@frontmcp/utils 0.7.2 → 0.8.1

package/index.js

@@ -57,219 +57,8 @@ var init_jwt_alg = __esm({
   }
 });
 
-// libs/utils/src/crypto/node.ts
-var node_exports = {};
-__export(node_exports, {
-  createSignedJwt: () => createSignedJwt,
-  generateRsaKeyPair: () => generateRsaKeyPair,
-  isRsaPssAlg: () => isRsaPssAlg,
-  jwtAlgToNodeAlg: () => jwtAlgToNodeAlg,
-  nodeCrypto: () => nodeCrypto,
-  rsaSign: () => rsaSign,
-  rsaVerify: () => rsaVerify
-});
-function toUint8Array(buf) {
-  return new Uint8Array(buf.buffer, buf.byteOffset, buf.byteLength);
-}
-function toBuffer(data) {
-  if (typeof data === "string") {
-    return Buffer.from(data, "utf8");
-  }
-  return Buffer.from(data);
-}
-function generateRsaKeyPair(modulusLength = 2048, alg = "RS256") {
-  const kid = `rsa-key-${Date.now()}-${import_node_crypto.default.randomBytes(8).toString("hex")}`;
-  const { privateKey, publicKey } = import_node_crypto.default.generateKeyPairSync("rsa", {
-    modulusLength
-  });
-  const exported = publicKey.export({ format: "jwk" });
-  const publicJwk = {
-    ...exported,
-    kid,
-    alg,
-    use: "sig",
-    kty: "RSA"
-  };
-  return { privateKey, publicKey, publicJwk };
-}
-function rsaSign(algorithm, data, privateKey, options) {
-  const signingKey = options ? { key: privateKey, ...options } : privateKey;
-  return import_node_crypto.default.sign(algorithm, data, signingKey);
-}
-function rsaVerify(jwtAlg, data, publicJwk, signature) {
-  const publicKey = import_node_crypto.default.createPublicKey({ key: publicJwk, format: "jwk" });
-  const nodeAlgorithm = jwtAlgToNodeAlg(jwtAlg);
-  const verifyKey = isRsaPssAlg(jwtAlg) ? {
-    key: publicKey,
-    padding: import_node_crypto.default.constants.RSA_PKCS1_PSS_PADDING,
-    saltLength: import_node_crypto.default.constants.RSA_PSS_SALTLEN_DIGEST
-  } : publicKey;
-  return import_node_crypto.default.verify(nodeAlgorithm, data, verifyKey, signature);
-}
-function createSignedJwt(payload, privateKey, kid, alg = "RS256") {
-  const header = { alg, typ: "JWT", kid };
-  const headerB64 = Buffer.from(JSON.stringify(header)).toString("base64url");
-  const payloadB64 = Buffer.from(JSON.stringify(payload)).toString("base64url");
-  const signatureInput = `${headerB64}.${payloadB64}`;
-  const nodeAlgorithm = jwtAlgToNodeAlg(alg);
-  const signature = rsaSign(
-    nodeAlgorithm,
-    Buffer.from(signatureInput),
-    privateKey,
-    isRsaPssAlg(alg) ? {
-      padding: import_node_crypto.default.constants.RSA_PKCS1_PSS_PADDING,
-      saltLength: import_node_crypto.default.constants.RSA_PSS_SALTLEN_DIGEST
-    } : void 0
-  );
-  const signatureB64 = signature.toString("base64url");
-  return `${headerB64}.${payloadB64}.${signatureB64}`;
-}
-var import_node_crypto, nodeCrypto;
-var init_node = __esm({
-  "libs/utils/src/crypto/node.ts"() {
-    "use strict";
-    import_node_crypto = __toESM(require("node:crypto"));
-    init_jwt_alg();
-    init_jwt_alg();
-    nodeCrypto = {
-      randomUUID() {
-        return import_node_crypto.default.randomUUID();
-      },
-      randomBytes(length) {
-        return toUint8Array(import_node_crypto.default.randomBytes(length));
-      },
-      sha256(data) {
-        const hash = import_node_crypto.default.createHash("sha256").update(toBuffer(data)).digest();
-        return toUint8Array(hash);
-      },
-      sha256Hex(data) {
-        return import_node_crypto.default.createHash("sha256").update(toBuffer(data)).digest("hex");
-      },
-      hmacSha256(key, data) {
-        const hmac2 = import_node_crypto.default.createHmac("sha256", Buffer.from(key)).update(Buffer.from(data)).digest();
-        return toUint8Array(hmac2);
-      },
-      hkdfSha256(ikm, salt, info, length) {
-        const ikmBuf = Buffer.from(ikm);
-        const saltBuf = salt.length > 0 ? Buffer.from(salt) : Buffer.alloc(32);
-        const prk = import_node_crypto.default.createHmac("sha256", saltBuf).update(ikmBuf).digest();
-        const hashLen = 32;
-        const n = Math.ceil(length / hashLen);
-        const chunks = [];
-        let prev = Buffer.alloc(0);
-        for (let i = 1; i <= n; i++) {
-          prev = import_node_crypto.default.createHmac("sha256", prk).update(Buffer.concat([prev, Buffer.from(info), Buffer.from([i])])).digest();
-          chunks.push(prev);
-        }
-        return toUint8Array(Buffer.concat(chunks).subarray(0, length));
-      },
-      encryptAesGcm(key, plaintext, iv) {
-        const cipher = import_node_crypto.default.createCipheriv("aes-256-gcm", Buffer.from(key), Buffer.from(iv));
-        const encrypted = Buffer.concat([cipher.update(Buffer.from(plaintext)), cipher.final()]);
-        const tag = cipher.getAuthTag();
-        return {
-          ciphertext: toUint8Array(encrypted),
-          tag: toUint8Array(tag)
-        };
-      },
-      decryptAesGcm(key, ciphertext, iv, tag) {
-        const decipher = import_node_crypto.default.createDecipheriv("aes-256-gcm", Buffer.from(key), Buffer.from(iv));
-        decipher.setAuthTag(Buffer.from(tag));
-        const decrypted = Buffer.concat([decipher.update(Buffer.from(ciphertext)), decipher.final()]);
-        return toUint8Array(decrypted);
-      },
-      timingSafeEqual(a, b) {
-        if (a.length !== b.length) return false;
-        return import_node_crypto.default.timingSafeEqual(Buffer.from(a), Buffer.from(b));
-      }
-    };
-  }
-});
-
-// libs/utils/src/crypto/browser.ts
-var browser_exports = {};
-__export(browser_exports, {
-  browserCrypto: () => browserCrypto
-});
-function toBytes(data) {
-  if (typeof data === "string") {
-    return new TextEncoder().encode(data);
-  }
-  return data;
-}
-function toHex(bytes) {
-  return Array.from(bytes).map((b) => b.toString(16).padStart(2, "0")).join("");
-}
-function generateUUID() {
-  if (typeof crypto !== "undefined" && typeof crypto.randomUUID === "function") {
-    return crypto.randomUUID();
-  }
-  const bytes = (0, import_utils.randomBytes)(16);
-  bytes[6] = bytes[6] & 15 | 64;
-  bytes[8] = bytes[8] & 63 | 128;
-  const hex = toHex(bytes);
-  return `${hex.slice(0, 8)}-${hex.slice(8, 12)}-${hex.slice(12, 16)}-${hex.slice(16, 20)}-${hex.slice(20)}`;
-}
-function constantTimeEqual(a, b) {
-  if (a.length !== b.length) return false;
-  let result = 0;
-  for (let i = 0; i < a.length; i++) {
-    result |= a[i] ^ b[i];
-  }
-  return result === 0;
-}
-var import_sha2, import_hmac, import_hkdf, import_utils, import_aes, browserCrypto;
-var init_browser = __esm({
-  "libs/utils/src/crypto/browser.ts"() {
-    "use strict";
-    import_sha2 = require("@noble/hashes/sha2.js");
-    import_hmac = require("@noble/hashes/hmac.js");
-    import_hkdf = require("@noble/hashes/hkdf.js");
-    import_utils = require("@noble/hashes/utils.js");
-    import_aes = require("@noble/ciphers/aes.js");
-    browserCrypto = {
-      randomUUID() {
-        return generateUUID();
-      },
-      randomBytes(length) {
-        return (0, import_utils.randomBytes)(length);
-      },
-      sha256(data) {
-        return (0, import_sha2.sha256)(toBytes(data));
-      },
-      sha256Hex(data) {
-        return toHex((0, import_sha2.sha256)(toBytes(data)));
-      },
-      hmacSha256(key, data) {
-        return (0, import_hmac.hmac)(import_sha2.sha256, key, data);
-      },
-      hkdfSha256(ikm, salt, info, length) {
-        const effectiveSalt = salt.length > 0 ? salt : new Uint8Array(32);
-        return (0, import_hkdf.hkdf)(import_sha2.sha256, ikm, effectiveSalt, info, length);
-      },
-      encryptAesGcm(key, plaintext, iv) {
-        const cipher = (0, import_aes.gcm)(key, iv);
-        const sealed = cipher.encrypt(plaintext);
-        const ciphertext = sealed.slice(0, -16);
-        const tag = sealed.slice(-16);
-        return { ciphertext, tag };
-      },
-      decryptAesGcm(key, ciphertext, iv, tag) {
-        const cipher = (0, import_aes.gcm)(key, iv);
-        const sealed = new Uint8Array(ciphertext.length + tag.length);
-        sealed.set(ciphertext);
-        sealed.set(tag, ciphertext.length);
-        return cipher.decrypt(sealed);
-      },
-      timingSafeEqual(a, b) {
-        return constantTimeEqual(a, b);
-      }
-    };
-  }
-});
-
 // libs/utils/src/storage/errors.ts
-var StorageError, StorageConnectionError, StorageOperationError, StorageNotSupportedError, StorageConfigError, StorageTTLError, StoragePatternError, StorageNotConnectedError;
+var StorageError, StorageConnectionError, StorageOperationError, StorageNotSupportedError, StorageConfigError, StorageTTLError, StoragePatternError, StorageNotConnectedError, EncryptedStorageError;
 var init_errors = __esm({
   "libs/utils/src/storage/errors.ts"() {
     "use strict";
@@ -287,7 +76,8 @@ var init_errors = __esm({
     };
     StorageConnectionError = class extends StorageError {
       constructor(message, cause, backend) {
-        super(message, cause);
+        const fullMessage = cause ? `${message}: ${cause.message}` : message;
+        super(fullMessage, cause);
         this.backend = backend;
         this.name = "StorageConnectionError";
       }
@@ -337,6 +127,12 @@ var init_errors = __esm({
         this.name = "StorageNotConnectedError";
       }
     };
+    EncryptedStorageError = class extends StorageError {
+      constructor(message) {
+        super(message);
+        this.name = "EncryptedStorageError";
+      }
+    };
   }
 });
 
@@ -502,15 +298,309 @@ var init_base = __esm({
   }
 });
 
-// libs/utils/src/storage/adapters/redis.ts
-var redis_exports = {};
-__export(redis_exports, {
-  RedisStorageAdapter: () => RedisStorageAdapter
-});
-function getRedisClass() {
+// libs/utils/src/storage/utils/pattern.ts
+function globToRegex(pattern) {
+  if (pattern.length > MAX_PATTERN_LENGTH) {
+    throw new StoragePatternError(
+      pattern.substring(0, 50) + "...",
+      `Pattern exceeds maximum length of ${MAX_PATTERN_LENGTH} characters`
+    );
+  }
+  const wildcardCount = (pattern.match(/[*?]/g) || []).length;
+  if (wildcardCount > MAX_WILDCARDS) {
+    throw new StoragePatternError(pattern, `Pattern has too many wildcards (max: ${MAX_WILDCARDS})`);
