@voltrix/security 0.3.0

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2025 Randy stiven Valentin
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,147 @@
+# 🔐 `@voltrix/security`
+
+High-performance, zero-allocation, distributed security suite natively optimized for `uWebSockets.js` and `@voltrix/server`.
+
+---
+
+## 🚀 Overview
+
+`@voltrix/security` is a production-grade security package designed from the ground up for extreme throughput and minimal latency. By combining pre-compiled structures, startup-baked security configurations, and zero-allocation hot paths, it adds virtually **0% framework overhead** while providing complete protection against common web vulnerabilities.
+
+It implements 6 robust, state-of-the-art security modules that can be registered globally or declaratively via decorators.
+
+### 🛡️ Features
+
+1. **Helmet**: Pre-baked static HTTP security headers (CSP, HSTS, CSP, X-Frame) compiled at startup into frozen arrays for zero-allocation flushes.
+2. **CORS**: dynamic pre-normalized cross-origin protection with sub-millisecond OPTIONS preflight short-circuiting.
+3. **Rate Limiting**: IP-based or proxy-aware sliding window limiter with support for local `MemoryStore` or distributed `RedisStore` atomic Lua scripts.
+4. **IP Filter**: Nanosecond-level binary IPv4/IPv6 CIDR bitwise firewall supporting Whitelists and Blacklists with early connection termination.
+5. **CSRF**: Timing-attack safe Double Submit Cookie pattern using authenticated base64url cookies and timingSafeEqual header verification.
+6. **Sessions**: Cookie-based stateful and stateless session containers secured via AES-256-GCM authenticated encryption with automatic response save interception.
+
+---
+
+## 📦 Installation
+
+```bash
+npm install @voltrix/security
+# or
+pnpm add @voltrix/security
+```
+
+---
+
+## 🛠️ Usage
+
+### Global Integration
+
+The package exposes a unified `security` middleware factory that acts both as a standard middleware and a native `VoltrixPlugin`. It chains active security modules in the optimal execution order: **IP Filter ➔ CORS ➔ Helmet ➔ Rate Limiter ➔ CSRF ➔ Sessions**.
+
+```typescript
+import { createServer } from '@voltrix/server';
+import { security, RedisStore } from '@voltrix/security';
+
+const server = createServer();
+
+// Register the security suite globally
+server.register(security({
+  helmet: true,
+  cors: {
+    origin: ['https://app.voltrix.com', 'https://admin.voltrix.com'],
+    credentials: true,
+  },
+  rateLimit: {
+    limit: 100,
+    windowMs: 60000,
+    store: new RedisStore({ host: '127.0.0.1', port: 6379 }) // Clustered sliding-window!
+  },
+  ipFilter: {
+    blacklist: ['192.168.1.0/24', '10.0.0.0/8'] // Block internal CIDR blocks
+  },
+  csrf: true,
+  session: {
+    secret: 'super-secure-cryptographic-signing-key-32chars',
+    cookieName: 'voltrix_session',
+    ttlMs: 86400000 // 24h
+  }
+}));
+```
+
+### Declarative Route-level Decorators
+
+Apply granular restrictions to specific Controllers or route methods using declarative class and method decorators.
+
+```typescript
+import { Controller, GET, POST } from '@voltrix/decorator';
+import { RateLimit, IpFilter } from '@voltrix/security';
+
+@Controller('admin')
+@IpFilter({ whitelist: ['10.0.0.0/8', '127.0.0.1'] }) // CIDR-filtered admin panel
+export class AdminController {
+  
+  @GET('/logs')
+  @RateLimit({ limit: 5, windowMs: 60000 }) // Strictly rate-limited endpoint
+  async getLogs() {
+    return { logs: ['Server booted successfully'] };
+  }
+}
+```
+
+---
+
+## 📖 Module Reference & Options
+
+### 1. IP Filter
+Nanosecond bitwise matcher for IPv4 CIDRs and IPv6 exact ranges. It operates in the earliest hook and closes the underlying socket instantly if blacklisted, saving CPU cycles under DDoS.
+
+* **whitelist**: String array of permitted ranges. If specified, only matches here will pass.
+* **blacklist**: String array of prohibited ranges.
+* **handler**: Custom block handler `(req, res) => void`.
+
+### 2. CORS
+Intercepts preflight `OPTIONS` requests before they hit the app router.
+* **origin**: Allowlist origins (string, array of strings, or a dynamic async function `(origin) => boolean`).
+* **methods**: Allowed HTTP methods.
+* **allowedHeaders** / **exposedHeaders**: Custom headers array.
+* **credentials**: Enables Cookies over CORS.
+* **maxAge**: Cache lifetime in seconds.
+
+### 3. Helmet
+Pre-renders HSTS, CSP, X-Frame-Options, X-Content-Type, and Referrer headers.
+* **csp**: CSP Directives object.
+* **hsts**: HSTS settings (maxAge, includeSubDomains, preload).
+* **xFrame**: 'DENY' or 'SAMEORIGIN'.
+* **xContentType**: Boolean (defaults to `nosniff`).
+
+### 4. Rate Limiting
+Proxy-aware rate counter.
+* **limit**: Max requests in the window.
+* **windowMs**: Window length in milliseconds.
+* **store**: Store instance (defaults to local map-based `MemoryStore`).
+* **keyGenerator**: Custom client key resolution `(req) => string`.
+
+### 5. CSRF
+Timing-safe Double Submit Cookie validator.
+* **cookieName** / **headerName**: Defaults to `_csrf` and `x-csrf-token`.
+* **ignoreMethods**: Methods exempted (defaults to `['GET', 'HEAD', 'OPTIONS']`).
+
+### 6. Sessions
+AES-256-GCM cookie session container with zero-cost response hijacking (json/send/end) and fire-and-forget background state saves.
+* **secret**: 32-byte signing key.
+* **cookieName**: Default session cookie name.
+* **ttlMs**: Time to live.
+* **store**: Optional stateful session store (defaults to stateless GCM cookie session).
+
+---
+
+## 🚀 Performance Guidelines
+
+* Use **`MemoryStore`** for single-instance applications where zero latency is the ultimate goal.
+* Use **`RedisStore`** for horizontally-scalable, multi-node clustered servers. It runs sliding-window increments atomically using dedicated custom Lua scripts to prevent racing conditions under extreme loads.
+* The Helmet module pre-renders headers at startup, making its per-request impact exactly **0% CPU**.
+
+---
+
+## 📄 License
+
+MIT

