@arcis/node 1.4.3 → 1.4.4

package/dist/cli/arcis.mjs

@@ -0,0 +1,309 @@
+#!/usr/bin/env node
+import { spawnSync } from 'child_process';
+import { readFileSync } from 'fs';
+import { dirname, resolve } from 'path';
+import { fileURLToPath } from 'url';
+
+var USE_COLOR = !process.env.NO_COLOR && process.stdout.isTTY === true;
+function c(text, ...codes) {
+  if (!USE_COLOR) return text;
+  return codes.join("") + text + "\x1B[0m";
+}
+var BOLD = "\x1B[1m";
+var DIM = "\x1B[2m";
+var GREEN = "\x1B[32m";
+var YELLOW = "\x1B[33m";
+var CYAN = "\x1B[36m";
+var RED = "\x1B[31m";
+function getInstalledVersion() {
+  try {
+    const here = fileURLToPath(import.meta.url);
+    let dir = dirname(here);
+    for (let i = 0; i < 6; i++) {
+      try {
+        const raw = readFileSync(resolve(dir, "package.json"), "utf-8");
+        const pkg = JSON.parse(raw);
+        if (pkg.name === "@arcis/node" && pkg.version) {
+          return pkg.version;
+        }
+      } catch {
+      }
+      const parent = resolve(dir, "..");
+      if (parent === dir) break;
+      dir = parent;
+    }
+  } catch {
+  }
+  return "?";
+}
+async function fetchLatestVersion() {
+  try {
+    const controller = new AbortController();
+    const timer = setTimeout(() => controller.abort(), 5e3);
+    try {
+      const resp = await fetch("https://registry.npmjs.org/@arcis/node", {
+        headers: { Accept: "application/json" },
+        signal: controller.signal
+      });
+      if (!resp.ok) return null;
+      const data = await resp.json();
+      return data["dist-tags"]?.latest ?? null;
+    } finally {
+      clearTimeout(timer);
+    }
+  } catch {
+    return null;
+  }
+}
+function parseVersion(v) {
+  const parts = v.split(".");
+  const out = [];
+  for (const p of parts) {
+    if (!/^\d+$/.test(p)) return null;
+    out.push(Number(p));
+  }
+  return out;
+}
+function versionCompare(a, b) {
+  const len = Math.max(a.length, b.length);
+  for (let i = 0; i < len; i++) {
+    const x = a[i] ?? 0;
+    const y = b[i] ?? 0;
+    if (x < y) return -1;
+    if (x > y) return 1;
+  }
+  return 0;
+}
+function hasPythonArcis() {
+  const probes = [
+    { cmd: "arcis", args: ["--version"] },
+    { cmd: "python", args: ["-m", "arcis.cli", "--version"] },
+    { cmd: "python3", args: ["-m", "arcis.cli", "--version"] }
+  ];
+  for (const p of probes) {
+    try {
+      const result = spawnSync(p.cmd, p.args, {
+        stdio: ["ignore", "ignore", "ignore"],
+        timeout: 3e3,
+        shell: process.platform === "win32"
+      });
+      if (result.status === 0) return true;
+    } catch {
+    }
+  }
+  return false;
+}
+function forwardToPython(args) {
+  const candidates = [
+    { cmd: "arcis", args },
+    { cmd: "python", args: ["-m", "arcis.cli", ...args] },
+    { cmd: "python3", args: ["-m", "arcis.cli", ...args] }
+  ];
+  for (const cand of candidates) {
+    const result = spawnSync(cand.cmd, cand.args, {
+      stdio: "inherit",
+      shell: process.platform === "win32"
+    });
+    if (result.error) continue;
+    process.exit(result.status ?? 0);
+  }
+  console.error(
+    c("arcis: could not invoke the Python CLI. Install with:", RED, BOLD)
+  );
+  console.error("  pip install arcis");
+  process.exit(127);
+}
+function printCatalog(verbose) {
+  const ver = getInstalledVersion();
+  console.log();
+  console.log(`  ${c("Arcis", BOLD, CYAN)}  ${c(`v${ver}`, DIM)}  ${c("(node)", DIM)}`);
+  console.log(c("  Zero-dep security middleware + scanners.", DIM));
+  console.log();
+  console.log(c("  Commands", BOLD));
+  const rows = [
+    [
+      "scan",
+      "Send live attack payloads to a running app.",
+      "arcis scan http://localhost:8000 --route POST:/echo --field q"
+    ],
+    [
+      "audit",
+      "Static-analyse Python / JS / TS source for unsafe patterns.",
+      "arcis audit ."
+    ],
+    [
+      "sca",
+      "Match installed dependencies against the supply-chain threat DB.",
+      "arcis sca ."
+    ],
+    ["update", "Check npm for a newer @arcis/node release.", "arcis update --apply"]
+  ];
+  for (const [name, desc, example] of rows) {
+    console.log(`    ${c(name.padEnd(8), BOLD, GREEN)} ${desc}`);
+    if (verbose) {
+      console.log(`             ${c(example, DIM)}`);
+    }
+  }
+  console.log();
+  console.log(c("  Discovery", BOLD));
+  console.log(`    ${c("--list", BOLD, CYAN).padEnd(24)} Show this catalog (verbose).`);
+  console.log(
+    `    ${c("<cmd> --help", BOLD, CYAN).padEnd(24)} Show full flags for that command.`
+  );
+  console.log();
+  console.log(c("  Note", BOLD));
+  console.log(
+    `    scan/audit/sca delegate to the Python CLI (canonical impl).`
+  );
+  console.log(`    Install once with:  ${c("pip install arcis", GREEN)}`);
+  console.log();
+}
+async function updateCommand(args) {
+  const apply = args.includes("--apply");
+  const check = args.includes("--check");
+  const yes = args.includes("--yes") || args.includes("-y");
+  const current = getInstalledVersion();
+  const latest = await fetchLatestVersion();
+  if (check) {
+    if (latest === null) {
+      console.error("arcis: could not reach npm to check for updates");
+      process.exitCode = 2;
+      return;
+    }
+    const cur2 = parseVersion(current);
+    const lat2 = parseVersion(latest);
+    if (!cur2 || !lat2 || versionCompare(cur2, lat2) >= 0) {
+      console.log(`@arcis/node ${current} is up-to-date`);
+      process.exitCode = 0;
+      return;
+    }
+    console.error(`@arcis/node ${current} is outdated; latest is ${latest}`);
+    process.exitCode = 1;
+    return;
+  }
+  console.log();
+  console.log(c("  @arcis/node update check", BOLD, CYAN));
+  console.log(c("  Source: https://registry.npmjs.org/@arcis/node", DIM));
+  console.log();
+  if (latest === null) {
+    console.log(`    Installed   @arcis/node ${current}`);
+    console.log(
+      `    Latest      ${c("? unreachable", YELLOW)}  ${c("(network error or npm down)", DIM)}`
+    );
+    console.log();
+    console.log(c("  Try again later, or run 'npm view @arcis/node version' directly.", DIM));
+    console.log();
+    process.exitCode = 2;
+    return;
+  }
+  const cur = parseVersion(current);
+  const lat = parseVersion(latest);
+  if (!cur || !lat) {
+    console.log(
+      `    Installed   @arcis/node ${current}  ${c("(pre-release or unparseable)", DIM)}`
+    );
+    console.log(`    Latest      @arcis/node ${latest}`);
+    console.log();
+    console.log(c("  Skipping comparison \u2014 manually decide.", DIM));
+    console.log();
+    process.exitCode = 0;
+    return;
+  }
+  if (versionCompare(cur, lat) >= 0) {
+    console.log(`    Installed   @arcis/node ${current}`);
+    console.log(`    Latest      @arcis/node ${latest}`);
+    console.log();
+    console.log(c("  You are on the latest version.", BOLD, GREEN));
+    console.log();
+    process.exitCode = 0;
+    return;
+  }
+  console.log(`    Installed   @arcis/node ${current}`);
+  console.log(
+    `    Latest      ${c(`@arcis/node ${latest}`, BOLD)}  ${c("(update available)", YELLOW)}`
+  );
+  console.log();
+  console.log(c("  Run to upgrade", BOLD));
+  console.log(`    ${c("npm install @arcis/node@latest", GREEN)}`);
+  console.log();
+  if (!apply) {
+    console.log(c("  Or rerun: 'arcis update --apply' to upgrade in place.", DIM));
+    console.log();
+    process.exitCode = 1;
+    return;
+  }
+  if (!yes && process.stdin.isTTY) {
+    process.stdout.write("Upgrade now? [y/N] ");
+    const response = await new Promise((res) => {
+      process.stdin.once("data", (chunk) => res(chunk.toString().trim().toLowerCase()));
+    });
+    if (!response.startsWith("y")) {
+      process.exitCode = 1;
+      return;
+    }
+  }
+  const npmCmd = process.platform === "win32" ? "npm.cmd" : "npm";
+  console.log(`  $ ${npmCmd} install @arcis/node@latest`);
+  const result = spawnSync(npmCmd, ["install", "@arcis/node@latest"], {
+    stdio: "inherit"
+  });
+  process.exitCode = result.status ?? 1;
+}
+async function main() {
+  const args = process.argv.slice(2);
+  if (args.length === 0) {
+    printCatalog(false);
+    process.exit(0);
+  }
+  const arg0 = args[0];
+  if (arg0 === "--list" || arg0 === "-l") {
+    printCatalog(true);
+    process.exit(0);
+  }
+  if (arg0 === "-h" || arg0 === "--help") {
+    printCatalog(false);
+    console.log(c("  Run 'arcis <command> --help' for full flags.", DIM));
+    console.log();
+    process.exit(0);
+  }
+  if (arg0 === "-V" || arg0 === "--version") {
+    console.log(getInstalledVersion());
+    process.exit(0);
+  }
+  if (arg0 === "update") {
+    await updateCommand(args.slice(1));
+    return;
+  }
+  if (arg0 === "scan" || arg0 === "audit" || arg0 === "sca") {
+    if (!hasPythonArcis()) {
+      console.error(
+        c(
+          `arcis: '${arg0}' is implemented by the Python CLI. Install with:`,
+          YELLOW,
+          BOLD
+        )
+      );
+      console.error("  pip install arcis");
+      console.error();
+      console.error(c("Why: scan/audit/sca rely on Python's threat-DB and rule data.", DIM));
+      console.error(
+        c(
+          "@arcis/node implements the middleware + dashboard upload \u2014 see the docs.",
+          DIM
+        )
+      );
+      process.exit(127);
+    }
+    forwardToPython(args);
+    return;
+  }
+  console.error(`arcis: unknown command '${arg0}'`);
+  console.error("Run 'arcis --list' for available commands.");
+  process.exit(1);
+}
+main().catch((err) => {
+  console.error(c(`arcis: unexpected error: ${err}`, RED));
+  process.exit(1);
+});
+//# sourceMappingURL=arcis.mjs.map
+//# sourceMappingURL=arcis.mjs.map

