@forklaunch/core 0.19.5 → 1.0.2

package/lib/http/index.d.ts

@@ -3,8 +3,8 @@ export { ParsedQs } from 'qs';
 import { Prettify, SanitizePathSlashes, PrettyCamelCase, TypeSafeFunction, UnionToIntersection, EmptyObject } from '@forklaunch/common';
 import { AnySchemaValidator } from '@forklaunch/validator';
 import { ServerOptions, IncomingMessage, ServerResponse } from 'node:http';
-import { M as Method, P as PathParamHttpContractDetails, H as HttpContractDetails, E as ExpressLikeRouterOptions, a as SessionObject, b as ParamsObject, R as ResponsesObject, B as Body, Q as QueryObject, c as HeadersObject, V as VersionSchema, d as SchemaAuthMethods, e as ExpressLikeSchemaHandler, f as ResolvedSessionObject, C as ContractDetails, g as PathMatch, L as LiveTypeFunction, h as LiveSdkFunction, A as AuthMethodsBase, O as OpenTelemetryCollector, i as MetricsDefinition, j as ExpressLikeApplicationOptions, k as ParamsDictionary, l as VersionedRequests, m as AuthMethods, D as DecodeResource, n as BasicAuthMethods, F as ForklaunchRequest, o as MiddlewareContractDetails, p as ExpressLikeSchemaAuthMapper, q as ForklaunchNextFunction, r as ForklaunchResponse, s as ForklaunchResHeaders, t as ForklaunchStatusResponse, u as ForklaunchSendableData, T as TelemetryOptions, v as LoggerMeta, w as LogFn } from '../apiDefinition.types-DnUkFmfT.js';
-export { x as BodyObject, y as DefaultSubscriptionData, z as DocsConfiguration, G as ErrorContainer, I as ExpressLikeAuthMapper, J as ExpressLikeGlobalAuthOptions, K as ExpressLikeHandler, N as ExpressLikeSchemaGlobalAuthOptions, U as ExtractBody, W as ExtractContentType, X as ExtractResponseBody, Y as ExtractedParamsObject, Z as FileBody, _ as ForklaunchBaseRequest, $ as ForklaunchResErrors, a0 as HmacMethods, a1 as HttpMethod, a2 as JsonBody, a3 as JwtAuthMethods, a4 as LiveTypeFunctionRequestInit, a5 as MapParamsSchema, a6 as MapReqBodySchema, a7 as MapReqHeadersSchema, a8 as MapReqQuerySchema, a9 as MapResBodyMapSchema, aa as MapResHeadersSchema, ab as MapSchema, ac as MapSessionSchema, ad as MapVersionedReqsSchema, ae as MapVersionedRespsSchema, af as MetricType, ag as MultipartForm, ah as NumberOnlyObject, ai as PathParamMethod, aj as RawTypedResponseBody, ak as RequestContext, al as ResolvedForklaunchAuthRequest, am as ResolvedForklaunchRequest, an as ResolvedForklaunchResponse, ao as ResponseBody, ap as ResponseCompiledSchema, aq as ResponseShape, ar as ServerSentEventBody, S as StringOnlyObject, as as TextBody, at as TypedBody, au as TypedRequestBody, av as TypedResponseBody, aw as UnknownBody, ax as UnknownResponseBody, ay as UrlEncodedForm, az as VersionedResponses, aA as httpRequestsTotalCounter, aB as httpServerDurationHistogram } from '../apiDefinition.types-DnUkFmfT.js';
+import { M as Method, P as PathParamHttpContractDetails, H as HttpContractDetails, E as ExpressLikeRouterOptions, a as SessionObject, b as ParamsObject, R as ResponsesObject, B as Body, Q as QueryObject, c as HeadersObject, V as VersionSchema, d as SchemaAuthMethods, e as ExpressLikeSchemaHandler, f as ResolvedSessionObject, C as ContractDetails, g as PathMatch, L as LiveTypeFunction, h as LiveSdkFunction, A as AuthMethodsBase, O as OpenTelemetryCollector, i as MetricsDefinition, j as ExpressLikeApplicationOptions, k as ParamsDictionary, l as VersionedRequests, m as AuthMethods, D as DecodeResource, n as BasicAuthMethods, F as ForklaunchRequest, o as MiddlewareContractDetails, p as ExpressLikeSchemaAuthMapper, q as ForklaunchNextFunction, r as ForklaunchResponse, s as ForklaunchResHeaders, t as ForklaunchStatusResponse, u as ForklaunchSendableData, T as TelemetryOptions, v as LoggerMeta, w as LogFn } from '../apiDefinition.types-Br0fDuBQ.js';
