@arcis/node 1.0.0

package/dist/stores/index.mjs

@@ -0,0 +1,145 @@
+// src/core/constants.ts
+var RATE_LIMIT = {
+  /** Default window size (1 minute) */
+  DEFAULT_WINDOW_MS: 6e4,
+  /** Minimum window size (1 second) */
+  MIN_WINDOW_MS: 1e3};
+
+// src/stores/memory.ts
+var MemoryStore = class {
+  constructor(windowMs = RATE_LIMIT.DEFAULT_WINDOW_MS) {
+    this.store = /* @__PURE__ */ new Map();
+    this.cleanupInterval = null;
+    if (!Number.isFinite(windowMs) || windowMs < RATE_LIMIT.MIN_WINDOW_MS) {
+      throw new RangeError(
+        `MemoryStore: windowMs must be a finite number >= ${RATE_LIMIT.MIN_WINDOW_MS} (got ${windowMs})`
+      );
+    }
+    this.windowMs = windowMs;
+    this.startCleanup();
+  }
+  /**
+   * Start the cleanup interval to remove expired entries.
+   */
+  startCleanup() {
+    const CLEANUP_MIN_MS = 3e4;
+    const CLEANUP_MAX_MS = 3e5;
+    const cleanupMs = Math.min(Math.max(this.windowMs, CLEANUP_MIN_MS), CLEANUP_MAX_MS);
+    this.cleanupInterval = setInterval(() => {
+      const now = Date.now();
+      for (const [key, entry] of this.store.entries()) {
+        if (entry.resetTime < now) {
+          this.store.delete(key);
+        }
+      }
+    }, cleanupMs);
+    if (typeof this.cleanupInterval.unref === "function") {
+      this.cleanupInterval.unref();
+    }
+  }
+  async get(key) {
+    const entry = this.store.get(key);
+    if (!entry) return null;
+    if (entry.resetTime < Date.now()) {
+      this.store.delete(key);
+      return null;
+    }
+    return entry;
+  }
+  async set(key, entry) {
+    this.store.set(key, entry);
+  }
+  async increment(key) {
+    const now = Date.now();
+    const entry = this.store.get(key);
+    if (!entry || entry.resetTime < now) {
+      this.store.set(key, { count: 1, resetTime: now + this.windowMs });
+      return 1;
+    }
+    entry.count++;
+    return entry.count;
+  }
+  async decrement(key) {
+    const entry = this.store.get(key);
+    if (entry && entry.count > 0) {
+      entry.count--;
+    }
+  }
+  async reset(key) {
+    this.store.delete(key);
+  }
+  async close() {
+    if (this.cleanupInterval) {
+      clearInterval(this.cleanupInterval);
+      this.cleanupInterval = null;
+    }
+    this.store.clear();
+  }
+  /**
+   * Get current store size (for monitoring).
+   */
+  get size() {
+    return this.store.size;
+  }
+};
+
+// src/stores/redis.ts
+var RedisStore = class {
+  constructor(options) {
+    this.client = options.client;
+    this.prefix = options.prefix ?? "arcis:rl:";
+    this.windowMs = options.windowMs ?? RATE_LIMIT.DEFAULT_WINDOW_MS;
+    this.windowSec = Math.ceil(this.windowMs / 1e3);
+  }
+  getKey(key) {
+    return `${this.prefix}${key}`;
+  }
+  async get(key) {
+    const redisKey = this.getKey(key);
+    const [countStr, ttl] = await Promise.all([
+      this.client.get(redisKey),
+      this.client.ttl(redisKey)
+    ]);
+    if (!countStr || ttl < 0) {
+      return null;
+    }
+    const count = parseInt(countStr, 10);
+    if (isNaN(count)) {
+      return null;
+    }
+    return {
+      count,
+      resetTime: Date.now() + ttl * 1e3
+    };
+  }
+  async set(key, entry) {
+    const redisKey = this.getKey(key);
+    const ttlSec = Math.max(1, Math.ceil((entry.resetTime - Date.now()) / 1e3));
+    await this.client.setex(redisKey, ttlSec, entry.count.toString());
+  }
+  async increment(key) {
+    const redisKey = this.getKey(key);
+    const count = await this.client.incr(redisKey);
+    if (count === 1) {
+      await this.client.expire(redisKey, this.windowSec);
+    }
+    return count;
+  }
+  async decrement(key) {
+    const redisKey = this.getKey(key);
+    await this.client.decr(redisKey);
+  }
+  async reset(key) {
+    const redisKey = this.getKey(key);
+    await this.client.del(redisKey);
+  }
+  async close() {
+  }
+};
+function createRedisStore(options) {
+  return new RedisStore(options);
+}
+
+export { MemoryStore, RedisStore, createRedisStore };
+//# sourceMappingURL=index.mjs.map
+//# sourceMappingURL=index.mjs.map

package/dist/stores/index.mjs.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../../src/core/constants.ts","../../src/stores/memory.ts","../../src/stores/redis.ts"],"names":[],"mappings":";AAkBO,IAAM,UAAA,GAAa;AAAA;AAAA,EAExB,iBAAA,EAAmB,GAAA;AAAA,EAMF;AAAA,EAEjB,aAAA,EAAe,GAGjB,CAAA;;;ACdO,IAAM,cAAN,MAA4C;AAAA,EAKjD,WAAA,CAAY,QAAA,GAAmB,UAAA,CAAW,iBAAA,EAAmB;AAJ7D,IAAA,IAAA,CAAQ,KAAA,uBAAyC,GAAA,EAAI;AACrD,IAAA,IAAA,CAAQ,eAAA,GAAyD,IAAA;AAI/D,IAAA,IAAI,CAAC,MAAA,CAAO,QAAA,CAAS,QAAQ,CAAA,IAAK,QAAA,GAAW,WAAW,aAAA,EAAe;AACrE,MAAA,MAAM,IAAI,UAAA;AAAA,QACR,CAAA,iDAAA,EAAoD,UAAA,CAAW,aAAa,CAAA,MAAA,EAAS,QAAQ,CAAA,CAAA;AAAA,OAC/F;AAAA,IACF;AACA,IAAA,IAAA,CAAK,QAAA,GAAW,QAAA;AAChB,IAAA,IAAA,CAAK,YAAA,EAAa;AAAA,EACpB;AAAA;AAAA;AAAA;AAAA,EAKQ,YAAA,GAAqB;AAI3B,IAAA,MAAM,cAAA,GAAiB,GAAA;AACvB,IAAA,MAAM,cAAA,GAAiB,GAAA;AACvB,IAAA,MAAM,SAAA,GAAY,KAAK,GAAA,CAAI,IAAA,CAAK,IAAI,IAAA,CAAK,QAAA,EAAU,cAAc,CAAA,EAAG,cAAc,CAAA;AAElF,IAAA,IAAA,CAAK,eAAA,GAAkB,YAAY,MAAM;AACvC,MAAA,MAAM,GAAA,GAAM,KAAK,GAAA,EAAI;AACrB,MAAA,KAAA,MAAW,CAAC,GAAA