@actuate-media/cms-core 0.1.0

package/dist/security/middleware.d.ts

@@ -0,0 +1,20 @@
+import { type SecurityHeadersConfig } from "./headers";
+import type { RateLimiter } from "./rate-limit";
+export interface SecurityMiddlewareConfig {
+    headers?: SecurityHeadersConfig;
+    csrf?: {
+        enabled: boolean;
+        cookieName?: string;
+    };
+    rateLimit?: RateLimiter;
+    rateLimitKey?: (request: Request) => string;
+}
+export interface SecurityMiddlewareResult {
+    allowed: boolean;
+    headers: Record<string, string>;
+    error?: string;
+    status?: number;
+}
+/** Compose a security middleware pipeline that applies headers, CSRF, and rate limiting. */
+export declare function applySecurityMiddleware(request: Request, config: SecurityMiddlewareConfig): Promise<SecurityMiddlewareResult>;
+//# sourceMappingURL=middleware.d.ts.map

package/dist/security/middleware.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"middleware.d.ts","sourceRoot":"","sources":["../../src/security/middleware.ts"],"names":[],"mappings":"AAAA,OAAO,EAAsB,KAAK,qBAAqB,EAAE,MAAM,WAAW,CAAC;AAE3E,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,cAAc,CAAC;AAEhD,MAAM,WAAW,wBAAwB;IACvC,OAAO,CAAC,EAAE,qBAAqB,CAAC;IAChC,IAAI,CAAC,EAAE;QAAE,OAAO,EAAE,OAAO,CAAC;QAAC,UAAU,CAAC,EAAE,MAAM,CAAA;KAAE,CAAC;IACjD,SAAS,CAAC,EAAE,WAAW,CAAC;IACxB,YAAY,CAAC,EAAE,CAAC,OAAO,EAAE,OAAO,KAAK,MAAM,CAAC;CAC7C;AAED,MAAM,WAAW,wBAAwB;IACvC,OAAO,EAAE,OAAO,CAAC;IACjB,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAChC,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAED,4FAA4F;AAC5F,wBAAsB,uBAAuB,CAC3C,OAAO,EAAE,OAAO,EAChB,MAAM,EAAE,wBAAwB,GAC/B,OAAO,CAAC,wBAAwB,CAAC,CAiCnC"}

package/dist/security/middleware.js

@@ -0,0 +1,45 @@
+import { getSecurityHeaders } from "./headers";
+import { validateToken as validateCsrf } from "./csrf";
+/** Compose a security middleware pipeline that applies headers, CSRF, and rate limiting. */
+export async function applySecurityMiddleware(request, config) {
+    const responseHeaders = getSecurityHeaders(config.headers);
+    if (config.rateLimit) {
+        const key = config.rateLimitKey?.(request) ?? getClientIp(request);
+        const result = await config.rateLimit.check(key);
+        if (!result.allowed) {
+            return {
+                allowed: false,
+                headers: responseHeaders,
+                error: "Rate limit exceeded",
+                status: 429,
+            };
+        }
+        responseHeaders["X-RateLimit-Remaining"] = String(result.remaining);
+        responseHeaders["X-RateLimit-Reset"] = result.resetAt.toISOString();
+    }
+    if (config.csrf?.enabled && isMutatingMethod(request.method)) {
+        const csrfToken = request.headers.get("x-csrf-token") ?? "";
+        const cookieName = config.csrf.cookieName ?? "__actuate_csrf";
+        const storedToken = parseCookie(request.headers.get("cookie") ?? "", cookieName);
+        if (!storedToken || !validateCsrf(csrfToken, storedToken)) {
+            return {
+                allowed: false,
+                headers: responseHeaders,
+                error: "Invalid CSRF token",
+                status: 403,
+            };
+        }
+    }
+    return { allowed: true, headers: responseHeaders };
+}
+function isMutatingMethod(method) {
+    return ["POST", "PUT", "PATCH", "DELETE"].includes(method.toUpperCase());
+}
+function getClientIp(request) {
+    return request.headers.get("x-forwarded-for")?.split(",")[0]?.trim() ?? "unknown";
+}
+function parseCookie(cookieHeader, name) {
+    const match = cookieHeader.match(new RegExp(`(?:^|;\\s*)${name}=([^;]*)`));
+    return match?.[1];
+}
+//# sourceMappingURL=middleware.js.map

package/dist/security/middleware.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"middleware.js","sourceRoot":"","sources":["../../src/security/middleware.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,kBAAkB,EAA8B,MAAM,WAAW,CAAC;AAC3E,OAAO,EAAE,aAAa,IAAI,YAAY,EAAE,MAAM,QAAQ,CAAC;AAiBvD,4FAA4F;AAC5F,MAAM,CAAC,KAAK,UAAU,uBAAuB,CAC3C,OAAgB,EAChB,MAAgC;IAEhC,MAAM,eAAe,GAAG,kBAAkB,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;IAE3D,IAAI,MAAM,CAAC,SAAS,EAAE,CAAC;QACrB,MAAM,GAAG,GAAG,MAAM,CAAC,YAAY,EAAE,CAAC,OAAO,CAAC,IAAI,WAAW,CAAC,OAAO,CAAC,CAAC;QACnE,MAAM,MAAM,GAAG,MAAM,MAAM,CAAC,SAAS,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QACjD,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC;YACpB,OAAO;gBACL,OAAO,EAAE,KAAK;gBACd,OAAO,EAAE,eAAe;gBACxB,KAAK,EAAE,qBAAqB;gBAC5B,MAAM,EAAE,GAAG;aACZ,CAAC;QACJ,CAAC;QACD,eAAe,CAAC,uBAAuB,CAAC,GAAG,MAAM,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;QACpE,eAAe,CAAC,mBAAmB,CAAC,GAAG,MAAM,CAAC,OAAO,CAAC,WAAW,EAAE,CAAC;IACtE,CAAC;IAED,IAAI,MAAM,CAAC,IAAI,EAAE,OAAO,IAAI,gBAAgB,CAAC,OAAO,CAAC,MAAM,CAAC,EAAE,CAAC;QAC7D,MAAM,SAAS,GAAG,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,cAAc,CAAC,IAAI,EAAE,CAAC;QAC5D,MAAM,UAAU,GAAG,MAAM,CAAC,IAAI,CAAC,UAAU,IAAI,gBAAgB,CAAC;QAC9D,MAAM,WAAW,GAAG,WAAW,CAAC,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAC,IAAI,EAAE,EAAE,UAAU,CAAC,CAAC;QACjF,IAAI,CAAC,WAAW,IAAI,CAAC,YAAY,CAAC,SAAS,EAAE,WAAW,CAAC,EAAE,CAAC;YAC1D,OAAO;gBACL,OAAO,EAAE,KAAK;gBACd,OAAO,EAAE,eAAe;gBACxB,KAAK,EAAE,oBAAoB;gBAC3B,MAAM,EAAE,GAAG;aACZ,CAAC;QACJ,CAAC;IACH,CAAC;IAED,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,eAAe,EAAE,CAAC;AACrD,CAAC;AAED,SAAS,gBAAgB,CAAC,MAAc;IACtC,OAAO,CAAC,MAAM,EAAE,KAAK,EAAE,OAAO,EAAE,QAAQ,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,WAAW,EAAE,CAAC,CAAC;AAC3E,CAAC;AAED,SAAS,WAAW,CAAC,OAAgB;IACnC,OAAO,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,iBAAiB,CAAC,EAAE,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,EAAE,IAAI,EAAE,IAAI,SAAS,CAAC;AACpF,CAAC;AAED,SAAS,WAAW,CAAC,YAAoB,EAAE,IAAY;IACrD,MAAM,KAAK,GAAG,YAAY,CAAC,KAAK,CAAC,IAAI,MAAM,CAAC,cAAc,IAAI,UAAU,CAAC,CAAC,CAAC;IAC3E,OAAO,KAAK,EAAE,CAAC,CAAC,CAAC,CAAC;AACpB,CAAC"}