+export { x as AccessLevel, y as BodyObject, z as DefaultSubscriptionData, G as DocsConfiguration, I as ErrorContainer, J as ExpressLikeAuthMapper, K as ExpressLikeGlobalAuthOptions, N as ExpressLikeHandler, U as ExpressLikeSchemaGlobalAuthOptions, W as ExtractBody, X as ExtractContentType, Y as ExtractResponseBody, Z as ExtractedParamsObject, _ as FileBody, $ as ForklaunchBaseRequest, a0 as ForklaunchResErrors, a1 as HmacMethods, a2 as HttpMethod, a3 as JsonBody, a4 as JwtAuthMethods, a5 as LiveTypeFunctionRequestInit, a6 as MapParamsSchema, a7 as MapReqBodySchema, a8 as MapReqHeadersSchema, a9 as MapReqQuerySchema, aa as MapResBodyMapSchema, ab as MapResHeadersSchema, ac as MapSchema, ad as MapSessionSchema, ae as MapVersionedReqsSchema, af as MapVersionedRespsSchema, ag as MetricType, ah as MultipartForm, ai as NumberOnlyObject, aj as PathParamMethod, ak as PermissionSet, al as RawTypedResponseBody, am as RequestContext, an as ResolvedForklaunchAuthRequest, ao as ResolvedForklaunchRequest, ap as ResolvedForklaunchResponse, aq as ResponseBody, ar as ResponseCompiledSchema, as as ResponseShape, at as RoleSet, au as ServerSentEventBody, S as StringOnlyObject, av as TextBody, aw as TypedBody, ax as TypedRequestBody, ay as TypedResponseBody, az as UnknownBody, aA as UnknownResponseBody, aB as UrlEncodedForm, aC as VersionedResponses, aD as httpRequestsTotalCounter, aE as httpServerDurationHistogram } from '../apiDefinition.types-Br0fDuBQ.js';
 import { JWTPayload, JWK } from 'jose';
 import { ZodSchemaValidator } from '@forklaunch/validator/zod';
 import { FastMCP } from 'fastmcp';
@@ -13,6 +13,7 @@ import { OpenAPIObject } from 'openapi3-ts/oas31';
 import pino, { LevelWithSilentOrString, LevelWithSilent } from 'pino';
 export { LevelWithSilent, LevelWithSilentOrString, Logger } from 'pino';
 import { AnyValueMap } from '@opentelemetry/api-logs';
+import { T as TtlCache } from '../ttlCache.interface-DClm-lSa.js';
 export { ATTR_HTTP_REQUEST_METHOD, ATTR_HTTP_RESPONSE_STATUS_CODE, ATTR_HTTP_ROUTE, ATTR_SERVICE_NAME } from '@opentelemetry/semantic-conventions';
 import '@opentelemetry/api';
 import 'stream';
@@ -1125,6 +1126,25 @@ declare function discriminateResponseBodies<SV extends AnySchemaValidator>(schem
     schema: SV["_ValidSchemaObject"];
 }>;
 
+type AuditEntry = {
+    timestamp: string;
+    userId: string | null;
+    tenantId: string | null;
+    route: string;
+    method: string;
+    bodyHash: string;
+    status: number;
+    duration: number;
+    redactedFields: string[];
+    eventType: 'http' | 'ws' | 'auth_failure' | 'rate_limit' | 'rbac_deny' | 'super_admin_bypass';
+};
+declare class AuditLogger {
+    #private;
+    constructor(otel: OpenTelemetryCollector<MetricsDefinition>);
+    append(entry: AuditEntry): void;
+    static hashBody(body: string | Buffer | undefined | null): string;
+}
+
 declare const ATTR_API_NAME = "api.name";
 declare const ATTR_CORRELATION_ID = "correlation.id";
 declare const ATTR_APPLICATION_ID = "application_id";
@@ -1158,4 +1178,69 @@ declare function logger(level: LevelWithSilentOrString, meta?: AnyValueMap): Pin
 
 declare function recordMetric<SV extends AnySchemaValidator, P extends ParamsDictionary, ReqBody extends Record<string, unknown>, ReqQuery extends ParsedQs, ResBodyMap extends Record<string, unknown>, ReqHeaders extends Record<string, string>, ResHeaders extends Record<string, unknown>, LocalsObj extends Record<string, unknown>, VersionedReqs extends VersionedRequests, SessionSchema extends Record<string, unknown>>(req: ForklaunchRequest<SV, P, ReqBody, ReqQuery, ReqHeaders, Extract<keyof VersionedReqs, string>, SessionSchema>, res: ForklaunchResponse<unknown, ResBodyMap, ResHeaders, LocalsObj, Extract<keyof VersionedReqs, string>>): void;
 
