@voltrix/security 0.3.0

package/dist/modules/ip-filter.d.ts

@@ -0,0 +1,21 @@
+import type { IpFilterOptions } from '../types/index.js';
+import type { Middleware } from '@voltrix/core';
+/**
+ * Compiled IP and CIDR matching engine.
+ * Converts IPv4 CIDR blocks into 32-bit binary integer boundaries for nanosecond-level bitwise matching.
+ */
+export declare class IpMatcher {
+    private readonly _v4Ranges;
+    private readonly _v6Ranges;
+    constructor(cidrs: string[]);
+    private ipToLong;
+    /**
+     * Matches an IP address against compiled ranges.
+     */
+    match(ip: string): boolean;
+}
+/**
+ * Hyper-performance IP Filtering Middleware.
+ * Rejects requests from unauthorized IPs or subnets in the earliest onRequest hook.
+ */
+export declare function ipFilter(options?: IpFilterOptions | boolean): Middleware;

package/dist/modules/ip-filter.js

@@ -0,0 +1,99 @@
+import { getClientIp } from './rate-limit.js';
+/**
+ * Compiled IP and CIDR matching engine.
+ * Converts IPv4 CIDR blocks into 32-bit binary integer boundaries for nanosecond-level bitwise matching.
+ */
+export class IpMatcher {
+    _v4Ranges = [];
+    _v6Ranges = [];
+    constructor(cidrs) {
+        for (const cidr of cidrs) {
+            const trimmed = cidr.trim();
+            if (trimmed.includes(':')) {
+                // Simple exact matching for IPv6
+                this._v6Ranges.push(trimmed);
+            }
+            else {
+                // IPv4 Bitwise compile
+                const parts = trimmed.split('/');
+                const ip = parts[0].trim();
+                const maskBits = parts[1] ? parseInt(parts[1], 10) : 32;
+                try {
+                    const base = this.ipToLong(ip);
+                    const mask = maskBits === 0 ? 0 : (~0 << (32 - maskBits)) >>> 0;
+                    this._v4Ranges.push({ base: (base & mask) >>> 0, mask });
+                }
+                catch {
+                    // Ignore invalid IP strings during parsing
+                }
+            }
+        }
+    }
+    ipToLong(ip) {
+        const parts = ip.split('.');
+        if (parts.length !== 4)
+            throw new Error('Invalid IPv4');
+        return ((parseInt(parts[0], 10) << 24) >>> 0) +
+            ((parseInt(parts[1], 10) << 16) >>> 0) +
+            ((parseInt(parts[2], 10) << 8) >>> 0) +
+            (parseInt(parts[3], 10) >>> 0);
+    }
+    /**
+     * Matches an IP address against compiled ranges.
+     */
+    match(ip) {
+        const cleanIp = ip.trim();
+        if (cleanIp.includes(':')) {
+            return this._v6Ranges.includes(cleanIp);
+        }
+        try {
+            const ipLong = this.ipToLong(cleanIp);
+            const ranges = this._v4Ranges;
+            for (let i = 0; i < ranges.length; i++) {
+                const r = ranges[i];
+                if ((ipLong & r.mask) === r.base) {
+                    return true;
+                }
+            }
+        }
+        catch { }
+        return false;
+    }
+}
+/**
+ * Hyper-performance IP Filtering Middleware.
+ * Rejects requests from unauthorized IPs or subnets in the earliest onRequest hook.
+ */
+export function ipFilter(options) {
+    if (options === false || !options) {
+        return (req, res, next) => next();
+    }
+    const opts = typeof options === 'object' ? options : {};
+    const whitelistMatcher = opts.whitelist ? new IpMatcher(opts.whitelist) : null;
+    const blacklistMatcher = opts.blacklist ? new IpMatcher(opts.blacklist) : null;
+    const handler = opts.handler ?? ((req, res) => {
+        res.status(403).end('Forbidden');
+    });
+    return async (req, res, next) => {
+        const ip = getClientIp(req);
+        let allowed = true;
+        // 1. Whitelist logic: IP MUST match whitelist if whitelist is defined
+        if (whitelistMatcher) {
+            allowed = whitelistMatcher.match(ip);
+        }
+        // 2. Blacklist logic: IP MUST NOT match blacklist if blacklist is defined
+        else if (blacklistMatcher) {
+            allowed = !blacklistMatcher.match(ip);
+        }
+        if (!allowed) {
+            // Abort pipeline immediately
+            const result = handler(req, res);
+            if (result instanceof Promise) {
+                await result;
+            }
+            return;
+        }
+        next();
+    };
+}
+//# sourceMappingURL=ip-filter.js.map

