@arcis/node 1.0.0 → 1.2.0

package/dist/logging/index.d.mts

@@ -1,4 +1,4 @@
-import { L as LogOptions, S as SafeLogger } from '../types-BOdL3ZWo.mjs';
+import { L as LogOptions, S as SafeLogger } from '../types-CsOFHoD9.mjs';
 import 'express';
 
 /**

package/dist/logging/index.d.ts

@@ -1,4 +1,4 @@
-import { L as LogOptions, S as SafeLogger } from '../types-BOdL3ZWo.js';
+import { L as LogOptions, S as SafeLogger } from '../types-CsOFHoD9.js';
 import 'express';
 
 /**

package/dist/logging/index.js

@@ -48,12 +48,21 @@ var REDACTION = {
 };
 
 // src/logging/redactor.ts
+var LOG_LEVELS = {
+  debug: 0,
+  info: 1,
+  warn: 2,
+  error: 3,
+  silent: 4
+};
 function createSafeLogger(options = {}) {
   const {
     redactKeys = [],
     maxLength = REDACTION.DEFAULT_MAX_LENGTH,
-    redactPatterns = []
+    redactPatterns = [],
+    level: minLevel = "debug"
   } = options;
+  const minLevelNum = LOG_LEVELS[minLevel] ?? 0;
   const allRedactKeys = /* @__PURE__ */ new Set([
     ...Array.from(REDACTION.SENSITIVE_KEYS),
     ...redactKeys.map((k) => k.toLowerCase())
@@ -79,6 +88,8 @@ function createSafeLogger(options = {}) {
     return result;
   }
   function log(level, message, data) {
+    const levelNum = LOG_LEVELS[level] ?? 0;
+    if (levelNum < minLevelNum) return;
     const entry = {
       timestamp: (/* @__PURE__ */ new Date()).toISOString(),
       level,

