npm - nextjs-secure - Versions diffs - 0.5.0 → 0.7.0 - Mend

nextjs-secure 0.5.0 → 0.7.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (20) hide show

package/dist/audit.js ADDED Viewed

@@ -0,0 +1,1300 @@
+// src/middleware/audit/stores/memory.ts
+var MemoryStore = class {
+  entries = [];
+  maxEntries;
+  ttl;
+  constructor(options = {}) {
+    this.maxEntries = options.maxEntries || 1e3;
+    this.ttl = options.ttl || 0;
+  }
+  async write(entry) {
+    this.entries.push(entry);
+    if (this.entries.length > this.maxEntries) {
+      this.entries = this.entries.slice(-this.maxEntries);
+    }
+    if (this.ttl > 0) {
+      this.cleanExpired();
+    }
+  }
+  async query(options = {}) {
+    let result = [...this.entries];
+    if (options.level) {
+      const levels = Array.isArray(options.level) ? options.level : [options.level];
+      result = result.filter((e) => levels.includes(e.level));
+    }
+    if (options.type) {
+      result = result.filter((e) => e.type === options.type);
+    }
+    if (options.event) {
+      const events = Array.isArray(options.event) ? options.event : [options.event];
+      result = result.filter(
+        (e) => e.type === "security" && events.includes(e.event)
+      );
+    }
+    if (options.startTime) {
+      result = result.filter((e) => e.timestamp >= options.startTime);
+    }
+    if (options.endTime) {
+      result = result.filter((e) => e.timestamp <= options.endTime);
+    }
+    if (options.ip) {
+      result = result.filter((e) => {
+        if (e.type === "request") return e.request.ip === options.ip;
+        if (e.type === "security") return e.source.ip === options.ip;
+        return false;
+      });
+    }
+    if (options.userId) {
+      result = result.filter((e) => {
+        if (e.type === "request") return e.user?.id === options.userId;
+        if (e.type === "security") return e.source.userId === options.userId;
+        return false;
+      });
+    }
+    if (options.offset) {
+      result = result.slice(options.offset);
+    }
+    if (options.limit) {
+      result = result.slice(0, options.limit);
+    }
+    return result;
+  }
+  async flush() {
+  }
+  async close() {
+    this.entries = [];
+  }
+  /**
+   * Get all entries (for testing)
+   */
+  getEntries() {
+    return [...this.entries];
+  }
+  /**
+   * Clear all entries
+   */
+  clear() {
+    this.entries = [];
+  }
+  /**
+   * Get entry count
+   */
+  size() {
+    return this.entries.length;
+  }
+  /**
+   * Clean expired entries
+   */
+  cleanExpired() {
+    if (this.ttl <= 0) return;
+    const now = Date.now();
+    this.entries = this.entries.filter((e) => {
+      const age = now - e.timestamp.getTime();
+      return age < this.ttl;
+    });
+  }
+};
+function createMemoryStore(options) {
+  return new MemoryStore(options);
+}
+// src/middleware/audit/stores/console.ts
+var COLORS = {
+  reset: "\x1B[0m",
+  bold: "\x1B[1m",
+  dim: "\x1B[2m",
+  // Log levels
+  debug: "\x1B[36m",
+  // Cyan
+  info: "\x1B[32m",
+  // Green
+  warn: "\x1B[33m",
+  // Yellow
+  error: "\x1B[31m",
+  // Red
+  critical: "\x1B[35m",
+  // Magenta
+  // Security severity
+  low: "\x1B[36m",
+  // Cyan
+  medium: "\x1B[33m",
+  // Yellow
+  high: "\x1B[31m",
+  // Red
+  // Other
+  timestamp: "\x1B[90m",
+  // Gray
+  method: "\x1B[34m",
+  // Blue
+  status2xx: "\x1B[32m",
+  // Green
+  status3xx: "\x1B[36m",
+  // Cyan
+  status4xx: "\x1B[33m",
+  // Yellow
+  status5xx: "\x1B[31m"
+  // Red
+};
+var LEVEL_PRIORITY = {
+  debug: 0,
+  info: 1,
+  warn: 2,
+  error: 3,
+  critical: 4
+};
+var ConsoleStore = class {
+  colorize;
+  showTimestamp;
+  pretty;
+  minLevel;
+  constructor(options = {}) {
+    this.colorize = options.colorize ?? process.env.NODE_ENV !== "production";
+    this.showTimestamp = options.timestamp ?? true;
+    this.pretty = options.pretty ?? false;
+    this.minLevel = options.level || "info";
+  }
+  async write(entry) {
+    if (LEVEL_PRIORITY[entry.level] < LEVEL_PRIORITY[this.minLevel]) {
+      return;
+    }
+    const output = this.pretty ? this.formatPretty(entry) : this.formatCompact(entry);
+    switch (entry.level) {
+      case "debug":
+        console.debug(output);
+        break;
+      case "info":
+        console.info(output);
+        break;
+      case "warn":
+        console.warn(output);
+        break;
+      case "error":
+      case "critical":
+        console.error(output);
+        break;
+      default:
+        console.log(output);
+    }
+  }
+  async flush() {
+  }
+  async close() {
+  }
+  /**
+   * Format entry in compact single-line format
+   */
+  formatCompact(entry) {
+    const parts = [];
+    if (this.showTimestamp) {
+      const ts = entry.timestamp.toISOString();
