@frontmcp/utils 0.0.1 → 0.7.1

package/esm/index.mjs

@@ -0,0 +1,3264 @@
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __require = /* @__PURE__ */ ((x) => typeof require !== "undefined" ? require : typeof Proxy !== "undefined" ? new Proxy(x, {
+  get: (a, b) => (typeof require !== "undefined" ? require : a)[b]
+}) : x)(function(x) {
+  if (typeof require !== "undefined") return require.apply(this, arguments);
+  throw Error('Dynamic require of "' + x + '" is not supported');
+});
+var __esm = (fn, res) => function __init() {
+  return fn && (res = (0, fn[__getOwnPropNames(fn)[0]])(fn = 0)), res;
+};
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+
+// libs/utils/src/crypto/jwt-alg.ts
+function jwtAlgToNodeAlg(jwtAlg) {
+  const nodeAlg = JWT_ALG_TO_NODE_DIGEST[jwtAlg];
+  if (!nodeAlg) {
+    throw new Error(`Unsupported JWT algorithm: ${jwtAlg}`);
+  }
+  return nodeAlg;
+}
+function isRsaPssAlg(jwtAlg) {
+  return jwtAlg.startsWith("PS");
+}
+var JWT_ALG_TO_NODE_DIGEST;
+var init_jwt_alg = __esm({
+  "libs/utils/src/crypto/jwt-alg.ts"() {
+    "use strict";
+    JWT_ALG_TO_NODE_DIGEST = {
+      RS256: "RSA-SHA256",
+      RS384: "RSA-SHA384",
+      RS512: "RSA-SHA512",
+      // For RSA-PSS, Node's crypto.sign/verify uses the digest algorithm + explicit PSS padding options.
+      PS256: "RSA-SHA256",
+      PS384: "RSA-SHA384",
+      PS512: "RSA-SHA512"
+    };
+  }
+});
+
+// libs/utils/src/crypto/node.ts
+var node_exports = {};
+__export(node_exports, {
+  createSignedJwt: () => createSignedJwt,
+  generateRsaKeyPair: () => generateRsaKeyPair,
+  isRsaPssAlg: () => isRsaPssAlg,
+  jwtAlgToNodeAlg: () => jwtAlgToNodeAlg,
+  nodeCrypto: () => nodeCrypto,
+  rsaSign: () => rsaSign,
+  rsaVerify: () => rsaVerify
+});
+import crypto2 from "node:crypto";
+function toUint8Array(buf) {
+  return new Uint8Array(buf.buffer, buf.byteOffset, buf.byteLength);
+}
+function toBuffer(data) {
+  if (typeof data === "string") {
+    return Buffer.from(data, "utf8");
+  }
+  return Buffer.from(data);
+}
+function generateRsaKeyPair(modulusLength = 2048, alg = "RS256") {
+  const kid = `rsa-key-${Date.now()}-${crypto2.randomBytes(8).toString("hex")}`;
+  const { privateKey, publicKey } = crypto2.generateKeyPairSync("rsa", {
+    modulusLength
+  });
+  const exported = publicKey.export({ format: "jwk" });
+  const publicJwk = {
+    ...exported,
+    kid,
+    alg,
+    use: "sig",
+    kty: "RSA"
+  };
+  return { privateKey, publicKey, publicJwk };
+}
+function rsaSign(algorithm, data, privateKey, options) {
+  const signingKey = options ? { key: privateKey, ...options } : privateKey;
+  return crypto2.sign(algorithm, data, signingKey);
+}
+function rsaVerify(jwtAlg, data, publicJwk, signature) {
+  const publicKey = crypto2.createPublicKey({ key: publicJwk, format: "jwk" });
+  const nodeAlgorithm = jwtAlgToNodeAlg(jwtAlg);
+  const verifyKey = isRsaPssAlg(jwtAlg) ? {
+    key: publicKey,
+    padding: crypto2.constants.RSA_PKCS1_PSS_PADDING,
+    saltLength: crypto2.constants.RSA_PSS_SALTLEN_DIGEST
+  } : publicKey;
+  return crypto2.verify(nodeAlgorithm, data, verifyKey, signature);
+}
+function createSignedJwt(payload, privateKey, kid, alg = "RS256") {
+  const header = { alg, typ: "JWT", kid };
+  const headerB64 = Buffer.from(JSON.stringify(header)).toString("base64url");
+  const payloadB64 = Buffer.from(JSON.stringify(payload)).toString("base64url");
+  const signatureInput = `${headerB64}.${payloadB64}`;
+  const nodeAlgorithm = jwtAlgToNodeAlg(alg);
+  const signature = rsaSign(
+    nodeAlgorithm,
+    Buffer.from(signatureInput),
+    privateKey,
+    isRsaPssAlg(alg) ? {
+      padding: crypto2.constants.RSA_PKCS1_PSS_PADDING,
+      saltLength: crypto2.constants.RSA_PSS_SALTLEN_DIGEST
+    } : void 0
+  );
+  const signatureB64 = signature.toString("base64url");
+  return `${headerB64}.${payloadB64}.${signatureB64}`;
+}
+var nodeCrypto;
+var init_node = __esm({
+  "libs/utils/src/crypto/node.ts"() {
+    "use strict";
+    init_jwt_alg();
+    init_jwt_alg();
+    nodeCrypto = {
+      randomUUID() {
+        return crypto2.randomUUID();
+      },
+      randomBytes(length) {
+        return toUint8Array(crypto2.randomBytes(length));
+      },
+      sha256(data) {
+        const hash = crypto2.createHash("sha256").update(toBuffer(data)).digest();
+        return toUint8Array(hash);
+      },
+      sha256Hex(data) {
+        return crypto2.createHash("sha256").update(toBuffer(data)).digest("hex");
+      },
+      hmacSha256(key, data) {
+        const hmac2 = crypto2.createHmac("sha256", Buffer.from(key)).update(Buffer.from(data)).digest();
+        return toUint8Array(hmac2);
+      },
+      hkdfSha256(ikm, salt, info, length) {
+        const ikmBuf = Buffer.from(ikm);
+        const saltBuf = salt.length > 0 ? Buffer.from(salt) : Buffer.alloc(32);
+        const prk = crypto2.createHmac("sha256", saltBuf).update(ikmBuf).digest();
+        const hashLen = 32;
+        const n = Math.ceil(length / hashLen);
+        const chunks = [];
+        let prev = Buffer.alloc(0);
+        for (let i = 1; i <= n; i++) {
+          prev = crypto2.createHmac("sha256", prk).update(Buffer.concat([prev, Buffer.from(info), Buffer.from([i])])).digest();
+          chunks.push(prev);
+        }
+        return toUint8Array(Buffer.concat(chunks).subarray(0, length));
+      },
+      encryptAesGcm(key, plaintext, iv) {
+        const cipher = crypto2.createCipheriv("aes-256-gcm", Buffer.from(key), Buffer.from(iv));
+        const encrypted = Buffer.concat([cipher.update(Buffer.from(plaintext)), cipher.final()]);
+        const tag = cipher.getAuthTag();
+        return {
+          ciphertext: toUint8Array(encrypted),
+          tag: toUint8Array(tag)
+        };
+      },
+      decryptAesGcm(key, ciphertext, iv, tag) {
+        const decipher = crypto2.createDecipheriv("aes-256-gcm", Buffer.from(key), Buffer.from(iv));
+        decipher.setAuthTag(Buffer.from(tag));
+        const decrypted = Buffer.concat([decipher.update(Buffer.from(ciphertext)), decipher.final()]);
+        return toUint8Array(decrypted);
+      },
+      timingSafeEqual(a, b) {
+        if (a.length !== b.length) return false;
+        return crypto2.timingSafeEqual(Buffer.from(a), Buffer.from(b));
+      }
+    };
+  }
+});
+
+// libs/utils/src/crypto/browser.ts
+var browser_exports = {};
+__export(browser_exports, {
+  browserCrypto: () => browserCrypto
+});
+import { sha256 as sha256Hash } from "@noble/hashes/sha2.js";
+import { hmac } from "@noble/hashes/hmac.js";
+import { hkdf } from "@noble/hashes/hkdf.js";
+import { randomBytes as nobleRandomBytes } from "@noble/hashes/utils.js";
+import { gcm } from "@noble/ciphers/aes.js";
+function toBytes(data) {
+  if (typeof data === "string") {
+    return new TextEncoder().encode(data);
+  }
+  return data;
+}
+function toHex(bytes) {
+  return Array.from(bytes).map((b) => b.toString(16).padStart(2, "0")).join("");
+}
+function generateUUID() {
+  if (typeof crypto !== "undefined" && typeof crypto.randomUUID === "function") {
+    return crypto.randomUUID();
+  }
+  const bytes = nobleRandomBytes(16);
+  bytes[6] = bytes[6] & 15 | 64;
+  bytes[8] = bytes[8] & 63 | 128;
+  const hex = toHex(bytes);
+  return `${hex.slice(0, 8)}-${hex.slice(8, 12)}-${hex.slice(12, 16)}-${hex.slice(16, 20)}-${hex.slice(20)}`;
+}
+function constantTimeEqual(a, b) {
+  if (a.length !== b.length) return false;
+  let result = 0;
+  for (let i = 0; i < a.length; i++) {
+    result |= a[i] ^ b[i];
+  }
+  return result === 0;
+}
+var browserCrypto;
+var init_browser = __esm({
+  "libs/utils/src/crypto/browser.ts"() {
+    "use strict";
+    browserCrypto = {
+      randomUUID() {
+        return generateUUID();
+      },
+      randomBytes(length) {
+        return nobleRandomBytes(length);
+      },
+      sha256(data) {
+        return sha256Hash(toBytes(data));
+      },
+      sha256Hex(data) {
+        return toHex(sha256Hash(toBytes(data)));
+      },
+      hmacSha256(key, data) {
+        return hmac(sha256Hash, key, data);
+      },
+      hkdfSha256(ikm, salt, info, length) {
+        const effectiveSalt = salt.length > 0 ? salt : new Uint8Array(32);
+        return hkdf(sha256Hash, ikm, effectiveSalt, info, length);
+      },
+      encryptAesGcm(key, plaintext, iv) {
+        const cipher = gcm(key, iv);
+        const sealed = cipher.encrypt(plaintext);
+        const ciphertext = sealed.slice(0, -16);
+        const tag = sealed.slice(-16);
+        return { ciphertext, tag };
+      },
+      decryptAesGcm(key, ciphertext, iv, tag) {
+        const cipher = gcm(key, iv);
+        const sealed = new Uint8Array(ciphertext.length + tag.length);
+        sealed.set(ciphertext);
+        sealed.set(tag, ciphertext.length);
+        return cipher.decrypt(sealed);
+      },
+      timingSafeEqual(a, b) {
+        return constantTimeEqual(a, b);
+      }
+    };
+  }
+});
+
+// libs/utils/src/storage/errors.ts
+var StorageError, StorageConnectionError, StorageOperationError, StorageNotSupportedError, StorageConfigError, StorageTTLError, StoragePatternError, StorageNotConnectedError;
+var init_errors = __esm({
+  "libs/utils/src/storage/errors.ts"() {
+    "use strict";
+    StorageError = class extends Error {
+      cause;
+      constructor(message, cause) {
+        super(message);
+        this.cause = cause;
+        this.name = "StorageError";
+        Object.setPrototypeOf(this, new.target.prototype);
+        if (Error.captureStackTrace) {
+          Error.captureStackTrace(this, this.constructor);
+        }
+      }
+    };
+    StorageConnectionError = class extends StorageError {
+      constructor(message, cause, backend) {
+        super(message, cause);
+        this.backend = backend;
+        this.name = "StorageConnectionError";
+      }
+    };
+    StorageOperationError = class extends StorageError {
+      constructor(operation, key, message, cause) {
+        super(`${operation} failed for key "${key}": ${message}`, cause);
+        this.operation = operation;
+        this.key = key;
+        this.name = "StorageOperationError";
+      }
+    };
+    StorageNotSupportedError = class extends StorageError {
+      constructor(operation, backend, suggestion) {
+        const msg = suggestion ? `${operation} is not supported by ${backend}. ${suggestion}` : `${operation} is not supported by ${backend}`;
+        super(msg);
+        this.operation = operation;
+        this.backend = backend;
+        this.name = "StorageNotSupportedError";
+      }
+    };
+    StorageConfigError = class extends StorageError {
+      constructor(backend, message) {
+        super(`Invalid ${backend} configuration: ${message}`);
+        this.backend = backend;
+        this.name = "StorageConfigError";
+      }
+    };
+    StorageTTLError = class extends StorageError {
+      constructor(ttl, message) {
+        super(message ?? `Invalid TTL value: ${ttl}. TTL must be a positive integer.`);
+        this.ttl = ttl;
+        this.name = "StorageTTLError";
+      }
+    };
+    StoragePatternError = class extends StorageError {
+      constructor(pattern, message) {
+        super(`Invalid pattern "${pattern}": ${message}`);
+        this.pattern = pattern;
+        this.name = "StoragePatternError";
+      }
+    };
+    StorageNotConnectedError = class extends StorageError {
+      constructor(backend) {
+        super(`Storage backend "${backend}" is not connected. Call connect() first.`);
+        this.backend = backend;
+        this.name = "StorageNotConnectedError";
+      }
+    };
+  }
+});
+
+// libs/utils/src/storage/utils/ttl.ts
+function validateTTL(ttlSeconds) {
+  if (typeof ttlSeconds !== "number") {
+    throw new StorageTTLError(ttlSeconds, `TTL must be a number, got ${typeof ttlSeconds}`);
+  }
+  if (!Number.isFinite(ttlSeconds)) {
+    throw new StorageTTLError(ttlSeconds, "TTL must be a finite number");
+  }
+  if (!Number.isInteger(ttlSeconds)) {
+    throw new StorageTTLError(ttlSeconds, `TTL must be an integer, got ${ttlSeconds}`);
+  }
+  if (ttlSeconds <= 0) {
+    throw new StorageTTLError(ttlSeconds, `TTL must be positive, got ${ttlSeconds}`);
+  }
+  if (ttlSeconds > MAX_TTL_SECONDS) {
+    throw new StorageTTLError(ttlSeconds, `TTL exceeds maximum of ${MAX_TTL_SECONDS} seconds`);
+  }
+}
+function validateOptionalTTL(ttlSeconds) {
+  if (ttlSeconds !== void 0) {
+    validateTTL(ttlSeconds);
+  }
+}
+function ttlToExpiresAt(ttlSeconds) {
+  return Date.now() + ttlSeconds * 1e3;
+}
+function expiresAtToTTL(expiresAt) {
+  const remaining = Math.ceil((expiresAt - Date.now()) / 1e3);
+  return Math.max(0, remaining);
+}
+function isExpired(expiresAt) {
+  if (expiresAt === void 0) return false;
+  return Date.now() >= expiresAt;
+}
+function normalizeTTL(ttl, unit) {
+  return unit === "milliseconds" ? Math.ceil(ttl / 1e3) : ttl;
+}
+var MAX_TTL_SECONDS;
+var init_ttl = __esm({
+  "libs/utils/src/storage/utils/ttl.ts"() {
+    "use strict";
+    init_errors();
+    MAX_TTL_SECONDS = 31536e5;
+  }
+});
+
+// libs/utils/src/storage/adapters/base.ts
+var BaseStorageAdapter;
+var init_base = __esm({
+  "libs/utils/src/storage/adapters/base.ts"() {
+    "use strict";
+    init_errors();
+    init_ttl();
+    BaseStorageAdapter = class {
+      /**
+       * Whether the adapter is currently connected.