package/dist/logging/index.js.map

@@ -1 +1 @@
-{"version":3,"sources":["../../src/core/constants.ts","../../src/logging/redactor.ts"],"names":[],"mappings":";;;AAQO,IAAM,KAAA,GAAQ;AAAA,EAED;AAAA,EAElB,mBAAA,EAAqB;AACvB,CAAA;AAiOO,IAAM,SAAA,GAAY;AAAA;AAAA,EAEvB,WAAA,EAAa,YAAA;AAAA;AAAA,EAEb,SAAA,EAAW,aAAA;AAAA;AAAA,EAEX,SAAA,EAAW,aAAA;AAAA;AAAA,EAEX,kBAAA,EAAoB,GAAA;AAAA;AAAA,EAEpB,cAAA,sBAAoB,GAAA,CAAI;AAAA,IACtB,UAAA;AAAA,IAAY,QAAA;AAAA,IAAU,KAAA;AAAA,IAAO,QAAA;AAAA,IAAU,OAAA;AAAA,IAAS,QAAA;AAAA,IAChD,SAAA;AAAA,IAAW,QAAA;AAAA,IAAU,MAAA;AAAA,IAAQ,eAAA;AAAA,IAAiB,aAAA;AAAA,IAC9C,YAAA;AAAA,IAAc,IAAA;AAAA,IAAM,KAAA;AAAA,IAAO,iBAAA;AAAA,IAAmB,aAAA;AAAA,IAC9C,YAAA;AAAA,IAAc,cAAA;AAAA,IAAgB,aAAA;AAAA,IAAe,eAAA;AAAA,IAC7C,cAAA;AAAA,IAAgB,QAAA;AAAA,IAAU,KAAA;AAAA,IAAO,SAAA;AAAA,IAAW,QAAA;AAAA,IAC5C,aAAA;AAAA,IAAe,WAAA;AAAA,IAAa;AAAA,GAC7B;AACH,CAAA;;;ACzOO,SAAS,gBAAA,CAAiB,OAAA,GAAsB,EAAC,EAAe;AACrE,EAAA,MAAM;AAAA,IACJ,aAAa,EAAC;AAAA,IACd,YAAY,SAAA,CAAU,kBAAA;AAAA,IACtB,iBAAiB;AAAC,GACpB,GAAI,OAAA;AAGJ,EAAA,MAAM,aAAA,uBAAoB,GAAA,CAAI;AAAA,IAC5B,GAAG,KAAA,CAAM,IAAA,CAAK,SAAA,CAAU,cAAc,CAAA;AAAA,IACtC,GAAG,UAAA,CAAW,GAAA,CAAI,CAAA,CAAA,KAAK,CAAA,CAAE,aAAa;AAAA,GACvC,CAAA;AAKD,EAAA,SAAS,MAAA,CAAO,GAAA,EAAc,KAAA,GAAQ,CAAA,EAAY;AAChD,IAAA,IAAI,KAAA,GAAQ,KAAA,CAAM,mBAAA,EAAqB,OAAO,SAAA,CAAU,SAAA;AACxD,IAAA,IAAI,GAAA,KAAQ,IAAA,IAAQ,GAAA,KAAQ,MAAA,EAAW,OAAO,GAAA;AAE9C,IAAA,IAAI,OAAO,QAAQ,QAAA,EAAU;AAC3B,MAAA,OAAO,YAAA,CAAa,GAAA,EAAK,SAAA,EAAW,cAAc,CAAA;AAAA,IACpD;AAEA,IAAA,IAAI,OAAO,GAAA,KAAQ,QAAA,EAAU,OAAO,GAAA;AAEpC,IAAA,IAAI,KAAA,CAAM,OAAA,CAAQ,GAAG,CAAA,EAAG;AACtB,MAAA,OAAO,IAAI,GAAA,CAAI,CAAA,IAAA,KAAQ,OAAO,IAAA,EAAM,KAAA,GAAQ,CAAC,CAAC,CAAA;AAAA,IAChD;AAEA,IAAA,MAAM,SAAkC,EAAC;AACzC,IAAA,KAAA,MAAW,CAAC,GAAA,EAAK,KAAK,KAAK,MAAA,CAAO,OAAA,CAAQ,GAA8B,CAAA,EAAG;AACzE,MAAA,IAAI,aAAA,CAAc,GAAA,CAAI,GAAA,CAAI,WAAA,EAAa,CAAA,EAAG;AACxC,QAAA,MAAA,CAAO,GAAG,IAAI,SAAA,CAAU,WAAA;AAAA,MAC1B,CAAA,MAAO;AACL,QAAA,MAAA,CAAO,GAAG,CAAA,GAAI,MAAA,CAAO,KAAA,EAAO,QAAQ,CAAC,CAAA;AAAA,MACvC;AAAA,IACF;AACA,IAAA,OAAO,MAAA;AAAA,EACT;AAKA,EAAA,SAAS,GAAA,CAAI,KAAA,EAAe,OAAA,EAAiB,IAAA,EAAsB;AACjE,IAAA,MAAM,KAAA,GAAiC;AAAA,MACrC,SAAA,EAAA,iBAAW,IAAI,IAAA,EAAK,EAAE,WAAA,EAAY;AAAA,MAClC,KAAA;AAAA,MACA,OAAA,EAAS,YAAA,CAAa,OAAA,EAAS,SAAA,EAAW,cAAc;AAAA,KAC1D;AAEA,IAAA,IAAI,SAAS,MAAA,EAAW;AACtB,MAAA,KAAA,CAAM,IAAA,GAAO,OAAO,IAAI,CAAA;AAAA,IAC1B;AAEA,IAAA,OAAA,CAAQ,GAAA,CAAI,IAAA,CAAK,SAAA,CAAU,KAAK,CAAC,CAAA;AAAA,EACnC;AAEA,EAAA,OAAO;AAAA,IACL,GAAA;AAAA,IACA,MAAM,CAAC,GAAA,EAAa,SAAmB,GAAA,CAAI,MAAA,EAAQ,KAAK,IAAI,CAAA;AAAA,IAC5D,MAAM,CAAC,GAAA,EAAa,SAAmB,GAAA,CAAI,MAAA,EAAQ,KAAK,IAAI,CAAA;AAAA,IAC5D,OAAO,CAAC,GAAA,EAAa,SAAmB,GAAA,CAAI,OAAA,EAAS,KAAK,IAAI,CAAA;AAAA,IAC9D,OAAO,CAAC,GAAA,EAAa,SAAmB,GAAA,CAAI,OAAA,EAAS,KAAK,IAAI;AAAA,GAChE;AACF;AAMA,SAAS,YAAA,CAAa,GAAA,EAAa,SAAA,EAAmB,QAAA,EAA4B;AAIhF,EAAA,IAAI,IAAA,GAAO,IACR,OAAA,CAAQ,WAAA,EAAa,GAAG,CAAA,CACxB,OAAA,CAAQ,8CAA8C,EAAE,CAAA;AAG3D,EAAA,KAAA,MAAW,WAAW,QAAA,EAAU;AAC9B,IAAA,IAAA,GAAO,IAAA,CAAK,OAAA,CAAQ,OAAA,EAAS,SAAA,CAAU,WAAW,CAAA;AAAA,EACpD;AAGA,EAAA,IAAI,IAAA,CAAK,SAAS,SAAA,EAAW;AAC3B,IAAA,IAAA,GAAO,KAAK,SAAA,CAAU,CAAA,EAAG,SAAS,CAAA,GAAI,CAAA,GAAA,EAAM,UAAU,SAAS,CAAA,CAAA;AAAA,EACjE;AAEA,EAAA,OAAO,IAAA;AACT;AAQO,SAAS,cAAA,CAAe,aAAA,GAA0B,EAAC,EAA8B;AACtF,EAAA,MAAM,OAAA,uBAAc,GAAA,CAAI;AAAA,IACtB,GAAG,KAAA,CAAM,IAAA,CAAK,SAAA,CAAU,cAAc,CAAA;AAAA,IACtC,GAAG,aAAA,CAAc,GAAA,CAAI,CAAA,CAAA,KAAK,CAAA,CAAE,aAAa;AAAA,GAC1C,CAAA;AAED,EAAA,SAAS,MAAA,CAAO,GAAA,EAAc,KAAA,GAAQ,CAAA,EAAY;AAChD,IAAA,IAAI,KAAA,GAAQ,KAAA,CAAM,mBAAA,EAAqB,OAAO,SAAA,CAAU,SAAA;AACxD,IAAA,IAAI,GAAA,KAAQ,IAAA,IAAQ,GAAA,KAAQ,MAAA,EAAW,OAAO,GAAA;AAC9C,IAAA,IAAI,OAAO,GAAA,KAAQ,QAAA,EAAU,OAAO,GAAA;AAEpC,IAAA,IAAI,KAAA,CAAM,OAAA,CAAQ,GAAG,CAAA,EAAG;AACtB,MAAA,OAAO,IAAI,GAAA,CAAI,CAAA,IAAA,KAAQ,OAAO,IAAA,EAAM,KAAA,GAAQ,CAAC,CAAC,CAAA;AAAA,IAChD;AAEA,IAAA,MAAM,SAAkC,EAAC;AACzC,IAAA,KAAA,MAAW,CAAC,GAAA,EAAK,KAAK,KAAK,MAAA,CAAO,OAAA,CAAQ,GAA8B,CAAA,EAAG;AACzE,MAAA,IAAI,OAAA,CAAQ,GAAA,CAAI,GAAA,CAAI,WAAA,EAAa,CAAA,EAAG;AAClC,QAAA,MAAA,CAAO,GAAG,IAAI,SAAA,CAAU,WAAA;AAAA,MAC1B,CAAA,MAAO;AACL,QAAA,MAAA,CAAO,GAAG,CAAA,GAAI,MAAA,CAAO,KAAA,EAAO,QAAQ,CAAC,CAAA;AAAA,MACvC;AAAA,IACF;AACA,IAAA,OAAO,MAAA;AAAA,EACT;AAEA,EAAA,OAAO,MAAA;AACT;AAMO,IAAM,OAAA,GAAU","file":"index.js","sourcesContent":["/**\r\n * @module @arcis/node/core/constants\r\n * Named constants for Arcis - no magic numbers\r\n */\r\n\r\n// =============================================================================\r\n// INPUT LIMITS\r\n// =============================================================================\r\nexport const INPUT = {\r\n  /** Default maximum input size (1MB) */\r\n  DEFAULT_MAX_SIZE: 1_000_000,\r\n  /** Maximum recursion depth for nested objects */\r\n  MAX_RECURSION_DEPTH: 10,\r\n} as const;\r\n\r\n// =============================================================================\r\n// RATE LIMITING\r\n// =============================================================================\r\nexport const RATE_LIMIT = {\r\n  /** Default window size (1 minute) */\r\n  DEFAULT_WINDOW_MS: 60_000,\r\n  /** Default max requests per window */\r\n  DEFAULT_MAX_REQUESTS: 100,\r\n  /** Default HTTP status code for rate limited responses */\r\n  DEFAULT_STATUS_CODE: 429,\r\n  /** Default error message */\r\n  DEFAULT_MESSAGE: 'Too many requests, please try again later.',\r\n  /** Minimum window size (1 second) */\r\n  MIN_WINDOW_MS: 1_000,\r\n  /** Maximum window size (24 hours) */\r\n  MAX_WINDOW_MS: 86_400_000,\r\n} as const;\r\n\r\n// =============================================================================\r\n// SECURITY HEADERS\r\n// =============================================================================\r\nexport const HEADERS = {\r\n  /** Default Content Security Policy */\r\n  DEFAULT_CSP: [\r\n    \"default-src 'self'\",\r\n    \"script-src 'self'\",\r\n    \"style-src 'self' 'unsafe-inline'\",\r\n    \"img-src 'self' data: https:\",\r\n    \"font-src 'self'\",\r\n    \"object-src 'none'\",\r\n    \"frame-ancestors 'none'\",\r\n  ].join('; '),\r\n  /** Default HSTS max age (1 year in seconds) */\r\n  HSTS_MAX_AGE: 31_536_000,\r\n  /** Default X-Frame-Options value */\r\n  FRAME_OPTIONS: 'DENY' as const,\r\n  /** Default X-Content-Type-Options value */\r\n  CONTENT_TYPE_OPTIONS: 'nosniff',\r\n  /** Default Referrer-Policy value */\r\n  REFERRER_POLICY: 'strict-origin-when-cross-origin',\r\n  /** Default Permissions-Policy value */\r\n  PERMISSIONS_POLICY: 'geolocation=(), microphone=(), camera=()',\r\n  /** Default Cache-Control value for security */\r\n  CACHE_CONTROL: 'no-store, no-cache, must-revalidate, proxy-revalidate',\r\n} as const;\r\n\r\n// =============================================================================\r\n// XSS PATTERNS (ReDoS-safe)\r\n// =============================================================================\r\n\r\n/**\r\n * Detection patterns — used to flag whether a string contains XSS payloads.\r\n * Must stay in sync with XSS_REMOVE_PATTERNS below.\r\n */\r\nexport const XSS_PATTERNS = [\r\n  /** Script tags (ReDoS-safe version) */\r\n  /<script[^>]*>[\\s\\S]*?<\\/script>/gi,\r\n  /** javascript: protocol (allow optional spaces before colon) */\r\n  /javascript\\s*:/gi,\r\n  /** vbscript: protocol */\r\n  /vbscript\\s*:/gi,\r\n  /** Event handlers (onclick, onerror, etc.) — any separator before attribute */\r\n  /(?:[\\s/])on\\w+\\s*=/gi,\r\n  /** iframe tags */\r\n  /<iframe/gi,\r\n  /** object tags */\r\n  /<object/gi,\r\n  /** embed tags */\r\n  /<embed/gi,\r\n  /** data: URIs (only dangerous ones, avoid false positives) */\r\n  /(?:^|[\\s\"'=])data:/gi,\r\n  /** URL-encoded script tags */\r\n  /%3Cscript/gi,\r\n  /** SVG with onload */\r\n  /<svg[^>]*onload/gi,\r\n] as const;\r\n\r\n/**\r\n * Removal patterns — used by sanitizeXss() to strip dangerous content.\r\n * More targeted than XSS_PATTERNS: each pattern captures the full dangerous\r\n * substring (tag, attribute + value, protocol) so it can be replaced safely.\r\n * Must stay in sync with XSS_PATTERNS above.\r\n */\r\nexport const XSS_REMOVE_PATTERNS = [\r\n  /** Full script blocks (content + tags) */\r\n  /<script[^>]*>[\\s\\S]*?<\\/script>/gi,\r\n  /** Standalone/unclosed script tags */\r\n  /<script[^>]*>/gi,\r\n  /** iframe — full block and partial/unclosed */\r\n  /<iframe[^>]*>[\\s\\S]*?<\\/iframe>/gi,\r\n  /<iframe[^>]*/gi,\r\n  /** object — full block and partial/unclosed */\r\n  /<object[^>]*>[\\s\\S]*?<\\/object>/gi,\r\n  /<object[^>]*/gi,\r\n  /** embed tags */\r\n  /<embed[^>]*/gi,\r\n  /** SVG with inline event handlers */\r\n  /<svg[^>]*onload[^>]*>/gi,\r\n  /** URL-encoded script tags */\r\n  /%3Cscript/gi,\r\n  /** Event handlers with quoted values: onclick=\"...\", onerror='...' */\r\n  /(?:[\\s/])on\\w+\\s*=\\s*[\"'][^\"']*[\"']/gi,\r\n  /** Event handlers with unquoted values: onload=value */\r\n  /(?:[\\s/])on\\w+\\s*=\\s*[^\\s>]*/gi,\r\n  /** javascript: and vbscript: protocols (allow optional spaces before colon) */\r\n  /javascript\\s*:/gi,\r\n  /vbscript\\s*:/gi,\r\n  /** data: URIs with HTML/script content */\r\n  /data\\s*:\\s*text\\/html[^>\\s]*/gi,\r\n] as const;\r\n\r\n// =============================================================================\r\n// SQL INJECTION PATTERNS\r\n// =============================================================================\r\nexport const SQL_PATTERNS = [\r\n  /** SQL keywords */\r\n  /(\\b(SELECT|INSERT|UPDATE|DELETE|DROP|UNION|ALTER|CREATE|TRUNCATE|EXEC|EXECUTE)\\b)/gi,\r\n  /** SQL comments: ANSI (--), C-style (slash-star ... star-slash), MySQL (#) */\r\n  /(--|\\/\\*|\\*\\/|#)/g,\r\n  /** SQL statement separators */\r\n  /(;|\\|\\||&&)/g,\r\n  /** Boolean injection: OR 1=1 */\r\n  /\\bOR\\s+\\d+\\s*=\\s*\\d+/gi,\r\n  /** Boolean injection: OR 'a'='a' or OR \"a\"=\"a\" (including mixed quotes) */\r\n  /\\bOR\\s+(['\"])[^'\"]*\\1\\s*=\\s*(['\"])[^'\"]*\\2/gi,\r\n  /\\bOR\\s+('[^']*'|\"[^\"]*\")\\s*=\\s*('[^']*'|\"[^\"]*\")/gi,\r\n  /** Boolean injection: AND 1=1 */\r\n  /\\bAND\\s+\\d+\\s*=\\s*\\d+/gi,\r\n  /** Boolean injection: AND 'a'='a' or AND \"a\"=\"a\" (including mixed quotes) */\r\n  /\\bAND\\s+(['\"])[^'\"]*\\1\\s*=\\s*(['\"])[^'\"]*\\2/gi,\r\n  /\\bAND\\s+('[^']*'|\"[^\"]*\")\\s*=\\s*('[^']*'|\"[^\"]*\")/gi,\r\n  /** Time-based blind: SLEEP() */\r\n  /\\bSLEEP\\s*\\(\\s*\\d+\\s*\\)/gi,\r\n  /** Time-based blind: BENCHMARK() */\r\n  /\\bBENCHMARK\\s*\\(/gi,\r\n] as const;\r\n\r\n// =============================================================================\r\n// PATH TRAVERSAL PATTERNS\r\n// =============================================================================\r\nexport const PATH_PATTERNS = [\r\n  /** Unix path traversal */\r\n  /\\.\\.\\//g,\r\n  /** Windows path traversal */\r\n  /\\.\\.\\\\/g,\r\n  /** URL-encoded traversal (%2e%2e) */\r\n  /%2e%2e/gi,\r\n  /** Double URL-encoded traversal (%252e) */\r\n  /%252e/gi,\r\n  /** Mixed encoding: ..%2F */\r\n  /\\.\\.%2F/gi,\r\n  /** Mixed encoding: %2e./ and .%2e/ */\r\n  /%2e\\.[\\\\/]/gi,\r\n  /\\.%2e[\\\\/]/gi,\r\n  /** Fully URL-encoded: %2e%2e%2f */\r\n  /%2e%2e%2f/gi,\r\n  /** Null byte injection in paths */\r\n  /\\0/g,\r\n] as const;\r\n\r\n// =============================================================================\r\n// COMMAND INJECTION PATTERNS\r\n// =============================================================================\r\nexport const COMMAND_PATTERNS = [\r\n  /**\r\n   * Shell metacharacters that enable command chaining/substitution.\r\n   * Bare ( and ) are excluded — they appear in common legitimate values\r\n   * (function calls in code fields, math expressions, etc.).\r\n   * Command substitution is caught by the $( combined pattern below.\r\n   * NOTE: ';', '&', '|' may appear in legitimate URL query strings\r\n   * and Markdown; consider disabling command checking (command: false)\r\n   * for fields that intentionally allow those characters.\r\n   */\r\n  /[;&|`]/g,\r\n  /** Command substitution: $( ... ) — matched as a pair to reduce false positives */\r\n  /\\$\\(/g,\r\n] as const;\r\n\r\n// =============================================================================\r\n// DANGEROUS KEYS\r\n// =============================================================================\r\n\r\n/**\r\n * Prototype pollution keys to block.\r\n * Stored lowercase — always compare with key.toLowerCase().\r\n *\r\n * Includes:\r\n * - __proto__: direct prototype assignment\r\n * - constructor: access to constructor.prototype chain\r\n * - prototype: direct prototype property\r\n * - __defineGetter__/__defineSetter__: legacy property definition (can override getters/setters)\r\n * - __lookupGetter__/__lookupSetter__: legacy property introspection\r\n */\r\nexport const DANGEROUS_PROTO_KEYS = new Set([\r\n  '__proto__',\r\n  'constructor',\r\n  'prototype',\r\n  '__definegetter__',\r\n  '__definesetter__',\r\n  '__lookupgetter__',\r\n  '__lookupsetter__',\r\n]);\r\n\r\n/** MongoDB operators to block */\r\nexport const NOSQL_DANGEROUS_KEYS = new Set([\r\n  // Comparison\r\n  '$gt', '$gte', '$lt', '$lte', '$ne', '$eq', '$in', '$nin',\r\n  // Logical\r\n  '$and', '$or', '$not', '$nor',\r\n  // Element / evaluation\r\n  '$exists', '$type', '$regex', '$where', '$expr', '$mod', '$text',\r\n  // Array\r\n  '$elemMatch', '$all', '$size',\r\n  // JavaScript execution (critical)\r\n  '$function', '$accumulator',\r\n  // Aggregation pipeline operators (injectable via $lookup etc.)\r\n  '$lookup', '$match', '$project', '$group', '$sort', '$limit', '$skip',\r\n  '$unwind', '$addFields', '$replaceRoot',\r\n]);\r\n\r\n// =============================================================================\r\n// REDACTION\r\n// =============================================================================\r\nexport const REDACTION = {\r\n  /** Replacement text for redacted values */\r\n  REPLACEMENT: '[REDACTED]',\r\n  /** Truncation indicator */\r\n  TRUNCATED: '[TRUNCATED]',\r\n  /** Max depth indicator */\r\n  MAX_DEPTH: '[MAX_DEPTH]',\r\n  /** Default max message length */\r\n  DEFAULT_MAX_LENGTH: 10_000,\r\n  /** Default sensitive keys to redact */\r\n  SENSITIVE_KEYS: new Set([\r\n    'password', 'passwd', 'pwd', 'secret', 'token', 'apikey',\r\n    'api_key', 'apiKey', 'auth', 'authorization', 'credit_card',\r\n    'creditcard', 'cc', 'ssn', 'social_security', 'private_key',\r\n    'privateKey', 'access_token', 'accessToken', 'refresh_token',\r\n    'refreshToken', 'bearer', 'jwt', 'session', 'cookie',\r\n    'credentials', 'x-api-key', 'x-auth-token',\r\n  ]),\r\n} as const;\r\n\r\n// =============================================================================\r\n// VALIDATION PATTERNS\r\n// =============================================================================\r\nexport const VALIDATION = {\r\n  /**\r\n   * Email regex pattern.\r\n   * Rejects consecutive dots in local part (e.g. test..foo@example.com),\r\n   * leading/trailing dots, and other common invalid forms.