@revealui/security 0.0.1-pre.1 → 0.2.1

package/dist/index.js

@@ -1,1841 +1,2429 @@
-// src/SecurityValidation.ts
-import { z } from "zod";
-var EnvironmentSchema = z.object({
-  PAYLOAD_SECRET: z.string().min(32, "PAYLOAD_SECRET must be at least 32 characters"),
-  MCP_ENCRYPTION_KEY: z.string().min(64, "MCP_ENCRYPTION_KEY must be at least 64 characters"),
-  TURSO_URL: z.string().url().optional(),
-  TURSO_AUTH_TOKEN: z.string().optional(),
-  SUPPORT_EMAIL: z.string().email().optional()
-});
-var RATE_LIMITS = {
-  CHAT: { windowMs: 60 * 1e3, maxRequests: 10 },
-  // 10 requests per minute
-  CONTENT: { windowMs: 60 * 1e3, maxRequests: 5 },
-  // 5 requests per minute
-  CONTACT: { windowMs: 15 * 60 * 1e3, maxRequests: 3 },
-  // 3 requests per 15 minutes
-  RECOMMENDATIONS: { windowMs: 60 * 1e3, maxRequests: 20 }
-  // 20 requests per minute
-};
-var rateLimitStore = /* @__PURE__ */ new Map();
-async function validateEnvironment() {
-  const validation = EnvironmentSchema.safeParse(process.env);
-  if (!validation.success) {
-    const errors = validation.error.issues.map((issue) => `${issue.path.join(".")}: ${issue.message}`).join(", ");
-    throw new Error(`Environment validation failed: ${errors}`);
-  }
-}
-async function checkRateLimit(key, config) {
-  const now = Date.now();
-  for (const [k, v] of rateLimitStore.entries()) {
-    if (v.resetTime < now) {
-      rateLimitStore.delete(k);
-    }
-  }
-  const entry = rateLimitStore.get(key);
-  if (!entry || entry.resetTime < now) {
-    rateLimitStore.set(key, { count: 1, resetTime: now + config.windowMs });
-    return {
-      allowed: true,
-      remaining: config.maxRequests - 1,
-      resetTime: now + config.windowMs
-    };
-  }
-  if (entry.count >= config.maxRequests) {
-    return {
-      allowed: false,
-      remaining: 0,
-      resetTime: entry.resetTime
-    };
+// src/audit.ts
+var AuditSystem = class {
+  storage;
+  filters = [];
+  constructor(storage) {
+    this.storage = storage;
   }
-  entry.count++;
-  rateLimitStore.set(key, entry);
-  return {
-    allowed: true,
-    remaining: config.maxRequests - entry.count,
-    resetTime: entry.resetTime
-  };
-}
-function generateRateLimitKey(userId, action) {
-  return `rate_limit:${action}:${userId}`;
-}
-function generateIPRateLimitKey(ip, action) {
-  return `rate_limit:${action}:ip:${ip}`;
-}
-async function validateCSRFToken(token, sessionToken) {
-  return token === sessionToken && token.length > 0;
-}
-function sanitizeInput(input) {
-  return input.replace(/<script\b[^<]*(?:(?!<\/script>)<[^<]*)*<\/script>/gi, "").replace(/on\w+\s*=\s*["'][^"']*["']/gi, "").replace(/javascript:/gi, "").trim();
-}
-function validateAndSanitizeInput(input, schema) {
-  try {
-    const validation = schema.safeParse(input);
-    if (!validation.success) {
-      return {
-        success: false,
-        error: validation.error.issues.map((i) => i.message).join(", ")
-      };
-    }
-    const sanitized = sanitizeObject(validation.data);
-    return {
-      success: true,
-      data: sanitized
-    };
-  } catch (error) {
-    return {
-      success: false,
-      error: error instanceof Error ? error.message : "Validation failed"
+  /**
+   * Log audit event
+   */
+  async log(event) {
+    const fullEvent = {
+      ...event,
+      id: crypto.randomUUID(),
+      timestamp: (/* @__PURE__ */ new Date()).toISOString()
     };
-  }
-}
-function sanitizeObject(obj) {
-  if (typeof obj === "string") {
-    return sanitizeInput(obj);
-  }
-  if (Array.isArray(obj)) {
-    return obj.map(sanitizeObject);
-  }
-  if (obj && typeof obj === "object") {
-    const sanitized = {};
-    for (const [key, value] of Object.entries(obj)) {
-      sanitized[key] = sanitizeObject(value);
+    const shouldLog = this.filters.every((filter) => filter(fullEvent));
+    if (!shouldLog) {
+      return;
     }
-    return sanitized;
-  }
-  return obj;
-}
-var SECURITY_HEADERS = {
-  "X-Content-Type-Options": "nosniff",
-  "X-Frame-Options": "DENY",
-  "X-XSS-Protection": "1; mode=block",
-  "Referrer-Policy": "strict-origin-when-cross-origin",
-  "Permissions-Policy": "camera=(), microphone=(), geolocation=()"
-};
-function logSecurityEvent(event, details, severity = "medium") {
-  console.log(`[SECURITY-${severity.toUpperCase()}] ${event}:`, {
-    timestamp: (/* @__PURE__ */ new Date()).toISOString(),
-    severity,
-    ...details
-  });
-}
-
-// src/RateLimiterService.ts
-var devLogger = {
-  debug: (...args) => console.debug("[security]", ...args),
-  info: (...args) => console.log("[security]", ...args),
-  warn: (...args) => console.warn("[security]", ...args),
-  error: (...args) => console.error("[security]", ...args),
-  forService: (_name) => ({
-    debug: (...args) => console.debug("[security]", ...args),
-    info: (...args) => console.log("[security]", ...args),
-    warn: (...args) => console.warn("[security]", ...args),
-    error: (...args) => console.error("[security]", ...args)
-  })
-};
-var RateLimiterService = class {
-  config;
-  inMemoryStore = /* @__PURE__ */ new Map();
-  cleanupInterval = null;
-  constructor(config) {
-    this.config = {
-      windowMs: config.windowMs ?? 15 * 60 * 1e3,
-      // 15 minutes
-      maxRequests: config.maxRequests ?? 100,
-      skipSuccessfulRequests: config.skipSuccessfulRequests ?? false,
-      skipFailedRequests: config.skipFailedRequests ?? false,
-      standardHeaders: config.standardHeaders ?? true,
-      legacyHeaders: config.legacyHeaders ?? false
-    };
-    this.startCleanupInterval();
-  }
-  setPayload(_payload) {
+    await this.storage.write(fullEvent);
   }
   /**
-   * Check rate limit using token bucket algorithm
+   * Log authentication event
    */
-  checkTokenBucket(key, tokens = 1, capacity = 10, refillRate = 1, refillTime = 100) {
-    try {
-      const now = Date.now();
-      const bucketKey = `rate_limit:token_bucket:${key}`;
-      const current = this.inMemoryStore.get(bucketKey);
-      let currentTokens = capacity;
-      let lastRefill = now;
-      if (current) {
-        currentTokens = current.count;
-        lastRefill = current.lastRequestTime;
-      }
-      const timePassed = now - lastRefill;
-      const refillAmount = Math.floor(timePassed / refillTime) * refillRate;
-      currentTokens = Math.min(capacity, currentTokens + refillAmount);
-      if (currentTokens >= tokens) {
-        currentTokens = currentTokens - tokens;
-        this.inMemoryStore.set(bucketKey, {
-          count: currentTokens,
-          resetTime: now + refillTime,
-          lastRequestTime: now
-        });
-        devLogger.debug("Rate limit check", {
-          key,
-          algorithm: "token_bucket",
-          allowed: true,
-          remaining: currentTokens,
-          resetTime: now + refillTime,
-          tokens,
-          capacity,
-          refillRate
-        });
-        return {
-          allowed: true,
-          remaining: currentTokens,
-          resetTime: now + refillTime
-        };
-      }
-      const resetTime = lastRefill + refillTime;
-      devLogger.warn("Rate limit blocked", {
-        key,
-        algorithm: "token_bucket",
-        remaining: currentTokens,
-        resetTime,
-        tokens
-      });
-      return {
-        allowed: false,
-        remaining: currentTokens,
-        resetTime,
-        retryAfter: Math.ceil((resetTime - now) / 1e3)
-      };
-    } catch (error) {
-      devLogger.error("Rate limiter error", error instanceof Error ? error : void 0, {
-        key,
-        algorithm: "token_bucket",
-        error: error instanceof Error ? error.message : "Unknown error"
-      });
-      return {
-        allowed: true,
-        remaining: capacity,
-        resetTime: Date.now() + refillTime
-      };
-    }
+  async logAuth(type, actorId, result, metadata) {
+    await this.log({
+      type,
+      severity: result === "failure" ? "medium" : "low",
+      actor: {
+        id: actorId,
+        type: "user"
+      },
+      action: type.replace("auth.", ""),
+      result,
+      metadata
+    });
   }
   /**
-   * Check rate limit using sliding window algorithm
+   * Log data access event
    */
-  checkSlidingWindow(key, windowMs = this.config.windowMs, maxRequests = this.config.maxRequests) {
-    try {
-      const now = Date.now();
-      const windowKey = `rate_limit:sliding_window:${key}`;
-      const current = this.inMemoryStore.get(windowKey);
-      let requests = [];
-      if (current) {
-        requests = [current.count];
-      }
-      const windowStart = now - windowMs;
-      requests = requests.filter((timestamp) => timestamp >= windowStart);
-      if (requests.length < maxRequests) {
-        requests.push(now);
-        this.inMemoryStore.set(windowKey, {
-          count: requests.length,
-          resetTime: now + windowMs,
-          lastRequestTime: now
-        });
-        devLogger.debug("Rate limit check", {
-          key,
-          algorithm: "sliding_window",
-          allowed: true,
-          remaining: maxRequests - requests.length,
-          resetTime: now + windowMs
-        });
-        return {
-          allowed: true,
-          remaining: maxRequests - requests.length,
-          resetTime: now + windowMs
-        };
-      }
-      const oldest = Math.min(...requests);
-      const resetTime = oldest + windowMs;
-      devLogger.warn("Rate limit blocked", {
-        key,
-        algorithm: "sliding_window",
-        remaining: 0,
-        resetTime
-      });
-      return {
-        allowed: false,
-        remaining: 0,
-        resetTime,
-        retryAfter: Math.ceil((resetTime - now) / 1e3)
-      };
-    } catch (error) {
-      devLogger.error("Rate limiter error", error instanceof Error ? error : void 0, {
-        key,
-        algorithm: "sliding_window",
-        error: error instanceof Error ? error.message : "Unknown error"
-      });
-      return {
-        allowed: true,
-        remaining: maxRequests,
-        resetTime: Date.now() + windowMs
-      };
-    }
+  async logDataAccess(action, actorId, resourceType, resourceId, result, changes) {
+    await this.log({
+      type: `data.${action}`,
+      severity: action === "delete" ? "high" : "medium",
+      actor: {
+        id: actorId,
+        type: "user"
+      },
+      resource: {
+        type: resourceType,
+        id: resourceId
+      },
+      action,
+      result,
+      changes
+    });
   }
   /**
-   * Check rate limit using leaky bucket algorithm
+   * Log permission change
    */
-  checkLeakyBucket(key, capacity = 10, leakRate = 1, leakTime = 100) {
-    try {
-      const now = Date.now();
-      const bucketKey = `rate_limit:leaky_bucket:${key}`;
-      const current = this.inMemoryStore.get(bucketKey);
-      let currentLevel = 0;
-      let lastLeak = now;
-      if (current) {
-        currentLevel = current.count;
-        lastLeak = current.lastRequestTime;
-      }
-      const timePassed = now - lastLeak;
-      const leakAmount = Math.floor(timePassed / leakTime) * leakRate;
-      currentLevel = Math.max(0, currentLevel - leakAmount);
-      if (currentLevel < capacity) {
-        currentLevel++;
-        this.inMemoryStore.set(bucketKey, {
-          count: currentLevel,
-          resetTime: now + leakTime,
-          lastRequestTime: now
-        });
-        devLogger.debug("Rate limit check", {
-          key,
-          algorithm: "leaky_bucket",
-          allowed: true,
-          remaining: capacity - currentLevel,
-          resetTime: now + leakTime
-        });
-        return {
-          allowed: true,
-          remaining: capacity - currentLevel,
-          resetTime: now + leakTime
-        };
+  async logPermissionChange(action, actorId, targetUserId, permission, result) {
+    await this.log({
+      type: `permission.${action}`,
+      severity: "high",
+      actor: {
+        id: actorId,
+        type: "user"
+      },
+      resource: {
+        type: "user",
+        id: targetUserId
+      },
+      action,
+      result,
+      metadata: {
+        permission
       }
-      const resetTime = lastLeak + leakTime;
-      devLogger.warn("Rate limit blocked", {
-        key,
-        algorithm: "leaky_bucket",
-        remaining: 0,
-        resetTime
-      });
-      return {
-        allowed: false,
-        remaining: 0,
-        resetTime,
-        retryAfter: Math.ceil((resetTime - now) / 1e3)
-      };
-    } catch (error) {
-      devLogger.error("Rate limiter error", error instanceof Error ? error : void 0, {
-        key,
-        algorithm: "leaky_bucket",
-        error: error instanceof Error ? error.message : "Unknown error"
-      });
-      return {
-        allowed: true,
-        remaining: capacity,
-        resetTime: Date.now() + leakTime
-      };
-    }
+    });
   }
   /**
-   * Reset rate limit for a key
+   * Log security event
    */
-  resetRateLimit(key) {
-    const patterns = [
-      `rate_limit:token_bucket:${key}`,
-      `rate_limit:sliding_window:${key}`,
-      `rate_limit:leaky_bucket:${key}`
-    ];
-    for (const pattern of patterns) {
-      this.inMemoryStore.delete(pattern);
-    }
-    devLogger.debug("Rate limit reset", { key });
+  async logSecurityEvent(type, severity, actorId, message, metadata) {
+    await this.log({
+      type: `security.${type}`,
+      severity,
+      actor: {
+        id: actorId,
+        type: "user"
+      },
+      action: type,
+      result: "failure",
+      message,
+      metadata
+    });
   }
   /**
-   * Get current rate limit state
+   * Log GDPR event
    */
-  getRateLimitState(key) {
-    const patterns = [
-      `rate_limit:token_bucket:${key}`,
-      `rate_limit:sliding_window:${key}`,
-      `rate_limit:leaky_bucket:${key}`
-    ];
-    for (const pattern of patterns) {
-      const state = this.inMemoryStore.get(pattern);
-      if (state) {
-        return state;
-      }
-    }
-    return null;
+  async logGDPREvent(type, actorId, result, metadata) {
+    await this.log({
+      type: `gdpr.${type}`,
+      severity: "high",
+      actor: {
+        id: actorId,
+        type: "user"
+      },
+      action: type,
+      result,
+      metadata
+    });
   }
   /**
-   * Update rate limit state
+   * Query audit logs
    */
-  updateRateLimitState(key, state) {
-    this.inMemoryStore.set(key, state);
+  async query(query) {
+    return this.storage.query(query);
   }
   /**
-   * Get rate limiter statistics
+   * Count audit logs
    */
-  getStats() {
-    return {
-      totalKeys: this.inMemoryStore.size,
-      memoryUsage: this.inMemoryStore.size
-    };
+  async count(query) {
+    return this.storage.count(query);
   }
   /**
-   * Clean up expired entries
+   * Add filter
    */
-  cleanup() {
-    const now = Date.now();
-    const maxAge = 24 * 60 * 60 * 1e3;
-    for (const [key, state] of this.inMemoryStore.entries()) {
-      if (now - state.lastRequestTime > maxAge) {
-        this.inMemoryStore.delete(key);
-      }
-    }
-    devLogger.debug("Cleaned up expired rate limit entries", {
-      remaining: this.inMemoryStore.size
-    });
+  addFilter(filter) {
+    this.filters.push(filter);
   }
   /**
-   * Start cleanup interval
+   * Remove filter
    */
-  startCleanupInterval() {
-    if (this.cleanupInterval) {
-      clearInterval(this.cleanupInterval);
+  removeFilter(filter) {
+    const index = this.filters.indexOf(filter);
+    if (index > -1) {
+      this.filters.splice(index, 1);
     }
-    this.cleanupInterval = setInterval(
-      () => {
-        this.cleanup();
-      },
-      60 * 60 * 1e3
-    );
+  }
+};
+var InMemoryAuditStorage = class {
+  events = [];
+  maxEvents;
+  constructor(maxEvents = 1e4) {
+    this.maxEvents = maxEvents;
+  }
+  async write(event) {
+    this.events.push(event);
+    if (this.events.length > this.maxEvents) {
+      this.events.shift();
+    }
+  }
+  async query(query) {
+    let results = [...this.events];
+    if (query.types && query.types.length > 0) {