+       */
+      connected = false;
+      /**
+       * Ensure adapter is connected before operations.
+       * @throws StorageNotConnectedError if not connected
+       */
+      ensureConnected() {
+        if (!this.connected) {
+          throw new StorageNotConnectedError(this.backendName);
+        }
+      }
+      /**
+       * Set with validation.
+       */
+      async set(key, value, options) {
+        this.ensureConnected();
+        this.validateSetOptions(options);
+        return this.doSet(key, value, options);
+      }
+      // ============================================
+      // Batch Operations (default implementations)
+      // ============================================
+      /**
+       * Default mget: sequential gets.
+       * Override for more efficient implementations.
+       */
+      async mget(keys) {
+        this.ensureConnected();
+        return Promise.all(keys.map((k) => this.get(k)));
+      }
+      /**
+       * Default mset: sequential sets.
+       * Override for atomic/pipelined implementations.
+       */
+      async mset(entries) {
+        this.ensureConnected();
+        for (const entry of entries) {
+          this.validateSetOptions(entry.options);
+        }
+        await Promise.all(entries.map((e) => this.doSet(e.key, e.value, e.options)));
+      }
+      /**
+       * Default mdelete: sequential deletes.
+       * Override for more efficient implementations.
+       */
+      async mdelete(keys) {
+        this.ensureConnected();
+        const results = await Promise.all(keys.map((k) => this.delete(k)));
+        return results.filter(Boolean).length;
+      }
+      /**
+       * Default count: keys().length.
+       * Override for more efficient implementations.
+       */
+      async count(pattern = "*") {
+        const matchedKeys = await this.keys(pattern);
+        return matchedKeys.length;
+      }
+      // ============================================
+      // Pub/Sub (default: not supported)
+      // ============================================
+      /**
+       * Default: pub/sub not supported.
+       * Override in adapters that support it.
+       */
+      supportsPubSub() {
+        return false;
+      }
+      /**
+       * Default: throw not supported error.
+       * Override in adapters that support pub/sub.
+       */
+      async publish(_channel, _message) {
+        throw new StorageNotSupportedError("publish", this.backendName, this.getPubSubSuggestion());
+      }
+      /**
+       * Default: throw not supported error.
+       * Override in adapters that support pub/sub.
+       */
+      async subscribe(_channel, _handler) {
+        throw new StorageNotSupportedError("subscribe", this.backendName, this.getPubSubSuggestion());
+      }
+      /**
+       * Get suggestion message for pub/sub not supported error.
+       * Override in specific adapters.
+       */
+      getPubSubSuggestion() {
+        return "Use Redis or Upstash adapter for pub/sub support.";
+      }
+      // ============================================
+      // Validation Helpers
+      // ============================================
+      /**
+       * Validate set options.
+       */
+      validateSetOptions(options) {
+        if (!options) return;
+        validateOptionalTTL(options.ttlSeconds);
+        if (options.ifNotExists && options.ifExists) {
+          throw new Error("ifNotExists and ifExists are mutually exclusive");
+        }
+      }
+    };
+  }
+});
+
+// libs/utils/src/storage/adapters/redis.ts
+var redis_exports = {};
+__export(redis_exports, {
+  RedisStorageAdapter: () => RedisStorageAdapter
+});
+function getRedisClass() {
+  try {
+    return __require("ioredis").default || __require("ioredis");
+  } catch {
+    throw new Error("ioredis is required for Redis storage adapter. Install it with: npm install ioredis");
+  }
+}
+var RedisStorageAdapter;
+var init_redis = __esm({
+  "libs/utils/src/storage/adapters/redis.ts"() {
+    "use strict";
+    init_base();
+    init_errors();
+    init_ttl();
+    RedisStorageAdapter = class extends BaseStorageAdapter {
+      backendName = "redis";
+      client;
+      subscriber;
+      options;
+      ownsClient;
+      keyPrefix;
+      subscriptionHandlers = /* @__PURE__ */ new Map();
+      constructor(options = {}) {
+        super();
+        const hasClient = options.client !== void 0;
+        const hasConfig = options.config !== void 0 || options.url !== void 0;
+        if (hasClient && hasConfig) {
+          throw new StorageConfigError("redis", 'Cannot specify both "client" and "config"/"url". Use one or the other.');
+        }
+        if (!hasClient && !hasConfig) {
+          const envUrl = process.env["REDIS_URL"] || process.env["REDIS_HOST"];
+          if (envUrl) {
+            options = { ...options, url: envUrl };
+          } else {
+            throw new StorageConfigError(
+              "redis",
+              'Either "client", "config", "url", or REDIS_URL environment variable must be provided.'
+            );
+          }
+        }
+        this.options = options;
+        this.ownsClient = !hasClient;
+        this.keyPrefix = options.keyPrefix ?? "";
+      }
+      // ============================================
+      // Connection Lifecycle
+      // ============================================
+      async connect() {
+        if (this.connected) return;
+        try {
+          if (this.options.client) {
+            this.client = this.options.client;
+          } else {
+            const RedisClass = getRedisClass();
+            if (this.options.url) {
+              this.client = new RedisClass(this.options.url, this.buildRedisOptions());
+            } else {
+              this.client = new RedisClass(this.buildRedisOptions());
+            }
+          }
+          await this.client.ping();
+          this.connected = true;
+        } catch (e) {
+          throw new StorageConnectionError("Failed to connect to Redis", e instanceof Error ? e : void 0, "redis");
+        }
+      }
+      async disconnect() {
+        if (!this.connected) return;
+        if (this.subscriber) {
+          await this.subscriber.quit();
+          this.subscriber = void 0;
+        }
+        if (this.ownsClient && this.client) {
+          await this.client.quit();
+        }
+        this.client = void 0;
+        this.connected = false;
+        this.subscriptionHandlers.clear();
+      }
+      async ping() {
+        if (!this.client) return false;
+        try {
+          const result = await this.client.ping();
+          return result === "PONG";
+        } catch {
+          return false;
+        }
+      }
+      // ============================================
+      // Connection Helpers
+      // ============================================
+      /**
+       * Get the connected Redis client, throwing if not connected.
+       */
+      getConnectedClient() {
+        this.ensureConnected();
+        if (!this.client) {
+          throw new StorageConnectionError("Redis client not connected", void 0, "redis");
+        }
+        return this.client;
+      }
+      /**
+       * Get the connected Redis subscriber, throwing if not created.
+       */
+      getConnectedSubscriber() {
+        if (!this.subscriber) {
+          throw new StorageConnectionError("Redis subscriber not created", void 0, "redis");
+        }
+        return this.subscriber;
+      }
+      // ============================================
+      // Core Operations
+      // ============================================
+      async get(key) {
+        return this.getConnectedClient().get(this.prefixKey(key));
+      }
+      async doSet(key, value, options) {
+        const client = this.getConnectedClient();
+        const prefixedKey = this.prefixKey(key);
+        if (options?.ttlSeconds) {
+          if (options.ifNotExists) {
+            await client.set(prefixedKey, value, "EX", options.ttlSeconds, "NX");
+          } else if (options.ifExists) {
+            await client.set(prefixedKey, value, "EX", options.ttlSeconds, "XX");
+          } else {
+            await client.set(prefixedKey, value, "EX", options.ttlSeconds);
+          }
+        } else if (options?.ifNotExists) {
+          await client.set(prefixedKey, value, "NX");
+        } else if (options?.ifExists) {
+          await client.set(prefixedKey, value, "XX");
+        } else {
+          await client.set(prefixedKey, value);
+        }
+      }
+      async delete(key) {
+        const result = await this.getConnectedClient().del(this.prefixKey(key));
+        return result > 0;
+      }
+      async exists(key) {
+        const result = await this.getConnectedClient().exists(this.prefixKey(key));
+        return result > 0;
+      }
+      // ============================================
+      // Batch Operations (pipelined)
+      // ============================================
+      async mget(keys) {
+        if (keys.length === 0) return [];
+        const prefixedKeys = keys.map((k) => this.prefixKey(k));
+        return this.getConnectedClient().mget(...prefixedKeys);
+      }
+      async mset(entries) {
+        if (entries.length === 0) return;
+        for (const entry of entries) {
+          this.validateSetOptions(entry.options);
+        }
+        const pipeline = this.getConnectedClient().pipeline();
+        for (const entry of entries) {
+          const prefixedKey = this.prefixKey(entry.key);
+          if (entry.options?.ttlSeconds) {
+            if (entry.options.ifNotExists) {
+              pipeline.set(prefixedKey, entry.value, "EX", entry.options.ttlSeconds, "NX");
+            } else if (entry.options.ifExists) {
+              pipeline.set(prefixedKey, entry.value, "EX", entry.options.ttlSeconds, "XX");
+            } else {
+              pipeline.set(prefixedKey, entry.value, "EX", entry.options.ttlSeconds);
+            }
+          } else if (entry.options?.ifNotExists) {
+            pipeline.set(prefixedKey, entry.value, "NX");
+          } else if (entry.options?.ifExists) {
+            pipeline.set(prefixedKey, entry.value, "XX");
+          } else {
+            pipeline.set(prefixedKey, entry.value);
+          }
+        }
+        await pipeline.exec();
+      }
+      async mdelete(keys) {
+        if (keys.length === 0) return 0;
+        const prefixedKeys = keys.map((k) => this.prefixKey(k));
+        return this.getConnectedClient().del(...prefixedKeys);
+      }
+      // ============================================
+      // TTL Operations
+      // ============================================
+      async expire(key, ttlSeconds) {
+        validateTTL(ttlSeconds);
+        const result = await this.getConnectedClient().expire(this.prefixKey(key), ttlSeconds);
+        return result === 1;
+      }
+      async ttl(key) {
+        const result = await this.getConnectedClient().ttl(this.prefixKey(key));
+        if (result === -2) return null;
+        return result;
+      }
+      // ============================================
+      // Key Enumeration (SCAN)
+      // ============================================
+      async keys(pattern = "*") {
+        const client = this.getConnectedClient();
+        const prefixedPattern = this.prefixKey(pattern);
+        const result = [];
+        let cursor = "0";
+        do {
+          const [nextCursor, keys] = await client.scan(cursor, "MATCH", prefixedPattern, "COUNT", 100);
+          cursor = nextCursor;
+          for (const key of keys) {
+            result.push(this.unprefixKey(key));
+          }
+        } while (cursor !== "0");
+        return result;
+      }
+      // ============================================
+      // Atomic Operations
+      // ============================================
+      async incr(key) {
+        return this.getConnectedClient().incr(this.prefixKey(key));
+      }
+      async decr(key) {
+        return this.getConnectedClient().decr(this.prefixKey(key));
+      }
+      async incrBy(key, amount) {
+        return this.getConnectedClient().incrby(this.prefixKey(key), amount);
+      }
+      // ============================================
+      // Pub/Sub
+      // ============================================
+      supportsPubSub() {
+        return true;
+      }
+      async publish(channel, message) {
+        const prefixedChannel = this.prefixKey(channel);
+        return this.getConnectedClient().publish(prefixedChannel, message);
+      }
+      async subscribe(channel, handler) {
+        this.ensureConnected();
+        const prefixedChannel = this.prefixKey(channel);
+        if (!this.subscriber) {
+          await this.createSubscriber();
+        }
+        const subscriber = this.getConnectedSubscriber();
+        if (!this.subscriptionHandlers.has(prefixedChannel)) {
+          this.subscriptionHandlers.set(prefixedChannel, /* @__PURE__ */ new Set());
+          await subscriber.subscribe(prefixedChannel);
+        }
+        const handlers = this.subscriptionHandlers.get(prefixedChannel);
+        if (handlers) {
+          handlers.add(handler);
+        }
+        return async () => {
+          const handlers2 = this.subscriptionHandlers.get(prefixedChannel);
+          if (handlers2) {
+            handlers2.delete(handler);
+            if (handlers2.size === 0) {
+              this.subscriptionHandlers.delete(prefixedChannel);
+              await this.subscriber?.unsubscribe(prefixedChannel);
+            }
+          }
+        };
+      }
+      // ============================================
+      // Internal Helpers
+      // ============================================
+      /**
+       * Build Redis options from config.
