nextjs-secure 0.5.0 → 0.7.0

package/dist/audit.cjs

@@ -0,0 +1,1337 @@
+'use strict';
+
+// src/middleware/audit/stores/memory.ts
+var MemoryStore = class {
+  entries = [];
+  maxEntries;
+  ttl;
+  constructor(options = {}) {
+    this.maxEntries = options.maxEntries || 1e3;
+    this.ttl = options.ttl || 0;
+  }
+  async write(entry) {
+    this.entries.push(entry);
+    if (this.entries.length > this.maxEntries) {
+      this.entries = this.entries.slice(-this.maxEntries);
+    }
+    if (this.ttl > 0) {
+      this.cleanExpired();
+    }
+  }
+  async query(options = {}) {
+    let result = [...this.entries];
+    if (options.level) {
+      const levels = Array.isArray(options.level) ? options.level : [options.level];
+      result = result.filter((e) => levels.includes(e.level));
+    }
+    if (options.type) {
+      result = result.filter((e) => e.type === options.type);
+    }
+    if (options.event) {
+      const events = Array.isArray(options.event) ? options.event : [options.event];
+      result = result.filter(
+        (e) => e.type === "security" && events.includes(e.event)
+      );
+    }
+    if (options.startTime) {
+      result = result.filter((e) => e.timestamp >= options.startTime);
+    }
+    if (options.endTime) {
+      result = result.filter((e) => e.timestamp <= options.endTime);
+    }
+    if (options.ip) {
+      result = result.filter((e) => {
+        if (e.type === "request") return e.request.ip === options.ip;
+        if (e.type === "security") return e.source.ip === options.ip;
+        return false;
+      });
+    }
+    if (options.userId) {
+      result = result.filter((e) => {
+        if (e.type === "request") return e.user?.id === options.userId;
+        if (e.type === "security") return e.source.userId === options.userId;
+        return false;
+      });
+    }
+    if (options.offset) {
+      result = result.slice(options.offset);
+    }
+    if (options.limit) {
+      result = result.slice(0, options.limit);
+    }
+    return result;
+  }
+  async flush() {
+  }
+  async close() {
+    this.entries = [];
+  }
+  /**
+   * Get all entries (for testing)
+   */
+  getEntries() {
+    return [...this.entries];
+  }
+  /**
+   * Clear all entries
+   */
+  clear() {
+    this.entries = [];
+  }
+  /**
+   * Get entry count
+   */
+  size() {
+    return this.entries.length;
+  }
+  /**
+   * Clean expired entries
+   */
+  cleanExpired() {
+    if (this.ttl <= 0) return;
+    const now = Date.now();
+    this.entries = this.entries.filter((e) => {
+      const age = now - e.timestamp.getTime();
+      return age < this.ttl;
+    });
+  }
+};
+function createMemoryStore(options) {
+  return new MemoryStore(options);
+}
+
+// src/middleware/audit/stores/console.ts
+var COLORS = {
+  reset: "\x1B[0m",
+  bold: "\x1B[1m",
+  dim: "\x1B[2m",
+  // Log levels
+  debug: "\x1B[36m",
+  // Cyan
+  info: "\x1B[32m",
+  // Green
+  warn: "\x1B[33m",
+  // Yellow
+  error: "\x1B[31m",
+  // Red
+  critical: "\x1B[35m",
+  // Magenta
+  // Security severity
+  low: "\x1B[36m",
+  // Cyan
+  medium: "\x1B[33m",
+  // Yellow
+  high: "\x1B[31m",
+  // Red
+  // Other
+  timestamp: "\x1B[90m",
+  // Gray
+  method: "\x1B[34m",
+  // Blue
+  status2xx: "\x1B[32m",
+  // Green
+  status3xx: "\x1B[36m",
+  // Cyan
+  status4xx: "\x1B[33m",
+  // Yellow
+  status5xx: "\x1B[31m"
+  // Red
+};
+var LEVEL_PRIORITY = {
+  debug: 0,
+  info: 1,
+  warn: 2,
+  error: 3,
+  critical: 4
+};
+var ConsoleStore = class {
+  colorize;
+  showTimestamp;
+  pretty;
+  minLevel;
+  constructor(options = {}) {
+    this.colorize = options.colorize ?? process.env.NODE_ENV !== "production";
+    this.showTimestamp = options.timestamp ?? true;
+    this.pretty = options.pretty ?? false;
+    this.minLevel = options.level || "info";
+  }
+  async write(entry) {
+    if (LEVEL_PRIORITY[entry.level] < LEVEL_PRIORITY[this.minLevel]) {
+      return;
+    }
+    const output = this.pretty ? this.formatPretty(entry) : this.formatCompact(entry);
+    switch (entry.level) {
+      case "debug":
+        console.debug(output);
+        break;
+      case "info":
+        console.info(output);
+        break;
+      case "warn":
+        console.warn(output);
+        break;
+      case "error":
+      case "critical":
+        console.error(output);
+        break;
+      default:
+        console.log(output);
+    }
+  }
+  async flush() {
+  }
+  async close() {
+  }
+  /**
+   * Format entry in compact single-line format
+   */
+  formatCompact(entry) {
+    const parts = [];
+    if (this.showTimestamp) {
+      const ts = entry.timestamp.toISOString();
+      parts.push(this.color(ts, "timestamp"));
+    }
+    parts.push(this.colorLevel(entry.level));
+    if (entry.type === "request") {
+      const req = entry.request;
+      const res = entry.response;
