@arcis/node 1.3.0 → 1.4.2

package/README.md

@@ -8,7 +8,7 @@
 
 Part of the [Arcis](https://github.com/Gagancm/arcis) ecosystem with implementations for Node.js, Python, and Go.
 
-**17 attack vectors handled. 970+ tests. Zero dependencies.**
+**45+ security flaws covered. 1,264+ tests. Zero dependencies.**
 
 ## Installation
 

package/dist/core/{index.d.mts → constants.d.ts}

@@ -1,69 +1,14 @@
-export { A as ArcisFunction, a as ArcisMiddleware, b as ArcisOptions, E as ErrorHandlerOptions, F as FieldValidator, H as HeaderOptions, c as HstsOptions, d as HttpError, L as LogOptions, R as RateLimitEntry, e as RateLimitOptions, f as RateLimitResult, g as RateLimitStore, h as RateLimiterMiddleware, S as SafeLogger, i as SanitizeOptions, j as SanitizeResult, T as ThreatInfo, k as ThreatType, V as ValidationConfig, l as ValidationError, m as ValidationResult, n as ValidationSchema } from '../types-BOkx5YJc.mjs';
-import 'express';
-
-/**
- * @module @arcis/node/core/errors
- * Custom error classes for Arcis
- */
-/**
- * Base class for all Arcis errors
- */
-declare class ArcisError extends Error {
-    readonly statusCode: number;
-    readonly code: string;
-    /** Whether the error message is safe to expose to API clients. */
-    readonly expose: boolean;
-    constructor(message: string, statusCode?: number, code?: string);
-}
-/**
- * Error thrown when input validation fails
- */
-declare class ValidationError extends ArcisError {
-    readonly errors: string[];
-    constructor(errors: string[]);
-}
-
-/**
- * Error thrown when rate limit is exceeded
- */
-declare class RateLimitError extends ArcisError {
-    readonly retryAfter: number;
-    constructor(message: string, retryAfter: number);
-}
-/**
- * Error thrown when input is too large
- */
-declare class InputTooLargeError extends ArcisError {
-    readonly maxSize: number;
-    readonly actualSize: number;
-    constructor(maxSize: number, actualSize: number);
-}
-/**
- * Error thrown when security threat is detected
- */
-declare class SecurityThreatError extends ArcisError {
-    readonly threatType: string;
-    readonly pattern: string;
-    constructor(threatType: string, pattern: string);
-}
-/**
- * Error thrown when sanitization fails
- */
-declare class SanitizationError extends ArcisError {
-    constructor(message: string);
-}
-
 /**
  * @module @arcis/node/core/constants
  * Named constants for Arcis - no magic numbers
  */
-declare const INPUT: {
+export declare const INPUT: {
     /** Default maximum input size (1MB) */
     readonly DEFAULT_MAX_SIZE: 1000000;
     /** Maximum recursion depth for nested objects */
     readonly MAX_RECURSION_DEPTH: 10;
 };
-declare const RATE_LIMIT: {
+export declare const RATE_LIMIT: {
     /** Default window size (1 minute) */
     readonly DEFAULT_WINDOW_MS: 60000;
     /** Default max requests per window */
@@ -77,7 +22,7 @@ declare const RATE_LIMIT: {
     /** Maximum window size (24 hours) */
     readonly MAX_WINDOW_MS: 86400000;
 };
-declare const HEADERS: {
+export declare const HEADERS: {
     /** Default Content Security Policy */
     readonly DEFAULT_CSP: string;
     /** Default HSTS max age (1 year in seconds) */
@@ -97,10 +42,17 @@ declare const HEADERS: {
  * Detection patterns — used to flag whether a string contains XSS payloads.
  * Must stay in sync with XSS_REMOVE_PATTERNS below.
  */
-declare const XSS_PATTERNS: readonly [RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp];
-declare const SQL_PATTERNS: readonly [RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp];
-declare const PATH_PATTERNS: readonly [RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp];
-declare const COMMAND_PATTERNS: readonly [RegExp, RegExp, RegExp];
+export declare const XSS_PATTERNS: readonly [RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp];
+/**
+ * Removal patterns — used by sanitizeXss() to strip dangerous content.
+ * More targeted than XSS_PATTERNS: each pattern captures the full dangerous
+ * substring (tag, attribute + value, protocol) so it can be replaced safely.
+ * Must stay in sync with XSS_PATTERNS above.
+ */
+export declare const XSS_REMOVE_PATTERNS: readonly [RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp];
+export declare const SQL_PATTERNS: readonly [RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp];
+export declare const PATH_PATTERNS: readonly [RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp];
+export declare const COMMAND_PATTERNS: readonly [RegExp, RegExp, RegExp];
 /**
  * Prototype pollution keys to block.
  * Stored lowercase — always compare with key.toLowerCase().
@@ -112,10 +64,10 @@ declare const COMMAND_PATTERNS: readonly [RegExp, RegExp, RegExp];
  * - __defineGetter__/__defineSetter__: legacy property definition (can override getters/setters)
  * - __lookupGetter__/__lookupSetter__: legacy property introspection
  */
-declare const DANGEROUS_PROTO_KEYS: Set<string>;
+export declare const DANGEROUS_PROTO_KEYS: Set<string>;
 /** MongoDB operators to block */
-declare const NOSQL_DANGEROUS_KEYS: Set<string>;
-declare const REDACTION: {
+export declare const NOSQL_DANGEROUS_KEYS: Set<string>;
+export declare const REDACTION: {
     /** Replacement text for redacted values */
     readonly REPLACEMENT: "[REDACTED]";
     /** Truncation indicator */
@@ -127,7 +79,7 @@ declare const REDACTION: {
     /** Default sensitive keys to redact */
     readonly SENSITIVE_KEYS: Set<string>;
 };
-declare const VALIDATION: {
+export declare const VALIDATION: {
     /**
      * Email regex pattern.
      * Rejects consecutive dots in local part (e.g. test..foo@example.com),
@@ -143,7 +95,7 @@ declare const VALIDATION: {
     /** UUID regex pattern (v4) */
     readonly UUID: RegExp;
 };
-declare const ERRORS: {
+export declare const ERRORS: {
     /** Generic error message (production) */
     readonly INTERNAL_SERVER_ERROR: "Internal Server Error";
     /** Input too large error */
@@ -165,6 +117,5 @@ declare const ERRORS: {
         readonly MAX_ITEMS: (field: string, max: number) => string;
     };
 };
-declare const BLOCKED: "[BLOCKED]";
-
-export { ArcisError, ValidationError as ArcisValidationError, BLOCKED, COMMAND_PATTERNS, DANGEROUS_PROTO_KEYS, ERRORS, HEADERS, INPUT, InputTooLargeError, NOSQL_DANGEROUS_KEYS, PATH_PATTERNS, RATE_LIMIT, REDACTION, RateLimitError, SQL_PATTERNS, SanitizationError, SecurityThreatError, VALIDATION, XSS_PATTERNS };
+export declare const BLOCKED: "[BLOCKED]";
+//# sourceMappingURL=constants.d.ts.map

package/dist/core/constants.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"constants.d.ts","sourceRoot":"","sources":["../../src/core/constants.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAKH,eAAO,MAAM,KAAK;IAChB,uCAAuC;;IAEvC,iDAAiD;;CAEzC,CAAC;AAKX,eAAO,MAAM,UAAU;IACrB,qCAAqC;;IAErC,sCAAsC;;IAEtC,0DAA0D;;IAE1D,4BAA4B;;IAE5B,qCAAqC;;IAErC,qCAAqC;;CAE7B,CAAC;AAKX,eAAO,MAAM,OAAO;IAClB,sCAAsC;;IAUtC,+CAA+C;;IAE/C,oCAAoC;;IAEpC,2CAA2C;;IAE3C,oCAAoC;;IAEpC,uCAAuC;;IAEvC,+CAA+C;;CAEvC,CAAC;AAMX;;;GAGG;AACH,eAAO,MAAM,YAAY,2HA6Bf,CAAC;AAEX;;;;;GAKG;AACH,eAAO,MAAM,mBAAmB,2JAkCtB,CAAC;AAKX,eAAO,MAAM,YAAY,mHAyBf,CAAC;AAKX,eAAO,MAAM,aAAa,mGAsBhB,CAAC;AAKX,eAAO,MAAM,gBAAgB,mCAenB,CAAC;AAMX;;;;;;;;;;GAUG;AACH,eAAO,MAAM,oBAAoB,aAQ/B,CAAC;AAEH,iCAAiC;AACjC,eAAO,MAAM,oBAAoB,aAc/B,CAAC;AAKH,eAAO,MAAM,SAAS;IACpB,2CAA2C;;IAE3C,2BAA2B;;IAE3B,0BAA0B;;IAE1B,iCAAiC;;IAEjC,uCAAuC;;CAS/B,CAAC;AAKX,eAAO,MAAM,UAAU;IACrB;;;;OAIG;;IAEH;;;;OAIG;;IAEH,8BAA8B;;CAEtB,CAAC;AAKX,eAAO,MAAM,MAAM;IACjB,yCAAyC;;IAEzC,4BAA4B;wCACD,MAAM;IACjC,gCAAgC;;mCAEZ,MAAM;uCACF,MAAM,QAAQ,MAAM;qCACtB,MAAM,OAAO,MAAM;qCACnB,MAAM,OAAO,MAAM;oCACpB,MAAM,OAAO,MAAM;oCACnB,MAAM,OAAO,MAAM;yCACd,MAAM;wCACP,MAAM;sCACR,MAAM;uCACL,MAAM;uCACN,MAAM,UAAU,OAAO,EAAE;oCAC5B,MAAM,OAAO,MAAM;oCACnB,MAAM,OAAO,MAAM;;CAEhC,CAAC;AAKX,eAAO,MAAM,OAAO,EAAG,WAAoB,CAAC"}

package/dist/core/errors.d.ts

@@ -0,0 +1,53 @@
+/**
+ * @module @arcis/node/core/errors
+ * Custom error classes for Arcis
+ */
+/**
+ * Base class for all Arcis errors
+ */
+export declare class ArcisError extends Error {
+    readonly statusCode: number;
+    readonly code: string;
+    /** Whether the error message is safe to expose to API clients. */
+    readonly expose: boolean;
+    constructor(message: string, statusCode?: number, code?: string);
+}
+/**
+ * Error thrown when input validation fails
+ */
+export declare class ValidationError extends ArcisError {
+    readonly errors: string[];
+    constructor(errors: string[]);
+}
+/** Alias for ValidationError (backwards compatibility) */
+export { ValidationError as ArcisValidationError };
+/**
+ * Error thrown when rate limit is exceeded
+ */
+export declare class RateLimitError extends ArcisError {
+    readonly retryAfter: number;
+    constructor(message: string, retryAfter: number);
+}
+/**
+ * Error thrown when input is too large
+ */
+export declare class InputTooLargeError extends ArcisError {
+    readonly maxSize: number;
+    readonly actualSize: number;
+    constructor(maxSize: number, actualSize: number);
+}
+/**
+ * Error thrown when security threat is detected
+ */
+export declare class SecurityThreatError extends ArcisError {
+    readonly threatType: string;
+    readonly pattern: string;
+    constructor(threatType: string, pattern: string);
+}
+/**
+ * Error thrown when sanitization fails
+ */
+export declare class SanitizationError extends ArcisError {
+    constructor(message: string);
+}
+//# sourceMappingURL=errors.d.ts.map

