@iskra-bun/web-kit 0.1.0 → 0.2.0

package/dist/index.js

@@ -1,7 +1,3 @@
-import {
-  BaseStorageAdapter
-} from "./chunk-POXNRNTC.js";
-
 // src/kernel.ts
 import { Hono } from "hono";
 import { HTTPException } from "hono/http-exception";
@@ -263,9 +259,21 @@ var WebDriver = class {
   }
   init(app) {
     this.app = app;
+    this.setupSecurityHeaders();
     this.setupRoutes();
     this.setupOpenApi();
   }
+  // Apply the same standard security headers as the Kernel HTTP stack
+  // (web-kit/src/kernel.ts) so the standalone WebDriver server is at parity.
+  setupSecurityHeaders() {
+    this.server.use("*", async (c, next) => {
+      await next();
+      c.res.headers.set("X-Frame-Options", "SAMEORIGIN");
+      c.res.headers.set("X-Content-Type-Options", "nosniff");
+      c.res.headers.set("X-XSS-Protection", "1; mode=block");
+      c.res.headers.set("Referrer-Policy", "strict-origin-when-cross-origin");
+    });
+  }
   setupOpenApi() {
     if (this.options.openApi) {
       this.server.doc(this.options.openApi.path, {
@@ -334,7 +342,7 @@ var WebDriver = class {
           return c.json(result);
         } catch (err) {
           this.app.logger.error(err);
-          return c.json({ error: err.message }, 500);
+          return c.json({ error: "Internal Server Error" }, 500);
         }
       });
     }
@@ -549,14 +557,20 @@ var HealthCheckFeature = class {
   name = "health";
   kernel;
   config;
+  readinessChecks;
   constructor(config = {}) {
     this.config = {
       path: config.path || "/health",
       readinessPath: config.readinessPath || "/health/ready",
       livenessPath: config.livenessPath || "/health/live",
-      includeDetails: config.includeDetails !== void 0 ? config.includeDetails : true,
+      includeDetails: config.includeDetails !== void 0 ? config.includeDetails : false,
       checks: config.checks
     };
+    const initial = config.readinessChecks ?? {};
+    this.readinessChecks = new Map(Object.entries(initial));
+  }
+  addReadinessCheck(name, check) {
+    this.readinessChecks = new Map([...this.readinessChecks, [name, check]]);
   }
   async initialize(kernel) {
     this.kernel = kernel;
@@ -587,7 +601,8 @@ var HealthCheckFeature = class {
           try {
             customChecks[name] = await check(c);
           } catch (error) {
-            customChecks[name] = { status: "error", error: String(error) };
+            console.error(`Health custom check "${name}" failed:`, error);
+            customChecks[name] = { status: "error" };
           }
         }
         response.customChecks = customChecks;
@@ -603,11 +618,30 @@ var HealthCheckFeature = class {
         report[key] = { status: "ok" };
       }
     } catch (e) {
-      report[key] = { status: "error", error: String(e) };
+      console.error(`Health feature check "${key}" failed:`, e);
+      report[key] = { status: "error" };
     }
   }
   async handleReadinessCheck(c) {
-    return c.json({ status: "ready" });
+    if (this.readinessChecks.size === 0) {
+      return c.json({ status: "ready" });
+    }
+    const results = {};
+    const failed = [];
+    for (const [name, check] of this.readinessChecks) {
+      try {
+        const passed = await check();
+        results[name] = passed;
+        if (!passed) failed.push(name);
+      } catch {
+        results[name] = false;
+        failed.push(name);
+      }
+    }
+    if (failed.length > 0) {
+      return c.json({ status: "not ready", checks: results, failed }, 503);
+    }
+    return c.json({ status: "ready", checks: results });
   }
   async handleLivenessCheck(c) {
     return c.json({
@@ -698,120 +732,9 @@ var RequestIdFeature = class {
   }
 };
 
-// src/features/storage/adapters/local.ts
-import path from "path";
-import fs from "fs/promises";
-var LocalStorageAdapter = class extends BaseStorageAdapter {
-  basePath;
-  constructor(config) {
-    super();
-    this.basePath = config.basePath || "./storage";
-  }
-  async connect() {
-    await fs.mkdir(this.basePath, { recursive: true });
-    this.connected = true;
-    console.log(`\u2705 Local storage connected at: ${this.basePath}`);
-  }
-  async disconnect() {
-    this.connected = false;
-  }
-  async put(filePath, data, options) {
-    this.ensureConnected();
