nextjs-secure 0.3.0 → 0.6.0

package/dist/index.js

@@ -867,8 +867,8 @@ function withRateLimit(handler, config) {
     };
     try {
       if (finalConfig.skip) {
-        const shouldSkip = await finalConfig.skip(request);
-        if (shouldSkip) {
+        const shouldSkip2 = await finalConfig.skip(request);
+        if (shouldSkip2) {
           debug("Skipping rate limit check");
           return handler(request, ctx);
         }
@@ -944,8 +944,8 @@ async function checkRateLimit(request, config) {
   const windowMs = parseDuration(finalConfig.window);
   const algorithm = getAlgorithm(finalConfig.algorithm);
   if (finalConfig.skip) {
-    const shouldSkip = await finalConfig.skip(request);
-    if (shouldSkip) {
+    const shouldSkip2 = await finalConfig.skip(request);
+    if (shouldSkip2) {
       const info2 = {
         limit: finalConfig.limit,
         remaining: finalConfig.limit,
@@ -1121,8 +1121,8 @@ function withCSRF(handler, config = {}) {
       return handler(req);
     }
     if (config.skip) {
-      const shouldSkip = await config.skip(req);
-      if (shouldSkip) return handler(req);
+      const shouldSkip2 = await config.skip(req);
+      if (shouldSkip2) return handler(req);
     }
     const cookieName = cookieOpts.name || "__csrf";
     const cookieToken = req.cookies.get(cookieName)?.value;
@@ -1444,10 +1444,3670 @@ function createSecurityHeadersObject(options = {}) {
   });
   return obj;
 }
+var encoder2 = new TextEncoder();
+var decoder = new TextDecoder();
+function base64UrlDecode(str) {
+  const pad = str.length % 4;
+  if (pad) {
+    str += "=".repeat(4 - pad);
+  }
+  const base64 = str.replace(/-/g, "+").replace(/_/g, "/");
+  const binary = atob(base64);
+  const bytes = new Uint8Array(binary.length);
+  for (let i = 0; i < binary.length; i++) {
+    bytes[i] = binary.charCodeAt(i);
+  }
+  return bytes;
+}
+function decodeJWT(token) {
+  try {
+    const parts = token.split(".");
+    if (parts.length !== 3) return null;
+    const header = JSON.parse(decoder.decode(base64UrlDecode(parts[0])));
+    const payload = JSON.parse(decoder.decode(base64UrlDecode(parts[1])));
+    const signature = base64UrlDecode(parts[2]);
+    return { header, payload, signature };
+  } catch {
+    return null;
+  }
+}
+function getAlgorithmParams(alg) {
+  switch (alg) {
+    case "HS256":
+      return { name: "HMAC", hash: "SHA-256" };
+    case "HS384":
+      return { name: "HMAC", hash: "SHA-384" };
+    case "HS512":
+      return { name: "HMAC", hash: "SHA-512" };
+    case "RS256":
+      return { name: "RSASSA-PKCS1-v1_5", hash: "SHA-256" };
+    case "RS384":
+      return { name: "RSASSA-PKCS1-v1_5", hash: "SHA-384" };
+    case "RS512":
+      return { name: "RSASSA-PKCS1-v1_5", hash: "SHA-512" };
+    case "ES256":
+      return { name: "ECDSA", hash: "SHA-256", namedCurve: "P-256" };
+    case "ES384":
+      return { name: "ECDSA", hash: "SHA-384", namedCurve: "P-384" };
+    case "ES512":
+      return { name: "ECDSA", hash: "SHA-512", namedCurve: "P-521" };
+    default:
+      return null;
+  }
+}
+async function verifyHMAC(data, signature, secret, hash2) {
+  const key = await webcrypto.subtle.importKey(
+    "raw",
+    encoder2.encode(secret),
+    { name: "HMAC", hash: hash2 },
+    false,
+    ["verify"]
+  );
+  return webcrypto.subtle.verify("HMAC", key, signature, encoder2.encode(data));
+}
+async function importPublicKey(pem, algorithm) {
+  const pemContents = pem.replace(/-----BEGIN.*-----/, "").replace(/-----END.*-----/, "").replace(/\s/g, "");
+  const binaryDer = base64UrlDecode(pemContents.replace(/\+/g, "-").replace(/\//g, "_"));
+  const keyUsages = ["verify"];
+  if (algorithm.name === "RSASSA-PKCS1-v1_5") {
+    return webcrypto.subtle.importKey(
+      "spki",
+      binaryDer,
+      { name: algorithm.name, hash: algorithm.hash },
+      false,
+      keyUsages
+    );
+  }
+  if (algorithm.name === "ECDSA") {
+    return webcrypto.subtle.importKey(
+      "spki",
+      binaryDer,
+      { name: algorithm.name, namedCurve: algorithm.namedCurve },
+      false,
+      keyUsages
+    );
+  }
+  throw new Error(`Unsupported algorithm: ${algorithm.name}`);
+}
+async function verifyAsymmetric(data, signature, publicKey, algorithm) {
+  const key = await importPublicKey(publicKey, algorithm);
+  const params = algorithm.name === "ECDSA" ? { name: "ECDSA", hash: algorithm.hash } : algorithm.name;
+  return webcrypto.subtle.verify(params, key, signature, encoder2.encode(data));
+}
+function validateClaims(payload, config) {
+  const now = Math.floor(Date.now() / 1e3);
+  const tolerance = config.clockTolerance || 0;
+  if (payload.exp !== void 0 && payload.exp < now - tolerance) {
+    return {
+      code: "expired_token",
+      message: "Token has expired",
+      status: 401
+    };
+  }
+  if (payload.nbf !== void 0 && payload.nbf > now + tolerance) {
+    return {
+      code: "invalid_token",
+      message: "Token not yet valid",
+      status: 401
+    };
+  }
+  if (config.issuer) {
+    const issuers = Array.isArray(config.issuer) ? config.issuer : [config.issuer];
+    if (!payload.iss || !issuers.includes(payload.iss)) {
+      return {
+        code: "invalid_token",
+        message: "Invalid token issuer",
+        status: 401
+      };
+    }
+  }
+  if (config.audience) {
+    const audiences = Array.isArray(config.audience) ? config.audience : [config.audience];
+    const tokenAudiences = Array.isArray(payload.aud) ? payload.aud : payload.aud ? [payload.aud] : [];
+    const hasValidAudience = audiences.some((aud) => tokenAudiences.includes(aud));
+    if (!hasValidAudience) {
+      return {
+        code: "invalid_token",
+        message: "Invalid token audience",
+        status: 401
+      };
+    }
+  }
+  return null;
+}
+async function verifyJWT(token, config) {
+  const decoded = decodeJWT(token);
+  if (!decoded) {
+    return {
+      payload: null,
+      error: {
+        code: "invalid_token",
+        message: "Malformed token",
+        status: 401
+      }
+    };
+  }
+  const { header, payload, signature } = decoded;
+  const alg = header.alg;
+  const allowedAlgorithms = config.algorithms || ["HS256"];
+  if (!allowedAlgorithms.includes(alg)) {
+    return {
+      payload: null,
+      error: {
+        code: "invalid_token",
+        message: `Algorithm ${alg} not allowed`,
+        status: 401
+      }
+    };
+  }
+  const algorithmParams = getAlgorithmParams(alg);
+  if (!algorithmParams) {
+    return {
+      payload: null,
+      error: {
+        code: "invalid_token",
+        message: `Unsupported algorithm: ${alg}`,
+        status: 401
+      }
+    };
+  }
+  const parts = token.split(".");
+  const signedData = `${parts[0]}.${parts[1]}`;
+  let isValid = false;
+  try {
+    if (algorithmParams.name === "HMAC") {
+      if (!config.secret) {
+        return {
+          payload: null,
+          error: {
+            code: "invalid_token",
+            message: "Secret required for HMAC algorithms",
+            status: 500
+          }
+        };
+      }
+      isValid = await verifyHMAC(signedData, signature, config.secret, algorithmParams.hash);
+    } else {
+      if (!config.publicKey) {
+        return {
+          payload: null,
+          error: {
+            code: "invalid_token",
+            message: "Public key required for asymmetric algorithms",
+            status: 500
+          }
+        };
+      }
+      isValid = await verifyAsymmetric(signedData, signature, config.publicKey, algorithmParams);
+    }
+  } catch {
+    isValid = false;
+  }
+  if (!isValid) {
+    return {
+      payload: null,
+      error: {
+        code: "invalid_signature",
+        message: "Invalid token signature",
+        status: 401
+      }
+    };
+  }
+  const claimsError = validateClaims(payload, config);
+  if (claimsError) {
+    return { payload: null, error: claimsError };
+  }
+  return { payload, error: null };
+}
+function extractBearerToken(authHeader) {
+  if (!authHeader) return null;
+  if (!authHeader.startsWith("Bearer ")) return null;
+  return authHeader.slice(7);
+}
+
+// src/middleware/auth/middleware.ts
+function defaultErrorResponse2(_req, error) {
+  return new Response(
+    JSON.stringify({
+      error: error.code,
+      message: error.message
+    }),
+    {
+      status: error.status,
+      headers: { "Content-Type": "application/json" }
+    }
+  );
+}
+async function getTokenFromRequest(req, config) {
+  if (config?.getToken) {
+    return config.getToken(req);
+  }
+  return extractBearerToken(req.headers.get("authorization"));
+}
+function withJWT(handler, config) {
+  const secret = config.secret || process.env.JWT_SECRET;
+  const effectiveConfig = { ...config, secret };
+  return async (req) => {
+    const token = await getTokenFromRequest(req, effectiveConfig);
+    if (!token) {
+      return defaultErrorResponse2(req, {
+        code: "missing_token",
+        message: "Authentication required",
+        status: 401
+      });
+    }
+    const { payload, error } = await verifyJWT(token, effectiveConfig);
+    if (error) {
+      return defaultErrorResponse2(req, error);
+    }
+    const user = effectiveConfig.mapUser ? await effectiveConfig.mapUser(payload) : {
+      id: payload.sub || "",
+      email: payload.email,
+      name: payload.name,
+      roles: payload.roles,
+      permissions: payload.permissions
+    };
+    return handler(req, { user, token });
+  };
+}
+function withAPIKey(handler, config) {
+  const headerName = config.headerName || "x-api-key";
+  const queryParam = config.queryParam || "api_key";
+  return async (req) => {
+    let apiKey = req.headers.get(headerName);
+    if (!apiKey) {
+      const url = new URL(req.url);
+      apiKey = url.searchParams.get(queryParam);
+    }
+    if (!apiKey) {
+      return defaultErrorResponse2(req, {
+        code: "missing_api_key",
+        message: "API key required",
+        status: 401
+      });
+    }
+    const user = await config.validate(apiKey, req);
+    if (!user) {
+      return defaultErrorResponse2(req, {
+        code: "invalid_api_key",
+        message: "Invalid API key",
+        status: 401
+      });
+    }
+    return handler(req, { user });
+  };
+}
+function withSession(handler, config) {
+  const cookieName = config.cookieName || "session";
+  return async (req) => {
+    const sessionId = req.cookies.get(cookieName)?.value;
+    if (!sessionId) {
+      return defaultErrorResponse2(req, {
+        code: "missing_session",
+        message: "Session required",
+        status: 401
+      });
+    }
+    const user = await config.validate(sessionId, req);
+    if (!user) {
+      return defaultErrorResponse2(req, {
+        code: "invalid_session",
+        message: "Invalid or expired session",
+        status: 401
+      });
+    }
+    return handler(req, { user });
+  };
+}
+function withRoles(handler, config) {
+  return async (req, ctx) => {
+    const { user } = ctx;
+    const userRoles = config.getUserRoles ? config.getUserRoles(user) : user.roles || [];
+    if (config.roles && config.roles.length > 0) {
+      const hasRole = config.roles.some((role) => userRoles.includes(role));
+      if (!hasRole) {
+        return defaultErrorResponse2(req, {
+          code: "insufficient_roles",
+          message: "Insufficient permissions",
+          status: 403
+        });
+      }
+    }
+    const userPermissions = config.getUserPermissions ? config.getUserPermissions(user) : user.permissions || [];
+    if (config.permissions && config.permissions.length > 0) {
+      const hasAllPermissions = config.permissions.every(
+        (perm) => userPermissions.includes(perm)
+      );
+      if (!hasAllPermissions) {
+        return defaultErrorResponse2(req, {
+          code: "insufficient_permissions",
+          message: "Insufficient permissions",
+          status: 403
+        });
+      }
+    }
+    if (config.authorize) {
+      const authorized = await config.authorize(user, req);
+      if (!authorized) {
+        return defaultErrorResponse2(req, {
+          code: "unauthorized",
+          message: "Unauthorized",
+          status: 403
+        });
+      }
+    }
+    return handler(req, ctx);
+  };
+}
+function withAuth(handler, config) {
+  const onError = config.onError || defaultErrorResponse2;
+  return async (req) => {
+    let user = null;
+    let token;
+    if (config.jwt) {
+      const secret = config.jwt.secret || process.env.JWT_SECRET;
+      const jwtConfig = { ...config.jwt, secret };
+      const jwtToken = await getTokenFromRequest(req, jwtConfig);
+      if (jwtToken) {
+        const { payload, error } = await verifyJWT(jwtToken, jwtConfig);
+        if (!error && payload) {
+          user = jwtConfig.mapUser ? await jwtConfig.mapUser(payload) : {
+            id: payload.sub || "",
+            email: payload.email,
+            name: payload.name,
+            roles: payload.roles
+          };
+          token = jwtToken;
+        }
+      }
+    }
+    if (!user && config.apiKey) {
+      const headerName = config.apiKey.headerName || "x-api-key";
+      const queryParam = config.apiKey.queryParam || "api_key";
+      let apiKey = req.headers.get(headerName);
+      if (!apiKey) {
+        const url = new URL(req.url);
+        apiKey = url.searchParams.get(queryParam);
+      }
+      if (apiKey) {
+        const apiUser = await config.apiKey.validate(apiKey, req);
+        if (apiUser) {
+          user = apiUser;
+        }
+      }
+    }
+    if (!user && config.session) {
+      const cookieName = config.session.cookieName || "session";
+      const sessionId = req.cookies.get(cookieName)?.value;
+      if (sessionId) {
+        const sessionUser = await config.session.validate(sessionId, req);
+        if (sessionUser) {
+          user = sessionUser;
+        }
+      }
+    }
+    if (!user) {
+      return onError(req, {
+        code: "unauthorized",
+        message: "Authentication required",
+        status: 401
+      });
+    }
+    if (config.rbac) {
+      const userRoles = config.rbac.getUserRoles ? config.rbac.getUserRoles(user) : user.roles || [];