package/dist/core/errors.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"errors.d.ts","sourceRoot":"","sources":["../../src/core/errors.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH;;GAEG;AACH,qBAAa,UAAW,SAAQ,KAAK;IACnC,SAAgB,UAAU,EAAE,MAAM,CAAC;IACnC,SAAgB,IAAI,EAAE,MAAM,CAAC;IAC7B,kEAAkE;IAClE,SAAgB,MAAM,EAAE,OAAO,CAAC;gBAEpB,OAAO,EAAE,MAAM,EAAE,UAAU,SAAM,EAAE,IAAI,SAAgB;CAcpE;AAED;;GAEG;AACH,qBAAa,eAAgB,SAAQ,UAAU;IAC7C,SAAgB,MAAM,EAAE,MAAM,EAAE,CAAC;gBAErB,MAAM,EAAE,MAAM,EAAE;CAK7B;AAED,0DAA0D;AAC1D,OAAO,EAAE,eAAe,IAAI,oBAAoB,EAAE,CAAC;AAEnD;;GAEG;AACH,qBAAa,cAAe,SAAQ,UAAU;IAC5C,SAAgB,UAAU,EAAE,MAAM,CAAC;gBAEvB,OAAO,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM;CAKhD;AAED;;GAEG;AACH,qBAAa,kBAAmB,SAAQ,UAAU;IAChD,SAAgB,OAAO,EAAE,MAAM,CAAC;IAChC,SAAgB,UAAU,EAAE,MAAM,CAAC;gBAEvB,OAAO,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM;CAMhD;AAED;;GAEG;AACH,qBAAa,mBAAoB,SAAQ,UAAU;IACjD,SAAgB,UAAU,EAAE,MAAM,CAAC;IACnC,SAAgB,OAAO,EAAE,MAAM,CAAC;gBAEpB,UAAU,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM;CAMhD;AAED;;GAEG;AACH,qBAAa,iBAAkB,SAAQ,UAAU;gBACnC,OAAO,EAAE,MAAM;CAI5B"}

package/dist/core/index.d.ts

@@ -1,170 +1,8 @@
-export { A as ArcisFunction, a as ArcisMiddleware, b as ArcisOptions, E as ErrorHandlerOptions, F as FieldValidator, H as HeaderOptions, c as HstsOptions, d as HttpError, L as LogOptions, R as RateLimitEntry, e as RateLimitOptions, f as RateLimitResult, g as RateLimitStore, h as RateLimiterMiddleware, S as SafeLogger, i as SanitizeOptions, j as SanitizeResult, T as ThreatInfo, k as ThreatType, V as ValidationConfig, l as ValidationError, m as ValidationResult, n as ValidationSchema } from '../types-BOkx5YJc.js';
-import 'express';
-
 /**
- * @module @arcis/node/core/errors
- * Custom error classes for Arcis
+ * @module @arcis/node/core
+ * Core types, constants, and errors for Arcis
  */
-/**
- * Base class for all Arcis errors
- */
-declare class ArcisError extends Error {
-    readonly statusCode: number;
-    readonly code: string;
-    /** Whether the error message is safe to expose to API clients. */
-    readonly expose: boolean;
-    constructor(message: string, statusCode?: number, code?: string);
-}
-/**
- * Error thrown when input validation fails
- */
-declare class ValidationError extends ArcisError {
-    readonly errors: string[];
-    constructor(errors: string[]);
-}
-
-/**
- * Error thrown when rate limit is exceeded
- */
-declare class RateLimitError extends ArcisError {
-    readonly retryAfter: number;
-    constructor(message: string, retryAfter: number);
-}
-/**
- * Error thrown when input is too large
- */
-declare class InputTooLargeError extends ArcisError {
-    readonly maxSize: number;
-    readonly actualSize: number;
-    constructor(maxSize: number, actualSize: number);
-}
-/**
- * Error thrown when security threat is detected
- */
-declare class SecurityThreatError extends ArcisError {
-    readonly threatType: string;
-    readonly pattern: string;
-    constructor(threatType: string, pattern: string);
-}
-/**
- * Error thrown when sanitization fails
- */
-declare class SanitizationError extends ArcisError {
-    constructor(message: string);
-}
-
-/**
- * @module @arcis/node/core/constants
- * Named constants for Arcis - no magic numbers
- */
-declare const INPUT: {
-    /** Default maximum input size (1MB) */
-    readonly DEFAULT_MAX_SIZE: 1000000;
-    /** Maximum recursion depth for nested objects */
-    readonly MAX_RECURSION_DEPTH: 10;
-};
-declare const RATE_LIMIT: {
-    /** Default window size (1 minute) */
-    readonly DEFAULT_WINDOW_MS: 60000;
-    /** Default max requests per window */
-    readonly DEFAULT_MAX_REQUESTS: 100;
-    /** Default HTTP status code for rate limited responses */
-    readonly DEFAULT_STATUS_CODE: 429;
-    /** Default error message */
-    readonly DEFAULT_MESSAGE: "Too many requests, please try again later.";
-    /** Minimum window size (1 second) */
-    readonly MIN_WINDOW_MS: 1000;
-    /** Maximum window size (24 hours) */
-    readonly MAX_WINDOW_MS: 86400000;
-};
-declare const HEADERS: {
-    /** Default Content Security Policy */
-    readonly DEFAULT_CSP: string;
-    /** Default HSTS max age (1 year in seconds) */
-    readonly HSTS_MAX_AGE: 31536000;
-    /** Default X-Frame-Options value */
-    readonly FRAME_OPTIONS: "DENY";
-    /** Default X-Content-Type-Options value */
-    readonly CONTENT_TYPE_OPTIONS: "nosniff";
-    /** Default Referrer-Policy value */
-    readonly REFERRER_POLICY: "strict-origin-when-cross-origin";
-    /** Default Permissions-Policy value */
-    readonly PERMISSIONS_POLICY: "geolocation=(), microphone=(), camera=()";
-    /** Default Cache-Control value for security */
-    readonly CACHE_CONTROL: "no-store, no-cache, must-revalidate, proxy-revalidate";
-};
-/**
- * Detection patterns — used to flag whether a string contains XSS payloads.
- * Must stay in sync with XSS_REMOVE_PATTERNS below.
- */
-declare const XSS_PATTERNS: readonly [RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp];
-declare const SQL_PATTERNS: readonly [RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp];
-declare const PATH_PATTERNS: readonly [RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp];
-declare const COMMAND_PATTERNS: readonly [RegExp, RegExp, RegExp];
-/**
- * Prototype pollution keys to block.
- * Stored lowercase — always compare with key.toLowerCase().
- *
- * Includes:
- * - __proto__: direct prototype assignment
- * - constructor: access to constructor.prototype chain
- * - prototype: direct prototype property
- * - __defineGetter__/__defineSetter__: legacy property definition (can override getters/setters)
- * - __lookupGetter__/__lookupSetter__: legacy property introspection
- */
-declare const DANGEROUS_PROTO_KEYS: Set<string>;
-/** MongoDB operators to block */
-declare const NOSQL_DANGEROUS_KEYS: Set<string>;
-declare const REDACTION: {
-    /** Replacement text for redacted values */
-    readonly REPLACEMENT: "[REDACTED]";
-    /** Truncation indicator */
-    readonly TRUNCATED: "[TRUNCATED]";
-    /** Max depth indicator */
-    readonly MAX_DEPTH: "[MAX_DEPTH]";
-    /** Default max message length */
-    readonly DEFAULT_MAX_LENGTH: 10000;
-    /** Default sensitive keys to redact */
-    readonly SENSITIVE_KEYS: Set<string>;
-};
-declare const VALIDATION: {
-    /**
-     * Email regex pattern.
-     * Rejects consecutive dots in local part (e.g. test..foo@example.com),
-     * leading/trailing dots, and other common invalid forms.
-     */
-    readonly EMAIL: RegExp;
-    /**
-     * URL regex pattern.
-     * Only allows http:// and https:// — explicitly rejects javascript:,
-     * data:, vbscript:, and other dangerous URI schemes.
-     */
-    readonly URL: RegExp;
-    /** UUID regex pattern (v4) */
-    readonly UUID: RegExp;
-};
-declare const ERRORS: {
-    /** Generic error message (production) */
-    readonly INTERNAL_SERVER_ERROR: "Internal Server Error";
-    /** Input too large error */
-    readonly INPUT_TOO_LARGE: (maxSize: number) => string;
-    /** Validation error messages */
-    readonly VALIDATION: {
-        readonly REQUIRED: (field: string) => string;
-        readonly INVALID_TYPE: (field: string, type: string) => string;
-        readonly MIN_LENGTH: (field: string, min: number) => string;
-        readonly MAX_LENGTH: (field: string, max: number) => string;
-        readonly MIN_VALUE: (field: string, min: number) => string;
-        readonly MAX_VALUE: (field: string, max: number) => string;
-        readonly INVALID_FORMAT: (field: string) => string;
-        readonly INVALID_EMAIL: (field: string) => string;
-        readonly INVALID_URL: (field: string) => string;
-        readonly INVALID_UUID: (field: string) => string;
-        readonly INVALID_ENUM: (field: string, values: unknown[]) => string;
-        readonly MIN_ITEMS: (field: string, min: number) => string;
-        readonly MAX_ITEMS: (field: string, max: number) => string;
-    };
-};
-declare const BLOCKED: "[BLOCKED]";
-
-export { ArcisError, ValidationError as ArcisValidationError, BLOCKED, COMMAND_PATTERNS, DANGEROUS_PROTO_KEYS, ERRORS, HEADERS, INPUT, InputTooLargeError, NOSQL_DANGEROUS_KEYS, PATH_PATTERNS, RATE_LIMIT, REDACTION, RateLimitError, SQL_PATTERNS, SanitizationError, SecurityThreatError, VALIDATION, XSS_PATTERNS };
+export type { ArcisOptions, ArcisFunction, ArcisMiddleware, SanitizeOptions, SanitizeResult, ThreatInfo, ThreatType, RateLimitOptions, RateLimitStore, RateLimitEntry, RateLimitResult, RateLimiterMiddleware, HeaderOptions, HstsOptions, ValidationConfig, ValidationSchema, FieldValidator, ValidationResult, ValidationError, LogOptions, SafeLogger, ErrorHandlerOptions, HttpError, } from './types';
+export { INPUT, RATE_LIMIT, HEADERS, XSS_PATTERNS, SQL_PATTERNS, PATH_PATTERNS, COMMAND_PATTERNS, DANGEROUS_PROTO_KEYS, NOSQL_DANGEROUS_KEYS, REDACTION, VALIDATION, ERRORS, BLOCKED, } from './constants';
+export { ArcisError, ValidationError as ArcisValidationError, RateLimitError, InputTooLargeError, SecurityThreatError, SanitizationError, } from './errors';
+//# sourceMappingURL=index.d.ts.map