+      parts.push(this.color(ts, "timestamp"));
+    }
+    parts.push(this.colorLevel(entry.level));
+    if (entry.type === "request") {
+      const req = entry.request;
+      const res = entry.response;
+      parts.push(this.color(req.method, "method"));
+      parts.push(req.path);
+      if (res) {
+        parts.push(this.colorStatus(res.status));
+        parts.push(this.color(`${res.duration}ms`, "dim"));
+      }
+      if (req.ip) {
+        parts.push(this.color(`[${req.ip}]`, "dim"));
+      }
+      if (entry.user?.id) {
+        parts.push(this.color(`user:${entry.user.id}`, "dim"));
+      }
+      if (entry.error) {
+        parts.push(this.color(`ERROR: ${entry.error.message}`, "error"));
+      }
+    } else if (entry.type === "security") {
+      parts.push(this.colorSeverity(entry.severity));
+      parts.push(entry.event);
+      if (entry.source.ip) {
+        parts.push(this.color(`[${entry.source.ip}]`, "dim"));
+      }
+      if (entry.source.userId) {
+        parts.push(this.color(`user:${entry.source.userId}`, "dim"));
+      }
+      parts.push(entry.message);
+    }
+    return parts.join(" ");
+  }
+  /**
+   * Format entry in pretty multi-line format
+   */
+  formatPretty(entry) {
+    const lines = [];
+    const header = [
+      this.color(entry.timestamp.toISOString(), "timestamp"),
+      this.colorLevel(entry.level),
+      `[${entry.type.toUpperCase()}]`
+    ].join(" ");
+    lines.push(header);
+    if (entry.type === "request") {
+      const req = entry.request;
+      const res = entry.response;
+      lines.push(`  ${this.color(req.method, "method")} ${req.url}`);
+      if (req.ip) lines.push(`  IP: ${req.ip}`);
+      if (req.userAgent) lines.push(`  UA: ${req.userAgent}`);
+      if (res) {
+        lines.push(`  Status: ${this.colorStatus(res.status)} (${res.duration}ms)`);
+      }
+      if (entry.user) {
+        lines.push(`  User: ${JSON.stringify(entry.user)}`);
+      }
+      if (entry.error) {
+        lines.push(`  ${this.color("Error:", "error")} ${entry.error.message}`);
+        if (entry.error.stack) {
+          lines.push(`  ${this.color(entry.error.stack, "dim")}`);
+        }
+      }
+    } else if (entry.type === "security") {
+      lines.push(`  Event: ${entry.event}`);
+      lines.push(`  Severity: ${this.colorSeverity(entry.severity)}`);
+      lines.push(`  Message: ${entry.message}`);
+      if (entry.source.ip) lines.push(`  Source IP: ${entry.source.ip}`);
+      if (entry.source.userId) lines.push(`  Source User: ${entry.source.userId}`);
+      if (entry.target) {
+        lines.push(`  Target: ${JSON.stringify(entry.target)}`);
+      }
+      if (entry.details) {
+        lines.push(`  Details: ${JSON.stringify(entry.details)}`);
+      }
+    }
+    if (entry.metadata && Object.keys(entry.metadata).length > 0) {
+      lines.push(`  Metadata: ${JSON.stringify(entry.metadata)}`);
+    }
+    return lines.join("\n");
+  }
+  /**
+   * Apply color if enabled
+   */
+  color(text, colorName) {
+    if (!this.colorize) return text;
+    return `${COLORS[colorName]}${text}${COLORS.reset}`;
+  }
+  /**
+   * Color log level
+   */
+  colorLevel(level) {
+    const text = level.toUpperCase().padEnd(8);
+    if (!this.colorize) return `[${text}]`;
+    return `[${COLORS[level]}${text}${COLORS.reset}]`;
+  }
+  /**
+   * Color HTTP status
+   */
+  colorStatus(status) {
+    const text = status.toString();
+    if (!this.colorize) return text;
+    if (status >= 500) return `${COLORS.status5xx}${text}${COLORS.reset}`;
+    if (status >= 400) return `${COLORS.status4xx}${text}${COLORS.reset}`;
+    if (status >= 300) return `${COLORS.status3xx}${text}${COLORS.reset}`;
+    return `${COLORS.status2xx}${text}${COLORS.reset}`;
+  }
+  /**
+   * Color severity
+   */
+  colorSeverity(severity) {
+    const text = `[${severity.toUpperCase()}]`;
+    if (!this.colorize) return text;
+    const colorKey = severity === "critical" ? "critical" : severity;
+    return `${COLORS[colorKey]}${text}${COLORS.reset}`;
+  }
+};
+function createConsoleStore(options) {
+  return new ConsoleStore(options);
+}
+// src/middleware/audit/stores/external.ts
+var ExternalStore = class {
+  endpoint;
+  headers;
+  batchSize;
+  flushInterval;
+  retryAttempts;
+  timeout;
+  buffer = [];
+  flushTimer = null;
+  isFlushing = false;
+  constructor(options) {
+    this.endpoint = options.endpoint;
+    this.headers = {
+      "Content-Type": "application/json",
+      ...options.apiKey ? { "Authorization": `Bearer ${options.apiKey}` } : {},
+      ...options.headers
+    };
+    this.batchSize = options.batchSize || 100;
+    this.flushInterval = options.flushInterval || 5e3;
+    this.retryAttempts = options.retryAttempts || 3;