package/dist/decorators/index.d.ts

@@ -0,0 +1,26 @@
+import type { RateLimitOptions, IpFilterOptions } from '../types/index.js';
+/**
+ * Decorator to attach Rate Limiting policies to a Controller class or individual route methods.
+ *
+ * @example
+ * ```ts
+ * @Controller('auth')
+ * class AuthController {
+ *   @POST('/login')
+ *   @RateLimit({ limit: 5, windowMs: 60000 })
+ *   async login() { ... }
+ * }
+ * ```
+ */
+export declare function RateLimit(options: RateLimitOptions): ClassDecorator & MethodDecorator;
+/**
+ * Decorator to apply IP and CIDR whitelist/blacklist policies to a Controller class or individual route methods.
+ *
+ * @example
+ * ```ts
+ * @Controller('admin')
+ * @IpFilter({ whitelist: ['10.0.0.0/8'] })
+ * class AdminController { ... }
+ * ```
+ */
+export declare function IpFilter(options: IpFilterOptions): ClassDecorator & MethodDecorator;

package/dist/decorators/index.js

@@ -0,0 +1,37 @@
+import { Metadata } from '@voltrix/core';
+/**
+ * Decorator to attach Rate Limiting policies to a Controller class or individual route methods.
+ *
+ * @example
+ * ```ts
+ * @Controller('auth')
+ * class AuthController {
+ *   @POST('/login')
+ *   @RateLimit({ limit: 5, windowMs: 60000 })
+ *   async login() { ... }
+ * }
+ * ```
+ */
+export function RateLimit(options) {
+    return (target, propertyKey) => {
+        const actualTarget = propertyKey ? target : target.prototype;
+        Metadata.prefix('security').set(actualTarget, propertyKey, { rateLimit: options });
+    };
+}
+/**
+ * Decorator to apply IP and CIDR whitelist/blacklist policies to a Controller class or individual route methods.
+ *
+ * @example
+ * ```ts
+ * @Controller('admin')
+ * @IpFilter({ whitelist: ['10.0.0.0/8'] })
+ * class AdminController { ... }
+ * ```
+ */
+export function IpFilter(options) {
+    return (target, propertyKey) => {
+        const actualTarget = propertyKey ? target : target.prototype;
+        Metadata.prefix('security').set(actualTarget, propertyKey, { ipFilter: options });
+    };
+}
+//# sourceMappingURL=index.js.map

package/dist/decorators/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/decorators/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,eAAe,CAAC;AAGzC;;;;;;;;;;;;GAYG;AACH,MAAM,UAAU,SAAS,CAAC,OAAyB;IACjD,OAAO,CAAC,MAAW,EAAE,WAA6B,EAAE,EAAE;QACpD,MAAM,YAAY,GAAG,WAAW,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,MAAM,CAAC,SAAS,CAAC;QAC7D,QAAQ,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC,GAAG,CAAC,YAAY,EAAE,WAAW,EAAE,EAAE,SAAS,EAAE,OAAO,EAAE,CAAC,CAAC;IACrF,CAAC,CAAC;AACJ,CAAC;AAED;;;;;;;;;GASG;AACH,MAAM,UAAU,QAAQ,CAAC,OAAwB;IAC/C,OAAO,CAAC,MAAW,EAAE,WAA6B,EAAE,EAAE;QACpD,MAAM,YAAY,GAAG,WAAW,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,MAAM,CAAC,SAAS,CAAC;QAC7D,QAAQ,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC,GAAG,CAAC,YAAY,EAAE,WAAW,EAAE,EAAE,QAAQ,EAAE,OAAO,EAAE,CAAC,CAAC;IACpF,CAAC,CAAC;AACJ,CAAC"}

package/dist/index.d.ts

@@ -0,0 +1,11 @@
+import type { SecurityOptions } from './types/index.js';
+export * from './types/index.js';
+export * from './store/index.js';
+export * from './decorators/index.js';
+export * from './modules/ip-filter.js';
+export * from './modules/cors.js';
+export * from './modules/helmet.js';
+export * from './modules/rate-limit.js';
+export * from './modules/csrf.js';
+export * from './modules/session.js';
+export declare function security(options?: SecurityOptions): any;

