@actuate-media/cms-core 0.10.4 → 0.11.1

package/dist/security/safe-fetch.js

@@ -0,0 +1,45 @@
+import { validateWebhookUrl } from './webhook.js';
+export class SsrfBlockedError extends Error {
+    url;
+    reason;
+    constructor(url, reason) {
+        super(`SSRF blocked: ${reason} (url=${url})`);
+        this.name = 'SsrfBlockedError';
+        this.url = url;
+        this.reason = reason;
+    }
+}
+export async function safeFetch(url, options = {}) {
+    const { timeoutMs = 5000, followRedirects = false, maxRedirects = 3, ...init } = options;
+    let currentUrl = url;
+    let hops = 0;
+    while (true) {
+        const check = validateWebhookUrl(currentUrl);
+        if (!check.valid) {
+            throw new SsrfBlockedError(currentUrl, check.error ?? 'URL rejected by SSRF policy');
+        }
+        const response = await fetch(currentUrl, {
+            ...init,
+            redirect: 'manual',
+            signal: init.signal ?? AbortSignal.timeout(timeoutMs),
+        });
+        const isRedirect = response.status >= 300 && response.status < 400;
+        if (!isRedirect || !followRedirects) {
+            return response;
+        }
+        if (hops >= maxRedirects) {
+            throw new SsrfBlockedError(currentUrl, `exceeded ${maxRedirects} redirects`);
+        }
+        const location = response.headers.get('location');
+        if (!location)
+            return response;
+        try {
+            currentUrl = new URL(location, currentUrl).toString();
+        }
+        catch {
+            throw new SsrfBlockedError(location, 'invalid Location header');
+        }
+        hops += 1;
+    }
+}
+//# sourceMappingURL=safe-fetch.js.map

package/dist/security/safe-fetch.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"safe-fetch.js","sourceRoot":"","sources":["../../src/security/safe-fetch.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,kBAAkB,EAAE,MAAM,cAAc,CAAA;AA+BjD,MAAM,OAAO,gBAAiB,SAAQ,KAAK;IAChC,GAAG,CAAQ;IACX,MAAM,CAAQ;IACvB,YAAY,GAAW,EAAE,MAAc;QACrC,KAAK,CAAC,iBAAiB,MAAM,SAAS,GAAG,GAAG,CAAC,CAAA;QAC7C,IAAI,CAAC,IAAI,GAAG,kBAAkB,CAAA;QAC9B,IAAI,CAAC,GAAG,GAAG,GAAG,CAAA;QACd,IAAI,CAAC,MAAM,GAAG,MAAM,CAAA;IACtB,CAAC;CACF;AAED,MAAM,CAAC,KAAK,UAAU,SAAS,CAAC,GAAW,EAAE,UAA4B,EAAE;IACzE,MAAM,EAAE,SAAS,GAAG,IAAI,EAAE,eAAe,GAAG,KAAK,EAAE,YAAY,GAAG,CAAC,EAAE,GAAG,IAAI,EAAE,GAAG,OAAO,CAAA;IAExF,IAAI,UAAU,GAAG,GAAG,CAAA;IACpB,IAAI,IAAI,GAAG,CAAC,CAAA;IAEZ,OAAO,IAAI,EAAE,CAAC;QACZ,MAAM,KAAK,GAAG,kBAAkB,CAAC,UAAU,CAAC,CAAA;QAC5C,IAAI,CAAC,KAAK,CAAC,KAAK,EAAE,CAAC;YACjB,MAAM,IAAI,gBAAgB,CAAC,UAAU,EAAE,KAAK,CAAC,KAAK,IAAI,6BAA6B,CAAC,CAAA;QACtF,CAAC;QAED,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,UAAU,EAAE;YACvC,GAAG,IAAI;YACP,QAAQ,EAAE,QAAQ;YAClB,MAAM,EAAE,IAAI,CAAC,MAAM,IAAI,WAAW,CAAC,OAAO,CAAC,SAAS,CAAC;SACtD,CAAC,CAAA;QAEF,MAAM,UAAU,GAAG,QAAQ,CAAC,MAAM,IAAI,GAAG,IAAI,QAAQ,CAAC,MAAM,GAAG,GAAG,CAAA;QAClE,IAAI,CAAC,UAAU,IAAI,CAAC,eAAe,EAAE,CAAC;YACpC,OAAO,QAAQ,CAAA;QACjB,CAAC;QAED,IAAI,IAAI,IAAI,YAAY,EAAE,CAAC;YACzB,MAAM,IAAI,gBAAgB,CAAC,UAAU,EAAE,YAAY,YAAY,YAAY,CAAC,CAAA;QAC9E,CAAC;QAED,MAAM,QAAQ,GAAG,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,UAAU,CAAC,CAAA;QACjD,IAAI,CAAC,QAAQ;YAAE,OAAO,QAAQ,CAAA;QAE9B,IAAI,CAAC;YACH,UAAU,GAAG,IAAI,GAAG,CAAC,QAAQ,EAAE,UAAU,CAAC,CAAC,QAAQ,EAAE,CAAA;QACvD,CAAC;QAAC,MAAM,CAAC;YACP,MAAM,IAAI,gBAAgB,CAAC,QAAQ,EAAE,yBAAyB,CAAC,CAAA;QACjE,CAAC;QAED,IAAI,IAAI,CAAC,CAAA;IACX,CAAC;AACH,CAAC"}

package/dist/security/sanitize.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"sanitize.d.ts","sourceRoot":"","sources":["../../src/security/sanitize.ts"],"names":[],"mappings":"AAEA,MAAM,WAAW,eAAe;IAC9B,WAAW,CAAC,EAAE,MAAM,EAAE,CAAC;IACvB,iBAAiB,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,EAAE,CAAC,CAAC;IAC7C,QAAQ,CAAC,EAAE,OAAO,CAAC;CACpB;AAED,QAAA,MAAM,oBAAoB,UAKzB,CAAC;AAEF,QAAA,MAAM,qBAAqB,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,EAAE,CAKnD,CAAC;AAEF,6FAA6F;AAC7F,wBAAgB,YAAY,CAC1B,IAAI,EAAE,MAAM,EACZ,OAAO,CAAC,EAAE,eAAe,GACxB,MAAM,CAaR;AAED,iDAAiD;AACjD,wBAAgB,SAAS,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM,CAE9C;AAED,OAAO,EAAE,oBAAoB,EAAE,qBAAqB,EAAE,CAAC"}
+{"version":3,"file":"sanitize.d.ts","sourceRoot":"","sources":["../../src/security/sanitize.ts"],"names":[],"mappings":"AAEA,MAAM,WAAW,eAAe;IAC9B,WAAW,CAAC,EAAE,MAAM,EAAE,CAAA;IACtB,iBAAiB,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,EAAE,CAAC,CAAA;IAC5C,QAAQ,CAAC,EAAE,OAAO,CAAA;CACnB;AAED,QAAA,MAAM,oBAAoB,UAqCzB,CAAA;AAED,QAAA,MAAM,qBAAqB,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,EAAE,CAKnD,CAAA;AAED,6FAA6F;AAC7F,wBAAgB,YAAY,CAAC,IAAI,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,eAAe,GAAG,MAAM,CAa5E;AAED,iDAAiD;AACjD,wBAAgB,SAAS,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM,CAE9C;AAED,OAAO,EAAE,oBAAoB,EAAE,qBAAqB,EAAE,CAAA"}

package/dist/security/sanitize.js

@@ -1,15 +1,47 @@
 import sanitize from 'sanitize-html';
 const DEFAULT_ALLOWED_TAGS = [
-    "p", "br", "b", "i", "em", "strong", "a", "ul", "ol", "li",
-    "h1", "h2", "h3", "h4", "h5", "h6", "blockquote", "code", "pre",
-    "img", "figure", "figcaption", "table", "thead", "tbody", "tr", "th", "td",
-    "span", "div", "hr", "sub", "sup", "s", "u", "mark",
+    'p',
+    'br',
+    'b',
+    'i',
+    'em',
+    'strong',
+    'a',
+    'ul',
+    'ol',
+    'li',
+    'h1',
+    'h2',
+    'h3',
+    'h4',
+    'h5',
+    'h6',
+    'blockquote',
+    'code',
+    'pre',
+    'img',
+    'figure',
+    'figcaption',
+    'table',
+    'thead',
+    'tbody',
+    'tr',
+    'th',
+    'td',
+    'span',
+    'div',
+    'hr',
+    'sub',
+    'sup',
+    's',
+    'u',
+    'mark',
 ];
 const DEFAULT_ALLOWED_ATTRS = {
-    a: ["href", "title", "target", "rel"],
-    img: ["src", "alt", "title", "width", "height", "loading"],
-    td: ["colspan", "rowspan"],
-    th: ["colspan", "rowspan", "scope"],
+    a: ['href', 'title', 'target', 'rel'],
+    img: ['src', 'alt', 'title', 'width', 'height', 'loading'],
+    td: ['colspan', 'rowspan'],
+    th: ['colspan', 'rowspan', 'scope'],
 };
 /** Sanitize HTML content. Strips dangerous tags/attributes while preserving safe content. */
 export function sanitizeHtml(html, options) {

