@guardcore/core 1.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (21) hide show
  1. package/dist/chunk-4HBVN5N7.js +256 -0
  2. package/dist/chunk-4HBVN5N7.js.map +1 -0
  3. package/dist/chunk-DGUM43GV.js +11 -0
  4. package/dist/chunk-DGUM43GV.js.map +1 -0
  5. package/dist/chunk-I634N6VV.js +1099 -0
  6. package/dist/chunk-I634N6VV.js.map +1 -0
  7. package/dist/chunk-LK7N5CAQ.js +132 -0
  8. package/dist/chunk-LK7N5CAQ.js.map +1 -0
  9. package/dist/cloud-46J7XK7I.js +8 -0
  10. package/dist/cloud-46J7XK7I.js.map +1 -0
  11. package/dist/index.cjs +4120 -0
  12. package/dist/index.cjs.map +1 -0
  13. package/dist/index.d.cts +898 -0
  14. package/dist/index.d.ts +898 -0
  15. package/dist/index.js +2533 -0
  16. package/dist/index.js.map +1 -0
  17. package/dist/sus-patterns-YZFPGJEF.js +8 -0
  18. package/dist/sus-patterns-YZFPGJEF.js.map +1 -0
  19. package/dist/utils-5L6SNIYK.js +22 -0
  20. package/dist/utils-5L6SNIYK.js.map +1 -0
  21. package/package.json +76 -0
package/dist/index.d.cts ADDED
@@ -0,0 +1,898 @@
1
+ import { z } from 'zod';
2
+
3
+ interface RedisHandlerProtocol {
4
+ getKey(namespace: string, key: string): Promise<unknown>;
5
+ setKey(namespace: string, key: string, value: unknown, ttl?: number | null): Promise<boolean | null>;
6
+ delete(namespace: string, key: string): Promise<number | null>;
7
+ keys(pattern: string): Promise<string[] | null>;
8
+ initialize(): Promise<void>;
9
+ getConnection(): AsyncDisposable;
10
+ }
11
+
12
+ interface AgentHandlerProtocol {
13
+ initializeRedis(redisHandler: RedisHandlerProtocol): Promise<void>;
14
+ sendEvent(event: unknown): Promise<void>;
15
+ sendMetric(metric: unknown): Promise<void>;
16
+ start(): Promise<void>;
17
+ stop(): Promise<void>;
18
+ flushBuffer(): Promise<void>;
19
+ getDynamicRules(): Promise<unknown | null>;
20
+ healthCheck(): Promise<boolean>;
21
+ }
22
+
23
+ interface GeoIPHandler {
24
+ readonly isInitialized: boolean;
25
+ initialize(): Promise<void>;
26
+ initializeRedis(redisHandler: RedisHandlerProtocol): Promise<void>;
27
+ initializeAgent(agentHandler: AgentHandlerProtocol): Promise<void>;
28
+ getCountry(ip: string): string | null;
29
+ }
30
+
31
+ interface GuardRequestState {
32
+ guardRouteId?: string;
33
+ guardEndpointId?: string;
34
+ guardDecorator?: unknown;
35
+ [key: string]: unknown;
36
+ }
37
+ interface GuardRequest {
38
+ readonly urlPath: string;
39
+ readonly urlScheme: string;
40
+ readonly urlFull: string;
41
+ urlReplaceScheme(scheme: string): string;
42
+ readonly method: string;
43
+ readonly clientHost: string | null;
44
+ readonly headers: Readonly<Record<string, string>>;
45
+ readonly queryParams: Readonly<Record<string, string>>;
46
+ body(): Promise<Uint8Array>;
47
+ readonly state: GuardRequestState;
48
+ readonly scope: Readonly<Record<string, unknown>>;
49
+ }
50
+
51
+ interface GuardResponse {
52
+ readonly statusCode: number;
53
+ readonly headers: Record<string, string>;
54
+ setHeader(name: string, value: string): void;
55
+ readonly body: Uint8Array | null;
56
+ readonly bodyText: string | null;
57
+ }
58
+ interface GuardResponseFactory {
59
+ createResponse(content: string, statusCode: number): GuardResponse;
60
+ createRedirectResponse(url: string, statusCode: number): GuardResponse;
61
+ }
62
+
63
+ interface Logger {
64
+ info(message: string, ...args: unknown[]): void;
65
+ warn(message: string, ...args: unknown[]): void;
66
+ error(message: string, ...args: unknown[]): void;
67
+ debug(message: string, ...args: unknown[]): void;
68
+ }
69
+ declare const defaultLogger: Logger;
70
+
71
+ declare const SecurityConfigSchema: z.ZodObject<{
72
+ trustedProxies: z.ZodDefault<z.ZodArray<z.ZodString>>;
73
+ trustedProxyDepth: z.ZodDefault<z.ZodNumber>;
74
+ trustXForwardedProto: z.ZodDefault<z.ZodBoolean>;
75
+ passiveMode: z.ZodDefault<z.ZodBoolean>;
76
+ geoIpHandler: z.ZodOptional<z.ZodCustom<GeoIPHandler, GeoIPHandler>>;
77
+ geoResolver: z.ZodOptional<z.ZodCustom<(ip: string) => string | null, (ip: string) => string | null>>;
78
+ enableRedis: z.ZodDefault<z.ZodBoolean>;
79
+ redisUrl: z.ZodDefault<z.ZodString>;
80
+ redisPrefix: z.ZodDefault<z.ZodString>;
81
+ whitelist: z.ZodDefault<z.ZodNullable<z.ZodArray<z.ZodString>>>;
82
+ blacklist: z.ZodDefault<z.ZodArray<z.ZodString>>;
83
+ whitelistCountries: z.ZodDefault<z.ZodArray<z.ZodString>>;
84
+ blockedCountries: z.ZodDefault<z.ZodArray<z.ZodString>>;
85
+ blockedUserAgents: z.ZodDefault<z.ZodArray<z.ZodString>>;
86
+ autoBanThreshold: z.ZodDefault<z.ZodNumber>;
87
+ autoBanDuration: z.ZodDefault<z.ZodNumber>;
88
+ logger: z.ZodOptional<z.ZodCustom<Logger, Logger>>;
89
+ customLogFile: z.ZodDefault<z.ZodNullable<z.ZodString>>;
90
+ logSuspiciousLevel: z.ZodDefault<z.ZodNullable<z.ZodEnum<{
91
+ INFO: "INFO";
92
+ DEBUG: "DEBUG";
93
+ WARNING: "WARNING";
94
+ ERROR: "ERROR";
95
+ CRITICAL: "CRITICAL";
96
+ }>>>;
97
+ logRequestLevel: z.ZodDefault<z.ZodNullable<z.ZodEnum<{
98
+ INFO: "INFO";
99
+ DEBUG: "DEBUG";
100
+ WARNING: "WARNING";
101
+ ERROR: "ERROR";
102
+ CRITICAL: "CRITICAL";
103
+ }>>>;
104
+ logFormat: z.ZodDefault<z.ZodEnum<{
105
+ text: "text";
106
+ json: "json";
107
+ }>>;
108
+ customErrorResponses: z.ZodDefault<z.ZodRecord<z.ZodCoercedNumber<unknown>, z.ZodString>>;
109
+ rateLimit: z.ZodDefault<z.ZodNumber>;
110
+ rateLimitWindow: z.ZodDefault<z.ZodNumber>;
111
+ enforceHttps: z.ZodDefault<z.ZodBoolean>;
112
+ securityHeaders: z.ZodDefault<z.ZodNullable<z.ZodObject<{
113
+ enabled: z.ZodDefault<z.ZodBoolean>;
114
+ hsts: z.ZodOptional<z.ZodObject<{
115
+ maxAge: z.ZodDefault<z.ZodNumber>;
116
+ includeSubdomains: z.ZodDefault<z.ZodBoolean>;
117
+ preload: z.ZodDefault<z.ZodBoolean>;
118
+ }, z.core.$strip>>;
119
+ csp: z.ZodDefault<z.ZodNullable<z.ZodRecord<z.ZodString, z.ZodArray<z.ZodString>>>>;
120
+ frameOptions: z.ZodDefault<z.ZodEnum<{
121
+ DENY: "DENY";
122
+ SAMEORIGIN: "SAMEORIGIN";
123
+ }>>;
124
+ contentTypeOptions: z.ZodDefault<z.ZodString>;
