@arcis/node 1.3.0 → 1.4.0

package/dist/logging/index.d.ts

@@ -1,38 +1,6 @@
-import { L as LogOptions, S as SafeLogger } from '../types-BOkx5YJc.js';
-import 'express';
-
 /**
- * @module @arcis/node/logging/redactor
- * Safe logging with PII/secret redaction
+ * @module @arcis/node/logging
+ * Safe logging for Arcis
  */
-
-/**
- * Create a safe logger that redacts sensitive data and prevents log injection.
- *
- * @param options - Logger configuration
- * @returns SafeLogger instance
- *
- * @example
- * const logger = createSafeLogger();
- * logger.info('User login', { email: 'user@test.com', password: 'secret' });
- * // Logs: { "email": "user@test.com", "password": "[REDACTED]" }
- *
- * @example
- * // With custom redact keys
- * const logger = createSafeLogger({ redactKeys: ['customToken', 'internalId'] });
- */
-declare function createSafeLogger(options?: LogOptions): SafeLogger;
-/**
- * Create a redactor function for custom use.
- *
- * @param sensitiveKeys - Keys to redact
- * @returns Redactor function
- */
-declare function createRedactor(sensitiveKeys?: string[]): (obj: unknown) => unknown;
-/**
- * Alias for createSafeLogger
- * @see createSafeLogger
- */
-declare const safeLog: typeof createSafeLogger;
-
-export { createRedactor, createSafeLogger, safeLog };
+export { createSafeLogger, createRedactor, safeLog } from './redactor';
+//# sourceMappingURL=index.d.ts.map

package/dist/logging/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/logging/index.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,EAAE,gBAAgB,EAAE,cAAc,EAAE,OAAO,EAAE,MAAM,YAAY,CAAC"}

package/dist/logging/{index.d.mts → redactor.d.ts}

@@ -1,11 +1,8 @@
-import { L as LogOptions, S as SafeLogger } from '../types-BOkx5YJc.mjs';
-import 'express';
-
 /**
  * @module @arcis/node/logging/redactor
  * Safe logging with PII/secret redaction
  */
-
+import type { LogOptions, SafeLogger } from '../core/types';
 /**
  * Create a safe logger that redacts sensitive data and prevents log injection.
  *
@@ -21,18 +18,17 @@ import 'express';
  * // With custom redact keys
  * const logger = createSafeLogger({ redactKeys: ['customToken', 'internalId'] });
  */
-declare function createSafeLogger(options?: LogOptions): SafeLogger;
+export declare function createSafeLogger(options?: LogOptions): SafeLogger;
 /**
  * Create a redactor function for custom use.
  *
  * @param sensitiveKeys - Keys to redact
  * @returns Redactor function
  */
-declare function createRedactor(sensitiveKeys?: string[]): (obj: unknown) => unknown;
+export declare function createRedactor(sensitiveKeys?: string[]): (obj: unknown) => unknown;
 /**
  * Alias for createSafeLogger
  * @see createSafeLogger
  */
-declare const safeLog: typeof createSafeLogger;
-
-export { createRedactor, createSafeLogger, safeLog };
+export declare const safeLog: typeof createSafeLogger;
+//# sourceMappingURL=redactor.d.ts.map

package/dist/logging/redactor.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"redactor.d.ts","sourceRoot":"","sources":["../../src/logging/redactor.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAGH,OAAO,KAAK,EAAE,UAAU,EAAE,UAAU,EAAE,MAAM,eAAe,CAAC;AAU5D;;;;;;;;;;;;;;GAcG;AACH,wBAAgB,gBAAgB,CAAC,OAAO,GAAE,UAAe,GAAG,UAAU,CAwErE;AA2BD;;;;;GAKG;AACH,wBAAgB,cAAc,CAAC,aAAa,GAAE,MAAM,EAAO,GAAG,CAAC,GAAG,EAAE,OAAO,KAAK,OAAO,CA2BtF;AAED;;;GAGG;AACH,eAAO,MAAM,OAAO,yBAAmB,CAAC"}

