nextjs-secure 0.3.0 → 0.6.0

package/dist/index.cjs

@@ -869,8 +869,8 @@ function withRateLimit(handler, config) {
     };
     try {
       if (finalConfig.skip) {
-        const shouldSkip = await finalConfig.skip(request);
-        if (shouldSkip) {
+        const shouldSkip2 = await finalConfig.skip(request);
+        if (shouldSkip2) {
           debug("Skipping rate limit check");
           return handler(request, ctx);
         }
@@ -946,8 +946,8 @@ async function checkRateLimit(request, config) {
   const windowMs = parseDuration(finalConfig.window);
   const algorithm = getAlgorithm(finalConfig.algorithm);
   if (finalConfig.skip) {
-    const shouldSkip = await finalConfig.skip(request);
-    if (shouldSkip) {
+    const shouldSkip2 = await finalConfig.skip(request);
+    if (shouldSkip2) {
       const info2 = {
         limit: finalConfig.limit,
         remaining: finalConfig.limit,
@@ -1123,8 +1123,8 @@ function withCSRF(handler, config = {}) {
       return handler(req);
     }
     if (config.skip) {
-      const shouldSkip = await config.skip(req);
-      if (shouldSkip) return handler(req);
+      const shouldSkip2 = await config.skip(req);
+      if (shouldSkip2) return handler(req);
     }
     const cookieName = cookieOpts.name || "__csrf";
     const cookieToken = req.cookies.get(cookieName)?.value;
@@ -1446,20 +1446,3692 @@ function createSecurityHeadersObject(options = {}) {
   });
   return obj;
 }
+var encoder2 = new TextEncoder();
+var decoder = new TextDecoder();
+function base64UrlDecode(str) {
+  const pad = str.length % 4;
+  if (pad) {
+    str += "=".repeat(4 - pad);
+  }
+  const base64 = str.replace(/-/g, "+").replace(/_/g, "/");
+  const binary = atob(base64);
+  const bytes = new Uint8Array(binary.length);
+  for (let i = 0; i < binary.length; i++) {
+    bytes[i] = binary.charCodeAt(i);
+  }
+  return bytes;
+}
+function decodeJWT(token) {
+  try {
+    const parts = token.split(".");
+    if (parts.length !== 3) return null;
+    const header = JSON.parse(decoder.decode(base64UrlDecode(parts[0])));
+    const payload = JSON.parse(decoder.decode(base64UrlDecode(parts[1])));
+    const signature = base64UrlDecode(parts[2]);
+    return { header, payload, signature };
+  } catch {
+    return null;
+  }
+}
+function getAlgorithmParams(alg) {
+  switch (alg) {
+    case "HS256":
+      return { name: "HMAC", hash: "SHA-256" };
+    case "HS384":
+      return { name: "HMAC", hash: "SHA-384" };
+    case "HS512":
+      return { name: "HMAC", hash: "SHA-512" };
+    case "RS256":
+      return { name: "RSASSA-PKCS1-v1_5", hash: "SHA-256" };
+    case "RS384":
+      return { name: "RSASSA-PKCS1-v1_5", hash: "SHA-384" };
+    case "RS512":
+      return { name: "RSASSA-PKCS1-v1_5", hash: "SHA-512" };
+    case "ES256":
+      return { name: "ECDSA", hash: "SHA-256", namedCurve: "P-256" };
+    case "ES384":
+      return { name: "ECDSA", hash: "SHA-384", namedCurve: "P-384" };
+    case "ES512":
+      return { name: "ECDSA", hash: "SHA-512", namedCurve: "P-521" };
+    default:
+      return null;
+  }
+}
+async function verifyHMAC(data, signature, secret, hash2) {
+  const key = await crypto$1.webcrypto.subtle.importKey(
+    "raw",
+    encoder2.encode(secret),
+    { name: "HMAC", hash: hash2 },
+    false,
+    ["verify"]
+  );
+  return crypto$1.webcrypto.subtle.verify("HMAC", key, signature, encoder2.encode(data));
+}
+async function importPublicKey(pem, algorithm) {
+  const pemContents = pem.replace(/-----BEGIN.*-----/, "").replace(/-----END.*-----/, "").replace(/\s/g, "");
+  const binaryDer = base64UrlDecode(pemContents.replace(/\+/g, "-").replace(/\//g, "_"));
+  const keyUsages = ["verify"];
+  if (algorithm.name === "RSASSA-PKCS1-v1_5") {
+    return crypto$1.webcrypto.subtle.importKey(
+      "spki",
+      binaryDer,
+      { name: algorithm.name, hash: algorithm.hash },
+      false,
+      keyUsages
+    );
+  }
+  if (algorithm.name === "ECDSA") {
+    return crypto$1.webcrypto.subtle.importKey(
+      "spki",
+      binaryDer,
+      { name: algorithm.name, namedCurve: algorithm.namedCurve },
+      false,
+      keyUsages
+    );
+  }
+  throw new Error(`Unsupported algorithm: ${algorithm.name}`);
+}
+async function verifyAsymmetric(data, signature, publicKey, algorithm) {
+  const key = await importPublicKey(publicKey, algorithm);
+  const params = algorithm.name === "ECDSA" ? { name: "ECDSA", hash: algorithm.hash } : algorithm.name;
+  return crypto$1.webcrypto.subtle.verify(params, key, signature, encoder2.encode(data));
+}
+function validateClaims(payload, config) {
+  const now = Math.floor(Date.now() / 1e3);
+  const tolerance = config.clockTolerance || 0;
+  if (payload.exp !== void 0 && payload.exp < now - tolerance) {
+    return {
+      code: "expired_token",
+      message: "Token has expired",
+      status: 401
+    };
+  }
+  if (payload.nbf !== void 0 && payload.nbf > now + tolerance) {
+    return {
+      code: "invalid_token",
+      message: "Token not yet valid",
+      status: 401
+    };
+  }
+  if (config.issuer) {
+    const issuers = Array.isArray(config.issuer) ? config.issuer : [config.issuer];
+    if (!payload.iss || !issuers.includes(payload.iss)) {
+      return {
+        code: "invalid_token",
+        message: "Invalid token issuer",
+        status: 401
+      };
+    }
+  }
+  if (config.audience) {
+    const audiences = Array.isArray(config.audience) ? config.audience : [config.audience];
+    const tokenAudiences = Array.isArray(payload.aud) ? payload.aud : payload.aud ? [payload.aud] : [];
+    const hasValidAudience = audiences.some((aud) => tokenAudiences.includes(aud));
+    if (!hasValidAudience) {
+      return {
+        code: "invalid_token",
+        message: "Invalid token audience",
+        status: 401
+      };
+    }
+  }
+  return null;
+}
+async function verifyJWT(token, config) {
+  const decoded = decodeJWT(token);
+  if (!decoded) {
+    return {
+      payload: null,
+      error: {
+        code: "invalid_token",
+        message: "Malformed token",
+        status: 401
+      }
+    };
+  }
+  const { header, payload, signature } = decoded;
+  const alg = header.alg;
+  const allowedAlgorithms = config.algorithms || ["HS256"];
+  if (!allowedAlgorithms.includes(alg)) {
+    return {
+      payload: null,
+      error: {
+        code: "invalid_token",
+        message: `Algorithm ${alg} not allowed`,
+        status: 401
+      }
+    };
+  }
+  const algorithmParams = getAlgorithmParams(alg);
+  if (!algorithmParams) {
+    return {
+      payload: null,
+      error: {
+        code: "invalid_token",
+        message: `Unsupported algorithm: ${alg}`,
+        status: 401
+      }
+    };
+  }
+  const parts = token.split(".");
+  const signedData = `${parts[0]}.${parts[1]}`;
+  let isValid = false;
+  try {
+    if (algorithmParams.name === "HMAC") {
+      if (!config.secret) {
+        return {
+          payload: null,
+          error: {
+            code: "invalid_token",
+            message: "Secret required for HMAC algorithms",
+            status: 500
+          }
+        };
+      }
+      isValid = await verifyHMAC(signedData, signature, config.secret, algorithmParams.hash);
+    } else {
+      if (!config.publicKey) {
+        return {
+          payload: null,
+          error: {
+            code: "invalid_token",
+            message: "Public key required for asymmetric algorithms",
+            status: 500
+          }
+        };
+      }
+      isValid = await verifyAsymmetric(signedData, signature, config.publicKey, algorithmParams);
+    }
+  } catch {
+    isValid = false;
+  }
+  if (!isValid) {
+    return {
+      payload: null,
+      error: {
+        code: "invalid_signature",
+        message: "Invalid token signature",
+        status: 401
+      }
+    };
+  }
+  const claimsError = validateClaims(payload, config);
+  if (claimsError) {
+    return { payload: null, error: claimsError };
+  }
+  return { payload, error: null };
+}
+function extractBearerToken(authHeader) {
+  if (!authHeader) return null;
+  if (!authHeader.startsWith("Bearer ")) return null;
+  return authHeader.slice(7);
+}
+
+// src/middleware/auth/middleware.ts
+function defaultErrorResponse2(_req, error) {
+  return new Response(
+    JSON.stringify({
+      error: error.code,
+      message: error.message
+    }),
+    {
+      status: error.status,
+      headers: { "Content-Type": "application/json" }
+    }
+  );
+}
+async function getTokenFromRequest(req, config) {
+  if (config?.getToken) {
+    return config.getToken(req);
+  }
+  return extractBearerToken(req.headers.get("authorization"));
+}
+function withJWT(handler, config) {
+  const secret = config.secret || process.env.JWT_SECRET;
+  const effectiveConfig = { ...config, secret };
+  return async (req) => {
+    const token = await getTokenFromRequest(req, effectiveConfig);
+    if (!token) {
+      return defaultErrorResponse2(req, {
+        code: "missing_token",
+        message: "Authentication required",
+        status: 401
+      });
+    }
+    const { payload, error } = await verifyJWT(token, effectiveConfig);
+    if (error) {
+      return defaultErrorResponse2(req, error);
+    }
+    const user = effectiveConfig.mapUser ? await effectiveConfig.mapUser(payload) : {
+      id: payload.sub || "",
+      email: payload.email,
+      name: payload.name,
+      roles: payload.roles,
+      permissions: payload.permissions
+    };
+    return handler(req, { user, token });
+  };
+}
+function withAPIKey(handler, config) {
+  const headerName = config.headerName || "x-api-key";
+  const queryParam = config.queryParam || "api_key";
+  return async (req) => {
+    let apiKey = req.headers.get(headerName);
+    if (!apiKey) {
+      const url = new URL(req.url);
+      apiKey = url.searchParams.get(queryParam);
+    }
+    if (!apiKey) {
+      return defaultErrorResponse2(req, {
+        code: "missing_api_key",
+        message: "API key required",
+        status: 401
+      });
+    }
+    const user = await config.validate(apiKey, req);
+    if (!user) {
+      return defaultErrorResponse2(req, {
+        code: "invalid_api_key",
+        message: "Invalid API key",
+        status: 401
+      });
+    }
+    return handler(req, { user });
+  };
+}
+function withSession(handler, config) {
+  const cookieName = config.cookieName || "session";
+  return async (req) => {
+    const sessionId = req.cookies.get(cookieName)?.value;
+    if (!sessionId) {
+      return defaultErrorResponse2(req, {
+        code: "missing_session",
+        message: "Session required",
+        status: 401
+      });
+    }
+    const user = await config.validate(sessionId, req);
+    if (!user) {
+      return defaultErrorResponse2(req, {
+        code: "invalid_session",
+        message: "Invalid or expired session",
+        status: 401
+      });
+    }
+    return handler(req, { user });
+  };
+}
+function withRoles(handler, config) {
+  return async (req, ctx) => {
+    const { user } = ctx;
+    const userRoles = config.getUserRoles ? config.getUserRoles(user) : user.roles || [];
+    if (config.roles && config.roles.length > 0) {
+      const hasRole = config.roles.some((role) => userRoles.includes(role));
+      if (!hasRole) {
+        return defaultErrorResponse2(req, {
+          code: "insufficient_roles",
+          message: "Insufficient permissions",
+          status: 403
+        });
+      }
+    }
+    const userPermissions = config.getUserPermissions ? config.getUserPermissions(user) : user.permissions || [];
+    if (config.permissions && config.permissions.length > 0) {
+      const hasAllPermissions = config.permissions.every(
+        (perm) => userPermissions.includes(perm)
+      );
+      if (!hasAllPermissions) {
+        return defaultErrorResponse2(req, {
+          code: "insufficient_permissions",
+          message: "Insufficient permissions",
+          status: 403
+        });
+      }
+    }
+    if (config.authorize) {
+      const authorized = await config.authorize(user, req);
+      if (!authorized) {
+        return defaultErrorResponse2(req, {
+          code: "unauthorized",
+          message: "Unauthorized",
+          status: 403
+        });
+      }
+    }
+    return handler(req, ctx);
+  };
+}
+function withAuth(handler, config) {
+  const onError = config.onError || defaultErrorResponse2;
+  return async (req) => {
+    let user = null;
+    let token;
+    if (config.jwt) {
+      const secret = config.jwt.secret || process.env.JWT_SECRET;
+      const jwtConfig = { ...config.jwt, secret };
+      const jwtToken = await getTokenFromRequest(req, jwtConfig);
+      if (jwtToken) {
+        const { payload, error } = await verifyJWT(jwtToken, jwtConfig);
+        if (!error && payload) {
+          user = jwtConfig.mapUser ? await jwtConfig.mapUser(payload) : {
+            id: payload.sub || "",
+            email: payload.email,
+            name: payload.name,
+            roles: payload.roles
+          };
+          token = jwtToken;
+        }
+      }
+    }
+    if (!user && config.apiKey) {
+      const headerName = config.apiKey.headerName || "x-api-key";
+      const queryParam = config.apiKey.queryParam || "api_key";
+      let apiKey = req.headers.get(headerName);
+      if (!apiKey) {
+        const url = new URL(req.url);
+        apiKey = url.searchParams.get(queryParam);
+      }
+      if (apiKey) {
+        const apiUser = await config.apiKey.validate(apiKey, req);
+        if (apiUser) {
+          user = apiUser;
+        }
+      }
+    }
+    if (!user && config.session) {
+      const cookieName = config.session.cookieName || "session";
+      const sessionId = req.cookies.get(cookieName)?.value;
+      if (sessionId) {
+        const sessionUser = await config.session.validate(sessionId, req);
+        if (sessionUser) {
+          user = sessionUser;
+        }
+      }
+    }
+    if (!user) {
+      return onError(req, {
+        code: "unauthorized",
+        message: "Authentication required",
+        status: 401
+      });
+    }
+    if (config.rbac) {
+      const userRoles = config.rbac.getUserRoles ? config.rbac.getUserRoles(user) : user.roles || [];
+      if (config.rbac.roles && config.rbac.roles.length > 0) {
+        const hasRole = config.rbac.roles.some((role) => userRoles.includes(role));
+        if (!hasRole) {
+          return onError(req, {