-    const sanitizedPath = this.sanitizePath(filePath);
-    const fullPath = path.join(this.basePath, sanitizedPath);
-    await fs.mkdir(path.dirname(fullPath), { recursive: true });
-    await fs.writeFile(fullPath, data);
-    const stat = await fs.stat(fullPath);
-    return {
-      name: path.basename(sanitizedPath),
-      path: sanitizedPath,
-      size: stat.size,
-      mimeType: options?.contentType || this.getMimeType(sanitizedPath),
-      lastModified: stat.mtime,
-      url: await this.url(sanitizedPath)
-    };
-  }
-  async get(filePath) {
-    this.ensureConnected();
-    const sanitizedPath = this.sanitizePath(filePath);
-    const fullPath = path.join(this.basePath, sanitizedPath);
-    try {
-      return await fs.readFile(fullPath);
-    } catch (error) {
-      if (error.code === "ENOENT") return null;
-      throw error;
-    }
-  }
-  async delete(filePath) {
-    this.ensureConnected();
-    const sanitizedPath = this.sanitizePath(filePath);
-    const fullPath = path.join(this.basePath, sanitizedPath);
-    try {
-      await fs.unlink(fullPath);
-    } catch (error) {
-      if (error.code !== "ENOENT") throw error;
-    }
-  }
-  async exists(filePath) {
-    this.ensureConnected();
-    const sanitizedPath = this.sanitizePath(filePath);
-    const fullPath = path.join(this.basePath, sanitizedPath);
-    try {
-      await fs.access(fullPath);
-      return true;
-    } catch {
-      return false;
-    }
-  }
-  async isDirectory(filePath) {
-    this.ensureConnected();
-    const sanitizedPath = this.sanitizePath(filePath);
-    const fullPath = path.join(this.basePath, sanitizedPath);
-    try {
-      const stat = await fs.stat(fullPath);
-      return stat.isDirectory();
-    } catch {
-      return false;
-    }
-  }
-  async list(prefix) {
-    this.ensureConnected();
-    const searchPath = prefix ? path.join(this.basePath, this.sanitizePath(prefix)) : this.basePath;
-    const files = [];
-    const walk = async (dir) => {
-      try {
-        const entries = await fs.readdir(dir, { withFileTypes: true });
-        for (const entry of entries) {
-          const fullPath = path.join(dir, entry.name);
-          if (entry.isDirectory()) {
-            await walk(fullPath);
-          } else {
-            const relativePath = path.relative(this.basePath, fullPath);
-            const stat = await fs.stat(fullPath);
-            files.push({
-              name: entry.name,
-              path: this.sanitizePath(relativePath),
-              size: stat.size,
-              mimeType: this.getMimeType(entry.name),
-              lastModified: stat.mtime,
-              url: await this.url(this.sanitizePath(relativePath))
-            });
-          }
-        }
-      } catch (e) {
-        if (e.code !== "ENOENT") throw e;
-      }
-    };
-    await walk(searchPath);
-    return files;
-  }
-  async url(filePath, _expiresIn) {
-    const sanitizedPath = this.sanitizePath(filePath);
-    return `/storage/${sanitizedPath}`;
-  }
-};
-
 // src/features/storage/index.ts
+import { createStorageAdapter } from "@iskra-bun/storage-kit";
+import { BaseStorageAdapter as BaseStorageAdapter2, LocalStorageAdapter } from "@iskra-bun/storage-kit";
 var StorageFeature = class {
   constructor(config) {
     this.config = config;
@@ -820,14 +743,7 @@ var StorageFeature = class {
   name = "storage";
   adapter;
   async initialize(kernel) {
-    if (this.config.adapter === "local") {
-      this.adapter = new LocalStorageAdapter(this.config);
-    } else if (this.config.adapter === "s3" || this.config.adapter === "minio") {
-      const { S3StorageAdapter } = await import("./s3-7IG4ESFW.js");
-      this.adapter = new S3StorageAdapter(this.config);
-    } else {
-      throw new Error(`Adapter ${this.config.adapter} not supported.`);
-    }
+    this.adapter = await createStorageAdapter(this.config);
     await this.adapter.connect();
     const app = kernel.getApp();
     app.use("*", async (c, next) => {
@@ -905,7 +821,8 @@ var DbFeature = class {
       }
       console.log("\u2705 DB connected successfully.");
     } catch (error) {
-      console.error("\u274C Failed to connect to DB", error);
+      const message = error instanceof Error ? error.message : String(error);