+  }
+  if (pattern === "" || pattern === "*") {
+    return /^.*$/;
+  }
+  let regexStr = "^";
+  let prevChar = "";
+  for (let i = 0; i < pattern.length; i++) {
+    const char = pattern[i];
+    switch (char) {
+      case "*":
+        if (prevChar !== "*") {
+          regexStr += ".*";
+        }
+        break;
+      case "?":
+        regexStr += ".";
+        break;
+      default:
+        regexStr += char.replace(REGEX_SPECIAL_CHARS, "\\$&");
+    }
+    prevChar = char;
+  }
+  regexStr += "$";
   try {
-    return require("ioredis").default || require("ioredis");
+    return new RegExp(regexStr);
   } catch {
+    throw new StoragePatternError(pattern, "Failed to compile pattern to regex");
+  }
+}
+function matchesPattern(key, pattern) {
+  const regex = globToRegex(pattern);
+  return regex.test(key);
+}
+function validatePattern(pattern) {
+  try {
+    globToRegex(pattern);
+    return { valid: true };
+  } catch (e) {
+    return {
+      valid: false,
+      error: e instanceof Error ? e.message : "Invalid pattern"
+    };
+  }
+}
+function escapeGlob(literal) {
+  return literal.replace(/[*?\\]/g, "\\$&");
+}
+var MAX_PATTERN_LENGTH, MAX_WILDCARDS, REGEX_SPECIAL_CHARS;
+var init_pattern = __esm({
+  "libs/utils/src/storage/utils/pattern.ts"() {
+    "use strict";
+    init_errors();
+    MAX_PATTERN_LENGTH = 500;
+    MAX_WILDCARDS = 20;
+    REGEX_SPECIAL_CHARS = /[.+^${}()|[\]\\]/g;
+  }
+});
+
+// libs/utils/src/crypto/node.ts
+var node_exports = {};
+__export(node_exports, {
+  createSignedJwt: () => createSignedJwt,
+  generateRsaKeyPair: () => generateRsaKeyPair,
+  isRsaPssAlg: () => isRsaPssAlg,
+  jwtAlgToNodeAlg: () => jwtAlgToNodeAlg,
+  nodeCrypto: () => nodeCrypto,
+  rsaSign: () => rsaSign,
+  rsaVerify: () => rsaVerify
+});
+function toUint8Array(buf) {
+  return new Uint8Array(buf.buffer, buf.byteOffset, buf.byteLength);
+}
+function toBuffer(data) {
+  if (typeof data === "string") {
+    return Buffer.from(data, "utf8");
+  }
+  return Buffer.from(data);
+}
+function generateRsaKeyPair(modulusLength = 2048, alg = "RS256") {
+  const kid = `rsa-key-${Date.now()}-${import_node_crypto.default.randomBytes(8).toString("hex")}`;
+  const { privateKey, publicKey } = import_node_crypto.default.generateKeyPairSync("rsa", {
+    modulusLength
+  });
+  const exported = publicKey.export({ format: "jwk" });
+  const publicJwk = {
+    ...exported,
+    kid,
+    alg,
+    use: "sig",
+    kty: "RSA"
+  };
+  return { privateKey, publicKey, publicJwk };
+}
+function rsaSign(algorithm, data, privateKey, options) {
+  const signingKey = options ? { key: privateKey, ...options } : privateKey;
+  return import_node_crypto.default.sign(algorithm, data, signingKey);
+}
+function rsaVerify(jwtAlg, data, publicJwk, signature) {
+  const publicKey = import_node_crypto.default.createPublicKey({ key: publicJwk, format: "jwk" });
+  const nodeAlgorithm = jwtAlgToNodeAlg(jwtAlg);
+  const verifyKey = isRsaPssAlg(jwtAlg) ? {
+    key: publicKey,
+    padding: import_node_crypto.default.constants.RSA_PKCS1_PSS_PADDING,
+    saltLength: import_node_crypto.default.constants.RSA_PSS_SALTLEN_DIGEST
+  } : publicKey;
+  return import_node_crypto.default.verify(nodeAlgorithm, data, verifyKey, signature);
+}
+function createSignedJwt(payload, privateKey, kid, alg = "RS256") {
+  const header = { alg, typ: "JWT", kid };
+  const headerB64 = Buffer.from(JSON.stringify(header)).toString("base64url");
+  const payloadB64 = Buffer.from(JSON.stringify(payload)).toString("base64url");
+  const signatureInput = `${headerB64}.${payloadB64}`;
+  const nodeAlgorithm = jwtAlgToNodeAlg(alg);
+  const signature = rsaSign(
+    nodeAlgorithm,
+    Buffer.from(signatureInput),
+    privateKey,
+    isRsaPssAlg(alg) ? {
+      padding: import_node_crypto.default.constants.RSA_PKCS1_PSS_PADDING,
+      saltLength: import_node_crypto.default.constants.RSA_PSS_SALTLEN_DIGEST
+    } : void 0
+  );
+  const signatureB64 = signature.toString("base64url");
+  return `${headerB64}.${payloadB64}.${signatureB64}`;
+}
+var import_node_crypto, nodeCrypto;
+var init_node = __esm({
+  "libs/utils/src/crypto/node.ts"() {
+    "use strict";
+    import_node_crypto = __toESM(require("node:crypto"));
+    init_jwt_alg();
+    init_jwt_alg();
+    nodeCrypto = {
+      randomUUID() {
+        return import_node_crypto.default.randomUUID();
+      },
+      randomBytes(length) {
+        return toUint8Array(import_node_crypto.default.randomBytes(length));
+      },
+      sha256(data) {
+        const hash = import_node_crypto.default.createHash("sha256").update(toBuffer(data)).digest();
+        return toUint8Array(hash);
+      },
+      sha256Hex(data) {
+        return import_node_crypto.default.createHash("sha256").update(toBuffer(data)).digest("hex");
+      },
+      hmacSha256(key, data) {
+        const hmac2 = import_node_crypto.default.createHmac("sha256", Buffer.from(key)).update(Buffer.from(data)).digest();
+        return toUint8Array(hmac2);
+      },
+      hkdfSha256(ikm, salt, info, length) {
+        const ikmBuf = Buffer.from(ikm);
+        const saltBuf = salt.length > 0 ? Buffer.from(salt) : Buffer.alloc(32);
+        const prk = import_node_crypto.default.createHmac("sha256", saltBuf).update(ikmBuf).digest();
+        const hashLen = 32;
+        const n = Math.ceil(length / hashLen);
+        const chunks = [];
+        let prev = Buffer.alloc(0);
+        for (let i = 1; i <= n; i++) {
+          prev = import_node_crypto.default.createHmac("sha256", prk).update(Buffer.concat([prev, Buffer.from(info), Buffer.from([i])])).digest();
+          chunks.push(prev);
+        }
+        return toUint8Array(Buffer.concat(chunks).subarray(0, length));
+      },
+      encryptAesGcm(key, plaintext, iv) {
+        const cipher = import_node_crypto.default.createCipheriv("aes-256-gcm", Buffer.from(key), Buffer.from(iv));
+        const encrypted = Buffer.concat([cipher.update(Buffer.from(plaintext)), cipher.final()]);
+        const tag = cipher.getAuthTag();
+        return {
+          ciphertext: toUint8Array(encrypted),
+          tag: toUint8Array(tag)
+        };
+      },
+      decryptAesGcm(key, ciphertext, iv, tag) {
+        const decipher = import_node_crypto.default.createDecipheriv("aes-256-gcm", Buffer.from(key), Buffer.from(iv));
+        decipher.setAuthTag(Buffer.from(tag));
+        const decrypted = Buffer.concat([decipher.update(Buffer.from(ciphertext)), decipher.final()]);
+        return toUint8Array(decrypted);
+      },
+      timingSafeEqual(a, b) {
+        if (a.length !== b.length) return false;
+        return import_node_crypto.default.timingSafeEqual(Buffer.from(a), Buffer.from(b));
+      }
+    };
+  }
+});
+
+// libs/utils/src/crypto/browser.ts
+var browser_exports = {};
+__export(browser_exports, {
+  browserCrypto: () => browserCrypto
+});
+function toBytes(data) {
+  if (typeof data === "string") {
+    return new TextEncoder().encode(data);
+  }
+  return data;
+}
+function toHex(bytes) {
+  return Array.from(bytes).map((b) => b.toString(16).padStart(2, "0")).join("");
+}
+function generateUUID() {
+  if (typeof crypto !== "undefined" && typeof crypto.randomUUID === "function") {
+    return crypto.randomUUID();
+  }
+  const bytes = (0, import_utils.randomBytes)(16);
+  bytes[6] = bytes[6] & 15 | 64;
+  bytes[8] = bytes[8] & 63 | 128;
+  const hex = toHex(bytes);
+  return `${hex.slice(0, 8)}-${hex.slice(8, 12)}-${hex.slice(12, 16)}-${hex.slice(16, 20)}-${hex.slice(20)}`;
+}
+function constantTimeEqual(a, b) {
+  if (a.length !== b.length) return false;
+  let result = 0;
+  for (let i = 0; i < a.length; i++) {
+    result |= a[i] ^ b[i];
+  }
+  return result === 0;
+}
+var import_sha2, import_hmac, import_hkdf, import_utils, import_aes, browserCrypto;
+var init_browser = __esm({
+  "libs/utils/src/crypto/browser.ts"() {
+    "use strict";
+    import_sha2 = require("@noble/hashes/sha2.js");
+    import_hmac = require("@noble/hashes/hmac.js");
+    import_hkdf = require("@noble/hashes/hkdf.js");
+    import_utils = require("@noble/hashes/utils.js");
+    import_aes = require("@noble/ciphers/aes.js");
+    browserCrypto = {
+      randomUUID() {
+        return generateUUID();
+      },
+      randomBytes(length) {
+        return (0, import_utils.randomBytes)(length);
+      },
+      sha256(data) {
+        return (0, import_sha2.sha256)(toBytes(data));
+      },
+      sha256Hex(data) {
+        return toHex((0, import_sha2.sha256)(toBytes(data)));
+      },
+      hmacSha256(key, data) {
+        return (0, import_hmac.hmac)(import_sha2.sha256, key, data);
+      },
+      hkdfSha256(ikm, salt, info, length) {
+        const effectiveSalt = salt.length > 0 ? salt : new Uint8Array(32);
+        return (0, import_hkdf.hkdf)(import_sha2.sha256, ikm, effectiveSalt, info, length);
+      },
+      encryptAesGcm(key, plaintext, iv) {
+        const cipher = (0, import_aes.gcm)(key, iv);
+        const sealed = cipher.encrypt(plaintext);
+        const ciphertext = sealed.slice(0, -16);
+        const tag = sealed.slice(-16);
+        return { ciphertext, tag };
+      },
+      decryptAesGcm(key, ciphertext, iv, tag) {
+        const cipher = (0, import_aes.gcm)(key, iv);
+        const sealed = new Uint8Array(ciphertext.length + tag.length);
+        sealed.set(ciphertext);
+        sealed.set(tag, ciphertext.length);
+        return cipher.decrypt(sealed);
+      },
+      timingSafeEqual(a, b) {
+        return constantTimeEqual(a, b);
+      }
+    };
+  }
+});
+
+// libs/utils/src/storage/utils/index.ts
+var init_utils = __esm({
+  "libs/utils/src/storage/utils/index.ts"() {
+    "use strict";
+    init_ttl();
+  }
+});
+
+// libs/utils/src/storage/adapters/redis.ts
+var redis_exports = {};
+__export(redis_exports, {
+  RedisStorageAdapter: () => RedisStorageAdapter
+});
+function getRedisClass() {
+  try {
+    return require("ioredis").default || require("ioredis");
+  } catch (error) {
+    const msg = error instanceof Error ? error.message : String(error);
+    if (msg.includes("Dynamic require") || msg.includes("require is not defined")) {
