getIntEnv, k as getOptionalEnv, au as getRateLimitStatus, j as getRequiredEnv, aQ as getStoredBetaCode, z as getTokenEndpoint, w as hasAllRoles, u as hasAnyRole, t as hasRole, ap as isAllowlisted, i as isApiError, x as isTokenExpired, s as parseKeycloakRoles, D as refreshKeycloakToken, av as resetRateLimitForKey, ax as resolveIdentifier, W as resolveRateLimitIdentifier, aP as storeBetaCode, aO as validateBetaCode, v as validateEnvVars } from './env-DHPZR3Lv.mjs';
+import { R as RateLimitStore, a as RateLimitRule, b as RateLimitOptions } from './env-CYKVNpLl.mjs';
+export { al as AllowlistConfig, A as ApiError, d as ApiErrorCode, f as ApiErrorCodeType, h as ApiPaginatedResponse, Q as ApiSecurityConfig, V as ApiSecurityContext, g as ApiSuccessResponse, aD as AuditRequest, H as AuthCookiesConfig, N as AuthMethod, aL as BetaClientConfig, C as CommonApiErrors, ar as CommonRateLimits, ac as DateRangeInput, a6 as DateRangeSchema, ag as DeploymentStage, aa as EmailInput, $ as EmailSchema, E as EnvValidationConfig, p as EnvValidationResult, ai as FlagDefinition, aj as FlagDefinitions, ah as FlagValue, r as KEYCLOAK_DEFAULT_ROLES, F as KeycloakCallbacksConfig, K as KeycloakConfig, G as KeycloakJwtFields, q as KeycloakTokenSet, ae as LoginInput, a8 as LoginSchema, ay as OpsAuditActor, aA as OpsAuditEvent, aC as OpsAuditLoggerOptions, aB as OpsAuditRecord, az as OpsAuditResource, ab as PaginationInput, a5 as PaginationSchema, a0 as PasswordSchema, a3 as PersonNameSchema, a2 as PhoneSchema, aq as RateLimitCheckResult, P as RateLimitPreset, J as RedirectCallbackConfig, ak as ResolvedFlags, O as RouteAuditConfig, ad as SearchQueryInput, a7 as SearchQuerySchema, U as SecuritySession, af as SignupInput, a9 as SignupSchema, a1 as SlugSchema, aF as StandardAuditActionType, aE as StandardAuditActions, S as StandardRateLimitPresets, T as TokenRefreshResult, _ as WrapperPresets, ao as buildAllowlist, I as buildAuthCookies, Z as buildErrorBody, M as buildKeycloakCallbacks, e as buildPagination, Y as buildRateLimitHeaders, aw as buildRateLimitResponseHeaders, L as buildRedirectCallback, y as buildTokenRefreshParams, n as checkEnvVars, at as checkRateLimit, c as classifyError, aR as clearStoredBetaCode, aJ as createAuditActor, aK as createAuditLogger, aM as createBetaClient, an as createFeatureFlags, as as createMemoryRateLimitStore, a4 as createSafeTextSchema, am as detectStage, aG as extractAuditIp, aI as extractAuditRequestId, aH as extractAuditUserAgent, X as extractClientIp, aN as fetchBetaSettings, l as getBoolEnv, B as getEndSessionEndpoint, o as getEnvSummary, m as getIntEnv, k as getOptionalEnv, au as getRateLimitStatus, j as getRequiredEnv, aQ as getStoredBetaCode, z as getTokenEndpoint, w as hasAllRoles, u as hasAnyRole, t as hasRole, ap as isAllowlisted, i as isApiError, x as isTokenExpired, s as parseKeycloakRoles, D as refreshKeycloakToken, av as resetRateLimitForKey, ax as resolveIdentifier, W as resolveRateLimitIdentifier, aP as storeBetaCode, aO as validateBetaCode, v as validateEnvVars } from './env-CYKVNpLl.mjs';
 export { c as constantTimeEqual, b as containsHtml, a as containsUrls, e as escapeHtml, g as getCorrelationId, d as sanitizeApiError, s as stripHtml } from './security-BvLXaQkv.mjs';
 import 'zod';
 
@@ -172,5 +172,117 @@ declare function isValidBearerToken(request: {
         get(name: string): string | null;
     };
 }, secret: string | undefined): boolean;
+/**
+ * Verify cron/sync endpoint authentication using a bearer token.
