@pawells/nestjs-shared 1.0.0-dev.4c8c698

package/build/common/services/csrf.service.js

@@ -0,0 +1,478 @@
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata = (this && this.__metadata) || function (k, v) {
+    if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+var __param = (this && this.__param) || function (paramIndex, decorator) {
+    return function (target, key) { decorator(target, key, paramIndex); }
+};
+var CSRFService_1;
+import { Injectable, Logger, HttpException, HttpStatus, Inject, Optional } from '@nestjs/common';
+import { ConfigService } from '@nestjs/config';
+import { doubleCsrf } from 'csrf-csrf';
+import { escapeNewlines } from '../utils/sanitization.utils.js';
+/**
+ * CSRF Service.
+ * Provides CSRF token generation and validation using the Double Submit Cookie pattern.
+ * Uses cryptographic signing and per-session/IP binding for secure token verification.
+ *
+ * Features:
+ * - Double-CSRF token pattern (cookie + request header/body)
+ * - Per-IP rate limiting: 10 tokens per 60 seconds
+ * - Session binding (when available) or IP-based fallback
+ * - Automatic pruning of stale timestamps
+ * - Capacity monitoring with safety margin (80% threshold)
+ * - SSL-only, HTTPOnly cookies in production
+ *
+ * Configuration requirements:
+ * - CSRF_SECRET: Min 32 characters, cryptographically random, high entropy
+ * - Express app with cookie parser middleware
+ * - Optional: trustProxy for reverse proxy environments
+ *
+ * @remarks
+ * - In-memory rate limiting supports ~10,000 concurrent IPs per instance
+ * - For distributed deployments, use Redis-backed SharedThrottlerModule instead
+ * - Token generation timeout: 30 seconds (queue timeout)
+ * - Token timestamp pruning interval: 10 seconds
+ * - IP map capacity threshold: 80% (8,000 IPs) before pruning
+ * - Returns 503 Service Unavailable if at capacity after pruning
+ * - Returns 429 Too Many Requests if rate limit exceeded
+ *
+ * @example
+ * ```typescript
+ * // Generate token for form
+ * const token = await csrfService.generateToken(req, res);
+ * res.render('form', { csrfToken: token });
+ *
+ * // Validate incoming request (done automatically by CSRFGuard)
+ * const isValid = csrfService.validateToken(req);
+ *
+ * // Refresh token after sensitive operation (login, password change)
+ * const newToken = await csrfService.refreshToken(req, res);
+ * ```
+ */
+let CSRFService = class CSRFService {
+    static { CSRFService_1 = this; }
+    configService;
+    // Configuration constants
+    // eslint-disable-next-line no-magic-numbers
+    static MIN_SECRET_LENGTH = 32;
+    // eslint-disable-next-line no-magic-numbers
+    static MIN_CHARACTER_SET_DIVERSITY = 3;
+    // eslint-disable-next-line no-magic-numbers
+    static ANONYMOUS_TOKEN_RANDOMNESS_BYTES = 4;
+    // eslint-disable-next-line no-magic-numbers
+    static RATE_LIMIT_WINDOW_MS = 60_000; // 60 seconds
+    // eslint-disable-next-line no-magic-numbers
+    static RATE_LIMIT_COUNT = 10;
+    /**
+     * Maximum number of unique IP addresses tracked for rate limiting.
+     * This in-memory strategy supports ~10,000 concurrent IPs per instance.
+     *
+     * **Scaling guidance**: For deployments exceeding 10,000 concurrent unique IPs,
+     * migrate to a Redis-backed rate limiting solution via SharedThrottlerModule:
+     * - Configure SharedThrottlerModule with Redis backend
+     * - Adjust limits and TTL for your traffic pattern
+     *
+     * **Memory management**: When the tracked IPs map reaches 80% capacity
+     * (8,000 IPs), the pruning logic removes stale entries (>60s old).
+     * If after pruning the map remains >= 10,000 IPs, token generation is
+     * rejected with HTTP 503 to prevent unbounded memory growth.
+     * The 80% threshold provides a safety margin before hard limits are hit.
+     *
+     * @see SharedThrottlerModule for Redis-backed distributed rate limiting
+     */
+    // eslint-disable-next-line no-magic-numbers
+    static MAX_TRACKED_IPS = 10000;
+    // eslint-disable-next-line no-magic-numbers
+    static TIMESTAMP_PRUNING_INTERVAL_MS = 10 * 1000; // Prune every 10 seconds
+    // eslint-disable-next-line no-magic-numbers
+    static IP_LOCK_TIMEOUT_MS = 30_000; // 30 second timeout for queued requests
+    // eslint-disable-next-line no-magic-numbers
+    static CAPACITY_THRESHOLD_PERCENT = 0.8;
+    csrfProtection;
+    logger = new Logger('CSRFService');
+    tokenGenTimestamps = new Map();
+    ipLocks = new Map();
+    trustProxy;
+    capacityThresholdCrossedCount = 0;
+    pruneIntervalHandle;
+    _isPruning = false;
+    constructor(configService, options) {
+        this.configService = configService;
+        // Note: CSRF_SECRET validation is deferred to onModuleInit() to ensure
+        // NestJS surfaces the error at bootstrap time rather than during DI resolution
+        this.trustProxy = options?.trustProxy ?? false;
+    }
+    /**
+     * NestJS lifecycle hook: validate required CSRF_SECRET environment variable
+     * at application bootstrap time
+     */
+    onModuleInit() {
+        const csrfSecret = this.configService?.get('CSRF_SECRET') ?? process.env['CSRF_SECRET'];
+        if (!csrfSecret) {
+            throw new Error('CSRF_SECRET environment variable is required but not set. ' +
+                'Set it in your .env file or as an environment variable before starting the application.');
+        }
+        // Validate CSRF_SECRET entropy
+        if (csrfSecret.length < CSRFService_1.MIN_SECRET_LENGTH) {
+            throw new Error(`CSRF_SECRET must be at least ${CSRFService_1.MIN_SECRET_LENGTH} characters long for adequate entropy. ` +
+                `Current length: ${csrfSecret.length}. ` +
+                'Generate a cryptographically secure value with: openssl rand -base64 32');
+        }
+        // Check for obviously weak patterns as secondary check
+        if (this.isWeakSecret(csrfSecret)) {
+            throw new Error('CSRF_SECRET contains obviously weak pattern. ' +
+                'Must have a mix of different characters, not repeated or common strings. ' +
+                'Generate a cryptographically secure value with: openssl rand -base64 32');
+        }
+        // Validate entropy (primary check)
+        const entropy = this.calculateEntropy(csrfSecret);
+        const MIN_ENTROPY = 4.0;
