@atlascrew/apparatus 0.9.0

package/dist/persistence/tarpit-state.js

@@ -0,0 +1,47 @@
+import { readFileSync } from "node:fs";
+import { mkdir, writeFile } from "node:fs/promises";
+import path from "node:path";
+import { logger } from "../logger.js";
+function isPersistedEntry(value) {
+    if (!value || typeof value !== "object" || Array.isArray(value))
+        return false;
+    const candidate = value;
+    return typeof candidate.ip === "string" && Number.isFinite(candidate.trappedAt);
+}
+export function loadTarpitStateSync(statePath) {
+    if (!statePath) {
+        return [];
+    }
+    try {
+        const raw = readFileSync(statePath, "utf8");
+        const parsed = JSON.parse(raw);
+        if (Array.isArray(parsed)) {
+            return parsed.filter(isPersistedEntry);
+        }
+        if (parsed && typeof parsed === "object" && Array.isArray(parsed.entries)) {
+            return parsed.entries.filter(isPersistedEntry);
+        }
+        return [];
+    }
+    catch (error) {
+        if (error?.code !== "ENOENT") {
+            logger.warn({ statePath, error: error?.message }, "Tarpit state load failed; continuing with in-memory store");
+        }
+        return [];
+    }
+}
+export async function writeTarpitState(statePath, entries) {
+    if (!statePath) {
+        return true;
+    }
+    try {
+        await mkdir(path.dirname(statePath), { recursive: true });
+        await writeFile(statePath, `${JSON.stringify({ entries }, null, 2)}\n`, "utf8");
+        return true;
+    }
+    catch (error) {
+        logger.warn({ statePath, error: error?.message }, "Tarpit state persist failed; keeping data in memory");
+        return false;
+    }
+}
+//# sourceMappingURL=tarpit-state.js.map

package/dist/persistence/tarpit-state.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"tarpit-state.js","sourceRoot":"","sources":["../../src/persistence/tarpit-state.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AACvC,OAAO,EAAE,KAAK,EAAE,SAAS,EAAE,MAAM,kBAAkB,CAAC;AACpD,OAAO,IAAI,MAAM,WAAW,CAAC;AAC7B,OAAO,EAAE,MAAM,EAAE,MAAM,cAAc,CAAC;AAOtC,SAAS,gBAAgB,CAAC,KAAc;IACpC,IAAI,CAAC,KAAK,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC;QAAE,OAAO,KAAK,CAAC;IAC9E,MAAM,SAAS,GAAG,KAA6B,CAAC;IAChD,OAAO,OAAO,SAAS,CAAC,EAAE,KAAK,QAAQ,IAAI,MAAM,CAAC,QAAQ,CAAC,SAAS,CAAC,SAAS,CAAC,CAAC;AACpF,CAAC;AAED,MAAM,UAAU,mBAAmB,CAAC,SAAiB;IACjD,IAAI,CAAC,SAAS,EAAE,CAAC;QACb,OAAO,EAAE,CAAC;IACd,CAAC;IAED,IAAI,CAAC;QACD,MAAM,GAAG,GAAG,YAAY,CAAC,SAAS,EAAE,MAAM,CAAC,CAAC;QAC5C,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAY,CAAC;QAE1C,IAAI,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,EAAE,CAAC;YACxB,OAAO,MAAM,CAAC,MAAM,CAAC,gBAAgB,CAAC,CAAC;QAC3C,CAAC;QAED,IAAI,MAAM,IAAI,OAAO,MAAM,KAAK,QAAQ,IAAI,KAAK,CAAC,OAAO,CAAE,MAAkC,CAAC,OAAO,CAAC,EAAE,CAAC;YACrG,OAAQ,MAAiC,CAAC,OAAO,CAAC,MAAM,CAAC,gBAAgB,CAAC,CAAC;QAC/E,CAAC;QAED,OAAO,EAAE,CAAC;IACd,CAAC;IAAC,OAAO,KAAU,EAAE,CAAC;QAClB,IAAI,KAAK,EAAE,IAAI,KAAK,QAAQ,EAAE,CAAC;YAC3B,MAAM,CAAC,IAAI,CAAC,EAAE,SAAS,EAAE,KAAK,EAAE,KAAK,EAAE,OAAO,EAAE,EAAE,2DAA2D,CAAC,CAAC;QACnH,CAAC;QACD,OAAO,EAAE,CAAC;IACd,CAAC;AACL,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,gBAAgB,CAAC,SAAiB,EAAE,OAA+B;IACrF,IAAI,CAAC,SAAS,EAAE,CAAC;QACb,OAAO,IAAI,CAAC;IAChB,CAAC;IAED,IAAI,CAAC;QACD,MAAM,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,SAAS,CAAC,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;QAC1D,MAAM,SAAS,CAAC,SAAS,EAAE,GAAG,IAAI,CAAC,SAAS,CAAC,EAAE,OAAO,EAAE,EAAE,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC;QAChF,OAAO,IAAI,CAAC;IAChB,CAAC;IAAC,OAAO,KAAU,EAAE,CAAC;QAClB,MAAM,CAAC,IAAI,CAAC,EAAE,SAAS,EAAE,KAAK,EAAE,KAAK,EAAE,OAAO,EAAE,EAAE,qDAAqD,CAAC,CAAC;QACzG,OAAO,KAAK,CAAC;IACjB,CAAC;AACL,CAAC"}

package/dist/persistence/webhook-store.js

@@ -0,0 +1,69 @@
+import { mkdir, readFile, writeFile } from "node:fs/promises";
+import path from "node:path";
+import { logger } from "../logger.js";
+function isRecord(value) {
+    return typeof value === "object" && value !== null && !Array.isArray(value);
+}
+function isPersistedWebhook(value) {
+    if (!isRecord(value))
+        return false;
+    if (typeof value.id !== "string")
+        return false;
+    if (typeof value.timestamp !== "string")
+        return false;
+    if (typeof value.method !== "string")
+        return false;
+    if (!isRecord(value.headers))
+        return false;
+    if (!isRecord(value.query))
+        return false;
+    if (typeof value.ip !== "string")
+        return false;
+    return true;
+}
+function parseWebhookStore(payload) {
+    const hooksObject = isRecord(payload) && isRecord(payload.hooks)
+        ? payload.hooks
+        : isRecord(payload)
+            ? payload
+            : {};
+    const parsed = {};
+    for (const [hookId, entries] of Object.entries(hooksObject)) {
+        if (!Array.isArray(entries))
+            continue;
+        parsed[hookId] = entries.filter(isPersistedWebhook);
+    }
+    return parsed;
+}
+export async function loadWebhookStore(storePath) {
+    if (!storePath) {
+        return {};
+    }
+    try {
+        const raw = await readFile(storePath, "utf8");
+        return parseWebhookStore(JSON.parse(raw));
+    }
+    catch (error) {
+        if (error?.code === "ENOENT") {
+            return {};
+        }
+        logger.warn({ storePath, error: error?.message }, "Webhook store load failed; continuing with in-memory store");
+        return {};
+    }
+}
+export async function writeWebhookStore(storePath, store) {
+    if (!storePath) {
+        return true;
+    }
+    try {
+        await mkdir(path.dirname(storePath), { recursive: true });
+        const payload = JSON.stringify({ hooks: store }, null, 2);
+        await writeFile(storePath, `${payload}\n`, "utf8");
+        return true;
+    }
+    catch (error) {
+        logger.warn({ storePath, error: error?.message }, "Webhook store persist failed; keeping data in memory");
+        return false;
+    }
+}
+//# sourceMappingURL=webhook-store.js.map