package/dist/modules/ip-filter.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"ip-filter.js","sourceRoot":"","sources":["../../src/modules/ip-filter.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,WAAW,EAAE,MAAM,iBAAiB,CAAC;AAE9C;;;GAGG;AACH,MAAM,OAAO,SAAS;IACH,SAAS,GAA0C,EAAE,CAAC;IACtD,SAAS,GAAa,EAAE,CAAC;IAE1C,YAAY,KAAe;QACzB,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;YACzB,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC;YAC5B,IAAI,OAAO,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;gBAC1B,iCAAiC;gBACjC,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;YAC/B,CAAC;iBAAM,CAAC;gBACN,uBAAuB;gBACvB,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;gBACjC,MAAM,EAAE,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;gBAC3B,MAAM,QAAQ,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;gBAExD,IAAI,CAAC;oBACH,MAAM,IAAI,GAAG,IAAI,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC;oBAC/B,MAAM,IAAI,GAAG,QAAQ,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,EAAE,GAAG,QAAQ,CAAC,CAAC,KAAK,CAAC,CAAC;oBAChE,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,CAAC,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,EAAE,IAAI,EAAE,CAAC,CAAC;gBAC3D,CAAC;gBAAC,MAAM,CAAC;oBACP,2CAA2C;gBAC7C,CAAC;YACH,CAAC;QACH,CAAC;IACH,CAAC;IAEO,QAAQ,CAAC,EAAU;QACzB,MAAM,KAAK,GAAG,EAAE,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QAC5B,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC;YAAE,MAAM,IAAI,KAAK,CAAC,cAAc,CAAC,CAAC;QACxD,OAAO,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,CAAC;YACtC,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,CAAC;YACtC,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,IAAI,CAAC,CAAC,KAAK,CAAC,CAAC;YACrC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,KAAK,CAAC,CAAC,CAAC;IACxC,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,EAAU;QACd,MAAM,OAAO,GAAG,EAAE,CAAC,IAAI,EAAE,CAAC;QAC1B,IAAI,OAAO,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;YAC1B,OAAO,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;QAC1C,CAAC;QAED,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,IAAI,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;YACtC,MAAM,MAAM,GAAG,IAAI,CAAC,SAAS,CAAC;YAC9B,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,MAAM,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;gBACvC,MAAM,CAAC,GAAG,MAAM,CAAC,CAAC,CAAC,CAAC;gBACpB,IAAI,CAAC,MAAM,GAAG,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,IAAI,EAAE,CAAC;oBACjC,OAAO,IAAI,CAAC;gBACd,CAAC;YACH,CAAC;QACH,CAAC;QAAC,MAAM,CAAC,CAAA,CAAC;QAEV,OAAO,KAAK,CAAC;IACf,CAAC;CACF;AAED;;;GAGG;AACH,MAAM,UAAU,QAAQ,CAAC,OAAmC;IAC1D,IAAI,OAAO,KAAK,KAAK,IAAI,CAAC,OAAO,EAAE,CAAC;QAClC,OAAO,CAAC,GAAG,EAAE,GAAG,EAAE,IAAI,EAAE,EAAE,CAAC,IAAI,EAAE,CAAC;IACpC,CAAC;IAED,MAAM,IAAI,GAAG,OAAO,OAAO,KAAK,QAAQ,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,CAAC;IACxD,MAAM,gBAAgB,GAAG,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,IAAI,SAAS,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;IAC/E,MAAM,gBAAgB,GAAG,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,IAAI,SAAS,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;IAC/E,MAAM,OAAO,GAAG,IAAI,CAAC,OAAO,IAAI,CAAC,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE;QAC5C,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,WAAW,CAAC,CAAC;IACnC,CAAC,CAAC,CAAC;IAEH,OAAO,KAAK,EAAE,GAAG,EAAE,GAAG,EAAE,IAAI,EAAE,EAAE;QAC9B,MAAM,EAAE,GAAG,WAAW,CAAC,GAAG,CAAC,CAAC;QAE5B,IAAI,OAAO,GAAG,IAAI,CAAC;QAEnB,sEAAsE;QACtE,IAAI,gBAAgB,EAAE,CAAC;YACrB,OAAO,GAAG,gBAAgB,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;QACvC,CAAC;QACD,0EAA0E;aACrE,IAAI,gBAAgB,EAAE,CAAC;YAC1B,OAAO,GAAG,CAAC,gBAAgB,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;QACxC,CAAC;QAED,IAAI,CAAC,OAAO,EAAE,CAAC;YACb,6BAA6B;YAC7B,MAAM,MAAM,GAAG,OAAO,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC;YACjC,IAAI,MAAM,YAAY,OAAO,EAAE,CAAC;gBAC9B,MAAM,MAAM,CAAC;YACf,CAAC;YACD,OAAO;QACT,CAAC;QAED,IAAI,EAAE,CAAC;IACT,CAAC,CAAC;AACJ,CAAC"}

package/dist/modules/rate-limit.d.ts

@@ -0,0 +1,11 @@
+import type { RateLimitOptions } from '../types/index.js';
+import type { IRequest, Middleware } from '@voltrix/core';
+/**
+ * Standard utility to resolve the client IP address from proxy-aware HTTP headers.
+ */
+export declare function getClientIp(req: IRequest): string;
+/**
+ * Hyper-performance Rate Limiter Middleware.
+ * Restricts request frequency per IP or custom key dynamically.
+ */
+export declare function rateLimit(options?: RateLimitOptions | boolean): Middleware;

package/dist/modules/rate-limit.js

@@ -0,0 +1,58 @@
+import { MemoryStore } from '../store/memory-store.js';
+/**
+ * Standard utility to resolve the client IP address from proxy-aware HTTP headers.
+ */
+export function getClientIp(req) {
+    const xForwardedFor = req.header('x-forwarded-for');
+    if (xForwardedFor) {
+        const first = xForwardedFor.split(',')[0].trim();
+        if (first)
+            return first;
+    }
+    return req.header('x-real-ip') || req.header('cf-connecting-ip') || '127.0.0.1';
+}
+// Share a single global MemoryStore instance by default
+const defaultStore = new MemoryStore();
+/**
+ * Hyper-performance Rate Limiter Middleware.
+ * Restricts request frequency per IP or custom key dynamically.
+ */
+export function rateLimit(options) {
+    if (options === false) {
+        return (req, res, next) => next();
+    }
+    const opts = typeof options === 'object' ? options : {};
+    const windowMs = opts.windowMs ?? 60000;
+    const limit = opts.limit ?? 100;
+    const store = opts.store ?? defaultStore;
+    const keyGenerator = opts.keyGenerator ?? getClientIp;
+    const handler = opts.handler ?? ((req, res) => {
+        res.status(429).json({ error: 'Too Many Requests' });
+    });
+    return async (req, res, next) => {
+        try {
+            const idKey = await keyGenerator(req);
+            const storeKey = `voltrix:security:rate-limit:${idKey}`;
+            const current = await store.increment(storeKey, windowMs);
+            const remaining = Math.max(0, limit - current);
+            const resetTimeSec = Math.ceil((Date.now() + windowMs) / 1000);
+            // Append standard Rate Limit headers
+            res.setHeader('RateLimit-Limit', String(limit));
+            res.setHeader('RateLimit-Remaining', String(remaining));
+            res.setHeader('RateLimit-Reset', String(resetTimeSec));
+            if (current > limit) {
+                // Exceeded limit: invoke handler and abort pipeline
+                const result = handler(req, res);
+                if (result instanceof Promise) {
+                    await result;
+                }
+                return;
+            }
+            next();
+        }
+        catch (err) {
+            next(err);
+        }
+    };
+}
+//# sourceMappingURL=rate-limit.js.map