package/dist/security/rate-limit.d.ts

@@ -0,0 +1,24 @@
+export interface RateLimitResult {
+    allowed: boolean;
+    remaining: number;
+    resetAt: Date;
+    retryAfter?: number;
+}
+export interface RateLimiter {
+    check(key: string): Promise<RateLimitResult>;
+    reset(key: string): Promise<void>;
+}
+export interface RateLimitConfig {
+    windowMs: number;
+    maxRequests: number;
+}
+/** Create a rate limiter backed by an in-memory sliding window (for dev/single-process). */
+export declare function createInMemoryRateLimiter(config: RateLimitConfig): RateLimiter;
+/** Create a rate limiter backed by Upstash Redis (for serverless/production). */
+export declare function createUpstashRateLimiter(config: RateLimitConfig): RateLimiter;
+/**
+ * Create a rate limiter with automatic backend detection.
+ * Uses Upstash Redis if UPSTASH_REDIS_REST_URL is set, otherwise falls back to in-memory.
+ */
+export declare function createRateLimiter(config: RateLimitConfig): RateLimiter;
+//# sourceMappingURL=rate-limit.d.ts.map

package/dist/security/rate-limit.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"rate-limit.d.ts","sourceRoot":"","sources":["../../src/security/rate-limit.ts"],"names":[],"mappings":"AAAA,MAAM,WAAW,eAAe;IAC9B,OAAO,EAAE,OAAO,CAAC;IACjB,SAAS,EAAE,MAAM,CAAC;IAClB,OAAO,EAAE,IAAI,CAAC;IACd,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB;AAED,MAAM,WAAW,WAAW;IAC1B,KAAK,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,eAAe,CAAC,CAAC;IAC7C,KAAK,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;CACnC;AAED,MAAM,WAAW,eAAe;IAC9B,QAAQ,EAAE,MAAM,CAAC;IACjB,WAAW,EAAE,MAAM,CAAC;CACrB;AAED,4FAA4F;AAC5F,wBAAgB,yBAAyB,CAAC,MAAM,EAAE,eAAe,GAAG,WAAW,CA4B9E;AAED,iFAAiF;AACjF,wBAAgB,wBAAwB,CAAC,MAAM,EAAE,eAAe,GAAG,WAAW,CAiD7E;AAED;;;GAGG;AACH,wBAAgB,iBAAiB,CAAC,MAAM,EAAE,eAAe,GAAG,WAAW,CAStE"}

package/dist/security/rate-limit.js

@@ -0,0 +1,84 @@
+/** Create a rate limiter backed by an in-memory sliding window (for dev/single-process). */
+export function createInMemoryRateLimiter(config) {
+    const windows = new Map();
+    return {
+        async check(key) {
+            const now = Date.now();
+            const entry = windows.get(key);
+            if (!entry || now > entry.resetAt) {
+                const resetAt = now + config.windowMs;
+                windows.set(key, { count: 1, resetAt });
+                return { allowed: true, remaining: config.maxRequests - 1, resetAt: new Date(resetAt) };
+            }
+            entry.count++;
+            const allowed = entry.count <= config.maxRequests;
+            return {
+                allowed,
+                remaining: Math.max(0, config.maxRequests - entry.count),
+                resetAt: new Date(entry.resetAt),
+                retryAfter: allowed ? undefined : Math.ceil((entry.resetAt - now) / 1000),
+            };
+        },
+        async reset(key) {
+            windows.delete(key);
+        },
+    };
+}
+/** Create a rate limiter backed by Upstash Redis (for serverless/production). */
+export function createUpstashRateLimiter(config) {
+    const url = process.env.UPSTASH_REDIS_REST_URL;
+    const token = process.env.UPSTASH_REDIS_REST_TOKEN;
+    if (!url || !token) {
+        throw new Error('UPSTASH_REDIS_REST_URL and UPSTASH_REDIS_REST_TOKEN are required');
+    }
+    async function redisCommand(command) {
+        const response = await fetch(`${url}`, {
+            method: 'POST',
+            headers: {
+                Authorization: `Bearer ${token}`,
+                'Content-Type': 'application/json',
+            },
+            body: JSON.stringify(command),
+        });
+        const data = await response.json();
+        return data?.result;
+    }
+    const windowSec = Math.ceil(config.windowMs / 1000);
+    return {
+        async check(key) {
+            const redisKey = `ratelimit:${key}`;
+            const count = await redisCommand(['INCR', redisKey]);
+            if (count === 1) {
+                await redisCommand(['EXPIRE', redisKey, String(windowSec)]);
+            }
+            const ttl = await redisCommand(['TTL', redisKey]);
+            const resetAt = new Date(Date.now() + (ttl > 0 ? ttl * 1000 : config.windowMs));
+            const allowed = count <= config.maxRequests;
+            return {
+                allowed,
+                remaining: Math.max(0, config.maxRequests - count),
+                resetAt,
+                retryAfter: allowed ? undefined : ttl > 0 ? ttl : Math.ceil(config.windowMs / 1000),
+            };
+        },
+        async reset(key) {
+            await redisCommand(['DEL', `ratelimit:${key}`]);
+        },
+    };
+}
+/**
+ * Create a rate limiter with automatic backend detection.
+ * Uses Upstash Redis if UPSTASH_REDIS_REST_URL is set, otherwise falls back to in-memory.
+ */
+export function createRateLimiter(config) {
+    if (process.env.UPSTASH_REDIS_REST_URL && process.env.UPSTASH_REDIS_REST_TOKEN) {
+        try {
+            return createUpstashRateLimiter(config);
+        }
+        catch {
+            // Fallback to in-memory if Upstash init fails
+        }
+    }
+    return createInMemoryRateLimiter(config);
+}
+//# sourceMappingURL=rate-limit.js.map

