@arcis/node 1.0.0

package/dist/index.js

@@ -0,0 +1,1860 @@
+'use strict';
+
+Object.defineProperty(exports, '__esModule', { value: true });
+
+// src/core/constants.ts
+var INPUT = {
+  /** Default maximum input size (1MB) */
+  DEFAULT_MAX_SIZE: 1e6,
+  /** Maximum recursion depth for nested objects */
+  MAX_RECURSION_DEPTH: 10
+};
+var RATE_LIMIT = {
+  /** Default window size (1 minute) */
+  DEFAULT_WINDOW_MS: 6e4,
+  /** Default max requests per window */
+  DEFAULT_MAX_REQUESTS: 100,
+  /** Default HTTP status code for rate limited responses */
+  DEFAULT_STATUS_CODE: 429,
+  /** Default error message */
+  DEFAULT_MESSAGE: "Too many requests, please try again later.",
+  /** Minimum window size (1 second) */
+  MIN_WINDOW_MS: 1e3,
+  /** Maximum window size (24 hours) */
+  MAX_WINDOW_MS: 864e5
+};
+var HEADERS = {
+  /** Default Content Security Policy */
+  DEFAULT_CSP: [
+    "default-src 'self'",
+    "script-src 'self'",
+    "style-src 'self' 'unsafe-inline'",
+    "img-src 'self' data: https:",
+    "font-src 'self'",
+    "object-src 'none'",
+    "frame-ancestors 'none'"
+  ].join("; "),
+  /** Default HSTS max age (1 year in seconds) */
+  HSTS_MAX_AGE: 31536e3,
+  /** Default X-Frame-Options value */
+  FRAME_OPTIONS: "DENY",
+  /** Default X-Content-Type-Options value */
+  CONTENT_TYPE_OPTIONS: "nosniff",
+  /** Default Referrer-Policy value */
+  REFERRER_POLICY: "strict-origin-when-cross-origin",
+  /** Default Permissions-Policy value */
+  PERMISSIONS_POLICY: "geolocation=(), microphone=(), camera=()",
+  /** Default Cache-Control value for security */
+  CACHE_CONTROL: "no-store, no-cache, must-revalidate, proxy-revalidate"
+};
+var XSS_PATTERNS = [
+  /** Script tags (ReDoS-safe version) */
+  /<script[^>]*>[\s\S]*?<\/script>/gi,
+  /** javascript: protocol (allow optional spaces before colon) */
+  /javascript\s*:/gi,
+  /** vbscript: protocol */
+  /vbscript\s*:/gi,
+  /** Event handlers (onclick, onerror, etc.) — any separator before attribute */
+  /(?:[\s/])on\w+\s*=/gi,
+  /** iframe tags */
+  /<iframe/gi,
+  /** object tags */
+  /<object/gi,
+  /** embed tags */
+  /<embed/gi,
+  /** data: URIs (only dangerous ones, avoid false positives) */
+  /(?:^|[\s"'=])data:/gi,
+  /** URL-encoded script tags */
+  /%3Cscript/gi,
+  /** SVG with onload */
+  /<svg[^>]*onload/gi
+];
+var XSS_REMOVE_PATTERNS = [
+  /** Full script blocks (content + tags) */
+  /<script[^>]*>[\s\S]*?<\/script>/gi,
+  /** Standalone/unclosed script tags */
+  /<script[^>]*>/gi,
+  /** iframe — full block and partial/unclosed */
+  /<iframe[^>]*>[\s\S]*?<\/iframe>/gi,
+  /<iframe[^>]*/gi,
+  /** object — full block and partial/unclosed */
+  /<object[^>]*>[\s\S]*?<\/object>/gi,
+  /<object[^>]*/gi,
+  /** embed tags */
+  /<embed[^>]*/gi,
+  /** SVG with inline event handlers */
+  /<svg[^>]*onload[^>]*>/gi,
+  /** URL-encoded script tags */
+  /%3Cscript/gi,
+  /** Event handlers with quoted values: onclick="...", onerror='...' */
+  /(?:[\s/])on\w+\s*=\s*["'][^"']*["']/gi,
+  /** Event handlers with unquoted values: onload=value */
+  /(?:[\s/])on\w+\s*=\s*[^\s>]*/gi,
+  /** javascript: and vbscript: protocols (allow optional spaces before colon) */
+  /javascript\s*:/gi,
+  /vbscript\s*:/gi,
+  /** data: URIs with HTML/script content */
+  /data\s*:\s*text\/html[^>\s]*/gi
+];
+var SQL_PATTERNS = [
+  /** SQL keywords */
+  /(\b(SELECT|INSERT|UPDATE|DELETE|DROP|UNION|ALTER|CREATE|TRUNCATE|EXEC|EXECUTE)\b)/gi,
+  /** SQL comments: ANSI (--), C-style (slash-star ... star-slash), MySQL (#) */
+  /(--|\/\*|\*\/|#)/g,
+  /** SQL statement separators */
+  /(;|\|\||&&)/g,
+  /** Boolean injection: OR 1=1 */
+  /\bOR\s+\d+\s*=\s*\d+/gi,
+  /** Boolean injection: OR 'a'='a' or OR "a"="a" (including mixed quotes) */
+  /\bOR\s+(['"])[^'"]*\1\s*=\s*(['"])[^'"]*\2/gi,
+  /\bOR\s+('[^']*'|"[^"]*")\s*=\s*('[^']*'|"[^"]*")/gi,
+  /** Boolean injection: AND 1=1 */
+  /\bAND\s+\d+\s*=\s*\d+/gi,
+  /** Boolean injection: AND 'a'='a' or AND "a"="a" (including mixed quotes) */
+  /\bAND\s+(['"])[^'"]*\1\s*=\s*(['"])[^'"]*\2/gi,
+  /\bAND\s+('[^']*'|"[^"]*")\s*=\s*('[^']*'|"[^"]*")/gi,
+  /** Time-based blind: SLEEP() */
+  /\bSLEEP\s*\(\s*\d+\s*\)/gi,
+  /** Time-based blind: BENCHMARK() */
+  /\bBENCHMARK\s*\(/gi
+];
+var PATH_PATTERNS = [
+  /** Unix path traversal */
+  /\.\.\//g,
+  /** Windows path traversal */
+  /\.\.\\/g,
+  /** URL-encoded traversal (%2e%2e) */
+  /%2e%2e/gi,
+  /** Double URL-encoded traversal (%252e) */
+  /%252e/gi,
+  /** Mixed encoding: ..%2F */
+  /\.\.%2F/gi,
+  /** Mixed encoding: %2e./ and .%2e/ */
+  /%2e\.[\\/]/gi,
+  /\.%2e[\\/]/gi,
+  /** Fully URL-encoded: %2e%2e%2f */
+  /%2e%2e%2f/gi,
+  /** Null byte injection in paths */
+  /\0/g
+];
+var COMMAND_PATTERNS = [
+  /**
+   * Shell metacharacters that enable command chaining/substitution.
+   * Bare ( and ) are excluded — they appear in common legitimate values
+   * (function calls in code fields, math expressions, etc.).
+   * Command substitution is caught by the $( combined pattern below.
+   * NOTE: ';', '&', '|' may appear in legitimate URL query strings
+   * and Markdown; consider disabling command checking (command: false)
+   * for fields that intentionally allow those characters.
+   */
+  /[;&|`]/g,
+  /** Command substitution: $( ... ) — matched as a pair to reduce false positives */
+  /\$\(/g
+];
+var DANGEROUS_PROTO_KEYS = /* @__PURE__ */ new Set([
+  "__proto__",
+  "constructor",
+  "prototype",
+  "__definegetter__",
+  "__definesetter__",
+  "__lookupgetter__",
+  "__lookupsetter__"
+]);
+var NOSQL_DANGEROUS_KEYS = /* @__PURE__ */ new Set([
+  // Comparison
+  "$gt",
+  "$gte",
+  "$lt",
+  "$lte",
+  "$ne",
+  "$eq",
+  "$in",
+  "$nin",
+  // Logical
+  "$and",
+  "$or",
+  "$not",
+  "$nor",
+  // Element / evaluation
+  "$exists",
+  "$type",
+  "$regex",
+  "$where",
+  "$expr",
+  "$mod",
+  "$text",
+  // Array
+  "$elemMatch",
+  "$all",
+  "$size",
+  // JavaScript execution (critical)
+  "$function",
+  "$accumulator",
+  // Aggregation pipeline operators (injectable via $lookup etc.)
