npm - @arcis/node - Versions diffs - 1.0.0 → 1.2.0 - Mend

@arcis/node 1.0.0 → 1.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (54) hide show

package/README.md +156 -222
package/dist/core/index.d.mts +4 -4
package/dist/core/index.d.ts +4 -4
package/dist/core/index.js +13 -2
package/dist/core/index.js.map +1 -1
package/dist/core/index.mjs +13 -2
package/dist/core/index.mjs.map +1 -1
package/dist/index-A-m-pPeW.d.mts +340 -0
package/dist/index-CgK94hY_.d.mts +532 -0
package/dist/index-Co5kPRZz.d.ts +340 -0
package/dist/index-D_bdJcF0.d.ts +532 -0
package/dist/index.d.mts +144 -108
package/dist/index.d.ts +144 -108
package/dist/index.js +1541 -211
package/dist/index.js.map +1 -1
package/dist/index.mjs +1515 -212
package/dist/index.mjs.map +1 -1
package/dist/logging/index.d.mts +1 -1
package/dist/logging/index.d.ts +1 -1
package/dist/logging/index.js +12 -1
package/dist/logging/index.js.map +1 -1
package/dist/logging/index.mjs +12 -1
package/dist/logging/index.mjs.map +1 -1
package/dist/middleware/index.d.mts +2 -2
package/dist/middleware/index.d.ts +2 -2
package/dist/middleware/index.js +524 -4
package/dist/middleware/index.js.map +1 -1
package/dist/middleware/index.mjs +517 -5
package/dist/middleware/index.mjs.map +1 -1
package/dist/{headers-DBQedhrb.d.mts → pii-CXcHMlnX.d.mts} +156 -2
package/dist/{headers-BJq2OA0i.d.ts → pii-DhNpl7M3.d.ts} +156 -2
package/dist/sanitizers/index.d.mts +2 -2
package/dist/sanitizers/index.d.ts +2 -2
package/dist/sanitizers/index.js +331 -3
package/dist/sanitizers/index.js.map +1 -1
package/dist/sanitizers/index.mjs +321 -4
package/dist/sanitizers/index.mjs.map +1 -1
package/dist/stores/index.d.mts +1 -1
package/dist/stores/index.d.ts +1 -1
package/dist/stores/index.js.map +1 -1
package/dist/stores/index.mjs.map +1 -1
package/dist/{types-BOdL3ZWo.d.mts → types-CsOFHoD9.d.mts} +6 -1
package/dist/{types-BOdL3ZWo.d.ts → types-CsOFHoD9.d.ts} +6 -1
package/dist/validation/index.d.mts +2 -2
package/dist/validation/index.d.ts +2 -2
package/dist/validation/index.js +504 -2
package/dist/validation/index.js.map +1 -1
package/dist/validation/index.mjs +498 -3
package/dist/validation/index.mjs.map +1 -1
package/package.json +114 -109
package/dist/index-BgHPM7LC.d.ts +0 -129
package/dist/index-BpT7flAQ.d.ts +0 -255
package/dist/index-JaFOUKyK.d.mts +0 -255
package/dist/index-nAgXexwD.d.mts +0 -129

package/dist/middleware/index.js CHANGED Viewed

@@ -2,6 +2,8 @@
 Object.defineProperty(exports, '__esModule', { value: true });
+var crypto = require('crypto');
 // src/core/constants.ts
 var INPUT = {
   /** Default maximum input size (1MB) */
@@ -89,7 +91,11 @@ var SQL_PATTERNS = [
   /** Time-based blind: SLEEP() */
   /\bSLEEP\s*\(\s*\d+\s*\)/gi,
   /** Time-based blind: BENCHMARK() */
-  /\bBENCHMARK\s*\(/gi
+  /\bBENCHMARK\s*\(/gi,
+  /** Time-based blind: PostgreSQL pg_sleep() */
+  /\bpg_sleep\s*\(/gi,
+  /** Time-based blind: MSSQL WAITFOR DELAY */
+  /\bWAITFOR\s+DELAY\b/gi
 ];
 var PATH_PATTERNS = [
   /** Unix path traversal */
@@ -107,6 +113,10 @@ var PATH_PATTERNS = [
   /\.%2e[\\/]/gi,
   /** Fully URL-encoded: %2e%2e%2f */
   /%2e%2e%2f/gi,
+  /** Double URL-encoded forward slash: %252f */
+  /%252f/gi,
+  /** Dotdotslash bypass: ....// or ....\\ */
+  /\.{2,}[/\\]{2,}/g,
   /** Null byte injection in paths */
   /\0/g
 ];
@@ -122,7 +132,9 @@ var COMMAND_PATTERNS = [
    */
   /[;&|`]/g,
