npm - @frontmcp/utils - Versions diffs - 0.7.2 → 0.8.1 - Mend

@frontmcp/utils 0.7.2 → 0.8.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (23) hide show

package/crypto/hmac-signing.d.ts +96 -0
package/crypto/index.d.ts +11 -0
package/crypto/key-persistence/factory.d.ts +58 -0
package/crypto/key-persistence/index.d.ts +35 -0
package/crypto/key-persistence/key-persistence.d.ts +143 -0
package/crypto/key-persistence/schemas.d.ts +180 -0
package/crypto/key-persistence/types.d.ts +120 -0
package/esm/index.mjs +1778 -583
package/esm/package.json +17 -2
package/fs/fs.d.ts +16 -0
package/fs/index.d.ts +1 -1
package/index.d.ts +3 -3
package/index.js +1802 -585
package/package.json +17 -2
package/regex/safe-regex.d.ts +1 -1
package/storage/adapters/filesystem.d.ts +144 -0
package/storage/adapters/index.d.ts +2 -0
package/storage/encrypted-typed-storage.d.ts +196 -0
package/storage/encrypted-typed-storage.types.d.ts +139 -0
package/storage/errors.d.ts +11 -0
package/storage/index.d.ts +7 -2
package/storage/typed-storage.d.ts +129 -0
package/storage/typed-storage.types.d.ts +47 -0

package/esm/index.mjs CHANGED Viewed

@@ -52,219 +52,8 @@ var init_jwt_alg = __esm({
   }
 });
-// libs/utils/src/crypto/node.ts
-var node_exports = {};
-__export(node_exports, {
-  createSignedJwt: () => createSignedJwt,
-  generateRsaKeyPair: () => generateRsaKeyPair,
-  isRsaPssAlg: () => isRsaPssAlg,
-  jwtAlgToNodeAlg: () => jwtAlgToNodeAlg,
-  nodeCrypto: () => nodeCrypto,
-  rsaSign: () => rsaSign,
-  rsaVerify: () => rsaVerify
-});
-import crypto2 from "node:crypto";
-function toUint8Array(buf) {
-  return new Uint8Array(buf.buffer, buf.byteOffset, buf.byteLength);
-}
-function toBuffer(data) {
-  if (typeof data === "string") {
-    return Buffer.from(data, "utf8");
-  }
-  return Buffer.from(data);
-}
-function generateRsaKeyPair(modulusLength = 2048, alg = "RS256") {
-  const kid = `rsa-key-${Date.now()}-${crypto2.randomBytes(8).toString("hex")}`;
-  const { privateKey, publicKey } = crypto2.generateKeyPairSync("rsa", {
-    modulusLength
-  });
-  const exported = publicKey.export({ format: "jwk" });
-  const publicJwk = {
-    ...exported,
-    kid,
-    alg,
-    use: "sig",
-    kty: "RSA"
-  };
-  return { privateKey, publicKey, publicJwk };
-}
-function rsaSign(algorithm, data, privateKey, options) {
-  const signingKey = options ? { key: privateKey, ...options } : privateKey;
-  return crypto2.sign(algorithm, data, signingKey);
-}
-function rsaVerify(jwtAlg, data, publicJwk, signature) {
-  const publicKey = crypto2.createPublicKey({ key: publicJwk, format: "jwk" });
-  const nodeAlgorithm = jwtAlgToNodeAlg(jwtAlg);
-  const verifyKey = isRsaPssAlg(jwtAlg) ? {
-    key: publicKey,
-    padding: crypto2.constants.RSA_PKCS1_PSS_PADDING,
-    saltLength: crypto2.constants.RSA_PSS_SALTLEN_DIGEST
-  } : publicKey;
-  return crypto2.verify(nodeAlgorithm, data, verifyKey, signature);
-}
-function createSignedJwt(payload, privateKey, kid, alg = "RS256") {
-  const header = { alg, typ: "JWT", kid };
-  const headerB64 = Buffer.from(JSON.stringify(header)).toString("base64url");
-  const payloadB64 = Buffer.from(JSON.stringify(payload)).toString("base64url");
-  const signatureInput = `${headerB64}.${payloadB64}`;
-  const nodeAlgorithm = jwtAlgToNodeAlg(alg);
-  const signature = rsaSign(
-    nodeAlgorithm,
-    Buffer.from(signatureInput),
-    privateKey,
-    isRsaPssAlg(alg) ? {
-      padding: crypto2.constants.RSA_PKCS1_PSS_PADDING,
-      saltLength: crypto2.constants.RSA_PSS_SALTLEN_DIGEST
-    } : void 0
-  );
-  const signatureB64 = signature.toString("base64url");
-  return `${headerB64}.${payloadB64}.${signatureB64}`;
-}
-var nodeCrypto;
-var init_node = __esm({
-  "libs/utils/src/crypto/node.ts"() {
-    "use strict";
-    init_jwt_alg();
-    init_jwt_alg();
-    nodeCrypto = {
-      randomUUID() {
-        return crypto2.randomUUID();
-      },
-      randomBytes(length) {
-        return toUint8Array(crypto2.randomBytes(length));
-      },
-      sha256(data) {
-        const hash = crypto2.createHash("sha256").update(toBuffer(data)).digest();
-        return toUint8Array(hash);
-      },
-      sha256Hex(data) {
-        return crypto2.createHash("sha256").update(toBuffer(data)).digest("hex");
-      },
-      hmacSha256(key, data) {
-        const hmac2 = crypto2.createHmac("sha256", Buffer.from(key)).update(Buffer.from(data)).digest();
-        return toUint8Array(hmac2);
-      },
-      hkdfSha256(ikm, salt, info, length) {
-        const ikmBuf = Buffer.from(ikm);
-        const saltBuf = salt.length > 0 ? Buffer.from(salt) : Buffer.alloc(32);
-        const prk = crypto2.createHmac("sha256", saltBuf).update(ikmBuf).digest();
-        const hashLen = 32;
-        const n = Math.ceil(length / hashLen);
-        const chunks = [];
-        let prev = Buffer.alloc(0);
-        for (let i = 1; i <= n; i++) {
-          prev = crypto2.createHmac("sha256", prk).update(Buffer.concat([prev, Buffer.from(info), Buffer.from([i])])).digest();
-          chunks.push(prev);
-        }
-        return toUint8Array(Buffer.concat(chunks).subarray(0, length));
-      },
-      encryptAesGcm(key, plaintext, iv) {
-        const cipher = crypto2.createCipheriv("aes-256-gcm", Buffer.from(key), Buffer.from(iv));
-        const encrypted = Buffer.concat([cipher.update(Buffer.from(plaintext)), cipher.final()]);
-        const tag = cipher.getAuthTag();
-        return {
-          ciphertext: toUint8Array(encrypted),
-          tag: toUint8Array(tag)
-        };
-      },
-      decryptAesGcm(key, ciphertext, iv, tag) {
-        const decipher = crypto2.createDecipheriv("aes-256-gcm", Buffer.from(key), Buffer.from(iv));
-        decipher.setAuthTag(Buffer.from(tag));
-        const decrypted = Buffer.concat([decipher.update(Buffer.from(ciphertext)), decipher.final()]);
-        return toUint8Array(decrypted);
-      },
-      timingSafeEqual(a, b) {
-        if (a.length !== b.length) return false;
-        return crypto2.timingSafeEqual(Buffer.from(a), Buffer.from(b));
-      }
-    };
-  }
-});
-// libs/utils/src/crypto/browser.ts
-var browser_exports = {};
-__export(browser_exports, {
-  browserCrypto: () => browserCrypto
-});
-import { sha256 as sha256Hash } from "@noble/hashes/sha2.js";
-import { hmac } from "@noble/hashes/hmac.js";
-import { hkdf } from "@noble/hashes/hkdf.js";
-import { randomBytes as nobleRandomBytes } from "@noble/hashes/utils.js";
-import { gcm } from "@noble/ciphers/aes.js";
-function toBytes(data) {
-  if (typeof data === "string") {
-    return new TextEncoder().encode(data);
-  }
-  return data;
-}
-function toHex(bytes) {
-  return Array.from(bytes).map((b) => b.toString(16).padStart(2, "0")).join("");
-}
-function generateUUID() {
-  if (typeof crypto !== "undefined" && typeof crypto.randomUUID === "function") {
-    return crypto.randomUUID();
-  }
-  const bytes = nobleRandomBytes(16);
-  bytes[6] = bytes[6] & 15 | 64;
-  bytes[8] = bytes[8] & 63 | 128;
-  const hex = toHex(bytes);
-  return `${hex.slice(0, 8)}-${hex.slice(8, 12)}-${hex.slice(12, 16)}-${hex.slice(16, 20)}-${hex.slice(20)}`;
-}
-function constantTimeEqual(a, b) {
-  if (a.length !== b.length) return false;
-  let result = 0;
-  for (let i = 0; i < a.length; i++) {
-    result |= a[i] ^ b[i];
-  }
-  return result === 0;
-}
-var browserCrypto;
-var init_browser = __esm({
-  "libs/utils/src/crypto/browser.ts"() {
-    "use strict";
-    browserCrypto = {
-      randomUUID() {
-        return generateUUID();
-      },
-      randomBytes(length) {
-        return nobleRandomBytes(length);
-      },
-      sha256(data) {
-        return sha256Hash(toBytes(data));
-      },
-      sha256Hex(data) {
-        return toHex(sha256Hash(toBytes(data)));
-      },
-      hmacSha256(key, data) {
-        return hmac(sha256Hash, key, data);
-      },
-      hkdfSha256(ikm, salt, info, length) {
-        const effectiveSalt = salt.length > 0 ? salt : new Uint8Array(32);
-        return hkdf(sha256Hash, ikm, effectiveSalt, info, length);
-      },
-      encryptAesGcm(key, plaintext, iv) {
-        const cipher = gcm(key, iv);
-        const sealed = cipher.encrypt(plaintext);
-        const ciphertext = sealed.slice(0, -16);
-        const tag = sealed.slice(-16);
-        return { ciphertext, tag };
-      },
-      decryptAesGcm(key, ciphertext, iv, tag) {
-        const cipher = gcm(key, iv);
-        const sealed = new Uint8Array(ciphertext.length + tag.length);
-        sealed.set(ciphertext);
-        sealed.set(tag, ciphertext.length);
-        return cipher.decrypt(sealed);
-      },
-      timingSafeEqual(a, b) {
-        return constantTimeEqual(a, b);
-      }
-    };
-  }
-});
 // libs/utils/src/storage/errors.ts
-var StorageError, StorageConnectionError, StorageOperationError, StorageNotSupportedError, StorageConfigError, StorageTTLError, StoragePatternError, StorageNotConnectedError;
+var StorageError, StorageConnectionError, StorageOperationError, StorageNotSupportedError, StorageConfigError, StorageTTLError, StoragePatternError, StorageNotConnectedError, EncryptedStorageError;
 var init_errors = __esm({
   "libs/utils/src/storage/errors.ts"() {
     "use strict";
@@ -282,7 +71,8 @@ var init_errors = __esm({
     };
     StorageConnectionError = class extends StorageError {
       constructor(message, cause, backend) {
-        super(message, cause);
+        const fullMessage = cause ? `${message}: ${cause.message}` : message;
+        super(fullMessage, cause);
         this.backend = backend;
         this.name = "StorageConnectionError";
       }
@@ -332,6 +122,12 @@ var init_errors = __esm({
         this.name = "StorageNotConnectedError";
       }
     };
+    EncryptedStorageError = class extends StorageError {
+      constructor(message) {
+        super(message);
+        this.name = "EncryptedStorageError";
+      }
+    };
   }
 });
@@ -497,15 +293,309 @@ var init_base = __esm({
