@guardcore/core 1.0.0

package/dist/index.js

@@ -0,0 +1,2533 @@
+import {
+  CloudHandler
+} from "./chunk-LK7N5CAQ.js";
+import {
+  ContentPreprocessor,
+  PatternCompiler,
+  PerformanceMonitor,
+  SemanticAnalyzer,
+  SusPatternsManager
+} from "./chunk-I634N6VV.js";
+import {
+  checkIpCountry,
+  detectPenetrationAttempt,
+  extractClientIp,
+  isIpAllowed,
+  isUserAgentAllowed,
+  logActivity,
+  sanitizeForLog,
+  sendAgentEvent
+} from "./chunk-4HBVN5N7.js";
+import "./chunk-DGUM43GV.js";
+
+// src/models/behavior-rule.ts
+var BehaviorRule = class {
+  ruleType;
+  threshold;
+  window;
+  pattern;
+  action;
+  customAction;
+  constructor(ruleType, threshold, window = 3600, pattern = null, action = "log", customAction = null) {
+    this.ruleType = ruleType;
+    this.threshold = threshold;
+    this.window = window;
+    this.pattern = pattern;
+    this.action = action;
+    this.customAction = customAction;
+  }
+};
+
+// src/models/config.ts
+import * as ipaddr from "ipaddr.js";
+import { z } from "zod";
+function isValidIpOrCidr(value) {
+  if (value.includes("/")) {
+    try {
+      ipaddr.parseCIDR(value);
+      return true;
+    } catch {
+      return false;
+    }
+  }
+  return ipaddr.isValid(value);
+}
+var VALID_CLOUD_PROVIDERS = ["AWS", "GCP", "Azure"];
+var IpOrCidrSchema = z.string().refine(isValidIpOrCidr, "Invalid IP or CIDR");
+var LogLevel = z.enum(["INFO", "DEBUG", "WARNING", "ERROR", "CRITICAL"]);
+var SecurityConfigSchema = z.object({
+  trustedProxies: z.array(IpOrCidrSchema).default([]),
+  trustedProxyDepth: z.number().int().min(1).default(1),
+  trustXForwardedProto: z.boolean().default(false),
+  passiveMode: z.boolean().default(false),
+  geoIpHandler: z.custom().optional(),
+  geoResolver: z.custom().optional(),
+  enableRedis: z.boolean().default(true),
+  redisUrl: z.string().default("redis://localhost:6379"),
+  redisPrefix: z.string().default("guard_core:"),
+  whitelist: z.array(IpOrCidrSchema).nullable().default(null),
+  blacklist: z.array(IpOrCidrSchema).default([]),
+  whitelistCountries: z.array(z.string().length(2)).default([]),
+  blockedCountries: z.array(z.string().length(2)).default([]),
+  blockedUserAgents: z.array(z.string()).default([]),
+  autoBanThreshold: z.number().int().positive().default(10),
+  autoBanDuration: z.number().int().positive().default(3600),
+  logger: z.custom().optional(),
+  customLogFile: z.string().nullable().default(null),
+  logSuspiciousLevel: LogLevel.nullable().default("WARNING"),
+  logRequestLevel: LogLevel.nullable().default(null),
+  logFormat: z.enum(["text", "json"]).default("text"),
+  customErrorResponses: z.record(z.coerce.number(), z.string()).default({}),
+  rateLimit: z.number().int().positive().default(10),
+  rateLimitWindow: z.number().int().positive().default(60),
+  enforceHttps: z.boolean().default(false),
+  securityHeaders: z.object({
+    enabled: z.boolean().default(true),
+    hsts: z.object({
+      maxAge: z.number().default(31536e3),
+      includeSubdomains: z.boolean().default(true),
+      preload: z.boolean().default(false)
+    }).optional(),
+    csp: z.record(z.string(), z.array(z.string())).nullable().default(null),
+    frameOptions: z.enum(["DENY", "SAMEORIGIN"]).default("SAMEORIGIN"),
+    contentTypeOptions: z.string().default("nosniff"),
+    xssProtection: z.string().default("1; mode=block"),
+    referrerPolicy: z.string().default("strict-origin-when-cross-origin"),
+    permissionsPolicy: z.string().default("geolocation=(), microphone=(), camera=()"),
+    custom: z.record(z.string(), z.string()).nullable().default(null)
+  }).nullable().default({
+    enabled: true,
+    hsts: { maxAge: 31536e3, includeSubdomains: true, preload: false },
+    frameOptions: "SAMEORIGIN",
+    contentTypeOptions: "nosniff",
+    xssProtection: "1; mode=block",
+    referrerPolicy: "strict-origin-when-cross-origin",
+    permissionsPolicy: "geolocation=(), microphone=(), camera=()",
+    csp: null,
+    custom: null
+  }),
+  customRequestCheck: z.custom().optional(),
+  customResponseModifier: z.custom().optional(),
+  enableCors: z.boolean().default(false),
+  corsAllowOrigins: z.array(z.string()).default(["*"]),
+  corsAllowMethods: z.array(z.string()).default(["GET", "POST", "PUT", "PATCH", "DELETE", "OPTIONS"]),
+  corsAllowHeaders: z.array(z.string()).default(["*"]),
+  corsAllowCredentials: z.boolean().default(false),
+  corsExposeHeaders: z.array(z.string()).default([]),
+  corsMaxAge: z.number().int().positive().default(600),
+  blockCloudProviders: z.array(z.enum(VALID_CLOUD_PROVIDERS)).default([]).transform((arr) => new Set(arr)),
+  cloudIpRefreshInterval: z.number().int().min(60).max(86400).default(3600),
+  excludePaths: z.array(z.string()).default([]),
+  enableIpBanning: z.boolean().default(true),
+  enableRateLimiting: z.boolean().default(true),
+  enablePenetrationDetection: z.boolean().default(true),
+  emergencyMode: z.boolean().default(false),
+  emergencyWhitelist: z.array(z.string()).default([]),
+  endpointRateLimits: z.record(z.string(), z.tuple([z.number(), z.number()])).default({}),
+  detectionCompilerTimeout: z.number().min(0.1).max(10).default(2),
+  detectionMaxContentLength: z.number().int().min(1e3).max(1e5).default(1e4),
+  detectionPreserveAttackPatterns: z.boolean().default(true),
+  detectionSemanticThreshold: z.number().min(0).max(1).default(0.7),
+  detectionAnomalyThreshold: z.number().min(1).max(10).default(3),
+  detectionSlowPatternThreshold: z.number().min(0.01).max(1).default(0.1),
+  detectionMonitorHistorySize: z.number().int().min(100).max(1e4).default(1e3),
+  detectionMaxTrackedPatterns: z.number().int().min(100).max(5e3).default(1e3),
+  enableAgent: z.boolean().default(false),
+  agentApiKey: z.string().nullable().default(null),
+  agentEndpoint: z.string().url().default("https://api.fastapi-guard.com"),
+  agentProjectId: z.string().nullable().default(null),
+  agentBufferSize: z.number().int().positive().default(100),
+  agentFlushInterval: z.number().int().positive().default(30),
+  agentEnableEvents: z.boolean().default(true),
+  agentEnableMetrics: z.boolean().default(true),
+  agentTimeout: z.number().int().positive().default(30),
+  agentRetryAttempts: z.number().int().nonnegative().default(3),
+  enableDynamicRules: z.boolean().default(false),
+  dynamicRuleInterval: z.number().int().positive().default(300)
+}).superRefine((data, ctx) => {
+  if (data.enableAgent && !data.agentApiKey) {
+    ctx.addIssue({
+      code: "custom",
+      message: "agentApiKey is required when enableAgent is true",
+      path: ["agentApiKey"]
+    });
+  }
+  if (data.enableDynamicRules && !data.enableAgent) {
+    ctx.addIssue({
+      code: "custom",
+      message: "enableAgent must be true when enableDynamicRules is true",
+      path: ["enableDynamicRules"]
+    });
+  }
+  if ((data.blockedCountries.length > 0 || data.whitelistCountries.length > 0) && !data.geoIpHandler && !data.geoResolver) {
+    ctx.addIssue({
+      code: "custom",
+      message: "geoIpHandler or geoResolver is required when using country filtering",
+      path: ["geoIpHandler"]
+    });
+  }
+});
+
+// src/models/dynamic-rules.ts
+import { z as z2 } from "zod";
+var VALID_CLOUD_PROVIDERS2 = ["AWS", "GCP", "Azure"];
+var DynamicRulesSchema = z2.object({
+  ruleId: z2.string(),
+  version: z2.number().int(),
+  timestamp: z2.string().datetime(),
+  expiresAt: z2.string().datetime().nullable().default(null),
+  ttl: z2.number().int().default(300),
+  ipBlacklist: z2.array(z2.string()).default([]),
+  ipWhitelist: z2.array(z2.string()).default([]),
+  ipBanDuration: z2.number().int().default(3600),
+  blockedCountries: z2.array(z2.string().length(2)).default([]),
+  whitelistCountries: z2.array(z2.string().length(2)).default([]),
+  globalRateLimit: z2.number().int().nullable().default(null),
+  globalRateWindow: z2.number().int().nullable().default(null),
+  endpointRateLimits: z2.record(z2.string(), z2.tuple([z2.number(), z2.number()])).default({}),
+  blockedCloudProviders: z2.array(z2.enum(VALID_CLOUD_PROVIDERS2)).default([]).transform((arr) => new Set(arr)),
+  blockedUserAgents: z2.array(z2.string()).default([]),
+  suspiciousPatterns: z2.array(z2.string()).default([]),
+  enablePenetrationDetection: z2.boolean().nullable().default(null),
+  enableIpBanning: z2.boolean().nullable().default(null),
+  enableRateLimiting: z2.boolean().nullable().default(null),
+  emergencyMode: z2.boolean().default(false),
+  emergencyWhitelist: z2.array(z2.string()).default([])
+});
+
+// src/models/logger.ts
+var defaultLogger = {
+  info: (msg, ...args) => console.info(`[guard-core] ${msg}`, ...args),
+  warn: (msg, ...args) => console.warn(`[guard-core] ${msg}`, ...args),
+  error: (msg, ...args) => console.error(`[guard-core] ${msg}`, ...args),
+  debug: (msg, ...args) => console.debug(`[guard-core] ${msg}`, ...args)
+};
+
+// src/models/route-config.ts
+var RouteConfig = class {
+  rateLimit = null;
+  rateLimitWindow = null;
+  ipWhitelist = null;
+  ipBlacklist = null;
+  blockedCountries = null;
+  whitelistCountries = null;
+  bypassedChecks = /* @__PURE__ */ new Set();
+  requireHttps = false;
+  authRequired = null;
+  customValidators = [];
+  blockedUserAgents = [];
+  requiredHeaders = {};
+  behaviorRules = [];
+  blockCloudProviders = /* @__PURE__ */ new Set();
+  maxRequestSize = null;
+  allowedContentTypes = null;
+  timeRestrictions = null;
+  enableSuspiciousDetection = true;
+  requireReferrer = null;
+  apiKeyRequired = false;
+  sessionLimits = null;
+  geoRateLimits = null;
+};
+
+// src/core/events/event-bus.ts
+var SecurityEventBus = class {
+  constructor(agentHandler, config, logger, geoIpHandler = null) {
+    this.agentHandler = agentHandler;
+    this.config = config;
+    this.logger = logger;
+    this.geoIpHandler = geoIpHandler;
+  }
+  async sendMiddlewareEvent(eventType, request, actionTaken, reason, metadata) {
+    if (!this.agentHandler || !this.config.agentEnableEvents) return;
+    try {
+      const clientIp = request.clientHost ?? "unknown";
+      let country = null;
+      if (this.geoIpHandler) {
+        try {
+          country = this.geoIpHandler.getCountry(clientIp);
+        } catch {
+        }
+      }
+      await this.agentHandler.sendEvent({
+        timestamp: /* @__PURE__ */ new Date(),
+        eventType,
+        ipAddress: clientIp,
+        country,
+        userAgent: request.headers["user-agent"] ?? null,
+        actionTaken,
+        reason,
+        endpoint: request.urlPath,
+        method: request.method,
+        metadata: metadata ?? {}
+      });
+    } catch (e) {
+      this.logger.error(`Failed to send security event: ${e}`);
+    }
+  }
+  async sendHttpsViolationEvent(request, isRouteSpecific) {
+    const httpsUrl = request.urlReplaceScheme("https");
+    if (isRouteSpecific) {
+      await this.sendMiddlewareEvent(
