@mars-stack/core 0.4.0

package/dist/plugin/builtin/index.js

@@ -0,0 +1,324 @@
+import { importOptional } from '../../chunk-CTYAVMOF.js';
+
+// src/plugin/builtin/email-plugins.ts
+function createSendGridPlugin() {
+  let appName = "";
+  return {
+    name: "sendgrid",
+    version: "1.0.0",
+    type: "email",
+    configure(config) {
+      appName = config.appName;
+    },
+    validate() {
+      const errors = [];
+      const warnings = [];
+      if (!process.env.SENDGRID_API_KEY) {
+        errors.push("SENDGRID_API_KEY environment variable is not set");
+      }
+      if (!process.env.SENDGRID_FROM_EMAIL) {
+        errors.push("SENDGRID_FROM_EMAIL environment variable is not set");
+      }
+      if (!appName) {
+        warnings.push("Plugin not configured \u2014 call configure() with appName");
+      }
+      return { valid: errors.length === 0, errors, warnings };
+    },
+    async send(params) {
+      const sgMail = await importOptional("@sendgrid/mail");
+      const apiKey = process.env.SENDGRID_API_KEY;
+      const fromEmail = process.env.SENDGRID_FROM_EMAIL;
+      if (!apiKey) throw new Error("SENDGRID_API_KEY is not set");
+      if (!fromEmail) throw new Error("SENDGRID_FROM_EMAIL is not set");
+      sgMail.default.setApiKey(apiKey);
+      await sgMail.default.send({
+        to: params.to,
+        from: { email: fromEmail, name: appName },
+        subject: params.subject,
+        text: params.text ?? params.html.replace(/<[^>]*>/g, " ").replace(/\s+/g, " ").trim(),
+        html: params.html,
+        mailSettings: {
+          bypassListManagement: { enable: true },
+          sandboxMode: { enable: false }
+        },
+        trackingSettings: {
+          clickTracking: { enable: false },
+          openTracking: { enable: false },
+          subscriptionTracking: { enable: false }
+        }
+      });
+    }
+  };
+}
+function createResendPlugin() {
+  let appName = "";
+  return {
+    name: "resend",
+    version: "1.0.0",
+    type: "email",
+    configure(config) {
+      appName = config.appName;
+    },
+    validate() {
+      const errors = [];
+      const warnings = [];
+      if (!process.env.RESEND_API_KEY) {
+        errors.push("RESEND_API_KEY environment variable is not set");
+      }
+      if (!process.env.RESEND_FROM_EMAIL) {
+        errors.push("RESEND_FROM_EMAIL environment variable is not set");
+      }
+      if (!appName) {
+        warnings.push("Plugin not configured \u2014 call configure() with appName");
+      }
+      return { valid: errors.length === 0, errors, warnings };
+    },
+    async send(params) {
+      const { Resend } = await importOptional("resend");
+      const apiKey = process.env.RESEND_API_KEY;
+      const fromEmail = process.env.RESEND_FROM_EMAIL;
+      if (!apiKey) throw new Error("RESEND_API_KEY is not set");
+      if (!fromEmail) throw new Error("RESEND_FROM_EMAIL is not set");
+      const resend = new Resend(apiKey);
+      await resend.emails.send({
+        from: `${appName} <${fromEmail}>`,
+        to: params.to,
+        subject: params.subject,
+        html: params.html,
+        text: params.text
+      });
+    }
+  };
+}
+function createConsoleEmailPlugin() {
+  return {
+    name: "console",
+    version: "1.0.0",
+    type: "email",
+    configure() {
+    },
+    validate() {
+      return { valid: true, errors: [], warnings: ["Console email provider is for development only"] };
+    },
+    async send(params) {
+      const { formatConsoleEmail } = await import('../../email/index.js');
+      console.log(formatConsoleEmail(params));
+    }
+  };
+}
+
+// src/plugin/builtin/payment-plugins.ts
+function createStripePlugin() {
+  return {
+    name: "stripe",
+    version: "1.0.0",
+    type: "payment",
+    configure() {
+    },
+    validate() {
+      const errors = [];
+      const warnings = [];