+       */
+      buildRedisOptions() {
+        if (this.options.url) {
+          return {
+            lazyConnect: false,
+            maxRetriesPerRequest: 3
+          };
+        }
+        const config = this.options.config;
+        if (!config) {
+          throw new StorageConfigError("redis", "Redis config is required when URL is not provided");
+        }
+        return {
+          host: config.host,
+          port: config.port ?? 6379,
+          password: config.password,
+          db: config.db ?? 0,
+          tls: config.tls ? {} : void 0,
+          lazyConnect: false,
+          maxRetriesPerRequest: 3
+        };
+      }
+      /**
+       * Create subscriber connection.
+       */
+      async createSubscriber() {
+        const RedisClass = getRedisClass();
+        let subscriber;
+        if (this.options.url) {
+          subscriber = new RedisClass(this.options.url);
+        } else if (this.options.config) {
+          subscriber = new RedisClass(this.buildRedisOptions());
+        } else if (this.options.client) {
+          subscriber = this.options.client.duplicate();
+        } else {
+          throw new StorageConfigError("redis", "Cannot create subscriber without url, config, or client");
+        }
+        subscriber.on("message", (channel, message) => {
+          const handlers = this.subscriptionHandlers.get(channel);
+          if (handlers) {
+            const unprefixedChannel = this.unprefixKey(channel);
+            for (const handler of handlers) {
+              try {
+                handler(message, unprefixedChannel);
+              } catch {
+              }
+            }
+          }
+        });
+        this.subscriber = subscriber;
+      }
+      /**
+       * Add prefix to a key.
+       */
+      prefixKey(key) {
+        return this.keyPrefix + key;
+      }
+      /**
+       * Remove prefix from a key.
+       */
+      unprefixKey(key) {
+        if (this.keyPrefix && key.startsWith(this.keyPrefix)) {
+          return key.slice(this.keyPrefix.length);
+        }
+        return key;
+      }
+      /**
+       * Get the underlying Redis client (for advanced use).
+       */
+      getClient() {
+        return this.client;
+      }
+    };
+  }
+});
+
+// libs/utils/src/storage/adapters/vercel-kv.ts
+var vercel_kv_exports = {};
+__export(vercel_kv_exports, {
+  VercelKvStorageAdapter: () => VercelKvStorageAdapter
+});
+function getVercelKv() {
+  try {
+    return __require("@vercel/kv");
+  } catch {
+    throw new Error("@vercel/kv is required for Vercel KV storage adapter. Install it with: npm install @vercel/kv");
+  }
+}
+var VercelKvStorageAdapter;
+var init_vercel_kv = __esm({
+  "libs/utils/src/storage/adapters/vercel-kv.ts"() {
+    "use strict";
+    init_base();
+    init_errors();
+    init_ttl();
+    VercelKvStorageAdapter = class extends BaseStorageAdapter {
+      backendName = "vercel-kv";
+      client;
+      options;
+      keyPrefix;
+      constructor(options = {}) {
+        super();
+        const url = options.url ?? process.env["KV_REST_API_URL"];
+        const token = options.token ?? process.env["KV_REST_API_TOKEN"];
+        if (!url || !token) {
+          throw new StorageConfigError(
+            "vercel-kv",
+            "KV_REST_API_URL and KV_REST_API_TOKEN must be provided via options or environment variables."
+          );
+        }
+        this.options = { ...options, url, token };
+        this.keyPrefix = options.keyPrefix ?? "";
+      }
+      // ============================================
+      // Connection Lifecycle
+      // ============================================
+      async connect() {
+        if (this.connected) return;
+        try {
+          const { createClient, kv } = getVercelKv();
+          if (this.options.url === process.env["KV_REST_API_URL"]) {
+            this.client = kv;
+          } else {
+            const url = this.options.url;
+            const token = this.options.token;
+            if (!url || !token) {
+              throw new StorageConfigError("vercel-kv", "URL and token are required");
+            }
+            this.client = createClient({ url, token });
+          }
+          await this.client.exists("__healthcheck__");
+          this.connected = true;
+        } catch (e) {
+          throw new StorageConnectionError(
+            "Failed to connect to Vercel KV",
+            e instanceof Error ? e : void 0,
+            "vercel-kv"
+          );
+        }
+      }
+      async disconnect() {
+        this.client = void 0;
+        this.connected = false;
+      }
+      async ping() {
+        if (!this.client) return false;
+        try {
+          await this.client.exists("__healthcheck__");
+          return true;
+        } catch {
+          return false;
+        }
+      }
+      // ============================================
+      // Connection Helpers
+      // ============================================
+      /**
+       * Get the connected Vercel KV client, throwing if not connected.
+       */
+      getConnectedClient() {
+        this.ensureConnected();
+        if (!this.client) {
+          throw new StorageConnectionError("Vercel KV client not connected", void 0, "vercel-kv");
+        }
+        return this.client;
+      }
+      // ============================================
+      // Core Operations
+      // ============================================
+      async get(key) {
+        const result = await this.getConnectedClient().get(this.prefixKey(key));
+        return result;
+      }
+      async doSet(key, value, options) {
+        const client = this.getConnectedClient();
+        const prefixedKey = this.prefixKey(key);
+        const setOptions = {};
+        if (options?.ttlSeconds) {
+          setOptions.ex = options.ttlSeconds;
+        }
+        if (options?.ifNotExists) {
+          setOptions.nx = true;
+        } else if (options?.ifExists) {
+          setOptions.xx = true;
+        }
+        await client.set(prefixedKey, value, Object.keys(setOptions).length > 0 ? setOptions : void 0);
+      }
+      async delete(key) {
+        const result = await this.getConnectedClient().del(this.prefixKey(key));
+        return result > 0;
+      }
+      async exists(key) {
+        const result = await this.getConnectedClient().exists(this.prefixKey(key));
+        return result > 0;
+      }
+      // ============================================
+      // Batch Operations
+      // ============================================
+      async mget(keys) {
+        if (keys.length === 0) return [];
+        const prefixedKeys = keys.map((k) => this.prefixKey(k));
+        return this.getConnectedClient().mget(...prefixedKeys);
+      }
+      async mdelete(keys) {
+        if (keys.length === 0) return 0;
+        const prefixedKeys = keys.map((k) => this.prefixKey(k));
+        return this.getConnectedClient().del(...prefixedKeys);
+      }
+      // ============================================
+      // TTL Operations
+      // ============================================
+      async expire(key, ttlSeconds) {
+        validateTTL(ttlSeconds);
+        const result = await this.getConnectedClient().expire(this.prefixKey(key), ttlSeconds);
+        return result === 1;
+      }
+      async ttl(key) {
+        const result = await this.getConnectedClient().ttl(this.prefixKey(key));
+        if (result === -2) return null;
+        return result;
+      }
+      // ============================================
+      // Key Enumeration
+      // ============================================
+      async keys(pattern = "*") {
+        const client = this.getConnectedClient();
+        const prefixedPattern = this.prefixKey(pattern);
+        try {
+          const result = [];
+          let cursor = 0;
+          do {
+            const [nextCursor, keys] = await client.scan(cursor, {
+              match: prefixedPattern,
+              count: 100
+            });
+            const parsedCursor = typeof nextCursor === "string" ? parseInt(nextCursor, 10) : nextCursor;
+            cursor = Number.isNaN(parsedCursor) ? 0 : parsedCursor;
+            for (const key of keys) {
+              result.push(this.unprefixKey(key));
+            }
+          } while (cursor !== 0);
+          return result;
+        } catch {
+          const allKeys = await client.keys(prefixedPattern);
+          return allKeys.map((k) => this.unprefixKey(k));
+        }
+      }
+      // ============================================
+      // Atomic Operations
+      // ============================================
+      async incr(key) {
+        return this.getConnectedClient().incr(this.prefixKey(key));
+      }
+      async decr(key) {
+        return this.getConnectedClient().decr(this.prefixKey(key));
+      }
+      async incrBy(key, amount) {
+        return this.getConnectedClient().incrby(this.prefixKey(key), amount);
+      }
+      // ============================================
+      // Pub/Sub (NOT SUPPORTED)
+      // ============================================
+      supportsPubSub() {
+        return false;
+      }
+      getPubSubSuggestion() {
+        return "Vercel KV is REST-based and does not support pub/sub. Use Upstash adapter for pub/sub support.";
+      }
+      // ============================================
+      // Internal Helpers
+      // ============================================
+      /**
+       * Add prefix to a key.
+       */
+      prefixKey(key) {
+        return this.keyPrefix + key;
+      }
+      /**
+       * Remove prefix from a key.
+       */
+      unprefixKey(key) {
+        if (this.keyPrefix && key.startsWith(this.keyPrefix)) {
+          return key.slice(this.keyPrefix.length);
+        }
+        return key;
+      }
+    };
+  }
+});
+
+// libs/utils/src/storage/adapters/upstash.ts
+var upstash_exports = {};
+__export(upstash_exports, {
+  UpstashStorageAdapter: () => UpstashStorageAdapter
+});
+function getUpstashRedis() {
+  try {
+    return __require("@upstash/redis");
+  } catch {
+    throw new Error(
+      "@upstash/redis is required for Upstash storage adapter. Install it with: npm install @upstash/redis"
+    );
+  }
+}
+var PUBSUB_POLL_INTERVAL_MS, UpstashStorageAdapter;
+var init_upstash = __esm({
+  "libs/utils/src/storage/adapters/upstash.ts"() {
+    "use strict";
+    init_base();
+    init_errors();
+    init_ttl();
+    PUBSUB_POLL_INTERVAL_MS = 100;
+    UpstashStorageAdapter = class extends BaseStorageAdapter {
+      backendName = "upstash";
+      client;
+      options;
+      keyPrefix;
+      pubSubEnabled;
+      // Pub/sub state
+      subscriptionHandlers = /* @__PURE__ */ new Map();
+      pollingIntervals = /* @__PURE__ */ new Map();
+      constructor(options = {}) {
+        super();
+        const url = options.url ?? process.env["UPSTASH_REDIS_REST_URL"];
+        const token = options.token ?? process.env["UPSTASH_REDIS_REST_TOKEN"];
+        if (!url || !token) {
+          throw new StorageConfigError(
+            "upstash",
+            "UPSTASH_REDIS_REST_URL and UPSTASH_REDIS_REST_TOKEN must be provided via options or environment variables."
+          );
+        }
+        this.options = { ...options, url, token };
+        this.keyPrefix = options.keyPrefix ?? "";
+        this.pubSubEnabled = options.enablePubSub ?? false;
+      }
+      // ============================================
+      // Connection Lifecycle
+      // ============================================
+      async connect() {
+        if (this.connected) return;
+        try {
+          const { Redis } = getUpstashRedis();
+          const url = this.options.url;
+          const token = this.options.token;
+          if (!url || !token) {
+            throw new StorageConfigError("upstash", "URL and token are required");
+          }
+          this.client = new Redis({ url, token });
+          await this.client.exists("__healthcheck__");
+          this.connected = true;
+        } catch (e) {
+          throw new StorageConnectionError(
+            "Failed to connect to Upstash Redis",
+            e instanceof Error ? e : void 0,
+            "upstash"
+          );
+        }
+      }
+      async disconnect() {
+        if (!this.connected) return;
+        for (const interval of this.pollingIntervals.values()) {
+          clearInterval(interval);
+        }
+        this.pollingIntervals.clear();
+        this.subscriptionHandlers.clear();
+        this.client = void 0;
+        this.connected = false;
+      }
+      async ping() {
+        if (!this.client) return false;
+        try {
+          await this.client.exists("__healthcheck__");
+          return true;
+        } catch {
+          return false;
+        }
+      }
+      // ============================================
+      // Connection Helpers
+      // ============================================
+      /**
+       * Get the connected Upstash client, throwing if not connected.