package/dist/security/rate-limit.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"rate-limit.js","sourceRoot":"","sources":["../../src/security/rate-limit.ts"],"names":[],"mappings":"AAiBA,4FAA4F;AAC5F,MAAM,UAAU,yBAAyB,CAAC,MAAuB;IAC/D,MAAM,OAAO,GAAG,IAAI,GAAG,EAA8C,CAAC;IAEtE,OAAO;QACL,KAAK,CAAC,KAAK,CAAC,GAAW;YACrB,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;YACvB,MAAM,KAAK,GAAG,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;YAE/B,IAAI,CAAC,KAAK,IAAI,GAAG,GAAG,KAAK,CAAC,OAAO,EAAE,CAAC;gBAClC,MAAM,OAAO,GAAG,GAAG,GAAG,MAAM,CAAC,QAAQ,CAAC;gBACtC,OAAO,CAAC,GAAG,CAAC,GAAG,EAAE,EAAE,KAAK,EAAE,CAAC,EAAE,OAAO,EAAE,CAAC,CAAC;gBACxC,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,SAAS,EAAE,MAAM,CAAC,WAAW,GAAG,CAAC,EAAE,OAAO,EAAE,IAAI,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC;YAC1F,CAAC;YAED,KAAK,CAAC,KAAK,EAAE,CAAC;YACd,MAAM,OAAO,GAAG,KAAK,CAAC,KAAK,IAAI,MAAM,CAAC,WAAW,CAAC;YAClD,OAAO;gBACL,OAAO;gBACP,SAAS,EAAE,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,MAAM,CAAC,WAAW,GAAG,KAAK,CAAC,KAAK,CAAC;gBACxD,OAAO,EAAE,IAAI,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC;gBAChC,UAAU,EAAE,OAAO,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,KAAK,CAAC,OAAO,GAAG,GAAG,CAAC,GAAG,IAAI,CAAC;aAC1E,CAAC;QACJ,CAAC;QAED,KAAK,CAAC,KAAK,CAAC,GAAW;YACrB,OAAO,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;QACtB,CAAC;KACF,CAAC;AACJ,CAAC;AAED,iFAAiF;AACjF,MAAM,UAAU,wBAAwB,CAAC,MAAuB;IAC9D,MAAM,GAAG,GAAG,OAAO,CAAC,GAAG,CAAC,sBAAsB,CAAC;IAC/C,MAAM,KAAK,GAAG,OAAO,CAAC,GAAG,CAAC,wBAAwB,CAAC;IAEnD,IAAI,CAAC,GAAG,IAAI,CAAC,KAAK,EAAE,CAAC;QACnB,MAAM,IAAI,KAAK,CAAC,kEAAkE,CAAC,CAAC;IACtF,CAAC;IAED,KAAK,UAAU,YAAY,CAAC,OAAiB;QAC3C,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,GAAG,GAAG,EAAE,EAAE;YACrC,MAAM,EAAE,MAAM;YACd,OAAO,EAAE;gBACP,aAAa,EAAE,UAAU,KAAK,EAAE;gBAChC,cAAc,EAAE,kBAAkB;aACnC;YACD,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC;SAC9B,CAAC,CAAC;QACH,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;QACnC,OAAO,IAAI,EAAE,MAAM,CAAC;IACtB,CAAC;IAED,MAAM,SAAS,GAAG,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,QAAQ,GAAG,IAAI,CAAC,CAAC;IAEpD,OAAO;QACL,KAAK,CAAC,KAAK,CAAC,GAAW;YACrB,MAAM,QAAQ,GAAG,aAAa,GAAG,EAAE,CAAC;YAEpC,MAAM,KAAK,GAAG,MAAM,YAAY,CAAC,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC,CAAC;YAErD,IAAI,KAAK,KAAK,CAAC,EAAE,CAAC;gBAChB,MAAM,YAAY,CAAC,CAAC,QAAQ,EAAE,QAAQ,EAAE,MAAM,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC;YAC9D,CAAC;YAED,MAAM,GAAG,GAAG,MAAM,YAAY,CAAC,CAAC,KAAK,EAAE,QAAQ,CAAC,CAAC,CAAC;YAClD,MAAM,OAAO,GAAG,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,CAAC,GAAG,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,GAAG,IAAI,CAAC,CAAC,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC;YAChF,MAAM,OAAO,GAAG,KAAK,IAAI,MAAM,CAAC,WAAW,CAAC;YAE5C,OAAO;gBACL,OAAO;gBACP,SAAS,EAAE,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,MAAM,CAAC,WAAW,GAAG,KAAK,CAAC;gBAClD,OAAO;gBACP,UAAU,EAAE,OAAO,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,GAAG,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,QAAQ,GAAG,IAAI,CAAC;aACpF,CAAC;QACJ,CAAC;QAED,KAAK,CAAC,KAAK,CAAC,GAAW;YACrB,MAAM,YAAY,CAAC,CAAC,KAAK,EAAE,aAAa,GAAG,EAAE,CAAC,CAAC,CAAC;QAClD,CAAC;KACF,CAAC;AACJ,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,iBAAiB,CAAC,MAAuB;IACvD,IAAI,OAAO,CAAC,GAAG,CAAC,sBAAsB,IAAI,OAAO,CAAC,GAAG,CAAC,wBAAwB,EAAE,CAAC;QAC/E,IAAI,CAAC;YACH,OAAO,wBAAwB,CAAC,MAAM,CAAC,CAAC;QAC1C,CAAC;QAAC,MAAM,CAAC;YACP,8CAA8C;QAChD,CAAC;IACH,CAAC;IACD,OAAO,yBAAyB,CAAC,MAAM,CAAC,CAAC;AAC3C,CAAC"}

package/dist/security/reauth.d.ts

@@ -0,0 +1,15 @@
+export interface ReauthConfig {
+    maxAgeSeconds: number;
+    requiredForActions: string[];
+}
+export interface ReauthContext {
+    lastAuthAt: Date;
+    action: string;
+}
+/** Check whether a sensitive action requires re-authentication. */
+export declare function requiresReauth(context: ReauthContext, config: ReauthConfig): boolean;
+/** Verify re-authentication credentials (password). */
+export declare function verifyReauth(userId: string, credential: string, method: "password" | "totp", db?: any): Promise<boolean>;
+/** Default configuration for sensitive actions requiring re-auth. */
+export declare const DEFAULT_REAUTH_CONFIG: ReauthConfig;
+//# sourceMappingURL=reauth.d.ts.map

package/dist/security/reauth.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"reauth.d.ts","sourceRoot":"","sources":["../../src/security/reauth.ts"],"names":[],"mappings":"AAEA,MAAM,WAAW,YAAY;IAC3B,aAAa,EAAE,MAAM,CAAC;IACtB,kBAAkB,EAAE,MAAM,EAAE,CAAC;CAC9B;AAED,MAAM,WAAW,aAAa;IAC5B,UAAU,EAAE,IAAI,CAAC;IACjB,MAAM,EAAE,MAAM,CAAC;CAChB;AAED,mEAAmE;AACnE,wBAAgB,cAAc,CAC5B,OAAO,EAAE,aAAa,EACtB,MAAM,EAAE,YAAY,GACnB,OAAO,CAIT;AAED,uDAAuD;AACvD,wBAAsB,YAAY,CAChC,MAAM,EAAE,MAAM,EACd,UAAU,EAAE,MAAM,EAClB,MAAM,EAAE,UAAU,GAAG,MAAM,EAC3B,EAAE,CAAC,EAAE,GAAG,GACP,OAAO,CAAC,OAAO,CAAC,CAoBlB;AAED,qEAAqE;AACrE,eAAO,MAAM,qBAAqB,EAAE,YASnC,CAAC"}

