@arcis/node 1.5.2 → 1.6.0

package/dist/index.d.ts

@@ -46,9 +46,11 @@ export type { MethodAllowlistOptions } from './middleware/method-allowlist';
 export { massAssign } from './middleware/mass-assign';
 export type { MassAssignOptions } from './middleware/mass-assign';
 export { protectLogin, protectSignup, protectApi } from './middleware/protect';
-export type { ProtectLoginOptions, ProtectSignupOptions, ProtectApiOptions, } from './middleware/protect';
+export type { ProtectLoginOptions, ProtectSignupOptions, ProtectApiOptions, CorrelationOptions, } from './middleware/protect';
 export { graphqlGuard } from './middleware/graphql';
 export type { GraphqlGuardMiddlewareOptions } from './middleware/graphql';
+export { CorrelationWindow } from './middleware/correlation';
+export type { CorrelationEvent, CorrelationDetections, CorrelationWindowOptions, } from './middleware/correlation';
 export { inspectGraphqlQuery, detectGraphqlAbuse, } from './sanitizers/graphql';
 export type { GraphqlGuardOptions, GraphqlGuardResult, GraphqlViolation, } from './sanitizers/graphql';
 export { Guards } from './guards';

package/dist/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;GAwBG;AAKH,OAAO,EAAE,KAAK,EAAE,aAAa,EAAE,MAAM,mBAAmB,CAAC;AACzD,OAAO,EAAE,OAAO,EAAE,MAAM,mBAAmB,CAAC;AAK5C,OAAO,EAAE,iBAAiB,EAAE,SAAS,EAAE,MAAM,yBAAyB,CAAC;AACvE,OAAO,EAAE,0BAA0B,EAAE,MAAM,iCAAiC,CAAC;AAC7E,OAAO,EAAE,wBAAwB,EAAE,MAAM,+BAA+B,CAAC;AACzE,OAAO,EAAE,aAAa,EAAE,eAAe,EAAE,MAAM,sBAAsB,CAAC;AACtE,OAAO,EAAE,YAAY,EAAE,kBAAkB,EAAE,MAAM,4BAA4B,CAAC;AAC9E,OAAO,EAAE,QAAQ,EAAE,UAAU,EAAE,MAAM,mBAAmB,CAAC;AACzD,OAAO,EAAE,oBAAoB,EAAE,mBAAmB,EAAE,mBAAmB,EAAE,MAAM,sBAAsB,CAAC;AACtG,OAAO,EAAE,aAAa,EAAE,SAAS,EAAE,MAAM,4BAA4B,CAAC;AACtE,OAAO,EAAE,cAAc,EAAE,UAAU,EAAE,iBAAiB,EAAE,iBAAiB,EAAE,MAAM,mBAAmB,CAAC;AACrG,OAAO,EAAE,GAAG,EAAE,SAAS,EAAE,MAAM,kBAAkB,CAAC;AAClD,OAAO,EACL,sBAAsB,EACtB,uBAAuB,EACvB,sBAAsB,EACtB,sBAAsB,GACvB,MAAM,iCAAiC,CAAC;AACzC,YAAY,EAAE,6BAA6B,EAAE,MAAM,iCAAiC,CAAC;AACrF,OAAO,EAAE,WAAW,EAAE,MAAM,2BAA2B,CAAC;AACxD,YAAY,EACV,kBAAkB,EAClB,qBAAqB,GACtB,MAAM,2BAA2B,CAAC;AACnC,OAAO,EAAE,mBAAmB,EAAE,MAAM,uBAAuB,CAAC;AAC5D,YAAY,EACV,0BAA0B,EAC1B,6BAA6B,GAC9B,MAAM,uBAAuB,CAAC;AAC/B,OAAO,EAAE,eAAe,EAAE,MAAM,+BAA+B,CAAC;AAChE,YAAY,EAAE,sBAAsB,EAAE,MAAM,+BAA+B,CAAC;AAC5E,OAAO,EAAE,UAAU,EAAE,MAAM,0BAA0B,CAAC;AACtD,YAAY,EAAE,iBAAiB,EAAE,MAAM,0BAA0B,CAAC;AAClE,OAAO,EAAE,YAAY,EAAE,aAAa,EAAE,UAAU,EAAE,MAAM,sBAAsB,CAAC;AAC/E,YAAY,EACV,mBAAmB,EACnB,oBAAoB,EACpB,iBAAiB,GAClB,MAAM,sBAAsB,CAAC;AAC9B,OAAO,EAAE,YAAY,EAAE,MAAM,sBAAsB,CAAC;AACpD,YAAY,EAAE,6BAA6B,EAAE,MAAM,sBAAsB,CAAC;AAC1E,OAAO,EACL,mBAAmB,EACnB,kBAAkB,GACnB,MAAM,sBAAsB,CAAC;AAC9B,YAAY,EACV,mBAAmB,EACnB,kBAAkB,EAClB,gBAAgB,GACjB,MAAM,sBAAsB,CAAC;AAC9B,OAAO,EAAE,MAAM,EAAE,MAAM,UAAU,CAAC;AAClC,YAAY,EACV,YAAY,EACZ,WAAW,EACX,cAAc,EACd,YAAY,EACZ,cAAc,EACd,sBAAsB,EACtB,wBAAwB,EACxB,4BAA4B,EAC5B,gBAAgB,GACjB,MAAM,UAAU,CAAC;AAClB,OAAO,EAAE,gBAAgB,EAAE,WAAW,EAAE,MAAM,gCAAgC,CAAC;AAC/E,YAAY,EACV,uBAAuB,EACvB,iBAAiB,EACjB,iBAAiB,EACjB,0BAA0B,GAC3B,MAAM,gCAAgC,CAAC;AAKxC,OAAO,EACL,cAAc,EACd,cAAc,EACd,eAAe,GAChB,MAAM,uBAAuB,CAAC;AAE/B,OAAO,EAAE,WAAW,EAAE,SAAS,EAAE,MAAM,kBAAkB,CAAC;AAC1D,OAAO,EAAE,WAAW,EAAE,SAAS,EAAE,MAAM,kBAAkB,CAAC;AAC1D,OAAO,EAAE,YAAY,EAAE,mBAAmB,EAAE,MAAM,mBAAmB,CAAC;AACtE,OAAO,EAAE,eAAe,EAAE,sBAAsB,EAAE,MAAM,sBAAsB,CAAC;AAC/E,OAAO,EAAE,YAAY,EAAE,UAAU,EAAE,MAAM,mBAAmB,CAAC;AAC7D,OAAO,EAAE,WAAW,EAAE,SAAS,EAAE,MAAM,kBAAkB,CAAC;AAC1D,OAAO,EAAE,qBAAqB,EAAE,oBAAoB,EAAE,MAAM,oBAAoB,CAAC;AACjF,OAAO,EACL,qBAAqB,EACrB,uBAAuB,GACxB,MAAM,+BAA+B,CAAC;AACvC,YAAY,EACV,2BAA2B,EAC3B,oBAAoB,EACpB,uBAAuB,GACxB,MAAM,+BAA+B,CAAC;AACvC,OAAO,EAAE,mBAAmB,EAAE,oBAAoB,EAAE,MAAM,oBAAoB,CAAC;AAC/E,OAAO,EAAE,mBAAmB,EAAE,wBAAwB,EAAE,MAAM,wBAAwB,CAAC;AACvF,OAAO,EAAE,mBAAmB,EAAE,eAAe,EAAE,qBAAqB,EAAE,MAAM,sBAAsB,CAAC;AACnG,OAAO,EAAE,OAAO,EAAE,SAAS,EAAE,SAAS,EAAE,aAAa,EAAE,eAAe,EAAE,MAAM,kBAAkB,CAAC;AACjG,OAAO,EAAE,aAAa,EAAE,kBAAkB,EAAE,WAAW,EAAE,YAAY,EAAE,YAAY,EAAE,MAAM,qBAAqB,CAAC;AAKjH,OAAO,EAAE,QAAQ,EAAE,eAAe,EAAE,MAAM,qBAAqB,CAAC;AAChE,OAAO,EAAE,WAAW,EAAE,SAAS,EAAE,MAAM,kBAAkB,CAAC;AAC1D,OAAO,EAAE,gBAAgB,EAAE,cAAc,EAAE,MAAM,uBAAuB,CAAC;AACzE,OAAO,EAAE,YAAY,EAAE,gBAAgB,EAAE,oBAAoB,EAAE,MAAM,mBAAmB,CAAC;AACzF,OAAO,EAAE,aAAa,EAAE,aAAa,EAAE,kBAAkB,EAAE,MAAM,oBAAoB,CAAC;AAKtF,OAAO,EAAE,aAAa,EAAE,cAAc,EAAE,MAAM,kBAAkB,CAAC;AACjE,OAAO,EAAE,cAAc,EAAE,WAAW,EAAE,MAAM,YAAY,CAAC;AACzD,OAAO,EAAE,WAAW,EAAE,MAAM,qBAAqB,CAAC;AAKlD,OAAO,EAAE,gBAAgB,EAAE,cAAc,EAAE,OAAO,EAAE,MAAM,oBAAoB,CAAC;AAK/E,OAAO,EAAE,eAAe,EAAE,kBAAkB,EAAE,MAAM,oBAAoB,CAAC;AACzE,YAAY,EACV,cAAc,EACd,gBAAgB,EAChB,iBAAiB,EACjB,iBAAiB,GAClB,MAAM,mBAAmB,CAAC;AAK3B,OAAO,EAAE,WAAW,EAAE,MAAM,iBAAiB,CAAC;AAC9C,OAAO,EAAE,UAAU,EAAE,gBAAgB,EAAE,MAAM,gBAAgB,CAAC;AAK9D,YAAY,EAEV,YAAY,EACZ,aAAa,EACb,eAAe,EAEf,eAAe,EACf,cAAc,EACd,UAAU,EACV,UAAU,EAEV,gBAAgB,EAChB,cAAc,EACd,cAAc,EACd,eAAe,EACf,qBAAqB,EAErB,aAAa,EACb,WAAW,EAEX,gBAAgB,EAChB,gBAAgB,EAChB,cAAc,EACd,gBAAgB,EAChB,eAAe,EAEf,UAAU,EACV,UAAU,EAEV,mBAAmB,EACnB,SAAS,GACV,MAAM,cAAc,CAAC;AAGtB,YAAY,EAAE,kBAAkB,EAAE,iBAAiB,EAAE,MAAM,kBAAkB,CAAC;AAC9E,OAAO,EACL,gBAAgB,EAChB,eAAe,EACf,kBAAkB,GACnB,MAAM,wBAAwB,CAAC;AAChC,YAAY,EACV,uBAAuB,EACvB,sBAAsB,EACtB,SAAS,EACT,aAAa,GACd,MAAM,wBAAwB,CAAC;AAChC,YAAY,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAC;AACrD,YAAY,EAAE,mBAAmB,EAAE,MAAM,sBAAsB,CAAC;AAChE,YAAY,EAAE,mBAAmB,EAAE,SAAS,EAAE,kBAAkB,EAAE,MAAM,mBAAmB,CAAC;AAC5F,YAAY,EAAE,uBAAuB,EAAE,sBAAsB,EAAE,MAAM,uBAAuB,CAAC;AAG7F,YAAY,EAAE,eAAe,EAAE,iBAAiB,EAAE,MAAM,gBAAgB,CAAC;AAGzE,YAAY,EAAE,QAAQ,EAAE,eAAe,EAAE,MAAM,YAAY,CAAC;AAC5D,YAAY,EAAE,kBAAkB,EAAE,MAAM,qBAAqB,CAAC;AAC9D,YAAY,EAAE,sBAAsB,EAAE,qBAAqB,EAAE,MAAM,oBAAoB,CAAC;AACxF,YAAY,EAAE,oBAAoB,EAAE,uBAAuB,EAAE,MAAM,iCAAiC,CAAC;AACrG,YAAY,EAAE,kBAAkB,EAAE,qBAAqB,EAAE,MAAM,+BAA+B,CAAC;AAC/F,YAAY,EAAE,WAAW,EAAE,kBAAkB,EAAE,oBAAoB,EAAE,MAAM,4BAA4B,CAAC;AACxG,YAAY,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAC;AACrD,YAAY,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAC;AACnD,YAAY,EAAE,OAAO,EAAE,QAAQ,EAAE,cAAc,EAAE,gBAAgB,EAAE,MAAM,kBAAkB,CAAC;AAK5F,OAAO,EACL,UAAU,EACV,oBAAoB,EACpB,cAAc,EACd,kBAAkB,EAClB,mBAAmB,EACnB,iBAAiB,GAClB,MAAM,eAAe,CAAC;AAKvB,OAAO,EACL,KAAK,EACL,UAAU,EACV,OAAO,EACP,SAAS,EACT,UAAU,EACV,MAAM,EACN,OAAO,GACR,MAAM,kBAAkB,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;GAwBG;AAKH,OAAO,EAAE,KAAK,EAAE,aAAa,EAAE,MAAM,mBAAmB,CAAC;AACzD,OAAO,EAAE,OAAO,EAAE,MAAM,mBAAmB,CAAC;AAK5C,OAAO,EAAE,iBAAiB,EAAE,SAAS,EAAE,MAAM,yBAAyB,CAAC;AACvE,OAAO,EAAE,0BAA0B,EAAE,MAAM,iCAAiC,CAAC;AAC7E,OAAO,EAAE,wBAAwB,EAAE,MAAM,+BAA+B,CAAC;AACzE,OAAO,EAAE,aAAa,EAAE,eAAe,EAAE,MAAM,sBAAsB,CAAC;AACtE,OAAO,EAAE,YAAY,EAAE,kBAAkB,EAAE,MAAM,4BAA4B,CAAC;AAC9E,OAAO,EAAE,QAAQ,EAAE,UAAU,EAAE,MAAM,mBAAmB,CAAC;AACzD,OAAO,EAAE,oBAAoB,EAAE,mBAAmB,EAAE,mBAAmB,EAAE,MAAM,sBAAsB,CAAC;AACtG,OAAO,EAAE,aAAa,EAAE,SAAS,EAAE,MAAM,4BAA4B,CAAC;AACtE,OAAO,EAAE,cAAc,EAAE,UAAU,EAAE,iBAAiB,EAAE,iBAAiB,EAAE,MAAM,mBAAmB,CAAC;AACrG,OAAO,EAAE,GAAG,EAAE,SAAS,EAAE,MAAM,kBAAkB,CAAC;AAClD,OAAO,EACL,sBAAsB,EACtB,uBAAuB,EACvB,sBAAsB,EACtB,sBAAsB,GACvB,MAAM,iCAAiC,CAAC;AACzC,YAAY,EAAE,6BAA6B,EAAE,MAAM,iCAAiC,CAAC;AACrF,OAAO,EAAE,WAAW,EAAE,MAAM,2BAA2B,CAAC;AACxD,YAAY,EACV,kBAAkB,EAClB,qBAAqB,GACtB,MAAM,2BAA2B,CAAC;AACnC,OAAO,EAAE,mBAAmB,EAAE,MAAM,uBAAuB,CAAC;AAC5D,YAAY,EACV,0BAA0B,EAC1B,6BAA6B,GAC9B,MAAM,uBAAuB,CAAC;AAC/B,OAAO,EAAE,eAAe,EAAE,MAAM,+BAA+B,CAAC;AAChE,YAAY,EAAE,sBAAsB,EAAE,MAAM,+BAA+B,CAAC;AAC5E,OAAO,EAAE,UAAU,EAAE,MAAM,0BAA0B,CAAC;AACtD,YAAY,EAAE,iBAAiB,EAAE,MAAM,0BAA0B,CAAC;AAClE,OAAO,EAAE,YAAY,EAAE,aAAa,EAAE,UAAU,EAAE,MAAM,sBAAsB,CAAC;AAC/E,YAAY,EACV,mBAAmB,EACnB,oBAAoB,EACpB,iBAAiB,EACjB,kBAAkB,GACnB,MAAM,sBAAsB,CAAC;AAC9B,OAAO,EAAE,YAAY,EAAE,MAAM,sBAAsB,CAAC;AACpD,YAAY,EAAE,6BAA6B,EAAE,MAAM,sBAAsB,CAAC;AAC1E,OAAO,EAAE,iBAAiB,EAAE,MAAM,0BAA0B,CAAC;AAC7D,YAAY,EACV,gBAAgB,EAChB,qBAAqB,EACrB,wBAAwB,GACzB,MAAM,0BAA0B,CAAC;AAClC,OAAO,EACL,mBAAmB,EACnB,kBAAkB,GACnB,MAAM,sBAAsB,CAAC;AAC9B,YAAY,EACV,mBAAmB,EACnB,kBAAkB,EAClB,gBAAgB,GACjB,MAAM,sBAAsB,CAAC;AAC9B,OAAO,EAAE,MAAM,EAAE,MAAM,UAAU,CAAC;AAClC,YAAY,EACV,YAAY,EACZ,WAAW,EACX,cAAc,EACd,YAAY,EACZ,cAAc,EACd,sBAAsB,EACtB,wBAAwB,EACxB,4BAA4B,EAC5B,gBAAgB,GACjB,MAAM,UAAU,CAAC;AAClB,OAAO,EAAE,gBAAgB,EAAE,WAAW,EAAE,MAAM,gCAAgC,CAAC;AAC/E,YAAY,EACV,uBAAuB,EACvB,iBAAiB,EACjB,iBAAiB,EACjB,0BAA0B,GAC3B,MAAM,gCAAgC,CAAC;AAKxC,OAAO,EACL,cAAc,EACd,cAAc,EACd,eAAe,GAChB,MAAM,uBAAuB,CAAC;AAE/B,OAAO,EAAE,WAAW,EAAE,SAAS,EAAE,MAAM,kBAAkB,CAAC;AAC1D,OAAO,EAAE,WAAW,EAAE,SAAS,EAAE,MAAM,kBAAkB,CAAC;AAC1D,OAAO,EAAE,YAAY,EAAE,mBAAmB,EAAE,MAAM,mBAAmB,CAAC;AACtE,OAAO,EAAE,eAAe,EAAE,sBAAsB,EAAE,MAAM,sBAAsB,CAAC;AAC/E,OAAO,EAAE,YAAY,EAAE,UAAU,EAAE,MAAM,mBAAmB,CAAC;AAC7D,OAAO,EAAE,WAAW,EAAE,SAAS,EAAE,MAAM,kBAAkB,CAAC;AAC1D,OAAO,EAAE,qBAAqB,EAAE,oBAAoB,EAAE,MAAM,oBAAoB,CAAC;AACjF,OAAO,EACL,qBAAqB,EACrB,uBAAuB,GACxB,MAAM,+BAA+B,CAAC;AACvC,YAAY,EACV,2BAA2B,EAC3B,oBAAoB,EACpB,uBAAuB,GACxB,MAAM,+BAA+B,CAAC;AACvC,OAAO,EAAE,mBAAmB,EAAE,oBAAoB,EAAE,MAAM,oBAAoB,CAAC;AAC/E,OAAO,EAAE,mBAAmB,EAAE,wBAAwB,EAAE,MAAM,wBAAwB,CAAC;AACvF,OAAO,EAAE,mBAAmB,EAAE,eAAe,EAAE,qBAAqB,EAAE,MAAM,sBAAsB,CAAC;AACnG,OAAO,EAAE,OAAO,EAAE,SAAS,EAAE,SAAS,EAAE,aAAa,EAAE,eAAe,EAAE,MAAM,kBAAkB,CAAC;AACjG,OAAO,EAAE,aAAa,EAAE,kBAAkB,EAAE,WAAW,EAAE,YAAY,EAAE,YAAY,EAAE,MAAM,qBAAqB,CAAC;AAKjH,OAAO,EAAE,QAAQ,EAAE,eAAe,EAAE,MAAM,qBAAqB,CAAC;AAChE,OAAO,EAAE,WAAW,EAAE,SAAS,EAAE,MAAM,kBAAkB,CAAC;AAC1D,OAAO,EAAE,gBAAgB,EAAE,cAAc,EAAE,MAAM,uBAAuB,CAAC;AACzE,OAAO,EAAE,YAAY,EAAE,gBAAgB,EAAE,oBAAoB,EAAE,MAAM,mBAAmB,CAAC;AACzF,OAAO,EAAE,aAAa,EAAE,aAAa,EAAE,kBAAkB,EAAE,MAAM,oBAAoB,CAAC;AAKtF,OAAO,EAAE,aAAa,EAAE,cAAc,EAAE,MAAM,kBAAkB,CAAC;AACjE,OAAO,EAAE,cAAc,EAAE,WAAW,EAAE,MAAM,YAAY,CAAC;AACzD,OAAO,EAAE,WAAW,EAAE,MAAM,qBAAqB,CAAC;AAKlD,OAAO,EAAE,gBAAgB,EAAE,cAAc,EAAE,OAAO,EAAE,MAAM,oBAAoB,CAAC;AAK/E,OAAO,EAAE,eAAe,EAAE,kBAAkB,EAAE,MAAM,oBAAoB,CAAC;AACzE,YAAY,EACV,cAAc,EACd,gBAAgB,EAChB,iBAAiB,EACjB,iBAAiB,GAClB,MAAM,mBAAmB,CAAC;AAK3B,OAAO,EAAE,WAAW,EAAE,MAAM,iBAAiB,CAAC;AAC9C,OAAO,EAAE,UAAU,EAAE,gBAAgB,EAAE,MAAM,gBAAgB,CAAC;AAK9D,YAAY,EAEV,YAAY,EACZ,aAAa,EACb,eAAe,EAEf,eAAe,EACf,cAAc,EACd,UAAU,EACV,UAAU,EAEV,gBAAgB,EAChB,cAAc,EACd,cAAc,EACd,eAAe,EACf,qBAAqB,EAErB,aAAa,EACb,WAAW,EAEX,gBAAgB,EAChB,gBAAgB,EAChB,cAAc,EACd,gBAAgB,EAChB,eAAe,EAEf,UAAU,EACV,UAAU,EAEV,mBAAmB,EACnB,SAAS,GACV,MAAM,cAAc,CAAC;AAGtB,YAAY,EAAE,kBAAkB,EAAE,iBAAiB,EAAE,MAAM,kBAAkB,CAAC;AAC9E,OAAO,EACL,gBAAgB,EAChB,eAAe,EACf,kBAAkB,GACnB,MAAM,wBAAwB,CAAC;AAChC,YAAY,EACV,uBAAuB,EACvB,sBAAsB,EACtB,SAAS,EACT,aAAa,GACd,MAAM,wBAAwB,CAAC;AAChC,YAAY,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAC;AACrD,YAAY,EAAE,mBAAmB,EAAE,MAAM,sBAAsB,CAAC;AAChE,YAAY,EAAE,mBAAmB,EAAE,SAAS,EAAE,kBAAkB,EAAE,MAAM,mBAAmB,CAAC;AAC5F,YAAY,EAAE,uBAAuB,EAAE,sBAAsB,EAAE,MAAM,uBAAuB,CAAC;AAG7F,YAAY,EAAE,eAAe,EAAE,iBAAiB,EAAE,MAAM,gBAAgB,CAAC;AAGzE,YAAY,EAAE,QAAQ,EAAE,eAAe,EAAE,MAAM,YAAY,CAAC;AAC5D,YAAY,EAAE,kBAAkB,EAAE,MAAM,qBAAqB,CAAC;AAC9D,YAAY,EAAE,sBAAsB,EAAE,qBAAqB,EAAE,MAAM,oBAAoB,CAAC;AACxF,YAAY,EAAE,oBAAoB,EAAE,uBAAuB,EAAE,MAAM,iCAAiC,CAAC;AACrG,YAAY,EAAE,kBAAkB,EAAE,qBAAqB,EAAE,MAAM,+BAA+B,CAAC;AAC/F,YAAY,EAAE,WAAW,EAAE,kBAAkB,EAAE,oBAAoB,EAAE,MAAM,4BAA4B,CAAC;AACxG,YAAY,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAC;AACrD,YAAY,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAC;AACnD,YAAY,EAAE,OAAO,EAAE,QAAQ,EAAE,cAAc,EAAE,gBAAgB,EAAE,MAAM,kBAAkB,CAAC;AAK5F,OAAO,EACL,UAAU,EACV,oBAAoB,EACpB,cAAc,EACd,kBAAkB,EAClB,mBAAmB,EACnB,iBAAiB,GAClB,MAAM,eAAe,CAAC;AAKvB,OAAO,EACL,KAAK,EACL,UAAU,EACV,OAAO,EACP,SAAS,EACT,UAAU,EACV,MAAM,EACN,OAAO,GACR,MAAM,kBAAkB,CAAC"}