+      results = results.filter((e) => query.types?.includes(e.type));
+    }
+    if (query.actorId) {
+      results = results.filter((e) => e.actor.id === query.actorId);
+    }
+    if (query.resourceType) {
+      results = results.filter((e) => e.resource?.type === query.resourceType);
+    }
+    if (query.resourceId) {
+      results = results.filter((e) => e.resource?.id === query.resourceId);
+    }
+    if (query.startDate) {
+      const startDate = query.startDate;
+      results = results.filter((e) => new Date(e.timestamp) >= startDate);
+    }
+    if (query.endDate) {
+      const endDate = query.endDate;
+      results = results.filter((e) => new Date(e.timestamp) <= endDate);
+    }
+    if (query.severity && query.severity.length > 0) {
+      results = results.filter((e) => query.severity?.includes(e.severity));
+    }
+    if (query.result && query.result.length > 0) {
+      results = results.filter((e) => query.result?.includes(e.result));
+    }
+    results.sort((a, b) => new Date(b.timestamp).getTime() - new Date(a.timestamp).getTime());
+    const offset = query.offset || 0;
+    const limit = query.limit || 100;
+    return results.slice(offset, offset + limit);
+  }
+  async count(query) {
+    const results = await this.query({ ...query, limit: void 0, offset: void 0 });
+    return results.length;
   }
   /**
-   * Stop cleanup interval
+   * Clear all events
    */
-  stopCleanupInterval() {
-    if (this.cleanupInterval) {
-      clearInterval(this.cleanupInterval);
-      this.cleanupInterval = null;
-    }
+  clear() {
+    this.events = [];
   }
   /**
-   * Dispose of the service
+   * Get all events
    */
-  dispose() {
-    this.stopCleanupInterval();
-    this.inMemoryStore.clear();
+  getAll() {
+    return [...this.events];
   }
 };
-var getRateLimiterService = (config) => {
-  return new RateLimiterService(config ?? {});
-};
-
-// src/RateLimitingService.ts
-import { headers } from "next/headers";
-var RATE_LIMITS2 = { default: { limit: 100, windowMs: 6e4 } };
-var generateRateLimitKey2 = (id) => `rate:${id}`;
-var generateIPRateLimitKey2 = (ip) => `rate:ip:${ip}`;
-async function checkRateLimit2(_key, _limit, _windowMs) {
-  return { allowed: true, remaining: _limit, resetTime: Date.now() + _windowMs };
-}
-async function withRateLimit(action, config) {
-  return async (...args) => {
-    const headersList = await headers();
-    const ip = headersList.get("x-forwarded-for") ?? headersList.get("x-real-ip") ?? "unknown";
-    const key = config.customKey ?? (config.userId ? generateRateLimitKey2(config.userId) : generateIPRateLimitKey2(ip));
-    const rateLimitResult = await checkRateLimit2(
-      key,
-      RATE_LIMITS2[config.type].limit,
-      RATE_LIMITS2[config.type].windowMs
-    );
-    if (!rateLimitResult.allowed) {
-      throw new Error(
-        `Rate limit exceeded. Try again in ${Math.ceil((rateLimitResult.resetTime - Date.now()) / 1e3)} seconds.`
-      );
-    }
-    return await action(...args);
-  };
-}
-function RateLimited(type, userId) {
+function AuditTrail(type, action, options) {
   return (_target, _propertyKey, descriptor) => {
     const originalMethod = descriptor.value;
     descriptor.value = async function(...args) {
-      const headersList = await headers();
-      const ip = headersList.get("x-forwarded-for") ?? headersList.get("x-real-ip") ?? "unknown";
-      const key = userId ? generateRateLimitKey2(userId) : generateIPRateLimitKey2(ip);
-      const rateLimitResult = await checkRateLimit2(
-        key,
-        RATE_LIMITS2[type].limit,
-        RATE_LIMITS2[type].windowMs
-      );
-      if (!rateLimitResult.allowed) {
-        throw new Error(
-          `Rate limit exceeded. Try again in ${Math.ceil((rateLimitResult.resetTime - Date.now()) / 1e3)} seconds.`
-        );
+      const actorId = this.user?.id || "system";
+      const before = options?.captureChanges ? args[0] : void 0;
+      let result = "success";
+      let error;
+      try {
+        const returnValue = await originalMethod.apply(this, args);
+        if (this.audit) {
+          await this.audit.log({
+            type,
+            severity: options?.severity || "medium",
+            actor: {
+              id: actorId,
+              type: "user"
+            },
+            resource: options?.resourceType ? {
+              type: options.resourceType,
+              id: args[0]?.id || "unknown"
+            } : void 0,
+            action,
+            result,
+            changes: options?.captureChanges ? {
+              before,
+              after: returnValue
+            } : void 0
+          });
+        }
+        return returnValue;
+      } catch (err) {
+        result = "failure";
+        error = err;
+        if (this.audit) {
+          await this.audit.log({
+            type,
+            severity: "high",
+            actor: {
+              id: actorId,
+              type: "user"
+            },
+            resource: options?.resourceType ? {
+              type: options.resourceType,
+              id: args[0]?.id || "unknown"
+            } : void 0,
+            action,
+            result,
+            message: error.message
+          });
+        }
+        throw error;
       }
-      return await originalMethod.apply(this, args);
     };
     return descriptor;
   };
 }
-async function getClientIP() {
-  const headersList = await headers();
-  return headersList.get("x-forwarded-for") ?? headersList.get("x-real-ip") ?? "unknown";
-}
-async function isTrustedSource() {
-  const headersList = await headers();
-  const userAgent = headersList.get("user-agent") || "";
-  const origin = headersList.get("origin") || "";
-  const botPatterns = [/bot/i, /crawler/i, /spider/i, /scraper/i, /curl/i, /wget/i];
-  const isBot = botPatterns.some((pattern) => pattern.test(userAgent));
-  const trustedOrigins = [
-    process.env.NEXT_PUBLIC_APP_URL,
-    "http://localhost:3000",
-    "https://localhost:3000"
-  ].filter(Boolean);
-  const isTrustedOrigin = trustedOrigins.includes(origin);
-  return !isBot && isTrustedOrigin;
-}
-async function checkUserRateLimit(userId, action, customConfig) {
-  const config = { ...RATE_LIMITS2[action], ...customConfig };
-  const key = generateRateLimitKey2(userId);
-  return await checkRateLimit2(key, config.limit, config.windowMs);
-}
-async function checkAnonymousRateLimit(action, customConfig) {
-  const ip = await getClientIP();
-  const config = { ...RATE_LIMITS2[action], ...customConfig };
-  const key = generateIPRateLimitKey2(ip);
-  return await checkRateLimit2(key, config.limit, config.windowMs);
-}
-
-// src/CSRFService.ts
-import { createHmac, randomBytes } from "crypto";
-var CSRFService = class {
-  constructor(payload, options = {}) {
-    this.payload = payload;
-    this.options = {
-      algorithm: options.algorithm ?? "sha256",
-      encoding: options.encoding ?? "hex",
-      tokenLength: options.tokenLength ?? 32,
-      tokenExpiry: options.tokenExpiry ?? 24 * 60 * 60 * 1e3
-      // 24 hours
-    };
-  }
-  options;
-  async generateCsrfToken(sessionId) {
+function createAuditMiddleware(audit2, getUser) {
+  return async (request, next) => {
+    const user = getUser(request);
+    const startTime = Date.now();
     try {
-      const token = randomBytes(this.options.tokenLength);
-      const hmac = createHmac(this.options.algorithm, process.env.PAYLOAD_SECRET ?? "");
-      hmac.update(sessionId);
-      hmac.update(token);
-      const signature = hmac.digest(this.options.encoding);
-      const csrfToken = `${token.toString(this.options.encoding)}.${signature}`;
-      this.payload.logger.debug("CSRF token generated successfully");
-      return csrfToken;
+      const response = await next();
+      await audit2.log({
+        type: "data.read",
+        severity: "low",
+        actor: {
+          id: user.id,
+          type: "user",
+          ip: user.ip,
+          userAgent: user.userAgent
+        },
+        action: request.method,
+        result: "success",
+        metadata: {
+          path: request.url,
+          duration: Date.now() - startTime,
+          status: response.status
+        }
+      });
+      return response;
     } catch (error) {
-      this.payload.logger.error("Failed to generate CSRF token", error);
+      await audit2.log({
+        type: "data.read",
+        severity: "medium",
+        actor: {
+          id: user.id,
+          type: "user",
+          ip: user.ip,
+          userAgent: user.userAgent
+        },
+        action: request.method,
+        result: "failure",
+        message: error instanceof Error ? error.message : "Unknown error",
+        metadata: {
+          path: request.url,
+          duration: Date.now() - startTime
+        }
+      });
       throw error;
     }
-  }
-  async validateCsrfToken(token, sessionId) {
-    try {
-      const [tokenPart, signature] = token.split(".");
-      if (!tokenPart || !signature) {
-        this.payload.logger.warn("Invalid CSRF token format");
-        return false;
-      }
-      const hmac = createHmac(this.options.algorithm, process.env.PAYLOAD_SECRET ?? "");
-      hmac.update(sessionId);
-      hmac.update(Buffer.from(tokenPart, this.options.encoding));
-      const expectedSignature = hmac.digest(this.options.encoding);
-      const isValid = signature === expectedSignature;
-      if (isValid) {
-        this.payload.logger.debug("CSRF token validated successfully");
-      } else {
-        this.payload.logger.warn("CSRF token validation failed");
-      }
-      return isValid;
-    } catch (error) {
-      this.payload.logger.error("Failed to validate CSRF token", error);
-      return false;
-    }
-  }
-};
-
-// src/EncryptionService.ts
-import { InfrastructureService } from "@revealui/core";
-import {
-  createCipheriv,
-  createDecipheriv,
-  randomBytes as randomBytes2,
-  scrypt as scryptCallback
-} from "crypto";
-import { promisify } from "util";
-var scryptAsync = promisify(scryptCallback);
-function isAuthenticatedCipher(cipher) {
-  return typeof cipher.getAuthTag === "function";
-}
-function isAuthenticatedDecipher(decipher) {
-  return typeof decipher.setAuthTag === "function";
+  };
 }
-var EncryptionService = class extends InfrastructureService {
-  options;
-  constructor(payload, options = {}) {
-    super(payload, "EncryptionService");
-    this.options = {
-      algorithm: options.algorithm ?? "aes-256-gcm",
-      keyLength: options.keyLength ?? 32,
-      saltLength: options.saltLength ?? 16,
-      ivLength: options.ivLength ?? 12,
-      iterations: options.iterations ?? 1e5,
-      encoding: options.encoding ?? "hex"
-    };
+var AuditReportGenerator = class {
+  constructor(audit2) {
+    this.audit = audit2;
   }
   /**
-   * Encrypts data using the configured algorithm with comprehensive error handling.
+   * Generate security report
    */
-  async encrypt(data, customOptions) {
-    return this.executeInfrastructureOperation(async () => {
-      if (typeof data !== "string" || data.length === 0) {
-        throw new Error("Data to encrypt must be a non-empty string");
-      }
-      const effectiveOptions = { ...this.options, ...customOptions };
-      this.logger.debug("Starting data encryption", {
-        algorithm: effectiveOptions.algorithm,
-        dataLength: data.length,
-        serviceName: this.serviceName,
-        operation: "encrypt"
-      });
-      const salt = randomBytes2(effectiveOptions.saltLength);
-      const iv = randomBytes2(effectiveOptions.ivLength);
-      const key = await this.deriveKey(salt, effectiveOptions);
-      const cipher = createCipheriv(effectiveOptions.algorithm, key, iv);
-      const encrypted = Buffer.concat([cipher.update(data, "utf8"), cipher.final()]);
-      if (isAuthenticatedCipher(cipher) !== true) {
-        throw new Error("Cipher does not support authentication");
-      }
-      const authTag = cipher.getAuthTag();
-      const result = {
-        data: encrypted.toString(effectiveOptions.encoding),
-        metadata: {
-          algorithm: effectiveOptions.algorithm,
-          iv: iv.toString(effectiveOptions.encoding),
-          authTag: authTag.toString(effectiveOptions.encoding),
-          salt: salt.toString(effectiveOptions.encoding)
-        }
-      };
-      this.logger.debug("Data encrypted successfully", {
-        algorithm: effectiveOptions.algorithm,
-        originalLength: data.length,
-        encryptedLength: result.data.length,
-        serviceName: this.serviceName
-      });
-      return result;
-    }, "encrypt");
+  async generateSecurityReport(startDate, endDate) {
+    const allEvents = await this.audit.query({
+      startDate,
+      endDate
+    });
+    const securityViolations = allEvents.filter((e) => e.type.startsWith("security.")).length;
+    const failedLogins = allEvents.filter((e) => e.type === "auth.failed_login").length;
+    const permissionChanges = allEvents.filter((e) => e.type.startsWith("permission.")).length;
+    const dataExports = allEvents.filter((e) => e.type === "data.export").length;
+    const criticalEvents = allEvents.filter((e) => e.severity === "critical");
+    return {
+      totalEvents: allEvents.length,
+      securityViolations,
+      failedLogins,
+      permissionChanges,
+      dataExports,
+      criticalEvents
+    };
   }
   /**
-   * Decrypts data using the metadata provided with comprehensive validation.
+   * Generate user activity report
    */
-  async decrypt(encryptedData) {
-    return this.executeInfrastructureOperation(async () => {
-      if (!encryptedData || !encryptedData.data || !encryptedData.metadata) {
-        throw new Error("Invalid encrypted data structure");
-      }
-      const { data, metadata } = encryptedData;
-      const requiredFields = ["algorithm", "iv", "authTag", "salt"];
-      for (const field of requiredFields) {
-        const fieldValue = metadata[field];
-        if (fieldValue === void 0 || fieldValue === null || fieldValue === "") {
-          throw new Error(`Missing required encryption metadata field: ${field}`);
-        }
-      }
-      this.logger.debug("Starting data decryption", {
-        algorithm: metadata.algorithm,
-        encryptedLength: data.length,
-        serviceName: this.serviceName,
-        operation: "decrypt"
-      });
-      const key = await this.deriveKey(Buffer.from(metadata.salt, this.options.encoding), {
-        ...this.options,
-        algorithm: metadata.algorithm
-      });
-      const decipher = createDecipheriv(
-        metadata.algorithm,
-        key,
-        Buffer.from(metadata.iv, this.options.encoding)
-      );
-      if (isAuthenticatedDecipher(decipher) !== true) {
-        throw new Error("Decipher does not support authentication");
-      }
-      decipher.setAuthTag(Buffer.from(metadata.authTag, this.options.encoding));
-      const decrypted = Buffer.concat([
-        decipher.update(Buffer.from(data, this.options.encoding)),
-        decipher.final()
-      ]);
-      const result = decrypted.toString("utf8");
-      this.logger.debug("Data decrypted successfully", {
-        algorithm: metadata.algorithm,
-        encryptedLength: data.length,
-        decryptedLength: result.length,
-        serviceName: this.serviceName
-      });
-      return result;
-    }, "decrypt");
+  async generateUserActivityReport(userId, startDate, endDate) {
+    const events = await this.audit.query({
+      actorId: userId,
+      startDate,
+      endDate
+    });
+    const actionsByType = events.reduce(
+      (acc, event) => {
+        acc[event.type] = (acc[event.type] || 0) + 1;
+        return acc;
+      },
+      {}
+    );
+    const failedActions = events.filter((e) => e.result === "failure").length;
+    return {
+      totalActions: events.length,
+      actionsByType,
+      failedActions,
+      recentActions: events.slice(0, 10)
+    };
   }
   /**
-   * Encrypts multiple data items in batch with optimized processing.
