@hadi_ali/warden 1.0.0

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2025 hadiali
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,209 @@
+Warden 🛡️
+
+A high-performance Layer 7 Web Application Firewall (WAF) and bot-mitigation middleware for Express.js.
+
+Warden doesn't just look at rate limits; it analyzes how a client interacts with your server. By combining header heuristics, Chromium fingerprinting, honeypot traps(including SubDomains), and intelligent error tracking, it blocks automated scanners, scrapers, and brute-force tools while letting legitimate users and verified search engines pass through with near-zero overhead.
+🚀 Installation
+```bash
+npm install warden
+```
+
+(Optional) Install drivers if you plan to use persistent storage:
+```bash
+npm install pg redis
+```
+
+Requires Node.js 18+
+🛡️ What it Protects Against
+
+Warden acts as a behavioral firewall. It instantly detects and blocks:
+
+    Directory Fuzzers (Gobuster, ffuf, Nikto): Traps scanners hitting common sensitive paths (/.env, /wp-admin) and uses intelligent 404-tracking (which safely ignores missing images/CSS) to block rapid discovery attempts.
+
+    Headless Browsers & Scrapers (Puppeteer, Playwright, Selenium): Analyzes Chromium header anomalies. If a script claims to be Chrome 120 but is missing modern sec-ch-ua headers, or spoofs a Windows OS on a Linux machine, it is penalized and blocked.
+
+    Credential Stuffing & Brute-Forcing (Hydra, Intruder): Tracks repeated 401 Unauthorized and 400 Bad Request errors natively in the background, locking out attackers attempting to guess passwords.
+
+    Reconnaissance Bots: Penalizes requests targeting sensitive subdomains (e.g., admin.*, dev.*, vpn.*) to stop infrastructure mapping.
+
+    L7 Application DDoS: Implements dynamic rate limiting. Legitimate users get generous limits, while suspicious IPs are aggressively throttled.
+
+    Fake Search Engine Bots: Attackers spoofing Googlebot or Bingbot user-agents are blocked. Warden verifies true search engine IPs directly against Google and Bing's official CIDR ranges using high-speed bitwise math.
+
+⚠️ What it Does Not Do (Limitations)
+
+To maintain sub-millisecond performance, Warden is designed as a behavioral WAF. You should be aware of what it does not cover:
+
+    Volumetric L3/L4 DDoS Attacks: If a botnet sends 50 Gbps of junk TCP traffic, Warden cannot save you. You still need Cloudflare or AWS Shield at the edge.
+
+    Payload Inspection (SQLi / XSS): Warden does not parse req.body to look for SQL injection or Cross-Site Scripting strings.
+    
+💻 Usage
+
+Warden is designed to be highly resilient. You can run it entirely in memory (Zero-Config), or attach Redis and PostgreSQL for cross-server rate-limiting and long-term IP reputation tracking.
+Option A: Zero-Config (In-Memory)
+
+Perfect for single-server setups or quick deployments. Features a self-cleaning LRU cache to prevent memory leaks.
+```javascript
+const express = require('express');
+const { warden, syncVerifiedBots, reloadRanges } = require('warden');
+
+const app = express();
+
+// 1. Trust your proxy if behind AWS ELB, Heroku, or Cloudflare
+app.set('trust proxy', 1);
+
+// 2. Sync Google/Bing verified IPs into memory
+syncVerifiedBots().then(success => {
+  if (success) reloadRanges();
+});
+
+// 3. Attach middleware
+app.use(warden({
+  scorethreshold: 30,
+  knownSubdomains: ['api', 'www'] // Whitelist your legit subdomains
+}));
+
+app.get('/', (req, res) => res.send('Protected by Warden!'));
+app.listen(3000);
+```
+
+Option B: Production (Postgres + Redis)
+
+For distributed setups. Redis handles cross-server rate limiting, and Postgres remembers bad IPs for days/weeks. If either database goes down, Warden safely fails open to memory.
+```javascript
+const express = require('express');
+const { Pool } = require('pg');
+const { createClient } = require('redis');
+const { warden, syncVerifiedBots, reloadRanges, migrate } = require('warden');
+
+const app = express();
+app.set('trust proxy', 1);
+
+async function start() {
+  const db = new Pool({ connectionString: process.env.DATABASE_URL });
+  const redis = createClient({ url: process.env.REDIS_URL });
+  await redis.connect();
+
+  // Auto-create necessary tables (warden_reputation, etc.)
+  await migrate(db);
+
+  // Sync verified bots (Stores them in DB/Redis so other servers don't have to fetch)
+  const success = await syncVerifiedBots();
+  if (success) reloadRanges();
+
+  app.use(warden({
