@bquery/bquery 1.10.0 → 1.11.0

package/dist/{sanitize-B1V4JswB.js.map → sanitize-DOMkRO9G.js.map}

@@ -1 +1 @@
-{"version":3,"file":"sanitize-B1V4JswB.js","names":[],"sources":["../src/security/constants.ts","../src/security/sanitize-core.ts","../src/security/trusted-html.ts","../src/security/csp.ts","../src/security/trusted-types.ts","../src/security/sanitize.ts"],"sourcesContent":["/**\n * Security constants and safe lists.\n *\n * @module bquery/security\n */\n\n/**\n * Trusted Types policy name.\n */\nexport const POLICY_NAME = 'bquery-sanitizer';\n\n/**\n * Default allowed HTML tags considered safe.\n */\nexport const DEFAULT_ALLOWED_TAGS = new Set([\n  'a',\n  'abbr',\n  'address',\n  'article',\n  'aside',\n  'b',\n  'bdi',\n  'bdo',\n  'blockquote',\n  'br',\n  'button',\n  'caption',\n  'cite',\n  'code',\n  'col',\n  'colgroup',\n  'data',\n  'dd',\n  'del',\n  'details',\n  'dfn',\n  'div',\n  'dl',\n  'dt',\n  'em',\n  'figcaption',\n  'figure',\n  'footer',\n  'form',\n  'h1',\n  'h2',\n  'h3',\n  'h4',\n  'h5',\n  'h6',\n  'header',\n  'hgroup',\n  'hr',\n  'i',\n  'img',\n  'input',\n  'ins',\n  'kbd',\n  'label',\n  'legend',\n  'li',\n  'main',\n  'mark',\n  'nav',\n  'ol',\n  'optgroup',\n  'option',\n  'p',\n  'picture',\n  'pre',\n  'progress',\n  'q',\n  'rp',\n  'rt',\n  'ruby',\n  's',\n  'samp',\n  'section',\n  'select',\n  'small',\n  'source',\n  'span',\n  'strong',\n  'sub',\n  'summary',\n  'sup',\n  'table',\n  'tbody',\n  'td',\n  'textarea',\n  'tfoot',\n  'th',\n  'thead',\n  'time',\n  'tr',\n  'u',\n  'ul',\n  'var',\n  'wbr',\n]);\n\n/**\n * Explicitly dangerous tags that should never be allowed.\n * These are checked even if somehow added to allowTags.\n */\nexport const DANGEROUS_TAGS = new Set([\n  'script',\n  'iframe',\n  'frame',\n  'frameset',\n  'object',\n  'embed',\n  'applet',\n  'link',\n  'meta',\n  'style',\n  'base',\n  'template',\n  // 'slot' is intentionally excluded here so component shadow markup can opt in\n  // via sanitizeHtml(..., { allowTags: ['slot'] }). It remains disallowed by default\n  // for general HTML writes, because DEFAULT_ALLOWED_TAGS does not include it.\n  'math',\n  'svg',\n  'foreignobject',\n  'noscript',\n]);\n\n/**\n * Reserved IDs that could cause DOM clobbering attacks.\n * These are prevented to avoid overwriting global browser objects.\n */\nexport const RESERVED_IDS = new Set([\n  // Global objects\n  'document',\n  'window',\n  'location',\n  'top',\n  'self',\n  'parent',\n  'frames',\n  'history',\n  'navigator',\n  'screen',\n  // Dangerous functions\n  'alert',\n  'confirm',\n  'prompt',\n  'eval',\n  'function',\n  // Document properties\n  'cookie',\n  'domain',\n  'referrer',\n  'body',\n  'head',\n  'forms',\n  'images',\n  'links',\n  'scripts',\n  // DOM traversal properties\n  'children',\n  'parentnode',\n  'firstchild',\n  'lastchild',\n  // Content manipulation\n  'innerhtml',\n  'outerhtml',\n  'textcontent',\n]);\n\n/**\n * Default allowed attributes considered safe.\n * Note: 'style' is excluded by default because inline CSS can be abused for:\n * - UI redressing attacks\n * - Data exfiltration via url() in CSS\n * - CSS injection vectors\n * If you need to allow inline styles, add 'style' to allowAttributes in your\n * sanitizeHtml options, but ensure you implement proper CSS value validation.\n */\nexport const DEFAULT_ALLOWED_ATTRIBUTES = new Set([\n  'alt',\n  'class',\n  'dir',\n  'height',\n  'hidden',\n  'href',\n  'id',\n  'lang',\n  'loading',\n  'name',\n  'rel',\n  'role',\n  'src',\n  'srcset',\n  'tabindex',\n  'target',\n  'title',\n  'type',\n  'width',\n  'aria-*',\n]);\n\n/**\n * Dangerous attribute prefixes to always remove.\n */\nexport const DANGEROUS_ATTR_PREFIXES = ['on', 'formaction', 'xlink:', 'xmlns:'];\n\n/**\n * Dangerous URL protocols to block.\n */\nexport const DANGEROUS_PROTOCOLS = ['javascript:', 'data:', 'vbscript:', 'file:'];\n","/**\n * Core HTML sanitization logic.\n *\n * @module bquery/security\n * @internal\n */\n\nimport {\n  DANGEROUS_ATTR_PREFIXES,\n  DANGEROUS_PROTOCOLS,\n  DANGEROUS_TAGS,\n  DEFAULT_ALLOWED_ATTRIBUTES,\n  DEFAULT_ALLOWED_TAGS,\n  RESERVED_IDS,\n} from './constants';\nimport type { SanitizeOptions } from './types';\n\n/**\n * Check if an attribute name is allowed.\n * @internal\n */\nconst isAllowedAttribute = (\n  name: string,\n  allowedSet: Set<string>,\n  allowDataAttrs: boolean\n): boolean => {\n  const lowerName = name.toLowerCase();\n\n  // Check dangerous prefixes\n  for (const prefix of DANGEROUS_ATTR_PREFIXES) {\n    if (lowerName.startsWith(prefix)) return false;\n  }\n\n  // Check data attributes\n  if (allowDataAttrs && lowerName.startsWith('data-')) return true;\n\n  // Check aria attributes (allowed by default)\n  if (lowerName.startsWith('aria-')) return true;\n\n  // Check explicit allow list\n  return allowedSet.has(lowerName);\n};\n\n/**\n * Check if an ID/name value could cause DOM clobbering.\n * @internal\n */\nconst isSafeIdOrName = (value: string): boolean => {\n  const lowerValue = value.toLowerCase().trim();\n  return !RESERVED_IDS.has(lowerValue);\n};\n\n/**\n * Normalize URL by removing control characters, whitespace, and Unicode tricks.\n * Enhanced to prevent various bypass techniques.\n * @internal\n */\nconst normalizeUrl = (value: string): string =>\n  value\n    // Remove null bytes and control characters\n    .replace(/[\\u0000-\\u001F\\u007F]+/g, '')\n    // Remove zero-width characters that could hide malicious content\n    .replace(/[\\u200B-\\u200D\\uFEFF\\u2028\\u2029]+/g, '')\n    // Remove escaped Unicode sequences\n    .replace(/\\\\u[\\da-fA-F]{4}/g, '')\n    // Remove whitespace\n    .replace(/\\s+/g, '')\n    // Normalize case\n    .toLowerCase();\n\n/**\n * Check if a URL value is safe.\n * @internal\n */\nconst isSafeUrl = (value: string): boolean => {\n  const normalized = normalizeUrl(value);\n  for (const protocol of DANGEROUS_PROTOCOLS) {\n    if (normalized.startsWith(protocol)) return false;\n  }\n  return true;\n};\n\n/**\n * Check if a srcset attribute value is safe.\n * srcset contains comma-separated entries of \"url [descriptor]\".\n * Each individual URL must be validated.\n * @internal\n */\nconst isSafeSrcset = (value: string): boolean => {\n  const entries = value.split(',');\n  for (const entry of entries) {\n    const url = entry.trim().split(/\\s+/)[0];\n    if (url && !isSafeUrl(url)) return false;\n  }\n  return true;\n};\n\n/**\n * Check if a URL is external (different origin).\n * @internal\n */\nconst isExternalUrl = (url: string): boolean => {\n  try {\n    // Normalize URL by trimming whitespace\n    const trimmedUrl = url.trim();\n\n    // Protocol-relative URLs (//example.com) are always external.\n    // CRITICAL: This check must run before the relative-URL check below;\n    // otherwise, a protocol-relative URL like \"//evil.com\" would be treated\n    // as a non-http(s) relative URL and incorrectly classified as same-origin.\n    // Handling them up front guarantees correct security classification.\n    if (trimmedUrl.startsWith('//')) {\n      return true;\n    }\n\n    // Normalize URL for case-insensitive protocol checks\n    const lowerUrl = trimmedUrl.toLowerCase();\n\n    // Check for non-http(s) protocols which are considered external/special\n    // (mailto:, tel:, ftp:, etc.)\n    const hasProtocol = /^[a-z][a-z0-9+.-]*:/i.test(trimmedUrl);\n    if (hasProtocol && !lowerUrl.startsWith('http://') && !lowerUrl.startsWith('https://')) {\n      // These are special protocols, not traditional \"external\" links\n      // but we treat them as external for security consistency\n      return true;\n    }\n\n    // Relative URLs are not external\n    if (!lowerUrl.startsWith('http://') && !lowerUrl.startsWith('https://')) {\n      return false;\n    }\n\n    // In non-browser environments (e.g., Node.js), treat all absolute URLs as external\n    if (typeof window === 'undefined' || !window.location) {\n      return true;\n    }\n\n    const urlObj = new URL(trimmedUrl, window.location.href);\n    return urlObj.origin !== window.location.origin;\n  } catch {\n    // If URL parsing fails, treat as potentially external for safety\n    return true;\n  }\n};\n\n/**\n * Parse an HTML string into a Document using DOMParser.\n * This helper is intentionally separated to make the control-flow around HTML parsing\n * explicit for static analysis tools. It should ONLY be called when the input is\n * known to contain HTML syntax (angle brackets).\n *\n * DOMParser creates an inert document where scripts don't execute, making it safe\n * for parsing untrusted HTML that will subsequently be sanitized.\n *\n * @param htmlContent - A string that is known to contain HTML markup (has < or >)\n * @returns The parsed Document\n * @internal\n */\nconst parseHtmlDocument = (htmlContent: string): Document => {\n  const parser = new DOMParser();\n  // Parse as a full HTML document in an inert context; scripts won't execute\n  return parser.parseFromString(htmlContent, 'text/html');\n};\n\n/**\n * Safely parse HTML string into a DocumentFragment using DOMParser.