,EAAK,KAAK,KAAK,IAAA,CAAK,KAAA,CAAM,SAAQ,EAAG;AAC/C,QAAA,IAAI,KAAA,CAAM,YAAY,GAAA,EAAK;AACzB,UAAA,IAAA,CAAK,KAAA,CAAM,OAAO,GAAG,CAAA;AAAA,QACvB;AAAA,MACF;AAAA,IACF,GAAG,SAAS,CAAA;AAGZ,IAAA,IAAI,OAAO,IAAA,CAAK,eAAA,CAAgB,KAAA,KAAU,UAAA,EAAY;AACpD,MAAA,IAAA,CAAK,gBAAgB,KAAA,EAAM;AAAA,IAC7B;AAAA,EACF;AAAA,EAEA,MAAM,IAAI,GAAA,EAA6C;AACrD,IAAA,MAAM,KAAA,GAAQ,IAAA,CAAK,KAAA,CAAM,GAAA,CAAI,GAAG,CAAA;AAChC,IAAA,IAAI,CAAC,OAAO,OAAO,IAAA;AAGnB,IAAA,IAAI,KAAA,CAAM,SAAA,GAAY,IAAA,CAAK,GAAA,EAAI,EAAG;AAChC,MAAA,IAAA,CAAK,KAAA,CAAM,OAAO,GAAG,CAAA;AACrB,MAAA,OAAO,IAAA;AAAA,IACT;AAEA,IAAA,OAAO,KAAA;AAAA,EACT;AAAA,EAEA,MAAM,GAAA,CAAI,GAAA,EAAa,KAAA,EAAsC;AAC3D,IAAA,IAAA,CAAK,KAAA,CAAM,GAAA,CAAI,GAAA,EAAK,KAAK,CAAA;AAAA,EAC3B;AAAA,EAEA,MAAM,UAAU,GAAA,EAA8B;AAC5C,IAAA,MAAM,GAAA,GAAM,KAAK,GAAA,EAAI;AACrB,IAAA,MAAM,KAAA,GAAQ,IAAA,CAAK,KAAA,CAAM,GAAA,CAAI,GAAG,CAAA;AAEhC,IAAA,IAAI,CAAC,KAAA,IAAS,KAAA,CAAM,SAAA,GAAY,GAAA,EAAK;AAEnC,MAAA,IAAA,CAAK,KAAA,CAAM,GAAA,CAAI,GAAA,EAAK,EAAE,KAAA,EAAO,GAAG,SAAA,EAAW,GAAA,GAAM,IAAA,CAAK,QAAA,EAAU,CAAA;AAChE,MAAA,OAAO,CAAA;AAAA,IACT;AAEA,IAAA,KAAA,CAAM,KAAA,EAAA;AACN,IAAA,OAAO,KAAA,CAAM,KAAA;AAAA,EACf;AAAA,EAEA,MAAM,UAAU,GAAA,EAA4B;AAC1C,IAAA,MAAM,KAAA,GAAQ,IAAA,CAAK,KAAA,CAAM,GAAA,CAAI,GAAG,CAAA;AAChC,IAAA,IAAI,KAAA,IAAS,KAAA,CAAM,KAAA,GAAQ,CAAA,EAAG;AAC5B,MAAA,KAAA,CAAM,KAAA,EAAA;AAAA,IACR;AAAA,EACF;AAAA,EAEA,MAAM,MAAM,GAAA,EAA4B;AACtC,IAAA,IAAA,CAAK,KAAA,CAAM,OAAO,GAAG,CAAA;AAAA,EACvB;AAAA,EAEA,MAAM,KAAA,GAAuB;AAC3B,IAAA,IAAI,KAAK,eAAA,EAAiB;AACxB,MAAA,aAAA,CAAc,KAAK,eAAe,CAAA;AAClC,MAAA,IAAA,CAAK,eAAA,GAAkB,IAAA;AAAA,IACzB;AACA,IAAA,IAAA,CAAK,MAAM,KAAA,EAAM;AAAA,EACnB;AAAA;AAAA;AAAA;AAAA,EAKA,IAAI,IAAA,GAAe;AACjB,IAAA,OAAO,KAAK,KAAA,CAAM,IAAA;AAAA,EACpB;AACF;;;ACjEO,IAAM,aAAN,MAA2C;AAAA,EAMhD,YAAY,OAAA,EAA4B;AACtC,IAAA,IAAA,CAAK,SAAS,OAAA,CAAQ,MAAA;AACtB,IAAA,IAAA,CAAK,MAAA,GAAS,QAAQ,MAAA,IAAU,WAAA;AAChC,IAAA,IAAA,CAAK,QAAA,GAAW,OAAA,CAAQ,QAAA,IAAY,UAAA,CAAW,iBAAA;AAC/C,IAAA,IAAA,CAAK,SAAA,GAAY,IAAA,CAAK,IAAA,CAAK,IAAA,CAAK,WAAW,GAAI,CAAA;AAAA,EACjD;AAAA,EAEQ,OAAO,GAAA,EAAqB;AAClC,IAAA,OAAO,CAAA,EAAG,IAAA,CAAK,MAAM,CAAA,EAAG,GAAG,CAAA,CAAA;AAAA,EAC7B;AAAA,EAEA,MAAM,IAAI,GAAA,EAA6C;AACrD,IAAA,MAAM,QAAA,GAAW,IAAA,CAAK,MAAA,CAAO,GAAG,CAAA;AAEhC,IAAA,MAAM,CAAC,QAAA,EAAU,GAAG,CAAA,GAAI,MAAM,QAAQ,GAAA,CAAI;AAAA,MACxC,IAAA,CAAK,MAAA,CAAO,GAAA,CAAI,QAAQ,CAAA;AAAA,MACxB,IAAA,CAAK,MAAA,CAAO,GAAA,CAAI,QAAQ;AAAA,KACzB,CAAA;AAED,IAAA,IAAI,CAAC,QAAA,IAAY,GAAA,GAAM,CAAA,EAAG;AACxB,MAAA,OAAO,IAAA;AAAA,IACT;AAEA,IAAA,MAAM,KAAA,GAAQ,QAAA,CAAS,QAAA,EAAU,EAAE,CAAA;AACnC,IAAA,IAAI,KAAA,CAAM,KAAK,CAAA,EAAG;AAEhB,MAAA,OAAO,IAAA;AAAA,IACT;AAEA,IAAA,OAAO;AAAA,MACL,KAAA;AAAA,MACA,SAAA,EAAW,IAAA,CAAK,GAAA,EAAI,GAAK,GAAA,GAAM;AAAA,KACjC;AAAA,EACF;AAAA,EAEA,MAAM,GAAA,CAAI,GAAA,EAAa,KAAA,EAAsC;AAC3D,IAAA,MAAM,QAAA,GAAW,IAAA,CAAK,MAAA,CAAO,GAAG,CAAA;AAGhC,IAAA,MAAM,MAAA,GAAS,IAAA,CAAK,GAAA,CAAI,CAAA,EAAG,IAAA,CAAK,IAAA,CAAA,CAAM,KAAA,CAAM,SAAA,GAAY,IAAA,CAAK,GAAA,EAAI,IAAK,GAAI,CAAC,CAAA;AAC3E,IAAA,MAAM,IAAA,CAAK,OAAO,KAAA,CAAM,QAAA,EAAU,QAAQ,KAAA,CAAM,KAAA,CAAM,UAAU,CAAA;AAAA,EAClE;AAAA,EAEA,MAAM,UAAU,GAAA,EAA8B;AAC5C,IAAA,MAAM,QAAA,GAAW,IAAA,CAAK,MAAA,CAAO,GAAG,CAAA;AAGhC,IAAA,MAAM,KAAA,GAAQ,MAAM,IAAA,CAAK,MAAA,CAAO,KAAK,QAAQ,CAAA;AAK7C,IAAA,IAAI,UAAU,CAAA,EAAG;AACf,MAAA,MAAM,IAAA,CAAK,MAAA,CAAO,MAAA,CAAO,QAAA,EAAU,KAAK,SAAS,CAAA;AAAA,IACnD;AAEA,IAAA,OAAO,KAAA;AAAA,EACT;AAAA,EAEA,MAAM,UAAU,GAAA,EAA4B;AAC1C,IAAA,MAAM,QAAA,GAAW,IAAA,CAAK,MAAA,CAAO,GAAG,CAAA;AAChC,IAAA,MAAM,IAAA,CAAK,MAAA,CAAO,IAAA,CAAK,QAAQ,CAAA;AAAA,EACjC;AAAA,EAEA,MAAM,MAAM,GAAA,EAA4B;AACtC,IAAA,MAAM,QAAA,GAAW,IAAA,CAAK,MAAA,CAAO,GAAG,CAAA;AAChC,IAAA,MAAM,IAAA,CAAK,MAAA,CAAO,GAAA,CAAI,QAAQ,CAAA;AAAA,EAChC;AAAA,EAEA,MAAM,KAAA,GAAuB;AAAA,EAG7B;AACF;AASO,SAAS,iBAAiB,OAAA,EAAwC;AACvE,EAAA,OAAO,IAAI,WAAW,OAAO,CAAA;AAC/B","file":"index.mjs","sourcesContent":["/**\r\n * @module @arcis/node/core/constants\r\n * Named constants for Arcis - no magic numbers\r\n */\r\n\r\n// =============================================================================\r\n// INPUT LIMITS\r\n// =============================================================================\r\nexport const INPUT = {\r\n  /** Default maximum input size (1MB) */\r\n  DEFAULT_MAX_SIZE: 1_000_000,\r\n  /** Maximum recursion depth for nested objects */\r\n  MAX_RECURSION_DEPTH: 10,\r\n} as const;\r\n\r\n// =============================================================================\r\n// RATE LIMITING\r\n// =============================================================================\r\nexport const RATE_LIMIT = {\r\n  /** Default window size (1 minute) */\r\n  DEFAULT_WINDOW_MS: 60_000,\r\n  /** Default max requests per window */\r\n  DEFAULT_MAX_REQUESTS: 100,\r\n  /** Default HTTP status code for rate limited responses */\r\n  DEFAULT_STATUS_CODE: 429,\r\n  /** Default error message */\r\n  DEFAULT_MESSAGE: 'Too many requests, please try again later.',\r\n  /** Minimum window size (1 second) */\r\n  MIN_WINDOW_MS: 1_000,\r\n  /** Maximum window size (24 hours) */\r\n  MAX_WINDOW_MS: 86_400_000,\r\n} as const;\r\n\r\n// =============================================================================\r\n// SECURITY