+      console.error(`\u274C Failed to connect to DB: ${message}`);
       throw error;
     }
     const app = kernel.getApp();
@@ -1278,266 +1195,7 @@ var SessionFeature = class {
 
 // src/features/auth/index.ts
 import { HTTPException as HTTPException4 } from "hono/http-exception";
-
-// src/features/auth/better-auth-config.ts
-import { betterAuth } from "better-auth";
-import { drizzleAdapter } from "better-auth/adapters/drizzle";
-import { genericOAuth } from "better-auth/plugins/generic-oauth";
-
-// src/features/auth/schema.ts
-import { pgTable as pgTable2, text, timestamp, boolean } from "drizzle-orm/pg-core";
-import { mysqlTable as mysqlTable2, varchar, timestamp as mysqlTimestamp, boolean as mysqlBoolean, text as mysqlText } from "drizzle-orm/mysql-core";
-import { sqliteTable as sqliteTable2, text as sqliteText2, integer } from "drizzle-orm/sqlite-core";
-var pgUser = pgTable2("user", {
-  id: text("id").primaryKey(),
-  name: text("name"),
-  email: text("email").notNull().unique(),
-  emailVerified: boolean("emailVerified").notNull(),
-  image: text("image"),
-  createdAt: timestamp("createdAt").notNull(),
-  updatedAt: timestamp("updatedAt").notNull()
-});
-var pgSession = pgTable2("session", {
-  id: text("id").primaryKey(),
-  expiresAt: timestamp("expiresAt").notNull(),
-  token: text("token").notNull().unique(),
-  createdAt: timestamp("createdAt").notNull(),
-  updatedAt: timestamp("updatedAt").notNull(),
-  ipAddress: text("ipAddress"),
-  userAgent: text("userAgent"),
-  userId: text("userId").notNull().references(() => pgUser.id)
-});
-var pgAccount = pgTable2("account", {
-  id: text("id").primaryKey(),
-  accountId: text("accountId").notNull(),
-  providerId: text("providerId").notNull(),
-  userId: text("userId").notNull().references(() => pgUser.id),
-  accessToken: text("accessToken"),
-  refreshToken: text("refreshToken"),
-  idToken: text("idToken"),
-  accessTokenExpiresAt: timestamp("accessTokenExpiresAt"),
-  refreshTokenExpiresAt: timestamp("refreshTokenExpiresAt"),
-  scope: text("scope"),
-  password: text("password"),
-  createdAt: timestamp("createdAt").notNull(),
-  updatedAt: timestamp("updatedAt").notNull()
-});
-var pgVerification = pgTable2("verification", {
-  id: text("id").primaryKey(),
-  identifier: text("identifier").notNull(),
-  value: text("value").notNull(),
-  expiresAt: timestamp("expiresAt").notNull(),
-  createdAt: timestamp("createdAt"),
-  updatedAt: timestamp("updatedAt")
-});
-var pgSchema = {
-  user: pgUser,
-  session: pgSession,
-  account: pgAccount,
-  verification: pgVerification
-};
-var mysqlUser = mysqlTable2("user", {
-  id: varchar("id", { length: 36 }).primaryKey(),
-  name: varchar("name", { length: 255 }),
-  email: varchar("email", { length: 255 }).notNull().unique(),
-  emailVerified: mysqlBoolean("emailVerified").notNull(),
-  image: varchar("image", { length: 255 }),
-  createdAt: mysqlTimestamp("createdAt").notNull(),
-  updatedAt: mysqlTimestamp("updatedAt").notNull()
-});
-var mysqlSession = mysqlTable2("session", {
-  id: varchar("id", { length: 36 }).primaryKey(),
-  expiresAt: mysqlTimestamp("expiresAt").notNull(),
-  token: varchar("token", { length: 255 }).notNull().unique(),
-  createdAt: mysqlTimestamp("createdAt").notNull(),
-  updatedAt: mysqlTimestamp("updatedAt").notNull(),
-  ipAddress: varchar("ipAddress", { length: 45 }),
-  userAgent: mysqlText("userAgent"),
-  userId: varchar("userId", { length: 36 }).notNull().references(() => mysqlUser.id)
-});
-var mysqlAccount = mysqlTable2("account", {
-  id: varchar("id", { length: 36 }).primaryKey(),
-  accountId: varchar("accountId", { length: 255 }).notNull(),
-  providerId: varchar("providerId", { length: 255 }).notNull(),
-  userId: varchar("userId", { length: 36 }).notNull().references(() => mysqlUser.id),
-  accessToken: mysqlText("accessToken"),
-  refreshToken: mysqlText("refreshToken"),
-  idToken: mysqlText("idToken"),
-  accessTokenExpiresAt: mysqlTimestamp("accessTokenExpiresAt"),
-  refreshTokenExpiresAt: mysqlTimestamp("refreshTokenExpiresAt"),
-  scope: mysqlText("scope"),
-  password: varchar("password", { length: 255 }),
-  createdAt: mysqlTimestamp("createdAt").notNull(),
-  updatedAt: mysqlTimestamp("updatedAt").notNull()
-});