package/dist/persistence/webhook-store.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"webhook-store.js","sourceRoot":"","sources":["../../src/persistence/webhook-store.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,KAAK,EAAE,QAAQ,EAAE,SAAS,EAAE,MAAM,kBAAkB,CAAC;AAC9D,OAAO,IAAI,MAAM,WAAW,CAAC;AAC7B,OAAO,EAAE,MAAM,EAAE,MAAM,cAAc,CAAC;AActC,SAAS,QAAQ,CAAC,KAAc;IAC5B,OAAO,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,KAAK,IAAI,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC;AAChF,CAAC;AAED,SAAS,kBAAkB,CAAC,KAAc;IACtC,IAAI,CAAC,QAAQ,CAAC,KAAK,CAAC;QAAE,OAAO,KAAK,CAAC;IACnC,IAAI,OAAO,KAAK,CAAC,EAAE,KAAK,QAAQ;QAAE,OAAO,KAAK,CAAC;IAC/C,IAAI,OAAO,KAAK,CAAC,SAAS,KAAK,QAAQ;QAAE,OAAO,KAAK,CAAC;IACtD,IAAI,OAAO,KAAK,CAAC,MAAM,KAAK,QAAQ;QAAE,OAAO,KAAK,CAAC;IACnD,IAAI,CAAC,QAAQ,CAAC,KAAK,CAAC,OAAO,CAAC;QAAE,OAAO,KAAK,CAAC;IAC3C,IAAI,CAAC,QAAQ,CAAC,KAAK,CAAC,KAAK,CAAC;QAAE,OAAO,KAAK,CAAC;IACzC,IAAI,OAAO,KAAK,CAAC,EAAE,KAAK,QAAQ;QAAE,OAAO,KAAK,CAAC;IAC/C,OAAO,IAAI,CAAC;AAChB,CAAC;AAED,SAAS,iBAAiB,CAAC,OAAgB;IACvC,MAAM,WAAW,GAAG,QAAQ,CAAC,OAAO,CAAC,IAAI,QAAQ,CAAC,OAAO,CAAC,KAAK,CAAC;QAC5D,CAAC,CAAC,OAAO,CAAC,KAAK;QACf,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC;YACf,CAAC,CAAC,OAAO;YACT,CAAC,CAAC,EAAE,CAAC;IAEb,MAAM,MAAM,GAA0B,EAAE,CAAC;IACzC,KAAK,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,WAAW,CAAC,EAAE,CAAC;QAC1D,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,OAAO,CAAC;YAAE,SAAS;QACtC,MAAM,CAAC,MAAM,CAAC,GAAG,OAAO,CAAC,MAAM,CAAC,kBAAkB,CAAC,CAAC;IACxD,CAAC;IACD,OAAO,MAAM,CAAC;AAClB,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,gBAAgB,CAAC,SAAiB;IACpD,IAAI,CAAC,SAAS,EAAE,CAAC;QACb,OAAO,EAAE,CAAC;IACd,CAAC;IAED,IAAI,CAAC;QACD,MAAM,GAAG,GAAG,MAAM,QAAQ,CAAC,SAAS,EAAE,MAAM,CAAC,CAAC;QAC9C,OAAO,iBAAiB,CAAC,IAAI,CAAC,KAAK,CAAC,GAAG,CAAY,CAAC,CAAC;IACzD,CAAC;IAAC,OAAO,KAAU,EAAE,CAAC;QAClB,IAAI,KAAK,EAAE,IAAI,KAAK,QAAQ,EAAE,CAAC;YAC3B,OAAO,EAAE,CAAC;QACd,CAAC;QAED,MAAM,CAAC,IAAI,CAAC,EAAE,SAAS,EAAE,KAAK,EAAE,KAAK,EAAE,OAAO,EAAE,EAAE,4DAA4D,CAAC,CAAC;QAChH,OAAO,EAAE,CAAC;IACd,CAAC;AACL,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,iBAAiB,CAAC,SAAiB,EAAE,KAA4B;IACnF,IAAI,CAAC,SAAS,EAAE,CAAC;QACb,OAAO,IAAI,CAAC;IAChB,CAAC;IAED,IAAI,CAAC;QACD,MAAM,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,SAAS,CAAC,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;QAC1D,MAAM,OAAO,GAAG,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,KAAK,EAAE,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC;QAC1D,MAAM,SAAS,CAAC,SAAS,EAAE,GAAG,OAAO,IAAI,EAAE,MAAM,CAAC,CAAC;QACnD,OAAO,IAAI,CAAC;IAChB,CAAC;IAAC,OAAO,KAAU,EAAE,CAAC;QAClB,MAAM,CAAC,IAAI,CAAC,EAAE,SAAS,EAAE,KAAK,EAAE,KAAK,EAAE,OAAO,EAAE,EAAE,sDAAsD,CAAC,CAAC;QAC1G,OAAO,KAAK,CAAC;IACjB,CAAC;AACL,CAAC"}

package/dist/proxy.js

@@ -0,0 +1,28 @@
+import axios from "axios";
+import { logger } from "./logger.js";
+export async function proxyHandler(req, res) {
+    const targetUrl = req.query.url;
+    if (!targetUrl) {
+        return res.status(400).json({ error: "Missing 'url' query parameter" });
+    }
+    try {
+        const response = await axios({
+            method: req.method,
+            url: targetUrl,
+            headers: req.headers,
+            data: req.body,
+            validateStatus: () => true, // Accept all status codes
+            timeout: 5000 // 5s timeout to prevent hanging
+        });
+        res.status(response.status).set(response.headers).send(response.data);
+    }
+    catch (error) {
+        logger.error({ err: error.message, url: targetUrl }, "Proxy request failed");