   /** Command substitution: $( ... ) — matched as a pair to reduce false positives */
-  /\$\(/g
+  /\$\(/g,
+  /** URL-encoded newline/carriage-return injection (%0a, %0d) */
+  /%0[ad]/gi
 ];
 var DANGEROUS_PROTO_KEYS = /* @__PURE__ */ new Set([
   "__proto__",
@@ -156,6 +168,7 @@ var NOSQL_DANGEROUS_KEYS = /* @__PURE__ */ new Set([
   "$expr",
   "$mod",
   "$text",
+  "$jsonSchema",
   // Array
   "$elemMatch",
   "$all",
@@ -709,7 +722,8 @@ function sanitizeObject(obj, options = {}) {
   if (typeof obj === "string") return sanitizeString(obj, options);
   if (typeof obj !== "object") return obj;
   if (Array.isArray(obj)) return obj.map((item) => sanitizeObject(item, options));
-  return sanitizeObjectDepth(obj, options, 0);
+  const result = sanitizeObjectDepth(obj, options, 0);
+  return options.freeze ? Object.freeze(result) : result;
 }
 function sanitizeObjectDepth(obj, options, depth) {
   if (depth >= INPUT.MAX_RECURSION_DEPTH) return obj;
@@ -930,12 +944,21 @@ function validateField(field, value, rules) {
   "audio/mpeg": [Buffer.from([255, 251]), Buffer.from([255, 243]), Buffer.from([73, 68, 51])]});
 // src/logging/redactor.ts
+var LOG_LEVELS = {
+  debug: 0,
+  info: 1,
+  warn: 2,
+  error: 3,
+  silent: 4
+};
 function createSafeLogger(options = {}) {
   const {
     redactKeys = [],
     maxLength = REDACTION.DEFAULT_MAX_LENGTH,
-    redactPatterns = []
+    redactPatterns = [],
+    level: minLevel = "debug"
   } = options;
+  const minLevelNum = LOG_LEVELS[minLevel] ?? 0;
   const allRedactKeys = /* @__PURE__ */ new Set([
     ...Array.from(REDACTION.SENSITIVE_KEYS),
     ...redactKeys.map((k) => k.toLowerCase())
@@ -961,6 +984,8 @@ function createSafeLogger(options = {}) {
     return result;
   }
   function log(level, message, data) {
+    const levelNum = LOG_LEVELS[level] ?? 0;
+    if (levelNum < minLevelNum) return;
     const entry = {
       timestamp: (/* @__PURE__ */ new Date()).toISOString(),
       level,
@@ -1025,6 +1050,187 @@ arcisWithMethods.logger = createSafeLogger;
 arcisWithMethods.errorHandler = createErrorHandler;
 var main_default = arcisWithMethods;
+// src/utils/duration.ts
+var MAX_DURATION_MS = 4294967295;
+var DURATION_REGEX = /^(\d+(?:\.\d+)?)\s*(ms|s|m|h|d)$/i;
+var UNIT_TO_MS = {
+  ms: 1,
+  s: 1e3,
+  m: 6e4,
+  h: 36e5,
+  d: 864e5
+};
+function parseDuration(value) {
+  if (typeof value === "number") {
+    if (!Number.isFinite(value) || value < 0) {
+      throw new Error(`Invalid duration: ${value}. Must be a non-negative finite number.`);
+    }
+    return Math.min(Math.floor(value), MAX_DURATION_MS);
+  }
+  if (typeof value !== "string" || value.trim() === "") {
+    throw new Error(`Invalid duration: "${value}". Expected a duration string (e.g. "5m", "2h") or number.`);
+  }
+  const match = value.trim().match(DURATION_REGEX);
+  if (!match) {
+    throw new Error(
+      `Invalid duration: "${value}". Expected format: <number><unit> where unit is ms, s, m, h, or d.`
+    );
+  }
+  const amount = parseFloat(match[1]);
+  const unit = match[2].toLowerCase();
+  const ms = Math.floor(amount * UNIT_TO_MS[unit]);
+  if (ms < 0 || ms > MAX_DURATION_MS) {
+    throw new Error(`Duration "${value}" exceeds maximum allowed (${MAX_DURATION_MS}ms / ~49.7 days).`);
+  }
+  return ms;
+}
+// src/middleware/rate-limit-sliding.ts
+function createSlidingWindowLimiter(options = {}) {
+  const {
+    max = RATE_LIMIT.DEFAULT_MAX_REQUESTS,
