npm - @intranefr/superbackend - Versions diffs - 1.5.0 → 1.5.1 - Mend

@intranefr/superbackend 1.5.0 → 1.5.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (171) hide show

package/.env.example +5 -0
package/README.md +11 -0
package/index.js +23 -0
package/package.json +7 -2
package/src/admin/endpointRegistry.js +120 -0
package/src/controllers/admin.controller.js +22 -5
package/src/controllers/adminBlockDefinitions.controller.js +127 -0
package/src/controllers/adminBlockDefinitionsAi.controller.js +54 -0
package/src/controllers/adminCache.controller.js +342 -0
package/src/controllers/adminContextBlockDefinitions.controller.js +141 -0
package/src/controllers/adminCrons.controller.js +388 -0
package/src/controllers/adminDbBrowser.controller.js +124 -0
package/src/controllers/adminEjsVirtual.controller.js +13 -3
package/src/controllers/adminHeadless.controller.js +9 -2
package/src/controllers/adminHealthChecks.controller.js +570 -0
package/src/controllers/adminI18n.controller.js +51 -29
package/src/controllers/adminLlm.controller.js +126 -2
package/src/controllers/adminPages.controller.js +720 -0
package/src/controllers/adminPagesContextBlocksAi.controller.js +54 -0
package/src/controllers/adminProxy.controller.js +113 -0
package/src/controllers/adminRateLimits.controller.js +138 -0
package/src/controllers/adminRbac.controller.js +803 -0
package/src/controllers/adminScripts.controller.js +93 -2
package/src/controllers/adminSeoConfig.controller.js +71 -48
package/src/controllers/blogAdmin.controller.js +279 -0
package/src/controllers/blogAiAdmin.controller.js +224 -0
package/src/controllers/blogAutomationAdmin.controller.js +141 -0
package/src/controllers/blogInternal.controller.js +26 -0
package/src/controllers/blogPublic.controller.js +89 -0
package/src/controllers/fileManager.controller.js +190 -0
package/src/controllers/fileManagerStoragePolicy.controller.js +23 -0
package/src/controllers/healthChecksPublic.controller.js +196 -0
package/src/controllers/metrics.controller.js +64 -4
package/src/controllers/orgAdmin.controller.js +80 -0
package/src/middleware/internalCronAuth.js +29 -0
package/src/middleware/rbac.js +62 -0
package/src/middleware.js +756 -48
package/src/models/BlockDefinition.js +27 -0
package/src/models/BlogAutomationLock.js +14 -0
package/src/models/BlogAutomationRun.js +39 -0
package/src/models/BlogPost.js +42 -0
package/src/models/CacheEntry.js +26 -0
package/src/models/ConsoleEntry.js +32 -0
package/src/models/ConsoleLog.js +23 -0
package/src/models/ContextBlockDefinition.js +33 -0
package/src/models/CronExecution.js +47 -0
package/src/models/CronJob.js +70 -0
package/src/models/ExternalDbConnection.js +49 -0
package/src/models/FileEntry.js +22 -0
package/src/models/HealthAutoHealAttempt.js +57 -0
package/src/models/HealthCheck.js +132 -0
package/src/models/HealthCheckRun.js +51 -0
package/src/models/HealthIncident.js +49 -0
package/src/models/Page.js +95 -0
package/src/models/PageCollection.js +42 -0
package/src/models/ProxyEntry.js +66 -0
package/src/models/RateLimitCounter.js +19 -0
package/src/models/RateLimitMetricBucket.js +20 -0
package/src/models/RbacGrant.js +25 -0
package/src/models/RbacGroup.js +16 -0
package/src/models/RbacGroupMember.js +13 -0
package/src/models/RbacGroupRole.js +13 -0
package/src/models/RbacRole.js +25 -0
package/src/models/RbacUserRole.js +13 -0
package/src/routes/adminBlog.routes.js +21 -0
package/src/routes/adminBlogAi.routes.js +16 -0
