@arcis/node 1.0.0 → 1.2.0

package/dist/stores/index.mjs.map

@@ -1 +1 @@
-{"version":3,"sources":["../../src/core/constants.ts","../../src/stores/memory.ts","../../src/stores/redis.ts"],"names":[],"mappings":";AAkBO,IAAM,UAAA,GAAa;AAAA;AAAA,EAExB,iBAAA,EAAmB,GAAA;AAAA,EAMF;AAAA,EAEjB,aAAA,EAAe,GAGjB,CAAA;;;ACdO,IAAM,cAAN,MAA4C;AAAA,EAKjD,WAAA,CAAY,QAAA,GAAmB,UAAA,CAAW,iBAAA,EAAmB;AAJ7D,IAAA,IAAA,CAAQ,KAAA,uBAAyC,GAAA,EAAI;AACrD,IAAA,IAAA,CAAQ,eAAA,GAAyD,IAAA;AAI/D,IAAA,IAAI,CAAC,MAAA,CAAO,QAAA,CAAS,QAAQ,CAAA,IAAK,QAAA,GAAW,WAAW,aAAA,EAAe;AACrE,MAAA,MAAM,IAAI,UAAA;AAAA,QACR,CAAA,iDAAA,EAAoD,UAAA,CAAW,aAAa,CAAA,MAAA,EAAS,QAAQ,CAAA,CAAA;AAAA,OAC/F;AAAA,IACF;AACA,IAAA,IAAA,CAAK,QAAA,GAAW,QAAA;AAChB,IAAA,IAAA,CAAK,YAAA,EAAa;AAAA,EACpB;AAAA;AAAA;AAAA;AAAA,EAKQ,YAAA,GAAqB;AAI3B,IAAA,MAAM,cAAA,GAAiB,GAAA;AACvB,IAAA,MAAM,cAAA,GAAiB,GAAA;AACvB,IAAA,MAAM,SAAA,GAAY,KAAK,GAAA,CAAI,IAAA,CAAK,IAAI,IAAA,CAAK,QAAA,EAAU,cAAc,CAAA,EAAG,cAAc,CAAA;AAElF,IAAA,IAAA,CAAK,eAAA,GAAkB,YAAY,MAAM;AACvC,MAAA,MAAM,GAAA,GAAM,KAAK,GAAA,EAAI;AACrB,MAAA,KAAA,MAAW,CAAC,GAAA,EAAK,KAAK,KAAK,IAAA,CAAK,KAAA,CAAM,SAAQ,EAAG;AAC/C,QAAA,IAAI,KAAA,CAAM,YAAY,GAAA,EAAK;AACzB,UAAA,IAAA,CAAK,KAAA,CAAM,OAAO,GAAG,CAAA;AAAA,QACvB;AAAA,MACF;AAAA,IACF,GAAG,SAAS,CAAA;AAGZ,IAAA,IAAI,OAAO,IAAA,CAAK,eAAA,CAAgB,KAAA,KAAU,UAAA,EAAY;AACpD,MAAA,IAAA,CAAK,gBAAgB,KAAA,EAAM;AAAA,IAC7B;AAAA,EACF;AAAA,EAEA,MAAM,IAAI,GAAA,EAA6C;AACrD,IAAA,MAAM,KAAA,GAAQ,IAAA,CAAK,KAAA,CAAM,GAAA,CAAI,GAAG,CAAA;AAChC,IAAA,IAAI,CAAC,OAAO,OAAO,IAAA;AAGnB,IAAA,IAAI,KAAA,CAAM,SAAA,GAAY,IAAA,CAAK,GAAA,EAAI,EAAG;AAChC,MAAA,IAAA,CAAK,KAAA,CAAM,OAAO,GAAG,CAAA;AACrB,MAAA,OAAO,IAAA;AAAA,IACT;AAEA,IAAA,OAAO,KAAA;AAAA,EACT;AAAA,EAEA,MAAM,GAAA,CAAI,GAAA,EAAa,KAAA,EAAsC;AAC3D,IAAA,IAAA,CAAK,KAAA,CAAM,GAAA,CAAI,GAAA,EAAK,KAAK,CAAA;AAAA,EAC3B;AAAA,EAEA,MAAM,UAAU,GAAA,EAA8B;AAC5C,IAAA,MAAM,GAAA,GAAM,KAAK,GAAA,EAAI;AACrB,IAAA,MAAM,KAAA,GAAQ,IAAA,CAAK,KAAA,CAAM,GAAA,CAAI,GAAG,CAAA;AAEhC,IAAA,IAAI,CAAC,KAAA,IAAS,KAAA,CAAM,SAAA,GAAY,GAAA,EAAK;AAEnC,MAAA,IAAA,CAAK,KAAA,CAAM,GAAA,CAAI,GAAA,EAAK,EAAE,KAAA,EAAO,GAAG,SAAA,EAAW,GAAA,GAAM,IAAA,CAAK,QAAA,EAAU,CAAA;AAChE,MAAA,OAAO,CAAA;AAAA,IACT;AAEA,IAAA,KAAA,CAAM,KAAA,EAAA;AACN,IAAA,OAAO,KAAA,CAAM,KAAA;AAAA,EACf;AAAA,EAEA,MAAM,UAAU,GAAA,EAA4B;AAC1C,IAAA,MAAM,KAAA,GAAQ,IAAA,CAAK,KAAA,CAAM,GAAA,CAAI,GAAG,CAAA;AAChC,IAAA,IAAI,KAAA,IAAS,KAAA,CAAM,KAAA,GAAQ,CAAA,EAAG;AAC5B,MAAA,KAAA,CAAM,KAAA,EAAA;AAAA,IACR;AAAA,EACF;AAAA,EAEA,MAAM,MAAM,GAAA,EAA4B;AACtC,IAAA,IAAA,CAAK,KAAA,CAAM,OAAO,GAAG,CAAA;AAAA,EACvB;AAAA,EAEA,MAAM,KAAA,GAAuB;AAC3B,IAAA,IAAI,KAAK,eAAA,EAAiB;AACxB,MAAA,aAAA,CAAc,KAAK,eAAe,CAAA;AAClC,MAAA,IAAA,CAAK,eAAA,GAAkB,IAAA;AAAA,IACzB;AACA,IAAA,IAAA,CAAK,MAAM,KAAA,EAAM;AAAA,EACnB;AAAA;AAAA;AAAA;AAAA,EAKA,IAAI,IAAA,GAAe;AACjB,IAAA,OAAO,KAAK,KAAA,CAAM,IAAA;AAAA,EACpB;AACF;;;ACjEO,IAAM,aAAN,MAA2C;AAAA,EAMhD,YAAY,OAAA,EAA4B;AACtC,IAAA,IAAA,CAAK,SAAS,OAAA,CAAQ,MAAA;AACtB,IAAA,IAAA,CAAK,MAAA,GAAS,QAAQ,MAAA,IAAU,WAAA;AAChC,IAAA,IAAA,CAAK,QAAA,GAAW,OAAA,CAAQ,QAAA,IAAY,UAAA,CAAW,iBAAA;AAC/C,IAAA,IAAA,CAAK,SAAA,GAAY,IAAA,CAAK,IAAA,CAAK,IAAA,CAAK,WAAW,GAAI,CAAA;AAAA,EACjD;AAAA,EAEQ,OAAO,GAAA,EAAqB;AAClC,IAAA,OAAO,CAAA,EAAG,IAAA,CAAK,MAAM,CAAA,EAAG,GAAG,CAAA,CAAA;AAAA,EAC7B;AAAA,EAEA,MAAM,IAAI,GAAA,EAA6C;AACrD,IAAA,MAAM,QAAA,GAAW,IAAA,CAAK,MAAA,CAAO,GAAG,CAAA;AAEhC,IAAA,MAAM,CAAC,QAAA,EAAU,GAAG,CAAA,GAAI,MAAM,QAAQ,GAAA,CAAI;AAAA,MACxC,IAAA,CAAK,MAAA,CAAO,GAAA,CAAI,QAAQ,CAAA;AAAA,MACxB,IAAA,CAAK,MAAA,CAAO,GAAA,CAAI,QAAQ;AAAA,KACzB,CAAA;AAED,IAAA,IAAI,CAAC,QAAA,IAAY,GAAA,GAAM,CAAA,EAAG;AACxB,MAAA,OAAO,IAAA;AAAA,IACT;AAEA,IAAA,MAAM,KAAA,GAAQ,QAAA,CAAS,QAAA,EAAU,EAAE,CAAA;AACnC,IAAA,IAAI,KAAA,CAAM,KAAK,CAAA,EAAG;AAEhB,MAAA,OAAO,IAAA;AAAA,IACT;AAEA,IAAA,OAAO;AAAA,MACL,KAAA;AAAA,MACA,SAAA,EAAW,IAAA,CAAK,GAAA,EAAI,GAAK,GAAA,GAAM;AAAA,KACjC;AAAA,EACF;AAAA,EAEA,MAAM,GAAA,CAAI,GAAA,EAAa,KAAA,EAAsC;AAC3D,IAAA,MAAM,QAAA,GAAW,IAAA,CAAK,MAAA,CAAO,GAAG,CAAA;AAGhC,IAAA,MAAM,MAAA,GAAS,IAAA,CAAK,GAAA,CAAI,CAAA,EAAG,IAAA,CAAK,IAAA,CAAA,CAAM,KAAA,CAAM,SAAA,GAAY,IAAA,CAAK,GAAA,EAAI,IAAK,GAAI,CAAC,CAAA;AAC3E,IAAA,MAAM,IAAA,CAAK,OAAO,KAAA,CAAM,QAAA,EAAU,QAAQ,KAAA,CAAM,KAAA,CAAM,UAAU,CAAA;AAAA,EAClE;AAAA,EAEA,MAAM,UAAU,GAAA,EAA8B;AAC5C,IAAA,MAAM,QAAA,GAAW,IAAA,CAAK,MAAA,CAAO,GAAG,CAAA;AAGhC,IAAA,MAAM,KAAA,GAAQ,MAAM,IAAA,CAAK,MAAA,CAAO,KAAK,QAAQ,CAAA;AAK7C,IAAA,IAAI,UAAU,CAAA,EAAG;AACf,MAAA,MAAM,IAAA,CAAK,MAAA,CAAO,MAAA,CAAO,QAAA,EAAU,KAAK,SAAS,CAAA;AAAA,IACnD;AAEA,IAAA,OAAO,KAAA;AAAA,EACT;AAAA,EAEA,MAAM,UAAU,GAAA,EAA4B;AAC1C,IAAA,MAAM,QAAA,GAAW,IAAA,CAAK,MAAA,CAAO,GAAG,CAAA;AAChC,IAAA,MAAM,IAAA,CAAK,MAAA,CAAO,IAAA,CAAK,QAAQ,CAAA;AAAA,EACjC;AAAA,EAEA,MAAM,MAAM,GAAA,EAA4B;AACtC,IAAA,MAAM,QAAA,GAAW,IAAA,CAAK,MAAA,CAAO,GAAG,CAAA;AAChC,IAAA,MAAM,IAAA,CAAK,MAAA,CAAO,GAAA,CAAI,QAAQ,CAAA;AAAA,EAChC;AAAA,EAEA,MAAM,KAAA,GAAuB;AAAA,EAG7B;AACF;AASO,SAAS,iBAAiB,OAAA,EAAwC;AACvE,EAAA,OAAO,IAAI,WAAW,OAAO,CAAA;AAC/B","file":"index.mjs","sourcesContent":["/**\r\n * @module @arcis/node/core/constants\r\n * Named constants for Arcis - no magic numbers\r\n */\r\n\r\n// =============================================================================\r\n// INPUT LIMITS\r\n// =============================================================================\r\nexport const INPUT = {\r\n  /** Default maximum input size (1MB) */\r\n  DEFAULT_MAX_SIZE: 1_000_000,\r\n  /** Maximum recursion depth for nested objects */\r\n  MAX_RECURSION_DEPTH: 10,\r\n} as const;\r\n\r\n// =============================================================================\r\n// RATE LIMITING\r\n// =============================================================================\r\nexport const RATE_LIMIT = {\r\n  /** Default window size (1 minute) */\r\n  DEFAULT_WINDOW_MS: 60_000,\r\n  /** Default max requests per window */\r\n  DEFAULT_MAX_REQUESTS: 100,\r\n  /** Default HTTP status code for rate limited responses */\r\n  DEFAULT_STATUS_CODE: 429,\r\n  /** Default error message */\r\n  DEFAULT_MESSAGE: 'Too many requests, please try again later.',\r\n  /** Minimum window size (1 second) */\r\n  MIN_WINDOW_MS: 1_000,\r\n  /** Maximum window size (24 hours) */\r\n  MAX_WINDOW_MS: 86_400_000,\r\n} as const;\r\n\r\n// =============================================================================\r\n// SECURITY HEADERS\r\n// =============================================================================\r\nexport const HEADERS = {\r\n  /** Default Content Security Policy */\r\n  DEFAULT_CSP: [\r\n    \"default-src 'self'\",\r\n    \"script-src 'self'\",\r\n    \"style-src 'self' 'unsafe-inline'\",\r\n    \"img-src 'self' data: https:\",\r\n    \"font-src 'self'\",\r\n    \"object-src 'none'\",\r\n    \"frame-ancestors 'none'\",\r\n  ].join('; '),\r\n  /** Default HSTS max age (1 year in seconds) */\r\n  HSTS_MAX_AGE: 31_536_000,\r\n  /** Default X-Frame-Options value */\r\n  FRAME_OPTIONS: 'DENY' as const,\r\n  /** Default X-Content-Type-Options value */\r\n  CONTENT_TYPE_OPTIONS: 'nosniff',\r\n  /** Default Referrer-Policy value */\r\n  REFERRER_POLICY: 'strict-origin-when-cross-origin',\r\n  /** Default Permissions-Policy value */\r\n  PERMISSIONS_POLICY: 'geolocation=(), microphone=(), camera=()',\r\n  /** Default Cache-Control value for security */\r\n  CACHE_CONTROL: 'no-store, no-cache, must-revalidate, proxy-revalidate',\r\n} as const;\r\n\r\n// =============================================================================\r\n// XSS PATTERNS (ReDoS-safe)\r\n// =============================================================================\r\n\r\n/**\r\n * Detection patterns — used to flag whether a string contains XSS payloads.