\n * DOMParser is preferred over innerHTML for security as it creates an inert document\n * where scripts don't execute and provides better static analysis recognition.\n *\n * This function includes input normalization to satisfy static analysis tools:\n * - Coerces input to string and trims whitespace\n * - For plain text (no HTML tags), creates a Text node directly without parsing\n * - Only invokes DOMParser for actual HTML-like content via parseHtmlDocument\n *\n * The separation between plain text handling and HTML parsing is intentional:\n * DOM text that contains no HTML syntax is never fed into an HTML parser,\n * preventing \"DOM text reinterpreted as HTML\" issues.\n *\n * @internal\n */\nconst parseHtmlSafely = (html: string): DocumentFragment => {\n  // Step 1: Normalize input - coerce to string and trim\n  // This defensive check handles edge cases even though TypeScript says it's a string\n  const normalizedHtml = (typeof html === 'string' ? html : String(html ?? '')).trim();\n\n  // Step 2: Create the fragment that will hold our result\n  const fragment = document.createDocumentFragment();\n\n  // Step 3: Early return for empty input\n  if (normalizedHtml.length === 0) {\n    return fragment;\n  }\n\n  // Step 4: If input contains no angle brackets, it's plain text - no HTML parsing needed.\n  // Plain text is handled as a Text node, never passed to an HTML parser.\n  // This explicitly prevents \"DOM text reinterpreted as HTML\" for purely textual inputs.\n  const containsHtmlSyntax = normalizedHtml.includes('<') || normalizedHtml.includes('>');\n  if (!containsHtmlSyntax) {\n    fragment.appendChild(document.createTextNode(normalizedHtml));\n    return fragment;\n  }\n\n  // Step 5: Input contains HTML syntax - parse it via the dedicated HTML parsing helper.\n  // This separation makes the data-flow explicit: only strings with HTML syntax\n  // are passed to DOMParser, satisfying static analysis requirements.\n  const doc = parseHtmlDocument(normalizedHtml);\n\n  // Move all children from the document body into the fragment.\n  // This avoids interpolating untrusted HTML into an outer wrapper string.\n  const body = doc.body;\n\n  if (!body) {\n    return fragment;\n  }\n\n  while (body.firstChild) {\n    fragment.appendChild(body.firstChild);\n  }\n\n  return fragment;\n};\n\n/**\n * Core sanitization logic (without Trusted Types wrapper).\n * @internal\n */\nexport const sanitizeHtmlCore = (html: string, options: SanitizeOptions = {}): string => {\n  const {\n    allowTags = [],\n    allowAttributes = [],\n    allowDataAttributes = true,\n    stripAllTags = false,\n  } = options;\n\n  // Build combined allow sets (excluding dangerous tags even if specified)\n  const allowedTags = new Set(\n    [...DEFAULT_ALLOWED_TAGS, ...allowTags.map((t) => t.toLowerCase())].filter(\n      (tag) => !DANGEROUS_TAGS.has(tag)\n    )\n  );\n  const allowedAttrs = new Set([\n    ...DEFAULT_ALLOWED_ATTRIBUTES,\n    ...allowAttributes.map((a) => a.toLowerCase()),\n  ]);\n\n  // Use DOMParser for safe HTML parsing (inert context, no script execution)\n  const fragment = parseHtmlSafely(html);\n\n  if (stripAllTags) {\n    return fragment.textContent ?? '';\n  }\n\n  // Walk the DOM tree\n  const walker = document.createTreeWalker(fragment, NodeFilter.SHOW_ELEMENT);\n\n  const toRemove: Element[] = [];\n\n  while (walker.nextNode()) {\n    const el = walker.currentNode as Element;\n    const tagName = el.tagName.toLowerCase();\n\n    // Remove explicitly dangerous tags even if in allow list\n    if (DANGEROUS_TAGS.has(tagName)) {\n      toRemove.push(el);\n      continue;\n    }\n\n    // Remove disallowed tags entirely\n    if (!allowedTags.has(tagName)) {\n      toRemove.push(el);\n      continue;\n    }\n\n    // Process attributes\n    const attrsToRemove: string[] = [];\n    for (const attr of Array.from(el.attributes)) {\n      const attrName = attr.name.toLowerCase();\n\n      // Check if attribute is allowed\n      if (!isAllowedAttribute(attrName, allowedAttrs, allowDataAttributes)) {\n        attrsToRemove.push(attr.name);\n        continue;\n      }\n\n      // Check for DOM clobbering on id and name attributes\n      if ((attrName === 'id' || attrName === 'name') && !isSafeIdOrName(attr.value)) {\n        attrsToRemove.push(attr.name);\n        continue;\n      }\n\n      // Validate URL attributes\n      if (\n        (attrName === 'href' || attrName === 'src' || attrName === 'action') &&\n        !isSafeUrl(attr.value)\n      ) {\n        attrsToRemove.push(attr.name);\n        continue;\n      }\n\n      // Validate srcset URLs individually\n      if (attrName === 'srcset' && !isSafeSrcset(attr.value)) {\n        attrsToRemove.push(attr.name);\n      }\n    }\n\n    // Remove disallowed attributes\n    for (const attrName of attrsToRemove) {\n      el.removeAttribute(attrName);\n    }\n\n    // Add rel=\"noopener noreferrer\" to external links for security\n    if (tagName === 'a') {\n      const href = el.getAttribute('href');\n      const target = el.getAttribute('target');\n      const hasTargetBlank = target?.toLowerCase() === '_blank';\n      const isExternal = href && isExternalUrl(href);\n\n      // Add security attributes to links opening in new window or external links\n      if (hasTargetBlank || isExternal) {\n        const existingRel = el.getAttribute('rel');\n        const relValues = new Set(existingRel ? existingRel.split(/\\s+/).filter(Boolean) : []);\n\n        // Add noopener and noreferrer\n        relValues.add('noopener');\n        relValues.add('noreferrer');\n\n        el.setAttribute('rel', Array.from(relValues).join(' '));\n      }\n    }\n  }\n\n  // Remove disallowed elements\n  for (const el of toRemove) {\n    el.remove();\n  }\n\n  // Serialize the sanitized fragment to HTML string.\n  // We use a temporary container to get the innerHTML of the fragment.\n  const serializeFragment = (frag: DocumentFragment): string => {\n    const container = document.createElement('div');\n    container.appendChild(frag.cloneNode(true));\n    return container.innerHTML;\n  };\n\n  // Double-parse to prevent mutation XSS (mXSS).\n  // Browsers may normalize HTML during serialization in ways that could create\n  // new dangerous content when re-parsed. By re-parsing the sanitized output\n  // and verifying stability, we ensure the final HTML is safe.\n  const firstPass = serializeFragment(fragment);\n\n  // Re-parse through DOMParser for mXSS detection.\n  // Using DOMParser instead of innerHTML for security.\n  const verifyFragment = parseHtmlSafely(firstPass);\n  const secondPass = serializeFragment(verifyFragment);\n\n  // Verify stability: if content mutates between parses, it indicates mXSS attempt\n  if (firstPass !== secondPass) {\n    // Content mutated during re-parse - potential mXSS detected.\n    // Return safely escaped text content as fallback.\n    return fragment.textContent ?? '';\n  }\n\n  return secondPass;\n};\n","declare const sanitizedHtmlBrand: unique symbol;\nconst trustedHtmlBrand: unique symbol = Symbol('bquery.trusted-html.brand');\nconst TRUSTED_HTML_VALUE = Symbol('bquery.trusted-html');\n\n/**\n * Branded HTML string produced by bQuery's sanitization or escaping template helpers.\n *\n * Values returned from {@link sanitizeHtml} carry sanitized markup. Values returned from\n * {@link safeHtml} preserve the template's static markup while escaping normal interpolations\n * and splicing {@link trusted} fragments verbatim. This brand is not intended for arbitrary\n * strings or manual concatenation outside those helpers.\n */\nexport type SanitizedHtml = string & { readonly [sanitizedHtmlBrand]: true };\n\n/**\n * Marker object that safeHtml can splice into templates without escaping again.\n */\nexport type TrustedHtml = { readonly [trustedHtmlBrand]: true; toString(): string };\n\ntype TrustedHtmlValue = TrustedHtml & { readonly [TRUSTED_HTML_VALUE]: string };\n\n/**\n * Apply the internal {@link SanitizedHtml} brand to helper output.\n *\n * @internal\n */\nexport const toSanitizedHtml = (html: string): SanitizedHtml => html as SanitizedHtml;\n\n/**\n * Mark a sanitized HTML string for verbatim splicing into safeHtml templates.\n *\n * @param html - HTML previously produced by sanitizeHtml, safeHtml, or another trusted bQuery helper\n * @returns Trusted HTML marker object for safeHtml interpolations\n *\n * @example\n * ```ts\n * const badge = trusted(sanitizeHtml('<strong onclick=\"alert(1)\">New</strong>'));\n * const markup = safeHtml`<span>${badge}</span>`;\n * ```\n */\nexport const trusted = (html: SanitizedHtml): TrustedHtml => {\n  const value = String(html);\n  return Object.freeze({\n    [trustedHtmlBrand]: true as const,\n    [TRUSTED_HTML_VALUE]: value,\n    toString: () => value,\n  });\n};\n\n/**\n * Check whether a value is a trusted HTML marker created by trusted().