125
+ xssProtection: z.ZodDefault<z.ZodString>;
126
+ referrerPolicy: z.ZodDefault<z.ZodString>;
127
+ permissionsPolicy: z.ZodDefault<z.ZodString>;
128
+ custom: z.ZodDefault<z.ZodNullable<z.ZodRecord<z.ZodString, z.ZodString>>>;
129
+ }, z.core.$strip>>>;
130
+ customRequestCheck: z.ZodOptional<z.ZodCustom<(req: GuardRequest) => Promise<GuardResponse | null>, (req: GuardRequest) => Promise<GuardResponse | null>>>;
131
+ customResponseModifier: z.ZodOptional<z.ZodCustom<(res: GuardResponse) => Promise<GuardResponse>, (res: GuardResponse) => Promise<GuardResponse>>>;
132
+ enableCors: z.ZodDefault<z.ZodBoolean>;
133
+ corsAllowOrigins: z.ZodDefault<z.ZodArray<z.ZodString>>;
134
+ corsAllowMethods: z.ZodDefault<z.ZodArray<z.ZodString>>;
135
+ corsAllowHeaders: z.ZodDefault<z.ZodArray<z.ZodString>>;
136
+ corsAllowCredentials: z.ZodDefault<z.ZodBoolean>;
137
+ corsExposeHeaders: z.ZodDefault<z.ZodArray<z.ZodString>>;
138
+ corsMaxAge: z.ZodDefault<z.ZodNumber>;
139
+ blockCloudProviders: z.ZodPipe<z.ZodDefault<z.ZodArray<z.ZodEnum<{
140
+ AWS: "AWS";
141
+ GCP: "GCP";
142
+ Azure: "Azure";
143
+ }>>>, z.ZodTransform<Set<"AWS" | "GCP" | "Azure">, ("AWS" | "GCP" | "Azure")[]>>;
144
+ cloudIpRefreshInterval: z.ZodDefault<z.ZodNumber>;
145
+ excludePaths: z.ZodDefault<z.ZodArray<z.ZodString>>;
146
+ enableIpBanning: z.ZodDefault<z.ZodBoolean>;
147
+ enableRateLimiting: z.ZodDefault<z.ZodBoolean>;
148
+ enablePenetrationDetection: z.ZodDefault<z.ZodBoolean>;
149
+ emergencyMode: z.ZodDefault<z.ZodBoolean>;
150
+ emergencyWhitelist: z.ZodDefault<z.ZodArray<z.ZodString>>;
151
+ endpointRateLimits: z.ZodDefault<z.ZodRecord<z.ZodString, z.ZodTuple<[z.ZodNumber, z.ZodNumber], null>>>;
152
+ detectionCompilerTimeout: z.ZodDefault<z.ZodNumber>;
153
+ detectionMaxContentLength: z.ZodDefault<z.ZodNumber>;
154
+ detectionPreserveAttackPatterns: z.ZodDefault<z.ZodBoolean>;
155
+ detectionSemanticThreshold: z.ZodDefault<z.ZodNumber>;
156
+ detectionAnomalyThreshold: z.ZodDefault<z.ZodNumber>;
157
+ detectionSlowPatternThreshold: z.ZodDefault<z.ZodNumber>;
158
+ detectionMonitorHistorySize: z.ZodDefault<z.ZodNumber>;
159
+ detectionMaxTrackedPatterns: z.ZodDefault<z.ZodNumber>;
160
+ enableAgent: z.ZodDefault<z.ZodBoolean>;
161
+ agentApiKey: z.ZodDefault<z.ZodNullable<z.ZodString>>;
162
+ agentEndpoint: z.ZodDefault<z.ZodString>;
163
+ agentProjectId: z.ZodDefault<z.ZodNullable<z.ZodString>>;
164
+ agentBufferSize: z.ZodDefault<z.ZodNumber>;
165
+ agentFlushInterval: z.ZodDefault<z.ZodNumber>;
166
+ agentEnableEvents: z.ZodDefault<z.ZodBoolean>;
167
+ agentEnableMetrics: z.ZodDefault<z.ZodBoolean>;
168
+ agentTimeout: z.ZodDefault<z.ZodNumber>;
169
+ agentRetryAttempts: z.ZodDefault<z.ZodNumber>;
170
+ enableDynamicRules: z.ZodDefault<z.ZodBoolean>;
171
+ dynamicRuleInterval: z.ZodDefault<z.ZodNumber>;
172
+ }, z.core.$strip>;
173
+ type SecurityConfig = z.input<typeof SecurityConfigSchema>;
174
+ type ResolvedSecurityConfig = z.output<typeof SecurityConfigSchema>;
175
+
176
+ interface GuardMiddlewareProtocol {
177
+ readonly config: ResolvedSecurityConfig;
178
+ readonly logger: Logger;
179
+ lastCloudIpRefresh: number;
180
+ suspiciousRequestCounts: Map<string, number>;
181
+ readonly eventBus: unknown;
182
+ readonly routeResolver: unknown;
183
+ readonly responseFactory: unknown;
184
+ readonly rateLimitHandler: unknown;
185
+ readonly agentHandler: AgentHandlerProtocol | null;
186
+ readonly geoIpHandler: GeoIPHandler | null;
187
+ readonly guardResponseFactory: GuardResponseFactory;
188
+ createErrorResponse(statusCode: number, defaultMessage: string): Promise<GuardResponse>;
189
+ refreshCloudIpRanges(): Promise<void>;
190
+ }
191
+
192
+ type BehaviorRuleType = 'usage' | 'return_pattern' | 'frequency';
193
+ type BehaviorAction = 'ban' | 'log' | 'throttle' | 'alert';
194
+ declare class BehaviorRule {
195
+ readonly ruleType: BehaviorRuleType;
196
+ readonly threshold: number;
197
+ readonly window: number;
198
+ readonly pattern: string | null;
199
+ readonly action: BehaviorAction;
200
+ readonly customAction: ((...args: unknown[]) => unknown) | null;
201
+ constructor(ruleType: BehaviorRuleType, threshold: number, window?: number, pattern?: string | null, action?: BehaviorAction, customAction?: ((...args: unknown[]) => unknown) | null);
202
+ }
203
+
204
+ declare const DynamicRulesSchema: z.ZodObject<{
205
+ ruleId: z.ZodString;
206
+ version: z.ZodNumber;
207
+ timestamp: z.ZodString;
208
+ expiresAt: z.ZodDefault<z.ZodNullable<z.ZodString>>;
209
+ ttl: z.ZodDefault<z.ZodNumber>;
210
+ ipBlacklist: z.ZodDefault<z.ZodArray<z.ZodString>>;
211
+ ipWhitelist: z.ZodDefault<z.ZodArray<z.ZodString>>;
212
+ ipBanDuration: z.ZodDefault<z.ZodNumber>;
213
+ blockedCountries: z.ZodDefault<z.ZodArray<z.ZodString>>;
214
+ whitelistCountries: z.ZodDefault<z.ZodArray<z.ZodString>>;
215
+ globalRateLimit: z.ZodDefault<z.ZodNullable<z.ZodNumber>>;
216
+ globalRateWindow: z.ZodDefault<z.ZodNullable<z.ZodNumber>>;
217
+ endpointRateLimits: z.ZodDefault<z.ZodRecord<z.ZodString, z.ZodTuple<[z.ZodNumber, z.ZodNumber], null>>>;
218
+ blockedCloudProviders: z.ZodPipe<z.ZodDefault<z.ZodArray<z.ZodEnum<{
219
+ AWS: "AWS";
220
+ GCP: "GCP";
221
+ Azure: "Azure";
222
+ }>>>, z.ZodTransform<Set<"AWS" | "GCP" | "Azure">, ("AWS" | "GCP" | "Azure")[]>>;
223
+ blockedUserAgents: z.ZodDefault<z.ZodArray<z.ZodString>>;
224
+ suspiciousPatterns: z.ZodDefault<z.ZodArray<z.ZodString>>;
225
+ enablePenetrationDetection: z.ZodDefault<z.ZodNullable<z.ZodBoolean>>;
226
+ enableIpBanning: z.ZodDefault<z.ZodNullable<z.ZodBoolean>>;
227
+ enableRateLimiting: z.ZodDefault<z.ZodNullable<z.ZodBoolean>>;
228
+ emergencyMode: z.ZodDefault<z.ZodBoolean>;
229
+ emergencyWhitelist: z.ZodDefault<z.ZodArray<z.ZodString>>;
230
+ }, z.core.$strip>;
231
+ type DynamicRules = z.output<typeof DynamicRulesSchema>;
232
+
233
+ declare class RouteConfig {
234
+ rateLimit: number | null;
235