+      if (!process.env.STRIPE_SECRET_KEY) {
+        errors.push("STRIPE_SECRET_KEY environment variable is not set");
+      }
+      if (!process.env.STRIPE_WEBHOOK_SECRET) {
+        warnings.push("STRIPE_WEBHOOK_SECRET is not set \u2014 webhooks will fail");
+      }
+      if (!process.env.NEXT_PUBLIC_STRIPE_PUBLISHABLE_KEY) {
+        warnings.push("NEXT_PUBLIC_STRIPE_PUBLISHABLE_KEY is not set \u2014 client-side Stripe will fail");
+      }
+      return { valid: errors.length === 0, errors, warnings };
+    },
+    async createCheckoutSession(params) {
+      const Stripe = (await importOptional("stripe")).default;
+      const secretKey = process.env.STRIPE_SECRET_KEY;
+      if (!secretKey) throw new Error("STRIPE_SECRET_KEY is not set");
+      const stripe = new Stripe(secretKey);
+      const session = await stripe.checkout.sessions.create({
+        customer: params.customerId,
+        mode: "subscription",
+        line_items: [{ price: params.priceId, quantity: 1 }],
+        success_url: params.successUrl,
+        cancel_url: params.cancelUrl,
+        metadata: params.metadata
+      });
+      if (!session.url) {
+        throw new Error("Stripe checkout session created without a URL");
+      }
+      return { url: session.url };
+    },
+    async createPortalSession(params) {
+      const Stripe = (await importOptional("stripe")).default;
+      const secretKey = process.env.STRIPE_SECRET_KEY;
+      if (!secretKey) throw new Error("STRIPE_SECRET_KEY is not set");
+      const stripe = new Stripe(secretKey);
+      const session = await stripe.billingPortal.sessions.create({
+        customer: params.customerId,
+        return_url: params.returnUrl
+      });
+      return { url: session.url };
+    },
+    async constructWebhookEvent(body, signature) {
+      const Stripe = (await importOptional("stripe")).default;
+      const secretKey = process.env.STRIPE_SECRET_KEY;
+      if (!secretKey) throw new Error("STRIPE_SECRET_KEY is not set");
+      const webhookSecret = process.env.STRIPE_WEBHOOK_SECRET;
+      if (!webhookSecret) throw new Error("STRIPE_WEBHOOK_SECRET is not set");
+      const stripe = new Stripe(secretKey);
+      return stripe.webhooks.constructEvent(body, signature, webhookSecret);
+    }
+  };
+}
+
+// src/plugin/builtin/storage-plugins.ts
+function createVercelBlobPlugin() {
+  return {
+    name: "vercel-blob",
+    version: "1.0.0",
+    type: "storage",
+    configure() {
+    },
+    validate() {
+      const errors = [];
+      if (!process.env.BLOB_READ_WRITE_TOKEN) {
+        errors.push("BLOB_READ_WRITE_TOKEN environment variable is not set");
+      }
+      return { valid: errors.length === 0, errors, warnings: [] };
+    },
+    async upload(params) {
+      const { put } = await importOptional("@vercel/blob");
+      const safe = sanitizeFilename(params.filename);
+      const blob = await put(safe, params.data, {
+        access: "public",
+        contentType: params.contentType,
+        addRandomSuffix: true
+      });
+      return {
+        url: blob.url,
+        pathname: blob.pathname,
+        contentType: params.contentType,
+        size: getDataSize(params.data) ?? 0
+      };
+    },
+    async delete(url) {
+      const { del } = await importOptional("@vercel/blob");
+      await del(url);
+    }
+  };
+}
+function createS3Plugin() {
+  return {
+    name: "s3",
+    version: "1.0.0",
+    type: "storage",
+    configure() {
+    },
+    validate() {
+      const errors = [];
+      if (!process.env.AWS_REGION) errors.push("AWS_REGION environment variable is not set");
+      if (!process.env.S3_BUCKET_NAME) errors.push("S3_BUCKET_NAME environment variable is not set");
+      if (!process.env.AWS_ACCESS_KEY_ID) errors.push("AWS_ACCESS_KEY_ID environment variable is not set");
+      if (!process.env.AWS_SECRET_ACCESS_KEY) errors.push("AWS_SECRET_ACCESS_KEY environment variable is not set");