+            code: "insufficient_roles",
+            message: "Insufficient permissions",
+            status: 403
+          });
+        }
+      }
+      const userPermissions = config.rbac.getUserPermissions ? config.rbac.getUserPermissions(user) : user.permissions || [];
+      if (config.rbac.permissions && config.rbac.permissions.length > 0) {
+        const hasAllPermissions = config.rbac.permissions.every(
+          (perm) => userPermissions.includes(perm)
+        );
+        if (!hasAllPermissions) {
+          return onError(req, {
+            code: "insufficient_permissions",
+            message: "Insufficient permissions",
+            status: 403
+          });
+        }
+      }
+      if (config.rbac.authorize) {
+        const authorized = await config.rbac.authorize(user, req);
+        if (!authorized) {
+          return onError(req, {
+            code: "unauthorized",
+            message: "Unauthorized",
+            status: 403
+          });
+        }
+      }
+    }
+    if (config.onSuccess) {
+      await config.onSuccess(req, user);
+    }
+    return handler(req, { user, token });
+  };
+}
+function withOptionalAuth(handler, config) {
+  return async (req) => {
+    let user = null;
+    let token;
+    if (config.jwt) {
+      const secret = config.jwt.secret || process.env.JWT_SECRET;
+      const jwtConfig = { ...config.jwt, secret };
+      const jwtToken = await getTokenFromRequest(req, jwtConfig);
+      if (jwtToken) {
+        const { payload, error } = await verifyJWT(jwtToken, jwtConfig);
+        if (!error && payload) {
+          user = jwtConfig.mapUser ? await jwtConfig.mapUser(payload) : {
+            id: payload.sub || "",
+            email: payload.email,
+            name: payload.name,
+            roles: payload.roles
+          };
+          token = jwtToken;
+        }
+      }
+    }
+    if (!user && config.apiKey) {
+      const headerName = config.apiKey.headerName || "x-api-key";
+      let apiKey = req.headers.get(headerName);
+      if (apiKey) {
+        const apiUser = await config.apiKey.validate(apiKey, req);
+        if (apiUser) user = apiUser;
+      }
+    }
+    if (!user && config.session) {
+      const cookieName = config.session.cookieName || "session";
+      const sessionId = req.cookies.get(cookieName)?.value;
+      if (sessionId) {
+        const sessionUser = await config.session.validate(sessionId, req);
+        if (sessionUser) user = sessionUser;
+      }
+    }
+    return handler(req, { user, token });
+  };
+}
+
+// src/middleware/validation/utils.ts
+function isZodSchema(schema) {
+  return typeof schema === "object" && schema !== null && "safeParse" in schema && typeof schema.safeParse === "function";
+}
+function isCustomSchema(schema) {
+  if (typeof schema !== "object" || schema === null) return false;
+  if ("safeParse" in schema) return false;
+  const entries = Object.entries(schema);
+  if (entries.length === 0) return false;
+  return entries.every(([_, rule]) => {
+    return typeof rule === "object" && rule !== null && "type" in rule;
+  });
+}
+var EMAIL_PATTERN = /^[a-zA-Z0-9.!#$%&'*+/=?^_`{|}~-]+@[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?(?:\.[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?)*$/;
+var URL_PATTERN = /^https?:\/\/(?:(?:www\.)?[-a-zA-Z0-9@:%._+~#=]{1,256}\.[a-zA-Z0-9()]{1,6}|localhost|(?:\d{1,3}\.){3}\d{1,3})(?::\d{1,5})?(?:[-a-zA-Z0-9()@:%_+.~#?&/=]*)$/;
+var UUID_PATTERN = /^[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$/i;
+var DATE_PATTERN = /^\d{4}-\d{2}-\d{2}(?:T\d{2}:\d{2}:\d{2}(?:\.\d{3})?(?:Z|[+-]\d{2}:?\d{2})?)?$/;
+function validateField(value, rule, fieldName) {
+  if (value === void 0 || value === null || value === "") {
+    if (rule.required) {
+      return {
+        field: fieldName,
+        code: "required",
+        message: rule.message || `${fieldName} is required`,
+        received: value
+      };
+    }
+    return null;
+  }
+  switch (rule.type) {
+    case "string":
+      if (typeof value !== "string") {
+        return {
+          field: fieldName,
+          code: "invalid_type",
+          message: rule.message || `${fieldName} must be a string`,
+          expected: "string",
+          received: typeof value
+        };
+      }
+      if (rule.minLength !== void 0 && value.length < rule.minLength) {
+        return {
+          field: fieldName,
+          code: "too_short",
+          message: rule.message || `${fieldName} must be at least ${rule.minLength} characters`,
+          received: value.length
+        };
+      }
+      if (rule.maxLength !== void 0 && value.length > rule.maxLength) {
+        return {
+          field: fieldName,
+          code: "too_long",
+          message: rule.message || `${fieldName} must be at most ${rule.maxLength} characters`,
+          received: value.length
+        };
+      }
+      if (rule.pattern && !rule.pattern.test(value)) {
+        return {
+          field: fieldName,
+          code: "invalid_pattern",
+          message: rule.message || `${fieldName} has invalid format`,
+          received: value
+        };
+      }
+      break;
+    case "number":
+      const num = typeof value === "number" ? value : Number(value);
+      if (isNaN(num)) {
+        return {
+          field: fieldName,
+          code: "invalid_type",
+          message: rule.message || `${fieldName} must be a number`,
+          expected: "number",
+          received: typeof value
+        };
+      }
+      if (rule.integer && !Number.isInteger(num)) {
+        return {
+          field: fieldName,
+          code: "invalid_integer",
+          message: rule.message || `${fieldName} must be an integer`,
+          received: num
+        };
+      }
+      if (rule.min !== void 0 && num < rule.min) {
+        return {
+          field: fieldName,
+          code: "too_small",
+          message: rule.message || `${fieldName} must be at least ${rule.min}`,
+          received: num
+        };
+      }
+      if (rule.max !== void 0 && num > rule.max) {
+        return {
+          field: fieldName,
+          code: "too_large",
+          message: rule.message || `${fieldName} must be at most ${rule.max}`,
+          received: num
+        };
+      }
+      break;
+    case "boolean":
+      if (typeof value !== "boolean" && value !== "true" && value !== "false") {
+        return {
+          field: fieldName,
+          code: "invalid_type",
+          message: rule.message || `${fieldName} must be a boolean`,
+          expected: "boolean",
+          received: typeof value
+        };
+      }
+      break;
+    case "email":
+      if (typeof value !== "string" || !EMAIL_PATTERN.test(value)) {
+        return {
+          field: fieldName,
+          code: "invalid_email",
+          message: rule.message || `${fieldName} must be a valid email address`,
+          received: value
+        };
+      }
+      break;
+    case "url":
+      if (typeof value !== "string" || !URL_PATTERN.test(value)) {
+        return {
+          field: fieldName,
+          code: "invalid_url",
+          message: rule.message || `${fieldName} must be a valid URL`,
+          received: value
+        };
+      }
+      break;
+    case "uuid":
+      if (typeof value !== "string" || !UUID_PATTERN.test(value)) {
+        return {
+          field: fieldName,
+          code: "invalid_uuid",
+          message: rule.message || `${fieldName} must be a valid UUID`,
+          received: value
+        };
+      }
+      break;
+    case "date":
+      if (typeof value !== "string" || !DATE_PATTERN.test(value)) {
+        const parsed = new Date(value);
+        if (isNaN(parsed.getTime())) {
+          return {
+            field: fieldName,
+            code: "invalid_date",
+            message: rule.message || `${fieldName} must be a valid date`,
+            received: value
+          };
+        }
+      }
+      break;
+    case "array":
+      if (!Array.isArray(value)) {
+        return {
+          field: fieldName,
+          code: "invalid_type",
+          message: rule.message || `${fieldName} must be an array`,
+          expected: "array",
+          received: typeof value
+        };
+      }
+      if (rule.minItems !== void 0 && value.length < rule.minItems) {
+        return {
+          field: fieldName,
+          code: "too_few_items",
+          message: rule.message || `${fieldName} must have at least ${rule.minItems} items`,
+          received: value.length
+        };
+      }
+      if (rule.maxItems !== void 0 && value.length > rule.maxItems) {
+        return {
+          field: fieldName,
+          code: "too_many_items",
+          message: rule.message || `${fieldName} must have at most ${rule.maxItems} items`,
+          received: value.length
+        };
+      }
+      if (rule.items) {
+        for (let i = 0; i < value.length; i++) {
+          const itemError = validateField(value[i], rule.items, `${fieldName}[${i}]`);
+          if (itemError) return itemError;
+        }
+      }
+      break;
+    case "object":
+      if (typeof value !== "object" || value === null || Array.isArray(value)) {
+        return {
+          field: fieldName,
+          code: "invalid_type",
+          message: rule.message || `${fieldName} must be an object`,
+          expected: "object",
+          received: Array.isArray(value) ? "array" : typeof value
+        };
+      }
+      break;
+  }
+  if (rule.custom) {
+    const result = rule.custom(value);
+    if (result !== true) {
+      return {
+        field: fieldName,
+        code: "custom_validation",
+        message: typeof result === "string" ? result : rule.message || `${fieldName} failed validation`,
+        received: value
+      };
+    }
+  }
+  return null;
+}
+function validateCustomSchema(data, schema) {
+  if (typeof data !== "object" || data === null) {
+    return {
+      success: false,
+      errors: [{
+        field: "_root",
+        code: "invalid_type",
+        message: "Expected an object",
+        received: data
+      }]
+    };
+  }
+  const errors = [];
+  const record = data;
+  for (const [fieldName, rule] of Object.entries(schema)) {
+    const error = validateField(record[fieldName], rule, fieldName);
+    if (error) {
+      errors.push(error);
+    }
+  }
+  if (errors.length > 0) {
+    return { success: false, errors };
+  }
+  return { success: true, data };
+}
+function validateZodSchema(data, schema) {
+  const result = schema.safeParse(data);
+  if (result.success) {
+    return { success: true, data: result.data };
+  }
+  const errors = result.error.issues.map((issue) => ({
+    field: issue.path.join(".") || "_root",
+    code: issue.code,
+    message: issue.message,
+    path: issue.path.map(String)
+  }));
+  return { success: false, errors };
+}
+function walkObject(obj, fn, path = "") {
+  if (typeof obj === "string") {
+    return fn(obj, path);
+  }
+  if (Array.isArray(obj)) {
+    return obj.map((item, i) => walkObject(item, fn, `${path}[${i}]`));
+  }
+  if (typeof obj === "object" && obj !== null) {
+    const result = {};
+    for (const [key, value] of Object.entries(obj)) {
+      const newPath = path ? `${path}.${key}` : key;
+      result[key] = walkObject(value, fn, newPath);
+    }
+    return result;
+  }
+  return obj;
+}
+function parseQueryString(url) {
+  const result = {};
+  try {
+    const urlObj = new URL(url);
+    for (const [key, value] of urlObj.searchParams.entries()) {
+      if (key in result) {
+        const existing = result[key];
+        if (Array.isArray(existing)) {
+          existing.push(value);
+        } else {
+          result[key] = [existing, value];
+        }
+      } else {
+        result[key] = value;
+      }
+    }
+  } catch {
+  }
+  return result;
+}
+
+// src/middleware/validation/validators/schema.ts
+function validate(data, schema) {
+  if (isZodSchema(schema)) {
+    return validateZodSchema(data, schema);
+  }
+  if (isCustomSchema(schema)) {
+    return validateCustomSchema(data, schema);
+  }
+  return {
+    success: false,
+    errors: [{
+      field: "_schema",
+      code: "invalid_schema",
+      message: "Invalid schema provided"
+    }]
+  };
+}
+async function validateBody(request, schema) {
+  let body;
+  try {
+    const contentType = request.headers.get("content-type") || "";
+    if (contentType.includes("application/json")) {
+      body = await request.json();
+    } else if (contentType.includes("application/x-www-form-urlencoded")) {
+      const text = await request.text();
+      body = Object.fromEntries(new URLSearchParams(text));
+    } else if (contentType.includes("multipart/form-data")) {
+      const formData = await request.formData();
+      const obj = {};
+      formData.forEach((value, key) => {
+        if (typeof value === "string") {
+          obj[key] = value;
+        }
+      });
+      body = obj;
+    } else {
+      try {
+        body = await request.json();
+      } catch {
+        body = {};
+      }
+    }
+  } catch (error) {
+    return {
+      success: false,
+      errors: [{
+        field: "_body",
+        code: "parse_error",
+        message: "Failed to parse request body"
+      }]
+    };
+  }
+  return validate(body, schema);
+}
+function validateQuery(request, schema) {
+  const query = parseQueryString(request.url);
+  return validate(query, schema);
+}
+function validateParams(params, schema) {
+  return validate(params, schema);
+}
+async function validateRequest(request, config) {
+  const allErrors = [];
+  const data = {};
+  if (config.body) {
+    const bodyResult = await validateBody(request, config.body);
+    if (!bodyResult.success) {
+      allErrors.push(...(bodyResult.errors || []).map((e) => ({
+        ...e,
+        field: `body.${e.field}`.replace("body._root", "body")
+      })));
+    } else {
+      data.body = bodyResult.data;
+    }
+  } else {
+    data.body = {};
+  }
+  if (config.query) {
+    const queryResult = validateQuery(request, config.query);
+    if (!queryResult.success) {
+      allErrors.push(...(queryResult.errors || []).map((e) => ({
+        ...e,
+        field: `query.${e.field}`.replace("query._root", "query")
+      })));
+    } else {
+      data.query = queryResult.data;
+    }
+  } else {
+    data.query = {};
+  }
+  if (config.params && config.routeParams) {
+    const paramsResult = validateParams(config.routeParams, config.params);