package/dist/middleware/bot-detection.d.ts

@@ -0,0 +1,86 @@
+/**
+ * @module @arcis/node/middleware/bot-detection
+ * Local-only bot detection using User-Agent and behavioral signals.
+ *
+ * Categorizes requests into bot types and allows/denies based on config.
+ * No cloud calls — everything runs locally.
+ *
+ * @example
+ * // Block automated tools, allow search engines
+ * app.use(botProtection({
+ *   allow: ['SEARCH_ENGINE', 'SOCIAL', 'MONITORING'],
+ *   deny: ['AUTOMATED', 'SCRAPER'],
+ * }));
+ */
+import type { Request, Response, RequestHandler } from 'express';
+export type BotCategory = 'SEARCH_ENGINE' | 'SOCIAL' | 'MONITORING' | 'AI_CRAWLER' | 'SCRAPER' | 'AUTOMATED' | 'UNKNOWN' | 'HUMAN';
+export interface BotDetectionResult {
+    /** Whether the request appears to be from a bot */
+    isBot: boolean;
+    /** Bot category */
+    category: BotCategory;
+    /** Matched bot name (e.g. 'Googlebot', 'curl') or null */
+    name: string | null;
+    /** Confidence score: 0-1 */
+    confidence: number;
+    /** Behavioral signals detected */
+    signals: string[];
+}
+export interface BotProtectionOptions {
+    /** Categories to explicitly allow. Default: ['SEARCH_ENGINE', 'SOCIAL', 'MONITORING'] */
+    allow?: BotCategory[];
+    /** Categories to explicitly deny. Default: ['AUTOMATED'] */
+    deny?: BotCategory[];
+    /** Action for categories not in allow or deny. Default: 'allow' */
+    defaultAction?: 'allow' | 'deny';
+    /** HTTP status code for denied bots. Default: 403 */
+    statusCode?: number;
+    /** Error message for denied bots */
+    message?: string;
+    /** Enable behavioral signal detection. Default: true */
+    detectBehavior?: boolean;
+    /** Custom handler called on detection (instead of default deny response) */
+    onDetected?: (req: Request, res: Response, result: BotDetectionResult) => void;
+}
+/**
+ * Detect what kind of bot (if any) is making the request.
+ *
+ * @param req - HTTP request object
+ * @returns Detection result with category, name, confidence, and signals
+ *
+ * @example
+ * const result = detectBot(req);
+ * if (result.isBot && result.category === 'AUTOMATED') {
+ *   // Block automated tools
+ * }
+ */
+export declare function detectBot(req: Request): BotDetectionResult;
+/**
+ * Create Express middleware for bot protection.
+ *
+ * @example
+ * // Block automated tools and scrapers
+ * app.use(botProtection({
+ *   allow: ['SEARCH_ENGINE', 'SOCIAL', 'MONITORING'],
+ *   deny: ['AUTOMATED', 'SCRAPER'],
+ * }));
+ *
+ * @example
+ * // Block everything except search engines
+ * app.use(botProtection({
+ *   allow: ['SEARCH_ENGINE'],
+ *   defaultAction: 'deny',
+ * }));
+ *
+ * @example
+ * // Custom handler
+ * app.use(botProtection({
+ *   deny: ['AUTOMATED'],
+ *   onDetected: (req, res, result) => {
+ *     console.log(`Bot blocked: ${result.name} (${result.category})`);
+ *     res.status(403).json({ error: 'Bots not allowed' });
+ *   },
+ * }));
+ */
+export declare function botProtection(options?: BotProtectionOptions): RequestHandler;
+//# sourceMappingURL=bot-detection.d.ts.map

package/dist/middleware/bot-detection.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"bot-detection.d.ts","sourceRoot":"","sources":["../../src/middleware/bot-detection.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAEH,OAAO,KAAK,EAAE,OAAO,EAAE,QAAQ,EAAgB,cAAc,EAAE,MAAM,SAAS,CAAC;AAM/E,MAAM,MAAM,WAAW,GACnB,eAAe,GACf,QAAQ,GACR,YAAY,GACZ,YAAY,GACZ,SAAS,GACT,WAAW,GACX,SAAS,GACT,OAAO,CAAC;AAEZ,MAAM,WAAW,kBAAkB;IACjC,mDAAmD;IACnD,KAAK,EAAE,OAAO,CAAC;IACf,mBAAmB;IACnB,QAAQ,EAAE,WAAW,CAAC;IACtB,0DAA0D;IAC1D,IAAI,EAAE,MAAM,GAAG,IAAI,CAAC;IACpB,4BAA4B;IAC5B,UAAU,EAAE,MAAM,CAAC;IACnB,kCAAkC;IAClC,OAAO,EAAE,MAAM,EAAE,CAAC;CACnB;AAED,MAAM,WAAW,oBAAoB;IACnC,yFAAyF;IACzF,KAAK,CAAC,EAAE,WAAW,EAAE,CAAC;IACtB,4DAA4D;IAC5D,IAAI,CAAC,EAAE,WAAW,EAAE,CAAC;IACrB,mEAAmE;IACnE,aAAa,CAAC,EAAE,OAAO,GAAG,MAAM,CAAC;IACjC,qDAAqD;IACrD,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,oCAAoC;IACpC,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,wDAAwD;IACxD,cAAc,CAAC,EAAE,OAAO,CAAC;IACzB,4EAA4E;IAC5E,UAAU,CAAC,EAAE,CAAC,GAAG,EAAE,OAAO,EAAE,GAAG,EAAE,QAAQ,EAAE,MAAM,EAAE,kBAAkB,KAAK,IAAI,CAAC;CAChF;AA4JD;;;;;;;;;;;GAWG;AACH,wBAAgB,SAAS,CAAC,GAAG,EAAE,OAAO,GAAG,kBAAkB,CAmD1D;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;GA0BG;AACH,wBAAgB,aAAa,CAAC,OAAO,GAAE,oBAAyB,GAAG,cAAc,CAgDhF"}