package/dist/core/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/core/index.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAGH,YAAY,EAEV,YAAY,EACZ,aAAa,EACb,eAAe,EAEf,eAAe,EACf,cAAc,EACd,UAAU,EACV,UAAU,EAEV,gBAAgB,EAChB,cAAc,EACd,cAAc,EACd,eAAe,EACf,qBAAqB,EAErB,aAAa,EACb,WAAW,EAEX,gBAAgB,EAChB,gBAAgB,EAChB,cAAc,EACd,gBAAgB,EAChB,eAAe,EAEf,UAAU,EACV,UAAU,EAEV,mBAAmB,EACnB,SAAS,GACV,MAAM,SAAS,CAAC;AAGjB,OAAO,EACL,KAAK,EACL,UAAU,EACV,OAAO,EACP,YAAY,EACZ,YAAY,EACZ,aAAa,EACb,gBAAgB,EAChB,oBAAoB,EACpB,oBAAoB,EACpB,SAAS,EACT,UAAU,EACV,MAAM,EACN,OAAO,GACR,MAAM,aAAa,CAAC;AAGrB,OAAO,EACL,UAAU,EACV,eAAe,IAAI,oBAAoB,EACvC,cAAc,EACd,kBAAkB,EAClB,mBAAmB,EACnB,iBAAiB,GAClB,MAAM,UAAU,CAAC"}

package/dist/core/index.js

@@ -65,7 +65,15 @@ var XSS_PATTERNS = [
   /** URL-encoded script tags */
   /%3Cscript/gi,
   /** SVG with onload */
-  /<svg[^>]*onload/gi
+  /<svg[^>]*onload/gi,
+  /** form tags — phishing/credential harvesting via action= redirection */
+  /<form[\s>]/gi,
+  /** meta tags — http-equiv refresh redirects or CSP bypass */
+  /<meta[\s>]/gi,
+  /** base href hijacking — redirects all relative URLs to attacker domain */
+  /<base[\s>]/gi,
+  /** link tag injection — stylesheet or preload CSRF attacks */
+  /<link[\s>]/gi
 ];
 var SQL_PATTERNS = [
   /** SQL keywords */
@@ -129,8 +137,8 @@ var COMMAND_PATTERNS = [
   /[;&|`]/g,
   /** Command substitution: $( ... ) — matched as a pair to reduce false positives */
   /\$\(/g,
-  /** URL-encoded newline/carriage-return injection (%0a, %0d) */
-  /%0[ad]/gi
+  /** URL-encoded control characters (%00-%0F): null, tab, vtab, formfeed, LF, CR */
+  /%0[0-9a-f]/gi
 ];
 var DANGEROUS_PROTO_KEYS = /* @__PURE__ */ new Set([
   "__proto__",

