@arcis/node 1.3.0 → 1.4.0

package/dist/middleware/main.d.ts

@@ -0,0 +1,40 @@
+/**
+ * @module @arcis/node/middleware/main
+ * Main arcis() middleware factory
+ */
+import type { ArcisOptions, ArcisFunction, ArcisMiddlewareStack } from '../core/types';
+/**
+ * Create Arcis middleware with all protections enabled.
+ *
+ * @param options - Configuration options
+ * @returns Array of Express middleware
+ *
+ * @example
+ * // Full protection (recommended)
+ * app.use(arcis());
+ *
+ * @example
+ * // Custom configuration
+ * app.use(arcis({
+ *   rateLimit: { max: 50 },
+ *   headers: { frameOptions: 'SAMEORIGIN' }
+ * }));
+ *
+ * @example
+ * // Disable specific features
+ * app.use(arcis({
+ *   rateLimit: false,
+ *   sanitize: { sql: false }
+ * }));
+ *
+ * @example
+ * // Cleanup on shutdown
+ * const middleware = arcis();
+ * app.use(middleware);
+ * process.on('SIGTERM', () => middleware.close());
+ */
+export declare function arcis(options?: ArcisOptions): ArcisMiddlewareStack;
+declare const arcisWithMethods: ArcisFunction;
+export { arcisWithMethods as arcisFunction };
+export default arcisWithMethods;
+//# sourceMappingURL=main.d.ts.map

package/dist/middleware/main.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"main.d.ts","sourceRoot":"","sources":["../../src/middleware/main.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAGH,OAAO,KAAK,EACV,YAAY,EACZ,aAAa,EACb,oBAAoB,EAIrB,MAAM,eAAe,CAAC;AAQvB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA6BG;AACH,wBAAgB,KAAK,CAAC,OAAO,GAAE,YAAiB,GAAG,oBAAoB,CAuCtE;AAGD,QAAA,MAAM,gBAAgB,EAAY,aAAa,CAAC;AAQhD,OAAO,EAAE,gBAAgB,IAAI,aAAa,EAAE,CAAC;AAC7C,eAAe,gBAAgB,CAAC"}

package/dist/middleware/rate-limit-sliding.d.ts

@@ -0,0 +1,46 @@
+/**
+ * @module @arcis/node/middleware/rate-limit-sliding
+ * Sliding window rate limiting middleware.
+ *
+ * More accurate than fixed window — uses a weighted sum of the previous
+ * and current window to approximate a true sliding window.
+ *
+ * Algorithm:
+ *   weight = (windowMs - elapsed) / windowMs
+ *   count = (prevWindow * weight) + currentWindow
+ *   allow = count < limit
+ *
+ * @example
+ * app.use(createSlidingWindowLimiter({ max: 100, window: '15m' }));
+ */
+import type { Request, RequestHandler } from 'express';
+export interface SlidingWindowOptions {
+    /** Maximum requests per window. Default: 100 */
+    max?: number;
+    /** Window size in ms or duration string. Default: '1m' */
+    window?: string | number;
+    /** Error message when limit exceeded */
+    message?: string;
+    /** HTTP status code for rate limited responses. Default: 429 */
+    statusCode?: number;
+    /** Function to generate rate limit key from request */
+    keyGenerator?: (req: Request) => string;
+    /** Function to skip rate limiting for certain requests */
+    skip?: (req: Request) => boolean;
+}
+export interface SlidingWindowMiddleware extends RequestHandler {
+    close: () => void;
+}
+/**
+ * Create sliding window rate limiter middleware.
+ *
+ * @example
+ * // 100 requests per 15 minutes
+ * app.use(createSlidingWindowLimiter({ max: 100, window: '15m' }));
+ *
+ * @example
+ * // Strict API limit
+ * app.use('/api', createSlidingWindowLimiter({ max: 30, window: '1m' }));
+ */
+export declare function createSlidingWindowLimiter(options?: SlidingWindowOptions): SlidingWindowMiddleware;
+//# sourceMappingURL=rate-limit-sliding.d.ts.map