+    db: db,
+    redis: redis,
+    scorethreshold: 30,
+    failopen: true, // If Redis/PG crashes, API stays online
+  }));
+
+  app.get('/', (req, res) => res.send('Enterprise protection active!'));
+  app.listen(3000);
+}
+
+start();
+```
+
+(Note: You can also run migrations via CLI: CONNECTION_STRING="..." node node_modules/warden/app/db_connection/migrate.js)
+
+## 🛠️ CLI
+
+After `npm install -g warden` (or `npx warden`) you get a `warden` command:
+
+```bash
+warden --help            # Show all commands
+warden --version         # Show version
+warden cleanup --help    # Cleanup options
+```
+
+### `warden cleanup` — Data Retention
+
+Warden never deletes your data automatically. The `cleanup` command is the supported way to purge old rows from the three Warden Postgres tables. Schedule it yourself — cron, Kubernetes CronJob, `pg_cron`, GitHub Actions schedule, anything.
+
+```bash
+# Defaults: reputation > 3 days, requests > 24 hours, sessions > 30 days
+warden cleanup
+
+# See what would be deleted without actually deleting
+warden cleanup --dry-run
+
+# Custom retention
+warden cleanup --reputation-days 7 --requests-hours 48 --sessions-days 90
+
+# Override the connection string
+warden cleanup --connection postgres://user:pass@host/db
+```
+
+**Schedule with cron** (Linux):
+
+```cron
+# Run every hour
+0 * * * * cd /srv/myapp && /usr/bin/warden cleanup >> /var/log/warden.log 2>&1
+```
+
+**Schedule with Kubernetes CronJob:**
+
+```yaml
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+  name: warden-cleanup
+spec:
+  schedule: "0 * * * *"
+  jobTemplate:
+    spec:
+      template:
+        spec:
+          containers:
+            - name: cleanup
+              image: node:20-alpine
+              command: ["warden", "cleanup"]
+              env:
+                - name: CONNECTION_STRING
+                  valueFrom:
+                    secretKeyRef:
+                      name: warden-db
+                      key: connection-string
+          restartPolicy: OnFailure
+```
+
+**Schedule with `pg_cron` (no app process needed):**
+
+```sql
+SELECT cron.schedule('warden-cleanup', '0 * * * *', $$
+  DELETE FROM warden_reputation WHERE score < 20 AND last_seen < NOW() - INTERVAL '3 days';
+  DELETE FROM warden_requests WHERE timestamp < NOW() - INTERVAL '24 hours';
+  DELETE FROM warden_sessions WHERE last_seen < NOW() - INTERVAL '30 days';
+$$);
+```
+
+## ⚙️ Configuration Options
+Option	Type	Default	Description
+db	pg.Pool	null	PostgreSQL pool for long-term reputation tracking and verified bot storage.
+redis	RedisClient	null	Redis client for distributed rate limiting. Falls back to in-memory LRU store.
+allowlist	string[]	[]	Array of exact IPs or CIDR ranges (e.g. ['10.0.0.0/8']) to always bypass checks.
+failopen	boolean	true	If true, errors within Warden allow the request to proceed. If false, returns 500.
+scorethreshold	number	30	The heuristic score at which a request is blocked with a 403 Forbidden.
+suspiciousThreshold	number	30	The score at which the onSuspicious webhook/callback fires.
+trustHeaders	boolean	false	Security: By default, Warden trusts req.ip. Set to true only if you safely parse X-Forwarded-For upstream.
+knownSubdomains	string[]	[]	Subdomains to ignore in the recon-scanner (e.g., ['api', 'app']).
+limits	object	{...}	Custom request limits for clean, suspicious, and hostile tiers.
+getSessionId	function	null	Custom function to extract a user session ID from req for session-based scoring.
+onBlock	function	null	Callback fired on block: (ipHash, score, reason, req) => {}
+onSuspicious	function	null	Callback fired on suspicious traffic: (ipHash, score, req) => {}
+onRateLimit	function	null	Callback fired on 429: (ipHash, score, req) => {}
+⚡ Performance & Architecture
+
+Warden is engineered to add < 2ms of latency to legitimate requests.
+
+    Zero-Score DB Bypass: If a user connects with a standard, valid browser, their heuristic score evaluates to 0. Warden immediately skips the PostgreSQL reputation UPSERT entirely, saving heavy database I/O.
+
+    Post-Response Math: Brute-force calculations (like tracking 404s/401s) are executed asynchronously via res.on('finish'). The user receives their HTTP response instantly; the math happens in the background.
+
+    Bitwise CIDR Matching: Verified bots are resolved using 32-bit integer conversion and bitwise masking, allowing hundreds of Google/Bing CIDR ranges to be evaluated in fractions of a millisecond.
+
+📝 License
+
+MIT License © 2025