package/dist/core/index.js.map

@@ -1 +1 @@
-{"version":3,"sources":["../../src/core/constants.ts","../../src/core/errors.ts"],"names":[],"mappings":";;;AAQO,IAAM,KAAA,GAAQ;AAAA;AAAA,EAEnB,gBAAA,EAAkB,GAAA;AAAA;AAAA,EAElB,mBAAA,EAAqB;AACvB;AAKO,IAAM,UAAA,GAAa;AAAA;AAAA,EAExB,iBAAA,EAAmB,GAAA;AAAA;AAAA,EAEnB,oBAAA,EAAsB,GAAA;AAAA;AAAA,EAEtB,mBAAA,EAAqB,GAAA;AAAA;AAAA,EAErB,eAAA,EAAiB,4CAAA;AAAA;AAAA,EAEjB,aAAA,EAAe,GAAA;AAAA;AAAA,EAEf,aAAA,EAAe;AACjB;AAKO,IAAM,OAAA,GAAU;AAAA;AAAA,EAErB,WAAA,EAAa;AAAA,IACX,oBAAA;AAAA,IACA,mBAAA;AAAA,IACA,kCAAA;AAAA,IACA,6BAAA;AAAA,IACA,iBAAA;AAAA,IACA,mBAAA;AAAA,IACA;AAAA,GACF,CAAE,KAAK,IAAI,CAAA;AAAA;AAAA,EAEX,YAAA,EAAc,OAAA;AAAA;AAAA,EAEd,aAAA,EAAe,MAAA;AAAA;AAAA,EAEf,oBAAA,EAAsB,SAAA;AAAA;AAAA,EAEtB,eAAA,EAAiB,iCAAA;AAAA;AAAA,EAEjB,kBAAA,EAAoB,0CAAA;AAAA;AAAA,EAEpB,aAAA,EAAe;AACjB;AAUO,IAAM,YAAA,GAAe;AAAA;AAAA,EAE1B,mCAAA;AAAA;AAAA,EAEA,kBAAA;AAAA;AAAA,EAEA,gBAAA;AAAA;AAAA,EAEA,sBAAA;AAAA;AAAA,EAEA,WAAA;AAAA;AAAA,EAEA,WAAA;AAAA;AAAA,EAEA,UAAA;AAAA;AAAA,EAEA,sBAAA;AAAA;AAAA,EAEA,aAAA;AAAA;AAAA,EAEA;AACF;AAuCO,IAAM,YAAA,GAAe;AAAA;AAAA,EAE1B,qFAAA;AAAA;AAAA,EAEA,mBAAA;AAAA;AAAA,EAEA,cAAA;AAAA;AAAA,EAEA,wBAAA;AAAA;AAAA,EAEA,8CAAA;AAAA,EACA,oDAAA;AAAA;AAAA,EAEA,yBAAA;AAAA;AAAA,EAEA,+CAAA;AAAA,EACA,qDAAA;AAAA;AAAA,EAEA,2BAAA;AAAA;AAAA,EAEA,oBAAA;AAAA;AAAA,EAEA,mBAAA;AAAA;AAAA,EAEA;AACF;AAKO,IAAM,aAAA,GAAgB;AAAA;AAAA,EAE3B,SAAA;AAAA;AAAA,EAEA,SAAA;AAAA;AAAA,EAEA,UAAA;AAAA;AAAA,EAEA,SAAA;AAAA;AAAA,EAEA,WAAA;AAAA;AAAA,EAEA,cAAA;AAAA,EACA,cAAA;AAAA;AAAA,EAEA,aAAA;AAAA;AAAA,EAEA,SAAA;AAAA;AAAA,EAEA,kBAAA;AAAA;AAAA,EAEA;AACF;AAKO,IAAM,gBAAA,GAAmB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAU9B,SAAA;AAAA;AAAA,EAEA,OAAA;AAAA;AAAA,EAEA;AACF;AAiBO,IAAM,oBAAA,uBAA2B,GAAA,CAAI;AAAA,EAC1C,WAAA;AAAA,EACA,aAAA;AAAA,EACA,WAAA;AAAA,EACA,kBAAA;AAAA,EACA,kBAAA;AAAA,EACA,kBAAA;AAAA,EACA;AACF,CAAC;AAGM,IAAM,oBAAA,uBAA2B,GAAA,CAAI;AAAA;AAAA,EAE1C,KAAA;AAAA,EAAO,MAAA;AAAA,EAAQ,KAAA;AAAA,EAAO,MAAA;AAAA,EAAQ,KAAA;AAAA,EAAO,KAAA;AAAA,EAAO,KAAA;AAAA,EAAO,MAAA;AAAA;AAAA,EAEnD,MAAA;AAAA,EAAQ,KAAA;AAAA,EAAO,MAAA;AAAA,EAAQ,MAAA;AAAA;AAAA,EAEvB,SAAA;AAAA,EAAW,OAAA;AAAA,EAAS,QAAA;AAAA,EAAU,QAAA;AAAA,EAAU,OAAA;AAAA,EAAS,MAAA;AAAA,EAAQ,OAAA;AAAA,EAAS,aAAA;AAAA;AAAA,EAElE,YAAA;AAAA,EAAc,MAAA;AAAA,EAAQ,OAAA;AAAA;AAAA,EAEtB,WAAA;AAAA,EAAa,cAAA;AAAA;AAAA,EAEb,SAAA;AAAA,EAAW,QAAA;AAAA,EAAU,UAAA;AAAA,EAAY,QAAA;AAAA,EAAU,OAAA;AAAA,EAAS,QAAA;AAAA,EAAU,OAAA;AAAA,EAC9D,SAAA;AAAA,EAAW,YAAA;AAAA,EAAc;AAC3B,CAAC;AAKM,IAAM,SAAA,GAAY;AAAA;AAAA,EAEvB,WAAA,EAAa,YAAA;AAAA;AAAA,EAEb,SAAA,EAAW,aAAA;AAAA;AAAA,EAEX,SAAA,EAAW,aAAA;AAAA;AAAA,EAEX,kBAAA,EAAoB,GAAA;AAAA;AAAA,EAEpB,cAAA,sBAAoB,GAAA,CAAI;AAAA,IACtB,UAAA;AAAA,IAAY,QAAA;AAAA,IAAU,KAAA;AAAA,IAAO,QAAA;AAAA,IAAU,OAAA;AAAA,IAAS,QAAA;AAAA,IAChD,SAAA;AAAA,IAAW,QAAA;AAAA,IAAU,MAAA;AAAA,IAAQ,eAAA;AAAA,IAAiB,aAAA;AAAA,IAC9C,YAAA;AAAA,IAAc,IAAA;AAAA,IAAM,KAAA;AAAA,IAAO,iBAAA;AAAA,IAAmB,aAAA;AAAA,IAC9C,YAAA;AAAA,IAAc,cAAA;AAAA,IAAgB,aAAA;AAAA,IAAe,eAAA;AAAA,IAC7C,cAAA;AAAA,IAAgB,QAAA;AAAA,IAAU,KAAA;AAAA,IAAO,SAAA;AAAA,IAAW,QAAA;AAAA,IAC5C,aAAA;AAAA,IAAe,WAAA;AAAA,IAAa;AAAA,GAC7B;AACH;AAKO,IAAM,UAAA,GAAa;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAMxB,KAAA,EAAO,wDAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAMP,GAAA,EAAK,+BAAA;AAAA;AAAA,EAEL,IAAA,EAAM;AACR;AAKO,IAAM,MAAA,GAAS;AAAA;AAAA,EAEpB,qBAAA,EAAuB,uBAAA;AAAA;AAAA,EAEvB,eAAA,EAAiB,CAAC,OAAA,KAAoB,CAAA,8BAAA,EAAiC,OAAO,CAAA,MAAA,CAAA;AAAA;AAAA,EAE9E,UAAA,EAAY;AAAA,IACV,QAAA,EAAU,CAAC,KAAA,KAAkB,CAAA,EAAG,KAAK,CAAA,YAAA,CAAA;AAAA,IACrC,cAAc,CAAC,KAAA,EAAe,SAAiB,CAAA,EAAG,KAAK,cAAc,IAAI,CAAA,CAAA;AAAA,IACzE,YAAY,CAAC,KAAA,EAAe,QAAgB,CAAA,EAAG,KAAK,qBAAqB,GAAG,CAAA,WAAA,CAAA;AAAA,IAC5E,YAAY,CAAC,KAAA,EAAe,QAAgB,CAAA,EAAG,KAAK,oBAAoB,GAAG,CAAA,WAAA,CAAA;AAAA,IAC3E,WAAW,CAAC,KAAA,EAAe,QAAgB,CAAA,EAAG,KAAK,qBAAqB,GAAG,CAAA,CAAA;AAAA,IAC3E,WAAW,CAAC,KAAA,EAAe,QAAgB,CAAA,EAAG,KAAK,oBAAoB,GAAG,CAAA,CAAA;AAAA,IAC1E,cAAA,EAAgB,CAAC,KAAA,KAAkB,CAAA,EAAG,KAAK,CAAA,kBAAA,CAAA;AAAA,IAC3C,aAAA,EAAe,CAAC,KAAA,KAAkB,CAAA,EAAG,KAAK,CAAA,sBAAA,CAAA;AAAA,IAC1C,WAAA,EAAa,CAAC,KAAA,KAAkB,CAAA,EAAG,KAAK,CAAA,oBAAA,CAAA;AAAA,IACxC,YAAA,EAAc,CAAC,KAAA,KAAkB,CAAA,EAAG,KAAK,CAAA,qBAAA,CAAA;AAAA,IACzC,YAAA,EAAc,CAAC,KAAA,EAAe,MAAA,KAAsB,CAAA,EAAG,KAAK,CAAA,iBAAA,EAAoB,MAAA,CAAO,IAAA,CAAK,IAAI,CAAC,CAAA,CAAA;AAAA,IACjG,WAAW,CAAC,KAAA,EAAe,QAAgB,CAAA,EAAG,KAAK,uBAAuB,GAAG,CAAA,MAAA,CAAA;AAAA,IAC7E,WAAW,CAAC,KAAA,EAAe,QAAgB,CAAA,EAAG,KAAK,sBAAsB,GAAG,CAAA,MAAA;AAAA;AAEhF;AAKO,IAAM,OAAA,GAAU;;;ACrThB,IAAM,UAAA,GAAN,cAAyB,KAAA,CAAM;AAAA,EAMpC,WAAA,CAAY,OAAA,EAAiB,UAAA,GAAa,GAAA,EAAK,OAAO,aAAA,EAAe;AACnE,IAAA,KAAA,CAAM,OAAO,CAAA;AACb,IAAA,IAAA,CAAK,IAAA,GAAO,YAAA;AACZ,IAAA,IAAA,CAAK,UAAA,GAAa,UAAA;AAClB,IAAA,IAAA,CAAK,IAAA,GAAO,IAAA;AAGZ,IAAA,IAAA,CAAK,SAAS,UAAA,GAAa,GAAA;AAG3B,IAAA,IAAI,MAAM,iBAAA,EAAmB;AAC3B,MAAA,KAAA,CAAM,iBAAA,CAAkB,IAAA,EAAM,IAAA,CAAK,WAAW,CAAA;AAAA,IAChD;AAAA,EACF;AACF;AAKO,IAAM,eAAA,GAAN,cAA8B,UAAA,CAAW;AAAA,EAG9C,YAAY,MAAA,EAAkB;AAC5B,IAAA,KAAA,CAAM,mBAAA,EAAqB,KAAK,kBAAkB,CAAA;AAClD,IAAA,IAAA,CAAK,IAAA,GAAO,iBAAA;AACZ,IAAA,IAAA,CAAK,MAAA,GAAS,MAAA;AAAA,EAChB;AACF;AAQO,IAAM,cAAA,GAAN,cAA6B,UAAA,CAAW;AAAA,EAG7C,WAAA,CAAY,SAAiB,UAAA,EAAoB;AAC/C,IAAA,KAAA,CAAM,OAAA,EAAS,KAAK,qBAAqB,CAAA;AACzC,IAAA,IAAA,CAAK,IAAA,GAAO,gBAAA;AACZ,IAAA,IAAA,CAAK,UAAA,GAAa,UAAA;AAAA,EACpB;AACF;AAKO,IAAM,kBAAA,GAAN,cAAiC,UAAA,CAAW;AAAA,EAIjD,WAAA,CAAY,SAAiB,UAAA,EAAoB;AAC/C,IAAA,KAAA,CAAM,CAAA,8BAAA,EAAiC,OAAO,CAAA,MAAA,CAAA,EAAU,GAAA,EAAK,iBAAiB,CAAA;AAC9E,IAAA,IAAA,CAAK,IAAA,GAAO,oBAAA;AACZ,IAAA,IAAA,CAAK,OAAA,GAAU,OAAA;AACf,IAAA,IAAA,CAAK,UAAA,GAAa,UAAA;AAAA,EACpB;AACF;AAKO,IAAM,mBAAA,GAAN,cAAkC,UAAA,CAAW;AAAA,EAIlD,WAAA,CAAY,YAAoB,OAAA,EAAiB;AAC/C,IAAA,KAAA,CAAM,sCAAA,EAAwC,KAAK,iBAAiB,CAAA;AACpE,IAAA,IAAA,CAAK,IAAA,GAAO,qBAAA;AACZ,IAAA,IAAA,CAAK,UAAA,GAAa,UAAA;AAClB,IAAA,IAAA,CAAK,OAAA,GAAU,OAAA;AAAA,EACjB;AACF;AAKO,IAAM,iBAAA,GAAN,cAAgC,UAAA,CAAW;AAAA,EAChD,YAAY,OAAA,EAAiB;AAC3B,IAAA,KAAA,CAAM,OAAA,EAAS,KAAK,oBAAoB,CAAA;AACxC,IAAA,IAAA,CAAK,IAAA,GAAO,mBAAA;AAAA,EACd;AACF","file":"index.js","sourcesContent":["/**\n * @module @arcis/node/core/constants\n * Named constants for Arcis - no magic numbers\n */\n\n// =============================================================================\n// INPUT LIMITS\n// =============================================================================\nexport const INPUT = {\n  /** Default maximum input size (1MB) */\n  DEFAULT_MAX_SIZE: 1_000_000,\n  /** Maximum recursion depth for nested objects */\n  MAX_RECURSION_DEPTH: 10,\n} as const;\n\n// =============================================================================\n// RATE LIMITING\n// =============================================================================\nexport const RATE_LIMIT = {\n  /** Default window size (1 minute) */\n  DEFAULT_WINDOW_MS: 60_000,\n  /** Default max requests per window */\n  DEFAULT_MAX_REQUESTS: 100,\n  /** Default HTTP status code for rate limited responses */\n  DEFAULT_STATUS_CODE: 429,\n  /** Default error message */\n  DEFAULT_MESSAGE: 'Too many requests, please try again later.',\n  /** Minimum window size (1 second) */\n  MIN_WINDOW_MS: 1_000,\n  /** Maximum window size (24 hours) */\n  MAX_WINDOW_MS: 86_400_000,\n} as const;\n\n// =============================================================================\n// SECURITY HEADERS\n// =============================================================================\nexport const HEADERS = {\n  /** Default Content Security Policy */\n  DEFAULT_CSP: [\n    \"default-src 'self'\",\n    \"script-src 'self'\",\n    \"style-src 'self' 'unsafe-inline'\",\n    \"img-src 'self' data: https:\",\n    \"font-src 'self'\",\n    \"object-src 'none'\",\n    \"frame-ancestors 'none'\",\n  ].join('; '),\n  /** Default HSTS max age (1 year in seconds) */\n  HSTS_MAX_AGE: 31_536_000,\n  /** Default X-Frame-Options value */\n  FRAME_OPTIONS: 'DENY' as const,\n  /** Default X-Content-Type-Options value */\n  CONTENT_TYPE_OPTIONS: 'nosniff',\n  /** Default Referrer-Policy value */\n  REFERRER_POLICY: 'strict-origin-when-cross-origin',\n  /** Default Permissions-Policy value */\n  PERMISSIONS_POLICY: 'geolocation=(), microphone=(), camera=()',\n  /** Default Cache-Control value for security */\n  CACHE_CONTROL: 'no-store, no-cache, must-revalidate, proxy-revalidate',\n} as const;\n\n// =============================================================================\n// XSS PATTERNS (ReDoS-safe)\n// =============================================================================\n\n/**\n * Detection patterns — used to flag whether a string contains XSS payloads.\n * Must stay in sync with XSS_REMOVE_PATTERNS below.\n */\nexport const XSS_PATTERNS = [\n  /** Script tags (ReDoS-safe version) */\n  /<script[^>]*>[\\s\\S]*?<\\/script>/gi,\n  /** javascript: protocol (allow optional spaces before colon) */\n  /javascript\\s*:/gi,\n  /** vbscript: protocol */\n  /vbscript\\s*:/gi,\n  /** Event handlers (onclick, onerror, etc.) — any separator before attribute */\n  /(?:[\\s/])on\\w+\\s*=/gi,\n  /** iframe tags */\n  /<iframe/gi,\n  /** object tags */\n  /<object/gi,\n  /** embed tags */\n  /<embed/gi,\n  /** data: URIs (only dangerous ones, avoid false positives) */\n  /(?:^|[\\s\"'=])data:/gi,\n  /** URL-encoded script tags */\n  /%3Cscript/gi,\n  /** SVG with onload */\n  /<svg[^>]*onload/gi,\n] as const;\n\n/**\n * Removal patterns — used by sanitizeXss() to strip dangerous content.\n * More targeted than XSS_PATTERNS: each pattern captures the full dangerous\n * substring (tag, attribute + value, protocol) so it can be replaced safely.\n * Must stay in sync with XSS_PATTERNS above.\n */\nexport const XSS_REMOVE_PATTERNS = [\n  /** Full script blocks (content + tags) */\n  /<script[^>]*>[\\s\\S]*?<\\/script>/gi,\n  /** Standalone/unclosed script tags */\n  /<script[^>]*>/gi,\n  /** iframe — full block and partial/unclosed */\n  /<iframe[^>]*>[\\s\\S]*?<\\/iframe>/gi,\n  /<iframe[^>]*/gi,\n  /** object — full block and partial/unclosed */\n  /<object[^>]*>[\\s\\S]*?<\\/object>/gi,\n  /<object[^>]*/gi,\n  /** embed tags */\n  /<embed[^>]*/gi,\n  /** SVG with inline event handlers */\n  /<svg[^>]*onload[^>]*>/gi,\n  /** URL-encoded script tags */\n  /%3Cscript/gi,\n  /** Event handlers with quoted values: onclick=\"...