-var mysqlVerification = mysqlTable2("verification", {
-  id: varchar("id", { length: 36 }).primaryKey(),
-  identifier: varchar("identifier", { length: 255 }).notNull(),
-  value: varchar("value", { length: 255 }).notNull(),
-  expiresAt: mysqlTimestamp("expiresAt").notNull(),
-  createdAt: mysqlTimestamp("createdAt"),
-  updatedAt: mysqlTimestamp("updatedAt")
-});
-var mysqlSchema = {
-  user: mysqlUser,
-  session: mysqlSession,
-  account: mysqlAccount,
-  verification: mysqlVerification
-};
-var sqliteUser = sqliteTable2("user", {
-  id: sqliteText2("id").primaryKey(),
-  name: sqliteText2("name"),
-  email: sqliteText2("email").notNull().unique(),
-  emailVerified: integer("emailVerified", { mode: "boolean" }).notNull(),
-  image: sqliteText2("image"),
-  createdAt: integer("createdAt", { mode: "timestamp" }).notNull(),
-  updatedAt: integer("updatedAt", { mode: "timestamp" }).notNull()
-});
-var sqliteSession = sqliteTable2("session", {
-  id: sqliteText2("id").primaryKey(),
-  expiresAt: integer("expiresAt", { mode: "timestamp" }).notNull(),
-  token: sqliteText2("token").notNull().unique(),
-  createdAt: integer("createdAt", { mode: "timestamp" }).notNull(),
-  updatedAt: integer("updatedAt", { mode: "timestamp" }).notNull(),
-  ipAddress: sqliteText2("ipAddress"),
-  userAgent: sqliteText2("userAgent"),
-  userId: sqliteText2("userId").notNull().references(() => sqliteUser.id)
-});
-var sqliteAccount = sqliteTable2("account", {
-  id: sqliteText2("id").primaryKey(),
-  accountId: sqliteText2("accountId").notNull(),
-  providerId: sqliteText2("providerId").notNull(),
-  userId: sqliteText2("userId").notNull().references(() => sqliteUser.id),
-  accessToken: sqliteText2("accessToken"),
-  refreshToken: sqliteText2("refreshToken"),
-  idToken: sqliteText2("idToken"),
-  accessTokenExpiresAt: integer("accessTokenExpiresAt", { mode: "timestamp" }),
-  refreshTokenExpiresAt: integer("refreshTokenExpiresAt", { mode: "timestamp" }),
-  scope: sqliteText2("scope"),
-  password: sqliteText2("password"),
-  createdAt: integer("createdAt", { mode: "timestamp" }).notNull(),
-  updatedAt: integer("updatedAt", { mode: "timestamp" }).notNull()
-});
-var sqliteVerification = sqliteTable2("verification", {
-  id: sqliteText2("id").primaryKey(),
-  identifier: sqliteText2("identifier").notNull(),
-  value: sqliteText2("value").notNull(),
-  expiresAt: integer("expiresAt", { mode: "timestamp" }).notNull(),
-  createdAt: integer("createdAt", { mode: "timestamp" }),
-  updatedAt: integer("updatedAt", { mode: "timestamp" })
-});
-var sqliteSchema = {
-  user: sqliteUser,
-  session: sqliteSession,
-  account: sqliteAccount,
-  verification: sqliteVerification
-};
-
-// src/features/auth/better-auth-config.ts
-function createBetterAuth(options) {
-  const {
-    db,
-    adapterType,
-    secret,
-    baseURL = "http://localhost:3000",
-    basePath = "/api/auth",
-    trustedOrigins = [],
-    enableEmailPassword = true,
-    disableCSRFCheck = false,
-    socialProviders,
-    oidcConfig
-  } = options;
-  const baseOrigin = new URL(baseURL).origin;
-  const allTrustedOrigins = trustedOrigins.includes(baseOrigin) ? trustedOrigins : [baseOrigin, ...trustedOrigins];
-  console.log("[BetterAuth Config] Creating Drizzle adapter...");
-  let schema;
-  let provider;
-  switch (adapterType) {
-    case "postgres":
-      schema = pgSchema;
-      provider = "pg";
-      break;
-    case "mysql":
-      schema = mysqlSchema;
-      provider = "mysql";
-      break;
-    case "sqlite":
-      schema = sqliteSchema;
-      provider = "sqlite";
-      break;
-    default:
-      throw new Error(`Unsupported adapter type: ${adapterType}`);
-  }
-  const database = drizzleAdapter(db, {
-    provider,
-    schema
-  });
-  console.log("[BetterAuth Config] Initializing betterAuth with config:", {
-    baseURL,
-    basePath,
-    provider,
-    enableEmailPassword
-  });
-  const plugins = [];
-  if (oidcConfig) {
-    const authorizationUrl = oidcConfig.authorizationEndpoint || `${oidcConfig.issuer}/protocol/openid-connect/auth`;
-    const tokenUrl = oidcConfig.tokenEndpoint || `${oidcConfig.issuer}/protocol/openid-connect/token`;
-    const userInfoUrl = oidcConfig.userinfoEndpoint || `${oidcConfig.issuer}/protocol/openid-connect/userinfo`;
