@guardcore/core 1.0.0

package/dist/index.cjs

@@ -0,0 +1,4120 @@
+"use strict";
+var __create = Object.create;
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __getProtoOf = Object.getPrototypeOf;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __esm = (fn, res) => function __init() {
+  return fn && (res = (0, fn[__getOwnPropNames(fn)[0]])(fn = 0)), res;
+};
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
+  // If the importer is in node compatibility mode or this is not an ESM
+  // file that has been converted to a CommonJS file using a Babel-
+  // compatible transform (i.e. "__esModule" has not been set), then set
+  // "default" to the CommonJS "module.exports" for node compatibility.
+  isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
+  mod
+));
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+
+// src/detection-engine/compiler.ts
+async function loadRE2() {
+  if (RE2Ctor) return RE2Ctor;
+  try {
+    const mod = await import("re2-wasm");
+    RE2Ctor = mod.RE2 ?? mod.default?.RE2 ?? mod.default;
+    return RE2Ctor;
+  } catch {
+    return null;
+  }
+}
+var DANGEROUS_PATTERNS, DEFAULT_TEST_STRINGS, RE2Ctor, PatternCompiler;
+var init_compiler = __esm({
+  "src/detection-engine/compiler.ts"() {
+    "use strict";
+    DANGEROUS_PATTERNS = [
+      /\(\.\*\)\+/,
+      /\(\.\+\)\+/,
+      /\([^)]*\*\)\+/,
+      /\([^)]*\+\)\+/,
+      /(?:\.\*){2,}/,
+      /(?:\.\+){2,}/
+    ];
+    DEFAULT_TEST_STRINGS = [
+      "a".repeat(10),
+      "a".repeat(100),
+      "a".repeat(1e3),
+      "x".repeat(50) + "y".repeat(50),
+      "<".repeat(100) + ">".repeat(100)
+    ];
+    RE2Ctor = null;
+    PatternCompiler = class {
+      constructor(defaultTimeoutMs = 2e3, maxCacheSize = 1e3) {
+        this.defaultTimeoutMs = defaultTimeoutMs;
+        this.maxCacheSize = maxCacheSize;
+        this.maxCacheSize = Math.min(maxCacheSize, 5e3);
+      }
+      cache = /* @__PURE__ */ new Map();
+      cacheOrder = [];
+      re2Available = null;
+      async ensureRE2() {
+        if (this.re2Available !== null) return this.re2Available;
+        const ctor = await loadRE2();
+        this.re2Available = ctor !== null;
+        return this.re2Available;
+      }
+      async compile(pattern, flags = "gi") {
+        const key = `${pattern}:${flags}`;
+        if (this.cache.has(key)) {
+          const idx = this.cacheOrder.indexOf(key);
+          if (idx !== -1) {
+            this.cacheOrder.splice(idx, 1);
+            this.cacheOrder.push(key);
+          }
+          return this.cache.get(key);
+        }
+        if (this.cache.size >= this.maxCacheSize) {
+          const oldest = this.cacheOrder.shift();
+          if (oldest) this.cache.delete(oldest);
+        }
+        let compiled;
+        if (await this.ensureRE2()) {
+          try {
+            compiled = new RE2Ctor(pattern, flags);
+          } catch {
+            compiled = new RegExp(pattern, flags);
+          }
+        } else {
+          compiled = new RegExp(pattern, flags);
+        }
+        this.cache.set(key, compiled);
+        this.cacheOrder.push(key);
+        return compiled;
+      }
+      compileSync(pattern, flags = "gi") {
+        return new RegExp(pattern, flags);
+      }
+      async safeMatch(pattern, content, timeoutMs) {
+        try {
+          const compiled = await this.compile(pattern);
+          return compiled.exec(content);
+        } catch {
+          return this.fallbackMatch(pattern, content, timeoutMs ?? this.defaultTimeoutMs);
+        }
+      }
+      async fallbackMatch(pattern, content, timeoutMs) {
+        try {
+          const { Worker } = await import("worker_threads");
+          return new Promise((resolve) => {
+            const workerCode = `
+          const { parentPort, workerData } = require('node:worker_threads');
+          try {
+            const re = new RegExp(workerData.pattern, workerData.flags);
+            const result = re.exec(workerData.content);
+            parentPort.postMessage({ result });
+          } catch (e) {
+            parentPort.postMessage({ result: null });
+          }
+        `;
+            const worker = new Worker(workerCode, {
+              eval: true,
+              workerData: { pattern, content, flags: "gi" }
+            });
+            const timer = setTimeout(() => {
+              worker.terminate();
+              resolve(null);
+            }, timeoutMs);
+            worker.on("message", (msg) => {
+              clearTimeout(timer);
+              worker.terminate();
+              resolve(msg.result);
+            });
+            worker.on("error", () => {
+              clearTimeout(timer);
+              worker.terminate();
+              resolve(null);
+            });
+          });
+        } catch {
+          try {
+            const re = new RegExp(pattern, "gi");
+            return re.exec(content);
+          } catch {
+            return null;
+          }
+        }
+      }
+      validatePatternSafety(pattern, testStrings) {
+        for (const dangerous of DANGEROUS_PATTERNS) {
+          if (dangerous.test(pattern)) {
+            return [false, `Pattern contains dangerous construct: ${dangerous.source}`];
+          }
+        }
+        const strings = testStrings ?? DEFAULT_TEST_STRINGS;
+        try {
+          const compiled = this.compileSync(pattern);
+          for (const testStr of strings) {
+            const start = performance.now();
+            compiled.exec(testStr);
+            const elapsed = performance.now() - start;
+            if (elapsed > 50) {
+              return [false, `Pattern timed out on test string of length ${testStr.length}`];
+            }
+          }
+        } catch (e) {
+          return [false, `Pattern validation failed: ${String(e)}`];
+        }
+        return [true, "Pattern appears safe"];
+      }
+      async batchCompile(patterns, validate = true) {
+        const compiled = /* @__PURE__ */ new Map();
+        for (const pattern of patterns) {
+          if (validate) {
+            const [isSafe] = this.validatePatternSafety(pattern);
+            if (!isSafe) continue;
+          }
+          try {
+            compiled.set(pattern, await this.compile(pattern));
+          } catch {
+            continue;
+          }
+        }
+        return compiled;
+      }
+      async clearCache() {
+        this.cache.clear();
+        this.cacheOrder = [];
+      }
+    };
+  }
+});
+
+// src/detection-engine/preprocessor.ts
+var ATTACK_INDICATORS, LOOKALIKES, CONTROL_CHARS_RE, ContentPreprocessor;
+var init_preprocessor = __esm({
+  "src/detection-engine/preprocessor.ts"() {
+    "use strict";
+    ATTACK_INDICATORS = [
+      /<script/i,
+      /javascript:/i,
+      /on\w+=/i,
+      /SELECT\s+.{0,50}?\s+FROM/i,
+      /UNION\s+SELECT/i,
+      /\.\.\//,
+      /eval\s*\(/i,
+      /exec\s*\(/i,
+      /system\s*\(/i,
+      /<\?php/i,
+      /<%%/,
+      /\{\{/,
+      /\{%/,
+      /<iframe/i,
+      /<object/i,
+      /<embed/i,
+      /onerror\s*=/i,
+      /onload\s*=/i,
+      /\$\{/,
+      /\\x[0-9a-fA-F]{2}/,
+      /%[0-9a-fA-F]{2}/
+    ];
+    LOOKALIKES = {
+      "\u2044": "/",
+      "\uFF0F": "/",
+      "\u29F8": "/",
+      "\u0130": "I",
+      "\u0131": "i",
+      "\u200B": "",
+      "\u200C": "",
+      "\u200D": "",
+      "\uFEFF": "",
+      "\xAD": "",
+      "\u034F": "",
+      "\u180E": "",
+      "\u2028": "\n",
+      "\u2029": "\n",
+      "\uE000": "",
+      "\uFFF0": "",
+      "\u01C0": "|",
+      "\u037E": ";",
+      "\u2215": "/",
+      "\u2216": "\\",
+      "\uFF1C": "<",
+      "\uFF1E": ">"
+    };
+    CONTROL_CHARS_RE = /[\x00-\x08\x0b\x0c\x0e-\x1f]/g;
+    ContentPreprocessor = class {
+      maxContentLength;
+      preserveAttackPatterns;
+      constructor(maxContentLength = 1e4, preserveAttackPatterns = true) {
+        this.maxContentLength = maxContentLength;
+        this.preserveAttackPatterns = preserveAttackPatterns;
+      }
+      normalizeUnicode(content) {
+        let normalized = content.normalize("NFKC");
+        for (const [char, replacement] of Object.entries(LOOKALIKES)) {
+          normalized = normalized.replaceAll(char, replacement);
+        }
+        return normalized;
+      }
+      removeNullBytes(content) {
+        return content.replace(/\x00/g, "").replace(CONTROL_CHARS_RE, "");
+      }
+      removeExcessiveWhitespace(content) {
+        return content.replace(/\s+/g, " ").trim();
+      }
+      decodeCommonEncodings(content) {
+        const maxIterations = 3;
+        let current = content;
+        for (let i = 0; i < maxIterations; i++) {
+          const original = current;
+          try {
+            const decoded = decodeURIComponent(current);
+            if (decoded !== current) current = decoded;
+          } catch {
+          }
+          try {
+            current = this.decodeHtmlEntities(current);
+          } catch {
+          }
+          if (current === original) break;
+        }
+        return current;
+      }
+      decodeHtmlEntities(content) {
+        const entityMap = {
+          "&amp;": "&",
+          "&lt;": "<",
+          "&gt;": ">",
+          "&quot;": '"',
+          "&#39;": "'",
+          "&apos;": "'",
+          "&#x27;": "'",
+          "&#x2F;": "/",
+          "&#47;": "/",
+          "&nbsp;": " "
+        };
+        let result = content;
+        for (const [entity, char] of Object.entries(entityMap)) {
+          result = result.replaceAll(entity, char);
+        }
+        result = result.replace(
+          /&#x([0-9a-fA-F]+);/g,
+          (_, hex) => String.fromCharCode(parseInt(hex, 16))
+        );
+        result = result.replace(
+          /&#(\d+);/g,
+          (_, dec) => String.fromCharCode(parseInt(dec, 10))
+        );
+        return result;
+      }
+      extractAttackRegions(content) {
+        const maxRegions = Math.min(100, Math.floor(this.maxContentLength / 100));
+        const regions = [];
+        for (const indicator of ATTACK_INDICATORS) {
+          const regex = new RegExp(indicator.source, indicator.flags + "g");
+          let match;
+          while ((match = regex.exec(content)) !== null) {
+            if (regions.length >= maxRegions) break;
+            const start = Math.max(0, match.index - 100);
+            const end = Math.min(content.length, match.index + match[0].length + 100);
+            regions.push([start, end]);
+          }
+          if (regions.length >= maxRegions) break;
+        }
+        if (regions.length === 0) return [];
+        regions.sort((a, b) => a[0] - b[0]);
+        const merged = [regions[0]];
+        for (let i = 1; i < regions.length; i++) {
+          const [start, end] = regions[i];
+          const last = merged[merged.length - 1];
+          if (start <= last[1]) {
+            last[1] = Math.max(last[1], end);
+          } else {
+            merged.push([start, end]);
+          }
+        }
+        return merged.slice(0, maxRegions);
+      }
+      truncateSafely(content) {
+        if (content.length <= this.maxContentLength) return content;
+        if (!this.preserveAttackPatterns) return content.slice(0, this.maxContentLength);
+        const attackRegions = this.extractAttackRegions(content);
+        if (attackRegions.length === 0) return content.slice(0, this.maxContentLength);
+        const attackLength = attackRegions.reduce((sum, [s, e]) => sum + (e - s), 0);
+        if (attackLength >= this.maxContentLength) {
+          let result = "";
+          let remaining2 = this.maxContentLength;
+          for (const [start, end] of attackRegions) {
+            const chunkLen = Math.min(end - start, remaining2);
+            result += content.slice(start, start + chunkLen);
+            remaining2 -= chunkLen;
+            if (remaining2 <= 0) break;
+          }
+          return result;
+        }
+        const parts = [];
+        for (const [start, end] of attackRegions) {
+          parts.push(content.slice(start, end));
+        }
+        let remaining = this.maxContentLength - attackLength;
+        let lastEnd = 0;
+        const contextParts = [];
+        for (const [start, end] of attackRegions) {
+          if (lastEnd < start && remaining > 0) {
+            const chunkLen = Math.min(start - lastEnd, remaining);
+            contextParts.push(content.slice(lastEnd, lastEnd + chunkLen));
+            remaining -= chunkLen;
+          }
+          lastEnd = end;
+        }
+        return [...contextParts, ...parts].join("");
+      }
+      async preprocess(content) {
+        if (!content) return "";
+        let result = this.normalizeUnicode(content);
+        result = this.decodeCommonEncodings(result);
+        result = this.removeNullBytes(result);
+        result = this.removeExcessiveWhitespace(result);
+        result = this.truncateSafely(result);
+        return result;
+      }
+      async preprocessBatch(contents) {
+        return Promise.all(contents.map((c) => this.preprocess(c)));
+      }
+    };
+  }
+});
+
+// src/detection-engine/monitor.ts
+function mean(values) {
+  if (values.length === 0) return 0;
+  return values.reduce((a, b) => a + b, 0) / values.length;
+}
+function stdev(values) {
+  if (values.length <= 1) return 0;
+  const avg = mean(values);
+  const squareDiffs = values.map((v) => (v - avg) ** 2);
+  return Math.sqrt(squareDiffs.reduce((a, b) => a + b, 0) / (values.length - 1));
+}
+function truncatePattern(pattern) {
+  return pattern.length > 50 ? pattern.slice(0, 50) + "..." : pattern;
+}
+function patternHash(pattern) {
+  let hash = 0;
+  for (let i = 0; i < pattern.length; i++) {
+    hash = (hash << 5) - hash + pattern.charCodeAt(i);
+    hash |= 0;
+  }
+  return String(hash).slice(0, 8);
+}
+var MAX_RECENT_TIMES, MAX_PATTERN_LENGTH, MIN_SAMPLES_FOR_STATS, PerformanceMonitor;
+var init_monitor = __esm({
+  "src/detection-engine/monitor.ts"() {
+    "use strict";
+    MAX_RECENT_TIMES = 100;
+    MAX_PATTERN_LENGTH = 100;
+    MIN_SAMPLES_FOR_STATS = 10;
+    PerformanceMonitor = class {
+      anomalyThreshold;
+      slowPatternThreshold;
+      historySize;
+      maxTrackedPatterns;
+      patternStats = /* @__PURE__ */ new Map();
+      recentMetrics = [];
+      anomalyCallbacks = [];
+      constructor(anomalyThreshold = 3, slowPatternThreshold = 0.1, historySize = 1e3, maxTrackedPatterns = 1e3) {
+        this.anomalyThreshold = Math.max(1, Math.min(10, anomalyThreshold));
+        this.slowPatternThreshold = Math.max(0.01, Math.min(10, slowPatternThreshold));
+        this.historySize = Math.max(100, Math.min(1e4, historySize));
+        this.maxTrackedPatterns = Math.max(100, Math.min(5e3, maxTrackedPatterns));
+      }
+      async recordMetric(pattern, executionTime, contentLength, matched, timeout = false, agentHandler = null, correlationId = null) {
+        let truncatedPattern = pattern;
+        if (pattern.length > MAX_PATTERN_LENGTH) {
+          truncatedPattern = pattern.slice(0, MAX_PATTERN_LENGTH) + "...[truncated]";
+        }
+        executionTime = Math.max(0, executionTime);
+        contentLength = Math.max(0, contentLength);
+        const metric = {
+          pattern: truncatedPattern,
+          executionTime,
+          contentLength,
+          timestamp: /* @__PURE__ */ new Date(),
+          matched,
+          timeout
+        };
+        this.recentMetrics.push(metric);
+        if (this.recentMetrics.length > this.historySize) {
+          this.recentMetrics.shift();
+        }
+        if (!this.patternStats.has(truncatedPattern)) {
+          if (this.patternStats.size >= this.maxTrackedPatterns) {
+            const oldestKey = this.patternStats.keys().next().value;
+            this.patternStats.delete(oldestKey);
+          }
+          this.patternStats.set(truncatedPattern, {
+            pattern: truncatedPattern,
+            totalExecutions: 0,
+            totalMatches: 0,
+            totalTimeouts: 0,
+            avgExecutionTime: 0,
+            maxExecutionTime: 0,
+            minExecutionTime: Infinity,
+            recentTimes: []
+          });
+        }
+        const stats = this.patternStats.get(truncatedPattern);
+        stats.totalExecutions++;
+        if (matched) stats.totalMatches++;
+        if (timeout) stats.totalTimeouts++;
+        if (!timeout) {
+          stats.recentTimes.push(executionTime);
+          if (stats.recentTimes.length > MAX_RECENT_TIMES) {
+            stats.recentTimes.shift();
+          }
+          stats.maxExecutionTime = Math.max(stats.maxExecutionTime, executionTime);
+          stats.minExecutionTime = Math.min(stats.minExecutionTime, executionTime);
+          if (stats.recentTimes.length > 0) {
+            stats.avgExecutionTime = mean(stats.recentTimes);
+          }
+        }
+        await this.checkAnomalies(metric, agentHandler, correlationId);
+      }
+      async checkAnomalies(metric, agentHandler, correlationId) {
+        const anomalies = [];
+        if (metric.timeout) {
+          anomalies.push({
+            type: "timeout",
+            pattern: metric.pattern,
+            contentLength: metric.contentLength
+          });
+        } else if (metric.executionTime > this.slowPatternThreshold) {
+          anomalies.push({
+            type: "slow_execution",
+            pattern: metric.pattern,
+            executionTime: metric.executionTime,
+            contentLength: metric.contentLength
+          });
+        }
+        const stats = this.patternStats.get(metric.pattern);
+        if (stats && stats.recentTimes.length >= MIN_SAMPLES_FOR_STATS) {
+          const avgTime = mean(stats.recentTimes);
+          const stdTime = stdev(stats.recentTimes);
+          if (stdTime > 0) {
+            const zScore = (metric.executionTime - avgTime) / stdTime;
+            if (Math.abs(zScore) > this.anomalyThreshold) {
+              anomalies.push({
+                type: "statistical_anomaly",
+                pattern: metric.pattern,
+                executionTime: metric.executionTime,
+                zScore,
+                avgTime,
+                stdTime
+              });
+            }
+          }
+        }
+        if (agentHandler) {
+          for (const anomaly of anomalies) {
+            try {
+              await agentHandler.sendEvent({
+                timestamp: /* @__PURE__ */ new Date(),
+                eventType: `pattern_anomaly_${anomaly["type"]}`,
+                ipAddress: "system",
+                actionTaken: "anomaly_detected",
+                reason: `Pattern performance anomaly: ${anomaly["type"]}`,
+                metadata: { component: "PerformanceMonitor", correlationId, ...anomaly }
+              });
+            } catch {
+            }
+          }
+        }
+        for (const anomaly of anomalies) {
+          const safe = { ...anomaly };
+          if (typeof safe["pattern"] === "string") {
+            safe["pattern"] = truncatePattern(safe["pattern"]);