package/dist/middleware/rate-limit-sliding.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"rate-limit-sliding.d.ts","sourceRoot":"","sources":["../../src/middleware/rate-limit-sliding.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AAEH,OAAO,KAAK,EAAE,OAAO,EAA0B,cAAc,EAAE,MAAM,SAAS,CAAC;AAI/E,MAAM,WAAW,oBAAoB;IACnC,gDAAgD;IAChD,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,0DAA0D;IAC1D,MAAM,CAAC,EAAE,MAAM,GAAG,MAAM,CAAC;IACzB,wCAAwC;IACxC,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,gEAAgE;IAChE,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,uDAAuD;IACvD,YAAY,CAAC,EAAE,CAAC,GAAG,EAAE,OAAO,KAAK,MAAM,CAAC;IACxC,0DAA0D;IAC1D,IAAI,CAAC,EAAE,CAAC,GAAG,EAAE,OAAO,KAAK,OAAO,CAAC;CAClC;AAOD,MAAM,WAAW,uBAAwB,SAAQ,cAAc;IAC7D,KAAK,EAAE,MAAM,IAAI,CAAC;CACnB;AAED;;;;;;;;;;GAUG;AACH,wBAAgB,0BAA0B,CAAC,OAAO,GAAE,oBAAyB,GAAG,uBAAuB,CAiGtG"}

package/dist/middleware/rate-limit-token.d.ts

@@ -0,0 +1,51 @@
+/**
+ * @module @arcis/node/middleware/rate-limit-token
+ * Token bucket rate limiting middleware.
+ *
+ * Allows burst traffic while enforcing an average rate.
+ * Tokens refill at a steady rate. Each request costs 1 token.
+ *
+ * Algorithm:
+ *   tokens = min(capacity, tokens + elapsed * refillRate)
+ *   if tokens >= cost: allow, subtract cost
+ *   else: deny
+ *
+ * @example
+ * app.use(createTokenBucketLimiter({ capacity: 50, refillRate: 10 }));
+ */
+import type { Request, RequestHandler } from 'express';
+export interface TokenBucketOptions {
+    /** Maximum tokens (burst size). Default: 100 */
+    capacity?: number;
+    /** Tokens added per second. Default: 10 */
+    refillRate?: number;
+    /** Tokens consumed per request. Default: 1 */
+    cost?: number;
+    /** Error message when limit exceeded */
+    message?: string;
+    /** HTTP status code for rate limited responses. Default: 429 */
+    statusCode?: number;
+    /** Function to generate rate limit key from request */
+    keyGenerator?: (req: Request) => string;
+    /** Function to skip rate limiting for certain requests */
+    skip?: (req: Request) => boolean;
+}
+export interface TokenBucketMiddleware extends RequestHandler {
+    close: () => void;
+}
+/**
+ * Create token bucket rate limiter middleware.
+ *
+ * @example
+ * // Allow bursts of 50, sustained rate of 10/sec
+ * app.use(createTokenBucketLimiter({ capacity: 50, refillRate: 10 }));
+ *
+ * @example
+ * // Strict API: 5 requests burst, 1/sec sustained
+ * app.use('/api/expensive', createTokenBucketLimiter({
+ *   capacity: 5,
+ *   refillRate: 1,
+ * }));
+ */
+export declare function createTokenBucketLimiter(options?: TokenBucketOptions): TokenBucketMiddleware;
+//# sourceMappingURL=rate-limit-token.d.ts.map

package/dist/middleware/rate-limit-token.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"rate-limit-token.d.ts","sourceRoot":"","sources":["../../src/middleware/rate-limit-token.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AAEH,OAAO,KAAK,EAAE,OAAO,EAA0B,cAAc,EAAE,MAAM,SAAS,CAAC;AAG/E,MAAM,WAAW,kBAAkB;IACjC,gDAAgD;IAChD,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,2CAA2C;IAC3C,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,8CAA8C;IAC9C,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,wCAAwC;IACxC,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,gEAAgE;IAChE,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,uDAAuD;IACvD,YAAY,CAAC,EAAE,CAAC,GAAG,EAAE,OAAO,KAAK,MAAM,CAAC;IACxC,0DAA0D;IAC1D,IAAI,CAAC,EAAE,CAAC,GAAG,EAAE,OAAO,KAAK,OAAO,CAAC;CAClC;AAOD,MAAM,WAAW,qBAAsB,SAAQ,cAAc;IAC3D,KAAK,EAAE,MAAM,IAAI,CAAC;CACnB;AAED;;;;;;;;;;;;;GAaG;AACH,wBAAgB,wBAAwB,CAAC,OAAO,GAAE,kBAAuB,GAAG,qBAAqB,CA2FhG"}