+      throw new Error(
+        `Failed to load ioredis: ${msg}. This typically happens with ESM bundlers (esbuild, Vite). Ensure your bundler externalizes ioredis or use CJS mode.`
+      );
+    }
     throw new Error("ioredis is required for Redis storage adapter. Install it with: npm install ioredis");
   }
 }
@@ -520,7 +610,7 @@ var init_redis = __esm({
     "use strict";
     init_base();
     init_errors();
-    init_ttl();
+    init_utils();
     RedisStorageAdapter = class extends BaseStorageAdapter {
       backendName = "redis";
       client;
@@ -1356,6 +1446,10 @@ __export(index_exports, {
   DEFAULT_CODE_VERIFIER_LENGTH: () => DEFAULT_CODE_VERIFIER_LENGTH,
   DEFAULT_MAX_INPUT_LENGTH: () => DEFAULT_MAX_INPUT_LENGTH,
   EncryptedBlobError: () => EncryptedBlobError,
+  EncryptedStorageError: () => EncryptedStorageError,
+  EncryptedTypedStorage: () => EncryptedTypedStorage,
+  FileSystemStorageAdapter: () => FileSystemStorageAdapter,
+  KeyPersistence: () => KeyPersistence,
   MAX_CODE_VERIFIER_LENGTH: () => MAX_CODE_VERIFIER_LENGTH,
   MAX_TTL_SECONDS: () => MAX_TTL_SECONDS,
   MIN_CODE_VERIFIER_LENGTH: () => MIN_CODE_VERIFIER_LENGTH,
@@ -1363,7 +1457,7 @@ __export(index_exports, {
   NAMESPACE_SEPARATOR: () => NAMESPACE_SEPARATOR,
   NamespacedStorageImpl: () => NamespacedStorageImpl,
   PkceError: () => PkceError,
-  REDOS_THRESHOLDS: () => import_ast_guard.REDOS_THRESHOLDS,
+  REDOS_THRESHOLDS: () => import_ast.REDOS_THRESHOLDS,
   RedisStorageAdapter: () => RedisStorageAdapter,
   StorageConfigError: () => StorageConfigError,
   StorageConnectionError: () => StorageConnectionError,
@@ -1373,11 +1467,17 @@ __export(index_exports, {
   StorageOperationError: () => StorageOperationError,
   StoragePatternError: () => StoragePatternError,
   StorageTTLError: () => StorageTTLError,
+  TypedStorage: () => TypedStorage,
   UpstashStorageAdapter: () => UpstashStorageAdapter,
   VercelKvStorageAdapter: () => VercelKvStorageAdapter,
   access: () => access,
   analyzePattern: () => analyzePattern,
+  anyKeyDataSchema: () => anyKeyDataSchema,
   assertNode: () => assertNode,
+  asymmetricAlgSchema: () => asymmetricAlgSchema,
+  asymmetricKeyDataSchema: () => asymmetricKeyDataSchema,
+  base64Decode: () => base64Decode,
+  base64Encode: () => base64Encode,
   base64urlDecode: () => base64urlDecode,
   base64urlEncode: () => base64urlEncode,
   buildPrefix: () => buildPrefix,
@@ -1387,6 +1487,8 @@ __export(index_exports, {
   collapseWhitespace: () => collapseWhitespace,
   copyFile: () => copyFile,
   cp: () => cp,
+  createKeyPersistence: () => createKeyPersistence,
+  createKeyPersistenceWithStorage: () => createKeyPersistenceWithStorage,
   createMemoryStorage: () => createMemoryStorage,
   createNamespacedStorage: () => createNamespacedStorage,
   createRootStorage: () => createRootStorage,
@@ -1428,6 +1530,7 @@ __export(index_exports, {
   hmacSha256: () => hmacSha256,
   idFromString: () => idFromString,
   inferMimeType: () => inferMimeType,
+  isAsymmetricKeyData: () => isAsymmetricKeyData,
   isBrowser: () => isBrowser,
   isDirEmpty: () => isDirEmpty,
   isExpired: () => isExpired,
@@ -1436,7 +1539,9 @@ __export(index_exports, {
   isPatternSafe: () => isPatternSafe,
   isRsaPssAlg: () => isRsaPssAlg,
   isSecretCached: () => isSecretCached,
+  isSecretKeyData: () => isSecretKeyData,
   isSecretPersistenceEnabled: () => isSecretPersistenceEnabled,
+  isSignedData: () => isSignedData,
   isUriTemplate: () => isUriTemplate,
   isValidCodeChallenge: () => isValidCodeChallenge,
   isValidCodeVerifier: () => isValidCodeVerifier,
@@ -1451,12 +1556,14 @@ __export(index_exports, {
   mkdir: () => mkdir,
   mkdtemp: () => mkdtemp,
   normalizeTTL: () => normalizeTTL,
+  parseKeyData: () => parseKeyData,
   parseSecretData: () => parseSecretData,
   parseUriTemplate: () => parseUriTemplate,
   randomBytes: () => randomBytes,
   randomUUID: () => randomUUID,
   readFile: () => readFile,
   readFileBuffer: () => readFileBuffer,
+  readFileSync: () => readFileSync,
   readJSON: () => readJSON,
   readdir: () => readdir,
   rename: () => rename,
@@ -1473,12 +1580,14 @@ __export(index_exports, {
   sanitizeToJson: () => sanitizeToJson,
   saveSecret: () => saveSecret,
   secretDataSchema: () => secretDataSchema,
+  secretKeyDataSchema: () => secretKeyDataSchema,
   sepFor: () => sepFor,
   serializeBlob: () => serializeBlob,
   sha256: () => sha256,
   sha256Base64url: () => sha256Base64url,
   sha256Hex: () => sha256Hex,
   shortHash: () => shortHash,
+  signData: () => signData,
   splitWords: () => splitWords,
   stat: () => stat,
   timingSafeEqual: () => timingSafeEqual,
@@ -1494,18 +1603,21 @@ __export(index_exports, {
   ttlToExpiresAt: () => ttlToExpiresAt,
   unlink: () => unlink,
   validateBaseUrl: () => validateBaseUrl,
+  validateKeyData: () => validateKeyData,
   validateOptionalTTL: () => validateOptionalTTL,
   validatePattern: () => validatePattern,
   validateSecretData: () => validateSecretData,
   validateTTL: () => validateTTL,
   verifyCodeChallenge: () => verifyCodeChallenge,
+  verifyData: () => verifyData,
+  verifyOrParseData: () => verifyOrParseData,
   writeFile: () => writeFile,
   writeJSON: () => writeJSON
 });
 module.exports = __toCommonJS(index_exports);
 
 // libs/utils/src/regex/safe-regex.ts
-var import_ast_guard = require("ast-guard");
+var import_ast = require("@enclave-vm/ast");
 var DEFAULT_MAX_INPUT_LENGTH = 5e4;
 function analyzePattern(pattern, level = "polynomial") {
   const patternStr = typeof pattern === "string" ? pattern : pattern.source;
@@ -1520,7 +1632,7 @@ function analyzePattern(pattern, level = "polynomial") {
     };
   }
   try {
-    const result = (0, import_ast_guard.analyzeForReDoS)(patternStr, level);
+    const result = (0, import_ast.analyzeForReDoS)(patternStr, level);
     return {
       safe: !result.vulnerable,
       score: result.score,
@@ -2001,6 +2113,7 @@ function assertNode(feature) {
 
 // libs/utils/src/fs/fs.ts
 var _fsp = null;
+var _fs = null;
 var _spawn = null;
 function getFsp() {
   if (!_fsp) {
@@ -2009,8 +2122,15 @@ function getFsp() {
   }
   return _fsp;
 }
-function getSpawn() {
-  if (!_spawn) {
+function getFs() {
+  if (!_fs) {
+    assertNode("File system operations");
+    _fs = require("fs");
+  }
+  return _fs;
+}
+function getSpawn() {
+  if (!_spawn) {
     assertNode("Child process operations");
     _spawn = require("child_process").spawn;
   }
@@ -2021,6 +2141,10 @@ async function readFile(p, encoding = "utf8") {
   const fsp = getFsp();
   return fsp.readFile(p, encoding);
 }
+function readFileSync(p, encoding = "utf8") {
+  const fs = getFs();
+  return fs.readFileSync(p, encoding);
+}
 async function readFileBuffer(p) {
   const fsp = getFsp();
   return fsp.readFile(p);
@@ -2516,379 +2640,372 @@ function isSecretCached(options) {
   return secretCache.has(cacheKey);
 }
 
-// libs/utils/src/crypto/index.ts
-var _provider = null;
-function getCrypto() {
-  if (!_provider) {
-    if (isNode()) {
-      _provider = (init_node(), __toCommonJS(node_exports)).nodeCrypto;
-    } else {
-      _provider = (init_browser(), __toCommonJS(browser_exports)).browserCrypto;
-    }
-  }
-  return _provider;
-}
-function rsaVerify2(jwtAlg, data, publicJwk, signature) {
-  assertNode("rsaVerify");
-  return (init_node(), __toCommonJS(node_exports)).rsaVerify(jwtAlg, data, publicJwk, signature);
-}
-function randomUUID() {
-  return getCrypto().randomUUID();
+// libs/utils/src/crypto/hmac-signing.ts
+function computeSignature(data, secret) {
+  const encoder = new TextEncoder();
+  const keyBytes = encoder.encode(secret);
+  const dataBytes = encoder.encode(data);
+  const hmac2 = hmacSha256(keyBytes, dataBytes);
+  return base64urlEncode(hmac2);
+}
+function signData(data, config) {
+  const jsonData = JSON.stringify(data);
+  const sig = computeSignature(jsonData, config.secret);
+  const signed = {
+    data,
+    sig,
+    v: 1
+  };
+  return JSON.stringify(signed);
 }
-function randomBytes(length) {
-  if (!Number.isInteger(length) || length <= 0) {
-    throw new Error(`randomBytes length must be a positive integer, got ${length}`);
+function verifyData(signedJson, config) {
+  try {
+    const parsed = JSON.parse(signedJson);
+    if (!parsed || typeof parsed !== "object" || !("sig" in parsed)) {
+      return null;
+    }
+    const signed = parsed;
+    if (signed.v !== 1) {
+      return null;
+    }
+    const jsonData = JSON.stringify(signed.data);
+    const expectedSig = computeSignature(jsonData, config.secret);
+    const sigBytes = base64urlDecode(signed.sig);
+    const expectedBytes = base64urlDecode(expectedSig);
+    if (sigBytes.length !== expectedBytes.length) {
+      return null;
+    }
+    if (!timingSafeEqual(sigBytes, expectedBytes)) {
+      return null;
+    }
+    return signed.data;
+  } catch {
+    return null;
   }
-  return getCrypto().randomBytes(length);
-}
-function sha256(data) {
-  return getCrypto().sha256(data);
-}
-function sha256Hex(data) {
-  return getCrypto().sha256Hex(data);
-}
-function hmacSha256(key, data) {
-  return getCrypto().hmacSha256(key, data);
 }
-var HKDF_SHA256_MAX_LENGTH = 255 * 32;
-function hkdfSha256(ikm, salt, info, length) {
-  if (!Number.isInteger(length) || length <= 0) {
-    throw new Error(`HKDF length must be a positive integer, got ${length}`);
-  }
-  if (length > HKDF_SHA256_MAX_LENGTH) {
-    throw new Error(`HKDF-SHA256 length cannot exceed ${HKDF_SHA256_MAX_LENGTH} bytes, got ${length}`);
+function isSignedData(json) {
+  try {
+    const parsed = JSON.parse(json);
+    return parsed && typeof parsed === "object" && "sig" in parsed && "v" in parsed;
+  } catch {
+    return false;
   }
-  return getCrypto().hkdfSha256(ikm, salt, info, length);
 }
-function encryptAesGcm(key, plaintext, iv) {
-  if (key.length !== 32) {
-    throw new Error(`AES-256-GCM requires a 32-byte key, got ${key.length} bytes`);
+function verifyOrParseData(json, config) {
+  if (isSignedData(json)) {
+    return verifyData(json, config);
   }
-  if (iv.length !== 12) {
-    throw new Error(`AES-GCM requires a 12-byte IV, got ${iv.length} bytes`);