+    window: windowOpt = RATE_LIMIT.DEFAULT_WINDOW_MS,
+    message = RATE_LIMIT.DEFAULT_MESSAGE,
+    statusCode = RATE_LIMIT.DEFAULT_STATUS_CODE,
+    keyGenerator = (req) => req.ip ?? req.socket?.remoteAddress ?? "unknown",
+    skip
+  } = options;
+  const windowMs = parseDuration(windowOpt);
+  const currentWindows = /* @__PURE__ */ Object.create(null);
+  const previousWindows = /* @__PURE__ */ Object.create(null);
+  const cleanupInterval = setInterval(() => {
+    const now = Date.now();
+    const cutoff = now - windowMs * 2;
+    for (const key of Object.keys(previousWindows)) {
+      if (previousWindows[key].startTime < cutoff) {
+        delete previousWindows[key];
+      }
+    }
+    for (const key of Object.keys(currentWindows)) {
+      if (currentWindows[key].startTime < cutoff) {
+        delete currentWindows[key];
+      }
+    }
+  }, windowMs);
+  if (typeof cleanupInterval.unref === "function") {
+    cleanupInterval.unref();
+  }
+  const handler = (req, res, next) => {
+    try {
+      if (skip?.(req)) return next();
+      const key = keyGenerator(req);
+      const now = Date.now();
+      const windowStart = Math.floor(now / windowMs) * windowMs;
+      if (!currentWindows[key] || currentWindows[key].startTime < windowStart) {
+        if (currentWindows[key]) {
+          previousWindows[key] = currentWindows[key];
+        }
+        currentWindows[key] = { count: 0, startTime: windowStart };
+      }
+      const elapsed = now - windowStart;
+      const weight = Math.max(0, (windowMs - elapsed) / windowMs);
+      const prevCount = previousWindows[key]?.count ?? 0;
+      const estimatedCount = prevCount * weight + currentWindows[key].count + 1;
+      const remaining = Math.max(0, Math.floor(max - estimatedCount));
+      const resetMs = windowStart + windowMs - now;
+      const resetSeconds = Math.max(1, Math.ceil(resetMs / 1e3));
+      res.setHeader("X-RateLimit-Limit", max.toString());
+      res.setHeader("X-RateLimit-Remaining", remaining.toString());
+      res.setHeader("X-RateLimit-Reset", resetSeconds.toString());
+      res.setHeader("X-RateLimit-Policy", `${max};w=${Math.floor(windowMs / 1e3)}`);
+      if (estimatedCount > max) {
+        res.setHeader("Retry-After", resetSeconds.toString());
+        res.status(statusCode).json({
+          error: message,
+          retryAfter: resetSeconds
+        });
+        return;
+      }
+      currentWindows[key].count++;
+      next();
+    } catch (error) {
+      console.error("[arcis] Sliding window rate limiter error:", error);
+      next();
+    }
+  };
+  const middleware = handler;
+  middleware.close = () => {
+    clearInterval(cleanupInterval);
+  };
+  return middleware;
+}
+// src/middleware/rate-limit-token.ts
+function createTokenBucketLimiter(options = {}) {
+  const {
+    capacity = 100,
+    refillRate = 10,
+    cost = 1,
+    message = RATE_LIMIT.DEFAULT_MESSAGE,
+    statusCode = RATE_LIMIT.DEFAULT_STATUS_CODE,
+    keyGenerator = (req) => req.ip ?? req.socket?.remoteAddress ?? "unknown",
+    skip
+  } = options;
+  if (capacity < 1) throw new RangeError(`Token bucket capacity must be >= 1, got ${capacity}`);
+  if (refillRate <= 0) throw new RangeError(`Token bucket refillRate must be > 0, got ${refillRate}`);
+  if (cost < 1) throw new RangeError(`Token bucket cost must be >= 1, got ${cost}`);