\r\n   */\r\n  EMAIL: /^[^\\s@.][^\\s@]*(?:\\.[^\\s@.][^\\s@]*)*@[^\\s@]+\\.[^\\s@]+$/,\r\n  /**\r\n   * URL regex pattern.\r\n   * Only allows http:// and https:// — explicitly rejects javascript:,\r\n   * data:, vbscript:, and other dangerous URI schemes.\r\n   */\r\n  URL: /^https?:\\/\\/[^\\s/$.?#][^\\s]*$/,\r\n  /** UUID regex pattern (v4) */\r\n  UUID: /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i,\r\n} as const;\r\n\r\n// =============================================================================\r\n// ERROR MESSAGES\r\n// =============================================================================\r\nexport const ERRORS = {\r\n  /** Generic error message (production) */\r\n  INTERNAL_SERVER_ERROR: 'Internal Server Error',\r\n  /** Input too large error */\r\n  INPUT_TOO_LARGE: (maxSize: number) => `Input exceeds maximum size of ${maxSize} bytes`,\r\n  /** Validation error messages */\r\n  VALIDATION: {\r\n    REQUIRED: (field: string) => `${field} is required`,\r\n    INVALID_TYPE: (field: string, type: string) => `${field} must be a ${type}`,\r\n    MIN_LENGTH: (field: string, min: number) => `${field} must be at least ${min} characters`,\r\n    MAX_LENGTH: (field: string, max: number) => `${field} must be at most ${max} characters`,\r\n    MIN_VALUE: (field: string, min: number) => `${field} must be at least ${min}`,\r\n    MAX_VALUE: (field: string, max: number) => `${field} must be at most ${max}`,\r\n    INVALID_FORMAT: (field: string) => `${field} format is invalid`,\r\n    INVALID_EMAIL: (field: string) => `${field} must be a valid email`,\r\n    INVALID_URL: (field: string) => `${field} must be a valid URL`,\r\n    INVALID_UUID: (field: string) => `${field} must be a valid UUID`,\r\n    INVALID_ENUM: (field: string, values: unknown[]) => `${field} must be one of: ${values.join(', ')}`,\r\n    MIN_ITEMS: (field: string, min: number) => `${field} must have at least ${min} items`,\r\n    MAX_ITEMS: (field: string, max: number) => `${field} must have at most ${max} items`,\r\n  },\r\n} as const;\r\n\r\n// =============================================================================\r\n// BLOCKED TEXT (for sanitizer replacements)\r\n// =============================================================================\r\nexport const BLOCKED = '[BLOCKED]' as const;\r\n","/**\r\n * @module @arcis/node/logging/redactor\r\n * Safe logging with PII/secret redaction\r\n */\r\n\r\nimport { REDACTION, INPUT } from '../core/constants';\r\nimport type { LogOptions, SafeLogger } from '../core/types';\r\n\r\n/**\r\n * Create a safe logger that redacts sensitive data and prevents log injection.\r\n * \r\n * @param options - Logger configuration\r\n * @returns SafeLogger instance\r\n * \r\n * @example\r\n * const logger = createSafeLogger();\r\n * logger.info('User login', { email: 'user@test.com', password: 'secret' });\r\n * // Logs: { \"email\": \"user@test.com\", \"password\": \"[REDACTED]\" }\r\n * \r\n * @example\r\n * // With custom redact keys\r\n * const logger = createSafeLogger({ redactKeys: ['customToken', 'internalId'] });\r\n */\r\nexport function createSafeLogger(options: LogOptions = {}): SafeLogger {\r\n  const { \r\n    redactKeys = [], \r\n    maxLength = REDACTION.DEFAULT_MAX_LENGTH,\r\n    redactPatterns = [],\r\n  } = options;\r\n\r\n  // Combine default and custom keys (lowercase for case-insensitive matching)\r\n  const allRedactKeys = new Set([\r\n    ...Array.from(REDACTION.SENSITIVE_KEYS),\r\n    ...redactKeys.map(k => k.toLowerCase()),\r\n  ]);\r\n\r\n  /**\r\n   * Redact sensitive data from an object recursively.\r\n   */\r\n  function redact(obj: unknown, depth = 0): unknown {\r\n    if (depth > INPUT.MAX_RECURSION_DEPTH) return REDACTION.MAX_DEPTH;\r\n    if (obj === null || obj === undefined) return obj;\r\n\r\n    if (typeof obj === 'string') {\r\n      return redactString(obj, maxLength, redactPatterns);\r\n    }\r\n\r\n    if (typeof obj !== 'object') return obj;\r\n\r\n    if (Array.isArray(obj)) {\r\n      return obj.map(item => redact(item, depth + 1));\r\n    }\r\n\r\n    const result: Record<string, unknown> = {};\r\n    for (const [key, value] of Object.entries(obj as Record<string, unknown>)) {\r\n      if (allRedactKeys.has(key.toLowerCase())) {\r\n        result[key] = REDACTION.REPLACEMENT;\r\n      } else {\r\n        result[key] = redact(value, depth + 1);\r\n      }\r\n    }\r\n    return result;\r\n  }\r\n\r\n  /**\r\n   * Log a message at the specified level.\r\n   */\r\n  function log(level: string, message: string, data?: unknown): void {\r\n    const entry: Record<string, unknown> = {\r\n      timestamp: new Date().toISOString(),\r\n      level,\r\n      message: redactString(message, maxLength, redactPatterns),\r\n    };\r\n    \r\n    if (data !== undefined) {\r\n      entry.data = redact(data);\r\n    }\r\n    \r\n    console.log(JSON.stringify(entry));\r\n  }\r\n\r\n  return {\r\n    log,\r\n    info: (msg: string, data?: unknown) => log('info', msg, data),\r\n    warn: (msg: string, data?: unknown) => log('warn', msg, data),\r\n    error: (msg: string, data?: unknown) => log('error', msg, data),\r\n    debug: (msg: string, data?: unknown) => log('debug', msg, data),\r\n  };\r\n}\r\n\r\n/**\r\n * Redact a string value.\r\n * Removes newlines (log injection prevention), applies patterns, and truncates.\r\n */\r\nfunction redactString(str: string, maxLength: number, patterns: RegExp[]): string {\r\n  // Remove newlines/tabs (log injection prevention) and genuine control characters.\r\n  // Only strip C0/C1 control chars and null bytes — preserve all printable Unicode\r\n  // (CJK, Cyrillic, Arabic, etc.) so multilingual content isn't silently lost.\r\n  let safe = str\r\n    .replace(/[\\r\\n\\t]/g, ' ')\r\n    .replace(/[\\x00-\\x08\\x0B\\x0C\\x0E-\\x1F\\x7F\\x80-\\x9F]/g, '');\r\n\r\n  // Apply custom redaction patterns\r\n  for (const pattern of patterns) {\r\n    safe = safe.replace(pattern, REDACTION.REPLACEMENT);\r\n  }\r\n\r\n  // Truncate if too long\r\n  if (safe.length > maxLength) {\r\n    safe = safe.substring(0, maxLength) + `...${REDACTION.TRUNCATED}`;\r\n  }\r\n\r\n  return safe;\r\n}\r\n\r\n/**\r\n * Create a redactor function for custom use.\r\n * \r\n * @param sensitiveKeys - Keys to redact\r\n * @returns Redactor function\r\n */\r\nexport function createRedactor(sensitiveKeys: string[] = []): (obj: unknown) => unknown {\r\n  const allKeys = new Set([\r\n    ...Array.from(REDACTION.SENSITIVE_KEYS),\r\n    ...sensitiveKeys.map(k => k.toLowerCase()),\r\n  ]);\r\n\r\n  function redact(obj: unknown, depth = 0): unknown {\r\n    if (depth > INPUT.MAX_RECURSION_DEPTH) return REDACTION.MAX_DEPTH;\r\n    if (obj === null || obj === undefined) return obj;\r\n    if (typeof obj !== 'object') return obj;\r\n\r\n    if (Array.isArray(obj)) {\r\n      return obj.map(item => redact(item, depth + 1));\r\n    }\r\n\r\n    const result: Record<string, unknown> = {};\r\n    for (const [key, value] of Object.entries(obj as Record<string, unknown>)) {\r\n      if (allKeys.has(key.toLowerCase())) {\r\n        result[key] = REDACTION.REPLACEMENT;\r\n      } else {\r\n        result[key] = redact(value, depth + 1);\r\n      }\r\n    }\r\n    return result;\r\n  }\r\n\r\n  return redact;\r\n}\r\n\r\n/**\r\n * Alias for createSafeLogger\r\n * @see createSafeLogger\r\n */\r\nexport const safeLog = createSafeLogger;\r\n"]}
+{"version":3,"sources":["../../src/core/constants.ts","../../src/logging/redactor.ts"],"names":[],"mappings":";;;AAQO,IAAM,KAAA,GAAQ;AAAA,EAED;AAAA,EAElB,mBAAA,EAAqB;AACvB,CAAA;AA2OO,IAAM,SAAA,GAAY;AAAA;AAAA,EAEvB,WAAA,EAAa,YAAA;AAAA;AAAA,EAEb,SAAA,EAAW,aAAA;AAAA;AAAA,EAEX,SAAA,EAAW,aAAA;AAAA;AAAA,EAEX,kBAAA,EAAoB,GAAA;AAAA;AAAA,EAEpB,cAAA,sBAAoB,GAAA,CAAI;AAAA,IACtB,UAAA;AAAA,IAAY,QAAA;AAAA,IAAU,KAAA;AAAA,IAAO,QAAA;AAAA,IAAU,OAAA;AAAA,IAAS,QAAA;AAAA,IAChD,SAAA;AAAA,IAAW,QAAA;AAAA,IAAU,MAAA;AAAA,IAAQ,eAAA;AAAA,IAAiB,aAAA;AAAA,IAC9C,YAAA;AAAA,IAAc,IAAA;AAAA,IAAM,KAAA;AAAA,IAAO,iBAAA;AAAA,IAAmB,aAAA;AAAA,IAC9C,YAAA;AAAA,IAAc,cAAA;AAAA,IAAgB,aAAA;AAAA,IAAe,eAAA;AAAA,IAC7C,cAAA;AAAA,IAAgB,QAAA;AAAA,IAAU,KAAA;AAAA,IAAO,SAAA;AAAA,IAAW,QAAA;AAAA,IAC5C,aAAA;AAAA,IAAe,WAAA;AAAA,IAAa;AAAA,GAC7B;AACH,CAAA;;;AClQA,IAAM,UAAA,GAAqC;AAAA,EACzC,KAAA,EAAO,CAAA;AAAA,EACP,IAAA,EAAM,CAAA;AAAA,EACN,IAAA,EAAM,CAAA;AAAA,EACN,KAAA,EAAO,CAAA;AAAA,EACP,MAAA,EAAQ;AACV,CAAA;AAiBO,SAAS,gBAAA,CAAiB,OAAA,GAAsB,EAAC,EAAe;AACrE,EAAA,MAAM;AAAA,IACJ,aAAa,EAAC;AAAA,IACd,YAAY,SAAA,CAAU,kBAAA;AAAA,IACtB,iBAAiB,EAAC;AAAA,IAClB,OAAO,QAAA,GAAW;AAAA,GACpB,GAAI,OAAA;AAEJ,EAAA,MAAM,WAAA,GAAc,UAAA,CAAW,QAAQ,CAAA,IAAK,CAAA;AAG5C,EAAA,MAAM,aAAA,uBAAoB,GAAA,CAAI;AAAA,IAC5B,GAAG,KAAA,CAAM,IAAA,CAAK,SAAA,CAAU,cAAc,CAAA;AAAA,IACtC,GAAG,UAAA,CAAW,GAAA,CAAI,CAAA,CAAA,KAAK,CAAA,CAAE,aAAa;AAAA,GACvC,CAAA;AAKD,EAAA,SAAS,MAAA,CAAO,GAAA,EAAc,KAAA,GAAQ,CAAA,EAAY;AAChD,IAAA,IAAI,KAAA,GAAQ,KAAA,CAAM,mBAAA,EAAqB,OAAO,SAAA,CAAU,SAAA;AACxD,IAAA,IAAI,GAAA,KAAQ,IAAA,IAAQ,GAAA,KAAQ,MAAA,EAAW,OAAO,GAAA;AAE9C,IAAA,IAAI,OAAO,QAAQ,QAAA,EAAU;AAC3B,MAAA,OAAO,YAAA,CAAa,GAAA,EAAK,SAAA,EAAW,cAAc,CAAA;AAAA,IACpD;AAEA,IAAA,IAAI,OAAO,GAAA,KAAQ,QAAA,EAAU,OAAO,GAAA;AAEpC,IAAA,IAAI,KAAA,CAAM,OAAA,CAAQ,GAAG,CAAA,EAAG;AACtB,MAAA,OAAO,IAAI,GAAA,CAAI,CAAA,IAAA,KAAQ,OAAO,IAAA,EAAM,KAAA,GAAQ,CAAC,CAAC,CAAA;AAAA,IAChD;AAEA,IAAA,MAAM,SAAkC,EAAC;AACzC,IAAA,KAAA,MAAW,CAAC,GAAA,EAAK,KAAK,KAAK,MAAA,CAAO,OAAA,CAAQ,GAA8B,CAAA,EAAG;AACzE,MAAA,IAAI,aAAA,CAAc,GAAA,CAAI,GAAA,CAAI,WAAA,EAAa,CAAA,EAAG;AACxC,QAAA,MAAA,CAAO,GAAG,IAAI,SAAA,CAAU,WAAA;AAAA,MAC1B,CAAA,MAAO;AACL,QAAA,MAAA,CAAO,GAAG,CAAA,GAAI,MAAA,CAAO,KAAA,EAAO,QAAQ,CAAC,CAAA;AAAA,MACvC;AAAA,IACF;AACA,IAAA,OAAO,MAAA;AAAA,EACT;AAKA,EAAA,SAAS,GAAA,CAAI,KAAA,EAAe,OAAA,EAAiB,IAAA,EAAsB;AAEjE,IAAA,MAAM,QAAA,GAAW,UAAA,CAAW,KAAK,CAAA,IAAK,CAAA;AACtC,IAAA,IAAI,WAAW,WAAA,EAAa;AAE5B,IAAA,MAAM,KAAA,GAAiC;AAAA,MACrC,SAAA,EAAA,iBAAW,IAAI,IAAA,EAAK,EAAE,WAAA,EAAY;AAAA,MAClC,KAAA;AAAA,MACA,OAAA,EAAS,YAAA,CAAa,OAAA,EAAS,SAAA,EAAW,cAAc;AAAA,KAC1D;AAEA,IAAA,IAAI,SAAS,MAAA,EAAW;AACtB,MAAA,KAAA,CAAM,IAAA,GAAO,OAAO,IAAI,CAAA;AAAA,IAC1B;AAEA,IAAA,OAAA,CAAQ,GAAA,CAAI,IAAA,CAAK,SAAA,CAAU,KAAK,CAAC,CAAA;AAAA,EACnC;AAEA,EAAA,OAAO;AAAA,IACL,GAAA;AAAA,IACA,MAAM,CAAC,GAAA,EAAa,SAAmB,GAAA,CAAI,MAAA,EAAQ,KAAK,IAAI,CAAA;AAAA,IAC5D,MAAM,CAAC,GAAA,EAAa,SAAmB,GAAA,CAAI,MAAA,EAAQ,KAAK,IAAI,CAAA;AAAA,IAC5D,OAAO,CAAC,GAAA,EAAa,SAAmB,GAAA,CAAI,OAAA,EAAS,KAAK,IAAI,CAAA;AAAA,IAC9D,OAAO,CAAC,GAAA,EAAa,SAAmB,GAAA,CAAI,OAAA,EAAS,KAAK,IAAI;AAAA,GAChE;AACF;AAMA,SAAS,YAAA,CAAa,GAAA,EAAa,SAAA,EAAmB,QAAA,EAA4B;AAIhF,EAAA,IAAI,IAAA,GAAO,IACR,OAAA,CAAQ,WAAA,EAAa,GAAG,CAAA,CACxB,OAAA,CAAQ,8CAA8C,EAAE,CAAA;AAG3D,EAAA,KAAA,MAAW,WAAW,QAAA,EAAU;AAC9B,IAAA,IAAA,GAAO,IAAA,CAAK,OAAA,CAAQ,OAAA,EAAS,SAAA,CAAU,WAAW,CAAA;AAAA,EACpD;AAGA,EAAA,IAAI,IAAA,CAAK,SAAS,SAAA,EAAW;AAC3B,IAAA,IAAA,GAAO,KAAK,SAAA,CAAU,CAAA,EAAG,SAAS,CAAA,GAAI,CAAA,GAAA,EAAM,UAAU,SAAS,CAAA,CAAA;AAAA,EACjE;AAEA,EAAA,OAAO,IAAA;AACT;AAQO,SAAS,cAAA,CAAe,aAAA,GAA0B,EAAC,EAA8B;AACtF,EAAA,MAAM,OAAA,uBAAc,GAAA,CAAI;AAAA,IACtB,GAAG,KAAA,CAAM,IAAA,CAAK,SAAA,CAAU,cAAc,CAAA;AAAA,IACtC,GAAG,aAAA,CAAc,GAAA,CAAI,CAAA,CAAA,KAAK,CAAA,CAAE,aAAa;AAAA,GAC1C,CAAA;AAED,EAAA,SAAS,MAAA,CAAO,GAAA,EAAc,KAAA,GAAQ,CAAA,EAAY;AAChD,IAAA,IAAI,KAAA,GAAQ,KAAA,CAAM,mBAAA,EAAqB,OAAO,SAAA,CAAU,SAAA;AACxD,IAAA,IAAI,GAAA,KAAQ,IAAA,IAAQ,GAAA,KAAQ,MAAA,EAAW,OAAO,GAAA;AAC9C,IAAA,IAAI,OAAO,GAAA,KAAQ,QAAA,EAAU,OAAO,GAAA;AAEpC,IAAA,IAAI,KAAA,CAAM,OAAA,CAAQ,GAAG,CAAA,EAAG;AACtB,MAAA,OAAO,IAAI,GAAA,CAAI,CAAA,IAAA,KAAQ,OAAO,IAAA,EAAM,KAAA,GAAQ,CAAC,CAAC,CAAA;AAAA,IAChD;AAEA,IAAA,MAAM,SAAkC,EAAC;AACzC,IAAA,KAAA,MAAW,CAAC,GAAA,EAAK,KAAK,KAAK,MAAA,CAAO,OAAA,CAAQ,GAA8B,CAAA,EAAG;AACzE,MAAA,IAAI,OAAA,CAAQ,GAAA,CAAI,GAAA,CAAI,WAAA,EAAa,CAAA,EAAG;AAClC,QAAA,MAAA,CAAO,GAAG,IAAI,SAAA,CAAU,WAAA;AAAA,MAC1B,CAAA,MAAO;AACL,QAAA,MAAA,CAAO,GAAG,CAAA,GAAI,MAAA,CAAO,KAAA,EAAO,QAAQ,CAAC,CAAA;AAAA,MACvC;AAAA,IACF;AACA,IAAA,OAAO,MAAA;AAAA,EACT;AAEA,EAAA,OAAO,MAAA;AACT;AAMO,IAAM,OAAA,GAAU","file":"index.js","sourcesContent":["/**\n * @module @arcis/node/core/constants\n * Named constants for Arcis - no magic numbers\n */\n\n// =============================================================================\n// INPUT LIMITS\n// =============================================================================\nexport const INPUT = {\n  /** Default maximum input size (1MB) */\n  DEFAULT_MAX_SIZE: 1_000_000,\n  /** Maximum recursion depth for nested objects */\n  MAX_RECURSION_DEPTH: 10,\n} as const;\n\n// =============================================================================\n// RATE LIMITING\n// =============================================================================\nexport const RATE_LIMIT = {\n  /** Default window size (1 minute) */\n  DEFAULT_WINDOW_MS: 60_000,\n  /** Default max requests per window */\n  DEFAULT_MAX_REQUESTS: 100,\n  /** Default HTTP status code for rate limited responses */\n  DEFAULT_STATUS_CODE: 429,\n  /** Default error message */\n  DEFAULT_MESSAGE: 'Too many requests, please try again later.',\n  /** Minimum window size (1 second) */\n  MIN_WINDOW_MS: 1_000,\n  /** Maximum window size (24 hours) */\n  MAX_WINDOW_MS: 86_400_000,\n} as const;\n\n// =============================================================================\n// SECURITY HEADERS\n// =============================================================================\nexport const HEADERS = {\n  /** Default Content Security Policy */\n  DEFAULT_CSP: [\n    \"default-src 'self'\",\n    \"script-src 'self'\",\n    \"style-src 'self' 'unsafe-inline'\",\n    \"img-src 'self' data: https:\",\n    \"font-src 'self'\",\n    \"object-src 'none'\",\n    \"frame-ancestors 'none'\",\n  ].join('; '),\n  /** Default HSTS max age (1 year in seconds) */\n  HSTS_MAX_AGE: 31_536_000,\n  /** Default X-Frame-Options value */\n  FRAME_OPTIONS: 'DENY' as const,\n  /** Default X-Content-Type-Options value */\n  CONTENT_TYPE_OPTIONS: 'nosniff',\n  /** Default Referrer-Policy value */\n  REFERRER_POLICY: 'strict-origin-when-cross-origin',\n  /** Default Permissions-Policy value */\n  PERMISSIONS_POLICY: 'geolocation=(), microphone=(), camera=()',\n  /** Default Cache-Control value for security */\n  CACHE_CONTROL: 'no-store, no-cache, must-revalidate, proxy-revalidate',\n} as const;\n\n// =============================================================================\n// XSS PATTERNS (ReDoS-safe)\n// =============================================================================\n\n/**\n * Detection patterns — used to flag whether a string contains XSS payloads.\n * Must stay in sync with XSS_REMOVE_PATTERNS below.\n */\nexport const XSS_PATTERNS = [\n  /** Script tags (ReDoS-safe version) */\n  /<script[^>]*>[\\s\\S]*?