@frontmcp/edge 0.0.1

package/index.js

@@ -0,0 +1,4011 @@
+"use strict";
+var __create = Object.create;
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __getProtoOf = Object.getPrototypeOf;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __commonJS = (cb, mod) => function __require2() {
+  try {
+    return mod || (0, cb[__getOwnPropNames(cb)[0]])((mod = { exports: {} }).exports, mod), mod.exports;
+  } catch (e) {
+    throw mod = 0, e;
+  }
+};
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
+  // If the importer is in node compatibility mode or this is not an ESM
+  // file that has been converted to a CommonJS file using a Babel-
+  // compatible transform (i.e. "__esModule" has not been set), then set
+  // "default" to the CommonJS "module.exports" for node compatibility.
+  isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
+  mod
+));
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+
+// libs/utils/dist/event-emitter/node-event-emitter.js
+var require_node_event_emitter = __commonJS({
+  "libs/utils/dist/event-emitter/node-event-emitter.js"(exports2, module2) {
+    "use strict";
+    var __defProp3 = Object.defineProperty;
+    var __getOwnPropDesc2 = Object.getOwnPropertyDescriptor;
+    var __getOwnPropNames3 = Object.getOwnPropertyNames;
+    var __hasOwnProp2 = Object.prototype.hasOwnProperty;
+    var __export3 = (target, all) => {
+      for (var name in all)
+        __defProp3(target, name, { get: all[name], enumerable: true });
+    };
+    var __copyProps2 = (to, from, except, desc) => {
+      if (from && typeof from === "object" || typeof from === "function") {
+        for (let key of __getOwnPropNames3(from))
+          if (!__hasOwnProp2.call(to, key) && key !== except)
+            __defProp3(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc2(from, key)) || desc.enumerable });
+      }
+      return to;
+    };
+    var __toCommonJS2 = (mod) => __copyProps2(__defProp3({}, "__esModule", { value: true }), mod);
+    var node_event_emitter_exports = {};
+    __export3(node_event_emitter_exports, {
+      EventEmitter: () => import_events.EventEmitter
+    });
+    module2.exports = __toCommonJS2(node_event_emitter_exports);
+    var import_events = require("events");
+  }
+});
+
+// libs/utils/dist/crypto/node.js
+var require_node = __commonJS({
+  "libs/utils/dist/crypto/node.js"(exports2, module2) {
+    "use strict";
+    var __create2 = Object.create;
+    var __defProp3 = Object.defineProperty;
+    var __getOwnPropDesc2 = Object.getOwnPropertyDescriptor;
+    var __getOwnPropNames3 = Object.getOwnPropertyNames;
+    var __getProtoOf2 = Object.getPrototypeOf;
+    var __hasOwnProp2 = Object.prototype.hasOwnProperty;
+    var __export3 = (target, all) => {
+      for (var name in all)
+        __defProp3(target, name, { get: all[name], enumerable: true });
+    };
+    var __copyProps2 = (to, from, except, desc) => {
+      if (from && typeof from === "object" || typeof from === "function") {
+        for (let key of __getOwnPropNames3(from))
+          if (!__hasOwnProp2.call(to, key) && key !== except)
+            __defProp3(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc2(from, key)) || desc.enumerable });
+      }
+      return to;
+    };
+    var __toESM2 = (mod, isNodeMode, target) => (target = mod != null ? __create2(__getProtoOf2(mod)) : {}, __copyProps2(
+      // If the importer is in node compatibility mode or this is not an ESM
+      // file that has been converted to a CommonJS file using a Babel-
+      // compatible transform (i.e. "__esModule" has not been set), then set
+      // "default" to the CommonJS "module.exports" for node compatibility.
+      isNodeMode || !mod || !mod.__esModule ? __defProp3(target, "default", { value: mod, enumerable: true }) : target,
+      mod
+    ));
+    var __toCommonJS2 = (mod) => __copyProps2(__defProp3({}, "__esModule", { value: true }), mod);
+    var node_exports2 = {};
+    __export3(node_exports2, {
+      createSignedJwt: () => createSignedJwt2,
+      cryptoProvider: () => nodeCrypto2,
+      generateRsaKeyPair: () => generateRsaKeyPair2,
+      isRsaPssAlg: () => isRsaPssAlg2,
+      jwtAlgToNodeAlg: () => jwtAlgToNodeAlg2,
+      nodeCrypto: () => nodeCrypto2,
+      pemToPublicJwk: () => pemToPublicJwk2,
+      rsaSign: () => rsaSign2,
+      rsaSignBase64Url: () => rsaSignBase64Url2,
+      rsaVerify: () => rsaVerify2,
+      rsaVerifySync: () => rsaVerifySync2
+    });
+    module2.exports = __toCommonJS2(node_exports2);
+    var import_node_crypto2 = __toESM2(require("node:crypto"));
+    var JWT_ALG_TO_NODE_DIGEST2 = {
+      RS256: "RSA-SHA256",
+      RS384: "RSA-SHA384",
+      RS512: "RSA-SHA512",
+      // For RSA-PSS, Node's crypto.sign/verify uses the digest algorithm + explicit PSS padding options.
+      PS256: "RSA-SHA256",
+      PS384: "RSA-SHA384",
+      PS512: "RSA-SHA512"
+    };
+    function jwtAlgToNodeAlg2(jwtAlg) {
+      const nodeAlg = JWT_ALG_TO_NODE_DIGEST2[jwtAlg];
+      if (!nodeAlg) {
+        throw new Error(`Unsupported JWT algorithm: ${jwtAlg}`);
+      }
+      return nodeAlg;
+    }
+    function isRsaPssAlg2(jwtAlg) {
+      return jwtAlg.startsWith("PS");
+    }
+    function toUint8Array2(buf) {
+      return new Uint8Array(buf.buffer, buf.byteOffset, buf.byteLength);
+    }
+    function toBuffer2(data) {
+      if (typeof data === "string") {
+        return Buffer.from(data, "utf8");
+      }
+      return Buffer.from(data);
+    }
+    var nodeCrypto2 = {
+      randomUUID() {
+        return import_node_crypto2.default.randomUUID();
+      },
+      randomBytes(length) {
+        return toUint8Array2(import_node_crypto2.default.randomBytes(length));
+      },
+      sha256(data) {
+        const hash = import_node_crypto2.default.createHash("sha256").update(toBuffer2(data)).digest();
+        return toUint8Array2(hash);
+      },
+      sha256Hex(data) {
+        return import_node_crypto2.default.createHash("sha256").update(toBuffer2(data)).digest("hex");
+      },
+      hmacSha256(key, data) {
+        const hmac2 = import_node_crypto2.default.createHmac("sha256", Buffer.from(key)).update(Buffer.from(data)).digest();
+        return toUint8Array2(hmac2);
+      },
+      hkdfSha256(ikm, salt, info, length) {
+        const ikmBuf = Buffer.from(ikm);
+        const saltBuf = salt.length > 0 ? Buffer.from(salt) : Buffer.alloc(32);
+        const prk = import_node_crypto2.default.createHmac("sha256", saltBuf).update(ikmBuf).digest();
+        const hashLen = 32;
+        const n = Math.ceil(length / hashLen);
+        const chunks = [];
+        let prev = Buffer.alloc(0);
+        for (let i = 1; i <= n; i++) {
+          prev = import_node_crypto2.default.createHmac("sha256", prk).update(Buffer.concat([prev, Buffer.from(info), Buffer.from([i])])).digest();
+          chunks.push(prev);
+        }
+        return toUint8Array2(Buffer.concat(chunks).subarray(0, length));
+      },
+      encryptAesGcm(key, plaintext, iv) {
+        const cipher = import_node_crypto2.default.createCipheriv("aes-256-gcm", Buffer.from(key), Buffer.from(iv));
+        const encrypted = Buffer.concat([cipher.update(Buffer.from(plaintext)), cipher.final()]);
+        const tag = cipher.getAuthTag();
+        return {
+          ciphertext: toUint8Array2(encrypted),
+          tag: toUint8Array2(tag)
+        };
+      },
+      decryptAesGcm(key, ciphertext, iv, tag) {
+        const decipher = import_node_crypto2.default.createDecipheriv("aes-256-gcm", Buffer.from(key), Buffer.from(iv));
+        decipher.setAuthTag(Buffer.from(tag));
+        const decrypted = Buffer.concat([decipher.update(Buffer.from(ciphertext)), decipher.final()]);
+        return toUint8Array2(decrypted);
+      },
+      timingSafeEqual(a, b) {
+        if (a.length !== b.length) return false;
+        return import_node_crypto2.default.timingSafeEqual(Buffer.from(a), Buffer.from(b));
+      }
+    };
+    function generateRsaKeyPair2(modulusLength = 2048, alg = "RS256") {
+      const kid = `rsa-key-${Date.now()}-${import_node_crypto2.default.randomBytes(8).toString("hex")}`;
+      const { privateKey, publicKey } = import_node_crypto2.default.generateKeyPairSync("rsa", {
+        modulusLength
+      });
+      const exported = publicKey.export({ format: "jwk" });
+      const publicJwk = {
+        ...exported,
+        kid,
+        alg,
+        use: "sig",
+        kty: "RSA"
+      };
+      return { privateKey, publicKey, publicJwk };
+    }
+    function rsaSign2(algorithm, data, privateKey, options) {
+      const signingKey = options ? { key: privateKey, ...options } : privateKey;
+      return import_node_crypto2.default.sign(algorithm, data, signingKey);
+    }
+    function rsaVerify2(jwtAlg, data, publicJwk, signature) {
+      const publicKey = import_node_crypto2.default.createPublicKey({ key: publicJwk, format: "jwk" });
+      const nodeAlgorithm = jwtAlgToNodeAlg2(jwtAlg);
+      const verifyKey = isRsaPssAlg2(jwtAlg) ? {
+        key: publicKey,
+        padding: import_node_crypto2.default.constants.RSA_PKCS1_PSS_PADDING,
+        saltLength: import_node_crypto2.default.constants.RSA_PSS_SALTLEN_DIGEST
+      } : publicKey;
+      return import_node_crypto2.default.verify(nodeAlgorithm, data, verifyKey, signature);
+    }
+    function rsaSignBase64Url2(jwtAlg, data, privateJwk) {
+      const privateKey = import_node_crypto2.default.createPrivateKey({ key: privateJwk, format: "jwk" });
+      const nodeAlgorithm = jwtAlgToNodeAlg2(jwtAlg);
+      const buf = Buffer.isBuffer(data) ? data : Buffer.from(data);
+      const sig = isRsaPssAlg2(jwtAlg) ? rsaSign2(nodeAlgorithm, buf, privateKey, {
+        padding: import_node_crypto2.default.constants.RSA_PKCS1_PSS_PADDING,
+        saltLength: import_node_crypto2.default.constants.RSA_PSS_SALTLEN_DIGEST
+      }) : rsaSign2(nodeAlgorithm, buf, privateKey);
+      return sig.toString("base64url");
+    }
+    function rsaVerifySync2(jwtAlg, data, publicJwk, signature) {
+      try {
+        const publicKey = import_node_crypto2.default.createPublicKey({ key: publicJwk, format: "jwk" });
+        const dataBuf = Buffer.isBuffer(data) ? data : Buffer.from(data);
+        const sigBuf = Buffer.isBuffer(signature) ? signature : Buffer.from(signature);
+        if (jwtAlg === "EdDSA") {
+          return import_node_crypto2.default.verify(null, dataBuf, publicKey, sigBuf);
+        }
+        const nodeAlgorithm = jwtAlgToNodeAlg2(jwtAlg);
+        const verifyKey = isRsaPssAlg2(jwtAlg) ? {
+          key: publicKey,
+          padding: import_node_crypto2.default.constants.RSA_PKCS1_PSS_PADDING,
+          saltLength: import_node_crypto2.default.constants.RSA_PSS_SALTLEN_DIGEST
+        } : publicKey;
+        return import_node_crypto2.default.verify(nodeAlgorithm, dataBuf, verifyKey, sigBuf);
+      } catch {
+        return false;
+      }
+    }
+    function pemToPublicJwk2(pem) {
+      const key = import_node_crypto2.default.createPublicKey({ key: pem, format: "pem" });
+      return key.export({ format: "jwk" });
+    }
+    function createSignedJwt2(payload, privateKey, kid, alg = "RS256") {
+      const header = { alg, typ: "JWT", kid };
+      const headerB64 = Buffer.from(JSON.stringify(header)).toString("base64url");
+      const payloadB64 = Buffer.from(JSON.stringify(payload)).toString("base64url");
+      const signatureInput = `${headerB64}.${payloadB64}`;
+      const nodeAlgorithm = jwtAlgToNodeAlg2(alg);
+      const signature = rsaSign2(
+        nodeAlgorithm,
+        Buffer.from(signatureInput),
+        privateKey,
+        isRsaPssAlg2(alg) ? {
+          padding: import_node_crypto2.default.constants.RSA_PKCS1_PSS_PADDING,
+          saltLength: import_node_crypto2.default.constants.RSA_PSS_SALTLEN_DIGEST
+        } : void 0
+      );
+      const signatureB64 = signature.toString("base64url");
+      return `${headerB64}.${payloadB64}.${signatureB64}`;
+    }
+  }
+});
+
+// libs/edge/src/index.ts
+var index_exports = {};
+__export(index_exports, {
+  buildManagedOpenApiPluginOptions: () => buildManagedOpenApiPluginOptions,
+  createEdgeMcp: () => createEdgeMcp,
+  createKvBundleCache: () => createKvBundleCache,
+  createKvSkillIndexCache: () => createKvSkillIndexCache,
+  kvBundleCacheFromEnv: () => kvBundleCacheFromEnv,
+  kvSkillIndexCacheFromEnv: () => kvSkillIndexCacheFromEnv
+});
+module.exports = __toCommonJS(index_exports);
+var import_sdk2 = require("@frontmcp/sdk");
+
+// libs/edge/src/managed.ts
+function buildManagedOpenApiPluginOptions(managed) {
+  const source = {
+    type: "saas",
+    endpoint: managed.endpoint,
+    authToken: managed.authToken,
+    expectedAudience: managed.expectedAudience,
+    jwksUrl: managed.jwksUrl,
+    expectedIssuer: managed.expectedIssuer
+  };
+  if (managed.pollIntervalMs !== void 0) source["pollIntervalMs"] = managed.pollIntervalMs;
+  if (managed.enableWebhook !== void 0) source["enableWebhook"] = managed.enableWebhook;
+  const options = { source };
+  if (managed.requireSignature !== void 0) options["requireSignature"] = managed.requireSignature;
+  if (managed.trustedKeys !== void 0) options["trustedKeys"] = managed.trustedKeys;
+  if (managed.dev !== void 0) options["dev"] = managed.dev;
+  if (managed.credentials !== void 0) options["credentials"] = managed.credentials;
+  if (managed.outbound !== void 0) options["outbound"] = managed.outbound;
+  if (managed.bundleCacheDir !== void 0) options["bundleCacheDir"] = managed.bundleCacheDir;
+  return options;
+}
+
+// libs/edge/src/session-host.ts
+var import_sdk = require("@frontmcp/sdk");
+
+// libs/utils/dist/esm/index.mjs
+var import_module = require("module");
+
+// libs/lazy-zod/dist/esm/index.mjs
+var import_zod = require("zod");
+var import_zod2 = require("zod");
+var import_zod3 = require("zod");
+var import_zod4 = require("zod");
+var HEAVY_FACTORIES = /* @__PURE__ */ new Set([
+  "object",
+  "strictObject",
+  "looseObject",
+  "union",
+  "discriminatedUnion",
+  "intersection",
+  "record",
+  "tuple"
+]);
+var CHAIN_METHODS = /* @__PURE__ */ new Set([
+  // ZodType generic
+  "optional",
+  "nullable",
+  "nullish",
+  "default",
+  "prefault",
+  "describe",
+  "refine",
+  "superRefine",
+  "transform",
+  "pipe",
+  "or",
+  "and",
+  "readonly",
+  "brand",
+  "catch",
+  "array",
+  "promise",
+  // ZodString
+  "email",
+  "url",
+  "uuid",
+  "cuid",
+  "cuid2",
+  "ulid",
+  "regex",
+  "startsWith",
+  "endsWith",
+  "trim",
+  "toLowerCase",
+  "toUpperCase",
+  "datetime",
+  "date",
+  "time",
+  "ip",
+  "cidr",
+  "base64",
+  "base64url",
+  "jwt",
+  "nanoid",
+  "emoji",
+  "includes",
+  "normalize",
+  // ZodString / ZodNumber / ZodArray — shared (`Set` dedupes)
+  "min",
+  "max",
+  "length",
+  "gt",
+  "gte",
+  "lt",
+  "lte",
+  // ZodNumber
+  "int",
+  "positive",
+  "negative",
+  "nonnegative",
+  "nonpositive",
+  "finite",
+  "safe",
+  "multipleOf",
+  "step",
+  // ZodObject
+  "extend",
+  "merge",
+  "pick",
+  "omit",
+  "partial",
+  "deepPartial",
+  "required",
+  "passthrough",
+  "strict",
+  "strip",