package/dist/middleware/cookies.d.ts

@@ -0,0 +1,48 @@
+/**
+ * @module @arcis/node/middleware/cookies
+ * Secure cookie defaults middleware
+ */
+import type { RequestHandler } from 'express';
+/** Cookie security configuration */
+export interface SecureCookieOptions {
+    /** Force HttpOnly on all cookies. Default: true */
+    httpOnly?: boolean;
+    /** Force Secure flag (HTTPS only). Default: true in production, false in dev */
+    secure?: boolean;
+    /** SameSite attribute. Default: 'Lax' */
+    sameSite?: 'Strict' | 'Lax' | 'None' | false;
+    /** Override Path attribute. Default: undefined (keep original) */
+    path?: string;
+}
+/**
+ * Enforce secure defaults on a Set-Cookie header value.
+ */
+export declare function enforceSecureCookie(cookieStr: string, options: Required<Omit<SecureCookieOptions, 'path'>> & {
+    path?: string;
+}): string;
+/**
+ * Create middleware that enforces secure cookie defaults.
+ *
+ * Intercepts Set-Cookie headers and adds missing security attributes:
+ * - HttpOnly: prevents JavaScript access (XSS cookie theft)
+ * - Secure: cookies only sent over HTTPS
+ * - SameSite: CSRF protection
+ *
+ * @param options - Cookie security configuration
+ * @returns Express middleware
+ *
+ * @example
+ * // Enforce defaults on all cookies
+ * app.use(secureCookieDefaults());
+ *
+ * @example
+ * // Strict SameSite for sensitive apps
+ * app.use(secureCookieDefaults({ sameSite: 'Strict' }));
+ */
+export declare function secureCookieDefaults(options?: SecureCookieOptions): RequestHandler;
+/**
+ * Alias for secureCookieDefaults
+ * @see secureCookieDefaults
+ */
+export declare const createSecureCookies: typeof secureCookieDefaults;
+//# sourceMappingURL=cookies.d.ts.map

package/dist/middleware/cookies.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"cookies.d.ts","sourceRoot":"","sources":["../../src/middleware/cookies.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,KAAK,EAAmC,cAAc,EAAE,MAAM,SAAS,CAAC;AAE/E,oCAAoC;AACpC,MAAM,WAAW,mBAAmB;IAClC,mDAAmD;IACnD,QAAQ,CAAC,EAAE,OAAO,CAAC;IACnB,gFAAgF;IAChF,MAAM,CAAC,EAAE,OAAO,CAAC;IACjB,yCAAyC;IACzC,QAAQ,CAAC,EAAE,QAAQ,GAAG,KAAK,GAAG,MAAM,GAAG,KAAK,CAAC;IAC7C,kEAAkE;IAClE,IAAI,CAAC,EAAE,MAAM,CAAC;CACf;AAUD;;GAEG;AACH,wBAAgB,mBAAmB,CACjC,SAAS,EAAE,MAAM,EACjB,OAAO,EAAE,QAAQ,CAAC,IAAI,CAAC,mBAAmB,EAAE,MAAM,CAAC,CAAC,GAAG;IAAE,IAAI,CAAC,EAAE,MAAM,CAAA;CAAE,GACvE,MAAM,CA4CR;AAED;;;;;;;;;;;;;;;;;;GAkBG;AACH,wBAAgB,oBAAoB,CAAC,OAAO,GAAE,mBAAwB,GAAG,cAAc,CA0BtF;AAED;;;GAGG;AACH,eAAO,MAAM,mBAAmB,6BAAuB,CAAC"}