+    this.timeout = options.timeout || 1e4;
+    if (this.flushInterval > 0) {
+      this.flushTimer = setInterval(() => this.flush(), this.flushInterval);
+    }
+  }
+  async write(entry) {
+    this.buffer.push(entry);
+    if (this.buffer.length >= this.batchSize) {
+      await this.flush();
+    }
+  }
+  async flush() {
+    if (this.isFlushing || this.buffer.length === 0) return;
+    this.isFlushing = true;
+    const entries = [...this.buffer];
+    this.buffer = [];
+    try {
+      await this.send(entries);
+    } catch (error) {
+      this.buffer = [...entries, ...this.buffer];
+      console.error("[ExternalStore] Failed to flush logs:", error);
+    } finally {
+      this.isFlushing = false;
+    }
+  }
+  async close() {
+    if (this.flushTimer) {
+      clearInterval(this.flushTimer);
+      this.flushTimer = null;
+    }
+    await this.flush();
+  }
+  /**
+   * Send entries to external endpoint
+   */
+  async send(entries) {
+    let lastError = null;
+    for (let attempt = 0; attempt < this.retryAttempts; attempt++) {
+      try {
+        const controller = new AbortController();
+        const timeoutId = setTimeout(() => controller.abort(), this.timeout);
+        const response = await fetch(this.endpoint, {
+          method: "POST",
+          headers: this.headers,
+          body: JSON.stringify({
+            logs: entries.map((e) => this.serialize(e)),
+            timestamp: (/* @__PURE__ */ new Date()).toISOString(),
+            count: entries.length
+          }),
+          signal: controller.signal
+        });
+        clearTimeout(timeoutId);
+        if (!response.ok) {
+          throw new Error(`HTTP ${response.status}: ${response.statusText}`);
+        }
+        return;
+      } catch (error) {
+        lastError = error instanceof Error ? error : new Error(String(error));
+        if (attempt < this.retryAttempts - 1) {
+          await this.sleep(Math.pow(2, attempt) * 1e3);
+        }
+      }
+    }
+    throw lastError || new Error("Failed to send logs");
+  }
+  /**
+   * Serialize entry for transmission
+   */
+  serialize(entry) {
+    return {
+      ...entry,
+      timestamp: entry.timestamp.toISOString()
+    };
+  }
+  /**
+   * Sleep helper
+   */
+  sleep(ms) {
+    return new Promise((resolve) => setTimeout(resolve, ms));
+  }
+  /**
+   * Get buffer size (for monitoring)
+   */
+  getBufferSize() {
+    return this.buffer.length;
+  }
+};
+function createExternalStore(options) {
+  return new ExternalStore(options);
+}
+function createDatadogStore(options) {
+  const site = options.site || "datadoghq.com";
+  const endpoint = `https://http-intake.logs.${site}/api/v2/logs`;
+  return new ExternalStore({
+    endpoint,
+    headers: {
+      "DD-API-KEY": options.apiKey,
+      "Content-Type": "application/json"
+    },
+    batchSize: options.batchSize || 100,
+    flushInterval: options.flushInterval || 5e3
+  });
+}
+var MultiStore = class {
+  stores;
+  constructor(stores) {
+    this.stores = stores;
+  }
+  async write(entry) {
+    await Promise.all(this.stores.map((store) => store.write(entry)));
+  }
+  async query(options) {
+    for (const store of this.stores) {
+      if (store.query) {
+        return store.query(options);
+      }
+    }
+    return [];
+  }
+  async flush() {
+    await Promise.all(this.stores.map((store) => store.flush?.()));
+  }
+  async close() {
+    await Promise.all(this.stores.map((store) => store.close?.()));
+  }
+};
+function createMultiStore(stores) {
+  return new MultiStore(stores);
+}
+// src/middleware/audit/formatters.ts
+var JSONFormatter = class {
+  pretty;
+  includeTimestamp;
+  constructor(options = {}) {
+    this.pretty = options.pretty ?? false;
+    this.includeTimestamp = options.includeTimestamp ?? true;
+  }
+  format(entry) {
+    const output = {
+      ...entry,
+      timestamp: this.includeTimestamp ? entry.timestamp.toISOString() : void 0
+    };
+    return this.pretty ? JSON.stringify(output, null, 2) : JSON.stringify(output);
+  }
+};
+var TextFormatter = class {
+  template;
+  dateFormat;
+  constructor(options = {}) {
+    this.template = options.template || "{timestamp} [{level}] {message}";
+    this.dateFormat = options.dateFormat || "iso";
+  }
+  format(entry) {
+    let output = this.template;
+    output = output.replace("{timestamp}", this.formatDate(entry.timestamp));
+    output = output.replace("{level}", entry.level.toUpperCase().padEnd(8));
+    output = output.replace("{message}", entry.message);
+    output = output.replace("{type}", entry.type);
+    output = output.replace("{id}", entry.id);
+    if (entry.category) {
+      output = output.replace("{category}", entry.category);
+    }