package/dist/cli/arcis.mjs.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../../src/cli/arcis.ts"],"names":["cur","lat"],"mappings":";;;;;;AA6BA,IAAM,YACJ,CAAC,OAAA,CAAQ,IAAI,QAAA,IAAY,OAAA,CAAQ,OAAO,KAAA,KAAU,IAAA;AAEpD,SAAS,CAAA,CAAE,SAAiB,KAAA,EAAyB;AACnD,EAAA,IAAI,CAAC,WAAW,OAAO,IAAA;AACvB,EAAA,OAAO,KAAA,CAAM,IAAA,CAAK,EAAE,CAAA,GAAI,IAAA,GAAO,SAAA;AACjC;AAEA,IAAM,IAAA,GAAO,SAAA;AACb,IAAM,GAAA,GAAM,SAAA;AACZ,IAAM,KAAA,GAAQ,UAAA;AACd,IAAM,MAAA,GAAS,UAAA;AACf,IAAM,IAAA,GAAO,UAAA;AACb,IAAM,GAAA,GAAM,UAAA;AAIZ,SAAS,mBAAA,GAA8B;AAGrC,EAAA,IAAI;AACF,IAAA,MAAM,IAAA,GAAO,aAAA,CAAc,MAAA,CAAA,IAAA,CAAY,GAAG,CAAA;AAE1C,IAAA,IAAI,GAAA,GAAM,QAAQ,IAAI,CAAA;AACtB,IAAA,KAAA,IAAS,CAAA,GAAI,CAAA,EAAG,CAAA,GAAI,CAAA,EAAG,CAAA,EAAA,EAAK;AAC1B,MAAA,IAAI;AACF,QAAA,MAAM,MAAM,YAAA,CAAa,OAAA,CAAQ,GAAA,EAAK,cAAc,GAAG,OAAO,CAAA;AAC9D,QAAA,MAAM,GAAA,GAAM,IAAA,CAAK,KAAA,CAAM,GAAG,CAAA;AAC1B,QAAA,IAAI,GAAA,CAAI,IAAA,KAAS,aAAA,IAAiB,GAAA,CAAI,OAAA,EAAS;AAC7C,UAAA,OAAO,GAAA,CAAI,OAAA;AAAA,QACb;AAAA,MACF,CAAA,CAAA,MAAQ;AAAA,MAER;AACA,MAAA,MAAM,MAAA,GAAS,OAAA,CAAQ,GAAA,EAAK,IAAI,CAAA;AAChC,MAAA,IAAI,WAAW,GAAA,EAAK;AACpB,MAAA,GAAA,GAAM,MAAA;AAAA,IACR;AAAA,EACF,CAAA,CAAA,MAAQ;AAAA,EAER;AACA,EAAA,OAAO,GAAA;AACT;AAMA,eAAe,kBAAA,GAA6C;AAC1D,EAAA,IAAI;AACF,IAAA,MAAM,UAAA,GAAa,IAAI,eAAA,EAAgB;AACvC,IAAA,MAAM,QAAQ,UAAA,CAAW,MAAM,UAAA,CAAW,KAAA,IAAS,GAAK,CAAA;AACxD,IAAA,IAAI;AACF,MAAA,MAAM,IAAA,GAAO,MAAM,KAAA,CAAM,wCAAA,EAA0C;AAAA,QACjE,OAAA,EAAS,EAAE,MAAA,EAAQ,kBAAA,EAAmB;AAAA,QACtC,QAAQ,UAAA,CAAW;AAAA,OACpB,CAAA;AACD,MAAA,IAAI,CAAC,IAAA,CAAK,EAAA,EAAI,OAAO,IAAA;AACrB,MAAA,MAAM,IAAA,GAAQ,MAAM,IAAA,CAAK,IAAA,EAAK;AAC9B,MAAA,OAAO,IAAA,CAAK,WAAW,CAAA,EAAG,MAAA,IAAU,IAAA;AAAA,IACtC,CAAA,SAAE;AACA,MAAA,YAAA,CAAa,KAAK,CAAA;AAAA,IACpB;AAAA,EACF,CAAA,CAAA,MAAQ;AACN,IAAA,OAAO,IAAA;AAAA,EACT;AACF;AAEA,SAAS,aAAa,CAAA,EAA4B;AAChD,EAAA,MAAM,KAAA,GAAQ,CAAA,CAAE,KAAA,CAAM,GAAG,CAAA;AACzB,EAAA,MAAM,MAAgB,EAAC;AACvB,EAAA,KAAA,MAAW,KAAK,KAAA,EAAO;AACrB,IAAA,IAAI,CAAC,OAAA,CAAQ,IAAA,CAAK,CAAC,GAAG,OAAO,IAAA;AAC7B,IAAA,GAAA,CAAI,IAAA,CAAK,MAAA,CAAO,CAAC,CAAC,CAAA;AAAA,EACpB;AACA,EAAA,OAAO,GAAA;AACT;AAEA,SAAS,cAAA,CAAe,GAAa,CAAA,EAAqB;AACxD,EAAA,MAAM,MAAM,IAAA,CAAK,GAAA,CAAI,CAAA,CAAE,MAAA,EAAQ,EAAE,MAAM,CAAA;AACvC,EAAA,KAAA,IAAS,CAAA,GAAI,CAAA,EAAG,CAAA,GAAI,GAAA,EAAK,CAAA,EAAA,EAAK;AAC5B,IAAA,MAAM,CAAA,GAAI,CAAA,CAAE,CAAC,CAAA,IAAK,CAAA;AAClB,IAAA,MAAM,CAAA,GAAI,CAAA,CAAE,CAAC,CAAA,IAAK,CAAA;AAClB,IAAA,IAAI,CAAA,GAAI,GAAG,OAAO,EAAA;AAClB,IAAA,IAAI,CAAA,GAAI,GAAG,OAAO,CAAA;AAAA,EACpB;AACA,EAAA,OAAO,CAAA;AACT;AAIA,SAAS,cAAA,GAA0B;AAGjC,EAAA,MAAM,MAAA,GAAiD;AAAA,IACrD,EAAE,GAAA,EAAK,OAAA,EAAS,IAAA,EAAM,CAAC,WAAW,CAAA,EAAE;AAAA,IACpC,EAAE,KAAK,QAAA,EAAU,IAAA,EAAM,CAAC,IAAA,EAAM,WAAA,EAAa,WAAW,CAAA,EAAE;AAAA,IACxD,EAAE,KAAK,SAAA,EAAW,IAAA,EAAM,CAAC,IAAA,EAAM,WAAA,EAAa,WAAW,CAAA;AAAE,GAC3D;AACA,EAAA,KAAA,MAAW,KAAK,MAAA,EAAQ;AACtB,IAAA,IAAI;AACF,MAAA,MAAM,MAAA,GAAS,SAAA,CAAU,CAAA,CAAE,GAAA,EAAK,EAAE,IAAA,EAAM;AAAA,QACtC,KAAA,EAAO,CAAC,QAAA,EAAU,QAAA,EAAU,QAAQ,CAAA;AAAA,QACpC,OAAA,EAAS,GAAA;AAAA,QACT,KAAA,EAAO,QAAQ,QAAA,KAAa;AAAA,OAC7B,CAAA;AACD,MAAA,IAAI,MAAA,CAAO,MAAA,KAAW,CAAA,EAAG,OAAO,IAAA;AAAA,IAClC,CAAA,CAAA,MAAQ;AAAA,IAER;AAAA,EACF;AACA,EAAA,OAAO,KAAA;AACT;AAEA,SAAS,gBAAgB,IAAA,EAAuB;AAI9C,EAAA,MAAM,UAAA,GAAqD;AAAA,IACzD,EAAE,GAAA,EAAK,OAAA,EAAS,IAAA,EAAK;AAAA,IACrB,EAAE,KAAK,QAAA,EAAU,IAAA,EAAM,CAAC,IAAA,EAAM,WAAA,EAAa,GAAG,IAAI,CAAA,EAAE;AAAA,IACpD,EAAE,KAAK,SAAA,EAAW,IAAA,EAAM,CAAC,IAAA,EAAM,WAAA,EAAa,GAAG,IAAI,CAAA;AAAE,GACvD;AACA,EAAA,KAAA,MAAW,QAAQ,UAAA,EAAY;AAC7B,IAAA,MAAM,MAAA,GAAS,SAAA,CAAU,IAAA,CAAK,GAAA,EAAK,KAAK,IAAA,EAAM;AAAA,MAC5C,KAAA,EAAO,SAAA;AAAA,MACP,KAAA,EAAO,QAAQ,QAAA,KAAa;AAAA,KAC7B,CAAA;AACD,IAAA,IAAI,OAAO,KAAA,EAAO;AAClB,IAAA,OAAA,CAAQ,IAAA,CAAK,MAAA,CAAO,MAAA,IAAU,CAAC,CAAA;AAAA,EACjC;AACA,EAAA,OAAA,CAAQ,KAAA;AAAA,IACN,CAAA,CAAE,uDAAA,EAAyD,GAAA,EAAK,IAAI;AAAA,GACtE;AACA,EAAA,OAAA,CAAQ,MAAM,qBAAqB,CAAA;AACnC,EAAA,OAAA,CAAQ,KAAK,GAAG,CAAA;AAClB;AAIA,SAAS,aAAa,OAAA,EAAwB;AAC5C,EAAA,MAAM,MAAM,mBAAA,EAAoB;AAChC,EAAA,OAAA,CAAQ,GAAA,EAAI;AACZ,EAAA,OAAA,CAAQ,IAAI,CAAA,EAAA,EAAK,CAAA,CAAE,SAAS,IAAA,EAAM,IAAI,CAAC,CAAA,EAAA,EAAK,CAAA,CAAE,IAAI,GAAG,CAAA,CAAA,EAAI,GAAG,CAAC,CAAA,EAAA,EAAK,EAAE,QAAA,EAAU,GAAG,CAAC,CAAA,CAAE,CAAA;AACpF,EAAA,OAAA,CAAQ,GAAA,CAAI,CAAA,CAAE,4CAAA,EAA8C,GAAG,CAAC,CAAA;AAChE,EAAA,OAAA,CAAQ,GAAA,EAAI;AACZ,EAAA,OAAA,CAAQ,GAAA,CAAI,CAAA,CAAE,YAAA,EAAc,IAAI,CAAC,CAAA;AACjC,EAAA,MAAM,IAAA,GAAwC;AAAA,IAC5C;AAAA,MACE,MAAA;AAAA,MACA,6CAAA;AAAA,MACA;AAAA,KACF;AAAA,IACA;AAAA,MACE,OAAA;AAAA,MACA,6DAAA;AAAA,MACA;AAAA,KACF;AAAA,IACA;AAAA,MACE,KAAA;AAAA,MACA,kEAAA;AAAA,MACA;AAAA,KACF;AAAA,IACA,CAAC,QAAA,EAAU,4CAAA,EAA8C,sBAAsB;AAAA,GACjF;AACA,EAAA,KAAA,MAAW,CAAC,IAAA,EAAM,IAAA,EAAM,OAAO,KAAK,IAAA,EAAM;AACxC,IAAA,OAAA,CAAQ,GAAA,CAAI,CAAA,IAAA,EAAO,CAAA,CAAE,IAAA,CAAK,MAAA,CAAO,CAAC,CAAA,EAAG,IAAA,EAAM,KAAK,CAAC,CAAA,CAAA,EAAI,IAAI,CAAA,CAAE,CAAA;AAC3D,IAAA,IAAI,OAAA,EAAS;AACX,MAAA,OAAA,CAAQ,IAAI,CAAA,aAAA,EAAgB,CAAA,CAAE,OAAA,EAAS,GAAG,CAAC,CAAA,CAAE,CAAA;AAAA,IAC/C;AAAA,EACF;AACA,EAAA,OAAA,CAAQ,GAAA,EAAI;AACZ,EAAA,OAAA,CAAQ,GAAA,CAAI,CAAA,CAAE,aAAA,EAAe,IAAI,CAAC,CAAA;AAClC,EAAA,OAAA,CAAQ,GAAA,CAAI,CAAA,IAAA,EAAO,CAAA,CAAE,QAAA,EAAU,IAAA,EAAM,IAAI,CAAA,CAAE,MAAA,CAAO,EAAE,CAAC,CAAA,6BAAA,CAA+B,CAAA;AACpF,EAAA,OAAA,CAAQ,GAAA;AAAA,IACN,CAAA,IAAA,EAAO,EAAE,cAAA,EAAgB,IAAA,EAAM,IAAI,CAAA,CAAE,MAAA,CAAO,EAAE,CAAC,CAAA,kCAAA;AAAA,GACjD;AACA,EAAA,OAAA,CAAQ,GAAA,EAAI;AACZ,EAAA,OAAA,CAAQ,GAAA,CAAI,CAAA,CAAE,QAAA,EAAU,IAAI,CAAC,CAAA;AAC7B,EAAA,OAAA,CAAQ,GAAA;AAAA,IACN,CAAA,+DAAA;AAAA,GACF;AACA,EAAA,OAAA,CAAQ,IAAI,CAAA,wBAAA,EAA2B,CAAA,CAAE,mBAAA,EAAqB,KAAK,CAAC,CAAA,CAAE,CAAA;AACtE,EAAA,OAAA,CAAQ,GAAA,EAAI;AACd;AAIA,eAAe,cAAc,IAAA,EAA+B;AAM1D,EAAA,MAAM,KAAA,GAAQ,IAAA,CAAK,QAAA,CAAS,SAAS,CAAA;AACrC,EAAA,MAAM,KAAA,GAAQ,IAAA,CAAK,QAAA,CAAS,SAAS,CAAA;AACrC,EAAA,MAAM,MAAM,IAAA,CAAK,QAAA,CAAS,OAAO,CAAA,IAAK,IAAA,CAAK,SAAS,IAAI,CAAA;AAExD,EAAA,MAAM,UAAU,mBAAA,EAAoB;AACpC,EAAA,MAAM,MAAA,GAAS,MAAM,kBAAA,EAAmB;AAExC,EAAA,IAAI,KAAA,EAAO;AACT,IAAA,IAAI,WAAW,IAAA,EAAM;AACnB,MAAA,OAAA,CAAQ,MAAM,iDAAiD,CAAA;AAC/D,MAAA,OAAA,CAAQ,QAAA,GAAW,CAAA;AACnB,MAAA;AAAA,IACF;AACA,IAAA,MAAMA,IAAAA,GAAM,aAAa,OAAO,CAAA;AAChC,IAAA,MAAMC,IAAAA,GAAM,aAAa,MAAM,CAAA;AAC/B,IAAA,IAAI,CAACD,QAAO,CAACC,IAAAA,IAAO,eAAeD,IAAAA,EAAKC,IAAG,KAAK,CAAA,EAAG;AACjD,MAAA,OAAA,CAAQ,GAAA,CAAI,CAAA,YAAA,EAAe,OAAO,CAAA,cAAA,CAAgB,CAAA;AAClD,MAAA,OAAA,CAAQ,QAAA,GAAW,CAAA;AACnB,MAAA;AAAA,IACF;AACA,IAAA,OAAA,CAAQ,KAAA,CAAM,CAAA,YAAA,EAAe,OAAO,CAAA,wBAAA,EAA2B,MAAM,CAAA,CAAE,CAAA;AACvE,IAAA,OAAA,CAAQ,QAAA,GAAW,CAAA;AACnB,IAAA;AAAA,EACF;AAEA,EAAA,OAAA,CAAQ,GAAA,EAAI;AACZ,EAAA,OAAA,CAAQ,GAAA,CAAI,CAAA,CAAE,4BAAA,EAA8B,IAAA,EAAM,IAAI,CAAC,CAAA;AACvD,EAAA,OAAA,CAAQ,GAAA,CAAI,CAAA,CAAE,kDAAA,EAAoD,GAAG,CAAC,CAAA;AACtE,EAAA,OAAA,CAAQ,GAAA,EAAI;AAEZ,EAAA,IAAI,WAAW,IAAA,EAAM;AACnB,IAAA,OAAA,CAAQ,GAAA,CAAI,CAAA,4BAAA,EAA+B,OAAO,CAAA,CAAE,CAAA;AACpD,IAAA,OAAA,CAAQ,GAAA;AAAA,MACN,CAAA,gBAAA,EAAmB,EAAE,eAAA,EAAiB,MAAM,CAAC,CAAA,EAAA,EAAK,CAAA,CAAE,6BAAA,EAA+B,GAAG,CAAC,CAAA;AAAA,KACzF;AACA,IAAA,OAAA,CAAQ,GAAA,EAAI;AACZ,IAAA,OAAA,CAAQ,GAAA,CAAI,CAAA,CAAE,oEAAA,EAAsE,GAAG,CAAC,CAAA;AACxF,IAAA,OAAA,CAAQ,GAAA,EAAI;AACZ,IAAA,OAAA,CAAQ,QAAA,GAAW,CAAA;AACnB,IAAA;AAAA,EACF;AAEA,EAAA,MAAM,GAAA,GAAM,aAAa,OAAO,CAAA;AAChC,EAAA,MAAM,GAAA,GAAM,aAAa,MAAM,CAAA;AAC/B,EAAA,IAAI,CAAC,GAAA,IAAO,CAAC,GAAA,EAAK;AAChB,IAAA,OAAA,CAAQ,GAAA;AAAA,MACN,+BAA+B,OAAO,CAAA,EAAA,EAAK,CAAA,CAAE,8BAAA,EAAgC,GAAG,CAAC,CAAA;AAAA,KACnF;AACA,IAAA,OAAA,CAAQ,GAAA,CAAI,CAAA,4BAAA,EAA+B,MAAM,CAAA,CAAE,CAAA;AACnD,IAAA,OAAA,CAAQ,GAAA,EAAI;AACZ,IAAA,OAAA,CAAQ,GAAA,CAAI,CAAA,CAAE,+CAAA,EAA4C,GAAG,CAAC,CAAA;AAC9D,IAAA,OAAA,CAAQ,GAAA,EAAI;AACZ,IAAA,OAAA,CAAQ,QAAA,GAAW,CAAA;AACnB,IAAA;AAAA,EACF;AAEA,EAAA,IAAI,cAAA,CAAe,GAAA,EAAK,GAAG,CAAA,IAAK,CAAA,EAAG;AACjC,IAAA,OAAA,CAAQ,GAAA,CAAI,CAAA,4BAAA,EAA+B,OAAO,CAAA,CAAE,CAAA;AACpD,IAAA,OAAA,CAAQ,GAAA,CAAI,CAAA,4BAAA,EAA+B,MAAM,CAAA,CAAE,CAAA;AACnD,IAAA,OAAA,CAAQ,GAAA,EAAI;AACZ,IAAA,OAAA,CAAQ,GAAA,CAAI,CAAA,CAAE,kCAAA,EAAoC,IAAA,EAAM,KAAK,CAAC,CAAA;AAC9D,IAAA,OAAA,CAAQ,GAAA,EAAI;AACZ,IAAA,OAAA,CAAQ,QAAA,GAAW,CAAA;AACnB,IAAA;AAAA,EACF;AAEA,EAAA,OAAA,CAAQ,GAAA,CAAI,CAAA,4BAAA,EAA+B,OAAO,CAAA,CAAE,CAAA;AACpD,EAAA,OAAA,CAAQ,GAAA;AAAA,IACN,CAAA,gBAAA,EAAmB,CAAA,CAAE,CAAA,YAAA,EAAe,MAAM,CAAA,CAAA,EAAI,IAAI,CAAC,CAAA,EAAA,EAAK,CAAA,CAAE,oBAAA,EAAsB,MAAM,CAAC,CAAA;AAAA,GACzF;AACA,EAAA,OAAA,CAAQ,GAAA,EAAI;AACZ,EAAA,OAAA,CAAQ,GAAA,CAAI,CAAA,CAAE,kBAAA,EAAoB,IAAI,CAAC,CAAA;AACvC,EAAA,OAAA,CAAQ,IAAI,CAAA,IAAA,EAAO,CAAA,CAAE,gCAAA,EAAkC,KAAK,CAAC,CAAA,CAAE,CAAA;AAC/D,EAAA,OAAA,CAAQ,GAAA,EAAI;AAEZ,EAAA,IAAI,CAAC,KAAA,EAAO;AACV,IAAA,OAAA,CAAQ,GAAA,CAAI,CAAA,CAAE,yDAAA,EAA2D,GAAG,CAAC,CAAA;AAC7E,IAAA,OAAA,CAAQ,GAAA,EAAI;AACZ,IAAA,OAAA,CAAQ,QAAA,GAAW,CAAA;AACnB,IAAA;AAAA,EACF;AAEA,EAAA,IAAI,CAAC,GAAA,IAAO,OAAA,CAAQ,KAAA,CAAM,KAAA,EAAO;AAC/B,IAAA,OAAA,CAAQ,MAAA,CAAO,MAAM,qBAAqB,CAAA;AAC1C,IAAA,MAAM,QAAA,GAAW,MAAM,IAAI,OAAA,CAAgB,CAAC,GAAA,KAAQ;AAClD,MAAA,OAAA,CAAQ,KAAA,CAAM,IAAA,CAAK,MAAA,EAAQ,CAAC,KAAA,KAAkB,GAAA,CAAI,KAAA,CAAM,QAAA,EAAS,CAAE,IAAA,EAAK,CAAE,WAAA,EAAa,CAAC,CAAA;AAAA,IAC1F,CAAC,CAAA;AACD,IAAA,IAAI,CAAC,QAAA,CAAS,UAAA,CAAW,GAAG,CAAA,EAAG;AAC7B,MAAA,OAAA,CAAQ,QAAA,GAAW,CAAA;AACnB,MAAA;AAAA,IACF;AAAA,EACF;AAEA,EAAA,MAAM,MAAA,GAAS,OAAA,CAAQ,QAAA,KAAa,OAAA,GAAU,SAAA,GAAY,KAAA;AAC1D,EAAA,OAAA,CAAQ,GAAA,CAAI,CAAA,IAAA,EAAO,MAAM,CAAA,2BAAA,CAA6B,CAAA;AACtD,EAAA,MAAM,SAAS,SAAA,CAAU,MAAA,EAAQ,CAAC,SAAA,EAAW,oBAAoB,CAAA,EAAG;AAAA,IAClE,KAAA,EAAO;AAAA,GACR,CAAA;AACD,EAAA,OAAA,CAAQ,QAAA,GAAW,OAAO,MAAA,IAAU,CAAA;AACtC;AAIA,eAAe,IAAA,GAAsB;AACnC,EAAA,MAAM,IAAA,GAAO,OAAA,CAAQ,IAAA,CAAK,KAAA,CAAM,CAAC,CAAA;AAEjC,EAAA,IAAI,IAAA,CAAK,WAAW,CAAA,EAAG;AACrB,IAAA,YAAA,CAAa,KAAK,CAAA;AAClB,IAAA,OAAA,CAAQ,KAAK,CAAC,CAAA;AAAA,EAChB;AAEA,EAAA,MAAM,IAAA,GAAO,KAAK,CAAC,CAAA;AAEnB,EAAA,IAAI,IAAA,KAAS,QAAA,IAAY,IAAA,KAAS,IAAA,EAAM;AACtC,IAAA,YAAA,CAAa,IAAI,CAAA;AACjB,IAAA,OAAA,CAAQ,KAAK,CAAC,CAAA;AAAA,EAChB;AAEA,EAAA,IAAI,IAAA,KAAS,IAAA,IAAQ,IAAA,KAAS,QAAA,EAAU;AACtC,IAAA,YAAA,CAAa,KAAK,CAAA;AAClB,IAAA,OAAA,CAAQ,GAAA,CAAI,CAAA,CAAE,gDAAA,EAAkD,GAAG,CAAC,CAAA;AACpE,IAAA,OAAA,CAAQ,GAAA,EAAI;AACZ,IAAA,OAAA,CAAQ,KAAK,CAAC,CAAA;AAAA,EAChB;AAEA,EAAA,IAAI,IAAA,KAAS,IAAA,IAAQ,IAAA,KAAS,WAAA,EAAa;AACzC,IAAA,OAAA,CAAQ,GAAA,CAAI,qBAAqB,CAAA;AACjC,IAAA,OAAA,CAAQ,KAAK,CAAC,CAAA;AAAA,EAChB;AAEA,EAAA,IAAI,SAAS,QAAA,EAAU;AACrB,IAAA,MAAM,aAAA,CAAc,IAAA,CAAK,KAAA,CAAM,CAAC,CAAC,CAAA;AACjC,IAAA;AAAA,EACF;AAEA,EAAA,IAAI,IAAA,KAAS,MAAA,IAAU,IAAA,KAAS,OAAA,IAAW,SAAS,KAAA,EAAO;AACzD,IAAA,IAAI,CAAC,gBAAe,EAAG;AACrB,MAAA,OAAA,CAAQ,KAAA;AAAA,QACN,CAAA;AAAA,UACE,WAAW,IAAI,CAAA,iDAAA,CAAA;AAAA,UACf,MAAA;AAAA,UACA;AAAA;AACF,OACF;AACA,MAAA,OAAA,CAAQ,MAAM,qBAAqB,CAAA;AACnC,MAAA,OAAA,CAAQ,KAAA,EAAM;AACd,MAAA,OAAA,CAAQ,KAAA,CAAM,CAAA,CAAE,+DAAA,EAAiE,GAAG,CAAC,CAAA;AACrF,MAAA,OAAA,CAAQ,KAAA;AAAA,QACN,CAAA;AAAA,UACE,+EAAA;AAAA,UACA;AAAA;AACF,OACF;AACA,MAAA,OAAA,CAAQ,KAAK,GAAG,CAAA;AAAA,IAClB;AACA,IAAA,eAAA,CAAgB,IAAI,CAAA;AACpB,IAAA;AAAA,EACF;AAEA,EAAA,OAAA,CAAQ,KAAA,CAAM,CAAA,wBAAA,EAA2B,IAAI,CAAA,CAAA,CAAG,CAAA;AAChD,EAAA,OAAA,CAAQ,MAAM,4CAA4C,CAAA;AAC1D,EAAA,OAAA,CAAQ,KAAK,CAAC,CAAA;AAChB;AAEA,IAAA,EAAK,CAAE,KAAA,CAAM,CAAC,GAAA,KAAQ;AACpB,EAAA,OAAA,CAAQ,MAAM,CAAA,CAAE,CAAA,yBAAA,EAA4B,GAAG,CAAA,CAAA,EAAI,GAAG,CAAC,CAAA;AACvD,EAAA,OAAA,CAAQ,KAAK,CAAC,CAAA;AAChB,CAAC,CAAA","file":"arcis.mjs","sourcesContent":["#!