@arcis/node 1.0.0

package/dist/core/index.js

@@ -0,0 +1,327 @@
+'use strict';
+
+// src/core/constants.ts
+var INPUT = {
+  /** Default maximum input size (1MB) */
+  DEFAULT_MAX_SIZE: 1e6,
+  /** Maximum recursion depth for nested objects */
+  MAX_RECURSION_DEPTH: 10
+};
+var RATE_LIMIT = {
+  /** Default window size (1 minute) */
+  DEFAULT_WINDOW_MS: 6e4,
+  /** Default max requests per window */
+  DEFAULT_MAX_REQUESTS: 100,
+  /** Default HTTP status code for rate limited responses */
+  DEFAULT_STATUS_CODE: 429,
+  /** Default error message */
+  DEFAULT_MESSAGE: "Too many requests, please try again later.",
+  /** Minimum window size (1 second) */
+  MIN_WINDOW_MS: 1e3,
+  /** Maximum window size (24 hours) */
+  MAX_WINDOW_MS: 864e5
+};
+var HEADERS = {
+  /** Default Content Security Policy */
+  DEFAULT_CSP: [
+    "default-src 'self'",
+    "script-src 'self'",
+    "style-src 'self' 'unsafe-inline'",
+    "img-src 'self' data: https:",
+    "font-src 'self'",
+    "object-src 'none'",
+    "frame-ancestors 'none'"
+  ].join("; "),
+  /** Default HSTS max age (1 year in seconds) */
+  HSTS_MAX_AGE: 31536e3,
+  /** Default X-Frame-Options value */
+  FRAME_OPTIONS: "DENY",
+  /** Default X-Content-Type-Options value */
+  CONTENT_TYPE_OPTIONS: "nosniff",
+  /** Default Referrer-Policy value */
+  REFERRER_POLICY: "strict-origin-when-cross-origin",
+  /** Default Permissions-Policy value */
+  PERMISSIONS_POLICY: "geolocation=(), microphone=(), camera=()",
+  /** Default Cache-Control value for security */
+  CACHE_CONTROL: "no-store, no-cache, must-revalidate, proxy-revalidate"
+};
+var XSS_PATTERNS = [
+  /** Script tags (ReDoS-safe version) */
+  /<script[^>]*>[\s\S]*?<\/script>/gi,
+  /** javascript: protocol (allow optional spaces before colon) */
+  /javascript\s*:/gi,
+  /** vbscript: protocol */
+  /vbscript\s*:/gi,
+  /** Event handlers (onclick, onerror, etc.) — any separator before attribute */
+  /(?:[\s/])on\w+\s*=/gi,
+  /** iframe tags */
+  /<iframe/gi,
+  /** object tags */
+  /<object/gi,
+  /** embed tags */
+  /<embed/gi,
+  /** data: URIs (only dangerous ones, avoid false positives) */
+  /(?:^|[\s"'=])data:/gi,
+  /** URL-encoded script tags */
+  /%3Cscript/gi,
+  /** SVG with onload */
+  /<svg[^>]*onload/gi
+];
+var SQL_PATTERNS = [
+  /** SQL keywords */
+  /(\b(SELECT|INSERT|UPDATE|DELETE|DROP|UNION|ALTER|CREATE|TRUNCATE|EXEC|EXECUTE)\b)/gi,
+  /** SQL comments: ANSI (--), C-style (slash-star ... star-slash), MySQL (#) */
+  /(--|\/\*|\*\/|#)/g,
+  /** SQL statement separators */
+  /(;|\|\||&&)/g,
+  /** Boolean injection: OR 1=1 */
+  /\bOR\s+\d+\s*=\s*\d+/gi,
+  /** Boolean injection: OR 'a'='a' or OR "a"="a" (including mixed quotes) */
+  /\bOR\s+(['"])[^'"]*\1\s*=\s*(['"])[^'"]*\2/gi,
+  /\bOR\s+('[^']*'|"[^"]*")\s*=\s*('[^']*'|"[^"]*")/gi,
+  /** Boolean injection: AND 1=1 */
+  /\bAND\s+\d+\s*=\s*\d+/gi,
+  /** Boolean injection: AND 'a'='a' or AND "a"="a" (including mixed quotes) */
+  /\bAND\s+(['"])[^'"]*\1\s*=\s*(['"])[^'"]*\2/gi,
+  /\bAND\s+('[^']*'|"[^"]*")\s*=\s*('[^']*'|"[^"]*")/gi,
+  /** Time-based blind: SLEEP() */
+  /\bSLEEP\s*\(\s*\d+\s*\)/gi,
+  /** Time-based blind: BENCHMARK() */
+  /\bBENCHMARK\s*\(/gi
+];
+var PATH_PATTERNS = [
+  /** Unix path traversal */
+  /\.\.\//g,
+  /** Windows path traversal */
+  /\.\.\\/g,
+  /** URL-encoded traversal (%2e%2e) */
+  /%2e%2e/gi,
+  /** Double URL-encoded traversal (%252e) */
+  /%252e/gi,
+  /** Mixed encoding: ..%2F */
+  /\.\.%2F/gi,
+  /** Mixed encoding: %2e./ and .%2e/ */
+  /%2e\.[\\/]/gi,
+  /\.%2e[\\/]/gi,
+  /** Fully URL-encoded: %2e%2e%2f */
+  /%2e%2e%2f/gi,
+  /** Null byte injection in paths */
+  /\0/g
+];
+var COMMAND_PATTERNS = [
+  /**
+   * Shell metacharacters that enable command chaining/substitution.
+   * Bare ( and ) are excluded — they appear in common legitimate values
+   * (function calls in code fields, math expressions, etc.).
+   * Command substitution is caught by the $( combined pattern below.
+   * NOTE: ';', '&', '|' may appear in legitimate URL query strings
+   * and Markdown; consider disabling command checking (command: false)
+   * for fields that intentionally allow those characters.
+   */
+  /[;&|`]/g,
+  /** Command substitution: $( ... ) — matched as a pair to reduce false positives */
+  /\$\(/g
+];
+var DANGEROUS_PROTO_KEYS = /* @__PURE__ */ new Set([
+  "__proto__",
+  "constructor",
+  "prototype",
+  "__definegetter__",
+  "__definesetter__",
+  "__lookupgetter__",
+  "__lookupsetter__"
+]);
+var NOSQL_DANGEROUS_KEYS = /* @__PURE__ */ new Set([
+  // Comparison
+  "$gt",
+  "$gte",
+  "$lt",
+  "$lte",
+  "$ne",
+  "$eq",
+  "$in",
+  "$nin",
+  // Logical
+  "$and",
+  "$or",
+  "$not",
+  "$nor",
+  // Element / evaluation
+  "$exists",
+  "$type",
+  "$regex",
+  "$where",
+  "$expr",
+  "$mod",
+  "$text",
+  // Array
+  "$elemMatch",
+  "$all",
+  "$size",
+  // JavaScript execution (critical)
+  "$function",
+  "$accumulator",
+  // Aggregation pipeline operators (injectable via $lookup etc.)