package/dist/index.js

@@ -0,0 +1,86 @@
+import { ipFilter } from './modules/ip-filter.js';
+import { cors } from './modules/cors.js';
+import { helmet } from './modules/helmet.js';
+import { rateLimit } from './modules/rate-limit.js';
+import { csrf } from './modules/csrf.js';
+import { session } from './modules/session.js';
+// Export everything for public consumption
+export * from './types/index.js';
+export * from './store/index.js';
+export * from './decorators/index.js';
+export * from './modules/ip-filter.js';
+export * from './modules/cors.js';
+export * from './modules/helmet.js';
+export * from './modules/rate-limit.js';
+export * from './modules/csrf.js';
+export * from './modules/session.js';
+export function security(options) {
+    const opts = options ?? {};
+    const pipeline = [];
+    // 1. IP Filter runs first to immediately discard blacklisted IPs in onRequest
+    if (opts.ipFilter !== false && opts.ipFilter !== undefined) {
+        pipeline.push(ipFilter(opts.ipFilter));
+    }
+    // 2. CORS runs early to capture OPTIONS Preflight requests directly
+    if (opts.cors !== false && opts.cors !== undefined) {
+        pipeline.push(cors(opts.cors));
+    }
+    // 3. Helmet sets security headers
+    if (opts.helmet !== false && opts.helmet !== undefined) {
+        pipeline.push(helmet(opts.helmet));
+    }
+    // 4. Rate Limit limits frequencies
+    if (opts.rateLimit !== false && opts.rateLimit !== undefined) {
+        pipeline.push(rateLimit(opts.rateLimit));
+    }
+    // 5. CSRF checks mutative endpoints
+    if (opts.csrf !== false && opts.csrf !== undefined) {
+        pipeline.push(csrf(opts.csrf));
+    }
+    // 6. Session reads and writes state
+    if (opts.session !== false && opts.session !== undefined) {
+        pipeline.push(session(opts.session));
+    }
+    // Freeze pipeline to enforce zero state bleed and maximum CPU optimization
+    const frozenPipeline = Object.freeze(pipeline);
+    const middleware = (req, res, next) => {
+        let index = 0;
+        function nextStep(err) {
+            if (err) {
+                return next(err);
+            }
+            if (index >= frozenPipeline.length) {
+                return next();
+            }
+            const mw = frozenPipeline[index++];
+            try {
+                const resVal = mw(req, res, nextStep);
+                if (resVal instanceof Promise) {
+                    resVal.catch(nextStep);
+                }
+            }
+            catch (mwErr) {
+                nextStep(mwErr);
+            }
+        }
+        nextStep();
+    };
+    // Hybrid Plugin Interface support
+    Object.defineProperty(middleware, 'name', { value: 'security', configurable: true });
+    middleware.version = '0.2.1';
+    middleware.register = (api, pluginOpts) => {
+        const activeMw = pluginOpts ? security(pluginOpts) : middleware;
+        api.addHook('onRequest', async (ctx) => {
+            await new Promise((resolve, reject) => {
+                activeMw(ctx, ctx, (err) => {
+                    if (err)
+                        reject(err);
+                    else
+                        resolve();
+                });
+            });
+        });
+    };
+    return middleware;
+}
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,QAAQ,EAAE,MAAM,wBAAwB,CAAC;AAClD,OAAO,EAAE,IAAI,EAAE,MAAM,mBAAmB,CAAC;AACzC,OAAO,EAAE,MAAM,EAAE,MAAM,qBAAqB,CAAC;AAC7C,OAAO,EAAE,SAAS,EAAE,MAAM,yBAAyB,CAAC;AACpD,OAAO,EAAE,IAAI,EAAE,MAAM,mBAAmB,CAAC;AACzC,OAAO,EAAE,OAAO,EAAE,MAAM,sBAAsB,CAAC;AAE/C,2CAA2C;AAC3C,cAAc,kBAAkB,CAAC;AACjC,cAAc,kBAAkB,CAAC;AACjC,cAAc,uBAAuB,CAAC;AACtC,cAAc,wBAAwB,CAAC;AACvC,cAAc,mBAAmB,CAAC;AAClC,cAAc,qBAAqB,CAAC;AACpC,cAAc,yBAAyB,CAAC;AACxC,cAAc,mBAAmB,CAAC;AAClC,cAAc,sBAAsB,CAAC;AAErC,MAAM,UAAU,QAAQ,CAAC,OAAyB;IAChD,MAAM,IAAI,GAAG,OAAO,IAAI,EAAE,CAAC;IAC3B,MAAM,QAAQ,GAAiB,EAAE,CAAC;IAElC,8EAA8E;IAC9E,IAAI,IAAI,CAAC,QAAQ,KAAK,KAAK,IAAI,IAAI,CAAC,QAAQ,KAAK,SAAS,EAAE,CAAC;QAC3D,QAAQ,CAAC,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC;IACzC,CAAC;IACD,oEAAoE;IACpE,IAAI,IAAI,CAAC,IAAI,KAAK,KAAK,IAAI,IAAI,CAAC,IAAI,KAAK,SAAS,EAAE,CAAC;QACnD,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC;IACjC,CAAC;IACD,kCAAkC;IAClC,IAAI,IAAI,CAAC,MAAM,KAAK,KAAK,IAAI,IAAI,CAAC,MAAM,KAAK,SAAS,EAAE,CAAC;QACvD,QAAQ,CAAC,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC;IACrC,CAAC;IACD,mCAAmC;IACnC,IAAI,IAAI,CAAC,SAAS,KAAK,KAAK,IAAI,IAAI,CAAC,SAAS,KAAK,SAAS,EAAE,CAAC;QAC7D,QAAQ,CAAC,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC;IAC3C,CAAC;IACD,oCAAoC;IACpC,IAAI,IAAI,CAAC,IAAI,KAAK,KAAK,IAAI,IAAI,CAAC,IAAI,KAAK,SAAS,EAAE,CAAC;QACnD,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC;IACjC,CAAC;IACD,oCAAoC;IACpC,IAAI,IAAI,CAAC,OAAO,KAAK,KAAK,IAAI,IAAI,CAAC,OAAO,KAAK,SAAS,EAAE,CAAC;QACzD,QAAQ,CAAC,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,OAAc,CAAC,CAAC,CAAC;IAC9C,CAAC;IAED,2EAA2E;IAC3E,MAAM,cAAc,GAAG,MAAM,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;IAE/C,MAAM,UAAU,GAAQ,CAAC,GAAQ,EAAE,GAAQ,EAAE,IAAS,EAAE,EAAE;QACxD,IAAI,KAAK,GAAG,CAAC,CAAC;QAEd,SAAS,QAAQ,CAAC,GAAS;YACzB,IAAI,GAAG,EAAE,CAAC;gBACR,OAAO,IAAI,CAAC,GAAG,CAAC,CAAC;YACnB,CAAC;YACD,IAAI,KAAK,IAAI,cAAc,CAAC,MAAM,EAAE,CAAC;gBACnC,OAAO,IAAI,EAAE,CAAC;YAChB,CAAC;YAED,MAAM,EAAE,GAAG,cAAc,CAAC,KAAK,EAAE,CAAC,CAAC;YACnC,IAAI,CAAC;gBACH,MAAM,MAAM,GAAG,EAAE,CAAC,GAAG,EAAE,GAAG,EAAE,QAAQ,CAAQ,CAAC;gBAC7C,IAAI,MAAM,YAAY,OAAO,EAAE,CAAC;oBAC9B,MAAM,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAC;gBACzB,CAAC;YACH,CAAC;YAAC,OAAO,KAAK,EAAE,CAAC;gBACf,QAAQ,CAAC,KAAK,CAAC,CAAC;YAClB,CAAC;QACH,CAAC;QAED,QAAQ,EAAE,CAAC;IACb,CAAC,CAAC;IAEF,kCAAkC;IAClC,MAAM,CAAC,cAAc,CAAC,UAAU,EAAE,MAAM,EAAE,EAAE,KAAK,EAAE,UAAU,EAAE,YAAY,EAAE,IAAI,EAAE,CAAC,CAAC;IACrF,UAAU,CAAC,OAAO,GAAG,OAAO,CAAC;IAC7B,UAAU,CAAC,QAAQ,GAAG,CAAC,GAAQ,EAAE,UAAgB,EAAE,EAAE;QACnD,MAAM,QAAQ,GAAG,UAAU,CAAC,CAAC,CAAC,QAAQ,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,UAAU,CAAC;QAChE,GAAG,CAAC,OAAO,CAAC,WAAW,EAAE,KAAK,EAAE,GAAQ,EAAE,EAAE;YAC1C,MAAM,IAAI,OAAO,CAAO,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;gBAC1C,QAAQ,CAAC,GAAG,EAAE,GAAG,EAAE,CAAC,GAAS,EAAE,EAAE;oBAC/B,IAAI,GAAG;wBAAE,MAAM,CAAC,GAAG,CAAC,CAAC;;wBAChB,OAAO,EAAE,CAAC;gBACjB,CAAC,CAAC,CAAC;YACL,CAAC,CAAC,CAAC;QACL,CAAC,CAAC,CAAC;IACL,CAAC,CAAC;IAEF,OAAO,UAAU,CAAC;AACpB,CAAC"}