+  try {
+    return JSON.parse(json);
+  } catch {
+    return null;
   }
-  return getCrypto().encryptAesGcm(key, plaintext, iv);
 }
-function decryptAesGcm(key, ciphertext, iv, tag) {
-  if (key.length !== 32) {
-    throw new Error(`AES-256-GCM requires a 32-byte key, got ${key.length} bytes`);
+
+// libs/utils/src/crypto/key-persistence/schemas.ts
+var import_zod2 = require("zod");
+var MAX_CLOCK_DRIFT_MS2 = 6e4;
+var MAX_KEY_AGE_MS = 100 * 365 * 24 * 60 * 60 * 1e3;
+var asymmetricAlgSchema = import_zod2.z.enum(["RS256", "RS384", "RS512", "ES256", "ES384", "ES512"]);
+var baseKeyDataSchema = import_zod2.z.object({
+  kid: import_zod2.z.string().min(1),
+  createdAt: import_zod2.z.number().positive().int(),
+  version: import_zod2.z.number().positive().int()
+});
+var jsonWebKeySchema = import_zod2.z.object({
+  kty: import_zod2.z.string().optional(),
+  use: import_zod2.z.string().optional(),
+  alg: import_zod2.z.string().optional(),
+  kid: import_zod2.z.string().optional(),
+  n: import_zod2.z.string().optional(),
+  e: import_zod2.z.string().optional(),
+  d: import_zod2.z.string().optional(),
+  p: import_zod2.z.string().optional(),
+  q: import_zod2.z.string().optional(),
+  dp: import_zod2.z.string().optional(),
+  dq: import_zod2.z.string().optional(),
+  qi: import_zod2.z.string().optional(),
+  x: import_zod2.z.string().optional(),
+  y: import_zod2.z.string().optional(),
+  crv: import_zod2.z.string().optional()
+}).passthrough();
+var secretKeyDataSchema = baseKeyDataSchema.extend({
+  type: import_zod2.z.literal("secret"),
+  secret: import_zod2.z.string().min(1),
+  bytes: import_zod2.z.number().positive().int()
+});
+var asymmetricKeyDataSchema = baseKeyDataSchema.extend({
+  type: import_zod2.z.literal("asymmetric"),
+  alg: asymmetricAlgSchema,
+  privateKey: jsonWebKeySchema,
+  publicJwk: import_zod2.z.object({
+    keys: import_zod2.z.array(jsonWebKeySchema).min(1)
+  })
+});
+var anyKeyDataSchema = import_zod2.z.discriminatedUnion("type", [secretKeyDataSchema, asymmetricKeyDataSchema]);
+function validateKeyData(data) {
+  const result = anyKeyDataSchema.safeParse(data);
+  if (!result.success) {
+    return {
+      valid: false,
+      error: result.error.issues[0]?.message ?? "Invalid key structure"
+    };
   }
-  if (iv.length !== 12) {
-    throw new Error(`AES-GCM requires a 12-byte IV, got ${iv.length} bytes`);
+  const parsed = result.data;
+  const now = Date.now();
+  if (parsed.createdAt > now + MAX_CLOCK_DRIFT_MS2) {
+    return { valid: false, error: "createdAt is in the future" };
   }
-  if (tag.length !== 16) {
-    throw new Error(`AES-GCM requires a 16-byte authentication tag, got ${tag.length} bytes`);
+  if (parsed.createdAt < now - MAX_KEY_AGE_MS) {
+    return { valid: false, error: "createdAt is too old" };
   }
-  return getCrypto().decryptAesGcm(key, ciphertext, iv, tag);
+  return { valid: true, data: parsed };
 }
-function timingSafeEqual(a, b) {
-  if (a.length !== b.length) {
-    throw new Error(`timingSafeEqual requires equal-length arrays, got ${a.length} and ${b.length} bytes`);
+function parseKeyData(data) {
+  const validation = validateKeyData(data);
+  if (!validation.valid) {
+    return null;
   }
-  return getCrypto().timingSafeEqual(a, b);
+  return validation.data;
 }
-function bytesToHex(data) {
-  return Array.from(data).map((b) => b.toString(16).padStart(2, "0")).join("");
+function isSecretKeyData(data) {
+  return data.type === "secret";
 }
-function base64urlEncode(data) {
-  let base64;
-  if (typeof Buffer !== "undefined") {
-    base64 = Buffer.from(data).toString("base64");
-  } else {
-    const binString = Array.from(data, (byte) => String.fromCodePoint(byte)).join("");
-    base64 = btoa(binString);
-  }
-  return base64.replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
+function isAsymmetricKeyData(data) {
+  return data.type === "asymmetric";
 }
-function base64urlDecode(data) {
-  let base64 = data.replace(/-/g, "+").replace(/_/g, "/");
-  const pad = base64.length % 4;
-  if (pad) {
-    base64 += "=".repeat(4 - pad);
+
+// libs/utils/src/crypto/key-persistence/key-persistence.ts
+var KeyPersistence = class {
+  storage;
+  cache = /* @__PURE__ */ new Map();
+  enableCache;
+  throwOnInvalid;
+  constructor(options) {
+    this.storage = options.storage;
+    this.enableCache = options.enableCache ?? true;
+    this.throwOnInvalid = options.throwOnInvalid ?? false;
   }
-  if (typeof Buffer !== "undefined") {
-    return new Uint8Array(Buffer.from(base64, "base64"));
-  } else {
-    const binString = atob(base64);
-    return Uint8Array.from(binString, (c) => c.codePointAt(0) ?? 0);
+  /**
+   * Get a key by ID.
+   *
+   * @param kid - Key identifier
+   * @returns Key data or null if not found
+   */
+  async get(kid) {
+    if (this.enableCache) {
+      const cached = this.cache.get(kid);
+      if (cached) return cached;
+    }
+    const raw = await this.storage.get(kid);
+    if (!raw) return null;
+    let parsed;
+    try {
+      parsed = JSON.parse(raw);
+    } catch {
+      if (this.throwOnInvalid) {
+        throw new Error(`Invalid JSON for key "${kid}"`);
+      }
+      return null;
+    }
+    const validation = validateKeyData(parsed);
+    if (!validation.valid) {
+      if (this.throwOnInvalid) {
+        throw new Error(`Invalid key data for "${kid}": ${validation.error}`);
+      }
+      return null;
+    }
+    const key = validation.data;
+    if (this.enableCache) {
+      this.cache.set(kid, key);
+    }
+    return key;
   }
-}
-function sha256Base64url(data) {
-  return base64urlEncode(sha256(data));
-}
-
-// libs/utils/src/storage/factory.ts
-init_errors();
-
-// libs/utils/src/storage/namespace.ts
-var NAMESPACE_SEPARATOR = ":";
-function buildPrefix(name, id) {
-  if (id) {
-    return `${name}${NAMESPACE_SEPARATOR}${id}${NAMESPACE_SEPARATOR}`;
+  /**
+   * Get a secret key by ID.
+   *
+   * @param kid - Key identifier
+   * @returns Secret key data or null if not found or wrong type
+   */
+  async getSecret(kid) {
+    const key = await this.get(kid);
+    if (!key || !isSecretKeyData(key)) return null;
+    return key;
   }
-  return `${name}${NAMESPACE_SEPARATOR}`;
-}
-var NamespacedStorageImpl = class _NamespacedStorageImpl {
-  constructor(adapter, prefix = "", root = adapter) {
-    this.adapter = adapter;
-    this.prefix = prefix;
-    this.root = root;
+  /**
+   * Get an asymmetric key by ID.
+   *
+   * @param kid - Key identifier
+   * @returns Asymmetric key data or null if not found or wrong type
+   */
+  async getAsymmetric(kid) {
+    const key = await this.get(kid);
+    if (!key || !isAsymmetricKeyData(key)) return null;
+    return key;
   }
-  // ============================================
-  // Key Prefixing Helpers
-  // ============================================
   /**
-   * Add prefix to a key.
+   * Store a key.
+   *
+   * @param key - Key data to store
    */
-  prefixKey(key) {
-    return this.prefix + key;
+  async set(key) {
+    const validation = validateKeyData(key);
+    if (!validation.valid) {
+      throw new Error(`Invalid key data: ${validation.error}`);
+    }
+    await this.storage.set(key.kid, JSON.stringify(key, null, 2));
+    if (this.enableCache) {
+      this.cache.set(key.kid, key);
+    }
   }
   /**
-   * Remove prefix from a key.
+   * Delete a key.
+   *
+   * @param kid - Key identifier
+   * @returns true if key existed and was deleted
    */
-  unprefixKey(key) {
-    if (this.prefix && key.startsWith(this.prefix)) {
-      return key.slice(this.prefix.length);
+  async delete(kid) {
+    this.cache.delete(kid);
+    return this.storage.delete(kid);
+  }
+  /**
+   * Check if a key exists.
+   *
+   * @param kid - Key identifier
+   * @returns true if key exists
+   */
+  async has(kid) {
+    if (this.enableCache && this.cache.has(kid)) {
+      return true;
     }
-    return key;
+    return this.storage.exists(kid);
   }
   /**
-   * Add prefix to a pattern (for keys() operation).
+   * List all key IDs.
+   *
+   * @returns Array of key identifiers
    */
-  prefixPattern(pattern) {
-    return this.prefix + pattern;
+  async list() {
+    return this.storage.keys();
   }
   /**
-   * Add prefix to a channel (for pub/sub).
+   * Get or create a secret key.
+   *
+   * If a key with the given ID exists and is a valid secret key,
+   * it is returned. Otherwise, a new secret key is generated.
+   *
+   * @param kid - Key identifier
+   * @param options - Options for key creation
+   * @returns Secret key data
+   *
+   * @example
+   * ```typescript
+   * const secret = await keys.getOrCreateSecret('encryption-key');
+   * const bytes = base64urlDecode(secret.secret);
+   * ```
    */
-  prefixChannel(channel) {
-    return this.prefix + channel;
+  async getOrCreateSecret(kid, options) {
+    const existing = await this.getSecret(kid);
+    if (existing) {
+      return existing;
+    }
+    const bytes = options?.bytes ?? 32;
+    const secret = {
+      type: "secret",
+      kid,
+      secret: base64urlEncode(randomBytes(bytes)),
+      bytes,
+      createdAt: Date.now(),
+      version: 1
+    };
+    await this.set(secret);
+    return secret;
   }
-  // ============================================
-  // Namespace API
-  // ============================================
-  namespace(name, id) {
-    const newPrefix = this.prefix + buildPrefix(name, id);
-    return new _NamespacedStorageImpl(this.adapter, newPrefix, this.root);
+  /**
+   * Clear the in-memory cache.
+   *
+   * Useful when you want to force a reload from storage.
+   */
+  clearCache() {
+    this.cache.clear();
+  }
+  /**
+   * Clear cache for a specific key.
+   *
+   * @param kid - Key identifier
+   */
+  clearCacheFor(kid) {
+    this.cache.delete(kid);
+  }
+  /**
+   * Check if a key is in the cache.
+   *
+   * @param kid - Key identifier
+   * @returns true if key is cached
+   */
+  isCached(kid) {
+    return this.cache.has(kid);
+  }
+  /**
+   * Get the underlying storage adapter.
+   *
+   * Use with caution - direct storage access bypasses validation.
