@angular-helpers/security 21.2.0 → 21.4.1

package/types/angular-helpers-security.d.ts

@@ -1,5 +1,7 @@
 import * as i0 from '@angular/core';
-import { InjectionToken, EnvironmentProviders } from '@angular/core';
+import { InjectionToken, Signal, EnvironmentProviders } from '@angular/core';
+import { Observable } from 'rxjs';
+import { HttpInterceptorFn } from '@angular/common/http';
 
 interface RegexSecurityConfig {
     timeout?: number;
@@ -273,6 +275,9 @@ declare const SANITIZER_CONFIG: InjectionToken<SanitizerConfig>;
  * This service is defense-in-depth and DOES NOT replace a Content Security Policy (CSP).
  * Always configure a proper CSP alongside using this service.
  *
+ * Delegates to shared pure helpers in `internal/validators-core` so Signal Forms and Reactive Forms
+ * validators share the exact same sanitization logic.
+ *
  * @example
  * const clean = sanitizer.sanitizeHtml('<b>Hello</b><script>alert(1)</script>');
  * // → '<b>Hello</b>'
@@ -310,22 +315,89 @@ declare class InputSanitizerService {
      * Does NOT use `eval` or `Function` — uses JSON.parse only.
      */
     sanitizeJson(input: string): unknown | null;
-    private processNode;
-    private sanitizeAttributes;
     static ɵfac: i0.ɵɵFactoryDeclaration<InputSanitizerService, never>;
     static ɵprov: i0.ɵɵInjectableDeclaration<InputSanitizerService>;
 }
 
-interface PasswordStrengthResult {
-    score: 0 | 1 | 2 | 3 | 4;
-    label: 'very-weak' | 'weak' | 'fair' | 'strong' | 'very-strong';
+/**
+ * Internal validator helpers shared by both Reactive Forms validators
+ * (`SecurityValidators`) and Signal Forms validators (`@angular-helpers/security/signal-forms`).
+ *
+ * All helpers in this module are pure and side-effect free. Browser-only helpers
+ * (those using DOMParser) are clearly marked and throw when called outside a browser.
+ *
+ * This module is INTERNAL — not part of the public API surface.
+ */
+type PasswordScore = 0 | 1 | 2 | 3 | 4;
+type PasswordLabel = 'very-weak' | 'weak' | 'fair' | 'strong' | 'very-strong';
+interface PasswordAssessment {
+    score: PasswordScore;
+    label: PasswordLabel;
     entropy: number;
     feedback: string[];
 }
+/**
+ * Entropy-based password assessment. Pure function — safe to call outside Angular context.
+ *
+ * Thresholds (bits of entropy):
+ * - 0 (very-weak):  < 28
+ * - 1 (weak):       28–35
+ * - 2 (fair):       36–49
+ * - 3 (strong):     50–69
+ * - 4 (very-strong): ≥ 70
+ */
+declare function assessPasswordStrength(password: string): PasswordAssessment;
+/**
+ * URL safety check. Returns the normalized URL when the scheme is allowed, `null` otherwise.
+ * Malformed URLs, relative URLs, and blocked schemes all return `null`.
+ */
+declare function sanitizeUrlString(input: string, allowedSchemes?: readonly string[]): string | null;
+/**
+ * Boolean helper around `sanitizeUrlString`. `true` when the URL is well-formed and allowed.
+ */
+declare function isUrlSafe(input: string, allowedSchemes?: readonly string[]): boolean;
+/**
+ * Lightweight check for common script-injection sentinels. Complements (does NOT replace)
+ * a full HTML sanitizer or Content Security Policy.
+ */
+declare function containsScriptInjection(input: string): boolean;
+/**
+ * Heuristic check for SQL-injection sentinel strings.
+ * Intended as defense-in-depth for client-side form inputs; never a substitute for parameterized queries.
+ */
+declare function containsSqlInjectionHints(input: string): boolean;
+declare const DEFAULT_ALLOWED_TAGS: readonly string[];
+declare const DEFAULT_ALLOWED_ATTRIBUTES: Readonly<Record<string, readonly string[]>>;
+interface HtmlSanitizerOptions {
+    allowedTags?: readonly string[];
+    allowedAttributes?: Readonly<Record<string, readonly string[]>>;
+}
+/**
+ * Sanitizes an HTML string by allowlist. Browser-only: requires DOMParser.
