npm - @arcis/node - Versions diffs - 1.4.3 → 1.4.4 - Mend

@arcis/node 1.4.3 → 1.4.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (45) hide show

package/README.md +11 -3
package/dist/cli/arcis.d.ts +23 -0
package/dist/cli/arcis.d.ts.map +1 -0
package/dist/cli/arcis.js +312 -0
package/dist/cli/arcis.js.map +1 -0
package/dist/cli/arcis.mjs +309 -0
package/dist/cli/arcis.mjs.map +1 -0
package/dist/core/constants.d.ts +1 -1
package/dist/core/constants.d.ts.map +1 -1
package/dist/core/index.js +4 -1
package/dist/core/index.js.map +1 -1
package/dist/core/index.mjs +4 -1
package/dist/core/index.mjs.map +1 -1
package/dist/core/types.d.ts +11 -0
package/dist/core/types.d.ts.map +1 -1
package/dist/index.js +253 -141
package/dist/index.js.map +1 -1
package/dist/index.mjs +253 -141
package/dist/index.mjs.map +1 -1
package/dist/logging/index.js.map +1 -1
package/dist/logging/index.mjs.map +1 -1
package/dist/middleware/bot-detection.d.ts.map +1 -1
package/dist/middleware/csrf.d.ts.map +1 -1
package/dist/middleware/index.js +224 -3
package/dist/middleware/index.js.map +1 -1
package/dist/middleware/index.mjs +224 -3
package/dist/middleware/index.mjs.map +1 -1
package/dist/middleware/main.d.ts.map +1 -1
package/dist/sanitizers/index.d.ts +2 -1
package/dist/sanitizers/index.d.ts.map +1 -1
package/dist/sanitizers/index.js +213 -145
package/dist/sanitizers/index.js.map +1 -1
package/dist/sanitizers/index.mjs +213 -146
package/dist/sanitizers/index.mjs.map +1 -1
package/dist/sanitizers/sanitize.d.ts +13 -0
package/dist/sanitizers/sanitize.d.ts.map +1 -1
package/dist/stores/index.js.map +1 -1
package/dist/stores/index.mjs.map +1 -1
package/dist/telemetry/client.d.ts +3 -0
package/dist/telemetry/client.d.ts.map +1 -1
package/dist/telemetry/types.d.ts +12 -0
package/dist/telemetry/types.d.ts.map +1 -1
package/dist/validation/index.js.map +1 -1
package/dist/validation/index.mjs.map +1 -1
package/package.json +4 -1

package/dist/logging/index.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"sources":["../../src/core/constants.ts","../../src/logging/redactor.ts"],"names":[],"mappings":";;;AAQO,IAAM,KAAA,GAAQ;AAAA,EAED;AAAA,EAElB,mBAAA,EAAqB;AACvB,CAAA;AA8PO,IAAM,SAAA,GAAY;AAAA;AAAA,EAEvB,WAAA,EAAa,YAAA;AAAA;AAAA,EAEb,SAAA,EAAW,aAAA;AAAA;AAAA,EAEX,SAAA,EAAW,aAAA;AAAA;AAAA,EAEX,kBAAA,EAAoB,GAAA;AAAA;AAAA,EAEpB,cAAA,sBAAoB,GAAA,CAAI;AAAA,IACtB,UAAA;AAAA,IAAY,QAAA;AAAA,IAAU,KAAA;AAAA,IAAO,QAAA;AAAA,IAAU,OAAA;AAAA,IAAS,QAAA;AAAA,IAChD,SAAA;AAAA,IAAW,QAAA;AAAA,IAAU,MAAA;AAAA,IAAQ,eAAA;AAAA,IAAiB,aAAA;AAAA,IAC9C,YAAA;AAAA,IAAc,IAAA;AAAA,IAAM,KAAA;AAAA,IAAO,iBAAA;AAAA,IAAmB,aAAA;AAAA,IAC9C,YAAA;AAAA,IAAc,cAAA;AAAA,IAAgB,aAAA;AAAA,IAAe,eAAA;AAAA,IAC7C,cAAA;AAAA,IAAgB,QAAA;AAAA,IAAU,KAAA;AAAA,IAAO,SAAA;AAAA,IAAW,QAAA;AAAA,IAC5C,aAAA;AAAA,IAAe,WAAA;AAAA,IAAa;AAAA,GAC7B;AACH,CAAA;;;ACrRA,IAAM,UAAA,GAAqC;AAAA,EACzC,KAAA,EAAO,CAAA;AAAA,EACP,IAAA,EAAM,CAAA;AAAA,EACN,IAAA,EAAM,CAAA;AAAA,EACN,KAAA,EAAO,CAAA;AAAA,EACP,MAAA,EAAQ;AACV,CAAA;AAiBO,SAAS,gBAAA,CAAiB,OAAA,GAAsB,EAAC,EAAe;AACrE,EAAA,MAAM;AAAA,IACJ,aAAa,EAAC;AAAA,IACd,YAAY,SAAA,CAAU,kBAAA;AAAA,IACtB,iBAAiB,EAAC;AAAA,IAClB,OAAO,QAAA,GAAW;AAAA,GACpB,GAAI,OAAA;AAEJ,EAAA,MAAM,WAAA,GAAc,UAAA,CAAW,QAAQ,CAAA,IAAK,CAAA;AAG5C,EAAA,MAAM,aAAA,uBAAoB,GAAA,CAAI;AAAA,IAC5B,GAAG,KAAA,CAAM,IAAA,CAAK,SAAA,CAAU,cAAc,CAAA;AAAA,IACtC,GAAG,UAAA,CAAW,GAAA,CAAI,CAAA,CAAA,KAAK,CAAA,CAAE,aAAa;AAAA,GACvC,CAAA;AAKD,EAAA,SAAS,MAAA,CAAO,GAAA,EAAc,KAAA,GAAQ,CAAA,EAAY;AAChD,IAAA,IAAI,KAAA,GAAQ,KAAA,CAAM,mBAAA,EAAqB,OAAO,SAAA,CAAU,SAAA;AACxD,IAAA,IAAI,GAAA,KAAQ,IAAA,IAAQ,GAAA,KAAQ,MAAA,EAAW,OAAO,GAAA;AAE9C,IAAA,IAAI,OAAO,QAAQ,QAAA,EAAU;AAC3B,MAAA,OAAO,YAAA,CAAa,GAAA,EAAK,SAAA,EAAW,cAAc,CAAA;AAAA,IACpD;AAEA,IAAA,IAAI,OAAO,GAAA,KAAQ,QAAA,EAAU,OAAO,GAAA;AAEpC,IAAA,IAAI,KAAA,CAAM,OAAA,CAAQ,GAAG,CAAA,EAAG;AACtB,MAAA,OAAO,IAAI,GAAA,CAAI,CAAA,IAAA,KAAQ,OAAO,IAAA,EAAM,KAAA,GAAQ,CAAC,CAAC,CAAA;AAAA,IAChD;AAEA,IAAA,MAAM,SAAkC,EAAC;AACzC,IAAA,KAAA,MAAW,CAAC,GAAA,EAAK,KAAK,KAAK,MAAA,CAAO,OAAA,CAAQ,GAA8B,CAAA,EAAG;AACzE,MAAA,IAAI,aAAA,CAAc,GAAA,CAAI,GAAA,CAAI,WAAA,EAAa,CAAA,EAAG;AACxC,QAAA,MAAA,CAAO,GAAG,IAAI,SAAA,CAAU,WAAA;AAAA,MAC1B,CAAA,MAAO;AACL,QAAA,MAAA,CAAO,GAAG,CAAA,GAAI,MAAA,CAAO,KAAA,EAAO,QAAQ,CAAC,CAAA;AAAA,MACvC;AAAA,IACF;AACA,IAAA,OAAO,MAAA;AAAA,EACT;AAKA,EAAA,SAAS,GAAA,CAAI,KAAA,EAAe,OAAA,EAAiB,IAAA,EAAsB;AAEjE,IAAA,MAAM,QAAA,GAAW,UAAA,CAAW,KAAK,CAAA,IAAK,CAAA;AACtC,IAAA,IAAI,WAAW,WAAA,EAAa;AAE5B,IAAA,MAAM,KAAA,GAAiC;AAAA,MACrC,SAAA,EAAA,iBAAW,IAAI,IAAA,EAAK,EAAE,WAAA,EAAY;AAAA,MAClC,KAAA;AAAA,MACA,OAAA,EAAS,YAAA,CAAa,OAAA,EAAS,SAAA,EAAW,cAAc;AAAA,KAC1D;AAEA,IAAA,IAAI,SAAS,MAAA,EAAW;AACtB,MAAA,KAAA,CAAM,IAAA,GAAO,OAAO,IAAI,CAAA;AAAA,IAC1B;AAEA,IAAA,OAAA,CAAQ,GAAA,CAAI,IAAA,CAAK,SAAA,CAAU,KAAK,CAAC,CAAA;AAAA,EACnC;AAEA,EAAA,OAAO;AAAA,IACL,GAAA;AAAA,IACA,MAAM,CAAC,GAAA,EAAa,SAAmB,GAAA,CAAI,MAAA,EAAQ,KAAK,IAAI,CAAA;AAAA,IAC5D,MAAM,CAAC,GAAA,EAAa,SAAmB,GAAA,CAAI,MAAA,EAAQ,KAAK,IAAI,CAAA;AAAA,IAC5D,OAAO,CAAC,GAAA,EAAa,SAAmB,GAAA,CAAI,OAAA,EAAS,KAAK,IAAI,CAAA;AAAA,IAC9D,OAAO,CAAC,GAAA,EAAa,SAAmB,GAAA,CAAI,OAAA,EAAS,KAAK,IAAI;AAAA,GAChE;AACF;AAMA,SAAS,YAAA,CAAa,GAAA,EAAa,SAAA,EAAmB,QAAA,EAA4B;AAIhF,EAAA,IAAI,IAAA,GAAO,IACR,OAAA,CAAQ,WAAA,EAAa,GAAG,CAAA,CACxB,OAAA,CAAQ,8CAA8C,EAAE,CAAA;AAG3D,EAAA,KAAA,MAAW,WAAW,QAAA,EAAU;AAC9B,IAAA,IAAA,GAAO,IAAA,CAAK,OAAA,CAAQ,OAAA,EAAS,SAAA,CAAU,WAAW,CAAA;AAAA,EACpD;AAGA,EAAA,IAAI,IAAA,CAAK,SAAS,SAAA,EAAW;AAC3B,IAAA,IAAA,GAAO,KAAK,SAAA,CAAU,CAAA,EAAG,SAAS,CAAA,GAAI,CAAA,GAAA,EAAM,UAAU,SAAS,CAAA,CAAA;AAAA,EACjE;AAEA,EAAA,OAAO,IAAA;AACT;AAQO,SAAS,cAAA,CAAe,aAAA,GAA0B,EAAC,EAA8B;AACtF,EAAA,MAAM,OAAA,uBAAc,GAAA,CAAI;AAAA,IACtB,GAAG,KAAA,CAAM,IAAA,CAAK,SAAA,CAAU,cAAc,CAAA;AAAA,IACtC,GAAG,aAAA,CAAc,GAAA,CAAI,CAAA,CAAA,KAAK,CAAA,CAAE,aAAa;AAAA,GAC1C,CAAA;AAED,EAAA,SAAS,MAAA,CAAO,GAAA,EAAc,KAAA,GAAQ,CAAA,EAAY;AAChD,IAAA,IAAI,KAAA,GAAQ,KAAA,CAAM,mBAAA,EAAqB,OAAO,SAAA,CAAU,SAAA;AACxD,IAAA,IAAI,GAAA,KAAQ,IAAA,IAAQ,GAAA,KAAQ,MAAA,EAAW,OAAO,GAAA;AAC9C,IAAA,IAAI,OAAO,GAAA,KAAQ,QAAA,EAAU,OAAO,GAAA;AAEpC,IAAA,IAAI,KAAA,CAAM,OAAA,CAAQ,GAAG,CAAA,EAAG;AACtB,MAAA,OAAO,IAAI,GAAA,CAAI,CAAA,IAAA,KAAQ,OAAO,IAAA,EAAM,KAAA,GAAQ,CAAC,CAAC,CAAA;AAAA,IAChD;AAEA,IAAA,MAAM,SAAkC,EAAC;AACzC,IAAA,KAAA,MAAW,CAAC,GAAA,EAAK,KAAK,KAAK,MAAA,CAAO,OAAA,CAAQ,GAA8B,CAAA,EAAG;AACzE,MAAA,IAAI,OAAA,CAAQ,GAAA,CAAI,GAAA,CAAI,WAAA,EAAa,CAAA,EAAG;AAClC,QAAA,MAAA,CAAO,GAAG,IAAI,SAAA,CAAU,WAAA;AAAA,MAC1B,CAAA,MAAO;AACL,QAAA,MAAA,CAAO,GAAG,CAAA,GAAI,MAAA,CAAO,KAAA,EAAO,QAAQ,CAAC,CAAA;AAAA,MACvC;AAAA,IACF;AACA,IAAA,OAAO,MAAA;AAAA,EACT;AAEA,EAAA,OAAO,MAAA;AACT;AAMO,IAAM,OAAA,GAAU","file":"index.js","sourcesContent":["/*\n @module @arcis/node/core/constants\n * Named constants for Arcis - no magic numbers\n /\n\n// =============================================================================\n// INPUT LIMITS\n// =============================================================================\nexport const INPUT = {\n /* Default maximum input size (1MB) /\n DEFAULT_MAX_SIZE: 1_000_000,\n /* Maximum recursion depth for nested objects /\n MAX_RECURSION_DEPTH: 10,\n} as const;\n\n// =============================================================================\n// RATE LIMITING\n// =============================================================================\nexport const RATE_LIMIT = {\n /* Default window size (1 minute) /\n DEFAULT_WINDOW_MS: 60_000,\n /* Default max requests per window /\n DEFAULT_MAX_REQUESTS: 100,\n /* Default HTTP status code for rate limited responses /\n DEFAULT_STATUS_CODE: 429,\n /* Default error message /\n DEFAULT_MESSAGE: 'Too many requests, please try again later.',\n /* Minimum window size (1 second) /\n MIN_WINDOW_MS: 1_000,\n /* Maximum window size (24 hours) /\n MAX_WINDOW_MS: 86_400_000,\n} as const;\n\n// =============================================================================\n// SECURITY HEADERS\n// =============================================================================\nexport const HEADERS = {\n /* Default Content Security Policy /\n DEFAULT_CSP: [\n \"default-src 'self'\",\n \"script-src 'self'\",\n \"style-src 'self' 'unsafe-inline'\",\n \"img-src 'self' data: https:\",\n \"font-src 'self'\",\n \"object-src 'none'\",\n \"frame-ancestors 'none'\",\n ].join('; '),\n /* Default HSTS max age (1 year in seconds) /\n HSTS_MAX_AGE: 31_536_000,\n /* Default X-Frame-Options value /\n FRAME_OPTIONS: 'DENY' as const,\n /* Default X-Content-Type-Options value /\n CONTENT_TYPE_OPTIONS: 'nosniff',\n /* Default Referrer-Policy value /\n REFERRER_POLICY: 'strict-origin-when-cross-origin',\n /* Default Permissions-Policy value /\n PERMISSIONS_POLICY: 'geolocation=(), microphone=(), camera=()',\n /* Default Cache-Control value for security /\n CACHE_CONTROL: 'no-store, no-cache, must-revalidate, proxy-revalidate',\n} as const;\n\n// =============================================================================\n// XSS PATTERNS (ReDoS-safe)\n// =============================================================================\n\n/\n Detection patterns — used to flag whether a string contains XSS payloads.\n * Must stay in sync with XSS_REMOVE_PATTERNS below.\n /\nexport const XSS_PATTERNS = [\n /* Script tags (ReDoS-safe version) /\n /<script[^>]>[\\s\\S]?<\\/script>/gi,\n /* javascript: protocol (allow optional spaces before colon) /\n /javascript\\s:/gi,\n /** vbscript: protocol /\n /vbscript\\s:/gi,\n /** Event handlers (onclick, onerror, etc.) — any separator before attribute /\n /(?:[\\s/])on\\w+\\s=/gi,\n /** iframe tags /\n /<iframe/gi,\n /* object tags /\n /<object/gi,\n /* embed tags /\n /<embed/gi,\n /* data: URIs (only dangerous ones, avoid false positives) /\n /(?:^\|[\\s\"'=])data:/gi,\n /* URL-encoded script tags /\n /%3Cscript/gi,\n /* SVG with onload /\n /<svg[^>]onload/gi,\n /** form tags — phishing/credential harvesting via action= redirection /\n /<form[\\s>]/gi,\n /* meta tags — http-equiv refresh redirects or CSP bypass /\n /<meta[\\s>]/gi,\n /* base href hijacking — redirects all relative URLs to attacker domain /\n /<base[\\s>]/gi,\n /* link tag injection — stylesheet or preload CSRF attacks /\n /<link[\\s>]/gi,\n] as const;\n\n/\n Removal patterns — used by sanitizeXss() to strip dangerous content.\n * More targeted than XSS_PATTERNS: each pattern captures the full dangerous\n * substring (tag, attribute + value, protocol) so it can be replaced safely.\n * Must stay in sync with XSS_PATTERNS above.\n /\nexport const XSS_REMOVE_PATTERNS = [\n /* Full script blocks (content + tags) /\n /<script[^>]>[\\s\\S]?<\\/script>/gi,\n /* Standalone/unclosed script tags /\n /<script[^>]>/gi,\n /** style — CSS expression() and behavior: attacks (IE-era but still relevant) /\n /<style[^>]>[\\s\\S]?<\\/style>/gi,\n /<style[^>]/gi,\n /** iframe — full block and partial/unclosed /\n /<iframe[^>]>[\\s\\S]?<\\/iframe>/gi,\n /<iframe[^>]/gi,\n /** object — full block and partial/unclosed /\n /<object[^>]>[\\s\\S]?<\\/object>/gi,\n /<object[^>]/gi,\n /** embed tags /\n /<embed[^>]/gi,\n /** SVG with inline event handlers /\n /<svg[^>]onload[^>]>/gi,\n /* URL-encoded script tags /\n /%3Cscript/gi,\n /* Event handlers with quoted values: onclick=\"...\", onerror='...' /\n /(?:[\\s/])on\\w+\\s=\\s[\"'][^\"'][\"']/gi,\n /** Event handlers with unquoted values: onload=value /\n /(?:[\\s/])on\\w+\\s=\\s[^\\s>]/gi,\n /** javascript: and vbscript: protocols (allow optional spaces before colon) /\n /javascript\\s:/gi,\n /vbscript\\s:/gi,\n /* data: URIs with HTML/script content /\n /data\\s:\\stext\\/html[^>\\s]/gi,\n /** form tag injection — phishing via action= redirection /\n /<form[\\s>][^>]/gi,\n /** meta tag injection — http-equiv refresh or CSP bypass /\n /<meta[\\s>][^>]/gi,\n /** base href hijacking /\n /<base[\\s>][^>]/gi,\n /** link tag injection — stylesheet or preload attacks /\n /<link[\\s>][^>]/gi,\n] as const;\n\n// =============================================================================\n// SQL INJECTION PATTERNS\n// =============================================================================\nexport const SQL_PATTERNS = [\n /** SQL keywords /\n /(\\b(SELECT\|INSERT\|UPDATE\|DELETE\|DROP\|UNION\|ALTER\|CREATE\|TRUNCATE\|EXEC\|EXECUTE)\\b)/gi,\n /* SQL comments: ANSI (--), C-style (slash-star ... star-slash), MySQL (#) /\n /(--\|\\/\\\|\\\\/\|#)/g,\n /* SQL statement separators /\n /(;\|\\\|\\\|\|&&)/g,\n /* Boolean injection: OR 1=1 /\n /\\bOR\\s+\\d+\\s=\\s\\d+/gi,\n /* Boolean injection: OR 'a'='a' or OR \"a\"=\"a\" (including mixed quotes) /\n /\\bOR\\s+(['\"])[^'\"]\\1\\s=\\s(['\"])[^'\"]\\2/gi,\n /\\bOR\\s+('[^']'\|\"[^\"]\")\\s=\\s('[^']'\|\"[^\"]\")/gi,\n /* Boolean injection: AND 1=1 /\n /\\bAND\\s+\\d+\\s=\\s\\d+/gi,\n /* Boolean injection: AND 'a'='a' or AND \"a\"=\"a\" (including mixed quotes) /\n /\\bAND\\s+(['\"])[^'\"]\\1\\s=\\s(['\"])[^'\"]\\2/gi,\n /\\bAND\\s+('[^']'\|\"[^\"]\")\\s=\\s('[^']'\|\"[^\"]\")/gi,\n /* Time-based blind: SLEEP() /\n /\\bSLEEP\\s\$\\s\\d+\\s\$/gi,\n /** Time-based blind: BENCHMARK() /\n /\\bBENCHMARK\\s\\(/gi,\n /** Time-based blind: PostgreSQL pg_sleep() /\n /\\bpg_sleep\\s\\(/gi,\n /** Time-based blind: MSSQL WAITFOR DELAY /\n /\\bWAITFOR\\s+DELAY\\b/gi,\n] as const;\n\n// =============================================================================\n// PATH TRAVERSAL PATTERNS\n// =============================================================================\nexport const PATH_PATTERNS = [\n /* Unix path traversal /\n /\\.\\.\\//g,\n /* Windows path traversal /\n /\\.\\.\\\\/g,\n /* URL-encoded traversal (%2e%2e) /\n /%2e%2e/gi,\n /* Double URL-encoded traversal (%252e) /\n /%252e/gi,\n /* Mixed encoding: ..%2F /\n /\\.\\.%2F/gi,\n /* Mixed encoding: %2e./ and .%2e/ /\n /%2e\\.[\\\\/]/gi,\n /\\.