+      parts.push(this.color(req.method, "method"));
+      parts.push(req.path);
+      if (res) {
+        parts.push(this.colorStatus(res.status));
+        parts.push(this.color(`${res.duration}ms`, "dim"));
+      }
+      if (req.ip) {
+        parts.push(this.color(`[${req.ip}]`, "dim"));
+      }
+      if (entry.user?.id) {
+        parts.push(this.color(`user:${entry.user.id}`, "dim"));
+      }
+      if (entry.error) {
+        parts.push(this.color(`ERROR: ${entry.error.message}`, "error"));
+      }
+    } else if (entry.type === "security") {
+      parts.push(this.colorSeverity(entry.severity));
+      parts.push(entry.event);
+      if (entry.source.ip) {
+        parts.push(this.color(`[${entry.source.ip}]`, "dim"));
+      }
+      if (entry.source.userId) {
+        parts.push(this.color(`user:${entry.source.userId}`, "dim"));
+      }
+      parts.push(entry.message);
+    }
+    return parts.join(" ");
+  }
+  /**
+   * Format entry in pretty multi-line format
+   */
+  formatPretty(entry) {
+    const lines = [];
+    const header = [
+      this.color(entry.timestamp.toISOString(), "timestamp"),
+      this.colorLevel(entry.level),
+      `[${entry.type.toUpperCase()}]`
+    ].join(" ");
+    lines.push(header);
+    if (entry.type === "request") {
+      const req = entry.request;
+      const res = entry.response;
+      lines.push(`  ${this.color(req.method, "method")} ${req.url}`);
+      if (req.ip) lines.push(`  IP: ${req.ip}`);
+      if (req.userAgent) lines.push(`  UA: ${req.userAgent}`);
+      if (res) {
+        lines.push(`  Status: ${this.colorStatus(res.status)} (${res.duration}ms)`);
+      }
+      if (entry.user) {
+        lines.push(`  User: ${JSON.stringify(entry.user)}`);
+      }
+      if (entry.error) {
+        lines.push(`  ${this.color("Error:", "error")} ${entry.error.message}`);
+        if (entry.error.stack) {
+          lines.push(`  ${this.color(entry.error.stack, "dim")}`);
+        }
+      }
+    } else if (entry.type === "security") {
+      lines.push(`  Event: ${entry.event}`);
+      lines.push(`  Severity: ${this.colorSeverity(entry.severity)}`);
+      lines.push(`  Message: ${entry.message}`);
+      if (entry.source.ip) lines.push(`  Source IP: ${entry.source.ip}`);
+      if (entry.source.userId) lines.push(`  Source User: ${entry.source.userId}`);
+      if (entry.target) {
+        lines.push(`  Target: ${JSON.stringify(entry.target)}`);
+      }
+      if (entry.details) {
+        lines.push(`  Details: ${JSON.stringify(entry.details)}`);
+      }
+    }
+    if (entry.metadata && Object.keys(entry.metadata).length > 0) {
+      lines.push(`  Metadata: ${JSON.stringify(entry.metadata)}`);
+    }
+    return lines.join("\n");
+  }
+  /**
+   * Apply color if enabled
+   */
+  color(text, colorName) {
+    if (!this.colorize) return text;
+    return `${COLORS[colorName]}${text}${COLORS.reset}`;
+  }
+  /**
+   * Color log level
+   */
+  colorLevel(level) {
+    const text = level.toUpperCase().padEnd(8);
+    if (!this.colorize) return `[${text}]`;
+    return `[${COLORS[level]}${text}${COLORS.reset}]`;
+  }
+  /**
+   * Color HTTP status
+   */
+  colorStatus(status) {
+    const text = status.toString();
+    if (!this.colorize) return text;
+    if (status >= 500) return `${COLORS.status5xx}${text}${COLORS.reset}`;
+    if (status >= 400) return `${COLORS.status4xx}${text}${COLORS.reset}`;
+    if (status >= 300) return `${COLORS.status3xx}${text}${COLORS.reset}`;
+    return `${COLORS.status2xx}${text}${COLORS.reset}`;
+  }
+  /**
+   * Color severity
+   */
+  colorSeverity(severity) {
+    const text = `[${severity.toUpperCase()}]`;
+    if (!this.colorize) return text;
+    const colorKey = severity === "critical" ? "critical" : severity;
+    return `${COLORS[colorKey]}${text}${COLORS.reset}`;
+  }
+};
+function createConsoleStore(options) {
+  return new ConsoleStore(options);
+}
+
+// src/middleware/audit/stores/external.ts
+var ExternalStore = class {
+  endpoint;
+  headers;
+  batchSize;
+  flushInterval;
+  retryAttempts;
+  timeout;
+  buffer = [];
+  flushTimer = null;
+  isFlushing = false;
+  constructor(options) {
+    this.endpoint = options.endpoint;
+    this.headers = {
+      "Content-Type": "application/json",
+      ...options.apiKey ? { "Authorization": `Bearer ${options.apiKey}` } : {},
+      ...options.headers
+    };
+    this.batchSize = options.batchSize || 100;
+    this.flushInterval = options.flushInterval || 5e3;
+    this.retryAttempts = options.retryAttempts || 3;
+    this.timeout = options.timeout || 1e4;
+    if (this.flushInterval > 0) {
+      this.flushTimer = setInterval(() => this.flush(), this.flushInterval);
+    }
+  }
+  async write(entry) {
+    this.buffer.push(entry);
+    if (this.buffer.length >= this.batchSize) {
+      await this.flush();
+    }
+  }
