npm - @arcis/node - Versions diffs - 1.1.0 → 1.2.0 - Mend

@arcis/node 1.1.0 → 1.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (50) hide show

package/README.md +156 -211
package/dist/core/index.d.mts +4 -4
package/dist/core/index.d.ts +4 -4
package/dist/core/index.js +13 -2
package/dist/core/index.js.map +1 -1
package/dist/core/index.mjs +13 -2
package/dist/core/index.mjs.map +1 -1
package/dist/{index-CslcoZUN.d.mts → index-A-m-pPeW.d.mts} +1 -1
package/dist/{index-CCcPuTBo.d.mts → index-CgK94hY_.d.mts} +96 -2
package/dist/{index-iCOw8Fcg.d.ts → index-Co5kPRZz.d.ts} +1 -1
package/dist/{index-BvcFpoR3.d.ts → index-D_bdJcF0.d.ts} +96 -2
package/dist/index.d.mts +4 -4
package/dist/index.d.ts +4 -4
package/dist/index.js +553 -5
package/dist/index.js.map +1 -1
package/dist/index.mjs +540 -7
package/dist/index.mjs.map +1 -1
package/dist/logging/index.d.mts +1 -1
package/dist/logging/index.d.ts +1 -1
package/dist/logging/index.js +12 -1
package/dist/logging/index.js.map +1 -1
package/dist/logging/index.mjs +12 -1
package/dist/logging/index.mjs.map +1 -1
package/dist/middleware/index.d.mts +2 -2
package/dist/middleware/index.d.ts +2 -2
package/dist/middleware/index.js +146 -4
package/dist/middleware/index.js.map +1 -1
package/dist/middleware/index.mjs +143 -5
package/dist/middleware/index.mjs.map +1 -1
package/dist/{headers-DBQedhrb.d.mts → pii-CXcHMlnX.d.mts} +156 -2
package/dist/{headers-BJq2OA0i.d.ts → pii-DhNpl7M3.d.ts} +156 -2
package/dist/sanitizers/index.d.mts +2 -2
package/dist/sanitizers/index.d.ts +2 -2
package/dist/sanitizers/index.js +331 -3
package/dist/sanitizers/index.js.map +1 -1
package/dist/sanitizers/index.mjs +321 -4
package/dist/sanitizers/index.mjs.map +1 -1
package/dist/stores/index.d.mts +1 -1
package/dist/stores/index.d.ts +1 -1
package/dist/stores/index.js.map +1 -1
package/dist/stores/index.mjs.map +1 -1
package/dist/{types-BOdL3ZWo.d.mts → types-CsOFHoD9.d.mts} +6 -1
package/dist/{types-BOdL3ZWo.d.ts → types-CsOFHoD9.d.ts} +6 -1
package/dist/validation/index.d.mts +2 -2
package/dist/validation/index.d.ts +2 -2
package/dist/validation/index.js +105 -3
package/dist/validation/index.js.map +1 -1
package/dist/validation/index.mjs +105 -3
package/dist/validation/index.mjs.map +1 -1
package/package.json +114 -114