\", onerror='...' */\n  /(?:[\\s/])on\\w+\\s*=\\s*[\"'][^\"']*[\"']/gi,\n  /** Event handlers with unquoted values: onload=value */\n  /(?:[\\s/])on\\w+\\s*=\\s*[^\\s>]*/gi,\n  /** javascript: and vbscript: protocols (allow optional spaces before colon) */\n  /javascript\\s*:/gi,\n  /vbscript\\s*:/gi,\n  /** data: URIs with HTML/script content */\n  /data\\s*:\\s*text\\/html[^>\\s]*/gi,\n] as const;\n\n// =============================================================================\n// SQL INJECTION PATTERNS\n// =============================================================================\nexport const SQL_PATTERNS = [\n  /** SQL keywords */\n  /(\\b(SELECT|INSERT|UPDATE|DELETE|DROP|UNION|ALTER|CREATE|TRUNCATE|EXEC|EXECUTE)\\b)/gi,\n  /** SQL comments: ANSI (--), C-style (slash-star ... star-slash), MySQL (#) */\n  /(--|\\/\\*|\\*\\/|#)/g,\n  /** SQL statement separators */\n  /(;|\\|\\||&&)/g,\n  /** Boolean injection: OR 1=1 */\n  /\\bOR\\s+\\d+\\s*=\\s*\\d+/gi,\n  /** Boolean injection: OR 'a'='a' or OR \"a\"=\"a\" (including mixed quotes) */\n  /\\bOR\\s+(['\"])[^'\"]*\\1\\s*=\\s*(['\"])[^'\"]*\\2/gi,\n  /\\bOR\\s+('[^']*'|\"[^\"]*\")\\s*=\\s*('[^']*'|\"[^\"]*\")/gi,\n  /** Boolean injection: AND 1=1 */\n  /\\bAND\\s+\\d+\\s*=\\s*\\d+/gi,\n  /** Boolean injection: AND 'a'='a' or AND \"a\"=\"a\" (including mixed quotes) */\n  /\\bAND\\s+(['\"])[^'\"]*\\1\\s*=\\s*(['\"])[^'\"]*\\2/gi,\n  /\\bAND\\s+('[^']*'|\"[^\"]*\")\\s*=\\s*('[^']*'|\"[^\"]*\")/gi,\n  /** Time-based blind: SLEEP() */\n  /\\bSLEEP\\s*\\(\\s*\\d+\\s*\\)/gi,\n  /** Time-based blind: BENCHMARK() */\n  /\\bBENCHMARK\\s*\\(/gi,\n  /** Time-based blind: PostgreSQL pg_sleep() */\n  /\\bpg_sleep\\s*\\(/gi,\n  /** Time-based blind: MSSQL WAITFOR DELAY */\n  /\\bWAITFOR\\s+DELAY\\b/gi,\n] as const;\n\n// =============================================================================\n// PATH TRAVERSAL PATTERNS\n// =============================================================================\nexport const PATH_PATTERNS = [\n  /** Unix path traversal */\n  /\\.\\.\\//g,\n  /** Windows path traversal */\n  /\\.\\.\\\\/g,\n  /** URL-encoded traversal (%2e%2e) */\n  /%2e%2e/gi,\n  /** Double URL-encoded traversal (%252e) */\n  /%252e/gi,\n  /** Mixed encoding: ..%2F */\n  /\\.\\.%2F/gi,\n  /** Mixed encoding: %2e./ and .%2e/ */\n  /%2e\\.[\\\\/]/gi,\n  /\\.%2e[\\\\/]/gi,\n  /** Fully URL-encoded: %2e%2e%2f */\n  /%2e%2e%2f/gi,\n  /** Double URL-encoded forward slash: %252f */\n  /%252f/gi,\n  /** Dotdotslash bypass: ....// or ....\\\\ */\n  /\\.{2,}[/\\\\]{2,}/g,\n  /** Null byte injection in paths */\n  /\\0/g,\n] as const;\n\n// =============================================================================\n// COMMAND INJECTION PATTERNS\n// =============================================================================\nexport const COMMAND_PATTERNS = [\n  /**\n   * Shell metacharacters that enable command chaining/substitution.\n   * Bare ( and ) are excluded — they appear in common legitimate values\n   * (function calls in code fields, math expressions, etc.).\n   * Command substitution is caught by the $( combined pattern below.\n   * NOTE: ';', '&', '|' may appear in legitimate URL query strings\n   * and Markdown; consider disabling command checking (command: false)\n   * for fields that intentionally allow those characters.\n   */\n  /[;&|`]/g,\n  /** Command substitution: $( ... ) — matched as a pair to reduce false positives */\n  /\\$\\(/g,\n  /** URL-encoded newline/carriage-return injection (%0a, %0d) */\n  /%0[ad]/gi,\n] as const;\n\n// =============================================================================\n// DANGEROUS KEYS\n// =============================================================================\n\n/**\n * Prototype pollution keys to block.\n * Stored lowercase — always compare with key.toLowerCase().\n *\n * Includes:\n * - __proto__: direct prototype assignment\n * - constructor: access to constructor.prototype chain\n * - prototype: direct prototype property\n * - __defineGetter__/__defineSetter__: legacy property definition (can override getters/setters)\n * - __lookupGetter__/__lookupSetter__: legacy property introspection\n */\nexport const DANGEROUS_PROTO_KEYS = new Set([\n  '__proto__',\n  'constructor',\n  'prototype',\n  '__definegetter__',\n  '__definesetter__',\n  '__lookupgetter__',\n  '__lookupsetter__',\n]);\n\n/** MongoDB operators to block */\nexport const NOSQL_DANGEROUS_KEYS = new Set([\n  // Comparison\n  '$gt', '$gte', '$lt', '$lte', '$ne', '$eq', '$in', '$nin',\n  // Logical\n  '$and', '$or', '$not', '$nor',\n  // Element / evaluation\n  '$exists', '$type', '$regex', '$where', '$expr', '$mod', '$text', '$jsonSchema',\n  // Array\n  '$elemMatch', '$all', '$size',\n  // JavaScript execution (critical)\n  '$function', '$accumulator',\n  // Aggregation pipeline operators (injectable via $lookup etc.)\n  '$lookup', '$match', '$project', '$group', '$sort', '$limit', '$skip',\n  '$unwind', '$addFields', '$replaceRoot',\n]);\n\n// =============================================================================\n// REDACTION\n// =============================================================================\nexport const REDACTION = {\n  /** Replacement text for redacted values */\n  REPLACEMENT: '[REDACTED]',\n  /** Truncation indicator */\n  TRUNCATED: '[TRUNCATED]',\n  /** Max depth indicator */\n  MAX_DEPTH: '[MAX_DEPTH]',\n  /** Default max message length */\n  DEFAULT_MAX_LENGTH: 10_000,\n  /** Default sensitive keys to redact */\n  SENSITIVE_KEYS: new Set([\n    'password', 'passwd', 'pwd', 'secret', 'token', 'apikey',\n    'api_key', 'apiKey', 'auth', 'authorization', 'credit_card',\n    'creditcard', 'cc', 'ssn', 'social_security', 'private_key',\n    'privateKey', 'access_token', 'accessToken', 'refresh_token',\n    'refreshToken', 'bearer', 'jwt', 'session', 'cookie',\n    'credentials', 'x-api-key', 'x-auth-token',\n  ]),\n} as const;\n\n// =============================================================================\n// VALIDATION PATTERNS\n// =============================================================================\nexport const VALIDATION = {\n  /**\n   * Email regex pattern.\n   * Rejects consecutive dots in local part (e.g. test..foo@example.com),\n   * leading/trailing dots, and other common invalid forms.\n   */\n  EMAIL: /^[^\\s@.][^\\s@]*(?:\\.[^\\s@.][^\\s@]*)*@[^\\s@]+\\.[^\\s@]+$/,\n  /**\n   * URL regex pattern.\n   * Only allows http:// and https:// — explicitly rejects javascript:,\n   * data:, vbscript:, and other dangerous URI schemes.\n   */\n  URL: /^https?:\\/\\/[^\\s/$.?#][^\\s]*$/,\n  /** UUID regex pattern (v4) */\n  UUID: /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i,\n} as const;\n\n// =============================================================================\n// ERROR MESSAGES\n// =============================================================================\nexport const ERRORS = {\n  /** Generic error message (production) */\n  INTERNAL_SERVER_ERROR: 'Internal Server Error',\n  /** Input too large error */\n  INPUT_TOO_LARGE: (maxSize: number) => `Input exceeds maximum size of ${maxSize} bytes`,\n  /** Validation error messages */\n  VALIDATION: {\n    REQUIRED: (field: string) => `${field} is required`,\n    INVALID_TYPE: (field: string, type: string) => `${field} must be a ${type}`,\n    MIN_LENGTH: (field: string, min: number) => `${field} must be at least ${min} characters`,\n    MAX_LENGTH: (field: string, max: number) => `${field} must be at most ${max} characters`,\n    MIN_VALUE: (field: string, min: number) => `${field} must be at least ${min}`,\n    MAX_VALUE: (field: string, max: number) => `${field} must be at most ${max}`,\n    INVALID_FORMAT: (field: string) => `${field} format is invalid`,\n    INVALID_EMAIL: (field: string) => `${field} must be a valid email`,\n    INVALID_URL: (field: string) => `${field} must be a valid URL`,\n    INVALID_UUID: (field: string) => `${field} must be a valid UUID`,\n    INVALID_ENUM: (field: string, values: unknown[]) => `${field} must be one of: ${values.join(', ')}`,\n    MIN_ITEMS: (field: string, min: number) => `${field} must have at least ${min} items`,\n    MAX_ITEMS: (field: string, max: number) => `${field} must have at most ${max} items`,\n  },\n} as const;\n\n// =============================================================================\n// BLOCKED TEXT (for sanitizer replacements)\n// =============================================================================\nexport const BLOCKED = '[BLOCKED]' as const;\n","/**\n * @module @arcis/node/core/errors\n * Custom error classes for Arcis\n */\n\n/**\n * Base class for all Arcis errors\n */\nexport class ArcisError extends Error {\n  public readonly statusCode: number;\n  public readonly code: string;\n  /** Whether the error message is safe to expose to API clients. */\n  public readonly expose: boolean;\n\n  constructor(message: string, statusCode = 500, code = 'ARCIS_ERROR') {\n    super(message);\n    this.name = 'ArcisError';\n    this.statusCode = statusCode;\n    this.code = code;\n    // Client errors (4xx) have controlled messages — safe to expose.\n    // Server errors (5xx) may contain internal details — hide by default.\n    this.expose = statusCode < 500;\n\n    // Maintains proper stack trace for where error was thrown (V8 engines)\n    if (Error.captureStackTrace) {\n      Error.captureStackTrace(this, this.constructor);\n    }\n  }\n}\n\n/**\n * Error thrown when input validation fails\n */\nexport class ValidationError extends ArcisError {\n  public readonly errors: string[];\n\n  constructor(errors: string[]) {\n    super('Validation failed', 400, 'VALIDATION_ERROR');\n    this.name = 'ValidationError';\n    this.errors = errors;\n  }\n}\n\n/** Alias for ValidationError (backwards compatibility) */\nexport { ValidationError as ArcisValidationError };\n\n/**\n * Error thrown when rate limit is exceeded\n */\nexport class RateLimitError extends ArcisError {\n  public readonly retryAfter: number;\n\n  constructor(message: string, retryAfter: number) {\n    super(message, 429, 'RATE_LIMIT_EXCEEDED');\n    this.name = 'RateLimitError';\n    this.retryAfter = retryAfter;\n  }\n}\n\n/**\n * Error thrown when input is too large\n */\nexport class InputTooLargeError extends ArcisError {\n  public readonly maxSize: number;\n  public readonly actualSize: number;\n\n  constructor(maxSize: number, actualSize: number) {\n    super(`Input exceeds maximum size of ${maxSize} bytes`, 413, 'INPUT_TOO_LARGE');\n    this.name = 'InputTooLargeError';\n    this.maxSize = maxSize;\n    this.actualSize = actualSize;\n  }\n}\n\n/**\n * Error thrown when security threat is detected\n */\nexport class SecurityThreatError extends ArcisError {\n  public readonly threatType: string;\n  public readonly pattern: string;\n\n  constructor(threatType: string, pattern: string) {\n    super('Request blocked for security reasons', 400, 'SECURITY_THREAT');\n    this.name = 'SecurityThreatError';\n    this.threatType = threatType;\n    this.pattern = pattern;\n  }\n}\n\n/**\n * Error thrown when sanitization fails\n */\nexport class SanitizationError extends ArcisError {\n  constructor(message: string) {\n    super(message, 400, 'SANITIZATION_ERROR');\n    this.name = 'SanitizationError';\n  }\n}\n"]}
