npm - @revealui/security - Versions diffs - 0.0.1-pre.1 → 0.2.0 - Mend

@revealui/security 0.0.1-pre.1 → 0.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (6) hide show

package/dist/index.js CHANGED Viewed

@@ -1,1841 +1,2434 @@
-// src/SecurityValidation.ts
-import { z } from "zod";
-var EnvironmentSchema = z.object({
-  PAYLOAD_SECRET: z.string().min(32, "PAYLOAD_SECRET must be at least 32 characters"),
-  MCP_ENCRYPTION_KEY: z.string().min(64, "MCP_ENCRYPTION_KEY must be at least 64 characters"),
-  TURSO_URL: z.string().url().optional(),
-  TURSO_AUTH_TOKEN: z.string().optional(),
-  SUPPORT_EMAIL: z.string().email().optional()
-});
-var RATE_LIMITS = {
-  CHAT: { windowMs: 60 * 1e3, maxRequests: 10 },
-  // 10 requests per minute
-  CONTENT: { windowMs: 60 * 1e3, maxRequests: 5 },
-  // 5 requests per minute
-  CONTACT: { windowMs: 15 * 60 * 1e3, maxRequests: 3 },
-  // 3 requests per 15 minutes
-  RECOMMENDATIONS: { windowMs: 60 * 1e3, maxRequests: 20 }
-  // 20 requests per minute
-};
-var rateLimitStore = /* @__PURE__ */ new Map();
-async function validateEnvironment() {
-  const validation = EnvironmentSchema.safeParse(process.env);
-  if (!validation.success) {
-    const errors = validation.error.issues.map((issue) => `${issue.path.join(".")}: ${issue.message}`).join(", ");
-    throw new Error(`Environment validation failed: ${errors}`);
-  }
-}
-async function checkRateLimit(key, config) {
-  const now = Date.now();
-  for (const [k, v] of rateLimitStore.entries()) {
-    if (v.resetTime < now) {
-      rateLimitStore.delete(k);
-    }
-  }
-  const entry = rateLimitStore.get(key);
-  if (!entry || entry.resetTime < now) {
-    rateLimitStore.set(key, { count: 1, resetTime: now + config.windowMs });
-    return {
-      allowed: true,
-      remaining: config.maxRequests - 1,
-      resetTime: now + config.windowMs
-    };
-  }
-  if (entry.count >= config.maxRequests) {
-    return {
-      allowed: false,
-      remaining: 0,
-      resetTime: entry.resetTime
-    };
+// src/audit.ts
+var AuditSystem = class {
+  storage;
+  filters = [];
+  constructor(storage) {
+    this.storage = storage;
   }
-  entry.count++;
-  rateLimitStore.set(key, entry);
-  return {
-    allowed: true,
-    remaining: config.maxRequests - entry.count,
-    resetTime: entry.resetTime
-  };
-}
-function generateRateLimitKey(userId, action) {
-  return `rate_limit:${action}:${userId}`;
-}
-function generateIPRateLimitKey(ip, action) {
-  return `rate_limit:${action}:ip:${ip}`;
-}
-async function validateCSRFToken(token, sessionToken) {
-  return token === sessionToken && token.length > 0;
-}
-function sanitizeInput(input) {
-  return input.replace(/<script\b[^<]*(?:(?!<\/script>)<[^<]*)*<\/script>/gi, "").replace(/on\w+\s*=\s*["'][^"']*["']/gi, "").replace(/javascript:/gi, "").trim();
-}
-function validateAndSanitizeInput(input, schema) {
-  try {
-    const validation = schema.safeParse(input);
-    if (!validation.success) {
-      return {
-        success: false,
-        error: validation.error.issues.map((i) => i.message).join(", ")
-      };
-    }
-    const sanitized = sanitizeObject(validation.data);
-    return {
-      success: true,
-      data: sanitized
-    };
-  } catch (error) {
-    return {
-      success: false,
-      error: error instanceof Error ? error.message : "Validation failed"
+  /**
+   * Log audit event
+   */
+  async log(event) {
+    const fullEvent = {
+      ...event,
+      id: crypto.randomUUID(),
+      timestamp: (/* @__PURE__ */ new Date()).toISOString()
     };
-  }
-}
-function sanitizeObject(obj) {
-  if (typeof obj === "string") {
-    return sanitizeInput(obj);
-  }
-  if (Array.isArray(obj)) {
-    return obj.map(sanitizeObject);
-  }
-  if (obj && typeof obj === "object") {
-    const sanitized = {};
-    for (const [key, value] of Object.entries(obj)) {
-      sanitized[key] = sanitizeObject(value);
+    const shouldLog = this.filters.every((filter) => filter(fullEvent));
+    if (!shouldLog) {
+      return;
     }
-    return sanitized;
-  }
-  return obj;
-}
-var SECURITY_HEADERS = {
-  "X-Content-Type-Options": "nosniff",
-  "X-Frame-Options": "DENY",
-  "X-XSS-Protection": "1; mode=block",
-  "Referrer-Policy": "strict-origin-when-cross-origin",
-  "Permissions-Policy": "camera=(), microphone=(), geolocation=()"
-};
-function logSecurityEvent(event, details, severity = "medium") {
-  console.log(`[SECURITY-${severity.toUpperCase()}] ${event}:`, {
-    timestamp: (/* @__PURE__ */ new Date()).toISOString(),
-    severity,
-    ...details
-  });
-}
-// src/RateLimiterService.ts
-var devLogger = {
-  debug: (...args) => console.debug("[security]", ...args),
-  info: (...args) => console.log("[security]", ...args),
-  warn: (...args) => console.warn("[security]", ...args),
-  error: (...args) => console.error("[security]", ...args),
-  forService: (_name) => ({
-    debug: (...args) => console.debug("[security]", ...args),
-    info: (...args) => console.log("[security]", ...args),
-    warn: (...args) => console.warn("[security]", ...args),
-    error: (...args) => console.error("[security]", ...args)
-  })
-};
-var RateLimiterService = class {
-  config;
-  inMemoryStore = /* @__PURE__ */ new Map();
-  cleanupInterval = null;
-  constructor(config) {
-    this.config = {
-      windowMs: config.windowMs ?? 15 * 60 * 1e3,
-      // 15 minutes
-      maxRequests: config.maxRequests ?? 100,
-      skipSuccessfulRequests: config.skipSuccessfulRequests ?? false,
-      skipFailedRequests: config.skipFailedRequests ?? false,
-      standardHeaders: config.standardHeaders ?? true,
-      legacyHeaders: config.legacyHeaders ?? false
-    };
-    this.startCleanupInterval();
-  }
-  setPayload(_payload) {
+    await this.storage.write(fullEvent);
   }
   /**
-   * Check rate limit using token bucket algorithm
+   * Log authentication event
    */
-  checkTokenBucket(key, tokens = 1, capacity = 10, refillRate = 1, refillTime = 100) {
-    try {
-      const now = Date.now();
-      const bucketKey = `rate_limit:token_bucket:${key}`;
-      const current = this.inMemoryStore.get(bucketKey);
-      let currentTokens = capacity;
-      let lastRefill = now;
-      if (current) {
-        currentTokens = current.count;
-        lastRefill = current.lastRequestTime;
-      }
-      const timePassed = now - lastRefill;
-      const refillAmount = Math.floor(timePassed / refillTime) * refillRate;
-      currentTokens = Math.min(capacity, currentTokens + refillAmount);
-      if (currentTokens >= tokens) {
-        currentTokens = currentTokens - tokens;
-        this.inMemoryStore.set(bucketKey, {
-          count: currentTokens,
-          resetTime: now + refillTime,
-          lastRequestTime: now
-        });
-        devLogger.debug("Rate limit check", {
-          key,
-          algorithm: "token_bucket",
-          allowed: true,
-          remaining: currentTokens,
-          resetTime: now + refillTime,
-          tokens,
-          capacity,
-          refillRate
-        });
-        return {
-          allowed: true,
-          remaining: currentTokens,
-          resetTime: now + refillTime
-        };
-      }
-      const resetTime = lastRefill + refillTime;
-      devLogger.warn("Rate limit blocked", {
-        key,
-        algorithm: "token_bucket",
-        remaining: currentTokens,
-        resetTime,
-        tokens
-      });
-      return {
-        allowed: false,
-        remaining: currentTokens,
-        resetTime,
-        retryAfter: Math.ceil((resetTime - now) / 1e3)
-      };
-    } catch (error) {
-      devLogger.error("Rate limiter error", error instanceof Error ? error : void 0, {
-        key,
-        algorithm: "token_bucket",
-        error: error instanceof Error ? error.message : "Unknown error"
-      });
-      return {
-        allowed: true,
-        remaining: capacity,
-        resetTime: Date.now() + refillTime
-      };
-    }
+  async logAuth(type, actorId, result, metadata) {
+    await this.log({
+      type,
+      severity: result === "failure" ? "medium" : "low",
+      actor: {
+        id: actorId,
+        type: "user"
+      },
+      action: type.replace("auth.", ""),
+      result,
+      metadata
+    });
   }
   /**
-   * Check rate limit using sliding window algorithm
+   * Log data access event
    */
-  checkSlidingWindow(key, windowMs = this.config.windowMs, maxRequests = this.config.maxRequests) {
-    try {
-      const now = Date.now();
-      const windowKey = `rate_limit:sliding_window:${key}`;
-      const current = this.inMemoryStore.get(windowKey);
-      let requests = [];
-      if (current) {
-        requests = [current.count];
-      }
-      const windowStart = now - windowMs;
-      requests = requests.filter((timestamp) => timestamp >= windowStart);
-      if (requests.length < maxRequests) {
-        requests.push(now);
-        this.inMemoryStore.set(windowKey, {
-          count: requests.length,
-          resetTime: now + windowMs,
-          lastRequestTime: now
-        });
-        devLogger.debug("Rate limit check", {
-          key,
-          algorithm: "sliding_window",
-          allowed: true,
-          remaining: maxRequests - requests.length,
-          resetTime: now + windowMs
-        });
-        return {
-          allowed: true,
-          remaining: maxRequests - requests.length,
-          resetTime: now + windowMs
-        };
-      }
-      const oldest = Math.min(...requests);
-      const resetTime = oldest + windowMs;
-      devLogger.warn("Rate limit blocked", {
-        key,
-        algorithm: "sliding_window",
-        remaining: 0,
-        resetTime
-      });
-      return {
-        allowed: false,
-        remaining: 0,
-        resetTime,
-        retryAfter: Math.ceil((resetTime - now) / 1e3)
-      };
-    } catch (error) {
-      devLogger.error("Rate limiter error", error instanceof Error ? error : void 0, {
-        key,
-        algorithm: "sliding_window",
-        error: error instanceof Error ? error.message : "Unknown error"
-      });
-      return {
-        allowed: true,
-        remaining: maxRequests,
-        resetTime: Date.now() + windowMs
-      };
-    }
+  async logDataAccess(action, actorId, resourceType, resourceId, result, changes) {
+    await this.log({
+      type: `data.${action}`,
+      severity: action === "delete" ? "high" : "medium",
+      actor: {
+        id: actorId,
+        type: "user"
+      },
+      resource: {
+        type: resourceType,
+        id: resourceId
+      },
+      action,
+      result,
+      changes
+    });
   }
   /**
-   * Check rate limit using leaky bucket algorithm
+   * Log permission change
    */
-  checkLeakyBucket(key, capacity = 10, leakRate = 1, leakTime = 100) {
-    try {
-      const now = Date.now();
-      const bucketKey = `rate_limit:leaky_bucket:${key}`;
-      const current = this.inMemoryStore.get(bucketKey);
-      let currentLevel = 0;
-      let lastLeak = now;
-      if (current) {
-        currentLevel = current.count;
-        lastLeak = current.lastRequestTime;
-      }
-      const timePassed = now - lastLeak;
-      const leakAmount = Math.floor(timePassed / leakTime) * leakRate;
-      currentLevel = Math.max(0, currentLevel - leakAmount);
-      if (currentLevel < capacity) {
-        currentLevel++;
-        this.inMemoryStore.set(bucketKey, {
-          count: currentLevel,
-          resetTime: now + leakTime,
-          lastRequestTime: now
-        });
-        devLogger.debug("Rate limit check", {
-          key,
-          algorithm: "leaky_bucket",
-          allowed: true,
-          remaining: capacity - currentLevel,
-          resetTime: now + leakTime
-        });
-        return {
-          allowed: true,
-          remaining: capacity - currentLevel,
-          resetTime: now + leakTime
-        };
+  async logPermissionChange(action, actorId, targetUserId, permission, result) {
+    await this.log({
+      type: `permission.${action}`,
+      severity: "high",
+      actor: {
+        id: actorId,
+        type: "user"
+      },
+      resource: {
+        type: "user",
+        id: targetUserId
+      },
+      action,
+      result,
+      metadata: {
+        permission
       }
-      const resetTime = lastLeak + leakTime;
-      devLogger.warn("Rate limit blocked", {
-        key,
-        algorithm: "leaky_bucket",
-        remaining: 0,
-        resetTime
-      });
-      return {
-        allowed: false,
-        remaining: 0,
-        resetTime,
-        retryAfter: Math.ceil((resetTime - now) / 1e3)
-      };
-    } catch (error) {
-      devLogger.error("Rate limiter error", error instanceof Error ? error : void 0, {
-        key,
-        algorithm: "leaky_bucket",
-        error: error instanceof Error ? error.message : "Unknown error"
-      });
-      return {
-        allowed: true,
-        remaining: capacity,
-        resetTime: Date.now() + leakTime
-      };
-    }
+    });
   }
   /**
-   * Reset rate limit for a key
+   * Log security event
    */
-  resetRateLimit(key) {
-    const patterns = [
-      `rate_limit:token_bucket:${key}`,
-      `rate_limit:sliding_window:${key}`,
-      `rate_limit:leaky_bucket:${key}`
-    ];
-    for (const pattern of patterns) {
-      this.inMemoryStore.delete(pattern);
-    }
-    devLogger.debug("Rate limit reset", { key });
+  async logSecurityEvent(type, severity, actorId, message, metadata) {
+    await this.log({
+      type: `security.${type}`,
+      severity,
+      actor: {
+        id: actorId,
+        type: "user"
+      },
+      action: type,
+      result: "failure",
+      message,
+      metadata
+    });
   }
   /**
-   * Get current rate limit state
+   * Log GDPR event
    */
-  getRateLimitState(key) {
-    const patterns = [
-      `rate_limit:token_bucket:${key}`,
-      `rate_limit:sliding_window:${key}`,
-      `rate_limit:leaky_bucket:${key}`
-    ];
-    for (const pattern of patterns) {
-      const state = this.inMemoryStore.get(pattern);
-      if (state) {
-        return state;
-      }
-    }
-    return null;
+  async logGDPREvent(type, actorId, result, metadata) {
+    await this.log({
+      type: `gdpr.${type}`,
+      severity: "high",
+      actor: {
+        id: actorId,
+        type: "user"
+      },
+      action: type,
+      result,
+      metadata
+    });
   }
   /**
-   * Update rate limit state
+   * Query audit logs
    */
-  updateRateLimitState(key, state) {
-    this.inMemoryStore.set(key, state);
+  async query(query) {
+    return this.storage.query(query);
   }
   /**
-   * Get rate limiter statistics
+   * Count audit logs
    */
-  getStats() {
-    return {
-      totalKeys: this.inMemoryStore.size,
-      memoryUsage: this.inMemoryStore.size
-    };
+  async count(query) {
+    return this.storage.count(query);
   }
   /**
-   * Clean up expired entries
+   * Add filter
    */
-  cleanup() {
-    const now = Date.now();
-    const maxAge = 24 * 60 * 60 * 1e3;
-    for (const [key, state] of this.inMemoryStore.entries()) {
-      if (now - state.lastRequestTime > maxAge) {
-        this.inMemoryStore.delete(key);
-      }
-    }
-    devLogger.debug("Cleaned up expired rate limit entries", {
-      remaining: this.inMemoryStore.size
-    });
+  addFilter(filter) {
+    this.filters.push(filter);
   }
   /**
-   * Start cleanup interval
+   * Remove filter
    */
-  startCleanupInterval() {
-    if (this.cleanupInterval) {
-      clearInterval(this.cleanupInterval);
+  removeFilter(filter) {
+    const index = this.filters.indexOf(filter);
+    if (index > -1) {
+      this.filters.splice(index, 1);
     }
-    this.cleanupInterval = setInterval(
-      () => {
-        this.cleanup();
-      },
-      60 * 60 * 1e3
-    );
+  }
+};
+var InMemoryAuditStorage = class {
+  events = [];
+  maxEvents;
+  constructor(maxEvents = 1e4) {
+    this.maxEvents = maxEvents;
+  }
+  async write(event) {
+    this.events.push(event);
+    if (this.events.length > this.maxEvents) {
+      this.events.shift();
+    }
+  }
+  async query(query) {
