npm - @revealui/security - Versions diffs - 0.0.0-canary-20260409021642 - Mend

@revealui/security 0.0.0-canary-20260409021642

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (10) hide show

package/LICENSE +22 -0
package/README.md +96 -0
package/dist/audit-UF7PIYBU.js +21 -0
package/dist/audit-UF7PIYBU.js.map +1 -0
package/dist/chunk-Q5KAPSST.js +429 -0
package/dist/chunk-Q5KAPSST.js.map +1 -0
package/dist/index.d.ts +1507 -0
package/dist/index.js +2284 -0
package/dist/index.js.map +1 -0
package/package.json +47 -0

package/dist/index.d.ts ADDED Viewed

@@ -0,0 +1,1507 @@
+/**
+ * Audit Logging System
+ *
+ * Track security-relevant events and user actions for compliance
+ */
+type AuditEventType = 'auth.login' | 'auth.logout' | 'auth.failed_login' | 'auth.password_change' | 'auth.password_reset' | 'auth.mfa_enabled' | 'auth.mfa_disabled' | 'user.create' | 'user.update' | 'user.delete' | 'user.view' | 'data.create' | 'data.read' | 'data.update' | 'data.delete' | 'data.export' | 'permission.grant' | 'permission.revoke' | 'role.assign' | 'role.remove' | 'config.change' | 'security.violation' | 'security.alert' | 'gdpr.consent' | 'gdpr.data_request' | 'gdpr.data_deletion' | `data.${string}` | `permission.${string}` | `security.${string}` | `gdpr.${string}`;
+type AuditSeverity = 'low' | 'medium' | 'high' | 'critical';
+interface AuditEvent {
+    id: string;
+    timestamp: string;
+    type: AuditEventType;
+    severity: AuditSeverity;
+    actor: {
+        id: string;
+        type: 'user' | 'system' | 'api';
+        ip?: string;
+        userAgent?: string;
+    };
+    resource?: {
+        type: string;
+        id: string;
+        name?: string;
+    };
+    action: string;
+    result: 'success' | 'failure' | 'partial';
+    changes?: {
+        before?: Record<string, unknown>;
+        after?: Record<string, unknown>;
+    };
+    metadata?: Record<string, unknown>;
+    message?: string;
+}
+interface AuditQuery {
+    types?: AuditEventType[];
+    actorId?: string;
+    resourceType?: string;
+    resourceId?: string;
+    startDate?: Date;
+    endDate?: Date;
+    severity?: AuditSeverity[];
+    result?: ('success' | 'failure' | 'partial')[];
+    limit?: number;
+    offset?: number;
+}
+interface AuditStorage {
+    write(event: AuditEvent): Promise<void>;
+    query(query: AuditQuery): Promise<AuditEvent[]>;
+    count(query: AuditQuery): Promise<number>;
+}
+/**
+ * Audit logging system
+ */
+declare class AuditSystem {
+    private storage;
+    private filters;
+    constructor(storage: AuditStorage);
+    /**
+     * Replace the backing storage (e.g. swap InMemory for Postgres at startup).
+     * Events already written to the old storage are NOT migrated.
+     */
+    setStorage(storage: AuditStorage): void;
+    /**
+     * Log audit event
+     */
+    log(event: Omit<AuditEvent, 'id' | 'timestamp'>): Promise<void>;
+    /**
+     * Log authentication event
+     */
+    logAuth(type: Extract<AuditEventType, 'auth.login' | 'auth.logout' | 'auth.failed_login' | 'auth.password_change'>, actorId: string, result: 'success' | 'failure', metadata?: Record<string, unknown>): Promise<void>;
+    /**
+     * Log data access event
+     */
+    logDataAccess(action: 'create' | 'read' | 'update' | 'delete', actorId: string, resourceType: string, resourceId: string, result: 'success' | 'failure', changes?: {
+        before?: Record<string, unknown>;
+        after?: Record<string, unknown>;
+    }): Promise<void>;
+    /**
+     * Log permission change
+     */
+    logPermissionChange(action: 'grant' | 'revoke', actorId: string, targetUserId: string, permission: string, result: 'success' | 'failure'): Promise<void>;
+    /**
+     * Log security event
+     */
+    logSecurityEvent(type: 'violation' | 'alert', severity: AuditSeverity, actorId: string, message: string, metadata?: Record<string, unknown>): Promise<void>;
+    /**
+     * Log GDPR event
+     */
+    logGDPREvent(type: 'consent' | 'data_request' | 'data_deletion', actorId: string, result: 'success' | 'failure', metadata?: Record<string, unknown>): Promise<void>;
+    /**
+     * Query audit logs
+     */
+    query(query: AuditQuery): Promise<AuditEvent[]>;
+    /**
+     * Count audit logs
+     */
+    count(query: AuditQuery): Promise<number>;
+    /**
+     * Add filter
+     */
+    addFilter(filter: (event: AuditEvent) => boolean): void;
+    /**
+     * Remove filter
+     */
+    removeFilter(filter: (event: AuditEvent) => boolean): void;
+}
+/**
+ * In-memory audit storage (for development)
+ */
+declare class InMemoryAuditStorage implements AuditStorage {
+    private events;
+    private maxEvents;
+    constructor(maxEvents?: number);
+    write(event: AuditEvent): Promise<void>;
+    query(query: AuditQuery): Promise<AuditEvent[]>;
+    count(query: AuditQuery): Promise<number>;
+    /**
+     * Clear all events
+     */
+    clear(): void;
+    /**
+     * Get all events
+     */
+    getAll(): AuditEvent[];
+}
+/**
+ * Audit trail decorator
+ */
+declare function AuditTrail(type: AuditEventType, action: string, options?: {
+    severity?: AuditSeverity;
+    captureChanges?: boolean;
+    resourceType?: string;
+}): (_target: object, _propertyKey: string, descriptor: PropertyDescriptor) => PropertyDescriptor;
+/**
+ * Audit middleware
+ */
+declare function createAuditMiddleware<TRequest = unknown, TResponse = unknown>(audit: AuditSystem, getUser: (request: TRequest) => {
+    id: string;
+    ip?: string;
+    userAgent?: string;
+}): (request: TRequest & {
+    method: string;
+    url: string;
+}, next: () => Promise<TResponse & {
+    status?: number;
+}>) => Promise<TResponse & {
+    status?: number;
+}>;
+/**
+ * Audit report generator
+ */
+declare class AuditReportGenerator {
+    private audit;
+    constructor(audit: AuditSystem);
+    /**
+     * Generate security report
+     */
+    generateSecurityReport(startDate: Date, endDate: Date): Promise<{
+        totalEvents: number;
+        securityViolations: number;
+        failedLogins: number;
+        permissionChanges: number;
+        dataExports: number;
+        criticalEvents: AuditEvent[];
+    }>;
+    /**
+     * Generate user activity report
+     */
+    generateUserActivityReport(userId: string, startDate: Date, endDate: Date): Promise<{
+        totalActions: number;
+        actionsByType: Record<string, number>;
+        failedActions: number;
+        recentActions: AuditEvent[];
+    }>;
+    /**
+     * Generate compliance report
+     */
+    generateComplianceReport(startDate: Date, endDate: Date): Promise<{
+        dataAccesses: number;
+        dataModifications: number;
+        dataDeletions: number;
+        gdprRequests: number;
+        auditTrailComplete: boolean;
+    }>;
+    /**
+     * Check audit trail continuity
+     */
+    private checkAuditTrailContinuity;
+}
+/** Fields included in the HMAC signature for tamper detection. */
+interface SignableFields {
+    timestamp: string;
+    eventType: string;
+    severity: string;
+    agentId: string;
+    payload: unknown;
+}
+/**
+ * Compute an HMAC-SHA256 signature over the canonical fields of an audit entry.