<\\/script>/gi,\n  /** javascript: protocol (allow optional spaces before colon) */\n  /javascript\\s*:/gi,\n  /** vbscript: protocol */\n  /vbscript\\s*:/gi,\n  /** Event handlers (onclick, onerror, etc.) — any separator before attribute */\n  /(?:[\\s/])on\\w+\\s*=/gi,\n  /** iframe tags */\n  /<iframe/gi,\n  /** object tags */\n  /<object/gi,\n  /** embed tags */\n  /<embed/gi,\n  /** data: URIs (only dangerous ones, avoid false positives) */\n  /(?:^|[\\s\"'=])data:/gi,\n  /** URL-encoded script tags */\n  /%3Cscript/gi,\n  /** SVG with onload */\n  /<svg[^>]*onload/gi,\n] as const;\n\n/**\n * Removal patterns — used by sanitizeXss() to strip dangerous content.\n * More targeted than XSS_PATTERNS: each pattern captures the full dangerous\n * substring (tag, attribute + value, protocol) so it can be replaced safely.\n * Must stay in sync with XSS_PATTERNS above.\n */\nexport const XSS_REMOVE_PATTERNS = [\n  /** Full script blocks (content + tags) */\n  /<script[^>]*>[\\s\\S]*?<\\/script>/gi,\n  /** Standalone/unclosed script tags */\n  /<script[^>]*>/gi,\n  /** iframe — full block and partial/unclosed */\n  /<iframe[^>]*>[\\s\\S]*?<\\/iframe>/gi,\n  /<iframe[^>]*/gi,\n  /** object — full block and partial/unclosed */\n  /<object[^>]*>[\\s\\S]*?<\\/object>/gi,\n  /<object[^>]*/gi,\n  /** embed tags */\n  /<embed[^>]*/gi,\n  /** SVG with inline event handlers */\n  /<svg[^>]*onload[^>]*>/gi,\n  /** URL-encoded script tags */\n  /%3Cscript/gi,\n  /** Event handlers with quoted values: onclick=\"...\", onerror='...' */\n  /(?:[\\s/])on\\w+\\s*=\\s*[\"'][^\"']*[\"']/gi,\n  /** Event handlers with unquoted values: onload=value */\n  /(?:[\\s/])on\\w+\\s*=\\s*[^\\s>]*/gi,\n  /** javascript: and vbscript: protocols (allow optional spaces before colon) */\n  /javascript\\s*:/gi,\n  /vbscript\\s*:/gi,\n  /** data: URIs with HTML/script content */\n  /data\\s*:\\s*text\\/html[^>\\s]*/gi,\n] as const;\n\n// =============================================================================\n// SQL INJECTION PATTERNS\n// =============================================================================\nexport const SQL_PATTERNS = [\n  /** SQL keywords */\n  /(\\b(SELECT|INSERT|UPDATE|DELETE|DROP|UNION|ALTER|CREATE|TRUNCATE|EXEC|EXECUTE)\\b)/gi,\n  /** SQL comments: ANSI (--), C-style (slash-star ... star-slash), MySQL (#) */\n  /(--|\\/\\*|\\*\\/|#)/g,\n  /** SQL statement separators */\n  /(;|\\|\\||&&)/g,\n  /** Boolean injection: OR 1=1 */\n  /\\bOR\\s+\\d+\\s*=\\s*\\d+/gi,\n  /** Boolean injection: OR 'a'='a' or OR \"a\"=\"a\" (including mixed quotes) */\n  /\\bOR\\s+(['\"])[^'\"]*\\1\\s*=\\s*(['\"])[^'\"]*\\2/gi,\n  /\\bOR\\s+('[^']*'|\"[^\"]*\")\\s*=\\s*('[^']*'|\"[^\"]*\")/gi,\n  /** Boolean injection: AND 1=1 */\n  /\\bAND\\s+\\d+\\s*=\\s*\\d+/gi,\n  /** Boolean injection: AND 'a'='a' or AND \"a\"=\"a\" (including mixed quotes) */\n  /\\bAND\\s+(['\"])[^'\"]*\\1\\s*=\\s*(['\"])[^'\"]*\\2/gi,\n  /\\bAND\\s+('[^']*'|\"[^\"]*\")\\s*=\\s*('[^']*'|\"[^\"]*\")/gi,\n  /** Time-based blind: SLEEP() */\n  /\\bSLEEP\\s*\\(\\s*\\d+\\s*\\)/gi,\n  /** Time-based blind: BENCHMARK() */\n  /\\bBENCHMARK\\s*\\(/gi,\n  /** Time-based blind: PostgreSQL pg_sleep() */\n  /\\bpg_sleep\\s*\\(/gi,\n  /** Time-based blind: MSSQL WAITFOR DELAY */\n  /\\bWAITFOR\\s+DELAY\\b/gi,\n] as const;\n\n// =============================================================================\n// PATH TRAVERSAL PATTERNS\n// =============================================================================\nexport const PATH_PATTERNS = [\n  /** Unix path traversal */\n  /\\.\\.\\//g,\n  /** Windows path traversal */\n  /\\.\\.\\\\/g,\n  /** URL-encoded traversal (%2e%2e) */\n  /%2e%2e/gi,\n  /** Double URL-encoded traversal (%252e) */\n  /%252e/gi,\n  /** Mixed encoding: ..%2F */\n  /\\.\\.%2F/gi,\n  /** Mixed encoding: %2e./ and .%2e/ */\n  /%2e\\.[\\\\/]/gi,\n  /\\.%2e[\\\\/]/gi,\n  /** Fully URL-encoded: %2e%2e%2f */\n  /%2e%2e%2f/gi,\n  /** Double URL-encoded forward slash: %252f */\n  /%252f/gi,\n  /** Dotdotslash bypass: ....// or ....\\\\ */\n  /\\.{2,}[/\\\\]{2,}/g,\n  /** Null byte injection in paths */\n  /\\0/g,\n] as const;\n\n// =============================================================================\n// COMMAND INJECTION PATTERNS\n// =============================================================================\nexport const COMMAND_PATTERNS = [\n  /**\n   * Shell metacharacters that enable command chaining/substitution.\n   * Bare ( and ) are excluded — they appear in common legitimate values\n   * (function calls in code fields, math expressions, etc.).\n   * Command substitution is caught by the $( combined pattern below.\n   * NOTE: ';', '&', '|' may appear in legitimate URL query strings\n   * and Markdown; consider disabling command checking (command: false)\n   * for fields that intentionally allow those characters.\n   */\n  /[;&|`]/g,\n  /** Command substitution: $( ... ) — matched as a pair to reduce false positives */\n  /\\$\\(/g,\n  /** URL-encoded newline/carriage-return injection (%0a, %0d) */\n  /%0[ad]/gi,\n] as const;\n\n// =============================================================================\n// DANGEROUS KEYS\n// =============================================================================\n\n/**\n * Prototype pollution keys to block.\n * Stored lowercase — always compare with key.toLowerCase().\n *\n * Includes:\n * - __proto__: direct prototype assignment\n * - constructor: access to constructor.prototype chain\n * - prototype: direct prototype property\n * - __defineGetter__/__defineSetter__: legacy property definition (can override getters/setters)\n * - __lookupGetter__/__lookupSetter__: legacy property introspection\n */\nexport const DANGEROUS_PROTO_KEYS = new Set([\n  '__proto__',\n  'constructor',\n  'prototype',\n  '__definegetter__',\n  '__definesetter__',\n  '__lookupgetter__',\n  '__lookupsetter__',\n]);\n\n/** MongoDB operators to block */\nexport const NOSQL_DANGEROUS_KEYS = new Set([\n  // Comparison\n  '$gt', '$gte', '$lt', '$lte', '$ne', '$eq', '$in', '$nin',\n  // Logical\n  '$and', '$or', '$not', '$nor',\n  // Element / evaluation\n  '$exists', '$type', '$regex', '$where', '$expr', '$mod', '$text', '$jsonSchema',\n  // Array\n  '$elemMatch', '$all', '$size',\n  // JavaScript execution (critical)\n  '$function', '$accumulator',\n  // Aggregation pipeline operators (injectable via $lookup etc.)\n  '$lookup', '$match', '$project', '$group', '$sort', '$limit', '$skip',\n  '$unwind', '$addFields', '$replaceRoot',\n]);\n\n// =============================================================================\n// REDACTION\n// =============================================================================\nexport const REDACTION = {\n  /** Replacement text for redacted values */\n  REPLACEMENT: '[REDACTED]',\n  /** Truncation indicator */\n  TRUNCATED: '[TRUNCATED]',\n  /** Max depth indicator */\n  MAX_DEPTH: '[MAX_DEPTH]',\n  /** Default max message length */\n  DEFAULT_MAX_LENGTH: 10_000,\n  /** Default sensitive keys to redact */\n  SENSITIVE_KEYS: new Set([\n    'password', 'passwd', 'pwd', 'secret', 'token', 'apikey',\n    'api_key', 'apiKey', 'auth', 'authorization', 'credit_card',\n    'creditcard', 'cc', 'ssn', 'social_security', 'private_key',\n    'privateKey', 'access_token', 'accessToken', 'refresh_token',\n    'refreshToken', 'bearer', 'jwt', 'session', 'cookie',\n    'credentials', 'x-api-key', 'x-auth-token',\n  ]),\n} as const;\n\n// =============================================================================\n// VALIDATION PATTERNS\n// =============================================================================\nexport const VALIDATION = {\n  /**\n   * Email regex pattern.\n   * Rejects consecutive dots in local part (e.g. test..foo@example.com),\n   * leading/trailing dots, and other common invalid forms.\n   */\n  EMAIL: /^[^\\s@.][^\\s@]*(?:\\.[^\\s@.][^\\s@]*)*@[^\\s@]+\\.[^\\s@]+$/,\n  /**\n   * URL regex pattern.\n   * Only allows http:// and https:// — explicitly rejects javascript:,\n   * data:, vbscript:, and other dangerous URI schemes.\n   */\n  URL: /^https?:\\/\\/[^\\s/$.?#][^\\s]*$/,\n  /** UUID regex pattern (v4) */\n  UUID: /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i,\n} as const;\n\n// =============================================================================\n// ERROR MESSAGES\n// =============================================================================\nexport const ERRORS = {\n  /** Generic error message (production) */\n  INTERNAL_SERVER_ERROR: 'Internal Server Error',\n  /** Input too large error */\n  INPUT_TOO_LARGE: (maxSize: number) => `Input exceeds maximum size of ${maxSize} bytes`,\n  /** Validation error messages */\n  VALIDATION: {\n    REQUIRED: (field: string) => `${field} is required`,\n    INVALID_TYPE: (field: string, type: string) => `${field} must be a ${type}`,\n    MIN_LENGTH: (field: string, min: number) => `${field} must be at least ${min} characters`,\n    MAX_LENGTH: (field: string, max: number) => `${field} must be at most ${max} characters`,\n    MIN_VALUE: (field: string, min: number) => `${field} must be at least ${min}`,\n    MAX_VALUE: (field: string, max: number) => `${field} must be at most ${max}`,\n    INVALID_FORMAT: (field: string) => `${field} format is invalid`,\n    INVALID_EMAIL: (field: string) => `${field} must be a valid email`,\n    INVALID_URL: (field: string) => `${field} must be a valid URL`,\n    INVALID_UUID: (field: string) => `${field} must be a valid UUID`,\n    INVALID_ENUM: (field: string, values: unknown[]) => `${field} must be one of: ${values.join(', ')}`,\n    MIN_ITEMS: (field: string, min: number) => `${field} must have at least ${min} items`,\n    MAX_ITEMS: (field: string, max: number) => `${field} must have at most ${max} items`,\n  },\n} as const;\n\n// =============================================================================\n// BLOCKED TEXT (for sanitizer replacements)\n// =============================================================================\nexport const BLOCKED = '[BLOCKED]' as const;\n","/**\n * @module @arcis/node/logging/redactor\n * Safe logging with PII/secret redaction\n */\n\nimport { REDACTION, INPUT } from '../core/constants';\nimport type { LogOptions, SafeLogger } from '../core/types';\n\nconst LOG_LEVELS: Record<string, number> = {\n  debug: 0,\n  info: 1,\n  warn: 2,\n  error: 3,\n  silent: 4,\n};\n\n/**\n * Create a safe logger that redacts sensitive data and prevents log injection.\n * \n * @param options - Logger configuration\n * @returns SafeLogger instance\n * \n * @example\n * const logger = createSafeLogger();\n * logger.info('User login', { email: 'user@test.com', password: 'secret' });\n * // Logs: { \"email\": \"user@test.com\", \"password\": \"[REDACTED]\" }\n * \n * @example\n * // With custom redact keys\n * const logger = createSafeLogger({ redactKeys: ['customToken', 'internalId'] });\n */\nexport function createSafeLogger(options: LogOptions = {}): SafeLogger {\n  const {\n    redactKeys = [],\n    maxLength = REDACTION.DEFAULT_MAX_LENGTH,\n    redactPatterns = [],\n    level: minLevel = 'debug',\n  } = options;\n\n  const minLevelNum = LOG_LEVELS[minLevel] ?? 0;\n\n  // Combine default and custom keys (lowercase for case-insensitive matching)\n  const allRedactKeys = new Set([\n    ...Array.from(REDACTION.SENSITIVE_KEYS),\n    ...redactKeys.map(k => k.toLowerCase()),\n  ]);\n\n  /**\n   * Redact sensitive data from an object recursively.\n   */\n  function redact(obj: unknown, depth = 0): unknown {\n    if (depth > INPUT.MAX_RECURSION_DEPTH) return REDACTION.MAX_DEPTH;\n    if (obj === null || obj === undefined) return obj;\n\n    if (typeof obj === 'string') {\n      return redactString(obj, maxLength, redactPatterns);\n    }\n\n    if (typeof obj !== 'object') return obj;\n\n    if (Array.isArray(obj)) {\n      return obj.map(item => redact(item, depth + 1));\n    }\n\n    const result: Record<string, unknown> = {};\n    for (const [key, value] of Object.entries(obj as Record<string, unknown>)) {\n      if (allRedactKeys.has(key.toLowerCase())) {\n        result[key] = REDACTION.REPLACEMENT;\n      } else {\n        result[key] = redact(value, depth + 1);\n      }\n    }\n    return result;\n  }\n\n  /**\n   * Log a message at the specified level.\n   */\n  function log(level: string, message: string, data?: unknown): void {\n    // Early exit: skip all work if message level is below minimum\n    const levelNum = LOG_LEVELS[level] ?? 0;\n    if (levelNum < minLevelNum) return;\n\n    const entry: Record<string, unknown> = {\n      timestamp: new Date().toISOString(),\n      level,\n      message: redactString(message, maxLength, redactPatterns),\n    };\n\n    if (data !== undefined) {\n      entry.data = redact(data);\n    }\n\n    console.log(JSON.stringify(entry));\n  }\n\n  return {\n    log,\n    info: (msg: string, data?: unknown) => log('info', msg, data),\n    warn: (msg: string, data?: unknown) => log('warn', msg, data),\n    error: (msg: string, data?: unknown) => log('error', msg, data),\n    debug: (msg: string, data?: unknown) => log('debug', msg, data),\n  };\n}\n\n/**\n * Redact a string value.\n * Removes newlines (log injection prevention), applies patterns, and truncates.\n */\nfunction redactString(str: string, maxLength: number, patterns: RegExp[]): string {\n  // Remove newlines/tabs (log injection prevention) and genuine control characters.\n  // Only strip C0/C1 control chars and null bytes — preserve all printable Unicode\n  // (CJK, Cyrillic, Arabic, etc.) so multilingual content isn't silently lost.\n  let safe = str\n    .replace(/[\\r\\n\\t]/g, ' ')\n    .replace(/[\\x00-\\x08\\x0B\\x0C\\x0E-\\x1F\\x7F\\x80-\\x9F]/g, '');\n\n  // Apply custom redaction patterns\n  for (const pattern of patterns) {\n    safe = safe.replace(pattern, REDACTION.REPLACEMENT);\n  }\n\n  // Truncate if too long\n  if (safe.length > maxLength) {\n    safe = safe.substring(0, maxLength) + `...${REDACTION.TRUNCATED}`;\n  }\n\n  return safe;\n}\n\n/**\n * Create a redactor function for custom use.\n * \n * @param sensitiveKeys - Keys to redact\n * @returns Redactor function\n */\nexport function createRedactor(sensitiveKeys: string[] = []): (obj: unknown) => unknown {\n  const allKeys = new Set([\n    ...Array.from(REDACTION.SENSITIVE_KEYS),\n    ...sensitiveKeys.map(k => k.toLowerCase()),\n  ]);\n\n  function redact(obj: unknown, depth = 0): unknown {\n    if (depth > INPUT.MAX_RECURSION_DEPTH) return REDACTION.MAX_DEPTH;\n    if (obj === null || obj === undefined) return obj;\n    if (typeof obj !== 'object') return obj;\n\n    if (Array.isArray(obj)) {\n      return obj.map(item => redact(item, depth + 1));\n    }\n\n    const result: Record<string, unknown> = {};\n    for (const [key, value] of Object.entries(obj as Record<string, unknown>)) {\n      if (allKeys.has(key.toLowerCase())) {\n        result[key] = REDACTION.REPLACEMENT;\n      } else {\n        result[key] = redact(value, depth + 1);\n      }\n    }\n    return result;\n  }\n\n  return redact;\n}\n\n/**\n * Alias for createSafeLogger\n * @see createSafeLogger\n */\nexport const safeLog = createSafeLogger;\n"]}