+    let results = [...this.events];
+    if (query.types && query.types.length > 0) {
+      results = results.filter((e) => query.types?.includes(e.type));
+    }
+    if (query.actorId) {
+      results = results.filter((e) => e.actor.id === query.actorId);
+    }
+    if (query.resourceType) {
+      results = results.filter((e) => e.resource?.type === query.resourceType);
+    }
+    if (query.resourceId) {
+      results = results.filter((e) => e.resource?.id === query.resourceId);
+    }
+    if (query.startDate) {
+      const startDate = query.startDate;
+      results = results.filter((e) => new Date(e.timestamp) >= startDate);
+    }
+    if (query.endDate) {
+      const endDate = query.endDate;
+      results = results.filter((e) => new Date(e.timestamp) <= endDate);
+    }
+    if (query.severity && query.severity.length > 0) {
+      results = results.filter((e) => query.severity?.includes(e.severity));
+    }
+    if (query.result && query.result.length > 0) {
+      results = results.filter((e) => query.result?.includes(e.result));
+    }
+    results.sort((a, b) => new Date(b.timestamp).getTime() - new Date(a.timestamp).getTime());
+    const offset = query.offset || 0;
+    const limit = query.limit || 100;
+    return results.slice(offset, offset + limit);
+  }
+  async count(query) {
+    const results = await this.query({ ...query, limit: void 0, offset: void 0 });
+    return results.length;
   }
   /**
-   * Stop cleanup interval
+   * Clear all events
    */
-  stopCleanupInterval() {
-    if (this.cleanupInterval) {
-      clearInterval(this.cleanupInterval);
-      this.cleanupInterval = null;
-    }
+  clear() {
+    this.events = [];
   }
   /**
-   * Dispose of the service
+   * Get all events
    */
-  dispose() {
-    this.stopCleanupInterval();
-    this.inMemoryStore.clear();
+  getAll() {
+    return [...this.events];
   }
 };
-var getRateLimiterService = (config) => {
-  return new RateLimiterService(config ?? {});
-};
-// src/RateLimitingService.ts
-import { headers } from "next/headers";
-var RATE_LIMITS2 = { default: { limit: 100, windowMs: 6e4 } };
-var generateRateLimitKey2 = (id) => `rate:${id}`;
-var generateIPRateLimitKey2 = (ip) => `rate:ip:${ip}`;
-async function checkRateLimit2(_key, _limit, _windowMs) {
-  return { allowed: true, remaining: _limit, resetTime: Date.now() + _windowMs };
-}
-async function withRateLimit(action, config) {
-  return async (...args) => {
-    const headersList = await headers();
-    const ip = headersList.get("x-forwarded-for") ?? headersList.get("x-real-ip") ?? "unknown";
-    const key = config.customKey ?? (config.userId ? generateRateLimitKey2(config.userId) : generateIPRateLimitKey2(ip));
-    const rateLimitResult = await checkRateLimit2(
-      key,
-      RATE_LIMITS2[config.type].limit,
-      RATE_LIMITS2[config.type].windowMs
-    );
-    if (!rateLimitResult.allowed) {
-      throw new Error(
-        `Rate limit exceeded. Try again in ${Math.ceil((rateLimitResult.resetTime - Date.now()) / 1e3)} seconds.`
-      );
-    }
-    return await action(...args);
-  };
-}
-function RateLimited(type, userId) {
+function AuditTrail(type, action, options) {
   return (_target, _propertyKey, descriptor) => {
     const originalMethod = descriptor.value;
     descriptor.value = async function(...args) {
-      const headersList = await headers();
-      const ip = headersList.get("x-forwarded-for") ?? headersList.get("x-real-ip") ?? "unknown";
-      const key = userId ? generateRateLimitKey2(userId) : generateIPRateLimitKey2(ip);
-      const rateLimitResult = await checkRateLimit2(
-        key,
-        RATE_LIMITS2[type].limit,
-        RATE_LIMITS2[type].windowMs
-      );
-      if (!rateLimitResult.allowed) {
-        throw new Error(
-          `Rate limit exceeded. Try again in ${Math.ceil((rateLimitResult.resetTime - Date.now()) / 1e3)} seconds.`
-        );
+      const actorId = this.user?.id || "system";
+      const before = options?.captureChanges ? args[0] : void 0;
+      let result = "success";
+      let error;
+      try {
+        const returnValue = await originalMethod.apply(this, args);
+        if (this.audit) {
+          await this.audit.log({
+            type,
+            severity: options?.severity || "medium",
+            actor: {
+              id: actorId,
+              type: "user"
+            },
+            resource: options?.resourceType ? {
+              type: options.resourceType,
+              id: args[0]?.id || "unknown"
+            } : void 0,
+            action,
+            result,
+            changes: options?.captureChanges ? {
+              before,
+              after: returnValue
+            } : void 0
+          });
+        }
+        return returnValue;
+      } catch (err) {
+        result = "failure";
+        error = err;
+        if (this.audit) {
+          await this.audit.log({
+            type,
+            severity: "high",
+            actor: {
+              id: actorId,
+              type: "user"
+            },
+            resource: options?.resourceType ? {
+              type: options.resourceType,
+              id: args[0]?.id || "unknown"
+            } : void 0,
+            action,
+            result,
+            message: error.message
+          });
+        }
+        throw error;
       }
-      return await originalMethod.apply(this, args);
     };
     return descriptor;
   };
 }
-async function getClientIP() {
-  const headersList = await headers();
-  return headersList.get("x-forwarded-for") ?? headersList.get("x-real-ip") ?? "unknown";
-}
-async function isTrustedSource() {
-  const headersList = await headers();
-  const userAgent = headersList.get("user-agent") || "";
-  const origin = headersList.get("origin") || "";
-  const botPatterns = [/bot/i, /crawler/i, /spider/i, /scraper/i, /curl/i, /wget/i];
-  const isBot = botPatterns.some((pattern) => pattern.test(userAgent));
-  const trustedOrigins = [
-    process.env.NEXT_PUBLIC_APP_URL,
-    "http://localhost:3000",
-    "https://localhost:3000"
-  ].filter(Boolean);
-  const isTrustedOrigin = trustedOrigins.includes(origin);
-  return !isBot && isTrustedOrigin;
-}
-async function checkUserRateLimit(userId, action, customConfig) {
-  const config = { ...RATE_LIMITS2[action], ...customConfig };
-  const key = generateRateLimitKey2(userId);
-  return await checkRateLimit2(key, config.limit, config.windowMs);
-}
-async function checkAnonymousRateLimit(action, customConfig) {
-  const ip = await getClientIP();
-  const config = { ...RATE_LIMITS2[action], ...customConfig };
-  const key = generateIPRateLimitKey2(ip);
-  return await checkRateLimit2(key, config.limit, config.windowMs);
-}
-// src/CSRFService.ts
-import { createHmac, randomBytes } from "crypto";
-var CSRFService = class {
-  constructor(payload, options = {}) {
-    this.payload = payload;
-    this.options = {
-      algorithm: options.algorithm ?? "sha256",
-      encoding: options.encoding ?? "hex",
-      tokenLength: options.tokenLength ?? 32,
-      tokenExpiry: options.tokenExpiry ?? 24 * 60 * 60 * 1e3
-      // 24 hours
-    };
-  }
-  options;
-  async generateCsrfToken(sessionId) {
+function createAuditMiddleware(audit2, getUser) {
+  return async (request, next) => {
+    const user = getUser(request);
+    const startTime = Date.now();
     try {
-      const token = randomBytes(this.options.tokenLength);
-      const hmac = createHmac(this.options.algorithm, process.env.PAYLOAD_SECRET ?? "");
-      hmac.update(sessionId);
-      hmac.update(token);
-      const signature = hmac.digest(this.options.encoding);
-      const csrfToken = `${token.toString(this.options.encoding)}.${signature}`;
-      this.payload.logger.debug("CSRF token generated successfully");
-      return csrfToken;
+      const response = await next();
+      await audit2.log({
+        type: "data.read",
+        severity: "low",
+        actor: {
+          id: user.id,
+          type: "user",
+          ip: user.ip,
+          userAgent: user.userAgent
+        },
+        action: request.method,
+        result: "success",
+        metadata: {
+          path: request.url,
+          duration: Date.now() - startTime,
+          status: response.status
+        }
+      });
+      return response;
     } catch (error) {
-      this.payload.logger.error("Failed to generate CSRF token", error);
+      await audit2.log({
+        type: "data.read",
+        severity: "medium",
+        actor: {
+          id: user.id,
+          type: "user",
+          ip: user.ip,
+          userAgent: user.userAgent
+        },
+        action: request.method,
+        result: "failure",
+        message: error instanceof Error ? error.message : "Unknown error",
+        metadata: {
+          path: request.url,
+          duration: Date.now() - startTime
+        }
+      });
       throw error;
     }
-  }
-  async validateCsrfToken(token, sessionId) {
-    try {
-      const [tokenPart, signature] = token.split(".");
-      if (!tokenPart || !signature) {
-        this.payload.logger.warn("Invalid CSRF token format");
-        return false;
-      }
-      const hmac = createHmac(this.options.algorithm, process.env.PAYLOAD_SECRET ?? "");
-      hmac.update(sessionId);
-      hmac.update(Buffer.from(tokenPart, this.options.encoding));
-      const expectedSignature = hmac.digest(this.options.encoding);
-      const isValid = signature === expectedSignature;
-      if (isValid) {
-        this.payload.logger.debug("CSRF token validated successfully");
-      } else {
-        this.payload.logger.warn("CSRF token validation failed");
-      }
-      return isValid;
-    } catch (error) {
-      this.payload.logger.error("Failed to validate CSRF token", error);
-      return false;
-    }
-  }
-};
-// src/EncryptionService.ts
-import { InfrastructureService } from "@revealui/core";
-import {
-  createCipheriv,
-  createDecipheriv,
-  randomBytes as randomBytes2,
-  scrypt as scryptCallback
-} from "crypto";
-import { promisify } from "util";
-var scryptAsync = promisify(scryptCallback);
-function isAuthenticatedCipher(cipher) {
-  return typeof cipher.getAuthTag === "function";
-}
-function isAuthenticatedDecipher(decipher) {
-  return typeof decipher.setAuthTag === "function";
+  };
 }
-var EncryptionService = class extends InfrastructureService {
-  options;
-  constructor(payload, options = {}) {
-    super(payload, "EncryptionService");
-    this.options = {
-      algorithm: options.algorithm ?? "aes-256-gcm",
-      keyLength: options.keyLength ?? 32,
-      saltLength: options.saltLength ?? 16,
-      ivLength: options.ivLength ?? 12,
-      iterations: options.iterations ?? 1e5,
-      encoding: options.encoding ?? "hex"
-    };
+var AuditReportGenerator = class {
+  constructor(audit2) {
+    this.audit = audit2;
   }
   /**
-   * Encrypts data using the configured algorithm with comprehensive error handling.
+   * Generate security report
    */
-  async encrypt(data, customOptions) {
-    return this.executeInfrastructureOperation(async () => {
-      if (typeof data !== "string" || data.length === 0) {
-        throw new Error("Data to encrypt must be a non-empty string");
-      }
-      const effectiveOptions = { ...this.options, ...customOptions };
-      this.logger.debug("Starting data encryption", {
-        algorithm: effectiveOptions.algorithm,
-        dataLength: data.length,
-        serviceName: this.serviceName,
-        operation: "encrypt"
-      });
-      const salt = randomBytes2(effectiveOptions.saltLength);
-      const iv = randomBytes2(effectiveOptions.ivLength);
-      const key = await this.deriveKey(salt, effectiveOptions);
-      const cipher = createCipheriv(effectiveOptions.algorithm, key, iv);
-      const encrypted = Buffer.concat([cipher.update(data, "utf8"), cipher.final()]);
-      if (isAuthenticatedCipher(cipher) !== true) {
-        throw new Error("Cipher does not support authentication");
-      }
-      const authTag = cipher.getAuthTag();
-      const result = {
-        data: encrypted.toString(effectiveOptions.encoding),
-        metadata: {
-          algorithm: effectiveOptions.algorithm,
-          iv: iv.toString(effectiveOptions.encoding),
-          authTag: authTag.toString(effectiveOptions.encoding),
-          salt: salt.toString(effectiveOptions.encoding)
-        }
-      };
-      this.logger.debug("Data encrypted successfully", {
-        algorithm: effectiveOptions.algorithm,
-        originalLength: data.length,
-        encryptedLength: result.data.length,
-        serviceName: this.serviceName
-      });
-      return result;
-    }, "encrypt");
+  async generateSecurityReport(startDate, endDate) {
+    const allEvents = await this.audit.query({
+      startDate,
+      endDate
+    });
+    const securityViolations = allEvents.filter((e) => e.type.startsWith("security.")).length;
+    const failedLogins = allEvents.filter((e) => e.type === "auth.failed_login").length;
+    const permissionChanges = allEvents.filter((e) => e.type.startsWith("permission.")).length;
+    const dataExports = allEvents.filter((e) => e.type === "data.export").length;
+    const criticalEvents = allEvents.filter((e) => e.severity === "critical");
+    return {
+      totalEvents: allEvents.length,
+      securityViolations,
+      failedLogins,
+      permissionChanges,
+      dataExports,
+      criticalEvents
+    };
   }
   /**
-   * Decrypts data using the metadata provided with comprehensive validation.
+   * Generate user activity report
    */
-  async decrypt(encryptedData) {
-    return this.executeInfrastructureOperation(async () => {
-      if (!encryptedData || !encryptedData.data || !encryptedData.metadata) {
-        throw new Error("Invalid encrypted data structure");
-      }
-      const { data, metadata } = encryptedData;
-      const requiredFields = ["algorithm", "iv", "authTag", "salt"];
-      for (const field of requiredFields) {
-        const fieldValue = metadata[field];
-        if (fieldValue === void 0 || fieldValue === null || fieldValue === "") {
-          throw new Error(`Missing required encryption metadata field: ${field}`);
-        }
-      }
-      this.logger.debug("Starting data decryption", {
-        algorithm: metadata.algorithm,
-        encryptedLength: data.length,
-        serviceName: this.serviceName,
-        operation: "decrypt"
-      });
-      const key = await this.deriveKey(Buffer.from(metadata.salt, this.options.encoding), {
-        ...this.options,
-        algorithm: metadata.algorithm
-      });
-      const decipher = createDecipheriv(
-        metadata.algorithm,
-        key,
-        Buffer.from(metadata.iv, this.options.encoding)
-      );
-      if (isAuthenticatedDecipher(decipher) !== true) {
-        throw new Error("Decipher does not support authentication");
-      }
-      decipher.setAuthTag(Buffer.from(metadata.authTag, this.options.encoding));
-      const decrypted = Buffer.concat([
-        decipher.update(Buffer.from(data, this.options.encoding)),
-        decipher.final()
-      ]);
-      const result = decrypted.toString("utf8");
-      this.logger.debug("Data decrypted successfully", {
-        algorithm: metadata.algorithm,
-        encryptedLength: data.length,
-        decryptedLength: result.length,
-        serviceName: this.serviceName
-      });
-      return result;
-    }, "decrypt");
+  async generateUserActivityReport(userId, startDate, endDate) {
+    const events = await this.audit.query({
+      actorId: userId,
+      startDate,
+      endDate
+    });
+    const actionsByType = events.reduce(
+      (acc, event) => {
+        acc[event.type] = (acc[event.type] || 0) + 1;
+        return acc;
+      },
+      {}
+    );
+    const failedActions = events.filter((e) => e.result === "failure").length;
+    return {
+      totalActions: events.length,
+      actionsByType,
+      failedActions,
+      recentActions: events.slice(0, 10)
+    };
   }
   /**
-   * Encrypts multiple data items in batch with optimized processing.