+ *
+ * @throws {Error} When called in a non-browser environment.
+ */
+declare function sanitizeHtmlString(input: string, options?: HtmlSanitizerOptions): string;
+/**
+ * Returns `true` when sanitizing `input` produces the same string (i.e. nothing was stripped).
+ * Empty strings are considered safe.
+ *
+ * @throws {Error} When called in a non-browser environment.
+ */
+declare function isHtmlSafe(input: string, options?: HtmlSanitizerOptions): boolean;
+
+/**
+ * Backwards-compatible alias for the shared {@link PasswordAssessment} type.
+ * Kept to preserve the `21.2.0` public API surface.
+ */
+type PasswordStrengthResult = PasswordAssessment;
 /**
  * Service for entropy-based password strength evaluation.
  * All methods are synchronous and side-effect free — safely wrappable in Angular `computed()`.
  *
+ * Delegates to the shared {@link assessPasswordStrength} helper so Reactive Forms validators,
+ * Signal Forms validators, and direct service consumers all share identical logic.
+ *
  * Score thresholds (bits of entropy):
  * - 0 (very-weak):  < 28 bits
  * - 1 (weak):       28–35 bits
@@ -345,18 +417,427 @@ declare class PasswordStrengthService {
      * Never throws — returns score 0 for empty or null-like input.
      */
     assess(password: string): PasswordStrengthResult;
-    private entropyToScore;
-    private containsSequence;
     static ɵfac: i0.ɵɵFactoryDeclaration<PasswordStrengthService, never>;
     static ɵprov: i0.ɵɵInjectableDeclaration<PasswordStrengthService>;
 }
 
+/**
+ * Thrown when a string is not a well-formed JWT (wrong number of segments,
+ * malformed base64url payload, or non-JSON payload).
+ */
+declare class InvalidJwtError extends Error {
+    constructor(message: string);
+}
+/**
+ * Standard JWT registered claims. See RFC 7519.
+ */
+interface JwtStandardClaims {
+    iss?: string;
+    sub?: string;
+    aud?: string | string[];
+    exp?: number;
+    nbf?: number;
+    iat?: number;
+    jti?: string;
+}
+/**
+ * Client-side JWT inspection utilities.
+ *
+ * **This service decodes JWT payloads for client-side inspection only. Signature verification
+ * MUST happen server-side** — this service never validates signatures, issuer, audience,
+ * or any trust-related property.
+ *
+ * Use cases:
+ * - Reading the expiration to schedule refresh
+ * - Extracting user-facing claims (e.g. `name`, `email`) for UX
+ * - Detecting expired tokens to redirect to login
+ *
+ * @example
+ * const token = localStorage.getItem('access_token');
+ * if (!token || jwt.isExpired(token, 30)) {
+ *   router.navigate(['/login']);
+ * }
+ * const userId = jwt.claim<string>(token, 'sub');
+ */
+declare class JwtService {
+    /**
+     * Decodes the payload segment of a JWT and returns it typed.
+     *
+     * @throws {InvalidJwtError} When the token is not three dot-separated segments,
+     *   or when the payload cannot be base64url-decoded and parsed as JSON.
+     */
+    decode<T extends JwtStandardClaims = JwtStandardClaims>(token: string): T;
+    /**
+     * Returns `true` when the token is expired relative to `Date.now()`.
+     * Missing or non-numeric `exp` counts as expired (fail-secure).
+     *
+     * @param leewaySeconds Optional clock-skew tolerance in seconds. Default: `0`.
+     */
+    isExpired(token: string, leewaySeconds?: number): boolean;
+    /**
+     * Returns milliseconds until the token expires.
+     * Negative when already expired. `0` when `exp` is missing.
+     */
+    expiresIn(token: string): number;
+    /**
+     * Extracts a single claim from the payload. Returns `null` when the claim is absent
+     * or the token is malformed.
+     */
+    claim<T = unknown>(token: string, name: string): T | null;
+    static ɵfac: i0.ɵɵFactoryDeclaration<JwtService, never>;
+    static ɵprov: i0.ɵɵInjectableDeclaration<JwtService>;
+}
+
+declare class ClipboardUnsupportedError extends Error {
+    constructor();
+}
+interface SensitiveCopyOptions {
+    /**
+     * Milliseconds before the clipboard is automatically cleared.