package/dist/core/index.mjs.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"sources":["../../src/core/constants.ts","../../src/core/errors.ts"],"names":[],"mappings":";AAQO,IAAM,KAAA,GAAQ;AAAA;AAAA,EAEnB,gBAAA,EAAkB,GAAA;AAAA;AAAA,EAElB,mBAAA,EAAqB;AACvB;AAKO,IAAM,UAAA,GAAa;AAAA;AAAA,EAExB,iBAAA,EAAmB,GAAA;AAAA;AAAA,EAEnB,oBAAA,EAAsB,GAAA;AAAA;AAAA,EAEtB,mBAAA,EAAqB,GAAA;AAAA;AAAA,EAErB,eAAA,EAAiB,4CAAA;AAAA;AAAA,EAEjB,aAAA,EAAe,GAAA;AAAA;AAAA,EAEf,aAAA,EAAe;AACjB;AAKO,IAAM,OAAA,GAAU;AAAA;AAAA,EAErB,WAAA,EAAa;AAAA,IACX,oBAAA;AAAA,IACA,mBAAA;AAAA,IACA,kCAAA;AAAA,IACA,6BAAA;AAAA,IACA,iBAAA;AAAA,IACA,mBAAA;AAAA,IACA;AAAA,GACF,CAAE,KAAK,IAAI,CAAA;AAAA;AAAA,EAEX,YAAA,EAAc,OAAA;AAAA;AAAA,EAEd,aAAA,EAAe,MAAA;AAAA;AAAA,EAEf,oBAAA,EAAsB,SAAA;AAAA;AAAA,EAEtB,eAAA,EAAiB,iCAAA;AAAA;AAAA,EAEjB,kBAAA,EAAoB,0CAAA;AAAA;AAAA,EAEpB,aAAA,EAAe;AACjB;AAUO,IAAM,YAAA,GAAe;AAAA;AAAA,EAE1B,mCAAA;AAAA;AAAA,EAEA,kBAAA;AAAA;AAAA,EAEA,gBAAA;AAAA;AAAA,EAEA,sBAAA;AAAA;AAAA,EAEA,WAAA;AAAA;AAAA,EAEA,WAAA;AAAA;AAAA,EAEA,UAAA;AAAA;AAAA,EAEA,sBAAA;AAAA;AAAA,EAEA,aAAA;AAAA;AAAA,EAEA;AACF;AAuCO,IAAM,YAAA,GAAe;AAAA;AAAA,EAE1B,qFAAA;AAAA;AAAA,EAEA,mBAAA;AAAA;AAAA,EAEA,cAAA;AAAA;AAAA,EAEA,wBAAA;AAAA;AAAA,EAEA,8CAAA;AAAA,EACA,oDAAA;AAAA;AAAA,EAEA,yBAAA;AAAA;AAAA,EAEA,+CAAA;AAAA,EACA,qDAAA;AAAA;AAAA,EAEA,2BAAA;AAAA;AAAA,EAEA;AACF;AAKO,IAAM,aAAA,GAAgB;AAAA;AAAA,EAE3B,SAAA;AAAA;AAAA,EAEA,SAAA;AAAA;AAAA,EAEA,UAAA;AAAA;AAAA,EAEA,SAAA;AAAA;AAAA,EAEA,WAAA;AAAA;AAAA,EAEA,cAAA;AAAA,EACA,cAAA;AAAA;AAAA,EAEA,aAAA;AAAA;AAAA,EAEA;AACF;AAKO,IAAM,gBAAA,GAAmB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAU9B,SAAA;AAAA;AAAA,EAEA;AACF;AAiBO,IAAM,oBAAA,uBAA2B,GAAA,CAAI;AAAA,EAC1C,WAAA;AAAA,EACA,aAAA;AAAA,EACA,WAAA;AAAA,EACA,kBAAA;AAAA,EACA,kBAAA;AAAA,EACA,kBAAA;AAAA,EACA;AACF,CAAC;AAGM,IAAM,oBAAA,uBAA2B,GAAA,CAAI;AAAA;AAAA,EAE1C,KAAA;AAAA,EAAO,MAAA;AAAA,EAAQ,KAAA;AAAA,EAAO,MAAA;AAAA,EAAQ,KAAA;AAAA,EAAO,KAAA;AAAA,EAAO,KAAA;AAAA,EAAO,MAAA;AAAA;AAAA,EAEnD,MAAA;AAAA,EAAQ,KAAA;AAAA,EAAO,MAAA;AAAA,EAAQ,MAAA;AAAA;AAAA,EAEvB,SAAA;AAAA,EAAW,OAAA;AAAA,EAAS,QAAA;AAAA,EAAU,QAAA;AAAA,EAAU,OAAA;AAAA,EAAS,MAAA;AAAA,EAAQ,OAAA;AAAA;AAAA,EAEzD,YAAA;AAAA,EAAc,MAAA;AAAA,EAAQ,OAAA;AAAA;AAAA,EAEtB,WAAA;AAAA,EAAa,cAAA;AAAA;AAAA,EAEb,SAAA;AAAA,EAAW,QAAA;AAAA,EAAU,UAAA;AAAA,EAAY,QAAA;AAAA,EAAU,OAAA;AAAA,EAAS,QAAA;AAAA,EAAU,OAAA;AAAA,EAC9D,SAAA;AAAA,EAAW,YAAA;AAAA,EAAc;AAC3B,CAAC;AAKM,IAAM,SAAA,GAAY;AAAA;AAAA,EAEvB,WAAA,EAAa,YAAA;AAAA;AAAA,EAEb,SAAA,EAAW,aAAA;AAAA;AAAA,EAEX,SAAA,EAAW,aAAA;AAAA;AAAA,EAEX,kBAAA,EAAoB,GAAA;AAAA;AAAA,EAEpB,cAAA,sBAAoB,GAAA,CAAI;AAAA,IACtB,UAAA;AAAA,IAAY,QAAA;AAAA,IAAU,KAAA;AAAA,IAAO,QAAA;AAAA,IAAU,OAAA;AAAA,IAAS,QAAA;AAAA,IAChD,SAAA;AAAA,IAAW,QAAA;AAAA,IAAU,MAAA;AAAA,IAAQ,eAAA;AAAA,IAAiB,aAAA;AAAA,IAC9C,YAAA;AAAA,IAAc,IAAA;AAAA,IAAM,KAAA;AAAA,IAAO,iBAAA;AAAA,IAAmB,aAAA;AAAA,IAC9C,YAAA;AAAA,IAAc,cAAA;AAAA,IAAgB,aAAA;AAAA,IAAe,eAAA;AAAA,IAC7C,cAAA;AAAA,IAAgB,QAAA;AAAA,IAAU,KAAA;AAAA,IAAO,SAAA;AAAA,IAAW,QAAA;AAAA,IAC5C,aAAA;AAAA,IAAe,WAAA;AAAA,IAAa;AAAA,GAC7B;AACH;AAKO,IAAM,UAAA,GAAa;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAMxB,KAAA,EAAO,wDAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAMP,GAAA,EAAK,+BAAA;AAAA;AAAA,EAEL,IAAA,EAAM;AACR;AAKO,IAAM,MAAA,GAAS;AAAA;AAAA,EAEpB,qBAAA,EAAuB,uBAAA;AAAA;AAAA,EAEvB,eAAA,EAAiB,CAAC,OAAA,KAAoB,CAAA,8BAAA,EAAiC,OAAO,CAAA,MAAA,CAAA;AAAA;AAAA,EAE9E,UAAA,EAAY;AAAA,IACV,QAAA,EAAU,CAAC,KAAA,KAAkB,CAAA,EAAG,KAAK,CAAA,YAAA,CAAA;AAAA,IACrC,cAAc,CAAC,KAAA,EAAe,SAAiB,CAAA,EAAG,KAAK,cAAc,IAAI,CAAA,CAAA;AAAA,IACzE,YAAY,CAAC,KAAA,EAAe,QAAgB,CAAA,EAAG,KAAK,qBAAqB,GAAG,CAAA,WAAA,CAAA;AAAA,IAC5E,YAAY,CAAC,KAAA,EAAe,QAAgB,CAAA,EAAG,KAAK,oBAAoB,GAAG,CAAA,WAAA,CAAA;AAAA,IAC3E,WAAW,CAAC,KAAA,EAAe,QAAgB,CAAA,EAAG,KAAK,qBAAqB,GAAG,CAAA,CAAA;AAAA,IAC3E,WAAW,CAAC,KAAA,EAAe,QAAgB,CAAA,EAAG,KAAK,oBAAoB,GAAG,CAAA,CAAA;AAAA,IAC1E,cAAA,EAAgB,CAAC,KAAA,KAAkB,CAAA,EAAG,KAAK,CAAA,kBAAA,CAAA;AAAA,IAC3C,aAAA,EAAe,CAAC,KAAA,KAAkB,CAAA,EAAG,KAAK,CAAA,sBAAA,CAAA;AAAA,IAC1C,WAAA,EAAa,CAAC,KAAA,KAAkB,CAAA,EAAG,KAAK,CAAA,oBAAA,CAAA;AAAA,IACxC,YAAA,EAAc,CAAC,KAAA,KAAkB,CAAA,EAAG,KAAK,CAAA,qBAAA,CAAA;AAAA,IACzC,YAAA,EAAc,CAAC,KAAA,EAAe,MAAA,KAAsB,CAAA,EAAG,KAAK,CAAA,iBAAA,EAAoB,MAAA,CAAO,IAAA,CAAK,IAAI,CAAC,CAAA,CAAA;AAAA,IACjG,WAAW,CAAC,KAAA,EAAe,QAAgB,CAAA,EAAG,KAAK,uBAAuB,GAAG,CAAA,MAAA,CAAA;AAAA,IAC7E,WAAW,CAAC,KAAA,EAAe,QAAgB,CAAA,EAAG,KAAK,sBAAsB,GAAG,CAAA,MAAA;AAAA;AAEhF;AAKO,IAAM,OAAA,GAAU;;;AC3ShB,IAAM,UAAA,GAAN,cAAyB,KAAA,CAAM;AAAA,EAMpC,WAAA,CAAY,OAAA,EAAiB,UAAA,GAAa,GAAA,EAAK,OAAO,aAAA,EAAe;AACnE,IAAA,KAAA,CAAM,OAAO,CAAA;AACb,IAAA,IAAA,CAAK,IAAA,GAAO,YAAA;AACZ,IAAA,IAAA,CAAK,UAAA,GAAa,UAAA;AAClB,IAAA,IAAA,CAAK,IAAA,GAAO,IAAA;AAGZ,IAAA,IAAA,CAAK,SAAS,UAAA,GAAa,GAAA;AAG3B,IAAA,IAAI,MAAM,iBAAA,EAAmB;AAC3B,MAAA,KAAA,CAAM,iBAAA,CAAkB,IAAA,EAAM,IAAA,CAAK,WAAW,CAAA;AAAA,IAChD;AAAA,EACF;AACF;AAKO,IAAM,eAAA,GAAN,cAA8B,UAAA,CAAW;AAAA,EAG9C,YAAY,MAAA,EAAkB;AAC5B,IAAA,KAAA,CAAM,mBAAA,EAAqB,KAAK,kBAAkB,CAAA;AAClD,IAAA,IAAA,CAAK,IAAA,GAAO,iBAAA;AACZ,IAAA,IAAA,CAAK,MAAA,GAAS,MAAA;AAAA,EAChB;AACF;AAQO,IAAM,cAAA,GAAN,cAA6B,UAAA,CAAW;AAAA,EAG7C,WAAA,CAAY,SAAiB,UAAA,EAAoB;AAC/C,IAAA,KAAA,CAAM,OAAA,EAAS,KAAK,qBAAqB,CAAA;AACzC,IAAA,IAAA,CAAK,IAAA,GAAO,gBAAA;AACZ,IAAA,IAAA,CAAK,UAAA,GAAa,UAAA;AAAA,EACpB;AACF;AAKO,IAAM,kBAAA,GAAN,cAAiC,UAAA,CAAW;AAAA,EAIjD,WAAA,CAAY,SAAiB,UAAA,EAAoB;AAC/C,IAAA,KAAA,CAAM,CAAA,8BAAA,EAAiC,OAAO,CAAA,MAAA,CAAA,EAAU,GAAA,EAAK,iBAAiB,CAAA;AAC9E,IAAA,IAAA,CAAK,IAAA,GAAO,oBAAA;AACZ,IAAA,IAAA,CAAK,OAAA,GAAU,OAAA;AACf,IAAA,IAAA,CAAK,UAAA,GAAa,UAAA;AAAA,EACpB;AACF;AAKO,IAAM,mBAAA,GAAN,cAAkC,UAAA,CAAW;AAAA,EAIlD,WAAA,CAAY,YAAoB,OAAA,EAAiB;AAC/C,IAAA,KAAA,CAAM,sCAAA,EAAwC,KAAK,iBAAiB,CAAA;AACpE,IAAA,IAAA,CAAK,IAAA,GAAO,qBAAA;AACZ,IAAA,IAAA,CAAK,UAAA,GAAa,UAAA;AAClB,IAAA,IAAA,CAAK,OAAA,GAAU,OAAA;AAAA,EACjB;AACF;AAKO,IAAM,iBAAA,GAAN,cAAgC,UAAA,CAAW;AAAA,EAChD,YAAY,OAAA,EAAiB;AAC3B,IAAA,KAAA,CAAM,OAAA,EAAS,KAAK,oBAAoB,CAAA;AACxC,IAAA,IAAA,CAAK,IAAA,GAAO,mBAAA;AAAA,EACd;AACF","file":"index.mjs","sourcesContent":["/*\r\n @module @arcis/node/core/constants\r\n * Named constants for Arcis - no magic numbers\r\n /\r\n\r\n// =============================================================================\r\n// INPUT LIMITS\r\n// =============================================================================\r\nexport const INPUT = {\r\n /* Default maximum input size (1MB) /\r\n DEFAULT_MAX_SIZE: 1_000_000,\r\n /* Maximum recursion depth for nested objects /\r\n MAX_RECURSION_DEPTH: 10,\r\n} as const;\r\n\r\n// =============================================================================\r\n// RATE LIMITING\r\n// =============================================================================\r\nexport const RATE_LIMIT = {\r\n /* Default window size (1 minute) /\r\n DEFAULT_WINDOW_MS: 60_000,\r\n /* Default max requests per window /\r\n DEFAULT_MAX_REQUESTS: 100,\r\n /* Default HTTP status code for rate limited responses /\r\n DEFAULT_STATUS_CODE: 429,\r\n /* Default error message /\r\n DEFAULT_MESSAGE: 'Too many requests, please try again later.',\r\n /* Minimum window size (1 second) /\r\n MIN_WINDOW_MS: 1_000,\r\n /* Maximum window size (24 hours) /\r\n MAX_WINDOW_MS: 86_400_000,\r\n} as const;\r\n\r\n// =============================================================================\r\n// SECURITY HEADERS\r\n// =============================================================================\r\nexport const HEADERS = {\r\n /* Default Content Security Policy /\r\n DEFAULT_CSP: [\r\n \"default-src 'self'\",\r\n \"script-src 'self'\",\r\n \"style-src 'self' 'unsafe-inline'\",\r\n \"img-src 'self' data: https:\",\r\n \"font-src 'self'\",\r\n \"object-src 'none'\",\r\n \"frame-ancestors 'none'\",\r\n ].join('; '),\r\n /* Default HSTS max age (1 year in seconds) /\r\n HSTS_MAX_AGE: 31_536_000,\r\n /* Default X-Frame-Options value /\r\n FRAME_OPTIONS: 'DENY' as const,\r\n /* Default X-Content-Type-Options value /\r\n CONTENT_TYPE_OPTIONS: 'nosniff',\r\n /* Default Referrer-Policy value /\r\n REFERRER_POLICY: 'strict-origin-when-cross-origin',\r\n /* Default Permissions-Policy value /\r\n PERMISSIONS_POLICY: 'geolocation=(), microphone=(), camera=()',\r\n /* Default Cache-Control value for security /\r\n CACHE_CONTROL: 'no-store, no-cache, must-revalidate, proxy-revalidate',\r\n} as const;\r\n\r\n// =============================================================================\r\n// XSS PATTERNS (ReDoS-safe)\r\n// =============================================================================\r\n\r\n/\r\n Detection patterns — used to flag whether a string contains XSS payloads.