+    if (!paramsResult.success) {
+      allErrors.push(...(paramsResult.errors || []).map((e) => ({
+        ...e,
+        field: `params.${e.field}`.replace("params._root", "params")
+      })));
+    } else {
+      data.params = paramsResult.data;
+    }
+  } else {
+    data.params = {};
+  }
+  if (allErrors.length > 0) {
+    return { success: false, errors: allErrors };
+  }
+  return {
+    success: true,
+    data
+  };
+}
+function defaultValidationErrorResponse(errors) {
+  return new Response(
+    JSON.stringify({
+      error: "validation_error",
+      message: "Request validation failed",
+      details: errors.map((e) => ({
+        field: e.field,
+        code: e.code,
+        message: e.message
+      }))
+    }),
+    {
+      status: 400,
+      headers: { "Content-Type": "application/json" }
+    }
+  );
+}
+function createValidator(schema) {
+  return (data) => validate(data, schema);
+}
+
+// src/middleware/validation/validators/content-type.ts
+var MIME_TYPES = {
+  // Text
+  TEXT_PLAIN: "text/plain",
+  TEXT_HTML: "text/html",
+  TEXT_CSS: "text/css",
+  TEXT_JAVASCRIPT: "text/javascript",
+  // Application
+  JSON: "application/json",
+  FORM_URLENCODED: "application/x-www-form-urlencoded",
+  MULTIPART_FORM: "multipart/form-data",
+  XML: "application/xml",
+  PDF: "application/pdf",
+  ZIP: "application/zip",
+  GZIP: "application/gzip",
+  OCTET_STREAM: "application/octet-stream",
+  // Image
+  IMAGE_PNG: "image/png",
+  IMAGE_JPEG: "image/jpeg",
+  IMAGE_GIF: "image/gif",
+  IMAGE_WEBP: "image/webp",
+  IMAGE_SVG: "image/svg+xml",
+  // Audio
+  AUDIO_MP3: "audio/mpeg",
+  AUDIO_WAV: "audio/wav",
+  AUDIO_OGG: "audio/ogg",
+  // Video
+  VIDEO_MP4: "video/mp4",
+  VIDEO_WEBM: "video/webm"
+};
+function parseContentType(header) {
+  if (!header) {
+    return {
+      type: "",
+      subtype: "",
+      mediaType: "",
+      parameters: {}
+    };
+  }
+  const parts = header.split(";").map((p) => p.trim());
+  const mediaType = parts[0].toLowerCase();
+  const [type = "", subtype = ""] = mediaType.split("/");
+  const parameters = {};
+  for (let i = 1; i < parts.length; i++) {
+    const [key, value] = parts[i].split("=").map((p) => p.trim());
+    if (key && value) {
+      parameters[key.toLowerCase()] = value.replace(/^["']|["']$/g, "");
+    }
+  }
+  return {
+    type,
+    subtype,
+    mediaType,
+    charset: parameters["charset"],
+    boundary: parameters["boundary"],
+    parameters
+  };
+}
+function isAllowedContentType(contentType, allowedTypes, strict = false) {
+  if (!contentType) {
+    return !strict;
+  }
+  const { mediaType } = parseContentType(contentType);
+  return allowedTypes.some((allowed) => {
+    const normalizedAllowed = allowed.toLowerCase().trim();
+    if (mediaType === normalizedAllowed) {
+      return true;
+    }
+    if (normalizedAllowed.endsWith("/*")) {
+      const prefix = normalizedAllowed.slice(0, -2);
+      return mediaType.startsWith(prefix + "/");
+    }
+    if (!normalizedAllowed.includes("/")) {
+      const { type } = parseContentType(contentType);
+      return type === normalizedAllowed;
+    }
+    return false;
+  });
+}
+function validateContentType(request, config) {
+  const contentType = request.headers.get("content-type");
+  const { allowed, strict = false, charset } = config;
+  if (strict && !contentType) {
+    return {
+      valid: false,
+      contentType: null,
+      reason: "Content-Type header is required"
+    };
+  }
+  if (contentType && !isAllowedContentType(contentType, allowed, strict)) {
+    return {
+      valid: false,
+      contentType,
+      reason: `Content-Type '${contentType}' is not allowed`
+    };
+  }
+  if (charset && contentType) {
+    const parsed = parseContentType(contentType);
+    if (parsed.charset && parsed.charset.toLowerCase() !== charset.toLowerCase()) {
+      return {
+        valid: false,
+        contentType,
+        reason: `Charset '${parsed.charset}' is not allowed, expected '${charset}'`
+      };
+    }
+  }
+  return { valid: true, contentType };
+}
+function defaultContentTypeErrorResponse(contentType, reason) {
+  return new Response(
+    JSON.stringify({
+      error: "invalid_content_type",
+      message: reason,
+      received: contentType
+    }),
+    {
+      status: 415,
+      // Unsupported Media Type
+      headers: { "Content-Type": "application/json" }
+    }
+  );
+}
+function isJsonRequest(request) {
+  return isAllowedContentType(
+    request.headers.get("content-type"),
+    [MIME_TYPES.JSON]
+  );
+}
+function isFormRequest(request) {
+  return isAllowedContentType(
+    request.headers.get("content-type"),
+    [MIME_TYPES.FORM_URLENCODED, MIME_TYPES.MULTIPART_FORM]
+  );
+}
+
+// src/middleware/validation/sanitizers/path.ts
+var DANGEROUS_PATTERNS = [
+  // Unix path traversal
+  /\.\.\//g,
+  /\.\./g,
+  // Windows path traversal
+  /\.\.\\/g,
+  // Null byte (can truncate paths in some systems)
+  /%00/g,
+  /\0/g,
+  // URL encoded traversal
+  /%2e%2e%2f/gi,
+  // ../
+  /%2e%2e\//gi,
+  // ../
+  /%2e%2e%5c/gi,
+  // ..\
+  /%2e%2e\\/gi,
+  // ..\
+  // Double URL encoding
+  /%252e%252e%252f/gi,
+  /%252e%252e%255c/gi,
+  // Unicode encoding
+  /\.%u002e\//gi,
+  /%u002e%u002e%u002f/gi,
+  // Overlong UTF-8 encoding
+  /%c0%ae%c0%ae%c0%af/gi,
+  /%c1%9c/gi
+  // Backslash variant
+];
+var DEFAULT_BLOCKED_EXTENSIONS = [
+  ".exe",
+  ".dll",
+  ".so",
+  ".dylib",
+  // Executables
+  ".sh",
+  ".bash",
+  ".bat",
+  ".cmd",
+  ".ps1",
+  // Scripts
+  ".php",
+  ".asp",
+  ".aspx",
+  ".jsp",
+  ".cgi",
+  // Server scripts
+  ".htaccess",
+  ".htpasswd",
+  // Apache config
+  ".env",
+  ".git",
+  ".svn"
+  // Config/VCS
+];
+function normalizePathSeparators(path) {
+  return path.replace(/\\/g, "/");
+}
+function decodePathComponent(path) {
+  let result = path;
+  let previous = "";
+  while (result !== previous) {
+    previous = result;
+    try {
+      result = decodeURIComponent(result);
+    } catch {
+      break;
+    }
+  }
+  return result;
+}
+function hasPathTraversal(path) {
+  if (!path || typeof path !== "string") return false;
+  const normalized = normalizePathSeparators(decodePathComponent(path));
+  for (const pattern of DANGEROUS_PATTERNS) {
+    pattern.lastIndex = 0;
+    if (pattern.test(normalized)) {
+      return true;
+    }
+  }
+  if (normalized.includes("..")) {
+    return true;
+  }
+  return false;
+}
+function validatePath(path, config = {}) {
+  if (!path || typeof path !== "string") {
+    return { valid: false, reason: "Path is empty or not a string" };
+  }
+  const {
+    allowAbsolute = false,
+    allowedPrefixes = [],
+    allowedExtensions,
+    blockedExtensions = DEFAULT_BLOCKED_EXTENSIONS,
+    maxDepth = 10,
+    maxLength = 255,
+    normalize = true
+  } = config;
+  if (path.length > maxLength) {
+    return { valid: false, reason: `Path exceeds maximum length of ${maxLength}` };
+  }
+  let normalized = decodePathComponent(path);
+  if (normalize) {
+    normalized = normalizePathSeparators(normalized);
+  }
+  if (normalized.includes("\0") || path.includes("%00")) {
+    return { valid: false, reason: "Path contains null bytes" };
+  }
+  if (hasPathTraversal(path)) {
+    return { valid: false, reason: "Path contains traversal sequences" };
+  }
+  const isAbsolute = normalized.startsWith("/") || /^[a-zA-Z]:/.test(normalized) || // Windows drive letter
+  normalized.startsWith("\\\\");
+  if (isAbsolute && !allowAbsolute) {
+    return { valid: false, reason: "Absolute paths are not allowed" };
+  }
+  if (allowedPrefixes.length > 0) {
+    const hasValidPrefix = allowedPrefixes.some((prefix) => {
+      const normalizedPrefix = normalizePathSeparators(prefix);
+      return normalized.startsWith(normalizedPrefix);
+    });
+    if (!hasValidPrefix) {
+      return { valid: false, reason: "Path does not start with an allowed prefix" };
+    }
+  }
+  const segments = normalized.split("/").filter((s) => s && s !== ".");
+  if (segments.length > maxDepth) {
+    return { valid: false, reason: `Path depth exceeds maximum of ${maxDepth}` };
+  }
+  const lastSegment = segments[segments.length - 1] || "";
+  const dotIndex = lastSegment.lastIndexOf(".");
+  const extension = dotIndex > 0 ? lastSegment.slice(dotIndex).toLowerCase() : "";
+  if (extension && blockedExtensions.length > 0) {
+    if (blockedExtensions.map((e) => e.toLowerCase()).includes(extension)) {
+      return { valid: false, reason: `Extension ${extension} is not allowed` };
+    }
+  }
+  if (extension && allowedExtensions && allowedExtensions.length > 0) {
+    if (!allowedExtensions.map((e) => e.toLowerCase()).includes(extension)) {
+      return { valid: false, reason: `Extension ${extension} is not in allowed list` };
+    }
+  }
+  const sanitized = normalized.replace(/\/+/g, "/");
+  return { valid: true, sanitized };
+}
+function sanitizePath(path, config = {}) {
+  if (!path || typeof path !== "string") return "";
+  const { normalize = true, maxLength = 255 } = config;
+  let result = decodePathComponent(path);
+  if (normalize) {
+    result = normalizePathSeparators(result);
+  }
+  result = result.replace(/\0/g, "").replace(/%00/g, "");
+  result = result.replace(/\.\.\//g, "").replace(/\.\.\\/g, "");
+  if (!config.allowAbsolute) {
+    result = result.replace(/^\/+/, "");
+    result = result.replace(/^[a-zA-Z]:/, "");
+    result = result.replace(/^\\\\/, "");
+  }
+  result = result.replace(/\/+/g, "/");
+  result = result.replace(/\/+$/, "");
+  if (result.length > maxLength) {
+    result = result.slice(0, maxLength);
+  }
+  return result;
+}
+function getExtension(path) {
+  if (!path || typeof path !== "string") return "";
+  const normalized = normalizePathSeparators(path);
+  const segments = normalized.split("/");
+  const filename = segments[segments.length - 1] || "";
+  const dotIndex = filename.lastIndexOf(".");
+  if (dotIndex <= 0) return "";
+  return filename.slice(dotIndex).toLowerCase();
+}
+function sanitizeFilename(filename) {
+  if (typeof filename !== "string") return "file";
+  if (!filename) return "file";
+  let result = filename;
+  result = result.replace(/[/\\]/g, "");
+  result = result.replace(/\0/g, "");
+  result = result.replace(/[\x00-\x1f\x7f]/g, "");
+  result = result.replace(/[<>:"|?*]/g, "");
+  result = result.replace(/^[.\s]+|[.\s]+$/g, "");
+  if (result.length > 255) {
+    const ext = getExtension(result);
+    const name = result.slice(0, 255 - ext.length);
+    result = name + ext;
+  }
+  return result || "file";
+}
+
+// src/middleware/validation/validators/file.ts
+var MAGIC_NUMBERS = [
+  // Images
+  { type: "image/jpeg", extension: ".jpg", signature: [255, 216, 255] },
+  { type: "image/png", extension: ".png", signature: [137, 80, 78, 71, 13, 10, 26, 10] },
+  { type: "image/gif", extension: ".gif", signature: [71, 73, 70, 56] },
+  // GIF87a or GIF89a
+  { type: "image/webp", extension: ".webp", signature: [82, 73, 70, 70], offset: 0 },
+  // RIFF
+  { type: "image/bmp", extension: ".bmp", signature: [66, 77] },
+  { type: "image/tiff", extension: ".tiff", signature: [73, 73, 42, 0] },
+  // Little endian
+  { type: "image/tiff", extension: ".tiff", signature: [77, 77, 0, 42] },
+  // Big endian
+  { type: "image/x-icon", extension: ".ico", signature: [0, 0, 1, 0] },
+  { type: "image/svg+xml", extension: ".svg", signature: [60, 63, 120, 109, 108] },
+  // <?xml
+  // Documents
+  { type: "application/pdf", extension: ".pdf", signature: [37, 80, 68, 70] },
+  // %PDF
+  { type: "application/zip", extension: ".zip", signature: [80, 75, 3, 4] },
+  // PK
+  { type: "application/gzip", extension: ".gz", signature: [31, 139] },
+  { type: "application/x-rar-compressed", extension: ".rar", signature: [82, 97, 114, 33] },
+  { type: "application/x-7z-compressed", extension: ".7z", signature: [55, 122, 188, 175, 39, 28] },
+  // Microsoft Office (new format - zip based)
+  { type: "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet", extension: ".xlsx", signature: [80, 75, 3, 4] },
+  { type: "application/vnd.openxmlformats-officedocument.wordprocessingml.document", extension: ".docx", signature: [80, 75, 3, 4] },
+  { type: "application/vnd.openxmlformats-officedocument.presentationml.presentation", extension: ".pptx", signature: [80, 75, 3, 4] },
+  // Microsoft Office (old format)
+  { type: "application/msword", extension: ".doc", signature: [208, 207, 17, 224, 161, 177, 26, 225] },
+  { type: "application/vnd.ms-excel", extension: ".xls", signature: [208, 207, 17, 224, 161, 177, 26, 225] },
+  // Audio
+  { type: "audio/mpeg", extension: ".mp3", signature: [255, 251] },
+  // MP3 frame sync
+  { type: "audio/mpeg", extension: ".mp3", signature: [73, 68, 51] },
+  // ID3
+  { type: "audio/wav", extension: ".wav", signature: [82, 73, 70, 70] },
+  // RIFF
+  { type: "audio/ogg", extension: ".ogg", signature: [79, 103, 103, 83] },
+  { type: "audio/flac", extension: ".flac", signature: [102, 76, 97, 67] },
+  // Video
+  { type: "video/mp4", extension: ".mp4", signature: [0, 0, 0], offset: 0 },
+  // Partial match
+  { type: "video/webm", extension: ".webm", signature: [26, 69, 223, 163] },
+  { type: "video/avi", extension: ".avi", signature: [82, 73, 70, 70] },
+  // RIFF
+  { type: "video/quicktime", extension: ".mov", signature: [0, 0, 0, 20, 102, 116, 121, 112] },
+  // Web
+  { type: "application/wasm", extension: ".wasm", signature: [0, 97, 115, 109] },
+  // \0asm
+  // Fonts
+  { type: "font/woff", extension: ".woff", signature: [119, 79, 70, 70] },
+  { type: "font/woff2", extension: ".woff2", signature: [119, 79, 70, 50] }
+];
+var DEFAULT_MAX_FILE_SIZE = 10 * 1024 * 1024;
+var DEFAULT_MAX_FILES = 10;
+var DANGEROUS_EXTENSIONS = [
+  ".exe",
+  ".dll",
+  ".so",
+  ".dylib",
+  ".bin",
+  ".sh",
+  ".bash",
+  ".bat",
+  ".cmd",
+  ".ps1",
+  ".vbs",
+  ".php",
+  ".asp",
+  ".aspx",
+  ".jsp",
+  ".cgi",
+  ".pl",
+  ".py",
+  ".rb",
+  ".jar",
+  ".class",
+  ".msi",
+  ".dmg",
+  ".pkg",
+  ".deb",
+  ".rpm",
+  ".scr",
+  ".pif",
+  ".com",
+  ".hta"
+];
+function checkMagicNumber(bytes, magicNumber) {
+  const offset = magicNumber.offset || 0;
+  const signature = magicNumber.signature;
+  if (bytes.length < offset + signature.length) {
+    return false;
+  }
+  for (let i = 0; i < signature.length; i++) {
+    if (bytes[offset + i] !== signature[i]) {
+      return false;
+    }