%2e[\\\\/]/gi,\n /* Fully URL-encoded: %2e%2e%2f /\n /%2e%2e%2f/gi,\n /* Double URL-encoded forward slash: %252f /\n /%252f/gi,\n /* Dotdotslash bypass: ....// or ....\\\\ /\n /\\.{2,}[/\\\\]{2,}/g,\n /* Null byte injection in paths /\n /\\0/g,\n] as const;\n\n// =============================================================================\n// COMMAND INJECTION PATTERNS\n// =============================================================================\nexport const COMMAND_PATTERNS = [\n /\n Shell metacharacters that enable command chaining/substitution.\n * Bare ( and ) are excluded — they appear in common legitimate values\n * (function calls in code fields, math expressions, etc.).\n * Command substitution is caught by the $( combined pattern below.\n * NOTE: ';', '&', '\|' may appear in legitimate URL query strings\n * and Markdown; consider disabling command checking (command: false)\n * for fields that intentionally allow those characters.\n /\n /[;&\|`]/g,\n /* Command substitution: $( ... ) — matched as a pair to reduce false positives /\n /\\$\\(/g,\n /* URL-encoded control characters (%00-%0F): null, tab, vtab, formfeed, LF, CR /\n /%0[0-9a-f]/gi,\n] as const;\n\n// =============================================================================\n// DANGEROUS KEYS\n// =============================================================================\n\n/\n Prototype pollution keys to block.\n * Stored lowercase — always compare with key.toLowerCase().\n \n Includes:\n * - __proto__: direct prototype assignment\n * - constructor: access to constructor.prototype chain\n * - prototype: direct prototype property\n * - __defineGetter__/__defineSetter__: legacy property definition (can override getters/setters)\n * - __lookupGetter__/__lookupSetter__: legacy property introspection\n /\nexport const DANGEROUS_PROTO_KEYS = new Set([\n '__proto__',\n 'constructor',\n 'prototype',\n '__definegetter__',\n '__definesetter__',\n '__lookupgetter__',\n '__lookupsetter__',\n]);\n\n/* MongoDB operators to block /\nexport const NOSQL_DANGEROUS_KEYS = new Set([\n // Comparison\n '$gt', '$gte', '$lt', '$lte', '$ne', '$eq', '$in', '$nin',\n // Logical\n '$and', '$or', '$not', '$nor',\n // Element / evaluation\n '$exists', '$type', '$regex', '$where', '$expr', '$mod', '$text', '$jsonSchema',\n // Array\n '$elemMatch', '$all', '$size',\n // JavaScript execution (critical)\n '$function', '$accumulator',\n // Aggregation pipeline operators (injectable via $lookup etc.)\n '$lookup', '$match', '$project', '$group', '$sort', '$limit', '$skip',\n '$unwind', '$addFields', '$replaceRoot',\n]);\n\n// =============================================================================\n// REDACTION\n// =============================================================================\nexport const REDACTION = {\n /* Replacement text for redacted values /\n REPLACEMENT: '[REDACTED]',\n /* Truncation indicator /\n TRUNCATED: '[TRUNCATED]',\n /* Max depth indicator /\n MAX_DEPTH: '[MAX_DEPTH]',\n /* Default max message length /\n DEFAULT_MAX_LENGTH: 10_000,\n /* Default sensitive keys to redact /\n SENSITIVE_KEYS: new Set([\n 'password', 'passwd', 'pwd', 'secret', 'token', 'apikey',\n 'api_key', 'apiKey', 'auth', 'authorization', 'credit_card',\n 'creditcard', 'cc', 'ssn', 'social_security', 'private_key',\n 'privateKey', 'access_token', 'accessToken', 'refresh_token',\n 'refreshToken', 'bearer', 'jwt', 'session', 'cookie',\n 'credentials', 'x-api-key', 'x-auth-token',\n ]),\n} as const;\n\n// =============================================================================\n// VALIDATION PATTERNS\n// =============================================================================\nexport const VALIDATION = {\n /\n Email regex pattern.\n * Rejects consecutive dots in local part (e.g. test..foo@example.com),\n * leading/trailing dots, and other common invalid forms.\n /\n EMAIL: /^[^\\s@.][^\\s@](?:\\.[^\\s@.][^\\s@])@[^\\s@]+\\.[^\\s@]+$/,\n /*\n URL regex pattern.\n * Only allows http:// and https:// — explicitly rejects javascript:,\n * data:, vbscript:, and other dangerous URI schemes.\n /\n URL: /^https?:\\/\\/[^\\s/$.?#][^\\s]$/,\n /** UUID regex pattern (v4) /\n UUID: /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i,\n} as const;\n\n// =============================================================================\n// ERROR MESSAGES\n// =============================================================================\nexport const ERRORS = {\n /* Generic error message (production) /\n INTERNAL_SERVER_ERROR: 'Internal Server Error',\n /* Input too large error /\n INPUT_TOO_LARGE: (maxSize: number) => `Input exceeds maximum size of ${maxSize} bytes`,\n /* Validation error messages /\n VALIDATION: {\n REQUIRED: (field: string) => `${field} is required`,\n INVALID_TYPE: (field: string, type: string) => `${field} must be a ${type}`,\n MIN_LENGTH: (field: string, min: number) => `${field} must be at least ${min} characters`,\n MAX_LENGTH: (field: string, max: number) => `${field} must be at most ${max} characters`,\n MIN_VALUE: (field: string, min: number) => `${field} must be at least ${min}`,\n MAX_VALUE: (field: string, max: number) => `${field} must be at most ${max}`,\n INVALID_FORMAT: (field: string) => `${field} format is invalid`,\n INVALID_EMAIL: (field: string) => `${field} must be a valid email`,\n INVALID_URL: (field: string) => `${field} must be a valid URL`,\n INVALID_UUID: (field: string) => `${field} must be a valid UUID`,\n INVALID_ENUM: (field: string, values: unknown[]) => `${field} must be one of: ${values.join(', ')}`,\n MIN_ITEMS: (field: string, min: number) => `${field} must have at least ${min} items`,\n MAX_ITEMS: (field: string, max: number) => `${field} must have at most ${max} items`,\n },\n} as const;\n\n// =============================================================================\n// BLOCKED TEXT (for sanitizer replacements)\n// =============================================================================\nexport const BLOCKED = '[BLOCKED]' as const;\n","/\n @module @arcis/node/logging/redactor\n * Safe logging with PII/secret redaction\n /\n\nimport { REDACTION, INPUT } from '../core/constants';\nimport type { LogOptions, SafeLogger } from '../core/types';\n\nconst LOG_LEVELS: Record<string, number> = {\n debug: 0,\n info: 1,\n warn: 2,\n error: 3,\n silent: 4,\n};\n\n/\n Create a safe logger that redacts sensitive data and prevents log injection.\n * \n * @param options - Logger configuration\n * @returns SafeLogger instance\n * \n * @example\n * const logger = createSafeLogger();\n * logger.info('User login', { email: 'user@test.com', password: 'secret' });\n * // Logs: { \"email\": \"user@test.com\", \"password\": \"[REDACTED]\" }\n * \n * @example\n * // With custom redact keys\n * const logger = createSafeLogger({ redactKeys: ['customToken', 'internalId'] });\n /\nexport function createSafeLogger(options: LogOptions = {}): SafeLogger {\n const {\n redactKeys = [],\n maxLength = REDACTION.DEFAULT_MAX_LENGTH,\n redactPatterns = [],\n level: minLevel = 'debug',\n } = options;\n\n const minLevelNum = LOG_LEVELS[minLevel] ?? 0;\n\n // Combine default and custom keys (lowercase for case-insensitive matching)\n const allRedactKeys = new Set([\n ...Array.from(REDACTION.SENSITIVE_KEYS),\n ...redactKeys.map(k => k.toLowerCase()),\n ]);\n\n /\n Redact sensitive data from an object recursively.\n /\n function redact(obj: unknown, depth = 0): unknown {\n if (depth > INPUT.MAX_RECURSION_DEPTH) return REDACTION.MAX_DEPTH;\n if (obj === null \|\| obj === undefined) return obj;\n\n if (typeof obj === 'string') {\n return redactString(obj, maxLength, redactPatterns);\n }\n\n if (typeof obj !== 'object') return obj;\n\n if (Array.isArray(obj)) {\n return obj.map(item => redact(item, depth + 1));\n }\n\n const result: Record<string, unknown> = {};\n for (const [key, value] of Object.entries(obj as Record<string, unknown>)) {\n if (allRedactKeys.has(key.toLowerCase())) {\n result[key] = REDACTION.REPLACEMENT;\n } else {\n result[key] = redact(value, depth + 1);\n }\n }\n return result;\n }\n\n /\n Log a message at the specified level.\n /\n function log(level: string, message: string, data?: unknown): void {\n // Early exit: skip all work if message level is below minimum\n const levelNum = LOG_LEVELS[level] ?? 0;\n if (levelNum < minLevelNum) return;\n\n const entry: Record<string, unknown> = {\n timestamp: new Date().toISOString(),\n level,\n message: redactString(message, maxLength, redactPatterns),\n };\n\n if (data !== undefined) {\n entry.data = redact(data);\n }\n\n console.log(JSON.stringify(entry));\n }\n\n return {\n log,\n info: (msg: string, data?: unknown) => log('info', msg, data),\n warn: (msg: string, data?: unknown) => log('warn', msg, data),\n error: (msg: string, data?: unknown) => log('error', msg, data),\n debug: (msg: string, data?: unknown) => log('debug', msg, data),\n };\n}\n\n/\n Redact a string value.\n * Removes newlines (log injection prevention), applies patterns, and truncates.\n /\nfunction redactString(str: string, maxLength: number, patterns: RegExp[]): string {\n // Remove newlines/tabs (log injection prevention) and genuine control characters.\n // Only strip C0/C1 control chars and null bytes — preserve all printable Unicode\n // (CJK, Cyrillic, Arabic, etc.) so multilingual content isn't silently lost.\n let safe = str\n .replace(/[\\r\\n\\t]/g, ' ')\n .replace(/[\\x00-\\x08\\x0B\\x0C\\x0E-\\x1F\\x7F\\x80-\\x9F]/g, '');\n\n // Apply custom redaction patterns\n for (const pattern of patterns) {\n safe = safe.replace(pattern, REDACTION.REPLACEMENT);\n }\n\n // Truncate if too long\n if (safe.length > maxLength) {\n safe = safe.substring(0, maxLength) + `...${REDACTION.TRUNCATED}`;\n }\n\n return safe;\n}\n\n/\n Create a redactor function for custom use.\n * \n * @param sensitiveKeys - Keys to redact\n * @returns Redactor function\n /\nexport function createRedactor(sensitiveKeys: string[] = []): (obj: unknown) => unknown {\n const allKeys = new Set([\n ...Array.from(REDACTION.SENSITIVE_KEYS),\n ...sensitiveKeys.map(k => k.toLowerCase()),\n ]);\n\n function redact(obj: unknown, depth = 0): unknown {\n if (depth > INPUT.MAX_RECURSION_DEPTH) return REDACTION.MAX_DEPTH;\n if (obj === null \|\| obj === undefined) return obj;\n if (typeof obj !== 'object') return obj;\n\n if (Array.isArray(obj)) {\n return obj.map(item => redact(item, depth + 1));\n }\n\n const result: Record<string, unknown> = {};\n for (const [key, value] of Object.entries(obj as Record<string, unknown>)) {\n if (allKeys.has(key.toLowerCase())) {\n result[key] = REDACTION.REPLACEMENT;\n } else {\n result[key] = redact(value, depth + 1);\n }\n }\n return result;\n }\n\n return redact;\n}\n\n/\n Alias for createSafeLogger\n * @see createSafeLogger\n */\nexport const safeLog = createSafeLogger;\n"]}
1	+ {"version":3,"sources":["../../src/core/constants.ts","../../src/logging/redactor.ts"],"names":[],"mappings":";;;AAQO,IAAM,KAAA,GAAQ;AAAA,EAED;AAAA,EAElB,mBAAA,EAAqB;AACvB,CAAA;AAiQO,IAAM,SAAA,GAAY;AAAA;AAAA,EAEvB,WAAA,EAAa,YAAA;AAAA;AAAA,EAEb,SAAA,EAAW,aAAA;AAAA;AAAA,EAEX,SAAA,EAAW,aAAA;AAAA;AAAA,EAEX,kBAAA,EAAoB,GAAA;AAAA;AAAA,EAEpB,cAAA,sBAAoB,GAAA,CAAI;AAAA,IACtB,UAAA;AAAA,IAAY,QAAA;AAAA,IAAU,KAAA;AAAA,IAAO,QAAA;AAAA,IAAU,OAAA;AAAA,IAAS,QAAA;AAAA,IAChD,SAAA;AAAA,IAAW,QAAA;AAAA,IAAU,MAAA;AAAA,IAAQ,eAAA;AAAA,IAAiB,aAAA;AAAA,IAC9C,YAAA;AAAA,IAAc,IAAA;AAAA,IAAM,KAAA;AAAA,IAAO,iBAAA;AAAA,IAAmB,aAAA;AAAA,IAC9C,YAAA;AAAA,IAAc,cAAA;AAAA,IAAgB,aAAA;AAAA,IAAe,eAAA;AAAA,IAC7C,cAAA;AAAA,IAAgB,QAAA;AAAA,IAAU,KAAA;AAAA,IAAO,SAAA;AAAA,IAAW,QAAA;AAAA,IAC5C,aAAA;AAAA,IAAe,WAAA;AAAA,IAAa;AAAA,GAC7B;AACH,CAAA;;;ACxRA,IAAM,UAAA,GAAqC;AAAA,EACzC,KAAA,EAAO,CAAA;AAAA,EACP,IAAA,EAAM,CAAA;AAAA,EACN,IAAA,EAAM,CAAA;AAAA,EACN,KAAA,EAAO,CAAA;AAAA,EACP,MAAA,EAAQ;AACV,CAAA;AAiBO,SAAS,gBAAA,CAAiB,OAAA,GAAsB,EAAC,EAAe;AACrE,EAAA,MAAM;AAAA,IACJ,aAAa,EAAC;AAAA,IACd,YAAY,SAAA,CAAU,kBAAA;AAAA,IACtB,iBAAiB,EAAC;AAAA,IAClB,OAAO,QAAA,GAAW;AAAA,GACpB,GAAI,OAAA;AAEJ,EAAA,MAAM,WAAA,GAAc,UAAA,CAAW,QAAQ,CAAA,IAAK,CAAA;AAG5C,EAAA,MAAM,aAAA,uBAAoB,GAAA,CAAI;AAAA,IAC5B,GAAG,KAAA,CAAM,IAAA,CAAK,SAAA,CAAU,cAAc,CAAA;AAAA,IACtC,GAAG,UAAA,CAAW,GAAA,CAAI,CAAA,CAAA,KAAK,CAAA,CAAE,aAAa;AAAA,GACvC,CAAA;AAKD,EAAA,SAAS,MAAA,CAAO,GAAA,EAAc,KAAA,GAAQ,CAAA,EAAY;AAChD,IAAA,IAAI,KAAA,GAAQ,KAAA,CAAM,mBAAA,EAAqB,OAAO,SAAA,CAAU,SAAA;AACxD,IAAA,IAAI,GAAA,KAAQ,IAAA,IAAQ,GAAA,KAAQ,MAAA,EAAW,OAAO,GAAA;AAE9C,IAAA,IAAI,OAAO,QAAQ,QAAA,EAAU;AAC3B,MAAA,OAAO,YAAA,CAAa,GAAA,EAAK,SAAA,EAAW,cAAc,CAAA;AAAA,IACpD;AAEA,IAAA,IAAI,OAAO,GAAA,KAAQ,QAAA,EAAU,OAAO,GAAA;AAEpC,IAAA,IAAI,KAAA,CAAM,OAAA,CAAQ,GAAG,CAAA,EAAG;AACtB,MAAA,OAAO,IAAI,GAAA,CAAI,CAAA,IAAA,KAAQ,OAAO,IAAA,EAAM,KAAA,GAAQ,CAAC,CAAC,CAAA;AAAA,IAChD;AAEA,IAAA,MAAM,SAAkC,EAAC;AACzC,IAAA,KAAA,MAAW,CAAC,GAAA,EAAK,KAAK,KAAK,MAAA,CAAO,OAAA,CAAQ,GAA8B,CAAA,EAAG;AACzE,MAAA,IAAI,aAAA,CAAc,GAAA,CAAI,GAAA,CAAI,WAAA,EAAa,CAAA,EAAG;AACxC,QAAA,MAAA,CAAO,GAAG,IAAI,SAAA,CAAU,WAAA;AAAA,MAC1B,CAAA,MAAO;AACL,QAAA,MAAA,CAAO,GAAG,CAAA,GAAI,MAAA,CAAO,KAAA,EAAO,QAAQ,CAAC,CAAA;AAAA,MACvC;AAAA,IACF;AACA,IAAA,OAAO,MAAA;AAAA,EACT;AAKA,EAAA,SAAS,GAAA,CAAI,KAAA,EAAe,OAAA,EAAiB,IAAA,EAAsB;AAEjE,IAAA,MAAM,QAAA,GAAW,UAAA,CAAW,KAAK,CAAA,IAAK,CAAA;AACtC,IAAA,IAAI,WAAW,WAAA,EAAa;AAE5B,IAAA,MAAM,KAAA,GAAiC;AAAA,MACrC,SAAA,EAAA,iBAAW,IAAI,IAAA,EAAK,EAAE,WAAA,EAAY;AAAA,MAClC,KAAA;AAAA,MACA,OAAA,EAAS,YAAA,CAAa,OAAA,EAAS,SAAA,EAAW,cAAc;AAAA,KAC1D;AAEA,IAAA,IAAI,SAAS,MAAA,EAAW;AACtB,MAAA,KAAA,CAAM,IAAA,GAAO,OAAO,IAAI,CAAA;AAAA,IAC1B;AAEA,IAAA,OAAA,CAAQ,GAAA,CAAI,IAAA,CAAK,SAAA,CAAU,KAAK,CAAC,CAAA;AAAA,EACnC;AAEA,EAAA,OAAO;AAAA,IACL,GAAA;AAAA,IACA,MAAM,CAAC,GAAA,EAAa,SAAmB,GAAA,CAAI,MAAA,EAAQ,KAAK,IAAI,CAAA;AAAA,IAC5D,MAAM,CAAC,GAAA,EAAa,SAAmB,GAAA,CAAI,MAAA,EAAQ,KAAK,IAAI,CAAA;AAAA,IAC5D,OAAO,CAAC,GAAA,EAAa,SAAmB,GAAA,CAAI,OAAA,EAAS,KAAK,IAAI,CAAA;AAAA,IAC9D,OAAO,CAAC,GAAA,EAAa,SAAmB,GAAA,CAAI,OAAA,EAAS,KAAK,IAAI;AAAA,GAChE;AACF;AAMA,SAAS,YAAA,CAAa,GAAA,EAAa,SAAA,EAAmB,QAAA,EAA4B;AAIhF,EAAA,IAAI,IAAA,GAAO,IACR,OAAA,CAAQ,WAAA,EAAa,GAAG,CAAA,CACxB,OAAA,CAAQ,8CAA8C,EAAE,CAAA;AAG3D,EAAA,KAAA,MAAW,WAAW,QAAA,EAAU;AAC9B,IAAA,IAAA,GAAO,IAAA,CAAK,OAAA,CAAQ,OAAA,EAAS,SAAA,CAAU,WAAW,CAAA;AAAA,EACpD;AAGA,EAAA,IAAI,IAAA,CAAK,SAAS,SAAA,EAAW;AAC3B,IAAA,IAAA,GAAO,KAAK,SAAA,CAAU,CAAA,EAAG,SAAS,CAAA,GAAI,CAAA,GAAA,EAAM,UAAU,SAAS,CAAA,CAAA;AAAA,EACjE;AAEA,EAAA,OAAO,IAAA;AACT;AAQO,SAAS,cAAA,CAAe,aAAA,GAA0B,EAAC,EAA8B;AACtF,EAAA,MAAM,OAAA,uBAAc,GAAA,CAAI;AAAA,IACtB,GAAG,KAAA,CAAM,IAAA,CAAK,SAAA,CAAU,cAAc,CAAA;AAAA,IACtC,GAAG,aAAA,CAAc,GAAA,CAAI,CAAA,CAAA,KAAK,CAAA,CAAE,aAAa;AAAA,GAC1C,CAAA;AAED,EAAA,SAAS,MAAA,CAAO,GAAA,EAAc,KAAA,GAAQ,CAAA,EAAY;AAChD,IAAA,IAAI,KAAA,GAAQ,KAAA,CAAM,mBAAA,EAAqB,OAAO,SAAA,CAAU,SAAA;AACxD,IAAA,IAAI,GAAA,KAAQ,IAAA,IAAQ,GAAA,KAAQ,MAAA,EAAW,OAAO,GAAA;AAC9C,IAAA,IAAI,OAAO,GAAA,KAAQ,QAAA,EAAU,OAAO,GAAA;AAEpC,IAAA,IAAI,KAAA,CAAM,OAAA,CAAQ,GAAG,CAAA,EAAG;AACtB,MAAA,OAAO,IAAI,GAAA,CAAI,CAAA,IAAA,KAAQ,OAAO,IAAA,EAAM,KAAA,GAAQ,CAAC,CAAC,CAAA;AAAA,IAChD;AAEA,IAAA,MAAM,SAAkC,EAAC;AACzC,IAAA,KAAA,MAAW,CAAC,GAAA,EAAK,KAAK,KAAK,MAAA,CAAO,OAAA,CAAQ,GAA8B,CAAA,EAAG;AACzE,MAAA,IAAI,OAAA,CAAQ,GAAA,CAAI,GAAA,CAAI,WAAA,EAAa,CAAA,EAAG;AAClC,QAAA,MAAA,CAAO,GAAG,IAAI,SAAA,CAAU,WAAA;AAAA,MAC1B,CAAA,MAAO;AACL,QAAA,MAAA,CAAO,GAAG,CAAA,GAAI,MAAA,CAAO,KAAA,EAAO,QAAQ,CAAC,CAAA;AAAA,MACvC;AAAA,IACF;AACA,IAAA,OAAO,MAAA;AAAA,EACT;AAEA,EAAA,OAAO,MAAA;AACT;AAMO,IAAM,OAAA,GAAU","file":"index.js","sourcesContent":["/*\n @module @arcis/node/core/constants\n * Named constants for Arcis - no magic numbers\n /\n\n// =============================================================================\n// INPUT LIMITS\n// =============================================================================\nexport const INPUT = {\n /* Default maximum input size (1MB) /\n DEFAULT_MAX_SIZE: 1_000_000,\n /* Maximum recursion depth for nested objects /\n MAX_RECURSION_DEPTH: 10,\n} as const;\n\n// =============================================================================\n// RATE LIMITING\n// =============================================================================\nexport const RATE_LIMIT = {\n /* Default window size (1 minute) /\n DEFAULT_WINDOW_MS: 60_000,\n /* Default max requests per window /\n DEFAULT_MAX_REQUESTS: 100,\n /* Default HTTP status code for rate limited responses /\n DEFAULT_STATUS_CODE: 429,\n /* Default error message /\n DEFAULT_MESSAGE: 'Too many requests, please try again later.',\n /* Minimum window size (1 second) /\n MIN_WINDOW_MS: 1_000,\n /* Maximum window size (24 hours) /\n MAX_WINDOW_MS: 86_400_000,\n} as const;\n\n// =============================================================================\n// SECURITY HEADERS\n// =============================================================================\nexport const HEADERS = {\n /* Default Content Security Policy /\n DEFAULT_CSP: [\n \"default-src 'self'\",\n \"script-src 'self'\",\n \"style-src 'self' 'unsafe-inline'\",\n \"img-src 'self' data: https:\",\n \"font-src 'self'\",\n \"object-src 'none'\",\n \"frame-ancestors 'none'\",\n ].join('; '),\n /* Default HSTS max age (1 year in seconds) /\n HSTS_MAX_AGE: 31_536_000,\n /* Default X-Frame-Options value /\n FRAME_OPTIONS: 'DENY' as const,\n /* Default X-Content-Type-Options value /\n CONTENT_TYPE_OPTIONS: 'nosniff',\n /* Default Referrer-Policy value /\n REFERRER_POLICY: 'strict-origin-when-cross-origin',\n /* Default Permissions-Policy value /\n PERMISSIONS_POLICY: 'geolocation=(), microphone=(), camera=()',\n /* Default Cache-Control value for security /\n CACHE_CONTROL: 'no-store, no-cache, must-revalidate, proxy-revalidate',\n} as const;\n\n// =============================================================================\n// XSS PATTERNS (ReDoS-safe)\n// =============================================================================\n\n/\n Detection patterns — used to flag whether a string contains XSS payloads.\n * Must stay in sync with XSS_REMOVE_PATTERNS below.\n /\nexport const XSS_PATTERNS = [\n /* Script tags (ReDoS-safe version) /\n /<script[^>]>[\\s\\S]?<\\/script>/gi,\n /* javascript: protocol (allow optional spaces before colon) /\n /javascript\\s:/gi,\n /** vbscript: protocol /\n /vbscript\\s:/gi,\n /** Event handlers (onclick, onerror, etc.) — any separator before attribute /\n /(?:[\\s/])on\\w+\\s=/gi,\n /** iframe tags /\n /<iframe/gi,\n /* object tags /\n /<object/gi,\n /* embed tags /\n /<embed/gi,\n /* data: URIs (only dangerous ones, avoid false positives) /\n /(?:^\|[\\s\"'=])data:/gi,\n /* URL-encoded script tags /\n /%3Cscript/gi,\n /* SVG with onload /\n /<svg[^>]onload/gi,\n /** form tags — phishing/credential harvesting via action= redirection /\n /<form[\\s>]/gi,\n /* meta tags — http-equiv refresh redirects or CSP bypass /\n /<meta[\\s>]/gi,\n /* base href hijacking — redirects all relative URLs to attacker domain /\n /<base[\\s>]/gi,\n /* link tag injection — stylesheet or preload CSRF attacks /\n /<link[\\s>]/gi,\n /* style tag — CSS expression() / behavior: / IE-era attacks. Mirrors\n * Python's xss-style-tag from packages/core/patterns.json. /\n /<style[\\s>]/gi,\n] as const;\n\n/\n Removal patterns — used by sanitizeXss() to strip dangerous content.\n * More targeted than XSS_PATTERNS: each pattern captures the full dangerous\n * substring (tag, attribute + value, protocol) so it can be replaced safely.\n * Must stay in sync with XSS_PATTERNS above.\n /\nexport const XSS_REMOVE_PATTERNS = [\n /* Full script blocks (content + tags) /\n /<script[^>]>[\\s\\S]?<\\/script>/gi,\n /* Standalone/unclosed script tags /\n /<script[^>]>/gi,\n /** style — CSS expression() and behavior: attacks (IE-era but still relevant) /\n /<style[^>]>[\\s\\S]?<\\/style>/gi,\n /<style[^>]/gi,\n /** iframe — full block and partial/unclosed /\n /<iframe[^>]>[\\s\\S]?<\\/iframe>/gi,\n /<iframe[^>]/gi,\n /** object — full block and partial/unclosed /\n /<object[^>]>[\\s\\S]?<\\/object>/gi,\n /<object[^>]/gi,\n /** embed tags /\n /<embed[^>]/gi,\n /** SVG with inline event handlers /\n /<svg[^>]onload[^>]>/gi,\n /* URL-encoded script tags /\n /%3Cscript/gi,\n /* Event handlers with quoted values: onclick=\"...\", onerror='...' /\n /(?:[\\s/])on\\w+\\s=\\s[\"'][^\"'][\"']/gi,\n /** Event handlers with unquoted values: onload=value /\n /(?:[\\s/])on\\w+\\s=\\s[^\\s>]/gi,\n /** javascript: and vbscript: protocols (allow optional spaces before colon) /\n /javascript\\s:/gi,\n /vbscript\\s:/gi,\n /* data: URIs with HTML/script content /\n /data\\s:\\stext\\/html[^>\\s]/gi,\n /** form tag injection — phishing via action= redirection /\n /<form[\\s>][^>]/gi,\n /** meta tag injection — http-equiv refresh or CSP bypass /\n /<meta[\\s>][^>]/gi,\n /** base href hijacking /\n /<base[\\s>][^>]/gi,\n /** link tag injection — stylesheet or preload attacks /\n /<link[\\s>][^>]/gi,\n] as const;\n\n// =============================================================================\n// SQL INJECTION PATTERNS\n// =============================================================================\nexport const SQL_PATTERNS = [\n /** SQL keywords /\n /(\\b(SELECT\|INSERT\|UPDATE\|DELETE\|DROP\|UNION\|ALTER\|CREATE\|TRUNCATE\|EXEC\|EXECUTE)\\b)/gi,\n /* SQL comments: ANSI (--), C-style (slash-star ... star-slash), MySQL (#) /\n /(--\|\\/\\\|\\\\/\|#)/g,\n /* SQL statement separators /\n /(;\|\\\|\\\|\|&&)/g,\n /* Boolean injection: OR 1=1 /\n /\\bOR\\s+\\d+\\s=\\s\\d+/gi,\n /* Boolean injection: OR 'a'='a' or OR \"a\"=\"a\" (including mixed quotes) /\n /\\bOR\\s+(['\"])[^'\"]\\1\\s=\\s(['\"])[^'\"]\\2/gi,\n /\\bOR\\s+('[^']'\|\"[^\"]\")\\s=\\s('[^']'\|\"[^\"]\")/gi,\n /* Boolean injection: AND 1=1 /\n /\\bAND\\s+\\d+\\s=\\s\\d+/gi,\n /* Boolean injection: AND 'a'='a' or AND \"a\"=\"a\" (including mixed quotes) /\n /\\bAND\\s+(['\"])[^'\"]\\1\\s=\\s(['\"])[^'\"]\\2/gi,\n /\\bAND\\s+('[^']'\|\"[^\"]\")\\s=\\s('[^']'\|\"[^\"]\")/gi,\n /* Time-based blind: SLEEP() /\n /\\bSLEEP\\s\$\\s\\d+\\s\$/gi,\n /** Time-based blind: BENCHMARK() /\n /\\bBENCHMARK\\s\\(/gi,\n /** Time-based blind: PostgreSQL pg_sleep() /\n /\\bpg_sleep\\s\\(/gi,\n /** Time-based blind: MSSQL WAITFOR DELAY /\n /\\bWAITFOR\\s+DELAY\\b/gi,\n] as const;\n\n// =============================================================================\n// PATH TRAVERSAL PATTERNS\n// =============================================================================\nexport const PATH_PATTERNS = [\n /* Unix path traversal /\n /\\.\\.\\//g,\n /* Windows path traversal /\n /\\.\\.\\\\/g,\n /* URL-encoded traversal (%2e%2e) /\n /%2e%2e/gi,\n /* Double URL-encoded traversal (%252e) /\n /%252e/gi,\n /* Mixed encoding: ..%2F /\n /\\.\\.%2F/gi,\n /* Mixed encoding: %2e./ and .%2e/ /\n /%2e\\.[\\\\/]/gi,\n /\\.%2e[\\\\/]/gi,\n /* Fully URL-encoded: %2e%2e%2f /\n /%2e%2e%2f/gi,\n /* Double URL-encoded forward slash: %252f /\n /%252f/gi,\n /* Dotdotslash bypass: ....// or ....\\\\ /\n /\\.{2,}[/\\\\]{2,}/g,\n /* Null byte injection in paths /\n /\\0/g,\n] as const;\n\n// =============================================================================\n// COMMAND INJECTION PATTERNS\n// =============================================================================\nexport const COMMAND_PATTERNS = [\n /\n Shell metacharacters that enable command chaining/substitution.\n * Bare ( and ) are excluded — they appear in common legitimate values\n * (function calls in code fields, math expressions, etc.).\n * Command substitution is caught by the $( combined pattern below.\n * NOTE: ';', '&', '\|' may appear in legitimate URL query strings\n * and Markdown; consider disabling command checking (command: false)\n * for fields that intentionally allow those characters.\n /\n /[;&\|`]/g,\n /* Command substitution: $( ... ) — matched as a pair to reduce false positives /\n /\\$\\(/g,\n /* URL-encoded control characters (%00-%0F): null, tab, vtab, formfeed, LF, CR /\n /%0[0-9a-f]/gi,\n] as const;\n\n// =============================================================================\n// DANGEROUS KEYS\n// =============================================================================\n\n/\n Prototype pollution keys to block.\n * Stored lowercase — always compare with key.toLowerCase().\n \n Includes:\n * - __proto__: direct prototype assignment\n * - constructor: access to constructor.prototype chain\n * - prototype: direct prototype property\n * - __defineGetter__/__defineSetter__: legacy property definition (can override getters/setters)\n * - __lookupGetter__/__lookupSetter__: legacy property introspection\n /\nexport const DANGEROUS_PROTO_KEYS = new Set([\n '__proto__',\n 'constructor',\n 'prototype',\n '__definegetter__',\n '__definesetter__',\n '__lookupgetter__',\n '__lookupsetter__',\n]);\n\n/* MongoDB operators to block /\nexport const NOSQL_DANGEROUS_KEYS = new Set([\n // Comparison\n '$gt', '$gte', '$lt', '$lte', '$ne', '$eq', '$in', '$nin',\n // Logical\n '$and', '$or', '$not', '$nor',\n // Element / evaluation\n '$exists', '$type', '$regex', '$where', '$expr', '$mod', '$text', '$jsonSchema',\n // Array\n '$elemMatch', '$all', '$size',\n // JavaScript execution (critical)\n '$function', '$accumulator',\n // Aggregation pipeline operators (injectable via $lookup etc.)\n '$lookup', '$match', '$project', '$group', '$sort', '$limit', '$skip',\n '$unwind', '$addFields', '$replaceRoot',\n]);\n\n// =============================================================================\n// REDACTION\n// =============================================================================\nexport const REDACTION = {\n /* Replacement text for redacted values /\n REPLACEMENT: '[REDACTED]',\n /* Truncation indicator /\n TRUNCATED: '[TRUNCATED]',\n /* Max depth indicator /\n MAX_DEPTH: '[MAX_DEPTH]',\n /* Default max message length /\n DEFAULT_MAX_LENGTH: 10_000,\n /* Default sensitive keys to redact /\n SENSITIVE_KEYS: new Set([\n 'password', 'passwd', 'pwd', 'secret', 'token', 'apikey',\n 'api_key', 'apiKey', 'auth', 'authorization', 'credit_card',\n 'creditcard', 'cc', 'ssn', 'social_security', 'private_key',\n 'privateKey', 'access_token', 'accessToken', 'refresh_token',\n 'refreshToken', 'bearer', 'jwt', 'session', 'cookie',\n 'credentials', 'x-api-key', 'x-auth-token',\n ]),\n} as const;\n\n// =============================================================================\n// VALIDATION PATTERNS\n// =============================================================================\nexport const VALIDATION = {\n /\n Email regex pattern.\n * Rejects consecutive dots in local part (e.g. test..foo@example.com),\n * leading/trailing dots, and other common invalid forms.\n /\n EMAIL: /^[^\\s@.][^\\s@](?:\\.[^\\s@.][^\\s@])@[^\\s@]+\\.[^\\s@]+$/,\n /*\n URL regex pattern.\n * Only allows http:// and https:// — explicitly rejects javascript:,\n * data:, vbscript:, and other dangerous URI schemes.\n /\n URL: /^https?:\\/\\/[^\\s/$.?