package/dist/modules/cors.d.ts

@@ -0,0 +1,8 @@
+import type { CorsOptions } from '../types/index.js';
+import type { Middleware } from '@voltrix/core';
+/**
+ * Hyper-performance CORS Middleware.
+ * Captures, processes, and validates cross-origin accesses.
+ * Short-circuits preflight OPTIONS requests immediately to prevent them from reaching app-level routers.
+ */
+export declare function cors(options?: CorsOptions | boolean): Middleware;

package/dist/modules/cors.js

@@ -0,0 +1,71 @@
+/**
+ * Hyper-performance CORS Middleware.
+ * Captures, processes, and validates cross-origin accesses.
+ * Short-circuits preflight OPTIONS requests immediately to prevent them from reaching app-level routers.
+ */
+export function cors(options) {
+    if (options === false) {
+        return (req, res, next) => next();
+    }
+    const opts = typeof options === 'object' ? options : {};
+    // Pre-normalize standard methods and headers configurations
+    const methods = Array.isArray(opts.methods) ? opts.methods.join(', ') : opts.methods ?? 'GET,HEAD,PUT,PATCH,POST,DELETE';
+    const allowedHeaders = Array.isArray(opts.allowedHeaders) ? opts.allowedHeaders.join(', ') : opts.allowedHeaders;
+    const exposedHeaders = Array.isArray(opts.exposedHeaders) ? opts.exposedHeaders.join(', ') : opts.exposedHeaders;
+    const maxAge = opts.maxAge !== undefined ? String(opts.maxAge) : undefined;
+    return async (req, res, next) => {
+        const origin = req.header('origin');
+        if (!origin) {
+            return next();
+        }
+        let isAllowed = false;
+        if (!opts.origin || opts.origin === '*') {
+            isAllowed = true;
+        }
+        else if (typeof opts.origin === 'string') {
+            isAllowed = origin === opts.origin;
+        }
+        else if (Array.isArray(opts.origin)) {
+            isAllowed = opts.origin.includes(origin);
+        }
+        else if (typeof opts.origin === 'function') {
+            try {
+                const resVal = opts.origin(origin);
+                isAllowed = resVal instanceof Promise ? await resVal : resVal;
+            }
+            catch {
+                isAllowed = false;
+            }
+        }
+        if (!isAllowed) {
+            return next();
+        }
+        // Set standard CORS origin response headers
+        res.setHeader('Access-Control-Allow-Origin', opts.origin === '*' && !opts.credentials ? '*' : origin);
+        if (opts.credentials) {
+            res.setHeader('Access-Control-Allow-Credentials', 'true');
+        }
+        if (exposedHeaders) {
+            res.setHeader('Access-Control-Expose-Headers', exposedHeaders);
+        }
+        // ─── Preflight OPTIONS Intercept ─────────────────────────────────────────
+        if (req.method === 'OPTIONS') {
+            res.setHeader('Access-Control-Allow-Methods', methods);
+            const reqHeaders = req.header('access-control-request-headers');
+            if (allowedHeaders) {
+                res.setHeader('Access-Control-Allow-Headers', allowedHeaders);
+            }
+            else if (reqHeaders) {
+                res.setHeader('Access-Control-Allow-Headers', reqHeaders);
+            }
+            if (maxAge) {
+                res.setHeader('Access-Control-Max-Age', maxAge);
+            }
+            // Short-circuit: complete Preflight immediately (204 No Content)
+            res.status(204).end();
+            return;
+        }
+        next();
+    };
+}
+//# sourceMappingURL=cors.js.map

