@arcis/node 1.1.0 → 1.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (50) hide show
  1. package/README.md +156 -211
  2. package/dist/core/index.d.mts +4 -4
  3. package/dist/core/index.d.ts +4 -4
  4. package/dist/core/index.js +13 -2
  5. package/dist/core/index.js.map +1 -1
  6. package/dist/core/index.mjs +13 -2
  7. package/dist/core/index.mjs.map +1 -1
  8. package/dist/{index-CslcoZUN.d.mts → index-A-m-pPeW.d.mts} +1 -1
  9. package/dist/{index-CCcPuTBo.d.mts → index-CgK94hY_.d.mts} +96 -2
  10. package/dist/{index-iCOw8Fcg.d.ts → index-Co5kPRZz.d.ts} +1 -1
  11. package/dist/{index-BvcFpoR3.d.ts → index-D_bdJcF0.d.ts} +96 -2
  12. package/dist/index.d.mts +4 -4
  13. package/dist/index.d.ts +4 -4
  14. package/dist/index.js +553 -5
  15. package/dist/index.js.map +1 -1
  16. package/dist/index.mjs +540 -7
  17. package/dist/index.mjs.map +1 -1
  18. package/dist/logging/index.d.mts +1 -1
  19. package/dist/logging/index.d.ts +1 -1
  20. package/dist/logging/index.js +12 -1
  21. package/dist/logging/index.js.map +1 -1
  22. package/dist/logging/index.mjs +12 -1
  23. package/dist/logging/index.mjs.map +1 -1
  24. package/dist/middleware/index.d.mts +2 -2
  25. package/dist/middleware/index.d.ts +2 -2
  26. package/dist/middleware/index.js +146 -4
  27. package/dist/middleware/index.js.map +1 -1
  28. package/dist/middleware/index.mjs +143 -5
  29. package/dist/middleware/index.mjs.map +1 -1
  30. package/dist/{headers-DBQedhrb.d.mts → pii-CXcHMlnX.d.mts} +156 -2
  31. package/dist/{headers-BJq2OA0i.d.ts → pii-DhNpl7M3.d.ts} +156 -2
  32. package/dist/sanitizers/index.d.mts +2 -2
  33. package/dist/sanitizers/index.d.ts +2 -2
  34. package/dist/sanitizers/index.js +331 -3
  35. package/dist/sanitizers/index.js.map +1 -1
  36. package/dist/sanitizers/index.mjs +321 -4
  37. package/dist/sanitizers/index.mjs.map +1 -1
  38. package/dist/stores/index.d.mts +1 -1
  39. package/dist/stores/index.d.ts +1 -1
  40. package/dist/stores/index.js.map +1 -1
  41. package/dist/stores/index.mjs.map +1 -1
  42. package/dist/{types-BOdL3ZWo.d.mts → types-CsOFHoD9.d.mts} +6 -1
  43. package/dist/{types-BOdL3ZWo.d.ts → types-CsOFHoD9.d.ts} +6 -1
  44. package/dist/validation/index.d.mts +2 -2
  45. package/dist/validation/index.d.ts +2 -2
  46. package/dist/validation/index.js +105 -3
  47. package/dist/validation/index.js.map +1 -1
  48. package/dist/validation/index.mjs +105 -3
  49. package/dist/validation/index.mjs.map +1 -1
  50. package/package.json +114 -114
package/dist/logging/index.d.mts CHANGED
@@ -1,4 +1,4 @@
1
- import { L as LogOptions, S as SafeLogger } from '../types-BOdL3ZWo.mjs';
1
+ import { L as LogOptions, S as SafeLogger } from '../types-CsOFHoD9.mjs';
2
2
  import 'express';
3
3
 
4
4
  /**
package/dist/logging/index.d.ts CHANGED
@@ -1,4 +1,4 @@
1
- import { L as LogOptions, S as SafeLogger } from '../types-BOdL3ZWo.js';
1
+ import { L as LogOptions, S as SafeLogger } from '../types-CsOFHoD9.js';
2
2
  import 'express';
3
3
 
4
4
  /**
package/dist/logging/index.js CHANGED
@@ -48,12 +48,21 @@ var REDACTION = {
48
48
  };
49
49
 
50
50
  // src/logging/redactor.ts
51
+ var LOG_LEVELS = {
52
+ debug: 0,
53
+ info: 1,
54
+ warn: 2,
55
+ error: 3,
56
+ silent: 4
57
+ };
51
58
  function createSafeLogger(options = {}) {
52
59
  const {
53
60
  redactKeys = [],
54
61
  maxLength = REDACTION.DEFAULT_MAX_LENGTH,
55
- redactPatterns = []
62
+ redactPatterns = [],
63
+ level: minLevel = "debug"
56
64
  } = options;
65
+ const minLevelNum = LOG_LEVELS[minLevel] ?? 0;
57
66
  const allRedactKeys = /* @__PURE__ */ new Set([
58
67
  ...Array.from(REDACTION.SENSITIVE_KEYS),
59
68
  ...redactKeys.map((k) => k.toLowerCase())
@@ -79,6 +88,8 @@ function createSafeLogger(options = {}) {
79
88
  return result;
80
89
  }
81
90
  function log(level, message, data) {
91
+ const levelNum = LOG_LEVELS[level] ?? 0;
92
+ if (levelNum < minLevelNum) return;
82
93
  const entry = {
83
94
  timestamp: (/* @__PURE__ */ new Date()).toISOString(),
84
95
  level,
package/dist/logging/index.js.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"sources":["../../src/core/constants.ts","../../src/logging/redactor.ts"],"names":[],"mappings":";;;AAQO,IAAM,KAAA,GAAQ;AAAA,EAED;AAAA,EAElB,mBAAA,EAAqB;AACvB,CAAA;AAiOO,IAAM,SAAA,GAAY;AAAA;AAAA,EAEvB,WAAA,EAAa,YAAA;AAAA;AAAA,EAEb,SAAA,EAAW,aAAA;AAAA;AAAA,EAEX,SAAA,EAAW,aAAA;AAAA;AAAA,EAEX,kBAAA,EAAoB,GAAA;AAAA;AAAA,EAEpB,cAAA,sBAAoB,GAAA,CAAI;AAAA,IACtB,UAAA;AAAA,IAAY,QAAA;AAAA,IAAU,KAAA;AAAA,IAAO,QAAA;AAAA,IAAU,OAAA;AAAA,IAAS,QAAA;AAAA,IAChD,SAAA;AAAA,IAAW,QAAA;AAAA,IAAU,MAAA;AAAA,IAAQ,eAAA;AAAA,IAAiB,aAAA;AAAA,IAC9C,YAAA;AAAA,IAAc,IAAA;AAAA,IAAM,KAAA;AAAA,IAAO,iBAAA;AAAA,IAAmB,aAAA;AAAA,IAC9C,YAAA;AAAA,IAAc,cAAA;AAAA,IAAgB,aAAA;AAAA,IAAe,eAAA;AAAA,IAC7C,cAAA;AAAA,IAAgB,QAAA;AAAA,IAAU,KAAA;AAAA,IAAO,SAAA;AAAA,IAAW,QAAA;AAAA,IAC5C,aAAA;AAAA,IAAe,WAAA;AAAA,IAAa;AAAA,GAC7B;AACH,CAAA;;;ACzOO,SAAS,gBAAA,CAAiB,OAAA,GAAsB,EAAC,EAAe;AACrE,EAAA,MAAM;AAAA,IACJ,aAAa,EAAC;AAAA,IACd,YAAY,SAAA,CAAU,kBAAA;AAAA,IACtB,iBAAiB;AAAC,GACpB,GAAI,OAAA;AAGJ,EAAA,MAAM,aAAA,uBAAoB,GAAA,CAAI;AAAA,IAC5B,GAAG,KAAA,CAAM,IAAA,CAAK,SAAA,CAAU,cAAc,CAAA;AAAA,IACtC,GAAG,UAAA,CAAW,GAAA,CAAI,CAAA,CAAA,KAAK,CAAA,CAAE,aAAa;AAAA,GACvC,CAAA;AAKD,EAAA,SAAS,MAAA,CAAO,GAAA,EAAc,KAAA,GAAQ,CAAA,EAAY;AAChD,IAAA,IAAI,KAAA,GAAQ,KAAA,CAAM,mBAAA,EAAqB,OAAO,SAAA,CAAU,SAAA;AACxD,IAAA,IAAI,GAAA,KAAQ,IAAA,IAAQ,GAAA,KAAQ,MAAA,EAAW,OAAO,GAAA;AAE9C,IAAA,IAAI,OAAO,QAAQ,QAAA,EAAU;AAC3B,MAAA,OAAO,YAAA,CAAa,GAAA,EAAK,SAAA,EAAW,cAAc,CAAA;AAAA,IACpD;AAEA,IAAA,IAAI,OAAO,GAAA,KAAQ,QAAA,EAAU,OAAO,GAAA;AAEpC,IAAA,IAAI,KAAA,CAAM,OAAA,CAAQ,GAAG,CAAA,EAAG;AACtB,MAAA,OAAO,IAAI,GAAA,CAAI,CAAA,IAAA,KAAQ,OAAO,IAAA,EAAM,KAAA,GAAQ,CAAC,CAAC,CAAA;AAAA,IAChD;AAEA,IAAA,MAAM,SAAkC,EAAC;AACzC,IAAA,KAAA,MAAW,CAAC,GAAA,EAAK,KAAK,KAAK,MAAA,CAAO,OAAA,CAAQ,GAA8B,CAAA,EAAG;AACzE,MAAA,IAAI,aAAA,CAAc,GAAA,CAAI,GAAA,CAAI,WAAA,EAAa,CAAA,EAAG;AACxC,QAAA,MAAA,CAAO,GAAG,IAAI,SAAA,CAAU,WAAA;AAAA,MAC1B,CAAA,MAAO;AACL,QAAA,MAAA,CAAO,GAAG,CAAA,GAAI,MAAA,CAAO,KAAA,EAAO,QAAQ,CAAC,CAAA;AAAA,MACvC;AAAA,IACF;AACA,IAAA,OAAO,MAAA;AAAA,EACT;AAKA,EAAA,SAAS,GAAA,CAAI,KAAA,EAAe,OAAA,EAAiB,IAAA,EAAsB;AACjE,IAAA,MAAM,KAAA,GAAiC;AAAA,MACrC,SAAA,EAAA,iBAAW,IAAI,IAAA,EAAK,EAAE,WAAA,EAAY;AAAA,MAClC,KAAA;AAAA,MACA,OAAA,EAAS,YAAA,CAAa,OAAA,EAAS,SAAA,EAAW,cAAc;AAAA,KAC1D;AAEA,IAAA,IAAI,SAAS,MAAA,EAAW;AACtB,MAAA,KAAA,CAAM,IAAA,GAAO,OAAO,IAAI,CAAA;AAAA,IAC1B;AAEA,IAAA,OAAA,CAAQ,GAAA,CAAI,IAAA,CAAK,SAAA,CAAU,KAAK,CAAC,CAAA;AAAA,EACnC;AAEA,EAAA,OAAO;AAAA,IACL,GAAA;AAAA,IACA,MAAM,CAAC,GAAA,EAAa,SAAmB,GAAA,CAAI,MAAA,EAAQ,KAAK,IAAI,CAAA;AAAA,IAC5D,MAAM,CAAC,GAAA,EAAa,SAAmB,GAAA,CAAI,MAAA,EAAQ,KAAK,IAAI,CAAA;AAAA,IAC5D,OAAO,CAAC,GAAA,EAAa,SAAmB,GAAA,CAAI,OAAA,EAAS,KAAK,IAAI,CAAA;AAAA,IAC9D,OAAO,CAAC,GAAA,EAAa,SAAmB,GAAA,CAAI,OAAA,EAAS,KAAK,IAAI;AAAA,GAChE;AACF;AAMA,SAAS,YAAA,CAAa,GAAA,EAAa,SAAA,EAAmB,QAAA,EAA4B;AAIhF,EAAA,IAAI,IAAA,GAAO,IACR,OAAA,CAAQ,WAAA,EAAa,GAAG,CAAA,CACxB,OAAA,CAAQ,8CAA8C,EAAE,CAAA;AAG3D,EAAA,KAAA,MAAW,WAAW,QAAA,EAAU;AAC9B,IAAA,IAAA,GAAO,IAAA,CAAK,OAAA,CAAQ,OAAA,EAAS,SAAA,CAAU,WAAW,CAAA;AAAA,EACpD;AAGA,EAAA,IAAI,IAAA,CAAK,SAAS,SAAA,EAAW;AAC3B,IAAA,IAAA,GAAO,KAAK,SAAA,CAAU,CAAA,EAAG,SAAS,CAAA,GAAI,CAAA,GAAA,EAAM,UAAU,SAAS,CAAA,CAAA;AAAA,EACjE;AAEA,EAAA,OAAO,IAAA;AACT;AAQO,SAAS,cAAA,CAAe,aAAA,GAA0B,EAAC,EAA8B;AACtF,EAAA,MAAM,OAAA,uBAAc,GAAA,CAAI;AAAA,IACtB,GAAG,KAAA,CAAM,IAAA,CAAK,SAAA,CAAU,cAAc,CAAA;AAAA,IACtC,GAAG,aAAA,CAAc,GAAA,CAAI,CAAA,CAAA,KAAK,CAAA,CAAE,aAAa;AAAA,GAC1C,CAAA;AAED,EAAA,SAAS,MAAA,CAAO,GAAA,EAAc,KAAA,GAAQ,CAAA,EAAY;AAChD,IAAA,IAAI,KAAA,GAAQ,KAAA,CAAM,mBAAA,EAAqB,OAAO,SAAA,CAAU,SAAA;AACxD,IAAA,IAAI,GAAA,KAAQ,IAAA,IAAQ,GAAA,KAAQ,MAAA,EAAW,OAAO,GAAA;AAC9C,IAAA,IAAI,OAAO,GAAA,KAAQ,QAAA,EAAU,OAAO,GAAA;AAEpC,IAAA,IAAI,KAAA,CAAM,OAAA,CAAQ,GAAG,CAAA,EAAG;AACtB,MAAA,OAAO,IAAI,GAAA,CAAI,CAAA,IAAA,KAAQ,OAAO,IAAA,EAAM,KAAA,GAAQ,CAAC,CAAC,CAAA;AAAA,IAChD;AAEA,IAAA,MAAM,SAAkC,EAAC;AACzC,IAAA,KAAA,MAAW,CAAC,GAAA,EAAK,KAAK,KAAK,MAAA,CAAO,OAAA,CAAQ,GAA8B,CAAA,EAAG;AACzE,MAAA,IAAI,OAAA,CAAQ,GAAA,CAAI,GAAA,CAAI,WAAA,EAAa,CAAA,EAAG;AAClC,QAAA,MAAA,CAAO,GAAG,IAAI,SAAA,CAAU,WAAA;AAAA,MAC1B,CAAA,MAAO;AACL,QAAA,MAAA,CAAO,GAAG,CAAA,GAAI,MAAA,CAAO,KAAA,EAAO,QAAQ,CAAC,CAAA;AAAA,MACvC;AAAA,IACF;AACA,IAAA,OAAO,MAAA;AAAA,EACT;AAEA,EAAA,OAAO,MAAA;AACT;AAMO,IAAM,OAAA,GAAU","file":"index.js","sourcesContent":["/**\r\n * @module @arcis/node/core/constants\r\n * Named constants for Arcis - no magic numbers\r\n */\r\n\r\n// =============================================================================\r\n// INPUT LIMITS\r\n// =============================================================================\r\nexport const INPUT = {\r\n /** Default maximum input size (1MB) */\r\n DEFAULT_MAX_SIZE: 1_000_000,\r\n /** Maximum recursion depth for nested objects */\r\n MAX_RECURSION_DEPTH: 10,\r\n} as const;\r\n\r\n// =============================================================================\r\n// RATE LIMITING\r\n// =============================================================================\r\nexport const RATE_LIMIT = {\r\n /** Default window size (1 minute) */\r\n DEFAULT_WINDOW_MS: 60_000,\r\n /** Default max requests per window */\r\n DEFAULT_MAX_REQUESTS: 100,\r\n /** Default HTTP status code for rate limited responses */\r\n DEFAULT_STATUS_CODE: 429,\r\n /** Default error message */\r\n DEFAULT_MESSAGE: 'Too many requests, please try again later.',\r\n /** Minimum window size (1 second) */\r\n MIN_WINDOW_MS: 1_000,\r\n /** Maximum window size (24 hours) */\r\n MAX_WINDOW_MS: 86_400_000,\r\n} as const;\r\n\r\n// =============================================================================\r\n// SECURITY HEADERS\r\n// =============================================================================\r\nexport const HEADERS = {\r\n /** Default Content Security Policy */\r\n DEFAULT_CSP: [\r\n \"default-src 'self'\",\r\n \"script-src 'self'\",\r\n \"style-src 'self' 'unsafe-inline'\",\r\n \"img-src 'self' data: https:\",\r\n \"font-src 'self'\",\r\n \"object-src 'none'\",\r\n \"frame-ancestors 'none'\",\r\n ].join('; '),\r\n /** Default HSTS max age (1 year in seconds) */\r\n HSTS_MAX_AGE: 31_536_000,\r\n /** Default X-Frame-Options value */\r\n FRAME_OPTIONS: 'DENY' as const,\r\n /** Default X-Content-Type-Options value */\r\n CONTENT_TYPE_OPTIONS: 'nosniff',\r\n /** Default Referrer-Policy value */\r\n REFERRER_POLICY: 'strict-origin-when-cross-origin',\r\n /** Default Permissions-Policy value */\r\n PERMISSIONS_POLICY: 'geolocation=(), microphone=(), camera=()',\r\n /** Default Cache-Control value for security */\r\n CACHE_CONTROL: 'no-store, no-cache, must-revalidate, proxy-revalidate',\r\n} as const;\r\n\r\n// =============================================================================\r\n// XSS PATTERNS (ReDoS-safe)\r\n// =============================================================================\r\n\r\n/**\r\n * Detection patterns — used to flag whether a string contains XSS payloads.\r\n * Must stay in sync with XSS_REMOVE_PATTERNS below.\r\n */\r\nexport const XSS_PATTERNS = [\r\n /** Script tags (ReDoS-safe version) */\r\n /<script[^>]*>[\\s\\S]*?<\\/script>/gi,\r\n /** javascript: protocol (allow optional spaces before colon) */\r\n /javascript\\s*:/gi,\r\n /** vbscript: protocol */\r\n /vbscript\\s*:/gi,\r\n /** Event handlers (onclick, onerror, etc.) — any separator before attribute */\r\n /(?:[\\s/])on\\w+\\s*=/gi,\r\n /** iframe tags */\r\n /<iframe/gi,\r\n /** object tags */\r\n /<object/gi,\r\n /** embed tags */\r\n /<embed/gi,\r\n /** data: URIs (only dangerous ones, avoid false positives) */\r\n /(?:^|[\\s\"'=])data:/gi,\r\n /** URL-encoded script tags */\r\n /%3Cscript/gi,\r\n /** SVG with onload */\r\n /<svg[^>]*onload/gi,\r\n] as const;\r\n\r\n/**\r\n * Removal patterns — used by sanitizeXss() to strip dangerous content.\r\n * More targeted than XSS_PATTERNS: each pattern captures the full dangerous\r\n * substring (tag, attribute + value, protocol) so it can be replaced safely.\r\n * Must stay in sync with XSS_PATTERNS above.\r\n */\r\nexport const XSS_REMOVE_PATTERNS = [\r\n /** Full script blocks (content + tags) */\r\n /<script[^>]*>[\\s\\S]*?<\\/script>/gi,\r\n /** Standalone/unclosed script tags */\r\n /<script[^>]*>/gi,\r\n /** iframe — full block and partial/unclosed */\r\n /<iframe[^>]*>[\\s\\S]*?<\\/iframe>/gi,\r\n /<iframe[^>]*/gi,\r\n /** object — full block and partial/unclosed */\r\n /<object[^>]*>[\\s\\S]*?<\\/object>/gi,\r\n /<object[^>]*/gi,\r\n /** embed tags */\r\n /<embed[^>]*/gi,\r\n /** SVG with inline event handlers */\r\n /<svg[^>]*onload[^>]*>/gi,\r\n /** URL-encoded script tags */\r\n /%3Cscript/gi,\r\n /** Event handlers with quoted values: onclick=\"...