+  "$lookup",
+  "$match",
+  "$project",
+  "$group",
+  "$sort",
+  "$limit",
+  "$skip",
+  "$unwind",
+  "$addFields",
+  "$replaceRoot"
+]);
+var REDACTION = {
+  /** Replacement text for redacted values */
+  REPLACEMENT: "[REDACTED]",
+  /** Truncation indicator */
+  TRUNCATED: "[TRUNCATED]",
+  /** Max depth indicator */
+  MAX_DEPTH: "[MAX_DEPTH]",
+  /** Default max message length */
+  DEFAULT_MAX_LENGTH: 1e4,
+  /** Default sensitive keys to redact */
+  SENSITIVE_KEYS: /* @__PURE__ */ new Set([
+    "password",
+    "passwd",
+    "pwd",
+    "secret",
+    "token",
+    "apikey",
+    "api_key",
+    "apiKey",
+    "auth",
+    "authorization",
+    "credit_card",
+    "creditcard",
+    "cc",
+    "ssn",
+    "social_security",
+    "private_key",
+    "privateKey",
+    "access_token",
+    "accessToken",
+    "refresh_token",
+    "refreshToken",
+    "bearer",
+    "jwt",
+    "session",
+    "cookie",
+    "credentials",
+    "x-api-key",
+    "x-auth-token"
+  ])
+};
+var VALIDATION = {
+  /**
+   * Email regex pattern.
+   * Rejects consecutive dots in local part (e.g. test..foo@example.com),
+   * leading/trailing dots, and other common invalid forms.
+   */
+  EMAIL: /^[^\s@.][^\s@]*(?:\.[^\s@.][^\s@]*)*@[^\s@]+\.[^\s@]+$/,
+  /**
+   * URL regex pattern.
+   * Only allows http:// and https:// — explicitly rejects javascript:,
+   * data:, vbscript:, and other dangerous URI schemes.
+   */
+  URL: /^https?:\/\/[^\s/$.?#][^\s]*$/,
+  /** UUID regex pattern (v4) */
+  UUID: /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i
+};
+var ERRORS = {
+  /** Generic error message (production) */
+  INTERNAL_SERVER_ERROR: "Internal Server Error",
+  /** Input too large error */
+  INPUT_TOO_LARGE: (maxSize) => `Input exceeds maximum size of ${maxSize} bytes`,
+  /** Validation error messages */
+  VALIDATION: {
+    REQUIRED: (field) => `${field} is required`,
+    INVALID_TYPE: (field, type) => `${field} must be a ${type}`,
+    MIN_LENGTH: (field, min) => `${field} must be at least ${min} characters`,
+    MAX_LENGTH: (field, max) => `${field} must be at most ${max} characters`,
+    MIN_VALUE: (field, min) => `${field} must be at least ${min}`,
+    MAX_VALUE: (field, max) => `${field} must be at most ${max}`,
+    INVALID_FORMAT: (field) => `${field} format is invalid`,
+    INVALID_EMAIL: (field) => `${field} must be a valid email`,
+    INVALID_URL: (field) => `${field} must be a valid URL`,
+    INVALID_UUID: (field) => `${field} must be a valid UUID`,
+    INVALID_ENUM: (field, values) => `${field} must be one of: ${values.join(", ")}`,
+    MIN_ITEMS: (field, min) => `${field} must have at least ${min} items`,
+    MAX_ITEMS: (field, max) => `${field} must have at most ${max} items`
+  }
+};
+var BLOCKED = "[BLOCKED]";
+
+// src/core/errors.ts
+var ArcisError = class extends Error {
+  constructor(message, statusCode = 500, code = "ARCIS_ERROR") {
+    super(message);
+    this.name = "ArcisError";
+    this.statusCode = statusCode;
+    this.code = code;
+    this.expose = statusCode < 500;
+    if (Error.captureStackTrace) {
+      Error.captureStackTrace(this, this.constructor);
+    }
+  }
+};
+var ValidationError = class extends ArcisError {
+  constructor(errors) {
+    super("Validation failed", 400, "VALIDATION_ERROR");
+    this.name = "ValidationError";
+    this.errors = errors;
+  }
+};
+var RateLimitError = class extends ArcisError {
+  constructor(message, retryAfter) {
+    super(message, 429, "RATE_LIMIT_EXCEEDED");
+    this.name = "RateLimitError";
+    this.retryAfter = retryAfter;
+  }
+};
+var InputTooLargeError = class extends ArcisError {
+  constructor(maxSize, actualSize) {
+    super(`Input exceeds maximum size of ${maxSize} bytes`, 413, "INPUT_TOO_LARGE");
+    this.name = "InputTooLargeError";
+    this.maxSize = maxSize;
+    this.actualSize = actualSize;
+  }
+};
+var SecurityThreatError = class extends ArcisError {
+  constructor(threatType, pattern) {
+    super("Request blocked for security reasons", 400, "SECURITY_THREAT");
+    this.name = "SecurityThreatError";
+    this.threatType = threatType;
+    this.pattern = pattern;
+  }
+};
+var SanitizationError = class extends ArcisError {
+  constructor(message) {
+    super(message, 400, "SANITIZATION_ERROR");
+    this.name = "SanitizationError";
+  }
+};
+
+exports.ArcisError = ArcisError;
+exports.ArcisValidationError = ValidationError;
+exports.BLOCKED = BLOCKED;
+exports.COMMAND_PATTERNS = COMMAND_PATTERNS;
+exports.DANGEROUS_PROTO_KEYS = DANGEROUS_PROTO_KEYS;
+exports.ERRORS = ERRORS;
+exports.HEADERS = HEADERS;
+exports.INPUT = INPUT;
+exports.InputTooLargeError = InputTooLargeError;
+exports.NOSQL_DANGEROUS_KEYS = NOSQL_DANGEROUS_KEYS;
+exports.PATH_PATTERNS = PATH_PATTERNS;
+exports.RATE_LIMIT = RATE_LIMIT;
+exports.REDACTION = REDACTION;
+exports.RateLimitError = RateLimitError;
+exports.SQL_PATTERNS = SQL_PATTERNS;
+exports.SanitizationError = SanitizationError;
+exports.SecurityThreatError = SecurityThreatError;
+exports.VALIDATION = VALIDATION;
+exports.XSS_PATTERNS = XSS_PATTERNS;
+//# sourceMappingURL=index.js.map