package/dist/index.js

@@ -165,7 +165,16 @@ var SQL_PATTERNS = [
   /** Time-based blind: PostgreSQL pg_sleep() */
   /\bpg_sleep\s*\(/gi,
   /** Time-based blind: MSSQL WAITFOR DELAY */
-  /\bWAITFOR\s+DELAY\b/gi
+  /\bWAITFOR\s+DELAY\b/gi,
+  /**
+   * Oracle DBMS_* stdlib packages used for time-based blind SQLi
+   * (DBMS_LOCK.SLEEP, DBMS_PIPE.RECEIVE_MESSAGE) and other Oracle
+   * abuse paths. No legitimate user input contains these. Mirrors
+   * `sqli-oracle-dbms-packages` in packages/core/patterns.json —
+   * improvements.md §1.1.e Q3. Must stay in sync until Node
+   * migrates to patterns.json-at-runtime (planned v1.7).
+   */
+  /\bDBMS_(?:LOCK|PIPE|UTILITY|XSLPROCESSOR|JAVA|OUTPUT|SCHEDULER)\b/gi
 ];
 var PATH_PATTERNS = [
   /** Unix path traversal */
@@ -203,6 +212,15 @@ var COMMAND_PATTERNS = [
   /[;&|`]/g,
   /** Command substitution: $( ... ) — matched as a pair to reduce false positives */
   /\$\(/g,
+  /**
+   * POSIX shell IFS-substitution: ${IFS} or ${IFS%??}.
+   * Attackers use this to inject spaces past metacharacter filters
+   * in payloads like `;cat${IFS}/etc/passwd`. Mirrors
+   * `cmdi-ifs-bypass` in packages/core/patterns.json — improvements.md
+   * §1.1.e Q5. Must stay in sync until Node migrates to
+   * patterns.json-at-runtime (planned v1.7).
+   */
+  /\$\{IFS(?:%[^}]*)?\}/g,
   /** URL-encoded control characters (%00-%0F): null, tab, vtab, formfeed, LF, CR */
   /%0[0-9a-f]/gi
 ];
@@ -1147,6 +1165,40 @@ function detectHeaderInjection(input) {
 }
 
 // src/sanitizers/sanitize.ts
+function multiDecode(value, maxPasses = 4) {
+  for (let i = 0; i < maxPasses; i++) {
+    const prev = value;
+    try {
+      value = decodeURIComponent(value);
+    } catch {
+    }
+    value = htmlEntityDecode(value);
+    if (value === prev) break;
+  }
+  return value;
+}
+function htmlEntityDecode(s) {
+  s = s.replace(/&#(\d+);/g, (_m, n) => {
+    const code = parseInt(n, 10);
+    return Number.isFinite(code) && code >= 0 && code <= 1114111 ? String.fromCodePoint(code) : _m;
+  });
+  s = s.replace(/&#x([0-9a-fA-F]+);/g, (_m, h) => {
+    const code = parseInt(h, 16);
+    return Number.isFinite(code) && code >= 0 && code <= 1114111 ? String.fromCodePoint(code) : _m;
+  });
+  const named = {
+    "&lt;": "<",
+    "&gt;": ">",
+    "&amp;": "&",
+    "&quot;": '"',
+    "&apos;": "'",
+    "&nbsp;": " "
+  };
+  for (const [entity, ch] of Object.entries(named)) {
+    s = s.split(entity).join(ch);
+  }
+  return s;
+}
 function sanitizeString(value, options = {}) {
   if (typeof value !== "string") return value;
   const maxSize = options.maxSize ?? INPUT.DEFAULT_MAX_SIZE;
@@ -1154,7 +1206,8 @@ function sanitizeString(value, options = {}) {
     throw new InputTooLargeError(maxSize, value.length);
   }
   const reject = options.mode === "reject";
-  let result = value;
+  let result = value.normalize("NFKC");
+  result = multiDecode(result);
   if (options.sql !== false) {
     if (reject) {
       if (detectSql(result)) {
@@ -1601,7 +1654,9 @@ function encodeForCss(value) {
 var DEFAULTS = {
   maxDepth: 10,
   maxLength: 1e4,
-  blockIntrospection: true
+  blockIntrospection: true,
+  maxAliases: 50,
+  blockFragmentCycles: true
 };
 var INTROSPECTION_PATTERN = /\b__(schema|type|typeKind|directive)\b/;
 function computeDepth(query) {
@@ -1618,22 +1673,87 @@ function computeDepth(query) {
   }
   return max;
 }
+var ALIAS_PATTERN = /\b([a-zA-Z_][a-zA-Z0-9_]*)\s*:\s*([a-zA-Z_][a-zA-Z0-9_]*)\b/g;
+var FRAGMENT_DEF_PATTERN = /\bfragment\s+([a-zA-Z_][a-zA-Z0-9_]*)\s+on\s+[a-zA-Z_][a-zA-Z0-9_]*\s*\{/g;
+var FRAGMENT_SPREAD_PATTERN = /\.\.\.\s*([a-zA-Z_][a-zA-Z0-9_]*)\b/g;
+function countAliases(query) {
+  let n = 0;