+  if (cost > capacity) throw new RangeError(`Token bucket cost (${cost}) must be <= capacity (${capacity}), otherwise all requests are permanently denied`);
+  const buckets = /* @__PURE__ */ Object.create(null);
+  const cleanupInterval = setInterval(() => {
+    const now = Date.now();
+    const staleThreshold = capacity / refillRate * 1e3 * 2;
+    for (const key of Object.keys(buckets)) {
+      if (now - buckets[key].lastRefill > staleThreshold) {
+        delete buckets[key];
+      }
+    }
+  }, 6e4);
+  if (typeof cleanupInterval.unref === "function") {
+    cleanupInterval.unref();
+  }
+  function refillBucket(bucket, now) {
+    const elapsed = (now - bucket.lastRefill) / 1e3;
+    const tokensToAdd = elapsed * refillRate;
+    bucket.tokens = Math.min(capacity, bucket.tokens + tokensToAdd);
+    bucket.lastRefill = now;
+  }
+  const handler = (req, res, next) => {
+    try {
+      if (skip?.(req)) return next();
+      const key = keyGenerator(req);
+      const now = Date.now();
+      if (!buckets[key]) {
+        buckets[key] = { tokens: capacity, lastRefill: now };
+      }
+      const bucket = buckets[key];
+      refillBucket(bucket, now);
+      const retryAfterSec = bucket.tokens < cost ? Math.ceil((cost - bucket.tokens) / refillRate) : 0;
+      res.setHeader("X-RateLimit-Limit", capacity.toString());
+      res.setHeader("X-RateLimit-Remaining", Math.floor(Math.max(0, bucket.tokens - cost)).toString());
+      res.setHeader("X-RateLimit-Policy", `${capacity};w=${Math.floor(capacity / refillRate)};burst=${capacity}`);
+      if (bucket.tokens < cost) {
+        res.setHeader("Retry-After", retryAfterSec.toString());
+        res.setHeader("X-RateLimit-Reset", retryAfterSec.toString());
+        res.status(statusCode).json({
+          error: message,
+          retryAfter: retryAfterSec
+        });
+        return;
+      }
+      bucket.tokens -= cost;
+      next();
+    } catch (error) {
+      console.error("[arcis] Token bucket rate limiter error:", error);
+      next();
+    }
+  };
+  const middleware = handler;
+  middleware.close = () => {
+    clearInterval(cleanupInterval);
+  };
+  return middleware;
+}
 // src/middleware/cors.ts
 var DEFAULT_METHODS = ["GET", "HEAD", "PUT", "PATCH", "POST", "DELETE"];
 var DEFAULT_HEADERS = ["Content-Type", "Authorization"];
@@ -1155,19 +1361,333 @@ function secureCookieDefaults(options = {}) {
 }
 var createSecureCookies = secureCookieDefaults;
+// src/middleware/bot-detection.ts
+var BOT_PATTERNS = [
+  // --- SEARCH ENGINES (specific variants before generic) ---
+  { pattern: /Googlebot-Image/i, name: "Googlebot-Image", category: "SEARCH_ENGINE" },
+  { pattern: /Googlebot-Video/i, name: "Googlebot-Video", category: "SEARCH_ENGINE" },
+  { pattern: /Googlebot-News/i, name: "Googlebot-News", category: "SEARCH_ENGINE" },
+  { pattern: /Googlebot/i, name: "Googlebot", category: "SEARCH_ENGINE" },
+  { pattern: /AdsBot-Google/i, name: "AdsBot-Google", category: "SEARCH_ENGINE" },
+  { pattern: /Mediapartners-Google/i, name: "Mediapartners-Google", category: "SEARCH_ENGINE" },
+  { pattern: /Bingbot/i, name: "Bingbot", category: "SEARCH_ENGINE" },
+  { pattern: /msnbot/i, name: "msnbot", category: "SEARCH_ENGINE" },
+  { pattern: /Slurp/i, name: "Yahoo Slurp", category: "SEARCH_ENGINE" },
+  { pattern: /DuckDuckBot/i, name: "DuckDuckBot", category: "SEARCH_ENGINE" },