+      return { valid: errors.length === 0, errors, warnings: [] };
+    },
+    async upload(params) {
+      const { PutObjectCommand, S3Client } = await importOptional("@aws-sdk/client-s3");
+      const config = getS3Config();
+      const client = new S3Client({
+        region: config.region,
+        credentials: {
+          accessKeyId: config.accessKeyId,
+          secretAccessKey: config.secretAccessKey
+        }
+      });
+      const safe = sanitizeFilename(params.filename);
+      const key = `uploads/${Date.now()}-${safe}`;
+      let body;
+      if (Buffer.isBuffer(params.data)) {
+        body = params.data;
+      } else if (params.data instanceof Blob) {
+        body = params.data;
+      } else {
+        const chunks = [];
+        const reader = params.data.getReader();
+        let done = false;
+        while (!done) {
+          const result = await reader.read();
+          done = result.done;
+          if (result.value) chunks.push(result.value);
+        }
+        body = Buffer.concat(chunks);
+      }
+      await client.send(
+        new PutObjectCommand({
+          Bucket: config.bucket,
+          Key: key,
+          Body: body,
+          ContentType: params.contentType,
+          ACL: params.access === "public" ? "public-read" : "private"
+        })
+      );
+      const url = `https://${config.bucket}.s3.${config.region}.amazonaws.com/${key}`;
+      return {
+        url,
+        pathname: key,
+        contentType: params.contentType,
+        size: Buffer.isBuffer(body) ? body.byteLength : body.size
+      };
+    },
+    async delete(url) {
+      const { DeleteObjectCommand, S3Client } = await importOptional("@aws-sdk/client-s3");
+      const config = getS3Config();
+      const client = new S3Client({
+        region: config.region,
+        credentials: {
+          accessKeyId: config.accessKeyId,
+          secretAccessKey: config.secretAccessKey
+        }
+      });
+      const urlObj = new URL(url);
+      const key = urlObj.pathname.slice(1);
+      await client.send(
+        new DeleteObjectCommand({ Bucket: config.bucket, Key: key })
+      );
+    },
+    async getSignedUrl(url, expiresIn = 3600) {
+      const { GetObjectCommand, S3Client } = await importOptional("@aws-sdk/client-s3");
+      const { getSignedUrl: s3GetSignedUrl } = await importOptional("@aws-sdk/s3-request-presigner");
+      const config = getS3Config();
+      const client = new S3Client({
+        region: config.region,
+        credentials: {
+          accessKeyId: config.accessKeyId,
+          secretAccessKey: config.secretAccessKey
+        }
+      });
+      const urlObj = new URL(url);
+      const key = urlObj.pathname.slice(1);
+      return s3GetSignedUrl(client, new GetObjectCommand({ Bucket: config.bucket, Key: key }), {
+        expiresIn
+      });
+    }
+  };
+}
+function sanitizeFilename(filename) {
+  return filename.replace(/[^\w.\-]/g, "_").replace(/\.{2,}/g, ".").slice(0, 255);
+}
+function getDataSize(data) {
+  if (Buffer.isBuffer(data)) return data.byteLength;
+  if (data instanceof Blob) return data.size;
+  return null;
+}
+function getS3Config() {
+  const region = process.env.AWS_REGION;
+  const bucket = process.env.S3_BUCKET_NAME;
+  const accessKeyId = process.env.AWS_ACCESS_KEY_ID;
+  const secretAccessKey = process.env.AWS_SECRET_ACCESS_KEY;
+  if (!region) throw new Error("AWS_REGION is not set");
+  if (!bucket) throw new Error("S3_BUCKET_NAME is not set");
+  if (!accessKeyId) throw new Error("AWS_ACCESS_KEY_ID is not set");
+  if (!secretAccessKey) throw new Error("AWS_SECRET_ACCESS_KEY is not set");
+  return { region, bucket, accessKeyId, secretAccessKey };
+}
+
+export { createConsoleEmailPlugin, createResendPlugin, createS3Plugin, createSendGridPlugin, createStripePlugin, createVercelBlobPlugin };