\r\n * Must stay in sync with XSS_REMOVE_PATTERNS below.\r\n */\r\nexport const XSS_PATTERNS = [\r\n  /** Script tags (ReDoS-safe version) */\r\n  /<script[^>]*>[\\s\\S]*?<\\/script>/gi,\r\n  /** javascript: protocol (allow optional spaces before colon) */\r\n  /javascript\\s*:/gi,\r\n  /** vbscript: protocol */\r\n  /vbscript\\s*:/gi,\r\n  /** Event handlers (onclick, onerror, etc.) — any separator before attribute */\r\n  /(?:[\\s/])on\\w+\\s*=/gi,\r\n  /** iframe tags */\r\n  /<iframe/gi,\r\n  /** object tags */\r\n  /<object/gi,\r\n  /** embed tags */\r\n  /<embed/gi,\r\n  /** data: URIs (only dangerous ones, avoid false positives) */\r\n  /(?:^|[\\s\"'=])data:/gi,\r\n  /** URL-encoded script tags */\r\n  /%3Cscript/gi,\r\n  /** SVG with onload */\r\n  /<svg[^>]*onload/gi,\r\n] as const;\r\n\r\n/**\r\n * Removal patterns — used by sanitizeXss() to strip dangerous content.\r\n * More targeted than XSS_PATTERNS: each pattern captures the full dangerous\r\n * substring (tag, attribute + value, protocol) so it can be replaced safely.\r\n * Must stay in sync with XSS_PATTERNS above.\r\n */\r\nexport const XSS_REMOVE_PATTERNS = [\r\n  /** Full script blocks (content + tags) */\r\n  /<script[^>]*>[\\s\\S]*?<\\/script>/gi,\r\n  /** Standalone/unclosed script tags */\r\n  /<script[^>]*>/gi,\r\n  /** iframe — full block and partial/unclosed */\r\n  /<iframe[^>]*>[\\s\\S]*?<\\/iframe>/gi,\r\n  /<iframe[^>]*/gi,\r\n  /** object — full block and partial/unclosed */\r\n  /<object[^>]*>[\\s\\S]*?<\\/object>/gi,\r\n  /<object[^>]*/gi,\r\n  /** embed tags */\r\n  /<embed[^>]*/gi,\r\n  /** SVG with inline event handlers */\r\n  /<svg[^>]*onload[^>]*>/gi,\r\n  /** URL-encoded script tags */\r\n  /%3Cscript/gi,\r\n  /** Event handlers with quoted values: onclick=\"...\", onerror='...' */\r\n  /(?:[\\s/])on\\w+\\s*=\\s*[\"'][^\"']*[\"']/gi,\r\n  /** Event handlers with unquoted values: onload=value */\r\n  /(?:[\\s/])on\\w+\\s*=\\s*[^\\s>]*/gi,\r\n  /** javascript: and vbscript: protocols (allow optional spaces before colon) */\r\n  /javascript\\s*:/gi,\r\n  /vbscript\\s*:/gi,\r\n  /** data: URIs with HTML/script content */\r\n  /data\\s*:\\s*text\\/html[^>\\s]*/gi,\r\n] as const;\r\n\r\n// =============================================================================\r\n// SQL INJECTION PATTERNS\r\n// =============================================================================\r\nexport const SQL_PATTERNS = [\r\n  /** SQL keywords */\r\n  /(\\b(SELECT|INSERT|UPDATE|DELETE|DROP|UNION|ALTER|CREATE|TRUNCATE|EXEC|EXECUTE)\\b)/gi,\r\n  /** SQL comments: ANSI (--), C-style (slash-star ... star-slash), MySQL (#) */\r\n  /(--|\\/\\*|\\*\\/|#)/g,\r\n  /** SQL statement separators */\r\n  /(;|\\|\\||&&)/g,\r\n  /** Boolean injection: OR 1=1 */\r\n  /\\bOR\\s+\\d+\\s*=\\s*\\d+/gi,\r\n  /** Boolean injection: OR 'a'='a' or OR \"a\"=\"a\" (including mixed quotes) */\r\n  /\\bOR\\s+(['\"])[^'\"]*\\1\\s*=\\s*(['\"])[^'\"]*\\2/gi,\r\n  /\\bOR\\s+('[^']*'|\"[^\"]*\")\\s*=\\s*('[^']*'|\"[^\"]*\")/gi,\r\n  /** Boolean injection: AND 1=1 */\r\n  /\\bAND\\s+\\d+\\s*=\\s*\\d+/gi,\r\n  /** Boolean injection: AND 'a'='a' or AND \"a\"=\"a\" (including mixed quotes) */\r\n  /\\bAND\\s+(['\"])[^'\"]*\\1\\s*=\\s*(['\"])[^'\"]*\\2/gi,\r\n  /\\bAND\\s+('[^']*'|\"[^\"]*\")\\s*=\\s*('[^']*'|\"[^\"]*\")/gi,\r\n  /** Time-based blind: SLEEP() */\r\n  /\\bSLEEP\\s*\\(\\s*\\d+\\s*\\)/gi,\r\n  /** Time-based blind: BENCHMARK() */\r\n  /\\bBENCHMARK\\s*\\(/gi,\r\n] as const;\r\n\r\n// =============================================================================\r\n// PATH TRAVERSAL PATTERNS\r\n// =============================================================================\r\nexport const PATH_PATTERNS = [\r\n  /** Unix path traversal */\r\n  /\\.\\.\\//g,\r\n  /** Windows path traversal */\r\n  /\\.\\.\\\\/g,\r\n  /** URL-encoded traversal (%2e%2e) */\r\n  /%2e%2e/gi,\r\n  /** Double URL-encoded traversal (%252e) */\r\n  /%252e/gi,\r\n  /** Mixed encoding: ..%2F */\r\n  /\\.\\.%2F/gi,\r\n  /** Mixed encoding: %2e./ and .%2e/ */\r\n  /%2e\\.[\\\\/]/gi,\r\n  /\\.%2e[\\\\/]/gi,\r\n  /** Fully URL-encoded: %2e%2e%2f */\r\n  /%2e%2e%2f/gi,\r\n  /** Null byte injection in paths */\r\n  /\\0/g,\r\n] as const;\r\n\r\n// =============================================================================\r\n// COMMAND INJECTION PATTERNS\r\n// =============================================================================\r\nexport const COMMAND_PATTERNS = [\r\n  /**\r\n   * Shell metacharacters that enable command chaining/substitution.\r\n   * Bare ( and ) are excluded — they appear in common legitimate values\r\n   * (function calls in code fields, math expressions, etc.).\r\n   * Command substitution is caught by the $( combined pattern below.\r\n   * NOTE: ';', '&', '|' may appear in legitimate URL query strings\r\n   * and Markdown; consider disabling command checking (command: false)\r\n   * for fields that intentionally allow those characters.\r\n   */\r\n  /[;&|`]/g,\r\n  /** Command substitution: $( ... ) — matched as a pair to reduce false positives */\r\n  /\\$\\(/g,\r\n] as const;\r\n\r\n// =============================================================================\r\n// DANGEROUS KEYS\r\n// =============================================================================\r\n\r\n/**\r\n * Prototype pollution keys to block.\r\n * Stored lowercase — always compare with key.toLowerCase().\r\n *\r\n * Includes:\r\n * - __proto__: direct prototype assignment\r\n * - constructor: access to constructor.prototype chain\r\n * - prototype: direct prototype property\r\n * - __defineGetter__/__defineSetter__: legacy property definition (can override getters/setters)\r\n * - __lookupGetter__/__lookupSetter__: legacy property introspection\r\n */\r\nexport const DANGEROUS_PROTO_KEYS = new Set([\r\n  '__proto__',\r\n  'constructor',\r\n  'prototype',\r\n  '__definegetter__',\r\n  '__definesetter__',\r\n  '__lookupgetter__',\r\n  '__lookupsetter__',\r\n]);\r\n\r\n/** MongoDB operators to block */\r\nexport const NOSQL_DANGEROUS_KEYS = new Set([\r\n  // Comparison\r\n  '$gt', '$gte', '$lt', '$lte', '$ne', '$eq', '$in', '$nin',\r\n  // Logical\r\n  '$and', '$or', '$not', '$nor',\r\n  // Element / evaluation\r\n  '$exists', '$type', '$regex', '$where', '$expr', '$mod', '$text',\r\n  // Array\r\n  '$elemMatch', '$all', '$size',\r\n  // JavaScript execution (critical)\r\n  '$function', '$accumulator',\r\n  // Aggregation pipeline operators (injectable via $lookup etc.)