package/dist/modules/rate-limit.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"rate-limit.js","sourceRoot":"","sources":["../../src/modules/rate-limit.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,WAAW,EAAE,MAAM,0BAA0B,CAAC;AAEvD;;GAEG;AACH,MAAM,UAAU,WAAW,CAAC,GAAa;IACvC,MAAM,aAAa,GAAG,GAAG,CAAC,MAAM,CAAC,iBAAiB,CAAC,CAAC;IACpD,IAAI,aAAa,EAAE,CAAC;QAClB,MAAM,KAAK,GAAG,aAAa,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;QACjD,IAAI,KAAK;YAAE,OAAO,KAAK,CAAC;IAC1B,CAAC;IACD,OAAO,GAAG,CAAC,MAAM,CAAC,WAAW,CAAC,IAAI,GAAG,CAAC,MAAM,CAAC,kBAAkB,CAAC,IAAI,WAAW,CAAC;AAClF,CAAC;AAED,wDAAwD;AACxD,MAAM,YAAY,GAAG,IAAI,WAAW,EAAE,CAAC;AAEvC;;;GAGG;AACH,MAAM,UAAU,SAAS,CAAC,OAAoC;IAC5D,IAAI,OAAO,KAAK,KAAK,EAAE,CAAC;QACtB,OAAO,CAAC,GAAG,EAAE,GAAG,EAAE,IAAI,EAAE,EAAE,CAAC,IAAI,EAAE,CAAC;IACpC,CAAC;IAED,MAAM,IAAI,GAAG,OAAO,OAAO,KAAK,QAAQ,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,CAAC;IACxD,MAAM,QAAQ,GAAG,IAAI,CAAC,QAAQ,IAAI,KAAK,CAAC;IACxC,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,IAAI,GAAG,CAAC;IAChC,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,IAAI,YAAY,CAAC;IACzC,MAAM,YAAY,GAAG,IAAI,CAAC,YAAY,IAAI,WAAW,CAAC;IACtD,MAAM,OAAO,GAAG,IAAI,CAAC,OAAO,IAAI,CAAC,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE;QAC5C,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,mBAAmB,EAAE,CAAC,CAAC;IACvD,CAAC,CAAC,CAAC;IAEH,OAAO,KAAK,EAAE,GAAG,EAAE,GAAG,EAAE,IAAI,EAAE,EAAE;QAC9B,IAAI,CAAC;YACH,MAAM,KAAK,GAAG,MAAM,YAAY,CAAC,GAAG,CAAC,CAAC;YACtC,MAAM,QAAQ,GAAG,+BAA+B,KAAK,EAAE,CAAC;YAExD,MAAM,OAAO,GAAG,MAAM,KAAK,CAAC,SAAS,CAAC,QAAQ,EAAE,QAAQ,CAAC,CAAC;YAC1D,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,KAAK,GAAG,OAAO,CAAC,CAAC;YAC/C,MAAM,YAAY,GAAG,IAAI,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,QAAQ,CAAC,GAAG,IAAI,CAAC,CAAC;YAE/D,qCAAqC;YACrC,GAAG,CAAC,SAAS,CAAC,iBAAiB,EAAE,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC;YAChD,GAAG,CAAC,SAAS,CAAC,qBAAqB,EAAE,MAAM,CAAC,SAAS,CAAC,CAAC,CAAC;YACxD,GAAG,CAAC,SAAS,CAAC,iBAAiB,EAAE,MAAM,CAAC,YAAY,CAAC,CAAC,CAAC;YAEvD,IAAI,OAAO,GAAG,KAAK,EAAE,CAAC;gBACpB,oDAAoD;gBACpD,MAAM,MAAM,GAAG,OAAO,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC;gBACjC,IAAI,MAAM,YAAY,OAAO,EAAE,CAAC;oBAC9B,MAAM,MAAM,CAAC;gBACf,CAAC;gBACD,OAAO;YACT,CAAC;YAED,IAAI,EAAE,CAAC;QACT,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,IAAI,CAAC,GAAG,CAAC,CAAC;QACZ,CAAC;IACH,CAAC,CAAC;AACJ,CAAC"}

package/dist/modules/session.d.ts

@@ -0,0 +1,16 @@
+import type { SessionOptions } from '../types/index.js';
+import type { Middleware } from '@voltrix/core';
+/**
+ * AES-256-GCM Authenticated Encryption helper.
+ */
+export declare function encrypt(plainText: string, key: Buffer): string;
+/**
+ * AES-256-GCM Authenticated Decryption helper.
+ * Strictly checks integrity tags to prevent tamper/oracle attacks.
+ */
+export declare function decrypt(cipherText: string, key: Buffer): string | null;
+/**
+ * High-performance Secure Session Middleware.
+ * Supports stateless encrypted cookies (AES-256-GCM) and stateful shared session stores.
+ */
+export declare function session(options: SessionOptions): Middleware;