+ *
+ * Extracts the Bearer token from the Authorization header and compares
+ * it against `CRON_SECRET` (or a custom secret) using timing-safe comparison.
+ * Returns a 401/500 Response on failure, or `null` on success.
+ *
+ * @param request - Incoming request (must have headers.get)
+ * @param secret - Custom secret to compare against. Defaults to `process.env.CRON_SECRET`.
+ * @returns `null` if authorized, or a JSON Response (401/500) if not.
+ *
+ * @example
+ * ```typescript
+ * export async function POST(request: NextRequest) {
+ *   const authError = verifyCronAuth(request)
+ *   if (authError) return authError
+ *   // ... handle cron job
+ * }
+ * ```
+ */
+declare function verifyCronAuth(request: {
+    headers: {
+        get(name: string): string | null;
+    };
+}, secret?: string): Response | null;
+/**
+ * Extract the client IP address from a request, checking proxy headers.
+ *
+ * Checks in order:
+ * 1. `cf-connecting-ip` (Cloudflare)
+ * 2. `x-real-ip` (Nginx)
+ * 3. `x-forwarded-for` (first IP from comma-separated list)
+ * 4. Falls back to `'unknown'`
+ *
+ * @example
+ * ```typescript
+ * const ip = getClientIp(request)
+ * await auditLog({ action: 'login', ip })
+ * ```
+ */
+declare function getClientIp(request: {
+    headers: {
+        get(name: string): string | null;
+    };
+}): string;
+/** Shape expected by rate limit response helpers. */
+interface RateLimitResult {
+    limit: number;
+    remaining: number;
+    resetMs: number;
+}
+/**
+ * Create a 429 "Too Many Requests" response with RFC-compliant rate limit headers.
+ *
+ * @example
+ * ```typescript
+ * if (!result.allowed) {
+ *   return rateLimitResponse(result)
+ * }
+ * ```
+ */
+declare function rateLimitResponse(result: RateLimitResult): Response;
+/**
+ * Add rate limit headers to an existing response.
+ *
+ * Use this to attach rate limit info to successful responses so clients
+ * can see their remaining quota.
+ *
+ * @example
+ * ```typescript
+ * const response = new Response(JSON.stringify(data), { status: 200 })
+ * return addRateLimitHeaders(response, result)
+ * ```
+ */
+declare function addRateLimitHeaders(response: Response, result: RateLimitResult): Response;
+/**
+ * Safe Zod validation — returns { success, data?, errors? } without throwing.
+ * Useful for API routes where you want to return validation errors as JSON.
+ *
+ * Uses structural typing for the schema parameter so platform-core
+ * doesn't depend on Zod directly.
+ *
+ * @example
+ * ```typescript
+ * const result = safeValidate(MySchema, await request.json())
+ * if (!result.success) {
+ *   return new Response(JSON.stringify({ errors: result.errors }), { status: 400 })
+ * }
+ * const data = result.data // fully typed
+ * ```
+ */
+declare function safeValidate<T>(schema: {
+    safeParse: (data: unknown) => {
+        success: boolean;
+        data?: T;
+        error?: {
+            issues: Array<{
+                path: (string | number)[];
+                message: string;
+            }>;
+        };
+    };
+}, data: unknown): {
+    success: true;
+    data: T;
+} | {
+    success: false;
+    errors: Array<{
+        field: string;
+        message: string;
+    }>;
+};
 
-export { RateLimitOptions, RateLimitRule, RateLimitStore, type RedisRateLimitClient, type RedisRateLimitStoreOptions, createRedisRateLimitStore, enforceRateLimit, errorResponse, extractBearerToken, isValidBearerToken, zodErrorResponse };
+export { RateLimitOptions, type RateLimitResult, RateLimitRule, RateLimitStore, type RedisRateLimitClient, type RedisRateLimitStoreOptions, addRateLimitHeaders, createRedisRateLimitStore, enforceRateLimit, errorResponse, extractBearerToken, getClientIp, isValidBearerToken, rateLimitResponse, safeValidate, verifyCronAuth, zodErrorResponse };