+  "catchall",
+  "keyof",
+  // ZodArray
+  "nonempty",
+  "element",
+  // ZodEnum
+  "extract",
+  "exclude"
+]);
+var LAZY_BRAND = /* @__PURE__ */ Symbol.for("@frontmcp/lazy-zod.LazyZodSchema");
+var LAZY_TARGET = /* @__PURE__ */ Symbol.for("@frontmcp/lazy-zod.LazyZodSchema.target");
+var HOT_PATH_METHODS = /* @__PURE__ */ new Set(["parse", "safeParse", "parseAsync", "safeParseAsync"]);
+var LazyZodSchema = class {
+  constructor(_materialize) {
+    this._materialize = _materialize;
+    Object.defineProperty(this, LAZY_BRAND, {
+      value: true,
+      enumerable: false,
+      writable: false,
+      configurable: false
+    });
+  }
+  _materialize;
+  _resolved;
+  /** Materialize (and memoize) the underlying real zod schema. */
+  materialize() {
+    return this._resolved ?? (this._resolved = this._materialize());
+  }
+  /** True once the underlying schema has been constructed. */
+  get isMaterialized() {
+    return this._resolved !== void 0;
+  }
+};
+function wrapLazy(schema) {
+  const proxy = new Proxy(schema, {
+    get(target, key, _receiver) {
+      if (key === LAZY_BRAND) return true;
+      if (key === LAZY_TARGET) return target;
+      if (typeof key !== "symbol" && Object.prototype.hasOwnProperty.call(target, key)) {
+        return target[key];
+      }
+      if (typeof key === "string" && HOT_PATH_METHODS.has(key)) {
+        return (...args) => {
+          const real2 = target.materialize();
+          const bound = real2[key].bind(real2);
+          Object.defineProperty(target, key, {
+            value: bound,
+            writable: true,
+            configurable: true,
+            enumerable: false
+          });
+          return bound(...args);
+        };
+      }
+      if (typeof key === "string" && CHAIN_METHODS.has(key)) {
+        return (...args) => wrapLazy(
+          new LazyZodSchema(() => {
+            const real2 = target.materialize();
+            return real2[key](...args);
+          })
+        );
+      }
+      const real = target.materialize();
+      const val = real[key];
+      if (typeof val === "function") {
+        if (key === "constructor") return val;
+        const maybeCtor = val;
+        if (typeof maybeCtor.prototype === "object" && maybeCtor.prototype !== null && Object.getOwnPropertyNames(maybeCtor.prototype).length > 1) {
+          return val;
+        }
+        return val.bind(real);
+      }
+      return val;
+    },
+    has(target, key) {
+      if (key === LAZY_BRAND) return true;
+      if (typeof key === "string" && (HOT_PATH_METHODS.has(key) || CHAIN_METHODS.has(key))) {
+        return true;
+      }
+      return Reflect.has(target.materialize(), key);
+    },
+    getPrototypeOf(target) {
+      return Object.getPrototypeOf(target.materialize());
+    }
+  });
+  return proxy;
+}
+var lazyProxy = new Proxy(import_zod.z, {
+  get(target, key, receiver) {
+    if (typeof key === "string" && HEAVY_FACTORIES.has(key)) {
+      const realFactory = target[key];
+      return (...args) => wrapLazy(new LazyZodSchema(() => realFactory.call(target, ...args)));
+    }
+    return Reflect.get(target, key, receiver);
+  }
+});
+var z = lazyProxy;
+
+// libs/utils/dist/esm/index.mjs
+var import_event_emitter = __toESM(require_node_event_emitter(), 1);
+var import_node_crypto = __toESM(require("node:crypto"), 1);
+var import_sha2 = require("@noble/hashes/sha2.js");
+var import_hmac = require("@noble/hashes/hmac.js");
+var import_hkdf = require("@noble/hashes/hkdf.js");
+var import_utils = require("@noble/hashes/utils.js");
+var import_aes = require("@noble/ciphers/aes.js");
+var import_crypto_provider = __toESM(require_node(), 1);
+var import_ast = require("@enclave-vm/ast");
+var import_meta = {};
+var require2 = (0, import_module.createRequire)(import_meta.url || "file:///");
+var __defProp2 = Object.defineProperty;
+var __getOwnPropNames2 = Object.getOwnPropertyNames;
+var __require = /* @__PURE__ */ ((x) => typeof require2 !== "undefined" ? require2 : typeof Proxy !== "undefined" ? new Proxy(x, {
+  get: (a, b) => (typeof require2 !== "undefined" ? require2 : a)[b]
+}) : x)(function(x) {
+  if (typeof require2 !== "undefined") return require2.apply(this, arguments);
+  throw Error('Dynamic require of "' + x + '" is not supported');
+});
+var __esm = (fn, res, err) => function __init() {
+  if (err) throw err[0];
+  try {
+    return fn && (res = (0, fn[__getOwnPropNames2(fn)[0]])(fn = 0)), res;
+  } catch (e) {
+    throw err = [e], e;
+  }
+};
+var __export2 = (target, all) => {
+  for (var name in all)
+    __defProp2(target, name, { get: all[name], enumerable: true });
+};
+function isNode() {
+  return typeof process !== "undefined" && !!process.versions?.node;
+}
+function assertNode(feature) {
+  if (!isNode()) {
+    throw new Error(`${feature} is not supported in the browser. Requires Node.js.`);
+  }
+}
+var init_runtime = __esm({
+  "libs/utils/src/crypto/runtime.ts"() {
+    "use strict";
+  }
+});
+function getFsp() {
+  if (!_fsp) {
+    assertNode("File system operations");
+    _fsp = __require("fs").promises;
+  }
+  return _fsp;
+}
+async function writeFile(p, content, options) {
+  const fsp = getFsp();
+  await fsp.writeFile(p, content, { encoding: "utf8", mode: options?.mode });
+}
+async function mkdir(p, options) {
+  const fsp = getFsp();
+  await fsp.mkdir(p, options);
+}
+async function rename(oldPath, newPath) {
+  const fsp = getFsp();
+  await fsp.rename(oldPath, newPath);
+}
+async function unlink(p) {
+  const fsp = getFsp();
+  await fsp.unlink(p);
+}
+async function fileExists(p) {
+  try {
+    const fsp = getFsp();
+    await fsp.access(p, F_OK);
+    return true;
+  } catch {
+    return false;
+  }
+}
+async function readJSON(jsonPath) {
+  try {
+    const fsp = getFsp();
+    const buf = await fsp.readFile(jsonPath, "utf8");
+    return JSON.parse(buf);
+  } catch {
+    return null;
+  }
+}
+async function ensureDir(p) {
+  const fsp = getFsp();
+  await fsp.mkdir(p, { recursive: true });
+}
+async function readdir(p) {
+  const fsp = getFsp();
+  return fsp.readdir(p);
+}
+var _fsp;
+var _fs;
+var _spawn;
+var F_OK;
+var init_fs = __esm({
+  "libs/utils/src/fs/fs.ts"() {
+    "use strict";
+    init_runtime();
+    _fsp = null;
+    _fs = null;
+    _spawn = null;
+    F_OK = 0;
+  }
+});
+var init_fs2 = __esm({
+  "libs/utils/src/fs/index.ts"() {
+    "use strict";
+    init_fs();
+  }
+});
+function jwtAlgToNodeAlg(jwtAlg) {
+  const nodeAlg = JWT_ALG_TO_NODE_DIGEST[jwtAlg];
+  if (!nodeAlg) {
+    throw new Error(`Unsupported JWT algorithm: ${jwtAlg}`);
+  }
+  return nodeAlg;
+}
+function isRsaPssAlg(jwtAlg) {
+  return jwtAlg.startsWith("PS");
+}
+function jwtAlgToWebCryptoAlg(jwtAlg) {
+  const webAlg = JWT_ALG_TO_WEB_CRYPTO[jwtAlg];
+  if (!webAlg) {
+    throw new Error(`Unsupported JWT algorithm for WebCrypto: ${jwtAlg}`);
+  }
+  return webAlg;
+}
+var JWT_ALG_TO_NODE_DIGEST;
+var JWT_ALG_TO_WEB_CRYPTO;
+var init_jwt_alg = __esm({
+  "libs/utils/src/crypto/jwt-alg.ts"() {
+    "use strict";
+    JWT_ALG_TO_NODE_DIGEST = {
+      RS256: "RSA-SHA256",
+      RS384: "RSA-SHA384",
+      RS512: "RSA-SHA512",
+      // For RSA-PSS, Node's crypto.sign/verify uses the digest algorithm + explicit PSS padding options.
+      PS256: "RSA-SHA256",
+      PS384: "RSA-SHA384",
+      PS512: "RSA-SHA512"
+    };
+    JWT_ALG_TO_WEB_CRYPTO = {
+      RS256: "SHA-256",
+      RS384: "SHA-384",
+      RS512: "SHA-512",
+      PS256: "SHA-256",
+      PS384: "SHA-384",
+      PS512: "SHA-512"
+    };
+  }
+});
+var textEncoder;
+var textDecoder;
+var EncryptedBlobError;
+var init_encrypted_blob = __esm({
+  "libs/utils/src/crypto/encrypted-blob.ts"() {
+    "use strict";
+    init_crypto();
+    textEncoder = new TextEncoder();
+    textDecoder = new TextDecoder();
+    EncryptedBlobError = class extends Error {
+      constructor(message) {
+        super(message);
+        this.name = "EncryptedBlobError";
+      }
+    };
+  }
+});
+var MIN_CODE_VERIFIER_LENGTH;
+var MAX_CODE_VERIFIER_LENGTH;
+var DEFAULT_CODE_VERIFIER_LENGTH;
+var PkceError;
+var init_pkce = __esm({
+  "libs/utils/src/crypto/pkce/pkce.ts"() {
+    "use strict";
+    init_crypto();
+    MIN_CODE_VERIFIER_LENGTH = 43;
+    MAX_CODE_VERIFIER_LENGTH = 128;
+    DEFAULT_CODE_VERIFIER_LENGTH = 64;
+    PkceError = class extends Error {
+      constructor(message) {
+        super(message);
+        this.name = "PkceError";
+      }
+    };
+  }
+});
+var init_pkce2 = __esm({
+  "libs/utils/src/crypto/pkce/index.ts"() {
+    "use strict";
+    init_pkce();
+  }
+});
+var secretDataSchema;
+var MAX_CLOCK_DRIFT_MS;
+var MAX_SECRET_AGE_MS;
+var init_schema = __esm({
+  "libs/utils/src/crypto/secret-persistence/schema.ts"() {
+    "use strict";
+    secretDataSchema = z.object({
+      secret: z.string().base64url().length(43),
+      // base64url of 32 bytes is exactly 43 chars
+      createdAt: z.number().positive().int(),
+      version: z.number().positive().int()
+    }).strict();
+    MAX_CLOCK_DRIFT_MS = 6e4;
+    MAX_SECRET_AGE_MS = 100 * 365 * 24 * 60 * 60 * 1e3;
+  }
+});
+var DEFAULT_SECRET_BYTES;
+var DEFAULT_SECRET_DIR;
+var noop;
+var secretCache;
+var generationPromises;
+var init_persistence = __esm({
+  "libs/utils/src/crypto/secret-persistence/persistence.ts"() {
+    "use strict";
+    init_fs2();
+    init_crypto();
+    init_schema();
+    DEFAULT_SECRET_BYTES = 32;
+    DEFAULT_SECRET_DIR = ".frontmcp";
+    noop = () => {
+    };
+    secretCache = /* @__PURE__ */ new Map();
+    generationPromises = /* @__PURE__ */ new Map();
+  }
+});
+var init_secret_persistence = __esm({
+  "libs/utils/src/crypto/secret-persistence/index.ts"() {
+    "use strict";
+    init_schema();
+    init_persistence();
+  }
+});
+var init_hmac_signing = __esm({
+  "libs/utils/src/crypto/hmac-signing.ts"() {
+    "use strict";
+    init_crypto();
+    init_crypto();
+    init_crypto();
+  }
+});
+function validateKeyData(data) {
+  const result = anyKeyDataSchema.safeParse(data);
+  if (!result.success) {
+    return {
+      valid: false,
+      error: result.error.issues[0]?.message ?? "Invalid key structure"
+    };
+  }
+  const parsed = result.data;
+  const now = Date.now();
+  if (parsed.createdAt > now + MAX_CLOCK_DRIFT_MS2) {
+    return { valid: false, error: "createdAt is in the future" };
+  }
+  if (parsed.createdAt < now - MAX_KEY_AGE_MS) {
+    return { valid: false, error: "createdAt is too old" };
+  }
+  return { valid: true, data: parsed };
+}
+function isSecretKeyData(data) {
+  return data.type === "secret";
+}
+function isAsymmetricKeyData(data) {
+  return data.type === "asymmetric";
+}
+var MAX_CLOCK_DRIFT_MS2;
+var MAX_KEY_AGE_MS;
+var asymmetricAlgSchema;
+var baseKeyDataSchema;
+var jsonWebKeySchema;
+var secretKeyDataSchema;
+var asymmetricKeyDataSchema;
+var anyKeyDataSchema;
+var init_schemas = __esm({
+  "libs/utils/src/crypto/key-persistence/schemas.ts"() {
+    "use strict";
+    MAX_CLOCK_DRIFT_MS2 = 6e4;
+    MAX_KEY_AGE_MS = 100 * 365 * 24 * 60 * 60 * 1e3;
+    asymmetricAlgSchema = z.enum(["RS256", "RS384", "RS512", "ES256", "ES384", "ES512"]);
+    baseKeyDataSchema = z.object({
+      kid: z.string().min(1),
+      createdAt: z.number().positive().int(),
+      version: z.number().positive().int()
+    });
+    jsonWebKeySchema = z.object({
+      kty: z.string().optional(),
+      use: z.string().optional(),
+      alg: z.string().optional(),
+      kid: z.string().optional(),
+      n: z.string().optional(),
+      e: z.string().optional(),
+      d: z.string().optional(),
+      p: z.string().optional(),
+      q: z.string().optional(),
+      dp: z.string().optional(),
+      dq: z.string().optional(),
+      qi: z.string().optional(),
+      x: z.string().optional(),
+      y: z.string().optional(),
+      crv: z.string().optional()
+    }).passthrough();
+    secretKeyDataSchema = baseKeyDataSchema.extend({
+      type: z.literal("secret"),
+      secret: z.string().min(1),
+      bytes: z.number().positive().int()
+    });
+    asymmetricKeyDataSchema = baseKeyDataSchema.extend({
+      type: z.literal("asymmetric"),
+      alg: asymmetricAlgSchema,
+      privateKey: jsonWebKeySchema,
+      publicJwk: z.object({
+        keys: z.array(jsonWebKeySchema).min(1)
+      })
+    });
+    anyKeyDataSchema = z.discriminatedUnion("type", [secretKeyDataSchema, asymmetricKeyDataSchema]);
+  }
+});
+var KeyPersistence;
+var init_key_persistence = __esm({
+  "libs/utils/src/crypto/key-persistence/key-persistence.ts"() {
+    "use strict";
+    init_crypto();
+    init_schemas();
+    KeyPersistence = class {
+      storage;
+      cache = /* @__PURE__ */ new Map();
+      enableCache;
+      throwOnInvalid;
+      constructor(options) {
+        this.storage = options.storage;
+        this.enableCache = options.enableCache ?? true;
+        this.throwOnInvalid = options.throwOnInvalid ?? false;
+      }
+      /**
+       * Get a key by ID.
+       *
+       * @param kid - Key identifier
+       * @returns Key data or null if not found
+       */
+      async get(kid) {
+        if (this.enableCache) {
+          const cached4 = this.cache.get(kid);
+          if (cached4) return cached4;
+        }
+        const raw = await this.storage.get(kid);
+        if (!raw) return null;
+        let parsed;
+        try {
+          parsed = JSON.parse(raw);
+        } catch {
+          if (this.throwOnInvalid) {
+            throw new Error(`Invalid JSON for key "${kid}"`);
+          }
+          return null;
+        }
+        const validation = validateKeyData(parsed);
+        if (!validation.valid) {
+          if (this.throwOnInvalid) {
+            throw new Error(`Invalid key data for "${kid}": ${validation.error}`);
+          }
+          return null;
+        }
+        const key = validation.data;
+        if (this.enableCache) {
+          this.cache.set(kid, key);
+        }
+        return key;
+      }
+      /**
+       * Get a secret key by ID.
+       *
+       * @param kid - Key identifier
+       * @returns Secret key data or null if not found or wrong type
+       */
+      async getSecret(kid) {
+        const key = await this.get(kid);
+        if (!key || !isSecretKeyData(key)) return null;
+        return key;
+      }
+      /**
+       * Get an asymmetric key by ID.
+       *
+       * @param kid - Key identifier
+       * @returns Asymmetric key data or null if not found or wrong type
+       */
+      async getAsymmetric(kid) {
+        const key = await this.get(kid);
+        if (!key || !isAsymmetricKeyData(key)) return null;
+        return key;
+      }
+      /**
+       * Store a key.
+       *
+       * @param key - Key data to store
+       */
+      async set(key) {
+        const validation = validateKeyData(key);
+        if (!validation.valid) {
+          throw new Error(`Invalid key data: ${validation.error}`);
+        }
+        await this.storage.set(key.kid, JSON.stringify(key, null, 2));
+        if (this.enableCache) {
+          this.cache.set(key.kid, key);
+        }
+      }
+      /**
+       * Delete a key.
