nextjs-secure 0.3.0 → 0.5.0

package/dist/index.js

@@ -1444,10 +1444,2373 @@ function createSecurityHeadersObject(options = {}) {
   });
   return obj;
 }
+var encoder2 = new TextEncoder();
+var decoder = new TextDecoder();
+function base64UrlDecode(str) {
+  const pad = str.length % 4;
+  if (pad) {
+    str += "=".repeat(4 - pad);
+  }
+  const base64 = str.replace(/-/g, "+").replace(/_/g, "/");
+  const binary = atob(base64);
+  const bytes = new Uint8Array(binary.length);
+  for (let i = 0; i < binary.length; i++) {
+    bytes[i] = binary.charCodeAt(i);
+  }
+  return bytes;
+}
+function decodeJWT(token) {
+  try {
+    const parts = token.split(".");
+    if (parts.length !== 3) return null;
+    const header = JSON.parse(decoder.decode(base64UrlDecode(parts[0])));
+    const payload = JSON.parse(decoder.decode(base64UrlDecode(parts[1])));
+    const signature = base64UrlDecode(parts[2]);
+    return { header, payload, signature };
+  } catch {
+    return null;
+  }
+}
+function getAlgorithmParams(alg) {
+  switch (alg) {
+    case "HS256":
+      return { name: "HMAC", hash: "SHA-256" };
+    case "HS384":
+      return { name: "HMAC", hash: "SHA-384" };
+    case "HS512":
+      return { name: "HMAC", hash: "SHA-512" };
+    case "RS256":
+      return { name: "RSASSA-PKCS1-v1_5", hash: "SHA-256" };
+    case "RS384":
+      return { name: "RSASSA-PKCS1-v1_5", hash: "SHA-384" };
+    case "RS512":
+      return { name: "RSASSA-PKCS1-v1_5", hash: "SHA-512" };
+    case "ES256":
+      return { name: "ECDSA", hash: "SHA-256", namedCurve: "P-256" };
+    case "ES384":
+      return { name: "ECDSA", hash: "SHA-384", namedCurve: "P-384" };
+    case "ES512":
+      return { name: "ECDSA", hash: "SHA-512", namedCurve: "P-521" };
+    default:
+      return null;
+  }
+}
+async function verifyHMAC(data, signature, secret, hash) {
+  const key = await webcrypto.subtle.importKey(
+    "raw",
+    encoder2.encode(secret),
+    { name: "HMAC", hash },
+    false,
+    ["verify"]
+  );
+  return webcrypto.subtle.verify("HMAC", key, signature, encoder2.encode(data));
+}
+async function importPublicKey(pem, algorithm) {
+  const pemContents = pem.replace(/-----BEGIN.*-----/, "").replace(/-----END.*-----/, "").replace(/\s/g, "");
+  const binaryDer = base64UrlDecode(pemContents.replace(/\+/g, "-").replace(/\//g, "_"));
+  const keyUsages = ["verify"];
+  if (algorithm.name === "RSASSA-PKCS1-v1_5") {
+    return webcrypto.subtle.importKey(
+      "spki",
+      binaryDer,
+      { name: algorithm.name, hash: algorithm.hash },
+      false,
+      keyUsages
+    );
+  }
+  if (algorithm.name === "ECDSA") {
+    return webcrypto.subtle.importKey(
+      "spki",
+      binaryDer,
+      { name: algorithm.name, namedCurve: algorithm.namedCurve },
+      false,
+      keyUsages
+    );
+  }
+  throw new Error(`Unsupported algorithm: ${algorithm.name}`);
+}
+async function verifyAsymmetric(data, signature, publicKey, algorithm) {
+  const key = await importPublicKey(publicKey, algorithm);
+  const params = algorithm.name === "ECDSA" ? { name: "ECDSA", hash: algorithm.hash } : algorithm.name;
+  return webcrypto.subtle.verify(params, key, signature, encoder2.encode(data));
+}
+function validateClaims(payload, config) {
+  const now = Math.floor(Date.now() / 1e3);
+  const tolerance = config.clockTolerance || 0;
+  if (payload.exp !== void 0 && payload.exp < now - tolerance) {
+    return {
+      code: "expired_token",
+      message: "Token has expired",
+      status: 401
+    };
+  }
+  if (payload.nbf !== void 0 && payload.nbf > now + tolerance) {
+    return {
+      code: "invalid_token",
+      message: "Token not yet valid",
+      status: 401
+    };
+  }
+  if (config.issuer) {
+    const issuers = Array.isArray(config.issuer) ? config.issuer : [config.issuer];
+    if (!payload.iss || !issuers.includes(payload.iss)) {
+      return {
+        code: "invalid_token",
+        message: "Invalid token issuer",
+        status: 401
+      };
+    }
+  }
+  if (config.audience) {
+    const audiences = Array.isArray(config.audience) ? config.audience : [config.audience];
+    const tokenAudiences = Array.isArray(payload.aud) ? payload.aud : payload.aud ? [payload.aud] : [];
+    const hasValidAudience = audiences.some((aud) => tokenAudiences.includes(aud));
+    if (!hasValidAudience) {
+      return {
+        code: "invalid_token",
+        message: "Invalid token audience",
+        status: 401
+      };
+    }
+  }
+  return null;
+}
+async function verifyJWT(token, config) {
+  const decoded = decodeJWT(token);
+  if (!decoded) {
+    return {
+      payload: null,
+      error: {
+        code: "invalid_token",
+        message: "Malformed token",
+        status: 401
+      }
+    };
+  }
+  const { header, payload, signature } = decoded;
+  const alg = header.alg;
+  const allowedAlgorithms = config.algorithms || ["HS256"];
+  if (!allowedAlgorithms.includes(alg)) {
+    return {
+      payload: null,
+      error: {
+        code: "invalid_token",
+        message: `Algorithm ${alg} not allowed`,
+        status: 401
+      }
+    };
+  }
+  const algorithmParams = getAlgorithmParams(alg);
+  if (!algorithmParams) {
+    return {
+      payload: null,
+      error: {
+        code: "invalid_token",
+        message: `Unsupported algorithm: ${alg}`,
+        status: 401
+      }
+    };
+  }
+  const parts = token.split(".");
+  const signedData = `${parts[0]}.${parts[1]}`;
+  let isValid = false;
+  try {
+    if (algorithmParams.name === "HMAC") {
+      if (!config.secret) {
+        return {
+          payload: null,
+          error: {
+            code: "invalid_token",
+            message: "Secret required for HMAC algorithms",
+            status: 500
+          }
+        };
+      }
+      isValid = await verifyHMAC(signedData, signature, config.secret, algorithmParams.hash);
+    } else {
+      if (!config.publicKey) {
+        return {
+          payload: null,
+          error: {
+            code: "invalid_token",
+            message: "Public key required for asymmetric algorithms",
+            status: 500
+          }
+        };
+      }
+      isValid = await verifyAsymmetric(signedData, signature, config.publicKey, algorithmParams);
+    }
+  } catch {
+    isValid = false;
+  }
+  if (!isValid) {
+    return {
+      payload: null,
+      error: {
+        code: "invalid_signature",
+        message: "Invalid token signature",
+        status: 401
+      }
+    };
+  }
+  const claimsError = validateClaims(payload, config);
+  if (claimsError) {
+    return { payload: null, error: claimsError };
+  }
+  return { payload, error: null };
+}
+function extractBearerToken(authHeader) {
+  if (!authHeader) return null;
+  if (!authHeader.startsWith("Bearer ")) return null;
+  return authHeader.slice(7);
+}
+
+// src/middleware/auth/middleware.ts
+function defaultErrorResponse2(_req, error) {
+  return new Response(
+    JSON.stringify({
+      error: error.code,
+      message: error.message
+    }),
+    {
+      status: error.status,
+      headers: { "Content-Type": "application/json" }
+    }
+  );
+}
+async function getTokenFromRequest(req, config) {
+  if (config?.getToken) {
+    return config.getToken(req);
+  }
+  return extractBearerToken(req.headers.get("authorization"));
+}
+function withJWT(handler, config) {
+  const secret = config.secret || process.env.JWT_SECRET;
+  const effectiveConfig = { ...config, secret };
+  return async (req) => {
+    const token = await getTokenFromRequest(req, effectiveConfig);
+    if (!token) {
+      return defaultErrorResponse2(req, {
+        code: "missing_token",
+        message: "Authentication required",
+        status: 401
+      });
+    }
+    const { payload, error } = await verifyJWT(token, effectiveConfig);
+    if (error) {
+      return defaultErrorResponse2(req, error);
+    }
+    const user = effectiveConfig.mapUser ? await effectiveConfig.mapUser(payload) : {
+      id: payload.sub || "",
+      email: payload.email,
+      name: payload.name,
+      roles: payload.roles,
+      permissions: payload.permissions
+    };
+    return handler(req, { user, token });
+  };
+}
+function withAPIKey(handler, config) {
+  const headerName = config.headerName || "x-api-key";
+  const queryParam = config.queryParam || "api_key";
+  return async (req) => {
+    let apiKey = req.headers.get(headerName);
+    if (!apiKey) {
+      const url = new URL(req.url);
+      apiKey = url.searchParams.get(queryParam);
+    }
+    if (!apiKey) {
+      return defaultErrorResponse2(req, {
+        code: "missing_api_key",
+        message: "API key required",
+        status: 401
+      });
+    }
+    const user = await config.validate(apiKey, req);
+    if (!user) {
+      return defaultErrorResponse2(req, {
+        code: "invalid_api_key",
+        message: "Invalid API key",
+        status: 401
+      });
+    }
+    return handler(req, { user });
+  };
+}
+function withSession(handler, config) {
+  const cookieName = config.cookieName || "session";
+  return async (req) => {
+    const sessionId = req.cookies.get(cookieName)?.value;
+    if (!sessionId) {
+      return defaultErrorResponse2(req, {
+        code: "missing_session",
+        message: "Session required",