+ rateLimitWindow: number | null;
236
+ ipWhitelist: string[] | null;
237
+ ipBlacklist: string[] | null;
238
+ blockedCountries: string[] | null;
239
+ whitelistCountries: string[] | null;
240
+ bypassedChecks: Set<string>;
241
+ requireHttps: boolean;
242
+ authRequired: string | null;
243
+ customValidators: Array<(request: GuardRequest) => Promise<GuardResponse | null>>;
244
+ blockedUserAgents: string[];
245
+ requiredHeaders: Record<string, string>;
246
+ behaviorRules: BehaviorRule[];
247
+ blockCloudProviders: Set<string>;
248
+ maxRequestSize: number | null;
249
+ allowedContentTypes: string[] | null;
250
+ timeRestrictions: {
251
+ start: string;
252
+ end: string;
253
+ } | null;
254
+ enableSuspiciousDetection: boolean;
255
+ requireReferrer: string[] | null;
256
+ apiKeyRequired: boolean;
257
+ sessionLimits: Record<string, number> | null;
258
+ geoRateLimits: Record<string, [number, number]> | null;
259
+ }
260
+
261
+ interface MatchResult {
262
+ [index: number]: string | undefined;
263
+ index: number;
264
+ input: string;
265
+ length: number;
266
+ groups?: Record<string, string>;
267
+ }
268
+ interface RE2Instance {
269
+ exec(str: string): MatchResult | null;
270
+ lastIndex: number;
271
+ }
272
+ declare class PatternCompiler {
273
+ private readonly defaultTimeoutMs;
274
+ private readonly maxCacheSize;
275
+ private cache;
276
+ private cacheOrder;
277
+ private re2Available;
278
+ constructor(defaultTimeoutMs?: number, maxCacheSize?: number);
279
+ private ensureRE2;
280
+ compile(pattern: string, flags?: string): Promise<RE2Instance | RegExp>;
281
+ compileSync(pattern: string, flags?: string): RegExp;
282
+ safeMatch(pattern: string, content: string, timeoutMs?: number): Promise<MatchResult | null>;
283
+ private fallbackMatch;
284
+ validatePatternSafety(pattern: string, testStrings?: string[]): [boolean, string];
285
+ batchCompile(patterns: string[], validate?: boolean): Promise<Map<string, RE2Instance | RegExp>>;
286
+ clearCache(): Promise<void>;
287
+ }
288
+
289
+ declare class ContentPreprocessor {
290
+ private readonly maxContentLength;
291
+ private readonly preserveAttackPatterns;
292
+ constructor(maxContentLength?: number, preserveAttackPatterns?: boolean);
293
+ normalizeUnicode(content: string): string;
294
+ removeNullBytes(content: string): string;
295
+ removeExcessiveWhitespace(content: string): string;
296
+ decodeCommonEncodings(content: string): string;
297
+ private decodeHtmlEntities;
298
+ extractAttackRegions(content: string): Array<[number, number]>;
299
+ truncateSafely(content: string): string;
300
+ preprocess(content: string): Promise<string>;
301
+ preprocessBatch(contents: string[]): Promise<string[]>;
302
+ }
303
+
304
+ interface PerformanceMetric {
305
+ pattern: string;
306
+ executionTime: number;
307
+ contentLength: number;
308
+ timestamp: Date;
309
+ matched: boolean;
310
+ timeout: boolean;
311
+ }
312
+ interface PatternStats {
313
+ pattern: string;
314
+ totalExecutions: number;
315
+ totalMatches: number;
316
+ totalTimeouts: number;
317
+ avgExecutionTime: number;
318
+ maxExecutionTime: number;
319
+ minExecutionTime: number;
320
+ recentTimes: number[];
321
+ }
322
+ interface PatternReport {
323
+ pattern: string;
324
+ patternHash: string;
325
+ totalExecutions: number;
326
+ totalMatches: number;
327
+ totalTimeouts: number;
328
+ matchRate: number;
329
+ timeoutRate: number;
330
+ avgExecutionTime: number;
331
+ maxExecutionTime: number;
332
+ minExecutionTime: number;
333
+ issue?: string;
334
+ }
335
+ type AnomalyCallback = (anomaly: Record<string, unknown>) => void;
336
+ declare class PerformanceMonitor {
337
+ private readonly anomalyThreshold;
338
+ private readonly slowPatternThreshold;
339
+ private readonly historySize;
340
+ private readonly maxTrackedPatterns;
341
+ private patternStats;
342
+ private recentMetrics;
343
+ private anomalyCallbacks;
344
+ constructor(anomalyThreshold?: number, slowPatternThreshold?: number, historySize?: number, maxTrackedPatterns?: number);
345
+ recordMetric(pattern: string, executionTime: number, contentLength: number, matched: boolean, timeout?: boolean, agentHandler?: AgentHandlerProtocol | null, correlationId?: string | null): Promise<void>;
346
+ private checkAnomalies;
347
+ getPatternReport(pattern: string): PatternReport | null;
348
+ getSlowPatterns(limit?: number): PatternReport[];
349
+ getProblematicPatterns(): PatternReport[];
350
+ getSummaryStats(): Record<string, unknown>;
351
+ registerAnomalyCallback(callback: AnomalyCallback): void;
352
+ clearStats(): Promise<void>;
353
+ removePatternStats(pattern: string): Promise<void>;
354
+ }
355
+
356
+ interface SemanticAnalysis {
357
+ attackProbabilities: Record<string, number>;
358
+ entropy: number;
359
+ encodingLayers: number;
360
+ isObfuscated: boolean;
361
+ suspiciousPatterns: Array<{
362
+ type: string;
363
+ pattern: string;
364
+ position: number;
365
+ context: string;
366
+ }>;
367
+ codeInjectionRisk: number;
368
+ tokenCount: number;
369
+ }
370
+ declare class SemanticAnalyzer {
371
+ extractTokens(content: string): string[];
372
+ calculateEntropy(content: string): number;
373
+ detectEncodingLayers(content: string): number;
374
+ analyzeAttackProbability(content: string): Record<string, number>;
375
+ detectObfuscation(content: string): boolean;
376
+ extractSuspiciousPatterns(content: string): SemanticAnalysis['suspiciousPatterns'];
377
+ analyzeCodeInjectionRisk(content: string): number;
378
+ analyze(content: string): SemanticAnalysis;
379
+ getThreatScore(analysis: SemanticAnalysis): number;
380
+ }
381
+
382
+ declare class SecurityEventBus {
383
+ private readonly agentHandler;
384
+ private readonly config;
385
+ private readonly logger;
386
+ private readonly geoIpHandler;
387
+ constructor(agentHandler: AgentHandlerProtocol | null, config: ResolvedSecurityConfig, logger: Logger, geoIpHandler?: GeoIPHandler | null);
388