+{"version":3,"sources":["../../src/core/constants.ts","../../src/core/errors.ts"],"names":[],"mappings":";;;AAQO,IAAM,KAAA,GAAQ;AAAA;AAAA,EAEnB,gBAAA,EAAkB,GAAA;AAAA;AAAA,EAElB,mBAAA,EAAqB;AACvB;AAKO,IAAM,UAAA,GAAa;AAAA;AAAA,EAExB,iBAAA,EAAmB,GAAA;AAAA;AAAA,EAEnB,oBAAA,EAAsB,GAAA;AAAA;AAAA,EAEtB,mBAAA,EAAqB,GAAA;AAAA;AAAA,EAErB,eAAA,EAAiB,4CAAA;AAAA;AAAA,EAEjB,aAAA,EAAe,GAAA;AAAA;AAAA,EAEf,aAAA,EAAe;AACjB;AAKO,IAAM,OAAA,GAAU;AAAA;AAAA,EAErB,WAAA,EAAa;AAAA,IACX,oBAAA;AAAA,IACA,mBAAA;AAAA,IACA,kCAAA;AAAA,IACA,6BAAA;AAAA,IACA,iBAAA;AAAA,IACA,mBAAA;AAAA,IACA;AAAA,GACF,CAAE,KAAK,IAAI,CAAA;AAAA;AAAA,EAEX,YAAA,EAAc,OAAA;AAAA;AAAA,EAEd,aAAA,EAAe,MAAA;AAAA;AAAA,EAEf,oBAAA,EAAsB,SAAA;AAAA;AAAA,EAEtB,eAAA,EAAiB,iCAAA;AAAA;AAAA,EAEjB,kBAAA,EAAoB,0CAAA;AAAA;AAAA,EAEpB,aAAA,EAAe;AACjB;AAUO,IAAM,YAAA,GAAe;AAAA;AAAA,EAE1B,mCAAA;AAAA;AAAA,EAEA,kBAAA;AAAA;AAAA,EAEA,gBAAA;AAAA;AAAA,EAEA,sBAAA;AAAA;AAAA,EAEA,WAAA;AAAA;AAAA,EAEA,WAAA;AAAA;AAAA,EAEA,UAAA;AAAA;AAAA,EAEA,sBAAA;AAAA;AAAA,EAEA,aAAA;AAAA;AAAA,EAEA,mBAAA;AAAA;AAAA,EAEA,cAAA;AAAA;AAAA,EAEA,cAAA;AAAA;AAAA,EAEA,cAAA;AAAA;AAAA,EAEA;AACF;AA+CO,IAAM,YAAA,GAAe;AAAA;AAAA,EAE1B,qFAAA;AAAA;AAAA,EAEA,mBAAA;AAAA;AAAA,EAEA,cAAA;AAAA;AAAA,EAEA,wBAAA;AAAA;AAAA,EAEA,8CAAA;AAAA,EACA,oDAAA;AAAA;AAAA,EAEA,yBAAA;AAAA;AAAA,EAEA,+CAAA;AAAA,EACA,qDAAA;AAAA;AAAA,EAEA,2BAAA;AAAA;AAAA,EAEA,oBAAA;AAAA;AAAA,EAEA,mBAAA;AAAA;AAAA,EAEA;AACF;AAKO,IAAM,aAAA,GAAgB;AAAA;AAAA,EAE3B,SAAA;AAAA;AAAA,EAEA,SAAA;AAAA;AAAA,EAEA,UAAA;AAAA;AAAA,EAEA,SAAA;AAAA;AAAA,EAEA,WAAA;AAAA;AAAA,EAEA,cAAA;AAAA,EACA,cAAA;AAAA;AAAA,EAEA,aAAA;AAAA;AAAA,EAEA,SAAA;AAAA;AAAA,EAEA,kBAAA;AAAA;AAAA,EAEA;AACF;AAKO,IAAM,gBAAA,GAAmB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAU9B,SAAA;AAAA;AAAA,EAEA,OAAA;AAAA;AAAA,EAEA;AACF;AAiBO,IAAM,oBAAA,uBAA2B,GAAA,CAAI;AAAA,EAC1C,WAAA;AAAA,EACA,aAAA;AAAA,EACA,WAAA;AAAA,EACA,kBAAA;AAAA,EACA,kBAAA;AAAA,EACA,kBAAA;AAAA,EACA;AACF,CAAC;AAGM,IAAM,oBAAA,uBAA2B,GAAA,CAAI;AAAA;AAAA,EAE1C,KAAA;AAAA,EAAO,MAAA;AAAA,EAAQ,KAAA;AAAA,EAAO,MAAA;AAAA,EAAQ,KAAA;AAAA,EAAO,KAAA;AAAA,EAAO,KAAA;AAAA,EAAO,MAAA;AAAA;AAAA,EAEnD,MAAA;AAAA,EAAQ,KAAA;AAAA,EAAO,MAAA;AAAA,EAAQ,MAAA;AAAA;AAAA,EAEvB,SAAA;AAAA,EAAW,OAAA;AAAA,EAAS,QAAA;AAAA,EAAU,QAAA;AAAA,EAAU,OAAA;AAAA,EAAS,MAAA;AAAA,EAAQ,OAAA;AAAA,EAAS,aAAA;AAAA;AAAA,EAElE,YAAA;AAAA,EAAc,MAAA;AAAA,EAAQ,OAAA;AAAA;AAAA,EAEtB,WAAA;AAAA,EAAa,cAAA;AAAA;AAAA,EAEb,SAAA;AAAA,EAAW,QAAA;AAAA,EAAU,UAAA;AAAA,EAAY,QAAA;AAAA,EAAU,OAAA;AAAA,EAAS,QAAA;AAAA,EAAU,OAAA;AAAA,EAC9D,SAAA;AAAA,EAAW,YAAA;AAAA,EAAc;AAC3B,CAAC;AAKM,IAAM,SAAA,GAAY;AAAA;AAAA,EAEvB,WAAA,EAAa,YAAA;AAAA;AAAA,EAEb,SAAA,EAAW,aAAA;AAAA;AAAA,EAEX,SAAA,EAAW,aAAA;AAAA;AAAA,EAEX,kBAAA,EAAoB,GAAA;AAAA;AAAA,EAEpB,cAAA,sBAAoB,GAAA,CAAI;AAAA,IACtB,UAAA;AAAA,IAAY,QAAA;AAAA,IAAU,KAAA;AAAA,IAAO,QAAA;AAAA,IAAU,OAAA;AAAA,IAAS,QAAA;AAAA,IAChD,SAAA;AAAA,IAAW,QAAA;AAAA,IAAU,MAAA;AAAA,IAAQ,eAAA;AAAA,IAAiB,aAAA;AAAA,IAC9C,YAAA;AAAA,IAAc,IAAA;AAAA,IAAM,KAAA;AAAA,IAAO,iBAAA;AAAA,IAAmB,aAAA;AAAA,IAC9C,YAAA;AAAA,IAAc,cAAA;AAAA,IAAgB,aAAA;AAAA,IAAe,eAAA;AAAA,IAC7C,cAAA;AAAA,IAAgB,QAAA;AAAA,IAAU,KAAA;AAAA,IAAO,SAAA;AAAA,IAAW,QAAA;AAAA,IAC5C,aAAA;AAAA,IAAe,WAAA;AAAA,IAAa;AAAA,GAC7B;AACH;AAKO,IAAM,UAAA,GAAa;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAMxB,KAAA,EAAO,wDAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAMP,GAAA,EAAK,+BAAA;AAAA;AAAA,EAEL,IAAA,EAAM;AACR;AAKO,IAAM,MAAA,GAAS;AAAA;AAAA,EAEpB,qBAAA,EAAuB,uBAAA;AAAA;AAAA,EAEvB,eAAA,EAAiB,CAAC,OAAA,KAAoB,CAAA,8BAAA,EAAiC,OAAO,CAAA,MAAA,CAAA;AAAA;AAAA,EAE9E,UAAA,EAAY;AAAA,IACV,QAAA,EAAU,CAAC,KAAA,KAAkB,CAAA,EAAG,KAAK,CAAA,YAAA,CAAA;AAAA,IACrC,cAAc,CAAC,KAAA,EAAe,SAAiB,CAAA,EAAG,KAAK,cAAc,IAAI,CAAA,CAAA;AAAA,IACzE,YAAY,CAAC,KAAA,EAAe,QAAgB,CAAA,EAAG,KAAK,qBAAqB,GAAG,CAAA,WAAA,CAAA;AAAA,IAC5E,YAAY,CAAC,KAAA,EAAe,QAAgB,CAAA,EAAG,KAAK,oBAAoB,GAAG,CAAA,WAAA,CAAA;AAAA,IAC3E,WAAW,CAAC,KAAA,EAAe,QAAgB,CAAA,EAAG,KAAK,qBAAqB,GAAG,CAAA,CAAA;AAAA,IAC3E,WAAW,CAAC,KAAA,EAAe,QAAgB,CAAA,EAAG,KAAK,oBAAoB,GAAG,CAAA,CAAA;AAAA,IAC1E,cAAA,EAAgB,CAAC,KAAA,KAAkB,CAAA,EAAG,KAAK,CAAA,kBAAA,CAAA;AAAA,IAC3C,aAAA,EAAe,CAAC,KAAA,KAAkB,CAAA,EAAG,KAAK,CAAA,sBAAA,CAAA;AAAA,IAC1C,WAAA,EAAa,CAAC,KAAA,KAAkB,CAAA,EAAG,KAAK,CAAA,oBAAA,CAAA;AAAA,IACxC,YAAA,EAAc,CAAC,KAAA,KAAkB,CAAA,EAAG,KAAK,CAAA,qBAAA,CAAA;AAAA,IACzC,YAAA,EAAc,CAAC,KAAA,EAAe,MAAA,KAAsB,CAAA,EAAG,KAAK,CAAA,iBAAA,EAAoB,MAAA,CAAO,IAAA,CAAK,IAAI,CAAC,CAAA,CAAA;AAAA,IACjG,WAAW,CAAC,KAAA,EAAe,QAAgB,CAAA,EAAG,KAAK,uBAAuB,GAAG,CAAA,MAAA,CAAA;AAAA,IAC7E,WAAW,CAAC,KAAA,EAAe,QAAgB,CAAA,EAAG,KAAK,sBAAsB,GAAG,CAAA,MAAA;AAAA;AAEhF;AAKO,IAAM,OAAA,GAAU;;;ACrUhB,IAAM,UAAA,GAAN,cAAyB,KAAA,CAAM;AAAA,EAMpC,WAAA,CAAY,OAAA,EAAiB,UAAA,GAAa,GAAA,EAAK,OAAO,aAAA,EAAe;AACnE,IAAA,KAAA,CAAM,OAAO,CAAA;AACb,IAAA,IAAA,CAAK,IAAA,GAAO,YAAA;AACZ,IAAA,IAAA,CAAK,UAAA,GAAa,UAAA;AAClB,IAAA,IAAA,CAAK,IAAA,GAAO,IAAA;AAGZ,IAAA,IAAA,CAAK,SAAS,UAAA,GAAa,GAAA;AAG3B,IAAA,IAAI,MAAM,iBAAA,EAAmB;AAC3B,MAAA,KAAA,CAAM,iBAAA,CAAkB,IAAA,EAAM,IAAA,CAAK,WAAW,CAAA;AAAA,IAChD;AAAA,EACF;AACF;AAKO,IAAM,eAAA,GAAN,cAA8B,UAAA,CAAW;AAAA,EAG9C,YAAY,MAAA,EAAkB;AAC5B,IAAA,KAAA,CAAM,mBAAA,EAAqB,KAAK,kBAAkB,CAAA;AAClD,IAAA,IAAA,CAAK,IAAA,GAAO,iBAAA;AACZ,IAAA,IAAA,CAAK,MAAA,GAAS,MAAA;AAAA,EAChB;AACF;AAQO,IAAM,cAAA,GAAN,cAA6B,UAAA,CAAW;AAAA,EAG7C,WAAA,CAAY,SAAiB,UAAA,EAAoB;AAC/C,IAAA,KAAA,CAAM,OAAA,EAAS,KAAK,qBAAqB,CAAA;AACzC,IAAA,IAAA,CAAK,IAAA,GAAO,gBAAA;AACZ,IAAA,IAAA,CAAK,UAAA,GAAa,UAAA;AAAA,EACpB;AACF;AAKO,IAAM,kBAAA,GAAN,cAAiC,UAAA,CAAW;AAAA,EAIjD,WAAA,CAAY,SAAiB,UAAA,EAAoB;AAC/C,IAAA,KAAA,CAAM,CAAA,8BAAA,EAAiC,OAAO,CAAA,MAAA,CAAA,EAAU,GAAA,EAAK,iBAAiB,CAAA;AAC9E,IAAA,IAAA,CAAK,IAAA,GAAO,oBAAA;AACZ,IAAA,IAAA,CAAK,OAAA,GAAU,OAAA;AACf,IAAA,IAAA,CAAK,UAAA,GAAa,UAAA;AAAA,EACpB;AACF;AAKO,IAAM,mBAAA,GAAN,cAAkC,UAAA,CAAW;AAAA,EAIlD,WAAA,CAAY,YAAoB,OAAA,EAAiB;AAC/C,IAAA,KAAA,CAAM,sCAAA,EAAwC,KAAK,iBAAiB,CAAA;AACpE,IAAA,IAAA,CAAK,IAAA,GAAO,qBAAA;AACZ,IAAA,IAAA,CAAK,UAAA,GAAa,UAAA;AAClB,IAAA,IAAA,CAAK,OAAA,GAAU,OAAA;AAAA,EACjB;AACF;AAKO,IAAM,iBAAA,GAAN,cAAgC,UAAA,CAAW;AAAA,EAChD,YAAY,OAAA,EAAiB;AAC3B,IAAA,KAAA,CAAM,OAAA,EAAS,KAAK,oBAAoB,CAAA;AACxC,IAAA,IAAA,CAAK,IAAA,GAAO,mBAAA;AAAA,EACd;AACF","file":"index.js","sourcesContent":["/**\n * @module @arcis/node/core/constants\n * Named constants for Arcis - no magic numbers\n */\n\n// =============================================================================\n// INPUT LIMITS\n// =============================================================================\nexport const INPUT = {\n  /** Default maximum input size (1MB) */\n  DEFAULT_MAX_SIZE: 1_000_000,\n  /** Maximum recursion depth for nested objects */\n  MAX_RECURSION_DEPTH: 10,\n} as const;\n\n// =============================================================================\n// RATE LIMITING\n// =============================================================================\nexport const RATE_LIMIT = {\n  /** Default window size (1 minute) */\n  DEFAULT_WINDOW_MS: 60_000,\n  /** Default max requests per window */\n  DEFAULT_MAX_REQUESTS: 100,\n  /** Default HTTP status code for rate limited responses */\n  DEFAULT_STATUS_CODE: 429,\n  /** Default error message */\n  DEFAULT_MESSAGE: 'Too many requests, please try again later.',\n  /** Minimum window size (1 second) */\n  MIN_WINDOW_MS: 1_000,\n  /** Maximum window size (24 hours) */\n  MAX_WINDOW_MS: 86_400_000,\n} as const;\n\n// =============================================================================\n// SECURITY HEADERS\n// =============================================================================\nexport const HEADERS = {\n  /** Default Content Security Policy */\n  DEFAULT_CSP: [\n    \"default-src 'self'\",\n    \"script-src 'self'\",\n    \"style-src 'self' 'unsafe-inline'\",\n    \"img-src 'self' data: https:\",\n    \"font-src 'self'\",\n    \"object-src 'none'\",\n    \"frame-ancestors 'none'\",\n  ].join('; '),\n  /** Default HSTS max age (1 year in seconds) */\n  HSTS_MAX_AGE: 31_536_000,\n  /** Default X-Frame-Options value */\n  FRAME_OPTIONS: 'DENY' as const,\n  /** Default X-Content-Type-Options value */\n  CONTENT_TYPE_OPTIONS: 'nosniff',\n  /** Default Referrer-Policy value */\n  REFERRER_POLICY: 'strict-origin-when-cross-origin',\n  /** Default Permissions-Policy value */\n  PERMISSIONS_POLICY: 'geolocation=(), microphone=(), camera=()',\n  /** Default Cache-Control value for security */\n  CACHE_CONTROL: 'no-store, no-cache, must-revalidate, proxy-revalidate',\n} as const;\n\n// =============================================================================\n// XSS PATTERNS (ReDoS-safe)\n// =============================================================================\n\n/**\n * Detection patterns — used to flag whether a string contains XSS payloads.\n * Must stay in sync with XSS_REMOVE_PATTERNS below.\n */\nexport const XSS_PATTERNS = [\n  /** Script tags (ReDoS-safe version) */\n  /<script[^>]*>[\\s\\S]*?<\\/script>/gi,\n  /** javascript: protocol (allow optional spaces before colon) */\n  /javascript\\s*:/gi,\n  /** vbscript: protocol */\n  /vbscript\\s*:/gi,\n  /** Event handlers (onclick, onerror, etc.) — any separator before attribute */\n  /(?:[\\s/])on\\w+\\s*=/gi,\n  /** iframe tags */\n  /<iframe/gi,\n  /** object tags */\n  /<object/gi,\n  /** embed tags */\n  /<embed/gi,\n  /** data: URIs (only dangerous ones, avoid false positives) */\n  /(?:^|[\\s\"'=])data:/gi,\n  /** URL-encoded script tags */\n  /%3Cscript/gi,\n  /** SVG with onload */\n  /<svg[^>]*onload/gi,\n  /** form tags — phishing/credential harvesting via action= redirection */\n  /<form[\\s>]/gi,\n  /** meta tags — http-equiv refresh redirects or CSP bypass */\n  /<meta[\\s>]/gi,\n  /** base href hijacking — redirects all relative URLs to attacker domain */\n  /<base[\\s>]/gi,\n  /** link tag injection — stylesheet or preload CSRF attacks */\n  /<link[\\s>]/gi,\n] as const;\n\n/**\n * Removal patterns — used by sanitizeXss() to strip dangerous content.\n * More targeted than XSS_PATTERNS: each pattern captures the full dangerous\n * substring (tag, attribute + value, protocol) so it can be replaced safely.\n * Must stay in sync with XSS_PATTERNS above.\n */\nexport const XSS_REMOVE_PATTERNS = [\n  /** Full script blocks (content + tags) */\n  /<script[^>]*>[\\s\\S]*?<\\/script>/gi,\n  /** Standalone/unclosed script tags */\n  /<script[^>]*>/gi,\n  /** iframe — full block and partial/unclosed */\n  /<iframe[^>]*>[\\s\\S]*?<\\/iframe>/gi,\n  /<iframe[^>]*/gi,\n  /** object — full block and partial/unclosed */\n  /<object[^>]*>[\\s\\S]*?<\\/object>/gi,\n  /<object[^>]*/gi,\n  /** embed tags */\n  /<embed[^>]*/gi,\n  /** SVG with inline event handlers */\n  /<svg[^>]*onload[^>]*>/gi,\n  /** URL-encoded script tags */\n  /%3Cscript/gi,\n  /** Event handlers with quoted values: onclick=\"...