+        status: 401
+      });
+    }
+    const user = await config.validate(sessionId, req);
+    if (!user) {
+      return defaultErrorResponse2(req, {
+        code: "invalid_session",
+        message: "Invalid or expired session",
+        status: 401
+      });
+    }
+    return handler(req, { user });
+  };
+}
+function withRoles(handler, config) {
+  return async (req, ctx) => {
+    const { user } = ctx;
+    const userRoles = config.getUserRoles ? config.getUserRoles(user) : user.roles || [];
+    if (config.roles && config.roles.length > 0) {
+      const hasRole = config.roles.some((role) => userRoles.includes(role));
+      if (!hasRole) {
+        return defaultErrorResponse2(req, {
+          code: "insufficient_roles",
+          message: "Insufficient permissions",
+          status: 403
+        });
+      }
+    }
+    const userPermissions = config.getUserPermissions ? config.getUserPermissions(user) : user.permissions || [];
+    if (config.permissions && config.permissions.length > 0) {
+      const hasAllPermissions = config.permissions.every(
+        (perm) => userPermissions.includes(perm)
+      );
+      if (!hasAllPermissions) {
+        return defaultErrorResponse2(req, {
+          code: "insufficient_permissions",
+          message: "Insufficient permissions",
+          status: 403
+        });
+      }
+    }
+    if (config.authorize) {
+      const authorized = await config.authorize(user, req);
+      if (!authorized) {
+        return defaultErrorResponse2(req, {
+          code: "unauthorized",
+          message: "Unauthorized",
+          status: 403
+        });
+      }
+    }
+    return handler(req, ctx);
+  };
+}
+function withAuth(handler, config) {
+  const onError = config.onError || defaultErrorResponse2;
+  return async (req) => {
+    let user = null;
+    let token;
+    if (config.jwt) {
+      const secret = config.jwt.secret || process.env.JWT_SECRET;
+      const jwtConfig = { ...config.jwt, secret };
+      const jwtToken = await getTokenFromRequest(req, jwtConfig);
+      if (jwtToken) {
+        const { payload, error } = await verifyJWT(jwtToken, jwtConfig);
+        if (!error && payload) {
+          user = jwtConfig.mapUser ? await jwtConfig.mapUser(payload) : {
+            id: payload.sub || "",
+            email: payload.email,
+            name: payload.name,
+            roles: payload.roles
+          };
+          token = jwtToken;
+        }
+      }
+    }
+    if (!user && config.apiKey) {
+      const headerName = config.apiKey.headerName || "x-api-key";
+      const queryParam = config.apiKey.queryParam || "api_key";
+      let apiKey = req.headers.get(headerName);
+      if (!apiKey) {
+        const url = new URL(req.url);
+        apiKey = url.searchParams.get(queryParam);
+      }
+      if (apiKey) {
+        const apiUser = await config.apiKey.validate(apiKey, req);
+        if (apiUser) {
+          user = apiUser;
+        }
+      }
+    }
+    if (!user && config.session) {
+      const cookieName = config.session.cookieName || "session";
+      const sessionId = req.cookies.get(cookieName)?.value;
+      if (sessionId) {
+        const sessionUser = await config.session.validate(sessionId, req);
+        if (sessionUser) {
+          user = sessionUser;
+        }
+      }
+    }
+    if (!user) {
+      return onError(req, {
+        code: "unauthorized",
+        message: "Authentication required",
+        status: 401
+      });
+    }
+    if (config.rbac) {
+      const userRoles = config.rbac.getUserRoles ? config.rbac.getUserRoles(user) : user.roles || [];
+      if (config.rbac.roles && config.rbac.roles.length > 0) {
+        const hasRole = config.rbac.roles.some((role) => userRoles.includes(role));
+        if (!hasRole) {
+          return onError(req, {
+            code: "insufficient_roles",
+            message: "Insufficient permissions",
+            status: 403
+          });
+        }
+      }
+      const userPermissions = config.rbac.getUserPermissions ? config.rbac.getUserPermissions(user) : user.permissions || [];
+      if (config.rbac.permissions && config.rbac.permissions.length > 0) {
+        const hasAllPermissions = config.rbac.permissions.every(
+          (perm) => userPermissions.includes(perm)
+        );
+        if (!hasAllPermissions) {
+          return onError(req, {
+            code: "insufficient_permissions",
+            message: "Insufficient permissions",
+            status: 403
+          });
+        }
+      }
+      if (config.rbac.authorize) {
+        const authorized = await config.rbac.authorize(user, req);
+        if (!authorized) {
+          return onError(req, {
+            code: "unauthorized",
+            message: "Unauthorized",
+            status: 403
+          });
+        }
+      }
+    }
+    if (config.onSuccess) {
+      await config.onSuccess(req, user);
+    }
+    return handler(req, { user, token });
+  };
+}
+function withOptionalAuth(handler, config) {
+  return async (req) => {
+    let user = null;
+    let token;
+    if (config.jwt) {
+      const secret = config.jwt.secret || process.env.JWT_SECRET;
+      const jwtConfig = { ...config.jwt, secret };
+      const jwtToken = await getTokenFromRequest(req, jwtConfig);
+      if (jwtToken) {
+        const { payload, error } = await verifyJWT(jwtToken, jwtConfig);
+        if (!error && payload) {
+          user = jwtConfig.mapUser ? await jwtConfig.mapUser(payload) : {
+            id: payload.sub || "",
+            email: payload.email,
+            name: payload.name,
+            roles: payload.roles
+          };
+          token = jwtToken;
+        }
+      }
+    }
+    if (!user && config.apiKey) {
+      const headerName = config.apiKey.headerName || "x-api-key";
+      let apiKey = req.headers.get(headerName);
+      if (apiKey) {
+        const apiUser = await config.apiKey.validate(apiKey, req);
+        if (apiUser) user = apiUser;
+      }
+    }
+    if (!user && config.session) {
+      const cookieName = config.session.cookieName || "session";
+      const sessionId = req.cookies.get(cookieName)?.value;
+      if (sessionId) {
+        const sessionUser = await config.session.validate(sessionId, req);
+        if (sessionUser) user = sessionUser;
+      }
+    }
+    return handler(req, { user, token });
+  };
+}
+
+// src/middleware/validation/utils.ts
+function isZodSchema(schema) {
+  return typeof schema === "object" && schema !== null && "safeParse" in schema && typeof schema.safeParse === "function";
+}
+function isCustomSchema(schema) {
+  if (typeof schema !== "object" || schema === null) return false;
+  if ("safeParse" in schema) return false;
+  const entries = Object.entries(schema);
+  if (entries.length === 0) return false;
+  return entries.every(([_, rule]) => {
+    return typeof rule === "object" && rule !== null && "type" in rule;
+  });
+}
+var EMAIL_PATTERN = /^[a-zA-Z0-9.!#$%&'*+/=?^_`{|}~-]+@[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?(?:\.[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?)*$/;
+var URL_PATTERN = /^https?:\/\/(?:(?:www\.)?[-a-zA-Z0-9@:%._+~#=]{1,256}\.[a-zA-Z0-9()]{1,6}|localhost|(?:\d{1,3}\.){3}\d{1,3})(?::\d{1,5})?(?:[-a-zA-Z0-9()@:%_+.~#?&/=]*)$/;
+var UUID_PATTERN = /^[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$/i;
+var DATE_PATTERN = /^\d{4}-\d{2}-\d{2}(?:T\d{2}:\d{2}:\d{2}(?:\.\d{3})?(?:Z|[+-]\d{2}:?\d{2})?)?$/;
+function validateField(value, rule, fieldName) {
+  if (value === void 0 || value === null || value === "") {
+    if (rule.required) {
+      return {
+        field: fieldName,
+        code: "required",
+        message: rule.message || `${fieldName} is required`,
+        received: value
+      };
+    }
+    return null;
+  }
+  switch (rule.type) {
+    case "string":
+      if (typeof value !== "string") {
+        return {
+          field: fieldName,
+          code: "invalid_type",
+          message: rule.message || `${fieldName} must be a string`,
+          expected: "string",
+          received: typeof value
+        };
+      }
+      if (rule.minLength !== void 0 && value.length < rule.minLength) {
+        return {
+          field: fieldName,
+          code: "too_short",
+          message: rule.message || `${fieldName} must be at least ${rule.minLength} characters`,
+          received: value.length
+        };
+      }
+      if (rule.maxLength !== void 0 && value.length > rule.maxLength) {
+        return {
+          field: fieldName,
+          code: "too_long",
+          message: rule.message || `${fieldName} must be at most ${rule.maxLength} characters`,
+          received: value.length
+        };
+      }
+      if (rule.pattern && !rule.pattern.test(value)) {
+        return {
+          field: fieldName,
+          code: "invalid_pattern",
+          message: rule.message || `${fieldName} has invalid format`,
+          received: value
+        };
+      }
+      break;
+    case "number":
+      const num = typeof value === "number" ? value : Number(value);
+      if (isNaN(num)) {
+        return {
+          field: fieldName,
+          code: "invalid_type",
+          message: rule.message || `${fieldName} must be a number`,
+          expected: "number",