/usr/bin/env node\n/**\n * @arcis/node — `arcis` CLI dispatcher.\n *\n * Surface (mirrors the Python CLI's discovery layer):\n *\n *   arcis              → catalog\n *   arcis --list       → catalog with examples\n *   arcis --help / -h  → catalog + run-cmd hint\n *   arcis --version / -V\n *   arcis update [--apply] [--check]\n *   arcis scan / audit / sca → forward to Python `arcis` if on PATH,\n *                              else print install hint\n *\n * Why we delegate scan/audit/sca to Python rather than re-implementing:\n * the threat database, audit rules, and attack-payload catalog are\n * Python-side data files. Maintaining two copies means drift; one\n * canonical CLI + a thin Node forwarder is simpler. The Node binary\n * exists primarily so users who installed `@arcis/node` from npm get\n * the same `arcis update` / discovery UX as Python users.\n */\n\nimport { spawnSync } from \"node:child_process\";\nimport { readFileSync } from \"node:fs\";\nimport { dirname, resolve } from \"node:path\";\nimport { fileURLToPath } from \"node:url\";\n\n// ── ANSI helpers ─────────────────────────────────────────────────────\n\nconst USE_COLOR =\n  !process.env.NO_COLOR && process.stdout.isTTY === true;\n\nfunction c(text: string, ...codes: string[]): string {\n  if (!USE_COLOR) return text;\n  return codes.join(\"\") + text + \"\\x1b[0m\";\n}\n\nconst BOLD = \"\\x1b[1m\";\nconst DIM = \"\\x1b[2m\";\nconst GREEN = \"\\x1b[32m\";\nconst YELLOW = \"\\x1b[33m\";\nconst CYAN = \"\\x1b[36m\";\nconst RED = \"\\x1b[31m\";\n\n// ── Version + npm registry helpers ───────────────────────────────────\n\nfunction getInstalledVersion(): string {\n  // Read the package.json that ships with this build so we report the\n  // actual installed version, not whatever was hardcoded.\n  try {\n    const here = fileURLToPath(import.meta.url);\n    // Walk up to find the package root (contains package.json).\n    let dir = dirname(here);\n    for (let i = 0; i < 6; i++) {\n      try {\n        const raw = readFileSync(resolve(dir, \"package.json\"), \"utf-8\");\n        const pkg = JSON.parse(raw) as { name?: string; version?: string };\n        if (pkg.name === \"@arcis/node\" && pkg.version) {\n          return pkg.version;\n        }\n      } catch {\n        // climb\n      }\n      const parent = resolve(dir, \"..\");\n      if (parent === dir) break;\n      dir = parent;\n    }\n  } catch {\n    // ignore\n  }\n  return \"?\";\n}\n\ninterface NpmRegistryResponse {\n  \"dist-tags\"?: { latest?: string };\n}\n\nasync function fetchLatestVersion(): Promise<string | null> {\n  try {\n    const controller = new AbortController();\n    const timer = setTimeout(() => controller.abort(), 5_000);\n    try {\n      const resp = await fetch(\"https://registry.npmjs.org/@arcis/node\", {\n        headers: { Accept: \"application/json\" },\n        signal: controller.signal,\n      });\n      if (!resp.ok) return null;\n      const data = (await resp.json()) as NpmRegistryResponse;\n      return data[\"dist-tags\"]?.latest ?? null;\n    } finally {\n      clearTimeout(timer);\n    }\n  } catch {\n    return null;\n  }\n}\n\nfunction parseVersion(v: string): number[] | null {\n  const parts = v.split(\".\");\n  const out: number[] = [];\n  for (const p of parts) {\n    if (!/^\\d+$/.test(p)) return null;\n    out.push(Number(p));\n  }\n  return out;\n}\n\nfunction versionCompare(a: number[], b: number[]): number {\n  const len = Math.max(a.length, b.length);\n  for (let i = 0; i < len; i++) {\n    const x = a[i] ?? 0;\n    const y = b[i] ?? 0;\n    if (x < y) return -1;\n    if (x > y) return 1;\n  }\n  return 0;\n}\n\n// ── Python forwarder ─────────────────────────────────────────────────\n\nfunction hasPythonArcis(): boolean {\n  // Check both `arcis` (Windows: arcis.exe) and `python -m arcis.cli` so\n  // users who have the Python package installed but not on PATH still work.\n  const probes: Array<{ cmd: string; args: string[] }> = [\n    { cmd: \"arcis\", args: [\"--version\"] },\n    { cmd: \"python\", args: [\"-m\", \"arcis.cli\", \"--version\"] },\n    { cmd: \"python3\", args: [\"-m\", \"arcis.cli\", \"--version\"] },\n  ];\n  for (const p of probes) {\n    try {\n      const result = spawnSync(p.cmd, p.args, {\n        stdio: [\"ignore\", \"ignore\", \"ignore\"],\n        timeout: 3000,\n        shell: process.platform === \"win32\",\n      });\n      if (result.status === 0) return true;\n    } catch {\n      // try next\n    }\n  }\n  return false;\n}\n\nfunction forwardToPython(args: string[]): never {\n  // Try `arcis` first, fall back to `python -m arcis.cli`. Mirror exit\n  // code so CI scripts using the Node CLI get the same behavior they'd\n  // get from the Python CLI.\n  const candidates: Array<{ cmd: string; args: string[] }> = [\n    { cmd: \"arcis\", args },\n    { cmd: \"python\", args: [\"-m\", \"arcis.cli\", ...args] },\n    { cmd: \"python3\", args: [\"-m\", \"arcis.cli\", ...args] },\n  ];\n  for (const cand of candidates) {\n    const result = spawnSync(cand.cmd, cand.args, {\n      stdio: \"inherit\",\n      shell: process.platform === \"win32\",\n    });\n    if (result.error) continue;\n    process.exit(result.status ?? 0);\n  }\n  console.error(\n    c(\"arcis: could not invoke the Python CLI. Install with:\", RED, BOLD),\n  );\n  console.error(\"  pip install arcis\");\n  process.exit(127);\n}\n\n// ── Catalog ──────────────────────────────────────────────────────────\n\nfunction printCatalog(verbose: boolean): void {\n  const ver = getInstalledVersion();\n  console.log();\n  console.log(`  ${c(\"Arcis\", BOLD, CYAN)}  ${c(`v${ver}`, DIM)}  ${c(\"(node)\", DIM)}`);\n  console.log(c(\"  Zero-dep security middleware + scanners.\", DIM));\n  console.log();\n  console.log(c(\"  Commands\", BOLD));\n  const rows: Array<[string, string, string]> = [\n    [\n      \"scan\",\n      \"Send live attack payloads to a running app.\",\n      \"arcis scan http://localhost:8000 --route POST:/echo --field q\",\n    ],\n    [\n      \"audit\",\n      \"Static-analyse Python / JS / TS source for unsafe patterns.\",\n      \"arcis audit .\",\n    ],\n    [\n      \"sca\",\n      \"Match installed dependencies against the supply-chain threat DB.\",\n      \"arcis sca .\",\n    ],\n    [\"update\", \"Check npm for a newer @arcis/node release.\", \"arcis update --apply\"],\n  ];\n  for (const [name, desc, example] of rows) {\n    console.log(`    ${c(name.padEnd(8), BOLD, GREEN)} ${desc}`);\n    if (verbose) {\n      console.log(`             ${c(example, DIM)}`);\n    }\n  }\n  console.log();\n  console.log(c(\"  Discovery\", BOLD));\n  console.log(`    ${c(\"--list\", BOLD, CYAN).padEnd(24)} Show this catalog (verbose).`);\n  console.log(\n    `    ${c(\"<cmd> --help\", BOLD, CYAN).padEnd(24)} Show full flags for that command.`,\n  );\n  console.log();\n  console.log(c(\"  Note\", BOLD));\n  console.log(\n    `    scan/audit/sca delegate to the Python CLI (canonical impl).`,\n  );\n  console.log(`    Install once with:  ${c(\"pip install arcis\", GREEN)}`);\n  console.log();\n}\n\n// ── Update command ───────────────────────────────────────────────────\n\nasync function updateCommand(args: string[]): Promise<void> {\n  // Note: this function uses `process.exitCode = N; return;` rather than\n  // `process.exit(N)` because the fetch() call leaves an internal undici\n  // handle open momentarily on Windows, and process.exit() during that\n  // window throws a libuv assertion on stderr. exitCode + return lets\n  // Node drain handles cleanly before exit.\n  const apply = args.includes(\"--apply\");\n  const check = args.includes(\"--check\");\n  const yes = args.includes(\"--yes\") || args.includes(\"-y\");\n\n  const current = getInstalledVersion();\n  const latest = await fetchLatestVersion();\n\n  if (check) {\n    if (latest === null) {\n      console.error(\"arcis: could not reach npm to check for updates\");\n      process.exitCode = 2;\n      return;\n    }\n    const cur = parseVersion(current);\n    const lat = parseVersion(latest);\n    if (!cur || !lat || versionCompare(cur, lat) >= 0) {\n      console.log(`@arcis/node ${current} is up-to-date`);\n      process.exitCode = 0;\n      return;\n    }\n    console.error(`@arcis/node ${current} is outdated; latest is ${latest}`);\n    process.exitCode = 1;\n    return;\n  }\n\n  console.log();\n  console.log(c(\"  @arcis/node update check\", BOLD, CYAN));\n  console.log(c(\"  Source: https://registry.npmjs.org/@arcis/node\", DIM));\n  console.log();\n\n  if (latest === null) {\n    console.log(`    Installed   @arcis/node ${current}`);\n    console.log(\n      `    Latest      ${c(\"? unreachable\", YELLOW)}  ${c(\"(network error or npm down)\", DIM)}`,\n    );\n    console.log();\n    console.log(c(\"  Try again later, or run 'npm view @arcis/node version' directly.\", DIM));\n    console.log();\n    process.exitCode = 2;\n    return;\n  }\n\n  const cur = parseVersion(current);\n  const lat = parseVersion(latest);\n  if (!cur || !lat) {\n    console.log(\n      `    Installed   @arcis/node ${current}  ${c(\"(pre-release or unparseable)\", DIM)}`,\n    );\n    console.log(`    Latest      @arcis/node ${latest}`);\n    console.log();\n    console.log(c(\"  Skipping comparison — manually decide.\", DIM));\n    console.log();\n    process.exitCode = 0;\n    return;\n  }\n\n  if (versionCompare(cur, lat) >= 0) {\n    console.log(`    Installed   @arcis/node ${current}`);\n    console.log(`    Latest      @arcis/node ${latest}`);\n    console.log();\n    console.log(c(\"  You are on the latest version.\", BOLD, GREEN));\n    console.log();\n    process.exitCode = 0;\n    return;\n  }\n\n  console.log(`    Installed   @arcis/node ${current}`);\n  console.log(\n    `    Latest      ${c(`@arcis/node ${latest}`, BOLD)}  ${c(\"(update available)\", YELLOW)}`,\n  );\n  console.log();\n  console.log(c(\"  Run to upgrade\", BOLD));\n  console.log(`    ${c(\"npm install @arcis/node@latest\", GREEN)}`);\n  console.log();\n\n  if (!apply) {\n    console.log(c(\"  Or rerun: 'arcis update --apply' to upgrade in place.