+       *
+       * @param kid - Key identifier
+       * @returns true if key existed and was deleted
+       */
+      async delete(kid) {
+        this.cache.delete(kid);
+        return this.storage.delete(kid);
+      }
+      /**
+       * Check if a key exists.
+       *
+       * @param kid - Key identifier
+       * @returns true if key exists
+       */
+      async has(kid) {
+        if (this.enableCache && this.cache.has(kid)) {
+          return true;
+        }
+        return this.storage.exists(kid);
+      }
+      /**
+       * List all key IDs.
+       *
+       * @returns Array of key identifiers
+       */
+      async list() {
+        return this.storage.keys();
+      }
+      /**
+       * Get or create a secret key.
+       *
+       * If a key with the given ID exists and is a valid secret key,
+       * it is returned. Otherwise, a new secret key is generated.
+       *
+       * @param kid - Key identifier
+       * @param options - Options for key creation
+       * @returns Secret key data
+       *
+       * @example
+       * ```typescript
+       * const secret = await keys.getOrCreateSecret('encryption-key');
+       * const bytes = base64urlDecode(secret.secret);
+       * ```
+       */
+      async getOrCreateSecret(kid, options) {
+        const existing = await this.getSecret(kid);
+        if (existing) {
+          return existing;
+        }
+        const bytes = options?.bytes ?? 32;
+        const secret = {
+          type: "secret",
+          kid,
+          secret: base64urlEncode(randomBytes(bytes)),
+          bytes,
+          createdAt: Date.now(),
+          version: 1
+        };
+        await this.set(secret);
+        return secret;
+      }
+      /**
+       * Clear the in-memory cache.
+       *
+       * Useful when you want to force a reload from storage.
+       */
+      clearCache() {
+        this.cache.clear();
+      }
+      /**
+       * Clear cache for a specific key.
+       *
+       * @param kid - Key identifier
+       */
+      clearCacheFor(kid) {
+        this.cache.delete(kid);
+      }
+      /**
+       * Check if a key is in the cache.
+       *
+       * @param kid - Key identifier
+       * @returns true if key is cached
+       */
+      isCached(kid) {
+        return this.cache.has(kid);
+      }
+      /**
+       * Get the underlying storage adapter.
+       *
+       * Use with caution - direct storage access bypasses validation.
+       */
+      getAdapter() {
+        return this.storage;
+      }
+    };
+  }
+});
+var StorageError;
+var StorageConnectionError;
+var StorageOperationError;
+var StorageNotSupportedError;
+var StorageConfigError;
+var StorageTTLError;
+var StoragePatternError;
+var StorageNotConnectedError;
+var EncryptedStorageError;
+var init_errors = __esm({
+  "libs/utils/src/storage/errors.ts"() {
+    "use strict";
+    StorageError = class extends Error {
+      cause;
+      constructor(message, cause) {
+        super(message);
+        this.cause = cause;
+        this.name = "StorageError";
+        Object.setPrototypeOf(this, new.target.prototype);
+        if (Error.captureStackTrace) {
+          Error.captureStackTrace(this, this.constructor);
+        }
+      }
+    };
+    StorageConnectionError = class extends StorageError {
+      constructor(message, cause, backend) {
+        const fullMessage = cause ? `${message}: ${cause.message}` : message;
+        super(fullMessage, cause);
+        this.backend = backend;
+        this.name = "StorageConnectionError";
+      }
+      backend;
+    };
+    StorageOperationError = class extends StorageError {
+      constructor(operation, key, message, cause) {
+        super(`${operation} failed for key "${key}": ${message}`, cause);
+        this.operation = operation;
+        this.key = key;
+        this.name = "StorageOperationError";
+      }
+      operation;
+      key;
+    };
+    StorageNotSupportedError = class extends StorageError {
+      constructor(operation, backend, suggestion) {
+        const msg = suggestion ? `${operation} is not supported by ${backend}. ${suggestion}` : `${operation} is not supported by ${backend}`;
+        super(msg);
+        this.operation = operation;
+        this.backend = backend;
+        this.name = "StorageNotSupportedError";
+      }
+      operation;
+      backend;
+    };
+    StorageConfigError = class extends StorageError {
+      constructor(backend, message) {
+        super(`Invalid ${backend} configuration: ${message}`);
+        this.backend = backend;
+        this.name = "StorageConfigError";
+      }
+      backend;
+    };
+    StorageTTLError = class extends StorageError {
+      constructor(ttl, message) {
+        super(message ?? `Invalid TTL value: ${ttl}. TTL must be a positive integer.`);
+        this.ttl = ttl;
+        this.name = "StorageTTLError";
+      }
+      ttl;
+    };
+    StoragePatternError = class extends StorageError {
+      constructor(pattern, message) {
+        super(`Invalid pattern "${pattern}": ${message}`);
+        this.pattern = pattern;
+        this.name = "StoragePatternError";
+      }
+      pattern;
+    };
+    StorageNotConnectedError = class extends StorageError {
+      constructor(backend) {
+        super(`Storage backend "${backend}" is not connected. Call connect() first.`);
+        this.backend = backend;
+        this.name = "StorageNotConnectedError";
+      }
+      backend;
+    };
+    EncryptedStorageError = class extends StorageError {
+      constructor(message) {
+        super(message);
+        this.name = "EncryptedStorageError";
+      }
+    };
+  }
+});
+function validateTTL(ttlSeconds) {
+  if (typeof ttlSeconds !== "number") {
+    throw new StorageTTLError(ttlSeconds, `TTL must be a number, got ${typeof ttlSeconds}`);
+  }
+  if (!Number.isFinite(ttlSeconds)) {
+    throw new StorageTTLError(ttlSeconds, "TTL must be a finite number");
+  }
+  if (!Number.isInteger(ttlSeconds)) {
+    throw new StorageTTLError(ttlSeconds, `TTL must be an integer, got ${ttlSeconds}`);
+  }
+  if (ttlSeconds <= 0) {
+    throw new StorageTTLError(ttlSeconds, `TTL must be positive, got ${ttlSeconds}`);
+  }
+  if (ttlSeconds > MAX_TTL_SECONDS) {
+    throw new StorageTTLError(ttlSeconds, `TTL exceeds maximum of ${MAX_TTL_SECONDS} seconds`);
+  }
+}
+function validateOptionalTTL(ttlSeconds) {
+  if (ttlSeconds !== void 0) {
+    validateTTL(ttlSeconds);
+  }
+}
+function ttlToExpiresAt(ttlSeconds) {
+  return Date.now() + ttlSeconds * 1e3;
+}
+function expiresAtToTTL(expiresAt) {
+  const remaining = Math.ceil((expiresAt - Date.now()) / 1e3);
+  return Math.max(0, remaining);
+}
+function isExpired(expiresAt) {
+  if (expiresAt === void 0) return false;
+  return Date.now() >= expiresAt;
+}
+var MAX_TTL_SECONDS;
+var init_ttl = __esm({
+  "libs/utils/src/storage/utils/ttl.ts"() {
+    "use strict";
+    init_errors();
+    MAX_TTL_SECONDS = 31536e5;
+  }
+});
+var BaseStorageAdapter;
+var init_base = __esm({
+  "libs/utils/src/storage/adapters/base.ts"() {
+    "use strict";
+    init_errors();
+    init_ttl();
+    BaseStorageAdapter = class {
+      /**
+       * Whether the adapter is currently connected.
+       */
+      connected = false;
+      /**
+       * Ensure adapter is connected before operations.
+       * @throws StorageNotConnectedError if not connected
+       */
+      ensureConnected() {
+        if (!this.connected) {
+          throw new StorageNotConnectedError(this.backendName);
+        }
+      }
+      /**
+       * Set with validation.
+       */
+      async set(key, value, options) {
+        this.ensureConnected();
+        this.validateSetOptions(options);
+        return this.doSet(key, value, options);
+      }
+      // ============================================
+      // Batch Operations (default implementations)
+      // ============================================
+      /**
+       * Default mget: sequential gets.
+       * Override for more efficient implementations.
+       */
+      async mget(keys) {
+        this.ensureConnected();
+        return Promise.all(keys.map((k) => this.get(k)));
+      }
+      /**
+       * Default mset: sequential sets.
+       * Override for atomic/pipelined implementations.
+       */
+      async mset(entries) {
+        this.ensureConnected();
+        for (const entry of entries) {
+          this.validateSetOptions(entry.options);
+        }
+        await Promise.all(entries.map((e) => this.doSet(e.key, e.value, e.options)));
+      }
+      /**
+       * Default mdelete: sequential deletes.
+       * Override for more efficient implementations.
+       */
+      async mdelete(keys) {
+        this.ensureConnected();
+        const results = await Promise.all(keys.map((k) => this.delete(k)));
+        return results.filter(Boolean).length;
+      }
+      /**
+       * Default count: keys().length.
+       * Override for more efficient implementations.
+       */
+      async count(pattern = "*") {
+        const matchedKeys = await this.keys(pattern);
+        return matchedKeys.length;
+      }
+      // ============================================
+      // Pub/Sub (default: not supported)
+      // ============================================
+      /**
+       * Default: pub/sub not supported.
+       * Override in adapters that support it.
+       */
+      supportsPubSub() {
+        return false;
+      }
+      /**
+       * Default: throw not supported error.
+       * Override in adapters that support pub/sub.
+       */
+      async publish(_channel, _message) {
+        throw new StorageNotSupportedError("publish", this.backendName, this.getPubSubSuggestion());
+      }
+      /**
+       * Default: throw not supported error.
+       * Override in adapters that support pub/sub.
+       */
+      async subscribe(_channel, _handler) {
+        throw new StorageNotSupportedError("subscribe", this.backendName, this.getPubSubSuggestion());
+      }
+      /**
+       * Get suggestion message for pub/sub not supported error.
+       * Override in specific adapters.
+       */
+      getPubSubSuggestion() {
+        return "Use Redis or Upstash adapter for pub/sub support.";
+      }
+      // ============================================
+      // Validation Helpers
+      // ============================================
+      /**
+       * Validate set options.
+       */
+      validateSetOptions(options) {
+        if (!options) return;
+        validateOptionalTTL(options.ttlSeconds);
+        if (options.ifNotExists && options.ifExists) {
+          throw new Error("ifNotExists and ifExists are mutually exclusive");
+        }
+      }
+    };
+  }
+});
+function globToRegex(pattern) {
+  if (pattern.length > MAX_PATTERN_LENGTH) {
+    throw new StoragePatternError(
+      pattern.substring(0, 50) + "...",
+      `Pattern exceeds maximum length of ${MAX_PATTERN_LENGTH} characters`
+    );
+  }
+  const wildcardCount = (pattern.match(/[*?]/g) || []).length;
+  if (wildcardCount > MAX_WILDCARDS) {
+    throw new StoragePatternError(pattern, `Pattern has too many wildcards (max: ${MAX_WILDCARDS})`);
+  }
+  if (pattern === "" || pattern === "*") {
+    return /^.*$/;
+  }
+  let regexStr = "^";
+  let prevChar = "";
+  for (let i = 0; i < pattern.length; i++) {
+    const char = pattern[i];
+    switch (char) {
+      case "*":
+        if (prevChar !== "*") {
+          regexStr += ".*";
+        }
+        break;
+      case "?":
+        regexStr += ".";
+        break;
+      default:
+        regexStr += char.replace(REGEX_SPECIAL_CHARS, "\\$&");
+    }
+    prevChar = char;
+  }
+  regexStr += "$";
+  try {
+    return new RegExp(regexStr);
+  } catch {
+    throw new StoragePatternError(pattern, "Failed to compile pattern to regex");
+  }
+}
+function matchesPattern(key, pattern) {
+  const regex = globToRegex(pattern);
+  return regex.test(key);
+}
+var MAX_PATTERN_LENGTH;
+var MAX_WILDCARDS;
+var REGEX_SPECIAL_CHARS;
+var init_pattern = __esm({
+  "libs/utils/src/storage/utils/pattern.ts"() {
+    "use strict";
+    init_errors();
+    MAX_PATTERN_LENGTH = 500;
+    MAX_WILDCARDS = 20;
+    REGEX_SPECIAL_CHARS = /[.+^${}()|[\]\\]/g;
+  }
+});
+var DEFAULT_SWEEP_INTERVAL_SECONDS;
+var MAX_TIMEOUT_MS;
+var MemoryStorageAdapter;
+var init_memory = __esm({
+  "libs/utils/src/storage/adapters/memory.ts"() {
+    "use strict";
+    init_base();
+    init_errors();
+    init_pattern();
+    init_ttl();
+    DEFAULT_SWEEP_INTERVAL_SECONDS = 60;
+    MAX_TIMEOUT_MS = 2147483647;
+    MemoryStorageAdapter = class extends BaseStorageAdapter {
+      backendName = "memory";
+      store = /* @__PURE__ */ new Map();
+      emitter = new import_event_emitter.EventEmitter();
+      sweepInterval;
+      options;
+      // LRU tracking (simple linked list via insertion order in Map)
+      accessOrder = [];
+      constructor(options = {}) {
+        super();
+        this.options = {
+          enableSweeper: options.enableSweeper ?? true,
+          sweepIntervalSeconds: options.sweepIntervalSeconds ?? DEFAULT_SWEEP_INTERVAL_SECONDS,
+          maxEntries: options.maxEntries ?? 0
+          // 0 = unlimited
+        };
+        this.emitter.setMaxListeners(1e3);
+      }
+      // ============================================
+      // Connection Lifecycle
+      // ============================================
+      async connect() {
+        if (this.connected) return;
+        this.connected = true;
+        if (this.options.enableSweeper && this.options.sweepIntervalSeconds > 0) {
+          this.startSweeper();
+        }
+      }
+      async disconnect() {
+        if (!this.connected) return;
+        this.stopSweeper();
+        this.clearAllTimeouts();
+        this.store.clear();
+        this.accessOrder = [];
+        this.emitter.removeAllListeners();
+        this.connected = false;
+      }
+      async ping() {
+        return this.connected;
+      }
+      // ============================================
+      // Core Operations
+      // ============================================
+      async get(key) {
+        this.ensureConnected();
+        const entry = this.store.get(key);
+        if (!entry) return null;
+        if (isExpired(entry.expiresAt)) {
+          this.deleteEntry(key);
+          return null;
+        }
+        this.touchLRU(key);
+        return entry.value;
+      }
+      async doSet(key, value, options) {
+        const existingEntry = this.store.get(key);
+        const exists = existingEntry !== void 0 && !isExpired(existingEntry.expiresAt);
+        if (options?.ifNotExists && exists) {
+          return;
+        }
+        if (options?.ifExists && !exists) {
+          return;
+        }
+        this.clearEntryTimeout(key);
+        const entry = { value };
+        if (options?.ttlSeconds) {
+          entry.expiresAt = ttlToExpiresAt(options.ttlSeconds);
+          const ttlMs = options.ttlSeconds * 1e3;
+          if (ttlMs < MAX_TIMEOUT_MS) {
+            entry.timeout = setTimeout(() => {
+              this.deleteEntry(key);
+            }, ttlMs);
+            if (entry.timeout.unref) {
+              entry.timeout.unref();
+            }
+          }
+        }
+        if (this.options.maxEntries > 0 && !this.store.has(key)) {
+          while (this.store.size >= this.options.maxEntries) {
+            this.evictOldest();
+          }
+        }
+        this.store.set(key, entry);
+        this.touchLRU(key);
+      }
+      async delete(key) {
+        this.ensureConnected();
+        return this.deleteEntry(key);
+      }
+      async exists(key) {
+        this.ensureConnected();
+        const entry = this.store.get(key);
+        if (!entry) return false;
+        if (isExpired(entry.expiresAt)) {
+          this.deleteEntry(key);
+          return false;
+        }
+        return true;
+      }
+      // ============================================
+      // TTL Operations
+      // ============================================
+      async expire(key, ttlSeconds) {
+        this.ensureConnected();
+        validateTTL(ttlSeconds);
+        const entry = this.store.get(key);
+        if (!entry || isExpired(entry.expiresAt)) {
+          return false;
+        }
+        this.clearEntryTimeout(key);
+        entry.expiresAt = ttlToExpiresAt(ttlSeconds);
+        const ttlMs = ttlSeconds * 1e3;
+        if (ttlMs < MAX_TIMEOUT_MS) {
+          entry.timeout = setTimeout(() => {
+            this.deleteEntry(key);
+          }, ttlMs);
+          if (entry.timeout.unref) {
+            entry.timeout.unref();
+          }
+        }
+        return true;
+      }
+      async ttl(key) {
+        this.ensureConnected();
+        const entry = this.store.get(key);
+        if (!entry) return null;
+        if (isExpired(entry.expiresAt)) {
+          this.deleteEntry(key);
+          return null;
+        }
+        if (entry.expiresAt === void 0) {
+          return -1;
+        }
+        return expiresAtToTTL(entry.expiresAt);
+      }
+      // ============================================
+      // Key Enumeration
+      // ============================================
+      async keys(pattern = "*") {
+        this.ensureConnected();
+        const regex = globToRegex(pattern);
+        const result = [];
+        for (const [key, entry] of this.store) {
+          if (isExpired(entry.expiresAt)) {
+            this.deleteEntry(key);
+            continue;
+          }
+          if (regex.test(key)) {
+            result.push(key);
+          }
+        }
+        return result;
+      }
+      // ============================================
+      // Atomic Operations
+      // ============================================
+      async incr(key) {
+        return this.incrBy(key, 1);
+      }
+      async decr(key) {
+        return this.incrBy(key, -1);
+      }
+      async incrBy(key, amount) {
+        this.ensureConnected();
+        const entry = this.store.get(key);
+        let currentValue = 0;
+        if (entry && !isExpired(entry.expiresAt)) {
+          const parsed = parseInt(entry.value, 10);
+          if (isNaN(parsed)) {
+            throw new StorageOperationError("incrBy", key, "Value is not an integer");
+          }
+          currentValue = parsed;
+        }
+        const newValue = currentValue + amount;
+        const newEntry = { value: String(newValue) };
+        if (entry?.expiresAt && !isExpired(entry.expiresAt)) {
+          newEntry.expiresAt = entry.expiresAt;
+          const remainingMs = entry.expiresAt - Date.now();
+          if (remainingMs > 0 && remainingMs < MAX_TIMEOUT_MS) {
+            this.clearEntryTimeout(key);
+            newEntry.timeout = setTimeout(() => {
+              this.deleteEntry(key);
+            }, remainingMs);
+            if (newEntry.timeout.unref) {
+              newEntry.timeout.unref();
+            }
+          }
+        }
+        this.store.set(key, newEntry);
+        this.touchLRU(key);
+        return newValue;
+      }
+      // ============================================
+      // Pub/Sub
+      // ============================================
+      supportsPubSub() {
+        return true;
+      }
+      async publish(channel, message) {
+        this.ensureConnected();
+        return this.emitter.listenerCount(channel) > 0 ? (this.emitter.emit(channel, message, channel), this.emitter.listenerCount(channel)) : 0;
+      }
+      async subscribe(channel, handler) {
+        this.ensureConnected();
+        const wrappedHandler = (message, ch) => {
+          handler(message, ch);
+        };
+        this.emitter.on(channel, wrappedHandler);
+        return async () => {
+          this.emitter.off(channel, wrappedHandler);
+        };
+      }
+      // ============================================
+      // Internal Helpers
+      // ============================================
+      /**
+       * Delete an entry and clear its timeout.