+ sendMiddlewareEvent(eventType: string, request: GuardRequest, actionTaken: string, reason: string, metadata?: Record<string, unknown>): Promise<void>;
389
+ sendHttpsViolationEvent(request: GuardRequest, isRouteSpecific: boolean): Promise<void>;
390
+ sendCloudDetectionEvents(request: GuardRequest, clientIp: string, providers: string[], passiveMode: boolean): Promise<void>;
391
+ }
392
+
393
+ declare class MetricsCollector {
394
+ private readonly agentHandler;
395
+ private readonly config;
396
+ private readonly logger;
397
+ constructor(agentHandler: AgentHandlerProtocol | null, config: ResolvedSecurityConfig, logger: Logger);
398
+ sendMetric(metricType: string, value: number, tags?: Record<string, string>): Promise<void>;
399
+ collectRequestMetrics(request: GuardRequest, responseTime: number, statusCode: number): Promise<void>;
400
+ }
401
+
402
+ type RedisClient = {
403
+ get(key: string): Promise<string | null>;
404
+ set(key: string, value: string, ...args: unknown[]): Promise<unknown>;
405
+ setex(key: string, ttl: number, value: string): Promise<unknown>;
406
+ incr(key: string): Promise<number>;
407
+ expire(key: string, seconds: number): Promise<number>;
408
+ exists(key: string): Promise<number>;
409
+ del(...keys: string[]): Promise<number>;
410
+ keys(pattern: string): Promise<string[]>;
411
+ ping(): Promise<string>;
412
+ quit(): Promise<string>;
413
+ eval(script: string, numkeys: number, ...args: unknown[]): Promise<unknown>;
414
+ evalsha(sha: string, numkeys: number, ...args: unknown[]): Promise<unknown>;
415
+ script(cmd: string, ...args: unknown[]): Promise<any>;
416
+ zadd(key: string, ...args: unknown[]): Promise<number>;
417
+ zremrangebyscore(key: string, min: number | string, max: number | string): Promise<number>;
418
+ zcard(key: string): Promise<number>;
419
+ };
420
+ declare class RedisManager implements RedisHandlerProtocol {
421
+ private readonly config;
422
+ private readonly logger;
423
+ private client;
424
+ private closed;
425
+ private agentHandler;
426
+ private readonly prefix;
427
+ constructor(config: ResolvedSecurityConfig, logger: Logger);
428
+ initialize(): Promise<void>;
429
+ close(): Promise<void>;
430
+ initializeAgent(agentHandler: AgentHandlerProtocol): Promise<void>;
431
+ getConnection(): AsyncDisposable;
432
+ private formatKey;
433
+ getKey(namespace: string, key: string): Promise<unknown>;
434
+ setKey(namespace: string, key: string, value: unknown, ttl?: number | null): Promise<boolean | null>;
435
+ incr(namespace: string, key: string, ttl?: number): Promise<number | null>;
436
+ exists(namespace: string, key: string): Promise<boolean | null>;
437
+ delete(namespace: string, key: string): Promise<number | null>;
438
+ keys(pattern: string): Promise<string[] | null>;
439
+ deletePattern(pattern: string): Promise<number | null>;
440
+ getRawClient(): RedisClient | null;
441
+ }
442
+
443
+ declare class BehaviorTracker {
444
+ private readonly config;
445
+ private readonly logger;
446
+ private usageCounts;
447
+ private returnPatterns;
448
+ private redisHandler;
449
+ private agentHandler;
450
+ constructor(config: ResolvedSecurityConfig, logger: Logger);
451
+ initializeRedis(redisHandler: RedisManager): Promise<void>;
452
+ initializeAgent(agentHandler: AgentHandlerProtocol): Promise<void>;
453
+ trackEndpointUsage(endpointId: string, clientIp: string, rule: BehaviorRule): Promise<boolean>;
454
+ trackReturnPattern(endpointId: string, clientIp: string, response: GuardResponse, rule: BehaviorRule): Promise<boolean>;
455
+ private checkResponsePattern;
456
+ applyAction(rule: BehaviorRule, clientIp: string, endpointId: string, details: string): Promise<void>;
457
+ reset(): Promise<void>;
458
+ }
459
+
460
+ declare class CloudHandler {
461
+ private readonly logger;
462
+ private ipRanges;
463
+ private lastUpdated;
464
+ private redisHandler;
465
+ private agentHandler;
466
+ constructor(logger: Logger);
467
+ initializeRedis(redisHandler: RedisManager, providers: Set<string>, ttl?: number): Promise<void>;
468
+ initializeAgent(agentHandler: AgentHandlerProtocol): Promise<void>;
469
+ refreshAsync(providers: Set<string>, ttl?: number): Promise<void>;
470
+ private fetchProviderRanges;
471
+ private fetchAwsRanges;
472
+ private fetchGcpRanges;
473
+ private fetchAzureRanges;
474
+ isCloudIp(ip: string, providers: Set<string>): boolean;
475
+ getCloudProviderDetails(ip: string, providers: Set<string>): [string, string] | null;
476
+ reset(): Promise<void>;
477
+ }
478
+
479
+ declare class DynamicRuleManager {
480
+ private readonly config;
481
+ private readonly logger;
482
+ private currentRules;
483
+ private updateTimer;
484
+ private lastUpdate;
485
+ private agentHandler;
486
+ private redisHandler;
487
+ constructor(config: ResolvedSecurityConfig, logger: Logger);
488
+ initializeAgent(agentHandler: AgentHandlerProtocol): Promise<void>;
489
+ initializeRedis(redisHandler: RedisManager): Promise<void>;
490
+ private startUpdateLoop;
491
+ updateRules(): Promise<void>;
492
+ getCurrentRules(): DynamicRules | null;
493
+ forceUpdate(): Promise<void>;
494
+ stop(): Promise<void>;
495
+ }
496
+
497
+ declare class IPBanManager {
498
+ private readonly logger;
499
+ private bannedIps;
500
+ private redisHandler;
501
+ private agentHandler;
502
+ private readonly maxSize;
503
+ constructor(logger: Logger);
504
+ initializeRedis(redisHandler: RedisManager): Promise<void>;
505
+ initializeAgent(agentHandler: AgentHandlerProtocol): Promise<void>;
506
+ banIp(ip: string, duration: number, reason: string): Promise<void>;
507
+ isIpBanned(ip: string): Promise<boolean>;
508
+ unbanIp(ip: string): Promise<void>;
509
+ reset(): Promise<void>;
510
+ }
511
+
512
+ declare class RateLimitManager {
513
+ private readonly logger;
514
+ private requestTimestamps;
515
+ private redisHandler;
516
+ private agentHandler;
517
+ private rateLimitScriptSha;
518
+ constructor(logger: Logger);
519