\r\n  '$lookup', '$match', '$project', '$group', '$sort', '$limit', '$skip',\r\n  '$unwind', '$addFields', '$replaceRoot',\r\n]);\r\n\r\n// =============================================================================\r\n// REDACTION\r\n// =============================================================================\r\nexport const REDACTION = {\r\n  /** Replacement text for redacted values */\r\n  REPLACEMENT: '[REDACTED]',\r\n  /** Truncation indicator */\r\n  TRUNCATED: '[TRUNCATED]',\r\n  /** Max depth indicator */\r\n  MAX_DEPTH: '[MAX_DEPTH]',\r\n  /** Default max message length */\r\n  DEFAULT_MAX_LENGTH: 10_000,\r\n  /** Default sensitive keys to redact */\r\n  SENSITIVE_KEYS: new Set([\r\n    'password', 'passwd', 'pwd', 'secret', 'token', 'apikey',\r\n    'api_key', 'apiKey', 'auth', 'authorization', 'credit_card',\r\n    'creditcard', 'cc', 'ssn', 'social_security', 'private_key',\r\n    'privateKey', 'access_token', 'accessToken', 'refresh_token',\r\n    'refreshToken', 'bearer', 'jwt', 'session', 'cookie',\r\n    'credentials', 'x-api-key', 'x-auth-token',\r\n  ]),\r\n} as const;\r\n\r\n// =============================================================================\r\n// VALIDATION PATTERNS\r\n// =============================================================================\r\nexport const VALIDATION = {\r\n  /**\r\n   * Email regex pattern.\r\n   * Rejects consecutive dots in local part (e.g. test..foo@example.com),\r\n   * leading/trailing dots, and other common invalid forms.\r\n   */\r\n  EMAIL: /^[^\\s@.][^\\s@]*(?:\\.[^\\s@.][^\\s@]*)*@[^\\s@]+\\.[^\\s@]+$/,\r\n  /**\r\n   * URL regex pattern.\r\n   * Only allows http:// and https:// — explicitly rejects javascript:,\r\n   * data:, vbscript:, and other dangerous URI schemes.\r\n   */\r\n  URL: /^https?:\\/\\/[^\\s/$.?#][^\\s]*$/,\r\n  /** UUID regex pattern (v4) */\r\n  UUID: /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i,\r\n} as const;\r\n\r\n// =============================================================================\r\n// ERROR MESSAGES\r\n// =============================================================================\r\nexport const ERRORS = {\r\n  /** Generic error message (production) */\r\n  INTERNAL_SERVER_ERROR: 'Internal Server Error',\r\n  /** Input too large error */\r\n  INPUT_TOO_LARGE: (maxSize: number) => `Input exceeds maximum size of ${maxSize} bytes`,\r\n  /** Validation error messages */\r\n  VALIDATION: {\r\n    REQUIRED: (field: string) => `${field} is required`,\r\n    INVALID_TYPE: (field: string, type: string) => `${field} must be a ${type}`,\r\n    MIN_LENGTH: (field: string, min: number) => `${field} must be at least ${min} characters`,\r\n    MAX_LENGTH: (field: string, max: number) => `${field} must be at most ${max} characters`,\r\n    MIN_VALUE: (field: string, min: number) => `${field} must be at least ${min}`,\r\n    MAX_VALUE: (field: string, max: number) => `${field} must be at most ${max}`,\r\n    INVALID_FORMAT: (field: string) => `${field} format is invalid`,\r\n    INVALID_EMAIL: (field: string) => `${field} must be a valid email`,\r\n    INVALID_URL: (field: string) => `${field} must be a valid URL`,\r\n    INVALID_UUID: (field: string) => `${field} must be a valid UUID`,\r\n    INVALID_ENUM: (field: string, values: unknown[]) => `${field} must be one of: ${values.join(', ')}`,\r\n    MIN_ITEMS: (field: string, min: number) => `${field} must have at least ${min} items`,\r\n    MAX_ITEMS: (field: string, max: number) => `${field} must have at most ${max} items`,\r\n  },\r\n} as const;\r\n\r\n// =============================================================================\r\n// BLOCKED TEXT (for sanitizer replacements)\r\n// =============================================================================\r\nexport const BLOCKED = '[BLOCKED]' as const;\r\n","/**\r\n * @module @arcis/node/stores/memory\r\n * In-memory rate limit store\r\n */\r\n\r\nimport type { RateLimitStore, RateLimitEntry } from '../core/types';\r\nimport { RATE_LIMIT } from '../core/constants';\r\n\r\n/**\r\n * In-memory rate limit store.\r\n * Suitable for single-instance deployments.\r\n * For distributed systems, use RedisStore or a custom store.\r\n * \r\n * @example\r\n * const store = new MemoryStore(60000); // 1 minute window\r\n * const limiter = createRateLimiter({ store });\r\n */\r\nexport class MemoryStore implements RateLimitStore {\r\n  private store: Map<string, RateLimitEntry> = new Map();\r\n  private cleanupInterval: ReturnType<typeof setInterval> | null = null;\r\n  private windowMs: number;\r\n\r\n  constructor(windowMs: number = RATE_LIMIT.DEFAULT_WINDOW_MS) {\r\n    if (!Number.isFinite(windowMs) || windowMs < RATE_LIMIT.MIN_WINDOW_MS) {\r\n      throw new RangeError(\r\n        `MemoryStore: windowMs must be a finite number >= ${RATE_LIMIT.MIN_WINDOW_MS} (got ${windowMs})`\r\n      );\r\n    }\r\n    this.windowMs = windowMs;\r\n    this.startCleanup();\r\n  }\r\n\r\n  /**\r\n   * Start the cleanup interval to remove expired entries.\r\n   */\r\n  private startCleanup(): void {\r\n    // Clamp the cleanup interval between 30 s and 5 min regardless of windowMs.\r\n    // Running it every windowMs is fine for typical windows but would fire every\r\n    // second for short windows (e.g. windowMs: 1000), causing O(n) GC pressure.\r\n    const CLEANUP_MIN_MS = 30_000;\r\n    const CLEANUP_MAX_MS = 300_000;\r\n    const cleanupMs = Math.min(Math.max(this.windowMs, CLEANUP_MIN_MS), CLEANUP_MAX_MS);\r\n\r\n    this.cleanupInterval = setInterval(() => {\r\n      const now = Date.now();\r\n      for (const [key, entry] of this.store.entries()) {\r\n        if (entry.resetTime < now) {\r\n          this.store.delete(key);\r\n        }\r\n      }\r\n    }, cleanupMs);\r\n\r\n    // Prevent interval from keeping the process alive\r\n    if (typeof this.cleanupInterval.unref === 'function') {\r\n      this.cleanupInterval.unref();\r\n    }\r\n  }\r\n\r\n  async get(key: string): Promise<RateLimitEntry | null> {\r\n    const entry = this.store.get(key);\r\n    if (!entry) return null;\r\n    \r\n    // Check if expired\r\n    if (entry.resetTime < Date.now()) {\r\n      this.store.delete(key);\r\n      return null;\r\n    }\r\n    \r\n    return entry;\r\n  }\r\n\r\n  async set(key: string, entry: RateLimitEntry): Promise<void> {\r\n    this.store.set(key, entry);\r\n  }\r\n\r\n  async increment(key: string): Promise<number> {\r\n    const now = Date.now();\r\n    const entry = this.store.get(key);\r\n    \r\n    if (!entry || entry.resetTime < now) {\r\n      // Start new window\r\n      this.store.set(key, { count: 1, resetTime: now + this.windowMs });\r\n      return 1;\r\n    }\r\n    \r\n    entry.count++;\r\n    return entry.count;\r\n  }\r\n\r\n  async decrement(key: string): Promise<void> {\r\n    const entry = this.store.get(key);\r\n    if (entry && entry.count > 0) {\r\n      entry.count--;\r\n    }\r\n  }\r\n\r\n  async reset(key: string): Promise<void> {\r\n    this.store.delete(key);\r\n  }\r\n\r\n  async close(): Promise<void> {\r\n    if (this.cleanupInterval) {\r\n      clearInterval(this.cleanupInterval);\r\n      this.cleanupInterval = null;\r\n    }\r\n    this.store.clear();\r\n  }\r\n\r\n  /**\r\n   * Get current store size (for monitoring).