+//# sourceMappingURL=index.js.map

package/dist/core/index.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../../src/core/constants.ts","../../src/core/errors.ts"],"names":[],"mappings":";;;AAQO,IAAM,KAAA,GAAQ;AAAA;AAAA,EAEnB,gBAAA,EAAkB,GAAA;AAAA;AAAA,EAElB,mBAAA,EAAqB;AACvB;AAKO,IAAM,UAAA,GAAa;AAAA;AAAA,EAExB,iBAAA,EAAmB,GAAA;AAAA;AAAA,EAEnB,oBAAA,EAAsB,GAAA;AAAA;AAAA,EAEtB,mBAAA,EAAqB,GAAA;AAAA;AAAA,EAErB,eAAA,EAAiB,4CAAA;AAAA;AAAA,EAEjB,aAAA,EAAe,GAAA;AAAA;AAAA,EAEf,aAAA,EAAe;AACjB;AAKO,IAAM,OAAA,GAAU;AAAA;AAAA,EAErB,WAAA,EAAa;AAAA,IACX,oBAAA;AAAA,IACA,mBAAA;AAAA,IACA,kCAAA;AAAA,IACA,6BAAA;AAAA,IACA,iBAAA;AAAA,IACA,mBAAA;AAAA,IACA;AAAA,GACF,CAAE,KAAK,IAAI,CAAA;AAAA;AAAA,EAEX,YAAA,EAAc,OAAA;AAAA;AAAA,EAEd,aAAA,EAAe,MAAA;AAAA;AAAA,EAEf,oBAAA,EAAsB,SAAA;AAAA;AAAA,EAEtB,eAAA,EAAiB,iCAAA;AAAA;AAAA,EAEjB,kBAAA,EAAoB,0CAAA;AAAA;AAAA,EAEpB,aAAA,EAAe;AACjB;AAUO,IAAM,YAAA,GAAe;AAAA;AAAA,EAE1B,mCAAA;AAAA;AAAA,EAEA,kBAAA;AAAA;AAAA,EAEA,gBAAA;AAAA;AAAA,EAEA,sBAAA;AAAA;AAAA,EAEA,WAAA;AAAA;AAAA,EAEA,WAAA;AAAA;AAAA,EAEA,UAAA;AAAA;AAAA,EAEA,sBAAA;AAAA;AAAA,EAEA,aAAA;AAAA;AAAA,EAEA;AACF;AAuCO,IAAM,YAAA,GAAe;AAAA;AAAA,EAE1B,qFAAA;AAAA;AAAA,EAEA,mBAAA;AAAA;AAAA,EAEA,cAAA;AAAA;AAAA,EAEA,wBAAA;AAAA;AAAA,EAEA,8CAAA;AAAA,EACA,oDAAA;AAAA;AAAA,EAEA,yBAAA;AAAA;AAAA,EAEA,+CAAA;AAAA,EACA,qDAAA;AAAA;AAAA,EAEA,2BAAA;AAAA;AAAA,EAEA;AACF;AAKO,IAAM,aAAA,GAAgB;AAAA;AAAA,EAE3B,SAAA;AAAA;AAAA,EAEA,SAAA;AAAA;AAAA,EAEA,UAAA;AAAA;AAAA,EAEA,SAAA;AAAA;AAAA,EAEA,WAAA;AAAA;AAAA,EAEA,cAAA;AAAA,EACA,cAAA;AAAA;AAAA,EAEA,aAAA;AAAA;AAAA,EAEA;AACF;AAKO,IAAM,gBAAA,GAAmB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAU9B,SAAA;AAAA;AAAA,EAEA;AACF;AAiBO,IAAM,oBAAA,uBAA2B,GAAA,CAAI;AAAA,EAC1C,WAAA;AAAA,EACA,aAAA;AAAA,EACA,WAAA;AAAA,EACA,kBAAA;AAAA,EACA,kBAAA;AAAA,EACA,kBAAA;AAAA,EACA;AACF,CAAC;AAGM,IAAM,oBAAA,uBAA2B,GAAA,CAAI;AAAA;AAAA,EAE1C,KAAA;AAAA,EAAO,MAAA;AAAA,EAAQ,KAAA;AAAA,EAAO,MAAA;AAAA,EAAQ,KAAA;AAAA,EAAO,KAAA;AAAA,EAAO,KAAA;AAAA,EAAO,MAAA;AAAA;AAAA,EAEnD,MAAA;AAAA,EAAQ,KAAA;AAAA,EAAO,MAAA;AAAA,EAAQ,MAAA;AAAA;AAAA,EAEvB,SAAA;AAAA,EAAW,OAAA;AAAA,EAAS,QAAA;AAAA,EAAU,QAAA;AAAA,EAAU,OAAA;AAAA,EAAS,MAAA;AAAA,EAAQ,OAAA;AAAA;AAAA,EAEzD,YAAA;AAAA,EAAc,MAAA;AAAA,EAAQ,OAAA;AAAA;AAAA,EAEtB,WAAA;AAAA,EAAa,cAAA;AAAA;AAAA,EAEb,SAAA;AAAA,EAAW,QAAA;AAAA,EAAU,UAAA;AAAA,EAAY,QAAA;AAAA,EAAU,OAAA;AAAA,EAAS,QAAA;AAAA,EAAU,OAAA;AAAA,EAC9D,SAAA;AAAA,EAAW,YAAA;AAAA,EAAc;AAC3B,CAAC;AAKM,IAAM,SAAA,GAAY;AAAA;AAAA,EAEvB,WAAA,EAAa,YAAA;AAAA;AAAA,EAEb,SAAA,EAAW,aAAA;AAAA;AAAA,EAEX,SAAA,EAAW,aAAA;AAAA;AAAA,EAEX,kBAAA,EAAoB,GAAA;AAAA;AAAA,EAEpB,cAAA,sBAAoB,GAAA,CAAI;AAAA,IACtB,UAAA;AAAA,IAAY,QAAA;AAAA,IAAU,KAAA;AAAA,IAAO,QAAA;AAAA,IAAU,OAAA;AAAA,IAAS,QAAA;AAAA,IAChD,SAAA;AAAA,IAAW,QAAA;AAAA,IAAU,MAAA;AAAA,IAAQ,eAAA;AAAA,IAAiB,aAAA;AAAA,IAC9C,YAAA;AAAA,IAAc,IAAA;AAAA,IAAM,KAAA;AAAA,IAAO,iBAAA;AAAA,IAAmB,aAAA;AAAA,IAC9C,YAAA;AAAA,IAAc,cAAA;AAAA,IAAgB,aAAA;AAAA,IAAe,eAAA;AAAA,IAC7C,cAAA;AAAA,IAAgB,QAAA;AAAA,IAAU,KAAA;AAAA,IAAO,SAAA;AAAA,IAAW,QAAA;AAAA,IAC5C,aAAA;AAAA,IAAe,WAAA;AAAA,IAAa;AAAA,GAC7B;AACH;AAKO,IAAM,UAAA,GAAa;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAMxB,KAAA,EAAO,wDAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAMP,GAAA,EAAK,+BAAA;AAAA;AAAA,EAEL,IAAA,EAAM;AACR;AAKO,IAAM,MAAA,GAAS;AAAA;AAAA,EAEpB,qBAAA,EAAuB,uBAAA;AAAA;AAAA,EAEvB,eAAA,EAAiB,CAAC,OAAA,KAAoB,CAAA,8BAAA,EAAiC,OAAO,CAAA,MAAA,CAAA;AAAA;AAAA,EAE9E,UAAA,EAAY;AAAA,IACV,QAAA,EAAU,CAAC,KAAA,KAAkB,CAAA,EAAG,KAAK,CAAA,YAAA,CAAA;AAAA,IACrC,cAAc,CAAC,KAAA,EAAe,SAAiB,CAAA,EAAG,KAAK,cAAc,IAAI,CAAA,CAAA;AAAA,IACzE,YAAY,CAAC,KAAA,EAAe,QAAgB,CAAA,EAAG,KAAK,qBAAqB,GAAG,CAAA,WAAA,CAAA;AAAA,IAC5E,YAAY,CAAC,KAAA,EAAe,QAAgB,CAAA,EAAG,KAAK,oBAAoB,GAAG,CAAA,WAAA,CAAA;AAAA,IAC3E,WAAW,CAAC,KAAA,EAAe,QAAgB,CAAA,EAAG,KAAK,qBAAqB,GAAG,CAAA,CAAA;AAAA,IAC3E,WAAW,CAAC,KAAA,EAAe,QAAgB,CAAA,EAAG,KAAK,oBAAoB,GAAG,CAAA,CAAA;AAAA,IAC1E,cAAA,EAAgB,CAAC,KAAA,KAAkB,CAAA,EAAG,KAAK,CAAA,kBAAA,CAAA;AAAA,IAC3C,aAAA,EAAe,CAAC,KAAA,KAAkB,CAAA,EAAG,KAAK,CAAA,sBAAA,CAAA;AAAA,IAC1C,WAAA,EAAa,CAAC,KAAA,KAAkB,CAAA,EAAG,KAAK,CAAA,oBAAA,CAAA;AAAA,IACxC,YAAA,EAAc,CAAC,KAAA,KAAkB,CAAA,EAAG,KAAK,CAAA,qBAAA,CAAA;AAAA,IACzC,YAAA,EAAc,CAAC,KAAA,EAAe,MAAA,KAAsB,CAAA,EAAG,KAAK,CAAA,iBAAA,EAAoB,MAAA,CAAO,IAAA,CAAK,IAAI,CAAC,CAAA,CAAA;AAAA,IACjG,WAAW,CAAC,KAAA,EAAe,QAAgB,CAAA,EAAG,KAAK,uBAAuB,GAAG,CAAA,MAAA,CAAA;AAAA,IAC7E,WAAW,CAAC,KAAA,EAAe,QAAgB,CAAA,EAAG,KAAK,sBAAsB,GAAG,CAAA,MAAA;AAAA;AAEhF;AAKO,IAAM,OAAA,GAAU;;;AC3ShB,IAAM,UAAA,GAAN,cAAyB,KAAA,CAAM;AAAA,EAMpC,WAAA,CAAY,OAAA,EAAiB,UAAA,GAAa,GAAA,EAAK,OAAO,aAAA,EAAe;AACnE,IAAA,KAAA,CAAM,OAAO,CAAA;AACb,IAAA,IAAA,CAAK,IAAA,GAAO,YAAA;AACZ,IAAA,IAAA,CAAK,UAAA,GAAa,UAAA;AAClB,IAAA,IAAA,CAAK,IAAA,GAAO,IAAA;AAGZ,IAAA,IAAA,CAAK,SAAS,UAAA,GAAa,GAAA;AAG3B,IAAA,IAAI,MAAM,iBAAA,EAAmB;AAC3B,MAAA,KAAA,CAAM,iBAAA,CAAkB,IAAA,EAAM,IAAA,CAAK,WAAW,CAAA;AAAA,IAChD;AAAA,EACF;AACF;AAKO,IAAM,eAAA,GAAN,cAA8B,UAAA,CAAW;AAAA,EAG9C,YAAY,MAAA,EAAkB;AAC5B,IAAA,KAAA,CAAM,mBAAA,EAAqB,KAAK,kBAAkB,CAAA;AAClD,IAAA,IAAA,CAAK,IAAA,GAAO,iBAAA;AACZ,IAAA,IAAA,CAAK,MAAA,GAAS,MAAA;AAAA,EAChB;AACF;AAQO,IAAM,cAAA,GAAN,cAA6B,UAAA,CAAW;AAAA,EAG7C,WAAA,CAAY,SAAiB,UAAA,EAAoB;AAC/C,IAAA,KAAA,CAAM,OAAA,EAAS,KAAK,qBAAqB,CAAA;AACzC,IAAA,IAAA,CAAK,IAAA,GAAO,gBAAA;AACZ,