+        res.status(502).json({
+            error: "Proxy request failed",
+            message: error.message,
+            code: error.code
+        });
+    }
+}
+//# sourceMappingURL=proxy.js.map

package/dist/proxy.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"proxy.js","sourceRoot":"","sources":["../src/proxy.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,MAAM,OAAO,CAAC;AAC1B,OAAO,EAAE,MAAM,EAAE,MAAM,aAAa,CAAC;AAErC,MAAM,CAAC,KAAK,UAAU,YAAY,CAAC,GAAY,EAAE,GAAa;IAC1D,MAAM,SAAS,GAAG,GAAG,CAAC,KAAK,CAAC,GAAa,CAAC;IAE1C,IAAI,CAAC,SAAS,EAAE,CAAC;QACb,OAAO,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,+BAA+B,EAAE,CAAC,CAAC;IAC5E,CAAC;IAED,IAAI,CAAC;QACD,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC;YACzB,MAAM,EAAE,GAAG,CAAC,MAAM;YAClB,GAAG,EAAE,SAAS;YACd,OAAO,EAAE,GAAG,CAAC,OAAc;YAC3B,IAAI,EAAE,GAAG,CAAC,IAAI;YACd,cAAc,EAAE,GAAG,EAAE,CAAC,IAAI,EAAE,0BAA0B;YACtD,OAAO,EAAE,IAAI,CAAC,gCAAgC;SACjD,CAAC,CAAC;QAEH,GAAG,CAAC,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,GAAG,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;IAC1E,CAAC;IAAC,OAAO,KAAU,EAAE,CAAC;QAClB,MAAM,CAAC,KAAK,CAAC,EAAE,GAAG,EAAE,KAAK,CAAC,OAAO,EAAE,GAAG,EAAE,SAAS,EAAE,EAAE,sBAAsB,CAAC,CAAC;QAC7E,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;YACjB,KAAK,EAAE,sBAAsB;YAC7B,OAAO,EAAE,KAAK,CAAC,OAAO;YACtB,IAAI,EAAE,KAAK,CAAC,IAAI;SACnB,CAAC,CAAC;IACP,CAAC;AACL,CAAC"}

package/dist/ratelimit.js

@@ -0,0 +1,32 @@
+const WINDOW_MS = 60 * 1000; // 1 minute
+const MAX_REQUESTS = 10;
+const ipHits = new Map();
+export function rateLimitHandler(req, res) {
+    const ip = req.ip || "unknown";
+    const now = Date.now();
+    let record = ipHits.get(ip);
+    // Clean up expired or create new
+    if (!record || now > record.resetAt) {
+        record = { count: 0, resetAt: now + WINDOW_MS };
+        ipHits.set(ip, record);
+    }
+    record.count++;
+    const remaining = Math.max(0, MAX_REQUESTS - record.count);
+    const resetInSeconds = Math.ceil((record.resetAt - now) / 1000);
+    res.setHeader("X-RateLimit-Limit", MAX_REQUESTS);
+    res.setHeader("X-RateLimit-Remaining", remaining);
+    res.setHeader("X-RateLimit-Reset", resetInSeconds);
+    if (record.count > MAX_REQUESTS) {
+        return res.status(429).json({
+            error: "Too Many Requests",
+            message: `Rate limit of ${MAX_REQUESTS} requests per minute exceeded. Try again in ${resetInSeconds} seconds.`
+        });
+    }
+    res.json({
+        message: "Request accepted",
+        limit: MAX_REQUESTS,
+        remaining,
+        resetInSeconds
+    });
+}
+//# sourceMappingURL=ratelimit.js.map

package/dist/ratelimit.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"ratelimit.js","sourceRoot":"","sources":["../src/ratelimit.ts"],"names":[],"mappings":"AAEA,MAAM,SAAS,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC,WAAW;AACxC,MAAM,YAAY,GAAG,EAAE,CAAC;AACxB,MAAM,MAAM,GAAG,IAAI,GAAG,EAA8C,CAAC;AAErE,MAAM,UAAU,gBAAgB,CAAC,GAAY,EAAE,GAAa;IACxD,MAAM,EAAE,GAAG,GAAG,CAAC,EAAE,IAAI,SAAS,CAAC;IAC/B,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IAEvB,IAAI,MAAM,GAAG,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