+          received: typeof value
+        };
+      }
+      if (rule.integer && !Number.isInteger(num)) {
+        return {
+          field: fieldName,
+          code: "invalid_integer",
+          message: rule.message || `${fieldName} must be an integer`,
+          received: num
+        };
+      }
+      if (rule.min !== void 0 && num < rule.min) {
+        return {
+          field: fieldName,
+          code: "too_small",
+          message: rule.message || `${fieldName} must be at least ${rule.min}`,
+          received: num
+        };
+      }
+      if (rule.max !== void 0 && num > rule.max) {
+        return {
+          field: fieldName,
+          code: "too_large",
+          message: rule.message || `${fieldName} must be at most ${rule.max}`,
+          received: num
+        };
+      }
+      break;
+    case "boolean":
+      if (typeof value !== "boolean" && value !== "true" && value !== "false") {
+        return {
+          field: fieldName,
+          code: "invalid_type",
+          message: rule.message || `${fieldName} must be a boolean`,
+          expected: "boolean",
+          received: typeof value
+        };
+      }
+      break;
+    case "email":
+      if (typeof value !== "string" || !EMAIL_PATTERN.test(value)) {
+        return {
+          field: fieldName,
+          code: "invalid_email",
+          message: rule.message || `${fieldName} must be a valid email address`,
+          received: value
+        };
+      }
+      break;
+    case "url":
+      if (typeof value !== "string" || !URL_PATTERN.test(value)) {
+        return {
+          field: fieldName,
+          code: "invalid_url",
+          message: rule.message || `${fieldName} must be a valid URL`,
+          received: value
+        };
+      }
+      break;
+    case "uuid":
+      if (typeof value !== "string" || !UUID_PATTERN.test(value)) {
+        return {
+          field: fieldName,
+          code: "invalid_uuid",
+          message: rule.message || `${fieldName} must be a valid UUID`,
+          received: value
+        };
+      }
+      break;
+    case "date":
+      if (typeof value !== "string" || !DATE_PATTERN.test(value)) {
+        const parsed = new Date(value);
+        if (isNaN(parsed.getTime())) {
+          return {
+            field: fieldName,
+            code: "invalid_date",
+            message: rule.message || `${fieldName} must be a valid date`,
+            received: value
+          };
+        }
+      }
+      break;
+    case "array":
+      if (!Array.isArray(value)) {
+        return {
+          field: fieldName,
+          code: "invalid_type",
+          message: rule.message || `${fieldName} must be an array`,
+          expected: "array",
+          received: typeof value
+        };
+      }
+      if (rule.minItems !== void 0 && value.length < rule.minItems) {
+        return {
+          field: fieldName,
+          code: "too_few_items",
+          message: rule.message || `${fieldName} must have at least ${rule.minItems} items`,
+          received: value.length
+        };
+      }
+      if (rule.maxItems !== void 0 && value.length > rule.maxItems) {
+        return {
+          field: fieldName,
+          code: "too_many_items",
+          message: rule.message || `${fieldName} must have at most ${rule.maxItems} items`,
+          received: value.length
+        };
+      }
+      if (rule.items) {
+        for (let i = 0; i < value.length; i++) {
+          const itemError = validateField(value[i], rule.items, `${fieldName}[${i}]`);
+          if (itemError) return itemError;
+        }
+      }
+      break;
+    case "object":
+      if (typeof value !== "object" || value === null || Array.isArray(value)) {
+        return {
+          field: fieldName,
+          code: "invalid_type",
+          message: rule.message || `${fieldName} must be an object`,
+          expected: "object",
+          received: Array.isArray(value) ? "array" : typeof value
+        };
+      }
+      break;
+  }
+  if (rule.custom) {
+    const result = rule.custom(value);
+    if (result !== true) {
+      return {
+        field: fieldName,
+        code: "custom_validation",
+        message: typeof result === "string" ? result : rule.message || `${fieldName} failed validation`,
+        received: value
+      };
+    }
+  }
+  return null;
+}
+function validateCustomSchema(data, schema) {
+  if (typeof data !== "object" || data === null) {
+    return {
+      success: false,
+      errors: [{
+        field: "_root",
+        code: "invalid_type",
+        message: "Expected an object",
+        received: data
+      }]
+    };
+  }
+  const errors = [];
+  const record = data;
+  for (const [fieldName, rule] of Object.entries(schema)) {
+    const error = validateField(record[fieldName], rule, fieldName);
+    if (error) {
+      errors.push(error);
+    }
+  }
+  if (errors.length > 0) {
+    return { success: false, errors };
+  }
+  return { success: true, data };
+}
+function validateZodSchema(data, schema) {
+  const result = schema.safeParse(data);
+  if (result.success) {
+    return { success: true, data: result.data };
+  }
+  const errors = result.error.issues.map((issue) => ({
+    field: issue.path.join(".") || "_root",
+    code: issue.code,
+    message: issue.message,
+    path: issue.path.map(String)
+  }));
+  return { success: false, errors };
+}
+function walkObject(obj, fn, path = "") {
+  if (typeof obj === "string") {
+    return fn(obj, path);
+  }
+  if (Array.isArray(obj)) {
+    return obj.map((item, i) => walkObject(item, fn, `${path}[${i}]`));
+  }
+  if (typeof obj === "object" && obj !== null) {
+    const result = {};
+    for (const [key, value] of Object.entries(obj)) {
+      const newPath = path ? `${path}.${key}` : key;
+      result[key] = walkObject(value, fn, newPath);
+    }
+    return result;
+  }
+  return obj;
+}
+function parseQueryString(url) {
+  const result = {};
+  try {
+    const urlObj = new URL(url);
+    for (const [key, value] of urlObj.searchParams.entries()) {
+      if (key in result) {
+        const existing = result[key];
+        if (Array.isArray(existing)) {
+          existing.push(value);
+        } else {
+          result[key] = [existing, value];
+        }
+      } else {
+        result[key] = value;
+      }
+    }
+  } catch {
+  }
+  return result;
+}
+
+// src/middleware/validation/validators/schema.ts
+function validate(data, schema) {
+  if (isZodSchema(schema)) {
+    return validateZodSchema(data, schema);
+  }
+  if (isCustomSchema(schema)) {
+    return validateCustomSchema(data, schema);
+  }
+  return {
+    success: false,
+    errors: [{
+      field: "_schema",
+      code: "invalid_schema",
+      message: "Invalid schema provided"
+    }]
+  };
+}
+async function validateBody(request, schema) {
+  let body;
+  try {
+    const contentType = request.headers.get("content-type") || "";
+    if (contentType.includes("application/json")) {
+      body = await request.json();
+    } else if (contentType.includes("application/x-www-form-urlencoded")) {
+      const text = await request.text();
+      body = Object.fromEntries(new URLSearchParams(text));
+    } else if (contentType.includes("multipart/form-data")) {
+      const formData = await request.formData();
+      const obj = {};
+      formData.forEach((value, key) => {
+        if (typeof value === "string") {
+          obj[key] = value;
+        }
+      });
+      body = obj;
+    } else {
+      try {
+        body = await request.json();
+      } catch {
+        body = {};
+      }
+    }
+  } catch (error) {
+    return {
+      success: false,
+      errors: [{
+        field: "_body",
+        code: "parse_error",
+        message: "Failed to parse request body"
+      }]
+    };
+  }
+  return validate(body, schema);
+}
+function validateQuery(request, schema) {
+  const query = parseQueryString(request.url);
+  return validate(query, schema);
+}
+function validateParams(params, schema) {
+  return validate(params, schema);
+}
+async function validateRequest(request, config) {
+  const allErrors = [];
+  const data = {};
+  if (config.body) {
+    const bodyResult = await validateBody(request, config.body);
+    if (!bodyResult.success) {
+      allErrors.push(...(bodyResult.errors || []).map((e) => ({
+        ...e,
+        field: `body.${e.field}`.replace("body._root", "body")
+      })));
+    } else {
+      data.body = bodyResult.data;
+    }
+  } else {
+    data.body = {};
+  }
+  if (config.query) {
+    const queryResult = validateQuery(request, config.query);
+    if (!queryResult.success) {
+      allErrors.push(...(queryResult.errors || []).map((e) => ({
+        ...e,
+        field: `query.${e.field}`.replace("query._root", "query")
+      })));
+    } else {
+      data.query = queryResult.data;
+    }
+  } else {
+    data.query = {};
+  }
+  if (config.params && config.routeParams) {
+    const paramsResult = validateParams(config.routeParams, config.params);
+    if (!paramsResult.success) {
+      allErrors.push(...(paramsResult.errors || []).map((e) => ({
+        ...e,
+        field: `params.${e.field}`.replace("params._root", "params")
+      })));
+    } else {
+      data.params = paramsResult.data;