+      if (config.rbac.roles && config.rbac.roles.length > 0) {
+        const hasRole = config.rbac.roles.some((role) => userRoles.includes(role));
+        if (!hasRole) {
+          return onError(req, {
+            code: "insufficient_roles",
+            message: "Insufficient permissions",
+            status: 403
+          });
+        }
+      }
+      const userPermissions = config.rbac.getUserPermissions ? config.rbac.getUserPermissions(user) : user.permissions || [];
+      if (config.rbac.permissions && config.rbac.permissions.length > 0) {
+        const hasAllPermissions = config.rbac.permissions.every(
+          (perm) => userPermissions.includes(perm)
+        );
+        if (!hasAllPermissions) {
+          return onError(req, {
+            code: "insufficient_permissions",
+            message: "Insufficient permissions",
+            status: 403
+          });
+        }
+      }
+      if (config.rbac.authorize) {
+        const authorized = await config.rbac.authorize(user, req);
+        if (!authorized) {
+          return onError(req, {
+            code: "unauthorized",
+            message: "Unauthorized",
+            status: 403
+          });
+        }
+      }
+    }
+    if (config.onSuccess) {
+      await config.onSuccess(req, user);
+    }
+    return handler(req, { user, token });
+  };
+}
+function withOptionalAuth(handler, config) {
+  return async (req) => {
+    let user = null;
+    let token;
+    if (config.jwt) {
+      const secret = config.jwt.secret || process.env.JWT_SECRET;
+      const jwtConfig = { ...config.jwt, secret };
+      const jwtToken = await getTokenFromRequest(req, jwtConfig);
+      if (jwtToken) {
+        const { payload, error } = await verifyJWT(jwtToken, jwtConfig);
+        if (!error && payload) {
+          user = jwtConfig.mapUser ? await jwtConfig.mapUser(payload) : {
+            id: payload.sub || "",
+            email: payload.email,
+            name: payload.name,
+            roles: payload.roles
+          };
+          token = jwtToken;
+        }
+      }
+    }
+    if (!user && config.apiKey) {
+      const headerName = config.apiKey.headerName || "x-api-key";
+      let apiKey = req.headers.get(headerName);
+      if (apiKey) {
+        const apiUser = await config.apiKey.validate(apiKey, req);
+        if (apiUser) user = apiUser;
+      }
+    }
+    if (!user && config.session) {
+      const cookieName = config.session.cookieName || "session";
+      const sessionId = req.cookies.get(cookieName)?.value;
+      if (sessionId) {
+        const sessionUser = await config.session.validate(sessionId, req);
+        if (sessionUser) user = sessionUser;
+      }
+    }
+    return handler(req, { user, token });
+  };
+}
+
+// src/middleware/validation/utils.ts
+function isZodSchema(schema) {
+  return typeof schema === "object" && schema !== null && "safeParse" in schema && typeof schema.safeParse === "function";
+}
+function isCustomSchema(schema) {
+  if (typeof schema !== "object" || schema === null) return false;
+  if ("safeParse" in schema) return false;
+  const entries = Object.entries(schema);
+  if (entries.length === 0) return false;
+  return entries.every(([_, rule]) => {
+    return typeof rule === "object" && rule !== null && "type" in rule;
+  });
+}
+var EMAIL_PATTERN = /^[a-zA-Z0-9.!#$%&'*+/=?^_`{|}~-]+@[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?(?:\.[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?)*$/;
+var URL_PATTERN = /^https?:\/\/(?:(?:www\.)?[-a-zA-Z0-9@:%._+~#=]{1,256}\.[a-zA-Z0-9()]{1,6}|localhost|(?:\d{1,3}\.){3}\d{1,3})(?::\d{1,5})?(?:[-a-zA-Z0-9()@:%_+.~#?&/=]*)$/;
+var UUID_PATTERN = /^[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$/i;
+var DATE_PATTERN = /^\d{4}-\d{2}-\d{2}(?:T\d{2}:\d{2}:\d{2}(?:\.\d{3})?(?:Z|[+-]\d{2}:?\d{2})?)?$/;
+function validateField(value, rule, fieldName) {
+  if (value === void 0 || value === null || value === "") {
+    if (rule.required) {
+      return {
+        field: fieldName,
+        code: "required",
+        message: rule.message || `${fieldName} is required`,
+        received: value
+      };
+    }
+    return null;
+  }
+  switch (rule.type) {
+    case "string":
+      if (typeof value !== "string") {
+        return {
+          field: fieldName,
+          code: "invalid_type",
+          message: rule.message || `${fieldName} must be a string`,
+          expected: "string",
+          received: typeof value
+        };
+      }
+      if (rule.minLength !== void 0 && value.length < rule.minLength) {
+        return {
+          field: fieldName,
+          code: "too_short",
+          message: rule.message || `${fieldName} must be at least ${rule.minLength} characters`,
+          received: value.length
+        };
+      }
+      if (rule.maxLength !== void 0 && value.length > rule.maxLength) {
+        return {
+          field: fieldName,
+          code: "too_long",
+          message: rule.message || `${fieldName} must be at most ${rule.maxLength} characters`,
+          received: value.length
+        };
+      }
+      if (rule.pattern && !rule.pattern.test(value)) {
+        return {
+          field: fieldName,
+          code: "invalid_pattern",
+          message: rule.message || `${fieldName} has invalid format`,
+          received: value
+        };
+      }
+      break;
+    case "number":
+      const num = typeof value === "number" ? value : Number(value);
+      if (isNaN(num)) {
+        return {
+          field: fieldName,
+          code: "invalid_type",
+          message: rule.message || `${fieldName} must be a number`,
+          expected: "number",
+          received: typeof value
+        };
+      }
+      if (rule.integer && !Number.isInteger(num)) {
+        return {
+          field: fieldName,
+          code: "invalid_integer",
+          message: rule.message || `${fieldName} must be an integer`,
+          received: num
+        };
+      }
+      if (rule.min !== void 0 && num < rule.min) {
+        return {
+          field: fieldName,
+          code: "too_small",
+          message: rule.message || `${fieldName} must be at least ${rule.min}`,
+          received: num
+        };
+      }
+      if (rule.max !== void 0 && num > rule.max) {
+        return {
+          field: fieldName,
+          code: "too_large",
+          message: rule.message || `${fieldName} must be at most ${rule.max}`,
+          received: num
+        };
+      }
+      break;
+    case "boolean":
+      if (typeof value !== "boolean" && value !== "true" && value !== "false") {
+        return {
+          field: fieldName,
+          code: "invalid_type",
+          message: rule.message || `${fieldName} must be a boolean`,
+          expected: "boolean",
+          received: typeof value
+        };
+      }
+      break;
+    case "email":
+      if (typeof value !== "string" || !EMAIL_PATTERN.test(value)) {
+        return {
+          field: fieldName,
+          code: "invalid_email",
+          message: rule.message || `${fieldName} must be a valid email address`,
+          received: value
+        };
+      }
+      break;
+    case "url":
+      if (typeof value !== "string" || !URL_PATTERN.test(value)) {
+        return {
+          field: fieldName,
+          code: "invalid_url",
+          message: rule.message || `${fieldName} must be a valid URL`,
+          received: value
+        };
+      }
+      break;
+    case "uuid":
+      if (typeof value !== "string" || !UUID_PATTERN.test(value)) {
+        return {
+          field: fieldName,
+          code: "invalid_uuid",
+          message: rule.message || `${fieldName} must be a valid UUID`,
+          received: value
+        };
+      }
+      break;
+    case "date":
+      if (typeof value !== "string" || !DATE_PATTERN.test(value)) {
+        const parsed = new Date(value);
+        if (isNaN(parsed.getTime())) {
+          return {
+            field: fieldName,
+            code: "invalid_date",
+            message: rule.message || `${fieldName} must be a valid date`,
+            received: value
+          };
+        }
+      }
+      break;
+    case "array":
+      if (!Array.isArray(value)) {
+        return {
+          field: fieldName,
+          code: "invalid_type",
+          message: rule.message || `${fieldName} must be an array`,
+          expected: "array",
+          received: typeof value
+        };
+      }
+      if (rule.minItems !== void 0 && value.length < rule.minItems) {
+        return {
+          field: fieldName,
+          code: "too_few_items",
+          message: rule.message || `${fieldName} must have at least ${rule.minItems} items`,
+          received: value.length
+        };
+      }
+      if (rule.maxItems !== void 0 && value.length > rule.maxItems) {
+        return {
+          field: fieldName,
+          code: "too_many_items",
+          message: rule.message || `${fieldName} must have at most ${rule.maxItems} items`,
+          received: value.length
+        };
+      }
+      if (rule.items) {
+        for (let i = 0; i < value.length; i++) {
+          const itemError = validateField(value[i], rule.items, `${fieldName}[${i}]`);
+          if (itemError) return itemError;
+        }
+      }
+      break;
+    case "object":
+      if (typeof value !== "object" || value === null || Array.isArray(value)) {
+        return {
+          field: fieldName,
+          code: "invalid_type",
+          message: rule.message || `${fieldName} must be an object`,
+          expected: "object",
+          received: Array.isArray(value) ? "array" : typeof value
+        };
+      }
+      break;
+  }
+  if (rule.custom) {
+    const result = rule.custom(value);
+    if (result !== true) {
+      return {
+        field: fieldName,
+        code: "custom_validation",
+        message: typeof result === "string" ? result : rule.message || `${fieldName} failed validation`,
+        received: value
+      };
+    }
+  }
+  return null;
+}
+function validateCustomSchema(data, schema) {
+  if (typeof data !== "object" || data === null) {
+    return {
+      success: false,
+      errors: [{
+        field: "_root",
+        code: "invalid_type",
+        message: "Expected an object",
+        received: data
+      }]
+    };
+  }
+  const errors = [];
+  const record = data;
+  for (const [fieldName, rule] of Object.entries(schema)) {
+    const error = validateField(record[fieldName], rule, fieldName);
+    if (error) {
+      errors.push(error);
+    }
+  }
+  if (errors.length > 0) {
+    return { success: false, errors };
+  }
+  return { success: true, data };
+}
+function validateZodSchema(data, schema) {
+  const result = schema.safeParse(data);
+  if (result.success) {
+    return { success: true, data: result.data };
+  }
+  const errors = result.error.issues.map((issue) => ({
+    field: issue.path.join(".") || "_root",
+    code: issue.code,
+    message: issue.message,
+    path: issue.path.map(String)
+  }));
+  return { success: false, errors };
+}
+function walkObject(obj, fn, path = "") {
+  if (typeof obj === "string") {
+    return fn(obj, path);
+  }
+  if (Array.isArray(obj)) {
+    return obj.map((item, i) => walkObject(item, fn, `${path}[${i}]`));
+  }
+  if (typeof obj === "object" && obj !== null) {
+    const result = {};
+    for (const [key, value] of Object.entries(obj)) {
+      const newPath = path ? `${path}.${key}` : key;
+      result[key] = walkObject(value, fn, newPath);
+    }
+    return result;
+  }
+  return obj;
+}
+function parseQueryString(url) {
+  const result = {};
+  try {
+    const urlObj = new URL(url);
+    for (const [key, value] of urlObj.searchParams.entries()) {
+      if (key in result) {
+        const existing = result[key];
+        if (Array.isArray(existing)) {
+          existing.push(value);
+        } else {
+          result[key] = [existing, value];
+        }
+      } else {
+        result[key] = value;
+      }
+    }
+  } catch {
+  }
+  return result;
+}
+
+// src/middleware/validation/validators/schema.ts
+function validate(data, schema) {
+  if (isZodSchema(schema)) {
+    return validateZodSchema(data, schema);
+  }
+  if (isCustomSchema(schema)) {
+    return validateCustomSchema(data, schema);
+  }
+  return {
+    success: false,
+    errors: [{
+      field: "_schema",
+      code: "invalid_schema",
+      message: "Invalid schema provided"
+    }]
+  };
+}
+async function validateBody(request, schema) {
+  let body;
+  try {
+    const contentType = request.headers.get("content-type") || "";
+    if (contentType.includes("application/json")) {
+      body = await request.json();
+    } else if (contentType.includes("application/x-www-form-urlencoded")) {
+      const text = await request.text();
+      body = Object.fromEntries(new URLSearchParams(text));
+    } else if (contentType.includes("multipart/form-data")) {
+      const formData = await request.formData();
+      const obj = {};
+      formData.forEach((value, key) => {
+        if (typeof value === "string") {
+          obj[key] = value;
+        }
+      });
+      body = obj;
+    } else {
+      try {
+        body = await request.json();
+      } catch {
+        body = {};
+      }
+    }
+  } catch (error) {
+    return {
+      success: false,
+      errors: [{
+        field: "_body",
+        code: "parse_error",
+        message: "Failed to parse request body"
+      }]
+    };
+  }
+  return validate(body, schema);
+}
+function validateQuery(request, schema) {
+  const query = parseQueryString(request.url);
+  return validate(query, schema);
+}
+function validateParams(params, schema) {
+  return validate(params, schema);
+}
+async function validateRequest(request, config) {
+  const allErrors = [];
+  const data = {};
+  if (config.body) {
+    const bodyResult = await validateBody(request, config.body);
+    if (!bodyResult.success) {
+      allErrors.push(...(bodyResult.errors || []).map((e) => ({
+        ...e,
+        field: `body.${e.field}`.replace("body._root", "body")
+      })));
+    } else {