+  async flush() {
+    if (this.isFlushing || this.buffer.length === 0) return;
+    this.isFlushing = true;
+    const entries = [...this.buffer];
+    this.buffer = [];
+    try {
+      await this.send(entries);
+    } catch (error) {
+      this.buffer = [...entries, ...this.buffer];
+      console.error("[ExternalStore] Failed to flush logs:", error);
+    } finally {
+      this.isFlushing = false;
+    }
+  }
+  async close() {
+    if (this.flushTimer) {
+      clearInterval(this.flushTimer);
+      this.flushTimer = null;
+    }
+    await this.flush();
+  }
+  /**
+   * Send entries to external endpoint
+   */
+  async send(entries) {
+    let lastError = null;
+    for (let attempt = 0; attempt < this.retryAttempts; attempt++) {
+      try {
+        const controller = new AbortController();
+        const timeoutId = setTimeout(() => controller.abort(), this.timeout);
+        const response = await fetch(this.endpoint, {
+          method: "POST",
+          headers: this.headers,
+          body: JSON.stringify({
+            logs: entries.map((e) => this.serialize(e)),
+            timestamp: (/* @__PURE__ */ new Date()).toISOString(),
+            count: entries.length
+          }),
+          signal: controller.signal
+        });
+        clearTimeout(timeoutId);
+        if (!response.ok) {
+          throw new Error(`HTTP ${response.status}: ${response.statusText}`);
+        }
+        return;
+      } catch (error) {
+        lastError = error instanceof Error ? error : new Error(String(error));
+        if (attempt < this.retryAttempts - 1) {
+          await this.sleep(Math.pow(2, attempt) * 1e3);
+        }
+      }
+    }
+    throw lastError || new Error("Failed to send logs");
+  }
+  /**
+   * Serialize entry for transmission
+   */
+  serialize(entry) {
+    return {
+      ...entry,
+      timestamp: entry.timestamp.toISOString()
+    };
+  }
+  /**
+   * Sleep helper
+   */
+  sleep(ms) {
+    return new Promise((resolve) => setTimeout(resolve, ms));
+  }
+  /**
+   * Get buffer size (for monitoring)
+   */
+  getBufferSize() {
+    return this.buffer.length;
+  }
+};
+function createExternalStore(options) {
+  return new ExternalStore(options);
+}
+function createDatadogStore(options) {
+  const site = options.site || "datadoghq.com";
+  const endpoint = `https://http-intake.logs.${site}/api/v2/logs`;
+  return new ExternalStore({
+    endpoint,
+    headers: {
+      "DD-API-KEY": options.apiKey,
+      "Content-Type": "application/json"
+    },
+    batchSize: options.batchSize || 100,
+    flushInterval: options.flushInterval || 5e3
+  });
+}
+var MultiStore = class {
+  stores;
+  constructor(stores) {
+    this.stores = stores;
+  }
+  async write(entry) {
+    await Promise.all(this.stores.map((store) => store.write(entry)));
+  }
+  async query(options) {
+    for (const store of this.stores) {
+      if (store.query) {
+        return store.query(options);
+      }
+    }
+    return [];
+  }
+  async flush() {
+    await Promise.all(this.stores.map((store) => store.flush?.()));
+  }
+  async close() {
+    await Promise.all(this.stores.map((store) => store.close?.()));
+  }
+};
+function createMultiStore(stores) {
+  return new MultiStore(stores);
+}
+
+// src/middleware/audit/formatters.ts
+var JSONFormatter = class {
+  pretty;
+  includeTimestamp;
+  constructor(options = {}) {
+    this.pretty = options.pretty ?? false;
+    this.includeTimestamp = options.includeTimestamp ?? true;
+  }
+  format(entry) {
+    const output = {
+      ...entry,
+      timestamp: this.includeTimestamp ? entry.timestamp.toISOString() : void 0
+    };
+    return this.pretty ? JSON.stringify(output, null, 2) : JSON.stringify(output);
+  }
+};
+var TextFormatter = class {
+  template;
+  dateFormat;
+  constructor(options = {}) {
+    this.template = options.template || "{timestamp} [{level}] {message}";
+    this.dateFormat = options.dateFormat || "iso";
+  }
+  format(entry) {
+    let output = this.template;
+    output = output.replace("{timestamp}", this.formatDate(entry.timestamp));
+    output = output.replace("{level}", entry.level.toUpperCase().padEnd(8));
+    output = output.replace("{message}", entry.message);
+    output = output.replace("{type}", entry.type);
+    output = output.replace("{id}", entry.id);
+    if (entry.category) {
+      output = output.replace("{category}", entry.category);
+    }
+    if (entry.type === "request") {
+      output = output.replace("{method}", entry.request.method);
+      output = output.replace("{path}", entry.request.path);
+      output = output.replace("{url}", entry.request.url);
+      output = output.replace("{ip}", entry.request.ip || "-");
+      output = output.replace("{status}", entry.response?.status?.toString() || "-");
+      output = output.replace("{duration}", entry.response?.duration?.toString() || "-");