-    plugins.push(
-      genericOAuth({
-        config: [
-          {
-            providerId: oidcConfig.providerId || "oidc",
-            clientId: oidcConfig.clientId,
-            clientSecret: oidcConfig.clientSecret,
-            authorizationUrl,
-            tokenUrl,
-            userInfoUrl,
-            discoveryUrl: oidcConfig.discoveryEndpoint || `${oidcConfig.issuer}/.well-known/openid-configuration`,
-            scopes: oidcConfig.scopes || ["openid", "email", "profile"],
-            pkce: oidcConfig.pkce !== void 0 ? oidcConfig.pkce : false,
-            mapProfileToUser: (profile) => {
-              return {
-                id: profile.sub || profile.id,
-                email: profile.email,
-                name: profile.name || profile.preferred_username,
-                image: profile.picture || profile.image,
-                emailVerified: profile.email_verified || false
-              };
-            }
-          }
-        ]
-      })
-    );
-  }
-  return betterAuth({
-    database,
-    secret,
-    baseURL,
-    basePath,
-    trustedOrigins: allTrustedOrigins,
-    emailAndPassword: enableEmailPassword ? {
-      enabled: true,
-      autoSignIn: true
-    } : void 0,
-    socialProviders: Object.keys(socialProviders || {}).length > 0 ? socialProviders : void 0,
-    plugins,
-    session: {
-      expiresIn: 60 * 60 * 24 * 7,
-      updateAge: 60 * 60 * 24,
-      cookieCache: {
-        enabled: true,
-        maxAge: 5 * 60
-      }
-    },
-    advanced: {
-      disableCSRFCheck,
-      generateId: () => crypto.randomUUID().replace(/-/g, "")
-    }
-  });
-}
-
-// src/features/auth/index.ts
+import { createBetterAuth } from "@iskra-bun/auth-kit";
 import { z as z2 } from "@hono/zod-openapi";
 var SignInSchema = z2.object({
   email: z2.string().email(),
@@ -1568,7 +1226,13 @@ var AuthFeature = class {
   config;
   kernel;
   authMode;
-  constructor(config) {
+  createAuth;
+  // The second parameter is an internal seam: it defaults to the real
+  // createBetterAuth and lets tests inject a fake without globally mocking the
+  // @iskra-bun/auth-kit module (bun's mock.module is process-global and cannot
+  // be restored, which would otherwise leak into auth-kit's own test suite).
+  constructor(config, createAuth = createBetterAuth) {
+    this.createAuth = createAuth;
     this.config = {
       ...config,
       basePath: config.basePath || "/api/sso",
@@ -1591,7 +1255,8 @@ var AuthFeature = class {
     if (!adapterType) {
       throw new Error("DbFeature must expose 'adapter' type (postgres, mysql, sqlite)");
     }
-    this.auth = createBetterAuth({
+    const disableCSRFCheck = process.env.NODE_ENV !== "production" ? this.config.disableCSRFCheck === true : false;
+    this.auth = this.createAuth({
       db,
       adapterType,
       secret: this.config.secret,
@@ -1599,11 +1264,12 @@ var AuthFeature = class {
       basePath: this.config.basePath,
       trustedOrigins: this.config.trustedOrigins,
       enableEmailPassword: true,
-      disableCSRFCheck: this.config.disableCSRFCheck,
+      disableCSRFCheck,
       socialProviders: this.config.socialProviders,
       oidcConfig: this.config.oidcConfig
     });
     const app = kernel.getApp();
+    app.use(`${this.config.basePath}/*`, this.authRateLimitMiddleware());
     app.use("*", async (c, next) => {
       try {
         const session = await this.auth.api.getSession({
@@ -1614,11 +1280,30 @@ var AuthFeature = class {
           c.set("authUser", session.user);
         }
       } catch (error) {
+        const logger = c.get("logger");
+        if (logger?.debug) logger.debug("Auth session read failed", { error });
       }
       await next();
     });
     console.log("\u2705 Auth feature initialized (better-auth)");
   }
+  // ─── Auth-route rate limiting ────────────────────────────────────────────
+  authRateLimitHits = /* @__PURE__ */ new Map();
+  authRateLimitWindowMs = 15 * 60 * 1e3;
+  authRateLimitMax = 20;
+  authRateLimitMiddleware() {
+    return async (c, next) => {
+      const ip = c.req.header("x-forwarded-for") || c.req.header("x-real-ip") || "unknown";
+      const now = Date.now();
+      const entry = this.authRateLimitHits.get(ip);