+       */
+      getConnectedClient() {
+        this.ensureConnected();
+        if (!this.client) {
+          throw new StorageConnectionError("Upstash client not connected", void 0, "upstash");
+        }
+        return this.client;
+      }
+      // ============================================
+      // Core Operations
+      // ============================================
+      async get(key) {
+        const result = await this.getConnectedClient().get(this.prefixKey(key));
+        return result;
+      }
+      async doSet(key, value, options) {
+        const client = this.getConnectedClient();
+        const prefixedKey = this.prefixKey(key);
+        const setOptions = {};
+        if (options?.ttlSeconds) {
+          setOptions.ex = options.ttlSeconds;
+        }
+        if (options?.ifNotExists) {
+          setOptions.nx = true;
+        } else if (options?.ifExists) {
+          setOptions.xx = true;
+        }
+        await client.set(prefixedKey, value, Object.keys(setOptions).length > 0 ? setOptions : void 0);
+      }
+      async delete(key) {
+        const result = await this.getConnectedClient().del(this.prefixKey(key));
+        return result > 0;
+      }
+      async exists(key) {
+        const result = await this.getConnectedClient().exists(this.prefixKey(key));
+        return result > 0;
+      }
+      // ============================================
+      // Batch Operations
+      // ============================================
+      async mget(keys) {
+        if (keys.length === 0) return [];
+        const prefixedKeys = keys.map((k) => this.prefixKey(k));
+        return this.getConnectedClient().mget(...prefixedKeys);
+      }
+      async mdelete(keys) {
+        if (keys.length === 0) return 0;
+        const prefixedKeys = keys.map((k) => this.prefixKey(k));
+        return this.getConnectedClient().del(...prefixedKeys);
+      }
+      // ============================================
+      // TTL Operations
+      // ============================================
+      async expire(key, ttlSeconds) {
+        validateTTL(ttlSeconds);
+        const result = await this.getConnectedClient().expire(this.prefixKey(key), ttlSeconds);
+        return result === 1;
+      }
+      async ttl(key) {
+        const result = await this.getConnectedClient().ttl(this.prefixKey(key));
+        if (result === -2) return null;
+        return result;
+      }
+      // ============================================
+      // Key Enumeration
+      // ============================================
+      async keys(pattern = "*") {
+        const client = this.getConnectedClient();
+        const prefixedPattern = this.prefixKey(pattern);
+        const result = [];
+        let cursor = 0;
+        do {
+          const [nextCursor, keys] = await client.scan(cursor, {
+            match: prefixedPattern,
+            count: 100
+          });
+          const parsedCursor = typeof nextCursor === "string" ? parseInt(nextCursor, 10) : nextCursor;
+          cursor = Number.isNaN(parsedCursor) ? 0 : parsedCursor;
+          for (const key of keys) {
+            result.push(this.unprefixKey(key));
+          }
+        } while (cursor !== 0);
+        return result;
+      }
+      // ============================================
+      // Atomic Operations
+      // ============================================
+      async incr(key) {
+        return this.getConnectedClient().incr(this.prefixKey(key));
+      }
+      async decr(key) {
+        return this.getConnectedClient().decr(this.prefixKey(key));
+      }
+      async incrBy(key, amount) {
+        return this.getConnectedClient().incrby(this.prefixKey(key), amount);
+      }
+      // ============================================
+      // Pub/Sub (via list-based polling)
+      // ============================================
+      supportsPubSub() {
+        return this.pubSubEnabled;
+      }
+      async publish(channel, message) {
+        if (!this.pubSubEnabled) {
+          return super.publish(channel, message);
+        }
+        const prefixedChannel = this.prefixKey(`__pubsub__:${channel}`);
+        const listKey = `${prefixedChannel}:queue`;
+        await this.getConnectedClient().lpush(listKey, message);
+        return 1;
+      }
+      async subscribe(channel, handler) {
+        const client = this.getConnectedClient();
+        if (!this.pubSubEnabled) {
+          return super.subscribe(channel, handler);
+        }
+        const prefixedChannel = this.prefixKey(`__pubsub__:${channel}`);
+        if (!this.subscriptionHandlers.has(prefixedChannel)) {
+          this.subscriptionHandlers.set(prefixedChannel, /* @__PURE__ */ new Set());
+          const listKey = `${prefixedChannel}:queue`;
+          const interval = setInterval(async () => {
+            try {
+              const message = await client.rpop(listKey);
+              if (message) {
+                const handlers2 = this.subscriptionHandlers.get(prefixedChannel);
+                if (handlers2) {
+                  for (const h of handlers2) {
+                    try {
+                      h(message, channel);
+                    } catch {
+                    }
+                  }
+                }
+              }
+            } catch {
+            }
+          }, PUBSUB_POLL_INTERVAL_MS);
+          if (interval.unref) {
+            interval.unref();
+          }
+          this.pollingIntervals.set(prefixedChannel, interval);
+        }
+        const handlers = this.subscriptionHandlers.get(prefixedChannel);
+        if (handlers) {
+          handlers.add(handler);
+        }
+        return async () => {
+          const handlers2 = this.subscriptionHandlers.get(prefixedChannel);
+          if (handlers2) {
+            handlers2.delete(handler);
+            if (handlers2.size === 0) {
+              this.subscriptionHandlers.delete(prefixedChannel);
+              const interval = this.pollingIntervals.get(prefixedChannel);
+              if (interval) {
+                clearInterval(interval);
+                this.pollingIntervals.delete(prefixedChannel);
+              }
+            }
+          }
+        };
+      }
+      /**
+       * Publish using list-based approach (for polling subscribers).
+       * This is an alternative to native PUBLISH when subscribers are polling.
+       */
+      async publishToQueue(channel, message) {
+        const prefixedChannel = this.prefixKey(`__pubsub__:${channel}`);
+        const listKey = `${prefixedChannel}:queue`;
+        await this.getConnectedClient().lpush(listKey, message);
+      }
+      getPubSubSuggestion() {
+        return "Enable pub/sub by setting enablePubSub: true in the adapter options.";
+      }
+      // ============================================
+      // Internal Helpers
+      // ============================================
+      /**
+       * Add prefix to a key.
+       */
+      prefixKey(key) {
+        return this.keyPrefix + key;
+      }
+      /**
+       * Remove prefix from a key.
+       */
+      unprefixKey(key) {
+        if (this.keyPrefix && key.startsWith(this.keyPrefix)) {
+          return key.slice(this.keyPrefix.length);
+        }
+        return key;
+      }
+    };
+  }
+});
+
+// libs/utils/src/regex/safe-regex.ts
+import { analyzeForReDoS, REDOS_THRESHOLDS } from "ast-guard";
+var DEFAULT_MAX_INPUT_LENGTH = 5e4;
+function analyzePattern(pattern, level = "polynomial") {
+  const patternStr = typeof pattern === "string" ? pattern : pattern.source;
+  try {
+    new RegExp(patternStr);
+  } catch {
+    return {
+      safe: false,
+      score: 100,
+      vulnerabilityType: "invalid_syntax",
+      explanation: "Pattern has invalid regex syntax"
+    };
+  }
+  try {
+    const result = analyzeForReDoS(patternStr, level);
+    return {
+      safe: !result.vulnerable,
+      score: result.score,
+      vulnerabilityType: result.vulnerabilityType,
+      explanation: result.explanation
+    };
+  } catch {
+    return {
+      safe: false,
+      score: 100,
+      vulnerabilityType: "analysis_failed",
+      explanation: "Pattern analysis failed - treating as potentially unsafe"
+    };
+  }
+}
+function isPatternSafe(pattern, level = "polynomial") {
+  return analyzePattern(pattern, level).safe;
+}
+function createSafeRegExp(pattern, flags, options = {}) {
+  const { level = "polynomial", throwOnVulnerable = false } = options;
+  const analysis = analyzePattern(pattern, level);
+  if (!analysis.safe) {
+    if (throwOnVulnerable) {
+      throw new Error(`Vulnerable regex pattern detected: ${analysis.explanation || analysis.vulnerabilityType}`);
+    }
+    return null;
+  }
+  try {
+    return new RegExp(pattern, flags);
+  } catch {
+    return null;
+  }
+}
+function safeTest(pattern, input, options = {}) {
+  const { maxInputLength = DEFAULT_MAX_INPUT_LENGTH } = options;
+  if (input.length > maxInputLength) {
+    return null;
+  }
+  return pattern.test(input);
+}
+function safeMatch(pattern, input, options = {}) {
+  const { maxInputLength = DEFAULT_MAX_INPUT_LENGTH } = options;
+  if (input.length > maxInputLength) {
+    return null;
+  }
+  return input.match(pattern);
+}
+function safeReplace(input, pattern, replacement, options = {}) {
+  const { maxInputLength = DEFAULT_MAX_INPUT_LENGTH } = options;
+  if (input.length > maxInputLength) {
+    return input;
+  }
+  return input.replace(pattern, replacement);
+}
+function safeExec(pattern, input, options = {}) {
+  const { maxInputLength = DEFAULT_MAX_INPUT_LENGTH } = options;
+  if (input.length > maxInputLength) {
+    return null;
+  }
+  return pattern.exec(input);
+}
+function isInputLengthSafe(input, maxLength = DEFAULT_MAX_INPUT_LENGTH) {
+  return input.length <= maxLength;
+}
+
+// libs/utils/src/regex/patterns.ts
+function trimLeading(input, char) {
+  if (!input || char.length !== 1) {
+    return input ?? "";
+  }
+  let start = 0;
+  while (start < input.length && input[start] === char) {
+    start++;
+  }
+  return start === 0 ? input : input.slice(start);
+}
+function trimTrailing(input, char) {
+  if (!input || char.length !== 1) {
+    return input ?? "";
+  }
+  let end = input.length;
+  while (end > 0 && input[end - 1] === char) {
+    end--;
+  }
+  return end === input.length ? input : input.slice(0, end);
+}
+function trimBoth(input, char) {
+  return trimTrailing(trimLeading(input, char), char);
+}
+function trimChars(input, chars) {
+  if (!input || chars.size === 0) {
+    return input ?? "";
+  }
+  let start = 0;
+  while (start < input.length && chars.has(input[start])) {
+    start++;
+  }
+  let end = input.length;
+  while (end > start && chars.has(input[end - 1])) {
+    end--;
+  }
+  return input.slice(start, end);
+}
+function extractBracedParams(template, maxLength = DEFAULT_MAX_INPUT_LENGTH) {
+  if (!template || template.length > maxLength) {
+    return [];
+  }
+  const params = [];
+  let i = 0;
+  while (i < template.length) {
+    const openBrace = template.indexOf("{", i);
+    if (openBrace === -1) {
+      break;
+    }
+    const closeBrace = template.indexOf("}", openBrace + 1);
+    if (closeBrace === -1) {
+      break;
+    }
+    const nestedOpen = template.indexOf("{", openBrace + 1);
+    if (nestedOpen !== -1 && nestedOpen < closeBrace) {
+      i = nestedOpen + 1;
+      continue;
+    }
+    const paramName = template.slice(openBrace + 1, closeBrace).trim();
+    if (paramName && !paramName.includes("{") && !paramName.includes("}")) {
+      params.push(paramName);
+    }
+    i = closeBrace + 1;
+  }
+  return params;
+}
+function expandTemplate(template, values, maxLength = DEFAULT_MAX_INPUT_LENGTH) {
+  if (!template || template.length > maxLength) {
+    return template ?? "";
+  }
+  let result = "";
+  let i = 0;
+  while (i < template.length) {
+    const openBrace = template.indexOf("{", i);
+    if (openBrace === -1) {
+      result += template.slice(i);
+      break;
+    }
+    result += template.slice(i, openBrace);
+    const closeBrace = template.indexOf("}", openBrace + 1);
+    if (closeBrace === -1) {
+      result += template.slice(openBrace);
+      break;
+    }
+    const nestedOpen = template.indexOf("{", openBrace + 1);
+    if (nestedOpen !== -1 && nestedOpen < closeBrace) {
+      result += "{";
+      i = openBrace + 1;
+      continue;
+    }
+    const paramName = template.slice(openBrace + 1, closeBrace).trim();
+    if (paramName in values) {
+      result += values[paramName];
+    } else {
+      result += template.slice(openBrace, closeBrace + 1);
+    }
+    i = closeBrace + 1;
+  }
+  return result;
+}
+function hasTemplatePlaceholders(str, maxLength = DEFAULT_MAX_INPUT_LENGTH) {
+  if (!str || str.length > maxLength) {
+    return false;
+  }
+  const openBrace = str.indexOf("{");
+  if (openBrace === -1) {
+    return false;
+  }
+  const closeBrace = str.indexOf("}", openBrace + 1);
+  return closeBrace > openBrace + 1;
+}
+function collapseChar(input, char) {
+  if (!input || char.length !== 1) {
+    return input ?? "";
+  }
+  let result = "";
+  let lastWasChar = false;
+  for (let i = 0; i < input.length; i++) {
+    const c = input[i];
+    if (c === char) {
+      if (!lastWasChar) {
+        result += c;
+        lastWasChar = true;
+      }
+    } else {
+      result += c;
+      lastWasChar = false;
+    }
+  }
+  return result;
+}
+function collapseWhitespace(input, maxLength = DEFAULT_MAX_INPUT_LENGTH) {
+  if (!input) {
+    return "";
+  }
+  if (input.length > maxLength) {
+    return input;
+  }
+  let result = "";
+  let lastWasWhitespace = false;
+  for (let i = 0; i < input.length; i++) {
+    const c = input[i];