package/dist/security/sanitize.js.map

@@ -1 +1 @@
-{"version":3,"file":"sanitize.js","sourceRoot":"","sources":["../../src/security/sanitize.ts"],"names":[],"mappings":"AAAA,OAAO,QAAQ,MAAM,eAAe,CAAC;AAQrC,MAAM,oBAAoB,GAAG;IAC3B,GAAG,EAAE,IAAI,EAAE,GAAG,EAAE,GAAG,EAAE,IAAI,EAAE,QAAQ,EAAE,GAAG,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI;IAC1D,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,YAAY,EAAE,MAAM,EAAE,KAAK;IAC/D,KAAK,EAAE,QAAQ,EAAE,YAAY,EAAE,OAAO,EAAE,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI;IAC1E,MAAM,EAAE,KAAK,EAAE,IAAI,EAAE,KAAK,EAAE,KAAK,EAAE,GAAG,EAAE,GAAG,EAAE,MAAM;CACpD,CAAC;AAEF,MAAM,qBAAqB,GAA6B;IACtD,CAAC,EAAE,CAAC,MAAM,EAAE,OAAO,EAAE,QAAQ,EAAE,KAAK,CAAC;IACrC,GAAG,EAAE,CAAC,KAAK,EAAE,KAAK,EAAE,OAAO,EAAE,OAAO,EAAE,QAAQ,EAAE,SAAS,CAAC;IAC1D,EAAE,EAAE,CAAC,SAAS,EAAE,SAAS,CAAC;IAC1B,EAAE,EAAE,CAAC,SAAS,EAAE,SAAS,EAAE,OAAO,CAAC;CACpC,CAAC;AAEF,6FAA6F;AAC7F,MAAM,UAAU,YAAY,CAC1B,IAAY,EACZ,OAAyB;IAEzB,IAAI,OAAO,EAAE,QAAQ,EAAE,CAAC;QACtB,OAAO,QAAQ,CAAC,IAAI,EAAE,EAAE,WAAW,EAAE,EAAE,EAAE,iBAAiB,EAAE,EAAE,EAAE,CAAC,CAAC;IACpE,CAAC;IAED,MAAM,IAAI,GAAG,OAAO,EAAE,WAAW,IAAI,oBAAoB,CAAC;IAC1D,MAAM,KAAK,GAAG,OAAO,EAAE,iBAAiB,IAAI,qBAAqB,CAAC;IAElE,OAAO,QAAQ,CAAC,IAAI,EAAE;QACpB,WAAW,EAAE,IAAI;QACjB,iBAAiB,EAAE,KAAK;QACxB,kBAAkB,EAAE,SAAS;KAC9B,CAAC,CAAC;AACL,CAAC;AAED,iDAAiD;AACjD,MAAM,UAAU,SAAS,CAAC,IAAY;IACpC,OAAO,QAAQ,CAAC,IAAI,EAAE,EAAE,WAAW,EAAE,EAAE,EAAE,iBAAiB,EAAE,EAAE,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC;AAC3E,CAAC;AAED,OAAO,EAAE,oBAAoB,EAAE,qBAAqB,EAAE,CAAC"}
+{"version":3,"file":"sanitize.js","sourceRoot":"","sources":["../../src/security/sanitize.ts"],"names":[],"mappings":"AAAA,OAAO,QAAQ,MAAM,eAAe,CAAA;AAQpC,MAAM,oBAAoB,GAAG;IAC3B,GAAG;IACH,IAAI;IACJ,GAAG;IACH,GAAG;IACH,IAAI;IACJ,QAAQ;IACR,GAAG;IACH,IAAI;IACJ,IAAI;IACJ,IAAI;IACJ,IAAI;IACJ,IAAI;IACJ,IAAI;IACJ,IAAI;IACJ,IAAI;IACJ,IAAI;IACJ,YAAY;IACZ,MAAM;IACN,KAAK;IACL,KAAK;IACL,QAAQ;IACR,YAAY;IACZ,OAAO;IACP,OAAO;IACP,OAAO;IACP,IAAI;IACJ,IAAI;IACJ,IAAI;IACJ,MAAM;IACN,KAAK;IACL,IAAI;IACJ,KAAK;IACL,KAAK;IACL,GAAG;IACH,GAAG;IACH,MAAM;CACP,CAAA;AAED,MAAM,qBAAqB,GAA6B;IACtD,CAAC,EAAE,CAAC,MAAM,EAAE,OAAO,EAAE,QAAQ,EAAE,KAAK,CAAC;IACrC,GAAG,EAAE,CAAC,KAAK,EAAE,KAAK,EAAE,OAAO,EAAE,OAAO,EAAE,QAAQ,EAAE,SAAS,CAAC;IAC1D,EAAE,EAAE,CAAC,SAAS,EAAE,SAAS,CAAC;IAC1B,EAAE,EAAE,CAAC,SAAS,EAAE,SAAS,EAAE,OAAO,CAAC;CACpC,CAAA;AAED,6FAA6F;AAC7F,MAAM,UAAU,YAAY,CAAC,IAAY,EAAE,OAAyB;IAClE,IAAI,OAAO,EAAE,QAAQ,EAAE,CAAC;QACtB,OAAO,QAAQ,CAAC,IAAI,EAAE,EAAE,WAAW,EAAE,EAAE,EAAE,iBAAiB,EAAE,EAAE,EAAE,CAAC,CAAA;IACnE,CAAC;IAED,MAAM,IAAI,GAAG,OAAO,EAAE,WAAW,IAAI,oBAAoB,CAAA;IACzD,MAAM,KAAK,GAAG,OAAO,EAAE,iBAAiB,IAAI,qBAAqB,CAAA;IAEjE,OAAO,QAAQ,CAAC,IAAI,EAAE;QACpB,WAAW,EAAE,IAAI;QACjB,iBAAiB,EAAE,KAAK;QACxB,kBAAkB,EAAE,SAAS;KAC9B,CAAC,CAAA;AACJ,CAAC;AAED,iDAAiD;AACjD,MAAM,UAAU,SAAS,CAAC,IAAY;IACpC,OAAO,QAAQ,CAAC,IAAI,EAAE,EAAE,WAAW,EAAE,EAAE,EAAE,iBAAiB,EAAE,EAAE,EAAE,CAAC,CAAC,IAAI,EAAE,CAAA;AAC1E,CAAC;AAED,OAAO,EAAE,oBAAoB,EAAE,qBAAqB,EAAE,CAAA"}

package/dist/security/secret-storage.d.ts

@@ -0,0 +1,22 @@
+/**
+ * Encrypt a value for storage. Returns the original value unchanged when no
+ * encryption key is configured (development convenience). Production deployments
+ * MUST set `CMS_ENCRYPTION_KEY` — see `security.mdc`.
+ */
+export declare function encryptSecret(plaintext: string): Promise<string>;
+/**
+ * Decrypt a value that was stored via `encryptSecret`. Plaintext values
+ * (written before encryption was enabled, or written by a deployment without
+ * the key) are returned unchanged.
+ */
+export declare function decryptSecret(stored: string): Promise<string>;
+/** True when the value is stored encrypted (and therefore needs decryption). */
+export declare function isEncrypted(value: string): boolean;
+/**
+ * Encrypt each string element in an array. Returns the array unchanged when
+ * encryption is disabled. Used for things like TOTP backup codes.
+ */
+export declare function encryptStringArray(values: string[]): Promise<string[]>;
+/** Decrypt each element in an array stored via `encryptStringArray`. */
+export declare function decryptStringArray(values: string[]): Promise<string[]>;
+//# sourceMappingURL=secret-storage.d.ts.map

package/dist/security/secret-storage.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"secret-storage.d.ts","sourceRoot":"","sources":["../../src/security/secret-storage.ts"],"names":[],"mappings":"AAiCA;;;;GAIG;AACH,wBAAsB,aAAa,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAMtE;AAED;;;;GAIG;AACH,wBAAsB,aAAa,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAWnE;AAED,gFAAgF;AAChF,wBAAgB,WAAW,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAElD;AAED;;;GAGG;AACH,wBAAsB,kBAAkB,CAAC,MAAM,EAAE,MAAM,EAAE,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC,CAE5E;AAED,wEAAwE;AACxE,wBAAsB,kBAAkB,CAAC,MAAM,EAAE,MAAM,EAAE,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC,CAE5E"}

package/dist/security/secret-storage.js

@@ -0,0 +1,75 @@
+import { encryptField, decryptField } from './encrypted-fields.js';
+/**
+ * High-level helpers for storing per-user secrets (TOTP secret, OAuth tokens,
+ * webhook signing keys) at rest. Wraps the raw `encryptField`/`decryptField`
+ * primitives so callers don't have to plumb `CMS_ENCRYPTION_KEY` through every
+ * code path.
+ *
+ * Encrypted values are tagged with a version prefix so we can rotate keys or
+ * change the encoding without breaking existing rows. Plaintext values written
+ * before encryption was enabled are passed through unchanged on read so
+ * upgrades don't break existing data — call `migrateSecret()` when you want
+ * to opportunistically re-encrypt them on next access.
+ */
+const PREFIX = 'enc:v1:';
+function getKey() {
+    const key = process.env.CMS_ENCRYPTION_KEY;
+    if (!key)
+        return null;
+    // 32 bytes = 64 hex chars
+    if (key.length !== 64) {
+        console.warn('[actuate][crypto] CMS_ENCRYPTION_KEY must be 64 hex characters (32 bytes); got ' +
+            key.length +
+            '. Falling back to plaintext storage. Generate with: ' +
+            "node -e \"console.log(require('crypto').randomBytes(32).toString('hex'))\"");
+        return null;
+    }
+    return key;
+}
+/**
+ * Encrypt a value for storage. Returns the original value unchanged when no
+ * encryption key is configured (development convenience). Production deployments
+ * MUST set `CMS_ENCRYPTION_KEY` — see `security.mdc`.
+ */
+export async function encryptSecret(plaintext) {
+    if (!plaintext)
+        return plaintext;
+    const key = getKey();
+    if (!key)
+        return plaintext;
+    const ciphertext = await encryptField(plaintext, key);
+    return PREFIX + ciphertext;
+}
+/**
+ * Decrypt a value that was stored via `encryptSecret`. Plaintext values
+ * (written before encryption was enabled, or written by a deployment without
+ * the key) are returned unchanged.
+ */
+export async function decryptSecret(stored) {
+    if (!stored)
+        return stored;
+    if (!stored.startsWith(PREFIX))
+        return stored;
+    const key = getKey();
+    if (!key) {
+        throw new Error('CMS_ENCRYPTION_KEY is required to decrypt this value but is not set. ' +
+            'Configure the same key used at write time.');
+    }
+    return decryptField(stored.slice(PREFIX.length), key);
+}
+/** True when the value is stored encrypted (and therefore needs decryption). */
+export function isEncrypted(value) {
+    return typeof value === 'string' && value.startsWith(PREFIX);
+}
+/**
+ * Encrypt each string element in an array. Returns the array unchanged when
+ * encryption is disabled. Used for things like TOTP backup codes.
+ */
+export async function encryptStringArray(values) {
+    return Promise.all(values.map((v) => encryptSecret(v)));
+}
+/** Decrypt each element in an array stored via `encryptStringArray`. */
+export async function decryptStringArray(values) {
+    return Promise.all(values.map((v) => decryptSecret(v)));
+}
+//# sourceMappingURL=secret-storage.js.map