package/dist/logging/index.mjs

@@ -46,12 +46,21 @@ var REDACTION = {
 };
 
 // src/logging/redactor.ts
+var LOG_LEVELS = {
+  debug: 0,
+  info: 1,
+  warn: 2,
+  error: 3,
+  silent: 4
+};
 function createSafeLogger(options = {}) {
   const {
     redactKeys = [],
     maxLength = REDACTION.DEFAULT_MAX_LENGTH,
-    redactPatterns = []
+    redactPatterns = [],
+    level: minLevel = "debug"
   } = options;
+  const minLevelNum = LOG_LEVELS[minLevel] ?? 0;
   const allRedactKeys = /* @__PURE__ */ new Set([
     ...Array.from(REDACTION.SENSITIVE_KEYS),
     ...redactKeys.map((k) => k.toLowerCase())
@@ -77,6 +86,8 @@ function createSafeLogger(options = {}) {
     return result;
   }
   function log(level, message, data) {
+    const levelNum = LOG_LEVELS[level] ?? 0;
+    if (levelNum < minLevelNum) return;
     const entry = {
       timestamp: (/* @__PURE__ */ new Date()).toISOString(),
       level,

package/dist/logging/index.mjs.map

@@ -1 +1 @@
-{"version":3,"sources":["../../src/core/constants.ts","../../src/logging/redactor.ts"],"names":[],"mappings":";AAQO,IAAM,KAAA,GAAQ;AAAA,EAED;AAAA,EAElB,mBAAA,EAAqB;AACvB,CAAA;AAiOO,IAAM,SAAA,GAAY;AAAA;AAAA,EAEvB,WAAA,EAAa,YAAA;AAAA;AAAA,EAEb,SAAA,EAAW,aAAA;AAAA;AAAA,EAEX,SAAA,EAAW,aAAA;AAAA;AAAA,EAEX,kBAAA,EAAoB,GAAA;AAAA;AAAA,EAEpB,cAAA,sBAAoB,GAAA,CAAI;AAAA,IACtB,UAAA;AAAA,IAAY,QAAA;AAAA,IAAU,KAAA;AAAA,IAAO,QAAA;AAAA,IAAU,OAAA;AAAA,IAAS,QAAA;AAAA,IAChD,SAAA;AAAA,IAAW,QAAA;AAAA,IAAU,MAAA;AAAA,IAAQ,eAAA;AAAA,IAAiB,aAAA;AAAA,IAC9C,YAAA;AAAA,IAAc,IAAA;AAAA,IAAM,KAAA;AAAA,IAAO,iBAAA;AAAA,IAAmB,aAAA;AAAA,IAC9C,YAAA;AAAA,IAAc,cAAA;AAAA,IAAgB,aAAA;AAAA,IAAe,eAAA;AAAA,IAC7C,cAAA;AAAA,IAAgB,QAAA;AAAA,IAAU,KAAA;AAAA,IAAO,SAAA;AAAA,IAAW,QAAA;AAAA,IAC5C,aAAA;AAAA,IAAe,WAAA;AAAA,IAAa;AAAA,GAC7B;AACH,CAAA;;;ACzOO,SAAS,gBAAA,CAAiB,OAAA,GAAsB,EAAC,EAAe;AACrE,EAAA,MAAM;AAAA,IACJ,aAAa,EAAC;AAAA,IACd,YAAY,SAAA,CAAU,kBAAA;AAAA,IACtB,iBAAiB;AAAC,GACpB,GAAI,OAAA;AAGJ,EAAA,MAAM,aAAA,uBAAoB,GAAA,CAAI;AAAA,IAC5B,GAAG,KAAA,CAAM,IAAA,CAAK,SAAA,CAAU,cAAc,CAAA;AAAA,IACtC,GAAG,UAAA,CAAW,GAAA,CAAI,CAAA,CAAA,KAAK,CAAA,CAAE,aAAa;AAAA,GACvC,CAAA;AAKD,EAAA,SAAS,MAAA,CAAO,GAAA,EAAc,KAAA,GAAQ,CAAA,EAAY;AAChD,IAAA,IAAI,KAAA,GAAQ,KAAA,CAAM,mBAAA,EAAqB,OAAO,SAAA,CAAU,SAAA;AACxD,IAAA,IAAI,GAAA,KAAQ,IAAA,IAAQ,GAAA,KAAQ,MAAA,EAAW,OAAO,GAAA;AAE9C,IAAA,IAAI,OAAO,QAAQ,QAAA,EAAU;AAC3B,MAAA,OAAO,YAAA,CAAa,GAAA,EAAK,SAAA,EAAW,cAAc,CAAA;AAAA,IACpD;AAEA,IAAA,IAAI,OAAO,GAAA,KAAQ,QAAA,EAAU,OAAO,GAAA;AAEpC,IAAA,IAAI,KAAA,CAAM,OAAA,CAAQ,GAAG,CAAA,EAAG;AACtB,MAAA,OAAO,IAAI,GAAA,CAAI,CAAA,IAAA,KAAQ,OAAO,IAAA,EAAM,KAAA,GAAQ,CAAC,CAAC,CAAA;AAAA,IAChD;AAEA,IAAA,MAAM,SAAkC,EAAC;AACzC,IAAA,KAAA,MAAW,CAAC,GAAA,EAAK,KAAK,KAAK,MAAA,CAAO,OAAA,CAAQ,GAA8B,CAAA,EAAG;AACzE,MAAA,IAAI,aAAA,CAAc,GAAA,CAAI,GAAA,CAAI,WAAA,EAAa,CAAA,EAAG;AACxC,QAAA,MAAA,CAAO,GAAG,IAAI,SAAA,CAAU,WAAA;AAAA,MAC1B,CAAA,MAAO;AACL,QAAA,MAAA,CAAO,GAAG,CAAA,GAAI,MAAA,CAAO,KAAA,EAAO,QAAQ,CAAC,CAAA;AAAA,MACvC;AAAA,IACF;AACA,IAAA,OAAO,MAAA;AAAA,EACT;AAKA,EAAA,SAAS,GAAA,CAAI,KAAA,EAAe,OAAA,EAAiB,IAAA,EAAsB;AACjE,IAAA,MAAM,KAAA,GAAiC;AAAA,MACrC,SAAA,EAAA,iBAAW,IAAI,IAAA,EAAK,EAAE,WAAA,EAAY;AAAA,MAClC,KAAA;AAAA,MACA,OAAA,EAAS,YAAA,CAAa,OAAA,EAAS,SAAA,EAAW,cAAc;AAAA,KAC1D;AAEA,IAAA,IAAI,SAAS,MAAA,EAAW;AACtB,MAAA,KAAA,CAAM,IAAA,GAAO,OAAO,IAAI,CAAA;AAAA,IAC1B;AAEA,IAAA,OAAA,CAAQ,GAAA,CAAI,IAAA,CAAK,SAAA,CAAU,KAAK,CAAC,CAAA;AAAA,EACnC;AAEA,EAAA,OAAO;AAAA,IACL,GAAA;AAAA,IACA,MAAM,CAAC,GAAA,EAAa,SAAmB,GAAA,CAAI,MAAA,EAAQ,KAAK,IAAI,CAAA;AAAA,IAC5D,MAAM,CAAC,GAAA,EAAa,SAAmB,GAAA,CAAI,MAAA,EAAQ,KAAK,IAAI,CAAA;AAAA,IAC5D,OAAO,CAAC,GAAA,EAAa,SAAmB,GAAA,CAAI,OAAA,EAAS,KAAK,IAAI,CAAA;AAAA,IAC9D,OAAO,CAAC,GAAA,EAAa,SAAmB,GAAA,CAAI,OAAA,EAAS,KAAK,IAAI;AAAA,GAChE;AACF;AAMA,SAAS,YAAA,CAAa,GAAA,EAAa,SAAA,EAAmB,QAAA,EAA4B;AAIhF,EAAA,IAAI,IAAA,GAAO,IACR,OAAA,CAAQ,WAAA,EAAa,GAAG,CAAA,CACxB,OAAA,CAAQ,8CAA8C,EAAE,CAAA;AAG3D,EAAA,KAAA,MAAW,WAAW,QAAA,EAAU;AAC9B,IAAA,IAAA,GAAO,IAAA,CAAK,OAAA,CAAQ,OAAA,EAAS,SAAA,CAAU,WAAW,CAAA;AAAA,EACpD;AAGA,EAAA,IAAI,IAAA,CAAK,SAAS,SAAA,EAAW;AAC3B,IAAA,IAAA,GAAO,KAAK,SAAA,CAAU,CAAA,EAAG,SAAS,CAAA,GAAI,CAAA,GAAA,EAAM,UAAU,SAAS,CAAA,CAAA;AAAA,EACjE;AAEA,EAAA,OAAO,IAAA;AACT;AAQO,SAAS,cAAA,CAAe,aAAA,GAA0B,EAAC,EAA8B;AACtF,EAAA,MAAM,OAAA,uBAAc,GAAA,CAAI;AAAA,IACtB,GAAG,KAAA,CAAM,IAAA,CAAK,SAAA,CAAU,cAAc,CAAA;AAAA,IACtC,GAAG,aAAA,CAAc,GAAA,CAAI,CAAA,CAAA,KAAK,CAAA,CAAE,aAAa;AAAA,GAC1C,CAAA;AAED,EAAA,SAAS,MAAA,CAAO,GAAA,EAAc,KAAA,GAAQ,CAAA,EAAY;AAChD,IAAA,IAAI,KAAA,GAAQ,KAAA,CAAM,mBAAA,EAAqB,OAAO,SAAA,CAAU,SAAA;AACxD,IAAA,IAAI,GAAA,KAAQ,IAAA,IAAQ,GAAA,KAAQ,MAAA,EAAW,OAAO,GAAA;AAC9C,IAAA,IAAI,OAAO,GAAA,KAAQ,QAAA,EAAU,OAAO,GAAA;AAEpC,IAAA,IAAI,KAAA,CAAM,OAAA,CAAQ,GAAG,CAAA,EAAG;AACtB,MAAA,OAAO,IAAI,GAAA,CAAI,CAAA,IAAA,KAAQ,OAAO,IAAA,EAAM,KAAA,GAAQ,CAAC,CAAC,CAAA;AAAA,IAChD;AAEA,IAAA,MAAM,SAAkC,EAAC;AACzC,IAAA,KAAA,MAAW,CAAC,GAAA,EAAK,KAAK,KAAK,MAAA,CAAO,OAAA,CAAQ,GAA8B,CAAA,EAAG;AACzE,MAAA,IAAI,OAAA,CAAQ,GAAA,CAAI,GAAA,CAAI,WAAA,EAAa,CAAA,EAAG;AAClC,QAAA,MAAA,CAAO,GAAG,IAAI,SAAA,CAAU,WAAA;AAAA,MAC1B,CAAA,MAAO;AACL,QAAA,MAAA,CAAO,GAAG,CAAA,GAAI,MAAA,CAAO,KAAA,EAAO,QAAQ,CAAC,CAAA;AAAA,MACvC;AAAA,IACF;AACA,IAAA,OAAO,MAAA;AAAA,EACT;AAEA,EAAA,OAAO,MAAA;AACT;AAMO,IAAM,OAAA,GAAU","file":"index.mjs","sourcesContent":["/**\r\n * @module @arcis/node/core/constants\r\n * Named constants for Arcis - no magic numbers\r\n */\r\n\r\n// =============================================================================\r\n// INPUT LIMITS\r\n// =============================================================================\r\nexport const INPUT = {\r\n  /** Default maximum input size (1MB) */\r\n  DEFAULT_MAX_SIZE: 1_000_000,\r\n  /** Maximum recursion depth for nested objects */\r\n  MAX_RECURSION_DEPTH: 10,\r\n} as const;\r\n\r\n// =============================================================================\r\n// RATE LIMITING\r\n// =============================================================================\r\nexport const RATE_LIMIT = {\r\n  /** Default window size (1 minute) */\r\n  DEFAULT_WINDOW_MS: 60_000,\r\n  /** Default max requests per window */\r\n  DEFAULT_MAX_REQUESTS: 100,\r\n  /** Default HTTP status code for rate limited responses */\r\n  DEFAULT_STATUS_CODE: 429,\r\n  /** Default error message */\r\n  DEFAULT_MESSAGE: 'Too many requests, please try again later.',\r\n  /** Minimum window size (1 second) */\r\n  MIN_WINDOW_MS: 1_000,\r\n  /** Maximum window size (24 hours) */\r\n  MAX_WINDOW_MS: 86_400_000,\r\n} as const;\r\n\r\n// =============================================================================\r\n// SECURITY HEADERS\r\n// =============================================================================\r\nexport const HEADERS = {\r\n  /** Default Content Security Policy */\r\n  DEFAULT_CSP: [\r\n    \"default-src 'self'\",\r\n    \"script-src 'self'\",\r\n    \"style-src 'self' 'unsafe-inline'\",\r\n    \"img-src 'self' data: https:\",\r\n    \"font-src 'self'\",\r\n    \"object-src 'none'\",\r\n    \"frame-ancestors 'none'\",\r\n  ].join('; '),\r\n  /** Default HSTS max age (1 year in seconds) */\r\n  HSTS_MAX_AGE: 31_536_000,\r\n  /** Default X-Frame-Options value */\r\n  FRAME_OPTIONS: 'DENY' as const,\r\n  /** Default X-Content-Type-Options value */\r\n  CONTENT_TYPE_OPTIONS: 'nosniff',\r\n  /** Default Referrer-Policy value */\r\n  REFERRER_POLICY: 'strict-origin-when-cross-origin',\r\n  /** Default Permissions-Policy value */\r\n  PERMISSIONS_POLICY: 'geolocation=(), microphone=(), camera=()',\r\n  /** Default Cache-Control value for security */\r\n  CACHE_CONTROL: 'no-store, no-cache, must-revalidate, proxy-revalidate',\r\n} as const;\r\n\r\n// =============================================================================\r\n// XSS PATTERNS (ReDoS-safe)\r\n// =============================================================================\r\n\r\n/**\r\n * Detection patterns — used to flag whether a string contains XSS payloads.\r\n * Must stay in sync with XSS_REMOVE_PATTERNS below.\r\n */\r\nexport const XSS_PATTERNS = [\r\n  /** Script tags (ReDoS-safe version) */\r\n  /<script[^>]*>[\\s\\S]*?<\\/script>/gi,\r\n  /** javascript: protocol (allow optional spaces before colon) */\r\n  /javascript\\s*:/gi,\r\n  /** vbscript: protocol */\r\n  /vbscript\\s*:/gi,\r\n  /** Event handlers (onclick, onerror, etc.) — any separator before attribute */\r\n  /(?:[\\s/])on\\w+\\s*=/gi,\r\n  /** iframe tags */\r\n  /<iframe/gi,\r\n  /** object tags */\r\n  /<object/gi,\r\n  /** embed tags */\r\n  /<embed/gi,\r\n  /** data: URIs (only dangerous ones, avoid false positives) */\r\n  /(?:^|[\\s\"'=])data:/gi,\r\n  /** URL-encoded script tags */\r\n  /%3Cscript/gi,\r\n  /** SVG with onload */\r\n  /<svg[^>]*onload/gi,\r\n] as const;\r\n\r\n/**\r\n * Removal patterns — used by sanitizeXss() to strip dangerous content.\r\n * More targeted than XSS_PATTERNS: each pattern captures the full dangerous\r\n * substring (tag, attribute + value, protocol) so it can be replaced safely.\r\n * Must stay in sync with XSS_PATTERNS above.\r\n */\r\nexport const XSS_REMOVE_PATTERNS = [\r\n  /** Full script blocks (content + tags) */\r\n  /<script[^>]*>[\\s\\S]*?<\\/script>/gi,\r\n  /** Standalone/unclosed script tags */\r\n  /<script[^>]*>/gi,\r\n  /** iframe — full block and partial/unclosed */\r\n  /<iframe[^>]*>[\\s\\S]*?<\\/iframe>/gi,\r\n  /<iframe[^>]*/gi,\r\n  /** object — full block and partial/unclosed */\r\n  /<object[^>]*>[\\s\\S]*?<\\/object>/gi,\r\n  /<object[^>]*/gi,\r\n  /** embed tags */\r\n  /<embed[^>]*/gi,\r\n  /** SVG with inline event handlers */\r\n  /<svg[^>]*onload[^>]*>/gi,\r\n  /** URL-encoded script tags */\r\n  /%3Cscript/gi,\r\n  /** Event handlers with quoted values: onclick=\"...\", onerror='...' */\r\n  /(?:[\\s/])on\\w+\\s*=\\s*[\"'][^\"']*[\"']/gi,\r\n  /** Event handlers with unquoted values: onload=value */\r\n  /(?:[\\s/])on\\w+\\s*=\\s*[^\\s>]*/gi,\r\n  /** javascript: and vbscript: protocols (allow optional spaces before colon) */\r\n  /javascript\\s*:/gi,\r\n  /vbscript\\s*:/gi,\r\n  /** data: URIs with HTML/script content */\r\n  /data\\s*:\\s*text\\/html[^>\\s]*/gi,\r\n] as const;\r\n\r\n// =============================================================================\r\n// SQL INJECTION PATTERNS\r\n// =============================================================================\r\nexport const SQL_PATTERNS = [\r\n  /** SQL keywords */\r\n  /(\\b(SELECT|INSERT|UPDATE|DELETE|DROP|UNION|ALTER|CREATE|TRUNCATE|EXEC|EXECUTE)\\b)/gi,\r\n  /** SQL comments: ANSI (--), C-style (slash-star ... star-slash), MySQL (#) */\r\n  /(--|\\/\\*|\\*\\/|#)/g,\r\n  /** SQL statement separators */\r\n  /(;|\\|\\||&&)/g,\r\n  /** Boolean injection: OR 1=1 */\r\n  /\\bOR\\s+\\d+\\s*=\\s*\\d+/gi,\r\n  /** Boolean injection: OR 'a'='a' or OR \"a\"=\"a\" (including mixed quotes) */\r\n  /\\bOR\\s+(['\"])[^'\"]*\\1\\s*=\\s*(['\"])[^'\"]*\\2/gi,\r\n  /\\bOR\\s+('[^']*'|\"[^\"]*\")\\s*=\\s*('[^']*'|\"[^\"]*\")/gi,\r\n  /** Boolean injection: AND 1=1 */\r\n  /\\bAND\\s+\\d+\\s*=\\s*\\d+/gi,\r\n  /** Boolean injection: AND 'a'='a' or AND \"a\"=\"a\" (including mixed quotes) */\r\n  /\\bAND\\s+(['\"])[^'\"]*\\1\\s*=\\s*(['\"])[^'\"]*\\2/gi,\r\n  /\\bAND\\s+('[^']*'|\"[^\"]*\")\\s*=\\s*('[^']*'|\"[^\"]*\")/gi,\r\n  /** Time-based blind: SLEEP() */\r\n  /\\bSLEEP\\s*\\(\\s*\\d+\\s*\\)/gi,\r\n  /** Time-based blind: BENCHMARK() */\r\n  /\\bBENCHMARK\\s*\\(/gi,\r\n] as const;\r\n\r\n// =============================================================================\r\n// PATH TRAVERSAL PATTERNS\r\n// =============================================================================\r\nexport const PATH_PATTERNS = [\r\n  /** Unix path traversal */\r\n  /\\.\\.\\//g,\r\n  /** Windows path traversal */\r\n  /\\.\\.\\\\/g,\r\n  /** URL-encoded traversal (%2e%2e) */\r\n  /%2e%2e/gi,\r\n  /** Double URL-encoded traversal (%252e) */\r\n  /%252e/gi,\r\n  /** Mixed encoding: ..%2F */\r\n  /\\.\\.%2F/gi,\r\n  /** Mixed encoding: %2e./ and .%2e/ */\r\n  /%2e\\.[\\\\/]/gi,\r\n  /\\.%2e[\\\\/]/gi,\r\n  /** Fully URL-encoded: %2e%2e%2f */\r\n  /%2e%2e%2f/gi,\r\n  /** Null byte injection in paths */\r\n  /\\0/g,\r\n] as const;\r\n\r\n// =============================================================================\r\n// COMMAND INJECTION PATTERNS\r\n// =============================================================================\r\nexport const COMMAND_PATTERNS = [\r\n  /**\r\n   * Shell metacharacters that enable command chaining/substitution.\r\n   * Bare ( and ) are excluded — they appear in common legitimate values\r\n   * (function calls in code fields, math expressions, etc.).\r\n   * Command substitution is caught by the $( combined pattern below.\r\n   * NOTE: ';', '&', '|' may appear in legitimate URL query strings\r\n   * and Markdown; consider disabling command checking (command: false)\r\n   * for fields that intentionally allow those characters.\r\n   */\r\n  /[;&|`]/g,\r\n  /** Command substitution: $( ... ) — matched as a pair to reduce false positives */\r\n  /\\$\\(/g,\r\n] as const;\r\n\r\n// =============================================================================\r\n// DANGEROUS KEYS\r\n// =============================================================================\r\n\r\n/**\r\n * Prototype pollution keys to block.\r\n * Stored lowercase — always compare with key.toLowerCase().\r\n *\r\n * Includes:\r\n * - __proto__: direct prototype assignment\r\n * - constructor: access to constructor.prototype chain\r\n * - prototype: direct prototype property\r\n * - __defineGetter__/__defineSetter__: legacy property definition (can override getters/setters)\r\n * - __lookupGetter__/__lookupSetter__: legacy property introspection\r\n */\r\nexport const DANGEROUS_PROTO_KEYS = new Set([\r\n  '__proto__',\r\n  'constructor',\r\n  'prototype',\r\n  '__definegetter__',\r\n  '__definesetter__',\r\n  '__lookupgetter__',\r\n  '__lookupsetter__',\r\n]);\r\n\r\n/** MongoDB operators to block */\r\nexport const NOSQL_DANGEROUS_KEYS = new Set([\r\n  // Comparison\r\n  '$gt', '$gte', '$lt', '$lte', '$ne', '$eq', '$in', '$nin',\r\n  // Logical\r\n  '$and', '$or', '$not', '$nor',\r\n  // Element / evaluation\r\n  '$exists', '$type', '$regex', '$where', '$expr', '$mod', '$text',\r\n  // Array\r\n  '$elemMatch', '$all', '$size',\r\n  // JavaScript execution (critical)\r\n  '$function', '$accumulator',\r\n  // Aggregation pipeline operators (injectable via $lookup etc.)\r\n  '$lookup', '$match', '$project', '$group', '$sort', '$limit', '$skip',\r\n  '$unwind', '$addFields', '$replaceRoot',\r\n]);\r\n\r\n// =============================================================================\r\n// REDACTION\r\n// =============================================================================\r\nexport const REDACTION = {\r\n  /** Replacement text for redacted values */\r\n  REPLACEMENT: '[REDACTED]',\r\n  /** Truncation indicator */\r\n  TRUNCATED: '[TRUNCATED]',\r\n  /** Max depth indicator */\r\n  MAX_DEPTH: '[MAX_DEPTH]',\r\n  /** Default max message length */\r\n  DEFAULT_MAX_LENGTH: 10_000,\r\n  /** Default sensitive keys to redact */\r\n  SENSITIVE_KEYS: new Set([\r\n    'password', 'passwd', 'pwd', 'secret', 'token', 'apikey',\r\n    'api_key', 'apiKey', 'auth', 'authorization', 'credit_card',\r\n    'creditcard', 'cc', 'ssn', 'social_security', 'private_key',\r\n    'privateKey', 'access_token', 'accessToken', 'refresh_token',\r\n    'refreshToken', 'bearer', 'jwt', 'session', 'cookie',\r\n    'credentials', 'x-api-key', 'x-auth-token',\r\n  ]),\r\n} as const;\r\n\r\n// =============================================================================\r\n// VALIDATION PATTERNS\r\n// =============================================================================\r\nexport const VALIDATION = {\r\n  /**\r\n   * Email regex pattern.