package/dist/plugin/builtin/payment-plugins.d.ts

@@ -0,0 +1,4 @@
+import type { MarsPlugin } from '../index';
+import type { PaymentProvider } from '../../payments/index';
+export declare function createStripePlugin(): MarsPlugin & PaymentProvider;
+//# sourceMappingURL=payment-plugins.d.ts.map

package/dist/plugin/builtin/payment-plugins.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"payment-plugins.d.ts","sourceRoot":"","sources":["../../../src/plugin/builtin/payment-plugins.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,UAAU,EAA0B,MAAM,UAAU,CAAC;AACnE,OAAO,KAAK,EAAE,eAAe,EAAgC,MAAM,sBAAsB,CAAC;AAG1F,wBAAgB,kBAAkB,IAAI,UAAU,GAAG,eAAe,CAiFjE"}

package/dist/plugin/builtin/storage-plugins.d.ts

@@ -0,0 +1,5 @@
+import type { MarsPlugin } from '../index';
+import type { StorageProvider } from '../../storage/index';
+export declare function createVercelBlobPlugin(): MarsPlugin & StorageProvider;
+export declare function createS3Plugin(): MarsPlugin & StorageProvider;
+//# sourceMappingURL=storage-plugins.d.ts.map

package/dist/plugin/builtin/storage-plugins.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"storage-plugins.d.ts","sourceRoot":"","sources":["../../../src/plugin/builtin/storage-plugins.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,UAAU,EAA0B,MAAM,UAAU,CAAC;AACnE,OAAO,KAAK,EAAE,eAAe,EAA8B,MAAM,qBAAqB,CAAC;AAGvF,wBAAgB,sBAAsB,IAAI,UAAU,GAAG,eAAe,CA2CrE;AAED,wBAAgB,cAAc,IAAI,UAAU,GAAG,eAAe,CAkH7D"}

package/dist/plugin/index.d.ts

@@ -0,0 +1,21 @@
+export type PluginType = 'email' | 'payment' | 'storage' | 'auth' | 'analytics' | 'monitoring' | 'search' | 'realtime' | 'jobs';
+export interface MarsPlugin<TConfig = unknown> {
+    name: string;
+    version: string;
+    type: PluginType;
+    configure(config: TConfig): void;
+    validate?(): PluginValidationResult;
+}
+export interface PluginValidationResult {
+    valid: boolean;
+    errors: string[];
+    warnings: string[];
+}
+export interface PluginRegistry {
+    register<T>(plugin: MarsPlugin<T>): void;
+    get(type: string, name: string): MarsPlugin | undefined;
+    getByType(type: string): MarsPlugin[];
+    validate(): PluginValidationResult;
+}
+export declare function createPluginRegistry(): PluginRegistry;
+//# sourceMappingURL=index.d.ts.map

package/dist/plugin/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/plugin/index.ts"],"names":[],"mappings":"AAAA,MAAM,MAAM,UAAU,GAClB,OAAO,GACP,SAAS,GACT,SAAS,GACT,MAAM,GACN,WAAW,GACX,YAAY,GACZ,QAAQ,GACR,UAAU,GACV,MAAM,CAAC;AAEX,MAAM,WAAW,UAAU,CAAC,OAAO,GAAG,OAAO;IAC3C,IAAI,EAAE,MAAM,CAAC;IACb,OAAO,EAAE,MAAM,CAAC;IAChB,IAAI,EAAE,UAAU,CAAC;IACjB,SAAS,CAAC,MAAM,EAAE,OAAO,GAAG,IAAI,CAAC;IACjC,QAAQ,CAAC,IAAI,sBAAsB,CAAC;CACrC;AAED,MAAM,WAAW,sBAAsB;IACrC,KAAK,EAAE,OAAO,CAAC;IACf,MAAM,EAAE,MAAM,EAAE,CAAC;IACjB,QAAQ,EAAE,MAAM,EAAE,CAAC;CACpB;AAED,MAAM,WAAW,cAAc;IAC7B,QAAQ,CAAC,CAAC,EAAE,MAAM,EAAE,UAAU,CAAC,CAAC,CAAC,GAAG,IAAI,CAAC;IACzC,GAAG,CAAC,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,GAAG,UAAU,GAAG,SAAS,CAAC;IACxD,SAAS,CAAC,IAAI,EAAE,MAAM,GAAG,UAAU,EAAE,CAAC;IACtC,QAAQ,IAAI,sBAAsB,CAAC;CACpC;AAED,wBAAgB,oBAAoB,IAAI,cAAc,CAgCrD"}