+   * Generate compliance report
    */
-  async encryptBatch(dataItems, customOptions) {
-    return this.executeInfrastructureOperation(async () => {
-      if (!Array.isArray(dataItems) || dataItems.length === 0) {
-        throw new Error("Data items array must contain at least one item");
-      }
-      this.logger.info("Starting batch encryption", {
-        itemCount: dataItems.length,
-        serviceName: this.serviceName,
-        operation: "encryptBatch"
-      });
-      const successful = [];
-      const failed = [];
-      const encryptionPromises = dataItems.map(async (data) => {
-        try {
-          const result = await this.encrypt(data, customOptions);
-          if (result.success && result.data) {
-            successful.push(result.data);
-          } else {
-            failed.push({
-              data,
-              error: result.error ?? "Unknown encryption error"
-            });
-          }
-        } catch (error) {
-          failed.push({
-            data,
-            error: error instanceof Error ? error.message : "Unknown encryption error"
-          });
-        }
-      });
-      await Promise.allSettled(encryptionPromises);
-      this.logger.info("Batch encryption completed", {
-        totalItems: dataItems.length,
-        successful: successful.length,
-        failed: failed.length,
-        serviceName: this.serviceName
-      });
-      return { successful, failed };
-    }, "encryptBatch");
+  async generateComplianceReport(startDate, endDate) {
+    const events = await this.audit.query({
+      startDate,
+      endDate
+    });
+    const dataAccesses = events.filter((e) => e.type === "data.read").length;
+    const dataModifications = events.filter(
+      (e) => e.type === "data.update" || e.type === "data.create"
+    ).length;
+    const dataDeletions = events.filter((e) => e.type === "data.delete").length;
+    const gdprRequests = events.filter((e) => e.type.startsWith("gdpr.")).length;
+    const auditTrailComplete = this.checkAuditTrailContinuity(events);
+    return {
+      dataAccesses,
+      dataModifications,
+      dataDeletions,
+      gdprRequests,
+      auditTrailComplete
+    };
   }
   /**
-   * Generates cryptographically secure random data.
+   * Check audit trail continuity
    */
-  async generateRandomData(length = 32, encoding = "hex") {
-    return this.executeInfrastructureOperation(async () => {
-      if (length <= 0 || length > 1024) {
-        throw new Error("Random data length must be between 1 and 1024 bytes");
-      }
-      this.logger.debug("Generating random data", {
-        length,
-        encoding,
-        serviceName: this.serviceName,
-        operation: "generateRandomData"
-      });
-      const randomData = randomBytes2(length);
-      const result = randomData.toString(encoding);
-      this.logger.debug("Random data generated successfully", {
-        length,
-        encoding,
-        outputLength: result.length,
-        serviceName: this.serviceName
-      });
-      return result;
-    }, "generateRandomData");
+  checkAuditTrailContinuity(events) {
+    if (events.length === 0) return true;
+    const sorted = events.sort(
+      (a, b) => new Date(a.timestamp).getTime() - new Date(b.timestamp).getTime()
+    );
+    return sorted.length > 0;
   }
-  /**
-   * Validates the integrity of encrypted data by attempting decryption.
-   */
-  async validateEncryptedData(encryptedData) {
-    return this.executeInfrastructureOperation(async () => {
-      if (!encryptedData) {
-        throw new Error("Encrypted data is required");
-      }
-      this.logger.debug("Validating encrypted data integrity", {
-        algorithm: encryptedData.metadata.algorithm,
-        serviceName: this.serviceName,
-        operation: "validateEncryptedData"
-      });
-      try {
-        const decryptResult = await this.decrypt(encryptedData);
-        const valid = decryptResult.success && !!decryptResult.data;
-        this.logger.debug("Encrypted data validation completed", {
-          valid,
-          serviceName: this.serviceName
-        });
-        return valid ? { valid, error: void 0 } : {
-          valid,
-          error: decryptResult.error ?? "Decryption failed"
-        };
-      } catch (error) {
-        const errorMessage = error instanceof Error ? error.message : "Unknown validation error";
-        this.logger.debug("Encrypted data validation failed", {
-          error: errorMessage,
-          serviceName: this.serviceName
-        });
-        return { valid: false, error: errorMessage };
-      }
-    }, "validateEncryptedData");
+};
+var audit = new AuditSystem(new InMemoryAuditStorage());
+
+// src/auth.ts
+import { createHmac, timingSafeEqual } from "crypto";
+var OAuthProviders = {
+  google: {
+    authorizationUrl: "https://accounts.google.com/o/oauth2/v2/auth",
+    tokenUrl: "https://oauth2.googleapis.com/token",
+    userInfoUrl: "https://www.googleapis.com/oauth2/v2/userinfo",
+    scope: ["openid", "email", "profile"]
+  },
+  github: {
+    authorizationUrl: "https://github.com/login/oauth/authorize",
+    tokenUrl: "https://github.com/login/oauth/access_token",
+    userInfoUrl: "https://api.github.com/user",
+    scope: ["user:email"]
+  },
+  microsoft: {
+    authorizationUrl: "https://login.microsoftonline.com/common/oauth2/v2.0/authorize",
+    tokenUrl: "https://login.microsoftonline.com/common/oauth2/v2.0/token",
+    userInfoUrl: "https://graph.microsoft.com/v1.0/me",
+    scope: ["openid", "email", "profile"]
   }
-  /**
-   * Derives encryption key from password and salt using PBKDF2.
-   * @private
-   */
-  async deriveKey(salt, options = {}) {
-    const effectiveOptions = { ...this.options, ...options };
-    const secret = process.env.PAYLOAD_SECRET;
-    if (!secret || secret === "") {
-      throw new Error("PAYLOAD_SECRET environment variable is required for encryption");
-    }
-    return scryptAsync(secret, salt, effectiveOptions.keyLength);
+};
+var OAuthClient = class {
+  config;
+  constructor(config) {
+    this.config = {
+      ...OAuthProviders[config.provider],
+      ...config
+    };
   }
   /**
-   * @inheritdoc
+   * Get authorization URL
    */
-  async onInitialize() {
-    this.logger.info("Initializing EncryptionService", {
-      algorithm: this.options.algorithm,
-      keyLength: this.options.keyLength,
-      serviceName: this.serviceName
+  getAuthorizationUrl(state) {
+    const params = new URLSearchParams({
+      client_id: this.config.clientId,
+      redirect_uri: this.config.redirectUri,
+      response_type: "code",
+      scope: (this.config.scope || []).join(" ")
     });
-    if (!process.env.PAYLOAD_SECRET) {
-      throw new Error("PAYLOAD_SECRET environment variable is required for EncryptionService");
-    }
-    try {
-      const testData = "encryption-test-data";
-      const encrypted = await this.encrypt(testData);
-      if (!encrypted.success || !encrypted.data) {
-        throw new Error("Encryption test failed");
-      }
-      const decrypted = await this.decrypt(encrypted.data);
-      if (!decrypted.success || decrypted.data !== testData) {
-        throw new Error("Decryption test failed");
-      }
-      this.logger.debug("EncryptionService initialization test passed", {
-        serviceName: this.serviceName
-      });
-    } catch (error) {
-      throw new Error(
-        `EncryptionService initialization failed: ${error instanceof Error ? error.message : "Unknown error"}`
-      );
+    if (state) {
+      params.append("state", state);
     }
+    return `${this.config.authorizationUrl}?${params.toString()}`;
   }
   /**
-   * @inheritdoc
+   * Exchange code for token
    */
-  async onCleanup() {
-    this.logger.info("Cleaning up EncryptionService", {
-      serviceName: this.serviceName
+  async exchangeCodeForToken(code) {
+    if (!this.config.tokenUrl) throw new Error("tokenUrl is required for OAuth");
+    const response = await fetch(this.config.tokenUrl, {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/x-www-form-urlencoded"
+      },
+      body: new URLSearchParams({
+        client_id: this.config.clientId,
+        client_secret: this.config.clientSecret,
+        code,
+        grant_type: "authorization_code",
+        redirect_uri: this.config.redirectUri
+      })
     });
+    if (!response.ok) {
+      let detail = "";
+      try {
+        const body = await response.text();
+        detail = `: ${response.status} ${body.slice(0, 200)}`;
+      } catch {
+        detail = `: ${response.status}`;
+      }
+      throw new Error(`Failed to exchange code for token${detail}`);
+    }
+    return response.json();
   }
   /**
-   * @inheritdoc
+   * Get user info
    */
-  async onHealthCheck() {
-    try {
-      const testData = "health-check-data";
-      const encrypted = await this.encrypt(testData);
-      if (!encrypted.success || !encrypted.data) {
-        throw new Error("Health check encryption failed");
+  async getUserInfo(accessToken) {
+    if (!this.config.userInfoUrl) throw new Error("userInfoUrl is required for OAuth");
+    const response = await fetch(this.config.userInfoUrl, {
+      headers: {
+        Authorization: `Bearer ${accessToken}`
       }
-      const decrypted = await this.decrypt(encrypted.data);
-      if (!decrypted.success || decrypted.data !== testData) {
-        throw new Error("Health check decryption failed");
+    });
+    if (!response.ok) {
+      let detail = "";
+      try {
+        const body = await response.text();
+        detail = `: ${response.status} ${body.slice(0, 200)}`;
+      } catch {
+        detail = `: ${response.status}`;
       }
-    } catch (error) {
-      throw new Error(
-        `EncryptionService health check failed: ${error instanceof Error ? error.message : "Unknown error"}`
-      );
+      throw new Error(`Failed to fetch user info${detail}`);
     }
+    return response.json();
   }
 };
-
-// src/SecurityMonitoringService.ts
-var devLogger2 = {
-  info: (...args) => console.log("[security]", ...args),
-  warn: (...args) => console.warn("[security]", ...args),
-  error: (...args) => console.error("[security]", ...args)
-};
-var createSecurityEvent = (type, severity, message, options) => {
-  const baseEvent = {
-    id: crypto.randomUUID(),
-    type,
-    severity,
-    message,
-    timestamp: /* @__PURE__ */ new Date(),
-    ...options?.metadata ? { metadata: options.metadata } : {},
-    ...options?.userId !== void 0 ? { userId: options.userId } : {},
-    ...options?.ipAddress !== void 0 ? { ipAddress: options.ipAddress } : {},
-    ...options?.userAgent !== void 0 ? { userAgent: options.userAgent } : {}
-  };
-  return baseEvent;
-};
-var calculateSecurityMetrics = (events2) => {
-  if (events2.length === 0) {
-    return {
-      totalEvents: 0,
-      eventsByType: {},
-      eventsBySeverity: {},
-      averageResponseTime: 0
-    };
-  }
-  const eventsByType = events2.reduce((acc, event) => {
-    acc[event.type] = (acc[event.type] || 0) + 1;
-    return acc;
-  }, {});
-  const eventsBySeverity = events2.reduce((acc, event) => {
-    acc[event.severity] = (acc[event.severity] || 0) + 1;
-    return acc;
-  }, {});
-  const lastEventTime = events2.length > 0 ? new Date(Math.max(...events2.map((e) => e.timestamp.getTime()))) : void 0;
-  return {
-    totalEvents: events2.length,
-    eventsByType,
-    eventsBySeverity,
-    averageResponseTime: 0,
-    // Would be calculated from actual response times
-    ...lastEventTime !== void 0 ? { lastEventTime } : {}
-  };
-};
-var shouldTriggerAlert = (event, thresholds) => {
-  const now = /* @__PURE__ */ new Date();
-  const timeWindowStart = new Date(now.getTime() - thresholds.timeWindowMs);
-  const recentEvents = events.filter(
-    (event2) => event2.timestamp >= timeWindowStart && event2.timestamp <= now
-  );
-  const criticalCount = recentEvents.filter((e) => e.severity === "critical").length;
-  const highCount = recentEvents.filter((e) => e.severity === "high").length;
-  const mediumCount = recentEvents.filter((e) => e.severity === "medium").length;
-  if (criticalCount >= thresholds.criticalCount) return true;
-  if (highCount >= thresholds.highCount) return true;
-  if (mediumCount >= thresholds.mediumCount) return true;
-  if (event.severity === "critical") return true;
-  return false;
-};
-var createSecurityAlert = (event, alertType = "threshold_exceeded") => ({
-  id: crypto.randomUUID(),
-  type: alertType,
-  severity: event.severity,
-  message: `Security alert: ${event.message}`,
-  timestamp: /* @__PURE__ */ new Date(),
-  metadata: {
-    originalEventId: event.id,
-    originalEventType: event.type,
-    ...event.metadata
-  }
-});
-var filterEvents = (events2, criteria) => {
-  return events2.filter((event) => {
-    if (criteria.type && event.type !== criteria.type) return false;
-    if (criteria.severity && event.severity !== criteria.severity) return false;
-    if (criteria.userId && event.userId !== criteria.userId) return false;
-    if (criteria.timeRange) {
-      const eventTime = event.timestamp.getTime();
-      const startTime = criteria.timeRange.start.getTime();
-      const endTime = criteria.timeRange.end.getTime();
-      if (eventTime < startTime || eventTime > endTime) return false;
-    }
-    return true;
-  });
-};
-var events = [];
-var alerts = [];
-var addSecurityEvent = (event) => {
-  events.push(event);
-  devLogger2.info("Security event recorded", {
-    eventId: event.id,
-    type: event.type,
-    severity: event.severity,
-    message: event.message,
-    userId: event.userId,
-    timestamp: event.timestamp.toISOString()
+var PH_ITERATIONS = 1e5;
+var PH_KEY_LENGTH = 64;
+var PH_DIGEST = "sha512";
+async function hashPassword(password) {
+  const { pbkdf2, randomBytes: rb } = await import("crypto");
+  const salt = rb(16).toString("hex");
+  return new Promise((resolve, reject) => {
+    pbkdf2(password, salt, PH_ITERATIONS, PH_KEY_LENGTH, PH_DIGEST, (err, derivedKey) => {
+      if (err) reject(err);
+      else resolve(`${salt}:${derivedKey.toString("hex")}`);
+    });
   });
-  if (shouldTriggerAlert(event, {
-    criticalCount: 1,
-    highCount: 5,
-    mediumCount: 10,
-    timeWindowMs: 6e4
-    // 1 minute
-  })) {
-    const alert = createSecurityAlert(event);
-    alerts.push(alert);
-    devLogger2.warn("Security alert triggered", {
-      alertId: alert.id,
-      eventId: event.id,
-      severity: alert.severity,
-      message: alert.message
+}
+async function verifyPassword(password, storedHash) {
+  const { pbkdf2, timingSafeEqual: tse } = await import("crypto");
+  const [salt, hash] = storedHash.split(":");
+  if (!(salt && hash)) {
+    return false;
+  }
+  return new Promise((resolve, reject) => {