+  }
+  return true;
+}
+function detectFileType(bytes) {
+  for (const magic of MAGIC_NUMBERS) {
+    if (checkMagicNumber(bytes, magic)) {
+      return { type: magic.type, extension: magic.extension };
+    }
+  }
+  return null;
+}
+async function validateFile(file, config = {}) {
+  const {
+    maxSize = DEFAULT_MAX_FILE_SIZE,
+    minSize = 0,
+    allowedTypes = [],
+    blockedTypes = [],
+    allowedExtensions = [],
+    blockedExtensions = DANGEROUS_EXTENSIONS,
+    validateMagicNumbers = true,
+    sanitizeFilename: doSanitize = true
+  } = config;
+  const errors = [];
+  const extension = getExtension(file.name);
+  const info = {
+    filename: doSanitize ? sanitizeFilename(file.name) : file.name,
+    size: file.size,
+    type: file.type,
+    extension
+  };
+  if (file.size > maxSize) {
+    errors.push({
+      filename: file.name,
+      code: "size_exceeded",
+      message: `File size (${formatBytes(file.size)}) exceeds maximum allowed (${formatBytes(maxSize)})`,
+      details: { size: file.size, maxSize }
+    });
+  }
+  if (file.size < minSize) {
+    errors.push({
+      filename: file.name,
+      code: "size_too_small",
+      message: `File size (${formatBytes(file.size)}) is below minimum required (${formatBytes(minSize)})`,
+      details: { size: file.size, minSize }
+    });
+  }
+  if (blockedExtensions.length > 0 && extension) {
+    if (blockedExtensions.map((e) => e.toLowerCase()).includes(extension.toLowerCase())) {
+      errors.push({
+        filename: file.name,
+        code: "extension_not_allowed",
+        message: `File extension '${extension}' is not allowed`,
+        details: { extension, blockedExtensions }
+      });
+    }
+  }
+  if (allowedExtensions.length > 0 && extension) {
+    if (!allowedExtensions.map((e) => e.toLowerCase()).includes(extension.toLowerCase())) {
+      errors.push({
+        filename: file.name,
+        code: "extension_not_allowed",
+        message: `File extension '${extension}' is not in allowed list`,
+        details: { extension, allowedExtensions }
+      });
+    }
+  }
+  if (blockedTypes.length > 0 && file.type) {
+    if (blockedTypes.includes(file.type)) {
+      errors.push({
+        filename: file.name,
+        code: "type_not_allowed",
+        message: `File type '${file.type}' is not allowed`,
+        details: { type: file.type, blockedTypes }
+      });
+    }
+  }
+  if (allowedTypes.length > 0) {
+    if (!allowedTypes.includes(file.type)) {
+      errors.push({
+        filename: file.name,
+        code: "type_not_allowed",
+        message: `File type '${file.type}' is not in allowed list`,
+        details: { type: file.type, allowedTypes }
+      });
+    }
+  }
+  if (validateMagicNumbers && errors.length === 0) {
+    try {
+      const buffer = await file.arrayBuffer();
+      const bytes = new Uint8Array(buffer.slice(0, 32));
+      const detected = detectFileType(bytes);
+      if (detected) {
+        if (file.type && detected.type !== file.type) {
+          const isSimilar = detected.type.startsWith("image/") && file.type.startsWith("image/") || detected.type.startsWith("audio/") && file.type.startsWith("audio/") || detected.type.startsWith("video/") && file.type.startsWith("video/");
+          if (!isSimilar) {
+            errors.push({
+              filename: file.name,
+              code: "invalid_content",
+              message: `File content doesn't match declared type (claimed: ${file.type}, detected: ${detected.type})`,
+              details: { claimed: file.type, detected: detected.type }
+            });
+          }
+        }
+      }
+    } catch {
+    }
+  }
+  return {
+    valid: errors.length === 0,
+    info,
+    errors
+  };
+}
+async function validateFiles(files, config = {}) {
+  const { maxFiles = DEFAULT_MAX_FILES } = config;
+  const allErrors = [];
+  const infos = [];
+  if (files.length > maxFiles) {
+    allErrors.push({
+      filename: "",
+      code: "too_many_files",
+      message: `Too many files (${files.length}), maximum allowed is ${maxFiles}`,
+      details: { count: files.length, maxFiles }
+    });
+  }
+  for (const file of files) {
+    const result = await validateFile(file, config);
+    infos.push(result.info);
+    allErrors.push(...result.errors);
+  }
+  return {
+    valid: allErrors.length === 0,
+    infos,
+    errors: allErrors
+  };
+}
+function extractFilesFromFormData(formData) {
+  const files = /* @__PURE__ */ new Map();
+  formData.forEach((value, key) => {
+    if (value instanceof File) {
+      const existing = files.get(key) || [];
+      existing.push(value);
+      files.set(key, existing);
+    }
+  });
+  return files;
+}
+async function validateFilesFromRequest(request, config = {}) {
+  const contentType = request.headers.get("content-type") || "";
+  if (!contentType.includes("multipart/form-data")) {
+    return { valid: true, files: /* @__PURE__ */ new Map(), errors: [] };
+  }
+  try {
+    const formData = await request.formData();
+    const fileMap = extractFilesFromFormData(formData);
+    const allInfos = /* @__PURE__ */ new Map();
+    const allErrors = [];
+    let totalFileCount = 0;
+    for (const [field, files] of fileMap.entries()) {
+      totalFileCount += files.length;
+      const result = await validateFiles(files, { ...config, maxFiles: Infinity });
+      allInfos.set(field, result.infos);
+      allErrors.push(...result.errors.map((e) => ({ ...e, field })));
+    }
+    const maxFiles = config.maxFiles ?? DEFAULT_MAX_FILES;
+    if (totalFileCount > maxFiles) {
+      allErrors.push({
+        filename: "",
+        code: "too_many_files",
+        message: `Total file count (${totalFileCount}) exceeds maximum (${maxFiles})`,
+        details: { count: totalFileCount, maxFiles }
+      });
+    }
+    return {
+      valid: allErrors.length === 0,
+      files: allInfos,
+      errors: allErrors
+    };
+  } catch {
+    return {
+      valid: false,
+      files: /* @__PURE__ */ new Map(),
+      errors: [{
+        filename: "",
+        code: "invalid_content",
+        message: "Failed to parse multipart form data"
+      }]
+    };
+  }
+}
+function defaultFileErrorResponse(errors) {
+  return new Response(
+    JSON.stringify({
+      error: "file_validation_error",
+      message: "File validation failed",
+      details: errors.map((e) => ({
+        filename: e.filename,
+        field: e.field,
+        code: e.code,
+        message: e.message
+      }))
+    }),
+    {
+      status: 400,
+      headers: { "Content-Type": "application/json" }
+    }
+  );
+}
+function formatBytes(bytes) {
+  if (bytes === 0) return "0 B";
+  const units = ["B", "KB", "MB", "GB"];
+  const k = 1024;
+  const i = Math.floor(Math.log(bytes) / Math.log(k));
+  return `${parseFloat((bytes / Math.pow(k, i)).toFixed(2))} ${units[i]}`;
+}
+
+// src/middleware/validation/sanitizers/xss.ts
+var DEFAULT_ALLOWED_TAGS = [
+  "a",
+  "abbr",
+  "b",
+  "blockquote",
+  "br",
+  "code",
+  "del",
+  "em",
+  "h1",
+  "h2",
+  "h3",
+  "h4",
+  "h5",
+  "h6",
+  "hr",
+  "i",
+  "ins",
+  "li",
+  "mark",
+  "ol",
+  "p",
+  "pre",
+  "q",
+  "s",
+  "small",
+  "span",
+  "strong",
+  "sub",
+  "sup",
+  "u",
+  "ul"
+];
+var DEFAULT_ALLOWED_ATTRIBUTES = {
+  a: ["href", "title", "target", "rel"],
+  img: ["src", "alt", "title", "width", "height"],
+  abbr: ["title"],
+  q: ["cite"],
+  blockquote: ["cite"]
+};
+var DEFAULT_SAFE_PROTOCOLS = ["http:", "https:", "mailto:", "tel:"];
+var DANGEROUS_PATTERNS2 = [
+  // Event handlers
+  /\bon\w+\s*=/gi,
+  // JavaScript protocol
+  /javascript\s*:/gi,
+  // VBScript protocol
+  /vbscript\s*:/gi,
+  // Data URI with scripts
+  /data\s*:[^,]*(?:text\/html|application\/javascript|text\/javascript)/gi,
+  // Expression in CSS
+  /expression\s*\(/gi,
+  // Binding in CSS (Firefox)
+  /-moz-binding\s*:/gi,
+  // Behavior in CSS (IE)
+  /behavior\s*:/gi,
+  // Import in CSS
+  /@import/gi,
+  // Script tags
+  /<\s*script/gi,
+  // Style tags with expressions
+  /<\s*style[^>]*>[^<]*expression/gi,
+  // SVG with scripts
+  /<\s*svg[^>]*onload/gi,
+  // Object/embed/applet tags
+  /<\s*(object|embed|applet)/gi,
+  // Base tag (can redirect resources)
+  /<\s*base/gi,
+  // Meta refresh
+  /<\s*meta[^>]*http-equiv\s*=\s*["']?refresh/gi,
+  // Form action hijacking
+  /<\s*form[^>]*action\s*=\s*["']?javascript/gi,
+  // Link tag with import
+  /<\s*link[^>]*rel\s*=\s*["']?import/gi
+];
+var HTML_ENTITIES = {
+  "&": "&amp;",
+  "<": "&lt;",
+  ">": "&gt;",
+  '"': "&quot;",
+  "'": "&#x27;",
+  "/": "&#x2F;",
+  "`": "&#x60;",
+  "=": "&#x3D;"
+};
+function escapeHtml(str) {
+  return str.replace(/[&<>"'`=/]/g, (char) => HTML_ENTITIES[char] || char);
+}
+function unescapeHtml(str) {
+  const entityMap = {
+    "&amp;": "&",
+    "&lt;": "<",
+    "&gt;": ">",
+    "&quot;": '"',
+    "&#x27;": "'",
+    "&#x2F;": "/",
+    "&#x60;": "`",
+    "&#x3D;": "=",
+    "&#39;": "'",
+    "&#47;": "/"
+  };
+  return str.replace(/&(?:amp|lt|gt|quot|#x27|#x2F|#x60|#x3D|#39|#47);/gi, (entity) => {
+    return entityMap[entity.toLowerCase()] || entity;
+  });
+}
+function stripHtml(str) {
+  let result = str.replace(/<script[^>]*>[\s\S]*?<\/script>/gi, "");
+  result = result.replace(/<style[^>]*>[\s\S]*?<\/style>/gi, "");
+  result = result.replace(/<[^>]*>/g, "");
+  result = unescapeHtml(result);
+  result = result.replace(/\0/g, "");
+  return result.trim();
+}
+function isSafeUrl(url, allowedProtocols = DEFAULT_SAFE_PROTOCOLS) {
+  if (!url) return true;
+  const trimmed = url.trim().toLowerCase();
+  if (trimmed.startsWith("javascript:")) return false;
+  if (trimmed.startsWith("vbscript:")) return false;
+  if (trimmed.startsWith("data:image/")) return true;
+  if (trimmed.startsWith("data:")) return false;
+  try {
+    const parsed = new URL(url, "https://example.com");
+    if (parsed.protocol && !allowedProtocols.includes(parsed.protocol)) {
+      if (!url.includes(":")) return true;
+      return false;
+    }
+  } catch {
+    return true;
+  }
+  return true;
+}
+function sanitizeHtml(str, allowedTags = DEFAULT_ALLOWED_TAGS, allowedAttributes = DEFAULT_ALLOWED_ATTRIBUTES, allowedProtocols = DEFAULT_SAFE_PROTOCOLS) {
+  let result = str.replace(/\0/g, "");
+  result = result.replace(/<script[^>]*>[\s\S]*?<\/script>/gi, "");
+  result = result.replace(/<style[^>]*>[\s\S]*?<\/style>/gi, "");
+  result = result.replace(/<!--[\s\S]*?-->/g, "");
+  result = result.replace(/<\/?([a-z][a-z0-9]*)\b([^>]*)>/gi, (match, tagName, attributes) => {
+    const lowerTag = tagName.toLowerCase();
+    const isClosing = match.startsWith("</");
+    if (!allowedTags.includes(lowerTag)) {
+      return "";
+    }
+    if (isClosing) {
+      return `</${lowerTag}>`;
+    }
+    const allowedAttrs = allowedAttributes[lowerTag] || [];
+    const safeAttrs = [];
+    const attrRegex = /([a-z][a-z0-9-]*)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]*))/gi;
+    let attrMatch;
+    while ((attrMatch = attrRegex.exec(attributes)) !== null) {
+      const attrName = attrMatch[1].toLowerCase();
+      const attrValue = attrMatch[2] || attrMatch[3] || attrMatch[4] || "";
+      if (!allowedAttrs.includes(attrName)) continue;
+      if (DANGEROUS_PATTERNS2.some((pattern) => pattern.test(attrValue))) continue;
+      if (["href", "src", "action", "formaction"].includes(attrName)) {
+        if (!isSafeUrl(attrValue, allowedProtocols)) continue;
+      }
+      const safeValue = escapeHtml(attrValue);
+      safeAttrs.push(`${attrName}="${safeValue}"`);
+    }
+    const attrStr = safeAttrs.length > 0 ? " " + safeAttrs.join(" ") : "";
+    return `<${lowerTag}${attrStr}>`;
+  });
+  for (const pattern of DANGEROUS_PATTERNS2) {
+    result = result.replace(pattern, "");
+  }
+  return result;
+}
+function detectXSS(str) {
+  if (!str || typeof str !== "string") return false;
+  const normalized = str.replace(/\\x([0-9a-f]{2})/gi, (_, hex) => String.fromCharCode(parseInt(hex, 16))).replace(/\\u([0-9a-f]{4})/gi, (_, hex) => String.fromCharCode(parseInt(hex, 16))).replace(/&#x([0-9a-f]+);?/gi, (_, hex) => String.fromCharCode(parseInt(hex, 16))).replace(/&#(\d+);?/gi, (_, dec) => String.fromCharCode(parseInt(dec, 10)));
+  for (const pattern of DANGEROUS_PATTERNS2) {
+    pattern.lastIndex = 0;
+    if (pattern.test(normalized)) {
+      return true;
+    }
+  }
+  return false;
+}
+function sanitize(input, config = {}) {
+  if (!input || typeof input !== "string") return "";
+  const {
+    mode = "escape",
+    allowedTags = DEFAULT_ALLOWED_TAGS,
+    allowedAttributes = DEFAULT_ALLOWED_ATTRIBUTES,
+    allowedProtocols = DEFAULT_SAFE_PROTOCOLS,
+    maxLength,
+    stripNull = true
+  } = config;
+  let result = input;
+  if (stripNull) {
+    result = result.replace(/\0/g, "");
+  }
+  switch (mode) {
+    case "escape":
+      result = escapeHtml(result);
+      break;
+    case "strip":
+      result = stripHtml(result);
+      break;
+    case "allow-safe":
+      result = sanitizeHtml(result, allowedTags, allowedAttributes, allowedProtocols);
+      break;
+  }
+  if (maxLength !== void 0 && result.length > maxLength) {
+    result = result.slice(0, maxLength);
+  }
+  return result;
+}
+function sanitizeObject(obj, config = {}) {
+  if (typeof obj === "string") {
+    return sanitize(obj, config);
+  }
+  if (Array.isArray(obj)) {
+    return obj.map((item) => sanitizeObject(item, config));
+  }
+  if (typeof obj === "object" && obj !== null) {
+    const result = {};
+    for (const [key, value] of Object.entries(obj)) {
+      result[key] = sanitizeObject(value, config);
+    }
+    return result;
+  }
+  return obj;
+}
+function sanitizeFields(obj, fields, config = {}) {
+  const result = { ...obj };
+  for (const field of fields) {
+    if (field in result && typeof result[field] === "string") {
+      result[field] = sanitize(result[field], config);
+    }
+  }
+  return result;
+}
+
+// src/middleware/validation/sanitizers/sql.ts
+var SQL_PATTERNS = [
+  // High severity - Definite attacks
+  {
+    pattern: /'\s*OR\s+'?\d+'?\s*=\s*'?\d+'?/gi,
+    name: "OR '1'='1' attack",
+    severity: "high"
+  },
+  {
+    pattern: /'\s*OR\s+'[^']*'\s*=\s*'[^']*'/gi,
+    name: "OR 'x'='x' attack",
+    severity: "high"
+  },
+  {
+    pattern: /;\s*DROP\s+(TABLE|DATABASE|INDEX|VIEW)/gi,
+    name: "DROP statement",
+    severity: "high"
+  },
+  {
+    pattern: /;\s*DELETE\s+FROM/gi,