package/src/routes/adminBlogAutomation.routes.js +27 -0
package/src/routes/adminCache.routes.js +20 -0
package/src/routes/adminConsoleManager.routes.js +302 -0
package/src/routes/adminCrons.routes.js +25 -0
package/src/routes/adminDbBrowser.routes.js +65 -0
package/src/routes/adminEjsVirtual.routes.js +2 -1
package/src/routes/adminHeadless.routes.js +2 -1
package/src/routes/adminHealthChecks.routes.js +28 -0
package/src/routes/adminI18n.routes.js +4 -3
package/src/routes/adminLlm.routes.js +4 -2
package/src/routes/adminPages.routes.js +55 -0
package/src/routes/adminProxy.routes.js +15 -0
package/src/routes/adminRateLimits.routes.js +17 -0
package/src/routes/adminRbac.routes.js +38 -0
package/src/routes/adminSeoConfig.routes.js +5 -4
package/src/routes/adminUiComponents.routes.js +2 -1
package/src/routes/blogInternal.routes.js +14 -0
package/src/routes/blogPublic.routes.js +9 -0
package/src/routes/fileManager.routes.js +62 -0
package/src/routes/fileManagerStoragePolicy.routes.js +9 -0
package/src/routes/healthChecksPublic.routes.js +9 -0
package/src/routes/log.routes.js +43 -60
package/src/routes/metrics.routes.js +4 -2
package/src/routes/orgAdmin.routes.js +1 -0
package/src/routes/pages.routes.js +123 -0
package/src/routes/proxy.routes.js +46 -0
package/src/routes/rbac.routes.js +47 -0
package/src/routes/webhook.routes.js +2 -1
package/src/routes/workflows.routes.js +4 -0
package/src/services/blockDefinitionsAi.service.js +247 -0
package/src/services/blog.service.js +99 -0
package/src/services/blogAutomation.service.js +978 -0
package/src/services/blogCronsBootstrap.service.js +184 -0
package/src/services/blogPublishing.service.js +58 -0
package/src/services/cacheLayer.service.js +696 -0
package/src/services/consoleManager.service.js +700 -0
package/src/services/consoleOverride.service.js +6 -1
package/src/services/cronScheduler.service.js +350 -0
package/src/services/dbBrowser.service.js +536 -0
package/src/services/ejsVirtual.service.js +102 -32
package/src/services/fileManager.service.js +475 -0
package/src/services/fileManagerStoragePolicy.service.js +285 -0
package/src/services/healthChecks.service.js +650 -0
package/src/services/healthChecksBootstrap.service.js +109 -0
package/src/services/healthChecksScheduler.service.js +106 -0
package/src/services/llmDefaults.service.js +190 -0
package/src/services/migrationAssets/s3.js +2 -2
package/src/services/pages.service.js +602 -0
package/src/services/pagesContext.service.js +331 -0
package/src/services/pagesContextBlocksAi.service.js +349 -0
package/src/services/proxy.service.js +535 -0
package/src/services/rateLimiter.service.js +623 -0
package/src/services/rbac.service.js +212 -0
package/src/services/scriptsRunner.service.js +1 -1
package/src/services/uiComponentsAi.service.js +6 -19
package/src/services/workflow.service.js +23 -8
package/src/utils/orgRoles.js +14 -0
package/src/utils/rbac/engine.js +60 -0
package/src/utils/rbac/rightsRegistry.js +29 -0
package/views/admin-blog-automation.ejs +877 -0
package/views/admin-blog-edit.ejs +542 -0
package/views/admin-blog.ejs +399 -0
package/views/admin-cache.ejs +681 -0
package/views/admin-console-manager.ejs +680 -0
package/views/admin-crons.ejs +645 -0
package/views/admin-db-browser.ejs +445 -0
package/views/admin-ejs-virtual.ejs +16 -10
package/views/admin-file-manager.ejs +942 -0
package/views/admin-health-checks.ejs +725 -0
package/views/admin-i18n.ejs +59 -5