+    pbkdf2(password, salt, PH_ITERATIONS, PH_KEY_LENGTH, PH_DIGEST, (err, derivedKey) => {
+      if (err) reject(err);
+      else {
+        const derived = Buffer.from(derivedKey.toString("hex"), "utf-8");
+        const expected = Buffer.from(hash, "utf-8");
+        if (derived.length !== expected.length) {
+          resolve(false);
+        } else {
+          resolve(tse(derived, expected));
+        }
+      }
     });
-  }
+  });
+}
+var PasswordHasher = {
+  hash: hashPassword,
+  verify: verifyPassword
 };
-var getSecurityEvents = () => [...events];
-var getSecurityAlerts = () => [...alerts];
-var getSecurityMetrics = () => calculateSecurityMetrics(events);
-var clearSecurityData = () => {
-  events = [];
-  alerts = [];
-};
-var logAuthenticationEvent = (userId, success, options) => {
-  const eventOptions = {
-    userId,
-    ...options?.ipAddress !== void 0 ? { ipAddress: options.ipAddress } : {},
-    ...options?.userAgent !== void 0 ? { userAgent: options.userAgent } : {},
-    metadata: {
-      success,
-      ...options?.metadata
+function base32Encode(buffer) {
+  const alphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567";
+  let result = "";
+  let bits = 0;
+  let value = 0;
+  for (const byte of buffer) {
+    if (byte === void 0) continue;
+    value = value << 8 | byte;
+    bits += 8;
+    while (bits >= 5) {
+      result += alphabet[value >>> bits - 5 & 31];
+      bits -= 5;
     }
-  };
-  const event = createSecurityEvent(
-    "authentication",
-    success ? "low" : "high",
-    `Authentication ${success ? "successful" : "failed"} for user ${userId}`,
-    eventOptions
-  );
-  addSecurityEvent(event);
+  }
+  if (bits > 0) {
+    result += alphabet[value << 5 - bits & 31];
+  }
+  return result;
+}
+function totpHmac(key, message) {
+  const hmacDigest = createHmac("sha1", key).update(message).digest();
+  return new Uint8Array(hmacDigest);
+}
+function generateSecret() {
+  const crypto2 = globalThis.crypto;
+  if (!crypto2) {
+    throw new Error("Crypto API not available");
+  }
+  const buffer = new Uint8Array(20);
+  crypto2.getRandomValues(buffer);
+  return base32Encode(buffer);
+}
+function generateCode(secret, timestamp) {
+  const time = Math.floor((timestamp || Date.now()) / 3e4);
+  const hmacDigest = totpHmac(secret, time.toString());
+  const offset = hmacDigest[hmacDigest.length - 1] & 15;
+  const b0 = hmacDigest[offset] & 127;
+  const b1 = hmacDigest[offset + 1] & 255;
+  const b2 = hmacDigest[offset + 2] & 255;
+  const b3 = hmacDigest[offset + 3] & 255;
+  const code = (b0 << 24 | b1 << 16 | b2 << 8 | b3) % 1e6;
+  return code.toString().padStart(6, "0");
+}
+function verifyCode(secret, code, window = 1) {
+  const timestamp = Date.now();
+  for (let i = -window; i <= window; i++) {
+    const testTime = timestamp + i * 3e4;
+    const testCode = generateCode(secret, testTime);
+    if (testCode.length === code.length && timingSafeEqual(Buffer.from(testCode), Buffer.from(code))) {
+      return true;
+    }
+  }
+  return false;
+}
+var TwoFactorAuth = {
+  generateSecret,
+  generateCode,
+  verifyCode
 };
-var logAuthorizationEvent = (userId, resource, action, granted, options) => {
-  const eventOptions = {
-    userId,
-    ...options?.ipAddress !== void 0 ? { ipAddress: options.ipAddress } : {},
-    ...options?.userAgent !== void 0 ? { userAgent: options.userAgent } : {},
-    metadata: {
-      resource,
-      action,
-      granted,
-      ...options?.metadata
+
+// src/authorization.ts
+var AuthorizationSystem = class {
+  roles = /* @__PURE__ */ new Map();
+  policies = /* @__PURE__ */ new Map();
+  /**
+   * Register role
+   */
+  registerRole(role) {
+    this.roles.set(role.id, role);
+  }
+  /**
+   * Get role
+   */
+  getRole(roleId) {
+    return this.roles.get(roleId);
+  }
+  /**
+   * Register policy
+   */
+  registerPolicy(policy) {
+    this.policies.set(policy.id, policy);
+  }
+  /**
+   * Check if user has permission (RBAC)
+   */
+  hasPermission(userRoles, resource, action) {
+    const permissions = this.getUserPermissions(userRoles);
+    return permissions.some(
+      (permission) => this.matchesResource(permission.resource, resource) && this.matchesAction(permission.action, action)
+    );
+  }
+  /**
+   * Check access with policies (ABAC)
+   */
+  checkAccess(context, resource, action) {
+    if (this.hasPermission(context.user.roles, resource, action)) {
+      return { allowed: true };
     }
-  };
-  const event = createSecurityEvent(
-    "authorization",
-    granted ? "low" : "medium",
-    `Authorization ${granted ? "granted" : "denied"} for user ${userId} on ${resource}:${action}`,
-    eventOptions
-  );
-  addSecurityEvent(event);
+    const applicablePolicies = this.getApplicablePolicies(resource, action, context);
+    applicablePolicies.sort((a, b) => (b.priority || 0) - (a.priority || 0));
+    for (const policy of applicablePolicies) {
+      if (this.evaluateConditions(policy.conditions || [], context)) {
+        return {
+          allowed: policy.effect === "allow",
+          reason: policy.effect === "deny" ? `Denied by policy: ${policy.name}` : void 0
+        };
+      }
+    }
+    return { allowed: false, reason: "No matching policy" };
+  }
+  /**
+   * Get all permissions for roles
+   */
+  getUserPermissions(roleIds) {
+    const permissions = [];
+    const visited = /* @__PURE__ */ new Set();
+    const addRolePermissions = (roleId) => {
+      if (visited.has(roleId)) return;
+      visited.add(roleId);
+      const role = this.roles.get(roleId);
+      if (!role) return;
+      permissions.push(...role.permissions);
+      if (role.inherits) {
+        role.inherits.forEach((inheritedRoleId) => {
+          addRolePermissions(inheritedRoleId);
+        });
+      }
+    };
+    roleIds.forEach(addRolePermissions);
+    return permissions;
+  }
+  /**
+   * Get applicable policies
+   */
+  getApplicablePolicies(resource, action, _context) {
+    return Array.from(this.policies.values()).filter((policy) => {
+      const resourceMatches = policy.resources.some((r) => this.matchesResource(r, resource));
+      const actionMatches = policy.actions.some((a) => this.matchesAction(a, action));
+      return resourceMatches && actionMatches;
+    });
+  }
+  /**
+   * Match resource pattern
+   */
+  matchesResource(pattern, resource) {
+    if (pattern === "*") return true;
+    if (pattern === resource) return true;
+    const regex = new RegExp(
+      `^${pattern.replace(/\./g, "\\.").replace(/\*/g, ".*").replace(/\?/g, ".")}$`
+    );
+    return regex.test(resource);
+  }
+  /**
+   * Match action pattern
+   */
+  matchesAction(pattern, action) {
+    if (pattern === "*") return true;
+    if (pattern === action) return true;
+    const regex = new RegExp(
+      `^${pattern.replace(/\./g, "\\.").replace(/\*/g, ".*").replace(/\?/g, ".")}$`
+    );
+    return regex.test(action);
+  }
+  /**
+   * Evaluate policy conditions
+   */
+  evaluateConditions(conditions, context) {
+    return conditions.every((condition) => {
+      const value = this.getContextValue(condition.field, context);
+      return this.evaluateCondition(condition, value);
+    });
+  }
+  /**
+   * Get value from context
+   */
+  getContextValue(field, context) {
+    const parts = field.split(".");
+    let value = context;
+    for (const part of parts) {
+      if (value && typeof value === "object" && part in value) {
+        value = value[part];
+      } else {
+        return void 0;
+      }
+    }
+    return value;
+  }
+  /**
+   * Evaluate single condition
+   */
+  evaluateCondition(condition, value) {
+    switch (condition.operator) {
+      case "eq":
+        return value === condition.value;
+      case "ne":
+        return value !== condition.value;
+      case "gt":
+        return typeof value === "number" && value > condition.value;
+      case "gte":
+        return typeof value === "number" && value >= condition.value;
+      case "lt":
+        return typeof value === "number" && value < condition.value;
+      case "lte":
+        return typeof value === "number" && value <= condition.value;
+      case "in":
+        return Array.isArray(condition.value) && condition.value.includes(value);
+      case "contains":
+        return typeof value === "string" && typeof condition.value === "string" && value.includes(condition.value);
+      default:
+        return false;
+    }
+  }
+  /**
+   * Check if user owns resource
+   */
+  ownsResource(userId, resource) {
+    return resource.owner === userId;
+  }
+  /**
+   * Clear all roles and policies
+   */
+  clear() {
+    this.roles.clear();
+    this.policies.clear();
+  }
 };
-var logDataAccessEvent = (userId, collection, operation, recordId, options) => {
-  const eventOptions = {
-    userId,
-    ...options?.ipAddress !== void 0 ? { ipAddress: options.ipAddress } : {},
-    ...options?.userAgent !== void 0 ? { userAgent: options.userAgent } : {},
-    metadata: {
-      collection,
-      operation,
-      recordId,
-      ...options?.metadata
+var authorization = new AuthorizationSystem();
+var CommonRoles = {
+  owner: {
+    id: "owner",
+    name: "Owner",
+    description: "Full control \u2014 inherits admin",
+    permissions: [{ resource: "*", action: "*" }],
+    inherits: ["admin"]
+  },
+  admin: {
+    id: "admin",
+    name: "Administrator",
+    description: "Full system access",
+    permissions: [{ resource: "*", action: "*" }]
+  },
+  editor: {
+    id: "editor",
+    name: "Editor",
+    description: "Can read and modify content",
+    permissions: [
+      { resource: "content", action: "read" },
+      { resource: "content", action: "create" },
+      { resource: "content", action: "update" },
+      { resource: "profile", action: "read" },
+      { resource: "profile", action: "update" },
+      { resource: "sites", action: "read" },
+      { resource: "marketplace", action: "read" }
+    ]
+  },
+  viewer: {
+    id: "viewer",
+    name: "Viewer",
+    description: "Read-only access",
+    permissions: [
+      { resource: "content", action: "read" },
+      { resource: "profile", action: "read" },
+      { resource: "sites", action: "read" },
+      { resource: "public", action: "read" }
+    ]
+  },
+  agent: {
+    id: "agent",
+    name: "AI Agent",
+    description: "Can execute tasks and read content",
+    permissions: [
+      { resource: "tasks", action: "create" },
+      { resource: "tasks", action: "read" },
+      { resource: "content", action: "read" },
+      { resource: "rag", action: "read" },
+      { resource: "rag", action: "create" }
+    ]
+  },
+  contributor: {
+    id: "contributor",
+    name: "Contributor",
+    description: "Can suggest changes \u2014 create drafts but not publish or delete",
+    permissions: [
+      { resource: "content", action: "read" },
+      { resource: "content", action: "create" },
+      { resource: "profile", action: "read" },
+      { resource: "profile", action: "update" }
+    ]
+  }
+};
+var PermissionBuilder = class {
+  permission = {};
+  resource(resource) {
+    this.permission.resource = resource;
+    return this;
+  }
+  action(action) {
+    this.permission.action = action;
+    return this;
+  }
+  conditions(conditions) {
+    this.permission.conditions = conditions;
+    return this;
+  }
+  build() {
+    if (!(this.permission.resource && this.permission.action)) {
+      throw new Error("Resource and action are required");
     }
-  };
-  const event = createSecurityEvent(
-    "data_access",
-    operation === "delete" ? "medium" : "low",
-    `Data access: ${operation} on ${collection}${recordId ? ` (${recordId})` : ""} by user ${userId}`,
-    eventOptions
-  );
-  addSecurityEvent(event);
+    return this.permission;
+  }
 };
-var getUserEvents = (userId) => filterEvents(events, { userId });
-var getEventsBySeverity = (severity) => filterEvents(events, { severity });
-var getEventsInTimeRange = (start, end) => filterEvents(events, { timeRange: { start, end } });
-var SecurityMonitoringService = {
-  // Event management
-  addEvent: addSecurityEvent,
-  getEvents: getSecurityEvents,
-  getUserEvents,
-  getEventsBySeverity,
-  getEventsInTimeRange,
-  // Alert management
-  getAlerts: getSecurityAlerts,
-  // Metrics
-  getMetrics: getSecurityMetrics,
-  // Utility functions
-  logAuthenticationEvent,
-  logAuthorizationEvent,
-  logDataAccessEvent,
-  // Testing utilities
-  clearData: clearSecurityData,
-  // Pure functions for composition
-  createEvent: createSecurityEvent,
-  createAlert: createSecurityAlert,
-  filterEvents,
-  calculateMetrics: calculateSecurityMetrics
+var PolicyBuilder = class {
+  policy = {
+    effect: "allow",
+    resources: [],
+    actions: [],
+    conditions: []
+  };
+  id(id) {
+    this.policy.id = id;
+    return this;
+  }
+  name(name) {
+    this.policy.name = name;
+    return this;
+  }
+  allow() {
+    this.policy.effect = "allow";
+    return this;
+  }
+  deny() {
+    this.policy.effect = "deny";
+    return this;
+  }
+  resources(...resources) {
+    this.policy.resources = resources;
+    return this;
+  }
+  actions(...actions) {
+    this.policy.actions = actions;
+    return this;
+  }
+  condition(field, operator, value) {
+    if (!this.policy.conditions) {
+      this.policy.conditions = [];
+    }
+    this.policy.conditions.push({ field, operator, value });
+    return this;
+  }
+  priority(priority) {
+    this.policy.priority = priority;
+    return this;
+  }
+  build() {
+    if (!(this.policy.id && this.policy.name)) {
+      throw new Error("ID and name are required");
+    }
+    return this.policy;
+  }
 };
-
-// src/SecurityService.ts
-import { NextResponse } from "next/server";
-import { createHmac as createHmac2 } from "crypto";
-async function getPayloadClient() {
-  return { logger: console };
+function RequirePermission(resource, action) {
+  return (_target, _propertyKey, descriptor) => {
+    const originalMethod = descriptor.value;
+    descriptor.value = function(...args) {
+      const userRoles = this.user?.roles || [];
+      if (!authorization.hasPermission(userRoles, resource, action)) {
+        throw new Error(`Permission denied: ${resource}:${action}`);
+      }
+      return originalMethod.apply(this, args);
+    };
+    return descriptor;
+  };
 }
-var logger = {
-  info: (message, ...args) => console.log(`[SecurityService] ${message}`, ...args),
-  warn: (message, ...args) => console.warn(`[SecurityService] ${message}`, ...args),
-  error: (message, ...args) => console.error(`[SecurityService] ${message}`, ...args)
-};
-async function securityMiddleware(req) {
-  const response = new NextResponse();
-  try {
-    const payload = await getPayloadClient();
-    payload.logger.info(`Security middleware started for ${req.method} ${req.url}`);