+   */
+  getAdapter() {
+    return this.storage;
+  }
+};
+
+// libs/utils/src/storage/adapters/memory.ts
+var import_events = require("events");
+init_base();
+init_errors();
+init_pattern();
+init_ttl();
+var DEFAULT_SWEEP_INTERVAL_SECONDS = 60;
+var MAX_TIMEOUT_MS = 2147483647;
+var MemoryStorageAdapter = class extends BaseStorageAdapter {
+  backendName = "memory";
+  store = /* @__PURE__ */ new Map();
+  emitter = new import_events.EventEmitter();
+  sweepInterval;
+  options;
+  // LRU tracking (simple linked list via insertion order in Map)
+  accessOrder = [];
+  constructor(options = {}) {
+    super();
+    this.options = {
+      enableSweeper: options.enableSweeper ?? true,
+      sweepIntervalSeconds: options.sweepIntervalSeconds ?? DEFAULT_SWEEP_INTERVAL_SECONDS,
+      maxEntries: options.maxEntries ?? 0
+      // 0 = unlimited
+    };
+    this.emitter.setMaxListeners(1e3);
   }
   // ============================================
-  // Connection Lifecycle (delegated to root)
+  // Connection Lifecycle
   // ============================================
   async connect() {
-    return this.adapter.connect();
+    if (this.connected) return;
+    this.connected = true;
+    if (this.options.enableSweeper && this.options.sweepIntervalSeconds > 0) {
+      this.startSweeper();
+    }
   }
   async disconnect() {
-    return this.adapter.disconnect();
+    if (!this.connected) return;
+    this.stopSweeper();
+    this.clearAllTimeouts();
+    this.store.clear();
+    this.accessOrder = [];
+    this.emitter.removeAllListeners();
+    this.connected = false;
   }
   async ping() {
-    return this.adapter.ping();
+    return this.connected;
   }
   // ============================================
-  // Core Operations (with prefixing)
-  // ============================================
-  async get(key) {
-    return this.adapter.get(this.prefixKey(key));
-  }
-  async set(key, value, options) {
-    return this.adapter.set(this.prefixKey(key), value, options);
-  }
-  async delete(key) {
-    return this.adapter.delete(this.prefixKey(key));
-  }
-  async exists(key) {
-    return this.adapter.exists(this.prefixKey(key));
-  }
-  // ============================================
-  // Batch Operations (with prefixing)
-  // ============================================
-  async mget(keys) {
-    const prefixedKeys = keys.map((k) => this.prefixKey(k));
-    return this.adapter.mget(prefixedKeys);
-  }
-  async mset(entries) {
-    const prefixedEntries = entries.map((e) => ({
-      ...e,
-      key: this.prefixKey(e.key)
-    }));
-    return this.adapter.mset(prefixedEntries);
-  }
-  async mdelete(keys) {
-    const prefixedKeys = keys.map((k) => this.prefixKey(k));
-    return this.adapter.mdelete(prefixedKeys);
-  }
-  // ============================================
-  // TTL Operations (with prefixing)
-  // ============================================
-  async expire(key, ttlSeconds) {
-    return this.adapter.expire(this.prefixKey(key), ttlSeconds);
-  }
-  async ttl(key) {
-    return this.adapter.ttl(this.prefixKey(key));
-  }
-  // ============================================
-  // Key Enumeration (with prefixing)
-  // ============================================
-  async keys(pattern = "*") {
-    const prefixedPattern = this.prefixPattern(pattern);
-    const keys = await this.adapter.keys(prefixedPattern);
-    return keys.map((k) => this.unprefixKey(k));
-  }
-  async count(pattern = "*") {
-    const prefixedPattern = this.prefixPattern(pattern);
-    return this.adapter.count(prefixedPattern);
-  }
-  // ============================================
-  // Atomic Operations (with prefixing)
-  // ============================================
-  async incr(key) {
-    return this.adapter.incr(this.prefixKey(key));
-  }
-  async decr(key) {
-    return this.adapter.decr(this.prefixKey(key));
-  }
-  async incrBy(key, amount) {
-    return this.adapter.incrBy(this.prefixKey(key), amount);
-  }
-  // ============================================
-  // Pub/Sub (with channel prefixing)
-  // ============================================
-  async publish(channel, message) {
-    return this.adapter.publish(this.prefixChannel(channel), message);
-  }
-  async subscribe(channel, handler) {
-    const prefixedChannel = this.prefixChannel(channel);
-    const wrappedHandler = (message, ch) => {
-      const unprefixedChannel = ch.startsWith(this.prefix) ? ch.slice(this.prefix.length) : ch;
-      handler(message, unprefixedChannel);
-    };
-    return this.adapter.subscribe(prefixedChannel, wrappedHandler);
-  }
-  supportsPubSub() {
-    return this.adapter.supportsPubSub();
-  }
-};
-function createRootStorage(adapter) {
-  return new NamespacedStorageImpl(adapter, "", adapter);
-}
-function createNamespacedStorage(adapter, prefix) {
-  const normalizedPrefix = prefix && !prefix.endsWith(NAMESPACE_SEPARATOR) ? prefix + NAMESPACE_SEPARATOR : prefix;
-  return new NamespacedStorageImpl(adapter, normalizedPrefix, adapter);
-}
-
-// libs/utils/src/storage/adapters/memory.ts
-var import_events = require("events");
-init_base();
-init_errors();
-
-// libs/utils/src/storage/utils/pattern.ts
-init_errors();
-var MAX_PATTERN_LENGTH = 500;
-var MAX_WILDCARDS = 20;
-var REGEX_SPECIAL_CHARS = /[.+^${}()|[\]\\]/g;
-function globToRegex(pattern) {
-  if (pattern.length > MAX_PATTERN_LENGTH) {
-    throw new StoragePatternError(
-      pattern.substring(0, 50) + "...",
-      `Pattern exceeds maximum length of ${MAX_PATTERN_LENGTH} characters`
-    );
-  }
-  const wildcardCount = (pattern.match(/[*?]/g) || []).length;
-  if (wildcardCount > MAX_WILDCARDS) {
-    throw new StoragePatternError(pattern, `Pattern has too many wildcards (max: ${MAX_WILDCARDS})`);
-  }
-  if (pattern === "" || pattern === "*") {
-    return /^.*$/;
-  }
-  let regexStr = "^";
-  let prevChar = "";
-  for (let i = 0; i < pattern.length; i++) {
-    const char = pattern[i];
-    switch (char) {
-      case "*":
-        if (prevChar !== "*") {
-          regexStr += ".*";
-        }
-        break;
-      case "?":
-        regexStr += ".";
-        break;
-      default:
-        regexStr += char.replace(REGEX_SPECIAL_CHARS, "\\$&");
-    }
-    prevChar = char;
-  }
-  regexStr += "$";
-  try {
-    return new RegExp(regexStr);
-  } catch {
-    throw new StoragePatternError(pattern, "Failed to compile pattern to regex");
-  }
-}
-function matchesPattern(key, pattern) {
-  const regex = globToRegex(pattern);
-  return regex.test(key);
-}
-function validatePattern(pattern) {
-  try {
-    globToRegex(pattern);
-    return { valid: true };
-  } catch (e) {
-    return {
-      valid: false,
-      error: e instanceof Error ? e.message : "Invalid pattern"
-    };
-  }
-}
-function escapeGlob(literal) {
-  return literal.replace(/[*?\\]/g, "\\$&");
-}
-
-// libs/utils/src/storage/adapters/memory.ts
-init_ttl();
-var DEFAULT_SWEEP_INTERVAL_SECONDS = 60;
-var MAX_TIMEOUT_MS = 2147483647;
-var MemoryStorageAdapter = class extends BaseStorageAdapter {
-  backendName = "memory";
-  store = /* @__PURE__ */ new Map();
-  emitter = new import_events.EventEmitter();
-  sweepInterval;
-  options;
-  // LRU tracking (simple linked list via insertion order in Map)
-  accessOrder = [];
-  constructor(options = {}) {
-    super();
-    this.options = {
-      enableSweeper: options.enableSweeper ?? true,
-      sweepIntervalSeconds: options.sweepIntervalSeconds ?? DEFAULT_SWEEP_INTERVAL_SECONDS,
-      maxEntries: options.maxEntries ?? 0
-      // 0 = unlimited
-    };
-    this.emitter.setMaxListeners(1e3);
-  }
-  // ============================================
-  // Connection Lifecycle
-  // ============================================
-  async connect() {
-    if (this.connected) return;
-    this.connected = true;
-    if (this.options.enableSweeper && this.options.sweepIntervalSeconds > 0) {
-      this.startSweeper();
-    }
-  }
-  async disconnect() {
-    if (!this.connected) return;
-    this.stopSweeper();
-    this.clearAllTimeouts();
-    this.store.clear();
-    this.accessOrder = [];
-    this.emitter.removeAllListeners();
-    this.connected = false;
-  }
-  async ping() {
-    return this.connected;
-  }
-  // ============================================
-  // Core Operations
+  // Core Operations
   // ============================================
   async get(key) {
     this.ensureConnected();
@@ -3168,42 +3285,624 @@ var MemoryStorageAdapter = class extends BaseStorageAdapter {
   }
 };
 
-// libs/utils/src/storage/factory.ts
-function isProduction() {
-  return process.env["NODE_ENV"] === "production";
-}
-function detectStorageType() {
-  if (process.env["UPSTASH_REDIS_REST_URL"] && process.env["UPSTASH_REDIS_REST_TOKEN"]) {
-    return "upstash";
+// libs/utils/src/storage/adapters/filesystem.ts
+init_base();
+init_errors();
+init_pattern();
+var FileSystemStorageAdapter = class extends BaseStorageAdapter {
+  backendName = "filesystem";
+  baseDir;
+  extension;
+  dirMode;
+  fileMode;
+  constructor(options) {
+    super();
+    this.baseDir = options.baseDir;
+    this.extension = options.extension ?? ".json";
+    this.dirMode = options.dirMode ?? 448;
+    this.fileMode = options.fileMode ?? 384;
   }
-  if (process.env["KV_REST_API_URL"] && process.env["KV_REST_API_TOKEN"]) {
-    return "vercel-kv";
+  // ============================================
+  // Connection Lifecycle
+  // ============================================
+  async connect() {
+    if (this.connected) return;
+    await ensureDir(this.baseDir);
+    try {
+      await mkdir(this.baseDir, { recursive: true, mode: this.dirMode });
+    } catch {
+    }
+    this.connected = true;
   }
-  if (process.env["REDIS_URL"] || process.env["REDIS_HOST"]) {
-    return "redis";
+  async disconnect() {
+    if (!this.connected) return;
+    this.connected = false;
   }
-  return "memory";
-}
-async function createAdapter(type, config) {
-  switch (type) {
-    case "memory": {
-      return new MemoryStorageAdapter(config.memory);
+  async ping() {
+    if (!this.connected) return false;
+    try {
+      return await fileExists(this.baseDir);
+    } catch {
+      return false;
     }
-    case "redis": {
-      const { RedisStorageAdapter: RedisStorageAdapter2 } = await Promise.resolve().then(() => (init_redis(), redis_exports));
-      return new RedisStorageAdapter2(config.redis);
+  }
+  // ============================================
+  // Core Operations
+  // ============================================
+  async get(key) {
+    this.ensureConnected();
+    const filePath = this.keyToPath(key);
+    try {
+      const entry = await readJSON(filePath);
+      if (!entry) return null;
+      if (entry.expiresAt && Date.now() >= entry.expiresAt) {
+        await this.deleteFile(filePath);
+        return null;
+      }
+      return entry.value;
+    } catch (e) {
+      const error = e;
+      if (error.code === "ENOENT") {
+        return null;
+      }
+      throw e;
     }
-    case "vercel-kv": {
-      const { VercelKvStorageAdapter: VercelKvStorageAdapter2 } = await Promise.resolve().then(() => (init_vercel_kv(), vercel_kv_exports));
-      return new VercelKvStorageAdapter2(config.vercelKv);
+  }
+  async doSet(key, value, options) {
+    const filePath = this.keyToPath(key);
+    const existingEntry = await this.readEntry(filePath);
+    const exists = existingEntry !== null && !this.isExpired(existingEntry);
+    if (options?.ifNotExists && exists) {
+      return;
     }
-    case "upstash": {
-      const { UpstashStorageAdapter: UpstashStorageAdapter2 } = await Promise.resolve().then(() => (init_upstash(), upstash_exports));
-      return new UpstashStorageAdapter2(config.upstash);
+    if (options?.ifExists && !exists) {
+      return;
     }
-    case "auto":
-      throw new StorageConfigError("auto", "Auto type should be resolved before calling createAdapter");
-    default:
+    const entry = { value };
+    if (options?.ttlSeconds) {
+      entry.expiresAt = Date.now() + options.ttlSeconds * 1e3;
+    }
+    await this.atomicWrite(filePath, entry);
+  }
+  async delete(key) {
+    this.ensureConnected();
+    const filePath = this.keyToPath(key);
+    return this.deleteFile(filePath);
+  }
+  async exists(key) {
+    this.ensureConnected();
+    const filePath = this.keyToPath(key);
+    try {
+      const entry = await this.readEntry(filePath);
+      if (!entry) return false;
+      if (this.isExpired(entry)) {
+        await this.deleteFile(filePath);
+        return false;
+      }
+      return true;
+    } catch {
+      return false;
+    }
+  }
+  // ============================================
+  // TTL Operations
+  // ============================================
+  async expire(key, ttlSeconds) {
+    this.ensureConnected();
+    const filePath = this.keyToPath(key);
+    const entry = await this.readEntry(filePath);
+    if (!entry || this.isExpired(entry)) {
+      return false;
+    }
+    entry.expiresAt = Date.now() + ttlSeconds * 1e3;
+    await this.atomicWrite(filePath, entry);
+    return true;
+  }
+  async ttl(key) {
+    this.ensureConnected();
+    const filePath = this.keyToPath(key);
+    const entry = await this.readEntry(filePath);
+    if (!entry) return null;
+    if (this.isExpired(entry)) {
+      await this.deleteFile(filePath);
+      return null;
+    }
+    if (entry.expiresAt === void 0) {
+      return -1;
+    }
+    return Math.max(0, Math.ceil((entry.expiresAt - Date.now()) / 1e3));
+  }
+  // ============================================
+  // Key Enumeration
+  // ============================================
+  async keys(pattern = "*") {
+    this.ensureConnected();
+    const regex = globToRegex(pattern);
+    const result = [];
+    try {
+      const files = await readdir(this.baseDir);
+      for (const file of files) {
+        if (!file.endsWith(this.extension)) continue;
+        const key = this.pathToKey(file);
+        if (!regex.test(key)) continue;
+        const filePath = this.keyToPath(key);
+        const entry = await this.readEntry(filePath);
+        if (entry && !this.isExpired(entry)) {
+          result.push(key);
+        } else if (entry && this.isExpired(entry)) {
+          await this.deleteFile(filePath);
+        }
+      }
+    } catch (e) {
+      const error = e;
+      if (error.code === "ENOENT") {
+        return [];
+      }
+      throw e;
+    }
+    return result;
+  }
+  // ============================================
+  // Atomic Operations
+  // ============================================
+  async incr(key) {
+    return this.incrBy(key, 1);
+  }
+  async decr(key) {
+    return this.incrBy(key, -1);
+  }
+  async incrBy(key, amount) {
+    this.ensureConnected();
+    const filePath = this.keyToPath(key);
+    const entry = await this.readEntry(filePath);
+    let currentValue = 0;
+    if (entry && !this.isExpired(entry)) {
+      const parsed = parseInt(entry.value, 10);
+      if (isNaN(parsed)) {
+        throw new StorageOperationError("incrBy", key, "Value is not an integer");
+      }
+      currentValue = parsed;
+    }
+    const newValue = currentValue + amount;
+    const newEntry = { value: String(newValue) };
+    if (entry?.expiresAt && !this.isExpired(entry)) {
+      newEntry.expiresAt = entry.expiresAt;
+    }
+    await this.atomicWrite(filePath, newEntry);
+    return newValue;
+  }
+  // ============================================
+  // Internal Helpers
+  // ============================================
+  /**
+   * Convert a storage key to a file path.