package/views/admin-llm.ejs +99 -1
package/views/admin-organizations.ejs +163 -1
package/views/admin-pages.ejs +2424 -0
package/views/admin-proxy.ejs +491 -0
package/views/admin-rate-limiter.ejs +625 -0
package/views/admin-rbac.ejs +1331 -0
package/views/admin-scripts.ejs +1 -1
package/views/admin-seo-config.ejs +61 -7
package/views/admin-ui-components.ejs +57 -25
package/views/admin-workflows.ejs +7 -7
package/views/file-manager.ejs +866 -0
package/views/pages/blocks/contact.ejs +27 -0
package/views/pages/blocks/cta.ejs +18 -0
package/views/pages/blocks/faq.ejs +20 -0
package/views/pages/blocks/features.ejs +19 -0
package/views/pages/blocks/hero.ejs +13 -0
package/views/pages/blocks/html.ejs +5 -0
package/views/pages/blocks/image.ejs +14 -0
package/views/pages/blocks/testimonials.ejs +26 -0
package/views/pages/blocks/text.ejs +10 -0
package/views/pages/layouts/default.ejs +51 -0
package/views/pages/layouts/minimal.ejs +42 -0
package/views/pages/layouts/sidebar.ejs +54 -0
package/views/pages/partials/footer.ejs +13 -0
package/views/pages/partials/header.ejs +12 -0
package/views/pages/partials/sidebar.ejs +8 -0
package/views/pages/runtime/page.ejs +10 -0
package/views/pages/templates/article.ejs +20 -0
package/views/pages/templates/default.ejs +12 -0
package/views/pages/templates/landing.ejs +14 -0
package/views/pages/templates/listing.ejs +15 -0
package/views/partials/admin-image-upload-modal.ejs +221 -0
package/views/partials/dashboard/nav-items.ejs +11 -0
package/views/partials/llm-provider-model-picker.ejs +183 -0
package/src/routes/llmUi.routes.js +0 -26

package/src/services/rateLimiter.service.js ADDED Viewed

@@ -0,0 +1,623 @@
+const crypto = require('crypto');
+const mongoose = require('mongoose');
+const JsonConfig = require('../models/JsonConfig');
+const RateLimitCounter = require('../models/RateLimitCounter');
+const RateLimitMetricBucket = require('../models/RateLimitMetricBucket');
+const { parseJsonOrThrow, clearJsonConfigCache } = require('./jsonConfigs.service');
+const { verifyAccessToken } = require('../utils/jwt');
+const RATE_LIMITS_KEY = 'rate-limits';
+const registry = new Map();
+const bootstrapState = new Map();
+function deepMerge(base, override) {
+  if (!override || typeof override !== 'object') return base;
+  if (!base || typeof base !== 'object') return override;
+  if (Array.isArray(base) || Array.isArray(override)) return override;
+  const out = { ...base };
+  for (const [k, v] of Object.entries(override)) {
+    if (v && typeof v === 'object' && !Array.isArray(v) && base[k] && typeof base[k] === 'object' && !Array.isArray(base[k])) {
+      out[k] = deepMerge(base[k], v);
+    } else {
+      out[k] = v;
+    }
+  }
+  return out;
+}
+function sha256(value) {
+  return crypto.createHash('sha256').update(String(value || ''), 'utf8').digest('hex');
+}
+function getClientIp(req) {
+  const fromExpress = req.ip;
+  if (fromExpress) return String(fromExpress);
+  const forwarded = req.headers['x-forwarded-for'];
+  if (forwarded) return String(forwarded).split(',')[0].trim();
+  return 'unknown';
+}
+function tryExtractUserIdFromBearer(req) {
+  try {
+    if (req.user?._id) return String(req.user._id);
+    const authHeader = req.headers.authorization;
+    if (!authHeader || !authHeader.startsWith('Bearer ')) return null;
+    const token = authHeader.slice(7).trim();
+    if (!token) return null;
+    const decoded = verifyAccessToken(token);
+    if (!decoded?.userId) return null;
