@vorionsys/platform-core 0.1.0

package/dist/common/config.d.ts

@@ -0,0 +1,2053 @@
+/**
+ * Configuration management for Vorion
+ */
+import { z } from 'zod';
+/**
+ * Environment configuration schema
+ */
+declare const configSchema: z.ZodEffects<z.ZodObject<{
+    env: z.ZodDefault<z.ZodEnum<["development", "staging", "production"]>>;
+    logLevel: z.ZodDefault<z.ZodEnum<["debug", "info", "warn", "error"]>>;
+    app: z.ZodObject<{
+        name: z.ZodDefault<z.ZodString>;
+        version: z.ZodDefault<z.ZodString>;
+        environment: z.ZodDefault<z.ZodString>;
+    }, "strip", z.ZodTypeAny, {
+        version?: string;
+        name?: string;
+        environment?: string;
+    }, {
+        version?: string;
+        name?: string;
+        environment?: string;
+    }>;
+    telemetry: z.ZodObject<{
+        enabled: z.ZodDefault<z.ZodBoolean>;
+        serviceName: z.ZodDefault<z.ZodString>;
+        otlpEndpoint: z.ZodDefault<z.ZodString>;
+        otlpHeaders: z.ZodDefault<z.ZodRecord<z.ZodString, z.ZodString>>;
+        sampleRate: z.ZodDefault<z.ZodNumber>;
+    }, "strip", z.ZodTypeAny, {
+        enabled?: boolean;
+        serviceName?: string;
+        otlpEndpoint?: string;
+        otlpHeaders?: Record<string, string>;
+        sampleRate?: number;
+    }, {
+        enabled?: boolean;
+        serviceName?: string;
+        otlpEndpoint?: string;
+        otlpHeaders?: Record<string, string>;
+        sampleRate?: number;
+    }>;
+    api: z.ZodObject<{
+        port: z.ZodDefault<z.ZodNumber>;
+        host: z.ZodDefault<z.ZodString>;
+        basePath: z.ZodDefault<z.ZodString>;
+        timeout: z.ZodDefault<z.ZodNumber>;
+        rateLimit: z.ZodDefault<z.ZodNumber>;
+        /** Separate rate limit for bulk operations (default: 10 requests per minute) */
+        bulkRateLimit: z.ZodDefault<z.ZodNumber>;
+    }, "strip", z.ZodTypeAny, {
+        timeout?: number;
+        port?: number;
+        host?: string;
+        basePath?: string;
+        rateLimit?: number;
+        bulkRateLimit?: number;
+    }, {
+        timeout?: number;
+        port?: number;
+        host?: string;
+        basePath?: string;
+        rateLimit?: number;
+        bulkRateLimit?: number;
+    }>;
+    cors: z.ZodDefault<z.ZodObject<{
+        /** Allowed origins for CORS (used in non-production environments) */
+        allowedOrigins: z.ZodDefault<z.ZodArray<z.ZodString, "many">>;
+    }, "strip", z.ZodTypeAny, {
+        allowedOrigins?: string[];
+    }, {
+        allowedOrigins?: string[];
+    }>>;
+    health: z.ZodObject<{
+        checkTimeoutMs: z.ZodDefault<z.ZodNumber>;
+        readyTimeoutMs: z.ZodDefault<z.ZodNumber>;
+        livenessTimeoutMs: z.ZodDefault<z.ZodNumber>;
+    }, "strip", z.ZodTypeAny, {
+        checkTimeoutMs?: number;
+        readyTimeoutMs?: number;
+        livenessTimeoutMs?: number;
+    }, {
+        checkTimeoutMs?: number;
+        readyTimeoutMs?: number;
+        livenessTimeoutMs?: number;
+    }>;
+    database: z.ZodObject<{
+        host: z.ZodDefault<z.ZodString>;
+        port: z.ZodDefault<z.ZodNumber>;
+        name: z.ZodDefault<z.ZodString>;
+        user: z.ZodDefault<z.ZodString>;
+        password: z.ZodDefault<z.ZodString>;
+        poolMin: z.ZodDefault<z.ZodNumber>;
+        poolMax: z.ZodDefault<z.ZodNumber>;
+        poolIdleTimeoutMs: z.ZodDefault<z.ZodNumber>;
+        poolConnectionTimeoutMs: z.ZodDefault<z.ZodNumber>;
+        metricsIntervalMs: z.ZodDefault<z.ZodNumber>;
+        /**
+         * Default statement timeout for database queries in milliseconds.
+         * Queries exceeding this timeout will be cancelled by PostgreSQL.
+         * Default: 30000 (30 seconds)
+         */
+        statementTimeoutMs: z.ZodDefault<z.ZodNumber>;
+        /**
+         * Extended timeout for long-running queries (reports, exports) in milliseconds.
+         * Default: 120000 (2 minutes)
+         */
+        longQueryTimeoutMs: z.ZodDefault<z.ZodNumber>;
+    }, "strip", z.ZodTypeAny, {
+        user?: string;
+        password?: string;
+        name?: string;
+        port?: number;
+        host?: string;
+        poolMin?: number;
+        poolMax?: number;
+        poolIdleTimeoutMs?: number;
+        poolConnectionTimeoutMs?: number;
+        metricsIntervalMs?: number;
+        statementTimeoutMs?: number;
+        longQueryTimeoutMs?: number;
+    }, {
+        user?: string;
+        password?: string;
+        name?: string;
+        port?: number;
+        host?: string;
+        poolMin?: number;
+        poolMax?: number;
+        poolIdleTimeoutMs?: number;
+        poolConnectionTimeoutMs?: number;
+        metricsIntervalMs?: number;
+        statementTimeoutMs?: number;
+        longQueryTimeoutMs?: number;
+    }>;
+    redis: z.ZodObject<{
+        host: z.ZodDefault<z.ZodString>;
+        port: z.ZodDefault<z.ZodNumber>;
+        password: z.ZodOptional<z.ZodString>;
+        db: z.ZodDefault<z.ZodNumber>;
+    }, "strip", z.ZodTypeAny, {
+        password?: string;
+        port?: number;
+        host?: string;
+        db?: number;
+    }, {
+        password?: string;
+        port?: number;
+        host?: string;
+        db?: number;
+    }>;
+    jwt: z.ZodEffects<z.ZodObject<{
+        secret: z.ZodString;
+        expiration: z.ZodDefault<z.ZodString>;
+        refreshExpiration: z.ZodDefault<z.ZodString>;
+        requireJti: z.ZodDefault<z.ZodBoolean>;
+    }, "strip", z.ZodTypeAny, {
+        secret?: string;
+        expiration?: string;
+        refreshExpiration?: string;
+        requireJti?: boolean;
+    }, {
+        secret?: string;
+        expiration?: string;
+        refreshExpiration?: string;
+        requireJti?: boolean;
+    }>, {
+        secret?: string;
+        expiration?: string;
+        refreshExpiration?: string;
+        requireJti?: boolean;
+    }, {
+        secret?: string;
+        expiration?: string;
+        refreshExpiration?: string;
+        requireJti?: boolean;
+    }>;
+    proof: z.ZodObject<{
+        storage: z.ZodDefault<z.ZodEnum<["local", "s3", "gcs"]>>;
+        localPath: z.ZodDefault<z.ZodString>;
+        retentionDays: z.ZodDefault<z.ZodNumber>;
+    }, "strip", z.ZodTypeAny, {
+        storage?: "local" | "s3" | "gcs";
+        localPath?: string;
+        retentionDays?: number;
+    }, {
+        storage?: "local" | "s3" | "gcs";
+        localPath?: string;
+        retentionDays?: number;
+    }>;
+    trust: z.ZodObject<{
+        calcInterval: z.ZodDefault<z.ZodNumber>;
+        cacheTtl: z.ZodDefault<z.ZodNumber>;
+        /** @deprecated Inactivity decay now uses stepped milestones. See DECAY_MILESTONES in trust-engine. */
+        decayRate: z.ZodOptional<z.ZodDefault<z.ZodNumber>>;
+    }, "strip", z.ZodTypeAny, {
+        calcInterval?: number;
+        cacheTtl?: number;
+        decayRate?: number;
+    }, {
+        calcInterval?: number;
+        cacheTtl?: number;
+        decayRate?: number;
+    }>;
+    basis: z.ZodObject<{
+        evalTimeout: z.ZodDefault<z.ZodNumber>;
+        maxRules: z.ZodDefault<z.ZodNumber>;
+        cacheEnabled: z.ZodDefault<z.ZodBoolean>;
+    }, "strip", z.ZodTypeAny, {
+        evalTimeout?: number;
+        maxRules?: number;
+        cacheEnabled?: boolean;
+    }, {
+        evalTimeout?: number;
+        maxRules?: number;
+        cacheEnabled?: boolean;
+    }>;
+    cognigate: z.ZodObject<{
+        timeout: z.ZodDefault<z.ZodNumber>;
+        maxConcurrent: z.ZodDefault<z.ZodNumber>;
+        maxMemoryMb: z.ZodDefault<z.ZodNumber>;
+        maxCpuPercent: z.ZodDefault<z.ZodNumber>;
+    }, "strip", z.ZodTypeAny, {
+        timeout?: number;
+        maxConcurrent?: number;
+        maxMemoryMb?: number;
+        maxCpuPercent?: number;
+    }, {
+        timeout?: number;
+        maxConcurrent?: number;
+        maxMemoryMb?: number;
+        maxCpuPercent?: number;
+    }>;
+    intent: z.ZodObject<{
+        defaultNamespace: z.ZodDefault<z.ZodString>;
+        namespaceRouting: z.ZodDefault<z.ZodRecord<z.ZodString, z.ZodString>>;
+        dedupeTtlSeconds: z.ZodDefault<z.ZodNumber>;
+        /**
+         * HMAC secret for secure deduplication hash computation.