+    const isWhitespace = c === " " || c === "	" || c === "\n" || c === "\r" || c === "\f" || c === "\v";
+    if (isWhitespace) {
+      if (!lastWasWhitespace) {
+        result += " ";
+        lastWasWhitespace = true;
+      }
+    } else {
+      result += c;
+      lastWasWhitespace = false;
+    }
+  }
+  return result;
+}
+
+// libs/utils/src/naming/naming.ts
+function splitWords(input) {
+  const parts = [];
+  let buff = "";
+  for (let i = 0; i < input.length; i++) {
+    const ch = input[i];
+    const isAlphaNum = /[A-Za-z0-9]/.test(ch);
+    if (!isAlphaNum) {
+      if (buff) {
+        parts.push(buff);
+        buff = "";
+      }
+      continue;
+    }
+    if (buff && /[a-z]/.test(buff[buff.length - 1]) && /[A-Z]/.test(ch)) {
+      parts.push(buff);
+      buff = ch;
+    } else {
+      buff += ch;
+    }
+  }
+  if (buff) parts.push(buff);
+  return parts;
+}
+function toCase(words, kind) {
+  const safe = words.filter(Boolean);
+  switch (kind) {
+    case "snake":
+      return safe.map((w) => w.toLowerCase()).join("_");
+    case "kebab":
+      return safe.map((w) => w.toLowerCase()).join("-");
+    case "dot":
+      return safe.map((w) => w.toLowerCase()).join(".");
+    case "camel":
+      if (safe.length === 0) return "";
+      return safe[0].toLowerCase() + safe.slice(1).map((w) => w.charAt(0).toUpperCase() + w.slice(1).toLowerCase()).join("");
+  }
+}
+function sepFor(kind) {
+  return kind === "snake" ? "_" : kind === "kebab" ? "-" : kind === "dot" ? "." : "";
+}
+function shortHash(s) {
+  let h = 5381;
+  for (let i = 0; i < s.length; i++) h = (h << 5) + h + s.charCodeAt(i);
+  return (h >>> 0).toString(16).slice(-6).padStart(6, "0");
+}
+function ensureMaxLen(name, max) {
+  if (name.length <= max) return name;
+  const hash = shortHash(name);
+  const lastSep = Math.max(name.lastIndexOf("_"), name.lastIndexOf("-"), name.lastIndexOf("."), name.lastIndexOf("/"));
+  const tail = lastSep > 0 ? name.slice(lastSep + 1) : name.slice(-Math.max(3, Math.min(16, Math.floor(max / 4))));
+  const budget = Math.max(1, max - (1 + hash.length + 1 + tail.length));
+  const prefix = name.slice(0, budget);
+  return `${prefix}-${hash}-${tail}`.slice(0, max);
+}
+function idFromString(name) {
+  const cleaned = name.replace(/[^A-Za-z0-9_-]+/g, "-");
+  return trimBoth(cleaned, "-").slice(0, 64);
+}
+
+// libs/utils/src/uri/uri-validation.ts
+var RFC_3986_SCHEME_PATTERN = /^[a-zA-Z][a-zA-Z0-9+.-]*:\/\//;
+var SCHEME_EXTRACT_PATTERN = /^([a-zA-Z][a-zA-Z0-9+.-]*):/;
+function isValidMcpUri(uri) {
+  return RFC_3986_SCHEME_PATTERN.test(uri);
+}
+function extractUriScheme(uri) {
+  const match = uri.match(SCHEME_EXTRACT_PATTERN);
+  return match ? match[1].toLowerCase() : null;
+}
+function isValidMcpUriTemplate(uriTemplate) {
+  return RFC_3986_SCHEME_PATTERN.test(uriTemplate);
+}
+
+// libs/utils/src/uri/uri-template.ts
+function parseUriTemplate(template) {
+  if (template.length > 1e3) {
+    throw new Error("URI template too long (max 1000 characters)");
+  }
+  const paramCount = (template.match(/\{[^{}]+\}/g) || []).length;
+  if (paramCount > 50) {
+    throw new Error("URI template has too many parameters (max 50)");
+  }
+  const paramNames = [];
+  let regexStr = template.replace(/[.*+?^${}()|[\]\\]/g, (match) => {
+    if (match === "{" || match === "}") return match;
+    return "\\" + match;
+  });
+  regexStr = regexStr.replace(/\{([^{}]+)\}/g, (_, paramName) => {
+    paramNames.push(paramName);
+    return "([^/]+)";
+  });
+  return {
+    pattern: new RegExp(`^${regexStr}$`),
+    paramNames
+  };
+}
+function matchUriTemplate(template, uri) {
+  const { pattern, paramNames } = parseUriTemplate(template);
+  const match = uri.match(pattern);
+  if (!match) return null;
+  const params = {};
+  paramNames.forEach((name, index) => {
+    params[name] = decodeURIComponent(match[index + 1]);
+  });
+  return params;
+}
+function expandUriTemplate(template, params) {
+  return template.replace(/\{([^{}]+)\}/g, (_, paramName) => {
+    const value = params[paramName];
+    if (value === void 0) {
+      throw new Error(`Missing parameter '${paramName}' for URI template '${template}'`);
+    }
+    return encodeURIComponent(value);
+  });
+}
+function extractTemplateParams(template) {
+  const params = [];
+  template.replace(/\{([^{}]+)\}/g, (_, paramName) => {
+    params.push(paramName);
+    return "";
+  });
+  return params;
+}
+function isUriTemplate(uri) {
+  return /\{[^{}]+\}/.test(uri);
+}
+
+// libs/utils/src/path/path.ts
+function trimSlashes(s) {
+  return trimBoth(s ?? "", "/");
+}
+function joinPath(...parts) {
+  const cleaned = parts.map((p) => trimSlashes(p)).filter(Boolean);
+  return cleaned.length ? `/${cleaned.join("/")}` : "";
+}
+
+// libs/utils/src/content/content.ts
+function sanitizeToJson(value) {
+  const seen = /* @__PURE__ */ new WeakSet();
+  function sanitize(val) {
+    if (typeof val === "function" || typeof val === "symbol") {
+      return void 0;
+    }
+    if (typeof val === "bigint") {
+      return val.toString();
+    }
+    if (val instanceof Date) {
+      return val.toISOString();
+    }
+    if (val instanceof Error) {
+      return {
+        name: val.name,
+        message: val.message,
+        stack: val.stack
+      };
+    }
+    if (val instanceof Map) {
+      const obj = {};
+      for (const [k, v] of val.entries()) {
+        obj[String(k)] = sanitize(v);
+      }
+      return obj;
+    }
+    if (val instanceof Set) {
+      return Array.from(val).map(sanitize);
+    }
+    if (Array.isArray(val)) {
+      if (seen.has(val)) {
+        return void 0;
+      }
+      seen.add(val);
+      return val.map(sanitize);
+    }
+    if (val && typeof val === "object") {
+      if (seen.has(val)) {
+        return void 0;
+      }
+      seen.add(val);
+      const sanitized = {};
+      for (const [key, value2] of Object.entries(val)) {
+        const clean = sanitize(value2);
+        if (clean !== void 0) {
+          sanitized[key] = clean;
+        }
+      }
+      return sanitized;
+    }
+    return val;
+  }
+  return sanitize(value);
+}
+var MIME_TYPES = {
+  json: "application/json",
+  xml: "application/xml",
+  html: "text/html",
+  htm: "text/html",
+  css: "text/css",
+  js: "application/javascript",
+  ts: "application/typescript",
+  txt: "text/plain",
+  md: "text/markdown",
+  yaml: "application/yaml",
+  yml: "application/yaml",
+  csv: "text/csv",
+  png: "image/png",
+  jpg: "image/jpeg",
+  jpeg: "image/jpeg",
+  gif: "image/gif",
+  svg: "image/svg+xml",
+  pdf: "application/pdf"
+};
+function inferMimeType(uri, content) {
+  const ext = uri.split(".").pop()?.toLowerCase();
+  if (ext && MIME_TYPES[ext]) {
+    return MIME_TYPES[ext];
+  }
+  if (typeof content === "string") {
+    if (content.trim().startsWith("{") || content.trim().startsWith("[")) {
+      return "application/json";
+    }
+    if (content.trim().startsWith("<")) {
+      return content.includes("<!DOCTYPE html") || content.includes("<html") ? "text/html" : "application/xml";
+    }
+  }
+  return "text/plain";
+}
+
+// libs/utils/src/http/http.ts
+function validateBaseUrl(url) {
+  try {
+    const parsed = new URL(url);
+    if (!["http:", "https:"].includes(parsed.protocol)) {
+      throw new Error(`Unsupported protocol: ${parsed.protocol}. Only http: and https: are supported.`);
+    }
+    return parsed;
+  } catch (err) {
+    if (err instanceof Error && err.message.includes("Unsupported protocol")) {
+      throw err;
+    }
+    throw new Error(`Invalid base URL: ${url}`);
+  }
+}
+
+// libs/utils/src/crypto/runtime.ts
+function isNode() {
+  return typeof process !== "undefined" && !!process.versions?.node;
+}
+function isBrowser() {
+  return typeof globalThis !== "undefined" && typeof globalThis.crypto !== "undefined" && typeof globalThis.crypto.getRandomValues === "function";
+}
+function assertNode(feature) {
+  if (!isNode()) {
+    throw new Error(`${feature} is not supported in the browser. Requires Node.js.`);
+  }
+}
+
+// libs/utils/src/fs/fs.ts
+var _fsp = null;
+var _spawn = null;
+function getFsp() {
+  if (!_fsp) {
+    assertNode("File system operations");
+    _fsp = __require("fs").promises;
+  }
+  return _fsp;
+}
+function getSpawn() {
+  if (!_spawn) {
+    assertNode("Child process operations");
+    _spawn = __require("child_process").spawn;
+  }
+  return _spawn;
+}
+var F_OK = 0;
+async function readFile(p, encoding = "utf8") {
+  const fsp = getFsp();
+  return fsp.readFile(p, encoding);
+}
+async function readFileBuffer(p) {
+  const fsp = getFsp();
+  return fsp.readFile(p);
+}
+async function writeFile(p, content, options) {
+  const fsp = getFsp();
+  await fsp.writeFile(p, content, { encoding: "utf8", mode: options?.mode });
+}
+async function mkdir(p, options) {
+  const fsp = getFsp();
+  await fsp.mkdir(p, options);
+}
+async function rename(oldPath, newPath) {
+  const fsp = getFsp();
+  await fsp.rename(oldPath, newPath);
+}
+async function unlink(p) {
+  const fsp = getFsp();
+  await fsp.unlink(p);
+}
+async function fileExists(p) {
+  try {
+    const fsp = getFsp();
+    await fsp.access(p, F_OK);
+    return true;
+  } catch {
+    return false;
+  }
+}
+async function readJSON(jsonPath) {
+  try {
+    const fsp = getFsp();
+    const buf = await fsp.readFile(jsonPath, "utf8");
+    return JSON.parse(buf);
+  } catch {
+    return null;
+  }
+}
+async function writeJSON(p, obj) {
+  const fsp = getFsp();
+  await fsp.writeFile(p, JSON.stringify(obj, null, 2) + "\n", "utf8");
+}
+async function ensureDir(p) {
+  const fsp = getFsp();
+  await fsp.mkdir(p, { recursive: true });
+}
+async function stat(p) {
+  const fsp = getFsp();
+  return fsp.stat(p);
+}
+async function copyFile(src, dest) {
+  const fsp = getFsp();
+  await fsp.copyFile(src, dest);
+}
+async function cp(src, dest, options) {
+  const fsp = getFsp();
+  await fsp.cp(src, dest, options);
+}
+async function readdir(p) {
+  const fsp = getFsp();
+  return fsp.readdir(p);
+}
+async function rm(p, options) {
+  const fsp = getFsp();
+  await fsp.rm(p, options);
+}
+async function isDirEmpty(dir) {
+  try {
+    const fsp = getFsp();
+    const items = await fsp.readdir(dir);
+    return items.length === 0;
+  } catch (e) {
+    if (e?.code === "ENOENT") return true;
+    throw e;
+  }
+}
+async function mkdtemp(prefix) {
+  const fsp = getFsp();
+  return fsp.mkdtemp(prefix);
+}
+async function access(p, mode) {
+  const fsp = getFsp();
+  await fsp.access(p, mode ?? F_OK);
+}
+function runCmd(cmd, args, opts = {}) {
+  const spawn = getSpawn();
+  return new Promise((resolve2, reject) => {
+    const child = spawn(cmd, args, { stdio: "inherit", shell: false, ...opts });
+    child.on("close", (code) => code === 0 ? resolve2() : reject(new Error(`${cmd} exited with code ${code}`)));
+    child.on("error", reject);
+  });
+}
+
+// libs/utils/src/escape/escape.ts
+function escapeHtml(str) {
+  if (str === null || str === void 0) {
+    return "";
+  }
+  const s = String(str);
+  return s.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;").replace(/'/g, "&#39;").replace(/\u2028/g, "\\u2028").replace(/\u2029/g, "\\u2029");
+}
+function escapeHtmlAttr(str) {
+  return str.replace(/&/g, "&amp;").replace(/"/g, "&quot;");
+}
+function escapeJsString(str) {
+  return str.replace(/\\/g, "\\\\").replace(/'/g, "\\'").replace(/"/g, '\\"').replace(/\n/g, "\\n").replace(/\r/g, "\\r").replace(/\t/g, "\\t").replace(/\u2028/g, "\\u2028").replace(/\u2029/g, "\\u2029");
+}
+function escapeScriptClose(jsonString) {
+  return jsonString.replace(/<\//g, "<\\/");
+}
+function safeJsonForScript(value) {
+  if (value === void 0) {
+    return "null";
+  }
+  try {
+    const jsonString = JSON.stringify(value, (_key, val) => {
+      if (typeof val === "bigint") {
+        return val.toString();
+      }
+      return val;
+    });
+    if (jsonString === void 0) {
+      return "null";
+    }
+    return escapeScriptClose(jsonString);
+  } catch {
+    return '{"error":"Value could not be serialized"}';
+  }
+}
+
+// libs/utils/src/serialization/serialization.ts
+function safeStringify(value, space) {
+  const seen = /* @__PURE__ */ new WeakSet();
+  try {
+    return JSON.stringify(
+      value,
+      (_key, val) => {
+        if (typeof val === "object" && val !== null) {
+          if (seen.has(val)) return "[Circular]";
+          seen.add(val);
+        }
+        return val;
+      },
+      space
+    );
+  } catch {
+    return JSON.stringify({ error: "Output could not be serialized" });
+  }
+}
+
+// libs/utils/src/crypto/index.ts
+init_jwt_alg();
+
+// libs/utils/src/crypto/encrypted-blob.ts
+var textEncoder = new TextEncoder();
+var textDecoder = new TextDecoder();
+var EncryptedBlobError = class extends Error {
+  constructor(message) {
+    super(message);
+    this.name = "EncryptedBlobError";
+  }
+};
+function encryptValue(data, key) {
+  if (key.length !== 32) {
+    throw new EncryptedBlobError(`Encryption key must be 32 bytes (AES-256), got ${key.length} bytes`);
+  }
+  let jsonString;
+  try {
+    jsonString = JSON.stringify(data);
+  } catch (error) {
+    throw new EncryptedBlobError(`Failed to serialize data: ${error.message}`);
+  }
+  const plaintext = textEncoder.encode(jsonString);
+  const iv = randomBytes(12);
+  const { ciphertext, tag } = encryptAesGcm(key, plaintext, iv);
+  return {
+    alg: "A256GCM",
+    iv: base64urlEncode(iv),
+    tag: base64urlEncode(tag),
+    data: base64urlEncode(ciphertext)
+  };
+}
+function decryptValue(blob, key) {
+  if (key.length !== 32) {
+    throw new EncryptedBlobError(`Decryption key must be 32 bytes (AES-256), got ${key.length} bytes`);