+  { pattern: /Baiduspider/i, name: "Baiduspider", category: "SEARCH_ENGINE" },
+  { pattern: /YandexBot/i, name: "YandexBot", category: "SEARCH_ENGINE" },
+  { pattern: /YandexImages/i, name: "YandexImages", category: "SEARCH_ENGINE" },
+  { pattern: /Sogou/i, name: "Sogou", category: "SEARCH_ENGINE" },
+  { pattern: /Exabot/i, name: "Exabot", category: "SEARCH_ENGINE" },
+  { pattern: /ia_archiver/i, name: "Alexa", category: "SEARCH_ENGINE" },
+  { pattern: /Applebot/i, name: "Applebot", category: "SEARCH_ENGINE" },
+  { pattern: /Qwantify/i, name: "Qwantify", category: "SEARCH_ENGINE" },
+  { pattern: /PetalBot/i, name: "PetalBot", category: "SEARCH_ENGINE" },
+  { pattern: /SeznamBot/i, name: "SeznamBot", category: "SEARCH_ENGINE" },
+  // --- SOCIAL ---
+  { pattern: /Twitterbot/i, name: "Twitterbot", category: "SOCIAL" },
+  { pattern: /facebookexternalhit/i, name: "Facebook", category: "SOCIAL" },
+  { pattern: /Facebot/i, name: "Facebot", category: "SOCIAL" },
+  { pattern: /LinkedInBot/i, name: "LinkedInBot", category: "SOCIAL" },
+  { pattern: /Pinterest/i, name: "Pinterest", category: "SOCIAL" },
+  { pattern: /Slackbot/i, name: "Slackbot", category: "SOCIAL" },
+  { pattern: /TelegramBot/i, name: "TelegramBot", category: "SOCIAL" },
+  { pattern: /WhatsApp/i, name: "WhatsApp", category: "SOCIAL" },
+  { pattern: /Discordbot/i, name: "Discordbot", category: "SOCIAL" },
+  { pattern: /Redditbot/i, name: "Redditbot", category: "SOCIAL" },
+  { pattern: /Embedly/i, name: "Embedly", category: "SOCIAL" },
+  { pattern: /Quora Link Preview/i, name: "Quora", category: "SOCIAL" },
+  { pattern: /Mastodon/i, name: "Mastodon", category: "SOCIAL" },
+  // --- MONITORING ---
+  { pattern: /UptimeRobot/i, name: "UptimeRobot", category: "MONITORING" },
+  { pattern: /Pingdom/i, name: "Pingdom", category: "MONITORING" },
+  { pattern: /Site24x7/i, name: "Site24x7", category: "MONITORING" },
+  { pattern: /StatusCake/i, name: "StatusCake", category: "MONITORING" },
+  { pattern: /Datadog/i, name: "Datadog", category: "MONITORING" },
+  { pattern: /NewRelicPinger/i, name: "New Relic", category: "MONITORING" },
+  { pattern: /Better Uptime Bot/i, name: "Better Uptime", category: "MONITORING" },
+  { pattern: /GTmetrix/i, name: "GTmetrix", category: "MONITORING" },
+  { pattern: /PageSpeed/i, name: "PageSpeed Insights", category: "MONITORING" },
+  // --- AI CRAWLERS ---
+  { pattern: /GPTBot/i, name: "GPTBot", category: "AI_CRAWLER" },
+  { pattern: /ChatGPT-User/i, name: "ChatGPT-User", category: "AI_CRAWLER" },
+  { pattern: /Claude-Web/i, name: "Claude-Web", category: "AI_CRAWLER" },
+  { pattern: /ClaudeBot/i, name: "ClaudeBot", category: "AI_CRAWLER" },
+  { pattern: /anthropic-ai/i, name: "Anthropic", category: "AI_CRAWLER" },
+  { pattern: /Bytespider/i, name: "Bytespider", category: "AI_CRAWLER" },
+  { pattern: /CCBot/i, name: "CCBot", category: "AI_CRAWLER" },
+  { pattern: /cohere-ai/i, name: "Cohere", category: "AI_CRAWLER" },
+  { pattern: /PerplexityBot/i, name: "PerplexityBot", category: "AI_CRAWLER" },
+  { pattern: /YouBot/i, name: "YouBot", category: "AI_CRAWLER" },
+  { pattern: /Google-Extended/i, name: "Google-Extended", category: "AI_CRAWLER" },
+  { pattern: /Diffbot/i, name: "Diffbot", category: "AI_CRAWLER" },
+  { pattern: /Amazonbot/i, name: "Amazonbot", category: "AI_CRAWLER" },
+  { pattern: /meta-externalagent/i, name: "Meta AI", category: "AI_CRAWLER" },