+         * REQUIRED in production/staging to prevent hash prediction attacks.
+         * Generate with: openssl rand -base64 32
+         */
+        dedupeSecret: z.ZodOptional<z.ZodString>;
+        /**
+         * Timestamp window for deduplication in seconds.
+         * Hashes are computed with a time bucket to prevent replay attacks
+         * while allowing legitimate retries within the window.
+         * Default: 300 seconds (5 minutes)
+         */
+        dedupeTimestampWindowSeconds: z.ZodDefault<z.ZodNumber>;
+        sensitivePaths: z.ZodDefault<z.ZodArray<z.ZodString, "many">>;
+        defaultMaxInFlight: z.ZodDefault<z.ZodNumber>;
+        tenantMaxInFlight: z.ZodDefault<z.ZodRecord<z.ZodString, z.ZodNumber>>;
+        queueConcurrency: z.ZodDefault<z.ZodNumber>;
+        jobTimeoutMs: z.ZodDefault<z.ZodNumber>;
+        maxRetries: z.ZodDefault<z.ZodNumber>;
+        retryBackoffMs: z.ZodDefault<z.ZodNumber>;
+        queueDepthThreshold: z.ZodDefault<z.ZodNumber>;
+        eventRetentionDays: z.ZodDefault<z.ZodNumber>;
+        encryptContext: z.ZodDefault<z.ZodBoolean>;
+        trustGates: z.ZodDefault<z.ZodRecord<z.ZodString, z.ZodNumber>>;
+        defaultMinTrustLevel: z.ZodDefault<z.ZodNumber>;
+        revalidateTrustAtDecision: z.ZodDefault<z.ZodBoolean>;
+        softDeleteRetentionDays: z.ZodDefault<z.ZodNumber>;
+        escalationTimeout: z.ZodDefault<z.ZodString>;
+        escalationDefaultRecipient: z.ZodDefault<z.ZodString>;
+        cleanupCronSchedule: z.ZodDefault<z.ZodString>;
+        timeoutCheckCronSchedule: z.ZodDefault<z.ZodString>;
+        shutdownTimeoutMs: z.ZodDefault<z.ZodNumber>;
+        rateLimits: z.ZodDefault<z.ZodObject<{
+            default: z.ZodDefault<z.ZodObject<{
+                limit: z.ZodDefault<z.ZodNumber>;
+                windowSeconds: z.ZodDefault<z.ZodNumber>;
+            }, "strip", z.ZodTypeAny, {
+                limit?: number;
+                windowSeconds?: number;
+            }, {
+                limit?: number;
+                windowSeconds?: number;
+            }>>;
+            highRisk: z.ZodDefault<z.ZodObject<{
+                limit: z.ZodDefault<z.ZodNumber>;
+                windowSeconds: z.ZodDefault<z.ZodNumber>;
+            }, "strip", z.ZodTypeAny, {
+                limit?: number;
+                windowSeconds?: number;
+            }, {
+                limit?: number;
+                windowSeconds?: number;
+            }>>;
+            dataExport: z.ZodDefault<z.ZodObject<{
+                limit: z.ZodDefault<z.ZodNumber>;
+                windowSeconds: z.ZodDefault<z.ZodNumber>;
+            }, "strip", z.ZodTypeAny, {
+                limit?: number;
+                windowSeconds?: number;
+            }, {
+                limit?: number;
+                windowSeconds?: number;
+            }>>;
+            adminAction: z.ZodDefault<z.ZodObject<{
+                limit: z.ZodDefault<z.ZodNumber>;
+                windowSeconds: z.ZodDefault<z.ZodNumber>;
+            }, "strip", z.ZodTypeAny, {
+                limit?: number;
+                windowSeconds?: number;
+            }, {
+                limit?: number;
+                windowSeconds?: number;
+            }>>;
+        }, "strip", z.ZodTypeAny, {
+            default?: {
+                limit?: number;
+                windowSeconds?: number;
+            };
+            highRisk?: {
+                limit?: number;
+                windowSeconds?: number;
+            };
+            dataExport?: {
+                limit?: number;
+                windowSeconds?: number;
+            };
+            adminAction?: {
+                limit?: number;
+                windowSeconds?: number;
+            };
+        }, {
+            default?: {
+                limit?: number;
+                windowSeconds?: number;
+            };
+            highRisk?: {
+                limit?: number;
+                windowSeconds?: number;
+            };
+            dataExport?: {
+                limit?: number;
+                windowSeconds?: number;
+            };
+            adminAction?: {
+                limit?: number;
+                windowSeconds?: number;
+            };
+        }>>;
+        policyCircuitBreaker: z.ZodDefault<z.ZodObject<{
+            /** Number of consecutive failures before opening the circuit (default: 5) */
+            failureThreshold: z.ZodDefault<z.ZodNumber>;
+            /** Time in milliseconds before attempting to close the circuit (default: 30000) */
+            resetTimeoutMs: z.ZodDefault<z.ZodNumber>;
+        }, "strip", z.ZodTypeAny, {
+            failureThreshold?: number;
+            resetTimeoutMs?: number;
+        }, {
+            failureThreshold?: number;
+            resetTimeoutMs?: number;
+        }>>;
+    }, "strip", z.ZodTypeAny, {
+        defaultNamespace?: string;
+        namespaceRouting?: Record<string, string>;
+        dedupeTtlSeconds?: number;
+        dedupeSecret?: string;
+        dedupeTimestampWindowSeconds?: number;
+        sensitivePaths?: string[];
+        defaultMaxInFlight?: number;
+        tenantMaxInFlight?: Record<string, number>;
+        queueConcurrency?: number;
+        jobTimeoutMs?: number;
+        maxRetries?: number;
+        retryBackoffMs?: number;
+        queueDepthThreshold?: number;
+        eventRetentionDays?: number;
+        encryptContext?: boolean;
+        trustGates?: Record<string, number>;
+        defaultMinTrustLevel?: number;
+        revalidateTrustAtDecision?: boolean;
+        softDeleteRetentionDays?: number;
+        escalationTimeout?: string;
+        escalationDefaultRecipient?: string;
+        cleanupCronSchedule?: string;
+        timeoutCheckCronSchedule?: string;
+        shutdownTimeoutMs?: number;
+        rateLimits?: {
+            default?: {
+                limit?: number;
+                windowSeconds?: number;
+            };
+            highRisk?: {
+                limit?: number;
+                windowSeconds?: number;
+            };
+            dataExport?: {
+                limit?: number;
+                windowSeconds?: number;
+            };
+            adminAction?: {
+                limit?: number;
+                windowSeconds?: number;
+            };
+        };
+        policyCircuitBreaker?: {
+            failureThreshold?: number;
+            resetTimeoutMs?: number;
+        };
+    }, {
+        defaultNamespace?: string;
+        namespaceRouting?: Record<string, string>;
+        dedupeTtlSeconds?: number;
+        dedupeSecret?: string;
+        dedupeTimestampWindowSeconds?: number;
+        sensitivePaths?: string[];
+        defaultMaxInFlight?: number;
+        tenantMaxInFlight?: Record<string, number>;
+        queueConcurrency?: number;
+        jobTimeoutMs?: number;
+        maxRetries?: number;
+        retryBackoffMs?: number;
+        queueDepthThreshold?: number;
+        eventRetentionDays?: number;
+        encryptContext?: boolean;
+        trustGates?: Record<string, number>;
+        defaultMinTrustLevel?: number;
+        revalidateTrustAtDecision?: boolean;
+        softDeleteRetentionDays?: number;
+        escalationTimeout?: string;
+        escalationDefaultRecipient?: string;
+        cleanupCronSchedule?: string;
+        timeoutCheckCronSchedule?: string;
+        shutdownTimeoutMs?: number;
+        rateLimits?: {
+            default?: {
+                limit?: number;
+                windowSeconds?: number;
+            };
+            highRisk?: {
+                limit?: number;
+                windowSeconds?: number;
+            };
+            dataExport?: {
+                limit?: number;
+                windowSeconds?: number;
+            };
+            adminAction?: {
+                limit?: number;
+                windowSeconds?: number;
+            };
+        };
+        policyCircuitBreaker?: {
+            failureThreshold?: number;
+            resetTimeoutMs?: number;
+        };
+    }>;
+    circuitBreaker: z.ZodDefault<z.ZodObject<{
+        database: z.ZodDefault<z.ZodObject<{
+            /** Number of failures before opening the circuit (default: 5) */