+    return String(decoded.userId);
+  } catch (_) {
+    return null;
+  }
+}
+async function ensureRateLimitsJsonConfigExists() {
+  const existing = await JsonConfig.findOne({ $or: [{ slug: RATE_LIMITS_KEY }, { alias: RATE_LIMITS_KEY }] });
+  if (existing) return existing;
+  const defaultConfig = {
+    version: 1,
+    defaults: {
+      enabled: false,
+      mode: 'reportOnly',
+      algorithm: 'fixedWindow',
+      limit: { max: 600, windowMs: 60000 },
+      identity: { type: 'userIdOrIp' },
+      metrics: { enabled: true, bucketMs: 60000, retentionDays: 14 },
+      store: { ttlBufferMs: 60000, failOpen: true },
+    },
+    limiters: {},
+  };
+  const doc = await JsonConfig.create({
+    title: 'Rate Limits',
+    slug: RATE_LIMITS_KEY,
+    alias: RATE_LIMITS_KEY,
+    publicEnabled: false,
+    cacheTtlSeconds: 0,
+    jsonRaw: JSON.stringify(defaultConfig, null, 2),
+    jsonHash: sha256(JSON.stringify(defaultConfig)),
+  });
+  clearJsonConfigCache(RATE_LIMITS_KEY);
+  return doc;
+}
+async function getRateLimitsConfigDoc() {
+  const doc = await ensureRateLimitsJsonConfigExists();
+  return doc;
+}
+async function getRateLimitsConfigData() {
+  const doc = await ensureRateLimitsJsonConfigExists();
+  const jsonRaw = String(doc.jsonRaw || '');
+  const data = parseJsonOrThrow(jsonRaw);
+  return { doc, data };
+}
+function normalizeLimiterId(limiterId) {
+  const id = String(limiterId || '').trim();
+  if (!id) throw new Error('limiterId is required');
+  return id;
+}
+function registerLimiter(limiterId, { label, integration, inferredMountPath } = {}) {
+  const id = normalizeLimiterId(limiterId);
+  const existing = registry.get(id) || { id, label: id, integration: null };
+  const next = { ...existing };
+  if (label) next.label = String(label);
+  if (integration && typeof integration === 'object' && !Array.isArray(integration)) {
+    next.integration = { ...(existing.integration || {}), ...integration };
+  }
+  if (inferredMountPath && (!next.integration || !next.integration.mountPath)) {
+    next.integration = { ...(next.integration || {}), mountPath: String(inferredMountPath) };
+  }
+  registry.set(id, next);
+  return next;
+}
+async function ensureLimiterOverrideExists(limiterId) {
+  const id = normalizeLimiterId(limiterId);
+  const state = bootstrapState.get(id) || { inFlight: null, done: false, scheduled: false };
+  if (state.done) return;
+  if (state.inFlight) return state.inFlight;
+  if (mongoose.connection.readyState !== 1) {
+    if (!state.scheduled) {
+      state.scheduled = true;
+      bootstrapState.set(id, state);
+      if (mongoose.connection && typeof mongoose.connection.once === 'function') {
+        mongoose.connection.once('connected', () => {
+          ensureLimiterOverrideExists(id);
+        });
+      }
+    }
+    return;
+  }
+  const p = (async () => {
+    const { doc, data } = await getRateLimitsConfigData();
+    const existing = data?.limiters && data.limiters[id];
+    if (existing && typeof existing === 'object' && !Array.isArray(existing)) {
+      state.done = true;
+      return;
+    }
+    const updated = {
+      version: Number(data?.version || 1) || 1,
+      defaults: data?.defaults || {},
+      limiters: { ...(data?.limiters || {}), [id]: { enabled: false } },
+    };
+    doc.jsonRaw = JSON.stringify(updated, null, 2);
+    doc.jsonHash = sha256(doc.jsonRaw);
+    await doc.save();