\r\n * Must stay in sync with XSS_REMOVE_PATTERNS below.\r\n /\r\nexport const XSS_PATTERNS = [\r\n /* Script tags (ReDoS-safe version) /\r\n /<script[^>]>[\\s\\S]?<\\/script>/gi,\r\n /* javascript: protocol (allow optional spaces before colon) /\r\n /javascript\\s:/gi,\r\n /** vbscript: protocol /\r\n /vbscript\\s:/gi,\r\n /** Event handlers (onclick, onerror, etc.) — any separator before attribute /\r\n /(?:[\\s/])on\\w+\\s=/gi,\r\n /** iframe tags /\r\n /<iframe/gi,\r\n /* object tags /\r\n /<object/gi,\r\n /* embed tags /\r\n /<embed/gi,\r\n /* data: URIs (only dangerous ones, avoid false positives) /\r\n /(?:^\|[\\s\"'=])data:/gi,\r\n /* URL-encoded script tags /\r\n /%3Cscript/gi,\r\n /* SVG with onload /\r\n /<svg[^>]onload/gi,\r\n] as const;\r\n\r\n/*\r\n Removal patterns — used by sanitizeXss() to strip dangerous content.\r\n * More targeted than XSS_PATTERNS: each pattern captures the full dangerous\r\n * substring (tag, attribute + value, protocol) so it can be replaced safely.\r\n * Must stay in sync with XSS_PATTERNS above.\r\n /\r\nexport const XSS_REMOVE_PATTERNS = [\r\n /* Full script blocks (content + tags) /\r\n /<script[^>]>[\\s\\S]?<\\/script>/gi,\r\n /* Standalone/unclosed script tags /\r\n /<script[^>]>/gi,\r\n /** iframe — full block and partial/unclosed /\r\n /<iframe[^>]>[\\s\\S]?<\\/iframe>/gi,\r\n /<iframe[^>]/gi,\r\n /** object — full block and partial/unclosed /\r\n /<object[^>]>[\\s\\S]?<\\/object>/gi,\r\n /<object[^>]/gi,\r\n /** embed tags /\r\n /<embed[^>]/gi,\r\n /** SVG with inline event handlers /\r\n /<svg[^>]onload[^>]>/gi,\r\n /* URL-encoded script tags /\r\n /%3Cscript/gi,\r\n /* Event handlers with quoted values: onclick=\"...\", onerror='...' /\r\n /(?:[\\s/])on\\w+\\s=\\s[\"'][^\"'][\"']/gi,\r\n /** Event handlers with unquoted values: onload=value /\r\n /(?:[\\s/])on\\w+\\s=\\s[^\\s>]/gi,\r\n /** javascript: and vbscript: protocols (allow optional spaces before colon) /\r\n /javascript\\s:/gi,\r\n /vbscript\\s:/gi,\r\n /* data: URIs with HTML/script content /\r\n /data\\s:\\stext\\/html[^>\\s]/gi,\r\n] as const;\r\n\r\n// =============================================================================\r\n// SQL INJECTION PATTERNS\r\n// =============================================================================\r\nexport const SQL_PATTERNS = [\r\n /** SQL keywords /\r\n /(\\b(SELECT\|INSERT\|UPDATE\|DELETE\|DROP\|UNION\|ALTER\|CREATE\|TRUNCATE\|EXEC\|EXECUTE)\\b)/gi,\r\n /* SQL comments: ANSI (--), C-style (slash-star ... star-slash), MySQL (#) /\r\n /(--\|\\/\\\|\\\\/\|#)/g,\r\n /* SQL statement separators /\r\n /(;\|\\\|\\\|\|&&)/g,\r\n /* Boolean injection: OR 1=1 /\r\n /\\bOR\\s+\\d+\\s=\\s\\d+/gi,\r\n /* Boolean injection: OR 'a'='a' or OR \"a\"=\"a\" (including mixed quotes) /\r\n /\\bOR\\s+(['\"])[^'\"]\\1\\s=\\s(['\"])[^'\"]\\2/gi,\r\n /\\bOR\\s+('[^']'\|\"[^\"]\")\\s=\\s('[^']'\|\"[^\"]\")/gi,\r\n /* Boolean injection: AND 1=1 /\r\n /\\bAND\\s+\\d+\\s=\\s\\d+/gi,\r\n /* Boolean injection: AND 'a'='a' or AND \"a\"=\"a\" (including mixed quotes) /\r\n /\\bAND\\s+(['\"])[^'\"]\\1\\s=\\s(['\"])[^'\"]\\2/gi,\r\n /\\bAND\\s+('[^']'\|\"[^\"]\")\\s=\\s('[^']'\|\"[^\"]\")/gi,\r\n /* Time-based blind: SLEEP() /\r\n /\\bSLEEP\\s\$\\s\\d+\\s\$/gi,\r\n /** Time-based blind: BENCHMARK() /\r\n /\\bBENCHMARK\\s\\(/gi,\r\n] as const;\r\n\r\n// =============================================================================\r\n// PATH TRAVERSAL PATTERNS\r\n// =============================================================================\r\nexport const PATH_PATTERNS = [\r\n /** Unix path traversal /\r\n /\\.\\.\\//g,\r\n /* Windows path traversal /\r\n /\\.\\.\\\\/g,\r\n /* URL-encoded traversal (%2e%2e) /\r\n /%2e%2e/gi,\r\n /* Double URL-encoded traversal (%252e) /\r\n /%252e/gi,\r\n /* Mixed encoding: ..%2F /\r\n /\\.\\.%2F/gi,\r\n /* Mixed encoding: %2e./ and .%2e/ /\r\n /%2e\\.[\\\\/]/gi,\r\n /\\.%2e[\\\\/]/gi,\r\n /* Fully URL-encoded: %2e%2e%2f /\r\n /%2e%2e%2f/gi,\r\n /* Null byte injection in paths /\r\n /\\0/g,\r\n] as const;\r\n\r\n// =============================================================================\r\n// COMMAND INJECTION PATTERNS\r\n// =============================================================================\r\nexport const COMMAND_PATTERNS = [\r\n /\r\n Shell metacharacters that enable command chaining/substitution.\r\n * Bare ( and ) are excluded — they appear in common legitimate values\r\n * (function calls in code fields, math expressions, etc.).\r\n * Command substitution is caught by the $( combined pattern below.\r\n * NOTE: ';', '&', '\|' may appear in legitimate URL query strings\r\n * and Markdown; consider disabling command checking (command: false)\r\n * for fields that intentionally allow those characters.\r\n /\r\n /[;&\|`]/g,\r\n /* Command substitution: $( ... ) — matched as a pair to reduce false positives /\r\n /\\$\\(/g,\r\n] as const;\r\n\r\n// =============================================================================\r\n// DANGEROUS KEYS\r\n// =============================================================================\r\n\r\n/\r\n Prototype pollution keys to block.\r\n * Stored lowercase — always compare with key.toLowerCase().\r\n \r\n Includes:\r\n * - __proto__: direct prototype assignment\r\n * - constructor: access to constructor.prototype chain\r\n * - prototype: direct prototype property\r\n * - __defineGetter__/__defineSetter__: legacy property definition (can override getters/setters)\r\n * - __lookupGetter__/__lookupSetter__: legacy property introspection\r\n /\r\nexport const DANGEROUS_PROTO_KEYS = new Set([\r\n '__proto__',\r\n 'constructor',\r\n 'prototype',\r\n '__definegetter__',\r\n '__definesetter__',\r\n '__lookupgetter__',\r\n '__lookupsetter__',\r\n]);\r\n\r\n/* MongoDB operators to block /\r\nexport const NOSQL_DANGEROUS_KEYS = new Set([\r\n // Comparison\r\n '$gt', '$gte', '$lt', '$lte', '$ne', '$eq', '$in', '$nin',\r\n // Logical\r\n '$and', '$or', '$not', '$nor',\r\n // Element / evaluation\r\n '$exists', '$type', '$regex', '$where', '$expr', '$mod', '$text',\r\n // Array\r\n '$elemMatch', '$all', '$size',\r\n // JavaScript execution (critical)\r\n '$function', '$accumulator',\r\n // Aggregation pipeline operators (injectable via $lookup etc.)\r\n '$lookup', '$match', '$project', '$group', '$sort', '$limit', '$skip',\r\n '$unwind', '$addFields', '$replaceRoot',\r\n]);\r\n\r\n// =============================================================================\r\n// REDACTION\r\n// =============================================================================\r\nexport const REDACTION = {\r\n /* Replacement text for redacted values /\r\n REPLACEMENT: '[REDACTED]',\r\n /* Truncation indicator /\r\n TRUNCATED: '[TRUNCATED]',\r\n /* Max depth indicator /\r\n MAX_DEPTH: '[MAX_DEPTH]',\r\n /* Default max message length /\r\n DEFAULT_MAX_LENGTH: 10_000,\r\n /* Default sensitive keys to redact /\r\n SENSITIVE_KEYS: new Set([\r\n 'password', 'passwd', 'pwd', 'secret', 'token', 'apikey',\r\n 'api_key', 'apiKey', 'auth', 'authorization', 'credit_card',\r\n 'creditcard', 'cc', 'ssn', 'social_security', 'private_key',\r\n 'privateKey', 'access_token', 'accessToken', 'refresh_token',\r\n 'refreshToken', 'bearer', 'jwt', 'session', 'cookie',\r\n 'credentials', 'x-api-key', 'x-auth-token',\r\n ]),\r\n} as const;\r\n\r\n// =============================================================================\r\n// VALIDATION PATTERNS\r\n// =============================================================================\r\nexport const VALIDATION = {\r\n /\r\n Email regex pattern.\r\n * Rejects consecutive dots in local part (e.g. test..foo@example.com),\r\n * leading/trailing dots, and other common invalid forms.\r\n /\r\n EMAIL: /^[^\\s@.][^\\s@](?:\\.[^\\s@.][^\\s@])@[^\\s@]+\\.[^\\s@]+$/,\r\n /*\r\n URL regex pattern.\r\n * Only allows http:// and https:// — explicitly rejects javascript:,\r\n * data:, vbscript:, and other dangerous URI schemes.\r\n /\r\n URL: /^https?:\\/\\/[^\\s/$.?