package/dist/auth.d.ts

@@ -1,5 +1,5 @@
-import { R as RateLimitStore, a as RateLimitRule, b as RateLimitOptions } from './env-DHPZR3Lv.js';
-export { al as AllowlistConfig, A as ApiError, d as ApiErrorCode, f as ApiErrorCodeType, h as ApiPaginatedResponse, Q as ApiSecurityConfig, V as ApiSecurityContext, g as ApiSuccessResponse, aD as AuditRequest, H as AuthCookiesConfig, N as AuthMethod, aL as BetaClientConfig, C as CommonApiErrors, ar as CommonRateLimits, ac as DateRangeInput, a6 as DateRangeSchema, ag as DeploymentStage, aa as EmailInput, $ as EmailSchema, E as EnvValidationConfig, p as EnvValidationResult, ai as FlagDefinition, aj as FlagDefinitions, ah as FlagValue, r as KEYCLOAK_DEFAULT_ROLES, F as KeycloakCallbacksConfig, K as KeycloakConfig, G as KeycloakJwtFields, q as KeycloakTokenSet, ae as LoginInput, a8 as LoginSchema, ay as OpsAuditActor, aA as OpsAuditEvent, aC as OpsAuditLoggerOptions, aB as OpsAuditRecord, az as OpsAuditResource, ab as PaginationInput, a5 as PaginationSchema, a0 as PasswordSchema, a3 as PersonNameSchema, a2 as PhoneSchema, aq as RateLimitCheckResult, P as RateLimitPreset, J as RedirectCallbackConfig, ak as ResolvedFlags, O as RouteAuditConfig, ad as SearchQueryInput, a7 as SearchQuerySchema, U as SecuritySession, af as SignupInput, a9 as SignupSchema, a1 as SlugSchema, aF as StandardAuditActionType, aE as StandardAuditActions, S as StandardRateLimitPresets, T as TokenRefreshResult, _ as WrapperPresets, ao as buildAllowlist, I as buildAuthCookies, Z as buildErrorBody, M as buildKeycloakCallbacks, e as buildPagination, Y as buildRateLimitHeaders, aw as buildRateLimitResponseHeaders, L as buildRedirectCallback, y as buildTokenRefreshParams, n as checkEnvVars, at as checkRateLimit, c as classifyError, aR as clearStoredBetaCode, aJ as createAuditActor, aK as createAuditLogger, aM as createBetaClient, an as createFeatureFlags, as as createMemoryRateLimitStore, a4 as createSafeTextSchema, am as detectStage, aG as extractAuditIp, aI as extractAuditRequestId, aH as extractAuditUserAgent, X as extractClientIp, aN as fetchBetaSettings, l as getBoolEnv, B as getEndSessionEndpoint, o as getEnvSummary, m as getIntEnv, k as getOptionalEnv, au as getRateLimitStatus, j as getRequiredEnv, aQ as getStoredBetaCode, z as getTokenEndpoint, w as hasAllRoles, u as hasAnyRole, t as hasRole, ap as isAllowlisted, i as isApiError, x as isTokenExpired, s as parseKeycloakRoles, D as refreshKeycloakToken, av as resetRateLimitForKey, ax as resolveIdentifier, W as resolveRateLimitIdentifier, aP as storeBetaCode, aO as validateBetaCode, v as validateEnvVars } from './env-DHPZR3Lv.js';
+import { R as RateLimitStore, a as RateLimitRule, b as RateLimitOptions } from './env-CYKVNpLl.js';
+export { al as AllowlistConfig, A as ApiError, d as ApiErrorCode, f as ApiErrorCodeType, h as ApiPaginatedResponse, Q as ApiSecurityConfig, V as ApiSecurityContext, g as ApiSuccessResponse, aD as AuditRequest, H as AuthCookiesConfig, N as AuthMethod, aL as BetaClientConfig, C as CommonApiErrors, ar as CommonRateLimits, ac as DateRangeInput, a6 as DateRangeSchema, ag as DeploymentStage, aa as EmailInput, $ as EmailSchema, E as EnvValidationConfig, p as EnvValidationResult, ai as FlagDefinition, aj as FlagDefinitions, ah as FlagValue, r as KEYCLOAK_DEFAULT_ROLES, F as KeycloakCallbacksConfig, K as KeycloakConfig, G as KeycloakJwtFields, q as KeycloakTokenSet, ae as LoginInput, a8 as LoginSchema, ay as OpsAuditActor, aA as OpsAuditEvent, aC as OpsAuditLoggerOptions, aB as OpsAuditRecord, az as OpsAuditResource, ab as