@revealui/security 0.0.1-pre.0

package/dist/index.js

@@ -0,0 +1,1841 @@
+// src/SecurityValidation.ts
+import { z } from "zod";
+var EnvironmentSchema = z.object({
+  PAYLOAD_SECRET: z.string().min(32, "PAYLOAD_SECRET must be at least 32 characters"),
+  MCP_ENCRYPTION_KEY: z.string().min(64, "MCP_ENCRYPTION_KEY must be at least 64 characters"),
+  TURSO_URL: z.string().url().optional(),
+  TURSO_AUTH_TOKEN: z.string().optional(),
+  SUPPORT_EMAIL: z.string().email().optional()
+});
+var RATE_LIMITS = {
+  CHAT: { windowMs: 60 * 1e3, maxRequests: 10 },
+  // 10 requests per minute
+  CONTENT: { windowMs: 60 * 1e3, maxRequests: 5 },
+  // 5 requests per minute
+  CONTACT: { windowMs: 15 * 60 * 1e3, maxRequests: 3 },
+  // 3 requests per 15 minutes
+  RECOMMENDATIONS: { windowMs: 60 * 1e3, maxRequests: 20 }
+  // 20 requests per minute
+};
+var rateLimitStore = /* @__PURE__ */ new Map();
+async function validateEnvironment() {
+  const validation = EnvironmentSchema.safeParse(process.env);
+  if (!validation.success) {
+    const errors = validation.error.issues.map((issue) => `${issue.path.join(".")}: ${issue.message}`).join(", ");
+    throw new Error(`Environment validation failed: ${errors}`);
+  }
+}
+async function checkRateLimit(key, config) {
+  const now = Date.now();
+  for (const [k, v] of rateLimitStore.entries()) {
+    if (v.resetTime < now) {
+      rateLimitStore.delete(k);
+    }
+  }
+  const entry = rateLimitStore.get(key);
+  if (!entry || entry.resetTime < now) {
+    rateLimitStore.set(key, { count: 1, resetTime: now + config.windowMs });
+    return {
+      allowed: true,
+      remaining: config.maxRequests - 1,
+      resetTime: now + config.windowMs
+    };
+  }
+  if (entry.count >= config.maxRequests) {
+    return {
+      allowed: false,
+      remaining: 0,
+      resetTime: entry.resetTime
+    };
+  }
+  entry.count++;
+  rateLimitStore.set(key, entry);
+  return {
+    allowed: true,
+    remaining: config.maxRequests - entry.count,
+    resetTime: entry.resetTime
+  };
+}
+function generateRateLimitKey(userId, action) {
+  return `rate_limit:${action}:${userId}`;
+}
+function generateIPRateLimitKey(ip, action) {
+  return `rate_limit:${action}:ip:${ip}`;
+}
+async function validateCSRFToken(token, sessionToken) {
+  return token === sessionToken && token.length > 0;
+}
+function sanitizeInput(input) {
+  return input.replace(/<script\b[^<]*(?:(?!<\/script>)<[^<]*)*<\/script>/gi, "").replace(/on\w+\s*=\s*["'][^"']*["']/gi, "").replace(/javascript:/gi, "").trim();
+}
+function validateAndSanitizeInput(input, schema) {
+  try {
+    const validation = schema.safeParse(input);
+    if (!validation.success) {
+      return {
+        success: false,
+        error: validation.error.issues.map((i) => i.message).join(", ")
+      };
+    }
+    const sanitized = sanitizeObject(validation.data);
+    return {
+      success: true,
+      data: sanitized
+    };
+  } catch (error) {
+    return {
+      success: false,
+      error: error instanceof Error ? error.message : "Validation failed"
+    };
+  }
+}
+function sanitizeObject(obj) {
+  if (typeof obj === "string") {
+    return sanitizeInput(obj);
+  }
+  if (Array.isArray(obj)) {
+    return obj.map(sanitizeObject);
+  }
+  if (obj && typeof obj === "object") {
+    const sanitized = {};
+    for (const [key, value] of Object.entries(obj)) {
+      sanitized[key] = sanitizeObject(value);
+    }
+    return sanitized;
+  }
+  return obj;
+}
+var SECURITY_HEADERS = {
+  "X-Content-Type-Options": "nosniff",
+  "X-Frame-Options": "DENY",
+  "X-XSS-Protection": "1; mode=block",
+  "Referrer-Policy": "strict-origin-when-cross-origin",
+  "Permissions-Policy": "camera=(), microphone=(), geolocation=()"
+};
+function logSecurityEvent(event, details, severity = "medium") {
+  console.log(`[SECURITY-${severity.toUpperCase()}] ${event}:`, {
+    timestamp: (/* @__PURE__ */ new Date()).toISOString(),
+    severity,
+    ...details
+  });
+}
+
+// src/RateLimiterService.ts
+var devLogger = {
+  debug: (...args) => console.debug("[security]", ...args),
+  info: (...args) => console.log("[security]", ...args),
+  warn: (...args) => console.warn("[security]", ...args),
+  error: (...args) => console.error("[security]", ...args),
+  forService: (_name) => ({
+    debug: (...args) => console.debug("[security]", ...args),
+    info: (...args) => console.log("[security]", ...args),
+    warn: (...args) => console.warn("[security]", ...args),
+    error: (...args) => console.error("[security]", ...args)
+  })
+};
+var RateLimiterService = class {
+  config;
+  inMemoryStore = /* @__PURE__ */ new Map();
+  cleanupInterval = null;
+  constructor(config) {
+    this.config = {
+      windowMs: config.windowMs ?? 15 * 60 * 1e3,
+      // 15 minutes
+      maxRequests: config.maxRequests ?? 100,
+      skipSuccessfulRequests: config.skipSuccessfulRequests ?? false,
+      skipFailedRequests: config.skipFailedRequests ?? false,
+      standardHeaders: config.standardHeaders ?? true,
+      legacyHeaders: config.legacyHeaders ?? false
+    };
+    this.startCleanupInterval();
+  }
+  setPayload(_payload) {
+  }
+  /**
+   * Check rate limit using token bucket algorithm
+   */
+  checkTokenBucket(key, tokens = 1, capacity = 10, refillRate = 1, refillTime = 100) {
+    try {
+      const now = Date.now();
+      const bucketKey = `rate_limit:token_bucket:${key}`;
+      const current = this.inMemoryStore.get(bucketKey);
+      let currentTokens = capacity;
+      let lastRefill = now;
+      if (current) {
+        currentTokens = current.count;
+        lastRefill = current.lastRequestTime;
+      }
+      const timePassed = now - lastRefill;
+      const refillAmount = Math.floor(timePassed / refillTime) * refillRate;
+      currentTokens = Math.min(capacity, currentTokens + refillAmount);
+      if (currentTokens >= tokens) {
+        currentTokens = currentTokens - tokens;
+        this.inMemoryStore.set(bucketKey, {
+          count: currentTokens,
+          resetTime: now + refillTime,
+          lastRequestTime: now
+        });
+        devLogger.debug("Rate limit check", {
+          key,
+          algorithm: "token_bucket",
+          allowed: true,
+          remaining: currentTokens,
+          resetTime: now + refillTime,
+          tokens,
+          capacity,
+          refillRate
+        });
+        return {
+          allowed: true,
+          remaining: currentTokens,
+          resetTime: now + refillTime
+        };
+      }
+      const resetTime = lastRefill + refillTime;
+      devLogger.warn("Rate limit blocked", {
+        key,
+        algorithm: "token_bucket",
+        remaining: currentTokens,
+        resetTime,
+        tokens
+      });
+      return {
+        allowed: false,
+        remaining: currentTokens,
+        resetTime,
+        retryAfter: Math.ceil((resetTime - now) / 1e3)
+      };
+    } catch (error) {
+      devLogger.error("Rate limiter error", error instanceof Error ? error : void 0, {
+        key,
+        algorithm: "token_bucket",
+        error: error instanceof Error ? error.message : "Unknown error"
+      });