-export { ATTR_API_NAME, ATTR_APPLICATION_ID, ATTR_CORRELATION_ID, AuthMethods, AuthMethodsBase, BasicAuthMethods, Body, type ClusterConfig, type ConstrainedForklaunchRouter, ContractDetails, type ContractDetailsExpressLikeSchemaHandler, type ContractDetailsOrMiddlewareOrTypedHandler, DecodeResource, ExpressLikeApplicationOptions, type ExpressLikeRouter, ExpressLikeRouterOptions, ExpressLikeSchemaAuthMapper, ExpressLikeSchemaHandler, type ExpressLikeTypedHandler, type ExtractLiveTypeFn, type FetchFunction, ForklaunchExpressLikeApplication, ForklaunchExpressLikeRouter, ForklaunchNextFunction, ForklaunchRequest, ForklaunchResHeaders, ForklaunchResponse, type ForklaunchRoute, type ForklaunchRouter, ForklaunchSendableData, ForklaunchStatusResponse, HTTPStatuses, HeadersObject, HttpContractDetails, LiveSdkFunction, LiveTypeFunction, type LiveTypeRouteDefinition, LogFn, LoggerMeta, type MapHandlerToLiveSdk, type MapToFetch, type MapToSdk, Method, MetricsDefinition, MiddlewareContractDetails, type MiddlewareOrMiddlewareWithTypedHandler, type NestableRouterBasedHandler, OPENAPI_DEFAULT_VERSION, OpenTelemetryCollector, ParamsDictionary, ParamsObject, type PathBasedHandler, PathMatch, type PathOrMiddlewareBasedHandler, PathParamHttpContractDetails, PinoLogger, QueryObject, ResolvedSessionObject, ResponsesObject, type RouterMap, type RoutingStrategy, SchemaAuthMethods, type SdkHandler, type SdkHandlerObject, type SdkRouter, SessionObject, type StatusCode, TelemetryOptions, type ToFetchMap, type TypedHandler, type TypedMiddlewareDefinition, type TypedNestableMiddlewareDefinition, VersionSchema, VersionedRequests, createContext, createHmacToken, delete_, discriminateAuthMethod, discriminateBody, discriminateResponseBodies, enrichExpressLikeSend, evaluateTelemetryOptions, extractRouteHandlers, generateHmacAuthHeaders, generateMcpServer, generateOpenApiSpecs, get, getCachedJwks, getCodeForStatus, head, isClientError, isForklaunchRequest, isForklaunchRouter, isInformational, isPortBound, isRedirection, isServerError, isSuccessful, isValidStatusCode, logger, meta, metricsDefinitions, middleware, options, patch, post, put, recordMetric, trace, typedAuthHandler, typedHandler };
+/**
+ * Configuration for rate limiting with separate read/write limits.
+ */
+type RateLimitConfig = {
+    /** Max requests per window for GET/HEAD/OPTIONS */
+    read: number;
+    /** Max requests per window for POST/PUT/PATCH/DELETE */
+    write: number;
+    /** Window duration in milliseconds */
+    windowMs: number;
+};
+/**
+ * Result of a rate limit check.
+ */
+type RateLimitResult = {
+    /** Whether the request is allowed */
+    allowed: boolean;
+    /** Number of remaining requests in the current window */
+    remaining: number;
+    /** Unix timestamp (ms) when the current window resets */
+    resetAt: number;
+};
+/**
+ * Rate limiter backed by a TtlCache.
+ *
+ * Uses a sliding-window counter pattern: each unique key maps to a
+ * {@link RateLimitCounter} stored in the cache with a TTL equal to the
+ * configured window duration.
+ */
+declare class RateLimiter {
+    private cache;
+    constructor(cache: TtlCache);
+    /**
+     * Check whether the given key is within its rate limit.
+     *
+     * The counter is read from the cache, incremented, and written back.