+        "decorator_violation",
+        request,
+        "https_redirect",
+        "Route requires HTTPS but request was HTTP",
+        { decoratorType: "authentication", violationType: "require_https", redirectUrl: httpsUrl }
+      );
+    } else {
+      await this.sendMiddlewareEvent(
+        "https_enforced",
+        request,
+        "https_redirect",
+        "HTTP request redirected to HTTPS for security",
+        { originalScheme: request.urlScheme, redirectUrl: httpsUrl }
+      );
+    }
+  }
+  async sendCloudDetectionEvents(request, clientIp, providers, passiveMode) {
+    await this.sendMiddlewareEvent(
+      "cloud_detection",
+      request,
+      /* v8 ignore next -- V8 cannot track ternary branch coverage inside string template literal */
+      passiveMode ? "logged_only" : "request_blocked",
+      `Cloud provider IP ${clientIp} detected`,
+      { blockedProviders: providers }
+    );
+  }
+};
+
+// src/core/events/metrics.ts
+var MetricsCollector = class {
+  constructor(agentHandler, config, logger) {
+    this.agentHandler = agentHandler;
+    this.config = config;
+    this.logger = logger;
+  }
+  async sendMetric(metricType, value, tags) {
+    if (!this.agentHandler || !this.config.agentEnableMetrics) return;
+    try {
+      await this.agentHandler.sendMetric({
+        timestamp: /* @__PURE__ */ new Date(),
+        metricType,
+        value,
+        tags: tags ?? {}
+      });
+    } catch (e) {
+      this.logger.error(`Failed to send metric: ${e}`);
+    }
+  }
+  async collectRequestMetrics(request, responseTime, statusCode) {
+    if (!this.agentHandler || !this.config.agentEnableMetrics) return;
+    const endpoint = request.urlPath;
+    const method = request.method;
+    const tags = { endpoint, method, status: String(statusCode) };
+    await this.sendMetric("response_time", responseTime, tags);
+    await this.sendMetric("request_count", 1, { endpoint, method });
+    if (statusCode >= 400) {
+      await this.sendMetric("error_rate", 1, tags);
+    }
+  }
+};
+
+// src/handlers/behavior.ts
+var BehaviorTracker = class {
+  constructor(config, logger) {
+    this.config = config;
+    this.logger = logger;
+  }
+  usageCounts = /* @__PURE__ */ new Map();
+  returnPatterns = /* @__PURE__ */ new Map();
+  redisHandler = null;
+  agentHandler = null;
+  async initializeRedis(redisHandler) {
+    this.redisHandler = redisHandler;
+  }
+  async initializeAgent(agentHandler) {
+    this.agentHandler = agentHandler;
+  }
+  async trackEndpointUsage(endpointId, clientIp, rule) {
+    const now = Date.now() / 1e3;
+    const windowStart = now - rule.window;
+    if (!this.usageCounts.has(endpointId)) {
+      this.usageCounts.set(endpointId, /* @__PURE__ */ new Map());
+    }
+    const endpointMap = this.usageCounts.get(endpointId);
+    if (!endpointMap.has(clientIp)) {
+      endpointMap.set(clientIp, []);
+    }
+    const timestamps = endpointMap.get(clientIp);
+    const validIdx = timestamps.findIndex((t) => t > windowStart);
+    if (validIdx > 0) timestamps.splice(0, validIdx);
+    else if (validIdx === -1) timestamps.length = 0;
+    timestamps.push(now);
+    return timestamps.length > rule.threshold;
+  }
+  async trackReturnPattern(endpointId, clientIp, response, rule) {
+    if (!rule.pattern) return false;
+    const matched = this.checkResponsePattern(response, rule.pattern);
+    if (!matched) return false;
+    const now = Date.now() / 1e3;
+    const windowStart = now - rule.window;
+    const key = `${endpointId}:${rule.pattern}`;
+    if (!this.returnPatterns.has(key)) {
+      this.returnPatterns.set(key, /* @__PURE__ */ new Map());
+    }
+    const patternMap = this.returnPatterns.get(key);
+    if (!patternMap.has(clientIp)) {
+      patternMap.set(clientIp, []);
+    }
+    const timestamps = patternMap.get(clientIp);
+    const validIdx = timestamps.findIndex((t) => t > windowStart);
+    if (validIdx > 0) timestamps.splice(0, validIdx);
+    else if (validIdx === -1) timestamps.length = 0;
+    timestamps.push(now);
+    return timestamps.length > rule.threshold;
+  }
+  checkResponsePattern(response, pattern) {
+    if (pattern.startsWith("status:")) {
+      const code = parseInt(pattern.slice(7), 10);
+      return response.statusCode === code;
+    }
+    if (pattern.startsWith("regex:")) {
+      const re = new RegExp(pattern.slice(6), "i");
+      return response.bodyText ? re.test(response.bodyText) : false;
+    }
+    if (pattern.startsWith("json:")) {
+      if (!response.bodyText) return false;
+      try {
+        const data = JSON.parse(response.bodyText);
+        const path = pattern.slice(5);
+        const parts = path.split(".");
+        let current = data;
+        for (const part of parts) {
+          if (current === null || current === void 0) return false;
+          current = current[part];
+        }
+        return current !== void 0 && current !== null;
+      } catch {
+        return false;
+      }
+    }
+    return response.bodyText ? response.bodyText.includes(pattern) : false;
+  }
+  async applyAction(rule, clientIp, endpointId, details) {
+    if (this.config.passiveMode) {
+      this.logger.info(`[PASSIVE] Would ${rule.action} ${clientIp} for ${details}`);
+      return;
+    }
+    switch (rule.action) {
+      case "ban":
+        this.logger.warn(`Behavioral ban: ${clientIp} - ${details}`);
+        break;
+      case "log":
+        this.logger.info(`Behavioral log: ${clientIp} - ${details}`);
+        break;
+      case "throttle":
+        this.logger.info(`Behavioral throttle: ${clientIp} - ${details}`);
+        break;
+      case "alert":
+        this.logger.warn(`Behavioral alert: ${clientIp} - ${details}`);
+        break;
+    }
+    if (rule.customAction) {
+      try {
+        rule.customAction(rule.action, clientIp, endpointId, details);
+      } catch {
+      }
+    }
+    if (this.agentHandler) {
+      try {
+        await this.agentHandler.sendEvent({
+          eventType: "behavioral_action",
+          ipAddress: clientIp,
+          actionTaken: rule.action,
+          reason: details,
+          metadata: { endpointId, ruleType: rule.ruleType, threshold: rule.threshold }
+        });
+      } catch {
+      }
+    }
+  }
+  async reset() {
+    this.usageCounts.clear();
+    this.returnPatterns.clear();
+  }
+};
+
+// src/handlers/dynamic-rules.ts
+var DynamicRuleManager = class {
+  constructor(config, logger) {
+    this.config = config;
+    this.logger = logger;
+  }
+  currentRules = null;
+  updateTimer = null;
+  lastUpdate = 0;
+  agentHandler = null;
+  redisHandler = null;
+  async initializeAgent(agentHandler) {
+    this.agentHandler = agentHandler;
+    if (this.config.enableDynamicRules) {
+      this.startUpdateLoop();
+    }
+  }
+  async initializeRedis(redisHandler) {
+    this.redisHandler = redisHandler;
+  }
+  startUpdateLoop() {
+    if (this.updateTimer) return;
+    this.updateTimer = setInterval(
+      () => {
+        this.updateRules().catch((e) => this.logger.error(`Rule update failed: ${e}`));
+      },
+      this.config.dynamicRuleInterval * 1e3
+    );
+  }
+  async updateRules() {
+    if (!this.agentHandler) return;
+    try {
+      const rawRules = await this.agentHandler.getDynamicRules();
+      if (!rawRules) return;
+      const parsed = DynamicRulesSchema.safeParse(rawRules);
+      if (!parsed.success) {
+        this.logger.warn(`Invalid dynamic rules: ${parsed.error.message}`);
+        return;
+      }
+      const rules = parsed.data;
+      if (this.currentRules && this.currentRules.ruleId === rules.ruleId && this.currentRules.version >= rules.version) {
+        return;
+      }
+      this.currentRules = rules;
+      this.lastUpdate = Date.now() / 1e3;
+      this.logger.info(`Applied dynamic rules: ${rules.ruleId} v${rules.version}`);
+      if (this.agentHandler) {
+        try {
+          await this.agentHandler.sendEvent({
+            eventType: "dynamic_rule_applied",
+            ipAddress: "system",
+            actionTaken: "rules_updated",
+            reason: `Applied rules ${rules.ruleId} v${rules.version}`
+          });
+        } catch {
+        }
+      }
+    } catch (e) {
+      this.logger.error(`Failed to fetch dynamic rules: ${e}`);
+    }
+  }
+  getCurrentRules() {
+    return this.currentRules;
+  }
+  async forceUpdate() {
+    await this.updateRules();
+  }
+  async stop() {
+    if (this.updateTimer) {
+      clearInterval(this.updateTimer);
+      this.updateTimer = null;
+    }
+  }
+};
+
+// src/handlers/ip-ban.ts
+var IPBanManager = class {
+  constructor(logger) {
+    this.logger = logger;
+  }
+  bannedIps = /* @__PURE__ */ new Map();
+  redisHandler = null;
+  agentHandler = null;
+  maxSize = 1e4;
+  async initializeRedis(redisHandler) {
+    this.redisHandler = redisHandler;
+  }
+  async initializeAgent(agentHandler) {
+    this.agentHandler = agentHandler;
+  }
+  async banIp(ip, duration, reason) {
+    const now = Date.now() / 1e3;
+    const expiresAt = now + duration;
+    if (this.bannedIps.size >= this.maxSize) {
+      const oldestKey = this.bannedIps.keys().next().value;
+      if (oldestKey) this.bannedIps.delete(oldestKey);
+    }
+    this.bannedIps.set(ip, { expiresAt, reason, bannedAt: now });
+    if (this.redisHandler) {
+      await this.redisHandler.setKey("banned_ips", ip, String(expiresAt), duration);
+    }
+    if (this.agentHandler) {
+      try {
+        await this.agentHandler.sendEvent({
+          eventType: "ip_banned",
+          ipAddress: ip,
+          actionTaken: "ip_banned",
+          reason,
+          metadata: { duration, expiresAt }
+        });
+      } catch {
+      }
+    }
+    this.logger.info(`IP banned: ${ip} for ${duration}s - ${reason}`);
+  }
+  async isIpBanned(ip) {
+    const now = Date.now() / 1e3;
+    const entry = this.bannedIps.get(ip);
+    if (entry) {
+      if (now <= entry.expiresAt) return true;
+      this.bannedIps.delete(ip);
+    }
+    if (this.redisHandler) {
+      const expiryStr = await this.redisHandler.getKey("banned_ips", ip);
+      if (typeof expiryStr === "string") {
+        const expiresAt = parseFloat(expiryStr);
+        if (now <= expiresAt) {
+          this.bannedIps.set(ip, {
+            expiresAt,
+            reason: "restored_from_redis",
+            bannedAt: now
+          });
+          return true;
+        }
+        await this.redisHandler.delete("banned_ips", ip);
+      }
+    }
+    return false;
+  }
+  async unbanIp(ip) {
+    this.bannedIps.delete(ip);
+    if (this.redisHandler) {
+      await this.redisHandler.delete("banned_ips", ip);
+    }
+    if (this.agentHandler) {
+      try {
+        await this.agentHandler.sendEvent({
+          eventType: "ip_unbanned",
+          ipAddress: ip,
+          actionTaken: "ip_unbanned",