+            safe["patternHash"] = patternHash(anomaly["pattern"]);
+          }
+          for (const callback of this.anomalyCallbacks) {
+            try {
+              callback(safe);
+            } catch {
+            }
+          }
+        }
+      }
+      getPatternReport(pattern) {
+        let key = pattern;
+        if (key.length > MAX_PATTERN_LENGTH) {
+          key = key.slice(0, MAX_PATTERN_LENGTH) + "...[truncated]";
+        }
+        const stats = this.patternStats.get(key);
+        if (!stats) return null;
+        return {
+          pattern: truncatePattern(key),
+          patternHash: patternHash(key),
+          totalExecutions: stats.totalExecutions,
+          totalMatches: stats.totalMatches,
+          totalTimeouts: stats.totalTimeouts,
+          matchRate: stats.totalMatches / Math.max(stats.totalExecutions, 1),
+          timeoutRate: stats.totalTimeouts / Math.max(stats.totalExecutions, 1),
+          avgExecutionTime: Math.round(stats.avgExecutionTime * 1e4) / 1e4,
+          maxExecutionTime: Math.round(stats.maxExecutionTime * 1e4) / 1e4,
+          minExecutionTime: Math.round(
+            (stats.minExecutionTime === Infinity ? 0 : stats.minExecutionTime) * 1e4
+          ) / 1e4
+        };
+      }
+      getSlowPatterns(limit = 10) {
+        const entries = [...this.patternStats.entries()].filter(([, s]) => s.recentTimes.length > 0).sort(([, a], [, b]) => b.avgExecutionTime - a.avgExecutionTime).slice(0, limit);
+        const reports = [];
+        for (const [pattern] of entries) {
+          const report = this.getPatternReport(pattern);
+          if (report) reports.push(report);
+        }
+        return reports;
+      }
+      getProblematicPatterns() {
+        const problematic = [];
+        for (const [pattern, stats] of this.patternStats) {
+          if (stats.totalExecutions === 0) continue;
+          const timeoutRate = stats.totalTimeouts / stats.totalExecutions;
+          if (timeoutRate > 0.1) {
+            const report = this.getPatternReport(pattern);
+            if (report) {
+              report.issue = "high_timeout_rate";
+              problematic.push(report);
+            }
+          } else if (stats.avgExecutionTime > this.slowPatternThreshold) {
+            const report = this.getPatternReport(pattern);
+            if (report) {
+              report.issue = "consistently_slow";
+              problematic.push(report);
+            }
+          }
+        }
+        return problematic;
+      }
+      getSummaryStats() {
+        if (this.recentMetrics.length === 0) {
+          return { totalExecutions: 0, avgExecutionTime: 0, timeoutRate: 0, matchRate: 0 };
+        }
+        const recentTimes = this.recentMetrics.filter((m) => !m.timeout).map((m) => m.executionTime);
+        const timeouts = this.recentMetrics.filter((m) => m.timeout).length;
+        const matches = this.recentMetrics.filter((m) => m.matched).length;
+        const total = this.recentMetrics.length;
+        return {
+          totalExecutions: total,
+          avgExecutionTime: recentTimes.length > 0 ? mean(recentTimes) : 0,
+          maxExecutionTime: recentTimes.length > 0 ? Math.max(...recentTimes) : 0,
+          minExecutionTime: recentTimes.length > 0 ? Math.min(...recentTimes) : 0,
+          timeoutRate: timeouts / total,
+          matchRate: matches / total,
+          totalPatterns: this.patternStats.size
+        };
+      }
+      registerAnomalyCallback(callback) {
+        this.anomalyCallbacks.push(callback);
+      }
+      async clearStats() {
+        this.patternStats.clear();
+        this.recentMetrics = [];
+      }
+      async removePatternStats(pattern) {
+        this.patternStats.delete(pattern);
+      }
+    };
+  }
+});
+
+// src/detection-engine/semantic.ts
+var ATTACK_KEYWORDS, ATTACK_STRUCTURES, PATTERN_CHECKS, INJECTION_KEYWORDS, MAX_CONTENT_LENGTH, MAX_TOKENS, MAX_ENTROPY_LENGTH, MAX_SCAN_LENGTH, MAX_AST_LENGTH, SemanticAnalyzer;
+var init_semantic = __esm({
+  "src/detection-engine/semantic.ts"() {
+    "use strict";
+    ATTACK_KEYWORDS = {
+      xss: /* @__PURE__ */ new Set([
+        "script",
+        "javascript",
+        "onerror",
+        "onload",
+        "onclick",
+        "onmouseover",
+        "alert",
+        "eval",
+        "document",
+        "cookie",
+        "window",
+        "location"
+      ]),
+      sql: /* @__PURE__ */ new Set([
+        "select",
+        "union",
+        "insert",
+        "update",
+        "delete",
+        "drop",
+        "from",
+        "where",
+        "order",
+        "group",
+        "having",
+        "concat",
+        "substring",
+        "database",
+        "table",
+        "column"
+      ]),
+      command: /* @__PURE__ */ new Set([
+        "exec",
+        "system",
+        "shell",
+        "cmd",
+        "bash",
+        "powershell",
+        "wget",
+        "curl",
+        "nc",
+        "netcat",
+        "chmod",
+        "chown",
+        "sudo",
+        "passwd"
+      ]),
+      path: /* @__PURE__ */ new Set(["etc", "passwd", "shadow", "hosts", "proc", "boot", "win", "ini"]),
+      template: /* @__PURE__ */ new Set([
+        "render",
+        "template",
+        "jinja",
+        "mustache",
+        "handlebars",
+        "ejs",
+        "pug",
+        "twig"
+      ])
+    };
+    ATTACK_STRUCTURES = {
+      tag_like: /<[^>]+>/gi,
+      function_call: /\w+\s*\([^)]*\)/gi,
+      command_chain: /[;&|]{1,2}/g,
+      path_traversal: /\.{2,}[/\\]/g,
+      url_pattern: /[a-z]+:\/\//gi
+    };
+    PATTERN_CHECKS = {
+      xss: [/<[^>]+>/g, ""],
+      sql: [/\b(?:union|select|from|where)\b/gi, ""],
+      command: [/[;&|]/g, ""],
+      path: [/\.{2,}[/\\]/g, ""]
+    };
+    INJECTION_KEYWORDS = ["eval", "exec", "compile", "__import__", "globals", "locals"];
+    MAX_CONTENT_LENGTH = 5e4;
+    MAX_TOKENS = 1e3;
+    MAX_ENTROPY_LENGTH = 1e4;
+    MAX_SCAN_LENGTH = 1e4;
+    MAX_AST_LENGTH = 1e3;
+    SemanticAnalyzer = class {
+      extractTokens(content) {
+        let truncated = content;
+        if (truncated.length > MAX_CONTENT_LENGTH) {
+          truncated = truncated.slice(0, MAX_CONTENT_LENGTH);
+        }
+        truncated = truncated.replace(/\s+/g, " ");
+        const wordTokens = (truncated.toLowerCase().match(/\b\w+\b/g) ?? []).slice(0, MAX_TOKENS);
+        const specialPatterns = [];
+        for (const [, regex] of Object.entries(ATTACK_STRUCTURES)) {
+          const re = new RegExp(regex.source, regex.flags);
+          let match;
+          while ((match = re.exec(truncated)) !== null && specialPatterns.length < 50) {
+            specialPatterns.push(match[0]);
+          }
+          if (specialPatterns.length >= 50) break;
+        }
+        return [...wordTokens, ...specialPatterns].slice(0, MAX_TOKENS);
+      }
+      calculateEntropy(content) {
+        if (!content) return 0;
+        const truncated = content.length > MAX_ENTROPY_LENGTH ? content.slice(0, MAX_ENTROPY_LENGTH) : content;
+        const counts = /* @__PURE__ */ new Map();
+        for (const char of truncated) {
+          counts.set(char, (counts.get(char) ?? 0) + 1);
+        }
+        const length = truncated.length;
+        let entropy = 0;
+        for (const count of counts.values()) {
+          const probability = count / length;
+          if (probability > 0) {
+            entropy -= probability * Math.log2(probability);
+          }
+        }
+        return entropy;
+      }
+      detectEncodingLayers(content) {
+        const truncated = content.length > MAX_SCAN_LENGTH ? content.slice(0, MAX_SCAN_LENGTH) : content;
+        let layers = 0;
+        if (/%[0-9a-fA-F]{2}/.test(truncated)) layers++;
+        if (/[A-Za-z0-9+/]{4,}={0,2}/.test(truncated)) layers++;
+        if (/(?:0x)?[0-9a-fA-F]{4,}/.test(truncated)) layers++;
+        if (/\\u[0-9a-fA-F]{4}/.test(truncated)) layers++;
+        if (/&[#\w]+;/.test(truncated)) layers++;
+        return layers;
+      }
+      analyzeAttackProbability(content) {
+        const tokens = this.extractTokens(content);
+        const tokenSet = new Set(tokens);
+        const probabilities = {};
+        for (const [attackType, keywords] of Object.entries(ATTACK_KEYWORDS)) {
+          let matches = 0;
+          for (const token of tokenSet) {
+            if (keywords.has(token)) matches++;
+          }
+          const baseScore = keywords.size > 0 ? matches / keywords.size : 0;
+          let patternBoost = 0;
+          const check = PATTERN_CHECKS[attackType];
+          if (check) {
+            const [re] = check;
+            if (new RegExp(re.source, re.flags).test(content)) {
+              patternBoost = 0.3;
+            }
+          }
+          probabilities[attackType] = Math.min(baseScore + patternBoost, 1);
+        }
+        return probabilities;
+      }
+      detectObfuscation(content) {
+        if (this.calculateEntropy(content) > 4.5) return true;
+        if (this.detectEncodingLayers(content) > 2) return true;
+        const specialChars = (content.match(/[^a-zA-Z0-9\s]/g) ?? []).length;
+        if (specialChars / Math.max(content.length, 1) > 0.4) return true;
+        if (/\S{100,}/.test(content)) return true;
+        return false;
+      }
+      extractSuspiciousPatterns(content) {
+        const patterns = [];
+        for (const [name, regex] of Object.entries(ATTACK_STRUCTURES)) {
+          const re = new RegExp(regex.source, regex.flags);
+          let match;
+          while ((match = re.exec(content)) !== null) {
+            const contextStart = Math.max(0, match.index - 20);
+            const contextEnd = Math.min(content.length, match.index + match[0].length + 20);
+            patterns.push({
+              type: name,
+              pattern: match[0],
+              position: match.index,
+              context: content.slice(contextStart, contextEnd)
+            });
+          }
+        }
+        return patterns;
+      }
+      analyzeCodeInjectionRisk(content) {
+        let riskScore = 0;
+        if (/[{}].*[{}]/.test(content)) riskScore += 0.2;
+        if (/\w+\s*\([^)]*\)/.test(content)) riskScore += 0.2;
+        if (/[$@]\w+/.test(content)) riskScore += 0.1;
+        if (/[=+\-*/]{2,}/.test(content)) riskScore += 0.1;
+        if (content.length <= MAX_AST_LENGTH) {
+          try {
+            const acorn = require("acorn");
+            acorn.parse(content, { ecmaVersion: "latest", sourceType: "module" });
+            riskScore += 0.3;
+          } catch {
+          }
+        }
+        for (const keyword of INJECTION_KEYWORDS) {
+          if (new RegExp(`\\b${keyword}\\b`, "i").test(content)) {
+            riskScore += 0.2;
+            break;
+          }
+        }
+        return Math.min(riskScore, 1);
+      }
+      analyze(content) {
+        return {
+          attackProbabilities: this.analyzeAttackProbability(content),
+          entropy: this.calculateEntropy(content),
+          encodingLayers: this.detectEncodingLayers(content),
+          isObfuscated: this.detectObfuscation(content),
+          suspiciousPatterns: this.extractSuspiciousPatterns(content),
+          codeInjectionRisk: this.analyzeCodeInjectionRisk(content),
+          tokenCount: this.extractTokens(content).length
+        };
+      }
+      getThreatScore(analysis) {
+        let score = 0;
+        const probs = analysis.attackProbabilities;
+        const maxProb = Object.values(probs).length > 0 ? Math.max(...Object.values(probs)) : 0;
+        score += maxProb * 0.3;
+        if (analysis.isObfuscated) score += 0.2;
+        if (analysis.encodingLayers > 0) {
+          score += Math.min(analysis.encodingLayers * 0.1, 0.2);
+        }
+        score += analysis.codeInjectionRisk * 0.2;
+        if (analysis.suspiciousPatterns.length > 0) {
+          score += Math.min(analysis.suspiciousPatterns.length * 0.05, 0.1);
+        }
+        return Math.min(score, 1);
+      }
+    };
+  }
+});
+
+// src/handlers/cloud.ts
+var cloud_exports = {};
+__export(cloud_exports, {
+  CloudHandler: () => CloudHandler
+});
+var ipaddr2, AWS_RANGES_URL, GCP_RANGES_URL, AZURE_DOWNLOAD_PAGE, AZURE_JSON_HREF_RE, CloudHandler;
+var init_cloud = __esm({
+  "src/handlers/cloud.ts"() {
+    "use strict";
+    ipaddr2 = __toESM(require("ipaddr.js"), 1);
+    AWS_RANGES_URL = "https://ip-ranges.amazonaws.com/ip-ranges.json";
+    GCP_RANGES_URL = "https://www.gstatic.com/ipranges/cloud.json";
+    AZURE_DOWNLOAD_PAGE = "https://www.microsoft.com/en-us/download/details.aspx?id=56519";
+    AZURE_JSON_HREF_RE = /href=["'](https:\/\/download\.microsoft\.com\/.{1,500}?\.json)["']/;
+    CloudHandler = class {
+      constructor(logger) {
+        this.logger = logger;
+      }
+      ipRanges = /* @__PURE__ */ new Map();
+      lastUpdated = /* @__PURE__ */ new Map();
+      redisHandler = null;
+      agentHandler = null;
+      async initializeRedis(redisHandler, providers, ttl = 3600) {
+        this.redisHandler = redisHandler;
+        await this.refreshAsync(providers, ttl);
+      }
+      async initializeAgent(agentHandler) {
+        this.agentHandler = agentHandler;
+      }
+      async refreshAsync(providers, ttl = 3600) {
+        for (const provider of providers) {
+          try {
+            const ranges = await this.fetchProviderRanges(provider);
+            this.ipRanges.set(provider, ranges);
+            this.lastUpdated.set(provider, /* @__PURE__ */ new Date());
+            if (this.redisHandler) {
+              await this.redisHandler.setKey("cloud_ranges", provider, ranges.join(","), ttl);
+            }
+            this.logger.info(`Refreshed ${ranges.length} IP ranges for ${provider}`);
+          } catch (e) {
+            this.logger.error(`Failed to refresh ${provider} IP ranges: ${e}`);
+            if (this.redisHandler) {
+              const cached = await this.redisHandler.getKey("cloud_ranges", provider);
+              if (typeof cached === "string" && cached.length > 0) {
+                this.ipRanges.set(provider, cached.split(","));
+                this.logger.info(`Loaded ${provider} IP ranges from Redis cache`);
+              }
+            }
+          }
+        }
+      }
+      async fetchProviderRanges(provider) {
+        switch (provider) {
+          case "AWS":
+            return this.fetchAwsRanges();
+          case "GCP":
+            return this.fetchGcpRanges();
+          case "Azure":
+            return this.fetchAzureRanges();
+          default:
+            return [];
+        }
+      }
+      async fetchAwsRanges() {
+        const resp = await fetch(AWS_RANGES_URL);
+        const data = await resp.json();
+        return data.prefixes.filter((p) => p.service === "AMAZON").map((p) => p.ip_prefix);
+      }
+      async fetchGcpRanges() {
+        const resp = await fetch(GCP_RANGES_URL);
+        const data = await resp.json();
+        return data.prefixes.map((p) => p.ipv4Prefix ?? p.ipv6Prefix).filter((p) => p !== void 0);
+      }
+      async fetchAzureRanges() {
+        const pageResp = await fetch(AZURE_DOWNLOAD_PAGE);
+        const html = await pageResp.text();
+        const match = AZURE_JSON_HREF_RE.exec(html);
+        if (!match) {
+          this.logger.warn("Could not find Azure IP ranges download URL");
+          return [];
+        }
+        const jsonResp = await fetch(match[1]);
+        const data = await jsonResp.json();
+        return data.values.flatMap((v) => v.properties.addressPrefixes);
+      }
+      isCloudIp(ip, providers) {
+        try {
+          const parsed = ipaddr2.parse(ip);
+          for (const provider of providers) {
+            const ranges = this.ipRanges.get(provider);
+            if (!ranges) continue;
+            for (const cidr of ranges) {
+              try {
+                const [addr, prefixLen] = ipaddr2.parseCIDR(cidr);
+                if (parsed.kind() === addr.kind() && parsed.match([addr, prefixLen])) {
+                  return true;
+                }
+              } catch {
+                continue;
+              }
+            }
+          }
+        } catch {
+        }
+        return false;
+      }
+      getCloudProviderDetails(ip, providers) {
+        try {
+          const parsed = ipaddr2.parse(ip);
+          for (const provider of providers) {
+            const ranges = this.ipRanges.get(provider);
+            if (!ranges) continue;
+            for (const cidr of ranges) {
+              try {
+                const [addr, prefixLen] = ipaddr2.parseCIDR(cidr);
+                if (parsed.kind() === addr.kind() && parsed.match([addr, prefixLen])) {
+                  return [provider, cidr];
+                }
+              } catch {
+                continue;
+              }
+            }
+          }
+        } catch {
+        }
+        return null;
+      }
+      async reset() {
+        this.ipRanges.clear();
+        this.lastUpdated.clear();
+        if (this.redisHandler) {
+          await this.redisHandler.deletePattern("cloud_ranges:*");
+        }
+      }
+    };
+  }
+});
+
+// src/handlers/sus-patterns.ts
+var sus_patterns_exports = {};
+__export(sus_patterns_exports, {
+  SusPatternsManager: () => SusPatternsManager
+});
+var CTX_XSS, CTX_SQLI, CTX_DIR_TRAVERSAL, CTX_CMD_INJECTION, CTX_FILE_INCLUSION, CTX_LDAP, CTX_XML, CTX_SSRF, CTX_NOSQL, CTX_FILE_UPLOAD, CTX_PATH_TRAVERSAL, CTX_TEMPLATE, CTX_HTTP_SPLIT, CTX_SENSITIVE_FILE, CTX_CMS_PROBING, CTX_RECON, CTX_ALL, KNOWN_CONTEXTS, PATTERN_DEFINITIONS, SusPatternsManager;
+var init_sus_patterns = __esm({
+  "src/handlers/sus-patterns.ts"() {
+    "use strict";
+    init_preprocessor();
+    init_compiler();
+    init_monitor();
+    init_semantic();
+    CTX_XSS = /* @__PURE__ */ new Set(["query_param", "header", "request_body", "unknown"]);
+    CTX_SQLI = /* @__PURE__ */ new Set(["query_param", "request_body", "unknown"]);
+    CTX_DIR_TRAVERSAL = /* @__PURE__ */ new Set(["url_path", "query_param", "request_body", "unknown"]);
+    CTX_CMD_INJECTION = /* @__PURE__ */ new Set(["query_param", "request_body", "unknown"]);
+    CTX_FILE_INCLUSION = /* @__PURE__ */ new Set(["url_path", "query_param", "request_body", "unknown"]);
+    CTX_LDAP = /* @__PURE__ */ new Set(["query_param", "request_body", "unknown"]);
+    CTX_XML = /* @__PURE__ */ new Set(["header", "request_body", "unknown"]);
+    CTX_SSRF = /* @__PURE__ */ new Set(["query_param", "request_body", "unknown"]);
+    CTX_NOSQL = /* @__PURE__ */ new Set(["query_param", "request_body", "unknown"]);
+    CTX_FILE_UPLOAD = /* @__PURE__ */ new Set(["header", "request_body", "unknown"]);
+    CTX_PATH_TRAVERSAL = /* @__PURE__ */ new Set(["url_path", "query_param", "request_body", "unknown"]);
+    CTX_TEMPLATE = /* @__PURE__ */ new Set(["query_param", "request_body", "unknown"]);
+    CTX_HTTP_SPLIT = /* @__PURE__ */ new Set(["header", "query_param", "request_body", "unknown"]);
+    CTX_SENSITIVE_FILE = /* @__PURE__ */ new Set(["url_path", "request_body", "unknown"]);