\r\n   * Rejects consecutive dots in local part (e.g. test..foo@example.com),\r\n   * leading/trailing dots, and other common invalid forms.\r\n   */\r\n  EMAIL: /^[^\\s@.][^\\s@]*(?:\\.[^\\s@.][^\\s@]*)*@[^\\s@]+\\.[^\\s@]+$/,\r\n  /**\r\n   * URL regex pattern.\r\n   * Only allows http:// and https:// — explicitly rejects javascript:,\r\n   * data:, vbscript:, and other dangerous URI schemes.\r\n   */\r\n  URL: /^https?:\\/\\/[^\\s/$.?#][^\\s]*$/,\r\n  /** UUID regex pattern (v4) */\r\n  UUID: /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i,\r\n} as const;\r\n\r\n// =============================================================================\r\n// ERROR MESSAGES\r\n// =============================================================================\r\nexport const ERRORS = {\r\n  /** Generic error message (production) */\r\n  INTERNAL_SERVER_ERROR: 'Internal Server Error',\r\n  /** Input too large error */\r\n  INPUT_TOO_LARGE: (maxSize: number) => `Input exceeds maximum size of ${maxSize} bytes`,\r\n  /** Validation error messages */\r\n  VALIDATION: {\r\n    REQUIRED: (field: string) => `${field} is required`,\r\n    INVALID_TYPE: (field: string, type: string) => `${field} must be a ${type}`,\r\n    MIN_LENGTH: (field: string, min: number) => `${field} must be at least ${min} characters`,\r\n    MAX_LENGTH: (field: string, max: number) => `${field} must be at most ${max} characters`,\r\n    MIN_VALUE: (field: string, min: number) => `${field} must be at least ${min}`,\r\n    MAX_VALUE: (field: string, max: number) => `${field} must be at most ${max}`,\r\n    INVALID_FORMAT: (field: string) => `${field} format is invalid`,\r\n    INVALID_EMAIL: (field: string) => `${field} must be a valid email`,\r\n    INVALID_URL: (field: string) => `${field} must be a valid URL`,\r\n    INVALID_UUID: (field: string) => `${field} must be a valid UUID`,\r\n    INVALID_ENUM: (field: string, values: unknown[]) => `${field} must be one of: ${values.join(', ')}`,\r\n    MIN_ITEMS: (field: string, min: number) => `${field} must have at least ${min} items`,\r\n    MAX_ITEMS: (field: string, max: number) => `${field} must have at most ${max} items`,\r\n  },\r\n} as const;\r\n\r\n// =============================================================================\r\n// BLOCKED TEXT (for sanitizer replacements)\r\n// =============================================================================\r\nexport const BLOCKED = '[BLOCKED]' as const;\r\n","/**\r\n * @module @arcis/node/logging/redactor\r\n * Safe logging with PII/secret redaction\r\n */\r\n\r\nimport { REDACTION, INPUT } from '../core/constants';\r\nimport type { LogOptions, SafeLogger } from '../core/types';\r\n\r\n/**\r\n * Create a safe logger that redacts sensitive data and prevents log injection.\r\n * \r\n * @param options - Logger configuration\r\n * @returns SafeLogger instance\r\n * \r\n * @example\r\n * const logger = createSafeLogger();\r\n * logger.info('User login', { email: 'user@test.com', password: 'secret' });\r\n * // Logs: { \"email\": \"user@test.com\", \"password\": \"[REDACTED]\" }\r\n * \r\n * @example\r\n * // With custom redact keys\r\n * const logger = createSafeLogger({ redactKeys: ['customToken', 'internalId'] });\r\n */\r\nexport function createSafeLogger(options: LogOptions = {}): SafeLogger {\r\n  const { \r\n    redactKeys = [], \r\n    maxLength = REDACTION.DEFAULT_MAX_LENGTH,\r\n    redactPatterns = [],\r\n  } = options;\r\n\r\n  // Combine default and custom keys (lowercase for case-insensitive matching)\r\n  const allRedactKeys = new Set([\r\n    ...Array.from(REDACTION.SENSITIVE_KEYS),\r\n    ...redactKeys.map(k => k.toLowerCase()),\r\n  ]);\r\n\r\n  /**\r\n   * Redact sensitive data from an object recursively.\r\n   */\r\n  function redact(obj: unknown, depth = 0): unknown {\r\n    if (depth > INPUT.MAX_RECURSION_DEPTH) return REDACTION.MAX_DEPTH;\r\n    if (obj === null || obj === undefined) return obj;\r\n\r\n    if (typeof obj === 'string') {\r\n      return redactString(obj, maxLength, redactPatterns);\r\n    }\r\n\r\n    if (typeof obj !== 'object') return obj;\r\n\r\n    if (Array.isArray(obj)) {\r\n      return obj.map(item => redact(item, depth + 1));\r\n    }\r\n\r\n    const result: Record<string, unknown> = {};\r\n    for (const [key, value] of Object.entries(obj as Record<string, unknown>)) {\r\n      if (allRedactKeys.has(key.toLowerCase())) {\r\n        result[key] = REDACTION.REPLACEMENT;\r\n      } else {\r\n        result[key] = redact(value, depth + 1);\r\n      }\r\n    }\r\n    return result;\r\n  }\r\n\r\n  /**\r\n   * Log a message at the specified level.\r\n   */\r\n  function log(level: string, message: string, data?: unknown): void {\r\n    const entry: Record<string, unknown> = {\r\n      timestamp: new Date().toISOString(),\r\n      level,\r\n      message: redactString(message, maxLength, redactPatterns),\r\n    };\r\n    \r\n    if (data !== undefined) {\r\n      entry.data = redact(data);\r\n    }\r\n    \r\n    console.log(JSON.stringify(entry));\r\n  }\r\n\r\n  return {\r\n    log,\r\n    info: (msg: string, data?: unknown) => log('info', msg, data),\r\n    warn: (msg: string, data?: unknown) => log('warn', msg, data),\r\n    error: (msg: string, data?: unknown) => log('error', msg, data),\r\n    debug: (msg: string, data?: unknown) => log('debug', msg, data),\r\n  };\r\n}\r\n\r\n/**\r\n * Redact a string value.\r\n * Removes newlines (log injection prevention), applies patterns, and truncates.\r\n */\r\nfunction redactString(str: string, maxLength: number, patterns: RegExp[]): string {\r\n  // Remove newlines/tabs (log injection prevention) and genuine control characters.\r\n  // Only strip C0/C1 control chars and null bytes — preserve all printable Unicode\r\n  // (CJK, Cyrillic, Arabic, etc.) so multilingual content isn't silently lost.\r\n  let safe = str\r\n    .replace(/[\\r\\n\\t]/g, ' ')\r\n    .replace(/[\\x00-\\x08\\x0B\\x0C\\x0E-\\x1F\\x7F\\x80-\\x9F]/g, '');\r\n\r\n  // Apply custom redaction patterns\r\n  for (const pattern of patterns) {\r\n    safe = safe.replace(pattern, REDACTION.REPLACEMENT);\r\n  }\r\n\r\n  // Truncate if too long\r\n  if (safe.length > maxLength) {\r\n    safe = safe.substring(0, maxLength) + `...${REDACTION.TRUNCATED}`;\r\n  }\r\n\r\n  return safe;\r\n}\r\n\r\n/**\r\n * Create a redactor function for custom use.\r\n * \r\n * @param sensitiveKeys - Keys to redact\r\n * @returns Redactor function\r\n */\r\nexport function createRedactor(sensitiveKeys: string[] = []): (obj: unknown) => unknown {\r\n  const allKeys = new Set([\r\n    ...Array.from(REDACTION.SENSITIVE_KEYS),\r\n    ...sensitiveKeys.map(k => k.toLowerCase()),\r\n  ]);\r\n\r\n  function redact(obj: unknown, depth = 0): unknown {\r\n    if (depth > INPUT.MAX_RECURSION_DEPTH) return REDACTION.MAX_DEPTH;\r\n    if (obj === null || obj === undefined) return obj;\r\n    if (typeof obj !== 'object') return obj;\r\n\r\n    if (Array.isArray(obj)) {\r\n      return obj.map(item => redact(item, depth + 1));\r\n    }\r\n\r\n    const result: Record<string, unknown> = {};\r\n    for (const [key, value] of Object.entries(obj as Record<string, unknown>)) {\r\n      if (allKeys.has(key.toLowerCase())) {\r\n        result[key] = REDACTION.REPLACEMENT;\r\n      } else {\r\n        result[key] = redact(value, depth + 1);\r\n      }\r\n    }\r\n    return result;\r\n  }\r\n\r\n  return redact;\r\n}\r\n\r\n/**\r\n * Alias for createSafeLogger\r\n * @see createSafeLogger\r\n */\r\nexport const safeLog = createSafeLogger;\r\n"]}
+{"version":3,"sources":["../../src/core/constants.ts","../../src/logging/redactor.ts"],"names":[],"mappings":";AAQO,IAAM,KAAA,GAAQ;AAAA,EAED;AAAA,EAElB,mBAAA,EAAqB;AACvB,CAAA;AA2OO,IAAM,SAAA,GAAY;AAAA;AAAA,EAEvB,WAAA,EAAa,YAAA;AAAA;AAAA,EAEb,SAAA,EAAW,aAAA;AAAA;AAAA,EAEX,SAAA,EAAW,aAAA;AAAA;AAAA,EAEX,kBAAA,EAAoB,GAAA;AAAA;AAAA,EAEpB,cAAA,sBAAoB,GAAA,CAAI;AAAA,IACtB,UAAA;AAAA,IAAY,QAAA;AAAA,IAAU,KAAA;AAAA,IAAO,QAAA;AAAA,IAAU,OAAA;AAAA,IAAS,QAAA;AAAA,IAChD,SAAA;AAAA,IAAW,QAAA;AAAA,IAAU,MAAA;AAAA,IAAQ,eAAA;AAAA,IAAiB,aAAA;AAAA,IAC9C,YAAA;AAAA,IAAc,IAAA;AAAA,IAAM,KAAA;AAAA,IAAO,iBAAA;AAAA,IAAmB,aAAA;AAAA,IAC9C,YAAA;AAAA,IAAc,cAAA;AAAA,IAAgB,aAAA;AAAA,IAAe,eAAA;AAAA,IAC7C,cAAA;AAAA,IAAgB,QAAA;AAAA,IAAU,KAAA;AAAA,IAAO,SAAA;AAAA,IAAW,QAAA;AAAA,IAC5C,aAAA;AAAA,IAAe,WAAA;AAAA,IAAa;AAAA,GAC7B;AACH,CAAA;;;AClQA,IAAM,UAAA,GAAqC;AAAA,EACzC,KAAA,EAAO,CAAA;AAAA,EACP,IAAA,EAAM,CAAA;AAAA,EACN,IAAA,EAAM,CAAA;AAAA,EACN,KAAA,EAAO,CAAA;AAAA,EACP,MAAA,EAAQ;AACV,CAAA;AAiBO,SAAS,gBAAA,CAAiB,OAAA,GAAsB,EAAC,EAAe;AACrE,EAAA,MAAM;AAAA,IACJ,aAAa,EAAC;AAAA,IACd,YAAY,SAAA,CAAU,kBAAA;AAAA,IACtB,iBAAiB,EAAC;AAAA,IAClB,OAAO,QAAA,GAAW;AAAA,GACpB,GAAI,OAAA;AAEJ,EAAA,MAAM,WAAA,GAAc,UAAA,CAAW,QAAQ,CAAA,IAAK,CAAA;AAG5C,EAAA,MAAM,aAAA,uBAAoB,GAAA,CAAI;AAAA,IAC5B,GAAG,KAAA,CAAM,IAAA,CAAK,SAAA,CAAU,cAAc,CAAA;AAAA,IACtC,GAAG,UAAA,CAAW,GAAA,CAAI,CAAA,CAAA,KAAK,CAAA,CAAE,aAAa;AAAA,GACvC,CAAA;AAKD,EAAA,SAAS,MAAA,CAAO,GAAA,EAAc,KAAA,GAAQ,CAAA,EAAY;AAChD,IAAA,IAAI,KAAA,GAAQ,KAAA,CAAM,mBAAA,EAAqB,OAAO,SAAA,CAAU,SAAA;AACxD,IAAA,IAAI,GAAA,KAAQ,IAAA,IAAQ,GAAA,KAAQ,MAAA,EAAW,OAAO,GAAA;AAE9C,IAAA,IAAI,OAAO,QAAQ,QAAA,EAAU;AAC3B,MAAA,OAAO,YAAA,CAAa,GAAA,EAAK,SAAA,EAAW,cAAc,CAAA;AAAA,IACpD;AAEA,IAAA,IAAI,OAAO,GAAA,KAAQ,QAAA,EAAU,OAAO,GAAA;AAEpC,IAAA,IAAI,KAAA,CAAM,OAAA,CAAQ,GAAG,CAAA,EAAG;AACtB,MAAA,OAAO,IAAI,GAAA,CAAI,CAAA,IAAA,KAAQ,OAAO,IAAA,EAAM,KAAA,GAAQ,CAAC,CAAC,CAAA;AAAA,IAChD;AAEA,IAAA,MAAM,SAAkC,EAAC;AACzC,IAAA,KAAA,MAAW,CAAC,GAAA,EAAK,KAAK,KAAK,MAAA,CAAO,OAAA,CAAQ,GAA8B,CAAA,EAAG;AACzE,MAAA,IAAI,aAAA,CAAc,GAAA,CAAI,GAAA,CAAI,WAAA,EAAa,CAAA,EAAG;AACxC,QAAA,MAAA,CAAO,GAAG,IAAI,SAAA,CAAU,WAAA;AAAA,MAC1B,CAAA,MAAO;AACL,QAAA,MAAA,CAAO,GAAG,CAAA,GAAI,MAAA,CAAO,KAAA,EAAO,QAAQ,CAAC,CAAA;AAAA,MACvC;AAAA,IACF;AACA,IAAA,OAAO,MAAA;AAAA,EACT;AAKA,EAAA,SAAS,GAAA,CAAI,KAAA,EAAe,OAAA,EAAiB,IAAA,EAAsB;AAEjE,IAAA,MAAM,QAAA,GAAW,UAAA,CAAW,KAAK,CAAA,IAAK,CAAA;AACtC,IAAA,IAAI,WAAW,WAAA,EAAa;AAE5B,IAAA,MAAM,KAAA,GAAiC;AAAA,MACrC,SAAA,EAAA,iBAAW,IAAI,IAAA,EAAK,EAAE,WAAA,EAAY;AAAA,MAClC,KAAA;AAAA,MACA,OAAA,EAAS,YAAA,CAAa,OAAA,EAAS,SAAA,EAAW,cAAc;AAAA,KAC1D;AAEA,IAAA,IAAI,SAAS,MAAA,EAAW;AACtB,MAAA,KAAA,CAAM,IAAA,GAAO,OAAO,IAAI,CAAA;AAAA,IAC1B;AAEA,IAAA,OAAA,CAAQ,GAAA,CAAI,IAAA,CAAK,SAAA,CAAU,KAAK,CAAC,CAAA;AAAA,EACnC;AAEA,EAAA,OAAO;AAAA,IACL,GAAA;AAAA,IACA,MAAM,CAAC,GAAA,EAAa,SAAmB,GAAA,CAAI,MAAA,EAAQ,KAAK,IAAI,CAAA;AAAA,IAC5D,MAAM,CAAC,GAAA,EAAa,SAAmB,GAAA,CAAI,MAAA,EAAQ,KAAK,IAAI,CAAA;AAAA,IAC5D,OAAO,CAAC,GAAA,EAAa,SAAmB,GAAA,CAAI,OAAA,EAAS,KAAK,IAAI,CAAA;AAAA,IAC9D,OAAO,CAAC,GAAA,EAAa,SAAmB,GAAA,CAAI,OAAA,EAAS,KAAK,IAAI;AAAA,GAChE;AACF;AAMA,SAAS,YAAA,CAAa,GAAA,EAAa,SAAA,EAAmB,QAAA,EAA4B;AAIhF,EAAA,IAAI,IAAA,GAAO,IACR,OAAA,CAAQ,WAAA,EAAa,GAAG,CAAA,CACxB,OAAA,CAAQ,8CAA8C,EAAE,CAAA;AAG3D,EAAA,KAAA,MAAW,WAAW,QAAA,EAAU;AAC9B,IAAA,IAAA,GAAO,IAAA,CAAK,OAAA,CAAQ,OAAA,EAAS,SAAA,CAAU,WAAW,CAAA;AAAA,EACpD;AAGA,EAAA,IAAI,IAAA,CAAK,SAAS,SAAA,EAAW;AAC3B,IAAA,IAAA,GAAO,KAAK,SAAA,CAAU,CAAA,EAAG,SAAS,CAAA,GAAI,CAAA,GAAA,EAAM,UAAU,SAAS,CAAA,CAAA;AAAA,EACjE;AAEA,EAAA,OAAO,IAAA;AACT;AAQO,SAAS,cAAA,CAAe,aAAA,GAA0B,EAAC,EAA8B;AACtF,EAAA,MAAM,OAAA,uBAAc,GAAA,CAAI;AAAA,IACtB,GAAG,KAAA,CAAM,IAAA,CAAK,SAAA,CAAU,cAAc,CAAA;AAAA,IACtC,GAAG,aAAA,CAAc,GAAA,CAAI,CAAA,CAAA,KAAK,CAAA,CAAE,aAAa;AAAA,GAC1C,CAAA;AAED,EAAA,SAAS,MAAA,CAAO,GAAA,EAAc,KAAA,GAAQ,CAAA,EAAY;AAChD,IAAA,IAAI,KAAA,GAAQ,KAAA,CAAM,mBAAA,EAAqB,OAAO,SAAA,CAAU,SAAA;AACxD,IAAA,IAAI,GAAA,KAAQ,IAAA,IAAQ,GAAA,KAAQ,MAAA,EAAW,OAAO,GAAA;AAC9C,IAAA,IAAI,OAAO,GAAA,KAAQ,QAAA,EAAU,OAAO,GAAA;AAEpC,IAAA,IAAI,KAAA,CAAM,OAAA,CAAQ,GAAG,CAAA,EAAG;AACtB,MAAA,OAAO,IAAI,GAAA,CAAI,CAAA,IAAA,KAAQ,OAAO,IAAA,EAAM,KAAA,GAAQ,CAAC,CAAC,CAAA;AAAA,IAChD;AAEA,IAAA,MAAM,SAAkC,EAAC;AACzC,IAAA,KAAA,MAAW,CAAC,GAAA,EAAK,KAAK,KAAK,MAAA,CAAO,OAAA,CAAQ,GAA8B,CAAA,EAAG;AACzE,MAAA,IAAI,OAAA,CAAQ,GAAA,CAAI,GAAA,CAAI,WAAA,EAAa,CAAA,EAAG;AAClC,QAAA,MAAA,CAAO,GAAG,IAAI,SAAA,CAAU,WAAA;AAAA,MAC1B,CAAA,MAAO;AACL,QAAA,MAAA,CAAO,GAAG,CAAA,GAAI,MAAA,CAAO,KAAA,EAAO,QAAQ,CAAC,CAAA;AAAA,MACvC;AAAA,IACF;AACA,IAAA,OAAO,MAAA;AAAA,EACT;AAEA,EAAA,OAAO,MAAA;AACT;AAMO,IAAM,OAAA,GAAU","file":"index.mjs","sourcesContent":["/**\n * @module @arcis/node/core/constants\n * Named constants for Arcis - no magic numbers\n */\n\n// =============================================================================\n// INPUT LIMITS\n// =============================================================================\nexport const INPUT = {\n  /** Default maximum input size (1MB) */\n  DEFAULT_MAX_SIZE: 1_000_000,\n  /** Maximum recursion depth for nested objects */\n  MAX_RECURSION_DEPTH: 10,\n} as const;\n\n// =============================================================================\n// RATE LIMITING\n// =============================================================================\nexport const RATE_LIMIT = {\n  /** Default window size (1 minute) */\n  DEFAULT_WINDOW_MS: 60_000,\n  /** Default max requests per window */\n  DEFAULT_MAX_REQUESTS: 100,\n  /** Default HTTP status code for rate limited responses */\n  DEFAULT_STATUS_CODE: 429,\n  /** Default error message */\n  DEFAULT_MESSAGE: 'Too many requests, please try again later.',\n  /** Minimum window size (1 second) */\n  MIN_WINDOW_MS: 1_000,\n  /** Maximum window size (24 hours) */\n  MAX_WINDOW_MS: 86_400_000,\n} as const;\n\n// =============================================================================\n// SECURITY HEADERS\n// =============================================================================\nexport const HEADERS = {\n  /** Default Content Security Policy */\n  DEFAULT_CSP: [\n    \"default-src 'self'\",\n    \"script-src 'self'\",\n    \"style-src 'self' 'unsafe-inline'\",\n    \"img-src 'self' data: https:\",\n    \"font-src 'self'\",\n    \"object-src 'none'\",\n    \"frame-ancestors 'none'\",\n  ].join('; '),\n  /** Default HSTS max age (1 year in seconds) */\n  HSTS_MAX_AGE: 31_536_000,\n  /** Default X-Frame-Options value */\n  FRAME_OPTIONS: 'DENY' as const,\n  /** Default X-Content-Type-Options value */\n  CONTENT_TYPE_OPTIONS: 'nosniff',\n  /** Default Referrer-Policy value */\n  REFERRER_POLICY: 'strict-origin-when-cross-origin',\n  /** Default Permissions-Policy value */\n  PERMISSIONS_POLICY: 'geolocation=(), microphone=(), camera=()',\n  /** Default Cache-Control value for security */\n  CACHE_CONTROL: 'no-store, no-cache, must-revalidate, proxy-revalidate',\n} as const;\n\n// =============================================================================\n// XSS PATTERNS (ReDoS-safe)\n// =============================================================================\n\n/**\n * Detection patterns — used to flag whether a string contains XSS payloads.\n * Must stay in sync with XSS_REMOVE_PATTERNS below.\n */\nexport const XSS_PATTERNS = [\n  /** Script tags (ReDoS-safe version) */\n  /<script[^>]*>[\\s\\S]*?