-  } catch {
-    logger.info(`Security middleware started for ${req.method} ${req.url}`);
-  }
-  response.headers.set("X-Content-Type-Options", "nosniff");
-  response.headers.set("X-Frame-Options", "DENY");
-  response.headers.set("X-XSS-Protection", "1; mode=block");
-  response.headers.set("Referrer-Policy", "strict-origin-when-cross-origin");
-  response.headers.set("Strict-Transport-Security", "max-age=31536000; includeSubDomains");
-  const isApiRoute = req.nextUrl.pathname.startsWith("/api");
-  const csp = isApiRoute ? "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'" : "default-src 'self'";
-  response.headers.set("Content-Security-Policy", csp);
-  try {
-    const payload = await getPayloadClient();
-    payload.logger.info("Security middleware completed");
-  } catch {
-    logger.info("Security middleware completed");
-  }
-  return;
+function RequireRole(requiredRole) {
+  return (_target, _propertyKey, descriptor) => {
+    const originalMethod = descriptor.value;
+    descriptor.value = function(...args) {
+      const userRoles = this.user?.roles || [];
+      if (!userRoles.includes(requiredRole)) {
+        throw new Error(`Role required: ${requiredRole}`);
+      }
+      return originalMethod.apply(this, args);
+    };
+    return descriptor;
+  };
 }
-function createSecurity(config) {
-  return {
-    generateCsrfToken(sessionId) {
-      return createHmac2("sha256", config.csrfSecret).update(sessionId).digest("hex");
-    },
-    isTokenExpired(exp) {
-      return Date.now() / 1e3 > exp;
-    },
-    getAccessTokenExpiry() {
-      return config.tokenExpiry.access;
-    },
-    getRefreshTokenExpiry() {
-      return config.tokenExpiry.refresh;
+function createAuthorizationMiddleware(getUser, resource, action) {
+  return (request, next) => {
+    const user = getUser(request);
+    if (!authorization.hasPermission(user.roles, resource, action)) {
+      throw new Error(`Permission denied: ${resource}:${action}`);
     }
+    return next();
   };
 }
+function canAccessResource(userId, userRoles, resource, action) {
+  if (authorization.hasPermission(userRoles, resource.type, action)) {
+    return true;
+  }
+  if (authorization.ownsResource(userId, resource)) {
+    return true;
+  }
+  return false;
+}
+function checkAttributeAccess(context, resource, action, requiredAttributes) {
+  const { allowed } = authorization.checkAccess(context, resource, action);
+  if (!allowed) {
+    return false;
+  }
+  if (requiredAttributes) {
+    const userAttributes = context.user.attributes || {};
+    return Object.entries(requiredAttributes).every(
+      ([key, value]) => userAttributes[key] === value
+    );
+  }
+  return true;
+}
+var PermissionCache = class {
+  cache = /* @__PURE__ */ new Map();
+  ttl;
+  maxEntries;
+  constructor(ttl = 3e5, maxEntries = 1e4) {
+    this.ttl = ttl;
+    this.maxEntries = maxEntries;
+  }
+  /**
+   * Get cached permission
+   */
+  get(userId, resource, action) {
+    const key = this.getCacheKey(userId, resource, action);
+    const cached = this.cache.get(key);
+    if (!cached) {
+      return void 0;
+    }
+    if (Date.now() > cached.expiresAt) {
+      this.cache.delete(key);
+      return void 0;
+    }
+    return cached.allowed;
+  }
+  /**
+   * Set cached permission
+   */
+  set(userId, resource, action, allowed) {
+    const key = this.getCacheKey(userId, resource, action);
+    if (this.cache.size >= this.maxEntries) {
+      const now = Date.now();
+      for (const [k, v] of this.cache) {
+        if (now > v.expiresAt) this.cache.delete(k);
+      }
+      if (this.cache.size >= this.maxEntries) {
+        const excess = this.cache.size - this.maxEntries + 1;
+        const keys = this.cache.keys();
+        for (let i = 0; i < excess; i++) {
+          const next = keys.next();
+          if (!next.done) this.cache.delete(next.value);
+        }
+      }
+    }
+    this.cache.set(key, {
+      allowed,
+      expiresAt: Date.now() + this.ttl
+    });
+  }
+  /**
+   * Clear cache for user
+   */
+  clearUser(userId) {
+    for (const key of this.cache.keys()) {
+      if (key.startsWith(`${userId}:`)) {
+        this.cache.delete(key);
+      }
+    }
+  }
+  /**
+   * Clear all cache
+   */
+  clear() {
+    this.cache.clear();
+  }
+  /**
+   * Get cache key
+   */
+  getCacheKey(userId, resource, action) {
+    return `${userId}:${resource}:${action}`;
+  }
+};
+var permissionCache = new PermissionCache();
 
-// src/SessionService.ts
-var logger2 = {
-  info: (message, ...args) => console.log(`[SessionService] ${message}`, ...args),
-  warn: (message, ...args) => console.warn(`[SessionService] ${message}`, ...args),
-  error: (message, ...args) => console.error(`[SessionService] ${message}`, ...args)
+// src/encryption.ts
+var DEFAULT_CONFIG = {
+  algorithm: "AES-GCM",
+  keySize: 256,
+  ivSize: 12
 };
-var devLogger3 = {
-  info: (...args) => logger2.info(String(args[0]), ...args.slice(1)),
-  warn: (...args) => logger2.warn(String(args[0]), ...args.slice(1)),
-  error: (...args) => logger2.error(String(args[0]), ...args.slice(1)),
-  forService: (_name) => ({
-    info: (...args) => logger2.info(String(args[0]), ...args.slice(1)),
-    warn: (...args) => logger2.warn(String(args[0]), ...args.slice(1)),
-    error: (...args) => logger2.error(String(args[0]), ...args.slice(1))
-  })
+var EncryptionSystem = class {
+  config;
+  keys = /* @__PURE__ */ new Map();
+  constructor(config = {}) {
+    this.config = { ...DEFAULT_CONFIG, ...config };
+  }
+  /**
+   * Generate encryption key
+   */
+  async generateKey(keyId) {
+    const crypto2 = globalThis.crypto;
+    if (!crypto2) {
+      throw new Error("Crypto API not available");
+    }
+    const key = await crypto2.subtle.generateKey(
+      {
+        name: this.config.algorithm,
+        length: this.config.keySize
+      },
+      this.config.extractable ?? false,
+      // non-extractable by default — prevents key exfiltration
+      ["encrypt", "decrypt"]
+    );
+    if (keyId) {
+      this.keys.set(keyId, key);
+    }
+    return key;
+  }
+  /**
+   * Import key from raw data
+   */
+  async importKey(keyData, keyId) {
+    const crypto2 = globalThis.crypto;
+    if (!crypto2) {
+      throw new Error("Crypto API not available");
+    }
+    const key = await crypto2.subtle.importKey(
+      "raw",
+      keyData,
+      {
+        name: this.config.algorithm,
+        length: this.config.keySize
+      },
+      this.config.extractable ?? false,
+      // non-extractable by default — prevents key exfiltration
+      ["encrypt", "decrypt"]
+    );
+    if (keyId) {
+      this.keys.set(keyId, key);
+    }
+    return key;
+  }
+  /**
+   * Export key to raw data
+   */
+  async exportKey(key) {
+    const crypto2 = globalThis.crypto;
+    if (!crypto2) {
+      throw new Error("Crypto API not available");
+    }
+    return crypto2.subtle.exportKey("raw", key);
+  }
+  /**
+   * Encrypt data
+   */
+  async encrypt(data, keyOrId) {
+    const crypto2 = globalThis.crypto;
+    if (!crypto2) {
+      throw new Error("Crypto API not available");
+    }
+    const key = typeof keyOrId === "string" ? this.keys.get(keyOrId) : keyOrId;
+    if (!key) {
+      throw new Error("Key not found");
+    }
+    const iv = crypto2.getRandomValues(new Uint8Array(this.config.ivSize || 12));
+    const encoder = new TextEncoder();
+    const encodedData = encoder.encode(data);
+    const encrypted = await crypto2.subtle.encrypt(
+      {
+        name: this.config.algorithm,
+        iv
+      },
+      key,
+      encodedData
+    );
+    const encryptedArray = new Uint8Array(encrypted);
+    const ivArray = new Uint8Array(iv);
+    return {
+      data: this.arrayBufferToBase64(encryptedArray),
+      iv: this.arrayBufferToBase64(ivArray),
+      algorithm: this.config.algorithm
+    };
+  }
+  /**
+   * Decrypt data
+   */
+  async decrypt(encryptedData, keyOrId) {
+    const crypto2 = globalThis.crypto;
+    if (!crypto2) {
+      throw new Error("Crypto API not available");
+    }
+    const key = typeof keyOrId === "string" ? this.keys.get(keyOrId) : keyOrId;
+    if (!key) {
+      throw new Error("Key not found");
+    }
+    const data = this.base64ToArrayBuffer(encryptedData.data);
+    const iv = this.base64ToArrayBuffer(encryptedData.iv);
+    const decrypted = await crypto2.subtle.decrypt(
+      {
+        name: encryptedData.algorithm,
+        iv
+      },
+      key,
+      data
+    );
+    const decoder = new TextDecoder();
+    return decoder.decode(decrypted);
+  }
+  /**
+   * Encrypt object
+   */
+  async encryptObject(obj, keyOrId) {
+    const json = JSON.stringify(obj);
+    return this.encrypt(json, keyOrId);
+  }
+  /**
+   * Decrypt object
+   */
+  async decryptObject(encryptedData, keyOrId) {
+    const json = await this.decrypt(encryptedData, keyOrId);
+    return JSON.parse(json);
+  }
+  /**
+   * Hash data
+   */
+  async hash(data, algorithm = "SHA-256") {
+    const crypto2 = globalThis.crypto;
+    if (!crypto2) {
+      throw new Error("Crypto API not available");
+    }
+    const encoder = new TextEncoder();
+    const encodedData = encoder.encode(data);
+    const hashBuffer = await crypto2.subtle.digest(algorithm, encodedData);
+    return this.arrayBufferToBase64(new Uint8Array(hashBuffer));
+  }
+  /**
+   * Generate random bytes
+   */
+  randomBytes(length) {
+    const crypto2 = globalThis.crypto;
+    if (!crypto2) {
+      throw new Error("Crypto API not available");
+    }
+    return crypto2.getRandomValues(new Uint8Array(length));
+  }
+  /**
+   * Generate random string
+   */
+  randomString(length, charset = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789") {
+    const maxValid = 256 - 256 % charset.length;
+    const result = [];
+    while (result.length < length) {
+      const bytes = this.randomBytes(length - result.length + 16);
+      for (const byte of bytes) {
+        if (byte < maxValid) {
+          result.push(charset[byte % charset.length]);
+          if (result.length === length) break;
+        }
+      }
+    }
+    return result.join("");
+  }
+  /**
+   * Convert ArrayBuffer to base64
+   */
+  arrayBufferToBase64(buffer) {
+    const bytes = Array.from(buffer);
+    const binary = bytes.map((byte) => String.fromCharCode(byte)).join("");
+    if (typeof btoa !== "undefined") {
+      return btoa(binary);
+    }
+    if (typeof Buffer !== "undefined") {
+      return Buffer.from(binary, "binary").toString("base64");
+    }
+    throw new Error("No base64 encoding available");
+  }
+  /**
+   * Convert base64 to ArrayBuffer
+   */
+  base64ToArrayBuffer(base64) {
+    let binary;
+    if (typeof atob !== "undefined") {
+      binary = atob(base64);
+    } else if (typeof Buffer !== "undefined") {
+      binary = Buffer.from(base64, "base64").toString("binary");
+    } else {
+      throw new Error("No base64 decoding available");
+    }
+    const bytes = new Uint8Array(binary.length);
+    for (let i = 0; i < binary.length; i++) {
+      bytes[i] = binary.charCodeAt(i);
+    }
+    return bytes;
+  }
+  /**
+   * Store key
+   */
+  storeKey(keyId, key) {
+    this.keys.set(keyId, key);
+  }
+  /**
+   * Get key
+   */
+  getKey(keyId) {
+    return this.keys.get(keyId);
+  }
+  /**
+   * Remove key
+   */
+  removeKey(keyId) {
+    this.keys.delete(keyId);
+  }
+  /**
+   * Clear all keys
+   */
+  clearKeys() {
+    this.keys.clear();
+  }
 };
-async function getPayloadClient2() {
-  return {
-    logger: {
-      info: (...args) => logger2.info(String(args[0]), ...args.slice(1)),
-      warn: (...args) => logger2.warn(String(args[0]), ...args.slice(1)),
-      error: (...args) => logger2.error(String(args[0]), ...args.slice(1))
+var encryption = new EncryptionSystem();
+var FieldEncryption = class {
+  encryption;
+  key = null;
+  constructor(encryption2) {
+    this.encryption = encryption2;
+  }
+  /**
+   * Initialize with key
+   */
+  async initialize(key) {
+    this.key = key;
+  }
+  /**
+   * Encrypt field
+   */
+  async encryptField(value) {
+    if (!this.key) {
+      throw new Error("Encryption not initialized");
     }
-  };
+    const stringValue = typeof value === "string" ? value : JSON.stringify(value);
+    return this.encryption.encrypt(stringValue, this.key);
+  }
+  /**
+   * Decrypt field
+   */
+  async decryptField(encryptedData) {
+    if (!this.key) {
+      throw new Error("Encryption not initialized");
+    }
+    const decrypted = await this.encryption.decrypt(encryptedData, this.key);
+    try {
+      return JSON.parse(decrypted);
+    } catch {
+      return decrypted;
+    }
+  }
+  /**
+   * Encrypt object fields
+   */
+  async encryptFields(obj, fields) {
+    const result = { ...obj };
+    for (const field of fields) {
+      if (field in result) {
+        result[field] = await this.encryptField(result[field]);
+      }
+    }
+    return result;
+  }
+  /**
+   * Decrypt object fields
+   */
+  async decryptFields(obj, fields) {
+    const result = { ...obj };
+    for (const field of fields) {
+      if (field in result && typeof result[field] === "object" && result[field] !== null) {
+        const encryptedData = result[field];
+        if ("data" in encryptedData && "iv" in encryptedData) {
+          result[field] = await this.decryptField(encryptedData);
+        }
+      }
+    }
+    return result;
+  }
+};
+var KeyRotationManager = class {
+  encryption;
+  currentKeyId;
+  oldKeys = /* @__PURE__ */ new Map();
+  keyCreationDates = /* @__PURE__ */ new Map();
+  constructor(encryption2, initialKeyId) {
+    this.encryption = encryption2;
+    this.currentKeyId = initialKeyId;
+    this.keyCreationDates.set(initialKeyId, /* @__PURE__ */ new Date());
+  }
+  /**
+   * Rotate to new key
+   */
+  async rotate(newKeyId, newKey) {
+    const oldKey = this.encryption.getKey(this.currentKeyId);
+    if (oldKey) {
+      this.oldKeys.set(this.currentKeyId, oldKey);
+    }
+    this.encryption.storeKey(newKeyId, newKey);
+    this.currentKeyId = newKeyId;
+    this.keyCreationDates.set(newKeyId, /* @__PURE__ */ new Date());
+  }
+  /**
+   * Re-encrypt data with new key
+   */
+  async reencrypt(encryptedData, oldKeyId) {
+    const oldKey = this.oldKeys.get(oldKeyId) || this.encryption.getKey(oldKeyId);
+    const newKey = this.encryption.getKey(this.currentKeyId);
+    if (!(oldKey && newKey)) {
+      throw new Error("Keys not found");
+    }
+    const decrypted = await this.encryption.decrypt(encryptedData, oldKey);
+    return this.encryption.encrypt(decrypted, newKey);
+  }
+  /**
+   * Get current key ID
+   */
+  getCurrentKeyId() {
+    return this.currentKeyId;
+  }
+  /**
+   * Clean up old keys created before the specified date.
+   * Never removes the current active key.