+  "$lookup",
+  "$match",
+  "$project",
+  "$group",
+  "$sort",
+  "$limit",
+  "$skip",
+  "$unwind",
+  "$addFields",
+  "$replaceRoot"
+]);
+var REDACTION = {
+  /** Replacement text for redacted values */
+  REPLACEMENT: "[REDACTED]",
+  /** Truncation indicator */
+  TRUNCATED: "[TRUNCATED]",
+  /** Max depth indicator */
+  MAX_DEPTH: "[MAX_DEPTH]",
+  /** Default max message length */
+  DEFAULT_MAX_LENGTH: 1e4,
+  /** Default sensitive keys to redact */
+  SENSITIVE_KEYS: /* @__PURE__ */ new Set([
+    "password",
+    "passwd",
+    "pwd",
+    "secret",
+    "token",
+    "apikey",
+    "api_key",
+    "apiKey",
+    "auth",
+    "authorization",
+    "credit_card",
+    "creditcard",
+    "cc",
+    "ssn",
+    "social_security",
+    "private_key",
+    "privateKey",
+    "access_token",
+    "accessToken",
+    "refresh_token",
+    "refreshToken",
+    "bearer",
+    "jwt",
+    "session",
+    "cookie",
+    "credentials",
+    "x-api-key",
+    "x-auth-token"
+  ])
+};
+var VALIDATION = {
+  /**
+   * Email regex pattern.
+   * Rejects consecutive dots in local part (e.g. test..foo@example.com),
+   * leading/trailing dots, and other common invalid forms.
+   */
+  EMAIL: /^[^\s@.][^\s@]*(?:\.[^\s@.][^\s@]*)*@[^\s@]+\.[^\s@]+$/,
+  /**
+   * URL regex pattern.
+   * Only allows http:// and https:// — explicitly rejects javascript:,
+   * data:, vbscript:, and other dangerous URI schemes.
+   */
+  URL: /^https?:\/\/[^\s/$.?#][^\s]*$/,
+  /** UUID regex pattern (v4) */
+  UUID: /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i
+};
+var ERRORS = {
+  /** Generic error message (production) */
+  INTERNAL_SERVER_ERROR: "Internal Server Error",
+  /** Input too large error */
+  INPUT_TOO_LARGE: (maxSize) => `Input exceeds maximum size of ${maxSize} bytes`,
+  /** Validation error messages */
+  VALIDATION: {
+    REQUIRED: (field) => `${field} is required`,
+    INVALID_TYPE: (field, type) => `${field} must be a ${type}`,
+    MIN_LENGTH: (field, min) => `${field} must be at least ${min} characters`,
+    MAX_LENGTH: (field, max) => `${field} must be at most ${max} characters`,
+    MIN_VALUE: (field, min) => `${field} must be at least ${min}`,
+    MAX_VALUE: (field, max) => `${field} must be at most ${max}`,
+    INVALID_FORMAT: (field) => `${field} format is invalid`,
+    INVALID_EMAIL: (field) => `${field} must be a valid email`,
+    INVALID_URL: (field) => `${field} must be a valid URL`,
+    INVALID_UUID: (field) => `${field} must be a valid UUID`,
+    INVALID_ENUM: (field, values) => `${field} must be one of: ${values.join(", ")}`,
+    MIN_ITEMS: (field, min) => `${field} must have at least ${min} items`,
+    MAX_ITEMS: (field, max) => `${field} must have at most ${max} items`
+  }
+};
+var BLOCKED = "[BLOCKED]";
+
+// src/middleware/headers.ts
+function createHeaders(options = {}) {
+  const {
+    contentSecurityPolicy = true,
+    xssFilter = true,
+    noSniff = true,
+    frameOptions = HEADERS.FRAME_OPTIONS,
+    hsts = true,
+    referrerPolicy = HEADERS.REFERRER_POLICY,
+    permissionsPolicy = HEADERS.PERMISSIONS_POLICY,
+    cacheControl = true
+  } = options;
+  return (req, res, next) => {
+    if (contentSecurityPolicy) {
+      const csp = typeof contentSecurityPolicy === "string" ? contentSecurityPolicy : HEADERS.DEFAULT_CSP;
+      res.setHeader("Content-Security-Policy", csp);
+    }
+    if (xssFilter) {
+      res.setHeader("X-XSS-Protection", "1; mode=block");
+    }
+    if (noSniff) {
+      res.setHeader("X-Content-Type-Options", HEADERS.CONTENT_TYPE_OPTIONS);
+    }
+    if (frameOptions) {
+      res.setHeader("X-Frame-Options", frameOptions);
+    }
+    const forwardedProto = req.headers["x-forwarded-proto"]?.split(",")[0].trim().toLowerCase();
+    const trustedForwardedProto = forwardedProto === "https" || forwardedProto === "http" ? forwardedProto : void 0;
+    const isHttps = req.secure || trustedForwardedProto === "https";
+    if (hsts && isHttps) {
+      const hstsOpts = typeof hsts === "object" ? hsts : {};
+      const maxAge = hstsOpts.maxAge ?? HEADERS.HSTS_MAX_AGE;
+      const includeSubDomains = hstsOpts.includeSubDomains !== false;
+      const preload = hstsOpts.preload === true;
+      let hstsValue = `max-age=${maxAge}`;
+      if (includeSubDomains) hstsValue += "; includeSubDomains";
+      if (preload) hstsValue += "; preload";
+      res.setHeader("Strict-Transport-Security", hstsValue);
+    }
+    if (referrerPolicy) {
+      res.setHeader("Referrer-Policy", referrerPolicy);
+    }
+    if (permissionsPolicy) {
+      res.setHeader("Permissions-Policy", permissionsPolicy);
+    }
+    res.setHeader("X-Permitted-Cross-Domain-Policies", "none");
+    if (cacheControl) {
+      const cacheControlValue = typeof cacheControl === "string" ? cacheControl : HEADERS.CACHE_CONTROL;
+      res.setHeader("Cache-Control", cacheControlValue);
+      res.setHeader("Pragma", "no-cache");
+      res.setHeader("Expires", "0");
+    }
+    res.removeHeader("X-Powered-By");
+    next();
+  };
+}
+var securityHeaders = createHeaders;
+
+// src/middleware/rate-limit.ts
+function createRateLimiter(options = {}) {
+  const {
+    max = RATE_LIMIT.DEFAULT_MAX_REQUESTS,
+    windowMs = RATE_LIMIT.DEFAULT_WINDOW_MS,
+    message = RATE_LIMIT.DEFAULT_MESSAGE,
+    statusCode = RATE_LIMIT.DEFAULT_STATUS_CODE,
+    keyGenerator = (req) => {
+      const ip = req.ip ?? req.socket?.remoteAddress;
+      if (!ip) {
+        console.warn(
+          "[arcis] Rate limiter: cannot resolve client IP. All unresolvable clients share one counter. Set Express trust proxy if behind a reverse proxy."