package/dist/security/reauth.js

@@ -0,0 +1,38 @@
+import { verifyPassword } from '../auth/password';
+/** Check whether a sensitive action requires re-authentication. */
+export function requiresReauth(context, config) {
+    if (!config.requiredForActions.includes(context.action))
+        return false;
+    const elapsed = (Date.now() - context.lastAuthAt.getTime()) / 1000;
+    return elapsed > config.maxAgeSeconds;
+}
+/** Verify re-authentication credentials (password). */
+export async function verifyReauth(userId, credential, method, db) {
+    if (method === 'totp') {
+        return false;
+    }
+    if (!db) {
+        const { getDB } = await import('../db');
+        db = getDB();
+    }
+    const user = await db.user.findUnique({
+        where: { id: userId },
+        select: { passwordHash: true, isActive: true },
+    });
+    if (!user || !user.isActive || !user.passwordHash) {
+        return false;
+    }
+    return verifyPassword(credential, user.passwordHash);
+}
+/** Default configuration for sensitive actions requiring re-auth. */
+export const DEFAULT_REAUTH_CONFIG = {
+    maxAgeSeconds: 300,
+    requiredForActions: [
+        'delete_user',
+        'change_user_role',
+        'change_settings',
+        'export_data',
+        'reset_password_other',
+    ],
+};
+//# sourceMappingURL=reauth.js.map

package/dist/security/reauth.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"reauth.js","sourceRoot":"","sources":["../../src/security/reauth.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,cAAc,EAAE,MAAM,kBAAkB,CAAC;AAYlD,mEAAmE;AACnE,MAAM,UAAU,cAAc,CAC5B,OAAsB,EACtB,MAAoB;IAEpB,IAAI,CAAC,MAAM,CAAC,kBAAkB,CAAC,QAAQ,CAAC,OAAO,CAAC,MAAM,CAAC;QAAE,OAAO,KAAK,CAAC;IACtE,MAAM,OAAO,GAAG,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,OAAO,CAAC,UAAU,CAAC,OAAO,EAAE,CAAC,GAAG,IAAI,CAAC;IACnE,OAAO,OAAO,GAAG,MAAM,CAAC,aAAa,CAAC;AACxC,CAAC;AAED,uDAAuD;AACvD,MAAM,CAAC,KAAK,UAAU,YAAY,CAChC,MAAc,EACd,UAAkB,EAClB,MAA2B,EAC3B,EAAQ;IAER,IAAI,MAAM,KAAK,MAAM,EAAE,CAAC;QACtB,OAAO,KAAK,CAAC;IACf,CAAC;IAED,IAAI,CAAC,EAAE,EAAE,CAAC;QACR,MAAM,EAAE,KAAK,EAAE,GAAG,MAAM,MAAM,CAAC,OAAO,CAAC,CAAC;QACxC,EAAE,GAAG,KAAK,EAAE,CAAC;IACf,CAAC;IAED,MAAM,IAAI,GAAG,MAAM,EAAE,CAAC,IAAI,CAAC,UAAU,CAAC;QACpC,KAAK,EAAE,EAAE,EAAE,EAAE,MAAM,EAAE;QACrB,MAAM,EAAE,EAAE,YAAY,EAAE,IAAI,EAAE,QAAQ,EAAE,IAAI,EAAE;KAC/C,CAAC,CAAC;IAEH,IAAI,CAAC,IAAI,IAAI,CAAC,IAAI,CAAC,QAAQ,IAAI,CAAC,IAAI,CAAC,YAAY,EAAE,CAAC;QAClD,OAAO,KAAK,CAAC;IACf,CAAC;IAED,OAAO,cAAc,CAAC,UAAU,EAAE,IAAI,CAAC,YAAY,CAAC,CAAC;AACvD,CAAC;AAED,qEAAqE;AACrE,MAAM,CAAC,MAAM,qBAAqB,GAAiB;IACjD,aAAa,EAAE,GAAG;IAClB,kBAAkB,EAAE;QAClB,aAAa;QACb,kBAAkB;QAClB,iBAAiB;QACjB,aAAa;QACb,sBAAsB;KACvB;CACF,CAAC"}

package/dist/security/sanitize.d.ts

@@ -0,0 +1,13 @@
+export interface SanitizeOptions {
+    allowedTags?: string[];
+    allowedAttributes?: Record<string, string[]>;
+    stripAll?: boolean;
+}
+declare const DEFAULT_ALLOWED_TAGS: string[];
+declare const DEFAULT_ALLOWED_ATTRS: Record<string, string[]>;
+/** Sanitize HTML content using DOMPurify. Strips dangerous tags/attributes while preserving safe content. */
+export declare function sanitizeHtml(html: string, options?: SanitizeOptions): string;
+/** Strip all HTML tags, returning plain text. */
+export declare function stripHtml(html: string): string;
+export { DEFAULT_ALLOWED_TAGS, DEFAULT_ALLOWED_ATTRS };
+//# sourceMappingURL=sanitize.d.ts.map

package/dist/security/sanitize.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"sanitize.d.ts","sourceRoot":"","sources":["../../src/security/sanitize.ts"],"names":[],"mappings":"AAEA,MAAM,WAAW,eAAe;IAC9B,WAAW,CAAC,EAAE,MAAM,EAAE,CAAC;IACvB,iBAAiB,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,EAAE,CAAC,CAAC;IAC7C,QAAQ,CAAC,EAAE,OAAO,CAAC;CACpB;AAED,QAAA,MAAM,oBAAoB,UAKzB,CAAC;AAEF,QAAA,MAAM,qBAAqB,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,EAAE,CAKnD,CAAC;AAEF,6GAA6G;AAC7G,wBAAgB,YAAY,CAC1B,IAAI,EAAE,MAAM,EACZ,OAAO,CAAC,EAAE,eAAe,GACxB,MAAM,CAgBR;AAED,iDAAiD;AACjD,wBAAgB,SAAS,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM,CAE9C;AAED,OAAO,EAAE,oBAAoB,EAAE,qBAAqB,EAAE,CAAC"}

package/dist/security/sanitize.js

@@ -0,0 +1,34 @@
+import DOMPurify from 'isomorphic-dompurify';
+const DEFAULT_ALLOWED_TAGS = [
+    "p", "br", "b", "i", "em", "strong", "a", "ul", "ol", "li",
+    "h1", "h2", "h3", "h4", "h5", "h6", "blockquote", "code", "pre",
+    "img", "figure", "figcaption", "table", "thead", "tbody", "tr", "th", "td",
+    "span", "div", "hr", "sub", "sup", "s", "u", "mark",
+];
+const DEFAULT_ALLOWED_ATTRS = {
+    a: ["href", "title", "target", "rel"],
+    img: ["src", "alt", "title", "width", "height", "loading"],
+    td: ["colspan", "rowspan"],
+    th: ["colspan", "rowspan", "scope"],
+};
+/** Sanitize HTML content using DOMPurify. Strips dangerous tags/attributes while preserving safe content. */
+export function sanitizeHtml(html, options) {
+    if (options?.stripAll) {
+        return DOMPurify.sanitize(html, { ALLOWED_TAGS: [], ALLOWED_ATTR: [] });
+    }
+    const tags = options?.allowedTags ?? DEFAULT_ALLOWED_TAGS;
+    const attrConfig = options?.allowedAttributes ?? DEFAULT_ALLOWED_ATTRS;
+    const allAttrs = [...new Set(Object.values(attrConfig).flat())];
+    return DOMPurify.sanitize(html, {
+        ALLOWED_TAGS: tags,
+        ALLOWED_ATTR: allAttrs,
+        ALLOW_DATA_ATTR: false,
+        ADD_ATTR: ['target'],
+    });
+}
+/** Strip all HTML tags, returning plain text. */
+export function stripHtml(html) {
+    return DOMPurify.sanitize(html, { ALLOWED_TAGS: [], ALLOWED_ATTR: [] }).trim();
+}
+export { DEFAULT_ALLOWED_TAGS, DEFAULT_ALLOWED_ATTRS };
+//# sourceMappingURL=sanitize.js.map