+ *
+ * The signature covers `timestamp`, `eventType`, `severity`, `agentId`, and
+ * `payload` — the immutable core of every audit record. Changing any of
+ * these fields after signing will cause verification to fail.
+ *
+ * @param entry - The audit entry fields to sign
+ * @param secret - The HMAC secret key
+ * @returns Hex-encoded HMAC-SHA256 signature
+ */
+declare function signAuditEntry(entry: SignableFields, secret: string): Promise<string>;
+/**
+ * Verify an HMAC-SHA256 signature against the canonical fields of an audit entry.
+ *
+ * Uses timing-safe comparison to prevent timing attacks.
+ *
+ * @param entry - The audit entry fields to verify
+ * @param signature - The hex-encoded HMAC-SHA256 signature to verify
+ * @param secret - The HMAC secret key
+ * @returns True if the signature is valid
+ */
+declare function verifyAuditEntry(entry: SignableFields, signature: string, secret: string): Promise<boolean>;
+/**
+ * Global audit system
+ */
+declare const audit: AuditSystem;
+/**
+ * Security Alerting Service
+ *
+ * Evaluates audit events against configurable threshold rules and
+ * dispatches alerts through pluggable handlers (logging, audit trail,
+ * webhook / SIEM integration).
+ */
+/** A security alert produced when a threshold is breached. */
+interface SecurityAlert {
+    /** Alert rule that triggered (e.g. 'failedLogins', 'accountLockout'). */
+    type: string;
+    /** Severity of the alert. */
+    severity: AuditSeverity;
+    /** Human-readable description. */
+    message: string;
+    /** Contextual data attached to the alert. */
+    context: Record<string, unknown>;
+    /** When the alert was raised (ISO-8601). */
+    timestamp: string;
+}
+/** Handler that receives dispatched security alerts. */
+interface AlertHandler {
+    /** Process a single alert. */
+    handle(alert: SecurityAlert): Promise<void>;
+}
+/** Configuration for a single threshold rule. */
+interface ThresholdRule {
+    /** Maximum event count before an alert fires. */
+    maxCount: number;
+    /** Sliding window duration in milliseconds. */
+    windowMs: number;
+    /** Severity assigned to alerts from this rule. */
+    severity: AuditSeverity;
+    /** Human-readable message template — `{count}` is replaced at runtime. */
+    messageTemplate: string;
+}
+/** Top-level configuration for the alerting service. */
+interface AlertingConfig {
+    /** Threshold rules keyed by rule name. */
+    thresholds: Record<string, ThresholdRule>;
+    /** Handlers that receive dispatched alerts. */
+    handlers: AlertHandler[];
+}
+/** Default threshold rules aligned with SOC2 6.2 requirements. */
+declare const DEFAULT_THRESHOLDS: Record<string, ThresholdRule>;
+/**
+ * Logs alerts to the structured security logger.
+ */
+declare class LogAlertHandler implements AlertHandler {
+    /** Write alert details to the configured security logger. */
+    handle(alert: SecurityAlert): Promise<void>;
+}
+/**
+ * Writes alerts as critical audit events into the audit log.
+ */
+declare class AuditAlertHandler implements AlertHandler {
+    /** Record the alert in the audit trail with severity 'critical'. */
+    handle(alert: SecurityAlert): Promise<void>;
+}
+/**
+ * POSTs alerts to a configurable webhook URL for SIEM integration.
+ */
+declare class WebhookAlertHandler implements AlertHandler {
+    private url;
+    private headers;
+    /**
+     * Create a webhook alert handler.
+     *
+     * @param url - The webhook endpoint URL
+     * @param headers - Additional HTTP headers (e.g. authorization)
+     */
+    constructor(url: string, headers?: Record<string, string>);
+    /** POST the alert payload to the configured webhook URL. */
+    handle(alert: SecurityAlert): Promise<void>;
+}
+/**
+ * Evaluates audit events against threshold rules and dispatches alerts.
+ *
+ * Maintains an in-memory sliding window per rule/group key. When the
+ * event count within the window exceeds the threshold, an alert is
+ * dispatched to all configured handlers.
+ */
+declare class SecurityAlertService {
+    private config;
+    private windows;
+    /**
+     * Create a new SecurityAlertService.
+     *
+     * @param config - Alerting configuration with thresholds and handlers
+     */
+    constructor(config: AlertingConfig);
+    /**
+     * Evaluate a single audit event against all threshold rules.
+     * If a threshold is breached, dispatches alerts to all handlers.
+     *
+     * @param event - The audit event to evaluate
+     * @returns The alert that was dispatched, or null if no threshold was breached
+     */
+    evaluateEvent(event: AuditEvent): Promise<SecurityAlert | null>;
+    /**
+     * Clear all sliding window state. Useful for testing.
+     */
+    reset(): void;
+    /**
+     * Dispatch an alert to all configured handlers.
+     * Errors in individual handlers are logged but do not prevent
+     * other handlers from receiving the alert.