+      return {
+        allowed: true,
+        remaining: capacity,
+        resetTime: Date.now() + refillTime
+      };
+    }
+  }
+  /**
+   * Check rate limit using sliding window algorithm
+   */
+  checkSlidingWindow(key, windowMs = this.config.windowMs, maxRequests = this.config.maxRequests) {
+    try {
+      const now = Date.now();
+      const windowKey = `rate_limit:sliding_window:${key}`;
+      const current = this.inMemoryStore.get(windowKey);
+      let requests = [];
+      if (current) {
+        requests = [current.count];
+      }
+      const windowStart = now - windowMs;
+      requests = requests.filter((timestamp) => timestamp >= windowStart);
+      if (requests.length < maxRequests) {
+        requests.push(now);
+        this.inMemoryStore.set(windowKey, {
+          count: requests.length,
+          resetTime: now + windowMs,
+          lastRequestTime: now
+        });
+        devLogger.debug("Rate limit check", {
+          key,
+          algorithm: "sliding_window",
+          allowed: true,
+          remaining: maxRequests - requests.length,
+          resetTime: now + windowMs
+        });
+        return {
+          allowed: true,
+          remaining: maxRequests - requests.length,
+          resetTime: now + windowMs
+        };
+      }
+      const oldest = Math.min(...requests);
+      const resetTime = oldest + windowMs;
+      devLogger.warn("Rate limit blocked", {
+        key,
+        algorithm: "sliding_window",
+        remaining: 0,
+        resetTime
+      });
+      return {
+        allowed: false,
+        remaining: 0,
+        resetTime,
+        retryAfter: Math.ceil((resetTime - now) / 1e3)
+      };
+    } catch (error) {
+      devLogger.error("Rate limiter error", error instanceof Error ? error : void 0, {
+        key,
+        algorithm: "sliding_window",
+        error: error instanceof Error ? error.message : "Unknown error"
+      });
+      return {
+        allowed: true,
+        remaining: maxRequests,
+        resetTime: Date.now() + windowMs
+      };
+    }
+  }
+  /**
+   * Check rate limit using leaky bucket algorithm
+   */
+  checkLeakyBucket(key, capacity = 10, leakRate = 1, leakTime = 100) {
+    try {
+      const now = Date.now();
+      const bucketKey = `rate_limit:leaky_bucket:${key}`;
+      const current = this.inMemoryStore.get(bucketKey);
+      let currentLevel = 0;
+      let lastLeak = now;
+      if (current) {
+        currentLevel = current.count;
+        lastLeak = current.lastRequestTime;
+      }
+      const timePassed = now - lastLeak;
+      const leakAmount = Math.floor(timePassed / leakTime) * leakRate;
+      currentLevel = Math.max(0, currentLevel - leakAmount);
+      if (currentLevel < capacity) {
+        currentLevel++;
+        this.inMemoryStore.set(bucketKey, {
+          count: currentLevel,
+          resetTime: now + leakTime,
+          lastRequestTime: now
+        });
+        devLogger.debug("Rate limit check", {
+          key,
+          algorithm: "leaky_bucket",
+          allowed: true,
+          remaining: capacity - currentLevel,
+          resetTime: now + leakTime
+        });
+        return {
+          allowed: true,
+          remaining: capacity - currentLevel,
+          resetTime: now + leakTime
+        };
+      }
+      const resetTime = lastLeak + leakTime;
+      devLogger.warn("Rate limit blocked", {
+        key,
+        algorithm: "leaky_bucket",
+        remaining: 0,
+        resetTime
+      });
+      return {
+        allowed: false,
+        remaining: 0,
+        resetTime,
+        retryAfter: Math.ceil((resetTime - now) / 1e3)
+      };
+    } catch (error) {
+      devLogger.error("Rate limiter error", error instanceof Error ? error : void 0, {
+        key,
+        algorithm: "leaky_bucket",
+        error: error instanceof Error ? error.message : "Unknown error"
+      });
+      return {
+        allowed: true,
+        remaining: capacity,
+        resetTime: Date.now() + leakTime
+      };
+    }
+  }
+  /**
+   * Reset rate limit for a key
+   */
+  resetRateLimit(key) {
+    const patterns = [
+      `rate_limit:token_bucket:${key}`,
+      `rate_limit:sliding_window:${key}`,
+      `rate_limit:leaky_bucket:${key}`
+    ];
+    for (const pattern of patterns) {
+      this.inMemoryStore.delete(pattern);
+    }
+    devLogger.debug("Rate limit reset", { key });
+  }
+  /**
+   * Get current rate limit state
+   */
+  getRateLimitState(key) {
+    const patterns = [
+      `rate_limit:token_bucket:${key}`,
+      `rate_limit:sliding_window:${key}`,
+      `rate_limit:leaky_bucket:${key}`
+    ];
+    for (const pattern of patterns) {
+      const state = this.inMemoryStore.get(pattern);
+      if (state) {
+        return state;
+      }
+    }
+    return null;
+  }
+  /**
+   * Update rate limit state
+   */
+  updateRateLimitState(key, state) {
+    this.inMemoryStore.set(key, state);
+  }
+  /**
+   * Get rate limiter statistics
+   */
+  getStats() {
+    return {
+      totalKeys: this.inMemoryStore.size,
+      memoryUsage: this.inMemoryStore.size
+    };
+  }
+  /**
+   * Clean up expired entries
+   */
+  cleanup() {
+    const now = Date.now();
+    const maxAge = 24 * 60 * 60 * 1e3;
+    for (const [key, state] of this.inMemoryStore.entries()) {
+      if (now - state.lastRequestTime > maxAge) {
+        this.inMemoryStore.delete(key);
+      }
+    }
+    devLogger.debug("Cleaned up expired rate limit entries", {
+      remaining: this.inMemoryStore.size
+    });
+  }
+  /**
+   * Start cleanup interval
+   */
+  startCleanupInterval() {
+    if (this.cleanupInterval) {
+      clearInterval(this.cleanupInterval);
+    }
+    this.cleanupInterval = setInterval(
+      () => {
+        this.cleanup();
+      },
+      60 * 60 * 1e3
+    );
+  }
+  /**
+   * Stop cleanup interval
+   */
+  stopCleanupInterval() {
+    if (this.cleanupInterval) {
+      clearInterval(this.cleanupInterval);
+      this.cleanupInterval = null;
+    }
+  }
+  /**
+   * Dispose of the service
+   */
+  dispose() {
+    this.stopCleanupInterval();
+    this.inMemoryStore.clear();
+  }
+};
+var getRateLimiterService = (config) => {
+  return new RateLimiterService(config ?? {});
+};
+
+// src/RateLimitingService.ts
+import { headers } from "next/headers";
+var RATE_LIMITS2 = { default: { limit: 100, windowMs: 6e4 } };
+var generateRateLimitKey2 = (id) => `rate:${id}`;
+var generateIPRateLimitKey2 = (ip) => `rate:ip:${ip}`;
+async function checkRateLimit2(_key, _limit, _windowMs) {
+  return { allowed: true, remaining: _limit, resetTime: Date.now() + _windowMs };
+}
+async function withRateLimit(action, config) {
+  return async (...args) => {
+    const headersList = await headers();
+    const ip = headersList.get("x-forwarded-for") ?? headersList.get("x-real-ip") ?? "unknown";
+    const key = config.customKey ?? (config.userId ? generateRateLimitKey2(config.userId) : generateIPRateLimitKey2(ip));
+    const rateLimitResult = await checkRateLimit2(
+      key,
+      RATE_LIMITS2[config.type].limit,
+      RATE_LIMITS2[config.type].windowMs
+    );
+    if (!rateLimitResult.allowed) {