+    clearJsonConfigCache(RATE_LIMITS_KEY);
+    state.done = true;
+  })()
+    .catch((error) => {
+      console.error('Error bootstrapping rate limiter config:', error);
+    })
+    .finally(() => {
+      state.inFlight = null;
+      bootstrapState.set(id, state);
+    });
+  state.inFlight = p;
+  bootstrapState.set(id, state);
+  return p;
+}
+function baseDefaults() {
+  return {
+    enabled: false,
+    mode: 'reportOnly',
+    algorithm: 'fixedWindow',
+    limit: { max: 60, windowMs: 60000 },
+    identity: { type: 'userIdOrIp' },
+    metrics: { enabled: true, bucketMs: 60000, retentionDays: 14 },
+    store: { ttlBufferMs: 60000, failOpen: true },
+  };
+}
+function resolveEffectiveConfig({ registryConfig, globalDefaults, limiterOverride }) {
+  const merged = deepMerge(deepMerge(deepMerge(baseDefaults(), registryConfig || {}), globalDefaults || {}), limiterOverride || {});
+  if (merged.limit) {
+    merged.limit.max = Math.max(0, Number(merged.limit.max || 0) || 0);
+    merged.limit.windowMs = Math.max(1, Number(merged.limit.windowMs || 1) || 1);
+  }
+  if (merged.metrics) {
+    merged.metrics.bucketMs = Math.max(1000, Number(merged.metrics.bucketMs || 60000) || 60000);
+    merged.metrics.retentionDays = Math.max(1, Number(merged.metrics.retentionDays || 14) || 14);
+  }
+  if (!merged.store) merged.store = {};
+  merged.store.ttlBufferMs = Math.max(0, Number(merged.store.ttlBufferMs || 0) || 0);
+  merged.store.failOpen = merged.store.failOpen !== false;
+  if (!merged.identity) merged.identity = { type: 'userIdOrIp' };
+  return merged;
+}
+function computeIdentityKey(identityCfg, { req, identity } = {}) {
+  const cfg = identityCfg || { type: 'userIdOrIp' };
+  const id = identity && typeof identity === 'object' ? identity : {};
+  const userId = id.userId || tryExtractUserIdFromBearer(req);
+  const ip = id.ip || getClientIp(req);
+  const orgId = id.orgId || (req.org?._id ? String(req.org._id) : null);
+  if (id.identityKey) return String(id.identityKey);
+  const type = String(cfg.type || 'userIdOrIp');
+  if (type === 'userId') return userId ? `user:${userId}` : `ip:${ip}`;
+  if (type === 'ip') return `ip:${ip}`;
+  if (type === 'orgId') return orgId ? `org:${orgId}` : (userId ? `user:${userId}` : `ip:${ip}`);
+  if (type === 'header') {
+    const headerName = String(cfg.headerName || '').toLowerCase();
+    const headerValue = headerName ? req.get(headerName) : null;
+    if (headerValue) return `header:${headerName}:${String(headerValue)}`;
+    return userId ? `user:${userId}` : `ip:${ip}`;
+  }
+  return userId ? `user:${userId}` : `ip:${ip}`;
+}
+function computeWindowStart(now, windowMs) {
+  const ms = Number(windowMs || 60000) || 60000;
+  return new Date(Math.floor(now.getTime() / ms) * ms);
+}
+async function recordMetrics({ limiterId, bucketStart, allowed, blocked, checked, retentionDays }) {
+  const ttlDays = Math.max(1, Number(retentionDays || 14) || 14);
+  const expiresAt = new Date(bucketStart.getTime() + ttlDays * 24 * 60 * 60 * 1000);
+  await RateLimitMetricBucket.findOneAndUpdate(
+    { limiterId, bucketStart },
+    {
+      $inc: {
+        checked: checked ? 1 : 0,
+        allowed: allowed ? 1 : 0,
+        blocked: blocked ? 1 : 0,
+      },
+      $setOnInsert: { expiresAt },
+    },
+    { upsert: true },
+  );
+}
+async function check(limiterId, { req, identity } = {}) {
+  const id = normalizeLimiterId(limiterId);
+  registerLimiter(id);