+  ALIAS_PATTERN.lastIndex = 0;
+  while (ALIAS_PATTERN.exec(query) !== null) n++;
+  return n;
+}
+function hasFragmentCycle(query) {
+  const deps = /* @__PURE__ */ new Map();
+  FRAGMENT_DEF_PATTERN.lastIndex = 0;
+  let match;
+  while ((match = FRAGMENT_DEF_PATTERN.exec(query)) !== null) {
+    const name = match[1];
+    const bodyStart = match.index + match[0].length;
+    let depth = 1;
+    let i = bodyStart;
+    while (i < query.length && depth > 0) {
+      const ch = query[i];
+      if (ch === "{") depth++;
+      else if (ch === "}") depth--;
+      i++;
+    }
+    const bodyEnd = depth === 0 ? i - 1 : i;
+    const body = query.slice(bodyStart, bodyEnd);
+    const spreads = /* @__PURE__ */ new Set();
+    FRAGMENT_SPREAD_PATTERN.lastIndex = 0;
+    let sm;
+    while ((sm = FRAGMENT_SPREAD_PATTERN.exec(body)) !== null) {
+      spreads.add(sm[1]);
+    }
+    deps.set(name, spreads);
+  }
+  if (deps.size === 0) return false;
+  const WHITE = 0;
+  const GRAY = 1;
+  const BLACK = 2;
+  const color = /* @__PURE__ */ new Map();
+  for (const name of deps.keys()) color.set(name, WHITE);
+  function visit(name) {
+    if (color.get(name) === GRAY) return true;
+    if (color.get(name) === BLACK) return false;
+    if (!deps.has(name)) return false;
+    color.set(name, GRAY);
+    for (const child of deps.get(name)) {
+      if (visit(child)) return true;
+    }
+    color.set(name, BLACK);
+    return false;
+  }
+  for (const name of deps.keys()) {
+    if (visit(name)) return true;
+  }
+  return false;
+}
 function inspectGraphqlQuery(query, options = {}) {
   const maxDepth = options.maxDepth ?? DEFAULTS.maxDepth;
   const maxLength = options.maxLength ?? DEFAULTS.maxLength;
   const blockIntrospection = options.blockIntrospection ?? DEFAULTS.blockIntrospection;
+  const maxAliases = options.maxAliases ?? DEFAULTS.maxAliases;
+  const blockFragmentCycles = options.blockFragmentCycles ?? DEFAULTS.blockFragmentCycles;
   const length = query.length;
   const depth = computeDepth(query);
+  const aliases = countAliases(query);
   if (depth > maxDepth) {
-    return { blocked: true, reason: "depth", depth, length };
+    return { blocked: true, reason: "depth", depth, length, aliases };
   }
   if (blockIntrospection && INTROSPECTION_PATTERN.test(query)) {
-    return { blocked: true, reason: "introspection", depth, length };
+    return { blocked: true, reason: "introspection", depth, length, aliases };
+  }
+  if (aliases > maxAliases) {
+    return { blocked: true, reason: "aliases", depth, length, aliases };
+  }
+  if (blockFragmentCycles && hasFragmentCycle(query)) {
+    return { blocked: true, reason: "fragment_cycle", depth, length, aliases };
   }
   if (length > maxLength) {
-    return { blocked: true, reason: "length", depth, length };
+    return { blocked: true, reason: "length", depth, length, aliases };
   }
-  return { blocked: false, depth, length };
+  return { blocked: false, depth, length, aliases };
 }
 function detectGraphqlAbuse(query, options) {
   if (typeof query !== "string" || query.length === 0) return false;
@@ -9969,6 +10089,46 @@ function signupProtection(options = {}) {
 }
 
 // src/middleware/protect.ts
+function getClientIp(req) {
+  const xff = req?.headers?.["x-forwarded-for"] ?? req?.headers?.["X-Forwarded-For"];
+  if (typeof xff === "string" && xff.length > 0) {
+    const first = xff.split(",")[0]?.trim();
+    if (first) return first;
+  }
+  if (typeof req?.ip === "string") return req.ip;
+  const remote = req?.socket?.remoteAddress;
+  return typeof remote === "string" ? remote : "";
+}
+function correlationMiddleware(opts) {
+  const vector = opts.vector ?? "request";
+  const usernameField = opts.usernameField ?? "username";
+  const statusCode = opts.statusCode ?? 429;