+ initializeRedis(redisHandler: RedisManager): Promise<void>;
520
+ initializeAgent(agentHandler: AgentHandlerProtocol): Promise<void>;
521
+ checkRateLimit(request: GuardRequest, clientIp: string, createErrorResponse: (statusCode: number, message: string) => Promise<GuardResponse>, endpointPath?: string | null, rateLimit?: number, rateLimitWindow?: number): Promise<GuardResponse | null>;
522
+ private getRedisRequestCount;
523
+ private getInMemoryRequestCount;
524
+ private handleRateLimitExceeded;
525
+ reset(): Promise<void>;
526
+ }
527
+
528
+ declare class SecurityHeadersManager {
529
+ private readonly logger;
530
+ private headersCache;
531
+ private defaultHeaders;
532
+ private customHeaders;
533
+ private cspConfig;
534
+ private hstsConfig;
535
+ private corsConfig;
536
+ private redisHandler;
537
+ private agentHandler;
538
+ private cacheMaxSize;
539
+ private cacheTtlMs;
540
+ private cacheTimestamps;
541
+ constructor(logger: Logger);
542
+ initializeRedis(redisHandler: RedisManager): Promise<void>;
543
+ initializeAgent(agentHandler: AgentHandlerProtocol): Promise<void>;
544
+ private loadCachedConfig;
545
+ configure(options: {
546
+ enabled?: boolean | undefined;
547
+ csp?: Record<string, string[]> | null | undefined;
548
+ hstsMaxAge?: number | undefined;
549
+ hstsIncludeSubdomains?: boolean | undefined;
550
+ hstsPreload?: boolean | undefined;
551
+ frameOptions?: string | undefined;
552
+ contentTypeOptions?: string | undefined;
553
+ xssProtection?: string | undefined;
554
+ referrerPolicy?: string | undefined;
555
+ permissionsPolicy?: string | undefined;
556
+ customHeaders?: Record<string, string> | null | undefined;
557
+ corsOrigins?: string[] | undefined;
558
+ corsAllowCredentials?: boolean | undefined;
559
+ corsAllowMethods?: string[] | undefined;
560
+ corsAllowHeaders?: string[] | undefined;
561
+ }): void;
562
+ private cacheConfiguration;
563
+ private buildCsp;
564
+ private buildHsts;
565
+ getHeaders(requestPath: string): Promise<Record<string, string>>;
566
+ getCorsHeaders(origin: string): Record<string, string>;
567
+ reset(): Promise<void>;
568
+ }
569
+
570
+ interface DetectionResult {
571
+ isThreat: boolean;
572
+ threatScore: number;
573
+ threats: Array<{
574
+ pattern: string;
575
+ context: string;
576
+ matchedContent: string;
577
+ detectionMethod: string;
578
+ }>;
579
+ executionTime: number;
580
+ timeouts: string[];
581
+ correlationId: string | null;
582
+ originalLength: number;
583
+ processedLength: number;
584
+ }
585
+ declare class SusPatternsManager {
586
+ private readonly logger;
587
+ private compiler;
588
+ private preprocessor;
589
+ private semantic;
590
+ private monitor;
591
+ private customPatterns;
592
+ private compiledCustomContexts;
593
+ private redisHandler;
594
+ private agentHandler;
595
+ private semanticThreshold;
596
+ constructor(config: ResolvedSecurityConfig, logger: Logger);
597
+ initializeRedis(redisHandler: RedisManager): Promise<void>;
598
+ initializeAgent(agentHandler: AgentHandlerProtocol): Promise<void>;
599
+ private normalizeContext;
600
+ detect(content: string, ipAddress: string, context?: string, correlationId?: string | null): Promise<DetectionResult>;
601
+ detectPatternMatch(content: string, ipAddress: string, context?: string, correlationId?: string | null): Promise<[boolean, string | null]>;
602
+ addPattern(pattern: string, custom?: boolean): Promise<void>;
603
+ removePattern(pattern: string): Promise<void>;
604
+ getDefaultPatterns(): string[];
605
+ getCustomPatterns(): string[];
606
+ getAllPatterns(): string[];
607
+ getPerformanceStats(): Promise<Record<string, unknown> | null>;
608
+ getComponentStatus(): Record<string, boolean>;
609
+ configureSemanticThreshold(threshold: number): Promise<void>;
610
+ reset(): Promise<void>;
611
+ }
612
+
613
+ interface HandlerRegistry {
614
+ redisHandler: RedisManager | null;
615
+ ipBanHandler: IPBanManager;
616
+ rateLimitHandler: RateLimitManager;
617
+ cloudHandler: CloudHandler;
618
+ susPatternsHandler: SusPatternsManager;
619
+ securityHeadersHandler: SecurityHeadersManager;
620
+ behaviorTracker: BehaviorTracker;
621
+ dynamicRuleHandler: DynamicRuleManager;
622
+ geoIpHandler: GeoIPHandler | null;
623
+ }
624
+
625
+ declare class RequestValidator {
626
+ private readonly config;
627
+ private readonly logger;
628
+ private readonly eventBus;
629
+ constructor(config: ResolvedSecurityConfig, logger: Logger, eventBus: SecurityEventBus);
630
+ isRequestHttps(request: GuardRequest): boolean;
631
+ isTrustedProxy(connectingIp: string): boolean;
632
+ checkTimeWindow(timeRestrictions: {
633
+ start: string;
634
+ end: string;
635
+ }): Promise<boolean>;
636
+ isPathExcluded(request: GuardRequest): Promise<boolean>;
637
+ }
638
+
639
+ declare class RouteConfigResolver {
640
+ private readonly config;
641
+ private guardDecorator;
642
+ constructor(config: ResolvedSecurityConfig);
643
+ setGuardDecorator(decorator: unknown): void;
644
+ getRouteConfig(request: GuardRequest): RouteConfig | null;
645
+ shouldBypassCheck(checkName: string, routeConfig: RouteConfig | null): boolean;
646
+ getCloudProvidersToCheck(routeConfig: RouteConfig | null): string[] | null;
647
+ }
648
+
649
+ declare class ErrorResponseFactory {
650
+ private readonly config;
651
+ private readonly logger;
652
+ private readonly metricsCollector;
653
+ private readonly guardResponseFactory;
654
+ private readonly securityHeadersManager;
655
+ private readonly agentHandler;
656
+ constructor(config: ResolvedSecurityConfig, logger: Logger, metricsCollector: MetricsCollector, guardResponseFactory: GuardResponseFactory, securityHeadersManager: SecurityHeadersManager, agentHandler?: AgentHandlerProtocol | null);
657
+ createErrorResponse(statusCode: number, defaultMessage: string): Promise<GuardResponse>;
658
+ createHttpsRedirect(request: GuardRequest): Promise<GuardResponse>;
659
+ applySecurityHeaders(response: GuardResponse, requestPath?: string): Promise<GuardResponse>;