package/dist/security/secret-storage.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"secret-storage.js","sourceRoot":"","sources":["../../src/security/secret-storage.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAE,YAAY,EAAE,MAAM,uBAAuB,CAAA;AAElE;;;;;;;;;;;GAWG;AAEH,MAAM,MAAM,GAAG,SAAS,CAAA;AAExB,SAAS,MAAM;IACb,MAAM,GAAG,GAAG,OAAO,CAAC,GAAG,CAAC,kBAAkB,CAAA;IAC1C,IAAI,CAAC,GAAG;QAAE,OAAO,IAAI,CAAA;IACrB,0BAA0B;IAC1B,IAAI,GAAG,CAAC,MAAM,KAAK,EAAE,EAAE,CAAC;QACtB,OAAO,CAAC,IAAI,CACV,iFAAiF;YAC/E,GAAG,CAAC,MAAM;YACV,sDAAsD;YACtD,4EAA4E,CAC/E,CAAA;QACD,OAAO,IAAI,CAAA;IACb,CAAC;IACD,OAAO,GAAG,CAAA;AACZ,CAAC;AAED;;;;GAIG;AACH,MAAM,CAAC,KAAK,UAAU,aAAa,CAAC,SAAiB;IACnD,IAAI,CAAC,SAAS;QAAE,OAAO,SAAS,CAAA;IAChC,MAAM,GAAG,GAAG,MAAM,EAAE,CAAA;IACpB,IAAI,CAAC,GAAG;QAAE,OAAO,SAAS,CAAA;IAC1B,MAAM,UAAU,GAAG,MAAM,YAAY,CAAC,SAAS,EAAE,GAAG,CAAC,CAAA;IACrD,OAAO,MAAM,GAAG,UAAU,CAAA;AAC5B,CAAC;AAED;;;;GAIG;AACH,MAAM,CAAC,KAAK,UAAU,aAAa,CAAC,MAAc;IAChD,IAAI,CAAC,MAAM;QAAE,OAAO,MAAM,CAAA;IAC1B,IAAI,CAAC,MAAM,CAAC,UAAU,CAAC,MAAM,CAAC;QAAE,OAAO,MAAM,CAAA;IAC7C,MAAM,GAAG,GAAG,MAAM,EAAE,CAAA;IACpB,IAAI,CAAC,GAAG,EAAE,CAAC;QACT,MAAM,IAAI,KAAK,CACb,uEAAuE;YACrE,4CAA4C,CAC/C,CAAA;IACH,CAAC;IACD,OAAO,YAAY,CAAC,MAAM,CAAC,KAAK,CAAC,MAAM,CAAC,MAAM,CAAC,EAAE,GAAG,CAAC,CAAA;AACvD,CAAC;AAED,gFAAgF;AAChF,MAAM,UAAU,WAAW,CAAC,KAAa;IACvC,OAAO,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,CAAC,UAAU,CAAC,MAAM,CAAC,CAAA;AAC9D,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,kBAAkB,CAAC,MAAgB;IACvD,OAAO,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,aAAa,CAAC,CAAC,CAAC,CAAC,CAAC,CAAA;AACzD,CAAC;AAED,wEAAwE;AACxE,MAAM,CAAC,KAAK,UAAU,kBAAkB,CAAC,MAAgB;IACvD,OAAO,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,aAAa,CAAC,CAAC,CAAC,CAAC,CAAC,CAAA;AACzD,CAAC"}

package/dist/security/security-txt.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"security-txt.d.ts","sourceRoot":"","sources":["../../src/security/security-txt.ts"],"names":[],"mappings":"AAAA,MAAM,WAAW,iBAAiB;IAChC,OAAO,EAAE,MAAM,CAAC;IAChB,OAAO,EAAE,IAAI,CAAC;IACd,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,kBAAkB,CAAC,EAAE,MAAM,EAAE,CAAC;IAC9B,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAED,0DAA0D;AAC1D,wBAAgB,mBAAmB,CAAC,MAAM,EAAE,iBAAiB,GAAG,MAAM,CAerE"}
+{"version":3,"file":"security-txt.d.ts","sourceRoot":"","sources":["../../src/security/security-txt.ts"],"names":[],"mappings":"AAAA,MAAM,WAAW,iBAAiB;IAChC,OAAO,EAAE,MAAM,CAAA;IACf,OAAO,EAAE,IAAI,CAAA;IACb,UAAU,CAAC,EAAE,MAAM,CAAA;IACnB,eAAe,CAAC,EAAE,MAAM,CAAA;IACxB,kBAAkB,CAAC,EAAE,MAAM,EAAE,CAAA;IAC7B,SAAS,CAAC,EAAE,MAAM,CAAA;IAClB,MAAM,CAAC,EAAE,MAAM,CAAA;CAChB;AAED,0DAA0D;AAC1D,wBAAgB,mBAAmB,CAAC,MAAM,EAAE,iBAAiB,GAAG,MAAM,CAerE"}

package/dist/security/security-txt.js

@@ -8,12 +8,12 @@ export function generateSecurityTxt(config) {
     if (config.acknowledgments)
         lines.push(`Acknowledgments: ${config.acknowledgments}`);
     if (config.preferredLanguages?.length) {
-        lines.push(`Preferred-Languages: ${config.preferredLanguages.join(", ")}`);
+        lines.push(`Preferred-Languages: ${config.preferredLanguages.join(', ')}`);
     }
     if (config.canonical)
         lines.push(`Canonical: ${config.canonical}`);
     if (config.policy)
         lines.push(`Policy: ${config.policy}`);
-    return lines.join("\n") + "\n";
+    return lines.join('\n') + '\n';
 }
 //# sourceMappingURL=security-txt.js.map

package/dist/security/security-txt.js.map

@@ -1 +1 @@
-{"version":3,"file":"security-txt.js","sourceRoot":"","sources":["../../src/security/security-txt.ts"],"names":[],"mappings":"AAUA,0DAA0D;AAC1D,MAAM,UAAU,mBAAmB,CAAC,MAAyB;IAC3D,MAAM,KAAK,GAAa,EAAE,CAAC;IAE3B,KAAK,CAAC,IAAI,CAAC,YAAY,MAAM,CAAC,OAAO,EAAE,CAAC,CAAC;IACzC,KAAK,CAAC,IAAI,CAAC,YAAY,MAAM,CAAC,OAAO,CAAC,WAAW,EAAE,EAAE,CAAC,CAAC;IAEvD,IAAI,MAAM,CAAC,UAAU;QAAE,KAAK,CAAC,IAAI,CAAC,eAAe,MAAM,CAAC,UAAU,EAAE,CAAC,CAAC;IACtE,IAAI,MAAM,CAAC,eAAe;QAAE,KAAK,CAAC,IAAI,CAAC,oBAAoB,MAAM,CAAC,eAAe,EAAE,CAAC,CAAC;IACrF,IAAI,MAAM,CAAC,kBAAkB,EAAE,MAAM,EAAE,CAAC;QACtC,KAAK,CAAC,IAAI,CAAC,wBAAwB,MAAM,CAAC,kBAAkB,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IAC7E,CAAC;IACD,IAAI,MAAM,CAAC,SAAS;QAAE,KAAK,CAAC,IAAI,CAAC,cAAc,MAAM,CAAC,SAAS,EAAE,CAAC,CAAC;IACnE,IAAI,MAAM,CAAC,MAAM;QAAE,KAAK,CAAC,IAAI,CAAC,WAAW,MAAM,CAAC,MAAM,EAAE,CAAC,CAAC;IAE1D,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC;AACjC,CAAC"}
+{"version":3,"file":"security-txt.js","sourceRoot":"","sources":["../../src/security/security-txt.ts"],"names":[],"mappings":"AAUA,0DAA0D;AAC1D,MAAM,UAAU,mBAAmB,CAAC,MAAyB;IAC3D,MAAM,KAAK,GAAa,EAAE,CAAA;IAE1B,KAAK,CAAC,IAAI,CAAC,YAAY,MAAM,CAAC,OAAO,EAAE,CAAC,CAAA;IACxC,KAAK,CAAC,IAAI,CAAC,YAAY,MAAM,CAAC,OAAO,CAAC,WAAW,EAAE,EAAE,CAAC,CAAA;IAEtD,IAAI,MAAM,CAAC,UAAU;QAAE,KAAK,CAAC,IAAI,CAAC,eAAe,MAAM,CAAC,UAAU,EAAE,CAAC,CAAA;IACrE,IAAI,MAAM,CAAC,eAAe;QAAE,KAAK,CAAC,IAAI,CAAC,oBAAoB,MAAM,CAAC,eAAe,EAAE,CAAC,CAAA;IACpF,IAAI,MAAM,CAAC,kBAAkB,EAAE,MAAM,EAAE,CAAC;QACtC,KAAK,CAAC,IAAI,CAAC,wBAAwB,MAAM,CAAC,kBAAkB,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAAA;IAC5E,CAAC;IACD,IAAI,MAAM,CAAC,SAAS;QAAE,KAAK,CAAC,IAAI,CAAC,cAAc,MAAM,CAAC,SAAS,EAAE,CAAC,CAAA;IAClE,IAAI,MAAM,CAAC,MAAM;QAAE,KAAK,CAAC,IAAI,CAAC,WAAW,MAAM,CAAC,MAAM,EAAE,CAAC,CAAA;IAEzD,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,IAAI,CAAA;AAChC,CAAC"}