HEADERS\r\n// =============================================================================\r\nexport const HEADERS = {\r\n  /** Default Content Security Policy */\r\n  DEFAULT_CSP: [\r\n    \"default-src 'self'\",\r\n    \"script-src 'self'\",\r\n    \"style-src 'self' 'unsafe-inline'\",\r\n    \"img-src 'self' data: https:\",\r\n    \"font-src 'self'\",\r\n    \"object-src 'none'\",\r\n    \"frame-ancestors 'none'\",\r\n  ].join('; '),\r\n  /** Default HSTS max age (1 year in seconds) */\r\n  HSTS_MAX_AGE: 31_536_000,\r\n  /** Default X-Frame-Options value */\r\n  FRAME_OPTIONS: 'DENY' as const,\r\n  /** Default X-Content-Type-Options value */\r\n  CONTENT_TYPE_OPTIONS: 'nosniff',\r\n  /** Default Referrer-Policy value */\r\n  REFERRER_POLICY: 'strict-origin-when-cross-origin',\r\n  /** Default Permissions-Policy value */\r\n  PERMISSIONS_POLICY: 'geolocation=(), microphone=(), camera=()',\r\n  /** Default Cache-Control value for security */\r\n  CACHE_CONTROL: 'no-store, no-cache, must-revalidate, proxy-revalidate',\r\n} as const;\r\n\r\n// =============================================================================\r\n// XSS PATTERNS (ReDoS-safe)\r\n// =============================================================================\r\n\r\n/**\r\n * Detection patterns — used to flag whether a string contains XSS payloads.\r\n * Must stay in sync with XSS_REMOVE_PATTERNS below.\r\n */\r\nexport const XSS_PATTERNS = [\r\n  /** Script tags (ReDoS-safe version) */\r\n  /<script[^>]*>[\\s\\S]*?<\\/script>/gi,\r\n  /** javascript: protocol (allow optional spaces before colon) */\r\n  /javascript\\s*:/gi,\r\n  /** vbscript: protocol */\r\n  /vbscript\\s*:/gi,\r\n  /** Event handlers (onclick, onerror, etc.) — any separator before attribute */\r\n  /(?:[\\s/])on\\w+\\s*=/gi,\r\n  /** iframe tags */\r\n  /<iframe/gi,\r\n  /** object tags */\r\n  /<object/gi,\r\n  /** embed tags */\r\n  /<embed/gi,\r\n  /** data: URIs (only dangerous ones, avoid false positives) */\r\n  /(?:^|[\\s\"'=])data:/gi,\r\n  /** URL-encoded script tags */\r\n  /%3Cscript/gi,\r\n  /** SVG with onload */\r\n  /<svg[^>]*onload/gi,\r\n] as const;\r\n\r\n/**\r\n * Removal patterns — used by sanitizeXss() to strip dangerous content.\r\n * More targeted than XSS_PATTERNS: each pattern captures the full dangerous\r\n * substring (tag, attribute + value, protocol) so it can be replaced safely.\r\n * Must stay in sync with XSS_PATTERNS above.\r\n */\r\nexport const XSS_REMOVE_PATTERNS = [\r\n  /** Full script blocks (content + tags) */\r\n  /<script[^>]*>[\\s\\S]*?<\\/script>/gi,\r\n  /** Standalone/unclosed script tags */\r\n  /<script[^>]*>/gi,\r\n  /** iframe — full block and partial/unclosed */\r\n  /<iframe[^>]*>[\\s\\S]*?<\\/iframe>/gi,\r\n  /<iframe[^>]*/gi,\r\n  /** object — full block and partial/unclosed */\r\n  /<object[^>]*>[\\s\\S]*?<\\/object>/gi,\r\n  /<object[^>]*/gi,\r\n  /** embed tags */\r\n  /<embed[^>]*/gi,\r\n  /** SVG with inline event handlers */\r\n  /<svg[^>]*onload[^>]*>/gi,\r\n  /** URL-encoded script tags */\r\n  /%3Cscript/gi,\r\n  /** Event handlers with quoted values: onclick=\"...\", onerror='...' */\r\n  /(?:[\\s/])on\\w+\\s*=\\s*[\"'][^\"']*[\"']/gi,\r\n  /** Event handlers with unquoted values: onload=value */\r\n  /(?:[\\s/])on\\w+\\s*=\\s*[^\\s>]*/gi,\r\n  /** javascript: and vbscript: protocols (allow optional spaces before colon) */\r\n  /javascript\\s*:/gi,\r\n  /vbscript\\s*:/gi,\r\n  /** data: URIs with HTML/script content */\r\n  /data\\s*:\\s*text\\/html[^>\\s]*/gi,\r\n] as const;\r\n\r\n// =============================================================================\r\n// SQL INJECTION PATTERNS\r\n// =============================================================================\r\nexport const SQL_PATTERNS = [\r\n  /** SQL keywords */\r\n  /(\\b(SELECT|INSERT|UPDATE|DELETE|DROP|UNION|ALTER|CREATE|TRUNCATE|EXEC|EXECUTE)\\b)/gi,\r\n  /** SQL comments: ANSI (--), C-style (slash-star ... star-slash), MySQL (#) */\r\n  /(--|\\/\\*|\\*\\/|#)/g,\r\n  /** SQL statement separators */\r\n  /(;|\\|\\||&&)/g,\r\n  /** Boolean injection: OR 1=1 */\r\n  /\\bOR\\s+\\d+\\s*=\\s*\\d+/gi,\r\n  /** Boolean injection: OR 'a'='a' or OR \"a\"=\"a\" (including mixed quotes) */\r\n  /\\bOR\\s+(['\"])[^'\"]*\\1\\s*=\\s*(['\"])[^'\"]*\\2/gi,\r\n  /\\bOR\\s+('[^']*'|\"[^\"]*\")\\s*=\\s*('[^']*'|\"[^\"]*\")/gi,\r\n  /** Boolean injection: AND 1=1 */\r\n  /\\bAND\\s+\\d+\\s*=\\s*\\d+/gi,\r\n  /** Boolean injection: AND 'a'='a' or AND \"a\"=\"a\" (including mixed quotes) */\r\n  /\\bAND\\s+(['\"])[^'\"]*\\1\\s*=\\s*(['\"])[^'\"]*\\2/gi,\r\n  /\\bAND\\s+('[^']*'|\"[^\"]*\")\\s*=\\s*('[^']*'|\"[^\"]*\")/gi,\r\n  /** Time-based blind: SLEEP() */\r\n  /\\bSLEEP\\s*\\(\\s*\\d+\\s*\\)/gi,\r\n  /** Time-based blind: BENCHMARK() */\r\n  /\\bBENCHMARK\\s*\\(/gi,\r\n] as const;\r\n\r\n// =============================================================================\r\n// PATH TRAVERSAL PATTERNS\r\n// =============================================================================\r\nexport const PATH_PATTERNS = [\r\n  /** Unix path traversal */\r\n  /\\.