+            failureThreshold: z.ZodDefault<z.ZodNumber>;
+            /** Time in ms before attempting to close the circuit (default: 30000) */
+            resetTimeoutMs: z.ZodDefault<z.ZodNumber>;
+            /** Maximum attempts in half-open state before reopening (default: 3) */
+            halfOpenMaxAttempts: z.ZodDefault<z.ZodNumber>;
+            /** Time window in ms to monitor for failures (default: 60000) */
+            monitorWindowMs: z.ZodDefault<z.ZodNumber>;
+        }, "strip", z.ZodTypeAny, {
+            failureThreshold?: number;
+            resetTimeoutMs?: number;
+            halfOpenMaxAttempts?: number;
+            monitorWindowMs?: number;
+        }, {
+            failureThreshold?: number;
+            resetTimeoutMs?: number;
+            halfOpenMaxAttempts?: number;
+            monitorWindowMs?: number;
+        }>>;
+        redis: z.ZodDefault<z.ZodObject<{
+            /** Number of failures before opening the circuit (default: 10) */
+            failureThreshold: z.ZodDefault<z.ZodNumber>;
+            /** Time in ms before attempting to close the circuit (default: 10000) */
+            resetTimeoutMs: z.ZodDefault<z.ZodNumber>;
+            /** Maximum attempts in half-open state before reopening (default: 5) */
+            halfOpenMaxAttempts: z.ZodDefault<z.ZodNumber>;
+            /** Time window in ms to monitor for failures (default: 30000) */
+            monitorWindowMs: z.ZodDefault<z.ZodNumber>;
+        }, "strip", z.ZodTypeAny, {
+            failureThreshold?: number;
+            resetTimeoutMs?: number;
+            halfOpenMaxAttempts?: number;
+            monitorWindowMs?: number;
+        }, {
+            failureThreshold?: number;
+            resetTimeoutMs?: number;
+            halfOpenMaxAttempts?: number;
+            monitorWindowMs?: number;
+        }>>;
+        webhook: z.ZodDefault<z.ZodObject<{
+            /** Number of failures before opening the circuit (default: 3) */
+            failureThreshold: z.ZodDefault<z.ZodNumber>;
+            /** Time in ms before attempting to close the circuit (default: 60000) */
+            resetTimeoutMs: z.ZodDefault<z.ZodNumber>;
+            /** Maximum attempts in half-open state before reopening (default: 2) */
+            halfOpenMaxAttempts: z.ZodDefault<z.ZodNumber>;
+            /** Time window in ms to monitor for failures (default: 120000) */
+            monitorWindowMs: z.ZodDefault<z.ZodNumber>;
+        }, "strip", z.ZodTypeAny, {
+            failureThreshold?: number;
+            resetTimeoutMs?: number;
+            halfOpenMaxAttempts?: number;
+            monitorWindowMs?: number;
+        }, {
+            failureThreshold?: number;
+            resetTimeoutMs?: number;
+            halfOpenMaxAttempts?: number;
+            monitorWindowMs?: number;
+        }>>;
+        policyEngine: z.ZodDefault<z.ZodObject<{
+            /** Number of failures before opening the circuit (default: 5) */
+            failureThreshold: z.ZodDefault<z.ZodNumber>;
+            /** Time in ms before attempting to close the circuit (default: 15000) */
+            resetTimeoutMs: z.ZodDefault<z.ZodNumber>;
+            /** Maximum attempts in half-open state before reopening (default: 3) */
+            halfOpenMaxAttempts: z.ZodDefault<z.ZodNumber>;
+            /** Time window in ms to monitor for failures (default: 60000) */
+            monitorWindowMs: z.ZodDefault<z.ZodNumber>;
+        }, "strip", z.ZodTypeAny, {
+            failureThreshold?: number;
+            resetTimeoutMs?: number;
+            halfOpenMaxAttempts?: number;
+            monitorWindowMs?: number;
+        }, {
+            failureThreshold?: number;
+            resetTimeoutMs?: number;
+            halfOpenMaxAttempts?: number;
+            monitorWindowMs?: number;
+        }>>;
+        trustEngine: z.ZodDefault<z.ZodObject<{
+            /** Number of failures before opening the circuit (default: 5) */
+            failureThreshold: z.ZodDefault<z.ZodNumber>;
+            /** Time in ms before attempting to close the circuit (default: 15000) */
+            resetTimeoutMs: z.ZodDefault<z.ZodNumber>;
+            /** Maximum attempts in half-open state before reopening (default: 3) */
+            halfOpenMaxAttempts: z.ZodDefault<z.ZodNumber>;
+            /** Time window in ms to monitor for failures (default: 60000) */
+            monitorWindowMs: z.ZodDefault<z.ZodNumber>;
+        }, "strip", z.ZodTypeAny, {
+            failureThreshold?: number;
+            resetTimeoutMs?: number;
+            halfOpenMaxAttempts?: number;
+            monitorWindowMs?: number;
+        }, {
+            failureThreshold?: number;
+            resetTimeoutMs?: number;
+            halfOpenMaxAttempts?: number;
+            monitorWindowMs?: number;
+        }>>;
+    }, "strip", z.ZodTypeAny, {
+        database?: {
+            failureThreshold?: number;
+            resetTimeoutMs?: number;
+            halfOpenMaxAttempts?: number;
+            monitorWindowMs?: number;
+        };
+        redis?: {
+            failureThreshold?: number;
+            resetTimeoutMs?: number;
+            halfOpenMaxAttempts?: number;
+            monitorWindowMs?: number;
+        };
+        webhook?: {
+            failureThreshold?: number;
+            resetTimeoutMs?: number;
+            halfOpenMaxAttempts?: number;
+            monitorWindowMs?: number;
+        };
+        policyEngine?: {
+            failureThreshold?: number;
+            resetTimeoutMs?: number;
+            halfOpenMaxAttempts?: number;
+            monitorWindowMs?: number;
+        };
+        trustEngine?: {
+            failureThreshold?: number;
+            resetTimeoutMs?: number;
+            halfOpenMaxAttempts?: number;
+            monitorWindowMs?: number;
+        };
+    }, {
+        database?: {
+            failureThreshold?: number;
+            resetTimeoutMs?: number;
+            halfOpenMaxAttempts?: number;
+            monitorWindowMs?: number;
+        };
+        redis?: {
+            failureThreshold?: number;
+            resetTimeoutMs?: number;
+            halfOpenMaxAttempts?: number;
+            monitorWindowMs?: number;
+        };
+        webhook?: {
+            failureThreshold?: number;
+            resetTimeoutMs?: number;
+            halfOpenMaxAttempts?: number;
+            monitorWindowMs?: number;
+        };
+        policyEngine?: {
+            failureThreshold?: number;
+            resetTimeoutMs?: number;
+            halfOpenMaxAttempts?: number;
+            monitorWindowMs?: number;
+        };
+        trustEngine?: {
+            failureThreshold?: number;
+            resetTimeoutMs?: number;
+            halfOpenMaxAttempts?: number;
+            monitorWindowMs?: number;
+        };
+    }>>;
+    webhook: z.ZodObject<{
+        timeoutMs: z.ZodDefault<z.ZodNumber>;
+        retryAttempts: z.ZodDefault<z.ZodNumber>;
+        retryDelayMs: z.ZodDefault<z.ZodNumber>;
+        allowDnsChange: z.ZodDefault<z.ZodBoolean>;
+        circuitFailureThreshold: z.ZodDefault<z.ZodNumber>;
+        circuitResetTimeoutMs: z.ZodDefault<z.ZodNumber>;
+        deliveryConcurrency: z.ZodDefault<z.ZodNumber>;
+        allowedDomains: z.ZodDefault<z.ZodArray<z.ZodString, "many">>;
+        blockedDomains: z.ZodDefault<z.ZodArray<z.ZodString, "many">>;
+        enforceAllowlist: z.ZodDefault<z.ZodBoolean>;
+    }, "strip", z.ZodTypeAny, {
+        timeoutMs?: number;
+        retryAttempts?: number;
+        retryDelayMs?: number;
+        allowDnsChange?: boolean;
+        circuitFailureThreshold?: number;
+        circuitResetTimeoutMs?: number;
+        deliveryConcurrency?: number;
+        allowedDomains?: string[];
+        blockedDomains?: string[];
+        enforceAllowlist?: boolean;
+    }, {
+        timeoutMs?: number;
+        retryAttempts?: number;
+        retryDelayMs?: number;
+        allowDnsChange?: boolean;
+        circuitFailureThreshold?: number;
+        circuitResetTimeoutMs?: number;
+        deliveryConcurrency?: number;
+        allowedDomains?: string[];
+        blockedDomains?: string[];
+        enforceAllowlist?: boolean;
+    }>;