\n *\n * @internal\n */\nexport const isTrustedHtml = (value: unknown): value is TrustedHtml => {\n  return (\n    typeof value === 'object' &&\n    value !== null &&\n    trustedHtmlBrand in value &&\n    TRUSTED_HTML_VALUE in value\n  );\n};\n\n/**\n * Unwrap the raw HTML string stored inside a trusted HTML marker.\n *\n * @internal\n */\nexport const unwrapTrustedHtml = (value: TrustedHtml): string => {\n  return (value as TrustedHtmlValue)[TRUSTED_HTML_VALUE];\n};\n","/**\n * Content Security Policy helpers.\n *\n * @module bquery/security\n */\n\n/** Maximum allowed nonce length to prevent memory issues */\nconst MAX_NONCE_LENGTH = 1024;\n\n/** Chunk size for building strings to avoid argument limit in String.fromCharCode */\nconst CHUNK_SIZE = 8192;\n\n/**\n * Generate a nonce for inline scripts/styles.\n * Use with Content-Security-Policy nonce directives.\n *\n * @param length - Nonce length in bytes (default: 16, max: 1024)\n * @returns Cryptographically random nonce string\n * @throws {Error} If crypto.getRandomValues or btoa are not available\n * @throws {RangeError} If length is invalid (negative, non-integer, or exceeds maximum)\n */\nexport const generateNonce = (length: number = 16): string => {\n  // Validate length parameter\n  if (!Number.isInteger(length) || length < 1) {\n    throw new RangeError('generateNonce length must be a positive integer');\n  }\n  if (length > MAX_NONCE_LENGTH) {\n    throw new RangeError(`generateNonce length must not exceed ${MAX_NONCE_LENGTH}`);\n  }\n\n  // Check for required globals in browser/crypto environments\n  if (\n    typeof globalThis.crypto === 'undefined' ||\n    typeof globalThis.crypto.getRandomValues !== 'function'\n  ) {\n    throw new Error(\n      'generateNonce requires crypto.getRandomValues (not available in this environment)'\n    );\n  }\n  if (typeof globalThis.btoa !== 'function') {\n    throw new Error('generateNonce requires btoa (not available in this environment)');\n  }\n\n  const array = new Uint8Array(length);\n  globalThis.crypto.getRandomValues(array);\n\n  // Build string in chunks to avoid argument limit in String.fromCharCode\n  let binaryString = '';\n  for (let i = 0; i < array.length; i += CHUNK_SIZE) {\n    const chunk = array.subarray(i, Math.min(i + CHUNK_SIZE, array.length));\n    binaryString += String.fromCharCode(...chunk);\n  }\n\n  return globalThis.btoa(binaryString).replace(/\\+/g, '-').replace(/\\//g, '_').replace(/=/g, '');\n};\n\n/**\n * Check if a CSP header is present with specific directive.\n * Useful for feature detection and fallback strategies.\n *\n * @param directive - The CSP directive to check (e.g., 'script-src')\n * @returns True if the directive appears to be enforced\n */\nexport const hasCSPDirective = (directive: string): boolean => {\n  // Guard for non-DOM environments (SSR, tests, etc.)\n  if (typeof document === 'undefined') {\n    return false;\n  }\n\n  // Check meta tag\n  const meta = document.querySelector('meta[http-equiv=\"Content-Security-Policy\"]');\n  if (meta) {\n    const content = meta.getAttribute('content') ?? '';\n    return content.includes(directive);\n  }\n  return false;\n};\n","/**\n * Trusted Types helpers for CSP compatibility.\n *\n * @module bquery/security\n */\n\nimport { POLICY_NAME } from './constants';\nimport { sanitizeHtmlCore } from './sanitize-core';\nimport type { TrustedHTML, TrustedTypePolicy, TrustedTypesWindow } from './types';\n\n/** Cached Trusted Types policy */\nlet cachedPolicy: TrustedTypePolicy | null = null;\n\n/** Whether policy initialization has been attempted (to avoid retry spam) */\nlet policyInitAttempted = false;\n\n/**\n * Check if Trusted Types API is available.\n * @returns True if Trusted Types are supported\n */\nexport const isTrustedTypesSupported = (): boolean => {\n  return (\n    typeof window !== 'undefined' &&\n    typeof (window as TrustedTypesWindow).trustedTypes !== 'undefined'\n  );\n};\n\n/**\n * Get or create the bQuery Trusted Types policy.\n * @returns The Trusted Types policy or null if unsupported\n */\nexport const getTrustedTypesPolicy = (): TrustedTypePolicy | null => {\n  if (cachedPolicy) return cachedPolicy;\n  if (policyInitAttempted) return null;\n\n  if (typeof window === 'undefined') return null;\n\n  const win = window as TrustedTypesWindow;\n  if (!win.trustedTypes) return null;\n\n  policyInitAttempted = true;\n\n  try {\n    cachedPolicy = win.trustedTypes.createPolicy(POLICY_NAME, {\n      createHTML: (input: string) => sanitizeHtmlCore(input),\n    });\n    return cachedPolicy;\n  } catch (error) {\n    // Policy may already exist or be blocked by CSP\n    const errorMessage = error instanceof Error ? error.message : String(error);\n    console.warn(`bQuery: Could not create Trusted Types policy \"${POLICY_NAME}\": ${errorMessage}`);\n    return null;\n  }\n};\n\n/**\n * Create a Trusted HTML value for use with Trusted Types-enabled sites.\n * Falls back to regular string when Trusted Types are unavailable.\n *\n * @param html - The HTML string to wrap\n * @returns Trusted HTML value or sanitized string\n */\nexport const createTrustedHtml = (html: string): TrustedHTML | string => {\n  const policy = getTrustedTypesPolicy();\n  if (policy) {\n    return policy.createHTML(html);\n  }\n  return sanitizeHtmlCore(html);\n};\n","/**\n * Security utilities for HTML sanitization.\n * All DOM writes are sanitized by default to prevent XSS attacks.\n *\n * @module bquery/security\n */\n\nimport { sanitizeHtmlCore } from './sanitize-core';\nimport { toSanitizedHtml } from './trusted-html';\nimport type { SanitizedHtml } from './trusted-html';\nimport type { SanitizeOptions } from './types';\nexport { generateNonce } from './csp';\nexport { isTrustedTypesSupported } from './trusted-types';\nexport { trusted } from './trusted-html';\nexport type { SanitizedHtml, TrustedHtml } from './trusted-html';\n\n/**\n * Sanitize HTML string, removing dangerous elements and attributes.\n * Uses Trusted Types when available for CSP compliance.\n *\n * @param html - The HTML string to sanitize\n * @param options - Sanitization options\n * @returns Sanitized HTML string\n *\n * @example\n * ```ts\n * const safe = sanitizeHtml('<div onclick=\"alert(1)\">Hello</div>');\n * // Returns: '<div>Hello</div>'\n * ```\n */\nexport const sanitizeHtml = (html: string, options: SanitizeOptions = {}): SanitizedHtml => {\n  return toSanitizedHtml(sanitizeHtmlCore(html, options));\n};\n\n/**\n * Escape HTML entities to prevent XSS.\n * Use this for displaying user content as text.\n *\n * @param text - The text to escape\n * @returns Escaped HTML string\n *\n * @example\n * ```ts\n * escapeHtml('<script>alert(1)</script>');\n * // Returns: '&lt;script&gt;alert(1)&lt;/script&gt;'\n * ```\n */\nexport const escapeHtml = (text: string): string => {\n  const escapeMap: Record<string, string> = {\n    '&': '&amp;',\n    '<': '&lt;',\n    '>': '&gt;',\n    '\"': '&quot;',\n    \"'\": '&#x27;',\n    '`': '&#x60;',\n  };\n  return text.replace(/[&<>\"'`]/g, (char) => escapeMap[char]);\n};\n\n/**\n * Strip all HTML tags and return plain text.\n *\n * @param html - The HTML string to strip\n * @returns Plain text content\n */\nexport const stripTags = (html: string): string => {\n  return sanitizeHtmlCore(html, { stripAllTags: true });\n};\n\nexport type { SanitizeOptions } from './types';\n"],"mappings":"AASA,IAAa,IAAc,oBAKd,IAAuB,oBAAI,IAAI;AAAA,EAC1C;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;CACD,GAMY,IAAiB,oBAAI,IAAI;AAAA,EACpC;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EAIA;AAAA,EACA;AAAA,EACA;AAAA,EACA;CACD,GAMY,IAAe,oBAAI,IAAI;AAAA,EAElC;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EAEA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EAEA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EAEA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EAEA;AAAA,EACA;AAAA,EACA;CACD,GAWY,IAA6B,oBAAI,IAAI;AAAA,EAChD;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;CACD,GAKY,IAA0B;AAAA,EAAC;AAAA,EAAM;AAAA,EAAc;AAAA,EAAU;GAKzD,IAAsB;AAAA,EAAC;AAAA,EAAe;AAAA,EAAS;AAAA,EAAa;GC7LnE,IAAA,CACJ,GACA,GACA,MACY;AACZ,QAAM,IAAY,EAAK,YAAA;AAGvB,aAAW,KAAU,EACnB,KAAI,EAAU,WAAW,CAAA,EAAS,QAAO;AAO3C,SAHI,KAAkB,EAAU,WAAW,OAAA,KAGvC,EAAU,WAAW,OAAA,IAAiB,KAGnC,EAAW,IAAI,CAAA;GAOlB,IAAA,CAAkB,MAA2B;AACjD,QAAM,IAAa,EAAM,YAAA,EAAc,KAAA;AACvC,SAAO,CAAC,EAAa,IAAI,CAAA;GAQrB,IAAA,CAAgB,MACpB,EAEG,QAAQ,2BAA2B,EAAA,EAEnC,QAAQ,uCAAuC,EAAA,EAE/C,QAAQ,qBAAqB,EAAA,EAE7B,QAAQ,QAAQ,EAAA,EAEhB,YAAA,GAMC,IAAA,CAAa,MAA2B;AAC5C,QAAM,IAAa,EAAa,CAAA;AAChC,aAAW,KAAY,EACrB,KAAI,EAAW,WAAW,CAAA,EAAW,QAAO;AAE9C,SAAO;GASH,IAAA,CAAgB,MAA2B;AAC/C,QAAM,IAAU,EAAM,MAAM,GAAA;AAC5B,aAAW,KAAS,GAAS;AAC3B,UAAM,IAAM,EAAM,KAAA,EAAO,MAAM,KAAA,EAAO,CAAA;AACtC,QAAI,KAAO,CAAC,EAAU,CAAA,EAAM,QAAO;AAAA;AAErC,SAAO;GAOH,IAAA,CAAiB,MAAyB;AAC9C,MAAI;AAEF,UAAM,IAAa,EAAI,KAAA;AAOvB,QAAI,EAAW,WAAW,IAAA,EACxB,QAAO;AAIT,UAAM,IAAW,EAAW,YAAA;AAK5B,WADoB,uBAAuB,KAAK,CAAA,KAC7B,CAAC,EAAS,WAAW,SAAA,KAAc,CAAC,EAAS,WAAW,UAAA,IAGlE,KAIL,CAAC,EAAS,WAAW,SAAA,KAAc,CAAC,EAAS,WAAW,UAAA,IACnD,KAIL,OAAO,SAAW,OAAe,CAAC,OAAO,WACpC,KAGM,IAAI,IAAI,GAAY,OAAO,SAAS,IAAA,EACrC,WAAW,OAAO,SAAS;AAAA,UACnC;AAEN,WAAO;AAAA;GAiBL,IAAA,CAAqB,MACV,IAAI,UAAA,EAEL,gBAAgB,GAAa,WAAA,GAmBvC,IAAA,CAAmB,MAAmC;AAG1D,QAAM,KAAkB,OAAO,KAAS,WAAW,IAAO,OAAO,KAAQ,EAAA,GAAK,KAAA,GAGxE,IAAW,SAAS,uBAAA;AAG1B,MAAI,EAAe,WAAW,EAC5B,QAAO;AAOT,MAAI,EADuB,EAAe,SAAS,GAAA,KAAQ,EAAe,SAAS,GAAA;AAEjF,WAAA,EAAS,YAAY,SAAS,eAAe,CAAA,CAAe,GACrD;AAUT,QAAM,IAJM,EAAkB,CAAA,EAIb;AAEjB,MAAI,CAAC,EACH,QAAO;AAGT,SAAO,EAAK,aACV,CAAA,EAAS,YAAY,EAAK,UAAA;AAG5B,SAAO;GAOI,IAAA,CAAoB,GAAc,IAA2B,CAAA,MAAe;AACvF,QAAM,EACJ,WAAA,IAAY,CAAA,GACZ,iBAAA,IAAkB,CAAA,GAClB,qBAAA,IAAsB,IACtB,cAAA,IAAe,GAAA,IACb,GAGE,IAAc,IAAI,IACtB,CAAC,GAAG,GAAsB,GAAG,EAAU,IAAA,CAAK,MAAM,EAAE,YAAA,CAAa,CAAC,EAAE,OAAA,CACjE,MAAQ,CAAC,EAAe,IAAI,CAAA,CAAI,CAClC,GAEG,IAAe,oBAAI,IAAI,CAC3B,GAAG,GACH,GAAG,EAAgB,IAAA,CAAK,MAAM,EAAE,YAAA,CAAa,CAAC,CAC/C,GAGK,IAAW,EAAgB,CAAA;AAEjC,MAAI,EACF,QAAO,EAAS,eAAe;AAIjC,QAAM,IAAS,SAAS,iBAAiB,GAAU,WAAW,YAAA,GAExD,IAAsB,CAAA;AAE5B,SAAO,EAAO,SAAA,KAAY;AACxB,UAAM,IAAK,EAAO,aACZ,IAAU,EAAG,QAAQ,YAAA;AAG3B,QAAI,EAAe,IAAI,CAAA,GAAU;AAC/B,MAAA,EAAS,KAAK,CAAA;AACd;AAAA;AAIF,QAAI,CAAC,EAAY,IAAI,CAAA,GAAU;AAC7B,MAAA,EAAS,KAAK,CAAA;AACd;AAAA;AAIF,UAAM,IAA0B,CAAA;AAChC,eAAW,KAAQ,MAAM,KAAK,EAAG,UAAA,GAAa;AAC5C,YAAM,IAAW,EAAK,KAAK,YAAA;AAG3B,UAAI,CAAC,EAAmB,GAAU,GAAc,CAAA,GAAsB;AACpE,QAAA,EAAc,KAAK,EAAK,IAAA;AACxB;AAAA;AAIF,WAAK,MAAa,QAAQ,MAAa,WAAW,CAAC,EAAe,EAAK,KAAA,GAAQ;AAC7E,QAAA,EAAc,KAAK,EAAK,IAAA;AACxB;AAAA;AAIF,WACG,MAAa,UAAU,MAAa,SAAS,MAAa,aAC3D,CAAC,EAAU,EAAK,KAAA,GAChB;AACA,QAAA,EAAc,KAAK,EAAK,IAAA;AACxB;AAAA;AAIF,MAAI,MAAa,YAAY,CAAC,EAAa,EAAK,KAAA,KAC9C,EAAc,KAAK,EAAK,IAAA;AAAA;AAK5B,eAAW,KAAY,EACrB,CAAA,EAAG,gBAAgB,CAAA;AAIrB,QAAI,MAAY,KAAK;AACnB,YAAM,IAAO,EAAG,aAAa,MAAA,GAEvB,IADS,EAAG,aAAa,QAAA,GACA,YAAA,MAAkB,UAC3C,IAAa,KAAQ,EAAc,CAAA;AAGzC,UAAI,KAAkB,GAAY;AAChC,cAAM,IAAc,EAAG,aAAa,KAAA,GAC9B,IAAY,IAAI,IAAI,IAAc,EAAY,MAAM,KAAA,EAAO,OAAO,OAAA,IAAW,CAAA,CAAE;AAGrF,QAAA,EAAU,IAAI,UAAA,GACd,EAAU,IAAI,YAAA,GAEd,EAAG,aAAa,OAAO,MAAM,KAAK,CAAA,EAAW,KAAK,GAAA,CAAI;AAAA;;;AAM5D,aAAW,KAAM,EACf,CAAA,EAAG,OAAA;AAKL,QAAM,IAAA,CAAqB,MAAmC;AAC5D,UAAM,IAAY,SAAS,cAAc,KAAA;AACzC,WAAA,EAAU,YAAY,EAAK,UAAU,EAAA,CAAK,GACnC,EAAU;AAAA,KAOb,IAAY,EAAkB,CAAA,GAK9B,IAAa,EADI,EAAgB,CAAA,CAAU;AAIjD,SAAI,MAAc,IAGT,EAAS,eAAe,KAG1B;GCzWH,IAAkC,uBAAO,2BAAA,GACzC,IAAqB,uBAAO,qBAAA,GAwBrB,IAAA,CAAmB,MAAgC,GAcnD,IAAA,CAAW,MAAqC;AAC3D,QAAM,IAAQ,OAAO,CAAA;AACrB,SAAO,OAAO,OAAO;AAAA,KAClB,CAAA,GAAmB;AAAA,KACnB,CAAA,GAAqB;AAAA,IACtB,UAAA,MAAgB;AAAA,GACjB;GAQU,IAAA,CAAiB,MAE1B,OAAO,KAAU,YACjB,MAAU,QACV,KAAoB,KACpB,KAAsB,GASb,IAAA,CAAqB,MACxB,EAA2B,CAAA,GC9D/B,IAAmB,MAGnB,IAAa,MAWN,IAAA,CAAiB,IAAiB,OAAe;AAE5D,MAAI,CAAC,OAAO,UAAU,CAAA,KAAW,IAAS,EACxC,OAAM,IAAI,WAAW,iDAAA;AAEvB,MAAI,IAAS,EACX,OAAM,IAAI,WAAW,wCAAwC,CAAA,EAAA;AAI/D,MACE,OAAO,WAAW,SAAW,OAC7B,OAAO,WAAW,OAAO,mBAAoB,WAE7C,OAAM,IAAI,MACR,mFAAA;AAGJ,MAAI,OAAO,WAAW,QAAS,WAC7B,OAAM,IAAI,MAAM,iEAAA;AAGlB,QAAM,IAAQ,IAAI,WAAW,CAAA;AAC7B,aAAW,OAAO,gBAAgB,CAAA;AAGlC,MAAI,IAAe;AACnB,WAAS,IAAI,GAAG,IAAI,EAAM,QAAQ,KAAK,GAAY;AACjD,UAAM,IAAQ,EAAM,SAAS,GAAG,KAAK,IAAI,IAAI,GAAY,EAAM,MAAA,CAAO;AACtE,IAAA,KAAgB,OAAO,aAAa,GAAG,CAAA;AAAA;AAGzC,SAAO,WAAW,KAAK,CAAA,EAAc,QAAQ,OAAO,GAAA,EAAK,QAAQ,OAAO,GAAA,EAAK,QAAQ,MAAM,EAAA;GAUhF,IAAA,CAAmB,MAA+B;AAE7D,MAAI,OAAO,WAAa,IACtB,QAAO;AAIT,QAAM,IAAO,SAAS,cAAc,4CAAA;AACpC,SAAI,KACc,EAAK,aAAa,SAAA,KAAc,IACjC,SAAS,CAAA,IAEnB;GChEL,IAAyC,MAGzC,IAAsB,IAMb,IAAA,MAET,OAAO,SAAW,OAClB,OAAQ,OAA8B,eAAiB,KAQ9C,IAAA,MAAwD;AACnE,MAAI,EAAc,QAAO;AAGzB,MAFI,KAEA,OAAO,SAAW,IAAa,QAAO;AAE1C,QAAM,IAAM;AACZ,MAAI,CAAC,EAAI,aAAc,QAAO;AAE9B,EAAA,IAAsB;AAEtB,MAAI;AACF,WAAA,IAAe,EAAI,aAAa,aAAa,GAAa,EACxD,YAAA,CAAa,MAAkB,EAAiB,CAAA,EAAM,CACvD,GACM;AAAA,WACA,GAAO;AAEd,UAAM,IAAe,aAAiB,QAAQ,EAAM,UAAU,OAAO,CAAA;AACrE,mBAAQ,KAAK,kDAAkD,CAAA,MAAiB,CAAA,EAAA,GACzE;AAAA;GAWE,IAAA,CAAqB,MAAuC;AACvE,QAAM,IAAS,EAAA;AACf,SAAI,IACK,EAAO,WAAW,CAAA,IAEpB,EAAiB,CAAA;GCrCb,IAAA,CAAgB,GAAc,IAA2B,CAAA,MAC7D,EAAgB,EAAiB,GAAM,CAAA,CAAQ,GAgB3C,KAAA,CAAc,MAAyB;AAClD,QAAM,IAAoC;AAAA,IACxC,KAAK;AAAA,IACL,KAAK;AAAA,IACL,KAAK;AAAA,IACL,KAAK;AAAA,IACL,KAAK;AAAA,IACL,KAAK;AAAA;AAEP,SAAO,EAAK,QAAQ,aAAA,CAAc,MAAS,EAAU,CAAA,CAAA;GAS1C,KAAA,CAAa,MACjB,EAAiB,GAAM,EAAE,cAAc,GAAA,CAAM"}
+{"version":3,"file":"sanitize-DOMkRO9G.js","names":[],"sources":["../src/security/constants.ts","../src/security/sanitize-core.ts","../src/security/trusted-html.ts","../src/security/csp.ts","../src/security/trusted-types.ts","../src/security/sanitize.ts"],"sourcesContent":["/**\n * Security constants and safe lists.\n *\n * @module bquery/security\n */\n\n/**\n * Trusted Types policy name.\n */\nexport const POLICY_NAME = 'bquery-sanitizer';\n\n/**\n * Default allowed HTML tags considered safe.\n */\nexport const DEFAULT_ALLOWED_TAGS = new Set([\n  'a',\n  'abbr',\n  'address',\n  'article',\n  'aside',\n  'b',\n  'bdi',\n  'bdo',\n  'blockquote',\n  'br',\n  'button',\n  'caption',\n  'cite',\n  'code',\n  'col',\n  'colgroup',\n  'data',\n  'dd',\n  'del',\n  'details',\n  'dfn',\n  'div',\n  'dl',\n  'dt',\n  'em',\n  'figcaption',\n  'figure',\n  'footer',\n  'form',\n  'h1',\n  'h2',\n  'h3',\n  'h4',\n  'h5',\n  'h6',\n  'header',\n  'hgroup',\n  'hr',\n  'i',\n  'img',\n  'input',\n  'ins',\n  'kbd',\n  'label',\n  'legend',\n  'li',\n  'main',\n  'mark',\n  'nav',\n  'ol',\n  'optgroup',\n  'option',\n  'p',\n  'picture',\n  'pre',\n  'progress',\n  'q',\n  'rp',\n  'rt',\n  'ruby',\n  's',\n  'samp',\n  'section',\n  'select',\n  'small',\n  'source',\n  'span',\n  'strong',\n  'sub',\n  'summary',\n  'sup',\n  'table',\n  'tbody',\n  'td',\n  'textarea',\n  'tfoot',\n  'th',\n  'thead',\n  'time',\n  'tr',\n  'u',\n  'ul',\n  'var',\n  'wbr',\n]);\n\n/**\n * Explicitly dangerous tags that should never be allowed.\n * These are checked even if somehow added to allowTags.\n */\nexport const DANGEROUS_TAGS = new Set([\n  'script',\n  'iframe',\n  'frame',\n  'frameset',\n  'object',\n  'embed',\n  'applet',\n  'link',\n  'meta',\n  'style',\n  'base',\n  'template',\n  // 'slot' is intentionally excluded here so component shadow markup can opt in\n  // via sanitizeHtml(..., { allowTags: ['slot'] }). It remains disallowed by default\n  // for general HTML writes, because DEFAULT_ALLOWED_TAGS does not include it.\n  'math',\n  'svg',\n  'foreignobject',\n  'noscript',\n]);\n\n/**\n * Reserved IDs that could cause DOM clobbering attacks.\n * These are prevented to avoid overwriting global browser objects.\n */\nexport const RESERVED_IDS = new Set([\n  // Global objects\n  'document',\n  'window',\n  'location',\n  'top',\n  'self',\n  'parent',\n  'frames',\n  'history',\n  'navigator',\n  'screen',\n  // Dangerous functions\n  'alert',\n  'confirm',\n  'prompt',\n  'eval',\n  'function',\n  // Document properties\n  'cookie',\n  'domain',\n  'referrer',\n  'body',\n  'head',\n  'forms',\n  'images',\n  'links',\n  'scripts',\n  // DOM traversal properties\n  'children',\n  'parentnode',\n  'firstchild',\n  'lastchild',\n  // Content manipulation\n  'innerhtml',\n  'outerhtml',\n  'textcontent',\n]);\n\n/**\n * Default allowed attributes considered safe.\n * Note: 'style' is excluded by default because inline CSS can be abused for:\n * - UI redressing attacks\n * - Data exfiltration via url() in CSS\n * - CSS injection vectors\n * If you need to allow inline styles, add 'style' to allowAttributes in your\n * sanitizeHtml options, but ensure you implement proper CSS value validation.\n */\nexport const DEFAULT_ALLOWED_ATTRIBUTES = new Set([\n  'alt',\n  'class',\n  'dir',\n  'height',\n  'hidden',\n  'href',\n  'id',\n  'lang',\n  'loading',\n  'name',\n  'rel',\n  'role',\n  'src',\n  'srcset',\n  'tabindex',\n  'target',\n  'title',\n  'type',\n  'width',\n  'aria-*',\n]);\n\n/**\n * Dangerous attribute prefixes to always remove.\n */\nexport const DANGEROUS_ATTR_PREFIXES = ['on', 'formaction', 'xlink:', 'xmlns:'];\n\n/**\n * Dangerous URL protocols to block.\n */\nexport const DANGEROUS_PROTOCOLS = ['javascript:', 'data:', 'vbscript:', 'file:'];\n","/**\n * Core HTML sanitization logic.\n *\n * @module bquery/security\n * @internal\n */\n\nimport {\n  DANGEROUS_ATTR_PREFIXES,\n  DANGEROUS_PROTOCOLS,\n  DANGEROUS_TAGS,\n  DEFAULT_ALLOWED_ATTRIBUTES,\n  DEFAULT_ALLOWED_TAGS,\n  RESERVED_IDS,\n} from './constants';\nimport type { SanitizeOptions } from './types';\n\n/**\n * Check if an attribute name is allowed.\n * @internal\n */\nconst isAllowedAttribute = (\n  name: string,\n  allowedSet: Set<string>,\n  allowDataAttrs: boolean\n): boolean => {\n  const lowerName = name.toLowerCase();\n\n  // Check dangerous prefixes\n  for (const prefix of DANGEROUS_ATTR_PREFIXES) {\n    if (lowerName.startsWith(prefix)) return false;\n  }\n\n  // Check data attributes\n  if (allowDataAttrs && lowerName.startsWith('data-')) return true;\n\n  // Check aria attributes (allowed by default)\n  if (lowerName.startsWith('aria-')) return true;\n\n  // Check explicit allow list\n  return allowedSet.has(lowerName);\n};\n\n/**\n * Check if an ID/name value could cause DOM clobbering.