+  }
+  if (blob.alg !== "A256GCM") {
+    throw new EncryptedBlobError(`Unsupported algorithm: ${blob.alg}, expected A256GCM`);
+  }
+  let iv;
+  let tag;
+  let ciphertext;
+  try {
+    iv = base64urlDecode(blob.iv);
+    tag = base64urlDecode(blob.tag);
+    ciphertext = base64urlDecode(blob.data);
+  } catch (error) {
+    throw new EncryptedBlobError(`Failed to decode blob fields: ${error.message}`);
+  }
+  let decrypted;
+  try {
+    decrypted = decryptAesGcm(key, ciphertext, iv, tag);
+  } catch (error) {
+    throw new EncryptedBlobError(`Decryption failed: ${error.message}`);
+  }
+  try {
+    return JSON.parse(textDecoder.decode(decrypted));
+  } catch (error) {
+    throw new EncryptedBlobError(`Failed to parse decrypted data: ${error.message}`);
+  }
+}
+function tryDecryptValue(blob, key) {
+  try {
+    return decryptValue(blob, key);
+  } catch {
+    return null;
+  }
+}
+function serializeBlob(blob) {
+  return JSON.stringify(blob);
+}
+function deserializeBlob(str) {
+  let parsed;
+  try {
+    parsed = JSON.parse(str);
+  } catch (error) {
+    throw new EncryptedBlobError(`Failed to parse blob JSON: ${error.message}`);
+  }
+  if (!isValidEncryptedBlob(parsed)) {
+    throw new EncryptedBlobError("Invalid encrypted blob structure");
+  }
+  return parsed;
+}
+function tryDeserializeBlob(str) {
+  try {
+    return deserializeBlob(str);
+  } catch {
+    return null;
+  }
+}
+function isValidEncryptedBlob(value) {
+  return typeof value === "object" && value !== null && "alg" in value && "iv" in value && "tag" in value && "data" in value && value.alg === "A256GCM" && typeof value.iv === "string" && typeof value.tag === "string" && typeof value.data === "string";
+}
+function encryptAndSerialize(data, key) {
+  const blob = encryptValue(data, key);
+  return serializeBlob(blob);
+}
+function deserializeAndDecrypt(str, key) {
+  const blob = deserializeBlob(str);
+  return decryptValue(blob, key);
+}
+function tryDeserializeAndDecrypt(str, key) {
+  try {
+    return deserializeAndDecrypt(str, key);
+  } catch {
+    return null;
+  }
+}
+
+// libs/utils/src/crypto/pkce/pkce.ts
+var MIN_CODE_VERIFIER_LENGTH = 43;
+var MAX_CODE_VERIFIER_LENGTH = 128;
+var DEFAULT_CODE_VERIFIER_LENGTH = 64;
+var PkceError = class extends Error {
+  constructor(message) {
+    super(message);
+    this.name = "PkceError";
+  }
+};
+function generateCodeVerifier(length = DEFAULT_CODE_VERIFIER_LENGTH) {
+  if (length < MIN_CODE_VERIFIER_LENGTH || length > MAX_CODE_VERIFIER_LENGTH) {
+    throw new PkceError(
+      `Code verifier length must be between ${MIN_CODE_VERIFIER_LENGTH} and ${MAX_CODE_VERIFIER_LENGTH} characters (got ${length})`
+    );
+  }
+  const bytesNeeded = Math.ceil(length * 6 / 8);
+  const bytes = randomBytes(bytesNeeded);
+  return base64urlEncode(bytes).slice(0, length);
+}
+function generateCodeChallenge(codeVerifier) {
+  const verifierBytes = new TextEncoder().encode(codeVerifier);
+  const hash = sha256(verifierBytes);
+  return base64urlEncode(hash);
+}
+function verifyCodeChallenge(codeVerifier, codeChallenge) {
+  const computedChallenge = generateCodeChallenge(codeVerifier);
+  return computedChallenge === codeChallenge;
+}
+function generatePkcePair(length = DEFAULT_CODE_VERIFIER_LENGTH) {
+  const codeVerifier = generateCodeVerifier(length);
+  const codeChallenge = generateCodeChallenge(codeVerifier);
+  return { codeVerifier, codeChallenge };
+}
+function isValidCodeVerifier(value) {
+  if (value.length < MIN_CODE_VERIFIER_LENGTH || value.length > MAX_CODE_VERIFIER_LENGTH) {
+    return false;
+  }
+  return /^[A-Za-z0-9\-._~]+$/.test(value);
+}
+function isValidCodeChallenge(value) {
+  if (value.length !== 43) {
+    return false;
+  }
+  return /^[A-Za-z0-9\-_]+$/.test(value);
+}
+
+// libs/utils/src/crypto/secret-persistence/schema.ts
+import { z } from "zod";
+var secretDataSchema = z.object({
+  secret: z.string().base64url().length(43),
+  // base64url of 32 bytes is exactly 43 chars
+  createdAt: z.number().positive().int(),
+  version: z.number().positive().int()
+}).strict();
+var MAX_CLOCK_DRIFT_MS = 6e4;
+var MAX_SECRET_AGE_MS = 100 * 365 * 24 * 60 * 60 * 1e3;
+function validateSecretData(data) {
+  const result = secretDataSchema.safeParse(data);
+  if (!result.success) {
+    return {
+      valid: false,
+      error: result.error.issues[0]?.message ?? "Invalid secret structure"
+    };
+  }
+  const parsed = result.data;
+  const now = Date.now();
+  if (parsed.createdAt > now + MAX_CLOCK_DRIFT_MS) {
+    return { valid: false, error: "createdAt is in the future" };
+  }
+  if (parsed.createdAt < now - MAX_SECRET_AGE_MS) {
+    return { valid: false, error: "createdAt is too old" };
+  }
+  return { valid: true };
+}
+function parseSecretData(data) {
+  const validation = validateSecretData(data);
+  if (!validation.valid) {
+    return null;
+  }
+  return data;
+}
+
+// libs/utils/src/crypto/secret-persistence/persistence.ts
+import * as path from "path";
+var DEFAULT_SECRET_BYTES = 32;
+var DEFAULT_SECRET_DIR = ".frontmcp";
+function isSecretPersistenceEnabled(options) {
+  const isProduction2 = process.env["NODE_ENV"] === "production";
+  if (isProduction2) {
+    return options?.forceEnable === true;
+  }
+  return true;
+}
+function resolveSecretPath(options) {
+  if (options?.secretPath) {
+    if (path.isAbsolute(options.secretPath)) {
+      return options.secretPath;
+    }
+    return path.resolve(process.cwd(), options.secretPath);
+  }
+  const name = options?.name ?? "default";
+  const defaultPath = `${DEFAULT_SECRET_DIR}/${name}-secret.json`;
+  return path.resolve(process.cwd(), defaultPath);
+}
+var noop = () => {
+};
+function getLogger(options) {
+  if (options?.enableLogging === false) {
+    return { warn: noop, error: noop };
+  }
+  return options?.logger ?? { warn: console.warn, error: console.error };
+}
+function getLogPrefix(options) {
+  const name = options?.name ?? "Secret";
+  return `[${name}Persistence]`;
+}
+async function loadSecret(options) {
+  if (!isSecretPersistenceEnabled(options)) {
+    return null;
+  }
+  const secretPath = resolveSecretPath(options);
+  const logger = getLogger(options);
+  const prefix = getLogPrefix(options);
+  try {
+    const content = await readFile(secretPath);
+    const data = JSON.parse(content);
+    const validation = validateSecretData(data);
+    if (!validation.valid) {
+      logger.warn(`${prefix} Invalid secret file format at ${secretPath}: ${validation.error}, will regenerate`);
+      return null;
+    }
+    return data;
+  } catch (error) {
+    if (error.code === "ENOENT") {
+      return null;
+    }
+    logger.warn(`${prefix} Failed to load secret from ${secretPath}: ${error.message}`);
+    return null;
+  }
+}
+async function saveSecret(secretData, options) {
+  if (!isSecretPersistenceEnabled(options)) {
+    return true;
+  }
+  const secretPath = resolveSecretPath(options);
+  const dir = path.dirname(secretPath);
+  const tempPath = `${secretPath}.tmp.${Date.now()}.${base64urlEncode(randomBytes(8))}`;
+  const logger = getLogger(options);
+  const prefix = getLogPrefix(options);
+  try {
+    await mkdir(dir, { recursive: true, mode: 448 });
+    const content = JSON.stringify(secretData, null, 2);
+    await writeFile(tempPath, content, { mode: 384 });
+    await rename(tempPath, secretPath);
+    return true;
+  } catch (error) {
+    logger.error(`${prefix} Failed to save secret to ${secretPath}: ${error.message}`);
+    try {
+      await unlink(tempPath);
+    } catch {
+    }
+    return false;
+  }
+}
+async function deleteSecret(options) {
+  const secretPath = resolveSecretPath(options);
+  const logger = getLogger(options);
+  const prefix = getLogPrefix(options);
+  try {
+    await unlink(secretPath);
+    return true;
+  } catch (error) {
+    if (error.code === "ENOENT") {
+      return true;
+    }
+    logger.warn(`${prefix} Failed to delete secret at ${secretPath}: ${error.message}`);
+    return false;
+  }
+}
+function generateSecret(bytes = DEFAULT_SECRET_BYTES) {
+  return base64urlEncode(randomBytes(bytes));
+}
+function createSecretData(options) {
+  const secretBytes = options?.secretBytes ?? DEFAULT_SECRET_BYTES;
+  return {
+    secret: generateSecret(secretBytes),
+    createdAt: Date.now(),
+    version: 1
+  };
+}
+var secretCache = /* @__PURE__ */ new Map();
+var generationPromises = /* @__PURE__ */ new Map();
+async function getOrCreateSecret(options) {
+  const cacheKey = resolveSecretPath(options);
+  const cached = secretCache.get(cacheKey);
+  if (cached) {
+    return cached;
+  }
+  const existing = generationPromises.get(cacheKey);
+  if (existing) {
+    return existing;
+  }
+  const promise = (async () => {
+    try {
+      const loaded = await loadSecret(options);
+      if (loaded) {
+        secretCache.set(cacheKey, loaded.secret);
+        return loaded.secret;
+      }
+      const secretData = createSecretData(options);
+      if (isSecretPersistenceEnabled(options)) {
+        await saveSecret(secretData, options);
+      }
+      secretCache.set(cacheKey, secretData.secret);
+      return secretData.secret;
+    } finally {
+      generationPromises.delete(cacheKey);
+    }
+  })();
+  generationPromises.set(cacheKey, promise);
+  return promise;
+}
+function clearCachedSecret(options) {
+  if (options) {
+    const cacheKey = resolveSecretPath(options);
+    secretCache.delete(cacheKey);
+  } else {
+    secretCache.clear();
+  }
+}
+function isSecretCached(options) {
+  const cacheKey = resolveSecretPath(options);
+  return secretCache.has(cacheKey);
+}
+
+// libs/utils/src/crypto/index.ts
+var _provider = null;
+function getCrypto() {
+  if (!_provider) {
+    if (isNode()) {
+      _provider = (init_node(), __toCommonJS(node_exports)).nodeCrypto;
+    } else {
+      _provider = (init_browser(), __toCommonJS(browser_exports)).browserCrypto;
+    }
+  }
+  return _provider;
+}
+function rsaVerify2(jwtAlg, data, publicJwk, signature) {
+  assertNode("rsaVerify");
+  return (init_node(), __toCommonJS(node_exports)).rsaVerify(jwtAlg, data, publicJwk, signature);
+}
+function randomUUID() {
+  return getCrypto().randomUUID();
+}
+function randomBytes(length) {
+  if (!Number.isInteger(length) || length <= 0) {
+    throw new Error(`randomBytes length must be a positive integer, got ${length}`);
+  }
+  return getCrypto().randomBytes(length);
+}
+function sha256(data) {
+  return getCrypto().sha256(data);
+}
+function sha256Hex(data) {
+  return getCrypto().sha256Hex(data);
+}
+function hmacSha256(key, data) {
+  return getCrypto().hmacSha256(key, data);
+}
+var HKDF_SHA256_MAX_LENGTH = 255 * 32;
+function hkdfSha256(ikm, salt, info, length) {
+  if (!Number.isInteger(length) || length <= 0) {
+    throw new Error(`HKDF length must be a positive integer, got ${length}`);
+  }
+  if (length > HKDF_SHA256_MAX_LENGTH) {
+    throw new Error(`HKDF-SHA256 length cannot exceed ${HKDF_SHA256_MAX_LENGTH} bytes, got ${length}`);
+  }
+  return getCrypto().hkdfSha256(ikm, salt, info, length);
+}
+function encryptAesGcm(key, plaintext, iv) {
+  if (key.length !== 32) {
+    throw new Error(`AES-256-GCM requires a 32-byte key, got ${key.length} bytes`);
+  }
+  if (iv.length !== 12) {
+    throw new Error(`AES-GCM requires a 12-byte IV, got ${iv.length} bytes`);
+  }
+  return getCrypto().encryptAesGcm(key, plaintext, iv);
+}
+function decryptAesGcm(key, ciphertext, iv, tag) {
+  if (key.length !== 32) {
+    throw new Error(`AES-256-GCM requires a 32-byte key, got ${key.length} bytes`);
+  }
+  if (iv.length !== 12) {
+    throw new Error(`AES-GCM requires a 12-byte IV, got ${iv.length} bytes`);
+  }
+  if (tag.length !== 16) {
+    throw new Error(`AES-GCM requires a 16-byte authentication tag, got ${tag.length} bytes`);
+  }
+  return getCrypto().decryptAesGcm(key, ciphertext, iv, tag);
+}
+function timingSafeEqual(a, b) {
+  if (a.length !== b.length) {
+    throw new Error(`timingSafeEqual requires equal-length arrays, got ${a.length} and ${b.length} bytes`);
+  }
+  return getCrypto().timingSafeEqual(a, b);
+}
+function bytesToHex(data) {
+  return Array.from(data).map((b) => b.toString(16).padStart(2, "0")).join("");
+}
+function base64urlEncode(data) {
+  let base64;
+  if (typeof Buffer !== "undefined") {
+    base64 = Buffer.from(data).toString("base64");
+  } else {
+    const binString = Array.from(data, (byte) => String.fromCodePoint(byte)).join("");
+    base64 = btoa(binString);
+  }
+  return base64.replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
+}
+function base64urlDecode(data) {
+  let base64 = data.replace(/-/g, "+").replace(/_/g, "/");
+  const pad = base64.length % 4;
+  if (pad) {
+    base64 += "=".repeat(4 - pad);
+  }
+  if (typeof Buffer !== "undefined") {
+    return new Uint8Array(Buffer.from(base64, "base64"));
+  } else {
+    const binString = atob(base64);
+    return Uint8Array.from(binString, (c) => c.codePointAt(0) ?? 0);
+  }
+}
+function sha256Base64url(data) {
+  return base64urlEncode(sha256(data));
+}
+
+// libs/utils/src/storage/factory.ts
+init_errors();
+
+// libs/utils/src/storage/namespace.ts
+var NAMESPACE_SEPARATOR = ":";
+function buildPrefix(name, id) {
+  if (id) {
+    return `${name}${NAMESPACE_SEPARATOR}${id}${NAMESPACE_SEPARATOR}`;
+  }
+  return `${name}${NAMESPACE_SEPARATOR}`;
+}
+var NamespacedStorageImpl = class _NamespacedStorageImpl {
+  constructor(adapter, prefix = "", root = adapter) {
+    this.adapter = adapter;
+    this.prefix = prefix;
+    this.root = root;
+  }
+  // ============================================
+  // Key Prefixing Helpers
+  // ============================================
+  /**
+   * Add prefix to a key.