<\\/script>/gi,\n  /** javascript: protocol (allow optional spaces before colon) */\n  /javascript\\s*:/gi,\n  /** vbscript: protocol */\n  /vbscript\\s*:/gi,\n  /** Event handlers (onclick, onerror, etc.) — any separator before attribute */\n  /(?:[\\s/])on\\w+\\s*=/gi,\n  /** iframe tags */\n  /<iframe/gi,\n  /** object tags */\n  /<object/gi,\n  /** embed tags */\n  /<embed/gi,\n  /** data: URIs (only dangerous ones, avoid false positives) */\n  /(?:^|[\\s\"'=])data:/gi,\n  /** URL-encoded script tags */\n  /%3Cscript/gi,\n  /** SVG with onload */\n  /<svg[^>]*onload/gi,\n] as const;\n\n/**\n * Removal patterns — used by sanitizeXss() to strip dangerous content.\n * More targeted than XSS_PATTERNS: each pattern captures the full dangerous\n * substring (tag, attribute + value, protocol) so it can be replaced safely.\n * Must stay in sync with XSS_PATTERNS above.\n */\nexport const XSS_REMOVE_PATTERNS = [\n  /** Full script blocks (content + tags) */\n  /<script[^>]*>[\\s\\S]*?<\\/script>/gi,\n  /** Standalone/unclosed script tags */\n  /<script[^>]*>/gi,\n  /** iframe — full block and partial/unclosed */\n  /<iframe[^>]*>[\\s\\S]*?<\\/iframe>/gi,\n  /<iframe[^>]*/gi,\n  /** object — full block and partial/unclosed */\n  /<object[^>]*>[\\s\\S]*?<\\/object>/gi,\n  /<object[^>]*/gi,\n  /** embed tags */\n  /<embed[^>]*/gi,\n  /** SVG with inline event handlers */\n  /<svg[^>]*onload[^>]*>/gi,\n  /** URL-encoded script tags */\n  /%3Cscript/gi,\n  /** Event handlers with quoted values: onclick=\"...\", onerror='...' */\n  /(?:[\\s/])on\\w+\\s*=\\s*[\"'][^\"']*[\"']/gi,\n  /** Event handlers with unquoted values: onload=value */\n  /(?:[\\s/])on\\w+\\s*=\\s*[^\\s>]*/gi,\n  /** javascript: and vbscript: protocols (allow optional spaces before colon) */\n  /javascript\\s*:/gi,\n  /vbscript\\s*:/gi,\n  /** data: URIs with HTML/script content */\n  /data\\s*:\\s*text\\/html[^>\\s]*/gi,\n] as const;\n\n// =============================================================================\n// SQL INJECTION PATTERNS\n// =============================================================================\nexport const SQL_PATTERNS = [\n  /** SQL keywords */\n  /(\\b(SELECT|INSERT|UPDATE|DELETE|DROP|UNION|ALTER|CREATE|TRUNCATE|EXEC|EXECUTE)\\b)/gi,\n  /** SQL comments: ANSI (--), C-style (slash-star ... star-slash), MySQL (#) */\n  /(--|\\/\\*|\\*\\/|#)/g,\n  /** SQL statement separators */\n  /(;|\\|\\||&&)/g,\n  /** Boolean injection: OR 1=1 */\n  /\\bOR\\s+\\d+\\s*=\\s*\\d+/gi,\n  /** Boolean injection: OR 'a'='a' or OR \"a\"=\"a\" (including mixed quotes) */\n  /\\bOR\\s+(['\"])[^'\"]*\\1\\s*=\\s*(['\"])[^'\"]*\\2/gi,\n  /\\bOR\\s+('[^']*'|\"[^\"]*\")\\s*=\\s*('[^']*'|\"[^\"]*\")/gi,\n  /** Boolean injection: AND 1=1 */\n  /\\bAND\\s+\\d+\\s*=\\s*\\d+/gi,\n  /** Boolean injection: AND 'a'='a' or AND \"a\"=\"a\" (including mixed quotes) */\n  /\\bAND\\s+(['\"])[^'\"]*\\1\\s*=\\s*(['\"])[^'\"]*\\2/gi,\n  /\\bAND\\s+('[^']*'|\"[^\"]*\")\\s*=\\s*('[^']*'|\"[^\"]*\")/gi,\n  /** Time-based blind: SLEEP() */\n  /\\bSLEEP\\s*\\(\\s*\\d+\\s*\\)/gi,\n  /** Time-based blind: BENCHMARK() */\n  /\\bBENCHMARK\\s*\\(/gi,\n  /** Time-based blind: PostgreSQL pg_sleep() */\n  /\\bpg_sleep\\s*\\(/gi,\n  /** Time-based blind: MSSQL WAITFOR DELAY */\n  /\\bWAITFOR\\s+DELAY\\b/gi,\n] as const;\n\n// =============================================================================\n// PATH TRAVERSAL PATTERNS\n// =============================================================================\nexport const PATH_PATTERNS = [\n  /** Unix path traversal */\n  /\\.\\.\\//g,\n  /** Windows path traversal */\n  /\\.\\.\\\\/g,\n  /** URL-encoded traversal (%2e%2e) */\n  /%2e%2e/gi,\n  /** Double URL-encoded traversal (%252e) */\n  /%252e/gi,\n  /** Mixed encoding: ..%2F */\n  /\\.\\.%2F/gi,\n  /** Mixed encoding: %2e./ and .%2e/ */\n  /%2e\\.[\\\\/]/gi,\n  /\\.%2e[\\\\/]/gi,\n  /** Fully URL-encoded: %2e%2e%2f */\n  /%2e%2e%2f/gi,\n  /** Double URL-encoded forward slash: %252f */\n  /%252f/gi,\n  /** Dotdotslash bypass: ....// or ....\\\\ */\n  /\\.{2,}[/\\\\]{2,}/g,\n  /** Null byte injection in paths */\n  /\\0/g,\n] as const;\n\n// =============================================================================\n// COMMAND INJECTION PATTERNS\n// =============================================================================\nexport const COMMAND_PATTERNS = [\n  /**\n   * Shell metacharacters that enable command chaining/substitution.\n   * Bare ( and ) are excluded — they appear in common legitimate values\n   * (function calls in code fields, math expressions, etc.).\n   * Command substitution is caught by the $( combined pattern below.\n   * NOTE: ';', '&', '|' may appear in legitimate URL query strings\n   * and Markdown; consider disabling command checking (command: false)\n   * for fields that intentionally allow those characters.\n   */\n  /[;&|`]/g,\n  /** Command substitution: $( ... ) — matched as a pair to reduce false positives */\n  /\\$\\(/g,\n  /** URL-encoded newline/carriage-return injection (%0a, %0d) */\n  /%0[ad]/gi,\n] as const;\n\n// =============================================================================\n// DANGEROUS KEYS\n// =============================================================================\n\n/**\n * Prototype pollution keys to block.\n * Stored lowercase — always compare with key.toLowerCase().\n *\n * Includes:\n * - __proto__: direct prototype assignment\n * - constructor: access to constructor.prototype chain\n * - prototype: direct prototype property\n * - __defineGetter__/__defineSetter__: legacy property definition (can override getters/setters)\n * - __lookupGetter__/__lookupSetter__: legacy property introspection\n */\nexport const DANGEROUS_PROTO_KEYS = new Set([\n  '__proto__',\n  'constructor',\n  'prototype',\n  '__definegetter__',\n  '__definesetter__',\n  '__lookupgetter__',\n  '__lookupsetter__',\n]);\n\n/** MongoDB operators to block */\nexport const NOSQL_DANGEROUS_KEYS = new Set([\n  // Comparison\n  '$gt', '$gte', '$lt', '$lte', '$ne', '$eq', '$in', '$nin',\n  // Logical\n  '$and', '$or', '$not', '$nor',\n  // Element / evaluation\n  '$exists', '$type', '$regex', '$where', '$expr', '$mod', '$text', '$jsonSchema',\n  // Array\n  '$elemMatch', '$all', '$size',\n  // JavaScript execution (critical)\n  '$function', '$accumulator',\n  // Aggregation pipeline operators (injectable via $lookup etc.)\n  '$lookup', '$match', '$project', '$group', '$sort', '$limit', '$skip',\n  '$unwind', '$addFields', '$replaceRoot',\n]);\n\n// =============================================================================\n// REDACTION\n// =============================================================================\nexport const REDACTION = {\n  /** Replacement text for redacted values */\n  REPLACEMENT: '[REDACTED]',\n  /** Truncation indicator */\n  TRUNCATED: '[TRUNCATED]',\n  /** Max depth indicator */\n  MAX_DEPTH: '[MAX_DEPTH]',\n  /** Default max message length */\n  DEFAULT_MAX_LENGTH: 10_000,\n  /** Default sensitive keys to redact */\n  SENSITIVE_KEYS: new Set([\n    'password', 'passwd', 'pwd', 'secret', 'token', 'apikey',\n    'api_key', 'apiKey', 'auth', 'authorization', 'credit_card',\n    'creditcard', 'cc', 'ssn', 'social_security', 'private_key',\n    'privateKey', 'access_token', 'accessToken', 'refresh_token',\n    'refreshToken', 'bearer', 'jwt', 'session', 'cookie',\n    'credentials', 'x-api-key', 'x-auth-token',\n  ]),\n} as const;\n\n// =============================================================================\n// VALIDATION PATTERNS\n// =============================================================================\nexport const VALIDATION = {\n  /**\n   * Email regex pattern.\n   * Rejects consecutive dots in local part (e.g. test..foo@example.com),\n   * leading/trailing dots, and other common invalid forms.\n   */\n  EMAIL: /^[^\\s@.][^\\s@]*(?:\\.[^\\s@.][^\\s@]*)*@[^\\s@]+\\.[^\\s@]+$/,\n  /**\n   * URL regex pattern.\n   * Only allows http:// and https:// — explicitly rejects javascript:,\n   * data:, vbscript:, and other dangerous URI schemes.\n   */\n  URL: /^https?:\\/\\/[^\\s/$.?#][^\\s]*$/,\n  /** UUID regex pattern (v4) */\n  UUID: /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i,\n} as const;\n\n// =============================================================================\n// ERROR MESSAGES\n// =============================================================================\nexport const ERRORS = {\n  /** Generic error message (production) */\n  INTERNAL_SERVER_ERROR: 'Internal Server Error',\n  /** Input too large error */\n  INPUT_TOO_LARGE: (maxSize: number) => `Input exceeds maximum size of ${maxSize} bytes`,\n  /** Validation error messages */\n  VALIDATION: {\n    REQUIRED: (field: string) => `${field} is required`,\n    INVALID_TYPE: (field: string, type: string) => `${field} must be a ${type}`,\n    MIN_LENGTH: (field: string, min: number) => `${field} must be at least ${min} characters`,\n    MAX_LENGTH: (field: string, max: number) => `${field} must be at most ${max} characters`,\n    MIN_VALUE: (field: string, min: number) => `${field} must be at least ${min}`,\n    MAX_VALUE: (field: string, max: number) => `${field} must be at most ${max}`,\n    INVALID_FORMAT: (field: string) => `${field} format is invalid`,\n    INVALID_EMAIL: (field: string) => `${field} must be a valid email`,\n    INVALID_URL: (field: string) => `${field} must be a valid URL`,\n    INVALID_UUID: (field: string) => `${field} must be a valid UUID`,\n    INVALID_ENUM: (field: string, values: unknown[]) => `${field} must be one of: ${values.join(', ')}`,\n    MIN_ITEMS: (field: string, min: number) => `${field} must have at least ${min} items`,\n    MAX_ITEMS: (field: string, max: number) => `${field} must have at most ${max} items`,\n  },\n} as const;\n\n// =============================================================================\n// BLOCKED TEXT (for sanitizer replacements)\n// =============================================================================\nexport const BLOCKED = '[BLOCKED]' as const;\n","/**\n * @module @arcis/node/logging/redactor\n * Safe logging with PII/secret redaction\n */\n\nimport { REDACTION, INPUT } from '../core/constants';\nimport type { LogOptions, SafeLogger } from '../core/types';\n\nconst LOG_LEVELS: Record<string, number> = {\n  debug: 0,\n  info: 1,\n  warn: 2,\n  error: 3,\n  silent: 4,\n};\n\n/**\n * Create a safe logger that redacts sensitive data and prevents log injection.\n * \n * @param options - Logger configuration\n * @returns SafeLogger instance\n * \n * @example\n * const logger = createSafeLogger();\n * logger.info('User login', { email: 'user@test.com', password: 'secret' });\n * // Logs: { \"email\": \"user@test.com\", \"password\": \"[REDACTED]\" }\n * \n * @example\n * // With custom redact keys\n * const logger = createSafeLogger({ redactKeys: ['customToken', 'internalId'] });\n */\nexport function createSafeLogger(options: LogOptions = {}): SafeLogger {\n  const {\n    redactKeys = [],\n    maxLength = REDACTION.DEFAULT_MAX_LENGTH,\n    redactPatterns = [],\n    level: minLevel = 'debug',\n  } = options;\n\n  const minLevelNum = LOG_LEVELS[minLevel] ?? 0;\n\n  // Combine default and custom keys (lowercase for case-insensitive matching)\n  const allRedactKeys = new Set([\n    ...Array.from(REDACTION.SENSITIVE_KEYS),\n    ...redactKeys.map(k => k.toLowerCase()),\n  ]);\n\n  /**\n   * Redact sensitive data from an object recursively.\n   */\n  function redact(obj: unknown, depth = 0): unknown {\n    if (depth > INPUT.MAX_RECURSION_DEPTH) return REDACTION.MAX_DEPTH;\n    if (obj === null || obj === undefined) return obj;\n\n    if (typeof obj === 'string') {\n      return redactString(obj, maxLength, redactPatterns);\n    }\n\n    if (typeof obj !== 'object') return obj;\n\n    if (Array.isArray(obj)) {\n      return obj.map(item => redact(item, depth + 1));\n    }\n\n    const result: Record<string, unknown> = {};\n    for (const [key, value] of Object.entries(obj as Record<string, unknown>)) {\n      if (allRedactKeys.has(key.toLowerCase())) {\n        result[key] = REDACTION.REPLACEMENT;\n      } else {\n        result[key] = redact(value, depth + 1);\n      }\n    }\n    return result;\n  }\n\n  /**\n   * Log a message at the specified level.\n   */\n  function log(level: string, message: string, data?: unknown): void {\n    // Early exit: skip all work if message level is below minimum\n    const levelNum = LOG_LEVELS[level] ?? 0;\n    if (levelNum < minLevelNum) return;\n\n    const entry: Record<string, unknown> = {\n      timestamp: new Date().toISOString(),\n      level,\n      message: redactString(message, maxLength, redactPatterns),\n    };\n\n    if (data !== undefined) {\n      entry.data = redact(data);\n    }\n\n    console.log(JSON.stringify(entry));\n  }\n\n  return {\n    log,\n    info: (msg: string, data?: unknown) => log('info', msg, data),\n    warn: (msg: string, data?: unknown) => log('warn', msg, data),\n    error: (msg: string, data?: unknown) => log('error', msg, data),\n    debug: (msg: string, data?: unknown) => log('debug', msg, data),\n  };\n}\n\n/**\n * Redact a string value.\n * Removes newlines (log injection prevention), applies patterns, and truncates.\n */\nfunction redactString(str: string, maxLength: number, patterns: RegExp[]): string {\n  // Remove newlines/tabs (log injection prevention) and genuine control characters.\n  // Only strip C0/C1 control chars and null bytes — preserve all printable Unicode\n  // (CJK, Cyrillic, Arabic, etc.) so multilingual content isn't silently lost.\n  let safe = str\n    .replace(/[\\r\\n\\t]/g, ' ')\n    .replace(/[\\x00-\\x08\\x0B\\x0C\\x0E-\\x1F\\x7F\\x80-\\x9F]/g, '');\n\n  // Apply custom redaction patterns\n  for (const pattern of patterns) {\n    safe = safe.replace(pattern, REDACTION.REPLACEMENT);\n  }\n\n  // Truncate if too long\n  if (safe.length > maxLength) {\n    safe = safe.substring(0, maxLength) + `...${REDACTION.TRUNCATED}`;\n  }\n\n  return safe;\n}\n\n/**\n * Create a redactor function for custom use.\n * \n * @param sensitiveKeys - Keys to redact\n * @returns Redactor function\n */\nexport function createRedactor(sensitiveKeys: string[] = []): (obj: unknown) => unknown {\n  const allKeys = new Set([\n    ...Array.from(REDACTION.SENSITIVE_KEYS),\n    ...sensitiveKeys.map(k => k.toLowerCase()),\n  ]);\n\n  function redact(obj: unknown, depth = 0): unknown {\n    if (depth > INPUT.MAX_RECURSION_DEPTH) return REDACTION.MAX_DEPTH;\n    if (obj === null || obj === undefined) return obj;\n    if (typeof obj !== 'object') return obj;\n\n    if (Array.isArray(obj)) {\n      return obj.map(item => redact(item, depth + 1));\n    }\n\n    const result: Record<string, unknown> = {};\n    for (const [key, value] of Object.entries(obj as Record<string, unknown>)) {\n      if (allKeys.has(key.toLowerCase())) {\n        result[key] = REDACTION.REPLACEMENT;\n      } else {\n        result[key] = redact(value, depth + 1);\n      }\n    }\n    return result;\n  }\n\n  return redact;\n}\n\n/**\n * Alias for createSafeLogger\n * @see createSafeLogger\n */\nexport const safeLog = createSafeLogger;\n"]}