\\.\\//g,\r\n  /** Windows path traversal */\r\n  /\\.\\.\\\\/g,\r\n  /** URL-encoded traversal (%2e%2e) */\r\n  /%2e%2e/gi,\r\n  /** Double URL-encoded traversal (%252e) */\r\n  /%252e/gi,\r\n  /** Mixed encoding: ..%2F */\r\n  /\\.\\.%2F/gi,\r\n  /** Mixed encoding: %2e./ and .%2e/ */\r\n  /%2e\\.[\\\\/]/gi,\r\n  /\\.%2e[\\\\/]/gi,\r\n  /** Fully URL-encoded: %2e%2e%2f */\r\n  /%2e%2e%2f/gi,\r\n  /** Null byte injection in paths */\r\n  /\\0/g,\r\n] as const;\r\n\r\n// =============================================================================\r\n// COMMAND INJECTION PATTERNS\r\n// =============================================================================\r\nexport const COMMAND_PATTERNS = [\r\n  /**\r\n   * Shell metacharacters that enable command chaining/substitution.\r\n   * Bare ( and ) are excluded — they appear in common legitimate values\r\n   * (function calls in code fields, math expressions, etc.).\r\n   * Command substitution is caught by the $( combined pattern below.\r\n   * NOTE: ';', '&', '|' may appear in legitimate URL query strings\r\n   * and Markdown; consider disabling command checking (command: false)\r\n   * for fields that intentionally allow those characters.\r\n   */\r\n  /[;&|`]/g,\r\n  /** Command substitution: $( ... ) — matched as a pair to reduce false positives */\r\n  /\\$\\(/g,\r\n] as const;\r\n\r\n// =============================================================================\r\n// DANGEROUS KEYS\r\n// =============================================================================\r\n\r\n/**\r\n * Prototype pollution keys to block.\r\n * Stored lowercase — always compare with key.toLowerCase().\r\n *\r\n * Includes:\r\n * - __proto__: direct prototype assignment\r\n * - constructor: access to constructor.prototype chain\r\n * - prototype: direct prototype property\r\n * - __defineGetter__/__defineSetter__: legacy property definition (can override getters/setters)\r\n * - __lookupGetter__/__lookupSetter__: legacy property introspection\r\n */\r\nexport const DANGEROUS_PROTO_KEYS = new Set([\r\n  '__proto__',\r\n  'constructor',\r\n  'prototype',\r\n  '__definegetter__',\r\n  '__definesetter__',\r\n  '__lookupgetter__',\r\n  '__lookupsetter__',\r\n]);\r\n\r\n/** MongoDB operators to block */\r\nexport const NOSQL_DANGEROUS_KEYS = new Set([\r\n  // Comparison\r\n  '$gt', '$gte', '$lt', '$lte', '$ne', '$eq', '$in', '$nin',\r\n  // Logical\r\n  '$and', '$or', '$not', '$nor',\r\n  // Element / evaluation\r\n  '$exists', '$type', '$regex', '$where', '$expr', '$mod', '$text',\r\n  // Array\r\n  '$elemMatch', '$all', '$size',\r\n  // JavaScript execution (critical)\r\n  '$function', '$accumulator',\r\n  // Aggregation pipeline operators (injectable via $lookup etc.)\r\n  '$lookup', '$match', '$project', '$group', '$sort', '$limit', '$skip',\r\n  '$unwind', '$addFields', '$replaceRoot',\r\n]);\r\n\r\n// =============================================================================\r\n// REDACTION\r\n// =============================================================================\r\nexport const REDACTION = {\r\n  /** Replacement text for redacted values */\r\n  REPLACEMENT: '[REDACTED]',\r\n  /** Truncation indicator */\r\n  TRUNCATED: '[TRUNCATED]',\r\n  /** Max depth indicator */\r\n  MAX_DEPTH: '[MAX_DEPTH]',\r\n  /** Default max message length */\r\n  DEFAULT_MAX_LENGTH: 10_000,\r\n  /** Default sensitive keys to redact */\r\n  SENSITIVE_KEYS: new Set([\r\n    'password', 'passwd', 'pwd', 'secret', 'token', 'apikey',\r\n    'api_key', 'apiKey', 'auth', 'authorization', 'credit_card',\r\n    'creditcard', 'cc', 'ssn', 'social_security', 'private_key',\r\n    'privateKey', 'access_token', 'accessToken', 'refresh_token',\r\n    'refreshToken', 'bearer', 'jwt', 'session', 'cookie',\r\n    'credentials', 'x-api-key', 'x-auth-token',\r\n  ]),\r\n} as const;\r\n\r\n// =============================================================================\r\n// VALIDATION PATTERNS\r\n// =============================================================================\r\nexport const VALIDATION = {\r\n  /**\r\n   * Email regex pattern.\r\n   * Rejects consecutive dots in local part (e.g. test..foo@example.com),\r\n   * leading/trailing dots, and other common invalid forms.\r\n   */\r\n  EMAIL: /^[^\\s@.][^\\s@]*(?:\\.[^\\s@.][^\\s@]*)*@[^\\s@]+\\.[^\\s@]+$/,\r\n  /**\r\n   * URL regex pattern.\r\n   * Only allows http:// and https:// — explicitly rejects javascript:,\r\n   * data:, vbscript:, and other dangerous URI schemes.\r\n   */\r\n  URL: /^https?:\\/\\/[^\\s/$.?