package/dist/middleware/cors.d.ts

@@ -0,0 +1,65 @@
+/**
+ * @module @arcis/node/middleware/cors
+ * Safe CORS middleware with secure defaults
+ */
+import type { RequestHandler } from 'express';
+/** CORS configuration options */
+export interface CorsOptions {
+    /**
+     * Allowed origins. Can be:
+     * - A string: exact match (e.g., 'https://example.com')
+     * - An array: whitelist of allowed origins
+     * - A RegExp: pattern match (use with care)
+     * - A function: custom validation `(origin) => boolean`
+     * - `true`: reflect the request origin (DANGEROUS — only for dev)
+     *
+     * Default: none (no origin allowed). You must explicitly set this.
+     */
+    origin: string | string[] | RegExp | ((origin: string) => boolean) | true;
+    /** Allowed HTTP methods. Default: ['GET', 'HEAD', 'PUT', 'PATCH', 'POST', 'DELETE'] */
+    methods?: string[];
+    /** Allowed headers. Default: ['Content-Type', 'Authorization'] */
+    allowedHeaders?: string[];
+    /** Headers exposed to the browser. Default: [] */
+    exposedHeaders?: string[];
+    /** Allow credentials (cookies, authorization headers). Default: false */
+    credentials?: boolean;
+    /** Preflight cache duration in seconds. Default: 600 (10 minutes) */
+    maxAge?: number;
+    /** Respond to preflight with 204 (no content). Default: true */
+    preflightContinue?: boolean;
+}
+/**
+ * Create safe CORS middleware.
+ *
+ * Unlike permissive CORS libraries, this enforces secure defaults:
+ * - No wildcard `*` when credentials are enabled
+ * - `null` origin is always blocked
+ * - `Vary: Origin` is always set for proper caching
+ * - You must explicitly configure allowed origins
+ *
+ * @param options - CORS configuration
+ * @returns Express middleware
+ *
+ * @example
+ * // Allow a single origin
+ * app.use(safeCors({ origin: 'https://myapp.com' }));
+ *
+ * @example
+ * // Allow multiple origins with credentials
+ * app.use(safeCors({
+ *   origin: ['https://myapp.com', 'https://admin.myapp.com'],
+ *   credentials: true,
+ * }));
+ *
+ * @example
+ * // Development: allow all (NOT for production)
+ * app.use(safeCors({ origin: true }));
+ */
+export declare function safeCors(options: CorsOptions): RequestHandler;
+/**
+ * Alias for safeCors
+ * @see safeCors
+ */
+export declare const createCors: typeof safeCors;
+//# sourceMappingURL=cors.d.ts.map

package/dist/middleware/cors.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"cors.d.ts","sourceRoot":"","sources":["../../src/middleware/cors.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,KAAK,EAAmC,cAAc,EAAE,MAAM,SAAS,CAAC;AAE/E,iCAAiC;AACjC,MAAM,WAAW,WAAW;IAC1B;;;;;;;;;OASG;IACH,MAAM,EAAE,MAAM,GAAG,MAAM,EAAE,GAAG,MAAM,GAAG,CAAC,CAAC,MAAM,EAAE,MAAM,KAAK,OAAO,CAAC,GAAG,IAAI,CAAC;IAE1E,uFAAuF;IACvF,OAAO,CAAC,EAAE,MAAM,EAAE,CAAC;IAEnB,kEAAkE;IAClE,cAAc,CAAC,EAAE,MAAM,EAAE,CAAC;IAE1B,kDAAkD;IAClD,cAAc,CAAC,EAAE,MAAM,EAAE,CAAC;IAE1B,yEAAyE;IACzE,WAAW,CAAC,EAAE,OAAO,CAAC;IAEtB,qEAAqE;IACrE,MAAM,CAAC,EAAE,MAAM,CAAC;IAEhB,gEAAgE;IAChE,iBAAiB,CAAC,EAAE,OAAO,CAAC;CAC7B;AAqCD;;;;;;;;;;;;;;;;;;;;;;;;;;GA0BG;AACH,wBAAgB,QAAQ,CAAC,OAAO,EAAE,WAAW,GAAG,cAAc,CAsD7D;AAED;;;GAGG;AACH,eAAO,MAAM,UAAU,iBAAW,CAAC"}