+       */
+      deleteEntry(key) {
+        const entry = this.store.get(key);
+        if (!entry) return false;
+        this.clearEntryTimeout(key);
+        this.store.delete(key);
+        this.removeLRU(key);
+        return true;
+      }
+      /**
+       * Clear timeout for an entry.
+       */
+      clearEntryTimeout(key) {
+        const entry = this.store.get(key);
+        if (entry?.timeout) {
+          clearTimeout(entry.timeout);
+          entry.timeout = void 0;
+        }
+      }
+      /**
+       * Clear all timeouts.
+       */
+      clearAllTimeouts() {
+        for (const [key] of this.store) {
+          this.clearEntryTimeout(key);
+        }
+      }
+      /**
+       * Update LRU access order.
+       */
+      touchLRU(key) {
+        if (this.options.maxEntries <= 0) return;
+        const idx = this.accessOrder.indexOf(key);
+        if (idx !== -1) {
+          this.accessOrder.splice(idx, 1);
+        }
+        this.accessOrder.push(key);
+      }
+      /**
+       * Remove key from LRU tracking.
+       */
+      removeLRU(key) {
+        if (this.options.maxEntries <= 0) return;
+        const idx = this.accessOrder.indexOf(key);
+        if (idx !== -1) {
+          this.accessOrder.splice(idx, 1);
+        }
+      }
+      /**
+       * Evict oldest entry (LRU).
+       */
+      evictOldest() {
+        if (this.accessOrder.length === 0) return;
+        const oldestKey = this.accessOrder.shift();
+        if (oldestKey) {
+          this.deleteEntry(oldestKey);
+        }
+      }
+      /**
+       * Start background sweeper.
+       */
+      startSweeper() {
+        this.sweepInterval = setInterval(() => {
+          this.sweep();
+        }, this.options.sweepIntervalSeconds * 1e3);
+        if (this.sweepInterval.unref) {
+          this.sweepInterval.unref();
+        }
+      }
+      /**
+       * Stop background sweeper.
+       */
+      stopSweeper() {
+        if (this.sweepInterval) {
+          clearInterval(this.sweepInterval);
+          this.sweepInterval = void 0;
+        }
+      }
+      /**
+       * Sweep expired entries.
+       */
+      sweep() {
+        const now = Date.now();
+        for (const [key, entry] of this.store) {
+          if (entry.expiresAt && now >= entry.expiresAt) {
+            this.deleteEntry(key);
+          }
+        }
+      }
+      // ============================================
+      // Stats (for debugging)
+      // ============================================
+      /**
+       * Get storage statistics.
+       */
+      getStats() {
+        return {
+          size: this.store.size,
+          maxEntries: this.options.maxEntries,
+          sweeperActive: this.sweepInterval !== void 0
+        };
+      }
+    };
+  }
+});
+var filesystem_exports = {};
+__export2(filesystem_exports, {
+  FileSystemStorageAdapter: () => FileSystemStorageAdapter
+});
+var FileSystemStorageAdapter;
+var init_filesystem = __esm({
+  "libs/utils/src/storage/adapters/filesystem.ts"() {
+    "use strict";
+    init_base();
+    init_errors();
+    init_pattern();
+    init_fs2();
+    init_crypto();
+    FileSystemStorageAdapter = class extends BaseStorageAdapter {
+      backendName = "filesystem";
+      baseDir;
+      extension;
+      dirMode;
+      fileMode;
+      constructor(options) {
+        super();
+        this.baseDir = options.baseDir;
+        this.extension = options.extension ?? ".json";
+        this.dirMode = options.dirMode ?? 448;
+        this.fileMode = options.fileMode ?? 384;
+      }
+      // ============================================
+      // Connection Lifecycle
+      // ============================================
+      async connect() {
+        if (this.connected) return;
+        await ensureDir(this.baseDir);
+        try {
+          await mkdir(this.baseDir, { recursive: true, mode: this.dirMode });
+        } catch {
+        }
+        this.connected = true;
+      }
+      async disconnect() {
+        if (!this.connected) return;
+        this.connected = false;
+      }
+      async ping() {
+        if (!this.connected) return false;
+        try {
+          return await fileExists(this.baseDir);
+        } catch {
+          return false;
+        }
+      }
+      // ============================================
+      // Core Operations
+      // ============================================
+      async get(key) {
+        this.ensureConnected();
+        const filePath = this.keyToPath(key);
+        try {
+          const entry = await readJSON(filePath);
+          if (!entry) return null;
+          if (entry.expiresAt && Date.now() >= entry.expiresAt) {
+            await this.deleteFile(filePath);
+            return null;
+          }
+          return entry.value;
+        } catch (e) {
+          const error = e;
+          if (error.code === "ENOENT") {
+            return null;
+          }
+          throw e;
+        }
+      }
+      async doSet(key, value, options) {
+        const filePath = this.keyToPath(key);
+        const existingEntry = await this.readEntry(filePath);
+        const exists = existingEntry !== null && !this.isExpired(existingEntry);
+        if (options?.ifNotExists && exists) {
+          return;
+        }
+        if (options?.ifExists && !exists) {
+          return;
+        }
+        const entry = { value };
+        if (options?.ttlSeconds) {
+          entry.expiresAt = Date.now() + options.ttlSeconds * 1e3;
+        }
+        await this.atomicWrite(filePath, entry);
+      }
+      async delete(key) {
+        this.ensureConnected();
+        const filePath = this.keyToPath(key);
+        return this.deleteFile(filePath);
+      }
+      async exists(key) {
+        this.ensureConnected();
+        const filePath = this.keyToPath(key);
+        try {
+          const entry = await this.readEntry(filePath);
+          if (!entry) return false;
+          if (this.isExpired(entry)) {
+            await this.deleteFile(filePath);
+            return false;
+          }
+          return true;
+        } catch {
+          return false;
+        }
+      }
+      // ============================================
+      // TTL Operations
+      // ============================================
+      async expire(key, ttlSeconds) {
+        this.ensureConnected();
+        const filePath = this.keyToPath(key);
+        const entry = await this.readEntry(filePath);
+        if (!entry || this.isExpired(entry)) {
+          return false;
+        }
+        entry.expiresAt = Date.now() + ttlSeconds * 1e3;
+        await this.atomicWrite(filePath, entry);
+        return true;
+      }
+      async ttl(key) {
+        this.ensureConnected();
+        const filePath = this.keyToPath(key);
+        const entry = await this.readEntry(filePath);
+        if (!entry) return null;
+        if (this.isExpired(entry)) {
+          await this.deleteFile(filePath);
+          return null;
+        }
+        if (entry.expiresAt === void 0) {
+          return -1;
+        }
+        return Math.max(0, Math.ceil((entry.expiresAt - Date.now()) / 1e3));
+      }
+      // ============================================
+      // Key Enumeration
+      // ============================================
+      async keys(pattern = "*") {
+        this.ensureConnected();
+        const regex = globToRegex(pattern);
+        const result = [];
+        try {
+          const files = await readdir(this.baseDir);
+          for (const file of files) {
+            if (!file.endsWith(this.extension)) continue;
+            const key = this.pathToKey(file);
+            if (!regex.test(key)) continue;
+            const filePath = this.keyToPath(key);
+            const entry = await this.readEntry(filePath);
+            if (entry && !this.isExpired(entry)) {
+              result.push(key);
+            } else if (entry && this.isExpired(entry)) {
+              await this.deleteFile(filePath);
+            }
+          }
+        } catch (e) {
+          const error = e;
+          if (error.code === "ENOENT") {
+            return [];
+          }
+          throw e;
+        }
+        return result;
+      }
+      // ============================================
+      // Atomic Operations
+      // ============================================
+      async incr(key) {
+        return this.incrBy(key, 1);
+      }
+      async decr(key) {
+        return this.incrBy(key, -1);
+      }
+      async incrBy(key, amount) {
+        this.ensureConnected();
+        const filePath = this.keyToPath(key);
+        const entry = await this.readEntry(filePath);
+        let currentValue = 0;
+        if (entry && !this.isExpired(entry)) {
+          const parsed = parseInt(entry.value, 10);
+          if (isNaN(parsed)) {
+            throw new StorageOperationError("incrBy", key, "Value is not an integer");
+          }
+          currentValue = parsed;
+        }
+        const newValue = currentValue + amount;
+        const newEntry = { value: String(newValue) };
+        if (entry?.expiresAt && !this.isExpired(entry)) {
+          newEntry.expiresAt = entry.expiresAt;
+        }
+        await this.atomicWrite(filePath, newEntry);
+        return newValue;
+      }
+      // ============================================
+      // Internal Helpers
+      // ============================================
+      /**
+       * Convert a storage key to a file path.
+       * Sanitizes the key to be filesystem-safe.
+       */
+      keyToPath(key) {
+        const safeKey = this.encodeKey(key);
+        return `${this.baseDir}/${safeKey}${this.extension}`;
+      }
+      /**
+       * Convert a filename back to a storage key.
+       */
+      pathToKey(filename) {
+        const safeKey = filename.slice(0, -this.extension.length);
+        return this.decodeKey(safeKey);
+      }
+      /**
+       * Encode a key to be filesystem-safe.
+       * Uses URL encoding to handle special characters.
+       */
+      encodeKey(key) {
+        return encodeURIComponent(key).replace(/\./g, "%2E");
+      }
+      /**
+       * Decode a filesystem-safe key back to original.
+       */
+      decodeKey(encoded) {
+        return decodeURIComponent(encoded);
+      }
+      /**
+       * Read an entry from a file.
+       */
+      async readEntry(filePath) {
+        try {
+          return await readJSON(filePath);
+        } catch {
+          return null;
+        }
+      }
+      /**
+       * Check if an entry is expired.
+       */
+      isExpired(entry) {
+        return entry.expiresAt !== void 0 && Date.now() >= entry.expiresAt;
+      }
+      /**
+       * Delete a file, returning true if it existed.
+       */
+      async deleteFile(filePath) {
+        try {
+          await unlink(filePath);
+          return true;
+        } catch (e) {
+          const error = e;
+          if (error.code === "ENOENT") {
+            return false;
+          }
+          throw e;
+        }
+      }
+      /**
+       * Atomic write: write to temp file then rename.
+       * This ensures we don't corrupt the file if write is interrupted.
+       */
+      async atomicWrite(filePath, entry) {
+        const tempSuffix = bytesToHex(randomBytes(8));
+        const tempPath = `${filePath}.${tempSuffix}.tmp`;
+        try {
+          const content = JSON.stringify(entry, null, 2);
+          await writeFile(tempPath, content, { mode: this.fileMode });
+          await rename(tempPath, filePath);
+        } catch (e) {
+          try {
+            await unlink(tempPath);
+          } catch {
+          }
+          throw e;
+        }
+      }
+      /**
+       * Get suggestion message for pub/sub not supported error.
+       */
+      getPubSubSuggestion() {
+        return "FileSystem adapter does not support pub/sub. Use Redis or Memory adapter for pub/sub support.";
+      }
+    };
+  }
+});
+var indexeddb_exports = {};
+__export2(indexeddb_exports, {
+  IndexedDBStorageAdapter: () => IndexedDBStorageAdapter
+});
+var IndexedDBStorageAdapter;
+var init_indexeddb = __esm({
+  "libs/utils/src/storage/adapters/indexeddb.ts"() {
+    "use strict";
+    init_base();
+    init_pattern();
+    IndexedDBStorageAdapter = class extends BaseStorageAdapter {
+      backendName = "indexeddb";
+      dbName;
+      storeName;
+      prefix;
+      db = null;
+      constructor(options) {
+        super();
+        this.dbName = options?.dbName ?? "frontmcp";
+        this.storeName = options?.storeName ?? "kv";
+        this.prefix = options?.prefix ?? "frontmcp:";
+      }
+      assertAvailable() {
+        if (typeof indexedDB === "undefined") {
+          throw new Error("IndexedDB is not available in this environment");
+        }
+      }
+      key(k) {
+        return `${this.prefix}${k}`;
+      }
+      stripPrefix(fullKey) {
+        return fullKey.slice(this.prefix.length);
+      }
+      // ============================================
+      // Connection Lifecycle
+      // ============================================
+      async connect() {
+        this.assertAvailable();
+        if (this.db) {
+          this.connected = true;
+          return;
+        }
+        this.db = await new Promise((resolve2, reject) => {
+          const request = indexedDB.open(this.dbName, 1);
+          request.onupgradeneeded = () => {
+            const db = request.result;
+            if (!db.objectStoreNames.contains(this.storeName)) {
+              db.createObjectStore(this.storeName, { keyPath: "k" });
+            }
+          };
+          request.onsuccess = () => resolve2(request.result);
+          request.onerror = () => reject(request.error);
+        });
+        this.connected = true;
+      }
+      async disconnect() {
+        if (this.db) {
+          this.db.close();
+          this.db = null;
+        }
+        this.connected = false;
+      }
+      async ping() {
+        return this.db !== null && this.connected;
+      }
+      // ============================================
+      // Internal Helpers
+      // ============================================
+      getStore(mode) {
+        if (!this.db) {
+          throw new Error("IndexedDB adapter is not connected. Call connect() first.");
+        }
+        const tx = this.db.transaction(this.storeName, mode);
+        return tx.objectStore(this.storeName);
+      }
+      idbRequest(request) {
+        return new Promise((resolve2, reject) => {
+          request.onsuccess = () => resolve2(request.result);
+          request.onerror = () => reject(request.error);
+        });
+      }
+      idbTransaction(store) {
+        return new Promise((resolve2, reject) => {
+          const tx = store.transaction;
+          tx.oncomplete = () => resolve2();
+          tx.onerror = () => reject(tx.error);
+        });
+      }
+      // ============================================
+      // Core Operations
+      // ============================================
+      async get(key) {
+        this.ensureConnected();
+        const store = this.getStore("readonly");
+        const entry = await this.idbRequest(store.get(this.key(key)));
+        if (!entry) return null;
+        if (entry.e && entry.e < Date.now()) {
+          const writeStore = this.getStore("readwrite");
+          writeStore.delete(this.key(key));
+          return null;
+        }
+        return entry.v;
+      }
+      async doSet(key, value, options) {
+        if (options?.ifNotExists) {
+          const existing = await this.get(key);
+          if (existing !== null) return;
+        }
+        if (options?.ifExists) {
+          const existing = await this.get(key);
+          if (existing === null) return;
+        }
+        const entry = { k: this.key(key), v: value };
+        if (options?.ttlSeconds) {
+          entry.e = Date.now() + options.ttlSeconds * 1e3;
+        }
+        const store = this.getStore("readwrite");
+        await this.idbRequest(store.put(entry));
+      }
+      async delete(key) {
+        this.ensureConnected();
+        const existing = await this.get(key);
+        if (existing === null) return false;
+        const store = this.getStore("readwrite");
+        await this.idbRequest(store.delete(this.key(key)));
+        return true;
+      }
+      async exists(key) {
+        return await this.get(key) !== null;
+      }
+      // ============================================
+      // TTL Operations
+      // ============================================
+      async expire(key, ttlSeconds) {
+        this.ensureConnected();
+        const value = await this.get(key);
+        if (value === null) return false;
+        await this.doSet(key, value, { ttlSeconds });
+        return true;
+      }
+      async ttl(key) {
+        this.ensureConnected();
+        const store = this.getStore("readonly");
+        const entry = await this.idbRequest(store.get(this.key(key)));
+        if (!entry) return null;
+        if (entry.e) {
+          const remaining = Math.ceil((entry.e - Date.now()) / 1e3);
+          return remaining > 0 ? remaining : null;
+        }
+        return -1;
+      }
+      // ============================================
+      // Key Enumeration
+      // ============================================
+      async keys(pattern) {
+        this.ensureConnected();
+        const store = this.getStore("readonly");
+        const allKeys = await this.idbRequest(store.getAllKeys());
+        const now = Date.now();
+        const result = [];
+        for (const fullKey of allKeys) {
+          const keyStr = String(fullKey);
+          if (!keyStr.startsWith(this.prefix)) continue;
+          const key = this.stripPrefix(keyStr);
+          if (pattern && pattern !== "*" && !this.matchPattern(key, pattern)) continue;
+          const entry = await this.idbRequest(store.get(keyStr));
+          if (entry && (!entry.e || entry.e >= now)) {
+            result.push(key);
+          }
+        }
+        return result;
+      }
+      // ============================================
+      // Atomic Operations
+      // ============================================
+      async incr(key) {
+        return this.incrBy(key, 1);
+      }
+      async decr(key) {
+        return this.incrBy(key, -1);
+      }
+      /**
+       * Increment by amount. NOT atomic — uses read-then-write which can race
+       * under concurrent access (e.g., multiple browser tabs).