+          reason: "Manual unban"
+        });
+      } catch {
+      }
+    }
+    this.logger.info(`IP unbanned: ${ip}`);
+  }
+  async reset() {
+    this.bannedIps.clear();
+    if (this.redisHandler) {
+      await this.redisHandler.deletePattern("banned_ips:*");
+    }
+  }
+};
+
+// src/handlers/rate-limit.ts
+var RATE_LIMIT_SCRIPT = `
+local key = KEYS[1]
+local now = tonumber(ARGV[1])
+local window = tonumber(ARGV[2])
+local limit = tonumber(ARGV[3])
+local window_start = now - window
+
+redis.call('ZADD', key, now, now)
+redis.call('ZREMRANGEBYSCORE', key, 0, window_start)
+local count = redis.call('ZCARD', key)
+redis.call('EXPIRE', key, window * 2)
+
+return count
+`;
+var RateLimitManager = class {
+  constructor(logger) {
+    this.logger = logger;
+  }
+  requestTimestamps = /* @__PURE__ */ new Map();
+  redisHandler = null;
+  agentHandler = null;
+  rateLimitScriptSha = null;
+  async initializeRedis(redisHandler) {
+    this.redisHandler = redisHandler;
+    const client = redisHandler.getRawClient();
+    if (client) {
+      try {
+        this.rateLimitScriptSha = await client.script("load", RATE_LIMIT_SCRIPT);
+      } catch (e) {
+        this.logger.warn(`Failed to load rate limit Lua script: ${e}`);
+      }
+    }
+  }
+  async initializeAgent(agentHandler) {
+    this.agentHandler = agentHandler;
+  }
+  async checkRateLimit(request, clientIp, createErrorResponse, endpointPath = null, rateLimit = 10, rateLimitWindow = 60) {
+    const key = endpointPath ? `${clientIp}:${endpointPath}` : clientIp;
+    const now = Date.now() / 1e3;
+    let count = null;
+    if (this.redisHandler) {
+      count = await this.getRedisRequestCount(key, now, rateLimitWindow, rateLimit);
+    }
+    if (count === null) {
+      count = this.getInMemoryRequestCount(key, now, rateLimitWindow);
+    }
+    if (count > rateLimit) {
+      return this.handleRateLimitExceeded(
+        request,
+        clientIp,
+        count,
+        createErrorResponse,
+        rateLimitWindow
+      );
+    }
+    return null;
+  }
+  async getRedisRequestCount(key, now, window, _limit) {
+    const client = this.redisHandler?.getRawClient();
+    if (!client) return null;
+    const redisKey = `rate_limit:rate:${key}`;
+    const prefix = this.redisHandler["prefix"];
+    const fullKey = `${prefix}${redisKey}`;
+    try {
+      if (this.rateLimitScriptSha) {
+        const count2 = await client.evalsha(
+          this.rateLimitScriptSha,
+          1,
+          fullKey,
+          now,
+          window,
+          _limit
+        );
+        return Number(count2);
+      }
+      await client.zadd(fullKey, now, String(now));
+      await client.zremrangebyscore(fullKey, 0, now - window);
+      const count = await client.zcard(fullKey);
+      await client.eval('redis.call("EXPIRE", KEYS[1], ARGV[1])', 1, fullKey, window * 2);
+      return count;
+    } catch (e) {
+      this.logger.warn(`Redis rate limit check failed, falling back to in-memory: ${e}`);
+      return null;
+    }
+  }
+  getInMemoryRequestCount(key, now, window) {
+    let timestamps = this.requestTimestamps.get(key);
+    if (!timestamps) {
+      timestamps = [];
+      this.requestTimestamps.set(key, timestamps);
+    }
+    const windowStart = now - window;
+    const validIndex = timestamps.findIndex((t) => t > windowStart);
+    if (validIndex > 0) {
+      timestamps.splice(0, validIndex);
+    } else if (validIndex === -1) {
+      timestamps.length = 0;
+    }
+    timestamps.push(now);
+    return timestamps.length;
+  }
+  async handleRateLimitExceeded(request, clientIp, count, createErrorResponse, window) {
+    this.logger.warn(`Rate limit exceeded for ${clientIp}: ${count} requests`);
+    if (this.agentHandler) {
+      try {
+        await this.agentHandler.sendEvent({
+          eventType: "rate_limit_exceeded",
+          ipAddress: clientIp,
+          actionTaken: "request_blocked",
+          reason: `Rate limit exceeded: ${count} requests in ${window}s window`,
+          metadata: {
+            endpoint: request.urlPath,
+            method: request.method,
+            requestCount: count,
+            window
+          }
+        });
+      } catch {
+      }
+    }
+    return createErrorResponse(429, "Rate limit exceeded");
+  }
+  async reset() {
+    this.requestTimestamps.clear();
+    if (this.redisHandler) {
+      await this.redisHandler.deletePattern("rate_limit:rate:*");
+    }
+  }
+};
+
+// src/handlers/redis.ts
+var RedisManager = class {
+  constructor(config, logger) {
+    this.config = config;
+    this.logger = logger;
+    this.prefix = config.redisPrefix;
+  }
+  client = null;
+  closed = false;
+  agentHandler = null;
+  prefix;
+  async initialize() {
+    if (!this.config.enableRedis || this.closed) return;
+    try {
+      const { default: Redis } = await import("ioredis");
+      this.client = new Redis(this.config.redisUrl);
+      await this.client.ping();
+      this.logger.info("Redis connection established");
+    } catch (e) {
+      this.logger.error(`Redis connection failed: ${e}`);
+      this.client = null;
+    }
+  }
+  async close() {
+    this.closed = true;
+    if (this.client) {
+      try {
+        await this.client.quit();
+      } catch {
+      }
+      this.client = null;
+    }
+  }
+  async initializeAgent(agentHandler) {
+    this.agentHandler = agentHandler;
+  }
+  /* v8 ignore start -- getConnection returns pooled disposable; V8 cannot track inline Symbol.asyncDispose */
+  getConnection() {
+    const client = this.client;
+    return {
+      [Symbol.asyncDispose]: async () => {
+      },
+      get client() {
+        return client;
+      }
+    };
+  }
+  /* v8 ignore stop */
+  formatKey(namespace, key) {
+    return `${this.prefix}${namespace}:${key}`;
+  }
+  async getKey(namespace, key) {
+    if (!this.client) return null;
+    try {
+      return await this.client.get(this.formatKey(namespace, key));
+    } catch (e) {
+      this.logger.error(`Redis get failed: ${e}`);
+      return null;
+    }
+  }
+  async setKey(namespace, key, value, ttl) {
+    if (!this.client) return null;
+    try {
+      const fullKey = this.formatKey(namespace, key);
+      const strValue = typeof value === "string" ? value : JSON.stringify(value);
+      if (ttl && ttl > 0) {
+        await this.client.setex(fullKey, ttl, strValue);
+      } else {
+        await this.client.set(fullKey, strValue);
+      }
+      return true;
+    } catch (e) {
+      this.logger.error(`Redis set failed: ${e}`);
+      return null;
+    }
+  }
+  async incr(namespace, key, ttl) {
+    if (!this.client) return null;
+    try {
+      const fullKey = this.formatKey(namespace, key);
+      const count = await this.client.incr(fullKey);
+      if (ttl && ttl > 0) {
+        await this.client.expire(fullKey, ttl);
+      }
+      return count;
+    } catch (e) {
+      this.logger.error(`Redis incr failed: ${e}`);
+      return null;
+    }
+  }
+  async exists(namespace, key) {
+    if (!this.client) return null;
+    try {
+      const result = await this.client.exists(this.formatKey(namespace, key));
+      return result > 0;
+    } catch (e) {
+      this.logger.error(`Redis exists failed: ${e}`);
+      return null;
+    }
+  }
+  async delete(namespace, key) {
+    if (!this.client) return null;
+    try {
+      return await this.client.del(this.formatKey(namespace, key));
+    } catch (e) {
+      this.logger.error(`Redis delete failed: ${e}`);
+      return null;
+    }
+  }
+  async keys(pattern) {
+    if (!this.client) return null;
+    try {
+      return await this.client.keys(`${this.prefix}${pattern}`);
+    } catch (e) {
+      this.logger.error(`Redis keys failed: ${e}`);
+      return null;
+    }
+  }
+  async deletePattern(pattern) {
+    if (!this.client) return null;
+    try {
+      const matchedKeys = await this.client.keys(`${this.prefix}${pattern}`);
+      if (matchedKeys.length === 0) return 0;
+      return await this.client.del(...matchedKeys);
+    } catch (e) {
+      this.logger.error(`Redis deletePattern failed: ${e}`);
+      return null;
+    }
+  }
+  getRawClient() {
+    return this.client;
+  }
+};
+
+// src/handlers/security-headers.ts
+var DEFAULT_HEADERS = {
+  "X-Content-Type-Options": "nosniff",
+  "X-Frame-Options": "SAMEORIGIN",
+  "X-XSS-Protection": "1; mode=block",
+  "Referrer-Policy": "strict-origin-when-cross-origin",
+  "Permissions-Policy": "geolocation=(), microphone=(), camera=()",
+  "X-Permitted-Cross-Domain-Policies": "none",
+  "X-Download-Options": "noopen",
+  "Cross-Origin-Embedder-Policy": "require-corp",
+  "Cross-Origin-Opener-Policy": "same-origin",
+  "Cross-Origin-Resource-Policy": "same-origin"
+};
+var MAX_HEADER_VALUE_LENGTH = 8192;
+function validateHeaderValue(value) {
+  if (value.includes("\r") || value.includes("\n")) {
+    throw new Error("Header value must not contain CR or LF characters");
+  }
+  if (value.length > MAX_HEADER_VALUE_LENGTH) {
+    throw new Error(`Header value exceeds maximum length of ${MAX_HEADER_VALUE_LENGTH}`);
+  }
+  return value.replace(/[\x00-\x08\x0b\x0c\x0e-\x1f]/g, "");
+}
+function generateCacheKey(requestPath) {
+  const normalized = requestPath.toLowerCase().replace(/\/+$/, "");
+  let hash = 0;
+  for (let i = 0; i < normalized.length; i++) {
+    hash = (hash << 5) - hash + normalized.charCodeAt(i);
+    hash |= 0;
+  }
+  return String(Math.abs(hash)).padStart(16, "0").slice(0, 16);
+}
+var SecurityHeadersManager = class {
+  constructor(logger) {
+    this.logger = logger;
+  }
+  headersCache = /* @__PURE__ */ new Map();
+  defaultHeaders = { ...DEFAULT_HEADERS };
+  customHeaders = {};
+  cspConfig = null;
+  hstsConfig = null;
+  corsConfig = null;
+  redisHandler = null;
+  agentHandler = null;
+  cacheMaxSize = 1e3;
+  cacheTtlMs = 3e5;
+  cacheTimestamps = /* @__PURE__ */ new Map();
+  async initializeRedis(redisHandler) {
+    this.redisHandler = redisHandler;
+    await this.loadCachedConfig();
+  }
+  /* v8 ignore start -- initializeAgent assignment; tested via handler tests but V8 misses when called from mock */
+  async initializeAgent(agentHandler) {
+    this.agentHandler = agentHandler;
+  }
+  /* v8 ignore stop */
+  async loadCachedConfig() {
+    if (!this.redisHandler) return;
+    const cspJson = await this.redisHandler.getKey("security_headers", "csp_config");
+    if (typeof cspJson === "string") {
+      try {
+        this.cspConfig = JSON.parse(cspJson);
+      } catch {
+      }
+    }
+    const hstsJson = await this.redisHandler.getKey("security_headers", "hsts_config");
+    if (typeof hstsJson === "string") {
+      try {
+        this.hstsConfig = JSON.parse(hstsJson);
+      } catch {
+      }
+    }
+    const customJson = await this.redisHandler.getKey("security_headers", "custom_headers");
+    if (typeof customJson === "string") {
+      try {