+  ensureLimiterOverrideExists(id);
+  const failOpen = true;
+  if (mongoose.connection.readyState !== 1) {
+    if (failOpen) {
+      return {
+        ok: false,
+        limiterId: String(id),
+        allowed: true,
+        enforced: false,
+        reason: 'DB_NOT_CONNECTED',
+      };
+    }
+    return {
+      ok: false,
+      limiterId: String(id),
+      allowed: false,
+      enforced: true,
+      reason: 'DB_NOT_CONNECTED',
+    };
+  }
+  let configDoc;
+  let configData;
+  try {
+    const cfg = await getRateLimitsConfigData();
+    configDoc = cfg.doc;
+    configData = cfg.data;
+  } catch (e) {
+    if (failOpen) {
+      return {
+        ok: false,
+        limiterId: String(id),
+        allowed: true,
+        enforced: false,
+        reason: 'CONFIG_ERROR',
+        error: e.message,
+      };
+    }
+    return {
+      ok: false,
+      limiterId: String(id),
+      allowed: false,
+      enforced: true,
+      reason: 'CONFIG_ERROR',
+      error: e.message,
+    };
+  }
+  const globalDefaults = configData?.defaults || {};
+  const hasOverride = configData?.limiters && Object.prototype.hasOwnProperty.call(configData.limiters, String(id));
+  const limiterOverrideRaw = hasOverride ? configData.limiters[String(id)] : null;
+  const limiterOverride = limiterOverrideRaw && typeof limiterOverrideRaw === 'object' && !Array.isArray(limiterOverrideRaw)
+    ? limiterOverrideRaw
+    : { enabled: false };
+  const effective = resolveEffectiveConfig({
+    registryConfig: {},
+    globalDefaults,
+    limiterOverride,
+  });
+  const enabled = effective.enabled !== false;
+  const mode = String(effective.mode || 'reportOnly');
+  if (!enabled || mode === 'disabled') {
+    return {
+      ok: true,
+      limiterId: String(id),
+      allowed: true,
+      enforced: false,
+      reason: 'DISABLED',
+      config: effective,
+      configDoc: configDoc?._id ? String(configDoc._id) : null,
+    };
+  }
+  const effectiveFailOpen = effective.store?.failOpen !== false;
+  const now = new Date();
+  const max = Number(effective.limit?.max || 0) || 0;
+  const windowMs = Number(effective.limit?.windowMs || 60000) || 60000;
+  const windowStart = computeWindowStart(now, windowMs);
+  const ttlBufferMs = Number(effective.store?.ttlBufferMs || 0) || 0;
+  const identityKey = computeIdentityKey(effective.identity, { req, identity });
+  let count;
+  try {
+    const expiresAt = new Date(windowStart.getTime() + windowMs + ttlBufferMs);
+    const updated = await RateLimitCounter.findOneAndUpdate(
+      { limiterId: String(limiterId), identityKey: String(identityKey), windowStart },
+      {
+        $inc: { count: 1 },
+        $setOnInsert: { expiresAt },
+      },
+      { upsert: true, new: true },
+    );
+    count = Number(updated?.count || 0) || 0;
+  } catch (e) {
+    if (effectiveFailOpen) {
+      return {
+        ok: false,
+        limiterId: String(id),
+        allowed: true,
+        enforced: false,
+        reason: 'STORE_ERROR',
+        error: e.message,
+        config: effective,
+      };
+    }
+    return {
+      ok: false,
+      limiterId: String(id),
+      allowed: false,
+      enforced: true,
+      reason: 'STORE_ERROR',
+      error: e.message,
+      config: effective,
+    };
+  }
+  const allowed = max <= 0 ? true : count <= max;
+  const enforced = mode === 'enforce';
+  if (effective.metrics?.enabled !== false) {