\", onerror='...' */\r\n /(?:[\\s/])on\\w+\\s*=\\s*[\"'][^\"']*[\"']/gi,\r\n /** Event handlers with unquoted values: onload=value */\r\n /(?:[\\s/])on\\w+\\s*=\\s*[^\\s>]*/gi,\r\n /** javascript: and vbscript: protocols (allow optional spaces before colon) */\r\n /javascript\\s*:/gi,\r\n /vbscript\\s*:/gi,\r\n /** data: URIs with HTML/script content */\r\n /data\\s*:\\s*text\\/html[^>\\s]*/gi,\r\n] as const;\r\n\r\n// =============================================================================\r\n// SQL INJECTION PATTERNS\r\n// =============================================================================\r\nexport const SQL_PATTERNS = [\r\n /** SQL keywords */\r\n /(\\b(SELECT|INSERT|UPDATE|DELETE|DROP|UNION|ALTER|CREATE|TRUNCATE|EXEC|EXECUTE)\\b)/gi,\r\n /** SQL comments: ANSI (--), C-style (slash-star ... star-slash), MySQL (#) */\r\n /(--|\\/\\*|\\*\\/|#)/g,\r\n /** SQL statement separators */\r\n /(;|\\|\\||&&)/g,\r\n /** Boolean injection: OR 1=1 */\r\n /\\bOR\\s+\\d+\\s*=\\s*\\d+/gi,\r\n /** Boolean injection: OR 'a'='a' or OR \"a\"=\"a\" (including mixed quotes) */\r\n /\\bOR\\s+(['\"])[^'\"]*\\1\\s*=\\s*(['\"])[^'\"]*\\2/gi,\r\n /\\bOR\\s+('[^']*'|\"[^\"]*\")\\s*=\\s*('[^']*'|\"[^\"]*\")/gi,\r\n /** Boolean injection: AND 1=1 */\r\n /\\bAND\\s+\\d+\\s*=\\s*\\d+/gi,\r\n /** Boolean injection: AND 'a'='a' or AND \"a\"=\"a\" (including mixed quotes) */\r\n /\\bAND\\s+(['\"])[^'\"]*\\1\\s*=\\s*(['\"])[^'\"]*\\2/gi,\r\n /\\bAND\\s+('[^']*'|\"[^\"]*\")\\s*=\\s*('[^']*'|\"[^\"]*\")/gi,\r\n /** Time-based blind: SLEEP() */\r\n /\\bSLEEP\\s*\\(\\s*\\d+\\s*\\)/gi,\r\n /** Time-based blind: BENCHMARK() */\r\n /\\bBENCHMARK\\s*\\(/gi,\r\n] as const;\r\n\r\n// =============================================================================\r\n// PATH TRAVERSAL PATTERNS\r\n// =============================================================================\r\nexport const PATH_PATTERNS = [\r\n /** Unix path traversal */\r\n /\\.\\.\\//g,\r\n /** Windows path traversal */\r\n /\\.\\.\\\\/g,\r\n /** URL-encoded traversal (%2e%2e) */\r\n /%2e%2e/gi,\r\n /** Double URL-encoded traversal (%252e) */\r\n /%252e/gi,\r\n /** Mixed encoding: ..%2F */\r\n /\\.\\.%2F/gi,\r\n /** Mixed encoding: %2e./ and .%2e/ */\r\n /%2e\\.[\\\\/]/gi,\r\n /\\.%2e[\\\\/]/gi,\r\n /** Fully URL-encoded: %2e%2e%2f */\r\n /%2e%2e%2f/gi,\r\n /** Null byte injection in paths */\r\n /\\0/g,\r\n] as const;\r\n\r\n// =============================================================================\r\n// COMMAND INJECTION PATTERNS\r\n// =============================================================================\r\nexport const COMMAND_PATTERNS = [\r\n /**\r\n * Shell metacharacters that enable command chaining/substitution.\r\n * Bare ( and ) are excluded — they appear in common legitimate values\r\n * (function calls in code fields, math expressions, etc.).\r\n * Command substitution is caught by the $( combined pattern below.\r\n * NOTE: ';', '&', '|' may appear in legitimate URL query strings\r\n * and Markdown; consider disabling command checking (command: false)\r\n * for fields that intentionally allow those characters.\r\n */\r\n /[;&|`]/g,\r\n /** Command substitution: $( ... ) — matched as a pair to reduce false positives */\r\n /\\$\\(/g,\r\n] as const;\r\n\r\n// =============================================================================\r\n// DANGEROUS KEYS\r\n// =============================================================================\r\n\r\n/**\r\n * Prototype pollution keys to block.\r\n * Stored lowercase — always compare with key.toLowerCase().\r\n *\r\n * Includes:\r\n * - __proto__: direct prototype assignment\r\n * - constructor: access to constructor.prototype chain\r\n * - prototype: direct prototype property\r\n * - __defineGetter__/__defineSetter__: legacy property definition (can override getters/setters)\r\n * - __lookupGetter__/__lookupSetter__: legacy property introspection\r\n */\r\nexport const DANGEROUS_PROTO_KEYS = new Set([\r\n '__proto__',\r\n 'constructor',\r\n 'prototype',\r\n '__definegetter__',\r\n '__definesetter__',\r\n '__lookupgetter__',\r\n '__lookupsetter__',\r\n]);\r\n\r\n/** MongoDB operators to block */\r\nexport const NOSQL_DANGEROUS_KEYS = new Set([\r\n // Comparison\r\n '$gt', '$gte', '$lt', '$lte', '$ne', '$eq', '$in', '$nin',\r\n // Logical\r\n '$and', '$or', '$not', '$nor',\r\n // Element / evaluation\r\n '$exists', '$type', '$regex', '$where', '$expr', '$mod', '$text',\r\n // Array\r\n '$elemMatch', '$all', '$size',\r\n // JavaScript execution (critical)\r\n '$function', '$accumulator',\r\n // Aggregation pipeline operators (injectable via $lookup etc.)\r\n '$lookup', '$match', '$project', '$group', '$sort', '$limit', '$skip',\r\n '$unwind', '$addFields', '$replaceRoot',\r\n]);\r\n\r\n// =============================================================================\r\n// REDACTION\r\n// =============================================================================\r\nexport const REDACTION = {\r\n /** Replacement text for redacted values */\r\n REPLACEMENT: '[REDACTED]',\r\n /** Truncation indicator */\r\n TRUNCATED: '[TRUNCATED]',\r\n /** Max depth indicator */\r\n MAX_DEPTH: '[MAX_DEPTH]',\r\n /** Default max message length */\r\n DEFAULT_MAX_LENGTH: 10_000,\r\n /** Default sensitive keys to redact */\r\n SENSITIVE_KEYS: new Set([\r\n 'password', 'passwd', 'pwd', 'secret', 'token', 'apikey',\r\n 'api_key', 'apiKey', 'auth', 'authorization', 'credit_card',\r\n 'creditcard', 'cc', 'ssn', 'social_security', 'private_key',\r\n 'privateKey', 'access_token', 'accessToken', 'refresh_token',\r\n 'refreshToken', 'bearer', 'jwt', 'session', 'cookie',\r\n 'credentials', 'x-api-key', 'x-auth-token',\r\n ]),\r\n} as const;\r\n\r\n// =============================================================================\r\n// VALIDATION PATTERNS\r\n// =============================================================================\r\nexport const VALIDATION = {\r\n /**\r\n * Email regex pattern.\r\n * Rejects consecutive dots in local part (e.g. test..foo@example.com),\r\n * leading/trailing dots, and other common invalid forms.\r\n */\r\n EMAIL: /^[^\\s@.][^\\s@]*(?:\\.[^\\s@.][^\\s@]*)*@[^\\s@]+\\.[^\\s@]+$/,\r\n /**\r\n * URL regex pattern.\r\n * Only allows http:// and https:// — explicitly rejects javascript:,\r\n * data:, vbscript:, and other dangerous URI schemes.\r\n */\r\n URL: /^https?:\\/\\/[^\\s/$.?#][^\\s]*$/,\r\n /** UUID regex pattern (v4) */\r\n UUID: /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i,\r\n} as const;\r\n\r\n// =============================================================================\r\n// ERROR MESSAGES\r\n// =============================================================================\r\nexport const ERRORS = {\r\n /** Generic error message (production) */\r\n INTERNAL_SERVER_ERROR: 'Internal Server Error',\r\n /** Input too large error */\r\n INPUT_TOO_LARGE: (maxSize: number) => `Input exceeds maximum size of ${maxSize} bytes`,\r\n /** Validation error messages */\r\n VALIDATION: {\r\n REQUIRED: (field: string) => `${field} is required`,\r\n INVALID_TYPE: (field: string, type: string) => `${field} must be a ${type}`,\r\n MIN_LENGTH: (field: string, min: number) => `${field} must be at least ${min} characters`,\r\n MAX_LENGTH: (field: string, max: number) => `${field} must be at most ${max} characters`,\r\n MIN_VALUE: (field: string, min: number) => `${field} must be at least ${min}`,\r\n MAX_VALUE: (field: string, max: number) => `${field} must be at most ${max}`,\r\n INVALID_FORMAT: (field: string) => `${field} format is invalid`,\r\n INVALID_EMAIL: (field: string) => `${field} must be a valid email`,\r\n INVALID_URL: (field: string) => `${field} must be a valid URL`,\r\n INVALID_UUID: (field: string) => `${field} must be a valid UUID`,\r\n INVALID_ENUM: (field: string, values: unknown[]) => `${field} must be one of: ${values.join(', ')}`,\r\n MIN_ITEMS: (field: string, min: number) => `${field} must have at least ${min} items`,\r\n MAX_ITEMS: (field: string, max: number) => `${field} must have at most ${max} items`,\r\n },\r\n} as const;\r\n\r\n// =============================================================================\r\n// BLOCKED TEXT (for sanitizer replacements)\r\n// =============================================================================\r\nexport const BLOCKED = '[BLOCKED]' as const;\r\n","/**\r\n * @module @arcis/node/logging/redactor\r\n * Safe logging with PII/secret redaction\r\n */\r\n\r\nimport { REDACTION, INPUT } from '../core/constants';\r\nimport type { LogOptions, SafeLogger } from '../core/types';\r\n\r\n/**\r\n * Create a safe logger that redacts sensitive data and prevents log injection.\r\n * \r\n * @param options - Logger configuration\r\n * @returns SafeLogger instance\r\n * \r\n * @example\r\n * const logger = createSafeLogger();\r\n * logger.info('User login', { email: 'user@test.com', password: 'secret' });\r\n * // Logs: { \"email\": \"user@test.com\", \"password\": \"[REDACTED]\" }\r\n * \r\n * @example\r\n * // With custom redact keys\r\n * const logger = createSafeLogger({ redactKeys: ['customToken', 'internalId'] });\r\n */\r\nexport function createSafeLogger(options: LogOptions = {}): SafeLogger {\r\n const { \r\n redactKeys = [], \r\n maxLength = REDACTION.DEFAULT_MAX_LENGTH,\r\n redactPatterns = [],\r\n } = options;\r\n\r\n // Combine default and custom keys (lowercase for case-insensitive matching)\r\n const allRedactKeys = new Set([\r\n ...Array.from(REDACTION.SENSITIVE_KEYS),\r\n ...redactKeys.map(k => k.toLowerCase()),\r\n ]);\r\n\r\n /**\r\n * Redact sensitive data from an object recursively.\r\n */\r\n function redact(obj: unknown, depth = 0): unknown {\r\n if (depth > INPUT.MAX_RECURSION_DEPTH) return REDACTION.MAX_DEPTH;\r\n if (obj === null || obj === undefined) return obj;\r\n\r\n if (typeof obj === 'string') {\r\n return redactString(obj, maxLength, redactPatterns);\r\n }\r\n\r\n if (typeof obj !== 'object') return obj;\r\n\r\n if (Array.isArray(obj)) {\r\n return obj.map(item => redact(item, depth + 1));\r\n }\r\n\r\n const result: Record<string, unknown> = {};\r\n for (const [key, value] of Object.entries(obj as Record<string, unknown>)) {\r\n if (allRedactKeys.has(key.toLowerCase())) {\r\n result[key] = REDACTION.REPLACEMENT;\r\n } else {\r\n result[key] = redact(value, depth + 1);\r\n }\r\n }\r\n return result;\r\n }\r\n\r\n /**\r\n * Log a message at the specified level.\r\n */\r\n function log(level: string, message: string, data?: unknown): void {\r\n const entry: Record<string, unknown> = {\r\n timestamp: new Date().toISOString(),\r\n level,\r\n message: redactString(message, maxLength, redactPatterns),\r\n };\r\n \r\n if (data !== undefined) {\r\n entry.data = redact(data);\r\n }\r\n \r\n console.log(JSON.stringify(entry));\r\n }\r\n\r\n return {\r\n log,\r\n info: (msg: string, data?: unknown) => log('info', msg, data),\r\n warn: (msg: string, data?: unknown) => log('warn', msg, data),\r\n error: (msg: string, data?: unknown) => log('error', msg, data),\r\n debug: (msg: string, data?: unknown) => log('debug', msg, data),\r\n };\r\n}\r\n\r\n/**\r\n * Redact a string value.\r\n * Removes newlines (log injection prevention), applies patterns, and truncates.\r\n */\r\nfunction redactString(str: string, maxLength: number, patterns: RegExp[]): string {\r\n // Remove newlines/tabs (log injection prevention) and genuine control characters.\r\n // Only strip C0/C1 control chars and null bytes — preserve all printable Unicode\r\n // (CJK, Cyrillic, Arabic, etc.) so multilingual content isn't silently lost.\r\n let safe = str\r\n .replace(/[\\r\\n\\t]/g, ' ')\r\n .replace(/[\\x00-\\x08\\x0B\\x0C\\x0E-\\x1F\\x7F\\x80-\\x9F]/g, '');\r\n\r\n // Apply custom redaction patterns\r\n for (const pattern of patterns) {\r\n safe = safe.replace(pattern, REDACTION.REPLACEMENT);\r\n }\r\n\r\n // Truncate if too long\r\n if (safe.length > maxLength) {\r\n safe = safe.substring(0, maxLength) + `...${REDACTION.TRUNCATED}`;\r\n }\r\n\r\n return safe;\r\n}\r\n\r\n/**\r\n * Create a redactor function for custom use.\r\n * \r\n * @param sensitiveKeys - Keys to redact\r\n * @returns Redactor function\r\n */\r\nexport function createRedactor(sensitiveKeys: string[] = []): (obj: unknown) => unknown {\r\n const allKeys = new Set([\r\n ...Array.from(REDACTION.SENSITIVE_KEYS),\r\n ...sensitiveKeys.map(k => k.toLowerCase()),\r\n ]);\r\n\r\n function redact(obj: unknown, depth = 0): unknown {\r\n if (depth > INPUT.MAX_RECURSION_DEPTH) return REDACTION.MAX_DEPTH;\r\n if (obj === null || obj === undefined) return obj;\r\n if (typeof obj !== 'object') return obj;\r\n\r\n if (Array.isArray(obj)) {\r\n return obj.map(item => redact(item, depth + 1));\r\n }\r\n\r\n const result: Record<string, unknown> = {};\r\n for (const [key, value] of Object.entries(obj as Record<string, unknown>)) {\r\n if (allKeys.has(key.toLowerCase())) {\r\n result[key] = REDACTION.REPLACEMENT;\r\n } else {\r\n result[key] = redact(value, depth + 1);\r\n }\r\n }\r\n return result;\r\n }\r\n\r\n return redact;\r\n}\r\n\r\n/**\r\n * Alias for createSafeLogger\r\n * @see createSafeLogger\r\n */\r\nexport const safeLog = createSafeLogger;\r\n"]}
1