\r\n   */\r\n  get size(): number {\r\n    return this.store.size;\r\n  }\r\n}\r\n","/**\r\n * @module @arcis/node/stores/redis\r\n * Redis rate limit store\r\n * \r\n * Note: This is a reference implementation. You'll need to install\r\n * the 'ioredis' or 'redis' package and pass your client instance.\r\n */\r\n\r\nimport type { RateLimitStore, RateLimitEntry } from '../core/types';\r\nimport { RATE_LIMIT } from '../core/constants';\r\n\r\n/** Generic Redis client interface (works with ioredis, redis, etc.) */\r\nexport interface RedisClientLike {\r\n  get(key: string): Promise<string | null>;\r\n  set(key: string, value: string, mode?: string, duration?: number): Promise<unknown>;\r\n  setex(key: string, seconds: number, value: string): Promise<unknown>;\r\n  expire(key: string, seconds: number): Promise<unknown>;\r\n  incr(key: string): Promise<number>;\r\n  decr(key: string): Promise<number>;\r\n  del(key: string): Promise<number>;\r\n  ttl(key: string): Promise<number>;\r\n  quit?(): Promise<unknown>;\r\n  disconnect?(): Promise<unknown>;\r\n}\r\n\r\nexport interface RedisStoreOptions {\r\n  /** Redis client instance */\r\n  client: RedisClientLike;\r\n  /** Key prefix. Default: 'arcis:rl:' */\r\n  prefix?: string;\r\n  /** Window size in milliseconds. Default: 60000 */\r\n  windowMs?: number;\r\n}\r\n\r\n/**\r\n * Redis rate limit store for distributed deployments.\r\n * \r\n * @example\r\n * import Redis from 'ioredis';\r\n * \r\n * const redis = new Redis();\r\n * const store = new RedisStore({ client: redis });\r\n * const limiter = createRateLimiter({ store });\r\n * \r\n * // Cleanup on shutdown\r\n * process.on('SIGTERM', async () => {\r\n *   await store.close();\r\n * });\r\n */\r\nexport class RedisStore implements RateLimitStore {\r\n  private client: RedisClientLike;\r\n  private prefix: string;\r\n  private windowMs: number;\r\n  private windowSec: number;\r\n\r\n  constructor(options: RedisStoreOptions) {\r\n    this.client = options.client;\r\n    this.prefix = options.prefix ?? 'arcis:rl:';\r\n    this.windowMs = options.windowMs ?? RATE_LIMIT.DEFAULT_WINDOW_MS;\r\n    this.windowSec = Math.ceil(this.windowMs / 1000);\r\n  }\r\n\r\n  private getKey(key: string): string {\r\n    return `${this.prefix}${key}`;\r\n  }\r\n\r\n  async get(key: string): Promise<RateLimitEntry | null> {\r\n    const redisKey = this.getKey(key);\r\n    \r\n    const [countStr, ttl] = await Promise.all([\r\n      this.client.get(redisKey),\r\n      this.client.ttl(redisKey),\r\n    ]);\r\n    \r\n    if (!countStr || ttl < 0) {\r\n      return null;\r\n    }\r\n    \r\n    const count = parseInt(countStr, 10);\r\n    if (isNaN(count)) {\r\n      // Corrupt value in Redis — treat as if key doesn't exist\r\n      return null;\r\n    }\r\n\r\n    return {\r\n      count,\r\n      resetTime: Date.now() + (ttl * 1000),\r\n    };\r\n  }\r\n\r\n  async set(key: string, entry: RateLimitEntry): Promise<void> {\r\n    const redisKey = this.getKey(key);\r\n    // Clamp to at least 1 second — Math.ceil can produce 0 or negative values\r\n    // when entry.resetTime is in the past due to Redis latency or clock skew.\r\n    const ttlSec = Math.max(1, Math.ceil((entry.resetTime - Date.now()) / 1000));\r\n    await this.client.setex(redisKey, ttlSec, entry.count.toString());\r\n  }\r\n\r\n  async increment(key: string): Promise<number> {\r\n    const redisKey = this.getKey(key);\r\n    \r\n    // INCR creates key with value 1 if it doesn't exist\r\n    const count = await this.client.incr(redisKey);\r\n\r\n    // Set expiry only on first increment using EXPIRE, which sets the TTL\r\n    // without overwriting the value (unlike SET ... EX which would reset the\r\n    // counter if two requests increment concurrently before expiry is set).\r\n    if (count === 1) {\r\n      await this.client.expire(redisKey, this.windowSec);\r\n    }\r\n\r\n    return count;\r\n  }\r\n\r\n  async decrement(key: string): Promise<void> {\r\n    const redisKey = this.getKey(key);\r\n    await this.client.decr(redisKey);\r\n  }\r\n\r\n  async reset(key: string): Promise<void> {\r\n    const redisKey = this.getKey(key);\r\n    await this.client.del(redisKey);\r\n  }\r\n\r\n  async close(): Promise<void> {\r\n    // Don't close the client - it may be shared\r\n    // The caller should manage the client lifecycle\r\n  }\r\n}\r\n\r\n/**\r\n * Create a Redis store with the given options.\r\n * Convenience function for functional programming style.\r\n * \r\n * @example\r\n * const store = createRedisStore({ client: redisClient });\r\n */\r\nexport function createRedisStore(options: RedisStoreOptions): RedisStore {\r\n  return new RedisStore(options);\r\n}\r\n"]}
+{"version":3,"sources":["../../src/core/constants.ts","../../src/stores/memory.ts","../../src/stores/redis.ts"],"names":[],"mappings":";AAkBO,IAAM,UAAA,GAAa;AAAA;AAAA,EAExB,iBAAA,EAAmB,GAAA;AAAA,EAMF;AAAA,EAEjB,aAAA,EAAe,GAGjB,CAAA;;;ACdO,IAAM,cAAN,MAA4C;AAAA,EAKjD,WAAA,CAAY,QAAA,GAAmB,UAAA,CAAW,iBAAA,EAAmB;AAJ7D,IAAA,IAAA,CAAQ,KAAA,uBAAyC,GAAA,EAAI;AACrD,IAAA,IAAA,CAAQ,eAAA,GAAyD,IAAA;AAI/D,IAAA,IAAI,CAAC,MAAA,CAAO,QAAA,CAAS,QAAQ,CAAA,IAAK,QAAA,GAAW,WAAW,aAAA,EAAe;AACrE,MAAA,MAAM,IAAI,UAAA;AAAA,QACR,CAAA,iDAAA,EAAoD,UAAA,CAAW,aAAa,CAAA,MAAA,EAAS,QAAQ,CAAA,CAAA;AAAA,OAC/F;AAAA,IACF;AACA,IAAA,IAAA,CAAK,QAAA,GAAW,QAAA;AAChB,IAAA,IAAA,CAAK,YAAA,EAAa;AAAA,EACpB;AAAA;AAAA;AAAA;AAAA,EAKQ,YAAA,GAAqB;AAI3B,IAAA,MAAM,cAAA,GAAiB,GAAA;AACvB,IAAA,MAAM,cAAA,GAAiB,GAAA;AACvB,IAAA,MAAM,SAAA,GAAY,KAAK,GAAA,CAAI,IAAA,CAAK,IAAI,IAAA,CAAK,QAAA,EAAU,cAAc,CAAA,EAAG,cAAc,CAAA;AAElF,IAAA,IAAA,CAAK,eAAA,GAAkB,YAAY,MAAM;AACvC,MAAA,MAAM,GAAA,GAAM,KAAK,GAAA,EAAI;AACrB,MAAA,KAAA,MAAW,CAAC,GAAA,EAAK,KAAK,KAAK,IAAA,CAAK,KAAA,CAAM,SAAQ,EAAG;AAC/C,QAAA,IAAI,KAAA,CAAM,YAAY,GAAA,EAAK;AACzB,UAAA,IAAA,CAAK,KAAA,CAAM,OAAO,GAAG,CAAA;AAAA,QACvB;AAAA,MACF;AAAA,IACF,GAAG,SAAS,CAAA;AAGZ,IAAA,IAAI,OAAO,IAAA,CAAK,eAAA,CAAgB,KAAA,KAAU,UAAA,EAAY;AACpD,MAAA,IAAA,CAAK,gBAAgB,KAAA,EAAM;AAAA,IAC7B;AAAA,EACF;AAAA,EAEA,MAAM,IAAI,GAAA,EAA6C;AACrD,IAAA,MAAM,KAAA,GAAQ,IAAA,CAAK,KAAA,CAAM,GAAA,CAAI,GAAG,CAAA;AAChC,IAAA,IAAI,CAAC,OAAO,OAAO,IAAA;AAGnB,IAAA,IAAI,KAAA,CAAM,SAAA,GAAY,IAAA,CAAK,GAAA,EAAI,EAAG;AAChC,MAAA,IAAA,CAAK,KAAA,CAAM,OAAO,GAAG,CAAA;AACrB,MAAA,OAAO,IAAA;AAAA,IACT;AAEA,IAAA,OAAO,KAAA;AAAA,EACT;AAAA,EAEA,MAAM,GAAA,CAAI,GAAA,EAAa,KAAA,EAAsC;AAC3D,IAAA,IAAA,CAAK,KAAA,CAAM,GAAA,CAAI,GAAA,EAAK,KAAK,CAAA;AAAA,EAC3B;AAAA,EAEA,MAAM,UAAU,GAAA,EAA8B;AAC