package/dist/plugin/index.js

@@ -0,0 +1,30 @@
+// src/plugin/index.ts
+function createPluginRegistry() {
+  const plugins = /* @__PURE__ */ new Map();
+  return {
+    register(plugin) {
+      const key = `${plugin.type}:${plugin.name}`;
+      plugins.set(key, plugin);
+    },
+    get(type, name) {
+      return plugins.get(`${type}:${name}`);
+    },
+    getByType(type) {
+      return Array.from(plugins.values()).filter((p) => p.type === type);
+    },
+    validate() {
+      const errors = [];
+      const warnings = [];
+      for (const plugin of plugins.values()) {
+        if (plugin.validate) {
+          const result = plugin.validate();
+          errors.push(...result.errors.map((e) => `[${plugin.name}] ${e}`));
+          warnings.push(...result.warnings.map((w) => `[${plugin.name}] ${w}`));
+        }
+      }
+      return { valid: errors.length === 0, errors, warnings };
+    }
+  };
+}
+
+export { createPluginRegistry };

package/dist/rate-limit/index.d.ts

@@ -0,0 +1,89 @@
+import 'server-only';
+import { NextResponse } from 'next/server';
+export interface RateLimitConfig {
+    limit: number;
+    windowSeconds: number;
+    identifier: string;
+    /** Use sliding window instead of fixed window. Recommended for auth endpoints. */
+    sliding?: boolean;
+}
+interface RateLimitResult {
+    success: boolean;
+    remaining: number;
+    resetAt: number;
+}
+/**
+ * Checks whether a request from the given IP is within the rate limit.
+ * Tries Upstash Redis first, falling back to an in-memory store.
+ *
+ * @param ip - The client IP address
+ * @param config - Rate limit configuration (limit, window, identifier, sliding)
+ * @returns A result indicating success, remaining requests, and reset timestamp
+ * @example
+ * const result = await checkRateLimit(clientIp, RATE_LIMITS.login);
+ * if (!result.success) return rateLimitResponse(result.resetAt);
+ */
+export declare function checkRateLimit(ip: string, config: RateLimitConfig): Promise<RateLimitResult>;
+export interface GetClientIPOptions {
+    /** Index into x-forwarded-for (0 = leftmost/client, 1 = first proxy). Default 0. */
+    trustProxyDepth?: number;
+}
+/**
+ * Extracts the client IP address from request headers, supporting proxied environments.
+ * Reads `x-forwarded-for` (respecting proxy depth) then falls back to `x-real-ip`.
+ *
+ * @param request - The incoming Request object
+ * @param options - Options controlling proxy trust depth
+ * @returns The client IP string, or 'unknown' if not determinable
+ * @example
+ * const ip = getClientIP(request, { trustProxyDepth: 0 });
+ */
+export declare function getClientIP(request: Request, options?: GetClientIPOptions): string;
+/**
+ * Builds a 429 Too Many Requests response with standard rate-limit headers.
+ *
+ * @param resetAt - Unix timestamp (ms) when the rate limit window resets
+ * @returns A NextResponse with status 429, Retry-After, and X-RateLimit-* headers
+ * @example
+ * if (!result.success) return rateLimitResponse(result.resetAt);
+ */
+export declare function rateLimitResponse(resetAt: number): NextResponse;
+export declare const RATE_LIMITS: {
+    readonly login: {
+        readonly limit: 5;
+        readonly windowSeconds: 60;
+        readonly identifier: "login";
+        readonly sliding: true;
+    };
+    readonly signup: {
+        readonly limit: 3;
+        readonly windowSeconds: 60;
+        readonly identifier: "signup";
+        readonly sliding: true;
+    };
+    readonly forgotPassword: {
+        readonly limit: 3;
+        readonly windowSeconds: 300;
+        readonly identifier: "forgot-password";
+        readonly sliding: true;
+    };
+    readonly resetPassword: {
+        readonly limit: 5;
+        readonly windowSeconds: 300;
+        readonly identifier: "reset-password";
+        readonly sliding: true;
+    };
+    readonly emailVerification: {
+        readonly limit: 5;
+        readonly windowSeconds: 300;
+        readonly identifier: "email-verification";
+        readonly sliding: true;
+    };
+    readonly api: {
+        readonly limit: 60;
+        readonly windowSeconds: 60;
+        readonly identifier: "api";
+    };
+};
+export {};
+//# sourceMappingURL=index.d.ts.map