#][^\\s]$/,\r\n /** UUID regex pattern (v4) /\r\n UUID: /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i,\r\n} as const;\r\n\r\n// =============================================================================\r\n// ERROR MESSAGES\r\n// =============================================================================\r\nexport const ERRORS = {\r\n /* Generic error message (production) /\r\n INTERNAL_SERVER_ERROR: 'Internal Server Error',\r\n /* Input too large error /\r\n INPUT_TOO_LARGE: (maxSize: number) => `Input exceeds maximum size of ${maxSize} bytes`,\r\n /* Validation error messages /\r\n VALIDATION: {\r\n REQUIRED: (field: string) => `${field} is required`,\r\n INVALID_TYPE: (field: string, type: string) => `${field} must be a ${type}`,\r\n MIN_LENGTH: (field: string, min: number) => `${field} must be at least ${min} characters`,\r\n MAX_LENGTH: (field: string, max: number) => `${field} must be at most ${max} characters`,\r\n MIN_VALUE: (field: string, min: number) => `${field} must be at least ${min}`,\r\n MAX_VALUE: (field: string, max: number) => `${field} must be at most ${max}`,\r\n INVALID_FORMAT: (field: string) => `${field} format is invalid`,\r\n INVALID_EMAIL: (field: string) => `${field} must be a valid email`,\r\n INVALID_URL: (field: string) => `${field} must be a valid URL`,\r\n INVALID_UUID: (field: string) => `${field} must be a valid UUID`,\r\n INVALID_ENUM: (field: string, values: unknown[]) => `${field} must be one of: ${values.join(', ')}`,\r\n MIN_ITEMS: (field: string, min: number) => `${field} must have at least ${min} items`,\r\n MAX_ITEMS: (field: string, max: number) => `${field} must have at most ${max} items`,\r\n },\r\n} as const;\r\n\r\n// =============================================================================\r\n// BLOCKED TEXT (for sanitizer replacements)\r\n// =============================================================================\r\nexport const BLOCKED = '[BLOCKED]' as const;\r\n","/\r\n @module @arcis/node/core/errors\r\n * Custom error classes for Arcis\r\n /\r\n\r\n/\r\n Base class for all Arcis errors\r\n /\r\nexport class ArcisError extends Error {\r\n public readonly statusCode: number;\r\n public readonly code: string;\r\n /* Whether the error message is safe to expose to API clients. /\r\n public readonly expose: boolean;\r\n\r\n constructor(message: string, statusCode = 500, code = 'ARCIS_ERROR') {\r\n super(message);\r\n this.name = 'ArcisError';\r\n this.statusCode = statusCode;\r\n this.code = code;\r\n // Client errors (4xx) have controlled messages — safe to expose.\r\n // Server errors (5xx) may contain internal details — hide by default.\r\n this.expose = statusCode < 500;\r\n\r\n // Maintains proper stack trace for where error was thrown (V8 engines)\r\n if (Error.captureStackTrace) {\r\n Error.captureStackTrace(this, this.constructor);\r\n }\r\n }\r\n}\r\n\r\n/\r\n Error thrown when input validation fails\r\n /\r\nexport class ValidationError extends ArcisError {\r\n public readonly errors: string[];\r\n\r\n constructor(errors: string[]) {\r\n super('Validation failed', 400, 'VALIDATION_ERROR');\r\n this.name = 'ValidationError';\r\n this.errors = errors;\r\n }\r\n}\r\n\r\n/* Alias for ValidationError (backwards compatibility) /\r\nexport { ValidationError as ArcisValidationError };\r\n\r\n/\r\n Error thrown when rate limit is exceeded\r\n /\r\nexport class RateLimitError extends ArcisError {\r\n public readonly retryAfter: number;\r\n\r\n constructor(message: string, retryAfter: number) {\r\n super(message, 429, 'RATE_LIMIT_EXCEEDED');\r\n this.name = 'RateLimitError';\r\n this.retryAfter = retryAfter;\r\n }\r\n}\r\n\r\n/\r\n Error thrown when input is too large\r\n /\r\nexport class InputTooLargeError extends ArcisError {\r\n public readonly maxSize: number;\r\n public readonly actualSize: number;\r\n\r\n constructor(maxSize: number, actualSize: number) {\r\n super(`Input exceeds maximum size of ${maxSize} bytes`, 413, 'INPUT_TOO_LARGE');\r\n this.name = 'InputTooLargeError';\r\n this.maxSize = maxSize;\r\n this.actualSize = actualSize;\r\n }\r\n}\r\n\r\n/\r\n Error thrown when security threat is detected\r\n /\r\nexport class SecurityThreatError extends ArcisError {\r\n public readonly threatType: string;\r\n public readonly pattern: string;\r\n\r\n constructor(threatType: string, pattern: string) {\r\n super('Request blocked for security reasons', 400, 'SECURITY_THREAT');\r\n this.name = 'SecurityThreatError';\r\n this.threatType = threatType;\r\n this.pattern = pattern;\r\n }\r\n}\r\n\r\n/\r\n Error thrown when sanitization fails\r\n */\r\nexport class SanitizationError extends ArcisError {\r\n constructor(message: string) {\r\n super(message, 400, 'SANITIZATION_ERROR');\r\n this.name = 'SanitizationError';\r\n }\r\n}\r\n"]}
1	+ {"version":3,"sources":["../../src/core/constants.ts","../../src/core/errors.ts"],"names":[],"mappings":";AAQO,IAAM,KAAA,GAAQ;AAAA;AAAA,EAEnB,gBAAA,EAAkB,GAAA;AAAA;AAAA,EAElB,mBAAA,EAAqB;AACvB;AAKO,IAAM,UAAA,GAAa;AAAA;AAAA,EAExB,iBAAA,EAAmB,GAAA;AAAA;AAAA,EAEnB,oBAAA,EAAsB,GAAA;AAAA;AAAA,EAEtB,mBAAA,EAAqB,GAAA;AAAA;AAAA,EAErB,eAAA,EAAiB,4CAAA;AAAA;AAAA,EAEjB,aAAA,EAAe,GAAA;AAAA;AAAA,EAEf,aAAA,EAAe;AACjB;AAKO,IAAM,OAAA,GAAU;AAAA;AAAA,EAErB,WAAA,EAAa;AAAA,IACX,oBAAA;AAAA,IACA,mBAAA;AAAA,IACA,kCAAA;AAAA,IACA,6BAAA;AAAA,IACA,iBAAA;AAAA,IACA,mBAAA;AAAA,IACA;AAAA,GACF,CAAE,KAAK,IAAI,CAAA;AAAA;AAAA,EAEX,YAAA,EAAc,OAAA;AAAA;AAAA,EAEd,aAAA,EAAe,MAAA;AAAA;AAAA,EAEf,oBAAA,EAAsB,SAAA;AAAA;AAAA,EAEtB,eAAA,EAAiB,iCAAA;AAAA;AAAA,EAEjB,kBAAA,EAAoB,0CAAA;AAAA;AAAA,EAEpB,aAAA,EAAe;AACjB;AAUO,IAAM,YAAA,GAAe;AAAA;AAAA,EAE1B,mCAAA;AAAA;AAAA,EAEA,kBAAA;AAAA;AAAA,EAEA,gBAAA;AAAA;AAAA,EAEA,sBAAA;AAAA;AAAA,EAEA,WAAA;AAAA;AAAA,EAEA,WAAA;AAAA;AAAA,EAEA,UAAA;AAAA;AAAA,EAEA,sBAAA;AAAA;AAAA,EAEA,aAAA;AAAA;AAAA,EAEA;AACF;AAuCO,IAAM,YAAA,GAAe;AAAA;AAAA,EAE1B,qFAAA;AAAA;AAAA,EAEA,mBAAA;AAAA;AAAA,EAEA,cAAA;AAAA;AAAA,EAEA,wBAAA;AAAA;AAAA,EAEA,8CAAA;AAAA,EACA,oDAAA;AAAA;AAAA,EAEA,yBAAA;AAAA;AAAA,EAEA,+CAAA;AAAA,EACA,qDAAA;AAAA;AAAA,EAEA,2BAAA;AAAA;AAAA,EAEA,oBAAA;AAAA;AAAA,EAEA,mBAAA;AAAA;AAAA,EAEA;AACF;AAKO,IAAM,aAAA,GAAgB;AAAA;AAAA,EAE3B,SAAA;AAAA;AAAA,EAEA,SAAA;AAAA;AAAA,EAEA,UAAA;AAAA;AAAA,EAEA,SAAA;AAAA;AAAA,EAEA,WAAA;AAAA;AAAA,EAEA,cAAA;AAAA,EACA,cAAA;AAAA;AAAA,EAEA,aAAA;AAAA;AAAA,EAEA,SAAA;AAAA;AAAA,EAEA,kBAAA;AAAA;AAAA,EAEA;AACF;AAKO,IAAM,gBAAA,GAAmB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAU9B,SAAA;AAAA;AAAA,EAEA,OAAA;AAAA;AAAA,EAEA;AACF;AAiBO,IAAM,oBAAA,uBAA2B,GAAA,CAAI;AAAA,EAC1C,WAAA;AAAA,EACA,aAAA;AAAA,EACA,WAAA;AAAA,EACA,kBAAA;AAAA,EACA,kBAAA;AAAA,EACA,kBAAA;AAAA,EACA;AACF,CAAC;AAGM,IAAM,oBAAA,uBAA2B,GAAA,CAAI;AAAA;AAAA,EAE1C,KAAA;AAAA,EAAO,MAAA;AAAA,EAAQ,KAAA;AAAA,EAAO,MAAA;AAAA,EAAQ,KAAA;AAAA,EAAO,KAAA;AAAA,EAAO,KAAA;AAAA,EAAO,MAAA;AAAA;AAAA,EAEnD,MAAA;AAAA,EAAQ,KAAA;AAAA,EAAO,MAAA;AAAA,EAAQ,MAAA;AAAA;AAAA,EAEvB,SAAA;AAAA,EAAW,OAAA;AAAA,EAAS,QAAA;AAAA,EAAU,QAAA;AAAA,EAAU,OAAA;AAAA,EAAS,MAAA;AAAA,EAAQ,OAAA;AAAA,EAAS,aAAA;AAAA;AAAA,EAElE,YAAA;AAAA,EAAc,MAAA;AAAA,EAAQ,OAAA;AAAA;AAAA,EAEtB,WAAA;AAAA,EAAa,cAAA;AAAA;AAAA,EAEb,SAAA;AAAA,EAAW,QAAA;AAAA,EAAU,UAAA;AAAA,EAAY,QAAA;AAAA,EAAU,OAAA;AAAA,EAAS,QAAA;AAAA,EAAU,OAAA;AAAA,EAC9D,SAAA;AAAA,EAAW,YAAA;AAAA,EAAc;AAC3B,CAAC;AAKM,IAAM,SAAA,GAAY;AAAA;AAAA,EAEvB,WAAA,EAAa,YAAA;AAAA;AAAA,EAEb,SAAA,EAAW,aAAA;AAAA;AAAA,EAEX,SAAA,EAAW,aAAA;AAAA;AAAA,EAEX,kBAAA,EAAoB,GAAA;AAAA;AAAA,EAEpB,cAAA,sBAAoB,GAAA,CAAI;AAAA,IACtB,UAAA;AAAA,IAAY,QAAA;AAAA,IAAU,KAAA;AAAA,IAAO,QAAA;AAAA,IAAU,OAAA;AAAA,IAAS,QAAA;AAAA,IAChD,SAAA;AAAA,IAAW,QAAA;AAAA,IAAU,MAAA;AAAA,IAAQ,eAAA;AAAA,IAAiB,aAAA;AAAA,IAC9C,YAAA;AAAA,IAAc,IAAA;AAAA,IAAM,KAAA;AAAA,IAAO,iBAAA;AAAA,IAAmB,aAAA;AAAA,IAC9C,YAAA;AAAA,IAAc,cAAA;AAAA,IAAgB,aAAA;AAAA,IAAe,eAAA;AAAA,IAC7C,cAAA;AAAA,IAAgB,QAAA;AAAA,IAAU,KAAA;AAAA,IAAO,SAAA;AAAA,IAAW,QAAA;AAAA,IAC5C,aAAA;AAAA,IAAe,WAAA;AAAA,IAAa;AAAA,GAC7B;AACH;AAKO,IAAM,UAAA,GAAa;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAMxB,KAAA,EAAO,wDAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAMP,GAAA,EAAK,+BAAA;AAAA;AAAA,EAEL,IAAA,EAAM;AACR;AAKO,IAAM,MAAA,GAAS;AAAA;AAAA,EAEpB,qBAAA,EAAuB,uBAAA;AAAA;AAAA,EAEvB,eAAA,EAAiB,CAAC,OAAA,KAAoB,CAAA,8BAAA,EAAiC,OAAO,CAAA,MAAA,CAAA;AAAA;AAAA,EAE9E,UAAA,EAAY;AAAA,IACV,QAAA,EAAU,CAAC,KAAA,KAAkB,CAAA,EAAG,KAAK,CAAA,YAAA,CAAA;AAAA,IACrC,cAAc,CAAC,KAAA,EAAe,SAAiB,CAAA,EAAG,KAAK,cAAc,IAAI,CAAA,CAAA;AAAA,IACzE,YAAY,CAAC,KAAA,EAAe,QAAgB,CAAA,EAAG,KAAK,qBAAqB,GAAG,CAAA,WAAA,CAAA;AAAA,IAC5E,YAAY,CAAC,KAAA,EAAe,QAAgB,CAAA,EAAG,KAAK,oBAAoB,GAAG,CAAA,WAAA,CAAA;AAAA,IAC3E,WAAW,CAAC,KAAA,EAAe,QAAgB,CAAA,EAAG,KAAK,qBAAqB,GAAG,CAAA,CAAA;AAAA,IAC3E,WAAW,CAAC,KAAA,EAAe,QAAgB,CAAA,EAAG,KAAK,oBAAoB,GAAG,CAAA,CAAA;AAAA,IAC1E,cAAA,EAAgB,CAAC,KAAA,KAAkB,CAAA,EAAG,KAAK,CAAA,kBAAA,CAAA;AAAA,IAC3C,aAAA,EAAe,CAAC,KAAA,KAAkB,CAAA,EAAG,KAAK,CAAA,sBAAA,CAAA;AAAA,IAC1C,WAAA,EAAa,CAAC,KAAA,KAAkB,CAAA,EAAG,KAAK,CAAA,oBAAA,CAAA;AAAA,IACxC,YAAA,EAAc,CAAC,KAAA,KAAkB,CAAA,EAAG,KAAK,CAAA,qBAAA,CAAA;AAAA,IACzC,YAAA,EAAc,CAAC,KAAA,EAAe,MAAA,KAAsB,CAAA,EAAG,KAAK,CAAA,iBAAA,EAAoB,MAAA,CAAO,IAAA,CAAK,IAAI,CAAC,CAAA,CAAA;AAAA,IACjG,WAAW,CAAC,KAAA,EAAe,QAAgB,CAAA,EAAG,KAAK,uBAAuB,GAAG,CAAA,MAAA,CAAA;AAAA,IAC7E,WAAW,CAAC,KAAA,EAAe,QAAgB,CAAA,EAAG,KAAK,sBAAsB,GAAG,CAAA,MAAA;AAAA;AAEhF;AAKO,IAAM,OAAA,GAAU;;;ACrThB,IAAM,UAAA,GAAN,cAAyB,KAAA,CAAM;AAAA,EAMpC,WAAA,CAAY,OAAA,EAAiB,UAAA,GAAa,GAAA,EAAK,OAAO,aAAA,EAAe;AACnE,IAAA,KAAA,CAAM,OAAO,CAAA;AACb,IAAA,IAAA,CAAK,IAAA,GAAO,YAAA;AACZ,IAAA,IAAA,CAAK,UAAA,GAAa,UAAA;AAClB,IAAA,IAAA,CAAK,IAAA,GAAO,IAAA;AAGZ,IAAA,IAAA,CAAK,SAAS,UAAA,GAAa,GAAA;AAG3B,IAAA,IAAI,MAAM,iBAAA,EAAmB;AAC3B,MAAA,KAAA,CAAM,iBAAA,CAAkB,IAAA,EAAM,IAAA,CAAK,WAAW,CAAA;AAAA,IAChD;AAAA,EACF;AACF;AAKO,IAAM,eAAA,GAAN,cAA8B,UAAA,CAAW;AAAA,EAG9C,YAAY,MAAA,EAAkB;AAC5B,IAAA,KAAA,CAAM,mBAAA,EAAqB,KAAK,kBAAkB,CAAA;AAClD,IAAA,IAAA,CAAK,IAAA,GAAO,iBAAA;AACZ,IAAA,IAAA,CAAK,MAAA,GAAS,MAAA;AAAA,EAChB;AACF;AAQO,IAAM,cAAA,GAAN,cAA6B,UAAA,CAAW;AAAA,EAG7C,WAAA,CAAY,SAAiB,UAAA,EAAoB;AAC/C,IAAA,KAAA,CAAM,OAAA,EAAS,KAAK,qBAAqB,CAAA;AACzC,IAAA,IAAA,CAAK,IAAA,GAAO,gBAAA;AACZ,IAAA,IAAA,CAAK,UAAA,GAAa,UAAA;AAAA,EACpB;AACF;AAKO,IAAM,kBAAA,GAAN,cAAiC,UAAA,CAAW;AAAA,EAIjD,WAAA,CAAY,SAAiB,UAAA,EAAoB;AAC/C,IAAA,KAAA,CAAM,CAAA,8BAAA,EAAiC,OAAO,CAAA,MAAA,CAAA,EAAU,GAAA,EAAK,iBAAiB,CAAA;AAC9E,IAAA,IAAA,CAAK,IAAA,GAAO,oBAAA;AACZ,IAAA,IAAA,CAAK,OAAA,GAAU,OAAA;AACf,IAAA,IAAA,CAAK,UAAA,GAAa,UAAA;AAAA,EACpB;AACF;AAKO,IAAM,mBAAA,GAAN,cAAkC,UAAA,CAAW;AAAA,EAIlD,WAAA,CAAY,YAAoB,OAAA,EAAiB;AAC/C,IAAA,KAAA,CAAM,sCAAA,EAAwC,KAAK,iBAAiB,CAAA;AACpE,IAAA,IAAA,CAAK,IAAA,GAAO,qBAAA;AACZ,IAAA,IAAA,CAAK,UAAA,GAAa,UAAA;AAClB,IAAA,IAAA,CAAK,OAAA,GAAU,OAAA;AAAA,EACjB;AACF;AAKO,IAAM,iBAAA,GAAN,cAAgC,UAAA,CAAW;AAAA,EAChD,YAAY,OAAA,EAAiB;AAC3B,IAAA,KAAA,CAAM,OAAA,EAAS,KAAK,oBAAoB,CAAA;AACxC,IAAA,IAAA,CAAK,IAAA,GAAO,mBAAA;AAAA,EACd;AACF","file":"index.mjs","sourcesContent":["/*\n @module @arcis/node/core/constants\n * Named constants for Arcis - no magic numbers\n /\n\n// =============================================================================\n// INPUT LIMITS\n// =============================================================================\nexport const INPUT = {\n /* Default maximum input size (1MB) /\n DEFAULT_MAX_SIZE: 1_000_000,\n /* Maximum recursion depth for nested objects /\n MAX_RECURSION_DEPTH: 10,\n} as const;\n\n// =============================================================================\n// RATE LIMITING\n// =============================================================================\nexport const RATE_LIMIT = {\n /* Default window size (1 minute) /\n DEFAULT_WINDOW_MS: 60_000,\n /* Default max requests per window /\n DEFAULT_MAX_REQUESTS: 100,\n /* Default HTTP status code for rate limited responses /\n DEFAULT_STATUS_CODE: 429,\n /* Default error message /\n DEFAULT_MESSAGE: 'Too many requests, please try again later.',\n /* Minimum window size (1 second) /\n MIN_WINDOW_MS: 1_000,\n /* Maximum window size (24 hours) /\n MAX_WINDOW_MS: 86_400_000,\n} as const;\n\n// =============================================================================\n// SECURITY HEADERS\n// =============================================================================\nexport const HEADERS = {\n /* Default Content Security Policy /\n DEFAULT_CSP: [\n \"default-src 'self'\",\n \"script-src 'self'\",\n \"style-src 'self' 'unsafe-inline'\",\n \"img-src 'self' data: https:\",\n \"font-src 'self'\",\n \"object-src 'none'\",\n \"frame-ancestors 'none'\",\n ].join('; '),\n /* Default HSTS max age (1 year in seconds) /\n HSTS_MAX_AGE: 31_536_000,\n /* Default X-Frame-Options value /\n FRAME_OPTIONS: 'DENY' as const,\n /* Default X-Content-Type-Options value /\n CONTENT_TYPE_OPTIONS: 'nosniff',\n /* Default Referrer-Policy value /\n REFERRER_POLICY: 'strict-origin-when-cross-origin',\n /* Default Permissions-Policy value /\n PERMISSIONS_POLICY: 'geolocation=(), microphone=(), camera=()',\n /* Default Cache-Control value for security /\n CACHE_CONTROL: 'no-store, no-cache, must-revalidate, proxy-revalidate',\n} as const;\n\n// =============================================================================\n// XSS PATTERNS (ReDoS-safe)\n// =============================================================================\n\n/\n Detection patterns — used to flag whether a string contains XSS payloads.\n * Must stay in sync with XSS_REMOVE_PATTERNS below.\n /\nexport const XSS_PATTERNS = [\n /* Script tags (ReDoS-safe version) /\n /<script[^>]>[\\s\\S]?<\\/script>/gi,\n /* javascript: protocol (allow optional spaces before colon) /\n /javascript\\s:/gi,\n /** vbscript: protocol /\n /vbscript\\s:/gi,\n /** Event handlers (onclick, onerror, etc.) — any separator before attribute /\n /(?:[\\s/])on\\w+\\s=/gi,\n /** iframe tags /\n /<iframe/gi,\n /* object tags /\n /<object/gi,\n /* embed tags /\n /<embed/gi,\n /* data: URIs (only dangerous ones, avoid false positives) /\n /(?:^\|[\\s\"'=])data:/gi,\n /* URL-encoded script tags /\n /%3Cscript/gi,\n /* SVG with onload /\n /<svg[^>]onload/gi,\n] as const;\n\n/*\n Removal patterns — used by sanitizeXss() to strip dangerous content.\n * More targeted than XSS_PATTERNS: each pattern captures the full dangerous\n * substring (tag, attribute + value, protocol) so it can be replaced safely.\n * Must stay in sync with XSS_PATTERNS above.\n /\nexport const XSS_REMOVE_PATTERNS = [\n /* Full script blocks (content + tags) /\n /<script[^>]>[\\s\\S]?<\\/script>/gi,\n /* Standalone/unclosed script tags /\n /<script[^>]>/gi,\n /** iframe — full block and partial/unclosed /\n /<iframe[^>]>[\\s\\S]?<\\/iframe>/gi,\n /<iframe[^>]/gi,\n /** object — full block and partial/unclosed /\n /<object[^>]>[\\s\\S]?<\\/object>/gi,\n /<object[^>]/gi,\n /** embed tags /\n /<embed[^>]/gi,\n /** SVG with inline event handlers /\n /<svg[^>]onload[^>]>/gi,\n /* URL-encoded script tags /\n /%3Cscript/gi,\n /* Event handlers with quoted values: onclick=\"...\", onerror='...' /\n /(?:[\\s/])on\\w+\\s=\\s[\"'][^\"'][\"']/gi,\n /** Event handlers with unquoted values: onload=value /\n /(?:[\\s/])on\\w+\\s=\\s[^\\s>]/gi,\n /** javascript: and vbscript: protocols (allow optional spaces before colon) /\n /javascript\\s:/gi,\n /vbscript\\s:/gi,\n /* data: URIs with HTML/script content /\n /data\\s:\\stext\\/html[^>\\s]/gi,\n] as const;\n\n// =============================================================================\n// SQL INJECTION PATTERNS\n// =============================================================================\nexport const SQL_PATTERNS = [\n /** SQL keywords /\n /(\\b(SELECT\|INSERT\|UPDATE\|DELETE\|DROP\|UNION\|ALTER\|CREATE\|TRUNCATE\|EXEC\|EXECUTE)\\b)/gi,\n /* SQL comments: ANSI (--), C-style (slash-star ... star-slash), MySQL (#) /\n /(--\|\\/\\\|\\\\/\|#)/g,\n /* SQL statement separators /\n /(;\|\\\|\\\|\|&&)/g,\n /* Boolean injection: OR 1=1 /\n /\\bOR\\s+\\d+\\s=\\s\\d+/gi,\n /* Boolean injection: OR 'a'='a' or OR \"a\"=\"a\" (including mixed quotes) /\n /\\bOR\\s+(['\"])[^'\"]\\1\\s=\\s(['\"])[^'\"]\\2/gi,\n /\\bOR\\s+('[^']'\|\"[^\"]\")\\s=\\s('[^']'\|\"[^\"]\")/gi,\n /* Boolean injection: AND 1=1 /\n /\\bAND\\s+\\d+\\s=\\s\\d+/gi,\n /* Boolean injection: AND 'a'='a' or AND \"a\"=\"a\" (including mixed quotes) /\n /\\bAND\\s+(['\"])[^'\"]\\1\\s=\\s(['\"])[^'\"]\\2/gi,\n /\\bAND\\s+('[^']'\|\"[^\"]\")\\s=\\s('[^']'\|\"[^\"]\")/gi,\n /* Time-based blind: SLEEP() /\n /\\bSLEEP\\s\$\\s\\d+\\s\$/gi,\n /** Time-based blind: BENCHMARK() /\n /\\bBENCHMARK\\s\\(/gi,\n /** Time-based blind: PostgreSQL pg_sleep() /\n /\\bpg_sleep\\s\\(/gi,\n /** Time-based blind: MSSQL WAITFOR DELAY /\n /\\bWAITFOR\\s+DELAY\\b/gi,\n] as const;\n\n// =============================================================================\n// PATH TRAVERSAL PATTERNS\n// =============================================================================\nexport const PATH_PATTERNS = [\n /* Unix path traversal /\n /\\.\\.\\//g,\n /* Windows path traversal /\n /\\.\\.\\\\/g,\n /* URL-encoded traversal (%2e%2e) /\n /%2e%2e/gi,\n /* Double URL-encoded traversal (%252e) /\n /%252e/gi,\n /* Mixed encoding: ..%2F /\n /\\.\\.%2F/gi,\n /* Mixed encoding: %2e./ and .%2e/ /\n /%2e\\.[\\\\/]/gi,\n /\\.%2e[\\\\/]/gi,\n /* Fully URL-encoded: %2e%2e%2f /\n /%2e%2e%2f/gi,\n /* Double URL-encoded forward slash: %252f /\n /%252f/gi,\n /* Dotdotslash bypass: ....// or ....\\\\ /\n /\\.