;IAE5B,iCAAiC;IACjC,IAAI,CAAC,MAAM,IAAI,GAAG,GAAG,MAAM,CAAC,OAAO,EAAE,CAAC;QAClC,MAAM,GAAG,EAAE,KAAK,EAAE,CAAC,EAAE,OAAO,EAAE,GAAG,GAAG,SAAS,EAAE,CAAC;QAChD,MAAM,CAAC,GAAG,CAAC,EAAE,EAAE,MAAM,CAAC,CAAC;IAC3B,CAAC;IAED,MAAM,CAAC,KAAK,EAAE,CAAC;IAEf,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,YAAY,GAAG,MAAM,CAAC,KAAK,CAAC,CAAC;IAC3D,MAAM,cAAc,GAAG,IAAI,CAAC,IAAI,CAAC,CAAC,MAAM,CAAC,OAAO,GAAG,GAAG,CAAC,GAAG,IAAI,CAAC,CAAC;IAEhE,GAAG,CAAC,SAAS,CAAC,mBAAmB,EAAE,YAAY,CAAC,CAAC;IACjD,GAAG,CAAC,SAAS,CAAC,uBAAuB,EAAE,SAAS,CAAC,CAAC;IAClD,GAAG,CAAC,SAAS,CAAC,mBAAmB,EAAE,cAAc,CAAC,CAAC;IAEnD,IAAI,MAAM,CAAC,KAAK,GAAG,YAAY,EAAE,CAAC;QAC9B,OAAO,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;YACxB,KAAK,EAAE,mBAAmB;YAC1B,OAAO,EAAE,iBAAiB,YAAY,+CAA+C,cAAc,WAAW;SACjH,CAAC,CAAC;IACP,CAAC;IAED,GAAG,CAAC,IAAI,CAAC;QACL,OAAO,EAAE,kBAAkB;QAC3B,KAAK,EAAE,YAAY;QACnB,SAAS;QACT,cAAc;KACjB,CAAC,CAAC;AACP,CAAC"}

package/dist/redteam.js

@@ -0,0 +1,442 @@
+import { request } from "undici";
+const PAYLOADS = {
+    xss: [
+        "<script>alert(1)</script>",
+        "javascript:alert(1)",
+        "<img src=x onerror=alert(1)>",
+        "<svg onload=alert(1)>",
+        "<body onload=alert('XSS')>",
+        "<iframe src=javascript:alert('XSS')>",
+        "<noscript><p title=\"</noscript><img src=x onerror=alert(1)>\">",
+    ],
+    sqli: [
+        "' OR '1'='1",
+        "UNION SELECT 1,2,3--",
+        "admin' --",
+        "1' OR '1'='1",
+        "1 UNION SELECT NULL,username,password FROM users--",
+        "1' AND SLEEP(5)--",
+        "1;DROP TABLE users--",
+        "1' AND 1=CONVERT(int,@@version)--",
+        "'/**/OR/**/'1'='1",
+        "' oR '1'='1",
+        "admin'--",
+    ],
+    pathtraversal: [
+        "../../etc/passwd",
+        "..\\windows\\win.ini",
+        "%2e%2e%2f%2e%2e%2fetc%2fpasswd",
+        "....//....//....//etc/passwd",
+        "../../etc/passwd%00.txt",
+    ],
+    cmdinjection: [
+        "; cat /etc/passwd",
+        "| whoami",
+        "$(whoami)",
+        "; whoami",
+        "; ls -la",
+        "| id",
+        "`whoami`",
+        "$(cat /etc/passwd)",
+        "; sleep 5",
+        "& whoami",
+        "&& ls",
+        "|| cat /etc/passwd",
+        ";WhOaMi",
+        ";w''hoami",
+        ";${IFS}whoami",
+    ],
+    nosqli: [
+        '{"$$gt": ""}',
+        '{"$$ne": null}',
+        '{"username":{"$$ne":null},"password":{"$$ne":null}}'
+    ],
+    business_logic: [
+        '{"codes":["SAVE10","SAVE20","SAVE30"]}',
+        '{"item_id":123,"quantity":-5}',
+        '{"amount":999999}',
+        '{"from":"victim","to":"attacker","points":999999}'
+    ],
+    api_abuse: [
+        '<?xml version="1.0"?><!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]><user><name>&xxe;</name></user>',
+        "http://169.254.169.254/latest/meta-data/",
+        '{"username":"test","password":"test","isAdmin":true}',
+        "query IntrospectionQuery { __schema { types { name } } }"
+    ]
+};
+const FUZZER_BLOCKED_STATUS_CODES = new Set([403, 406, 429, 500, 502, 503]);
+const VALIDATE_BLOCKED_STATUS_CODES = new Set([403, 406, 500]); // Preserve legacy validate endpoint behavior.