#][^\\s]$/,\n /** UUID regex pattern (v4) /\n UUID: /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i,\n} as const;\n\n// =============================================================================\n// ERROR MESSAGES\n// =============================================================================\nexport const ERRORS = {\n /* Generic error message (production) /\n INTERNAL_SERVER_ERROR: 'Internal Server Error',\n /* Input too large error /\n INPUT_TOO_LARGE: (maxSize: number) => `Input exceeds maximum size of ${maxSize} bytes`,\n /* Validation error messages /\n VALIDATION: {\n REQUIRED: (field: string) => `${field} is required`,\n INVALID_TYPE: (field: string, type: string) => `${field} must be a ${type}`,\n MIN_LENGTH: (field: string, min: number) => `${field} must be at least ${min} characters`,\n MAX_LENGTH: (field: string, max: number) => `${field} must be at most ${max} characters`,\n MIN_VALUE: (field: string, min: number) => `${field} must be at least ${min}`,\n MAX_VALUE: (field: string, max: number) => `${field} must be at most ${max}`,\n INVALID_FORMAT: (field: string) => `${field} format is invalid`,\n INVALID_EMAIL: (field: string) => `${field} must be a valid email`,\n INVALID_URL: (field: string) => `${field} must be a valid URL`,\n INVALID_UUID: (field: string) => `${field} must be a valid UUID`,\n INVALID_ENUM: (field: string, values: unknown[]) => `${field} must be one of: ${values.join(', ')}`,\n MIN_ITEMS: (field: string, min: number) => `${field} must have at least ${min} items`,\n MAX_ITEMS: (field: string, max: number) => `${field} must have at most ${max} items`,\n },\n} as const;\n\n// =============================================================================\n// BLOCKED TEXT (for sanitizer replacements)\n// =============================================================================\nexport const BLOCKED = '[BLOCKED]' as const;\n","/\n @module @arcis/node/logging/redactor\n * Safe logging with PII/secret redaction\n /\n\nimport { REDACTION, INPUT } from '../core/constants';\nimport type { LogOptions, SafeLogger } from '../core/types';\n\nconst LOG_LEVELS: Record<string, number> = {\n debug: 0,\n info: 1,\n warn: 2,\n error: 3,\n silent: 4,\n};\n\n/\n Create a safe logger that redacts sensitive data and prevents log injection.\n * \n * @param options - Logger configuration\n * @returns SafeLogger instance\n * \n * @example\n * const logger = createSafeLogger();\n * logger.info('User login', { email: 'user@test.com', password: 'secret' });\n * // Logs: { \"email\": \"user@test.com\", \"password\": \"[REDACTED]\" }\n * \n * @example\n * // With custom redact keys\n * const logger = createSafeLogger({ redactKeys: ['customToken', 'internalId'] });\n /\nexport function createSafeLogger(options: LogOptions = {}): SafeLogger {\n const {\n redactKeys = [],\n maxLength = REDACTION.DEFAULT_MAX_LENGTH,\n redactPatterns = [],\n level: minLevel = 'debug',\n } = options;\n\n const minLevelNum = LOG_LEVELS[minLevel] ?? 0;\n\n // Combine default and custom keys (lowercase for case-insensitive matching)\n const allRedactKeys = new Set([\n ...Array.from(REDACTION.SENSITIVE_KEYS),\n ...redactKeys.map(k => k.toLowerCase()),\n ]);\n\n /\n Redact sensitive data from an object recursively.\n /\n function redact(obj: unknown, depth = 0): unknown {\n if (depth > INPUT.MAX_RECURSION_DEPTH) return REDACTION.MAX_DEPTH;\n if (obj === null \|\| obj === undefined) return obj;\n\n if (typeof obj === 'string') {\n return redactString(obj, maxLength, redactPatterns);\n }\n\n if (typeof obj !== 'object') return obj;\n\n if (Array.isArray(obj)) {\n return obj.map(item => redact(item, depth + 1));\n }\n\n const result: Record<string, unknown> = {};\n for (const [key, value] of Object.entries(obj as Record<string, unknown>)) {\n if (allRedactKeys.has(key.toLowerCase())) {\n result[key] = REDACTION.REPLACEMENT;\n } else {\n result[key] = redact(value, depth + 1);\n }\n }\n return result;\n }\n\n /\n Log a message at the specified level.\n /\n function log(level: string, message: string, data?: unknown): void {\n // Early exit: skip all work if message level is below minimum\n const levelNum = LOG_LEVELS[level] ?? 0;\n if (levelNum < minLevelNum) return;\n\n const entry: Record<string, unknown> = {\n timestamp: new Date().toISOString(),\n level,\n message: redactString(message, maxLength, redactPatterns),\n };\n\n if (data !== undefined) {\n entry.data = redact(data);\n }\n\n console.log(JSON.stringify(entry));\n }\n\n return {\n log,\n info: (msg: string, data?: unknown) => log('info', msg, data),\n warn: (msg: string, data?: unknown) => log('warn', msg, data),\n error: (msg: string, data?: unknown) => log('error', msg, data),\n debug: (msg: string, data?: unknown) => log('debug', msg, data),\n };\n}\n\n/\n Redact a string value.\n * Removes newlines (log injection prevention), applies patterns, and truncates.\n /\nfunction redactString(str: string, maxLength: number, patterns: RegExp[]): string {\n // Remove newlines/tabs (log injection prevention) and genuine control characters.\n // Only strip C0/C1 control chars and null bytes — preserve all printable Unicode\n // (CJK, Cyrillic, Arabic, etc.) so multilingual content isn't silently lost.\n let safe = str\n .replace(/[\\r\\n\\t]/g, ' ')\n .replace(/[\\x00-\\x08\\x0B\\x0C\\x0E-\\x1F\\x7F\\x80-\\x9F]/g, '');\n\n // Apply custom redaction patterns\n for (const pattern of patterns) {\n safe = safe.replace(pattern, REDACTION.REPLACEMENT);\n }\n\n // Truncate if too long\n if (safe.length > maxLength) {\n safe = safe.substring(0, maxLength) + `...${REDACTION.TRUNCATED}`;\n }\n\n return safe;\n}\n\n/\n Create a redactor function for custom use.\n * \n * @param sensitiveKeys - Keys to redact\n * @returns Redactor function\n /\nexport function createRedactor(sensitiveKeys: string[] = []): (obj: unknown) => unknown {\n const allKeys = new Set([\n ...Array.from(REDACTION.SENSITIVE_KEYS),\n ...sensitiveKeys.map(k => k.toLowerCase()),\n ]);\n\n function redact(obj: unknown, depth = 0): unknown {\n if (depth > INPUT.MAX_RECURSION_DEPTH) return REDACTION.MAX_DEPTH;\n if (obj === null \|\| obj === undefined) return obj;\n if (typeof obj !== 'object') return obj;\n\n if (Array.isArray(obj)) {\n return obj.map(item => redact(item, depth + 1));\n }\n\n const result: Record<string, unknown> = {};\n for (const [key, value] of Object.entries(obj as Record<string, unknown>)) {\n if (allKeys.has(key.toLowerCase())) {\n result[key] = REDACTION.REPLACEMENT;\n } else {\n result[key] = redact(value, depth + 1);\n }\n }\n return result;\n }\n\n return redact;\n}\n\n/\n Alias for createSafeLogger\n * @see createSafeLogger\n */\nexport const safeLog = createSafeLogger;\n"]}

package/dist/logging/index.mjs.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"sources":["../../src/core/constants.ts","../../src/logging/redactor.ts"],"names":[],"mappings":";AAQO,IAAM,KAAA,GAAQ;AAAA,EAED;AAAA,EAElB,mBAAA,EAAqB;AACvB,CAAA;AA8PO,IAAM,SAAA,GAAY;AAAA;AAAA,EAEvB,WAAA,EAAa,YAAA;AAAA;AAAA,EAEb,SAAA,EAAW,aAAA;AAAA;AAAA,EAEX,SAAA,EAAW,aAAA;AAAA;AAAA,EAEX,kBAAA,EAAoB,GAAA;AAAA;AAAA,EAEpB,cAAA,sBAAoB,GAAA,CAAI;AAAA,IACtB,UAAA;AAAA,IAAY,QAAA;AAAA,IAAU,KAAA;AAAA,IAAO,QAAA;AAAA,IAAU,OAAA;AAAA,IAAS,QAAA;AAAA,IAChD,SAAA;AAAA,IAAW,QAAA;AAAA,IAAU,MAAA;AAAA,IAAQ,eAAA;AAAA,IAAiB,aAAA;AAAA,IAC9C,YAAA;AAAA,IAAc,IAAA;AAAA,IAAM,KAAA;AAAA,IAAO,iBAAA;AAAA,IAAmB,aAAA;AAAA,IAC9C,YAAA;AAAA,IAAc,cAAA;AAAA,IAAgB,aAAA;AAAA,IAAe,eAAA;AAAA,IAC7C,cAAA;AAAA,IAAgB,QAAA;AAAA,IAAU,KAAA;AAAA,IAAO,SAAA;AAAA,IAAW,QAAA;AAAA,IAC5C,aAAA;AAAA,IAAe,WAAA;AAAA,IAAa;AAAA,GAC7B;AACH,CAAA;;;ACrRA,IAAM,UAAA,GAAqC;AAAA,EACzC,KAAA,EAAO,CAAA;AAAA,EACP,IAAA,EAAM,CAAA;AAAA,EACN,IAAA,EAAM,CAAA;AAAA,EACN,KAAA,EAAO,CAAA;AAAA,EACP,MAAA,EAAQ;AACV,CAAA;AAiBO,SAAS,gBAAA,CAAiB,OAAA,GAAsB,EAAC,EAAe;AACrE,EAAA,MAAM;AAAA,IACJ,aAAa,EAAC;AAAA,IACd,YAAY,SAAA,CAAU,kBAAA;AAAA,IACtB,iBAAiB,EAAC;AAAA,IAClB,OAAO,QAAA,GAAW;AAAA,GACpB,GAAI,OAAA;AAEJ,EAAA,MAAM,WAAA,GAAc,UAAA,CAAW,QAAQ,CAAA,IAAK,CAAA;AAG5C,EAAA,MAAM,aAAA,uBAAoB,GAAA,CAAI;AAAA,IAC5B,GAAG,KAAA,CAAM,IAAA,CAAK,SAAA,CAAU,cAAc,CAAA;AAAA,IACtC,GAAG,UAAA,CAAW,GAAA,CAAI,CAAA,CAAA,KAAK,CAAA,CAAE,aAAa;AAAA,GACvC,CAAA;AAKD,EAAA,SAAS,MAAA,CAAO,GAAA,EAAc,KAAA,GAAQ,CAAA,EAAY;AAChD,IAAA,IAAI,KAAA,GAAQ,KAAA,CAAM,mBAAA,EAAqB,OAAO,SAAA,CAAU,SAAA;AACxD,IAAA,IAAI,GAAA,KAAQ,IAAA,IAAQ,GAAA,KAAQ,MAAA,EAAW,OAAO,GAAA;AAE9C,IAAA,IAAI,OAAO,QAAQ,QAAA,EAAU;AAC3B,MAAA,OAAO,YAAA,CAAa,GAAA,EAAK,SAAA,EAAW,cAAc,CAAA;AAAA,IACpD;AAEA,IAAA,IAAI,OAAO,GAAA,KAAQ,QAAA,EAAU,OAAO,GAAA;AAEpC,IAAA,IAAI,KAAA,CAAM,OAAA,CAAQ,GAAG,CAAA,EAAG;AACtB,MAAA,OAAO,IAAI,GAAA,CAAI,CAAA,IAAA,KAAQ,OAAO,IAAA,EAAM,KAAA,GAAQ,CAAC,CAAC,CAAA;AAAA,IAChD;AAEA,IAAA,MAAM,SAAkC,EAAC;AACzC,IAAA,KAAA,MAAW,CAAC,GAAA,EAAK,KAAK,KAAK,MAAA,CAAO,OAAA,CAAQ,GAA8B,CAAA,EAAG;AACzE,MAAA,IAAI,aAAA,CAAc,GAAA,CAAI,GAAA,CAAI,WAAA,EAAa,CAAA,EAAG;AACxC,QAAA,MAAA,CAAO,GAAG,IAAI,SAAA,CAAU,WAAA;AAAA,MAC1B,CAAA,MAAO;AACL,QAAA,MAAA,CAAO,GAAG,CAAA,GAAI,MAAA,CAAO,KAAA,EAAO,QAAQ,CAAC,CAAA;AAAA,MACvC;AAAA,IACF;AACA,IAAA,OAAO,MAAA;AAAA,EACT;AAKA,EAAA,SAAS,GAAA,CAAI,KAAA,EAAe,OAAA,EAAiB,IAAA,EAAsB;AAEjE,IAAA,MAAM,QAAA,GAAW,UAAA,CAAW,KAAK,CAAA,IAAK,CAAA;AACtC,IAAA,IAAI,WAAW,WAAA,EAAa;AAE5B,IAAA,MAAM,KAAA,GAAiC;AAAA,MACrC,SAAA,EAAA,iBAAW,IAAI,IAAA,EAAK,EAAE,WAAA,EAAY;AAAA,MAClC,KAAA;AAAA,MACA,OAAA,EAAS,YAAA,CAAa,OAAA,EAAS,SAAA,EAAW,cAAc;AAAA,KAC1D;AAEA,IAAA,IAAI,SAAS,MAAA,EAAW;AACtB,MAAA,KAAA,CAAM,IAAA,GAAO,OAAO,IAAI,CAAA;AAAA,IAC1B;AAEA,IAAA,OAAA,CAAQ,GAAA,CAAI,IAAA,CAAK,SAAA,CAAU,KAAK,CAAC,CAAA;AAAA,EACnC;AAEA,EAAA,OAAO;AAAA,IACL,GAAA;AAAA,IACA,MAAM,CAAC,GAAA,EAAa,SAAmB,GAAA,CAAI,MAAA,EAAQ,KAAK,IAAI,CAAA;AAAA,IAC5D,MAAM,CAAC,GAAA,EAAa,SAAmB,GAAA,CAAI,MAAA,EAAQ,KAAK,IAAI,CAAA;AAAA,IAC5D,OAAO,CAAC,GAAA,EAAa,SAAmB,GAAA,CAAI,OAAA,EAAS,KAAK,IAAI,CAAA;AAAA,IAC9D,OAAO,CAAC,GAAA,EAAa,SAAmB,GAAA,CAAI,OAAA,EAAS,KAAK,IAAI;AAAA,GAChE;AACF;AAMA,SAAS,YAAA,CAAa,GAAA,EAAa,SAAA,EAAmB,QAAA,EAA4B;AAIhF,EAAA,IAAI,IAAA,GAAO,IACR,OAAA,CAAQ,WAAA,EAAa,GAAG,CAAA,CACxB,OAAA,CAAQ,8CAA8C,EAAE,CAAA;AAG3D,EAAA,KAAA,MAAW,WAAW,QAAA,EAAU;AAC9B,IAAA,IAAA,GAAO,IAAA,CAAK,OAAA,CAAQ,OAAA,EAAS,SAAA,CAAU,WAAW,CAAA;AAAA,EACpD;AAGA,EAAA,IAAI,IAAA,CAAK,SAAS,SAAA,EAAW;AAC3B,IAAA,IAAA,GAAO,KAAK,SAAA,CAAU,CAAA,EAAG,SAAS,CAAA,GAAI,CAAA,GAAA,EAAM,UAAU,SAAS,CAAA,CAAA;AAAA,EACjE;AAEA,EAAA,OAAO,IAAA;AACT;AAQO,SAAS,cAAA,CAAe,aAAA,GAA0B,EAAC,EAA8B;AACtF,EAAA,MAAM,OAAA,uBAAc,GAAA,CAAI;AAAA,IACtB,GAAG,KAAA,CAAM,IAAA,CAAK,SAAA,CAAU,cAAc,CAAA;AAAA,IACtC,GAAG,aAAA,CAAc,GAAA,CAAI,CAAA,CAAA,KAAK,CAAA,CAAE,aAAa;AAAA,GAC1C,CAAA;AAED,EAAA,SAAS,MAAA,CAAO,GAAA,EAAc,KAAA,GAAQ,CAAA,EAAY;AAChD,IAAA,IAAI,KAAA,GAAQ,KAAA,CAAM,mBAAA,EAAqB,OAAO,SAAA,CAAU,SAAA;AACxD,IAAA,IAAI,GAAA,KAAQ,IAAA,IAAQ,GAAA,KAAQ,MAAA,EAAW,OAAO,GAAA;AAC9C,IAAA,IAAI,OAAO,GAAA,KAAQ,QAAA,EAAU,OAAO,GAAA;AAEpC,IAAA,IAAI,KAAA,CAAM,OAAA,CAAQ,GAAG,CAAA,EAAG;AACtB,MAAA,OAAO,IAAI,GAAA,CAAI,CAAA,IAAA,KAAQ,OAAO,IAAA,EAAM,KAAA,GAAQ,CAAC,CAAC,CAAA;AAAA,IAChD;AAEA,IAAA,MAAM,SAAkC,EAAC;AACzC,IAAA,KAAA,MAAW,CAAC,GAAA,EAAK,KAAK,KAAK,MAAA,CAAO,OAAA,CAAQ,GAA8B,CAAA,EAAG;AACzE,MAAA,IAAI,OAAA,CAAQ,GAAA,CAAI,GAAA,CAAI,WAAA,EAAa,CAAA,EAAG;AAClC,QAAA,MAAA,CAAO,GAAG,IAAI,SAAA,CAAU,WAAA;AAAA,MAC1B,CAAA,MAAO;AACL,QAAA,MAAA,CAAO,GAAG,CAAA,GAAI,MAAA,CAAO,KAAA,EAAO,QAAQ,CAAC,CAAA;AAAA,MACvC;AAAA,IACF;AACA,IAAA,OAAO,MAAA;AAAA,EACT;AAEA,EAAA,OAAO,MAAA;AACT;AAMO,IAAM,OAAA,GAAU","file":"index.mjs","sourcesContent":["/*\n @module @arcis/node/core/constants\n * Named constants for Arcis - no magic numbers\n /\n\n// =============================================================================\n// INPUT LIMITS\n// =============================================================================\nexport const INPUT = {\n /* Default maximum input size (1MB) /\n DEFAULT_MAX_SIZE: 1_000_000,\n /* Maximum recursion depth for nested objects /\n MAX_RECURSION_DEPTH: 10,\n} as const;\n\n// =============================================================================\n// RATE LIMITING\n// =============================================================================\nexport const RATE_LIMIT = {\n /* Default window size (1 minute) /\n DEFAULT_WINDOW_MS: 60_000,\n /* Default max requests per window /\n DEFAULT_MAX_REQUESTS: 100,\n /* Default HTTP status code for rate limited responses /\n DEFAULT_STATUS_CODE: 429,\n /* Default error message /\n DEFAULT_MESSAGE: 'Too many requests, please try again later.',\n /* Minimum window size (1 second) /\n MIN_WINDOW_MS: 1_000,\n /* Maximum window size (24 hours) /\n MAX_WINDOW_MS: 86_400_000,\n} as const;\n\n// =============================================================================\n// SECURITY HEADERS\n// =============================================================================\nexport const HEADERS = {\n /* Default Content Security Policy /\n DEFAULT_CSP: [\n \"default-src 'self'\",\n \"script-src 'self'\",\n \"style-src 'self' 'unsafe-inline'\",\n \"img-src 'self' data: https:\",\n \"font-src 'self'\",\n \"object-src 'none'\",\n \"frame-ancestors 'none'\",\n ].join('; '),\n /* Default HSTS max age (1 year in seconds) /\n HSTS_MAX_AGE: 31_536_000,\n /* Default X-Frame-Options value /\n FRAME_OPTIONS: 'DENY' as const,\n /* Default X-Content-Type-Options value /\n CONTENT_TYPE_OPTIONS: 'nosniff',\n /* Default Referrer-Policy value /\n REFERRER_POLICY: 'strict-origin-when-cross-origin',\n /* Default Permissions-Policy value /\n PERMISSIONS_POLICY: 'geolocation=(), microphone=(), camera=()',\n /* Default Cache-Control value for security /\n CACHE_CONTROL: 'no-store, no-cache, must-revalidate, proxy-revalidate',\n} as const;\n\n// =============================================================================\n// XSS PATTERNS (ReDoS-safe)\n// =============================================================================\n\n/\n Detection patterns — used to flag whether a string contains XSS payloads.\n * Must stay in sync with XSS_REMOVE_PATTERNS below.\n /\nexport const XSS_PATTERNS = [\n /* Script tags (ReDoS-safe version) /\n /<script[^>]>[\\s\\S]?