+     */
+    private dispatchAlert;
+}
+/**
+ * Authentication Utilities
+ *
+ * OAuth support, password hashing, and two-factor authentication.
+ * JWT-based auth was removed — session auth is handled by @revealui/auth.
+ */
+interface User {
+    id: string;
+    email: string;
+    username?: string;
+    roles: string[];
+    permissions: string[];
+    metadata?: Record<string, unknown>;
+}
+/**
+ * OAuth configuration
+ */
+interface OAuthConfig {
+    provider: 'google' | 'github' | 'microsoft' | 'custom';
+    clientId: string;
+    clientSecret: string;
+    redirectUri: string;
+    scope?: string[];
+    authorizationUrl?: string;
+    tokenUrl?: string;
+    userInfoUrl?: string;
+}
+/**
+ * OAuth provider configurations
+ */
+declare const OAuthProviders: {
+    google: {
+        authorizationUrl: string;
+        tokenUrl: string;
+        userInfoUrl: string;
+        scope: string[];
+    };
+    github: {
+        authorizationUrl: string;
+        tokenUrl: string;
+        userInfoUrl: string;
+        scope: string[];
+    };
+    microsoft: {
+        authorizationUrl: string;
+        tokenUrl: string;
+        userInfoUrl: string;
+        scope: string[];
+    };
+};
+/**
+ * OAuth client
+ */
+declare class OAuthClient {
+    private config;
+    constructor(config: OAuthConfig);
+    /**
+     * Get authorization URL
+     */
+    getAuthorizationUrl(state?: string): string;
+    /**
+     * Exchange code for token
+     */
+    exchangeCodeForToken(code: string): Promise<{
+        access_token: string;
+        refresh_token?: string;
+        expires_in: number;
+        token_type: string;
+    }>;
+    /**
+     * Get user info
+     */
+    getUserInfo(accessToken: string): Promise<{
+        id: string;
+        email: string;
+        name?: string;
+        picture?: string;
+    }>;
+}
+/**
+ * Hash password with PBKDF2 and random salt
+ */
+declare function hashPassword(password: string): Promise<string>;
+/**
+ * Verify password against stored hash
+ */
+declare function verifyPassword(password: string, storedHash: string): Promise<boolean>;
+declare const PasswordHasher: {
+    readonly hash: typeof hashPassword;
+    readonly verify: typeof verifyPassword;
+};
+/**
+ * Generate TOTP secret
+ */
+declare function generateSecret(): string;
+/**
+ * Generate TOTP code (RFC 6238 compliant).
+ * Secret is base32-encoded — decoded before HMAC.
+ * Counter is encoded as 8-byte big-endian — matches all standard authenticator apps.
+ */
+declare function generateCode(secret: string, timestamp?: number): string;
+/**
+ * Verify TOTP code
+ */
+declare function verifyCode(secret: string, code: string, window?: number): boolean;
+declare const TwoFactorAuth: {
+    readonly generateSecret: typeof generateSecret;
+    readonly generateCode: typeof generateCode;
+    readonly verifyCode: typeof verifyCode;
+};
+/**
+ * Authorization System
+ *
+ * Role-Based Access Control (RBAC) and Attribute-Based Access Control (ABAC)
+ */
+interface Permission {
+    resource: string;
+    action: string;
+    conditions?: Record<string, unknown>;
+}
+interface Role {
+    id: string;
+    name: string;
+    description?: string;
+    permissions: Permission[];
+    inherits?: string[];
+}
+interface Policy {
+    id: string;
+    name: string;
+    effect: 'allow' | 'deny';
+    resources: string[];
+    actions: string[];
+    conditions?: PolicyCondition[];
+    priority?: number;
+}
+interface PolicyCondition {
+    field: string;
+    operator: 'eq' | 'ne' | 'gt' | 'gte' | 'lt' | 'lte' | 'in' | 'contains';
+    value: unknown;
+}
+interface AuthorizationContext {
+    user: {
+        id: string;
+        roles: string[];
+        attributes?: Record<string, unknown>;
+    };
+    resource?: {
+        type: string;
+        id?: string;
+        owner?: string;
+        attributes?: Record<string, unknown>;
+    };
+    environment?: {
+        time?: Date;
+        ip?: string;
+        userAgent?: string;
+    };
+}
+/**
+ * Authorization system
+ */
+declare class AuthorizationSystem {
+    private roles;
+    private policies;
+    /**
+     * Register role
+     */
+    registerRole(role: Role): void;
+    /**
+     * Get role
+     */
+    getRole(roleId: string): Role | undefined;
+    /**
+     * Register policy
+     */
+    registerPolicy(policy: Policy): void;
+    /**
+     * Check if user has permission (RBAC)
+     */
+    hasPermission(userRoles: string[], resource: string, action: string): boolean;
+    /**
+     * Check access with policies (ABAC)
+     */
+    checkAccess(context: AuthorizationContext, resource: string, action: string): {
+        allowed: boolean;
+        reason?: string;
+    };
+    /**
+     * Get all permissions for roles
+     */
+    private getUserPermissions;
+    /**
+     * Get applicable policies
+     */
+    private getApplicablePolicies;
+    /**
+     * Match resource pattern
+     */
+    private matchesResource;
+    /**
+     * Match action pattern
+     */
+    private matchesAction;
+    /**
+     * Evaluate policy conditions
+     */
+    private evaluateConditions;
+    /**
+     * Get value from context
+     */
+    private getContextValue;
+    /**
+     * Evaluate single condition
+     */
+    private evaluateCondition;
+    /**
+     * Check if user owns resource
+     */
+    ownsResource(userId: string, resource: {
+        owner?: string;
+    }): boolean;
+    /**
+     * Clear all roles and policies
+     */
+    clear(): void;
+}
+/**
+ * Global authorization instance
+ */
+declare const authorization: AuthorizationSystem;
+/**
+ * Common roles — aligned with DB schema (`users.role` column)
+ * and `UserRoleSchema` in @revealui/contracts.