+      throw new Error(
+        `Rate limit exceeded. Try again in ${Math.ceil((rateLimitResult.resetTime - Date.now()) / 1e3)} seconds.`
+      );
+    }
+    return await action(...args);
+  };
+}
+function RateLimited(type, userId) {
+  return (_target, _propertyKey, descriptor) => {
+    const originalMethod = descriptor.value;
+    descriptor.value = async function(...args) {
+      const headersList = await headers();
+      const ip = headersList.get("x-forwarded-for") ?? headersList.get("x-real-ip") ?? "unknown";
+      const key = userId ? generateRateLimitKey2(userId) : generateIPRateLimitKey2(ip);
+      const rateLimitResult = await checkRateLimit2(
+        key,
+        RATE_LIMITS2[type].limit,
+        RATE_LIMITS2[type].windowMs
+      );
+      if (!rateLimitResult.allowed) {
+        throw new Error(
+          `Rate limit exceeded. Try again in ${Math.ceil((rateLimitResult.resetTime - Date.now()) / 1e3)} seconds.`
+        );
+      }
+      return await originalMethod.apply(this, args);
+    };
+    return descriptor;
+  };
+}
+async function getClientIP() {
+  const headersList = await headers();
+  return headersList.get("x-forwarded-for") ?? headersList.get("x-real-ip") ?? "unknown";
+}
+async function isTrustedSource() {
+  const headersList = await headers();
+  const userAgent = headersList.get("user-agent") || "";
+  const origin = headersList.get("origin") || "";
+  const botPatterns = [/bot/i, /crawler/i, /spider/i, /scraper/i, /curl/i, /wget/i];
+  const isBot = botPatterns.some((pattern) => pattern.test(userAgent));
+  const trustedOrigins = [
+    process.env.NEXT_PUBLIC_APP_URL,
+    "http://localhost:3000",
+    "https://localhost:3000"
+  ].filter(Boolean);
+  const isTrustedOrigin = trustedOrigins.includes(origin);
+  return !isBot && isTrustedOrigin;
+}
+async function checkUserRateLimit(userId, action, customConfig) {
+  const config = { ...RATE_LIMITS2[action], ...customConfig };
+  const key = generateRateLimitKey2(userId);
+  return await checkRateLimit2(key, config.limit, config.windowMs);
+}
+async function checkAnonymousRateLimit(action, customConfig) {
+  const ip = await getClientIP();
+  const config = { ...RATE_LIMITS2[action], ...customConfig };
+  const key = generateIPRateLimitKey2(ip);
+  return await checkRateLimit2(key, config.limit, config.windowMs);
+}
+
+// src/CSRFService.ts
+import { createHmac, randomBytes } from "crypto";
+var CSRFService = class {
+  constructor(payload, options = {}) {
+    this.payload = payload;
+    this.options = {
+      algorithm: options.algorithm ?? "sha256",
+      encoding: options.encoding ?? "hex",
+      tokenLength: options.tokenLength ?? 32,
+      tokenExpiry: options.tokenExpiry ?? 24 * 60 * 60 * 1e3
+      // 24 hours
+    };
+  }
+  options;
+  async generateCsrfToken(sessionId) {
+    try {
+      const token = randomBytes(this.options.tokenLength);
+      const hmac = createHmac(this.options.algorithm, process.env.PAYLOAD_SECRET ?? "");
+      hmac.update(sessionId);
+      hmac.update(token);
+      const signature = hmac.digest(this.options.encoding);
+      const csrfToken = `${token.toString(this.options.encoding)}.${signature}`;
+      this.payload.logger.debug("CSRF token generated successfully");
+      return csrfToken;
+    } catch (error) {
+      this.payload.logger.error("Failed to generate CSRF token", error);
+      throw error;
+    }
+  }
+  async validateCsrfToken(token, sessionId) {
+    try {
+      const [tokenPart, signature] = token.split(".");
+      if (!tokenPart || !signature) {
+        this.payload.logger.warn("Invalid CSRF token format");
+        return false;
+      }
+      const hmac = createHmac(this.options.algorithm, process.env.PAYLOAD_SECRET ?? "");
+      hmac.update(sessionId);
+      hmac.update(Buffer.from(tokenPart, this.options.encoding));
+      const expectedSignature = hmac.digest(this.options.encoding);
+      const isValid = signature === expectedSignature;
+      if (isValid) {
+        this.payload.logger.debug("CSRF token validated successfully");
+      } else {
+        this.payload.logger.warn("CSRF token validation failed");
+      }
+      return isValid;
+    } catch (error) {
+      this.payload.logger.error("Failed to validate CSRF token", error);
+      return false;
+    }
+  }
+};
+
+// src/EncryptionService.ts
+import { InfrastructureService } from "@revealui/core";
+import {
+  createCipheriv,
+  createDecipheriv,
+  randomBytes as randomBytes2,
+  scrypt as scryptCallback
+} from "crypto";
+import { promisify } from "util";
+var scryptAsync = promisify(scryptCallback);
+function isAuthenticatedCipher(cipher) {
+  return typeof cipher.getAuthTag === "function";
+}
+function isAuthenticatedDecipher(decipher) {
+  return typeof decipher.setAuthTag === "function";
+}
+var EncryptionService = class extends InfrastructureService {
+  options;
+  constructor(payload, options = {}) {
+    super(payload, "EncryptionService");
+    this.options = {
+      algorithm: options.algorithm ?? "aes-256-gcm",
+      keyLength: options.keyLength ?? 32,
+      saltLength: options.saltLength ?? 16,
+      ivLength: options.ivLength ?? 12,
+      iterations: options.iterations ?? 1e5,
+      encoding: options.encoding ?? "hex"
+    };
+  }
+  /**
+   * Encrypts data using the configured algorithm with comprehensive error handling.
+   */
+  async encrypt(data, customOptions) {
+    return this.executeInfrastructureOperation(async () => {
+      if (typeof data !== "string" || data.length === 0) {
+        throw new Error("Data to encrypt must be a non-empty string");
+      }
+      const effectiveOptions = { ...this.options, ...customOptions };
+      this.logger.debug("Starting data encryption", {
+        algorithm: effectiveOptions.algorithm,
+        dataLength: data.length,
+        serviceName: this.serviceName,
+        operation: "encrypt"
+      });
+      const salt = randomBytes2(effectiveOptions.saltLength);
+      const iv = randomBytes2(effectiveOptions.ivLength);
+      const key = await this.deriveKey(salt, effectiveOptions);
+      const cipher = createCipheriv(effectiveOptions.algorithm, key, iv);
+      const encrypted = Buffer.concat([cipher.update(data, "utf8"), cipher.final()]);
+      if (isAuthenticatedCipher(cipher) !== true) {
+        throw new Error("Cipher does not support authentication");
+      }
+      const authTag = cipher.getAuthTag();
+      const result = {
+        data: encrypted.toString(effectiveOptions.encoding),
+        metadata: {
+          algorithm: effectiveOptions.algorithm,
+          iv: iv.toString(effectiveOptions.encoding),
+          authTag: authTag.toString(effectiveOptions.encoding),
+          salt: salt.toString(effectiveOptions.encoding)
+        }
+      };
+      this.logger.debug("Data encrypted successfully", {
+        algorithm: effectiveOptions.algorithm,
+        originalLength: data.length,
+        encryptedLength: result.data.length,
+        serviceName: this.serviceName
+      });
+      return result;
+    }, "encrypt");
+  }
+  /**
+   * Decrypts data using the metadata provided with comprehensive validation.