package/dist/security/session-limits.d.ts

@@ -7,7 +7,7 @@ export interface SessionInfo {
 }
 export interface SessionLimitConfig {
     maxConcurrentSessions: number;
-    strategy: "deny_new" | "revoke_oldest";
+    strategy: 'deny_new' | 'revoke_oldest';
 }
 /** Enforce concurrent session limits, returning sessions to revoke if any. */
 export declare function enforceSessionLimits(activeSessions: SessionInfo[], config: SessionLimitConfig): {

package/dist/security/session-limits.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"session-limits.d.ts","sourceRoot":"","sources":["../../src/security/session-limits.ts"],"names":[],"mappings":"AAAA,MAAM,WAAW,WAAW;IAC1B,SAAS,EAAE,MAAM,CAAC;IAClB,MAAM,EAAE,MAAM,CAAC;IACf,SAAS,EAAE,IAAI,CAAC;IAChB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB;AAED,MAAM,WAAW,kBAAkB;IACjC,qBAAqB,EAAE,MAAM,CAAC;IAC9B,QAAQ,EAAE,UAAU,GAAG,eAAe,CAAC;CACxC;AAED,8EAA8E;AAC9E,wBAAgB,oBAAoB,CAClC,cAAc,EAAE,WAAW,EAAE,EAC7B,MAAM,EAAE,kBAAkB,GACzB;IAAE,OAAO,EAAE,OAAO,CAAC;IAAC,gBAAgB,EAAE,MAAM,EAAE,CAAA;CAAE,CAgBlD"}
+{"version":3,"file":"session-limits.d.ts","sourceRoot":"","sources":["../../src/security/session-limits.ts"],"names":[],"mappings":"AAAA,MAAM,WAAW,WAAW;IAC1B,SAAS,EAAE,MAAM,CAAA;IACjB,MAAM,EAAE,MAAM,CAAA;IACd,SAAS,EAAE,IAAI,CAAA;IACf,SAAS,CAAC,EAAE,MAAM,CAAA;IAClB,SAAS,CAAC,EAAE,MAAM,CAAA;CACnB;AAED,MAAM,WAAW,kBAAkB;IACjC,qBAAqB,EAAE,MAAM,CAAA;IAC7B,QAAQ,EAAE,UAAU,GAAG,eAAe,CAAA;CACvC;AAED,8EAA8E;AAC9E,wBAAgB,oBAAoB,CAClC,cAAc,EAAE,WAAW,EAAE,EAC7B,MAAM,EAAE,kBAAkB,GACzB;IAAE,OAAO,EAAE,OAAO,CAAC;IAAC,gBAAgB,EAAE,MAAM,EAAE,CAAA;CAAE,CAclD"}

package/dist/security/session-limits.js

@@ -3,7 +3,7 @@ export function enforceSessionLimits(activeSessions, config) {
     if (activeSessions.length < config.maxConcurrentSessions) {
         return { allowed: true, sessionsToRevoke: [] };
     }
-    if (config.strategy === "deny_new") {
+    if (config.strategy === 'deny_new') {
         return { allowed: false, sessionsToRevoke: [] };
     }
     const sorted = [...activeSessions].sort((a, b) => a.createdAt.getTime() - b.createdAt.getTime());

package/dist/security/session-limits.js.map

@@ -1 +1 @@
-{"version":3,"file":"session-limits.js","sourceRoot":"","sources":["../../src/security/session-limits.ts"],"names":[],"mappings":"AAaA,8EAA8E;AAC9E,MAAM,UAAU,oBAAoB,CAClC,cAA6B,EAC7B,MAA0B;IAE1B,IAAI,cAAc,CAAC,MAAM,GAAG,MAAM,CAAC,qBAAqB,EAAE,CAAC;QACzD,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,gBAAgB,EAAE,EAAE,EAAE,CAAC;IACjD,CAAC;IAED,IAAI,MAAM,CAAC,QAAQ,KAAK,UAAU,EAAE,CAAC;QACnC,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,gBAAgB,EAAE,EAAE,EAAE,CAAC;IAClD,CAAC;IAED,MAAM,MAAM,GAAG,CAAC,GAAG,cAAc,CAAC,CAAC,IAAI,CACrC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,SAAS,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC,SAAS,CAAC,OAAO,EAAE,CACxD,CAAC;IACF,MAAM,MAAM,GAAG,MAAM,CAAC,MAAM,GAAG,MAAM,CAAC,qBAAqB,GAAG,CAAC,CAAC;IAChE,MAAM,QAAQ,GAAG,MAAM,CAAC,KAAK,CAAC,CAAC,EAAE,MAAM,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC;IAEjE,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,gBAAgB,EAAE,QAAQ,EAAE,CAAC;AACvD,CAAC"}
+{"version":3,"file":"session-limits.js","sourceRoot":"","sources":["../../src/security/session-limits.ts"],"names":[],"mappings":"AAaA,8EAA8E;AAC9E,MAAM,UAAU,oBAAoB,CAClC,cAA6B,EAC7B,MAA0B;IAE1B,IAAI,cAAc,CAAC,MAAM,GAAG,MAAM,CAAC,qBAAqB,EAAE,CAAC;QACzD,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,gBAAgB,EAAE,EAAE,EAAE,CAAA;IAChD,CAAC;IAED,IAAI,MAAM,CAAC,QAAQ,KAAK,UAAU,EAAE,CAAC;QACnC,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,gBAAgB,EAAE,EAAE,EAAE,CAAA;IACjD,CAAC;IAED,MAAM,MAAM,GAAG,CAAC,GAAG,cAAc,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,SAAS,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC,SAAS,CAAC,OAAO,EAAE,CAAC,CAAA;IAChG,MAAM,MAAM,GAAG,MAAM,CAAC,MAAM,GAAG,MAAM,CAAC,qBAAqB,GAAG,CAAC,CAAA;IAC/D,MAAM,QAAQ,GAAG,MAAM,CAAC,KAAK,CAAC,CAAC,EAAE,MAAM,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,SAAS,CAAC,CAAA;IAEhE,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,gBAAgB,EAAE,QAAQ,EAAE,CAAA;AACtD,CAAC"}

package/dist/security/upload.d.ts

@@ -5,9 +5,28 @@ export interface FileValidationResult {
 }
 declare const ALLOWED_IMAGE_TYPES: Set<string>;
 declare const ALLOWED_DOCUMENT_TYPES: Set<string>;
-/** Validate a file's MIME type against an allowlist. */
-export declare function validateMimeType(mimeType: string, allowedTypes?: Set<string>): FileValidationResult;
-/** Check a file's magic bytes to detect its true MIME type. */
-export declare function checkMagicBytes(buffer: Uint8Array): string | undefined;
+/**
+ * Validate a file's declared MIME type against an allowlist.
+ *
+ * Accepts either an array (typical caller form) or a Set (legacy form).
+ * Returns a plain boolean to make call-sites read naturally:
+ *
+ *     if (!validateMimeType(file.type, ALLOWED)) return badRequest(...)
+ */
+export declare function validateMimeType(mimeType: string, allowedTypes?: ReadonlyArray<string> | ReadonlySet<string>): boolean;
+/**
+ * Check a file's magic bytes against the declared mime type. Returns
+ * `{ valid: true, detectedMimeType }` when the bytes match the declared type
+ * (or when we have no signature to check), and `{ valid: false, error }`
+ * otherwise.
+ *
+ * For container formats (WebP, AVIF) we additionally inspect the inner
+ * sub-type — a generic RIFF header would otherwise let `.wav` files masquerade
+ * as `.webp` and bypass image-only checks.
+ *
+ * For SVG (which is XML, not a binary signature) we look for `<svg` near the
+ * start of the file. A leading XML declaration or BOM is allowed.
+ */
+export declare function checkMagicBytes(input: ArrayBuffer | Uint8Array | Buffer, declaredMimeType: string): FileValidationResult;
 export { ALLOWED_IMAGE_TYPES, ALLOWED_DOCUMENT_TYPES };
 //# sourceMappingURL=upload.d.ts.map