package/dist/middleware/rate-limit.d.ts

@@ -0,0 +1,34 @@
+/**
+ * @module @arcis/node/middleware/rate-limit
+ * Rate limiting middleware
+ */
+import type { RateLimitOptions, RateLimiterMiddleware } from '../core/types';
+/**
+ * Create Express middleware for rate limiting.
+ *
+ * @param options - Rate limit configuration
+ * @returns Express middleware with cleanup method
+ *
+ * @example
+ * app.use(createRateLimiter({ max: 100, windowMs: 60000 }));
+ *
+ * @example
+ * // Skip rate limiting for certain routes
+ * app.use(createRateLimiter({
+ *   max: 50,
+ *   skip: (req) => req.path === '/health'
+ * }));
+ *
+ * @example
+ * // Cleanup on shutdown
+ * const limiter = createRateLimiter();
+ * app.use(limiter);
+ * process.on('SIGTERM', () => limiter.close());
+ */
+export declare function createRateLimiter(options?: RateLimitOptions): RateLimiterMiddleware;
+/**
+ * Alias for createRateLimiter
+ * @see createRateLimiter
+ */
+export declare const rateLimit: typeof createRateLimiter;
+//# sourceMappingURL=rate-limit.d.ts.map

package/dist/middleware/rate-limit.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"rate-limit.d.ts","sourceRoot":"","sources":["../../src/middleware/rate-limit.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAIH,OAAO,KAAK,EAAE,gBAAgB,EAAE,qBAAqB,EAAkB,MAAM,eAAe,CAAC;AAO7F;;;;;;;;;;;;;;;;;;;;;GAqBG;AACH,wBAAgB,iBAAiB,CAAC,OAAO,GAAE,gBAAqB,GAAG,qBAAqB,CAiHvF;AAED;;;GAGG;AACH,eAAO,MAAM,SAAS,0BAAoB,CAAC"}

package/dist/sanitizers/command.d.ts

@@ -0,0 +1,28 @@
+/**
+ * @module @arcis/node/sanitizers/command
+ * Command injection prevention
+ */
+import type { SanitizeResult } from '../core/types';
+/**
+ * Sanitizes a string to prevent command injection attacks.
+ * Replaces shell metacharacters and dangerous commands with [BLOCKED].
+ *
+ * @param input - The string to sanitize
+ * @param collectThreats - Whether to collect threat information (default: false for performance)
+ * @returns Sanitized string or SanitizeResult if collectThreats is true
+ *
+ * @example
+ * sanitizeCommand("file.txt; rm -rf /")
+ * // Returns: "file.txt  rm -rf /"
+ */
+export declare function sanitizeCommand(input: string, collectThreats?: false): string;
+export declare function sanitizeCommand(input: string, collectThreats: true): SanitizeResult;
+/**
+ * Checks if a string contains command injection patterns.
+ * Does not sanitize — use sanitizeCommand() for that.
+ *
+ * @param input - The string to check
+ * @returns True if command injection patterns detected
+ */
+export declare function detectCommandInjection(input: string): boolean;
+//# sourceMappingURL=command.d.ts.map

package/dist/sanitizers/command.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"command.d.ts","sourceRoot":"","sources":["../../src/sanitizers/command.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAGH,OAAO,KAAK,EAAE,cAAc,EAAc,MAAM,eAAe,CAAC;AAEhE;;;;;;;;;;;GAWG;AACH,wBAAgB,eAAe,CAAC,KAAK,EAAE,MAAM,EAAE,cAAc,CAAC,EAAE,KAAK,GAAG,MAAM,CAAC;AAC/E,wBAAgB,eAAe,CAAC,KAAK,EAAE,MAAM,EAAE,cAAc,EAAE,IAAI,GAAG,cAAc,CAAC;AA4CrF;;;;;;GAMG;AACH,wBAAgB,sBAAsB,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAW7D"}

package/dist/sanitizers/encode.d.ts

@@ -0,0 +1,46 @@
+/**
+ * @module @arcis/node/sanitizers/encode
+ * Context-aware output encoding for XSS prevention.
+ *
+ * Wrong-context encoding is the #1 cause of XSS bypasses in "protected" apps.
+ * A single sanitize() is not enough when output goes to JS, CSS, or attribute contexts.
+ */
+/**
+ * Encodes for HTML body context. Entity-encodes & < > " '
+ *
+ * Use when outputting to HTML element content:
+ *   `<p>${encodeForHtml(userInput)}</p>`
+ */
+export declare function encodeForHtml(value: string): string;
+/**
+ * Encodes for HTML attribute context.
+ * All non-alphanumeric characters are encoded as `&#xHH;` hex entities.
+ *
+ * Use when outputting to HTML attributes:
+ *   `<div title="${encodeForAttribute(userInput)}">`
+ */
+export declare function encodeForAttribute(value: string): string;
+/**
+ * Encodes for JavaScript string context.
+ * Non-alphanumeric characters are escaped as `\xHH` (ASCII) or `\uHHHH` (Unicode).
+ *
+ * Use when embedding in JS string literals:
+ *   `var x = '${encodeForJs(userInput)}';`
+ */
+export declare function encodeForJs(value: string): string;
+/**
+ * Encodes for URL parameter context. Percent-encodes all non-unreserved chars.
+ *
+ * Use when building query strings:
+ *   `?q=${encodeForUrl(userInput)}`
+ */
+export declare function encodeForUrl(value: string): string;
+/**
+ * Encodes for CSS value context.
+ * Non-alphanumeric characters are hex-escaped as `\HH ` (trailing space per CSS spec).
+ *
+ * Use when embedding in CSS values:
+ *   `content: '${encodeForCss(userInput)}';`
+ */
+export declare function encodeForCss(value: string): string;
+//# sourceMappingURL=encode.d.ts.map