   }
 });
-// libs/utils/src/storage/adapters/redis.ts
-var redis_exports = {};
-__export(redis_exports, {
-  RedisStorageAdapter: () => RedisStorageAdapter
-});
-function getRedisClass() {
+// libs/utils/src/storage/utils/pattern.ts
+function globToRegex(pattern) {
+  if (pattern.length > MAX_PATTERN_LENGTH) {
+    throw new StoragePatternError(
+      pattern.substring(0, 50) + "...",
+      `Pattern exceeds maximum length of ${MAX_PATTERN_LENGTH} characters`
+    );
+  }
+  const wildcardCount = (pattern.match(/[*?]/g) || []).length;
+  if (wildcardCount > MAX_WILDCARDS) {
+    throw new StoragePatternError(pattern, `Pattern has too many wildcards (max: ${MAX_WILDCARDS})`);
+  }
+  if (pattern === "" || pattern === "*") {
+    return /^.*$/;
+  }
+  let regexStr = "^";
+  let prevChar = "";
+  for (let i = 0; i < pattern.length; i++) {
+    const char = pattern[i];
+    switch (char) {
+      case "*":
+        if (prevChar !== "*") {
+          regexStr += ".*";
+        }
+        break;
+      case "?":
+        regexStr += ".";
+        break;
+      default:
+        regexStr += char.replace(REGEX_SPECIAL_CHARS, "\\$&");
+    }
+    prevChar = char;
+  }
+  regexStr += "$";
   try {
-    return __require("ioredis").default || __require("ioredis");
+    return new RegExp(regexStr);
   } catch {
+    throw new StoragePatternError(pattern, "Failed to compile pattern to regex");
+  }
+}
+function matchesPattern(key, pattern) {
+  const regex = globToRegex(pattern);
+  return regex.test(key);
+}
+function validatePattern(pattern) {
+  try {
+    globToRegex(pattern);
+    return { valid: true };
+  } catch (e) {
+    return {
+      valid: false,
+      error: e instanceof Error ? e.message : "Invalid pattern"
+    };
+  }
+}
+function escapeGlob(literal) {
+  return literal.replace(/[*?\\]/g, "\\$&");
+}
+var MAX_PATTERN_LENGTH, MAX_WILDCARDS, REGEX_SPECIAL_CHARS;
+var init_pattern = __esm({
+  "libs/utils/src/storage/utils/pattern.ts"() {
+    "use strict";
+    init_errors();
+    MAX_PATTERN_LENGTH = 500;
+    MAX_WILDCARDS = 20;
+    REGEX_SPECIAL_CHARS = /[.+^${}()|[\]\\]/g;
+  }
+});
+// libs/utils/src/crypto/node.ts
+var node_exports = {};
+__export(node_exports, {
+  createSignedJwt: () => createSignedJwt,
+  generateRsaKeyPair: () => generateRsaKeyPair,
+  isRsaPssAlg: () => isRsaPssAlg,
+  jwtAlgToNodeAlg: () => jwtAlgToNodeAlg,
+  nodeCrypto: () => nodeCrypto,
+  rsaSign: () => rsaSign,
+  rsaVerify: () => rsaVerify
+});
+import crypto2 from "node:crypto";
+function toUint8Array(buf) {
+  return new Uint8Array(buf.buffer, buf.byteOffset, buf.byteLength);
+}
+function toBuffer(data) {
+  if (typeof data === "string") {
+    return Buffer.from(data, "utf8");
+  }
+  return Buffer.from(data);
+}
+function generateRsaKeyPair(modulusLength = 2048, alg = "RS256") {
+  const kid = `rsa-key-${Date.now()}-${crypto2.randomBytes(8).toString("hex")}`;
+  const { privateKey, publicKey } = crypto2.generateKeyPairSync("rsa", {
+    modulusLength
+  });
+  const exported = publicKey.export({ format: "jwk" });
+  const publicJwk = {
+    ...exported,
+    kid,
+    alg,
+    use: "sig",
+    kty: "RSA"
+  };
+  return { privateKey, publicKey, publicJwk };
+}
+function rsaSign(algorithm, data, privateKey, options) {
+  const signingKey = options ? { key: privateKey, ...options } : privateKey;
+  return crypto2.sign(algorithm, data, signingKey);
+}
+function rsaVerify(jwtAlg, data, publicJwk, signature) {
+  const publicKey = crypto2.createPublicKey({ key: publicJwk, format: "jwk" });
+  const nodeAlgorithm = jwtAlgToNodeAlg(jwtAlg);
+  const verifyKey = isRsaPssAlg(jwtAlg) ? {
+    key: publicKey,
+    padding: crypto2.constants.RSA_PKCS1_PSS_PADDING,
+    saltLength: crypto2.constants.RSA_PSS_SALTLEN_DIGEST
+  } : publicKey;
+  return crypto2.verify(nodeAlgorithm, data, verifyKey, signature);
+}
+function createSignedJwt(payload, privateKey, kid, alg = "RS256") {
+  const header = { alg, typ: "JWT", kid };
+  const headerB64 = Buffer.from(JSON.stringify(header)).toString("base64url");
+  const payloadB64 = Buffer.from(JSON.stringify(payload)).toString("base64url");
+  const signatureInput = `${headerB64}.${payloadB64}`;
+  const nodeAlgorithm = jwtAlgToNodeAlg(alg);
+  const signature = rsaSign(
+    nodeAlgorithm,
+    Buffer.from(signatureInput),
+    privateKey,
+    isRsaPssAlg(alg) ? {
+      padding: crypto2.constants.RSA_PKCS1_PSS_PADDING,
+      saltLength: crypto2.constants.RSA_PSS_SALTLEN_DIGEST
+    } : void 0
+  );
+  const signatureB64 = signature.toString("base64url");
+  return `${headerB64}.${payloadB64}.${signatureB64}`;
+}
+var nodeCrypto;
+var init_node = __esm({
+  "libs/utils/src/crypto/node.ts"() {
+    "use strict";
+    init_jwt_alg();
+    init_jwt_alg();
+    nodeCrypto = {
+      randomUUID() {
+        return crypto2.randomUUID();
+      },
+      randomBytes(length) {
+        return toUint8Array(crypto2.randomBytes(length));
+      },
+      sha256(data) {
+        const hash = crypto2.createHash("sha256").update(toBuffer(data)).digest();
+        return toUint8Array(hash);
+      },
+      sha256Hex(data) {
+        return crypto2.createHash("sha256").update(toBuffer(data)).digest("hex");
+      },
+      hmacSha256(key, data) {
+        const hmac2 = crypto2.createHmac("sha256", Buffer.from(key)).update(Buffer.from(data)).digest();
+        return toUint8Array(hmac2);
+      },
+      hkdfSha256(ikm, salt, info, length) {
+        const ikmBuf = Buffer.from(ikm);
+        const saltBuf = salt.length > 0 ? Buffer.from(salt) : Buffer.alloc(32);
+        const prk = crypto2.createHmac("sha256", saltBuf).update(ikmBuf).digest();
+        const hashLen = 32;
+        const n = Math.ceil(length / hashLen);
+        const chunks = [];
+        let prev = Buffer.alloc(0);
+        for (let i = 1; i <= n; i++) {
+          prev = crypto2.createHmac("sha256", prk).update(Buffer.concat([prev, Buffer.from(info), Buffer.from([i])])).digest();
+          chunks.push(prev);
+        }
+        return toUint8Array(Buffer.concat(chunks).subarray(0, length));
+      },
+      encryptAesGcm(key, plaintext, iv) {
+        const cipher = crypto2.createCipheriv("aes-256-gcm", Buffer.from(key), Buffer.from(iv));
+        const encrypted = Buffer.concat([cipher.update(Buffer.from(plaintext)), cipher.final()]);
+        const tag = cipher.getAuthTag();
+        return {
+          ciphertext: toUint8Array(encrypted),
+          tag: toUint8Array(tag)
+        };
+      },
+      decryptAesGcm(key, ciphertext, iv, tag) {
+        const decipher = crypto2.createDecipheriv("aes-256-gcm", Buffer.from(key), Buffer.from(iv));
+        decipher.setAuthTag(Buffer.from(tag));
+        const decrypted = Buffer.concat([decipher.update(Buffer.from(ciphertext)), decipher.final()]);
+        return toUint8Array(decrypted);
+      },
+      timingSafeEqual(a, b) {
+        if (a.length !== b.length) return false;
+        return crypto2.timingSafeEqual(Buffer.from(a), Buffer.from(b));
+      }
+    };
+  }
+});
+// libs/utils/src/crypto/browser.ts
+var browser_exports = {};
+__export(browser_exports, {
+  browserCrypto: () => browserCrypto
+});
+import { sha256 as sha256Hash } from "@noble/hashes/sha2.js";
+import { hmac } from "@noble/hashes/hmac.js";
+import { hkdf } from "@noble/hashes/hkdf.js";
+import { randomBytes as nobleRandomBytes } from "@noble/hashes/utils.js";
+import { gcm } from "@noble/ciphers/aes.js";
+function toBytes(data) {
+  if (typeof data === "string") {
+    return new TextEncoder().encode(data);
+  }
+  return data;
+}
+function toHex(bytes) {
+  return Array.from(bytes).map((b) => b.toString(16).padStart(2, "0")).join("");
+}
+function generateUUID() {
+  if (typeof crypto !== "undefined" && typeof crypto.randomUUID === "function") {
+    return crypto.randomUUID();
+  }
+  const bytes = nobleRandomBytes(16);
+  bytes[6] = bytes[6] & 15 | 64;
+  bytes[8] = bytes[8] & 63 | 128;
+  const hex = toHex(bytes);
+  return `${hex.slice(0, 8)}-${hex.slice(8, 12)}-${hex.slice(12, 16)}-${hex.slice(16, 20)}-${hex.slice(20)}`;
+}
+function constantTimeEqual(a, b) {
+  if (a.length !== b.length) return false;
+  let result = 0;
+  for (let i = 0; i < a.length; i++) {
+    result |= a[i] ^ b[i];
+  }
+  return result === 0;
+}
+var browserCrypto;
+var init_browser = __esm({
+  "libs/utils/src/crypto/browser.ts"() {
+    "use strict";
+    browserCrypto = {
+      randomUUID() {
+        return generateUUID();
+      },
+      randomBytes(length) {
+        return nobleRandomBytes(length);
+      },
+      sha256(data) {
+        return sha256Hash(toBytes(data));
+      },
+      sha256Hex(data) {
+        return toHex(sha256Hash(toBytes(data)));
+      },
+      hmacSha256(key, data) {
+        return hmac(sha256Hash, key, data);
+      },
+      hkdfSha256(ikm, salt, info, length) {
+        const effectiveSalt = salt.length > 0 ? salt : new Uint8Array(32);
+        return hkdf(sha256Hash, ikm, effectiveSalt, info, length);
+      },
+      encryptAesGcm(key, plaintext, iv) {
+        const cipher = gcm(key, iv);
+        const sealed = cipher.encrypt(plaintext);
+        const ciphertext = sealed.slice(0, -16);
+        const tag = sealed.slice(-16);
+        return { ciphertext, tag };
+      },
+      decryptAesGcm(key, ciphertext, iv, tag) {
+        const cipher = gcm(key, iv);
+        const sealed = new Uint8Array(ciphertext.length + tag.length);
+        sealed.set(ciphertext);
+        sealed.set(tag, ciphertext.length);
+        return cipher.decrypt(sealed);
+      },
+      timingSafeEqual(a, b) {
+        return constantTimeEqual(a, b);
+      }
+    };
+  }
+});
+// libs/utils/src/storage/utils/index.ts
+var init_utils = __esm({
+  "libs/utils/src/storage/utils/index.ts"() {
+    "use strict";
+    init_ttl();
+  }
+});
+// libs/utils/src/storage/adapters/redis.ts
+var redis_exports = {};
+__export(redis_exports, {