+   * Generate compliance report
    */
-  async encryptBatch(dataItems, customOptions) {
-    return this.executeInfrastructureOperation(async () => {
-      if (!Array.isArray(dataItems) || dataItems.length === 0) {
-        throw new Error("Data items array must contain at least one item");
-      }
-      this.logger.info("Starting batch encryption", {
-        itemCount: dataItems.length,
-        serviceName: this.serviceName,
-        operation: "encryptBatch"
-      });
-      const successful = [];
-      const failed = [];
-      const encryptionPromises = dataItems.map(async (data) => {
-        try {
-          const result = await this.encrypt(data, customOptions);
-          if (result.success && result.data) {
-            successful.push(result.data);
-          } else {
-            failed.push({
-              data,
-              error: result.error ?? "Unknown encryption error"
-            });
-          }
-        } catch (error) {
-          failed.push({
-            data,
-            error: error instanceof Error ? error.message : "Unknown encryption error"
-          });
-        }
-      });
-      await Promise.allSettled(encryptionPromises);
-      this.logger.info("Batch encryption completed", {
-        totalItems: dataItems.length,
-        successful: successful.length,
-        failed: failed.length,
-        serviceName: this.serviceName
-      });
-      return { successful, failed };
-    }, "encryptBatch");
+  async generateComplianceReport(startDate, endDate) {
+    const events = await this.audit.query({
+      startDate,
+      endDate
+    });
+    const dataAccesses = events.filter((e) => e.type === "data.read").length;
+    const dataModifications = events.filter(
+      (e) => e.type === "data.update" || e.type === "data.create"
+    ).length;
+    const dataDeletions = events.filter((e) => e.type === "data.delete").length;
+    const gdprRequests = events.filter((e) => e.type.startsWith("gdpr.")).length;
+    const auditTrailComplete = this.checkAuditTrailContinuity(events);
+    return {
+      dataAccesses,
+      dataModifications,
+      dataDeletions,
+      gdprRequests,
+      auditTrailComplete
+    };
   }
   /**
-   * Generates cryptographically secure random data.
+   * Check audit trail continuity
    */
-  async generateRandomData(length = 32, encoding = "hex") {
-    return this.executeInfrastructureOperation(async () => {
-      if (length <= 0 || length > 1024) {
-        throw new Error("Random data length must be between 1 and 1024 bytes");
-      }
-      this.logger.debug("Generating random data", {
-        length,
-        encoding,
-        serviceName: this.serviceName,
-        operation: "generateRandomData"
-      });
-      const randomData = randomBytes2(length);
-      const result = randomData.toString(encoding);
-      this.logger.debug("Random data generated successfully", {
-        length,
-        encoding,
-        outputLength: result.length,
-        serviceName: this.serviceName
-      });
-      return result;
-    }, "generateRandomData");
+  checkAuditTrailContinuity(events) {
+    if (events.length === 0) return true;
+    const sorted = events.sort(
+      (a, b) => new Date(a.timestamp).getTime() - new Date(b.timestamp).getTime()
+    );
+    return sorted.length > 0;
   }
-  /**
-   * Validates the integrity of encrypted data by attempting decryption.
-   */
-  async validateEncryptedData(encryptedData) {
-    return this.executeInfrastructureOperation(async () => {
-      if (!encryptedData) {
-        throw new Error("Encrypted data is required");
-      }
-      this.logger.debug("Validating encrypted data integrity", {
-        algorithm: encryptedData.metadata.algorithm,
-        serviceName: this.serviceName,
-        operation: "validateEncryptedData"
-      });
-      try {
-        const decryptResult = await this.decrypt(encryptedData);
-        const valid = decryptResult.success && !!decryptResult.data;
-        this.logger.debug("Encrypted data validation completed", {
-          valid,
-          serviceName: this.serviceName
-        });
-        return valid ? { valid, error: void 0 } : {
-          valid,
-          error: decryptResult.error ?? "Decryption failed"
-        };
-      } catch (error) {
-        const errorMessage = error instanceof Error ? error.message : "Unknown validation error";
-        this.logger.debug("Encrypted data validation failed", {
-          error: errorMessage,
-          serviceName: this.serviceName
-        });
-        return { valid: false, error: errorMessage };
-      }
-    }, "validateEncryptedData");
+};
+var audit = new AuditSystem(new InMemoryAuditStorage());
+// src/auth.ts
+import { createHmac, timingSafeEqual } from "crypto";
+var OAuthProviders = {
+  google: {
+    authorizationUrl: "https://accounts.google.com/o/oauth2/v2/auth",
+    tokenUrl: "https://oauth2.googleapis.com/token",
+    userInfoUrl: "https://www.googleapis.com/oauth2/v2/userinfo",
+    scope: ["openid", "email", "profile"]
+  },
+  github: {
+    authorizationUrl: "https://github.com/login/oauth/authorize",
+    tokenUrl: "https://github.com/login/oauth/access_token",
+    userInfoUrl: "https://api.github.com/user",
+    scope: ["user:email"]
+  },
+  microsoft: {
+    authorizationUrl: "https://login.microsoftonline.com/common/oauth2/v2.0/authorize",
+    tokenUrl: "https://login.microsoftonline.com/common/oauth2/v2.0/token",
+    userInfoUrl: "https://graph.microsoft.com/v1.0/me",
+    scope: ["openid", "email", "profile"]
   }
-  /**
-   * Derives encryption key from password and salt using PBKDF2.
-   * @private
-   */
-  async deriveKey(salt, options = {}) {
-    const effectiveOptions = { ...this.options, ...options };
-    const secret = process.env.PAYLOAD_SECRET;
-    if (!secret || secret === "") {
-      throw new Error("PAYLOAD_SECRET environment variable is required for encryption");
-    }
-    return scryptAsync(secret, salt, effectiveOptions.keyLength);
+};
+var OAuthClient = class {
+  config;
+  constructor(config) {
+    this.config = {
+      ...OAuthProviders[config.provider],
+      ...config
+    };
   }
   /**
-   * @inheritdoc
+   * Get authorization URL
    */
-  async onInitialize() {
-    this.logger.info("Initializing EncryptionService", {
-      algorithm: this.options.algorithm,
-      keyLength: this.options.keyLength,
-      serviceName: this.serviceName
+  getAuthorizationUrl(state) {
+    const params = new URLSearchParams({
+      client_id: this.config.clientId,
+      redirect_uri: this.config.redirectUri,
+      response_type: "code",
+      scope: (this.config.scope || []).join(" ")
     });
-    if (!process.env.PAYLOAD_SECRET) {
-      throw new Error("PAYLOAD_SECRET environment variable is required for EncryptionService");
-    }
-    try {
-      const testData = "encryption-test-data";
-      const encrypted = await this.encrypt(testData);
-      if (!encrypted.success || !encrypted.data) {
-        throw new Error("Encryption test failed");
-      }
-      const decrypted = await this.decrypt(encrypted.data);
-      if (!decrypted.success || decrypted.data !== testData) {
-        throw new Error("Decryption test failed");
-      }
-      this.logger.debug("EncryptionService initialization test passed", {
-        serviceName: this.serviceName
-      });
-    } catch (error) {
-      throw new Error(
-        `EncryptionService initialization failed: ${error instanceof Error ? error.message : "Unknown error"}`
-      );
+    if (state) {
+      params.append("state", state);
     }
+    return `${this.config.authorizationUrl}?${params.toString()}`;
   }
   /**
-   * @inheritdoc
+   * Exchange code for token
    */
-  async onCleanup() {
-    this.logger.info("Cleaning up EncryptionService", {
-      serviceName: this.serviceName
+  async exchangeCodeForToken(code) {
+    if (!this.config.tokenUrl) throw new Error("tokenUrl is required for OAuth");
+    const response = await fetch(this.config.tokenUrl, {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/x-www-form-urlencoded"
+      },
+      body: new URLSearchParams({
+        client_id: this.config.clientId,
+        client_secret: this.config.clientSecret,
+        code,
+        grant_type: "authorization_code",
+        redirect_uri: this.config.redirectUri
+      })
     });
+    if (!response.ok) {
+      let detail = "";
+      try {
+        const body = await response.text();
+        detail = `: ${response.status} ${body.slice(0, 200)}`;
+      } catch {
+        detail = `: ${response.status}`;
+      }
+      throw new Error(`Failed to exchange code for token${detail}`);
+    }
+    return response.json();
   }
   /**
-   * @inheritdoc
+   * Get user info
    */
-  async onHealthCheck() {
-    try {
-      const testData = "health-check-data";
-      const encrypted = await this.encrypt(testData);
-      if (!encrypted.success || !encrypted.data) {
-        throw new Error("Health check encryption failed");
+  async getUserInfo(accessToken) {
+    if (!this.config.userInfoUrl) throw new Error("userInfoUrl is required for OAuth");
+    const response = await fetch(this.config.userInfoUrl, {
+      headers: {
+        // biome-ignore lint/style/useNamingConvention: HTTP header convention
+        Authorization: `Bearer ${accessToken}`
       }
-      const decrypted = await this.decrypt(encrypted.data);
-      if (!decrypted.success || decrypted.data !== testData) {
-        throw new Error("Health check decryption failed");
+    });
+    if (!response.ok) {
+      let detail = "";
+      try {
+        const body = await response.text();
+        detail = `: ${response.status} ${body.slice(0, 200)}`;
+      } catch {
+        detail = `: ${response.status}`;
       }
-    } catch (error) {
-      throw new Error(
-        `EncryptionService health check failed: ${error instanceof Error ? error.message : "Unknown error"}`
-      );
+      throw new Error(`Failed to fetch user info${detail}`);
     }
+    return response.json();
   }
 };
-// src/SecurityMonitoringService.ts
-var devLogger2 = {
-  info: (...args) => console.log("[security]", ...args),
-  warn: (...args) => console.warn("[security]", ...args),
-  error: (...args) => console.error("[security]", ...args)
-};
-var createSecurityEvent = (type, severity, message, options) => {
-  const baseEvent = {
-    id: crypto.randomUUID(),
-    type,
-    severity,
-    message,
-    timestamp: /* @__PURE__ */ new Date(),
-    ...options?.metadata ? { metadata: options.metadata } : {},
-    ...options?.userId !== void 0 ? { userId: options.userId } : {},
-    ...options?.ipAddress !== void 0 ? { ipAddress: options.ipAddress } : {},
-    ...options?.userAgent !== void 0 ? { userAgent: options.userAgent } : {}
-  };
-  return baseEvent;
-};
-var calculateSecurityMetrics = (events2) => {
-  if (events2.length === 0) {
-    return {
-      totalEvents: 0,
-      eventsByType: {},
-      eventsBySeverity: {},
-      averageResponseTime: 0
-    };
-  }
-  const eventsByType = events2.reduce((acc, event) => {
-    acc[event.type] = (acc[event.type] || 0) + 1;
-    return acc;
-  }, {});
-  const eventsBySeverity = events2.reduce((acc, event) => {
-    acc[event.severity] = (acc[event.severity] || 0) + 1;
-    return acc;
-  }, {});
-  const lastEventTime = events2.length > 0 ? new Date(Math.max(...events2.map((e) => e.timestamp.getTime()))) : void 0;
-  return {
-    totalEvents: events2.length,
-    eventsByType,
-    eventsBySeverity,
-    averageResponseTime: 0,
-    // Would be calculated from actual response times
-    ...lastEventTime !== void 0 ? { lastEventTime } : {}
-  };
-};
-var shouldTriggerAlert = (event, thresholds) => {
-  const now = /* @__PURE__ */ new Date();
-  const timeWindowStart = new Date(now.getTime() - thresholds.timeWindowMs);
-  const recentEvents = events.filter(
-    (event2) => event2.timestamp >= timeWindowStart && event2.timestamp <= now
-  );
-  const criticalCount = recentEvents.filter((e) => e.severity === "critical").length;
-  const highCount = recentEvents.filter((e) => e.severity === "high").length;
-  const mediumCount = recentEvents.filter((e) => e.severity === "medium").length;
-  if (criticalCount >= thresholds.criticalCount) return true;
-  if (highCount >= thresholds.highCount) return true;
-  if (mediumCount >= thresholds.mediumCount) return true;
-  if (event.severity === "critical") return true;
-  return false;
-};
-var createSecurityAlert = (event, alertType = "threshold_exceeded") => ({
-  id: crypto.randomUUID(),
-  type: alertType,
-  severity: event.severity,
-  message: `Security alert: ${event.message}`,
-  timestamp: /* @__PURE__ */ new Date(),
-  metadata: {
-    originalEventId: event.id,
-    originalEventType: event.type,
-    ...event.metadata
-  }
-});
-var filterEvents = (events2, criteria) => {
-  return events2.filter((event) => {
-    if (criteria.type && event.type !== criteria.type) return false;
-    if (criteria.severity && event.severity !== criteria.severity) return false;
-    if (criteria.userId && event.userId !== criteria.userId) return false;
-    if (criteria.timeRange) {
-      const eventTime = event.timestamp.getTime();
-      const startTime = criteria.timeRange.start.getTime();
-      const endTime = criteria.timeRange.end.getTime();
-      if (eventTime < startTime || eventTime > endTime) return false;
-    }
-    return true;
-  });
-};
-var events = [];
-var alerts = [];
-var addSecurityEvent = (event) => {
-  events.push(event);
-  devLogger2.info("Security event recorded", {
-    eventId: event.id,
-    type: event.type,
-    severity: event.severity,
-    message: event.message,
-    userId: event.userId,
-    timestamp: event.timestamp.toISOString()
+var PH_ITERATIONS = 1e5;
+var PH_KEY_LENGTH = 64;
+var PH_DIGEST = "sha512";
+async function hashPassword(password) {
+  const { pbkdf2, randomBytes: rb } = await import("crypto");
+  const salt = rb(16).toString("hex");
+  return new Promise((resolve, reject) => {
+    pbkdf2(password, salt, PH_ITERATIONS, PH_KEY_LENGTH, PH_DIGEST, (err, derivedKey) => {
+      if (err) reject(err);
+      else resolve(`${salt}:${derivedKey.toString("hex")}`);
+    });
   });
-  if (shouldTriggerAlert(event, {
-    criticalCount: 1,
-    highCount: 5,
-    mediumCount: 10,
-    timeWindowMs: 6e4
-    // 1 minute
-  })) {
-    const alert = createSecurityAlert(event);
-    alerts.push(alert);
-    devLogger2.warn("Security alert triggered", {
-      alertId: alert.id,
-      eventId: event.id,
-      severity: alert.severity,
-      message: alert.message
+}
+async function verifyPassword(password, storedHash) {
+  const { pbkdf2, timingSafeEqual: tse } = await import("crypto");
+  const [salt, hash] = storedHash.split(":");
+  if (!(salt && hash)) {
+    return false;
+  }
+  return new Promise((resolve, reject) => {
+    pbkdf2(password, salt, PH_ITERATIONS, PH_KEY_LENGTH, PH_DIGEST, (err, derivedKey) => {
+      if (err) reject(err);
+      else {
+        const derived = Buffer.from(derivedKey.toString("hex"), "utf-8");
+        const expected = Buffer.from(hash, "utf-8");
+        if (derived.length !== expected.length) {
+          resolve(false);
+        } else {
+          resolve(tse(derived, expected));
+        }
+      }
     });
-  }
+  });
+}
+var PasswordHasher = {
+  hash: hashPassword,
+  verify: verifyPassword
 };
-var getSecurityEvents = () => [...events];
-var getSecurityAlerts = () => [...alerts];
-var getSecurityMetrics = () => calculateSecurityMetrics(events);
-var clearSecurityData = () => {
-  events = [];
-  alerts = [];
+function base32Encode(buffer) {
+  const alphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567";
+  let result = "";