+     * If the cache is unreachable the limiter **fails open** (allows the
+     * request) so that a cache outage does not take down the service.
+     *
+     * @param key - The rate limit key (see {@link RateLimiter.buildKey}).
+     * @param limit - Maximum number of requests allowed in the window.
+     * @param windowMs - Window duration in milliseconds.
+     */
+    check(key: string, limit: number, windowMs: number): Promise<RateLimitResult>;
+    /**
+     * Build a rate limit key from request context parts.
+     *
+     * Format: `ratelimit:{tenantId}:{route}:{userId}:{operationType}`
+     *
+     * When `tenantId` or `userId` is `null`, the placeholder `"anon"` is used.
+     */
+    static buildKey(parts: {
+        tenantId: string | null;
+        route: string;
+        userId: string | null;
+        operationType: 'read' | 'write';
+    }): string;
+    /**
+     * Determine whether an HTTP method is a read or write operation.
+     *
+     * GET, HEAD, and OPTIONS are reads; everything else is a write.
+     */
+    static operationType(method: string): 'read' | 'write';
+}
+
+export { ATTR_API_NAME, ATTR_APPLICATION_ID, ATTR_CORRELATION_ID, type AuditEntry, AuditLogger, AuthMethods, AuthMethodsBase, BasicAuthMethods, Body, type ClusterConfig, type ConstrainedForklaunchRouter, ContractDetails, type ContractDetailsExpressLikeSchemaHandler, type ContractDetailsOrMiddlewareOrTypedHandler, DecodeResource, ExpressLikeApplicationOptions, type ExpressLikeRouter, ExpressLikeRouterOptions, ExpressLikeSchemaAuthMapper, ExpressLikeSchemaHandler, type ExpressLikeTypedHandler, type ExtractLiveTypeFn, type FetchFunction, ForklaunchExpressLikeApplication, ForklaunchExpressLikeRouter, ForklaunchNextFunction, ForklaunchRequest, ForklaunchResHeaders, ForklaunchResponse, type ForklaunchRoute, type ForklaunchRouter, ForklaunchSendableData, ForklaunchStatusResponse, HTTPStatuses, HeadersObject, HttpContractDetails, LiveSdkFunction, LiveTypeFunction, type LiveTypeRouteDefinition, LogFn, LoggerMeta, type MapHandlerToLiveSdk, type MapToFetch, type MapToSdk, Method, MetricsDefinition, MiddlewareContractDetails, type MiddlewareOrMiddlewareWithTypedHandler, type NestableRouterBasedHandler, OPENAPI_DEFAULT_VERSION, OpenTelemetryCollector, ParamsDictionary, ParamsObject, type PathBasedHandler, PathMatch, type PathOrMiddlewareBasedHandler, PathParamHttpContractDetails, PinoLogger, QueryObject, type RateLimitConfig, type RateLimitResult, RateLimiter, ResolvedSessionObject, ResponsesObject, type RouterMap, type RoutingStrategy, SchemaAuthMethods, type SdkHandler, type SdkHandlerObject, type SdkRouter, SessionObject, type StatusCode, TelemetryOptions, type ToFetchMap, type TypedHandler, type TypedMiddlewareDefinition, type TypedNestableMiddlewareDefinition, VersionSchema, VersionedRequests, createContext, createHmacToken, delete_, discriminateAuthMethod, discriminateBody, discriminateResponseBodies, enrichExpressLikeSend, evaluateTelemetryOptions, extractRouteHandlers, generateHmacAuthHeaders, generateMcpServer, generateOpenApiSpecs, get, getCachedJwks, getCodeForStatus, head, isClientError, isForklaunchRequest, isForklaunchRouter, isInformational, isPortBound, isRedirection, isServerError, isSuccessful, isValidStatusCode, logger, meta, metricsDefinitions, middleware, options, patch, post, put, recordMetric, trace, typedAuthHandler, typedHandler };

package/lib/http/index.js

@@ -37,12 +37,14 @@ __export(http_exports, {
   ATTR_HTTP_RESPONSE_STATUS_CODE: () => import_semantic_conventions.ATTR_HTTP_RESPONSE_STATUS_CODE,
   ATTR_HTTP_ROUTE: () => import_semantic_conventions.ATTR_HTTP_ROUTE,
   ATTR_SERVICE_NAME: () => import_semantic_conventions.ATTR_SERVICE_NAME,
+  AuditLogger: () => AuditLogger,
   ForklaunchExpressLikeApplication: () => ForklaunchExpressLikeApplication,