+  const message = opts.message ?? "Suspicious request pattern detected.";
+  return function(req, res, next) {
+    const ip = getClientIp(req);
+    if (!ip) return next();
+    const route = opts.route ?? (req.path || req.url || "/");
+    const username = req?.body?.[usernameField];
+    const distinctValue = typeof username === "string" && username.length > 0 ? username : void 0;
+    const detections = opts.window.record(
+      ip,
+      vector,
+      route,
+      req.method || "GET",
+      distinctValue
+    );
+    if (detections.scanner || detections.credentialStuffing || detections.raceWindow) {
+      res.status(statusCode).json({
+        error: message,
+        scanner: detections.scanner,
+        credential_stuffing: detections.credentialStuffing,
+        race_window: detections.raceWindow
+      });
+      return;
+    }
+    next();
+  };
+}
 function resolve(override, defaults) {
   if (override === false) return null;
   if (override === void 0) return defaults;
@@ -9988,6 +10148,11 @@ function protectLogin(options = {}) {
   if (csrf) middlewares.push(csrfProtection(csrf));
   const sanitize = resolve(options.sanitize, {});
   if (sanitize) middlewares.push(createSanitizer(sanitize));
+  if (options.correlation) {
+    middlewares.push(
+      correlationMiddleware({ vector: "login", ...options.correlation })
+    );
+  }
   return middlewares;
 }
 function protectSignup(options = {}) {
@@ -10004,6 +10169,11 @@ function protectSignup(options = {}) {
   if (sanitize) middlewares.push(createSanitizer(sanitize));
   const signup = resolve(options.signup, {});
   if (signup) middlewares.push(signupProtection(signup));
+  if (options.correlation) {
+    middlewares.push(
+      correlationMiddleware({ vector: "signup", ...options.correlation })
+    );
+  }
   return middlewares;
 }
 function protectApi(options = {}) {
@@ -10014,6 +10184,11 @@ function protectApi(options = {}) {
   if (cors) middlewares.push(safeCors(cors));
   const sanitize = resolve(options.sanitize, {});
   if (sanitize) middlewares.push(createSanitizer(sanitize));
+  if (options.correlation) {
+    middlewares.push(
+      correlationMiddleware({ vector: "api", ...options.correlation })
+    );
+  }
   return middlewares;
 }
 
@@ -10021,7 +10196,9 @@ function protectApi(options = {}) {
 var DEFAULT_MESSAGES = {
   depth: "Query exceeds maximum nesting depth",
   length: "Query exceeds maximum length",
-  introspection: "Introspection queries are disabled"
+  introspection: "Introspection queries are disabled",
+  aliases: "Query exceeds maximum alias count (alias-bomb protection)",
+  fragment_cycle: "Query contains a cyclic fragment definition"
 };
 function extractQuery(req) {
   const bodyQuery = typeof req.body === "object" && req.body !== null ? req.body.query : void 0;
@@ -10057,6 +10234,186 @@ function graphqlGuard(options = {}) {
   };
 }
 
+// src/middleware/correlation.ts
+var EMPTY_DETECTIONS = Object.freeze({
+  scanner: false,
+  credentialStuffing: false,
+  raceWindow: false,
+  distinctVectors: 0,
+  distinctValues: 0,
+  requestsInWindow: 0
+});
+function normalizePair(a, b) {
+  return a < b ? `${a}
${b}` : `${b}
${a}`;
+}
+var CorrelationWindow = class {
+  constructor(options = {}) {
+    // Map iteration order in JS is insertion order, so re-inserting on
+    // access gives us LRU behaviour without a separate linked list.
+    this.buckets = /* @__PURE__ */ new Map();
+    const {
+      windowSeconds = 60,
+      maxIps = 1e4,
+      maxEventsPerIp = 200,
+      scannerDistinctVectors = 3,
+      scannerMinRequests = 20,
+      credentialStuffingDistinctValues = 10,
+      raceWindowMs = 200,
+      racePairs
+    } = options;
+    if (windowSeconds <= 0) throw new Error("windowSeconds must be > 0");