package/dist/modules/session.js

@@ -0,0 +1,157 @@
+import { createHash, randomBytes, createCipheriv, createDecipheriv } from 'node:crypto';
+import { parseCookies, serializeCookie } from './csrf.js';
+/**
+ * Derives a robust 32-byte cryptographic key from any string using SHA-256.
+ */
+function deriveKey(secret) {
+    return createHash('sha256').update(secret).digest();
+}
+/**
+ * AES-256-GCM Authenticated Encryption helper.
+ */
+export function encrypt(plainText, key) {
+    const iv = randomBytes(12);
+    const cipher = createCipheriv('aes-256-gcm', key, iv);
+    let encrypted = cipher.update(plainText, 'utf8', 'hex');
+    encrypted += cipher.final('hex');
+    const tag = cipher.getAuthTag();
+    return `${iv.toString('hex')}:${encrypted}:${tag.toString('hex')}`;
+}
+/**
+ * AES-256-GCM Authenticated Decryption helper.
+ * Strictly checks integrity tags to prevent tamper/oracle attacks.
+ */
+export function decrypt(cipherText, key) {
+    try {
+        const parts = cipherText.split(':');
+        if (parts.length !== 3)
+            return null;
+        const iv = Buffer.from(parts[0], 'hex');
+        const encrypted = parts[1];
+        const tag = Buffer.from(parts[2], 'hex');
+        const decipher = createDecipheriv('aes-256-gcm', key, iv);
+        decipher.setAuthTag(tag);
+        let decrypted = decipher.update(encrypted, 'hex', 'utf8');
+        decrypted += decipher.final('utf8');
+        return decrypted;
+    }
+    catch (err) {
+        // Return null on decryption/integrity failures
+        return null;
+    }
+}
+/**
+ * High-performance Secure Session Middleware.
+ * Supports stateless encrypted cookies (AES-256-GCM) and stateful shared session stores.
+ */
+export function session(options) {
+    if (!options || !options.secret) {
+        throw new Error('[@voltrix/security] Session secret is required');
+    }
+    const key = deriveKey(options.secret);
+    const cookieName = options.cookieName ?? 'voltrix_session';
+    const ttlMs = options.ttlMs ?? 86400000; // 24h
+    const store = options.store;
+    const cookieOpts = options.cookieOptions ?? {
+        path: '/',
+        secure: false, // Default false, developers toggle true in production
+        httpOnly: true, // Prevents XSS script execution reads
+        sameSite: 'Lax'
+    };
+    return async (req, res, next) => {
+        const cookies = parseCookies(req.header('cookie'));
+        const sessionCookie = cookies[cookieName];
+        let sessionData = {};
+        let sessionId = null;
+        let originalSessionJson = '{}';
+        try {
+            if (sessionCookie) {
+                if (store) {
+                    // Stateful Store Mode: sessionCookie holds the encrypted sessionId
+                    const decryptedId = decrypt(sessionCookie, key);
+                    if (decryptedId) {
+                        sessionId = decryptedId;
+                        const dataStr = await store.get(`voltrix:security:session:${sessionId}`);
+                        if (dataStr) {
+                            sessionData = JSON.parse(dataStr);
+                            originalSessionJson = dataStr;
+                        }
+                    }
+                }
+                else {
+                    // Stateless Cookie Mode: sessionCookie holds the encrypted session payload
+                    const decryptedData = decrypt(sessionCookie, key);
+                    if (decryptedData) {
+                        sessionData = JSON.parse(decryptedData);
+                        originalSessionJson = decryptedData;
+                    }
+                }
+            }
+        }
+        catch {
+            sessionData = {};
+        }
+        // Initialize session ID if not set (for store mode)
+        if (store && !sessionId) {
+            sessionId = randomBytes(24).toString('base64url');
+        }
+        // Attach session container to the request context
+        if (!req.context)
+            req.context = {};
+        req.context.session = sessionData;
+        // Hijack response flushing methods to automatically serialize and save the session if it changed
+        let isSaved = false;
+        const saveSessionSync = () => {
+            if (isSaved)
+                return;
+            isSaved = true;
+            try {
+                const currentSessionJson = JSON.stringify(req.context.session ?? {});
+                // Save only if session data was modified to eliminate redundant writes
+                if (currentSessionJson !== originalSessionJson) {
+                    if (store && sessionId) {
+                        // Stateful Save (Fire-and-forget in the background to ensure zero latency on network flushes)
+                        store.set(`voltrix:security:session:${sessionId}`, currentSessionJson, ttlMs).catch(() => { });
+                        const encryptedCookie = encrypt(sessionId, key);
+                        res.setHeader('Set-Cookie', serializeCookie(cookieName, encryptedCookie, {
+                            ...cookieOpts,
+                            maxAge: Math.floor(ttlMs / 1000)
+                        }));
+                    }
+                    else {
+                        // Stateless Save (purely synchronous GCM encryption)
+                        const encryptedCookie = encrypt(currentSessionJson, key);
+                        res.setHeader('Set-Cookie', serializeCookie(cookieName, encryptedCookie, {
+                            ...cookieOpts,
+                            maxAge: Math.floor(ttlMs / 1000)
+                        }));
+                    }
+                }
+            }
+            catch (err) {
+                // Suppress session saving crashes
+            }
+        };
+        const originalEnd = res.end;
+        res.end = function (chunk) {
+            saveSessionSync();
+            originalEnd.call(this, chunk);
+        };
+        if (res.json) {
+            const originalJson = res.json;
+            res.json = function (data, ...args) {
+                saveSessionSync();
+                originalJson.apply(this, [data, ...args]);
+            };
+        }
+        if (res.send) {
+            const originalSend = res.send;
+            res.send = function (body, ...args) {
+                saveSessionSync();
+                originalSend.apply(this, [body, ...args]);
+            };
+        }
+        next();
+    };
+}
+//# sourceMappingURL=session.js.map