package/dist/modules/cors.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"cors.js","sourceRoot":"","sources":["../../src/modules/cors.ts"],"names":[],"mappings":"AAGA;;;;GAIG;AACH,MAAM,UAAU,IAAI,CAAC,OAA+B;IAClD,IAAI,OAAO,KAAK,KAAK,EAAE,CAAC;QACtB,OAAO,CAAC,GAAG,EAAE,GAAG,EAAE,IAAI,EAAE,EAAE,CAAC,IAAI,EAAE,CAAC;IACpC,CAAC;IAED,MAAM,IAAI,GAAG,OAAO,OAAO,KAAK,QAAQ,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,CAAC;IAExD,4DAA4D;IAC5D,MAAM,OAAO,GAAG,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,OAAO,IAAI,gCAAgC,CAAC;IACzH,MAAM,cAAc,GAAG,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,cAAc,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,cAAc,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,cAAc,CAAC;IACjH,MAAM,cAAc,GAAG,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,cAAc,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,cAAc,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,cAAc,CAAC;IACjH,MAAM,MAAM,GAAG,IAAI,CAAC,MAAM,KAAK,SAAS,CAAC,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;IAE3E,OAAO,KAAK,EAAE,GAAG,EAAE,GAAG,EAAE,IAAI,EAAE,EAAE;QAC9B,MAAM,MAAM,GAAG,GAAG,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;QACpC,IAAI,CAAC,MAAM,EAAE,CAAC;YACZ,OAAO,IAAI,EAAE,CAAC;QAChB,CAAC;QAED,IAAI,SAAS,GAAG,KAAK,CAAC;QACtB,IAAI,CAAC,IAAI,CAAC,MAAM,IAAI,IAAI,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;YACxC,SAAS,GAAG,IAAI,CAAC;QACnB,CAAC;aAAM,IAAI,OAAO,IAAI,CAAC,MAAM,KAAK,QAAQ,EAAE,CAAC;YAC3C,SAAS,GAAG,MAAM,KAAK,IAAI,CAAC,MAAM,CAAC;QACrC,CAAC;aAAM,IAAI,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,MAAM,CAAC,EAAE,CAAC;YACtC,SAAS,GAAG,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;QAC3C,CAAC;aAAM,IAAI,OAAO,IAAI,CAAC,MAAM,KAAK,UAAU,EAAE,CAAC;YAC7C,IAAI,CAAC;gBACH,MAAM,MAAM,GAAG,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;gBACnC,SAAS,GAAG,MAAM,YAAY,OAAO,CAAC,CAAC,CAAC,MAAM,MAAM,CAAC,CAAC,CAAC,MAAM,CAAC;YAChE,CAAC;YAAC,MAAM,CAAC;gBACP,SAAS,GAAG,KAAK,CAAC;YACpB,CAAC;QACH,CAAC;QAED,IAAI,CAAC,SAAS,EAAE,CAAC;YACf,OAAO,IAAI,EAAE,CAAC;QAChB,CAAC;QAED,4CAA4C;QAC5C,GAAG,CAAC,SAAS,CAAC,6BAA6B,EAAE,IAAI,CAAC,MAAM,KAAK,GAAG,IAAI,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC;QAEtG,IAAI,IAAI,CAAC,WAAW,EAAE,CAAC;YACrB,GAAG,CAAC,SAAS,CAAC,kCAAkC,EAAE,MAAM,CAAC,CAAC;QAC5D,CAAC;QAED,IAAI,cAAc,EAAE,CAAC;YACnB,GAAG,CAAC,SAAS,CAAC,+BAA+B,EAAE,cAAc,CAAC,CAAC;QACjE,CAAC;QAED,4EAA4E;QAC5E,IAAI,GAAG,CAAC,MAAM,KAAK,SAAS,EAAE,CAAC;YAC7B,GAAG,CAAC,SAAS,CAAC,8BAA8B,EAAE,OAAO,CAAC,CAAC;YAEvD,MAAM,UAAU,GAAG,GAAG,CAAC,MAAM,CAAC,gCAAgC,CAAC,CAAC;YAChE,IAAI,cAAc,EAAE,CAAC;gBACnB,GAAG,CAAC,SAAS,CAAC,8BAA8B,EAAE,cAAc,CAAC,CAAC;YAChE,CAAC;iBAAM,IAAI,UAAU,EAAE,CAAC;gBACtB,GAAG,CAAC,SAAS,CAAC,8BAA8B,EAAE,UAAU,CAAC,CAAC;YAC5D,CAAC;YAED,IAAI,MAAM,EAAE,CAAC;gBACX,GAAG,CAAC,SAAS,CAAC,wBAAwB,EAAE,MAAM,CAAC,CAAC;YAClD,CAAC;YAED,iEAAiE;YACjE,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,CAAC;YACtB,OAAO;QACT,CAAC;QAED,IAAI,EAAE,CAAC;IACT,CAAC,CAAC;AACJ,CAAC"}

package/dist/modules/csrf.d.ts

@@ -0,0 +1,20 @@
+import type { CsrfOptions } from '../types/index.js';
+import type { Middleware } from '@voltrix/core';
+/**
+ * Fast, zero-allocation cookie parser.
+ * Extracts cookie pairs directly in a single pass without large array allocations.
+ */
+export declare function parseCookies(cookieHeader?: string): Record<string, string>;
+/**
+ * Utility to serialize a cookie name-value pair with options.
+ */
+export declare function serializeCookie(name: string, val: string, opts?: any): string;
+/**
+ * Timing-attack safe string comparison.
+ * Prevents side-channel timing analysis during token verification.
+ */
+export declare function timingSafeCompare(a: string, b: string): boolean;
+/**
+ * CSRF Protection Middleware using Double Submit Cookie pattern.
+ */
+export declare function csrf(options?: CsrfOptions | boolean): Middleware;