package/app/Loger.js

@@ -0,0 +1,14 @@
+function log({ reqId, ip_hash, score, action, reason, path, duration_ms }) {
+  console.log(JSON.stringify({
+    reqId,
+    ip_hash,
+    score,
+    action,
+    reason,
+    path,
+    duration_ms,
+    timestamp: new Date().toISOString(),
+  }));
+}
+
+module.exports = { log };

package/app/allowlist.js

@@ -0,0 +1,43 @@
+const { getClientIP } = require("./getClientIP.js");
+const { normalizeIP } = require("./normalizeIP.js");
+const { Address6, Address4 } = require('ip-address');
+const net = require('net');
+
+function isInSubnet(ip, cidr) {
+  if (!ip || !cidr) return false;
+  
+  // Check if CIDR contains a slash
+  if (!cidr.includes('/')) {
+    return ip === cidr;
+  }
+  
+  const ipVersion = net.isIP(ip.split('/')[0]);
+  
+  try {
+    if (ipVersion === 6) {
+      const addr = new Address6(ip);
+      const subnet = new Address6(cidr);
+      return addr.isInSubnet(subnet);
+    } else if (ipVersion === 4) {
+      const addr = new Address4(ip);
+      const subnet = new Address4(cidr);
+      return addr.isInSubnet(subnet);
+    }
+  } catch (e) {
+    return false;
+  }
+  return false;
+}
+
+function checkAllowlist(req, allowlist=[]) {
+  const ip = normalizeIP(getClientIP(req));
+  if (!ip) return false;
+  
+  for (const entry of allowlist) {
+    if (isInSubnet(ip, entry)) {
+      return true;
+    }
+  }
+  return false;
+}
+module.exports = { checkAllowlist };

package/app/bruteforce.js

@@ -0,0 +1,13 @@
+const { store } = require('./store');
+
+const WINDOW_SECONDS = 5;
+
+async function trackFailure(ip_hash) {
+  
+  const key = `bf:${ip_hash}`;
+  const count = await store.increment(key, WINDOW_SECONDS);
+  return count;
+}
+
+
+module.exports = { trackFailure };