PaginationInput, a5 as PaginationSchema, a0 as PasswordSchema, a3 as PersonNameSchema, a2 as PhoneSchema, aq as RateLimitCheckResult, P as RateLimitPreset, J as RedirectCallbackConfig, ak as ResolvedFlags, O as RouteAuditConfig, ad as SearchQueryInput, a7 as SearchQuerySchema, U as SecuritySession, af as SignupInput, a9 as SignupSchema, a1 as SlugSchema, aF as StandardAuditActionType, aE as StandardAuditActions, S as StandardRateLimitPresets, T as TokenRefreshResult, _ as WrapperPresets, ao as buildAllowlist, I as buildAuthCookies, Z as buildErrorBody, M as buildKeycloakCallbacks, e as buildPagination, Y as buildRateLimitHeaders, aw as buildRateLimitResponseHeaders, L as buildRedirectCallback, y as buildTokenRefreshParams, n as checkEnvVars, at as checkRateLimit, c as classifyError, aR as clearStoredBetaCode, aJ as createAuditActor, aK as createAuditLogger, aM as createBetaClient, an as createFeatureFlags, as as createMemoryRateLimitStore, a4 as createSafeTextSchema, am as detectStage, aG as extractAuditIp, aI as extractAuditRequestId, aH as extractAuditUserAgent, X as extractClientIp, aN as fetchBetaSettings, l as getBoolEnv, B as getEndSessionEndpoint, o as getEnvSummary, m as getIntEnv, k as getOptionalEnv, au as getRateLimitStatus, j as getRequiredEnv, aQ as getStoredBetaCode, z as getTokenEndpoint, w as hasAllRoles, u as hasAnyRole, t as hasRole, ap as isAllowlisted, i as isApiError, x as isTokenExpired, s as parseKeycloakRoles, D as refreshKeycloakToken, av as resetRateLimitForKey, ax as resolveIdentifier, W as resolveRateLimitIdentifier, aP as storeBetaCode, aO as validateBetaCode, v as validateEnvVars } from './env-CYKVNpLl.js';
 export { c as constantTimeEqual, b as containsHtml, a as containsUrls, e as escapeHtml, g as getCorrelationId, d as sanitizeApiError, s as stripHtml } from './security-BvLXaQkv.js';
 import 'zod';
 
@@ -172,5 +172,117 @@ declare function isValidBearerToken(request: {
         get(name: string): string | null;
     };
 }, secret: string | undefined): boolean;
+/**
+ * Verify cron/sync endpoint authentication using a bearer token.
+ *
+ * Extracts the Bearer token from the Authorization header and compares
+ * it against `CRON_SECRET` (or a custom secret) using timing-safe comparison.
+ * Returns a 401/500 Response on failure, or `null` on success.
+ *
+ * @param request - Incoming request (must have headers.get)
+ * @param secret - Custom secret to compare against. Defaults to `process.env.CRON_SECRET`.
+ * @returns `null` if authorized, or a JSON Response (401/500) if not.
+ *
+ * @example
+ * ```typescript
+ * export async function POST(request: NextRequest) {
+ *   const authError = verifyCronAuth(request)
+ *   if (authError) return authError
+ *   // ... handle cron job
+ * }
+ * ```
+ */
+declare function verifyCronAuth(request: {
+    headers: {
+        get(name: string): string | null;
+    };
+}, secret?: string): Response | null;
+/**
+ * Extract the client IP address from a request, checking proxy headers.
+ *
+ * Checks in order:
+ * 1. `cf-connecting-ip` (Cloudflare)
+ * 2. `x-real-ip` (Nginx)
+ * 3. `x-forwarded-for` (first IP from comma-separated list)
+ * 4. Falls back to `'unknown'`
+ *
+ * @example
+ * ```typescript
+ * const ip = getClientIp(request)
+ * await auditLog({ action: 'login', ip })
+ * ```
+ */
+declare function getClientIp(request: {
+    headers: {
+        get(name: string): string | null;
+    };
+}): string;
+/** Shape expected by rate limit response helpers. */
+interface RateLimitResult {
+    limit: number;
+    remaining: number;
+    resetMs: number;
+}
+/**
+ * Create a 429 "Too Many Requests" response with RFC-compliant rate limit headers.