+    CTX_CMS_PROBING = /* @__PURE__ */ new Set(["url_path", "request_body", "unknown"]);
+    CTX_RECON = /* @__PURE__ */ new Set(["url_path", "unknown"]);
+    CTX_ALL = /* @__PURE__ */ new Set(["query_param", "header", "url_path", "request_body", "unknown"]);
+    KNOWN_CONTEXTS = /* @__PURE__ */ new Set(["query_param", "header", "url_path", "request_body", "unknown"]);
+    PATTERN_DEFINITIONS = [
+      [String.raw`<script[^>]*>[^<]*<\/script\s*>`, CTX_XSS],
+      [String.raw`javascript:\s*[^\s]+`, CTX_XSS],
+      [String.raw`(?:on(?:error|load|click|mouseover|submit|mouse|unload|change|focus|blur|drag))=(?:["'][^"']*["']|[^\s>]+)`, CTX_XSS],
+      [String.raw`(?:<[^>]+\s+(?:href|src|data|action)\s*=[\s"']*(?:javascript|vbscript|data):)`, CTX_XSS],
+      [String.raw`(?:<[^>]+style\s*=[\s"']*[^>"']*(?:expression|behavior|url)\s*\([^)]*\))`, CTX_XSS],
+      [String.raw`(?:<object[^>]*>[\s\S]*<\/object\s*>)`, CTX_XSS],
+      [String.raw`(?:<embed[^>]*>[\s\S]*<\/embed\s*>)`, CTX_XSS],
+      [String.raw`(?:<applet[^>]*>[\s\S]*<\/applet\s*>)`, CTX_XSS],
+      [String.raw`SELECT\s+[\w\s,*]+\s+FROM\s+[\w\s._]+`, CTX_SQLI],
+      [String.raw`UNION\s+(?:ALL\s+)?SELECT`, CTX_SQLI],
+      [String.raw`('\s*(?:OR|AND)\s*[(\s]*'?[\d\w]+\s*(?:=|LIKE|<|>|<=|>=)\s*[(\s]*'?[\d\w]+)`, CTX_SQLI],
+      [String.raw`(UNION\s+(?:ALL\s+)?SELECT\s+(?:NULL[,\s]*)+|\(\s*SELECT\s+(?:@@|VERSION))`, CTX_SQLI],
+      [String.raw`(?:INTO\s+(?:OUTFILE|DUMPFILE)\s+'[^']+')`, CTX_SQLI],
+      [String.raw`(?:LOAD_FILE\s*\([^)]+\))`, CTX_SQLI],
+      [String.raw`(?:BENCHMARK\s*\(\s*\d+\s*,)`, CTX_SQLI],
+      [String.raw`(?:SLEEP\s*\(\s*\d+\s*\))`, CTX_SQLI],
+      [String.raw`(?:\/\*![0-9]*\s*(?:OR|AND|UNION|SELECT|INSERT|DELETE|DROP|CONCAT|CHAR|UPDATE)\b)`, CTX_SQLI],
+      [String.raw`(?:\.\.\/|\.\.\\)(?:\.\.\/|\.\.\\)+`, CTX_DIR_TRAVERSAL],
+      [String.raw`(?:/etc/(?:passwd|shadow|group|hosts|motd|issue|mysql/my.cnf|ssh/ssh_config)$)`, CTX_DIR_TRAVERSAL],
+      [String.raw`(?:boot\.ini|win\.ini|system\.ini|config\.sys)\s*$`, CTX_DIR_TRAVERSAL],
+      [String.raw`(?:\/proc\/self\/environ$)`, CTX_DIR_TRAVERSAL],
+      [String.raw`(?:\/var\/log\/[^/]+$)`, CTX_DIR_TRAVERSAL],
+      [String.raw`;\s*(?:ls|cat|rm|chmod|chown|wget|curl|nc|netcat|ping|telnet)\s+-[a-zA-Z]+\s+`, CTX_CMD_INJECTION],
+      [String.raw`\|\s*(?:wget|curl|fetch|lwp-download|lynx|links|GET)\s+`, CTX_CMD_INJECTION],
+      [String.raw`(?:[;&|` + "`" + String.raw`]\s*(?:\$\([^)]+\)|\$\{[^}]+\}))`, CTX_CMD_INJECTION],
+      [String.raw`(?:^|;)\s*(?:bash|sh|ksh|csh|tsch|zsh|ash)\s+-[a-zA-Z]+`, CTX_CMD_INJECTION],
+      [String.raw`\b(?:eval|system|exec|shell_exec|passthru|popen|proc_open)\s*\(`, CTX_CMD_INJECTION],
+      [String.raw`(?:php|data|zip|rar|file|glob|expect|input|phpinfo|zlib|phar|ssh2|rar|ogg|expect)://[^\s]+`, CTX_FILE_INCLUSION],
+      [String.raw`(?:\/\/[0-9a-zA-Z]([-.\w]*[0-9a-zA-Z])*(:[0-9]+)?(?:\/?)?(?:[a-zA-Z0-9\-.,?'/\\+&amp;%$#_]*)?)`, CTX_FILE_INCLUSION],
+      [String.raw`\(\s*[|&]\s*\(\s*[^)]+=[*]`, CTX_LDAP],
+      [String.raw`(?:\*(?:[\s\d\w]+\s*=|=\s*[\d\w\s]+))`, CTX_LDAP],
+      [String.raw`(?:\(\s*[&|]\s*)`, CTX_LDAP],
+      [String.raw`<!(?:ENTITY|DOCTYPE)[^>]+SYSTEM[^>]+>`, CTX_XML],
+      [String.raw`(?:<!\[CDATA\[.*?\]\]>)`, CTX_XML],
+      [String.raw`(?:<\?xml.*?\?>)`, CTX_XML],
+      [String.raw`(?:^|\s|/)(?:localhost|127\.0\.0\.1|0\.0\.0\.0|\[::(?:\d*)\]|(?:169\.254|192\.168|10\.|172\.(?:1[6-9]|2[0-9]|3[01]))\.\d+)(?:\s|$|/)`, CTX_SSRF],
+      [String.raw`(?:file|dict|gopher|jar|tftp)://[^\s]+`, CTX_SSRF],
+      [String.raw`\{\s*\$(?:where|gt|lt|ne|eq|regex|in|nin|all|size|exists|type|mod|options):`, CTX_NOSQL],
+      [String.raw`(?:\{\s*\$[a-zA-Z]+\s*:\s*(?:\{|\[))`, CTX_NOSQL],
+      [String.raw`filename=["'].*?\.(?:php\d*|phar|phtml|exe|jsp|asp|aspx|sh|bash|rb|py|pl|cgi|com|bat|cmd|vbs|vbe|js|ws|wsf|msi|hta)["']`, CTX_FILE_UPLOAD],
+      [String.raw`(?:%2e%2e|%252e%252e|%uff0e%uff0e|%c0%ae%c0%ae|%e0%40%ae|%c0%ae%e0%80%ae|%25c0%25ae)/`, CTX_PATH_TRAVERSAL],
+      [String.raw`\{\{\s*[^}]+(?:system|exec|popen|eval|require|include)\s*\}\}`, CTX_TEMPLATE],
+      [String.raw`\{%\s*[^%]+(?:system|exec|popen|eval|require|include)\s*%\}`, CTX_TEMPLATE],
+      [String.raw`[\r\n]\s*(?:HTTP\/[0-9.]+|Location:|Set-Cookie:)`, CTX_HTTP_SPLIT],
+      [String.raw`(?:^|/)\.env(?:\.\w+)?(?:\?|$|/)`, CTX_SENSITIVE_FILE],
+      [String.raw`(?:^|/)[\w-]*config[\w-]*\.(?:env|yml|yaml|json|toml|ini|xml|conf)(?:\?|$)`, CTX_SENSITIVE_FILE],
+      [String.raw`(?:^|/)[\w./-]*\.map(?:\?|$)`, CTX_SENSITIVE_FILE],
+      [String.raw`(?:^|/)[\w./-]*\.(?:ts|tsx|jsx|py|rb|java|go|rs|php|pl|sh|sql)(?:\?|$)`, CTX_SENSITIVE_FILE],
+      [String.raw`(?:^|/)\.(?:git|svn|hg|bzr)(?:/|$)`, CTX_SENSITIVE_FILE],
+      [String.raw`(?:^|/)(?:wp-(?:admin|login|content|includes|config)|administrator|xmlrpc)\.?(?:php)?(?:/|$|\?)`, CTX_CMS_PROBING],
+      [String.raw`(?:^|/)(?:phpinfo|info|test|php_info)\.php(?:\?|$)`, CTX_CMS_PROBING],
+      [String.raw`(?:^|/)[\w./-]*\.(?:bak|backup|old|orig|save|swp|swo|tmp|temp)(?:\?|$)`, CTX_CMS_PROBING],
+      [String.raw`(?:^|/)(?:\.htaccess|\.htpasswd|\.DS_Store|Thumbs\.db|\.npmrc|\.dockerenv|web\.config)(?:\?|$)`, CTX_CMS_PROBING],
+      [String.raw`(?:^|/)[\w./-]*\.(?:asp|aspx|jsp|jsa|jhtml|shtml|cfm|cgi|do|action|lua|inc|woa|nsf|esp|html?|js|css|properties|png|gif|jpg|jpeg|svg|webp|bmp|pl)(?:\?|$)`, CTX_RECON],
+      [String.raw`^/(?:api|rest|v\d+|management|system|version|status|config|config_dump|credentials)(?:/|$|\?)`, CTX_RECON],
+      [String.raw`^/admin(?:istrator)?(?:[./?\-]|$)`, CTX_RECON],
+      [String.raw`^/(?:login|logon|signin)(?:[./?\-]|$|/)`, CTX_RECON],
+      [String.raw`(?:^|/)account/login(?:\?|$|/)`, CTX_RECON],
+      [String.raw`(?:^|/)(?:actuator|server-status|telescope)(?:/|$|\?)`, CTX_RECON],
+      [String.raw`(?:CSCOE|dana-(?:na|cached)|sslvpn|RDWeb|/owa/|/ecp/|global-protect|ssl-vpn/|svpn/|sonicui|/remote/login|myvpn|vpntunnel|versa/login)`, CTX_RECON],
+      [String.raw`(?:^|/)(?:geoserver|confluence|nifi|ScadaBR|pandora_console|centreon|kylin|decisioncenter|evox|MagicInfo|metasys|officescan|helpdesk|ignite)(?:/|$|\?|\.|\-)`, CTX_RECON],
+      [String.raw`(?:^|/)cgi-(?:bin|mod)/`, CTX_RECON],
+      [String.raw`(?:^|/)(?:HNAP1|IPCamDesc\.xml|SDK/webLanguage)(?:\?|$|/)`, CTX_RECON],
+      [String.raw`^/(?:scripts|language|languages|images|css|img)/`, CTX_RECON],
+      [String.raw`(?:^|/)(?:robots\.txt|sitemap\.xml|security\.txt|readme\.txt|README\.md|CHANGELOG|pom\.xml|build\.gradle|appsettings\.json|crossdomain\.xml)(?:\?|$|\.)`, CTX_RECON],
+      [String.raw`(?:^|/)(?:sap|ise|nidp|cslu|rustfs|developmentserver|fog/management|lms/db|json/login_session|sms_mp|plugin/webs_model|wsman|am_bin)(?:/|$|\?)`, CTX_RECON],
+      [String.raw`(?:nmaplowercheck|nice\s+ports|Trinity\.txt)`, CTX_RECON],
+      [String.raw`(?:^|/)\.(?:openclaw|clawdbot)(?:/|$)`, CTX_RECON],
+      [String.raw`^/(?:default|inicio|indice|localstart)(?:\.|/|$|\?)`, CTX_RECON],
+      [String.raw`(?:^|/)(?:\.streamlit|\.gpt-pilot|\.aider|\.cursor|\.windsurf|\.copilot|\.devcontainer)(?:/|$)`, CTX_RECON],
+      [String.raw`(?:^|/)(?:docker-compose|Dockerfile|Makefile|Vagrantfile|Jenkinsfile|Procfile)(?:\.ya?ml)?(?:\?|$)`, CTX_RECON],
+      [String.raw`(?:^|/)[\w./-]*(?:secrets?|credentials?)\.(?:py|json|yml|yaml|toml|txt|env|xml|conf|cfg)(?:\?|$)`, CTX_RECON],
+      [String.raw`(?:^|/)autodiscover/`, CTX_RECON],
+      [String.raw`^/dns-query(?:\?|$)`, CTX_RECON],
+      [String.raw`(?:^|/)\.git/(?:refs|index|HEAD|objects|logs)(?:/|$)`, CTX_RECON]
+    ];
+    SusPatternsManager = class {
+      constructor(config, logger) {
+        this.logger = logger;
+        this.compiler = new PatternCompiler(config.detectionCompilerTimeout * 1e3, config.detectionMaxTrackedPatterns);
+        this.preprocessor = new ContentPreprocessor(config.detectionMaxContentLength, config.detectionPreserveAttackPatterns);
+        this.semantic = new SemanticAnalyzer();
+        this.monitor = new PerformanceMonitor(
+          config.detectionAnomalyThreshold,
+          config.detectionSlowPatternThreshold,
+          config.detectionMonitorHistorySize,
+          config.detectionMaxTrackedPatterns
+        );
+        this.semanticThreshold = config.detectionSemanticThreshold;
+      }
+      compiler;
+      preprocessor;
+      semantic;
+      monitor;
+      customPatterns = /* @__PURE__ */ new Set();
+      compiledCustomContexts = /* @__PURE__ */ new Map();
+      redisHandler = null;
+      agentHandler = null;
+      semanticThreshold;
+      async initializeRedis(redisHandler) {
+        this.redisHandler = redisHandler;
+        const cached = await redisHandler.getKey("patterns", "custom");
+        if (typeof cached === "string" && cached.length > 0) {
+          for (const p of cached.split(",")) {
+            if (p.trim()) {
+              this.customPatterns.add(p.trim());
+              this.compiledCustomContexts.set(p.trim(), CTX_ALL);
+            }
+          }
+        }
+      }
+      async initializeAgent(agentHandler) {
+        this.agentHandler = agentHandler;
+      }
+      normalizeContext(context) {
+        const parts = context.split(":");
+        const normalized = parts[0].toLowerCase();
+        return KNOWN_CONTEXTS.has(normalized) ? normalized : "unknown";
+      }
+      async detect(content, ipAddress, context = "unknown", correlationId = null) {
+        const startTime = performance.now();
+        const originalLength = content.length;
+        const processed = await this.preprocessor.preprocess(content);
+        const normalizedCtx = this.normalizeContext(context);
+        const threats = [];
+        const timeouts = [];
+        for (const [pattern, contexts] of PATTERN_DEFINITIONS) {
+          if (!contexts.has(normalizedCtx)) continue;
+          const patternStart = performance.now();
+          try {
+            const match = await this.compiler.safeMatch(pattern, processed);
+            const elapsed = (performance.now() - patternStart) / 1e3;
+            await this.monitor.recordMetric(pattern, elapsed, processed.length, match !== null, false, this.agentHandler, correlationId);
+            if (match) {
+              threats.push({
+                pattern,
+                context: normalizedCtx,
+                matchedContent: String(match[0] ?? "").slice(0, 200),
+                detectionMethod: "regex"
+              });
+            }
+          } catch {
+            timeouts.push(pattern);
+            const elapsed = (performance.now() - patternStart) / 1e3;
+            await this.monitor.recordMetric(pattern, elapsed, processed.length, false, true, this.agentHandler, correlationId);
+          }
+        }
+        for (const customPattern of this.customPatterns) {
+          const ctxSet = this.compiledCustomContexts.get(customPattern) ?? CTX_ALL;
+          if (!ctxSet.has(normalizedCtx)) continue;
+          try {
+            const match = await this.compiler.safeMatch(customPattern, processed);
+            if (match) {
+              threats.push({
+                pattern: customPattern,
+                context: normalizedCtx,
+                matchedContent: String(match[0] ?? "").slice(0, 200),
+                detectionMethod: "regex_custom"
+              });
+            }
+          } catch {
+            timeouts.push(customPattern);
+          }
+        }
+        const analysis = this.semantic.analyze(processed);
+        const semanticScore = this.semantic.getThreatScore(analysis);
+        if (semanticScore >= this.semanticThreshold) {
+          const topAttack = Object.entries(analysis.attackProbabilities).sort(([, a], [, b]) => b - a)[0];
+          if (topAttack) {
+            threats.push({
+              pattern: `semantic:${topAttack[0]}`,
+              context: normalizedCtx,
+              matchedContent: `score=${semanticScore.toFixed(3)}`,
+              detectionMethod: "semantic"
+            });
+          }
+        }
+        const regexScore = threats.some((t) => t.detectionMethod.startsWith("regex")) ? 1 : 0;
+        const threatScore = Math.max(regexScore, semanticScore);
+        const executionTime = (performance.now() - startTime) / 1e3;
+        return {
+          isThreat: threats.length > 0,
+          threatScore,
+          threats,
+          executionTime,
+          timeouts,
+          correlationId,
+          originalLength,
+          processedLength: processed.length
+        };
+      }
+      async detectPatternMatch(content, ipAddress, context = "unknown", correlationId = null) {
+        const result = await this.detect(content, ipAddress, context, correlationId);
+        if (result.isThreat && result.threats.length > 0) {
+          return [true, result.threats[0].pattern];
+        }
+        return [false, null];
+      }
+      async addPattern(pattern, custom = true) {
+        this.customPatterns.add(pattern);
+        this.compiledCustomContexts.set(pattern, CTX_ALL);
+        if (custom && this.redisHandler) {
+          await this.redisHandler.setKey("patterns", "custom", [...this.customPatterns].join(","));
+        }
+      }
+      async removePattern(pattern) {
+        this.customPatterns.delete(pattern);
+        this.compiledCustomContexts.delete(pattern);
+        if (this.redisHandler) {
+          await this.redisHandler.setKey("patterns", "custom", [...this.customPatterns].join(","));
+        }
+        await this.compiler.clearCache();
+        await this.monitor.removePatternStats(pattern);
+      }
+      getDefaultPatterns() {
+        return PATTERN_DEFINITIONS.map(([p]) => p);
+      }
+      getCustomPatterns() {
+        return [...this.customPatterns];
+      }
+      getAllPatterns() {
+        return [...this.getDefaultPatterns(), ...this.getCustomPatterns()];
+      }
+      async getPerformanceStats() {
+        return {
+          summary: this.monitor.getSummaryStats(),
+          slowPatterns: this.monitor.getSlowPatterns(),
+          problematicPatterns: this.monitor.getProblematicPatterns()
+        };
+      }
+      getComponentStatus() {
+        return {
+          compiler: true,
+          preprocessor: true,
+          semanticAnalyzer: true,
+          performanceMonitor: true
+        };
+      }
+      async configureSemanticThreshold(threshold) {
+        this.semanticThreshold = Math.max(0, Math.min(1, threshold));
+      }
+      async reset() {
+        this.customPatterns.clear();
+        this.compiledCustomContexts.clear();
+        this.agentHandler = null;
+        await this.compiler.clearCache();
+        await this.monitor.clearStats();
+      }
+    };
+  }
+});
+
+// src/utils.ts
+var utils_exports = {};
+__export(utils_exports, {
+  checkIpCountry: () => checkIpCountry,
+  detectPenetrationAttempt: () => detectPenetrationAttempt,
+  extractClientIp: () => extractClientIp,
+  isIpAllowed: () => isIpAllowed,
+  isUserAgentAllowed: () => isUserAgentAllowed,
+  logActivity: () => logActivity,
+  sanitizeForLog: () => sanitizeForLog,
+  sendAgentEvent: () => sendAgentEvent
+});
+function sanitizeForLog(value) {
+  return value.replace(/\n/g, "\\n").replace(/\r/g, "\\r").replace(/\t/g, "\\t").replace(
+    /[\x00-\x08\x0b\x0c\x0e-\x1f]/g,
+    (ch) => `\\x${ch.charCodeAt(0).toString(16).padStart(2, "0")}`
+  );
+}
+async function sendAgentEvent(agentHandler, eventType, ipAddress, actionTaken, reason, request, metadata) {
+  if (!agentHandler) return;
+  try {
+    await agentHandler.sendEvent({
+      timestamp: /* @__PURE__ */ new Date(),
+      eventType,
+      ipAddress,
+      actionTaken,
+      reason,
+      endpoint: request?.urlPath ?? null,
+      method: request?.method ?? null,
+      userAgent: request?.headers["user-agent"] ?? null,
+      metadata: metadata ?? {}
+    });
+  } catch {
+  }
+}
+function isTrustedProxy(connectingIp, trustedProxies) {
+  for (const proxy of trustedProxies) {
+    if (!proxy.includes("/")) {
+      if (connectingIp === proxy) return true;
+    } else {
+      try {
+        const parsed = ipaddr4.parse(connectingIp);
+        const [addr, prefixLen] = ipaddr4.parseCIDR(proxy);
+        if (parsed.kind() === addr.kind() && parsed.match([addr, prefixLen])) return true;
+      } catch {
+        continue;
+      }
+    }
+  }
+  return false;
+}
+function extractFromForwardedHeader(forwardedFor, proxyDepth) {
+  const ips = forwardedFor.split(",").map((ip) => ip.trim()).filter(Boolean);
+  if (ips.length === 0) return null;
+  const targetIndex = ips.length - proxyDepth;
+  if (targetIndex < 0) return ips[0];
+  return ips[targetIndex];
+}
+async function extractClientIp(request, config, agentHandler) {
+  const connectingIp = request.clientHost;
+  if (!connectingIp) return "unknown";
+  const forwardedFor = request.headers["x-forwarded-for"] ?? null;
+  if (forwardedFor && config.trustedProxies.length === 0) {
+    await sendAgentEvent(
+      agentHandler ?? null,
+      "suspicious_request",
+      connectingIp,
+      "spoofing_detected",
+      "X-Forwarded-For received from untrusted source",
+      request
+    );
+    return connectingIp;
+  }
+  if (forwardedFor && config.trustedProxies.length > 0 && isTrustedProxy(connectingIp, config.trustedProxies)) {
+    const extracted = extractFromForwardedHeader(forwardedFor, config.trustedProxyDepth);
+    if (extracted && ipaddr4.isValid(extracted)) return extracted;
+  }
+  return connectingIp;
+}
+async function isUserAgentAllowed(userAgent, config) {
+  for (const pattern of config.blockedUserAgents) {
+    if (new RegExp(pattern, "i").test(userAgent)) return false;
+  }
+  return true;
+}
+async function checkIpCountry(ip, config, geoIpHandler) {
+  if (config.blockedCountries.length === 0 && config.whitelistCountries.length === 0) {
+    return false;
+  }
+  if (!geoIpHandler.isInitialized) {
+    await geoIpHandler.initialize();
+  }
+  const country = geoIpHandler.getCountry(ip);
+  if (!country) return false;
+  if (config.whitelistCountries.length > 0) {
+    return !config.whitelistCountries.includes(country);
+  }
+  if (config.blockedCountries.length > 0) {
+    return config.blockedCountries.includes(country);
+  }
+  return false;
+}
+async function isIpAllowed(ip, config, geoIpHandler) {
+  try {
+    const parsed = ipaddr4.parse(ip);
+    for (const blocked of config.blacklist) {
+      if (blocked.includes("/")) {
+        const [addr, prefixLen] = ipaddr4.parseCIDR(blocked);
+        if (parsed.kind() === addr.kind() && parsed.match([addr, prefixLen])) return false;
+      } else if (ip === blocked) {
+        return false;
+      }
+    }
+    if (config.whitelist && config.whitelist.length > 0) {
+      let found = false;
+      for (const allowed of config.whitelist) {
+        if (allowed.includes("/")) {
+          const [addr, prefixLen] = ipaddr4.parseCIDR(allowed);
+          if (parsed.kind() === addr.kind() && parsed.match([addr, prefixLen])) {
+            found = true;