+  // --- AUTOMATED TOOLS (headless browsers, testing frameworks) ---
+  { pattern: /HeadlessChrome/i, name: "Headless Chrome", category: "AUTOMATED" },
+  { pattern: /PhantomJS/i, name: "PhantomJS", category: "AUTOMATED" },
+  { pattern: /Selenium/i, name: "Selenium", category: "AUTOMATED" },
+  { pattern: /Puppeteer/i, name: "Puppeteer", category: "AUTOMATED" },
+  { pattern: /Playwright/i, name: "Playwright", category: "AUTOMATED" },
+  { pattern: /Cypress/i, name: "Cypress", category: "AUTOMATED" },
+  { pattern: /webdriver/i, name: "WebDriver", category: "AUTOMATED" },
+  { pattern: /MSIE 6\.0/i, name: "Fake IE6", category: "AUTOMATED" },
+  // --- SCRAPERS / CLI TOOLS ---
+  { pattern: /^curl\//i, name: "curl", category: "SCRAPER" },
+  { pattern: /^wget\//i, name: "wget", category: "SCRAPER" },
+  { pattern: /^python-requests\//i, name: "python-requests", category: "SCRAPER" },
+  { pattern: /^python-httpx\//i, name: "python-httpx", category: "SCRAPER" },
+  { pattern: /^Python-urllib/i, name: "Python-urllib", category: "SCRAPER" },
+  { pattern: /^aiohttp\//i, name: "aiohttp", category: "SCRAPER" },
+  { pattern: /^Go-http-client/i, name: "Go-http-client", category: "SCRAPER" },
+  { pattern: /^Java\//i, name: "Java HttpClient", category: "SCRAPER" },
+  { pattern: /^Apache-HttpClient/i, name: "Apache HttpClient", category: "SCRAPER" },
+  { pattern: /^okhttp\//i, name: "OkHttp", category: "SCRAPER" },
+  { pattern: /^node-fetch\//i, name: "node-fetch", category: "SCRAPER" },
+  { pattern: /^axios\//i, name: "axios", category: "SCRAPER" },
+  { pattern: /^got\//i, name: "got", category: "SCRAPER" },
+  { pattern: /^libwww-perl/i, name: "libwww-perl", category: "SCRAPER" },
+  { pattern: /^Ruby/i, name: "Ruby", category: "SCRAPER" },
+  { pattern: /^PHP\//i, name: "PHP", category: "SCRAPER" },
+  { pattern: /Scrapy/i, name: "Scrapy", category: "SCRAPER" },
+  { pattern: /^Postman/i, name: "Postman", category: "SCRAPER" },
+  { pattern: /^Insomnia/i, name: "Insomnia", category: "SCRAPER" },
+  { pattern: /^HTTPie\//i, name: "HTTPie", category: "SCRAPER" }
+];
+function detectBehavioralSignals(req) {
+  const signals = [];
+  const headers = req.headers;
+  if (!headers["user-agent"]) {
+    signals.push("missing_user_agent");
+  }
+  if (!headers["accept"]) {
+    signals.push("missing_accept");
+  }
+  if (!headers["accept-language"]) {
+    signals.push("missing_accept_language");
+  }
+  if (!headers["accept-encoding"]) {
+    signals.push("missing_accept_encoding");
+  }
+  if (headers["connection"] === "close") {
+    signals.push("connection_close");
+  }
+  return signals;
+}
+function detectBot(req) {
+  const rawUa = req.headers["user-agent"] ?? "";
+  const ua = rawUa.length > 2048 ? rawUa.slice(0, 2048) : rawUa;
+  const signals = detectBehavioralSignals(req);
+  if (!ua) {
+    return {
+      isBot: true,
+      category: "UNKNOWN",
+      name: null,
+      confidence: 0.8,
+      signals
+    };
+  }
+  for (const bot of BOT_PATTERNS) {
+    if (bot.pattern.test(ua)) {
+      return {
+        isBot: true,
+        category: bot.category,
+        name: bot.name,
+        confidence: 0.95,
+        signals
+      };
+    }
+  }
+  const behaviorScore = signals.length;
+  if (behaviorScore >= 3) {
+    return {
+      isBot: true,
+      category: "UNKNOWN",
+      name: null,
+      confidence: Math.min(1, 0.6 + behaviorScore * 0.1),