#][^\\s]*$/,\r\n  /** UUID regex pattern (v4) */\r\n  UUID: /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i,\r\n} as const;\r\n\r\n// =============================================================================\r\n// ERROR MESSAGES\r\n// =============================================================================\r\nexport const ERRORS = {\r\n  /** Generic error message (production) */\r\n  INTERNAL_SERVER_ERROR: 'Internal Server Error',\r\n  /** Input too large error */\r\n  INPUT_TOO_LARGE: (maxSize: number) => `Input exceeds maximum size of ${maxSize} bytes`,\r\n  /** Validation error messages */\r\n  VALIDATION: {\r\n    REQUIRED: (field: string) => `${field} is required`,\r\n    INVALID_TYPE: (field: string, type: string) => `${field} must be a ${type}`,\r\n    MIN_LENGTH: (field: string, min: number) => `${field} must be at least ${min} characters`,\r\n    MAX_LENGTH: (field: string, max: number) => `${field} must be at most ${max} characters`,\r\n    MIN_VALUE: (field: string, min: number) => `${field} must be at least ${min}`,\r\n    MAX_VALUE: (field: string, max: number) => `${field} must be at most ${max}`,\r\n    INVALID_FORMAT: (field: string) => `${field} format is invalid`,\r\n    INVALID_EMAIL: (field: string) => `${field} must be a valid email`,\r\n    INVALID_URL: (field: string) => `${field} must be a valid URL`,\r\n    INVALID_UUID: (field: string) => `${field} must be a valid UUID`,\r\n    INVALID_ENUM: (field: string, values: unknown[]) => `${field} must be one of: ${values.join(', ')}`,\r\n    MIN_ITEMS: (field: string, min: number) => `${field} must have at least ${min} items`,\r\n    MAX_ITEMS: (field: string, max: number) => `${field} must have at most ${max} items`,\r\n  },\r\n} as const;\r\n\r\n// =============================================================================\r\n// BLOCKED TEXT (for sanitizer replacements)\r\n// =============================================================================\r\nexport const BLOCKED = '[BLOCKED]' as const;\r\n","/**\r\n * @module @arcis/node/stores/memory\r\n * In-memory rate limit store\r\n */\r\n\r\nimport type { RateLimitStore, RateLimitEntry } from '../core/types';\r\nimport { RATE_LIMIT } from '../core/constants';\r\n\r\n/**\r\n * In-memory rate limit store.\r\n * Suitable for single-instance deployments.\r\n * For distributed systems, use RedisStore or a custom store.\r\n * \r\n * @example\r\n * const store = new MemoryStore(60000); // 1 minute window\r\n * const limiter = createRateLimiter({ store });\r\n */\r\nexport class MemoryStore implements RateLimitStore {\r\n  private store: Map<string, RateLimitEntry> = new Map();\r\n  private cleanupInterval: ReturnType<typeof setInterval> | null = null;\r\n  private windowMs: number;\r\n\r\n  constructor(windowMs: number = RATE_LIMIT.DEFAULT_WINDOW_MS) {\r\n    if (!Number.isFinite(windowMs) || windowMs < RATE_LIMIT.MIN_WINDOW_MS) {\r\n      throw new RangeError(\r\n        `MemoryStore: windowMs must be a finite number >= ${RATE_LIMIT.MIN_WINDOW_MS} (got ${windowMs})`\r\n      );\r\n    }\r\n    this.windowMs = windowMs;\r\n    this.startCleanup();\r\n  }\r\n\r\n  /**\r\n   * Start the cleanup interval to remove expired entries.\r\n   */\r\n  private startCleanup(): void {\r\n    // Clamp the cleanup interval between 30 s and 5 min regardless of windowMs.\r\n    // Running it every windowMs is fine for typical windows but would fire every\r\n    // second for short windows (e.g. windowMs: 1000), causing O(n) GC pressure.\r\n    const CLEANUP_MIN_MS = 30_000;\r\n    const CLEANUP_MAX_MS = 300_000;\r\n    const cleanupMs = Math.min(Math.max(this.windowMs, CLEANUP_MIN_MS), CLEANUP_MAX_MS);\r\n\r\n    this.cleanupInterval = setInterval(() => {\r\n      const now = Date.now();\r\n      for (const [key, entry] of this.store.entries()) {\r\n        if (entry.resetTime < now) {\r\n          this.store.delete(key);\r\n        }\r\n      }\r\n    }, cleanupMs);\r\n\r\n    // Prevent interval from keeping the process alive\r\n    if (typeof this.cleanupInterval.unref === 'function') {\r\n      this.cleanupInterval.unref();\r\n    }\r\n  }\r\n\r\n  async get(key: string): Promise<RateLimitEntry | null> {\r\n    const entry = this.store.get(key);\r\n    if (!entry) return null;\r\n    \r\n    // Check if expired\r\n    if (entry.resetTime < Date.now()) {\r\n      this.store.delete(key);\r\n      return null;\r\n    }\r\n    \r\n    return entry;\r\n  }\r\n\r\n  async set(key: string, entry: RateLimitEntry): Promise<void> {\r\n    this.store.set(key, entry);\r\n  }\r\n\r\n  async increment(key: string): Promise<number> {\r\n    const now = Date.now();\r\n    const entry = this.store.get(key);\r\n    \r\n    if (!entry || entry.resetTime < now) {\r\n      // Start new window\r\n      this.store.set(key, { count: 1, resetTime: now + this.windowMs });\r\n      return 1;\r\n    }\r\n    \r\n    entry.count++;\r\n    return entry.count;\r\n  }\r\n\r\n  async decrement(key: string): Promise<void> {\r\n    const entry = this.store.get(key);\r\n    if (entry && entry.count > 0) {\r\n      entry.count--;\r\n    }\r\n  }\r\n\r\n  async reset(key: string): Promise<void> {\r\n    this.store.delete(key);\r\n  }\r\n\r\n  async close(): Promise<void> {\r\n    if (this.cleanupInterval) {\r\n      clearInterval(this.cleanupInterval);\r\n      this.cleanupInterval = null;\r\n    }\r\n    this.store.clear();\r\n  }\r\n\r\n  /**\r\n   * Get current store size (for monitoring).