+    gdpr: z.ZodDefault<z.ZodObject<{
+        /** Concurrency for GDPR export worker (default: max(2, CPU count)) */
+        exportConcurrency: z.ZodOptional<z.ZodNumber>;
+    }, "strip", z.ZodTypeAny, {
+        exportConcurrency?: number;
+    }, {
+        exportConcurrency?: number;
+    }>>;
+    audit: z.ZodObject<{
+        retentionDays: z.ZodDefault<z.ZodNumber>;
+        archiveEnabled: z.ZodDefault<z.ZodBoolean>;
+        archiveAfterDays: z.ZodDefault<z.ZodNumber>;
+        cleanupBatchSize: z.ZodDefault<z.ZodNumber>;
+    }, "strip", z.ZodTypeAny, {
+        retentionDays?: number;
+        archiveEnabled?: boolean;
+        archiveAfterDays?: number;
+        cleanupBatchSize?: number;
+    }, {
+        retentionDays?: number;
+        archiveEnabled?: boolean;
+        archiveAfterDays?: number;
+        cleanupBatchSize?: number;
+    }>;
+    encryption: z.ZodDefault<z.ZodObject<{
+        /**
+         * Dedicated encryption key for data at rest (required in production/staging)
+         * MUST be at least 32 characters. Generate with: openssl rand -base64 32
+         */
+        key: z.ZodOptional<z.ZodString>;
+        /**
+         * Salt for PBKDF2 key derivation (required in production/staging)
+         * MUST be at least 16 characters. Generate with: openssl rand -base64 16
+         */
+        salt: z.ZodOptional<z.ZodString>;
+        algorithm: z.ZodDefault<z.ZodString>;
+        /**
+         * PBKDF2 iterations - higher is more secure but slower
+         * Minimum 100,000 recommended by OWASP
+         */
+        pbkdf2Iterations: z.ZodDefault<z.ZodNumber>;
+        /**
+         * Key derivation version for future algorithm changes
+         * v1 = SHA-256 (legacy, insecure)
+         * v2 = PBKDF2-SHA512 (current)
+         */
+        kdfVersion: z.ZodDefault<z.ZodNumber>;
+    }, "strip", z.ZodTypeAny, {
+        key?: string;
+        salt?: string;
+        algorithm?: string;
+        pbkdf2Iterations?: number;
+        kdfVersion?: number;
+    }, {
+        key?: string;
+        salt?: string;
+        algorithm?: string;
+        pbkdf2Iterations?: number;
+        kdfVersion?: number;
+    }>>;
+    csrf: z.ZodDefault<z.ZodObject<{
+        /** Whether CSRF protection is enabled */
+        enabled: z.ZodDefault<z.ZodBoolean>;
+        /** Secret key for HMAC signing (min 32 chars, auto-generated if not provided) */
+        secret: z.ZodOptional<z.ZodString>;
+        /** Name of the CSRF cookie */
+        cookieName: z.ZodDefault<z.ZodString>;
+        /** Name of the header containing the CSRF token */
+        headerName: z.ZodDefault<z.ZodString>;
+        /** Token validity duration in milliseconds */
+        tokenTTL: z.ZodDefault<z.ZodNumber>;
+        /** Paths to exclude from CSRF protection (supports glob patterns) */
+        excludePaths: z.ZodDefault<z.ZodArray<z.ZodString, "many">>;
+        /** HTTP methods to exclude from CSRF validation */
+        excludeMethods: z.ZodDefault<z.ZodArray<z.ZodString, "many">>;
+    }, "strip", z.ZodTypeAny, {
+        secret?: string;
+        enabled?: boolean;
+        cookieName?: string;
+        headerName?: string;
+        tokenTTL?: number;
+        excludePaths?: string[];
+        excludeMethods?: string[];
+    }, {
+        secret?: string;
+        enabled?: boolean;
+        cookieName?: string;
+        headerName?: string;
+        tokenTTL?: number;
+        excludePaths?: string[];
+        excludeMethods?: string[];
+    }>>;
+    session: z.ZodDefault<z.ZodObject<{
+        /** Whether server-side fingerprint validation is enabled */
+        fingerprintEnabled: z.ZodDefault<z.ZodBoolean>;
+        /**
+         * Strictness level for fingerprint validation: 'warn' logs mismatches, 'block' rejects the request.
+         * SECURITY: Default is 'block' to actively prevent session hijacking attempts.
+         * Use 'warn' only during initial rollout to identify false positives before enforcement.
+         * In 'block' mode, requests with mismatched fingerprints are rejected with 403 Forbidden.
+         */
+        fingerprintStrictness: z.ZodDefault<z.ZodEnum<["warn", "block"]>>;
+        /** Components to include in fingerprint computation */
+        fingerprintComponents: z.ZodDefault<z.ZodArray<z.ZodString, "many">>;
+    }, "strip", z.ZodTypeAny, {
+        fingerprintEnabled?: boolean;
+        fingerprintStrictness?: "warn" | "block";
+        fingerprintComponents?: string[];
+    }, {
+        fingerprintEnabled?: boolean;
+        fingerprintStrictness?: "warn" | "block";
+        fingerprintComponents?: string[];
+    }>>;
+    lite: z.ZodDefault<z.ZodObject<{
+        /**
+         * Enable lite mode for simplified single-instance deployments.
+         * When enabled, Vorion can run with reduced infrastructure requirements.
+         */
+        enabled: z.ZodDefault<z.ZodBoolean>;
+        /**
+         * Automatically generate secure secrets for development when not provided.
+         * MUST be false in production.
+         */
+        autoGenerateSecrets: z.ZodDefault<z.ZodBoolean>;
+        /**
+         * Directory for local data storage (proofs, temp files, etc.)
+         */
+        dataDirectory: z.ZodDefault<z.ZodString>;
+        /**
+         * Allow running without Redis using in-memory adapters.
+         * Useful for development and single-instance deployments.
+         * Note: In-memory state is NOT shared across instances.
+         */
+        redisOptional: z.ZodDefault<z.ZodBoolean>;
+    }, "strip", z.ZodTypeAny, {
+        enabled?: boolean;
+        autoGenerateSecrets?: boolean;
+        dataDirectory?: string;
+        redisOptional?: boolean;
+    }, {
+        enabled?: boolean;
+        autoGenerateSecrets?: boolean;
+        dataDirectory?: string;
+        redisOptional?: boolean;
+    }>>;
+    hsm: z.ZodDefault<z.ZodObject<{
+        /**
+         * Enable HSM integration for FIPS 140-3 compliant key management.
+         * When enabled, cryptographic operations use HSM-backed keys.
+         */
+        enabled: z.ZodDefault<z.ZodBoolean>;
+        /**
+         * HSM provider type: aws, azure, gcp, thales, softhsm, or pkcs11.
+         * Use 'softhsm' for development/testing.
+         */
+        provider: z.ZodDefault<z.ZodEnum<["aws", "azure", "gcp", "thales", "softhsm", "pkcs11"]>>;
+        /**
+         * Enable automatic failover to backup HSM providers.
+         */
+        enableFailover: z.ZodDefault<z.ZodBoolean>;
+        /**
+         * Failover providers in priority order (comma-separated).
+         */
+        failoverProviders: z.ZodDefault<z.ZodArray<z.ZodEnum<["aws", "azure", "gcp", "thales", "softhsm"]>, "many">>;
+        /**
+         * Health check interval in milliseconds.
+         */
+        healthCheckIntervalMs: z.ZodDefault<z.ZodNumber>;
+        /**
+         * Enable key metadata caching.
+         */
+        enableKeyCache: z.ZodDefault<z.ZodBoolean>;
+        /**
+         * Key cache TTL in seconds.
+         */
+        keyCacheTTLSeconds: z.ZodDefault<z.ZodNumber>;
+        /**
+         * Enable HSM operation audit logging.
+         */
+        enableAuditLogging: z.ZodDefault<z.ZodBoolean>;
+        /**
+         * Enable FIPS 140-3 compliance mode (restricts to FIPS-approved algorithms).
+         */
+        fipsMode: z.ZodDefault<z.ZodBoolean>;
+        /**
+         * Connection timeout in milliseconds.
+         */
+        connectionTimeoutMs: z.ZodDefault<z.ZodNumber>;
+        /**
+         * Operation timeout in milliseconds.
+         */
+        operationTimeoutMs: z.ZodDefault<z.ZodNumber>;
+        /**
+         * AWS CloudHSM configuration.
+         */
+        aws: z.ZodDefault<z.ZodObject<{
+            clusterId: z.ZodOptional<z.ZodString>;
+            region: z.ZodDefault<z.ZodString>;
+            cryptoUser: z.ZodOptional<z.ZodString>;
+        }, "strip", z.ZodTypeAny, {
+            clusterId?: string;
+            region?: string;
+            cryptoUser?: string;
+        }, {
+            clusterId?: string;
+            region?: string;
+            cryptoUser?: string;
+        }>>;
+        /**
+         * Azure Managed HSM configuration.