+ {"version":3,"sources":["../../src/core/constants.ts","../../src/logging/redactor.ts"],"names":[],"mappings":";;;AAQO,IAAM,KAAA,GAAQ;AAAA,EAED;AAAA,EAElB,mBAAA,EAAqB;AACvB,CAAA;AA2OO,IAAM,SAAA,GAAY;AAAA;AAAA,EAEvB,WAAA,EAAa,YAAA;AAAA;AAAA,EAEb,SAAA,EAAW,aAAA;AAAA;AAAA,EAEX,SAAA,EAAW,aAAA;AAAA;AAAA,EAEX,kBAAA,EAAoB,GAAA;AAAA;AAAA,EAEpB,cAAA,sBAAoB,GAAA,CAAI;AAAA,IACtB,UAAA;AAAA,IAAY,QAAA;AAAA,IAAU,KAAA;AAAA,IAAO,QAAA;AAAA,IAAU,OAAA;AAAA,IAAS,QAAA;AAAA,IAChD,SAAA;AAAA,IAAW,QAAA;AAAA,IAAU,MAAA;AAAA,IAAQ,eAAA;AAAA,IAAiB,aAAA;AAAA,IAC9C,YAAA;AAAA,IAAc,IAAA;AAAA,IAAM,KAAA;AAAA,IAAO,iBAAA;AAAA,IAAmB,aAAA;AAAA,IAC9C,YAAA;AAAA,IAAc,cAAA;AAAA,IAAgB,aAAA;AAAA,IAAe,eAAA;AAAA,IAC7C,cAAA;AAAA,IAAgB,QAAA;AAAA,IAAU,KAAA;AAAA,IAAO,SAAA;AAAA,IAAW,QAAA;AAAA,IAC5C,aAAA;AAAA,IAAe,WAAA;AAAA,IAAa;AAAA,GAC7B;AACH,CAAA;;;AClQA,IAAM,UAAA,GAAqC;AAAA,EACzC,KAAA,EAAO,CAAA;AAAA,EACP,IAAA,EAAM,CAAA;AAAA,EACN,IAAA,EAAM,CAAA;AAAA,EACN,KAAA,EAAO,CAAA;AAAA,EACP,MAAA,EAAQ;AACV,CAAA;AAiBO,SAAS,gBAAA,CAAiB,OAAA,GAAsB,EAAC,EAAe;AACrE,EAAA,MAAM;AAAA,IACJ,aAAa,EAAC;AAAA,IACd,YAAY,SAAA,CAAU,kBAAA;AAAA,IACtB,iBAAiB,EAAC;AAAA,IAClB,OAAO,QAAA,GAAW;AAAA,GACpB,GAAI,OAAA;AAEJ,EAAA,MAAM,WAAA,GAAc,UAAA,CAAW,QAAQ,CAAA,IAAK,CAAA;AAG5C,EAAA,MAAM,aAAA,uBAAoB,GAAA,CAAI;AAAA,IAC5B,GAAG,KAAA,CAAM,IAAA,CAAK,SAAA,CAAU,cAAc,CAAA;AAAA,IACtC,GAAG,UAAA,CAAW,GAAA,CAAI,CAAA,CAAA,KAAK,CAAA,CAAE,aAAa;AAAA,GACvC,CAAA;AAKD,EAAA,SAAS,MAAA,CAAO,GAAA,EAAc,KAAA,GAAQ,CAAA,EAAY;AAChD,IAAA,IAAI,KAAA,GAAQ,KAAA,CAAM,mBAAA,EAAqB,OAAO,SAAA,CAAU,SAAA;AACxD,IAAA,IAAI,GAAA,KAAQ,IAAA,IAAQ,GAAA,KAAQ,MAAA,EAAW,OAAO,GAAA;AAE9C,IAAA,IAAI,OAAO,QAAQ,QAAA,EAAU;AAC3B,MAAA,OAAO,YAAA,CAAa,GAAA,EAAK,SAAA,EAAW,cAAc,CAAA;AAAA,IACpD;AAEA,IAAA,IAAI,OAAO,GAAA,KAAQ,QAAA,EAAU,OAAO,GAAA;AAEpC,IAAA,IAAI,KAAA,CAAM,OAAA,CAAQ,GAAG,CAAA,EAAG;AACtB,MAAA,OAAO,IAAI,GAAA,CAAI,CAAA,IAAA,KAAQ,OAAO,IAAA,EAAM,KAAA,GAAQ,CAAC,CAAC,CAAA;AAAA,IAChD;AAEA,IAAA,MAAM,SAAkC,EAAC;AACzC,IAAA,KAAA,MAAW,CAAC,GAAA,EAAK,KAAK,KAAK,MAAA,CAAO,OAAA,CAAQ,GAA8B,CAAA,EAAG;AACzE,MAAA,IAAI,aAAA,CAAc,GAAA,CAAI,GAAA,CAAI,WAAA,EAAa,CAAA,EAAG;AACxC,QAAA,MAAA,CAAO,GAAG,IAAI,SAAA,CAAU,WAAA;AAAA,MAC1B,CAAA,MAAO;AACL,QAAA,MAAA,CAAO,GAAG,CAAA,GAAI,MAAA,CAAO,KAAA,EAAO,QAAQ,CAAC,CAAA;AAAA,MACvC;AAAA,IACF;AACA,IAAA,OAAO,MAAA;AAAA,EACT;AAKA,EAAA,SAAS,GAAA,CAAI,KAAA,EAAe,OAAA,EAAiB,IAAA,EAAsB;AAEjE,IAAA,MAAM,QAAA,GAAW,UAAA,CAAW,KAAK,CAAA,IAAK,CAAA;AACtC,IAAA,IAAI,WAAW,WAAA,EAAa;AAE5B,IAAA,MAAM,KAAA,GAAiC;AAAA,MACrC,SAAA,EAAA,iBAAW,IAAI,IAAA,EAAK,EAAE,WAAA,EAAY;AAAA,MAClC,KAAA;AAAA,MACA,OAAA,EAAS,YAAA,CAAa,OAAA,EAAS,SAAA,EAAW,cAAc;AAAA,KAC1D;AAEA,IAAA,IAAI,SAAS,MAAA,EAAW;AACtB,MAAA,KAAA,CAAM,IAAA,GAAO,OAAO,IAAI,CAAA;AAAA,IAC1B;AAEA,IAAA,OAAA,CAAQ,GAAA,CAAI,IAAA,CAAK,SAAA,CAAU,KAAK,CAAC,CAAA;AAAA,EACnC;AAEA,EAAA,OAAO;AAAA,IACL,GAAA;AAAA,IACA,MAAM,CAAC,GAAA,EAAa,SAAmB,GAAA,CAAI,MAAA,EAAQ,KAAK,IAAI,CAAA;AAAA,IAC5D,MAAM,CAAC,GAAA,EAAa,SAAmB,GAAA,CAAI,MAAA,EAAQ,KAAK,IAAI,CAAA;AAAA,IAC5D,OAAO,CAAC,GAAA,EAAa,SAAmB,GAAA,CAAI,OAAA,EAAS,KAAK,IAAI,CAAA;AAAA,IAC9D,OAAO,CAAC,GAAA,EAAa,SAAmB,GAAA,CAAI,OAAA,EAAS,KAAK,IAAI;AAAA,GAChE;AACF;AAMA,SAAS,YAAA,CAAa,GAAA,EAAa,SAAA,EAAmB,QAAA,EAA4B;AAIhF,EAAA,IAAI,IAAA,GAAO,IACR,OAAA,CAAQ,WAAA,EAAa,GAAG,CAAA,CACxB,OAAA,CAAQ,8CAA8C,EAAE,CAAA;AAG3D,EAAA,KAAA,MAAW,WAAW,QAAA,EAAU;AAC9B,IAAA,IAAA,GAAO,IAAA,CAAK,OAAA,CAAQ,OAAA,EAAS,SAAA,CAAU,WAAW,CAAA;AAAA,EACpD;AAGA,EAAA,IAAI,IAAA,CAAK,SAAS,SAAA,EAAW;AAC3B,IAAA,IAAA,GAAO,KAAK,SAAA,CAAU,CAAA,EAAG,SAAS,CAAA,GAAI,CAAA,GAAA,EAAM,UAAU,SAAS,CAAA,CAAA;AAAA,EACjE;AAEA,EAAA,OAAO,IAAA;AACT;AAQO,SAAS,cAAA,CAAe,aAAA,GAA0B,EAAC,EAA8B;AACtF,EAAA,MAAM,OAAA,uBAAc,GAAA,CAAI;AAAA,IACtB,GAAG,KAAA,CAAM,IAAA,CAAK,SAAA,CAAU,cAAc,CAAA;AAAA,IACtC,GAAG,aAAA,CAAc,GAAA,CAAI,CAAA,CAAA,KAAK,CAAA,CAAE,aAAa;AAAA,GAC1C,CAAA;AAED,EAAA,SAAS,MAAA,CAAO,GAAA,EAAc,KAAA,GAAQ,CAAA,EAAY;AAChD,IAAA,IAAI,KAAA,GAAQ,KAAA,CAAM,mBAAA,EAAqB,OAAO,SAAA,CAAU,SAAA;AACxD,IAAA,IAAI,GAAA,KAAQ,IAAA,IAAQ,GAAA,KAAQ,MAAA,EAAW,OAAO,GAAA;AAC9C,IAAA,IAAI,OAAO,GAAA,KAAQ,QAAA,EAAU,OAAO,GAAA;AAEpC,IAAA,IAAI,KAAA,CAAM,OAAA,CAAQ,GAAG,CAAA,EAAG;AACtB,MAAA,OAAO,IAAI,GAAA,CAAI,CAAA,IAAA,KAAQ,OAAO,IAAA,EAAM,KAAA,GAAQ,CAAC,CAAC,CAAA;AAAA,IAChD;AAEA,IAAA,MAAM,SAAkC,EAAC;AACzC,IAAA,KAAA,MAAW,CAAC,GAAA,EAAK,KAAK,KAAK,MAAA,CAAO,OAAA,CAAQ,GAA8B,CAAA,EAAG;AACzE,MAAA,IAAI,OAAA,CAAQ,GAAA,CAAI,GAAA,CAAI,WAAA,EAAa,CAAA,EAAG;AAClC,QAAA,MAAA,CAAO,GAAG,IAAI,SAAA,CAAU,WAAA;AAAA,MAC1B,CAAA,MAAO;AACL,QAAA,MAAA,CAAO,GAAG,CAAA,GAAI,MAAA,CAAO,KAAA,EAAO,QAAQ,CAAC,CAAA;AAAA,MACvC;AAAA,IACF;AACA,IAAA,OAAO,MAAA;AAAA,EACT;AAEA,EAAA,OAAO,MAAA;AACT;AAMO,IAAM,OAAA,GAAU","file":"index.js","sourcesContent":["/**\n * @module @arcis/node/core/constants\n * Named constants for Arcis - no magic numbers\n */\n\n// =============================================================================\n// INPUT LIMITS\n// =============================================================================\nexport const INPUT = {\n /** Default maximum input size (1MB) */\n DEFAULT_MAX_SIZE: 1_000_000,\n /** Maximum recursion depth for nested objects */\n MAX_RECURSION_DEPTH: 10,\n} as const;\n\n// =============================================================================\n// RATE LIMITING\n// =============================================================================\nexport const RATE_LIMIT = {\n /** Default window size (1 minute) */\n DEFAULT_WINDOW_MS: 60_000,\n /** Default max requests per window */\n DEFAULT_MAX_REQUESTS: 100,\n /** Default HTTP status code for rate limited responses */\n DEFAULT_STATUS_CODE: 429,\n /** Default error message */\n DEFAULT_MESSAGE: 'Too many requests, please try again later.',\n /** Minimum window size (1 second) */\n MIN_WINDOW_MS: 1_000,\n /** Maximum window size (24 hours) */\n MAX_WINDOW_MS: 86_400_000,\n} as const;\n\n// =============================================================================\n// SECURITY HEADERS\n// =============================================================================\nexport const HEADERS = {\n /** Default Content Security Policy */\n DEFAULT_CSP: [\n \"default-src 'self'\",\n \"script-src 'self'\",\n \"style-src 'self' 'unsafe-inline'\",\n \"img-src 'self' data: https:\",\n \"font-src 'self'\",\n \"object-src 'none'\",\n \"frame-ancestors 'none'\",\n ].join('; '),\n /** Default HSTS max age (1 year in seconds) */\n HSTS_MAX_AGE: 31_536_000,\n /** Default X-Frame-Options value */\n FRAME_OPTIONS: 'DENY' as const,\n /** Default X-Content-Type-Options value */\n CONTENT_TYPE_OPTIONS: 'nosniff',\n /** Default Referrer-Policy value */\n REFERRER_POLICY: 'strict-origin-when-cross-origin',\n /** Default Permissions-Policy value */\n PERMISSIONS_POLICY: 'geolocation=(), microphone=(), camera=()',\n /** Default Cache-Control value for security */\n CACHE_CONTROL: 'no-store, no-cache, must-revalidate, proxy-revalidate',\n} as const;\n\n// =============================================================================\n// XSS PATTERNS (ReDoS-safe)\n// =============================================================================\n\n/**\n * Detection patterns — used to flag whether a string contains XSS payloads.\n * Must stay in sync with XSS_REMOVE_PATTERNS below.\n */\nexport const XSS_PATTERNS = [\n /** Script tags (ReDoS-safe version) */\n /<script[^>]*>[\\s\\S]*?<\\/script>/gi,\n /** javascript: protocol (allow optional spaces before colon) */\n /javascript\\s*:/gi,\n /** vbscript: protocol */\n /vbscript\\s*:/gi,\n /** Event handlers (onclick, onerror, etc.) — any separator before attribute */\n /(?:[\\s/])on\\w+\\s*=/gi,\n /** iframe tags */\n /<iframe/gi,\n /** object tags */\n /<object/gi,\n /** embed tags */\n /<embed/gi,\n /** data: URIs (only dangerous ones, avoid false positives) */\n /(?:^|[\\s\"'=])data:/gi,\n /** URL-encoded script tags */\n /%3Cscript/gi,\n /** SVG with onload */\n /<svg[^>]*onload/gi,\n] as const;\n\n/**\n * Removal patterns — used by sanitizeXss() to strip dangerous content.\n * More targeted than XSS_PATTERNS: each pattern captures the full dangerous\n * substring (tag, attribute + value, protocol) so it can be replaced safely.\n * Must stay in sync with XSS_PATTERNS above.\n */\nexport const XSS_REMOVE_PATTERNS = [\n /** Full script blocks (content + tags) */\n /<script[^>]*>[\\s\\S]*?<\\/script>/gi,\n /** Standalone/unclosed script tags */\n /<script[^>]*>/gi,\n /** iframe — full block and partial/unclosed */\n /<iframe[^>]*>[\\s\\S]*?<\\/iframe>/gi,\n /<iframe[^>]*/gi,\n /** object — full block and partial/unclosed */\n /<object[^>]*>[\\s\\S]*?<\\/object>/gi,\n /<object[^>]*/gi,\n /** embed tags */\n /<embed[^>]*/gi,\n /** SVG with inline event handlers */\n /<svg[^>]*onload[^>]*>/gi,\n /** URL-encoded script tags */\n /%3Cscript/gi,\n /** Event handlers with quoted values: onclick=\"...\", onerror='...' */\n /(?:[\\s/])on\\w+\\s*=\\s*[\"'][^\"']*[\"']/gi,\n /** Event handlers with unquoted values: onload=value */\n /(?:[\\s/])on\\w+\\s*=\\s*[^\\s>]*/gi,\n /** javascript: and vbscript: protocols (allow optional spaces before colon) */\n /javascript\\s*:/gi,\n /vbscript\\s*:/gi,\n /** data: URIs with HTML/script content */\n /data\\s*:\\s*text\\/html[^>\\s]*/gi,\n] as const;\n\n// =============================================================================\n// SQL INJECTION PATTERNS\n// =============================================================================\nexport const SQL_PATTERNS = [\n /** SQL keywords */\n /(\\b(SELECT|INSERT|UPDATE|DELETE|DROP|UNION|ALTER|CREATE|TRUNCATE|EXEC|EXECUTE)\\b)/gi,\n /** SQL comments: ANSI (--), C-style (slash-star ... star-slash), MySQL (#) */\n /(--|\\/\\*|\\*\\/|#)/g,\n /** SQL statement separators */\n /(;|\\|\\||&&)/g,\n /** Boolean injection: OR 1=1 */\n /\\bOR\\s+\\d+\\s*=\\s*\\d+/gi,\n /** Boolean injection: OR 'a'='a' or OR \"a\"=\"a\" (including mixed quotes) */\n /\\bOR\\s+(['\"])[^'\"]*\\1\\s*=\\s*(['\"])[^'\"]*\\2/gi,\n /\\bOR\\s+('[^']*'|\"[^\"]*\")\\s*=\\s*('[^']*'|\"[^\"]*\")/gi,\n /** Boolean injection: AND 1=1 */\n /\\bAND\\s+\\d+\\s*=\\s*\\d+/gi,\n /** Boolean injection: AND 'a'='a' or AND \"a\"=\"a\" (including mixed quotes) */\n /\\bAND\\s+(['\"])[^'\"]*\\1\\s*=\\s*(['\"])[^'\"]*\\2/gi,\n /\\bAND\\s+('[^']*'|\"[^\"]*\")\\s*=\\s*('[^']*'|\"[^\"]*\")/gi,\n /** Time-based blind: SLEEP() */\n /\\bSLEEP\\s*\\(\\s*\\d+\\s*\\)/gi,\n /** Time-based blind: BENCHMARK() */\n /\\bBENCHMARK\\s*\\(/gi,\n /** Time-based blind: PostgreSQL pg_sleep() */\n /\\bpg_sleep\\s*\\(/gi,\n /** Time-based blind: MSSQL WAITFOR DELAY */\n /\\bWAITFOR\\s+DELAY\\b/gi,\n] as const;\n\n// =============================================================================\n// PATH TRAVERSAL PATTERNS\n// =============================================================================\nexport const PATH_PATTERNS = [\n /** Unix path traversal */\n /\\.\\.\\//g,\n /** Windows path traversal */\n /\\.\\.\\\\/g,\n /** URL-encoded traversal (%2e%2e) */\n /%2e%2e/gi,\n /** Double URL-encoded traversal (%252e) */\n /%252e/gi,\n /** Mixed encoding: ..%2F */\n /\\.\\.%2F/gi,\n /** Mixed encoding: %2e./ and .%2e/ */\n /%2e\\.[\\\\/]/gi,\n /\\.%2e[\\\\/]/gi,\n /** Fully URL-encoded: %2e%2e%2f */\n /%2e%2e%2f/gi,\n /** Double URL-encoded forward slash: %252f */\n /%252f/gi,\n /** Dotdotslash bypass: ....// or ....\\\\ */\n /\\.{2,}[/\\\\]{2,}/g,\n /** Null byte injection in paths */\n /\\0/g,\n] as const;\n\n// =============================================================================\n// COMMAND INJECTION PATTERNS\n// =============================================================================\nexport const COMMAND_PATTERNS = [\n /**\n * Shell metacharacters that enable command chaining/substitution.\n * Bare ( and ) are excluded — they appear in common legitimate values\n * (function calls in code fields, math expressions, etc.).\n * Command substitution is caught by the $( combined pattern below.\n * NOTE: ';', '&', '|' may appear in legitimate URL query strings\n * and Markdown; consider disabling command checking (command: false)\n * for fields that intentionally allow those characters.\n */\n /[;&|`]/g,\n /** Command substitution: $( ... ) — matched as a pair to reduce false positives */\n /\\$\\(/g,\n /** URL-encoded newline/carriage-return injection (%0a, %0d) */\n /%0[ad]/gi,\n] as const;\n\n// =============================================================================\n// DANGEROUS KEYS\n// =============================================================================\n\n/**\n * Prototype pollution keys to block.\n * Stored lowercase — always compare with key.toLowerCase().\n *\n * Includes:\n * - __proto__: direct prototype assignment\n * - constructor: access to constructor.prototype chain\n * - prototype: direct prototype property\n * - __defineGetter__/__defineSetter__: legacy property definition (can override getters/setters)\n * - __lookupGetter__/__lookupSetter__: legacy property introspection\n */\nexport const DANGEROUS_PROTO_KEYS = new Set([\n '__proto__',\n 'constructor',\n 'prototype',\n '__definegetter__',\n '__definesetter__',\n '__lookupgetter__',\n '__lookupsetter__',\n]);\n\n/** MongoDB operators to block */\nexport const NOSQL_DANGEROUS_KEYS = new Set([\n // Comparison\n '$gt', '$gte', '$lt', '$lte', '$ne', '$eq', '$in', '$nin',\n // Logical\n '$and', '$or', '$not', '$nor',\n // Element / evaluation\n '$exists', '$type', '$regex', '$where', '$expr', '$mod', '$text', '$jsonSchema',\n // Array\n '$elemMatch', '$all', '$size',\n // JavaScript execution (critical)\n '$function', '$accumulator',\n // Aggregation pipeline operators (injectable via $lookup etc.)