<\\/script>/gi,\n /* javascript: protocol (allow optional spaces before colon) /\n /javascript\\s:/gi,\n /** vbscript: protocol /\n /vbscript\\s:/gi,\n /** Event handlers (onclick, onerror, etc.) — any separator before attribute /\n /(?:[\\s/])on\\w+\\s=/gi,\n /** iframe tags /\n /<iframe/gi,\n /* object tags /\n /<object/gi,\n /* embed tags /\n /<embed/gi,\n /* data: URIs (only dangerous ones, avoid false positives) /\n /(?:^\|[\\s\"'=])data:/gi,\n /* URL-encoded script tags /\n /%3Cscript/gi,\n /* SVG with onload /\n /<svg[^>]onload/gi,\n /** form tags — phishing/credential harvesting via action= redirection /\n /<form[\\s>]/gi,\n /* meta tags — http-equiv refresh redirects or CSP bypass /\n /<meta[\\s>]/gi,\n /* base href hijacking — redirects all relative URLs to attacker domain /\n /<base[\\s>]/gi,\n /* link tag injection — stylesheet or preload CSRF attacks /\n /<link[\\s>]/gi,\n] as const;\n\n/\n Removal patterns — used by sanitizeXss() to strip dangerous content.\n * More targeted than XSS_PATTERNS: each pattern captures the full dangerous\n * substring (tag, attribute + value, protocol) so it can be replaced safely.\n * Must stay in sync with XSS_PATTERNS above.\n /\nexport const XSS_REMOVE_PATTERNS = [\n /* Full script blocks (content + tags) /\n /<script[^>]>[\\s\\S]?<\\/script>/gi,\n /* Standalone/unclosed script tags /\n /<script[^>]>/gi,\n /** style — CSS expression() and behavior: attacks (IE-era but still relevant) /\n /<style[^>]>[\\s\\S]?<\\/style>/gi,\n /<style[^>]/gi,\n /** iframe — full block and partial/unclosed /\n /<iframe[^>]>[\\s\\S]?<\\/iframe>/gi,\n /<iframe[^>]/gi,\n /** object — full block and partial/unclosed /\n /<object[^>]>[\\s\\S]?<\\/object>/gi,\n /<object[^>]/gi,\n /** embed tags /\n /<embed[^>]/gi,\n /** SVG with inline event handlers /\n /<svg[^>]onload[^>]>/gi,\n /* URL-encoded script tags /\n /%3Cscript/gi,\n /* Event handlers with quoted values: onclick=\"...\", onerror='...' /\n /(?:[\\s/])on\\w+\\s=\\s[\"'][^\"'][\"']/gi,\n /** Event handlers with unquoted values: onload=value /\n /(?:[\\s/])on\\w+\\s=\\s[^\\s>]/gi,\n /** javascript: and vbscript: protocols (allow optional spaces before colon) /\n /javascript\\s:/gi,\n /vbscript\\s:/gi,\n /* data: URIs with HTML/script content /\n /data\\s:\\stext\\/html[^>\\s]/gi,\n /** form tag injection — phishing via action= redirection /\n /<form[\\s>][^>]/gi,\n /** meta tag injection — http-equiv refresh or CSP bypass /\n /<meta[\\s>][^>]/gi,\n /** base href hijacking /\n /<base[\\s>][^>]/gi,\n /** link tag injection — stylesheet or preload attacks /\n /<link[\\s>][^>]/gi,\n] as const;\n\n// =============================================================================\n// SQL INJECTION PATTERNS\n// =============================================================================\nexport const SQL_PATTERNS = [\n /** SQL keywords /\n /(\\b(SELECT\|INSERT\|UPDATE\|DELETE\|DROP\|UNION\|ALTER\|CREATE\|TRUNCATE\|EXEC\|EXECUTE)\\b)/gi,\n /* SQL comments: ANSI (--), C-style (slash-star ... star-slash), MySQL (#) /\n /(--\|\\/\\\|\\\\/\|#)/g,\n /* SQL statement separators /\n /(;\|\\\|\\\|\|&&)/g,\n /* Boolean injection: OR 1=1 /\n /\\bOR\\s+\\d+\\s=\\s\\d+/gi,\n /* Boolean injection: OR 'a'='a' or OR \"a\"=\"a\" (including mixed quotes) /\n /\\bOR\\s+(['\"])[^'\"]\\1\\s=\\s(['\"])[^'\"]\\2/gi,\n /\\bOR\\s+('[^']'\|\"[^\"]\")\\s=\\s('[^']'\|\"[^\"]\")/gi,\n /* Boolean injection: AND 1=1 /\n /\\bAND\\s+\\d+\\s=\\s\\d+/gi,\n /* Boolean injection: AND 'a'='a' or AND \"a\"=\"a\" (including mixed quotes) /\n /\\bAND\\s+(['\"])[^'\"]\\1\\s=\\s(['\"])[^'\"]\\2/gi,\n /\\bAND\\s+('[^']'\|\"[^\"]\")\\s=\\s('[^']'\|\"[^\"]\")/gi,\n /* Time-based blind: SLEEP() /\n /\\bSLEEP\\s\$\\s\\d+\\s\$/gi,\n /** Time-based blind: BENCHMARK() /\n /\\bBENCHMARK\\s\\(/gi,\n /** Time-based blind: PostgreSQL pg_sleep() /\n /\\bpg_sleep\\s\\(/gi,\n /** Time-based blind: MSSQL WAITFOR DELAY /\n /\\bWAITFOR\\s+DELAY\\b/gi,\n] as const;\n\n// =============================================================================\n// PATH TRAVERSAL PATTERNS\n// =============================================================================\nexport const PATH_PATTERNS = [\n /* Unix path traversal /\n /\\.\\.\\//g,\n /* Windows path traversal /\n /\\.\\.\\\\/g,\n /* URL-encoded traversal (%2e%2e) /\n /%2e%2e/gi,\n /* Double URL-encoded traversal (%252e) /\n /%252e/gi,\n /* Mixed encoding: ..%2F /\n /\\.\\.%2F/gi,\n /* Mixed encoding: %2e./ and .%2e/ /\n /%2e\\.[\\\\/]/gi,\n /\\.%2e[\\\\/]/gi,\n /* Fully URL-encoded: %2e%2e%2f /\n /%2e%2e%2f/gi,\n /* Double URL-encoded forward slash: %252f /\n /%252f/gi,\n /* Dotdotslash bypass: ....// or ....\\\\ /\n /\\.{2,}[/\\\\]{2,}/g,\n /* Null byte injection in paths /\n /\\0/g,\n] as const;\n\n// =============================================================================\n// COMMAND INJECTION PATTERNS\n// =============================================================================\nexport const COMMAND_PATTERNS = [\n /\n Shell metacharacters that enable command chaining/substitution.\n * Bare ( and ) are excluded — they appear in common legitimate values\n * (function calls in code fields, math expressions, etc.).\n * Command substitution is caught by the $( combined pattern below.\n * NOTE: ';', '&', '\|' may appear in legitimate URL query strings\n * and Markdown; consider disabling command checking (command: false)\n * for fields that intentionally allow those characters.\n /\n /[;&\|`]/g,\n /* Command substitution: $( ... ) — matched as a pair to reduce false positives /\n /\\$\\(/g,\n /* URL-encoded control characters (%00-%0F): null, tab, vtab, formfeed, LF, CR /\n /%0[0-9a-f]/gi,\n] as const;\n\n// =============================================================================\n// DANGEROUS KEYS\n// =============================================================================\n\n/\n Prototype pollution keys to block.\n * Stored lowercase — always compare with key.toLowerCase().\n \n Includes:\n * - __proto__: direct prototype assignment\n * - constructor: access to constructor.prototype chain\n * - prototype: direct prototype property\n * - __defineGetter__/__defineSetter__: legacy property definition (can override getters/setters)\n * - __lookupGetter__/__lookupSetter__: legacy property introspection\n /\nexport const DANGEROUS_PROTO_KEYS = new Set([\n '__proto__',\n 'constructor',\n 'prototype',\n '__definegetter__',\n '__definesetter__',\n '__lookupgetter__',\n '__lookupsetter__',\n]);\n\n/* MongoDB operators to block /\nexport const NOSQL_DANGEROUS_KEYS = new Set([\n // Comparison\n '$gt', '$gte', '$lt', '$lte', '$ne', '$eq', '$in', '$nin',\n // Logical\n '$and', '$or', '$not', '$nor',\n // Element / evaluation\n '$exists', '$type', '$regex', '$where', '$expr', '$mod', '$text', '$jsonSchema',\n // Array\n '$elemMatch', '$all', '$size',\n // JavaScript execution (critical)\n '$function', '$accumulator',\n // Aggregation pipeline operators (injectable via $lookup etc.)\n '$lookup', '$match', '$project', '$group', '$sort', '$limit', '$skip',\n '$unwind', '$addFields', '$replaceRoot',\n]);\n\n// =============================================================================\n// REDACTION\n// =============================================================================\nexport const REDACTION = {\n /* Replacement text for redacted values /\n REPLACEMENT: '[REDACTED]',\n /* Truncation indicator /\n TRUNCATED: '[TRUNCATED]',\n /* Max depth indicator /\n MAX_DEPTH: '[MAX_DEPTH]',\n /* Default max message length /\n DEFAULT_MAX_LENGTH: 10_000,\n /* Default sensitive keys to redact /\n SENSITIVE_KEYS: new Set([\n 'password', 'passwd', 'pwd', 'secret', 'token', 'apikey',\n 'api_key', 'apiKey', 'auth', 'authorization', 'credit_card',\n 'creditcard', 'cc', 'ssn', 'social_security', 'private_key',\n 'privateKey', 'access_token', 'accessToken', 'refresh_token',\n 'refreshToken', 'bearer', 'jwt', 'session', 'cookie',\n 'credentials', 'x-api-key', 'x-auth-token',\n ]),\n} as const;\n\n// =============================================================================\n// VALIDATION PATTERNS\n// =============================================================================\nexport const VALIDATION = {\n /\n Email regex pattern.\n * Rejects consecutive dots in local part (e.g. test..foo@example.com),\n * leading/trailing dots, and other common invalid forms.\n /\n EMAIL: /^[^\\s@.][^\\s@](?:\\.[^\\s@.][^\\s@])@[^\\s@]+\\.[^\\s@]+$/,\n /*\n URL regex pattern.\n * Only allows http:// and https:// — explicitly rejects javascript:,\n * data:, vbscript:, and other dangerous URI schemes.\n /\n URL: /^https?:\\/\\/[^\\s/$.?#][^\\s]$/,\n /** UUID regex pattern (v4) /\n UUID: /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i,\n} as const;\n\n// =============================================================================\n// ERROR MESSAGES\n// =============================================================================\nexport const ERRORS = {\n /* Generic error message (production) /\n INTERNAL_SERVER_ERROR: 'Internal Server Error',\n /* Input too large error /\n INPUT_TOO_LARGE: (maxSize: number) => `Input exceeds maximum size of ${maxSize} bytes`,\n /* Validation error messages /\n VALIDATION: {\n REQUIRED: (field: string) => `${field} is required`,\n INVALID_TYPE: (field: string, type: string) => `${field} must be a ${type}`,\n MIN_LENGTH: (field: string, min: number) => `${field} must be at least ${min} characters`,\n MAX_LENGTH: (field: string, max: number) => `${field} must be at most ${max} characters`,\n MIN_VALUE: (field: string, min: number) => `${field} must be at least ${min}`,\n MAX_VALUE: (field: string, max: number) => `${field} must be at most ${max}`,\n INVALID_FORMAT: (field: string) => `${field} format is invalid`,\n INVALID_EMAIL: (field: string) => `${field} must be a valid email`,\n INVALID_URL: (field: string) => `${field} must be a valid URL`,\n INVALID_UUID: (field: string) => `${field} must be a valid UUID`,\n INVALID_ENUM: (field: string, values: unknown[]) => `${field} must be one of: ${values.join(', ')}`,\n MIN_ITEMS: (field: string, min: number) => `${field} must have at least ${min} items`,\n MAX_ITEMS: (field: string, max: number) => `${field} must have at most ${max} items`,\n },\n} as const;\n\n// =============================================================================\n// BLOCKED TEXT (for sanitizer replacements)\n// =============================================================================\nexport const BLOCKED = '[BLOCKED]' as const;\n","/\n @module @arcis/node/logging/redactor\n * Safe logging with PII/secret redaction\n /\n\nimport { REDACTION, INPUT } from '../core/constants';\nimport type { LogOptions, SafeLogger } from '../core/types';\n\nconst LOG_LEVELS: Record<string, number> = {\n debug: 0,\n info: 1,\n warn: 2,\n error: 3,\n silent: 4,\n};\n\n/\n Create a safe logger that redacts sensitive data and prevents log injection.\n * \n * @param options - Logger configuration\n * @returns SafeLogger instance\n * \n * @example\n * const logger = createSafeLogger();\n * logger.info('User login', { email: 'user@test.com', password: 'secret' });\n * // Logs: { \"email\": \"user@test.com\", \"password\": \"[REDACTED]\" }\n * \n * @example\n * // With custom redact keys\n * const logger = createSafeLogger({ redactKeys: ['customToken', 'internalId'] });\n /\nexport function createSafeLogger(options: LogOptions = {}): SafeLogger {\n const {\n redactKeys = [],\n maxLength = REDACTION.DEFAULT_MAX_LENGTH,\n redactPatterns = [],\n level: minLevel = 'debug',\n } = options;\n\n const minLevelNum = LOG_LEVELS[minLevel] ?? 0;\n\n // Combine default and custom keys (lowercase for case-insensitive matching)\n const allRedactKeys = new Set([\n ...Array.from(REDACTION.SENSITIVE_KEYS),\n ...redactKeys.map(k => k.toLowerCase()),\n ]);\n\n /\n Redact sensitive data from an object recursively.\n /\n function redact(obj: unknown, depth = 0): unknown {\n if (depth > INPUT.MAX_RECURSION_DEPTH) return REDACTION.MAX_DEPTH;\n if (obj === null \|\| obj === undefined) return obj;\n\n if (typeof obj === 'string') {\n return redactString(obj, maxLength, redactPatterns);\n }\n\n if (typeof obj !== 'object') return obj;\n\n if (Array.isArray(obj)) {\n return obj.map(item => redact(item, depth + 1));\n }\n\n const result: Record<string, unknown> = {};\n for (const [key, value] of Object.entries(obj as Record<string, unknown>)) {\n if (allRedactKeys.has(key.toLowerCase())) {\n result[key] = REDACTION.REPLACEMENT;\n } else {\n result[key] = redact(value, depth + 1);\n }\n }\n return result;\n }\n\n /\n Log a message at the specified level.\n /\n function log(level: string, message: string, data?: unknown): void {\n // Early exit: skip all work if message level is below minimum\n const levelNum = LOG_LEVELS[level] ?? 0;\n if (levelNum < minLevelNum) return;\n\n const entry: Record<string, unknown> = {\n timestamp: new Date().toISOString(),\n level,\n message: redactString(message, maxLength, redactPatterns),\n };\n\n if (data !== undefined) {\n entry.data = redact(data);\n }\n\n console.log(JSON.stringify(entry));\n }\n\n return {\n log,\n info: (msg: string, data?: unknown) => log('info', msg, data),\n warn: (msg: string, data?: unknown) => log('warn', msg, data),\n error: (msg: string, data?: unknown) => log('error', msg, data),\n debug: (msg: string, data?: unknown) => log('debug', msg, data),\n };\n}\n\n/\n Redact a string value.\n * Removes newlines (log injection prevention), applies patterns, and truncates.\n /\nfunction redactString(str: string, maxLength: number, patterns: RegExp[]): string {\n // Remove newlines/tabs (log injection prevention) and genuine control characters.\n // Only strip C0/C1 control chars and null bytes — preserve all printable Unicode\n // (CJK, Cyrillic, Arabic, etc.) so multilingual content isn't silently lost.\n let safe = str\n .replace(/[\\r\\n\\t]/g, ' ')\n .replace(/[\\x00-\\x08\\x0B\\x0C\\x0E-\\x1F\\x7F\\x80-\\x9F]/g, '');\n\n // Apply custom redaction patterns\n for (const pattern of patterns) {\n safe = safe.replace(pattern, REDACTION.REPLACEMENT);\n }\n\n // Truncate if too long\n if (safe.length > maxLength) {\n safe = safe.substring(0, maxLength) + `...${REDACTION.TRUNCATED}`;\n }\n\n return safe;\n}\n\n/\n Create a redactor function for custom use.\n * \n * @param sensitiveKeys - Keys to redact\n * @returns Redactor function\n /\nexport function createRedactor(sensitiveKeys: string[] = []): (obj: unknown) => unknown {\n const allKeys = new Set([\n ...Array.from(REDACTION.SENSITIVE_KEYS),\n ...sensitiveKeys.map(k => k.toLowerCase()),\n ]);\n\n function redact(obj: unknown, depth = 0): unknown {\n if (depth > INPUT.MAX_RECURSION_DEPTH) return REDACTION.MAX_DEPTH;\n if (obj === null \|\| obj === undefined) return obj;\n if (typeof obj !== 'object') return obj;\n\n if (Array.isArray(obj)) {\n return obj.map(item => redact(item, depth + 1));\n }\n\n const result: Record<string, unknown> = {};\n for (const [key, value] of Object.entries(obj as Record<string, unknown>)) {\n if (allKeys.has(key.toLowerCase())) {\n result[key] = REDACTION.REPLACEMENT;\n } else {\n result[key] = redact(value, depth + 1);\n }\n }\n return result;\n }\n\n return redact;\n}\n\n/\n Alias for createSafeLogger\n * @see createSafeLogger\n */\nexport const safeLog = createSafeLogger;\n"]}