+         */
+        azure: z.ZodDefault<z.ZodObject<{
+            hsmName: z.ZodOptional<z.ZodString>;
+            region: z.ZodDefault<z.ZodString>;
+            tenantId: z.ZodOptional<z.ZodString>;
+            clientId: z.ZodOptional<z.ZodString>;
+        }, "strip", z.ZodTypeAny, {
+            region?: string;
+            hsmName?: string;
+            tenantId?: string;
+            clientId?: string;
+        }, {
+            region?: string;
+            hsmName?: string;
+            tenantId?: string;
+            clientId?: string;
+        }>>;
+        /**
+         * GCP Cloud HSM configuration.
+         */
+        gcp: z.ZodDefault<z.ZodObject<{
+            projectId: z.ZodOptional<z.ZodString>;
+            location: z.ZodDefault<z.ZodString>;
+            keyRing: z.ZodOptional<z.ZodString>;
+        }, "strip", z.ZodTypeAny, {
+            projectId?: string;
+            location?: string;
+            keyRing?: string;
+        }, {
+            projectId?: string;
+            location?: string;
+            keyRing?: string;
+        }>>;
+        /**
+         * Thales Luna HSM configuration.
+         */
+        thales: z.ZodDefault<z.ZodObject<{
+            partitionName: z.ZodOptional<z.ZodString>;
+            hsmIpAddresses: z.ZodDefault<z.ZodArray<z.ZodString, "many">>;
+        }, "strip", z.ZodTypeAny, {
+            partitionName?: string;
+            hsmIpAddresses?: string[];
+        }, {
+            partitionName?: string;
+            hsmIpAddresses?: string[];
+        }>>;
+        /**
+         * PKCS#11 token configuration (for smart cards/hardware tokens).
+         */
+        pkcs11: z.ZodDefault<z.ZodObject<{
+            libraryPath: z.ZodOptional<z.ZodString>;
+            slot: z.ZodOptional<z.ZodNumber>;
+            fipsMode: z.ZodDefault<z.ZodBoolean>;
+        }, "strip", z.ZodTypeAny, {
+            fipsMode?: boolean;
+            libraryPath?: string;
+            slot?: number;
+        }, {
+            fipsMode?: boolean;
+            libraryPath?: string;
+            slot?: number;
+        }>>;
+    }, "strip", z.ZodTypeAny, {
+        enabled?: boolean;
+        aws?: {
+            clusterId?: string;
+            region?: string;
+            cryptoUser?: string;
+        };
+        azure?: {
+            region?: string;
+            hsmName?: string;
+            tenantId?: string;
+            clientId?: string;
+        };
+        gcp?: {
+            projectId?: string;
+            location?: string;
+            keyRing?: string;
+        };
+        thales?: {
+            partitionName?: string;
+            hsmIpAddresses?: string[];
+        };
+        pkcs11?: {
+            fipsMode?: boolean;
+            libraryPath?: string;
+            slot?: number;
+        };
+        provider?: "aws" | "azure" | "gcp" | "thales" | "softhsm" | "pkcs11";
+        enableFailover?: boolean;
+        failoverProviders?: ("aws" | "azure" | "gcp" | "thales" | "softhsm")[];
+        healthCheckIntervalMs?: number;
+        enableKeyCache?: boolean;
+        keyCacheTTLSeconds?: number;
+        enableAuditLogging?: boolean;
+        fipsMode?: boolean;
+        connectionTimeoutMs?: number;
+        operationTimeoutMs?: number;
+    }, {
+        enabled?: boolean;
+        aws?: {
+            clusterId?: string;
+            region?: string;
+            cryptoUser?: string;
+        };
+        azure?: {
+            region?: string;
+            hsmName?: string;
+            tenantId?: string;
+            clientId?: string;
+        };
+        gcp?: {
+            projectId?: string;
+            location?: string;
+            keyRing?: string;
+        };
+        thales?: {
+            partitionName?: string;
+            hsmIpAddresses?: string[];
+        };
+        pkcs11?: {
+            fipsMode?: boolean;
+            libraryPath?: string;
+            slot?: number;
+        };
+        provider?: "aws" | "azure" | "gcp" | "thales" | "softhsm" | "pkcs11";
+        enableFailover?: boolean;
+        failoverProviders?: ("aws" | "azure" | "gcp" | "thales" | "softhsm")[];
+        healthCheckIntervalMs?: number;
+        enableKeyCache?: boolean;
+        keyCacheTTLSeconds?: number;
+        enableAuditLogging?: boolean;
+        fipsMode?: boolean;
+        connectionTimeoutMs?: number;
+        operationTimeoutMs?: number;
+    }>>;
+}, "strip", z.ZodTypeAny, {
+    basis?: {
+        evalTimeout?: number;
+        maxRules?: number;
+        cacheEnabled?: boolean;
+    };
+    env?: "production" | "development" | "staging";
+    logLevel?: "error" | "warn" | "info" | "debug";
+    app?: {
+        version?: string;
+        name?: string;
+        environment?: string;
+    };
+    telemetry?: {
+        enabled?: boolean;
+        serviceName?: string;
+        otlpEndpoint?: string;
+        otlpHeaders?: Record<string, string>;
+        sampleRate?: number;
+    };
+    api?: {
+        timeout?: number;
+        port?: number;
+        host?: string;
+        basePath?: string;
+        rateLimit?: number;
+        bulkRateLimit?: number;
+    };
+    cors?: {
+        allowedOrigins?: string[];
+    };
+    health?: {
+        checkTimeoutMs?: number;
+        readyTimeoutMs?: number;
+        livenessTimeoutMs?: number;
+    };
+    database?: {
+        user?: string;
+        password?: string;
+        name?: string;
+        port?: number;
+        host?: string;
+        poolMin?: number;
+        poolMax?: number;
+        poolIdleTimeoutMs?: number;
+        poolConnectionTimeoutMs?: number;
+        metricsIntervalMs?: number;
+        statementTimeoutMs?: number;
+        longQueryTimeoutMs?: number;
+    };
+    redis?: {
+        password?: string;
+        port?: number;
+        host?: string;
+        db?: number;
+    };
+    jwt?: {
+        secret?: string;
+        expiration?: string;
+        refreshExpiration?: string;
+        requireJti?: boolean;
+    };
+    proof?: {
+        storage?: "local" | "s3" | "gcs";
+        localPath?: string;
+        retentionDays?: number;
+    };
+    trust?: {
+        calcInterval?: number;
+        cacheTtl?: number;
+        decayRate?: number;
+    };
+    cognigate?: {
+        timeout?: number;
+        maxConcurrent?: number;
+        maxMemoryMb?: number;
+        maxCpuPercent?: number;
+    };
+    intent?: {
+        defaultNamespace?: string;
+        namespaceRouting?: Record<string, string>;
+        dedupeTtlSeconds?: number;
+        dedupeSecret?: string;
+        dedupeTimestampWindowSeconds?: number;
+        sensitivePaths?: string[];
+        defaultMaxInFlight?: number;
+        tenantMaxInFlight?: Record<string, number>;
+        queueConcurrency?: number;
+        jobTimeoutMs?: number;
+        maxRetries?: number;
+        retryBackoffMs?: number;
+        queueDepthThreshold?: number;
+        eventRetentionDays?: number;
+        encryptContext?: boolean;
+        trustGates?: Record<string, number>;
+        defaultMinTrustLevel?: number;
+        revalidateTrustAtDecision?: boolean;
+        softDeleteRetentionDays?: number;
+        escalationTimeout?: string;
+        escalationDefaultRecipient?: string;
+        cleanupCronSchedule?: string;
+        timeoutCheckCronSchedule?: string;
+        shutdownTimeoutMs?: number;
+        rateLimits?: {
+            default?: {
+                limit?: number;
+                windowSeconds?: number;
+            };
+            highRisk?: {
+                limit?: number;
+                windowSeconds?: number;
+            };
+            dataExport?: {
+                limit?: number;
+                windowSeconds?: number;
+            };
+            adminAction?: {
+                limit?: number;
+                windowSeconds?: number;
+            };
+        };
+        policyCircuitBreaker?: {
+            failureThreshold?: number;
+            resetTimeoutMs?: number;
+        };
+    };
+    webhook?: {
+        timeoutMs?: number;
+        retryAttempts?: number;
+        retryDelayMs?: number;
+        allowDnsChange?: boolean;
+        circuitFailureThreshold?: number;
+        circuitResetTimeoutMs?: number;
+        deliveryConcurrency?: number;
+        allowedDomains?: string[];
+        blockedDomains?: string[];
+        enforceAllowlist?: boolean;
+    };
+    circuitBreaker?: {
+        database?: {
+            failureThreshold?: number;
+            resetTimeoutMs?: number;
+            halfOpenMaxAttempts?: number;
+            monitorWindowMs?: number;
+        };
+        redis?: {
+            failureThreshold?: number;
+            resetTimeoutMs?: number;
+            halfOpenMaxAttempts?: number;
+            monitorWindowMs?: number;
+        };
+        webhook?: {
+            failureThreshold?: number;