package/dist/sanitizers/encode.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"encode.d.ts","sourceRoot":"","sources":["../../src/sanitizers/encode.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAaH;;;;;GAKG;AACH,wBAAgB,aAAa,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,CAGnD;AAED;;;;;;GAMG;AACH,wBAAgB,kBAAkB,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,CAiBxD;AAED;;;;;;GAMG;AACH,wBAAgB,WAAW,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,CAmBjD;AAED;;;;;GAKG;AACH,wBAAgB,YAAY,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,CAOlD;AAED;;;;;;GAMG;AACH,wBAAgB,YAAY,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,CAkBlD"}

package/dist/sanitizers/headers.d.ts

@@ -0,0 +1,46 @@
+/**
+ * @module @arcis/node/sanitizers/headers
+ * HTTP Header Injection & CRLF Injection prevention
+ *
+ * Prevents attackers from injecting newline characters (\r\n) into HTTP header
+ * values, which can lead to response splitting, session fixation, XSS via
+ * injected headers, and cache poisoning.
+ */
+import type { SanitizeResult } from '../core/types';
+/**
+ * Sanitizes a header value by stripping CRLF sequences, bare CR/LF, and null bytes.
+ *
+ * @param input - The header value to sanitize
+ * @param collectThreats - Whether to collect threat information (default: false)
+ * @returns Sanitized string or SanitizeResult if collectThreats is true
+ *
+ * @example
+ * sanitizeHeaderValue("safe-value")
+ * // Returns: "safe-value"
+ *
+ * sanitizeHeaderValue("value\r\nX-Injected: evil")
+ * // Returns: "valueX-Injected: evil"
+ */
+export declare function sanitizeHeaderValue(input: string, collectThreats?: false): string;
+export declare function sanitizeHeaderValue(input: string, collectThreats: true): SanitizeResult;
+/**
+ * Sanitizes an object of header key-value pairs.
+ * Strips CRLF/null bytes from both keys and values.
+ *
+ * @param headers - Object with header names as keys and header values as values
+ * @returns New object with sanitized header names and values
+ *
+ * @example
+ * sanitizeHeaders({ "X-Custom": "safe", "X-Bad\r\n": "value\r\ninjected" })
+ * // Returns: { "X-Custom": "safe", "X-Bad": "valueinjected" }
+ */
+export declare function sanitizeHeaders(headers: Record<string, string>): Record<string, string>;
+/**
+ * Checks if a string contains HTTP header injection patterns (CRLF, null bytes).
+ * Does not sanitize — use sanitizeHeaderValue() for that.
+ *
+ * @param input - The string to check
+ * @returns True if header injection patterns detected
+ */
+export declare function detectHeaderInjection(input: string): boolean;
+//# sourceMappingURL=headers.d.ts.map

package/dist/sanitizers/headers.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"headers.d.ts","sourceRoot":"","sources":["../../src/sanitizers/headers.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,KAAK,EAAE,cAAc,EAAc,MAAM,eAAe,CAAC;AAUhE;;;;;;;;;;;;;GAaG;AACH,wBAAgB,mBAAmB,CAAC,KAAK,EAAE,MAAM,EAAE,cAAc,CAAC,EAAE,KAAK,GAAG,MAAM,CAAC;AACnF,wBAAgB,mBAAmB,CAAC,KAAK,EAAE,MAAM,EAAE,cAAc,EAAE,IAAI,GAAG,cAAc,CAAC;AAuCzF;;;;;;;;;;GAUG;AACH,wBAAgB,eAAe,CAAC,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,GAAG,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAcvF;AAED;;;;;;GAMG;AACH,wBAAgB,qBAAqB,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAK5D"}