package/dist/security/sanitize.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"sanitize.js","sourceRoot":"","sources":["../../src/security/sanitize.ts"],"names":[],"mappings":"AAAA,OAAO,SAAS,MAAM,sBAAsB,CAAC;AAQ7C,MAAM,oBAAoB,GAAG;IAC3B,GAAG,EAAE,IAAI,EAAE,GAAG,EAAE,GAAG,EAAE,IAAI,EAAE,QAAQ,EAAE,GAAG,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI;IAC1D,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,YAAY,EAAE,MAAM,EAAE,KAAK;IAC/D,KAAK,EAAE,QAAQ,EAAE,YAAY,EAAE,OAAO,EAAE,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI;IAC1E,MAAM,EAAE,KAAK,EAAE,IAAI,EAAE,KAAK,EAAE,KAAK,EAAE,GAAG,EAAE,GAAG,EAAE,MAAM;CACpD,CAAC;AAEF,MAAM,qBAAqB,GAA6B;IACtD,CAAC,EAAE,CAAC,MAAM,EAAE,OAAO,EAAE,QAAQ,EAAE,KAAK,CAAC;IACrC,GAAG,EAAE,CAAC,KAAK,EAAE,KAAK,EAAE,OAAO,EAAE,OAAO,EAAE,QAAQ,EAAE,SAAS,CAAC;IAC1D,EAAE,EAAE,CAAC,SAAS,EAAE,SAAS,CAAC;IAC1B,EAAE,EAAE,CAAC,SAAS,EAAE,SAAS,EAAE,OAAO,CAAC;CACpC,CAAC;AAEF,6GAA6G;AAC7G,MAAM,UAAU,YAAY,CAC1B,IAAY,EACZ,OAAyB;IAEzB,IAAI,OAAO,EAAE,QAAQ,EAAE,CAAC;QACtB,OAAO,SAAS,CAAC,QAAQ,CAAC,IAAI,EAAE,EAAE,YAAY,EAAE,EAAE,EAAE,YAAY,EAAE,EAAE,EAAE,CAAC,CAAC;IAC1E,CAAC;IAED,MAAM,IAAI,GAAG,OAAO,EAAE,WAAW,IAAI,oBAAoB,CAAC;IAE1D,MAAM,UAAU,GAAG,OAAO,EAAE,iBAAiB,IAAI,qBAAqB,CAAC;IACvE,MAAM,QAAQ,GAAG,CAAC,GAAG,IAAI,GAAG,CAAC,MAAM,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC;IAEhE,OAAO,SAAS,CAAC,QAAQ,CAAC,IAAI,EAAE;QAC9B,YAAY,EAAE,IAAI;QAClB,YAAY,EAAE,QAAQ;QACtB,eAAe,EAAE,KAAK;QACtB,QAAQ,EAAE,CAAC,QAAQ,CAAC;KACrB,CAAC,CAAC;AACL,CAAC;AAED,iDAAiD;AACjD,MAAM,UAAU,SAAS,CAAC,IAAY;IACpC,OAAO,SAAS,CAAC,QAAQ,CAAC,IAAI,EAAE,EAAE,YAAY,EAAE,EAAE,EAAE,YAAY,EAAE,EAAE,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC;AACjF,CAAC;AAED,OAAO,EAAE,oBAAoB,EAAE,qBAAqB,EAAE,CAAC"}

package/dist/security/security-txt.d.ts

@@ -0,0 +1,12 @@
+export interface SecurityTxtConfig {
+    contact: string;
+    expires: Date;
+    encryption?: string;
+    acknowledgments?: string;
+    preferredLanguages?: string[];
+    canonical?: string;
+    policy?: string;
+}
+/** Generate a security.txt file contents per RFC 9116. */
+export declare function generateSecurityTxt(config: SecurityTxtConfig): string;
+//# sourceMappingURL=security-txt.d.ts.map

package/dist/security/security-txt.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"security-txt.d.ts","sourceRoot":"","sources":["../../src/security/security-txt.ts"],"names":[],"mappings":"AAAA,MAAM,WAAW,iBAAiB;IAChC,OAAO,EAAE,MAAM,CAAC;IAChB,OAAO,EAAE,IAAI,CAAC;IACd,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,kBAAkB,CAAC,EAAE,MAAM,EAAE,CAAC;IAC9B,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAED,0DAA0D;AAC1D,wBAAgB,mBAAmB,CAAC,MAAM,EAAE,iBAAiB,GAAG,MAAM,CAerE"}

package/dist/security/security-txt.js

@@ -0,0 +1,19 @@
+/** Generate a security.txt file contents per RFC 9116. */
+export function generateSecurityTxt(config) {
+    const lines = [];
+    lines.push(`Contact: ${config.contact}`);
+    lines.push(`Expires: ${config.expires.toISOString()}`);
+    if (config.encryption)
+        lines.push(`Encryption: ${config.encryption}`);
+    if (config.acknowledgments)
+        lines.push(`Acknowledgments: ${config.acknowledgments}`);
+    if (config.preferredLanguages?.length) {
+        lines.push(`Preferred-Languages: ${config.preferredLanguages.join(", ")}`);
+    }
+    if (config.canonical)
+        lines.push(`Canonical: ${config.canonical}`);
+    if (config.policy)
+        lines.push(`Policy: ${config.policy}`);
+    return lines.join("\n") + "\n";
+}
+//# sourceMappingURL=security-txt.js.map

package/dist/security/security-txt.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"security-txt.js","sourceRoot":"","sources":["../../src/security/security-txt.ts"],"names":[],"mappings":"AAUA,0DAA0D;AAC1D,MAAM,UAAU,mBAAmB,CAAC,MAAyB;IAC3D,MAAM,KAAK,GAAa,EAAE,CAAC;IAE3B,KAAK,CAAC,IAAI,CAAC,YAAY,MAAM,CAAC,OAAO,EAAE,CAAC,CAAC;IACzC,KAAK,CAAC,IAAI,CAAC,YAAY,MAAM,CAAC,OAAO,CAAC,WAAW,EAAE,EAAE,CAAC,CAAC;IAEvD,IAAI,MAAM,CAAC,UAAU;QAAE,KAAK,CAAC,IAAI,CAAC,eAAe,MAAM,CAAC,UAAU,EAAE,CAAC,CAAC;IACtE,IAAI,MAAM,CAAC,eAAe;QAAE,KAAK,CAAC,IAAI,CAAC,oBAAoB,MAAM,CAAC,eAAe,EAAE,CAAC,CAAC;IACrF,IAAI,MAAM,CAAC,kBAAkB,EAAE,MAAM,EAAE,CAAC;QACtC,KAAK,CAAC,IAAI,CAAC,wBAAwB,MAAM,CAAC,kBAAkB,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IAC7E,CAAC;IACD,IAAI,MAAM,CAAC,SAAS;QAAE,KAAK,CAAC,IAAI,CAAC,cAAc,MAAM,CAAC,SAAS,EAAE,CAAC,CAAC;IACnE,IAAI,MAAM,CAAC,MAAM;QAAE,KAAK,CAAC,IAAI,CAAC,WAAW,MAAM,CAAC,MAAM,EAAE,CAAC,CAAC;IAE1D,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC;AACjC,CAAC"}