package/dist/middleware/csrf.d.ts

@@ -0,0 +1,109 @@
+/**
+ * @module @arcis/node/middleware/csrf
+ * CSRF (Cross-Site Request Forgery) protection middleware
+ *
+ * Implements the double-submit cookie pattern:
+ * 1. Server sets a CSRF token in a cookie
+ * 2. Client must send the same token in a header or form field
+ * 3. Middleware rejects requests where cookie token !== header/field token
+ *
+ * This works because an attacker's cross-origin form submission will include
+ * the cookie automatically, but cannot read it (same-origin policy) to set
+ * the matching header.
+ */
+import type { Request, Response, NextFunction, RequestHandler } from 'express';
+/** CSRF protection configuration */
+export interface CsrfOptions {
+    /** Cookie name for the CSRF token. Default: '_csrf' */
+    cookieName?: string;
+    /** Header name to check for the token. Default: 'x-csrf-token' */
+    headerName?: string;
+    /** Form field name to check for the token. Default: '_csrf' */
+    fieldName?: string;
+    /** Token byte length (hex-encoded = 2x chars). Default: 32 */
+    tokenLength?: number;
+    /** HTTP methods to protect. Default: ['POST', 'PUT', 'PATCH', 'DELETE'] */
+    protectedMethods?: string[];
+    /** Paths to exclude from CSRF checks (e.g., webhook endpoints) */
+    excludePaths?: string[];
+    /**
+     * Per-request skip function. If it returns true, CSRF check is skipped
+     * for that request. Useful for API key auth or signed webhooks.
+     *
+     * @example
+     * skipCsrf: (req) => Boolean(req.headers['x-api-key'])
+     */
+    skipCsrf?: (req: Request) => boolean;
+    /**
+     * Use the __Host- cookie prefix for stronger cookie security.
+     * When enabled, the browser enforces: Secure=true, no Domain, Path=/.
+     * This prevents CSRF cookie theft across subdomains.
+     * Default: false
+     */
+    useHostPrefix?: boolean;
+    /** Cookie options */
+    cookie?: {
+        /** Cookie path. Default: '/' */
+        path?: string;
+        /** HttpOnly — set false so client JS can read it for headers. Default: false */
+        httpOnly?: boolean;
+        /** Secure flag (HTTPS only). Default: true in production */
+        secure?: boolean;
+        /** SameSite attribute. Default: 'Lax' */
+        sameSite?: 'Strict' | 'Lax' | 'None';
+        /** Cookie domain */
+        domain?: string;
+    };
+    /** Custom error handler when CSRF validation fails */
+    onError?: (req: Request, res: Response, next: NextFunction) => void;
+}
+/**
+ * Generate a cryptographically random CSRF token.
+ *
+ * @param length - Byte length (output is hex, so 2x chars). Default: 32
+ * @returns Hex-encoded random token
+ *
+ * @example
+ * const token = generateCsrfToken(); // 64 hex chars
+ */
+export declare function generateCsrfToken(length?: number): string;
+/**
+ * Validate that two CSRF tokens match using constant-time comparison.
+ *
+ * @param cookieToken - Token from the cookie
+ * @param requestToken - Token from the header or form field
+ * @returns true if tokens match
+ */
+export declare function validateCsrfToken(cookieToken: string, requestToken: string): boolean;
+/**
+ * Create CSRF protection middleware using double-submit cookie pattern.
+ *
+ * For safe methods (GET, HEAD, OPTIONS), sets a CSRF token cookie if not present.
+ * For unsafe methods (POST, PUT, PATCH, DELETE), validates the token.
+ *
+ * @param options - CSRF configuration
+ * @returns Express middleware
+ *
+ * @example
+ * // Basic usage
+ * app.use(csrfProtection());
+ *
+ * @example
+ * // Exclude webhook paths
+ * app.use(csrfProtection({
+ *   excludePaths: ['/api/webhooks/stripe', '/api/webhooks/github']
+ * }));
+ *
+ * @example
+ * // Client-side: read cookie + set header
+ * const token = document.cookie.match(/_csrf=([^;]+)/)?.[1];
+ * fetch('/api/data', {
+ *   method: 'POST',
+ *   headers: { 'X-CSRF-Token': token },
+ *   credentials: 'same-origin'
+ * });
+ */
+export declare function csrfProtection(options?: CsrfOptions): RequestHandler;
+/** Alias for csrfProtection */
+export declare const createCsrf: typeof csrfProtection;
+//# sourceMappingURL=csrf.d.ts.map