+   * Sanitizes the key to be filesystem-safe.
+   */
+  keyToPath(key) {
+    const safeKey = this.encodeKey(key);
+    return `${this.baseDir}/${safeKey}${this.extension}`;
+  }
+  /**
+   * Convert a filename back to a storage key.
+   */
+  pathToKey(filename) {
+    const safeKey = filename.slice(0, -this.extension.length);
+    return this.decodeKey(safeKey);
+  }
+  /**
+   * Encode a key to be filesystem-safe.
+   * Uses URL encoding to handle special characters.
+   */
+  encodeKey(key) {
+    return encodeURIComponent(key).replace(/\./g, "%2E");
+  }
+  /**
+   * Decode a filesystem-safe key back to original.
+   */
+  decodeKey(encoded) {
+    return decodeURIComponent(encoded);
+  }
+  /**
+   * Read an entry from a file.
+   */
+  async readEntry(filePath) {
+    try {
+      return await readJSON(filePath);
+    } catch {
+      return null;
+    }
+  }
+  /**
+   * Check if an entry is expired.
+   */
+  isExpired(entry) {
+    return entry.expiresAt !== void 0 && Date.now() >= entry.expiresAt;
+  }
+  /**
+   * Delete a file, returning true if it existed.
+   */
+  async deleteFile(filePath) {
+    try {
+      await unlink(filePath);
+      return true;
+    } catch (e) {
+      const error = e;
+      if (error.code === "ENOENT") {
+        return false;
+      }
+      throw e;
+    }
+  }
+  /**
+   * Atomic write: write to temp file then rename.
+   * This ensures we don't corrupt the file if write is interrupted.
+   */
+  async atomicWrite(filePath, entry) {
+    const tempSuffix = bytesToHex(randomBytes(8));
+    const tempPath = `${filePath}.${tempSuffix}.tmp`;
+    try {
+      const content = JSON.stringify(entry, null, 2);
+      await writeFile(tempPath, content, { mode: this.fileMode });
+      await rename(tempPath, filePath);
+    } catch (e) {
+      try {
+        await unlink(tempPath);
+      } catch {
+      }
+      throw e;
+    }
+  }
+  /**
+   * Get suggestion message for pub/sub not supported error.
+   */
+  getPubSubSuggestion() {
+    return "FileSystem adapter does not support pub/sub. Use Redis or Memory adapter for pub/sub support.";
+  }
+};
+
+// libs/utils/src/crypto/key-persistence/factory.ts
+var DEFAULT_BASE_DIR = ".frontmcp/keys";
+async function createKeyPersistence(options) {
+  const type = options?.type ?? "auto";
+  const baseDir = options?.baseDir ?? DEFAULT_BASE_DIR;
+  let adapter;
+  if (type === "memory") {
+    adapter = new MemoryStorageAdapter();
+  } else if (type === "filesystem") {
+    adapter = new FileSystemStorageAdapter({ baseDir });
+  } else {
+    if (isNode()) {
+      adapter = new FileSystemStorageAdapter({ baseDir });
+    } else {
+      adapter = new MemoryStorageAdapter();
+    }
+  }
+  await adapter.connect();
+  return new KeyPersistence({
+    storage: adapter,
+    throwOnInvalid: options?.throwOnInvalid ?? false,
+    enableCache: options?.enableCache ?? true
+  });
+}
+function createKeyPersistenceWithStorage(storage, options) {
+  return new KeyPersistence({
+    storage,
+    throwOnInvalid: options?.throwOnInvalid ?? false,
+    enableCache: options?.enableCache ?? true
+  });
+}
+
+// libs/utils/src/crypto/index.ts
+var _provider = null;
+function getCrypto() {
+  if (!_provider) {
+    if (isNode()) {
+      _provider = (init_node(), __toCommonJS(node_exports)).nodeCrypto;
+    } else {
+      _provider = (init_browser(), __toCommonJS(browser_exports)).browserCrypto;
+    }
+  }
+  return _provider;
+}
+function rsaVerify2(jwtAlg, data, publicJwk, signature) {
+  assertNode("rsaVerify");
+  return (init_node(), __toCommonJS(node_exports)).rsaVerify(jwtAlg, data, publicJwk, signature);
+}
+function randomUUID() {
+  return getCrypto().randomUUID();
+}
+function randomBytes(length) {
+  if (!Number.isInteger(length) || length <= 0) {
+    throw new Error(`randomBytes length must be a positive integer, got ${length}`);
+  }
+  return getCrypto().randomBytes(length);
+}
+function sha256(data) {
+  return getCrypto().sha256(data);
+}
+function sha256Hex(data) {
+  return getCrypto().sha256Hex(data);
+}
+function hmacSha256(key, data) {
+  return getCrypto().hmacSha256(key, data);
+}
+var HKDF_SHA256_MAX_LENGTH = 255 * 32;
+function hkdfSha256(ikm, salt, info, length) {
+  if (!Number.isInteger(length) || length <= 0) {
+    throw new Error(`HKDF length must be a positive integer, got ${length}`);
+  }
+  if (length > HKDF_SHA256_MAX_LENGTH) {
+    throw new Error(`HKDF-SHA256 length cannot exceed ${HKDF_SHA256_MAX_LENGTH} bytes, got ${length}`);
+  }
+  return getCrypto().hkdfSha256(ikm, salt, info, length);
+}
+function encryptAesGcm(key, plaintext, iv) {
+  if (key.length !== 32) {
+    throw new Error(`AES-256-GCM requires a 32-byte key, got ${key.length} bytes`);
+  }
+  if (iv.length !== 12) {
+    throw new Error(`AES-GCM requires a 12-byte IV, got ${iv.length} bytes`);
+  }
+  return getCrypto().encryptAesGcm(key, plaintext, iv);
+}
+function decryptAesGcm(key, ciphertext, iv, tag) {
+  if (key.length !== 32) {
+    throw new Error(`AES-256-GCM requires a 32-byte key, got ${key.length} bytes`);
+  }
+  if (iv.length !== 12) {
+    throw new Error(`AES-GCM requires a 12-byte IV, got ${iv.length} bytes`);
+  }
+  if (tag.length !== 16) {
+    throw new Error(`AES-GCM requires a 16-byte authentication tag, got ${tag.length} bytes`);
+  }
+  return getCrypto().decryptAesGcm(key, ciphertext, iv, tag);
+}
+function timingSafeEqual(a, b) {
+  if (a.length !== b.length) {
+    throw new Error(`timingSafeEqual requires equal-length arrays, got ${a.length} and ${b.length} bytes`);
+  }
+  return getCrypto().timingSafeEqual(a, b);
+}
+function bytesToHex(data) {
+  return Array.from(data).map((b) => b.toString(16).padStart(2, "0")).join("");
+}
+function base64urlEncode(data) {
+  let base64;
+  if (typeof Buffer !== "undefined") {
+    base64 = Buffer.from(data).toString("base64");
+  } else {
+    const binString = Array.from(data, (byte) => String.fromCodePoint(byte)).join("");
+    base64 = btoa(binString);
+  }
+  return base64.replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
+}
+function base64urlDecode(data) {
+  let base64 = data.replace(/-/g, "+").replace(/_/g, "/");
+  const pad = base64.length % 4;
+  if (pad) {
+    base64 += "=".repeat(4 - pad);
+  }
+  if (typeof Buffer !== "undefined") {
+    return new Uint8Array(Buffer.from(base64, "base64"));
+  } else {
+    const binString = atob(base64);
+    return Uint8Array.from(binString, (c) => c.codePointAt(0) ?? 0);
+  }
+}
+function base64Encode(data) {
+  if (typeof Buffer !== "undefined") {
+    return Buffer.from(data).toString("base64");
+  } else {
+    const binString = Array.from(data, (byte) => String.fromCodePoint(byte)).join("");
+    return btoa(binString);
+  }
+}
+function base64Decode(data) {
+  if (typeof Buffer !== "undefined") {
+    return new Uint8Array(Buffer.from(data, "base64"));
+  } else {
+    const binString = atob(data);
+    return Uint8Array.from(binString, (c) => c.codePointAt(0) ?? 0);
+  }
+}
+function sha256Base64url(data) {
+  return base64urlEncode(sha256(data));
+}
+
+// libs/utils/src/storage/factory.ts
+init_errors();
+
+// libs/utils/src/storage/namespace.ts
+var NAMESPACE_SEPARATOR = ":";
+function buildPrefix(name, id) {
+  if (id) {
+    return `${name}${NAMESPACE_SEPARATOR}${id}${NAMESPACE_SEPARATOR}`;
+  }
+  return `${name}${NAMESPACE_SEPARATOR}`;
+}
+var NamespacedStorageImpl = class _NamespacedStorageImpl {
+  constructor(adapter, prefix = "", root = adapter) {
+    this.adapter = adapter;
+    this.prefix = prefix;
+    this.root = root;
+  }
+  // ============================================
+  // Key Prefixing Helpers
+  // ============================================
+  /**
+   * Add prefix to a key.
+   */
+  prefixKey(key) {
+    return this.prefix + key;
+  }
+  /**
+   * Remove prefix from a key.
+   */
+  unprefixKey(key) {
+    if (this.prefix && key.startsWith(this.prefix)) {
+      return key.slice(this.prefix.length);
+    }
+    return key;
+  }
+  /**
+   * Add prefix to a pattern (for keys() operation).
+   */
+  prefixPattern(pattern) {
+    return this.prefix + pattern;
+  }
+  /**
+   * Add prefix to a channel (for pub/sub).