+        );
+        return "unknown";
+      }
+      return ip;
+    },
+    skip,
+    store: externalStore
+  } = options;
+  const inMemoryStore = /* @__PURE__ */ Object.create(null);
+  let cleanupInterval = null;
+  if (!externalStore) {
+    cleanupInterval = setInterval(() => {
+      const now = Date.now();
+      for (const key of Object.keys(inMemoryStore)) {
+        if (inMemoryStore[key].resetTime < now) {
+          delete inMemoryStore[key];
+        }
+      }
+    }, windowMs);
+    if (typeof cleanupInterval.unref === "function") {
+      cleanupInterval.unref();
+    }
+  }
+  const handler = async (req, res, next) => {
+    try {
+      if (skip?.(req)) {
+        return next();
+      }
+      const key = keyGenerator(req);
+      const now = Date.now();
+      let count;
+      let resetTime;
+      if (externalStore) {
+        const entry = await externalStore.get(key);
+        if (!entry || entry.resetTime < now) {
+          await externalStore.set(key, { count: 1, resetTime: now + windowMs });
+          count = 1;
+          resetTime = now + windowMs;
+        } else {
+          count = await externalStore.increment(key);
+          resetTime = entry.resetTime;
+        }
+      } else {
+        if (!inMemoryStore[key] || inMemoryStore[key].resetTime < now) {
+          inMemoryStore[key] = { count: 1, resetTime: now + windowMs };
+        } else {
+          inMemoryStore[key].count++;
+        }
+        count = inMemoryStore[key].count;
+        resetTime = inMemoryStore[key].resetTime;
+      }
+      const remaining = Math.max(0, max - count);
+      const resetSeconds = Math.ceil((resetTime - now) / 1e3);
+      res.setHeader("X-RateLimit-Limit", max.toString());
+      res.setHeader("X-RateLimit-Remaining", remaining.toString());
+      res.setHeader("X-RateLimit-Reset", resetSeconds.toString());
+      if (count > max) {
+        res.setHeader("Retry-After", resetSeconds.toString());
+        res.status(statusCode).json({
+          error: message,
+          retryAfter: resetSeconds
+        });
+        return;
+      }
+      next();
+    } catch (error) {
+      console.error("[arcis] Rate limiter error:", error);
+      next();
+    }
+  };
+  const middleware = handler;
+  middleware.close = () => {
+    if (cleanupInterval) {
+      clearInterval(cleanupInterval);
+      cleanupInterval = null;
+    }
+  };
+  return middleware;
+}
+var rateLimit = createRateLimiter;
+
+// src/middleware/error-handler.ts
+var SENSITIVE_ERROR_PATTERNS = [
+  // SQL database errors
+  /\b(SQLITE_ERROR|SQLSTATE|ORA-\d|PG::|mysql_|pg_query|ECONNREFUSED)/i,
+  /\b(syntax error at or near|relation ".*" does not exist)/i,
+  /\b(column ".*" (does not exist|of relation))/i,
+  /\b(duplicate key value violates unique constraint)/i,
+  /\b(table .* doesn't exist|unknown column)/i,
+  // MongoDB errors
+  /\b(MongoError|MongoServerError|MongoNetworkError|E11000 duplicate key)/i,
+  // Redis errors
+  /\b(WRONGTYPE|CROSSSLOT|CLUSTERDOWN|READONLY|ReplyError)/i,
+  // Connection strings and DSNs
+  /\b(mongodb(\+srv)?:\/\/|postgres(ql)?:\/\/|mysql:\/\/|redis:\/\/)/i,
+  // Stack traces with file paths
+  /\bat\s+.*\.(js|ts|py|go|java):\d+/i,
+  // Internal IP addresses
+  /\b(127\.0\.0\.\d+|10\.\d+\.\d+\.\d+|192\.168\.\d+\.\d+|172\.(1[6-9]|2\d|3[01])\.\d+\.\d+)\b/
+];
+function containsSensitiveInfo(message) {
+  return SENSITIVE_ERROR_PATTERNS.some((pattern) => pattern.test(message));
+}
+function errorHandler(options = false) {
+  const isDev = typeof options === "boolean" ? options : options.isDev ?? false;
+  const logErrors = typeof options === "object" ? options.logErrors ?? true : true;
+  const logger = typeof options === "object" ? options.logger : void 0;
+  const customHandler = typeof options === "object" ? options.customHandler : void 0;
+  return (err, req, res, _next) => {
+    const statusCode = err.statusCode || err.status || 500;
+    if (customHandler) {
+      return customHandler(err, req, res);
+    }
+    if (logErrors) {
+      const logData = {
+        error: err.message,
+        stack: err.stack,
+        statusCode,
+        path: req.path,
+        method: req.method
+      };
+      if (logger) {
+        logger.error("Request error", logData);
+      } else {
+        console.error("[arcis] Request error:", logData);
+      }
+    }
+    const exposeMessage = isDev || err.expose === true;
+    let clientMessage;
+    if (!exposeMessage) {
+      clientMessage = ERRORS.INTERNAL_SERVER_ERROR;
+    } else if (containsSensitiveInfo(err.message)) {
+      clientMessage = isDev ? err.message : ERRORS.INTERNAL_SERVER_ERROR;
+    } else {
+      clientMessage = err.message;
+    }
+    const response = {
+      error: clientMessage
+    };
+    if (isDev) {
+      response.stack = err.stack;
+      response.details = err.message;
+    }
+    res.status(statusCode).json(response);
+  };
+}
+var createErrorHandler = errorHandler;
+
+// src/core/errors.ts
+var ArcisError = class extends Error {
+  constructor(message, statusCode = 500, code = "ARCIS_ERROR") {
+    super(message);
+    this.name = "ArcisError";
+    this.statusCode = statusCode;
+    this.code = code;
+    this.expose = statusCode < 500;
+    if (Error.captureStackTrace) {
+      Error.captureStackTrace(this, this.constructor);
+    }
+  }
+};
+var ValidationError = class extends ArcisError {
+  constructor(errors) {
+    super("Validation failed", 400, "VALIDATION_ERROR");
+    this.name = "ValidationError";
+    this.errors = errors;
+  }
+};
+var RateLimitError = class extends ArcisError {
+  constructor(message, retryAfter) {
+    super(message, 429, "RATE_LIMIT_EXCEEDED");
+    this.name = "RateLimitError";
+    this.retryAfter = retryAfter;
+  }
+};
+var InputTooLargeError = class extends ArcisError {
+  constructor(maxSize, actualSize) {
+    super(`Input exceeds maximum size of ${maxSize} bytes`, 413, "INPUT_TOO_LARGE");
+    this.name = "InputTooLargeError";
+    this.maxSize = maxSize;
+    this.actualSize = actualSize;
+  }
+};
+var SecurityThreatError = class extends ArcisError {
+  constructor(threatType, pattern) {
+    super("Request blocked for security reasons", 400, "SECURITY_THREAT");
+    this.name = "SecurityThreatError";
+    this.threatType = threatType;
+    this.pattern = pattern;
+  }
+};
+var SanitizationError = class extends ArcisError {
+  constructor(message) {
+    super(message, 400, "SANITIZATION_ERROR");
+    this.name = "SanitizationError";
+  }
+};
+
+// src/sanitizers/utils.ts
+function encodeHtmlEntities(str) {
+  return str.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;").replace(/'/g, "&#x27;");
+}
+
+// src/sanitizers/xss.ts
+function sanitizeXss(input, collectThreats = false, htmlEncode = false) {
+  if (typeof input !== "string") {
+    return collectThreats ? { value: String(input), wasSanitized: false, threats: [] } : String(input);
+  }
+  const threats = [];
+  let value = input;
+  let wasSanitized = false;
+  for (const pattern of XSS_REMOVE_PATTERNS) {
+    pattern.lastIndex = 0;
+    if (pattern.test(value)) {
+      pattern.lastIndex = 0;
+      if (collectThreats) {
+        const matches = value.match(pattern);
+        if (matches) {
+          for (const match of matches) {
+            threats.push({
+              type: "xss",
+              pattern: pattern.source,
+              original: match
+            });
+          }
+        }
+      }
+      value = value.replace(pattern, "");
+      wasSanitized = true;
+    }
+  }
+  if (htmlEncode) {
+    const encoded = encodeHtmlEntities(value);
+    if (encoded !== value) {
+      wasSanitized = true;
+    }
+    value = encoded;
+  }
+  if (collectThreats) {
+    return { value, wasSanitized, threats };
+  }
+  return value;
+}
+function detectXss(input) {
+  if (typeof input !== "string") return false;
+  if (/\s+on\w+\s*=/i.test(input)) return true;
+  if (/javascript\s*:/i.test(input)) return true;
+  if (/vbscript\s*:/i.test(input)) return true;
+  if (/data\s*:\s*text\/html/i.test(input)) return true;
+  for (const pattern of XSS_PATTERNS) {
+    pattern.lastIndex = 0;
+    if (pattern.test(input)) {
+      return true;
+    }
+  }
+  return false;
+}
+
+// src/sanitizers/sql.ts
+function sanitizeSql(input, collectThreats = false) {
+  if (typeof input !== "string") {