\r\n   */\r\n  get size(): number {\r\n    return this.store.size;\r\n  }\r\n}\r\n","/**\r\n * @module @arcis/node/stores/redis\r\n * Redis rate limit store\r\n * \r\n * Note: This is a reference implementation. You'll need to install\r\n * the 'ioredis' or 'redis' package and pass your client instance.\r\n */\r\n\r\nimport type { RateLimitStore, RateLimitEntry } from '../core/types';\r\nimport { RATE_LIMIT } from '../core/constants';\r\n\r\n/** Generic Redis client interface (works with ioredis, redis, etc.) */\r\nexport interface RedisClientLike {\r\n  get(key: string): Promise<string | null>;\r\n  set(key: string, value: string, mode?: string, duration?: number): Promise<unknown>;\r\n  setex(key: string, seconds: number, value: string): Promise<unknown>;\r\n  expire(key: string, seconds: number): Promise<unknown>;\r\n  incr(key: string): Promise<number>;\r\n  decr(key: string): Promise<number>;\r\n  del(key: string): Promise<number>;\r\n  ttl(key: string): Promise<number>;\r\n  quit?(): Promise<unknown>;\r\n  disconnect?(): Promise<unknown>;\r\n}\r\n\r\nexport interface RedisStoreOptions {\r\n  /** Redis client instance */\r\n  client: RedisClientLike;\r\n  /** Key prefix. Default: 'arcis:rl:' */\r\n  prefix?: string;\r\n  /** Window size in milliseconds. Default: 60000 */\r\n  windowMs?: number;\r\n}\r\n\r\n/**\r\n * Redis rate limit store for distributed deployments.\r\n * \r\n * @example\r\n * import Redis from 'ioredis';\r\n * \r\n * const redis = new Redis();\r\n * const store = new RedisStore({ client: redis });\r\n * const limiter = createRateLimiter({ store });\r\n * \r\n * // Cleanup on shutdown\r\n * process.on('SIGTERM', async () => {\r\n *   await store.close();\r\n * });\r\n */\r\nexport class RedisStore implements RateLimitStore {\r\n  private client: RedisClientLike;\r\n  private prefix: string;\r\n  private windowMs: number;\r\n  private windowSec: number;\r\n\r\n  constructor(options: RedisStoreOptions) {\r\n    this.client = options.client;\r\n    this.prefix = options.prefix ?? 'arcis:rl:';\r\n    this.windowMs = options.windowMs ?? RATE_LIMIT.DEFAULT_WINDOW_MS;\r\n    this.windowSec = Math.ceil(this.windowMs / 1000);\r\n  }\r\n\r\n  private getKey(key: string): string {\r\n    return `${this.prefix}${key}`;\r\n  }\r\n\r\n  async get(key: string): Promise<RateLimitEntry | null> {\r\n    const redisKey = this.getKey(key);\r\n    \r\n    const [countStr, ttl] = await Promise.all([\r\n      this.client.get(redisKey),\r\n      this.client.ttl(redisKey),\r\n    ]);\r\n    \r\n    if (!countStr || ttl < 0) {\r\n      return null;\r\n    }\r\n    \r\n    const count = parseInt(countStr, 10);\r\n    if (isNaN(count)) {\r\n      // Corrupt value in Redis — treat as if key doesn't exist\r\n      return null;\r\n    }\r\n\r\n    return {\r\n      count,\r\n      resetTime: Date.now() + (ttl * 1000),\r\n    };\r\n  }\r\n\r\n  async set(key: string, entry: RateLimitEntry): Promise<void> {\r\n    const redisKey = this.getKey(key);\r\n    // Clamp to at least 1 second — Math.ceil can produce 0 or negative values\r\n    // when entry.resetTime is in the past due to Redis latency or clock skew.\r\n    const ttlSec = Math.max(1, Math.ceil((entry.resetTime - Date.now()) / 1000));\r\n    await this.client.setex(redisKey, ttlSec, entry.count.toString());\r\n  }\r\n\r\n  async increment(key: string): Promise<number> {\r\n    const redisKey = this.getKey(key);\r\n    \r\n    // INCR creates key with value 1 if it doesn't exist\r\n    const count = await this.client.incr(redisKey);\r\n\r\n    // Set expiry only on first increment using EXPIRE, which sets the TTL\r\n    // without overwriting the value (unlike SET ... EX which would reset the\r\n    // counter if two requests increment concurrently before expiry is set).\r\n    if (count === 1) {\r\n      await this.client.expire(redisKey, this.windowSec);\r\n    }\r\n\r\n    return count;\r\n  }\r\n\r\n  async decrement(key: string): Promise<void> {\r\n    const redisKey = this.getKey(key);\r\n    await this.client.decr(redisKey);\r\n  }\r\n\r\n  async reset(key: string): Promise<void> {\r\n    const redisKey = this.getKey(key);\r\n    await this.client.del(redisKey);\r\n  }\r\n\r\n  async close(): Promise<void> {\r\n    // Don't close the client - it may be shared\r\n    // The caller should manage the client lifecycle\r\n  }\r\n}\r\n\r\n/**\r\n * Create a Redis store with the given options.\r\n * Convenience function for functional programming style.\r\n * \r\n * @example\r\n * const store = createRedisStore({ client: redisClient });\r\n */\r\nexport function createRedisStore(options: RedisStoreOptions): RedisStore {\r\n  return new RedisStore(options);\r\n}\r\n"]}

package/dist/types-BOdL3ZWo.d.mts

@@ -0,0 +1,264 @@
+import { Request, RequestHandler, Response, NextFunction } from 'express';
+
+/**
+ * @module @arcis/node/core/types
+ * All TypeScript interfaces and types for Arcis
+ */
+
+/** Main Arcis configuration options */
+interface ArcisOptions {
+    /** Enable/configure input sanitization. Default: true */
+    sanitize?: boolean | SanitizeOptions;
+    /** Enable/configure rate limiting. Default: true */
+    rateLimit?: boolean | RateLimitOptions;
+    /** Enable/configure security headers. Default: true */