+            break;
+          }
+        } else if (ip === allowed) {
+          found = true;
+          break;
+        }
+      }
+      if (!found) return false;
+    }
+    if (geoIpHandler) {
+      const blocked = await checkIpCountry(ip, config, geoIpHandler);
+      if (blocked) return false;
+    }
+  } catch {
+    return false;
+  }
+  return true;
+}
+async function detectPenetrationAttempt(request) {
+  const { SusPatternsManager: SusPatternsManager2 } = await Promise.resolve().then(() => (init_sus_patterns(), sus_patterns_exports));
+  const clientIp = request.clientHost ?? "unknown";
+  const correlationId = `${clientIp}:${Date.now()}`;
+  const queryString = Object.entries(request.queryParams).map(([k, v]) => `${k}=${v}`).join("&");
+  if (queryString) {
+    const result = await checkRequestComponent(queryString, "query_param", "query_params", clientIp, correlationId);
+    if (result[0]) return result;
+  }
+  const urlPath = request.urlPath;
+  if (urlPath && urlPath !== "/") {
+    const result = await checkRequestComponent(urlPath, "url_path", "url_path", clientIp, correlationId);
+    if (result[0]) return result;
+  }
+  for (const [headerName, headerValue] of Object.entries(request.headers)) {
+    if (EXCLUDED_HEADERS.has(headerName.toLowerCase())) continue;
+    if (headerName.toLowerCase().startsWith("sec-")) continue;
+    const result = await checkRequestComponent(headerValue, "header", `header:${headerName}`, clientIp, correlationId);
+    if (result[0]) return result;
+  }
+  try {
+    const bodyBytes = await request.body();
+    if (bodyBytes.length > 0) {
+      const bodyText = new TextDecoder().decode(bodyBytes);
+      if (bodyText.trim()) {
+        const result = await checkRequestComponent(bodyText, "request_body", "body", clientIp, correlationId);
+        if (result[0]) return result;
+      }
+    }
+  } catch {
+  }
+  return [false, ""];
+}
+async function checkRequestComponent(value, context, componentName, clientIp, correlationId) {
+  try {
+    const result = await checkValueEnhanced(value, context, clientIp, correlationId);
+    if (result[0]) {
+      return [true, `Suspicious ${componentName}: ${result[1]}`];
+    }
+  } catch {
+  }
+  return [false, ""];
+}
+async function checkValueEnhanced(value, context, clientIp, correlationId) {
+  const { SusPatternsManager: SusPatternsManager2 } = await Promise.resolve().then(() => (init_sus_patterns(), sus_patterns_exports));
+  try {
+    const jsonData = JSON.parse(value);
+    if (typeof jsonData === "object" && jsonData !== null) {
+      const result = await checkJsonFields(jsonData, context, clientIp, correlationId);
+      if (result[0]) return result;
+    }
+  } catch {
+  }
+  const dangerousPatterns = [
+    /<script/i,
+    /javascript:/i,
+    /UNION\s+SELECT/i,
+    /\.\.\//,
+    /eval\s*\(/i,
+    /exec\s*\(/i,
+    /system\s*\(/i
+  ];
+  for (const pattern of dangerousPatterns) {
+    if (pattern.test(value)) {
+      return [true, `Pattern match: ${pattern.source}`];
+    }
+  }
+  return [false, ""];
+}
+async function checkJsonFields(data, context, clientIp, correlationId) {
+  for (const [key, val] of Object.entries(data)) {
+    if (typeof val === "string") {
+      const result = await checkValueEnhanced(val, context, clientIp, correlationId);
+      if (result[0]) return [true, `JSON field '${key}': ${result[1]}`];
+    } else if (typeof val === "object" && val !== null && !Array.isArray(val)) {
+      const result = await checkJsonFields(val, context, clientIp, correlationId);
+      if (result[0]) return result;
+    }
+  }
+  return [false, ""];
+}
+function logActivity(request, logger, logType = "request", reason = "", passiveMode = false, triggerInfo = "", level = "WARNING") {
+  if (!level) return;
+  const clientIp = request.clientHost ?? "unknown";
+  const method = request.method;
+  const url = sanitizeForLog(request.urlPath);
+  const userAgent = sanitizeForLog(request.headers["user-agent"] ?? "");
+  let message;
+  if (logType === "request") {
+    message = `Request from ${clientIp}: ${method} ${url} [UA: ${userAgent}]`;
+  } else if (logType === "suspicious") {
+    const prefix = passiveMode ? "[PASSIVE MODE]" : "";
+    const trigger = triggerInfo ? ` | Trigger: ${triggerInfo}` : "";
+    message = `${prefix} Suspicious request from ${clientIp}: ${method} ${url} - ${reason}${trigger}`;
+  } else {
+    message = `${logType} from ${clientIp}: ${method} ${url} - ${reason}`;
+  }
+  const levelLower = level.toLowerCase();
+  const logMethod = levelLower === "warning" ? "warn" : levelLower === "critical" ? "error" : levelLower === "debug" ? "debug" : levelLower === "error" ? "error" : "info";
+  logger[logMethod](message);
+}
+var ipaddr4, EXCLUDED_HEADERS;
+var init_utils = __esm({
+  "src/utils.ts"() {
+    "use strict";
+    ipaddr4 = __toESM(require("ipaddr.js"), 1);
+    EXCLUDED_HEADERS = /* @__PURE__ */ new Set([
+      "host",
+      "user-agent",
+      "accept",
+      "accept-encoding",
+      "connection",
+      "origin",
+      "referer",
+      "sec-fetch-site",
+      "sec-fetch-mode",
+      "sec-fetch-dest",
+      "sec-ch-ua",
+      "sec-ch-ua-mobile",
+      "sec-ch-ua-platform"
+    ]);
+  }
+});
+
+// src/index.ts
+var index_exports = {};
+__export(index_exports, {
+  BaseSecurityDecorator: () => BaseSecurityDecorator,
+  BehaviorRule: () => BehaviorRule,
+  BehavioralProcessor: () => BehavioralProcessor,
+  BypassHandler: () => BypassHandler,
+  ContentPreprocessor: () => ContentPreprocessor,
+  DynamicRulesSchema: () => DynamicRulesSchema,
+  ErrorResponseFactory: () => ErrorResponseFactory,
+  MetricsCollector: () => MetricsCollector,
+  PatternCompiler: () => PatternCompiler,
+  PerformanceMonitor: () => PerformanceMonitor,
+  RequestValidator: () => RequestValidator,
+  RouteConfig: () => RouteConfig,
+  RouteConfigResolver: () => RouteConfigResolver,
+  SecurityCheckPipeline: () => SecurityCheckPipeline,
+  SecurityConfigSchema: () => SecurityConfigSchema,
+  SecurityDecorator: () => SecurityDecorator,
+  SecurityEventBus: () => SecurityEventBus,
+  SemanticAnalyzer: () => SemanticAnalyzer,
+  checkIpCountry: () => checkIpCountry,
+  defaultLogger: () => defaultLogger,
+  detectPenetrationAttempt: () => detectPenetrationAttempt,
+  extractClientIp: () => extractClientIp,
+  getRouteDecoratorConfig: () => getRouteDecoratorConfig,
+  initializeSecurityMiddleware: () => initializeSecurityMiddleware,
+  isIpAllowed: () => isIpAllowed,
+  isUserAgentAllowed: () => isUserAgentAllowed,
+  logActivity: () => logActivity,
+  sanitizeForLog: () => sanitizeForLog,
+  sendAgentEvent: () => sendAgentEvent
+});
+module.exports = __toCommonJS(index_exports);
+
+// src/models/behavior-rule.ts
+var BehaviorRule = class {
+  ruleType;
+  threshold;
+  window;
+  pattern;
+  action;
+  customAction;
+  constructor(ruleType, threshold, window = 3600, pattern = null, action = "log", customAction = null) {
+    this.ruleType = ruleType;
+    this.threshold = threshold;
+    this.window = window;
+    this.pattern = pattern;
+    this.action = action;
+    this.customAction = customAction;
+  }
+};
+
+// src/models/config.ts
+var ipaddr = __toESM(require("ipaddr.js"), 1);
+var import_zod = require("zod");
+function isValidIpOrCidr(value) {
+  if (value.includes("/")) {
+    try {
+      ipaddr.parseCIDR(value);
+      return true;
+    } catch {
+      return false;
+    }
+  }
+  return ipaddr.isValid(value);
+}
+var VALID_CLOUD_PROVIDERS = ["AWS", "GCP", "Azure"];
+var IpOrCidrSchema = import_zod.z.string().refine(isValidIpOrCidr, "Invalid IP or CIDR");
+var LogLevel = import_zod.z.enum(["INFO", "DEBUG", "WARNING", "ERROR", "CRITICAL"]);
+var SecurityConfigSchema = import_zod.z.object({
+  trustedProxies: import_zod.z.array(IpOrCidrSchema).default([]),
+  trustedProxyDepth: import_zod.z.number().int().min(1).default(1),
+  trustXForwardedProto: import_zod.z.boolean().default(false),
+  passiveMode: import_zod.z.boolean().default(false),
+  geoIpHandler: import_zod.z.custom().optional(),
+  geoResolver: import_zod.z.custom().optional(),
+  enableRedis: import_zod.z.boolean().default(true),
+  redisUrl: import_zod.z.string().default("redis://localhost:6379"),
+  redisPrefix: import_zod.z.string().default("guard_core:"),
+  whitelist: import_zod.z.array(IpOrCidrSchema).nullable().default(null),
+  blacklist: import_zod.z.array(IpOrCidrSchema).default([]),
+  whitelistCountries: import_zod.z.array(import_zod.z.string().length(2)).default([]),
+  blockedCountries: import_zod.z.array(import_zod.z.string().length(2)).default([]),
+  blockedUserAgents: import_zod.z.array(import_zod.z.string()).default([]),
+  autoBanThreshold: import_zod.z.number().int().positive().default(10),
+  autoBanDuration: import_zod.z.number().int().positive().default(3600),
+  logger: import_zod.z.custom().optional(),
+  customLogFile: import_zod.z.string().nullable().default(null),
+  logSuspiciousLevel: LogLevel.nullable().default("WARNING"),
+  logRequestLevel: LogLevel.nullable().default(null),
+  logFormat: import_zod.z.enum(["text", "json"]).default("text"),
+  customErrorResponses: import_zod.z.record(import_zod.z.coerce.number(), import_zod.z.string()).default({}),
+  rateLimit: import_zod.z.number().int().positive().default(10),
+  rateLimitWindow: import_zod.z.number().int().positive().default(60),
+  enforceHttps: import_zod.z.boolean().default(false),
+  securityHeaders: import_zod.z.object({
+    enabled: import_zod.z.boolean().default(true),
+    hsts: import_zod.z.object({
+      maxAge: import_zod.z.number().default(31536e3),
+      includeSubdomains: import_zod.z.boolean().default(true),
+      preload: import_zod.z.boolean().default(false)
+    }).optional(),
+    csp: import_zod.z.record(import_zod.z.string(), import_zod.z.array(import_zod.z.string())).nullable().default(null),
+    frameOptions: import_zod.z.enum(["DENY", "SAMEORIGIN"]).default("SAMEORIGIN"),
+    contentTypeOptions: import_zod.z.string().default("nosniff"),
+    xssProtection: import_zod.z.string().default("1; mode=block"),
+    referrerPolicy: import_zod.z.string().default("strict-origin-when-cross-origin"),
+    permissionsPolicy: import_zod.z.string().default("geolocation=(), microphone=(), camera=()"),
+    custom: import_zod.z.record(import_zod.z.string(), import_zod.z.string()).nullable().default(null)
+  }).nullable().default({
+    enabled: true,
+    hsts: { maxAge: 31536e3, includeSubdomains: true, preload: false },
+    frameOptions: "SAMEORIGIN",
+    contentTypeOptions: "nosniff",
+    xssProtection: "1; mode=block",
+    referrerPolicy: "strict-origin-when-cross-origin",
+    permissionsPolicy: "geolocation=(), microphone=(), camera=()",
+    csp: null,
+    custom: null
+  }),
+  customRequestCheck: import_zod.z.custom().optional(),
+  customResponseModifier: import_zod.z.custom().optional(),
+  enableCors: import_zod.z.boolean().default(false),
+  corsAllowOrigins: import_zod.z.array(import_zod.z.string()).default(["*"]),
+  corsAllowMethods: import_zod.z.array(import_zod.z.string()).default(["GET", "POST", "PUT", "PATCH", "DELETE", "OPTIONS"]),
+  corsAllowHeaders: import_zod.z.array(import_zod.z.string()).default(["*"]),
+  corsAllowCredentials: import_zod.z.boolean().default(false),
+  corsExposeHeaders: import_zod.z.array(import_zod.z.string()).default([]),
+  corsMaxAge: import_zod.z.number().int().positive().default(600),
+  blockCloudProviders: import_zod.z.array(import_zod.z.enum(VALID_CLOUD_PROVIDERS)).default([]).transform((arr) => new Set(arr)),
+  cloudIpRefreshInterval: import_zod.z.number().int().min(60).max(86400).default(3600),
+  excludePaths: import_zod.z.array(import_zod.z.string()).default([]),
+  enableIpBanning: import_zod.z.boolean().default(true),
+  enableRateLimiting: import_zod.z.boolean().default(true),
+  enablePenetrationDetection: import_zod.z.boolean().default(true),
+  emergencyMode: import_zod.z.boolean().default(false),
+  emergencyWhitelist: import_zod.z.array(import_zod.z.string()).default([]),
+  endpointRateLimits: import_zod.z.record(import_zod.z.string(), import_zod.z.tuple([import_zod.z.number(), import_zod.z.number()])).default({}),
+  detectionCompilerTimeout: import_zod.z.number().min(0.1).max(10).default(2),
+  detectionMaxContentLength: import_zod.z.number().int().min(1e3).max(1e5).default(1e4),
+  detectionPreserveAttackPatterns: import_zod.z.boolean().default(true),
+  detectionSemanticThreshold: import_zod.z.number().min(0).max(1).default(0.7),
+  detectionAnomalyThreshold: import_zod.z.number().min(1).max(10).default(3),
+  detectionSlowPatternThreshold: import_zod.z.number().min(0.01).max(1).default(0.1),
+  detectionMonitorHistorySize: import_zod.z.number().int().min(100).max(1e4).default(1e3),
+  detectionMaxTrackedPatterns: import_zod.z.number().int().min(100).max(5e3).default(1e3),
+  enableAgent: import_zod.z.boolean().default(false),
+  agentApiKey: import_zod.z.string().nullable().default(null),
+  agentEndpoint: import_zod.z.string().url().default("https://api.fastapi-guard.com"),
+  agentProjectId: import_zod.z.string().nullable().default(null),
+  agentBufferSize: import_zod.z.number().int().positive().default(100),
+  agentFlushInterval: import_zod.z.number().int().positive().default(30),
+  agentEnableEvents: import_zod.z.boolean().default(true),
+  agentEnableMetrics: import_zod.z.boolean().default(true),
+  agentTimeout: import_zod.z.number().int().positive().default(30),
+  agentRetryAttempts: import_zod.z.number().int().nonnegative().default(3),
+  enableDynamicRules: import_zod.z.boolean().default(false),
+  dynamicRuleInterval: import_zod.z.number().int().positive().default(300)
+}).superRefine((data, ctx) => {
+  if (data.enableAgent && !data.agentApiKey) {
+    ctx.addIssue({
+      code: "custom",
+      message: "agentApiKey is required when enableAgent is true",
+      path: ["agentApiKey"]
+    });
+  }
+  if (data.enableDynamicRules && !data.enableAgent) {
+    ctx.addIssue({
+      code: "custom",
+      message: "enableAgent must be true when enableDynamicRules is true",
+      path: ["enableDynamicRules"]
+    });
+  }
+  if ((data.blockedCountries.length > 0 || data.whitelistCountries.length > 0) && !data.geoIpHandler && !data.geoResolver) {
+    ctx.addIssue({
+      code: "custom",
+      message: "geoIpHandler or geoResolver is required when using country filtering",
+      path: ["geoIpHandler"]
+    });
+  }
+});
+
+// src/models/dynamic-rules.ts
+var import_zod2 = require("zod");
+var VALID_CLOUD_PROVIDERS2 = ["AWS", "GCP", "Azure"];
+var DynamicRulesSchema = import_zod2.z.object({
+  ruleId: import_zod2.z.string(),
+  version: import_zod2.z.number().int(),
+  timestamp: import_zod2.z.string().datetime(),
+  expiresAt: import_zod2.z.string().datetime().nullable().default(null),
+  ttl: import_zod2.z.number().int().default(300),
+  ipBlacklist: import_zod2.z.array(import_zod2.z.string()).default([]),
+  ipWhitelist: import_zod2.z.array(import_zod2.z.string()).default([]),
+  ipBanDuration: import_zod2.z.number().int().default(3600),
+  blockedCountries: import_zod2.z.array(import_zod2.z.string().length(2)).default([]),
+  whitelistCountries: import_zod2.z.array(import_zod2.z.string().length(2)).default([]),
+  globalRateLimit: import_zod2.z.number().int().nullable().default(null),
+  globalRateWindow: import_zod2.z.number().int().nullable().default(null),
+  endpointRateLimits: import_zod2.z.record(import_zod2.z.string(), import_zod2.z.tuple([import_zod2.z.number(), import_zod2.z.number()])).default({}),
+  blockedCloudProviders: import_zod2.z.array(import_zod2.z.enum(VALID_CLOUD_PROVIDERS2)).default([]).transform((arr) => new Set(arr)),
+  blockedUserAgents: import_zod2.z.array(import_zod2.z.string()).default([]),
+  suspiciousPatterns: import_zod2.z.array(import_zod2.z.string()).default([]),
+  enablePenetrationDetection: import_zod2.z.boolean().nullable().default(null),
+  enableIpBanning: import_zod2.z.boolean().nullable().default(null),
+  enableRateLimiting: import_zod2.z.boolean().nullable().default(null),
+  emergencyMode: import_zod2.z.boolean().default(false),
+  emergencyWhitelist: import_zod2.z.array(import_zod2.z.string()).default([])
+});
+
+// src/models/logger.ts
+var defaultLogger = {
+  info: (msg, ...args) => console.info(`[guard-core] ${msg}`, ...args),
+  warn: (msg, ...args) => console.warn(`[guard-core] ${msg}`, ...args),
+  error: (msg, ...args) => console.error(`[guard-core] ${msg}`, ...args),
+  debug: (msg, ...args) => console.debug(`[guard-core] ${msg}`, ...args)
+};
+
+// src/models/route-config.ts
+var RouteConfig = class {
+  rateLimit = null;
+  rateLimitWindow = null;
+  ipWhitelist = null;
+  ipBlacklist = null;
+  blockedCountries = null;
+  whitelistCountries = null;
+  bypassedChecks = /* @__PURE__ */ new Set();
+  requireHttps = false;
+  authRequired = null;
+  customValidators = [];
+  blockedUserAgents = [];
+  requiredHeaders = {};
+  behaviorRules = [];
+  blockCloudProviders = /* @__PURE__ */ new Set();
+  maxRequestSize = null;
+  allowedContentTypes = null;
+  timeRestrictions = null;
+  enableSuspiciousDetection = true;
+  requireReferrer = null;
+  apiKeyRequired = false;
+  sessionLimits = null;
+  geoRateLimits = null;
+};
+
+// src/detection-engine/index.ts
+init_compiler();
+init_preprocessor();
+init_monitor();
+init_semantic();
+
+// src/core/events/event-bus.ts
+var SecurityEventBus = class {
+  constructor(agentHandler, config, logger, geoIpHandler = null) {
+    this.agentHandler = agentHandler;
+    this.config = config;
+    this.logger = logger;
+    this.geoIpHandler = geoIpHandler;
+  }
+  async sendMiddlewareEvent(eventType, request, actionTaken, reason, metadata) {
+    if (!this.agentHandler || !this.config.agentEnableEvents) return;
+    try {
+      const clientIp = request.clientHost ?? "unknown";
+      let country = null;
+      if (this.geoIpHandler) {
+        try {
+          country = this.geoIpHandler.getCountry(clientIp);
+        } catch {
+        }
+      }
+      await this.agentHandler.sendEvent({
+        timestamp: /* @__PURE__ */ new Date(),
+        eventType,
+        ipAddress: clientIp,
+        country,
+        userAgent: request.headers["user-agent"] ?? null,
+        actionTaken,
+        reason,
+        endpoint: request.urlPath,
+        method: request.method,
+        metadata: metadata ?? {}
+      });
+    } catch (e) {
+      this.logger.error(`Failed to send security event: ${e}`);
+    }
+  }
+  async sendHttpsViolationEvent(request, isRouteSpecific) {
+    const httpsUrl = request.urlReplaceScheme("https");
+    if (isRouteSpecific) {
+      await this.sendMiddlewareEvent(
+        "decorator_violation",
+        request,
+        "https_redirect",
+        "Route requires HTTPS but request was HTTP",
+        { decoratorType: "authentication", violationType: "require_https", redirectUrl: httpsUrl }
+      );
+    } else {
+      await this.sendMiddlewareEvent(
+        "https_enforced",