+    return collectThreats ? { value: String(input), wasSanitized: false, threats: [] } : String(input);
+  }
+  const threats = [];
+  let value = input;
+  let wasSanitized = false;
+  for (const pattern of SQL_PATTERNS) {
+    pattern.lastIndex = 0;
+    if (pattern.test(value)) {
+      pattern.lastIndex = 0;
+      if (collectThreats) {
+        const matches = value.match(pattern);
+        if (matches) {
+          for (const match of matches) {
+            threats.push({
+              type: "sql_injection",
+              pattern: pattern.source,
+              original: match
+            });
+          }
+        }
+      }
+      value = value.replace(pattern, " ");
+      wasSanitized = true;
+    }
+  }
+  if (collectThreats) {
+    return { value, wasSanitized, threats };
+  }
+  return value;
+}
+function detectSql(input) {
+  if (typeof input !== "string") return false;
+  for (const pattern of SQL_PATTERNS) {
+    pattern.lastIndex = 0;
+    if (pattern.test(input)) {
+      return true;
+    }
+  }
+  return false;
+}
+
+// src/sanitizers/path.ts
+function sanitizePath(input, collectThreats = false) {
+  if (typeof input !== "string") {
+    return collectThreats ? { value: String(input), wasSanitized: false, threats: [] } : String(input);
+  }
+  const threats = [];
+  let value = input;
+  let wasSanitized = false;
+  for (const pattern of PATH_PATTERNS) {
+    pattern.lastIndex = 0;
+    if (pattern.test(value)) {
+      pattern.lastIndex = 0;
+      if (collectThreats) {
+        const matches = value.match(pattern);
+        if (matches) {
+          for (const match of matches) {
+            threats.push({
+              type: "path_traversal",
+              pattern: pattern.source,
+              original: match
+            });
+          }
+        }
+      }
+      value = value.replace(pattern, "");
+      wasSanitized = true;
+    }
+  }
+  if (collectThreats) {
+    return { value, wasSanitized, threats };
+  }
+  return value;
+}
+function detectPathTraversal(input) {
+  if (typeof input !== "string") return false;
+  for (const pattern of PATH_PATTERNS) {
+    pattern.lastIndex = 0;
+    if (pattern.test(input)) {
+      return true;
+    }
+  }
+  return false;
+}
+
+// src/sanitizers/command.ts
+function sanitizeCommand(input, collectThreats = false) {
+  if (typeof input !== "string") {
+    return collectThreats ? { value: String(input), wasSanitized: false, threats: [] } : String(input);
+  }
+  const threats = [];
+  let value = input;
+  let wasSanitized = false;
+  for (const pattern of COMMAND_PATTERNS) {
+    pattern.lastIndex = 0;
+    if (pattern.test(value)) {
+      pattern.lastIndex = 0;
+      if (collectThreats) {
+        const matches = value.match(pattern);
+        if (matches) {
+          for (const match of matches) {
+            threats.push({
+              type: "command_injection",
+              pattern: pattern.source,
+              original: match
+            });
+          }
+        }
+      }
+      value = value.replace(pattern, " ");
+      wasSanitized = true;
+    }
+  }
+  if (collectThreats) {
+    return { value, wasSanitized, threats };
+  }
+  return value;
+}
+function detectCommandInjection(input) {
+  if (typeof input !== "string") return false;
+  for (const pattern of COMMAND_PATTERNS) {
+    pattern.lastIndex = 0;
+    if (pattern.test(input)) {
+      return true;
+    }
+  }
+  return false;
+}
+
+// src/sanitizers/sanitize.ts
+function sanitizeString(value, options = {}) {
+  if (typeof value !== "string") return value;
+  const maxSize = options.maxSize ?? INPUT.DEFAULT_MAX_SIZE;
+  if (value.length > maxSize) {
+    throw new InputTooLargeError(maxSize, value.length);
+  }
+  const reject = options.mode !== "sanitize";
+  let result = value;
+  if (options.sql !== false) {
+    if (reject) {
+      if (detectSql(result)) {
+        throw new SecurityThreatError("sql_injection", "SQL pattern detected in input");
+      }
+    } else {
+      result = sanitizeSql(result);
+    }
+  }
+  if (options.path !== false) {
+    result = sanitizePath(result);
+  }
+  if (options.command !== false) {
+    if (reject) {
+      if (detectCommandInjection(result)) {
+        throw new SecurityThreatError("command_injection", "Shell metacharacter detected in input");
+      }
+    } else {
+      result = sanitizeCommand(result);
+    }
+  }
+  if (options.xss !== false) {
+    result = sanitizeXss(result, false, options.htmlEncode ?? false);
+  }
+  return result;
+}
+function sanitizeObject(obj, options = {}) {
+  if (obj === null || obj === void 0) return obj;
+  if (typeof obj === "string") return sanitizeString(obj, options);
+  if (typeof obj !== "object") return obj;
+  if (Array.isArray(obj)) return obj.map((item) => sanitizeObject(item, options));
+  return sanitizeObjectDepth(obj, options, 0);
+}
+function sanitizeObjectDepth(obj, options, depth) {
+  if (depth >= INPUT.MAX_RECURSION_DEPTH) return obj;
+  const result = {};
+  for (const key of Object.keys(obj)) {
+    if (options.proto !== false && DANGEROUS_PROTO_KEYS.has(key.toLowerCase())) {
+      continue;
+    }
+    if (options.nosql !== false && NOSQL_DANGEROUS_KEYS.has(key)) {
+      continue;
+    }
+    const sanitizedKey = sanitizeString(key, options);
+    const value = obj[key];
+    if (value === null || value === void 0) {
+      result[sanitizedKey] = value;
+    } else if (typeof value === "string") {
+      result[sanitizedKey] = sanitizeString(value, options);
+    } else if (Array.isArray(value)) {
+      result[sanitizedKey] = value.map((item) => sanitizeObject(item, options));
+    } else if (typeof value === "object") {
+      result[sanitizedKey] = sanitizeObjectDepth(value, options, depth + 1);
+    } else {
+      result[sanitizedKey] = value;
+    }
+  }
+  return result;
+}
+function createSanitizer(options = {}) {
+  return (req, _res, next) => {
+    try {
+      if (req.body && typeof req.body === "object") {
+        req.body = sanitizeObject(req.body, options);
+      }
+      if (req.query && typeof req.query === "object") {
+        const sanitizedQuery = sanitizeObject(req.query, options);
+        Object.defineProperty(req, "query", { value: sanitizedQuery, writable: true, configurable: true });
+      }
+      if (req.params && typeof req.params === "object") {
+        const sanitizedParams = sanitizeObject(req.params, options);
+        Object.defineProperty(req, "params", { value: sanitizedParams, writable: true, configurable: true });
+      }
+      next();
+    } catch (err) {
+      next(err);
+    }
+  };
+}
+
+// src/sanitizers/nosql.ts
+function isDangerousNoSqlKey(key) {
+  return NOSQL_DANGEROUS_KEYS.has(key);
+}
+function detectNoSqlInjection(obj, maxDepth = 10) {
+  if (maxDepth <= 0) return false;
+  if (obj === null || typeof obj !== "object") return false;
+  if (Array.isArray(obj)) {
+    return obj.some((item) => detectNoSqlInjection(item, maxDepth - 1));
+  }
+  for (const key of Object.keys(obj)) {
+    if (isDangerousNoSqlKey(key)) {
+      return true;
+    }
+    const value = obj[key];
+    if (typeof value === "object" && value !== null) {
+      if (detectNoSqlInjection(value, maxDepth - 1)) {
+        return true;
+      }
+    }
+  }
+  return false;
+}
+
+// src/sanitizers/prototype.ts
+function isDangerousProtoKey(key) {
+  return DANGEROUS_PROTO_KEYS.has(key.toLowerCase());
+}
+function detectPrototypePollution(obj, maxDepth = 10) {
+  if (maxDepth <= 0) return false;
+  if (obj === null || typeof obj !== "object") return false;
+  if (Array.isArray(obj)) {
+    return obj.some((item) => detectPrototypePollution(item, maxDepth - 1));
+  }
+  for (const key of Object.keys(obj)) {
+    if (DANGEROUS_PROTO_KEYS.has(key.toLowerCase())) {
+      return true;
+    }
+    const value = obj[key];
+    if (typeof value === "object" && value !== null) {
+      if (detectPrototypePollution(value, maxDepth - 1)) {
+        return true;
+      }
+    }
+  }
+  return false;
+}
+
+// src/sanitizers/headers.ts
+var HEADER_INJECTION_PATTERN = /\r\n|\r|\n|\0/g;
+function sanitizeHeaderValue(input, collectThreats = false) {
+  if (typeof input !== "string") {
+    return collectThreats ? { value: String(input), wasSanitized: false, threats: [] } : String(input);
+  }