+      data.body = bodyResult.data;
+    }
+  } else {
+    data.body = {};
+  }
+  if (config.query) {
+    const queryResult = validateQuery(request, config.query);
+    if (!queryResult.success) {
+      allErrors.push(...(queryResult.errors || []).map((e) => ({
+        ...e,
+        field: `query.${e.field}`.replace("query._root", "query")
+      })));
+    } else {
+      data.query = queryResult.data;
+    }
+  } else {
+    data.query = {};
+  }
+  if (config.params && config.routeParams) {
+    const paramsResult = validateParams(config.routeParams, config.params);
+    if (!paramsResult.success) {
+      allErrors.push(...(paramsResult.errors || []).map((e) => ({
+        ...e,
+        field: `params.${e.field}`.replace("params._root", "params")
+      })));
+    } else {
+      data.params = paramsResult.data;
+    }
+  } else {
+    data.params = {};
+  }
+  if (allErrors.length > 0) {
+    return { success: false, errors: allErrors };
+  }
+  return {
+    success: true,
+    data
+  };
+}
+function defaultValidationErrorResponse(errors) {
+  return new Response(
+    JSON.stringify({
+      error: "validation_error",
+      message: "Request validation failed",
+      details: errors.map((e) => ({
+        field: e.field,
+        code: e.code,
+        message: e.message
+      }))
+    }),
+    {
+      status: 400,
+      headers: { "Content-Type": "application/json" }
+    }
+  );
+}
+function createValidator(schema) {
+  return (data) => validate(data, schema);
+}
+
+// src/middleware/validation/validators/content-type.ts
+var MIME_TYPES = {
+  // Text
+  TEXT_PLAIN: "text/plain",
+  TEXT_HTML: "text/html",
+  TEXT_CSS: "text/css",
+  TEXT_JAVASCRIPT: "text/javascript",
+  // Application
+  JSON: "application/json",
+  FORM_URLENCODED: "application/x-www-form-urlencoded",
+  MULTIPART_FORM: "multipart/form-data",
+  XML: "application/xml",
+  PDF: "application/pdf",
+  ZIP: "application/zip",
+  GZIP: "application/gzip",
+  OCTET_STREAM: "application/octet-stream",
+  // Image
+  IMAGE_PNG: "image/png",
+  IMAGE_JPEG: "image/jpeg",
+  IMAGE_GIF: "image/gif",
+  IMAGE_WEBP: "image/webp",
+  IMAGE_SVG: "image/svg+xml",
+  // Audio
+  AUDIO_MP3: "audio/mpeg",
+  AUDIO_WAV: "audio/wav",
+  AUDIO_OGG: "audio/ogg",
+  // Video
+  VIDEO_MP4: "video/mp4",
+  VIDEO_WEBM: "video/webm"
+};
+function parseContentType(header) {
+  if (!header) {
+    return {
+      type: "",
+      subtype: "",
+      mediaType: "",
+      parameters: {}
+    };
+  }
+  const parts = header.split(";").map((p) => p.trim());
+  const mediaType = parts[0].toLowerCase();
+  const [type = "", subtype = ""] = mediaType.split("/");
+  const parameters = {};
+  for (let i = 1; i < parts.length; i++) {
+    const [key, value] = parts[i].split("=").map((p) => p.trim());
+    if (key && value) {
+      parameters[key.toLowerCase()] = value.replace(/^["']|["']$/g, "");
+    }
+  }
+  return {
+    type,
+    subtype,
+    mediaType,
+    charset: parameters["charset"],
+    boundary: parameters["boundary"],
+    parameters
+  };
+}
+function isAllowedContentType(contentType, allowedTypes, strict = false) {
+  if (!contentType) {
+    return !strict;
+  }
+  const { mediaType } = parseContentType(contentType);
+  return allowedTypes.some((allowed) => {
+    const normalizedAllowed = allowed.toLowerCase().trim();
+    if (mediaType === normalizedAllowed) {
+      return true;
+    }
+    if (normalizedAllowed.endsWith("/*")) {
+      const prefix = normalizedAllowed.slice(0, -2);
+      return mediaType.startsWith(prefix + "/");
+    }
+    if (!normalizedAllowed.includes("/")) {
+      const { type } = parseContentType(contentType);
+      return type === normalizedAllowed;
+    }
+    return false;
+  });
+}
+function validateContentType(request, config) {
+  const contentType = request.headers.get("content-type");
+  const { allowed, strict = false, charset } = config;
+  if (strict && !contentType) {
+    return {
+      valid: false,
+      contentType: null,
+      reason: "Content-Type header is required"
+    };
+  }
+  if (contentType && !isAllowedContentType(contentType, allowed, strict)) {
+    return {
+      valid: false,
+      contentType,
+      reason: `Content-Type '${contentType}' is not allowed`
+    };
+  }
+  if (charset && contentType) {
+    const parsed = parseContentType(contentType);
+    if (parsed.charset && parsed.charset.toLowerCase() !== charset.toLowerCase()) {
+      return {
+        valid: false,
+        contentType,
+        reason: `Charset '${parsed.charset}' is not allowed, expected '${charset}'`
+      };
+    }
+  }
+  return { valid: true, contentType };
+}
+function defaultContentTypeErrorResponse(contentType, reason) {
+  return new Response(
+    JSON.stringify({
+      error: "invalid_content_type",
+      message: reason,
+      received: contentType
+    }),
+    {
+      status: 415,
+      // Unsupported Media Type
+      headers: { "Content-Type": "application/json" }
+    }
+  );
+}
+function isJsonRequest(request) {
+  return isAllowedContentType(
+    request.headers.get("content-type"),
+    [MIME_TYPES.JSON]
+  );
+}
+function isFormRequest(request) {
+  return isAllowedContentType(
+    request.headers.get("content-type"),
+    [MIME_TYPES.FORM_URLENCODED, MIME_TYPES.MULTIPART_FORM]
+  );
+}
+
+// src/middleware/validation/sanitizers/path.ts
+var DANGEROUS_PATTERNS = [
+  // Unix path traversal
+  /\.\.\//g,
+  /\.\./g,
+  // Windows path traversal
+  /\.\.\\/g,
+  // Null byte (can truncate paths in some systems)
+  /%00/g,
+  /\0/g,
+  // URL encoded traversal
+  /%2e%2e%2f/gi,
+  // ../
+  /%2e%2e\//gi,
+  // ../
+  /%2e%2e%5c/gi,
+  // ..\
+  /%2e%2e\\/gi,
+  // ..\
+  // Double URL encoding
+  /%252e%252e%252f/gi,
+  /%252e%252e%255c/gi,
+  // Unicode encoding
+  /\.%u002e\//gi,
+  /%u002e%u002e%u002f/gi,
+  // Overlong UTF-8 encoding
+  /%c0%ae%c0%ae%c0%af/gi,
+  /%c1%9c/gi
+  // Backslash variant
+];
+var DEFAULT_BLOCKED_EXTENSIONS = [
+  ".exe",
+  ".dll",
+  ".so",
+  ".dylib",
+  // Executables
+  ".sh",
+  ".bash",
+  ".bat",
+  ".cmd",
+  ".ps1",
+  // Scripts
+  ".php",
+  ".asp",
+  ".aspx",
+  ".jsp",
+  ".cgi",
+  // Server scripts
+  ".htaccess",
+  ".htpasswd",
+  // Apache config
+  ".env",
+  ".git",
+  ".svn"
+  // Config/VCS
+];
+function normalizePathSeparators(path) {
+  return path.replace(/\\/g, "/");
+}
+function decodePathComponent(path) {
+  let result = path;
+  let previous = "";
+  while (result !== previous) {
+    previous = result;
+    try {
+      result = decodeURIComponent(result);
+    } catch {
+      break;
+    }
+  }
+  return result;
+}
+function hasPathTraversal(path) {
+  if (!path || typeof path !== "string") return false;
+  const normalized = normalizePathSeparators(decodePathComponent(path));
+  for (const pattern of DANGEROUS_PATTERNS) {
+    pattern.lastIndex = 0;
+    if (pattern.test(normalized)) {
+      return true;
+    }
+  }
+  if (normalized.includes("..")) {
+    return true;
+  }
+  return false;
+}
+function validatePath(path, config = {}) {
+  if (!path || typeof path !== "string") {
+    return { valid: false, reason: "Path is empty or not a string" };
+  }
+  const {
+    allowAbsolute = false,
+    allowedPrefixes = [],
+    allowedExtensions,
+    blockedExtensions = DEFAULT_BLOCKED_EXTENSIONS,
+    maxDepth = 10,
+    maxLength = 255,
+    normalize = true
+  } = config;
+  if (path.length > maxLength) {
+    return { valid: false, reason: `Path exceeds maximum length of ${maxLength}` };
+  }
+  let normalized = decodePathComponent(path);
+  if (normalize) {
+    normalized = normalizePathSeparators(normalized);
+  }
+  if (normalized.includes("\0") || path.includes("%00")) {
+    return { valid: false, reason: "Path contains null bytes" };
+  }
+  if (hasPathTraversal(path)) {
+    return { valid: false, reason: "Path contains traversal sequences" };
+  }
+  const isAbsolute = normalized.startsWith("/") || /^[a-zA-Z]:/.test(normalized) || // Windows drive letter
+  normalized.startsWith("\\\\");
+  if (isAbsolute && !allowAbsolute) {
+    return { valid: false, reason: "Absolute paths are not allowed" };
+  }
+  if (allowedPrefixes.length > 0) {
+    const hasValidPrefix = allowedPrefixes.some((prefix) => {
+      const normalizedPrefix = normalizePathSeparators(prefix);
+      return normalized.startsWith(normalizedPrefix);
+    });
+    if (!hasValidPrefix) {
+      return { valid: false, reason: "Path does not start with an allowed prefix" };
+    }
+  }
+  const segments = normalized.split("/").filter((s) => s && s !== ".");
+  if (segments.length > maxDepth) {
+    return { valid: false, reason: `Path depth exceeds maximum of ${maxDepth}` };
+  }
+  const lastSegment = segments[segments.length - 1] || "";
+  const dotIndex = lastSegment.lastIndexOf(".");
+  const extension = dotIndex > 0 ? lastSegment.slice(dotIndex).toLowerCase() : "";
+  if (extension && blockedExtensions.length > 0) {
+    if (blockedExtensions.map((e) => e.toLowerCase()).includes(extension)) {
+      return { valid: false, reason: `Extension ${extension} is not allowed` };
+    }
+  }
+  if (extension && allowedExtensions && allowedExtensions.length > 0) {
+    if (!allowedExtensions.map((e) => e.toLowerCase()).includes(extension)) {
+      return { valid: false, reason: `Extension ${extension} is not in allowed list` };
+    }
+  }
+  const sanitized = normalized.replace(/\/+/g, "/");
+  return { valid: true, sanitized };
+}
+function sanitizePath(path, config = {}) {
+  if (!path || typeof path !== "string") return "";
+  const { normalize = true, maxLength = 255 } = config;
+  let result = decodePathComponent(path);
+  if (normalize) {
+    result = normalizePathSeparators(result);
+  }
+  result = result.replace(/\0/g, "").replace(/%00/g, "");
+  result = result.replace(/\.\.\//g, "").replace(/\.\.\\/g, "");
+  if (!config.allowAbsolute) {
+    result = result.replace(/^\/+/, "");
+    result = result.replace(/^[a-zA-Z]:/, "");
+    result = result.replace(/^\\\\/, "");
+  }
+  result = result.replace(/\/+/g, "/");
+  result = result.replace(/\/+$/, "");
+  if (result.length > maxLength) {
+    result = result.slice(0, maxLength);
+  }
+  return result;
+}
+function getExtension(path) {
+  if (!path || typeof path !== "string") return "";
+  const normalized = normalizePathSeparators(path);
+  const segments = normalized.split("/");
+  const filename = segments[segments.length - 1] || "";
+  const dotIndex = filename.lastIndexOf(".");
+  if (dotIndex <= 0) return "";
+  return filename.slice(dotIndex).toLowerCase();
+}
+function sanitizeFilename(filename) {
+  if (typeof filename !== "string") return "file";
+  if (!filename) return "file";
+  let result = filename;
+  result = result.replace(/[/\\]/g, "");
+  result = result.replace(/\0/g, "");
+  result = result.replace(/[\x00-\x1f\x7f]/g, "");
+  result = result.replace(/[<>:"|?*]/g, "");
+  result = result.replace(/^[.\s]+|[.\s]+$/g, "");
+  if (result.length > 255) {
+    const ext = getExtension(result);
+    const name = result.slice(0, 255 - ext.length);
+    result = name + ext;
+  }
+  return result || "file";
+}
+
+// src/middleware/validation/validators/file.ts
+var MAGIC_NUMBERS = [
+  // Images
+  { type: "image/jpeg", extension: ".jpg", signature: [255, 216, 255] },
+  { type: "image/png", extension: ".png", signature: [137, 80, 78, 71, 13, 10, 26, 10] },
+  { type: "image/gif", extension: ".gif", signature: [71, 73, 70, 56] },
+  // GIF87a or GIF89a
+  { type: "image/webp", extension: ".webp", signature: [82, 73, 70, 70], offset: 0 },
+  // RIFF
+  { type: "image/bmp", extension: ".bmp", signature: [66, 77] },
+  { type: "image/tiff", extension: ".tiff", signature: [73, 73, 42, 0] },
+  // Little endian
+  { type: "image/tiff", extension: ".tiff", signature: [77, 77, 0, 42] },
+  // Big endian
+  { type: "image/x-icon", extension: ".ico", signature: [0, 0, 1, 0] },
+  { type: "image/svg+xml", extension: ".svg", signature: [60, 63, 120, 109, 108] },
+  // <?xml
+  // Documents
+  { type: "application/pdf", extension: ".pdf", signature: [37, 80, 68, 70] },
+  // %PDF
+  { type: "application/zip", extension: ".zip", signature: [80, 75, 3, 4] },
+  // PK
+  { type: "application/gzip", extension: ".gz", signature: [31, 139] },
+  { type: "application/x-rar-compressed", extension: ".rar", signature: [82, 97, 114, 33] },
+  { type: "application/x-7z-compressed", extension: ".7z", signature: [55, 122, 188, 175, 39, 28] },
+  // Microsoft Office (new format - zip based)
+  { type: "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet", extension: ".xlsx", signature: [80, 75, 3, 4] },
+  { type: "application/vnd.openxmlformats-officedocument.wordprocessingml.document", extension: ".docx", signature: [80, 75, 3, 4] },
+  { type: "application/vnd.openxmlformats-officedocument.presentationml.presentation", extension: ".pptx", signature: [80, 75, 3, 4] },
+  // Microsoft Office (old format)
+  { type: "application/msword", extension: ".doc", signature: [208, 207, 17, 224, 161, 177, 26, 225] },
+  { type: "application/vnd.ms-excel", extension: ".xls", signature: [208, 207, 17, 224, 161, 177, 26, 225] },
+  // Audio
+  { type: "audio/mpeg", extension: ".mp3", signature: [255, 251] },
+  // MP3 frame sync
+  { type: "audio/mpeg", extension: ".mp3", signature: [73, 68, 51] },
+  // ID3
+  { type: "audio/wav", extension: ".wav", signature: [82, 73, 70, 70] },
+  // RIFF
+  { type: "audio/ogg", extension: ".ogg", signature: [79, 103, 103, 83] },
+  { type: "audio/flac", extension: ".flac", signature: [102, 76, 97, 67] },
+  // Video
+  { type: "video/mp4", extension: ".mp4", signature: [0, 0, 0], offset: 0 },
+  // Partial match
+  { type: "video/webm", extension: ".webm", signature: [26, 69, 223, 163] },
+  { type: "video/avi", extension: ".avi", signature: [82, 73, 70, 70] },
+  // RIFF
+  { type: "video/quicktime", extension: ".mov", signature: [0, 0, 0, 20, 102, 116, 121, 112] },
+  // Web
+  { type: "application/wasm", extension: ".wasm", signature: [0, 97, 115, 109] },
+  // \0asm
+  // Fonts
+  { type: "font/woff", extension: ".woff", signature: [119, 79, 70, 70] },