\", DIM));\n    console.log();\n    process.exitCode = 1;\n    return;\n  }\n\n  if (!yes && process.stdin.isTTY) {\n    process.stdout.write(\"Upgrade now? [y/N] \");\n    const response = await new Promise<string>((res) => {\n      process.stdin.once(\"data\", (chunk: Buffer) => res(chunk.toString().trim().toLowerCase()));\n    });\n    if (!response.startsWith(\"y\")) {\n      process.exitCode = 1;\n      return;\n    }\n  }\n\n  const npmCmd = process.platform === \"win32\" ? \"npm.cmd\" : \"npm\";\n  console.log(`  $ ${npmCmd} install @arcis/node@latest`);\n  const result = spawnSync(npmCmd, [\"install\", \"@arcis/node@latest\"], {\n    stdio: \"inherit\",\n  });\n  process.exitCode = result.status ?? 1;\n}\n\n// ── Main ─────────────────────────────────────────────────────────────\n\nasync function main(): Promise<void> {\n  const args = process.argv.slice(2);\n\n  if (args.length === 0) {\n    printCatalog(false);\n    process.exit(0);\n  }\n\n  const arg0 = args[0];\n\n  if (arg0 === \"--list\" || arg0 === \"-l\") {\n    printCatalog(true);\n    process.exit(0);\n  }\n\n  if (arg0 === \"-h\" || arg0 === \"--help\") {\n    printCatalog(false);\n    console.log(c(\"  Run 'arcis <command> --help' for full flags.\", DIM));\n    console.log();\n    process.exit(0);\n  }\n\n  if (arg0 === \"-V\" || arg0 === \"--version\") {\n    console.log(getInstalledVersion());\n    process.exit(0);\n  }\n\n  if (arg0 === \"update\") {\n    await updateCommand(args.slice(1));\n    return;\n  }\n\n  if (arg0 === \"scan\" || arg0 === \"audit\" || arg0 === \"sca\") {\n    if (!hasPythonArcis()) {\n      console.error(\n        c(\n          `arcis: '${arg0}' is implemented by the Python CLI. Install with:`,\n          YELLOW,\n          BOLD,\n        ),\n      );\n      console.error(\"  pip install arcis\");\n      console.error();\n      console.error(c(\"Why: scan/audit/sca rely on Python's threat-DB and rule data.\", DIM));\n      console.error(\n        c(\n          \"@arcis/node implements the middleware + dashboard upload — see the docs.\",\n          DIM,\n        ),\n      );\n      process.exit(127);\n    }\n    forwardToPython(args);\n    return;\n  }\n\n  console.error(`arcis: unknown command '${arg0}'`);\n  console.error(\"Run 'arcis --list' for available commands.\");\n  process.exit(1);\n}\n\nmain().catch((err) => {\n  console.error(c(`arcis: unexpected error: ${err}`, RED));\n  process.exit(1);\n});\n"]}

package/dist/core/constants.d.ts

@@ -42,7 +42,7 @@ export declare const HEADERS: {
  * Detection patterns — used to flag whether a string contains XSS payloads.
  * Must stay in sync with XSS_REMOVE_PATTERNS below.
  */
-export declare const XSS_PATTERNS: readonly [RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp];
+export declare const XSS_PATTERNS: readonly [RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp, RegExp];
 /**
  * Removal patterns — used by sanitizeXss() to strip dangerous content.
  * More targeted than XSS_PATTERNS: each pattern captures the full dangerous

package/dist/core/constants.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"constants.d.ts","sourceRoot":"","sources":["../../src/core/constants.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAKH,eAAO,MAAM,KAAK;IAChB,uCAAuC;;IAEvC,iDAAiD;;CAEzC,CAAC;AAKX,eAAO,MAAM,UAAU;IACrB,qCAAqC;;IAErC,sCAAsC;;IAEtC,0DAA0D;;IAE1D,4BAA4B;;IAE5B,qCAAqC;;IAErC,qCAAqC;;CAE7B,CAAC;AAKX,eAAO,MAAM,OAAO;IAClB,sCAAsC;;IAUtC,+CAA+C;;IAE/C,oCAAoC;;IAEpC,2CAA2C;;IAE3C,oCAAoC;;IAEpC,uCAAuC;;IAEvC,+CAA+C;;CAEvC,CAAC;AAMX;;;GAGG;AACH,eAAO,MAAM,YAAY,2HA6Bf,CAAC;AAEX;;;;;GAKG;AACH,eAAO,MAAM,mBAAmB,2KAqCtB,CAAC;AAKX,eAAO,MAAM,YAAY,mHAyBf,CAAC;AAKX,eAAO,MAAM,aAAa,mGAsBhB,CAAC;AAKX,eAAO,MAAM,gBAAgB,mCAenB,CAAC;AAMX;;;;;;;;;;GAUG;AACH,eAAO,MAAM,oBAAoB,aAQ/B,CAAC;AAEH,iCAAiC;AACjC,eAAO,MAAM,oBAAoB,aAc/B,CAAC;AAKH,eAAO,MAAM,SAAS;IACpB,2CAA2C;;IAE3C,2BAA2B;;IAE3B,0BAA0B;;IAE1B,iCAAiC;;IAEjC,uCAAuC;;CAS/B,CAAC;AAKX,eAAO,MAAM,UAAU;IACrB;;;;OAIG;;IAEH;;;;OAIG;;IAEH,8BAA8B;;CAEtB,CAAC;AAKX,eAAO,MAAM,MAAM;IACjB,yCAAyC;;IAEzC,4BAA4B;wCACD,MAAM;IACjC,gCAAgC;;mCAEZ,MAAM;uCACF,MAAM,QAAQ,MAAM;qCACtB,MAAM,OAAO,MAAM;qCACnB,MAAM,OAAO,MAAM;oCACpB,MAAM,OAAO,MAAM;oCACnB,MAAM,OAAO,MAAM;yCACd,MAAM;wCACP,MAAM;sCACR,MAAM;uCACL,MAAM;uCACN,MAAM,UAAU,OAAO,EAAE;oCAC5B,MAAM,OAAO,MAAM;oCACnB,MAAM,OAAO,MAAM;;CAEhC,CAAC;AAKX,eAAO,MAAM,OAAO,EAAG,WAAoB,CAAC"}
+{"version":3,"file":"constants.d.ts","sourceRoot":"","sources":["../../src/core/constants.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAKH,eAAO,MAAM,KAAK;IAChB,uCAAuC;;IAEvC,iDAAiD;;CAEzC,CAAC;AAKX,eAAO,MAAM,UAAU;IACrB,qCAAqC;;IAErC,sCAAsC;;IAEtC,0DAA0D;;IAE1D,4BAA4B;;IAE5B,qCAAqC;;IAErC,qCAAqC;;CAE7B,CAAC;AAKX,eAAO,MAAM,OAAO;IAClB,sCAAsC;;IAUtC,+CAA+C;;IAE/C,oCAAoC;;IAEpC,2CAA2C;;IAE3C,oCAAoC;;IAEpC,uCAAuC;;IAEvC,+CAA+C;;CAEvC,CAAC;AAMX;;;GAGG;AACH,eAAO,MAAM,YAAY,mIAgCf,CAAC;AAEX;;;;;GAKG;AACH,eAAO,MAAM,mBAAmB,2KAqCtB,CAAC;AAKX,eAAO,MAAM,YAAY,mHAyBf,CAAC;AAKX,eAAO,MAAM,aAAa,mGAsBhB,CAAC;AAKX,eAAO,MAAM,gBAAgB,mCAenB,CAAC;AAMX;;;;;;;;;;GAUG;AACH,eAAO,MAAM,oBAAoB,aAQ/B,CAAC;AAEH,iCAAiC;AACjC,eAAO,MAAM,oBAAoB,aAc/B,CAAC;AAKH,eAAO,MAAM,SAAS;IACpB,2CAA2C;;IAE3C,2BAA2B;;IAE3B,0BAA0B;;IAE1B,iCAAiC;;IAEjC,uCAAuC;;CAS/B,CAAC;AAKX,eAAO,MAAM,UAAU;IACrB;;;;OAIG;;IAEH;;;;OAIG;;IAEH,8BAA8B;;CAEtB,CAAC;AAKX,eAAO,MAAM,MAAM;IACjB,yCAAyC;;IAEzC,4BAA4B;wCACD,MAAM;IACjC,gCAAgC;;mCAEZ,MAAM;uCACF,MAAM,QAAQ,MAAM;qCACtB,MAAM,OAAO,MAAM;qCACnB,MAAM,OAAO,MAAM;oCACpB,MAAM,OAAO,MAAM;oCACnB,MAAM,OAAO,MAAM;yCACd,MAAM;wCACP,MAAM;sCACR,MAAM;uCACL,MAAM;uCACN,MAAM,UAAU,OAAO,EAAE;oCAC5B,MAAM,OAAO,MAAM;oCACnB,MAAM,OAAO,MAAM;;CAEhC,CAAC;AAKX,eAAO,MAAM,OAAO,EAAG,WAAoB,CAAC"}

package/dist/core/index.js

@@ -73,7 +73,10 @@ var XSS_PATTERNS = [
   /** base href hijacking — redirects all relative URLs to attacker domain */
   /<base[\s>]/gi,
   /** link tag injection — stylesheet or preload CSRF attacks */
-  /<link[\s>]/gi
+  /<link[\s>]/gi,
+  /** style tag — CSS expression() / behavior: / IE-era attacks. Mirrors
+   *  Python's xss-style-tag from packages/core/patterns.json. */
+  /<style[\s>]/gi
 ];
 var SQL_PATTERNS = [
   /** SQL keywords */

package/dist/core/index.js.map

@@ -1 +1 @@
-{"version":3,"sources":["../../src/core/constants.ts","../../src/core/errors.ts"],"names":[],"mappings":";;;AAQO,IAAM,KAAA,GAAQ;AAAA;AAAA,EAEnB,gBAAA,EAAkB,GAAA;AAAA;AAAA,EAElB,mBAAA,EAAqB;AACvB;AAKO,IAAM,UAAA,GAAa;AAAA;AAAA,EAExB,iBAAA,EAAmB,GAAA;AAAA;AAAA,EAEnB,oBAAA,EAAsB,GAAA;AAAA;AAAA,EAEtB,mBAAA,EAAqB,GAAA;AAAA;AAAA,EAErB,eAAA,EAAiB,4CAAA;AAAA;AAAA,EAEjB,aAAA,EAAe,GAAA;AAAA;AAAA,EAEf,aAAA,EAAe;AACjB;AAKO,IAAM,OAAA,GAAU;AAAA;AAAA,EAErB,WAAA,EAAa;AAAA,IACX,oBAAA;AAAA,IACA,mBAAA;AAAA,IACA,kCAAA;AAAA,IACA,6BAAA;AAAA,IACA,iBAAA;AAAA,IACA,mBAAA;AAAA,IACA;AAAA,GACF,CAAE,KAAK,IAAI,CAAA;AAAA;AAAA,EAEX,YAAA,EAAc,OAAA;AAAA;AAAA,EAEd,aAAA,EAAe,MAAA;AAAA;AAAA,EAEf,oBAAA,EAAsB,SAAA;AAAA;AAAA,EAEtB,eAAA,EAAiB,iCAAA;AAAA;AAAA,EAEjB,kBAAA,EAAoB,0CAAA;AAAA;AAAA,EAEpB,aAAA,EAAe;AACjB;AAUO,IAAM,YAAA,GAAe;AAAA;AAAA,EAE1B,mCAAA;AAAA;AAAA,EAEA,kBAAA;AAAA;AAAA,EAEA,gBAAA;AAAA;AAAA,EAEA,sBAAA;AAAA;AAAA,EAEA,WAAA;AAAA;AAAA,EAEA,WAAA;AAAA;AAAA,EAEA,UAAA;AAAA;AAAA,EAEA,sBAAA;AAAA;AAAA,EAEA,aAAA;AAAA;AAAA,EAEA,mBAAA;AAAA;AAAA,EAEA,cAAA;AAAA;AAAA,EAEA,cAAA;AAAA;AAAA,EAEA,cAAA;AAAA;AAAA,EAEA;AACF;AAkDO,IAAM,YAAA,GAAe;AAAA;AAAA,EAE1B,qFAAA;AAAA;AAAA,EAEA,mBAAA;AAAA;AAAA,EAEA,cAAA;AAAA;AAAA,EAEA,wBAAA;AAAA;AAAA,EAEA,8CAAA;AAAA,EACA,oDAAA;AAAA;AAAA,EAEA,yBAAA;AAAA;AAAA,EAEA,+CAAA;AAAA,EACA,qDAAA;AAAA;AAAA,EAEA,2BAAA;AAAA;AAAA,EAEA,oBAAA;AAAA;AAAA,EAEA,mBAAA;AAAA;AAAA,EAEA;AACF;AAKO,IAAM,aAAA,GAAgB;AAAA;AAAA,EAE3B,SAAA;AAAA;AAAA,EAEA,SAAA;AAAA;AAAA,EAEA,UAAA;AAAA;AAAA,EAEA,SAAA;AAAA;AAAA,EAEA,WAAA;AAAA;AAAA,EAEA,cAAA;AAAA,EACA,cAAA;AAAA;AAAA,EAEA,aAAA;AAAA;AAAA,EAEA,SAAA;AAAA;AAAA,EAEA,kBAAA;AAAA;AAAA,EAEA;AACF;AAKO,IAAM,gBAAA,GAAmB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAU9B,SAAA;AAAA;AAAA,EAEA,OAAA;AAAA;AAAA,EAEA;AACF;AAiBO,IAAM,oBAAA,uBAA2B,GAAA,CAAI;AAAA,EAC1C,WAAA;AAAA,EACA,aAAA;AAAA,EACA,WAAA;AAAA,EACA,kBAAA;AAAA,EACA,kBAAA;AAAA,EACA,kBAAA;AAAA,EACA;AACF,CAAC;AAGM,IAAM,oBAAA,uBAA2B,GAAA,CAAI;AAAA;AAAA,EAE1C,KAAA;AAAA,EAAO,MAAA;AAAA,EAAQ,KAAA;AAAA,EAAO,MAAA;AAAA,EAAQ,KAAA;AAAA,EAAO,KAAA;AAAA,EAAO,KAAA;AAAA,EAAO,MAAA;AAAA;AAAA,EAEnD,MAAA;AAAA,EAAQ,KAAA;AAAA,EAAO,MAAA;AAAA,EAAQ,MAAA;AAAA;AAAA,EAEvB,SAAA;AAAA,EAAW,OAAA;AAAA,EAAS,QAAA;AAAA,EAAU,QAAA;AAAA,EAAU,OAAA;AAAA,EAAS,MAAA;AAAA,EAAQ,OAAA;AAAA,EAAS,aAAA;AAAA;AAAA,EAElE,YAAA;AAAA,EAAc,MAAA;AAAA,EAAQ,OAAA;AAAA;AAAA,EAEtB,WAAA;AAAA,EAAa,cAAA;AAAA;AAAA,EAEb,SAAA;AAAA,EAAW,QAAA;AAAA,EAAU,UAAA;AAAA,EAAY,QAAA;AAAA,EAAU,OAAA;AAAA,EAAS,QAAA;AAAA,EAAU,OAAA;AAAA,EAC9D,SAAA;AAAA,EAAW,YAAA;AAAA,EAAc;AAC3B,CAAC;AAKM,IAAM,SAAA,GAAY;AAAA;AAAA,EAEvB,WAAA,EAAa,YAAA;AAAA;AAAA,EAEb,SAAA,EAAW,aAAA;AAAA;AAAA,EAEX,SAAA,EAAW,aAAA;AAAA;AAAA,EAEX,kBAAA,EAAoB,GAAA;AAAA;AAAA,EAEpB,cAAA,sBAAoB,GAAA,CAAI;AAAA,IACtB,UAAA;AAAA,IAAY,QAAA;AAAA,IAAU,KAAA;AAAA,IAAO,QAAA;AAAA,IAAU,OAAA;AAAA,IAAS,QAAA;AAAA,IAChD,SAAA;AAAA,IAAW,QAAA;AAAA,IAAU,MAAA;AAAA,IAAQ,eAAA;AAAA,IAAiB,aAAA;AAAA,IAC9C,YAAA;AAAA,IAAc,IAAA;AAAA,IAAM,KAAA;AAAA,IAAO,iBAAA;AAAA,IAAmB,aAAA;AAAA,IAC9C,YAAA;AAAA,IAAc,cAAA;AAAA,IAAgB,aAAA;AAAA,IAAe,eAAA;AAAA,IAC7C,cAAA;AAAA,IAAgB,QAAA;AAAA,IAAU,KAAA;AAAA,IAAO,SAAA;AAAA,IAAW,QAAA;AAAA,IAC5C,aAAA;AAAA,IAAe,WAAA;AAAA,IAAa;AAAA,GAC7B;AACH;AAKO,IAAM,UAAA,GAAa;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAMxB,KAAA,EAAO,wDAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAMP,GAAA,EAAK,+BAAA;AAAA;AAAA,EAEL,IAAA,EAAM;AACR;AAKO,IAAM,MAAA,GAAS;AAAA;AAAA,EAEpB,qBAAA,EAAuB,uBAAA;AAAA;AAAA,EAEvB,eAAA,EAAiB,CAAC,OAAA,KAAoB,CAAA,8BAAA,EAAiC,OAAO,CAAA,MAAA,CAAA;AAAA;AAAA,EAE9E,UAAA,EAAY;AAAA,IACV,QAAA,EAAU,CAAC,KAAA,KAAkB,CAAA,EAAG,KAAK,CAAA,YAAA,CAAA;AAAA,IACrC,cAAc,CAAC,KAAA,EAAe,SAAiB,CAAA,EAAG,KAAK,cAAc,IAAI,CAAA,CAAA;AAAA,IACzE,YAAY,CAAC,KAAA,EAAe,QAAgB,CAAA,EAAG,KAAK,qBAAqB,GAAG,CAAA,WAAA,CAAA;AAAA,IAC5E,YAAY,CAAC,KAAA,EAAe,QAAgB,CAAA,EAAG,KAAK,oBAAoB,GAAG,CAAA,WAAA,CAAA;AAAA,IAC3E,WAAW,CAAC,KAAA,EAAe,QAAgB,CAAA,EAAG,KAAK,qBAAqB,GAAG,CAAA,CAAA;AAAA,IAC3E,WAAW,CAAC,KAAA,EAAe,QAAgB,CAAA,EAAG,KAAK,oBAAoB,GAAG,CAAA,CAAA;AAAA,IAC1E,cAAA,EAAgB,CAAC,KAAA,KAAkB,CAAA,EAAG,KAAK,CAAA,kBAAA,CAAA;AAAA,IAC3C,aAAA,EAAe,CAAC,KAAA,KAAkB,CAAA,EAAG,KAAK,CAAA,sBAAA,CAAA;AAAA,IAC1C,WAAA,EAAa,CAAC,KAAA,KAAkB,CAAA,EAAG,KAAK,CAAA,oBAAA,CAAA;AAAA,IACxC,YAAA,EAAc,CAAC,KAAA,KAAkB,CAAA,EAAG,KAAK,CAAA,qBAAA,CAAA;AAAA,IACzC,YAAA,EAAc,CAAC,KAAA,EAAe,MAAA,KAAsB,CAAA,EAAG,KAAK,CAAA,iBAAA,EAAoB,MAAA,CAAO,IAAA,CAAK,IAAI,CAAC,CAAA,CAAA;AAAA,IACjG,WAAW,CAAC,KAAA,EAAe,QAAgB,CAAA,EAAG,KAAK,uBAAuB,GAAG,CAAA,MAAA,CAAA;AAAA,IAC7E,WAAW,CAAC,KAAA,EAAe,QAAgB,CAAA,EAAG,KAAK,sBAAsB,GAAG,CAAA,MAAA;AAAA;AAEhF;AAKO,IAAM,OAAA,GAAU;;;ACxUhB,IAAM,UAAA,GAAN,cAAyB,KAAA,CAAM;AAAA,EAMpC,WAAA,CAAY,OAAA,EAAiB,UAAA,GAAa,GAAA,EAAK,OAAO,aAAA,EAAe;AACnE,IAAA,KAAA,CAAM,OAAO,CAAA;AACb,IAAA,IAAA,CAAK,IAAA,GAAO,YAAA;AACZ,IAAA,IAAA,CAAK,UAAA,GAAa,UAAA;AAClB,IAAA,IAAA,CAAK,IAAA,GAAO,IAAA;AAGZ,IAAA,IAAA,CAAK,SAAS,UAAA,GAAa,GAAA;AAG3B,IAAA,IAAI,MAAM,iBAAA,EAAmB;AAC3B,MAAA,KAAA,CAAM,iBAAA,CAAkB,IAAA,EAAM,IAAA,CAAK,WAAW,CAAA;AAAA,IAChD;AAAA,EACF;AACF;AAKO,IAAM,eAAA,GAAN,cAA8B,UAAA,CAAW;AAAA,EAG9C,YAAY,MAAA,EAAkB;AAC5B,IAAA,KAAA,CAAM,mBAAA,EAAqB,KAAK,kBAAkB,CAAA;AAClD,IAAA,IAAA,CAAK,IAAA,GAAO,iBAAA;AACZ,IAAA,IAAA,CAAK,MAAA,GAAS,MAAA;AAAA,EAChB;AACF;AAQO,IAAM,cAAA,GAAN,cAA6B,UAAA,CAAW;AAAA,EAG7C,WAAA,CAAY,SAAiB,UAAA,EAAoB;AAC/C,IAAA,KAAA,CAAM,OAAA,EAAS,KAAK,qBAAqB,CAAA;AACzC,IAAA,IAAA,CAAK,IAAA,GAAO,gBAAA;AACZ,IAAA,IAAA,CAAK,UAAA,GAAa,UAAA;AAAA,EACpB;AACF;AAKO,IAAM,kBAAA,GAAN,cAAiC,UAAA,CAAW;AAAA,EAIjD,WAAA,CAAY,SAAiB,UAAA,EAAoB;AAC/C,IAAA,KAAA,CAAM,CAAA,8BAAA,EAAiC,OAAO,CAAA,MAAA,CAAA,EAAU,GAAA,EAAK,iBAAiB,CAAA;AAC9E,IAAA,IAAA,CAAK,IAAA,GAAO,oBAAA;AACZ,IAAA,IAAA,CAAK,OAAA,GAAU,OAAA;AACf,IAAA,IAAA,CAAK,UAAA,GAAa,UAAA;AAAA,EACpB;AACF;AAKO,IAAM,mBAAA,GAAN,cAAkC,UAAA,CAAW;AAAA,EAIlD,WAAA,CAAY,YAAoB,OAAA,EAAiB;AAC/C,IAAA,KAAA,CAAM,sCAAA,EAAwC,KAAK,iBAAiB,CAAA;AACpE,IAAA,IAAA,CAAK,IAAA,GAAO,qBAAA;AACZ,IAAA,IAAA,CAAK,UAAA,GAAa,UAAA;AAClB,IAAA,IAAA,CAAK,OAAA,GAAU,OAAA;AAAA,EACjB;AACF;AAKO,IAAM,iBAAA,GAAN,cAAgC,UAAA,CAAW;AAAA,EAChD,YAAY,OAAA,EAAiB;AAC3B,IAAA,KAAA,CAAM,OAAA,EAAS,KAAK,oBAAoB,CAAA;AACxC,IAAA,IAAA,CAAK,IAAA,GAAO,mBAAA;AAAA,EACd;AACF","file":"index.js","sourcesContent":["/**\n * @module @arcis/node/core/constants\n * Named constants for Arcis - no magic numbers\n */\n\n// =============================================================================\n// INPUT LIMITS\n// =============================================================================\nexport const INPUT = {\n  /** Default maximum input size (1MB) */\n  DEFAULT_MAX_SIZE: 1_000_000,\n  /** Maximum recursion depth for nested objects */\n  MAX_RECURSION_DEPTH: 10,\n} as const;\n\n// =============================================================================\n// RATE LIMITING\n// =============================================================================\nexport const RATE_LIMIT = {\n  /** Default window size (1 minute) */\n  DEFAULT_WINDOW_MS: 60_000,\n  /** Default max requests per window */\n  DEFAULT_MAX_REQUESTS: 100,\n  /** Default HTTP status code for rate limited responses */\n  DEFAULT_STATUS_CODE: 429,\n  /** Default error message */\n  DEFAULT_MESSAGE: 'Too many requests, please try again later.',\n  /** Minimum window size (1 second) */\n  MIN_WINDOW_MS: 1_000,\n  /** Maximum window size (24 hours) */\n  MAX_WINDOW_MS: 86_400_000,\n} as const;\n\n// =============================================================================\n// SECURITY HEADERS\n// =============================================================================\nexport const HEADERS = {\n  /** Default Content Security Policy */\n  DEFAULT_CSP: [\n    \"default-src 'self'\",\n    \"script-src 'self'\",\n    \"style-src 'self' 'unsafe-inline'\",\n    \"img-src 'self' data: https:\",\n    \"font-src 'self'\",\n    \"object-src 'none'\",\n    \"frame-ancestors 'none'\",\n  ].join('; '),\n  /** Default HSTS max age (1 year in seconds) */\n  HSTS_MAX_AGE: 31_536_000,\n  /** Default X-Frame-Options value */\n  FRAME_OPTIONS: 'DENY' as const,\n  /** Default X-Content-Type-Options value */\n  CONTENT_TYPE_OPTIONS: 'nosniff',\n  /** Default Referrer-Policy value */\n  REFERRER_POLICY: 'strict-origin-when-cross-origin',\n  /** Default Permissions-Policy value */\n  PERMISSIONS_POLICY: 'geolocation=(), microphone=(), camera=()',\n  /** Default Cache-Control value for security */\n  CACHE_CONTROL: 'no-store, no-cache, must-revalidate, proxy-revalidate',\n} as const;\n\n// =============================================================================\n// XSS PATTERNS (ReDoS-safe)\n// =============================================================================\n\n/**\n * Detection patterns — used to flag whether a string contains XSS payloads.\n * Must stay in sync with XSS_REMOVE_PATTERNS below.\n */\nexport const XSS_PATTERNS = [\n  /** Script tags (ReDoS-safe version) */\n  /<script[^>]*>[\\s\\S]*?<\\/script>/gi,\n  /** javascript: protocol (allow optional spaces before colon) */\n  /javascript\\s*:/gi,\n  /** vbscript: protocol */\n  /vbscript\\s*:/gi,\n  /** Event handlers (onclick, onerror, etc.) — any separator before attribute */\n  /(?:[\\s/])on\\w+\\s*=/gi,\n  /** iframe tags */\n  /<iframe/gi,\n  /** object tags */\n  /<object/gi,\n  /** embed tags */\n  /<embed/gi,\n  /** data: URIs (only dangerous ones, avoid false positives) */\n  /(?:^|[\\s\"'=])data:/gi,\n  /** URL-encoded script tags */\n  /%3Cscript/gi,\n  /** SVG with onload */\n  /<svg[^>]*onload/gi,\n  /** form tags — phishing/credential harvesting via action= redirection */\n  /<form[\\s>]/gi,\n  /** meta tags — http-equiv refresh redirects or CSP bypass */\n  /<meta[\\s>]/gi,\n  /** base href hijacking — redirects all relative URLs to attacker domain */\n  /<base[\\s>]/gi,\n  /** link tag injection — stylesheet or preload CSRF attacks */\n  /<link[\\s>]/gi,\n] as const;\n\n/**\n * Removal patterns — used by sanitizeXss() to strip dangerous content.\n * More targeted than XSS_PATTERNS: each pattern captures the full dangerous\n * substring (tag, attribute + value, protocol) so it can be replaced safely.\n * Must stay in sync with XSS_PATTERNS above.\n */\nexport const XSS_REMOVE_PATTERNS = [\n  /** Full script blocks (content + tags) */\n  /<script[^>]*>[\\s\\S]*?<\\/script>/gi,\n  /** Standalone/unclosed script tags */\n  /<script[^>]*>/gi,\n  /** style — CSS expression() and behavior: attacks (IE-era but still relevant) */\n  /<style[^>]*>[\\s\\S]*?<\\/style>/gi,\n  /<style[^>]*/gi,\n  /** iframe — full block and partial/unclosed */\n  /<iframe[^>]*>[\\s\\S]*?<\\/iframe>/gi,\n  /<iframe[^>]*/gi,\n  /** object — full block and partial/unclosed */\n  /<object[^>]*>[\\s\\S]*?<\\/object>/gi,\n  /<object[^>]*/gi,\n  /** embed tags */\n  /<embed[^>]*/gi,\n  /** SVG with inline event handlers */\n  /<svg[^>]*onload[^>]*>/gi,\n  /** URL-encoded script tags */\n  /%3Cscript/gi,\n  /** Event handlers with quoted values: onclick=\"...\", onerror='...' */\n  /(?:[\\s/])on\\w+\\s*=\\s*[\"'][^\"']*[\"']/gi,\n  /** Event handlers with unquoted values: onload=value */\n  /(?:[\\s/])on\\w+\\s*=\\s*[^\\s>]*/gi,\n  /** javascript: and vbscript: protocols (allow optional spaces before colon) */\n  /javascript\\s*:/gi,\n  /vbscript\\s*:/gi,\n  /** data: URIs with HTML/script content */\n  /data\\s*:\\s*text\\/html[^>\\s]*/gi,\n  /** form tag injection — phishing via action= redirection */\n  /<form[\\s>][^>]*/gi,\n  /** meta tag injection — http-equiv refresh or CSP bypass */\n  /<meta[\\s>][^>]*/gi,\n  /** base href hijacking */\n  /<base[\\s>][^>]*/gi,\n  /** link tag injection — stylesheet or preload attacks */\n  /<link[\\s>][^>]*/gi,\n] as const;\n\n// =============================================================================\n// SQL INJECTION PATTERNS\n// =============================================================================\nexport const SQL_PATTERNS = [\n  /** SQL keywords */\n  /(\\b(SELECT|INSERT|UPDATE|DELETE|DROP|UNION|ALTER|CREATE|TRUNCATE|EXEC|EXECUTE)\\b)/gi,\n  /** SQL comments: ANSI (--), C-style (slash-star ... star-slash), MySQL (#) */\n  /(--|\\/\\*|\\*\\/|#)/g,\n  /** SQL statement separators */\n  /(;|\\|\\||&&)/g,\n  /** Boolean injection: OR 1=1 */\n  /\\bOR\\s+\\d+\\s*=\\s*\\d+/gi,\n  /** Boolean injection: OR 'a'='a' or OR \"a\"=\"a\" (including mixed quotes) */\n  /\\bOR\\s+(['\"])[^'\"]*\\1\\s*=\\s*(['\"])[^'\"]*\\2/gi,\n  /\\bOR\\s+('[^']*'|\"[^\"]*\")\\s*=\\s*('[^']*'|\"[^\"]*\")/gi,\n  /** Boolean injection: AND 1=1 */\n  /\\bAND\\s+\\d+\\s*=\\s*\\d+/gi,\n  /** Boolean injection: AND 'a'='a' or AND \"a\"=\"a\" (including mixed quotes) */\n  /\\bAND\\s+(['\"])[^'\"]*\\1\\s*=\\s*(['\"])[^'\"]*\\2/gi,\n  /\\bAND\\s+('[^']*'|\"[^\"]*\")\\s*=\\s*('[^']*'|\"[^\"]*\")/gi,\n  /** Time-based blind: SLEEP() */\n  /\\bSLEEP\\s*\\(\\s*\\d+\\s*\\)/gi,\n  /** Time-based blind: BENCHMARK() */\n  /\\bBENCHMARK\\s*\\(/gi,\n  /** Time-based blind: PostgreSQL pg_sleep() */\n  /\\bpg_sleep\\s*\\(/gi,\n  /** Time-based blind: MSSQL WAITFOR DELAY */\n  /\\bWAITFOR\\s+DELAY\\b/gi,\n] as const;\n\n// =============================================================================\n// PATH TRAVERSAL PATTERNS\n// =============================================================================\nexport const PATH_PATTERNS = [\n  /** Unix path traversal */\n  /\\.\\.\\//g,\n  /** Windows path traversal */\n  /\\.\\.\\\\/g,\n  /** URL-encoded traversal (%2e%2e) */\n  /%2e%2e/gi,\n  /** Double URL-encoded traversal (%252e) */\n  /%252e/gi,\n  /** Mixed encoding: ..%2F */\n  /\\.\\.%2F/gi,\n  /** Mixed encoding: %2e./ and .%2e/ */\n  /%2e\\.[\\\\/]/gi,\n  /\\.%2e[\\\\/]/gi,\n  /** Fully URL-encoded: %2e%2e%2f */\n  /%2e%2e%2f/gi,\n  /** Double URL-encoded forward slash: %252f */\n  /%252f/gi,\n  /** Dotdotslash bypass: ....// or ....\\\\ */\n  /\\.{2,}[/\\\\]{2,}/g,\n  /** Null byte injection in paths */\n  /\\0/g,\n] as const;\n\n// =============================================================================\n// COMMAND INJECTION PATTERNS\n// =============================================================================\nexport const COMMAND_PATTERNS = [\n  /**\n   * Shell metacharacters that enable command chaining/substitution.\n   * Bare ( and ) are excluded — they appear in common legitimate values\n   * (function calls in code fields, math expressions, etc.).\n   * Command substitution is caught by the $( combined pattern below.\n   * NOTE: ';', '&', '|' may appear in legitimate URL query strings\n   * and Markdown; consider disabling command checking (command: false)\n   * for fields that intentionally allow those characters.