+   */
+  async decrypt(encryptedData) {
+    return this.executeInfrastructureOperation(async () => {
+      if (!encryptedData || !encryptedData.data || !encryptedData.metadata) {
+        throw new Error("Invalid encrypted data structure");
+      }
+      const { data, metadata } = encryptedData;
+      const requiredFields = ["algorithm", "iv", "authTag", "salt"];
+      for (const field of requiredFields) {
+        const fieldValue = metadata[field];
+        if (fieldValue === void 0 || fieldValue === null || fieldValue === "") {
+          throw new Error(`Missing required encryption metadata field: ${field}`);
+        }
+      }
+      this.logger.debug("Starting data decryption", {
+        algorithm: metadata.algorithm,
+        encryptedLength: data.length,
+        serviceName: this.serviceName,
+        operation: "decrypt"
+      });
+      const key = await this.deriveKey(Buffer.from(metadata.salt, this.options.encoding), {
+        ...this.options,
+        algorithm: metadata.algorithm
+      });
+      const decipher = createDecipheriv(
+        metadata.algorithm,
+        key,
+        Buffer.from(metadata.iv, this.options.encoding)
+      );
+      if (isAuthenticatedDecipher(decipher) !== true) {
+        throw new Error("Decipher does not support authentication");
+      }
+      decipher.setAuthTag(Buffer.from(metadata.authTag, this.options.encoding));
+      const decrypted = Buffer.concat([
+        decipher.update(Buffer.from(data, this.options.encoding)),
+        decipher.final()
+      ]);
+      const result = decrypted.toString("utf8");
+      this.logger.debug("Data decrypted successfully", {
+        algorithm: metadata.algorithm,
+        encryptedLength: data.length,
+        decryptedLength: result.length,
+        serviceName: this.serviceName
+      });
+      return result;
+    }, "decrypt");
+  }
+  /**
+   * Encrypts multiple data items in batch with optimized processing.
+   */
+  async encryptBatch(dataItems, customOptions) {
+    return this.executeInfrastructureOperation(async () => {
+      if (!Array.isArray(dataItems) || dataItems.length === 0) {
+        throw new Error("Data items array must contain at least one item");
+      }
+      this.logger.info("Starting batch encryption", {
+        itemCount: dataItems.length,
+        serviceName: this.serviceName,
+        operation: "encryptBatch"
+      });
+      const successful = [];
+      const failed = [];
+      const encryptionPromises = dataItems.map(async (data) => {
+        try {
+          const result = await this.encrypt(data, customOptions);
+          if (result.success && result.data) {
+            successful.push(result.data);
+          } else {
+            failed.push({
+              data,
+              error: result.error ?? "Unknown encryption error"
+            });
+          }
+        } catch (error) {
+          failed.push({
+            data,
+            error: error instanceof Error ? error.message : "Unknown encryption error"
+          });
+        }
+      });
+      await Promise.allSettled(encryptionPromises);
+      this.logger.info("Batch encryption completed", {
+        totalItems: dataItems.length,
+        successful: successful.length,
+        failed: failed.length,
+        serviceName: this.serviceName
+      });
+      return { successful, failed };
+    }, "encryptBatch");
+  }
+  /**
+   * Generates cryptographically secure random data.
+   */
+  async generateRandomData(length = 32, encoding = "hex") {
+    return this.executeInfrastructureOperation(async () => {
+      if (length <= 0 || length > 1024) {
+        throw new Error("Random data length must be between 1 and 1024 bytes");
+      }
+      this.logger.debug("Generating random data", {
+        length,
+        encoding,
+        serviceName: this.serviceName,
+        operation: "generateRandomData"
+      });
+      const randomData = randomBytes2(length);
+      const result = randomData.toString(encoding);
+      this.logger.debug("Random data generated successfully", {
+        length,
+        encoding,
+        outputLength: result.length,
+        serviceName: this.serviceName
+      });
+      return result;
+    }, "generateRandomData");
+  }
+  /**
+   * Validates the integrity of encrypted data by attempting decryption.
+   */
+  async validateEncryptedData(encryptedData) {
+    return this.executeInfrastructureOperation(async () => {
+      if (!encryptedData) {
+        throw new Error("Encrypted data is required");
+      }
+      this.logger.debug("Validating encrypted data integrity", {
+        algorithm: encryptedData.metadata.algorithm,
+        serviceName: this.serviceName,
+        operation: "validateEncryptedData"
+      });
+      try {
+        const decryptResult = await this.decrypt(encryptedData);
+        const valid = decryptResult.success && !!decryptResult.data;
+        this.logger.debug("Encrypted data validation completed", {
+          valid,
+          serviceName: this.serviceName
+        });
+        return valid ? { valid, error: void 0 } : {
+          valid,
+          error: decryptResult.error ?? "Decryption failed"
+        };
+      } catch (error) {
+        const errorMessage = error instanceof Error ? error.message : "Unknown validation error";
+        this.logger.debug("Encrypted data validation failed", {
+          error: errorMessage,
+          serviceName: this.serviceName
+        });
+        return { valid: false, error: errorMessage };
+      }
+    }, "validateEncryptedData");
+  }
+  /**
+   * Derives encryption key from password and salt using PBKDF2.