+        if (entropy < MIN_ENTROPY) {
+            throw new Error(`CSRF_SECRET entropy is insufficient (${entropy.toFixed(2)} bits/char). ` +
+                `Minimum required: ${MIN_ENTROPY} bits/char. ` +
+                'Generate a cryptographically secure value with: openssl rand -base64 32');
+        }
+        // Initialize CSRF protection now that we know the secret is available and valid
+        this.csrfProtection = doubleCsrf({
+            getSecret: () => csrfSecret,
+            getSessionIdentifier: (req) => this.getSessionIdentifier(req),
+            cookieName: '__Host-psifi.x-csrf-token',
+            cookieOptions: {
+                httpOnly: true,
+                secure: process.env['NODE_ENV'] === 'production',
+                sameSite: 'strict',
+                path: '/',
+            },
+        });
+        // Check for trust proxy misconfiguration at boot time
+        this.validateTrustProxyConfiguration();
+        // Prune old token generation timestamps more frequently to prevent unbounded growth
+        // More aggressive pruning than 5 minutes to handle high-traffic scenarios
+        this.pruneIntervalHandle = setInterval(() => this.pruneTokenTimestamps(), CSRFService_1.TIMESTAMP_PRUNING_INTERVAL_MS);
+    }
+    /**
+     * NestJS lifecycle hook: clear the pruning interval on module destroy
+     */
+    onModuleDestroy() {
+        if (this.pruneIntervalHandle !== undefined) {
+            clearInterval(this.pruneIntervalHandle);
+            this.pruneIntervalHandle = undefined;
+        }
+        // Clear maps to release memory on shutdown
+        this.tokenGenTimestamps.clear();
+        this.ipLocks.clear();
+    }
+    /**
+     * Validate trust proxy configuration to detect mismatches early
+     * Checks if X-Forwarded-For header support is configured correctly in both directions:
+     * - If trustProxy=false but X-Forwarded-For is present: may miss real client IP
+     * - If trustProxy=true but X-Forwarded-For is absent: proxy may not be configured correctly
+     */
+    validateTrustProxyConfiguration() {
+        // Check direction 1: trustProxy=false but service is likely behind a proxy
+        // We detect this by checking if the NODE_ENV and common proxy environments are misconfigured.
+        // Note: We do NOT call extractClientIp here to avoid spurious "X-Forwarded-For detected" warnings
+        // during module initialization with synthetic sample requests.
+        if (!this.trustProxy) {
+            // Nothing to warn about at init time — the runtime warning in extractClientIp
+            // will fire if real requests arrive with X-Forwarded-For headers.
+            return;
+        }
+        // Check direction 2: trustProxy=true but X-Forwarded-For absent (reverse proxy may not be configured)
+        // Use a sample request without X-Forwarded-For to detect this early
+        const sampleRequestWithoutHeader = { headers: {}, socket: { remoteAddress: '127.0.0.1' } };
+        const extractedIpWithoutHeader = this.extractClientIp(sampleRequestWithoutHeader);
+        if (extractedIpWithoutHeader === undefined || extractedIpWithoutHeader === null) {
+            this.logger.warn('Trust proxy is enabled but X-Forwarded-For header is not present in sample request. ' +
+                'Your reverse proxy may not be configured to set X-Forwarded-For correctly. ' +
+                'Verify your proxy (nginx, Apache, load balancer, etc.) is setting this header.');
+        }
+    }
+    /**
+     * Calculate Shannon entropy of a string to measure randomness.
+     * Higher entropy indicates better randomness quality.
+     *
+     * The minimum threshold of 4.0 bits/char is chosen because:
+     * - A uniformly random string from a 16-character alphabet (hex: 0-9a-f) has log2(16) = 4.0 bits/char
+     * - This ensures the CSRF_SECRET has sufficient entropy for cryptographic purposes
+     * - Values below 4.0 bits/char indicate the secret uses a limited character set or has patterns
+     *
+     * @param str - Input string to analyze
+     * @returns Entropy in bits per character
+     */
+    calculateEntropy(str) {
+        const freq = new Map();
+        for (const char of str) {
+            freq.set(char, (freq.get(char) ?? 0) + 1);
+        }
+        let entropy = 0;
+        for (const count of freq.values()) {
+            const p = count / str.length;
+            entropy -= p * Math.log2(p);
+        }
+        return entropy;
+    }
+    /**
+     * Check if the secret contains obviously weak patterns
+     */
+    isWeakSecret(secret) {
+        // Check if all characters are the same (e.g., 'aaaaa...')
+        if (/^(.)\1+$/.test(secret)) {
+            return true;
+        }
+        // Check for repeated character sequences (e.g., 'aaaa' or 'bbbb')
+        // Indicates low entropy and predictable patterns
+        if (/(.)\1{4,}/.test(secret)) {
+            return true;
+        }
+        // Check for common weak strings (case-insensitive)
+        const lowerSecret = secret.toLowerCase();
+        const weakPatterns = ['password', 'secret', '12345678', 'qwerty', '00000000', '11111111', '88888888', '99999999'];
+        if (weakPatterns.some(pattern => lowerSecret.includes(pattern))) {
+            return true;
+        }
+        return false;
+    }
+    /**
+     * Get session identifier for CSRF token binding
+     * Prefers session ID if available, falls back to IP address
+     * @param req - Express request object
+     * @returns Session identifier
+     */
+    getSessionIdentifier(req) {
+        const sessionId = req.session?.id;
+        if (sessionId)
+            return sessionId;
+        const ip = this.extractClientIp(req);
+        if (!ip) {
+            // Log warning — do not silently fall through to 'unknown'
+            this.logger.warn('CSRF session identifier unavailable: no session and no IP. ' +
+                'Using fixed fallback bucket to enforce rate limiting on anonymous requests.');
+            // Use fixed fallback bucket so all anonymous requests share the same rate limit
+            return 'anon';
+        }
+        return ip;
+    }
+    /**
+     * Extract client IP address from request, respecting trustProxy setting
+     *
+     * **Note on Express vs Fastify**: This implementation uses `req.ip` (Express-specific).