+  RedisStorageAdapter: () => RedisStorageAdapter
+});
+function getRedisClass() {
+  try {
+    return __require("ioredis").default || __require("ioredis");
+  } catch (error) {
+    const msg = error instanceof Error ? error.message : String(error);
+    if (msg.includes("Dynamic require") || msg.includes("require is not defined")) {
+      throw new Error(
+        `Failed to load ioredis: ${msg}. This typically happens with ESM bundlers (esbuild, Vite). Ensure your bundler externalizes ioredis or use CJS mode.`
+      );
+    }
     throw new Error("ioredis is required for Redis storage adapter. Install it with: npm install ioredis");
   }
 }
@@ -515,7 +605,7 @@ var init_redis = __esm({
     "use strict";
     init_base();
     init_errors();
-    init_ttl();
+    init_utils();
     RedisStorageAdapter = class extends BaseStorageAdapter {
       backendName = "redis";
       client;
@@ -1345,7 +1435,7 @@ var init_upstash = __esm({
 });
 // libs/utils/src/regex/safe-regex.ts
-import { analyzeForReDoS, REDOS_THRESHOLDS } from "ast-guard";
+import { analyzeForReDoS, REDOS_THRESHOLDS } from "@enclave-vm/ast";
 var DEFAULT_MAX_INPUT_LENGTH = 5e4;
 function analyzePattern(pattern, level = "polynomial") {
   const patternStr = typeof pattern === "string" ? pattern : pattern.source;
@@ -1841,6 +1931,7 @@ function assertNode(feature) {
 // libs/utils/src/fs/fs.ts
 var _fsp = null;
+var _fs = null;
 var _spawn = null;
 function getFsp() {
   if (!_fsp) {
@@ -1849,8 +1940,15 @@ function getFsp() {
   }
   return _fsp;
 }
-function getSpawn() {
-  if (!_spawn) {
+function getFs() {
+  if (!_fs) {
+    assertNode("File system operations");
+    _fs = __require("fs");
+  }
+  return _fs;
+}
+function getSpawn() {
+  if (!_spawn) {
     assertNode("Child process operations");
     _spawn = __require("child_process").spawn;
   }
@@ -1861,6 +1959,10 @@ async function readFile(p, encoding = "utf8") {
   const fsp = getFsp();
   return fsp.readFile(p, encoding);
 }
+function readFileSync(p, encoding = "utf8") {
+  const fs = getFs();
+  return fs.readFileSync(p, encoding);
+}
 async function readFileBuffer(p) {
   const fsp = getFsp();
   return fsp.readFile(p);
@@ -2356,379 +2458,372 @@ function isSecretCached(options) {
   return secretCache.has(cacheKey);
 }
-// libs/utils/src/crypto/index.ts
-var _provider = null;
-function getCrypto() {
-  if (!_provider) {
-    if (isNode()) {
-      _provider = (init_node(), __toCommonJS(node_exports)).nodeCrypto;
-    } else {
-      _provider = (init_browser(), __toCommonJS(browser_exports)).browserCrypto;
-    }
-  }
-  return _provider;
-}
-function rsaVerify2(jwtAlg, data, publicJwk, signature) {
-  assertNode("rsaVerify");
-  return (init_node(), __toCommonJS(node_exports)).rsaVerify(jwtAlg, data, publicJwk, signature);
-}
-function randomUUID() {
-  return getCrypto().randomUUID();
+// libs/utils/src/crypto/hmac-signing.ts
+function computeSignature(data, secret) {
+  const encoder = new TextEncoder();
+  const keyBytes = encoder.encode(secret);
+  const dataBytes = encoder.encode(data);
+  const hmac2 = hmacSha256(keyBytes, dataBytes);
+  return base64urlEncode(hmac2);
+}
+function signData(data, config) {
+  const jsonData = JSON.stringify(data);
+  const sig = computeSignature(jsonData, config.secret);
+  const signed = {
+    data,
+    sig,
+    v: 1
+  };
+  return JSON.stringify(signed);
 }
-function randomBytes(length) {
-  if (!Number.isInteger(length) || length <= 0) {
-    throw new Error(`randomBytes length must be a positive integer, got ${length}`);
+function verifyData(signedJson, config) {
+  try {
+    const parsed = JSON.parse(signedJson);
+    if (!parsed || typeof parsed !== "object" || !("sig" in parsed)) {
+      return null;
+    }
+    const signed = parsed;
+    if (signed.v !== 1) {
+      return null;
+    }
+    const jsonData = JSON.stringify(signed.data);
+    const expectedSig = computeSignature(jsonData, config.secret);
+    const sigBytes = base64urlDecode(signed.sig);
+    const expectedBytes = base64urlDecode(expectedSig);
+    if (sigBytes.length !== expectedBytes.length) {
+      return null;
+    }
+    if (!timingSafeEqual(sigBytes, expectedBytes)) {
+      return null;
+    }
+    return signed.data;
+  } catch {
+    return null;
   }
-  return getCrypto().randomBytes(length);
-}
-function sha256(data) {
-  return getCrypto().sha256(data);
-}
-function sha256Hex(data) {
-  return getCrypto().sha256Hex(data);
-}
-function hmacSha256(key, data) {
-  return getCrypto().hmacSha256(key, data);
 }
-var HKDF_SHA256_MAX_LENGTH = 255 * 32;
-function hkdfSha256(ikm, salt, info, length) {
-  if (!Number.isInteger(length) || length <= 0) {
-    throw new Error(`HKDF length must be a positive integer, got ${length}`);
-  }
-  if (length > HKDF_SHA256_MAX_LENGTH) {
-    throw new Error(`HKDF-SHA256 length cannot exceed ${HKDF_SHA256_MAX_LENGTH} bytes, got ${length}`);
+function isSignedData(json) {
+  try {
+    const parsed = JSON.parse(json);
+    return parsed && typeof parsed === "object" && "sig" in parsed && "v" in parsed;
+  } catch {
+    return false;
   }
-  return getCrypto().hkdfSha256(ikm, salt, info, length);
 }
-function encryptAesGcm(key, plaintext, iv) {
-  if (key.length !== 32) {
-    throw new Error(`AES-256-GCM requires a 32-byte key, got ${key.length} bytes`);
+function verifyOrParseData(json, config) {
+  if (isSignedData(json)) {
+    return verifyData(json, config);
   }
-  if (iv.length !== 12) {
-    throw new Error(`AES-GCM requires a 12-byte IV, got ${iv.length} bytes`);
+  try {
+    return JSON.parse(json);
+  } catch {
+    return null;
   }
-  return getCrypto().encryptAesGcm(key, plaintext, iv);
 }
-function decryptAesGcm(key, ciphertext, iv, tag) {
-  if (key.length !== 32) {
-    throw new Error(`AES-256-GCM requires a 32-byte key, got ${key.length} bytes`);
+// libs/utils/src/crypto/key-persistence/schemas.ts
+import { z as z2 } from "zod";
+var MAX_CLOCK_DRIFT_MS2 = 6e4;
+var MAX_KEY_AGE_MS = 100 * 365 * 24 * 60 * 60 * 1e3;
+var asymmetricAlgSchema = z2.enum(["RS256", "RS384", "RS512", "ES256", "ES384", "ES512"]);
+var baseKeyDataSchema = z2.object({
+  kid: z2.string().min(1),
+  createdAt: z2.number().positive().int(),
+  version: z2.number().positive().int()
+});
+var jsonWebKeySchema = z2.object({
+  kty: z2.string().optional(),
+  use: z2.string().optional(),
+  alg: z2.string().optional(),
+  kid: z2.string().optional(),
+  n: z2.string().optional(),
+  e: z2.string().optional(),
+  d: z2.string().optional(),
+  p: z2.string().optional(),
+  q: z2.string().optional(),
+  dp: z2.string().optional(),
+  dq: z2.string().optional(),
+  qi: z2.string().optional(),
+  x: z2.string().optional(),
+  y: z2.string().optional(),
+  crv: z2.string().optional()
+}).passthrough();
+var secretKeyDataSchema = baseKeyDataSchema.extend({
+  type: z2.literal("secret"),
+  secret: z2.string().min(1),
+  bytes: z2.number().positive().int()
+});
+var asymmetricKeyDataSchema = baseKeyDataSchema.extend({
+  type: z2.literal("asymmetric"),
+  alg: asymmetricAlgSchema,
+  privateKey: jsonWebKeySchema,
+  publicJwk: z2.object({
+    keys: z2.array(jsonWebKeySchema).min(1)
+  })
+});
+var anyKeyDataSchema = z2.discriminatedUnion("type", [secretKeyDataSchema, asymmetricKeyDataSchema]);
+function validateKeyData(data) {
+  const result = anyKeyDataSchema.safeParse(data);
+  if (!result.success) {
+    return {
+      valid: false,
+      error: result.error.issues[0]?.message ?? "Invalid key structure"
+    };
   }
-  if (iv.length !== 12) {
-    throw new Error(`AES-GCM requires a 12-byte IV, got ${iv.length} bytes`);
+  const parsed = result.data;
+  const now = Date.now();
+  if (parsed.createdAt > now + MAX_CLOCK_DRIFT_MS2) {
+    return { valid: false, error: "createdAt is in the future" };
   }
-  if (tag.length !== 16) {
-    throw new Error(`AES-GCM requires a 16-byte authentication tag, got ${tag.length} bytes`);
+  if (parsed.createdAt < now - MAX_KEY_AGE_MS) {
+    return { valid: false, error: "createdAt is too old" };
   }
-  return getCrypto().decryptAesGcm(key, ciphertext, iv, tag);
+  return { valid: true, data: parsed };
 }
-function timingSafeEqual(a, b) {
-  if (a.length !== b.length) {
-    throw new Error(`timingSafeEqual requires equal-length arrays, got ${a.length} and ${b.length} bytes`);
+function parseKeyData(data) {
+  const validation = validateKeyData(data);
+  if (!validation.valid) {
+    return null;
   }
-  return getCrypto().timingSafeEqual(a, b);
+  return validation.data;
 }
-function bytesToHex(data) {
-  return Array.from(data).map((b) => b.toString(16).padStart(2, "0")).join("");
+function isSecretKeyData(data) {
+  return data.type === "secret";
 }
-function base64urlEncode(data) {
-  let base64;
-  if (typeof Buffer !== "undefined") {
-    base64 = Buffer.from(data).toString("base64");
-  } else {
-    const binString = Array.from(data, (byte) => String.fromCodePoint(byte)).join("");
-    base64 = btoa(binString);
-  }
-  return base64.replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
+function isAsymmetricKeyData(data) {
+  return data.type === "asymmetric";
 }
-function base64urlDecode(data) {
-  let base64 = data.replace(/-/g, "+").replace(/_/g, "/");
-  const pad = base64.length % 4;
-  if (pad) {
-    base64 += "=".repeat(4 - pad);
+// libs/utils/src/crypto/key-persistence/key-persistence.ts
+var KeyPersistence = class {
+  storage;
+  cache = /* @__PURE__ */ new Map();
+  enableCache;
+  throwOnInvalid;
+  constructor(options) {
+    this.storage = options.storage;
+    this.enableCache = options.enableCache ?? true;
+    this.throwOnInvalid = options.throwOnInvalid ?? false;
   }
-  if (typeof Buffer !== "undefined") {
-    return new Uint8Array(Buffer.from(base64, "base64"));
-  } else {
-    const binString = atob(base64);
-    return Uint8Array.from(binString, (c) => c.codePointAt(0) ?? 0);
+  /**
+   * Get a key by ID.