+    }
+    if (entry.type === "security") {
+      output = output.replace("{event}", entry.event);
+      output = output.replace("{severity}", entry.severity);
+    }
+    return output;
+  }
+  formatDate(date) {
+    switch (this.dateFormat) {
+      case "utc":
+        return date.toUTCString();
+      case "local":
+        return date.toLocaleString();
+      case "iso":
+      default:
+        return date.toISOString();
+    }
+  }
+};
+var CLFFormatter = class {
+  format(entry) {
+    if (entry.type !== "request") {
+      return `[${entry.timestamp.toISOString()}] ${entry.level.toUpperCase()} ${entry.message}`;
+    }
+    const req = entry.request;
+    const res = entry.response;
+    const host = req.ip || "-";
+    const ident = "-";
+    const authuser = entry.user?.id || "-";
+    const date = this.formatCLFDate(entry.timestamp);
+    const request = `${req.method} ${req.path} HTTP/1.1`;
+    const status = res?.status || 0;
+    const bytes = res?.contentLength || 0;
+    return `${host} ${ident} ${authuser} [${date}] "${request}" ${status} ${bytes}`;
+  }
+  formatCLFDate(date) {
+    const months = [
+      "Jan",
+      "Feb",
+      "Mar",
+      "Apr",
+      "May",
+      "Jun",
+      "Jul",
+      "Aug",
+      "Sep",
+      "Oct",
+      "Nov",
+      "Dec"
+    ];
+    const day = date.getDate().toString().padStart(2, "0");
+    const month = months[date.getMonth()];
+    const year = date.getFullYear();
+    const hours = date.getHours().toString().padStart(2, "0");
+    const minutes = date.getMinutes().toString().padStart(2, "0");
+    const seconds = date.getSeconds().toString().padStart(2, "0");
+    const offset = -date.getTimezoneOffset();
+    const offsetSign = offset >= 0 ? "+" : "-";
+    const offsetHours = Math.floor(Math.abs(offset) / 60).toString().padStart(2, "0");
+    const offsetMins = (Math.abs(offset) % 60).toString().padStart(2, "0");
+    return `${day}/${month}/${year}:${hours}:${minutes}:${seconds} ${offsetSign}${offsetHours}${offsetMins}`;
+  }
+};
+var StructuredFormatter = class {
+  delimiter;
+  kvSeparator;
+  constructor(options = {}) {
+    this.delimiter = options.delimiter || " ";
+    this.kvSeparator = options.kvSeparator || "=";
+  }
+  format(entry) {
+    const pairs = [];
+    pairs.push(this.pair("timestamp", entry.timestamp.toISOString()));
+    pairs.push(this.pair("level", entry.level));
+    pairs.push(this.pair("type", entry.type));
+    pairs.push(this.pair("id", entry.id));
+    pairs.push(this.pair("message", this.escape(entry.message)));
+    if (entry.category) {
+      pairs.push(this.pair("category", entry.category));
+    }
+    if (entry.type === "request") {
+      pairs.push(this.pair("method", entry.request.method));
+      pairs.push(this.pair("path", entry.request.path));
+      if (entry.request.ip) pairs.push(this.pair("ip", entry.request.ip));
+      if (entry.response) {
+        pairs.push(this.pair("status", entry.response.status.toString()));
+        pairs.push(this.pair("duration_ms", entry.response.duration.toString()));
+      }
+      if (entry.user?.id) pairs.push(this.pair("user_id", entry.user.id));
+      if (entry.error) {
+        pairs.push(this.pair("error", this.escape(entry.error.message)));
+      }
+    }
+    if (entry.type === "security") {
+      pairs.push(this.pair("event", entry.event));
+      pairs.push(this.pair("severity", entry.severity));
+      if (entry.source.ip) pairs.push(this.pair("source_ip", entry.source.ip));
+      if (entry.source.userId) pairs.push(this.pair("source_user", entry.source.userId));
+    }
+    return pairs.join(this.delimiter);
+  }
+  pair(key, value) {
+    return `${key}${this.kvSeparator}${value}`;
+  }
+  escape(value) {
+    if (value.includes(" ") || value.includes('"')) {
+      return `"${value.replace(/"/g, '\\"')}"`;
+    }
+    return value;
+  }
+};
+function createJSONFormatter(options) {
+  return new JSONFormatter(options);
+}
+function createTextFormatter(options) {
+  return new TextFormatter(options);
+}
+function createCLFFormatter() {
+  return new CLFFormatter();
+}
+function createStructuredFormatter(options) {
+  return new StructuredFormatter(options);
+}
+
+// src/middleware/audit/redaction.ts
+var DEFAULT_PII_FIELDS = [
+  // Authentication
+  "password",
+  "passwd",
+  "secret",
+  "token",
+  "api_key",
+  "apiKey",
+  "api-key",
+  "access_token",
+  "accessToken",
+  "refresh_token",
+  "refreshToken",
+  "authorization",
+  "auth",
+  // Personal information
+  "ssn",
+  "social_security",
+  "socialSecurity",
+  "credit_card",
+  "creditCard",
+  "card_number",
+  "cardNumber",
+  "cvv",
+  "cvc",
+  "pin",
+  // Contact
+  "email",
+  "phone",
+  "phone_number",
+  "phoneNumber",
+  "mobile",
+  "address",
+  "street",
+  "zip",
+  "zipcode",
+  "postal_code",