package/dist/modules/session.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"session.js","sourceRoot":"","sources":["../../src/modules/session.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,WAAW,EAAE,cAAc,EAAE,gBAAgB,EAAE,MAAM,aAAa,CAAC;AAGxF,OAAO,EAAE,YAAY,EAAE,eAAe,EAAE,MAAM,WAAW,CAAC;AAE1D;;GAEG;AACH,SAAS,SAAS,CAAC,MAAc;IAC/B,OAAO,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,MAAM,EAAE,CAAC;AACtD,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,OAAO,CAAC,SAAiB,EAAE,GAAW;IACpD,MAAM,EAAE,GAAG,WAAW,CAAC,EAAE,CAAC,CAAC;IAC3B,MAAM,MAAM,GAAG,cAAc,CAAC,aAAa,EAAE,GAAG,EAAE,EAAE,CAAC,CAAC;IAEtD,IAAI,SAAS,GAAG,MAAM,CAAC,MAAM,CAAC,SAAS,EAAE,MAAM,EAAE,KAAK,CAAC,CAAC;IACxD,SAAS,IAAI,MAAM,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;IAEjC,MAAM,GAAG,GAAG,MAAM,CAAC,UAAU,EAAE,CAAC;IAEhC,OAAO,GAAG,EAAE,CAAC,QAAQ,CAAC,KAAK,CAAC,IAAI,SAAS,IAAI,GAAG,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE,CAAC;AACrE,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,OAAO,CAAC,UAAkB,EAAE,GAAW;IACrD,IAAI,CAAC;QACH,MAAM,KAAK,GAAG,UAAU,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QACpC,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC;YAAE,OAAO,IAAI,CAAC;QAEpC,MAAM,EAAE,GAAG,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,KAAK,CAAC,CAAC;QACxC,MAAM,SAAS,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;QAC3B,MAAM,GAAG,GAAG,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,KAAK,CAAC,CAAC;QAEzC,MAAM,QAAQ,GAAG,gBAAgB,CAAC,aAAa,EAAE,GAAG,EAAE,EAAE,CAAC,CAAC;QAC1D,QAAQ,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC;QAEzB,IAAI,SAAS,GAAG,QAAQ,CAAC,MAAM,CAAC,SAAS,EAAE,KAAK,EAAE,MAAM,CAAC,CAAC;QAC1D,SAAS,IAAI,QAAQ,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;QAEpC,OAAO,SAAS,CAAC;IACnB,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,+CAA+C;QAC/C,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,OAAO,CAAC,OAAuB;IAC7C,IAAI,CAAC,OAAO,IAAI,CAAC,OAAO,CAAC,MAAM,EAAE,CAAC;QAChC,MAAM,IAAI,KAAK,CAAC,gDAAgD,CAAC,CAAC;IACpE,CAAC;IAED,MAAM,GAAG,GAAG,SAAS,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;IACtC,MAAM,UAAU,GAAG,OAAO,CAAC,UAAU,IAAI,iBAAiB,CAAC;IAC3D,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,IAAI,QAAQ,CAAC,CAAC,MAAM;IAC/C,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC;IAC5B,MAAM,UAAU,GAAG,OAAO,CAAC,aAAa,IAAI;QAC1C,IAAI,EAAE,GAAG;QACT,MAAM,EAAE,KAAK,EAAE,sDAAsD;QACrE,QAAQ,EAAE,IAAI,EAAE,sCAAsC;QACtD,QAAQ,EAAE,KAAK;KAChB,CAAC;IAEF,OAAO,KAAK,EAAE,GAAG,EAAE,GAAG,EAAE,IAAI,EAAE,EAAE;QAC9B,MAAM,OAAO,GAAG,YAAY,CAAC,GAAG,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC;QACnD,MAAM,aAAa,GAAG,OAAO,CAAC,UAAU,CAAC,CAAC;QAE1C,IAAI,WAAW,GAAwB,EAAE,CAAC;QAC1C,IAAI,SAAS,GAAkB,IAAI,CAAC;QACpC,IAAI,mBAAmB,GAAG,IAAI,CAAC;QAE/B,IAAI,CAAC;YACH,IAAI,aAAa,EAAE,CAAC;gBAClB,IAAI,KAAK,EAAE,CAAC;oBACV,mEAAmE;oBACnE,MAAM,WAAW,GAAG,OAAO,CAAC,aAAa,EAAE,GAAG,CAAC,CAAC;oBAChD,IAAI,WAAW,EAAE,CAAC;wBAChB,SAAS,GAAG,WAAW,CAAC;wBACxB,MAAM,OAAO,GAAG,MAAM,KAAK,CAAC,GAAG,CAAC,4BAA4B,SAAS,EAAE,CAAC,CAAC;wBACzE,IAAI,OAAO,EAAE,CAAC;4BACZ,WAAW,GAAG,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;4BAClC,mBAAmB,GAAG,OAAO,CAAC;wBAChC,CAAC;oBACH,CAAC;gBACH,CAAC;qBAAM,CAAC;oBACN,2EAA2E;oBAC3E,MAAM,aAAa,GAAG,OAAO,CAAC,aAAa,EAAE,GAAG,CAAC,CAAC;oBAClD,IAAI,aAAa,EAAE,CAAC;wBAClB,WAAW,GAAG,IAAI,CAAC,KAAK,CAAC,aAAa,CAAC,CAAC;wBACxC,mBAAmB,GAAG,aAAa,CAAC;oBACtC,CAAC;gBACH,CAAC;YACH,CAAC;QACH,CAAC;QAAC,MAAM,CAAC;YACP,WAAW,GAAG,EAAE,CAAC;QACnB,CAAC;QAED,oDAAoD;QACpD,IAAI,KAAK,IAAI,CAAC,SAAS,EAAE,CAAC;YACxB,SAAS,GAAG,WAAW,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;QACpD,CAAC;QAED,kDAAkD;QAClD,IAAI,CAAC,GAAG,CAAC,OAAO;YAAE,GAAG,CAAC,OAAO,GAAG,EAAE,CAAC;QACnC,GAAG,CAAC,OAAO,CAAC,OAAO,GAAG,WAAW,CAAC;QAElC,iGAAiG;QACjG,IAAI,OAAO,GAAG,KAAK,CAAC;QACpB,MAAM,eAAe,GAAG,GAAG,EAAE;YAC3B,IAAI,OAAO;gBAAE,OAAO;YACpB,OAAO,GAAG,IAAI,CAAC;YACf,IAAI,CAAC;gBACH,MAAM,kBAAkB,GAAG,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,OAAO,CAAC,OAAO,IAAI,EAAE,CAAC,CAAC;gBAErE,uEAAuE;gBACvE,IAAI,kBAAkB,KAAK,mBAAmB,EAAE,CAAC;oBAC/C,IAAI,KAAK,IAAI,SAAS,EAAE,CAAC;wBACvB,8FAA8F;wBAC9F,KAAK,CAAC,GAAG,CAAC,4BAA4B,SAAS,EAAE,EAAE,kBAAkB,EAAE,KAAK,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE,GAAE,CAAC,CAAC,CAAC;wBAE9F,MAAM,eAAe,GAAG,OAAO,CAAC,SAAS,EAAE,GAAG,CAAC,CAAC;wBAChD,GAAG,CAAC,SAAS,CAAC,YAAY,EAAE,eAAe,CAAC,UAAU,EAAE,eAAe,EAAE;4BACvE,GAAG,UAAU;4BACb,MAAM,EAAE,IAAI,CAAC,KAAK,CAAC,KAAK,GAAG,IAAI,CAAC;yBACjC,CAAC,CAAC,CAAC;oBACN,CAAC;yBAAM,CAAC;wBACN,qDAAqD;wBACrD,MAAM,eAAe,GAAG,OAAO,CAAC,kBAAkB,EAAE,GAAG,CAAC,CAAC;wBACzD,GAAG,CAAC,SAAS,CAAC,YAAY,EAAE,eAAe,CAAC,UAAU,EAAE,eAAe,EAAE;4BACvE,GAAG,UAAU;4BACb,MAAM,EAAE,IAAI,CAAC,KAAK,CAAC,KAAK,GAAG,IAAI,CAAC;yBACjC,CAAC,CAAC,CAAC;oBACN,CAAC;gBACH,CAAC;YACH,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACb,kCAAkC;YACpC,CAAC;QACH,CAAC,CAAC;QAEF,MAAM,WAAW,GAAG,GAAG,CAAC,GAAG,CAAC;QAC5B,GAAG,CAAC,GAAG,GAAG,UAAqB,KAAW;YACxC,eAAe,EAAE,CAAC;YAClB,WAAW,CAAC,IAAI,CAAC,IAAI,EAAE,KAAK,CAAC,CAAC;QAChC,CAAC,CAAC;QAEF,IAAI,GAAG,CAAC,IAAI,EAAE,CAAC;YACb,MAAM,YAAY,GAAG,GAAG,CAAC,IAAI,CAAC;YAC9B,GAAG,CAAC,IAAI,GAAG,UAAqB,IAAS,EAAE,GAAG,IAAW;gBACvD,eAAe,EAAE,CAAC;gBACjB,YAAoB,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC,IAAI,EAAE,GAAG,IAAI,CAAC,CAAC,CAAC;YACrD,CAAC,CAAC;QACJ,CAAC;QAED,IAAI,GAAG,CAAC,IAAI,EAAE,CAAC;YACb,MAAM,YAAY,GAAG,GAAG,CAAC,IAAI,CAAC;YAC9B,GAAG,CAAC,IAAI,GAAG,UAAqB,IAAS,EAAE,GAAG,IAAW;gBACvD,eAAe,EAAE,CAAC;gBACjB,YAAoB,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC,IAAI,EAAE,GAAG,IAAI,CAAC,CAAC,CAAC;YACrD,CAAC,CAAC;QACJ,CAAC;QAED,IAAI,EAAE,CAAC;IACT,CAAC,CAAC;AACJ,CAAC"}