+        request,
+        "https_redirect",
+        "HTTP request redirected to HTTPS for security",
+        { originalScheme: request.urlScheme, redirectUrl: httpsUrl }
+      );
+    }
+  }
+  async sendCloudDetectionEvents(request, clientIp, providers, passiveMode) {
+    await this.sendMiddlewareEvent(
+      "cloud_detection",
+      request,
+      /* v8 ignore next -- V8 cannot track ternary branch coverage inside string template literal */
+      passiveMode ? "logged_only" : "request_blocked",
+      `Cloud provider IP ${clientIp} detected`,
+      { blockedProviders: providers }
+    );
+  }
+};
+
+// src/core/events/metrics.ts
+var MetricsCollector = class {
+  constructor(agentHandler, config, logger) {
+    this.agentHandler = agentHandler;
+    this.config = config;
+    this.logger = logger;
+  }
+  async sendMetric(metricType, value, tags) {
+    if (!this.agentHandler || !this.config.agentEnableMetrics) return;
+    try {
+      await this.agentHandler.sendMetric({
+        timestamp: /* @__PURE__ */ new Date(),
+        metricType,
+        value,
+        tags: tags ?? {}
+      });
+    } catch (e) {
+      this.logger.error(`Failed to send metric: ${e}`);
+    }
+  }
+  async collectRequestMetrics(request, responseTime, statusCode) {
+    if (!this.agentHandler || !this.config.agentEnableMetrics) return;
+    const endpoint = request.urlPath;
+    const method = request.method;
+    const tags = { endpoint, method, status: String(statusCode) };
+    await this.sendMetric("response_time", responseTime, tags);
+    await this.sendMetric("request_count", 1, { endpoint, method });
+    if (statusCode >= 400) {
+      await this.sendMetric("error_rate", 1, tags);
+    }
+  }
+};
+
+// src/handlers/behavior.ts
+var BehaviorTracker = class {
+  constructor(config, logger) {
+    this.config = config;
+    this.logger = logger;
+  }
+  usageCounts = /* @__PURE__ */ new Map();
+  returnPatterns = /* @__PURE__ */ new Map();
+  redisHandler = null;
+  agentHandler = null;
+  async initializeRedis(redisHandler) {
+    this.redisHandler = redisHandler;
+  }
+  async initializeAgent(agentHandler) {
+    this.agentHandler = agentHandler;
+  }
+  async trackEndpointUsage(endpointId, clientIp, rule) {
+    const now = Date.now() / 1e3;
+    const windowStart = now - rule.window;
+    if (!this.usageCounts.has(endpointId)) {
+      this.usageCounts.set(endpointId, /* @__PURE__ */ new Map());
+    }
+    const endpointMap = this.usageCounts.get(endpointId);
+    if (!endpointMap.has(clientIp)) {
+      endpointMap.set(clientIp, []);
+    }
+    const timestamps = endpointMap.get(clientIp);
+    const validIdx = timestamps.findIndex((t) => t > windowStart);
+    if (validIdx > 0) timestamps.splice(0, validIdx);
+    else if (validIdx === -1) timestamps.length = 0;
+    timestamps.push(now);
+    return timestamps.length > rule.threshold;
+  }
+  async trackReturnPattern(endpointId, clientIp, response, rule) {
+    if (!rule.pattern) return false;
+    const matched = this.checkResponsePattern(response, rule.pattern);
+    if (!matched) return false;
+    const now = Date.now() / 1e3;
+    const windowStart = now - rule.window;
+    const key = `${endpointId}:${rule.pattern}`;
+    if (!this.returnPatterns.has(key)) {
+      this.returnPatterns.set(key, /* @__PURE__ */ new Map());
+    }
+    const patternMap = this.returnPatterns.get(key);
+    if (!patternMap.has(clientIp)) {
+      patternMap.set(clientIp, []);
+    }
+    const timestamps = patternMap.get(clientIp);
+    const validIdx = timestamps.findIndex((t) => t > windowStart);
+    if (validIdx > 0) timestamps.splice(0, validIdx);
+    else if (validIdx === -1) timestamps.length = 0;
+    timestamps.push(now);
+    return timestamps.length > rule.threshold;
+  }
+  checkResponsePattern(response, pattern) {
+    if (pattern.startsWith("status:")) {
+      const code = parseInt(pattern.slice(7), 10);
+      return response.statusCode === code;
+    }
+    if (pattern.startsWith("regex:")) {
+      const re = new RegExp(pattern.slice(6), "i");
+      return response.bodyText ? re.test(response.bodyText) : false;
+    }
+    if (pattern.startsWith("json:")) {
+      if (!response.bodyText) return false;
+      try {
+        const data = JSON.parse(response.bodyText);
+        const path = pattern.slice(5);
+        const parts = path.split(".");
+        let current = data;
+        for (const part of parts) {
+          if (current === null || current === void 0) return false;
+          current = current[part];
+        }
+        return current !== void 0 && current !== null;
+      } catch {
+        return false;
+      }
+    }
+    return response.bodyText ? response.bodyText.includes(pattern) : false;
+  }
+  async applyAction(rule, clientIp, endpointId, details) {
+    if (this.config.passiveMode) {
+      this.logger.info(`[PASSIVE] Would ${rule.action} ${clientIp} for ${details}`);
+      return;
+    }
+    switch (rule.action) {
+      case "ban":
+        this.logger.warn(`Behavioral ban: ${clientIp} - ${details}`);
+        break;
+      case "log":
+        this.logger.info(`Behavioral log: ${clientIp} - ${details}`);
+        break;
+      case "throttle":
+        this.logger.info(`Behavioral throttle: ${clientIp} - ${details}`);
+        break;
+      case "alert":
+        this.logger.warn(`Behavioral alert: ${clientIp} - ${details}`);
+        break;
+    }
+    if (rule.customAction) {
+      try {
+        rule.customAction(rule.action, clientIp, endpointId, details);
+      } catch {
+      }
+    }
+    if (this.agentHandler) {
+      try {
+        await this.agentHandler.sendEvent({
+          eventType: "behavioral_action",
+          ipAddress: clientIp,
+          actionTaken: rule.action,
+          reason: details,
+          metadata: { endpointId, ruleType: rule.ruleType, threshold: rule.threshold }
+        });
+      } catch {
+      }
+    }
+  }
+  async reset() {
+    this.usageCounts.clear();
+    this.returnPatterns.clear();
+  }
+};
+
+// src/core/initialization/handler-initializer.ts
+init_cloud();
+
+// src/handlers/dynamic-rules.ts
+var DynamicRuleManager = class {
+  constructor(config, logger) {
+    this.config = config;
+    this.logger = logger;
+  }
+  currentRules = null;
+  updateTimer = null;
+  lastUpdate = 0;
+  agentHandler = null;
+  redisHandler = null;
+  async initializeAgent(agentHandler) {
+    this.agentHandler = agentHandler;
+    if (this.config.enableDynamicRules) {
+      this.startUpdateLoop();
+    }
+  }
+  async initializeRedis(redisHandler) {
+    this.redisHandler = redisHandler;
+  }
+  startUpdateLoop() {
+    if (this.updateTimer) return;
+    this.updateTimer = setInterval(
+      () => {
+        this.updateRules().catch((e) => this.logger.error(`Rule update failed: ${e}`));
+      },
+      this.config.dynamicRuleInterval * 1e3
+    );
+  }
+  async updateRules() {
+    if (!this.agentHandler) return;
+    try {
+      const rawRules = await this.agentHandler.getDynamicRules();
+      if (!rawRules) return;
+      const parsed = DynamicRulesSchema.safeParse(rawRules);
+      if (!parsed.success) {
+        this.logger.warn(`Invalid dynamic rules: ${parsed.error.message}`);
+        return;
+      }
+      const rules = parsed.data;
+      if (this.currentRules && this.currentRules.ruleId === rules.ruleId && this.currentRules.version >= rules.version) {
+        return;
+      }
+      this.currentRules = rules;
+      this.lastUpdate = Date.now() / 1e3;
+      this.logger.info(`Applied dynamic rules: ${rules.ruleId} v${rules.version}`);
+      if (this.agentHandler) {
+        try {
+          await this.agentHandler.sendEvent({
+            eventType: "dynamic_rule_applied",
+            ipAddress: "system",
+            actionTaken: "rules_updated",
+            reason: `Applied rules ${rules.ruleId} v${rules.version}`
+          });
+        } catch {
+        }
+      }
+    } catch (e) {
+      this.logger.error(`Failed to fetch dynamic rules: ${e}`);
+    }
+  }
+  getCurrentRules() {
+    return this.currentRules;
+  }
+  async forceUpdate() {
+    await this.updateRules();
+  }
+  async stop() {
+    if (this.updateTimer) {
+      clearInterval(this.updateTimer);
+      this.updateTimer = null;
+    }
+  }
+};
+
+// src/handlers/ip-ban.ts
+var IPBanManager = class {
+  constructor(logger) {
+    this.logger = logger;
+  }
+  bannedIps = /* @__PURE__ */ new Map();
+  redisHandler = null;
+  agentHandler = null;
+  maxSize = 1e4;
+  async initializeRedis(redisHandler) {
+    this.redisHandler = redisHandler;
+  }
+  async initializeAgent(agentHandler) {
+    this.agentHandler = agentHandler;
+  }
+  async banIp(ip, duration, reason) {
+    const now = Date.now() / 1e3;
+    const expiresAt = now + duration;
+    if (this.bannedIps.size >= this.maxSize) {
+      const oldestKey = this.bannedIps.keys().next().value;
+      if (oldestKey) this.bannedIps.delete(oldestKey);
+    }
+    this.bannedIps.set(ip, { expiresAt, reason, bannedAt: now });
+    if (this.redisHandler) {
+      await this.redisHandler.setKey("banned_ips", ip, String(expiresAt), duration);
+    }
+    if (this.agentHandler) {
+      try {
+        await this.agentHandler.sendEvent({
+          eventType: "ip_banned",
+          ipAddress: ip,
+          actionTaken: "ip_banned",
+          reason,
+          metadata: { duration, expiresAt }
+        });
+      } catch {
+      }
+    }
+    this.logger.info(`IP banned: ${ip} for ${duration}s - ${reason}`);
+  }
+  async isIpBanned(ip) {
+    const now = Date.now() / 1e3;
+    const entry = this.bannedIps.get(ip);
+    if (entry) {
+      if (now <= entry.expiresAt) return true;
+      this.bannedIps.delete(ip);
+    }
+    if (this.redisHandler) {
+      const expiryStr = await this.redisHandler.getKey("banned_ips", ip);
+      if (typeof expiryStr === "string") {
+        const expiresAt = parseFloat(expiryStr);
+        if (now <= expiresAt) {
+          this.bannedIps.set(ip, {
+            expiresAt,
+            reason: "restored_from_redis",
+            bannedAt: now
+          });
+          return true;
+        }
+        await this.redisHandler.delete("banned_ips", ip);
+      }
+    }
+    return false;
+  }
+  async unbanIp(ip) {
+    this.bannedIps.delete(ip);
+    if (this.redisHandler) {
+      await this.redisHandler.delete("banned_ips", ip);
+    }
+    if (this.agentHandler) {
+      try {
+        await this.agentHandler.sendEvent({
+          eventType: "ip_unbanned",
+          ipAddress: ip,
+          actionTaken: "ip_unbanned",
+          reason: "Manual unban"
+        });
+      } catch {
+      }
+    }
+    this.logger.info(`IP unbanned: ${ip}`);
+  }
+  async reset() {
+    this.bannedIps.clear();
+    if (this.redisHandler) {
+      await this.redisHandler.deletePattern("banned_ips:*");
+    }
+  }
+};
+
+// src/handlers/rate-limit.ts
+var RATE_LIMIT_SCRIPT = `
+local key = KEYS[1]
+local now = tonumber(ARGV[1])
+local window = tonumber(ARGV[2])
+local limit = tonumber(ARGV[3])
+local window_start = now - window
+
+redis.call('ZADD', key, now, now)
+redis.call('ZREMRANGEBYSCORE', key, 0, window_start)
+local count = redis.call('ZCARD', key)
+redis.call('EXPIRE', key, window * 2)
+
+return count
+`;
+var RateLimitManager = class {
+  constructor(logger) {
+    this.logger = logger;
+  }
+  requestTimestamps = /* @__PURE__ */ new Map();
+  redisHandler = null;
+  agentHandler = null;
+  rateLimitScriptSha = null;
+  async initializeRedis(redisHandler) {
+    this.redisHandler = redisHandler;
+    const client = redisHandler.getRawClient();
+    if (client) {
+      try {
+        this.rateLimitScriptSha = await client.script("load", RATE_LIMIT_SCRIPT);
+      } catch (e) {
+        this.logger.warn(`Failed to load rate limit Lua script: ${e}`);
+      }
+    }
+  }
+  async initializeAgent(agentHandler) {
+    this.agentHandler = agentHandler;
+  }
+  async checkRateLimit(request, clientIp, createErrorResponse, endpointPath = null, rateLimit = 10, rateLimitWindow = 60) {
+    const key = endpointPath ? `${clientIp}:${endpointPath}` : clientIp;
+    const now = Date.now() / 1e3;
+    let count = null;
+    if (this.redisHandler) {
+      count = await this.getRedisRequestCount(key, now, rateLimitWindow, rateLimit);
+    }
+    if (count === null) {
+      count = this.getInMemoryRequestCount(key, now, rateLimitWindow);
+    }
+    if (count > rateLimit) {
+      return this.handleRateLimitExceeded(
+        request,
+        clientIp,
+        count,
+        createErrorResponse,
+        rateLimitWindow
+      );
+    }
+    return null;
+  }
+  async getRedisRequestCount(key, now, window, _limit) {
+    const client = this.redisHandler?.getRawClient();
+    if (!client) return null;
+    const redisKey = `rate_limit:rate:${key}`;
+    const prefix = this.redisHandler["prefix"];
+    const fullKey = `${prefix}${redisKey}`;
+    try {
+      if (this.rateLimitScriptSha) {
+        const count2 = await client.evalsha(
+          this.rateLimitScriptSha,
+          1,
+          fullKey,
+          now,
+          window,
+          _limit
+        );
+        return Number(count2);
+      }
+      await client.zadd(fullKey, now, String(now));
+      await client.zremrangebyscore(fullKey, 0, now - window);
+      const count = await client.zcard(fullKey);
+      await client.eval('redis.call("EXPIRE", KEYS[1], ARGV[1])', 1, fullKey, window * 2);
+      return count;
+    } catch (e) {
+      this.logger.warn(`Redis rate limit check failed, falling back to in-memory: ${e}`);
+      return null;
+    }
+  }
+  getInMemoryRequestCount(key, now, window) {
+    let timestamps = this.requestTimestamps.get(key);
+    if (!timestamps) {
+      timestamps = [];
+      this.requestTimestamps.set(key, timestamps);
+    }
+    const windowStart = now - window;
+    const validIndex = timestamps.findIndex((t) => t > windowStart);
+    if (validIndex > 0) {
+      timestamps.splice(0, validIndex);
+    } else if (validIndex === -1) {
+      timestamps.length = 0;
+    }
+    timestamps.push(now);
+    return timestamps.length;
+  }
+  async handleRateLimitExceeded(request, clientIp, count, createErrorResponse, window) {
+    this.logger.warn(`Rate limit exceeded for ${clientIp}: ${count} requests`);
+    if (this.agentHandler) {
+      try {
+        await this.agentHandler.sendEvent({
+          eventType: "rate_limit_exceeded",
+          ipAddress: clientIp,
+          actionTaken: "request_blocked",
+          reason: `Rate limit exceeded: ${count} requests in ${window}s window`,
+          metadata: {
+            endpoint: request.urlPath,
+            method: request.method,
+            requestCount: count,
+            window
+          }
+        });
+      } catch {
+      }
+    }
+    return createErrorResponse(429, "Rate limit exceeded");
+  }
+  async reset() {
+    this.requestTimestamps.clear();
+    if (this.redisHandler) {
+      await this.redisHandler.deletePattern("rate_limit:rate:*");
+    }
+  }
+};
+
+// src/handlers/redis.ts
+var RedisManager = class {
+  constructor(config, logger) {
+    this.config = config;
+    this.logger = logger;
+    this.prefix = config.redisPrefix;
+  }
+  client = null;
+  closed = false;
+  agentHandler = null;
+  prefix;
+  async initialize() {
+    if (!this.config.enableRedis || this.closed) return;
+    try {
+      const { default: Redis } = await import("ioredis");
+      this.client = new Redis(this.config.redisUrl);
+      await this.client.ping();
+      this.logger.info("Redis connection established");
+    } catch (e) {
+      this.logger.error(`Redis connection failed: ${e}`);
+      this.client = null;
+    }
+  }
+  async close() {
+    this.closed = true;
+    if (this.client) {
+      try {
+        await this.client.quit();
+      } catch {
+      }
+      this.client = null;
+    }
+  }
+  async initializeAgent(agentHandler) {
+    this.agentHandler = agentHandler;
+  }
+  /* v8 ignore start -- getConnection returns pooled disposable; V8 cannot track inline Symbol.asyncDispose */
+  getConnection() {
+    const client = this.client;
+    return {
+      [Symbol.asyncDispose]: async () => {
+      },
+      get client() {
+        return client;
+      }
+    };
+  }
+  /* v8 ignore stop */
+  formatKey(namespace, key) {
+    return `${this.prefix}${namespace}:${key}`;
+  }
+  async getKey(namespace, key) {
+    if (!this.client) return null;
+    try {
+      return await this.client.get(this.formatKey(namespace, key));
+    } catch (e) {
+      this.logger.error(`Redis get failed: ${e}`);
+      return null;
+    }
+  }
+  async setKey(namespace, key, value, ttl) {
+    if (!this.client) return null;
+    try {
+      const fullKey = this.formatKey(namespace, key);
+      const strValue = typeof value === "string" ? value : JSON.stringify(value);
+      if (ttl && ttl > 0) {
+        await this.client.setex(fullKey, ttl, strValue);
+      } else {
+        await this.client.set(fullKey, strValue);
+      }
+      return true;
+    } catch (e) {
+      this.logger.error(`Redis set failed: ${e}`);
+      return null;
+    }
+  }
+  async incr(namespace, key, ttl) {
+    if (!this.client) return null;
+    try {
+      const fullKey = this.formatKey(namespace, key);
+      const count = await this.client.incr(fullKey);
+      if (ttl && ttl > 0) {
+        await this.client.expire(fullKey, ttl);
+      }
+      return count;
+    } catch (e) {
+      this.logger.error(`Redis incr failed: ${e}`);
+      return null;
+    }
+  }
+  async exists(namespace, key) {
+    if (!this.client) return null;
+    try {
+      const result = await this.client.exists(this.formatKey(namespace, key));
+      return result > 0;
+    } catch (e) {
+      this.logger.error(`Redis exists failed: ${e}`);
+      return null;
+    }
+  }
+  async delete(namespace, key) {
+    if (!this.client) return null;
+    try {
+      return await this.client.del(this.formatKey(namespace, key));
+    } catch (e) {
+      this.logger.error(`Redis delete failed: ${e}`);
+      return null;
+    }
+  }
+  async keys(pattern) {
+    if (!this.client) return null;
+    try {
+      return await this.client.keys(`${this.prefix}${pattern}`);
+    } catch (e) {
+      this.logger.error(`Redis keys failed: ${e}`);
+      return null;
+    }
+  }
+  async deletePattern(pattern) {
+    if (!this.client) return null;
+    try {
+      const matchedKeys = await this.client.keys(`${this.prefix}${pattern}`);
+      if (matchedKeys.length === 0) return 0;
+      return await this.client.del(...matchedKeys);
+    } catch (e) {
+      this.logger.error(`Redis deletePattern failed: ${e}`);
+      return null;
+    }
+  }
+  getRawClient() {
+    return this.client;
+  }
+};
+
+// src/handlers/security-headers.ts
+var DEFAULT_HEADERS = {
+  "X-Content-Type-Options": "nosniff",
+  "X-Frame-Options": "SAMEORIGIN",
+  "X-XSS-Protection": "1; mode=block",
+  "Referrer-Policy": "strict-origin-when-cross-origin",