+   * @private
+   */
+  async deriveKey(salt, options = {}) {
+    const effectiveOptions = { ...this.options, ...options };
+    const secret = process.env.PAYLOAD_SECRET;
+    if (!secret || secret === "") {
+      throw new Error("PAYLOAD_SECRET environment variable is required for encryption");
+    }
+    return scryptAsync(secret, salt, effectiveOptions.keyLength);
+  }
+  /**
+   * @inheritdoc
+   */
+  async onInitialize() {
+    this.logger.info("Initializing EncryptionService", {
+      algorithm: this.options.algorithm,
+      keyLength: this.options.keyLength,
+      serviceName: this.serviceName
+    });
+    if (!process.env.PAYLOAD_SECRET) {
+      throw new Error("PAYLOAD_SECRET environment variable is required for EncryptionService");
+    }
+    try {
+      const testData = "encryption-test-data";
+      const encrypted = await this.encrypt(testData);
+      if (!encrypted.success || !encrypted.data) {
+        throw new Error("Encryption test failed");
+      }
+      const decrypted = await this.decrypt(encrypted.data);
+      if (!decrypted.success || decrypted.data !== testData) {
+        throw new Error("Decryption test failed");
+      }
+      this.logger.debug("EncryptionService initialization test passed", {
+        serviceName: this.serviceName
+      });
+    } catch (error) {
+      throw new Error(
+        `EncryptionService initialization failed: ${error instanceof Error ? error.message : "Unknown error"}`
+      );
+    }
+  }
+  /**
+   * @inheritdoc
+   */
+  async onCleanup() {
+    this.logger.info("Cleaning up EncryptionService", {
+      serviceName: this.serviceName
+    });
+  }
+  /**
+   * @inheritdoc
+   */
+  async onHealthCheck() {
+    try {
+      const testData = "health-check-data";
+      const encrypted = await this.encrypt(testData);
+      if (!encrypted.success || !encrypted.data) {
+        throw new Error("Health check encryption failed");
+      }
+      const decrypted = await this.decrypt(encrypted.data);
+      if (!decrypted.success || decrypted.data !== testData) {
+        throw new Error("Health check decryption failed");
+      }
+    } catch (error) {
+      throw new Error(
+        `EncryptionService health check failed: ${error instanceof Error ? error.message : "Unknown error"}`
+      );
+    }
+  }
+};
+
+// src/SecurityMonitoringService.ts
+var devLogger2 = {
+  info: (...args) => console.log("[security]", ...args),
+  warn: (...args) => console.warn("[security]", ...args),
+  error: (...args) => console.error("[security]", ...args)
+};
+var createSecurityEvent = (type, severity, message, options) => {
+  const baseEvent = {
+    id: crypto.randomUUID(),
+    type,
+    severity,
+    message,
+    timestamp: /* @__PURE__ */ new Date(),
+    ...options?.metadata ? { metadata: options.metadata } : {},
+    ...options?.userId !== void 0 ? { userId: options.userId } : {},
+    ...options?.ipAddress !== void 0 ? { ipAddress: options.ipAddress } : {},
+    ...options?.userAgent !== void 0 ? { userAgent: options.userAgent } : {}
+  };
+  return baseEvent;
+};
+var calculateSecurityMetrics = (events2) => {
+  if (events2.length === 0) {
+    return {
+      totalEvents: 0,
+      eventsByType: {},
+      eventsBySeverity: {},
+      averageResponseTime: 0
+    };
+  }
+  const eventsByType = events2.reduce((acc, event) => {
+    acc[event.type] = (acc[event.type] || 0) + 1;
+    return acc;
+  }, {});
+  const eventsBySeverity = events2.reduce((acc, event) => {
+    acc[event.severity] = (acc[event.severity] || 0) + 1;
+    return acc;
+  }, {});
+  const lastEventTime = events2.length > 0 ? new Date(Math.max(...events2.map((e) => e.timestamp.getTime()))) : void 0;
+  return {
+    totalEvents: events2.length,
+    eventsByType,
+    eventsBySeverity,
+    averageResponseTime: 0,
+    // Would be calculated from actual response times
+    ...lastEventTime !== void 0 ? { lastEventTime } : {}
+  };
+};
+var shouldTriggerAlert = (event, thresholds) => {
+  const now = /* @__PURE__ */ new Date();
+  const timeWindowStart = new Date(now.getTime() - thresholds.timeWindowMs);
+  const recentEvents = events.filter(
+    (event2) => event2.timestamp >= timeWindowStart && event2.timestamp <= now
+  );
+  const criticalCount = recentEvents.filter((e) => e.severity === "critical").length;
+  const highCount = recentEvents.filter((e) => e.severity === "high").length;
+  const mediumCount = recentEvents.filter((e) => e.severity === "medium").length;
+  if (criticalCount >= thresholds.criticalCount) return true;
+  if (highCount >= thresholds.highCount) return true;
+  if (mediumCount >= thresholds.mediumCount) return true;
+  if (event.severity === "critical") return true;
+  return false;
+};
+var createSecurityAlert = (event, alertType = "threshold_exceeded") => ({
+  id: crypto.randomUUID(),
+  type: alertType,
+  severity: event.severity,
+  message: `Security alert: ${event.message}`,
+  timestamp: /* @__PURE__ */ new Date(),
+  metadata: {
+    originalEventId: event.id,
+    originalEventType: event.type,
+    ...event.metadata
+  }
+});
+var filterEvents = (events2, criteria) => {
+  return events2.filter((event) => {
+    if (criteria.type && event.type !== criteria.type) return false;
+    if (criteria.severity && event.severity !== criteria.severity) return false;
+    if (criteria.userId && event.userId !== criteria.userId) return false;
+    if (criteria.timeRange) {
+      const eventTime = event.timestamp.getTime();
+      const startTime = criteria.timeRange.start.getTime();
+      const endTime = criteria.timeRange.end.getTime();
+      if (eventTime < startTime || eventTime > endTime) return false;
+    }
+    return true;
+  });
+};
+var events = [];
+var alerts = [];
+var addSecurityEvent = (event) => {
+  events.push(event);
+  devLogger2.info("Security event recorded", {
+    eventId: event.id,
+    type: event.type,
+    severity: event.severity,
+    message: event.message,
+    userId: event.userId,
+    timestamp: event.timestamp.toISOString()
+  });
+  if (shouldTriggerAlert(event, {
+    criticalCount: 1,
+    highCount: 5,
+    mediumCount: 10,
+    timeWindowMs: 6e4
+    // 1 minute
+  })) {
+    const alert = createSecurityAlert(event);
+    alerts.push(alert);
+    devLogger2.warn("Security alert triggered", {
+      alertId: alert.id,
+      eventId: event.id,
+      severity: alert.severity,
+      message: alert.message
+    });
+  }
+};
+var getSecurityEvents = () => [...events];
+var getSecurityAlerts = () => [...alerts];
+var getSecurityMetrics = () => calculateSecurityMetrics(events);
+var clearSecurityData = () => {
+  events = [];
+  alerts = [];
+};
+var logAuthenticationEvent = (userId, success, options) => {
+  const eventOptions = {
+    userId,
+    ...options?.ipAddress !== void 0 ? { ipAddress: options.ipAddress } : {},
+    ...options?.userAgent !== void 0 ? { userAgent: options.userAgent } : {},
+    metadata: {
+      success,
+      ...options?.metadata
+    }
+  };
+  const event = createSecurityEvent(
+    "authentication",
+    success ? "low" : "high",
+    `Authentication ${success ? "successful" : "failed"} for user ${userId}`,
+    eventOptions
+  );
+  addSecurityEvent(event);
+};
+var logAuthorizationEvent = (userId, resource, action, granted, options) => {
+  const eventOptions = {
+    userId,
+    ...options?.ipAddress !== void 0 ? { ipAddress: options.ipAddress } : {},
+    ...options?.userAgent !== void 0 ? { userAgent: options.userAgent } : {},
+    metadata: {
+      resource,
+      action,
+      granted,
+      ...options?.metadata
+    }
+  };
+  const event = createSecurityEvent(
+    "authorization",
+    granted ? "low" : "medium",
+    `Authorization ${granted ? "granted" : "denied"} for user ${userId} on ${resource}:${action}`,
+    eventOptions
+  );
+  addSecurityEvent(event);
+};
+var logDataAccessEvent = (userId, collection, operation, recordId, options) => {
+  const eventOptions = {
+    userId,
+    ...options?.ipAddress !== void 0 ? { ipAddress: options.ipAddress } : {},
+    ...options?.userAgent !== void 0 ? { userAgent: options.userAgent } : {},
+    metadata: {
+      collection,
+      operation,
+      recordId,