{2,}[/\\\\]{2,}/g,\n /* Null byte injection in paths /\n /\\0/g,\n] as const;\n\n// =============================================================================\n// COMMAND INJECTION PATTERNS\n// =============================================================================\nexport const COMMAND_PATTERNS = [\n /\n Shell metacharacters that enable command chaining/substitution.\n * Bare ( and ) are excluded — they appear in common legitimate values\n * (function calls in code fields, math expressions, etc.).\n * Command substitution is caught by the $( combined pattern below.\n * NOTE: ';', '&', '\|' may appear in legitimate URL query strings\n * and Markdown; consider disabling command checking (command: false)\n * for fields that intentionally allow those characters.\n /\n /[;&\|`]/g,\n /* Command substitution: $( ... ) — matched as a pair to reduce false positives /\n /\\$\\(/g,\n /* URL-encoded newline/carriage-return injection (%0a, %0d) /\n /%0[ad]/gi,\n] as const;\n\n// =============================================================================\n// DANGEROUS KEYS\n// =============================================================================\n\n/\n Prototype pollution keys to block.\n * Stored lowercase — always compare with key.toLowerCase().\n \n Includes:\n * - __proto__: direct prototype assignment\n * - constructor: access to constructor.prototype chain\n * - prototype: direct prototype property\n * - __defineGetter__/__defineSetter__: legacy property definition (can override getters/setters)\n * - __lookupGetter__/__lookupSetter__: legacy property introspection\n /\nexport const DANGEROUS_PROTO_KEYS = new Set([\n '__proto__',\n 'constructor',\n 'prototype',\n '__definegetter__',\n '__definesetter__',\n '__lookupgetter__',\n '__lookupsetter__',\n]);\n\n/* MongoDB operators to block /\nexport const NOSQL_DANGEROUS_KEYS = new Set([\n // Comparison\n '$gt', '$gte', '$lt', '$lte', '$ne', '$eq', '$in', '$nin',\n // Logical\n '$and', '$or', '$not', '$nor',\n // Element / evaluation\n '$exists', '$type', '$regex', '$where', '$expr', '$mod', '$text', '$jsonSchema',\n // Array\n '$elemMatch', '$all', '$size',\n // JavaScript execution (critical)\n '$function', '$accumulator',\n // Aggregation pipeline operators (injectable via $lookup etc.)\n '$lookup', '$match', '$project', '$group', '$sort', '$limit', '$skip',\n '$unwind', '$addFields', '$replaceRoot',\n]);\n\n// =============================================================================\n// REDACTION\n// =============================================================================\nexport const REDACTION = {\n /* Replacement text for redacted values /\n REPLACEMENT: '[REDACTED]',\n /* Truncation indicator /\n TRUNCATED: '[TRUNCATED]',\n /* Max depth indicator /\n MAX_DEPTH: '[MAX_DEPTH]',\n /* Default max message length /\n DEFAULT_MAX_LENGTH: 10_000,\n /* Default sensitive keys to redact /\n SENSITIVE_KEYS: new Set([\n 'password', 'passwd', 'pwd', 'secret', 'token', 'apikey',\n 'api_key', 'apiKey', 'auth', 'authorization', 'credit_card',\n 'creditcard', 'cc', 'ssn', 'social_security', 'private_key',\n 'privateKey', 'access_token', 'accessToken', 'refresh_token',\n 'refreshToken', 'bearer', 'jwt', 'session', 'cookie',\n 'credentials', 'x-api-key', 'x-auth-token',\n ]),\n} as const;\n\n// =============================================================================\n// VALIDATION PATTERNS\n// =============================================================================\nexport const VALIDATION = {\n /\n Email regex pattern.\n * Rejects consecutive dots in local part (e.g. test..foo@example.com),\n * leading/trailing dots, and other common invalid forms.\n /\n EMAIL: /^[^\\s@.][^\\s@](?:\\.[^\\s@.][^\\s@])@[^\\s@]+\\.[^\\s@]+$/,\n /*\n URL regex pattern.\n * Only allows http:// and https:// — explicitly rejects javascript:,\n * data:, vbscript:, and other dangerous URI schemes.\n /\n URL: /^https?:\\/\\/[^\\s/$.?#][^\\s]$/,\n /** UUID regex pattern (v4) /\n UUID: /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i,\n} as const;\n\n// =============================================================================\n// ERROR MESSAGES\n// =============================================================================\nexport const ERRORS = {\n /* Generic error message (production) /\n INTERNAL_SERVER_ERROR: 'Internal Server Error',\n /* Input too large error /\n INPUT_TOO_LARGE: (maxSize: number) => `Input exceeds maximum size of ${maxSize} bytes`,\n /* Validation error messages /\n VALIDATION: {\n REQUIRED: (field: string) => `${field} is required`,\n INVALID_TYPE: (field: string, type: string) => `${field} must be a ${type}`,\n MIN_LENGTH: (field: string, min: number) => `${field} must be at least ${min} characters`,\n MAX_LENGTH: (field: string, max: number) => `${field} must be at most ${max} characters`,\n MIN_VALUE: (field: string, min: number) => `${field} must be at least ${min}`,\n MAX_VALUE: (field: string, max: number) => `${field} must be at most ${max}`,\n INVALID_FORMAT: (field: string) => `${field} format is invalid`,\n INVALID_EMAIL: (field: string) => `${field} must be a valid email`,\n INVALID_URL: (field: string) => `${field} must be a valid URL`,\n INVALID_UUID: (field: string) => `${field} must be a valid UUID`,\n INVALID_ENUM: (field: string, values: unknown[]) => `${field} must be one of: ${values.join(', ')}`,\n MIN_ITEMS: (field: string, min: number) => `${field} must have at least ${min} items`,\n MAX_ITEMS: (field: string, max: number) => `${field} must have at most ${max} items`,\n },\n} as const;\n\n// =============================================================================\n// BLOCKED TEXT (for sanitizer replacements)\n// =============================================================================\nexport const BLOCKED = '[BLOCKED]' as const;\n","/\n @module @arcis/node/core/errors\n * Custom error classes for Arcis\n /\n\n/\n Base class for all Arcis errors\n /\nexport class ArcisError extends Error {\n public readonly statusCode: number;\n public readonly code: string;\n /* Whether the error message is safe to expose to API clients. /\n public readonly expose: boolean;\n\n constructor(message: string, statusCode = 500, code = 'ARCIS_ERROR') {\n super(message);\n this.name = 'ArcisError';\n this.statusCode = statusCode;\n this.code = code;\n // Client errors (4xx) have controlled messages — safe to expose.\n // Server errors (5xx) may contain internal details — hide by default.\n this.expose = statusCode < 500;\n\n // Maintains proper stack trace for where error was thrown (V8 engines)\n if (Error.captureStackTrace) {\n Error.captureStackTrace(this, this.constructor);\n }\n }\n}\n\n/\n Error thrown when input validation fails\n /\nexport class ValidationError extends ArcisError {\n public readonly errors: string[];\n\n constructor(errors: string[]) {\n super('Validation failed', 400, 'VALIDATION_ERROR');\n this.name = 'ValidationError';\n this.errors = errors;\n }\n}\n\n/* Alias for ValidationError (backwards compatibility) /\nexport { ValidationError as ArcisValidationError };\n\n/\n Error thrown when rate limit is exceeded\n /\nexport class RateLimitError extends ArcisError {\n public readonly retryAfter: number;\n\n constructor(message: string, retryAfter: number) {\n super(message, 429, 'RATE_LIMIT_EXCEEDED');\n this.name = 'RateLimitError';\n this.retryAfter = retryAfter;\n }\n}\n\n/\n Error thrown when input is too large\n /\nexport class InputTooLargeError extends ArcisError {\n public readonly maxSize: number;\n public readonly actualSize: number;\n\n constructor(maxSize: number, actualSize: number) {\n super(`Input exceeds maximum size of ${maxSize} bytes`, 413, 'INPUT_TOO_LARGE');\n this.name = 'InputTooLargeError';\n this.maxSize = maxSize;\n this.actualSize = actualSize;\n }\n}\n\n/\n Error thrown when security threat is detected\n /\nexport class SecurityThreatError extends ArcisError {\n public readonly threatType: string;\n public readonly pattern: string;\n\n constructor(threatType: string, pattern: string) {\n super('Request blocked for security reasons', 400, 'SECURITY_THREAT');\n this.name = 'SecurityThreatError';\n this.threatType = threatType;\n this.pattern = pattern;\n }\n}\n\n/\n Error thrown when sanitization fails\n */\nexport class SanitizationError extends ArcisError {\n constructor(message: string) {\n super(message, 400, 'SANITIZATION_ERROR');\n this.name = 'SanitizationError';\n }\n}\n"]}