+ *
+ * Values: owner | admin | editor | viewer | agent | contributor
+ */
+declare const CommonRoles: Record<string, Role>;
+/**
+ * Permission builder
+ */
+declare class PermissionBuilder {
+    private permission;
+    resource(resource: string): this;
+    action(action: string): this;
+    conditions(conditions: Record<string, unknown>): this;
+    build(): Permission;
+}
+/**
+ * Policy builder
+ */
+declare class PolicyBuilder {
+    private policy;
+    id(id: string): this;
+    name(name: string): this;
+    allow(): this;
+    deny(): this;
+    resources(...resources: string[]): this;
+    actions(...actions: string[]): this;
+    condition(field: string, operator: PolicyCondition['operator'], value: unknown): this;
+    priority(priority: number): this;
+    build(): Policy;
+}
+/**
+ * Authorization decorators
+ */
+declare function RequirePermission(resource: string, action: string): (_target: object, _propertyKey: string, descriptor: PropertyDescriptor) => PropertyDescriptor;
+declare function RequireRole(requiredRole: string): (_target: object, _propertyKey: string, descriptor: PropertyDescriptor) => PropertyDescriptor;
+/**
+ * Authorization middleware
+ */
+declare function createAuthorizationMiddleware<TRequest = unknown>(getUser: (request: TRequest) => {
+    id: string;
+    roles: string[];
+}, resource: string, action: string): (request: TRequest, next: () => Promise<unknown>) => Promise<unknown>;
+/**
+ * Resource ownership check
+ */
+declare function canAccessResource(userId: string, userRoles: string[], resource: {
+    type: string;
+    id?: string;
+    owner?: string;
+}, action: string): boolean;
+/**
+ * Attribute-based access control helper
+ */
+declare function checkAttributeAccess(context: AuthorizationContext, resource: string, action: string, requiredAttributes?: Record<string, unknown>): boolean;
+/**
+ * Permission cache for performance
+ */
+declare class PermissionCache {
+    private cache;
+    private ttl;
+    private maxEntries;
+    constructor(ttl?: number, maxEntries?: number);
+    /**
+     * Get cached permission
+     */
+    get(userId: string, resource: string, action: string): boolean | undefined;
+    /**
+     * Set cached permission
+     */
+    set(userId: string, resource: string, action: string, allowed: boolean): void;
+    /**
+     * Clear cache for user
+     */
+    clearUser(userId: string): void;
+    /**
+     * Clear all cache
+     */
+    clear(): void;
+    /**
+     * Get cache key
+     */
+    private getCacheKey;
+}
+/**
+ * Global permission cache
+ */
+declare const permissionCache: PermissionCache;
+/**
+ * Encryption Utilities
+ *
+ * Data encryption for at-rest and in-transit protection
+ */
+interface EncryptionConfig {
+    algorithm: 'AES-GCM' | 'AES-CTR';
+    keySize: 128 | 192 | 256;
+    ivSize?: number;
+    /** Allow key export via exportKey(). Default: false (keys are non-extractable). */
+    extractable?: boolean;
+}
+interface EncryptedData {
+    data: string;
+    iv: string;
+    tag?: string;
+    algorithm: string;
+}
+/**
+ * Encryption system
+ */
+declare class EncryptionSystem {
+    private config;
+    private keys;
+    constructor(config?: Partial<EncryptionConfig>);
+    /**
+     * Generate encryption key
+     */
+    generateKey(keyId?: string): Promise<CryptoKey>;
+    /**
+     * Import key from raw data
+     */
+    importKey(keyData: ArrayBuffer, keyId?: string): Promise<CryptoKey>;
+    /**
+     * Export key to raw data
+     */
+    exportKey(key: CryptoKey): Promise<ArrayBuffer>;
+    /**
+     * Encrypt data
+     */
+    encrypt(data: string, keyOrId: CryptoKey | string): Promise<EncryptedData>;
+    /**
+     * Decrypt data
+     */
+    decrypt(encryptedData: EncryptedData, keyOrId: CryptoKey | string): Promise<string>;
+    /**
+     * Encrypt object
+     */
+    encryptObject<T extends Record<string, unknown>>(obj: T, keyOrId: CryptoKey | string): Promise<EncryptedData>;
+    /**
+     * Decrypt object
+     */
+    decryptObject<T extends Record<string, unknown>>(encryptedData: EncryptedData, keyOrId: CryptoKey | string): Promise<T>;
+    /**
+     * Hash data
+     */
+    hash(data: string, algorithm?: 'SHA-256' | 'SHA-384' | 'SHA-512'): Promise<string>;
+    /**
+     * Generate random bytes
+     */
+    randomBytes(length: number): Uint8Array;
+    /**
+     * Generate random string
+     */
+    randomString(length: number, charset?: string): string;
+    /**
+     * Convert ArrayBuffer to base64
+     */
+    private arrayBufferToBase64;
+    /**
+     * Convert base64 to ArrayBuffer
+     */
+    private base64ToArrayBuffer;
+    /**
+     * Store key
+     */
+    storeKey(keyId: string, key: CryptoKey): void;
+    /**
+     * Get key
+     */
+    getKey(keyId: string): CryptoKey | undefined;
+    /**
+     * Remove key
+     */
+    removeKey(keyId: string): void;
+    /**
+     * Clear all keys
+     */
+    clearKeys(): void;
+}
+/**
+ * Global encryption instance
+ */
+declare const encryption: EncryptionSystem;
+/**
+ * Field-level encryption
+ */
+declare class FieldEncryption {
+    private encryption;
+    private key;
+    constructor(encryption: EncryptionSystem);
+    /**
+     * Initialize with key
+     */
+    initialize(key: CryptoKey): Promise<void>;
+    /**
+     * Encrypt field
+     */
+    encryptField(value: unknown): Promise<EncryptedData>;
+    /**
+     * Decrypt field
+     */
+    decryptField(encryptedData: EncryptedData): Promise<unknown>;
+    /**
+     * Encrypt object fields
+     */
+    encryptFields<T extends Record<string, unknown>>(obj: T, fields: (keyof T)[]): Promise<T>;
+    /**
+     * Decrypt object fields
+     */
+    decryptFields<T extends Record<string, unknown>>(obj: T, fields: (keyof T)[]): Promise<T>;
+}
+/**
+ * Key rotation
+ */
+declare class KeyRotationManager {
+    private encryption;
+    private currentKeyId;
+    private oldKeys;
+    private keyCreationDates;
+    constructor(encryption: EncryptionSystem, initialKeyId: string);
+    /**
+     * Rotate to new key
+     */
+    rotate(newKeyId: string, newKey: CryptoKey): Promise<void>;
+    /**
+     * Re-encrypt data with new key
+     */
+    reencrypt(encryptedData: EncryptedData, oldKeyId: string): Promise<EncryptedData>;
+    /**
+     * Get current key ID
+     */
+    getCurrentKeyId(): string;
+    /**
+     * Clean up old keys created before the specified date.