\n * @internal\n */\nconst isSafeIdOrName = (value: string): boolean => {\n  const lowerValue = value.toLowerCase().trim();\n  return !RESERVED_IDS.has(lowerValue);\n};\n\n/**\n * Normalize URL by removing control characters, whitespace, and Unicode tricks.\n * Enhanced to prevent various bypass techniques.\n * @internal\n */\nconst normalizeUrl = (value: string): string =>\n  value\n    // Remove null bytes and control characters\n    .replace(/[\\u0000-\\u001F\\u007F]+/g, '')\n    // Remove zero-width characters that could hide malicious content\n    .replace(/[\\u200B-\\u200D\\uFEFF\\u2028\\u2029]+/g, '')\n    // Remove escaped Unicode sequences\n    .replace(/\\\\u[\\da-fA-F]{4}/g, '')\n    // Remove whitespace\n    .replace(/\\s+/g, '')\n    // Normalize case\n    .toLowerCase();\n\n/**\n * Check if a URL value is safe.\n * @internal\n */\nconst isSafeUrl = (value: string): boolean => {\n  const normalized = normalizeUrl(value);\n  for (const protocol of DANGEROUS_PROTOCOLS) {\n    if (normalized.startsWith(protocol)) return false;\n  }\n  return true;\n};\n\n/**\n * Check if a srcset attribute value is safe.\n * srcset contains comma-separated entries of \"url [descriptor]\".\n * Each individual URL must be validated.\n * @internal\n */\nconst isSafeSrcset = (value: string): boolean => {\n  const entries = value.split(',');\n  for (const entry of entries) {\n    const url = entry.trim().split(/\\s+/)[0];\n    if (url && !isSafeUrl(url)) return false;\n  }\n  return true;\n};\n\n/**\n * Check if a URL is external (different origin).\n * @internal\n */\nconst isExternalUrl = (url: string): boolean => {\n  try {\n    // Normalize URL by trimming whitespace\n    const trimmedUrl = url.trim();\n\n    // Protocol-relative URLs (//example.com) are always external.\n    // CRITICAL: This check must run before the relative-URL check below;\n    // otherwise, a protocol-relative URL like \"//evil.com\" would be treated\n    // as a non-http(s) relative URL and incorrectly classified as same-origin.\n    // Handling them up front guarantees correct security classification.\n    if (trimmedUrl.startsWith('//')) {\n      return true;\n    }\n\n    // Normalize URL for case-insensitive protocol checks\n    const lowerUrl = trimmedUrl.toLowerCase();\n\n    // Check for non-http(s) protocols which are considered external/special\n    // (mailto:, tel:, ftp:, etc.)\n    const hasProtocol = /^[a-z][a-z0-9+.-]*:/i.test(trimmedUrl);\n    if (hasProtocol && !lowerUrl.startsWith('http://') && !lowerUrl.startsWith('https://')) {\n      // These are special protocols, not traditional \"external\" links\n      // but we treat them as external for security consistency\n      return true;\n    }\n\n    // Relative URLs are not external\n    if (!lowerUrl.startsWith('http://') && !lowerUrl.startsWith('https://')) {\n      return false;\n    }\n\n    // In non-browser environments (e.g., Node.js), treat all absolute URLs as external\n    if (typeof window === 'undefined' || !window.location) {\n      return true;\n    }\n\n    const urlObj = new URL(trimmedUrl, window.location.href);\n    return urlObj.origin !== window.location.origin;\n  } catch {\n    // If URL parsing fails, treat as potentially external for safety\n    return true;\n  }\n};\n\n/**\n * Parse an HTML string into a Document using DOMParser.\n * This helper is intentionally separated to make the control-flow around HTML parsing\n * explicit for static analysis tools. It should ONLY be called when the input is\n * known to contain HTML syntax (angle brackets).\n *\n * DOMParser creates an inert document where scripts don't execute, making it safe\n * for parsing untrusted HTML that will subsequently be sanitized.\n *\n * @param htmlContent - A string that is known to contain HTML markup (has < or >)\n * @returns The parsed Document\n * @internal\n */\nconst parseHtmlDocument = (htmlContent: string): Document => {\n  const parser = new DOMParser();\n  // Parse as a full HTML document in an inert context; scripts won't execute\n  return parser.parseFromString(htmlContent, 'text/html');\n};\n\n/**\n * Safely parse HTML string into a DocumentFragment using DOMParser.\n * DOMParser is preferred over innerHTML for security as it creates an inert document\n * where scripts don't execute and provides better static analysis recognition.\n *\n * This function includes input normalization to satisfy static analysis tools:\n * - Coerces input to string and trims whitespace\n * - For plain text (no HTML tags), creates a Text node directly without parsing\n * - Only invokes DOMParser for actual HTML-like content via parseHtmlDocument\n *\n * The separation between plain text handling and HTML parsing is intentional:\n * DOM text that contains no HTML syntax is never fed into an HTML parser,\n * preventing \"DOM text reinterpreted as HTML\" issues.\n *\n * @internal\n */\nconst parseHtmlSafely = (html: string): DocumentFragment => {\n  // Step 1: Normalize input - coerce to string and trim\n  // This defensive check handles edge cases even though TypeScript says it's a string\n  const normalizedHtml = (typeof html === 'string' ? html : String(html ?? '')).trim();\n\n  // Step 2: Create the fragment that will hold our result\n  const fragment = document.createDocumentFragment();\n\n  // Step 3: Early return for empty input\n  if (normalizedHtml.length === 0) {\n    return fragment;\n  }\n\n  // Step 4: If input contains no angle brackets, it's plain text - no HTML parsing needed.\n  // Plain text is handled as a Text node, never passed to an HTML parser.\n  // This explicitly prevents \"DOM text reinterpreted as HTML\" for purely textual inputs.\n  const containsHtmlSyntax = normalizedHtml.includes('<') || normalizedHtml.includes('>');\n  if (!containsHtmlSyntax) {\n    fragment.appendChild(document.createTextNode(normalizedHtml));\n    return fragment;\n  }\n\n  // Step 5: Input contains HTML syntax - parse it via the dedicated HTML parsing helper.\n  // This separation makes the data-flow explicit: only strings with HTML syntax\n  // are passed to DOMParser, satisfying static analysis requirements.\n  const doc = parseHtmlDocument(normalizedHtml);\n\n  // Move all children from the document body into the fragment.\n  // This avoids interpolating untrusted HTML into an outer wrapper string.\n  const body = doc.body;\n\n  if (!body) {\n    return fragment;\n  }\n\n  while (body.firstChild) {\n    fragment.appendChild(body.firstChild);\n  }\n\n  return fragment;\n};\n\n/**\n * Core sanitization logic (without Trusted Types wrapper).\n * @internal\n */\nexport const sanitizeHtmlCore = (html: string, options: SanitizeOptions = {}): string => {\n  const {\n    allowTags = [],\n    allowAttributes = [],\n    allowDataAttributes = true,\n    stripAllTags = false,\n  } = options;\n\n  // Build combined allow sets (excluding dangerous tags even if specified)\n  const allowedTags = new Set(\n    [...DEFAULT_ALLOWED_TAGS, ...allowTags.map((t) => t.toLowerCase())].filter(\n      (tag) => !DANGEROUS_TAGS.has(tag)\n    )\n  );\n  const allowedAttrs = new Set([\n    ...DEFAULT_ALLOWED_ATTRIBUTES,\n    ...allowAttributes.map((a) => a.toLowerCase()),\n  ]);\n\n  // Use DOMParser for safe HTML parsing (inert context, no script execution)\n  const fragment = parseHtmlSafely(html);\n\n  if (stripAllTags) {\n    return fragment.textContent ?? '';\n  }\n\n  // Walk the DOM tree\n  const walker = document.createTreeWalker(fragment, NodeFilter.SHOW_ELEMENT);\n\n  const toRemove: Element[] = [];\n\n  while (walker.nextNode()) {\n    const el = walker.currentNode as Element;\n    const tagName = el.tagName.toLowerCase();\n\n    // Remove explicitly dangerous tags even if in allow list\n    if (DANGEROUS_TAGS.has(tagName)) {\n      toRemove.push(el);\n      continue;\n    }\n\n    // Remove disallowed tags entirely\n    if (!allowedTags.has(tagName)) {\n      toRemove.push(el);\n      continue;\n    }\n\n    // Process attributes\n    const attrsToRemove: string[] = [];\n    for (const attr of Array.from(el.attributes)) {\n      const attrName = attr.name.toLowerCase();\n\n      // Check if attribute is allowed\n      if (!isAllowedAttribute(attrName, allowedAttrs, allowDataAttributes)) {\n        attrsToRemove.push(attr.name);\n        continue;\n      }\n\n      // Check for DOM clobbering on id and name attributes\n      if ((attrName === 'id' || attrName === 'name') && !isSafeIdOrName(attr.value)) {\n        attrsToRemove.push(attr.name);\n        continue;\n      }\n\n      // Validate URL attributes\n      if (\n        (attrName === 'href' || attrName === 'src' || attrName === 'action') &&\n        !isSafeUrl(attr.value)\n      ) {\n        attrsToRemove.push(attr.name);\n        continue;\n      }\n\n      // Validate srcset URLs individually\n      if (attrName === 'srcset' && !isSafeSrcset(attr.value)) {\n        attrsToRemove.push(attr.name);\n      }\n    }\n\n    // Remove disallowed attributes\n    for (const attrName of attrsToRemove) {\n      el.removeAttribute(attrName);\n    }\n\n    // Add rel=\"noopener noreferrer\" to external links for security\n    if (tagName === 'a') {\n      const href = el.getAttribute('href');\n      const target = el.getAttribute('target');\n      const hasTargetBlank = target?.toLowerCase() === '_blank';\n      const isExternal = href && isExternalUrl(href);\n\n      // Add security attributes to links opening in new window or external links\n      if (hasTargetBlank || isExternal) {\n        const existingRel = el.getAttribute('rel');\n        const relValues = new Set(existingRel ? existingRel.split(/\\s+/).filter(Boolean) : []);\n\n        // Add noopener and noreferrer\n        relValues.add('noopener');\n        relValues.add('noreferrer');\n\n        el.setAttribute('rel', Array.from(relValues).join(' '));\n      }\n    }\n  }\n\n  // Remove disallowed elements\n  for (const el of toRemove) {\n    el.remove();\n  }\n\n  // Serialize the sanitized fragment to HTML string.