+  const threats = [];
+  let wasSanitized = false;
+  if (HEADER_INJECTION_PATTERN.test(input)) {
+    HEADER_INJECTION_PATTERN.lastIndex = 0;
+    wasSanitized = true;
+    if (collectThreats) {
+      const matches = input.match(HEADER_INJECTION_PATTERN);
+      if (matches) {
+        for (const match of matches) {
+          threats.push({
+            type: "header_injection",
+            pattern: HEADER_INJECTION_PATTERN.source,
+            original: match
+          });
+        }
+      }
+    }
+  }
+  HEADER_INJECTION_PATTERN.lastIndex = 0;
+  const value = input.replace(HEADER_INJECTION_PATTERN, "");
+  if (collectThreats) {
+    return { value, wasSanitized, threats };
+  }
+  return value;
+}
+function sanitizeHeaders(headers) {
+  if (!headers || typeof headers !== "object") {
+    return {};
+  }
+  const result = {};
+  for (const [key, value] of Object.entries(headers)) {
+    const sanitizedKey = sanitizeHeaderValue(String(key));
+    const sanitizedValue = sanitizeHeaderValue(String(value));
+    result[sanitizedKey] = sanitizedValue;
+  }
+  return result;
+}
+function detectHeaderInjection(input) {
+  if (typeof input !== "string") return false;
+  HEADER_INJECTION_PATTERN.lastIndex = 0;
+  return HEADER_INJECTION_PATTERN.test(input);
+}
+
+// src/validation/schema.ts
+function validate(schema, source = "body") {
+  return (req, res, next) => {
+    const data = req[source] || {};
+    const errors = [];
+    const validated = {};
+    for (const [field, rules] of Object.entries(schema)) {
+      const value = data[field];
+      const result = validateField(field, value, rules);
+      if (result.errors.length > 0) {
+        errors.push(...result.errors);
+      } else if (result.value !== void 0) {
+        validated[field] = result.value;
+      }
+    }
+    if (errors.length > 0) {
+      res.status(400).json({ errors });
+      return;
+    }
+    req[source] = validated;
+    next();
+  };
+}
+function validateField(field, value, rules) {
+  const errors = [];
+  if (rules.required && (value === void 0 || value === null || value === "")) {
+    errors.push(ERRORS.VALIDATION.REQUIRED(field));
+    return { errors };
+  }
+  if (value === void 0 || value === null) {
+    return { errors: [] };
+  }
+  let typedValue = value;
+  let isValid = true;
+  switch (rules.type) {
+    case "string":
+      if (typeof value !== "string") {
+        errors.push(ERRORS.VALIDATION.INVALID_TYPE(field, "string"));
+        isValid = false;
+        break;
+      }
+      if (rules.min !== void 0 && value.length < rules.min) {
+        errors.push(ERRORS.VALIDATION.MIN_LENGTH(field, rules.min));
+        isValid = false;
+      }
+      if (rules.max !== void 0 && value.length > rules.max) {
+        errors.push(ERRORS.VALIDATION.MAX_LENGTH(field, rules.max));
+        isValid = false;
+      }
+      if (rules.pattern && !rules.pattern.test(value)) {
+        errors.push(ERRORS.VALIDATION.INVALID_FORMAT(field));
+        isValid = false;
+      }
+      if (isValid && rules.enum && !rules.enum.includes(value)) {
+        errors.push(ERRORS.VALIDATION.INVALID_ENUM(field, rules.enum));
+        isValid = false;
+      }
+      if (isValid && rules.sanitize !== false) {
+        typedValue = sanitizeString(value);
+      }
+      break;
+    case "number":
+      typedValue = Number(value);
+      if (isNaN(typedValue)) {
+        errors.push(ERRORS.VALIDATION.INVALID_TYPE(field, "number"));
+        isValid = false;
+        break;
+      }
+      if (rules.min !== void 0 && typedValue < rules.min) {
+        errors.push(ERRORS.VALIDATION.MIN_VALUE(field, rules.min));
+        isValid = false;
+      }
+      if (rules.max !== void 0 && typedValue > rules.max) {
+        errors.push(ERRORS.VALIDATION.MAX_VALUE(field, rules.max));
+        isValid = false;
+      }
+      break;
+    case "boolean":
+      if (value === "true" || value === true || value === 1 || value === "1") {
+        typedValue = true;
+      } else if (value === "false" || value === false || value === 0 || value === "0") {
+        typedValue = false;
+      } else {
+        errors.push(ERRORS.VALIDATION.INVALID_TYPE(field, "boolean"));
+        isValid = false;
+      }
+      break;
+    case "email":
+      if (!VALIDATION.EMAIL.test(String(value))) {
+        errors.push(ERRORS.VALIDATION.INVALID_EMAIL(field));
+        isValid = false;
+      }
+      if (isValid) {
+        typedValue = sanitizeString(String(value).toLowerCase().trim());
+      }
+      break;
+    case "url":
+      if (!VALIDATION.URL.test(String(value))) {
+        errors.push(ERRORS.VALIDATION.INVALID_URL(field));
+        isValid = false;
+      }
+      if (isValid) {
+        typedValue = sanitizeString(String(value));
+      }
+      break;
+    case "uuid":
+      if (!VALIDATION.UUID.test(String(value))) {
+        errors.push(ERRORS.VALIDATION.INVALID_UUID(field));
+        isValid = false;
+      }
+      break;
+    case "array":
+      if (!Array.isArray(value)) {
+        errors.push(ERRORS.VALIDATION.INVALID_TYPE(field, "array"));
+        isValid = false;
+        break;
+      }
+      if (rules.min !== void 0 && value.length < rules.min) {
+        errors.push(ERRORS.VALIDATION.MIN_ITEMS(field, rules.min));
+        isValid = false;
+      }
+      if (rules.max !== void 0 && value.length > rules.max) {
+        errors.push(ERRORS.VALIDATION.MAX_ITEMS(field, rules.max));
+        isValid = false;
+      }
+      break;
+    case "object":
+      if (typeof value !== "object" || Array.isArray(value) || value === null) {
+        errors.push(ERRORS.VALIDATION.INVALID_TYPE(field, "object"));
+        isValid = false;
+      }
+      break;
+  }
+  if (isValid && rules.enum && rules.type !== "string" && !rules.enum.includes(typedValue)) {
+    errors.push(ERRORS.VALIDATION.INVALID_ENUM(field, rules.enum));
+    isValid = false;
+  }
+  if (isValid && rules.custom) {
+    const customResult = rules.custom(typedValue);
+    if (customResult === void 0) {
+      throw new TypeError(
+        `Custom validator for field "${field}" returned undefined. Return true to pass, false to fail, or a string error message.`
+      );
+    }
+    if (customResult !== true) {
+      errors.push(typeof customResult === "string" && customResult.length > 0 ? customResult : `${field} is invalid`);
+      isValid = false;
+    }
+  }
+  return {
+    value: isValid ? typedValue : void 0,
+    errors
+  };
+}
+var createValidator = validate;
+
+// src/validation/file.ts
+var MAGIC_BYTES = {
+  // Images
+  "image/jpeg": [Buffer.from([255, 216, 255])],
+  "image/png": [Buffer.from([137, 80, 78, 71])],
+  "image/gif": [Buffer.from("GIF87a"), Buffer.from("GIF89a")],
+  "image/webp": [Buffer.from("RIFF")],
+  // RIFF....WEBP
+  "image/bmp": [Buffer.from([66, 77])],
+  "image/svg+xml": [],
+  // text-based, check separately
+  // Documents
+  "application/pdf": [Buffer.from("%PDF")],
+  "application/zip": [Buffer.from([80, 75, 3, 4])],
+  // Audio/Video
+  "audio/mpeg": [Buffer.from([255, 251]), Buffer.from([255, 243]), Buffer.from([73, 68, 51])],
+  "video/mp4": []
+  // ftyp at offset 4
+};
+var DANGEROUS_EXTENSIONS = /* @__PURE__ */ new Set([
+  // Scripts
+  ".exe",
+  ".bat",
+  ".cmd",
+  ".com",
+  ".msi",
+  ".scr",
+  ".pif",
+  ".vbs",
+  ".vbe",
+  ".js",
+  ".jse",
+  ".ws",
+  ".wsf",
+  ".wsc",
+  ".wsh",
+  ".ps1",
+  ".ps1xml",
+  ".ps2",
+  ".ps2xml",
+  ".psc1",
+  ".psc2",
+  ".sh",
+  ".bash",
+  ".csh",
+  ".ksh",
+  // Server-side
+  ".php",
+  ".php3",
+  ".php4",
+  ".php5",
+  ".phtml",
+  ".pht",
+  ".asp",
+  ".aspx",
+  ".ashx",
+  ".asmx",
+  ".cer",
+  ".jsp",
+  ".jspx",
+  ".jsw",
+  ".jsv",
+  ".cgi",
+  ".pl",
+  ".py",
+  ".rb",
+  // Java
+  ".jar",
+  ".war",
+  ".ear",
+  ".class",
+  // Config that can execute
+  ".htaccess",
+  ".htpasswd",
+  // Template engines
+  ".ejs",
+  ".pug",
+  ".hbs",
+  ".handlebars",
+  ".njk",
+  ".twig",
+  // Shortcuts/links
+  ".lnk",
+  ".inf",
+  ".reg",
+  ".url",
+  // Office macros
+  ".docm",
+  ".xlsm",
+  ".pptm",
+  ".dotm"
+]);
+var DEFAULT_MAX_SIZE = 5 * 1024 * 1024;
+function sanitizeFilename(filename) {
+  let name = filename;
+  name = name.replace(/\0/g, "");
+  name = name.replace(/^.*[/\\]/, "");
+  name = name.replace(/[\x00-\x1F\x7F]/g, "");