+      ...options?.metadata
+    }
+  };
+  const event = createSecurityEvent(
+    "data_access",
+    operation === "delete" ? "medium" : "low",
+    `Data access: ${operation} on ${collection}${recordId ? ` (${recordId})` : ""} by user ${userId}`,
+    eventOptions
+  );
+  addSecurityEvent(event);
+};
+var getUserEvents = (userId) => filterEvents(events, { userId });
+var getEventsBySeverity = (severity) => filterEvents(events, { severity });
+var getEventsInTimeRange = (start, end) => filterEvents(events, { timeRange: { start, end } });
+var SecurityMonitoringService = {
+  // Event management
+  addEvent: addSecurityEvent,
+  getEvents: getSecurityEvents,
+  getUserEvents,
+  getEventsBySeverity,
+  getEventsInTimeRange,
+  // Alert management
+  getAlerts: getSecurityAlerts,
+  // Metrics
+  getMetrics: getSecurityMetrics,
+  // Utility functions
+  logAuthenticationEvent,
+  logAuthorizationEvent,
+  logDataAccessEvent,
+  // Testing utilities
+  clearData: clearSecurityData,
+  // Pure functions for composition
+  createEvent: createSecurityEvent,
+  createAlert: createSecurityAlert,
+  filterEvents,
+  calculateMetrics: calculateSecurityMetrics
+};
+
+// src/SecurityService.ts
+import { NextResponse } from "next/server";
+import { createHmac as createHmac2 } from "crypto";
+async function getPayloadClient() {
+  return { logger: console };
+}
+var logger = {
+  info: (message, ...args) => console.log(`[SecurityService] ${message}`, ...args),
+  warn: (message, ...args) => console.warn(`[SecurityService] ${message}`, ...args),
+  error: (message, ...args) => console.error(`[SecurityService] ${message}`, ...args)
+};
+async function securityMiddleware(req) {
+  const response = new NextResponse();
+  try {
+    const payload = await getPayloadClient();
+    payload.logger.info(`Security middleware started for ${req.method} ${req.url}`);
+  } catch {
+    logger.info(`Security middleware started for ${req.method} ${req.url}`);
+  }
+  response.headers.set("X-Content-Type-Options", "nosniff");
+  response.headers.set("X-Frame-Options", "DENY");
+  response.headers.set("X-XSS-Protection", "1; mode=block");
+  response.headers.set("Referrer-Policy", "strict-origin-when-cross-origin");
+  response.headers.set("Strict-Transport-Security", "max-age=31536000; includeSubDomains");
+  const isApiRoute = req.nextUrl.pathname.startsWith("/api");
+  const csp = isApiRoute ? "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'" : "default-src 'self'";
+  response.headers.set("Content-Security-Policy", csp);
+  try {
+    const payload = await getPayloadClient();
+    payload.logger.info("Security middleware completed");
+  } catch {
+    logger.info("Security middleware completed");
+  }
+  return;
+}
+function createSecurity(config) {
+  return {
+    generateCsrfToken(sessionId) {
+      return createHmac2("sha256", config.csrfSecret).update(sessionId).digest("hex");
+    },
+    isTokenExpired(exp) {
+      return Date.now() / 1e3 > exp;
+    },
+    getAccessTokenExpiry() {
+      return config.tokenExpiry.access;
+    },
+    getRefreshTokenExpiry() {
+      return config.tokenExpiry.refresh;
+    }
+  };
+}
+
+// src/SessionService.ts
+var logger2 = {
+  info: (message, ...args) => console.log(`[SessionService] ${message}`, ...args),
+  warn: (message, ...args) => console.warn(`[SessionService] ${message}`, ...args),
+  error: (message, ...args) => console.error(`[SessionService] ${message}`, ...args)
+};
+var devLogger3 = {
+  info: (...args) => logger2.info(String(args[0]), ...args.slice(1)),
+  warn: (...args) => logger2.warn(String(args[0]), ...args.slice(1)),
+  error: (...args) => logger2.error(String(args[0]), ...args.slice(1)),
+  forService: (_name) => ({
+    info: (...args) => logger2.info(String(args[0]), ...args.slice(1)),
+    warn: (...args) => logger2.warn(String(args[0]), ...args.slice(1)),
+    error: (...args) => logger2.error(String(args[0]), ...args.slice(1))
+  })
+};
+async function getPayloadClient2() {
+  return {
+    logger: {
+      info: (...args) => logger2.info(String(args[0]), ...args.slice(1)),
+      warn: (...args) => logger2.warn(String(args[0]), ...args.slice(1)),
+      error: (...args) => logger2.error(String(args[0]), ...args.slice(1))
+    }
+  };
+}
+function generateUUID() {
+  if (typeof crypto !== "undefined" && crypto.randomUUID) {
+    return crypto.randomUUID();
+  }
+  return `xxxxxxxx-xxxx-4xxx-yxxx-xxxxxxxxxxxx`.replace(/[xy]/g, (c) => {
+    const r = Math.random() * 16 | 0;
+    const v = c === "x" ? r : r & 3 | 8;
+    return v.toString(16);
+  });
+}
+var SessionRepository = class {
+  constructor(payload) {
+    this.payload = payload;
+    void this.payload;
+  }
+  sessions = /* @__PURE__ */ new Map();
+  createSessionId() {
+    try {
+      return generateUUID();
+    } catch {
+      return `session_${Date.now().toString(36)}`;
+    }
+  }
+  createToken() {
+    try {
+      return `token_${generateUUID()}`;
+    } catch {
+      return `token_${Date.now().toString(36)}`;
+    }
+  }
+  async create(data) {
+    if (!data.userId) {
+      return {
+        success: false,
+        errors: [{ message: "userId is required", path: "create" }]
+      };
+    }
+    const now = /* @__PURE__ */ new Date();
+    const session = {
+      id: data.id ?? this.createSessionId(),
+      userId: data.userId,
+      token: data.token ?? this.createToken(),
+      expiresAt: data.expiresAt ? new Date(data.expiresAt) : new Date(now.getTime() + 1e3 * 60 * 60),
+      lastActiveAt: data.lastActiveAt ? new Date(data.lastActiveAt) : now,
+      isActive: data.isActive ?? true,
+      updatedAt: now,
+      createdAt: now,
+      ...data.device !== void 0 ? { device: data.device } : {}
+    };
+    this.sessions.set(session.id, session);
+    return { success: true, data: session };
+  }
+  async findById(id) {
+    const session = this.sessions.get(String(id));
+    if (!session) {
+      return {
+        success: false,
+        errors: [{ message: "Session not found", path: "findById" }]
+      };
+    }
+    return { success: true, data: session };
+  }
+  async delete(id) {
+    const key = String(id);
+    if (!this.sessions.has(key)) {
+      return {
+        success: false,
+        errors: [{ message: "Session not found", path: "delete" }]
+      };
+    }
+    this.sessions.delete(key);
+    return { success: true };
+  }
+  async revokeAllUserSessions(userId) {
+    let removed = false;
+    for (const [key, session] of this.sessions.entries()) {
+      if (session.userId === userId) {
+        this.sessions.delete(key);
+        removed = true;
+      }
+    }
+    if (!removed) {
+      return {
+        success: false,
+        errors: [{ message: "No sessions found for user", path: "revokeAllUserSessions" }]
+      };
+    }
+    return { success: true };
+  }
+  async findAll() {
+    return { success: true, data: Array.from(this.sessions.values()) };
+  }
+  async update(id, data) {
+    const existing = this.sessions.get(id);
+    if (!existing) {
+      return {
+        success: false,
+        errors: [{ message: "Session not found", path: "update" }]
+      };
+    }
+    const updated = {
+      ...existing,
+      ...data.userId !== void 0 ? { userId: data.userId } : {},
+      ...data.token !== void 0 ? { token: data.token } : {},
+      ...data.device !== void 0 ? { device: data.device } : {},
+      ...data.expiresAt !== void 0 ? { expiresAt: new Date(data.expiresAt) } : {},
+      ...data.lastActiveAt !== void 0 ? { lastActiveAt: new Date(data.lastActiveAt) } : {},
+      ...data.isActive !== void 0 ? { isActive: data.isActive } : {},
+      updatedAt: /* @__PURE__ */ new Date()
+    };
+    this.sessions.set(id, updated);
+    return { success: true, data: updated };
+  }
+};
+var SessionService = class {
+  repository = null;
+  constructor(repository) {
+    if (repository) {
+      this.repository = repository;
+    }
+  }
+  async getRepository() {
+    if (!this.repository) {
+      const payload = await getPayloadClient2();
+      this.repository = new SessionRepository(payload);
+    }
+    return this.repository;
+  }
+  /**
+   * Creates a new session for a user.