+   */
+  prefixChannel(channel) {
+    return this.prefix + channel;
+  }
+  // ============================================
+  // Namespace API
+  // ============================================
+  namespace(name, id) {
+    const newPrefix = this.prefix + buildPrefix(name, id);
+    return new _NamespacedStorageImpl(this.adapter, newPrefix, this.root);
+  }
+  // ============================================
+  // Connection Lifecycle (delegated to root)
+  // ============================================
+  async connect() {
+    return this.adapter.connect();
+  }
+  async disconnect() {
+    return this.adapter.disconnect();
+  }
+  async ping() {
+    return this.adapter.ping();
+  }
+  // ============================================
+  // Core Operations (with prefixing)
+  // ============================================
+  async get(key) {
+    return this.adapter.get(this.prefixKey(key));
+  }
+  async set(key, value, options) {
+    return this.adapter.set(this.prefixKey(key), value, options);
+  }
+  async delete(key) {
+    return this.adapter.delete(this.prefixKey(key));
+  }
+  async exists(key) {
+    return this.adapter.exists(this.prefixKey(key));
+  }
+  // ============================================
+  // Batch Operations (with prefixing)
+  // ============================================
+  async mget(keys) {
+    const prefixedKeys = keys.map((k) => this.prefixKey(k));
+    return this.adapter.mget(prefixedKeys);
+  }
+  async mset(entries) {
+    const prefixedEntries = entries.map((e) => ({
+      ...e,
+      key: this.prefixKey(e.key)
+    }));
+    return this.adapter.mset(prefixedEntries);
+  }
+  async mdelete(keys) {
+    const prefixedKeys = keys.map((k) => this.prefixKey(k));
+    return this.adapter.mdelete(prefixedKeys);
+  }
+  // ============================================
+  // TTL Operations (with prefixing)
+  // ============================================
+  async expire(key, ttlSeconds) {
+    return this.adapter.expire(this.prefixKey(key), ttlSeconds);
+  }
+  async ttl(key) {
+    return this.adapter.ttl(this.prefixKey(key));
+  }
+  // ============================================
+  // Key Enumeration (with prefixing)
+  // ============================================
+  async keys(pattern = "*") {
+    const prefixedPattern = this.prefixPattern(pattern);
+    const keys = await this.adapter.keys(prefixedPattern);
+    return keys.map((k) => this.unprefixKey(k));
+  }
+  async count(pattern = "*") {
+    const prefixedPattern = this.prefixPattern(pattern);
+    return this.adapter.count(prefixedPattern);
+  }
+  // ============================================
+  // Atomic Operations (with prefixing)
+  // ============================================
+  async incr(key) {
+    return this.adapter.incr(this.prefixKey(key));
+  }
+  async decr(key) {
+    return this.adapter.decr(this.prefixKey(key));
+  }
+  async incrBy(key, amount) {
+    return this.adapter.incrBy(this.prefixKey(key), amount);
+  }
+  // ============================================
+  // Pub/Sub (with channel prefixing)
+  // ============================================
+  async publish(channel, message) {
+    return this.adapter.publish(this.prefixChannel(channel), message);
+  }
+  async subscribe(channel, handler) {
+    const prefixedChannel = this.prefixChannel(channel);
+    const wrappedHandler = (message, ch) => {
+      const unprefixedChannel = ch.startsWith(this.prefix) ? ch.slice(this.prefix.length) : ch;
+      handler(message, unprefixedChannel);
+    };
+    return this.adapter.subscribe(prefixedChannel, wrappedHandler);
+  }
+  supportsPubSub() {
+    return this.adapter.supportsPubSub();
+  }
+};
+function createRootStorage(adapter) {
+  return new NamespacedStorageImpl(adapter, "", adapter);
+}
+function createNamespacedStorage(adapter, prefix) {
+  const normalizedPrefix = prefix && !prefix.endsWith(NAMESPACE_SEPARATOR) ? prefix + NAMESPACE_SEPARATOR : prefix;
+  return new NamespacedStorageImpl(adapter, normalizedPrefix, adapter);
+}
+
+// libs/utils/src/storage/factory.ts
+function isProduction() {
+  return process.env["NODE_ENV"] === "production";
+}
+function detectStorageType() {
+  if (process.env["UPSTASH_REDIS_REST_URL"] && process.env["UPSTASH_REDIS_REST_TOKEN"]) {
+    return "upstash";
+  }
+  if (process.env["KV_REST_API_URL"] && process.env["KV_REST_API_TOKEN"]) {
+    return "vercel-kv";
+  }
+  if (process.env["REDIS_URL"] || process.env["REDIS_HOST"]) {
+    return "redis";
+  }
+  return "memory";
+}
+async function createAdapter(type, config) {
+  switch (type) {
+    case "memory": {
+      return new MemoryStorageAdapter(config.memory);
+    }
+    case "redis": {
+      const { RedisStorageAdapter: RedisStorageAdapter2 } = await Promise.resolve().then(() => (init_redis(), redis_exports));
+      return new RedisStorageAdapter2(config.redis);
+    }
+    case "vercel-kv": {
+      const { VercelKvStorageAdapter: VercelKvStorageAdapter2 } = await Promise.resolve().then(() => (init_vercel_kv(), vercel_kv_exports));
+      return new VercelKvStorageAdapter2(config.vercelKv);
+    }
+    case "upstash": {
+      const { UpstashStorageAdapter: UpstashStorageAdapter2 } = await Promise.resolve().then(() => (init_upstash(), upstash_exports));
+      return new UpstashStorageAdapter2(config.upstash);
+    }
+    case "auto":
+      throw new StorageConfigError("auto", "Auto type should be resolved before calling createAdapter");
+    default:
       throw new StorageConfigError("unknown", `Unknown storage type: ${type}`);
   }
 }
@@ -3263,6 +3962,501 @@ function getDetectedStorageType() {
 // libs/utils/src/storage/index.ts
 init_errors();
 
+// libs/utils/src/storage/typed-storage.ts
+var TypedStorage = class {
+  storage;
+  serialize;
+  deserialize;
+  schema;
+  throwOnInvalid;
+  constructor(storage, options = {}) {
+    this.storage = storage;
+    this.serialize = options.serialize ?? JSON.stringify;
+    this.deserialize = options.deserialize ?? JSON.parse;
+    this.schema = options.schema;
+    this.throwOnInvalid = options.throwOnInvalid ?? false;
+  }
+  /**
+   * Get a typed value by key.
+   *
+   * @param key - Storage key
+   * @returns The typed value, or null if not found or invalid
+   */
+  async get(key) {
+    const raw = await this.storage.get(key);
+    if (raw === null) {
+      return null;
+    }
+    return this.parseValue(raw, key);
+  }
+  /**
+   * Set a typed value with optional TTL.
+   *
+   * @param key - Storage key
+   * @param value - Typed value to store
+   * @param options - Optional TTL and conditional flags
+   */
+  async set(key, value, options) {
+    const serialized = this.serialize(value);
+    await this.storage.set(key, serialized, options);
+  }
+  /**
+   * Delete a key.
+   *
+   * @param key - Storage key
+   * @returns true if key existed and was deleted
+   */
+  async delete(key) {
+    return this.storage.delete(key);
+  }
+  /**
+   * Check if a key exists.
+   *
+   * @param key - Storage key
+   * @returns true if key exists
+   */
+  async exists(key) {
+    return this.storage.exists(key);
+  }
+  /**
+   * Get multiple typed values.
+   *
+   * @param keys - Array of storage keys
+   * @returns Array of typed values (null for missing/invalid keys)
+   */
+  async mget(keys) {
+    if (keys.length === 0) {
+      return [];
+    }
+    const rawValues = await this.storage.mget(keys);
+    return rawValues.map((raw, index) => {
+      if (raw === null) {
+        return null;
+      }
+      return this.parseValue(raw, keys[index]);
+    });
+  }
+  /**
+   * Set multiple typed values.
+   *
+   * @param entries - Array of key-value-options entries
+   */
+  async mset(entries) {
+    if (entries.length === 0) {
+      return;
+    }
+    const rawEntries = entries.map((entry) => ({
+      key: entry.key,
+      value: this.serialize(entry.value),
+      options: entry.options
+    }));
+    await this.storage.mset(rawEntries);
+  }
+  /**
+   * Delete multiple keys.
+   *
+   * @param keys - Array of storage keys
+   * @returns Number of keys actually deleted
+   */
+  async mdelete(keys) {
+    return this.storage.mdelete(keys);
+  }
+  /**
+   * Update TTL on an existing key.
+   *
+   * @param key - Storage key
+   * @param ttlSeconds - New TTL in seconds
+   * @returns true if key exists and TTL was set
+   */
+  async expire(key, ttlSeconds) {
+    return this.storage.expire(key, ttlSeconds);
+  }
+  /**
+   * Get remaining TTL for a key.
+   *
+   * @param key - Storage key
+   * @returns TTL in seconds, -1 if no TTL, or null if key doesn't exist
+   */
+  async ttl(key) {
+    return this.storage.ttl(key);
+  }
+  /**
+   * List keys matching a pattern.
+   *
+   * @param pattern - Glob pattern (default: '*' for all keys)
+   * @returns Array of matching keys
+   */
+  async keys(pattern) {
+    return this.storage.keys(pattern);
+  }
+  /**
+   * Count keys matching a pattern.
+   *
+   * @param pattern - Glob pattern (default: '*' for all keys)
+   * @returns Number of matching keys
+   */
+  async count(pattern) {
+    return this.storage.count(pattern);
+  }
+  /**
+   * Get the underlying storage adapter.
+   * Use with caution - operations bypass type safety.
+   */
+  get raw() {
+    return this.storage;
+  }
+  /**
+   * Parse and validate a raw value.
+   */
+  parseValue(raw, key) {
+    try {
+      const parsed = this.deserialize(raw);
+      if (this.schema) {
+        const result = this.schema.safeParse(parsed);
+        if (!result.success) {
+          if (this.throwOnInvalid) {
+            throw new Error(`TypedStorage validation failed for key "${key}": ${result.error.message}`);
+          }
+          return null;
+        }
+        return result.data;
+      }
+      return parsed;
+    } catch (error) {
+      if (this.throwOnInvalid) {
+        throw error;
+      }
+      return null;
+    }
+  }
+};
+
+// libs/utils/src/storage/encrypted-typed-storage.ts
+init_errors();
+var textEncoder2 = new TextEncoder();
+var textDecoder2 = new TextDecoder();
+var EncryptedTypedStorage = class {
+  storage;
+  activeKey;
+  keyMap;
+  schema;
+  throwOnError;
+  onKeyRotationNeeded;
+  clientBinding;
+  constructor(storage, options) {
+    if (!options.keys || options.keys.length === 0) {
+      throw new EncryptedStorageError("At least one encryption key is required");
+    }
+    for (const k of options.keys) {
+      if (k.key.length !== 32) {
+        throw new EncryptedStorageError(
+          `Encryption key "${k.kid}" must be 32 bytes (AES-256), got ${k.key.length} bytes`
+        );
+      }
+    }
+    this.storage = storage;
+    this.activeKey = options.keys[0];
+    this.keyMap = new Map(options.keys.map((k) => [k.kid, k.key]));
+    this.schema = options.schema;
+    this.throwOnError = options.throwOnError ?? false;
+    this.onKeyRotationNeeded = options.onKeyRotationNeeded;
+    this.clientBinding = options.clientBinding;
+  }
+  /**
+   * Get a decrypted value by key.
+   *
+   * @param key - Storage key
+   * @returns The decrypted value, or null if not found or decryption fails
+   */
+  async get(key) {
+    const raw = await this.storage.get(key);
+    if (raw === null) {
+      return null;
+    }
+    return this.decryptAndParse(raw, key);
+  }
+  /**
+   * Encrypt and store a value.
+   *
+   * @param key - Storage key
+   * @param value - Value to encrypt and store
+   * @param options - Optional TTL and conditional flags
+   */
+  async set(key, value, options) {
+    const encrypted = this.encryptValue(value);
+    const serialized = JSON.stringify(encrypted);
+    await this.storage.set(key, serialized, options);
+  }
+  /**
+   * Delete a key.