+    name: "DELETE statement",
+    severity: "high"
+  },
+  {
+    pattern: /;\s*TRUNCATE\s+/gi,
+    name: "TRUNCATE statement",
+    severity: "high"
+  },
+  {
+    pattern: /;\s*INSERT\s+INTO/gi,
+    name: "INSERT statement",
+    severity: "high"
+  },
+  {
+    pattern: /;\s*UPDATE\s+\w+\s+SET/gi,
+    name: "UPDATE statement",
+    severity: "high"
+  },
+  {
+    pattern: /UNION\s+(ALL\s+)?SELECT/gi,
+    name: "UNION SELECT attack",
+    severity: "high"
+  },
+  {
+    pattern: /EXEC(\s+|\()+(sp_|xp_)/gi,
+    name: "SQL Server stored procedure",
+    severity: "high"
+  },
+  {
+    pattern: /EXECUTE\s+IMMEDIATE/gi,
+    name: "Oracle EXECUTE IMMEDIATE",
+    severity: "high"
+  },
+  {
+    pattern: /INTO\s+(OUT|DUMP)FILE/gi,
+    name: "MySQL file write",
+    severity: "high"
+  },
+  {
+    pattern: /LOAD_FILE\s*\(/gi,
+    name: "MySQL file read",
+    severity: "high"
+  },
+  {
+    pattern: /BENCHMARK\s*\(\s*\d+\s*,/gi,
+    name: "MySQL BENCHMARK DoS",
+    severity: "high"
+  },
+  {
+    pattern: /SLEEP\s*\(\s*\d+\s*\)/gi,
+    name: "SQL SLEEP time-based attack",
+    severity: "high"
+  },
+  {
+    pattern: /WAITFOR\s+DELAY/gi,
+    name: "SQL Server WAITFOR DELAY",
+    severity: "high"
+  },
+  {
+    pattern: /PG_SLEEP\s*\(/gi,
+    name: "PostgreSQL pg_sleep",
+    severity: "high"
+  },
+  // Medium severity - Likely attacks
+  {
+    pattern: /'\s*--/g,
+    name: "SQL comment injection",
+    severity: "medium"
+  },
+  {
+    pattern: /'\s*#/g,
+    name: "MySQL comment injection",
+    severity: "medium"
+  },
+  {
+    pattern: /\/\*[\s\S]*?\*\//g,
+    name: "Block comment",
+    severity: "medium"
+  },
+  {
+    pattern: /'\s*;\s*$/g,
+    name: "Statement terminator",
+    severity: "medium"
+  },
+  {
+    pattern: /HAVING\s+\d+\s*=\s*\d+/gi,
+    name: "HAVING clause injection",
+    severity: "medium"
+  },
+  {
+    pattern: /GROUP\s+BY\s+\d+/gi,
+    name: "GROUP BY injection",
+    severity: "medium"
+  },
+  {
+    pattern: /ORDER\s+BY\s+\d+/gi,
+    name: "ORDER BY injection",
+    severity: "medium"
+  },
+  {
+    pattern: /CONCAT\s*\(/gi,
+    name: "CONCAT function",
+    severity: "medium"
+  },
+  {
+    pattern: /CHAR\s*\(\s*\d+\s*\)/gi,
+    name: "CHAR function bypass",
+    severity: "medium"
+  },
+  {
+    pattern: /0x[0-9a-f]{2,}/gi,
+    name: "Hex encoded value",
+    severity: "medium"
+  },
+  {
+    pattern: /CONVERT\s*\(/gi,
+    name: "CONVERT function",
+    severity: "medium"
+  },
+  {
+    pattern: /CAST\s*\(/gi,
+    name: "CAST function",
+    severity: "medium"
+  },
+  // Low severity - Suspicious but may be false positives
+  {
+    pattern: /'\s*AND\s+'?\d+'?\s*=\s*'?\d+'?/gi,
+    name: "AND '1'='1' pattern",
+    severity: "low"
+  },
+  {
+    pattern: /'\s*AND\s+'[^']*'\s*=\s*'[^']*'/gi,
+    name: "AND 'x'='x' pattern",
+    severity: "low"
+  },
+  {
+    pattern: /SELECT\s+[\w\s,*]+\s+FROM/gi,
+    name: "SELECT statement",
+    severity: "low"
+  },
+  {
+    pattern: /'\s*\+\s*'/g,
+    name: "String concatenation",
+    severity: "low"
+  },
+  {
+    pattern: /'\s*\|\|\s*'/g,
+    name: "Oracle string concatenation",
+    severity: "low"
+  }
+];
+var ENCODED_PATTERNS = [
+  {
+    pattern: /%27\s*%4f%52\s*%27/gi,
+    // URL encoded ' OR '
+    name: "URL encoded OR injection",
+    severity: "high"
+  },
+  {
+    pattern: /%27\s*%2d%2d/gi,
+    // URL encoded ' --
+    name: "URL encoded comment injection",
+    severity: "medium"
+  },
+  {
+    pattern: /\0|%00/g,
+    // Null byte (decoded or encoded)
+    name: "Null byte injection",
+    severity: "high"
+  },
+  {
+    pattern: /\\x27/gi,
+    // Hex escape
+    name: "Hex escaped quote",
+    severity: "medium"
+  },
+  {
+    pattern: /\\u0027/gi,
+    // Unicode escape
+    name: "Unicode escaped quote",
+    severity: "medium"
+  }
+];
+function normalizeInput(input) {
+  let result = input;
+  try {
+    result = decodeURIComponent(result);
+  } catch {
+  }
+  result = result.replace(/&#x([0-9a-f]+);?/gi, (_, hex) => String.fromCharCode(parseInt(hex, 16))).replace(/&#(\d+);?/gi, (_, dec) => String.fromCharCode(parseInt(dec, 10))).replace(/&quot;/gi, '"').replace(/&apos;/gi, "'").replace(/&lt;/gi, "<").replace(/&gt;/gi, ">").replace(/&amp;/gi, "&");
+  result = result.replace(
+    /\\x([0-9a-f]{2})/gi,
+    (_, hex) => String.fromCharCode(parseInt(hex, 16))
+  );
+  result = result.replace(
+    /\\u([0-9a-f]{4})/gi,
+    (_, hex) => String.fromCharCode(parseInt(hex, 16))
+  );
+  return result;
+}
+function detectSQLInjection(input, options = {}) {
+  if (!input || typeof input !== "string") return [];
+  const {
+    customPatterns = [],
+    checkEncoded = true,
+    minSeverity = "low"
+  } = options;
+  const severityOrder = { low: 0, medium: 1, high: 2 };
+  const minSeverityLevel = severityOrder[minSeverity];
+  const detections = [];
+  const seenPatterns = /* @__PURE__ */ new Set();
+  const normalizedInput = checkEncoded ? normalizeInput(input) : input;
+  const allPatterns = [
+    ...SQL_PATTERNS,
+    ...checkEncoded ? ENCODED_PATTERNS : [],
+    ...customPatterns.map((p) => ({ pattern: p, name: "Custom pattern", severity: "high" }))
+  ];
+  for (const { pattern, name, severity } of allPatterns) {
+    if (severityOrder[severity] < minSeverityLevel) continue;
+    pattern.lastIndex = 0;
+    const testInput = checkEncoded ? normalizedInput : input;
+    if (pattern.test(testInput)) {
+      const key = `${name}:${severity}`;
+      if (!seenPatterns.has(key)) {
+        seenPatterns.add(key);
+        detections.push({
+          field: "",
+          // Will be set by caller
+          value: input,
+          pattern: name,
+          severity
+        });
+      }
+    }
+  }
+  return detections;
+}
+function hasSQLInjection(input, minSeverity = "medium") {
+  return detectSQLInjection(input, { minSeverity }).length > 0;
+}
+function sanitizeSQLInput(input) {
+  if (!input || typeof input !== "string") return "";
+  let result = input;
+  result = result.replace(/\0/g, "");
+  result = result.replace(/'/g, "''");
+  result = result.replace(/;/g, "");
+  result = result.replace(/--/g, "");
+  result = result.replace(/\/\*/g, "");
+  result = result.replace(/\*\//g, "");
+  result = result.replace(/0x[0-9a-f]+/gi, "");
+  return result;
+}
+function detectSQLInjectionInObject(obj, options = {}) {
+  const { fields, deep = true, customPatterns, minSeverity } = options;
+  const detections = [];
+  function walk(value, path) {
+    if (typeof value === "string") {
+      if (fields && fields.length > 0) {
+        const fieldName = path.split(".").pop() || path;
+        if (!fields.includes(fieldName)) return;
+      }
+      const detected = detectSQLInjection(value, { customPatterns, minSeverity });
+      for (const d of detected) {
+        detections.push({ ...d, field: path });
+      }
+    } else if (deep && Array.isArray(value)) {
+      value.forEach((item, i) => walk(item, `${path}[${i}]`));
+    } else if (deep && typeof value === "object" && value !== null) {
+      for (const [key, val] of Object.entries(value)) {
+        walk(val, path ? `${path}.${key}` : key);
+      }
+    }
+  }
+  walk(obj, "");
+  return detections;
+}
+
+// src/middleware/validation/middleware.ts
+function withValidation(handler, config) {
+  const onError = config.onError || ((_, errors) => defaultValidationErrorResponse(errors));
+  return async (req) => {
+    const result = await validateRequest(req, {
+      body: config.body,
+      query: config.query,
+      params: config.params,
+      routeParams: config.routeParams
+    });
+    if (!result.success) {
+      return onError(req, result.errors || []);
+    }
+    return handler(req, { validated: result.data });
+  };
+}
+function withSanitization(handler, config = {}) {
+  const {
+    fields,
+    mode = "escape",
+    allowedTags,
+    skip,
+    onSanitized
+  } = config;
+  return async (req) => {
+    if (skip && await skip(req)) {
+      return handler(req, { sanitized: null, changes: [] });
+    }
+    let body;
+    try {
+      body = await req.json();
+    } catch {
+      return handler(req, { sanitized: null, changes: [] });
+    }
+    const changes = [];
+    const sanitized = walkObject(body, (value, path) => {
+      if (fields && fields.length > 0) {
+        const fieldName = path.split(".").pop() || path;
+        if (!fields.includes(fieldName)) {
+          return value;
+        }
+      }
+      const cleaned = sanitize(value, { mode, allowedTags });
+      if (cleaned !== value) {
+        changes.push({
+          field: path,
+          original: value,
+          sanitized: cleaned
+        });
+      }
+      return cleaned;
+    }, "");
+    if (onSanitized && changes.length > 0) {
+      onSanitized(req, changes);
+    }
+    return handler(req, { sanitized, changes });
+  };
+}
+function withXSSProtection(handler, config = {}) {
+  const { fields, onDetection, checkQuery = true } = config;
+  return async (req) => {
+    const detections = [];
+    if (checkQuery) {
+      const url = new URL(req.url);
+      for (const [key, value] of url.searchParams.entries()) {
+        if (detectXSS(value)) {
+          detections.push({ field: `query.${key}`, value });
+        }
+      }
+    }
+    let body;
+    try {
+      body = await req.json();
+    } catch {
+      body = null;
+    }
+    if (body) {
+      walkObject(body, (value, path) => {
+        if (fields && fields.length > 0) {
+          const fieldName = path.split(".").pop() || path;
+          if (!fields.includes(fieldName)) {
+            return value;
+          }
+        }
+        if (detectXSS(value)) {
+          detections.push({ field: path, value });
+        }
+        return value;
+      }, "");
+    }
+    if (detections.length > 0) {
+      if (onDetection) {
+        for (const { field, value } of detections) {
+          const result = await onDetection(req, field, value);
+          if (result instanceof Response) {
+            return result;
+          }
+        }
+      }
+      return new Response(
+        JSON.stringify({
+          error: "xss_detected",
+          message: "Potentially malicious content detected",
+          fields: detections.map((d) => d.field)
+        }),
+        {
+          status: 400,
+          headers: { "Content-Type": "application/json" }
+        }
+      );
+    }
+    return handler(req);
+  };
+}
+function withSQLProtection(handler, config = {}) {
+  const {
+    fields,
+    deep = true,
+    mode = "block",
+    customPatterns,
+    allowList = [],
+    onDetection
+  } = config;
+  return async (req) => {
+    let body;
+    try {
+      body = await req.json();
+    } catch {
+      return handler(req);
+    }
+    const detections = detectSQLInjectionInObject(body, {
+      fields,
+      deep,
+      customPatterns,
+      minSeverity: mode === "detect" ? "low" : "medium"
+    });
+    const filtered = detections.filter((d) => !allowList.includes(d.value));
+    if (filtered.length > 0) {
+      if (onDetection) {
+        const result = await onDetection(req, filtered);
+        if (result instanceof Response) {
+          return result;
+        }
+      }
+      if (mode === "block") {
+        return new Response(
+          JSON.stringify({
+            error: "sql_injection_detected",
+            message: "Potentially malicious SQL detected",
+            detections: filtered.map((d) => ({
+              field: d.field,
+              pattern: d.pattern,
+              severity: d.severity
+            }))
+          }),
+          {
+            status: 400,
+            headers: { "Content-Type": "application/json" }
+          }
+        );
+      }
+    }
+    return handler(req);
+  };
+}
+function withContentType(handler, config) {
+  const onInvalid = config.onInvalid || ((_, contentType) => defaultContentTypeErrorResponse(contentType, `Content-Type '${contentType}' is not allowed`));
+  return async (req) => {
+    const result = validateContentType(req, config);
+    if (!result.valid) {
+      return onInvalid(req, result.contentType);
+    }
+    return handler(req);
+  };
+}
+function withFileValidation(handler, config = {}) {
+  const onInvalid = config.onInvalid || ((_, errors) => defaultFileErrorResponse(errors));
+  return async (req) => {
+    const result = await validateFilesFromRequest(req, config);
+    if (!result.valid) {
+      return onInvalid(req, result.errors);
+    }
+    return handler(req, { files: result.files });
+  };
+}
+function withSecureValidation(handler, config) {
+  return async (req) => {
+    const allErrors = [];
+    if (config.contentType) {
+      const ctResult = validateContentType(req, config.contentType);
+      if (!ctResult.valid) {
+        allErrors.push({
+          field: "Content-Type",
+          code: "invalid_content_type",
+          message: ctResult.reason || "Invalid Content-Type"
+        });
+      }
+    }
+    let files;
+    if (config.files) {
+      const fileResult = await validateFilesFromRequest(req, config.files);
+      if (!fileResult.valid) {
+        allErrors.push(...fileResult.errors.map((e) => ({
+          field: e.field || e.filename,
+          code: e.code,
+          message: e.message
+        })));
+      } else {
+        files = fileResult.files;
+      }
+    }
+    if (allErrors.length > 0) {
+      const onError = config.onError || ((_, errors) => defaultValidationErrorResponse(errors));
+      return onError(req, allErrors);
+    }
+    let validated;
+    if (config.schema) {
+      const schemaResult = await validateRequest(req, {
+        body: config.schema.body,
+        query: config.schema.query,
+        params: config.schema.params,
+        routeParams: config.routeParams
+      });
+      if (!schemaResult.success) {
+        allErrors.push(...schemaResult.errors || []);
+      } else {
+        validated = schemaResult.data;
+      }
+    } else {
+      validated = {
+        body: {},
+        query: {},
+        params: {}
+      };
+    }
+    if (config.sql && validated?.body) {
+      const sqlDetections = detectSQLInjectionInObject(validated.body, {
+        fields: config.sql.fields,
+        deep: config.sql.deep,
+        customPatterns: config.sql.customPatterns
+      });
+      if (sqlDetections.length > 0 && config.sql.mode !== "detect") {
+        allErrors.push(...sqlDetections.map((d) => ({
+          field: d.field,