package/dist/security/session-limits.d.ts

@@ -0,0 +1,17 @@
+export interface SessionInfo {
+    sessionId: string;
+    userId: string;
+    createdAt: Date;
+    ipAddress?: string;
+    userAgent?: string;
+}
+export interface SessionLimitConfig {
+    maxConcurrentSessions: number;
+    strategy: "deny_new" | "revoke_oldest";
+}
+/** Enforce concurrent session limits, returning sessions to revoke if any. */
+export declare function enforceSessionLimits(activeSessions: SessionInfo[], config: SessionLimitConfig): {
+    allowed: boolean;
+    sessionsToRevoke: string[];
+};
+//# sourceMappingURL=session-limits.d.ts.map

package/dist/security/session-limits.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"session-limits.d.ts","sourceRoot":"","sources":["../../src/security/session-limits.ts"],"names":[],"mappings":"AAAA,MAAM,WAAW,WAAW;IAC1B,SAAS,EAAE,MAAM,CAAC;IAClB,MAAM,EAAE,MAAM,CAAC;IACf,SAAS,EAAE,IAAI,CAAC;IAChB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB;AAED,MAAM,WAAW,kBAAkB;IACjC,qBAAqB,EAAE,MAAM,CAAC;IAC9B,QAAQ,EAAE,UAAU,GAAG,eAAe,CAAC;CACxC;AAED,8EAA8E;AAC9E,wBAAgB,oBAAoB,CAClC,cAAc,EAAE,WAAW,EAAE,EAC7B,MAAM,EAAE,kBAAkB,GACzB;IAAE,OAAO,EAAE,OAAO,CAAC;IAAC,gBAAgB,EAAE,MAAM,EAAE,CAAA;CAAE,CAgBlD"}

package/dist/security/session-limits.js

@@ -0,0 +1,14 @@
+/** Enforce concurrent session limits, returning sessions to revoke if any. */
+export function enforceSessionLimits(activeSessions, config) {
+    if (activeSessions.length < config.maxConcurrentSessions) {
+        return { allowed: true, sessionsToRevoke: [] };
+    }
+    if (config.strategy === "deny_new") {
+        return { allowed: false, sessionsToRevoke: [] };
+    }
+    const sorted = [...activeSessions].sort((a, b) => a.createdAt.getTime() - b.createdAt.getTime());
+    const excess = sorted.length - config.maxConcurrentSessions + 1;
+    const toRevoke = sorted.slice(0, excess).map((s) => s.sessionId);
+    return { allowed: true, sessionsToRevoke: toRevoke };
+}
+//# sourceMappingURL=session-limits.js.map

package/dist/security/session-limits.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"session-limits.js","sourceRoot":"","sources":["../../src/security/session-limits.ts"],"names":[],"mappings":"AAaA,8EAA8E;AAC9E,MAAM,UAAU,oBAAoB,CAClC,cAA6B,EAC7B,MAA0B;IAE1B,IAAI,cAAc,CAAC,MAAM,GAAG,MAAM,CAAC,qBAAqB,EAAE,CAAC;QACzD,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,gBAAgB,EAAE,EAAE,EAAE,CAAC;IACjD,CAAC;IAED,IAAI,MAAM,CAAC,QAAQ,KAAK,UAAU,EAAE,CAAC;QACnC,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,gBAAgB,EAAE,EAAE,EAAE,CAAC;IAClD,CAAC;IAED,MAAM,MAAM,GAAG,CAAC,GAAG,cAAc,CAAC,CAAC,IAAI,CACrC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,SAAS,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC,SAAS,CAAC,OAAO,EAAE,CACxD,CAAC;IACF,MAAM,MAAM,GAAG,MAAM,CAAC,MAAM,GAAG,MAAM,CAAC,qBAAqB,GAAG,CAAC,CAAC;IAChE,MAAM,QAAQ,GAAG,MAAM,CAAC,KAAK,CAAC,CAAC,EAAE,MAAM,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC;IAEjE,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,gBAAgB,EAAE,QAAQ,EAAE,CAAC;AACvD,CAAC"}

package/dist/security/upload.d.ts

@@ -0,0 +1,13 @@
+export interface FileValidationResult {
+    valid: boolean;
+    error?: string;
+    detectedMimeType?: string;
+}
+declare const ALLOWED_IMAGE_TYPES: Set<string>;
+declare const ALLOWED_DOCUMENT_TYPES: Set<string>;
+/** Validate a file's MIME type against an allowlist. */
+export declare function validateMimeType(mimeType: string, allowedTypes?: Set<string>): FileValidationResult;
+/** Check a file's magic bytes to detect its true MIME type. */
+export declare function checkMagicBytes(buffer: Uint8Array): string | undefined;
+export { ALLOWED_IMAGE_TYPES, ALLOWED_DOCUMENT_TYPES };
+//# sourceMappingURL=upload.d.ts.map

package/dist/security/upload.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"upload.d.ts","sourceRoot":"","sources":["../../src/security/upload.ts"],"names":[],"mappings":"AAAA,MAAM,WAAW,oBAAoB;IACnC,KAAK,EAAE,OAAO,CAAC;IACf,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,gBAAgB,CAAC,EAAE,MAAM,CAAC;CAC3B;AAED,QAAA,MAAM,mBAAmB,aAEvB,CAAC;AAEH,QAAA,MAAM,sBAAsB,aAI1B,CAAC;AAUH,wDAAwD;AACxD,wBAAgB,gBAAgB,CAC9B,QAAQ,EAAE,MAAM,EAChB,YAAY,CAAC,EAAE,GAAG,CAAC,MAAM,CAAC,GACzB,oBAAoB,CAMtB;AAED,+DAA+D;AAC/D,wBAAgB,eAAe,CAC7B,MAAM,EAAE,UAAU,GACjB,MAAM,GAAG,SAAS,CAMpB;AAED,OAAO,EAAE,mBAAmB,EAAE,sBAAsB,EAAE,CAAC"}