+  { type: "font/woff2", extension: ".woff2", signature: [119, 79, 70, 50] }
+];
+var DEFAULT_MAX_FILE_SIZE = 10 * 1024 * 1024;
+var DEFAULT_MAX_FILES = 10;
+var DANGEROUS_EXTENSIONS = [
+  ".exe",
+  ".dll",
+  ".so",
+  ".dylib",
+  ".bin",
+  ".sh",
+  ".bash",
+  ".bat",
+  ".cmd",
+  ".ps1",
+  ".vbs",
+  ".php",
+  ".asp",
+  ".aspx",
+  ".jsp",
+  ".cgi",
+  ".pl",
+  ".py",
+  ".rb",
+  ".jar",
+  ".class",
+  ".msi",
+  ".dmg",
+  ".pkg",
+  ".deb",
+  ".rpm",
+  ".scr",
+  ".pif",
+  ".com",
+  ".hta"
+];
+function checkMagicNumber(bytes, magicNumber) {
+  const offset = magicNumber.offset || 0;
+  const signature = magicNumber.signature;
+  if (bytes.length < offset + signature.length) {
+    return false;
+  }
+  for (let i = 0; i < signature.length; i++) {
+    if (bytes[offset + i] !== signature[i]) {
+      return false;
+    }
+  }
+  return true;
+}
+function detectFileType(bytes) {
+  for (const magic of MAGIC_NUMBERS) {
+    if (checkMagicNumber(bytes, magic)) {
+      return { type: magic.type, extension: magic.extension };
+    }
+  }
+  return null;
+}
+async function validateFile(file, config = {}) {
+  const {
+    maxSize = DEFAULT_MAX_FILE_SIZE,
+    minSize = 0,
+    allowedTypes = [],
+    blockedTypes = [],
+    allowedExtensions = [],
+    blockedExtensions = DANGEROUS_EXTENSIONS,
+    validateMagicNumbers = true,
+    sanitizeFilename: doSanitize = true
+  } = config;
+  const errors = [];
+  const extension = getExtension(file.name);
+  const info = {
+    filename: doSanitize ? sanitizeFilename(file.name) : file.name,
+    size: file.size,
+    type: file.type,
+    extension
+  };
+  if (file.size > maxSize) {
+    errors.push({
+      filename: file.name,
+      code: "size_exceeded",
+      message: `File size (${formatBytes(file.size)}) exceeds maximum allowed (${formatBytes(maxSize)})`,
+      details: { size: file.size, maxSize }
+    });
+  }
+  if (file.size < minSize) {
+    errors.push({
+      filename: file.name,
+      code: "size_too_small",
+      message: `File size (${formatBytes(file.size)}) is below minimum required (${formatBytes(minSize)})`,
+      details: { size: file.size, minSize }
+    });
+  }
+  if (blockedExtensions.length > 0 && extension) {
+    if (blockedExtensions.map((e) => e.toLowerCase()).includes(extension.toLowerCase())) {
+      errors.push({
+        filename: file.name,
+        code: "extension_not_allowed",
+        message: `File extension '${extension}' is not allowed`,
+        details: { extension, blockedExtensions }
+      });
+    }
+  }
+  if (allowedExtensions.length > 0 && extension) {
+    if (!allowedExtensions.map((e) => e.toLowerCase()).includes(extension.toLowerCase())) {
+      errors.push({
+        filename: file.name,
+        code: "extension_not_allowed",
+        message: `File extension '${extension}' is not in allowed list`,
+        details: { extension, allowedExtensions }
+      });
+    }
+  }
+  if (blockedTypes.length > 0 && file.type) {
+    if (blockedTypes.includes(file.type)) {
+      errors.push({
+        filename: file.name,
+        code: "type_not_allowed",
+        message: `File type '${file.type}' is not allowed`,
+        details: { type: file.type, blockedTypes }
+      });
+    }
+  }
+  if (allowedTypes.length > 0) {
+    if (!allowedTypes.includes(file.type)) {
+      errors.push({
+        filename: file.name,
+        code: "type_not_allowed",
+        message: `File type '${file.type}' is not in allowed list`,
+        details: { type: file.type, allowedTypes }
+      });
+    }
+  }
+  if (validateMagicNumbers && errors.length === 0) {
+    try {
+      const buffer = await file.arrayBuffer();
+      const bytes = new Uint8Array(buffer.slice(0, 32));
+      const detected = detectFileType(bytes);
+      if (detected) {
+        if (file.type && detected.type !== file.type) {
+          const isSimilar = detected.type.startsWith("image/") && file.type.startsWith("image/") || detected.type.startsWith("audio/") && file.type.startsWith("audio/") || detected.type.startsWith("video/") && file.type.startsWith("video/");
+          if (!isSimilar) {
+            errors.push({
+              filename: file.name,
+              code: "invalid_content",
+              message: `File content doesn't match declared type (claimed: ${file.type}, detected: ${detected.type})`,
+              details: { claimed: file.type, detected: detected.type }
+            });
+          }
+        }
+      }
+    } catch {
+    }
+  }
+  return {
+    valid: errors.length === 0,
+    info,
+    errors
+  };
+}
+async function validateFiles(files, config = {}) {
+  const { maxFiles = DEFAULT_MAX_FILES } = config;
+  const allErrors = [];
+  const infos = [];
+  if (files.length > maxFiles) {
+    allErrors.push({
+      filename: "",
+      code: "too_many_files",
+      message: `Too many files (${files.length}), maximum allowed is ${maxFiles}`,
+      details: { count: files.length, maxFiles }
+    });
+  }
+  for (const file of files) {
+    const result = await validateFile(file, config);
+    infos.push(result.info);
+    allErrors.push(...result.errors);
+  }
+  return {
+    valid: allErrors.length === 0,
+    infos,
+    errors: allErrors
+  };
+}
+function extractFilesFromFormData(formData) {
+  const files = /* @__PURE__ */ new Map();
+  formData.forEach((value, key) => {
+    if (value instanceof File) {
+      const existing = files.get(key) || [];
+      existing.push(value);
+      files.set(key, existing);
+    }
+  });
+  return files;
+}
+async function validateFilesFromRequest(request, config = {}) {
+  const contentType = request.headers.get("content-type") || "";
+  if (!contentType.includes("multipart/form-data")) {
+    return { valid: true, files: /* @__PURE__ */ new Map(), errors: [] };
+  }
+  try {
+    const formData = await request.formData();
+    const fileMap = extractFilesFromFormData(formData);
+    const allInfos = /* @__PURE__ */ new Map();
+    const allErrors = [];
+    let totalFileCount = 0;
+    for (const [field, files] of fileMap.entries()) {
+      totalFileCount += files.length;
+      const result = await validateFiles(files, { ...config, maxFiles: Infinity });
+      allInfos.set(field, result.infos);
+      allErrors.push(...result.errors.map((e) => ({ ...e, field })));
+    }
+    const maxFiles = config.maxFiles ?? DEFAULT_MAX_FILES;
+    if (totalFileCount > maxFiles) {
+      allErrors.push({
+        filename: "",
+        code: "too_many_files",
+        message: `Total file count (${totalFileCount}) exceeds maximum (${maxFiles})`,
+        details: { count: totalFileCount, maxFiles }
+      });
+    }
+    return {
+      valid: allErrors.length === 0,
+      files: allInfos,
+      errors: allErrors
+    };
+  } catch {
+    return {
+      valid: false,
+      files: /* @__PURE__ */ new Map(),
+      errors: [{
+        filename: "",
+        code: "invalid_content",
+        message: "Failed to parse multipart form data"
+      }]
+    };
+  }
+}
+function defaultFileErrorResponse(errors) {
+  return new Response(
+    JSON.stringify({
+      error: "file_validation_error",
+      message: "File validation failed",
+      details: errors.map((e) => ({
+        filename: e.filename,
+        field: e.field,
+        code: e.code,
+        message: e.message
+      }))
+    }),
+    {
+      status: 400,
+      headers: { "Content-Type": "application/json" }
+    }
+  );
+}
+function formatBytes(bytes) {
+  if (bytes === 0) return "0 B";
+  const units = ["B", "KB", "MB", "GB"];
+  const k = 1024;
+  const i = Math.floor(Math.log(bytes) / Math.log(k));
+  return `${parseFloat((bytes / Math.pow(k, i)).toFixed(2))} ${units[i]}`;
+}
+
+// src/middleware/validation/sanitizers/xss.ts
+var DEFAULT_ALLOWED_TAGS = [
+  "a",
+  "abbr",
+  "b",
+  "blockquote",
+  "br",
+  "code",
+  "del",
+  "em",
+  "h1",
+  "h2",
+  "h3",
+  "h4",
+  "h5",
+  "h6",
+  "hr",
+  "i",
+  "ins",
+  "li",
+  "mark",
+  "ol",
+  "p",
+  "pre",
+  "q",
+  "s",
+  "small",
+  "span",
+  "strong",
+  "sub",
+  "sup",
+  "u",
+  "ul"
+];
+var DEFAULT_ALLOWED_ATTRIBUTES = {
+  a: ["href", "title", "target", "rel"],
+  img: ["src", "alt", "title", "width", "height"],
+  abbr: ["title"],
+  q: ["cite"],
+  blockquote: ["cite"]
+};
+var DEFAULT_SAFE_PROTOCOLS = ["http:", "https:", "mailto:", "tel:"];
+var DANGEROUS_PATTERNS2 = [
+  // Event handlers
+  /\bon\w+\s*=/gi,
+  // JavaScript protocol
+  /javascript\s*:/gi,
+  // VBScript protocol
+  /vbscript\s*:/gi,
+  // Data URI with scripts
+  /data\s*:[^,]*(?:text\/html|application\/javascript|text\/javascript)/gi,
+  // Expression in CSS
+  /expression\s*\(/gi,
+  // Binding in CSS (Firefox)
+  /-moz-binding\s*:/gi,
+  // Behavior in CSS (IE)
+  /behavior\s*:/gi,
+  // Import in CSS
+  /@import/gi,
+  // Script tags
+  /<\s*script/gi,
+  // Style tags with expressions
+  /<\s*style[^>]*>[^<]*expression/gi,
+  // SVG with scripts
+  /<\s*svg[^>]*onload/gi,
+  // Object/embed/applet tags
+  /<\s*(object|embed|applet)/gi,
+  // Base tag (can redirect resources)
+  /<\s*base/gi,
+  // Meta refresh
+  /<\s*meta[^>]*http-equiv\s*=\s*["']?refresh/gi,
+  // Form action hijacking
+  /<\s*form[^>]*action\s*=\s*["']?javascript/gi,
+  // Link tag with import
+  /<\s*link[^>]*rel\s*=\s*["']?import/gi
+];
+var HTML_ENTITIES = {
+  "&": "&amp;",
+  "<": "&lt;",
+  ">": "&gt;",
+  '"': "&quot;",
+  "'": "&#x27;",
+  "/": "&#x2F;",
+  "`": "&#x60;",
+  "=": "&#x3D;"
+};
+function escapeHtml(str) {
+  return str.replace(/[&<>"'`=/]/g, (char) => HTML_ENTITIES[char] || char);
+}
+function unescapeHtml(str) {
+  const entityMap = {
+    "&amp;": "&",
+    "&lt;": "<",
+    "&gt;": ">",
+    "&quot;": '"',
+    "&#x27;": "'",
+    "&#x2F;": "/",
+    "&#x60;": "`",
+    "&#x3D;": "=",
+    "&#39;": "'",
+    "&#47;": "/"
+  };
+  return str.replace(/&(?:amp|lt|gt|quot|#x27|#x2F|#x60|#x3D|#39|#47);/gi, (entity) => {
+    return entityMap[entity.toLowerCase()] || entity;
+  });
+}
+function stripHtml(str) {
+  let result = str.replace(/<script[^>]*>[\s\S]*?<\/script>/gi, "");
+  result = result.replace(/<style[^>]*>[\s\S]*?<\/style>/gi, "");
+  result = result.replace(/<[^>]*>/g, "");
+  result = unescapeHtml(result);
+  result = result.replace(/\0/g, "");
+  return result.trim();
+}
+function isSafeUrl(url, allowedProtocols = DEFAULT_SAFE_PROTOCOLS) {
+  if (!url) return true;
+  const trimmed = url.trim().toLowerCase();
+  if (trimmed.startsWith("javascript:")) return false;
+  if (trimmed.startsWith("vbscript:")) return false;
+  if (trimmed.startsWith("data:image/")) return true;
+  if (trimmed.startsWith("data:")) return false;
+  try {
+    const parsed = new URL(url, "https://example.com");
+    if (parsed.protocol && !allowedProtocols.includes(parsed.protocol)) {
+      if (!url.includes(":")) return true;
+      return false;
+    }
+  } catch {
+    return true;
+  }
+  return true;
+}
+function sanitizeHtml(str, allowedTags = DEFAULT_ALLOWED_TAGS, allowedAttributes = DEFAULT_ALLOWED_ATTRIBUTES, allowedProtocols = DEFAULT_SAFE_PROTOCOLS) {
+  let result = str.replace(/\0/g, "");
+  result = result.replace(/<script[^>]*>[\s\S]*?<\/script>/gi, "");
+  result = result.replace(/<style[^>]*>[\s\S]*?<\/style>/gi, "");
+  result = result.replace(/<!--[\s\S]*?-->/g, "");
+  result = result.replace(/<\/?([a-z][a-z0-9]*)\b([^>]*)>/gi, (match, tagName, attributes) => {
+    const lowerTag = tagName.toLowerCase();
+    const isClosing = match.startsWith("</");
+    if (!allowedTags.includes(lowerTag)) {
+      return "";
+    }
+    if (isClosing) {
+      return `</${lowerTag}>`;
+    }
+    const allowedAttrs = allowedAttributes[lowerTag] || [];
+    const safeAttrs = [];
+    const attrRegex = /([a-z][a-z0-9-]*)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]*))/gi;
+    let attrMatch;
+    while ((attrMatch = attrRegex.exec(attributes)) !== null) {
+      const attrName = attrMatch[1].toLowerCase();
+      const attrValue = attrMatch[2] || attrMatch[3] || attrMatch[4] || "";
+      if (!allowedAttrs.includes(attrName)) continue;
+      if (DANGEROUS_PATTERNS2.some((pattern) => pattern.test(attrValue))) continue;
+      if (["href", "src", "action", "formaction"].includes(attrName)) {
+        if (!isSafeUrl(attrValue, allowedProtocols)) continue;
+      }
+      const safeValue = escapeHtml(attrValue);
+      safeAttrs.push(`${attrName}="${safeValue}"`);
+    }
+    const attrStr = safeAttrs.length > 0 ? " " + safeAttrs.join(" ") : "";
+    return `<${lowerTag}${attrStr}>`;
+  });
+  for (const pattern of DANGEROUS_PATTERNS2) {
+    result = result.replace(pattern, "");
+  }
+  return result;
+}
+function detectXSS(str) {
+  if (!str || typeof str !== "string") return false;
+  const normalized = str.replace(/\\x([0-9a-f]{2})/gi, (_, hex) => String.fromCharCode(parseInt(hex, 16))).replace(/\\u([0-9a-f]{4})/gi, (_, hex) => String.fromCharCode(parseInt(hex, 16))).replace(/&#x([0-9a-f]+);?/gi, (_, hex) => String.fromCharCode(parseInt(hex, 16))).replace(/&#(\d+);?/gi, (_, dec) => String.fromCharCode(parseInt(dec, 10)));
+  for (const pattern of DANGEROUS_PATTERNS2) {
+    pattern.lastIndex = 0;
+    if (pattern.test(normalized)) {
+      return true;
+    }
+  }
+  return false;
+}
+function sanitize(input, config = {}) {
+  if (!input || typeof input !== "string") return "";
+  const {
+    mode = "escape",
+    allowedTags = DEFAULT_ALLOWED_TAGS,
+    allowedAttributes = DEFAULT_ALLOWED_ATTRIBUTES,
+    allowedProtocols = DEFAULT_SAFE_PROTOCOLS,
+    maxLength,
+    stripNull = true
+  } = config;
+  let result = input;
+  if (stripNull) {
+    result = result.replace(/\0/g, "");
+  }
+  switch (mode) {
+    case "escape":
+      result = escapeHtml(result);
+      break;
+    case "strip":
+      result = stripHtml(result);
+      break;
+    case "allow-safe":
+      result = sanitizeHtml(result, allowedTags, allowedAttributes, allowedProtocols);
+      break;
+  }
+  if (maxLength !== void 0 && result.length > maxLength) {
+    result = result.slice(0, maxLength);
+  }
+  return result;
+}
+function sanitizeObject(obj, config = {}) {
+  if (typeof obj === "string") {