+   */
+  cleanupOldKeys(olderThan) {
+    for (const [keyId, createdAt] of this.keyCreationDates.entries()) {
+      if (keyId !== this.currentKeyId && createdAt < olderThan) {
+        this.oldKeys.delete(keyId);
+        this.encryption.removeKey(keyId);
+        this.keyCreationDates.delete(keyId);
+      }
+    }
+  }
+};
+var EnvelopeEncryption = class {
+  encryption;
+  masterKey;
+  constructor(encryption2, masterKey) {
+    this.encryption = encryption2;
+    this.masterKey = masterKey;
+  }
+  /**
+   * Encrypt with envelope encryption
+   */
+  async encrypt(data) {
+    const dek = await this.encryption.generateKey();
+    const encryptedData = await this.encryption.encrypt(data, dek);
+    const dekRaw = await this.encryption.exportKey(dek);
+    const dekBase64 = this.arrayBufferToBase64(new Uint8Array(dekRaw));
+    const encryptedKey = await this.encryption.encrypt(dekBase64, this.masterKey);
+    return { encryptedData, encryptedKey };
+  }
+  /**
+   * Decrypt with envelope encryption
+   */
+  async decrypt(encryptedData, encryptedKey) {
+    const dekBase64 = await this.encryption.decrypt(encryptedKey, this.masterKey);
+    const dekRaw = this.base64ToArrayBuffer(dekBase64);
+    const dek = await this.encryption.importKey(dekRaw.buffer);
+    return this.encryption.decrypt(encryptedData, dek);
+  }
+  arrayBufferToBase64(buffer) {
+    const bytes = Array.from(buffer);
+    const binary = bytes.map((byte) => String.fromCharCode(byte)).join("");
+    return typeof btoa !== "undefined" ? btoa(binary) : Buffer.from(binary, "binary").toString("base64");
+  }
+  base64ToArrayBuffer(base64) {
+    const binary = typeof atob !== "undefined" ? atob(base64) : Buffer.from(base64, "base64").toString("binary");
+    const bytes = new Uint8Array(binary.length);
+    for (let i = 0; i < binary.length; i++) {
+      bytes[i] = binary.charCodeAt(i);
+    }
+    return bytes;
+  }
+};
+function maskEmail(email) {
+  const [local, domain] = email.split("@");
+  if (!(local && domain)) return email;
+  const maskedLocal = local.length > 2 ? local[0] + "*".repeat(local.length - 2) + local[local.length - 1] : `${local[0]}*`;
+  return `${maskedLocal}@${domain}`;
+}
+function maskPhone(phone) {
+  const digits = phone.replace(/\D/g, "");
+  if (digits.length < 4) return phone;
+  const lastFour = digits.slice(-4);
+  const masked = "*".repeat(digits.length - 4) + lastFour;
+  return phone.replace(/\d/g, (char, index) => {
+    const digitIndex = phone.slice(0, index + 1).replace(/\D/g, "").length - 1;
+    return masked[digitIndex] || char;
+  });
+}
+function maskCreditCard(card) {
+  const digits = card.replace(/\D/g, "");
+  if (digits.length < 4) return card;
+  const lastFour = digits.slice(-4);
+  return `****-****-****-${lastFour}`;
+}
+function maskSSN(ssn) {
+  const digits = ssn.replace(/\D/g, "");
+  if (digits.length !== 9) return ssn;
+  return `***-**-${digits.slice(-4)}`;
+}
+function maskString(str, keepChars = 1) {
+  if (str.length <= keepChars * 2) {
+    return "*".repeat(str.length);
+  }
+  const prefix = str.slice(0, keepChars);
+  const suffix = str.slice(-keepChars);
+  const masked = "*".repeat(str.length - keepChars * 2);
+  return `${prefix}${masked}${suffix}`;
+}
+var DataMasking = {
+  maskEmail,
+  maskPhone,
+  maskCreditCard,
+  maskSSN,
+  maskString
+};
+function generateToken(length = 32) {
+  const bytes = encryption.randomBytes(length);
+  return Array.from(bytes).map((b) => b.toString(16).padStart(2, "0")).join("");
 }
 function generateUUID() {
-  if (typeof crypto !== "undefined" && crypto.randomUUID) {
-    return crypto.randomUUID();
+  const crypto2 = globalThis.crypto;
+  if (!crypto2) {
+    throw new Error("Crypto API not available");
   }
-  return `xxxxxxxx-xxxx-4xxx-yxxx-xxxxxxxxxxxx`.replace(/[xy]/g, (c) => {
-    const r = Math.random() * 16 | 0;
-    const v = c === "x" ? r : r & 3 | 8;
-    return v.toString(16);
-  });
+  return crypto2.randomUUID();
+}
+function generateAPIKey(prefix = "sk") {
+  const token = generateToken(32);
+  return `${prefix}_${token}`;
+}
+function generateSessionID() {
+  return generateToken(64);
+}
+var TokenGenerator = {
+  generate: generateToken,
+  generateUUID,
+  generateAPIKey,
+  generateSessionID
+};
+
+// src/gdpr.ts
+import { createHash, createHmac as createHmac2 } from "crypto";
+
+// src/logger.ts
+var securityLogger = console;
+function configureSecurityLogger(logger) {
+  securityLogger = logger;
+}
+function getSecurityLogger() {
+  return securityLogger;
+}
+
+// src/gdpr.ts
+var ConsentManager = class {
+  storage;
+  consentVersion = "1.0.0";
+  constructor(storage) {
+    this.storage = storage;
+  }
+  /**
+   * Grant consent
+   */
+  async grantConsent(userId, type, source = "explicit", expiresIn) {
+    const consent = {
+      id: crypto.randomUUID(),
+      userId,
+      type,
+      granted: true,
+      timestamp: (/* @__PURE__ */ new Date()).toISOString(),
+      expiresAt: expiresIn ? new Date(Date.now() + expiresIn).toISOString() : void 0,
+      source,
+      version: this.consentVersion
+    };
+    await this.storage.setConsent(userId, type, consent);
+    return consent;
+  }
+  /**
+   * Revoke consent
+   */
+  async revokeConsent(userId, type) {
+    const existing = await this.storage.getConsent(userId, type);
+    if (existing) {
+      existing.granted = false;
+      existing.timestamp = (/* @__PURE__ */ new Date()).toISOString();
+      await this.storage.setConsent(userId, type, existing);
+    }
+  }
+  /**
+   * Check if consent is granted
+   */
+  async hasConsent(userId, type) {
+    const consent = await this.storage.getConsent(userId, type);
+    if (!consent?.granted) {
+      return false;
+    }
+    if (consent.expiresAt && new Date(consent.expiresAt) < /* @__PURE__ */ new Date()) {
+      return false;
+    }
+    return true;
+  }
+  /**
+   * Get all consents for user
+   */
+  async getUserConsents(userId) {
+    return this.storage.getConsentsByUser(userId);
+  }
+  /**
+   * Update consent version
+   */
+  setConsentVersion(version) {
+    this.consentVersion = version;
+  }
+  /**
+   * Check if consent needs renewal
+   */
+  async needsRenewal(userId, type, maxAge) {
+    const consent = await this.storage.getConsent(userId, type);
+    if (!consent?.granted) {
+      return true;
+    }
+    const age = Date.now() - new Date(consent.timestamp).getTime();
+    return age >= maxAge;
+  }
+  /**
+   * Get consent statistics
+   */
+  async getStatistics() {
+    const consents = await this.storage.getAllConsents();
+    const now = /* @__PURE__ */ new Date();
+    const granted = consents.filter((c) => c.granted).length;
+    const revoked = consents.filter((c) => !c.granted).length;
+    const expired = consents.filter((c) => c.expiresAt && new Date(c.expiresAt) < now).length;
+    const byType = consents.reduce(
+      (acc, c) => {
+        acc[c.type] = (acc[c.type] || 0) + 1;
+        return acc;
+      },
+      {}
+    );
+    return {
+      total: consents.length,
+      granted,
+      revoked,
+      expired,
+      byType
+    };
+  }
+};
+function escapeCsvField(value) {
+  let safe = /^[=+\-@\t\r]/.test(value) ? `'${value}` : value;
+  safe = safe.replace(/"/g, '""');
+  return `"${safe}"`;
 }
-var SessionRepository = class {
-  constructor(payload) {
-    this.payload = payload;
-    void this.payload;
+var DataExportSystem = class {
+  /**
+   * Export user data
+   */
+  async exportUserData(userId, getUserData, format = "json") {
+    const data = await getUserData(userId);
+    const exportData = {
+      userId,
+      exportedAt: (/* @__PURE__ */ new Date()).toISOString(),
+      data: {
+        profile: data.profile,
+        activities: data.activities,
+        consents: data.consents,
+        dataProcessing: []
+      },
+      format
+    };
+    return exportData;
   }
-  sessions = /* @__PURE__ */ new Map();
-  createSessionId() {
+  /**
+   * Format export as JSON
+   */
+  formatAsJSON(exportData) {
+    return JSON.stringify(exportData, null, 2);
+  }
+  /**
+   * Format export as CSV
+   */
+  formatAsCSV(exportData) {
+    const lines = [];
+    lines.push("Type,Key,Value");
+    Object.entries(exportData.data.profile).forEach(([key, value]) => {
+      lines.push(`Profile,${escapeCsvField(key)},${escapeCsvField(String(value))}`);
+    });
+    exportData.data.activities.forEach((activity, index) => {
+      Object.entries(activity).forEach(([key, value]) => {
+        lines.push(`Activity ${index + 1},${escapeCsvField(key)},${escapeCsvField(String(value))}`);
+      });
+    });
+    return lines.join("\n");
+  }
+  /**
+   * Create download link
+   */
+  createDownloadLink(content, _filename, mimeType) {
+    const blob = new Blob([content], { type: mimeType });
+    return URL.createObjectURL(blob);
+  }
+};
+var DataDeletionSystem = class {
+  storage;
+  constructor(storage) {
+    this.storage = storage;
+  }
+  /**
+   * Request data deletion
+   */
+  async requestDeletion(userId, dataCategories, reason) {
+    const request = {
+      id: crypto.randomUUID(),
+      userId,
+      requestedAt: (/* @__PURE__ */ new Date()).toISOString(),
+      status: "pending",
+      dataCategories,
+      reason
+    };
+    await this.storage.setDeletionRequest(request);
+    return request;
+  }
+  /**
+   * Process deletion request
+   */
+  async processDeletion(requestId, deleteData) {
+    const request = await this.storage.getDeletionRequest(requestId);
+    if (!request) {
+      throw new Error("Deletion request not found");
+    }
+    request.status = "processing";
+    await this.storage.setDeletionRequest(request);
     try {
-      return generateUUID();
-    } catch {
-      return `session_${Date.now().toString(36)}`;
+      const result = await deleteData(request.userId, request.dataCategories);
+      request.status = "completed";
+      request.processedAt = (/* @__PURE__ */ new Date()).toISOString();
+      request.deletedData = result.deleted;
+      request.retainedData = result.retained;
+      await this.storage.setDeletionRequest(request);
+    } catch (error) {
+      request.status = "failed";
+      await this.storage.setDeletionRequest(request);
+      throw error;
     }
   }
-  createToken() {
-    try {
-      return `token_${generateUUID()}`;
-    } catch {
-      return `token_${Date.now().toString(36)}`;
-    }
+  /**
+   * Get deletion request
+   */
+  async getRequest(requestId) {
+    return this.storage.getDeletionRequest(requestId);
+  }
+  /**
+   * Get user deletion requests
+   */
+  async getUserRequests(userId) {
+    return this.storage.getDeletionRequestsByUser(userId);
+  }
+  /**
+   * Check if data can be deleted
+   */
+  canDelete(_dataCategory, legalBasis) {
+    if (legalBasis === "legal_obligation" || legalBasis === "vital_interest") {
+      return false;
+    }
+    return true;
+  }
+  /**
+   * Calculate retention period
+   */
+  calculateRetentionEnd(createdAt, retentionPeriod) {
+    return new Date(createdAt.getTime() + retentionPeriod * 24 * 60 * 60 * 1e3);
+  }
+  /**
+   * Check if data should be deleted (retention period expired)
+   */
+  shouldDelete(createdAt, retentionPeriod) {
+    const retentionEnd = this.calculateRetentionEnd(createdAt, retentionPeriod);
+    return /* @__PURE__ */ new Date() > retentionEnd;
+  }
+};
+function hashValue(value) {
+  const digest = createHash("sha256").update(value).digest("hex");
+  return `hash_${digest}`;
+}
+function anonymizeUser(user) {
+  return {
+    ...user,
+    email: hashValue(user.email),
+    name: "Anonymous User",
+    phone: void 0,
+    address: void 0,
+    ip: void 0
+  };
+}
+function pseudonymize(value, key) {
+  const hmac = createHmac2("sha256", key).update(value).digest("hex");
+  return `pseudo_${hmac.substring(0, 16)}`;
+}
+function anonymizeDataset(data, sensitiveFields) {
+  return data.map((item) => {
+    const anonymized = { ...item };
+    sensitiveFields.forEach((field) => {
+      if (field in anonymized && typeof anonymized[field] === "string") {
+        anonymized[field] = hashValue(anonymized[field]);
+      }
+    });
+    return anonymized;
+  });
+}
+function checkKAnonymity(data, quasiIdentifiers, k) {
+  const groups = /* @__PURE__ */ new Map();
+  data.forEach((item) => {
+    const key = quasiIdentifiers.map((field) => String(item[field])).join("|");
+    groups.set(key, (groups.get(key) || 0) + 1);
+  });
+  return Array.from(groups.values()).every((count) => count >= k);
+}
+var DataAnonymization = {
+  anonymizeUser,
+  pseudonymize,
+  hashValue,
+  anonymizeDataset,
+  checkKAnonymity
+};
+var PrivacyPolicyManager = class {
+  policies = /* @__PURE__ */ new Map();
+  currentVersion = "1.0.0";
+  /**
+   * Add policy version
+   */
+  addPolicy(version, content, effectiveDate) {
+    this.policies.set(version, { version, content, effectiveDate });
+    this.currentVersion = version;
+  }
+  /**
+   * Get current policy
+   */
+  getCurrentPolicy() {
+    return this.policies.get(this.currentVersion);
+  }
+  /**
+   * Get policy by version
+   */
+  getPolicy(version) {
+    return this.policies.get(version);
+  }
+  /**
+   * Check if user accepted current policy
+   */
+  hasAcceptedCurrent(userAcceptedVersion) {
+    return userAcceptedVersion === this.currentVersion;
   }
-  async create(data) {
-    if (!data.userId) {
-      return {
-        success: false,
-        errors: [{ message: "userId is required", path: "create" }]
-      };
-    }
-    const now = /* @__PURE__ */ new Date();
-    const session = {
-      id: data.id ?? this.createSessionId(),
-      userId: data.userId,
-      token: data.token ?? this.createToken(),
-      expiresAt: data.expiresAt ? new Date(data.expiresAt) : new Date(now.getTime() + 1e3 * 60 * 60),
-      lastActiveAt: data.lastActiveAt ? new Date(data.lastActiveAt) : now,
-      isActive: data.isActive ?? true,
-      updatedAt: now,
-      createdAt: now,
-      ...data.device !== void 0 ? { device: data.device } : {}
-    };
-    this.sessions.set(session.id, session);
-    return { success: true, data: session };
-  }
-  async findById(id) {
-    const session = this.sessions.get(String(id));
-    if (!session) {
-      return {
-        success: false,
-        errors: [{ message: "Session not found", path: "findById" }]
-      };
-    }
-    return { success: true, data: session };
-  }
-  async delete(id) {
-    const key = String(id);
-    if (!this.sessions.has(key)) {
-      return {
-        success: false,
-        errors: [{ message: "Session not found", path: "delete" }]
-      };
-    }
-    this.sessions.delete(key);
-    return { success: true };
-  }
-  async revokeAllUserSessions(userId) {
-    let removed = false;
-    for (const [key, session] of this.sessions.entries()) {
-      if (session.userId === userId) {
-        this.sessions.delete(key);
-        removed = true;
-      }
-    }
-    if (!removed) {
-      return {
-        success: false,
-        errors: [{ message: "No sessions found for user", path: "revokeAllUserSessions" }]
-      };
-    }
-    return { success: true };
-  }
-  async findAll() {
-    return { success: true, data: Array.from(this.sessions.values()) };
-  }
-  async update(id, data) {
-    const existing = this.sessions.get(id);
-    if (!existing) {
-      return {
-        success: false,
-        errors: [{ message: "Session not found", path: "update" }]
-      };
-    }
-    const updated = {
-      ...existing,
-      ...data.userId !== void 0 ? { userId: data.userId } : {},
-      ...data.token !== void 0 ? { token: data.token } : {},
-      ...data.device !== void 0 ? { device: data.device } : {},
-      ...data.expiresAt !== void 0 ? { expiresAt: new Date(data.expiresAt) } : {},
-      ...data.lastActiveAt !== void 0 ? { lastActiveAt: new Date(data.lastActiveAt) } : {},
-      ...data.isActive !== void 0 ? { isActive: data.isActive } : {},
-      updatedAt: /* @__PURE__ */ new Date()
-    };
-    this.sessions.set(id, updated);
-    return { success: true, data: updated };
+  /**
+   * Get all versions
+   */
+  getAllVersions() {
+    return Array.from(this.policies.keys());
   }
 };
-var SessionService = class {
-  repository = null;
-  constructor(repository) {
-    if (repository) {
-      this.repository = repository;
-    }
+var CookieConsentManager = class {
+  config = {
+    necessary: true,
+    functional: false,
+    analytics: false,
+    marketing: false
+  };
+  /**
+   * Set consent configuration
+   */
+  setConsent(config) {
+    this.config = { ...this.config, ...config };
+    this.saveToStorage();
   }
-  async getRepository() {
-    if (!this.repository) {
-      const payload = await getPayloadClient2();
-      this.repository = new SessionRepository(payload);
-    }
-    return this.repository;
+  /**
+   * Get consent configuration
+   */
+  getConsent() {
+    return { ...this.config };
   }
   /**
-   * Creates a new session for a user.
+   * Check if specific consent is granted
    */
-  async createSession(data) {
-    if (!data.userId || typeof data.userId !== "string") {
-      return {
-        success: false,
-        errors: [
-          {
-            message: "userId is required",
-            path: "userId"
-          }
-        ]
-      };
-    }
-    const repository = await this.getRepository();
-    const result = await repository.create(data);
-    if (!result.success) {
-      try {
-        const payload = await getPayloadClient2();
-        payload.logger.error("Failed to create session", {
-          errors: result.errors
-        });
-      } catch {
-        devLogger3.error("Failed to create session", { errors: result.errors });
-      }
-    }
-    return result;
+  hasConsent(type) {
+    return this.config[type];
   }
   /**
-   * Validates a session by ID, checks for expiration, and deletes if expired.