+  "Permissions-Policy": "geolocation=(), microphone=(), camera=()",
+  "X-Permitted-Cross-Domain-Policies": "none",
+  "X-Download-Options": "noopen",
+  "Cross-Origin-Embedder-Policy": "require-corp",
+  "Cross-Origin-Opener-Policy": "same-origin",
+  "Cross-Origin-Resource-Policy": "same-origin"
+};
+var MAX_HEADER_VALUE_LENGTH = 8192;
+function validateHeaderValue(value) {
+  if (value.includes("\r") || value.includes("\n")) {
+    throw new Error("Header value must not contain CR or LF characters");
+  }
+  if (value.length > MAX_HEADER_VALUE_LENGTH) {
+    throw new Error(`Header value exceeds maximum length of ${MAX_HEADER_VALUE_LENGTH}`);
+  }
+  return value.replace(/[\x00-\x08\x0b\x0c\x0e-\x1f]/g, "");
+}
+function generateCacheKey(requestPath) {
+  const normalized = requestPath.toLowerCase().replace(/\/+$/, "");
+  let hash = 0;
+  for (let i = 0; i < normalized.length; i++) {
+    hash = (hash << 5) - hash + normalized.charCodeAt(i);
+    hash |= 0;
+  }
+  return String(Math.abs(hash)).padStart(16, "0").slice(0, 16);
+}
+var SecurityHeadersManager = class {
+  constructor(logger) {
+    this.logger = logger;
+  }
+  headersCache = /* @__PURE__ */ new Map();
+  defaultHeaders = { ...DEFAULT_HEADERS };
+  customHeaders = {};
+  cspConfig = null;
+  hstsConfig = null;
+  corsConfig = null;
+  redisHandler = null;
+  agentHandler = null;
+  cacheMaxSize = 1e3;
+  cacheTtlMs = 3e5;
+  cacheTimestamps = /* @__PURE__ */ new Map();
+  async initializeRedis(redisHandler) {
+    this.redisHandler = redisHandler;
+    await this.loadCachedConfig();
+  }
+  /* v8 ignore start -- initializeAgent assignment; tested via handler tests but V8 misses when called from mock */
+  async initializeAgent(agentHandler) {
+    this.agentHandler = agentHandler;
+  }
+  /* v8 ignore stop */
+  async loadCachedConfig() {
+    if (!this.redisHandler) return;
+    const cspJson = await this.redisHandler.getKey("security_headers", "csp_config");
+    if (typeof cspJson === "string") {
+      try {
+        this.cspConfig = JSON.parse(cspJson);
+      } catch {
+      }
+    }
+    const hstsJson = await this.redisHandler.getKey("security_headers", "hsts_config");
+    if (typeof hstsJson === "string") {
+      try {
+        this.hstsConfig = JSON.parse(hstsJson);
+      } catch {
+      }
+    }
+    const customJson = await this.redisHandler.getKey("security_headers", "custom_headers");
+    if (typeof customJson === "string") {
+      try {
+        this.customHeaders = JSON.parse(customJson);
+      } catch {
+      }
+    }
+  }
+  configure(options) {
+    if (options.enabled === false) {
+      this.defaultHeaders = {};
+      return;
+    }
+    if (options.csp) this.cspConfig = options.csp;
+    if (options.hstsMaxAge !== void 0) {
+      this.hstsConfig = {
+        maxAge: options.hstsMaxAge,
+        includeSubdomains: options.hstsIncludeSubdomains ?? true,
+        preload: options.hstsPreload ?? false
+      };
+    }
+    if (options.frameOptions) this.defaultHeaders["X-Frame-Options"] = validateHeaderValue(options.frameOptions);
+    if (options.contentTypeOptions) this.defaultHeaders["X-Content-Type-Options"] = validateHeaderValue(options.contentTypeOptions);
+    if (options.xssProtection) this.defaultHeaders["X-XSS-Protection"] = validateHeaderValue(options.xssProtection);
+    if (options.referrerPolicy) this.defaultHeaders["Referrer-Policy"] = validateHeaderValue(options.referrerPolicy);
+    if (options.permissionsPolicy) this.defaultHeaders["Permissions-Policy"] = validateHeaderValue(options.permissionsPolicy);
+    if (options.customHeaders) {
+      for (const [key, value] of Object.entries(options.customHeaders)) {
+        this.customHeaders[key] = validateHeaderValue(value);
+      }
+    }
+    if (options.corsOrigins) {
+      this.corsConfig = {
+        origins: options.corsOrigins,
+        allowCredentials: options.corsAllowCredentials ?? false,
+        allowMethods: options.corsAllowMethods ?? ["GET", "POST", "PUT", "DELETE", "OPTIONS"],
+        allowHeaders: options.corsAllowHeaders ?? ["*"]
+      };
+    }
+    this.cacheConfiguration();
+  }
+  async cacheConfiguration() {
+    if (!this.redisHandler) return;
+    const ttl = 86400;
+    if (this.cspConfig) await this.redisHandler.setKey("security_headers", "csp_config", JSON.stringify(this.cspConfig), ttl);
+    if (this.hstsConfig) await this.redisHandler.setKey("security_headers", "hsts_config", JSON.stringify(this.hstsConfig), ttl);
+    if (Object.keys(this.customHeaders).length > 0) {
+      await this.redisHandler.setKey("security_headers", "custom_headers", JSON.stringify(this.customHeaders), ttl);
+    }
+  }
+  buildCsp() {
+    if (!this.cspConfig) return null;
+    return Object.entries(this.cspConfig).map(([directive, values]) => `${directive} ${values.join(" ")}`).join("; ");
+  }
+  buildHsts() {
+    if (!this.hstsConfig) return null;
+    let header = `max-age=${this.hstsConfig.maxAge}`;
+    if (this.hstsConfig.includeSubdomains) header += "; includeSubDomains";
+    if (this.hstsConfig.preload) header += "; preload";
+    return header;
+  }
+  async getHeaders(requestPath) {
+    const cacheKey = generateCacheKey(requestPath);
+    const now = Date.now();
+    const cachedTimestamp = this.cacheTimestamps.get(cacheKey);
+    if (cachedTimestamp && now - cachedTimestamp < this.cacheTtlMs) {
+      const cached = this.headersCache.get(cacheKey);
+      if (cached) return { ...cached };
+    }
+    const headers = { ...this.defaultHeaders };
+    const csp = this.buildCsp();
+    if (csp) headers["Content-Security-Policy"] = csp;
+    const hsts = this.buildHsts();
+    if (hsts) headers["Strict-Transport-Security"] = hsts;
+    for (const [key, value] of Object.entries(this.customHeaders)) {
+      headers[key] = value;
+    }
+    if (this.headersCache.size >= this.cacheMaxSize) {
+      const oldestKey = this.headersCache.keys().next().value;
+      if (oldestKey) {
+        this.headersCache.delete(oldestKey);
+        this.cacheTimestamps.delete(oldestKey);
+      }
+    }
+    this.headersCache.set(cacheKey, headers);
+    this.cacheTimestamps.set(cacheKey, now);
+    return { ...headers };
+  }
+  getCorsHeaders(origin) {
+    if (!this.corsConfig) return {};
+    const isAllowed = this.corsConfig.origins.includes("*") || this.corsConfig.origins.includes(origin);
+    if (!isAllowed) return {};
+    const headers = {
+      "Access-Control-Allow-Origin": this.corsConfig.origins.includes("*") ? "*" : origin,
+      "Access-Control-Allow-Methods": this.corsConfig.allowMethods.join(", "),
+      "Access-Control-Allow-Headers": this.corsConfig.allowHeaders.join(", ")
+    };
+    if (this.corsConfig.allowCredentials) {
+      headers["Access-Control-Allow-Credentials"] = "true";
+    }
+    return headers;
+  }
+  async reset() {
+    this.headersCache.clear();
+    this.cacheTimestamps.clear();
+    this.defaultHeaders = { ...DEFAULT_HEADERS };
+    this.customHeaders = {};
+    this.cspConfig = null;
+    this.hstsConfig = null;
+    this.corsConfig = null;
+    if (this.redisHandler) {
+      await this.redisHandler.deletePattern("security_headers:*");
+    }
+  }
+};
+
+// src/core/initialization/handler-initializer.ts
+init_sus_patterns();
+var HandlerInitializer = class {
+  constructor(config, logger, agentHandler = null, geoIpHandler = null, guardDecorator = null) {
+    this.config = config;
+    this.logger = logger;
+    this.agentHandler = agentHandler;
+    this.geoIpHandler = geoIpHandler;
+    this.guardDecorator = guardDecorator;
+  }
+  async initialize() {
+    const ipBanHandler = new IPBanManager(this.logger);
+    const rateLimitHandler = new RateLimitManager(this.logger);
+    const cloudHandler = new CloudHandler(this.logger);
+    const susPatternsHandler = new SusPatternsManager(this.config, this.logger);
+    const securityHeadersHandler = new SecurityHeadersManager(this.logger);
+    const behaviorTracker = new BehaviorTracker(this.config, this.logger);
+    const dynamicRuleHandler = new DynamicRuleManager(this.config, this.logger);
+    let redisHandler = null;
+    if (this.config.enableRedis) {
+      try {
+        redisHandler = new RedisManager(this.config, this.logger);
+        await redisHandler.initialize();
+        await ipBanHandler.initializeRedis(redisHandler);
+        await rateLimitHandler.initializeRedis(redisHandler);
+        await susPatternsHandler.initializeRedis(redisHandler);
+        await securityHeadersHandler.initializeRedis(redisHandler);
+        await behaviorTracker.initializeRedis(redisHandler);
+        await dynamicRuleHandler.initializeRedis(redisHandler);
+        if (this.config.blockCloudProviders.size > 0) {
+          await cloudHandler.initializeRedis(
+            redisHandler,
+            this.config.blockCloudProviders,
+            this.config.cloudIpRefreshInterval
+          );
+        }
+        if (this.geoIpHandler) {
+          await this.geoIpHandler.initializeRedis(redisHandler);
+        }
+      } catch (e) {
+        this.logger.warn(`Redis initialization failed, falling back to in-memory: ${e}`);
+        redisHandler = null;
+      }
+    }
+    if (this.geoIpHandler && !this.geoIpHandler.isInitialized) {
+      await this.geoIpHandler.initialize();
+    }
+    if (this.agentHandler) {
+      await this.initializeAgentIntegrations(
+        ipBanHandler,
+        rateLimitHandler,
+        cloudHandler,
+        susPatternsHandler,
+        dynamicRuleHandler,
+        redisHandler
+      );
+    }
+    this.configureSecurityHeaders(securityHeadersHandler);
+    return {
+      redisHandler,
+      ipBanHandler,
+      rateLimitHandler,
+      cloudHandler,
+      susPatternsHandler,
+      securityHeadersHandler,
+      behaviorTracker,
+      dynamicRuleHandler,
+      geoIpHandler: this.geoIpHandler
+    };
+  }
+  async initializeAgentIntegrations(ipBanHandler, rateLimitHandler, cloudHandler, susPatternsHandler, dynamicRuleHandler, redisHandler) {
+    if (!this.agentHandler) return;
+    await this.agentHandler.start();
+    if (redisHandler) {
+      await this.agentHandler.initializeRedis(redisHandler);
+      await redisHandler.initializeAgent(this.agentHandler);
+    }
+    await ipBanHandler.initializeAgent(this.agentHandler);
+    await rateLimitHandler.initializeAgent(this.agentHandler);
+    await susPatternsHandler.initializeAgent(this.agentHandler);
+    if (this.config.blockCloudProviders.size > 0) {
+      await cloudHandler.initializeAgent(this.agentHandler);
+    }
+    if (this.geoIpHandler) {
+      await this.geoIpHandler.initializeAgent(this.agentHandler);
+    }
+    if (this.config.enableDynamicRules) {
+      await dynamicRuleHandler.initializeAgent(this.agentHandler);
+    }
+    if (this.guardDecorator && typeof this.guardDecorator["initializeAgent"] === "function") {
+      await this.guardDecorator.initializeAgent(this.agentHandler);
+    }
+  }
+  configureSecurityHeaders(manager) {
+    const headers = this.config.securityHeaders;
+    if (!headers) return;
+    manager.configure({
+      enabled: headers.enabled,
+      csp: headers.csp,
+      hstsMaxAge: headers.hsts?.maxAge,
+      hstsIncludeSubdomains: headers.hsts?.includeSubdomains,
+      hstsPreload: headers.hsts?.preload,
+      frameOptions: headers.frameOptions,
+      contentTypeOptions: headers.contentTypeOptions,
+      xssProtection: headers.xssProtection,
+      referrerPolicy: headers.referrerPolicy,
+      permissionsPolicy: headers.permissionsPolicy,
+      customHeaders: headers.custom ?? void 0,
+      corsOrigins: this.config.enableCors ? this.config.corsAllowOrigins : void 0,
+      corsAllowCredentials: this.config.corsAllowCredentials,
+      corsAllowMethods: this.config.corsAllowMethods,
+      corsAllowHeaders: this.config.corsAllowHeaders
+    });
+  }
+};
+
+// src/core/validation/validator.ts
+var ipaddr3 = __toESM(require("ipaddr.js"), 1);
+var RequestValidator = class {
+  constructor(config, logger, eventBus) {
+    this.config = config;
+    this.logger = logger;
+    this.eventBus = eventBus;
+  }
+  isRequestHttps(request) {
+    let isHttps = request.urlScheme === "https";
+    if (this.config.trustXForwardedProto && this.config.trustedProxies.length > 0 && request.clientHost) {
+      if (this.isTrustedProxy(request.clientHost)) {
+        const forwardedProto = request.headers["x-forwarded-proto"] ?? "";
+        isHttps = isHttps || forwardedProto.toLowerCase() === "https";
+      }
+    }
+    return isHttps;
+  }
+  isTrustedProxy(connectingIp) {
+    for (const proxy of this.config.trustedProxies) {
+      if (!proxy.includes("/")) {
+        if (connectingIp === proxy) return true;
+      } else {
+        try {
+          const parsed = ipaddr3.parse(connectingIp);
+          const [addr, prefixLen] = ipaddr3.parseCIDR(proxy);
+          if (parsed.kind() === addr.kind() && parsed.match([addr, prefixLen])) return true;
+        } catch {
+          continue;
+        }
+      }
+    }
+    return false;
+  }
+  async checkTimeWindow(timeRestrictions) {
+    try {
+      const { start, end } = timeRestrictions;
+      const now = /* @__PURE__ */ new Date();
+      const currentTime = now.toISOString().slice(11, 16);
+      if (start > end) {
+        return currentTime >= start || currentTime <= end;
+      }
+      return currentTime >= start && currentTime <= end;
+    } catch (e) {
+      this.logger.error(`Error checking time window: ${e}`);
+      return true;
+    }
+  }
+  async isPathExcluded(request) {
+    const excluded = this.config.excludePaths.some(
+      (path) => request.urlPath.startsWith(path)
+    );
+    if (excluded) {
+      await this.eventBus.sendMiddlewareEvent(
+        "path_excluded",
+        request,
+        "security_checks_bypassed",
+        `Path ${request.urlPath} excluded from security checks`,
+        { excludedPath: request.urlPath, configuredExclusions: this.config.excludePaths }
+      );
+    }
+    return excluded;
+  }
+};
+
+// src/core/routing/resolver.ts
+var RouteConfigResolver = class {
+  constructor(config) {
+    this.config = config;
+  }
+  guardDecorator = null;
+  setGuardDecorator(decorator) {
+    this.guardDecorator = decorator;
+  }
+  getRouteConfig(request) {
+    const decorator = this.guardDecorator ?? request.state.guardDecorator;
+    if (!decorator) return null;
+    const routeId = request.state.guardRouteId;
+    if (!routeId) return null;
+    const getConfig = decorator.getRouteConfig;
+    if (typeof getConfig !== "function") return null;
+    return getConfig.call(decorator, routeId) ?? null;
+  }
+  shouldBypassCheck(checkName, routeConfig) {
+    if (!routeConfig) return false;
+    return routeConfig.bypassedChecks.has(checkName) || routeConfig.bypassedChecks.has("all");
+  }
+  getCloudProvidersToCheck(routeConfig) {
+    if (routeConfig && routeConfig.blockCloudProviders.size > 0) {
+      return [...routeConfig.blockCloudProviders];
+    }
+    if (this.config.blockCloudProviders.size > 0) {
+      return [...this.config.blockCloudProviders];
+    }
+    return null;
+  }
+};
+
+// src/core/bypass/handler.ts
+var BypassHandler = class {
+  constructor(config, eventBus, routeResolver, responseFactory, validator) {
+    this.config = config;
+    this.eventBus = eventBus;
+    this.routeResolver = routeResolver;
+    this.responseFactory = responseFactory;
+    this.validator = validator;
+  }
+  async handlePassthrough(request, callNext) {
+    if (!request.clientHost) {
+      const response = await callNext(request);
+      return this.responseFactory.applyModifier(response);
+    }
+    if (await this.validator.isPathExcluded(request)) {
+      const response = await callNext(request);
+      return this.responseFactory.applyModifier(response);
+    }
+    return null;
+  }
+  async handleSecurityBypass(request, callNext, routeConfig) {
+    if (!routeConfig || !this.routeResolver.shouldBypassCheck("all", routeConfig)) {
+      return null;
+    }
+    await this.eventBus.sendMiddlewareEvent(
+      "security_bypass",
+      request,
+      "all_checks_bypassed",
+      "Route configured to bypass all security checks",
+      { bypassedChecks: [...routeConfig.bypassedChecks], endpoint: request.urlPath }
+    );
+    if (!this.config.passiveMode) {
+      const response = await callNext(request);
+      return this.responseFactory.applyModifier(response);
+    }
+    return null;
+  }
+};
+
+// src/core/responses/factory.ts
+var ErrorResponseFactory = class {
+  constructor(config, logger, metricsCollector, guardResponseFactory, securityHeadersManager, agentHandler = null) {
+    this.config = config;
+    this.logger = logger;
+    this.metricsCollector = metricsCollector;
+    this.guardResponseFactory = guardResponseFactory;
+    this.securityHeadersManager = securityHeadersManager;
+    this.agentHandler = agentHandler;
+  }
+  async createErrorResponse(statusCode, defaultMessage) {
+    const message = this.config.customErrorResponses[statusCode] ?? defaultMessage;
+    const response = this.guardResponseFactory.createResponse(message, statusCode);
+    await this.applySecurityHeaders(response, void 0);
+    return this.applyModifier(response);
+  }
+  async createHttpsRedirect(request) {
+    const httpsUrl = request.urlReplaceScheme("https");
+    const response = this.guardResponseFactory.createRedirectResponse(httpsUrl, 301);
+    return this.applyModifier(response);
+  }
+  async applySecurityHeaders(response, requestPath) {
+    const headersConfig = this.config.securityHeaders;
+    if (headersConfig && headersConfig.enabled) {
+      const securityHeaders = await this.securityHeadersManager.getHeaders(requestPath ?? "/");
+      for (const [name, value] of Object.entries(securityHeaders)) {
+        response.setHeader(name, value);
+      }
+    }
+    return response;
+  }
+  async applyCorsHeaders(response, origin) {
+    const corsHeaders = this.securityHeadersManager.getCorsHeaders(origin);
+    for (const [name, value] of Object.entries(corsHeaders)) {
+      response.setHeader(name, value);
+    }
+    return response;
+  }
+  async applyModifier(response) {
+    if (this.config.customResponseModifier) {
+      return this.config.customResponseModifier(response);
+    }
+    return response;
+  }
+  async processResponse(request, response, responseTime, routeConfig, processBehavioralRules) {
+    if (routeConfig && routeConfig.behaviorRules.length > 0 && processBehavioralRules) {
+      const clientIp = request.clientHost ?? "unknown";
+      await processBehavioralRules(request, response, clientIp, routeConfig);
+    }
+    await this.metricsCollector.collectRequestMetrics(request, responseTime, response.statusCode);
+    await this.applySecurityHeaders(response, request.urlPath);
+    const origin = request.headers["origin"];
+    if (origin) {
+      await this.applyCorsHeaders(response, origin);
+    }
+    return this.applyModifier(response);
+  }
+};
+
+// src/core/behavioral/processor.ts