\n  // We use a temporary container to get the innerHTML of the fragment.\n  const serializeFragment = (frag: DocumentFragment): string => {\n    const container = document.createElement('div');\n    container.appendChild(frag.cloneNode(true));\n    return container.innerHTML;\n  };\n\n  // Double-parse to prevent mutation XSS (mXSS).\n  // Browsers may normalize HTML during serialization in ways that could create\n  // new dangerous content when re-parsed. By re-parsing the sanitized output\n  // and verifying stability, we ensure the final HTML is safe.\n  const firstPass = serializeFragment(fragment);\n\n  // Re-parse through DOMParser for mXSS detection.\n  // Using DOMParser instead of innerHTML for security.\n  const verifyFragment = parseHtmlSafely(firstPass);\n  const secondPass = serializeFragment(verifyFragment);\n\n  // Verify stability: if content mutates between parses, it indicates mXSS attempt\n  if (firstPass !== secondPass) {\n    // Content mutated during re-parse - potential mXSS detected.\n    // Return safely escaped text content as fallback.\n    return fragment.textContent ?? '';\n  }\n\n  return secondPass;\n};\n","declare const sanitizedHtmlBrand: unique symbol;\nconst trustedHtmlBrand: unique symbol = Symbol('bquery.trusted-html.brand');\nconst TRUSTED_HTML_VALUE = Symbol('bquery.trusted-html');\n\n/**\n * Branded HTML string produced by bQuery's sanitization or escaping template helpers.\n *\n * Values returned from {@link sanitizeHtml} carry sanitized markup. Values returned from\n * {@link safeHtml} preserve the template's static markup while escaping normal interpolations\n * and splicing {@link trusted} fragments verbatim. This brand is not intended for arbitrary\n * strings or manual concatenation outside those helpers.\n */\nexport type SanitizedHtml = string & { readonly [sanitizedHtmlBrand]: true };\n\n/**\n * Marker object that safeHtml can splice into templates without escaping again.\n */\nexport type TrustedHtml = { readonly [trustedHtmlBrand]: true; toString(): string };\n\ntype TrustedHtmlValue = TrustedHtml & { readonly [TRUSTED_HTML_VALUE]: string };\n\n/**\n * Apply the internal {@link SanitizedHtml} brand to helper output.\n *\n * @internal\n */\nexport const toSanitizedHtml = (html: string): SanitizedHtml => html as SanitizedHtml;\n\n/**\n * Mark a sanitized HTML string for verbatim splicing into safeHtml templates.\n *\n * @param html - HTML previously produced by sanitizeHtml, safeHtml, or another trusted bQuery helper\n * @returns Trusted HTML marker object for safeHtml interpolations\n *\n * @example\n * ```ts\n * const badge = trusted(sanitizeHtml('<strong onclick=\"alert(1)\">New</strong>'));\n * const markup = safeHtml`<span>${badge}</span>`;\n * ```\n */\nexport const trusted = (html: SanitizedHtml): TrustedHtml => {\n  const value = String(html);\n  return Object.freeze({\n    [trustedHtmlBrand]: true as const,\n    [TRUSTED_HTML_VALUE]: value,\n    toString: () => value,\n  });\n};\n\n/**\n * Check whether a value is a trusted HTML marker created by trusted().\n *\n * @internal\n */\nexport const isTrustedHtml = (value: unknown): value is TrustedHtml => {\n  return (\n    typeof value === 'object' &&\n    value !== null &&\n    trustedHtmlBrand in value &&\n    TRUSTED_HTML_VALUE in value\n  );\n};\n\n/**\n * Unwrap the raw HTML string stored inside a trusted HTML marker.\n *\n * @internal\n */\nexport const unwrapTrustedHtml = (value: TrustedHtml): string => {\n  return (value as TrustedHtmlValue)[TRUSTED_HTML_VALUE];\n};\n","/**\n * Content Security Policy helpers.\n *\n * @module bquery/security\n */\n\n/** Maximum allowed nonce length to prevent memory issues */\nconst MAX_NONCE_LENGTH = 1024;\n\n/** Chunk size for building strings to avoid argument limit in String.fromCharCode */\nconst CHUNK_SIZE = 8192;\n\n/**\n * Generate a nonce for inline scripts/styles.\n * Use with Content-Security-Policy nonce directives.\n *\n * @param length - Nonce length in bytes (default: 16, max: 1024)\n * @returns Cryptographically random nonce string\n * @throws {Error} If crypto.getRandomValues or btoa are not available\n * @throws {RangeError} If length is invalid (negative, non-integer, or exceeds maximum)\n */\nexport const generateNonce = (length: number = 16): string => {\n  // Validate length parameter\n  if (!Number.isInteger(length) || length < 1) {\n    throw new RangeError('generateNonce length must be a positive integer');\n  }\n  if (length > MAX_NONCE_LENGTH) {\n    throw new RangeError(`generateNonce length must not exceed ${MAX_NONCE_LENGTH}`);\n  }\n\n  // Check for required globals in browser/crypto environments\n  if (\n    typeof globalThis.crypto === 'undefined' ||\n    typeof globalThis.crypto.getRandomValues !== 'function'\n  ) {\n    throw new Error(\n      'generateNonce requires crypto.getRandomValues (not available in this environment)'\n    );\n  }\n  if (typeof globalThis.btoa !== 'function') {\n    throw new Error('generateNonce requires btoa (not available in this environment)');\n  }\n\n  const array = new Uint8Array(length);\n  globalThis.crypto.getRandomValues(array);\n\n  // Build string in chunks to avoid argument limit in String.fromCharCode\n  let binaryString = '';\n  for (let i = 0; i < array.length; i += CHUNK_SIZE) {\n    const chunk = array.subarray(i, Math.min(i + CHUNK_SIZE, array.length));\n    binaryString += String.fromCharCode(...chunk);\n  }\n\n  return globalThis.btoa(binaryString).replace(/\\+/g, '-').replace(/\\//g, '_').replace(/=/g, '');\n};\n\n/**\n * Check if a CSP header is present with specific directive.\n * Useful for feature detection and fallback strategies.\n *\n * @param directive - The CSP directive to check (e.g., 'script-src')\n * @returns True if the directive appears to be enforced\n */\nexport const hasCSPDirective = (directive: string): boolean => {\n  // Guard for non-DOM environments (SSR, tests, etc.)\n  if (typeof document === 'undefined') {\n    return false;\n  }\n\n  // Check meta tag\n  const meta = document.querySelector('meta[http-equiv=\"Content-Security-Policy\"]');\n  if (meta) {\n    const content = meta.getAttribute('content') ?? '';\n    return content.includes(directive);\n  }\n  return false;\n};\n","/**\n * Trusted Types helpers for CSP compatibility.\n *\n * @module bquery/security\n */\n\nimport { POLICY_NAME } from './constants';\nimport { sanitizeHtmlCore } from './sanitize-core';\nimport type { TrustedHTML, TrustedTypePolicy, TrustedTypesWindow } from './types';\n\n/** Cached Trusted Types policy */\nlet cachedPolicy: TrustedTypePolicy | null = null;\n\n/** Whether policy initialization has been attempted (to avoid retry spam) */\nlet policyInitAttempted = false;\n\n/**\n * Check if Trusted Types API is available.\n * @returns True if Trusted Types are supported\n */\nexport const isTrustedTypesSupported = (): boolean => {\n  return (\n    typeof window !== 'undefined' &&\n    typeof (window as TrustedTypesWindow).trustedTypes !== 'undefined'\n  );\n};\n\n/**\n * Get or create the bQuery Trusted Types policy.\n * @returns The Trusted Types policy or null if unsupported\n */\nexport const getTrustedTypesPolicy = (): TrustedTypePolicy | null => {\n  if (cachedPolicy) return cachedPolicy;\n  if (policyInitAttempted) return null;\n\n  if (typeof window === 'undefined') return null;\n\n  const win = window as TrustedTypesWindow;\n  if (!win.trustedTypes) return null;\n\n  policyInitAttempted = true;\n\n  try {\n    cachedPolicy = win.trustedTypes.createPolicy(POLICY_NAME, {\n      createHTML: (input: string) => sanitizeHtmlCore(input),\n    });\n    return cachedPolicy;\n  } catch (error) {\n    // Policy may already exist or be blocked by CSP\n    const errorMessage = error instanceof Error ? error.message : String(error);\n    console.warn(`bQuery: Could not create Trusted Types policy \"${POLICY_NAME}\": ${errorMessage}`);\n    return null;\n  }\n};\n\n/**\n * Create a Trusted HTML value for use with Trusted Types-enabled sites.