package/dist/{index-CslcoZUN.d.mts → index-A-m-pPeW.d.mts} RENAMED Viewed

@@ -1,5 +1,5 @@
 import { RequestHandler } from 'express';
-import { n as ValidationSchema } from './types-BOdL3ZWo.mjs';
+import { n as ValidationSchema } from './types-CsOFHoD9.mjs';
 /**
  * @module @arcis/node/validation/schema

package/dist/{index-CCcPuTBo.d.mts → index-CgK94hY_.d.mts} RENAMED Viewed

@@ -1,4 +1,4 @@
-import { b as ArcisOptions, o as ArcisMiddlewareStack, A as ArcisFunction, e as RateLimitOptions, h as RateLimiterMiddleware, H as HeaderOptions, E as ErrorHandlerOptions } from './types-BOdL3ZWo.mjs';
+import { b as ArcisOptions, o as ArcisMiddlewareStack, A as ArcisFunction, e as RateLimitOptions, h as RateLimiterMiddleware, H as HeaderOptions, E as ErrorHandlerOptions } from './types-CsOFHoD9.mjs';
 import { RequestHandler, Request, Response, NextFunction } from 'express';
 /**
@@ -435,4 +435,98 @@ declare function detectBot(req: Request): BotDetectionResult;
  */
 declare function botProtection(options?: BotProtectionOptions): RequestHandler;
-export { type BotCategory as B, type CorsOptions as C, type SecureCookieOptions as S, type TokenBucketMiddleware as T, type BotDetectionResult as a, type BotProtectionOptions as b, type SlidingWindowMiddleware as c, type SlidingWindowOptions as d, type TokenBucketOptions as e, arcis as f, arcisWithMethods as g, botProtection as h, createCors as i, createErrorHandler as j, createHeaders as k, createRateLimiter as l, createSecureCookies as m, createSlidingWindowLimiter as n, createTokenBucketLimiter as o, detectBot as p, enforceSecureCookie as q, errorHandler as r, rateLimit as s, safeCors as t, secureCookieDefaults as u, securityHeaders as v };
+/**
+ * @module @arcis/node/middleware/csrf
+ * CSRF (Cross-Site Request Forgery) protection middleware
+ *
+ * Implements the double-submit cookie pattern:
+ * 1. Server sets a CSRF token in a cookie
+ * 2. Client must send the same token in a header or form field
+ * 3. Middleware rejects requests where cookie token !== header/field token
+ *
+ * This works because an attacker's cross-origin form submission will include
+ * the cookie automatically, but cannot read it (same-origin policy) to set
+ * the matching header.
+ */
+/** CSRF protection configuration */
+interface CsrfOptions {
+    /** Cookie name for the CSRF token. Default: '_csrf' */
+    cookieName?: string;
+    /** Header name to check for the token. Default: 'x-csrf-token' */
+    headerName?: string;
+    /** Form field name to check for the token. Default: '_csrf' */
+    fieldName?: string;
+    /** Token byte length (hex-encoded = 2x chars). Default: 32 */
+    tokenLength?: number;
+    /** HTTP methods to protect. Default: ['POST', 'PUT', 'PATCH', 'DELETE'] */
+    protectedMethods?: string[];
+    /** Paths to exclude from CSRF checks (e.g., webhook endpoints) */
+    excludePaths?: string[];
+    /** Cookie options */
+    cookie?: {
+        /** Cookie path. Default: '/' */
+        path?: string;
+        /** HttpOnly — set false so client JS can read it for headers. Default: false */
+        httpOnly?: boolean;
+        /** Secure flag (HTTPS only). Default: true in production */
+        secure?: boolean;
+        /** SameSite attribute. Default: 'Lax' */
+        sameSite?: 'Strict' | 'Lax' | 'None';
+        /** Cookie domain */
+        domain?: string;
+    };
+    /** Custom error handler when CSRF validation fails */
+    onError?: (req: Request, res: Response, next: NextFunction) => void;
+}
+/**
+ * Generate a cryptographically random CSRF token.
+ *
+ * @param length - Byte length (output is hex, so 2x chars). Default: 32
+ * @returns Hex-encoded random token
+ *
+ * @example
+ * const token = generateCsrfToken(); // 64 hex chars
+ */
+declare function generateCsrfToken(length?: number): string;
+/**
+ * Validate that two CSRF tokens match using constant-time comparison.
+ *
+ * @param cookieToken - Token from the cookie
+ * @param requestToken - Token from the header or form field
+ * @returns true if tokens match
+ */
+declare function validateCsrfToken(cookieToken: string, requestToken: string): boolean;
+/**
+ * Create CSRF protection middleware using double-submit cookie pattern.
+ *
+ * For safe methods (GET, HEAD, OPTIONS), sets a CSRF token cookie if not present.
+ * For unsafe methods (POST, PUT, PATCH, DELETE), validates the token.
+ *
+ * @param options - CSRF configuration
+ * @returns Express middleware
+ *
+ * @example
+ * // Basic usage
+ * app.use(csrfProtection());
+ *
+ * @example
+ * // Exclude webhook paths
+ * app.use(csrfProtection({
+ *   excludePaths: ['/api/webhooks/stripe', '/api/webhooks/github']
+ * }));
+ *
+ * @example
+ * // Client-side: read cookie + set header
+ * const token = document.cookie.match(/_csrf=([^;]+)/)?.[1];
+ * fetch('/api/data', {
+ *   method: 'POST',
+ *   headers: { 'X-CSRF-Token': token },
+ *   credentials: 'same-origin'
+ * });
+ */
+declare function csrfProtection(options?: CsrfOptions): RequestHandler;
+/** Alias for csrfProtection */
+declare const createCsrf: typeof csrfProtection;
+export { validateCsrfToken as A, type BotCategory as B, type CorsOptions as C, type SecureCookieOptions as S, type TokenBucketMiddleware as T, type BotDetectionResult as a, type BotProtectionOptions as b, type CsrfOptions as c, type SlidingWindowMiddleware as d, type SlidingWindowOptions as e, type TokenBucketOptions as f, arcis as g, arcisWithMethods as h, botProtection as i, createCors as j, createCsrf as k, createErrorHandler as l, createHeaders as m, createRateLimiter as n, createSecureCookies as o, createSlidingWindowLimiter as p, createTokenBucketLimiter as q, csrfProtection as r, detectBot as s, enforceSecureCookie as t, errorHandler as u, generateCsrfToken as v, rateLimit as w, safeCors as x, secureCookieDefaults as y, securityHeaders as z };

package/dist/{index-iCOw8Fcg.d.ts → index-Co5kPRZz.d.ts} RENAMED Viewed

@@ -1,5 +1,5 @@
 import { RequestHandler } from 'express';
-import { n as ValidationSchema } from './types-BOdL3ZWo.js';
+import { n as ValidationSchema } from './types-CsOFHoD9.js';
 /**
  * @module @arcis/node/validation/schema

package/dist/{index-BvcFpoR3.d.ts → index-D_bdJcF0.d.ts} RENAMED Viewed

@@ -1,4 +1,4 @@
-import { b as ArcisOptions, o as ArcisMiddlewareStack, A as ArcisFunction, e as RateLimitOptions, h as RateLimiterMiddleware, H as HeaderOptions, E as ErrorHandlerOptions } from './types-BOdL3ZWo.js';
+import { b as ArcisOptions, o as ArcisMiddlewareStack, A as ArcisFunction, e as RateLimitOptions, h as RateLimiterMiddleware, H as HeaderOptions, E as ErrorHandlerOptions } from './types-CsOFHoD9.js';
 import { RequestHandler, Request, Response, NextFunction } from 'express';
 /**
@@ -435,4 +435,98 @@ declare function detectBot(req: Request): BotDetectionResult;
  */
 declare function botProtection(options?: BotProtectionOptions): RequestHandler;
-export { type BotCategory as B, type CorsOptions as C, type SecureCookieOptions as S, type TokenBucketMiddleware as T, type BotDetectionResult as a, type BotProtectionOptions as b, type SlidingWindowMiddleware as c, type SlidingWindowOptions as d, type TokenBucketOptions as e, arcis as f, arcisWithMethods as g, botProtection as h, createCors as i, createErrorHandler as j, createHeaders as k, createRateLimiter as l, createSecureCookies as m, createSlidingWindowLimiter as n, createTokenBucketLimiter as o, detectBot as p, enforceSecureCookie as q, errorHandler as r, rateLimit as s, safeCors as t, secureCookieDefaults as u, securityHeaders as v };
+/**
+ * @module @arcis/node/middleware/csrf
+ * CSRF (Cross-Site Request Forgery) protection middleware
+ *
+ * Implements the double-submit cookie pattern:
+ * 1. Server sets a CSRF token in a cookie
+ * 2. Client must send the same token in a header or form field
+ * 3. Middleware rejects requests where cookie token !== header/field token
+ *
+ * This works because an attacker's cross-origin form submission will include
+ * the cookie automatically, but cannot read it (same-origin policy) to set
+ * the matching header.
+ */
+/** CSRF protection configuration */
+interface CsrfOptions {
+    /** Cookie name for the CSRF token. Default: '_csrf' */
+    cookieName?: string;
+    /** Header name to check for the token. Default: 'x-csrf-token' */
+    headerName?: string;
+    /** Form field name to check for the token. Default: '_csrf' */
+    fieldName?: string;
+    /** Token byte length (hex-encoded = 2x chars). Default: 32 */
+    tokenLength?: number;
+    /** HTTP methods to protect. Default: ['POST', 'PUT', 'PATCH', 'DELETE'] */
+    protectedMethods?: string[];
+    /** Paths to exclude from CSRF checks (e.g., webhook endpoints) */
+    excludePaths?: string[];
+    /** Cookie options */
+    cookie?: {
+        /** Cookie path. Default: '/' */
+        path?: string;
+        /** HttpOnly — set false so client JS can read it for headers. Default: false */
+        httpOnly?: boolean;
+        /** Secure flag (HTTPS only). Default: true in production */
+        secure?: boolean;
+        /** SameSite attribute. Default: 'Lax' */
+        sameSite?: 'Strict' | 'Lax' | 'None';
+        /** Cookie domain */
+        domain?: string;
+    };
+    /** Custom error handler when CSRF validation fails */
+    onError?: (req: Request, res: Response, next: NextFunction) => void;
+}
+/**
+ * Generate a cryptographically random CSRF token.
+ *
+ * @param length - Byte length (output is hex, so 2x chars). Default: 32
+ * @returns Hex-encoded random token
+ *
+ * @example
+ * const token = generateCsrfToken(); // 64 hex chars
+ */
+declare function generateCsrfToken(length?: number): string;
+/**
+ * Validate that two CSRF tokens match using constant-time comparison.
+ *
+ * @param cookieToken - Token from the cookie
+ * @param requestToken - Token from the header or form field
+ * @returns true if tokens match
+ */
+declare function validateCsrfToken(cookieToken: string, requestToken: string): boolean;
+/**
+ * Create CSRF protection middleware using double-submit cookie pattern.
+ *
+ * For safe methods (GET, HEAD, OPTIONS), sets a CSRF token cookie if not present.
+ * For unsafe methods (POST, PUT, PATCH, DELETE), validates the token.
+ *
+ * @param options - CSRF configuration
+ * @returns Express middleware
+ *
+ * @example
+ * // Basic usage
+ * app.use(csrfProtection());
+ *
+ * @example
+ * // Exclude webhook paths
+ * app.use(csrfProtection({
+ *   excludePaths: ['/api/webhooks/stripe', '/api/webhooks/github']
+ * }));
+ *
+ * @example
+ * // Client-side: read cookie + set header
+ * const token = document.cookie.match(/_csrf=([^;]+)/)?.[1];
+ * fetch('/api/data', {
+ *   method: 'POST',
+ *   headers: { 'X-CSRF-Token': token },
+ *   credentials: 'same-origin'
+ * });
+ */
+declare function csrfProtection(options?: CsrfOptions): RequestHandler;
+/** Alias for csrfProtection */
+declare const createCsrf: typeof csrfProtection;
+export { validateCsrfToken as A, type BotCategory as B, type CorsOptions as C, type SecureCookieOptions as S, type TokenBucketMiddleware as T, type BotDetectionResult as a, type BotProtectionOptions as b, type CsrfOptions as c, type SlidingWindowMiddleware as d, type SlidingWindowOptions as e, type TokenBucketOptions as f, arcis as g, arcisWithMethods as h, botProtection as i, createCors as j, createCsrf as k, createErrorHandler as l, createHeaders as m, createRateLimiter as n, createSecureCookies as o, createSlidingWindowLimiter as p, createTokenBucketLimiter as q, csrfProtection as r, detectBot as s, enforceSecureCookie as t, errorHandler as u, generateCsrfToken as v, rateLimit as w, safeCors as x, secureCookieDefaults as y, securityHeaders as z };