+    }
+  } else {
+    data.params = {};
+  }
+  if (allErrors.length > 0) {
+    return { success: false, errors: allErrors };
+  }
+  return {
+    success: true,
+    data
+  };
+}
+function defaultValidationErrorResponse(errors) {
+  return new Response(
+    JSON.stringify({
+      error: "validation_error",
+      message: "Request validation failed",
+      details: errors.map((e) => ({
+        field: e.field,
+        code: e.code,
+        message: e.message
+      }))
+    }),
+    {
+      status: 400,
+      headers: { "Content-Type": "application/json" }
+    }
+  );
+}
+function createValidator(schema) {
+  return (data) => validate(data, schema);
+}
+
+// src/middleware/validation/validators/content-type.ts
+var MIME_TYPES = {
+  // Text
+  TEXT_PLAIN: "text/plain",
+  TEXT_HTML: "text/html",
+  TEXT_CSS: "text/css",
+  TEXT_JAVASCRIPT: "text/javascript",
+  // Application
+  JSON: "application/json",
+  FORM_URLENCODED: "application/x-www-form-urlencoded",
+  MULTIPART_FORM: "multipart/form-data",
+  XML: "application/xml",
+  PDF: "application/pdf",
+  ZIP: "application/zip",
+  GZIP: "application/gzip",
+  OCTET_STREAM: "application/octet-stream",
+  // Image
+  IMAGE_PNG: "image/png",
+  IMAGE_JPEG: "image/jpeg",
+  IMAGE_GIF: "image/gif",
+  IMAGE_WEBP: "image/webp",
+  IMAGE_SVG: "image/svg+xml",
+  // Audio
+  AUDIO_MP3: "audio/mpeg",
+  AUDIO_WAV: "audio/wav",
+  AUDIO_OGG: "audio/ogg",
+  // Video
+  VIDEO_MP4: "video/mp4",
+  VIDEO_WEBM: "video/webm"
+};
+function parseContentType(header) {
+  if (!header) {
+    return {
+      type: "",
+      subtype: "",
+      mediaType: "",
+      parameters: {}
+    };
+  }
+  const parts = header.split(";").map((p) => p.trim());
+  const mediaType = parts[0].toLowerCase();
+  const [type = "", subtype = ""] = mediaType.split("/");
+  const parameters = {};
+  for (let i = 1; i < parts.length; i++) {
+    const [key, value] = parts[i].split("=").map((p) => p.trim());
+    if (key && value) {
+      parameters[key.toLowerCase()] = value.replace(/^["']|["']$/g, "");
+    }
+  }
+  return {
+    type,
+    subtype,
+    mediaType,
+    charset: parameters["charset"],
+    boundary: parameters["boundary"],
+    parameters
+  };
+}
+function isAllowedContentType(contentType, allowedTypes, strict = false) {
+  if (!contentType) {
+    return !strict;
+  }
+  const { mediaType } = parseContentType(contentType);
+  return allowedTypes.some((allowed) => {
+    const normalizedAllowed = allowed.toLowerCase().trim();
+    if (mediaType === normalizedAllowed) {
+      return true;
+    }
+    if (normalizedAllowed.endsWith("/*")) {
+      const prefix = normalizedAllowed.slice(0, -2);
+      return mediaType.startsWith(prefix + "/");
+    }
+    if (!normalizedAllowed.includes("/")) {
+      const { type } = parseContentType(contentType);
+      return type === normalizedAllowed;
+    }
+    return false;
+  });
+}
+function validateContentType(request, config) {
+  const contentType = request.headers.get("content-type");
+  const { allowed, strict = false, charset } = config;
+  if (strict && !contentType) {
+    return {
+      valid: false,
+      contentType: null,
+      reason: "Content-Type header is required"
+    };
+  }
+  if (contentType && !isAllowedContentType(contentType, allowed, strict)) {
+    return {
+      valid: false,
+      contentType,
+      reason: `Content-Type '${contentType}' is not allowed`
+    };
+  }
+  if (charset && contentType) {
+    const parsed = parseContentType(contentType);
+    if (parsed.charset && parsed.charset.toLowerCase() !== charset.toLowerCase()) {
+      return {
+        valid: false,
+        contentType,
+        reason: `Charset '${parsed.charset}' is not allowed, expected '${charset}'`
+      };
+    }
+  }
+  return { valid: true, contentType };
+}
+function defaultContentTypeErrorResponse(contentType, reason) {
+  return new Response(
+    JSON.stringify({
+      error: "invalid_content_type",
+      message: reason,
+      received: contentType
+    }),
+    {
+      status: 415,
+      // Unsupported Media Type
+      headers: { "Content-Type": "application/json" }
+    }
+  );
+}
+function isJsonRequest(request) {
+  return isAllowedContentType(
+    request.headers.get("content-type"),
+    [MIME_TYPES.JSON]
+  );
+}
+function isFormRequest(request) {
+  return isAllowedContentType(
+    request.headers.get("content-type"),
+    [MIME_TYPES.FORM_URLENCODED, MIME_TYPES.MULTIPART_FORM]
+  );
+}
+
+// src/middleware/validation/sanitizers/path.ts
+var DANGEROUS_PATTERNS = [
+  // Unix path traversal
+  /\.\.\//g,
+  /\.\./g,
+  // Windows path traversal
+  /\.\.\\/g,
+  // Null byte (can truncate paths in some systems)
+  /%00/g,
+  /\0/g,
+  // URL encoded traversal
+  /%2e%2e%2f/gi,
+  // ../
+  /%2e%2e\//gi,
+  // ../
+  /%2e%2e%5c/gi,
+  // ..\
+  /%2e%2e\\/gi,
+  // ..\
+  // Double URL encoding
+  /%252e%252e%252f/gi,
+  /%252e%252e%255c/gi,
+  // Unicode encoding
+  /\.%u002e\//gi,
+  /%u002e%u002e%u002f/gi,
+  // Overlong UTF-8 encoding
+  /%c0%ae%c0%ae%c0%af/gi,
+  /%c1%9c/gi
+  // Backslash variant
+];
+var DEFAULT_BLOCKED_EXTENSIONS = [
+  ".exe",
+  ".dll",
+  ".so",
+  ".dylib",
+  // Executables
+  ".sh",
+  ".bash",
+  ".bat",
+  ".cmd",
+  ".ps1",
+  // Scripts
+  ".php",
+  ".asp",
+  ".aspx",
+  ".jsp",
+  ".cgi",
+  // Server scripts
+  ".htaccess",
+  ".htpasswd",
+  // Apache config
+  ".env",
+  ".git",
+  ".svn"
+  // Config/VCS
+];
+function normalizePathSeparators(path) {
+  return path.replace(/\\/g, "/");
+}
+function decodePathComponent(path) {
+  let result = path;
+  let previous = "";
+  while (result !== previous) {
+    previous = result;
+    try {
+      result = decodeURIComponent(result);
+    } catch {
+      break;
+    }
+  }
+  return result;
+}
+function hasPathTraversal(path) {
+  if (!path || typeof path !== "string") return false;
+  const normalized = normalizePathSeparators(decodePathComponent(path));
+  for (const pattern of DANGEROUS_PATTERNS) {
+    pattern.lastIndex = 0;
+    if (pattern.test(normalized)) {
+      return true;
+    }
+  }
+  if (normalized.includes("..")) {
+    return true;
+  }
+  return false;
+}
+function validatePath(path, config = {}) {
+  if (!path || typeof path !== "string") {
+    return { valid: false, reason: "Path is empty or not a string" };
+  }
+  const {
+    allowAbsolute = false,
+    allowedPrefixes = [],
+    allowedExtensions,
+    blockedExtensions = DEFAULT_BLOCKED_EXTENSIONS,
+    maxDepth = 10,
+    maxLength = 255,
+    normalize = true
+  } = config;
+  if (path.length > maxLength) {
+    return { valid: false, reason: `Path exceeds maximum length of ${maxLength}` };
+  }
+  let normalized = decodePathComponent(path);
+  if (normalize) {
+    normalized = normalizePathSeparators(normalized);
+  }
+  if (normalized.includes("\0") || path.includes("%00")) {
+    return { valid: false, reason: "Path contains null bytes" };
+  }
+  if (hasPathTraversal(path)) {
+    return { valid: false, reason: "Path contains traversal sequences" };
+  }
+  const isAbsolute = normalized.startsWith("/") || /^[a-zA-Z]:/.test(normalized) || // Windows drive letter
+  normalized.startsWith("\\\\");
+  if (isAbsolute && !allowAbsolute) {
+    return { valid: false, reason: "Absolute paths are not allowed" };
+  }
+  if (allowedPrefixes.length > 0) {
+    const hasValidPrefix = allowedPrefixes.some((prefix) => {
+      const normalizedPrefix = normalizePathSeparators(prefix);
+      return normalized.startsWith(normalizedPrefix);
+    });
+    if (!hasValidPrefix) {
+      return { valid: false, reason: "Path does not start with an allowed prefix" };
+    }
+  }
+  const segments = normalized.split("/").filter((s) => s && s !== ".");
+  if (segments.length > maxDepth) {
+    return { valid: false, reason: `Path depth exceeds maximum of ${maxDepth}` };
+  }
+  const lastSegment = segments[segments.length - 1] || "";
+  const dotIndex = lastSegment.lastIndexOf(".");
+  const extension = dotIndex > 0 ? lastSegment.slice(dotIndex).toLowerCase() : "";
+  if (extension && blockedExtensions.length > 0) {
+    if (blockedExtensions.map((e) => e.toLowerCase()).includes(extension)) {
+      return { valid: false, reason: `Extension ${extension} is not allowed` };
+    }
+  }
+  if (extension && allowedExtensions && allowedExtensions.length > 0) {
+    if (!allowedExtensions.map((e) => e.toLowerCase()).includes(extension)) {
+      return { valid: false, reason: `Extension ${extension} is not in allowed list` };
+    }
+  }
+  const sanitized = normalized.replace(/\/+/g, "/");
+  return { valid: true, sanitized };
+}
+function sanitizePath(path, config = {}) {
+  if (!path || typeof path !== "string") return "";
+  const { normalize = true, maxLength = 255 } = config;
+  let result = decodePathComponent(path);
+  if (normalize) {
+    result = normalizePathSeparators(result);
+  }
+  result = result.replace(/\0/g, "").replace(/%00/g, "");
+  result = result.replace(/\.\.\//g, "").replace(/\.\.\\/g, "");
+  if (!config.allowAbsolute) {
+    result = result.replace(/^\/+/, "");
+    result = result.replace(/^[a-zA-Z]:/, "");
+    result = result.replace(/^\\\\/, "");
+  }
+  result = result.replace(/\/+/g, "/");