package/dist/security/upload.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"upload.d.ts","sourceRoot":"","sources":["../../src/security/upload.ts"],"names":[],"mappings":"AAAA,MAAM,WAAW,oBAAoB;IACnC,KAAK,EAAE,OAAO,CAAC;IACf,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,gBAAgB,CAAC,EAAE,MAAM,CAAC;CAC3B;AAED,QAAA,MAAM,mBAAmB,aAEvB,CAAC;AAEH,QAAA,MAAM,sBAAsB,aAI1B,CAAC;AAUH,wDAAwD;AACxD,wBAAgB,gBAAgB,CAC9B,QAAQ,EAAE,MAAM,EAChB,YAAY,CAAC,EAAE,GAAG,CAAC,MAAM,CAAC,GACzB,oBAAoB,CAMtB;AAED,+DAA+D;AAC/D,wBAAgB,eAAe,CAC7B,MAAM,EAAE,UAAU,GACjB,MAAM,GAAG,SAAS,CAMpB;AAED,OAAO,EAAE,mBAAmB,EAAE,sBAAsB,EAAE,CAAC"}
+{"version":3,"file":"upload.d.ts","sourceRoot":"","sources":["../../src/security/upload.ts"],"names":[],"mappings":"AAAA,MAAM,WAAW,oBAAoB;IACnC,KAAK,EAAE,OAAO,CAAA;IACd,KAAK,CAAC,EAAE,MAAM,CAAA;IACd,gBAAgB,CAAC,EAAE,MAAM,CAAA;CAC1B;AAED,QAAA,MAAM,mBAAmB,aAOvB,CAAA;AAEF,QAAA,MAAM,sBAAsB,aAM1B,CAAA;AAEF;;;;;;;GAOG;AACH,wBAAgB,gBAAgB,CAC9B,QAAQ,EAAE,MAAM,EAChB,YAAY,CAAC,EAAE,aAAa,CAAC,MAAM,CAAC,GAAG,WAAW,CAAC,MAAM,CAAC,GACzD,OAAO,CAOT;AAED;;;;;;;;;;;;GAYG;AACH,wBAAgB,eAAe,CAC7B,KAAK,EAAE,WAAW,GAAG,UAAU,GAAG,MAAM,EACxC,gBAAgB,EAAE,MAAM,GACvB,oBAAoB,CA6BtB;AAgED,OAAO,EAAE,mBAAmB,EAAE,sBAAsB,EAAE,CAAA"}

package/dist/security/upload.js

@@ -1,34 +1,129 @@
 const ALLOWED_IMAGE_TYPES = new Set([
-    "image/jpeg", "image/png", "image/gif", "image/webp", "image/svg+xml", "image/avif",
+    'image/jpeg',
+    'image/png',
+    'image/gif',
+    'image/webp',
+    'image/svg+xml',
+    'image/avif',
 ]);
 const ALLOWED_DOCUMENT_TYPES = new Set([
-    "application/pdf", "text/plain", "text/csv",
-    "application/vnd.openxmlformats-officedocument.wordprocessingml.document",
-    "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet",
+    'application/pdf',
+    'text/plain',
+    'text/csv',
+    'application/vnd.openxmlformats-officedocument.wordprocessingml.document',
+    'application/vnd.openxmlformats-officedocument.spreadsheetml.sheet',
 ]);
-const MAGIC_BYTES = [
-    { mime: "image/jpeg", bytes: [0xFF, 0xD8, 0xFF] },
-    { mime: "image/png", bytes: [0x89, 0x50, 0x4E, 0x47] },
-    { mime: "image/gif", bytes: [0x47, 0x49, 0x46] },
-    { mime: "image/webp", bytes: [0x52, 0x49, 0x46, 0x46] },
-    { mime: "application/pdf", bytes: [0x25, 0x50, 0x44, 0x46] },
-];
-/** Validate a file's MIME type against an allowlist. */
+/**
+ * Validate a file's declared MIME type against an allowlist.
+ *
+ * Accepts either an array (typical caller form) or a Set (legacy form).
+ * Returns a plain boolean to make call-sites read naturally:
+ *
+ *     if (!validateMimeType(file.type, ALLOWED)) return badRequest(...)
+ */
 export function validateMimeType(mimeType, allowedTypes) {
-    const allowed = allowedTypes ?? new Set([...ALLOWED_IMAGE_TYPES, ...ALLOWED_DOCUMENT_TYPES]);
-    if (!allowed.has(mimeType)) {
-        return { valid: false, error: `MIME type "${mimeType}" is not allowed` };
+    const allowed = allowedTypes
+        ? allowedTypes instanceof Set
+            ? allowedTypes
+            : new Set(allowedTypes)
+        : new Set([...ALLOWED_IMAGE_TYPES, ...ALLOWED_DOCUMENT_TYPES]);
+    return allowed.has(mimeType);
+}
+/**
+ * Check a file's magic bytes against the declared mime type. Returns
+ * `{ valid: true, detectedMimeType }` when the bytes match the declared type
+ * (or when we have no signature to check), and `{ valid: false, error }`
+ * otherwise.
+ *
+ * For container formats (WebP, AVIF) we additionally inspect the inner
+ * sub-type — a generic RIFF header would otherwise let `.wav` files masquerade
+ * as `.webp` and bypass image-only checks.
+ *
+ * For SVG (which is XML, not a binary signature) we look for `<svg` near the
+ * start of the file. A leading XML declaration or BOM is allowed.
+ */
+export function checkMagicBytes(input, declaredMimeType) {
+    const bytes = toUint8(input);
+    const detected = detectMimeType(bytes);
+    // No signature for the declared type — accept (caller is expected to have
+    // already checked the allowlist).
+    if (detected === null) {
+        return { valid: true };
+    }
+    if (detected === declaredMimeType) {
+        return { valid: true, detectedMimeType: detected };
+    }
+    // Some legitimate aliases:
+    //   image/jpg ↔ image/jpeg
+    //   image/x-png ↔ image/png
+    if ((detected === 'image/jpeg' && declaredMimeType === 'image/jpg') ||
+        (detected === 'image/png' && declaredMimeType === 'image/x-png')) {
+        return { valid: true, detectedMimeType: detected };
     }
-    return { valid: true };
+    return {
+        valid: false,
+        error: `Declared "${declaredMimeType}" but content looks like "${detected}"`,
+        detectedMimeType: detected,
+    };
 }
-/** Check a file's magic bytes to detect its true MIME type. */
-export function checkMagicBytes(buffer) {
-    for (const entry of MAGIC_BYTES) {
-        const matches = entry.bytes.every((byte, i) => buffer[i] === byte);
-        if (matches)
-            return entry.mime;
+function toUint8(input) {
+    if (input instanceof Uint8Array)
+        return input;
+    return new Uint8Array(input);
+}
+/** Returns the detected mime type, or null when the bytes don't match a known signature. */
+function detectMimeType(b) {
+    if (b.length < 4)
+        return null;
+    if (b[0] === 0xff && b[1] === 0xd8 && b[2] === 0xff)
+        return 'image/jpeg';
+    if (b[0] === 0x89 && b[1] === 0x50 && b[2] === 0x4e && b[3] === 0x47)
+        return 'image/png';
+    // GIF: full 6-byte signature ("GIF87a" or "GIF89a"), not just "GIF".
+    if (b[0] === 0x47 &&
+        b[1] === 0x49 &&
+        b[2] === 0x46 &&
+        b[3] === 0x38 &&
+        (b[4] === 0x37 || b[4] === 0x39) &&
+        b[5] === 0x61)
+        return 'image/gif';
+    // RIFF + 4-byte size + format identifier ("WEBP" / "WAVE" / "AVI ").
+    if (b.length >= 12 && b[0] === 0x52 && b[1] === 0x49 && b[2] === 0x46 && b[3] === 0x46) {
+        if (b[8] === 0x57 && b[9] === 0x45 && b[10] === 0x42 && b[11] === 0x50)
+            return 'image/webp';
+        if (b[8] === 0x57 && b[9] === 0x41 && b[10] === 0x56 && b[11] === 0x45)
+            return 'audio/wav';
+    }
+    // AVIF / HEIC: ISO BMFF "ftyp" box at offset 4 with brand at offset 8.
+    if (b.length >= 12 && b[4] === 0x66 && b[5] === 0x74 && b[6] === 0x79 && b[7] === 0x70) {
+        const brand = String.fromCharCode(b[8] ?? 0, b[9] ?? 0, b[10] ?? 0, b[11] ?? 0);
+        if (brand === 'avif' || brand === 'avis')
+            return 'image/avif';
+        if (brand === 'mp42' || brand === 'isom' || brand === 'iso2')
+            return 'video/mp4';
+    }
+    // PDF
+    if (b[0] === 0x25 && b[1] === 0x50 && b[2] === 0x44 && b[3] === 0x46)
+        return 'application/pdf';
+    // OGG
+    if (b[0] === 0x4f && b[1] === 0x67 && b[2] === 0x67 && b[3] === 0x53)
+        return 'audio/ogg';
+    // MP3 — either "ID3" tag or a frame sync (0xFFE).
+    if (b[0] === 0x49 && b[1] === 0x44 && b[2] === 0x33)
+        return 'audio/mpeg';
+    if (b[0] === 0xff && (b[1] & 0xe0) === 0xe0)
+        return 'audio/mpeg';
+    // WebM / Matroska EBML header
+    if (b[0] === 0x1a && b[1] === 0x45 && b[2] === 0xdf && b[3] === 0xa3)
+        return 'video/webm';
+    // SVG: scan the first 1024 bytes for a "<svg" tag. Accept optional XML
+    // declaration / BOM / whitespace / comments.
+    const head = new TextDecoder('utf-8', { fatal: false }).decode(b.slice(0, 1024)).trimStart();
+    if (head.toLowerCase().includes('<svg') ||
+        (head.startsWith('<?xml') && head.toLowerCase().includes('<svg'))) {
+        return 'image/svg+xml';
     }
-    return undefined;
+    return null;
 }
 export { ALLOWED_IMAGE_TYPES, ALLOWED_DOCUMENT_TYPES };
 //# sourceMappingURL=upload.js.map