+       */
+      async incrBy(key, amount) {
+        this.ensureConnected();
+        const current = await this.get(key);
+        const value = current !== null ? parseInt(current, 10) + amount : amount;
+        if (Number.isNaN(value)) {
+          throw new Error(`Value at "${key}" is not an integer`);
+        }
+        await this.doSet(key, String(value));
+        return value;
+      }
+      // ============================================
+      // Pattern Matching
+      // ============================================
+      matchPattern(key, pattern) {
+        return matchesPattern(key, pattern);
+      }
+    };
+  }
+});
+var localstorage_exports = {};
+__export2(localstorage_exports, {
+  LocalStorageAdapter: () => LocalStorageAdapter
+});
+var LocalStorageAdapter;
+var init_localstorage = __esm({
+  "libs/utils/src/storage/adapters/localstorage.ts"() {
+    "use strict";
+    init_base();
+    init_crypto();
+    init_pattern();
+    LocalStorageAdapter = class extends BaseStorageAdapter {
+      backendName = "localstorage";
+      prefix;
+      encryptionKey;
+      allowPlaintext;
+      encoder = new TextEncoder();
+      decoder = new TextDecoder();
+      constructor(options) {
+        super();
+        this.prefix = options?.prefix ?? "frontmcp:";
+        this.allowPlaintext = options?.allowPlaintext ?? true;
+        if (options?.encryptionKey) {
+          if (options.encryptionKey.length !== 32) {
+            throw new Error(`encryptionKey must be exactly 32 bytes, got ${options.encryptionKey.length}`);
+          }
+          this.encryptionKey = options.encryptionKey;
+        }
+      }
+      assertAvailable() {
+        if (typeof localStorage === "undefined") {
+          throw new Error("localStorage is not available in this environment");
+        }
+      }
+      key(k) {
+        return `${this.prefix}${k}`;
+      }
+      stripPrefix(fullKey) {
+        return fullKey.slice(this.prefix.length);
+      }
+      async connect() {
+        this.assertAvailable();
+        const probeKey = this.key("__probe__");
+        try {
+          localStorage.setItem(probeKey, "1");
+          const read = localStorage.getItem(probeKey);
+          if (read !== "1") {
+            throw new Error("localStorage probe: read-back mismatch");
+          }
+        } catch (err) {
+          throw new Error(`localStorage is not writable: ${err instanceof Error ? err.message : String(err)}`);
+        } finally {
+          try {
+            localStorage.removeItem(probeKey);
+          } catch {
+          }
+        }
+        this.connected = true;
+      }
+      async disconnect() {
+        this.connected = false;
+      }
+      async ping() {
+        const probeKey = this.key("__probe__");
+        try {
+          this.assertAvailable();
+          localStorage.setItem(probeKey, "1");
+          return localStorage.getItem(probeKey) === "1";
+        } catch {
+          return false;
+        } finally {
+          try {
+            localStorage.removeItem(probeKey);
+          } catch {
+          }
+        }
+      }
+      async get(key) {
+        const raw = localStorage.getItem(this.key(key));
+        if (raw === null) return null;
+        try {
+          const entry = JSON.parse(raw);
+          if (entry.e && entry.e < Date.now()) {
+            localStorage.removeItem(this.key(key));
+            return null;
+          }
+          if (entry._enc) {
+            if (!this.encryptionKey) return null;
+            const iv = base64urlDecode(entry._enc.iv);
+            const tag = base64urlDecode(entry._enc.tag);
+            const ciphertext = base64urlDecode(entry._enc.data);
+            const plainBytes = decryptAesGcm(this.encryptionKey, ciphertext, iv, tag);
+            return this.decoder.decode(plainBytes);
+          }
+          return entry.v;
+        } catch {
+          return null;
+        }
+      }
+      async set(key, value, options) {
+        if (options?.ifNotExists) {
+          const existing = await this.get(key);
+          if (existing !== null) return;
+        }
+        if (options?.ifExists) {
+          const existing = await this.get(key);
+          if (existing === null) return;
+        }
+        await this.doSet(key, value, options);
+      }
+      async doSet(key, value, options) {
+        const entry = { v: "" };
+        if (options?.ttlSeconds) {
+          entry.e = Date.now() + options.ttlSeconds * 1e3;
+        }
+        if (this.encryptionKey) {
+          const iv = randomBytes(12);
+          const plainBytes = this.encoder.encode(value);
+          const { ciphertext, tag } = encryptAesGcm(this.encryptionKey, plainBytes, iv);
+          entry._enc = {
+            alg: "A256GCM",
+            iv: base64urlEncode(iv),
+            tag: base64urlEncode(tag),
+            data: base64urlEncode(ciphertext)
+          };
+        } else {
+          if (!this.allowPlaintext) {
+            throw new Error("Plaintext storage is disabled. Provide an encryptionKey or set allowPlaintext: true.");
+          }
+          entry.v = value;
+        }
+        localStorage.setItem(this.key(key), JSON.stringify(entry));
+      }
+      async delete(key) {
+        const existed = await this.get(key) !== null;
+        localStorage.removeItem(this.key(key));
+        return existed;
+      }
+      async exists(key) {
+        return await this.get(key) !== null;
+      }
+      async mget(keys) {
+        return Promise.all(keys.map((k) => this.get(k)));
+      }
+      async mset(entries) {
+        for (const entry of entries) {
+          await this.set(entry.key, entry.value, entry.options);
+        }
+      }
+      async mdelete(keys) {
+        let count = 0;
+        for (const key of keys) {
+          if (await this.delete(key)) count++;
+        }
+        return count;
+      }
+      async expire(key, ttlSeconds) {
+        const value = await this.get(key);
+        if (value === null) return false;
+        await this.set(key, value, { ttlSeconds });
+        return true;
+      }
+      async ttl(key) {
+        const raw = localStorage.getItem(this.key(key));
+        if (raw === null) return null;
+        try {
+          const entry = JSON.parse(raw);
+          if (!entry.e) return -1;
+          const remaining = Math.ceil((entry.e - Date.now()) / 1e3);
+          return remaining > 0 ? remaining : null;
+        } catch {
+          return null;
+        }
+      }
+      async keys(pattern) {
+        const result = [];
+        const candidates = [];
+        for (let i = 0; i < localStorage.length; i++) {
+          const fullKey = localStorage.key(i);
+          if (fullKey && fullKey.startsWith(this.prefix)) {
+            candidates.push(this.stripPrefix(fullKey));
+          }
+        }
+        for (const key of candidates) {
+          if (!pattern || pattern === "*" || this.matchPattern(key, pattern)) {
+            if (await this.get(key) !== null) {
+              result.push(key);
+            }
+          }
+        }
+        return result;
+      }
+      async count(pattern) {
+        return (await this.keys(pattern)).length;
+      }
+      async incr(key) {
+        return this.incrBy(key, 1);
+      }
+      async decr(key) {
+        return this.incrBy(key, -1);
+      }
+      async incrBy(key, amount) {
+        if (!Number.isInteger(amount)) {
+          throw new Error(`amount must be an integer, got ${amount}`);
+        }
+        const current = await this.get(key);
+        if (current !== null && !/^-?\d+$/.test(current)) {
+          throw new Error(`Value at "${key}" is not an integer`);
+        }
+        const value = current !== null ? parseInt(current, 10) + amount : amount;
+        await this.set(key, String(value));
+        return value;
+      }
+      async publish() {
+        throw new Error("LocalStorage adapter does not support pub/sub");
+      }
+      async subscribe(_channel, _handler) {
+        throw new Error("LocalStorage adapter does not support pub/sub");
+      }
+      supportsPubSub() {
+        return false;
+      }
+      matchPattern(key, pattern) {
+        return matchesPattern(key, pattern);
+      }
+    };
+  }
+});
+var DEFAULT_BASE_DIR;
+var LS_HKDF_IKM;
+var INSTALL_SALT_KEY;
+var LEGACY_SALT_KEY;
+var init_factory = __esm({
+  "libs/utils/src/crypto/key-persistence/factory.ts"() {
+    "use strict";
+    init_runtime();
+    init_memory();
+    init_key_persistence();
+    init_crypto();
+    DEFAULT_BASE_DIR = ".frontmcp/keys";
+    LS_HKDF_IKM = new TextEncoder().encode("frontmcp:localstorage:v1");
+    INSTALL_SALT_KEY = "__frontmcp_internal__:install_salt";
+    LEGACY_SALT_KEY = "frontmcp:_install_salt";
+  }
+});
+var init_key_persistence2 = __esm({
+  "libs/utils/src/crypto/key-persistence/index.ts"() {
+    "use strict";
+    init_schemas();
+    init_key_persistence();
+    init_factory();
+  }
+});
+var node_exports = {};
+__export2(node_exports, {
+  createSignedJwt: () => createSignedJwt,
+  cryptoProvider: () => nodeCrypto,
+  generateRsaKeyPair: () => generateRsaKeyPair,
+  isRsaPssAlg: () => isRsaPssAlg,
+  jwtAlgToNodeAlg: () => jwtAlgToNodeAlg,
+  nodeCrypto: () => nodeCrypto,
+  pemToPublicJwk: () => pemToPublicJwk,
+  rsaSign: () => rsaSign,
+  rsaSignBase64Url: () => rsaSignBase64Url,
+  rsaVerify: () => rsaVerify,
+  rsaVerifySync: () => rsaVerifySync
+});
+function toUint8Array(buf) {
+  return new Uint8Array(buf.buffer, buf.byteOffset, buf.byteLength);
+}
+function toBuffer(data) {
+  if (typeof data === "string") {
+    return Buffer.from(data, "utf8");
+  }
+  return Buffer.from(data);
+}
+function generateRsaKeyPair(modulusLength = 2048, alg = "RS256") {
+  const kid = `rsa-key-${Date.now()}-${import_node_crypto.default.randomBytes(8).toString("hex")}`;
+  const { privateKey, publicKey } = import_node_crypto.default.generateKeyPairSync("rsa", {
+    modulusLength
+  });
+  const exported = publicKey.export({ format: "jwk" });
+  const publicJwk = {
+    ...exported,
+    kid,
+    alg,
+    use: "sig",
+    kty: "RSA"
+  };
+  return { privateKey, publicKey, publicJwk };
+}
+function rsaSign(algorithm, data, privateKey, options) {
+  const signingKey = options ? { key: privateKey, ...options } : privateKey;
+  return import_node_crypto.default.sign(algorithm, data, signingKey);
+}
+function rsaVerify(jwtAlg, data, publicJwk, signature) {
+  const publicKey = import_node_crypto.default.createPublicKey({ key: publicJwk, format: "jwk" });
+  const nodeAlgorithm = jwtAlgToNodeAlg(jwtAlg);
+  const verifyKey = isRsaPssAlg(jwtAlg) ? {
+    key: publicKey,
+    padding: import_node_crypto.default.constants.RSA_PKCS1_PSS_PADDING,
+    saltLength: import_node_crypto.default.constants.RSA_PSS_SALTLEN_DIGEST
+  } : publicKey;
+  return import_node_crypto.default.verify(nodeAlgorithm, data, verifyKey, signature);
+}
+function rsaSignBase64Url(jwtAlg, data, privateJwk) {
+  const privateKey = import_node_crypto.default.createPrivateKey({ key: privateJwk, format: "jwk" });
+  const nodeAlgorithm = jwtAlgToNodeAlg(jwtAlg);
+  const buf = Buffer.isBuffer(data) ? data : Buffer.from(data);
+  const sig = isRsaPssAlg(jwtAlg) ? rsaSign(nodeAlgorithm, buf, privateKey, {
+    padding: import_node_crypto.default.constants.RSA_PKCS1_PSS_PADDING,
+    saltLength: import_node_crypto.default.constants.RSA_PSS_SALTLEN_DIGEST
+  }) : rsaSign(nodeAlgorithm, buf, privateKey);
+  return sig.toString("base64url");
+}
+function rsaVerifySync(jwtAlg, data, publicJwk, signature) {
+  try {
+    const publicKey = import_node_crypto.default.createPublicKey({ key: publicJwk, format: "jwk" });
+    const dataBuf = Buffer.isBuffer(data) ? data : Buffer.from(data);
+    const sigBuf = Buffer.isBuffer(signature) ? signature : Buffer.from(signature);
+    if (jwtAlg === "EdDSA") {
+      return import_node_crypto.default.verify(null, dataBuf, publicKey, sigBuf);
+    }
+    const nodeAlgorithm = jwtAlgToNodeAlg(jwtAlg);
+    const verifyKey = isRsaPssAlg(jwtAlg) ? {
+      key: publicKey,
+      padding: import_node_crypto.default.constants.RSA_PKCS1_PSS_PADDING,
+      saltLength: import_node_crypto.default.constants.RSA_PSS_SALTLEN_DIGEST
+    } : publicKey;
+    return import_node_crypto.default.verify(nodeAlgorithm, dataBuf, verifyKey, sigBuf);
+  } catch {
+    return false;
+  }
+}
+function pemToPublicJwk(pem) {
+  const key = import_node_crypto.default.createPublicKey({ key: pem, format: "pem" });
+  return key.export({ format: "jwk" });
+}
+function createSignedJwt(payload, privateKey, kid, alg = "RS256") {
+  const header = { alg, typ: "JWT", kid };
+  const headerB64 = Buffer.from(JSON.stringify(header)).toString("base64url");
+  const payloadB64 = Buffer.from(JSON.stringify(payload)).toString("base64url");
+  const signatureInput = `${headerB64}.${payloadB64}`;
+  const nodeAlgorithm = jwtAlgToNodeAlg(alg);
+  const signature = rsaSign(
+    nodeAlgorithm,
+    Buffer.from(signatureInput),
+    privateKey,
+    isRsaPssAlg(alg) ? {
+      padding: import_node_crypto.default.constants.RSA_PKCS1_PSS_PADDING,
+      saltLength: import_node_crypto.default.constants.RSA_PSS_SALTLEN_DIGEST
+    } : void 0
+  );
+  const signatureB64 = signature.toString("base64url");
+  return `${headerB64}.${payloadB64}.${signatureB64}`;
+}
+var nodeCrypto;
+var init_node = __esm({
+  "libs/utils/src/crypto/node.ts"() {
+    "use strict";
+    init_jwt_alg();
+    init_jwt_alg();
+    nodeCrypto = {
+      randomUUID() {
+        return import_node_crypto.default.randomUUID();
+      },
+      randomBytes(length) {
+        return toUint8Array(import_node_crypto.default.randomBytes(length));
+      },
+      sha256(data) {
+        const hash = import_node_crypto.default.createHash("sha256").update(toBuffer(data)).digest();
+        return toUint8Array(hash);
+      },
+      sha256Hex(data) {
+        return import_node_crypto.default.createHash("sha256").update(toBuffer(data)).digest("hex");
+      },
+      hmacSha256(key, data) {
+        const hmac2 = import_node_crypto.default.createHmac("sha256", Buffer.from(key)).update(Buffer.from(data)).digest();
+        return toUint8Array(hmac2);
+      },
+      hkdfSha256(ikm, salt, info, length) {
+        const ikmBuf = Buffer.from(ikm);
+        const saltBuf = salt.length > 0 ? Buffer.from(salt) : Buffer.alloc(32);
+        const prk = import_node_crypto.default.createHmac("sha256", saltBuf).update(ikmBuf).digest();
+        const hashLen = 32;
+        const n = Math.ceil(length / hashLen);
+        const chunks = [];
+        let prev = Buffer.alloc(0);
+        for (let i = 1; i <= n; i++) {
+          prev = import_node_crypto.default.createHmac("sha256", prk).update(Buffer.concat([prev, Buffer.from(info), Buffer.from([i])])).digest();
+          chunks.push(prev);
+        }
+        return toUint8Array(Buffer.concat(chunks).subarray(0, length));
+      },
+      encryptAesGcm(key, plaintext, iv) {
+        const cipher = import_node_crypto.default.createCipheriv("aes-256-gcm", Buffer.from(key), Buffer.from(iv));
+        const encrypted = Buffer.concat([cipher.update(Buffer.from(plaintext)), cipher.final()]);
+        const tag = cipher.getAuthTag();
+        return {
+          ciphertext: toUint8Array(encrypted),
+          tag: toUint8Array(tag)
+        };
+      },
+      decryptAesGcm(key, ciphertext, iv, tag) {
+        const decipher = import_node_crypto.default.createDecipheriv("aes-256-gcm", Buffer.from(key), Buffer.from(iv));
+        decipher.setAuthTag(Buffer.from(tag));
+        const decrypted = Buffer.concat([decipher.update(Buffer.from(ciphertext)), decipher.final()]);
+        return toUint8Array(decrypted);
+      },
+      timingSafeEqual(a, b) {
+        if (a.length !== b.length) return false;
+        return import_node_crypto.default.timingSafeEqual(Buffer.from(a), Buffer.from(b));
+      }
+    };
+  }
+});
+var browser_exports = {};
+__export2(browser_exports, {
+  browserCrypto: () => browserCrypto,
+  cryptoProvider: () => browserCrypto,
+  isRsaPssAlg: () => isRsaPssAlg,
+  jwtAlgToWebCryptoAlg: () => jwtAlgToWebCryptoAlg,
+  rsaVerifyBrowser: () => rsaVerifyBrowser
+});
+function toBytes(data) {
+  if (typeof data === "string") {
+    return new TextEncoder().encode(data);
+  }
+  return data;
+}
+function toHex(bytes) {
+  return Array.from(bytes).map((b) => b.toString(16).padStart(2, "0")).join("");
+}
+function generateUUID() {