+     * Set to `0` to disable auto-clear. Default: `15000` (15 seconds).
+     */
+    clearAfterMs?: number;
+}
+type CopyStatus = 'copied' | 'cleared' | 'read-denied' | 'error';
+/**
+ * Copies sensitive strings to the clipboard with automatic, verified clearing.
+ *
+ * Mirrors the behaviour of password managers (1Password, Bitwarden): the clipboard is
+ * cleared only when its current content still matches what we wrote, preventing clobbering
+ * of unrelated user copies.
+ *
+ * Requires a secure context and `navigator.clipboard`. The auto-clear step additionally
+ * requires `navigator.clipboard.readText()` permission; when denied, the clear is skipped
+ * and the status emits `'read-denied'`.
+ *
+ * Any pending clear timer is cancelled automatically when the owning injector is destroyed.
+ *
+ * @example
+ * await sensitiveClipboard.copy(password, { clearAfterMs: 15_000 });
+ */
+declare class SensitiveClipboardService {
+    private readonly platformId;
+    private readonly destroyRef;
+    private pendingTimer;
+    constructor();
+    isSupported(): boolean;
+    /**
+     * Writes `text` to the clipboard and schedules an auto-clear.
+     *
+     * @throws {ClipboardUnsupportedError} When the Clipboard API is unavailable.
+     */
+    copy(text: string, options?: SensitiveCopyOptions): Promise<void>;
+    /**
+     * Reactive variant of {@link copy}. Emits `'copied'` immediately after writing, then
+     * `'cleared'` | `'read-denied'` | `'error'` once the auto-clear completes (or is skipped).
+     */
+    copy$(text: string, options?: SensitiveCopyOptions): Observable<CopyStatus>;
+    /**
+     * Cancels any pending auto-clear timer. The clipboard content is not modified.
+     */
+    cancelPendingClear(): void;
+    private safeClear;
+    /**
+     * Forcefully clears the clipboard unconditionally.
+     */
+    clear(): Promise<void>;
+    static ɵfac: i0.ɵɵFactoryDeclaration<SensitiveClipboardService, never>;
+    static ɵprov: i0.ɵɵInjectableDeclaration<SensitiveClipboardService>;
+}
+
+interface HibpConfig {
+    /**
+     * Base URL for the HIBP Pwned Passwords range API.
+     * Default: `https://api.pwnedpasswords.com/range/`.
+     * Override when routing through an enterprise proxy or test fixture.
+     */
+    endpoint?: string;
+}
+declare const HIBP_CONFIG: InjectionToken<HibpConfig>;
+/**
+ * Result of a leaked-password lookup.
+ *
+ * - `leaked: true` — the password hash was found in the HIBP breach corpus
+ * - `leaked: false` — password is not known to be leaked (either truly safe, or the lookup failed)
+ * - `error: 'network'` — HIBP endpoint unreachable; defaults to `leaked: false` (fail-open)
+ * - `error: 'unsupported'` — running outside a secure browser context
+ */
+interface HibpResult {
+    leaked: boolean;
+    count: number;
+    error?: 'network' | 'unsupported';
+}
+/**
+ * Checks whether a password appears in the Have I Been Pwned breach corpus using the
+ * k-anonymity API. Only the first 5 hex characters of the SHA-1 hash leave the browser;
+ * the full password is never transmitted.
+ *
+ * The service is fail-open: network errors return `{ leaked: false, error: 'network' }`
+ * to avoid blocking form submissions when HIBP is unreachable. Use this signal to
+ * *complement* entropy-based checks, never as the sole gate.
+ *
+ * @example
+ * const { leaked, count } = await hibp.isPasswordLeaked(password);
+ * if (leaked) alert(`This password has appeared in ${count} breaches`);
+ */
+declare class HibpService {
+    private readonly platformId;
+    private readonly webCrypto;
+    private readonly endpoint;
+    constructor();
+    isSupported(): boolean;
+    /**
+     * Returns whether the given password is present in the HIBP breach corpus.
+     * Never throws: network failures return `{ leaked: false, error: 'network' }`,
+     * unsupported environments return `{ leaked: false, error: 'unsupported' }`.