+    if (maxIps < 1) throw new Error("maxIps must be >= 1");
+    if (maxEventsPerIp < 1) throw new Error("maxEventsPerIp must be >= 1");
+    this.windowSeconds = windowSeconds;
+    this.maxIps = maxIps;
+    this.maxEventsPerIp = maxEventsPerIp;
+    this.scannerDistinctVectors = scannerDistinctVectors;
+    this.scannerMinRequests = scannerMinRequests;
+    this.csDistinctValues = credentialStuffingDistinctValues;
+    this.raceWindowSeconds = raceWindowMs / 1e3;
+    this.racePairKeys = /* @__PURE__ */ new Set();
+    this.racePairTuples = [];
+    if (racePairs) {
+      for (const [a, b] of racePairs) {
+        const key = normalizePair(a, b);
+        if (!this.racePairKeys.has(key)) {
+          this.racePairKeys.add(key);
+          const sorted = a < b ? [a, b] : [b, a];
+          this.racePairTuples.push(sorted);
+        }
+      }
+    }
+  }
+  record(ip, vector, route, method = "GET", distinctValue, now) {
+    if (!ip) return EMPTY_DETECTIONS;
+    const ts = now ?? Date.now() / 1e3;
+    const event = {
+      timestamp: ts,
+      vector,
+      route,
+      method,
+      distinctValue
+    };
+    let bucket = this.buckets.get(ip);
+    if (bucket === void 0) {
+      bucket = { events: [] };
+      this.buckets.set(ip, bucket);
+      while (this.buckets.size > this.maxIps) {
+        const oldest = this.buckets.keys().next().value;
+        if (oldest === void 0) break;
+        this.buckets.delete(oldest);
+      }
+    } else {
+      this.buckets.delete(ip);
+      this.buckets.set(ip, bucket);
+    }
+    bucket.events.push(event);
+    this.evictStale(bucket, ts);
+    return this.evaluate(bucket, route);
+  }
+  detectScanner(ip, now) {
+    const bucket = this.buckets.get(ip);
+    if (bucket === void 0) return false;
+    this.evictStale(bucket, now ?? Date.now() / 1e3);
+    return this.isScanner(bucket);
+  }
+  detectCredentialStuffing(ip, route, now) {
+    const bucket = this.buckets.get(ip);
+    if (bucket === void 0) return false;
+    this.evictStale(bucket, now ?? Date.now() / 1e3);
+    return this.isCredentialStuffing(bucket, route);
+  }
+  detectRaceWindow(ip, routePair, now) {
+    const bucket = this.buckets.get(ip);
+    if (bucket === void 0) return false;
+    this.evictStale(bucket, now ?? Date.now() / 1e3);
+    const sorted = routePair[0] < routePair[1] ? routePair : [routePair[1], routePair[0]];
+    return this.racePairInBucket(bucket, sorted);
+  }
+  reset(ip) {
+    if (ip === void 0) {
+      this.buckets.clear();
+    } else {
+      this.buckets.delete(ip);
+    }
+  }
+  stats() {
+    let events = 0;
+    for (const b of this.buckets.values()) events += b.events.length;
+    return { trackedIps: this.buckets.size, eventsInWindow: events };
+  }
+  // -------------------------------------------------------- internals
+  evictStale(bucket, now) {
+    const cutoff = now - this.windowSeconds;
+    let drop = 0;
+    while (drop < bucket.events.length && bucket.events[drop].timestamp < cutoff) {
+      drop++;
+    }
+    if (drop > 0) bucket.events.splice(0, drop);
+    if (bucket.events.length > this.maxEventsPerIp) {
+      bucket.events.splice(0, bucket.events.length - this.maxEventsPerIp);
+    }
+  }
+  evaluate(bucket, route) {
+    const vectors = /* @__PURE__ */ new Set();
+    const values = /* @__PURE__ */ new Set();
+    for (const e of bucket.events) {
+      vectors.add(e.vector);
+      if (e.route === route && e.distinctValue !== void 0) {
+        values.add(e.distinctValue);
+      }
+    }
+    return {
+      scanner: this.isScanner(bucket),
+      credentialStuffing: this.isCredentialStuffing(bucket, route),
+      raceWindow: this.isRaceAny(bucket),
+      distinctVectors: vectors.size,
+      distinctValues: values.size,