package/dist/security/upload.js.map

@@ -1 +1 @@
-{"version":3,"file":"upload.js","sourceRoot":"","sources":["../../src/security/upload.ts"],"names":[],"mappings":"AAMA,MAAM,mBAAmB,GAAG,IAAI,GAAG,CAAC;IAClC,YAAY,EAAE,WAAW,EAAE,WAAW,EAAE,YAAY,EAAE,eAAe,EAAE,YAAY;CACpF,CAAC,CAAC;AAEH,MAAM,sBAAsB,GAAG,IAAI,GAAG,CAAC;IACrC,iBAAiB,EAAE,YAAY,EAAE,UAAU;IAC3C,yEAAyE;IACzE,mEAAmE;CACpE,CAAC,CAAC;AAEH,MAAM,WAAW,GAA6C;IAC5D,EAAE,IAAI,EAAE,YAAY,EAAE,KAAK,EAAE,CAAC,IAAI,EAAE,IAAI,EAAE,IAAI,CAAC,EAAE;IACjD,EAAE,IAAI,EAAE,WAAW,EAAE,KAAK,EAAE,CAAC,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,CAAC,EAAE;IACtD,EAAE,IAAI,EAAE,WAAW,EAAE,KAAK,EAAE,CAAC,IAAI,EAAE,IAAI,EAAE,IAAI,CAAC,EAAE;IAChD,EAAE,IAAI,EAAE,YAAY,EAAE,KAAK,EAAE,CAAC,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,CAAC,EAAE;IACvD,EAAE,IAAI,EAAE,iBAAiB,EAAE,KAAK,EAAE,CAAC,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,CAAC,EAAE;CAC7D,CAAC;AAEF,wDAAwD;AACxD,MAAM,UAAU,gBAAgB,CAC9B,QAAgB,EAChB,YAA0B;IAE1B,MAAM,OAAO,GAAG,YAAY,IAAI,IAAI,GAAG,CAAC,CAAC,GAAG,mBAAmB,EAAE,GAAG,sBAAsB,CAAC,CAAC,CAAC;IAC7F,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAC,EAAE,CAAC;QAC3B,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,cAAc,QAAQ,kBAAkB,EAAE,CAAC;IAC3E,CAAC;IACD,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC;AACzB,CAAC;AAED,+DAA+D;AAC/D,MAAM,UAAU,eAAe,CAC7B,MAAkB;IAElB,KAAK,MAAM,KAAK,IAAI,WAAW,EAAE,CAAC;QAChC,MAAM,OAAO,GAAG,KAAK,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,IAAI,EAAE,CAAC,EAAE,EAAE,CAAC,MAAM,CAAC,CAAC,CAAC,KAAK,IAAI,CAAC,CAAC;QACnE,IAAI,OAAO;YAAE,OAAO,KAAK,CAAC,IAAI,CAAC;IACjC,CAAC;IACD,OAAO,SAAS,CAAC;AACnB,CAAC;AAED,OAAO,EAAE,mBAAmB,EAAE,sBAAsB,EAAE,CAAC"}
+{"version":3,"file":"upload.js","sourceRoot":"","sources":["../../src/security/upload.ts"],"names":[],"mappings":"AAMA,MAAM,mBAAmB,GAAG,IAAI,GAAG,CAAC;IAClC,YAAY;IACZ,WAAW;IACX,WAAW;IACX,YAAY;IACZ,eAAe;IACf,YAAY;CACb,CAAC,CAAA;AAEF,MAAM,sBAAsB,GAAG,IAAI,GAAG,CAAC;IACrC,iBAAiB;IACjB,YAAY;IACZ,UAAU;IACV,yEAAyE;IACzE,mEAAmE;CACpE,CAAC,CAAA;AAEF;;;;;;;GAOG;AACH,MAAM,UAAU,gBAAgB,CAC9B,QAAgB,EAChB,YAA0D;IAE1D,MAAM,OAAO,GAAG,YAAY;QAC1B,CAAC,CAAC,YAAY,YAAY,GAAG;YAC3B,CAAC,CAAC,YAAY;YACd,CAAC,CAAC,IAAI,GAAG,CAAC,YAAY,CAAC;QACzB,CAAC,CAAC,IAAI,GAAG,CAAC,CAAC,GAAG,mBAAmB,EAAE,GAAG,sBAAsB,CAAC,CAAC,CAAA;IAChE,OAAO,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAA;AAC9B,CAAC;AAED;;;;;;;;;;;;GAYG;AACH,MAAM,UAAU,eAAe,CAC7B,KAAwC,EACxC,gBAAwB;IAExB,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,CAAA;IAC5B,MAAM,QAAQ,GAAG,cAAc,CAAC,KAAK,CAAC,CAAA;IAEtC,0EAA0E;IAC1E,kCAAkC;IAClC,IAAI,QAAQ,KAAK,IAAI,EAAE,CAAC;QACtB,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,CAAA;IACxB,CAAC;IAED,IAAI,QAAQ,KAAK,gBAAgB,EAAE,CAAC;QAClC,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,gBAAgB,EAAE,QAAQ,EAAE,CAAA;IACpD,CAAC;IAED,2BAA2B;IAC3B,2BAA2B;IAC3B,4BAA4B;IAC5B,IACE,CAAC,QAAQ,KAAK,YAAY,IAAI,gBAAgB,KAAK,WAAW,CAAC;QAC/D,CAAC,QAAQ,KAAK,WAAW,IAAI,gBAAgB,KAAK,aAAa,CAAC,EAChE,CAAC;QACD,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,gBAAgB,EAAE,QAAQ,EAAE,CAAA;IACpD,CAAC;IAED,OAAO;QACL,KAAK,EAAE,KAAK;QACZ,KAAK,EAAE,aAAa,gBAAgB,6BAA6B,QAAQ,GAAG;QAC5E,gBAAgB,EAAE,QAAQ;KAC3B,CAAA;AACH,CAAC;AAED,SAAS,OAAO,CAAC,KAAwC;IACvD,IAAI,KAAK,YAAY,UAAU;QAAE,OAAO,KAAK,CAAA;IAC7C,OAAO,IAAI,UAAU,CAAC,KAAoB,CAAC,CAAA;AAC7C,CAAC;AAED,4FAA4F;AAC5F,SAAS,cAAc,CAAC,CAAa;IACnC,IAAI,CAAC,CAAC,MAAM,GAAG,CAAC;QAAE,OAAO,IAAI,CAAA;IAE7B,IAAI,CAAC,CAAC,CAAC,CAAC,KAAK,IAAI,IAAI,CAAC,CAAC,CAAC,CAAC,KAAK,IAAI,IAAI,CAAC,CAAC,CAAC,CAAC,KAAK,IAAI;QAAE,OAAO,YAAY,CAAA;IACxE,IAAI,CAAC,CAAC,CAAC,CAAC,KAAK,IAAI,IAAI,CAAC,CAAC,CAAC,CAAC,KAAK,IAAI,IAAI,CAAC,CAAC,CAAC,CAAC,KAAK,IAAI,IAAI,CAAC,CAAC,CAAC,CAAC,KAAK,IAAI;QAAE,OAAO,WAAW,CAAA;IAExF,qEAAqE;IACrE,IACE,CAAC,CAAC,CAAC,CAAC,KAAK,IAAI;QACb,CAAC,CAAC,CAAC,CAAC,KAAK,IAAI;QACb,CAAC,CAAC,CAAC,CAAC,KAAK,IAAI;QACb,CAAC,CAAC,CAAC,CAAC,KAAK,IAAI;QACb,CAAC,CAAC,CAAC,CAAC,CAAC,KAAK,IAAI,IAAI,CAAC,CAAC,CAAC,CAAC,KAAK,IAAI,CAAC;QAChC,CAAC,CAAC,CAAC,CAAC,KAAK,IAAI;QAEb,OAAO,WAAW,CAAA;IAEpB,qEAAqE;IACrE,IAAI,CAAC,CAAC,MAAM,IAAI,EAAE,IAAI,CAAC,CAAC,CAAC,CAAC,KAAK,IAAI,IAAI,CAAC,CAAC,CAAC,CAAC,KAAK,IAAI,IAAI,CAAC,CAAC,CAAC,CAAC,KAAK,IAAI,IAAI,CAAC,CAAC,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;QACvF,IAAI,CAAC,CAAC,CAAC,CAAC,KAAK,IAAI,IAAI,CAAC,CAAC,CAAC,CAAC,KAAK,IAAI,IAAI,CAAC,CAAC,EAAE,CAAC,KAAK,IAAI,IAAI,CAAC,CAAC,EAAE,CAAC,KAAK,IAAI;YAAE,OAAO,YAAY,CAAA;QAC3F,IAAI,CAAC,CAAC,CAAC,CAAC,KAAK,IAAI,IAAI,CAAC,CAAC,CAAC,CAAC,KAAK,IAAI,IAAI,CAAC,CAAC,EAAE,CAAC,KAAK,IAAI,IAAI,CAAC,CAAC,EAAE,CAAC,KAAK,IAAI;YAAE,OAAO,WAAW,CAAA;IAC5F,CAAC;IAED,uEAAuE;IACvE,IAAI,CAAC,CAAC,MAAM,IAAI,EAAE,IAAI,CAAC,CAAC,CAAC,CAAC,KAAK,IAAI,IAAI,CAAC,CAAC,CAAC,CAAC,KAAK,IAAI,IAAI,CAAC,CAAC,CAAC,CAAC,KAAK,IAAI,IAAI,CAAC,CAAC,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;QACvF,MAAM,KAAK,GAAG,MAAM,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC,EAAE,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC,EAAE,CAAC,IAAI,CAAC,CAAC,CAAA;QAC/E,IAAI,KAAK,KAAK,MAAM,IAAI,KAAK,KAAK,MAAM;YAAE,OAAO,YAAY,CAAA;QAC7D,IAAI,KAAK,KAAK,MAAM,IAAI,KAAK,KAAK,MAAM,IAAI,KAAK,KAAK,MAAM;YAAE,OAAO,WAAW,CAAA;IAClF,CAAC;IAED,MAAM;IACN,IAAI,CAAC,CAAC,CAAC,CAAC,KAAK,IAAI,IAAI,CAAC,CAAC,CAAC,CAAC,KAAK,IAAI,IAAI,CAAC,CAAC,CAAC,CAAC,KAAK,IAAI,IAAI,CAAC,CAAC,CAAC,CAAC,KAAK,IAAI;QAAE,OAAO,iBAAiB,CAAA;IAE9F,MAAM;IACN,IAAI,CAAC,CAAC,CAAC,CAAC,KAAK,IAAI,IAAI,CAAC,CAAC,CAAC,CAAC,KAAK,IAAI,IAAI,CAAC,CAAC,CAAC,CAAC,KAAK,IAAI,IAAI,CAAC,CAAC,CAAC,CAAC,KAAK,IAAI;QAAE,OAAO,WAAW,CAAA;IAExF,kDAAkD;IAClD,IAAI,CAAC,CAAC,CAAC,CAAC,KAAK,IAAI,IAAI,CAAC,CAAC,CAAC,CAAC,KAAK,IAAI,IAAI,CAAC,CAAC,CAAC,CAAC,KAAK,IAAI;QAAE,OAAO,YAAY,CAAA;IACxE,IAAI,CAAC,CAAC,CAAC,CAAC,KAAK,IAAI,IAAI,CAAC,CAAC,CAAC,CAAC,CAAE,GAAG,IAAI,CAAC,KAAK,IAAI;QAAE,OAAO,YAAY,CAAA;IAEjE,8BAA8B;IAC9B,IAAI,CAAC,CAAC,CAAC,CAAC,KAAK,IAAI,IAAI,CAAC,CAAC,CAAC,CAAC,KAAK,IAAI,IAAI,CAAC,CAAC,CAAC,CAAC,KAAK,IAAI,IAAI,CAAC,CAAC,CAAC,CAAC,KAAK,IAAI;QAAE,OAAO,YAAY,CAAA;IAEzF,uEAAuE;IACvE,6CAA6C;IAC7C,MAAM,IAAI,GAAG,IAAI,WAAW,CAAC,OAAO,EAAE,EAAE,KAAK,EAAE,KAAK,EAAE,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,IAAI,CAAC,CAAC,CAAC,SAAS,EAAE,CAAA;IAC5F,IACE,IAAI,CAAC,WAAW,EAAE,CAAC,QAAQ,CAAC,MAAM,CAAC;QACnC,CAAC,IAAI,CAAC,UAAU,CAAC,OAAO,CAAC,IAAI,IAAI,CAAC,WAAW,EAAE,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,EACjE,CAAC;QACD,OAAO,eAAe,CAAA;IACxB,CAAC;IAED,OAAO,IAAI,CAAA;AACb,CAAC;AAED,OAAO,EAAE,mBAAmB,EAAE,sBAAsB,EAAE,CAAA"}