+   *
+   * @param kid - Key identifier
+   * @returns Key data or null if not found
+   */
+  async get(kid) {
+    if (this.enableCache) {
+      const cached = this.cache.get(kid);
+      if (cached) return cached;
+    }
+    const raw = await this.storage.get(kid);
+    if (!raw) return null;
+    let parsed;
+    try {
+      parsed = JSON.parse(raw);
+    } catch {
+      if (this.throwOnInvalid) {
+        throw new Error(`Invalid JSON for key "${kid}"`);
+      }
+      return null;
+    }
+    const validation = validateKeyData(parsed);
+    if (!validation.valid) {
+      if (this.throwOnInvalid) {
+        throw new Error(`Invalid key data for "${kid}": ${validation.error}`);
+      }
+      return null;
+    }
+    const key = validation.data;
+    if (this.enableCache) {
+      this.cache.set(kid, key);
+    }
+    return key;
   }
-}
-function sha256Base64url(data) {
-  return base64urlEncode(sha256(data));
-}
-// libs/utils/src/storage/factory.ts
-init_errors();
-// libs/utils/src/storage/namespace.ts
-var NAMESPACE_SEPARATOR = ":";
-function buildPrefix(name, id) {
-  if (id) {
-    return `${name}${NAMESPACE_SEPARATOR}${id}${NAMESPACE_SEPARATOR}`;
+  /**
+   * Get a secret key by ID.
+   *
+   * @param kid - Key identifier
+   * @returns Secret key data or null if not found or wrong type
+   */
+  async getSecret(kid) {
+    const key = await this.get(kid);
+    if (!key || !isSecretKeyData(key)) return null;
+    return key;
   }
-  return `${name}${NAMESPACE_SEPARATOR}`;
-}
-var NamespacedStorageImpl = class _NamespacedStorageImpl {
-  constructor(adapter, prefix = "", root = adapter) {
-    this.adapter = adapter;
-    this.prefix = prefix;
-    this.root = root;
+  /**
+   * Get an asymmetric key by ID.
+   *
+   * @param kid - Key identifier
+   * @returns Asymmetric key data or null if not found or wrong type
+   */
+  async getAsymmetric(kid) {
+    const key = await this.get(kid);
+    if (!key || !isAsymmetricKeyData(key)) return null;
+    return key;
   }
-  // ============================================
-  // Key Prefixing Helpers
-  // ============================================
   /**
-   * Add prefix to a key.
+   * Store a key.
+   *
+   * @param key - Key data to store
    */
-  prefixKey(key) {
-    return this.prefix + key;
+  async set(key) {
+    const validation = validateKeyData(key);
+    if (!validation.valid) {
+      throw new Error(`Invalid key data: ${validation.error}`);
+    }
+    await this.storage.set(key.kid, JSON.stringify(key, null, 2));
+    if (this.enableCache) {
+      this.cache.set(key.kid, key);
+    }
   }
   /**
-   * Remove prefix from a key.
+   * Delete a key.
+   *
+   * @param kid - Key identifier
+   * @returns true if key existed and was deleted
    */
-  unprefixKey(key) {
-    if (this.prefix && key.startsWith(this.prefix)) {
-      return key.slice(this.prefix.length);
+  async delete(kid) {
+    this.cache.delete(kid);
+    return this.storage.delete(kid);
+  }
+  /**
+   * Check if a key exists.
+   *
+   * @param kid - Key identifier
+   * @returns true if key exists
+   */
+  async has(kid) {
+    if (this.enableCache && this.cache.has(kid)) {
+      return true;
     }
-    return key;
+    return this.storage.exists(kid);
   }
   /**
-   * Add prefix to a pattern (for keys() operation).
+   * List all key IDs.
+   *
+   * @returns Array of key identifiers
    */
-  prefixPattern(pattern) {
-    return this.prefix + pattern;
+  async list() {
+    return this.storage.keys();
   }
   /**
-   * Add prefix to a channel (for pub/sub).
+   * Get or create a secret key.
+   *
+   * If a key with the given ID exists and is a valid secret key,
+   * it is returned. Otherwise, a new secret key is generated.
+   *
+   * @param kid - Key identifier
+   * @param options - Options for key creation
+   * @returns Secret key data
+   *
+   * @example
+   * ```typescript
+   * const secret = await keys.getOrCreateSecret('encryption-key');
+   * const bytes = base64urlDecode(secret.secret);
+   * ```
    */
-  prefixChannel(channel) {
-    return this.prefix + channel;
+  async getOrCreateSecret(kid, options) {
+    const existing = await this.getSecret(kid);
+    if (existing) {
+      return existing;
+    }
+    const bytes = options?.bytes ?? 32;
+    const secret = {
+      type: "secret",
+      kid,
+      secret: base64urlEncode(randomBytes(bytes)),
+      bytes,
+      createdAt: Date.now(),
+      version: 1
+    };
+    await this.set(secret);
+    return secret;
   }
-  // ============================================
-  // Namespace API
-  // ============================================
-  namespace(name, id) {
-    const newPrefix = this.prefix + buildPrefix(name, id);
-    return new _NamespacedStorageImpl(this.adapter, newPrefix, this.root);
+  /**
+   * Clear the in-memory cache.
+   *
+   * Useful when you want to force a reload from storage.
+   */
+  clearCache() {
+    this.cache.clear();
+  }
+  /**
+   * Clear cache for a specific key.
+   *
+   * @param kid - Key identifier
+   */
+  clearCacheFor(kid) {
+    this.cache.delete(kid);
+  }
+  /**
+   * Check if a key is in the cache.
+   *
+   * @param kid - Key identifier
+   * @returns true if key is cached
+   */
+  isCached(kid) {
+    return this.cache.has(kid);
+  }
+  /**
+   * Get the underlying storage adapter.
+   *
+   * Use with caution - direct storage access bypasses validation.
+   */
+  getAdapter() {
+    return this.storage;
+  }
+};
+// libs/utils/src/storage/adapters/memory.ts
+init_base();
+init_errors();
+init_pattern();
+init_ttl();
+import { EventEmitter } from "events";
+var DEFAULT_SWEEP_INTERVAL_SECONDS = 60;
+var MAX_TIMEOUT_MS = 2147483647;
+var MemoryStorageAdapter = class extends BaseStorageAdapter {
+  backendName = "memory";
+  store = /* @__PURE__ */ new Map();
+  emitter = new EventEmitter();
+  sweepInterval;
+  options;
+  // LRU tracking (simple linked list via insertion order in Map)
+  accessOrder = [];
+  constructor(options = {}) {
+    super();
+    this.options = {
+      enableSweeper: options.enableSweeper ?? true,
+      sweepIntervalSeconds: options.sweepIntervalSeconds ?? DEFAULT_SWEEP_INTERVAL_SECONDS,
+      maxEntries: options.maxEntries ?? 0
+      // 0 = unlimited
+    };
+    this.emitter.setMaxListeners(1e3);
   }
   // ============================================
-  // Connection Lifecycle (delegated to root)
+  // Connection Lifecycle
   // ============================================
   async connect() {
-    return this.adapter.connect();
+    if (this.connected) return;
+    this.connected = true;
+    if (this.options.enableSweeper && this.options.sweepIntervalSeconds > 0) {
+      this.startSweeper();
+    }
   }
   async disconnect() {
-    return this.adapter.disconnect();
+    if (!this.connected) return;
+    this.stopSweeper();
+    this.clearAllTimeouts();
+    this.store.clear();
+    this.accessOrder = [];
+    this.emitter.removeAllListeners();
+    this.connected = false;
   }
   async ping() {
-    return this.adapter.ping();
+    return this.connected;
   }
   // ============================================
-  // Core Operations (with prefixing)
-  // ============================================
-  async get(key) {
-    return this.adapter.get(this.prefixKey(key));
-  }
-  async set(key, value, options) {
-    return this.adapter.set(this.prefixKey(key), value, options);
-  }
-  async delete(key) {
-    return this.adapter.delete(this.prefixKey(key));
-  }
-  async exists(key) {
-    return this.adapter.exists(this.prefixKey(key));
-  }
-  // ============================================
-  // Batch Operations (with prefixing)
-  // ============================================
-  async mget(keys) {
-    const prefixedKeys = keys.map((k) => this.prefixKey(k));
-    return this.adapter.mget(prefixedKeys);
-  }
-  async mset(entries) {
-    const prefixedEntries = entries.map((e) => ({
-      ...e,
-      key: this.prefixKey(e.key)
-    }));
-    return this.adapter.mset(prefixedEntries);
-  }
-  async mdelete(keys) {
-    const prefixedKeys = keys.map((k) => this.prefixKey(k));
-    return this.adapter.mdelete(prefixedKeys);
-  }
-  // ============================================
-  // TTL Operations (with prefixing)
-  // ============================================
-  async expire(key, ttlSeconds) {
-    return this.adapter.expire(this.prefixKey(key), ttlSeconds);
-  }
-  async ttl(key) {
-    return this.adapter.ttl(this.prefixKey(key));
-  }
-  // ============================================
-  // Key Enumeration (with prefixing)
-  // ============================================
-  async keys(pattern = "*") {
-    const prefixedPattern = this.prefixPattern(pattern);
-    const keys = await this.adapter.keys(prefixedPattern);
-    return keys.map((k) => this.unprefixKey(k));
-  }
-  async count(pattern = "*") {
-    const prefixedPattern = this.prefixPattern(pattern);
-    return this.adapter.count(prefixedPattern);
-  }
-  // ============================================
-  // Atomic Operations (with prefixing)
-  // ============================================
-  async incr(key) {
-    return this.adapter.incr(this.prefixKey(key));
-  }
-  async decr(key) {
-    return this.adapter.decr(this.prefixKey(key));
-  }
-  async incrBy(key, amount) {
-    return this.adapter.incrBy(this.prefixKey(key), amount);
-  }
-  // ============================================
-  // Pub/Sub (with channel prefixing)
-  // ============================================
-  async publish(channel, message) {
-    return this.adapter.publish(this.prefixChannel(channel), message);
-  }
-  async subscribe(channel, handler) {
-    const prefixedChannel = this.prefixChannel(channel);
-    const wrappedHandler = (message, ch) => {
-      const unprefixedChannel = ch.startsWith(this.prefix) ? ch.slice(this.prefix.length) : ch;
-      handler(message, unprefixedChannel);
-    };
-    return this.adapter.subscribe(prefixedChannel, wrappedHandler);
-  }
-  supportsPubSub() {
-    return this.adapter.supportsPubSub();
-  }
-};
-function createRootStorage(adapter) {
-  return new NamespacedStorageImpl(adapter, "", adapter);
-}
-function createNamespacedStorage(adapter, prefix) {
-  const normalizedPrefix = prefix && !prefix.endsWith(NAMESPACE_SEPARATOR) ? prefix + NAMESPACE_SEPARATOR : prefix;
-  return new NamespacedStorageImpl(adapter, normalizedPrefix, adapter);
-}
-// libs/utils/src/storage/adapters/memory.ts
-init_base();
-init_errors();