+const SUPPORTED_METHODS = new Set(["GET", "POST", "PUT", "PATCH", "DELETE", "HEAD", "OPTIONS"]);
+const BODY_METHODS = new Set(["POST", "PUT", "PATCH", "DELETE"]);
+const MAX_BODY_PREVIEW_CHARS = 8_000;
+const MAX_RESPONSE_CAPTURE_BYTES = 64 * 1024;
+const MAX_OUTBOUND_BODY_BYTES = 256 * 1024;
+const DEFAULT_TIMEOUT_MS = 5_000;
+const MIN_TIMEOUT_MS = 250;
+const MAX_TIMEOUT_MS = 20_000;
+const DEFAULT_ALLOWED_FUZZER_HOSTS = new Set(["localhost", "127.0.0.1", "::1"]);
+function isPlainObject(value) {
+    return typeof value === "object" && value !== null && !Array.isArray(value);
+}
+function isStringRecord(value) {
+    if (!isPlainObject(value))
+        return false;
+    return Object.values(value).every((entry) => typeof entry === "string");
+}
+function isPrimitiveRecord(value) {
+    if (!isPlainObject(value))
+        return false;
+    return Object.values(value).every((entry) => {
+        return typeof entry === "string" || typeof entry === "number" || typeof entry === "boolean";
+    });
+}
+function normalizeMethod(method) {
+    if (typeof method !== "string" || method.trim().length === 0) {
+        return "GET";
+    }
+    const normalized = method.trim().toUpperCase();
+    return SUPPORTED_METHODS.has(normalized) ? normalized : null;
+}
+function normalizeTimeout(timeoutMs) {
+    if (typeof timeoutMs !== "number" || Number.isNaN(timeoutMs)) {
+        return DEFAULT_TIMEOUT_MS;
+    }
+    return Math.max(MIN_TIMEOUT_MS, Math.min(MAX_TIMEOUT_MS, Math.floor(timeoutMs)));
+}
+function classifyFuzzerBlockedStatus(status) {
+    return FUZZER_BLOCKED_STATUS_CODES.has(status);
+}
+function classifyValidateBlockedStatus(status) {
+    return VALIDATE_BLOCKED_STATUS_CODES.has(status);
+}
+function buildPreview(bodyText) {
+    if (bodyText.length <= MAX_BODY_PREVIEW_CHARS)
+        return bodyText;
+    return `${bodyText.slice(0, MAX_BODY_PREVIEW_CHARS)}\n...[truncated]`;
+}
+function normalizeResponseHeaders(headers) {
+    const normalized = {};
+    for (const [key, value] of Object.entries(headers)) {
+        if (value === undefined)
+            continue;
+        normalized[key] = Array.isArray(value) ? value.join(", ") : value;
+    }
+    return normalized;
+}
+function normalizeHost(hostname) {
+    return hostname.trim().toLowerCase().replace(/^\[/, "").replace(/\]$/, "");
+}
+function isLoopbackIpv4Host(hostname) {
+    const match = hostname.match(/^127\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/);
+    if (!match)
+        return false;
+    return match.slice(1).every((octet) => {
+        const value = Number(octet);
+        return Number.isInteger(value) && value >= 0 && value <= 255;
+    });
+}
+function configuredAllowedFuzzerHosts() {
+    const allowed = new Set(DEFAULT_ALLOWED_FUZZER_HOSTS);
+    const raw = process.env.APPARATUS_FUZZER_ALLOWED_TARGETS;
+    if (!raw)
+        return allowed;
+    for (const candidate of raw.split(",")) {
+        const normalized = normalizeHost(candidate);
+        if (normalized.length > 0) {
+            allowed.add(normalized);
+        }
+    }
+    return allowed;
+}
+function isAllowedFuzzerTargetHost(hostname) {
+    const normalized = normalizeHost(hostname);
+    if (normalized.startsWith("::ffff:"))
+        return false;
+    if (normalized.includes(":") && normalized !== "::1")
+        return false;
+    if (isLoopbackIpv4Host(normalized))
+        return true;
+    return configuredAllowedFuzzerHosts().has(normalized);
+}
+function normalizePath(pathValue) {
+    const trimmed = pathValue.trim();
+    if (trimmed.length === 0)
+        return "/echo";
+    if (/^https?:\/\//i.test(trimmed) || trimmed.startsWith("//")) {
+        return null;
+    }
+    return trimmed.startsWith("/") ? trimmed : `/${trimmed}`;
+}
+function buildDefaultTarget(req) {
+    const port = req.socket.localPort;
+    if (typeof port === "number" && port > 0) {
+        return `${req.protocol}://127.0.0.1:${port}`;
+    }
+    return `${req.protocol}://127.0.0.1`;
+}
+function hasContentTypeHeader(headers) {
+    return Object.keys(headers).some((key) => key.toLowerCase() === "content-type");
+}
+async function readResponsePreview(body) {
+    if (!body) {
+        return { bodyPreview: "", bodyBytes: 0, truncated: false };
+    }
+    const chunks = [];
+    let totalBytes = 0;
+    let truncated = false;
+    for await (const chunk of body) {
+        const buffer = Buffer.from(chunk);
+        const remaining = MAX_RESPONSE_CAPTURE_BYTES - Math.min(totalBytes, MAX_RESPONSE_CAPTURE_BYTES);
+        if (remaining > 0) {
+            chunks.push(buffer.length <= remaining ? buffer : buffer.subarray(0, remaining));
+        }
+        totalBytes += buffer.length;
+        if (totalBytes >= MAX_RESPONSE_CAPTURE_BYTES) {