660
+ applyCorsHeaders(response: GuardResponse, origin: string): Promise<GuardResponse>;
661
+ applyModifier(response: GuardResponse): Promise<GuardResponse>;
662
+ processResponse(request: GuardRequest, response: GuardResponse, responseTime: number, routeConfig: RouteConfig | null, processBehavioralRules?: (request: GuardRequest, response: GuardResponse, clientIp: string, routeConfig: RouteConfig) => Promise<void>): Promise<GuardResponse>;
663
+ }
664
+
665
+ declare class BypassHandler {
666
+ private readonly config;
667
+ private readonly eventBus;
668
+ private readonly routeResolver;
669
+ private readonly responseFactory;
670
+ private readonly validator;
671
+ constructor(config: ResolvedSecurityConfig, eventBus: SecurityEventBus, routeResolver: RouteConfigResolver, responseFactory: ErrorResponseFactory, validator: RequestValidator);
672
+ handlePassthrough(request: GuardRequest, callNext: (req: GuardRequest) => Promise<GuardResponse>): Promise<GuardResponse | null>;
673
+ handleSecurityBypass(request: GuardRequest, callNext: (req: GuardRequest) => Promise<GuardResponse>, routeConfig: RouteConfig | null): Promise<GuardResponse | null>;
674
+ }
675
+
676
+ declare class BehavioralProcessor {
677
+ private readonly logger;
678
+ private readonly eventBus;
679
+ private guardDecorator;
680
+ constructor(logger: Logger, eventBus: SecurityEventBus);
681
+ setGuardDecorator(decorator: {
682
+ behaviorTracker: BehaviorTracker;
683
+ }): void;
684
+ processUsageRules(request: GuardRequest, clientIp: string, routeConfig: RouteConfig): Promise<void>;
685
+ processReturnRules(request: GuardRequest, response: GuardResponse, clientIp: string, routeConfig: RouteConfig): Promise<void>;
686
+ getEndpointId(request: GuardRequest): string;
687
+ }
688
+
689
+ declare abstract class SecurityCheck {
690
+ protected readonly middleware: GuardMiddlewareProtocol;
691
+ constructor(middleware: GuardMiddlewareProtocol);
692
+ abstract check(request: GuardRequest): Promise<GuardResponse | null>;
693
+ abstract get checkName(): string;
694
+ protected get config(): ResolvedSecurityConfig;
695
+ protected get logger(): Logger;
696
+ sendEvent(type: string, request: GuardRequest, action: string, reason: string, meta?: Record<string, unknown>): Promise<void>;
697
+ createErrorResponse(statusCode: number, message: string): Promise<GuardResponse>;
698
+ isPassiveMode(): boolean;
699
+ }
700
+
701
+ declare class SecurityCheckPipeline {
702
+ private checks;
703
+ private readonly logger;
704
+ constructor(checks: SecurityCheck[], logger: Logger);
705
+ execute(request: GuardRequest): Promise<GuardResponse | null>;
706
+ add(check: SecurityCheck): void;
707
+ insert(index: number, check: SecurityCheck): void;
708
+ remove(name: string): boolean;
709
+ getCheckNames(): string[];
710
+ get length(): number;
711
+ }
712
+
713
+ interface SecurityMiddlewareComponents {
714
+ registry: HandlerRegistry;
715
+ pipeline: SecurityCheckPipeline;
716
+ eventBus: SecurityEventBus;
717
+ metricsCollector: MetricsCollector;
718
+ validator: RequestValidator;
719
+ routeResolver: RouteConfigResolver;
720
+ bypassHandler: BypassHandler;
721
+ errorResponseFactory: ErrorResponseFactory;
722
+ behavioralProcessor: BehavioralProcessor;
723
+ middlewareProtocol: GuardMiddlewareProtocol;
724
+ }
725
+ declare function initializeSecurityMiddleware(config: ResolvedSecurityConfig, logger: Logger, guardResponseFactory: GuardResponseFactory, agentHandler?: AgentHandlerProtocol | null, geoIpHandler?: GeoIPHandler | null, guardDecorator?: unknown): Promise<SecurityMiddlewareComponents>;
726
+
727
+ declare class BaseSecurityDecorator {
728
+ routeConfigs: Map<string, RouteConfig>;
729
+ behaviorTracker: BehaviorTracker;
730
+ agentHandler: AgentHandlerProtocol | null;
731
+ readonly config: ResolvedSecurityConfig;
732
+ readonly logger: Logger;
733
+ constructor(config: ResolvedSecurityConfig, logger?: Logger);
734
+ getRouteConfig(routeId: string): RouteConfig | undefined;
735
+ ensureRouteConfig(fn: Function): RouteConfig;
736
+ applyRouteConfig<T extends Function>(fn: T): T;
737
+ getRouteId(fn: Function): string;
738
+ initializeBehaviorTracking(redisHandler?: RedisHandlerProtocol): Promise<void>;
739
+ initializeAgent(agentHandler: AgentHandlerProtocol): Promise<void>;
740
+ sendDecoratorEvent(eventType: string, _request: GuardRequest, actionTaken: string, reason: string, decoratorType: string, meta?: Record<string, unknown>): Promise<void>;
741
+ sendAccessDeniedEvent(request: GuardRequest, reason: string, decoratorType: string, meta?: Record<string, unknown>): Promise<void>;
742
+ sendAuthenticationFailedEvent(request: GuardRequest, reason: string, authType: string, meta?: Record<string, unknown>): Promise<void>;
743
+ sendRateLimitEvent(request: GuardRequest, limit: number, window: number, meta?: Record<string, unknown>): Promise<void>;
744
+ sendDecoratorViolationEvent(request: GuardRequest, violationType: string, reason: string, meta?: Record<string, unknown>): Promise<void>;
745
+ }
746
+ declare function getRouteDecoratorConfig(request: GuardRequest, decoratorHandler: BaseSecurityDecorator): RouteConfig | undefined;
747
+
748
+ declare const SecurityDecorator: {
749
+ new (...args: any[]): {
750
+ timeWindow(startTime: string, endTime: string, _timezone?: string): <F extends Function>(fn: F) => F;
751
+ suspiciousDetection(enabled?: boolean): <F extends Function>(fn: F) => F;
752
+ honeypotDetection(trapFields: string[]): <F extends Function>(fn: F) => F;
753
+ routeConfigs: Map<string, RouteConfig>;
754
+ behaviorTracker: BehaviorTracker;
755
+ agentHandler: AgentHandlerProtocol | null;
756
+ readonly config: ResolvedSecurityConfig;
757
+ readonly logger: Logger;
758
+ getRouteConfig(routeId: string): RouteConfig | undefined;
759
+ ensureRouteConfig(fn: Function): RouteConfig;
760
+ applyRouteConfig<T extends Function>(fn: T): T;
761