5C,IAAA,MAAM,GAAA,GAAM,KAAK,GAAA,EAAI;AACrB,IAAA,MAAM,KAAA,GAAQ,IAAA,CAAK,KAAA,CAAM,GAAA,CAAI,GAAG,CAAA;AAEhC,IAAA,IAAI,CAAC,KAAA,IAAS,KAAA,CAAM,SAAA,GAAY,GAAA,EAAK;AAEnC,MAAA,IAAA,CAAK,KAAA,CAAM,GAAA,CAAI,GAAA,EAAK,EAAE,KAAA,EAAO,GAAG,SAAA,EAAW,GAAA,GAAM,IAAA,CAAK,QAAA,EAAU,CAAA;AAChE,MAAA,OAAO,CAAA;AAAA,IACT;AAEA,IAAA,KAAA,CAAM,KAAA,EAAA;AACN,IAAA,OAAO,KAAA,CAAM,KAAA;AAAA,EACf;AAAA,EAEA,MAAM,UAAU,GAAA,EAA4B;AAC1C,IAAA,MAAM,KAAA,GAAQ,IAAA,CAAK,KAAA,CAAM,GAAA,CAAI,GAAG,CAAA;AAChC,IAAA,IAAI,KAAA,IAAS,KAAA,CAAM,KAAA,GAAQ,CAAA,EAAG;AAC5B,MAAA,KAAA,CAAM,KAAA,EAAA;AAAA,IACR;AAAA,EACF;AAAA,EAEA,MAAM,MAAM,GAAA,EAA4B;AACtC,IAAA,IAAA,CAAK,KAAA,CAAM,OAAO,GAAG,CAAA;AAAA,EACvB;AAAA,EAEA,MAAM,KAAA,GAAuB;AAC3B,IAAA,IAAI,KAAK,eAAA,EAAiB;AACxB,MAAA,aAAA,CAAc,KAAK,eAAe,CAAA;AAClC,MAAA,IAAA,CAAK,eAAA,GAAkB,IAAA;AAAA,IACzB;AACA,IAAA,IAAA,CAAK,MAAM,KAAA,EAAM;AAAA,EACnB;AAAA;AAAA;AAAA;AAAA,EAKA,IAAI,IAAA,GAAe;AACjB,IAAA,OAAO,KAAK,KAAA,CAAM,IAAA;AAAA,EACpB;AACF;;;ACjEO,IAAM,aAAN,MAA2C;AAAA,EAMhD,YAAY,OAAA,EAA4B;AACtC,IAAA,IAAA,CAAK,SAAS,OAAA,CAAQ,MAAA;AACtB,IAAA,IAAA,CAAK,MAAA,GAAS,QAAQ,MAAA,IAAU,WAAA;AAChC,IAAA,IAAA,CAAK,QAAA,GAAW,OAAA,CAAQ,QAAA,IAAY,UAAA,CAAW,iBAAA;AAC/C,IAAA,IAAA,CAAK,SAAA,GAAY,IAAA,CAAK,IAAA,CAAK,IAAA,CAAK,WAAW,GAAI,CAAA;AAAA,EACjD;AAAA,EAEQ,OAAO,GAAA,EAAqB;AAClC,IAAA,OAAO,CAAA,EAAG,IAAA,CAAK,MAAM,CAAA,EAAG,GAAG,CAAA,CAAA;AAAA,EAC7B;AAAA,EAEA,MAAM,IAAI,GAAA,EAA6C;AACrD,IAAA,MAAM,QAAA,GAAW,IAAA,CAAK,MAAA,CAAO,GAAG,CAAA;AAEhC,IAAA,MAAM,CAAC,QAAA,EAAU,GAAG,CAAA,GAAI,MAAM,QAAQ,GAAA,CAAI;AAAA,MACxC,IAAA,CAAK,MAAA,CAAO,GAAA,CAAI,QAAQ,CAAA;AAAA,MACxB,IAAA,CAAK,MAAA,CAAO,GAAA,CAAI,QAAQ;AAAA,KACzB,CAAA;AAED,IAAA,IAAI,CAAC,QAAA,IAAY,GAAA,GAAM,CAAA,EAAG;AACxB,MAAA,OAAO,IAAA;AAAA,IACT;AAEA,IAAA,MAAM,KAAA,GAAQ,QAAA,CAAS,QAAA,EAAU,EAAE,CAAA;AACnC,IAAA,IAAI,KAAA,CAAM,KAAK,CAAA,EAAG;AAEhB,MAAA,OAAO,IAAA;AAAA,IACT;AAEA,IAAA,OAAO;AAAA,MACL,KAAA;AAAA,MACA,SAAA,EAAW,IAAA,CAAK,GAAA,EAAI,GAAK,GAAA,GAAM;AAAA,KACjC;AAAA,EACF;AAAA,EAEA,MAAM,GAAA,CAAI,GAAA,EAAa,KAAA,EAAsC;AAC3D,IAAA,MAAM,QAAA,GAAW,IAAA,CAAK,MAAA,CAAO,GAAG,CAAA;AAGhC,IAAA,MAAM,MAAA,GAAS,IAAA,CAAK,GAAA,CAAI,CAAA,EAAG,IAAA,CAAK,IAAA,CAAA,CAAM,KAAA,CAAM,SAAA,GAAY,IAAA,CAAK,GAAA,EAAI,IAAK,GAAI,CAAC,CAAA;AAC3E,IAAA,MAAM,IAAA,CAAK,OAAO,KAAA,CAAM,QAAA,EAAU,QAAQ,KAAA,CAAM,KAAA,CAAM,UAAU,CAAA;AAAA,EAClE;AAAA,EAEA,MAAM,UAAU,GAAA,EAA8B;AAC5C,IAAA,MAAM,QAAA,GAAW,IAAA,CAAK,MAAA,CAAO,GAAG,CAAA;AAGhC,IAAA,MAAM,KAAA,GAAQ,MAAM,IAAA,CAAK,MAAA,CAAO,KAAK,QAAQ,CAAA;AAK7C,IAAA,IAAI,UAAU,CAAA,EAAG;AACf,MAAA,MAAM,IAAA,CAAK,MAAA,CAAO,MAAA,CAAO,QAAA,EAAU,KAAK,SAAS,CAAA;AAAA,IACnD;AAEA,IAAA,OAAO,KAAA;AAAA,EACT;AAAA,EAEA,MAAM,UAAU,GAAA,EAA4B;AAC1C,IAAA,MAAM,QAAA,GAAW,IAAA,CAAK,MAAA,CAAO,GAAG,CAAA;AAChC,IAAA,MAAM,IAAA,CAAK,MAAA,CAAO,IAAA,CAAK,QAAQ,CAAA;AAAA,EACjC;AAAA,EAEA,MAAM,MAAM,GAAA,EAA4B;AACtC,IAAA,MAAM,QAAA,GAAW,IAAA,CAAK,MAAA,CAAO,GAAG,CAAA;AAChC,IAAA,MAAM,IAAA,CAAK,MAAA,CAAO,GAAA,CAAI,QAAQ,CAAA;AAAA,EAChC;AAAA,EAEA,MAAM,KAAA,GAAuB;AAAA,EAG7B;AACF;AASO,SAAS,iBAAiB,OAAA,EAAwC;AACvE,EAAA,OAAO,IAAI,WAAW,OAAO,CAAA;AAC/B","file":"index.mjs","sourcesContent":["/**\n * @module @arcis/node/core/constants\n * Named constants for Arcis - no magic numbers\n */\n\n// =============================================================================\n// INPUT LIMITS\n// =============================================================================\nexport const INPUT = {\n  /** Default maximum input size (1MB) */\n  DEFAULT_MAX_SIZE: 1_000_000,\n  /** Maximum recursion depth for nested objects */\n  MAX_RECURSION_DEPTH: 10,\n} as const;\n\n// =============================================================================\n// RATE LIMITING\n// =============================================================================\nexport const RATE_LIMIT = {\n  /** Default window size (1 minute) */\n  DEFAULT_WINDOW_MS: 60_000,\n  /** Default max requests per window */\n  DEFAULT_MAX_REQUESTS: 100,\n  /** Default HTTP status code for rate limited responses */\n  DEFAULT_STATUS_CODE: 429,\n  /** Default error message */\n  DEFAULT_MESSAGE: 'Too many requests, please try again later.',\n  /** Minimum window size (1 second) */\n  MIN_WINDOW_MS: 1_000,\n  /** Maximum window size (24 hours) */\n  MAX_WINDOW_MS: 86_400_000,\n} as const;\n\n// =============================================================================\n// SECURITY HEADERS\n// =============================================================================\nexport const HEADERS = {\n  /** Default Content Security Policy */\n  DEFAULT_CSP: [\n    \"default-src 'self'\",\n    \"script-src 'self'\",\n    \"style-src 'self' 'unsafe-inline'\",\n    \"img-src 'self' data: https:\",\n    \"font-src 'self'\",\n    \"object-src 'none'\",\n    \"frame-ancestors 'none'\",\n  ].join('; '),\n  /** Default HSTS max age (1 year in seconds) */\n  HSTS_MAX_AGE: 31_536_000,\n  /** Default X-Frame-Options value */\n  FRAME_OPTIONS: 'DENY' as const,\n  /** Default X-Content-Type-Options value */\n  CONTENT_TYPE_OPTIONS: 'nosniff',\n  /** Default Referrer-Policy value */\n  REFERRER_POLICY: 'strict-origin-when-cross-origin',\n  /** Default Permissions-Policy value */\n  PERMISSIONS_POLICY: 'geolocation=(), microphone=(), camera=()',\n  /** Default Cache-Control value for security */\n  CACHE_CONTROL: 'no-store, no-cache, must-revalidate, proxy-revalidate',\n} as const;\n\n// =============================================================================\n// XSS PATTERNS (ReDoS-safe)\n// =============================================================================\n\n/**\n * Detection patterns — used to flag whether a string contains XSS payloads.\n * Must stay in sync with XSS_REMOVE_PATTERNS below.\n */\nexport const XSS_PATTERNS = [\n  /** Script tags (ReDoS-safe version) */\n  /<script[^>]*>[\\s\\S]*?<\\/script>/gi,\n  /** javascript: protocol (allow optional spaces before colon) */\n  /javascript\\s*:/gi,\n  /** vbscript: protocol */\n  /vbscript\\s*:/gi,\n  /** Event handlers (onclick, onerror, etc.) — any separator before attribute */\n  /(?:[\\s/])on\\w+\\s*=/gi,\n  /** iframe tags */\n  /<iframe/gi,\n  /** object tags */\n  /<object/gi,\n  /** embed tags */\n  /<embed/gi,\n  /** data: URIs (only dangerous ones, avoid false positives) */\n  /(?:^|[\\s\"'=])data:/gi,\n  /** URL-encoded script tags */\n  /%3Cscript/gi,\n  /** SVG with onload */\n  /<svg[^>]*onload/gi,\n] as const;\n\n/**\n * Removal patterns — used by sanitizeXss() to strip dangerous content.\n * More targeted than XSS_PATTERNS: each pattern captures the full dangerous\n * substring (tag, attribute + value, protocol) so it can be replaced safely.\n * Must stay in sync with XSS_PATTERNS above.\n */\nexport const XSS_REMOVE_PATTERNS = [\n  /** Full script blocks (content + tags) */\n  /<script[^>]*>[\\s\\S]*?<\\/script>/gi,\n  /** Standalone/unclosed script tags */\n  /<script[^>]*>/gi,\n  /** iframe — full block and partial/unclosed */\n  /<iframe[^>]*>[\\s\\S]*?