+            resetTimeoutMs?: number;
+            halfOpenMaxAttempts?: number;
+            monitorWindowMs?: number;
+        };
+        policyEngine?: {
+            failureThreshold?: number;
+            resetTimeoutMs?: number;
+            halfOpenMaxAttempts?: number;
+            monitorWindowMs?: number;
+        };
+        trustEngine?: {
+            failureThreshold?: number;
+            resetTimeoutMs?: number;
+            halfOpenMaxAttempts?: number;
+            monitorWindowMs?: number;
+        };
+    };
+    gdpr?: {
+        exportConcurrency?: number;
+    };
+    audit?: {
+        retentionDays?: number;
+        archiveEnabled?: boolean;
+        archiveAfterDays?: number;
+        cleanupBatchSize?: number;
+    };
+    encryption?: {
+        key?: string;
+        salt?: string;
+        algorithm?: string;
+        pbkdf2Iterations?: number;
+        kdfVersion?: number;
+    };
+    csrf?: {
+        secret?: string;
+        enabled?: boolean;
+        cookieName?: string;
+        headerName?: string;
+        tokenTTL?: number;
+        excludePaths?: string[];
+        excludeMethods?: string[];
+    };
+    session?: {
+        fingerprintEnabled?: boolean;
+        fingerprintStrictness?: "warn" | "block";
+        fingerprintComponents?: string[];
+    };
+    lite?: {
+        enabled?: boolean;
+        autoGenerateSecrets?: boolean;
+        dataDirectory?: string;
+        redisOptional?: boolean;
+    };
+    hsm?: {
+        enabled?: boolean;
+        aws?: {
+            clusterId?: string;
+            region?: string;
+            cryptoUser?: string;
+        };
+        azure?: {
+            region?: string;
+            hsmName?: string;
+            tenantId?: string;
+            clientId?: string;
+        };
+        gcp?: {
+            projectId?: string;
+            location?: string;
+            keyRing?: string;
+        };
+        thales?: {
+            partitionName?: string;
+            hsmIpAddresses?: string[];
+        };
+        pkcs11?: {
+            fipsMode?: boolean;
+            libraryPath?: string;
+            slot?: number;
+        };
+        provider?: "aws" | "azure" | "gcp" | "thales" | "softhsm" | "pkcs11";
+        enableFailover?: boolean;
+        failoverProviders?: ("aws" | "azure" | "gcp" | "thales" | "softhsm")[];
+        healthCheckIntervalMs?: number;
+        enableKeyCache?: boolean;
+        keyCacheTTLSeconds?: number;
+        enableAuditLogging?: boolean;
+        fipsMode?: boolean;
+        connectionTimeoutMs?: number;
+        operationTimeoutMs?: number;
+    };
+}, {
+    basis?: {
+        evalTimeout?: number;
+        maxRules?: number;
+        cacheEnabled?: boolean;
+    };
+    env?: "production" | "development" | "staging";
+    logLevel?: "error" | "warn" | "info" | "debug";
+    app?: {
+        version?: string;
+        name?: string;
+        environment?: string;
+    };
+    telemetry?: {
+        enabled?: boolean;
+        serviceName?: string;
+        otlpEndpoint?: string;
+        otlpHeaders?: Record<string, string>;
+        sampleRate?: number;
+    };
+    api?: {
+        timeout?: number;
+        port?: number;
+        host?: string;
+        basePath?: string;
+        rateLimit?: number;
+        bulkRateLimit?: number;
+    };
+    cors?: {
+        allowedOrigins?: string[];
+    };
+    health?: {
+        checkTimeoutMs?: number;
+        readyTimeoutMs?: number;
+        livenessTimeoutMs?: number;
+    };
+    database?: {
+        user?: string;
+        password?: string;
+        name?: string;
+        port?: number;
+        host?: string;
+        poolMin?: number;
+        poolMax?: number;
+        poolIdleTimeoutMs?: number;
+        poolConnectionTimeoutMs?: number;
+        metricsIntervalMs?: number;
+        statementTimeoutMs?: number;
+        longQueryTimeoutMs?: number;
+    };
+    redis?: {
+        password?: string;
+        port?: number;
+        host?: string;
+        db?: number;
+    };
+    jwt?: {
+        secret?: string;
+        expiration?: string;
+        refreshExpiration?: string;
+        requireJti?: boolean;
+    };
+    proof?: {
+        storage?: "local" | "s3" | "gcs";
+        localPath?: string;
+        retentionDays?: number;
+    };
+    trust?: {
+        calcInterval?: number;
+        cacheTtl?: number;
+        decayRate?: number;
+    };
+    cognigate?: {
+        timeout?: number;
+        maxConcurrent?: number;
+        maxMemoryMb?: number;
+        maxCpuPercent?: number;
+    };
+    intent?: {
+        defaultNamespace?: string;
+        namespaceRouting?: Record<string, string>;
+        dedupeTtlSeconds?: number;
+        dedupeSecret?: string;
+        dedupeTimestampWindowSeconds?: number;
+        sensitivePaths?: string[];
+        defaultMaxInFlight?: number;
+        tenantMaxInFlight?: Record<string, number>;
+        queueConcurrency?: number;
+        jobTimeoutMs?: number;
+        maxRetries?: number;
+        retryBackoffMs?: number;
+        queueDepthThreshold?: number;
+        eventRetentionDays?: number;
+        encryptContext?: boolean;
+        trustGates?: Record<string, number>;
+        defaultMinTrustLevel?: number;
+        revalidateTrustAtDecision?: boolean;
+        softDeleteRetentionDays?: number;
+        escalationTimeout?: string;
+        escalationDefaultRecipient?: string;
+        cleanupCronSchedule?: string;
+        timeoutCheckCronSchedule?: string;
+        shutdownTimeoutMs?: number;
+        rateLimits?: {
+            default?: {
+                limit?: number;
+                windowSeconds?: number;
+            };
+            highRisk?: {
+                limit?: number;
+                windowSeconds?: number;
+            };
+            dataExport?: {
+                limit?: number;
+                windowSeconds?: number;
+            };
+            adminAction?: {
+                limit?: number;
+                windowSeconds?: number;
+            };
+        };
+        policyCircuitBreaker?: {
+            failureThreshold?: number;
+            resetTimeoutMs?: number;
+        };
+    };
+    webhook?: {
+        timeoutMs?: number;
+        retryAttempts?: number;
+        retryDelayMs?: number;
+        allowDnsChange?: boolean;
+        circuitFailureThreshold?: number;
+        circuitResetTimeoutMs?: number;
+        deliveryConcurrency?: number;
+        allowedDomains?: string[];
+        blockedDomains?: string[];
+        enforceAllowlist?: boolean;
+    };
+    circuitBreaker?: {
+        database?: {
+            failureThreshold?: number;
+            resetTimeoutMs?: number;
+            halfOpenMaxAttempts?: number;
+            monitorWindowMs?: number;
+        };
+        redis?: {
+            failureThreshold?: number;
+            resetTimeoutMs?: number;
+            halfOpenMaxAttempts?: number;
+            monitorWindowMs?: number;
+        };
+        webhook?: {
+            failureThreshold?: number;
+            resetTimeoutMs?: number;
+            halfOpenMaxAttempts?: number;
+            monitorWindowMs?: number;
+        };
+        policyEngine?: {
+            failureThreshold?: number;
+            resetTimeoutMs?: number;
+            halfOpenMaxAttempts?: number;
+            monitorWindowMs?: number;
+        };
+        trustEngine?: {
+            failureThreshold?: number;
+            resetTimeoutMs?: number;
+            halfOpenMaxAttempts?: number;
+            monitorWindowMs?: number;
+        };
+    };
+    gdpr?: {
+        exportConcurrency?: number;
+    };
+    audit?: {
+        retentionDays?: number;
+        archiveEnabled?: boolean;
+        archiveAfterDays?: number;
+        cleanupBatchSize?: number;
+    };
+    encryption?: {
+        key?: string;
+        salt?: string;
+        algorithm?: string;
+        pbkdf2Iterations?: number;
+        kdfVersion?: number;
+    };
+    csrf?: {
+        secret?: string;
+        enabled?: boolean;
+        cookieName?: string;
+        headerName?: string;
+        tokenTTL?: number;
+        excludePaths?: string[];
+        excludeMethods?: string[];
+    };
+    session?: {
+        fingerprintEnabled?: boolean;
+        fingerprintStrictness?: "warn" | "block";
+        fingerprintComponents?: string[];
+    };
+    lite?: {
+        enabled?: boolean;
+        autoGenerateSecrets?: boolean;
+        dataDirectory?: string;
+        redisOptional?: boolean;
+    };
+    hsm?: {
+        enabled?: boolean;
+        aws?: {
+            clusterId?: string;
+            region?: string;
+            cryptoUser?: string;
+        };
+        azure?: {
+            region?: string;
+            hsmName?: string;
+            tenantId?: string;
+            clientId?: string;