package/dist/security/webhook.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"webhook.d.ts","sourceRoot":"","sources":["../../src/security/webhook.ts"],"names":[],"mappings":"AAYA,+FAA+F;AAC/F,wBAAgB,kBAAkB,CAAC,GAAG,EAAE,MAAM,GAAG;IAAE,KAAK,EAAE,OAAO,CAAC;IAAC,KAAK,CAAC,EAAE,MAAM,CAAA;CAAE,CAsBlF;AAED,+EAA+E;AAC/E,wBAAsB,eAAe,CACnC,QAAQ,EAAE,MAAM,GACf,OAAO,CAAC;IAAE,IAAI,EAAE,OAAO,CAAC;IAAC,UAAU,CAAC,EAAE,MAAM,CAAC;IAAC,KAAK,CAAC,EAAE,MAAM,CAAA;CAAE,CAAC,CA0BjE"}
+{"version":3,"file":"webhook.d.ts","sourceRoot":"","sources":["../../src/security/webhook.ts"],"names":[],"mappings":"AAYA,+FAA+F;AAC/F,wBAAgB,kBAAkB,CAAC,GAAG,EAAE,MAAM,GAAG;IAAE,KAAK,EAAE,OAAO,CAAC;IAAC,KAAK,CAAC,EAAE,MAAM,CAAA;CAAE,CAsBlF;AAED,+EAA+E;AAC/E,wBAAsB,eAAe,CACnC,QAAQ,EAAE,MAAM,GACf,OAAO,CAAC;IAAE,IAAI,EAAE,OAAO,CAAC;IAAC,UAAU,CAAC,EAAE,MAAM,CAAC;IAAC,KAAK,CAAC,EAAE,MAAM,CAAA;CAAE,CAAC,CA8BjE"}

package/dist/security/webhook.js

@@ -13,21 +13,21 @@ const PRIVATE_RANGES = [
 export function validateWebhookUrl(url) {
     try {
         const parsed = new URL(url);
-        if (!["https:", "http:"].includes(parsed.protocol)) {
-            return { valid: false, error: "Only HTTP(S) protocols are allowed" };
+        if (!['https:', 'http:'].includes(parsed.protocol)) {
+            return { valid: false, error: 'Only HTTP(S) protocols are allowed' };
         }
-        if (parsed.hostname === "localhost" || parsed.hostname === "0.0.0.0") {
-            return { valid: false, error: "Localhost URLs are not allowed" };
+        if (parsed.hostname === 'localhost' || parsed.hostname === '0.0.0.0') {
+            return { valid: false, error: 'Localhost URLs are not allowed' };
         }
         for (const range of PRIVATE_RANGES) {
             if (range.test(parsed.hostname)) {
-                return { valid: false, error: "Private/internal IP addresses are not allowed" };
+                return { valid: false, error: 'Private/internal IP addresses are not allowed' };
             }
         }
         return { valid: true };
     }
     catch {
-        return { valid: false, error: "Invalid URL" };
+        return { valid: false, error: 'Invalid URL' };
     }
 }
 /** Resolve a hostname and verify the resulting IP isn't in a private range. */
@@ -38,12 +38,16 @@ export async function resolveAndCheck(hostname) {
         const v4 = await resolve4(hostname);
         ips.push(...v4);
     }
-    catch { /* no A records */ }
+    catch {
+        /* no A records */
+    }
     try {
         const v6 = await resolve6(hostname);
         ips.push(...v6);
     }
-    catch { /* no AAAA records */ }
+    catch {
+        /* no AAAA records */
+    }
     if (ips.length === 0) {
         return { safe: false, error: `DNS resolution failed for ${hostname}` };
     }

package/dist/security/webhook.js.map

@@ -1 +1 @@
-{"version":3,"file":"webhook.js","sourceRoot":"","sources":["../../src/security/webhook.ts"],"names":[],"mappings":"AAAA,MAAM,cAAc,GAAG;IACrB,OAAO;IACP,4BAA4B;IAC5B,aAAa;IACb,QAAQ;IACR,MAAM;IACN,aAAa;IACb,OAAO;IACP,SAAS;IACT,SAAS;CACV,CAAC;AAEF,+FAA+F;AAC/F,MAAM,UAAU,kBAAkB,CAAC,GAAW;IAC5C,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,CAAC;QAE5B,IAAI,CAAC,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,QAAQ,CAAC,EAAE,CAAC;YACnD,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,oCAAoC,EAAE,CAAC;QACvE,CAAC;QAED,IAAI,MAAM,CAAC,QAAQ,KAAK,WAAW,IAAI,MAAM,CAAC,QAAQ,KAAK,SAAS,EAAE,CAAC;YACrE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,gCAAgC,EAAE,CAAC;QACnE,CAAC;QAED,KAAK,MAAM,KAAK,IAAI,cAAc,EAAE,CAAC;YACnC,IAAI,KAAK,CAAC,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,EAAE,CAAC;gBAChC,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,+CAA+C,EAAE,CAAC;YAClF,CAAC;QACH,CAAC;QAED,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC;IACzB,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,aAAa,EAAE,CAAC;IAChD,CAAC;AACH,CAAC;AAED,+EAA+E;AAC/E,MAAM,CAAC,KAAK,UAAU,eAAe,CACnC,QAAgB;IAEhB,MAAM,EAAE,QAAQ,EAAE,QAAQ,EAAE,GAAG,MAAM,MAAM,CAAC,mBAAmB,CAAC,CAAC;IAEjE,MAAM,GAAG,GAAa,EAAE,CAAC;IACzB,IAAI,CAAC;QACH,MAAM,EAAE,GAAG,MAAM,QAAQ,CAAC,QAAQ,CAAC,CAAC;QACpC,GAAG,CAAC,IAAI,CAAC,GAAG,EAAE,CAAC,CAAC;IAClB,CAAC;IAAC,MAAM,CAAC,CAAC,kBAAkB,CAAC,CAAC;IAC9B,IAAI,CAAC;QACH,MAAM,EAAE,GAAG,MAAM,QAAQ,CAAC,QAAQ,CAAC,CAAC;QACpC,GAAG,CAAC,IAAI,CAAC,GAAG,EAAE,CAAC,CAAC;IAClB,CAAC;IAAC,MAAM,CAAC,CAAC,qBAAqB,CAAC,CAAC;IAEjC,IAAI,GAAG,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACrB,OAAO,EAAE,IAAI,EAAE,KAAK,EAAE,KAAK,EAAE,6BAA6B,QAAQ,EAAE,EAAE,CAAC;IACzE,CAAC;IAED,KAAK,MAAM,EAAE,IAAI,GAAG,EAAE,CAAC;QACrB,KAAK,MAAM,KAAK,IAAI,cAAc,EAAE,CAAC;YACnC,IAAI,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,EAAE,CAAC;gBACnB,OAAO,EAAE,IAAI,EAAE,KAAK,EAAE,UAAU,EAAE,EAAE,EAAE,KAAK,EAAE,eAAe,EAAE,wBAAwB,EAAE,CAAC;YAC3F,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,EAAE,IAAI,EAAE,IAAI,EAAE,UAAU,EAAE,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC;AAC5C,CAAC"}
+{"version":3,"file":"webhook.js","sourceRoot":"","sources":["../../src/security/webhook.ts"],"names":[],"mappings":"AAAA,MAAM,cAAc,GAAG;IACrB,OAAO;IACP,4BAA4B;IAC5B,aAAa;IACb,QAAQ;IACR,MAAM;IACN,aAAa;IACb,OAAO;IACP,SAAS;IACT,SAAS;CACV,CAAA;AAED,+FAA+F;AAC/F,MAAM,UAAU,kBAAkB,CAAC,GAAW;IAC5C,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,CAAA;QAE3B,IAAI,CAAC,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,QAAQ,CAAC,EAAE,CAAC;YACnD,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,oCAAoC,EAAE,CAAA;QACtE,CAAC;QAED,IAAI,MAAM,CAAC,QAAQ,KAAK,WAAW,IAAI,MAAM,CAAC,QAAQ,KAAK,SAAS,EAAE,CAAC;YACrE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,gCAAgC,EAAE,CAAA;QAClE,CAAC;QAED,KAAK,MAAM,KAAK,IAAI,cAAc,EAAE,CAAC;YACnC,IAAI,KAAK,CAAC,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,EAAE,CAAC;gBAChC,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,+CAA+C,EAAE,CAAA;YACjF,CAAC;QACH,CAAC;QAED,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,CAAA;IACxB,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,aAAa,EAAE,CAAA;IAC/C,CAAC;AACH,CAAC;AAED,+EAA+E;AAC/E,MAAM,CAAC,KAAK,UAAU,eAAe,CACnC,QAAgB;IAEhB,MAAM,EAAE,QAAQ,EAAE,QAAQ,EAAE,GAAG,MAAM,MAAM,CAAC,mBAAmB,CAAC,CAAA;IAEhE,MAAM,GAAG,GAAa,EAAE,CAAA;IACxB,IAAI,CAAC;QACH,MAAM,EAAE,GAAG,MAAM,QAAQ,CAAC,QAAQ,CAAC,CAAA;QACnC,GAAG,CAAC,IAAI,CAAC,GAAG,EAAE,CAAC,CAAA;IACjB,CAAC;IAAC,MAAM,CAAC;QACP,kBAAkB;IACpB,CAAC;IACD,IAAI,CAAC;QACH,MAAM,EAAE,GAAG,MAAM,QAAQ,CAAC,QAAQ,CAAC,CAAA;QACnC,GAAG,CAAC,IAAI,CAAC,GAAG,EAAE,CAAC,CAAA;IACjB,CAAC;IAAC,MAAM,CAAC;QACP,qBAAqB;IACvB,CAAC;IAED,IAAI,GAAG,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACrB,OAAO,EAAE,IAAI,EAAE,KAAK,EAAE,KAAK,EAAE,6BAA6B,QAAQ,EAAE,EAAE,CAAA;IACxE,CAAC;IAED,KAAK,MAAM,EAAE,IAAI,GAAG,EAAE,CAAC;QACrB,KAAK,MAAM,KAAK,IAAI,cAAc,EAAE,CAAC;YACnC,IAAI,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,EAAE,CAAC;gBACnB,OAAO,EAAE,IAAI,EAAE,KAAK,EAAE,UAAU,EAAE,EAAE,EAAE,KAAK,EAAE,eAAe,EAAE,wBAAwB,EAAE,CAAA;YAC1F,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,EAAE,IAAI,EAAE,IAAI,EAAE,UAAU,EAAE,GAAG,CAAC,CAAC,CAAC,EAAE,CAAA;AAC3C,CAAC"}