+      signals
+    };
+  }
+  return {
+    isBot: false,
+    category: "HUMAN",
+    name: null,
+    confidence: Math.max(0, 1 - behaviorScore * 0.15),
+    signals
+  };
+}
+function botProtection(options = {}) {
+  const {
+    allow = ["SEARCH_ENGINE", "SOCIAL", "MONITORING"],
+    deny = ["AUTOMATED"],
+    defaultAction = "allow",
+    statusCode = 403,
+    message = "Access denied.",
+    onDetected
+  } = options;
+  const allowSet = new Set(allow);
+  const denySet = new Set(deny);
+  return (req, res, next) => {
+    const result = detectBot(req);
+    req.botDetection = result;
+    if (!result.isBot) {
+      return next();
+    }
+    if (allowSet.has(result.category)) {
+      return next();
+    }
+    if (denySet.has(result.category)) {
+      if (onDetected) {
+        return onDetected(req, res, result);
+      }
+      res.status(statusCode).json({ error: message });
+      return;
+    }
+    if (defaultAction === "deny") {
+      if (onDetected) {
+        return onDetected(req, res, result);
+      }
+      res.status(statusCode).json({ error: message });
+      return;
+    }
+    next();
+  };
+}
+var DEFAULTS = {
+  cookieName: "_csrf",
+  headerName: "x-csrf-token",
+  fieldName: "_csrf",
+  tokenLength: 32,
+  protectedMethods: ["POST", "PUT", "PATCH", "DELETE"]
+};
+function generateCsrfToken(length = 32) {
+  return crypto.randomBytes(length).toString("hex");
+}
+function validateCsrfToken(cookieToken, requestToken) {
+  if (!cookieToken || !requestToken) return false;
+  if (cookieToken.length !== requestToken.length) return false;
+  let result = 0;
+  for (let i = 0; i < cookieToken.length; i++) {
+    result |= cookieToken.charCodeAt(i) ^ requestToken.charCodeAt(i);
+  }
+  return result === 0;
+}
+function getRequestToken(req, headerName, fieldName) {
+  const headerToken = req.headers[headerName.toLowerCase()];
+  if (typeof headerToken === "string" && headerToken) return headerToken;
+  if (req.body && typeof req.body === "object" && fieldName in req.body) {
+    const bodyToken = req.body[fieldName];
+    if (typeof bodyToken === "string" && bodyToken) return bodyToken;
+  }
+  if (req.query && fieldName in req.query) {
+    const queryToken = req.query[fieldName];
+    if (typeof queryToken === "string" && queryToken) return queryToken;
+  }
+  return void 0;
+}
+function csrfProtection(options = {}) {
+  const cookieName = options.cookieName ?? DEFAULTS.cookieName;
+  const headerName = options.headerName ?? DEFAULTS.headerName;
+  const fieldName = options.fieldName ?? DEFAULTS.fieldName;
+  const tokenLength = options.tokenLength ?? DEFAULTS.tokenLength;
+  const protectedMethods = options.protectedMethods ?? [...DEFAULTS.protectedMethods];
+  const excludePaths = options.excludePaths ?? [];
+  const isProduction = process.env.NODE_ENV === "production";
+  const cookieOpts = {
+    path: options.cookie?.path ?? "/",
+    httpOnly: options.cookie?.httpOnly ?? false,
+    // Must be readable by client JS
+    secure: options.cookie?.secure ?? isProduction,
+    sameSite: options.cookie?.sameSite ?? "Lax",
+    domain: options.cookie?.domain
+  };
+  const defaultOnError = (_req, res, _next) => {
+    res.status(403).json({
+      error: "CSRF token validation failed",
+      message: "Invalid or missing CSRF token. Include the token from the cookie in the X-CSRF-Token header."