+  "postalCode",
+  // Identity
+  "date_of_birth",
+  "dateOfBirth",
+  "dob",
+  "birth_date",
+  "birthDate",
+  "passport",
+  "license",
+  "national_id",
+  "nationalId"
+];
+function mask(value, options = {}) {
+  const {
+    char = "*",
+    preserveLength = false,
+    showFirst = 0,
+    showLast = 0
+  } = options;
+  if (!value) return value;
+  const len = value.length;
+  if (preserveLength) {
+    const first2 = value.slice(0, showFirst);
+    const last2 = value.slice(-showLast || len);
+    const middle = char.repeat(Math.max(0, len - showFirst - showLast));
+    return first2 + middle + (showLast > 0 ? last2 : "");
+  }
+  const maskLen = 8;
+  const first = showFirst > 0 ? value.slice(0, showFirst) : "";
+  const last = showLast > 0 ? value.slice(-showLast) : "";
+  return first + char.repeat(maskLen) + last;
+}
+function hash(value, salt = "") {
+  const str = salt + value;
+  let hash2 = 0;
+  for (let i = 0; i < str.length; i++) {
+    const char = str.charCodeAt(i);
+    hash2 = (hash2 << 5) - hash2 + char;
+    hash2 = hash2 & hash2;
+  }
+  const hex = Math.abs(hash2).toString(16).padStart(8, "0");
+  return hex + hex.slice(0, 8);
+}
+function redactValue(value, field, config) {
+  if (typeof value !== "string") return value;
+  if (!value) return value;
+  const shouldRedact = config.fields.some((f) => {
+    const fieldLower = field.toLowerCase();
+    const fLower = f.toLowerCase();
+    return fieldLower === fLower || fieldLower.endsWith("." + fLower) || fieldLower.includes("[" + fLower + "]");
+  });
+  if (!shouldRedact) return value;
+  if (config.customRedactor) {
+    return config.customRedactor(value, field);
+  }
+  switch (config.mode) {
+    case "mask":
+      return mask(value, {
+        char: config.maskChar || "*",
+        preserveLength: config.preserveLength,
+        showFirst: 2,
+        showLast: 2
+      });
+    case "hash":
+      return `[HASH:${hash(value)}]`;
+    case "remove":
+      return "[REDACTED]";
+    default:
+      return "[REDACTED]";
+  }
+}
+function redactObject(obj, config, path = "") {
+  if (typeof obj === "string") {
+    return redactValue(obj, path, config);
+  }
+  if (Array.isArray(obj)) {
+    return obj.map((item, i) => redactObject(item, config, `${path}[${i}]`));
+  }
+  if (typeof obj === "object" && obj !== null) {
+    const result = {};
+    for (const [key, value] of Object.entries(obj)) {
+      const newPath = path ? `${path}.${key}` : key;
+      result[key] = redactObject(value, config, newPath);
+    }
+    return result;
+  }
+  return obj;
+}
+function createRedactor(config = {}) {
+  const fullConfig = {
+    fields: config.fields || DEFAULT_PII_FIELDS,
+    mode: config.mode || "mask",
+    maskChar: config.maskChar || "*",
+    preserveLength: config.preserveLength || false,
+    customRedactor: config.customRedactor
+  };
+  return (obj) => redactObject(obj, fullConfig);
+}
+function redactHeaders(headers, sensitiveHeaders = ["authorization", "cookie", "x-api-key", "x-auth-token"]) {
+  const result = {};
+  for (const [key, value] of Object.entries(headers)) {
+    const keyLower = key.toLowerCase();
+    if (sensitiveHeaders.some((h) => keyLower === h.toLowerCase())) {
+      result[key] = "[REDACTED]";
+    } else {
+      result[key] = value;
+    }
+  }
+  return result;
+}
+function redactQuery(query, sensitiveParams = ["token", "key", "secret", "password", "auth"]) {
+  const result = {};
+  for (const [key, value] of Object.entries(query)) {
+    const keyLower = key.toLowerCase();
+    if (sensitiveParams.some((p) => keyLower.includes(p.toLowerCase()))) {
+      result[key] = "[REDACTED]";
+    } else {
+      result[key] = value;
+    }
+  }
+  return result;
+}
+function redactEmail(email) {
+  if (!email || !email.includes("@")) return mask(email);
+  const [, domain] = email.split("@");
+  return `****@${domain}`;
+}
+function redactCreditCard(cardNumber) {
+  const cleaned = cardNumber.replace(/\D/g, "");
+  if (cleaned.length < 4) return mask(cardNumber);
+  return "**** **** **** " + cleaned.slice(-4);
+}
+function redactPhone(phone) {
+  const cleaned = phone.replace(/\D/g, "");
+  if (cleaned.length < 4) return mask(phone);
+  return mask(phone, { preserveLength: true, showLast: 4 });
+}
+function redactIP(ip) {
+  if (ip.includes(":")) {
+    const parts2 = ip.split(":");
+    return parts2[0] + ":****:****:****";
+  }
+  const parts = ip.split(".");
+  if (parts.length !== 4) return mask(ip);
+  return `${parts[0]}.${parts[1]}.*.*`;
+}
+
+// src/middleware/audit/events.ts
+function generateId() {
+  return `evt_${Date.now().toString(36)}_${Math.random().toString(36).slice(2, 9)}`;
+}
+function severityToLevel(severity) {
+  switch (severity) {
+    case "low":
+      return "info";
+    case "medium":
+      return "warn";
+    case "high":