+     * For Fastify deployments, ensure the `trustProxy` option is properly configured:
+     * - In Fastify, use `app.register(require('@fastify/proxy'), { ...config })`
+     * - Or set the Fastify instance option: `fastify({ trustProxy: true })`
+     * - Without correct Fastify configuration, IP detection will fail
+     *
+     * @param req - Express request object
+     * @returns Client IP address or null if unavailable
+     */
+    extractClientIp(req) {
+        // If trustProxy is enabled, use X-Forwarded-For header (first IP only)
+        if (this.trustProxy) {
+            const forwardedFor = req.headers['x-forwarded-for'];
+            if (forwardedFor) {
+                // X-Forwarded-For can contain multiple IPs: client, proxy1, proxy2...
+                // We only trust the first one (the original client)
+                const firstIp = Array.isArray(forwardedFor) ? forwardedFor[0] : forwardedFor.split(',')[0];
+                return firstIp?.trim() ?? null;
+            }
+        }
+        else {
+            // Warn if X-Forwarded-For is present but trustProxy is false
+            // This may indicate a misconfiguration where the service is behind a reverse proxy
+            const forwardedFor = req.headers['x-forwarded-for'];
+            if (forwardedFor) {
+                this.logger.warn('X-Forwarded-For header detected but trustProxy is false. ' +
+                    'If this service is behind a reverse proxy (nginx, Apache, load balancer, etc.), ' +
+                    'enable trustProxy in CSRFService options to correctly identify client IPs. ' +
+                    'Otherwise, client IP detection will use direct socket IP.');
+            }
+        }
+        // Fall back to direct socket IP
+        return req.ip ?? (req.socket?.remoteAddress) ?? null;
+    }
+    /**
+     * Prune old token generation timestamps to prevent unbounded map growth
+     * Removes entries older than 60 seconds and cleans up idle IPs from both
+     * tokenGenTimestamps and ipLocks to prevent memory accumulation.
+     */
+    pruneTokenTimestamps() {
+        const now = Date.now();
+        const TIMESTAMP_TTL = 60_000; // 60 seconds
+        for (const [ip, timestamps] of this.tokenGenTimestamps.entries()) {
+            const recentTimestamps = timestamps.filter(ts => now - ts < TIMESTAMP_TTL);
+            if (recentTimestamps.length === 0) {
+                this.tokenGenTimestamps.delete(ip);
+                // Clean up corresponding ipLocks entry when IP has no timestamps
+                this.ipLocks.delete(ip);
+            }
+            else {
+                this.tokenGenTimestamps.set(ip, recentTimestamps);
+            }
+        }
+    }
+    /**
+     * Generate CSRF token with per-IP rate limiting
+     * Limits to 10 token generations per IP per 60 seconds
+     * Uses per-IP locking to serialize concurrent requests from the same IP,
+     * preventing race conditions in rate limit checks.
+     * @param req - Express request object
+     * @param res - Express response object
+     * @returns CSRF token
+     * @throws Error if CSRF_SECRET was not initialized in onModuleInit
+     * @throws {HttpException} 429 - When rate limit exceeded for this IP
+     * @throws {HttpException} 503 - When service is at capacity
+     */
+    async generateToken(req, res) {
+        if (!this.csrfProtection) {
+            throw new Error('CSRFService not initialized — call onModuleInit() first');
+        }
+        const ip = this.extractClientIp(req) ?? 'unknown';
+        // Serialize rate-limit check + token generation per IP to prevent race conditions
+        // Chain this request's work after any pending work for the same IP
+        const pendingWork = this.ipLocks.get(ip) ?? Promise.resolve();
+        // Wrap with a timeout to prevent indefinite waits in the queue
+        const currentWork = pendingWork.then(() => {
+            return new Promise((resolve, reject) => {
+                const timer = setTimeout(() => {
+                    reject(new HttpException('CSRF token generation timed out waiting in queue', HttpStatus.SERVICE_UNAVAILABLE));
+                }, CSRFService_1.IP_LOCK_TIMEOUT_MS);
+                try {
+                    const token = this.performRateLimitedTokenGeneration(req, res);
+                    clearTimeout(timer);
+                    resolve(token);
+                }
+                catch (err) {
+                    clearTimeout(timer);
+                    reject(err);
+                }
+            });
+        });
+        this.ipLocks.set(ip, currentWork);
+        // Clean up the lock after this work completes (only if no new work queued)
+        currentWork.finally(() => {
+            if (this.ipLocks.get(ip) === currentWork) {
+                this.ipLocks.delete(ip);
+            }
+        });
+        // eslint-disable-next-line @typescript-eslint/return-await
+        return await currentWork;
+    }
+    /**
+     * Perform rate-limited token generation for a single IP.
+     * This method is called within an IP-serialized lock to ensure atomicity.
+     * @param req - Express request object
+     * @param res - Express response object
+     * @returns CSRF token
+     * @throws HttpException with 429 status if rate limit exceeded
+     */
+    performRateLimitedTokenGeneration(req, res) {
+        // Check per-IP rate limit
+        const ip = this.extractClientIp(req) ?? 'unknown';
+        const now = Date.now();
+        // Check if map is approaching capacity (at 80% threshold with 20% safety margin)
+        // This safety margin prevents race conditions where concurrent requests might insert
+        // new IPs between the pruning step and the final capacity check.