+        this.customHeaders = JSON.parse(customJson);
+      } catch {
+      }
+    }
+  }
+  configure(options) {
+    if (options.enabled === false) {
+      this.defaultHeaders = {};
+      return;
+    }
+    if (options.csp) this.cspConfig = options.csp;
+    if (options.hstsMaxAge !== void 0) {
+      this.hstsConfig = {
+        maxAge: options.hstsMaxAge,
+        includeSubdomains: options.hstsIncludeSubdomains ?? true,
+        preload: options.hstsPreload ?? false
+      };
+    }
+    if (options.frameOptions) this.defaultHeaders["X-Frame-Options"] = validateHeaderValue(options.frameOptions);
+    if (options.contentTypeOptions) this.defaultHeaders["X-Content-Type-Options"] = validateHeaderValue(options.contentTypeOptions);
+    if (options.xssProtection) this.defaultHeaders["X-XSS-Protection"] = validateHeaderValue(options.xssProtection);
+    if (options.referrerPolicy) this.defaultHeaders["Referrer-Policy"] = validateHeaderValue(options.referrerPolicy);
+    if (options.permissionsPolicy) this.defaultHeaders["Permissions-Policy"] = validateHeaderValue(options.permissionsPolicy);
+    if (options.customHeaders) {
+      for (const [key, value] of Object.entries(options.customHeaders)) {
+        this.customHeaders[key] = validateHeaderValue(value);
+      }
+    }
+    if (options.corsOrigins) {
+      this.corsConfig = {
+        origins: options.corsOrigins,
+        allowCredentials: options.corsAllowCredentials ?? false,
+        allowMethods: options.corsAllowMethods ?? ["GET", "POST", "PUT", "DELETE", "OPTIONS"],
+        allowHeaders: options.corsAllowHeaders ?? ["*"]
+      };
+    }
+    this.cacheConfiguration();
+  }
+  async cacheConfiguration() {
+    if (!this.redisHandler) return;
+    const ttl = 86400;
+    if (this.cspConfig) await this.redisHandler.setKey("security_headers", "csp_config", JSON.stringify(this.cspConfig), ttl);
+    if (this.hstsConfig) await this.redisHandler.setKey("security_headers", "hsts_config", JSON.stringify(this.hstsConfig), ttl);
+    if (Object.keys(this.customHeaders).length > 0) {
+      await this.redisHandler.setKey("security_headers", "custom_headers", JSON.stringify(this.customHeaders), ttl);
+    }
+  }
+  buildCsp() {
+    if (!this.cspConfig) return null;
+    return Object.entries(this.cspConfig).map(([directive, values]) => `${directive} ${values.join(" ")}`).join("; ");
+  }
+  buildHsts() {
+    if (!this.hstsConfig) return null;
+    let header = `max-age=${this.hstsConfig.maxAge}`;
+    if (this.hstsConfig.includeSubdomains) header += "; includeSubDomains";
+    if (this.hstsConfig.preload) header += "; preload";
+    return header;
+  }
+  async getHeaders(requestPath) {
+    const cacheKey = generateCacheKey(requestPath);
+    const now = Date.now();
+    const cachedTimestamp = this.cacheTimestamps.get(cacheKey);
+    if (cachedTimestamp && now - cachedTimestamp < this.cacheTtlMs) {
+      const cached = this.headersCache.get(cacheKey);
+      if (cached) return { ...cached };
+    }
+    const headers = { ...this.defaultHeaders };
+    const csp = this.buildCsp();
+    if (csp) headers["Content-Security-Policy"] = csp;
+    const hsts = this.buildHsts();
+    if (hsts) headers["Strict-Transport-Security"] = hsts;
+    for (const [key, value] of Object.entries(this.customHeaders)) {
+      headers[key] = value;
+    }
+    if (this.headersCache.size >= this.cacheMaxSize) {
+      const oldestKey = this.headersCache.keys().next().value;
+      if (oldestKey) {
+        this.headersCache.delete(oldestKey);
+        this.cacheTimestamps.delete(oldestKey);
+      }
+    }
+    this.headersCache.set(cacheKey, headers);
+    this.cacheTimestamps.set(cacheKey, now);
+    return { ...headers };
+  }
+  getCorsHeaders(origin) {
+    if (!this.corsConfig) return {};
+    const isAllowed = this.corsConfig.origins.includes("*") || this.corsConfig.origins.includes(origin);
+    if (!isAllowed) return {};
+    const headers = {
+      "Access-Control-Allow-Origin": this.corsConfig.origins.includes("*") ? "*" : origin,
+      "Access-Control-Allow-Methods": this.corsConfig.allowMethods.join(", "),
+      "Access-Control-Allow-Headers": this.corsConfig.allowHeaders.join(", ")
+    };
+    if (this.corsConfig.allowCredentials) {
+      headers["Access-Control-Allow-Credentials"] = "true";
+    }
+    return headers;
+  }
+  async reset() {
+    this.headersCache.clear();
+    this.cacheTimestamps.clear();
+    this.defaultHeaders = { ...DEFAULT_HEADERS };
+    this.customHeaders = {};
+    this.cspConfig = null;
+    this.hstsConfig = null;
+    this.corsConfig = null;
+    if (this.redisHandler) {
+      await this.redisHandler.deletePattern("security_headers:*");
+    }
+  }
+};
+
+// src/core/initialization/handler-initializer.ts
+var HandlerInitializer = class {
+  constructor(config, logger, agentHandler = null, geoIpHandler = null, guardDecorator = null) {
+    this.config = config;
+    this.logger = logger;
+    this.agentHandler = agentHandler;
+    this.geoIpHandler = geoIpHandler;
+    this.guardDecorator = guardDecorator;
+  }
+  async initialize() {
+    const ipBanHandler = new IPBanManager(this.logger);
+    const rateLimitHandler = new RateLimitManager(this.logger);
+    const cloudHandler = new CloudHandler(this.logger);
+    const susPatternsHandler = new SusPatternsManager(this.config, this.logger);
+    const securityHeadersHandler = new SecurityHeadersManager(this.logger);
+    const behaviorTracker = new BehaviorTracker(this.config, this.logger);
+    const dynamicRuleHandler = new DynamicRuleManager(this.config, this.logger);
+    let redisHandler = null;
+    if (this.config.enableRedis) {
+      try {
+        redisHandler = new RedisManager(this.config, this.logger);
+        await redisHandler.initialize();
+        await ipBanHandler.initializeRedis(redisHandler);
+        await rateLimitHandler.initializeRedis(redisHandler);
+        await susPatternsHandler.initializeRedis(redisHandler);
+        await securityHeadersHandler.initializeRedis(redisHandler);
+        await behaviorTracker.initializeRedis(redisHandler);
+        await dynamicRuleHandler.initializeRedis(redisHandler);
+        if (this.config.blockCloudProviders.size > 0) {
+          await cloudHandler.initializeRedis(
+            redisHandler,
+            this.config.blockCloudProviders,
+            this.config.cloudIpRefreshInterval
+          );
+        }
+        if (this.geoIpHandler) {
+          await this.geoIpHandler.initializeRedis(redisHandler);
+        }
+      } catch (e) {
+        this.logger.warn(`Redis initialization failed, falling back to in-memory: ${e}`);
+        redisHandler = null;
+      }
+    }
+    if (this.geoIpHandler && !this.geoIpHandler.isInitialized) {
+      await this.geoIpHandler.initialize();
+    }
+    if (this.agentHandler) {
+      await this.initializeAgentIntegrations(
+        ipBanHandler,
+        rateLimitHandler,
+        cloudHandler,
+        susPatternsHandler,
+        dynamicRuleHandler,
+        redisHandler
+      );
+    }
+    this.configureSecurityHeaders(securityHeadersHandler);
+    return {
+      redisHandler,
+      ipBanHandler,
+      rateLimitHandler,
+      cloudHandler,
+      susPatternsHandler,
+      securityHeadersHandler,
+      behaviorTracker,
+      dynamicRuleHandler,
+      geoIpHandler: this.geoIpHandler
+    };
+  }
+  async initializeAgentIntegrations(ipBanHandler, rateLimitHandler, cloudHandler, susPatternsHandler, dynamicRuleHandler, redisHandler) {
+    if (!this.agentHandler) return;
+    await this.agentHandler.start();
+    if (redisHandler) {
+      await this.agentHandler.initializeRedis(redisHandler);
+      await redisHandler.initializeAgent(this.agentHandler);
+    }
+    await ipBanHandler.initializeAgent(this.agentHandler);
+    await rateLimitHandler.initializeAgent(this.agentHandler);
+    await susPatternsHandler.initializeAgent(this.agentHandler);
+    if (this.config.blockCloudProviders.size > 0) {
+      await cloudHandler.initializeAgent(this.agentHandler);
+    }
+    if (this.geoIpHandler) {
+      await this.geoIpHandler.initializeAgent(this.agentHandler);
+    }
+    if (this.config.enableDynamicRules) {
+      await dynamicRuleHandler.initializeAgent(this.agentHandler);
+    }
+    if (this.guardDecorator && typeof this.guardDecorator["initializeAgent"] === "function") {
+      await this.guardDecorator.initializeAgent(this.agentHandler);
+    }
+  }
+  configureSecurityHeaders(manager) {
+    const headers = this.config.securityHeaders;
+    if (!headers) return;
+    manager.configure({
+      enabled: headers.enabled,
+      csp: headers.csp,
+      hstsMaxAge: headers.hsts?.maxAge,
+      hstsIncludeSubdomains: headers.hsts?.includeSubdomains,
+      hstsPreload: headers.hsts?.preload,
+      frameOptions: headers.frameOptions,
+      contentTypeOptions: headers.contentTypeOptions,
+      xssProtection: headers.xssProtection,
+      referrerPolicy: headers.referrerPolicy,
+      permissionsPolicy: headers.permissionsPolicy,
+      customHeaders: headers.custom ?? void 0,
+      corsOrigins: this.config.enableCors ? this.config.corsAllowOrigins : void 0,
+      corsAllowCredentials: this.config.corsAllowCredentials,
+      corsAllowMethods: this.config.corsAllowMethods,
+      corsAllowHeaders: this.config.corsAllowHeaders
+    });
+  }
+};
+
+// src/core/validation/validator.ts
+import * as ipaddr2 from "ipaddr.js";
+var RequestValidator = class {
+  constructor(config, logger, eventBus) {
+    this.config = config;
+    this.logger = logger;
+    this.eventBus = eventBus;
+  }
+  isRequestHttps(request) {
+    let isHttps = request.urlScheme === "https";
+    if (this.config.trustXForwardedProto && this.config.trustedProxies.length > 0 && request.clientHost) {
+      if (this.isTrustedProxy(request.clientHost)) {
+        const forwardedProto = request.headers["x-forwarded-proto"] ?? "";
+        isHttps = isHttps || forwardedProto.toLowerCase() === "https";
+      }
+    }
+    return isHttps;
+  }
+  isTrustedProxy(connectingIp) {
+    for (const proxy of this.config.trustedProxies) {
+      if (!proxy.includes("/")) {
+        if (connectingIp === proxy) return true;
+      } else {
+        try {
+          const parsed = ipaddr2.parse(connectingIp);
+          const [addr, prefixLen] = ipaddr2.parseCIDR(proxy);
+          if (parsed.kind() === addr.kind() && parsed.match([addr, prefixLen])) return true;
+        } catch {
+          continue;
+        }
+      }
+    }
+    return false;
+  }
+  async checkTimeWindow(timeRestrictions) {
+    try {
+      const { start, end } = timeRestrictions;
+      const now = /* @__PURE__ */ new Date();
+      const currentTime = now.toISOString().slice(11, 16);
+      if (start > end) {
+        return currentTime >= start || currentTime <= end;
+      }