package/dist/security/upload.js

@@ -0,0 +1,34 @@
+const ALLOWED_IMAGE_TYPES = new Set([
+    "image/jpeg", "image/png", "image/gif", "image/webp", "image/svg+xml", "image/avif",
+]);
+const ALLOWED_DOCUMENT_TYPES = new Set([
+    "application/pdf", "text/plain", "text/csv",
+    "application/vnd.openxmlformats-officedocument.wordprocessingml.document",
+    "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet",
+]);
+const MAGIC_BYTES = [
+    { mime: "image/jpeg", bytes: [0xFF, 0xD8, 0xFF] },
+    { mime: "image/png", bytes: [0x89, 0x50, 0x4E, 0x47] },
+    { mime: "image/gif", bytes: [0x47, 0x49, 0x46] },
+    { mime: "image/webp", bytes: [0x52, 0x49, 0x46, 0x46] },
+    { mime: "application/pdf", bytes: [0x25, 0x50, 0x44, 0x46] },
+];
+/** Validate a file's MIME type against an allowlist. */
+export function validateMimeType(mimeType, allowedTypes) {
+    const allowed = allowedTypes ?? new Set([...ALLOWED_IMAGE_TYPES, ...ALLOWED_DOCUMENT_TYPES]);
+    if (!allowed.has(mimeType)) {
+        return { valid: false, error: `MIME type "${mimeType}" is not allowed` };
+    }
+    return { valid: true };
+}
+/** Check a file's magic bytes to detect its true MIME type. */
+export function checkMagicBytes(buffer) {
+    for (const entry of MAGIC_BYTES) {
+        const matches = entry.bytes.every((byte, i) => buffer[i] === byte);
+        if (matches)
+            return entry.mime;
+    }
+    return undefined;
+}
+export { ALLOWED_IMAGE_TYPES, ALLOWED_DOCUMENT_TYPES };
+//# sourceMappingURL=upload.js.map

package/dist/security/upload.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"upload.js","sourceRoot":"","sources":["../../src/security/upload.ts"],"names":[],"mappings":"AAMA,MAAM,mBAAmB,GAAG,IAAI,GAAG,CAAC;IAClC,YAAY,EAAE,WAAW,EAAE,WAAW,EAAE,YAAY,EAAE,eAAe,EAAE,YAAY;CACpF,CAAC,CAAC;AAEH,MAAM,sBAAsB,GAAG,IAAI,GAAG,CAAC;IACrC,iBAAiB,EAAE,YAAY,EAAE,UAAU;IAC3C,yEAAyE;IACzE,mEAAmE;CACpE,CAAC,CAAC;AAEH,MAAM,WAAW,GAA6C;IAC5D,EAAE,IAAI,EAAE,YAAY,EAAE,KAAK,EAAE,CAAC,IAAI,EAAE,IAAI,EAAE,IAAI,CAAC,EAAE;IACjD,EAAE,IAAI,EAAE,WAAW,EAAE,KAAK,EAAE,CAAC,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,CAAC,EAAE;IACtD,EAAE,IAAI,EAAE,WAAW,EAAE,KAAK,EAAE,CAAC,IAAI,EAAE,IAAI,EAAE,IAAI,CAAC,EAAE;IAChD,EAAE,IAAI,EAAE,YAAY,EAAE,KAAK,EAAE,CAAC,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,CAAC,EAAE;IACvD,EAAE,IAAI,EAAE,iBAAiB,EAAE,KAAK,EAAE,CAAC,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,CAAC,EAAE;CAC7D,CAAC;AAEF,wDAAwD;AACxD,MAAM,UAAU,gBAAgB,CAC9B,QAAgB,EAChB,YAA0B;IAE1B,MAAM,OAAO,GAAG,YAAY,IAAI,IAAI,GAAG,CAAC,CAAC,GAAG,mBAAmB,EAAE,GAAG,sBAAsB,CAAC,CAAC,CAAC;IAC7F,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAC,EAAE,CAAC;QAC3B,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,cAAc,QAAQ,kBAAkB,EAAE,CAAC;IAC3E,CAAC;IACD,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC;AACzB,CAAC;AAED,+DAA+D;AAC/D,MAAM,UAAU,eAAe,CAC7B,MAAkB;IAElB,KAAK,MAAM,KAAK,IAAI,WAAW,EAAE,CAAC;QAChC,MAAM,OAAO,GAAG,KAAK,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,IAAI,EAAE,CAAC,EAAE,EAAE,CAAC,MAAM,CAAC,CAAC,CAAC,KAAK,IAAI,CAAC,CAAC;QACnE,IAAI,OAAO;YAAE,OAAO,KAAK,CAAC,IAAI,CAAC;IACjC,CAAC;IACD,OAAO,SAAS,CAAC;AACnB,CAAC;AAED,OAAO,EAAE,mBAAmB,EAAE,sBAAsB,EAAE,CAAC"}

package/dist/security/webhook.d.ts

@@ -0,0 +1,12 @@
+/** Validate that a webhook URL does not target private/internal networks (SSRF prevention). */
+export declare function validateWebhookUrl(url: string): {
+    valid: boolean;
+    error?: string;
+};
+/** Resolve a hostname and verify the resulting IP isn't in a private range. */
+export declare function resolveAndCheck(_hostname: string): Promise<{
+    safe: boolean;
+    resolvedIp?: string;
+    error?: string;
+}>;
+//# sourceMappingURL=webhook.d.ts.map

package/dist/security/webhook.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"webhook.d.ts","sourceRoot":"","sources":["../../src/security/webhook.ts"],"names":[],"mappings":"AAYA,+FAA+F;AAC/F,wBAAgB,kBAAkB,CAAC,GAAG,EAAE,MAAM,GAAG;IAAE,KAAK,EAAE,OAAO,CAAC;IAAC,KAAK,CAAC,EAAE,MAAM,CAAA;CAAE,CAsBlF;AAED,+EAA+E;AAC/E,wBAAsB,eAAe,CACnC,SAAS,EAAE,MAAM,GAChB,OAAO,CAAC;IAAE,IAAI,EAAE,OAAO,CAAC;IAAC,UAAU,CAAC,EAAE,MAAM,CAAC;IAAC,KAAK,CAAC,EAAE,MAAM,CAAA;CAAE,CAAC,CAGjE"}

package/dist/security/webhook.js

@@ -0,0 +1,38 @@
+const PRIVATE_RANGES = [
+    /^10\./,
+    /^172\.(1[6-9]|2\d|3[01])\./,
+    /^192\.168\./,
+    /^127\./,
+    /^0\./,
+    /^169\.254\./,
+    /^::1$/,
+    /^fc00:/i,
+    /^fe80:/i,
+];
+/** Validate that a webhook URL does not target private/internal networks (SSRF prevention). */
+export function validateWebhookUrl(url) {
+    try {
+        const parsed = new URL(url);
+        if (!["https:", "http:"].includes(parsed.protocol)) {
+            return { valid: false, error: "Only HTTP(S) protocols are allowed" };
+        }
+        if (parsed.hostname === "localhost" || parsed.hostname === "0.0.0.0") {
+            return { valid: false, error: "Localhost URLs are not allowed" };
+        }
+        for (const range of PRIVATE_RANGES) {
+            if (range.test(parsed.hostname)) {
+                return { valid: false, error: "Private/internal IP addresses are not allowed" };
+            }
+        }
+        return { valid: true };
+    }
+    catch {
+        return { valid: false, error: "Invalid URL" };
+    }
+}
+/** Resolve a hostname and verify the resulting IP isn't in a private range. */
+export async function resolveAndCheck(_hostname) {
+    // TODO: DNS resolution + private range check
+    throw new Error("Not implemented");
+}
+//# sourceMappingURL=webhook.js.map