+    const bucketMs = Number(effective.metrics?.bucketMs || 60000) || 60000;
+    const bucketStart = new Date(Math.floor(now.getTime() / bucketMs) * bucketMs);
+    try {
+      await recordMetrics({
+        limiterId: String(id),
+        bucketStart,
+        allowed,
+        blocked: !allowed,
+        checked: true,
+        retentionDays: effective.metrics?.retentionDays,
+      });
+    } catch (_) {
+    }
+  }
+  const remaining = max <= 0 ? null : Math.max(0, max - count);
+  const retryAfterMs = allowed ? 0 : Math.max(0, windowStart.getTime() + windowMs - now.getTime());
+  return {
+    ok: true,
+    limiterId: String(id),
+    allowed: enforced ? allowed : true,
+    enforced,
+    mode,
+    limit: max,
+    remaining,
+    retryAfterMs,
+    windowStart: windowStart.toISOString(),
+    windowMs,
+    identityKey,
+    config: effective,
+  };
+}
+function limit(limiterId, opts = {}) {
+  const getIdentity = typeof opts.getIdentity === 'function' ? opts.getIdentity : null;
+  const label = opts && typeof opts === 'object' ? opts.label : null;
+  const integration = opts && typeof opts === 'object' ? opts.integration : null;
+  const id = normalizeLimiterId(limiterId);
+  registerLimiter(id, { label, integration });
+  ensureLimiterOverrideExists(id);
+  let bootstrapAttemptedInRequest = false;
+  return async (req, res, next) => {
+    try {
+      if (!bootstrapAttemptedInRequest) {
+        bootstrapAttemptedInRequest = true;
+        const inferredMountPath = req?.baseUrl || req?.path || null;
+        registerLimiter(id, { inferredMountPath });
+        await ensureLimiterOverrideExists(id);
+      }
+      const identity = getIdentity ? getIdentity(req) : null;
+      const result = await check(id, { req, identity });
+      if (typeof result.limit === 'number') {
+        res.setHeader('X-RateLimit-Limit', String(result.limit));
+      }
+      if (result.remaining !== null && result.remaining !== undefined) {
+        res.setHeader('X-RateLimit-Remaining', String(result.remaining));
+      }
+      if (result.retryAfterMs && result.retryAfterMs > 0) {
+        res.setHeader('Retry-After', String(Math.ceil(result.retryAfterMs / 1000)));
+      }
+      if (result.mode) {
+        res.setHeader('X-RateLimit-Mode', String(result.mode));
+      }
+      if (!result.allowed) {
+        return res.status(429).json({ error: 'Too many requests' });
+      }
+      return next();
+    } catch (e) {
+      return next(e);
+    }
+  };
+}
+async function list() {
+  const { data } = await getRateLimitsConfigData();
+  const globalDefaults = data?.defaults || {};
+  const limiters = data?.limiters || {};
+  const ids = new Set([...Array.from(registry.keys()), ...Object.keys(limiters)]);
+  const items = [];
+  for (const id of ids) {
+    const entry = registry.get(id) || { id, label: id, integration: null };
+    const hasOverride = Object.prototype.hasOwnProperty.call(limiters, id);
+    const overrideRaw = hasOverride ? limiters[id] : null;
+    const override = overrideRaw && typeof overrideRaw === 'object' && !Array.isArray(overrideRaw) ? overrideRaw : (hasOverride ? {} : null);
+    const effectiveOverride = override || { enabled: false };
+    const effective = resolveEffectiveConfig({ registryConfig: {}, globalDefaults, limiterOverride: effectiveOverride });
+    items.push({
+      id,
+      label: entry.label,
+      integration: entry.integration,
+      registryConfig: {},