+            truncated = true;
+            break;
+        }
+    }
+    const previewText = Buffer.concat(chunks).toString("utf8");
+    const bodyPreview = buildPreview(previewText);
+    const readableBody = body;
+    if (truncated && typeof readableBody?.destroy === "function") {
+        readableBody.destroy();
+    }
+    return {
+        bodyPreview,
+        bodyBytes: totalBytes,
+        truncated,
+    };
+}
+function normalizeUpstreamError(error) {
+    const rawCode = isPlainObject(error) && typeof error.code === "string" ? error.code : "";
+    if (rawCode === "UND_ERR_HEADERS_TIMEOUT" || rawCode === "UND_ERR_BODY_TIMEOUT") {
+        return { code: "upstream_timeout", message: "Upstream request timed out." };
+    }
+    if (rawCode === "ENOTFOUND") {
+        return { code: "dns_resolution_failed", message: "Target hostname could not be resolved." };
+    }
+    if (rawCode === "ECONNREFUSED") {
+        return { code: "connection_refused", message: "Target refused the connection." };
+    }
+    return { code: "upstream_request_failed", message: "Upstream request failed." };
+}
+export async function redTeamFuzzerRunHandler(req, res) {
+    if (!isPlainObject(req.body)) {
+        return res.status(400).json({ error: "Invalid payload. Expected JSON object body." });
+    }
+    const payload = req.body;
+    const rawTarget = payload.target;
+    if (rawTarget !== undefined && (typeof rawTarget !== "string" || rawTarget.trim().length === 0)) {
+        return res.status(400).json({ error: "target must be a non-empty string when provided." });
+    }
+    const target = rawTarget?.trim() || buildDefaultTarget(req);
+    let targetUrl;
+    try {
+        targetUrl = new URL(target);
+    }
+    catch {
+        return res.status(400).json({ error: "target must be a valid URL." });
+    }
+    if (targetUrl.protocol !== "http:" && targetUrl.protocol !== "https:") {
+        return res.status(400).json({ error: "target protocol must be http or https." });
+    }
+    if (!isAllowedFuzzerTargetHost(targetUrl.hostname)) {
+        return res.status(400).json({
+            error: "target hostname is not allowed. Use localhost/127.0.0.1 or configure APPARATUS_FUZZER_ALLOWED_TARGETS.",
+        });
+    }
+    if (payload.path !== undefined && typeof payload.path !== "string") {
+        return res.status(400).json({ error: "path must be a string when provided." });
+    }
+    const path = normalizePath(payload.path ?? "/echo");
+    if (!path) {
+        return res.status(400).json({ error: "path must be a relative path and cannot include a scheme or host." });
+    }
+    const method = normalizeMethod(payload.method);
+    if (!method) {
+        return res.status(400).json({ error: `Unsupported method. Supported: ${Array.from(SUPPORTED_METHODS).join(", ")}` });
+    }
+    if (payload.headers !== undefined && !isStringRecord(payload.headers)) {
+        return res.status(400).json({ error: "headers must be an object of string values." });
+    }
+    if (payload.query !== undefined && !isPrimitiveRecord(payload.query)) {
+        return res.status(400).json({ error: "query must be an object with string/number/boolean values." });
+    }
+    const timeoutMs = normalizeTimeout(payload.timeoutMs);
+    const headers = { ...(payload.headers ?? {}) };
+    const runUrl = new URL(path, targetUrl);
+    if (payload.query) {
+        for (const [key, value] of Object.entries(payload.query)) {
+            runUrl.searchParams.set(key, String(value));
+        }
+    }
+    let outboundBody;
+    if (BODY_METHODS.has(method) && payload.body !== undefined) {
+        if (typeof payload.body === "string") {
+            outboundBody = payload.body;
+        }
+        else {
+            outboundBody = JSON.stringify(payload.body);
+            if (!hasContentTypeHeader(headers)) {
+                headers["Content-Type"] = "application/json";
+            }
+        }
+    }
+    if (outboundBody && Buffer.byteLength(outboundBody, "utf8") > MAX_OUTBOUND_BODY_BYTES) {
+        return res.status(400).json({ error: `body exceeds maximum size of ${MAX_OUTBOUND_BODY_BYTES} bytes.` });
+    }
+    const startedAt = Date.now();
+    try {
+        const upstream = await request(runUrl.toString(), {
+            method,
+            headers,
+            body: outboundBody,
+            headersTimeout: timeoutMs,
+            bodyTimeout: timeoutMs,
+        });
+        let preview = {
+            bodyPreview: "",
+            bodyBytes: 0,
+            truncated: false,
+        };
+        try {
+            preview = await readResponsePreview(upstream.body);
+        }
+        catch {
+            // Preserve upstream status/headers even if preview capture fails.