+    if (entry.type === "request") {
+      output = output.replace("{method}", entry.request.method);
+      output = output.replace("{path}", entry.request.path);
+      output = output.replace("{url}", entry.request.url);
+      output = output.replace("{ip}", entry.request.ip || "-");
+      output = output.replace("{status}", entry.response?.status?.toString() || "-");
+      output = output.replace("{duration}", entry.response?.duration?.toString() || "-");
+    }
+    if (entry.type === "security") {
+      output = output.replace("{event}", entry.event);
+      output = output.replace("{severity}", entry.severity);
+    }
+    return output;
+  }
+  formatDate(date) {
+    switch (this.dateFormat) {
+      case "utc":
+        return date.toUTCString();
+      case "local":
+        return date.toLocaleString();
+      case "iso":
+      default:
+        return date.toISOString();
+    }
+  }
+};
+var CLFFormatter = class {
+  format(entry) {
+    if (entry.type !== "request") {
+      return `[${entry.timestamp.toISOString()}] ${entry.level.toUpperCase()} ${entry.message}`;
+    }
+    const req = entry.request;
+    const res = entry.response;
+    const host = req.ip || "-";
+    const ident = "-";
+    const authuser = entry.user?.id || "-";
+    const date = this.formatCLFDate(entry.timestamp);
+    const request = `${req.method} ${req.path} HTTP/1.1`;
+    const status = res?.status || 0;
+    const bytes = res?.contentLength || 0;
+    return `${host} ${ident} ${authuser} [${date}] "${request}" ${status} ${bytes}`;
+  }
+  formatCLFDate(date) {
+    const months = [
+      "Jan",
+      "Feb",
+      "Mar",
+      "Apr",
+      "May",
+      "Jun",
+      "Jul",
+      "Aug",
+      "Sep",
+      "Oct",
+      "Nov",
+      "Dec"
+    ];
+    const day = date.getDate().toString().padStart(2, "0");
+    const month = months[date.getMonth()];
+    const year = date.getFullYear();
+    const hours = date.getHours().toString().padStart(2, "0");
+    const minutes = date.getMinutes().toString().padStart(2, "0");
+    const seconds = date.getSeconds().toString().padStart(2, "0");
+    const offset = -date.getTimezoneOffset();
+    const offsetSign = offset >= 0 ? "+" : "-";
+    const offsetHours = Math.floor(Math.abs(offset) / 60).toString().padStart(2, "0");
+    const offsetMins = (Math.abs(offset) % 60).toString().padStart(2, "0");
+    return `${day}/${month}/${year}:${hours}:${minutes}:${seconds} ${offsetSign}${offsetHours}${offsetMins}`;
+  }
+};
+var StructuredFormatter = class {
+  delimiter;
+  kvSeparator;
+  constructor(options = {}) {
+    this.delimiter = options.delimiter || " ";
+    this.kvSeparator = options.kvSeparator || "=";
+  }
+  format(entry) {
+    const pairs = [];
+    pairs.push(this.pair("timestamp", entry.timestamp.toISOString()));
+    pairs.push(this.pair("level", entry.level));
+    pairs.push(this.pair("type", entry.type));
+    pairs.push(this.pair("id", entry.id));
+    pairs.push(this.pair("message", this.escape(entry.message)));
+    if (entry.category) {
+      pairs.push(this.pair("category", entry.category));
+    }
+    if (entry.type === "request") {
+      pairs.push(this.pair("method", entry.request.method));
+      pairs.push(this.pair("path", entry.request.path));
+      if (entry.request.ip) pairs.push(this.pair("ip", entry.request.ip));
+      if (entry.response) {
+        pairs.push(this.pair("status", entry.response.status.toString()));
+        pairs.push(this.pair("duration_ms", entry.response.duration.toString()));
+      }
+      if (entry.user?.id) pairs.push(this.pair("user_id", entry.user.id));
+      if (entry.error) {
+        pairs.push(this.pair("error", this.escape(entry.error.message)));
+      }
+    }
+    if (entry.type === "security") {
+      pairs.push(this.pair("event", entry.event));
+      pairs.push(this.pair("severity", entry.severity));
+      if (entry.source.ip) pairs.push(this.pair("source_ip", entry.source.ip));
+      if (entry.source.userId) pairs.push(this.pair("source_user", entry.source.userId));
+    }
+    return pairs.join(this.delimiter);
+  }
+  pair(key, value) {
+    return `${key}${this.kvSeparator}${value}`;
+  }
+  escape(value) {
+    if (value.includes(" ") || value.includes('"')) {
+      return `"${value.replace(/"/g, '\\"')}"`;
+    }
+    return value;
+  }
+};
+function createJSONFormatter(options) {
+  return new JSONFormatter(options);
+}
+function createTextFormatter(options) {
+  return new TextFormatter(options);
+}
+function createCLFFormatter() {
+  return new CLFFormatter();
+}
+function createStructuredFormatter(options) {
+  return new StructuredFormatter(options);
+}
+// src/middleware/audit/redaction.ts
+var DEFAULT_PII_FIELDS = [
+  // Authentication