+  result = result.replace(/\/+$/, "");
+  if (result.length > maxLength) {
+    result = result.slice(0, maxLength);
+  }
+  return result;
+}
+function getExtension(path) {
+  if (!path || typeof path !== "string") return "";
+  const normalized = normalizePathSeparators(path);
+  const segments = normalized.split("/");
+  const filename = segments[segments.length - 1] || "";
+  const dotIndex = filename.lastIndexOf(".");
+  if (dotIndex <= 0) return "";
+  return filename.slice(dotIndex).toLowerCase();
+}
+function sanitizeFilename(filename) {
+  if (typeof filename !== "string") return "file";
+  if (!filename) return "file";
+  let result = filename;
+  result = result.replace(/[/\\]/g, "");
+  result = result.replace(/\0/g, "");
+  result = result.replace(/[\x00-\x1f\x7f]/g, "");
+  result = result.replace(/[<>:"|?*]/g, "");
+  result = result.replace(/^[.\s]+|[.\s]+$/g, "");
+  if (result.length > 255) {
+    const ext = getExtension(result);
+    const name = result.slice(0, 255 - ext.length);
+    result = name + ext;
+  }
+  return result || "file";
+}
+
+// src/middleware/validation/validators/file.ts
+var MAGIC_NUMBERS = [
+  // Images
+  { type: "image/jpeg", extension: ".jpg", signature: [255, 216, 255] },
+  { type: "image/png", extension: ".png", signature: [137, 80, 78, 71, 13, 10, 26, 10] },
+  { type: "image/gif", extension: ".gif", signature: [71, 73, 70, 56] },
+  // GIF87a or GIF89a
+  { type: "image/webp", extension: ".webp", signature: [82, 73, 70, 70], offset: 0 },
+  // RIFF
+  { type: "image/bmp", extension: ".bmp", signature: [66, 77] },
+  { type: "image/tiff", extension: ".tiff", signature: [73, 73, 42, 0] },
+  // Little endian
+  { type: "image/tiff", extension: ".tiff", signature: [77, 77, 0, 42] },
+  // Big endian
+  { type: "image/x-icon", extension: ".ico", signature: [0, 0, 1, 0] },
+  { type: "image/svg+xml", extension: ".svg", signature: [60, 63, 120, 109, 108] },
+  // <?xml
+  // Documents
+  { type: "application/pdf", extension: ".pdf", signature: [37, 80, 68, 70] },
+  // %PDF
+  { type: "application/zip", extension: ".zip", signature: [80, 75, 3, 4] },
+  // PK
+  { type: "application/gzip", extension: ".gz", signature: [31, 139] },
+  { type: "application/x-rar-compressed", extension: ".rar", signature: [82, 97, 114, 33] },
+  { type: "application/x-7z-compressed", extension: ".7z", signature: [55, 122, 188, 175, 39, 28] },
+  // Microsoft Office (new format - zip based)
+  { type: "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet", extension: ".xlsx", signature: [80, 75, 3, 4] },
+  { type: "application/vnd.openxmlformats-officedocument.wordprocessingml.document", extension: ".docx", signature: [80, 75, 3, 4] },
+  { type: "application/vnd.openxmlformats-officedocument.presentationml.presentation", extension: ".pptx", signature: [80, 75, 3, 4] },
+  // Microsoft Office (old format)
+  { type: "application/msword", extension: ".doc", signature: [208, 207, 17, 224, 161, 177, 26, 225] },
+  { type: "application/vnd.ms-excel", extension: ".xls", signature: [208, 207, 17, 224, 161, 177, 26, 225] },
+  // Audio
+  { type: "audio/mpeg", extension: ".mp3", signature: [255, 251] },
+  // MP3 frame sync
+  { type: "audio/mpeg", extension: ".mp3", signature: [73, 68, 51] },
+  // ID3
+  { type: "audio/wav", extension: ".wav", signature: [82, 73, 70, 70] },
+  // RIFF
+  { type: "audio/ogg", extension: ".ogg", signature: [79, 103, 103, 83] },
+  { type: "audio/flac", extension: ".flac", signature: [102, 76, 97, 67] },
+  // Video
+  { type: "video/mp4", extension: ".mp4", signature: [0, 0, 0], offset: 0 },
+  // Partial match
+  { type: "video/webm", extension: ".webm", signature: [26, 69, 223, 163] },
+  { type: "video/avi", extension: ".avi", signature: [82, 73, 70, 70] },
+  // RIFF
+  { type: "video/quicktime", extension: ".mov", signature: [0, 0, 0, 20, 102, 116, 121, 112] },
+  // Web
+  { type: "application/wasm", extension: ".wasm", signature: [0, 97, 115, 109] },
+  // \0asm
+  // Fonts
+  { type: "font/woff", extension: ".woff", signature: [119, 79, 70, 70] },
+  { type: "font/woff2", extension: ".woff2", signature: [119, 79, 70, 50] }
+];
+var DEFAULT_MAX_FILE_SIZE = 10 * 1024 * 1024;
+var DEFAULT_MAX_FILES = 10;
+var DANGEROUS_EXTENSIONS = [
+  ".exe",
+  ".dll",
+  ".so",
+  ".dylib",
+  ".bin",
+  ".sh",
+  ".bash",
+  ".bat",
+  ".cmd",
+  ".ps1",
+  ".vbs",
+  ".php",
+  ".asp",
+  ".aspx",
+  ".jsp",
+  ".cgi",
+  ".pl",
+  ".py",
+  ".rb",
+  ".jar",
+  ".class",
+  ".msi",
+  ".dmg",
+  ".pkg",
+  ".deb",
+  ".rpm",
+  ".scr",
+  ".pif",
+  ".com",
+  ".hta"
+];
+function checkMagicNumber(bytes, magicNumber) {
+  const offset = magicNumber.offset || 0;
+  const signature = magicNumber.signature;
+  if (bytes.length < offset + signature.length) {
+    return false;
+  }
+  for (let i = 0; i < signature.length; i++) {
+    if (bytes[offset + i] !== signature[i]) {
+      return false;
+    }
+  }
+  return true;
+}
+function detectFileType(bytes) {
+  for (const magic of MAGIC_NUMBERS) {
+    if (checkMagicNumber(bytes, magic)) {
+      return { type: magic.type, extension: magic.extension };
+    }
+  }
+  return null;
+}
+async function validateFile(file, config = {}) {
+  const {
+    maxSize = DEFAULT_MAX_FILE_SIZE,
+    minSize = 0,
+    allowedTypes = [],
+    blockedTypes = [],
+    allowedExtensions = [],
+    blockedExtensions = DANGEROUS_EXTENSIONS,
+    validateMagicNumbers = true,
+    sanitizeFilename: doSanitize = true
+  } = config;
+  const errors = [];
+  const extension = getExtension(file.name);
+  const info = {
+    filename: doSanitize ? sanitizeFilename(file.name) : file.name,
+    size: file.size,
+    type: file.type,
+    extension
+  };
+  if (file.size > maxSize) {
+    errors.push({
+      filename: file.name,
+      code: "size_exceeded",
+      message: `File size (${formatBytes(file.size)}) exceeds maximum allowed (${formatBytes(maxSize)})`,
+      details: { size: file.size, maxSize }
+    });
+  }
+  if (file.size < minSize) {
+    errors.push({
+      filename: file.name,
+      code: "size_too_small",
+      message: `File size (${formatBytes(file.size)}) is below minimum required (${formatBytes(minSize)})`,
+      details: { size: file.size, minSize }
+    });
+  }
+  if (blockedExtensions.length > 0 && extension) {
+    if (blockedExtensions.map((e) => e.toLowerCase()).includes(extension.toLowerCase())) {
+      errors.push({
+        filename: file.name,
+        code: "extension_not_allowed",
+        message: `File extension '${extension}' is not allowed`,
+        details: { extension, blockedExtensions }
+      });
+    }
+  }
+  if (allowedExtensions.length > 0 && extension) {
+    if (!allowedExtensions.map((e) => e.toLowerCase()).includes(extension.toLowerCase())) {
+      errors.push({
+        filename: file.name,
+        code: "extension_not_allowed",
+        message: `File extension '${extension}' is not in allowed list`,
+        details: { extension, allowedExtensions }
+      });
+    }
+  }
+  if (blockedTypes.length > 0 && file.type) {
+    if (blockedTypes.includes(file.type)) {
+      errors.push({
+        filename: file.name,
+        code: "type_not_allowed",
+        message: `File type '${file.type}' is not allowed`,
+        details: { type: file.type, blockedTypes }
+      });
+    }
+  }
+  if (allowedTypes.length > 0) {
+    if (!allowedTypes.includes(file.type)) {
+      errors.push({
+        filename: file.name,
+        code: "type_not_allowed",
+        message: `File type '${file.type}' is not in allowed list`,
+        details: { type: file.type, allowedTypes }
+      });
+    }
+  }
+  if (validateMagicNumbers && errors.length === 0) {
+    try {
+      const buffer = await file.arrayBuffer();
+      const bytes = new Uint8Array(buffer.slice(0, 32));
+      const detected = detectFileType(bytes);
+      if (detected) {
+        if (file.type && detected.type !== file.type) {
+          const isSimilar = detected.type.startsWith("image/") && file.type.startsWith("image/") || detected.type.startsWith("audio/") && file.type.startsWith("audio/") || detected.type.startsWith("video/") && file.type.startsWith("video/");
+          if (!isSimilar) {
+            errors.push({
+              filename: file.name,
+              code: "invalid_content",
+              message: `File content doesn't match declared type (claimed: ${file.type}, detected: ${detected.type})`,
+              details: { claimed: file.type, detected: detected.type }
+            });
+          }
+        }
+      }
+    } catch {
+    }
+  }
+  return {
+    valid: errors.length === 0,
+    info,
+    errors
+  };
+}
+async function validateFiles(files, config = {}) {
+  const { maxFiles = DEFAULT_MAX_FILES } = config;
+  const allErrors = [];
+  const infos = [];
+  if (files.length > maxFiles) {
+    allErrors.push({
+      filename: "",
+      code: "too_many_files",
+      message: `Too many files (${files.length}), maximum allowed is ${maxFiles}`,
+      details: { count: files.length, maxFiles }
+    });
+  }
+  for (const file of files) {
+    const result = await validateFile(file, config);
+    infos.push(result.info);
+    allErrors.push(...result.errors);
+  }
+  return {
+    valid: allErrors.length === 0,
+    infos,