+     */
+    isPasswordLeaked(password: string): Promise<HibpResult>;
+    static ɵfac: i0.ɵɵFactoryDeclaration<HibpService, never>;
+    static ɵprov: i0.ɵɵInjectableDeclaration<HibpService>;
+}
+
+type RateLimitPolicy = {
+    type: 'token-bucket';
+    capacity: number;
+    refillPerSecond: number;
+} | {
+    type: 'sliding-window';
+    max: number;
+    windowMs: number;
+};
+interface RateLimiterConfig {
+    /**
+     * Policies registered at bootstrap. Can also be set at runtime via
+     * {@link RateLimiterService.configure}.
+     */
+    defaults?: Record<string, RateLimitPolicy>;
+}
+declare const RATE_LIMITER_CONFIG: InjectionToken<RateLimiterConfig>;
+/**
+ * Thrown by {@link RateLimiterService.consume} when the configured capacity is exhausted.
+ */
+declare class RateLimitExceededError extends Error {
+    readonly key: string;
+    readonly retryAfterMs: number;
+    constructor(key: string, retryAfterMs: number);
+}
+/**
+ * Client-side rate limiter with per-key policies. Use to protect the user's own backend
+ * from accidental bursts (search-as-you-type, button mashing, automated retries) or to
+ * pace client-side operations.
+ *
+ * Two policies are supported:
+ * - **Token bucket**: smooth rate limiting with burst capacity.
+ * - **Sliding window**: strict max operations per time window.
+ *
+ * Unknown keys are fail-open: `canExecute` returns `true`, `consume` is a no-op. Register
+ * policies explicitly with {@link configure} or via the `RATE_LIMITER_CONFIG` token.
+ *
+ * All state is kept in memory for the lifetime of the service instance — cross-tab
+ * synchronization is out of scope for v1.
+ *
+ * @example
+ * rateLimiter.configure('search', { type: 'token-bucket', capacity: 5, refillPerSecond: 1 });
+ *
+ * async search(query: string) {
+ *   await rateLimiter.consume('search'); // throws RateLimitExceededError when exhausted
+ *   return this.api.search(query);
+ * }
+ */
+declare class RateLimiterService {
+    private readonly destroyRef;
+    private readonly buckets;
+    constructor();
+    /**
+     * Registers or updates the policy for `key`. Re-configuring an existing key resets its state.
+     */
+    configure(key: string, policy: RateLimitPolicy): void;
+    /**
+     * Attempts to consume `tokens` units from the bucket. Resolves on success; rejects with
+     * {@link RateLimitExceededError} when the bucket is exhausted.
+     *
+     * For undeclared keys, this method resolves immediately without consuming anything
+     * (fail-open behaviour — intentional to avoid silent failures when a policy is missing).
+     */
+    consume(key: string, tokens?: number): Promise<void>;
+    /**
+     * Reactive signal indicating whether a single unit can be consumed from `key` right now.
+     * For undeclared keys, returns `signal(true)`.
+     */
+    canExecute(key: string): Signal<boolean>;
+    /**
+     * Reactive signal holding the remaining capacity for `key`.
+     * For undeclared keys, returns `signal(Infinity)`.
+     */
+    remaining(key: string): Signal<number>;
+    /**
+     * Resets the counter for `key` to its maximum. No-op for undeclared keys.
+     */
+    reset(key: string): void;
+    private refillTokenBucket;
+    static ɵfac: i0.ɵɵFactoryDeclaration<RateLimiterService, never>;
+    static ɵprov: i0.ɵɵInjectableDeclaration<RateLimiterService>;
+}
+
+type CsrfStorageTarget = 'local' | 'session';
+type HttpMethod = 'POST' | 'PUT' | 'PATCH' | 'DELETE';
+interface CsrfConfig {
+    /** Storage used to persist the token. Default: `'session'`. */
+    storage?: CsrfStorageTarget;
+    /** Storage key. Default: `'__csrf_token__'`. */
+    storageKey?: string;
+}
+declare const CSRF_CONFIG: InjectionToken<CsrfConfig>;
+/**
+ * CSRF token helper using the double-submit cookie / header pattern.
+ *
+ * The service stores a cryptographically secure token in the configured storage and exposes
+ * it to HTTP interceptors ({@link withCsrfHeader}). Token lifecycle (creation, rotation,
+ * clearing) is the application's responsibility — typically the token is issued by the
+ * backend at login and stored via {@link storeToken}.
+ *
+ * Use a different header name than Angular's built-in XSRF ({@link `X-XSRF-TOKEN`}) to avoid
+ * interaction with `HttpClientXsrfModule`. Default: {@link `X-CSRF-Token`}.