IAAA,IAAA,CAAK,UAAA,GAAa,UAAA;AAAA,EACpB;AACF;AAKO,IAAM,kBAAA,GAAN,cAAiC,UAAA,CAAW;AAAA,EAIjD,WAAA,CAAY,SAAiB,UAAA,EAAoB;AAC/C,IAAA,KAAA,CAAM,CAAA,8BAAA,EAAiC,OAAO,CAAA,MAAA,CAAA,EAAU,GAAA,EAAK,iBAAiB,CAAA;AAC9E,IAAA,IAAA,CAAK,IAAA,GAAO,oBAAA;AACZ,IAAA,IAAA,CAAK,OAAA,GAAU,OAAA;AACf,IAAA,IAAA,CAAK,UAAA,GAAa,UAAA;AAAA,EACpB;AACF;AAKO,IAAM,mBAAA,GAAN,cAAkC,UAAA,CAAW;AAAA,EAIlD,WAAA,CAAY,YAAoB,OAAA,EAAiB;AAC/C,IAAA,KAAA,CAAM,sCAAA,EAAwC,KAAK,iBAAiB,CAAA;AACpE,IAAA,IAAA,CAAK,IAAA,GAAO,qBAAA;AACZ,IAAA,IAAA,CAAK,UAAA,GAAa,UAAA;AAClB,IAAA,IAAA,CAAK,OAAA,GAAU,OAAA;AAAA,EACjB;AACF;AAKO,IAAM,iBAAA,GAAN,cAAgC,UAAA,CAAW;AAAA,EAChD,YAAY,OAAA,EAAiB;AAC3B,IAAA,KAAA,CAAM,OAAA,EAAS,KAAK,oBAAoB,CAAA;AACxC,IAAA,IAAA,CAAK,IAAA,GAAO,mBAAA;AAAA,EACd;AACF","file":"index.js","sourcesContent":["/**\r\n * @module @arcis/node/core/constants\r\n * Named constants for Arcis - no magic numbers\r\n */\r\n\r\n// =============================================================================\r\n// INPUT LIMITS\r\n// =============================================================================\r\nexport const INPUT = {\r\n  /** Default maximum input size (1MB) */\r\n  DEFAULT_MAX_SIZE: 1_000_000,\r\n  /** Maximum recursion depth for nested objects */\r\n  MAX_RECURSION_DEPTH: 10,\r\n} as const;\r\n\r\n// =============================================================================\r\n// RATE LIMITING\r\n// =============================================================================\r\nexport const RATE_LIMIT = {\r\n  /** Default window size (1 minute) */\r\n  DEFAULT_WINDOW_MS: 60_000,\r\n  /** Default max requests per window */\r\n  DEFAULT_MAX_REQUESTS: 100,\r\n  /** Default HTTP status code for rate limited responses */\r\n  DEFAULT_STATUS_CODE: 429,\r\n  /** Default error message */\r\n  DEFAULT_MESSAGE: 'Too many requests, please try again later.',\r\n  /** Minimum window size (1 second) */\r\n  MIN_WINDOW_MS: 1_000,\r\n  /** Maximum window size (24 hours) */\r\n  MAX_WINDOW_MS: 86_400_000,\r\n} as const;\r\n\r\n// =============================================================================\r\n// SECURITY HEADERS\r\n// =============================================================================\r\nexport const HEADERS = {\r\n  /** Default Content Security Policy */\r\n  DEFAULT_CSP: [\r\n    \"default-src 'self'\",\r\n    \"script-src 'self'\",\r\n    \"style-src 'self' 'unsafe-inline'\",\r\n    \"img-src 'self' data: https:\",\r\n    \"font-src 'self'\",\r\n    \"object-src 'none'\",\r\n    \"frame-ancestors 'none'\",\r\n  ].join('; '),\r\n  /** Default HSTS max age (1 year in seconds) */\r\n  HSTS_MAX_AGE: 31_536_000,\r\n  /** Default X-Frame-Options value */\r\n  FRAME_OPTIONS: 'DENY' as const,\r\n  /** Default X-Content-Type-Options value */\r\n  CONTENT_TYPE_OPTIONS: 'nosniff',\r\n  /** Default Referrer-Policy value */\r\n  REFERRER_POLICY: 'strict-origin-when-cross-origin',\r\n  /** Default Permissions-Policy value */\r\n  PERMISSIONS_POLICY: 'geolocation=(), microphone=(), camera=()',\r\n  /** Default Cache-Control value for security */\r\n  CACHE_CONTROL: 'no-store, no-cache, must-revalidate, proxy-revalidate',\r\n} as const;\r\n\r\n// =============================================================================\r\n// XSS PATTERNS (ReDoS-safe)\r\n// =============================================================================\r\n\r\n/**\r\n * Detection patterns — used to flag whether a string contains XSS payloads.\r\n * Must stay in sync with XSS_REMOVE_PATTERNS below.\r\n */\r\nexport const XSS_PATTERNS = [\r\n  /** Script tags (ReDoS-safe version) */\r\n  /<script[^>]*>[\\s\\S]*?<\\/script>/gi,\r\n  /** javascript: protocol (allow optional spaces before colon) */\r\n  /javascript\\s*:/gi,\r\n  /** vbscript: protocol */\r\n  /vbscript\\s*:/gi,\r\n  /** Event handlers (onclick, onerror, etc.) — any separator before attribute */\r\n  /(?:[\\s/])on\\w+\\s*=/gi,\r\n  /** iframe tags */\r\n  /<iframe/gi,\r\n  /** object tags */\r\n  /<object/gi,\r\n  /** embed tags */\r\n  /<embed/gi,\r\n  /** data: URIs (only dangerous ones, avoid false positives) */\r\n  /(?:^|[\\s\"'=])data:/gi,\r\n  /** URL-encoded script tags */\r\n  /%3Cscript/gi,\r\n  /** SVG with onload */\r\n  /<svg[^>]*onload/gi,\r\n] as const;\r\n\r\n/**\r\n * Removal patterns — used by sanitizeXss() to strip dangerous content.\r\n * More targeted than XSS_PATTERNS: each pattern captures the full dangerous\r\n * substring (tag, attribute + value, protocol) so it can be replaced safely.\r\n * Must stay in sync with XSS_PATTERNS above.\r\n */\r\nexport const XSS_REMOVE_PATTERNS = [\r\n  /** Full script blocks (content + tags) */\r\n  /<script[^>]*>[\\s\\S]*?<\\/script>/gi,\r\n  /** Standalone/unclosed script tags */\r\n  /<script[^>]*>/gi,\r\n  /** iframe — full block and partial/unclosed */\r\n  /<iframe[^>]*>[\\s\\S]*?<\\/iframe>/gi,\r\n  /<iframe[^>]*/gi,\r\n  /** object — full block and partial/unclosed */\r\n  /<object[^>]*>[\\s\\S]*?<\\/object>/gi,\r\n  /<object[^>]*/gi,\r\n  /** embed tags */\r\n  /<embed[^>]*/gi,\r\n  /** SVG with inline event handlers */\r\n  /<svg[^>]*onload[^>]*>/gi,\r\n  /** URL-encoded script tags */\r\n  /%3Cscript/gi,\r\n  /** Event handlers with quoted values: onclick=\"...