+  "password",
+  "passwd",
+  "secret",
+  "token",
+  "api_key",
+  "apiKey",
+  "api-key",
+  "access_token",
+  "accessToken",
+  "refresh_token",
+  "refreshToken",
+  "authorization",
+  "auth",
+  // Personal information
+  "ssn",
+  "social_security",
+  "socialSecurity",
+  "credit_card",
+  "creditCard",
+  "card_number",
+  "cardNumber",
+  "cvv",
+  "cvc",
+  "pin",
+  // Contact
+  "email",
+  "phone",
+  "phone_number",
+  "phoneNumber",
+  "mobile",
+  "address",
+  "street",
+  "zip",
+  "zipcode",
+  "postal_code",
+  "postalCode",
+  // Identity
+  "date_of_birth",
+  "dateOfBirth",
+  "dob",
+  "birth_date",
+  "birthDate",
+  "passport",
+  "license",
+  "national_id",
+  "nationalId"
+];
+function mask(value, options = {}) {
+  const {
+    char = "*",
+    preserveLength = false,
+    showFirst = 0,
+    showLast = 0
+  } = options;
+  if (!value) return value;
+  const len = value.length;
+  if (preserveLength) {
+    const first2 = value.slice(0, showFirst);
+    const last2 = value.slice(-showLast || len);
+    const middle = char.repeat(Math.max(0, len - showFirst - showLast));
+    return first2 + middle + (showLast > 0 ? last2 : "");
+  }
+  const maskLen = 8;
+  const first = showFirst > 0 ? value.slice(0, showFirst) : "";
+  const last = showLast > 0 ? value.slice(-showLast) : "";
+  return first + char.repeat(maskLen) + last;
+}
+function hash(value, salt = "") {
+  const str = salt + value;
+  let hash2 = 0;
+  for (let i = 0; i < str.length; i++) {
+    const char = str.charCodeAt(i);
+    hash2 = (hash2 << 5) - hash2 + char;
+    hash2 = hash2 & hash2;
+  }
+  const hex = Math.abs(hash2).toString(16).padStart(8, "0");
+  return hex + hex.slice(0, 8);
+}
+function redactValue(value, field, config) {
+  if (typeof value !== "string") return value;
+  if (!value) return value;
+  const shouldRedact = config.fields.some((f) => {
+    const fieldLower = field.toLowerCase();
+    const fLower = f.toLowerCase();
+    return fieldLower === fLower || fieldLower.endsWith("." + fLower) || fieldLower.includes("[" + fLower + "]");
+  });
+  if (!shouldRedact) return value;
+  if (config.customRedactor) {
+    return config.customRedactor(value, field);
+  }
+  switch (config.mode) {
+    case "mask":
+      return mask(value, {
+        char: config.maskChar || "*",
+        preserveLength: config.preserveLength,
+        showFirst: 2,
+        showLast: 2
+      });
+    case "hash":
+      return `[HASH:${hash(value)}]`;
+    case "remove":
+      return "[REDACTED]";
+    default:
+      return "[REDACTED]";
+  }
+}
+function redactObject(obj, config, path = "") {
+  if (typeof obj === "string") {
+    return redactValue(obj, path, config);
+  }
+  if (Array.isArray(obj)) {
+    return obj.map((item, i) => redactObject(item, config, `${path}[${i}]`));
+  }
+  if (typeof obj === "object" && obj !== null) {
+    const result = {};
+    for (const [key, value] of Object.entries(obj)) {
+      const newPath = path ? `${path}.${key}` : key;
+      result[key] = redactObject(value, config, newPath);
+    }
+    return result;
+  }
+  return obj;
+}
+function createRedactor(config = {}) {
+  const fullConfig = {
+    fields: config.fields || DEFAULT_PII_FIELDS,
+    mode: config.mode || "mask",
+    maskChar: config.maskChar || "*",
+    preserveLength: config.preserveLength || false,
+    customRedactor: config.customRedactor
+  };
+  return (obj) => redactObject(obj, fullConfig);
+}
+function redactHeaders(headers, sensitiveHeaders = ["authorization", "cookie", "x-api-key", "x-auth-token"]) {
+  const result = {};
+  for (const [key, value] of Object.entries(headers)) {
+    const keyLower = key.toLowerCase();
+    if (sensitiveHeaders.some((h) => keyLower === h.toLowerCase())) {
+      result[key] = "[REDACTED]";
+    } else {
+      result[key] = value;
+    }
+  }
+  return result;
+}
+function redactQuery(query, sensitiveParams = ["token", "key", "secret", "password", "auth"]) {
+  const result = {};
+  for (const [key, value] of Object.entries(query)) {
+    const keyLower = key.toLowerCase();
+    if (sensitiveParams.some((p) => keyLower.includes(p.toLowerCase()))) {
+      result[key] = "[REDACTED]";
+    } else {
+      result[key] = value;
+    }
+  }
+  return result;
+}
+function redactEmail(email) {
+  if (!email || !email.includes("@")) return mask(email);
+  const [, domain] = email.split("@");
+  return `****@${domain}`;
+}
+function redactCreditCard(cardNumber) {
+  const cleaned = cardNumber.replace(/\D/g, "");
+  if (cleaned.length < 4) return mask(cardNumber);
+  return "**** **** **** " + cleaned.slice(-4);
+}
+function redactPhone(phone) {
+  const cleaned = phone.replace(/\D/g, "");
+  if (cleaned.length < 4) return mask(phone);