+  name = name.replace(/[<>:"/\\|?*]/g, "");
+  name = name.replace(/[\s()]+/g, "_");
+  name = name.replace(/^\.+/, "");
+  name = name.replace(/_{2,}/g, "_");
+  name = name.replace(/\.{2,}/g, ".");
+  name = name.replace(/_+\./g, ".");
+  name = name.replace(/^_+|_+$/g, "");
+  if (!name || name === ".") {
+    name = "unnamed";
+  }
+  return name;
+}
+function matchesMagicBytes(buffer, mimetype) {
+  const signatures = MAGIC_BYTES[mimetype];
+  if (!signatures || signatures.length === 0) return true;
+  return signatures.some((sig) => {
+    if (buffer.length < sig.length) return false;
+    return buffer.subarray(0, sig.length).equals(sig);
+  });
+}
+function getExtension(filename) {
+  const lastDot = filename.lastIndexOf(".");
+  if (lastDot < 1) return "";
+  return filename.slice(lastDot).toLowerCase();
+}
+function hasDoubleExtension(filename) {
+  const parts = filename.split(".");
+  if (parts.length < 3) return false;
+  for (let i = 1; i < parts.length - 1; i++) {
+    const ext = "." + parts[i].toLowerCase();
+    if (DANGEROUS_EXTENSIONS.has(ext)) return true;
+  }
+  return false;
+}
+function validateFile(file, options = {}) {
+  const {
+    maxSize = DEFAULT_MAX_SIZE,
+    allowedTypes,
+    allowedExtensions,
+    blockExecutables = true,
+    validateMagicBytes = true,
+    blockNoExtension = true,
+    blockDoubleExtensions = true
+  } = options;
+  const errors = [];
+  const sanitizedFilename = sanitizeFilename(file.filename);
+  const extension = getExtension(sanitizedFilename);
+  if (file.size > maxSize) {
+    errors.push(`File size ${file.size} exceeds maximum ${maxSize} bytes`);
+  }
+  if (file.size === 0) {
+    errors.push("File is empty");
+  }
+  if (blockNoExtension && !extension) {
+    errors.push("File has no extension");
+  }
+  if (blockExecutables && extension && DANGEROUS_EXTENSIONS.has(extension)) {
+    errors.push(`Executable extension "${extension}" is not allowed`);
+  }
+  if (blockDoubleExtensions && hasDoubleExtension(sanitizedFilename)) {
+    errors.push("Double extensions with executable types are not allowed");
+  }
+  if (allowedExtensions && extension) {
+    const normalizedAllowed = allowedExtensions.map((e) => e.toLowerCase());
+    if (!normalizedAllowed.includes(extension)) {
+      errors.push(`Extension "${extension}" is not allowed. Allowed: ${normalizedAllowed.join(", ")}`);
+    }
+  }
+  if (allowedTypes && !allowedTypes.includes(file.mimetype)) {
+    errors.push(`MIME type "${file.mimetype}" is not allowed. Allowed: ${allowedTypes.join(", ")}`);
+  }
+  if (validateMagicBytes && file.buffer && file.buffer.length > 0) {
+    if (!matchesMagicBytes(file.buffer, file.mimetype)) {
+      errors.push(`File content does not match claimed MIME type "${file.mimetype}"`);
+    }
+  }
+  return {
+    valid: errors.length === 0,
+    errors,
+    sanitizedFilename
+  };
+}
+function isDangerousExtension(filename) {
+  const ext = getExtension(filename);
+  return ext !== "" && DANGEROUS_EXTENSIONS.has(ext);
+}
+
+// src/logging/redactor.ts
+function createSafeLogger(options = {}) {
+  const {
+    redactKeys = [],
+    maxLength = REDACTION.DEFAULT_MAX_LENGTH,
+    redactPatterns = []
+  } = options;
+  const allRedactKeys = /* @__PURE__ */ new Set([
+    ...Array.from(REDACTION.SENSITIVE_KEYS),
+    ...redactKeys.map((k) => k.toLowerCase())
+  ]);
+  function redact(obj, depth = 0) {
+    if (depth > INPUT.MAX_RECURSION_DEPTH) return REDACTION.MAX_DEPTH;
+    if (obj === null || obj === void 0) return obj;
+    if (typeof obj === "string") {
+      return redactString(obj, maxLength, redactPatterns);
+    }
+    if (typeof obj !== "object") return obj;
+    if (Array.isArray(obj)) {
+      return obj.map((item) => redact(item, depth + 1));
+    }
+    const result = {};
+    for (const [key, value] of Object.entries(obj)) {
+      if (allRedactKeys.has(key.toLowerCase())) {
+        result[key] = REDACTION.REPLACEMENT;
+      } else {
+        result[key] = redact(value, depth + 1);
+      }
+    }
+    return result;
+  }
+  function log(level, message, data) {
+    const entry = {
+      timestamp: (/* @__PURE__ */ new Date()).toISOString(),
+      level,
+      message: redactString(message, maxLength, redactPatterns)
+    };
+    if (data !== void 0) {
+      entry.data = redact(data);
+    }
+    console.log(JSON.stringify(entry));
+  }
+  return {
+    log,
+    info: (msg, data) => log("info", msg, data),
+    warn: (msg, data) => log("warn", msg, data),
+    error: (msg, data) => log("error", msg, data),
+    debug: (msg, data) => log("debug", msg, data)
+  };
+}
+function redactString(str, maxLength, patterns) {
+  let safe = str.replace(/[\r\n\t]/g, " ").replace(/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F\x80-\x9F]/g, "");
+  for (const pattern of patterns) {
+    safe = safe.replace(pattern, REDACTION.REPLACEMENT);
+  }
+  if (safe.length > maxLength) {
+    safe = safe.substring(0, maxLength) + `...${REDACTION.TRUNCATED}`;
+  }
+  return safe;
+}
+function createRedactor(sensitiveKeys = []) {
+  const allKeys = /* @__PURE__ */ new Set([
+    ...Array.from(REDACTION.SENSITIVE_KEYS),
+    ...sensitiveKeys.map((k) => k.toLowerCase())
+  ]);
+  function redact(obj, depth = 0) {
+    if (depth > INPUT.MAX_RECURSION_DEPTH) return REDACTION.MAX_DEPTH;
+    if (obj === null || obj === void 0) return obj;
+    if (typeof obj !== "object") return obj;
+    if (Array.isArray(obj)) {
+      return obj.map((item) => redact(item, depth + 1));
+    }
+    const result = {};
+    for (const [key, value] of Object.entries(obj)) {
+      if (allKeys.has(key.toLowerCase())) {
+        result[key] = REDACTION.REPLACEMENT;
+      } else {
+        result[key] = redact(value, depth + 1);
+      }
+    }
+    return result;
+  }
+  return redact;
+}
+var safeLog = createSafeLogger;
+
+// src/middleware/main.ts
+function arcis(options = {}) {
+  const middlewares = [];
+  const cleanupFns = [];
+  if (options.headers !== false) {
+    const headerOpts = typeof options.headers === "object" ? options.headers : {};
+    middlewares.push(createHeaders(headerOpts));
+  }
+  if (options.rateLimit !== false) {
+    const rateLimitOpts = typeof options.rateLimit === "object" ? options.rateLimit : {};
+    const rateLimiter = createRateLimiter(rateLimitOpts);
+    middlewares.push(rateLimiter);
+    cleanupFns.push(() => rateLimiter.close());
+  }
+  if (options.sanitize !== false) {
+    const sanitizeOpts = typeof options.sanitize === "object" ? options.sanitize : {};
+    middlewares.push(createSanitizer(sanitizeOpts));
+  }
+  const result = middlewares;
+  result.close = () => {
+    for (const fn of cleanupFns) {
+      fn();
+    }
+  };
+  return result;
+}
+var arcisWithMethods = arcis;
+arcisWithMethods.sanitize = createSanitizer;
+arcisWithMethods.rateLimit = createRateLimiter;
+arcisWithMethods.headers = createHeaders;
+arcisWithMethods.validate = validate;
+arcisWithMethods.logger = createSafeLogger;
+arcisWithMethods.errorHandler = createErrorHandler;
+var main_default = arcisWithMethods;
+
+// src/middleware/cors.ts
+var DEFAULT_METHODS = ["GET", "HEAD", "PUT", "PATCH", "POST", "DELETE"];
+var DEFAULT_HEADERS = ["Content-Type", "Authorization"];
+var DEFAULT_MAX_AGE = 600;
+function isOriginAllowed(requestOrigin, allowed) {
+  if (requestOrigin === "null") return false;
+  if (allowed === true) return true;
+  if (typeof allowed === "string") {
+    return requestOrigin === allowed;
+  }
+  if (Array.isArray(allowed)) {
+    return allowed.includes(requestOrigin);
+  }
+  if (allowed instanceof RegExp) {
+    return allowed.test(requestOrigin);
+  }
+  if (typeof allowed === "function") {
+    return allowed(requestOrigin);
+  }
+  return false;
+}
+function safeCors(options) {
+  const {
+    origin,
+    methods = DEFAULT_METHODS,
+    allowedHeaders = DEFAULT_HEADERS,
+    exposedHeaders = [],
+    credentials = false,
+    maxAge = DEFAULT_MAX_AGE,
+    preflightContinue = true
+  } = options;
+  return (req, res, next) => {
+    const requestOrigin = req.headers.origin;
+    res.setHeader("Vary", "Origin");
+    if (!requestOrigin) {
+      return next();
+    }
+    const allowed = isOriginAllowed(requestOrigin, origin);
+    if (!allowed) {
+      return next();
+    }