+ *
+ * @example
+ * ```typescript
+ * if (!result.allowed) {
+ *   return rateLimitResponse(result)
+ * }
+ * ```
+ */
+declare function rateLimitResponse(result: RateLimitResult): Response;
+/**
+ * Add rate limit headers to an existing response.
+ *
+ * Use this to attach rate limit info to successful responses so clients
+ * can see their remaining quota.
+ *
+ * @example
+ * ```typescript
+ * const response = new Response(JSON.stringify(data), { status: 200 })
+ * return addRateLimitHeaders(response, result)
+ * ```
+ */
+declare function addRateLimitHeaders(response: Response, result: RateLimitResult): Response;
+/**
+ * Safe Zod validation — returns { success, data?, errors? } without throwing.
+ * Useful for API routes where you want to return validation errors as JSON.
+ *
+ * Uses structural typing for the schema parameter so platform-core
+ * doesn't depend on Zod directly.
+ *
+ * @example
+ * ```typescript
+ * const result = safeValidate(MySchema, await request.json())
+ * if (!result.success) {
+ *   return new Response(JSON.stringify({ errors: result.errors }), { status: 400 })
+ * }
+ * const data = result.data // fully typed
+ * ```
+ */
+declare function safeValidate<T>(schema: {
+    safeParse: (data: unknown) => {
+        success: boolean;
+        data?: T;
+        error?: {
+            issues: Array<{
+                path: (string | number)[];
+                message: string;
+            }>;
+        };
+    };
+}, data: unknown): {
+    success: true;
+    data: T;
+} | {
+    success: false;
+    errors: Array<{
+        field: string;
+        message: string;
+    }>;
+};
 
-export { RateLimitOptions, RateLimitRule, RateLimitStore, type RedisRateLimitClient, type RedisRateLimitStoreOptions, createRedisRateLimitStore, enforceRateLimit, errorResponse, extractBearerToken, isValidBearerToken, zodErrorResponse };
+export { RateLimitOptions, type RateLimitResult, RateLimitRule, RateLimitStore, type RedisRateLimitClient, type RedisRateLimitStoreOptions, addRateLimitHeaders, createRedisRateLimitStore, enforceRateLimit, errorResponse, extractBearerToken, getClientIp, isValidBearerToken, rateLimitResponse, safeValidate, verifyCronAuth, zodErrorResponse };

package/dist/auth.js

@@ -38,6 +38,7 @@ __export(auth_exports, {
   StandardAuditActions: () => StandardAuditActions,
   StandardRateLimitPresets: () => StandardRateLimitPresets,
   WrapperPresets: () => WrapperPresets,
+  addRateLimitHeaders: () => addRateLimitHeaders,
   buildAllowlist: () => buildAllowlist,
   buildAuthCookies: () => buildAuthCookies,
   buildErrorBody: () => buildErrorBody,
@@ -72,6 +73,7 @@ __export(auth_exports, {
   extractClientIp: () => extractClientIp,
   fetchBetaSettings: () => fetchBetaSettings,
   getBoolEnv: () => getBoolEnv,
+  getClientIp: () => getClientIp,
   getCorrelationId: () => getCorrelationId,
   getEndSessionEndpoint: () => getEndSessionEndpoint,
   getEnvSummary: () => getEnvSummary,
@@ -89,15 +91,18 @@ __export(auth_exports, {
   isTokenExpired: () => isTokenExpired,
   isValidBearerToken: () => isValidBearerToken,
   parseKeycloakRoles: () => parseKeycloakRoles,
+  rateLimitResponse: () => rateLimitResponse,
   refreshKeycloakToken: () => refreshKeycloakToken,
   resetRateLimitForKey: () => resetRateLimitForKey,
   resolveIdentifier: () => resolveIdentifier,
   resolveRateLimitIdentifier: () => resolveRateLimitIdentifier,
+  safeValidate: () => safeValidate,
   sanitizeApiError: () => sanitizeApiError,
   storeBetaCode: () => storeBetaCode,
   stripHtml: () => stripHtml,
   validateBetaCode: () => validateBetaCode,
   validateEnvVars: () => validateEnvVars,
+  verifyCronAuth: () => verifyCronAuth,
   zodErrorResponse: () => zodErrorResponse
 });
 module.exports = __toCommonJS(auth_exports);