package/dist/sanitizers/index.d.ts

@@ -1,24 +1,19 @@
-export { c as createSanitizer, d as detectCommandInjection, a as detectHeaderInjection, b as detectJsonpInjection, e as detectNoSqlInjection, f as detectPathTraversal, g as detectPii, h as detectPrototypePollution, i as detectSql, j as detectSsti, k as detectXss, l as detectXxe, m as encodeForAttribute, n as encodeForCss, o as encodeForHtml, p as encodeForJs, q as encodeForUrl, r as getDangerousOperators, s as getDangerousProtoKeys, t as isDangerousNoSqlKey, u as isDangerousProtoKey, v as redactObjectPii, w as redactPii, x as sanitizeCommand, y as sanitizeHeaderValue, z as sanitizeHeaders, A as sanitizeJsonpCallback, B as sanitizeObject, C as sanitizePath, D as sanitizeSql, E as sanitizeSsti, F as sanitizeString, G as sanitizeXss, H as sanitizeXxe, I as scanObjectPii, J as scanPii } from '../encode-jl9sOwmA.js';
-import 'express';
-import '../types-BOkx5YJc.js';
-
 /**
- * @module @arcis/node/sanitizers/utils
- * Shared utilities for sanitizers
+ * @module @arcis/node/sanitizers
+ * All sanitization functions for Arcis
  */
-/**
- * Encodes HTML entities to prevent interpretation as markup.
- *
- * @param str - The string to encode
- * @returns The encoded string
- */
-declare function encodeHtmlEntities(str: string): string;
-/**
- * Checks if a value is a plain object (not null, array, Date, etc.)
- *
- * @param value - Value to check
- * @returns True if plain object
- */
-declare function isPlainObject(value: unknown): value is Record<string, unknown>;
-
-export { encodeHtmlEntities, isPlainObject };
+export { sanitizeString, sanitizeObject, createSanitizer } from './sanitize';
+export { sanitizeXss, detectXss } from './xss';
+export { sanitizeSql, detectSql } from './sql';
+export { sanitizePath, detectPathTraversal } from './path';
+export { sanitizeCommand, detectCommandInjection } from './command';
+export { isDangerousNoSqlKey, detectNoSqlInjection, getDangerousOperators } from './nosql';
+export { isDangerousProtoKey, detectPrototypePollution, getDangerousProtoKeys } from './prototype';
+export { sanitizeSsti, detectSsti } from './ssti';
+export { sanitizeXxe, detectXxe } from './xxe';
+export { sanitizeJsonpCallback, detectJsonpInjection } from './jsonp';
+export { sanitizeHeaderValue, sanitizeHeaders, detectHeaderInjection } from './headers';
+export { scanPii, detectPii, redactPii, scanObjectPii, redactObjectPii } from './pii';
+export { encodeForHtml, encodeForAttribute, encodeForJs, encodeForUrl, encodeForCss } from './encode';
+export { encodeHtmlEntities, isPlainObject } from './utils';
+//# sourceMappingURL=index.d.ts.map

package/dist/sanitizers/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/sanitizers/index.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAGH,OAAO,EAAE,cAAc,EAAE,cAAc,EAAE,eAAe,EAAE,MAAM,YAAY,CAAC;AAG7E,OAAO,EAAE,WAAW,EAAE,SAAS,EAAE,MAAM,OAAO,CAAC;AAC/C,OAAO,EAAE,WAAW,EAAE,SAAS,EAAE,MAAM,OAAO,CAAC;AAC/C,OAAO,EAAE,YAAY,EAAE,mBAAmB,EAAE,MAAM,QAAQ,CAAC;AAC3D,OAAO,EAAE,eAAe,EAAE,sBAAsB,EAAE,MAAM,WAAW,CAAC;AAGpE,OAAO,EAAE,mBAAmB,EAAE,oBAAoB,EAAE,qBAAqB,EAAE,MAAM,SAAS,CAAC;AAG3F,OAAO,EAAE,mBAAmB,EAAE,wBAAwB,EAAE,qBAAqB,EAAE,MAAM,aAAa,CAAC;AAGnG,OAAO,EAAE,YAAY,EAAE,UAAU,EAAE,MAAM,QAAQ,CAAC;AAGlD,OAAO,EAAE,WAAW,EAAE,SAAS,EAAE,MAAM,OAAO,CAAC;AAG/C,OAAO,EAAE,qBAAqB,EAAE,oBAAoB,EAAE,MAAM,SAAS,CAAC;AAGtE,OAAO,EAAE,mBAAmB,EAAE,eAAe,EAAE,qBAAqB,EAAE,MAAM,WAAW,CAAC;AAGxF,OAAO,EAAE,OAAO,EAAE,SAAS,EAAE,SAAS,EAAE,aAAa,EAAE,eAAe,EAAE,MAAM,OAAO,CAAC;AAGtF,OAAO,EAAE,aAAa,EAAE,kBAAkB,EAAE,WAAW,EAAE,YAAY,EAAE,YAAY,EAAE,MAAM,UAAU,CAAC;AAGtG,OAAO,EAAE,kBAAkB,EAAE,aAAa,EAAE,MAAM,SAAS,CAAC"}