+  let bits = 0;
+  let value = 0;
+  for (const byte of buffer) {
+    if (byte === void 0) continue;
+    value = value << 8 | byte;
+    bits += 8;
+    while (bits >= 5) {
+      result += alphabet[value >>> bits - 5 & 31];
+      bits -= 5;
+    }
+  }
+  if (bits > 0) {
+    result += alphabet[value << 5 - bits & 31];
+  }
+  return result;
+}
+function totpHmac(key, message) {
+  const hmacDigest = createHmac("sha1", key).update(message).digest();
+  return new Uint8Array(hmacDigest);
+}
+function generateSecret() {
+  const crypto2 = globalThis.crypto;
+  if (!crypto2) {
+    throw new Error("Crypto API not available");
+  }
+  const buffer = new Uint8Array(20);
+  crypto2.getRandomValues(buffer);
+  return base32Encode(buffer);
+}
+function generateCode(secret, timestamp) {
+  const time = Math.floor((timestamp || Date.now()) / 3e4);
+  const hmacDigest = totpHmac(secret, time.toString());
+  const offset = hmacDigest[hmacDigest.length - 1] & 15;
+  const b0 = hmacDigest[offset] & 127;
+  const b1 = hmacDigest[offset + 1] & 255;
+  const b2 = hmacDigest[offset + 2] & 255;
+  const b3 = hmacDigest[offset + 3] & 255;
+  const code = (b0 << 24 | b1 << 16 | b2 << 8 | b3) % 1e6;
+  return code.toString().padStart(6, "0");
+}
+function verifyCode(secret, code, window = 1) {
+  const timestamp = Date.now();
+  for (let i = -window; i <= window; i++) {
+    const testTime = timestamp + i * 3e4;
+    const testCode = generateCode(secret, testTime);
+    if (testCode.length === code.length && timingSafeEqual(Buffer.from(testCode), Buffer.from(code))) {
+      return true;
+    }
+  }
+  return false;
+}
+var TwoFactorAuth = {
+  generateSecret,
+  generateCode,
+  verifyCode
 };
-var logAuthenticationEvent = (userId, success, options) => {
-  const eventOptions = {
-    userId,
-    ...options?.ipAddress !== void 0 ? { ipAddress: options.ipAddress } : {},
-    ...options?.userAgent !== void 0 ? { userAgent: options.userAgent } : {},
-    metadata: {
-      success,
-      ...options?.metadata
+// src/authorization.ts
+var AuthorizationSystem = class {
+  roles = /* @__PURE__ */ new Map();
+  policies = /* @__PURE__ */ new Map();
+  /**
+   * Register role
+   */
+  registerRole(role) {
+    this.roles.set(role.id, role);
+  }
+  /**
+   * Get role
+   */
+  getRole(roleId) {
+    return this.roles.get(roleId);
+  }
+  /**
+   * Register policy
+   */
+  registerPolicy(policy) {
+    this.policies.set(policy.id, policy);
+  }
+  /**
+   * Check if user has permission (RBAC)
+   */
+  hasPermission(userRoles, resource, action) {
+    const permissions = this.getUserPermissions(userRoles);
+    return permissions.some(
+      (permission) => this.matchesResource(permission.resource, resource) && this.matchesAction(permission.action, action)
+    );
+  }
+  /**
+   * Check access with policies (ABAC)
+   */
+  checkAccess(context, resource, action) {
+    if (this.hasPermission(context.user.roles, resource, action)) {
+      return { allowed: true };
     }
-  };
-  const event = createSecurityEvent(
-    "authentication",
-    success ? "low" : "high",
-    `Authentication ${success ? "successful" : "failed"} for user ${userId}`,
-    eventOptions
-  );
-  addSecurityEvent(event);
+    const applicablePolicies = this.getApplicablePolicies(resource, action, context);
+    applicablePolicies.sort((a, b) => (b.priority || 0) - (a.priority || 0));
+    for (const policy of applicablePolicies) {
+      if (this.evaluateConditions(policy.conditions || [], context)) {
+        return {
+          allowed: policy.effect === "allow",
+          reason: policy.effect === "deny" ? `Denied by policy: ${policy.name}` : void 0
+        };
+      }
+    }
+    return { allowed: false, reason: "No matching policy" };
+  }
+  /**
+   * Get all permissions for roles
+   */
+  getUserPermissions(roleIds) {
+    const permissions = [];
+    const visited = /* @__PURE__ */ new Set();
+    const addRolePermissions = (roleId) => {
+      if (visited.has(roleId)) return;
+      visited.add(roleId);
+      const role = this.roles.get(roleId);
+      if (!role) return;
+      permissions.push(...role.permissions);
+      if (role.inherits) {
+        role.inherits.forEach((inheritedRoleId) => {
+          addRolePermissions(inheritedRoleId);
+        });
+      }
+    };
+    roleIds.forEach(addRolePermissions);
+    return permissions;
+  }
+  /**
+   * Get applicable policies
+   */
+  getApplicablePolicies(resource, action, _context) {
+    return Array.from(this.policies.values()).filter((policy) => {
+      const resourceMatches = policy.resources.some((r) => this.matchesResource(r, resource));
+      const actionMatches = policy.actions.some((a) => this.matchesAction(a, action));
+      return resourceMatches && actionMatches;
+    });
+  }
+  /**
+   * Match resource pattern
+   */
+  matchesResource(pattern, resource) {
+    if (pattern === "*") return true;
+    if (pattern === resource) return true;
+    const regex = new RegExp(
+      `^${pattern.replace(/\./g, "\\.").replace(/\*/g, ".*").replace(/\?/g, ".")}$`
+    );
+    return regex.test(resource);
+  }
+  /**
+   * Match action pattern
+   */
+  matchesAction(pattern, action) {
+    if (pattern === "*") return true;
+    if (pattern === action) return true;
+    const regex = new RegExp(
+      `^${pattern.replace(/\./g, "\\.").replace(/\*/g, ".*").replace(/\?/g, ".")}$`
+    );
+    return regex.test(action);
+  }
+  /**
+   * Evaluate policy conditions
+   */
+  evaluateConditions(conditions, context) {
+    return conditions.every((condition) => {
+      const value = this.getContextValue(condition.field, context);
+      return this.evaluateCondition(condition, value);
+    });
+  }
+  /**
+   * Get value from context
+   */
+  getContextValue(field, context) {
+    const parts = field.split(".");
+    let value = context;
+    for (const part of parts) {
+      if (value && typeof value === "object" && part in value) {
+        value = value[part];
+      } else {
+        return void 0;
+      }
+    }
+    return value;
+  }
+  /**
+   * Evaluate single condition
+   */
+  evaluateCondition(condition, value) {
+    switch (condition.operator) {
+      case "eq":
+        return value === condition.value;
+      case "ne":
+        return value !== condition.value;
+      case "gt":
+        return typeof value === "number" && value > condition.value;
+      case "gte":
+        return typeof value === "number" && value >= condition.value;
+      case "lt":
+        return typeof value === "number" && value < condition.value;
+      case "lte":
+        return typeof value === "number" && value <= condition.value;
+      case "in":
+        return Array.isArray(condition.value) && condition.value.includes(value);
+      case "contains":
+        return typeof value === "string" && typeof condition.value === "string" && value.includes(condition.value);
+      default:
+        return false;
+    }
+  }
+  /**
+   * Check if user owns resource
+   */
+  ownsResource(userId, resource) {
+    return resource.owner === userId;
+  }
+  /**
+   * Clear all roles and policies
+   */
+  clear() {
+    this.roles.clear();
+    this.policies.clear();
+  }
 };
-var logAuthorizationEvent = (userId, resource, action, granted, options) => {
-  const eventOptions = {
-    userId,
-    ...options?.ipAddress !== void 0 ? { ipAddress: options.ipAddress } : {},
-    ...options?.userAgent !== void 0 ? { userAgent: options.userAgent } : {},
-    metadata: {
-      resource,
-      action,
-      granted,
-      ...options?.metadata
+var authorization = new AuthorizationSystem();
+var CommonRoles = {
+  owner: {
+    id: "owner",
+    name: "Owner",
+    description: "Full control \u2014 inherits admin",
+    permissions: [{ resource: "*", action: "*" }],
+    inherits: ["admin"]
+  },
+  admin: {
+    id: "admin",
+    name: "Administrator",
+    description: "Full system access",
+    permissions: [{ resource: "*", action: "*" }]
+  },
+  editor: {
+    id: "editor",
+    name: "Editor",
+    description: "Can read and modify content",
+    permissions: [
+      { resource: "content", action: "read" },
+      { resource: "content", action: "create" },
+      { resource: "content", action: "update" },
+      { resource: "profile", action: "read" },
+      { resource: "profile", action: "update" },
+      { resource: "sites", action: "read" },
+      { resource: "marketplace", action: "read" }
+    ]
+  },
+  viewer: {
+    id: "viewer",
+    name: "Viewer",
+    description: "Read-only access",
+    permissions: [
+      { resource: "content", action: "read" },
+      { resource: "profile", action: "read" },
+      { resource: "sites", action: "read" },
+      { resource: "public", action: "read" }
+    ]
+  },
+  agent: {
+    id: "agent",
+    name: "AI Agent",
+    description: "Can execute tasks and read content",
+    permissions: [
+      { resource: "tasks", action: "create" },
+      { resource: "tasks", action: "read" },
+      { resource: "content", action: "read" },
+      { resource: "rag", action: "read" },
+      { resource: "rag", action: "create" }
+    ]
+  },
+  contributor: {
+    id: "contributor",
+    name: "Contributor",
+    description: "Can suggest changes \u2014 create drafts but not publish or delete",
+    permissions: [
+      { resource: "content", action: "read" },
+      { resource: "content", action: "create" },
+      { resource: "profile", action: "read" },
+      { resource: "profile", action: "update" }
+    ]
+  }
+};
+var PermissionBuilder = class {
+  permission = {};
+  resource(resource) {
+    this.permission.resource = resource;
+    return this;
+  }
+  action(action) {
+    this.permission.action = action;
+    return this;
+  }
+  conditions(conditions) {
+    this.permission.conditions = conditions;
+    return this;
+  }
+  build() {
+    if (!(this.permission.resource && this.permission.action)) {
+      throw new Error("Resource and action are required");
     }
+    return this.permission;
+  }
+};
+var PolicyBuilder = class {
+  policy = {
+    effect: "allow",
+    resources: [],
+    actions: [],
+    conditions: []
   };
-  const event = createSecurityEvent(
-    "authorization",
-    granted ? "low" : "medium",
-    `Authorization ${granted ? "granted" : "denied"} for user ${userId} on ${resource}:${action}`,
-    eventOptions
-  );
-  addSecurityEvent(event);
+  id(id) {
+    this.policy.id = id;
+    return this;
+  }
+  name(name) {
+    this.policy.name = name;
+    return this;
+  }
+  allow() {
+    this.policy.effect = "allow";
+    return this;
+  }
+  deny() {
+    this.policy.effect = "deny";
+    return this;
+  }
+  resources(...resources) {
+    this.policy.resources = resources;
+    return this;
+  }
+  actions(...actions) {
+    this.policy.actions = actions;
+    return this;
+  }
+  condition(field, operator, value) {
+    if (!this.policy.conditions) {
+      this.policy.conditions = [];
+    }
+    this.policy.conditions.push({ field, operator, value });
+    return this;
+  }
+  priority(priority) {
+    this.policy.priority = priority;
+    return this;
+  }
+  build() {
+    if (!(this.policy.id && this.policy.name)) {
+      throw new Error("ID and name are required");
+    }
+    return this.policy;
+  }
 };
-var logDataAccessEvent = (userId, collection, operation, recordId, options) => {
-  const eventOptions = {
-    userId,
-    ...options?.ipAddress !== void 0 ? { ipAddress: options.ipAddress } : {},
-    ...options?.userAgent !== void 0 ? { userAgent: options.userAgent } : {},
-    metadata: {
-      collection,
-      operation,
-      recordId,
-      ...options?.metadata
+function RequirePermission(resource, action) {
+  return (_target, _propertyKey, descriptor) => {
+    const originalMethod = descriptor.value;
+    descriptor.value = function(...args) {
+      const userRoles = this.user?.roles || [];
+      if (!authorization.hasPermission(userRoles, resource, action)) {
+        throw new Error(`Permission denied: ${resource}:${action}`);
+      }
+      return originalMethod.apply(this, args);
+    };
+    return descriptor;
+  };
+}
+function RequireRole(requiredRole) {
+  return (_target, _propertyKey, descriptor) => {
+    const originalMethod = descriptor.value;
+    descriptor.value = function(...args) {
+      const userRoles = this.user?.roles || [];
+      if (!userRoles.includes(requiredRole)) {
+        throw new Error(`Role required: ${requiredRole}`);
+      }
+      return originalMethod.apply(this, args);
+    };
+    return descriptor;
+  };
+}
+function createAuthorizationMiddleware(getUser, resource, action) {
+  return (request, next) => {
+    const user = getUser(request);
+    if (!authorization.hasPermission(user.roles, resource, action)) {
+      throw new Error(`Permission denied: ${resource}:${action}`);
     }
+    return next();
   };
-  const event = createSecurityEvent(
-    "data_access",
-    operation === "delete" ? "medium" : "low",
-    `Data access: ${operation} on ${collection}${recordId ? ` (${recordId})` : ""} by user ${userId}`,
-    eventOptions
-  );
-  addSecurityEvent(event);
-};
-var getUserEvents = (userId) => filterEvents(events, { userId });
-var getEventsBySeverity = (severity) => filterEvents(events, { severity });
-var getEventsInTimeRange = (start, end) => filterEvents(events, { timeRange: { start, end } });
-var SecurityMonitoringService = {
-  // Event management
-  addEvent: addSecurityEvent,
-  getEvents: getSecurityEvents,
-  getUserEvents,
-  getEventsBySeverity,
-  getEventsInTimeRange,
-  // Alert management
-  getAlerts: getSecurityAlerts,
-  // Metrics
-  getMetrics: getSecurityMetrics,
-  // Utility functions
-  logAuthenticationEvent,
-  logAuthorizationEvent,
-  logDataAccessEvent,
-  // Testing utilities
-  clearData: clearSecurityData,
-  // Pure functions for composition
-  createEvent: createSecurityEvent,
-  createAlert: createSecurityAlert,
-  filterEvents,
-  calculateMetrics: calculateSecurityMetrics
+}
+function canAccessResource(userId, userRoles, resource, action) {
+  if (authorization.hasPermission(userRoles, resource.type, action)) {
+    return true;
+  }
+  if (authorization.ownsResource(userId, resource)) {
+    return true;
+  }
+  return false;
+}
+function checkAttributeAccess(context, resource, action, requiredAttributes) {
+  const { allowed } = authorization.checkAccess(context, resource, action);
+  if (!allowed) {
+    return false;
+  }
+  if (requiredAttributes) {
+    const userAttributes = context.user.attributes || {};
+    return Object.entries(requiredAttributes).every(
+      ([key, value]) => userAttributes[key] === value
+    );
+  }
+  return true;
+}
+var PermissionCache = class {
+  cache = /* @__PURE__ */ new Map();
+  ttl;
+  maxEntries;
+  constructor(ttl = 3e5, maxEntries = 1e4) {
+    this.ttl = ttl;
+    this.maxEntries = maxEntries;
+  }
+  /**
+   * Get cached permission
+   */
+  get(userId, resource, action) {
+    const key = this.getCacheKey(userId, resource, action);
+    const cached = this.cache.get(key);
+    if (!cached) {
+      return void 0;
+    }
+    if (Date.now() > cached.expiresAt) {
+      this.cache.delete(key);
+      return void 0;
+    }
+    return cached.allowed;
+  }
+  /**
+   * Set cached permission
+   */
+  set(userId, resource, action, allowed) {
+    const key = this.getCacheKey(userId, resource, action);
+    if (this.cache.size >= this.maxEntries) {
+      const now = Date.now();
+      for (const [k, v] of this.cache) {
+        if (now > v.expiresAt) this.cache.delete(k);
+      }
+      if (this.cache.size >= this.maxEntries) {
+        const excess = this.cache.size - this.maxEntries + 1;