package/dist/rate-limit/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/rate-limit/index.ts"],"names":[],"mappings":"AAAA,OAAO,aAAa,CAAC;AAErB,OAAO,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAkC3C,MAAM,WAAW,eAAe;IAC9B,KAAK,EAAE,MAAM,CAAC;IACd,aAAa,EAAE,MAAM,CAAC;IACtB,UAAU,EAAE,MAAM,CAAC;IACnB,kFAAkF;IAClF,OAAO,CAAC,EAAE,OAAO,CAAC;CACnB;AAED,UAAU,eAAe;IACvB,OAAO,EAAE,OAAO,CAAC;IACjB,SAAS,EAAE,MAAM,CAAC;IAClB,OAAO,EAAE,MAAM,CAAC;CACjB;AAqED;;;;;;;;;;GAUG;AACH,wBAAsB,cAAc,CAClC,EAAE,EAAE,MAAM,EACV,MAAM,EAAE,eAAe,GACtB,OAAO,CAAC,eAAe,CAAC,CAuC1B;AAED,MAAM,WAAW,kBAAkB;IACjC,oFAAoF;IACpF,eAAe,CAAC,EAAE,MAAM,CAAC;CAC1B;AAED;;;;;;;;;GASG;AACH,wBAAgB,WAAW,CACzB,OAAO,EAAE,OAAO,EAChB,OAAO,GAAE,kBAAuB,GAC/B,MAAM,CAYR;AAED;;;;;;;GAOG;AACH,wBAAgB,iBAAiB,CAAC,OAAO,EAAE,MAAM,GAAG,YAAY,CAa/D;AAED,eAAO,MAAM,WAAW;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CAsBd,CAAC"}