+  return mask(phone, { preserveLength: true, showLast: 4 });
+}
+function redactIP(ip) {
+  if (ip.includes(":")) {
+    const parts2 = ip.split(":");
+    return parts2[0] + ":****:****:****";
+  }
+  const parts = ip.split(".");
+  if (parts.length !== 4) return mask(ip);
+  return `${parts[0]}.${parts[1]}.*.*`;
+}
+// src/middleware/audit/events.ts
+function generateId() {
+  return `evt_${Date.now().toString(36)}_${Math.random().toString(36).slice(2, 9)}`;
+}
+function severityToLevel(severity) {
+  switch (severity) {
+    case "low":
+      return "info";
+    case "medium":
+      return "warn";
+    case "high":
+      return "error";
+    case "critical":
+      return "critical";
+  }
+}
+var SecurityEventTracker = class {
+  store;
+  defaultSeverity;
+  onEvent;
+  constructor(config) {
+    this.store = config.store;
+    this.defaultSeverity = config.defaultSeverity || "medium";
+    this.onEvent = config.onEvent;
+  }
+  /**
+   * Track a security event
+   */
+  async track(options) {
+    const severity = options.severity || this.defaultSeverity;
+    const entry = {
+      id: generateId(),
+      timestamp: /* @__PURE__ */ new Date(),
+      type: "security",
+      level: severityToLevel(severity),
+      message: options.message,
+      event: options.event,
+      severity,
+      source: options.source || {},
+      target: options.target,
+      details: options.details,
+      mitigated: options.mitigated,
+      metadata: options.metadata
+    };
+    await this.store.write(entry);
+    if (this.onEvent) {
+      await this.onEvent(entry);
+    }
+    return entry;
+  }
+  // Convenience methods for common events
+  /**
+   * Track failed authentication
+   */
+  async authFailed(options) {
+    return this.track({
+      event: "auth.failed",
+      message: options.reason || "Authentication failed",
+      severity: "medium",
+      source: {
+        ip: options.ip,
+        userAgent: options.userAgent
+      },
+      details: {
+        attemptedEmail: options.email,
+        reason: options.reason
+      },
+      metadata: options.metadata
+    });
+  }
+  /**
+   * Track successful login
+   */
+  async authLogin(options) {
+    return this.track({
+      event: "auth.login",
+      message: `User ${options.userId} logged in`,
+      severity: "low",
+      source: {
+        ip: options.ip,
+        userAgent: options.userAgent,
+        userId: options.userId
+      },
+      details: {
+        method: options.method || "credentials"
+      },
+      metadata: options.metadata
+    });
+  }
+  /**
+   * Track logout
+   */
+  async authLogout(options) {
+    return this.track({
+      event: "auth.logout",
+      message: `User ${options.userId} logged out`,
+      severity: "low",
+      source: {
+        ip: options.ip,
+        userId: options.userId
+      },
+      details: {
+        reason: options.reason || "user"
+      },
+      metadata: options.metadata
+    });
+  }
+  /**
+   * Track permission denied
+   */
+  async permissionDenied(options) {
+    return this.track({
+      event: "auth.permission_denied",
+      message: `Permission denied for ${options.action} on ${options.resource}`,
+      severity: "medium",
+      source: {
+        ip: options.ip,
+        userId: options.userId
+      },
+      target: {
+        resource: options.resource,
+        action: options.action
+      },
+      details: {
+        requiredRole: options.requiredRole
+      },
+      metadata: options.metadata
+    });
+  }
+  /**
+   * Track rate limit exceeded
+   */
+  async rateLimitExceeded(options) {
+    return this.track({
+      event: "ratelimit.exceeded",
+      message: `Rate limit exceeded for ${options.endpoint}`,
+      severity: "medium",
+      source: {
+        ip: options.ip,
+        userId: options.userId
+      },
+      target: {
+        resource: options.endpoint
+      },
+      details: {
+        limit: options.limit,
+        window: options.window
+      },
+      metadata: options.metadata
+    });
+  }
+  /**
+   * Track CSRF validation failure
+   */
+  async csrfInvalid(options) {
+    return this.track({
+      event: "csrf.invalid",
+      message: `CSRF validation failed for ${options.endpoint}`,
+      severity: "high",
+      source: {
+        ip: options.ip,
+        userId: options.userId
+      },
+      target: {
+        resource: options.endpoint
+      },
+      details: {
+        reason: options.reason
+      },
+      metadata: options.metadata
+    });
+  }
+  /**
+   * Track XSS detection
+   */
+  async xssDetected(options) {
+    return this.track({
+      event: "xss.detected",
+      message: `XSS payload detected in ${options.field}`,
+      severity: "high",
+      source: {