+      return "error";
+    case "critical":
+      return "critical";
+  }
+}
+var SecurityEventTracker = class {
+  store;
+  defaultSeverity;
+  onEvent;
+  constructor(config) {
+    this.store = config.store;
+    this.defaultSeverity = config.defaultSeverity || "medium";
+    this.onEvent = config.onEvent;
+  }
+  /**
+   * Track a security event
+   */
+  async track(options) {
+    const severity = options.severity || this.defaultSeverity;
+    const entry = {
+      id: generateId(),
+      timestamp: /* @__PURE__ */ new Date(),
+      type: "security",
+      level: severityToLevel(severity),
+      message: options.message,
+      event: options.event,
+      severity,
+      source: options.source || {},
+      target: options.target,
+      details: options.details,
+      mitigated: options.mitigated,
+      metadata: options.metadata
+    };
+    await this.store.write(entry);
+    if (this.onEvent) {
+      await this.onEvent(entry);
+    }
+    return entry;
+  }
+  // Convenience methods for common events
+  /**
+   * Track failed authentication
+   */
+  async authFailed(options) {
+    return this.track({
+      event: "auth.failed",
+      message: options.reason || "Authentication failed",
+      severity: "medium",
+      source: {
+        ip: options.ip,
+        userAgent: options.userAgent
+      },
+      details: {
+        attemptedEmail: options.email,
+        reason: options.reason
+      },
+      metadata: options.metadata
+    });
+  }
+  /**
+   * Track successful login
+   */
+  async authLogin(options) {
+    return this.track({
+      event: "auth.login",
+      message: `User ${options.userId} logged in`,
+      severity: "low",
+      source: {
+        ip: options.ip,
+        userAgent: options.userAgent,
+        userId: options.userId
+      },
+      details: {
+        method: options.method || "credentials"
+      },
+      metadata: options.metadata
+    });
+  }
+  /**
+   * Track logout
+   */
+  async authLogout(options) {
+    return this.track({
+      event: "auth.logout",
+      message: `User ${options.userId} logged out`,
+      severity: "low",
+      source: {
+        ip: options.ip,
+        userId: options.userId
+      },
+      details: {
+        reason: options.reason || "user"
+      },
+      metadata: options.metadata
+    });
+  }
+  /**
+   * Track permission denied
+   */
+  async permissionDenied(options) {
+    return this.track({
+      event: "auth.permission_denied",
+      message: `Permission denied for ${options.action} on ${options.resource}`,
+      severity: "medium",
+      source: {
+        ip: options.ip,
+        userId: options.userId
+      },
+      target: {
+        resource: options.resource,
+        action: options.action
+      },
+      details: {
+        requiredRole: options.requiredRole
+      },
+      metadata: options.metadata
+    });
+  }
+  /**
+   * Track rate limit exceeded
+   */
+  async rateLimitExceeded(options) {
+    return this.track({
+      event: "ratelimit.exceeded",
+      message: `Rate limit exceeded for ${options.endpoint}`,
+      severity: "medium",
+      source: {
+        ip: options.ip,
+        userId: options.userId
+      },
+      target: {
+        resource: options.endpoint
+      },
+      details: {
+        limit: options.limit,
+        window: options.window
+      },
+      metadata: options.metadata
+    });
+  }
+  /**
+   * Track CSRF validation failure
+   */
+  async csrfInvalid(options) {
+    return this.track({
+      event: "csrf.invalid",
+      message: `CSRF validation failed for ${options.endpoint}`,
+      severity: "high",
+      source: {
+        ip: options.ip,
+        userId: options.userId
+      },
+      target: {
+        resource: options.endpoint
+      },
+      details: {
+        reason: options.reason
+      },
+      metadata: options.metadata
+    });
+  }
+  /**
+   * Track XSS detection
+   */
+  async xssDetected(options) {
+    return this.track({
+      event: "xss.detected",
+      message: `XSS payload detected in ${options.field}`,
+      severity: "high",
+      source: {
+        ip: options.ip,
+        userId: options.userId
+      },
+      target: {
+        resource: options.endpoint
+      },
+      details: {
+        field: options.field,
+        payload: options.payload?.slice(0, 100)
+        // Truncate
+      },
+      mitigated: true,
+      metadata: options.metadata
+    });
+  }
+  /**
+   * Track SQL injection detection
+   */
+  async sqliDetected(options) {
+    return this.track({
+      event: "sqli.detected",
+      message: `SQL injection attempt detected in ${options.field}`,
+      severity: options.severity || "high",
+      source: {
+        ip: options.ip,
+        userId: options.userId
+      },
+      target: {
+        resource: options.endpoint
+      },
+      details: {