<\\/iframe>/gi,\n  /<iframe[^>]*/gi,\n  /** object — full block and partial/unclosed */\n  /<object[^>]*>[\\s\\S]*?<\\/object>/gi,\n  /<object[^>]*/gi,\n  /** embed tags */\n  /<embed[^>]*/gi,\n  /** SVG with inline event handlers */\n  /<svg[^>]*onload[^>]*>/gi,\n  /** URL-encoded script tags */\n  /%3Cscript/gi,\n  /** Event handlers with quoted values: onclick=\"...\", onerror='...' */\n  /(?:[\\s/])on\\w+\\s*=\\s*[\"'][^\"']*[\"']/gi,\n  /** Event handlers with unquoted values: onload=value */\n  /(?:[\\s/])on\\w+\\s*=\\s*[^\\s>]*/gi,\n  /** javascript: and vbscript: protocols (allow optional spaces before colon) */\n  /javascript\\s*:/gi,\n  /vbscript\\s*:/gi,\n  /** data: URIs with HTML/script content */\n  /data\\s*:\\s*text\\/html[^>\\s]*/gi,\n] as const;\n\n// =============================================================================\n// SQL INJECTION PATTERNS\n// =============================================================================\nexport const SQL_PATTERNS = [\n  /** SQL keywords */\n  /(\\b(SELECT|INSERT|UPDATE|DELETE|DROP|UNION|ALTER|CREATE|TRUNCATE|EXEC|EXECUTE)\\b)/gi,\n  /** SQL comments: ANSI (--), C-style (slash-star ... star-slash), MySQL (#) */\n  /(--|\\/\\*|\\*\\/|#)/g,\n  /** SQL statement separators */\n  /(;|\\|\\||&&)/g,\n  /** Boolean injection: OR 1=1 */\n  /\\bOR\\s+\\d+\\s*=\\s*\\d+/gi,\n  /** Boolean injection: OR 'a'='a' or OR \"a\"=\"a\" (including mixed quotes) */\n  /\\bOR\\s+(['\"])[^'\"]*\\1\\s*=\\s*(['\"])[^'\"]*\\2/gi,\n  /\\bOR\\s+('[^']*'|\"[^\"]*\")\\s*=\\s*('[^']*'|\"[^\"]*\")/gi,\n  /** Boolean injection: AND 1=1 */\n  /\\bAND\\s+\\d+\\s*=\\s*\\d+/gi,\n  /** Boolean injection: AND 'a'='a' or AND \"a\"=\"a\" (including mixed quotes) */\n  /\\bAND\\s+(['\"])[^'\"]*\\1\\s*=\\s*(['\"])[^'\"]*\\2/gi,\n  /\\bAND\\s+('[^']*'|\"[^\"]*\")\\s*=\\s*('[^']*'|\"[^\"]*\")/gi,\n  /** Time-based blind: SLEEP() */\n  /\\bSLEEP\\s*\\(\\s*\\d+\\s*\\)/gi,\n  /** Time-based blind: BENCHMARK() */\n  /\\bBENCHMARK\\s*\\(/gi,\n  /** Time-based blind: PostgreSQL pg_sleep() */\n  /\\bpg_sleep\\s*\\(/gi,\n  /** Time-based blind: MSSQL WAITFOR DELAY */\n  /\\bWAITFOR\\s+DELAY\\b/gi,\n] as const;\n\n// =============================================================================\n// PATH TRAVERSAL PATTERNS\n// =============================================================================\nexport const PATH_PATTERNS = [\n  /** Unix path traversal */\n  /\\.\\.\\//g,\n  /** Windows path traversal */\n  /\\.\\.\\\\/g,\n  /** URL-encoded traversal (%2e%2e) */\n  /%2e%2e/gi,\n  /** Double URL-encoded traversal (%252e) */\n  /%252e/gi,\n  /** Mixed encoding: ..%2F */\n  /\\.\\.%2F/gi,\n  /** Mixed encoding: %2e./ and .%2e/ */\n  /%2e\\.[\\\\/]/gi,\n  /\\.%2e[\\\\/]/gi,\n  /** Fully URL-encoded: %2e%2e%2f */\n  /%2e%2e%2f/gi,\n  /** Double URL-encoded forward slash: %252f */\n  /%252f/gi,\n  /** Dotdotslash bypass: ....// or ....\\\\ */\n  /\\.{2,}[/\\\\]{2,}/g,\n  /** Null byte injection in paths */\n  /\\0/g,\n] as const;\n\n// =============================================================================\n// COMMAND INJECTION PATTERNS\n// =============================================================================\nexport const COMMAND_PATTERNS = [\n  /**\n   * Shell metacharacters that enable command chaining/substitution.\n   * Bare ( and ) are excluded — they appear in common legitimate values\n   * (function calls in code fields, math expressions, etc.).\n   * Command substitution is caught by the $( combined pattern below.\n   * NOTE: ';', '&', '|' may appear in legitimate URL query strings\n   * and Markdown; consider disabling command checking (command: false)\n   * for fields that intentionally allow those characters.\n   */\n  /[;&|`]/g,\n  /** Command substitution: $( ... ) — matched as a pair to reduce false positives */\n  /\\$\\(/g,\n  /** URL-encoded newline/carriage-return injection (%0a, %0d) */\n  /%0[ad]/gi,\n] as const;\n\n// =============================================================================\n// DANGEROUS KEYS\n// =============================================================================\n\n/**\n * Prototype pollution keys to block.\n * Stored lowercase — always compare with key.toLowerCase().\n *\n * Includes:\n * - __proto__: direct prototype assignment\n * - constructor: access to constructor.prototype chain\n * - prototype: direct prototype property\n * - __defineGetter__/__defineSetter__: legacy property definition (can override getters/setters)\n * - __lookupGetter__/__lookupSetter__: legacy property introspection\n */\nexport const DANGEROUS_PROTO_KEYS = new Set([\n  '__proto__',\n  'constructor',\n  'prototype',\n  '__definegetter__',\n  '__definesetter__',\n  '__lookupgetter__',\n  '__lookupsetter__',\n]);\n\n/** MongoDB operators to block */\nexport const NOSQL_DANGEROUS_KEYS = new Set([\n  // Comparison\n  '$gt', '$gte', '$lt', '$lte', '$ne', '$eq', '$in', '$nin',\n  // Logical\n  '$and', '$or', '$not', '$nor',\n  // Element / evaluation\n  '$exists', '$type', '$regex', '$where', '$expr', '$mod', '$text', '$jsonSchema',\n  // Array\n  '$elemMatch', '$all', '$size',\n  // JavaScript execution (critical)\n  '$function', '$accumulator',\n  // Aggregation pipeline operators (injectable via $lookup etc.)\n  '$lookup', '$match', '$project', '$group', '$sort', '$limit', '$skip',\n  '$unwind', '$addFields', '$replaceRoot',\n]);\n\n// =============================================================================\n// REDACTION\n// =============================================================================\nexport const REDACTION = {\n  /** Replacement text for redacted values */\n  REPLACEMENT: '[REDACTED]',\n  /** Truncation indicator */\n  TRUNCATED: '[TRUNCATED]',\n  /** Max depth indicator */\n  MAX_DEPTH: '[MAX_DEPTH]',\n  /** Default max message length */\n  DEFAULT_MAX_LENGTH: 10_000,\n  /** Default sensitive keys to redact */\n  SENSITIVE_KEYS: new Set([\n    'password', 'passwd', 'pwd', 'secret', 'token', 'apikey',\n    'api_key', 'apiKey', 'auth', 'authorization', 'credit_card',\n    'creditcard', 'cc', 'ssn', 'social_security', 'private_key',\n    'privateKey', 'access_token', 'accessToken', 'refresh_token',\n    'refreshToken', 'bearer', 'jwt', 'session', 'cookie',\n    'credentials', 'x-api-key', 'x-auth-token',\n  ]),\n} as const;\n\n// =============================================================================\n// VALIDATION PATTERNS\n// =============================================================================\nexport const VALIDATION = {\n  /**\n   * Email regex pattern.\n   * Rejects consecutive dots in local part (e.g. test..foo@example.com),\n   * leading/trailing dots, and other common invalid forms.\n   */\n  EMAIL: /^[^\\s@.][^\\s@]*(?:\\.[^\\s@.][^\\s@]*)*@[^\\s@]+\\.[^\\s@]+$/,\n  /**\n   * URL regex pattern.\n   * Only allows http:// and https:// — explicitly rejects javascript:,\n   * data:, vbscript:, and other dangerous URI schemes.\n   */\n  URL: /^https?:\\/\\/[^\\s/$.?