+    return sanitize(obj, config);
+  }
+  if (Array.isArray(obj)) {
+    return obj.map((item) => sanitizeObject(item, config));
+  }
+  if (typeof obj === "object" && obj !== null) {
+    const result = {};
+    for (const [key, value] of Object.entries(obj)) {
+      result[key] = sanitizeObject(value, config);
+    }
+    return result;
+  }
+  return obj;
+}
+function sanitizeFields(obj, fields, config = {}) {
+  const result = { ...obj };
+  for (const field of fields) {
+    if (field in result && typeof result[field] === "string") {
+      result[field] = sanitize(result[field], config);
+    }
+  }
+  return result;
+}
+
+// src/middleware/validation/sanitizers/sql.ts
+var SQL_PATTERNS = [
+  // High severity - Definite attacks
+  {
+    pattern: /'\s*OR\s+'?\d+'?\s*=\s*'?\d+'?/gi,
+    name: "OR '1'='1' attack",
+    severity: "high"
+  },
+  {
+    pattern: /'\s*OR\s+'[^']*'\s*=\s*'[^']*'/gi,
+    name: "OR 'x'='x' attack",
+    severity: "high"
+  },
+  {
+    pattern: /;\s*DROP\s+(TABLE|DATABASE|INDEX|VIEW)/gi,
+    name: "DROP statement",
+    severity: "high"
+  },
+  {
+    pattern: /;\s*DELETE\s+FROM/gi,
+    name: "DELETE statement",
+    severity: "high"
+  },
+  {
+    pattern: /;\s*TRUNCATE\s+/gi,
+    name: "TRUNCATE statement",
+    severity: "high"
+  },
+  {
+    pattern: /;\s*INSERT\s+INTO/gi,
+    name: "INSERT statement",
+    severity: "high"
+  },
+  {
+    pattern: /;\s*UPDATE\s+\w+\s+SET/gi,
+    name: "UPDATE statement",
+    severity: "high"
+  },
+  {
+    pattern: /UNION\s+(ALL\s+)?SELECT/gi,
+    name: "UNION SELECT attack",
+    severity: "high"
+  },
+  {
+    pattern: /EXEC(\s+|\()+(sp_|xp_)/gi,
+    name: "SQL Server stored procedure",
+    severity: "high"
+  },
+  {
+    pattern: /EXECUTE\s+IMMEDIATE/gi,
+    name: "Oracle EXECUTE IMMEDIATE",
+    severity: "high"
+  },
+  {
+    pattern: /INTO\s+(OUT|DUMP)FILE/gi,
+    name: "MySQL file write",
+    severity: "high"
+  },
+  {
+    pattern: /LOAD_FILE\s*\(/gi,
+    name: "MySQL file read",
+    severity: "high"
+  },
+  {
+    pattern: /BENCHMARK\s*\(\s*\d+\s*,/gi,
+    name: "MySQL BENCHMARK DoS",
+    severity: "high"
+  },
+  {
+    pattern: /SLEEP\s*\(\s*\d+\s*\)/gi,
+    name: "SQL SLEEP time-based attack",
+    severity: "high"
+  },
+  {
+    pattern: /WAITFOR\s+DELAY/gi,
+    name: "SQL Server WAITFOR DELAY",
+    severity: "high"
+  },
+  {
+    pattern: /PG_SLEEP\s*\(/gi,
+    name: "PostgreSQL pg_sleep",
+    severity: "high"
+  },
+  // Medium severity - Likely attacks
+  {
+    pattern: /'\s*--/g,
+    name: "SQL comment injection",
+    severity: "medium"
+  },
+  {
+    pattern: /'\s*#/g,
+    name: "MySQL comment injection",
+    severity: "medium"
+  },
+  {
+    pattern: /\/\*[\s\S]*?\*\//g,
+    name: "Block comment",
+    severity: "medium"
+  },
+  {
+    pattern: /'\s*;\s*$/g,
+    name: "Statement terminator",
+    severity: "medium"
+  },
+  {
+    pattern: /HAVING\s+\d+\s*=\s*\d+/gi,
+    name: "HAVING clause injection",
+    severity: "medium"
+  },
+  {
+    pattern: /GROUP\s+BY\s+\d+/gi,
+    name: "GROUP BY injection",
+    severity: "medium"
+  },
+  {
+    pattern: /ORDER\s+BY\s+\d+/gi,
+    name: "ORDER BY injection",
+    severity: "medium"
+  },
+  {
+    pattern: /CONCAT\s*\(/gi,
+    name: "CONCAT function",
+    severity: "medium"
+  },
+  {
+    pattern: /CHAR\s*\(\s*\d+\s*\)/gi,
+    name: "CHAR function bypass",
+    severity: "medium"
+  },
+  {
+    pattern: /0x[0-9a-f]{2,}/gi,
+    name: "Hex encoded value",
+    severity: "medium"
+  },
+  {
+    pattern: /CONVERT\s*\(/gi,
+    name: "CONVERT function",
+    severity: "medium"
+  },
+  {
+    pattern: /CAST\s*\(/gi,
+    name: "CAST function",
+    severity: "medium"
+  },
+  // Low severity - Suspicious but may be false positives
+  {
+    pattern: /'\s*AND\s+'?\d+'?\s*=\s*'?\d+'?/gi,
+    name: "AND '1'='1' pattern",
+    severity: "low"
+  },
+  {
+    pattern: /'\s*AND\s+'[^']*'\s*=\s*'[^']*'/gi,
+    name: "AND 'x'='x' pattern",
+    severity: "low"
+  },
+  {
+    pattern: /SELECT\s+[\w\s,*]+\s+FROM/gi,
+    name: "SELECT statement",
+    severity: "low"
+  },
+  {
+    pattern: /'\s*\+\s*'/g,
+    name: "String concatenation",
+    severity: "low"
+  },
+  {
+    pattern: /'\s*\|\|\s*'/g,
+    name: "Oracle string concatenation",
+    severity: "low"
+  }
+];
+var ENCODED_PATTERNS = [
+  {
+    pattern: /%27\s*%4f%52\s*%27/gi,
+    // URL encoded ' OR '
+    name: "URL encoded OR injection",
+    severity: "high"
+  },
+  {
+    pattern: /%27\s*%2d%2d/gi,
+    // URL encoded ' --
+    name: "URL encoded comment injection",
+    severity: "medium"
+  },
+  {
+    pattern: /\0|%00/g,
+    // Null byte (decoded or encoded)
+    name: "Null byte injection",
+    severity: "high"
+  },
+  {
+    pattern: /\\x27/gi,
+    // Hex escape
+    name: "Hex escaped quote",
+    severity: "medium"
+  },
+  {
+    pattern: /\\u0027/gi,
+    // Unicode escape
+    name: "Unicode escaped quote",
+    severity: "medium"
+  }
+];
+function normalizeInput(input) {
+  let result = input;
+  try {
+    result = decodeURIComponent(result);
+  } catch {
+  }
+  result = result.replace(/&#x([0-9a-f]+);?/gi, (_, hex) => String.fromCharCode(parseInt(hex, 16))).replace(/&#(\d+);?/gi, (_, dec) => String.fromCharCode(parseInt(dec, 10))).replace(/&quot;/gi, '"').replace(/&apos;/gi, "'").replace(/&lt;/gi, "<").replace(/&gt;/gi, ">").replace(/&amp;/gi, "&");
+  result = result.replace(
+    /\\x([0-9a-f]{2})/gi,
+    (_, hex) => String.fromCharCode(parseInt(hex, 16))
+  );
+  result = result.replace(
+    /\\u([0-9a-f]{4})/gi,
+    (_, hex) => String.fromCharCode(parseInt(hex, 16))
+  );
+  return result;
+}
+function detectSQLInjection(input, options = {}) {
+  if (!input || typeof input !== "string") return [];
+  const {
+    customPatterns = [],
+    checkEncoded = true,
+    minSeverity = "low"
+  } = options;
+  const severityOrder = { low: 0, medium: 1, high: 2 };
+  const minSeverityLevel = severityOrder[minSeverity];
+  const detections = [];
+  const seenPatterns = /* @__PURE__ */ new Set();
+  const normalizedInput = checkEncoded ? normalizeInput(input) : input;
+  const allPatterns = [
+    ...SQL_PATTERNS,
+    ...checkEncoded ? ENCODED_PATTERNS : [],
+    ...customPatterns.map((p) => ({ pattern: p, name: "Custom pattern", severity: "high" }))
+  ];
+  for (const { pattern, name, severity } of allPatterns) {
+    if (severityOrder[severity] < minSeverityLevel) continue;
+    pattern.lastIndex = 0;
+    const testInput = checkEncoded ? normalizedInput : input;
+    if (pattern.test(testInput)) {
+      const key = `${name}:${severity}`;
+      if (!seenPatterns.has(key)) {
+        seenPatterns.add(key);
+        detections.push({
+          field: "",
+          // Will be set by caller
+          value: input,
+          pattern: name,
+          severity
+        });
+      }
+    }
+  }
+  return detections;
+}
+function hasSQLInjection(input, minSeverity = "medium") {
+  return detectSQLInjection(input, { minSeverity }).length > 0;
+}
+function sanitizeSQLInput(input) {
+  if (!input || typeof input !== "string") return "";
+  let result = input;
+  result = result.replace(/\0/g, "");
+  result = result.replace(/'/g, "''");
+  result = result.replace(/;/g, "");
+  result = result.replace(/--/g, "");
+  result = result.replace(/\/\*/g, "");
+  result = result.replace(/\*\//g, "");
+  result = result.replace(/0x[0-9a-f]+/gi, "");
+  return result;
+}
+function detectSQLInjectionInObject(obj, options = {}) {
+  const { fields, deep = true, customPatterns, minSeverity } = options;
+  const detections = [];
+  function walk(value, path) {
+    if (typeof value === "string") {
+      if (fields && fields.length > 0) {
+        const fieldName = path.split(".").pop() || path;
+        if (!fields.includes(fieldName)) return;
+      }
+      const detected = detectSQLInjection(value, { customPatterns, minSeverity });
+      for (const d of detected) {
+        detections.push({ ...d, field: path });
+      }
+    } else if (deep && Array.isArray(value)) {
+      value.forEach((item, i) => walk(item, `${path}[${i}]`));
+    } else if (deep && typeof value === "object" && value !== null) {
+      for (const [key, val] of Object.entries(value)) {
+        walk(val, path ? `${path}.${key}` : key);
+      }
+    }
+  }
+  walk(obj, "");
+  return detections;
+}
+
+// src/middleware/validation/middleware.ts
+function withValidation(handler, config) {
+  const onError = config.onError || ((_, errors) => defaultValidationErrorResponse(errors));
+  return async (req) => {
+    const result = await validateRequest(req, {
+      body: config.body,
+      query: config.query,
+      params: config.params,
+      routeParams: config.routeParams
+    });
+    if (!result.success) {
+      return onError(req, result.errors || []);
+    }
+    return handler(req, { validated: result.data });
+  };
+}
+function withSanitization(handler, config = {}) {
+  const {
+    fields,
+    mode = "escape",
+    allowedTags,
+    skip,
+    onSanitized
+  } = config;
+  return async (req) => {
+    if (skip && await skip(req)) {
+      return handler(req, { sanitized: null, changes: [] });
+    }
+    let body;
+    try {
+      body = await req.json();
+    } catch {
+      return handler(req, { sanitized: null, changes: [] });
+    }
+    const changes = [];
+    const sanitized = walkObject(body, (value, path) => {
+      if (fields && fields.length > 0) {
+        const fieldName = path.split(".").pop() || path;
+        if (!fields.includes(fieldName)) {
+          return value;
+        }
+      }
+      const cleaned = sanitize(value, { mode, allowedTags });
+      if (cleaned !== value) {
+        changes.push({
+          field: path,
+          original: value,
+          sanitized: cleaned
+        });
+      }
+      return cleaned;
+    }, "");
+    if (onSanitized && changes.length > 0) {
+      onSanitized(req, changes);
+    }
+    return handler(req, { sanitized, changes });
+  };
+}
+function withXSSProtection(handler, config = {}) {
+  const { fields, onDetection, checkQuery = true } = config;
+  return async (req) => {
+    const detections = [];
+    if (checkQuery) {
+      const url = new URL(req.url);
+      for (const [key, value] of url.searchParams.entries()) {
+        if (detectXSS(value)) {
+          detections.push({ field: `query.${key}`, value });
+        }
+      }
+    }
+    let body;
+    try {
+      body = await req.json();
+    } catch {
+      body = null;
+    }
+    if (body) {
+      walkObject(body, (value, path) => {
+        if (fields && fields.length > 0) {
+          const fieldName = path.split(".").pop() || path;
+          if (!fields.includes(fieldName)) {
+            return value;
+          }
+        }
+        if (detectXSS(value)) {
+          detections.push({ field: path, value });
+        }
+        return value;
+      }, "");
+    }
+    if (detections.length > 0) {
+      if (onDetection) {
+        for (const { field, value } of detections) {
+          const result = await onDetection(req, field, value);
+          if (result instanceof Response) {
+            return result;
+          }
+        }
+      }
+      return new Response(
+        JSON.stringify({
+          error: "xss_detected",
+          message: "Potentially malicious content detected",
+          fields: detections.map((d) => d.field)
+        }),
+        {
+          status: 400,
+          headers: { "Content-Type": "application/json" }
+        }
+      );
+    }
+    return handler(req);
+  };
+}
+function withSQLProtection(handler, config = {}) {
+  const {
+    fields,
+    deep = true,
+    mode = "block",
+    customPatterns,
+    allowList = [],
+    onDetection
+  } = config;
+  return async (req) => {
+    let body;
+    try {
+      body = await req.json();
+    } catch {
+      return handler(req);
+    }
+    const detections = detectSQLInjectionInObject(body, {
+      fields,
+      deep,
+      customPatterns,
+      minSeverity: mode === "detect" ? "low" : "medium"
+    });
+    const filtered = detections.filter((d) => !allowList.includes(d.value));
+    if (filtered.length > 0) {
+      if (onDetection) {
+        const result = await onDetection(req, filtered);
+        if (result instanceof Response) {
+          return result;
+        }
+      }
+      if (mode === "block") {
+        return new Response(
+          JSON.stringify({
+            error: "sql_injection_detected",
+            message: "Potentially malicious SQL detected",
+            detections: filtered.map((d) => ({
+              field: d.field,
+              pattern: d.pattern,
+              severity: d.severity
+            }))
+          }),
+          {
+            status: 400,
+            headers: { "Content-Type": "application/json" }
+          }
+        );
+      }
+    }
+    return handler(req);
+  };
+}
+function withContentType(handler, config) {
+  const onInvalid = config.onInvalid || ((_, contentType) => defaultContentTypeErrorResponse(contentType, `Content-Type '${contentType}' is not allowed`));
+  return async (req) => {
+    const result = validateContentType(req, config);
+    if (!result.valid) {
+      return onInvalid(req, result.contentType);
+    }
+    return handler(req);
+  };
+}
+function withFileValidation(handler, config = {}) {
+  const onInvalid = config.onInvalid || ((_, errors) => defaultFileErrorResponse(errors));
+  return async (req) => {
+    const result = await validateFilesFromRequest(req, config);
+    if (!result.valid) {
+      return onInvalid(req, result.errors);
+    }
+    return handler(req, { files: result.files });
+  };
+}
+function withSecureValidation(handler, config) {
+  return async (req) => {
+    const allErrors = [];
+    if (config.contentType) {
+      const ctResult = validateContentType(req, config.contentType);
+      if (!ctResult.valid) {
+        allErrors.push({
+          field: "Content-Type",
+          code: "invalid_content_type",
+          message: ctResult.reason || "Invalid Content-Type"
+        });
+      }
+    }
+    let files;
+    if (config.files) {