\n * Falls back to regular string when Trusted Types are unavailable.\n *\n * @param html - The HTML string to wrap\n * @returns Trusted HTML value or sanitized string\n */\nexport const createTrustedHtml = (html: string): TrustedHTML | string => {\n  const policy = getTrustedTypesPolicy();\n  if (policy) {\n    return policy.createHTML(html);\n  }\n  return sanitizeHtmlCore(html);\n};\n","/**\n * Security utilities for HTML sanitization.\n * All DOM writes are sanitized by default to prevent XSS attacks.\n *\n * @module bquery/security\n */\n\nimport { sanitizeHtmlCore } from './sanitize-core';\nimport { toSanitizedHtml } from './trusted-html';\nimport type { SanitizedHtml } from './trusted-html';\nimport type { SanitizeOptions } from './types';\nexport { generateNonce } from './csp';\nexport { isTrustedTypesSupported } from './trusted-types';\nexport { trusted } from './trusted-html';\nexport type { SanitizedHtml, TrustedHtml } from './trusted-html';\n\n/**\n * Sanitize HTML string, removing dangerous elements and attributes.\n * Uses Trusted Types when available for CSP compliance.\n *\n * @param html - The HTML string to sanitize\n * @param options - Sanitization options\n * @returns Sanitized HTML string\n *\n * @example\n * ```ts\n * const safe = sanitizeHtml('<div onclick=\"alert(1)\">Hello</div>');\n * // Returns: '<div>Hello</div>'\n * ```\n */\nexport const sanitizeHtml = (html: string, options: SanitizeOptions = {}): SanitizedHtml => {\n  return toSanitizedHtml(sanitizeHtmlCore(html, options));\n};\n\n/**\n * Escape HTML entities to prevent XSS.\n * Use this for displaying user content as text.\n *\n * @param text - The text to escape\n * @returns Escaped HTML string\n *\n * @example\n * ```ts\n * escapeHtml('<script>alert(1)</script>');\n * // Returns: '&lt;script&gt;alert(1)&lt;/script&gt;'\n * ```\n */\nexport const escapeHtml = (text: string): string => {\n  const escapeMap: Record<string, string> = {\n    '&': '&amp;',\n    '<': '&lt;',\n    '>': '&gt;',\n    '\"': '&quot;',\n    \"'\": '&#x27;',\n    '`': '&#x60;',\n  };\n  return text.replace(/[&<>\"'`]/g, (char) => escapeMap[char]);\n};\n\n/**\n * Strip all HTML tags and return plain text.\n *\n * @param html - The HTML string to strip\n * @returns Plain text content\n */\nexport const stripTags = (html: string): string => {\n  return sanitizeHtmlCore(html, { stripAllTags: true });\n};\n\nexport type { SanitizeOptions } from './types';\n"],"mappings":"AASA,IAAa,IAAc,oBAKd,IAAuB,oBAAI,IAAI;AAAA,EAC1C;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;CACD,GAMY,IAAiB,oBAAI,IAAI;AAAA,EACpC;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EAIA;AAAA,EACA;AAAA,EACA;AAAA,EACA;CACD,GAMY,IAAe,oBAAI,IAAI;AAAA,EAElC;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EAEA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EAEA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EAEA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EAEA;AAAA,EACA;AAAA,EACA;CACD,GAWY,IAA6B,oBAAI,IAAI;AAAA,EAChD;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;CACD,GAKY,IAA0B;AAAA,EAAC;AAAA,EAAM;AAAA,EAAc;AAAA,EAAU;GAKzD,IAAsB;AAAA,EAAC;AAAA,EAAe;AAAA,EAAS;AAAA,EAAa;GC7LnE,IAAA,CACJ,GACA,GACA,MACY;AACZ,QAAM,IAAY,EAAK,YAAA;AAGvB,aAAW,KAAU,EACnB,KAAI,EAAU,WAAW,CAAA,EAAS,QAAO;AAO3C,SAHI,KAAkB,EAAU,WAAW,OAAA,KAGvC,EAAU,WAAW,OAAA,IAAiB,KAGnC,EAAW,IAAI,CAAA;GAOlB,IAAA,CAAkB,MAA2B;AACjD,QAAM,IAAa,EAAM,YAAA,EAAc,KAAA;AACvC,SAAO,CAAC,EAAa,IAAI,CAAA;GAQrB,IAAA,CAAgB,MACpB,EAEG,QAAQ,2BAA2B,EAAA,EAEnC,QAAQ,uCAAuC,EAAA,EAE/C,QAAQ,qBAAqB,EAAA,EAE7B,QAAQ,QAAQ,EAAA,EAEhB,YAAA,GAMC,IAAA,CAAa,MAA2B;AAC5C,QAAM,IAAa,EAAa,CAAA;AAChC,aAAW,KAAY,EACrB,KAAI,EAAW,WAAW,CAAA,EAAW,QAAO;AAE9C,SAAO;GASH,IAAA,CAAgB,MAA2B;AAC/C,QAAM,IAAU,EAAM,MAAM,GAAA;AAC5B,aAAW,KAAS,GAAS;AAC3B,UAAM,IAAM,EAAM,KAAA,EAAO,MAAM,KAAA,EAAO,CAAA;AACtC,QAAI,KAAO,CAAC,EAAU,CAAA,EAAM,QAAO;AAAA;AAErC,SAAO;GAOH,IAAA,CAAiB,MAAyB;AAC9C,MAAI;AAEF,UAAM,IAAa,EAAI,KAAA;AAOvB,QAAI,EAAW,WAAW,IAAA,EACxB,QAAO;AAIT,UAAM,IAAW,EAAW,YAAA;AAK5B,WADoB,uBAAuB,KAAK,CAAA,KAC7B,CAAC,EAAS,WAAW,SAAA,KAAc,CAAC,EAAS,WAAW,UAAA,IAGlE,KAIL,CAAC,EAAS,WAAW,SAAA,KAAc,CAAC,EAAS,WAAW,UAAA,IACnD,KAIL,OAAO,SAAW,OAAe,CAAC,OAAO,WACpC,KAIF,IADY,IAAI,GAAY,OAAO,SAAS,IAAA,EACrC,WAAW,OAAO,SAAS;AAAA,UACnC;AAEN,WAAO;AAAA;GAiBL,IAAA,CAAqB,MAGlB,IAFY,UAAA,EAEL,gBAAgB,GAAa,WAAA,GAmBvC,IAAA,CAAmB,MAAmC;AAG1D,QAAM,KAAkB,OAAO,KAAS,WAAW,IAAO,OAAO,KAAQ,EAAA,GAAK,KAAA,GAGxE,IAAW,SAAS,uBAAA;AAG1B,MAAI,EAAe,WAAW,EAC5B,QAAO;AAOT,MAAI,EADuB,EAAe,SAAS,GAAA,KAAQ,EAAe,SAAS,GAAA;AAEjF,WAAA,EAAS,YAAY,SAAS,eAAe,CAAA,CAAe,GACrD;AAUT,QAAM,IAJM,EAAkB,CAAA,EAIb;AAEjB,MAAI,CAAC,EACH,QAAO;AAGT,SAAO,EAAK,aACV,CAAA,EAAS,YAAY,EAAK,UAAA;AAG5B,SAAO;GAOI,IAAA,CAAoB,GAAc,IAA2B,CAAA,MAAe;AACvF,QAAM,EACJ,WAAA,IAAY,CAAA,GACZ,iBAAA,IAAkB,CAAA,GAClB,qBAAA,IAAsB,IACtB,cAAA,IAAe,GAAA,IACb,GAGE,IAAc,IAAI,IACtB,CAAC,GAAG,GAAsB,GAAG,EAAU,IAAA,CAAK,MAAM,EAAE,YAAA,CAAa,CAAC,EAAE,OAAA,CACjE,MAAQ,CAAC,EAAe,IAAI,CAAA,CAAI,CAClC,GAEG,IAAe,oBAAI,IAAI,CAC3B,GAAG,GACH,GAAG,EAAgB,IAAA,CAAK,MAAM,EAAE,YAAA,CAAa,CAAC,CAC/C,GAGK,IAAW,EAAgB,CAAA;AAEjC,MAAI,EACF,QAAO,EAAS,eAAe;AAIjC,QAAM,IAAS,SAAS,iBAAiB,GAAU,WAAW,YAAA,GAExD,IAAsB,CAAA;AAE5B,SAAO,EAAO,SAAA,KAAY;AACxB,UAAM,IAAK,EAAO,aACZ,IAAU,EAAG,QAAQ,YAAA;AAG3B,QAAI,EAAe,IAAI,CAAA,GAAU;AAC/B,MAAA,EAAS,KAAK,CAAA;AACd;AAAA;AAIF,QAAI,CAAC,EAAY,IAAI,CAAA,GAAU;AAC7B,MAAA,EAAS,KAAK,CAAA;AACd;AAAA;AAIF,UAAM,IAA0B,CAAA;AAChC,eAAW,KAAQ,MAAM,KAAK,EAAG,UAAA,GAAa;AAC5C,YAAM,IAAW,EAAK,KAAK,YAAA;AAG3B,UAAI,CAAC,EAAmB,GAAU,GAAc,CAAA,GAAsB;AACpE,QAAA,EAAc,KAAK,EAAK,IAAA;AACxB;AAAA;AAIF,WAAK,MAAa,QAAQ,MAAa,WAAW,CAAC,EAAe,EAAK,KAAA,GAAQ;AAC7E,QAAA,EAAc,KAAK,EAAK,IAAA;AACxB;AAAA;AAIF,WACG,MAAa,UAAU,MAAa,SAAS,MAAa,aAC3D,CAAC,EAAU,EAAK,KAAA,GAChB;AACA,QAAA,EAAc,KAAK,EAAK,IAAA;AACxB;AAAA;AAIF,MAAI,MAAa,YAAY,CAAC,EAAa,EAAK,KAAA,KAC9C,EAAc,KAAK,EAAK,IAAA;AAAA;AAK5B,eAAW,KAAY,EACrB,CAAA,EAAG,gBAAgB,CAAA;AAIrB,QAAI,MAAY,KAAK;AACnB,YAAM,IAAO,EAAG,aAAa,MAAA,GAEvB,IADS,EAAG,aAAa,QAAA,GACA,YAAA,MAAkB,UAC3C,IAAa,KAAQ,EAAc,CAAA;AAGzC,UAAI,KAAkB,GAAY;AAChC,cAAM,IAAc,EAAG,aAAa,KAAA,GAC9B,IAAY,IAAI,IAAI,IAAc,EAAY,MAAM,KAAA,EAAO,OAAO,OAAA,IAAW,CAAA,CAAE;AAGrF,QAAA,EAAU,IAAI,UAAA,GACd,EAAU,IAAI,YAAA,GAEd,EAAG,aAAa,OAAO,MAAM,KAAK,CAAA,EAAW,KAAK,GAAA,CAAI;AAAA;;;AAM5D,aAAW,KAAM,EACf,CAAA,EAAG,OAAA;AAKL,QAAM,IAAA,CAAqB,MAAmC;AAC5D,UAAM,IAAY,SAAS,cAAc,KAAA;AACzC,WAAA,EAAU,YAAY,EAAK,UAAU,EAAA,CAAK,GACnC,EAAU;AAAA,KAOb,IAAY,EAAkB,CAAA,GAK9B,IAAa,EADI,EAAgB,CAAA,CACF;AAGrC,SAAI,MAAc,IAGT,EAAS,eAAe,KAG1B;GCzWH,IAAkC,uBAAO,2BAAA,GACzC,IAAqB,uBAAO,qBAAA,GAwBrB,IAAA,CAAmB,MAAgC,GAcnD,IAAA,CAAW,MAAqC;AAC3D,QAAM,IAAQ,OAAO,CAAA;AACrB,SAAO,OAAO,OAAO;AAAA,KAClB,CAAA,GAAmB;AAAA,KACnB,CAAA,GAAqB;AAAA,IACtB,UAAA,MAAgB;AAAA,GACjB;GAQU,IAAA,CAAiB,MAE1B,OAAO,KAAU,YACjB,MAAU,QACV,KAAoB,KACpB,KAAsB,GASb,IAAA,CAAqB,MACxB,EAA2B,CAAA,GC9D/B,IAAmB,MAGnB,IAAa,MAWN,IAAA,CAAiB,IAAiB,OAAe;AAE5D,MAAI,CAAC,OAAO,UAAU,CAAA,KAAW,IAAS,EACxC,OAAM,IAAI,WAAW,iDAAA;AAEvB,MAAI,IAAS,EACX,OAAM,IAAI,WAAW,wCAAwC,CAAA,EAAA;AAI/D,MACE,OAAO,WAAW,SAAW,OAC7B,OAAO,WAAW,OAAO,mBAAoB,WAE7C,OAAM,IAAI,MACR,mFAAA;AAGJ,MAAI,OAAO,WAAW,QAAS,WAC7B,OAAM,IAAI,MAAM,iEAAA;AAGlB,QAAM,IAAQ,IAAI,WAAW,CAAA;AAC7B,aAAW,OAAO,gBAAgB,CAAA;AAGlC,MAAI,IAAe;AACnB,WAAS,IAAI,GAAG,IAAI,EAAM,QAAQ,KAAK,GAAY;AACjD,UAAM,IAAQ,EAAM,SAAS,GAAG,KAAK,IAAI,IAAI,GAAY,EAAM,MAAA,CAAO;AACtE,IAAA,KAAgB,OAAO,aAAa,GAAG,CAAA;AAAA;AAGzC,SAAO,WAAW,KAAK,CAAA,EAAc,QAAQ,OAAO,GAAA,EAAK,QAAQ,OAAO,GAAA,EAAK,QAAQ,MAAM,EAAA;GAUhF,IAAA,CAAmB,MAA+B;AAE7D,MAAI,OAAO,WAAa,IACtB,QAAO;AAIT,QAAM,IAAO,SAAS,cAAc,4CAAA;AACpC,SAAI,KACc,EAAK,aAAa,SAAA,KAAc,IACjC,SAAS,CAAA,IAEnB;GChEL,IAAyC,MAGzC,IAAsB,IAMb,IAAA,MAET,OAAO,SAAW,OAClB,OAAQ,OAA8B,eAAiB,KAQ9C,IAAA,MAAwD;AACnE,MAAI,EAAc,QAAO;AAGzB,MAFI,KAEA,OAAO,SAAW,IAAa,QAAO;AAE1C,QAAM,IAAM;AACZ,MAAI,CAAC,EAAI,aAAc,QAAO;AAE9B,EAAA,IAAsB;AAEtB,MAAI;AACF,WAAA,IAAe,EAAI,aAAa,aAAa,GAAa,EACxD,YAAA,CAAa,MAAkB,EAAiB,CAAA,EAAM,CACvD,GACM;AAAA,WACA,GAAO;AAEd,UAAM,IAAe,aAAiB,QAAQ,EAAM,UAAU,OAAO,CAAA;AACrE,mBAAQ,KAAK,kDAAkD,CAAA,MAAiB,CAAA,EAAA,GACzE;AAAA;GAWE,IAAA,CAAqB,MAAuC;AACvE,QAAM,IAAS,EAAA;AACf,SAAI,IACK,EAAO,WAAW,CAAA,IAEpB,EAAiB,CAAA;GCrCb,IAAA,CAAgB,GAAc,IAA2B,CAAA,MAC7D,EAAgB,EAAiB,GAAM,CAAA,CAAQ,GAgB3C,KAAA,CAAc,MAAyB;AAClD,QAAM,IAAoC;AAAA,IACxC,KAAK;AAAA,IACL,KAAK;AAAA,IACL,KAAK;AAAA,IACL,KAAK;AAAA,IACL,KAAK;AAAA,IACL,KAAK;AAAA;AAEP,SAAO,EAAK,QAAQ,aAAA,CAAc,MAAS,EAAU,CAAA,CAAA;GAS1C,KAAA,CAAa,MACjB,EAAiB,GAAM,EAAE,cAAc,GAAA,CAAM"}

package/dist/security.es.mjs

@@ -1,4 +1,4 @@
-import { a as e, c as t, d as a, i as r, n as i, o as p, r as o, s as c, t as d } from "./sanitize-B1V4JswB.js";
+import { a as e, c as t, d as a, i as r, n as i, o as p, r as o, s as c, t as d } from "./sanitize-DOMkRO9G.js";
 export {
   r as createTrustedHtml,
   d as escapeHtml,

package/dist/server/create-server.d.ts

@@ -0,0 +1,25 @@
+import type { CreateServerOptions, ServerApp, ServerWebSocketSession } from './types';
+/**
+ * Returns `true` when the request is a WebSocket upgrade handshake.