+   */
+  prefixKey(key) {
+    return this.prefix + key;
+  }
+  /**
+   * Remove prefix from a key.
+   */
+  unprefixKey(key) {
+    if (this.prefix && key.startsWith(this.prefix)) {
+      return key.slice(this.prefix.length);
+    }
+    return key;
+  }
+  /**
+   * Add prefix to a pattern (for keys() operation).
+   */
+  prefixPattern(pattern) {
+    return this.prefix + pattern;
+  }
+  /**
+   * Add prefix to a channel (for pub/sub).
+   */
+  prefixChannel(channel) {
+    return this.prefix + channel;
+  }
+  // ============================================
+  // Namespace API
+  // ============================================
+  namespace(name, id) {
+    const newPrefix = this.prefix + buildPrefix(name, id);
+    return new _NamespacedStorageImpl(this.adapter, newPrefix, this.root);
+  }
+  // ============================================
+  // Connection Lifecycle (delegated to root)
+  // ============================================
+  async connect() {
+    return this.adapter.connect();
+  }
+  async disconnect() {
+    return this.adapter.disconnect();
+  }
+  async ping() {
+    return this.adapter.ping();
+  }
+  // ============================================
+  // Core Operations (with prefixing)
+  // ============================================
+  async get(key) {
+    return this.adapter.get(this.prefixKey(key));
+  }
+  async set(key, value, options) {
+    return this.adapter.set(this.prefixKey(key), value, options);
+  }
+  async delete(key) {
+    return this.adapter.delete(this.prefixKey(key));
+  }
+  async exists(key) {
+    return this.adapter.exists(this.prefixKey(key));
+  }
+  // ============================================
+  // Batch Operations (with prefixing)
+  // ============================================
+  async mget(keys) {
+    const prefixedKeys = keys.map((k) => this.prefixKey(k));
+    return this.adapter.mget(prefixedKeys);
+  }
+  async mset(entries) {
+    const prefixedEntries = entries.map((e) => ({
+      ...e,
+      key: this.prefixKey(e.key)
+    }));
+    return this.adapter.mset(prefixedEntries);
+  }
+  async mdelete(keys) {
+    const prefixedKeys = keys.map((k) => this.prefixKey(k));
+    return this.adapter.mdelete(prefixedKeys);
+  }
+  // ============================================
+  // TTL Operations (with prefixing)
+  // ============================================
+  async expire(key, ttlSeconds) {
+    return this.adapter.expire(this.prefixKey(key), ttlSeconds);
+  }
+  async ttl(key) {
+    return this.adapter.ttl(this.prefixKey(key));
+  }
+  // ============================================
+  // Key Enumeration (with prefixing)
+  // ============================================
+  async keys(pattern = "*") {
+    const prefixedPattern = this.prefixPattern(pattern);
+    const keys = await this.adapter.keys(prefixedPattern);
+    return keys.map((k) => this.unprefixKey(k));
+  }
+  async count(pattern = "*") {
+    const prefixedPattern = this.prefixPattern(pattern);
+    return this.adapter.count(prefixedPattern);
+  }
+  // ============================================
+  // Atomic Operations (with prefixing)
+  // ============================================
+  async incr(key) {
+    return this.adapter.incr(this.prefixKey(key));
+  }
+  async decr(key) {
+    return this.adapter.decr(this.prefixKey(key));
+  }
+  async incrBy(key, amount) {
+    return this.adapter.incrBy(this.prefixKey(key), amount);
+  }
+  // ============================================
+  // Pub/Sub (with channel prefixing)
+  // ============================================
+  async publish(channel, message) {
+    return this.adapter.publish(this.prefixChannel(channel), message);
+  }
+  async subscribe(channel, handler) {
+    const prefixedChannel = this.prefixChannel(channel);
+    const wrappedHandler = (message, ch) => {
+      const unprefixedChannel = ch.startsWith(this.prefix) ? ch.slice(this.prefix.length) : ch;
+      handler(message, unprefixedChannel);
+    };
+    return this.adapter.subscribe(prefixedChannel, wrappedHandler);
+  }
+  supportsPubSub() {
+    return this.adapter.supportsPubSub();
+  }
+};
+function createRootStorage(adapter) {
+  return new NamespacedStorageImpl(adapter, "", adapter);
+}
+function createNamespacedStorage(adapter, prefix) {
+  const normalizedPrefix = prefix && !prefix.endsWith(NAMESPACE_SEPARATOR) ? prefix + NAMESPACE_SEPARATOR : prefix;
+  return new NamespacedStorageImpl(adapter, normalizedPrefix, adapter);
+}
+
+// libs/utils/src/storage/adapters/memory.ts
+init_base();
+init_errors();
+import { EventEmitter } from "events";
+
+// libs/utils/src/storage/utils/pattern.ts
+init_errors();
+var MAX_PATTERN_LENGTH = 500;
+var MAX_WILDCARDS = 20;
+var REGEX_SPECIAL_CHARS = /[.+^${}()|[\]\\]/g;
+function globToRegex(pattern) {
+  if (pattern.length > MAX_PATTERN_LENGTH) {
+    throw new StoragePatternError(
+      pattern.substring(0, 50) + "...",
+      `Pattern exceeds maximum length of ${MAX_PATTERN_LENGTH} characters`
+    );
+  }
+  const wildcardCount = (pattern.match(/[*?]/g) || []).length;
+  if (wildcardCount > MAX_WILDCARDS) {
+    throw new StoragePatternError(pattern, `Pattern has too many wildcards (max: ${MAX_WILDCARDS})`);
+  }
+  if (pattern === "" || pattern === "*") {
+    return /^.*$/;
+  }
+  let regexStr = "^";
+  let prevChar = "";
+  for (let i = 0; i < pattern.length; i++) {
+    const char = pattern[i];
+    switch (char) {
+      case "*":
+        if (prevChar !== "*") {
+          regexStr += ".*";
+        }
+        break;
+      case "?":
+        regexStr += ".";
+        break;
+      default:
+        regexStr += char.replace(REGEX_SPECIAL_CHARS, "\\$&");
+    }
+    prevChar = char;
+  }
+  regexStr += "$";
+  try {
+    return new RegExp(regexStr);
+  } catch {
+    throw new StoragePatternError(pattern, "Failed to compile pattern to regex");
+  }
+}
+function matchesPattern(key, pattern) {
+  const regex = globToRegex(pattern);
+  return regex.test(key);
+}
+function validatePattern(pattern) {
+  try {
+    globToRegex(pattern);
+    return { valid: true };
+  } catch (e) {
+    return {
+      valid: false,
+      error: e instanceof Error ? e.message : "Invalid pattern"
+    };
+  }
+}
+function escapeGlob(literal) {
+  return literal.replace(/[*?\\]/g, "\\$&");
+}
+
+// libs/utils/src/storage/adapters/memory.ts
+init_ttl();
+var DEFAULT_SWEEP_INTERVAL_SECONDS = 60;
+var MAX_TIMEOUT_MS = 2147483647;
+var MemoryStorageAdapter = class extends BaseStorageAdapter {
+  backendName = "memory";
+  store = /* @__PURE__ */ new Map();
+  emitter = new EventEmitter();
+  sweepInterval;
+  options;
+  // LRU tracking (simple linked list via insertion order in Map)
+  accessOrder = [];
+  constructor(options = {}) {
+    super();
+    this.options = {
+      enableSweeper: options.enableSweeper ?? true,
+      sweepIntervalSeconds: options.sweepIntervalSeconds ?? DEFAULT_SWEEP_INTERVAL_SECONDS,
+      maxEntries: options.maxEntries ?? 0
+      // 0 = unlimited
+    };
+    this.emitter.setMaxListeners(1e3);
+  }
+  // ============================================
+  // Connection Lifecycle
+  // ============================================
+  async connect() {
+    if (this.connected) return;
+    this.connected = true;
+    if (this.options.enableSweeper && this.options.sweepIntervalSeconds > 0) {
+      this.startSweeper();
+    }
+  }
+  async disconnect() {
+    if (!this.connected) return;
+    this.stopSweeper();
+    this.clearAllTimeouts();
+    this.store.clear();
+    this.accessOrder = [];
+    this.emitter.removeAllListeners();
+    this.connected = false;
+  }
+  async ping() {
+    return this.connected;
+  }
+  // ============================================
+  // Core Operations
+  // ============================================
+  async get(key) {
+    this.ensureConnected();
+    const entry = this.store.get(key);
+    if (!entry) return null;
+    if (isExpired(entry.expiresAt)) {
+      this.deleteEntry(key);
+      return null;
+    }
+    this.touchLRU(key);
+    return entry.value;
+  }
+  async doSet(key, value, options) {
+    const existingEntry = this.store.get(key);
+    const exists = existingEntry !== void 0 && !isExpired(existingEntry.expiresAt);
+    if (options?.ifNotExists && exists) {
+      return;
+    }
+    if (options?.ifExists && !exists) {
+      return;
+    }
+    this.clearEntryTimeout(key);
+    const entry = { value };
+    if (options?.ttlSeconds) {
+      entry.expiresAt = ttlToExpiresAt(options.ttlSeconds);
+      const ttlMs = options.ttlSeconds * 1e3;
+      if (ttlMs < MAX_TIMEOUT_MS) {
+        entry.timeout = setTimeout(() => {
+          this.deleteEntry(key);
+        }, ttlMs);
+        if (entry.timeout.unref) {
+          entry.timeout.unref();
+        }
+      }
+    }
+    if (this.options.maxEntries > 0 && !this.store.has(key)) {
+      while (this.store.size >= this.options.maxEntries) {
+        this.evictOldest();
+      }
+    }
+    this.store.set(key, entry);
+    this.touchLRU(key);
+  }
+  async delete(key) {
+    this.ensureConnected();
+    return this.deleteEntry(key);
+  }
+  async exists(key) {
+    this.ensureConnected();
+    const entry = this.store.get(key);
+    if (!entry) return false;
+    if (isExpired(entry.expiresAt)) {
+      this.deleteEntry(key);
+      return false;
+    }
+    return true;
+  }
+  // ============================================
+  // TTL Operations
+  // ============================================
+  async expire(key, ttlSeconds) {
+    this.ensureConnected();
+    validateTTL(ttlSeconds);
+    const entry = this.store.get(key);
+    if (!entry || isExpired(entry.expiresAt)) {
+      return false;
+    }
+    this.clearEntryTimeout(key);
+    entry.expiresAt = ttlToExpiresAt(ttlSeconds);
+    const ttlMs = ttlSeconds * 1e3;
+    if (ttlMs < MAX_TIMEOUT_MS) {
+      entry.timeout = setTimeout(() => {
+        this.deleteEntry(key);
+      }, ttlMs);
+      if (entry.timeout.unref) {
+        entry.timeout.unref();
+      }
+    }
+    return true;
+  }
+  async ttl(key) {
+    this.ensureConnected();
+    const entry = this.store.get(key);
+    if (!entry) return null;
+    if (isExpired(entry.expiresAt)) {
+      this.deleteEntry(key);
+      return null;
+    }
+    if (entry.expiresAt === void 0) {
+      return -1;
+    }
+    return expiresAtToTTL(entry.expiresAt);
+  }
+  // ============================================
+  // Key Enumeration
+  // ============================================
+  async keys(pattern = "*") {
+    this.ensureConnected();
+    const regex = globToRegex(pattern);
+    const result = [];
+    for (const [key, entry] of this.store) {
+      if (isExpired(entry.expiresAt)) {
+        this.deleteEntry(key);
+        continue;
+      }
+      if (regex.test(key)) {
+        result.push(key);
+      }
+    }
+    return result;
+  }
+  // ============================================
+  // Atomic Operations
+  // ============================================
+  async incr(key) {
+    return this.incrBy(key, 1);
+  }
+  async decr(key) {
+    return this.incrBy(key, -1);
+  }
+  async incrBy(key, amount) {
+    this.ensureConnected();
+    const entry = this.store.get(key);
+    let currentValue = 0;
+    if (entry && !isExpired(entry.expiresAt)) {
+      const parsed = parseInt(entry.value, 10);
+      if (isNaN(parsed)) {
+        throw new StorageOperationError("incrBy", key, "Value is not an integer");
+      }
+      currentValue = parsed;
+    }
+    const newValue = currentValue + amount;
+    const newEntry = { value: String(newValue) };
+    if (entry?.expiresAt && !isExpired(entry.expiresAt)) {
+      newEntry.expiresAt = entry.expiresAt;
+      const remainingMs = entry.expiresAt - Date.now();
+      if (remainingMs > 0 && remainingMs < MAX_TIMEOUT_MS) {
+        this.clearEntryTimeout(key);
+        newEntry.timeout = setTimeout(() => {
+          this.deleteEntry(key);
+        }, remainingMs);
+        if (newEntry.timeout.unref) {
+          newEntry.timeout.unref();
+        }
+      }
+    }
+    this.store.set(key, newEntry);
+    this.touchLRU(key);
+    return newValue;
+  }
+  // ============================================
+  // Pub/Sub
+  // ============================================
+  supportsPubSub() {
+    return true;
+  }
+  async publish(channel, message) {
+    this.ensureConnected();
+    return this.emitter.listenerCount(channel) > 0 ? (this.emitter.emit(channel, message, channel), this.emitter.listenerCount(channel)) : 0;
+  }
+  async subscribe(channel, handler) {
+    this.ensureConnected();
+    const wrappedHandler = (message, ch) => {
+      handler(message, ch);
+    };
+    this.emitter.on(channel, wrappedHandler);
+    return async () => {
+      this.emitter.off(channel, wrappedHandler);
+    };
+  }
+  // ============================================
+  // Internal Helpers
+  // ============================================
+  /**
+   * Delete an entry and clear its timeout.