+      const next_entry = !entry || now > entry.expiresAt ? { count: 1, expiresAt: now + this.authRateLimitWindowMs } : { count: entry.count + 1, expiresAt: entry.expiresAt };
+      this.authRateLimitHits.set(ip, next_entry);
+      if (next_entry.count > this.authRateLimitMax) {
+        throw new HTTPException4(429, { message: "Too many authentication attempts" });
+      }
+      await next();
+    };
+  }
   routes(app) {
     if (!this.auth) {
       throw new Error("Auth not initialized");
@@ -1960,6 +1645,7 @@ function requireRole(role) {
 
 // src/features/api-key.ts
 import { HTTPException as HTTPException7 } from "hono/http-exception";
+import { createHash } from "crypto";
 var ApiKeyStore = class {
   constructor(config, kernel) {
     this.config = config;
@@ -2000,8 +1686,8 @@ var ApiKeyStore = class {
     }
     console.log(`\u2705 Loaded ${this.staticKeysMap.size} static API keys`);
   }
-  generateId(key) {
-    return key.substring(0, 8);
+  generateId(_key) {
+    return crypto.randomUUID();
   }
   compareKeys(a, b) {
     if (a.length !== b.length) return false;
@@ -2015,10 +1701,14 @@ var ApiKeyStore = class {
     if (!expiresAt) return false;
     return /* @__PURE__ */ new Date() > expiresAt;
   }
+  cacheKeyFor(key) {
+    const hash = createHash("sha256").update(key).digest("hex");
+    return `apikey:${hash}`;
+  }
   async validate(key) {
     if (!key) return { isValid: false, error: "API key is required" };
     const cache = this.getCache();
-    const cacheKey = `apikey:${key}`;
+    const cacheKey = this.cacheKeyFor(key);
     if (cache) {
       try {
         const cached = await cache.get(cacheKey);
@@ -2034,15 +1724,15 @@ var ApiKeyStore = class {
         if (this.isExpired(metadata.expiresAt)) {
           return { isValid: false, error: "API key has expired" };
         }
-        metadata.lastUsedAt = /* @__PURE__ */ new Date();
+        const usedMetadata = { ...metadata, lastUsedAt: /* @__PURE__ */ new Date() };
         if (cache) {
           const ttl = this.config.cacheTtl ? Math.floor(this.config.cacheTtl / 1e3) : 300;
           try {
-            await cache.set(cacheKey, JSON.stringify(metadata), ttl);
+            await cache.set(cacheKey, JSON.stringify(usedMetadata), ttl);
           } catch {
           }
         }
-        return { isValid: true, key: metadata };
+        return { isValid: true, key: usedMetadata };
       }
     }
     return { isValid: false, error: "Invalid API key" };
@@ -2068,14 +1758,13 @@ var ApiKeyFeature = class {
   store;
   config;
   constructor(config = {}) {
-    this.config = {
+    const defaults = {
       staticKeys: config.staticKeys || [],
       headerName: config.headerName || "X-API-Key",
       queryParamName: config.queryParamName || "api_key",
       extractStrategies: config.extractStrategies || ["header", "bearer"],
-      // Defaults for other optional properties
-      vaultService: void 0,
-      customExtractor: void 0,
+      vaultService: config.vaultService,
+      customExtractor: config.customExtractor,
       enableCache: config.enableCache ?? true,
       cacheTtl: config.cacheTtl ?? 3e5,
       requireScopes: config.requireScopes ?? false,
@@ -2083,6 +1772,7 @@ var ApiKeyFeature = class {
       onError: config.onError,
       onValidated: config.onValidated
     };
+    this.config = defaults;
   }
   async initialize(kernel) {
     this.store = new ApiKeyStore(this.config, kernel);
@@ -2103,6 +1793,9 @@ var ApiKeyFeature = class {
       if (!result.isValid) {
         throw new HTTPException7(401, { message: result.error || "Invalid API key" });
       }
+      if (this.config.requireScopes && !(result.key?.scopes && result.key.scopes.length > 0)) {
+        throw new HTTPException7(403, { message: "API key has no scopes" });
+      }
       c.set("apiKey", result.key);
       c.set("apiKeyScopes", result.key?.scopes || []);
       c.set("hasScope", (scope) => this.store.hasScopes(result.key, [scope]));
@@ -2112,11 +1805,11 @@ var ApiKeyFeature = class {
     });
     console.log("\u2705 API Key feature initialized");
   }
-  shouldSkipPath(path2) {
+  shouldSkipPath(path) {
     if (!this.config.skipPaths?.length) return false;
     return this.config.skipPaths.some((skip) => {
-      if (skip.endsWith("*")) return path2.startsWith(skip.slice(0, -1));