+      const fileResult = await validateFilesFromRequest(req, config.files);
+      if (!fileResult.valid) {
+        allErrors.push(...fileResult.errors.map((e) => ({
+          field: e.field || e.filename,
+          code: e.code,
+          message: e.message
+        })));
+      } else {
+        files = fileResult.files;
+      }
+    }
+    if (allErrors.length > 0) {
+      const onError = config.onError || ((_, errors) => defaultValidationErrorResponse(errors));
+      return onError(req, allErrors);
+    }
+    let validated;
+    if (config.schema) {
+      const schemaResult = await validateRequest(req, {
+        body: config.schema.body,
+        query: config.schema.query,
+        params: config.schema.params,
+        routeParams: config.routeParams
+      });
+      if (!schemaResult.success) {
+        allErrors.push(...schemaResult.errors || []);
+      } else {
+        validated = schemaResult.data;
+      }
+    } else {
+      validated = {
+        body: {},
+        query: {},
+        params: {}
+      };
+    }
+    if (config.sql && validated?.body) {
+      const sqlDetections = detectSQLInjectionInObject(validated.body, {
+        fields: config.sql.fields,
+        deep: config.sql.deep,
+        customPatterns: config.sql.customPatterns
+      });
+      if (sqlDetections.length > 0 && config.sql.mode !== "detect") {
+        allErrors.push(...sqlDetections.map((d) => ({
+          field: d.field,
+          code: "sql_injection",
+          message: `Potential SQL injection detected: ${d.pattern}`
+        })));
+      }
+    }
+    if (config.xss?.enabled && validated?.body) {
+      walkObject(validated.body, (value, path) => {
+        if (config.xss?.fields && config.xss.fields.length > 0) {
+          const fieldName = path.split(".").pop() || path;
+          if (!config.xss.fields.includes(fieldName)) {
+            return value;
+          }
+        }
+        if (detectXSS(value)) {
+          allErrors.push({
+            field: path,
+            code: "xss_detected",
+            message: "Potentially malicious content detected"
+          });
+        }
+        return value;
+      }, "");
+    }
+    if (allErrors.length > 0) {
+      const onError = config.onError || ((_, errors) => defaultValidationErrorResponse(errors));
+      return onError(req, allErrors);
+    }
+    return handler(req, { validated, files });
+  };
+}
+
+// src/middleware/audit/stores/memory.ts
+var MemoryStore2 = class {
+  entries = [];
+  maxEntries;
+  ttl;
+  constructor(options = {}) {
+    this.maxEntries = options.maxEntries || 1e3;
+    this.ttl = options.ttl || 0;
+  }
+  async write(entry) {
+    this.entries.push(entry);
+    if (this.entries.length > this.maxEntries) {
+      this.entries = this.entries.slice(-this.maxEntries);
+    }
+    if (this.ttl > 0) {
+      this.cleanExpired();
+    }
+  }
+  async query(options = {}) {
+    let result = [...this.entries];
+    if (options.level) {
+      const levels = Array.isArray(options.level) ? options.level : [options.level];
+      result = result.filter((e) => levels.includes(e.level));
+    }
+    if (options.type) {
+      result = result.filter((e) => e.type === options.type);
+    }
+    if (options.event) {
+      const events = Array.isArray(options.event) ? options.event : [options.event];
+      result = result.filter(
+        (e) => e.type === "security" && events.includes(e.event)
+      );
+    }
+    if (options.startTime) {
+      result = result.filter((e) => e.timestamp >= options.startTime);
+    }
+    if (options.endTime) {
+      result = result.filter((e) => e.timestamp <= options.endTime);
+    }
+    if (options.ip) {
+      result = result.filter((e) => {
+        if (e.type === "request") return e.request.ip === options.ip;
+        if (e.type === "security") return e.source.ip === options.ip;
+        return false;
+      });
+    }
+    if (options.userId) {
+      result = result.filter((e) => {
+        if (e.type === "request") return e.user?.id === options.userId;
+        if (e.type === "security") return e.source.userId === options.userId;
+        return false;
+      });
+    }
+    if (options.offset) {
+      result = result.slice(options.offset);
+    }
+    if (options.limit) {
+      result = result.slice(0, options.limit);
+    }
+    return result;
+  }
+  async flush() {
+  }
+  async close() {
+    this.entries = [];
+  }
+  /**
+   * Get all entries (for testing)
+   */
+  getEntries() {
+    return [...this.entries];
+  }
+  /**
+   * Clear all entries
+   */
+  clear() {
+    this.entries = [];
+  }
+  /**
+   * Get entry count
+   */
+  size() {
+    return this.entries.length;
+  }
+  /**
+   * Clean expired entries
+   */
+  cleanExpired() {
+    if (this.ttl <= 0) return;
+    const now = Date.now();
+    this.entries = this.entries.filter((e) => {
+      const age = now - e.timestamp.getTime();
+      return age < this.ttl;
+    });
+  }
+};
+function createMemoryStore2(options) {
+  return new MemoryStore2(options);
+}
+
+// src/middleware/audit/stores/console.ts
+var COLORS = {
+  reset: "\x1B[0m",
+  bold: "\x1B[1m",
+  dim: "\x1B[2m",
+  // Log levels
+  debug: "\x1B[36m",
+  // Cyan
+  info: "\x1B[32m",
+  // Green
+  warn: "\x1B[33m",
+  // Yellow
+  error: "\x1B[31m",
+  // Red
+  critical: "\x1B[35m",
+  // Magenta
+  // Security severity
+  low: "\x1B[36m",
+  // Cyan
+  medium: "\x1B[33m",
+  // Yellow
+  high: "\x1B[31m",
+  // Red
+  // Other
+  timestamp: "\x1B[90m",
+  // Gray
+  method: "\x1B[34m",
+  // Blue
+  status2xx: "\x1B[32m",
+  // Green
+  status3xx: "\x1B[36m",
+  // Cyan
+  status4xx: "\x1B[33m",
+  // Yellow
+  status5xx: "\x1B[31m"
+  // Red
+};
+var LEVEL_PRIORITY = {
+  debug: 0,
+  info: 1,
+  warn: 2,
+  error: 3,
+  critical: 4
+};
+var ConsoleStore = class {
+  colorize;
+  showTimestamp;
+  pretty;
+  minLevel;
+  constructor(options = {}) {
+    this.colorize = options.colorize ?? process.env.NODE_ENV !== "production";
+    this.showTimestamp = options.timestamp ?? true;
+    this.pretty = options.pretty ?? false;
+    this.minLevel = options.level || "info";
+  }
+  async write(entry) {
+    if (LEVEL_PRIORITY[entry.level] < LEVEL_PRIORITY[this.minLevel]) {
+      return;
+    }
+    const output = this.pretty ? this.formatPretty(entry) : this.formatCompact(entry);
+    switch (entry.level) {
+      case "debug":
+        console.debug(output);
+        break;
+      case "info":
+        console.info(output);
+        break;
+      case "warn":
+        console.warn(output);
+        break;
+      case "error":
+      case "critical":
+        console.error(output);
+        break;
+      default:
+        console.log(output);
+    }
+  }
+  async flush() {
+  }
+  async close() {
+  }
+  /**
+   * Format entry in compact single-line format
+   */
+  formatCompact(entry) {
+    const parts = [];
+    if (this.showTimestamp) {
+      const ts = entry.timestamp.toISOString();
+      parts.push(this.color(ts, "timestamp"));
+    }
+    parts.push(this.colorLevel(entry.level));
+    if (entry.type === "request") {
+      const req = entry.request;
+      const res = entry.response;
+      parts.push(this.color(req.method, "method"));
+      parts.push(req.path);
+      if (res) {
+        parts.push(this.colorStatus(res.status));
+        parts.push(this.color(`${res.duration}ms`, "dim"));
+      }
+      if (req.ip) {
+        parts.push(this.color(`[${req.ip}]`, "dim"));
+      }
+      if (entry.user?.id) {
+        parts.push(this.color(`user:${entry.user.id}`, "dim"));
+      }
+      if (entry.error) {
+        parts.push(this.color(`ERROR: ${entry.error.message}`, "error"));
+      }
+    } else if (entry.type === "security") {
+      parts.push(this.colorSeverity(entry.severity));
+      parts.push(entry.event);
+      if (entry.source.ip) {
+        parts.push(this.color(`[${entry.source.ip}]`, "dim"));
+      }
+      if (entry.source.userId) {
+        parts.push(this.color(`user:${entry.source.userId}`, "dim"));
+      }
+      parts.push(entry.message);
+    }
+    return parts.join(" ");
+  }
+  /**
+   * Format entry in pretty multi-line format
+   */
+  formatPretty(entry) {
+    const lines = [];
+    const header = [
+      this.color(entry.timestamp.toISOString(), "timestamp"),
+      this.colorLevel(entry.level),
+      `[${entry.type.toUpperCase()}]`
+    ].join(" ");
+    lines.push(header);
+    if (entry.type === "request") {
+      const req = entry.request;
+      const res = entry.response;
+      lines.push(`  ${this.color(req.method, "method")} ${req.url}`);
+      if (req.ip) lines.push(`  IP: ${req.ip}`);
+      if (req.userAgent) lines.push(`  UA: ${req.userAgent}`);
+      if (res) {
+        lines.push(`  Status: ${this.colorStatus(res.status)} (${res.duration}ms)`);
+      }
+      if (entry.user) {
+        lines.push(`  User: ${JSON.stringify(entry.user)}`);
+      }
+      if (entry.error) {
+        lines.push(`  ${this.color("Error:", "error")} ${entry.error.message}`);
+        if (entry.error.stack) {
+          lines.push(`  ${this.color(entry.error.stack, "dim")}`);
+        }
+      }
+    } else if (entry.type === "security") {
+      lines.push(`  Event: ${entry.event}`);
+      lines.push(`  Severity: ${this.colorSeverity(entry.severity)}`);
+      lines.push(`  Message: ${entry.message}`);
+      if (entry.source.ip) lines.push(`  Source IP: ${entry.source.ip}`);
+      if (entry.source.userId) lines.push(`  Source User: ${entry.source.userId}`);
+      if (entry.target) {
+        lines.push(`  Target: ${JSON.stringify(entry.target)}`);
+      }
+      if (entry.details) {
+        lines.push(`  Details: ${JSON.stringify(entry.details)}`);
+      }
+    }
+    if (entry.metadata && Object.keys(entry.metadata).length > 0) {
+      lines.push(`  Metadata: ${JSON.stringify(entry.metadata)}`);
+    }
+    return lines.join("\n");
+  }
+  /**
+   * Apply color if enabled
+   */
+  color(text, colorName) {
+    if (!this.colorize) return text;
+    return `${COLORS[colorName]}${text}${COLORS.reset}`;
+  }
+  /**
+   * Color log level
+   */
+  colorLevel(level) {
+    const text = level.toUpperCase().padEnd(8);
+    if (!this.colorize) return `[${text}]`;
+    return `[${COLORS[level]}${text}${COLORS.reset}]`;
+  }
+  /**
+   * Color HTTP status
+   */
+  colorStatus(status) {
+    const text = status.toString();
+    if (!this.colorize) return text;
+    if (status >= 500) return `${COLORS.status5xx}${text}${COLORS.reset}`;
+    if (status >= 400) return `${COLORS.status4xx}${text}${COLORS.reset}`;
+    if (status >= 300) return `${COLORS.status3xx}${text}${COLORS.reset}`;
+    return `${COLORS.status2xx}${text}${COLORS.reset}`;
+  }
+  /**
+   * Color severity
+   */
+  colorSeverity(severity) {
+    const text = `[${severity.toUpperCase()}]`;
+    if (!this.colorize) return text;
+    const colorKey = severity === "critical" ? "critical" : severity;
+    return `${COLORS[colorKey]}${text}${COLORS.reset}`;
+  }
+};
+function createConsoleStore(options) {
+  return new ConsoleStore(options);
+}
+
+// src/middleware/audit/stores/external.ts
+var ExternalStore = class {
+  endpoint;
+  headers;
+  batchSize;
+  flushInterval;
+  retryAttempts;
+  timeout;
+  buffer = [];
+  flushTimer = null;
+  isFlushing = false;
+  constructor(options) {
+    this.endpoint = options.endpoint;
+    this.headers = {
+      "Content-Type": "application/json",
+      ...options.apiKey ? { "Authorization": `Bearer ${options.apiKey}` } : {},
+      ...options.headers
+    };
+    this.batchSize = options.batchSize || 100;
+    this.flushInterval = options.flushInterval || 5e3;
+    this.retryAttempts = options.retryAttempts || 3;
+    this.timeout = options.timeout || 1e4;
+    if (this.flushInterval > 0) {
+      this.flushTimer = setInterval(() => this.flush(), this.flushInterval);
+    }
+  }
+  async write(entry) {
+    this.buffer.push(entry);
+    if (this.buffer.length >= this.batchSize) {
+      await this.flush();
+    }
+  }
+  async flush() {
+    if (this.isFlushing || this.buffer.length === 0) return;
+    this.isFlushing = true;
+    const entries = [...this.buffer];
+    this.buffer = [];
+    try {
+      await this.send(entries);
+    } catch (error) {
+      this.buffer = [...entries, ...this.buffer];
+      console.error("[ExternalStore] Failed to flush logs:", error);
+    } finally {
+      this.isFlushing = false;
+    }
+  }
+  async close() {
+    if (this.flushTimer) {
+      clearInterval(this.flushTimer);
+      this.flushTimer = null;
+    }
+    await this.flush();
+  }
+  /**
+   * Send entries to external endpoint
+   */
+  async send(entries) {
+    let lastError = null;
+    for (let attempt = 0; attempt < this.retryAttempts; attempt++) {
+      try {
+        const controller = new AbortController();
+        const timeoutId = setTimeout(() => controller.abort(), this.timeout);
+        const response = await fetch(this.endpoint, {
+          method: "POST",
+          headers: this.headers,
+          body: JSON.stringify({
+            logs: entries.map((e) => this.serialize(e)),
+            timestamp: (/* @__PURE__ */ new Date()).toISOString(),
+            count: entries.length
+          }),
+          signal: controller.signal
+        });
+        clearTimeout(timeoutId);
+        if (!response.ok) {
+          throw new Error(`HTTP ${response.status}: ${response.statusText}`);
+        }
+        return;
+      } catch (error) {
+        lastError = error instanceof Error ? error : new Error(String(error));
+        if (attempt < this.retryAttempts - 1) {
+          await this.sleep(Math.pow(2, attempt) * 1e3);
+        }
+      }
+    }
+    throw lastError || new Error("Failed to send logs");
+  }
+  /**
+   * Serialize entry for transmission
+   */
+  serialize(entry) {
+    return {
+      ...entry,
+      timestamp: entry.timestamp.toISOString()
+    };
+  }
+  /**
+   * Sleep helper
+   */
+  sleep(ms) {
+    return new Promise((resolve) => setTimeout(resolve, ms));
+  }
+  /**
+   * Get buffer size (for monitoring)
+   */
+  getBufferSize() {
+    return this.buffer.length;