+     * Never removes the current active key.
+     */
+    cleanupOldKeys(olderThan: Date): void;
+}
+/**
+ * Envelope encryption for large data
+ */
+declare class EnvelopeEncryption {
+    private encryption;
+    private masterKey;
+    constructor(encryption: EncryptionSystem, masterKey: CryptoKey);
+    /**
+     * Encrypt with envelope encryption
+     */
+    encrypt(data: string): Promise<{
+        encryptedData: EncryptedData;
+        encryptedKey: EncryptedData;
+    }>;
+    /**
+     * Decrypt with envelope encryption
+     */
+    decrypt(encryptedData: EncryptedData, encryptedKey: EncryptedData): Promise<string>;
+    private arrayBufferToBase64;
+    private base64ToArrayBuffer;
+}
+/**
+ * Data masking utilities
+ */
+/**
+ * Mask email
+ */
+declare function maskEmail(email: string): string;
+/**
+ * Mask phone number
+ */
+declare function maskPhone(phone: string): string;
+/**
+ * Mask credit card
+ */
+declare function maskCreditCard(card: string): string;
+/**
+ * Mask SSN
+ */
+declare function maskSSN(ssn: string): string;
+/**
+ * Mask string (keep first and last character)
+ */
+declare function maskString(str: string, keepChars?: number): string;
+declare const DataMasking: {
+    readonly maskEmail: typeof maskEmail;
+    readonly maskPhone: typeof maskPhone;
+    readonly maskCreditCard: typeof maskCreditCard;
+    readonly maskSSN: typeof maskSSN;
+    readonly maskString: typeof maskString;
+};
+/**
+ * Secure random token generator
+ */
+/**
+ * Generate secure token. `length` is the number of random bytes;
+ * the returned string is hex-encoded, so it will be `length * 2` characters.
+ */
+declare function generateToken(length?: number): string;
+/**
+ * Generate UUID v4
+ */
+declare function generateUUID(): string;
+/**
+ * Generate API key
+ */
+declare function generateAPIKey(prefix?: string): string;
+/**
+ * Generate session ID
+ */
+declare function generateSessionID(): string;
+declare const TokenGenerator: {
+    readonly generate: typeof generateToken;
+    readonly generateUUID: typeof generateUUID;
+    readonly generateAPIKey: typeof generateAPIKey;
+    readonly generateSessionID: typeof generateSessionID;
+};
+/**
+ * GDPR Storage Abstraction
+ *
+ * Record-oriented storage interface for GDPR compliance data.
+ * Provides a clean seam for replacing the default in-memory implementation
+ * with a database-backed store in production.
+ */
+/**
+ * Storage interface for GDPR consent records and deletion requests.
+ *
+ * All methods are async to support database-backed implementations.
+ * The default `InMemoryGDPRStorage` is suitable for testing and development
+ * but must be replaced with a persistent store for production use.
+ */
+interface GDPRStorage {
+    /**
+     * Store or update a consent record, keyed by `userId:consentType`.
+     */
+    setConsent(userId: string, type: ConsentType, record: ConsentRecord): Promise<void>;
+    /**
+     * Retrieve a consent record by user and type. Returns `undefined` if not found.
+     */
+    getConsent(userId: string, type: ConsentType): Promise<ConsentRecord | undefined>;
+    /**
+     * Retrieve all consent records for a given user.
+     */
+    getConsentsByUser(userId: string): Promise<ConsentRecord[]>;
+    /**
+     * Retrieve every consent record in storage (used for aggregate statistics).
+     */
+    getAllConsents(): Promise<ConsentRecord[]>;
+    /**
+     * Store a deletion request, keyed by its `id`.
+     */
+    setDeletionRequest(request: DataDeletionRequest): Promise<void>;
+    /**
+     * Retrieve a deletion request by ID. Returns `undefined` if not found.
+     */
+    getDeletionRequest(requestId: string): Promise<DataDeletionRequest | undefined>;
+    /**
+     * Retrieve all deletion requests for a given user.
+     */
+    getDeletionRequestsByUser(userId: string): Promise<DataDeletionRequest[]>;
+}
+/**
+ * Storage interface for data breach records.
+ *
+ * All methods are async to support database-backed implementations.
+ * The default `InMemoryBreachStorage` is suitable for testing and development
+ * but must be replaced with a persistent store for production GDPR compliance.
+ */
+interface BreachStorage {
+    /**
+     * Store a data breach record.
+     */
+    setBreach(breach: DataBreach): Promise<void>;
+    /**
+     * Retrieve a breach by ID. Returns `undefined` if not found.
+     */
+    getBreach(id: string): Promise<DataBreach | undefined>;
+    /**
+     * Retrieve all breach records.
+     */
+    getAllBreaches(): Promise<DataBreach[]>;
+    /**
+     * Update an existing breach record (e.g., status change, add mitigation).
+     */
+    updateBreach(id: string, updates: Partial<DataBreach>): Promise<void>;
+}
+/**
+ * In-memory implementation of `BreachStorage`.
+ *
+ * WARNING: All data is lost on process restart or serverless cold start.
+ * GDPR requires breach records be retained — use database-backed storage in production.
+ */
+declare class InMemoryBreachStorage implements BreachStorage {
+    private breaches;
+    setBreach(breach: DataBreach): Promise<void>;
+    getBreach(id: string): Promise<DataBreach | undefined>;
+    getAllBreaches(): Promise<DataBreach[]>;
+    updateBreach(id: string, updates: Partial<DataBreach>): Promise<void>;
+}
+/**
+ * In-memory implementation of `GDPRStorage`.
+ *
+ * WARNING: All data is lost on process restart or serverless cold start.
+ * Use this only for development, testing, or as a reference implementation.
+ * Production deployments MUST supply a database-backed `GDPRStorage`.