+  if (typeof crypto !== "undefined" && typeof crypto.randomUUID === "function") {
+    return crypto.randomUUID();
+  }
+  const bytes = (0, import_utils.randomBytes)(16);
+  bytes[6] = bytes[6] & 15 | 64;
+  bytes[8] = bytes[8] & 63 | 128;
+  const hex = toHex(bytes);
+  return `${hex.slice(0, 8)}-${hex.slice(8, 12)}-${hex.slice(12, 16)}-${hex.slice(16, 20)}-${hex.slice(20)}`;
+}
+function constantTimeEqual(a, b) {
+  if (a.length !== b.length) return false;
+  let result = 0;
+  for (let i = 0; i < a.length; i++) {
+    result |= a[i] ^ b[i];
+  }
+  return result === 0;
+}
+async function rsaVerifyBrowser(jwtAlg, data, publicJwk, signature) {
+  if (typeof globalThis.crypto?.subtle === "undefined") {
+    throw new Error("WebCrypto API (crypto.subtle) is not available in this environment");
+  }
+  const webAlg = jwtAlgToWebCryptoAlg(jwtAlg);
+  const isPss = isRsaPssAlg(jwtAlg);
+  const algorithm = {
+    name: isPss ? "RSA-PSS" : "RSASSA-PKCS1-v1_5",
+    hash: { name: webAlg }
+  };
+  const key = await globalThis.crypto.subtle.importKey("jwk", publicJwk, algorithm, false, ["verify"]);
+  const verifyAlgorithm = isPss ? { name: "RSA-PSS", saltLength: getSaltLength(jwtAlg) } : { name: "RSASSA-PKCS1-v1_5" };
+  const sigBuf = new Uint8Array(signature).buffer;
+  const dataBuf = new Uint8Array(data).buffer;
+  return globalThis.crypto.subtle.verify(verifyAlgorithm, key, sigBuf, dataBuf);
+}
+function getSaltLength(jwtAlg) {
+  switch (jwtAlg) {
+    case "PS256":
+      return 32;
+    // SHA-256 digest length
+    case "PS384":
+      return 48;
+    // SHA-384 digest length
+    case "PS512":
+      return 64;
+    // SHA-512 digest length
+    default:
+      return 32;
+  }
+}
+var browserCrypto;
+var init_browser = __esm({
+  "libs/utils/src/crypto/browser.ts"() {
+    "use strict";
+    init_jwt_alg();
+    init_jwt_alg();
+    browserCrypto = {
+      randomUUID() {
+        return generateUUID();
+      },
+      randomBytes(length) {
+        return (0, import_utils.randomBytes)(length);
+      },
+      sha256(data) {
+        return (0, import_sha2.sha256)(toBytes(data));
+      },
+      sha256Hex(data) {
+        return toHex((0, import_sha2.sha256)(toBytes(data)));
+      },
+      hmacSha256(key, data) {
+        return (0, import_hmac.hmac)(import_sha2.sha256, key, data);
+      },
+      hkdfSha256(ikm, salt, info, length) {
+        const effectiveSalt = salt.length > 0 ? salt : new Uint8Array(32);
+        return (0, import_hkdf.hkdf)(import_sha2.sha256, ikm, effectiveSalt, info, length);
+      },
+      encryptAesGcm(key, plaintext, iv) {
+        const cipher = (0, import_aes.gcm)(key, iv);
+        const sealed = cipher.encrypt(plaintext);
+        const ciphertext = sealed.slice(0, -16);
+        const tag = sealed.slice(-16);
+        return { ciphertext, tag };
+      },
+      decryptAesGcm(key, ciphertext, iv, tag) {
+        const cipher = (0, import_aes.gcm)(key, iv);
+        const sealed = new Uint8Array(ciphertext.length + tag.length);
+        sealed.set(ciphertext);
+        sealed.set(tag, ciphertext.length);
+        return cipher.decrypt(sealed);
+      },
+      timingSafeEqual(a, b) {
+        return constantTimeEqual(a, b);
+      }
+    };
+  }
+});
+function getCrypto() {
+  return import_crypto_provider.cryptoProvider;
+}
+function randomUUID() {
+  return getCrypto().randomUUID();
+}
+function randomBytes(length) {
+  if (!Number.isInteger(length) || length <= 0) {
+    throw new Error(`randomBytes length must be a positive integer, got ${length}`);
+  }
+  return getCrypto().randomBytes(length);
+}
+function encryptAesGcm(key, plaintext, iv) {
+  if (key.length !== 32) {
+    throw new Error(`AES-256-GCM requires a 32-byte key, got ${key.length} bytes`);
+  }
+  if (iv.length !== 12) {
+    throw new Error(`AES-GCM requires a 12-byte IV, got ${iv.length} bytes`);
+  }
+  return getCrypto().encryptAesGcm(key, plaintext, iv);
+}
+function decryptAesGcm(key, ciphertext, iv, tag) {
+  if (key.length !== 32) {
+    throw new Error(`AES-256-GCM requires a 32-byte key, got ${key.length} bytes`);
+  }
+  if (iv.length !== 12) {
+    throw new Error(`AES-GCM requires a 12-byte IV, got ${iv.length} bytes`);
+  }
+  if (tag.length !== 16) {
+    throw new Error(`AES-GCM requires a 16-byte authentication tag, got ${tag.length} bytes`);
+  }
+  return getCrypto().decryptAesGcm(key, ciphertext, iv, tag);
+}
+function bytesToHex(data) {
+  return Array.from(data).map((b) => b.toString(16).padStart(2, "0")).join("");
+}
+function base64urlEncode(data) {
+  let base64;
+  if (typeof Buffer !== "undefined") {
+    base64 = Buffer.from(data).toString("base64");
+  } else {
+    const binString = Array.from(data, (byte) => String.fromCodePoint(byte)).join("");
+    base64 = btoa(binString);
+  }
+  const result = base64.replace(/\+/g, "-").replace(/\//g, "_");
+  let end = result.length;
+  while (end > 0 && result[end - 1] === "=") {
+    end--;
+  }
+  return result.slice(0, end);
+}
+function base64urlDecode(data) {
+  let base64 = data.replace(/-/g, "+").replace(/_/g, "/");
+  const pad = base64.length % 4;
+  if (pad) {
+    base64 += "=".repeat(4 - pad);
+  }
+  if (typeof Buffer !== "undefined") {
+    return new Uint8Array(Buffer.from(base64, "base64"));
+  } else {
+    const binString = atob(base64);
+    return Uint8Array.from(binString, (c) => c.codePointAt(0) ?? 0);
+  }
+}
+var HKDF_SHA256_MAX_LENGTH;
+var init_crypto = __esm({
+  "libs/utils/src/crypto/index.ts"() {
+    "use strict";
+    init_runtime();
+    init_jwt_alg();
+    init_runtime();
+    init_encrypted_blob();
+    init_pkce2();
+    init_secret_persistence();
+    init_hmac_signing();
+    init_key_persistence2();
+    HKDF_SHA256_MAX_LENGTH = 255 * 32;
+  }
+});
+var init_utils = __esm({
+  "libs/utils/src/storage/utils/index.ts"() {
+    "use strict";
+    init_ttl();
+  }
+});
+var redis_exports = {};
+__export2(redis_exports, {
+  RedisStorageAdapter: () => RedisStorageAdapter
+});
+function getRedisClass() {
+  try {
+    return __require("ioredis").default || __require("ioredis");
+  } catch (error) {
+    const msg = error instanceof Error ? error.message : String(error);
+    if (msg.includes("Dynamic require") || msg.includes("require is not defined")) {
+      throw new Error(
+        `Failed to load ioredis: ${msg}. This typically happens with ESM bundlers (esbuild, Vite). Ensure your bundler externalizes ioredis or use CJS mode.`
+      );
+    }
+    throw new Error("ioredis is required for Redis storage adapter. Install it with: npm install ioredis");
+  }
+}
+var RedisStorageAdapter;
+var init_redis = __esm({
+  "libs/utils/src/storage/adapters/redis.ts"() {
+    "use strict";
+    init_base();
+    init_errors();
+    init_utils();
+    RedisStorageAdapter = class extends BaseStorageAdapter {
+      backendName = "redis";
+      client;
+      subscriber;
+      options;
+      ownsClient;
+      keyPrefix;
+      subscriptionHandlers = /* @__PURE__ */ new Map();
+      constructor(options = {}) {
+        super();
+        const hasClient = options.client !== void 0;
+        const hasConfig = options.config !== void 0 || options.url !== void 0;
+        if (hasClient && hasConfig) {
+          throw new StorageConfigError("redis", 'Cannot specify both "client" and "config"/"url". Use one or the other.');
+        }
+        if (!hasClient && !hasConfig) {
+          const envUrl = process.env["REDIS_URL"] || process.env["REDIS_HOST"];
+          if (envUrl) {
+            options = { ...options, url: envUrl };
+          } else {
+            throw new StorageConfigError(
+              "redis",
+              'Either "client", "config", "url", or REDIS_URL environment variable must be provided.'
+            );
+          }
+        }
+        this.options = options;
+        this.ownsClient = !hasClient;
+        this.keyPrefix = options.keyPrefix ?? "";
+      }
+      // ============================================
+      // Connection Lifecycle
+      // ============================================
+      async connect() {
+        if (this.connected) return;
+        try {
+          if (this.options.client) {
+            this.client = this.options.client;
+          } else {
+            const RedisClass = getRedisClass();
+            if (this.options.url) {
+              this.client = new RedisClass(this.options.url, this.buildRedisOptions());
+            } else {
+              this.client = new RedisClass(this.buildRedisOptions());
+            }
+          }
+          await this.client.ping();
+          this.connected = true;
+        } catch (e) {
+          throw new StorageConnectionError("Failed to connect to Redis", e instanceof Error ? e : void 0, "redis");
+        }
+      }
+      async disconnect() {
+        if (!this.connected) return;
+        if (this.subscriber) {
+          await this.subscriber.quit();
+          this.subscriber = void 0;
+        }
+        if (this.ownsClient && this.client) {
+          await this.client.quit();
+        }
+        this.client = void 0;
+        this.connected = false;
+        this.subscriptionHandlers.clear();
+      }
+      async ping() {
+        if (!this.client) return false;
+        try {
+          const result = await this.client.ping();
+          return result === "PONG";
+        } catch {
+          return false;
+        }
+      }
+      // ============================================
+      // Connection Helpers
+      // ============================================
+      /**
+       * Get the connected Redis client, throwing if not connected.
+       */
+      getConnectedClient() {
+        this.ensureConnected();
+        if (!this.client) {
+          throw new StorageConnectionError("Redis client not connected", void 0, "redis");
+        }
+        return this.client;
+      }
+      /**
+       * Get the connected Redis subscriber, throwing if not created.
+       */
+      getConnectedSubscriber() {
+        if (!this.subscriber) {
+          throw new StorageConnectionError("Redis subscriber not created", void 0, "redis");
+        }
+        return this.subscriber;
+      }
+      // ============================================
+      // Core Operations
+      // ============================================
+      async get(key) {
+        return this.getConnectedClient().get(this.prefixKey(key));
+      }
+      async doSet(key, value, options) {
+        const client = this.getConnectedClient();
+        const prefixedKey = this.prefixKey(key);
+        if (options?.ttlSeconds) {
+          if (options.ifNotExists) {
+            await client.set(prefixedKey, value, "EX", options.ttlSeconds, "NX");
+          } else if (options.ifExists) {
+            await client.set(prefixedKey, value, "EX", options.ttlSeconds, "XX");
+          } else {
+            await client.set(prefixedKey, value, "EX", options.ttlSeconds);
+          }
+        } else if (options?.ifNotExists) {
+          await client.set(prefixedKey, value, "NX");
+        } else if (options?.ifExists) {
+          await client.set(prefixedKey, value, "XX");
+        } else {
+          await client.set(prefixedKey, value);
+        }
+      }
+      async delete(key) {
+        const result = await this.getConnectedClient().del(this.prefixKey(key));
+        return result > 0;
+      }
+      async exists(key) {
+        const result = await this.getConnectedClient().exists(this.prefixKey(key));
+        return result > 0;
+      }
+      // ============================================
+      // Batch Operations (pipelined)
+      // ============================================
+      async mget(keys) {
+        if (keys.length === 0) return [];
+        const prefixedKeys = keys.map((k) => this.prefixKey(k));
+        return this.getConnectedClient().mget(...prefixedKeys);
+      }
+      async mset(entries) {
+        if (entries.length === 0) return;
+        for (const entry of entries) {
+          this.validateSetOptions(entry.options);
+        }
+        const pipeline = this.getConnectedClient().pipeline();
+        for (const entry of entries) {
+          const prefixedKey = this.prefixKey(entry.key);
+          if (entry.options?.ttlSeconds) {
+            if (entry.options.ifNotExists) {
+              pipeline.set(prefixedKey, entry.value, "EX", entry.options.ttlSeconds, "NX");
+            } else if (entry.options.ifExists) {
+              pipeline.set(prefixedKey, entry.value, "EX", entry.options.ttlSeconds, "XX");
+            } else {
+              pipeline.set(prefixedKey, entry.value, "EX", entry.options.ttlSeconds);
+            }
+          } else if (entry.options?.ifNotExists) {
+            pipeline.set(prefixedKey, entry.value, "NX");
+          } else if (entry.options?.ifExists) {
+            pipeline.set(prefixedKey, entry.value, "XX");
+          } else {
+            pipeline.set(prefixedKey, entry.value);
+          }
+        }
+        await pipeline.exec();
+      }
+      async mdelete(keys) {
+        if (keys.length === 0) return 0;
+        const prefixedKeys = keys.map((k) => this.prefixKey(k));
+        return this.getConnectedClient().del(...prefixedKeys);
+      }
+      // ============================================
+      // TTL Operations
+      // ============================================
+      async expire(key, ttlSeconds) {
+        validateTTL(ttlSeconds);
+        const result = await this.getConnectedClient().expire(this.prefixKey(key), ttlSeconds);
+        return result === 1;
+      }
+      async ttl(key) {
+        const result = await this.getConnectedClient().ttl(this.prefixKey(key));
+        if (result === -2) return null;
+        return result;
+      }
+      // ============================================
+      // Key Enumeration (SCAN)
+      // ============================================
+      async keys(pattern = "*") {
+        const client = this.getConnectedClient();
+        const prefixedPattern = this.prefixKey(pattern);
+        const result = [];
+        let cursor = "0";
+        do {
+          const [nextCursor, keys] = await client.scan(cursor, "MATCH", prefixedPattern, "COUNT", 100);
+          cursor = nextCursor;
+          for (const key of keys) {
+            result.push(this.unprefixKey(key));
+          }
+        } while (cursor !== "0");
+        return result;
+      }
+      // ============================================
+      // Atomic Operations
+      // ============================================
+      async incr(key) {
+        return this.getConnectedClient().incr(this.prefixKey(key));
+      }
+      async decr(key) {
+        return this.getConnectedClient().decr(this.prefixKey(key));
+      }
+      async incrBy(key, amount) {
+        return this.getConnectedClient().incrby(this.prefixKey(key), amount);
+      }
+      // ============================================
+      // Pub/Sub
+      // ============================================
+      supportsPubSub() {
+        return true;
+      }
+      async publish(channel, message) {
+        const prefixedChannel = this.prefixKey(channel);
+        return this.getConnectedClient().publish(prefixedChannel, message);
+      }
+      async subscribe(channel, handler) {
+        this.ensureConnected();
+        const prefixedChannel = this.prefixKey(channel);
+        if (!this.subscriber) {
+          await this.createSubscriber();
+        }
+        const subscriber = this.getConnectedSubscriber();
+        if (!this.subscriptionHandlers.has(prefixedChannel)) {
+          this.subscriptionHandlers.set(prefixedChannel, /* @__PURE__ */ new Set());
+          await subscriber.subscribe(prefixedChannel);
+        }
+        const handlers = this.subscriptionHandlers.get(prefixedChannel);
+        if (handlers) {
+          handlers.add(handler);
+        }
+        return async () => {
+          const handlers2 = this.subscriptionHandlers.get(prefixedChannel);
+          if (handlers2) {
+            handlers2.delete(handler);
+            if (handlers2.size === 0) {
+              this.subscriptionHandlers.delete(prefixedChannel);
+              await this.subscriber?.unsubscribe(prefixedChannel);
+            }
+          }
+        };
+      }
+      // ============================================
+      // Internal Helpers
+      // ============================================
+      /**
+       * Build Redis options from config.