+ getRouteId(fn: Function): string;
762
+ initializeBehaviorTracking(redisHandler?: RedisHandlerProtocol): Promise<void>;
763
+ initializeAgent(agentHandler: AgentHandlerProtocol): Promise<void>;
764
+ sendDecoratorEvent(eventType: string, _request: GuardRequest, actionTaken: string, reason: string, decoratorType: string, meta?: Record<string, unknown>): Promise<void>;
765
+ sendAccessDeniedEvent(request: GuardRequest, reason: string, decoratorType: string, meta?: Record<string, unknown>): Promise<void>;
766
+ sendAuthenticationFailedEvent(request: GuardRequest, reason: string, authType: string, meta?: Record<string, unknown>): Promise<void>;
767
+ sendRateLimitEvent(request: GuardRequest, limit: number, window: number, meta?: Record<string, unknown>): Promise<void>;
768
+ sendDecoratorViolationEvent(request: GuardRequest, violationType: string, reason: string, meta?: Record<string, unknown>): Promise<void>;
769
+ };
770
+ } & {
771
+ new (...args: any[]): {
772
+ blockUserAgents(patterns: string[]): <F extends Function>(fn: F) => F;
773
+ contentTypeFilter(allowedTypes: string[]): <F extends Function>(fn: F) => F;
774
+ maxRequestSize(sizeBytes: number): <F extends Function>(fn: F) => F;
775
+ requireReferrer(allowedDomains: string[]): <F extends Function>(fn: F) => F;
776
+ customValidation(validator: (request: GuardRequest) => Promise<GuardResponse | null>): <F extends Function>(fn: F) => F;
777
+ routeConfigs: Map<string, RouteConfig>;
778
+ behaviorTracker: BehaviorTracker;
779
+ agentHandler: AgentHandlerProtocol | null;
780
+ readonly config: ResolvedSecurityConfig;
781
+ readonly logger: Logger;
782
+ getRouteConfig(routeId: string): RouteConfig | undefined;
783
+ ensureRouteConfig(fn: Function): RouteConfig;
784
+ applyRouteConfig<T extends Function>(fn: T): T;
785
+ getRouteId(fn: Function): string;
786
+ initializeBehaviorTracking(redisHandler?: RedisHandlerProtocol): Promise<void>;
787
+ initializeAgent(agentHandler: AgentHandlerProtocol): Promise<void>;
788
+ sendDecoratorEvent(eventType: string, _request: GuardRequest, actionTaken: string, reason: string, decoratorType: string, meta?: Record<string, unknown>): Promise<void>;
789
+ sendAccessDeniedEvent(request: GuardRequest, reason: string, decoratorType: string, meta?: Record<string, unknown>): Promise<void>;
790
+ sendAuthenticationFailedEvent(request: GuardRequest, reason: string, authType: string, meta?: Record<string, unknown>): Promise<void>;
791
+ sendRateLimitEvent(request: GuardRequest, limit: number, window: number, meta?: Record<string, unknown>): Promise<void>;
792
+ sendDecoratorViolationEvent(request: GuardRequest, violationType: string, reason: string, meta?: Record<string, unknown>): Promise<void>;
793
+ };
794
+ } & {
795
+ new (...args: any[]): {
796
+ usageMonitor(maxCalls: number, window?: number, action?: BehaviorAction): <F extends Function>(fn: F) => F;
797
+ returnMonitor(pattern: string, maxOccurrences: number, window?: number, action?: BehaviorAction): <F extends Function>(fn: F) => F;
798
+ behaviorAnalysis(rules: BehaviorRule[]): <F extends Function>(fn: F) => F;
799
+ suspiciousFrequency(maxFrequency: number, window?: number, action?: BehaviorAction): <F extends Function>(fn: F) => F;
800
+ routeConfigs: Map<string, RouteConfig>;
801
+ behaviorTracker: BehaviorTracker;
802
+ agentHandler: AgentHandlerProtocol | null;
803
+ readonly config: ResolvedSecurityConfig;
804
+ readonly logger: Logger;
805
+ getRouteConfig(routeId: string): RouteConfig | undefined;
806
+ ensureRouteConfig(fn: Function): RouteConfig;
807
+ applyRouteConfig<T extends Function>(fn: T): T;
808
+ getRouteId(fn: Function): string;
809
+ initializeBehaviorTracking(redisHandler?: RedisHandlerProtocol): Promise<void>;
810
+ initializeAgent(agentHandler: AgentHandlerProtocol): Promise<void>;
811
+ sendDecoratorEvent(eventType: string, _request: GuardRequest, actionTaken: string, reason: string, decoratorType: string, meta?: Record<string, unknown>): Promise<void>;
812
+ sendAccessDeniedEvent(request: GuardRequest, reason: string, decoratorType: string, meta?: Record<string, unknown>): Promise<void>;
813
+ sendAuthenticationFailedEvent(request: GuardRequest, reason: string, authType: string, meta?: Record<string, unknown>): Promise<void>;
814
+ sendRateLimitEvent(request: GuardRequest, limit: number, window: number, meta?: Record<string, unknown>): Promise<void>;
815
+ sendDecoratorViolationEvent(request: GuardRequest, violationType: string, reason: string, meta?: Record<string, unknown>): Promise<void>;
816
+ };
817
+ } & {
818
+ new (...args: any[]): {
819
+ requireHttps(): <F extends Function>(fn: F) => F;
820
+ requireAuth(type?: string): <F extends Function>(fn: F) => F;
821
+ apiKeyAuth(headerName?: string): <F extends Function>(fn: F) => F;
822
+ requireHeaders(headers: Record<string, string>): <F extends Function>(fn: F) => F;
823
+ routeConfigs: Map<string, RouteConfig>;
824
+ behaviorTracker: BehaviorTracker;
825
+ agentHandler: AgentHandlerProtocol | null;
826
+ readonly config: ResolvedSecurityConfig;
827
+ readonly logger: Logger;
828
+ getRouteConfig(routeId: string): RouteConfig | undefined;
829
+ ensureRouteConfig(fn: Function): RouteConfig;
830
+ applyRouteConfig<T extends Function>(fn: T): T;
831
+ getRouteId(fn: Function): string;
832
+ initializeBehaviorTracking(redisHandler?: RedisHandlerProtocol): Promise<void>;
833
+ initializeAgent(agentHandler: AgentHandlerProtocol): Promise<void>;
834
+ sendDecoratorEvent(eventType: string, _request: GuardRequest, actionTaken: string, reason: string, decoratorType: string, meta?: Record<string, unknown>): Promise<void>;
835
+ sendAccessDeniedEvent(request: GuardRequest, reason: string, decoratorType: string, meta?: Record<string, unknown>): Promise<void>;
836
+ sendAuthenticationFailedEvent(request: GuardRequest, reason: string, authType: string, meta?: Record<string, unknown>): Promise<void>;
837