+  }
+};
+function createExternalStore(options) {
+  return new ExternalStore(options);
+}
+function createDatadogStore(options) {
+  const site = options.site || "datadoghq.com";
+  const endpoint = `https://http-intake.logs.${site}/api/v2/logs`;
+  return new ExternalStore({
+    endpoint,
+    headers: {
+      "DD-API-KEY": options.apiKey,
+      "Content-Type": "application/json"
+    },
+    batchSize: options.batchSize || 100,
+    flushInterval: options.flushInterval || 5e3
+  });
+}
+var MultiStore = class {
+  stores;
+  constructor(stores) {
+    this.stores = stores;
+  }
+  async write(entry) {
+    await Promise.all(this.stores.map((store) => store.write(entry)));
+  }
+  async query(options) {
+    for (const store of this.stores) {
+      if (store.query) {
+        return store.query(options);
+      }
+    }
+    return [];
+  }
+  async flush() {
+    await Promise.all(this.stores.map((store) => store.flush?.()));
+  }
+  async close() {
+    await Promise.all(this.stores.map((store) => store.close?.()));
+  }
+};
+function createMultiStore(stores) {
+  return new MultiStore(stores);
+}
+
+// src/middleware/audit/formatters.ts
+var JSONFormatter = class {
+  pretty;
+  includeTimestamp;
+  constructor(options = {}) {
+    this.pretty = options.pretty ?? false;
+    this.includeTimestamp = options.includeTimestamp ?? true;
+  }
+  format(entry) {
+    const output = {
+      ...entry,
+      timestamp: this.includeTimestamp ? entry.timestamp.toISOString() : void 0
+    };
+    return this.pretty ? JSON.stringify(output, null, 2) : JSON.stringify(output);
+  }
+};
+var TextFormatter = class {
+  template;
+  dateFormat;
+  constructor(options = {}) {
+    this.template = options.template || "{timestamp} [{level}] {message}";
+    this.dateFormat = options.dateFormat || "iso";
+  }
+  format(entry) {
+    let output = this.template;
+    output = output.replace("{timestamp}", this.formatDate(entry.timestamp));
+    output = output.replace("{level}", entry.level.toUpperCase().padEnd(8));
+    output = output.replace("{message}", entry.message);
+    output = output.replace("{type}", entry.type);
+    output = output.replace("{id}", entry.id);
+    if (entry.category) {
+      output = output.replace("{category}", entry.category);
+    }
+    if (entry.type === "request") {
+      output = output.replace("{method}", entry.request.method);
+      output = output.replace("{path}", entry.request.path);
+      output = output.replace("{url}", entry.request.url);
+      output = output.replace("{ip}", entry.request.ip || "-");
+      output = output.replace("{status}", entry.response?.status?.toString() || "-");
+      output = output.replace("{duration}", entry.response?.duration?.toString() || "-");
+    }
+    if (entry.type === "security") {
+      output = output.replace("{event}", entry.event);
+      output = output.replace("{severity}", entry.severity);
+    }
+    return output;
+  }
+  formatDate(date) {
+    switch (this.dateFormat) {
+      case "utc":
+        return date.toUTCString();
+      case "local":
+        return date.toLocaleString();
+      case "iso":
+      default:
+        return date.toISOString();
+    }
+  }
+};
+var CLFFormatter = class {
+  format(entry) {
+    if (entry.type !== "request") {
+      return `[${entry.timestamp.toISOString()}] ${entry.level.toUpperCase()} ${entry.message}`;
+    }
+    const req = entry.request;
+    const res = entry.response;
+    const host = req.ip || "-";
+    const ident = "-";
+    const authuser = entry.user?.id || "-";
+    const date = this.formatCLFDate(entry.timestamp);
+    const request = `${req.method} ${req.path} HTTP/1.1`;
+    const status = res?.status || 0;
+    const bytes = res?.contentLength || 0;
+    return `${host} ${ident} ${authuser} [${date}] "${request}" ${status} ${bytes}`;
+  }
+  formatCLFDate(date) {
+    const months = [
+      "Jan",
+      "Feb",
+      "Mar",
+      "Apr",
+      "May",
+      "Jun",
+      "Jul",
+      "Aug",
+      "Sep",
+      "Oct",
+      "Nov",
+      "Dec"
+    ];
+    const day = date.getDate().toString().padStart(2, "0");
+    const month = months[date.getMonth()];
+    const year = date.getFullYear();
+    const hours = date.getHours().toString().padStart(2, "0");
+    const minutes = date.getMinutes().toString().padStart(2, "0");
+    const seconds = date.getSeconds().toString().padStart(2, "0");
+    const offset = -date.getTimezoneOffset();
+    const offsetSign = offset >= 0 ? "+" : "-";
+    const offsetHours = Math.floor(Math.abs(offset) / 60).toString().padStart(2, "0");
+    const offsetMins = (Math.abs(offset) % 60).toString().padStart(2, "0");
+    return `${day}/${month}/${year}:${hours}:${minutes}:${seconds} ${offsetSign}${offsetHours}${offsetMins}`;
+  }
+};
+var StructuredFormatter = class {
+  delimiter;
+  kvSeparator;
+  constructor(options = {}) {
+    this.delimiter = options.delimiter || " ";
+    this.kvSeparator = options.kvSeparator || "=";
+  }
+  format(entry) {
+    const pairs = [];
+    pairs.push(this.pair("timestamp", entry.timestamp.toISOString()));
+    pairs.push(this.pair("level", entry.level));
+    pairs.push(this.pair("type", entry.type));
+    pairs.push(this.pair("id", entry.id));
+    pairs.push(this.pair("message", this.escape(entry.message)));
+    if (entry.category) {
+      pairs.push(this.pair("category", entry.category));
+    }
+    if (entry.type === "request") {
+      pairs.push(this.pair("method", entry.request.method));
+      pairs.push(this.pair("path", entry.request.path));
+      if (entry.request.ip) pairs.push(this.pair("ip", entry.request.ip));
+      if (entry.response) {
+        pairs.push(this.pair("status", entry.response.status.toString()));
+        pairs.push(this.pair("duration_ms", entry.response.duration.toString()));
+      }
+      if (entry.user?.id) pairs.push(this.pair("user_id", entry.user.id));
+      if (entry.error) {
+        pairs.push(this.pair("error", this.escape(entry.error.message)));
+      }
+    }
+    if (entry.type === "security") {
+      pairs.push(this.pair("event", entry.event));
+      pairs.push(this.pair("severity", entry.severity));
+      if (entry.source.ip) pairs.push(this.pair("source_ip", entry.source.ip));
+      if (entry.source.userId) pairs.push(this.pair("source_user", entry.source.userId));
+    }
+    return pairs.join(this.delimiter);
+  }
+  pair(key, value) {
+    return `${key}${this.kvSeparator}${value}`;
+  }
+  escape(value) {
+    if (value.includes(" ") || value.includes('"')) {
+      return `"${value.replace(/"/g, '\\"')}"`;
+    }
+    return value;
+  }
+};
+function createJSONFormatter(options) {
+  return new JSONFormatter(options);
+}
+function createTextFormatter(options) {
+  return new TextFormatter(options);
+}
+function createCLFFormatter() {
+  return new CLFFormatter();
+}
+function createStructuredFormatter(options) {
+  return new StructuredFormatter(options);
+}
+
+// src/middleware/audit/redaction.ts
+var DEFAULT_PII_FIELDS = [
+  // Authentication
+  "password",
+  "passwd",
+  "secret",
+  "token",
+  "api_key",
+  "apiKey",
+  "api-key",
+  "access_token",
+  "accessToken",
+  "refresh_token",
+  "refreshToken",
+  "authorization",
+  "auth",
+  // Personal information
+  "ssn",
+  "social_security",
+  "socialSecurity",
+  "credit_card",
+  "creditCard",
+  "card_number",
+  "cardNumber",
+  "cvv",
+  "cvc",
+  "pin",
+  // Contact
+  "email",
+  "phone",
+  "phone_number",
+  "phoneNumber",
+  "mobile",
+  "address",
+  "street",
+  "zip",
+  "zipcode",
+  "postal_code",
+  "postalCode",
+  // Identity
+  "date_of_birth",
+  "dateOfBirth",
+  "dob",
+  "birth_date",
+  "birthDate",
+  "passport",
+  "license",
+  "national_id",
+  "nationalId"
+];
+function mask(value, options = {}) {
+  const {
+    char = "*",
+    preserveLength = false,
+    showFirst = 0,
+    showLast = 0
+  } = options;
+  if (!value) return value;
+  const len = value.length;
+  if (preserveLength) {
+    const first2 = value.slice(0, showFirst);
+    const last2 = value.slice(-showLast || len);
+    const middle = char.repeat(Math.max(0, len - showFirst - showLast));
+    return first2 + middle + (showLast > 0 ? last2 : "");
+  }
+  const maskLen = 8;
+  const first = showFirst > 0 ? value.slice(0, showFirst) : "";
+  const last = showLast > 0 ? value.slice(-showLast) : "";
+  return first + char.repeat(maskLen) + last;
+}
+function hash(value, salt = "") {
+  const str = salt + value;
+  let hash2 = 0;
+  for (let i = 0; i < str.length; i++) {
+    const char = str.charCodeAt(i);
+    hash2 = (hash2 << 5) - hash2 + char;
+    hash2 = hash2 & hash2;
+  }
+  const hex = Math.abs(hash2).toString(16).padStart(8, "0");
+  return hex + hex.slice(0, 8);
+}
+function redactValue(value, field, config) {
+  if (typeof value !== "string") return value;
+  if (!value) return value;
+  const shouldRedact = config.fields.some((f) => {
+    const fieldLower = field.toLowerCase();
+    const fLower = f.toLowerCase();
+    return fieldLower === fLower || fieldLower.endsWith("." + fLower) || fieldLower.includes("[" + fLower + "]");
+  });
+  if (!shouldRedact) return value;
+  if (config.customRedactor) {
+    return config.customRedactor(value, field);
+  }
+  switch (config.mode) {
+    case "mask":
+      return mask(value, {
+        char: config.maskChar || "*",
+        preserveLength: config.preserveLength,
+        showFirst: 2,
+        showLast: 2
+      });
+    case "hash":
+      return `[HASH:${hash(value)}]`;
+    case "remove":
+      return "[REDACTED]";
+    default:
+      return "[REDACTED]";
+  }
+}
+function redactObject(obj, config, path = "") {
+  if (typeof obj === "string") {
+    return redactValue(obj, path, config);
+  }
+  if (Array.isArray(obj)) {
+    return obj.map((item, i) => redactObject(item, config, `${path}[${i}]`));
+  }
+  if (typeof obj === "object" && obj !== null) {
+    const result = {};
+    for (const [key, value] of Object.entries(obj)) {
+      const newPath = path ? `${path}.${key}` : key;
+      result[key] = redactObject(value, config, newPath);
+    }
+    return result;
+  }
+  return obj;
+}
+function createRedactor(config = {}) {
+  const fullConfig = {
+    fields: config.fields || DEFAULT_PII_FIELDS,
+    mode: config.mode || "mask",
+    maskChar: config.maskChar || "*",
+    preserveLength: config.preserveLength || false,
+    customRedactor: config.customRedactor
+  };
+  return (obj) => redactObject(obj, fullConfig);
+}
+function redactHeaders(headers, sensitiveHeaders = ["authorization", "cookie", "x-api-key", "x-auth-token"]) {
+  const result = {};
+  for (const [key, value] of Object.entries(headers)) {
+    const keyLower = key.toLowerCase();
+    if (sensitiveHeaders.some((h) => keyLower === h.toLowerCase())) {
+      result[key] = "[REDACTED]";
+    } else {
+      result[key] = value;
+    }
+  }
+  return result;
+}
+function redactQuery(query, sensitiveParams = ["token", "key", "secret", "password", "auth"]) {
+  const result = {};
+  for (const [key, value] of Object.entries(query)) {
+    const keyLower = key.toLowerCase();
+    if (sensitiveParams.some((p) => keyLower.includes(p.toLowerCase()))) {
+      result[key] = "[REDACTED]";
+    } else {
+      result[key] = value;
+    }
+  }
+  return result;
+}
+function redactEmail(email) {
+  if (!email || !email.includes("@")) return mask(email);
+  const [, domain] = email.split("@");
+  return `****@${domain}`;
+}
+function redactCreditCard(cardNumber) {
+  const cleaned = cardNumber.replace(/\D/g, "");
+  if (cleaned.length < 4) return mask(cardNumber);
+  return "**** **** **** " + cleaned.slice(-4);
+}
+function redactPhone(phone) {
+  const cleaned = phone.replace(/\D/g, "");
+  if (cleaned.length < 4) return mask(phone);
+  return mask(phone, { preserveLength: true, showLast: 4 });
+}
+function redactIP(ip) {
+  if (ip.includes(":")) {
+    const parts2 = ip.split(":");
+    return parts2[0] + ":****:****:****";
+  }
+  const parts = ip.split(".");
+  if (parts.length !== 4) return mask(ip);
+  return `${parts[0]}.${parts[1]}.*.*`;
+}
+
+// src/middleware/audit/events.ts
+function generateId() {
+  return `evt_${Date.now().toString(36)}_${Math.random().toString(36).slice(2, 9)}`;
+}
+function severityToLevel(severity) {
+  switch (severity) {
+    case "low":
+      return "info";
+    case "medium":
+      return "warn";
+    case "high":
+      return "error";
+    case "critical":
+      return "critical";
+  }
+}
+var SecurityEventTracker = class {
+  store;
+  defaultSeverity;
+  onEvent;
+  constructor(config) {
+    this.store = config.store;
+    this.defaultSeverity = config.defaultSeverity || "medium";
+    this.onEvent = config.onEvent;
+  }
+  /**
+   * Track a security event
+   */
+  async track(options) {
+    const severity = options.severity || this.defaultSeverity;
+    const entry = {
+      id: generateId(),
+      timestamp: /* @__PURE__ */ new Date(),
+      type: "security",
+      level: severityToLevel(severity),
+      message: options.message,
+      event: options.event,
+      severity,
+      source: options.source || {},
+      target: options.target,
+      details: options.details,
+      mitigated: options.mitigated,
+      metadata: options.metadata
+    };
+    await this.store.write(entry);
+    if (this.onEvent) {
+      await this.onEvent(entry);
+    }
+    return entry;
+  }
+  // Convenience methods for common events
+  /**
+   * Track failed authentication
+   */
+  async authFailed(options) {
+    return this.track({
+      event: "auth.failed",
+      message: options.reason || "Authentication failed",
+      severity: "medium",
+      source: {
+        ip: options.ip,
+        userAgent: options.userAgent
+      },
+      details: {
+        attemptedEmail: options.email,
+        reason: options.reason
+      },
+      metadata: options.metadata
+    });
+  }
+  /**
+   * Track successful login
+   */
+  async authLogin(options) {
+    return this.track({
+      event: "auth.login",
+      message: `User ${options.userId} logged in`,
+      severity: "low",
+      source: {
+        ip: options.ip,