+       */
+      buildRedisOptions() {
+        if (this.options.url) {
+          return {
+            lazyConnect: false,
+            maxRetriesPerRequest: 3
+          };
+        }
+        const config = this.options.config;
+        if (!config) {
+          throw new StorageConfigError("redis", "Redis config is required when URL is not provided");
+        }
+        return {
+          host: config.host,
+          port: config.port ?? 6379,
+          password: config.password,
+          db: config.db ?? 0,
+          tls: config.tls ? {} : void 0,
+          lazyConnect: false,
+          maxRetriesPerRequest: 3
+        };
+      }
+      /**
+       * Create subscriber connection.
+       */
+      async createSubscriber() {
+        const RedisClass = getRedisClass();
+        let subscriber;
+        if (this.options.url) {
+          subscriber = new RedisClass(this.options.url);
+        } else if (this.options.config) {
+          subscriber = new RedisClass(this.buildRedisOptions());
+        } else if (this.options.client) {
+          subscriber = this.options.client.duplicate();
+        } else {
+          throw new StorageConfigError("redis", "Cannot create subscriber without url, config, or client");
+        }
+        subscriber.on("message", (channel, message) => {
+          const handlers = this.subscriptionHandlers.get(channel);
+          if (handlers) {
+            const unprefixedChannel = this.unprefixKey(channel);
+            for (const handler of handlers) {
+              try {
+                handler(message, unprefixedChannel);
+              } catch {
+              }
+            }
+          }
+        });
+        this.subscriber = subscriber;
+      }
+      /**
+       * Add prefix to a key.
+       */
+      prefixKey(key) {
+        return this.keyPrefix + key;
+      }
+      /**
+       * Remove prefix from a key.
+       */
+      unprefixKey(key) {
+        if (this.keyPrefix && key.startsWith(this.keyPrefix)) {
+          return key.slice(this.keyPrefix.length);
+        }
+        return key;
+      }
+      /**
+       * Get the underlying Redis client (for advanced use).
+       */
+      getClient() {
+        return this.client;
+      }
+    };
+  }
+});
+var vercel_kv_exports = {};
+__export2(vercel_kv_exports, {
+  VercelKvStorageAdapter: () => VercelKvStorageAdapter
+});
+function getVercelKv() {
+  try {
+    return __require("@vercel/kv");
+  } catch {
+    throw new Error("@vercel/kv is required for Vercel KV storage adapter. Install it with: npm install @vercel/kv");
+  }
+}
+var VercelKvStorageAdapter;
+var init_vercel_kv = __esm({
+  "libs/utils/src/storage/adapters/vercel-kv.ts"() {
+    "use strict";
+    init_base();
+    init_errors();
+    init_ttl();
+    VercelKvStorageAdapter = class extends BaseStorageAdapter {
+      backendName = "vercel-kv";
+      client;
+      options;
+      keyPrefix;
+      constructor(options = {}) {
+        super();
+        const url = options.url ?? process.env["KV_REST_API_URL"];
+        const token = options.token ?? process.env["KV_REST_API_TOKEN"];
+        if (!url || !token) {
+          throw new StorageConfigError(
+            "vercel-kv",
+            "KV_REST_API_URL and KV_REST_API_TOKEN must be provided via options or environment variables."
+          );
+        }
+        this.options = { ...options, url, token };
+        this.keyPrefix = options.keyPrefix ?? "";
+      }
+      // ============================================
+      // Connection Lifecycle
+      // ============================================
+      async connect() {
+        if (this.connected) return;
+        try {
+          const { createClient, kv } = getVercelKv();
+          if (this.options.url === process.env["KV_REST_API_URL"]) {
+            this.client = kv;
+          } else {
+            const url = this.options.url;
+            const token = this.options.token;
+            if (!url || !token) {
+              throw new StorageConfigError("vercel-kv", "URL and token are required");
+            }
+            this.client = createClient({ url, token });
+          }
+          await this.client.exists("__healthcheck__");
+          this.connected = true;
+        } catch (e) {
+          throw new StorageConnectionError(
+            "Failed to connect to Vercel KV",
+            e instanceof Error ? e : void 0,
+            "vercel-kv"
+          );
+        }
+      }
+      async disconnect() {
+        this.client = void 0;
+        this.connected = false;
+      }
+      async ping() {
+        if (!this.client) return false;
+        try {
+          await this.client.exists("__healthcheck__");
+          return true;
+        } catch {
+          return false;
+        }
+      }
+      // ============================================
+      // Connection Helpers
+      // ============================================
+      /**
+       * Get the connected Vercel KV client, throwing if not connected.
+       */
+      getConnectedClient() {
+        this.ensureConnected();
+        if (!this.client) {
+          throw new StorageConnectionError("Vercel KV client not connected", void 0, "vercel-kv");
+        }
+        return this.client;
+      }
+      // ============================================
+      // Core Operations
+      // ============================================
+      async get(key) {
+        const result = await this.getConnectedClient().get(this.prefixKey(key));
+        return result;
+      }
+      async doSet(key, value, options) {
+        const client = this.getConnectedClient();
+        const prefixedKey = this.prefixKey(key);
+        const setOptions = {};
+        if (options?.ttlSeconds) {
+          setOptions.ex = options.ttlSeconds;
+        }
+        if (options?.ifNotExists) {
+          setOptions.nx = true;
+        } else if (options?.ifExists) {
+          setOptions.xx = true;
+        }
+        await client.set(prefixedKey, value, Object.keys(setOptions).length > 0 ? setOptions : void 0);
+      }
+      async delete(key) {
+        const result = await this.getConnectedClient().del(this.prefixKey(key));
+        return result > 0;
+      }
+      async exists(key) {
+        const result = await this.getConnectedClient().exists(this.prefixKey(key));
+        return result > 0;
+      }
+      // ============================================
+      // Batch Operations
+      // ============================================
+      async mget(keys) {
+        if (keys.length === 0) return [];
+        const prefixedKeys = keys.map((k) => this.prefixKey(k));
+        return this.getConnectedClient().mget(...prefixedKeys);
+      }
+      async mdelete(keys) {
+        if (keys.length === 0) return 0;
+        const prefixedKeys = keys.map((k) => this.prefixKey(k));
+        return this.getConnectedClient().del(...prefixedKeys);
+      }
+      // ============================================
+      // TTL Operations
+      // ============================================
+      async expire(key, ttlSeconds) {
+        validateTTL(ttlSeconds);
+        const result = await this.getConnectedClient().expire(this.prefixKey(key), ttlSeconds);
+        return result === 1;
+      }
+      async ttl(key) {
+        const result = await this.getConnectedClient().ttl(this.prefixKey(key));
+        if (result === -2) return null;
+        return result;
+      }
+      // ============================================
+      // Key Enumeration
+      // ============================================
+      async keys(pattern = "*") {
+        const client = this.getConnectedClient();
+        const prefixedPattern = this.prefixKey(pattern);
+        try {
+          const result = [];
+          let cursor = 0;
+          do {
+            const [nextCursor, keys] = await client.scan(cursor, {
+              match: prefixedPattern,
+              count: 100
+            });
+            const parsedCursor = typeof nextCursor === "string" ? parseInt(nextCursor, 10) : nextCursor;
+            cursor = Number.isNaN(parsedCursor) ? 0 : parsedCursor;
+            for (const key of keys) {
+              result.push(this.unprefixKey(key));
+            }
+          } while (cursor !== 0);
+          return result;
+        } catch {
+          const allKeys = await client.keys(prefixedPattern);
+          return allKeys.map((k) => this.unprefixKey(k));
+        }
+      }
+      // ============================================
+      // Atomic Operations
+      // ============================================
+      async incr(key) {
+        return this.getConnectedClient().incr(this.prefixKey(key));
+      }
+      async decr(key) {
+        return this.getConnectedClient().decr(this.prefixKey(key));
+      }
+      async incrBy(key, amount) {
+        return this.getConnectedClient().incrby(this.prefixKey(key), amount);
+      }
+      // ============================================
+      // Pub/Sub (NOT SUPPORTED)
+      // ============================================
+      supportsPubSub() {
+        return false;
+      }
+      getPubSubSuggestion() {
+        return "Vercel KV is REST-based and does not support pub/sub. Use Upstash adapter for pub/sub support.";
+      }
+      // ============================================
+      // Internal Helpers
+      // ============================================
+      /**
+       * Add prefix to a key.
+       */
+      prefixKey(key) {
+        return this.keyPrefix + key;
+      }
+      /**
+       * Remove prefix from a key.
+       */
+      unprefixKey(key) {
+        if (this.keyPrefix && key.startsWith(this.keyPrefix)) {
+          return key.slice(this.keyPrefix.length);
+        }
+        return key;
+      }
+    };
+  }
+});
+var upstash_exports = {};
+__export2(upstash_exports, {
+  UpstashStorageAdapter: () => UpstashStorageAdapter
+});
+function getUpstashRedis() {
+  try {
+    return __require("@upstash/redis");
+  } catch {
+    throw new Error(
+      "@upstash/redis is required for Upstash storage adapter. Install it with: npm install @upstash/redis"
+    );
+  }
+}
+var PUBSUB_POLL_INTERVAL_MS;
+var UpstashStorageAdapter;
+var init_upstash = __esm({
+  "libs/utils/src/storage/adapters/upstash.ts"() {
+    "use strict";
+    init_base();
+    init_errors();
+    init_ttl();
+    PUBSUB_POLL_INTERVAL_MS = 100;
+    UpstashStorageAdapter = class extends BaseStorageAdapter {
+      backendName = "upstash";
+      client;
+      options;
+      keyPrefix;
+      pubSubEnabled;
+      // Pub/sub state
+      subscriptionHandlers = /* @__PURE__ */ new Map();
+      pollingIntervals = /* @__PURE__ */ new Map();
+      constructor(options = {}) {
+        super();
+        const url = options.url ?? process.env["UPSTASH_REDIS_REST_URL"];
+        const token = options.token ?? process.env["UPSTASH_REDIS_REST_TOKEN"];
+        if (!url || !token) {
+          throw new StorageConfigError(
+            "upstash",
+            "UPSTASH_REDIS_REST_URL and UPSTASH_REDIS_REST_TOKEN must be provided via options or environment variables."
+          );
+        }
+        this.options = { ...options, url, token };
+        this.keyPrefix = options.keyPrefix ?? "";
+        this.pubSubEnabled = options.enablePubSub ?? false;
+      }
+      // ============================================
+      // Connection Lifecycle
+      // ============================================
+      async connect() {
+        if (this.connected) return;
+        try {
+          const { Redis } = getUpstashRedis();
+          const url = this.options.url;
+          const token = this.options.token;
+          if (!url || !token) {
+            throw new StorageConfigError("upstash", "URL and token are required");
+          }
+          this.client = new Redis({ url, token });
+          await this.client.exists("__healthcheck__");
+          this.connected = true;
+        } catch (e) {
+          throw new StorageConnectionError(
+            "Failed to connect to Upstash Redis",
+            e instanceof Error ? e : void 0,
+            "upstash"
+          );
+        }
+      }
+      async disconnect() {
+        if (!this.connected) return;
+        for (const interval of this.pollingIntervals.values()) {
+          clearInterval(interval);
+        }
+        this.pollingIntervals.clear();
+        this.subscriptionHandlers.clear();
+        this.client = void 0;
+        this.connected = false;
+      }
+      async ping() {
+        if (!this.client) return false;
+        try {
+          await this.client.exists("__healthcheck__");
+          return true;
+        } catch {
+          return false;
+        }
+      }
+      // ============================================
+      // Connection Helpers
+      // ============================================
+      /**
+       * Get the connected Upstash client, throwing if not connected.
+       */
+      getConnectedClient() {
+        this.ensureConnected();
+        if (!this.client) {
+          throw new StorageConnectionError("Upstash client not connected", void 0, "upstash");
+        }
+        return this.client;
+      }
+      // ============================================
+      // Core Operations
+      // ============================================
+      async get(key) {
+        const result = await this.getConnectedClient().get(this.prefixKey(key));
+        return result;
+      }
+      async doSet(key, value, options) {
+        const client = this.getConnectedClient();
+        const prefixedKey = this.prefixKey(key);
+        const setOptions = {};
+        if (options?.ttlSeconds) {
+          setOptions.ex = options.ttlSeconds;
+        }
+        if (options?.ifNotExists) {
+          setOptions.nx = true;
+        } else if (options?.ifExists) {
+          setOptions.xx = true;
+        }
+        await client.set(prefixedKey, value, Object.keys(setOptions).length > 0 ? setOptions : void 0);
+      }
+      async delete(key) {
+        const result = await this.getConnectedClient().del(this.prefixKey(key));
+        return result > 0;
+      }
+      async exists(key) {
+        const result = await this.getConnectedClient().exists(this.prefixKey(key));
+        return result > 0;
+      }
+      // ============================================
+      // Batch Operations
+      // ============================================
+      async mget(keys) {
+        if (keys.length === 0) return [];
+        const prefixedKeys = keys.map((k) => this.prefixKey(k));
+        return this.getConnectedClient().mget(...prefixedKeys);
+      }
+      async mdelete(keys) {
+        if (keys.length === 0) return 0;
+        const prefixedKeys = keys.map((k) => this.prefixKey(k));
+        return this.getConnectedClient().del(...prefixedKeys);
+      }
+      // ============================================
+      // TTL Operations
+      // ============================================
+      async expire(key, ttlSeconds) {
+        validateTTL(ttlSeconds);
+        const result = await this.getConnectedClient().expire(this.prefixKey(key), ttlSeconds);
+        return result === 1;
+      }
+      async ttl(key) {
+        const result = await this.getConnectedClient().ttl(this.prefixKey(key));
+        if (result === -2) return null;
+        return result;
+      }
+      // ============================================
+      // Key Enumeration
+      // ============================================
+      async keys(pattern = "*") {
+        const client = this.getConnectedClient();
+        const prefixedPattern = this.prefixKey(pattern);
+        const result = [];
+        let cursor = 0;
+        do {
+          const [nextCursor, keys] = await client.scan(cursor, {
+            match: prefixedPattern,
+            count: 100
+          });
+          const parsedCursor = typeof nextCursor === "string" ? parseInt(nextCursor, 10) : nextCursor;
+          cursor = Number.isNaN(parsedCursor) ? 0 : parsedCursor;
+          for (const key of keys) {
+            result.push(this.unprefixKey(key));
+          }
+        } while (cursor !== 0);
+        return result;
+      }
+      // ============================================
+      // Atomic Operations
+      // ============================================
+      async incr(key) {
+        return this.getConnectedClient().incr(this.prefixKey(key));
+      }
+      async decr(key) {
+        return this.getConnectedClient().decr(this.prefixKey(key));
+      }
+      async incrBy(key, amount) {
+        return this.getConnectedClient().incrby(this.prefixKey(key), amount);
+      }
+      // ============================================
+      // Pub/Sub (via list-based polling)
+      // ============================================
+      supportsPubSub() {
+        return this.pubSubEnabled;
+      }
+      async publish(channel, message) {
+        if (!this.pubSubEnabled) {
+          return super.publish(channel, message);
+        }
+        const prefixedChannel = this.prefixKey(`__pubsub__:${channel}`);
+        const listKey = `${prefixedChannel}:queue`;
+        await this.getConnectedClient().lpush(listKey, message);
+        return 1;
+      }
+      async subscribe(channel, handler) {
+        const client = this.getConnectedClient();
+        if (!this.pubSubEnabled) {
+          return super.subscribe(channel, handler);
+        }
+        const prefixedChannel = this.prefixKey(`__pubsub__:${channel}`);
+        if (!this.subscriptionHandlers.has(prefixedChannel)) {
+          this.subscriptionHandlers.set(prefixedChannel, /* @__PURE__ */ new Set());
+          const listKey = `${prefixedChannel}:queue`;
+          const interval = setInterval(async () => {
+            try {
+              const message = await client.rpop(listKey);
+              if (message) {
+                const handlers2 = this.subscriptionHandlers.get(prefixedChannel);
+                if (handlers2) {
+                  for (const h of handlers2) {
+                    try {
+                      h(message, channel);
+                    } catch {
+                    }
+                  }
+                }
+              }
+            } catch {
+            }
+          }, PUBSUB_POLL_INTERVAL_MS);
+          if (interval.unref) {
+            interval.unref();
+          }
+          this.pollingIntervals.set(prefixedChannel, interval);
+        }
+        const handlers = this.subscriptionHandlers.get(prefixedChannel);
+        if (handlers) {
+          handlers.add(handler);
+        }
+        return async () => {
+          const handlers2 = this.subscriptionHandlers.get(prefixedChannel);
+          if (handlers2) {
+            handlers2.delete(handler);
+            if (handlers2.size === 0) {
+              this.subscriptionHandlers.delete(prefixedChannel);
+              const interval = this.pollingIntervals.get(prefixedChannel);
+              if (interval) {
+                clearInterval(interval);
+                this.pollingIntervals.delete(prefixedChannel);
+              }
+            }
+          }
+        };
+      }
+      /**
+       * Publish using list-based approach (for polling subscribers).