+      return currentTime >= start && currentTime <= end;
+    } catch (e) {
+      this.logger.error(`Error checking time window: ${e}`);
+      return true;
+    }
+  }
+  async isPathExcluded(request) {
+    const excluded = this.config.excludePaths.some(
+      (path) => request.urlPath.startsWith(path)
+    );
+    if (excluded) {
+      await this.eventBus.sendMiddlewareEvent(
+        "path_excluded",
+        request,
+        "security_checks_bypassed",
+        `Path ${request.urlPath} excluded from security checks`,
+        { excludedPath: request.urlPath, configuredExclusions: this.config.excludePaths }
+      );
+    }
+    return excluded;
+  }
+};
+
+// src/core/routing/resolver.ts
+var RouteConfigResolver = class {
+  constructor(config) {
+    this.config = config;
+  }
+  guardDecorator = null;
+  setGuardDecorator(decorator) {
+    this.guardDecorator = decorator;
+  }
+  getRouteConfig(request) {
+    const decorator = this.guardDecorator ?? request.state.guardDecorator;
+    if (!decorator) return null;
+    const routeId = request.state.guardRouteId;
+    if (!routeId) return null;
+    const getConfig = decorator.getRouteConfig;
+    if (typeof getConfig !== "function") return null;
+    return getConfig.call(decorator, routeId) ?? null;
+  }
+  shouldBypassCheck(checkName, routeConfig) {
+    if (!routeConfig) return false;
+    return routeConfig.bypassedChecks.has(checkName) || routeConfig.bypassedChecks.has("all");
+  }
+  getCloudProvidersToCheck(routeConfig) {
+    if (routeConfig && routeConfig.blockCloudProviders.size > 0) {
+      return [...routeConfig.blockCloudProviders];
+    }
+    if (this.config.blockCloudProviders.size > 0) {
+      return [...this.config.blockCloudProviders];
+    }
+    return null;
+  }
+};
+
+// src/core/bypass/handler.ts
+var BypassHandler = class {
+  constructor(config, eventBus, routeResolver, responseFactory, validator) {
+    this.config = config;
+    this.eventBus = eventBus;
+    this.routeResolver = routeResolver;
+    this.responseFactory = responseFactory;
+    this.validator = validator;
+  }
+  async handlePassthrough(request, callNext) {
+    if (!request.clientHost) {
+      const response = await callNext(request);
+      return this.responseFactory.applyModifier(response);
+    }
+    if (await this.validator.isPathExcluded(request)) {
+      const response = await callNext(request);
+      return this.responseFactory.applyModifier(response);
+    }
+    return null;
+  }
+  async handleSecurityBypass(request, callNext, routeConfig) {
+    if (!routeConfig || !this.routeResolver.shouldBypassCheck("all", routeConfig)) {
+      return null;
+    }
+    await this.eventBus.sendMiddlewareEvent(
+      "security_bypass",
+      request,
+      "all_checks_bypassed",
+      "Route configured to bypass all security checks",
+      { bypassedChecks: [...routeConfig.bypassedChecks], endpoint: request.urlPath }
+    );
+    if (!this.config.passiveMode) {
+      const response = await callNext(request);
+      return this.responseFactory.applyModifier(response);
+    }
+    return null;
+  }
+};
+
+// src/core/responses/factory.ts
+var ErrorResponseFactory = class {
+  constructor(config, logger, metricsCollector, guardResponseFactory, securityHeadersManager, agentHandler = null) {
+    this.config = config;
+    this.logger = logger;
+    this.metricsCollector = metricsCollector;
+    this.guardResponseFactory = guardResponseFactory;
+    this.securityHeadersManager = securityHeadersManager;
+    this.agentHandler = agentHandler;
+  }
+  async createErrorResponse(statusCode, defaultMessage) {
+    const message = this.config.customErrorResponses[statusCode] ?? defaultMessage;
+    const response = this.guardResponseFactory.createResponse(message, statusCode);
+    await this.applySecurityHeaders(response, void 0);
+    return this.applyModifier(response);
+  }
+  async createHttpsRedirect(request) {
+    const httpsUrl = request.urlReplaceScheme("https");
+    const response = this.guardResponseFactory.createRedirectResponse(httpsUrl, 301);
+    return this.applyModifier(response);
+  }
+  async applySecurityHeaders(response, requestPath) {
+    const headersConfig = this.config.securityHeaders;
+    if (headersConfig && headersConfig.enabled) {
+      const securityHeaders = await this.securityHeadersManager.getHeaders(requestPath ?? "/");
+      for (const [name, value] of Object.entries(securityHeaders)) {
+        response.setHeader(name, value);
+      }
+    }
+    return response;
+  }
+  async applyCorsHeaders(response, origin) {
+    const corsHeaders = this.securityHeadersManager.getCorsHeaders(origin);
+    for (const [name, value] of Object.entries(corsHeaders)) {
+      response.setHeader(name, value);
+    }
+    return response;
+  }
+  async applyModifier(response) {
+    if (this.config.customResponseModifier) {
+      return this.config.customResponseModifier(response);
+    }
+    return response;
+  }
+  async processResponse(request, response, responseTime, routeConfig, processBehavioralRules) {
+    if (routeConfig && routeConfig.behaviorRules.length > 0 && processBehavioralRules) {
+      const clientIp = request.clientHost ?? "unknown";
+      await processBehavioralRules(request, response, clientIp, routeConfig);
+    }
+    await this.metricsCollector.collectRequestMetrics(request, responseTime, response.statusCode);
+    await this.applySecurityHeaders(response, request.urlPath);
+    const origin = request.headers["origin"];
+    if (origin) {
+      await this.applyCorsHeaders(response, origin);
+    }
+    return this.applyModifier(response);
+  }
+};
+
+// src/core/behavioral/processor.ts
+var BehavioralProcessor = class {
+  constructor(logger, eventBus) {
+    this.logger = logger;
+    this.eventBus = eventBus;
+  }
+  guardDecorator = null;
+  setGuardDecorator(decorator) {
+    this.guardDecorator = decorator;
+  }
+  async processUsageRules(request, clientIp, routeConfig) {
+    if (!this.guardDecorator) return;
+    const endpointId = this.getEndpointId(request);
+    const tracker = this.guardDecorator.behaviorTracker;
+    for (const rule of routeConfig.behaviorRules) {
+      if (rule.ruleType === "usage" || rule.ruleType === "frequency") {
+        const exceeded = await tracker.trackEndpointUsage(endpointId, clientIp, rule);
+        if (exceeded) {
+          const details = `${rule.threshold} calls in ${rule.window}s`;
+          await this.eventBus.sendMiddlewareEvent(
+            "decorator_violation",
+            request,
+            "behavioral_action_triggered",
+            `Behavioral ${rule.ruleType} threshold exceeded: ${details}`,
+            {
+              decoratorType: "behavioral",
+              violationType: rule.ruleType,
+              threshold: rule.threshold,
+              window: rule.window,
+              action: rule.action,
+              endpointId
+            }
+          );
+          await tracker.applyAction(rule, clientIp, endpointId, `Usage threshold exceeded: ${details}`);
+        }
+      }
+    }
+  }
+  async processReturnRules(request, response, clientIp, routeConfig) {
+    if (!this.guardDecorator) return;
+    const endpointId = this.getEndpointId(request);
+    const tracker = this.guardDecorator.behaviorTracker;
+    for (const rule of routeConfig.behaviorRules) {
+      if (rule.ruleType === "return_pattern") {
+        const detected = await tracker.trackReturnPattern(endpointId, clientIp, response, rule);
+        if (detected) {
+          const details = `${rule.threshold} for '${rule.pattern}' in ${rule.window}s`;
+          await this.eventBus.sendMiddlewareEvent(
+            "decorator_violation",
+            request,
+            "behavioral_action_triggered",
+            `Return pattern threshold exceeded: ${details}`,
+            {
+              decoratorType: "behavioral",
+              violationType: "return_pattern",
+              threshold: rule.threshold,
+              window: rule.window,
+              pattern: rule.pattern,
+              action: rule.action,
+              endpointId
+            }
+          );
+          await tracker.applyAction(rule, clientIp, endpointId, `Return pattern threshold exceeded: ${details}`);
+        }
+      }
+    }
+  }
+  getEndpointId(request) {
+    const endpointId = request.state.guardEndpointId;
+    if (typeof endpointId === "string") return endpointId;
+    return `${request.method}:${request.urlPath}`;
+  }
+};
+
+// src/core/checks/pipeline.ts
+var SecurityCheckPipeline = class {
+  constructor(checks, logger) {
+    this.checks = checks;
+    this.logger = logger;
+  }
+  async execute(request) {
+    for (const check of this.checks) {
+      try {
+        const response = await check.check(request);
+        if (response !== null) return response;
+      } catch (e) {
+        this.logger.error(`Security check '${check.checkName}' failed: ${e}`);
+      }
+    }
+    return null;
+  }
+  add(check) {
+    this.checks.push(check);
+  }
+  insert(index, check) {
+    this.checks.splice(index, 0, check);
+  }
+  remove(name) {
+    const idx = this.checks.findIndex((c) => c.checkName === name);
+    if (idx === -1) return false;
+    this.checks.splice(idx, 1);
+    return true;
+  }
+  getCheckNames() {
+    return this.checks.map((c) => c.checkName);
+  }
+  get length() {
+    return this.checks.length;
+  }
+};
+
+// src/core/checks/base.ts
+var SecurityCheck = class {
+  constructor(middleware) {
+    this.middleware = middleware;
+  }
+  get config() {
+    return this.middleware.config;
+  }
+  get logger() {
+    return this.middleware.logger;
+  }
+  async sendEvent(type, request, action, reason, meta) {
+    const eventBus = this.middleware.eventBus;
+    await eventBus.sendMiddlewareEvent(type, request, action, reason, meta);
+  }
+  async createErrorResponse(statusCode, message) {
+    return this.middleware.createErrorResponse(statusCode, message);
+  }
+  isPassiveMode() {
+    return this.config.passiveMode;
+  }
+};
+
+// src/core/checks/implementations/route-config.ts
+var RouteConfigCheck = class extends SecurityCheck {
+  get checkName() {
+    return "route_config";
+  }
+  async check(request) {
+    const routeResolver = this.middleware.routeResolver;
+    const routeConfig = routeResolver.getRouteConfig(request);
+    if (routeConfig) {
+      request.state["_routeConfig"] = routeConfig;
+    }
+    return null;
+  }
+};
+
+// src/core/checks/implementations/emergency-mode.ts
+var EmergencyModeCheck = class extends SecurityCheck {
+  get checkName() {
+    return "emergency_mode";
+  }
+  async check(request) {
+    if (!this.config.emergencyMode) return null;
+    const clientIp = request.clientHost ?? "";
+    if (this.config.emergencyWhitelist.includes(clientIp)) return null;
+    await this.sendEvent("emergency_mode", request, "request_blocked", "Emergency mode active");