+ */
+declare class InMemoryGDPRStorage implements GDPRStorage {
+    private consents;
+    private deletionRequests;
+    setConsent(userId: string, type: ConsentType, record: ConsentRecord): Promise<void>;
+    getConsent(userId: string, type: ConsentType): Promise<ConsentRecord | undefined>;
+    getConsentsByUser(userId: string): Promise<ConsentRecord[]>;
+    getAllConsents(): Promise<ConsentRecord[]>;
+    setDeletionRequest(request: DataDeletionRequest): Promise<void>;
+    getDeletionRequest(requestId: string): Promise<DataDeletionRequest | undefined>;
+    getDeletionRequestsByUser(userId: string): Promise<DataDeletionRequest[]>;
+}
+/**
+ * GDPR Compliance Utilities
+ *
+ * Data privacy, consent management, data export, and right to be forgotten
+ */
+type ConsentType = 'necessary' | 'functional' | 'analytics' | 'marketing' | 'personalization';
+type DataCategory = 'personal' | 'sensitive' | 'financial' | 'health' | 'behavioral' | 'location';
+interface ConsentRecord {
+    id: string;
+    userId: string;
+    type: ConsentType;
+    granted: boolean;
+    timestamp: string;
+    expiresAt?: string;
+    source: 'explicit' | 'implicit' | 'legitimate_interest';
+    version: string;
+    metadata?: Record<string, unknown>;
+}
+interface DataProcessingPurpose {
+    id: string;
+    name: string;
+    description: string;
+    legalBasis: 'consent' | 'contract' | 'legal_obligation' | 'vital_interest' | 'public_interest' | 'legitimate_interest';
+    dataCategories: DataCategory[];
+    retentionPeriod: number;
+    consentRequired: boolean;
+}
+interface PersonalDataExport {
+    userId: string;
+    exportedAt: string;
+    data: {
+        profile: Record<string, unknown>;
+        activities: Record<string, unknown>[];
+        consents: ConsentRecord[];
+        dataProcessing: DataProcessingPurpose[];
+    };
+    format: 'json' | 'csv' | 'pdf';
+}
+interface DataDeletionRequest {
+    id: string;
+    userId: string;
+    requestedAt: string;
+    processedAt?: string;
+    status: 'pending' | 'processing' | 'completed' | 'failed';
+    dataCategories: DataCategory[];
+    reason?: string;
+    retainedData?: string[];
+    deletedData?: string[];
+}
+/**
+ * Consent management system
+ */
+declare class ConsentManager {
+    private readonly storage;
+    private consentVersion;
+    constructor(storage: GDPRStorage);
+    /**
+     * Grant consent
+     */
+    grantConsent(userId: string, type: ConsentType, source?: ConsentRecord['source'], expiresIn?: number): Promise<ConsentRecord>;
+    /**
+     * Revoke consent
+     */
+    revokeConsent(userId: string, type: ConsentType): Promise<void>;
+    /**
+     * Check if consent is granted
+     */
+    hasConsent(userId: string, type: ConsentType): Promise<boolean>;
+    /**
+     * Get all consents for user
+     */
+    getUserConsents(userId: string): Promise<ConsentRecord[]>;
+    /**
+     * Update consent version
+     */
+    setConsentVersion(version: string): void;
+    /**
+     * Check if consent needs renewal
+     */
+    needsRenewal(userId: string, type: ConsentType, maxAge: number): Promise<boolean>;
+    /**
+     * Get consent statistics
+     */
+    getStatistics(): Promise<{
+        total: number;
+        granted: number;
+        revoked: number;
+        expired: number;
+        byType: Record<ConsentType, number>;
+    }>;
+}
+/**
+ * Data export system
+ */
+declare class DataExportSystem {
+    /**
+     * Export user data
+     */
+    exportUserData(userId: string, getUserData: (userId: string) => Promise<{
+        profile: Record<string, unknown>;
+        activities: Record<string, unknown>[];
+        consents: ConsentRecord[];
+    }>, format?: PersonalDataExport['format']): Promise<PersonalDataExport>;
+    /**
+     * Format export as JSON
+     */
+    formatAsJSON(exportData: PersonalDataExport): string;
+    /**
+     * Format export as CSV
+     */
+    formatAsCSV(exportData: PersonalDataExport): string;
+    /**
+     * Create download link
+     */
+    createDownloadLink(content: string, _filename: string, mimeType: string): string;
+}
+/**
+ * Data deletion system (Right to be Forgotten)
+ */
+declare class DataDeletionSystem {
+    private readonly storage;
+    constructor(storage: GDPRStorage);
+    /**
+     * Request data deletion
+     */
+    requestDeletion(userId: string, dataCategories: DataCategory[], reason?: string): Promise<DataDeletionRequest>;
+    /**
+     * Process deletion request
+     */
+    processDeletion(requestId: string, deleteData: (userId: string, categories: DataCategory[]) => Promise<{
+        deleted: string[];
+        retained: string[];
+    }>): Promise<void>;
+    /**
+     * Get deletion request
+     */
+    getRequest(requestId: string): Promise<DataDeletionRequest | undefined>;
+    /**
+     * Get user deletion requests
+     */
+    getUserRequests(userId: string): Promise<DataDeletionRequest[]>;
+    /**
+     * Check if data can be deleted
+     */
+    canDelete(_dataCategory: DataCategory, legalBasis: DataProcessingPurpose['legalBasis']): boolean;
+    /**
+     * Calculate retention period
+     */
+    calculateRetentionEnd(createdAt: Date, retentionPeriod: number): Date;
+    /**
+     * Check if data should be deleted (retention period expired)
+     */
+    shouldDelete(createdAt: Date, retentionPeriod: number): boolean;
+}
+/**
+ * Data anonymization utilities
+ */
+/**
+ * Hash value (irreversible) using SHA-256
+ */
+declare function hashValue(value: string): string;
+/**
+ * Anonymize user data
+ */
+declare function anonymizeUser(user: Record<string, unknown>): Record<string, unknown>;
+/**
+ * Pseudonymize data (one-way, key-dependent)
+ *
+ * Uses HMAC-SHA256 — cryptographically bound to the key, resistant to
+ * length-extension attacks and GPU brute-force (unlike plain SHA-256).