-import { EventEmitter } from "events";
-// libs/utils/src/storage/utils/pattern.ts
-init_errors();
-var MAX_PATTERN_LENGTH = 500;
-var MAX_WILDCARDS = 20;
-var REGEX_SPECIAL_CHARS = /[.+^${}()|[\]\\]/g;
-function globToRegex(pattern) {
-  if (pattern.length > MAX_PATTERN_LENGTH) {
-    throw new StoragePatternError(
-      pattern.substring(0, 50) + "...",
-      `Pattern exceeds maximum length of ${MAX_PATTERN_LENGTH} characters`
-    );
-  }
-  const wildcardCount = (pattern.match(/[*?]/g) || []).length;
-  if (wildcardCount > MAX_WILDCARDS) {
-    throw new StoragePatternError(pattern, `Pattern has too many wildcards (max: ${MAX_WILDCARDS})`);
-  }
-  if (pattern === "" || pattern === "*") {
-    return /^.*$/;
-  }
-  let regexStr = "^";
-  let prevChar = "";
-  for (let i = 0; i < pattern.length; i++) {
-    const char = pattern[i];
-    switch (char) {
-      case "*":
-        if (prevChar !== "*") {
-          regexStr += ".*";
-        }
-        break;
-      case "?":
-        regexStr += ".";
-        break;
-      default:
-        regexStr += char.replace(REGEX_SPECIAL_CHARS, "\\$&");
-    }
-    prevChar = char;
-  }
-  regexStr += "$";
-  try {
-    return new RegExp(regexStr);
-  } catch {
-    throw new StoragePatternError(pattern, "Failed to compile pattern to regex");
-  }
-}
-function matchesPattern(key, pattern) {
-  const regex = globToRegex(pattern);
-  return regex.test(key);
-}
-function validatePattern(pattern) {
-  try {
-    globToRegex(pattern);
-    return { valid: true };
-  } catch (e) {
-    return {
-      valid: false,
-      error: e instanceof Error ? e.message : "Invalid pattern"
-    };
-  }
-}
-function escapeGlob(literal) {
-  return literal.replace(/[*?\\]/g, "\\$&");
-}
-// libs/utils/src/storage/adapters/memory.ts
-init_ttl();
-var DEFAULT_SWEEP_INTERVAL_SECONDS = 60;
-var MAX_TIMEOUT_MS = 2147483647;
-var MemoryStorageAdapter = class extends BaseStorageAdapter {
-  backendName = "memory";
-  store = /* @__PURE__ */ new Map();
-  emitter = new EventEmitter();
-  sweepInterval;
-  options;
-  // LRU tracking (simple linked list via insertion order in Map)
-  accessOrder = [];
-  constructor(options = {}) {
-    super();
-    this.options = {
-      enableSweeper: options.enableSweeper ?? true,
-      sweepIntervalSeconds: options.sweepIntervalSeconds ?? DEFAULT_SWEEP_INTERVAL_SECONDS,
-      maxEntries: options.maxEntries ?? 0
-      // 0 = unlimited
-    };
-    this.emitter.setMaxListeners(1e3);
-  }
-  // ============================================
-  // Connection Lifecycle
-  // ============================================
-  async connect() {
-    if (this.connected) return;
-    this.connected = true;
-    if (this.options.enableSweeper && this.options.sweepIntervalSeconds > 0) {
-      this.startSweeper();
-    }
-  }
-  async disconnect() {
-    if (!this.connected) return;
-    this.stopSweeper();
-    this.clearAllTimeouts();
-    this.store.clear();
-    this.accessOrder = [];
-    this.emitter.removeAllListeners();
-    this.connected = false;
-  }
-  async ping() {
-    return this.connected;
-  }
-  // ============================================
-  // Core Operations
+  // Core Operations
   // ============================================
   async get(key) {
     this.ensureConnected();
@@ -3008,42 +3103,624 @@ var MemoryStorageAdapter = class extends BaseStorageAdapter {
   }
 };
-// libs/utils/src/storage/factory.ts
-function isProduction() {
-  return process.env["NODE_ENV"] === "production";
-}
-function detectStorageType() {
-  if (process.env["UPSTASH_REDIS_REST_URL"] && process.env["UPSTASH_REDIS_REST_TOKEN"]) {
-    return "upstash";
+// libs/utils/src/storage/adapters/filesystem.ts
+init_base();
+init_errors();
+init_pattern();
+var FileSystemStorageAdapter = class extends BaseStorageAdapter {
+  backendName = "filesystem";
+  baseDir;
+  extension;
+  dirMode;
+  fileMode;
+  constructor(options) {
+    super();
+    this.baseDir = options.baseDir;
+    this.extension = options.extension ?? ".json";
+    this.dirMode = options.dirMode ?? 448;
+    this.fileMode = options.fileMode ?? 384;
   }
-  if (process.env["KV_REST_API_URL"] && process.env["KV_REST_API_TOKEN"]) {
-    return "vercel-kv";
+  // ============================================
+  // Connection Lifecycle
+  // ============================================
+  async connect() {
+    if (this.connected) return;
+    await ensureDir(this.baseDir);
+    try {
+      await mkdir(this.baseDir, { recursive: true, mode: this.dirMode });
+    } catch {
+    }
+    this.connected = true;
   }
-  if (process.env["REDIS_URL"] || process.env["REDIS_HOST"]) {
-    return "redis";
+  async disconnect() {
+    if (!this.connected) return;
+    this.connected = false;
   }
-  return "memory";
-}
-async function createAdapter(type, config) {
-  switch (type) {
-    case "memory": {
-      return new MemoryStorageAdapter(config.memory);
+  async ping() {
+    if (!this.connected) return false;
+    try {
+      return await fileExists(this.baseDir);
+    } catch {
+      return false;
     }
-    case "redis": {
-      const { RedisStorageAdapter: RedisStorageAdapter2 } = await Promise.resolve().then(() => (init_redis(), redis_exports));
-      return new RedisStorageAdapter2(config.redis);
+  }
+  // ============================================
+  // Core Operations
+  // ============================================
+  async get(key) {
+    this.ensureConnected();
+    const filePath = this.keyToPath(key);
+    try {
+      const entry = await readJSON(filePath);
+      if (!entry) return null;
+      if (entry.expiresAt && Date.now() >= entry.expiresAt) {
+        await this.deleteFile(filePath);
+        return null;
+      }
+      return entry.value;
+    } catch (e) {
+      const error = e;
+      if (error.code === "ENOENT") {
+        return null;
+      }
+      throw e;
     }
-    case "vercel-kv": {
-      const { VercelKvStorageAdapter: VercelKvStorageAdapter2 } = await Promise.resolve().then(() => (init_vercel_kv(), vercel_kv_exports));
-      return new VercelKvStorageAdapter2(config.vercelKv);
+  }
+  async doSet(key, value, options) {
+    const filePath = this.keyToPath(key);
+    const existingEntry = await this.readEntry(filePath);
+    const exists = existingEntry !== null && !this.isExpired(existingEntry);
+    if (options?.ifNotExists && exists) {
+      return;
     }
-    case "upstash": {
-      const { UpstashStorageAdapter: UpstashStorageAdapter2 } = await Promise.resolve().then(() => (init_upstash(), upstash_exports));
-      return new UpstashStorageAdapter2(config.upstash);
+    if (options?.ifExists && !exists) {
+      return;
     }
-    case "auto":
-      throw new StorageConfigError("auto", "Auto type should be resolved before calling createAdapter");
-    default:
+    const entry = { value };
+    if (options?.ttlSeconds) {
+      entry.expiresAt = Date.now() + options.ttlSeconds * 1e3;
+    }
+    await this.atomicWrite(filePath, entry);
+  }
+  async delete(key) {
+    this.ensureConnected();
+    const filePath = this.keyToPath(key);
+    return this.deleteFile(filePath);
+  }
+  async exists(key) {
+    this.ensureConnected();
+    const filePath = this.keyToPath(key);
+    try {
+      const entry = await this.readEntry(filePath);
+      if (!entry) return false;
+      if (this.isExpired(entry)) {
+        await this.deleteFile(filePath);
+        return false;
+      }
+      return true;
+    } catch {
+      return false;
+    }
+  }
+  // ============================================
+  // TTL Operations
+  // ============================================
+  async expire(key, ttlSeconds) {
+    this.ensureConnected();
+    const filePath = this.keyToPath(key);
+    const entry = await this.readEntry(filePath);
+    if (!entry || this.isExpired(entry)) {
+      return false;
+    }
+    entry.expiresAt = Date.now() + ttlSeconds * 1e3;
+    await this.atomicWrite(filePath, entry);
+    return true;
+  }
+  async ttl(key) {
+    this.ensureConnected();
+    const filePath = this.keyToPath(key);
+    const entry = await this.readEntry(filePath);
+    if (!entry) return null;
+    if (this.isExpired(entry)) {
+      await this.deleteFile(filePath);
+      return null;
+    }
+    if (entry.expiresAt === void 0) {
+      return -1;
+    }
+    return Math.max(0, Math.ceil((entry.expiresAt - Date.now()) / 1e3));
+  }
+  // ============================================
+  // Key Enumeration
+  // ============================================
+  async keys(pattern = "*") {
+    this.ensureConnected();
+    const regex = globToRegex(pattern);
+    const result = [];
+    try {
+      const files = await readdir(this.baseDir);
+      for (const file of files) {
+        if (!file.endsWith(this.extension)) continue;
+        const key = this.pathToKey(file);
+        if (!regex.test(key)) continue;
+        const filePath = this.keyToPath(key);
+        const entry = await this.readEntry(filePath);
+        if (entry && !this.isExpired(entry)) {
+          result.push(key);
+        } else if (entry && this.isExpired(entry)) {
+          await this.deleteFile(filePath);
+        }
+      }
+    } catch (e) {
+      const error = e;
+      if (error.code === "ENOENT") {
+        return [];
+      }
+      throw e;
+    }
+    return result;
+  }
+  // ============================================
+  // Atomic Operations
+  // ============================================
+  async incr(key) {
+    return this.incrBy(key, 1);
+  }
+  async decr(key) {
+    return this.incrBy(key, -1);
+  }
+  async incrBy(key, amount) {
+    this.ensureConnected();
+    const filePath = this.keyToPath(key);
+    const entry = await this.readEntry(filePath);
+    let currentValue = 0;
+    if (entry && !this.isExpired(entry)) {
+      const parsed = parseInt(entry.value, 10);
+      if (isNaN(parsed)) {
+        throw new StorageOperationError("incrBy", key, "Value is not an integer");
+      }
+      currentValue = parsed;
+    }
+    const newValue = currentValue + amount;
+    const newEntry = { value: String(newValue) };
+    if (entry?.expiresAt && !this.isExpired(entry)) {
+      newEntry.expiresAt = entry.expiresAt;
+    }
+    await this.atomicWrite(filePath, newEntry);
+    return newValue;
+  }
+  // ============================================
+  // Internal Helpers
+  // ============================================
+  /**
+   * Convert a storage key to a file path.