+ */
+declare class CsrfService {
+    private readonly platformId;
+    private readonly webCrypto;
+    private readonly storageKey;
+    private readonly storageTarget;
+    constructor();
+    isSupported(): boolean;
+    /**
+     * Generates a new CSRF token as a 32-byte hex string. The token is NOT persisted
+     * automatically — call {@link storeToken} to save it.
+     */
+    generateToken(): string;
+    /**
+     * Persists the token to the configured storage.
+     */
+    storeToken(token: string): void;
+    /**
+     * Returns the stored token, or `null` when unset or outside a browser environment.
+     */
+    getToken(): string | null;
+    /**
+     * Removes the stored token.
+     */
+    clearToken(): void;
+    private get nativeStorage();
+    static ɵfac: i0.ɵɵFactoryDeclaration<CsrfService, never>;
+    static ɵprov: i0.ɵɵInjectableDeclaration<CsrfService>;
+}
+interface CsrfHeaderOptions {
+    /** Header name to inject. Default: `'X-CSRF-Token'`. */
+    headerName?: string;
+    /** HTTP methods on which the header is injected. Default: `['POST','PUT','PATCH','DELETE']`. */
+    methods?: readonly HttpMethod[];
+}
+/**
+ * Functional HTTP interceptor that injects the current CSRF token as a request header on
+ * state-changing methods. When the token is absent, the header is omitted silently.
+ *
+ * Register via `provideHttpClient(withInterceptors([withCsrfHeader()]))`.
+ *
+ * @example
+ * bootstrapApplication(App, {
+ *   providers: [
+ *     provideSecurity({ enableCsrf: true }),
+ *     provideHttpClient(withInterceptors([withCsrfHeader()])),
+ *   ],
+ * });
+ */
+declare function withCsrfHeader(options?: CsrfHeaderOptions): HttpInterceptorFn;
+
+interface SessionIdleConfig {
+    timeoutMs: number;
+    warningThresholdMs?: number;
+    autoClearStorage?: boolean;
+    autoClearClipboard?: boolean;
+    events?: string[];
+}
+declare class SessionIdleService {
+    private ngZone;
+    private document;
+    private injector;
+    private destroyRef;
+    private _isIdle;
+    private _isWarning;
+    private _timeRemaining;
+    private _timeoutSubject;
+    readonly isIdle: Signal<boolean>;
+    readonly isWarning: Signal<boolean>;
+    readonly timeRemaining: Signal<number | null>;
+    readonly onTimeout: Observable<void>;
+    private config;
+    private lastActivityTime;
+    private timerInterval;
+    private eventSubscription?;
+    constructor();
+    start(config: SessionIdleConfig): void;
+    stop(): void;
+    reset(): void;
+    private checkIdle;
+    private triggerTimeout;
+    static ɵfac: i0.ɵɵFactoryDeclaration<SessionIdleService, never>;
+    static ɵprov: i0.ɵɵInjectableDeclaration<SessionIdleService>;
+}
+
+interface SecureMessageConfig {
+    allowedOrigins: string[];
+    signingKey: CryptoKey;
+}
+interface SecureMessage<T = unknown> {
+    data: T;
+    origin: string;
+    timestamp: number;
+}
+declare class SecureMessageService {
+    private readonly ngZone;
+    private readonly platformId;
+    private readonly document;
+    private readonly crypto;
+    private config;
+    private _lastMessage;
+    private _messages$;
+    private messageHandler;
+    private get targetWindow();
+    /** Returns a new HMAC-SHA-256 CryptoKey ready to use in `configure()`. */
+    generateChannelKey(): Promise<CryptoKey>;
+    /**
+     * Configures the service with a signing key and allowed origins.
+     * Starts listening for incoming messages.
+     */
+    configure(config: SecureMessageConfig): void;
+    /**
+     * Signs and sends a payload to a target window.