+ sendRateLimitEvent(request: GuardRequest, limit: number, window: number, meta?: Record<string, unknown>): Promise<void>;
838
+ sendDecoratorViolationEvent(request: GuardRequest, violationType: string, reason: string, meta?: Record<string, unknown>): Promise<void>;
839
+ };
840
+ } & {
841
+ new (...args: any[]): {
842
+ rateLimit(requests: number, window?: number): <// eslint-disable-next-line @typescript-eslint/no-explicit-any -- TS mixin composition requires any[]
843
+ F extends Function>(fn: F) => F;
844
+ geoRateLimit(limits: Record<string, [number, number]>): <F extends Function>(fn: F) => F;
845
+ routeConfigs: Map<string, RouteConfig>;
846
+ behaviorTracker: BehaviorTracker;
847
+ agentHandler: AgentHandlerProtocol | null;
848
+ readonly config: ResolvedSecurityConfig;
849
+ readonly logger: Logger;
850
+ getRouteConfig(routeId: string): RouteConfig | undefined;
851
+ ensureRouteConfig(fn: Function): RouteConfig;
852
+ applyRouteConfig<T extends Function>(fn: T): T;
853
+ getRouteId(fn: Function): string;
854
+ initializeBehaviorTracking(redisHandler?: RedisHandlerProtocol): Promise<void>;
855
+ initializeAgent(agentHandler: AgentHandlerProtocol): Promise<void>;
856
+ sendDecoratorEvent(eventType: string, _request: GuardRequest, actionTaken: string, reason: string, decoratorType: string, meta?: Record<string, unknown>): Promise<void>;
857
+ sendAccessDeniedEvent(request: GuardRequest, reason: string, decoratorType: string, meta?: Record<string, unknown>): Promise<void>;
858
+ sendAuthenticationFailedEvent(request: GuardRequest, reason: string, authType: string, meta?: Record<string, unknown>): Promise<void>;
859
+ sendRateLimitEvent(request: GuardRequest, limit: number, window: number, meta?: Record<string, unknown>): Promise<void>;
860
+ sendDecoratorViolationEvent(request: GuardRequest, violationType: string, reason: string, meta?: Record<string, unknown>): Promise<void>;
861
+ };
862
+ } & {
863
+ new (...args: any[]): {
864
+ requireIp(whitelist?: string[], blacklist?: string[]): <F extends Function>(fn: F) => F;
865
+ blockCountries(countries: string[]): <F extends Function>(fn: F) => F;
866
+ allowCountries(countries: string[]): <F extends Function>(fn: F) => F;
867
+ blockClouds(providers?: string[]): <F extends Function>(fn: F) => F;
868
+ bypass(checks: string[]): <F extends Function>(fn: F) => F;
869
+ routeConfigs: Map<string, RouteConfig>;
870
+ behaviorTracker: BehaviorTracker;
871
+ agentHandler: AgentHandlerProtocol | null;
872
+ readonly config: ResolvedSecurityConfig;
873
+ readonly logger: Logger;
874
+ getRouteConfig(routeId: string): RouteConfig | undefined;
875
+ ensureRouteConfig(fn: Function): RouteConfig;
876
+ applyRouteConfig<T extends Function>(fn: T): T;
877
+ getRouteId(fn: Function): string;
878
+ initializeBehaviorTracking(redisHandler?: RedisHandlerProtocol): Promise<void>;
879
+ initializeAgent(agentHandler: AgentHandlerProtocol): Promise<void>;
880
+ sendDecoratorEvent(eventType: string, _request: GuardRequest, actionTaken: string, reason: string, decoratorType: string, meta?: Record<string, unknown>): Promise<void>;
881
+ sendAccessDeniedEvent(request: GuardRequest, reason: string, decoratorType: string, meta?: Record<string, unknown>): Promise<void>;
882
+ sendAuthenticationFailedEvent(request: GuardRequest, reason: string, authType: string, meta?: Record<string, unknown>): Promise<void>;
883
+ sendRateLimitEvent(request: GuardRequest, limit: number, window: number, meta?: Record<string, unknown>): Promise<void>;
884
+ sendDecoratorViolationEvent(request: GuardRequest, violationType: string, reason: string, meta?: Record<string, unknown>): Promise<void>;
885
+ };
886
+ } & (new (...args: any[]) => BaseSecurityDecorator);
887
+ type SecurityDecorator = InstanceType<typeof SecurityDecorator>;
888
+
889
+ declare function sanitizeForLog(value: string): string;
890
+ declare function sendAgentEvent(agentHandler: AgentHandlerProtocol | null, eventType: string, ipAddress: string, actionTaken: string, reason: string, request?: GuardRequest | null, metadata?: Record<string, unknown>): Promise<void>;
891
+ declare function extractClientIp(request: GuardRequest, config: ResolvedSecurityConfig, agentHandler?: AgentHandlerProtocol | null): Promise<string>;
892
+ declare function isUserAgentAllowed(userAgent: string, config: ResolvedSecurityConfig): Promise<boolean>;
893
+ declare function checkIpCountry(ip: string, config: ResolvedSecurityConfig, geoIpHandler: GeoIPHandler): Promise<boolean>;
894
+ declare function isIpAllowed(ip: string, config: ResolvedSecurityConfig, geoIpHandler?: GeoIPHandler | null): Promise<boolean>;
895
+ declare function detectPenetrationAttempt(request: GuardRequest): Promise<[boolean, string]>;
896
+ declare function logActivity(request: GuardRequest, logger: Logger, logType?: string, reason?: string, passiveMode?: boolean, triggerInfo?: string, level?: 'INFO' | 'DEBUG' | 'WARNING' | 'ERROR' | 'CRITICAL' | null): void;
897
+
898
+ export { type AgentHandlerProtocol, BaseSecurityDecorator, type BehaviorAction, BehaviorRule, type BehaviorRuleType, BehavioralProcessor, BypassHandler, ContentPreprocessor, type DynamicRules, DynamicRulesSchema, ErrorResponseFactory, type GeoIPHandler, type GuardMiddlewareProtocol, type GuardRequest, type GuardRequestState, type GuardResponse, type GuardResponseFactory, type HandlerRegistry, type Logger, MetricsCollector, PatternCompiler, type PatternReport, type PatternStats, type PerformanceMetric, PerformanceMonitor, type RedisHandlerProtocol, RequestValidator, type ResolvedSecurityConfig, RouteConfig, RouteConfigResolver, SecurityCheckPipeline, type SecurityConfig, SecurityConfigSchema, SecurityDecorator, SecurityEventBus, type SecurityMiddlewareComponents, type SemanticAnalysis, SemanticAnalyzer, checkIpCountry, defaultLogger, detectPenetrationAttempt, extractClientIp, getRouteDecoratorConfig, initializeSecurityMiddleware, isIpAllowed, isUserAgentAllowed, logActivity, sanitizeForLog, sendAgentEvent };