package/dist/seo/analysis.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"analysis.d.ts","sourceRoot":"","sources":["../../src/seo/analysis.ts"],"names":[],"mappings":"AAOA,MAAM,WAAW,iBAAiB;IAChC,KAAK,EAAE,MAAM,CAAA;IACb,MAAM,EAAE,QAAQ,EAAE,CAAA;CACnB;AAED,MAAM,WAAW,QAAQ;IACvB,EAAE,EAAE,MAAM,CAAA;IACV,QAAQ,EAAE,WAAW,GAAG,aAAa,GAAG,KAAK,GAAG,QAAQ,CAAA;IACxD,KAAK,EAAE,MAAM,CAAA;IACb,MAAM,EAAE,MAAM,GAAG,aAAa,GAAG,SAAS,CAAA;IAC1C,WAAW,EAAE,MAAM,CAAA;CACpB;AAED,MAAM,WAAW,aAAa;IAC5B,KAAK,EAAE,MAAM,CAAA;IACb,IAAI,EAAE,MAAM,CAAA;IACZ,OAAO,EAAE,MAAM,CAAA;IACf,SAAS,CAAC,EAAE,MAAM,CAAA;IAClB,eAAe,CAAC,EAAE,MAAM,CAAA;IACxB,cAAc,CAAC,EAAE,MAAM,CAAA;IACvB,SAAS,CAAC,EAAE,MAAM,CAAA;IAClB,OAAO,CAAC,EAAE,MAAM,CAAA;IAChB,aAAa,CAAC,EAAE,MAAM,CAAA;IACtB,OAAO,CAAC,EAAE,MAAM,CAAA;IAChB,aAAa,CAAC,EAAE,OAAO,CAAA;CACxB;AAED,MAAM,WAAW,iBAAiB;IAChC,WAAW,EAAE,MAAM,CAAA;IACnB,WAAW,EAAE,MAAM,CAAA;IACnB,iBAAiB,EAAE,MAAM,CAAA;IACzB,aAAa,EAAE,MAAM,CAAA;IACrB,mBAAmB,EAAE,MAAM,CAAA;IAC3B,SAAS,EAAE,MAAM,CAAA;IACjB,aAAa,EAAE,MAAM,CAAA;IACrB,cAAc,EAAE,MAAM,CAAA;IACtB,kBAAkB,EAAE,MAAM,CAAA;CAC3B;AA8DD,kDAAkD;AAClD,wBAAgB,aAAa,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM,CAalD;AAED;;;;;GAKG;AACH,wBAAgB,cAAc,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM,CAsBnD;AAED,iDAAiD;AACjD,wBAAgB,kBAAkB,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAQ5D;AAED,uCAAuC;AACvC,wBAAgB,cAAc,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM,EAAE,CAOrD;AAED,8EAA8E;AAC9E,wBAAgB,eAAe,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM,EAAE,CAKtD;AA0FD;;;;;GAKG;AACH,wBAAgB,cAAc,CAAC,KAAK,EAAE,aAAa,GAAG,iBAAiB,CA2YtE;AAID;;;;;;GAMG;AACH,wBAAgB,oBAAoB,CAAC,IAAI,EAAE,MAAM,GAAG,iBAAiB,CAwCpE"}
+{"version":3,"file":"analysis.d.ts","sourceRoot":"","sources":["../../src/seo/analysis.ts"],"names":[],"mappings":"AAOA,MAAM,WAAW,iBAAiB;IAChC,KAAK,EAAE,MAAM,CAAA;IACb,MAAM,EAAE,QAAQ,EAAE,CAAA;CACnB;AAED,MAAM,WAAW,QAAQ;IACvB,EAAE,EAAE,MAAM,CAAA;IACV,QAAQ,EAAE,WAAW,GAAG,aAAa,GAAG,KAAK,GAAG,QAAQ,CAAA;IACxD,KAAK,EAAE,MAAM,CAAA;IACb,MAAM,EAAE,MAAM,GAAG,aAAa,GAAG,SAAS,CAAA;IAC1C,WAAW,EAAE,MAAM,CAAA;CACpB;AAED,MAAM,WAAW,aAAa;IAC5B,KAAK,EAAE,MAAM,CAAA;IACb,IAAI,EAAE,MAAM,CAAA;IACZ,OAAO,EAAE,MAAM,CAAA;IACf,SAAS,CAAC,EAAE,MAAM,CAAA;IAClB,eAAe,CAAC,EAAE,MAAM,CAAA;IACxB,cAAc,CAAC,EAAE,MAAM,CAAA;IACvB,SAAS,CAAC,EAAE,MAAM,CAAA;IAClB,OAAO,CAAC,EAAE,MAAM,CAAA;IAChB,aAAa,CAAC,EAAE,MAAM,CAAA;IACtB,OAAO,CAAC,EAAE,MAAM,CAAA;IAChB,aAAa,CAAC,EAAE,OAAO,CAAA;CACxB;AAED,MAAM,WAAW,iBAAiB;IAChC,WAAW,EAAE,MAAM,CAAA;IACnB,WAAW,EAAE,MAAM,CAAA;IACnB,iBAAiB,EAAE,MAAM,CAAA;IACzB,aAAa,EAAE,MAAM,CAAA;IACrB,mBAAmB,EAAE,MAAM,CAAA;IAC3B,SAAS,EAAE,MAAM,CAAA;IACjB,aAAa,EAAE,MAAM,CAAA;IACrB,cAAc,EAAE,MAAM,CAAA;IACtB,kBAAkB,EAAE,MAAM,CAAA;CAC3B;AA8DD,kDAAkD;AAClD,wBAAgB,aAAa,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM,CAalD;AAED;;;;;GAKG;AACH,wBAAgB,cAAc,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM,CAsBnD;AAED,iDAAiD;AACjD,wBAAgB,kBAAkB,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAa5D;AAED,uCAAuC;AACvC,wBAAgB,cAAc,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM,EAAE,CAOrD;AAED,8EAA8E;AAC9E,wBAAgB,eAAe,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM,EAAE,CAKtD;AA6FD;;;;;GAKG;AACH,wBAAgB,cAAc,CAAC,KAAK,EAAE,aAAa,GAAG,iBAAiB,CAsZtE;AAID;;;;;;GAMG;AACH,wBAAgB,oBAAoB,CAAC,IAAI,EAAE,MAAM,GAAG,iBAAiB,CAsCpE"}