+   */
+  deleteEntry(key) {
+    const entry = this.store.get(key);
+    if (!entry) return false;
+    this.clearEntryTimeout(key);
+    this.store.delete(key);
+    this.removeLRU(key);
+    return true;
+  }
+  /**
+   * Clear timeout for an entry.
+   */
+  clearEntryTimeout(key) {
+    const entry = this.store.get(key);
+    if (entry?.timeout) {
+      clearTimeout(entry.timeout);
+      entry.timeout = void 0;
+    }
+  }
+  /**
+   * Clear all timeouts.
+   */
+  clearAllTimeouts() {
+    for (const [key] of this.store) {
+      this.clearEntryTimeout(key);
+    }
+  }
+  /**
+   * Update LRU access order.
+   */
+  touchLRU(key) {
+    if (this.options.maxEntries <= 0) return;
+    const idx = this.accessOrder.indexOf(key);
+    if (idx !== -1) {
+      this.accessOrder.splice(idx, 1);
+    }
+    this.accessOrder.push(key);
+  }
+  /**
+   * Remove key from LRU tracking.
+   */
+  removeLRU(key) {
+    if (this.options.maxEntries <= 0) return;
+    const idx = this.accessOrder.indexOf(key);
+    if (idx !== -1) {
+      this.accessOrder.splice(idx, 1);
+    }
+  }
+  /**
+   * Evict oldest entry (LRU).
+   */
+  evictOldest() {
+    if (this.accessOrder.length === 0) return;
+    const oldestKey = this.accessOrder.shift();
+    if (oldestKey) {
+      this.deleteEntry(oldestKey);
+    }
+  }
+  /**
+   * Start background sweeper.
+   */
+  startSweeper() {
+    this.sweepInterval = setInterval(() => {
+      this.sweep();
+    }, this.options.sweepIntervalSeconds * 1e3);
+    if (this.sweepInterval.unref) {
+      this.sweepInterval.unref();
+    }
+  }
+  /**
+   * Stop background sweeper.
+   */
+  stopSweeper() {
+    if (this.sweepInterval) {
+      clearInterval(this.sweepInterval);
+      this.sweepInterval = void 0;
+    }
+  }
+  /**
+   * Sweep expired entries.
+   */
+  sweep() {
+    const now = Date.now();
+    for (const [key, entry] of this.store) {
+      if (entry.expiresAt && now >= entry.expiresAt) {
+        this.deleteEntry(key);
+      }
+    }
+  }
+  // ============================================
+  // Stats (for debugging)
+  // ============================================
+  /**
+   * Get storage statistics.
+   */
+  getStats() {
+    return {
+      size: this.store.size,
+      maxEntries: this.options.maxEntries,
+      sweeperActive: this.sweepInterval !== void 0
+    };
+  }
+};
+
+// libs/utils/src/storage/factory.ts
+function isProduction() {
+  return process.env["NODE_ENV"] === "production";
+}
+function detectStorageType() {
+  if (process.env["UPSTASH_REDIS_REST_URL"] && process.env["UPSTASH_REDIS_REST_TOKEN"]) {
+    return "upstash";
+  }
+  if (process.env["KV_REST_API_URL"] && process.env["KV_REST_API_TOKEN"]) {
+    return "vercel-kv";
+  }
+  if (process.env["REDIS_URL"] || process.env["REDIS_HOST"]) {
+    return "redis";
+  }
+  return "memory";
+}
+async function createAdapter(type, config) {
+  switch (type) {
+    case "memory": {
+      return new MemoryStorageAdapter(config.memory);
+    }
+    case "redis": {
+      const { RedisStorageAdapter: RedisStorageAdapter2 } = await Promise.resolve().then(() => (init_redis(), redis_exports));
+      return new RedisStorageAdapter2(config.redis);
+    }
+    case "vercel-kv": {
+      const { VercelKvStorageAdapter: VercelKvStorageAdapter2 } = await Promise.resolve().then(() => (init_vercel_kv(), vercel_kv_exports));
+      return new VercelKvStorageAdapter2(config.vercelKv);
+    }
+    case "upstash": {
+      const { UpstashStorageAdapter: UpstashStorageAdapter2 } = await Promise.resolve().then(() => (init_upstash(), upstash_exports));
+      return new UpstashStorageAdapter2(config.upstash);
+    }
+    case "auto":
+      throw new StorageConfigError("auto", "Auto type should be resolved before calling createAdapter");
+    default:
+      throw new StorageConfigError("unknown", `Unknown storage type: ${type}`);
+  }
+}
+async function createStorage(config = {}) {
+  let type = config.type ?? "auto";
+  const fallback = config.fallback ?? (isProduction() ? "error" : "memory");
+  if (type === "auto") {
+    type = detectStorageType();
+    if (type === "memory" && isProduction()) {
+      console.warn(
+        "[storage] Warning: No distributed storage backend detected in production. Using in-memory storage. Set REDIS_URL, UPSTASH_REDIS_REST_URL, or KV_REST_API_URL."
+      );
+    }
+  }
+  let adapter;
+  try {
+    adapter = await createAdapter(type, config);
+  } catch (e) {
+    if (fallback === "memory" && type !== "memory") {
+      console.warn(
+        `[storage] Warning: Failed to create ${type} adapter, falling back to memory. Error: ${e instanceof Error ? e.message : String(e)}`
+      );
+      adapter = new MemoryStorageAdapter(config.memory);
+    } else {
+      throw e;
+    }
+  }
+  try {
+    await adapter.connect();
+  } catch (e) {
+    if (fallback === "memory" && type !== "memory") {
+      console.warn(
+        `[storage] Warning: Failed to connect to ${type}, falling back to memory. Error: ${e instanceof Error ? e.message : String(e)}`
+      );
+      adapter = new MemoryStorageAdapter(config.memory);
+      await adapter.connect();
+    } else {
+      throw e;
+    }
+  }
+  if (config.prefix) {
+    return createNamespacedStorage(adapter, config.prefix);
+  }
+  return createRootStorage(adapter);
+}
+function createMemoryStorage(config = {}) {
+  const adapter = new MemoryStorageAdapter(config);
+  if (config.prefix) {
+    return createNamespacedStorage(adapter, config.prefix);
+  }
+  return createRootStorage(adapter);
+}
+function getDetectedStorageType() {
+  return detectStorageType();
+}
+
+// libs/utils/src/storage/index.ts
+init_errors();
+
+// libs/utils/src/storage/adapters/index.ts
+init_base();
+init_redis();
+init_vercel_kv();
+init_upstash();
+
+// libs/utils/src/storage/index.ts
+init_ttl();
+export {
+  BaseStorageAdapter,
+  DEFAULT_CODE_VERIFIER_LENGTH,
+  DEFAULT_MAX_INPUT_LENGTH,
+  EncryptedBlobError,
+  MAX_CODE_VERIFIER_LENGTH,
+  MAX_TTL_SECONDS,
+  MIN_CODE_VERIFIER_LENGTH,
+  MemoryStorageAdapter,
+  NAMESPACE_SEPARATOR,
+  NamespacedStorageImpl,
+  PkceError,
+  REDOS_THRESHOLDS,
+  RedisStorageAdapter,
+  StorageConfigError,
+  StorageConnectionError,
+  StorageError,
+  StorageNotConnectedError,
+  StorageNotSupportedError,
+  StorageOperationError,
+  StoragePatternError,
+  StorageTTLError,
+  UpstashStorageAdapter,
+  VercelKvStorageAdapter,
+  access,
+  analyzePattern,
+  assertNode,
+  base64urlDecode,
+  base64urlEncode,
+  buildPrefix,
+  bytesToHex,
+  clearCachedSecret,
+  collapseChar,
+  collapseWhitespace,
+  copyFile,
+  cp,
+  createMemoryStorage,
+  createNamespacedStorage,
+  createRootStorage,
+  createSafeRegExp,
+  createSecretData,
+  createStorage,
+  decryptAesGcm,
+  decryptValue,
+  deleteSecret,
+  deserializeAndDecrypt,
+  deserializeBlob,
+  encryptAesGcm,
+  encryptAndSerialize,
+  encryptValue,
+  ensureDir,
+  ensureMaxLen,
+  escapeGlob,
+  escapeHtml,
+  escapeHtmlAttr,
+  escapeJsString,
+  escapeScriptClose,
+  expandTemplate,
+  expandUriTemplate,
+  expiresAtToTTL,
+  extractBracedParams,
+  extractTemplateParams,
+  extractUriScheme,
+  fileExists,
+  generateCodeChallenge,
+  generateCodeVerifier,
+  generatePkcePair,
+  generateSecret,
+  getCrypto,
+  getDetectedStorageType,
+  getOrCreateSecret,
+  globToRegex,
+  hasTemplatePlaceholders,
+  hkdfSha256,
+  hmacSha256,
+  idFromString,
+  inferMimeType,
+  isBrowser,
+  isDirEmpty,
+  isExpired,
+  isInputLengthSafe,
+  isNode,
+  isPatternSafe,
+  isRsaPssAlg,
+  isSecretCached,
+  isSecretPersistenceEnabled,
+  isUriTemplate,
+  isValidCodeChallenge,
+  isValidCodeVerifier,
+  isValidEncryptedBlob,
+  isValidMcpUri,
+  isValidMcpUriTemplate,
+  joinPath,
+  jwtAlgToNodeAlg,
+  loadSecret,
+  matchUriTemplate,
+  matchesPattern,
+  mkdir,
+  mkdtemp,
+  normalizeTTL,
+  parseSecretData,
+  parseUriTemplate,
+  randomBytes,
+  randomUUID,
+  readFile,
+  readFileBuffer,
+  readJSON,
+  readdir,
+  rename,
+  resolveSecretPath,
+  rm,
+  rsaVerify2 as rsaVerify,
+  runCmd,
+  safeExec,
+  safeJsonForScript,
+  safeMatch,
+  safeReplace,
+  safeStringify,
+  safeTest,
+  sanitizeToJson,
+  saveSecret,
+  secretDataSchema,
+  sepFor,
+  serializeBlob,
+  sha256,
+  sha256Base64url,
+  sha256Hex,
+  shortHash,
+  splitWords,
+  stat,
+  timingSafeEqual,
+  toCase,
+  trimBoth,
+  trimChars,
+  trimLeading,
+  trimSlashes,
+  trimTrailing,
+  tryDecryptValue,
+  tryDeserializeAndDecrypt,
+  tryDeserializeBlob,
+  ttlToExpiresAt,
+  unlink,
+  validateBaseUrl,
+  validateOptionalTTL,
+  validatePattern,
+  validateSecretData,
+  validateTTL,
+  verifyCodeChallenge,
+  writeFile,
+  writeJSON
+};