+     * @throws if `targetOrigin` is `'*'`
+     */
+    send<T>(target: Window, payload: T, targetOrigin: string): Promise<void>;
+    /** Observable of verified incoming messages. */
+    messages$<T = unknown>(): Observable<SecureMessage<T>>;
+    /** Signal with the last verified incoming message (null before first message). */
+    lastMessage<T = unknown>(): Signal<SecureMessage<T> | null>;
+    /** Removes the window listener and completes the internal Subject. */
+    destroy(): void;
+    private handleMessage;
+    static ɵfac: i0.ɵɵFactoryDeclaration<SecureMessageService, never>;
+    static ɵprov: i0.ɵɵInjectableDeclaration<SecureMessageService>;
+}
+
 interface SecurityConfig {
     enableRegexSecurity?: boolean;
     enableWebCrypto?: boolean;
     enableSecureStorage?: boolean;
     enableInputSanitizer?: boolean;
     enablePasswordStrength?: boolean;
+    enableJwt?: boolean;
+    enableSensitiveClipboard?: boolean;
+    enableHibp?: boolean;
+    enableRateLimiter?: boolean;
+    enableCsrf?: boolean;
+    enableSessionIdle?: boolean;
+    enableSecureMessage?: boolean;
     defaultTimeout?: number;
     safeMode?: boolean;
 }
@@ -367,6 +848,13 @@ declare function provideWebCrypto(): EnvironmentProviders;
 declare function provideSecureStorage(config?: SecureStorageConfig): EnvironmentProviders;
 declare function provideInputSanitizer(config?: SanitizerConfig): EnvironmentProviders;
 declare function providePasswordStrength(): EnvironmentProviders;
+declare function provideJwt(): EnvironmentProviders;
+declare function provideSensitiveClipboard(): EnvironmentProviders;
+declare function provideHibp(config?: HibpConfig): EnvironmentProviders;
+declare function provideRateLimiter(config?: RateLimiterConfig): EnvironmentProviders;
+declare function provideCsrf(config?: CsrfConfig): EnvironmentProviders;
+declare function provideSessionIdle(): EnvironmentProviders;
+declare function provideSecureMessage(): EnvironmentProviders;
 
-export { InputSanitizerService, PasswordStrengthService, RegexSecurityBuilder, RegexSecurityService, SANITIZER_CONFIG, SECURE_STORAGE_CONFIG, SecureStorageService, WebCryptoService, defaultSecurityConfig, provideInputSanitizer, providePasswordStrength, provideRegexSecurity, provideSecureStorage, provideSecurity, provideWebCrypto };
-export type { AesEncryptResult, AesKeyLength, HashAlgorithm, HmacAlgorithm, PasswordStrengthResult, RegexBuilderOptions, RegexSecurityConfig, RegexSecurityResult, RegexTestResult, SanitizerConfig, SecureStorageConfig, SecurityConfig, StorageTarget };
+export { CSRF_CONFIG, ClipboardUnsupportedError, CsrfService, DEFAULT_ALLOWED_ATTRIBUTES, DEFAULT_ALLOWED_TAGS, HIBP_CONFIG, HibpService, InputSanitizerService, InvalidJwtError, JwtService, PasswordStrengthService, RATE_LIMITER_CONFIG, RateLimitExceededError, RateLimiterService, RegexSecurityBuilder, RegexSecurityService, SANITIZER_CONFIG, SECURE_STORAGE_CONFIG, SecureMessageService, SecureStorageService, SensitiveClipboardService, SessionIdleService, WebCryptoService, assessPasswordStrength, containsScriptInjection, containsSqlInjectionHints, defaultSecurityConfig, isHtmlSafe, isUrlSafe, provideCsrf, provideHibp, provideInputSanitizer, provideJwt, providePasswordStrength, provideRateLimiter, provideRegexSecurity, provideSecureMessage, provideSecureStorage, provideSecurity, provideSensitiveClipboard, provideSessionIdle, provideWebCrypto, sanitizeHtmlString, sanitizeUrlString, withCsrfHeader };
+export type { AesEncryptResult, AesKeyLength, CopyStatus, CsrfConfig, CsrfHeaderOptions, CsrfStorageTarget, HashAlgorithm, HibpConfig, HibpResult, HmacAlgorithm, HtmlSanitizerOptions, HttpMethod, JwtStandardClaims, PasswordAssessment, PasswordLabel, PasswordScore, PasswordStrengthResult, RateLimitPolicy, RateLimiterConfig, RegexBuilderOptions, RegexSecurityConfig, RegexSecurityResult, RegexTestResult, SanitizerConfig, SecureMessage, SecureMessageConfig, SecureStorageConfig, SecurityConfig, SensitiveCopyOptions, SessionIdleConfig, StorageTarget };