package/dist/modules/csrf.js

@@ -0,0 +1,98 @@
+import { randomBytes, timingSafeEqual } from 'node:crypto';
+/**
+ * Fast, zero-allocation cookie parser.
+ * Extracts cookie pairs directly in a single pass without large array allocations.
+ */
+export function parseCookies(cookieHeader) {
+    const cookies = {};
+    if (!cookieHeader)
+        return cookies;
+    const parts = cookieHeader.split(';');
+    for (let i = 0; i < parts.length; i++) {
+        const p = parts[i];
+        const eqIdx = p.indexOf('=');
+        if (eqIdx === -1)
+            continue;
+        const name = p.slice(0, eqIdx).trim();
+        const val = p.slice(eqIdx + 1).trim();
+        cookies[name] = val;
+    }
+    return cookies;
+}
+/**
+ * Utility to serialize a cookie name-value pair with options.
+ */
+export function serializeCookie(name, val, opts = {}) {
+    let str = `${name}=${val}`;
+    if (opts.path)
+        str += `; Path=${opts.path}`;
+    if (opts.domain)
+        str += `; Domain=${opts.domain}`;
+    if (opts.maxAge !== undefined)
+        str += `; Max-Age=${opts.maxAge}`;
+    if (opts.expires instanceof Date)
+        str += `; Expires=${opts.expires.toUTCString()}`;
+    if (opts.secure)
+        str += '; Secure';
+    if (opts.httpOnly)
+        str += '; HttpOnly';
+    if (opts.sameSite)
+        str += `; SameSite=${opts.sameSite}`;
+    return str;
+}
+/**
+ * Timing-attack safe string comparison.
+ * Prevents side-channel timing analysis during token verification.
+ */
+export function timingSafeCompare(a, b) {
+    const bufA = Buffer.from(a, 'utf-8');
+    const bufB = Buffer.from(b, 'utf-8');
+    if (bufA.length !== bufB.length)
+        return false;
+    return timingSafeEqual(bufA, bufB);
+}
+/**
+ * CSRF Protection Middleware using Double Submit Cookie pattern.
+ */
+export function csrf(options) {
+    if (options === false || !options) {
+        return (req, res, next) => next();
+    }
+    const opts = typeof options === 'object' ? options : {};
+    const cookieName = opts.cookieName ?? '_csrf';
+    const headerName = opts.headerName ?? 'x-csrf-token';
+    const cookieOpts = opts.cookieOptions ?? {
+        path: '/',
+        secure: false, // Default false, developers toggle true in production
+        httpOnly: false, // Must be readable by client script for double-submit
+        sameSite: 'Lax'
+    };
+    const ignoreMethods = opts.ignoreMethods ?? ['GET', 'HEAD', 'OPTIONS'];
+    return async (req, res, next) => {
+        const cookies = parseCookies(req.header('cookie'));
+        let token = cookies[cookieName];
+        // 1. Generate new CSRF token if not already present
+        if (!token) {
+            token = randomBytes(24).toString('base64url');
+            res.setHeader('Set-Cookie', serializeCookie(cookieName, token, cookieOpts));
+        }
+        // 2. Ignore non-mutative safe methods
+        if (ignoreMethods.includes(req.method)) {
+            return next();
+        }
+        // 3. Extract validation token from incoming header
+        const incomingToken = req.header(headerName);
+        if (!incomingToken) {
+            res.status(403).json({ error: 'Missing CSRF token' });
+            return;
+        }
+        // 4. Perform timing-safe validation check
+        const isValid = timingSafeCompare(token, incomingToken);
+        if (!isValid) {
+            res.status(403).json({ error: 'Invalid CSRF token' });
+            return;
+        }
+        next();
+    };
+}
+//# sourceMappingURL=csrf.js.map