+var BehavioralProcessor = class {
+  constructor(logger, eventBus) {
+    this.logger = logger;
+    this.eventBus = eventBus;
+  }
+  guardDecorator = null;
+  setGuardDecorator(decorator) {
+    this.guardDecorator = decorator;
+  }
+  async processUsageRules(request, clientIp, routeConfig) {
+    if (!this.guardDecorator) return;
+    const endpointId = this.getEndpointId(request);
+    const tracker = this.guardDecorator.behaviorTracker;
+    for (const rule of routeConfig.behaviorRules) {
+      if (rule.ruleType === "usage" || rule.ruleType === "frequency") {
+        const exceeded = await tracker.trackEndpointUsage(endpointId, clientIp, rule);
+        if (exceeded) {
+          const details = `${rule.threshold} calls in ${rule.window}s`;
+          await this.eventBus.sendMiddlewareEvent(
+            "decorator_violation",
+            request,
+            "behavioral_action_triggered",
+            `Behavioral ${rule.ruleType} threshold exceeded: ${details}`,
+            {
+              decoratorType: "behavioral",
+              violationType: rule.ruleType,
+              threshold: rule.threshold,
+              window: rule.window,
+              action: rule.action,
+              endpointId
+            }
+          );
+          await tracker.applyAction(rule, clientIp, endpointId, `Usage threshold exceeded: ${details}`);
+        }
+      }
+    }
+  }
+  async processReturnRules(request, response, clientIp, routeConfig) {
+    if (!this.guardDecorator) return;
+    const endpointId = this.getEndpointId(request);
+    const tracker = this.guardDecorator.behaviorTracker;
+    for (const rule of routeConfig.behaviorRules) {
+      if (rule.ruleType === "return_pattern") {
+        const detected = await tracker.trackReturnPattern(endpointId, clientIp, response, rule);
+        if (detected) {
+          const details = `${rule.threshold} for '${rule.pattern}' in ${rule.window}s`;
+          await this.eventBus.sendMiddlewareEvent(
+            "decorator_violation",
+            request,
+            "behavioral_action_triggered",
+            `Return pattern threshold exceeded: ${details}`,
+            {
+              decoratorType: "behavioral",
+              violationType: "return_pattern",
+              threshold: rule.threshold,
+              window: rule.window,
+              pattern: rule.pattern,
+              action: rule.action,
+              endpointId
+            }
+          );
+          await tracker.applyAction(rule, clientIp, endpointId, `Return pattern threshold exceeded: ${details}`);
+        }
+      }
+    }
+  }
+  getEndpointId(request) {
+    const endpointId = request.state.guardEndpointId;
+    if (typeof endpointId === "string") return endpointId;
+    return `${request.method}:${request.urlPath}`;
+  }
+};
+
+// src/core/checks/pipeline.ts
+var SecurityCheckPipeline = class {
+  constructor(checks, logger) {
+    this.checks = checks;
+    this.logger = logger;
+  }
+  async execute(request) {
+    for (const check of this.checks) {
+      try {
+        const response = await check.check(request);
+        if (response !== null) return response;
+      } catch (e) {
+        this.logger.error(`Security check '${check.checkName}' failed: ${e}`);
+      }
+    }
+    return null;
+  }
+  add(check) {
+    this.checks.push(check);
+  }
+  insert(index, check) {
+    this.checks.splice(index, 0, check);
+  }
+  remove(name) {
+    const idx = this.checks.findIndex((c) => c.checkName === name);
+    if (idx === -1) return false;
+    this.checks.splice(idx, 1);
+    return true;
+  }
+  getCheckNames() {
+    return this.checks.map((c) => c.checkName);
+  }
+  get length() {
+    return this.checks.length;
+  }
+};
+
+// src/core/checks/base.ts
+var SecurityCheck = class {
+  constructor(middleware) {
+    this.middleware = middleware;
+  }
+  get config() {
+    return this.middleware.config;
+  }
+  get logger() {
+    return this.middleware.logger;
+  }
+  async sendEvent(type, request, action, reason, meta) {
+    const eventBus = this.middleware.eventBus;
+    await eventBus.sendMiddlewareEvent(type, request, action, reason, meta);
+  }
+  async createErrorResponse(statusCode, message) {
+    return this.middleware.createErrorResponse(statusCode, message);
+  }
+  isPassiveMode() {
+    return this.config.passiveMode;
+  }
+};
+
+// src/core/checks/implementations/route-config.ts
+var RouteConfigCheck = class extends SecurityCheck {
+  get checkName() {
+    return "route_config";
+  }
+  async check(request) {
+    const routeResolver = this.middleware.routeResolver;
+    const routeConfig = routeResolver.getRouteConfig(request);
+    if (routeConfig) {
+      request.state["_routeConfig"] = routeConfig;
+    }
+    return null;
+  }
+};
+
+// src/core/checks/implementations/emergency-mode.ts
+var EmergencyModeCheck = class extends SecurityCheck {
+  get checkName() {
+    return "emergency_mode";
+  }
+  async check(request) {
+    if (!this.config.emergencyMode) return null;
+    const clientIp = request.clientHost ?? "";
+    if (this.config.emergencyWhitelist.includes(clientIp)) return null;
+    await this.sendEvent("emergency_mode", request, "request_blocked", "Emergency mode active");
+    return this.createErrorResponse(503, "Service temporarily unavailable");
+  }
+};
+
+// src/core/checks/implementations/https-enforcement.ts
+var HttpsEnforcementCheck = class extends SecurityCheck {
+  validator;
+  responseFactory;
+  constructor(middleware, validator, responseFactory) {
+    super(middleware);
+    this.validator = validator;
+    this.responseFactory = responseFactory;
+  }
+  get checkName() {
+    return "https_enforcement";
+  }
+  async check(request) {
+    if (!this.config.enforceHttps) return null;
+    if (this.validator.isRequestHttps(request)) return null;
+    if (this.isPassiveMode()) {
+      this.logger.info(`[PASSIVE] Would redirect to HTTPS: ${request.urlPath}`);
+      return null;
+    }
+    return this.responseFactory.createHttpsRedirect(request);
+  }
+};
+
+// src/core/checks/implementations/request-logging.ts
+init_utils();
+var RequestLoggingCheck = class extends SecurityCheck {
+  get checkName() {
+    return "request_logging";
+  }
+  async check(request) {
+    if (this.config.logRequestLevel) {
+      logActivity(request, this.logger, "request", "", false, "", this.config.logRequestLevel);
+      await this.sendEvent("request_logged", request, "logged", "Request logged");
+    }
+    return null;
+  }
+};
+
+// src/core/checks/implementations/request-size-content.ts
+var RequestSizeContentCheck = class extends SecurityCheck {
+  get checkName() {
+    return "request_size_content";
+  }
+  async check(request) {
+    const routeConfig = request.state["_routeConfig"];
+    if (!routeConfig) return null;
+    if (routeConfig.maxRequestSize !== null) {
+      const contentLength = parseInt(request.headers["content-length"] ?? "0", 10);
+      if (contentLength > routeConfig.maxRequestSize) {
+        if (this.isPassiveMode()) {
+          this.logger.info(`[PASSIVE] Request too large: ${contentLength} > ${routeConfig.maxRequestSize}`);
+          return null;
+        }
+        return this.createErrorResponse(413, "Request entity too large");
+      }
+    }
+    if (routeConfig.allowedContentTypes !== null) {
+      const contentType = request.headers["content-type"] ?? "";
+      if (contentType && !routeConfig.allowedContentTypes.some((t) => contentType.includes(t))) {
+        if (this.isPassiveMode()) {
+          this.logger.info(`[PASSIVE] Invalid content type: ${contentType}`);
+          return null;
+        }
+        return this.createErrorResponse(415, "Unsupported media type");
+      }
+    }
+    return null;
+  }
+};
+
+// src/core/checks/implementations/required-headers.ts
+var RequiredHeadersCheck = class extends SecurityCheck {
+  get checkName() {
+    return "required_headers";
+  }
+  async check(request) {
+    const routeConfig = request.state["_routeConfig"];
+    if (!routeConfig || Object.keys(routeConfig.requiredHeaders).length === 0) return null;
+    for (const [headerName, expectedValue] of Object.entries(routeConfig.requiredHeaders)) {
+      const actualValue = request.headers[headerName.toLowerCase()];
+      if (!actualValue || expectedValue && actualValue !== expectedValue) {
+        if (this.isPassiveMode()) {
+          this.logger.info(`[PASSIVE] Missing required header: ${headerName}`);
+          return null;
+        }
+        return this.createErrorResponse(400, `Missing or invalid required header: ${headerName}`);
+      }
+    }
+    return null;
+  }
+};
+
+// src/core/checks/helpers.ts
+var ipaddr5 = __toESM(require("ipaddr.js"), 1);
+function isIpInBlacklist(clientIp, blacklist) {
+  for (const blocked of blacklist) {
+    if (blocked.includes("/")) {
+      try {
+        const parsed = ipaddr5.parse(clientIp);
+        const [addr, prefixLen] = ipaddr5.parseCIDR(blocked);
+        if (parsed.kind() === addr.kind() && parsed.match([addr, prefixLen])) return true;
+      } catch {
+        continue;
+      }
+    } else if (clientIp === blocked) {
+      return true;
+    }
+  }
+  return false;
+}
+function isIpInWhitelist(clientIp, whitelist) {
+  if (whitelist.length === 0) return null;
+  for (const allowed of whitelist) {
+    if (allowed.includes("/")) {
+      try {
+        const parsed = ipaddr5.parse(clientIp);
+        const [addr, prefixLen] = ipaddr5.parseCIDR(allowed);
+        if (parsed.kind() === addr.kind() && parsed.match([addr, prefixLen])) return true;
+      } catch {
+        continue;
+      }
+    } else if (clientIp === allowed) {
+      return true;
+    }
+  }
+  return false;
+}
+function checkCountryAccess(clientIp, routeConfig, geoIpHandler) {
+  if (!geoIpHandler) return null;
+  let country = null;
+  if (routeConfig.blockedCountries && routeConfig.blockedCountries.length > 0) {
+    country = geoIpHandler.getCountry(clientIp);
+    if (country && routeConfig.blockedCountries.includes(country)) return false;
+  }
+  if (routeConfig.whitelistCountries && routeConfig.whitelistCountries.length > 0) {
+    if (country === null) country = geoIpHandler.getCountry(clientIp);
+    if (country) return routeConfig.whitelistCountries.includes(country);
+    return false;
+  }
+  return null;
+}
+async function checkRouteIpAccess(clientIp, routeConfig, middleware) {
+  try {
+    if (routeConfig.ipBlacklist && routeConfig.ipBlacklist.length > 0) {
+      if (isIpInBlacklist(clientIp, routeConfig.ipBlacklist)) return false;
+    }
+    if (routeConfig.ipWhitelist && routeConfig.ipWhitelist.length > 0) {
+      const whitelistResult = isIpInWhitelist(clientIp, routeConfig.ipWhitelist);
+      if (whitelistResult !== null) return whitelistResult;
+    }
+    const countryResult = checkCountryAccess(clientIp, routeConfig, middleware.geoIpHandler);
+    if (countryResult !== null) return countryResult;
+    return null;
+  } catch {
+    return false;
+  }
+}
+async function checkUserAgentAllowed(userAgent, routeConfig, config) {
+  if (routeConfig && routeConfig.blockedUserAgents.length > 0) {
+    for (const pattern of routeConfig.blockedUserAgents) {
+      if (new RegExp(pattern, "i").test(userAgent)) return false;
+    }
+  }
+  for (const pattern of config.blockedUserAgents) {
+    if (new RegExp(pattern, "i").test(userAgent)) return false;
+  }
+  return true;
+}
+function validateAuthHeader(authHeader, authType) {
+  if (authType === "bearer") {
+    if (!authHeader.startsWith("Bearer ")) return [false, "Missing or invalid Bearer token"];
+  } else if (authType === "basic") {
+    if (!authHeader.startsWith("Basic ")) return [false, "Missing or invalid Basic authentication"];
+  } else {
+    if (!authHeader) return [false, `Missing ${authType} authentication`];
+  }
+  return [true, ""];
+}
+function isReferrerDomainAllowed(referrer, allowedDomains) {
+  try {
+    const url = new URL(referrer);
+    const referrerDomain = url.hostname.toLowerCase();
+    for (const allowed of allowedDomains) {
+      const lowerAllowed = allowed.toLowerCase();
+      if (referrerDomain === lowerAllowed || referrerDomain.endsWith(`.${lowerAllowed}`)) {
+        return true;
+      }
+    }
+    return false;
+  } catch {
+    return false;
+  }
+}
+async function detectPenetrationPatterns(request, routeConfig, config, shouldBypassCheckFn) {
+  let penetrationEnabled = config.enablePenetrationDetection;
+  let routeSpecificDetection = null;
+  if (routeConfig) {
+    routeSpecificDetection = routeConfig.enableSuspiciousDetection;
+    penetrationEnabled = routeSpecificDetection;
+  }
+  if (penetrationEnabled && !shouldBypassCheckFn("penetration", routeConfig)) {
+    const { detectPenetrationAttempt: detectPenetrationAttempt2 } = await Promise.resolve().then(() => (init_utils(), utils_exports));
+    return detectPenetrationAttempt2(request);
+  }
+  const reason = routeSpecificDetection === false && config.enablePenetrationDetection ? "disabled_by_decorator" : "not_enabled";
+  return [false, reason];
+}
+
+// src/core/checks/implementations/authentication.ts
+var AuthenticationCheck = class extends SecurityCheck {
+  get checkName() {
+    return "authentication";
+  }
+  async check(request) {
+    const routeConfig = request.state["_routeConfig"];
+    if (!routeConfig) return null;
+    if (routeConfig.authRequired) {
+      const authHeader = request.headers["authorization"] ?? "";
+      const [isValid3, message] = validateAuthHeader(authHeader, routeConfig.authRequired);
+      if (!isValid3) {
+        if (this.isPassiveMode()) {
+          this.logger.info(`[PASSIVE] Auth failed: ${message}`);
+          return null;
+        }
+        await this.sendEvent("authentication_failed", request, "request_blocked", message);
+        return this.createErrorResponse(401, message);
+      }
+    }
+    if (routeConfig.apiKeyRequired) {
+      const apiKey = request.headers["x-api-key"] ?? "";
+      if (!apiKey) {
+        if (this.isPassiveMode()) {
+          this.logger.info("[PASSIVE] Missing API key");
+          return null;
+        }
+        return this.createErrorResponse(401, "API key required");
+      }
+    }
+    return null;
+  }
+};
+
+// src/core/checks/implementations/referrer.ts
+var ReferrerCheck = class extends SecurityCheck {
+  get checkName() {
+    return "referrer";
+  }
+  async check(request) {
+    const routeConfig = request.state["_routeConfig"];
+    if (!routeConfig?.requireReferrer || routeConfig.requireReferrer.length === 0) return null;
+    const referrer = request.headers["referer"] ?? request.headers["referrer"] ?? "";
+    if (!referrer || !isReferrerDomainAllowed(referrer, routeConfig.requireReferrer)) {
+      if (this.isPassiveMode()) {
+        this.logger.info(`[PASSIVE] Invalid referrer: ${referrer}`);
+        return null;
+      }
+      return this.createErrorResponse(403, "Invalid referrer");
+    }
+    return null;
+  }
+};
+
+// src/core/checks/implementations/custom-validators.ts
+var CustomValidatorsCheck = class extends SecurityCheck {
+  get checkName() {
+    return "custom_validators";
+  }
+  async check(request) {
+    const routeConfig = request.state["_routeConfig"];
+    if (!routeConfig || routeConfig.customValidators.length === 0) return null;
+    for (const validator of routeConfig.customValidators) {
+      const response = await validator(request);
+      if (response !== null) return response;
+    }
+    return null;
+  }
+};
+
+// src/core/checks/implementations/time-window.ts
+var TimeWindowCheck = class extends SecurityCheck {
+  validator;
+  constructor(middleware, validator) {
+    super(middleware);
+    this.validator = validator;
+  }
+  get checkName() {
+    return "time_window";
+  }
+  async check(request) {
+    const routeConfig = request.state["_routeConfig"];
+    if (!routeConfig?.timeRestrictions) return null;
+    const withinWindow = await this.validator.checkTimeWindow(routeConfig.timeRestrictions);
+    if (!withinWindow) {
+      if (this.isPassiveMode()) {
+        this.logger.info("[PASSIVE] Request outside time window");
+        return null;
+      }
+      return this.createErrorResponse(403, "Access denied: outside allowed time window");
+    }
+    return null;
+  }
+};
+
+// src/core/checks/implementations/cloud-ip-refresh.ts
+var CloudIpRefreshCheck = class extends SecurityCheck {
+  get checkName() {
+    return "cloud_ip_refresh";
+  }
+  async check(_request) {
+    if (this.config.blockCloudProviders.size === 0) return null;
+    const now = Date.now() / 1e3;
+    const elapsed = now - this.middleware.lastCloudIpRefresh;
+    if (elapsed >= this.config.cloudIpRefreshInterval) {
+      this.middleware.lastCloudIpRefresh = now;
+      try {
+        await this.middleware.refreshCloudIpRanges();
+      } catch (e) {
+        this.logger.error(`Cloud IP refresh failed: ${e}`);
+      }
+    }
+    return null;
+  }
+};
+
+// src/core/checks/implementations/ip-security.ts
+init_utils();
+var IpSecurityCheck = class extends SecurityCheck {
+  get checkName() {
+    return "ip_security";
+  }
+  async check(request) {
+    const clientIp = request.clientHost;
+    if (!clientIp) return null;
+    const ipBanHandler = this.middleware.rateLimitHandler;
+    const routeConfig = request.state["_routeConfig"];
+    if (routeConfig) {
+      const routeResult = await checkRouteIpAccess(clientIp, routeConfig, this.middleware);
+      if (routeResult === false) {
+        if (this.isPassiveMode()) {
+          this.logger.info(`[PASSIVE] IP blocked by route config: ${clientIp}`);
+          return null;
+        }
+        await this.sendEvent("ip_blocked", request, "request_blocked", `IP ${clientIp} blocked by route config`);
+        return this.createErrorResponse(403, "Access denied");
+      }
+    }
+    const allowed = await isIpAllowed(clientIp, this.config, this.middleware.geoIpHandler);
+    if (!allowed) {
+      if (this.isPassiveMode()) {
+        this.logger.info(`[PASSIVE] IP not allowed: ${clientIp}`);
+        return null;
+      }
+      await this.sendEvent("ip_blocked", request, "request_blocked", `IP ${clientIp} not allowed`);
+      return this.createErrorResponse(403, "Access denied");
+    }
+    return null;
+  }
+};
+
+// src/core/checks/implementations/cloud-provider.ts
+var CloudProviderCheck = class extends SecurityCheck {
+  get checkName() {
+    return "cloud_provider";
+  }
+  async check(request) {
+    const clientIp = request.clientHost;
+    if (!clientIp) return null;
+    const routeConfig = request.state["_routeConfig"];
+    const resolver = this.middleware.routeResolver;
+    const providers = resolver.getCloudProvidersToCheck(routeConfig ?? null);
+    if (!providers || providers.length === 0) return null;
+    const { CloudHandler: CloudHandler2 } = await Promise.resolve().then(() => (init_cloud(), cloud_exports));
+    return null;
+  }
+};
+
+// src/core/checks/implementations/user-agent.ts