+    res.setHeader("Access-Control-Allow-Origin", requestOrigin);
+    if (credentials) {
+      res.setHeader("Access-Control-Allow-Credentials", "true");
+    }
+    if (exposedHeaders.length > 0) {
+      res.setHeader("Access-Control-Expose-Headers", exposedHeaders.join(", "));
+    }
+    if (req.method === "OPTIONS") {
+      res.setHeader("Access-Control-Allow-Methods", methods.join(", "));
+      res.setHeader("Access-Control-Allow-Headers", allowedHeaders.join(", "));
+      res.setHeader("Access-Control-Max-Age", String(maxAge));
+      if (preflightContinue) {
+        res.status(204).end();
+        return;
+      }
+    }
+    next();
+  };
+}
+var createCors = safeCors;
+
+// src/middleware/cookies.ts
+var COOKIE_ATTRS = {
+  HTTP_ONLY: "; HttpOnly",
+  SECURE: "; Secure",
+  SAME_SITE_STRICT: "; SameSite=Strict",
+  SAME_SITE_LAX: "; SameSite=Lax",
+  SAME_SITE_NONE: "; SameSite=None"
+};
+function enforceSecureCookie(cookieStr, options) {
+  const lower = cookieStr.toLowerCase();
+  let result = cookieStr;
+  if (options.httpOnly && !lower.includes("httponly")) {
+    result += COOKIE_ATTRS.HTTP_ONLY;
+  }
+  if (options.secure && !lower.includes("; secure")) {
+    result += COOKIE_ATTRS.SECURE;
+  }
+  if (options.sameSite !== false && !lower.includes("samesite")) {
+    switch (options.sameSite) {
+      case "Strict":
+        result += COOKIE_ATTRS.SAME_SITE_STRICT;
+        break;
+      case "None":
+        result += COOKIE_ATTRS.SAME_SITE_NONE;
+        if (!result.toLowerCase().includes("; secure")) {
+          result += COOKIE_ATTRS.SECURE;
+        }
+        break;
+      case "Lax":
+      default:
+        result += COOKIE_ATTRS.SAME_SITE_LAX;
+        break;
+    }
+  }
+  if (options.path) {
+    if (lower.includes("path=")) {
+      result = result.replace(/;\s*path=[^;]*/i, `; Path=${options.path}`);
+    } else {
+      result += `; Path=${options.path}`;
+    }
+  }
+  return result;
+}
+function secureCookieDefaults(options = {}) {
+  const isProduction = process.env.NODE_ENV === "production";
+  const resolved = {
+    httpOnly: options.httpOnly ?? true,
+    secure: options.secure ?? isProduction,
+    sameSite: options.sameSite ?? "Lax",
+    path: options.path
+  };
+  return (_req, res, next) => {
+    const originalSetHeader = res.setHeader.bind(res);
+    res.setHeader = function patchedSetHeader(name, value) {
+      if (name.toLowerCase() === "set-cookie") {
+        if (Array.isArray(value)) {
+          value = value.map((v) => enforceSecureCookie(String(v), resolved));
+        } else {
+          value = enforceSecureCookie(String(value), resolved);
+        }
+      }
+      return originalSetHeader(name, value);
+    };
+    next();
+  };
+}
+var createSecureCookies = secureCookieDefaults;
+
+// src/validation/url.ts
+function validateUrl(url, options = {}) {
+  const {
+    allowedProtocols = ["http:", "https:"],
+    blockedHosts = [],
+    allowedHosts = [],
+    allowLocalhost = false,
+    allowPrivate = false
+  } = options;
+  if (typeof url !== "string" || url.trim() === "") {
+    return { safe: false, reason: "invalid URL: empty or not a string" };
+  }
+  let parsed;
+  try {
+    parsed = new URL(url);
+  } catch {
+    return { safe: false, reason: "invalid URL: failed to parse" };
+  }
+  if (!allowedProtocols.includes(parsed.protocol)) {
+    return { safe: false, reason: `disallowed protocol: ${parsed.protocol}` };
+  }
+  if (parsed.username || parsed.password) {
+    return { safe: false, reason: "URL contains credentials" };
+  }
+  const hostname = parsed.hostname.toLowerCase();
+  if (allowedHosts.some((h) => hostname === h.toLowerCase())) {
+    return { safe: true };
+  }
+  if (blockedHosts.some((h) => hostname === h.toLowerCase())) {
+    return { safe: false, reason: `blocked host: ${hostname}` };
+  }
+  if (!allowLocalhost) {
+    if (hostname === "localhost" || hostname === "127.0.0.1" || hostname === "[::1]" || hostname === "::1" || hostname === "0.0.0.0" || hostname.endsWith(".localhost")) {
+      return { safe: false, reason: "loopback address" };
+    }
+    if (/^127\.\d{1,3}\.\d{1,3}\.\d{1,3}$/.test(hostname)) {
+      return { safe: false, reason: "loopback address" };
+    }
+  }
+  if (!allowPrivate) {
+    const privateCheck = checkPrivateIp(hostname);
+    if (privateCheck) {
+      return { safe: false, reason: privateCheck };
+    }
+  }
+  return { safe: true };
+}
+function isUrlSafe(url, options = {}) {
+  return validateUrl(url, options).safe;
+}
+function checkPrivateIp(hostname) {
+  if (/^10\.\d{1,3}\.\d{1,3}\.\d{1,3}$/.test(hostname)) {
+    return "private address (10.0.0.0/8)";
+  }
+  const match172 = hostname.match(/^172\.(\d{1,3})\.\d{1,3}\.\d{1,3}$/);
+  if (match172) {
+    const second = parseInt(match172[1], 10);
+    if (second >= 16 && second <= 31) {
+      return "private address (172.16.0.0/12)";
+    }
+  }
+  if (/^192\.168\.\d{1,3}\.\d{1,3}$/.test(hostname)) {
+    return "private address (192.168.0.0/16)";
+  }
+  if (/^169\.254\.\d{1,3}\.\d{1,3}$/.test(hostname)) {
+    return "link-local address (169.254.0.0/16)";
+  }
+  if (/^0\.\d{1,3}\.\d{1,3}\.\d{1,3}$/.test(hostname)) {
+    return "current network address (0.0.0.0/8)";
+  }
+  if (hostname === "metadata.google.internal" || hostname === "metadata.internal") {
+    return "cloud metadata endpoint";
+  }
+  const ipv6 = hostname.replace(/^\[|\]$/g, "");
+  if (ipv6 === "::1" || ipv6 === "::" || ipv6.startsWith("fc") || ipv6.startsWith("fd") || ipv6.startsWith("fe80")) {
+    return "private IPv6 address";
+  }
+  return null;
+}
+
+// src/validation/redirect.ts
+var DANGEROUS_PROTOCOLS = /^(javascript|data|vbscript|blob):/i;
+var CONTROL_CHARS = /[\t\n\r]/g;
+function validateRedirect(url, options = {}) {
+  const {
+    allowedHosts = [],
+    allowProtocolRelative = false,
+    allowedProtocols = ["http:", "https:"]
+  } = options;
+  if (typeof url !== "string" || url.trim() === "") {
+    return { safe: false, reason: "invalid redirect: empty or not a string" };
+  }
+  const cleaned = url.replace(CONTROL_CHARS, "");
+  if (DANGEROUS_PROTOCOLS.test(cleaned)) {
+    const proto = cleaned.match(DANGEROUS_PROTOCOLS);
+    return { safe: false, reason: `dangerous protocol: ${proto[0]}` };
+  }
+  if (cleaned.startsWith("\\")) {
+    return { safe: false, reason: "backslash-prefixed URL (browser treats as protocol-relative)" };
+  }
+  if (cleaned.startsWith("//")) {
+    if (!allowProtocolRelative) {
+      const host2 = extractHost(cleaned);
+      if (host2 && allowedHosts.some((h) => host2 === h.toLowerCase())) {
+        return { safe: true };
+      }
+      return { safe: false, reason: "protocol-relative URL not in allowed hosts" };
+    }
+    const host = extractHost(cleaned);
+    if (host && allowedHosts.length > 0 && !allowedHosts.some((h) => host === h.toLowerCase())) {
+      return { safe: false, reason: "protocol-relative URL not in allowed hosts" };
+    }
+    return { safe: true };
+  }
+  let parsed;
+  try {
+    parsed = new URL(cleaned);
+  } catch {
+    return { safe: true };
+  }
+  if (!allowedProtocols.includes(parsed.protocol)) {
+    return { safe: false, reason: `disallowed protocol: ${parsed.protocol}` };
+  }
+  const hostname = parsed.hostname.toLowerCase();
+  if (allowedHosts.length === 0) {
+    return { safe: false, reason: "absolute URL not in allowed hosts" };
+  }
+  if (!allowedHosts.some((h) => hostname === h.toLowerCase())) {
+    return { safe: false, reason: `host not allowed: ${hostname}` };
+  }
+  return { safe: true };
+}
+function isRedirectSafe(url, options = {}) {
+  return validateRedirect(url, options).safe;
+}
+function extractHost(url) {
+  const match = url.match(/^\/\/([^/:?#]+)/);
+  return match ? match[1].toLowerCase() : null;
+}
+
+// src/stores/memory.ts
+var MemoryStore = class {
+  constructor(windowMs = RATE_LIMIT.DEFAULT_WINDOW_MS) {
+    this.store = /* @__PURE__ */ new Map();
+    this.cleanupInterval = null;
+    if (!Number.isFinite(windowMs) || windowMs < RATE_LIMIT.MIN_WINDOW_MS) {
+      throw new RangeError(
+        `MemoryStore: windowMs must be a finite number >= ${RATE_LIMIT.MIN_WINDOW_MS} (got ${windowMs})`
+      );
+    }
+    this.windowMs = windowMs;
+    this.startCleanup();
+  }
+  /**
+   * Start the cleanup interval to remove expired entries.