+    headers?: boolean | HeaderOptions;
+    /** Enable/configure safe logging. Default: true */
+    logging?: boolean | LogOptions;
+}
+/** Sanitization configuration */
+interface SanitizeOptions {
+    /** Sanitize XSS attempts. Default: true */
+    xss?: boolean;
+    /** Sanitize SQL injection attempts. Default: true */
+    sql?: boolean;
+    /** Sanitize NoSQL injection attempts. Default: true */
+    nosql?: boolean;
+    /** Sanitize path traversal attempts. Default: true */
+    path?: boolean;
+    /** Protect against prototype pollution. Default: true */
+    proto?: boolean;
+    /** Sanitize command injection attempts. Default: true */
+    command?: boolean;
+    /** Maximum input size in bytes. Default: 1000000 (1MB) */
+    maxSize?: number;
+    /**
+     * How to handle detected SQL and command injection threats.
+     * - 'reject': Throw SecurityThreatError (returns 400). Recommended for APIs. Default.
+     * - 'sanitize': Strip/replace threats in-place. Use only when rejection is not feasible.
+     */
+    mode?: 'sanitize' | 'reject';
+    /**
+     * HTML-encode output after XSS stripping.
+     * Enable for SSR/template rendering. Do NOT enable for JSON REST APIs
+     * — it corrupts stored data with HTML entities. Default: false.
+     */
+    htmlEncode?: boolean;
+}
+/** Result of sanitizing a string */
+interface SanitizeResult {
+    /** The sanitized value */
+    value: string;
+    /** Whether any sanitization was applied */
+    wasSanitized: boolean;
+    /** Details about detected threats */
+    threats: ThreatInfo[];
+}
+/** Information about a detected threat */
+interface ThreatInfo {
+    /** Type of threat detected */
+    type: ThreatType;
+    /** Pattern that matched */
+    pattern: string;
+    /** Original matched content */
+    original: string;
+    /** Location in the input (if applicable) */
+    location?: string;
+}
+/** Types of security threats */
+type ThreatType = 'xss' | 'sql_injection' | 'nosql_injection' | 'path_traversal' | 'command_injection' | 'prototype_pollution' | 'header_injection';
+/** Rate limiting configuration */
+interface RateLimitOptions {
+    /** Maximum requests per window. Default: 100 */
+    max?: number;
+    /** Window size in milliseconds. Default: 60000 (1 minute) */
+    windowMs?: number;
+    /** Error message when limit exceeded */
+    message?: string;
+    /** HTTP status code for rate limited responses. Default: 429 */
+    statusCode?: number;
+    /** Function to generate rate limit key from request */
+    keyGenerator?: (req: Request) => string;
+    /** Function to skip rate limiting for certain requests */
+    skip?: (req: Request) => boolean;
+    /** Optional external store for distributed rate limiting */
+    store?: RateLimitStore;
+}
+/** External store interface for distributed rate limiting */
+interface RateLimitStore {
+    /** Get current count for a key */
+    get(key: string): Promise<RateLimitEntry | null>;
+    /** Set entry for a key */
+    set(key: string, entry: RateLimitEntry): Promise<void>;
+    /** Increment count for a key */
+    increment(key: string): Promise<number>;
+    /** Decrement count for a key (for sliding window) */
+    decrement?(key: string): Promise<void>;
+    /** Reset count for a key */
+    reset?(key: string): Promise<void>;
+    /** Close the store (cleanup connections) */
+    close?(): Promise<void>;
+}
+/** Rate limit entry stored in a store */
+interface RateLimitEntry {
+    /** Number of requests in the current window */
+    count: number;
+    /** Timestamp when the window resets */
+    resetTime: number;
+}
+/** Result from incrementing a rate limit counter */
+interface RateLimitResult {
+    /** Current request count */
+    count: number;
+    /** When the window resets */
+    resetTime: Date;
+}
+/** Rate limiter middleware with cleanup support */
+interface RateLimiterMiddleware extends RequestHandler {
+    /** Clean up the rate limiter (clear intervals, close stores) */
+    close: () => void;
+}
+/** Security headers configuration */
+interface HeaderOptions {
+    /** Content Security Policy. true = default, string = custom, false = disabled */
+    contentSecurityPolicy?: boolean | string;
+    /** Enable X-XSS-Protection header. Default: true */
+    xssFilter?: boolean;
+    /** Enable X-Content-Type-Options: nosniff. Default: true */
+    noSniff?: boolean;
+    /** X-Frame-Options value. Default: 'DENY' */
+    frameOptions?: 'DENY' | 'SAMEORIGIN' | false;
+    /** HSTS configuration. Default: true */
+    hsts?: boolean | HstsOptions;
+    /** Referrer-Policy value. Default: 'strict-origin-when-cross-origin' */
+    referrerPolicy?: string | false;
+    /** Permissions-Policy value */
+    permissionsPolicy?: string | false;
+    /** Cache-Control configuration. Default: true (no-cache) */
+    cacheControl?: boolean | string;
+}
+/** HSTS (HTTP Strict Transport Security) options */
+interface HstsOptions {
+    /** Max age in seconds. Default: 31536000 (1 year) */
+    maxAge?: number;