+var UserAgentCheck = class extends SecurityCheck {
+  get checkName() {
+    return "user_agent";
+  }
+  async check(request) {
+    const userAgent = request.headers["user-agent"] ?? "";
+    if (!userAgent) return null;
+    const routeConfig = request.state["_routeConfig"];
+    const allowed = await checkUserAgentAllowed(userAgent, routeConfig ?? null, this.config);
+    if (!allowed) {
+      if (this.isPassiveMode()) {
+        this.logger.info(`[PASSIVE] Blocked user agent: ${userAgent}`);
+        return null;
+      }
+      await this.sendEvent("ua_blocked", request, "request_blocked", `Blocked user agent: ${userAgent}`);
+      return this.createErrorResponse(403, "Access denied");
+    }
+    return null;
+  }
+};
+
+// src/core/checks/implementations/rate-limit.ts
+var RateLimitCheck = class extends SecurityCheck {
+  get checkName() {
+    return "rate_limit";
+  }
+  async check(request) {
+    if (!this.config.enableRateLimiting) return null;
+    const clientIp = request.clientHost;
+    if (!clientIp) return null;
+    const rateLimitHandler = this.middleware.rateLimitHandler;
+    const routeConfig = request.state["_routeConfig"];
+    const createError = this.createErrorResponse.bind(this);
+    if (routeConfig?.rateLimit !== null && routeConfig?.rateLimit !== void 0) {
+      const response2 = await rateLimitHandler.checkRateLimit(
+        request,
+        clientIp,
+        createError,
+        request.urlPath,
+        routeConfig.rateLimit,
+        routeConfig.rateLimitWindow ?? this.config.rateLimitWindow
+      );
+      if (response2) {
+        if (this.isPassiveMode()) {
+          this.logger.info(`[PASSIVE] Route rate limit exceeded for ${clientIp}`);
+          return null;
+        }
+        return response2;
+      }
+    }
+    const endpointLimit = this.config.endpointRateLimits[request.urlPath];
+    if (endpointLimit) {
+      const [limit, window] = endpointLimit;
+      const response2 = await rateLimitHandler.checkRateLimit(
+        request,
+        clientIp,
+        createError,
+        request.urlPath,
+        limit,
+        window
+      );
+      if (response2) {
+        if (this.isPassiveMode()) {
+          this.logger.info(`[PASSIVE] Endpoint rate limit exceeded for ${clientIp}`);
+          return null;
+        }
+        return response2;
+      }
+    }
+    const response = await rateLimitHandler.checkRateLimit(
+      request,
+      clientIp,
+      createError,
+      null,
+      this.config.rateLimit,
+      this.config.rateLimitWindow
+    );
+    if (response) {
+      if (this.isPassiveMode()) {
+        this.logger.info(`[PASSIVE] Global rate limit exceeded for ${clientIp}`);
+        return null;
+      }
+      return response;
+    }
+    return null;
+  }
+};
+
+// src/core/checks/implementations/suspicious-activity.ts
+init_utils();
+var SuspiciousActivityCheck = class extends SecurityCheck {
+  get checkName() {
+    return "suspicious_activity";
+  }
+  async check(request) {
+    if (!this.config.enablePenetrationDetection) return null;
+    const clientIp = request.clientHost;
+    if (!clientIp) return null;
+    const routeConfig = request.state["_routeConfig"];
+    const resolver = this.middleware.routeResolver;
+    const [isThreat, triggerInfo] = await detectPenetrationPatterns(
+      request,
+      routeConfig ?? null,
+      this.config,
+      (check, rc) => resolver.shouldBypassCheck(check, rc)
+    );
+    if (!isThreat) return null;
+    const counts = this.middleware.suspiciousRequestCounts;
+    const currentCount = (counts.get(clientIp) ?? 0) + 1;
+    counts.set(clientIp, currentCount);
+    logActivity(
+      request,
+      this.logger,
+      "suspicious",
+      "Suspicious activity detected",
+      this.config.passiveMode,
+      triggerInfo,
+      this.config.logSuspiciousLevel
+    );
+    await this.sendEvent(
+      "penetration_attempt",
+      request,
+      "request_blocked",
+      `Suspicious activity: ${triggerInfo}`,
+      { triggerInfo, requestCount: currentCount }
+    );
+    if (this.isPassiveMode()) return null;
+    return this.createErrorResponse(403, "Suspicious activity detected");
+  }
+};
+
+// src/core/checks/implementations/custom-request.ts
+var CustomRequestCheck = class extends SecurityCheck {
+  get checkName() {
+    return "custom_request";
+  }
+  async check(request) {
+    if (!this.config.customRequestCheck) return null;
+    return this.config.customRequestCheck(request);
+  }
+};
+
+// src/middleware-support.ts
+async function initializeSecurityMiddleware(config, logger, guardResponseFactory, agentHandler, geoIpHandler, guardDecorator) {
+  const initializer = new HandlerInitializer(
+    config,
+    logger,
+    agentHandler ?? null,
+    geoIpHandler ?? null,
+    guardDecorator ?? null
+  );
+  const registry = await initializer.initialize();
+  const eventBus = new SecurityEventBus(
+    agentHandler ?? null,
+    config,
+    logger,
+    registry.geoIpHandler
+  );
+  const metricsCollector = new MetricsCollector(
+    agentHandler ?? null,
+    config,
+    logger
+  );
+  const validator = new RequestValidator(config, logger, eventBus);
+  const routeResolver = new RouteConfigResolver(config);
+  if (guardDecorator) routeResolver.setGuardDecorator(guardDecorator);
+  const errorResponseFactory = new ErrorResponseFactory(
+    config,
+    logger,
+    metricsCollector,
+    guardResponseFactory,
+    registry.securityHeadersHandler,
+    agentHandler ?? null
+  );
+  const bypassHandler = new BypassHandler(
+    config,
+    eventBus,
+    routeResolver,
+    errorResponseFactory,
+    validator
+  );
+  const behavioralProcessor = new BehavioralProcessor(logger, eventBus);
+  if (guardDecorator) {
+    behavioralProcessor.setGuardDecorator(
+      guardDecorator
+    );
+  }
+  const middlewareProtocol = {
+    get config() {
+      return config;
+    },
+    get logger() {
+      return logger;
+    },
+    lastCloudIpRefresh: 0,
+    suspiciousRequestCounts: /* @__PURE__ */ new Map(),
+    get eventBus() {
+      return eventBus;
+    },
+    get routeResolver() {
+      return routeResolver;
+    },
+    get responseFactory() {
+      return errorResponseFactory;
+    },
+    get rateLimitHandler() {
+      return registry.rateLimitHandler;
+    },
+    get agentHandler() {
+      return agentHandler ?? null;
+    },
+    get geoIpHandler() {
+      return registry.geoIpHandler ?? null;
+    },
+    get guardResponseFactory() {
+      return guardResponseFactory;
+    },
+    async createErrorResponse(statusCode, message) {
+      return errorResponseFactory.createErrorResponse(statusCode, message);
+    },
+    async refreshCloudIpRanges() {
+      if (registry.cloudHandler && config.blockCloudProviders.size > 0) {
+        await registry.cloudHandler.refreshAsync(config.blockCloudProviders);
+      }
+    }
+  };
+  const pipeline = new SecurityCheckPipeline([
+    new RouteConfigCheck(middlewareProtocol),
+    new EmergencyModeCheck(middlewareProtocol),
+    new HttpsEnforcementCheck(middlewareProtocol, validator, errorResponseFactory),
+    new RequestLoggingCheck(middlewareProtocol),
+    new RequestSizeContentCheck(middlewareProtocol),
+    new RequiredHeadersCheck(middlewareProtocol),
+    new AuthenticationCheck(middlewareProtocol),
+    new ReferrerCheck(middlewareProtocol),
+    new CustomValidatorsCheck(middlewareProtocol),
+    new TimeWindowCheck(middlewareProtocol, validator),
+    new CloudIpRefreshCheck(middlewareProtocol),
+    new IpSecurityCheck(middlewareProtocol),
+    new CloudProviderCheck(middlewareProtocol),
+    new UserAgentCheck(middlewareProtocol),
+    new RateLimitCheck(middlewareProtocol),
+    new SuspiciousActivityCheck(middlewareProtocol),
+    new CustomRequestCheck(middlewareProtocol)
+  ], logger);
+  return {
+    registry,
+    pipeline,
+    eventBus,
+    metricsCollector,
+    validator,
+    routeResolver,
+    bypassHandler,
+    errorResponseFactory,
+    behavioralProcessor,
+    middlewareProtocol
+  };
+}
+
+// src/decorators/base.ts
+var routeIdMap = /* @__PURE__ */ new WeakMap();
+var routeIdCounter = 0;
+var BaseSecurityDecorator = class {
+  routeConfigs = /* @__PURE__ */ new Map();
+  behaviorTracker;
+  agentHandler = null;
+  config;
+  logger;
+  constructor(config, logger) {
+    this.config = config;
+    this.logger = logger ?? defaultLogger;
+    this.behaviorTracker = new BehaviorTracker(config, this.logger);
+  }
+  getRouteConfig(routeId) {
+    return this.routeConfigs.get(routeId);
+  }
+  ensureRouteConfig(fn) {
+    const id = this.getRouteId(fn);
+    if (!this.routeConfigs.has(id)) {
+      const rc = new RouteConfig();
+      rc.enableSuspiciousDetection = this.config.enablePenetrationDetection;
+      this.routeConfigs.set(id, rc);
+    }
+    return this.routeConfigs.get(id);
+  }
+  applyRouteConfig(fn) {
+    fn["_guardRouteId"] = this.getRouteId(fn);
+    return fn;
+  }
+  getRouteId(fn) {
+    if (!routeIdMap.has(fn)) {
+      routeIdMap.set(fn, `guard_route_${++routeIdCounter}`);
+    }
+    return routeIdMap.get(fn);
+  }
+  async initializeBehaviorTracking(redisHandler) {
+    if (redisHandler) await this.behaviorTracker.initializeRedis(redisHandler);
+  }
+  async initializeAgent(agentHandler) {
+    this.agentHandler = agentHandler;
+    await this.behaviorTracker.initializeAgent(agentHandler);
+  }
+  async sendDecoratorEvent(eventType, _request, actionTaken, reason, decoratorType, meta) {
+    if (!this.agentHandler) return;
+    try {
+      await this.agentHandler.sendEvent({
+        timestamp: /* @__PURE__ */ new Date(),
+        eventType,
+        actionTaken,
+        reason,
+        decoratorType,
+        metadata: meta ?? {}
+      });
+    } catch {
+    }
+  }
+  async sendAccessDeniedEvent(request, reason, decoratorType, meta) {
+    await this.sendDecoratorEvent("access_denied", request, "request_blocked", reason, decoratorType, meta);
+  }
+  async sendAuthenticationFailedEvent(request, reason, authType, meta) {
+    await this.sendDecoratorEvent("authentication_failed", request, "request_blocked", reason, "authentication", { authType, ...meta });
+  }
+  async sendRateLimitEvent(request, limit, window, meta) {
+    await this.sendDecoratorEvent("rate_limit_exceeded", request, "request_blocked", `Rate limit ${limit}/${window}s exceeded`, "rate_limit", { limit, window, ...meta });
+  }
+  async sendDecoratorViolationEvent(request, violationType, reason, meta) {
+    await this.sendDecoratorEvent("decorator_violation", request, "request_blocked", reason, violationType, meta);
+  }
+};
+function getRouteDecoratorConfig(request, decoratorHandler) {
+  const routeId = request.state.guardRouteId;
+  if (!routeId || typeof routeId !== "string") return void 0;
+  return decoratorHandler.getRouteConfig(routeId);
+}
+
+// src/decorators/access-control.ts
+function AccessControl(Base) {
+  return class extends Base {
+    requireIp(whitelist, blacklist) {
+      return (fn) => {
+        const rc = this.ensureRouteConfig(fn);
+        if (whitelist) rc.ipWhitelist = whitelist;
+        if (blacklist) rc.ipBlacklist = blacklist;
+        return this.applyRouteConfig(fn);
+      };
+    }
+    blockCountries(countries) {
+      return (fn) => {
+        const rc = this.ensureRouteConfig(fn);
+        rc.blockedCountries = countries;
+        return this.applyRouteConfig(fn);
+      };
+    }
+    allowCountries(countries) {
+      return (fn) => {
+        const rc = this.ensureRouteConfig(fn);
+        rc.whitelistCountries = countries;
+        return this.applyRouteConfig(fn);
+      };
+    }
+    blockClouds(providers) {
+      return (fn) => {
+        const rc = this.ensureRouteConfig(fn);
+        rc.blockCloudProviders = new Set(providers ?? ["AWS", "GCP", "Azure"]);
+        return this.applyRouteConfig(fn);
+      };
+    }
+    bypass(checks) {
+      return (fn) => {
+        const rc = this.ensureRouteConfig(fn);
+        for (const check of checks) rc.bypassedChecks.add(check);
+        return this.applyRouteConfig(fn);
+      };
+    }
+  };
+}
+
+// src/decorators/rate-limiting.ts
+function RateLimiting(Base) {
+  return class extends Base {
+    rateLimit(requests, window = 60) {
+      return (fn) => {
+        const rc = this.ensureRouteConfig(fn);
+        rc.rateLimit = requests;
+        rc.rateLimitWindow = window;
+        return this.applyRouteConfig(fn);
+      };
+    }
+    geoRateLimit(limits) {
+      return (fn) => {
+        const rc = this.ensureRouteConfig(fn);
+        rc.geoRateLimits = limits;
+        return this.applyRouteConfig(fn);
+      };
+    }
+  };
+}
+
+// src/decorators/authentication.ts
+function Authentication(Base) {
+  return class extends Base {
+    requireHttps() {
+      return (fn) => {
+        const rc = this.ensureRouteConfig(fn);
+        rc.requireHttps = true;
+        return this.applyRouteConfig(fn);
+      };
+    }
+    requireAuth(type = "bearer") {
+      return (fn) => {
+        const rc = this.ensureRouteConfig(fn);
+        rc.authRequired = type;
+        return this.applyRouteConfig(fn);
+      };
+    }
+    apiKeyAuth(headerName = "X-API-Key") {
+      return (fn) => {
+        const rc = this.ensureRouteConfig(fn);
+        rc.apiKeyRequired = true;
+        rc.requiredHeaders[headerName] = "";
+        return this.applyRouteConfig(fn);
+      };
+    }
+    requireHeaders(headers) {
+      return (fn) => {
+        const rc = this.ensureRouteConfig(fn);
+        Object.assign(rc.requiredHeaders, headers);
+        return this.applyRouteConfig(fn);
+      };
+    }
+  };
+}
+
+// src/decorators/content-filtering.ts
+function ContentFiltering(Base) {
+  return class extends Base {
+    blockUserAgents(patterns) {
+      return (fn) => {
+        const rc = this.ensureRouteConfig(fn);
+        rc.blockedUserAgents.push(...patterns);
+        return this.applyRouteConfig(fn);
+      };
+    }
+    contentTypeFilter(allowedTypes) {
+      return (fn) => {
+        const rc = this.ensureRouteConfig(fn);
+        rc.allowedContentTypes = allowedTypes;
+        return this.applyRouteConfig(fn);
+      };
+    }
+    maxRequestSize(sizeBytes) {
+      return (fn) => {
+        const rc = this.ensureRouteConfig(fn);
+        rc.maxRequestSize = sizeBytes;
+        return this.applyRouteConfig(fn);
+      };
+    }
+    requireReferrer(allowedDomains) {
+      return (fn) => {
+        const rc = this.ensureRouteConfig(fn);
+        rc.requireReferrer = allowedDomains;
+        return this.applyRouteConfig(fn);
+      };
+    }
+    customValidation(validator) {
+      return (fn) => {
+        const rc = this.ensureRouteConfig(fn);
+        rc.customValidators.push(validator);
+        return this.applyRouteConfig(fn);
+      };
+    }
+  };
+}
+
+// src/decorators/behavioral.ts
+function Behavioral(Base) {
+  return class extends Base {
+    usageMonitor(maxCalls, window = 3600, action = "ban") {
+      return (fn) => {
+        const rc = this.ensureRouteConfig(fn);
+        rc.behaviorRules.push(new BehaviorRule("usage", maxCalls, window, null, action));
+        return this.applyRouteConfig(fn);
+      };
+    }
+    returnMonitor(pattern, maxOccurrences, window = 86400, action = "ban") {
+      return (fn) => {
+        const rc = this.ensureRouteConfig(fn);
+        rc.behaviorRules.push(new BehaviorRule("return_pattern", maxOccurrences, window, pattern, action));
+        return this.applyRouteConfig(fn);
+      };
+    }
+    behaviorAnalysis(rules) {
+      return (fn) => {
+        const rc = this.ensureRouteConfig(fn);
+        rc.behaviorRules.push(...rules);
+        return this.applyRouteConfig(fn);
+      };
+    }
+    suspiciousFrequency(maxFrequency, window = 300, action = "ban") {
+      return (fn) => {
+        const rc = this.ensureRouteConfig(fn);
+        rc.behaviorRules.push(new BehaviorRule("frequency", maxFrequency, window, null, action));
+        return this.applyRouteConfig(fn);
+      };
+    }
+  };
+}
+
+// src/decorators/advanced.ts
+function Advanced(Base) {
+  return class extends Base {
+    timeWindow(startTime, endTime, _timezone = "UTC") {
+      return (fn) => {
+        const rc = this.ensureRouteConfig(fn);
+        rc.timeRestrictions = { start: startTime, end: endTime };
+        return this.applyRouteConfig(fn);
+      };
+    }
+    suspiciousDetection(enabled = true) {
+      return (fn) => {
+        const rc = this.ensureRouteConfig(fn);
+        rc.enableSuspiciousDetection = enabled;
+        return this.applyRouteConfig(fn);
+      };
+    }
+    honeypotDetection(trapFields) {
+      return (fn) => {
+        const rc = this.ensureRouteConfig(fn);
+        rc.customValidators.push(async (request) => {
+          try {
+            const bodyBytes = await request.body();
+            if (bodyBytes.length === 0) return null;
+            const bodyText = new TextDecoder().decode(bodyBytes);
+            let data = {};
+            const contentType = request.headers["content-type"] ?? "";
+            if (contentType.includes("json")) {
+              data = JSON.parse(bodyText);
+            } else if (contentType.includes("form")) {
+              for (const pair of bodyText.split("&")) {
+                const [key, value] = pair.split("=");
+                if (key && value) data[decodeURIComponent(key)] = decodeURIComponent(value);
+              }
+            }
+            for (const field of trapFields) {
+              if (data[field] !== void 0 && data[field] !== "" && data[field] !== null) {
+                return {
+                  statusCode: 403,
+                  headers: {},
+                  setHeader() {
+                  },
+                  body: new TextEncoder().encode("Forbidden"),
+                  bodyText: "Forbidden"
+                };
+              }
+            }
+          } catch {
+          }
+          return null;
+        });
+        return this.applyRouteConfig(fn);
+      };
+    }
+  };
+}
+
+// src/decorators/index.ts
+var SecurityDecorator = Advanced(
+  ContentFiltering(
+    Behavioral(
+      Authentication(
+        RateLimiting(
+          AccessControl(
+            BaseSecurityDecorator
+          )
+        )
+      )
+    )
+  )
+);
+
+// src/index.ts
+init_utils();
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  BaseSecurityDecorator,
+  BehaviorRule,
+  BehavioralProcessor,
+  BypassHandler,
+  ContentPreprocessor,
+  DynamicRulesSchema,
+  ErrorResponseFactory,
+  MetricsCollector,
+  PatternCompiler,
+  PerformanceMonitor,
+  RequestValidator,
+  RouteConfig,
+  RouteConfigResolver,
+  SecurityCheckPipeline,
+  SecurityConfigSchema,
+  SecurityDecorator,
+  SecurityEventBus,
+  SemanticAnalyzer,
+  checkIpCountry,
+  defaultLogger,
+  detectPenetrationAttempt,
+  extractClientIp,
+  getRouteDecoratorConfig,
+  initializeSecurityMiddleware,
+  isIpAllowed,
+  isUserAgentAllowed,
+  logActivity,
+  sanitizeForLog,
+  sendAgentEvent
+});
+//# sourceMappingURL=index.cjs.map