package/dist/security/webhook.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"webhook.js","sourceRoot":"","sources":["../../src/security/webhook.ts"],"names":[],"mappings":"AAAA,MAAM,cAAc,GAAG;IACrB,OAAO;IACP,4BAA4B;IAC5B,aAAa;IACb,QAAQ;IACR,MAAM;IACN,aAAa;IACb,OAAO;IACP,SAAS;IACT,SAAS;CACV,CAAC;AAEF,+FAA+F;AAC/F,MAAM,UAAU,kBAAkB,CAAC,GAAW;IAC5C,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,CAAC;QAE5B,IAAI,CAAC,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,QAAQ,CAAC,EAAE,CAAC;YACnD,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,oCAAoC,EAAE,CAAC;QACvE,CAAC;QAED,IAAI,MAAM,CAAC,QAAQ,KAAK,WAAW,IAAI,MAAM,CAAC,QAAQ,KAAK,SAAS,EAAE,CAAC;YACrE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,gCAAgC,EAAE,CAAC;QACnE,CAAC;QAED,KAAK,MAAM,KAAK,IAAI,cAAc,EAAE,CAAC;YACnC,IAAI,KAAK,CAAC,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,EAAE,CAAC;gBAChC,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,+CAA+C,EAAE,CAAC;YAClF,CAAC;QACH,CAAC;QAED,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC;IACzB,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,aAAa,EAAE,CAAC;IAChD,CAAC;AACH,CAAC;AAED,+EAA+E;AAC/E,MAAM,CAAC,KAAK,UAAU,eAAe,CACnC,SAAiB;IAEjB,6CAA6C;IAC7C,MAAM,IAAI,KAAK,CAAC,iBAAiB,CAAC,CAAC;AACrC,CAAC"}

package/dist/seo/analysis.d.ts

@@ -0,0 +1,66 @@
+export interface SEOAnalysisResult {
+    score: number;
+    checks: SEOCheck[];
+}
+export interface SEOCheck {
+    id: string;
+    category: 'keyphrase' | 'readability' | 'seo' | 'social';
+    title: string;
+    status: 'good' | 'improvement' | 'problem';
+    description: string;
+}
+export interface AnalysisInput {
+    title: string;
+    slug: string;
+    content: string;
+    metaTitle?: string;
+    metaDescription?: string;
+    focusKeyphrase?: string;
+    canonical?: string;
+    ogTitle?: string;
+    ogDescription?: string;
+    ogImage?: string;
+    isCornerstone?: boolean;
+}
+export interface ReadabilityResult {
+    fleschScore: number;
+    fleschLabel: string;
+    avgSentenceLength: number;
+    avgWordLength: number;
+    passiveVoicePercent: number;
+    wordCount: number;
+    sentenceCount: number;
+    paragraphCount: number;
+    readingTimeMinutes: number;
+}
+/** Remove all HTML tags, returning plain text. */
+export declare function stripHtmlTags(html: string): string;
+/**
+ * Estimate the syllable count of an English word.
+ *
+ * Heuristic: count vowel groups, subtract 1 for a trailing silent 'e',
+ * and clamp to a minimum of 1.
+ */
+export declare function countSyllables(word: string): number;
+/** Detect passive voice in a single sentence. */
+export declare function detectPassiveVoice(sentence: string): boolean;
+/** Split plain text into sentences. */
+export declare function splitSentences(text: string): string[];
+/** Split plain text into paragraphs (double newlines or `<p>` boundaries). */
+export declare function splitParagraphs(text: string): string[];
+/**
+ * Run a comprehensive SEO analysis on the given content and metadata.
+ *
+ * Returns a 0-100 score together with detailed per-check results across
+ * keyphrase, SEO, readability, and social categories.
+ */
+export declare function analyzeContent(input: AnalysisInput): SEOAnalysisResult;
+/**
+ * Calculate readability metrics for a block of plain text.
+ *
+ * Includes the Flesch reading ease score, average sentence/word lengths,
+ * passive voice percentage, word/sentence/paragraph counts, and estimated
+ * reading time.
+ */
+export declare function calculateReadability(text: string): ReadabilityResult;
+//# sourceMappingURL=analysis.d.ts.map

package/dist/seo/analysis.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"analysis.d.ts","sourceRoot":"","sources":["../../src/seo/analysis.ts"],"names":[],"mappings":"AAOA,MAAM,WAAW,iBAAiB;IAChC,KAAK,EAAE,MAAM,CAAA;IACb,MAAM,EAAE,QAAQ,EAAE,CAAA;CACnB;AAED,MAAM,WAAW,QAAQ;IACvB,EAAE,EAAE,MAAM,CAAA;IACV,QAAQ,EAAE,WAAW,GAAG,aAAa,GAAG,KAAK,GAAG,QAAQ,CAAA;IACxD,KAAK,EAAE,MAAM,CAAA;IACb,MAAM,EAAE,MAAM,GAAG,aAAa,GAAG,SAAS,CAAA;IAC1C,WAAW,EAAE,MAAM,CAAA;CACpB;AAED,MAAM,WAAW,aAAa;IAC5B,KAAK,EAAE,MAAM,CAAA;IACb,IAAI,EAAE,MAAM,CAAA;IACZ,OAAO,EAAE,MAAM,CAAA;IACf,SAAS,CAAC,EAAE,MAAM,CAAA;IAClB,eAAe,CAAC,EAAE,MAAM,CAAA;IACxB,cAAc,CAAC,EAAE,MAAM,CAAA;IACvB,SAAS,CAAC,EAAE,MAAM,CAAA;IAClB,OAAO,CAAC,EAAE,MAAM,CAAA;IAChB,aAAa,CAAC,EAAE,MAAM,CAAA;IACtB,OAAO,CAAC,EAAE,MAAM,CAAA;IAChB,aAAa,CAAC,EAAE,OAAO,CAAA;CACxB;AAED,MAAM,WAAW,iBAAiB;IAChC,WAAW,EAAE,MAAM,CAAA;IACnB,WAAW,EAAE,MAAM,CAAA;IACnB,iBAAiB,EAAE,MAAM,CAAA;IACzB,aAAa,EAAE,MAAM,CAAA;IACrB,mBAAmB,EAAE,MAAM,CAAA;IAC3B,SAAS,EAAE,MAAM,CAAA;IACjB,aAAa,EAAE,MAAM,CAAA;IACrB,cAAc,EAAE,MAAM,CAAA;IACtB,kBAAkB,EAAE,MAAM,CAAA;CAC3B;AA8DD,kDAAkD;AAClD,wBAAgB,aAAa,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM,CAalD;AAED;;;;;GAKG;AACH,wBAAgB,cAAc,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM,CAsBnD;AAED,iDAAiD;AACjD,wBAAgB,kBAAkB,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAQ5D;AAED,uCAAuC;AACvC,wBAAgB,cAAc,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM,EAAE,CAOrD;AAED,8EAA8E;AAC9E,wBAAgB,eAAe,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM,EAAE,CAKtD;AA0FD;;;;;GAKG;AACH,wBAAgB,cAAc,CAAC,KAAK,EAAE,aAAa,GAAG,iBAAiB,CA2YtE;AAID;;;;;;GAMG;AACH,wBAAgB,oBAAoB,CAAC,IAAI,EAAE,MAAM,GAAG,iBAAiB,CAwCpE"}