+   * Sanitizes the key to be filesystem-safe.
+   */
+  keyToPath(key) {
+    const safeKey = this.encodeKey(key);
+    return `${this.baseDir}/${safeKey}${this.extension}`;
+  }
+  /**
+   * Convert a filename back to a storage key.
+   */
+  pathToKey(filename) {
+    const safeKey = filename.slice(0, -this.extension.length);
+    return this.decodeKey(safeKey);
+  }
+  /**
+   * Encode a key to be filesystem-safe.
+   * Uses URL encoding to handle special characters.
+   */
+  encodeKey(key) {
+    return encodeURIComponent(key).replace(/\./g, "%2E");
+  }
+  /**
+   * Decode a filesystem-safe key back to original.
+   */
+  decodeKey(encoded) {
+    return decodeURIComponent(encoded);
+  }
+  /**
+   * Read an entry from a file.
+   */
+  async readEntry(filePath) {
+    try {
+      return await readJSON(filePath);
+    } catch {
+      return null;
+    }
+  }
+  /**
+   * Check if an entry is expired.
+   */
+  isExpired(entry) {
+    return entry.expiresAt !== void 0 && Date.now() >= entry.expiresAt;
+  }
+  /**
+   * Delete a file, returning true if it existed.
+   */
+  async deleteFile(filePath) {
+    try {
+      await unlink(filePath);
+      return true;
+    } catch (e) {
+      const error = e;
+      if (error.code === "ENOENT") {
+        return false;
+      }
+      throw e;
+    }
+  }
+  /**
+   * Atomic write: write to temp file then rename.
+   * This ensures we don't corrupt the file if write is interrupted.
+   */
+  async atomicWrite(filePath, entry) {
+    const tempSuffix = bytesToHex(randomBytes(8));
+    const tempPath = `${filePath}.${tempSuffix}.tmp`;
+    try {
+      const content = JSON.stringify(entry, null, 2);
+      await writeFile(tempPath, content, { mode: this.fileMode });
+      await rename(tempPath, filePath);
+    } catch (e) {
+      try {
+        await unlink(tempPath);
+      } catch {
+      }
+      throw e;
+    }
+  }
+  /**
+   * Get suggestion message for pub/sub not supported error.
+   */
+  getPubSubSuggestion() {
+    return "FileSystem adapter does not support pub/sub. Use Redis or Memory adapter for pub/sub support.";
+  }
+};
+// libs/utils/src/crypto/key-persistence/factory.ts
+var DEFAULT_BASE_DIR = ".frontmcp/keys";
+async function createKeyPersistence(options) {
+  const type = options?.type ?? "auto";
+  const baseDir = options?.baseDir ?? DEFAULT_BASE_DIR;
+  let adapter;
+  if (type === "memory") {
+    adapter = new MemoryStorageAdapter();
+  } else if (type === "filesystem") {
+    adapter = new FileSystemStorageAdapter({ baseDir });
+  } else {
+    if (isNode()) {
+      adapter = new FileSystemStorageAdapter({ baseDir });
+    } else {
+      adapter = new MemoryStorageAdapter();
+    }
+  }
+  await adapter.connect();
+  return new KeyPersistence({
+    storage: adapter,
+    throwOnInvalid: options?.throwOnInvalid ?? false,
+    enableCache: options?.enableCache ?? true
+  });
+}
+function createKeyPersistenceWithStorage(storage, options) {
+  return new KeyPersistence({
+    storage,
+    throwOnInvalid: options?.throwOnInvalid ?? false,
+    enableCache: options?.enableCache ?? true
+  });
+}
+// libs/utils/src/crypto/index.ts
+var _provider = null;
+function getCrypto() {
+  if (!_provider) {
+    if (isNode()) {
+      _provider = (init_node(), __toCommonJS(node_exports)).nodeCrypto;
+    } else {
+      _provider = (init_browser(), __toCommonJS(browser_exports)).browserCrypto;
+    }
+  }
+  return _provider;
+}
+function rsaVerify2(jwtAlg, data, publicJwk, signature) {
+  assertNode("rsaVerify");
+  return (init_node(), __toCommonJS(node_exports)).rsaVerify(jwtAlg, data, publicJwk, signature);
+}
+function randomUUID() {
+  return getCrypto().randomUUID();
+}
+function randomBytes(length) {
+  if (!Number.isInteger(length) || length <= 0) {
+    throw new Error(`randomBytes length must be a positive integer, got ${length}`);
+  }
+  return getCrypto().randomBytes(length);
+}
+function sha256(data) {
+  return getCrypto().sha256(data);
+}
+function sha256Hex(data) {
+  return getCrypto().sha256Hex(data);
+}
+function hmacSha256(key, data) {
+  return getCrypto().hmacSha256(key, data);
+}
+var HKDF_SHA256_MAX_LENGTH = 255 * 32;
+function hkdfSha256(ikm, salt, info, length) {
+  if (!Number.isInteger(length) || length <= 0) {
+    throw new Error(`HKDF length must be a positive integer, got ${length}`);
+  }
+  if (length > HKDF_SHA256_MAX_LENGTH) {
+    throw new Error(`HKDF-SHA256 length cannot exceed ${HKDF_SHA256_MAX_LENGTH} bytes, got ${length}`);
+  }
+  return getCrypto().hkdfSha256(ikm, salt, info, length);
+}
+function encryptAesGcm(key, plaintext, iv) {
+  if (key.length !== 32) {
+    throw new Error(`AES-256-GCM requires a 32-byte key, got ${key.length} bytes`);
+  }
+  if (iv.length !== 12) {
+    throw new Error(`AES-GCM requires a 12-byte IV, got ${iv.length} bytes`);
+  }
+  return getCrypto().encryptAesGcm(key, plaintext, iv);
+}
+function decryptAesGcm(key, ciphertext, iv, tag) {
+  if (key.length !== 32) {
+    throw new Error(`AES-256-GCM requires a 32-byte key, got ${key.length} bytes`);
+  }
+  if (iv.length !== 12) {
+    throw new Error(`AES-GCM requires a 12-byte IV, got ${iv.length} bytes`);
+  }
+  if (tag.length !== 16) {
+    throw new Error(`AES-GCM requires a 16-byte authentication tag, got ${tag.length} bytes`);
+  }
+  return getCrypto().decryptAesGcm(key, ciphertext, iv, tag);
+}
+function timingSafeEqual(a, b) {
+  if (a.length !== b.length) {
+    throw new Error(`timingSafeEqual requires equal-length arrays, got ${a.length} and ${b.length} bytes`);
+  }
+  return getCrypto().timingSafeEqual(a, b);
+}
+function bytesToHex(data) {
+  return Array.from(data).map((b) => b.toString(16).padStart(2, "0")).join("");
+}
+function base64urlEncode(data) {
+  let base64;
+  if (typeof Buffer !== "undefined") {
+    base64 = Buffer.from(data).toString("base64");
+  } else {
+    const binString = Array.from(data, (byte) => String.fromCodePoint(byte)).join("");
+    base64 = btoa(binString);
+  }
+  return base64.replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
+}
+function base64urlDecode(data) {
+  let base64 = data.replace(/-/g, "+").replace(/_/g, "/");
+  const pad = base64.length % 4;
+  if (pad) {
+    base64 += "=".repeat(4 - pad);
+  }
+  if (typeof Buffer !== "undefined") {
+    return new Uint8Array(Buffer.from(base64, "base64"));
+  } else {
+    const binString = atob(base64);
+    return Uint8Array.from(binString, (c) => c.codePointAt(0) ?? 0);
+  }
+}
+function base64Encode(data) {
+  if (typeof Buffer !== "undefined") {
+    return Buffer.from(data).toString("base64");
+  } else {
+    const binString = Array.from(data, (byte) => String.fromCodePoint(byte)).join("");
+    return btoa(binString);
+  }
+}
+function base64Decode(data) {
+  if (typeof Buffer !== "undefined") {
+    return new Uint8Array(Buffer.from(data, "base64"));
+  } else {
+    const binString = atob(data);
+    return Uint8Array.from(binString, (c) => c.codePointAt(0) ?? 0);
+  }
+}
+function sha256Base64url(data) {
+  return base64urlEncode(sha256(data));
+}
+// libs/utils/src/storage/factory.ts
+init_errors();
+// libs/utils/src/storage/namespace.ts
+var NAMESPACE_SEPARATOR = ":";
+function buildPrefix(name, id) {
+  if (id) {
+    return `${name}${NAMESPACE_SEPARATOR}${id}${NAMESPACE_SEPARATOR}`;
+  }
+  return `${name}${NAMESPACE_SEPARATOR}`;
+}
+var NamespacedStorageImpl = class _NamespacedStorageImpl {
+  constructor(adapter, prefix = "", root = adapter) {
+    this.adapter = adapter;
+    this.prefix = prefix;
+    this.root = root;
+  }
+  // ============================================
+  // Key Prefixing Helpers
+  // ============================================
+  /**
+   * Add prefix to a key.
+   */
+  prefixKey(key) {
+    return this.prefix + key;
+  }
+  /**
+   * Remove prefix from a key.
+   */
+  unprefixKey(key) {
+    if (this.prefix && key.startsWith(this.prefix)) {
+      return key.slice(this.prefix.length);
+    }
+    return key;
+  }
+  /**
+   * Add prefix to a pattern (for keys() operation).
+   */
+  prefixPattern(pattern) {
+    return this.prefix + pattern;
+  }
+  /**
+   * Add prefix to a channel (for pub/sub).