\", onerror='...' */\r\n  /(?:[\\s/])on\\w+\\s*=\\s*[\"'][^\"']*[\"']/gi,\r\n  /** Event handlers with unquoted values: onload=value */\r\n  /(?:[\\s/])on\\w+\\s*=\\s*[^\\s>]*/gi,\r\n  /** javascript: and vbscript: protocols (allow optional spaces before colon) */\r\n  /javascript\\s*:/gi,\r\n  /vbscript\\s*:/gi,\r\n  /** data: URIs with HTML/script content */\r\n  /data\\s*:\\s*text\\/html[^>\\s]*/gi,\r\n] as const;\r\n\r\n// =============================================================================\r\n// SQL INJECTION PATTERNS\r\n// =============================================================================\r\nexport const SQL_PATTERNS = [\r\n  /** SQL keywords */\r\n  /(\\b(SELECT|INSERT|UPDATE|DELETE|DROP|UNION|ALTER|CREATE|TRUNCATE|EXEC|EXECUTE)\\b)/gi,\r\n  /** SQL comments: ANSI (--), C-style (slash-star ... star-slash), MySQL (#) */\r\n  /(--|\\/\\*|\\*\\/|#)/g,\r\n  /** SQL statement separators */\r\n  /(;|\\|\\||&&)/g,\r\n  /** Boolean injection: OR 1=1 */\r\n  /\\bOR\\s+\\d+\\s*=\\s*\\d+/gi,\r\n  /** Boolean injection: OR 'a'='a' or OR \"a\"=\"a\" (including mixed quotes) */\r\n  /\\bOR\\s+(['\"])[^'\"]*\\1\\s*=\\s*(['\"])[^'\"]*\\2/gi,\r\n  /\\bOR\\s+('[^']*'|\"[^\"]*\")\\s*=\\s*('[^']*'|\"[^\"]*\")/gi,\r\n  /** Boolean injection: AND 1=1 */\r\n  /\\bAND\\s+\\d+\\s*=\\s*\\d+/gi,\r\n  /** Boolean injection: AND 'a'='a' or AND \"a\"=\"a\" (including mixed quotes) */\r\n  /\\bAND\\s+(['\"])[^'\"]*\\1\\s*=\\s*(['\"])[^'\"]*\\2/gi,\r\n  /\\bAND\\s+('[^']*'|\"[^\"]*\")\\s*=\\s*('[^']*'|\"[^\"]*\")/gi,\r\n  /** Time-based blind: SLEEP() */\r\n  /\\bSLEEP\\s*\\(\\s*\\d+\\s*\\)/gi,\r\n  /** Time-based blind: BENCHMARK() */\r\n  /\\bBENCHMARK\\s*\\(/gi,\r\n] as const;\r\n\r\n// =============================================================================\r\n// PATH TRAVERSAL PATTERNS\r\n// =============================================================================\r\nexport const PATH_PATTERNS = [\r\n  /** Unix path traversal */\r\n  /\\.\\.\\//g,\r\n  /** Windows path traversal */\r\n  /\\.\\.\\\\/g,\r\n  /** URL-encoded traversal (%2e%2e) */\r\n  /%2e%2e/gi,\r\n  /** Double URL-encoded traversal (%252e) */\r\n  /%252e/gi,\r\n  /** Mixed encoding: ..%2F */\r\n  /\\.\\.%2F/gi,\r\n  /** Mixed encoding: %2e./ and .%2e/ */\r\n  /%2e\\.[\\\\/]/gi,\r\n  /\\.%2e[\\\\/]/gi,\r\n  /** Fully URL-encoded: %2e%2e%2f */\r\n  /%2e%2e%2f/gi,\r\n  /** Null byte injection in paths */\r\n  /\\0/g,\r\n] as const;\r\n\r\n// =============================================================================\r\n// COMMAND INJECTION PATTERNS\r\n// =============================================================================\r\nexport const COMMAND_PATTERNS = [\r\n  /**\r\n   * Shell metacharacters that enable command chaining/substitution.\r\n   * Bare ( and ) are excluded — they appear in common legitimate values\r\n   * (function calls in code fields, math expressions, etc.).\r\n   * Command substitution is caught by the $( combined pattern below.\r\n   * NOTE: ';', '&', '|' may appear in legitimate URL query strings\r\n   * and Markdown; consider disabling command checking (command: false)\r\n   * for fields that intentionally allow those characters.\r\n   */\r\n  /[;&|`]/g,\r\n  /** Command substitution: $( ... ) — matched as a pair to reduce false positives */\r\n  /\\$\\(/g,\r\n] as const;\r\n\r\n// =============================================================================\r\n// DANGEROUS KEYS\r\n// =============================================================================\r\n\r\n/**\r\n * Prototype pollution keys to block.\r\n * Stored lowercase — always compare with key.toLowerCase().\r\n *\r\n * Includes:\r\n * - __proto__: direct prototype assignment\r\n * - constructor: access to constructor.prototype chain\r\n * - prototype: direct prototype property\r\n * - __defineGetter__/__defineSetter__: legacy property definition (can override getters/setters)\r\n * - __lookupGetter__/__lookupSetter__: legacy property introspection\r\n */\r\nexport const DANGEROUS_PROTO_KEYS = new Set([\r\n  '__proto__',\r\n  'constructor',\r\n  'prototype',\r\n  '__definegetter__',\r\n  '__definesetter__',\r\n  '__lookupgetter__',\r\n  '__lookupsetter__',\r\n]);\r\n\r\n/** MongoDB operators to block */\r\nexport const NOSQL_DANGEROUS_KEYS = new Set([\r\n  // Comparison\r\n  '$gt', '$gte', '$lt', '$lte', '$ne', '$eq', '$in', '$nin',\r\n  // Logical\r\n  '$and', '$or', '$not', '$nor',\r\n  // Element / evaluation\r\n  '$exists', '$type', '$regex', '$where', '$expr', '$mod', '$text',\r\n  // Array\r\n  '$elemMatch', '$all', '$size',\r\n  // JavaScript execution (critical)\r\n  '$function', '$accumulator',\r\n  // Aggregation pipeline operators (injectable via $lookup etc.)