\n   */\n  /[;&|`]/g,\n  /** Command substitution: $( ... ) — matched as a pair to reduce false positives */\n  /\\$\\(/g,\n  /** URL-encoded control characters (%00-%0F): null, tab, vtab, formfeed, LF, CR */\n  /%0[0-9a-f]/gi,\n] as const;\n\n// =============================================================================\n// DANGEROUS KEYS\n// =============================================================================\n\n/**\n * Prototype pollution keys to block.\n * Stored lowercase — always compare with key.toLowerCase().\n *\n * Includes:\n * - __proto__: direct prototype assignment\n * - constructor: access to constructor.prototype chain\n * - prototype: direct prototype property\n * - __defineGetter__/__defineSetter__: legacy property definition (can override getters/setters)\n * - __lookupGetter__/__lookupSetter__: legacy property introspection\n */\nexport const DANGEROUS_PROTO_KEYS = new Set([\n  '__proto__',\n  'constructor',\n  'prototype',\n  '__definegetter__',\n  '__definesetter__',\n  '__lookupgetter__',\n  '__lookupsetter__',\n]);\n\n/** MongoDB operators to block */\nexport const NOSQL_DANGEROUS_KEYS = new Set([\n  // Comparison\n  '$gt', '$gte', '$lt', '$lte', '$ne', '$eq', '$in', '$nin',\n  // Logical\n  '$and', '$or', '$not', '$nor',\n  // Element / evaluation\n  '$exists', '$type', '$regex', '$where', '$expr', '$mod', '$text', '$jsonSchema',\n  // Array\n  '$elemMatch', '$all', '$size',\n  // JavaScript execution (critical)\n  '$function', '$accumulator',\n  // Aggregation pipeline operators (injectable via $lookup etc.)\n  '$lookup', '$match', '$project', '$group', '$sort', '$limit', '$skip',\n  '$unwind', '$addFields', '$replaceRoot',\n]);\n\n// =============================================================================\n// REDACTION\n// =============================================================================\nexport const REDACTION = {\n  /** Replacement text for redacted values */\n  REPLACEMENT: '[REDACTED]',\n  /** Truncation indicator */\n  TRUNCATED: '[TRUNCATED]',\n  /** Max depth indicator */\n  MAX_DEPTH: '[MAX_DEPTH]',\n  /** Default max message length */\n  DEFAULT_MAX_LENGTH: 10_000,\n  /** Default sensitive keys to redact */\n  SENSITIVE_KEYS: new Set([\n    'password', 'passwd', 'pwd', 'secret', 'token', 'apikey',\n    'api_key', 'apiKey', 'auth', 'authorization', 'credit_card',\n    'creditcard', 'cc', 'ssn', 'social_security', 'private_key',\n    'privateKey', 'access_token', 'accessToken', 'refresh_token',\n    'refreshToken', 'bearer', 'jwt', 'session', 'cookie',\n    'credentials', 'x-api-key', 'x-auth-token',\n  ]),\n} as const;\n\n// =============================================================================\n// VALIDATION PATTERNS\n// =============================================================================\nexport const VALIDATION = {\n  /**\n   * Email regex pattern.\n   * Rejects consecutive dots in local part (e.g. test..foo@example.com),\n   * leading/trailing dots, and other common invalid forms.\n   */\n  EMAIL: /^[^\\s@.][^\\s@]*(?:\\.[^\\s@.][^\\s@]*)*@[^\\s@]+\\.[^\\s@]+$/,\n  /**\n   * URL regex pattern.\n   * Only allows http:// and https:// — explicitly rejects javascript:,\n   * data:, vbscript:, and other dangerous URI schemes.\n   */\n  URL: /^https?:\\/\\/[^\\s/$.?#][^\\s]*$/,\n  /** UUID regex pattern (v4) */\n  UUID: /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i,\n} as const;\n\n// =============================================================================\n// ERROR MESSAGES\n// =============================================================================\nexport const ERRORS = {\n  /** Generic error message (production) */\n  INTERNAL_SERVER_ERROR: 'Internal Server Error',\n  /** Input too large error */\n  INPUT_TOO_LARGE: (maxSize: number) => `Input exceeds maximum size of ${maxSize} bytes`,\n  /** Validation error messages */\n  VALIDATION: {\n    REQUIRED: (field: string) => `${field} is required`,\n    INVALID_TYPE: (field: string, type: string) => `${field} must be a ${type}`,\n    MIN_LENGTH: (field: string, min: number) => `${field} must be at least ${min} characters`,\n    MAX_LENGTH: (field: string, max: number) => `${field} must be at most ${max} characters`,\n    MIN_VALUE: (field: string, min: number) => `${field} must be at least ${min}`,\n    MAX_VALUE: (field: string, max: number) => `${field} must be at most ${max}`,\n    INVALID_FORMAT: (field: string) => `${field} format is invalid`,\n    INVALID_EMAIL: (field: string) => `${field} must be a valid email`,\n    INVALID_URL: (field: string) => `${field} must be a valid URL`,\n    INVALID_UUID: (field: string) => `${field} must be a valid UUID`,\n    INVALID_ENUM: (field: string, values: unknown[]) => `${field} must be one of: ${values.join(', ')}`,\n    MIN_ITEMS: (field: string, min: number) => `${field} must have at least ${min} items`,\n    MAX_ITEMS: (field: string, max: number) => `${field} must have at most ${max} items`,\n  },\n} as const;\n\n// =============================================================================\n// BLOCKED TEXT (for sanitizer replacements)\n// =============================================================================\nexport const BLOCKED = '[BLOCKED]' as const;\n","/**\n * @module @arcis/node/core/errors\n * Custom error classes for Arcis\n */\n\n/**\n * Base class for all Arcis errors\n */\nexport class ArcisError extends Error {\n  public readonly statusCode: number;\n  public readonly code: string;\n  /** Whether the error message is safe to expose to API clients. */\n  public readonly expose: boolean;\n\n  constructor(message: string, statusCode = 500, code = 'ARCIS_ERROR') {\n    super(message);\n    this.name = 'ArcisError';\n    this.statusCode = statusCode;\n    this.code = code;\n    // Client errors (4xx) have controlled messages — safe to expose.\n    // Server errors (5xx) may contain internal details — hide by default.\n    this.expose = statusCode < 500;\n\n    // Maintains proper stack trace for where error was thrown (V8 engines)\n    if (Error.captureStackTrace) {\n      Error.captureStackTrace(this, this.constructor);\n    }\n  }\n}\n\n/**\n * Error thrown when input validation fails\n */\nexport class ValidationError extends ArcisError {\n  public readonly errors: string[];\n\n  constructor(errors: string[]) {\n    super('Validation failed', 400, 'VALIDATION_ERROR');\n    this.name = 'ValidationError';\n    this.errors = errors;\n  }\n}\n\n/** Alias for ValidationError (backwards compatibility) */\nexport { ValidationError as ArcisValidationError };\n\n/**\n * Error thrown when rate limit is exceeded\n */\nexport class RateLimitError extends ArcisError {\n  public readonly retryAfter: number;\n\n  constructor(message: string, retryAfter: number) {\n    super(message, 429, 'RATE_LIMIT_EXCEEDED');\n    this.name = 'RateLimitError';\n    this.retryAfter = retryAfter;\n  }\n}\n\n/**\n * Error thrown when input is too large\n */\nexport class InputTooLargeError extends ArcisError {\n  public readonly maxSize: number;\n  public readonly actualSize: number;\n\n  constructor(maxSize: number, actualSize: number) {\n    super(`Input exceeds maximum size of ${maxSize} bytes`, 413, 'INPUT_TOO_LARGE');\n    this.name = 'InputTooLargeError';\n    this.maxSize = maxSize;\n    this.actualSize = actualSize;\n  }\n}\n\n/**\n * Error thrown when security threat is detected\n */\nexport class SecurityThreatError extends ArcisError {\n  public readonly threatType: string;\n  public readonly pattern: string;\n\n  constructor(threatType: string, pattern: string) {\n    super('Request blocked for security reasons', 400, 'SECURITY_THREAT');\n    this.name = 'SecurityThreatError';\n    this.threatType = threatType;\n    this.pattern = pattern;\n  }\n}\n\n/**\n * Error thrown when sanitization fails\n */\nexport class SanitizationError extends ArcisError {\n  constructor(message: string) {\n    super(message, 400, 'SANITIZATION_ERROR');\n    this.name = 'SanitizationError';\n  }\n}\n"]}
+{"version":3,"sources":["../../src/core/constants.ts","../../src/core/errors.ts"],"names":[],"mappings":";;;AAQO,IAAM,KAAA,GAAQ;AAAA;AAAA,EAEnB,gBAAA,EAAkB,GAAA;AAAA;AAAA,EAElB,mBAAA,EAAqB;AACvB;AAKO,IAAM,UAAA,GAAa;AAAA;AAAA,EAExB,iBAAA,EAAmB,GAAA;AAAA;AAAA,EAEnB,oBAAA,EAAsB,GAAA;AAAA;AAAA,EAEtB,mBAAA,EAAqB,GAAA;AAAA;AAAA,EAErB,eAAA,EAAiB,4CAAA;AAAA;AAAA,EAEjB,aAAA,EAAe,GAAA;AAAA;AAAA,EAEf,aAAA,EAAe;AACjB;AAKO,IAAM,OAAA,GAAU;AAAA;AAAA,EAErB,WAAA,EAAa;AAAA,IACX,oBAAA;AAAA,IACA,mBAAA;AAAA,IACA,kCAAA;AAAA,IACA,6BAAA;AAAA,IACA,iBAAA;AAAA,IACA,mBAAA;AAAA,IACA;AAAA,GACF,CAAE,KAAK,IAAI,CAAA;AAAA;AAAA,EAEX,YAAA,EAAc,OAAA;AAAA;AAAA,EAEd,aAAA,EAAe,MAAA;AAAA;AAAA,EAEf,oBAAA,EAAsB,SAAA;AAAA;AAAA,EAEtB,eAAA,EAAiB,iCAAA;AAAA;AAAA,EAEjB,kBAAA,EAAoB,0CAAA;AAAA;AAAA,EAEpB,aAAA,EAAe;AACjB;AAUO,IAAM,YAAA,GAAe;AAAA;AAAA,EAE1B,mCAAA;AAAA;AAAA,EAEA,kBAAA;AAAA;AAAA,EAEA,gBAAA;AAAA;AAAA,EAEA,sBAAA;AAAA;AAAA,EAEA,WAAA;AAAA;AAAA,EAEA,WAAA;AAAA;AAAA,EAEA,UAAA;AAAA;AAAA,EAEA,sBAAA;AAAA;AAAA,EAEA,aAAA;AAAA;AAAA,EAEA,mBAAA;AAAA;AAAA,EAEA,cAAA;AAAA;AAAA,EAEA,cAAA;AAAA;AAAA,EAEA,cAAA;AAAA;AAAA,EAEA,cAAA;AAAA;AAAA;AAAA,EAGA;AACF;AAkDO,IAAM,YAAA,GAAe;AAAA;AAAA,EAE1B,qFAAA;AAAA;AAAA,EAEA,mBAAA;AAAA;AAAA,EAEA,cAAA;AAAA;AAAA,EAEA,wBAAA;AAAA;AAAA,EAEA,8CAAA;AAAA,EACA,oDAAA;AAAA;AAAA,EAEA,yBAAA;AAAA;AAAA,EAEA,+CAAA;AAAA,EACA,qDAAA;AAAA;AAAA,EAEA,2BAAA;AAAA;AAAA,EAEA,oBAAA;AAAA;AAAA,EAEA,mBAAA;AAAA;AAAA,EAEA;AACF;AAKO,IAAM,aAAA,GAAgB;AAAA;AAAA,EAE3B,SAAA;AAAA;AAAA,EAEA,SAAA;AAAA;AAAA,EAEA,UAAA;AAAA;AAAA,EAEA,SAAA;AAAA;AAAA,EAEA,WAAA;AAAA;AAAA,EAEA,cAAA;AAAA,EACA,cAAA;AAAA;AAAA,EAEA,aAAA;AAAA;AAAA,EAEA,SAAA;AAAA;AAAA,EAEA,kBAAA;AAAA;AAAA,EAEA;AACF;AAKO,IAAM,gBAAA,GAAmB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAU9B,SAAA;AAAA;AAAA,EAEA,OAAA;AAAA;AAAA,EAEA;AACF;AAiBO,IAAM,oBAAA,uBAA2B,GAAA,CAAI;AAAA,EAC1C,WAAA;AAAA,EACA,aAAA;AAAA,EACA,WAAA;AAAA,EACA,kBAAA;AAAA,EACA,kBAAA;AAAA,EACA,kBAAA;AAAA,EACA;AACF,CAAC;AAGM,IAAM,oBAAA,uBAA2B,GAAA,CAAI;AAAA;AAAA,EAE1C,KAAA;AAAA,EAAO,MAAA;AAAA,EAAQ,KAAA;AAAA,EAAO,MAAA;AAAA,EAAQ,KAAA;AAAA,EAAO,KAAA;AAAA,EAAO,KAAA;AAAA,EAAO,MAAA;AAAA;AAAA,EAEnD,MAAA;AAAA,EAAQ,KAAA;AAAA,EAAO,MAAA;AAAA,EAAQ,MAAA;AAAA;AAAA,EAEvB,SAAA;AAAA,EAAW,OAAA;AAAA,EAAS,QAAA;AAAA,EAAU,QAAA;AAAA,EAAU,OAAA;AAAA,EAAS,MAAA;AAAA,EAAQ,OAAA;AAAA,EAAS,aAAA;AAAA;AAAA,EAElE,YAAA;AAAA,EAAc,MAAA;AAAA,EAAQ,OAAA;AAAA;AAAA,EAEtB,WAAA;AAAA,EAAa,cAAA;AAAA;AAAA,EAEb,SAAA;AAAA,EAAW,QAAA;AAAA,EAAU,UAAA;AAAA,EAAY,QAAA;AAAA,EAAU,OAAA;AAAA,EAAS,QAAA;AAAA,EAAU,OAAA;AAAA,EAC9D,SAAA;AAAA,EAAW,YAAA;AAAA,EAAc;AAC3B,CAAC;AAKM,IAAM,SAAA,GAAY;AAAA;AAAA,EAEvB,WAAA,EAAa,YAAA;AAAA;AAAA,EAEb,SAAA,EAAW,aAAA;AAAA;AAAA,EAEX,SAAA,EAAW,aAAA;AAAA;AAAA,EAEX,kBAAA,EAAoB,GAAA;AAAA;AAAA,EAEpB,cAAA,sBAAoB,GAAA,CAAI;AAAA,IACtB,UAAA;AAAA,IAAY,QAAA;AAAA,IAAU,KAAA;AAAA,IAAO,QAAA;AAAA,IAAU,OAAA;AAAA,IAAS,QAAA;AAAA,IAChD,SAAA;AAAA,IAAW,QAAA;AAAA,IAAU,MAAA;AAAA,IAAQ,eAAA;AAAA,IAAiB,aAAA;AAAA,IAC9C,YAAA;AAAA,IAAc,IAAA;AAAA,IAAM,KAAA;AAAA,IAAO,iBAAA;AAAA,IAAmB,aAAA;AAAA,IAC9C,YAAA;AAAA,IAAc,cAAA;AAAA,IAAgB,aAAA;AAAA,IAAe,eAAA;AAAA,IAC7C,cAAA;AAAA,IAAgB,QAAA;AAAA,IAAU,KAAA;AAAA,IAAO,SAAA;AAAA,IAAW,QAAA;AAAA,IAC5C,aAAA;AAAA,IAAe,WAAA;AAAA,IAAa;AAAA,GAC7B;AACH;AAKO,IAAM,UAAA,GAAa;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAMxB,KAAA,EAAO,wDAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAMP,GAAA,EAAK,+BAAA;AAAA;AAAA,EAEL,IAAA,EAAM;AACR;AAKO,IAAM,MAAA,GAAS;AAAA;AAAA,EAEpB,qBAAA,EAAuB,uBAAA;AAAA;AAAA,EAEvB,eAAA,EAAiB,CAAC,OAAA,KAAoB,CAAA,8BAAA,EAAiC,OAAO,CAAA,MAAA,CAAA;AAAA;AAAA,EAE9E,UAAA,EAAY;AAAA,IACV,QAAA,EAAU,CAAC,KAAA,KAAkB,CAAA,EAAG,KAAK,CAAA,YAAA,CAAA;AAAA,IACrC,cAAc,CAAC,KAAA,EAAe,SAAiB,CAAA,EAAG,KAAK,cAAc,IAAI,CAAA,CAAA;AAAA,IACzE,YAAY,CAAC,KAAA,EAAe,QAAgB,CAAA,EAAG,KAAK,qBAAqB,GAAG,CAAA,WAAA,CAAA;AAAA,IAC5E,YAAY,CAAC,KAAA,EAAe,QAAgB,CAAA,EAAG,KAAK,oBAAoB,GAAG,CAAA,WAAA,CAAA;AAAA,IAC3E,WAAW,CAAC,KAAA,EAAe,QAAgB,CAAA,EAAG,KAAK,qBAAqB,GAAG,CAAA,CAAA;AAAA,IAC3E,WAAW,CAAC,KAAA,EAAe,QAAgB,CAAA,EAAG,KAAK,oBAAoB,GAAG,CAAA,CAAA;AAAA,IAC1E,cAAA,EAAgB,CAAC,KAAA,KAAkB,CAAA,EAAG,KAAK,CAAA,kBAAA,CAAA;AAAA,IAC3C,aAAA,EAAe,CAAC,KAAA,KAAkB,CAAA,EAAG,KAAK,CAAA,sBAAA,CAAA;AAAA,IAC1C,WAAA,EAAa,CAAC,KAAA,KAAkB,CAAA,EAAG,KAAK,CAAA,oBAAA,CAAA;AAAA,IACxC,YAAA,EAAc,CAAC,KAAA,KAAkB,CAAA,EAAG,KAAK,CAAA,qBAAA,CAAA;AAAA,IACzC,YAAA,EAAc,CAAC,KAAA,EAAe,MAAA,KAAsB,CAAA,EAAG,KAAK,CAAA,iBAAA,EAAoB,MAAA,CAAO,IAAA,CAAK,IAAI,CAAC,CAAA,CAAA;AAAA,IACjG,WAAW,CAAC,KAAA,EAAe,QAAgB,CAAA,EAAG,KAAK,uBAAuB,GAAG,CAAA,MAAA,CAAA;AAAA,IAC7E,WAAW,CAAC,KAAA,EAAe,QAAgB,CAAA,EAAG,KAAK,sBAAsB,GAAG,CAAA,MAAA;AAAA;AAEhF;AAKO,IAAM,OAAA,GAAU;;;AC3UhB,IAAM,UAAA,GAAN,cAAyB,KAAA,CAAM;AAAA,EAMpC,WAAA,CAAY,OAAA,EAAiB,UAAA,GAAa,GAAA,EAAK,OAAO,aAAA,EAAe;AACnE,IAAA,KAAA,CAAM,OAAO,CAAA;AACb,IAAA,IAAA,CAAK,IAAA,GAAO,YAAA;AACZ,IAAA,IAAA,CAAK,UAAA,GAAa,UAAA;AAClB,IAAA,IAAA,CAAK,IAAA,GAAO,IAAA;AAGZ,IAAA,IAAA,CAAK,SAAS,UAAA,GAAa,GAAA;AAG3B,IAAA,IAAI,MAAM,iBAAA,EAAmB;AAC3B,MAAA,KAAA,CAAM,iBAAA,CAAkB,IAAA,EAAM,IAAA,CAAK,WAAW,CAAA;AAAA,IAChD;AAAA,EACF;AACF;AAKO,IAAM,eAAA,GAAN,cAA8B,UAAA,CAAW;AAAA,EAG9C,YAAY,MAAA,EAAkB;AAC5B,IAAA,KAAA,CAAM,mBAAA,EAAqB,KAAK,kBAAkB,CAAA;AAClD,IAAA,IAAA,CAAK,IAAA,GAAO,iBAAA;AACZ,IAAA,IAAA,CAAK,MAAA,GAAS,MAAA;AAAA,EAChB;AACF;AAQO,IAAM,cAAA,GAAN,cAA6B,UAAA,CAAW;AAAA,EAG7C,WAAA,CAAY,SAAiB,UAAA,EAAoB;AAC/C,IAAA,KAAA,CAAM,OAAA,EAAS,KAAK,qBAAqB,CAAA;AACzC,IAAA,IAAA,CAAK,IAAA,GAAO,gBAAA;AACZ,IAAA,IAAA,CAAK,UAAA,GAAa,UAAA;AAAA,EACpB;AACF;AAKO,IAAM,kBAAA,GAAN,cAAiC,UAAA,CAAW;AAAA,EAIjD,WAAA,CAAY,SAAiB,UAAA,EAAoB;AAC/C,IAAA,KAAA,CAAM,CAAA,8BAAA,EAAiC,OAAO,CAAA,MAAA,CAAA,EAAU,GAAA,EAAK,iBAAiB,CAAA;AAC9E,IAAA,IAAA,CAAK,IAAA,GAAO,oBAAA;AACZ,IAAA,IAAA,CAAK,OAAA,GAAU,OAAA;AACf,IAAA,IAAA,CAAK,UAAA,GAAa,UAAA;AAAA,EACpB;AACF;AAKO,IAAM,mBAAA,GAAN,cAAkC,UAAA,CAAW;AAAA,EAIlD,WAAA,CAAY,YAAoB,OAAA,EAAiB;AAC/C,IAAA,KAAA,CAAM,sCAAA,EAAwC,KAAK,iBAAiB,CAAA;AACpE,IAAA,IAAA,CAAK,IAAA,GAAO,qBAAA;AACZ,IAAA,IAAA,CAAK,UAAA,GAAa,UAAA;AAClB,IAAA,IAAA,CAAK,OAAA,GAAU,OAAA;AAAA,EACjB;AACF;AAKO,IAAM,iBAAA,GAAN,cAAgC,UAAA,CAAW;AAAA,EAChD,YAAY,OAAA,EAAiB;AAC3B,IAAA,KAAA,CAAM,OAAA,EAAS,KAAK,oBAAoB,CAAA;AACxC,IAAA,IAAA,CAAK,IAAA,GAAO,mBAAA;AAAA,EACd;AACF","file":"index.js","sourcesContent":["/**\n * @module @arcis/node/core/constants\n * Named constants for Arcis - no magic numbers\n */\n\n// =============================================================================\n// INPUT LIMITS\n// =============================================================================\nexport const INPUT = {\n  /** Default maximum input size (1MB) */\n  DEFAULT_MAX_SIZE: 1_000_000,\n  /** Maximum recursion depth for nested objects */\n  MAX_RECURSION_DEPTH: 10,\n} as const;\n\n// =============================================================================\n// RATE LIMITING\n// =============================================================================\nexport const RATE_LIMIT = {\n  /** Default window size (1 minute) */\n  DEFAULT_WINDOW_MS: 60_000,\n  /** Default max requests per window */\n  DEFAULT_MAX_REQUESTS: 100,\n  /** Default HTTP status code for rate limited responses */\n  DEFAULT_STATUS_CODE: 429,\n  /** Default error message */\n  DEFAULT_MESSAGE: 'Too many requests, please try again later.',\n  /** Minimum window size (1 second) */\n  MIN_WINDOW_MS: 1_000,\n  /** Maximum window size (24 hours) */\n  MAX_WINDOW_MS: 86_400_000,\n} as const;\n\n// =============================================================================\n// SECURITY HEADERS\n// =============================================================================\nexport const HEADERS = {\n  /** Default Content Security Policy */\n  DEFAULT_CSP: [\n    \"default-src 'self'\",\n    \"script-src 'self'\",\n    \"style-src 'self' 'unsafe-inline'\",\n    \"img-src 'self' data: https:\",\n    \"font-src 'self'\",\n    \"object-src 'none'\",\n    \"frame-ancestors 'none'\",\n  ].join('; '),\n  /** Default HSTS max age (1 year in seconds) */\n  HSTS_MAX_AGE: 31_536_000,\n  /** Default X-Frame-Options value */\n  FRAME_OPTIONS: 'DENY' as const,\n  /** Default X-Content-Type-Options value */\n  CONTENT_TYPE_OPTIONS: 'nosniff',\n  /** Default Referrer-Policy value */\n  REFERRER_POLICY: 'strict-origin-when-cross-origin',\n  /** Default Permissions-Policy value */\n  PERMISSIONS_POLICY: 'geolocation=(), microphone=(), camera=()',\n  /** Default Cache-Control value for security */\n  CACHE_CONTROL: 'no-store, no-cache, must-revalidate, proxy-revalidate',\n} as const;\n\n// =============================================================================\n// XSS PATTERNS (ReDoS-safe)\n// =============================================================================\n\n/**\n * Detection patterns — used to flag whether a string contains XSS payloads.\n * Must stay in sync with XSS_REMOVE_PATTERNS below.\n */\nexport const XSS_PATTERNS = [\n  /** Script tags (ReDoS-safe version) */\n  /<script[^>]*>[\\s\\S]*?<\\/script>/gi,\n  /** javascript: protocol (allow optional spaces before colon) */\n  /javascript\\s*:/gi,\n  /** vbscript: protocol */\n  /vbscript\\s*:/gi,\n  /** Event handlers (onclick, onerror, etc.) — any separator before attribute */\n  /(?:[\\s/])on\\w+\\s*=/gi,\n  /** iframe tags */\n  /<iframe/gi,\n  /** object tags */\n  /<object/gi,\n  /** embed tags */\n  /<embed/gi,\n  /** data: URIs (only dangerous ones, avoid false positives) */\n  /(?:^|[\\s\"'=])data:/gi,\n  /** URL-encoded script tags */\n  /%3Cscript/gi,\n  /** SVG with onload */\n  /<svg[^>]*onload/gi,\n  /** form tags — phishing/credential harvesting via action= redirection */\n  /<form[\\s>]/gi,\n  /** meta tags — http-equiv refresh redirects or CSP bypass */\n  /<meta[\\s>]/gi,\n  /** base href hijacking — redirects all relative URLs to attacker domain */\n  /<base[\\s>]/gi,\n  /** link tag injection — stylesheet or preload CSRF attacks */\n  /<link[\\s>]/gi,\n  /** style tag — CSS expression() / behavior: / IE-era attacks. Mirrors\n   *  Python's xss-style-tag from packages/core/patterns.json. */\n  /<style[\\s>]/gi,\n] as const;\n\n/**\n * Removal patterns — used by sanitizeXss() to strip dangerous content.\n * More targeted than XSS_PATTERNS: each pattern captures the full dangerous\n * substring (tag, attribute + value, protocol) so it can be replaced safely.\n * Must stay in sync with XSS_PATTERNS above.\n */\nexport const XSS_REMOVE_PATTERNS = [\n  /** Full script blocks (content + tags) */\n  /<script[^>]*>[\\s\\S]*?<\\/script>/gi,\n  /** Standalone/unclosed script tags */\n  /<script[^>]*>/gi,\n  /** style — CSS expression() and behavior: attacks (IE-era but still relevant) */\n  /<style[^>]*>[\\s\\S]*?<\\/style>/gi,\n  /<style[^>]*/gi,\n  /** iframe — full block and partial/unclosed */\n  /<iframe[^>]*>[\\s\\S]*?<\\/iframe>/gi,\n  /<iframe[^>]*/gi,\n  /** object — full block and partial/unclosed */\n  /<object[^>]*>[\\s\\S]*?<\\/object>/gi,\n  /<object[^>]*/gi,\n  /** embed tags */\n  /<embed[^>]*/gi,\n  /** SVG with inline event handlers */\n  /<svg[^>]*onload[^>]*>/gi,\n  /** URL-encoded script tags */\n  /%3Cscript/gi,\n  /** Event handlers with quoted values: onclick=\"...\", onerror='...' */\n  /(?:[\\s/])on\\w+\\s*=\\s*[\"'][^\"']*[\"']/gi,\n  /** Event handlers with unquoted values: onload=value */\n  /(?:[\\s/])on\\w+\\s*=\\s*[^\\s>]*/gi,\n  /** javascript: and vbscript: protocols (allow optional spaces before colon) */\n  /javascript\\s*:/gi,\n  /vbscript\\s*:/gi,\n  /** data: URIs with HTML/script content */\n  /data\\s*:\\s*text\\/html[^>\\s]*/gi,\n  /** form tag injection — phishing via action= redirection */\n  /<form[\\s>][^>]*/gi,\n  /** meta tag injection — http-equiv refresh or CSP bypass */\n  /<meta[\\s>][^>]*/gi,\n  /** base href hijacking */\n  /<base[\\s>][^>]*/gi,\n  /** link tag injection — stylesheet or preload attacks */\n  /<link[\\s>][^>]*/gi,\n] as const;\n\n// =============================================================================\n// SQL INJECTION PATTERNS\n// =============================================================================\nexport const SQL_PATTERNS = [\n  /** SQL keywords */\n  /(\\b(SELECT|INSERT|UPDATE|DELETE|DROP|UNION|ALTER|CREATE|TRUNCATE|EXEC|EXECUTE)\\b)/gi,\n  /** SQL comments: ANSI (--), C-style (slash-star ... star-slash), MySQL (#) */\n  /(--|\\/\\*|\\*\\/|#)/g,\n  /** SQL statement separators */\n  /(;|\\|\\||&&)/g,\n  /** Boolean injection: OR 1=1 */\n  /\\bOR\\s+\\d+\\s*=\\s*\\d+/gi,\n  /** Boolean injection: OR 'a'='a' or OR \"a\"=\"a\" (including mixed quotes) */\n  /\\bOR\\s+(['\"])[^'\"]*\\1\\s*=\\s*(['\"])[^'\"]*\\2/gi,\n  /\\bOR\\s+('[^']*'|\"[^\"]*\")\\s*=\\s*('[^']*'|\"[^\"]*\")/gi,\n  /** Boolean injection: AND 1=1 */\n  /\\bAND\\s+\\d+\\s*=\\s*\\d+/gi,\n  /** Boolean injection: AND 'a'='a' or AND \"a\"=\"a\" (including mixed quotes) */\n  /\\bAND\\s+(['\"])[^'\"]*\\1\\s*=\\s*(['\"])[^'\"]*\\2/gi,\n  /\\bAND\\s+('[^']*'|\"[^\"]*\")\\s*=\\s*('[^']*'|\"[^\"]*\")/gi,\n  /** Time-based blind: SLEEP() */\n  /\\bSLEEP\\s*\\(\\s*\\d+\\s*\\)/gi,\n  /** Time-based blind: BENCHMARK() */\n  /\\bBENCHMARK\\s*\\(/gi,\n  /** Time-based blind: PostgreSQL pg_sleep() */\n  /\\bpg_sleep\\s*\\(/gi,\n  /** Time-based blind: MSSQL WAITFOR DELAY */\n  /\\bWAITFOR\\s+DELAY\\b/gi,\n] as const;\n\n// =============================================================================\n// PATH TRAVERSAL PATTERNS\n// =============================================================================\nexport const PATH_PATTERNS = [\n  /** Unix path traversal */\n  /\\.