+    return this.createErrorResponse(503, "Service temporarily unavailable");
+  }
+};
+
+// src/core/checks/implementations/https-enforcement.ts
+var HttpsEnforcementCheck = class extends SecurityCheck {
+  validator;
+  responseFactory;
+  constructor(middleware, validator, responseFactory) {
+    super(middleware);
+    this.validator = validator;
+    this.responseFactory = responseFactory;
+  }
+  get checkName() {
+    return "https_enforcement";
+  }
+  async check(request) {
+    if (!this.config.enforceHttps) return null;
+    if (this.validator.isRequestHttps(request)) return null;
+    if (this.isPassiveMode()) {
+      this.logger.info(`[PASSIVE] Would redirect to HTTPS: ${request.urlPath}`);
+      return null;
+    }
+    return this.responseFactory.createHttpsRedirect(request);
+  }
+};
+
+// src/core/checks/implementations/request-logging.ts
+var RequestLoggingCheck = class extends SecurityCheck {
+  get checkName() {
+    return "request_logging";
+  }
+  async check(request) {
+    if (this.config.logRequestLevel) {
+      logActivity(request, this.logger, "request", "", false, "", this.config.logRequestLevel);
+      await this.sendEvent("request_logged", request, "logged", "Request logged");
+    }
+    return null;
+  }
+};
+
+// src/core/checks/implementations/request-size-content.ts
+var RequestSizeContentCheck = class extends SecurityCheck {
+  get checkName() {
+    return "request_size_content";
+  }
+  async check(request) {
+    const routeConfig = request.state["_routeConfig"];
+    if (!routeConfig) return null;
+    if (routeConfig.maxRequestSize !== null) {
+      const contentLength = parseInt(request.headers["content-length"] ?? "0", 10);
+      if (contentLength > routeConfig.maxRequestSize) {
+        if (this.isPassiveMode()) {
+          this.logger.info(`[PASSIVE] Request too large: ${contentLength} > ${routeConfig.maxRequestSize}`);
+          return null;
+        }
+        return this.createErrorResponse(413, "Request entity too large");
+      }
+    }
+    if (routeConfig.allowedContentTypes !== null) {
+      const contentType = request.headers["content-type"] ?? "";
+      if (contentType && !routeConfig.allowedContentTypes.some((t) => contentType.includes(t))) {
+        if (this.isPassiveMode()) {
+          this.logger.info(`[PASSIVE] Invalid content type: ${contentType}`);
+          return null;
+        }
+        return this.createErrorResponse(415, "Unsupported media type");
+      }
+    }
+    return null;
+  }
+};
+
+// src/core/checks/implementations/required-headers.ts
+var RequiredHeadersCheck = class extends SecurityCheck {
+  get checkName() {
+    return "required_headers";
+  }
+  async check(request) {
+    const routeConfig = request.state["_routeConfig"];
+    if (!routeConfig || Object.keys(routeConfig.requiredHeaders).length === 0) return null;
+    for (const [headerName, expectedValue] of Object.entries(routeConfig.requiredHeaders)) {
+      const actualValue = request.headers[headerName.toLowerCase()];
+      if (!actualValue || expectedValue && actualValue !== expectedValue) {
+        if (this.isPassiveMode()) {
+          this.logger.info(`[PASSIVE] Missing required header: ${headerName}`);
+          return null;
+        }
+        return this.createErrorResponse(400, `Missing or invalid required header: ${headerName}`);
+      }
+    }
+    return null;
+  }
+};
+
+// src/core/checks/helpers.ts
+import * as ipaddr3 from "ipaddr.js";
+function isIpInBlacklist(clientIp, blacklist) {
+  for (const blocked of blacklist) {
+    if (blocked.includes("/")) {
+      try {
+        const parsed = ipaddr3.parse(clientIp);
+        const [addr, prefixLen] = ipaddr3.parseCIDR(blocked);
+        if (parsed.kind() === addr.kind() && parsed.match([addr, prefixLen])) return true;
+      } catch {
+        continue;
+      }
+    } else if (clientIp === blocked) {
+      return true;
+    }
+  }
+  return false;
+}
+function isIpInWhitelist(clientIp, whitelist) {
+  if (whitelist.length === 0) return null;
+  for (const allowed of whitelist) {
+    if (allowed.includes("/")) {
+      try {
+        const parsed = ipaddr3.parse(clientIp);
+        const [addr, prefixLen] = ipaddr3.parseCIDR(allowed);
+        if (parsed.kind() === addr.kind() && parsed.match([addr, prefixLen])) return true;
+      } catch {
+        continue;
+      }
+    } else if (clientIp === allowed) {
+      return true;
+    }
+  }
+  return false;
+}
+function checkCountryAccess(clientIp, routeConfig, geoIpHandler) {
+  if (!geoIpHandler) return null;
+  let country = null;
+  if (routeConfig.blockedCountries && routeConfig.blockedCountries.length > 0) {
+    country = geoIpHandler.getCountry(clientIp);
+    if (country && routeConfig.blockedCountries.includes(country)) return false;
+  }
+  if (routeConfig.whitelistCountries && routeConfig.whitelistCountries.length > 0) {
+    if (country === null) country = geoIpHandler.getCountry(clientIp);
+    if (country) return routeConfig.whitelistCountries.includes(country);
+    return false;
+  }
+  return null;
+}
+async function checkRouteIpAccess(clientIp, routeConfig, middleware) {
+  try {
+    if (routeConfig.ipBlacklist && routeConfig.ipBlacklist.length > 0) {
+      if (isIpInBlacklist(clientIp, routeConfig.ipBlacklist)) return false;
+    }
+    if (routeConfig.ipWhitelist && routeConfig.ipWhitelist.length > 0) {
+      const whitelistResult = isIpInWhitelist(clientIp, routeConfig.ipWhitelist);
+      if (whitelistResult !== null) return whitelistResult;
+    }
+    const countryResult = checkCountryAccess(clientIp, routeConfig, middleware.geoIpHandler);
+    if (countryResult !== null) return countryResult;
+    return null;
+  } catch {
+    return false;
+  }
+}
+async function checkUserAgentAllowed(userAgent, routeConfig, config) {
+  if (routeConfig && routeConfig.blockedUserAgents.length > 0) {
+    for (const pattern of routeConfig.blockedUserAgents) {
+      if (new RegExp(pattern, "i").test(userAgent)) return false;
+    }
+  }
+  for (const pattern of config.blockedUserAgents) {
+    if (new RegExp(pattern, "i").test(userAgent)) return false;
+  }
+  return true;
+}
+function validateAuthHeader(authHeader, authType) {
+  if (authType === "bearer") {
+    if (!authHeader.startsWith("Bearer ")) return [false, "Missing or invalid Bearer token"];
+  } else if (authType === "basic") {
+    if (!authHeader.startsWith("Basic ")) return [false, "Missing or invalid Basic authentication"];
+  } else {
+    if (!authHeader) return [false, `Missing ${authType} authentication`];
+  }
+  return [true, ""];
+}
+function isReferrerDomainAllowed(referrer, allowedDomains) {
+  try {
+    const url = new URL(referrer);
+    const referrerDomain = url.hostname.toLowerCase();
+    for (const allowed of allowedDomains) {
+      const lowerAllowed = allowed.toLowerCase();
+      if (referrerDomain === lowerAllowed || referrerDomain.endsWith(`.${lowerAllowed}`)) {
+        return true;
+      }
+    }
+    return false;
+  } catch {
+    return false;
+  }
+}
+async function detectPenetrationPatterns(request, routeConfig, config, shouldBypassCheckFn) {
+  let penetrationEnabled = config.enablePenetrationDetection;
+  let routeSpecificDetection = null;
+  if (routeConfig) {
+    routeSpecificDetection = routeConfig.enableSuspiciousDetection;
+    penetrationEnabled = routeSpecificDetection;
+  }
+  if (penetrationEnabled && !shouldBypassCheckFn("penetration", routeConfig)) {
+    const { detectPenetrationAttempt: detectPenetrationAttempt2 } = await import("./utils-5L6SNIYK.js");
+    return detectPenetrationAttempt2(request);
+  }
+  const reason = routeSpecificDetection === false && config.enablePenetrationDetection ? "disabled_by_decorator" : "not_enabled";
+  return [false, reason];
+}
+
+// src/core/checks/implementations/authentication.ts
+var AuthenticationCheck = class extends SecurityCheck {
+  get checkName() {
+    return "authentication";
+  }
+  async check(request) {
+    const routeConfig = request.state["_routeConfig"];
+    if (!routeConfig) return null;
+    if (routeConfig.authRequired) {
+      const authHeader = request.headers["authorization"] ?? "";
+      const [isValid2, message] = validateAuthHeader(authHeader, routeConfig.authRequired);
+      if (!isValid2) {
+        if (this.isPassiveMode()) {
+          this.logger.info(`[PASSIVE] Auth failed: ${message}`);
+          return null;
+        }
+        await this.sendEvent("authentication_failed", request, "request_blocked", message);
+        return this.createErrorResponse(401, message);
+      }
+    }
+    if (routeConfig.apiKeyRequired) {
+      const apiKey = request.headers["x-api-key"] ?? "";
+      if (!apiKey) {
+        if (this.isPassiveMode()) {
+          this.logger.info("[PASSIVE] Missing API key");
+          return null;
+        }
+        return this.createErrorResponse(401, "API key required");
+      }
+    }
+    return null;
+  }
+};
+
+// src/core/checks/implementations/referrer.ts
+var ReferrerCheck = class extends SecurityCheck {
+  get checkName() {
+    return "referrer";
+  }
+  async check(request) {
+    const routeConfig = request.state["_routeConfig"];
+    if (!routeConfig?.requireReferrer || routeConfig.requireReferrer.length === 0) return null;
+    const referrer = request.headers["referer"] ?? request.headers["referrer"] ?? "";
+    if (!referrer || !isReferrerDomainAllowed(referrer, routeConfig.requireReferrer)) {
+      if (this.isPassiveMode()) {
+        this.logger.info(`[PASSIVE] Invalid referrer: ${referrer}`);
+        return null;
+      }
+      return this.createErrorResponse(403, "Invalid referrer");
+    }
+    return null;
+  }
+};
+
+// src/core/checks/implementations/custom-validators.ts
+var CustomValidatorsCheck = class extends SecurityCheck {
+  get checkName() {
+    return "custom_validators";
+  }
+  async check(request) {
+    const routeConfig = request.state["_routeConfig"];
+    if (!routeConfig || routeConfig.customValidators.length === 0) return null;
+    for (const validator of routeConfig.customValidators) {
+      const response = await validator(request);
+      if (response !== null) return response;
+    }
+    return null;
+  }
+};
+
+// src/core/checks/implementations/time-window.ts
+var TimeWindowCheck = class extends SecurityCheck {
+  validator;
+  constructor(middleware, validator) {
+    super(middleware);
+    this.validator = validator;
+  }
+  get checkName() {
+    return "time_window";
+  }
+  async check(request) {
+    const routeConfig = request.state["_routeConfig"];
+    if (!routeConfig?.timeRestrictions) return null;
+    const withinWindow = await this.validator.checkTimeWindow(routeConfig.timeRestrictions);
+    if (!withinWindow) {
+      if (this.isPassiveMode()) {
+        this.logger.info("[PASSIVE] Request outside time window");