+        ip: options.ip,
+        userId: options.userId
+      },
+      target: {
+        resource: options.endpoint
+      },
+      details: {
+        field: options.field,
+        payload: options.payload?.slice(0, 100)
+        // Truncate
+      },
+      mitigated: true,
+      metadata: options.metadata
+    });
+  }
+  /**
+   * Track SQL injection detection
+   */
+  async sqliDetected(options) {
+    return this.track({
+      event: "sqli.detected",
+      message: `SQL injection attempt detected in ${options.field}`,
+      severity: options.severity || "high",
+      source: {
+        ip: options.ip,
+        userId: options.userId
+      },
+      target: {
+        resource: options.endpoint
+      },
+      details: {
+        field: options.field,
+        pattern: options.pattern
+      },
+      mitigated: true,
+      metadata: options.metadata
+    });
+  }
+  /**
+   * Track IP block
+   */
+  async ipBlocked(options) {
+    return this.track({
+      event: "ip.blocked",
+      message: `IP ${options.ip} blocked: ${options.reason}`,
+      severity: "high",
+      source: {
+        ip: options.ip
+      },
+      details: {
+        reason: options.reason,
+        duration: options.duration
+      },
+      metadata: options.metadata
+    });
+  }
+  /**
+   * Track suspicious activity
+   */
+  async suspicious(options) {
+    return this.track({
+      event: "ip.suspicious",
+      message: options.activity,
+      severity: options.severity || "medium",
+      source: {
+        ip: options.ip,
+        userId: options.userId
+      },
+      details: options.details,
+      metadata: options.metadata
+    });
+  }
+  /**
+   * Track custom event
+   */
+  async custom(options) {
+    return this.track({
+      event: "custom",
+      ...options
+    });
+  }
+};
+function createSecurityTracker(config) {
+  return new SecurityEventTracker(config);
+}
+async function trackSecurityEvent(store, options) {
+  const tracker = new SecurityEventTracker({ store });
+  return tracker.track(options);
+}
+// src/middleware/audit/middleware.ts
+function generateRequestId() {
+  return `req_${Date.now().toString(36)}_${Math.random().toString(36).slice(2, 9)}`;
+}
+function getClientIP(req) {
+  return req.headers.get("x-forwarded-for")?.split(",")[0]?.trim() || req.headers.get("x-real-ip") || req.headers.get("cf-connecting-ip") || void 0;
+}
+function headersToRecord(headers, includeHeaders) {
+  if (!includeHeaders) return {};
+  const result = {};
+  if (includeHeaders === true) {
+    headers.forEach((value, key) => {
+      result[key] = value;
+    });
+  } else if (Array.isArray(includeHeaders)) {
+    for (const key of includeHeaders) {
+      const value = headers.get(key);
+      if (value) result[key] = value;
+    }
+  }
+  return result;
+}
+function parseQuery(url) {
+  const result = {};
+  try {
+    const urlObj = new URL(url);
+    urlObj.searchParams.forEach((value, key) => {
+      result[key] = value;
+    });
+  } catch {
+  }
+  return result;
+}
+function statusToLevel(status) {
+  if (status >= 500) return "error";
+  if (status >= 400) return "warn";
+  return "info";
+}
+function shouldSkip(req, status, exclude) {
+  if (!exclude) return false;
+  const url = new URL(req.url);
+  if (exclude.paths?.length) {
+    const matchesPath = exclude.paths.some((pattern) => {
+      if (pattern.includes("*")) {
+        const regex = new RegExp("^" + pattern.replace(/\*/g, ".*") + "$");
+        return regex.test(url.pathname);
+      }
+      return url.pathname === pattern || url.pathname.startsWith(pattern);
+    });
+    if (matchesPath) return true;
+  }
+  if (exclude.methods?.includes(req.method)) {
+    return true;
+  }
+  if (exclude.statusCodes?.includes(status)) {
+    return true;
+  }
+  return false;
+}
+function withAuditLog(handler, config) {
+  const {
+    enabled = true,
+    store,
+    include = {},
+    exclude,
+    pii,
+    getUser,
+    requestIdHeader = "x-request-id",
+    generateRequestId: customGenerateId,
+    onError,
+    skip
+  } = config;
+  const includeSettings = {
+    ip: include.ip ?? true,
+    userAgent: include.userAgent ?? true,
+    headers: include.headers ?? false,
+    query: include.query ?? true,
+    body: include.body ?? false,
+    response: include.response ?? true,
+    responseBody: include.responseBody ?? false,
+    duration: include.duration ?? true,
+    user: include.user ?? true
+  };
+  const piiConfig = pii || {
+    fields: DEFAULT_PII_FIELDS,
+    mode: "mask"
+  };
+  return async (req) => {
+    if (!enabled) {
+      return handler(req);
+    }
+    if (skip && await skip(req)) {
+      return handler(req);
+    }
+    const startTime = Date.now();