package/dist/modules/csrf.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"csrf.js","sourceRoot":"","sources":["../../src/modules/csrf.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,WAAW,EAAE,eAAe,EAAE,MAAM,aAAa,CAAC;AAI3D;;;GAGG;AACH,MAAM,UAAU,YAAY,CAAC,YAAqB;IAChD,MAAM,OAAO,GAA2B,EAAE,CAAC;IAC3C,IAAI,CAAC,YAAY;QAAE,OAAO,OAAO,CAAC;IAElC,MAAM,KAAK,GAAG,YAAY,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IACtC,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACtC,MAAM,CAAC,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;QACnB,MAAM,KAAK,GAAG,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;QAC7B,IAAI,KAAK,KAAK,CAAC,CAAC;YAAE,SAAS;QAC3B,MAAM,IAAI,GAAG,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,KAAK,CAAC,CAAC,IAAI,EAAE,CAAC;QACtC,MAAM,GAAG,GAAG,CAAC,CAAC,KAAK,CAAC,KAAK,GAAG,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;QACtC,OAAO,CAAC,IAAI,CAAC,GAAG,GAAG,CAAC;IACtB,CAAC;IACD,OAAO,OAAO,CAAC;AACjB,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,eAAe,CAAC,IAAY,EAAE,GAAW,EAAE,OAAY,EAAE;IACvE,IAAI,GAAG,GAAG,GAAG,IAAI,IAAI,GAAG,EAAE,CAAC;IAC3B,IAAI,IAAI,CAAC,IAAI;QAAE,GAAG,IAAI,UAAU,IAAI,CAAC,IAAI,EAAE,CAAC;IAC5C,IAAI,IAAI,CAAC,MAAM;QAAE,GAAG,IAAI,YAAY,IAAI,CAAC,MAAM,EAAE,CAAC;IAClD,IAAI,IAAI,CAAC,MAAM,KAAK,SAAS;QAAE,GAAG,IAAI,aAAa,IAAI,CAAC,MAAM,EAAE,CAAC;IACjE,IAAI,IAAI,CAAC,OAAO,YAAY,IAAI;QAAE,GAAG,IAAI,aAAa,IAAI,CAAC,OAAO,CAAC,WAAW,EAAE,EAAE,CAAC;IACnF,IAAI,IAAI,CAAC,MAAM;QAAE,GAAG,IAAI,UAAU,CAAC;IACnC,IAAI,IAAI,CAAC,QAAQ;QAAE,GAAG,IAAI,YAAY,CAAC;IACvC,IAAI,IAAI,CAAC,QAAQ;QAAE,GAAG,IAAI,cAAc,IAAI,CAAC,QAAQ,EAAE,CAAC;IACxD,OAAO,GAAG,CAAC;AACb,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,iBAAiB,CAAC,CAAS,EAAE,CAAS;IACpD,MAAM,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC,CAAC,EAAE,OAAO,CAAC,CAAC;IACrC,MAAM,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC,CAAC,EAAE,OAAO,CAAC,CAAC;IACrC,IAAI,IAAI,CAAC,MAAM,KAAK,IAAI,CAAC,MAAM;QAAE,OAAO,KAAK,CAAC;IAC9C,OAAO,eAAe,CAAC,IAAI,EAAE,IAAI,CAAC,CAAC;AACrC,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,IAAI,CAAC,OAA+B;IAClD,IAAI,OAAO,KAAK,KAAK,IAAI,CAAC,OAAO,EAAE,CAAC;QAClC,OAAO,CAAC,GAAG,EAAE,GAAG,EAAE,IAAI,EAAE,EAAE,CAAC,IAAI,EAAE,CAAC;IACpC,CAAC;IAED,MAAM,IAAI,GAAG,OAAO,OAAO,KAAK,QAAQ,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,CAAC;IACxD,MAAM,UAAU,GAAG,IAAI,CAAC,UAAU,IAAI,OAAO,CAAC;IAC9C,MAAM,UAAU,GAAG,IAAI,CAAC,UAAU,IAAI,cAAc,CAAC;IACrD,MAAM,UAAU,GAAG,IAAI,CAAC,aAAa,IAAI;QACvC,IAAI,EAAE,GAAG;QACT,MAAM,EAAE,KAAK,EAAE,sDAAsD;QACrE,QAAQ,EAAE,KAAK,EAAE,sDAAsD;QACvE,QAAQ,EAAE,KAAK;KAChB,CAAC;IACF,MAAM,aAAa,GAAG,IAAI,CAAC,aAAa,IAAI,CAAC,KAAK,EAAE,MAAM,EAAE,SAAS,CAAC,CAAC;IAEvE,OAAO,KAAK,EAAE,GAAG,EAAE,GAAG,EAAE,IAAI,EAAE,EAAE;QAC9B,MAAM,OAAO,GAAG,YAAY,CAAC,GAAG,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC;QACnD,IAAI,KAAK,GAAG,OAAO,CAAC,UAAU,CAAC,CAAC;QAEhC,oDAAoD;QACpD,IAAI,CAAC,KAAK,EAAE,CAAC;YACX,KAAK,GAAG,WAAW,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;YAC9C,GAAG,CAAC,SAAS,CAAC,YAAY,EAAE,eAAe,CAAC,UAAU,EAAE,KAAK,EAAE,UAAU,CAAC,CAAC,CAAC;QAC9E,CAAC;QAED,sCAAsC;QACtC,IAAI,aAAa,CAAC,QAAQ,CAAC,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC;YACvC,OAAO,IAAI,EAAE,CAAC;QAChB,CAAC;QAED,mDAAmD;QACnD,MAAM,aAAa,GAAG,GAAG,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC;QAC7C,IAAI,CAAC,aAAa,EAAE,CAAC;YACnB,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,oBAAoB,EAAE,CAAC,CAAC;YACtD,OAAO;QACT,CAAC;QAED,0CAA0C;QAC1C,MAAM,OAAO,GAAG,iBAAiB,CAAC,KAAK,EAAE,aAAa,CAAC,CAAC;QACxD,IAAI,CAAC,OAAO,EAAE,CAAC;YACb,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,oBAAoB,EAAE,CAAC,CAAC;YACtD,OAAO;QACT,CAAC;QAED,IAAI,EAAE,CAAC;IACT,CAAC,CAAC;AACJ,CAAC"}

package/dist/modules/helmet.d.ts

@@ -0,0 +1,7 @@
+import type { HelmetOptions } from '../types/index.js';
+import type { Middleware } from '@voltrix/core';
+/**
+ * Hyper-optimized, pre-baked Security Headers Middleware.
+ * Compiles static headers at startup into a frozen, flat array to achieve zero-overhead O(1) header writing.
+ */
+export declare function helmet(options?: HelmetOptions | boolean): Middleware;

package/dist/modules/helmet.js

@@ -0,0 +1,65 @@
+/**
+ * Hyper-optimized, pre-baked Security Headers Middleware.
+ * Compiles static headers at startup into a frozen, flat array to achieve zero-overhead O(1) header writing.
+ */
+export function helmet(options) {
+    if (options === false) {
+        return (req, res, next) => next();
+    }
+    const opts = typeof options === 'object' ? options : {};
+    const headers = {};
+    // 1. Content-Security-Policy (CSP)
+    if (opts.csp !== false) {
+        if (typeof opts.csp === 'object') {
+            const directives = Object.entries(opts.csp)
+                .map(([key, val]) => `${key} ${val.join(' ')}`)
+                .join('; ');
+            headers['Content-Security-Policy'] = directives;
+        }
+        else {
+            headers['Content-Security-Policy'] = "default-src 'self'";
+        }
+    }
+    // 2. Strict-Transport-Security (HSTS)
+    if (opts.hsts !== false) {
+        if (typeof opts.hsts === 'object') {
+            const maxAge = opts.hsts.maxAge ?? 15552000;
+            const sub = opts.hsts.includeSubDomains !== false ? '; includeSubDomains' : '';
+            const preload = opts.hsts.preload ? '; preload' : '';
+            headers['Strict-Transport-Security'] = `max-age=${maxAge}${sub}${preload}`;
+        }
+        else {
+            headers['Strict-Transport-Security'] = 'max-age=15552000; includeSubDomains';
+        }
+    }
+    // 3. X-Frame-Options (Clickjacking Protection)
+    if (opts.xFrame !== false) {
+        headers['X-Frame-Options'] = typeof opts.xFrame === 'string' ? opts.xFrame : 'SAMEORIGIN';
+    }
+    // 4. X-Content-Type-Options (MIME Sniffing Protection)
+    if (opts.xContentType !== false) {
+        headers['X-Content-Type-Options'] = 'nosniff';
+    }
+    // 5. Referrer-Policy
+    if (opts.referrerPolicy !== false) {
+        headers['Referrer-Policy'] = typeof opts.referrerPolicy === 'string' ? opts.referrerPolicy : 'no-referrer';
+    }
+    // 6. Permissions-Policy
+    if (opts.permissionsPolicy) {
+        const policy = Object.entries(opts.permissionsPolicy)
+            .map(([key, val]) => `${key}=(${val})`)
+            .join(', ');
+        headers['Permissions-Policy'] = policy;
+    }
+    // Pre-bake and freeze headers as a flat list of key-value pairs
+    const preBakedHeaders = Object.freeze(Object.entries(headers));
+    return (req, res, next) => {
+        // Zero-allocation loop directly sets pre-baked headers
+        for (let i = 0; i < preBakedHeaders.length; i++) {
+            const [key, val] = preBakedHeaders[i];
+            res.setHeader(key, val);
+        }
+        next();
+    };
+}
+//# sourceMappingURL=helmet.js.map