+        const keys = this.cache.keys();
+        for (let i = 0; i < excess; i++) {
+          const next = keys.next();
+          if (!next.done) this.cache.delete(next.value);
+        }
+      }
+    }
+    this.cache.set(key, {
+      allowed,
+      expiresAt: Date.now() + this.ttl
+    });
+  }
+  /**
+   * Clear cache for user
+   */
+  clearUser(userId) {
+    for (const key of this.cache.keys()) {
+      if (key.startsWith(`${userId}:`)) {
+        this.cache.delete(key);
+      }
+    }
+  }
+  /**
+   * Clear all cache
+   */
+  clear() {
+    this.cache.clear();
+  }
+  /**
+   * Get cache key
+   */
+  getCacheKey(userId, resource, action) {
+    return `${userId}:${resource}:${action}`;
+  }
 };
+var permissionCache = new PermissionCache();
-// src/SecurityService.ts
-import { NextResponse } from "next/server";
-import { createHmac as createHmac2 } from "crypto";
-async function getPayloadClient() {
-  return { logger: console };
+// src/encryption.ts
+var DEFAULT_CONFIG = {
+  algorithm: "AES-GCM",
+  keySize: 256,
+  ivSize: 12
+};
+var EncryptionSystem = class {
+  config;
+  keys = /* @__PURE__ */ new Map();
+  constructor(config = {}) {
+    this.config = { ...DEFAULT_CONFIG, ...config };
+  }
+  /**
+   * Generate encryption key
+   */
+  async generateKey(keyId) {
+    const crypto2 = globalThis.crypto;
+    if (!crypto2) {
+      throw new Error("Crypto API not available");
+    }
+    const key = await crypto2.subtle.generateKey(
+      {
+        name: this.config.algorithm,
+        length: this.config.keySize
+      },
+      this.config.extractable ?? false,
+      // non-extractable by default — prevents key exfiltration
+      ["encrypt", "decrypt"]
+    );
+    if (keyId) {
+      this.keys.set(keyId, key);
+    }
+    return key;
+  }
+  /**
+   * Import key from raw data
+   */
+  async importKey(keyData, keyId) {
+    const crypto2 = globalThis.crypto;
+    if (!crypto2) {
+      throw new Error("Crypto API not available");
+    }
+    const key = await crypto2.subtle.importKey(
+      "raw",
+      keyData,
+      {
+        name: this.config.algorithm,
+        length: this.config.keySize
+      },
+      true,
+      ["encrypt", "decrypt"]
+    );
+    if (keyId) {
+      this.keys.set(keyId, key);
+    }
+    return key;
+  }
+  /**
+   * Export key to raw data
+   */
+  async exportKey(key) {
+    const crypto2 = globalThis.crypto;
+    if (!crypto2) {
+      throw new Error("Crypto API not available");
+    }
+    return crypto2.subtle.exportKey("raw", key);
+  }
+  /**
+   * Encrypt data
+   */
+  async encrypt(data, keyOrId) {
+    const crypto2 = globalThis.crypto;
+    if (!crypto2) {
+      throw new Error("Crypto API not available");
+    }
+    const key = typeof keyOrId === "string" ? this.keys.get(keyOrId) : keyOrId;
+    if (!key) {
+      throw new Error("Key not found");
+    }
+    const iv = crypto2.getRandomValues(new Uint8Array(this.config.ivSize || 12));
+    const encoder = new TextEncoder();
+    const encodedData = encoder.encode(data);
+    const encrypted = await crypto2.subtle.encrypt(
+      {
+        name: this.config.algorithm,
+        iv
+      },
+      key,
+      encodedData
+    );
+    const encryptedArray = new Uint8Array(encrypted);
+    const ivArray = new Uint8Array(iv);
+    return {
+      data: this.arrayBufferToBase64(encryptedArray),
+      iv: this.arrayBufferToBase64(ivArray),
+      algorithm: this.config.algorithm
+    };
+  }
+  /**
+   * Decrypt data
+   */
+  async decrypt(encryptedData, keyOrId) {
+    const crypto2 = globalThis.crypto;
+    if (!crypto2) {
+      throw new Error("Crypto API not available");
+    }
+    const key = typeof keyOrId === "string" ? this.keys.get(keyOrId) : keyOrId;
+    if (!key) {
+      throw new Error("Key not found");
+    }
+    const data = this.base64ToArrayBuffer(encryptedData.data);
+    const iv = this.base64ToArrayBuffer(encryptedData.iv);
+    const decrypted = await crypto2.subtle.decrypt(
+      {
+        name: encryptedData.algorithm,
+        iv
+      },
+      key,
+      data
+    );
+    const decoder = new TextDecoder();
+    return decoder.decode(decrypted);
+  }
+  /**
+   * Encrypt object
+   */
+  async encryptObject(obj, keyOrId) {
+    const json = JSON.stringify(obj);
+    return this.encrypt(json, keyOrId);
+  }
+  /**
+   * Decrypt object
+   */
+  async decryptObject(encryptedData, keyOrId) {
+    const json = await this.decrypt(encryptedData, keyOrId);
+    return JSON.parse(json);
+  }
+  /**
+   * Hash data
+   */
+  async hash(data, algorithm = "SHA-256") {
+    const crypto2 = globalThis.crypto;
+    if (!crypto2) {
+      throw new Error("Crypto API not available");
+    }
+    const encoder = new TextEncoder();
+    const encodedData = encoder.encode(data);
+    const hashBuffer = await crypto2.subtle.digest(algorithm, encodedData);
+    return this.arrayBufferToBase64(new Uint8Array(hashBuffer));
+  }
+  /**
+   * Generate random bytes
+   */
+  randomBytes(length) {
+    const crypto2 = globalThis.crypto;
+    if (!crypto2) {
+      throw new Error("Crypto API not available");
+    }
+    return crypto2.getRandomValues(new Uint8Array(length));
+  }
+  /**
+   * Generate random string
+   */
+  randomString(length, charset = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789") {
+    const maxValid = 256 - 256 % charset.length;
+    const result = [];
+    while (result.length < length) {
+      const bytes = this.randomBytes(length - result.length + 16);
+      for (const byte of bytes) {
+        if (byte < maxValid) {
+          result.push(charset[byte % charset.length]);
+          if (result.length === length) break;
+        }
+      }
+    }
+    return result.join("");
+  }
+  /**
+   * Convert ArrayBuffer to base64
+   */
+  arrayBufferToBase64(buffer) {
+    const bytes = Array.from(buffer);
+    const binary = bytes.map((byte) => String.fromCharCode(byte)).join("");
+    if (typeof btoa !== "undefined") {
+      return btoa(binary);
+    }
+    if (typeof Buffer !== "undefined") {
+      return Buffer.from(binary, "binary").toString("base64");
+    }
+    throw new Error("No base64 encoding available");
+  }
+  /**
+   * Convert base64 to ArrayBuffer
+   */
+  base64ToArrayBuffer(base64) {
+    let binary;
+    if (typeof atob !== "undefined") {
+      binary = atob(base64);
+    } else if (typeof Buffer !== "undefined") {
+      binary = Buffer.from(base64, "base64").toString("binary");
+    } else {
+      throw new Error("No base64 decoding available");
+    }
+    const bytes = new Uint8Array(binary.length);
+    for (let i = 0; i < binary.length; i++) {
+      bytes[i] = binary.charCodeAt(i);
+    }
+    return bytes;
+  }
+  /**
+   * Store key
+   */
+  storeKey(keyId, key) {
+    this.keys.set(keyId, key);
+  }
+  /**
+   * Get key
+   */
+  getKey(keyId) {
+    return this.keys.get(keyId);
+  }
+  /**
+   * Remove key
+   */
+  removeKey(keyId) {
+    this.keys.delete(keyId);
+  }
+  /**
+   * Clear all keys
+   */
+  clearKeys() {
+    this.keys.clear();
+  }
+};
+var encryption = new EncryptionSystem();
+var FieldEncryption = class {
+  encryption;
+  key = null;
+  constructor(encryption2) {
+    this.encryption = encryption2;
+  }
+  /**
+   * Initialize with key
+   */
+  async initialize(key) {
+    this.key = key;
+  }
+  /**
+   * Encrypt field
+   */
+  async encryptField(value) {
+    if (!this.key) {
+      throw new Error("Encryption not initialized");
+    }
+    const stringValue = typeof value === "string" ? value : JSON.stringify(value);
+    return this.encryption.encrypt(stringValue, this.key);
+  }
+  /**
+   * Decrypt field
+   */
+  async decryptField(encryptedData) {
+    if (!this.key) {
+      throw new Error("Encryption not initialized");
+    }
+    const decrypted = await this.encryption.decrypt(encryptedData, this.key);
+    try {
+      return JSON.parse(decrypted);
+    } catch {
+      return decrypted;
+    }
+  }
+  /**
+   * Encrypt object fields
+   */
+  async encryptFields(obj, fields) {
+    const result = { ...obj };
+    for (const field of fields) {
+      if (field in result) {
+        result[field] = await this.encryptField(result[field]);
+      }
+    }
+    return result;
+  }
+  /**
+   * Decrypt object fields
+   */
+  async decryptFields(obj, fields) {
+    const result = { ...obj };
+    for (const field of fields) {
+      if (field in result && typeof result[field] === "object" && result[field] !== null) {
+        const encryptedData = result[field];
+        if ("data" in encryptedData && "iv" in encryptedData) {
+          result[field] = await this.decryptField(encryptedData);
+        }
+      }
+    }
+    return result;
+  }
+};
+var KeyRotationManager = class {
+  encryption;
+  currentKeyId;
+  oldKeys = /* @__PURE__ */ new Map();
+  keyCreationDates = /* @__PURE__ */ new Map();
+  constructor(encryption2, initialKeyId) {
+    this.encryption = encryption2;
+    this.currentKeyId = initialKeyId;
+    this.keyCreationDates.set(initialKeyId, /* @__PURE__ */ new Date());
+  }
+  /**
+   * Rotate to new key
+   */
+  async rotate(newKeyId, newKey) {
+    const oldKey = this.encryption.getKey(this.currentKeyId);
+    if (oldKey) {
+      this.oldKeys.set(this.currentKeyId, oldKey);
+    }
+    this.encryption.storeKey(newKeyId, newKey);
+    this.currentKeyId = newKeyId;
+    this.keyCreationDates.set(newKeyId, /* @__PURE__ */ new Date());
+  }
+  /**
+   * Re-encrypt data with new key
+   */
+  async reencrypt(encryptedData, oldKeyId) {
+    const oldKey = this.oldKeys.get(oldKeyId) || this.encryption.getKey(oldKeyId);
+    const newKey = this.encryption.getKey(this.currentKeyId);
+    if (!(oldKey && newKey)) {
+      throw new Error("Keys not found");
+    }
+    const decrypted = await this.encryption.decrypt(encryptedData, oldKey);
+    return this.encryption.encrypt(decrypted, newKey);
+  }
+  /**
+   * Get current key ID
+   */
+  getCurrentKeyId() {
+    return this.currentKeyId;
+  }
+  /**
+   * Clean up old keys created before the specified date.
+   * Never removes the current active key.
+   */
+  cleanupOldKeys(olderThan) {
+    for (const [keyId, createdAt] of this.keyCreationDates.entries()) {
+      if (keyId !== this.currentKeyId && createdAt < olderThan) {
+        this.oldKeys.delete(keyId);
+        this.encryption.removeKey(keyId);
+        this.keyCreationDates.delete(keyId);
+      }
+    }
+  }
+};
+var EnvelopeEncryption = class {
+  encryption;
+  masterKey;
+  constructor(encryption2, masterKey) {
+    this.encryption = encryption2;
+    this.masterKey = masterKey;
+  }
+  /**
+   * Encrypt with envelope encryption
+   */
+  async encrypt(data) {
+    const dek = await this.encryption.generateKey();
+    const encryptedData = await this.encryption.encrypt(data, dek);
+    const dekRaw = await this.encryption.exportKey(dek);
+    const dekBase64 = this.arrayBufferToBase64(new Uint8Array(dekRaw));
+    const encryptedKey = await this.encryption.encrypt(dekBase64, this.masterKey);
+    return { encryptedData, encryptedKey };
+  }
+  /**
+   * Decrypt with envelope encryption
+   */
+  async decrypt(encryptedData, encryptedKey) {
+    const dekBase64 = await this.encryption.decrypt(encryptedKey, this.masterKey);
+    const dekRaw = this.base64ToArrayBuffer(dekBase64);
+    const dek = await this.encryption.importKey(dekRaw.buffer);
+    return this.encryption.decrypt(encryptedData, dek);
+  }
+  arrayBufferToBase64(buffer) {
+    const bytes = Array.from(buffer);
+    const binary = bytes.map((byte) => String.fromCharCode(byte)).join("");
+    return typeof btoa !== "undefined" ? btoa(binary) : Buffer.from(binary, "binary").toString("base64");
+  }
+  base64ToArrayBuffer(base64) {
+    const binary = typeof atob !== "undefined" ? atob(base64) : Buffer.from(base64, "base64").toString("binary");
+    const bytes = new Uint8Array(binary.length);
+    for (let i = 0; i < binary.length; i++) {
+      bytes[i] = binary.charCodeAt(i);
+    }
+    return bytes;
+  }
+};
+function maskEmail(email) {
+  const [local, domain] = email.split("@");
+  if (!(local && domain)) return email;
+  const maskedLocal = local.length > 2 ? local[0] + "*".repeat(local.length - 2) + local[local.length - 1] : `${local[0]}*`;
+  return `${maskedLocal}@${domain}`;
+}
+function maskPhone(phone) {
+  const digits = phone.replace(/\D/g, "");
+  if (digits.length < 4) return phone;
+  const lastFour = digits.slice(-4);
+  const masked = "*".repeat(digits.length - 4) + lastFour;
+  return phone.replace(/\d/g, (char, index) => {
+    const digitIndex = phone.slice(0, index + 1).replace(/\D/g, "").length - 1;
+    return masked[digitIndex] || char;
+  });
 }
-var logger = {
-  info: (message, ...args) => console.log(`[SecurityService] ${message}`, ...args),
-  warn: (message, ...args) => console.warn(`[SecurityService] ${message}`, ...args),
-  error: (message, ...args) => console.error(`[SecurityService] ${message}`, ...args)
+function maskCreditCard(card) {
+  const digits = card.replace(/\D/g, "");
+  if (digits.length < 4) return card;
+  const lastFour = digits.slice(-4);
+  return `****-****-****-${lastFour}`;
+}
+function maskSSN(ssn) {
+  const digits = ssn.replace(/\D/g, "");
+  if (digits.length !== 9) return ssn;
+  return `***-**-${digits.slice(-4)}`;
+}
+function maskString(str, keepChars = 1) {
+  if (str.length <= keepChars * 2) {
+    return "*".repeat(str.length);
+  }
+  const prefix = str.slice(0, keepChars);
+  const suffix = str.slice(-keepChars);
+  const masked = "*".repeat(str.length - keepChars * 2);
+  return `${prefix}${masked}${suffix}`;
+}
+var DataMasking = {
+  maskEmail,
+  maskPhone,
+  maskCreditCard,
+  maskSSN,
+  maskString
 };
-async function securityMiddleware(req) {
-  const response = new NextResponse();
-  try {
-    const payload = await getPayloadClient();
-    payload.logger.info(`Security middleware started for ${req.method} ${req.url}`);
-  } catch {
-    logger.info(`Security middleware started for ${req.method} ${req.url}`);
-  }
-  response.headers.set("X-Content-Type-Options", "nosniff");
-  response.headers.set("X-Frame-Options", "DENY");
-  response.headers.set("X-XSS-Protection", "1; mode=block");
-  response.headers.set("Referrer-Policy", "strict-origin-when-cross-origin");
-  response.headers.set("Strict-Transport-Security", "max-age=31536000; includeSubDomains");
-  const isApiRoute = req.nextUrl.pathname.startsWith("/api");
-  const csp = isApiRoute ? "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'" : "default-src 'self'";
-  response.headers.set("Content-Security-Policy", csp);
-  try {
-    const payload = await getPayloadClient();
-    payload.logger.info("Security middleware completed");
-  } catch {
-    logger.info("Security middleware completed");
-  }
-  return;
+function generateToken(length = 32) {
+  const bytes = encryption.randomBytes(length);
+  return Array.from(bytes).map((b) => b.toString(16).padStart(2, "0")).join("");
 }
-function createSecurity(config) {
-  return {
-    generateCsrfToken(sessionId) {
-      return createHmac2("sha256", config.csrfSecret).update(sessionId).digest("hex");
-    },
-    isTokenExpired(exp) {
-      return Date.now() / 1e3 > exp;
-    },
-    getAccessTokenExpiry() {
-      return config.tokenExpiry.access;
-    },
-    getRefreshTokenExpiry() {
-      return config.tokenExpiry.refresh;
+function generateUUID() {
+  const crypto2 = globalThis.crypto;
+  if (!crypto2) {
+    throw new Error("Crypto API not available");
+  }
+  return crypto2.randomUUID();
+}
+function generateAPIKey(prefix = "sk") {
+  const token = generateToken(32);
+  return `${prefix}_${token}`;
+}
+function generateSessionID() {
+  return generateToken(64);
+}