+        const capacityThreshold = CSRFService_1.MAX_TRACKED_IPS * CSRFService_1.CAPACITY_THRESHOLD_PERCENT;
+        if (this.tokenGenTimestamps.size >= capacityThreshold) {
+            this.capacityThresholdCrossedCount++;
+            // eslint-disable-next-line no-magic-numbers
+            const capacityPercent = (this.tokenGenTimestamps.size / CSRFService_1.MAX_TRACKED_IPS * 100).toFixed(1);
+            this.logger.warn(`CSRF token generation approaching capacity (${capacityPercent}% of ${CSRFService_1.MAX_TRACKED_IPS} max IPs). ` +
+                `Threshold crossed ${this.capacityThresholdCrossedCount} times.`);
+            if (!this._isPruning) {
+                this._isPruning = true;
+                this.pruneTokenTimestamps();
+                this._isPruning = false;
+            }
+            // Check again after pruning
+            if (this.tokenGenTimestamps.size >= CSRFService_1.MAX_TRACKED_IPS) {
+                // eslint-disable-next-line no-magic-numbers
+                const finalCapacityPercent = (this.tokenGenTimestamps.size / CSRFService_1.MAX_TRACKED_IPS * 100).toFixed(1);
+                this.logger.error(`CSRF service at maximum capacity (${finalCapacityPercent}% of ${CSRFService_1.MAX_TRACKED_IPS} max IPs). ` +
+                    'Token generation rejected.');
+                throw new HttpException('CSRF token generation service is temporarily unavailable', HttpStatus.SERVICE_UNAVAILABLE);
+            }
+        }
+        let timestamps = this.tokenGenTimestamps.get(ip) ?? [];
+        // Filter to only timestamps within the last 60 seconds
+        timestamps = timestamps.filter(ts => now - ts < CSRFService_1.RATE_LIMIT_WINDOW_MS);
+        if (timestamps.length >= CSRFService_1.RATE_LIMIT_COUNT) {
+            this.logger.warn(`CSRF token rate limit exceeded for IP: ${escapeNewlines(ip)}`);
+            throw new HttpException('Rate limit exceeded for CSRF token generation', HttpStatus.TOO_MANY_REQUESTS);
+        }
+        // Record this generation
+        timestamps.push(now);
+        this.tokenGenTimestamps.set(ip, timestamps);
+        // Generate and return the token
+        // csrfProtection is guaranteed non-null: generateToken (our caller) checks it,
+        // and performRateLimitedTokenGeneration is only called from generateToken's chain.
+        const protection = this.csrfProtection;
+        if (!protection) {
+            throw new Error('CSRFService not initialized — call onModuleInit() first');
+        }
+        return protection.generateToken(req, res);
+    }
+    /**
+     * Validate CSRF token
+     * @param req - Express request object
+     * @returns true if token is valid, false otherwise
+     * @throws Error if CSRF_SECRET was not initialized in onModuleInit
+     */
+    validateToken(req) {
+        if (!this.csrfProtection) {
+            throw new Error('CSRFService not initialized — call onModuleInit() first');
+        }
+        try {
+            this.csrfProtection.validateRequest(req);
+            return true;
+        }
+        catch {
+            return false;
+        }
+    }
+    /**
+     * Refresh CSRF token by invalidating the current one and generating a new one
+     * Use this after sensitive operations like login, password change, or privilege escalation
+     * to ensure the user has a fresh token that cannot be replayed from before the operation
+     * @param req - Express request object
+     * @param res - Express response object
+     * @returns New CSRF token
+     * @throws Error if CSRF_SECRET was not initialized in onModuleInit
+     */
+    // eslint-disable-next-line @typescript-eslint/promise-function-async
+    refreshToken(req, res) {
+        if (!this.csrfProtection) {
+            throw new Error('CSRFService not initialized — call onModuleInit() first');
+        }
+        // Route through rate limiting to enforce per-IP token generation limits
+        // Clear any session-bound CSRF state by generating a fresh token