+   * Save to storage
    */
-  async validateSession(sessionId) {
-    try {
-      const repository = await this.getRepository();
-      const result = await repository.findById(sessionId);
-      if (!result.success || !result.data) {
-        try {
-          const payload = await getPayloadClient2();
-          payload.logger.warn("Invalid session", { sessionId, errors: result.errors });
-        } catch {
-          devLogger3.warn("Invalid session", { sessionId, errors: result.errors });
-        }
-        return {
-          success: false,
-          errors: result.errors ?? [{ message: "Session not found", path: "validateSession" }]
-        };
-      }
-      const session = result.data;
-      if (session.expiresAt.getTime() < Date.now()) {
-        await repository.delete(sessionId);
-        try {
-          const payload = await getPayloadClient2();
-          payload.logger.info("Session expired and deleted", { sessionId });
-        } catch {
-          devLogger3.info("Session expired and deleted", { sessionId });
-        }
-        return {
-          success: false,
-          errors: [{ message: "Session expired", path: "validateSession" }]
-        };
-      }
-      const userResult = { success: true, data: { id: session.userId } };
-      if (!userResult.success || !userResult.data) {
-        try {
-          const payload = await getPayloadClient2();
-          payload.logger.error("User not found for session", {
-            sessionId,
-            userId: session.userId
-          });
-        } catch {
-          devLogger3.error("User not found for session", {
-            sessionId,
-            userId: session.userId
-          });
-        }
-        return {
-          success: false,
-          errors: [{ message: "User not found for session", path: "validateSession" }]
-        };
-      }
-      return { success: true, data: session };
-    } catch (error) {
-      try {
-        const payload = await getPayloadClient2();
-        payload.logger.error("Session validation failed", { error });
-      } catch {
-        devLogger3.error("Session validation failed", { error });
-      }
-      return {
-        success: false,
-        errors: [{ message: "Session validation failed", path: "validateSession" }]
-      };
+  saveToStorage() {
+    if (typeof localStorage !== "undefined") {
+      localStorage.setItem("cookie-consent", JSON.stringify(this.config));
     }
   }
   /**
-   * Invalidates (deletes) a session by ID.
+   * Load from storage
    */
-  async invalidateSession(sessionId) {
-    try {
-      const repository = await this.getRepository();
-      const result = await repository.delete(sessionId);
-      if (!result.success) {
+  loadFromStorage() {
+    if (typeof localStorage !== "undefined") {
+      const stored = localStorage.getItem("cookie-consent");
+      if (stored) {
         try {
-          const payload = await getPayloadClient2();
-          payload.logger.error("Session invalidation failed", {
-            errors: result.errors
-          });
+          const parsed = JSON.parse(stored);
+          if (typeof parsed === "object" && parsed !== null) {
+            this.config = {
+              necessary: true,
+              // always required
+              analytics: typeof parsed.analytics === "boolean" ? parsed.analytics : false,
+              marketing: typeof parsed.marketing === "boolean" ? parsed.marketing : false,
+              functional: typeof parsed.functional === "boolean" ? parsed.functional : true
+            };
+          }
         } catch {
-          devLogger3.error("Session invalidation failed", {
-            errors: result.errors
-          });
         }
-        return result;
-      }
-      return result;
-    } catch (error) {
-      try {
-        const payload = await getPayloadClient2();
-        payload.logger.error("Session invalidation failed", { error });
-      } catch {
-        devLogger3.error("Session invalidation failed", { error });
       }
-      return {
-        success: false,
-        errors: [
-          {
-            message: "Session invalidation failed",
-            path: "invalidateSession"
-          }
-        ]
-      };
     }
   }
   /**
-   * Invalidates (deletes) all sessions for a user by userId.
+   * Clear consent
    */
-  async invalidateAllUserSessions(userId) {
-    try {
-      const repository = await this.getRepository();
-      const result = await repository.revokeAllUserSessions(userId);
-      if (!result.success) {
-        try {
-          const payload = await getPayloadClient2();
-          payload.logger.error("User sessions invalidation failed", {
-            errors: result.errors
-          });
-        } catch {
-          devLogger3.error("User sessions invalidation failed", {
-            errors: result.errors
-          });
-        }
-        return result;
-      }
-      return result;
-    } catch (error) {
-      try {
-        const payload = await getPayloadClient2();
-        payload.logger.error("User sessions invalidation failed", {
-          error
-        });
-      } catch {
-        devLogger3.error("User sessions invalidation failed", { error });
-      }
-      return {
-        success: false,
-        errors: [
-          {
-            message: "Failed to invalidate user sessions",
-            path: "invalidateAllUserSessions"
-          }
-        ]
-      };
+  clearConsent() {
+    this.config = {
+      necessary: true,
+      functional: false,
+      analytics: false,
+      marketing: false
+    };
+    if (typeof localStorage !== "undefined") {
+      localStorage.removeItem("cookie-consent");
     }
   }
-  async getSessionById(id) {
-    const repository = await this.getRepository();
-    const result = await repository.findById(id);
-    if (!result.success) {
-      try {
-        const payload = await getPayloadClient2();
-        payload.logger.warn("Session not found", {
-          errors: result.errors
-        });
-      } catch {
-        devLogger3.warn("Session not found", { errors: result.errors });
-      }
-    }
-    return result;
+};
+var DataBreachManager = class {
+  storage;
+  constructor(storage) {
+    this.storage = storage;
   }
-  async getAllSessions() {
-    const repository = await this.getRepository();
-    const result = await repository.findAll();
-    if (!result.success) {
-      try {
-        const payload = await getPayloadClient2();
-        payload.logger.error("Failed to fetch sessions", {
-          errors: result.errors
-        });
-      } catch {
-        devLogger3.error("Failed to fetch sessions", {
-          errors: result.errors
-        });
-      }
+  /**
+   * Report data breach
+   */
+  async reportBreach(breach) {
+    const fullBreach = {
+      ...breach,
+      id: crypto.randomUUID(),
+      detectedAt: (/* @__PURE__ */ new Date()).toISOString(),
+      status: "detected"
+    };
+    await this.storage.setBreach(fullBreach);
+    if (fullBreach.severity === "critical") {
+      await this.notifyAuthorities(fullBreach);
     }
-    return result;
+    return fullBreach;
   }
-  async updateSession(id, data) {
-    const repository = await this.getRepository();
-    const result = await repository.update(id, data);
-    if (!result.success) {
-      try {
-        const payload = await getPayloadClient2();
-        payload.logger.error("Failed to update session", {
-          errors: result.errors
-        });
-      } catch {
-        devLogger3.error("Failed to update session", { errors: result.errors });
-      }
-    }
-    return result;
+  /**
+   * Notify authorities (required within 72 hours under GDPR)
+   */
+  async notifyAuthorities(breach) {
+    await this.storage.updateBreach(breach.id, {
+      reportedAt: (/* @__PURE__ */ new Date()).toISOString(),
+      status: "notified"
+    });
+    getSecurityLogger().info("Breach reported to authorities", { breachId: breach.id });
   }
-  async deleteSession(id) {
-    const repository = await this.getRepository();
-    const result = await repository.delete(id);
-    if (!result.success) {
-      try {
-        const payload = await getPayloadClient2();
-        payload.logger.error("Failed to delete session", {
-          errors: result.errors
-        });
-      } catch {
-        devLogger3.error("Failed to delete session", { errors: result.errors });
-      }
+  /**
+   * Notify affected users
+   */
+  async notifyAffectedUsers(breachId, notifyFn) {
+    const breach = await this.storage.getBreach(breachId);
+    if (!breach) {
+      throw new Error("Breach not found");
     }
-    return result;
+    for (const userId of breach.affectedUsers) {
+      await notifyFn(userId, breach);
+    }
+  }
+  /**
+   * Check if breach notification is required
+   */
+  requiresNotification(breach) {
+    return breach.severity === "high" || breach.severity === "critical" || breach.dataCategories.includes("sensitive") || breach.dataCategories.includes("financial");
+  }
+  /**
+   * Get breach
+   */
+  async getBreach(id) {
+    return this.storage.getBreach(id);
+  }
+  /**
+   * Get all breaches
+   */
+  async getAllBreaches() {
+    return this.storage.getAllBreaches();
   }
 };
-var sessionService = new SessionService();
+function createConsentManager(storage) {
+  return new ConsentManager(storage);
+}
+function createDataDeletionSystem(storage) {
+  return new DataDeletionSystem(storage);
+}
+var dataExportSystem = new DataExportSystem();
+var privacyPolicyManager = new PrivacyPolicyManager();
+var cookieConsentManager = new CookieConsentManager();
+function createDataBreachManager(storage) {
+  return new DataBreachManager(storage);
+}
 
-// src/TokenService.ts
-import { InfrastructureService as InfrastructureService2 } from "@revealui/core";
-var AppError = class extends Error {
-  constructor(code, message, cause) {
-    super(message);
-    this.code = code;
-    this.cause = cause;
-    this.name = "AppError";
-    if (cause) {
-      this.cause = cause;
+// src/gdpr-storage.ts
+var InMemoryBreachStorage = class {
+  breaches = /* @__PURE__ */ new Map();
+  async setBreach(breach) {
+    this.breaches.set(breach.id, breach);
+  }
+  async getBreach(id) {
+    return this.breaches.get(id);
+  }
+  async getAllBreaches() {
+    return Array.from(this.breaches.values());
+  }
+  async updateBreach(id, updates) {
+    const existing = this.breaches.get(id);
+    if (existing) {
+      this.breaches.set(id, { ...existing, ...updates });
     }
   }
 };
-var ErrorCode = {
-  TOKEN_INVALID: "TOKEN_INVALID",
-  TOKEN_EXPIRED: "TOKEN_EXPIRED",
-  AUTHENTICATION_ERROR: "AUTHENTICATION_ERROR",
-  INTERNAL_ERROR: "INTERNAL_ERROR"
+var InMemoryGDPRStorage = class {
+  consents = /* @__PURE__ */ new Map();
+  deletionRequests = /* @__PURE__ */ new Map();
+  // ── Consent Records ──────────────────────────────────────────────
+  async setConsent(userId, type, record) {
+    this.consents.set(`${userId}:${type}`, record);
+  }
+  async getConsent(userId, type) {
+    return this.consents.get(`${userId}:${type}`);
+  }
+  async getConsentsByUser(userId) {
+    return Array.from(this.consents.values()).filter((c) => c.userId === userId);
+  }
+  async getAllConsents() {
+    return Array.from(this.consents.values());
+  }
+  // ── Deletion Requests ────────────────────────────────────────────
+  async setDeletionRequest(request) {
+    this.deletionRequests.set(request.id, request);
+  }
+  async getDeletionRequest(requestId) {
+    return this.deletionRequests.get(requestId);
+  }
+  async getDeletionRequestsByUser(userId) {
+    return Array.from(this.deletionRequests.values()).filter((r) => r.userId === userId);
+  }
 };
-var TokenService = class extends InfrastructureService2 {
-  constructor(payload) {
-    super(payload, "TokenService");
-    this.payload = payload;
+
+// src/headers.ts
+var SecurityHeaders = class {
+  config;
+  constructor(config = {}) {
+    this.config = config;
   }
   /**
-   * Authenticate user and generate access token using PayloadCMS native login
-   * @param credentials User login credentials
-   * @param req Optional PayloadRequest for context
-   * @returns Login result with user data and token
+   * Get all security headers
    */
-  async login(credentials, req) {
-    try {
-      this.logger.debug("Attempting user login", {
-        email: credentials.email,
-        serviceName: this.serviceName,
-        operation: "login"
-      });
-      const result = await this.payload.login({
-        collection: "users",
-        data: {
-          email: credentials.email,
-          password: credentials.password
-        },
-        ...req && { req }
-      });
-      this.logger.info("User login successful", {
-        userId: result.user.id,
-        email: result.user.email,
-        serviceName: this.serviceName
-      });
-      return result;
-    } catch (error) {
-      this.logger.error("User login failed", {
-        email: credentials.email,
-        error: error instanceof Error ? error.message : "Unknown error",
-        serviceName: this.serviceName
-      });
-      throw new AppError(
-        ErrorCode.AUTHENTICATION_ERROR,
-        "Login failed",
-        error instanceof Error ? error : new Error(String(error))
-      );
+  getHeaders() {
+    const headers = {};
+    if (this.config.contentSecurityPolicy) {
+      headers["Content-Security-Policy"] = this.buildCSP(this.config.contentSecurityPolicy);
+    }
+    if (this.config.strictTransportSecurity) {
+      headers["Strict-Transport-Security"] = this.buildHSTS(this.config.strictTransportSecurity);
+    }
+    if (this.config.xFrameOptions) {
+      headers["X-Frame-Options"] = this.config.xFrameOptions;
+    }
+    if (this.config.xContentTypeOptions !== false) {
+      headers["X-Content-Type-Options"] = "nosniff";
+    }
+    if (this.config.referrerPolicy) {
+      headers["Referrer-Policy"] = this.config.referrerPolicy;
     }
+    if (this.config.permissionsPolicy) {
+      headers["Permissions-Policy"] = this.buildPermissionsPolicy(this.config.permissionsPolicy);
+    }
+    if (this.config.crossOriginEmbedderPolicy) {
+      headers["Cross-Origin-Embedder-Policy"] = this.config.crossOriginEmbedderPolicy;
+    }
+    if (this.config.crossOriginOpenerPolicy) {
+      headers["Cross-Origin-Opener-Policy"] = this.config.crossOriginOpenerPolicy;
+    }
+    if (this.config.crossOriginResourcePolicy) {
+      headers["Cross-Origin-Resource-Policy"] = this.config.crossOriginResourcePolicy;
+    }
+    return headers;
   }
   /**
-   * Verify user by ID using PayloadCMS native functionality
-   * @param userId User ID to verify
-   * @returns User data if exists
+   * Build Content Security Policy header
    */
-  async verifyUser(userId) {
-    try {
-      this.logger.debug("Verifying user", {
-        userId,
-        serviceName: this.serviceName,
-        operation: "verifyUser"
-      });
-      const user = await this.payload.findByID({
-        collection: "users",
-        id: userId
-      });
-      this.logger.debug("User verification successful", {
-        userId: user.id,
-        serviceName: this.serviceName
-      });
-      return user;
-    } catch (error) {
-      this.logger.error("User verification failed", {
-        userId,
-        error: error instanceof Error ? error.message : "Unknown error",
-        serviceName: this.serviceName
-      });
-      throw new AppError(
-        ErrorCode.AUTHENTICATION_ERROR,
-        "User verification failed",
-        error instanceof Error ? error : new Error(String(error))
-      );
+  buildCSP(config) {
+    if (typeof config === "string") {
+      return config;
+    }
+    const directives = [];
+    const addDirective = (name, values) => {
+      if (values && values.length > 0) {
+        directives.push(`${name} ${values.join(" ")}`);
+      }
+    };
+    addDirective("default-src", config.defaultSrc);
+    addDirective("script-src", config.scriptSrc);
+    addDirective("style-src", config.styleSrc);
+    addDirective("img-src", config.imgSrc);
+    addDirective("font-src", config.fontSrc);
+    addDirective("connect-src", config.connectSrc);
+    addDirective("frame-src", config.frameSrc);
+    addDirective("object-src", config.objectSrc);
+    addDirective("media-src", config.mediaSrc);
+    addDirective("worker-src", config.workerSrc);
+    addDirective("child-src", config.childSrc);
+    addDirective("form-action", config.formAction);
+    addDirective("frame-ancestors", config.frameAncestors);
+    addDirective("base-uri", config.baseUri);
+    addDirective("manifest-src", config.manifestSrc);
+    if (config.upgradeInsecureRequests) {
+      directives.push("upgrade-insecure-requests");
+    }
+    if (config.blockAllMixedContent) {
+      directives.push("block-all-mixed-content");
+    }
+    if (config.reportUri) {
+      directives.push(`report-uri ${config.reportUri}`);
     }
+    if (config.reportTo) {
+      directives.push(`report-to ${config.reportTo}`);
+    }
+    return directives.join("; ");
   }
   /**
-   * Generate password reset token using PayloadCMS native functionality
-   * @param email User email address
-   * @returns Password reset token
+   * Build HSTS header
    */
-  async generatePasswordResetToken(email) {
-    try {
-      this.logger.debug("Generating password reset token", {
-        email,
-        serviceName: this.serviceName,
-        operation: "generatePasswordResetToken"
-      });
-      const token = await this.payload.forgotPassword({
-        collection: "users",
-        data: { email }
-      });
-      this.logger.info("Password reset token generated", {
-        email,
-        serviceName: this.serviceName
-      });
-      return token;
-    } catch (error) {
-      this.logger.error("Password reset token generation failed", {
-        email,
-        error: error instanceof Error ? error.message : "Unknown error",
-        serviceName: this.serviceName
-      });
-      throw new AppError(
-        ErrorCode.INTERNAL_ERROR,
-        "Failed to generate password reset token",
-        error instanceof Error ? error : new Error(String(error))
-      );
+  buildHSTS(config) {
+    if (config === true) {
+      return "max-age=31536000; includeSubDomains";
     }
+    if (config === false) {
+      return "";
+    }
+    const parts = [`max-age=${config.maxAge}`];
+    if (config.includeSubDomains) {
+      parts.push("includeSubDomains");
+    }
+    if (config.preload) {
+      parts.push("preload");
+    }
+    return parts.join("; ");
   }
   /**
-   * Reset user password using PayloadCMS native functionality
-   * @param token Password reset token
-   * @param newPassword New password
-   * @returns Reset result with user and new token
-   *
-   * NOTE: Uses overrideAccess: true as this is a system-level password reset operation
-   * that requires bypassing normal access control for security token validation.