package/app/cli/cleanup.js

@@ -0,0 +1,167 @@
+#!/usr/bin/env node
+// Warden data-retention CLI.
+// Deletes old rows from the Warden Postgres tables. Run on your own schedule
+// (cron, Kubernetes CronJob, pg_cron, GitHub Actions schedule, etc.) — the
+// library itself NEVER deletes data automatically.
+//
+// Usage:
+//   warden cleanup [options]
+//
+// Options:
+//   --reputation-days <N>   Delete warden_reputation rows where last_seen > N days (default: 3)
+//   --requests-hours <N>    Delete warden_requests rows older than N hours (default: 24)
+//   --sessions-days <N>     Delete warden_sessions rows where last_seen > N days (default: 30)
+//   --dry-run               Count rows that WOULD be deleted, but don't delete anything
+//   --connection <string>   Postgres connection string (default: $CONNECTION_STRING)
+//   --help, -h              Show this message
+
+function parseArgs(argv) {
+  const opts = {
+    reputationDays: 3,
+    requestsHours: 24,
+    sessionsDays: 30,
+    dryRun: false,
+    connection: process.env.CONNECTION_STRING || null,
+  };
+
+  for (let i = 0; i < argv.length; i++) {
+    const a = argv[i];
+    switch (a) {
+      case '--reputation-days':
+      case '--requests-hours':
+      case '--sessions-days': {
+        const key = a.slice(2).replace(/-([a-z])/g, (_, c) => c.toUpperCase());
+        const v = parseInt(argv[++i], 10);
+        if (!Number.isFinite(v) || v < 0) {
+          console.error(`Error: ${a} requires a non-negative integer`);
+          process.exit(2);
+        }
+        opts[key] = v;
+        break;
+      }
+      case '--dry-run':
+        opts.dryRun = true;
+        break;
+      case '--connection':
+        opts.connection = argv[++i];
+        if (!opts.connection) {
+          console.error('Error: --connection requires a value');
+          process.exit(2);
+        }
+        break;
+      case '--help':
+      case '-h':
+        printUsage();
+        process.exit(0);
+      default:
+        console.error(`Error: unknown option: ${a}`);
+        printUsage();
+        process.exit(2);
+    }
+  }
+
+  return opts;
+}
+
+function printUsage() {
+  process.stdout.write(`Warden cleanup CLI
+
+Usage: warden cleanup [options]
+
+Options:
+  --reputation-days <N>   Delete warden_reputation rows where last_seen > N days (default: 3)
+  --requests-hours <N>    Delete warden_requests rows older than N hours (default: 24)
+  --sessions-days <N>     Delete warden_sessions rows where last_seen > N days (default: 30)
+  --dry-run               Count rows that WOULD be deleted, but don't delete anything
+  --connection <string>   Postgres connection string (default: \$CONNECTION_STRING)
+  --help, -h              Show this message
+
+Examples:
+  warden cleanup --dry-run
+  warden cleanup --reputation-days 7 --requests-hours 48
+  CONNECTION_STRING=postgres://user:pass@host/db warden cleanup
+
+Schedule with cron:
+  0 * * * * cd /srv/myapp && /usr/bin/warden cleanup >> /var/log/warden.log 2>&1
+`);
+}
+
+function buildQueries(opts) {
+  const rep = parseInt(opts.reputationDays, 10);
+  const req = parseInt(opts.requestsHours, 10);
+  const ses = parseInt(opts.sessionsDays, 10);
+
+  return [
+    {
+      name: 'reputation',
+      label: `warden_reputation (score<20 AND last_seen > ${rep}d)`,
+      countSql: `SELECT COUNT(*)::int AS n FROM warden_reputation WHERE score < 20 AND last_seen < NOW() - INTERVAL '${rep} days'`,
+      deleteSql: `DELETE FROM warden_reputation WHERE score < 20 AND last_seen < NOW() - INTERVAL '${rep} days'`,
+    },
+    {
+      name: 'requests',
+      label: `warden_requests (timestamp > ${req}h)`,
+      countSql: `SELECT COUNT(*)::int AS n FROM warden_requests WHERE timestamp < NOW() - INTERVAL '${req} hours'`,
+      deleteSql: `DELETE FROM warden_requests WHERE timestamp < NOW() - INTERVAL '${req} hours'`,
+    },
+    {
+      name: 'sessions',
+      label: `warden_sessions (last_seen > ${ses}d)`,
+      countSql: `SELECT COUNT(*)::int AS n FROM warden_sessions WHERE last_seen < NOW() - INTERVAL '${ses} days'`,
+      deleteSql: `DELETE FROM warden_sessions WHERE last_seen < NOW() - INTERVAL '${ses} days'`,
+    },
+  ];
+}
+
+async function run(argv) {
+  const opts = parseArgs(argv);
+
+  if (!opts.connection) {
+    console.error('Error: --connection or CONNECTION_STRING environment variable required.');
+    process.exit(2);
+  }
+
+  const { Pool } = require('pg');
+  const pool = new Pool({ connectionString: opts.connection });
+  let hadError = false;
+
+  try {
+    const queries = buildQueries(opts);
+    const mode = opts.dryRun ? 'DRY RUN' : 'CLEANUP';
+    console.log(`[warden] ${mode} starting at ${new Date().toISOString()}`);
+
+    let totalAffected = 0;
+    for (const q of queries) {
+      try {
+        const sql = opts.dryRun ? q.countSql : q.deleteSql;
+        const res = await pool.query(sql);
+        const n = opts.dryRun ? res.rows[0].n : res.rowCount;
+        totalAffected += n;
+        const verb = opts.dryRun ? 'would delete' : 'deleted';
+        console.log(`[warden] ${q.label}: ${verb} ${n} row(s)`);
+      } catch (err) {
+        hadError = true;
+        console.error(`[warden] ${q.name} failed:`, err.message);
+      }
+    }
+
+    const summary = opts.dryRun
+      ? `[warden] DRY RUN complete. Would have deleted ${totalAffected} row(s) total.`
+      : `[warden] Cleanup complete. Deleted ${totalAffected} row(s) total.`;
+    console.log(summary);
+  } finally {
+    await pool.end().catch(() => {});
+  }
+
+  process.exit(hadError ? 1 : 0);
+}
+
+// Run when invoked directly. When required as a module, expose `run` for tests.
+if (require.main === module) {
+  run(process.argv.slice(2)).catch((err) => {
+    console.error('[warden] cleanup crashed:', err.message);
+    process.exit(1);
+  });
+}
+
+module.exports = { run, parseArgs, buildQueries };