+    errors: allErrors
+  };
+}
+function extractFilesFromFormData(formData) {
+  const files = /* @__PURE__ */ new Map();
+  formData.forEach((value, key) => {
+    if (value instanceof File) {
+      const existing = files.get(key) || [];
+      existing.push(value);
+      files.set(key, existing);
+    }
+  });
+  return files;
+}
+async function validateFilesFromRequest(request, config = {}) {
+  const contentType = request.headers.get("content-type") || "";
+  if (!contentType.includes("multipart/form-data")) {
+    return { valid: true, files: /* @__PURE__ */ new Map(), errors: [] };
+  }
+  try {
+    const formData = await request.formData();
+    const fileMap = extractFilesFromFormData(formData);
+    const allInfos = /* @__PURE__ */ new Map();
+    const allErrors = [];
+    let totalFileCount = 0;
+    for (const [field, files] of fileMap.entries()) {
+      totalFileCount += files.length;
+      const result = await validateFiles(files, { ...config, maxFiles: Infinity });
+      allInfos.set(field, result.infos);
+      allErrors.push(...result.errors.map((e) => ({ ...e, field })));
+    }
+    const maxFiles = config.maxFiles ?? DEFAULT_MAX_FILES;
+    if (totalFileCount > maxFiles) {
+      allErrors.push({
+        filename: "",
+        code: "too_many_files",
+        message: `Total file count (${totalFileCount}) exceeds maximum (${maxFiles})`,
+        details: { count: totalFileCount, maxFiles }
+      });
+    }
+    return {
+      valid: allErrors.length === 0,
+      files: allInfos,
+      errors: allErrors
+    };
+  } catch {
+    return {
+      valid: false,
+      files: /* @__PURE__ */ new Map(),
+      errors: [{
+        filename: "",
+        code: "invalid_content",
+        message: "Failed to parse multipart form data"
+      }]
+    };
+  }
+}
+function defaultFileErrorResponse(errors) {
+  return new Response(
+    JSON.stringify({
+      error: "file_validation_error",
+      message: "File validation failed",
+      details: errors.map((e) => ({
+        filename: e.filename,
+        field: e.field,
+        code: e.code,
+        message: e.message
+      }))
+    }),
+    {
+      status: 400,
+      headers: { "Content-Type": "application/json" }
+    }
+  );
+}
+function formatBytes(bytes) {
+  if (bytes === 0) return "0 B";
+  const units = ["B", "KB", "MB", "GB"];
+  const k = 1024;
+  const i = Math.floor(Math.log(bytes) / Math.log(k));
+  return `${parseFloat((bytes / Math.pow(k, i)).toFixed(2))} ${units[i]}`;
+}
+
+// src/middleware/validation/sanitizers/xss.ts
+var DEFAULT_ALLOWED_TAGS = [
+  "a",
+  "abbr",
+  "b",
+  "blockquote",
+  "br",
+  "code",
+  "del",
+  "em",
+  "h1",
+  "h2",
+  "h3",
+  "h4",
+  "h5",
+  "h6",
+  "hr",
+  "i",
+  "ins",
+  "li",
+  "mark",
+  "ol",
+  "p",
+  "pre",
+  "q",
+  "s",
+  "small",
+  "span",
+  "strong",
+  "sub",
+  "sup",
+  "u",
+  "ul"
+];
+var DEFAULT_ALLOWED_ATTRIBUTES = {
+  a: ["href", "title", "target", "rel"],
+  img: ["src", "alt", "title", "width", "height"],
+  abbr: ["title"],
+  q: ["cite"],
+  blockquote: ["cite"]
+};
+var DEFAULT_SAFE_PROTOCOLS = ["http:", "https:", "mailto:", "tel:"];
+var DANGEROUS_PATTERNS2 = [
+  // Event handlers
+  /\bon\w+\s*=/gi,
+  // JavaScript protocol
+  /javascript\s*:/gi,
+  // VBScript protocol
+  /vbscript\s*:/gi,
+  // Data URI with scripts
+  /data\s*:[^,]*(?:text\/html|application\/javascript|text\/javascript)/gi,
+  // Expression in CSS
+  /expression\s*\(/gi,
+  // Binding in CSS (Firefox)
+  /-moz-binding\s*:/gi,
+  // Behavior in CSS (IE)
+  /behavior\s*:/gi,
+  // Import in CSS
+  /@import/gi,
+  // Script tags
+  /<\s*script/gi,
+  // Style tags with expressions
+  /<\s*style[^>]*>[^<]*expression/gi,
+  // SVG with scripts
+  /<\s*svg[^>]*onload/gi,
+  // Object/embed/applet tags
+  /<\s*(object|embed|applet)/gi,
+  // Base tag (can redirect resources)
+  /<\s*base/gi,
+  // Meta refresh
+  /<\s*meta[^>]*http-equiv\s*=\s*["']?refresh/gi,
+  // Form action hijacking
+  /<\s*form[^>]*action\s*=\s*["']?javascript/gi,
+  // Link tag with import
+  /<\s*link[^>]*rel\s*=\s*["']?import/gi
+];
+var HTML_ENTITIES = {
+  "&": "&amp;",
+  "<": "&lt;",
+  ">": "&gt;",
+  '"': "&quot;",
+  "'": "&#x27;",
+  "/": "&#x2F;",
+  "`": "&#x60;",
+  "=": "&#x3D;"
+};
+function escapeHtml(str) {
+  return str.replace(/[&<>"'`=/]/g, (char) => HTML_ENTITIES[char] || char);
+}
+function unescapeHtml(str) {
+  const entityMap = {
+    "&amp;": "&",
+    "&lt;": "<",
+    "&gt;": ">",
+    "&quot;": '"',
+    "&#x27;": "'",
+    "&#x2F;": "/",
+    "&#x60;": "`",
+    "&#x3D;": "=",
+    "&#39;": "'",
+    "&#47;": "/"
+  };
+  return str.replace(/&(?:amp|lt|gt|quot|#x27|#x2F|#x60|#x3D|#39|#47);/gi, (entity) => {
+    return entityMap[entity.toLowerCase()] || entity;
+  });
+}
+function stripHtml(str) {
+  let result = str.replace(/<script[^>]*>[\s\S]*?<\/script>/gi, "");
+  result = result.replace(/<style[^>]*>[\s\S]*?<\/style>/gi, "");
+  result = result.replace(/<[^>]*>/g, "");
+  result = unescapeHtml(result);
+  result = result.replace(/\0/g, "");
+  return result.trim();
+}
+function isSafeUrl(url, allowedProtocols = DEFAULT_SAFE_PROTOCOLS) {
+  if (!url) return true;
+  const trimmed = url.trim().toLowerCase();
+  if (trimmed.startsWith("javascript:")) return false;
+  if (trimmed.startsWith("vbscript:")) return false;
+  if (trimmed.startsWith("data:image/")) return true;
+  if (trimmed.startsWith("data:")) return false;
+  try {
+    const parsed = new URL(url, "https://example.com");
+    if (parsed.protocol && !allowedProtocols.includes(parsed.protocol)) {
+      if (!url.includes(":")) return true;
+      return false;
+    }
+  } catch {
+    return true;
+  }
+  return true;
+}
+function sanitizeHtml(str, allowedTags = DEFAULT_ALLOWED_TAGS, allowedAttributes = DEFAULT_ALLOWED_ATTRIBUTES, allowedProtocols = DEFAULT_SAFE_PROTOCOLS) {
+  let result = str.replace(/\0/g, "");
+  result = result.replace(/<script[^>]*>[\s\S]*?<\/script>/gi, "");
+  result = result.replace(/<style[^>]*>[\s\S]*?<\/style>/gi, "");
+  result = result.replace(/<!--[\s\S]*?-->/g, "");
+  result = result.replace(/<\/?([a-z][a-z0-9]*)\b([^>]*)>/gi, (match, tagName, attributes) => {
+    const lowerTag = tagName.toLowerCase();
+    const isClosing = match.startsWith("</");
+    if (!allowedTags.includes(lowerTag)) {
+      return "";
+    }
+    if (isClosing) {
+      return `</${lowerTag}>`;
+    }
+    const allowedAttrs = allowedAttributes[lowerTag] || [];
+    const safeAttrs = [];
+    const attrRegex = /([a-z][a-z0-9-]*)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]*))/gi;
+    let attrMatch;
+    while ((attrMatch = attrRegex.exec(attributes)) !== null) {
+      const attrName = attrMatch[1].toLowerCase();
+      const attrValue = attrMatch[2] || attrMatch[3] || attrMatch[4] || "";
+      if (!allowedAttrs.includes(attrName)) continue;
+      if (DANGEROUS_PATTERNS2.some((pattern) => pattern.test(attrValue))) continue;
+      if (["href", "src", "action", "formaction"].includes(attrName)) {
+        if (!isSafeUrl(attrValue, allowedProtocols)) continue;
+      }
+      const safeValue = escapeHtml(attrValue);
+      safeAttrs.push(`${attrName}="${safeValue}"`);
+    }
+    const attrStr = safeAttrs.length > 0 ? " " + safeAttrs.join(" ") : "";
+    return `<${lowerTag}${attrStr}>`;
+  });
+  for (const pattern of DANGEROUS_PATTERNS2) {
+    result = result.replace(pattern, "");
+  }
+  return result;
+}
+function detectXSS(str) {
+  if (!str || typeof str !== "string") return false;
+  const normalized = str.replace(/\\x([0-9a-f]{2})/gi, (_, hex) => String.fromCharCode(parseInt(hex, 16))).replace(/\\u([0-9a-f]{4})/gi, (_, hex) => String.fromCharCode(parseInt(hex, 16))).replace(/&#x([0-9a-f]+);?/gi, (_, hex) => String.fromCharCode(parseInt(hex, 16))).replace(/&#(\d+);?/gi, (_, dec) => String.fromCharCode(parseInt(dec, 10)));
+  for (const pattern of DANGEROUS_PATTERNS2) {
+    pattern.lastIndex = 0;
+    if (pattern.test(normalized)) {
+      return true;
+    }
+  }
+  return false;
+}
+function sanitize(input, config = {}) {
+  if (!input || typeof input !== "string") return "";
+  const {
+    mode = "escape",
+    allowedTags = DEFAULT_ALLOWED_TAGS,
+    allowedAttributes = DEFAULT_ALLOWED_ATTRIBUTES,
+    allowedProtocols = DEFAULT_SAFE_PROTOCOLS,
+    maxLength,
+    stripNull = true
+  } = config;
+  let result = input;
+  if (stripNull) {
+    result = result.replace(/\0/g, "");
+  }
+  switch (mode) {
+    case "escape":
+      result = escapeHtml(result);
+      break;
+    case "strip":
+      result = stripHtml(result);
+      break;
+    case "allow-safe":
+      result = sanitizeHtml(result, allowedTags, allowedAttributes, allowedProtocols);
+      break;
+  }
+  if (maxLength !== void 0 && result.length > maxLength) {
+    result = result.slice(0, maxLength);
+  }
+  return result;
+}
+function sanitizeObject(obj, config = {}) {
+  if (typeof obj === "string") {
+    return sanitize(obj, config);
+  }
+  if (Array.isArray(obj)) {
+    return obj.map((item) => sanitizeObject(item, config));
+  }
+  if (typeof obj === "object" && obj !== null) {
+    const result = {};
+    for (const [key, value] of Object.entries(obj)) {
+      result[key] = sanitizeObject(value, config);
+    }