   ForklaunchExpressLikeRouter: () => ForklaunchExpressLikeRouter,
   HTTPStatuses: () => HTTPStatuses,
   OPENAPI_DEFAULT_VERSION: () => OPENAPI_DEFAULT_VERSION,
   OpenTelemetryCollector: () => OpenTelemetryCollector,
   PinoLogger: () => PinoLogger,
+  RateLimiter: () => RateLimiter,
   createContext: () => createContext,
   createHmacToken: () => createHmacToken,
   delete_: () => delete_,
@@ -318,11 +320,36 @@ function discriminateResponseBodies(schemaValidator, responses) {
 // src/http/router/routerSharedLogic.ts
 var import_common10 = require("@forklaunch/common");
 
+// src/http/guards/hasPermissionChecks.ts
+function hasPermissionChecks(maybePermissionedAuth) {
+  return typeof maybePermissionedAuth === "object" && maybePermissionedAuth !== null && ("allowedPermissions" in maybePermissionedAuth || "forbiddenPermissions" in maybePermissionedAuth);
+}
+
+// src/http/guards/hasRoleChecks.ts
+function hasRoleChecks(maybeRoledAuth) {
+  if (typeof maybeRoledAuth !== "object" || maybeRoledAuth === null) {
+    return false;
+  }
+  const hasAllowedRoles = "allowedRoles" in maybeRoledAuth && maybeRoledAuth.allowedRoles instanceof Set && maybeRoledAuth.allowedRoles.size > 0;
+  const hasForbiddenRoles = "forbiddenRoles" in maybeRoledAuth && maybeRoledAuth.forbiddenRoles instanceof Set && maybeRoledAuth.forbiddenRoles.size > 0;
+  return hasAllowedRoles || hasForbiddenRoles;
+}
+
+// src/http/guards/hasScopeChecks.ts
+function hasScopeChecks(maybePermissionedAuth) {
+  return typeof maybePermissionedAuth === "object" && maybePermissionedAuth !== null && "requiredScope" in maybePermissionedAuth && maybePermissionedAuth.requiredScope != null;
+}
+
 // src/http/guards/hasVersionedSchema.ts
 function hasVersionedSchema(contractDetails) {
   return typeof contractDetails === "object" && contractDetails !== null && "versions" in contractDetails && contractDetails.versions !== null;
 }
 
+// src/http/guards/isHmacMethod.ts
+function isHmacMethod(maybeHmacMethod) {
+  return typeof maybeHmacMethod === "object" && maybeHmacMethod !== null && "hmac" in maybeHmacMethod && maybeHmacMethod.hmac != null;
+}
+
 // src/http/guards/isPathParamContractDetails.ts
 function isPathParamHttpContractDetails(maybePathParamHttpContractDetails) {
   return maybePathParamHttpContractDetails != null && typeof maybePathParamHttpContractDetails === "object" && "name" in maybePathParamHttpContractDetails && "summary" in maybePathParamHttpContractDetails && maybePathParamHttpContractDetails.name != null && maybePathParamHttpContractDetails.summary != null && ("responses" in maybePathParamHttpContractDetails && maybePathParamHttpContractDetails.responses != null || "versions" in maybePathParamHttpContractDetails && typeof maybePathParamHttpContractDetails.versions === "object" && maybePathParamHttpContractDetails.versions != null && Object.values(maybePathParamHttpContractDetails.versions).every(
@@ -373,11 +400,6 @@ function isBasicAuthMethod(maybeBasicAuthMethod) {
   return typeof maybeBasicAuthMethod === "object" && maybeBasicAuthMethod !== null && "basic" in maybeBasicAuthMethod && maybeBasicAuthMethod.basic != null;
 }
 
-// src/http/guards/isHmacMethod.ts
-function isHmacMethod(maybeHmacMethod) {
-  return typeof maybeHmacMethod === "object" && maybeHmacMethod !== null && "hmac" in maybeHmacMethod && maybeHmacMethod.hmac != null;
-}
-
 // src/http/guards/isJwtAuthMethod.ts
 function isJwtAuthMethod(maybeJwtAuthMethod) {
   return typeof maybeJwtAuthMethod === "object" && maybeJwtAuthMethod !== null && "jwt" in maybeJwtAuthMethod && maybeJwtAuthMethod.jwt != null;
@@ -507,26 +529,6 @@ function hasFeatureChecks(maybeFeatureAuth) {
   return typeof maybeFeatureAuth === "object" && maybeFeatureAuth !== null && "requiredFeatures" in maybeFeatureAuth && Array.isArray(maybeFeatureAuth.requiredFeatures) && maybeFeatureAuth.requiredFeatures.length > 0;