+ */
+declare function pseudonymize(value: string, key: string): string;
+/**
+ * Anonymize dataset
+ */
+declare function anonymizeDataset<T extends Record<string, unknown>>(data: T[], sensitiveFields: (keyof T)[]): T[];
+/**
+ * K-anonymity check
+ */
+declare function checkKAnonymity<T extends Record<string, unknown>>(data: T[], quasiIdentifiers: (keyof T)[], k: number): boolean;
+declare const DataAnonymization: {
+    readonly anonymizeUser: typeof anonymizeUser;
+    readonly pseudonymize: typeof pseudonymize;
+    readonly hashValue: typeof hashValue;
+    readonly anonymizeDataset: typeof anonymizeDataset;
+    readonly checkKAnonymity: typeof checkKAnonymity;
+};
+/**
+ * Privacy policy manager
+ */
+declare class PrivacyPolicyManager {
+    private policies;
+    private currentVersion;
+    /**
+     * Add policy version
+     */
+    addPolicy(version: string, content: string, effectiveDate: Date): void;
+    /**
+     * Get current policy
+     */
+    getCurrentPolicy(): {
+        version: string;
+        content: string;
+        effectiveDate: Date;
+    } | undefined;
+    /**
+     * Get policy by version
+     */
+    getPolicy(version: string): {
+        version: string;
+        content: string;
+        effectiveDate: Date;
+    } | undefined;
+    /**
+     * Check if user accepted current policy
+     */
+    hasAcceptedCurrent(userAcceptedVersion: string): boolean;
+    /**
+     * Get all versions
+     */
+    getAllVersions(): string[];
+}
+/**
+ * Cookie consent banner
+ */
+interface CookieConsentConfig {
+    necessary: boolean;
+    functional: boolean;
+    analytics: boolean;
+    marketing: boolean;
+}
+declare class CookieConsentManager {
+    private config;
+    /**
+     * Set consent configuration
+     */
+    setConsent(config: Partial<CookieConsentConfig>): void;
+    /**
+     * Get consent configuration
+     */
+    getConsent(): CookieConsentConfig;
+    /**
+     * Check if specific consent is granted
+     */
+    hasConsent(type: keyof CookieConsentConfig): boolean;
+    /**
+     * Save to storage
+     */
+    private saveToStorage;
+    /**
+     * Load from storage
+     */
+    loadFromStorage(): void;
+    /**
+     * Clear consent
+     */
+    clearConsent(): void;
+}
+/**
+ * Data breach notification system
+ */
+interface DataBreach {
+    id: string;
+    detectedAt: string;
+    reportedAt?: string;
+    type: 'unauthorized_access' | 'data_loss' | 'data_leak' | 'system_compromise';
+    severity: 'low' | 'medium' | 'high' | 'critical';
+    affectedUsers: string[];
+    dataCategories: DataCategory[];
+    description: string;
+    mitigation?: string;
+    status: 'detected' | 'investigating' | 'notified' | 'resolved';
+}
+declare class DataBreachManager {
+    private readonly storage;
+    constructor(storage: BreachStorage);
+    /**
+     * Report data breach
+     */
+    reportBreach(breach: Omit<DataBreach, 'id' | 'detectedAt' | 'status'>): Promise<DataBreach>;
+    /**
+     * Notify authorities (required within 72 hours under GDPR)
+     */
+    notifyAuthorities(breach: DataBreach): Promise<void>;
+    /**
+     * Notify affected users
+     */
+    notifyAffectedUsers(breachId: string, notifyFn: (userId: string, breach: DataBreach) => Promise<void>): Promise<void>;
+    /**
+     * Check if breach notification is required
+     */
+    requiresNotification(breach: DataBreach): boolean;
+    /**
+     * Get breach
+     */
+    getBreach(id: string): Promise<DataBreach | undefined>;
+    /**
+     * Get all breaches
+     */
+    getAllBreaches(): Promise<DataBreach[]>;
+}
+/**
+ * Factory functions for GDPR subsystems.
+ *
+ * `ConsentManager` and `DataDeletionSystem` require a `GDPRStorage` implementation.
+ * Use `InMemoryGDPRStorage` only in tests — production MUST use a database-backed store.
+ *
+ * `DataExportSystem`, `PrivacyPolicyManager`, `CookieConsentManager`, and
+ * `DataBreachManager` are stateless or client-side only, so singletons are safe.
+ */
+declare function createConsentManager(storage: GDPRStorage): ConsentManager;
+declare function createDataDeletionSystem(storage: GDPRStorage): DataDeletionSystem;
+declare const dataExportSystem: DataExportSystem;
+declare const privacyPolicyManager: PrivacyPolicyManager;
+declare const cookieConsentManager: CookieConsentManager;
+declare function createDataBreachManager(storage: BreachStorage): DataBreachManager;
+/**
+ * Security Headers and CORS Configuration
+ *
+ * HTTP security headers and CORS policy management
+ */
+interface SecurityHeadersConfig {
+    contentSecurityPolicy?: string | ContentSecurityPolicyConfig;
+    strictTransportSecurity?: boolean | HSTSConfig;
+    xFrameOptions?: 'DENY' | 'SAMEORIGIN' | string;
+    xContentTypeOptions?: boolean;
+    referrerPolicy?: ReferrerPolicyValue;
+    permissionsPolicy?: string | PermissionsPolicyConfig;
+    crossOriginEmbedderPolicy?: 'require-corp' | 'credentialless';
+    crossOriginOpenerPolicy?: 'same-origin' | 'same-origin-allow-popups' | 'unsafe-none';
+    crossOriginResourcePolicy?: 'same-origin' | 'same-site' | 'cross-origin';
+}
+interface ContentSecurityPolicyConfig {
+    defaultSrc?: string[];
+    scriptSrc?: string[];
+    styleSrc?: string[];
+    imgSrc?: string[];
+    fontSrc?: string[];
+    connectSrc?: string[];
+    frameSrc?: string[];
+    objectSrc?: string[];
+    mediaSrc?: string[];
+    workerSrc?: string[];
+    childSrc?: string[];
+    formAction?: string[];
+    frameAncestors?: string[];
+    baseUri?: string[];
+    manifestSrc?: string[];
+    upgradeInsecureRequests?: boolean;
+    blockAllMixedContent?: boolean;
+    reportUri?: string;
+    reportTo?: string;
+}
+interface HSTSConfig {
+    maxAge: number;
+    includeSubDomains?: boolean;
+    preload?: boolean;
+}
+type ReferrerPolicyValue = 'no-referrer' | 'no-referrer-when-downgrade' | 'origin' | 'origin-when-cross-origin' | 'same-origin' | 'strict-origin' | 'strict-origin-when-cross-origin' | 'unsafe-url';
+interface PermissionsPolicyConfig {
+    accelerometer?: string[];