+      override,
+      effective,
+    });
+  }
+  items.sort((a, b) => a.id.localeCompare(b.id));
+  return items;
+}
+async function bulkSetEnabled({ enabled, ids, all } = {}) {
+  const { doc, data } = await getRateLimitsConfigData();
+  const limiters = { ...(data?.limiters || {}) };
+  const targetIds = all
+    ? Array.from(new Set([...Object.keys(limiters), ...Array.from(registry.keys())]))
+    : (Array.isArray(ids) ? ids.map((x) => String(x)) : []);
+  for (const rawId of targetIds) {
+    const id = normalizeLimiterId(rawId);
+    const current = limiters[id] && typeof limiters[id] === 'object' && !Array.isArray(limiters[id]) ? limiters[id] : {};
+    limiters[id] = { ...current, enabled: Boolean(enabled) };
+  }
+  const updated = {
+    version: Number(data?.version || 1) || 1,
+    defaults: data?.defaults || {},
+    limiters,
+  };
+  doc.jsonRaw = JSON.stringify(updated, null, 2);
+  doc.jsonHash = sha256(doc.jsonRaw);
+  await doc.save();
+  clearJsonConfigCache(RATE_LIMITS_KEY);
+  return updated;
+}
+async function setLimiterOverride(limiterId, override) {
+  const { doc, data } = await getRateLimitsConfigData();
+  const id = String(limiterId);
+  const next = typeof override === 'object' && override ? override : {};
+  const updated = {
+    version: Number(data?.version || 1) || 1,
+    defaults: data?.defaults || {},
+    limiters: { ...(data?.limiters || {}), [id]: next },
+  };
+  doc.jsonRaw = JSON.stringify(updated, null, 2);
+  doc.jsonHash = sha256(doc.jsonRaw);
+  await doc.save();
+  clearJsonConfigCache(RATE_LIMITS_KEY);
+  return updated;
+}
+async function resetLimiterOverride(limiterId) {
+  const { doc, data } = await getRateLimitsConfigData();
+  const id = String(limiterId);
+  const limiters = { ...(data?.limiters || {}) };
+  limiters[id] = { enabled: false };
+  const updated = {
+    version: Number(data?.version || 1) || 1,
+    defaults: data?.defaults || {},
+    limiters,
+  };
+  doc.jsonRaw = JSON.stringify(updated, null, 2);
+  doc.jsonHash = sha256(doc.jsonRaw);
+  await doc.save();
+  clearJsonConfigCache(RATE_LIMITS_KEY);
+  return updated;
+}
+async function updateRawConfig({ jsonRaw }) {
+  const { doc } = await getRateLimitsConfigData();
+  parseJsonOrThrow(jsonRaw);
+  doc.jsonRaw = String(jsonRaw);
+  doc.jsonHash = sha256(doc.jsonRaw);
+  await doc.save();
+  clearJsonConfigCache(RATE_LIMITS_KEY);
+  return doc.toObject();
+}
+async function queryMetrics({ start, end } = {}) {
+  const endDate = end ? new Date(end) : new Date();
+  const startDate = start ? new Date(start) : new Date(endDate.getTime() - 24 * 60 * 60 * 1000);
+  const items = await RateLimitMetricBucket.find({
+    bucketStart: { $gte: startDate, $lte: endDate },
+  }).lean();
+  const totals = {};
+  for (const row of items) {
+    const id = String(row.limiterId);
+    if (!totals[id]) totals[id] = { checked: 0, allowed: 0, blocked: 0 };
+    totals[id].checked += Number(row.checked || 0) || 0;
+    totals[id].allowed += Number(row.allowed || 0) || 0;
+    totals[id].blocked += Number(row.blocked || 0) || 0;
+  }
+  return {
+    range: { start: startDate.toISOString(), end: endDate.toISOString() },
+    totals,
+    buckets: items,
+  };
+}
+module.exports = {
+  limit,
+  check,
+  list,
+  getRateLimitsConfigDoc,
+  getRateLimitsConfigData,
+  updateRawConfig,
+  setLimiterOverride,
+  resetLimiterOverride,
+  bulkSetEnabled,
+  queryMetrics,
+};