1	+ {"version":3,"sources":["../../src/core/constants.ts","../../src/logging/redactor.ts"],"names":[],"mappings":";AAQO,IAAM,KAAA,GAAQ;AAAA,EAED;AAAA,EAElB,mBAAA,EAAqB;AACvB,CAAA;AAiQO,IAAM,SAAA,GAAY;AAAA;AAAA,EAEvB,WAAA,EAAa,YAAA;AAAA;AAAA,EAEb,SAAA,EAAW,aAAA;AAAA;AAAA,EAEX,SAAA,EAAW,aAAA;AAAA;AAAA,EAEX,kBAAA,EAAoB,GAAA;AAAA;AAAA,EAEpB,cAAA,sBAAoB,GAAA,CAAI;AAAA,IACtB,UAAA;AAAA,IAAY,QAAA;AAAA,IAAU,KAAA;AAAA,IAAO,QAAA;AAAA,IAAU,OAAA;AAAA,IAAS,QAAA;AAAA,IAChD,SAAA;AAAA,IAAW,QAAA;AAAA,IAAU,MAAA;AAAA,IAAQ,eAAA;AAAA,IAAiB,aAAA;AAAA,IAC9C,YAAA;AAAA,IAAc,IAAA;AAAA,IAAM,KAAA;AAAA,IAAO,iBAAA;AAAA,IAAmB,aAAA;AAAA,IAC9C,YAAA;AAAA,IAAc,cAAA;AAAA,IAAgB,aAAA;AAAA,IAAe,eAAA;AAAA,IAC7C,cAAA;AAAA,IAAgB,QAAA;AAAA,IAAU,KAAA;AAAA,IAAO,SAAA;AAAA,IAAW,QAAA;AAAA,IAC5C,aAAA;AAAA,IAAe,WAAA;AAAA,IAAa;AAAA,GAC7B;AACH,CAAA;;;ACxRA,IAAM,UAAA,GAAqC;AAAA,EACzC,KAAA,EAAO,CAAA;AAAA,EACP,IAAA,EAAM,CAAA;AAAA,EACN,IAAA,EAAM,CAAA;AAAA,EACN,KAAA,EAAO,CAAA;AAAA,EACP,MAAA,EAAQ;AACV,CAAA;AAiBO,SAAS,gBAAA,CAAiB,OAAA,GAAsB,EAAC,EAAe;AACrE,EAAA,MAAM;AAAA,IACJ,aAAa,EAAC;AAAA,IACd,YAAY,SAAA,CAAU,kBAAA;AAAA,IACtB,iBAAiB,EAAC;AAAA,IAClB,OAAO,QAAA,GAAW;AAAA,GACpB,GAAI,OAAA;AAEJ,EAAA,MAAM,WAAA,GAAc,UAAA,CAAW,QAAQ,CAAA,IAAK,CAAA;AAG5C,EAAA,MAAM,aAAA,uBAAoB,GAAA,CAAI;AAAA,IAC5B,GAAG,KAAA,CAAM,IAAA,CAAK,SAAA,CAAU,cAAc,CAAA;AAAA,IACtC,GAAG,UAAA,CAAW,GAAA,CAAI,CAAA,CAAA,KAAK,CAAA,CAAE,aAAa;AAAA,GACvC,CAAA;AAKD,EAAA,SAAS,MAAA,CAAO,GAAA,EAAc,KAAA,GAAQ,CAAA,EAAY;AAChD,IAAA,IAAI,KAAA,GAAQ,KAAA,CAAM,mBAAA,EAAqB,OAAO,SAAA,CAAU,SAAA;AACxD,IAAA,IAAI,GAAA,KAAQ,IAAA,IAAQ,GAAA,KAAQ,MAAA,EAAW,OAAO,GAAA;AAE9C,IAAA,IAAI,OAAO,QAAQ,QAAA,EAAU;AAC3B,MAAA,OAAO,YAAA,CAAa,GAAA,EAAK,SAAA,EAAW,cAAc,CAAA;AAAA,IACpD;AAEA,IAAA,IAAI,OAAO,GAAA,KAAQ,QAAA,EAAU,OAAO,GAAA;AAEpC,IAAA,IAAI,KAAA,CAAM,OAAA,CAAQ,GAAG,CAAA,EAAG;AACtB,MAAA,OAAO,IAAI,GAAA,CAAI,CAAA,IAAA,KAAQ,OAAO,IAAA,EAAM,KAAA,GAAQ,CAAC,CAAC,CAAA;AAAA,IAChD;AAEA,IAAA,MAAM,SAAkC,EAAC;AACzC,IAAA,KAAA,MAAW,CAAC,GAAA,EAAK,KAAK,KAAK,MAAA,CAAO,OAAA,CAAQ,GAA8B,CAAA,EAAG;AACzE,MAAA,IAAI,aAAA,CAAc,GAAA,CAAI,GAAA,CAAI,WAAA,EAAa,CAAA,EAAG;AACxC,QAAA,MAAA,CAAO,GAAG,IAAI,SAAA,CAAU,WAAA;AAAA,MAC1B,CAAA,MAAO;AACL,QAAA,MAAA,CAAO,GAAG,CAAA,GAAI,MAAA,CAAO,KAAA,EAAO,QAAQ,CAAC,CAAA;AAAA,MACvC;AAAA,IACF;AACA,IAAA,OAAO,MAAA;AAAA,EACT;AAKA,EAAA,SAAS,GAAA,CAAI,KAAA,EAAe,OAAA,EAAiB,IAAA,EAAsB;AAEjE,IAAA,MAAM,QAAA,GAAW,UAAA,CAAW,KAAK,CAAA,IAAK,CAAA;AACtC,IAAA,IAAI,WAAW,WAAA,EAAa;AAE5B,IAAA,MAAM,KAAA,GAAiC;AAAA,MACrC,SAAA,EAAA,iBAAW,IAAI,IAAA,EAAK,EAAE,WAAA,EAAY;AAAA,MAClC,KAAA;AAAA,MACA,OAAA,EAAS,YAAA,CAAa,OAAA,EAAS,SAAA,EAAW,cAAc;AAAA,KAC1D;AAEA,IAAA,IAAI,SAAS,MAAA,EAAW;AACtB,MAAA,KAAA,CAAM,IAAA,GAAO,OAAO,IAAI,CAAA;AAAA,IAC1B;AAEA,IAAA,OAAA,CAAQ,GAAA,CAAI,IAAA,CAAK,SAAA,CAAU,KAAK,CAAC,CAAA;AAAA,EACnC;AAEA,EAAA,OAAO;AAAA,IACL,GAAA;AAAA,IACA,MAAM,CAAC,GAAA,EAAa,SAAmB,GAAA,CAAI,MAAA,EAAQ,KAAK,IAAI,CAAA;AAAA,IAC5D,MAAM,CAAC,GAAA,EAAa,SAAmB,GAAA,CAAI,MAAA,EAAQ,KAAK,IAAI,CAAA;AAAA,IAC5D,OAAO,CAAC,GAAA,EAAa,SAAmB,GAAA,CAAI,OAAA,EAAS,KAAK,IAAI,CAAA;AAAA,IAC9D,OAAO,CAAC,GAAA,EAAa,SAAmB,GAAA,CAAI,OAAA,EAAS,KAAK,IAAI;AAAA,GAChE;AACF;AAMA,SAAS,YAAA,CAAa,GAAA,EAAa,SAAA,EAAmB,QAAA,EAA4B;AAIhF,EAAA,IAAI,IAAA,GAAO,IACR,OAAA,CAAQ,WAAA,EAAa,GAAG,CAAA,CACxB,OAAA,CAAQ,8CAA8C,EAAE,CAAA;AAG3D,EAAA,KAAA,MAAW,WAAW,QAAA,EAAU;AAC9B,IAAA,IAAA,GAAO,IAAA,CAAK,OAAA,CAAQ,OAAA,EAAS,SAAA,CAAU,WAAW,CAAA;AAAA,EACpD;AAGA,EAAA,IAAI,IAAA,CAAK,SAAS,SAAA,EAAW;AAC3B,IAAA,IAAA,GAAO,KAAK,SAAA,CAAU,CAAA,EAAG,SAAS,CAAA,GAAI,CAAA,GAAA,EAAM,UAAU,SAAS,CAAA,CAAA;AAAA,EACjE;AAEA,EAAA,OAAO,IAAA;AACT;AAQO,SAAS,cAAA,CAAe,aAAA,GAA0B,EAAC,EAA8B;AACtF,EAAA,MAAM,OAAA,uBAAc,GAAA,CAAI;AAAA,IACtB,GAAG,KAAA,CAAM,IAAA,CAAK,SAAA,CAAU,cAAc,CAAA;AAAA,IACtC,GAAG,aAAA,CAAc,GAAA,CAAI,CAAA,CAAA,KAAK,CAAA,CAAE,aAAa;AAAA,GAC1C,CAAA;AAED,EAAA,SAAS,MAAA,CAAO,GAAA,EAAc,KAAA,GAAQ,CAAA,EAAY;AAChD,IAAA,IAAI,KAAA,GAAQ,KAAA,CAAM,mBAAA,EAAqB,OAAO,SAAA,CAAU,SAAA;AACxD,IAAA,IAAI,GAAA,KAAQ,IAAA,IAAQ,GAAA,KAAQ,MAAA,EAAW,OAAO,GAAA;AAC9C,IAAA,IAAI,OAAO,GAAA,KAAQ,QAAA,EAAU,OAAO,GAAA;AAEpC,IAAA,IAAI,KAAA,CAAM,OAAA,CAAQ,GAAG,CAAA,EAAG;AACtB,MAAA,OAAO,IAAI,GAAA,CAAI,CAAA,IAAA,KAAQ,OAAO,IAAA,EAAM,KAAA,GAAQ,CAAC,CAAC,CAAA;AAAA,IAChD;AAEA,IAAA,MAAM,SAAkC,EAAC;AACzC,IAAA,KAAA,MAAW,CAAC,GAAA,EAAK,KAAK,KAAK,MAAA,CAAO,OAAA,CAAQ,GAA8B,CAAA,EAAG;AACzE,MAAA,IAAI,OAAA,CAAQ,GAAA,CAAI,GAAA,CAAI,WAAA,EAAa,CAAA,EAAG;AAClC,QAAA,MAAA,CAAO,GAAG,IAAI,SAAA,CAAU,WAAA;AAAA,MAC1B,CAAA,MAAO;AACL,QAAA,MAAA,CAAO,GAAG,CAAA,GAAI,MAAA,CAAO,KAAA,EAAO,QAAQ,CAAC,CAAA;AAAA,MACvC;AAAA,IACF;AACA,IAAA,OAAO,MAAA;AAAA,EACT;AAEA,EAAA,OAAO,MAAA;AACT;AAMO,IAAM,OAAA,GAAU","file":"index.mjs","sourcesContent":["/*\n @module @arcis/node/core/constants\n * Named constants for Arcis - no magic numbers\n /\n\n// =============================================================================\n// INPUT LIMITS\n// =============================================================================\nexport const INPUT = {\n /* Default maximum input size (1MB) /\n DEFAULT_MAX_SIZE: 1_000_000,\n /* Maximum recursion depth for nested objects /\n MAX_RECURSION_DEPTH: 10,\n} as const;\n\n// =============================================================================\n// RATE LIMITING\n// =============================================================================\nexport const RATE_LIMIT = {\n /* Default window size (1 minute) /\n DEFAULT_WINDOW_MS: 60_000,\n /* Default max requests per window /\n DEFAULT_MAX_REQUESTS: 100,\n /* Default HTTP status code for rate limited responses /\n DEFAULT_STATUS_CODE: 429,\n /* Default error message /\n DEFAULT_MESSAGE: 'Too many requests, please try again later.',\n /* Minimum window size (1 second) /\n MIN_WINDOW_MS: 1_000,\n /* Maximum window size (24 hours) /\n MAX_WINDOW_MS: 86_400_000,\n} as const;\n\n// =============================================================================\n// SECURITY HEADERS\n// =============================================================================\nexport const HEADERS = {\n /* Default Content Security Policy /\n DEFAULT_CSP: [\n \"default-src 'self'\",\n \"script-src 'self'\",\n \"style-src 'self' 'unsafe-inline'\",\n \"img-src 'self' data: https:\",\n \"font-src 'self'\",\n \"object-src 'none'\",\n \"frame-ancestors 'none'\",\n ].join('; '),\n /* Default HSTS max age (1 year in seconds) /\n HSTS_MAX_AGE: 31_536_000,\n /* Default X-Frame-Options value /\n FRAME_OPTIONS: 'DENY' as const,\n /* Default X-Content-Type-Options value /\n CONTENT_TYPE_OPTIONS: 'nosniff',\n /* Default Referrer-Policy value /\n REFERRER_POLICY: 'strict-origin-when-cross-origin',\n /* Default Permissions-Policy value /\n PERMISSIONS_POLICY: 'geolocation=(), microphone=(), camera=()',\n /* Default Cache-Control value for security /\n CACHE_CONTROL: 'no-store, no-cache, must-revalidate, proxy-revalidate',\n} as const;\n\n// =============================================================================\n// XSS PATTERNS (ReDoS-safe)\n// =============================================================================\n\n/\n Detection patterns — used to flag whether a string contains XSS payloads.\n * Must stay in sync with XSS_REMOVE_PATTERNS below.\n /\nexport const XSS_PATTERNS = [\n /* Script tags (ReDoS-safe version) /\n /<script[^>]>[\\s\\S]?<\\/script>/gi,\n /* javascript: protocol (allow optional spaces before colon) /\n /javascript\\s:/gi,\n /** vbscript: protocol /\n /vbscript\\s:/gi,\n /** Event handlers (onclick, onerror, etc.) — any separator before attribute /\n /(?:[\\s/])on\\w+\\s=/gi,\n /** iframe tags /\n /<iframe/gi,\n /* object tags /\n /<object/gi,\n /* embed tags /\n /<embed/gi,\n /* data: URIs (only dangerous ones, avoid false positives) /\n /(?:^\|[\\s\"'=])data:/gi,\n /* URL-encoded script tags /\n /%3Cscript/gi,\n /* SVG with onload /\n /<svg[^>]onload/gi,\n /** form tags — phishing/credential harvesting via action= redirection /\n /<form[\\s>]/gi,\n /* meta tags — http-equiv refresh redirects or CSP bypass /\n /<meta[\\s>]/gi,\n /* base href hijacking — redirects all relative URLs to attacker domain /\n /<base[\\s>]/gi,\n /* link tag injection — stylesheet or preload CSRF attacks /\n /<link[\\s>]/gi,\n /* style tag — CSS expression() / behavior: / IE-era attacks. Mirrors\n * Python's xss-style-tag from packages/core/patterns.json. /\n /<style[\\s>]/gi,\n] as const;\n\n/\n Removal patterns — used by sanitizeXss() to strip dangerous content.\n * More targeted than XSS_PATTERNS: each pattern captures the full dangerous\n * substring (tag, attribute + value, protocol) so it can be replaced safely.\n * Must stay in sync with XSS_PATTERNS above.\n /\nexport const XSS_REMOVE_PATTERNS = [\n /* Full script blocks (content + tags) /\n /<script[^>]>[\\s\\S]?<\\/script>/gi,\n /* Standalone/unclosed script tags /\n /<script[^>]>/gi,\n /** style — CSS expression() and behavior: attacks (IE-era but still relevant) /\n /<style[^>]>[\\s\\S]?<\\/style>/gi,\n /<style[^>]/gi,\n /** iframe — full block and partial/unclosed /\n /<iframe[^>]>[\\s\\S]?<\\/iframe>/gi,\n /<iframe[^>]/gi,\n /** object — full block and partial/unclosed /\n /<object[^>]>[\\s\\S]?<\\/object>/gi,\n /<object[^>]/gi,\n /** embed tags /\n /<embed[^>]/gi,\n /** SVG with inline event handlers /\n /<svg[^>]onload[^>]>/gi,\n /* URL-encoded script tags /\n /%3Cscript/gi,\n /* Event handlers with quoted values: onclick=\"...\", onerror='...' /\n /(?:[\\s/])on\\w+\\s=\\s[\"'][^\"'][\"']/gi,\n /** Event handlers with unquoted values: onload=value /\n /(?:[\\s/])on\\w+\\s=\\s[^\\s>]/gi,\n /** javascript: and vbscript: protocols (allow optional spaces before colon) /\n /javascript\\s:/gi,\n /vbscript\\s:/gi,\n /* data: URIs with HTML/script content /\n /data\\s:\\stext\\/html[^>\\s]/gi,\n /** form tag injection — phishing via action= redirection /\n /<form[\\s>][^>]/gi,\n /** meta tag injection — http-equiv refresh or CSP bypass /\n /<meta[\\s>][^>]/gi,\n /** base href hijacking /\n /<base[\\s>][^>]/gi,\n /** link tag injection — stylesheet or preload attacks /\n /<link[\\s>][^>]/gi,\n] as const;\n\n// =============================================================================\n// SQL INJECTION PATTERNS\n// =============================================================================\nexport const SQL_PATTERNS = [\n /** SQL keywords /\n /(\\b(SELECT\|INSERT\|UPDATE\|DELETE\|DROP\|UNION\|ALTER\|CREATE\|TRUNCATE\|EXEC\|EXECUTE)\\b)/gi,\n /* SQL comments: ANSI (--), C-style (slash-star ... star-slash), MySQL (#) /\n /(--\|\\/\\\|\\\\/\|#)/g,\n /* SQL statement separators /\n /(;\|\\\|\\\|\|&&)/g,\n /* Boolean injection: OR 1=1 /\n /\\bOR\\s+\\d+\\s=\\s\\d+/gi,\n /* Boolean injection: OR 'a'='a' or OR \"a\"=\"a\" (including mixed quotes) /\n /\\bOR\\s+(['\"])[^'\"]\\1\\s=\\s(['\"])[^'\"]\\2/gi,\n /\\bOR\\s+('[^']'\|\"[^\"]\")\\s=\\s('[^']'\|\"[^\"]\")/gi,\n /* Boolean injection: AND 1=1 /\n /\\bAND\\s+\\d+\\s=\\s\\d+/gi,\n /* Boolean injection: AND 'a'='a' or AND \"a\"=\"a\" (including mixed quotes) /\n /\\bAND\\s+(['\"])[^'\"]\\1\\s=\\s(['\"])[^'\"]\\2/gi,\n /\\bAND\\s+('[^']'\|\"[^\"]\")\\s=\\s('[^']'\|\"[^\"]\")/gi,\n /* Time-based blind: SLEEP() /\n /\\bSLEEP\\s\$\\s\\d+\\s\$/gi,\n /** Time-based blind: BENCHMARK() /\n /\\bBENCHMARK\\s\\(/gi,\n /** Time-based blind: PostgreSQL pg_sleep() /\n /\\bpg_sleep\\s\\(/gi,\n /** Time-based blind: MSSQL WAITFOR DELAY /\n /\\bWAITFOR\\s+DELAY\\b/gi,\n] as const;\n\n// =============================================================================\n// PATH TRAVERSAL PATTERNS\n// =============================================================================\nexport const PATH_PATTERNS = [\n /* Unix path traversal /\n /\\.\\.\\//g,\n /* Windows path traversal /\n /\\.\\.\\\\/g,\n /* URL-encoded traversal (%2e%2e) /\n /%2e%2e/gi,\n /* Double URL-encoded traversal (%252e) /\n /%252e/gi,\n /* Mixed encoding: ..%2F /\n /\\.\\.%2F/gi,\n /* Mixed encoding: %2e./ and .%2e/ /\n /%2e\\.[\\\\/]/gi,\n /\\.%2e[\\\\/]/gi,\n /* Fully URL-encoded: %2e%2e%2f /\n /%2e%2e%2f/gi,\n /* Double URL-encoded forward slash: %252f /\n /%252f/gi,\n /* Dotdotslash bypass: ....