\r\n  '$lookup', '$match', '$project', '$group', '$sort', '$limit', '$skip',\r\n  '$unwind', '$addFields', '$replaceRoot',\r\n]);\r\n\r\n// =============================================================================\r\n// REDACTION\r\n// =============================================================================\r\nexport const REDACTION = {\r\n  /** Replacement text for redacted values */\r\n  REPLACEMENT: '[REDACTED]',\r\n  /** Truncation indicator */\r\n  TRUNCATED: '[TRUNCATED]',\r\n  /** Max depth indicator */\r\n  MAX_DEPTH: '[MAX_DEPTH]',\r\n  /** Default max message length */\r\n  DEFAULT_MAX_LENGTH: 10_000,\r\n  /** Default sensitive keys to redact */\r\n  SENSITIVE_KEYS: new Set([\r\n    'password', 'passwd', 'pwd', 'secret', 'token', 'apikey',\r\n    'api_key', 'apiKey', 'auth', 'authorization', 'credit_card',\r\n    'creditcard', 'cc', 'ssn', 'social_security', 'private_key',\r\n    'privateKey', 'access_token', 'accessToken', 'refresh_token',\r\n    'refreshToken', 'bearer', 'jwt', 'session', 'cookie',\r\n    'credentials', 'x-api-key', 'x-auth-token',\r\n  ]),\r\n} as const;\r\n\r\n// =============================================================================\r\n// VALIDATION PATTERNS\r\n// =============================================================================\r\nexport const VALIDATION = {\r\n  /**\r\n   * Email regex pattern.\r\n   * Rejects consecutive dots in local part (e.g. test..foo@example.com),\r\n   * leading/trailing dots, and other common invalid forms.\r\n   */\r\n  EMAIL: /^[^\\s@.][^\\s@]*(?:\\.[^\\s@.][^\\s@]*)*@[^\\s@]+\\.[^\\s@]+$/,\r\n  /**\r\n   * URL regex pattern.\r\n   * Only allows http:// and https:// — explicitly rejects javascript:,\r\n   * data:, vbscript:, and other dangerous URI schemes.\r\n   */\r\n  URL: /^https?:\\/\\/[^\\s/$.?#][^\\s]*$/,\r\n  /** UUID regex pattern (v4) */\r\n  UUID: /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i,\r\n} as const;\r\n\r\n// =============================================================================\r\n// ERROR MESSAGES\r\n// =============================================================================\r\nexport const ERRORS = {\r\n  /** Generic error message (production) */\r\n  INTERNAL_SERVER_ERROR: 'Internal Server Error',\r\n  /** Input too large error */\r\n  INPUT_TOO_LARGE: (maxSize: number) => `Input exceeds maximum size of ${maxSize} bytes`,\r\n  /** Validation error messages */\r\n  VALIDATION: {\r\n    REQUIRED: (field: string) => `${field} is required`,\r\n    INVALID_TYPE: (field: string, type: string) => `${field} must be a ${type}`,\r\n    MIN_LENGTH: (field: string, min: number) => `${field} must be at least ${min} characters`,\r\n    MAX_LENGTH: (field: string, max: number) => `${field} must be at most ${max} characters`,\r\n    MIN_VALUE: (field: string, min: number) => `${field} must be at least ${min}`,\r\n    MAX_VALUE: (field: string, max: number) => `${field} must be at most ${max}`,\r\n    INVALID_FORMAT: (field: string) => `${field} format is invalid`,\r\n    INVALID_EMAIL: (field: string) => `${field} must be a valid email`,\r\n    INVALID_URL: (field: string) => `${field} must be a valid URL`,\r\n    INVALID_UUID: (field: string) => `${field} must be a valid UUID`,\r\n    INVALID_ENUM: (field: string, values: unknown[]) => `${field} must be one of: ${values.join(', ')}`,\r\n    MIN_ITEMS: (field: string, min: number) => `${field} must have at least ${min} items`,\r\n    MAX_ITEMS: (field: string, max: number) => `${field} must have at most ${max} items`,\r\n  },\r\n} as const;\r\n\r\n// =============================================================================\r\n// BLOCKED TEXT (for sanitizer replacements)\r\n// =============================================================================\r\nexport const BLOCKED = '[BLOCKED]' as const;\r\n","/**\r\n * @module @arcis/node/core/errors\r\n * Custom error classes for Arcis\r\n */\r\n\r\n/**\r\n * Base class for all Arcis errors\r\n */\r\nexport class ArcisError extends Error {\r\n  public readonly statusCode: number;\r\n  public readonly code: string;\r\n  /** Whether the error message is safe to expose to API clients. */\r\n  public readonly expose: boolean;\r\n\r\n  constructor(message: string, statusCode = 500, code = 'ARCIS_ERROR') {\r\n    super(message);\r\n    this.name = 'ArcisError';\r\n    this.statusCode = statusCode;\r\n    this.code = code;\r\n    // Client errors (4xx) have controlled messages — safe to expose.\r\n    // Server errors (5xx) may contain internal details — hide by default.\r\n    this.expose = statusCode < 500;\r\n\r\n    // Maintains proper stack trace for where error was thrown (V8 engines)\r\n    if (Error.captureStackTrace) {\r\n      Error.captureStackTrace(this, this.constructor);\r\n    }\r\n  }\r\n}\r\n\r\n/**\r\n * Error thrown when input validation fails\r\n */\r\nexport class ValidationError extends ArcisError {\r\n  public readonly errors: string[];\r\n\r\n  constructor(errors: string[]) {\r\n    super('Validation failed', 400, 'VALIDATION_ERROR');\r\n    this.name = 'ValidationError';\r\n    this.errors = errors;\r\n  }\r\n}\r\n\r\n/** Alias for ValidationError (backwards compatibility) */\r\nexport { ValidationError as ArcisValidationError };\r\n\r\n/**\r\n * Error thrown when rate limit is exceeded\r\n */\r\nexport class RateLimitError extends ArcisError {\r\n  public readonly retryAfter: number;\r\n\r\n  