+   */
+  async createSession(data) {
+    if (!data.userId || typeof data.userId !== "string") {
+      return {
+        success: false,
+        errors: [
+          {
+            message: "userId is required",
+            path: "userId"
+          }
+        ]
+      };
+    }
+    const repository = await this.getRepository();
+    const result = await repository.create(data);
+    if (!result.success) {
+      try {
+        const payload = await getPayloadClient2();
+        payload.logger.error("Failed to create session", {
+          errors: result.errors
+        });
+      } catch {
+        devLogger3.error("Failed to create session", { errors: result.errors });
+      }
+    }
+    return result;
+  }
+  /**
+   * Validates a session by ID, checks for expiration, and deletes if expired.
+   */
+  async validateSession(sessionId) {
+    try {
+      const repository = await this.getRepository();
+      const result = await repository.findById(sessionId);
+      if (!result.success || !result.data) {
+        try {
+          const payload = await getPayloadClient2();
+          payload.logger.warn("Invalid session", { sessionId, errors: result.errors });
+        } catch {
+          devLogger3.warn("Invalid session", { sessionId, errors: result.errors });
+        }
+        return {
+          success: false,
+          errors: result.errors ?? [{ message: "Session not found", path: "validateSession" }]
+        };
+      }
+      const session = result.data;
+      if (session.expiresAt.getTime() < Date.now()) {
+        await repository.delete(sessionId);
+        try {
+          const payload = await getPayloadClient2();
+          payload.logger.info("Session expired and deleted", { sessionId });
+        } catch {
+          devLogger3.info("Session expired and deleted", { sessionId });
+        }
+        return {
+          success: false,
+          errors: [{ message: "Session expired", path: "validateSession" }]
+        };
+      }
+      const userResult = { success: true, data: { id: session.userId } };
+      if (!userResult.success || !userResult.data) {
+        try {
+          const payload = await getPayloadClient2();
+          payload.logger.error("User not found for session", {
+            sessionId,
+            userId: session.userId
+          });
+        } catch {
+          devLogger3.error("User not found for session", {
+            sessionId,
+            userId: session.userId
+          });
+        }
+        return {
+          success: false,
+          errors: [{ message: "User not found for session", path: "validateSession" }]
+        };
+      }
+      return { success: true, data: session };
+    } catch (error) {
+      try {
+        const payload = await getPayloadClient2();
+        payload.logger.error("Session validation failed", { error });
+      } catch {
+        devLogger3.error("Session validation failed", { error });
+      }
+      return {
+        success: false,
+        errors: [{ message: "Session validation failed", path: "validateSession" }]
+      };
+    }
+  }
+  /**
+   * Invalidates (deletes) a session by ID.
+   */
+  async invalidateSession(sessionId) {
+    try {
+      const repository = await this.getRepository();
+      const result = await repository.delete(sessionId);
+      if (!result.success) {
+        try {
+          const payload = await getPayloadClient2();
+          payload.logger.error("Session invalidation failed", {
+            errors: result.errors
+          });
+        } catch {
+          devLogger3.error("Session invalidation failed", {
+            errors: result.errors
+          });
+        }
+        return result;
+      }
+      return result;
+    } catch (error) {
+      try {
+        const payload = await getPayloadClient2();
+        payload.logger.error("Session invalidation failed", { error });
+      } catch {
+        devLogger3.error("Session invalidation failed", { error });
+      }
+      return {
+        success: false,
+        errors: [
+          {
+            message: "Session invalidation failed",
+            path: "invalidateSession"
+          }
+        ]
+      };
+    }
+  }
+  /**
+   * Invalidates (deletes) all sessions for a user by userId.
+   */
+  async invalidateAllUserSessions(userId) {
+    try {
+      const repository = await this.getRepository();
+      const result = await repository.revokeAllUserSessions(userId);
+      if (!result.success) {
+        try {
+          const payload = await getPayloadClient2();
+          payload.logger.error("User sessions invalidation failed", {
+            errors: result.errors
+          });
+        } catch {
+          devLogger3.error("User sessions invalidation failed", {
+            errors: result.errors
+          });
+        }
+        return result;
+      }
+      return result;
+    } catch (error) {
+      try {
+        const payload = await getPayloadClient2();
+        payload.logger.error("User sessions invalidation failed", {
+          error
+        });
+      } catch {
+        devLogger3.error("User sessions invalidation failed", { error });
+      }
+      return {
+        success: false,
+        errors: [
+          {
+            message: "Failed to invalidate user sessions",
+            path: "invalidateAllUserSessions"
+          }
+        ]
+      };
+    }
+  }
+  async getSessionById(id) {
+    const repository = await this.getRepository();
+    const result = await repository.findById(id);
+    if (!result.success) {
+      try {
+        const payload = await getPayloadClient2();
+        payload.logger.warn("Session not found", {
+          errors: result.errors
+        });
+      } catch {
+        devLogger3.warn("Session not found", { errors: result.errors });
+      }
+    }
+    return result;
+  }
+  async getAllSessions() {
+    const repository = await this.getRepository();
+    const result = await repository.findAll();
+    if (!result.success) {
+      try {
+        const payload = await getPayloadClient2();
+        payload.logger.error("Failed to fetch sessions", {
+          errors: result.errors
+        });
+      } catch {
+        devLogger3.error("Failed to fetch sessions", {
+          errors: result.errors
+        });
+      }
+    }
+    return result;
+  }
+  async updateSession(id, data) {
+    const repository = await this.getRepository();
+    const result = await repository.update(id, data);
+    if (!result.success) {
+      try {
+        const payload = await getPayloadClient2();
+        payload.logger.error("Failed to update session", {
+          errors: result.errors
+        });
+      } catch {
+        devLogger3.error("Failed to update session", { errors: result.errors });
+      }
+    }
+    return result;
+  }
+  async deleteSession(id) {
+    const repository = await this.getRepository();
+    const result = await repository.delete(id);
+    if (!result.success) {
+      try {
+        const payload = await getPayloadClient2();
+        payload.logger.error("Failed to delete session", {
+          errors: result.errors
+        });
+      } catch {
+        devLogger3.error("Failed to delete session", { errors: result.errors });
+      }
+    }
+    return result;
+  }
+};
+var sessionService = new SessionService();
+
+// src/TokenService.ts
+import { InfrastructureService as InfrastructureService2 } from "@revealui/core";
+var AppError = class extends Error {
+  constructor(code, message, cause) {
+    super(message);
+    this.code = code;
+    this.cause = cause;
+    this.name = "AppError";
+    if (cause) {
+      this.cause = cause;
+    }
+  }
+};
+var ErrorCode = {
+  TOKEN_INVALID: "TOKEN_INVALID",
+  TOKEN_EXPIRED: "TOKEN_EXPIRED",
+  AUTHENTICATION_ERROR: "AUTHENTICATION_ERROR",
+  INTERNAL_ERROR: "INTERNAL_ERROR"
+};
+var TokenService = class extends InfrastructureService2 {
+  constructor(payload) {
+    super(payload, "TokenService");
+    this.payload = payload;
+  }
+  /**
+   * Authenticate user and generate access token using PayloadCMS native login
+   * @param credentials User login credentials
+   * @param req Optional PayloadRequest for context
+   * @returns Login result with user data and token
+   */
+  async login(credentials, req) {
+    try {
+      this.logger.debug("Attempting user login", {
+        email: credentials.email,