 }
 
-// src/http/guards/hasPermissionChecks.ts
-function hasPermissionChecks(maybePermissionedAuth) {
-  return typeof maybePermissionedAuth === "object" && maybePermissionedAuth !== null && ("allowedPermissions" in maybePermissionedAuth || "forbiddenPermissions" in maybePermissionedAuth);
-}
-
-// src/http/guards/hasRoleChecks.ts
-function hasRoleChecks(maybeRoledAuth) {
-  if (typeof maybeRoledAuth !== "object" || maybeRoledAuth === null) {
-    return false;
-  }
-  const hasAllowedRoles = "allowedRoles" in maybeRoledAuth && maybeRoledAuth.allowedRoles instanceof Set && maybeRoledAuth.allowedRoles.size > 0;
-  const hasForbiddenRoles = "forbiddenRoles" in maybeRoledAuth && maybeRoledAuth.forbiddenRoles instanceof Set && maybeRoledAuth.forbiddenRoles.size > 0;
-  return hasAllowedRoles || hasForbiddenRoles;
-}
-
-// src/http/guards/hasScopeChecks.ts
-function hasScopeChecks(maybePermissionedAuth) {
-  return typeof maybePermissionedAuth === "object" && maybePermissionedAuth !== null && "requiredScope" in maybePermissionedAuth && maybePermissionedAuth.requiredScope != null;
-}
-
 // src/http/guards/hasSubscriptionChecks.ts
 function hasSubscriptionChecks(maybeSubscriptionAuth) {
   return typeof maybeSubscriptionAuth === "object" && maybeSubscriptionAuth !== null && "requireActiveSubscription" in maybeSubscriptionAuth && maybeSubscriptionAuth.requireActiveSubscription === true;
@@ -1315,6 +1317,40 @@ function validateContractDetails(contractDetails, schemaValidator) {
   if (!isHttpContractDetails(contractDetails) && !isPathParamHttpContractDetails(contractDetails)) {
     throw new Error("Contract details are malformed for route definition");
   }
+  const access = contractDetails["access"];
+  const auth = contractDetails["auth"];
+  if (access != null) {
+    const validAccess = ["public", "authenticated", "protected", "internal"];
+    if (!validAccess.includes(access)) {
+      throw new Error(
+        `Route '${contractDetails.name}': invalid access level '${access}'. Must be one of: ${validAccess.join(", ")}`
+      );
+    }
+    if (access === "public" && auth != null) {
+      throw new Error(
+        `Route '${contractDetails.name}': access 'public' cannot have auth configured`
+      );
+    }
+    if (access === "protected") {
+      if (!auth) {
+        throw new Error(
+          `Route '${contractDetails.name}': access 'protected' requires auth with roles, permissions, or scope`
+        );
+      }
+      if (!hasPermissionChecks(auth) && !hasRoleChecks(auth) && !hasScopeChecks(auth)) {
+        throw new Error(
+          `Route '${contractDetails.name}': access 'protected' requires at least one of allowedRoles, forbiddenRoles, allowedPermissions, forbiddenPermissions, or requiredScope`
+        );
+      }
+    }
+    if (access === "internal") {
+      if (!auth || !isHmacMethod(auth)) {
+        throw new Error(
+          `Route '${contractDetails.name}': access 'internal' requires HMAC auth`
+        );
+      }
+    }
+  }
   if (contractDetails.versions) {
     const parserTypes = Object.values(contractDetails.versions).map(
       (version) => discriminateBody(schemaValidator, version.body)?.parserType
@@ -4222,6 +4258,44 @@ function generateOpenApiSpecs(schemaValidator, serverUrls, serverDescriptions, a
   );
 }
 
+// src/http/telemetry/auditLogger.ts
+var import_crypto3 = require("crypto");
+var AuditLogger = class {
+  #otel;
+  constructor(otel) {
+    this.#otel = otel;
+  }
+  append(entry) {
+    try {
+      this.#otel.info(
+        {
+          "log.type": "audit",
+          "audit.timestamp": entry.timestamp,
+          "audit.userId": entry.userId ?? "",
+          "audit.tenantId": entry.tenantId ?? "",
+          "audit.route": entry.route,