// or ....\\\\ /\n /\\.{2,}[/\\\\]{2,}/g,\n /* Null byte injection in paths /\n /\\0/g,\n] as const;\n\n// =============================================================================\n// COMMAND INJECTION PATTERNS\n// =============================================================================\nexport const COMMAND_PATTERNS = [\n /\n Shell metacharacters that enable command chaining/substitution.\n * Bare ( and ) are excluded — they appear in common legitimate values\n * (function calls in code fields, math expressions, etc.).\n * Command substitution is caught by the $( combined pattern below.\n * NOTE: ';', '&', '\|' may appear in legitimate URL query strings\n * and Markdown; consider disabling command checking (command: false)\n * for fields that intentionally allow those characters.\n /\n /[;&\|`]/g,\n /* Command substitution: $( ... ) — matched as a pair to reduce false positives /\n /\\$\\(/g,\n /* URL-encoded control characters (%00-%0F): null, tab, vtab, formfeed, LF, CR /\n /%0[0-9a-f]/gi,\n] as const;\n\n// =============================================================================\n// DANGEROUS KEYS\n// =============================================================================\n\n/\n Prototype pollution keys to block.\n * Stored lowercase — always compare with key.toLowerCase().\n \n Includes:\n * - __proto__: direct prototype assignment\n * - constructor: access to constructor.prototype chain\n * - prototype: direct prototype property\n * - __defineGetter__/__defineSetter__: legacy property definition (can override getters/setters)\n * - __lookupGetter__/__lookupSetter__: legacy property introspection\n /\nexport const DANGEROUS_PROTO_KEYS = new Set([\n '__proto__',\n 'constructor',\n 'prototype',\n '__definegetter__',\n '__definesetter__',\n '__lookupgetter__',\n '__lookupsetter__',\n]);\n\n/* MongoDB operators to block /\nexport const NOSQL_DANGEROUS_KEYS = new Set([\n // Comparison\n '$gt', '$gte', '$lt', '$lte', '$ne', '$eq', '$in', '$nin',\n // Logical\n '$and', '$or', '$not', '$nor',\n // Element / evaluation\n '$exists', '$type', '$regex', '$where', '$expr', '$mod', '$text', '$jsonSchema',\n // Array\n '$elemMatch', '$all', '$size',\n // JavaScript execution (critical)\n '$function', '$accumulator',\n // Aggregation pipeline operators (injectable via $lookup etc.)\n '$lookup', '$match', '$project', '$group', '$sort', '$limit', '$skip',\n '$unwind', '$addFields', '$replaceRoot',\n]);\n\n// =============================================================================\n// REDACTION\n// =============================================================================\nexport const REDACTION = {\n /* Replacement text for redacted values /\n REPLACEMENT: '[REDACTED]',\n /* Truncation indicator /\n TRUNCATED: '[TRUNCATED]',\n /* Max depth indicator /\n MAX_DEPTH: '[MAX_DEPTH]',\n /* Default max message length /\n DEFAULT_MAX_LENGTH: 10_000,\n /* Default sensitive keys to redact /\n SENSITIVE_KEYS: new Set([\n 'password', 'passwd', 'pwd', 'secret', 'token', 'apikey',\n 'api_key', 'apiKey', 'auth', 'authorization', 'credit_card',\n 'creditcard', 'cc', 'ssn', 'social_security', 'private_key',\n 'privateKey', 'access_token', 'accessToken', 'refresh_token',\n 'refreshToken', 'bearer', 'jwt', 'session', 'cookie',\n 'credentials', 'x-api-key', 'x-auth-token',\n ]),\n} as const;\n\n// =============================================================================\n// VALIDATION PATTERNS\n// =============================================================================\nexport const VALIDATION = {\n /\n Email regex pattern.\n * Rejects consecutive dots in local part (e.g. test..foo@example.com),\n * leading/trailing dots, and other common invalid forms.\n /\n EMAIL: /^[^\\s@.][^\\s@](?:\\.[^\\s@.][^\\s@])@[^\\s@]+\\.[^\\s@]+$/,\n /*\n URL regex pattern.\n * Only allows http:// and https:// — explicitly rejects javascript:,\n * data:, vbscript:, and other dangerous URI schemes.\n /\n URL: /^https?:\\/\\/[^\\s/$.?#][^\\s]$/,\n /** UUID regex pattern (v4) /\n UUID: /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i,\n} as const;\n\n// =============================================================================\n// ERROR MESSAGES\n// =============================================================================\nexport const ERRORS = {\n /* Generic error message (production) /\n INTERNAL_SERVER_ERROR: 'Internal Server Error',\n /* Input too large error /\n INPUT_TOO_LARGE: (maxSize: number) => `Input exceeds maximum size of ${maxSize} bytes`,\n /* Validation error messages /\n VALIDATION: {\n REQUIRED: (field: string) => `${field} is required`,\n INVALID_TYPE: (field: string, type: string) => `${field} must be a ${type}`,\n MIN_LENGTH: (field: string, min: number) => `${field} must be at least ${min} characters`,\n MAX_LENGTH: (field: string, max: number) => `${field} must be at most ${max} characters`,\n MIN_VALUE: (field: string, min: number) => `${field} must be at least ${min}`,\n MAX_VALUE: (field: string, max: number) => `${field} must be at most ${max}`,\n INVALID_FORMAT: (field: string) => `${field} format is invalid`,\n INVALID_EMAIL: (field: string) => `${field} must be a valid email`,\n INVALID_URL: (field: string) => `${field} must be a valid URL`,\n INVALID_UUID: (field: string) => `${field} must be a valid UUID`,\n INVALID_ENUM: (field: string, values: unknown[]) => `${field} must be one of: ${values.join(', ')}`,\n MIN_ITEMS: (field: string, min: number) => `${field} must have at least ${min} items`,\n MAX_ITEMS: (field: string, max: number) => `${field} must have at most ${max} items`,\n },\n} as const;\n\n// =============================================================================\n// BLOCKED TEXT (for sanitizer replacements)\n// =============================================================================\nexport const BLOCKED = '[BLOCKED]' as const;\n","/\n @module @arcis/node/logging/redactor\n * Safe logging with PII/secret redaction\n /\n\nimport { REDACTION, INPUT } from '../core/constants';\nimport type { LogOptions, SafeLogger } from '../core/types';\n\nconst LOG_LEVELS: Record<string, number> = {\n debug: 0,\n info: 1,\n warn: 2,\n error: 3,\n silent: 4,\n};\n\n/\n Create a safe logger that redacts sensitive data and prevents log injection.\n * \n * @param options - Logger configuration\n * @returns SafeLogger instance\n * \n * @example\n * const logger = createSafeLogger();\n * logger.info('User login', { email: 'user@test.com', password: 'secret' });\n * // Logs: { \"email\": \"user@test.com\", \"password\": \"[REDACTED]\" }\n * \n * @example\n * // With custom redact keys\n * const logger = createSafeLogger({ redactKeys: ['customToken', 'internalId'] });\n /\nexport function createSafeLogger(options: LogOptions = {}): SafeLogger {\n const {\n redactKeys = [],\n maxLength = REDACTION.DEFAULT_MAX_LENGTH,\n redactPatterns = [],\n level: minLevel = 'debug',\n } = options;\n\n const minLevelNum = LOG_LEVELS[minLevel] ?? 0;\n\n // Combine default and custom keys (lowercase for case-insensitive matching)\n const allRedactKeys = new Set([\n ...Array.from(REDACTION.SENSITIVE_KEYS),\n ...redactKeys.map(k => k.toLowerCase()),\n ]);\n\n /\n Redact sensitive data from an object recursively.\n /\n function redact(obj: unknown, depth = 0): unknown {\n if (depth > INPUT.MAX_RECURSION_DEPTH) return REDACTION.MAX_DEPTH;\n if (obj === null \|\| obj === undefined) return obj;\n\n if (typeof obj === 'string') {\n return redactString(obj, maxLength, redactPatterns);\n }\n\n if (typeof obj !== 'object') return obj;\n\n if (Array.isArray(obj)) {\n return obj.map(item => redact(item, depth + 1));\n }\n\n const result: Record<string, unknown> = {};\n for (const [key, value] of Object.entries(obj as Record<string, unknown>)) {\n if (allRedactKeys.has(key.toLowerCase())) {\n result[key] = REDACTION.REPLACEMENT;\n } else {\n result[key] = redact(value, depth + 1);\n }\n }\n return result;\n }\n\n /\n Log a message at the specified level.\n /\n function log(level: string, message: string, data?: unknown): void {\n // Early exit: skip all work if message level is below minimum\n const levelNum = LOG_LEVELS[level] ?? 0;\n if (levelNum < minLevelNum) return;\n\n const entry: Record<string, unknown> = {\n timestamp: new Date().toISOString(),\n level,\n message: redactString(message, maxLength, redactPatterns),\n };\n\n if (data !== undefined) {\n entry.data = redact(data);\n }\n\n console.log(JSON.stringify(entry));\n }\n\n return {\n log,\n info: (msg: string, data?: unknown) => log('info', msg, data),\n warn: (msg: string, data?: unknown) => log('warn', msg, data),\n error: (msg: string, data?: unknown) => log('error', msg, data),\n debug: (msg: string, data?: unknown) => log('debug', msg, data),\n };\n}\n\n/\n Redact a string value.\n * Removes newlines (log injection prevention), applies patterns, and truncates.\n /\nfunction redactString(str: string, maxLength: number, patterns: RegExp[]): string {\n // Remove newlines/tabs (log injection prevention) and genuine control characters.\n // Only strip C0/C1 control chars and null bytes — preserve all printable Unicode\n // (CJK, Cyrillic, Arabic, etc.) so multilingual content isn't silently lost.\n let safe = str\n .replace(/[\\r\\n\\t]/g, ' ')\n .replace(/[\\x00-\\x08\\x0B\\x0C\\x0E-\\x1F\\x7F\\x80-\\x9F]/g, '');\n\n // Apply custom redaction patterns\n for (const pattern of patterns) {\n safe = safe.replace(pattern, REDACTION.REPLACEMENT);\n }\n\n // Truncate if too long\n if (safe.length > maxLength) {\n safe = safe.substring(0, maxLength) + `...${REDACTION.TRUNCATED}`;\n }\n\n return safe;\n}\n\n/\n Create a redactor function for custom use.\n * \n * @param sensitiveKeys - Keys to redact\n * @returns Redactor function\n /\nexport function createRedactor(sensitiveKeys: string[] = []): (obj: unknown) => unknown {\n const allKeys = new Set([\n ...Array.from(REDACTION.SENSITIVE_KEYS),\n ...sensitiveKeys.map(k => k.toLowerCase()),\n ]);\n\n function redact(obj: unknown, depth = 0): unknown {\n if (depth > INPUT.MAX_RECURSION_DEPTH) return REDACTION.MAX_DEPTH;\n if (obj === null \|\| obj === undefined) return obj;\n if (typeof obj !== 'object') return obj;\n\n if (Array.isArray(obj)) {\n return obj.map(item => redact(item, depth + 1));\n }\n\n const result: Record<string, unknown> = {};\n for (const [key, value] of Object.entries(obj as Record<string, unknown>)) {\n if (allKeys.has(key.toLowerCase())) {\n result[key] = REDACTION.REPLACEMENT;\n } else {\n result[key] = redact(value, depth + 1);\n }\n }\n return result;\n }\n\n return redact;\n}\n\n/\n Alias for createSafeLogger\n * @see createSafeLogger\n */\nexport const safeLog = createSafeLogger;\n"]}

package/dist/middleware/bot-detection.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"bot-detection.d.ts","sourceRoot":"","sources":["../../src/middleware/bot-detection.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAEH,OAAO,KAAK,EAAE,OAAO,EAAE,QAAQ,EAAgB,cAAc,EAAE,MAAM,SAAS,CAAC;AAM/E,MAAM,MAAM,WAAW,GACnB,eAAe,GACf,QAAQ,GACR,YAAY,GACZ,YAAY,GACZ,SAAS,GACT,WAAW,GACX,SAAS,GACT,OAAO,CAAC;AAEZ,MAAM,WAAW,kBAAkB;IACjC,mDAAmD;IACnD,KAAK,EAAE,OAAO,CAAC;IACf,mBAAmB;IACnB,QAAQ,EAAE,WAAW,CAAC;IACtB,0DAA0D;IAC1D,IAAI,EAAE,MAAM,GAAG,IAAI,CAAC;IACpB,4BAA4B;IAC5B,UAAU,EAAE,MAAM,CAAC;IACnB,kCAAkC;IAClC,OAAO,EAAE,MAAM,EAAE,CAAC;CACnB;AAED,MAAM,WAAW,oBAAoB;IACnC,yFAAyF;IACzF,KAAK,CAAC,EAAE,WAAW,EAAE,CAAC;IACtB,4DAA4D;IAC5D,IAAI,CAAC,EAAE,WAAW,EAAE,CAAC;IACrB,mEAAmE;IACnE,aAAa,CAAC,EAAE,OAAO,GAAG,MAAM,CAAC;IACjC,qDAAqD;IACrD,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,oCAAoC;IACpC,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,wDAAwD;IACxD,cAAc,CAAC,EAAE,OAAO,CAAC;IACzB,4EAA4E;IAC5E,UAAU,CAAC,EAAE,CAAC,GAAG,EAAE,OAAO,EAAE,GAAG,EAAE,QAAQ,EAAE,MAAM,EAAE,kBAAkB,KAAK,IAAI,CAAC;CAChF;AA4JD;;;;;;;;;;;GAWG;AACH,wBAAgB,SAAS,CAAC,GAAG,EAAE,OAAO,GAAG,kBAAkB,CA8D1D;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;GA0BG;AACH,wBAAgB,aAAa,CAAC,OAAO,GAAE,oBAAyB,GAAG,cAAc,~~CAgDhF~~"}
1	+ {"version":3,"file":"bot-detection.d.ts","sourceRoot":"","sources":["../../src/middleware/bot-detection.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAEH,OAAO,KAAK,EAAE,OAAO,EAAE,QAAQ,EAAgB,cAAc,EAAE,MAAM,SAAS,CAAC;AAM/E,MAAM,MAAM,WAAW,GACnB,eAAe,GACf,QAAQ,GACR,YAAY,GACZ,YAAY,GACZ,SAAS,GACT,WAAW,GACX,SAAS,GACT,OAAO,CAAC;AAEZ,MAAM,WAAW,kBAAkB;IACjC,mDAAmD;IACnD,KAAK,EAAE,OAAO,CAAC;IACf,mBAAmB;IACnB,QAAQ,EAAE,WAAW,CAAC;IACtB,0DAA0D;IAC1D,IAAI,EAAE,MAAM,GAAG,IAAI,CAAC;IACpB,4BAA4B;IAC5B,UAAU,EAAE,MAAM,CAAC;IACnB,kCAAkC;IAClC,OAAO,EAAE,MAAM,EAAE,CAAC;CACnB;AAED,MAAM,WAAW,oBAAoB;IACnC,yFAAyF;IACzF,KAAK,CAAC,EAAE,WAAW,EAAE,CAAC;IACtB,4DAA4D;IAC5D,IAAI,CAAC,EAAE,WAAW,EAAE,CAAC;IACrB,mEAAmE;IACnE,aAAa,CAAC,EAAE,OAAO,GAAG,MAAM,CAAC;IACjC,qDAAqD;IACrD,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,oCAAoC;IACpC,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,wDAAwD;IACxD,cAAc,CAAC,EAAE,OAAO,CAAC;IACzB,4EAA4E;IAC5E,UAAU,CAAC,EAAE,CAAC,GAAG,EAAE,OAAO,EAAE,GAAG,EAAE,QAAQ,EAAE,MAAM,EAAE,kBAAkB,KAAK,IAAI,CAAC;CAChF;AA4JD;;;;;;;;;;;GAWG;AACH,wBAAgB,SAAS,CAAC,GAAG,EAAE,OAAO,GAAG,kBAAkB,CA8D1D;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;GA0BG;AACH,wBAAgB,aAAa,CAAC,OAAO,GAAE,oBAAyB,GAAG,cAAc,CA+DhF"}