package/dist/sanitizers/jsonp.d.ts

@@ -0,0 +1,34 @@
+/**
+ * @module @arcis/node/sanitizers/jsonp
+ * JSONP callback sanitization to prevent XSS via callback parameters
+ */
+/**
+ * Validates and sanitizes a JSONP callback parameter.
+ *
+ * Returns the callback name if safe, or null if the callback is dangerous.
+ * Use this to validate `?callback=` query parameters before wrapping responses.
+ *
+ * @param callback - The callback parameter value
+ * @param maxLength - Maximum allowed length (default: 128)
+ * @returns The safe callback name, or null if invalid
+ *
+ * @example
+ * ```ts
+ * const cb = sanitizeJsonpCallback(req.query.callback);
+ * if (cb) {
+ *   res.set('Content-Type', 'application/javascript');
+ *   res.send(`${cb}(${JSON.stringify(data)})`);
+ * } else {
+ *   res.status(400).json({ error: 'Invalid callback' });
+ * }
+ * ```
+ */
+export declare function sanitizeJsonpCallback(callback: string, maxLength?: number): string | null;
+/**
+ * Checks if a JSONP callback parameter contains potentially dangerous content.
+ *
+ * @param callback - The callback parameter value
+ * @returns True if the callback is dangerous / invalid
+ */
+export declare function detectJsonpInjection(callback: string): boolean;
+//# sourceMappingURL=jsonp.d.ts.map

package/dist/sanitizers/jsonp.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"jsonp.d.ts","sourceRoot":"","sources":["../../src/sanitizers/jsonp.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAiBH;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,wBAAgB,qBAAqB,CAAC,QAAQ,EAAE,MAAM,EAAE,SAAS,SAAM,GAAG,MAAM,GAAG,IAAI,CAoBtF;AAED;;;;;GAKG;AACH,wBAAgB,oBAAoB,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAiB9D"}

package/dist/sanitizers/nosql.d.ts

@@ -0,0 +1,31 @@
+/**
+ * @module @arcis/node/sanitizers/nosql
+ * NoSQL injection prevention (MongoDB operators)
+ */
+/**
+ * Checks if a key is a dangerous MongoDB operator.
+ *
+ * @param key - The key to check
+ * @returns True if the key is a MongoDB operator
+ *
+ * @example
+ * isDangerousNoSqlKey('$gt') // true
+ * isDangerousNoSqlKey('name') // false
+ */
+export declare function isDangerousNoSqlKey(key: string): boolean;
+/**
+ * Recursively checks if an object contains dangerous MongoDB operators.
+ *
+ * @param obj - The object to check
+ * @param maxDepth - Maximum recursion depth (default: 10)
+ * @returns True if dangerous operators found
+ */
+export declare function detectNoSqlInjection(obj: unknown, maxDepth?: number): boolean;
+/**
+ * Get list of all MongoDB operators considered dangerous.
+ * Useful for documentation or custom validation.
+ *
+ * @returns Array of dangerous operator strings
+ */
+export declare function getDangerousOperators(): string[];
+//# sourceMappingURL=nosql.d.ts.map

package/dist/sanitizers/nosql.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"nosql.d.ts","sourceRoot":"","sources":["../../src/sanitizers/nosql.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAIH;;;;;;;;;GASG;AACH,wBAAgB,mBAAmB,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAExD;AAED;;;;;;GAMG;AACH,wBAAgB,oBAAoB,CAAC,GAAG,EAAE,OAAO,EAAE,QAAQ,SAAK,GAAG,OAAO,CAsBzE;AAED;;;;;GAKG;AACH,wBAAgB,qBAAqB,IAAI,MAAM,EAAE,CAEhD"}