package/dist/middleware/index.d.mts

@@ -1,3 +1,3 @@
-export { a as arcis, b as arcisFunction, c as createCors, d as createErrorHandler, e as createHeaders, f as createRateLimiter, g as createSecureCookies, b as default, h as enforceSecureCookie, i as errorHandler, r as rateLimit, s as safeCors, j as secureCookieDefaults, k as securityHeaders } from '../index-JaFOUKyK.mjs';
-import '../types-BOdL3ZWo.mjs';
+export { g as arcis, h as arcisFunction, i as botProtection, j as createCors, k as createCsrf, l as createErrorHandler, m as createHeaders, n as createRateLimiter, o as createSecureCookies, p as createSlidingWindowLimiter, q as createTokenBucketLimiter, r as csrfProtection, h as default, s as detectBot, t as enforceSecureCookie, u as errorHandler, v as generateCsrfToken, w as rateLimit, x as safeCors, y as secureCookieDefaults, z as securityHeaders, A as validateCsrfToken } from '../index-CgK94hY_.mjs';
+import '../types-CsOFHoD9.mjs';
 import 'express';

package/dist/middleware/index.d.ts

@@ -1,3 +1,3 @@
-export { a as arcis, b as arcisFunction, c as createCors, d as createErrorHandler, e as createHeaders, f as createRateLimiter, g as createSecureCookies, b as default, h as enforceSecureCookie, i as errorHandler, r as rateLimit, s as safeCors, j as secureCookieDefaults, k as securityHeaders } from '../index-BpT7flAQ.js';
-import '../types-BOdL3ZWo.js';
+export { g as arcis, h as arcisFunction, i as botProtection, j as createCors, k as createCsrf, l as createErrorHandler, m as createHeaders, n as createRateLimiter, o as createSecureCookies, p as createSlidingWindowLimiter, q as createTokenBucketLimiter, r as csrfProtection, h as default, s as detectBot, t as enforceSecureCookie, u as errorHandler, v as generateCsrfToken, w as rateLimit, x as safeCors, y as secureCookieDefaults, z as securityHeaders, A as validateCsrfToken } from '../index-D_bdJcF0.js';
+import '../types-CsOFHoD9.js';
 import 'express';