+    return result;
+  }
+  return obj;
+}
+function sanitizeFields(obj, fields, config = {}) {
+  const result = { ...obj };
+  for (const field of fields) {
+    if (field in result && typeof result[field] === "string") {
+      result[field] = sanitize(result[field], config);
+    }
+  }
+  return result;
+}
+
+// src/middleware/validation/sanitizers/sql.ts
+var SQL_PATTERNS = [
+  // High severity - Definite attacks
+  {
+    pattern: /'\s*OR\s+'?\d+'?\s*=\s*'?\d+'?/gi,
+    name: "OR '1'='1' attack",
+    severity: "high"
+  },
+  {
+    pattern: /'\s*OR\s+'[^']*'\s*=\s*'[^']*'/gi,
+    name: "OR 'x'='x' attack",
+    severity: "high"
+  },
+  {
+    pattern: /;\s*DROP\s+(TABLE|DATABASE|INDEX|VIEW)/gi,
+    name: "DROP statement",
+    severity: "high"
+  },
+  {
+    pattern: /;\s*DELETE\s+FROM/gi,
+    name: "DELETE statement",
+    severity: "high"
+  },
+  {
+    pattern: /;\s*TRUNCATE\s+/gi,
+    name: "TRUNCATE statement",
+    severity: "high"
+  },
+  {
+    pattern: /;\s*INSERT\s+INTO/gi,
+    name: "INSERT statement",
+    severity: "high"
+  },
+  {
+    pattern: /;\s*UPDATE\s+\w+\s+SET/gi,
+    name: "UPDATE statement",
+    severity: "high"
+  },
+  {
+    pattern: /UNION\s+(ALL\s+)?SELECT/gi,
+    name: "UNION SELECT attack",
+    severity: "high"
+  },
+  {
+    pattern: /EXEC(\s+|\()+(sp_|xp_)/gi,
+    name: "SQL Server stored procedure",
+    severity: "high"
+  },
+  {
+    pattern: /EXECUTE\s+IMMEDIATE/gi,
+    name: "Oracle EXECUTE IMMEDIATE",
+    severity: "high"
+  },
+  {
+    pattern: /INTO\s+(OUT|DUMP)FILE/gi,
+    name: "MySQL file write",
+    severity: "high"
+  },
+  {
+    pattern: /LOAD_FILE\s*\(/gi,
+    name: "MySQL file read",
+    severity: "high"
+  },
+  {
+    pattern: /BENCHMARK\s*\(\s*\d+\s*,/gi,
+    name: "MySQL BENCHMARK DoS",
+    severity: "high"
+  },
+  {
+    pattern: /SLEEP\s*\(\s*\d+\s*\)/gi,
+    name: "SQL SLEEP time-based attack",
+    severity: "high"
+  },
+  {
+    pattern: /WAITFOR\s+DELAY/gi,
+    name: "SQL Server WAITFOR DELAY",
+    severity: "high"
+  },
+  {
+    pattern: /PG_SLEEP\s*\(/gi,
+    name: "PostgreSQL pg_sleep",
+    severity: "high"
+  },
+  // Medium severity - Likely attacks
+  {
+    pattern: /'\s*--/g,
+    name: "SQL comment injection",
+    severity: "medium"
+  },
+  {
+    pattern: /'\s*#/g,
+    name: "MySQL comment injection",
+    severity: "medium"
+  },
+  {
+    pattern: /\/\*[\s\S]*?\*\//g,
+    name: "Block comment",
+    severity: "medium"
+  },
+  {
+    pattern: /'\s*;\s*$/g,
+    name: "Statement terminator",
+    severity: "medium"
+  },
+  {
+    pattern: /HAVING\s+\d+\s*=\s*\d+/gi,
+    name: "HAVING clause injection",
+    severity: "medium"
+  },
+  {
+    pattern: /GROUP\s+BY\s+\d+/gi,
+    name: "GROUP BY injection",
+    severity: "medium"
+  },
+  {
+    pattern: /ORDER\s+BY\s+\d+/gi,
+    name: "ORDER BY injection",
+    severity: "medium"
+  },
+  {
+    pattern: /CONCAT\s*\(/gi,
+    name: "CONCAT function",
+    severity: "medium"
+  },
+  {
+    pattern: /CHAR\s*\(\s*\d+\s*\)/gi,
+    name: "CHAR function bypass",
+    severity: "medium"
+  },
+  {
+    pattern: /0x[0-9a-f]{2,}/gi,
+    name: "Hex encoded value",
+    severity: "medium"
+  },
+  {
+    pattern: /CONVERT\s*\(/gi,
+    name: "CONVERT function",
+    severity: "medium"
+  },
+  {
+    pattern: /CAST\s*\(/gi,
+    name: "CAST function",
+    severity: "medium"
+  },
+  // Low severity - Suspicious but may be false positives
+  {
+    pattern: /'\s*AND\s+'?\d+'?\s*=\s*'?\d+'?/gi,
+    name: "AND '1'='1' pattern",
+    severity: "low"
+  },
+  {
+    pattern: /'\s*AND\s+'[^']*'\s*=\s*'[^']*'/gi,
+    name: "AND 'x'='x' pattern",
+    severity: "low"
+  },
+  {
+    pattern: /SELECT\s+[\w\s,*]+\s+FROM/gi,
+    name: "SELECT statement",
+    severity: "low"
+  },
+  {
+    pattern: /'\s*\+\s*'/g,
+    name: "String concatenation",
+    severity: "low"
+  },
+  {
+    pattern: /'\s*\|\|\s*'/g,
+    name: "Oracle string concatenation",
+    severity: "low"
+  }
+];
+var ENCODED_PATTERNS = [
+  {
+    pattern: /%27\s*%4f%52\s*%27/gi,
+    // URL encoded ' OR '
+    name: "URL encoded OR injection",
+    severity: "high"
+  },
+  {
+    pattern: /%27\s*%2d%2d/gi,
+    // URL encoded ' --
+    name: "URL encoded comment injection",
+    severity: "medium"
+  },
+  {
+    pattern: /\0|%00/g,
+    // Null byte (decoded or encoded)
+    name: "Null byte injection",
+    severity: "high"
+  },
+  {
+    pattern: /\\x27/gi,
+    // Hex escape
+    name: "Hex escaped quote",
+    severity: "medium"
+  },
+  {
+    pattern: /\\u0027/gi,
+    // Unicode escape
+    name: "Unicode escaped quote",
+    severity: "medium"
+  }
+];
+function normalizeInput(input) {
+  let result = input;
+  try {
+    result = decodeURIComponent(result);
+  } catch {
+  }
+  result = result.replace(/&#x([0-9a-f]+);?/gi, (_, hex) => String.fromCharCode(parseInt(hex, 16))).replace(/&#(\d+);?/gi, (_, dec) => String.fromCharCode(parseInt(dec, 10))).replace(/&quot;/gi, '"').replace(/&apos;/gi, "'").replace(/&lt;/gi, "<").replace(/&gt;/gi, ">").replace(/&amp;/gi, "&");
+  result = result.replace(
+    /\\x([0-9a-f]{2})/gi,
+    (_, hex) => String.fromCharCode(parseInt(hex, 16))
+  );
+  result = result.replace(
+    /\\u([0-9a-f]{4})/gi,
+    (_, hex) => String.fromCharCode(parseInt(hex, 16))
+  );
+  return result;
+}
+function detectSQLInjection(input, options = {}) {
+  if (!input || typeof input !== "string") return [];
+  const {
+    customPatterns = [],
+    checkEncoded = true,
+    minSeverity = "low"
+  } = options;
+  const severityOrder = { low: 0, medium: 1, high: 2 };
+  const minSeverityLevel = severityOrder[minSeverity];
+  const detections = [];
+  const seenPatterns = /* @__PURE__ */ new Set();
+  const normalizedInput = checkEncoded ? normalizeInput(input) : input;
+  const allPatterns = [
+    ...SQL_PATTERNS,
+    ...checkEncoded ? ENCODED_PATTERNS : [],
+    ...customPatterns.map((p) => ({ pattern: p, name: "Custom pattern", severity: "high" }))
+  ];
+  for (const { pattern, name, severity } of allPatterns) {
+    if (severityOrder[severity] < minSeverityLevel) continue;
+    pattern.lastIndex = 0;
+    const testInput = checkEncoded ? normalizedInput : input;
+    if (pattern.test(testInput)) {
+      const key = `${name}:${severity}`;
+      if (!seenPatterns.has(key)) {
+        seenPatterns.add(key);
+        detections.push({
+          field: "",
+          // Will be set by caller
+          value: input,
+          pattern: name,
+          severity
+        });
+      }
+    }
+  }
+  return detections;
+}
+function hasSQLInjection(input, minSeverity = "medium") {
+  return detectSQLInjection(input, { minSeverity }).length > 0;
+}
+function sanitizeSQLInput(input) {
+  if (!input || typeof input !== "string") return "";
+  let result = input;
+  result = result.replace(/\0/g, "");
+  result = result.replace(/'/g, "''");
+  result = result.replace(/;/g, "");
+  result = result.replace(/--/g, "");
+  result = result.replace(/\/\*/g, "");
+  result = result.replace(/\*\//g, "");
+  result = result.replace(/0x[0-9a-f]+/gi, "");
+  return result;
+}
+function detectSQLInjectionInObject(obj, options = {}) {
+  const { fields, deep = true, customPatterns, minSeverity } = options;
+  const detections = [];
+  function walk(value, path) {
+    if (typeof value === "string") {
+      if (fields && fields.length > 0) {
+        const fieldName = path.split(".").pop() || path;
+        if (!fields.includes(fieldName)) return;
+      }
+      const detected = detectSQLInjection(value, { customPatterns, minSeverity });
+      for (const d of detected) {
+        detections.push({ ...d, field: path });
+      }
+    } else if (deep && Array.isArray(value)) {
+      value.forEach((item, i) => walk(item, `${path}[${i}]`));
+    } else if (deep && typeof value === "object" && value !== null) {
+      for (const [key, val] of Object.entries(value)) {
+        walk(val, path ? `${path}.${key}` : key);
+      }
+    }
+  }
+  walk(obj, "");
+  return detections;
+}
+
+// src/middleware/validation/middleware.ts
+function withValidation(handler, config) {
+  const onError = config.onError || ((_, errors) => defaultValidationErrorResponse(errors));
+  return async (req) => {
+    const result = await validateRequest(req, {
+      body: config.body,
+      query: config.query,
+      params: config.params,
+      routeParams: config.routeParams
+    });
+    if (!result.success) {
+      return onError(req, result.errors || []);
+    }
+    return handler(req, { validated: result.data });
+  };
+}
+function withSanitization(handler, config = {}) {
+  const {
+    fields,
+    mode = "escape",
+    allowedTags,
+    skip,
+    onSanitized
+  } = config;
+  return async (req) => {
+    if (skip && await skip(req)) {
+      return handler(req, { sanitized: null, changes: [] });
+    }
+    let body;
+    try {
+      body = await req.json();
+    } catch {
+      return handler(req, { sanitized: null, changes: [] });
+    }
+    const changes = [];
+    const sanitized = walkObject(body, (value, path) => {
+      if (fields && fields.length > 0) {
+        const fieldName = path.split(".").pop() || path;
+        if (!fields.includes(fieldName)) {
+          return value;
+        }