+          "audit.method": entry.method,
+          "audit.bodyHash": entry.bodyHash,
+          "audit.status": entry.status,
+          "audit.duration": entry.duration,
+          "audit.redactedFields": entry.redactedFields.join(","),
+          "audit.eventType": entry.eventType,
+          _meta: true
+        },
+        `audit:${entry.eventType} ${entry.method} ${entry.route} ${entry.status}`
+      );
+    } catch (error) {
+      console.error("Failed to emit audit log via OTEL:", error);
+    }
+  }
+  static hashBody(body) {
+    if (body === void 0 || body === null || body === "") {
+      return "";
+    }
+    return (0, import_crypto3.createHash)("sha256").update(body).digest("hex");
+  }
+};
+
 // src/http/telemetry/evaluateTelemetryOptions.ts
 function evaluateTelemetryOptions(telemetryOptions) {
   return {
@@ -4242,6 +4316,73 @@ function evaluateTelemetryOptions(telemetryOptions) {
 function metricsDefinitions(metrics2) {
   return metrics2;
 }
+
+// src/http/rateLimit/rateLimiter.ts
+var READ_METHODS = /* @__PURE__ */ new Set(["GET", "HEAD", "OPTIONS"]);
+var RateLimiter = class {
+  constructor(cache) {
+    this.cache = cache;
+  }
+  /**
+   * Check whether the given key is within its rate limit.
+   *
+   * The counter is read from the cache, incremented, and written back.
+   * If the cache is unreachable the limiter **fails open** (allows the
+   * request) so that a cache outage does not take down the service.
+   *
+   * @param key - The rate limit key (see {@link RateLimiter.buildKey}).
+   * @param limit - Maximum number of requests allowed in the window.
+   * @param windowMs - Window duration in milliseconds.
+   */
+  async check(key, limit, windowMs) {
+    try {
+      const now = Date.now();
+      let counter;
+      try {
+        const record = await this.cache.readRecord(key);
+        counter = record.value;
+        if (now >= counter.resetAt) {
+          counter = { count: 0, resetAt: now + windowMs };
+        }
+      } catch {
+        counter = { count: 0, resetAt: now + windowMs };
+      }
+      counter.count += 1;
+      const ttl = Math.max(counter.resetAt - now, 1);
+      await this.cache.putRecord({
+        key,
+        value: counter,
+        ttlMilliseconds: ttl
+      });
+      const allowed = counter.count <= limit;
+      const remaining = Math.max(limit - counter.count, 0);
+      return { allowed, remaining, resetAt: counter.resetAt };
+    } catch {
+      console.warn(`[RateLimiter] Cache error for key "${key}". Failing open.`);
+      return { allowed: true, remaining: limit, resetAt: 0 };
+    }
+  }
+  /**
+   * Build a rate limit key from request context parts.
+   *
+   * Format: `ratelimit:{tenantId}:{route}:{userId}:{operationType}`
+   *
+   * When `tenantId` or `userId` is `null`, the placeholder `"anon"` is used.
+   */
+  static buildKey(parts) {
+    const tenant = parts.tenantId ?? "anon";
+    const user = parts.userId ?? "anon";
+    return `ratelimit:${tenant}:${parts.route}:${user}:${parts.operationType}`;
+  }
+  /**
+   * Determine whether an HTTP method is a read or write operation.
+   *
+   * GET, HEAD, and OPTIONS are reads; everything else is a write.
+   */
+  static operationType(method) {
+    return READ_METHODS.has(method.toUpperCase()) ? "read" : "write";
+  }
+};
 // Annotate the CommonJS export names for ESM import in node:
 0 && (module.exports = {
   ATTR_API_NAME,
@@ -4251,12 +4392,14 @@ function metricsDefinitions(metrics2) {
   ATTR_HTTP_RESPONSE_STATUS_CODE,
   ATTR_HTTP_ROUTE,
   ATTR_SERVICE_NAME,
+  AuditLogger,
   ForklaunchExpressLikeApplication,
   ForklaunchExpressLikeRouter,
   HTTPStatuses,
   OPENAPI_DEFAULT_VERSION,
   OpenTelemetryCollector,
   PinoLogger,
+  RateLimiter,
   createContext,
   createHmacToken,
   delete_,