@@ -666,6 +671,12 @@ var CommonRateLimits = {
     limit: 10,
     windowSeconds: 3600,
     blockDurationSeconds: 3600
+  },
+  /** Beta code validation: 5/min with 5min block (prevents brute force guessing) */
+  betaValidation: {
+    limit: 5,
+    windowSeconds: 60,
+    blockDurationSeconds: 300
   }
 };
 function createMemoryRateLimitStore() {
@@ -1209,6 +1220,71 @@ function isValidBearerToken(request, secret) {
   if (!token) return false;
   return constantTimeEqual(token, secret);
 }
+function verifyCronAuth(request, secret) {
+  const authHeader = request.headers.get("authorization");
+  if (!authHeader?.startsWith("Bearer ")) {
+    return new Response(
+      JSON.stringify({ error: "Missing authorization" }),
+      { status: 401, headers: { "Content-Type": "application/json" } }
+    );
+  }
+  const token = authHeader.slice(7);
+  const expectedSecret = secret ?? process.env.CRON_SECRET;
+  if (!expectedSecret) {
+    console.error("[verifyCronAuth] CRON_SECRET not configured");
+    return new Response(
+      JSON.stringify({ error: "Server configuration error" }),
+      { status: 500, headers: { "Content-Type": "application/json" } }
+    );
+  }
+  if (!constantTimeEqual(token, expectedSecret)) {
+    return new Response(
+      JSON.stringify({ error: "Invalid authorization" }),
+      { status: 401, headers: { "Content-Type": "application/json" } }
+    );
+  }
+  return null;
+}
+function getClientIp(request) {
+  return request.headers.get("cf-connecting-ip") || request.headers.get("x-real-ip") || request.headers.get("x-forwarded-for")?.split(",")[0]?.trim() || "unknown";
+}
+function rateLimitResponse(result) {
+  const retryAfter = Math.ceil(result.resetMs / 1e3);
+  const resetTimestamp = Math.ceil(Date.now() / 1e3 + result.resetMs / 1e3);
+  return new Response(
+    JSON.stringify({ error: "Too many requests", retryAfter }),
+    {
+      status: 429,
+      headers: {
+        "Content-Type": "application/json",
+        "X-RateLimit-Limit": String(result.limit),
+        "X-RateLimit-Remaining": "0",
+        "X-RateLimit-Reset": String(resetTimestamp),
+        "Retry-After": String(retryAfter)
+      }
+    }
+  );
+}
+function addRateLimitHeaders(response, result) {
+  const resetTimestamp = Math.ceil(Date.now() / 1e3 + result.resetMs / 1e3);
+  response.headers.set("X-RateLimit-Limit", String(result.limit));
+  response.headers.set("X-RateLimit-Remaining", String(result.remaining));
+  response.headers.set("X-RateLimit-Reset", String(resetTimestamp));
+  return response;
+}
+function safeValidate(schema, data) {
+  const result = schema.safeParse(data);
+  if (result.success) {
+    return { success: true, data: result.data };
+  }
+  return {
+    success: false,
+    errors: (result.error?.issues || []).map((issue) => ({
+      field: issue.path.join("."),
+      message: issue.message
+    }))
+  };
+}
 
 // src/auth/beta-client.ts
 var DEFAULT_CONFIG = {
@@ -1427,6 +1503,7 @@ function getEnvSummary(keys) {
   StandardAuditActions,
   StandardRateLimitPresets,
   WrapperPresets,
+  addRateLimitHeaders,
   buildAllowlist,
   buildAuthCookies,
   buildErrorBody,
@@ -1461,6 +1538,7 @@ function getEnvSummary(keys) {
   extractClientIp,
   fetchBetaSettings,
   getBoolEnv,
+  getClientIp,
   getCorrelationId,
   getEndSessionEndpoint,
   getEnvSummary,
@@ -1478,15 +1556,18 @@ function getEnvSummary(keys) {
   isTokenExpired,
   isValidBearerToken,
   parseKeycloakRoles,
+  rateLimitResponse,
   refreshKeycloakToken,
   resetRateLimitForKey,
   resolveIdentifier,
   resolveRateLimitIdentifier,
+  safeValidate,
   sanitizeApiError,
   storeBetaCode,
   stripHtml,
   validateBetaCode,
   validateEnvVars,
+  verifyCronAuth,
   zodErrorResponse
 });
 //# sourceMappingURL=auth.js.map