+            preview = {
+                bodyPreview: "",
+                bodyBytes: 0,
+                truncated: false,
+            };
+        }
+        const durationMs = Date.now() - startedAt;
+        const status = upstream.statusCode;
+        return res.json({
+            request: {
+                method,
+                url: runUrl.toString(),
+                timeoutMs,
+                hasBody: outboundBody !== undefined,
+            },
+            response: {
+                status,
+                blocked: classifyFuzzerBlockedStatus(status),
+                durationMs,
+                headers: normalizeResponseHeaders(upstream.headers),
+                // When truncated, this is bytes observed before capture stopped (lower bound of full body size).
+                bodyBytes: preview.bodyBytes,
+                bodyPreview: preview.bodyPreview,
+                bodyTruncated: preview.truncated,
+            },
+        });
+    }
+    catch (error) {
+        const durationMs = Date.now() - startedAt;
+        const normalizedError = normalizeUpstreamError(error);
+        return res.json({
+            request: {
+                method,
+                url: runUrl.toString(),
+                timeoutMs,
+                hasBody: outboundBody !== undefined,
+            },
+            response: {
+                status: null,
+                blocked: true,
+                durationMs,
+                error: normalizedError.message,
+                errorCode: normalizedError.code,
+                headers: {},
+                bodyBytes: 0,
+                bodyPreview: "",
+                bodyTruncated: false,
+            },
+        });
+    }
+}
+export async function redTeamValidateHandler(req, res) {
+    const queryTarget = req.query.target;
+    if (queryTarget !== undefined && typeof queryTarget !== "string") {
+        return res.status(400).json({ error: "target query parameter must be a string when provided." });
+    }
+    const targetBase = queryTarget?.trim() || buildDefaultTarget(req);
+    let targetBaseUrl;
+    try {
+        targetBaseUrl = new URL(targetBase);
+    }
+    catch {
+        return res.status(400).json({ error: "target must be a valid URL." });
+    }
+    if (targetBaseUrl.protocol !== "http:" && targetBaseUrl.protocol !== "https:") {
+        return res.status(400).json({ error: "target protocol must be http or https." });
+    }
+    if (!isAllowedFuzzerTargetHost(targetBaseUrl.hostname)) {
+        return res.status(400).json({
+            error: "target hostname is not allowed. Use localhost/127.0.0.1 or configure APPARATUS_FUZZER_ALLOWED_TARGETS.",
+        });
+    }
+    const queryPath = req.query.path;
+    if (queryPath !== undefined && typeof queryPath !== "string") {
+        return res.status(400).json({ error: "path query parameter must be a string when provided." });
+    }
+    const targetPath = normalizePath(queryPath ?? "/echo");
+    if (!targetPath) {
+        return res.status(400).json({ error: "path must be a relative path and cannot include a scheme or host." });
+    }
+    const method = normalizeMethod(req.query.method);
+    if (!method) {
+        return res.status(400).json({ error: `Unsupported method. Supported: ${Array.from(SUPPORTED_METHODS).join(", ")}` });
+    }
+    const results = [];
+    // Helper to test a payload
+    const testPayload = async (category, payload) => {
+        const url = new URL(targetPath, targetBaseUrl);
+        // Inject into Query Param "q"
+        url.searchParams.set("q", payload);
+        try {
+            const start = Date.now();
+            const { statusCode } = await request(url.toString(), {
+                method,
+                // Also inject into headers for good measure
+                headers: {
+                    "X-Payload": payload,
+                    "User-Agent": `RedTeam/1.0 (${category})`
+                }
+            });
+            const duration = Date.now() - start;
+            return {
+                category,
+                payload,
+                status: statusCode,
+                blocked: classifyValidateBlockedStatus(statusCode), // Preserve legacy validate semantics.
+                duration
+            };
+        }
+        catch (e) {
+            return {
+                category,
+                payload,
+                error: e.message,
+                blocked: true // Connection reset/timeout usually counts as "blocked" by network/WAF
+            };
+        }
+    };
+    // Run tests
+    for (const [category, payloads] of Object.entries(PAYLOADS)) {
+        for (const payload of payloads) {
+            results.push(await testPayload(category, payload));
+        }
+    }
+    res.json({
+        target: targetBase + targetPath,
+        summary: {
+            total: results.length,
+            blocked: results.filter(r => r.blocked).length,
+            passed: results.filter(r => !r.blocked).length
+        },
+        details: results
+    });
+}
+//# sourceMappingURL=redteam.js.map