+        field: options.field,
+        pattern: options.pattern
+      },
+      mitigated: true,
+      metadata: options.metadata
+    });
+  }
+  /**
+   * Track IP block
+   */
+  async ipBlocked(options) {
+    return this.track({
+      event: "ip.blocked",
+      message: `IP ${options.ip} blocked: ${options.reason}`,
+      severity: "high",
+      source: {
+        ip: options.ip
+      },
+      details: {
+        reason: options.reason,
+        duration: options.duration
+      },
+      metadata: options.metadata
+    });
+  }
+  /**
+   * Track suspicious activity
+   */
+  async suspicious(options) {
+    return this.track({
+      event: "ip.suspicious",
+      message: options.activity,
+      severity: options.severity || "medium",
+      source: {
+        ip: options.ip,
+        userId: options.userId
+      },
+      details: options.details,
+      metadata: options.metadata
+    });
+  }
+  /**
+   * Track custom event
+   */
+  async custom(options) {
+    return this.track({
+      event: "custom",
+      ...options
+    });
+  }
+};
+function createSecurityTracker(config) {
+  return new SecurityEventTracker(config);
+}
+async function trackSecurityEvent(store, options) {
+  const tracker = new SecurityEventTracker({ store });
+  return tracker.track(options);
+}
+
+// src/middleware/audit/middleware.ts
+function generateRequestId() {
+  return `req_${Date.now().toString(36)}_${Math.random().toString(36).slice(2, 9)}`;
+}
+function getClientIP(req) {
+  return req.headers.get("x-forwarded-for")?.split(",")[0]?.trim() || req.headers.get("x-real-ip") || req.headers.get("cf-connecting-ip") || void 0;
+}
+function headersToRecord(headers, includeHeaders) {
+  if (!includeHeaders) return {};
+  const result = {};
+  if (includeHeaders === true) {
+    headers.forEach((value, key) => {
+      result[key] = value;
+    });
+  } else if (Array.isArray(includeHeaders)) {
+    for (const key of includeHeaders) {
+      const value = headers.get(key);
+      if (value) result[key] = value;
+    }
+  }
+  return result;
+}
+function parseQuery(url) {
+  const result = {};
+  try {
+    const urlObj = new URL(url);
+    urlObj.searchParams.forEach((value, key) => {
+      result[key] = value;
+    });
+  } catch {
+  }
+  return result;
+}
+function statusToLevel(status) {
+  if (status >= 500) return "error";
+  if (status >= 400) return "warn";
+  return "info";
+}
+function shouldSkip(req, status, exclude) {
+  if (!exclude) return false;
+  const url = new URL(req.url);
+  if (exclude.paths?.length) {
+    const matchesPath = exclude.paths.some((pattern) => {
+      if (pattern.includes("*")) {
+        const regex = new RegExp("^" + pattern.replace(/\*/g, ".*") + "$");
+        return regex.test(url.pathname);
+      }
+      return url.pathname === pattern || url.pathname.startsWith(pattern);
+    });
+    if (matchesPath) return true;
+  }
+  if (exclude.methods?.includes(req.method)) {
+    return true;
+  }
+  if (exclude.statusCodes?.includes(status)) {
+    return true;
+  }
+  return false;
+}
+function withAuditLog(handler, config) {
+  const {
+    enabled = true,
+    store,
+    include = {},
+    exclude,
+    pii,
+    getUser,
+    requestIdHeader = "x-request-id",
+    generateRequestId: customGenerateId,
+    onError,
+    skip
+  } = config;
+  const includeSettings = {
+    ip: include.ip ?? true,
+    userAgent: include.userAgent ?? true,
+    headers: include.headers ?? false,
+    query: include.query ?? true,
+    body: include.body ?? false,
+    response: include.response ?? true,
+    responseBody: include.responseBody ?? false,
+    duration: include.duration ?? true,
+    user: include.user ?? true
+  };
+  const piiConfig = pii || {
+    fields: DEFAULT_PII_FIELDS,
+    mode: "mask"
+  };
+  return async (req) => {
+    if (!enabled) {
+      return handler(req);
+    }
+    if (skip && await skip(req)) {
+      return handler(req);
+    }
+    const startTime = Date.now();
+    const requestId = req.headers.get(requestIdHeader) || (customGenerateId ? customGenerateId() : generateRequestId());
+    const url = new URL(req.url);
+    let requestInfo = {
+      id: requestId,
+      method: req.method,
+      url: req.url,
+      path: url.pathname
+    };
+    if (includeSettings.ip) {
+      requestInfo.ip = getClientIP(req);
+    }
+    if (includeSettings.userAgent) {
+      requestInfo.userAgent = req.headers.get("user-agent") || void 0;
+    }
+    if (includeSettings.headers) {
+      let headers = headersToRecord(req.headers, includeSettings.headers);
+      headers = redactHeaders(headers);
+      requestInfo.headers = headers;
+    }
+    if (includeSettings.query) {
+      let query = parseQuery(req.url);
+      query = redactQuery(query);
+      requestInfo.query = query;
+    }