#][^\\s]*$/,\n  /** UUID regex pattern (v4) */\n  UUID: /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i,\n} as const;\n\n// =============================================================================\n// ERROR MESSAGES\n// =============================================================================\nexport const ERRORS = {\n  /** Generic error message (production) */\n  INTERNAL_SERVER_ERROR: 'Internal Server Error',\n  /** Input too large error */\n  INPUT_TOO_LARGE: (maxSize: number) => `Input exceeds maximum size of ${maxSize} bytes`,\n  /** Validation error messages */\n  VALIDATION: {\n    REQUIRED: (field: string) => `${field} is required`,\n    INVALID_TYPE: (field: string, type: string) => `${field} must be a ${type}`,\n    MIN_LENGTH: (field: string, min: number) => `${field} must be at least ${min} characters`,\n    MAX_LENGTH: (field: string, max: number) => `${field} must be at most ${max} characters`,\n    MIN_VALUE: (field: string, min: number) => `${field} must be at least ${min}`,\n    MAX_VALUE: (field: string, max: number) => `${field} must be at most ${max}`,\n    INVALID_FORMAT: (field: string) => `${field} format is invalid`,\n    INVALID_EMAIL: (field: string) => `${field} must be a valid email`,\n    INVALID_URL: (field: string) => `${field} must be a valid URL`,\n    INVALID_UUID: (field: string) => `${field} must be a valid UUID`,\n    INVALID_ENUM: (field: string, values: unknown[]) => `${field} must be one of: ${values.join(', ')}`,\n    MIN_ITEMS: (field: string, min: number) => `${field} must have at least ${min} items`,\n    MAX_ITEMS: (field: string, max: number) => `${field} must have at most ${max} items`,\n  },\n} as const;\n\n// =============================================================================\n// BLOCKED TEXT (for sanitizer replacements)\n// =============================================================================\nexport const BLOCKED = '[BLOCKED]' as const;\n","/**\n * @module @arcis/node/stores/memory\n * In-memory rate limit store\n */\n\nimport type { RateLimitStore, RateLimitEntry } from '../core/types';\nimport { RATE_LIMIT } from '../core/constants';\n\n/**\n * In-memory rate limit store.\n * Suitable for single-instance deployments.\n * For distributed systems, use RedisStore or a custom store.\n * \n * @example\n * const store = new MemoryStore(60000); // 1 minute window\n * const limiter = createRateLimiter({ store });\n */\nexport class MemoryStore implements RateLimitStore {\n  private store: Map<string, RateLimitEntry> = new Map();\n  private cleanupInterval: ReturnType<typeof setInterval> | null = null;\n  private windowMs: number;\n\n  constructor(windowMs: number = RATE_LIMIT.DEFAULT_WINDOW_MS) {\n    if (!Number.isFinite(windowMs) || windowMs < RATE_LIMIT.MIN_WINDOW_MS) {\n      throw new RangeError(\n        `MemoryStore: windowMs must be a finite number >= ${RATE_LIMIT.MIN_WINDOW_MS} (got ${windowMs})`\n      );\n    }\n    this.windowMs = windowMs;\n    this.startCleanup();\n  }\n\n  /**\n   * Start the cleanup interval to remove expired entries.\n   */\n  private startCleanup(): void {\n    // Clamp the cleanup interval between 30 s and 5 min regardless of windowMs.\n    // Running it every windowMs is fine for typical windows but would fire every\n    // second for short windows (e.g. windowMs: 1000), causing O(n) GC pressure.\n    const CLEANUP_MIN_MS = 30_000;\n    const CLEANUP_MAX_MS = 300_000;\n    const cleanupMs = Math.min(Math.max(this.windowMs, CLEANUP_MIN_MS), CLEANUP_MAX_MS);\n\n    this.cleanupInterval = setInterval(() => {\n      const now = Date.now();\n      for (const [key, entry] of this.store.entries()) {\n        if (entry.resetTime < now) {\n          this.store.delete(key);\n        }\n      }\n    }, cleanupMs);\n\n    // Prevent interval from keeping the process alive\n    if (typeof this.cleanupInterval.unref === 'function') {\n      this.cleanupInterval.unref();\n    }\n  }\n\n  async get(key: string): Promise<RateLimitEntry | null> {\n    const entry = this.store.get(key);\n    if (!entry) return null;\n    \n    // Check if expired\n    if (entry.resetTime < Date.now()) {\n      this.store.delete(key);\n      return null;\n    }\n    \n    return entry;\n  }\n\n  async set(key: string, entry: RateLimitEntry): Promise<void> {\n    this.store.set(key, entry);\n  }\n\n  async increment(key: string): Promise<number> {\n    const now = Date.now();\n    const entry = this.store.get(key);\n    \n    if (!entry || entry.resetTime < now) {\n      // Start new window\n      this.store.set(key, { count: 1, resetTime: now + this.windowMs });\n      return 1;\n    }\n    \n    entry.count++;\n    return entry.count;\n  }\n\n  async decrement(key: string): Promise<void> {\n    const entry = this.store.get(key);\n    if (entry && entry.count > 0) {\n      entry.count--;\n    }\n  }\n\n  async reset(key: string): Promise<void> {\n    this.store.delete(key);\n  }\n\n  async close(): Promise<void> {\n    if (this.cleanupInterval) {\n      clearInterval(this.cleanupInterval);\n      this.cleanupInterval = null;\n    }\n    this.store.clear();\n  }\n\n  /**\n   * Get current store size (for monitoring).\n   */\n  get size(): number {\n    return this.store.size;\n  }\n}\n","/**\n * @module @arcis/node/stores/redis\n * Redis rate limit store\n * \n * Note: This is a reference implementation. You'll need to install\n * the 'ioredis' or 'redis' package and pass your client instance.\n */\n\nimport type { RateLimitStore, RateLimitEntry } from '../core/types';\nimport { RATE_LIMIT } from '../core/constants';\n\n/** Generic Redis client interface (works with ioredis, redis, etc.) */\nexport interface RedisClientLike {\n  get(key: string): Promise<string | null>;\n  set(key: string, value: string, mode?: string, duration?: number): Promise<unknown>;\n  setex(key: string, seconds: number, value: string): Promise<unknown>;\n  expire(key: string, seconds: number): Promise<unknown>;\n  incr(key: string): Promise<number>;\n  decr(key: string): Promise<number>;\n  del(key: string): Promise<number>;\n  ttl(key: string): Promise<number>;\n  quit?(): Promise<unknown>;\n  disconnect?(): Promise<unknown>;\n}\n\nexport interface RedisStoreOptions {\n  /** Redis client instance */\n  client: RedisClientLike;\n  /** Key prefix. Default: 'arcis:rl:' */\n  prefix?: string;\n  /** Window size in milliseconds. Default: 60000 */\n  windowMs?: number;\n}\n\n/**\n * Redis rate limit store for distributed deployments.\n * \n * @example\n * import Redis from 'ioredis';\n * \n * const redis = new Redis();\n * const store = new RedisStore({ client: redis });\n * const limiter = createRateLimiter({ store });\n * \n * // Cleanup on shutdown\n * process.on('SIGTERM', async () => {\n *   await store.close();\n * });\n */\nexport class RedisStore implements RateLimitStore {\n  private client: RedisClientLike;\n  private prefix: string;\n  private windowMs: number;\n  private windowSec: number;\n\n  constructor(options: RedisStoreOptions) {\n    this.client = options.client;\n    this.prefix = options.prefix ?? 