+    ambientLightSensor?: string[];
+    autoplay?: string[];
+    battery?: string[];
+    camera?: string[];
+    displayCapture?: string[];
+    documentDomain?: string[];
+    encryptedMedia?: string[];
+    fullscreen?: string[];
+    geolocation?: string[];
+    gyroscope?: string[];
+    magnetometer?: string[];
+    microphone?: string[];
+    midi?: string[];
+    payment?: string[];
+    pictureInPicture?: string[];
+    publicKeyCredentials?: string[];
+    screenWakeLock?: string[];
+    syncXhr?: string[];
+    usb?: string[];
+    webShare?: string[];
+    xrSpatialTracking?: string[];
+}
+interface CORSConfig {
+    origin?: string | string[] | ((origin: string) => boolean);
+    methods?: string[];
+    allowedHeaders?: string[];
+    exposedHeaders?: string[];
+    credentials?: boolean;
+    maxAge?: number;
+    preflightContinue?: boolean;
+    optionsSuccessStatus?: number;
+}
+/**
+ * Security headers manager
+ */
+declare class SecurityHeaders {
+    private config;
+    constructor(config?: SecurityHeadersConfig);
+    /**
+     * Get all security headers
+     */
+    getHeaders(): Record<string, string>;
+    /**
+     * Build Content Security Policy header
+     */
+    private buildCSP;
+    /**
+     * Build HSTS header
+     */
+    private buildHSTS;
+    /**
+     * Build Permissions-Policy header
+     */
+    private buildPermissionsPolicy;
+    /**
+     * Apply headers to response
+     */
+    applyHeaders(response: Response): Response;
+}
+/**
+ * CORS manager
+ */
+declare class CORSManager {
+    private config;
+    constructor(config?: CORSConfig);
+    /**
+     * Check if origin is allowed
+     */
+    isOriginAllowed(origin: string): boolean;
+    /**
+     * Get CORS headers
+     */
+    getCORSHeaders(origin: string): Record<string, string>;
+    /**
+     * Get preflight headers
+     */
+    getPreflightHeaders(origin: string): Record<string, string>;
+    /**
+     * Handle CORS request
+     */
+    handleRequest(request: Request): Response | null;
+    /**
+     * Handle preflight request
+     */
+    handlePreflight(_request: Request, origin: string): Response;
+    /**
+     * Apply CORS headers to response
+     */
+    applyHeaders(response: Response, origin: string): Response;
+}
+/**
+ * Common security header presets
+ */
+declare const SecurityPresets: {
+    /**
+     * Strict security (recommended for production)
+     */
+    strict: () => SecurityHeadersConfig;
+    /**
+     * Moderate security (balanced)
+     */
+    moderate: () => SecurityHeadersConfig;
+    /**
+     * Development (permissive)
+     */
+    development: () => SecurityHeadersConfig;
+};
+/**
+ * Common CORS presets
+ */
+declare const CORSPresets: {
+    /**
+     * Strict CORS (same origin only)
+     */
+    strict: () => CORSConfig;
+    /**
+     * Moderate CORS (specific origins)
+     */
+    moderate: (allowedOrigins: string[]) => CORSConfig;
+    /**
+     * Permissive CORS (all origins) — development only.
+     * Logs a warning if used when NODE_ENV === 'production'.
+     */
+    permissive: () => CORSConfig;
+    /**
+     * API CORS (public read-only APIs) — credentials disabled.
+     * Logs a warning if used when NODE_ENV === 'production'.
+     */
+    api: () => CORSConfig;
+};
+/**
+ * Security middleware creator
+ */
+declare function createSecurityMiddleware(securityConfig?: SecurityHeadersConfig, corsConfig?: CORSConfig): (request: Request, next: () => Promise<Response>) => Promise<Response>;
+/**
+ * Rate limiting headers
+ */
+declare function setRateLimitHeaders(response: Response, limit: number, remaining: number, reset: number): void;
+/**
+ * Internal logger for @revealui/security.
+ *
+ * Defaults to `console`. Consumers should call `configureSecurityLogger()`
+ * to supply a structured logger (e.g. from `@revealui/utils/logger`).
+ */
+interface SecurityLogger {
+    warn(message: string, ...args: unknown[]): void;
+    error(message: string, ...args: unknown[]): void;
+    info(message: string, ...args: unknown[]): void;
+    debug(message: string, ...args: unknown[]): void;
+}
+/**
+ * Replace the default console logger with a structured logger.
+ */
+declare function configureSecurityLogger(logger: SecurityLogger): void;
+export { type AlertHandler, type AlertingConfig, AuditAlertHandler, type AuditEvent, type AuditEventType, type AuditQuery, AuditReportGenerator, type AuditSeverity, type AuditStorage, AuditSystem, AuditTrail, type AuthorizationContext, AuthorizationSystem, type BreachStorage, type CORSConfig, CORSManager, CORSPresets, CommonRoles, ConsentManager, type ConsentRecord, type ConsentType, type ContentSecurityPolicyConfig, type CookieConsentConfig, CookieConsentManager, DEFAULT_THRESHOLDS, DataAnonymization, type DataBreach, DataBreachManager, type DataCategory, type DataDeletionRequest, DataDeletionSystem, DataExportSystem, DataMasking, type DataProcessingPurpose, type EncryptedData, type EncryptionConfig, EncryptionSystem, EnvelopeEncryption, FieldEncryption, type GDPRStorage, type HSTSConfig, InMemoryAuditStorage, InMemoryBreachStorage, InMemoryGDPRStorage, KeyRotationManager, LogAlertHandler, OAuthClient, type OAuthConfig, OAuthProviders, PasswordHasher, type Permission, PermissionBuilder, PermissionCache, type PermissionsPolicyConfig, type PersonalDataExport, type Policy, PolicyBuilder, type PolicyCondition, PrivacyPolicyManager, type ReferrerPolicyValue, RequirePermission, RequireRole, type Role, type SecurityAlert, SecurityAlertService, SecurityHeaders, type SecurityHeadersConfig, type SecurityLogger, SecurityPresets, type ThresholdRule, TokenGenerator, TwoFactorAuth, type User, WebhookAlertHandler, audit, authorization, canAccessResource, checkAttributeAccess, configureSecurityLogger, cookieConsentManager, createAuditMiddleware, createAuthorizationMiddleware, createConsentManager, createDataBreachManager, createDataDeletionSystem, createSecurityMiddleware, dataExportSystem, encryption, permissionCache, privacyPolicyManager, setRateLimitHeaders, signAuditEntry, verifyAuditEntry };