package/dist/middleware/csrf.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"csrf.d.ts","sourceRoot":"","sources":["../../src/middleware/csrf.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAGH,OAAO,KAAK,EAAE,OAAO,EAAE,QAAQ,EAAE,YAAY,EAAE,cAAc,EAAE,MAAM,SAAS,CAAC;AAE/E,oCAAoC;AACpC,MAAM,WAAW,WAAW;IAC1B,uDAAuD;IACvD,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,kEAAkE;IAClE,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,+DAA+D;IAC/D,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,8DAA8D;IAC9D,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,2EAA2E;IAC3E,gBAAgB,CAAC,EAAE,MAAM,EAAE,CAAC;IAC5B,kEAAkE;IAClE,YAAY,CAAC,EAAE,MAAM,EAAE,CAAC;IACxB;;;;;;OAMG;IACH,QAAQ,CAAC,EAAE,CAAC,GAAG,EAAE,OAAO,KAAK,OAAO,CAAC;IACrC;;;;;OAKG;IACH,aAAa,CAAC,EAAE,OAAO,CAAC;IACxB,qBAAqB;IACrB,MAAM,CAAC,EAAE;QACP,gCAAgC;QAChC,IAAI,CAAC,EAAE,MAAM,CAAC;QACd,gFAAgF;QAChF,QAAQ,CAAC,EAAE,OAAO,CAAC;QACnB,4DAA4D;QAC5D,MAAM,CAAC,EAAE,OAAO,CAAC;QACjB,yCAAyC;QACzC,QAAQ,CAAC,EAAE,QAAQ,GAAG,KAAK,GAAG,MAAM,CAAC;QACrC,oBAAoB;QACpB,MAAM,CAAC,EAAE,MAAM,CAAC;KACjB,CAAC;IACF,sDAAsD;IACtD,OAAO,CAAC,EAAE,CAAC,GAAG,EAAE,OAAO,EAAE,GAAG,EAAE,QAAQ,EAAE,IAAI,EAAE,YAAY,KAAK,IAAI,CAAC;CACrE;AAUD;;;;;;;;GAQG;AACH,wBAAgB,iBAAiB,CAAC,MAAM,GAAE,MAAW,GAAG,MAAM,CAE7D;AAED;;;;;;GAMG;AACH,wBAAgB,iBAAiB,CAAC,WAAW,EAAE,MAAM,EAAE,YAAY,EAAE,MAAM,GAAG,OAAO,CAUpF;AAyBD;;;;;;;;;;;;;;;;;;;;;;;;;;;GA2BG;AACH,wBAAgB,cAAc,CAAC,OAAO,GAAE,WAAgB,GAAG,cAAc,CAmFxE;AA6CD,+BAA+B;AAC/B,eAAO,MAAM,UAAU,uBAAiB,CAAC"}

package/dist/middleware/error-handler.d.ts

@@ -0,0 +1,43 @@
+/**
+ * @module @arcis/node/middleware/error-handler
+ * Production-safe error handler middleware
+ */
+import type { Request, Response, NextFunction } from 'express';
+import type { ErrorHandlerOptions } from '../core/types';
+/**
+ * Check if an error message contains sensitive infrastructure details.
+ */
+export declare function containsSensitiveInfo(message: string): boolean;
+/**
+ * Create Express error handler that hides sensitive details in production.
+ *
+ * Prevents information leakage by:
+ * - Hiding stack traces in production
+ * - Hiding error messages unless explicitly exposed
+ * - Scrubbing database errors, connection strings, and internal IPs
+ *
+ * @param options - Error handler configuration (or boolean for isDev)
+ * @returns Express error handling middleware
+ *
+ * @example
+ * // Production mode (default) - hides error details
+ * app.use(errorHandler());
+ *
+ * @example
+ * // Development mode - shows error details and stack traces
+ * app.use(errorHandler({ isDev: true }));
+ *
+ * @example
+ * // With custom logger
+ * app.use(errorHandler({
+ *   isDev: false,
+ *   logger: arcis.logger()
+ * }));
+ */
+export declare function errorHandler(options?: ErrorHandlerOptions | boolean): (err: Error, req: Request, res: Response, next: NextFunction) => void;
+/**
+ * Alias for errorHandler
+ * @see errorHandler
+ */
+export declare const createErrorHandler: typeof errorHandler;
+//# sourceMappingURL=error-handler.d.ts.map

package/dist/middleware/error-handler.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"error-handler.d.ts","sourceRoot":"","sources":["../../src/middleware/error-handler.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,KAAK,EAAE,OAAO,EAAE,QAAQ,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AAE/D,OAAO,KAAK,EAAE,mBAAmB,EAAa,MAAM,eAAe,CAAC;AAyBpE;;GAEG;AACH,wBAAgB,qBAAqB,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAE9D;AAED;;;;;;;;;;;;;;;;;;;;;;;;;GAyBG;AACH,wBAAgB,YAAY,CAC1B,OAAO,GAAE,mBAAmB,GAAG,OAAe,GAC7C,CAAC,GAAG,EAAE,KAAK,EAAE,GAAG,EAAE,OAAO,EAAE,GAAG,EAAE,QAAQ,EAAE,IAAI,EAAE,YAAY,KAAK,IAAI,CA2DvE;AAED;;;GAGG;AACH,eAAO,MAAM,kBAAkB,qBAAe,CAAC"}