+   */
+  startCleanup() {
+    const CLEANUP_MIN_MS = 3e4;
+    const CLEANUP_MAX_MS = 3e5;
+    const cleanupMs = Math.min(Math.max(this.windowMs, CLEANUP_MIN_MS), CLEANUP_MAX_MS);
+    this.cleanupInterval = setInterval(() => {
+      const now = Date.now();
+      for (const [key, entry] of this.store.entries()) {
+        if (entry.resetTime < now) {
+          this.store.delete(key);
+        }
+      }
+    }, cleanupMs);
+    if (typeof this.cleanupInterval.unref === "function") {
+      this.cleanupInterval.unref();
+    }
+  }
+  async get(key) {
+    const entry = this.store.get(key);
+    if (!entry) return null;
+    if (entry.resetTime < Date.now()) {
+      this.store.delete(key);
+      return null;
+    }
+    return entry;
+  }
+  async set(key, entry) {
+    this.store.set(key, entry);
+  }
+  async increment(key) {
+    const now = Date.now();
+    const entry = this.store.get(key);
+    if (!entry || entry.resetTime < now) {
+      this.store.set(key, { count: 1, resetTime: now + this.windowMs });
+      return 1;
+    }
+    entry.count++;
+    return entry.count;
+  }
+  async decrement(key) {
+    const entry = this.store.get(key);
+    if (entry && entry.count > 0) {
+      entry.count--;
+    }
+  }
+  async reset(key) {
+    this.store.delete(key);
+  }
+  async close() {
+    if (this.cleanupInterval) {
+      clearInterval(this.cleanupInterval);
+      this.cleanupInterval = null;
+    }
+    this.store.clear();
+  }
+  /**
+   * Get current store size (for monitoring).
+   */
+  get size() {
+    return this.store.size;
+  }
+};
+
+// src/stores/redis.ts
+var RedisStore = class {
+  constructor(options) {
+    this.client = options.client;
+    this.prefix = options.prefix ?? "arcis:rl:";
+    this.windowMs = options.windowMs ?? RATE_LIMIT.DEFAULT_WINDOW_MS;
+    this.windowSec = Math.ceil(this.windowMs / 1e3);
+  }
+  getKey(key) {
+    return `${this.prefix}${key}`;
+  }
+  async get(key) {
+    const redisKey = this.getKey(key);
+    const [countStr, ttl] = await Promise.all([
+      this.client.get(redisKey),
+      this.client.ttl(redisKey)
+    ]);
+    if (!countStr || ttl < 0) {
+      return null;
+    }
+    const count = parseInt(countStr, 10);
+    if (isNaN(count)) {
+      return null;
+    }
+    return {
+      count,
+      resetTime: Date.now() + ttl * 1e3
+    };
+  }
+  async set(key, entry) {
+    const redisKey = this.getKey(key);
+    const ttlSec = Math.max(1, Math.ceil((entry.resetTime - Date.now()) / 1e3));
+    await this.client.setex(redisKey, ttlSec, entry.count.toString());
+  }
+  async increment(key) {
+    const redisKey = this.getKey(key);
+    const count = await this.client.incr(redisKey);
+    if (count === 1) {
+      await this.client.expire(redisKey, this.windowSec);
+    }
+    return count;
+  }
+  async decrement(key) {
+    const redisKey = this.getKey(key);
+    await this.client.decr(redisKey);
+  }
+  async reset(key) {
+    const redisKey = this.getKey(key);
+    await this.client.del(redisKey);
+  }
+  async close() {
+  }
+};
+function createRedisStore(options) {
+  return new RedisStore(options);
+}
+
+exports.ArcisError = ArcisError;
+exports.ArcisValidationError = ValidationError;
+exports.BLOCKED = BLOCKED;
+exports.ERRORS = ERRORS;
+exports.HEADERS = HEADERS;
+exports.INPUT = INPUT;
+exports.InputTooLargeError = InputTooLargeError;
+exports.MemoryStore = MemoryStore;
+exports.RATE_LIMIT = RATE_LIMIT;
+exports.REDACTION = REDACTION;
+exports.RateLimitError = RateLimitError;
+exports.RedisStore = RedisStore;
+exports.SanitizationError = SanitizationError;
+exports.SecurityThreatError = SecurityThreatError;
+exports.VALIDATION = VALIDATION;
+exports.arcis = arcis;
+exports.arcisFunction = arcisWithMethods;
+exports.createCors = createCors;
+exports.createErrorHandler = createErrorHandler;
+exports.createHeaders = createHeaders;
+exports.createRateLimiter = createRateLimiter;
+exports.createRedactor = createRedactor;
+exports.createRedisStore = createRedisStore;
+exports.createSafeLogger = createSafeLogger;
+exports.createSanitizer = createSanitizer;
+exports.createSecureCookies = createSecureCookies;
+exports.createValidator = createValidator;
+exports.default = main_default;
+exports.detectCommandInjection = detectCommandInjection;
+exports.detectHeaderInjection = detectHeaderInjection;
+exports.detectNoSqlInjection = detectNoSqlInjection;
+exports.detectPathTraversal = detectPathTraversal;
+exports.detectPrototypePollution = detectPrototypePollution;
+exports.detectSql = detectSql;
+exports.detectXss = detectXss;
+exports.enforceSecureCookie = enforceSecureCookie;
+exports.errorHandler = errorHandler;
+exports.isDangerousExtension = isDangerousExtension;
+exports.isDangerousNoSqlKey = isDangerousNoSqlKey;
+exports.isDangerousProtoKey = isDangerousProtoKey;
+exports.isRedirectSafe = isRedirectSafe;
+exports.isUrlSafe = isUrlSafe;
+exports.rateLimit = rateLimit;
+exports.safeCors = safeCors;
+exports.safeLog = safeLog;
+exports.sanitizeCommand = sanitizeCommand;
+exports.sanitizeFilename = sanitizeFilename;
+exports.sanitizeHeaderValue = sanitizeHeaderValue;
+exports.sanitizeHeaders = sanitizeHeaders;
+exports.sanitizeObject = sanitizeObject;
+exports.sanitizePath = sanitizePath;
+exports.sanitizeSql = sanitizeSql;
+exports.sanitizeString = sanitizeString;
+exports.sanitizeXss = sanitizeXss;
+exports.secureCookieDefaults = secureCookieDefaults;
+exports.securityHeaders = securityHeaders;
+exports.validate = validate;
+exports.validateFile = validateFile;
+exports.validateRedirect = validateRedirect;
+exports.validateUrl = validateUrl;
+//# sourceMappingURL=index.js.map
+//# sourceMappingURL=index.js.map