\", onerror='...' */\n  /(?:[\\s/])on\\w+\\s*=\\s*[\"'][^\"']*[\"']/gi,\n  /** Event handlers with unquoted values: onload=value */\n  /(?:[\\s/])on\\w+\\s*=\\s*[^\\s>]*/gi,\n  /** javascript: and vbscript: protocols (allow optional spaces before colon) */\n  /javascript\\s*:/gi,\n  /vbscript\\s*:/gi,\n  /** data: URIs with HTML/script content */\n  /data\\s*:\\s*text\\/html[^>\\s]*/gi,\n  /** form tag injection — phishing via action= redirection */\n  /<form[\\s>][^>]*/gi,\n  /** meta tag injection — http-equiv refresh or CSP bypass */\n  /<meta[\\s>][^>]*/gi,\n  /** base href hijacking */\n  /<base[\\s>][^>]*/gi,\n  /** link tag injection — stylesheet or preload attacks */\n  /<link[\\s>][^>]*/gi,\n] as const;\n\n// =============================================================================\n// SQL INJECTION PATTERNS\n// =============================================================================\nexport const SQL_PATTERNS = [\n  /** SQL keywords */\n  /(\\b(SELECT|INSERT|UPDATE|DELETE|DROP|UNION|ALTER|CREATE|TRUNCATE|EXEC|EXECUTE)\\b)/gi,\n  /** SQL comments: ANSI (--), C-style (slash-star ... star-slash), MySQL (#) */\n  /(--|\\/\\*|\\*\\/|#)/g,\n  /** SQL statement separators */\n  /(;|\\|\\||&&)/g,\n  /** Boolean injection: OR 1=1 */\n  /\\bOR\\s+\\d+\\s*=\\s*\\d+/gi,\n  /** Boolean injection: OR 'a'='a' or OR \"a\"=\"a\" (including mixed quotes) */\n  /\\bOR\\s+(['\"])[^'\"]*\\1\\s*=\\s*(['\"])[^'\"]*\\2/gi,\n  /\\bOR\\s+('[^']*'|\"[^\"]*\")\\s*=\\s*('[^']*'|\"[^\"]*\")/gi,\n  /** Boolean injection: AND 1=1 */\n  /\\bAND\\s+\\d+\\s*=\\s*\\d+/gi,\n  /** Boolean injection: AND 'a'='a' or AND \"a\"=\"a\" (including mixed quotes) */\n  /\\bAND\\s+(['\"])[^'\"]*\\1\\s*=\\s*(['\"])[^'\"]*\\2/gi,\n  /\\bAND\\s+('[^']*'|\"[^\"]*\")\\s*=\\s*('[^']*'|\"[^\"]*\")/gi,\n  /** Time-based blind: SLEEP() */\n  /\\bSLEEP\\s*\\(\\s*\\d+\\s*\\)/gi,\n  /** Time-based blind: BENCHMARK() */\n  /\\bBENCHMARK\\s*\\(/gi,\n  /** Time-based blind: PostgreSQL pg_sleep() */\n  /\\bpg_sleep\\s*\\(/gi,\n  /** Time-based blind: MSSQL WAITFOR DELAY */\n  /\\bWAITFOR\\s+DELAY\\b/gi,\n] as const;\n\n// =============================================================================\n// PATH TRAVERSAL PATTERNS\n// =============================================================================\nexport const PATH_PATTERNS = [\n  /** Unix path traversal */\n  /\\.\\.\\//g,\n  /** Windows path traversal */\n  /\\.\\.\\\\/g,\n  /** URL-encoded traversal (%2e%2e) */\n  /%2e%2e/gi,\n  /** Double URL-encoded traversal (%252e) */\n  /%252e/gi,\n  /** Mixed encoding: ..%2F */\n  /\\.\\.%2F/gi,\n  /** Mixed encoding: %2e./ and .%2e/ */\n  /%2e\\.[\\\\/]/gi,\n  /\\.%2e[\\\\/]/gi,\n  /** Fully URL-encoded: %2e%2e%2f */\n  /%2e%2e%2f/gi,\n  /** Double URL-encoded forward slash: %252f */\n  /%252f/gi,\n  /** Dotdotslash bypass: ....// or ....\\\\ */\n  /\\.{2,}[/\\\\]{2,}/g,\n  /** Null byte injection in paths */\n  /\\0/g,\n] as const;\n\n// =============================================================================\n// COMMAND INJECTION PATTERNS\n// =============================================================================\nexport const COMMAND_PATTERNS = [\n  /**\n   * Shell metacharacters that enable command chaining/substitution.\n   * Bare ( and ) are excluded — they appear in common legitimate values\n   * (function calls in code fields, math expressions, etc.).\n   * Command substitution is caught by the $( combined pattern below.\n   * NOTE: ';', '&', '|' may appear in legitimate URL query strings\n   * and Markdown; consider disabling command checking (command: false)\n   * for fields that intentionally allow those characters.\n   */\n  /[;&|`]/g,\n  /** Command substitution: $( ... ) — matched as a pair to reduce false positives */\n  /\\$\\(/g,\n  /** URL-encoded control characters (%00-%0F): null, tab, vtab, formfeed, LF, CR */\n  /%0[0-9a-f]/gi,\n] as const;\n\n// =============================================================================\n// DANGEROUS KEYS\n// =============================================================================\n\n/**\n * Prototype pollution keys to block.\n * Stored lowercase — always compare with key.toLowerCase().\n *\n * Includes:\n * - __proto__: direct prototype assignment\n * - constructor: access to constructor.prototype chain\n * - prototype: direct prototype property\n * - __defineGetter__/__defineSetter__: legacy property definition (can override getters/setters)\n * - __lookupGetter__/__lookupSetter__: legacy property introspection\n */\nexport const DANGEROUS_PROTO_KEYS = new Set([\n  '__proto__',\n  'constructor',\n  'prototype',\n  '__definegetter__',\n  '__definesetter__',\n  '__lookupgetter__',\n  '__lookupsetter__',\n]);\n\n/** MongoDB operators to block */\nexport const NOSQL_DANGEROUS_KEYS = new Set([\n  // Comparison\n  '$gt', '$gte', '$lt', '$lte', '$ne', '$eq', '$in', '$nin',\n  // Logical\n  '$and', '$or', '$not', '$nor',\n  // Element / evaluation\n  '$exists', '$type', '$regex', '$where', '$expr', '$mod', '$text', '$jsonSchema',\n  // Array\n  '$elemMatch', '$all', '$size',\n  // JavaScript execution (critical)\n  '$function', '$accumulator',\n  // Aggregation pipeline operators (injectable via $lookup etc.)\n  '$lookup', '$match', '$project', '$group', '$sort', '$limit', '$skip',\n  '$unwind', '$addFields', '$replaceRoot',\n]);\n\n// =============================================================================\n// REDACTION\n// =============================================================================\nexport const REDACTION = {\n  /** Replacement text for redacted values */\n  REPLACEMENT: '[REDACTED]',\n  /** Truncation indicator */\n  TRUNCATED: '[TRUNCATED]',\n  /** Max depth indicator */\n  MAX_DEPTH: '[MAX_DEPTH]',\n  /** Default max message length */\n  DEFAULT_MAX_LENGTH: 10_000,\n  /** Default sensitive keys to redact */\n  SENSITIVE_KEYS: new Set([\n    'password', 'passwd', 'pwd', 'secret', 'token', 'apikey',\n    'api_key', 'apiKey', 'auth', 'authorization', 'credit_card',\n    'creditcard', 'cc', 'ssn', 'social_security', 'private_key',\n    'privateKey', 'access_token', 'accessToken', 'refresh_token',\n    'refreshToken', 'bearer', 'jwt', 'session', 'cookie',\n    'credentials', 'x-api-key', 'x-auth-token',\n  ]),\n} as const;\n\n// =============================================================================\n// VALIDATION PATTERNS\n// =============================================================================\nexport const VALIDATION = {\n  /**\n   * Email regex pattern.\n   * Rejects consecutive dots in local part (e.g. test..foo@example.com),\n   * leading/trailing dots, and other common invalid forms.\n   */\n  EMAIL: /^[^\\s@.][^\\s@]*(?:\\.[^\\s@.][^\\s@]*)*@[^\\s@]+\\.[^\\s@]+$/,\n  /**\n   * URL regex pattern.\n   * Only allows http:// and https:// — explicitly rejects javascript:,\n   * data:, vbscript:, and other dangerous URI schemes.\n   */\n  URL: /^https?:\\/\\/[^\\s/$.?#][^\\s]*$/,\n  /** UUID regex pattern (v4) */\n  UUID: /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i,\n} as const;\n\n// =============================================================================\n// ERROR MESSAGES\n// =============================================================================\nexport const ERRORS = {\n  /** Generic error message (production) */\n  INTERNAL_SERVER_ERROR: 'Internal Server Error',\n  /** Input too large error */\n  INPUT_TOO_LARGE: (maxSize: number) => `Input exceeds maximum size of ${maxSize} bytes`,\n  /** Validation error messages */\n  VALIDATION: {\n    REQUIRED: (field: string) => `${field} is required`,\n    INVALID_TYPE: (field: string, type: string) => `${field} must be a ${type}`,\n    MIN_LENGTH: (field: string, min: number) => `${field} must be at least ${min} characters`,\n    MAX_LENGTH: (field: string, max: number) => `${field} must be at most ${max} characters`,\n    MIN_VALUE: (field: string, min: number) => `${field} must be at least ${min}`,\n    MAX_VALUE: (field: string, max: number) => `${field} must be at most ${max}`,\n    INVALID_FORMAT: (field: string) => `${field} format is invalid`,\n    INVALID_EMAIL: (field: string) => `${field} must be a valid email`,\n    INVALID_URL: (field: string) => `${field} must be a valid URL`,\n    INVALID_UUID: (field: string) => `${field} must be a valid UUID`,\n    INVALID_ENUM: (field: string, values: unknown[]) => `${field} must be one of: ${values.join(', ')}`,\n    MIN_ITEMS: (field: string, min: number) => `${field} must have at least ${min} items`,\n    MAX_ITEMS: (field: string, max: number) => `${field} must have at most ${max} items`,\n  },\n} as const;\n\n// =============================================================================\n// BLOCKED TEXT (for sanitizer replacements)\n// =============================================================================\nexport const BLOCKED = '[BLOCKED]' as const;\n","/**\n * @module @arcis/node/core/errors\n * Custom error classes for Arcis\n */\n\n/**\n * Base class for all Arcis errors\n */\nexport class ArcisError extends Error {\n  public readonly statusCode: number;\n  public readonly code: string;\n  /** Whether the error message is safe to expose to API clients. */\n  public readonly expose: boolean;\n\n  constructor(message: string, statusCode = 500, code = 'ARCIS_ERROR') {\n    super(message);\n    this.name = 'ArcisError';\n    this.statusCode = statusCode;\n    this.code = code;\n    // Client errors (4xx) have controlled messages — safe to expose.\n    // Server errors (5xx) may contain internal details — hide by default.\n    this.expose = statusCode < 500;\n\n    // Maintains proper stack trace for where error was thrown (V8 engines)\n    if (Error.captureStackTrace) {\n      Error.captureStackTrace(this, this.constructor);\n    }\n  }\n}\n\n/**\n * Error thrown when input validation fails\n */\nexport class ValidationError extends ArcisError {\n  public readonly errors: string[];\n\n  constructor(errors: string[]) {\n    super('Validation failed', 400, 'VALIDATION_ERROR');\n    this.name = 'ValidationError';\n    this.errors = errors;\n  }\n}\n\n/** Alias for ValidationError (backwards compatibility) */\nexport { ValidationError as ArcisValidationError };\n\n/**\n * Error thrown when rate limit is exceeded\n */\nexport class RateLimitError extends ArcisError {\n  public readonly retryAfter: number;\n\n  constructor(message: string, retryAfter: number) {\n    super(message, 429, 'RATE_LIMIT_EXCEEDED');\n    this.name = 'RateLimitError';\n    this.retryAfter = retryAfter;\n  }\n}\n\n/**\n * Error thrown when input is too large\n */\nexport class InputTooLargeError extends ArcisError {\n  public readonly maxSize: number;\n  public readonly actualSize: number;\n\n  constructor(maxSize: number, actualSize: number) {\n    super(`Input exceeds maximum size of ${maxSize} bytes`, 413, 'INPUT_TOO_LARGE');\n    this.name = 'InputTooLargeError';\n    this.maxSize = maxSize;\n    this.actualSize = actualSize;\n  }\n}\n\n/**\n * Error thrown when security threat is detected\n */\nexport class SecurityThreatError extends ArcisError {\n  public readonly threatType: string;\n  public readonly pattern: string;\n\n  constructor(threatType: string, pattern: string) {\n    super('Request blocked for security reasons', 400, 'SECURITY_THREAT');\n    this.name = 'SecurityThreatError';\n    this.threatType = threatType;\n    this.pattern = pattern;\n  }\n}\n\n/**\n * Error thrown when sanitization fails\n */\nexport class SanitizationError extends ArcisError {\n  constructor(message: string) {\n    super(message, 400, 'SANITIZATION_ERROR');\n    this.name = 'SanitizationError';\n  }\n}\n"]}