+var TokenGenerator = {
+  generate: generateToken,
+  generateUUID,
+  generateAPIKey,
+  generateSessionID
+};
+// src/gdpr.ts
+import { createHash, createHmac as createHmac2 } from "crypto";
+// src/gdpr-storage.ts
+var InMemoryBreachStorage = class {
+  breaches = /* @__PURE__ */ new Map();
+  async setBreach(breach) {
+    this.breaches.set(breach.id, breach);
+  }
+  async getBreach(id) {
+    return this.breaches.get(id);
+  }
+  async getAllBreaches() {
+    return Array.from(this.breaches.values());
+  }
+  async updateBreach(id, updates) {
+    const existing = this.breaches.get(id);
+    if (existing) {
+      this.breaches.set(id, { ...existing, ...updates });
     }
-  };
+  }
+};
+var InMemoryGDPRStorage = class {
+  consents = /* @__PURE__ */ new Map();
+  deletionRequests = /* @__PURE__ */ new Map();
+  // ── Consent Records ──────────────────────────────────────────────
+  async setConsent(userId, type, record) {
+    this.consents.set(`${userId}:${type}`, record);
+  }
+  async getConsent(userId, type) {
+    return this.consents.get(`${userId}:${type}`);
+  }
+  async getConsentsByUser(userId) {
+    return Array.from(this.consents.values()).filter((c) => c.userId === userId);
+  }
+  async getAllConsents() {
+    return Array.from(this.consents.values());
+  }
+  // ── Deletion Requests ────────────────────────────────────────────
+  async setDeletionRequest(request) {
+    this.deletionRequests.set(request.id, request);
+  }
+  async getDeletionRequest(requestId) {
+    return this.deletionRequests.get(requestId);
+  }
+  async getDeletionRequestsByUser(userId) {
+    return Array.from(this.deletionRequests.values()).filter((r) => r.userId === userId);
+  }
+};
+// src/logger.ts
+var securityLogger = console;
+function configureSecurityLogger(logger) {
+  securityLogger = logger;
+}
+function getSecurityLogger() {
+  return securityLogger;
 }
-// src/SessionService.ts
-var logger2 = {
-  info: (message, ...args) => console.log(`[SessionService] ${message}`, ...args),
-  warn: (message, ...args) => console.warn(`[SessionService] ${message}`, ...args),
-  error: (message, ...args) => console.error(`[SessionService] ${message}`, ...args)
+// src/gdpr.ts
+var ConsentManager = class {
+  storage;
+  consentVersion = "1.0.0";
+  constructor(storage) {
+    this.storage = storage;
+  }
+  /**
+   * Grant consent
+   */
+  async grantConsent(userId, type, source = "explicit", expiresIn) {
+    const consent = {
+      id: crypto.randomUUID(),
+      userId,
+      type,
+      granted: true,
+      timestamp: (/* @__PURE__ */ new Date()).toISOString(),
+      expiresAt: expiresIn ? new Date(Date.now() + expiresIn).toISOString() : void 0,
+      source,
+      version: this.consentVersion
+    };
+    await this.storage.setConsent(userId, type, consent);
+    return consent;
+  }
+  /**
+   * Revoke consent
+   */
+  async revokeConsent(userId, type) {
+    const existing = await this.storage.getConsent(userId, type);
+    if (existing) {
+      existing.granted = false;
+      existing.timestamp = (/* @__PURE__ */ new Date()).toISOString();
+      await this.storage.setConsent(userId, type, existing);
+    }
+  }
+  /**
+   * Check if consent is granted
+   */
+  async hasConsent(userId, type) {
+    const consent = await this.storage.getConsent(userId, type);
+    if (!consent?.granted) {
+      return false;
+    }
+    if (consent.expiresAt && new Date(consent.expiresAt) < /* @__PURE__ */ new Date()) {
+      return false;
+    }
+    return true;
+  }
+  /**
+   * Get all consents for user
+   */
+  async getUserConsents(userId) {
+    return this.storage.getConsentsByUser(userId);
+  }
+  /**
+   * Update consent version
+   */
+  setConsentVersion(version) {
+    this.consentVersion = version;
+  }
+  /**
+   * Check if consent needs renewal
+   */
+  async needsRenewal(userId, type, maxAge) {
+    const consent = await this.storage.getConsent(userId, type);
+    if (!consent?.granted) {
+      return true;
+    }
+    const age = Date.now() - new Date(consent.timestamp).getTime();
+    return age >= maxAge;
+  }
+  /**
+   * Get consent statistics
+   */
+  async getStatistics() {
+    const consents = await this.storage.getAllConsents();
+    const now = /* @__PURE__ */ new Date();
+    const granted = consents.filter((c) => c.granted).length;
+    const revoked = consents.filter((c) => !c.granted).length;
+    const expired = consents.filter((c) => c.expiresAt && new Date(c.expiresAt) < now).length;
+    const byType = consents.reduce(
+      (acc, c) => {
+        acc[c.type] = (acc[c.type] || 0) + 1;
+        return acc;
+      },
+      {}
+    );
+    return {
+      total: consents.length,
+      granted,
+      revoked,
+      expired,
+      byType
+    };
+  }
 };
-var devLogger3 = {
-  info: (...args) => logger2.info(String(args[0]), ...args.slice(1)),
-  warn: (...args) => logger2.warn(String(args[0]), ...args.slice(1)),
-  error: (...args) => logger2.error(String(args[0]), ...args.slice(1)),
-  forService: (_name) => ({
-    info: (...args) => logger2.info(String(args[0]), ...args.slice(1)),
-    warn: (...args) => logger2.warn(String(args[0]), ...args.slice(1)),
-    error: (...args) => logger2.error(String(args[0]), ...args.slice(1))
-  })
+function escapeCsvField(value) {
+  let safe = /^[=+\-@\t\r]/.test(value) ? `'${value}` : value;
+  safe = safe.replace(/"/g, '""');
+  return `"${safe}"`;
+}
+var DataExportSystem = class {
+  /**
+   * Export user data
+   */
+  async exportUserData(userId, getUserData, format = "json") {
+    const data = await getUserData(userId);
+    const exportData = {
+      userId,
+      exportedAt: (/* @__PURE__ */ new Date()).toISOString(),
+      data: {
+        profile: data.profile,
+        activities: data.activities,
+        consents: data.consents,
+        dataProcessing: []
+      },
+      format
+    };
+    return exportData;
+  }
+  /**
+   * Format export as JSON
+   */
+  formatAsJSON(exportData) {
+    return JSON.stringify(exportData, null, 2);
+  }
+  /**
+   * Format export as CSV
+   */
+  formatAsCSV(exportData) {
+    const lines = [];
+    lines.push("Type,Key,Value");
+    Object.entries(exportData.data.profile).forEach(([key, value]) => {
+      lines.push(`Profile,${escapeCsvField(key)},${escapeCsvField(String(value))}`);
+    });
+    exportData.data.activities.forEach((activity, index) => {
+      Object.entries(activity).forEach(([key, value]) => {
+        lines.push(`Activity ${index + 1},${escapeCsvField(key)},${escapeCsvField(String(value))}`);
+      });
+    });
+    return lines.join("\n");
+  }
+  /**
+   * Create download link
+   */
+  createDownloadLink(content, _filename, mimeType) {
+    const blob = new Blob([content], { type: mimeType });
+    return URL.createObjectURL(blob);
+  }
 };
-async function getPayloadClient2() {
-  return {
-    logger: {
-      info: (...args) => logger2.info(String(args[0]), ...args.slice(1)),
-      warn: (...args) => logger2.warn(String(args[0]), ...args.slice(1)),
-      error: (...args) => logger2.error(String(args[0]), ...args.slice(1))
+var DataDeletionSystem = class {
+  storage;
+  constructor(storage) {
+    this.storage = storage;
+  }
+  /**
+   * Request data deletion
+   */
+  async requestDeletion(userId, dataCategories, reason) {
+    const request = {
+      id: crypto.randomUUID(),
+      userId,
+      requestedAt: (/* @__PURE__ */ new Date()).toISOString(),
+      status: "pending",
+      dataCategories,
+      reason
+    };
+    await this.storage.setDeletionRequest(request);
+    return request;
+  }
+  /**
+   * Process deletion request
+   */
+  async processDeletion(requestId, deleteData) {
+    const request = await this.storage.getDeletionRequest(requestId);
+    if (!request) {
+      throw new Error("Deletion request not found");
     }
+    request.status = "processing";
+    await this.storage.setDeletionRequest(request);
+    try {
+      const result = await deleteData(request.userId, request.dataCategories);
+      request.status = "completed";
+      request.processedAt = (/* @__PURE__ */ new Date()).toISOString();
+      request.deletedData = result.deleted;
+      request.retainedData = result.retained;
+      await this.storage.setDeletionRequest(request);
+    } catch (error) {
+      request.status = "failed";
+      await this.storage.setDeletionRequest(request);
+      throw error;
+    }
+  }
+  /**
+   * Get deletion request
+   */
+  async getRequest(requestId) {
+    return this.storage.getDeletionRequest(requestId);
+  }
+  /**
+   * Get user deletion requests
+   */
+  async getUserRequests(userId) {
+    return this.storage.getDeletionRequestsByUser(userId);
+  }
+  /**
+   * Check if data can be deleted
+   */
+  canDelete(_dataCategory, legalBasis) {
+    if (legalBasis === "legal_obligation" || legalBasis === "vital_interest") {
+      return false;
+    }
+    return true;
+  }
+  /**
+   * Calculate retention period
+   */
+  calculateRetentionEnd(createdAt, retentionPeriod) {
+    return new Date(createdAt.getTime() + retentionPeriod * 24 * 60 * 60 * 1e3);
+  }
+  /**
+   * Check if data should be deleted (retention period expired)
+   */
+  shouldDelete(createdAt, retentionPeriod) {
+    const retentionEnd = this.calculateRetentionEnd(createdAt, retentionPeriod);
+    return /* @__PURE__ */ new Date() > retentionEnd;
+  }
+};
+function hashValue(value) {
+  const digest = createHash("sha256").update(value).digest("hex");
+  return `hash_${digest}`;
+}
+function anonymizeUser(user) {
+  return {
+    ...user,
+    email: hashValue(user.email),
+    name: "Anonymous User",
+    phone: void 0,
+    address: void 0,
+    ip: void 0
   };
 }
-function generateUUID() {
-  if (typeof crypto !== "undefined" && crypto.randomUUID) {
-    return crypto.randomUUID();
-  }
-  return `xxxxxxxx-xxxx-4xxx-yxxx-xxxxxxxxxxxx`.replace(/[xy]/g, (c) => {
-    const r = Math.random() * 16 | 0;
-    const v = c === "x" ? r : r & 3 | 8;
-    return v.toString(16);
+function pseudonymize(value, key) {
+  const hmac = createHmac2("sha256", key).update(value).digest("hex");
+  return `pseudo_${hmac.substring(0, 16)}`;
+}
+function anonymizeDataset(data, sensitiveFields) {
+  return data.map((item) => {
+    const anonymized = { ...item };
+    sensitiveFields.forEach((field) => {
+      if (field in anonymized && typeof anonymized[field] === "string") {
+        anonymized[field] = hashValue(anonymized[field]);
+      }
+    });
+    return anonymized;
+  });
+}
+function checkKAnonymity(data, quasiIdentifiers, k) {
+  const groups = /* @__PURE__ */ new Map();
+  data.forEach((item) => {
+    const key = quasiIdentifiers.map((field) => String(item[field])).join("|");
+    groups.set(key, (groups.get(key) || 0) + 1);
   });
+  return Array.from(groups.values()).every((count) => count >= k);
 }
-var SessionRepository = class {
-  constructor(payload) {
-    this.payload = payload;
-    void this.payload;
+var DataAnonymization = {
+  anonymizeUser,
+  pseudonymize,
+  hashValue,
+  anonymizeDataset,
+  checkKAnonymity
+};
+var PrivacyPolicyManager = class {
+  policies = /* @__PURE__ */ new Map();
+  currentVersion = "1.0.0";
+  /**
+   * Add policy version
+   */
+  addPolicy(version, content, effectiveDate) {
+    this.policies.set(version, { version, content, effectiveDate });
+    this.currentVersion = version;
   }
-  sessions = /* @__PURE__ */ new Map();
-  createSessionId() {
-    try {
-      return generateUUID();
-    } catch {
-      return `session_${Date.now().toString(36)}`;
-    }
+  /**
+   * Get current policy
+   */
+  getCurrentPolicy() {
+    return this.policies.get(this.currentVersion);
   }
-  createToken() {
-    try {
-      return `token_${generateUUID()}`;
-    } catch {
-      return `token_${Date.now().toString(36)}`;
-    }
+  /**
+   * Get policy by version
+   */
+  getPolicy(version) {
+    return this.policies.get(version);
   }
-  async create(data) {
-    if (!data.userId) {
-      return {
-        success: false,
-        errors: [{ message: "userId is required", path: "create" }]
-      };
-    }
-    const now = /* @__PURE__ */ new Date();
-    const session = {
-      id: data.id ?? this.createSessionId(),
-      userId: data.userId,
-      token: data.token ?? this.createToken(),
-      expiresAt: data.expiresAt ? new Date(data.expiresAt) : new Date(now.getTime() + 1e3 * 60 * 60),
-      lastActiveAt: data.lastActiveAt ? new Date(data.lastActiveAt) : now,
-      isActive: data.isActive ?? true,
-      updatedAt: now,
-      createdAt: now,
-      ...data.device !== void 0 ? { device: data.device } : {}
-    };
-    this.sessions.set(session.id, session);
-    return { success: true, data: session };
-  }
-  async findById(id) {
-    const session = this.sessions.get(String(id));
-    if (!session) {
-      return {
-        success: false,
-        errors: [{ message: "Session not found", path: "findById" }]
-      };
-    }
-    return { success: true, data: session };
-  }
-  async delete(id) {
-    const key = String(id);
-    if (!this.sessions.has(key)) {
-      return {
-        success: false,
-        errors: [{ message: "Session not found", path: "delete" }]
-      };
-    }
-    this.sessions.delete(key);
-    return { success: true };
-  }
-  async revokeAllUserSessions(userId) {
-    let removed = false;
-    for (const [key, session] of this.sessions.entries()) {
-      if (session.userId === userId) {
-        this.sessions.delete(key);
-        removed = true;
-      }
-    }
-    if (!removed) {
-      return {
-        success: false,
-        errors: [{ message: "No sessions found for user", path: "revokeAllUserSessions" }]
-      };
-    }
-    return { success: true };
-  }
-  async findAll() {
-    return { success: true, data: Array.from(this.sessions.values()) };
-  }
-  async update(id, data) {
-    const existing = this.sessions.get(id);
-    if (!existing) {
-      return {
-        success: false,
-        errors: [{ message: "Session not found", path: "update" }]
-      };
-    }
-    const updated = {
-      ...existing,
-      ...data.userId !== void 0 ? { userId: data.userId } : {},
-      ...data.token !== void 0 ? { token: data.token } : {},
-      ...data.device !== void 0 ? { device: data.device } : {},
-      ...data.expiresAt !== void 0 ? { expiresAt: new Date(data.expiresAt) } : {},
-      ...data.lastActiveAt !== void 0 ? { lastActiveAt: new Date(data.lastActiveAt) } : {},
-      ...data.isActive !== void 0 ? { isActive: data.isActive } : {},
-      updatedAt: /* @__PURE__ */ new Date()
-    };
-    this.sessions.set(id, updated);
-    return { success: true, data: updated };
+  /**
+   * Check if user accepted current policy
+   */
+  hasAcceptedCurrent(userAcceptedVersion) {
+    return userAcceptedVersion === this.currentVersion;
+  }
+  /**
+   * Get all versions
+   */
+  getAllVersions() {
+    return Array.from(this.policies.keys());
   }
 };
-var SessionService = class {
-  repository = null;
-  constructor(repository) {
-    if (repository) {
-      this.repository = repository;
-    }
+var CookieConsentManager = class {
+  config = {
+    necessary: true,
+    functional: false,
+    analytics: false,
+    marketing: false
+  };
+  /**
+   * Set consent configuration
+   */
+  setConsent(config) {
+    this.config = { ...this.config, ...config };
+    this.saveToStorage();
   }
-  async getRepository() {
-    if (!this.repository) {
-      const payload = await getPayloadClient2();
-      this.repository = new SessionRepository(payload);
-    }
-    return this.repository;
+  /**
+   * Get consent configuration
+   */
+  getConsent() {
+    return { ...this.config };
   }
   /**
-   * Creates a new session for a user.