package/dist/store/index.d.ts

@@ -0,0 +1,3 @@
+export { SecurityStore } from '../types/index.js';
+export * from './memory-store.js';
+export * from './redis-store.js';

package/dist/store/index.js

@@ -0,0 +1,3 @@
+export * from './memory-store.js';
+export * from './redis-store.js';
+//# sourceMappingURL=index.js.map

package/dist/store/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/store/index.ts"],"names":[],"mappings":"AACA,cAAc,mBAAmB,CAAC;AAClC,cAAc,kBAAkB,CAAC"}

package/dist/store/memory-store.d.ts

@@ -0,0 +1,23 @@
+import type { SecurityStore } from '../types/index.js';
+/**
+ * Zero-allocation, high-performance in-memory cache store.
+ * Incorporates a lazy-evaluation expiration check and background sweeps.
+ */
+export declare class MemoryStore implements SecurityStore {
+    private readonly _map;
+    private readonly _sweepInterval;
+    constructor(sweepMs?: number);
+    get(key: string): Promise<string | null>;
+    set(key: string, value: string, ttlMs: number): Promise<void>;
+    increment(key: string, ttlMs: number): Promise<number>;
+    decrement(key: string): Promise<void>;
+    delete(key: string): Promise<void>;
+    /**
+     * Sweeps expired cache entries out of memory to prevent heap leaks.
+     */
+    sweep(): void;
+    /**
+     * Clean up background resources.
+     */
+    close(): void;
+}