+          code: "sql_injection",
+          message: `Potential SQL injection detected: ${d.pattern}`
+        })));
+      }
+    }
+    if (config.xss?.enabled && validated?.body) {
+      walkObject(validated.body, (value, path) => {
+        if (config.xss?.fields && config.xss.fields.length > 0) {
+          const fieldName = path.split(".").pop() || path;
+          if (!config.xss.fields.includes(fieldName)) {
+            return value;
+          }
+        }
+        if (detectXSS(value)) {
+          allErrors.push({
+            field: path,
+            code: "xss_detected",
+            message: "Potentially malicious content detected"
+          });
+        }
+        return value;
+      }, "");
+    }
+    if (allErrors.length > 0) {
+      const onError = config.onError || ((_, errors) => defaultValidationErrorResponse(errors));
+      return onError(req, allErrors);
+    }
+    return handler(req, { validated, files });
+  };
+}
+
+// src/middleware/audit/stores/memory.ts
+var MemoryStore2 = class {
+  entries = [];
+  maxEntries;
+  ttl;
+  constructor(options = {}) {
+    this.maxEntries = options.maxEntries || 1e3;
+    this.ttl = options.ttl || 0;
+  }
+  async write(entry) {
+    this.entries.push(entry);
+    if (this.entries.length > this.maxEntries) {
+      this.entries = this.entries.slice(-this.maxEntries);
+    }
+    if (this.ttl > 0) {
+      this.cleanExpired();
+    }
+  }
+  async query(options = {}) {
+    let result = [...this.entries];
+    if (options.level) {
+      const levels = Array.isArray(options.level) ? options.level : [options.level];
+      result = result.filter((e) => levels.includes(e.level));
+    }
+    if (options.type) {
+      result = result.filter((e) => e.type === options.type);
+    }
+    if (options.event) {
+      const events = Array.isArray(options.event) ? options.event : [options.event];
+      result = result.filter(
+        (e) => e.type === "security" && events.includes(e.event)
+      );
+    }
+    if (options.startTime) {
+      result = result.filter((e) => e.timestamp >= options.startTime);
+    }
+    if (options.endTime) {
+      result = result.filter((e) => e.timestamp <= options.endTime);
+    }
+    if (options.ip) {
+      result = result.filter((e) => {
+        if (e.type === "request") return e.request.ip === options.ip;
+        if (e.type === "security") return e.source.ip === options.ip;
+        return false;
+      });
+    }
+    if (options.userId) {
+      result = result.filter((e) => {
+        if (e.type === "request") return e.user?.id === options.userId;
+        if (e.type === "security") return e.source.userId === options.userId;
+        return false;
+      });
+    }
+    if (options.offset) {
+      result = result.slice(options.offset);
+    }
+    if (options.limit) {
+      result = result.slice(0, options.limit);
+    }
+    return result;
+  }
+  async flush() {
+  }
+  async close() {
+    this.entries = [];
+  }
+  /**
+   * Get all entries (for testing)
+   */
+  getEntries() {
+    return [...this.entries];
+  }
+  /**
+   * Clear all entries
+   */
+  clear() {
+    this.entries = [];
+  }
+  /**
+   * Get entry count
+   */
+  size() {
+    return this.entries.length;
+  }
+  /**
+   * Clean expired entries
+   */
+  cleanExpired() {
+    if (this.ttl <= 0) return;
+    const now = Date.now();
+    this.entries = this.entries.filter((e) => {
+      const age = now - e.timestamp.getTime();
+      return age < this.ttl;
+    });
+  }
+};
+function createMemoryStore2(options) {
+  return new MemoryStore2(options);
+}
+
+// src/middleware/audit/stores/console.ts
+var COLORS = {
+  reset: "\x1B[0m",
+  bold: "\x1B[1m",
+  dim: "\x1B[2m",
+  // Log levels
+  debug: "\x1B[36m",
+  // Cyan
+  info: "\x1B[32m",
+  // Green
+  warn: "\x1B[33m",
+  // Yellow
+  error: "\x1B[31m",
+  // Red
+  critical: "\x1B[35m",
+  // Magenta
+  // Security severity
+  low: "\x1B[36m",
+  // Cyan
+  medium: "\x1B[33m",
+  // Yellow
+  high: "\x1B[31m",
+  // Red
+  // Other
+  timestamp: "\x1B[90m",
+  // Gray
+  method: "\x1B[34m",
+  // Blue
+  status2xx: "\x1B[32m",
+  // Green
+  status3xx: "\x1B[36m",
+  // Cyan
+  status4xx: "\x1B[33m",
+  // Yellow
+  status5xx: "\x1B[31m"
+  // Red
+};
+var LEVEL_PRIORITY = {
+  debug: 0,
+  info: 1,
+  warn: 2,
+  error: 3,
+  critical: 4
+};
+var ConsoleStore = class {
+  colorize;
+  showTimestamp;
+  pretty;
+  minLevel;
+  constructor(options = {}) {
+    this.colorize = options.colorize ?? process.env.NODE_ENV !== "production";
+    this.showTimestamp = options.timestamp ?? true;
+    this.pretty = options.pretty ?? false;
+    this.minLevel = options.level || "info";
+  }
+  async write(entry) {
+    if (LEVEL_PRIORITY[entry.level] < LEVEL_PRIORITY[this.minLevel]) {
+      return;
+    }
+    const output = this.pretty ? this.formatPretty(entry) : this.formatCompact(entry);
+    switch (entry.level) {
+      case "debug":
+        console.debug(output);
+        break;
+      case "info":
+        console.info(output);
+        break;
+      case "warn":
+        console.warn(output);
+        break;
+      case "error":
+      case "critical":
+        console.error(output);
+        break;
+      default:
+        console.log(output);
+    }
+  }
+  async flush() {
+  }
+  async close() {
+  }
+  /**
+   * Format entry in compact single-line format
+   */
+  formatCompact(entry) {
+    const parts = [];
+    if (this.showTimestamp) {
+      const ts = entry.timestamp.toISOString();
+      parts.push(this.color(ts, "timestamp"));
+    }
+    parts.push(this.colorLevel(entry.level));
+    if (entry.type === "request") {
+      const req = entry.request;
+      const res = entry.response;
+      parts.push(this.color(req.method, "method"));
+      parts.push(req.path);
+      if (res) {
+        parts.push(this.colorStatus(res.status));
+        parts.push(this.color(`${res.duration}ms`, "dim"));
+      }
+      if (req.ip) {
+        parts.push(this.color(`[${req.ip}]`, "dim"));
+      }
+      if (entry.user?.id) {
+        parts.push(this.color(`user:${entry.user.id}`, "dim"));
+      }
+      if (entry.error) {
+        parts.push(this.color(`ERROR: ${entry.error.message}`, "error"));
+      }
+    } else if (entry.type === "security") {
+      parts.push(this.colorSeverity(entry.severity));
+      parts.push(entry.event);
+      if (entry.source.ip) {
+        parts.push(this.color(`[${entry.source.ip}]`, "dim"));
+      }
+      if (entry.source.userId) {
+        parts.push(this.color(`user:${entry.source.userId}`, "dim"));
+      }
+      parts.push(entry.message);
+    }
+    return parts.join(" ");
+  }
+  /**
+   * Format entry in pretty multi-line format
+   */
+  formatPretty(entry) {
+    const lines = [];
+    const header = [
+      this.color(entry.timestamp.toISOString(), "timestamp"),
+      this.colorLevel(entry.level),
+      `[${entry.type.toUpperCase()}]`
+    ].join(" ");
+    lines.push(header);
+    if (entry.type === "request") {
+      const req = entry.request;
+      const res = entry.response;
+      lines.push(`  ${this.color(req.method, "method")} ${req.url}`);
+      if (req.ip) lines.push(`  IP: ${req.ip}`);
+      if (req.userAgent) lines.push(`  UA: ${req.userAgent}`);
+      if (res) {
+        lines.push(`  Status: ${this.colorStatus(res.status)} (${res.duration}ms)`);
+      }
+      if (entry.user) {
+        lines.push(`  User: ${JSON.stringify(entry.user)}`);
+      }
+      if (entry.error) {
+        lines.push(`  ${this.color("Error:", "error")} ${entry.error.message}`);
+        if (entry.error.stack) {
+          lines.push(`  ${this.color(entry.error.stack, "dim")}`);
+        }
+      }
+    } else if (entry.type === "security") {
+      lines.push(`  Event: ${entry.event}`);
+      lines.push(`  Severity: ${this.colorSeverity(entry.severity)}`);
+      lines.push(`  Message: ${entry.message}`);
+      if (entry.source.ip) lines.push(`  Source IP: ${entry.source.ip}`);
+      if (entry.source.userId) lines.push(`  Source User: ${entry.source.userId}`);
+      if (entry.target) {
+        lines.push(`  Target: ${JSON.stringify(entry.target)}`);
+      }
+      if (entry.details) {
+        lines.push(`  Details: ${JSON.stringify(entry.details)}`);
+      }
+    }
+    if (entry.metadata && Object.keys(entry.metadata).length > 0) {
+      lines.push(`  Metadata: ${JSON.stringify(entry.metadata)}`);
+    }
+    return lines.join("\n");
+  }
+  /**
+   * Apply color if enabled
+   */
+  color(text, colorName) {
+    if (!this.colorize) return text;
+    return `${COLORS[colorName]}${text}${COLORS.reset}`;
+  }
+  /**
+   * Color log level
+   */
+  colorLevel(level) {
+    const text = level.toUpperCase().padEnd(8);
+    if (!this.colorize) return `[${text}]`;
+    return `[${COLORS[level]}${text}${COLORS.reset}]`;
+  }
+  /**
+   * Color HTTP status
+   */
+  colorStatus(status) {
+    const text = status.toString();
+    if (!this.colorize) return text;
+    if (status >= 500) return `${COLORS.status5xx}${text}${COLORS.reset}`;
+    if (status >= 400) return `${COLORS.status4xx}${text}${COLORS.reset}`;
+    if (status >= 300) return `${COLORS.status3xx}${text}${COLORS.reset}`;
+    return `${COLORS.status2xx}${text}${COLORS.reset}`;
+  }
+  /**
+   * Color severity
+   */
+  colorSeverity(severity) {
+    const text = `[${severity.toUpperCase()}]`;
+    if (!this.colorize) return text;
+    const colorKey = severity === "critical" ? "critical" : severity;
+    return `${COLORS[colorKey]}${text}${COLORS.reset}`;
+  }
+};
+function createConsoleStore(options) {
+  return new ConsoleStore(options);
+}
+
+// src/middleware/audit/stores/external.ts
+var ExternalStore = class {
+  endpoint;
+  headers;
+  batchSize;
+  flushInterval;
+  retryAttempts;
+  timeout;
+  buffer = [];
+  flushTimer = null;
+  isFlushing = false;
+  constructor(options) {
+    this.endpoint = options.endpoint;
+    this.headers = {
+      "Content-Type": "application/json",
+      ...options.apiKey ? { "Authorization": `Bearer ${options.apiKey}` } : {},
+      ...options.headers
+    };
+    this.batchSize = options.batchSize || 100;
+    this.flushInterval = options.flushInterval || 5e3;
+    this.retryAttempts = options.retryAttempts || 3;
+    this.timeout = options.timeout || 1e4;
+    if (this.flushInterval > 0) {
+      this.flushTimer = setInterval(() => this.flush(), this.flushInterval);
+    }
+  }
+  async write(entry) {
+    this.buffer.push(entry);
+    if (this.buffer.length >= this.batchSize) {
+      await this.flush();
+    }
+  }
+  async flush() {
+    if (this.isFlushing || this.buffer.length === 0) return;
+    this.isFlushing = true;
+    const entries = [...this.buffer];
+    this.buffer = [];
+    try {
+      await this.send(entries);
+    } catch (error) {
+      this.buffer = [...entries, ...this.buffer];
+      console.error("[ExternalStore] Failed to flush logs:", error);
+    } finally {
+      this.isFlushing = false;
+    }
+  }
+  async close() {
+    if (this.flushTimer) {
+      clearInterval(this.flushTimer);
+      this.flushTimer = null;
+    }
+    await this.flush();
+  }
+  /**
+   * Send entries to external endpoint
+   */
+  async send(entries) {
+    let lastError = null;
+    for (let attempt = 0; attempt < this.retryAttempts; attempt++) {
+      try {
+        const controller = new AbortController();
+        const timeoutId = setTimeout(() => controller.abort(), this.timeout);
+        const response = await fetch(this.endpoint, {
+          method: "POST",
+          headers: this.headers,
+          body: JSON.stringify({
+            logs: entries.map((e) => this.serialize(e)),
+            timestamp: (/* @__PURE__ */ new Date()).toISOString(),
+            count: entries.length
+          }),
+          signal: controller.signal
+        });
+        clearTimeout(timeoutId);
+        if (!response.ok) {
+          throw new Error(`HTTP ${response.status}: ${response.statusText}`);
+        }
+        return;
+      } catch (error) {
+        lastError = error instanceof Error ? error : new Error(String(error));
+        if (attempt < this.retryAttempts - 1) {
+          await this.sleep(Math.pow(2, attempt) * 1e3);
+        }
+      }
+    }
+    throw lastError || new Error("Failed to send logs");
+  }
+  /**
+   * Serialize entry for transmission
+   */
+  serialize(entry) {
+    return {
+      ...entry,
+      timestamp: entry.timestamp.toISOString()
+    };
+  }
+  /**
+   * Sleep helper
+   */
+  sleep(ms) {
+    return new Promise((resolve) => setTimeout(resolve, ms));
+  }
+  /**
+   * Get buffer size (for monitoring)
+   */
+  getBufferSize() {
+    return this.buffer.length;
+  }
+};
+function createExternalStore(options) {
+  return new ExternalStore(options);
+}
+function createDatadogStore(options) {
+  const site = options.site || "datadoghq.com";
+  const endpoint = `https://http-intake.logs.${site}/api/v2/logs`;
+  return new ExternalStore({
+    endpoint,
+    headers: {
+      "DD-API-KEY": options.apiKey,
+      "Content-Type": "application/json"
+    },
+    batchSize: options.batchSize || 100,
+    flushInterval: options.flushInterval || 5e3
+  });
+}
+var MultiStore = class {
+  stores;
+  constructor(stores) {
+    this.stores = stores;
+  }
+  async write(entry) {
+    await Promise.all(this.stores.map((store) => store.write(entry)));
+  }
+  async query(options) {
+    for (const store of this.stores) {
+      if (store.query) {
+        return store.query(options);
+      }
+    }
+    return [];
+  }
+  async flush() {
+    await Promise.all(this.stores.map((store) => store.flush?.()));
+  }
+  async close() {
+    await Promise.all(this.stores.map((store) => store.close?.()));
+  }
+};
+function createMultiStore(stores) {
+  return new MultiStore(stores);
+}
+
+// src/middleware/audit/formatters.ts
+var JSONFormatter = class {
+  pretty;
+  includeTimestamp;
+  constructor(options = {}) {
+    this.pretty = options.pretty ?? false;
+    this.includeTimestamp = options.includeTimestamp ?? true;
+  }
+  format(entry) {
+    const output = {
+      ...entry,
+      timestamp: this.includeTimestamp ? entry.timestamp.toISOString() : void 0
+    };
+    return this.pretty ? JSON.stringify(output, null, 2) : JSON.stringify(output);
+  }
+};
+var TextFormatter = class {
+  template;
+  dateFormat;
+  constructor(options = {}) {
+    this.template = options.template || "{timestamp} [{level}] {message}";