package/dist/middleware/csrf.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"csrf.d.ts","sourceRoot":"","sources":["../../src/middleware/csrf.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAGH,OAAO,KAAK,EAAE,OAAO,EAAE,QAAQ,EAAE,YAAY,EAAE,cAAc,EAAE,MAAM,SAAS,CAAC;AAE/E,oCAAoC;AACpC,MAAM,WAAW,WAAW;IAC1B,uDAAuD;IACvD,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,kEAAkE;IAClE,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,+DAA+D;IAC/D,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,8DAA8D;IAC9D,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,2EAA2E;IAC3E,gBAAgB,CAAC,EAAE,MAAM,EAAE,CAAC;IAC5B,kEAAkE;IAClE,YAAY,CAAC,EAAE,MAAM,EAAE,CAAC;IACxB;;;;;;OAMG;IACH,QAAQ,CAAC,EAAE,CAAC,GAAG,EAAE,OAAO,KAAK,OAAO,CAAC;IACrC;;;;;OAKG;IACH,aAAa,CAAC,EAAE,OAAO,CAAC;IACxB,qBAAqB;IACrB,MAAM,CAAC,EAAE;QACP,gCAAgC;QAChC,IAAI,CAAC,EAAE,MAAM,CAAC;QACd,gFAAgF;QAChF,QAAQ,CAAC,EAAE,OAAO,CAAC;QACnB,4DAA4D;QAC5D,MAAM,CAAC,EAAE,OAAO,CAAC;QACjB,yCAAyC;QACzC,QAAQ,CAAC,EAAE,QAAQ,GAAG,KAAK,GAAG,MAAM,CAAC;QACrC,oBAAoB;QACpB,MAAM,CAAC,EAAE,MAAM,CAAC;KACjB,CAAC;IACF,sDAAsD;IACtD,OAAO,CAAC,EAAE,CAAC,GAAG,EAAE,OAAO,EAAE,GAAG,EAAE,QAAQ,EAAE,IAAI,EAAE,YAAY,KAAK,IAAI,CAAC;IACpE;;;;;;;;OAQG;IACH,WAAW,CAAC,EAAE,OAAO,CAAC;CACvB;AAUD;;;;;;;;GAQG;AACH,wBAAgB,iBAAiB,CAAC,MAAM,GAAE,MAAW,GAAG,MAAM,CAE7D;AAED;;;;;;GAMG;AACH,wBAAgB,iBAAiB,CAAC,WAAW,EAAE,MAAM,EAAE,YAAY,EAAE,MAAM,GAAG,OAAO,CAQpF;AAsBD;;;;;;;;;;;;;;;;;;;;;;;;;;;GA2BG;AACH,wBAAgB,cAAc,CAAC,OAAO,GAAE,WAAgB,GAAG,cAAc,~~CAyFxE~~;AAsDD,+BAA+B;AAC/B,eAAO,MAAM,UAAU,uBAAiB,CAAC"}
1	+ {"version":3,"file":"csrf.d.ts","sourceRoot":"","sources":["../../src/middleware/csrf.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAGH,OAAO,KAAK,EAAE,OAAO,EAAE,QAAQ,EAAE,YAAY,EAAE,cAAc,EAAE,MAAM,SAAS,CAAC;AAE/E,oCAAoC;AACpC,MAAM,WAAW,WAAW;IAC1B,uDAAuD;IACvD,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,kEAAkE;IAClE,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,+DAA+D;IAC/D,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,8DAA8D;IAC9D,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,2EAA2E;IAC3E,gBAAgB,CAAC,EAAE,MAAM,EAAE,CAAC;IAC5B,kEAAkE;IAClE,YAAY,CAAC,EAAE,MAAM,EAAE,CAAC;IACxB;;;;;;OAMG;IACH,QAAQ,CAAC,EAAE,CAAC,GAAG,EAAE,OAAO,KAAK,OAAO,CAAC;IACrC;;;;;OAKG;IACH,aAAa,CAAC,EAAE,OAAO,CAAC;IACxB,qBAAqB;IACrB,MAAM,CAAC,EAAE;QACP,gCAAgC;QAChC,IAAI,CAAC,EAAE,MAAM,CAAC;QACd,gFAAgF;QAChF,QAAQ,CAAC,EAAE,OAAO,CAAC;QACnB,4DAA4D;QAC5D,MAAM,CAAC,EAAE,OAAO,CAAC;QACjB,yCAAyC;QACzC,QAAQ,CAAC,EAAE,QAAQ,GAAG,KAAK,GAAG,MAAM,CAAC;QACrC,oBAAoB;QACpB,MAAM,CAAC,EAAE,MAAM,CAAC;KACjB,CAAC;IACF,sDAAsD;IACtD,OAAO,CAAC,EAAE,CAAC,GAAG,EAAE,OAAO,EAAE,GAAG,EAAE,QAAQ,EAAE,IAAI,EAAE,YAAY,KAAK,IAAI,CAAC;IACpE;;;;;;;;OAQG;IACH,WAAW,CAAC,EAAE,OAAO,CAAC;CACvB;AAUD;;;;;;;;GAQG;AACH,wBAAgB,iBAAiB,CAAC,MAAM,GAAE,MAAW,GAAG,MAAM,CAE7D;AAED;;;;;;GAMG;AACH,wBAAgB,iBAAiB,CAAC,WAAW,EAAE,MAAM,EAAE,YAAY,EAAE,MAAM,GAAG,OAAO,CAQpF;AAsBD;;;;;;;;;;;;;;;;;;;;;;;;;;;GA2BG;AACH,wBAAgB,cAAc,CAAC,OAAO,GAAE,WAAgB,GAAG,cAAc,CAiGxE;AAsDD,+BAA+B;AAC/B,eAAO,MAAM,UAAU,uBAAiB,CAAC"}

package/dist/middleware/index.js CHANGED Viewed

@@ -44,6 +44,39 @@ var HEADERS = {
   /** Default Cache-Control value for security */
   CACHE_CONTROL: "no-store, no-cache, must-revalidate, proxy-revalidate"
 };
+var XSS_PATTERNS = [
+  /** Script tags (ReDoS-safe version) */
+  /<script[^>]*>[\s\S]*?<\/script>/gi,
+  /** javascript: protocol (allow optional spaces before colon) */
+  /javascript\s*:/gi,
+  /** vbscript: protocol */
+  /vbscript\s*:/gi,
+  /** Event handlers (onclick, onerror, etc.) — any separator before attribute */
+  /(?:[\s/])on\w+\s*=/gi,
+  /** iframe tags */
+  /<iframe/gi,
+  /** object tags */
+  /<object/gi,
+  /** embed tags */
+  /<embed/gi,
+  /** data: URIs (only dangerous ones, avoid false positives) */
+  /(?:^|[\s"'=])data:/gi,
+  /** URL-encoded script tags */
+  /%3Cscript/gi,
+  /** SVG with onload */
+  /<svg[^>]*onload/gi,
+  /** form tags — phishing/credential harvesting via action= redirection */
+  /<form[\s>]/gi,
+  /** meta tags — http-equiv refresh redirects or CSP bypass */
+  /<meta[\s>]/gi,
+  /** base href hijacking — redirects all relative URLs to attacker domain */
+  /<base[\s>]/gi,
+  /** link tag injection — stylesheet or preload CSRF attacks */
+  /<link[\s>]/gi,
+  /** style tag — CSS expression() / behavior: / IE-era attacks. Mirrors
+   *  Python's xss-style-tag from packages/core/patterns.json. */
+  /<style[\s>]/gi
+];
 var XSS_REMOVE_PATTERNS = [
   /** Full script blocks (content + tags) */
   /<script[^>]*>[\s\S]*?<\/script>/gi,
@@ -681,6 +714,20 @@ function sanitizeXss(input, collectThreats = false, htmlEncode = false) {
   }
   return value;
 }
+function detectXss(input) {
+  if (typeof input !== "string") return false;
+  if (/\s+on\w+\s*=/i.test(input)) return true;
+  if (/javascript\s*:/i.test(input)) return true;
+  if (/vbscript\s*:/i.test(input)) return true;
+  if (/data\s*:\s*text\/html/i.test(input)) return true;
+  for (const pattern of XSS_PATTERNS) {
+    pattern.lastIndex = 0;
+    if (pattern.test(input)) {
+      return true;
+    }
+  }
+  return false;
+}
 // src/sanitizers/sql.ts
 function sanitizeSql(input, collectThreats = false) {
@@ -764,6 +811,17 @@ function sanitizePath(input, collectThreats = false) {
   }
   return value;
 }
+function detectPathTraversal(input) {
+  if (typeof input !== "string") return false;
+  const normalized = input.normalize("NFKC");
+  for (const pattern of PATH_PATTERNS) {
+    pattern.lastIndex = 0;
+    if (pattern.test(normalized)) {
+      return true;
+    }
+  }
+  return false;
+}
 // src/sanitizers/command.ts
 function sanitizeCommand(input, collectThreats = false) {
@@ -809,6 +867,60 @@ function detectCommandInjection(input) {
   return false;
 }
+// src/sanitizers/ssti.ts
+var SSTI_DETECT_PATTERNS = [
+  /** Jinja2 / Twig / Nunjucks: {{ ... }} */
+  /\{\{.*?\}\}/g,
+  /** Freemarker / Thymeleaf / Spring EL: ${ ... } */
+  /\$\{.*?\}/g,
+  /** ERB / EJS: <%= ... %> or <% ... %> */
+  /<%[=\-]?.*?%>/gs,
+  /** Pug / Jade / Slim: #{ ... } */
+  /#\{.*?\}/g,
+  /** Python dunder sandbox escape */
+  /__(?:class|mro|subclasses|globals|builtins|import)__/gi,
+  /** Jinja2 config leak: {{config.X}} or {{config['X']}} */
+  /\{\{\s*config[.\[]/gi,
+  /** Jinja2 built-in objects */
+  /\{\{\s*(?:self|request|lipsum|cycler|joiner|namespace|range)\b/gi
+];
+function detectSsti(input) {
+  if (typeof input !== "string") return false;
+  for (const pattern of SSTI_DETECT_PATTERNS) {
+    pattern.lastIndex = 0;
+    if (pattern.test(input)) {
+      return true;
+    }
+  }
+  return false;
+}
+// src/sanitizers/xxe.ts
+var XXE_DETECT_PATTERNS = [
+  /** DOCTYPE declaration */
+  /<!DOCTYPE\b/gi,
+  /** ENTITY declaration */
+  /<!ENTITY\b/gi,
+  /** SYSTEM keyword with URI */
+  /\bSYSTEM\s+["']/gi,
+  /** PUBLIC keyword with URI */
+  /\bPUBLIC\s+["']/gi,
+  /** Parameter entity reference (%entity;) */
+  /%\s*\w+\s*;/g,
+  /** CDATA section (often used to smuggle payloads) */
+  /<!\[CDATA\[/gi
+];
+function detectXxe(input) {
+  if (typeof input !== "string") return false;
+  for (const pattern of XXE_DETECT_PATTERNS) {
+    pattern.lastIndex = 0;
+    if (pattern.test(input)) {
+      return true;
+    }
+  }
+  return false;
+}
 // src/sanitizers/sanitize.ts
 function sanitizeString(value, options = {}) {
   if (typeof value !== "string") return value;
@@ -878,9 +990,73 @@ function sanitizeObjectDepth(obj, options, depth) {
   }
   return result;
 }
+function scanThreats(data, depth = 0) {
+  if (depth > INPUT.MAX_RECURSION_DEPTH) return null;
+  if (data && typeof data === "object" && !Array.isArray(data)) {
+    for (const key of Object.keys(data)) {
+      const lower = key.toLowerCase();
+      if (DANGEROUS_PROTO_KEYS.has(lower)) {
+        return { vector: "prototype", rule: "prototype/match", matchedPattern: key };
+      }
+      if (NOSQL_DANGEROUS_KEYS.has(key)) {
+        return { vector: "nosql", rule: "nosql/match", matchedPattern: key };
+      }
+      const inner = scanThreats(data[key], depth + 1);
+      if (inner) return inner;
+    }
+    return null;
+  }
+  if (Array.isArray(data)) {
+    for (const item of data) {
+      const inner = scanThreats(item, depth + 1);
+      if (inner) return inner;
+    }
+    return null;
+  }
+  if (typeof data !== "string") return null;
+  const sample = data.slice(0, 80);
+  if (detectXss(data)) {
+    return { vector: "xss", rule: "xss/match", matchedPattern: sample };
+  }
+  if (detectSsti(data)) {
+    return { vector: "ssti", rule: "ssti/match", matchedPattern: sample };
+  }
+  if (detectXxe(data)) {
+    return { vector: "xxe", rule: "xxe/match", matchedPattern: sample };
+  }
+  if (detectSql(data)) {
+    return { vector: "sql", rule: "sql/match", matchedPattern: sample };
+  }
+  if (detectPathTraversal(data)) {
+    return { vector: "path", rule: "path/match", matchedPattern: sample };
+  }
+  if (detectCommandInjection(data)) {
+    return { vector: "command", rule: "command/match", matchedPattern: sample };
+  }
+  return null;
+}
 function createSanitizer(options = {}) {
-  return (req, _res, next) => {
+  return (req, res, next) => {
     try {
+      if (options.block) {
+        const hit = scanThreats(req.body) || scanThreats(req.query) || scanThreats(req.params) || scanThreats(req.path);
+        if (hit) {
+          req.__arcis = {
+            vector: hit.vector,
+            rule: hit.rule,
+            severity: "high",
+            matchedPattern: hit.matchedPattern,
+            reason: `${hit.vector} pattern detected in request`,
+            decision: "deny"
+          };
+          res.status(403).json({
+            error: "Request blocked for security reasons",
+            code: "SECURITY_THREAT",
+            vector: hit.vector
+          });
+          return;
+        }
+      }
       if (req.body && typeof req.body === "object") {
         req.body = sanitizeObject(req.body, options);
       }
@@ -1380,11 +1556,16 @@ var MAX_BATCH_SIZE = 500;
 var DEFAULT_FLUSH_INTERVAL_MS = 5e3;
 var MIN_FLUSH_INTERVAL_MS = 500;
 var FLUSH_TIMEOUT_MS = 1e4;
+var DEFAULT_MAX_QUEUE_SIZE = 1e4;
 var TelemetryClient = class {
   constructor(options) {
     this.queue = [];
     this.flushing = false;
     this.closed = false;
+    // Counts events dropped since the last successful flush. Resets to 0
+    // each flush so onQueueOverflow callbacks see "drops in this window"
+    // rather than a monotonic lifetime counter.
+    this.droppedSinceLastFlush = 0;
     if (!options.endpoint || typeof options.endpoint !== "string") {
       throw new TypeError("TelemetryClient: `endpoint` is required");
     }
@@ -1400,8 +1581,14 @@ var TelemetryClient = class {
       options.flushIntervalMs ?? DEFAULT_FLUSH_INTERVAL_MS,
       MIN_FLUSH_INTERVAL_MS
     );
+    this.maxQueueSize = Math.max(
+      options.maxQueueSize ?? DEFAULT_MAX_QUEUE_SIZE,
+      this.batchSize
+    );
     this.onError = options.onError ?? (() => {
     });
+    this.onQueueOverflow = options.onQueueOverflow ?? (() => {
+    });
     this.startTimer();
   }
   /**
@@ -1411,6 +1598,15 @@ var TelemetryClient = class {
   record(event) {
     if (this.closed) return;
     this.queue.push(event);
+    if (this.queue.length > this.maxQueueSize) {
+      const drop = this.queue.length - this.maxQueueSize;
+      this.queue.splice(0, drop);
+      this.droppedSinceLastFlush += drop;
+      try {
+        this.onQueueOverflow(this.droppedSinceLastFlush);
+      } catch {
+      }
+    }
     if (this.queue.length >= this.batchSize) {
       void this.flush();
     }
@@ -1427,6 +1623,7 @@ var TelemetryClient = class {
     try {
       const batch = this.queue.splice(0, this.batchSize);
       await this.send(batch);
+      this.droppedSinceLastFlush = 0;
     } catch (err) {
       this.safeNotify(err);
     } finally {
@@ -1571,7 +1768,10 @@ function arcis(options = {}) {
     cleanupFns.push(() => rateLimiter.close());
   }
   if (options.sanitize !== false) {
-    const sanitizeOpts = typeof options.sanitize === "object" ? options.sanitize : {};
+    const sanitizeOpts = typeof options.sanitize === "object" ? { ...options.sanitize } : {};
+    if (options.block && sanitizeOpts.block === void 0) {
+      sanitizeOpts.block = true;
+    }
     const sanitizer = createSanitizer(sanitizeOpts);
     middlewares.push(telemetryClient ? tapSanitizerThreats(sanitizer) : sanitizer);
   }
@@ -2098,6 +2298,13 @@ function botProtection(options = {}) {
       return next();
     }
     if (denySet.has(result.category)) {
+      req.__arcis = {
+        vector: "bot",
+        rule: `bot/${result.category.toLowerCase()}`,
+        severity: "medium",
+        reason: result.name ? `Bot detected: ${result.name}` : "Bot detected",
+        decision: "deny"
+      };
       if (onDetected) {
         return onDetected(req, res, result);
       }
@@ -2105,6 +2312,13 @@ function botProtection(options = {}) {
       return;
     }
     if (defaultAction === "deny") {
+      req.__arcis = {
+        vector: "bot",
+        rule: "bot/uncategorized",
+        severity: "medium",
+        reason: "Uncategorized bot under defaultAction=deny",
+        decision: "deny"
+      };
       if (onDetected) {
         return onDetected(req, res, result);
       }
@@ -2158,7 +2372,14 @@ function csrfProtection(options = {}) {
     sameSite: options.cookie?.sameSite ?? "Lax",
     domain: options.cookie?.domain
   };
-  const defaultOnError = (_req, res, _next) => {
+  const defaultOnError = (req, res, _next) => {
+    req.__arcis = {
+      vector: "csrf",
+      rule: "csrf/token-mismatch",
+      severity: "high",
+      reason: "CSRF token missing or invalid",
+      decision: "deny"
+    };
     res.status(403).json({
       error: "CSRF token validation failed",
       message: "Invalid or missing CSRF token. Include the token from the cookie in the X-CSRF-Token header."