package/dist/sanitizers/path.d.ts

@@ -0,0 +1,28 @@
+/**
+ * @module @arcis/node/sanitizers/path
+ * Path traversal prevention
+ */
+import type { SanitizeResult } from '../core/types';
+/**
+ * Sanitizes a string to prevent path traversal attacks.
+ * Removes ../ and ..\ patterns (including URL-encoded variants).
+ *
+ * @param input - The string to sanitize
+ * @param collectThreats - Whether to collect threat information (default: false for performance)
+ * @returns Sanitized string or SanitizeResult if collectThreats is true
+ *
+ * @example
+ * sanitizePath("../../etc/passwd")
+ * // Returns: "etc/passwd"
+ */
+export declare function sanitizePath(input: string, collectThreats?: false): string;
+export declare function sanitizePath(input: string, collectThreats: true): SanitizeResult;
+/**
+ * Checks if a string contains path traversal patterns.
+ * Does not sanitize — use sanitizePath() for that.
+ *
+ * @param input - The string to check
+ * @returns True if path traversal patterns detected
+ */
+export declare function detectPathTraversal(input: string): boolean;
+//# sourceMappingURL=path.d.ts.map

package/dist/sanitizers/path.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"path.d.ts","sourceRoot":"","sources":["../../src/sanitizers/path.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAGH,OAAO,KAAK,EAAE,cAAc,EAAc,MAAM,eAAe,CAAC;AAEhE;;;;;;;;;;;GAWG;AACH,wBAAgB,YAAY,CAAC,KAAK,EAAE,MAAM,EAAE,cAAc,CAAC,EAAE,KAAK,GAAG,MAAM,CAAC;AAC5E,wBAAgB,YAAY,CAAC,KAAK,EAAE,MAAM,EAAE,cAAc,EAAE,IAAI,GAAG,cAAc,CAAC;AA4ClF;;;;;;GAMG;AACH,wBAAgB,mBAAmB,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAW1D"}

package/dist/sanitizers/pii.d.ts

@@ -0,0 +1,80 @@
+/**
+ * @module @arcis/node/sanitizers/pii
+ * PII (Personally Identifiable Information) detection and redaction
+ *
+ * Detects: email addresses, phone numbers, credit card numbers, SSNs, IP addresses
+ */
+export type PiiType = 'email' | 'phone' | 'credit_card' | 'ssn' | 'ip_address';
+export interface PiiMatch {
+    type: PiiType;
+    value: string;
+    start: number;
+    end: number;
+}
+export interface PiiScanOptions {
+    /** PII types to scan for. Default: all types */
+    types?: PiiType[];
+}
+export interface PiiRedactOptions extends PiiScanOptions {
+    /** Replacement for redacted values. Default: '[REDACTED]' */
+    replacement?: string;
+    /** Use type-specific replacements like '[EMAIL]', '[SSN]'. Default: false */
+    typeLabels?: boolean;
+}
+/**
+ * Scan a string for PII and return all matches.
+ *
+ * @param input - String to scan
+ * @param options - Optional scan configuration
+ * @returns Array of PII matches with type, value, and position
+ *
+ * @example
+ * scanPii('Call me at 555-123-4567 or email john@example.com')
+ * // [
+ * //   { type: 'phone', value: '555-123-4567', start: 11, end: 23 },
+ * //   { type: 'email', value: 'john@example.com', start: 33, end: 49 }
+ * // ]
+ */
+export declare function scanPii(input: string, options?: PiiScanOptions): PiiMatch[];
+/**
+ * Check if a string contains any PII.
+ *
+ * @param input - String to check
+ * @param options - Optional scan configuration
+ * @returns true if PII is detected
+ */
+export declare function detectPii(input: string, options?: PiiScanOptions): boolean;
+/**
+ * Redact PII from a string, replacing matches with a placeholder.
+ *
+ * @param input - String to redact
+ * @param options - Redaction options
+ * @returns String with PII replaced
+ *
+ * @example
+ * redactPii('Email: john@example.com, SSN: 123-45-6789')
+ * // 'Email: [REDACTED], SSN: [REDACTED]'
+ *
+ * redactPii('Email: john@example.com', { typeLabels: true })
+ * // 'Email: [EMAIL]'
+ */
+export declare function redactPii(input: string, options?: PiiRedactOptions): string;
+/**
+ * Scan an object's string values for PII recursively.
+ *
+ * @param obj - Object to scan
+ * @param options - Optional scan configuration
+ * @returns Array of PII matches with the field path prepended
+ */
+export declare function scanObjectPii(obj: Record<string, unknown>, options?: PiiScanOptions, path?: string): (PiiMatch & {
+    field: string;
+})[];
+/**
+ * Redact PII from all string values in an object recursively.
+ *
+ * @param obj - Object to redact
+ * @param options - Redaction options
+ * @returns New object with PII redacted
+ */
+export declare function redactObjectPii<T extends Record<string, unknown>>(obj: T, options?: PiiRedactOptions): T;
+//# sourceMappingURL=pii.d.ts.map