-      return path2 === skip;
+      if (skip.endsWith("*")) return path.startsWith(skip.slice(0, -1));
+      return path === skip;
     });
   }
   extractApiKey(c) {
@@ -2158,6 +1851,24 @@ function requireScope(...scopes) {
 // src/features/csrf.ts
 import { HTTPException as HTTPException8 } from "hono/http-exception";
 import { getCookie as getCookie2, setCookie as setCookie2 } from "hono/cookie";
+import { createHmac as createHmac2, timingSafeEqual, randomUUID } from "crypto";
+function constantTimeEqual(a, b) {
+  const aBuf = Buffer.from(a);
+  const bBuf = Buffer.from(b);
+  if (aBuf.length !== bBuf.length) return false;
+  return timingSafeEqual(aBuf, bBuf);
+}
+function signCsrfToken(random, secret) {
+  const signature = createHmac2("sha256", secret).update(random).digest("base64url");
+  return `${random}.${signature}`;
+}
+function verifyCsrfToken(token, secret) {
+  const lastDot = token.lastIndexOf(".");
+  if (lastDot === -1) return false;
+  const random = token.substring(0, lastDot);
+  const expected = signCsrfToken(random, secret);
+  return constantTimeEqual(token, expected);
+}
 var CsrfFeature = class {
   name = "csrf";
   config;
@@ -2188,7 +1899,7 @@ var CsrfFeature = class {
     const method = c.req.method.toUpperCase();
     let token = getCookie2(c, this.config.cookieName);
     if (!token) {
-      token = crypto.randomUUID().replace(/-/g, "");
+      token = signCsrfToken(randomUUID().replace(/-/g, ""), this.config.secret);
       setCookie2(c, this.config.cookieName, token, {
         httpOnly: this.config.cookieOptions.httpOnly,
         secure: this.config.cookieOptions.secure,
@@ -2209,16 +1920,19 @@ var CsrfFeature = class {
     await next();
   }
   async validateToken(c, expectedToken) {
+    if (!verifyCsrfToken(expectedToken, this.config.secret)) return false;
     const headerToken = c.req.header(this.config.headerName);
-    if (headerToken === expectedToken) return true;
+    if (headerToken && constantTimeEqual(headerToken, expectedToken)) return true;
     try {
       const contentType = c.req.header("content-type");
       if (contentType?.includes("application/x-www-form-urlencoded")) {
         const body = await c.req.parseBody();
         const bodyToken = body._csrf || body[this.config.cookieName];
-        if (String(bodyToken) === expectedToken) return true;
+        if (bodyToken && constantTimeEqual(String(bodyToken), expectedToken)) return true;
       }
-    } catch {
+    } catch (error) {
+      const logger = c.get("logger");
+      if (logger?.debug) logger.debug("CSRF body token parse failed", { error });
     }
     return false;
   }
@@ -2295,9 +2009,9 @@ function createValidationMiddleware(schema, options = {}) {
 function extendHonoWithValidation(app) {
   const methods = ["get", "post", "put", "delete"];
   for (const method of methods) {
-    app[`${method}Validated`] = function(path2, schema, handler, options) {
+    app[`${method}Validated`] = function(path, schema, handler, options) {
       const middleware = createValidationMiddleware(schema, options);
-      this[method](path2, middleware, handler);
+      this[method](path, middleware, handler);
       return this;
     };
   }
@@ -2407,9 +2121,9 @@ function createJsonSchemaValidationMiddleware(schema, options = {}) {
 function extendHonoWithJsonSchemaValidation(app) {
   const methods = ["get", "post", "put", "delete"];
   for (const method of methods) {
-    app[`${method}JsonValidated`] = function(path2, schema, handler, options) {
+    app[`${method}JsonValidated`] = function(path, schema, handler, options) {
       const middleware = createJsonSchemaValidationMiddleware(schema, options);
-      this[method](path2, middleware, handler);
+      this[method](path, middleware, handler);
       return this;
     };
   }
@@ -2526,6 +2240,15 @@ var UploadHelper = class {
   getBasePath() {
     return this.basePath;
   }
+  // Defense-in-depth: reduce an attacker-controlled filename to a safe basename
+  // and strip it to an allowlisted charset so traversal segments ("../",
+  // "..\\", absolute paths) can never escape the project base path. storage-kit's
+  // sanitizePath remains the primary control; this is a second, independent gate.