\n '$lookup', '$match', '$project', '$group', '$sort', '$limit', '$skip',\n '$unwind', '$addFields', '$replaceRoot',\n]);\n\n// =============================================================================\n// REDACTION\n// =============================================================================\nexport const REDACTION = {\n /** Replacement text for redacted values */\n REPLACEMENT: '[REDACTED]',\n /** Truncation indicator */\n TRUNCATED: '[TRUNCATED]',\n /** Max depth indicator */\n MAX_DEPTH: '[MAX_DEPTH]',\n /** Default max message length */\n DEFAULT_MAX_LENGTH: 10_000,\n /** Default sensitive keys to redact */\n SENSITIVE_KEYS: new Set([\n 'password', 'passwd', 'pwd', 'secret', 'token', 'apikey',\n 'api_key', 'apiKey', 'auth', 'authorization', 'credit_card',\n 'creditcard', 'cc', 'ssn', 'social_security', 'private_key',\n 'privateKey', 'access_token', 'accessToken', 'refresh_token',\n 'refreshToken', 'bearer', 'jwt', 'session', 'cookie',\n 'credentials', 'x-api-key', 'x-auth-token',\n ]),\n} as const;\n\n// =============================================================================\n// VALIDATION PATTERNS\n// =============================================================================\nexport const VALIDATION = {\n /**\n * Email regex pattern.\n * Rejects consecutive dots in local part (e.g. test..foo@example.com),\n * leading/trailing dots, and other common invalid forms.\n */\n EMAIL: /^[^\\s@.][^\\s@]*(?:\\.[^\\s@.][^\\s@]*)*@[^\\s@]+\\.[^\\s@]+$/,\n /**\n * URL regex pattern.\n * Only allows http:// and https:// — explicitly rejects javascript:,\n * data:, vbscript:, and other dangerous URI schemes.\n */\n URL: /^https?:\\/\\/[^\\s/$.?#][^\\s]*$/,\n /** UUID regex pattern (v4) */\n UUID: /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i,\n} as const;\n\n// =============================================================================\n// ERROR MESSAGES\n// =============================================================================\nexport const ERRORS = {\n /** Generic error message (production) */\n INTERNAL_SERVER_ERROR: 'Internal Server Error',\n /** Input too large error */\n INPUT_TOO_LARGE: (maxSize: number) => `Input exceeds maximum size of ${maxSize} bytes`,\n /** Validation error messages */\n VALIDATION: {\n REQUIRED: (field: string) => `${field} is required`,\n INVALID_TYPE: (field: string, type: string) => `${field} must be a ${type}`,\n MIN_LENGTH: (field: string, min: number) => `${field} must be at least ${min} characters`,\n MAX_LENGTH: (field: string, max: number) => `${field} must be at most ${max} characters`,\n MIN_VALUE: (field: string, min: number) => `${field} must be at least ${min}`,\n MAX_VALUE: (field: string, max: number) => `${field} must be at most ${max}`,\n INVALID_FORMAT: (field: string) => `${field} format is invalid`,\n INVALID_EMAIL: (field: string) => `${field} must be a valid email`,\n INVALID_URL: (field: string) => `${field} must be a valid URL`,\n INVALID_UUID: (field: string) => `${field} must be a valid UUID`,\n INVALID_ENUM: (field: string, values: unknown[]) => `${field} must be one of: ${values.join(', ')}`,\n MIN_ITEMS: (field: string, min: number) => `${field} must have at least ${min} items`,\n MAX_ITEMS: (field: string, max: number) => `${field} must have at most ${max} items`,\n },\n} as const;\n\n// =============================================================================\n// BLOCKED TEXT (for sanitizer replacements)\n// =============================================================================\nexport const BLOCKED = '[BLOCKED]' as const;\n","/**\n * @module @arcis/node/logging/redactor\n * Safe logging with PII/secret redaction\n */\n\nimport { REDACTION, INPUT } from '../core/constants';\nimport type { LogOptions, SafeLogger } from '../core/types';\n\nconst LOG_LEVELS: Record<string, number> = {\n debug: 0,\n info: 1,\n warn: 2,\n error: 3,\n silent: 4,\n};\n\n/**\n * Create a safe logger that redacts sensitive data and prevents log injection.\n * \n * @param options - Logger configuration\n * @returns SafeLogger instance\n * \n * @example\n * const logger = createSafeLogger();\n * logger.info('User login', { email: 'user@test.com', password: 'secret' });\n * // Logs: { \"email\": \"user@test.com\", \"password\": \"[REDACTED]\" }\n * \n * @example\n * // With custom redact keys\n * const logger = createSafeLogger({ redactKeys: ['customToken', 'internalId'] });\n */\nexport function createSafeLogger(options: LogOptions = {}): SafeLogger {\n const {\n redactKeys = [],\n maxLength = REDACTION.DEFAULT_MAX_LENGTH,\n redactPatterns = [],\n level: minLevel = 'debug',\n } = options;\n\n const minLevelNum = LOG_LEVELS[minLevel] ?? 0;\n\n // Combine default and custom keys (lowercase for case-insensitive matching)\n const allRedactKeys = new Set([\n ...Array.from(REDACTION.SENSITIVE_KEYS),\n ...redactKeys.map(k => k.toLowerCase()),\n ]);\n\n /**\n * Redact sensitive data from an object recursively.\n */\n function redact(obj: unknown, depth = 0): unknown {\n if (depth > INPUT.MAX_RECURSION_DEPTH) return REDACTION.MAX_DEPTH;\n if (obj === null || obj === undefined) return obj;\n\n if (typeof obj === 'string') {\n return redactString(obj, maxLength, redactPatterns);\n }\n\n if (typeof obj !== 'object') return obj;\n\n if (Array.isArray(obj)) {\n return obj.map(item => redact(item, depth + 1));\n }\n\n const result: Record<string, unknown> = {};\n for (const [key, value] of Object.entries(obj as Record<string, unknown>)) {\n if (allRedactKeys.has(key.toLowerCase())) {\n result[key] = REDACTION.REPLACEMENT;\n } else {\n result[key] = redact(value, depth + 1);\n }\n }\n return result;\n }\n\n /**\n * Log a message at the specified level.\n */\n function log(level: string, message: string, data?: unknown): void {\n // Early exit: skip all work if message level is below minimum\n const levelNum = LOG_LEVELS[level] ?? 0;\n if (levelNum < minLevelNum) return;\n\n const entry: Record<string, unknown> = {\n timestamp: new Date().toISOString(),\n level,\n message: redactString(message, maxLength, redactPatterns),\n };\n\n if (data !== undefined) {\n entry.data = redact(data);\n }\n\n console.log(JSON.stringify(entry));\n }\n\n return {\n log,\n info: (msg: string, data?: unknown) => log('info', msg, data),\n warn: (msg: string, data?: unknown) => log('warn', msg, data),\n error: (msg: string, data?: unknown) => log('error', msg, data),\n debug: (msg: string, data?: unknown) => log('debug', msg, data),\n };\n}\n\n/**\n * Redact a string value.\n * Removes newlines (log injection prevention), applies patterns, and truncates.\n */\nfunction redactString(str: string, maxLength: number, patterns: RegExp[]): string {\n // Remove newlines/tabs (log injection prevention) and genuine control characters.\n // Only strip C0/C1 control chars and null bytes — preserve all printable Unicode\n // (CJK, Cyrillic, Arabic, etc.) so multilingual content isn't silently lost.\n let safe = str\n .replace(/[\\r\\n\\t]/g, ' ')\n .replace(/[\\x00-\\x08\\x0B\\x0C\\x0E-\\x1F\\x7F\\x80-\\x9F]/g, '');\n\n // Apply custom redaction patterns\n for (const pattern of patterns) {\n safe = safe.replace(pattern, REDACTION.REPLACEMENT);\n }\n\n // Truncate if too long\n if (safe.length > maxLength) {\n safe = safe.substring(0, maxLength) + `...${REDACTION.TRUNCATED}`;\n }\n\n return safe;\n}\n\n/**\n * Create a redactor function for custom use.\n * \n * @param sensitiveKeys - Keys to redact\n * @returns Redactor function\n */\nexport function createRedactor(sensitiveKeys: string[] = []): (obj: unknown) => unknown {\n const allKeys = new Set([\n ...Array.from(REDACTION.SENSITIVE_KEYS),\n ...sensitiveKeys.map(k => k.toLowerCase()),\n ]);\n\n function redact(obj: unknown, depth = 0): unknown {\n if (depth > INPUT.MAX_RECURSION_DEPTH) return REDACTION.MAX_DEPTH;\n if (obj === null || obj === undefined) return obj;\n if (typeof obj !== 'object') return obj;\n\n if (Array.isArray(obj)) {\n return obj.map(item => redact(item, depth + 1));\n }\n\n const result: Record<string, unknown> = {};\n for (const [key, value] of Object.entries(obj as Record<string, unknown>)) {\n if (allKeys.has(key.toLowerCase())) {\n result[key] = REDACTION.REPLACEMENT;\n } else {\n result[key] = redact(value, depth + 1);\n }\n }\n return result;\n }\n\n return redact;\n}\n\n/**\n * Alias for createSafeLogger\n * @see createSafeLogger\n */\nexport const safeLog = createSafeLogger;\n"]}
package/dist/logging/index.mjs CHANGED
@@ -46,12 +46,21 @@ var REDACTION = {
46
46
  };
47
47
 
48
48
  // src/logging/redactor.ts
49
+ var LOG_LEVELS = {
50
+ debug: 0,
51
+ info: 1,
52
+ warn: 2,
53
+ error: 3,
54
+ silent: 4
55
+ };
49
56
  function createSafeLogger(options = {}) {
50
57
  const {
51
58
  redactKeys = [],
52
59
  maxLength = REDACTION.DEFAULT_MAX_LENGTH,
53
- redactPatterns = []
60
+ redactPatterns = [],
61
+ level: minLevel = "debug"
54
62
  } = options;
63
+ const minLevelNum = LOG_LEVELS[minLevel] ?? 0;
55
64
  const allRedactKeys = /* @__PURE__ */ new Set([
56
65
  ...Array.from(REDACTION.SENSITIVE_KEYS),
57
66
  ...redactKeys.map((k) => k.toLowerCase())
@@ -77,6 +86,8 @@ function createSafeLogger(options = {}) {
77
86
  return result;
78
87
  }
79
88
  function log(level, message, data) {
89
+ const levelNum = LOG_LEVELS[level] ?? 0;
90
+ if (levelNum < minLevelNum) return;
80
91
  const entry = {
81
92
  timestamp: (/* @__PURE__ */ new Date()).toISOString(),
82
93
  level,
package/dist/logging/index.mjs.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"sources":["../../src/core/constants.ts","../../src/logging/redactor.ts"],"names":[],"mappings":";AAQO,IAAM,KAAA,GAAQ;AAAA,EAED;AAAA,EAElB,mBAAA,EAAqB;AACvB,CAAA;AAiOO,IAAM,SAAA,GAAY;AAAA;AAAA,EAEvB,WAAA,EAAa,YAAA;AAAA;AAAA,EAEb,SAAA,EAAW,aAAA;AAAA;AAAA,EAEX,SAAA,EAAW,aAAA;AAAA;AAAA,EAEX,kBAAA,EAAoB,GAAA;AAAA;AAAA,EAEpB,cAAA,sBAAoB,GAAA,CAAI;AAAA,IACtB,UAAA;AAAA,IAAY,QAAA;AAAA,IAAU,KAAA;AAAA,IAAO,QAAA;AAAA,IAAU,OAAA;AAAA,IAAS,QAAA;AAAA,IAChD,SAAA;AAAA,IAAW,QAAA;AAAA,IAAU,MAAA;AAAA,IAAQ,eAAA;AAAA,IAAiB,aAAA;AAAA,IAC9C,YAAA;AAAA,IAAc,IAAA;AAAA,IAAM,KAAA;AAAA,IAAO,iBAAA;AAAA,IAAmB,aAAA;AAAA,IAC9C,YAAA;AAAA,IAAc,cAAA;AAAA,IAAgB,aAAA;AAAA,IAAe,eAAA;AAAA,IAC7C,cAAA;AAAA,IAAgB,QAAA;AAAA,IAAU,KAAA;AAAA,IAAO,SAAA;AAAA,IAAW,QAAA;AAAA,IAC5C,aAAA;AAAA,IAAe,WAAA;AAAA,IAAa;AAAA,GAC7B;AACH,CAAA;;;ACzOO,SAAS,gBAAA,CAAiB,OAAA,GAAsB,EAAC,EAAe;AACrE,EAAA,MAAM;AAAA,IACJ,aAAa,EAAC;AAAA,IACd,YAAY,SAAA,CAAU,kBAAA;AAAA,IACtB,iBAAiB;AAAC,GACpB,GAAI,OAAA;AAGJ,EAAA,MAAM,aAAA,uBAAoB,GAAA,CAAI;AAAA,IAC5B,GAAG,KAAA,CAAM,IAAA,CAAK,SAAA,CAAU,cAAc,CAAA;AAAA,IACtC,GAAG,UAAA,CAAW,GAAA,CAAI,CAAA,CAAA,KAAK,CAAA,CAAE,aAAa;AAAA,GACvC,CAAA;AAKD,EAAA,SAAS,MAAA,CAAO,GAAA,EAAc,KAAA,GAAQ,CAAA,EAAY;AAChD,IAAA,IAAI,KAAA,GAAQ,KAAA,CAAM,mBAAA,EAAqB,OAAO,SAAA,CAAU,SAAA;AACxD,IAAA,IAAI,GAAA,KAAQ,IAAA,IAAQ,GAAA,KAAQ,MAAA,EAAW,OAAO,GAAA;AAE9C,IAAA,IAAI,OAAO,QAAQ,QAAA,EAAU;AAC3B,MAAA,OAAO,YAAA,CAAa,GAAA,EAAK,SAAA,EAAW,cAAc,CAAA;AAAA,IACpD;AAEA,IAAA,IAAI,OAAO,GAAA,KAAQ,QAAA,EAAU,OAAO,GAAA;AAEpC,IAAA,IAAI,KAAA,CAAM,OAAA,CAAQ,GAAG,CAAA,EAAG;AACtB,MAAA,OAAO,IAAI,GAAA,CAAI,CAAA,IAAA,KAAQ,OAAO,IAAA,EAAM,KAAA,GAAQ,CAAC,CAAC,CAAA;AAAA,IAChD;AAEA,IAAA,MAAM,SAAkC,EAAC;AACzC,IAAA,KAAA,MAAW,CAAC,GAAA,EAAK,KAAK,KAAK,MAAA,CAAO,OAAA,CAAQ,GAA8B,CAAA,EAAG;AACzE,MAAA,IAAI,aAAA,CAAc,GAAA,CAAI,GAAA,CAAI,WAAA,EAAa,CAAA,EAAG;AACxC,QAAA,MAAA,CAAO,GAAG,IAAI,SAAA,CAAU,WAAA;AAAA,MAC1B,CAAA,MAAO;AACL,QAAA,MAAA,CAAO,GAAG,CAAA,GAAI,MAAA,CAAO,KAAA,EAAO,QAAQ,CAAC,CAAA;AAAA,MACvC;AAAA,IACF;AACA,IAAA,OAAO,MAAA;AAAA,EACT;AAKA,EAAA,SAAS,GAAA,CAAI,KAAA,EAAe,OAAA,EAAiB,IAAA,EAAsB;AACjE,IAAA,MAAM,KAAA,GAAiC;AAAA,MACrC,SAAA,EAAA,iBAAW,IAAI,IAAA,EAAK,EAAE,WAAA,EAAY;AAAA,MAClC,KAAA;AAAA,MACA,OAAA,EAAS,YAAA,CAAa,OAAA,EAAS,SAAA,EAAW,cAAc;AAAA,KAC1D;AAEA,IAAA,IAAI,SAAS,MAAA,EAAW;AACtB,MAAA,KAAA,CAAM,IAAA,GAAO,OAAO,IAAI,CAAA;AAAA,IAC1B;AAEA,IAAA,OAAA,CAAQ,GAAA,CAAI,IAAA,CAAK,SAAA,CAAU,KAAK,CAAC,CAAA;AAAA,EACnC;AAEA,EAAA,OAAO;AAAA,IACL,GAAA;AAAA,IACA,MAAM,CAAC,GAAA,EAAa,SAAmB,GAAA,CAAI,MAAA,EAAQ,KAAK,IAAI,CAAA;AAAA,IAC5D,MAAM,CAAC,GAAA,EAAa,SAAmB,GAAA,CAAI,MAAA,EAAQ,KAAK,IAAI,CAAA;AAAA,IAC5D,OAAO,CAAC,GAAA,EAAa,SAAmB,GAAA,CAAI,OAAA,EAAS,KAAK,IAAI,CAAA;AAAA,IAC9D,OAAO,CAAC,GAAA,EAAa,SAAmB,GAAA,CAAI,OAAA,EAAS,KAAK,IAAI;AAAA,GAChE;AACF;AAMA,SAAS,YAAA,CAAa,GAAA,EAAa,SAAA,EAAmB,QAAA,EAA4B;AAIhF,EAAA,IAAI,IAAA,GAAO,IACR,OAAA,CAAQ,WAAA,EAAa,GAAG,CAAA,CACxB,OAAA,CAAQ,8CAA8C,EAAE,CAAA;AAG3D,EAAA,KAAA,MAAW,WAAW,QAAA,EAAU;AAC9B,IAAA,IAAA,GAAO,IAAA,CAAK,OAAA,CAAQ,OAAA,EAAS,SAAA,CAAU,WAAW,CAAA;AAAA,EACpD;AAGA,EAAA,IAAI,IAAA,CAAK,SAAS,SAAA,EAAW;AAC3B,IAAA,IAAA,GAAO,KAAK,SAAA,CAAU,CAAA,EAAG,SAAS,CAAA,GAAI,CAAA,GAAA,EAAM,UAAU,SAAS,CAAA,CAAA;AAAA,EACjE;AAEA,EAAA,OAAO,IAAA;AACT;AAQO,SAAS,cAAA,CAAe,aAAA,GAA0B,EAAC,EAA8B;AACtF,EAAA,MAAM,OAAA,uBAAc,GAAA,CAAI;AAAA,IACtB,GAAG,KAAA,CAAM,IAAA,CAAK,SAAA,CAAU,cAAc,CAAA;AAAA,IACtC,GAAG,aAAA,CAAc,GAAA,CAAI,CAAA,CAAA,KAAK,CAAA,CAAE,aAAa;AAAA,GAC1C,CAAA;AAED,EAAA,SAAS,MAAA,CAAO,GAAA,EAAc,KAAA,GAAQ,CAAA,EAAY;AAChD,IAAA,IAAI,KAAA,GAAQ,KAAA,CAAM,mBAAA,EAAqB,OAAO,SAAA,CAAU,SAAA;AACxD,IAAA,IAAI,GAAA,KAAQ,IAAA,IAAQ,GAAA,KAAQ,MAAA,EAAW,OAAO,GAAA;AAC9C,IAAA,IAAI,OAAO,GAAA,KAAQ,QAAA,EAAU,OAAO,GAAA;AAEpC,IAAA,IAAI,KAAA,CAAM,OAAA,CAAQ,GAAG,CAAA,EAAG;AACtB,MAAA,OAAO,IAAI,GAAA,CAAI,CAAA,IAAA,KAAQ,OAAO,IAAA,EAAM,KAAA,GAAQ,CAAC,CAAC,CAAA;AAAA,IAChD;AAEA,IAAA,MAAM,SAAkC,EAAC;AACzC,IAAA,KAAA,MAAW,CAAC,GAAA,EAAK,KAAK,KAAK,MAAA,CAAO,OAAA,CAAQ,GAA8B,CAAA,EAAG;AACzE,MAAA,IAAI,OAAA,CAAQ,GAAA,CAAI,GAAA,CAAI,WAAA,EAAa,CAAA,EAAG;AAClC,QAAA,MAAA,CAAO,GAAG,IAAI,SAAA,CAAU,WAAA;AAAA,MAC1B,CAAA,MAAO;AACL,QAAA,MAAA,CAAO,GAAG,CAAA,GAAI,MAAA,CAAO,KAAA,EAAO,QAAQ,CAAC,CAAA;AAAA,MACvC;AAAA,IACF;AACA,IAAA,OAAO,MAAA;AAAA,EACT;AAEA,EAAA,OAAO,MAAA;AACT;AAMO,IAAM,OAAA,GAAU","file":"index.mjs","sourcesContent":["/**\r\n * @module @arcis/node/core/constants\r\n * Named constants for Arcis - no magic numbers\r\n */\r\n\r\n// =============================================================================\r\n// INPUT LIMITS\r\n// =============================================================================\r\nexport const INPUT = {\r\n /** Default maximum input size (1MB) */\r\n DEFAULT_MAX_SIZE: 1_000_000,\r\n /** Maximum recursion depth for nested objects */\r\n MAX_RECURSION_DEPTH: 10,\r\n} as const;\r\n\r\n// =============================================================================\r\n// RATE LIMITING\r\n// =============================================================================\r\nexport const RATE_LIMIT = {\r\n /** Default window size (1 minute) */\r\n DEFAULT_WINDOW_MS: 60_000,\r\n /** Default max requests per window */\r\n DEFAULT_MAX_REQUESTS: 100,\r\n /** Default HTTP status code for rate limited responses */\r\n DEFAULT_STATUS_CODE: 429,\r\n /** Default error message */\r\n DEFAULT_MESSAGE: 'Too many requests, please try again later.',\r\n /** Minimum window size (1 second) */\r\n MIN_WINDOW_MS: 1_000,\r\n /** Maximum window size (24 hours) */\r\n MAX_WINDOW_MS: 86_400_000,\r\n} as const;\r\n\r\n// =============================================================================\r\n// SECURITY HEADERS\r\n// =============================================================================\r\nexport const HEADERS = {\r\n /** Default Content Security Policy */\r\n DEFAULT_CSP: [\r\n \"default-src 'self'\",\r\n \"script-src 'self'\",\r\n \"style-src 'self' 'unsafe-inline'\",\r\n \"img-src 'self' data: https:\",\r\n \"font-src 'self'\",\r\n \"object-src 'none'\",\r\n \"frame-ancestors 'none'\",\r\n ].join('; '),\r\n /** Default HSTS max age (1 year in seconds) */\r\n HSTS_MAX_AGE: 31_536_000,\r\n /** Default X-Frame-Options value */\r\n FRAME_OPTIONS: 'DENY' as const,\r\n /** Default X-Content-Type-Options value */\r\n CONTENT_TYPE_OPTIONS: 'nosniff',\r\n /** Default Referrer-Policy value */\r\n REFERRER_POLICY: 'strict-origin-when-cross-origin',\r\n /** Default Permissions-Policy value */\r\n PERMISSIONS_POLICY: 'geolocation=(), microphone=(), camera=()',\r\n /** Default Cache-Control value for security */\r\n CACHE_CONTROL: 'no-store, no-cache, must-revalidate, proxy-revalidate',\r\n} as const;\r\n\r\n// =============================================================================\r\n// XSS PATTERNS (ReDoS-safe)\r\n// =============================================================================\r\n\r\n/**\r\n * Detection patterns — used to flag whether a string contains XSS payloads.\r\n * Must stay in sync with XSS_REMOVE_PATTERNS below.\r\n */\r\nexport const XSS_PATTERNS = [\r\n /** Script tags (ReDoS-safe version) */\r\n /<script[^>]*>[\\s\\S]*?<\\/script>/gi,\r\n /** javascript: protocol (allow optional spaces before colon) */\r\n /javascript\\s*:/gi,\r\n /** vbscript: protocol */\r\n /vbscript\\s*:/gi,\r\n /** Event handlers (onclick, onerror, etc.) — any separator before attribute */\r\n /(?:[\\s/])on\\w+\\s*=/gi,\r\n /** iframe tags */\r\n /<iframe/gi,\r\n /** object tags */\r\n /<object/gi,\r\n /** embed tags */\r\n /<embed/gi,\r\n /** data: URIs (only dangerous ones, avoid false positives) */\r\n /(?:^|[\\s\"'=])data:/gi,\r\n /** URL-encoded script tags */\r\n /%3Cscript/gi,\r\n /** SVG with onload */\r\n /<svg[^>]*onload/gi,\r\n] as const;\r\n\r\n/**\r\n * Removal patterns — used by sanitizeXss() to strip dangerous content.\r\n * More targeted than XSS_PATTERNS: each pattern captures the full dangerous\r\n * substring (tag, attribute + value, protocol) so it can be replaced safely.\r\n * Must stay in sync with XSS_PATTERNS above.\r\n */\r\nexport const XSS_REMOVE_PATTERNS = [\r\n /** Full script blocks (content + tags) */\r\n /<script[^>]*>[\\s\\S]*?<\\/script>/gi,\r\n /** Standalone/unclosed script tags */\r\n /<script[^>]*>/gi,\r\n /** iframe — full block and partial/unclosed */\r\n /<iframe[^>]*>[\\s\\S]*?<\\/iframe>/gi,\r\n /<iframe[^>]*/gi,\r\n /** object — full block and partial/unclosed */\r\n /<object[^>]*>[\\s\\S]*?<\\/object>/gi,\r\n /<object[^>]*/gi,\r\n /** embed tags */\r\n /<embed[^>]*/gi,\r\n /** SVG with inline event handlers */\r\n /<svg[^>]*onload[^>]*>/gi,\r\n /** URL-encoded script tags */\r\n /%3Cscript/gi,\r\n /** Event handlers with quoted values: onclick=\"...\", onerror='...' */\r\n /(?:[\\s/])on\\w+\\s*=\\s*[\"'][^\"']*[\"']/gi,\r\n /** Event handlers with unquoted values: onload=value */\r\n /(?:[\\s/])on\\w+\\s*=\\s*[^\\s>]*/gi,\r\n /** javascript: and vbscript: protocols (allow optional spaces before colon) */\r\n /javascript\\s*:/gi,\r\n /vbscript\\s*:/gi,\r\n /** data: URIs with HTML/script content */\r\n /data\\s*:\\s*text\\/html[^>\\s]*/gi,\r\n] as const;\r\n\r\n// =============================================================================\r\n// SQL INJECTION PATTERNS\r\n// =============================================================================\r\nexport const SQL_PATTERNS = [\r\n /** SQL keywords */\r\n /(\\b(SELECT|INSERT|UPDATE|DELETE|DROP|UNION|ALTER|CREATE|TRUNCATE|EXEC|EXECUTE)\\b)/gi,\r\n /** SQL comments: ANSI (--), C-style (slash-star ... star-slash), MySQL (#) */\r\n /(--|\\/\\*|\\*\\/|#)/g,\r\n /** SQL statement separators */\r\n /(;|\\|\\||&&)/g,\r\n /** Boolean injection: OR 1=1 */\r\n /\\bOR\\s+\\d+\\s*=\\s*\\d+/gi,\r\n /** Boolean injection: OR 'a'='a' or OR \"a\"=\"a\" (including mixed quotes) */\r\n /\\bOR\\s+(['\"])[^'\"]*\\1\\s*=\\s*(['\"])[^'\"]*\\2/gi,\r\n /\\bOR\\s+('[^']*'|\"[^\"]*\")\\s*=\\s*('[^']*'|\"[^\"]*\")/gi,\r\n /** Boolean injection: AND 1=1 */\r\n /\\bAND\\s+\\d+\\s*=\\s*\\d+/gi,\r\n /** Boolean injection: AND 'a'='a' or AND \"a\"=\"a\" (including mixed quotes) */\r\n /\\bAND\\s+(['\"])[^'\"]*\\1\\s*=\\s*(['\"])[^'\"]*\\2/gi,\r\n /\\bAND\\s+('[^']*'|\"[^\"]*\")\\s*=\\s*('[^']*'|\"[^\"]*\")/gi,\r\n /** Time-based blind: SLEEP() */\r\n /\\bSLEEP\\s*\\(\\s*\\d+\\s*\\)/gi,\r\n /** Time-based blind: BENCHMARK() */\r\n /\\bBENCHMARK\\s*\\(/gi,\r\n] as const;\r\n\r\n// =============================================================================\r\n// PATH TRAVERSAL PATTERNS\r\n// =============================================================================\r\nexport const PATH_PATTERNS = [\r\n /** Unix path traversal */\r\n /\\.\\.\\//g,\r\n /** Windows path traversal */\r\n /\\.\\.\\\\/g,\r\n /** URL-encoded traversal (%2e%2e) */\r\n /%2e%2e/gi,\r\n /** Double URL-encoded traversal (%252e) */\r\n /%252e/gi,\r\n /** Mixed encoding: ..%2F */\r\n /\\.\\.%2F/gi,\r\n /** Mixed encoding: %2e./ and .%2e/ */\r\n /%2e\\.[\\\\/]/gi,\r\n /\\.%2e[\\\\/]/gi,\r\n /** Fully URL-encoded: %2e%2e%2f */\r\n /%2e%2e%2f/gi,\r\n /** Null byte injection in paths */\r\n /\\0/g,\r\n] as const;\r\n\r\n// =============================================================================\r\n// COMMAND INJECTION PATTERNS\r\n// =============================================================================\r\nexport const COMMAND_PATTERNS = [\r\n /**\r\n * Shell metacharacters that enable command chaining/substitution.\r\n * Bare ( and ) are excluded — they appear in common legitimate values\r\n * (function calls in code fields, math expressions, etc.).\r\n * Command substitution is caught by the $( combined pattern below.\r\n * NOTE: ';', '&', '|' may appear in legitimate URL query strings\r\n * and Markdown; consider disabling command checking (command: false)\r\n * for fields that intentionally allow those characters.\r\n */\r\n /[;&|`]/g,\r\n /** Command substitution: $( ... ) — matched as a pair to reduce false positives */\r\n /\\$\\(/g,\r\n] as const;\r\n\r\n// =============================================================================\r\n// DANGEROUS KEYS\r\n// =============================================================================\r\n\r\n/**\r\n * Prototype pollution keys to block.\r\n * Stored lowercase — always compare with key.toLowerCase().\r\n *\r\n * Includes:\r\n * - __proto__: direct prototype assignment\r\n * - constructor: access to constructor.prototype chain\r\n * - prototype: direct prototype property\r\n * - __defineGetter__/__defineSetter__: legacy property definition (can override getters/setters)\r\n * - __lookupGetter__/__lookupSetter__: legacy property introspection\r\n */\r\nexport const DANGEROUS_PROTO_KEYS = new Set([\r\n '__proto__',\r\n 'constructor',\r\n 'prototype',\r\n '__definegetter__',\r\n '__definesetter__',\r\n '__lookupgetter__',\r\n '__lookupsetter__',\r\n]);\r\n\r\n/** MongoDB operators to block */\r\nexport const NOSQL_DANGEROUS_KEYS = new Set([\r\n // Comparison\r\n '$gt', '$gte', '$lt', '$lte', '$ne', '$eq', '$in', '$nin',\r\n // Logical\r\n '$and', '$or', '$not', '$nor',\r\n // Element / evaluation\r\n '$exists', '$type', '$regex', '$where', '$expr', '$mod', '$text',\r\n // Array\r\n '$elemMatch', '$all', '$size',\r\n // JavaScript execution (critical)\r\n '$function', '$accumulator',\r\n // Aggregation pipeline operators (injectable via $lookup etc.)\r\n '$lookup', '$match', '$project', '$group', '$sort', '$limit', '$skip',\r\n '$unwind', '$addFields', '$replaceRoot',\r\n]);\r\n\r\n// =============================================================================\r\n// REDACTION\r\n// =============================================================================\r\nexport const REDACTION = {\r\n /** Replacement text for redacted values */\r\n REPLACEMENT: '[REDACTED]',\r\n /** Truncation indicator */\r\n TRUNCATED: '[TRUNCATED]',\r\n /** Max depth indicator */\r\n MAX_DEPTH: '[MAX_DEPTH]',\r\n /** Default max message length */\r\n DEFAULT_MAX_LENGTH: 10_000,\r\n /** Default sensitive keys to redact */\r\n SENSITIVE_KEYS: new Set([\r\n 'password', 'passwd', 'pwd', 'secret', 'token', 'apikey',\r\n 'api_key', 'apiKey', 'auth', 'authorization', 'credit_card',\r\n 'creditcard', 'cc', 'ssn', 'social_security', 'private_key',\r\n 'privateKey', 'access_token', 'accessToken', 'refresh_token',\r\n 'refreshToken', 'bearer', 'jwt', 'session', 'cookie',\r\n 'credentials', 'x-api-key', 'x-auth-token',\r\n ]),\r\n} as const;\r\n\r\n// =============================================================================\r\n// VALIDATION PATTERNS\r\n// =============================================================================\r\nexport const VALIDATION = {\r\n /**\r\n * Email regex pattern.\r\n * Rejects consecutive dots in local part (e.g. test..foo@example.com),\r\n * leading/trailing dots, and other common invalid forms.\r\n */\r\n EMAIL: /^[^\\s@.][^\\s@]*(?:\\.[^\\s@.][^\\s@]*)*@[^\\s@]+\\.[^\\s@]+$/,\r\n /**\r\n * URL regex pattern.\r\n * Only allows http:// and https:// — explicitly rejects javascript:,\r\n * data:, vbscript:, and other dangerous URI schemes.\r\n */\r\n URL: /^https?:\\/\\/[^\\s/$.?#][^\\s]*$/,\r\n /** UUID regex pattern (v4) */\r\n UUID: /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i,\r\n} as const;\r\n\r\n// =============================================================================\r\n// ERROR MESSAGES\r\n// =============================================================================\r\nexport const ERRORS = {\r\n /** Generic error message (production) */\r\n INTERNAL_SERVER_ERROR: 'Internal Server Error',\r\n /** Input too large error */\r\n INPUT_TOO_LARGE: (maxSize: number) => `Input exceeds maximum size of ${maxSize} bytes`,\r\n /** Validation error messages */\r\n VALIDATION: {\r\n REQUIRED: (field: string) => `${field} is required`,\r\n INVALID_TYPE: (field: string, type: string) => `${field} must be a ${type}`,\r\n MIN_LENGTH: (field: string, min: number) => `${field} must be at least ${min} characters`,\r\n MAX_LENGTH: (field: string, max: number) => `${field} must be at most ${max} characters`,\r\n MIN_VALUE: (field: string, min: number) => `${field} must be at least ${min}`,\r\n MAX_VALUE: (field: string, max: number) => `${field} must be at most ${max}`,\r\n INVALID_FORMAT: (field: string) => `${field} format is invalid`,\r\n INVALID_EMAIL: (field: string) => `${field} must be a valid email`,\r\n INVALID_URL: (field: string) => `${field} must be a valid URL`,\r\n INVALID_UUID: (field: string) => `${field} must be a valid UUID`,\r\n INVALID_ENUM: (field: string, values: unknown[]) => `${field} must be one of: ${values.join(', ')}`,\r\n MIN_ITEMS: (field: string, min: number) => `${field} must have at least ${min} items`,\r\n MAX_ITEMS: (field: string, max: number) => `${field} must have at most ${max} items`,\r\n },\r\n} as const;\r\n\r\n// =============================================================================\r\n// BLOCKED TEXT (for sanitizer replacements)\r\n// =============================================================================\r\nexport const BLOCKED = '[BLOCKED]' as const;\r\n","/**\r\n * @module @arcis/node/logging/redactor\r\n * Safe logging with PII/secret redaction\r\n */\r\n\r\nimport { REDACTION, INPUT } from '../core/constants';\r\nimport type { LogOptions, SafeLogger } from '../core/types';\r\n\r\n/**\r\n * Create a safe logger that redacts sensitive data and prevents log injection.