package/dist/sanitizers/pii.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"pii.d.ts","sourceRoot":"","sources":["../../src/sanitizers/pii.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAIH,MAAM,MAAM,OAAO,GAAG,OAAO,GAAG,OAAO,GAAG,aAAa,GAAG,KAAK,GAAG,YAAY,CAAC;AAE/E,MAAM,WAAW,QAAQ;IACvB,IAAI,EAAE,OAAO,CAAC;IACd,KAAK,EAAE,MAAM,CAAC;IACd,KAAK,EAAE,MAAM,CAAC;IACd,GAAG,EAAE,MAAM,CAAC;CACb;AAED,MAAM,WAAW,cAAc;IAC7B,gDAAgD;IAChD,KAAK,CAAC,EAAE,OAAO,EAAE,CAAC;CACnB;AAED,MAAM,WAAW,gBAAiB,SAAQ,cAAc;IACtD,6DAA6D;IAC7D,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,6EAA6E;IAC7E,UAAU,CAAC,EAAE,OAAO,CAAC;CACtB;AAkED;;;;;;;;;;;;;GAaG;AACH,wBAAgB,OAAO,CAAC,KAAK,EAAE,MAAM,EAAE,OAAO,GAAE,cAAmB,GAAG,QAAQ,EAAE,CAuC/E;AAED;;;;;;GAMG;AACH,wBAAgB,SAAS,CAAC,KAAK,EAAE,MAAM,EAAE,OAAO,GAAE,cAAmB,GAAG,OAAO,CAE9E;AAED;;;;;;;;;;;;;GAaG;AACH,wBAAgB,SAAS,CAAC,KAAK,EAAE,MAAM,EAAE,OAAO,GAAE,gBAAqB,GAAG,MAAM,CAiB/E;AAED;;;;;;GAMG;AACH,wBAAgB,aAAa,CAC3B,GAAG,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAC5B,OAAO,GAAE,cAAmB,EAC5B,IAAI,SAAK,GACR,CAAC,QAAQ,GAAG;IAAE,KAAK,EAAE,MAAM,CAAA;CAAE,CAAC,EAAE,CA8BlC;AAED;;;;;;GAMG;AACH,wBAAgB,eAAe,CAAC,CAAC,SAAS,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAC/D,GAAG,EAAE,CAAC,EACN,OAAO,GAAE,gBAAqB,GAC7B,CAAC,CAsBH"}

package/dist/sanitizers/prototype.d.ts

@@ -0,0 +1,34 @@
+/**
+ * @module @arcis/node/sanitizers/prototype
+ * Prototype pollution prevention
+ */
+/**
+ * Checks if a key is dangerous for prototype pollution.
+ * Case-insensitive — catches __PROTO__, Constructor, etc.
+ *
+ * @param key - The key to check
+ * @returns True if the key could cause prototype pollution
+ *
+ * @example
+ * isDangerousProtoKey('__proto__')   // true
+ * isDangerousProtoKey('__PROTO__')   // true
+ * isDangerousProtoKey('Constructor') // true
+ * isDangerousProtoKey('name')        // false
+ */
+export declare function isDangerousProtoKey(key: string): boolean;
+/**
+ * Recursively checks if an object contains prototype pollution keys.
+ *
+ * @param obj - The object to check
+ * @param maxDepth - Maximum recursion depth (default: 10)
+ * @returns True if dangerous keys found
+ */
+export declare function detectPrototypePollution(obj: unknown, maxDepth?: number): boolean;
+/**
+ * Get list of all keys considered dangerous for prototype pollution.
+ * Useful for documentation or custom validation.
+ *
+ * @returns Array of dangerous key strings
+ */
+export declare function getDangerousProtoKeys(): string[];
+//# sourceMappingURL=prototype.d.ts.map

package/dist/sanitizers/prototype.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"prototype.d.ts","sourceRoot":"","sources":["../../src/sanitizers/prototype.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAIH;;;;;;;;;;;;GAYG;AACH,wBAAgB,mBAAmB,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAExD;AAED;;;;;;GAMG;AACH,wBAAgB,wBAAwB,CAAC,GAAG,EAAE,OAAO,EAAE,QAAQ,SAAK,GAAG,OAAO,CAsB7E;AAED;;;;;GAKG;AACH,wBAAgB,qBAAqB,IAAI,MAAM,EAAE,CAEhD"}