constructor(message: string, retryAfter: number) {\r\n    super(message, 429, 'RATE_LIMIT_EXCEEDED');\r\n    this.name = 'RateLimitError';\r\n    this.retryAfter = retryAfter;\r\n  }\r\n}\r\n\r\n/**\r\n * Error thrown when input is too large\r\n */\r\nexport class InputTooLargeError extends ArcisError {\r\n  public readonly maxSize: number;\r\n  public readonly actualSize: number;\r\n\r\n  constructor(maxSize: number, actualSize: number) {\r\n    super(`Input exceeds maximum size of ${maxSize} bytes`, 413, 'INPUT_TOO_LARGE');\r\n    this.name = 'InputTooLargeError';\r\n    this.maxSize = maxSize;\r\n    this.actualSize = actualSize;\r\n  }\r\n}\r\n\r\n/**\r\n * Error thrown when security threat is detected\r\n */\r\nexport class SecurityThreatError extends ArcisError {\r\n  public readonly threatType: string;\r\n  public readonly pattern: string;\r\n\r\n  constructor(threatType: string, pattern: string) {\r\n    super('Request blocked for security reasons', 400, 'SECURITY_THREAT');\r\n    this.name = 'SecurityThreatError';\r\n    this.threatType = threatType;\r\n    this.pattern = pattern;\r\n  }\r\n}\r\n\r\n/**\r\n * Error thrown when sanitization fails\r\n */\r\nexport class SanitizationError extends ArcisError {\r\n  constructor(message: string) {\r\n    super(message, 400, 'SANITIZATION_ERROR');\r\n    this.name = 'SanitizationError';\r\n  }\r\n}\r\n"]}

package/dist/core/index.mjs

@@ -0,0 +1,307 @@
+// src/core/constants.ts
+var INPUT = {
+  /** Default maximum input size (1MB) */
+  DEFAULT_MAX_SIZE: 1e6,
+  /** Maximum recursion depth for nested objects */
+  MAX_RECURSION_DEPTH: 10
+};
+var RATE_LIMIT = {
+  /** Default window size (1 minute) */
+  DEFAULT_WINDOW_MS: 6e4,
+  /** Default max requests per window */
+  DEFAULT_MAX_REQUESTS: 100,
+  /** Default HTTP status code for rate limited responses */
+  DEFAULT_STATUS_CODE: 429,
+  /** Default error message */
+  DEFAULT_MESSAGE: "Too many requests, please try again later.",
+  /** Minimum window size (1 second) */
+  MIN_WINDOW_MS: 1e3,
+  /** Maximum window size (24 hours) */
+  MAX_WINDOW_MS: 864e5
+};
+var HEADERS = {
+  /** Default Content Security Policy */
+  DEFAULT_CSP: [
+    "default-src 'self'",
+    "script-src 'self'",
+    "style-src 'self' 'unsafe-inline'",
+    "img-src 'self' data: https:",
+    "font-src 'self'",
+    "object-src 'none'",
+    "frame-ancestors 'none'"
+  ].join("; "),
+  /** Default HSTS max age (1 year in seconds) */
+  HSTS_MAX_AGE: 31536e3,
+  /** Default X-Frame-Options value */
+  FRAME_OPTIONS: "DENY",
+  /** Default X-Content-Type-Options value */
+  CONTENT_TYPE_OPTIONS: "nosniff",
+  /** Default Referrer-Policy value */
+  REFERRER_POLICY: "strict-origin-when-cross-origin",
+  /** Default Permissions-Policy value */
+  PERMISSIONS_POLICY: "geolocation=(), microphone=(), camera=()",
+  /** Default Cache-Control value for security */
+  CACHE_CONTROL: "no-store, no-cache, must-revalidate, proxy-revalidate"
+};
+var XSS_PATTERNS = [
+  /** Script tags (ReDoS-safe version) */
+  /<script[^>]*>[\s\S]*?<\/script>/gi,
+  /** javascript: protocol (allow optional spaces before colon) */
+  /javascript\s*:/gi,
+  /** vbscript: protocol */
+  /vbscript\s*:/gi,
+  /** Event handlers (onclick, onerror, etc.) — any separator before attribute */
+  /(?:[\s/])on\w+\s*=/gi,
+  /** iframe tags */
+  /<iframe/gi,
+  /** object tags */
+  /<object/gi,
+  /** embed tags */
+  /<embed/gi,
+  /** data: URIs (only dangerous ones, avoid false positives) */
+  /(?:^|[\s"'=])data:/gi,
+  /** URL-encoded script tags */
+  /%3Cscript/gi,
+  /** SVG with onload */
+  /<svg[^>]*onload/gi
+];
+var SQL_PATTERNS = [
+  /** SQL keywords */
+  /(\b(SELECT|INSERT|UPDATE|DELETE|DROP|UNION|ALTER|CREATE|TRUNCATE|EXEC|EXECUTE)\b)/gi,
+  /** SQL comments: ANSI (--), C-style (slash-star ... star-slash), MySQL (#) */
+  /(--|\/\*|\*\/|#)/g,
+  /** SQL statement separators */
+  /(;|\|\||&&)/g,
+  /** Boolean injection: OR 1=1 */
+  /\bOR\s+\d+\s*=\s*\d+/gi,
+  /** Boolean injection: OR 'a'='a' or OR "a"="a" (including mixed quotes) */
+  /\bOR\s+(['"])[^'"]*\1\s*=\s*(['"])[^'"]*\2/gi,
+  /\bOR\s+('[^']*'|"[^"]*")\s*=\s*('[^']*'|"[^"]*")/gi,
+  /** Boolean injection: AND 1=1 */
+  /\bAND\s+\d+\s*=\s*\d+/gi,
+  /** Boolean injection: AND 'a'='a' or AND "a"="a" (including mixed quotes) */
+  /\bAND\s+(['"])[^'"]*\1\s*=\s*(['"])[^'"]*\2/gi,
+  /\bAND\s+('[^']*'|"[^"]*")\s*=\s*('[^']*'|"[^"]*")/gi,
+  /** Time-based blind: SLEEP() */
+  /\bSLEEP\s*\(\s*\d+\s*\)/gi,
+  /** Time-based blind: BENCHMARK() */
+  /\bBENCHMARK\s*\(/gi
+];
+var PATH_PATTERNS = [
+  /** Unix path traversal */
+  /\.\.\//g,
+  /** Windows path traversal */
+  /\.\.\\/g,
+  /** URL-encoded traversal (%2e%2e) */
+  /%2e%2e/gi,
+  /** Double URL-encoded traversal (%252e) */
+  /%252e/gi,
+  /** Mixed encoding: ..%2F */
+  /\.\.%2F/gi,
+  /** Mixed encoding: %2e./ and .%2e/ */
+  /%2e\.[\\/]/gi,
+  /\.%2e[\\/]/gi,
+  /** Fully URL-encoded: %2e%2e%2f */
+  /%2e%2e%2f/gi,
+  /** Null byte injection in paths */
+  /\0/g
+];
+var COMMAND_PATTERNS = [
+  /**
+   * Shell metacharacters that enable command chaining/substitution.