package/app/cli/index.js

@@ -0,0 +1,62 @@
+#!/usr/bin/env node
+// Warden CLI dispatcher.
+//
+// Usage: warden <command> [options]
+//
+// Commands:
+//   cleanup [options]    Delete old rows from Warden Postgres tables
+//                        (see `warden cleanup --help`)
+//   help                 Show this message
+//   --version, -v        Print the Warden version
+
+const path = require('path');
+const pkg = require(path.join(__dirname, '..', '..', 'package.json'));
+
+const args = process.argv.slice(2);
+const cmd = args[0];
+
+function printHelp() {
+  process.stdout.write(`Warden CLI v${pkg.version}
+
+Usage: warden <command> [options]
+
+Commands:
+  cleanup [options]    Delete old rows from Warden Postgres tables.
+                        Schedule this from your own cron / Kubernetes CronJob /
+                        pg_cron / GitHub Actions schedule.
+                        Run \`warden cleanup --help\` for options.
+  help                 Show this message
+  --version, -v        Print the Warden version
+
+Examples:
+  warden cleanup --dry-run
+  warden cleanup --reputation-days 7 --requests-hours 48
+  CONNECTION_STRING=postgres://user:pass@host/db warden cleanup
+
+More info: ${pkg.homepage}
+`);
+}
+
+function printVersion() {
+  process.stdout.write(`${pkg.version}\n`);
+}
+
+switch (cmd) {
+  case 'cleanup':
+    require('./cleanup').run(args.slice(1));
+    break;
+  case 'help':
+  case '--help':
+  case '-h':
+  case undefined:
+    printHelp();
+    break;
+  case '--version':
+  case '-v':
+    printVersion();
+    break;
+  default:
+    console.error(`Unknown command: ${cmd}`);
+    console.error(`Run \`warden help\` for usage.`);
+    process.exit(2);
+}