\r\n * \r\n * @param options - Logger configuration\r\n * @returns SafeLogger instance\r\n * \r\n * @example\r\n * const logger = createSafeLogger();\r\n * logger.info('User login', { email: 'user@test.com', password: 'secret' });\r\n * // Logs: { \"email\": \"user@test.com\", \"password\": \"[REDACTED]\" }\r\n * \r\n * @example\r\n * // With custom redact keys\r\n * const logger = createSafeLogger({ redactKeys: ['customToken', 'internalId'] });\r\n */\r\nexport function createSafeLogger(options: LogOptions = {}): SafeLogger {\r\n const { \r\n redactKeys = [], \r\n maxLength = REDACTION.DEFAULT_MAX_LENGTH,\r\n redactPatterns = [],\r\n } = options;\r\n\r\n // Combine default and custom keys (lowercase for case-insensitive matching)\r\n const allRedactKeys = new Set([\r\n ...Array.from(REDACTION.SENSITIVE_KEYS),\r\n ...redactKeys.map(k => k.toLowerCase()),\r\n ]);\r\n\r\n /**\r\n * Redact sensitive data from an object recursively.\r\n */\r\n function redact(obj: unknown, depth = 0): unknown {\r\n if (depth > INPUT.MAX_RECURSION_DEPTH) return REDACTION.MAX_DEPTH;\r\n if (obj === null || obj === undefined) return obj;\r\n\r\n if (typeof obj === 'string') {\r\n return redactString(obj, maxLength, redactPatterns);\r\n }\r\n\r\n if (typeof obj !== 'object') return obj;\r\n\r\n if (Array.isArray(obj)) {\r\n return obj.map(item => redact(item, depth + 1));\r\n }\r\n\r\n const result: Record<string, unknown> = {};\r\n for (const [key, value] of Object.entries(obj as Record<string, unknown>)) {\r\n if (allRedactKeys.has(key.toLowerCase())) {\r\n result[key] = REDACTION.REPLACEMENT;\r\n } else {\r\n result[key] = redact(value, depth + 1);\r\n }\r\n }\r\n return result;\r\n }\r\n\r\n /**\r\n * Log a message at the specified level.\r\n */\r\n function log(level: string, message: string, data?: unknown): void {\r\n const entry: Record<string, unknown> = {\r\n timestamp: new Date().toISOString(),\r\n level,\r\n message: redactString(message, maxLength, redactPatterns),\r\n };\r\n \r\n if (data !== undefined) {\r\n entry.data = redact(data);\r\n }\r\n \r\n console.log(JSON.stringify(entry));\r\n }\r\n\r\n return {\r\n log,\r\n info: (msg: string, data?: unknown) => log('info', msg, data),\r\n warn: (msg: string, data?: unknown) => log('warn', msg, data),\r\n error: (msg: string, data?: unknown) => log('error', msg, data),\r\n debug: (msg: string, data?: unknown) => log('debug', msg, data),\r\n };\r\n}\r\n\r\n/**\r\n * Redact a string value.\r\n * Removes newlines (log injection prevention), applies patterns, and truncates.\r\n */\r\nfunction redactString(str: string, maxLength: number, patterns: RegExp[]): string {\r\n // Remove newlines/tabs (log injection prevention) and genuine control characters.\r\n // Only strip C0/C1 control chars and null bytes — preserve all printable Unicode\r\n // (CJK, Cyrillic, Arabic, etc.) so multilingual content isn't silently lost.\r\n let safe = str\r\n .replace(/[\\r\\n\\t]/g, ' ')\r\n .replace(/[\\x00-\\x08\\x0B\\x0C\\x0E-\\x1F\\x7F\\x80-\\x9F]/g, '');\r\n\r\n // Apply custom redaction patterns\r\n for (const pattern of patterns) {\r\n safe = safe.replace(pattern, REDACTION.REPLACEMENT);\r\n }\r\n\r\n // Truncate if too long\r\n if (safe.length > maxLength) {\r\n safe = safe.substring(0, maxLength) + `...${REDACTION.TRUNCATED}`;\r\n }\r\n\r\n return safe;\r\n}\r\n\r\n/**\r\n * Create a redactor function for custom use.\r\n * \r\n * @param sensitiveKeys - Keys to redact\r\n * @returns Redactor function\r\n */\r\nexport function createRedactor(sensitiveKeys: string[] = []): (obj: unknown) => unknown {\r\n const allKeys = new Set([\r\n ...Array.from(REDACTION.SENSITIVE_KEYS),\r\n ...sensitiveKeys.map(k => k.toLowerCase()),\r\n ]);\r\n\r\n function redact(obj: unknown, depth = 0): unknown {\r\n if (depth > INPUT.MAX_RECURSION_DEPTH) return REDACTION.MAX_DEPTH;\r\n if (obj === null || obj === undefined) return obj;\r\n if (typeof obj !== 'object') return obj;\r\n\r\n if (Array.isArray(obj)) {\r\n return obj.map(item => redact(item, depth + 1));\r\n }\r\n\r\n const result: Record<string, unknown> = {};\r\n for (const [key, value] of Object.entries(obj as Record<string, unknown>)) {\r\n if (allKeys.has(key.toLowerCase())) {\r\n result[key] = REDACTION.REPLACEMENT;\r\n } else {\r\n result[key] = redact(value, depth + 1);\r\n }\r\n }\r\n return result;\r\n }\r\n\r\n return redact;\r\n}\r\n\r\n/**\r\n * Alias for createSafeLogger\r\n * @see createSafeLogger\r\n */\r\nexport const safeLog = createSafeLogger;\r\n"]}
1
+ {"version":3,"sources":["../../src/core/constants.ts","../../src/logging/redactor.ts"],"names":[],"mappings":";AAQO,IAAM,KAAA,GAAQ;AAAA,EAED;AAAA,EAElB,mBAAA,EAAqB;AACvB,CAAA;AA2OO,IAAM,SAAA,GAAY;AAAA;AAAA,EAEvB,WAAA,EAAa,YAAA;AAAA;AAAA,EAEb,SAAA,EAAW,aAAA;AAAA;AAAA,EAEX,SAAA,EAAW,aAAA;AAAA;AAAA,EAEX,kBAAA,EAAoB,GAAA;AAAA;AAAA,EAEpB,cAAA,sBAAoB,GAAA,CAAI;AAAA,IACtB,UAAA;AAAA,IAAY,QAAA;AAAA,IAAU,KAAA;AAAA,IAAO,QAAA;AAAA,IAAU,OAAA;AAAA,IAAS,QAAA;AAAA,IAChD,SAAA;AAAA,IAAW,QAAA;AAAA,IAAU,MAAA;AAAA,IAAQ,eAAA;AAAA,IAAiB,aAAA;AAAA,IAC9C,YAAA;AAAA,IAAc,IAAA;AAAA,IAAM,KAAA;AAAA,IAAO,iBAAA;AAAA,IAAmB,aAAA;AAAA,IAC9C,YAAA;AAAA,IAAc,cAAA;AAAA,IAAgB,aAAA;AAAA,IAAe,eAAA;AAAA,IAC7C,cAAA;AAAA,IAAgB,QAAA;AAAA,IAAU,KAAA;AAAA,IAAO,SAAA;AAAA,IAAW,QAAA;AAAA,IAC5C,aAAA;AAAA,IAAe,WAAA;AAAA,IAAa;AAAA,GAC7B;AACH,CAAA;;;AClQA,IAAM,UAAA,GAAqC;AAAA,EACzC,KAAA,EAAO,CAAA;AAAA,EACP,IAAA,EAAM,CAAA;AAAA,EACN,IAAA,EAAM,CAAA;AAAA,EACN,KAAA,EAAO,CAAA;AAAA,EACP,MAAA,EAAQ;AACV,CAAA;AAiBO,SAAS,gBAAA,CAAiB,OAAA,GAAsB,EAAC,EAAe;AACrE,EAAA,MAAM;AAAA,IACJ,aAAa,EAAC;AAAA,IACd,YAAY,SAAA,CAAU,kBAAA;AAAA,IACtB,iBAAiB,EAAC;AAAA,IAClB,OAAO,QAAA,GAAW;AAAA,GACpB,GAAI,OAAA;AAEJ,EAAA,MAAM,WAAA,GAAc,UAAA,CAAW,QAAQ,CAAA,IAAK,CAAA;AAG5C,EAAA,MAAM,aAAA,uBAAoB,GAAA,CAAI;AAAA,IAC5B,GAAG,KAAA,CAAM,IAAA,CAAK,SAAA,CAAU,cAAc,CAAA;AAAA,IACtC,GAAG,UAAA,CAAW,GAAA,CAAI,CAAA,CAAA,KAAK,CAAA,CAAE,aAAa;AAAA,GACvC,CAAA;AAKD,EAAA,SAAS,MAAA,CAAO,GAAA,EAAc,KAAA,GAAQ,CAAA,EAAY;AAChD,IAAA,IAAI,KAAA,GAAQ,KAAA,CAAM,mBAAA,EAAqB,OAAO,SAAA,CAAU,SAAA;AACxD,IAAA,IAAI,GAAA,KAAQ,IAAA,IAAQ,GAAA,KAAQ,MAAA,EAAW,OAAO,GAAA;AAE9C,IAAA,IAAI,OAAO,QAAQ,QAAA,EAAU;AAC3B,MAAA,OAAO,YAAA,CAAa,GAAA,EAAK,SAAA,EAAW,cAAc,CAAA;AAAA,IACpD;AAEA,IAAA,IAAI,OAAO,GAAA,KAAQ,QAAA,EAAU,OAAO,GAAA;AAEpC,IAAA,IAAI,KAAA,CAAM,OAAA,CAAQ,GAAG,CAAA,EAAG;AACtB,MAAA,OAAO,IAAI,GAAA,CAAI,CAAA,IAAA,KAAQ,OAAO,IAAA,EAAM,KAAA,GAAQ,CAAC,CAAC,CAAA;AAAA,IAChD;AAEA,IAAA,MAAM,SAAkC,EAAC;AACzC,IAAA,KAAA,MAAW,CAAC,GAAA,EAAK,KAAK,KAAK,MAAA,CAAO,OAAA,CAAQ,GAA8B,CAAA,EAAG;AACzE,MAAA,IAAI,aAAA,CAAc,GAAA,CAAI,GAAA,CAAI,WAAA,EAAa,CAAA,EAAG;AACxC,QAAA,MAAA,CAAO,GAAG,IAAI,SAAA,CAAU,WAAA;AAAA,MAC1B,CAAA,MAAO;AACL,QAAA,MAAA,CAAO,GAAG,CAAA,GAAI,MAAA,CAAO,KAAA,EAAO,QAAQ,CAAC,CAAA;AAAA,MACvC;AAAA,IACF;AACA,IAAA,OAAO,MAAA;AAAA,EACT;AAKA,EAAA,SAAS,GAAA,CAAI,KAAA,EAAe,OAAA,EAAiB,IAAA,EAAsB;AAEjE,IAAA,MAAM,QAAA,GAAW,UAAA,CAAW,KAAK,CAAA,IAAK,CAAA;AACtC,IAAA,IAAI,WAAW,WAAA,EAAa;AAE5B,IAAA,MAAM,KAAA,GAAiC;AAAA,MACrC,SAAA,EAAA,iBAAW,IAAI,IAAA,EAAK,EAAE,WAAA,EAAY;AAAA,MAClC,KAAA;AAAA,MACA,OAAA,EAAS,YAAA,CAAa,OAAA,EAAS,SAAA,EAAW,cAAc;AAAA,KAC1D;AAEA,IAAA,IAAI,SAAS,MAAA,EAAW;AACtB,MAAA,KAAA,CAAM,IAAA,GAAO,OAAO,IAAI,CAAA;AAAA,IAC1B;AAEA,IAAA,OAAA,CAAQ,GAAA,CAAI,IAAA,CAAK,SAAA,CAAU,KAAK,CAAC,CAAA;AAAA,EACnC;AAEA,EAAA,OAAO;AAAA,IACL,GAAA;AAAA,IACA,MAAM,CAAC,GAAA,EAAa,SAAmB,GAAA,CAAI,MAAA,EAAQ,KAAK,IAAI,CAAA;AAAA,IAC5D,MAAM,CAAC,GAAA,EAAa,SAAmB,GAAA,CAAI,MAAA,EAAQ,KAAK,IAAI,CAAA;AAAA,IAC5D,OAAO,CAAC,GAAA,EAAa,SAAmB,GAAA,CAAI,OAAA,EAAS,KAAK,IAAI,CAAA;AAAA,IAC9D,OAAO,CAAC,GAAA,EAAa,SAAmB,GAAA,CAAI,OAAA,EAAS,KAAK,IAAI;AAAA,GAChE;AACF;AAMA,SAAS,YAAA,CAAa,GAAA,EAAa,SAAA,EAAmB,QAAA,EAA4B;AAIhF,EAAA,IAAI,IAAA,GAAO,IACR,OAAA,CAAQ,WAAA,EAAa,GAAG,CAAA,CACxB,OAAA,CAAQ,8CAA8C,EAAE,CAAA;AAG3D,EAAA,KAAA,MAAW,WAAW,QAAA,EAAU;AAC9B,IAAA,IAAA,GAAO,IAAA,CAAK,OAAA,CAAQ,OAAA,EAAS,SAAA,CAAU,WAAW,CAAA;AAAA,EACpD;AAGA,EAAA,IAAI,IAAA,CAAK,SAAS,SAAA,EAAW;AAC3B,IAAA,IAAA,GAAO,KAAK,SAAA,CAAU,CAAA,EAAG,SAAS,CAAA,GAAI,CAAA,GAAA,EAAM,UAAU,SAAS,CAAA,CAAA;AAAA,EACjE;AAEA,EAAA,OAAO,IAAA;AACT;AAQO,SAAS,cAAA,CAAe,aAAA,GAA0B,EAAC,EAA8B;AACtF,EAAA,MAAM,OAAA,uBAAc,GAAA,CAAI;AAAA,IACtB,GAAG,KAAA,CAAM,IAAA,CAAK,SAAA,CAAU,cAAc,CAAA;AAAA,IACtC,GAAG,aAAA,CAAc,GAAA,CAAI,CAAA,CAAA,KAAK,CAAA,CAAE,aAAa;AAAA,GAC1C,CAAA;AAED,EAAA,SAAS,MAAA,CAAO,GAAA,EAAc,KAAA,GAAQ,CAAA,EAAY;AAChD,IAAA,IAAI,KAAA,GAAQ,KAAA,CAAM,mBAAA,EAAqB,OAAO,SAAA,CAAU,SAAA;AACxD,IAAA,IAAI,GAAA,KAAQ,IAAA,IAAQ,GAAA,KAAQ,MAAA,EAAW,OAAO,GAAA;AAC9C,IAAA,IAAI,OAAO,GAAA,KAAQ,QAAA,EAAU,OAAO,GAAA;AAEpC,IAAA,IAAI,KAAA,CAAM,OAAA,CAAQ,GAAG,CAAA,EAAG;AACtB,MAAA,OAAO,IAAI,GAAA,CAAI,CAAA,IAAA,KAAQ,OAAO,IAAA,EAAM,KAAA,GAAQ,CAAC,CAAC,CAAA;AAAA,IAChD;AAEA,IAAA,MAAM,SAAkC,EAAC;AACzC,IAAA,KAAA,MAAW,CAAC,GAAA,EAAK,KAAK,KAAK,MAAA,CAAO,OAAA,CAAQ,GAA8B,CAAA,EAAG;AACzE,MAAA,IAAI,OAAA,CAAQ,GAAA,CAAI,GAAA,CAAI,WAAA,EAAa,CAAA,EAAG;AAClC,QAAA,MAAA,CAAO,GAAG,IAAI,SAAA,CAAU,WAAA;AAAA,MAC1B,CAAA,MAAO;AACL,QAAA,MAAA,CAAO,GAAG,CAAA,GAAI,MAAA,CAAO,KAAA,EAAO,QAAQ,CAAC,CAAA;AAAA,MACvC;AAAA,IACF;AACA,IAAA,OAAO,MAAA;AAAA,EACT;AAEA,EAAA,OAAO,MAAA;AACT;AAMO,IAAM,OAAA,GAAU","file":"index.mjs","sourcesContent":["/**\n * @module @arcis/node/core/constants\n * Named constants for Arcis - no magic numbers\n */\n\n// =============================================================================\n// INPUT LIMITS\n// =============================================================================\nexport const INPUT = {\n /** Default maximum input size (1MB) */\n DEFAULT_MAX_SIZE: 1_000_000,\n /** Maximum recursion depth for nested objects */\n MAX_RECURSION_DEPTH: 10,\n} as const;\n\n// =============================================================================\n// RATE LIMITING\n// =============================================================================\nexport const RATE_LIMIT = {\n /** Default window size (1 minute) */\n DEFAULT_WINDOW_MS: 60_000,\n /** Default max requests per window */\n DEFAULT_MAX_REQUESTS: 100,\n /** Default HTTP status code for rate limited responses */\n DEFAULT_STATUS_CODE: 429,\n /** Default error message */\n DEFAULT_MESSAGE: 'Too many requests, please try again later.',\n /** Minimum window size (1 second) */\n MIN_WINDOW_MS: 1_000,\n /** Maximum window size (24 hours) */\n MAX_WINDOW_MS: 86_400_000,\n} as const;\n\n// =============================================================================\n// SECURITY HEADERS\n// =============================================================================\nexport const HEADERS = {\n /** Default Content Security Policy */\n DEFAULT_CSP: [\n \"default-src 'self'\",\n \"script-src 'self'\",\n \"style-src 'self' 'unsafe-inline'\",\n \"img-src 'self' data: https:\",\n \"font-src 'self'\",\n \"object-src 'none'\",\n \"frame-ancestors 'none'\",\n ].join('; '),\n /** Default HSTS max age (1 year in seconds) */\n HSTS_MAX_AGE: 31_536_000,\n /** Default X-Frame-Options value */\n FRAME_OPTIONS: 'DENY' as const,\n /** Default X-Content-Type-Options value */\n CONTENT_TYPE_OPTIONS: 'nosniff',\n /** Default Referrer-Policy value */\n REFERRER_POLICY: 'strict-origin-when-cross-origin',\n /** Default Permissions-Policy value */\n PERMISSIONS_POLICY: 'geolocation=(), microphone=(), camera=()',\n /** Default Cache-Control value for security */\n CACHE_CONTROL: 'no-store, no-cache, must-revalidate, proxy-revalidate',\n} as const;\n\n// =============================================================================\n// XSS PATTERNS (ReDoS-safe)\n// =============================================================================\n\n/**\n * Detection patterns — used to flag whether a string contains XSS payloads.\n * Must stay in sync with XSS_REMOVE_PATTERNS below.\n */\nexport const XSS_PATTERNS = [\n /** Script tags (ReDoS-safe version) */\n /<script[^>]*>[\\s\\S]*?<\\/script>/gi,\n /** javascript: protocol (allow optional spaces before colon) */\n /javascript\\s*:/gi,\n /** vbscript: protocol */\n /vbscript\\s*:/gi,\n /** Event handlers (onclick, onerror, etc.) — any separator before attribute */\n /(?:[\\s/])on\\w+\\s*=/gi,\n /** iframe tags */\n /<iframe/gi,\n /** object tags */\n /<object/gi,\n /** embed tags */\n /<embed/gi,\n /** data: URIs (only dangerous ones, avoid false positives) */\n /(?:^|[\\s\"'=])data:/gi,\n /** URL-encoded script tags */\n /%3Cscript/gi,\n /** SVG with onload */\n /<svg[^>]*onload/gi,\n] as const;\n\n/**\n * Removal patterns — used by sanitizeXss() to strip dangerous content.