+   */
+  prefixChannel(channel) {
+    return this.prefix + channel;
+  }
+  // ============================================
+  // Namespace API
+  // ============================================
+  namespace(name, id) {
+    const newPrefix = this.prefix + buildPrefix(name, id);
+    return new _NamespacedStorageImpl(this.adapter, newPrefix, this.root);
+  }
+  // ============================================
+  // Connection Lifecycle (delegated to root)
+  // ============================================
+  async connect() {
+    return this.adapter.connect();
+  }
+  async disconnect() {
+    return this.adapter.disconnect();
+  }
+  async ping() {
+    return this.adapter.ping();
+  }
+  // ============================================
+  // Core Operations (with prefixing)
+  // ============================================
+  async get(key) {
+    return this.adapter.get(this.prefixKey(key));
+  }
+  async set(key, value, options) {
+    return this.adapter.set(this.prefixKey(key), value, options);
+  }
+  async delete(key) {
+    return this.adapter.delete(this.prefixKey(key));
+  }
+  async exists(key) {
+    return this.adapter.exists(this.prefixKey(key));
+  }
+  // ============================================
+  // Batch Operations (with prefixing)
+  // ============================================
+  async mget(keys) {
+    const prefixedKeys = keys.map((k) => this.prefixKey(k));
+    return this.adapter.mget(prefixedKeys);
+  }
+  async mset(entries) {
+    const prefixedEntries = entries.map((e) => ({
+      ...e,
+      key: this.prefixKey(e.key)
+    }));
+    return this.adapter.mset(prefixedEntries);
+  }
+  async mdelete(keys) {
+    const prefixedKeys = keys.map((k) => this.prefixKey(k));
+    return this.adapter.mdelete(prefixedKeys);
+  }
+  // ============================================
+  // TTL Operations (with prefixing)
+  // ============================================
+  async expire(key, ttlSeconds) {
+    return this.adapter.expire(this.prefixKey(key), ttlSeconds);
+  }
+  async ttl(key) {
+    return this.adapter.ttl(this.prefixKey(key));
+  }
+  // ============================================
+  // Key Enumeration (with prefixing)
+  // ============================================
+  async keys(pattern = "*") {
+    const prefixedPattern = this.prefixPattern(pattern);
+    const keys = await this.adapter.keys(prefixedPattern);
+    return keys.map((k) => this.unprefixKey(k));
+  }
+  async count(pattern = "*") {
+    const prefixedPattern = this.prefixPattern(pattern);
+    return this.adapter.count(prefixedPattern);
+  }
+  // ============================================
+  // Atomic Operations (with prefixing)
+  // ============================================
+  async incr(key) {
+    return this.adapter.incr(this.prefixKey(key));
+  }
+  async decr(key) {
+    return this.adapter.decr(this.prefixKey(key));
+  }
+  async incrBy(key, amount) {
+    return this.adapter.incrBy(this.prefixKey(key), amount);
+  }
+  // ============================================
+  // Pub/Sub (with channel prefixing)
+  // ============================================
+  async publish(channel, message) {
+    return this.adapter.publish(this.prefixChannel(channel), message);
+  }
+  async subscribe(channel, handler) {
+    const prefixedChannel = this.prefixChannel(channel);
+    const wrappedHandler = (message, ch) => {
+      const unprefixedChannel = ch.startsWith(this.prefix) ? ch.slice(this.prefix.length) : ch;
+      handler(message, unprefixedChannel);
+    };
+    return this.adapter.subscribe(prefixedChannel, wrappedHandler);
+  }
+  supportsPubSub() {
+    return this.adapter.supportsPubSub();
+  }
+};
+function createRootStorage(adapter) {
+  return new NamespacedStorageImpl(adapter, "", adapter);
+}
+function createNamespacedStorage(adapter, prefix) {
+  const normalizedPrefix = prefix && !prefix.endsWith(NAMESPACE_SEPARATOR) ? prefix + NAMESPACE_SEPARATOR : prefix;
+  return new NamespacedStorageImpl(adapter, normalizedPrefix, adapter);
+}
+// libs/utils/src/storage/factory.ts
+function isProduction() {
+  return process.env["NODE_ENV"] === "production";
+}
+function detectStorageType() {
+  if (process.env["UPSTASH_REDIS_REST_URL"] && process.env["UPSTASH_REDIS_REST_TOKEN"]) {
+    return "upstash";
+  }
+  if (process.env["KV_REST_API_URL"] && process.env["KV_REST_API_TOKEN"]) {
+    return "vercel-kv";
+  }
+  if (process.env["REDIS_URL"] || process.env["REDIS_HOST"]) {
+    return "redis";
+  }
+  return "memory";
+}
+async function createAdapter(type, config) {
+  switch (type) {
+    case "memory": {
+      return new MemoryStorageAdapter(config.memory);
+    }
+    case "redis": {
+      const { RedisStorageAdapter: RedisStorageAdapter2 } = await Promise.resolve().then(() => (init_redis(), redis_exports));
+      return new RedisStorageAdapter2(config.redis);
+    }
+    case "vercel-kv": {
+      const { VercelKvStorageAdapter: VercelKvStorageAdapter2 } = await Promise.resolve().then(() => (init_vercel_kv(), vercel_kv_exports));
+      return new VercelKvStorageAdapter2(config.vercelKv);
+    }
+    case "upstash": {
+      const { UpstashStorageAdapter: UpstashStorageAdapter2 } = await Promise.resolve().then(() => (init_upstash(), upstash_exports));
+      return new UpstashStorageAdapter2(config.upstash);
+    }
+    case "auto":
+      throw new StorageConfigError("auto", "Auto type should be resolved before calling createAdapter");
+    default:
       throw new StorageConfigError("unknown", `Unknown storage type: ${type}`);
   }
 }
@@ -3103,6 +3780,501 @@ function getDetectedStorageType() {
 // libs/utils/src/storage/index.ts
 init_errors();
+// libs/utils/src/storage/typed-storage.ts
+var TypedStorage = class {
+  storage;
+  serialize;
+  deserialize;
+  schema;
+  throwOnInvalid;
+  constructor(storage, options = {}) {
+    this.storage = storage;
+    this.serialize = options.serialize ?? JSON.stringify;
+    this.deserialize = options.deserialize ?? JSON.parse;
+    this.schema = options.schema;
+    this.throwOnInvalid = options.throwOnInvalid ?? false;
+  }
+  /**
+   * Get a typed value by key.
+   *
+   * @param key - Storage key
+   * @returns The typed value, or null if not found or invalid
+   */
+  async get(key) {
+    const raw = await this.storage.get(key);
+    if (raw === null) {
+      return null;
+    }
+    return this.parseValue(raw, key);
+  }
+  /**
+   * Set a typed value with optional TTL.
+   *
+   * @param key - Storage key
+   * @param value - Typed value to store
+   * @param options - Optional TTL and conditional flags
+   */
+  async set(key, value, options) {
+    const serialized = this.serialize(value);
+    await this.storage.set(key, serialized, options);
+  }
+  /**
+   * Delete a key.
+   *
+   * @param key - Storage key
+   * @returns true if key existed and was deleted
+   */
+  async delete(key) {
+    return this.storage.delete(key);
+  }
+  /**
+   * Check if a key exists.
+   *
+   * @param key - Storage key
+   * @returns true if key exists
+   */
+  async exists(key) {
+    return this.storage.exists(key);
+  }
+  /**
+   * Get multiple typed values.
+   *
+   * @param keys - Array of storage keys
+   * @returns Array of typed values (null for missing/invalid keys)
+   */
+  async mget(keys) {
+    if (keys.length === 0) {
+      return [];
+    }
+    const rawValues = await this.storage.mget(keys);
+    return rawValues.map((raw, index) => {
+      if (raw === null) {
+        return null;
+      }
+      return this.parseValue(raw, keys[index]);
+    });
+  }
+  /**
+   * Set multiple typed values.
+   *
+   * @param entries - Array of key-value-options entries
+   */
+  async mset(entries) {
+    if (entries.length === 0) {
+      return;
+    }
+    const rawEntries = entries.map((entry) => ({
+      key: entry.key,
+      value: this.serialize(entry.value),
+      options: entry.options
+    }));
+    await this.storage.mset(rawEntries);
+  }
+  /**
+   * Delete multiple keys.
+   *
+   * @param keys - Array of storage keys
+   * @returns Number of keys actually deleted
+   */
+  async mdelete(keys) {
+    return this.storage.mdelete(keys);
+  }
+  /**
+   * Update TTL on an existing key.
+   *
+   * @param key - Storage key
+   * @param ttlSeconds - New TTL in seconds
+   * @returns true if key exists and TTL was set
+   */
+  async expire(key, ttlSeconds) {
+    return this.storage.expire(key, ttlSeconds);
+  }
+  /**
+   * Get remaining TTL for a key.
+   *
+   * @param key - Storage key
+   * @returns TTL in seconds, -1 if no TTL, or null if key doesn't exist
+   */
+  async ttl(key) {
+    return this.storage.ttl(key);
+  }
+  /**
+   * List keys matching a pattern.
+   *
+   * @param pattern - Glob pattern (default: '*' for all keys)
+   * @returns Array of matching keys
+   */
+  async keys(pattern) {
+    return this.storage.keys(pattern);
+  }
+  /**
+   * Count keys matching a pattern.
+   *
+   * @param pattern - Glob pattern (default: '*' for all keys)
+   * @returns Number of matching keys
+   */
+  async count(pattern) {
+    return this.storage.count(pattern);
+  }
+  /**
+   * Get the underlying storage adapter.
+   * Use with caution - operations bypass type safety.
+   */
+  get raw() {
+    return this.storage;
+  }
+  /**
+   * Parse and validate a raw value.
+   */
+  parseValue(raw, key) {
+    try {
+      const parsed = this.deserialize(raw);
+      if (this.schema) {
+        const result = this.schema.safeParse(parsed);
+        if (!result.success) {
+          if (this.throwOnInvalid) {
+            throw new Error(`TypedStorage validation failed for key "${key}": ${result.error.message}`);
+          }
+          return null;
+        }
+        return result.data;
+      }
+      return parsed;
+    } catch (error) {
+      if (this.throwOnInvalid) {
+        throw error;
+      }
+      return null;
+    }
+  }
+};
+// libs/utils/src/storage/encrypted-typed-storage.ts
+init_errors();
+var textEncoder2 = new TextEncoder();
+var textDecoder2 = new TextDecoder();
+var EncryptedTypedStorage = class {
+  storage;
+  activeKey;
+  keyMap;
+  schema;
+  throwOnError;
+  onKeyRotationNeeded;
+  clientBinding;
+  constructor(storage, options) {
+    if (!options.keys || options.keys.length === 0) {
+      throw new EncryptedStorageError("At least one encryption key is required");
+    }
+    for (const k of options.keys) {
+      if (k.key.length !== 32) {
+        throw new EncryptedStorageError(
+          `Encryption key "${k.kid}" must be 32 bytes (AES-256), got ${k.key.length} bytes`
+        );
+      }
+    }
+    this.storage = storage;
+    this.activeKey = options.keys[0];
+    this.keyMap = new Map(options.keys.map((k) => [k.kid, k.key]));
+    this.schema = options.schema;
+    this.throwOnError = options.throwOnError ?? false;
+    this.onKeyRotationNeeded = options.onKeyRotationNeeded;
+    this.clientBinding = options.clientBinding;
+  }
+  /**
+   * Get a decrypted value by key.
+   *
+   * @param key - Storage key
+   * @returns The decrypted value, or null if not found or decryption fails
+   */
+  async get(key) {
+    const raw = await this.storage.get(key);
+    if (raw === null) {
+      return null;
+    }
+    return this.decryptAndParse(raw, key);
+  }
+  /**
+   * Encrypt and store a value.
+   *
+   * @param key - Storage key
+   * @param value - Value to encrypt and store
+   * @param options - Optional TTL and conditional flags
+   */
+  async set(key, value, options) {
+    const encrypted = this.encryptValue(value);
+    const serialized = JSON.stringify(encrypted);
+    await this.storage.set(key, serialized, options);
+  }
+  /**
+   * Delete a key.
+   *
+   * @param key - Storage key
+   * @returns true if key existed and was deleted
+   */
+  async delete(key) {
+    return this.storage.delete(key);
+  }
+  /**
+   * Check if a key exists.
+   *
+   * @param key - Storage key
+   * @returns true if key exists
+   */
+  async exists(key) {
+    return this.storage.exists(key);
+  }
+  /**
+   * Get multiple decrypted values.