+    requestInfo.contentType = req.headers.get("content-type") || void 0;
+    requestInfo.contentLength = parseInt(req.headers.get("content-length") || "0", 10) || void 0;
+    let user;
+    if (includeSettings.user && getUser) {
+      try {
+        user = await getUser(req) || void 0;
+      } catch {
+      }
+    }
+    let response;
+    let error;
+    try {
+      response = await handler(req);
+    } catch (err) {
+      error = err instanceof Error ? err : new Error(String(err));
+      throw err;
+    } finally {
+      const duration = Date.now() - startTime;
+      const status = response?.status || 500;
+      if (!shouldSkip(req, status, exclude)) {
+        const entry = {
+          id: requestId,
+          timestamp: /* @__PURE__ */ new Date(),
+          type: "request",
+          level: error ? "error" : statusToLevel(status),
+          message: `${req.method} ${url.pathname} ${status} ${duration}ms`,
+          request: requestInfo,
+          user
+        };
+        if (includeSettings.response && response) {
+          entry.response = {
+            status: response.status,
+            duration
+          };
+          if (includeSettings.headers) {
+            entry.response.headers = headersToRecord(response.headers, includeSettings.headers);
+          }
+        }
+        if (error) {
+          entry.error = {
+            name: error.name,
+            message: error.message,
+            stack: error.stack
+          };
+        }
+        const redactedEntry = redactObject(entry, piiConfig);
+        try {
+          await store.write(redactedEntry);
+        } catch (writeError) {
+          if (onError) {
+            onError(writeError instanceof Error ? writeError : new Error(String(writeError)), entry);
+          } else {
+            console.error("[AuditLog] Failed to write log:", writeError);
+          }
+        }
+      }
+    }
+    return response;
+  };
+}
+function createAuditMiddleware(config) {
+  return (handler) => withAuditLog(handler, config);
+}
+function withRequestId(handler, options = {}) {
+  const { headerName = "x-request-id", generateId: generateId2 = generateRequestId } = options;
+  return async (req) => {
+    const requestId = req.headers.get(headerName) || generateId2();
+    const response = await handler(req);
+    const newResponse = new Response(response.body, {
+      status: response.status,
+      statusText: response.statusText,
+      headers: new Headers(response.headers)
+    });
+    newResponse.headers.set(headerName, requestId);
+    return newResponse;
+  };
+}
+function withTiming(handler, options = {}) {
+  const { headerName = "x-response-time", log = false } = options;
+  return async (req) => {
+    const start = Date.now();
+    const response = await handler(req);
+    const duration = Date.now() - start;
+    const newResponse = new Response(response.body, {
+      status: response.status,
+      statusText: response.statusText,
+      headers: new Headers(response.headers)
+    });
+    newResponse.headers.set(headerName, `${duration}ms`);
+    if (log) {
+      const url = new URL(req.url);
+      console.log(`${req.method} ${url.pathname} ${response.status} ${duration}ms`);
+    }
+    return newResponse;
+  };
+}
+
+exports.CLFFormatter = CLFFormatter;
+exports.ConsoleStore = ConsoleStore;
+exports.DEFAULT_PII_FIELDS = DEFAULT_PII_FIELDS;
+exports.ExternalStore = ExternalStore;
+exports.JSONFormatter = JSONFormatter;
+exports.MemoryStore = MemoryStore;
+exports.MultiStore = MultiStore;
+exports.SecurityEventTracker = SecurityEventTracker;
+exports.StructuredFormatter = StructuredFormatter;
+exports.TextFormatter = TextFormatter;
+exports.createAuditMiddleware = createAuditMiddleware;
+exports.createCLFFormatter = createCLFFormatter;
+exports.createConsoleStore = createConsoleStore;
+exports.createDatadogStore = createDatadogStore;
+exports.createExternalStore = createExternalStore;
+exports.createJSONFormatter = createJSONFormatter;
+exports.createMemoryStore = createMemoryStore;
+exports.createMultiStore = createMultiStore;
+exports.createRedactor = createRedactor;
+exports.createSecurityTracker = createSecurityTracker;
+exports.createStructuredFormatter = createStructuredFormatter;
+exports.createTextFormatter = createTextFormatter;
+exports.hash = hash;
+exports.mask = mask;
+exports.redactCreditCard = redactCreditCard;
+exports.redactEmail = redactEmail;
+exports.redactHeaders = redactHeaders;
+exports.redactIP = redactIP;
+exports.redactObject = redactObject;
+exports.redactPhone = redactPhone;
+exports.redactQuery = redactQuery;
+exports.redactValue = redactValue;
+exports.trackSecurityEvent = trackSecurityEvent;
+exports.withAuditLog = withAuditLog;
+exports.withRequestId = withRequestId;
+exports.withTiming = withTiming;
+//# sourceMappingURL=audit.cjs.map
+//# sourceMappingURL=audit.cjs.map