\n * More targeted than XSS_PATTERNS: each pattern captures the full dangerous\n * substring (tag, attribute + value, protocol) so it can be replaced safely.\n * Must stay in sync with XSS_PATTERNS above.\n */\nexport const XSS_REMOVE_PATTERNS = [\n /** Full script blocks (content + tags) */\n /<script[^>]*>[\\s\\S]*?<\\/script>/gi,\n /** Standalone/unclosed script tags */\n /<script[^>]*>/gi,\n /** iframe — full block and partial/unclosed */\n /<iframe[^>]*>[\\s\\S]*?<\\/iframe>/gi,\n /<iframe[^>]*/gi,\n /** object — full block and partial/unclosed */\n /<object[^>]*>[\\s\\S]*?<\\/object>/gi,\n /<object[^>]*/gi,\n /** embed tags */\n /<embed[^>]*/gi,\n /** SVG with inline event handlers */\n /<svg[^>]*onload[^>]*>/gi,\n /** URL-encoded script tags */\n /%3Cscript/gi,\n /** Event handlers with quoted values: onclick=\"...\", onerror='...' */\n /(?:[\\s/])on\\w+\\s*=\\s*[\"'][^\"']*[\"']/gi,\n /** Event handlers with unquoted values: onload=value */\n /(?:[\\s/])on\\w+\\s*=\\s*[^\\s>]*/gi,\n /** javascript: and vbscript: protocols (allow optional spaces before colon) */\n /javascript\\s*:/gi,\n /vbscript\\s*:/gi,\n /** data: URIs with HTML/script content */\n /data\\s*:\\s*text\\/html[^>\\s]*/gi,\n] as const;\n\n// =============================================================================\n// SQL INJECTION PATTERNS\n// =============================================================================\nexport const SQL_PATTERNS = [\n /** SQL keywords */\n /(\\b(SELECT|INSERT|UPDATE|DELETE|DROP|UNION|ALTER|CREATE|TRUNCATE|EXEC|EXECUTE)\\b)/gi,\n /** SQL comments: ANSI (--), C-style (slash-star ... star-slash), MySQL (#) */\n /(--|\\/\\*|\\*\\/|#)/g,\n /** SQL statement separators */\n /(;|\\|\\||&&)/g,\n /** Boolean injection: OR 1=1 */\n /\\bOR\\s+\\d+\\s*=\\s*\\d+/gi,\n /** Boolean injection: OR 'a'='a' or OR \"a\"=\"a\" (including mixed quotes) */\n /\\bOR\\s+(['\"])[^'\"]*\\1\\s*=\\s*(['\"])[^'\"]*\\2/gi,\n /\\bOR\\s+('[^']*'|\"[^\"]*\")\\s*=\\s*('[^']*'|\"[^\"]*\")/gi,\n /** Boolean injection: AND 1=1 */\n /\\bAND\\s+\\d+\\s*=\\s*\\d+/gi,\n /** Boolean injection: AND 'a'='a' or AND \"a\"=\"a\" (including mixed quotes) */\n /\\bAND\\s+(['\"])[^'\"]*\\1\\s*=\\s*(['\"])[^'\"]*\\2/gi,\n /\\bAND\\s+('[^']*'|\"[^\"]*\")\\s*=\\s*('[^']*'|\"[^\"]*\")/gi,\n /** Time-based blind: SLEEP() */\n /\\bSLEEP\\s*\\(\\s*\\d+\\s*\\)/gi,\n /** Time-based blind: BENCHMARK() */\n /\\bBENCHMARK\\s*\\(/gi,\n /** Time-based blind: PostgreSQL pg_sleep() */\n /\\bpg_sleep\\s*\\(/gi,\n /** Time-based blind: MSSQL WAITFOR DELAY */\n /\\bWAITFOR\\s+DELAY\\b/gi,\n] as const;\n\n// =============================================================================\n// PATH TRAVERSAL PATTERNS\n// =============================================================================\nexport const PATH_PATTERNS = [\n /** Unix path traversal */\n /\\.\\.\\//g,\n /** Windows path traversal */\n /\\.\\.\\\\/g,\n /** URL-encoded traversal (%2e%2e) */\n /%2e%2e/gi,\n /** Double URL-encoded traversal (%252e) */\n /%252e/gi,\n /** Mixed encoding: ..%2F */\n /\\.\\.%2F/gi,\n /** Mixed encoding: %2e./ and .%2e/ */\n /%2e\\.[\\\\/]/gi,\n /\\.%2e[\\\\/]/gi,\n /** Fully URL-encoded: %2e%2e%2f */\n /%2e%2e%2f/gi,\n /** Double URL-encoded forward slash: %252f */\n /%252f/gi,\n /** Dotdotslash bypass: ....// or ....\\\\ */\n /\\.{2,}[/\\\\]{2,}/g,\n /** Null byte injection in paths */\n /\\0/g,\n] as const;\n\n// =============================================================================\n// COMMAND INJECTION PATTERNS\n// =============================================================================\nexport const COMMAND_PATTERNS = [\n /**\n * Shell metacharacters that enable command chaining/substitution.\n * Bare ( and ) are excluded — they appear in common legitimate values\n * (function calls in code fields, math expressions, etc.).\n * Command substitution is caught by the $( combined pattern below.\n * NOTE: ';', '&', '|' may appear in legitimate URL query strings\n * and Markdown; consider disabling command checking (command: false)\n * for fields that intentionally allow those characters.\n */\n /[;&|`]/g,\n /** Command substitution: $( ... ) — matched as a pair to reduce false positives */\n /\\$\\(/g,\n /** URL-encoded newline/carriage-return injection (%0a, %0d) */\n /%0[ad]/gi,\n] as const;\n\n// =============================================================================\n// DANGEROUS KEYS\n// =============================================================================\n\n/**\n * Prototype pollution keys to block.\n * Stored lowercase — always compare with key.toLowerCase().\n *\n * Includes:\n * - __proto__: direct prototype assignment\n * - constructor: access to constructor.prototype chain\n * - prototype: direct prototype property\n * - __defineGetter__/__defineSetter__: legacy property definition (can override getters/setters)\n * - __lookupGetter__/__lookupSetter__: legacy property introspection\n */\nexport const DANGEROUS_PROTO_KEYS = new Set([\n '__proto__',\n 'constructor',\n 'prototype',\n '__definegetter__',\n '__definesetter__',\n '__lookupgetter__',\n '__lookupsetter__',\n]);\n\n/** MongoDB operators to block */\nexport const NOSQL_DANGEROUS_KEYS = new Set([\n // Comparison\n '$gt', '$gte', '$lt', '$lte', '$ne', '$eq', '$in', '$nin',\n // Logical\n '$and', '$or', '$not', '$nor',\n // Element / evaluation\n '$exists', '$type', '$regex', '$where', '$expr', '$mod', '$text', '$jsonSchema',\n // Array\n '$elemMatch', '$all', '$size',\n // JavaScript execution (critical)\n '$function', '$accumulator',\n // Aggregation pipeline operators (injectable via $lookup etc.)\n '$lookup', '$match', '$project', '$group', '$sort', '$limit', '$skip',\n '$unwind', '$addFields', '$replaceRoot',\n]);\n\n// =============================================================================\n// REDACTION\n// =============================================================================\nexport const REDACTION = {\n /** Replacement text for redacted values */\n REPLACEMENT: '[REDACTED]',\n /** Truncation indicator */\n TRUNCATED: '[TRUNCATED]',\n /** Max depth indicator */\n MAX_DEPTH: '[MAX_DEPTH]',\n /** Default max message length */\n DEFAULT_MAX_LENGTH: 10_000,\n /** Default sensitive keys to redact */\n SENSITIVE_KEYS: new Set([\n 'password', 'passwd', 'pwd', 'secret', 'token', 'apikey',\n 'api_key', 'apiKey', 'auth', 'authorization', 'credit_card',\n 'creditcard', 'cc', 'ssn', 'social_security', 'private_key',\n 'privateKey', 'access_token', 'accessToken', 'refresh_token',\n 'refreshToken', 'bearer', 'jwt', 'session', 'cookie',\n 'credentials', 'x-api-key', 'x-auth-token',\n ]),\n} as const;\n\n// =============================================================================\n// VALIDATION PATTERNS\n// =============================================================================\nexport const VALIDATION = {\n /**\n * Email regex pattern.\n * Rejects consecutive dots in local part (e.g. test..foo@example.com),\n * leading/trailing dots, and other common invalid forms.\n */\n EMAIL: /^[^\\s@.][^\\s@]*(?:\\.[^\\s@.][^\\s@]*)*@[^\\s@]+\\.[^\\s@]+$/,\n /**\n * URL regex pattern.\n * Only allows http:// and https:// — explicitly rejects javascript:,\n * data:, vbscript:, and other dangerous URI schemes.\n */\n URL: /^https?:\\/\\/[^\\s/$.?#][^\\s]*$/,\n /** UUID regex pattern (v4) */\n UUID: /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i,\n} as const;\n\n// =============================================================================\n// ERROR MESSAGES\n// =============================================================================\nexport const ERRORS = {\n /** Generic error message (production) */\n INTERNAL_SERVER_ERROR: 'Internal Server Error',\n /** Input too large error */\n INPUT_TOO_LARGE: (maxSize: number) => `Input exceeds maximum size of ${maxSize} bytes`,\n /** Validation error messages */\n VALIDATION: {\n REQUIRED: (field: string) => `${field} is required`,\n INVALID_TYPE: (field: string, type: string) => `${field} must be a ${type}`,\n MIN_LENGTH: (field: string, min: number) => `${field} must be at least ${min} characters`,\n MAX_LENGTH: (field: string, max: number) => `${field} must be at most ${max} characters`,\n MIN_VALUE: (field: string, min: number) => `${field} must be at least ${min}`,\n MAX_VALUE: (field: string, max: number) => `${field} must be at most ${max}`,\n INVALID_FORMAT: (field: string) => `${field} format is invalid`,\n INVALID_EMAIL: (field: string) => `${field} must be a valid email`,\n INVALID_URL: (field: string) => `${field} must be a valid URL`,\n INVALID_UUID: (field: string) => `${field} must be a valid UUID`,\n INVALID_ENUM: (field: string, values: unknown[]) => `${field} must be one of: ${values.join(', ')}`,\n MIN_ITEMS: (field: string, min: number) => `${field} must have at least ${min} items`,\n MAX_ITEMS: (field: string, max: number) => `${field} must have at most ${max} items`,\n },\n} as const;\n\n// =============================================================================\n// BLOCKED TEXT (for sanitizer replacements)\n// =============================================================================\nexport const BLOCKED = '[BLOCKED]' as const;\n","/**\n * @module @arcis/node/logging/redactor\n * Safe logging with PII/secret redaction\n */\n\nimport { REDACTION, INPUT } from '../core/constants';\nimport type { LogOptions, SafeLogger } from '../core/types';\n\nconst LOG_LEVELS: Record<string, number> = {\n debug: 0,\n info: 1,\n warn: 2,\n error: 3,\n silent: 4,\n};\n\n/**\n * Create a safe logger that redacts sensitive data and prevents log injection.\n * \n * @param options - Logger configuration\n * @returns SafeLogger instance\n * \n * @example\n * const logger = createSafeLogger();\n * logger.info('User login', { email: 'user@test.com', password: 'secret' });\n * // Logs: { \"email\": \"user@test.com\", \"password\": \"[REDACTED]\" }\n * \n * @example\n * // With custom redact keys\n * const logger = createSafeLogger({ redactKeys: ['customToken', 'internalId'] });\n */\nexport function createSafeLogger(options: LogOptions = {}): SafeLogger {\n const {\n redactKeys = [],\n maxLength = REDACTION.DEFAULT_MAX_LENGTH,\n redactPatterns = [],\n level: minLevel = 'debug',\n } = options;\n\n const minLevelNum = LOG_LEVELS[minLevel] ?? 0;\n\n // Combine default and custom keys (lowercase for case-insensitive matching)\n const allRedactKeys = new Set([\n ...Array.from(REDACTION.SENSITIVE_KEYS),\n ...redactKeys.map(k => k.toLowerCase()),\n ]);\n\n /**\n * Redact sensitive data from an object recursively.\n */\n function redact(obj: unknown, depth = 0): unknown {\n if (depth > INPUT.MAX_RECURSION_DEPTH) return REDACTION.MAX_DEPTH;\n if (obj === null || obj === undefined) return obj;\n\n if (typeof obj === 'string') {\n return redactString(obj, maxLength, redactPatterns);\n }\n\n if (typeof obj !== 'object') return obj;\n\n if (Array.isArray(obj)) {\n return obj.map(item => redact(item, depth + 1));\n }\n\n const result: Record<string, unknown> = {};\n for (const [key, value] of Object.entries(obj as Record<string, unknown>)) {\n if (allRedactKeys.has(key.toLowerCase())) {\n result[key] = REDACTION.REPLACEMENT;\n } else {\n result[key] = redact(value, depth + 1);\n }\n }\n return result;\n }\n\n /**\n * Log a message at the specified level.\n */\n function log(level: string, message: string, data?: unknown): void {\n // Early exit: skip all work if message level is below minimum\n const levelNum = LOG_LEVELS[level] ?? 0;\n if (levelNum < minLevelNum) return;\n\n const entry: Record<string, unknown> = {\n timestamp: new Date().toISOString(),\n level,\n message: redactString(message, maxLength, redactPatterns),\n };\n\n if (data !== undefined) {\n entry.data = redact(data);\n }\n\n console.log(JSON.stringify(entry));\n }\n\n return {\n log,\n info: (msg: string, data?: unknown) => log('info', msg, data),\n warn: (msg: string, data?: unknown) => log('warn', msg, data),\n error: (msg: string, data?: unknown) => log('error', msg, data),\n debug: (msg: string, data?: unknown) => log('debug', msg, data),\n };\n}\n\n/**\n * Redact a string value.\n * Removes newlines (log injection prevention), applies patterns, and truncates.\n */\nfunction redactString(str: string, maxLength: number, patterns: RegExp[]): string {\n // Remove newlines/tabs (log injection prevention) and genuine control characters.\n // Only strip C0/C1 control chars and null bytes — preserve all printable Unicode\n // (CJK, Cyrillic, Arabic, etc.) so multilingual content isn't silently lost.\n let safe = str\n .replace(/[\\r\\n\\t]/g, ' ')\n .replace(/[\\x00-\\x08\\x0B\\x0C\\x0E-\\x1F\\x7F\\x80-\\x9F]/g, '');\n\n // Apply custom redaction patterns\n for (const pattern of patterns) {\n safe = safe.replace(pattern, REDACTION.REPLACEMENT);\n }\n\n // Truncate if too long\n if (safe.length > maxLength) {\n safe = safe.substring(0, maxLength) + `...${REDACTION.TRUNCATED}`;\n }\n\n return safe;\n}\n\n/**\n * Create a redactor function for custom use.\n * \n * @param sensitiveKeys - Keys to redact\n * @returns Redactor function\n */\nexport function createRedactor(sensitiveKeys: string[] = []): (obj: unknown) => unknown {\n const allKeys = new Set([\n ...Array.from(REDACTION.SENSITIVE_KEYS),\n ...sensitiveKeys.map(k => k.toLowerCase()),\n ]);\n\n function redact(obj: unknown, depth = 0): unknown {\n if (depth > INPUT.MAX_RECURSION_DEPTH) return REDACTION.MAX_DEPTH;\n if (obj === null || obj === undefined) return obj;\n if (typeof obj !== 'object') return obj;\n\n if (Array.isArray(obj)) {\n return obj.map(item => redact(item, depth + 1));\n }\n\n const result: Record<string, unknown> = {};\n for (const [key, value] of Object.entries(obj as Record<string, unknown>)) {\n if (allKeys.has(key.toLowerCase())) {\n result[key] = REDACTION.REPLACEMENT;\n } else {\n result[key] = redact(value, depth + 1);\n }\n }\n return result;\n }\n\n return redact;\n}\n\n/**\n * Alias for createSafeLogger\n * @see createSafeLogger\n */\nexport const safeLog = createSafeLogger;\n"]}