+   * Bare ( and ) are excluded — they appear in common legitimate values
+   * (function calls in code fields, math expressions, etc.).
+   * Command substitution is caught by the $( combined pattern below.
+   * NOTE: ';', '&', '|' may appear in legitimate URL query strings
+   * and Markdown; consider disabling command checking (command: false)
+   * for fields that intentionally allow those characters.
+   */
+  /[;&|`]/g,
+  /** Command substitution: $( ... ) — matched as a pair to reduce false positives */
+  /\$\(/g
+];
+var DANGEROUS_PROTO_KEYS = /* @__PURE__ */ new Set([
+  "__proto__",
+  "constructor",
+  "prototype",
+  "__definegetter__",
+  "__definesetter__",
+  "__lookupgetter__",
+  "__lookupsetter__"
+]);
+var NOSQL_DANGEROUS_KEYS = /* @__PURE__ */ new Set([
+  // Comparison
+  "$gt",
+  "$gte",
+  "$lt",
+  "$lte",
+  "$ne",
+  "$eq",
+  "$in",
+  "$nin",
+  // Logical
+  "$and",
+  "$or",
+  "$not",
+  "$nor",
+  // Element / evaluation
+  "$exists",
+  "$type",
+  "$regex",
+  "$where",
+  "$expr",
+  "$mod",
+  "$text",
+  // Array
+  "$elemMatch",
+  "$all",
+  "$size",
+  // JavaScript execution (critical)
+  "$function",
+  "$accumulator",
+  // Aggregation pipeline operators (injectable via $lookup etc.)
+  "$lookup",
+  "$match",
+  "$project",
+  "$group",
+  "$sort",
+  "$limit",
+  "$skip",
+  "$unwind",
+  "$addFields",
+  "$replaceRoot"
+]);
+var REDACTION = {
+  /** Replacement text for redacted values */
+  REPLACEMENT: "[REDACTED]",
+  /** Truncation indicator */
+  TRUNCATED: "[TRUNCATED]",
+  /** Max depth indicator */
+  MAX_DEPTH: "[MAX_DEPTH]",
+  /** Default max message length */
+  DEFAULT_MAX_LENGTH: 1e4,
+  /** Default sensitive keys to redact */
+  SENSITIVE_KEYS: /* @__PURE__ */ new Set([
+    "password",
+    "passwd",
+    "pwd",
+    "secret",
+    "token",
+    "apikey",
+    "api_key",
+    "apiKey",
+    "auth",
+    "authorization",
+    "credit_card",
+    "creditcard",
+    "cc",
+    "ssn",
+    "social_security",
+    "private_key",
+    "privateKey",
+    "access_token",
+    "accessToken",
+    "refresh_token",
+    "refreshToken",
+    "bearer",
+    "jwt",
+    "session",
+    "cookie",
+    "credentials",
+    "x-api-key",
+    "x-auth-token"
+  ])
+};
+var VALIDATION = {
+  /**
+   * Email regex pattern.
+   * Rejects consecutive dots in local part (e.g. test..foo@example.com),
+   * leading/trailing dots, and other common invalid forms.
+   */
+  EMAIL: /^[^\s@.][^\s@]*(?:\.[^\s@.][^\s@]*)*@[^\s@]+\.[^\s@]+$/,
+  /**
+   * URL regex pattern.
+   * Only allows http:// and https:// — explicitly rejects javascript:,
+   * data:, vbscript:, and other dangerous URI schemes.
+   */
+  URL: /^https?:\/\/[^\s/$.?#][^\s]*$/,
+  /** UUID regex pattern (v4) */
+  UUID: /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i
+};
+var ERRORS = {
+  /** Generic error message (production) */
+  INTERNAL_SERVER_ERROR: "Internal Server Error",
+  /** Input too large error */
+  INPUT_TOO_LARGE: (maxSize) => `Input exceeds maximum size of ${maxSize} bytes`,
+  /** Validation error messages */
+  VALIDATION: {
+    REQUIRED: (field) => `${field} is required`,
+    INVALID_TYPE: (field, type) => `${field} must be a ${type}`,
+    MIN_LENGTH: (field, min) => `${field} must be at least ${min} characters`,
+    MAX_LENGTH: (field, max) => `${field} must be at most ${max} characters`,
+    MIN_VALUE: (field, min) => `${field} must be at least ${min}`,
+    MAX_VALUE: (field, max) => `${field} must be at most ${max}`,
+    INVALID_FORMAT: (field) => `${field} format is invalid`,
+    INVALID_EMAIL: (field) => `${field} must be a valid email`,
+    INVALID_URL: (field) => `${field} must be a valid URL`,
+    INVALID_UUID: (field) => `${field} must be a valid UUID`,
+    INVALID_ENUM: (field, values) => `${field} must be one of: ${values.join(", ")}`,
+    MIN_ITEMS: (field, min) => `${field} must have at least ${min} items`,
+    MAX_ITEMS: (field, max) => `${field} must have at most ${max} items`
+  }
+};
+var BLOCKED = "[BLOCKED]";
+
+// src/core/errors.ts
+var ArcisError = class extends Error {
+  constructor(message, statusCode = 500, code = "ARCIS_ERROR") {
+    super(message);
+    this.name = "ArcisError";
+    this.statusCode = statusCode;
+    this.code = code;
+    this.expose = statusCode < 500;
+    if (Error.captureStackTrace) {
+      Error.captureStackTrace(this, this.constructor);
+    }
+  }
+};
+var ValidationError = class extends ArcisError {
+  constructor(errors) {
+    super("Validation failed", 400, "VALIDATION_ERROR");
+    this.name = "ValidationError";
+    this.errors = errors;
+  }
+};
+var RateLimitError = class extends ArcisError {
+  constructor(message, retryAfter) {
+    super(message, 429, "RATE_LIMIT_EXCEEDED");
+    this.name = "RateLimitError";
+    this.retryAfter = retryAfter;
+  }
+};
+var InputTooLargeError = class extends ArcisError {
+  constructor(maxSize, actualSize) {
+    super(`Input exceeds maximum size of ${maxSize} bytes`, 413, "INPUT_TOO_LARGE");
+    this.name = "InputTooLargeError";
+    this.maxSize = maxSize;
+    this.actualSize = actualSize;
+  }
+};
+var SecurityThreatError = class extends ArcisError {
+  constructor(threatType, pattern) {
+    super("Request blocked for security reasons", 400, "SECURITY_THREAT");
+    this.name = "SecurityThreatError";
+    this.threatType = threatType;
+    this.pattern = pattern;
+  }
+};
+var SanitizationError = class extends ArcisError {
+  constructor(message) {
+    super(message, 400, "SANITIZATION_ERROR");
+    this.name = "SanitizationError";
+  }
+};
+
+export { ArcisError, ValidationError as ArcisValidationError, BLOCKED, COMMAND_PATTERNS, DANGEROUS_PROTO_KEYS, ERRORS, HEADERS, INPUT, InputTooLargeError, NOSQL_DANGEROUS_KEYS, PATH_PATTERNS, RATE_LIMIT, REDACTION, RateLimitError, SQL_PATTERNS, SanitizationError, SecurityThreatError, VALIDATION, XSS_PATTERNS };
+//# sourceMappingURL=index.mjs.map
+//# sourceMappingURL=index.mjs.map