+        serviceName: this.serviceName,
+        operation: "login"
+      });
+      const result = await this.payload.login({
+        collection: "users",
+        data: {
+          email: credentials.email,
+          password: credentials.password
+        },
+        ...req && { req }
+      });
+      this.logger.info("User login successful", {
+        userId: result.user.id,
+        email: result.user.email,
+        serviceName: this.serviceName
+      });
+      return result;
+    } catch (error) {
+      this.logger.error("User login failed", {
+        email: credentials.email,
+        error: error instanceof Error ? error.message : "Unknown error",
+        serviceName: this.serviceName
+      });
+      throw new AppError(
+        ErrorCode.AUTHENTICATION_ERROR,
+        "Login failed",
+        error instanceof Error ? error : new Error(String(error))
+      );
+    }
+  }
+  /**
+   * Verify user by ID using PayloadCMS native functionality
+   * @param userId User ID to verify
+   * @returns User data if exists
+   */
+  async verifyUser(userId) {
+    try {
+      this.logger.debug("Verifying user", {
+        userId,
+        serviceName: this.serviceName,
+        operation: "verifyUser"
+      });
+      const user = await this.payload.findByID({
+        collection: "users",
+        id: userId
+      });
+      this.logger.debug("User verification successful", {
+        userId: user.id,
+        serviceName: this.serviceName
+      });
+      return user;
+    } catch (error) {
+      this.logger.error("User verification failed", {
+        userId,
+        error: error instanceof Error ? error.message : "Unknown error",
+        serviceName: this.serviceName
+      });
+      throw new AppError(
+        ErrorCode.AUTHENTICATION_ERROR,
+        "User verification failed",
+        error instanceof Error ? error : new Error(String(error))
+      );
+    }
+  }
+  /**
+   * Generate password reset token using PayloadCMS native functionality
+   * @param email User email address
+   * @returns Password reset token
+   */
+  async generatePasswordResetToken(email) {
+    try {
+      this.logger.debug("Generating password reset token", {
+        email,
+        serviceName: this.serviceName,
+        operation: "generatePasswordResetToken"
+      });
+      const token = await this.payload.forgotPassword({
+        collection: "users",
+        data: { email }
+      });
+      this.logger.info("Password reset token generated", {
+        email,
+        serviceName: this.serviceName
+      });
+      return token;
+    } catch (error) {
+      this.logger.error("Password reset token generation failed", {
+        email,
+        error: error instanceof Error ? error.message : "Unknown error",
+        serviceName: this.serviceName
+      });
+      throw new AppError(
+        ErrorCode.INTERNAL_ERROR,
+        "Failed to generate password reset token",
+        error instanceof Error ? error : new Error(String(error))
+      );
+    }
+  }
+  /**
+   * Reset user password using PayloadCMS native functionality
+   * @param token Password reset token
+   * @param newPassword New password
+   * @returns Reset result with user and new token
+   *
+   * NOTE: Uses overrideAccess: true as this is a system-level password reset operation
+   * that requires bypassing normal access control for security token validation.
+   */
+  async resetPassword(token, newPassword) {
+    try {
+      this.logger.debug("Resetting password", {
+        serviceName: this.serviceName,
+        operation: "resetPassword"
+      });
+      const result = await this.payload.resetPassword({
+        collection: "users",
+        data: {
+          token,
+          password: newPassword
+        },
+        overrideAccess: true
+        // System-level operation for password reset flow
+      });
+      this.logger.info("Password reset successful", {
+        userId: result.user?.id,
+        serviceName: this.serviceName
+      });
+      return result;
+    } catch (error) {
+      this.logger.error("Password reset failed", {
+        error: error instanceof Error ? error.message : "Unknown error",
+        serviceName: this.serviceName
+      });
+      throw new AppError(
+        ErrorCode.AUTHENTICATION_ERROR,
+        "Password reset failed",
+        error instanceof Error ? error : new Error(String(error))
+      );
+    }
+  }
+  /**
+   * Verify email using PayloadCMS native functionality
+   * @param token Email verification token
+   * @returns Verification success status
+   */
+  async verifyEmail(token) {
+    try {
+      this.logger.debug("Verifying email", {
+        serviceName: this.serviceName,
+        operation: "verifyEmail"
+      });
+      const result = await this.payload.verifyEmail({
+        collection: "users",
+        token
+      });
+      this.logger.info("Email verification completed", {
+        success: result,
+        serviceName: this.serviceName
+      });
+      return result;
+    } catch (error) {
+      this.logger.error("Email verification failed", {
+        error: error instanceof Error ? error.message : "Unknown error",
+        serviceName: this.serviceName
+      });
+      throw new AppError(
+        ErrorCode.AUTHENTICATION_ERROR,
+        "Email verification failed",
+        error instanceof Error ? error : new Error(String(error))
+      );
+    }
+  }
+  /**
+   * Unlock user account using PayloadCMS native functionality
+   * @param email User email address
+   * @param password User password
+   * @returns Unlock success status
+   *
+   * NOTE: Uses overrideAccess: true as this is a system-level account unlock operation
+   * that requires bypassing normal access control for account recovery.
+   */
+  async unlockUser(email, password) {
+    try {
+      this.logger.debug("Unlocking user account", {
+        email,
+        serviceName: this.serviceName,
+        operation: "unlockUser"
+      });
+      const result = await this.payload.unlock({
+        collection: "users",
+        data: { email, password },
+        overrideAccess: true
+        // System-level operation for account recovery
+      });
+      this.logger.info("User account unlock completed", {
+        email,
+        success: result,
+        serviceName: this.serviceName
+      });
+      return result;
+    } catch (error) {
+      this.logger.error("User account unlock failed", {
+        email,
+        error: error instanceof Error ? error.message : "Unknown error",
+        serviceName: this.serviceName
+      });
+      throw new AppError(
+        ErrorCode.AUTHENTICATION_ERROR,
+        "User account unlock failed",
+        error instanceof Error ? error : new Error(String(error))
+      );
+    }
+  }
+  /**
+   * @inheritdoc
+   */
+  onInitialize() {
+    this.logger.info("TokenService initialized with PayloadCMS native auth", {
+      serviceName: this.serviceName
+    });
+  }
+  /**
+   * @inheritdoc
+   */
+  onCleanup() {
+    this.logger.info("TokenService cleaned up", {
+      serviceName: this.serviceName
+    });
+  }
+  /**
+   * @inheritdoc
+   */
+  onHealthCheck() {
+    this.logger.debug("TokenService health check passed", {
+      serviceName: this.serviceName
+    });
+  }
+};
+function createTokenService(payload) {
+  return new TokenService(payload);
+}
+export {
+  CSRFService,
+  EncryptionService,
+  RATE_LIMITS,
+  RateLimited,
+  RateLimiterService,
+  SECURITY_HEADERS,
+  SecurityMonitoringService,
+  SessionService,
+  TokenService,
+  addSecurityEvent,
+  calculateSecurityMetrics,
+  checkAnonymousRateLimit,
+  checkRateLimit,
+  checkUserRateLimit,
+  clearSecurityData,
+  createSecurity,
+  createSecurityAlert,
+  createSecurityEvent,
+  createTokenService,
+  filterEvents,
+  generateIPRateLimitKey,
+  generateRateLimitKey,
+  getClientIP,
+  getEventsBySeverity,
+  getEventsInTimeRange,
+  getRateLimiterService,
+  getSecurityAlerts,
+  getSecurityEvents,
+  getSecurityMetrics,
+  getUserEvents,
+  isTrustedSource,
+  logAuthenticationEvent,
+  logAuthorizationEvent,
+  logDataAccessEvent,
+  logSecurityEvent,
+  sanitizeInput,
+  securityMiddleware,
+  sessionService,
+  shouldTriggerAlert,
+  validateAndSanitizeInput,
+  validateCSRFToken,
+  validateEnvironment,
+  withRateLimit
+};
+//# sourceMappingURL=index.js.map