+    /** Include subdomains. Default: true */
+    includeSubDomains?: boolean;
+    /** Enable HSTS preload. Default: false */
+    preload?: boolean;
+}
+/** Validation configuration */
+interface ValidationConfig {
+    /** Strip fields not in schema. Default: true (prevents mass assignment) */
+    stripUnknown?: boolean;
+    /** Stop on first error. Default: false */
+    abortEarly?: boolean;
+}
+/** Validation schema for request data */
+interface ValidationSchema {
+    [key: string]: FieldValidator;
+}
+/** Field validation rules */
+interface FieldValidator {
+    /** Expected data type */
+    type: 'string' | 'number' | 'boolean' | 'email' | 'url' | 'uuid' | 'array' | 'object';
+    /** Whether field is required. Default: false */
+    required?: boolean;
+    /** Minimum value (number) or length (string/array) */
+    min?: number;
+    /** Maximum value (number) or length (string/array) */
+    max?: number;
+    /** Regex pattern for string validation */
+    pattern?: RegExp;
+    /** Allowed values */
+    enum?: unknown[];
+    /** Whether to sanitize the value. Default: true */
+    sanitize?: boolean;
+    /**
+     * Custom validation function.
+     * Return `true` to pass, `false` to fail with a default message,
+     * or a non-empty string to fail with that message.
+     * Returning `undefined` (i.e. forgetting to return) throws at runtime.
+     */
+    custom?: (value: unknown) => true | false | string;
+}
+/** Validation result */
+interface ValidationResult {
+    /** Whether validation passed */
+    valid: boolean;
+    /** Validation errors */
+    errors: ValidationError[];
+    /** Validated and sanitized data */
+    data: Record<string, unknown>;
+}
+/** Single validation error */
+interface ValidationError {
+    /** Field that failed validation */
+    field: string;
+    /** Human-readable error message */
+    message: string;
+    /** Error code for programmatic handling */
+    code: string;
+}
+/** Safe logging configuration */
+interface LogOptions {
+    /** Additional keys to redact beyond defaults */
+    redactKeys?: string[];
+    /** Maximum message length before truncation. Default: 10000 */
+    maxLength?: number;
+    /** Additional patterns to redact (e.g., custom tokens) */
+    redactPatterns?: RegExp[];
+}
+/** Safe logger interface */
+interface SafeLogger {
+    /** Log at specified level */
+    log: (level: string, message: string, data?: unknown) => void;
+    /** Log info message */
+    info: (message: string, data?: unknown) => void;
+    /** Log warning message */
+    warn: (message: string, data?: unknown) => void;
+    /** Log error message */
+    error: (message: string, data?: unknown) => void;
+    /** Log debug message */
+    debug: (message: string, data?: unknown) => void;
+}
+/** Error handler configuration */
+interface ErrorHandlerOptions {
+    /** Show stack traces and detailed errors. Default: false */
+    isDev?: boolean;
+    /** Log errors. Default: true */
+    logErrors?: boolean;
+    /** Custom error logger */
+    logger?: SafeLogger;
+    /** Custom error handler */
+    customHandler?: (err: Error, req: Request, res: Response) => void;
+}
+/** Extended Error with optional status code */
+interface HttpError extends Error {
+    statusCode?: number;
+    status?: number;
+    /**
+     * Whether the error message is safe to expose to API clients.
+     * Set to true for known client-facing errors (4xx with controlled messages).
+     * Defaults to false — message is hidden in production unless explicitly exposed.
+     */
+    expose?: boolean;
+}
+/** Generic Arcis middleware type */
+type ArcisMiddleware = (req: Request, res: Response, next: NextFunction) => void | Promise<void>;
+/** Array of middlewares returned by arcis() with an attached cleanup method */
+type ArcisMiddlewareStack = RequestHandler[] & {
+    /** Clean up resources created by arcis() (rate limiter intervals, etc.) */
+    close: () => void;
+};
+/** Arcis function with attached utilities */
+interface ArcisFunction {
+    (options?: ArcisOptions): ArcisMiddlewareStack;
+    sanitize: (options?: SanitizeOptions) => RequestHandler;
+    rateLimit: (options?: RateLimitOptions) => RateLimiterMiddleware;
+    headers: (options?: HeaderOptions) => RequestHandler;
+    validate: (schema: ValidationSchema, source?: 'body' | 'query' | 'params') => RequestHandler;
+    logger: (options?: LogOptions) => SafeLogger;
+    errorHandler: (options?: ErrorHandlerOptions | boolean) => (err: Error, req: Request, res: Response, next: NextFunction) => void;
+}
+
+export type { ArcisFunction as A, ErrorHandlerOptions as E, FieldValidator as F, HeaderOptions as H, LogOptions as L, RateLimitEntry as R, SafeLogger as S, ThreatInfo as T, ValidationConfig as V, ArcisMiddleware as a, ArcisOptions as b, HstsOptions as c, HttpError as d, RateLimitOptions as e, RateLimitResult as f, RateLimitStore as g, RateLimiterMiddleware as h, SanitizeOptions as i, SanitizeResult as j, ThreatType as k, ValidationError as l, ValidationResult as m, ValidationSchema as n, ArcisMiddlewareStack as o };