package/dist/core/index.mjs

@@ -63,7 +63,15 @@ var XSS_PATTERNS = [
   /** URL-encoded script tags */
   /%3Cscript/gi,
   /** SVG with onload */
-  /<svg[^>]*onload/gi
+  /<svg[^>]*onload/gi,
+  /** form tags — phishing/credential harvesting via action= redirection */
+  /<form[\s>]/gi,
+  /** meta tags — http-equiv refresh redirects or CSP bypass */
+  /<meta[\s>]/gi,
+  /** base href hijacking — redirects all relative URLs to attacker domain */
+  /<base[\s>]/gi,
+  /** link tag injection — stylesheet or preload CSRF attacks */
+  /<link[\s>]/gi
 ];
 var SQL_PATTERNS = [
   /** SQL keywords */
@@ -127,8 +135,8 @@ var COMMAND_PATTERNS = [
   /[;&|`]/g,
   /** Command substitution: $( ... ) — matched as a pair to reduce false positives */
   /\$\(/g,
-  /** URL-encoded newline/carriage-return injection (%0a, %0d) */
-  /%0[ad]/gi
+  /** URL-encoded control characters (%00-%0F): null, tab, vtab, formfeed, LF, CR */
+  /%0[0-9a-f]/gi
 ];
 var DANGEROUS_PROTO_KEYS = /* @__PURE__ */ new Set([
   "__proto__",