+      requestsInWindow: bucket.events.length
+    };
+  }
+  isScanner(bucket) {
+    if (bucket.events.length < this.scannerMinRequests) return false;
+    const vectors = /* @__PURE__ */ new Set();
+    for (const e of bucket.events) vectors.add(e.vector);
+    return vectors.size >= this.scannerDistinctVectors;
+  }
+  isCredentialStuffing(bucket, route) {
+    const values = /* @__PURE__ */ new Set();
+    for (const e of bucket.events) {
+      if (e.route === route && e.distinctValue !== void 0) {
+        values.add(e.distinctValue);
+      }
+    }
+    return values.size >= this.csDistinctValues;
+  }
+  racePairInBucket(bucket, sorted) {
+    const [a, b] = sorted;
+    const aTs = [];
+    const bTs = [];
+    for (const e of bucket.events) {
+      if (e.route === a) aTs.push(e.timestamp);
+      else if (e.route === b) bTs.push(e.timestamp);
+    }
+    if (aTs.length === 0 || bTs.length === 0) return false;
+    let ai = 0;
+    let bi = 0;
+    while (ai < aTs.length && bi < bTs.length) {
+      const diff = aTs[ai] - bTs[bi];
+      if (Math.abs(diff) <= this.raceWindowSeconds) return true;
+      if (diff < 0) ai++;
+      else bi++;
+    }
+    return false;
+  }
+  isRaceAny(bucket) {
+    for (const pair of this.racePairTuples) {
+      if (this.racePairInBucket(bucket, pair)) return true;
+    }
+    return false;
+  }
+};
+
 // src/sanitizers/prompt-injection.ts
 var SIGNATURES = [
   // --- HIGH severity: clear override / jailbreak attempts ---
@@ -10186,6 +10543,47 @@ var SIGNATURES = [
     severity: "medium",
     description: "ROT13 / Caesar-cipher decode hint"
   },
+  // ── V32: AI agent toolcall injection (improvements.md §1.2) ────────
+  // Modern LLM agents (Claude tool-use, OpenAI function-calling,
+  // ReAct loops) read tool definitions from the system prompt and
+  // JSON-shaped requests from the model. A malicious user can embed
+  // those shapes in their input to make the host think they invoked
+  // a tool, or to trick the model into echoing a synthesized
+  // tool_call that the runtime then executes.
+  //
+  // Narrow patterns — match the literal JSON keys and inline
+  // tool-name shapes. Won't false-positive on plain English text
+  // discussing tools.
+  {
+    rule: "agent-toolcall-marker",
+    pattern: /"(?:tool_call|function_call|call_tool|tool_use|toolUse)"\s*:\s*\{/i,
+    severity: "high",
+    description: 'Injected agent tool-call JSON shape (e.g. {"tool_call":{...}})'
+  },
+  {
+    rule: "agent-tool-name-spoof",
+    pattern: /"name"\s*:\s*"(?:exec|shell|run_command|system|bash|cmd|python|eval|read_file|write_file|delete_file)"/i,
+    severity: "high",
+    description: "Forged tool-name attempting privileged tool invocation"
+  },
+  {
+    rule: "agent-tool-result-marker",
+    pattern: /"(?:tool_result|function_result|tool_output)"\s*:\s*[\{\["]/i,
+    severity: "high",
+    description: "Injected fake tool-result block (trick agent into trusting fabricated output)"
+  },
+  {
+    rule: "ansi-escape-sequence",
+    pattern: /\x1b\[/,
+    severity: "medium",
+    description: "ANSI escape sequence (terminal hijack / output spoofing on CLI agents)"
+  },
+  {
+    rule: "claude-tool-use-tags",
+    pattern: /<\/?\s*(?:tool_use|tool_result|invoke|function_calls?|parameter)\b/i,
+    severity: "high",
+    description: "Claude/OpenAI tool-use XML-style tag forgery"
+  },
   // --- LOW severity: ambiguous but worth flagging in strict mode ---
   {
     rule: "from-now-on",
@@ -10742,6 +11140,7 @@ function createRedisStore(options) {
 exports.ArcisError = ArcisError;
 exports.ArcisValidationError = ValidationError;
 exports.BLOCKED = BLOCKED;
+exports.CorrelationWindow = CorrelationWindow;
 exports.ERRORS = ERRORS;
 exports.Guards = Guards;
 exports.HEADERS = HEADERS;