+    this.dateFormat = options.dateFormat || "iso";
+  }
+  format(entry) {
+    let output = this.template;
+    output = output.replace("{timestamp}", this.formatDate(entry.timestamp));
+    output = output.replace("{level}", entry.level.toUpperCase().padEnd(8));
+    output = output.replace("{message}", entry.message);
+    output = output.replace("{type}", entry.type);
+    output = output.replace("{id}", entry.id);
+    if (entry.category) {
+      output = output.replace("{category}", entry.category);
+    }
+    if (entry.type === "request") {
+      output = output.replace("{method}", entry.request.method);
+      output = output.replace("{path}", entry.request.path);
+      output = output.replace("{url}", entry.request.url);
+      output = output.replace("{ip}", entry.request.ip || "-");
+      output = output.replace("{status}", entry.response?.status?.toString() || "-");
+      output = output.replace("{duration}", entry.response?.duration?.toString() || "-");
+    }
+    if (entry.type === "security") {
+      output = output.replace("{event}", entry.event);
+      output = output.replace("{severity}", entry.severity);
+    }
+    return output;
+  }
+  formatDate(date) {
+    switch (this.dateFormat) {
+      case "utc":
+        return date.toUTCString();
+      case "local":
+        return date.toLocaleString();
+      case "iso":
+      default:
+        return date.toISOString();
+    }
+  }
+};
+var CLFFormatter = class {
+  format(entry) {
+    if (entry.type !== "request") {
+      return `[${entry.timestamp.toISOString()}] ${entry.level.toUpperCase()} ${entry.message}`;
+    }
+    const req = entry.request;
+    const res = entry.response;
+    const host = req.ip || "-";
+    const ident = "-";
+    const authuser = entry.user?.id || "-";
+    const date = this.formatCLFDate(entry.timestamp);
+    const request = `${req.method} ${req.path} HTTP/1.1`;
+    const status = res?.status || 0;
+    const bytes = res?.contentLength || 0;
+    return `${host} ${ident} ${authuser} [${date}] "${request}" ${status} ${bytes}`;
+  }
+  formatCLFDate(date) {
+    const months = [
+      "Jan",
+      "Feb",
+      "Mar",
+      "Apr",
+      "May",
+      "Jun",
+      "Jul",
+      "Aug",
+      "Sep",
+      "Oct",
+      "Nov",
+      "Dec"
+    ];
+    const day = date.getDate().toString().padStart(2, "0");
+    const month = months[date.getMonth()];
+    const year = date.getFullYear();
+    const hours = date.getHours().toString().padStart(2, "0");
+    const minutes = date.getMinutes().toString().padStart(2, "0");
+    const seconds = date.getSeconds().toString().padStart(2, "0");
+    const offset = -date.getTimezoneOffset();
+    const offsetSign = offset >= 0 ? "+" : "-";
+    const offsetHours = Math.floor(Math.abs(offset) / 60).toString().padStart(2, "0");
+    const offsetMins = (Math.abs(offset) % 60).toString().padStart(2, "0");
+    return `${day}/${month}/${year}:${hours}:${minutes}:${seconds} ${offsetSign}${offsetHours}${offsetMins}`;
+  }
+};
+var StructuredFormatter = class {
+  delimiter;
+  kvSeparator;
+  constructor(options = {}) {
+    this.delimiter = options.delimiter || " ";
+    this.kvSeparator = options.kvSeparator || "=";
+  }
+  format(entry) {
+    const pairs = [];
+    pairs.push(this.pair("timestamp", entry.timestamp.toISOString()));
+    pairs.push(this.pair("level", entry.level));
+    pairs.push(this.pair("type", entry.type));
+    pairs.push(this.pair("id", entry.id));
+    pairs.push(this.pair("message", this.escape(entry.message)));
+    if (entry.category) {
+      pairs.push(this.pair("category", entry.category));
+    }
+    if (entry.type === "request") {
+      pairs.push(this.pair("method", entry.request.method));
+      pairs.push(this.pair("path", entry.request.path));
+      if (entry.request.ip) pairs.push(this.pair("ip", entry.request.ip));
+      if (entry.response) {
+        pairs.push(this.pair("status", entry.response.status.toString()));
+        pairs.push(this.pair("duration_ms", entry.response.duration.toString()));
+      }
+      if (entry.user?.id) pairs.push(this.pair("user_id", entry.user.id));
+      if (entry.error) {
+        pairs.push(this.pair("error", this.escape(entry.error.message)));
+      }
+    }
+    if (entry.type === "security") {
+      pairs.push(this.pair("event", entry.event));
+      pairs.push(this.pair("severity", entry.severity));
+      if (entry.source.ip) pairs.push(this.pair("source_ip", entry.source.ip));
+      if (entry.source.userId) pairs.push(this.pair("source_user", entry.source.userId));
+    }
+    return pairs.join(this.delimiter);
+  }
+  pair(key, value) {
+    return `${key}${this.kvSeparator}${value}`;
+  }
+  escape(value) {
+    if (value.includes(" ") || value.includes('"')) {
+      return `"${value.replace(/"/g, '\\"')}"`;
+    }
+    return value;
+  }
+};
+function createJSONFormatter(options) {
+  return new JSONFormatter(options);
+}
+function createTextFormatter(options) {
+  return new TextFormatter(options);
+}
+function createCLFFormatter() {
+  return new CLFFormatter();
+}
+function createStructuredFormatter(options) {
+  return new StructuredFormatter(options);
+}
+
+// src/middleware/audit/redaction.ts
+var DEFAULT_PII_FIELDS = [
+  // Authentication
+  "password",
+  "passwd",
+  "secret",
+  "token",
+  "api_key",
+  "apiKey",
+  "api-key",
+  "access_token",
+  "accessToken",
+  "refresh_token",
+  "refreshToken",
+  "authorization",
+  "auth",
+  // Personal information
+  "ssn",
+  "social_security",
+  "socialSecurity",
+  "credit_card",
+  "creditCard",
+  "card_number",
+  "cardNumber",
+  "cvv",
+  "cvc",
+  "pin",
+  // Contact
+  "email",
+  "phone",
+  "phone_number",
+  "phoneNumber",
+  "mobile",
+  "address",
+  "street",
+  "zip",
+  "zipcode",
+  "postal_code",
+  "postalCode",
+  // Identity
+  "date_of_birth",
+  "dateOfBirth",
+  "dob",
+  "birth_date",
+  "birthDate",
+  "passport",
+  "license",
+  "national_id",
+  "nationalId"
+];
+function mask(value, options = {}) {
+  const {
+    char = "*",
+    preserveLength = false,
+    showFirst = 0,
+    showLast = 0
+  } = options;
+  if (!value) return value;
+  const len = value.length;
+  if (preserveLength) {
+    const first2 = value.slice(0, showFirst);
+    const last2 = value.slice(-showLast || len);
+    const middle = char.repeat(Math.max(0, len - showFirst - showLast));
+    return first2 + middle + (showLast > 0 ? last2 : "");
+  }
+  const maskLen = 8;
+  const first = showFirst > 0 ? value.slice(0, showFirst) : "";
+  const last = showLast > 0 ? value.slice(-showLast) : "";
+  return first + char.repeat(maskLen) + last;
+}
+function hash(value, salt = "") {
+  const str = salt + value;
+  let hash2 = 0;
+  for (let i = 0; i < str.length; i++) {
+    const char = str.charCodeAt(i);
+    hash2 = (hash2 << 5) - hash2 + char;
+    hash2 = hash2 & hash2;
+  }
+  const hex = Math.abs(hash2).toString(16).padStart(8, "0");
+  return hex + hex.slice(0, 8);
+}
+function redactValue(value, field, config) {
+  if (typeof value !== "string") return value;
+  if (!value) return value;
+  const shouldRedact = config.fields.some((f) => {
+    const fieldLower = field.toLowerCase();
+    const fLower = f.toLowerCase();
+    return fieldLower === fLower || fieldLower.endsWith("." + fLower) || fieldLower.includes("[" + fLower + "]");
+  });
+  if (!shouldRedact) return value;
+  if (config.customRedactor) {
+    return config.customRedactor(value, field);
+  }
+  switch (config.mode) {
+    case "mask":
+      return mask(value, {
+        char: config.maskChar || "*",
+        preserveLength: config.preserveLength,
+        showFirst: 2,
+        showLast: 2
+      });
+    case "hash":
+      return `[HASH:${hash(value)}]`;
+    case "remove":
+      return "[REDACTED]";
+    default:
+      return "[REDACTED]";
+  }
+}
+function redactObject(obj, config, path = "") {
+  if (typeof obj === "string") {
+    return redactValue(obj, path, config);
+  }
+  if (Array.isArray(obj)) {
+    return obj.map((item, i) => redactObject(item, config, `${path}[${i}]`));
+  }
+  if (typeof obj === "object" && obj !== null) {
+    const result = {};
+    for (const [key, value] of Object.entries(obj)) {
+      const newPath = path ? `${path}.${key}` : key;
+      result[key] = redactObject(value, config, newPath);
+    }
+    return result;
+  }
+  return obj;
+}
+function createRedactor(config = {}) {
+  const fullConfig = {
+    fields: config.fields || DEFAULT_PII_FIELDS,
+    mode: config.mode || "mask",
+    maskChar: config.maskChar || "*",
+    preserveLength: config.preserveLength || false,
+    customRedactor: config.customRedactor
+  };
+  return (obj) => redactObject(obj, fullConfig);
+}
+function redactHeaders(headers, sensitiveHeaders = ["authorization", "cookie", "x-api-key", "x-auth-token"]) {
+  const result = {};
+  for (const [key, value] of Object.entries(headers)) {
+    const keyLower = key.toLowerCase();
+    if (sensitiveHeaders.some((h) => keyLower === h.toLowerCase())) {
+      result[key] = "[REDACTED]";
+    } else {
+      result[key] = value;
+    }
+  }
+  return result;
+}
+function redactQuery(query, sensitiveParams = ["token", "key", "secret", "password", "auth"]) {
+  const result = {};
+  for (const [key, value] of Object.entries(query)) {
+    const keyLower = key.toLowerCase();
+    if (sensitiveParams.some((p) => keyLower.includes(p.toLowerCase()))) {
+      result[key] = "[REDACTED]";
+    } else {
+      result[key] = value;
+    }
+  }
+  return result;
+}
+function redactEmail(email) {
+  if (!email || !email.includes("@")) return mask(email);
+  const [, domain] = email.split("@");
+  return `****@${domain}`;
+}
+function redactCreditCard(cardNumber) {
+  const cleaned = cardNumber.replace(/\D/g, "");
+  if (cleaned.length < 4) return mask(cardNumber);
+  return "**** **** **** " + cleaned.slice(-4);
+}
+function redactPhone(phone) {
+  const cleaned = phone.replace(/\D/g, "");
+  if (cleaned.length < 4) return mask(phone);
+  return mask(phone, { preserveLength: true, showLast: 4 });
+}
+function redactIP(ip) {
+  if (ip.includes(":")) {
+    const parts2 = ip.split(":");
+    return parts2[0] + ":****:****:****";
+  }
+  const parts = ip.split(".");
+  if (parts.length !== 4) return mask(ip);
+  return `${parts[0]}.${parts[1]}.*.*`;
+}
+
+// src/middleware/audit/events.ts
+function generateId() {
+  return `evt_${Date.now().toString(36)}_${Math.random().toString(36).slice(2, 9)}`;
+}
+function severityToLevel(severity) {
+  switch (severity) {
+    case "low":
+      return "info";
+    case "medium":
+      return "warn";
+    case "high":
+      return "error";
+    case "critical":
+      return "critical";
+  }
+}
+var SecurityEventTracker = class {
+  store;
+  defaultSeverity;
+  onEvent;
+  constructor(config) {
+    this.store = config.store;
+    this.defaultSeverity = config.defaultSeverity || "medium";
+    this.onEvent = config.onEvent;
+  }
+  /**
+   * Track a security event
+   */
+  async track(options) {
+    const severity = options.severity || this.defaultSeverity;
+    const entry = {
+      id: generateId(),
+      timestamp: /* @__PURE__ */ new Date(),
+      type: "security",
+      level: severityToLevel(severity),
+      message: options.message,
+      event: options.event,
+      severity,
+      source: options.source || {},
+      target: options.target,
+      details: options.details,
+      mitigated: options.mitigated,
+      metadata: options.metadata
+    };
+    await this.store.write(entry);
+    if (this.onEvent) {
+      await this.onEvent(entry);
+    }
+    return entry;
+  }
+  // Convenience methods for common events
+  /**
+   * Track failed authentication
+   */
+  async authFailed(options) {
+    return this.track({
+      event: "auth.failed",
+      message: options.reason || "Authentication failed",
+      severity: "medium",
+      source: {
+        ip: options.ip,
+        userAgent: options.userAgent
+      },
+      details: {
+        attemptedEmail: options.email,
+        reason: options.reason
+      },
+      metadata: options.metadata
+    });
+  }
+  /**
+   * Track successful login
+   */
+  async authLogin(options) {
+    return this.track({
+      event: "auth.login",
+      message: `User ${options.userId} logged in`,
+      severity: "low",
+      source: {
+        ip: options.ip,
+        userAgent: options.userAgent,
+        userId: options.userId
+      },
+      details: {
+        method: options.method || "credentials"
+      },
+      metadata: options.metadata
+    });
+  }
+  /**
+   * Track logout
+   */
+  async authLogout(options) {
+    return this.track({
+      event: "auth.logout",
+      message: `User ${options.userId} logged out`,
+      severity: "low",
+      source: {
+        ip: options.ip,
+        userId: options.userId
+      },
+      details: {
+        reason: options.reason || "user"
+      },
+      metadata: options.metadata
+    });
+  }
+  /**
+   * Track permission denied
+   */
+  async permissionDenied(options) {
+    return this.track({
+      event: "auth.permission_denied",
+      message: `Permission denied for ${options.action} on ${options.resource}`,
+      severity: "medium",
+      source: {
+        ip: options.ip,
+        userId: options.userId
+      },
+      target: {
+        resource: options.resource,
+        action: options.action
+      },
+      details: {
+        requiredRole: options.requiredRole
+      },
+      metadata: options.metadata
+    });
+  }
+  /**
+   * Track rate limit exceeded
+   */
+  async rateLimitExceeded(options) {
+    return this.track({
+      event: "ratelimit.exceeded",
+      message: `Rate limit exceeded for ${options.endpoint}`,
+      severity: "medium",
+      source: {
+        ip: options.ip,
+        userId: options.userId
+      },
+      target: {
+        resource: options.endpoint
+      },
+      details: {
+        limit: options.limit,
+        window: options.window
+      },
+      metadata: options.metadata
+    });
+  }
+  /**
+   * Track CSRF validation failure
+   */
+  async csrfInvalid(options) {
+    return this.track({
+      event: "csrf.invalid",
+      message: `CSRF validation failed for ${options.endpoint}`,
+      severity: "high",
+      source: {
+        ip: options.ip,
+        userId: options.userId
+      },
+      target: {
+        resource: options.endpoint