package/dist/middleware/headers.d.ts

@@ -0,0 +1,29 @@
+/**
+ * @module @arcis/node/middleware/headers
+ * Security headers middleware
+ */
+import type { RequestHandler } from 'express';
+import type { HeaderOptions } from '../core/types';
+/**
+ * Create Express middleware for security headers.
+ * Sets CSP, HSTS, X-Frame-Options, and other security headers.
+ *
+ * @param options - Header configuration
+ * @returns Express middleware
+ *
+ * @example
+ * app.use(createHeaders());
+ *
+ * @example
+ * app.use(createHeaders({
+ *   frameOptions: 'SAMEORIGIN',
+ *   contentSecurityPolicy: "default-src 'self'"
+ * }));
+ */
+export declare function createHeaders(options?: HeaderOptions): RequestHandler;
+/**
+ * Alias for createHeaders
+ * @see createHeaders
+ */
+export declare const securityHeaders: typeof createHeaders;
+//# sourceMappingURL=headers.d.ts.map

package/dist/middleware/headers.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"headers.d.ts","sourceRoot":"","sources":["../../src/middleware/headers.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,KAAK,EAAmC,cAAc,EAAE,MAAM,SAAS,CAAC;AAE/E,OAAO,KAAK,EAAE,aAAa,EAAe,MAAM,eAAe,CAAC;AAEhE;;;;;;;;;;;;;;;GAeG;AACH,wBAAgB,aAAa,CAAC,OAAO,GAAE,aAAkB,GAAG,cAAc,CAwHzE;AAED;;;GAGG;AACH,eAAO,MAAM,eAAe,sBAAgB,CAAC"}

package/dist/middleware/hpp.d.ts

@@ -0,0 +1,56 @@
+/**
+ * @module @arcis/node/middleware/hpp
+ * HTTP Parameter Pollution (HPP) protection middleware
+ *
+ * Normalizes duplicate query and body parameters to their last value,
+ * preventing attackers from bypassing validation by repeating parameters.
+ *
+ * Attack example:
+ *   GET /search?role=user&role=admin
+ *   Without HPP: req.query.role = ['user', 'admin']
+ *   With HPP:    req.query.role = 'admin'  (last value wins)
+ *
+ * Originals are preserved in req.queryPolluted / req.bodyPolluted
+ * for logging or auditing without blocking the request.
+ */
+import type { RequestHandler } from 'express';
+/** HPP protection configuration */
+export interface HppOptions {
+    /**
+     * Parameters that legitimately accept arrays and should not be normalized.
+     * Example: ['tags', 'ids', 'filter']
+     */
+    whitelist?: string[];
+    /** Normalize duplicate query string parameters. Default: true */
+    checkQuery?: boolean;
+    /** Normalize duplicate body parameters. Default: true */
+    checkBody?: boolean;
+}
+/**
+ * HTTP Parameter Pollution protection middleware.
+ *
+ * Normalizes duplicate query/body parameters to a single value (last wins).
+ * Whitelisted parameters are allowed to remain as arrays.
+ *
+ * @param options - HPP configuration
+ * @returns Express middleware
+ *
+ * @example
+ * // Basic — normalize all duplicates
+ * app.use(hpp());
+ *
+ * @example
+ * // Allow arrays for specific params (e.g., tag filters, IDs)
+ * app.use(hpp({ whitelist: ['tags', 'ids'] }));
+ *
+ * @example
+ * // Inspect what was removed (for logging)
+ * app.use((req, res, next) => {
+ *   const polluted = (req as any).queryPolluted;
+ *   if (Object.keys(polluted).length) logger.warn('HPP detected', polluted);
+ *   next();
+ * });
+ */
+export declare function hpp(options?: HppOptions): RequestHandler;
+export declare const createHpp: typeof hpp;
+//# sourceMappingURL=hpp.d.ts.map

package/dist/middleware/hpp.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"hpp.d.ts","sourceRoot":"","sources":["../../src/middleware/hpp.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AAEH,OAAO,KAAK,EAAmC,cAAc,EAAE,MAAM,SAAS,CAAC;AAE/E,mCAAmC;AACnC,MAAM,WAAW,UAAU;IACzB;;;OAGG;IACH,SAAS,CAAC,EAAE,MAAM,EAAE,CAAC;IACrB,iEAAiE;IACjE,UAAU,CAAC,EAAE,OAAO,CAAC;IACrB,yDAAyD;IACzD,SAAS,CAAC,EAAE,OAAO,CAAC;CACrB;AAED;;;;;;;;;;;;;;;;;;;;;;;;GAwBG;AACH,wBAAgB,GAAG,CAAC,OAAO,GAAE,UAAe,GAAG,cAAc,CAwD5D;AAED,eAAO,MAAM,SAAS,YAAM,CAAC"}