+   * Check if specific consent is granted
    */
-  async createSession(data) {
-    if (!data.userId || typeof data.userId !== "string") {
-      return {
-        success: false,
-        errors: [
-          {
-            message: "userId is required",
-            path: "userId"
-          }
-        ]
-      };
-    }
-    const repository = await this.getRepository();
-    const result = await repository.create(data);
-    if (!result.success) {
-      try {
-        const payload = await getPayloadClient2();
-        payload.logger.error("Failed to create session", {
-          errors: result.errors
-        });
-      } catch {
-        devLogger3.error("Failed to create session", { errors: result.errors });
-      }
-    }
-    return result;
+  hasConsent(type) {
+    return this.config[type];
   }
   /**
-   * Validates a session by ID, checks for expiration, and deletes if expired.
+   * Save to storage
    */
-  async validateSession(sessionId) {
-    try {
-      const repository = await this.getRepository();
-      const result = await repository.findById(sessionId);
-      if (!result.success || !result.data) {
-        try {
-          const payload = await getPayloadClient2();
-          payload.logger.warn("Invalid session", { sessionId, errors: result.errors });
-        } catch {
-          devLogger3.warn("Invalid session", { sessionId, errors: result.errors });
-        }
-        return {
-          success: false,
-          errors: result.errors ?? [{ message: "Session not found", path: "validateSession" }]
-        };
-      }
-      const session = result.data;
-      if (session.expiresAt.getTime() < Date.now()) {
-        await repository.delete(sessionId);
-        try {
-          const payload = await getPayloadClient2();
-          payload.logger.info("Session expired and deleted", { sessionId });
-        } catch {
-          devLogger3.info("Session expired and deleted", { sessionId });
-        }
-        return {
-          success: false,
-          errors: [{ message: "Session expired", path: "validateSession" }]
-        };
-      }
-      const userResult = { success: true, data: { id: session.userId } };
-      if (!userResult.success || !userResult.data) {
-        try {
-          const payload = await getPayloadClient2();
-          payload.logger.error("User not found for session", {
-            sessionId,
-            userId: session.userId
-          });
-        } catch {
-          devLogger3.error("User not found for session", {
-            sessionId,
-            userId: session.userId
-          });
-        }
-        return {
-          success: false,
-          errors: [{ message: "User not found for session", path: "validateSession" }]
-        };
-      }
-      return { success: true, data: session };
-    } catch (error) {
-      try {
-        const payload = await getPayloadClient2();
-        payload.logger.error("Session validation failed", { error });
-      } catch {
-        devLogger3.error("Session validation failed", { error });
-      }
-      return {
-        success: false,
-        errors: [{ message: "Session validation failed", path: "validateSession" }]
-      };
+  saveToStorage() {
+    if (typeof localStorage !== "undefined") {
+      localStorage.setItem("cookie-consent", JSON.stringify(this.config));
     }
   }
   /**
-   * Invalidates (deletes) a session by ID.
+   * Load from storage
    */
-  async invalidateSession(sessionId) {
-    try {
-      const repository = await this.getRepository();
-      const result = await repository.delete(sessionId);
-      if (!result.success) {
+  loadFromStorage() {
+    if (typeof localStorage !== "undefined") {
+      const stored = localStorage.getItem("cookie-consent");
+      if (stored) {
         try {
-          const payload = await getPayloadClient2();
-          payload.logger.error("Session invalidation failed", {
-            errors: result.errors
-          });
+          const parsed = JSON.parse(stored);
+          if (typeof parsed === "object" && parsed !== null) {
+            this.config = {
+              necessary: true,
+              // always required
+              analytics: typeof parsed.analytics === "boolean" ? parsed.analytics : false,
+              marketing: typeof parsed.marketing === "boolean" ? parsed.marketing : false,
+              functional: typeof parsed.functional === "boolean" ? parsed.functional : true
+            };
+          }
         } catch {
-          devLogger3.error("Session invalidation failed", {
-            errors: result.errors
-          });
         }
-        return result;
-      }
-      return result;
-    } catch (error) {
-      try {
-        const payload = await getPayloadClient2();
-        payload.logger.error("Session invalidation failed", { error });
-      } catch {
-        devLogger3.error("Session invalidation failed", { error });
       }
-      return {
-        success: false,
-        errors: [
-          {
-            message: "Session invalidation failed",
-            path: "invalidateSession"
-          }
-        ]
-      };
     }
   }
   /**
-   * Invalidates (deletes) all sessions for a user by userId.
+   * Clear consent
    */
-  async invalidateAllUserSessions(userId) {
-    try {
-      const repository = await this.getRepository();
-      const result = await repository.revokeAllUserSessions(userId);
-      if (!result.success) {
-        try {
-          const payload = await getPayloadClient2();
-          payload.logger.error("User sessions invalidation failed", {
-            errors: result.errors
-          });
-        } catch {
-          devLogger3.error("User sessions invalidation failed", {
-            errors: result.errors
-          });
-        }
-        return result;
-      }
-      return result;
-    } catch (error) {
-      try {
-        const payload = await getPayloadClient2();
-        payload.logger.error("User sessions invalidation failed", {
-          error
-        });
-      } catch {
-        devLogger3.error("User sessions invalidation failed", { error });
-      }
-      return {
-        success: false,
-        errors: [
-          {
-            message: "Failed to invalidate user sessions",
-            path: "invalidateAllUserSessions"
-          }
-        ]
-      };
+  clearConsent() {
+    this.config = {
+      necessary: true,
+      functional: false,
+      analytics: false,
+      marketing: false
+    };
+    if (typeof localStorage !== "undefined") {
+      localStorage.removeItem("cookie-consent");
     }
   }
-  async getSessionById(id) {
-    const repository = await this.getRepository();
-    const result = await repository.findById(id);
-    if (!result.success) {
-      try {
-        const payload = await getPayloadClient2();
-        payload.logger.warn("Session not found", {
-          errors: result.errors
-        });
-      } catch {
-        devLogger3.warn("Session not found", { errors: result.errors });
-      }
+};
+var DataBreachManager = class {
+  storage;
+  constructor(storage) {
+    if (storage) {
+      this.storage = storage;
+    } else {
+      getSecurityLogger().warn(
+        "DataBreachManager: using in-memory storage \u2014 breach records will be lost on restart. For production GDPR compliance, pass a database-backed BreachStorage."
+      );
+      this.storage = new InMemoryBreachStorage();
     }
-    return result;
   }
-  async getAllSessions() {
-    const repository = await this.getRepository();
-    const result = await repository.findAll();
-    if (!result.success) {
-      try {
-        const payload = await getPayloadClient2();
-        payload.logger.error("Failed to fetch sessions", {
-          errors: result.errors
-        });
-      } catch {
-        devLogger3.error("Failed to fetch sessions", {
-          errors: result.errors
-        });
-      }
+  /**
+   * Report data breach
+   */
+  async reportBreach(breach) {
+    const fullBreach = {
+      ...breach,
+      id: crypto.randomUUID(),
+      detectedAt: (/* @__PURE__ */ new Date()).toISOString(),
+      status: "detected"
+    };
+    await this.storage.setBreach(fullBreach);
+    if (fullBreach.severity === "critical") {
+      await this.notifyAuthorities(fullBreach);
     }
-    return result;
+    return fullBreach;
   }
-  async updateSession(id, data) {
-    const repository = await this.getRepository();
-    const result = await repository.update(id, data);
-    if (!result.success) {
-      try {
-        const payload = await getPayloadClient2();
-        payload.logger.error("Failed to update session", {
-          errors: result.errors
-        });
-      } catch {
-        devLogger3.error("Failed to update session", { errors: result.errors });
-      }
-    }
-    return result;
+  /**
+   * Notify authorities (required within 72 hours under GDPR)
+   */
+  async notifyAuthorities(breach) {
+    await this.storage.updateBreach(breach.id, {
+      reportedAt: (/* @__PURE__ */ new Date()).toISOString(),
+      status: "notified"
+    });
+    getSecurityLogger().info("Breach reported to authorities", { breachId: breach.id });
   }
-  async deleteSession(id) {
-    const repository = await this.getRepository();
-    const result = await repository.delete(id);
-    if (!result.success) {
-      try {
-        const payload = await getPayloadClient2();
-        payload.logger.error("Failed to delete session", {
-          errors: result.errors
-        });
-      } catch {
-        devLogger3.error("Failed to delete session", { errors: result.errors });
-      }
+  /**
+   * Notify affected users
+   */
+  async notifyAffectedUsers(breachId, notifyFn) {
+    const breach = await this.storage.getBreach(breachId);
+    if (!breach) {
+      throw new Error("Breach not found");
     }
-    return result;
+    for (const userId of breach.affectedUsers) {
+      await notifyFn(userId, breach);
+    }
+  }
+  /**
+   * Check if breach notification is required
+   */
+  requiresNotification(breach) {
+    return breach.severity === "high" || breach.severity === "critical" || breach.dataCategories.includes("sensitive") || breach.dataCategories.includes("financial");
+  }
+  /**
+   * Get breach
+   */
+  async getBreach(id) {
+    return this.storage.getBreach(id);
+  }
+  /**
+   * Get all breaches
+   */
+  async getAllBreaches() {
+    return this.storage.getAllBreaches();
   }
 };
-var sessionService = new SessionService();
+function createConsentManager(storage) {
+  return new ConsentManager(storage);
+}
+function createDataDeletionSystem(storage) {
+  return new DataDeletionSystem(storage);
+}
+var dataExportSystem = new DataExportSystem();
+var privacyPolicyManager = new PrivacyPolicyManager();
+var cookieConsentManager = new CookieConsentManager();
+function createDataBreachManager(storage) {
+  return new DataBreachManager(storage);
+}
+var dataBreachManager = new DataBreachManager();
-// src/TokenService.ts
-import { InfrastructureService as InfrastructureService2 } from "@revealui/core";
-var AppError = class extends Error {
-  constructor(code, message, cause) {
-    super(message);
-    this.code = code;
-    this.cause = cause;
-    this.name = "AppError";
-    if (cause) {
-      this.cause = cause;
-    }
+// src/headers.ts
+var SecurityHeaders = class {
+  config;
+  constructor(config = {}) {
+    this.config = config;
   }
-};
-var ErrorCode = {
-  TOKEN_INVALID: "TOKEN_INVALID",
-  TOKEN_EXPIRED: "TOKEN_EXPIRED",
-  AUTHENTICATION_ERROR: "AUTHENTICATION_ERROR",
-  INTERNAL_ERROR: "INTERNAL_ERROR"
-};
-var TokenService = class extends InfrastructureService2 {
-  constructor(payload) {
-    super(payload, "TokenService");
-    this.payload = payload;
+  /**
+   * Get all security headers
+   */
+  getHeaders() {
+    const headers = {};
+    if (this.config.contentSecurityPolicy) {
+      headers["Content-Security-Policy"] = this.buildCSP(this.config.contentSecurityPolicy);
+    }
+    if (this.config.strictTransportSecurity) {
+      headers["Strict-Transport-Security"] = this.buildHSTS(this.config.strictTransportSecurity);
+    }
+    if (this.config.xFrameOptions) {
+      headers["X-Frame-Options"] = this.config.xFrameOptions;
+    }
+    if (this.config.xContentTypeOptions !== false) {
+      headers["X-Content-Type-Options"] = "nosniff";
+    }
+    if (this.config.referrerPolicy) {
+      headers["Referrer-Policy"] = this.config.referrerPolicy;
+    }
+    if (this.config.permissionsPolicy) {
+      headers["Permissions-Policy"] = this.buildPermissionsPolicy(this.config.permissionsPolicy);
+    }
+    if (this.config.crossOriginEmbedderPolicy) {
+      headers["Cross-Origin-Embedder-Policy"] = this.config.crossOriginEmbedderPolicy;
+    }
+    if (this.config.crossOriginOpenerPolicy) {
+      headers["Cross-Origin-Opener-Policy"] = this.config.crossOriginOpenerPolicy;
+    }
+    if (this.config.crossOriginResourcePolicy) {
+      headers["Cross-Origin-Resource-Policy"] = this.config.crossOriginResourcePolicy;
+    }
+    return headers;
   }
   /**
-   * Authenticate user and generate access token using PayloadCMS native login
-   * @param credentials User login credentials
-   * @param req Optional PayloadRequest for context
-   * @returns Login result with user data and token
+   * Build Content Security Policy header
    */
-  async login(credentials, req) {
-    try {
-      this.logger.debug("Attempting user login", {
-        email: credentials.email,
-        serviceName: this.serviceName,
-        operation: "login"
-      });
-      const result = await this.payload.login({
-        collection: "users",
-        data: {
-          email: credentials.email,
-          password: credentials.password
-        },
-        ...req && { req }
-      });
-      this.logger.info("User login successful", {
-        userId: result.user.id,
-        email: result.user.email,
-        serviceName: this.serviceName
-      });
-      return result;
-    } catch (error) {
-      this.logger.error("User login failed", {
-        email: credentials.email,
-        error: error instanceof Error ? error.message : "Unknown error",
-        serviceName: this.serviceName
-      });
-      throw new AppError(
-        ErrorCode.AUTHENTICATION_ERROR,
-        "Login failed",
-        error instanceof Error ? error : new Error(String(error))
-      );
+  buildCSP(config) {
+    if (typeof config === "string") {
+      return config;
+    }
+    const directives = [];
+    const addDirective = (name, values) => {
+      if (values && values.length > 0) {
+        directives.push(`${name} ${values.join(" ")}`);
+      }
+    };
+    addDirective("default-src", config.defaultSrc);
+    addDirective("script-src", config.scriptSrc);
+    addDirective("style-src", config.styleSrc);
+    addDirective("img-src", config.imgSrc);
+    addDirective("font-src", config.fontSrc);
+    addDirective("connect-src", config.connectSrc);
+    addDirective("frame-src", config.frameSrc);
+    addDirective("object-src", config.objectSrc);
+    addDirective("media-src", config.mediaSrc);
+    addDirective("worker-src", config.workerSrc);
+    addDirective("child-src", config.childSrc);
+    addDirective("form-action", config.formAction);
+    addDirective("frame-ancestors", config.frameAncestors);
+    addDirective("base-uri", config.baseUri);
+    addDirective("manifest-src", config.manifestSrc);
+    if (config.upgradeInsecureRequests) {
+      directives.push("upgrade-insecure-requests");
     }
+    if (config.blockAllMixedContent) {
+      directives.push("block-all-mixed-content");
+    }
+    if (config.reportUri) {
+      directives.push(`report-uri ${config.reportUri}`);
+    }
+    if (config.reportTo) {
+      directives.push(`report-to ${config.reportTo}`);
+    }
+    return directives.join("; ");
   }
   /**
-   * Verify user by ID using PayloadCMS native functionality
-   * @param userId User ID to verify
-   * @returns User data if exists
+   * Build HSTS header
    */
-  async verifyUser(userId) {
-    try {
-      this.logger.debug("Verifying user", {
-        userId,
-        serviceName: this.serviceName,
-        operation: "verifyUser"
-      });
-      const user = await this.payload.findByID({
-        collection: "users",
-        id: userId
-      });
-      this.logger.debug("User verification successful", {
-        userId: user.id,
-        serviceName: this.serviceName
-      });
-      return user;
-    } catch (error) {
-      this.logger.error("User verification failed", {
-        userId,
-        error: error instanceof Error ? error.message : "Unknown error",
-        serviceName: this.serviceName
-      });
-      throw new AppError(
-        ErrorCode.AUTHENTICATION_ERROR,
-        "User verification failed",
-        error instanceof Error ? error : new Error(String(error))
-      );
+  buildHSTS(config) {
+    if (config === true) {
+      return "max-age=31536000; includeSubDomains";
+    }
+    if (config === false) {
+      return "";
+    }
+    const parts = [`max-age=${config.maxAge}`];
+    if (config.includeSubDomains) {
+      parts.push("includeSubDomains");
     }
+    if (config.preload) {
+      parts.push("preload");
+    }
+    return parts.join("; ");
   }
   /**
-   * Generate password reset token using PayloadCMS native functionality
-   * @param email User email address
-   * @returns Password reset token
+   * Build Permissions-Policy header
    */
-  async generatePasswordResetToken(email) {
-    try {
-      this.logger.debug("Generating password reset token", {
-        email,
-        serviceName: this.serviceName,
-        operation: "generatePasswordResetToken"
-      });
-      const token = await this.payload.forgotPassword({
-        collection: "users",
-        data: { email }
-      });
-      this.logger.info("Password reset token generated", {
-        email,
-        serviceName: this.serviceName
-      });
-      return token;
-    } catch (error) {
-      this.logger.error("Password reset token generation failed", {
-        email,
-        error: error instanceof Error ? error.message : "Unknown error",
-        serviceName: this.serviceName
-      });
-      throw new AppError(
-        ErrorCode.INTERNAL_ERROR,
-        "Failed to generate password reset token",
-        error instanceof Error ? error : new Error(String(error))
-      );
+  buildPermissionsPolicy(config) {
+    if (typeof config === "string") {
+      return config;
     }
+    const policies = [];
+    Object.entries(config).forEach(([feature, origins]) => {
+      if (!origins || origins.length === 0) {
+        policies.push(`${feature}=()`);
+      } else if (origins.includes("*")) {
+        policies.push(`${feature}=*`);
+      } else {
+        const originsList = origins.map((o) => `"${o}"`).join(" ");
+        policies.push(`${feature}=(${originsList})`);
+      }
+    });
+    return policies.join(", ");
   }
   /**
-   * Reset user password using PayloadCMS native functionality
-   * @param token Password reset token
-   * @param newPassword New password
-   * @returns Reset result with user and new token
-   *
-   * NOTE: Uses overrideAccess: true as this is a system-level password reset operation
-   * that requires bypassing normal access control for security token validation.