+        return null;
+      }
+      return this.createErrorResponse(403, "Access denied: outside allowed time window");
+    }
+    return null;
+  }
+};
+
+// src/core/checks/implementations/cloud-ip-refresh.ts
+var CloudIpRefreshCheck = class extends SecurityCheck {
+  get checkName() {
+    return "cloud_ip_refresh";
+  }
+  async check(_request) {
+    if (this.config.blockCloudProviders.size === 0) return null;
+    const now = Date.now() / 1e3;
+    const elapsed = now - this.middleware.lastCloudIpRefresh;
+    if (elapsed >= this.config.cloudIpRefreshInterval) {
+      this.middleware.lastCloudIpRefresh = now;
+      try {
+        await this.middleware.refreshCloudIpRanges();
+      } catch (e) {
+        this.logger.error(`Cloud IP refresh failed: ${e}`);
+      }
+    }
+    return null;
+  }
+};
+
+// src/core/checks/implementations/ip-security.ts
+var IpSecurityCheck = class extends SecurityCheck {
+  get checkName() {
+    return "ip_security";
+  }
+  async check(request) {
+    const clientIp = request.clientHost;
+    if (!clientIp) return null;
+    const ipBanHandler = this.middleware.rateLimitHandler;
+    const routeConfig = request.state["_routeConfig"];
+    if (routeConfig) {
+      const routeResult = await checkRouteIpAccess(clientIp, routeConfig, this.middleware);
+      if (routeResult === false) {
+        if (this.isPassiveMode()) {
+          this.logger.info(`[PASSIVE] IP blocked by route config: ${clientIp}`);
+          return null;
+        }
+        await this.sendEvent("ip_blocked", request, "request_blocked", `IP ${clientIp} blocked by route config`);
+        return this.createErrorResponse(403, "Access denied");
+      }
+    }
+    const allowed = await isIpAllowed(clientIp, this.config, this.middleware.geoIpHandler);
+    if (!allowed) {
+      if (this.isPassiveMode()) {
+        this.logger.info(`[PASSIVE] IP not allowed: ${clientIp}`);
+        return null;
+      }
+      await this.sendEvent("ip_blocked", request, "request_blocked", `IP ${clientIp} not allowed`);
+      return this.createErrorResponse(403, "Access denied");
+    }
+    return null;
+  }
+};
+
+// src/core/checks/implementations/cloud-provider.ts
+var CloudProviderCheck = class extends SecurityCheck {
+  get checkName() {
+    return "cloud_provider";
+  }
+  async check(request) {
+    const clientIp = request.clientHost;
+    if (!clientIp) return null;
+    const routeConfig = request.state["_routeConfig"];
+    const resolver = this.middleware.routeResolver;
+    const providers = resolver.getCloudProvidersToCheck(routeConfig ?? null);
+    if (!providers || providers.length === 0) return null;
+    const { CloudHandler: CloudHandler2 } = await import("./cloud-46J7XK7I.js");
+    return null;
+  }
+};
+
+// src/core/checks/implementations/user-agent.ts
+var UserAgentCheck = class extends SecurityCheck {
+  get checkName() {
+    return "user_agent";
+  }
+  async check(request) {
+    const userAgent = request.headers["user-agent"] ?? "";
+    if (!userAgent) return null;
+    const routeConfig = request.state["_routeConfig"];
+    const allowed = await checkUserAgentAllowed(userAgent, routeConfig ?? null, this.config);
+    if (!allowed) {
+      if (this.isPassiveMode()) {
+        this.logger.info(`[PASSIVE] Blocked user agent: ${userAgent}`);
+        return null;
+      }
+      await this.sendEvent("ua_blocked", request, "request_blocked", `Blocked user agent: ${userAgent}`);
+      return this.createErrorResponse(403, "Access denied");
+    }
+    return null;
+  }
+};
+
+// src/core/checks/implementations/rate-limit.ts
+var RateLimitCheck = class extends SecurityCheck {
+  get checkName() {
+    return "rate_limit";
+  }
+  async check(request) {
+    if (!this.config.enableRateLimiting) return null;
+    const clientIp = request.clientHost;
+    if (!clientIp) return null;
+    const rateLimitHandler = this.middleware.rateLimitHandler;
+    const routeConfig = request.state["_routeConfig"];
+    const createError = this.createErrorResponse.bind(this);
+    if (routeConfig?.rateLimit !== null && routeConfig?.rateLimit !== void 0) {
+      const response2 = await rateLimitHandler.checkRateLimit(
+        request,
+        clientIp,
+        createError,
+        request.urlPath,
+        routeConfig.rateLimit,
+        routeConfig.rateLimitWindow ?? this.config.rateLimitWindow
+      );
+      if (response2) {
+        if (this.isPassiveMode()) {
+          this.logger.info(`[PASSIVE] Route rate limit exceeded for ${clientIp}`);
+          return null;
+        }
+        return response2;
+      }
+    }
+    const endpointLimit = this.config.endpointRateLimits[request.urlPath];
+    if (endpointLimit) {
+      const [limit, window] = endpointLimit;
+      const response2 = await rateLimitHandler.checkRateLimit(
+        request,
+        clientIp,
+        createError,
+        request.urlPath,
+        limit,
+        window
+      );
+      if (response2) {
+        if (this.isPassiveMode()) {
+          this.logger.info(`[PASSIVE] Endpoint rate limit exceeded for ${clientIp}`);
+          return null;
+        }
+        return response2;
+      }
+    }
+    const response = await rateLimitHandler.checkRateLimit(
+      request,
+      clientIp,
+      createError,
+      null,
+      this.config.rateLimit,
+      this.config.rateLimitWindow
+    );
+    if (response) {
+      if (this.isPassiveMode()) {
+        this.logger.info(`[PASSIVE] Global rate limit exceeded for ${clientIp}`);
+        return null;
+      }
+      return response;
+    }
+    return null;
+  }
+};
+
+// src/core/checks/implementations/suspicious-activity.ts
+var SuspiciousActivityCheck = class extends SecurityCheck {
+  get checkName() {
+    return "suspicious_activity";
+  }
+  async check(request) {
+    if (!this.config.enablePenetrationDetection) return null;
+    const clientIp = request.clientHost;
+    if (!clientIp) return null;
+    const routeConfig = request.state["_routeConfig"];
+    const resolver = this.middleware.routeResolver;
+    const [isThreat, triggerInfo] = await detectPenetrationPatterns(
+      request,
+      routeConfig ?? null,
+      this.config,
+      (check, rc) => resolver.shouldBypassCheck(check, rc)
+    );
+    if (!isThreat) return null;
+    const counts = this.middleware.suspiciousRequestCounts;
+    const currentCount = (counts.get(clientIp) ?? 0) + 1;
+    counts.set(clientIp, currentCount);
+    logActivity(
+      request,
+      this.logger,
+      "suspicious",
+      "Suspicious activity detected",
+      this.config.passiveMode,
+      triggerInfo,
+      this.config.logSuspiciousLevel
+    );
+    await this.sendEvent(
+      "penetration_attempt",
+      request,
+      "request_blocked",
+      `Suspicious activity: ${triggerInfo}`,
+      { triggerInfo, requestCount: currentCount }
+    );
+    if (this.isPassiveMode()) return null;
+    return this.createErrorResponse(403, "Suspicious activity detected");
+  }
+};
+
+// src/core/checks/implementations/custom-request.ts
+var CustomRequestCheck = class extends SecurityCheck {
+  get checkName() {
+    return "custom_request";
+  }
+  async check(request) {
+    if (!this.config.customRequestCheck) return null;
+    return this.config.customRequestCheck(request);
+  }
+};
+
+// src/middleware-support.ts
+async function initializeSecurityMiddleware(config, logger, guardResponseFactory, agentHandler, geoIpHandler, guardDecorator) {
+  const initializer = new HandlerInitializer(
+    config,
+    logger,
+    agentHandler ?? null,
+    geoIpHandler ?? null,
+    guardDecorator ?? null
+  );
+  const registry = await initializer.initialize();
+  const eventBus = new SecurityEventBus(
+    agentHandler ?? null,
+    config,
+    logger,
+    registry.geoIpHandler
+  );
+  const metricsCollector = new MetricsCollector(
+    agentHandler ?? null,
+    config,
+    logger
+  );
+  const validator = new RequestValidator(config, logger, eventBus);
+  const routeResolver = new RouteConfigResolver(config);
+  if (guardDecorator) routeResolver.setGuardDecorator(guardDecorator);
+  const errorResponseFactory = new ErrorResponseFactory(
+    config,
+    logger,
+    metricsCollector,
+    guardResponseFactory,
+    registry.securityHeadersHandler,
+    agentHandler ?? null
+  );
+  const bypassHandler = new BypassHandler(
+    config,
+    eventBus,
+    routeResolver,
+    errorResponseFactory,
+    validator
+  );
+  const behavioralProcessor = new BehavioralProcessor(logger, eventBus);
+  if (guardDecorator) {
+    behavioralProcessor.setGuardDecorator(
+      guardDecorator
+    );
+  }
+  const middlewareProtocol = {
+    get config() {
+      return config;
+    },
+    get logger() {
+      return logger;
+    },
+    lastCloudIpRefresh: 0,
+    suspiciousRequestCounts: /* @__PURE__ */ new Map(),
+    get eventBus() {
+      return eventBus;
+    },
+    get routeResolver() {
+      return routeResolver;
+    },
+    get responseFactory() {
+      return errorResponseFactory;
+    },
+    get rateLimitHandler() {
+      return registry.rateLimitHandler;
+    },
+    get agentHandler() {
+      return agentHandler ?? null;
+    },
+    get geoIpHandler() {
+      return registry.geoIpHandler ?? null;
+    },
+    get guardResponseFactory() {
+      return guardResponseFactory;
+    },
+    async createErrorResponse(statusCode, message) {
+      return errorResponseFactory.createErrorResponse(statusCode, message);
+    },
+    async refreshCloudIpRanges() {
+      if (registry.cloudHandler && config.blockCloudProviders.size > 0) {
+        await registry.cloudHandler.refreshAsync(config.blockCloudProviders);
+      }
+    }
+  };
+  const pipeline = new SecurityCheckPipeline([
+    new RouteConfigCheck(middlewareProtocol),
+    new EmergencyModeCheck(middlewareProtocol),
+    new HttpsEnforcementCheck(middlewareProtocol, validator, errorResponseFactory),
+    new RequestLoggingCheck(middlewareProtocol),
+    new RequestSizeContentCheck(middlewareProtocol),
+    new RequiredHeadersCheck(middlewareProtocol),
+    new AuthenticationCheck(middlewareProtocol),
+    new ReferrerCheck(middlewareProtocol),
+    new CustomValidatorsCheck(middlewareProtocol),
+    new TimeWindowCheck(middlewareProtocol, validator),
+    new CloudIpRefreshCheck(middlewareProtocol),
+    new IpSecurityCheck(middlewareProtocol),
+    new CloudProviderCheck(middlewareProtocol),
+    new UserAgentCheck(middlewareProtocol),
+    new RateLimitCheck(middlewareProtocol),
+    new SuspiciousActivityCheck(middlewareProtocol),
+    new CustomRequestCheck(middlewareProtocol)
+  ], logger);
+  return {
+    registry,
+    pipeline,
+    eventBus,
+    metricsCollector,
+    validator,
+    routeResolver,
+    bypassHandler,
+    errorResponseFactory,
+    behavioralProcessor,
+    middlewareProtocol
+  };
+}
+
+// src/decorators/base.ts