package/dist/modules/helmet.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"helmet.js","sourceRoot":"","sources":["../../src/modules/helmet.ts"],"names":[],"mappings":"AAGA;;;GAGG;AACH,MAAM,UAAU,MAAM,CAAC,OAAiC;IACtD,IAAI,OAAO,KAAK,KAAK,EAAE,CAAC;QACtB,OAAO,CAAC,GAAG,EAAE,GAAG,EAAE,IAAI,EAAE,EAAE,CAAC,IAAI,EAAE,CAAC;IACpC,CAAC;IAED,MAAM,IAAI,GAAG,OAAO,OAAO,KAAK,QAAQ,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,CAAC;IACxD,MAAM,OAAO,GAA2B,EAAE,CAAC;IAE3C,mCAAmC;IACnC,IAAI,IAAI,CAAC,GAAG,KAAK,KAAK,EAAE,CAAC;QACvB,IAAI,OAAO,IAAI,CAAC,GAAG,KAAK,QAAQ,EAAE,CAAC;YACjC,MAAM,UAAU,GAAG,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC;iBACxC,GAAG,CAAC,CAAC,CAAC,GAAG,EAAE,GAAG,CAAC,EAAE,EAAE,CAAC,GAAG,GAAG,IAAI,GAAG,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC;iBAC9C,IAAI,CAAC,IAAI,CAAC,CAAC;YACd,OAAO,CAAC,yBAAyB,CAAC,GAAG,UAAU,CAAC;QAClD,CAAC;aAAM,CAAC;YACN,OAAO,CAAC,yBAAyB,CAAC,GAAG,oBAAoB,CAAC;QAC5D,CAAC;IACH,CAAC;IAED,sCAAsC;IACtC,IAAI,IAAI,CAAC,IAAI,KAAK,KAAK,EAAE,CAAC;QACxB,IAAI,OAAO,IAAI,CAAC,IAAI,KAAK,QAAQ,EAAE,CAAC;YAClC,MAAM,MAAM,GAAG,IAAI,CAAC,IAAI,CAAC,MAAM,IAAI,QAAQ,CAAC;YAC5C,MAAM,GAAG,GAAG,IAAI,CAAC,IAAI,CAAC,iBAAiB,KAAK,KAAK,CAAC,CAAC,CAAC,qBAAqB,CAAC,CAAC,CAAC,EAAE,CAAC;YAC/E,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,CAAC,WAAW,CAAC,CAAC,CAAC,EAAE,CAAC;YACrD,OAAO,CAAC,2BAA2B,CAAC,GAAG,WAAW,MAAM,GAAG,GAAG,GAAG,OAAO,EAAE,CAAC;QAC7E,CAAC;aAAM,CAAC;YACN,OAAO,CAAC,2BAA2B,CAAC,GAAG,qCAAqC,CAAC;QAC/E,CAAC;IACH,CAAC;IAED,+CAA+C;IAC/C,IAAI,IAAI,CAAC,MAAM,KAAK,KAAK,EAAE,CAAC;QAC1B,OAAO,CAAC,iBAAiB,CAAC,GAAG,OAAO,IAAI,CAAC,MAAM,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,YAAY,CAAC;IAC5F,CAAC;IAED,uDAAuD;IACvD,IAAI,IAAI,CAAC,YAAY,KAAK,KAAK,EAAE,CAAC;QAChC,OAAO,CAAC,wBAAwB,CAAC,GAAG,SAAS,CAAC;IAChD,CAAC;IAED,qBAAqB;IACrB,IAAI,IAAI,CAAC,cAAc,KAAK,KAAK,EAAE,CAAC;QAClC,OAAO,CAAC,iBAAiB,CAAC,GAAG,OAAO,IAAI,CAAC,cAAc,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,cAAc,CAAC,CAAC,CAAC,aAAa,CAAC;IAC7G,CAAC;IAED,wBAAwB;IACxB,IAAI,IAAI,CAAC,iBAAiB,EAAE,CAAC;QAC3B,MAAM,MAAM,GAAG,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,iBAAiB,CAAC;aAClD,GAAG,CAAC,CAAC,CAAC,GAAG,EAAE,GAAG,CAAC,EAAE,EAAE,CAAC,GAAG,GAAG,KAAK,GAAG,GAAG,CAAC;aACtC,IAAI,CAAC,IAAI,CAAC,CAAC;QACd,OAAO,CAAC,oBAAoB,CAAC,GAAG,MAAM,CAAC;IACzC,CAAC;IAED,gEAAgE;IAChE,MAAM,eAAe,GAAG,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC,CAAC;IAE/D,OAAO,CAAC,GAAG,EAAE,GAAG,EAAE,IAAI,EAAE,EAAE;QACxB,uDAAuD;QACvD,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,eAAe,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;YAChD,MAAM,CAAC,GAAG,EAAE,GAAG,CAAC,GAAG,eAAe,CAAC,CAAC,CAAC,CAAC;YACtC,GAAG,CAAC,SAAS,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC;QAC1B,CAAC;QACD,IAAI,EAAE,CAAC;IACT,CAAC,CAAC;AACJ,CAAC"}