+       * This is an alternative to native PUBLISH when subscribers are polling.
+       */
+      async publishToQueue(channel, message) {
+        const prefixedChannel = this.prefixKey(`__pubsub__:${channel}`);
+        const listKey = `${prefixedChannel}:queue`;
+        await this.getConnectedClient().lpush(listKey, message);
+      }
+      getPubSubSuggestion() {
+        return "Enable pub/sub by setting enablePubSub: true in the adapter options.";
+      }
+      // ============================================
+      // Internal Helpers
+      // ============================================
+      /**
+       * Add prefix to a key.
+       */
+      prefixKey(key) {
+        return this.keyPrefix + key;
+      }
+      /**
+       * Remove prefix from a key.
+       */
+      unprefixKey(key) {
+        if (this.keyPrefix && key.startsWith(this.keyPrefix)) {
+          return key.slice(this.keyPrefix.length);
+        }
+        return key;
+      }
+    };
+  }
+});
+var cloudflare_kv_exports = {};
+__export2(cloudflare_kv_exports, {
+  CloudflareKvStorageAdapter: () => CloudflareKvStorageAdapter
+});
+function literalPrefix(pattern) {
+  const star = pattern.indexOf("*");
+  const q = pattern.indexOf("?");
+  const idx = star === -1 ? q : q === -1 ? star : Math.min(star, q);
+  return idx === -1 ? pattern : pattern.slice(0, idx);
+}
+var CF_KV_MIN_TTL_SECONDS;
+var CloudflareKvStorageAdapter;
+var init_cloudflare_kv = __esm({
+  "libs/utils/src/storage/adapters/cloudflare-kv.ts"() {
+    "use strict";
+    init_errors();
+    init_pattern();
+    init_ttl();
+    init_base();
+    CF_KV_MIN_TTL_SECONDS = 60;
+    CloudflareKvStorageAdapter = class extends BaseStorageAdapter {
+      backendName = "cloudflare-kv";
+      kv;
+      keyPrefix;
+      constructor(options) {
+        super();
+        if (!options?.namespace) {
+          throw new Error("CloudflareKvStorageAdapter: a bound KV `namespace` is required (resolve it from the Worker `env`).");
+        }
+        this.kv = options.namespace;
+        this.keyPrefix = options.keyPrefix ?? "";
+      }
+      // ── Lifecycle ──────────────────────────────────────────────────────────
+      // A KV binding is always available; "connection" is just a readiness flag.
+      async connect() {
+        this.connected = true;
+      }
+      async disconnect() {
+        this.connected = false;
+      }
+      async ping() {
+        if (!this.connected) return false;
+        try {
+          await this.kv.list({ limit: 1 });
+          return true;
+        } catch {
+          return false;
+        }
+      }
+      // ── Core ───────────────────────────────────────────────────────────────
+      async get(key) {
+        this.ensureConnected();
+        return this.kv.get(this.prefixKey(key), "text");
+      }
+      async doSet(key, value, options) {
+        if (options?.ifNotExists || options?.ifExists) {
+          throw new StorageNotSupportedError(
+            "conditional set (ifNotExists/ifExists)",
+            this.backendName,
+            "Cloudflare KV has no compare-and-set; use a Durable Object for atomic conditional writes."
+          );
+        }
+        const putOptions = options?.ttlSeconds !== void 0 ? { expirationTtl: this.toExpirationTtl(options.ttlSeconds, key) } : void 0;
+        await this.kv.put(this.prefixKey(key), value, putOptions);
+      }
+      async delete(key) {
+        this.ensureConnected();
+        const existed = await this.exists(key);
+        await this.kv.delete(this.prefixKey(key));
+        return existed;
+      }
+      async exists(key) {
+        this.ensureConnected();
+        return await this.kv.get(this.prefixKey(key), "text") !== null;
+      }
+      // ── TTL ────────────────────────────────────────────────────────────────
+      async expire(key, ttlSeconds) {
+        this.ensureConnected();
+        const ttl = this.toExpirationTtl(ttlSeconds, key);
+        const value = await this.kv.get(this.prefixKey(key), "text");
+        if (value === null) return false;
+        await this.kv.put(this.prefixKey(key), value, { expirationTtl: ttl });
+        return true;
+      }
+      async ttl(_key) {
+        throw new StorageNotSupportedError(
+          "ttl",
+          this.backendName,
+          "Cloudflare KV does not expose a key's remaining TTL. Track expiry alongside the value if you need it."
+        );
+      }
+      // ── Enumeration ──────────────────────────────────────────────────────────
+      async keys(pattern = "*") {
+        this.ensureConnected();
+        const prefixedPattern = this.prefixKey(pattern);
+        const listPrefix = literalPrefix(prefixedPattern);
+        const out = [];
+        let cursor;
+        do {
+          const page = await this.kv.list({ prefix: listPrefix || void 0, cursor });
+          for (const { name } of page.keys) {
+            if (matchesPattern(name, prefixedPattern)) out.push(this.unprefixKey(name));
+          }
+          cursor = page.list_complete ? void 0 : page.cursor;
+        } while (cursor);
+        return out;
+      }
+      // ── Atomic (unsupported on KV) ───────────────────────────────────────────
+      async incr(key) {
+        return this.incrBy(key, 1);
+      }
+      async decr(key) {
+        return this.incrBy(key, -1);
+      }
+      async incrBy(_key, _amount) {
+        throw new StorageNotSupportedError(
+          "incr/decr/incrBy",
+          this.backendName,
+          "Cloudflare KV has no atomic increment (a get+put is racy under eventual consistency). Use a Durable Object for atomic counters."
+        );
+      }
+      // ── Pub/Sub (unsupported) ────────────────────────────────────────────────
+      getPubSubSuggestion() {
+        return "Cloudflare KV does not support pub/sub. Use a Durable Object (or Queues) for fan-out.";
+      }
+      // ── Helpers ──────────────────────────────────────────────────────────────
+      /** Validate + enforce KV's 60s minimum `expirationTtl`. */
+      toExpirationTtl(ttlSeconds, key) {
+        validateTTL(ttlSeconds);
+        if (ttlSeconds < CF_KV_MIN_TTL_SECONDS) {
+          throw new StorageOperationError(
+            "set",
+            key,
+            `cloudflare-kv: expirationTtl must be >= ${CF_KV_MIN_TTL_SECONDS}s (Cloudflare KV minimum); got ${ttlSeconds}s.`
+          );
+        }
+        return ttlSeconds;
+      }
+      prefixKey(key) {
+        return this.keyPrefix + key;
+      }
+      unprefixKey(key) {
+        return this.keyPrefix && key.startsWith(this.keyPrefix) ? key.slice(this.keyPrefix.length) : key;
+      }
+    };
+  }
+});
+init_runtime();
+init_fs2();
+init_crypto();
+var entryAvailabilitySchema = z.object({
+  os: z.array(z.string().min(1)).optional(),
+  platform: z.array(z.string().min(1)).optional(),
+  runtime: z.array(z.string().min(1)).optional(),
+  deployment: z.array(z.string().min(1)).optional(),
+  provider: z.array(z.string().min(1)).optional(),
+  target: z.array(z.string().min(1)).optional(),
+  surface: z.array(z.enum(["mcp", "cli", "http-trigger", "job", "agent"])).optional(),
+  env: z.array(z.string().min(1)).optional()
+}).strict();
+init_errors();
+init_memory();
+init_errors();
+init_crypto();
+init_errors();
+var textEncoder2 = new TextEncoder();
+var textDecoder2 = new TextDecoder();
+init_base();
+init_memory();
+init_redis();
+init_vercel_kv();
+init_upstash();
+init_filesystem();
+init_pattern();
+init_ttl();
+init_crypto();
+init_runtime();
+
+// libs/edge/src/session-host.ts
+var SESSION_ID_HEADER = "x-frontmcp-session-id";
+function createEdgeSessionRouter(bindingName) {
+  return async (request, env) => {
+    const ns = env?.[bindingName];
+    if (!ns || typeof ns.idFromName !== "function" || typeof ns.get !== "function") return void 0;
+    if (request.method.toUpperCase() === "OPTIONS") return void 0;
+    const sessionId = request.headers.get("mcp-session-id") ?? randomUUID();
+    const headers = new Headers(request.headers);
+    headers.set(SESSION_ID_HEADER, sessionId);
+    const stub = ns.get(ns.idFromName(sessionId));
+    return stub.fetch(new Request(request, { headers }));
+  };
+}
+function createEdgeSessionDurableObject(buildScope, bridgeEnv) {
+  return class FrontMcpSessionDurableObject {
+    #scopePromise;
+    #pair;
+    #doEnv;
+    constructor(_state, env) {
+      this.#doEnv = env;
+    }
+    async fetch(request) {
+      bridgeEnv(this.#doEnv);
+      const sessionId = request.headers.get(SESSION_ID_HEADER) ?? request.headers.get("mcp-session-id") ?? randomUUID();
+      let scope;
+      try {
+        scope = await (this.#scopePromise ??= buildScope(this.#doEnv));
+      } catch (error) {
+        this.#scopePromise = void 0;
+        throw error;
+      }
+      if (!this.#pair) {
+        this.#pair = await (0, import_sdk.buildPersistentWebStandardMcp)(scope, { sessionId });
+      }
+      const response = await (0, import_sdk.runHttpRequestFlowWeb)(scope, request, { persistent: this.#pair });
+      return response ?? new Response(JSON.stringify({ error: "Not Found" }), {
+        status: 404,
+        headers: { "content-type": "application/json" }
+      });
+    }
+  };
+}
+
+// libs/edge/src/skill-index-cache.ts
+var DEFAULT_KEY_PREFIX = "frontmcp:skill-index:";
+function createKvSkillIndexCache(kv, options = {}) {
+  const prefix = options.keyPrefix ?? DEFAULT_KEY_PREFIX;
+  return {
+    async get(key) {
+      const raw = await kv.get(prefix + key, "text");
+      if (raw == null) return void 0;
+      try {
+        return JSON.parse(raw);
+      } catch {
+        return void 0;
+      }
+    },
+    async set(key, snapshot) {
+      const value = JSON.stringify(snapshot);
+      await kv.put(prefix + key, value, options.expirationTtl != null ? { expirationTtl: options.expirationTtl } : void 0);
+    }
+  };
+}
+function kvSkillIndexCacheFromEnv(binding, options) {
+  return (env) => {
+    const ns = env?.[binding];
+    if (!ns) return void 0;
+    return createKvSkillIndexCache(ns, options);
+  };
+}
+
+// libs/edge/src/kv-cache.ts
+var DEFAULT_KEY = "frontmcp:bundle:last-good";
+function createKvBundleCache(kv, options = {}) {
+  const key = options.key ?? DEFAULT_KEY;
+  return {
+    async read() {
+      const raw = await kv.get(key, "text");
+      if (raw == null) return void 0;
+      try {
+        return JSON.parse(raw);
+      } catch {
+        return void 0;
+      }
+    },
+    async write(bundle) {
+      const value = JSON.stringify(bundle);
+      await kv.put(key, value, options.expirationTtl != null ? { expirationTtl: options.expirationTtl } : void 0);
+    }
+  };
+}
+function kvBundleCacheFromEnv(binding, options) {
+  return (env) => {
+    const ns = env?.[binding];
+    if (!ns) return void 0;
+    return createKvBundleCache(ns, options);
+  };
+}
+
+// libs/edge/src/index.ts
+var RUNTIME_DEPS_TOKEN = /* @__PURE__ */ Symbol.for("frontmcp:skilled-openapi:runtime-deps");
+var EdgeRefreshController = class {
+  constructor(cache, disablePolling = true) {
+    this.cache = cache;
+    this.disablePolling = disablePolling;
+  }
+  cache;
+  disablePolling;
+  source;
+  attach(source) {
+    this.source = source;
+  }
+  async refresh() {
+    if (!this.source) {
+      throw new Error(
+        "createEdgeMcp(managed): no bundle source attached \u2014 the skilled-openapi plugin failed to construct it; Cron refresh cannot run."
+      );
+    }
+    return this.source.refresh?.();
+  }
+};
+function resolveCache(cache, env) {
+  if (!cache) return void 0;
+  return typeof cache === "function" ? cache(env) : cache;
+}
+var envBridged = false;
+function bridgeEnvToProcessEnv(env) {
+  if (envBridged || !env || typeof env !== "object") return;
+  const proc = globalThis.process;
+  if (!proc?.env) return;
+  for (const [key, value] of Object.entries(env)) {
+    if (typeof value === "string" && proc.env[key] === void 0) proc.env[key] = value;
+  }
+  envBridged = true;
+}
+var DEFAULT_SESSION_BINDING = "FRONTMCP_SESSIONS";
+var DEFAULT_SKILL_INDEX_BINDING = "FRONTMCP_SKILL_INDEX";
+function resolveSkillIndexCache(config, env) {
+  const cfg = config.skillIndex;
+  if (!cfg) return void 0;
+  if (typeof cfg === "function") return cfg(env);
+  const factory = kvSkillIndexCacheFromEnv(
+    cfg.binding ?? DEFAULT_SKILL_INDEX_BINDING,
+    cfg.ttlSeconds != null ? { expirationTtl: cfg.ttlSeconds } : void 0
+  );
+  return factory(env);
+}
+async function wireSkillIndexCache(scope, config, env) {
+  const cache = resolveSkillIndexCache(config, env);
+  if (!cache) return;
+  const skills = scope.skills;
+  if (typeof skills?.setIndexCache !== "function" || typeof skills.warmIndex !== "function") return;
+  skills.setIndexCache(cache);
+  try {
+    await skills.warmIndex();
+  } catch {
+  }
+}
+function createEdgeMcp(config) {
+  let handlerPromise;
+  let controller;
+  const buildScope = async (env) => {
+    const { managed, sessions: _sessions, skillIndex: _skillIndex, ...rest } = config;
+    const base = { ...rest, serve: false };
+    let frontmcpConfig = base;
+    if (managed) {
+      controller = new EdgeRefreshController(resolveCache(managed.cache, env));
+      const mod = await import("@frontmcp/plugin-skilled-openapi");
+      const SkilledOpenApiPlugin = mod.default;
+      const plugin = SkilledOpenApiPlugin.init(buildManagedOpenApiPluginOptions(managed));
+      const existingPlugins = base.plugins ?? [];
+      const existingProviders = base.providers ?? [];
+      frontmcpConfig = {
+        ...base,
+        plugins: [...existingPlugins, plugin],
+        providers: [
+          ...existingProviders,
+          { name: "edge:skilled-openapi-runtime-deps", provide: RUNTIME_DEPS_TOKEN, useValue: controller }
+        ]
+      };
+    }
+    const instance = await import_sdk2.FrontMcpInstance.createForGraph(frontmcpConfig);
+    const scope = instance.getScopes()[0];
+    if (!scope) {
+      throw new Error("createEdgeMcp: the config produced no scope \u2014 declare an app/tool or `managed`.");
+    }
+    await wireSkillIndexCache(scope, config, env);
+    return scope;
+  };
+  const sessionRouter = config.sessions ? createEdgeSessionRouter(config.sessions.binding ?? DEFAULT_SESSION_BINDING) : void 0;
+  const build = async (env) => {
+    const scope = await buildScope(env);
+    return (0, import_sdk2.createWebFetchHandler)(scope, sessionRouter ? { sessionRouter } : {});
+  };
+  const ensureHandler = async (env) => {
+    if (!handlerPromise) handlerPromise = build(env);
+    try {
+      return await handlerPromise;
+    } catch (e) {
+      handlerPromise = void 0;
+      throw e;
+    }
+  };
+  const mcp = {
+    async fetch(request, env, ctx) {
+      bridgeEnvToProcessEnv(env);
+      const handler = await ensureHandler(env);
+      return handler(request, ctx, env);
+    },
+    // The DO builds its own session-local scope (in its isolate) via buildScope,
+    // and bridges `env`→`process.env` the same way the worker does.
+    SessionDurableObject: createEdgeSessionDurableObject(buildScope, bridgeEnvToProcessEnv)
+  };
+  if (config.managed) {
+    mcp.scheduled = async (_event, env) => {
+      bridgeEnvToProcessEnv(env);
+      await ensureHandler(env);
+      await controller?.refresh();
+    };
+  }
+  return mcp;
+}
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  buildManagedOpenApiPluginOptions,
+  createEdgeMcp,
+  createKvBundleCache,
+  createKvSkillIndexCache,
+  kvBundleCacheFromEnv,
+  kvSkillIndexCacheFromEnv
+});