package/dist/middleware/index.d.mts CHANGED
@@ -1,3 +1,3 @@
1
- export { f as arcis, g as arcisFunction, h as botProtection, i as createCors, j as createErrorHandler, k as createHeaders, l as createRateLimiter, m as createSecureCookies, n as createSlidingWindowLimiter, o as createTokenBucketLimiter, g as default, p as detectBot, q as enforceSecureCookie, r as errorHandler, s as rateLimit, t as safeCors, u as secureCookieDefaults, v as securityHeaders } from '../index-CCcPuTBo.mjs';
2
- import '../types-BOdL3ZWo.mjs';
1
+ export { g as arcis, h as arcisFunction, i as botProtection, j as createCors, k as createCsrf, l as createErrorHandler, m as createHeaders, n as createRateLimiter, o as createSecureCookies, p as createSlidingWindowLimiter, q as createTokenBucketLimiter, r as csrfProtection, h as default, s as detectBot, t as enforceSecureCookie, u as errorHandler, v as generateCsrfToken, w as rateLimit, x as safeCors, y as secureCookieDefaults, z as securityHeaders, A as validateCsrfToken } from '../index-CgK94hY_.mjs';
2
+ import '../types-CsOFHoD9.mjs';
3
3
  import 'express';
package/dist/middleware/index.d.ts CHANGED
@@ -1,3 +1,3 @@
1
- export { f as arcis, g as arcisFunction, h as botProtection, i as createCors, j as createErrorHandler, k as createHeaders, l as createRateLimiter, m as createSecureCookies, n as createSlidingWindowLimiter, o as createTokenBucketLimiter, g as default, p as detectBot, q as enforceSecureCookie, r as errorHandler, s as rateLimit, t as safeCors, u as secureCookieDefaults, v as securityHeaders } from '../index-BvcFpoR3.js';
2
- import '../types-BOdL3ZWo.js';
1
+ export { g as arcis, h as arcisFunction, i as botProtection, j as createCors, k as createCsrf, l as createErrorHandler, m as createHeaders, n as createRateLimiter, o as createSecureCookies, p as createSlidingWindowLimiter, q as createTokenBucketLimiter, r as csrfProtection, h as default, s as detectBot, t as enforceSecureCookie, u as errorHandler, v as generateCsrfToken, w as rateLimit, x as safeCors, y as secureCookieDefaults, z as securityHeaders, A as validateCsrfToken } from '../index-D_bdJcF0.js';
2
+ import '../types-CsOFHoD9.js';
3
3
  import 'express';
package/dist/middleware/index.js CHANGED
@@ -2,6 +2,8 @@
2
2
 
3
3
  Object.defineProperty(exports, '__esModule', { value: true });
4
4
 
5
+ var crypto = require('crypto');
6
+
5
7
  // src/core/constants.ts
6
8
  var INPUT = {
7
9
  /** Default maximum input size (1MB) */
@@ -89,7 +91,11 @@ var SQL_PATTERNS = [
89
91
  /** Time-based blind: SLEEP() */
90
92
  /\bSLEEP\s*\(\s*\d+\s*\)/gi,
91
93
  /** Time-based blind: BENCHMARK() */
92
- /\bBENCHMARK\s*\(/gi
94
+ /\bBENCHMARK\s*\(/gi,
95
+ /** Time-based blind: PostgreSQL pg_sleep() */
96
+ /\bpg_sleep\s*\(/gi,
97
+ /** Time-based blind: MSSQL WAITFOR DELAY */
98
+ /\bWAITFOR\s+DELAY\b/gi
93
99
  ];
94
100
  var PATH_PATTERNS = [
95
101
  /** Unix path traversal */
@@ -107,6 +113,10 @@ var PATH_PATTERNS = [
107
113
  /\.%2e[\\/]/gi,
108
114
  /** Fully URL-encoded: %2e%2e%2f */
109
115
  /%2e%2e%2f/gi,
116
+ /** Double URL-encoded forward slash: %252f */
117
+ /%252f/gi,
118
+ /** Dotdotslash bypass: ....// or ....\\ */
119
+ /\.{2,}[/\\]{2,}/g,
110
120
  /** Null byte injection in paths */
111
121
  /\0/g
112
122
  ];
@@ -122,7 +132,9 @@ var COMMAND_PATTERNS = [
122
132
  */
123
133
  /[;&|`]/g,
124
134
  /** Command substitution: $( ... ) — matched as a pair to reduce false positives */
125
- /\$\(/g
135
+ /\$\(/g,
136
+ /** URL-encoded newline/carriage-return injection (%0a, %0d) */
137
+ /%0[ad]/gi
126
138
  ];
127
139
  var DANGEROUS_PROTO_KEYS = /* @__PURE__ */ new Set([
128
140
  "__proto__",
@@ -156,6 +168,7 @@ var NOSQL_DANGEROUS_KEYS = /* @__PURE__ */ new Set([
156
168
  "$expr",
157
169
  "$mod",
158
170
  "$text",
171
+ "$jsonSchema",
159
172
  // Array
160
173
  "$elemMatch",
161
174
  "$all",
@@ -709,7 +722,8 @@ function sanitizeObject(obj, options = {}) {
709
722
  if (typeof obj === "string") return sanitizeString(obj, options);
710
723
  if (typeof obj !== "object") return obj;
711
724
  if (Array.isArray(obj)) return obj.map((item) => sanitizeObject(item, options));
712
- return sanitizeObjectDepth(obj, options, 0);
725
+ const result = sanitizeObjectDepth(obj, options, 0);
726
+ return options.freeze ? Object.freeze(result) : result;
713
727
  }
714
728
  function sanitizeObjectDepth(obj, options, depth) {
715
729
  if (depth >= INPUT.MAX_RECURSION_DEPTH) return obj;
@@ -930,12 +944,21 @@ function validateField(field, value, rules) {
930
944
  "audio/mpeg": [Buffer.from([255, 251]), Buffer.from([255, 243]), Buffer.from([73, 68, 51])]});
931
945
 
932
946
  // src/logging/redactor.ts
947
+ var LOG_LEVELS = {
948
+ debug: 0,
949
+ info: 1,
950
+ warn: 2,
951
+ error: 3,
952
+ silent: 4
953
+ };
933
954
  function createSafeLogger(options = {}) {
934
955
  const {
935
956
  redactKeys = [],
936
957
  maxLength = REDACTION.DEFAULT_MAX_LENGTH,
937
- redactPatterns = []
958
+ redactPatterns = [],
959
+ level: minLevel = "debug"
938
960
  } = options;
961
+ const minLevelNum = LOG_LEVELS[minLevel] ?? 0;
939
962
  const allRedactKeys = /* @__PURE__ */ new Set([
940
963
  ...Array.from(REDACTION.SENSITIVE_KEYS),
941
964
  ...redactKeys.map((k) => k.toLowerCase())
@@ -961,6 +984,8 @@ function createSafeLogger(options = {}) {
961
984
  return result;
962
985
  }
963
986
  function log(level, message, data) {
987
+ const levelNum = LOG_LEVELS[level] ?? 0;
988
+ if (levelNum < minLevelNum) return;
964
989
  const entry = {
965
990
  timestamp: (/* @__PURE__ */ new Date()).toISOString(),
966
991
  level,
@@ -1528,24 +1553,141 @@ function botProtection(options = {}) {
1528
1553
  next();
1529
1554
  };
1530
1555
  }
1556
+ var DEFAULTS = {
1557
+ cookieName: "_csrf",
1558
+ headerName: "x-csrf-token",
1559
+ fieldName: "_csrf",
1560
+ tokenLength: 32,
1561
+ protectedMethods: ["POST", "PUT", "PATCH", "DELETE"]
1562
+ };
1563
+ function generateCsrfToken(length = 32) {
1564
+ return crypto.randomBytes(length).toString("hex");
1565
+ }
1566
+ function validateCsrfToken(cookieToken, requestToken) {
1567
+ if (!cookieToken || !requestToken) return false;
1568
+ if (cookieToken.length !== requestToken.length) return false;
1569
+ let result = 0;
1570
+ for (let i = 0; i < cookieToken.length; i++) {
1571
+ result |= cookieToken.charCodeAt(i) ^ requestToken.charCodeAt(i);
1572
+ }
1573
+ return result === 0;
1574
+ }
1575
+ function getRequestToken(req, headerName, fieldName) {
1576
+ const headerToken = req.headers[headerName.toLowerCase()];
1577
+ if (typeof headerToken === "string" && headerToken) return headerToken;
1578
+ if (req.body && typeof req.body === "object" && fieldName in req.body) {
1579
+ const bodyToken = req.body[fieldName];
1580
+ if (typeof bodyToken === "string" && bodyToken) return bodyToken;
1581
+ }
1582
+ if (req.query && fieldName in req.query) {
1583
+ const queryToken = req.query[fieldName];
1584
+ if (typeof queryToken === "string" && queryToken) return queryToken;
1585
+ }
1586
+ return void 0;
1587
+ }
1588
+ function csrfProtection(options = {}) {
1589
+ const cookieName = options.cookieName ?? DEFAULTS.cookieName;
1590
+ const headerName = options.headerName ?? DEFAULTS.headerName;
1591
+ const fieldName = options.fieldName ?? DEFAULTS.fieldName;
1592
+ const tokenLength = options.tokenLength ?? DEFAULTS.tokenLength;
1593
+ const protectedMethods = options.protectedMethods ?? [...DEFAULTS.protectedMethods];
1594
+ const excludePaths = options.excludePaths ?? [];
1595
+ const isProduction = process.env.NODE_ENV === "production";
1596
+ const cookieOpts = {
1597
+ path: options.cookie?.path ?? "/",
1598
+ httpOnly: options.cookie?.httpOnly ?? false,
1599
+ // Must be readable by client JS
1600
+ secure: options.cookie?.secure ?? isProduction,
1601
+ sameSite: options.cookie?.sameSite ?? "Lax",
1602
+ domain: options.cookie?.domain
1603
+ };
1604
+ const defaultOnError = (_req, res, _next) => {
1605
+ res.status(403).json({
1606
+ error: "CSRF token validation failed",
1607
+ message: "Invalid or missing CSRF token. Include the token from the cookie in the X-CSRF-Token header."
1608
+ });
1609
+ };
1610
+ const onError = options.onError ?? defaultOnError;
1611
+ const protectedSet = new Set(protectedMethods.map((m) => m.toUpperCase()));
1612
+ return (req, res, next) => {
1613
+ const method = req.method.toUpperCase();
1614
+ const requestPath = req.path || req.url;
1615
+ if (excludePaths.some((p) => requestPath === p || requestPath.startsWith(p + "/"))) {
1616
+ return next();
1617
+ }
1618
+ req.csrfToken = () => {
1619
+ const existing = getCookieValue(req, cookieName);
1620
+ if (existing) return existing;
1621
+ const token = generateCsrfToken(tokenLength);
1622
+ setCsrfCookie(res, cookieName, token, cookieOpts);
1623
+ return token;
1624
+ };
1625
+ if (!protectedSet.has(method)) {
1626
+ const existing = getCookieValue(req, cookieName);
1627
+ if (!existing) {
1628
+ const token = generateCsrfToken(tokenLength);
1629
+ setCsrfCookie(res, cookieName, token, cookieOpts);
1630
+ }
1631
+ return next();
1632
+ }
1633
+ const cookieToken = getCookieValue(req, cookieName);
1634
+ if (!cookieToken) {
1635
+ return onError(req, res, next);
1636
+ }
1637
+ const requestToken = getRequestToken(req, headerName, fieldName);
1638
+ if (!requestToken) {
1639
+ return onError(req, res, next);
1640
+ }
1641
+ if (!validateCsrfToken(cookieToken, requestToken)) {
1642
+ return onError(req, res, next);
1643
+ }
1644
+ next();
1645
+ };
1646
+ }
1647
+ function getCookieValue(req, name) {
1648
+ if (req.cookies && typeof req.cookies === "object" && name in req.cookies) {
1649
+ return req.cookies[name];
1650
+ }
1651
+ const cookieHeader = req.headers.cookie;
1652
+ if (!cookieHeader) return void 0;
1653
+ const match = cookieHeader.match(new RegExp(`(?:^|;\\s*)${escapeRegex(name)}=([^;]*)`));
1654
+ return match ? decodeURIComponent(match[1]) : void 0;
1655
+ }
1656
+ function setCsrfCookie(res, name, token, opts) {
1657
+ const parts = [`${name}=${token}`];
1658
+ parts.push(`Path=${opts.path}`);
1659
+ if (opts.httpOnly) parts.push("HttpOnly");
1660
+ if (opts.secure) parts.push("Secure");
1661
+ parts.push(`SameSite=${opts.sameSite}`);
1662
+ if (opts.domain) parts.push(`Domain=${opts.domain}`);
1663
+ res.setHeader("Set-Cookie", parts.join("; "));
1664
+ }
1665
+ function escapeRegex(str) {
1666
+ return str.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
1667
+ }
1668
+ var createCsrf = csrfProtection;
1531
1669
 
1532
1670
  exports.arcis = arcis;
1533
1671
  exports.arcisFunction = arcisWithMethods;
1534
1672
  exports.botProtection = botProtection;
1535
1673
  exports.createCors = createCors;
1674
+ exports.createCsrf = createCsrf;
1536
1675
  exports.createErrorHandler = createErrorHandler;
1537
1676
  exports.createHeaders = createHeaders;
1538
1677
  exports.createRateLimiter = createRateLimiter;
1539
1678
  exports.createSecureCookies = createSecureCookies;
1540
1679
  exports.createSlidingWindowLimiter = createSlidingWindowLimiter;
1541
1680
  exports.createTokenBucketLimiter = createTokenBucketLimiter;
1681
+ exports.csrfProtection = csrfProtection;
1542
1682
  exports.default = main_default;
1543
1683
  exports.detectBot = detectBot;
1544
1684
  exports.enforceSecureCookie = enforceSecureCookie;
1545
1685
  exports.errorHandler = errorHandler;
1686
+ exports.generateCsrfToken = generateCsrfToken;
1546
1687
  exports.rateLimit = rateLimit;
1547
1688
  exports.safeCors = safeCors;
1548
1689
  exports.secureCookieDefaults = secureCookieDefaults;
1549
1690
  exports.securityHeaders = securityHeaders;
1691
+ exports.validateCsrfToken = validateCsrfToken;
1550
1692
  //# sourceMappingURL=index.js.map
1551
1693
  //# sourceMappingURL=index.js.map