package/app/db_connection/db.js

@@ -0,0 +1,43 @@
+const { Pool } = require('pg');
+
+// Users must set CONNECTION_STRING in their environment before requiring this module.
+// As an npm library, Warden does not call dotenv.config() so it will not overwrite
+// the consumer's environment variables or crash when a .env file is absent.
+//
+// IMPORTANT: The pg.Pool is created LAZILY. Importing this module does not open
+// a DB connection; the pool is only created when getPool() is called (i.e. when
+// a user passes a pool or calls test()).
+//
+// Data retention: Warden does NOT auto-delete rows. Use the CLI:
+//     warden cleanup [--reputation-days N] [--requests-hours N] [--sessions-days N] [--dry-run]
+// and run it from your own cron / Kubernetes CronJob / pg_cron.
+
+let pool = null;
+
+function getPool() {
+  if (pool) return pool;
+  pool = new Pool({
+    connectionString: process.env.CONNECTION_STRING,
+    ssl: { rejectUnauthorized: false },
+    max: 10,
+    idleTimeoutMillis: 30000,
+    connectionTimeoutMillis: 2000,
+  });
+  return pool;
+}
+
+async function test() {
+  try {
+    const p = getPool();
+    const res = await p.query('SELECT NOW()');
+    return res;
+  } catch (err) {
+    console.log("DB_ERROR", err);
+    throw err;
+  }
+}
+
+module.exports = {
+  get pool() { return getPool(); },
+  test,
+};

package/app/db_connection/migrate.js

@@ -0,0 +1,63 @@
+const { pool } = require('./db');
+
+async function migrate(db = pool) {
+  await Promise.all([
+    db.query(`CREATE TABLE IF NOT EXISTS warden_reputation (
+      ip_hash         VARCHAR(64)  PRIMARY KEY,
+      score           SMALLINT      NOT NULL DEFAULT 0,
+      last_seen       TIMESTAMPTZ   NOT NULL DEFAULT NOW(),
+      rdns_verified   BOOLEAN       DEFAULT NULL,
+      rdns_checked_at TIMESTAMPTZ   DEFAULT NULL,
+      blocked_until   TIMESTAMPTZ   DEFAULT NULL,
+      created_at      TIMESTAMPTZ   NOT NULL DEFAULT NOW()
+    )`),
+    db.query(`CREATE TABLE IF NOT EXISTS warden_requests (
+      id          BIGSERIAL    PRIMARY KEY,
+      ip_hash     VARCHAR(64)  NOT NULL,
+      timestamp   TIMESTAMPTZ  NOT NULL DEFAULT NOW(),
+      path        TEXT,
+      score_delta SMALLINT,
+      action      VARCHAR(16),
+      reason      VARCHAR(32)
+    )`),
+
+    db.query(`CREATE TABLE IF NOT EXISTS warden_sessions (
+  session_hash  VARCHAR(64)  PRIMARY KEY,
+  score         SMALLINT     NOT NULL DEFAULT 0,
+  last_seen     TIMESTAMPTZ  NOT NULL DEFAULT NOW(),
+  created_at    TIMESTAMPTZ  NOT NULL DEFAULT NOW()
+)`),
+
+    db.query(`CREATE TABLE IF NOT EXISTS warden_verified_ranges (
+  key        VARCHAR(64)  PRIMARY KEY,
+  payload    JSONB        NOT NULL,
+  synced_at  TIMESTAMPTZ  NOT NULL DEFAULT NOW()
+)`)
+  ]);
+
+  await Promise.all([
+    db.query(`CREATE INDEX IF NOT EXISTS idx_reputation_last_seen ON warden_reputation(last_seen)`),
+    db.query(`CREATE INDEX IF NOT EXISTS idx_reputation_blocked ON warden_reputation(blocked_until) WHERE blocked_until IS NOT NULL`),
+    db.query(`CREATE INDEX IF NOT EXISTS idx_requests_ip_time ON warden_requests(ip_hash, timestamp DESC)`),
+    db.query(`CREATE INDEX IF NOT EXISTS idx_requests_timestamp ON warden_requests(timestamp)`),
+    db.query(`CREATE INDEX IF NOT EXISTS idx_sessions_last_seen ON warden_sessions(last_seen)`),
+  ]);
+
+  console.log('Migration complete');
+}
+
+if (require.main === module) {
+  if (!process.env.CONNECTION_STRING) {
+    console.error('Error: CONNECTION_STRING environment variable is required.');
+    process.exit(1);
+  }
+
+  migrate()
+    .then(() => pool.end())
+    .catch((err) => {
+      console.error('Migration failed:', err);
+      process.exit(1);
+    });
+}
+
+module.exports = { migrate };