package/dist/index.d.mts CHANGED Viewed

@@ -1,10 +1,10 @@
-export { B as BotCategory, a as BotDetectionResult, b as BotProtectionOptions, C as CorsOptions, S as SecureCookieOptions, c as SlidingWindowMiddleware, d as SlidingWindowOptions, T as TokenBucketMiddleware, e as TokenBucketOptions, f as arcis, g as arcisFunction, h as botProtection, i as createCors, j as createErrorHandler, k as createHeaders, l as createRateLimiter, m as createSecureCookies, n as createSlidingWindowLimiter, o as createTokenBucketLimiter, g as default, p as detectBot, q as enforceSecureCookie, r as errorHandler, s as rateLimit, t as safeCors, u as secureCookieDefaults, v as securityHeaders } from './index-CCcPuTBo.mjs';
-export { c as createSanitizer, d as detectCommandInjection, a as detectHeaderInjection, b as detectNoSqlInjection, e as detectPathTraversal, f as detectPrototypePollution, g as detectSql, h as detectXss, k as isDangerousNoSqlKey, l as isDangerousProtoKey, s as sanitizeCommand, m as sanitizeHeaderValue, n as sanitizeHeaders, o as sanitizeObject, p as sanitizePath, q as sanitizeSql, r as sanitizeString, t as sanitizeXss } from './headers-DBQedhrb.mjs';
-export { E as EmailValidationOptions, a as EmailValidationResult, F as FileInput, V as ValidateFileOptions, b as ValidateFileResult, c as ValidateRedirectOptions, d as ValidateRedirectResult, e as ValidateUrlOptions, f as ValidateUrlResult, g as createValidator, i as isDangerousExtension, h as isRedirectSafe, j as isUrlSafe, k as isValidEmailSyntax, s as sanitizeFilename, v as validate, l as validateEmail, m as validateFile, n as validateRedirect, o as validateUrl, p as verifyEmailMx } from './index-CslcoZUN.mjs';
+export { B as BotCategory, a as BotDetectionResult, b as BotProtectionOptions, C as CorsOptions, c as CsrfOptions, S as SecureCookieOptions, d as SlidingWindowMiddleware, e as SlidingWindowOptions, T as TokenBucketMiddleware, f as TokenBucketOptions, g as arcis, h as arcisFunction, i as botProtection, j as createCors, k as createCsrf, l as createErrorHandler, m as createHeaders, n as createRateLimiter, o as createSecureCookies, p as createSlidingWindowLimiter, q as createTokenBucketLimiter, r as csrfProtection, h as default, s as detectBot, t as enforceSecureCookie, u as errorHandler, v as generateCsrfToken, w as rateLimit, x as safeCors, y as secureCookieDefaults, z as securityHeaders, A as validateCsrfToken } from './index-CgK94hY_.mjs';
+export { P as PiiMatch, F as PiiRedactOptions, G as PiiScanOptions, H as PiiType, c as createSanitizer, d as detectCommandInjection, a as detectHeaderInjection, b as detectJsonpInjection, e as detectNoSqlInjection, f as detectPathTraversal, g as detectPii, h as detectPrototypePollution, i as detectSql, j as detectSsti, k as detectXss, l as detectXxe, o as isDangerousNoSqlKey, p as isDangerousProtoKey, r as redactObjectPii, q as redactPii, s as sanitizeCommand, t as sanitizeHeaderValue, u as sanitizeHeaders, v as sanitizeJsonpCallback, w as sanitizeObject, x as sanitizePath, y as sanitizeSql, z as sanitizeSsti, A as sanitizeString, B as sanitizeXss, C as sanitizeXxe, D as scanObjectPii, E as scanPii } from './pii-CXcHMlnX.mjs';
+export { E as EmailValidationOptions, a as EmailValidationResult, F as FileInput, V as ValidateFileOptions, b as ValidateFileResult, c as ValidateRedirectOptions, d as ValidateRedirectResult, e as ValidateUrlOptions, f as ValidateUrlResult, g as createValidator, i as isDangerousExtension, h as isRedirectSafe, j as isUrlSafe, k as isValidEmailSyntax, s as sanitizeFilename, v as validate, l as validateEmail, m as validateFile, n as validateRedirect, o as validateUrl, p as verifyEmailMx } from './index-A-m-pPeW.mjs';
 import { IncomingMessage } from 'http';
 export { createRedactor, createSafeLogger, safeLog } from './logging/index.mjs';
 export { MemoryStore, RedisClientLike, RedisStore, RedisStoreOptions, createRedisStore } from './stores/index.mjs';
-export { A as ArcisFunction, a as ArcisMiddleware, b as ArcisOptions, E as ErrorHandlerOptions, F as FieldValidator, H as HeaderOptions, c as HstsOptions, d as HttpError, L as LogOptions, R as RateLimitEntry, e as RateLimitOptions, f as RateLimitResult, g as RateLimitStore, h as RateLimiterMiddleware, S as SafeLogger, i as SanitizeOptions, j as SanitizeResult, T as ThreatInfo, k as ThreatType, V as ValidationConfig, l as ValidationError, m as ValidationResult, n as ValidationSchema } from './types-BOdL3ZWo.mjs';
+export { A as ArcisFunction, a as ArcisMiddleware, b as ArcisOptions, E as ErrorHandlerOptions, F as FieldValidator, H as HeaderOptions, c as HstsOptions, d as HttpError, L as LogOptions, R as RateLimitEntry, e as RateLimitOptions, f as RateLimitResult, g as RateLimitStore, h as RateLimiterMiddleware, S as SafeLogger, i as SanitizeOptions, j as SanitizeResult, T as ThreatInfo, k as ThreatType, V as ValidationConfig, l as ValidationError, m as ValidationResult, n as ValidationSchema } from './types-CsOFHoD9.mjs';
 export { ArcisError, ArcisValidationError, BLOCKED, ERRORS, HEADERS, INPUT, InputTooLargeError, RATE_LIMIT, REDACTION, RateLimitError, SanitizationError, SecurityThreatError, VALIDATION } from './core/index.mjs';
 import 'express';

package/dist/index.d.ts CHANGED Viewed

@@ -1,10 +1,10 @@
-export { B as BotCategory, a as BotDetectionResult, b as BotProtectionOptions, C as CorsOptions, S as SecureCookieOptions, c as SlidingWindowMiddleware, d as SlidingWindowOptions, T as TokenBucketMiddleware, e as TokenBucketOptions, f as arcis, g as arcisFunction, h as botProtection, i as createCors, j as createErrorHandler, k as createHeaders, l as createRateLimiter, m as createSecureCookies, n as createSlidingWindowLimiter, o as createTokenBucketLimiter, g as default, p as detectBot, q as enforceSecureCookie, r as errorHandler, s as rateLimit, t as safeCors, u as secureCookieDefaults, v as securityHeaders } from './index-BvcFpoR3.js';
-export { c as createSanitizer, d as detectCommandInjection, a as detectHeaderInjection, b as detectNoSqlInjection, e as detectPathTraversal, f as detectPrototypePollution, g as detectSql, h as detectXss, k as isDangerousNoSqlKey, l as isDangerousProtoKey, s as sanitizeCommand, m as sanitizeHeaderValue, n as sanitizeHeaders, o as sanitizeObject, p as sanitizePath, q as sanitizeSql, r as sanitizeString, t as sanitizeXss } from './headers-BJq2OA0i.js';
-export { E as EmailValidationOptions, a as EmailValidationResult, F as FileInput, V as ValidateFileOptions, b as ValidateFileResult, c as ValidateRedirectOptions, d as ValidateRedirectResult, e as ValidateUrlOptions, f as ValidateUrlResult, g as createValidator, i as isDangerousExtension, h as isRedirectSafe, j as isUrlSafe, k as isValidEmailSyntax, s as sanitizeFilename, v as validate, l as validateEmail, m as validateFile, n as validateRedirect, o as validateUrl, p as verifyEmailMx } from './index-iCOw8Fcg.js';
+export { B as BotCategory, a as BotDetectionResult, b as BotProtectionOptions, C as CorsOptions, c as CsrfOptions, S as SecureCookieOptions, d as SlidingWindowMiddleware, e as SlidingWindowOptions, T as TokenBucketMiddleware, f as TokenBucketOptions, g as arcis, h as arcisFunction, i as botProtection, j as createCors, k as createCsrf, l as createErrorHandler, m as createHeaders, n as createRateLimiter, o as createSecureCookies, p as createSlidingWindowLimiter, q as createTokenBucketLimiter, r as csrfProtection, h as default, s as detectBot, t as enforceSecureCookie, u as errorHandler, v as generateCsrfToken, w as rateLimit, x as safeCors, y as secureCookieDefaults, z as securityHeaders, A as validateCsrfToken } from './index-D_bdJcF0.js';
+export { P as PiiMatch, F as PiiRedactOptions, G as PiiScanOptions, H as PiiType, c as createSanitizer, d as detectCommandInjection, a as detectHeaderInjection, b as detectJsonpInjection, e as detectNoSqlInjection, f as detectPathTraversal, g as detectPii, h as detectPrototypePollution, i as detectSql, j as detectSsti, k as detectXss, l as detectXxe, o as isDangerousNoSqlKey, p as isDangerousProtoKey, r as redactObjectPii, q as redactPii, s as sanitizeCommand, t as sanitizeHeaderValue, u as sanitizeHeaders, v as sanitizeJsonpCallback, w as sanitizeObject, x as sanitizePath, y as sanitizeSql, z as sanitizeSsti, A as sanitizeString, B as sanitizeXss, C as sanitizeXxe, D as scanObjectPii, E as scanPii } from './pii-DhNpl7M3.js';
+export { E as EmailValidationOptions, a as EmailValidationResult, F as FileInput, V as ValidateFileOptions, b as ValidateFileResult, c as ValidateRedirectOptions, d as ValidateRedirectResult, e as ValidateUrlOptions, f as ValidateUrlResult, g as createValidator, i as isDangerousExtension, h as isRedirectSafe, j as isUrlSafe, k as isValidEmailSyntax, s as sanitizeFilename, v as validate, l as validateEmail, m as validateFile, n as validateRedirect, o as validateUrl, p as verifyEmailMx } from './index-Co5kPRZz.js';
 import { IncomingMessage } from 'http';
 export { createRedactor, createSafeLogger, safeLog } from './logging/index.js';
 export { MemoryStore, RedisClientLike, RedisStore, RedisStoreOptions, createRedisStore } from './stores/index.js';
-export { A as ArcisFunction, a as ArcisMiddleware, b as ArcisOptions, E as ErrorHandlerOptions, F as FieldValidator, H as HeaderOptions, c as HstsOptions, d as HttpError, L as LogOptions, R as RateLimitEntry, e as RateLimitOptions, f as RateLimitResult, g as RateLimitStore, h as RateLimiterMiddleware, S as SafeLogger, i as SanitizeOptions, j as SanitizeResult, T as ThreatInfo, k as ThreatType, V as ValidationConfig, l as ValidationError, m as ValidationResult, n as ValidationSchema } from './types-BOdL3ZWo.js';
+export { A as ArcisFunction, a as ArcisMiddleware, b as ArcisOptions, E as ErrorHandlerOptions, F as FieldValidator, H as HeaderOptions, c as HstsOptions, d as HttpError, L as LogOptions, R as RateLimitEntry, e as RateLimitOptions, f as RateLimitResult, g as RateLimitStore, h as RateLimiterMiddleware, S as SafeLogger, i as SanitizeOptions, j as SanitizeResult, T as ThreatInfo, k as ThreatType, V as ValidationConfig, l as ValidationError, m as ValidationResult, n as ValidationSchema } from './types-CsOFHoD9.js';
 export { ArcisError, ArcisValidationError, BLOCKED, ERRORS, HEADERS, INPUT, InputTooLargeError, RATE_LIMIT, REDACTION, RateLimitError, SanitizationError, SecurityThreatError, VALIDATION } from './core/index.js';
 import 'express';