+    });
+  };
+  const onError = options.onError ?? defaultOnError;
+  const protectedSet = new Set(protectedMethods.map((m) => m.toUpperCase()));
+  return (req, res, next) => {
+    const method = req.method.toUpperCase();
+    const requestPath = req.path || req.url;
+    if (excludePaths.some((p) => requestPath === p || requestPath.startsWith(p + "/"))) {
+      return next();
+    }
+    req.csrfToken = () => {
+      const existing = getCookieValue(req, cookieName);
+      if (existing) return existing;
+      const token = generateCsrfToken(tokenLength);
+      setCsrfCookie(res, cookieName, token, cookieOpts);
+      return token;
+    };
+    if (!protectedSet.has(method)) {
+      const existing = getCookieValue(req, cookieName);
+      if (!existing) {
+        const token = generateCsrfToken(tokenLength);
+        setCsrfCookie(res, cookieName, token, cookieOpts);
+      }
+      return next();
+    }
+    const cookieToken = getCookieValue(req, cookieName);
+    if (!cookieToken) {
+      return onError(req, res, next);
+    }
+    const requestToken = getRequestToken(req, headerName, fieldName);
+    if (!requestToken) {
+      return onError(req, res, next);
+    }
+    if (!validateCsrfToken(cookieToken, requestToken)) {
+      return onError(req, res, next);
+    }
+    next();
+  };
+}
+function getCookieValue(req, name) {
+  if (req.cookies && typeof req.cookies === "object" && name in req.cookies) {
+    return req.cookies[name];
+  }
+  const cookieHeader = req.headers.cookie;
+  if (!cookieHeader) return void 0;
+  const match = cookieHeader.match(new RegExp(`(?:^|;\\s*)${escapeRegex(name)}=([^;]*)`));
+  return match ? decodeURIComponent(match[1]) : void 0;
+}
+function setCsrfCookie(res, name, token, opts) {
+  const parts = [`${name}=${token}`];
+  parts.push(`Path=${opts.path}`);
+  if (opts.httpOnly) parts.push("HttpOnly");
+  if (opts.secure) parts.push("Secure");
+  parts.push(`SameSite=${opts.sameSite}`);
+  if (opts.domain) parts.push(`Domain=${opts.domain}`);
+  res.setHeader("Set-Cookie", parts.join("; "));
+}
+function escapeRegex(str) {
+  return str.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
+}
+var createCsrf = csrfProtection;
 exports.arcis = arcis;
 exports.arcisFunction = arcisWithMethods;
+exports.botProtection = botProtection;
 exports.createCors = createCors;
+exports.createCsrf = createCsrf;
 exports.createErrorHandler = createErrorHandler;
 exports.createHeaders = createHeaders;
 exports.createRateLimiter = createRateLimiter;
 exports.createSecureCookies = createSecureCookies;
+exports.createSlidingWindowLimiter = createSlidingWindowLimiter;
+exports.createTokenBucketLimiter = createTokenBucketLimiter;
+exports.csrfProtection = csrfProtection;
 exports.default = main_default;
+exports.detectBot = detectBot;
 exports.enforceSecureCookie = enforceSecureCookie;
 exports.errorHandler = errorHandler;
+exports.generateCsrfToken = generateCsrfToken;
 exports.rateLimit = rateLimit;
 exports.safeCors = safeCors;
 exports.secureCookieDefaults = secureCookieDefaults;
 exports.securityHeaders = securityHeaders;
+exports.validateCsrfToken = validateCsrfToken;
 //# sourceMappingURL=index.js.map
 //# sourceMappingURL=index.js.map