+   * Apply headers to response
    */
-  async resetPassword(token, newPassword) {
-    try {
-      this.logger.debug("Resetting password", {
-        serviceName: this.serviceName,
-        operation: "resetPassword"
-      });
-      const result = await this.payload.resetPassword({
-        collection: "users",
-        data: {
-          token,
-          password: newPassword
-        },
-        overrideAccess: true
-        // System-level operation for password reset flow
-      });
-      this.logger.info("Password reset successful", {
-        userId: result.user?.id,
-        serviceName: this.serviceName
-      });
-      return result;
-    } catch (error) {
-      this.logger.error("Password reset failed", {
-        error: error instanceof Error ? error.message : "Unknown error",
-        serviceName: this.serviceName
-      });
-      throw new AppError(
-        ErrorCode.AUTHENTICATION_ERROR,
-        "Password reset failed",
-        error instanceof Error ? error : new Error(String(error))
-      );
+  applyHeaders(response) {
+    const headers = this.getHeaders();
+    Object.entries(headers).forEach(([name, value]) => {
+      response.headers.set(name, value);
+    });
+    return response;
+  }
+};
+var CORSManager = class {
+  config;
+  constructor(config = {}) {
+    this.config = {
+      origin: config.origin ?? [],
+      methods: config.methods || ["GET", "POST", "PUT", "DELETE", "PATCH", "OPTIONS"],
+      allowedHeaders: config.allowedHeaders || ["Content-Type", "Authorization"],
+      exposedHeaders: config.exposedHeaders || [],
+      credentials: config.credentials ?? false,
+      maxAge: config.maxAge || 86400,
+      preflightContinue: config.preflightContinue ?? false,
+      optionsSuccessStatus: config.optionsSuccessStatus || 204
+    };
+  }
+  /**
+   * Check if origin is allowed
+   */
+  isOriginAllowed(origin) {
+    const { origin: allowedOrigin } = this.config;
+    if (allowedOrigin === "*") {
+      return true;
     }
+    if (typeof allowedOrigin === "function") {
+      return allowedOrigin(origin);
+    }
+    if (typeof allowedOrigin === "string") {
+      return origin === allowedOrigin;
+    }
+    if (Array.isArray(allowedOrigin)) {
+      return allowedOrigin.includes(origin);
+    }
+    return false;
   }
   /**
-   * Verify email using PayloadCMS native functionality
-   * @param token Email verification token
-   * @returns Verification success status
+   * Get CORS headers
    */
-  async verifyEmail(token) {
-    try {
-      this.logger.debug("Verifying email", {
-        serviceName: this.serviceName,
-        operation: "verifyEmail"
-      });
-      const result = await this.payload.verifyEmail({
-        collection: "users",
-        token
-      });
-      this.logger.info("Email verification completed", {
-        success: result,
-        serviceName: this.serviceName
-      });
-      return result;
-    } catch (error) {
-      this.logger.error("Email verification failed", {
-        error: error instanceof Error ? error.message : "Unknown error",
-        serviceName: this.serviceName
-      });
-      throw new AppError(
-        ErrorCode.AUTHENTICATION_ERROR,
-        "Email verification failed",
-        error instanceof Error ? error : new Error(String(error))
-      );
+  getCORSHeaders(origin) {
+    const headers = {};
+    if (this.isOriginAllowed(origin)) {
+      headers["Access-Control-Allow-Origin"] = this.config.origin === "*" ? "*" : origin;
+    }
+    if (this.config.origin !== "*") {
+      headers.Vary = "Origin";
+    }
+    if (this.config.credentials && this.config.origin !== "*") {
+      headers["Access-Control-Allow-Credentials"] = "true";
     }
+    if (this.config.exposedHeaders.length > 0) {
+      headers["Access-Control-Expose-Headers"] = this.config.exposedHeaders.join(", ");
+    }
+    return headers;
   }
   /**
-   * Unlock user account using PayloadCMS native functionality
-   * @param email User email address
-   * @param password User password
-   * @returns Unlock success status
-   *
-   * NOTE: Uses overrideAccess: true as this is a system-level account unlock operation
-   * that requires bypassing normal access control for account recovery.
+   * Get preflight headers
    */
-  async unlockUser(email, password) {
-    try {
-      this.logger.debug("Unlocking user account", {
-        email,
-        serviceName: this.serviceName,
-        operation: "unlockUser"
-      });
-      const result = await this.payload.unlock({
-        collection: "users",
-        data: { email, password },
-        overrideAccess: true
-        // System-level operation for account recovery
-      });
-      this.logger.info("User account unlock completed", {
-        email,
-        success: result,
-        serviceName: this.serviceName
-      });
-      return result;
-    } catch (error) {
-      this.logger.error("User account unlock failed", {
-        email,
-        error: error instanceof Error ? error.message : "Unknown error",
-        serviceName: this.serviceName
-      });
-      throw new AppError(
-        ErrorCode.AUTHENTICATION_ERROR,
-        "User account unlock failed",
-        error instanceof Error ? error : new Error(String(error))
-      );
+  getPreflightHeaders(origin) {
+    const headers = this.getCORSHeaders(origin);
+    headers["Access-Control-Allow-Methods"] = this.config.methods.join(", ");
+    headers["Access-Control-Allow-Headers"] = this.config.allowedHeaders.join(", ");
+    headers["Access-Control-Max-Age"] = this.config.maxAge.toString();
+    return headers;
+  }
+  /**
+   * Handle CORS request
+   */
+  handleRequest(request) {
+    const origin = request.headers.get("Origin");
+    if (!origin) {
+      return null;
+    }
+    if (request.method === "OPTIONS") {
+      return this.handlePreflight(request, origin);
     }
+    return null;
   }
   /**
-   * @inheritdoc
+   * Handle preflight request
    */
-  onInitialize() {
-    this.logger.info("TokenService initialized with PayloadCMS native auth", {
-      serviceName: this.serviceName
+  handlePreflight(_request, origin) {
+    if (!this.isOriginAllowed(origin)) {
+      return new Response(null, { status: 403 });
+    }
+    const headers = this.getPreflightHeaders(origin);
+    return new Response(null, {
+      status: this.config.optionsSuccessStatus,
+      headers
     });
   }
   /**
-   * @inheritdoc
+   * Apply CORS headers to response
    */
-  onCleanup() {
-    this.logger.info("TokenService cleaned up", {
-      serviceName: this.serviceName
+  applyHeaders(response, origin) {
+    if (!this.isOriginAllowed(origin)) {
+      return response;
+    }
+    const headers = this.getCORSHeaders(origin);
+    Object.entries(headers).forEach(([name, value]) => {
+      response.headers.set(name, value);
     });
+    return response;
   }
+};
+var SecurityPresets = {
   /**
-   * @inheritdoc
+   * Strict security (recommended for production)
    */
-  onHealthCheck() {
-    this.logger.debug("TokenService health check passed", {
-      serviceName: this.serviceName
-    });
+  strict: () => ({
+    contentSecurityPolicy: {
+      defaultSrc: ["'self'"],
+      scriptSrc: ["'self'"],
+      styleSrc: ["'self'", "'unsafe-inline'"],
+      imgSrc: ["'self'", "data:", "https:"],
+      fontSrc: ["'self'", "data:"],
+      connectSrc: ["'self'"],
+      frameSrc: ["'none'"],
+      objectSrc: ["'none'"],
+      baseUri: ["'self'"],
+      formAction: ["'self'"],
+      frameAncestors: ["'none'"],
+      upgradeInsecureRequests: true
+    },
+    strictTransportSecurity: {
+      maxAge: 31536e3,
+      includeSubDomains: true,
+      preload: true
+    },
+    xFrameOptions: "DENY",
+    xContentTypeOptions: true,
+    referrerPolicy: "strict-origin-when-cross-origin",
+    crossOriginEmbedderPolicy: "require-corp",
+    crossOriginOpenerPolicy: "same-origin",
+    crossOriginResourcePolicy: "same-origin"
+  }),
+  /**
+   * Moderate security (balanced)
+   */
+  moderate: () => ({
+    contentSecurityPolicy: {
+      defaultSrc: ["'self'"],
+      scriptSrc: ["'self'", "'unsafe-inline'"],
+      styleSrc: ["'self'", "'unsafe-inline'"],
+      imgSrc: ["'self'", "data:", "https:"],
+      fontSrc: ["'self'", "data:", "https:"],
+      connectSrc: ["'self'", "https:"],
+      frameAncestors: ["'self'"]
+    },
+    strictTransportSecurity: {
+      maxAge: 31536e3,
+      includeSubDomains: true
+    },
+    xFrameOptions: "SAMEORIGIN",
+    xContentTypeOptions: true,
+    referrerPolicy: "origin-when-cross-origin"
+  }),
+  /**
+   * Development (permissive)
+   */
+  development: () => ({
+    xContentTypeOptions: true,
+    referrerPolicy: "no-referrer-when-downgrade"
+  })
+};
+var CORSPresets = {
+  /**
+   * Strict CORS (same origin only)
+   */
+  strict: () => ({
+    origin: [],
+    methods: ["GET", "POST", "PUT", "DELETE"],
+    allowedHeaders: ["Content-Type", "Authorization"],
+    credentials: true,
+    maxAge: 86400
+  }),
+  /**
+   * Moderate CORS (specific origins)
+   */
+  moderate: (allowedOrigins) => ({
+    origin: allowedOrigins,
+    methods: ["GET", "POST", "PUT", "DELETE", "PATCH"],
+    allowedHeaders: ["Content-Type", "Authorization", "X-Requested-With"],
+    exposedHeaders: ["X-Total-Count"],
+    credentials: true,
+    maxAge: 86400
+  }),
+  /**
+   * Permissive CORS (all origins) — development only.
+   * Logs a warning if used when NODE_ENV === 'production'.
+   */
+  permissive: () => {
+    if (process.env.NODE_ENV === "production") {
+      getSecurityLogger().warn(
+        "[SecurityPresets] CORS permissive preset used in production \u2014 this allows all origins. Use moderate() with explicit origins instead."
+      );
+    }
+    return {
+      origin: "*",
+      methods: ["GET", "POST", "PUT", "DELETE", "PATCH", "OPTIONS"],
+      allowedHeaders: ["*"],
+      credentials: false,
+      maxAge: 86400
+    };
+  },
+  /**
+   * API CORS (public read-only APIs) — credentials disabled.
+   * Logs a warning if used when NODE_ENV === 'production'.
+   */
+  api: () => {
+    if (process.env.NODE_ENV === "production") {
+      getSecurityLogger().warn(
+        '[SecurityPresets] CORS api preset uses origin:"*". For production, pass explicit origins to moderate() instead.'
+      );
+    }
+    return {
+      origin: "*",
+      methods: ["GET", "POST", "PUT", "DELETE", "PATCH"],
+      allowedHeaders: ["Content-Type", "Authorization", "X-API-Key"],
+      exposedHeaders: ["X-RateLimit-Limit", "X-RateLimit-Remaining", "X-RateLimit-Reset"],
+      credentials: false,
+      maxAge: 86400
+    };
   }
 };
-function createTokenService(payload) {
-  return new TokenService(payload);
+function createSecurityMiddleware(securityConfig, corsConfig) {
+  const security = new SecurityHeaders(securityConfig);
+  const cors = new CORSManager(corsConfig);
+  return async (request, next) => {
+    const origin = request.headers.get("Origin");
+    if (origin && request.method === "OPTIONS") {
+      const preflightResponse = cors.handleRequest(request);
+      if (preflightResponse) {
+        return preflightResponse;
+      }
+    }
+    const response = await next();
+    security.applyHeaders(response);
+    if (origin) {
+      cors.applyHeaders(response, origin);
+    }
+    return response;
+  };
+}
+function setRateLimitHeaders(response, limit, remaining, reset) {
+  response.headers.set("X-RateLimit-Limit", limit.toString());
+  response.headers.set("X-RateLimit-Remaining", remaining.toString());
+  response.headers.set("X-RateLimit-Reset", reset.toString());
 }
 export {
-  CSRFService,
-  EncryptionService,
-  RATE_LIMITS,
-  RateLimited,
-  RateLimiterService,
-  SECURITY_HEADERS,
-  SecurityMonitoringService,
-  SessionService,
-  TokenService,
-  addSecurityEvent,
-  calculateSecurityMetrics,
-  checkAnonymousRateLimit,
-  checkRateLimit,
-  checkUserRateLimit,
-  clearSecurityData,
-  createSecurity,
-  createSecurityAlert,
-  createSecurityEvent,
-  createTokenService,
-  filterEvents,
-  generateIPRateLimitKey,
-  generateRateLimitKey,
-  getClientIP,
-  getEventsBySeverity,
-  getEventsInTimeRange,
-  getRateLimiterService,
-  getSecurityAlerts,
-  getSecurityEvents,
-  getSecurityMetrics,
-  getUserEvents,
-  isTrustedSource,
-  logAuthenticationEvent,
-  logAuthorizationEvent,
-  logDataAccessEvent,
-  logSecurityEvent,
-  sanitizeInput,
-  securityMiddleware,
-  sessionService,
-  shouldTriggerAlert,
-  validateAndSanitizeInput,
-  validateCSRFToken,
-  validateEnvironment,
-  withRateLimit
+  AuditReportGenerator,
+  AuditSystem,
+  AuditTrail,
+  AuthorizationSystem,
+  CORSManager,
+  CORSPresets,
+  CommonRoles,
+  ConsentManager,
+  CookieConsentManager,
+  DataAnonymization,
+  DataBreachManager,
+  DataDeletionSystem,
+  DataExportSystem,
+  DataMasking,
+  EncryptionSystem,
+  EnvelopeEncryption,
+  FieldEncryption,
+  InMemoryAuditStorage,
+  InMemoryBreachStorage,
+  InMemoryGDPRStorage,
+  KeyRotationManager,
+  OAuthClient,
+  OAuthProviders,
+  PasswordHasher,
+  PermissionBuilder,
+  PermissionCache,
+  PolicyBuilder,
+  PrivacyPolicyManager,
+  RequirePermission,
+  RequireRole,
+  SecurityHeaders,
+  SecurityPresets,
+  TokenGenerator,
+  TwoFactorAuth,
+  audit,
+  authorization,
+  canAccessResource,
+  checkAttributeAccess,
+  configureSecurityLogger,
+  cookieConsentManager,
+  createAuditMiddleware,
+  createAuthorizationMiddleware,
+  createConsentManager,
+  createDataBreachManager,
+  createDataDeletionSystem,
+  createSecurityMiddleware,
+  dataBreachManager,
+  dataExportSystem,
+  encryption,
+  permissionCache,
+  privacyPolicyManager,
+  setRateLimitHeaders
 };
 //# sourceMappingURL=index.js.map