+        };
+        gcp?: {
+            projectId?: string;
+            location?: string;
+            keyRing?: string;
+        };
+        thales?: {
+            partitionName?: string;
+            hsmIpAddresses?: string[];
+        };
+        pkcs11?: {
+            fipsMode?: boolean;
+            libraryPath?: string;
+            slot?: number;
+        };
+        provider?: "aws" | "azure" | "gcp" | "thales" | "softhsm" | "pkcs11";
+        enableFailover?: boolean;
+        failoverProviders?: ("aws" | "azure" | "gcp" | "thales" | "softhsm")[];
+        healthCheckIntervalMs?: number;
+        enableKeyCache?: boolean;
+        keyCacheTTLSeconds?: number;
+        enableAuditLogging?: boolean;
+        fipsMode?: boolean;
+        connectionTimeoutMs?: number;
+        operationTimeoutMs?: number;
+    };
+}>, {
+    basis?: {
+        evalTimeout?: number;
+        maxRules?: number;
+        cacheEnabled?: boolean;
+    };
+    env?: "production" | "development" | "staging";
+    logLevel?: "error" | "warn" | "info" | "debug";
+    app?: {
+        version?: string;
+        name?: string;
+        environment?: string;
+    };
+    telemetry?: {
+        enabled?: boolean;
+        serviceName?: string;
+        otlpEndpoint?: string;
+        otlpHeaders?: Record<string, string>;
+        sampleRate?: number;
+    };
+    api?: {
+        timeout?: number;
+        port?: number;
+        host?: string;
+        basePath?: string;
+        rateLimit?: number;
+        bulkRateLimit?: number;
+    };
+    cors?: {
+        allowedOrigins?: string[];
+    };
+    health?: {
+        checkTimeoutMs?: number;
+        readyTimeoutMs?: number;
+        livenessTimeoutMs?: number;
+    };
+    database?: {
+        user?: string;
+        password?: string;
+        name?: string;
+        port?: number;
+        host?: string;
+        poolMin?: number;
+        poolMax?: number;
+        poolIdleTimeoutMs?: number;
+        poolConnectionTimeoutMs?: number;
+        metricsIntervalMs?: number;
+        statementTimeoutMs?: number;
+        longQueryTimeoutMs?: number;
+    };
+    redis?: {
+        password?: string;
+        port?: number;
+        host?: string;
+        db?: number;
+    };
+    jwt?: {
+        secret?: string;
+        expiration?: string;
+        refreshExpiration?: string;
+        requireJti?: boolean;
+    };
+    proof?: {
+        storage?: "local" | "s3" | "gcs";
+        localPath?: string;
+        retentionDays?: number;
+    };
+    trust?: {
+        calcInterval?: number;
+        cacheTtl?: number;
+        decayRate?: number;
+    };
+    cognigate?: {
+        timeout?: number;
+        maxConcurrent?: number;
+        maxMemoryMb?: number;
+        maxCpuPercent?: number;
+    };
+    intent?: {
+        defaultNamespace?: string;
+        namespaceRouting?: Record<string, string>;
+        dedupeTtlSeconds?: number;
+        dedupeSecret?: string;
+        dedupeTimestampWindowSeconds?: number;
+        sensitivePaths?: string[];
+        defaultMaxInFlight?: number;
+        tenantMaxInFlight?: Record<string, number>;
+        queueConcurrency?: number;
+        jobTimeoutMs?: number;
+        maxRetries?: number;
+        retryBackoffMs?: number;
+        queueDepthThreshold?: number;
+        eventRetentionDays?: number;
+        encryptContext?: boolean;
+        trustGates?: Record<string, number>;
+        defaultMinTrustLevel?: number;
+        revalidateTrustAtDecision?: boolean;
+        softDeleteRetentionDays?: number;
+        escalationTimeout?: string;
+        escalationDefaultRecipient?: string;
+        cleanupCronSchedule?: string;
+        timeoutCheckCronSchedule?: string;
+        shutdownTimeoutMs?: number;
+        rateLimits?: {
+            default?: {
+                limit?: number;
+                windowSeconds?: number;
+            };
+            highRisk?: {
+                limit?: number;
+                windowSeconds?: number;
+            };
+            dataExport?: {
+                limit?: number;
+                windowSeconds?: number;
+            };
+            adminAction?: {
+                limit?: number;
+                windowSeconds?: number;
+            };
+        };
+        policyCircuitBreaker?: {
+            failureThreshold?: number;
+            resetTimeoutMs?: number;
+        };
+    };
+    webhook?: {
+        timeoutMs?: number;
+        retryAttempts?: number;
+        retryDelayMs?: number;
+        allowDnsChange?: boolean;
+        circuitFailureThreshold?: number;
+        circuitResetTimeoutMs?: number;
+        deliveryConcurrency?: number;
+        allowedDomains?: string[];
+        blockedDomains?: string[];
+        enforceAllowlist?: boolean;
+    };
+    circuitBreaker?: {
+        database?: {
+            failureThreshold?: number;
+            resetTimeoutMs?: number;
+            halfOpenMaxAttempts?: number;
+            monitorWindowMs?: number;
+        };
+        redis?: {
+            failureThreshold?: number;
+            resetTimeoutMs?: number;
+            halfOpenMaxAttempts?: number;
+            monitorWindowMs?: number;
+        };
+        webhook?: {
+            failureThreshold?: number;
+            resetTimeoutMs?: number;
+            halfOpenMaxAttempts?: number;
+            monitorWindowMs?: number;
+        };
+        policyEngine?: {
+            failureThreshold?: number;
+            resetTimeoutMs?: number;
+            halfOpenMaxAttempts?: number;
+            monitorWindowMs?: number;
+        };
+        trustEngine?: {
+            failureThreshold?: number;
+            resetTimeoutMs?: number;
+            halfOpenMaxAttempts?: number;
+            monitorWindowMs?: number;
+        };
+    };
+    gdpr?: {
+        exportConcurrency?: number;
+    };
+    audit?: {
+        retentionDays?: number;
+        archiveEnabled?: boolean;
+        archiveAfterDays?: number;
+        cleanupBatchSize?: number;
+    };
+    encryption?: {
+        key?: string;
+        salt?: string;
+        algorithm?: string;
+        pbkdf2Iterations?: number;
+        kdfVersion?: number;
+    };
+    csrf?: {
+        secret?: string;
+        enabled?: boolean;
+        cookieName?: string;
+        headerName?: string;
+        tokenTTL?: number;
+        excludePaths?: string[];
+        excludeMethods?: string[];
+    };
+    session?: {
+        fingerprintEnabled?: boolean;
+        fingerprintStrictness?: "warn" | "block";
+        fingerprintComponents?: string[];
+    };
+    lite?: {
+        enabled?: boolean;
+        autoGenerateSecrets?: boolean;
+        dataDirectory?: string;
+        redisOptional?: boolean;
+    };
+    hsm?: {
+        enabled?: boolean;
+        aws?: {
+            clusterId?: string;
+            region?: string;
+            cryptoUser?: string;
+        };
+        azure?: {
+            region?: string;
+            hsmName?: string;
+            tenantId?: string;
+            clientId?: string;
+        };
+        gcp?: {
+            projectId?: string;
+            location?: string;
+            keyRing?: string;
+        };
+        thales?: {
+            partitionName?: string;
+            hsmIpAddresses?: string[];
+        };
+        pkcs11?: {
+            fipsMode?: boolean;
+            libraryPath?: string;
+            slot?: number;
+        };
+        provider?: "aws" | "azure" | "gcp" | "thales" | "softhsm" | "pkcs11";
+        enableFailover?: boolean;
+        failoverProviders?: ("aws" | "azure" | "gcp" | "thales" | "softhsm")[];
+        healthCheckIntervalMs?: number;
+        enableKeyCache?: boolean;
+        keyCacheTTLSeconds?: number;
+        enableAuditLogging?: boolean;
+        fipsMode?: boolean;
+        connectionTimeoutMs?: number;
+        operationTimeoutMs?: number;
+    };
+}, {
+    basis?: {
+        evalTimeout?: number;
+        maxRules?: number;
+        cacheEnabled?: boolean;
+    };
+    env?: "production" | "development" | "staging";
+    logLevel?: "error" | "warn" | "info" | "debug";
+    app?: {
+        version?: string;
+        name?: string;
+        environment?: string;
+    };
+    telemetry?: {
+        enabled?: boolean;
+        serviceName?: string;
+        otlpEndpoint?: string;
+        otlpHeaders?: Record<string, string>;
+        sampleRate?: number;
+    };
+    api?: {
+        timeout?: number;
+        port?: number;
+        host?: string;
+        basePath?: string;
+        rateLimit?: number;
+        bulkRateLimit?: number;
+    };
+    cors?: {
+        allowedOrigins?: string[];
+    };
+    health?: {
+        checkTimeoutMs?: number;
+        readyTimeoutMs?: number;
+        livenessTimeoutMs?: number;
+    };
+    database?: {
+        user?: string;
+        password?: string;