'arcis:rl:';\n    this.windowMs = options.windowMs ?? RATE_LIMIT.DEFAULT_WINDOW_MS;\n    this.windowSec = Math.ceil(this.windowMs / 1000);\n  }\n\n  private getKey(key: string): string {\n    return `${this.prefix}${key}`;\n  }\n\n  async get(key: string): Promise<RateLimitEntry | null> {\n    const redisKey = this.getKey(key);\n    \n    const [countStr, ttl] = await Promise.all([\n      this.client.get(redisKey),\n      this.client.ttl(redisKey),\n    ]);\n    \n    if (!countStr || ttl < 0) {\n      return null;\n    }\n    \n    const count = parseInt(countStr, 10);\n    if (isNaN(count)) {\n      // Corrupt value in Redis — treat as if key doesn't exist\n      return null;\n    }\n\n    return {\n      count,\n      resetTime: Date.now() + (ttl * 1000),\n    };\n  }\n\n  async set(key: string, entry: RateLimitEntry): Promise<void> {\n    const redisKey = this.getKey(key);\n    // Clamp to at least 1 second — Math.ceil can produce 0 or negative values\n    // when entry.resetTime is in the past due to Redis latency or clock skew.\n    const ttlSec = Math.max(1, Math.ceil((entry.resetTime - Date.now()) / 1000));\n    await this.client.setex(redisKey, ttlSec, entry.count.toString());\n  }\n\n  async increment(key: string): Promise<number> {\n    const redisKey = this.getKey(key);\n    \n    // INCR creates key with value 1 if it doesn't exist\n    const count = await this.client.incr(redisKey);\n\n    // Set expiry only on first increment using EXPIRE, which sets the TTL\n    // without overwriting the value (unlike SET ... EX which would reset the\n    // counter if two requests increment concurrently before expiry is set).\n    if (count === 1) {\n      await this.client.expire(redisKey, this.windowSec);\n    }\n\n    return count;\n  }\n\n  async decrement(key: string): Promise<void> {\n    const redisKey = this.getKey(key);\n    await this.client.decr(redisKey);\n  }\n\n  async reset(key: string): Promise<void> {\n    const redisKey = this.getKey(key);\n    await this.client.del(redisKey);\n  }\n\n  async close(): Promise<void> {\n    // Don't close the client - it may be shared\n    // The caller should manage the client lifecycle\n  }\n}\n\n/**\n * Create a Redis store with the given options.\n * Convenience function for functional programming style.\n * \n * @example\n * const store = createRedisStore({ client: redisClient });\n */\nexport function createRedisStore(options: RedisStoreOptions): RedisStore {\n  return new RedisStore(options);\n}\n"]}

package/dist/{types-BOdL3ZWo.d.mts → types-CsOFHoD9.d.mts}

@@ -44,6 +44,8 @@ interface SanitizeOptions {
      * — it corrupts stored data with HTML entities. Default: false.
      */
     htmlEncode?: boolean;
+    /** Freeze sanitized objects with Object.freeze() to prevent mutation. Default: false */
+    freeze?: boolean;
 }
 /** Result of sanitizing a string */
 interface SanitizeResult {
@@ -66,7 +68,7 @@ interface ThreatInfo {
     location?: string;
 }
 /** Types of security threats */
-type ThreatType = 'xss' | 'sql_injection' | 'nosql_injection' | 'path_traversal' | 'command_injection' | 'prototype_pollution' | 'header_injection';
+type ThreatType = 'xss' | 'sql_injection' | 'nosql_injection' | 'path_traversal' | 'command_injection' | 'prototype_pollution' | 'header_injection' | 'ssti' | 'xxe';
 /** Rate limiting configuration */
 interface RateLimitOptions {
     /** Maximum requests per window. Default: 100 */
@@ -200,6 +202,7 @@ interface ValidationError {
     code: string;
 }
 /** Safe logging configuration */
+type LogLevel = 'debug' | 'info' | 'warn' | 'error' | 'silent';
 interface LogOptions {
     /** Additional keys to redact beyond defaults */
     redactKeys?: string[];
@@ -207,6 +210,8 @@ interface LogOptions {
     maxLength?: number;
     /** Additional patterns to redact (e.g., custom tokens) */
     redactPatterns?: RegExp[];
+    /** Minimum log level. Messages below this level are skipped (no redaction work). Default: 'debug' */
+    level?: LogLevel;
 }
 /** Safe logger interface */
 interface SafeLogger {

package/dist/{types-BOdL3ZWo.d.ts → types-CsOFHoD9.d.ts}

@@ -44,6 +44,8 @@ interface SanitizeOptions {
      * — it corrupts stored data with HTML entities. Default: false.
      */
     htmlEncode?: boolean;
+    /** Freeze sanitized objects with Object.freeze() to prevent mutation. Default: false */
+    freeze?: boolean;
 }
 /** Result of sanitizing a string */
 interface SanitizeResult {
@@ -66,7 +68,7 @@ interface ThreatInfo {
     location?: string;
 }
 /** Types of security threats */
-type ThreatType = 'xss' | 'sql_injection' | 'nosql_injection' | 'path_traversal' | 'command_injection' | 'prototype_pollution' | 'header_injection';
+type ThreatType = 'xss' | 'sql_injection' | 'nosql_injection' | 'path_traversal' | 'command_injection' | 'prototype_pollution' | 'header_injection' | 'ssti' | 'xxe';
 /** Rate limiting configuration */
 interface RateLimitOptions {
     /** Maximum requests per window. Default: 100 */
@@ -200,6 +202,7 @@ interface ValidationError {
     code: string;
 }
 /** Safe logging configuration */
+type LogLevel = 'debug' | 'info' | 'warn' | 'error' | 'silent';
 interface LogOptions {
     /** Additional keys to redact beyond defaults */
     redactKeys?: string[];
@@ -207,6 +210,8 @@ interface LogOptions {
     maxLength?: number;
     /** Additional patterns to redact (e.g., custom tokens) */
     redactPatterns?: RegExp[];
+    /** Minimum log level. Messages below this level are skipped (no redaction work). Default: 'debug' */
+    level?: LogLevel;
 }
 /** Safe logger interface */
 interface SafeLogger {

package/dist/validation/index.d.mts

@@ -1,3 +1,3 @@
-export { c as createValidator, i as isDangerousExtension, s as sanitizeFilename, v as validate, b as validateFile } from '../index-nAgXexwD.mjs';
+export { g as createValidator, i as isDangerousExtension, h as isRedirectSafe, j as isUrlSafe, k as isValidEmailSyntax, s as sanitizeFilename, v as validate, l as validateEmail, m as validateFile, n as validateRedirect, o as validateUrl, p as verifyEmailMx } from '../index-A-m-pPeW.mjs';
 import 'express';
-import '../types-BOdL3ZWo.mjs';
+import '../types-CsOFHoD9.mjs';

package/dist/validation/index.d.ts

@@ -1,3 +1,3 @@
-export { c as createValidator, i as isDangerousExtension, s as sanitizeFilename, v as validate, b as validateFile } from '../index-BgHPM7LC.js';
+export { g as createValidator, i as isDangerousExtension, h as isRedirectSafe, j as isUrlSafe, k as isValidEmailSyntax, s as sanitizeFilename, v as validate, l as validateEmail, m as validateFile, n as validateRedirect, o as validateUrl, p as verifyEmailMx } from '../index-Co5kPRZz.js';
 import 'express';
-import '../types-BOdL3ZWo.js';
+import '../types-CsOFHoD9.js';