package/dist/store/memory-store.js

@@ -0,0 +1,75 @@
+/**
+ * Zero-allocation, high-performance in-memory cache store.
+ * Incorporates a lazy-evaluation expiration check and background sweeps.
+ */
+export class MemoryStore {
+    _map = new Map();
+    _sweepInterval = null;
+    constructor(sweepMs = 30000) {
+        this._sweepInterval = setInterval(() => this.sweep(), sweepMs);
+        // Unref the timer so it doesn't prevent Node.js process from exiting cleanly
+        if (this._sweepInterval && typeof this._sweepInterval.unref === 'function') {
+            this._sweepInterval.unref();
+        }
+    }
+    async get(key) {
+        const entry = this._map.get(key);
+        if (!entry)
+            return null;
+        if (Date.now() > entry.expiresAt) {
+            this._map.delete(key);
+            return null;
+        }
+        return entry.value;
+    }
+    async set(key, value, ttlMs) {
+        this._map.set(key, {
+            value,
+            expiresAt: Date.now() + ttlMs
+        });
+    }
+    async increment(key, ttlMs) {
+        const now = Date.now();
+        const entry = this._map.get(key);
+        if (!entry || now > entry.expiresAt) {
+            this._map.set(key, {
+                value: '1',
+                expiresAt: now + ttlMs
+            });
+            return 1;
+        }
+        const val = parseInt(entry.value, 10) + 1;
+        entry.value = String(val);
+        return val;
+    }
+    async decrement(key) {
+        const entry = this._map.get(key);
+        if (!entry || Date.now() > entry.expiresAt)
+            return;
+        const val = parseInt(entry.value, 10) - 1;
+        entry.value = String(val);
+    }
+    async delete(key) {
+        this._map.delete(key);
+    }
+    /**
+     * Sweeps expired cache entries out of memory to prevent heap leaks.
+     */
+    sweep() {
+        const now = Date.now();
+        for (const [key, entry] of this._map.entries()) {
+            if (now > entry.expiresAt) {
+                this._map.delete(key);
+            }
+        }
+    }
+    /**
+     * Clean up background resources.
+     */
+    close() {
+        if (this._sweepInterval) {
+            clearInterval(this._sweepInterval);
+        }
+    }
+}
+//# sourceMappingURL=memory-store.js.map

package/dist/store/memory-store.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"memory-store.js","sourceRoot":"","sources":["../../src/store/memory-store.ts"],"names":[],"mappings":"AAEA;;;GAGG;AACH,MAAM,OAAO,WAAW;IACL,IAAI,GAAG,IAAI,GAAG,EAAgD,CAAC;IAC/D,cAAc,GAA0B,IAAI,CAAC;IAE9D,YAAY,OAAO,GAAG,KAAK;QACzB,IAAI,CAAC,cAAc,GAAG,WAAW,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,KAAK,EAAE,EAAE,OAAO,CAAC,CAAC;QAC/D,6EAA6E;QAC7E,IAAI,IAAI,CAAC,cAAc,IAAI,OAAO,IAAI,CAAC,cAAc,CAAC,KAAK,KAAK,UAAU,EAAE,CAAC;YAC3E,IAAI,CAAC,cAAc,CAAC,KAAK,EAAE,CAAC;QAC9B,CAAC;IACH,CAAC;IAED,KAAK,CAAC,GAAG,CAAC,GAAW;QACnB,MAAM,KAAK,GAAG,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;QACjC,IAAI,CAAC,KAAK;YAAE,OAAO,IAAI,CAAC;QACxB,IAAI,IAAI,CAAC,GAAG,EAAE,GAAG,KAAK,CAAC,SAAS,EAAE,CAAC;YACjC,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;YACtB,OAAO,IAAI,CAAC;QACd,CAAC;QACD,OAAO,KAAK,CAAC,KAAK,CAAC;IACrB,CAAC;IAED,KAAK,CAAC,GAAG,CAAC,GAAW,EAAE,KAAa,EAAE,KAAa;QACjD,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,GAAG,EAAE;YACjB,KAAK;YACL,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,KAAK;SAC9B,CAAC,CAAC;IACL,CAAC;IAED,KAAK,CAAC,SAAS,CAAC,GAAW,EAAE,KAAa;QACxC,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QACvB,MAAM,KAAK,GAAG,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;QAEjC,IAAI,CAAC,KAAK,IAAI,GAAG,GAAG,KAAK,CAAC,SAAS,EAAE,CAAC;YACpC,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,GAAG,EAAE;gBACjB,KAAK,EAAE,GAAG;gBACV,SAAS,EAAE,GAAG,GAAG,KAAK;aACvB,CAAC,CAAC;YACH,OAAO,CAAC,CAAC;QACX,CAAC;QAED,MAAM,GAAG,GAAG,QAAQ,CAAC,KAAK,CAAC,KAAK,EAAE,EAAE,CAAC,GAAG,CAAC,CAAC;QAC1C,KAAK,CAAC,KAAK,GAAG,MAAM,CAAC,GAAG,CAAC,CAAC;QAC1B,OAAO,GAAG,CAAC;IACb,CAAC;IAED,KAAK,CAAC,SAAS,CAAC,GAAW;QACzB,MAAM,KAAK,GAAG,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;QACjC,IAAI,CAAC,KAAK,IAAI,IAAI,CAAC,GAAG,EAAE,GAAG,KAAK,CAAC,SAAS;YAAE,OAAO;QACnD,MAAM,GAAG,GAAG,QAAQ,CAAC,KAAK,CAAC,KAAK,EAAE,EAAE,CAAC,GAAG,CAAC,CAAC;QAC1C,KAAK,CAAC,KAAK,GAAG,MAAM,CAAC,GAAG,CAAC,CAAC;IAC5B,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,GAAW;QACtB,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;IACxB,CAAC;IAED;;OAEG;IACH,KAAK;QACH,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QACvB,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,EAAE,CAAC;YAC/C,IAAI,GAAG,GAAG,KAAK,CAAC,SAAS,EAAE,CAAC;gBAC1B,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;YACxB,CAAC;QACH,CAAC;IACH,CAAC;IAED;;OAEG;IACH,KAAK;QACH,IAAI,IAAI,CAAC,cAAc,EAAE,CAAC;YACxB,aAAa,CAAC,IAAI,CAAC,cAAc,CAAC,CAAC;QACrC,CAAC;IACH,CAAC;CACF"}