+   *
+   * @param keys - Array of storage keys
+   * @returns Array of decrypted values (null for missing/invalid keys)
+   */
+  async mget(keys) {
+    if (keys.length === 0) {
+      return [];
+    }
+    const rawValues = await this.storage.mget(keys);
+    return rawValues.map((raw, index) => {
+      if (raw === null) {
+        return null;
+      }
+      return this.decryptAndParse(raw, keys[index]);
+    });
+  }
+  /**
+   * Encrypt and store multiple values.
+   *
+   * @param entries - Array of key-value-options entries
+   */
+  async mset(entries) {
+    if (entries.length === 0) {
+      return;
+    }
+    const rawEntries = entries.map((entry) => ({
+      key: entry.key,
+      value: JSON.stringify(this.encryptValue(entry.value)),
+      options: entry.options
+    }));
+    await this.storage.mset(rawEntries);
+  }
+  /**
+   * Delete multiple keys.
+   *
+   * @param keys - Array of storage keys
+   * @returns Number of keys actually deleted
+   */
+  async mdelete(keys) {
+    return this.storage.mdelete(keys);
+  }
+  /**
+   * Update TTL on an existing key.
+   *
+   * @param key - Storage key
+   * @param ttlSeconds - New TTL in seconds
+   * @returns true if key exists and TTL was set
+   */
+  async expire(key, ttlSeconds) {
+    return this.storage.expire(key, ttlSeconds);
+  }
+  /**
+   * Get remaining TTL for a key.
+   *
+   * @param key - Storage key
+   * @returns TTL in seconds, -1 if no TTL, or null if key doesn't exist
+   */
+  async ttl(key) {
+    return this.storage.ttl(key);
+  }
+  /**
+   * List keys matching a pattern.
+   *
+   * @param pattern - Glob pattern (default: '*' for all keys)
+   * @returns Array of matching keys
+   */
+  async keys(pattern) {
+    return this.storage.keys(pattern);
+  }
+  /**
+   * Count keys matching a pattern.
+   *
+   * @param pattern - Glob pattern (default: '*' for all keys)
+   * @returns Number of matching keys
+   */
+  async count(pattern) {
+    return this.storage.count(pattern);
+  }
+  /**
+   * Re-encrypt a value with the active key.
+   * Useful for key rotation - reads with old key, writes with new key.
+   *
+   * @param key - Storage key to re-encrypt
+   * @param options - Optional TTL for the re-encrypted value
+   * @returns true if value was re-encrypted, false if not found
+   */
+  async reencrypt(key, options) {
+    const value = await this.get(key);
+    if (value === null) {
+      return false;
+    }
+    await this.set(key, value, options);
+    return true;
+  }
+  /**
+   * Rotate the active encryption key.
+   * New encryptions will use the new key; old keys remain for decryption.
+   *
+   * @param newKey - New encryption key to use for writes
+   */
+  rotateKey(newKey) {
+    if (newKey.key.length !== 32) {
+      throw new EncryptedStorageError(`New encryption key must be 32 bytes (AES-256), got ${newKey.key.length} bytes`);
+    }
+    if (!this.keyMap.has(newKey.kid)) {
+      this.keyMap.set(newKey.kid, newKey.key);
+    }
+    this.activeKey = newKey;
+  }
+  /**
+   * Get the active key ID.
+   */
+  get activeKeyId() {
+    return this.activeKey.kid;
+  }
+  /**
+   * Get all known key IDs.
+   */
+  get keyIds() {
+    return Array.from(this.keyMap.keys());
+  }
+  /**
+   * Get the underlying storage adapter.
+   * Use with caution - operations bypass encryption.
+   */
+  get raw() {
+    return this.storage;
+  }
+  /**
+   * Check if client-side key binding is enabled.
+   * When true, encryption keys are derived from both server key and client secret.
+   */
+  get hasClientBinding() {
+    return this.clientBinding !== void 0;
+  }
+  /**
+   * Derive the actual encryption key.
+   *
+   * If clientBinding is configured, combines server key with client secret
+   * using HKDF-SHA256 (RFC 5869) to produce the actual encryption key.
+   * Otherwise, returns the server key as-is.
+   *
+   * This provides zero-knowledge encryption where:
+   * - Server cannot decrypt without client secret (sessionId)
+   * - Client cannot decrypt without server key
+   * - Key derivation is deterministic (same inputs -> same derived key)
+   *
+   * @param serverKey - The server-side encryption key
+   * @returns The key to use for actual encryption/decryption
+   */
+  deriveKey(serverKey) {
+    if (!this.clientBinding) {
+      return serverKey;
+    }
+    const clientSecret = typeof this.clientBinding.secret === "string" ? textEncoder2.encode(this.clientBinding.secret) : this.clientBinding.secret;
+    const ikm = new Uint8Array(serverKey.length + clientSecret.length);
+    ikm.set(serverKey, 0);
+    ikm.set(clientSecret, serverKey.length);
+    const salt = this.clientBinding.salt ?? new Uint8Array(0);
+    const info = textEncoder2.encode(this.clientBinding.info ?? "frontmcp-client-bound-v1");
+    return hkdfSha256(ikm, salt, info, 32);
+  }
+  /**
+   * Encrypt a value using the active key.
+   * If client binding is configured, uses derived key from server key + client secret.
+   */
+  encryptValue(value) {
+    let jsonString;
+    try {
+      jsonString = JSON.stringify(value);
+    } catch (error) {
+      throw new EncryptedStorageError(`Failed to serialize value: ${error.message}`);
+    }
+    const plaintext = textEncoder2.encode(jsonString);
+    const iv = randomBytes(12);
+    const encryptionKey = this.deriveKey(this.activeKey.key);
+    const { ciphertext, tag } = encryptAesGcm(encryptionKey, plaintext, iv);
+    return {
+      alg: "A256GCM",
+      kid: this.activeKey.kid,
+      iv: base64urlEncode(iv),
+      tag: base64urlEncode(tag),
+      data: base64urlEncode(ciphertext)
+    };
+  }
+  /**
+   * Decrypt and parse a stored value.
+   */
+  decryptAndParse(raw, storageKey) {
+    let blob;
+    try {
+      blob = JSON.parse(raw);
+    } catch (_error) {
+      if (this.throwOnError) {
+        throw new EncryptedStorageError(`Failed to parse stored blob for key "${storageKey}"`);
+      }
+      return null;
+    }
+    if (!this.isValidBlob(blob)) {
+      if (this.throwOnError) {
+        throw new EncryptedStorageError(`Invalid encrypted blob structure for key "${storageKey}"`);
+      }
+      return null;
+    }
+    const serverKey = this.keyMap.get(blob.kid);
+    if (!serverKey) {
+      if (this.throwOnError) {
+        throw new EncryptedStorageError(
+          `Unknown encryption key "${blob.kid}" for key "${storageKey}". Known keys: ${Array.from(this.keyMap.keys()).join(", ")}`
+        );
+      }
+      return null;
+    }
+    const decryptionKey = this.deriveKey(serverKey);
+    let decrypted;
+    try {
+      const iv = base64urlDecode(blob.iv);
+      const tag = base64urlDecode(blob.tag);
+      const ciphertext = base64urlDecode(blob.data);
+      const plaintext = decryptAesGcm(decryptionKey, ciphertext, iv, tag);
+      decrypted = JSON.parse(textDecoder2.decode(plaintext));
+    } catch (error) {
+      if (this.throwOnError) {
+        throw new EncryptedStorageError(`Decryption failed for key "${storageKey}": ${error.message}`);
+      }
+      return null;
+    }
+    if (this.schema) {
+      const result = this.schema.safeParse(decrypted);
+      if (!result.success) {
+        if (this.throwOnError) {
+          throw new EncryptedStorageError(`Schema validation failed for key "${storageKey}": ${result.error.message}`);
+        }
+        return null;
+      }
+      decrypted = result.data;
+    }
+    if (blob.kid !== this.activeKey.kid && this.onKeyRotationNeeded) {
+      this.onKeyRotationNeeded(storageKey, blob.kid, this.activeKey.kid);
+    }
+    return decrypted;
+  }
+  /**
+   * Validate blob structure.
+   */
+  isValidBlob(blob) {
+    return typeof blob === "object" && blob !== null && "alg" in blob && "kid" in blob && "iv" in blob && "tag" in blob && "data" in blob && blob.alg === "A256GCM" && typeof blob.kid === "string" && typeof blob.iv === "string" && typeof blob.tag === "string" && typeof blob.data === "string";
+  }
+};
 // libs/utils/src/storage/adapters/index.ts
 init_base();
 init_redis();
@@ -3110,12 +4282,17 @@ init_vercel_kv();
 init_upstash();
 // libs/utils/src/storage/index.ts
+init_pattern();
 init_ttl();
 export {
   BaseStorageAdapter,
   DEFAULT_CODE_VERIFIER_LENGTH,
   DEFAULT_MAX_INPUT_LENGTH,
   EncryptedBlobError,
+  EncryptedStorageError,
+  EncryptedTypedStorage,
+  FileSystemStorageAdapter,
+  KeyPersistence,
   MAX_CODE_VERIFIER_LENGTH,
   MAX_TTL_SECONDS,
   MIN_CODE_VERIFIER_LENGTH,
@@ -3133,11 +4310,17 @@ export {
   StorageOperationError,
   StoragePatternError,
   StorageTTLError,
+  TypedStorage,
   UpstashStorageAdapter,
   VercelKvStorageAdapter,
   access,
   analyzePattern,
+  anyKeyDataSchema,
   assertNode,
+  asymmetricAlgSchema,
+  asymmetricKeyDataSchema,
+  base64Decode,
+  base64Encode,
   base64urlDecode,
   base64urlEncode,
   buildPrefix,
@@ -3147,6 +4330,8 @@ export {
   collapseWhitespace,
   copyFile,
   cp,
+  createKeyPersistence,
+  createKeyPersistenceWithStorage,
   createMemoryStorage,
   createNamespacedStorage,
   createRootStorage,
@@ -3188,6 +4373,7 @@ export {
   hmacSha256,
   idFromString,
   inferMimeType,
+  isAsymmetricKeyData,
   isBrowser,
   isDirEmpty,
   isExpired,
@@ -3196,7 +4382,9 @@ export {
   isPatternSafe,
   isRsaPssAlg,
   isSecretCached,
+  isSecretKeyData,
   isSecretPersistenceEnabled,
+  isSignedData,
   isUriTemplate,
   isValidCodeChallenge,
   isValidCodeVerifier,
@@ -3211,12 +4399,14 @@ export {
   mkdir,
   mkdtemp,
   normalizeTTL,
+  parseKeyData,
   parseSecretData,
   parseUriTemplate,
   randomBytes,
   randomUUID,
   readFile,
   readFileBuffer,
+  readFileSync,
   readJSON,
   readdir,
   rename,
@@ -3233,12 +4423,14 @@ export {
   sanitizeToJson,
   saveSecret,
   secretDataSchema,
+  secretKeyDataSchema,
   sepFor,
   serializeBlob,
   sha256,
   sha256Base64url,
   sha256Hex,
   shortHash,
+  signData,
   splitWords,
   stat,
   timingSafeEqual,
@@ -3254,11 +4446,14 @@ export {
   ttlToExpiresAt,
   unlink,
   validateBaseUrl,
+  validateKeyData,
   validateOptionalTTL,
   validatePattern,
   validateSecretData,
   validateTTL,
   verifyCodeChallenge,
+  verifyData,
+  verifyOrParseData,
   writeFile,
   writeJSON
 };