package/dist/middleware/index.d.ts

@@ -1,3 +1,16 @@
-export { g as arcis, h as arcisFunction, i as botProtection, j as createCors, k as createCsrf, l as createErrorHandler, m as createHeaders, n as createRateLimiter, o as createSecureCookies, p as createSlidingWindowLimiter, q as createTokenBucketLimiter, r as csrfProtection, h as default, s as detectBot, t as enforceSecureCookie, u as errorHandler, v as generateCsrfToken, w as rateLimit, x as safeCors, y as secureCookieDefaults, z as securityHeaders, A as validateCsrfToken } from '../index-BAhgn9V2.js';
-import '../types-BOkx5YJc.js';
-import 'express';
+/**
+ * @module @arcis/node/middleware
+ * All middleware for Arcis
+ */
+export { arcis, arcisFunction } from './main';
+export { default } from './main';
+export { createRateLimiter, rateLimit } from './rate-limit';
+export { createSlidingWindowLimiter } from './rate-limit-sliding';
+export { createTokenBucketLimiter } from './rate-limit-token';
+export { createHeaders, securityHeaders } from './headers';
+export { errorHandler, createErrorHandler } from './error-handler';
+export { safeCors, createCors } from './cors';
+export { secureCookieDefaults, createSecureCookies, enforceSecureCookie } from './cookies';
+export { botProtection, detectBot } from './bot-detection';
+export { csrfProtection, createCsrf, generateCsrfToken, validateCsrfToken } from './csrf';
+//# sourceMappingURL=index.d.ts.map

package/dist/middleware/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/middleware/index.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAGH,OAAO,EAAE,KAAK,EAAE,aAAa,EAAE,MAAM,QAAQ,CAAC;AAC9C,OAAO,EAAE,OAAO,EAAE,MAAM,QAAQ,CAAC;AAGjC,OAAO,EAAE,iBAAiB,EAAE,SAAS,EAAE,MAAM,cAAc,CAAC;AAC5D,OAAO,EAAE,0BAA0B,EAAE,MAAM,sBAAsB,CAAC;AAClE,OAAO,EAAE,wBAAwB,EAAE,MAAM,oBAAoB,CAAC;AAC9D,OAAO,EAAE,aAAa,EAAE,eAAe,EAAE,MAAM,WAAW,CAAC;AAC3D,OAAO,EAAE,YAAY,EAAE,kBAAkB,EAAE,MAAM,iBAAiB,CAAC;AACnE,OAAO,EAAE,QAAQ,EAAE,UAAU,EAAE,MAAM,QAAQ,CAAC;AAC9C,OAAO,EAAE,oBAAoB,EAAE,mBAAmB,EAAE,mBAAmB,EAAE,MAAM,WAAW,CAAC;AAC3F,OAAO,EAAE,aAAa,EAAE,SAAS,EAAE,MAAM,iBAAiB,CAAC;AAC3D,OAAO,EAAE,cAAc,EAAE,UAAU,EAAE,iBAAiB,EAAE,iBAAiB,EAAE,MAAM,QAAQ,CAAC"}

package/dist/middleware/index.js

@@ -1606,12 +1606,14 @@ function getRequestToken(req, headerName, fieldName) {
   return void 0;
 }
 function csrfProtection(options = {}) {
-  const cookieName = options.cookieName ?? DEFAULTS.cookieName;
+  const baseCookieName = options.cookieName ?? DEFAULTS.cookieName;
+  const cookieName = options.useHostPrefix ? `__Host-${baseCookieName}` : baseCookieName;
   const headerName = options.headerName ?? DEFAULTS.headerName;
   const fieldName = options.fieldName ?? DEFAULTS.fieldName;
   const tokenLength = options.tokenLength ?? DEFAULTS.tokenLength;
   const protectedMethods = options.protectedMethods ?? [...DEFAULTS.protectedMethods];
   const excludePaths = options.excludePaths ?? [];
+  const skipCsrf = options.skipCsrf;
   const isProduction = process.env.NODE_ENV === "production";
   const cookieOpts = {
     path: options.cookie?.path ?? "/",
@@ -1631,6 +1633,9 @@ function csrfProtection(options = {}) {
   const protectedSet = new Set(protectedMethods.map((m) => m.toUpperCase()));
   return (req, res, next) => {
     const method = req.method.toUpperCase();
+    if (skipCsrf && skipCsrf(req)) {
+      return next();
+    }
     const requestPath = req.path || req.url;
     if (excludePaths.some((p) => requestPath === p || requestPath.startsWith(p + "/"))) {
       return next();