package/dist/store/redis-store.d.ts

@@ -0,0 +1,20 @@
+import { Redis, type RedisOptions } from 'ioredis';
+import type { SecurityStore } from '../types/index.js';
+/**
+ * High-performance, distributed cache store utilizing Redis.
+ * Employs a custom atomic Lua script for sliding-window rate limiting increments.
+ */
+export declare class RedisStore implements SecurityStore {
+    readonly redis: Redis;
+    private readonly _ownConnection;
+    constructor(redisClient: RedisOptions | Redis);
+    get(key: string): Promise<string | null>;
+    set(key: string, value: string, ttlMs: number): Promise<void>;
+    increment(key: string, ttlMs: number): Promise<number>;
+    decrement(key: string): Promise<void>;
+    delete(key: string): Promise<void>;
+    /**
+     * Close connections if this store initialized its own Redis client.
+     */
+    close(): Promise<void>;
+}

package/dist/store/redis-store.js

@@ -0,0 +1,55 @@
+import { Redis } from 'ioredis';
+/**
+ * High-performance, distributed cache store utilizing Redis.
+ * Employs a custom atomic Lua script for sliding-window rate limiting increments.
+ */
+export class RedisStore {
+    redis;
+    _ownConnection = false;
+    constructor(redisClient) {
+        if (redisClient instanceof Redis) {
+            this.redis = redisClient;
+            this._ownConnection = false;
+        }
+        else {
+            this.redis = new Redis(redisClient);
+            this._ownConnection = true;
+        }
+        // Register atomic Lua script for rate limiter increments
+        this.redis.defineCommand('voltrixSecurityIncrement', {
+            numberOfKeys: 1,
+            lua: `
+        local current = redis.call('INCR', KEYS[1])
+        if current == 1 then
+            redis.call('PEXPIRE', KEYS[1], ARGV[1])
+        end
+        return current
+      `
+        });
+    }
+    async get(key) {
+        return this.redis.get(key);
+    }
+    async set(key, value, ttlMs) {
+        await this.redis.set(key, value, 'PX', ttlMs);
+    }
+    async increment(key, ttlMs) {
+        // Invoke the custom registered atomic Lua command
+        return this.redis.voltrixSecurityIncrement(key, String(ttlMs));
+    }
+    async decrement(key) {
+        await this.redis.decr(key);
+    }
+    async delete(key) {
+        await this.redis.del(key);
+    }
+    /**
+     * Close connections if this store initialized its own Redis client.
+     */
+    async close() {
+        if (this._ownConnection) {
+            await this.redis.quit();
+        }
+    }
+}
+//# sourceMappingURL=redis-store.js.map

package/dist/store/redis-store.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"redis-store.js","sourceRoot":"","sources":["../../src/store/redis-store.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,KAAK,EAAqB,MAAM,SAAS,CAAC;AAGnD;;;GAGG;AACH,MAAM,OAAO,UAAU;IACL,KAAK,CAAQ;IACZ,cAAc,GAAY,KAAK,CAAC;IAEjD,YAAY,WAAiC;QAC3C,IAAI,WAAW,YAAY,KAAK,EAAE,CAAC;YACjC,IAAI,CAAC,KAAK,GAAG,WAAW,CAAC;YACzB,IAAI,CAAC,cAAc,GAAG,KAAK,CAAC;QAC9B,CAAC;aAAM,CAAC;YACN,IAAI,CAAC,KAAK,GAAG,IAAI,KAAK,CAAC,WAA2B,CAAC,CAAC;YACpD,IAAI,CAAC,cAAc,GAAG,IAAI,CAAC;QAC7B,CAAC;QAED,yDAAyD;QACzD,IAAI,CAAC,KAAK,CAAC,aAAa,CAAC,0BAA0B,EAAE;YACnD,YAAY,EAAE,CAAC;YACf,GAAG,EAAE;;;;;;OAMJ;SACF,CAAC,CAAC;IACL,CAAC;IAED,KAAK,CAAC,GAAG,CAAC,GAAW;QACnB,OAAO,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;IAC7B,CAAC;IAED,KAAK,CAAC,GAAG,CAAC,GAAW,EAAE,KAAa,EAAE,KAAa;QACjD,MAAM,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,GAAG,EAAE,KAAK,EAAE,IAAI,EAAE,KAAK,CAAC,CAAC;IAChD,CAAC;IAED,KAAK,CAAC,SAAS,CAAC,GAAW,EAAE,KAAa;QACxC,kDAAkD;QAClD,OAAQ,IAAI,CAAC,KAAa,CAAC,wBAAwB,CAAC,GAAG,EAAE,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC;IAC1E,CAAC;IAED,KAAK,CAAC,SAAS,CAAC,GAAW;QACzB,MAAM,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IAC7B,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,GAAW;QACtB,MAAM,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;IAC5B,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,KAAK;QACT,IAAI,IAAI,CAAC,cAAc,EAAE,CAAC;YACxB,MAAM,IAAI,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC;QAC1B,CAAC;IACH,CAAC;CACF"}