+        name?: string;
+        port?: number;
+        host?: string;
+        poolMin?: number;
+        poolMax?: number;
+        poolIdleTimeoutMs?: number;
+        poolConnectionTimeoutMs?: number;
+        metricsIntervalMs?: number;
+        statementTimeoutMs?: number;
+        longQueryTimeoutMs?: number;
+    };
+    redis?: {
+        password?: string;
+        port?: number;
+        host?: string;
+        db?: number;
+    };
+    jwt?: {
+        secret?: string;
+        expiration?: string;
+        refreshExpiration?: string;
+        requireJti?: boolean;
+    };
+    proof?: {
+        storage?: "local" | "s3" | "gcs";
+        localPath?: string;
+        retentionDays?: number;
+    };
+    trust?: {
+        calcInterval?: number;
+        cacheTtl?: number;
+        decayRate?: number;
+    };
+    cognigate?: {
+        timeout?: number;
+        maxConcurrent?: number;
+        maxMemoryMb?: number;
+        maxCpuPercent?: number;
+    };
+    intent?: {
+        defaultNamespace?: string;
+        namespaceRouting?: Record<string, string>;
+        dedupeTtlSeconds?: number;
+        dedupeSecret?: string;
+        dedupeTimestampWindowSeconds?: number;
+        sensitivePaths?: string[];
+        defaultMaxInFlight?: number;
+        tenantMaxInFlight?: Record<string, number>;
+        queueConcurrency?: number;
+        jobTimeoutMs?: number;
+        maxRetries?: number;
+        retryBackoffMs?: number;
+        queueDepthThreshold?: number;
+        eventRetentionDays?: number;
+        encryptContext?: boolean;
+        trustGates?: Record<string, number>;
+        defaultMinTrustLevel?: number;
+        revalidateTrustAtDecision?: boolean;
+        softDeleteRetentionDays?: number;
+        escalationTimeout?: string;
+        escalationDefaultRecipient?: string;
+        cleanupCronSchedule?: string;
+        timeoutCheckCronSchedule?: string;
+        shutdownTimeoutMs?: number;
+        rateLimits?: {
+            default?: {
+                limit?: number;
+                windowSeconds?: number;
+            };
+            highRisk?: {
+                limit?: number;
+                windowSeconds?: number;
+            };
+            dataExport?: {
+                limit?: number;
+                windowSeconds?: number;
+            };
+            adminAction?: {
+                limit?: number;
+                windowSeconds?: number;
+            };
+        };
+        policyCircuitBreaker?: {
+            failureThreshold?: number;
+            resetTimeoutMs?: number;
+        };
+    };
+    webhook?: {
+        timeoutMs?: number;
+        retryAttempts?: number;
+        retryDelayMs?: number;
+        allowDnsChange?: boolean;
+        circuitFailureThreshold?: number;
+        circuitResetTimeoutMs?: number;
+        deliveryConcurrency?: number;
+        allowedDomains?: string[];
+        blockedDomains?: string[];
+        enforceAllowlist?: boolean;
+    };
+    circuitBreaker?: {
+        database?: {
+            failureThreshold?: number;
+            resetTimeoutMs?: number;
+            halfOpenMaxAttempts?: number;
+            monitorWindowMs?: number;
+        };
+        redis?: {
+            failureThreshold?: number;
+            resetTimeoutMs?: number;
+            halfOpenMaxAttempts?: number;
+            monitorWindowMs?: number;
+        };
+        webhook?: {
+            failureThreshold?: number;
+            resetTimeoutMs?: number;
+            halfOpenMaxAttempts?: number;
+            monitorWindowMs?: number;
+        };
+        policyEngine?: {
+            failureThreshold?: number;
+            resetTimeoutMs?: number;
+            halfOpenMaxAttempts?: number;
+            monitorWindowMs?: number;
+        };
+        trustEngine?: {
+            failureThreshold?: number;
+            resetTimeoutMs?: number;
+            halfOpenMaxAttempts?: number;
+            monitorWindowMs?: number;
+        };
+    };
+    gdpr?: {
+        exportConcurrency?: number;
+    };
+    audit?: {
+        retentionDays?: number;
+        archiveEnabled?: boolean;
+        archiveAfterDays?: number;
+        cleanupBatchSize?: number;
+    };
+    encryption?: {
+        key?: string;
+        salt?: string;
+        algorithm?: string;
+        pbkdf2Iterations?: number;
+        kdfVersion?: number;
+    };
+    csrf?: {
+        secret?: string;
+        enabled?: boolean;
+        cookieName?: string;
+        headerName?: string;
+        tokenTTL?: number;
+        excludePaths?: string[];
+        excludeMethods?: string[];
+    };
+    session?: {
+        fingerprintEnabled?: boolean;
+        fingerprintStrictness?: "warn" | "block";
+        fingerprintComponents?: string[];
+    };
+    lite?: {
+        enabled?: boolean;
+        autoGenerateSecrets?: boolean;
+        dataDirectory?: string;
+        redisOptional?: boolean;
+    };
+    hsm?: {
+        enabled?: boolean;
+        aws?: {
+            clusterId?: string;
+            region?: string;
+            cryptoUser?: string;
+        };
+        azure?: {
+            region?: string;
+            hsmName?: string;
+            tenantId?: string;
+            clientId?: string;
+        };
+        gcp?: {
+            projectId?: string;
+            location?: string;
+            keyRing?: string;
+        };
+        thales?: {
+            partitionName?: string;
+            hsmIpAddresses?: string[];
+        };
+        pkcs11?: {
+            fipsMode?: boolean;
+            libraryPath?: string;
+            slot?: number;
+        };
+        provider?: "aws" | "azure" | "gcp" | "thales" | "softhsm" | "pkcs11";
+        enableFailover?: boolean;
+        failoverProviders?: ("aws" | "azure" | "gcp" | "thales" | "softhsm")[];
+        healthCheckIntervalMs?: number;
+        enableKeyCache?: boolean;
+        keyCacheTTLSeconds?: number;
+        enableAuditLogging?: boolean;
+        fipsMode?: boolean;
+        connectionTimeoutMs?: number;
+        operationTimeoutMs?: number;
+    };
+}>;
+export type Config = z.infer<typeof configSchema>;
+/**
+ * Load configuration from environment
+ */
+export declare function loadConfig(): Config;
+/**
+ * Get configuration (loads once)
+ */
+export declare function getConfig(): Config;
+/**
+ * Calculate Shannon entropy of a secret string in bits.
+ * Used to detect weak secrets like repeated characters, simple patterns, etc.
+ *
+ * SE-C1: Entropy check (not just length check) to prevent weak secrets
+ * that could bypass validation in production.
+ *
+ * @param secret - The secret string to analyze
+ * @returns Entropy in bits
+ */
+export declare function calculateSecretEntropy(secret: string): number;
+/**
+ * Generate a cryptographically secure secret with entropy validation.
+ *
+ * Uses Node.js crypto.randomBytes which is backed by the OS CSPRNG.
+ * Validates that the generated secret meets minimum entropy requirements.
+ *
+ * @param bytes - Number of random bytes to generate (default: 64)
+ * @param minEntropy - Minimum required entropy in bits (default: 128)
+ * @returns Base64-encoded secret string
+ * @throws Error if generated secret has insufficient entropy (indicates CSPRNG issue)
+ *
+ * @example
+ * ```typescript
+ * const secret = generateStrongSecret(64); // 64 bytes = 512 bits
+ * // Returns base64 string with ~340+ bits of entropy
+ * ```
+ */
+export declare function generateStrongSecret(bytes?: number, minEntropy?: number): string;
+/**
+ * Production configuration validation errors
+ */
+export interface ProductionConfigError {
+    field: string;
+    message: string;
+    critical: boolean;
+}
+/**
+ * Validate configuration for production deployment.
+ *
+ * This function performs comprehensive validation of all CRITICAL security
+ * fields required for production deployments. It should be called during
+ * application startup to ensure the deployment is properly configured.
+ *
+ * Validates:
+ * - JWT_SECRET: Not default, minimum 32 chars, minimum 128 bits entropy
+ * - ENCRYPTION_KEY: Minimum 32 chars, minimum 128 bits entropy
+ * - SIGNING_PRIVATE_KEY: Valid Ed25519/ECDSA key format
+ * - DATABASE_URL/connection: Valid PostgreSQL connection string
+ *
+ * @throws Error if any critical validation fails with detailed message
+ * @returns void on success
+ *
+ * @example
+ * ```typescript
+ * import { validateProductionConfig } from './config.js';
+ *
+ * // Call at application startup
+ * try {
+ *   validateProductionConfig();
+ *   console.log('Production configuration validated successfully');
+ * } catch (error) {
+ *   console.error('Configuration error:', error.message);
+ *   process.exit(1);
+ * }
+ * ```
+ */
+export declare function validateProductionConfig(): void;
+export {};
+//# sourceMappingURL=config.d.ts.map