+      },
+      details: {
+        reason: options.reason
+      },
+      metadata: options.metadata
+    });
+  }
+  /**
+   * Track XSS detection
+   */
+  async xssDetected(options) {
+    return this.track({
+      event: "xss.detected",
+      message: `XSS payload detected in ${options.field}`,
+      severity: "high",
+      source: {
+        ip: options.ip,
+        userId: options.userId
+      },
+      target: {
+        resource: options.endpoint
+      },
+      details: {
+        field: options.field,
+        payload: options.payload?.slice(0, 100)
+        // Truncate
+      },
+      mitigated: true,
+      metadata: options.metadata
+    });
+  }
+  /**
+   * Track SQL injection detection
+   */
+  async sqliDetected(options) {
+    return this.track({
+      event: "sqli.detected",
+      message: `SQL injection attempt detected in ${options.field}`,
+      severity: options.severity || "high",
+      source: {
+        ip: options.ip,
+        userId: options.userId
+      },
+      target: {
+        resource: options.endpoint
+      },
+      details: {
+        field: options.field,
+        pattern: options.pattern
+      },
+      mitigated: true,
+      metadata: options.metadata
+    });
+  }
+  /**
+   * Track IP block
+   */
+  async ipBlocked(options) {
+    return this.track({
+      event: "ip.blocked",
+      message: `IP ${options.ip} blocked: ${options.reason}`,
+      severity: "high",
+      source: {
+        ip: options.ip
+      },
+      details: {
+        reason: options.reason,
+        duration: options.duration
+      },
+      metadata: options.metadata
+    });
+  }
+  /**
+   * Track suspicious activity
+   */
+  async suspicious(options) {
+    return this.track({
+      event: "ip.suspicious",
+      message: options.activity,
+      severity: options.severity || "medium",
+      source: {
+        ip: options.ip,
+        userId: options.userId
+      },
+      details: options.details,
+      metadata: options.metadata
+    });
+  }
+  /**
+   * Track custom event
+   */
+  async custom(options) {
+    return this.track({
+      event: "custom",
+      ...options
+    });
+  }
+};
+function createSecurityTracker(config) {
+  return new SecurityEventTracker(config);
+}
+async function trackSecurityEvent(store, options) {
+  const tracker = new SecurityEventTracker({ store });
+  return tracker.track(options);
+}
+
+// src/middleware/audit/middleware.ts
+function generateRequestId() {
+  return `req_${Date.now().toString(36)}_${Math.random().toString(36).slice(2, 9)}`;
+}
+function getClientIP(req) {
+  return req.headers.get("x-forwarded-for")?.split(",")[0]?.trim() || req.headers.get("x-real-ip") || req.headers.get("cf-connecting-ip") || void 0;
+}
+function headersToRecord(headers, includeHeaders) {
+  if (!includeHeaders) return {};
+  const result = {};
+  if (includeHeaders === true) {
+    headers.forEach((value, key) => {
+      result[key] = value;
+    });
+  } else if (Array.isArray(includeHeaders)) {
+    for (const key of includeHeaders) {
+      const value = headers.get(key);
+      if (value) result[key] = value;
+    }
+  }
+  return result;
+}
+function parseQuery(url) {
+  const result = {};
+  try {
+    const urlObj = new URL(url);
+    urlObj.searchParams.forEach((value, key) => {
+      result[key] = value;
+    });
+  } catch {
+  }
+  return result;
+}
+function statusToLevel(status) {
+  if (status >= 500) return "error";
+  if (status >= 400) return "warn";
+  return "info";
+}
+function shouldSkip(req, status, exclude) {
+  if (!exclude) return false;
+  const url = new URL(req.url);
+  if (exclude.paths?.length) {
+    const matchesPath = exclude.paths.some((pattern) => {
+      if (pattern.includes("*")) {
+        const regex = new RegExp("^" + pattern.replace(/\*/g, ".*") + "$");
+        return regex.test(url.pathname);
+      }
+      return url.pathname === pattern || url.pathname.startsWith(pattern);
+    });
+    if (matchesPath) return true;
+  }
+  if (exclude.methods?.includes(req.method)) {
+    return true;
+  }
+  if (exclude.statusCodes?.includes(status)) {
+    return true;
+  }
+  return false;
+}
+function withAuditLog(handler, config) {
+  const {
+    enabled = true,
+    store,
+    include = {},
+    exclude,
+    pii,
+    getUser,
+    requestIdHeader = "x-request-id",
+    generateRequestId: customGenerateId,
+    onError,
+    skip
+  } = config;
+  const includeSettings = {
+    ip: include.ip ?? true,
+    userAgent: include.userAgent ?? true,
+    headers: include.headers ?? false,
+    query: include.query ?? true,
+    body: include.body ?? false,
+    response: include.response ?? true,
+    responseBody: include.responseBody ?? false,
+    duration: include.duration ?? true,
+    user: include.user ?? true
+  };
+  const piiConfig = pii || {
+    fields: DEFAULT_PII_FIELDS,
+    mode: "mask"
+  };
+  return async (req) => {
+    if (!enabled) {
+      return handler(req);
+    }
+    if (skip && await skip(req)) {
+      return handler(req);
+    }
+    const startTime = Date.now();
+    const requestId = req.headers.get(requestIdHeader) || (customGenerateId ? customGenerateId() : generateRequestId());
+    const url = new URL(req.url);
+    let requestInfo = {
+      id: requestId,
+      method: req.method,
+      url: req.url,
+      path: url.pathname
+    };
+    if (includeSettings.ip) {
+      requestInfo.ip = getClientIP(req);
+    }
+    if (includeSettings.userAgent) {
+      requestInfo.userAgent = req.headers.get("user-agent") || void 0;
+    }
+    if (includeSettings.headers) {
+      let headers = headersToRecord(req.headers, includeSettings.headers);
+      headers = redactHeaders(headers);
+      requestInfo.headers = headers;
+    }
+    if (includeSettings.query) {
+      let query = parseQuery(req.url);
+      query = redactQuery(query);
+      requestInfo.query = query;
+    }
+    requestInfo.contentType = req.headers.get("content-type") || void 0;
+    requestInfo.contentLength = parseInt(req.headers.get("content-length") || "0", 10) || void 0;
+    let user;
+    if (includeSettings.user && getUser) {
+      try {
+        user = await getUser(req) || void 0;
+      } catch {
+      }
+    }
+    let response;
+    let error;
+    try {
+      response = await handler(req);
+    } catch (err) {
+      error = err instanceof Error ? err : new Error(String(err));
+      throw err;
+    } finally {
+      const duration = Date.now() - startTime;
+      const status = response?.status || 500;
+      if (!shouldSkip(req, status, exclude)) {
+        const entry = {
+          id: requestId,
+          timestamp: /* @__PURE__ */ new Date(),
+          type: "request",
+          level: error ? "error" : statusToLevel(status),
+          message: `${req.method} ${url.pathname} ${status} ${duration}ms`,
+          request: requestInfo,
+          user
+        };
+        if (includeSettings.response && response) {
+          entry.response = {
+            status: response.status,
+            duration
+          };
+          if (includeSettings.headers) {
+            entry.response.headers = headersToRecord(response.headers, includeSettings.headers);
+          }
+        }
+        if (error) {
+          entry.error = {
+            name: error.name,
+            message: error.message,
+            stack: error.stack
+          };
+        }
+        const redactedEntry = redactObject(entry, piiConfig);
+        try {
+          await store.write(redactedEntry);
+        } catch (writeError) {
+          if (onError) {
+            onError(writeError instanceof Error ? writeError : new Error(String(writeError)), entry);
+          } else {
+            console.error("[AuditLog] Failed to write log:", writeError);
+          }
+        }
+      }
+    }
+    return response;
+  };
+}
+function createAuditMiddleware(config) {
+  return (handler) => withAuditLog(handler, config);
+}
+function withRequestId(handler, options = {}) {
+  const { headerName = "x-request-id", generateId: generateId2 = generateRequestId } = options;
+  return async (req) => {
+    const requestId = req.headers.get(headerName) || generateId2();
+    const response = await handler(req);
+    const newResponse = new Response(response.body, {
+      status: response.status,
+      statusText: response.statusText,
+      headers: new Headers(response.headers)
+    });
+    newResponse.headers.set(headerName, requestId);
+    return newResponse;
+  };
+}
+function withTiming(handler, options = {}) {
+  const { headerName = "x-response-time", log = false } = options;
+  return async (req) => {
+    const start = Date.now();
+    const response = await handler(req);
+    const duration = Date.now() - start;
+    const newResponse = new Response(response.body, {
+      status: response.status,
+      statusText: response.statusText,
+      headers: new Headers(response.headers)
+    });
+    newResponse.headers.set(headerName, `${duration}ms`);
+    if (log) {
+      const url = new URL(req.url);
+      console.log(`${req.method} ${url.pathname} ${response.status} ${duration}ms`);
+    }
+    return newResponse;
+  };
+}
 
 // src/index.ts
-var VERSION = "0.3.0";
+var VERSION = "0.6.0";
 
+exports.AuditMemoryStore = MemoryStore2;
 exports.AuthenticationError = AuthenticationError;
 exports.AuthorizationError = AuthorizationError;
+exports.CLFFormatter = CLFFormatter;
 exports.ConfigurationError = ConfigurationError;
+exports.ConsoleStore = ConsoleStore;
 exports.CsrfError = CsrfError;
+exports.DANGEROUS_EXTENSIONS = DANGEROUS_EXTENSIONS;
+exports.DEFAULT_PII_FIELDS = DEFAULT_PII_FIELDS;
+exports.ExternalStore = ExternalStore;
+exports.JSONFormatter = JSONFormatter;
+exports.MIME_TYPES = MIME_TYPES;
 exports.MemoryStore = MemoryStore;
+exports.MultiStore = MultiStore;
 exports.PRESET_API = PRESET_API;
 exports.PRESET_RELAXED = PRESET_RELAXED;
 exports.PRESET_STRICT = PRESET_STRICT;
 exports.RateLimitError = RateLimitError;
 exports.SecureError = SecureError;
+exports.SecurityEventTracker = SecurityEventTracker;
+exports.StructuredFormatter = StructuredFormatter;
+exports.TextFormatter = TextFormatter;
 exports.VERSION = VERSION;
 exports.ValidationError = ValidationError;
 exports.anonymizeIp = anonymizeIp;
@@ -1468,11 +5140,30 @@ exports.buildHSTS = buildHSTS;
 exports.buildPermissionsPolicy = buildPermissionsPolicy;
 exports.checkRateLimit = checkRateLimit;
 exports.clearAllRateLimits = clearAllRateLimits;
+exports.createAuditMemoryStore = createMemoryStore2;
+exports.createAuditMiddleware = createAuditMiddleware;
+exports.createCLFFormatter = createCLFFormatter;
 exports.createCSRFToken = createToken;
+exports.createConsoleStore = createConsoleStore;
+exports.createDatadogStore = createDatadogStore;
+exports.createExternalStore = createExternalStore;
+exports.createJSONFormatter = createJSONFormatter;
 exports.createMemoryStore = createMemoryStore;
+exports.createMultiStore = createMultiStore;
 exports.createRateLimiter = createRateLimiter;
+exports.createRedactor = createRedactor;
 exports.createSecurityHeaders = createSecurityHeaders;
 exports.createSecurityHeadersObject = createSecurityHeadersObject;
+exports.createSecurityTracker = createSecurityTracker;
+exports.createStructuredFormatter = createStructuredFormatter;
+exports.createTextFormatter = createTextFormatter;
+exports.createValidator = createValidator;
+exports.decodeJWT = decodeJWT;
+exports.detectFileType = detectFileType;
+exports.detectSQLInjection = detectSQLInjection;
+exports.detectXSS = detectXSS;
+exports.escapeHtml = escapeHtml;
+exports.extractBearerToken = extractBearerToken;
 exports.formatDuration = formatDuration;
 exports.generateCSRF = generateCSRF;
 exports.getClientIp = getClientIp;
@@ -1480,22 +5171,67 @@ exports.getGeoInfo = getGeoInfo;
 exports.getGlobalMemoryStore = getGlobalMemoryStore;
 exports.getPreset = getPreset;
 exports.getRateLimitStatus = getRateLimitStatus;
+exports.hasPathTraversal = hasPathTraversal;
+exports.hasSQLInjection = hasSQLInjection;
+exports.isFormRequest = isFormRequest;
+exports.isJsonRequest = isJsonRequest;
 exports.isLocalhost = isLocalhost;
 exports.isPrivateIp = isPrivateIp;
 exports.isSecureError = isSecureError;
 exports.isValidIp = isValidIp;
+exports.mask = mask;
 exports.normalizeIp = normalizeIp;
 exports.nowInMs = nowInMs;
 exports.nowInSeconds = nowInSeconds;
 exports.parseDuration = parseDuration;
+exports.redactCreditCard = redactCreditCard;
+exports.redactEmail = redactEmail;
+exports.redactHeaders = redactHeaders;
+exports.redactIP = redactIP;
+exports.redactObject = redactObject;
+exports.redactPhone = redactPhone;
+exports.redactQuery = redactQuery;
 exports.resetRateLimit = resetRateLimit;
+exports.sanitize = sanitize;
+exports.sanitizeFields = sanitizeFields;
+exports.sanitizeFilename = sanitizeFilename;
+exports.sanitizeObject = sanitizeObject;
+exports.sanitizePath = sanitizePath;
+exports.sanitizeSQLInput = sanitizeSQLInput;
 exports.sleep = sleep;
+exports.stripHtml = stripHtml;
 exports.toSecureError = toSecureError;
 exports.tokensMatch = tokensMatch;
+exports.trackSecurityEvent = trackSecurityEvent;
+exports.validate = validate;
+exports.validateBody = validateBody;
 exports.validateCSRF = validateCSRF;
+exports.validateContentType = validateContentType;
+exports.validateFile = validateFile;
+exports.validateFiles = validateFiles;
+exports.validatePath = validatePath;
+exports.validateQuery = validateQuery;
+exports.validateRequest = validateRequest;
 exports.verifyCSRFToken = verifyToken;
+exports.verifyJWT = verifyJWT;
+exports.withAPIKey = withAPIKey;
+exports.withAuditLog = withAuditLog;
+exports.withAuth = withAuth;
 exports.withCSRF = withCSRF;
+exports.withContentType = withContentType;
+exports.withFileValidation = withFileValidation;
+exports.withJWT = withJWT;
+exports.withOptionalAuth = withOptionalAuth;
 exports.withRateLimit = withRateLimit;
+exports.withRequestId = withRequestId;
+exports.withRoles = withRoles;
+exports.withSQLProtection = withSQLProtection;
+exports.withSanitization = withSanitization;
+exports.withSecureValidation = withSecureValidation;
 exports.withSecurityHeaders = withSecurityHeaders;
+exports.withSession = withSession;
+exports.withTiming = withTiming;
+exports.withValidation = withValidation;
+exports.withXSSProtection = withXSSProtection;
 //# sourceMappingURL=index.cjs.map
 //# sourceMappingURL=index.cjs.map