+   * Build Permissions-Policy header
    */
-  async resetPassword(token, newPassword) {
-    try {
-      this.logger.debug("Resetting password", {
-        serviceName: this.serviceName,
-        operation: "resetPassword"
-      });
-      const result = await this.payload.resetPassword({
-        collection: "users",
-        data: {
-          token,
-          password: newPassword
-        },
-        overrideAccess: true
-        // System-level operation for password reset flow
-      });
-      this.logger.info("Password reset successful", {
-        userId: result.user?.id,
-        serviceName: this.serviceName
-      });
-      return result;
-    } catch (error) {
-      this.logger.error("Password reset failed", {
-        error: error instanceof Error ? error.message : "Unknown error",
-        serviceName: this.serviceName
-      });
-      throw new AppError(
-        ErrorCode.AUTHENTICATION_ERROR,
-        "Password reset failed",
-        error instanceof Error ? error : new Error(String(error))
-      );
+  buildPermissionsPolicy(config) {
+    if (typeof config === "string") {
+      return config;
     }
+    const policies = [];
+    Object.entries(config).forEach(([feature, origins]) => {
+      if (!origins || origins.length === 0) {
+        policies.push(`${feature}=()`);
+      } else if (origins.includes("*")) {
+        policies.push(`${feature}=*`);
+      } else {
+        const originsList = origins.map((o) => `"${o}"`).join(" ");
+        policies.push(`${feature}=(${originsList})`);
+      }
+    });
+    return policies.join(", ");
   }
   /**
-   * Verify email using PayloadCMS native functionality
-   * @param token Email verification token
-   * @returns Verification success status
+   * Apply headers to response
    */
-  async verifyEmail(token) {
-    try {
-      this.logger.debug("Verifying email", {
-        serviceName: this.serviceName,
-        operation: "verifyEmail"
-      });
-      const result = await this.payload.verifyEmail({
-        collection: "users",
-        token
-      });
-      this.logger.info("Email verification completed", {
-        success: result,
-        serviceName: this.serviceName
-      });
-      return result;
-    } catch (error) {
-      this.logger.error("Email verification failed", {
-        error: error instanceof Error ? error.message : "Unknown error",
-        serviceName: this.serviceName
-      });
-      throw new AppError(
-        ErrorCode.AUTHENTICATION_ERROR,
-        "Email verification failed",
-        error instanceof Error ? error : new Error(String(error))
-      );
+  applyHeaders(response) {
+    const headers = this.getHeaders();
+    Object.entries(headers).forEach(([name, value]) => {
+      response.headers.set(name, value);
+    });
+    return response;
+  }
+};
+var CORSManager = class {
+  config;
+  constructor(config = {}) {
+    this.config = {
+      origin: config.origin ?? [],
+      methods: config.methods || ["GET", "POST", "PUT", "DELETE", "PATCH", "OPTIONS"],
+      allowedHeaders: config.allowedHeaders || ["Content-Type", "Authorization"],
+      exposedHeaders: config.exposedHeaders || [],
+      credentials: config.credentials ?? false,
+      maxAge: config.maxAge || 86400,
+      preflightContinue: config.preflightContinue ?? false,
+      optionsSuccessStatus: config.optionsSuccessStatus || 204
+    };
+  }
+  /**
+   * Check if origin is allowed
+   */
+  isOriginAllowed(origin) {
+    const { origin: allowedOrigin } = this.config;
+    if (allowedOrigin === "*") {
+      return true;
+    }
+    if (typeof allowedOrigin === "function") {
+      return allowedOrigin(origin);
+    }
+    if (typeof allowedOrigin === "string") {
+      return origin === allowedOrigin;
     }
+    if (Array.isArray(allowedOrigin)) {
+      return allowedOrigin.includes(origin);
+    }
+    return false;
   }
   /**
-   * Unlock user account using PayloadCMS native functionality
-   * @param email User email address
-   * @param password User password
-   * @returns Unlock success status
-   *
-   * NOTE: Uses overrideAccess: true as this is a system-level account unlock operation
-   * that requires bypassing normal access control for account recovery.
+   * Get CORS headers
    */
-  async unlockUser(email, password) {
-    try {
-      this.logger.debug("Unlocking user account", {
-        email,
-        serviceName: this.serviceName,
-        operation: "unlockUser"
-      });
-      const result = await this.payload.unlock({
-        collection: "users",
-        data: { email, password },
-        overrideAccess: true
-        // System-level operation for account recovery
-      });
-      this.logger.info("User account unlock completed", {
-        email,
-        success: result,
-        serviceName: this.serviceName
-      });
-      return result;
-    } catch (error) {
-      this.logger.error("User account unlock failed", {
-        email,
-        error: error instanceof Error ? error.message : "Unknown error",
-        serviceName: this.serviceName
-      });
-      throw new AppError(
-        ErrorCode.AUTHENTICATION_ERROR,
-        "User account unlock failed",
-        error instanceof Error ? error : new Error(String(error))
-      );
+  getCORSHeaders(origin) {
+    const headers = {};
+    if (this.config.origin !== "*") {
+      headers.Vary = "Origin";
     }
+    if (!this.isOriginAllowed(origin)) {
+      return headers;
+    }
+    headers["Access-Control-Allow-Origin"] = this.config.origin === "*" ? "*" : origin;
+    if (this.config.credentials && this.config.origin !== "*") {
+      headers["Access-Control-Allow-Credentials"] = "true";
+    }
+    if (this.config.exposedHeaders.length > 0) {
+      headers["Access-Control-Expose-Headers"] = this.config.exposedHeaders.join(", ");
+    }
+    return headers;
   }
   /**
-   * @inheritdoc
+   * Get preflight headers
    */
-  onInitialize() {
-    this.logger.info("TokenService initialized with PayloadCMS native auth", {
-      serviceName: this.serviceName
-    });
+  getPreflightHeaders(origin) {
+    const headers = this.getCORSHeaders(origin);
+    if (!this.isOriginAllowed(origin)) {
+      return headers;
+    }
+    headers["Access-Control-Allow-Methods"] = this.config.methods.join(", ");
+    headers["Access-Control-Allow-Headers"] = this.config.allowedHeaders.join(", ");
+    headers["Access-Control-Max-Age"] = this.config.maxAge.toString();
+    return headers;
+  }
+  /**
+   * Handle CORS request
+   */
+  handleRequest(request) {
+    const origin = request.headers.get("Origin");
+    if (!origin) {
+      return null;
+    }
+    if (request.method === "OPTIONS") {
+      return this.handlePreflight(request, origin);
+    }
+    return null;
   }
   /**
-   * @inheritdoc
+   * Handle preflight request
    */
-  onCleanup() {
-    this.logger.info("TokenService cleaned up", {
-      serviceName: this.serviceName
+  handlePreflight(_request, origin) {
+    if (!this.isOriginAllowed(origin)) {
+      return new Response(null, { status: 403 });
+    }
+    const headers = this.getPreflightHeaders(origin);
+    return new Response(null, {
+      status: this.config.optionsSuccessStatus,
+      headers
     });
   }
   /**
-   * @inheritdoc
+   * Apply CORS headers to response
    */
-  onHealthCheck() {
-    this.logger.debug("TokenService health check passed", {
-      serviceName: this.serviceName
+  applyHeaders(response, origin) {
+    if (!this.isOriginAllowed(origin)) {
+      return response;
+    }
+    const headers = this.getCORSHeaders(origin);
+    Object.entries(headers).forEach(([name, value]) => {
+      response.headers.set(name, value);
     });
+    return response;
+  }
+};
+var SecurityPresets = {
+  /**
+   * Strict security (recommended for production)
+   */
+  strict: () => ({
+    contentSecurityPolicy: {
+      defaultSrc: ["'self'"],
+      scriptSrc: ["'self'"],
+      styleSrc: ["'self'", "'unsafe-inline'"],
+      imgSrc: ["'self'", "data:", "https:"],
+      fontSrc: ["'self'", "data:"],
+      connectSrc: ["'self'"],
+      frameSrc: ["'none'"],
+      objectSrc: ["'none'"],
+      baseUri: ["'self'"],
+      formAction: ["'self'"],
+      frameAncestors: ["'none'"],
+      upgradeInsecureRequests: true
+    },
+    strictTransportSecurity: {
+      maxAge: 31536e3,
+      includeSubDomains: true,
+      preload: true
+    },
+    xFrameOptions: "DENY",
+    xContentTypeOptions: true,
+    referrerPolicy: "strict-origin-when-cross-origin",
+    crossOriginEmbedderPolicy: "require-corp",
+    crossOriginOpenerPolicy: "same-origin",
+    crossOriginResourcePolicy: "same-origin"
+  }),
+  /**
+   * Moderate security (balanced)
+   */
+  moderate: () => ({
+    contentSecurityPolicy: {
+      defaultSrc: ["'self'"],
+      scriptSrc: ["'self'", "'unsafe-inline'"],
+      styleSrc: ["'self'", "'unsafe-inline'"],
+      imgSrc: ["'self'", "data:", "https:"],
+      fontSrc: ["'self'", "data:", "https:"],
+      connectSrc: ["'self'", "https:"],
+      frameAncestors: ["'self'"]
+    },
+    strictTransportSecurity: {
+      maxAge: 31536e3,
+      includeSubDomains: true
+    },
+    xFrameOptions: "SAMEORIGIN",
+    xContentTypeOptions: true,
+    referrerPolicy: "origin-when-cross-origin"
+  }),
+  /**
+   * Development (permissive)
+   */
+  development: () => ({
+    xContentTypeOptions: true,
+    referrerPolicy: "no-referrer-when-downgrade"
+  })
+};
+var CORSPresets = {
+  /**
+   * Strict CORS (same origin only)
+   */
+  strict: () => ({
+    origin: [],
+    methods: ["GET", "POST", "PUT", "DELETE"],
+    allowedHeaders: ["Content-Type", "Authorization"],
+    credentials: true,
+    maxAge: 86400
+  }),
+  /**
+   * Moderate CORS (specific origins)
+   */
+  moderate: (allowedOrigins) => ({
+    origin: allowedOrigins,
+    methods: ["GET", "POST", "PUT", "DELETE", "PATCH"],
+    allowedHeaders: ["Content-Type", "Authorization", "X-Requested-With"],
+    exposedHeaders: ["X-Total-Count"],
+    credentials: true,
+    maxAge: 86400
+  }),
+  /**
+   * Permissive CORS (all origins) — development only.
+   * Logs a warning if used when NODE_ENV === 'production'.
+   */
+  permissive: () => {
+    if (process.env.NODE_ENV === "production") {
+      getSecurityLogger().warn(
+        "[SecurityPresets] CORS permissive preset used in production \u2014 this allows all origins. Use moderate() with explicit origins instead."
+      );
+    }
+    return {
+      origin: "*",
+      methods: ["GET", "POST", "PUT", "DELETE", "PATCH", "OPTIONS"],
+      allowedHeaders: ["*"],
+      credentials: false,
+      maxAge: 86400
+    };
+  },
+  /**
+   * API CORS (public read-only APIs) — credentials disabled.
+   * Logs a warning if used when NODE_ENV === 'production'.
+   */
+  api: () => {
+    if (process.env.NODE_ENV === "production") {
+      getSecurityLogger().warn(
+        '[SecurityPresets] CORS api preset uses origin:"*". For production, pass explicit origins to moderate() instead.'
+      );
+    }
+    return {
+      origin: "*",
+      methods: ["GET", "POST", "PUT", "DELETE", "PATCH"],
+      allowedHeaders: ["Content-Type", "Authorization", "X-API-Key"],
+      exposedHeaders: ["X-RateLimit-Limit", "X-RateLimit-Remaining", "X-RateLimit-Reset"],
+      credentials: false,
+      maxAge: 86400
+    };
   }
 };
-function createTokenService(payload) {
-  return new TokenService(payload);
+function createSecurityMiddleware(securityConfig, corsConfig) {
+  const security = new SecurityHeaders(securityConfig);
+  const cors = new CORSManager(corsConfig);
+  return async (request, next) => {
+    const origin = request.headers.get("Origin");
+    if (origin && request.method === "OPTIONS") {
+      const preflightResponse = cors.handleRequest(request);
+      if (preflightResponse) {
+        return preflightResponse;
+      }
+    }
+    const response = await next();
+    security.applyHeaders(response);
+    if (origin) {
+      cors.applyHeaders(response, origin);
+    }
+    return response;
+  };
+}
+function setRateLimitHeaders(response, limit, remaining, reset) {
+  response.headers.set("X-RateLimit-Limit", limit.toString());
+  response.headers.set("X-RateLimit-Remaining", remaining.toString());
+  response.headers.set("X-RateLimit-Reset", reset.toString());
 }
 export {
-  CSRFService,
-  EncryptionService,
-  RATE_LIMITS,
-  RateLimited,
-  RateLimiterService,
-  SECURITY_HEADERS,
-  SecurityMonitoringService,
-  SessionService,
-  TokenService,
-  addSecurityEvent,
-  calculateSecurityMetrics,
-  checkAnonymousRateLimit,
-  checkRateLimit,
-  checkUserRateLimit,
-  clearSecurityData,
-  createSecurity,
-  createSecurityAlert,
-  createSecurityEvent,
-  createTokenService,
-  filterEvents,
-  generateIPRateLimitKey,
-  generateRateLimitKey,
-  getClientIP,
-  getEventsBySeverity,
-  getEventsInTimeRange,
-  getRateLimiterService,
-  getSecurityAlerts,
-  getSecurityEvents,
-  getSecurityMetrics,
-  getUserEvents,
-  isTrustedSource,
-  logAuthenticationEvent,
-  logAuthorizationEvent,
-  logDataAccessEvent,
-  logSecurityEvent,
-  sanitizeInput,
-  securityMiddleware,
-  sessionService,
-  shouldTriggerAlert,
-  validateAndSanitizeInput,
-  validateCSRFToken,
-  validateEnvironment,
-  withRateLimit
+  AuditReportGenerator,
+  AuditSystem,
+  AuditTrail,
+  AuthorizationSystem,
+  CORSManager,
+  CORSPresets,
+  CommonRoles,
+  ConsentManager,
+  CookieConsentManager,
+  DataAnonymization,
+  DataBreachManager,
+  DataDeletionSystem,
+  DataExportSystem,
+  DataMasking,
+  EncryptionSystem,
+  EnvelopeEncryption,
+  FieldEncryption,
+  InMemoryAuditStorage,
+  InMemoryBreachStorage,
+  InMemoryGDPRStorage,
+  KeyRotationManager,
+  OAuthClient,
+  OAuthProviders,
+  PasswordHasher,
+  PermissionBuilder,
+  PermissionCache,
+  PolicyBuilder,
+  PrivacyPolicyManager,
+  RequirePermission,
+  RequireRole,
+  SecurityHeaders,
+  SecurityPresets,
+  TokenGenerator,
+  TwoFactorAuth,
+  audit,
+  authorization,
+  canAccessResource,
+  checkAttributeAccess,
+  configureSecurityLogger,
+  cookieConsentManager,
+  createAuditMiddleware,
+  createAuthorizationMiddleware,
+  createConsentManager,
+  createDataBreachManager,
+  createDataDeletionSystem,
+  createSecurityMiddleware,
+  dataExportSystem,
+  encryption,
+  permissionCache,
+  privacyPolicyManager,
+  setRateLimitHeaders
 };
 //# sourceMappingURL=index.js.map