+var routeIdMap = /* @__PURE__ */ new WeakMap();
+var routeIdCounter = 0;
+var BaseSecurityDecorator = class {
+  routeConfigs = /* @__PURE__ */ new Map();
+  behaviorTracker;
+  agentHandler = null;
+  config;
+  logger;
+  constructor(config, logger) {
+    this.config = config;
+    this.logger = logger ?? defaultLogger;
+    this.behaviorTracker = new BehaviorTracker(config, this.logger);
+  }
+  getRouteConfig(routeId) {
+    return this.routeConfigs.get(routeId);
+  }
+  ensureRouteConfig(fn) {
+    const id = this.getRouteId(fn);
+    if (!this.routeConfigs.has(id)) {
+      const rc = new RouteConfig();
+      rc.enableSuspiciousDetection = this.config.enablePenetrationDetection;
+      this.routeConfigs.set(id, rc);
+    }
+    return this.routeConfigs.get(id);
+  }
+  applyRouteConfig(fn) {
+    fn["_guardRouteId"] = this.getRouteId(fn);
+    return fn;
+  }
+  getRouteId(fn) {
+    if (!routeIdMap.has(fn)) {
+      routeIdMap.set(fn, `guard_route_${++routeIdCounter}`);
+    }
+    return routeIdMap.get(fn);
+  }
+  async initializeBehaviorTracking(redisHandler) {
+    if (redisHandler) await this.behaviorTracker.initializeRedis(redisHandler);
+  }
+  async initializeAgent(agentHandler) {
+    this.agentHandler = agentHandler;
+    await this.behaviorTracker.initializeAgent(agentHandler);
+  }
+  async sendDecoratorEvent(eventType, _request, actionTaken, reason, decoratorType, meta) {
+    if (!this.agentHandler) return;
+    try {
+      await this.agentHandler.sendEvent({
+        timestamp: /* @__PURE__ */ new Date(),
+        eventType,
+        actionTaken,
+        reason,
+        decoratorType,
+        metadata: meta ?? {}
+      });
+    } catch {
+    }
+  }
+  async sendAccessDeniedEvent(request, reason, decoratorType, meta) {
+    await this.sendDecoratorEvent("access_denied", request, "request_blocked", reason, decoratorType, meta);
+  }
+  async sendAuthenticationFailedEvent(request, reason, authType, meta) {
+    await this.sendDecoratorEvent("authentication_failed", request, "request_blocked", reason, "authentication", { authType, ...meta });
+  }
+  async sendRateLimitEvent(request, limit, window, meta) {
+    await this.sendDecoratorEvent("rate_limit_exceeded", request, "request_blocked", `Rate limit ${limit}/${window}s exceeded`, "rate_limit", { limit, window, ...meta });
+  }
+  async sendDecoratorViolationEvent(request, violationType, reason, meta) {
+    await this.sendDecoratorEvent("decorator_violation", request, "request_blocked", reason, violationType, meta);
+  }
+};
+function getRouteDecoratorConfig(request, decoratorHandler) {
+  const routeId = request.state.guardRouteId;
+  if (!routeId || typeof routeId !== "string") return void 0;
+  return decoratorHandler.getRouteConfig(routeId);
+}
+
+// src/decorators/access-control.ts
+function AccessControl(Base) {
+  return class extends Base {
+    requireIp(whitelist, blacklist) {
+      return (fn) => {
+        const rc = this.ensureRouteConfig(fn);
+        if (whitelist) rc.ipWhitelist = whitelist;
+        if (blacklist) rc.ipBlacklist = blacklist;
+        return this.applyRouteConfig(fn);
+      };
+    }
+    blockCountries(countries) {
+      return (fn) => {
+        const rc = this.ensureRouteConfig(fn);
+        rc.blockedCountries = countries;
+        return this.applyRouteConfig(fn);
+      };
+    }
+    allowCountries(countries) {
+      return (fn) => {
+        const rc = this.ensureRouteConfig(fn);
+        rc.whitelistCountries = countries;
+        return this.applyRouteConfig(fn);
+      };
+    }
+    blockClouds(providers) {
+      return (fn) => {
+        const rc = this.ensureRouteConfig(fn);
+        rc.blockCloudProviders = new Set(providers ?? ["AWS", "GCP", "Azure"]);
+        return this.applyRouteConfig(fn);
+      };
+    }
+    bypass(checks) {
+      return (fn) => {
+        const rc = this.ensureRouteConfig(fn);
+        for (const check of checks) rc.bypassedChecks.add(check);
+        return this.applyRouteConfig(fn);
+      };
+    }
+  };
+}
+
+// src/decorators/rate-limiting.ts
+function RateLimiting(Base) {
+  return class extends Base {
+    rateLimit(requests, window = 60) {
+      return (fn) => {
+        const rc = this.ensureRouteConfig(fn);
+        rc.rateLimit = requests;
+        rc.rateLimitWindow = window;
+        return this.applyRouteConfig(fn);
+      };
+    }
+    geoRateLimit(limits) {
+      return (fn) => {
+        const rc = this.ensureRouteConfig(fn);
+        rc.geoRateLimits = limits;
+        return this.applyRouteConfig(fn);
+      };
+    }
+  };
+}
+
+// src/decorators/authentication.ts
+function Authentication(Base) {
+  return class extends Base {
+    requireHttps() {
+      return (fn) => {
+        const rc = this.ensureRouteConfig(fn);
+        rc.requireHttps = true;
+        return this.applyRouteConfig(fn);
+      };
+    }
+    requireAuth(type = "bearer") {
+      return (fn) => {
+        const rc = this.ensureRouteConfig(fn);
+        rc.authRequired = type;
+        return this.applyRouteConfig(fn);
+      };
+    }
+    apiKeyAuth(headerName = "X-API-Key") {
+      return (fn) => {
+        const rc = this.ensureRouteConfig(fn);
+        rc.apiKeyRequired = true;
+        rc.requiredHeaders[headerName] = "";
+        return this.applyRouteConfig(fn);
+      };
+    }
+    requireHeaders(headers) {
+      return (fn) => {
+        const rc = this.ensureRouteConfig(fn);
+        Object.assign(rc.requiredHeaders, headers);
+        return this.applyRouteConfig(fn);
+      };
+    }
+  };
+}
+
+// src/decorators/content-filtering.ts
+function ContentFiltering(Base) {
+  return class extends Base {
+    blockUserAgents(patterns) {
+      return (fn) => {
+        const rc = this.ensureRouteConfig(fn);
+        rc.blockedUserAgents.push(...patterns);
+        return this.applyRouteConfig(fn);
+      };
+    }
+    contentTypeFilter(allowedTypes) {
+      return (fn) => {
+        const rc = this.ensureRouteConfig(fn);
+        rc.allowedContentTypes = allowedTypes;
+        return this.applyRouteConfig(fn);
+      };
+    }
+    maxRequestSize(sizeBytes) {
+      return (fn) => {
+        const rc = this.ensureRouteConfig(fn);
+        rc.maxRequestSize = sizeBytes;
+        return this.applyRouteConfig(fn);
+      };
+    }
+    requireReferrer(allowedDomains) {
+      return (fn) => {
+        const rc = this.ensureRouteConfig(fn);
+        rc.requireReferrer = allowedDomains;
+        return this.applyRouteConfig(fn);
+      };
+    }
+    customValidation(validator) {
+      return (fn) => {
+        const rc = this.ensureRouteConfig(fn);
+        rc.customValidators.push(validator);
+        return this.applyRouteConfig(fn);
+      };
+    }
+  };
+}
+
+// src/decorators/behavioral.ts
+function Behavioral(Base) {
+  return class extends Base {
+    usageMonitor(maxCalls, window = 3600, action = "ban") {
+      return (fn) => {
+        const rc = this.ensureRouteConfig(fn);
+        rc.behaviorRules.push(new BehaviorRule("usage", maxCalls, window, null, action));
+        return this.applyRouteConfig(fn);
+      };
+    }
+    returnMonitor(pattern, maxOccurrences, window = 86400, action = "ban") {
+      return (fn) => {
+        const rc = this.ensureRouteConfig(fn);
+        rc.behaviorRules.push(new BehaviorRule("return_pattern", maxOccurrences, window, pattern, action));
+        return this.applyRouteConfig(fn);
+      };
+    }
+    behaviorAnalysis(rules) {
+      return (fn) => {
+        const rc = this.ensureRouteConfig(fn);
+        rc.behaviorRules.push(...rules);
+        return this.applyRouteConfig(fn);
+      };
+    }
+    suspiciousFrequency(maxFrequency, window = 300, action = "ban") {
+      return (fn) => {
+        const rc = this.ensureRouteConfig(fn);
+        rc.behaviorRules.push(new BehaviorRule("frequency", maxFrequency, window, null, action));
+        return this.applyRouteConfig(fn);
+      };
+    }
+  };
+}
+
+// src/decorators/advanced.ts
+function Advanced(Base) {
+  return class extends Base {
+    timeWindow(startTime, endTime, _timezone = "UTC") {
+      return (fn) => {
+        const rc = this.ensureRouteConfig(fn);
+        rc.timeRestrictions = { start: startTime, end: endTime };
+        return this.applyRouteConfig(fn);
+      };
+    }
+    suspiciousDetection(enabled = true) {
+      return (fn) => {
+        const rc = this.ensureRouteConfig(fn);
+        rc.enableSuspiciousDetection = enabled;
+        return this.applyRouteConfig(fn);
+      };
+    }
+    honeypotDetection(trapFields) {
+      return (fn) => {
+        const rc = this.ensureRouteConfig(fn);
+        rc.customValidators.push(async (request) => {
+          try {
+            const bodyBytes = await request.body();
+            if (bodyBytes.length === 0) return null;
+            const bodyText = new TextDecoder().decode(bodyBytes);
+            let data = {};
+            const contentType = request.headers["content-type"] ?? "";
+            if (contentType.includes("json")) {
+              data = JSON.parse(bodyText);
+            } else if (contentType.includes("form")) {
+              for (const pair of bodyText.split("&")) {
+                const [key, value] = pair.split("=");
+                if (key && value) data[decodeURIComponent(key)] = decodeURIComponent(value);
+              }
+            }
+            for (const field of trapFields) {
+              if (data[field] !== void 0 && data[field] !== "" && data[field] !== null) {
+                return {
+                  statusCode: 403,
+                  headers: {},
+                  setHeader() {
+                  },
+                  body: new TextEncoder().encode("Forbidden"),
+                  bodyText: "Forbidden"
+                };
+              }
+            }
+          } catch {
+          }
+          return null;
+        });
+        return this.applyRouteConfig(fn);
+      };
+    }
+  };
+}
+
+// src/decorators/index.ts
+var SecurityDecorator = Advanced(
+  ContentFiltering(
+    Behavioral(
+      Authentication(
+        RateLimiting(
+          AccessControl(
+            BaseSecurityDecorator
+          )
+        )
+      )
+    )
+  )
+);
+export {
+  BaseSecurityDecorator,
+  BehaviorRule,
+  BehavioralProcessor,
+  BypassHandler,
+  ContentPreprocessor,
+  DynamicRulesSchema,
+  ErrorResponseFactory,
+  MetricsCollector,
+  PatternCompiler,
+  PerformanceMonitor,
+  RequestValidator,
+  RouteConfig,
+  RouteConfigResolver,
+  SecurityCheckPipeline,
+  SecurityConfigSchema,
+  SecurityDecorator,
+  SecurityEventBus,
+  SemanticAnalyzer,
+  checkIpCountry,
+  defaultLogger,
+  detectPenetrationAttempt,
+  extractClientIp,
+  getRouteDecoratorConfig,
+  initializeSecurityMiddleware,
+  isIpAllowed,
+  isUserAgentAllowed,
+  logActivity,
+  sanitizeForLog,
+  sendAgentEvent
+};
+//# sourceMappingURL=index.js.map