+   *
+   * @param key - Storage key
+   * @returns true if key existed and was deleted
+   */
+  async delete(key) {
+    return this.storage.delete(key);
+  }
+  /**
+   * Check if a key exists.
+   *
+   * @param key - Storage key
+   * @returns true if key exists
+   */
+  async exists(key) {
+    return this.storage.exists(key);
+  }
+  /**
+   * Get multiple decrypted values.
+   *
+   * @param keys - Array of storage keys
+   * @returns Array of decrypted values (null for missing/invalid keys)
+   */
+  async mget(keys) {
+    if (keys.length === 0) {
+      return [];
+    }
+    const rawValues = await this.storage.mget(keys);
+    return rawValues.map((raw, index) => {
+      if (raw === null) {
+        return null;
+      }
+      return this.decryptAndParse(raw, keys[index]);
+    });
+  }
+  /**
+   * Encrypt and store multiple values.
+   *
+   * @param entries - Array of key-value-options entries
+   */
+  async mset(entries) {
+    if (entries.length === 0) {
+      return;
+    }
+    const rawEntries = entries.map((entry) => ({
+      key: entry.key,
+      value: JSON.stringify(this.encryptValue(entry.value)),
+      options: entry.options
+    }));
+    await this.storage.mset(rawEntries);
+  }
+  /**
+   * Delete multiple keys.
+   *
+   * @param keys - Array of storage keys
+   * @returns Number of keys actually deleted
+   */
+  async mdelete(keys) {
+    return this.storage.mdelete(keys);
+  }
+  /**
+   * Update TTL on an existing key.
+   *
+   * @param key - Storage key
+   * @param ttlSeconds - New TTL in seconds
+   * @returns true if key exists and TTL was set
+   */
+  async expire(key, ttlSeconds) {
+    return this.storage.expire(key, ttlSeconds);
+  }
+  /**
+   * Get remaining TTL for a key.
+   *
+   * @param key - Storage key
+   * @returns TTL in seconds, -1 if no TTL, or null if key doesn't exist
+   */
+  async ttl(key) {
+    return this.storage.ttl(key);
+  }
+  /**
+   * List keys matching a pattern.
+   *
+   * @param pattern - Glob pattern (default: '*' for all keys)
+   * @returns Array of matching keys
+   */
+  async keys(pattern) {
+    return this.storage.keys(pattern);
+  }
+  /**
+   * Count keys matching a pattern.
+   *
+   * @param pattern - Glob pattern (default: '*' for all keys)
+   * @returns Number of matching keys
+   */
+  async count(pattern) {
+    return this.storage.count(pattern);
+  }
+  /**
+   * Re-encrypt a value with the active key.
+   * Useful for key rotation - reads with old key, writes with new key.
+   *
+   * @param key - Storage key to re-encrypt
+   * @param options - Optional TTL for the re-encrypted value
+   * @returns true if value was re-encrypted, false if not found
+   */
+  async reencrypt(key, options) {
+    const value = await this.get(key);
+    if (value === null) {
+      return false;
+    }
+    await this.set(key, value, options);
+    return true;
+  }
+  /**
+   * Rotate the active encryption key.
+   * New encryptions will use the new key; old keys remain for decryption.
+   *
+   * @param newKey - New encryption key to use for writes
+   */
+  rotateKey(newKey) {
+    if (newKey.key.length !== 32) {
+      throw new EncryptedStorageError(`New encryption key must be 32 bytes (AES-256), got ${newKey.key.length} bytes`);
+    }
+    if (!this.keyMap.has(newKey.kid)) {
+      this.keyMap.set(newKey.kid, newKey.key);
+    }
+    this.activeKey = newKey;
+  }
+  /**
+   * Get the active key ID.
+   */
+  get activeKeyId() {
+    return this.activeKey.kid;
+  }
+  /**
+   * Get all known key IDs.
+   */
+  get keyIds() {
+    return Array.from(this.keyMap.keys());
+  }
+  /**
+   * Get the underlying storage adapter.
+   * Use with caution - operations bypass encryption.
+   */
+  get raw() {
+    return this.storage;
+  }
+  /**
+   * Check if client-side key binding is enabled.
+   * When true, encryption keys are derived from both server key and client secret.
+   */
+  get hasClientBinding() {
+    return this.clientBinding !== void 0;
+  }
+  /**
+   * Derive the actual encryption key.
+   *
+   * If clientBinding is configured, combines server key with client secret
+   * using HKDF-SHA256 (RFC 5869) to produce the actual encryption key.
+   * Otherwise, returns the server key as-is.
+   *
+   * This provides zero-knowledge encryption where:
+   * - Server cannot decrypt without client secret (sessionId)
+   * - Client cannot decrypt without server key
+   * - Key derivation is deterministic (same inputs -> same derived key)
+   *
+   * @param serverKey - The server-side encryption key
+   * @returns The key to use for actual encryption/decryption
+   */
+  deriveKey(serverKey) {
+    if (!this.clientBinding) {
+      return serverKey;
+    }
+    const clientSecret = typeof this.clientBinding.secret === "string" ? textEncoder2.encode(this.clientBinding.secret) : this.clientBinding.secret;
+    const ikm = new Uint8Array(serverKey.length + clientSecret.length);
+    ikm.set(serverKey, 0);
+    ikm.set(clientSecret, serverKey.length);
+    const salt = this.clientBinding.salt ?? new Uint8Array(0);
+    const info = textEncoder2.encode(this.clientBinding.info ?? "frontmcp-client-bound-v1");
+    return hkdfSha256(ikm, salt, info, 32);
+  }
+  /**
+   * Encrypt a value using the active key.
+   * If client binding is configured, uses derived key from server key + client secret.
+   */
+  encryptValue(value) {
+    let jsonString;
+    try {
+      jsonString = JSON.stringify(value);
+    } catch (error) {
+      throw new EncryptedStorageError(`Failed to serialize value: ${error.message}`);
+    }
+    const plaintext = textEncoder2.encode(jsonString);
+    const iv = randomBytes(12);
+    const encryptionKey = this.deriveKey(this.activeKey.key);
+    const { ciphertext, tag } = encryptAesGcm(encryptionKey, plaintext, iv);
+    return {
+      alg: "A256GCM",
+      kid: this.activeKey.kid,
+      iv: base64urlEncode(iv),
+      tag: base64urlEncode(tag),
+      data: base64urlEncode(ciphertext)
+    };
+  }
+  /**
+   * Decrypt and parse a stored value.
+   */
+  decryptAndParse(raw, storageKey) {
+    let blob;
+    try {
+      blob = JSON.parse(raw);
+    } catch (_error) {
+      if (this.throwOnError) {
+        throw new EncryptedStorageError(`Failed to parse stored blob for key "${storageKey}"`);
+      }
+      return null;
+    }
+    if (!this.isValidBlob(blob)) {
+      if (this.throwOnError) {
+        throw new EncryptedStorageError(`Invalid encrypted blob structure for key "${storageKey}"`);
+      }
+      return null;
+    }
+    const serverKey = this.keyMap.get(blob.kid);
+    if (!serverKey) {
+      if (this.throwOnError) {
+        throw new EncryptedStorageError(
+          `Unknown encryption key "${blob.kid}" for key "${storageKey}". Known keys: ${Array.from(this.keyMap.keys()).join(", ")}`
+        );
+      }
+      return null;
+    }
+    const decryptionKey = this.deriveKey(serverKey);
+    let decrypted;
+    try {
+      const iv = base64urlDecode(blob.iv);
+      const tag = base64urlDecode(blob.tag);
+      const ciphertext = base64urlDecode(blob.data);
+      const plaintext = decryptAesGcm(decryptionKey, ciphertext, iv, tag);
+      decrypted = JSON.parse(textDecoder2.decode(plaintext));
+    } catch (error) {
+      if (this.throwOnError) {
+        throw new EncryptedStorageError(`Decryption failed for key "${storageKey}": ${error.message}`);
+      }
+      return null;
+    }
+    if (this.schema) {
+      const result = this.schema.safeParse(decrypted);
+      if (!result.success) {
+        if (this.throwOnError) {
+          throw new EncryptedStorageError(`Schema validation failed for key "${storageKey}": ${result.error.message}`);
+        }
+        return null;
+      }
+      decrypted = result.data;
+    }
+    if (blob.kid !== this.activeKey.kid && this.onKeyRotationNeeded) {
+      this.onKeyRotationNeeded(storageKey, blob.kid, this.activeKey.kid);
+    }
+    return decrypted;
+  }
+  /**
+   * Validate blob structure.
+   */
+  isValidBlob(blob) {
+    return typeof blob === "object" && blob !== null && "alg" in blob && "kid" in blob && "iv" in blob && "tag" in blob && "data" in blob && blob.alg === "A256GCM" && typeof blob.kid === "string" && typeof blob.iv === "string" && typeof blob.tag === "string" && typeof blob.data === "string";
+  }
+};
+
 // libs/utils/src/storage/adapters/index.ts
 init_base();
 init_redis();
@@ -3270,6 +4464,7 @@ init_vercel_kv();
 init_upstash();
 
 // libs/utils/src/storage/index.ts
+init_pattern();
 init_ttl();
 // Annotate the CommonJS export names for ESM import in node:
 0 && (module.exports = {
@@ -3277,6 +4472,10 @@ init_ttl();
   DEFAULT_CODE_VERIFIER_LENGTH,
   DEFAULT_MAX_INPUT_LENGTH,
   EncryptedBlobError,
+  EncryptedStorageError,
+  EncryptedTypedStorage,
+  FileSystemStorageAdapter,
+  KeyPersistence,
   MAX_CODE_VERIFIER_LENGTH,
   MAX_TTL_SECONDS,
   MIN_CODE_VERIFIER_LENGTH,
@@ -3294,11 +4493,17 @@ init_ttl();
   StorageOperationError,
   StoragePatternError,
   StorageTTLError,
+  TypedStorage,
   UpstashStorageAdapter,
   VercelKvStorageAdapter,
   access,
   analyzePattern,
+  anyKeyDataSchema,
   assertNode,
+  asymmetricAlgSchema,
+  asymmetricKeyDataSchema,
+  base64Decode,
+  base64Encode,
   base64urlDecode,
   base64urlEncode,
   buildPrefix,
@@ -3308,6 +4513,8 @@ init_ttl();
   collapseWhitespace,
   copyFile,
   cp,
+  createKeyPersistence,
+  createKeyPersistenceWithStorage,
   createMemoryStorage,
   createNamespacedStorage,
   createRootStorage,
@@ -3349,6 +4556,7 @@ init_ttl();
   hmacSha256,
   idFromString,
   inferMimeType,
+  isAsymmetricKeyData,
   isBrowser,
   isDirEmpty,
   isExpired,
@@ -3357,7 +4565,9 @@ init_ttl();
   isPatternSafe,
   isRsaPssAlg,
   isSecretCached,
+  isSecretKeyData,
   isSecretPersistenceEnabled,
+  isSignedData,
   isUriTemplate,
   isValidCodeChallenge,
   isValidCodeVerifier,
@@ -3372,12 +4582,14 @@ init_ttl();
   mkdir,
   mkdtemp,
   normalizeTTL,
+  parseKeyData,
   parseSecretData,
   parseUriTemplate,
   randomBytes,
   randomUUID,
   readFile,
   readFileBuffer,
+  readFileSync,
   readJSON,
   readdir,
   rename,
@@ -3394,12 +4606,14 @@ init_ttl();
   sanitizeToJson,
   saveSecret,
   secretDataSchema,
+  secretKeyDataSchema,
   sepFor,
   serializeBlob,
   sha256,
   sha256Base64url,
   sha256Hex,
   shortHash,
+  signData,
   splitWords,
   stat,
   timingSafeEqual,
@@ -3415,11 +4629,14 @@ init_ttl();
   ttlToExpiresAt,
   unlink,
   validateBaseUrl,
+  validateKeyData,
   validateOptionalTTL,
   validatePattern,
   validateSecretData,
   validateTTL,
   verifyCodeChallenge,
+  verifyData,
+  verifyOrParseData,
   writeFile,
   writeJSON
 });