+        userAgent: options.userAgent,
+        userId: options.userId
+      },
+      details: {
+        method: options.method || "credentials"
+      },
+      metadata: options.metadata
+    });
+  }
+  /**
+   * Track logout
+   */
+  async authLogout(options) {
+    return this.track({
+      event: "auth.logout",
+      message: `User ${options.userId} logged out`,
+      severity: "low",
+      source: {
+        ip: options.ip,
+        userId: options.userId
+      },
+      details: {
+        reason: options.reason || "user"
+      },
+      metadata: options.metadata
+    });
+  }
+  /**
+   * Track permission denied
+   */
+  async permissionDenied(options) {
+    return this.track({
+      event: "auth.permission_denied",
+      message: `Permission denied for ${options.action} on ${options.resource}`,
+      severity: "medium",
+      source: {
+        ip: options.ip,
+        userId: options.userId
+      },
+      target: {
+        resource: options.resource,
+        action: options.action
+      },
+      details: {
+        requiredRole: options.requiredRole
+      },
+      metadata: options.metadata
+    });
+  }
+  /**
+   * Track rate limit exceeded
+   */
+  async rateLimitExceeded(options) {
+    return this.track({
+      event: "ratelimit.exceeded",
+      message: `Rate limit exceeded for ${options.endpoint}`,
+      severity: "medium",
+      source: {
+        ip: options.ip,
+        userId: options.userId
+      },
+      target: {
+        resource: options.endpoint
+      },
+      details: {
+        limit: options.limit,
+        window: options.window
+      },
+      metadata: options.metadata
+    });
+  }
+  /**
+   * Track CSRF validation failure
+   */
+  async csrfInvalid(options) {
+    return this.track({
+      event: "csrf.invalid",
+      message: `CSRF validation failed for ${options.endpoint}`,
+      severity: "high",
+      source: {
+        ip: options.ip,
+        userId: options.userId
+      },
+      target: {
+        resource: options.endpoint
+      },
+      details: {
+        reason: options.reason
+      },
+      metadata: options.metadata
+    });
+  }
+  /**
+   * Track XSS detection
+   */
+  async xssDetected(options) {
+    return this.track({
+      event: "xss.detected",
+      message: `XSS payload detected in ${options.field}`,
+      severity: "high",
+      source: {
+        ip: options.ip,
+        userId: options.userId
+      },
+      target: {
+        resource: options.endpoint
+      },
+      details: {
+        field: options.field,
+        payload: options.payload?.slice(0, 100)
+        // Truncate
+      },
+      mitigated: true,
+      metadata: options.metadata
+    });
+  }
+  /**
+   * Track SQL injection detection
+   */
+  async sqliDetected(options) {
+    return this.track({
+      event: "sqli.detected",
+      message: `SQL injection attempt detected in ${options.field}`,
+      severity: options.severity || "high",
+      source: {
+        ip: options.ip,
+        userId: options.userId
+      },
+      target: {
+        resource: options.endpoint
+      },
+      details: {
+        field: options.field,
+        pattern: options.pattern
+      },
+      mitigated: true,
+      metadata: options.metadata
+    });
+  }
+  /**
+   * Track IP block
+   */
+  async ipBlocked(options) {
+    return this.track({
+      event: "ip.blocked",
+      message: `IP ${options.ip} blocked: ${options.reason}`,
+      severity: "high",
+      source: {
+        ip: options.ip
+      },
+      details: {
+        reason: options.reason,
+        duration: options.duration
+      },
+      metadata: options.metadata
+    });
+  }
+  /**
+   * Track suspicious activity
+   */
+  async suspicious(options) {
+    return this.track({
+      event: "ip.suspicious",
+      message: options.activity,
+      severity: options.severity || "medium",
+      source: {
+        ip: options.ip,
+        userId: options.userId
+      },
+      details: options.details,
+      metadata: options.metadata
+    });
+  }
+  /**
+   * Track custom event
+   */
+  async custom(options) {
+    return this.track({
+      event: "custom",
+      ...options
+    });
+  }
+};
+function createSecurityTracker(config) {
+  return new SecurityEventTracker(config);
+}
+async function trackSecurityEvent(store, options) {
+  const tracker = new SecurityEventTracker({ store });
+  return tracker.track(options);
+}
+
+// src/middleware/audit/middleware.ts
+function generateRequestId() {
+  return `req_${Date.now().toString(36)}_${Math.random().toString(36).slice(2, 9)}`;
+}
+function getClientIP(req) {
+  return req.headers.get("x-forwarded-for")?.split(",")[0]?.trim() || req.headers.get("x-real-ip") || req.headers.get("cf-connecting-ip") || void 0;
+}
+function headersToRecord(headers, includeHeaders) {
+  if (!includeHeaders) return {};
+  const result = {};
+  if (includeHeaders === true) {
+    headers.forEach((value, key) => {
+      result[key] = value;
+    });
+  } else if (Array.isArray(includeHeaders)) {
+    for (const key of includeHeaders) {
+      const value = headers.get(key);
+      if (value) result[key] = value;
+    }
+  }
+  return result;
+}
+function parseQuery(url) {
+  const result = {};
+  try {
+    const urlObj = new URL(url);
+    urlObj.searchParams.forEach((value, key) => {
+      result[key] = value;
+    });
+  } catch {
+  }
+  return result;
+}
+function statusToLevel(status) {
+  if (status >= 500) return "error";
+  if (status >= 400) return "warn";
+  return "info";
+}
+function shouldSkip(req, status, exclude) {
+  if (!exclude) return false;
+  const url = new URL(req.url);
+  if (exclude.paths?.length) {
+    const matchesPath = exclude.paths.some((pattern) => {
+      if (pattern.includes("*")) {
+        const regex = new RegExp("^" + pattern.replace(/\*/g, ".*") + "$");
+        return regex.test(url.pathname);
+      }
+      return url.pathname === pattern || url.pathname.startsWith(pattern);
+    });
+    if (matchesPath) return true;
+  }
+  if (exclude.methods?.includes(req.method)) {
+    return true;
+  }
+  if (exclude.statusCodes?.includes(status)) {
+    return true;
+  }
+  return false;
+}
+function withAuditLog(handler, config) {
+  const {
+    enabled = true,
+    store,
+    include = {},
+    exclude,
+    pii,
+    getUser,
+    requestIdHeader = "x-request-id",
+    generateRequestId: customGenerateId,
+    onError,
+    skip
+  } = config;
+  const includeSettings = {
+    ip: include.ip ?? true,
+    userAgent: include.userAgent ?? true,
+    headers: include.headers ?? false,
+    query: include.query ?? true,
+    body: include.body ?? false,
+    response: include.response ?? true,
+    responseBody: include.responseBody ?? false,
+    duration: include.duration ?? true,
+    user: include.user ?? true
+  };
+  const piiConfig = pii || {
+    fields: DEFAULT_PII_FIELDS,
+    mode: "mask"
+  };
+  return async (req) => {
+    if (!enabled) {
+      return handler(req);
+    }
+    if (skip && await skip(req)) {
+      return handler(req);
+    }
+    const startTime = Date.now();
+    const requestId = req.headers.get(requestIdHeader) || (customGenerateId ? customGenerateId() : generateRequestId());
+    const url = new URL(req.url);
+    let requestInfo = {
+      id: requestId,
+      method: req.method,
+      url: req.url,
+      path: url.pathname
+    };
+    if (includeSettings.ip) {
+      requestInfo.ip = getClientIP(req);
+    }
+    if (includeSettings.userAgent) {
+      requestInfo.userAgent = req.headers.get("user-agent") || void 0;
+    }
+    if (includeSettings.headers) {
+      let headers = headersToRecord(req.headers, includeSettings.headers);
+      headers = redactHeaders(headers);
+      requestInfo.headers = headers;
+    }
+    if (includeSettings.query) {
+      let query = parseQuery(req.url);
+      query = redactQuery(query);
+      requestInfo.query = query;
+    }
+    requestInfo.contentType = req.headers.get("content-type") || void 0;
+    requestInfo.contentLength = parseInt(req.headers.get("content-length") || "0", 10) || void 0;
+    let user;
+    if (includeSettings.user && getUser) {
+      try {
+        user = await getUser(req) || void 0;
+      } catch {
+      }
+    }
+    let response;
+    let error;
+    try {
+      response = await handler(req);
+    } catch (err) {
+      error = err instanceof Error ? err : new Error(String(err));
+      throw err;
+    } finally {
+      const duration = Date.now() - startTime;
+      const status = response?.status || 500;
+      if (!shouldSkip(req, status, exclude)) {
+        const entry = {
+          id: requestId,
+          timestamp: /* @__PURE__ */ new Date(),
+          type: "request",
+          level: error ? "error" : statusToLevel(status),
+          message: `${req.method} ${url.pathname} ${status} ${duration}ms`,
+          request: requestInfo,
+          user
+        };
+        if (includeSettings.response && response) {
+          entry.response = {
+            status: response.status,
+            duration
+          };
+          if (includeSettings.headers) {
+            entry.response.headers = headersToRecord(response.headers, includeSettings.headers);
+          }
+        }
+        if (error) {
+          entry.error = {
+            name: error.name,
+            message: error.message,
+            stack: error.stack
+          };
+        }
+        const redactedEntry = redactObject(entry, piiConfig);
+        try {
+          await store.write(redactedEntry);
+        } catch (writeError) {
+          if (onError) {
+            onError(writeError instanceof Error ? writeError : new Error(String(writeError)), entry);
+          } else {
+            console.error("[AuditLog] Failed to write log:", writeError);
+          }
+        }
+      }
+    }
+    return response;
+  };
+}
+function createAuditMiddleware(config) {
+  return (handler) => withAuditLog(handler, config);
+}
+function withRequestId(handler, options = {}) {
+  const { headerName = "x-request-id", generateId: generateId2 = generateRequestId } = options;
+  return async (req) => {
+    const requestId = req.headers.get(headerName) || generateId2();
+    const response = await handler(req);
+    const newResponse = new Response(response.body, {
+      status: response.status,
+      statusText: response.statusText,
+      headers: new Headers(response.headers)
+    });
+    newResponse.headers.set(headerName, requestId);
+    return newResponse;
+  };
+}
+function withTiming(handler, options = {}) {
+  const { headerName = "x-response-time", log = false } = options;
+  return async (req) => {
+    const start = Date.now();
+    const response = await handler(req);
+    const duration = Date.now() - start;
+    const newResponse = new Response(response.body, {
+      status: response.status,
+      statusText: response.statusText,
+      headers: new Headers(response.headers)
+    });
+    newResponse.headers.set(headerName, `${duration}ms`);
+    if (log) {
+      const url = new URL(req.url);
+      console.log(`${req.method} ${url.pathname} ${response.status} ${duration}ms`);
+    }
+    return newResponse;
+  };
+}
 
 // src/index.ts
-var VERSION = "0.3.0";
+var VERSION = "0.6.0";
 
-export { AuthenticationError, AuthorizationError, ConfigurationError, CsrfError, MemoryStore, PRESET_API, PRESET_RELAXED, PRESET_STRICT, RateLimitError, SecureError, VERSION, ValidationError, anonymizeIp, buildCSP, buildHSTS, buildPermissionsPolicy, checkRateLimit, clearAllRateLimits, createToken as createCSRFToken, createMemoryStore, createRateLimiter, createSecurityHeaders, createSecurityHeadersObject, formatDuration, generateCSRF, getClientIp, getGeoInfo, getGlobalMemoryStore, getPreset, getRateLimitStatus, isLocalhost, isPrivateIp, isSecureError, isValidIp, normalizeIp, nowInMs, nowInSeconds, parseDuration, resetRateLimit, sleep, toSecureError, tokensMatch, validateCSRF, verifyToken as verifyCSRFToken, withCSRF, withRateLimit, withSecurityHeaders };
+export { MemoryStore2 as AuditMemoryStore, AuthenticationError, AuthorizationError, CLFFormatter, ConfigurationError, ConsoleStore, CsrfError, DANGEROUS_EXTENSIONS, DEFAULT_PII_FIELDS, ExternalStore, JSONFormatter, MIME_TYPES, MemoryStore, MultiStore, PRESET_API, PRESET_RELAXED, PRESET_STRICT, RateLimitError, SecureError, SecurityEventTracker, StructuredFormatter, TextFormatter, VERSION, ValidationError, anonymizeIp, buildCSP, buildHSTS, buildPermissionsPolicy, checkRateLimit, clearAllRateLimits, createMemoryStore2 as createAuditMemoryStore, createAuditMiddleware, createCLFFormatter, createToken as createCSRFToken, createConsoleStore, createDatadogStore, createExternalStore, createJSONFormatter, createMemoryStore, createMultiStore, createRateLimiter, createRedactor, createSecurityHeaders, createSecurityHeadersObject, createSecurityTracker, createStructuredFormatter, createTextFormatter, createValidator, decodeJWT, detectFileType, detectSQLInjection, detectXSS, escapeHtml, extractBearerToken, formatDuration, generateCSRF, getClientIp, getGeoInfo, getGlobalMemoryStore, getPreset, getRateLimitStatus, hasPathTraversal, hasSQLInjection, isFormRequest, isJsonRequest, isLocalhost, isPrivateIp, isSecureError, isValidIp, mask, normalizeIp, nowInMs, nowInSeconds, parseDuration, redactCreditCard, redactEmail, redactHeaders, redactIP, redactObject, redactPhone, redactQuery, resetRateLimit, sanitize, sanitizeFields, sanitizeFilename, sanitizeObject, sanitizePath, sanitizeSQLInput, sleep, stripHtml, toSecureError, tokensMatch, trackSecurityEvent, validate, validateBody, validateCSRF, validateContentType, validateFile, validateFiles, validatePath, validateQuery, validateRequest, verifyToken as verifyCSRFToken, verifyJWT, withAPIKey, withAuditLog, withAuth, withCSRF, withContentType, withFileValidation, withJWT, withOptionalAuth, withRateLimit, withRequestId, withRoles, withSQLProtection, withSanitization, withSecureValidation, withSecurityHeaders, withSession, withTiming, withValidation, withXSSProtection };
 //# sourceMappingURL=index.js.map
 //# sourceMappingURL=index.js.map