+        // The doubleCsrf library handles invalidation through cookie/session updates
+        return this.generateToken(req, res);
+    }
+    /**
+     * Get CSRF middleware
+     * @returns CSRF protection middleware
+     * @throws Error if CSRF_SECRET was not initialized in onModuleInit
+     */
+    getMiddleware() {
+        if (!this.csrfProtection) {
+            throw new Error('CSRFService not initialized — call onModuleInit() first');
+        }
+        return this.csrfProtection.doubleCsrfProtection;
+    }
+};
+CSRFService = CSRFService_1 = __decorate([
+    Injectable(),
+    __param(0, Inject(ConfigService)),
+    __param(0, Optional()),
+    __param(1, Optional()),
+    __metadata("design:paramtypes", [ConfigService, Object])
+], CSRFService);
+export { CSRFService };
+//# sourceMappingURL=csrf.service.js.map

package/build/common/services/csrf.service.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"csrf.service.js","sourceRoot":"","sources":["../../../src/common/services/csrf.service.ts"],"names":[],"mappings":";;;;;;;;;;;;;AAAA,OAAO,EAAE,UAAU,EAAiC,MAAM,EAAE,aAAa,EAAE,UAAU,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,gBAAgB,CAAC;AAChI,OAAO,EAAE,aAAa,EAAE,MAAM,gBAAgB,CAAC;AAC/C,OAAO,EAAE,UAAU,EAA4B,MAAM,WAAW,CAAC;AAEjE,OAAO,EAAE,cAAc,EAAE,MAAM,gCAAgC,CAAC;AAmBhE;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAuCG;AAEI,IAAM,WAAW,GAAjB,MAAM,WAAW;;IAgD8B;IA/CrD,0BAA0B;IAC1B,4CAA4C;IACpC,MAAM,CAAU,iBAAiB,GAAG,EAAE,CAAC;IAC/C,4CAA4C;IACpC,MAAM,CAAU,2BAA2B,GAAG,CAAC,CAAC;IACxD,4CAA4C;IACpC,MAAM,CAAU,gCAAgC,GAAG,CAAC,CAAC;IAC7D,4CAA4C;IACpC,MAAM,CAAU,oBAAoB,GAAG,MAAM,CAAC,CAAC,aAAa;IACpE,4CAA4C;IACpC,MAAM,CAAU,gBAAgB,GAAG,EAAE,CAAC;IAC9C;;;;;;;;;;;;;;;;OAgBG;IACH,4CAA4C;IACpC,MAAM,CAAU,eAAe,GAAG,KAAK,CAAC;IAChD,4CAA4C;IACpC,MAAM,CAAU,6BAA6B,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC,yBAAyB;IAC5F,4CAA4C;IACpC,MAAM,CAAU,kBAAkB,GAAG,MAAM,CAAC,CAAC,wCAAwC;IAC7F,4CAA4C;IACpC,MAAM,CAAU,0BAA0B,GAAG,GAAG,CAAC;IAEjD,cAAc,CAAkC;IACvC,MAAM,GAAG,IAAI,MAAM,CAAC,aAAa,CAAC,CAAC;IACnC,kBAAkB,GAAG,IAAI,GAAG,EAAoB,CAAC;IACjD,OAAO,GAAG,IAAI,GAAG,EAA4B,CAAC;IAC9C,UAAU,CAAU;IAC7B,6BAA6B,GAAG,CAAC,CAAC;IAClC,mBAAmB,CAA6C;IAChE,UAAU,GAAG,KAAK,CAAC;IAE3B,YACqD,aAA6B,EACrE,OAA4B;QADY,kBAAa,GAAb,aAAa,CAAgB;QAGjF,uEAAuE;QACvE,+EAA+E;QAC/E,IAAI,CAAC,UAAU,GAAG,OAAO,EAAE,UAAU,IAAI,KAAK,CAAC;IAChD,CAAC;IAED;;;OAGG;IACI,YAAY;QAClB,MAAM,UAAU,GAAG,IAAI,CAAC,aAAa,EAAE,GAAG,CAAS,aAAa,CAAC,IAAI,OAAO,CAAC,GAAG,CAAC,aAAa,CAAC,CAAC;QAChG,IAAI,CAAC,UAAU,EAAE,CAAC;YACjB,MAAM,IAAI,KAAK,CACd,4DAA4D;gBAC7D,yFAAyF,CACxF,CAAC;QACH,CAAC;QAED,+BAA+B;QAC/B,IAAI,UAAU,CAAC,MAAM,GAAG,aAAW,CAAC,iBAAiB,EAAE,CAAC;YACvD,MAAM,IAAI,KAAK,CACd,gCAAgC,aAAW,CAAC,iBAAiB,yCAAyC;gBACvG,mBAAmB,UAAU,CAAC,MAAM,IAAI;gBACxC,yEAAyE,CACxE,CAAC;QACH,CAAC;QAED,uDAAuD;QACvD,IAAI,IAAI,CAAC,YAAY,CAAC,UAAU,CAAC,EAAE,CAAC;YACnC,MAAM,IAAI,KAAK,CACd,+CAA+C;gBAChD,2EAA2E;gBAC3E,yEAAyE,CACxE,CAAC;QACH,CAAC;QAED,mCAAmC;QACnC,MAAM,OAAO,GAAG,IAAI,CAAC,gBAAgB,CAAC,UAAU,CAAC,CAAC;QAClD,MAAM,WAAW,GAAG,GAAG,CAAC;QACxB,IAAI,OAAO,GAAG,WAAW,EAAE,CAAC;YAC3B,MAAM,IAAI,KAAK,CACd,wCAAwC,OAAO,CAAC,OAAO,CAAC,CAAC,CAAC,eAAe;gBAC1E,qBAAqB,WAAW,cAAc;gBAC9C,yEAAyE,CACxE,CAAC;QACH,CAAC;QAED,gFAAgF;QAChF,IAAI,CAAC,cAAc,GAAG,UAAU,CAAC;YAChC,SAAS,EAAE,GAAG,EAAE,CAAC,UAAU;YAC3B,oBAAoB,EAAE,CAAC,GAAG,EAAE,EAAE,CAAC,IAAI,CAAC,oBAAoB,CAAC,GAAG,CAAC;YAC7D,UAAU,EAAE,2BAA2B;YACvC,aAAa,EAAE;gBACd,QAAQ,EAAE,IAAI;gBACd,MAAM,EAAE,OAAO,CAAC,GAAG,CAAC,UAAU,CAAC,KAAK,YAAY;gBAChD,QAAQ,EAAE,QAAQ;gBAClB,IAAI,EAAE,GAAG;aACT;SACD,CAAC,CAAC;QAEH,sDAAsD;QACtD,IAAI,CAAC,+BAA+B,EAAE,CAAC;QAEvC,oFAAoF;QACpF,0EAA0E;QAC1E,IAAI,CAAC,mBAAmB,GAAG,WAAW,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,oBAAoB,EAAE,EAAE,aAAW,CAAC,6BAA6B,CAAC,CAAC;IACtH,CAAC;IAED;;OAEG;IACI,eAAe;QACrB,IAAI,IAAI,CAAC,mBAAmB,KAAK,SAAS,EAAE,CAAC;YAC5C,aAAa,CAAC,IAAI,CAAC,mBAAmB,CAAC,CAAC;YACxC,IAAI,CAAC,mBAAmB,GAAG,SAAS,CAAC;QACtC,CAAC;QACD,2CAA2C;QAC3C,IAAI,CAAC,kBAAkB,CAAC,KAAK,EAAE,CAAC;QAChC,IAAI,CAAC,OAAO,CAAC,KAAK,EAAE,CAAC;IACtB,CAAC;IAED;;;;;OAKG;IACK,+BAA+B;QACtC,2EAA2E;QAC3E,8FAA8F;QAC9F,kGAAkG;QAClG,+DAA+D;QAC/D,IAAI,CAAC,IAAI,CAAC,UAAU,EAAE,CAAC;YACtB,8EAA8E;YAC9E,kEAAkE;YAClE,OAAO;QACR,CAAC;QAED,sGAAsG;QACtG,oEAAoE;QACpE,MAAM,0BAA0B,GAAG,EAAE,OAAO,EAAE,EAAE,EAAE,MAAM,EAAE,EAAE,aAAa,EAAE,WAAW,EAAE,EAAwB,CAAC;QACjH,MAAM,wBAAwB,GAAG,IAAI,CAAC,eAAe,CAAC,0BAA0B,CAAC,CAAC;QAElF,IAAI,wBAAwB,KAAK,SAAS,IAAI,wBAAwB,KAAK,IAAI,EAAE,CAAC;YACjF,IAAI,CAAC,MAAM,CAAC,IAAI,CACf,sFAAsF;gBACtF,6EAA6E;gBAC7E,gFAAgF,CAChF,CAAC;QACH,CAAC;IACF,CAAC;IAED;;;;;;;;;;;OAWG;IACK,gBAAgB,CAAC,GAAW;QACnC,MAAM,IAAI,GAAG,IAAI,GAAG,EAAkB,CAAC;QACvC,KAAK,MAAM,IAAI,IAAI,GAAG,EAAE,CAAC;YACxB,IAAI,CAAC,GAAG,CAAC,IAAI,EAAE,CAAC,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;QAC3C,CAAC;QACD,IAAI,OAAO,GAAG,CAAC,CAAC;QAChB,KAAK,MAAM,KAAK,IAAI,IAAI,CAAC,MAAM,EAAE,EAAE,CAAC;YACnC,MAAM,CAAC,GAAG,KAAK,GAAG,GAAG,CAAC,MAAM,CAAC;YAC7B,OAAO,IAAI,CAAC,GAAG,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAC7B,CAAC;QACD,OAAO,OAAO,CAAC;IAChB,CAAC;IAED;;OAEG;IACK,YAAY,CAAC,MAAc;QAClC,0DAA0D;QAC1D,IAAI,UAAU,CAAC,IAAI,CAAC,MAAM,CAAC,EAAE,CAAC;YAC7B,OAAO,IAAI,CAAC;QACb,CAAC;QAED,kEAAkE;QAClE,iDAAiD;QACjD,IAAI,WAAW,CAAC,IAAI,CAAC,MAAM,CAAC,EAAE,CAAC;YAC9B,OAAO,IAAI,CAAC;QACb,CAAC;QAED,mDAAmD;QACnD,MAAM,WAAW,GAAG,MAAM,CAAC,WAAW,EAAE,CAAC;QACzC,MAAM,YAAY,GAAG,CAAC,UAAU,EAAE,QAAQ,EAAE,UAAU,EAAE,QAAQ,EAAE,UAAU,EAAE,UAAU,EAAE,UAAU,EAAE,UAAU,CAAC,CAAC;QAClH,IAAI,YAAY,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC,WAAW,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,EAAE,CAAC;YACjE,OAAO,IAAI,CAAC;QACb,CAAC;QAED,OAAO,KAAK,CAAC;IACd,CAAC;IAED;;;;;OAKG;IACK,oBAAoB,CAAC,GAAY;QACxC,MAAM,SAAS,GAAI,GAAqC,CAAC,OAAO,EAAE,EAAE,CAAC;QACrE,IAAI,SAAS;YAAE,OAAO,SAAS,CAAC;QAEhC,MAAM,EAAE,GAAG,IAAI,CAAC,eAAe,CAAC,GAAc,CAAC,CAAC;QAChD,IAAI,CAAC,EAAE,EAAE,CAAC;YACT,0DAA0D;YAC1D,IAAI,CAAC,MAAM,CAAC,IAAI,CACf,6DAA6D;gBAC7D,6EAA6E,CAC7E,CAAC;YACF,gFAAgF;YAChF,OAAO,MAAM,CAAC;QACf,CAAC;QACD,OAAO,EAAE,CAAC;IACX,CAAC;IAED;;;;;;;;;;;OAWG;IACK,eAAe,CAAC,GAAY;QACnC,uEAAuE;QACvE,IAAI,IAAI,CAAC,UAAU,EAAE,CAAC;YACrB,MAAM,YAAY,GAAG,GAAG,CAAC,OAAO,CAAC,iBAAiB,CAAC,CAAC;YACpD,IAAI,YAAY,EAAE,CAAC;gBAClB,sEAAsE;gBACtE,oDAAoD;gBACpD,MAAM,OAAO,GAAG,KAAK,CAAC,OAAO,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,YAAY,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;gBAC3F,OAAO,OAAO,EAAE,IAAI,EAAE,IAAI,IAAI,CAAC;YAChC,CAAC;QACF,CAAC;aAAM,CAAC;YACP,6DAA6D;YAC7D,mFAAmF;YACnF,MAAM,YAAY,GAAG,GAAG,CAAC,OAAO,CAAC,iBAAiB,CAAC,CAAC;YACpD,IAAI,YAAY,EAAE,CAAC;gBAClB,IAAI,CAAC,MAAM,CAAC,IAAI,CACf,2DAA2D;oBAC3D,kFAAkF;oBAClF,6EAA6E;oBAC7E,2DAA2D,CAC3D,CAAC;YACH,CAAC;QACF,CAAC;QAED,gCAAgC;QAChC,OAAQ,GAAkC,CAAC,EAAE,IAAI,CAAE,GAAG,CAAC,MAAiD,EAAE,aAAa,CAAC,IAAI,IAAI,CAAC;IAClI,CAAC;IAED;;;;OAIG;IACK,oBAAoB;QAC3B,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QACvB,MAAM,aAAa,GAAG,MAAM,CAAC,CAAC,aAAa;QAE3C,KAAK,MAAM,CAAC,EAAE,EAAE,UAAU,CAAC,IAAI,IAAI,CAAC,kBAAkB,CAAC,OAAO,EAAE,EAAE,CAAC;YAClE,MAAM,gBAAgB,GAAG,UAAU,CAAC,MAAM,CAAC,EAAE,CAAC,EAAE,CAAC,GAAG,GAAG,EAAE,GAAG,aAAa,CAAC,CAAC;YAC3E,IAAI,gBAAgB,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;gBACnC,IAAI,CAAC,kBAAkB,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC;gBACnC,iEAAiE;gBACjE,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC;YACzB,CAAC;iBAAM,CAAC;gBACP,IAAI,CAAC,kBAAkB,CAAC,GAAG,CAAC,EAAE,EAAE,gBAAgB,CAAC,CAAC;YACnD,CAAC;QACF,CAAC;IACF,CAAC;IAED;;;;;;;;;;;OAWG;IACI,KAAK,CAAC,aAAa,CAAC,GAAY,EAAE,GAAa;QACrD,IAAI,CAAC,IAAI,CAAC,cAAc,EAAE,CAAC;YAC1B,MAAM,IAAI,KAAK,CAAC,yDAAyD,CAAC,CAAC;QAC5E,CAAC;QAED,MAAM,EAAE,GAAG,IAAI,CAAC,eAAe,CAAC,GAAG,CAAC,IAAI,SAAS,CAAC;QAElD,kFAAkF;QAClF,mEAAmE;QACnE,MAAM,WAAW,GAAG,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,IAAI,OAAO,CAAC,OAAO,EAAE,CAAC;QAE9D,+DAA+D;QAC/D,MAAM,WAAW,GAAG,WAAW,CAAC,IAAI,CAAC,GAAG,EAAE;YACzC,OAAO,IAAI,OAAO,CAAS,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;gBAC9C,MAAM,KAAK,GAAG,UAAU,CAAC,GAAG,EAAE;oBAC7B,MAAM,CAAC,IAAI,aAAa,CACvB,kDAAkD,EAClD,UAAU,CAAC,mBAAmB,CAC9B,CAAC,CAAC;gBACJ,CAAC,EAAE,aAAW,CAAC,kBAAkB,CAAC,CAAC;gBAEnC,IAAI,CAAC;oBACJ,MAAM,KAAK,GAAG,IAAI,CAAC,iCAAiC,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC;oBAC/D,YAAY,CAAC,KAAK,CAAC,CAAC;oBACpB,OAAO,CAAC,KAAK,CAAC,CAAC;gBAChB,CAAC;gBAAC,OAAO,GAAG,EAAE,CAAC;oBACd,YAAY,CAAC,KAAK,CAAC,CAAC;oBACpB,MAAM,CAAC,GAAG,CAAC,CAAC;gBACb,CAAC;YACF,CAAC,CAAC,CAAC;QACJ,CAAC,CAAC,CAAC;QAEH,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,EAAE,EAAE,WAAW,CAAC,CAAC;QAElC,2EAA2E;QAC3E,WAAW,CAAC,OAAO,CAAC,GAAG,EAAE;YACxB,IAAI,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,KAAK,WAAW,EAAE,CAAC;gBAC1C,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC;YACzB,CAAC;QACF,CAAC,CAAC,CAAC;QAEH,2DAA2D;QAC3D,OAAO,MAAM,WAAW,CAAC;IAC1B,CAAC;IAED;;;;;;;OAOG;IACK,iCAAiC,CAAC,GAAY,EAAE,GAAa;QACpE,0BAA0B;QAC1B,MAAM,EAAE,GAAG,IAAI,CAAC,eAAe,CAAC,GAAG,CAAC,IAAI,SAAS,CAAC;QAClD,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QAEvB,iFAAiF;QACjF,qFAAqF;QACrF,iEAAiE;QAEjE,MAAM,iBAAiB,GAAG,aAAW,CAAC,eAAe,GAAG,aAAW,CAAC,0BAA0B,CAAC;QAC/F,IAAI,IAAI,CAAC,kBAAkB,CAAC,IAAI,IAAI,iBAAiB,EAAE,CAAC;YACvD,IAAI,CAAC,6BAA6B,EAAE,CAAC;YACrC,4CAA4C;YAC5C,MAAM,eAAe,GAAG,CAAC,IAAI,CAAC,kBAAkB,CAAC,IAAI,GAAG,aAAW,CAAC,eAAe,GAAG,GAAG,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC;YACtG,IAAI,CAAC,MAAM,CAAC,IAAI,CACf,+CAA+C,eAAe,QAAQ,aAAW,CAAC,eAAe,aAAa;gBAC9G,qBAAqB,IAAI,CAAC,6BAA6B,SAAS,CAChE,CAAC;YAEF,IAAI,CAAC,IAAI,CAAC,UAAU,EAAE,CAAC;gBACtB,IAAI,CAAC,UAAU,GAAG,IAAI,CAAC;gBACvB,IAAI,CAAC,oBAAoB,EAAE,CAAC;gBAC5B,IAAI,CAAC,UAAU,GAAG,KAAK,CAAC;YACzB,CAAC;YACD,4BAA4B;YAC5B,IAAI,IAAI,CAAC,kBAAkB,CAAC,IAAI,IAAI,aAAW,CAAC,eAAe,EAAE,CAAC;gBACjE,4CAA4C;gBAC5C,MAAM,oBAAoB,GAAG,CAAC,IAAI,CAAC,kBAAkB,CAAC,IAAI,GAAG,aAAW,CAAC,eAAe,GAAG,GAAG,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC;gBAC3G,IAAI,CAAC,MAAM,CAAC,KAAK,CAChB,qCAAqC,oBAAoB,QAAQ,aAAW,CAAC,eAAe,aAAa;oBACzG,4BAA4B,CAC5B,CAAC;gBACF,MAAM,IAAI,aAAa,CACtB,0DAA0D,EAC1D,UAAU,CAAC,mBAAmB,CAC9B,CAAC;YACH,CAAC;QACF,CAAC;QAED,IAAI,UAAU,GAAG,IAAI,CAAC,kBAAkB,CAAC,GAAG,CAAC,EAAE,CAAC,IAAI,EAAE,CAAC;QACvD,uDAAuD;QACvD,UAAU,GAAG,UAAU,CAAC,MAAM,CAAC,EAAE,CAAC,EAAE,CAAC,GAAG,GAAG,EAAE,GAAG,aAAW,CAAC,oBAAoB,CAAC,CAAC;QAElF,IAAI,UAAU,CAAC,MAAM,IAAI,aAAW,CAAC,gBAAgB,EAAE,CAAC;YACvD,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,0CAA0C,cAAc,CAAC,EAAE,CAAC,EAAE,CAAC,CAAC;YACjF,MAAM,IAAI,aAAa,CACtB,+CAA+C,EAC/C,UAAU,CAAC,iBAAiB,CAC5B,CAAC;QACH,CAAC;QAED,yBAAyB;QACzB,UAAU,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QACrB,IAAI,CAAC,kBAAkB,CAAC,GAAG,CAAC,EAAE,EAAE,UAAU,CAAC,CAAC;QAE5C,gCAAgC;QAChC,+EAA+E;QAC/E,mFAAmF;QACnF,MAAM,UAAU,GAAG,IAAI,CAAC,cAAc,CAAC;QACvC,IAAI,CAAC,UAAU,EAAE,CAAC;YACjB,MAAM,IAAI,KAAK,CAAC,yDAAyD,CAAC,CAAC;QAC5E,CAAC;QACD,OAAO,UAAU,CAAC,aAAa,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC;IAC3C,CAAC;IAED;;;;;OAKG;IACI,aAAa,CAAC,GAAY;QAChC,IAAI,CAAC,IAAI,CAAC,cAAc,EAAE,CAAC;YAC1B,MAAM,IAAI,KAAK,CAAC,yDAAyD,CAAC,CAAC;QAC5E,CAAC;QAED,IAAI,CAAC;YACJ,IAAI,CAAC,cAAc,CAAC,eAAe,CAAC,GAAG,CAAC,CAAC;YACzC,OAAO,IAAI,CAAC;QACb,CAAC;QAAC,MAAM,CAAC;YACR,OAAO,KAAK,CAAC;QACd,CAAC;IACF,CAAC;IAED;;;;;;;;OAQG;IACH,qEAAqE;IAC9D,YAAY,CAAC,GAAY,EAAE,GAAa;QAC9C,IAAI,CAAC,IAAI,CAAC,cAAc,EAAE,CAAC;YAC1B,MAAM,IAAI,KAAK,CAAC,yDAAyD,CAAC,CAAC;QAC5E,CAAC;QAED,wEAAwE;QACxE,iEAAiE;QACjE,6EAA6E;QAC7E,OAAO,IAAI,CAAC,aAAa,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC;IACrC,CAAC;IAED;;;;OAIG;IACI,aAAa;QACnB,IAAI,CAAC,IAAI,CAAC,cAAc,EAAE,CAAC;YAC1B,MAAM,IAAI,KAAK,CAAC,yDAAyD,CAAC,CAAC;QAC5E,CAAC;QAED,OAAO,IAAI,CAAC,cAAc,CAAC,oBAAoB,CAAC;IACjD,CAAC;;AA9dW,WAAW;IADvB,UAAU,EAAE;IAiDV,WAAA,MAAM,CAAC,aAAa,CAAC,CAAA;IAAE,WAAA,QAAQ,EAAE,CAAA;IACjC,WAAA,QAAQ,EAAE,CAAA;qCADyD,aAAa;GAhDtE,WAAW,CA+dvB"}

package/build/common/services/error-categorizer.service.d.ts

@@ -0,0 +1,82 @@
+import { ModuleRef } from '@nestjs/core';
+import { LazyModuleRefService } from '../utils/lazy-getter.types.js';
+import { AppLogger } from './logger.service.js';
+/**
+ * Error category classification for recovery strategy determination.