+      }
+      const cleaned = sanitize(value, { mode, allowedTags });
+      if (cleaned !== value) {
+        changes.push({
+          field: path,
+          original: value,
+          sanitized: cleaned
+        });
+      }
+      return cleaned;
+    }, "");
+    if (onSanitized && changes.length > 0) {
+      onSanitized(req, changes);
+    }
+    return handler(req, { sanitized, changes });
+  };
+}
+function withXSSProtection(handler, config = {}) {
+  const { fields, onDetection, checkQuery = true } = config;
+  return async (req) => {
+    const detections = [];
+    if (checkQuery) {
+      const url = new URL(req.url);
+      for (const [key, value] of url.searchParams.entries()) {
+        if (detectXSS(value)) {
+          detections.push({ field: `query.${key}`, value });
+        }
+      }
+    }
+    let body;
+    try {
+      body = await req.json();
+    } catch {
+      body = null;
+    }
+    if (body) {
+      walkObject(body, (value, path) => {
+        if (fields && fields.length > 0) {
+          const fieldName = path.split(".").pop() || path;
+          if (!fields.includes(fieldName)) {
+            return value;
+          }
+        }
+        if (detectXSS(value)) {
+          detections.push({ field: path, value });
+        }
+        return value;
+      }, "");
+    }
+    if (detections.length > 0) {
+      if (onDetection) {
+        for (const { field, value } of detections) {
+          const result = await onDetection(req, field, value);
+          if (result instanceof Response) {
+            return result;
+          }
+        }
+      }
+      return new Response(
+        JSON.stringify({
+          error: "xss_detected",
+          message: "Potentially malicious content detected",
+          fields: detections.map((d) => d.field)
+        }),
+        {
+          status: 400,
+          headers: { "Content-Type": "application/json" }
+        }
+      );
+    }
+    return handler(req);
+  };
+}
+function withSQLProtection(handler, config = {}) {
+  const {
+    fields,
+    deep = true,
+    mode = "block",
+    customPatterns,
+    allowList = [],
+    onDetection
+  } = config;
+  return async (req) => {
+    let body;
+    try {
+      body = await req.json();
+    } catch {
+      return handler(req);
+    }
+    const detections = detectSQLInjectionInObject(body, {
+      fields,
+      deep,
+      customPatterns,
+      minSeverity: mode === "detect" ? "low" : "medium"
+    });
+    const filtered = detections.filter((d) => !allowList.includes(d.value));
+    if (filtered.length > 0) {
+      if (onDetection) {
+        const result = await onDetection(req, filtered);
+        if (result instanceof Response) {
+          return result;
+        }
+      }
+      if (mode === "block") {
+        return new Response(
+          JSON.stringify({
+            error: "sql_injection_detected",
+            message: "Potentially malicious SQL detected",
+            detections: filtered.map((d) => ({
+              field: d.field,
+              pattern: d.pattern,
+              severity: d.severity
+            }))
+          }),
+          {
+            status: 400,
+            headers: { "Content-Type": "application/json" }
+          }
+        );
+      }
+    }
+    return handler(req);
+  };
+}
+function withContentType(handler, config) {
+  const onInvalid = config.onInvalid || ((_, contentType) => defaultContentTypeErrorResponse(contentType, `Content-Type '${contentType}' is not allowed`));
+  return async (req) => {
+    const result = validateContentType(req, config);
+    if (!result.valid) {
+      return onInvalid(req, result.contentType);
+    }
+    return handler(req);
+  };
+}
+function withFileValidation(handler, config = {}) {
+  const onInvalid = config.onInvalid || ((_, errors) => defaultFileErrorResponse(errors));
+  return async (req) => {
+    const result = await validateFilesFromRequest(req, config);
+    if (!result.valid) {
+      return onInvalid(req, result.errors);
+    }
+    return handler(req, { files: result.files });
+  };
+}
+function withSecureValidation(handler, config) {
+  return async (req) => {
+    const allErrors = [];
+    if (config.contentType) {
+      const ctResult = validateContentType(req, config.contentType);
+      if (!ctResult.valid) {
+        allErrors.push({
+          field: "Content-Type",
+          code: "invalid_content_type",
+          message: ctResult.reason || "Invalid Content-Type"
+        });
+      }
+    }
+    let files;
+    if (config.files) {
+      const fileResult = await validateFilesFromRequest(req, config.files);
+      if (!fileResult.valid) {
+        allErrors.push(...fileResult.errors.map((e) => ({
+          field: e.field || e.filename,
+          code: e.code,
+          message: e.message
+        })));
+      } else {
+        files = fileResult.files;
+      }
+    }
+    if (allErrors.length > 0) {
+      const onError = config.onError || ((_, errors) => defaultValidationErrorResponse(errors));
+      return onError(req, allErrors);
+    }
+    let validated;
+    if (config.schema) {
+      const schemaResult = await validateRequest(req, {
+        body: config.schema.body,
+        query: config.schema.query,
+        params: config.schema.params,
+        routeParams: config.routeParams
+      });
+      if (!schemaResult.success) {
+        allErrors.push(...schemaResult.errors || []);
+      } else {
+        validated = schemaResult.data;
+      }
+    } else {
+      validated = {
+        body: {},
+        query: {},
+        params: {}
+      };
+    }
+    if (config.sql && validated?.body) {
+      const sqlDetections = detectSQLInjectionInObject(validated.body, {
+        fields: config.sql.fields,
+        deep: config.sql.deep,
+        customPatterns: config.sql.customPatterns
+      });
+      if (sqlDetections.length > 0 && config.sql.mode !== "detect") {
+        allErrors.push(...sqlDetections.map((d) => ({
+          field: d.field,
+          code: "sql_injection",
+          message: `Potential SQL injection detected: ${d.pattern}`
+        })));
+      }
+    }
+    if (config.xss?.enabled && validated?.body) {
+      walkObject(validated.body, (value, path) => {
+        if (config.xss?.fields && config.xss.fields.length > 0) {
+          const fieldName = path.split(".").pop() || path;
+          if (!config.xss.fields.includes(fieldName)) {
+            return value;
+          }
+        }
+        if (detectXSS(value)) {
+          allErrors.push({
+            field: path,
+            code: "xss_detected",
+            message: "Potentially malicious content detected"
+          });
+        }
+        return value;
+      }, "");
+    }
+    if (allErrors.length > 0) {
+      const onError = config.onError || ((_, errors) => defaultValidationErrorResponse(errors));
+      return onError(req, allErrors);
+    }
+    return handler(req, { validated, files });
+  };
+}
 
 // src/index.ts
-var VERSION = "0.3.0";
+var VERSION = "0.5.0";
 
-export { AuthenticationError, AuthorizationError, ConfigurationError, CsrfError, MemoryStore, PRESET_API, PRESET_RELAXED, PRESET_STRICT, RateLimitError, SecureError, VERSION, ValidationError, anonymizeIp, buildCSP, buildHSTS, buildPermissionsPolicy, checkRateLimit, clearAllRateLimits, createToken as createCSRFToken, createMemoryStore, createRateLimiter, createSecurityHeaders, createSecurityHeadersObject, formatDuration, generateCSRF, getClientIp, getGeoInfo, getGlobalMemoryStore, getPreset, getRateLimitStatus, isLocalhost, isPrivateIp, isSecureError, isValidIp, normalizeIp, nowInMs, nowInSeconds, parseDuration, resetRateLimit, sleep, toSecureError, tokensMatch, validateCSRF, verifyToken as verifyCSRFToken, withCSRF, withRateLimit, withSecurityHeaders };
+export { AuthenticationError, AuthorizationError, ConfigurationError, CsrfError, DANGEROUS_EXTENSIONS, MIME_TYPES, MemoryStore, PRESET_API, PRESET_RELAXED, PRESET_STRICT, RateLimitError, SecureError, VERSION, ValidationError, anonymizeIp, buildCSP, buildHSTS, buildPermissionsPolicy, checkRateLimit, clearAllRateLimits, createToken as createCSRFToken, createMemoryStore, createRateLimiter, createSecurityHeaders, createSecurityHeadersObject, createValidator, decodeJWT, detectFileType, detectSQLInjection, detectXSS, escapeHtml, extractBearerToken, formatDuration, generateCSRF, getClientIp, getGeoInfo, getGlobalMemoryStore, getPreset, getRateLimitStatus, hasPathTraversal, hasSQLInjection, isFormRequest, isJsonRequest, isLocalhost, isPrivateIp, isSecureError, isValidIp, normalizeIp, nowInMs, nowInSeconds, parseDuration, resetRateLimit, sanitize, sanitizeFields, sanitizeFilename, sanitizeObject, sanitizePath, sanitizeSQLInput, sleep, stripHtml, toSecureError, tokensMatch, validate, validateBody, validateCSRF, validateContentType, validateFile, validateFiles, validatePath, validateQuery, validateRequest, verifyToken as verifyCSRFToken, verifyJWT, withAPIKey, withAuth, withCSRF, withContentType, withFileValidation, withJWT, withOptionalAuth, withRateLimit, withRoles, withSQLProtection, withSanitization, withSecureValidation, withSecurityHeaders, withSession, withValidation, withXSSProtection };
 //# sourceMappingURL=index.js.map
 //# sourceMappingURL=index.js.map