\\.\\//g,\n  /** Windows path traversal */\n  /\\.\\.\\\\/g,\n  /** URL-encoded traversal (%2e%2e) */\n  /%2e%2e/gi,\n  /** Double URL-encoded traversal (%252e) */\n  /%252e/gi,\n  /** Mixed encoding: ..%2F */\n  /\\.\\.%2F/gi,\n  /** Mixed encoding: %2e./ and .%2e/ */\n  /%2e\\.[\\\\/]/gi,\n  /\\.%2e[\\\\/]/gi,\n  /** Fully URL-encoded: %2e%2e%2f */\n  /%2e%2e%2f/gi,\n  /** Double URL-encoded forward slash: %252f */\n  /%252f/gi,\n  /** Dotdotslash bypass: ....// or ....\\\\ */\n  /\\.{2,}[/\\\\]{2,}/g,\n  /** Null byte injection in paths */\n  /\\0/g,\n] as const;\n\n// =============================================================================\n// COMMAND INJECTION PATTERNS\n// =============================================================================\nexport const COMMAND_PATTERNS = [\n  /**\n   * Shell metacharacters that enable command chaining/substitution.\n   * Bare ( and ) are excluded — they appear in common legitimate values\n   * (function calls in code fields, math expressions, etc.).\n   * Command substitution is caught by the $( combined pattern below.\n   * NOTE: ';', '&', '|' may appear in legitimate URL query strings\n   * and Markdown; consider disabling command checking (command: false)\n   * for fields that intentionally allow those characters.\n   */\n  /[;&|`]/g,\n  /** Command substitution: $( ... ) — matched as a pair to reduce false positives */\n  /\\$\\(/g,\n  /** URL-encoded control characters (%00-%0F): null, tab, vtab, formfeed, LF, CR */\n  /%0[0-9a-f]/gi,\n] as const;\n\n// =============================================================================\n// DANGEROUS KEYS\n// =============================================================================\n\n/**\n * Prototype pollution keys to block.\n * Stored lowercase — always compare with key.toLowerCase().\n *\n * Includes:\n * - __proto__: direct prototype assignment\n * - constructor: access to constructor.prototype chain\n * - prototype: direct prototype property\n * - __defineGetter__/__defineSetter__: legacy property definition (can override getters/setters)\n * - __lookupGetter__/__lookupSetter__: legacy property introspection\n */\nexport const DANGEROUS_PROTO_KEYS = new Set([\n  '__proto__',\n  'constructor',\n  'prototype',\n  '__definegetter__',\n  '__definesetter__',\n  '__lookupgetter__',\n  '__lookupsetter__',\n]);\n\n/** MongoDB operators to block */\nexport const NOSQL_DANGEROUS_KEYS = new Set([\n  // Comparison\n  '$gt', '$gte', '$lt', '$lte', '$ne', '$eq', '$in', '$nin',\n  // Logical\n  '$and', '$or', '$not', '$nor',\n  // Element / evaluation\n  '$exists', '$type', '$regex', '$where', '$expr', '$mod', '$text', '$jsonSchema',\n  // Array\n  '$elemMatch', '$all', '$size',\n  // JavaScript execution (critical)\n  '$function', '$accumulator',\n  // Aggregation pipeline operators (injectable via $lookup etc.)\n  '$lookup', '$match', '$project', '$group', '$sort', '$limit', '$skip',\n  '$unwind', '$addFields', '$replaceRoot',\n]);\n\n// =============================================================================\n// REDACTION\n// =============================================================================\nexport const REDACTION = {\n  /** Replacement text for redacted values */\n  REPLACEMENT: '[REDACTED]',\n  /** Truncation indicator */\n  TRUNCATED: '[TRUNCATED]',\n  /** Max depth indicator */\n  MAX_DEPTH: '[MAX_DEPTH]',\n  /** Default max message length */\n  DEFAULT_MAX_LENGTH: 10_000,\n  /** Default sensitive keys to redact */\n  SENSITIVE_KEYS: new Set([\n    'password', 'passwd', 'pwd', 'secret', 'token', 'apikey',\n    'api_key', 'apiKey', 'auth', 'authorization', 'credit_card',\n    'creditcard', 'cc', 'ssn', 'social_security', 'private_key',\n    'privateKey', 'access_token', 'accessToken', 'refresh_token',\n    'refreshToken', 'bearer', 'jwt', 'session', 'cookie',\n    'credentials', 'x-api-key', 'x-auth-token',\n  ]),\n} as const;\n\n// =============================================================================\n// VALIDATION PATTERNS\n// =============================================================================\nexport const VALIDATION = {\n  /**\n   * Email regex pattern.\n   * Rejects consecutive dots in local part (e.g. test..foo@example.com),\n   * leading/trailing dots, and other common invalid forms.\n   */\n  EMAIL: /^[^\\s@.][^\\s@]*(?:\\.[^\\s@.][^\\s@]*)*@[^\\s@]+\\.[^\\s@]+$/,\n  /**\n   * URL regex pattern.\n   * Only allows http:// and https:// — explicitly rejects javascript:,\n   * data:, vbscript:, and other dangerous URI schemes.\n   */\n  URL: /^https?:\\/\\/[^\\s/$.?#][^\\s]*$/,\n  /** UUID regex pattern (v4) */\n  UUID: /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i,\n} as const;\n\n// =============================================================================\n// ERROR MESSAGES\n// =============================================================================\nexport const ERRORS = {\n  /** Generic error message (production) */\n  INTERNAL_SERVER_ERROR: 'Internal Server Error',\n  /** Input too large error */\n  INPUT_TOO_LARGE: (maxSize: number) => `Input exceeds maximum size of ${maxSize} bytes`,\n  /** Validation error messages */\n  VALIDATION: {\n    REQUIRED: (field: string) => `${field} is required`,\n    INVALID_TYPE: (field: string, type: string) => `${field} must be a ${type}`,\n    MIN_LENGTH: (field: string, min: number) => `${field} must be at least ${min} characters`,\n    MAX_LENGTH: (field: string, max: number) => `${field} must be at most ${max} characters`,\n    MIN_VALUE: (field: string, min: number) => `${field} must be at least ${min}`,\n    MAX_VALUE: (field: string, max: number) => `${field} must be at most ${max}`,\n    INVALID_FORMAT: (field: string) => `${field} format is invalid`,\n    INVALID_EMAIL: (field: string) => `${field} must be a valid email`,\n    INVALID_URL: (field: string) => `${field} must be a valid URL`,\n    INVALID_UUID: (field: string) => `${field} must be a valid UUID`,\n    INVALID_ENUM: (field: string, values: unknown[]) => `${field} must be one of: ${values.join(', ')}`,\n    MIN_ITEMS: (field: string, min: number) => `${field} must have at least ${min} items`,\n    MAX_ITEMS: (field: string, max: number) => `${field} must have at most ${max} items`,\n  },\n} as const;\n\n// =============================================================================\n// BLOCKED TEXT (for sanitizer replacements)\n// =============================================================================\nexport const BLOCKED = '[BLOCKED]' as const;\n","/**\n * @module @arcis/node/core/errors\n * Custom error classes for Arcis\n */\n\n/**\n * Base class for all Arcis errors\n */\nexport class ArcisError extends Error {\n  public readonly statusCode: number;\n  public readonly code: string;\n  /** Whether the error message is safe to expose to API clients. */\n  public readonly expose: boolean;\n\n  constructor(message: string, statusCode = 500, code = 'ARCIS_ERROR') {\n    super(message);\n    this.name = 'ArcisError';\n    this.statusCode = statusCode;\n    this.code = code;\n    // Client errors (4xx) have controlled messages — safe to expose.\n    // Server errors (5xx) may contain internal details — hide by default.\n    this.expose = statusCode < 500;\n\n    // Maintains proper stack trace for where error was thrown (V8 engines)\n    if (Error.captureStackTrace) {\n      Error.captureStackTrace(this, this.constructor);\n    }\n  }\n}\n\n/**\n * Error thrown when input validation fails\n */\nexport class ValidationError extends ArcisError {\n  public readonly errors: string[];\n\n  constructor(errors: string[]) {\n    super('Validation failed', 400, 'VALIDATION_ERROR');\n    this.name = 'ValidationError';\n    this.errors = errors;\n  }\n}\n\n/** Alias for ValidationError (backwards compatibility) */\nexport { ValidationError as ArcisValidationError };\n\n/**\n * Error thrown when rate limit is exceeded\n */\nexport class RateLimitError extends ArcisError {\n  public readonly retryAfter: number;\n\n  constructor(message: string, retryAfter: number) {\n    super(message, 429, 'RATE_LIMIT_EXCEEDED');\n    this.name = 'RateLimitError';\n    this.retryAfter = retryAfter;\n  }\n}\n\n/**\n * Error thrown when input is too large\n */\nexport class InputTooLargeError extends ArcisError {\n  public readonly maxSize: number;\n  public readonly actualSize: number;\n\n  constructor(maxSize: number, actualSize: number) {\n    super(`Input exceeds maximum size of ${maxSize} bytes`, 413, 'INPUT_TOO_LARGE');\n    this.name = 'InputTooLargeError';\n    this.maxSize = maxSize;\n    this.actualSize = actualSize;\n  }\n}\n\n/**\n * Error thrown when security threat is detected\n */\nexport class SecurityThreatError extends ArcisError {\n  public readonly threatType: string;\n  public readonly pattern: string;\n\n  constructor(threatType: string, pattern: string) {\n    super('Request blocked for security reasons', 400, 'SECURITY_THREAT');\n    this.name = 'SecurityThreatError';\n    this.threatType = threatType;\n    this.pattern = pattern;\n  }\n}\n\n/**\n * Error thrown when sanitization fails\n */\nexport class SanitizationError extends ArcisError {\n  constructor(message: string) {\n    super(message, 400, 'SANITIZATION_ERROR');\n    this.name = 'SanitizationError';\n  }\n}\n"]}

package/dist/core/index.mjs

@@ -71,7 +71,10 @@ var XSS_PATTERNS = [
   /** base href hijacking — redirects all relative URLs to attacker domain */
   /<base[\s>]/gi,
   /** link tag injection — stylesheet or preload CSRF attacks */
-  /<link[\s>]/gi
+  /<link[\s>]/gi,
+  /** style tag — CSS expression() / behavior: / IE-era attacks. Mirrors
+   *  Python's xss-style-tag from packages/core/patterns.json. */
+  /<style[\s>]/gi
 ];
 var SQL_PATTERNS = [
   /** SQL keywords */