+  safeBasename(filename) {
+    const base = filename.split(/[\\/]/).pop() || "";
+    const cleaned = base.replace(/[^a-zA-Z0-9._-]/g, "_").replace(/^\.+/, "");
+    return cleaned.length > 0 ? cleaned : "file";
+  }
   buildPath(filename, subfolder) {
     if (subfolder) {
       const normalized = subfolder.replace(/^\/+|\/+$/g, "");
@@ -2556,7 +2279,8 @@ var UploadHelper = class {
     if (!file || !(file instanceof File)) throw new Error(`No file found in field: ${fieldName}`);
     const data = new Uint8Array(await file.arrayBuffer());
     const opts = { ...options, contentType: options?.contentType || file.type };
-    return this.upload(file.name, data, subfolder, opts);
+    const safeName = this.safeBasename(file.name);
+    return this.upload(safeName, data, subfolder, opts);
   }
   async list(subfolder) {
     const prefix = subfolder ? `${this.basePath}${subfolder.replace(/^\/+|\/+$/g, "")}/` : this.basePath;
@@ -2719,15 +2443,44 @@ var OtelTracingFeature = class {
 };
 
 // src/features/email/index.ts
-var MockEmailAdapter = class {
-  async send(message) {
-    console.log("\u{1F4E7} [MOCK] Sent to", message.to, "Subject:", message.subject);
-    return { messageId: `mock-${Date.now()}`, success: true };
+import { createEmailAdapter } from "@iskra-bun/mailer-kit";
+import { MockEmailAdapter } from "@iskra-bun/mailer-kit";
+var CRLF = /[\r\n]/;
+function assertNoCrlf(value, label) {
+  if (CRLF.test(value)) {
+    throw new Error(`Invalid ${label}: control characters (CR/LF) are not allowed`);
   }
-  async sendTemplate(name, to, data) {
-    return this.send({ to, subject: `Template: ${name}`, html: `Template ${name} with data: ${JSON.stringify(data)}` });
+}
+function assertRecipients(to, label) {
+  if (to === void 0) return;
+  const recipients = Array.isArray(to) ? to : [to];
+  for (const recipient of recipients) assertNoCrlf(recipient, label);
+}
+function validateMessage(message) {
+  assertRecipients(message.to, "recipient");
+  assertRecipients(message.cc, "cc recipient");
+  assertRecipients(message.bcc, "bcc recipient");
+  if (message.replyTo !== void 0) assertNoCrlf(message.replyTo, "replyTo");
+  assertNoCrlf(message.subject, "subject");
+  if (message.headers) {
+    for (const [name, value] of Object.entries(message.headers)) {
+      assertNoCrlf(name, "header name");
+      assertNoCrlf(value, "header value");
+    }
   }
-};
+}
+function withValidation(adapter) {
+  return {
+    send: (message) => {
+      validateMessage(message);
+      return adapter.send(message);
+    },
+    sendTemplate: (templateName, to, data) => {
+      assertRecipients(to, "recipient");
+      return adapter.sendTemplate(templateName, to, data);
+    }
+  };
+}
 var EmailFeature = class {
   constructor(config) {
     this.config = config;
@@ -2736,33 +2489,12 @@ var EmailFeature = class {
   name = "email";
   adapter;
   async initialize(kernel) {
-    this.adapter = await this.createAdapter(this.config);
+    this.adapter = withValidation(await createEmailAdapter(this.config));
     const app = kernel.getApp();
     app.use("*", async (c, next) => {
       if (this.adapter) c.set("email", this.adapter);
       await next();
     });
-    console.log(`\u2705 EmailFeature initialized (${this.config.provider})`);
-  }
-  async createAdapter(config) {
-    switch (config.provider) {
-      case "mock":
-        return new MockEmailAdapter();
-      case "smtp": {
-        const { SmtpEmailAdapter } = await import("./smtp-WJDLYKD5.js");
-        return new SmtpEmailAdapter(config);
-      }
-      case "sendgrid": {
-        const { SendGridEmailAdapter } = await import("./sendgrid-UK2GSBEF.js");
-        return new SendGridEmailAdapter(config);
-      }
-      case "mailgun": {
-        const { MailgunEmailAdapter } = await import("./mailgun-Z46GZJNI.js");
-        return new MailgunEmailAdapter(config);
-      }
-      default:
-        throw new Error(`Provider ${config.provider} not implemented`);
-    }
   }
   getAdapter() {
     if (!this.adapter) throw new Error("Email not initialized");
@@ -2774,7 +2506,7 @@ export {
   ApiKeyStore,
   AuthError,
   AuthFeature,
-  BaseStorageAdapter,
+  BaseStorageAdapter2 as BaseStorageAdapter,
   CacheFeature,
   ConflictError,
   CorsFeature,