+ */
+export interface ErrorCategory {
+    type: 'transient' | 'permanent';
+    retryable: boolean;
+    strategy: 'retry' | 'fail' | 'backoff';
+    backoffMs?: number;
+}
+/**
+ * Error Categorizer Service.
+ * Classifies errors as transient or permanent and recommends recovery strategies.
+ *
+ * Categories:
+ * - **Transient** (retryable): Network errors, timeouts, database connection errors, rate limits, server errors (5xx)
+ * - **Permanent** (not retryable): Validation errors, bad requests (4xx), authentication/authorization, not found
+ *
+ * Recovery strategies:
+ * - **retry**: Immediate retry (for network errors)
+ * - **backoff**: Exponential backoff retry (for timeouts, database, rate limits)
+ * - **fail**: Fast failure without retry (for validation, authentication, not found)
+ *
+ * @remarks
+ * - Node.js error codes (ECONNRESET, ECONNREFUSED, ETIMEDOUT, ENOTFOUND, EAI_AGAIN) are always transient
+ * - Database connection errors are always transient with long backoff (5s)
+ * - Timeout errors get medium backoff (2s)
+ * - Rate limit errors get maximum backoff (10s)
+ * - Unknown errors default to permanent/fail strategy
+ *
+ * @example
+ * ```typescript
+ * const category = errorCategorizer.categorizeError(error);
+ * if (category.retryable) {
+ *   // Retry with backoff: category.backoffMs
+ * } else {
+ *   // Fail fast
+ * }
+ * ```
+ */
+export declare class ErrorCategorizerService implements LazyModuleRefService {
+    private _contextualLogger;
+    readonly Module: ModuleRef;
+    constructor(module: ModuleRef);
+    /**
+     * Get contextual logger for error categorizer
+     */
+    get Logger(): AppLogger;
+    /**
+     * Check if an error is retryable
+     */
+    isRetryable(error: unknown): boolean;
+    /**
+     * Categorize an error and determine recovery strategy
+     */
+    categorizeError(error: unknown): ErrorCategory;
+    /**
+     * Log error recovery attempt
+     */
+    logRecoveryAttempt(error: unknown, attempt: number, maxAttempts: number): void;
+    /**
+     * Log successful recovery
+     */
+    logRecoverySuccess(error: unknown, attempts: number): void;
+    /**
+     * Log failed recovery
+     */
+    logRecoveryFailed(error: unknown, attempts: number): void;
+    private isNetworkError;
+    private isTimeoutError;
+    private isDatabaseError;
+    private isBadRequestError;
+    private isValidationError;
+    private isAuthError;
+    private isAuthzError;
+    private isNotFoundError;
+    private isServerError;
+    private isRateLimitError;
+}
+//# sourceMappingURL=error-categorizer.service.d.ts.map

package/build/common/services/error-categorizer.service.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"error-categorizer.service.d.ts","sourceRoot":"","sources":["../../../src/common/services/error-categorizer.service.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,SAAS,EAAE,MAAM,cAAc,CAAC;AAYzC,OAAO,EAAE,oBAAoB,EAAE,MAAM,+BAA+B,CAAC;AACrE,OAAO,EAAE,SAAS,EAAE,MAAM,qBAAqB,CAAC;AAQhD;;GAEG;AACH,MAAM,WAAW,aAAa;IAC7B,IAAI,EAAE,WAAW,GAAG,WAAW,CAAC;IAChC,SAAS,EAAE,OAAO,CAAC;IACnB,QAAQ,EAAE,OAAO,GAAG,MAAM,GAAG,SAAS,CAAC;IACvC,SAAS,CAAC,EAAE,MAAM,CAAC;CACnB;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA6BG;AACH,qBACa,uBAAwB,YAAW,oBAAoB;IACnE,OAAO,CAAC,iBAAiB,CAAwB;IAEjD,SAAgB,MAAM,EAAE,SAAS,CAAC;gBAEtB,MAAM,EAAE,SAAS;IAI7B;;OAEG;IACH,IAAW,MAAM,IAAI,SAAS,CAM7B;IAED;;OAEG;IACI,WAAW,CAAC,KAAK,EAAE,OAAO,GAAG,OAAO;IAK3C;;OAEG;IACI,eAAe,CAAC,KAAK,EAAE,OAAO,GAAG,aAAa;IAuLrD;;OAEG;IACI,kBAAkB,CAAC,KAAK,EAAE,OAAO,EAAE,OAAO,EAAE,MAAM,EAAE,WAAW,EAAE,MAAM,GAAG,IAAI;IAYrF;;OAEG;IACI,kBAAkB,CAAC,KAAK,EAAE,OAAO,EAAE,QAAQ,EAAE,MAAM,GAAG,IAAI;IAOjE;;OAEG;IACI,iBAAiB,CAAC,KAAK,EAAE,OAAO,EAAE,QAAQ,EAAE,MAAM,GAAG,IAAI;IAWhE,OAAO,CAAC,cAAc;IAMtB,OAAO,CAAC,cAAc;IAMtB,OAAO,CAAC,eAAe;IAUvB,OAAO,CAAC,iBAAiB;IAMzB,OAAO,CAAC,iBAAiB;IAMzB,OAAO,CAAC,WAAW;IAMnB,OAAO,CAAC,YAAY;IAMpB,OAAO,CAAC,eAAe;IAKvB,OAAO,CAAC,aAAa;IAOrB,OAAO,CAAC,gBAAgB;CAKxB"}