package/dist/rate-limit/index.js

@@ -0,0 +1,166 @@
+import 'server-only';
+import { NextResponse } from 'next/server';
+import { Ratelimit } from '@upstash/ratelimit';
+import { Redis } from '@upstash/redis';
+
+// src/rate-limit/index.ts
+var MAX_IN_MEMORY_STORE_SIZE = 1e4;
+var rateLimitStore = /* @__PURE__ */ new Map();
+var lastCleanup = Date.now();
+var CLEANUP_INTERVAL_MS = 6e4;
+function evictOldestIfNeeded() {
+  if (rateLimitStore.size < MAX_IN_MEMORY_STORE_SIZE) return;
+  const entries = [...rateLimitStore.entries()].sort(([, a], [, b]) => a.resetAt - b.resetAt);
+  const toRemove = rateLimitStore.size - Math.floor(MAX_IN_MEMORY_STORE_SIZE * 0.9);
+  for (let i = 0; i < toRemove && i < entries.length; i++) {
+    rateLimitStore.delete(entries[i][0]);
+  }
+}
+function lazyCleanup() {
+  const now = Date.now();
+  if (now - lastCleanup < CLEANUP_INTERVAL_MS) return;
+  lastCleanup = now;
+  for (const [key, entry] of rateLimitStore.entries()) {
+    if (now > entry.resetAt) {
+      rateLimitStore.delete(key);
+    }
+  }
+}
+var hasWarnedMissingUpstashConfig = false;
+var hasWarnedUpstashFailure = false;
+var upstashRedisClient;
+var upstashLimiters = /* @__PURE__ */ new Map();
+function getUpstashRedisConfig() {
+  const url = process.env.UPSTASH_REDIS_REST_URL || process.env.KV_REST_API_URL;
+  const token = process.env.UPSTASH_REDIS_REST_TOKEN || process.env.KV_REST_API_TOKEN;
+  if (!url || !token) return null;
+  return { url, token };
+}
+function getUpstashRedisClient() {
+  if (upstashRedisClient !== void 0) return upstashRedisClient;
+  const config = getUpstashRedisConfig();
+  if (!config) {
+    if (process.env.NODE_ENV === "production" && !hasWarnedMissingUpstashConfig) {
+      hasWarnedMissingUpstashConfig = true;
+      console.error(
+        "SECURITY WARNING: Rate limiting is using in-memory fallback in production. This is NOT effective in serverless environments. Configure UPSTASH_REDIS_REST_URL and UPSTASH_REDIS_REST_TOKEN."
+      );
+    }
+    upstashRedisClient = null;
+    return upstashRedisClient;
+  }
+  try {
+    upstashRedisClient = new Redis({ url: config.url, token: config.token });
+    return upstashRedisClient;
+  } catch (error) {
+    if (!hasWarnedUpstashFailure) {
+      hasWarnedUpstashFailure = true;
+      console.error("Failed to initialize Upstash Redis. Falling back to in-memory limiter.", error);
+    }
+    upstashRedisClient = null;
+    return upstashRedisClient;
+  }
+}
+function normalizeUpstashReset(reset) {
+  return reset < 1e12 ? reset * 1e3 : reset;
+}
+function getUpstashLimiter(config) {
+  const redis = getUpstashRedisClient();
+  if (!redis) return null;
+  const limiterKey = `${config.identifier}:${config.limit}:${config.windowSeconds}`;
+  const existing = upstashLimiters.get(limiterKey);
+  if (existing) return existing;
+  const window = `${config.windowSeconds} s`;
+  const limiter = new Ratelimit({
+    redis,
+    limiter: config.sliding ? Ratelimit.slidingWindow(config.limit, window) : Ratelimit.fixedWindow(config.limit, window),
+    prefix: `ratelimit:${config.identifier}`
+  });
+  upstashLimiters.set(limiterKey, limiter);
+  return limiter;
+}
+async function checkRateLimit(ip, config) {
+  lazyCleanup();
+  evictOldestIfNeeded();
+  const upstashLimiter = getUpstashLimiter(config);
+  if (upstashLimiter) {
+    try {
+      const result = await upstashLimiter.limit(ip);
+      return {
+        success: result.success,
+        remaining: Math.max(0, result.remaining),
+        resetAt: normalizeUpstashReset(result.reset)
+      };
+    } catch (error) {
+      if (!hasWarnedUpstashFailure) {
+        hasWarnedUpstashFailure = true;
+        console.error("Upstash rate limit check failed. Falling back to in-memory limiter.", error);
+      }
+    }
+  }
+  const effectiveIp = ip === "unknown" ? `unknown:${Math.floor(Date.now() / 6e4)}` : ip;
+  const key = `${config.identifier}:${effectiveIp}`;
+  const now = Date.now();
+  const windowMs = config.windowSeconds * 1e3;
+  const existing = rateLimitStore.get(key);
+  if (!existing || now > existing.resetAt) {
+    rateLimitStore.set(key, { count: 1, resetAt: now + windowMs });
+    return { success: true, remaining: config.limit - 1, resetAt: now + windowMs };
+  }
+  if (existing.count >= config.limit) {
+    return { success: false, remaining: 0, resetAt: existing.resetAt };
+  }
+  existing.count++;
+  rateLimitStore.set(key, existing);
+  return { success: true, remaining: config.limit - existing.count, resetAt: existing.resetAt };
+}
+function getClientIP(request, options = {}) {
+  const forwarded = request.headers.get("x-forwarded-for");
+  if (forwarded) {
+    const parts = forwarded.split(",").map((p) => p.trim());
+    const index = Math.min(options.trustProxyDepth ?? 0, parts.length - 1);
+    return parts[Math.max(0, index)] ?? "unknown";
+  }
+  const realIp = request.headers.get("x-real-ip");
+  if (realIp) return realIp.trim();
+  return "unknown";
+}
+function rateLimitResponse(resetAt) {
+  const retryAfter = Math.ceil((resetAt - Date.now()) / 1e3);
+  return NextResponse.json(
+    { error: "Too many requests. Please try again later.", retryAfter },
+    {
+      status: 429,
+      headers: {
+        "Retry-After": String(retryAfter),
+        "X-RateLimit-Remaining": "0",
+        "X-RateLimit-Reset": String(Math.ceil(resetAt / 1e3))
+      }
+    }
+  );
+}
+var RATE_LIMITS = {
+  login: { limit: 5, windowSeconds: 60, identifier: "login", sliding: true },
+  signup: { limit: 3, windowSeconds: 60, identifier: "signup", sliding: true },
+  forgotPassword: {
+    limit: 3,
+    windowSeconds: 300,
+    identifier: "forgot-password",
+    sliding: true
+  },
+  resetPassword: {
+    limit: 5,
+    windowSeconds: 300,
+    identifier: "reset-password",
+    sliding: true
+  },
+  emailVerification: {
+    limit: 5,
+    windowSeconds: 300,
+    identifier: "email-verification",
+    sliding: true
+  },
+  api: { limit: 60, windowSeconds: 60, identifier: "api" }
+};
+
+export { RATE_LIMITS, checkRateLimit, getClientIP, rateLimitResponse };