+    const requestId = req.headers.get(requestIdHeader) || (customGenerateId ? customGenerateId() : generateRequestId());
+    const url = new URL(req.url);
+    let requestInfo = {
+      id: requestId,
+      method: req.method,
+      url: req.url,
+      path: url.pathname
+    };
+    if (includeSettings.ip) {
+      requestInfo.ip = getClientIP(req);
+    }
+    if (includeSettings.userAgent) {
+      requestInfo.userAgent = req.headers.get("user-agent") || void 0;
+    }
+    if (includeSettings.headers) {
+      let headers = headersToRecord(req.headers, includeSettings.headers);
+      headers = redactHeaders(headers);
+      requestInfo.headers = headers;
+    }
+    if (includeSettings.query) {
+      let query = parseQuery(req.url);
+      query = redactQuery(query);
+      requestInfo.query = query;
+    }
+    requestInfo.contentType = req.headers.get("content-type") || void 0;
+    requestInfo.contentLength = parseInt(req.headers.get("content-length") || "0", 10) || void 0;
+    let user;
+    if (includeSettings.user && getUser) {
+      try {
+        user = await getUser(req) || void 0;
+      } catch {
+      }
+    }
+    let response;
+    let error;
+    try {
+      response = await handler(req);
+    } catch (err) {
+      error = err instanceof Error ? err : new Error(String(err));
+      throw err;
+    } finally {
+      const duration = Date.now() - startTime;
+      const status = response?.status || 500;
+      if (!shouldSkip(req, status, exclude)) {
+        const entry = {
+          id: requestId,
+          timestamp: /* @__PURE__ */ new Date(),
+          type: "request",
+          level: error ? "error" : statusToLevel(status),
+          message: `${req.method} ${url.pathname} ${status} ${duration}ms`,
+          request: requestInfo,
+          user
+        };
+        if (includeSettings.response && response) {
+          entry.response = {
+            status: response.status,
+            duration
+          };
+          if (includeSettings.headers) {
+            entry.response.headers = headersToRecord(response.headers, includeSettings.headers);
+          }
+        }
+        if (error) {
+          entry.error = {
+            name: error.name,
+            message: error.message,
+            stack: error.stack
+          };
+        }
+        const redactedEntry = redactObject(entry, piiConfig);
+        try {
+          await store.write(redactedEntry);
+        } catch (writeError) {
+          if (onError) {
+            onError(writeError instanceof Error ? writeError : new Error(String(writeError)), entry);
+          } else {
+            console.error("[AuditLog] Failed to write log:", writeError);
+          }
+        }
+      }
+    }
+    return response;
+  };
+}
+function createAuditMiddleware(config) {
+  return (handler) => withAuditLog(handler, config);
+}
+function withRequestId(handler, options = {}) {
+  const { headerName = "x-request-id", generateId: generateId2 = generateRequestId } = options;
+  return async (req) => {
+    const requestId = req.headers.get(headerName) || generateId2();
+    const response = await handler(req);
+    const newResponse = new Response(response.body, {
+      status: response.status,
+      statusText: response.statusText,
+      headers: new Headers(response.headers)
+    });
+    newResponse.headers.set(headerName, requestId);
+    return newResponse;
+  };
+}
+function withTiming(handler, options = {}) {
+  const { headerName = "x-response-time", log = false } = options;
+  return async (req) => {
+    const start = Date.now();
+    const response = await handler(req);
+    const duration = Date.now() - start;
+    const newResponse = new Response(response.body, {
+      status: response.status,
+      statusText: response.statusText,
+      headers: new Headers(response.headers)
+    });
+    newResponse.headers.set(headerName, `${duration}ms`);
+    if (log) {
+      const url = new URL(req.url);
+      console.log(`${req.method} ${url.pathname} ${response.status} ${duration}ms`);
+    }
+    return newResponse;
+  };
+}
+export { CLFFormatter, ConsoleStore, DEFAULT_PII_FIELDS, ExternalStore, JSONFormatter, MemoryStore, MultiStore, SecurityEventTracker, StructuredFormatter, TextFormatter, createAuditMiddleware, createCLFFormatter, createConsoleStore, createDatadogStore, createExternalStore, createJSONFormatter, createMemoryStore, createMultiStore, createRedactor, createSecurityTracker, createStructuredFormatter, createTextFormatter, hash, mask, redactCreditCard, redactEmail, redactHeaders, redactIP, redactObject, redactPhone, redactQuery, redactValue, trackSecurityEvent, withAuditLog, withRequestId, withTiming };
+//# sourceMappingURL=audit.js.map
+//# sourceMappingURL=audit.js.map