+ */
+export declare const isWebSocketRequest: (request: Request) => boolean;
+/**
+ * Type guard for values returned by `handleWebSocket()`.
+ */
+export declare const isServerWebSocketSession: (value: unknown) => value is ServerWebSocketSession;
+/**
+ * Create a lightweight, Express-inspired request pipeline for SSR-aware
+ * backends without introducing runtime dependencies.
+ *
+ * @example
+ * ```ts
+ * import { createServer } from '@bquery/bquery/server';
+ *
+ * const app = createServer();
+ * app.get('/health', (ctx) => ctx.json({ ok: true }));
+ *
+ * const response = await app.handle('/health');
+ * ```
+ */
+export declare const createServer: (options?: CreateServerOptions) => ServerApp;
+//# sourceMappingURL=create-server.d.ts.map

package/dist/server/create-server.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"create-server.d.ts","sourceRoot":"","sources":["../../src/server/create-server.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EACV,mBAAmB,EACnB,SAAS,EAkBT,sBAAsB,EACvB,MAAM,SAAS,CAAC;AA+PjB;;GAEG;AACH,eAAO,MAAM,kBAAkB,GAAI,SAAS,OAAO,KAAG,OA0BrD,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,wBAAwB,GAAI,OAAO,OAAO,KAAG,KAAK,IAAI,sBAYlE,CAAC;AA8NF;;;;;;;;;;;;;GAaG;AACH,eAAO,MAAM,YAAY,GAAI,UAAS,mBAAwB,KAAG,SAgMhE,CAAC"}

package/dist/server/index.d.ts

@@ -0,0 +1,11 @@
+/**
+ * Lightweight backend helpers for bQuery.js.
+ *
+ * Provides an Express-inspired middleware and routing layer that stays
+ * dependency-free, tree-shakeable, and SSR-aware.
+ *
+ * @module bquery/server
+ */
+export { createServer, isServerWebSocketSession, isWebSocketRequest } from './create-server';
+export type { CreateServerOptions, ServerApp, ServerContext, ServerHandler, ServerResult, ServerHtmlResponseInit, ServerMiddleware, ServerNext, ServerQuery, ServerRenderResponseOptions, ServerRequestInit, ServerResponseInit, ServerRoute, ServerWebSocketConnection, ServerWebSocketData, ServerWebSocketHandlerSet, ServerWebSocketMiddleware, ServerWebSocketNext, ServerWebSocketPeer, ServerWebSocketRouteHandler, ServerWebSocketSession, } from './types';
+//# sourceMappingURL=index.d.ts.map

package/dist/server/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/server/index.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,EAAE,YAAY,EAAE,wBAAwB,EAAE,kBAAkB,EAAE,MAAM,iBAAiB,CAAC;AAC7F,YAAY,EACV,mBAAmB,EACnB,SAAS,EACT,aAAa,EACb,aAAa,EACb,YAAY,EACZ,sBAAsB,EACtB,gBAAgB,EAChB,UAAU,EACV,WAAW,EACX,2BAA2B,EAC3B,iBAAiB,EACjB,kBAAkB,EAClB,WAAW,EACX,yBAAyB,EACzB,mBAAmB,EACnB,yBAAyB,EACzB,yBAAyB,EACzB,mBAAmB,EACnB,mBAAmB,EACnB,2BAA2B,EAC3B,sBAAsB,GACvB,MAAM,SAAS,CAAC"}

package/dist/server/types.d.ts

@@ -0,0 +1,396 @@
+import type { RenderOptions } from '../ssr/index';
+import type { BindingContext } from '../view/index';
+/**
+ * Repeated query parameters are represented as arrays.
+ */
+export interface ServerQuery {
+    [key: string]: string | string[] | undefined;
+}
+/**
+ * Lightweight request input accepted by `handle()`.
+ */
+export interface ServerRequestInit {
+    /**
+     * Request URL or path.
+     *
+     * Relative paths are resolved against `CreateServerOptions.baseUrl`.
+     */
+    url: string | URL;
+    /**
+     * HTTP method.
+     * @default 'GET'
+     */
+    method?: string;
+    /**
+     * Request headers.
+     */
+    headers?: HeadersInit;
+    /**
+     * Optional request body.
+     */
+    body?: BodyInit | null;
+}
+/**
+ * Shared response options used by server helpers.
+ */
+export interface ServerResponseInit extends ResponseInit {
+    headers?: HeadersInit;
+}
+/**
+ * HTML response options.
+ */
+export interface ServerHtmlResponseInit extends ServerResponseInit {
+    /**
+     * When `true`, the HTML string is assumed to be already safe and is returned
+     * without additional sanitization.
+     * @default false
+     */
+    trusted?: boolean;
+}
+/**
+ * SSR response options.
+ */
+export interface ServerRenderResponseOptions extends RenderOptions {
+    /**
+     * HTTP status to use for the response.
+     * @default 200
+     */
+    status?: number;
+    /**
+     * Additional response headers.
+     */
+    headers?: HeadersInit;
+}
+/**
+ * Binary/text payloads accepted by server-side WebSocket peers and sessions.
+ *
+ * Use this for raw frames sent through `socket.send(...)`.
+ */
+export type ServerWebSocketData = string | Blob | ArrayBufferLike | ArrayBufferView;
+/**
+ * Minimal runtime WebSocket peer shape consumed by server-side WebSocket sessions.
+ */
+export interface ServerWebSocketPeer {
+    /**
+     * Negotiated sub-protocol, when available.
+     */
+    protocol?: string;
+    /**
+     * Current readyState, when the runtime exposes it.
+     */
+    readyState?: number;
+    /**
+     * Remote URL, when the runtime exposes it.
+     */
+    url?: string;
+    /**
+     * Send a raw payload to the connected peer.
+     */
+    send(data: ServerWebSocketData): void;
+    /**
+     * Close the connection.
+     */
+    close(code?: number, reason?: string): void;
+}
+/**
+ * Wrapped WebSocket connection exposed to route handlers.
+ */
+export interface ServerWebSocketConnection extends ServerWebSocketPeer {
+    /**
+     * Serialize a value with `JSON.stringify()` and send it to the peer.
+     */
+    sendJson(data: unknown): void;
+}
+/**
+ * Request/response context passed through the server pipeline.
+ */
+export interface ServerContext {
+    /**
+     * Normalized `Request` instance.
+     */
+    request: Request;
+    /**
+     * Parsed URL for the current request.
+     */
+    url: URL;
+    /**
+     * Uppercase HTTP method.
+     */
+    method: string;
+    /**
+     * Pathname without query string.
+     */
+    path: string;
+    /**
+     * Route params captured from `:param` path segments.
+     */
+    params: Record<string, string>;
+    /**
+     * Parsed query object. Repeated keys become arrays.
+     */
+    query: ServerQuery;
+    /**
+     * Per-request mutable state bag for middleware communication.
+     */
+    state: Record<string, unknown>;
+    /**
+     * Create a raw `Response`.
+     *
+     * @example
+     * ```ts
+     * return ctx.response('Created', { status: 201 });
+     * ```
+     */
+    response(body?: BodyInit | null, init?: ServerResponseInit): Response;
+    /**
+     * Create a plain-text response.
+     *
+     * @example
+     * ```ts
+     * return ctx.text('ok');
+     * ```
+     */
+    text(body: string, init?: ServerResponseInit): Response;
+    /**
+     * Create a sanitized HTML response by default.
+     *
+     * @example
+     * ```ts
+     * return ctx.html('<h1>Hello</h1>');
+     * ```
+     */
+    html(body: string, init?: ServerHtmlResponseInit): Response;
+    /**
+     * Create a JSON response.
+     *
+     * @example
+     * ```ts
+     * return ctx.json({ ok: true });
+     * ```
+     */
+    json(data: unknown, init?: ServerResponseInit): Response;
+    /**
+     * Create a redirect response.
+     *
+     * @example
+     * ```ts
+     * return ctx.redirect('/login', 302);
+     * ```
+     */
+    redirect(location: string | URL, status?: number): Response;
+    /**
+     * Render a bQuery SSR template into an HTML response.
+     *
+     * @example
+     * ```ts
+     * return ctx.render('<h1 bq-text="title"></h1>', { title: 'Dashboard' });
+     * ```
+     */
+    render(template: string, data: BindingContext, options?: ServerRenderResponseOptions): Response;
+    /**
+     * `true` when the incoming request is a WebSocket upgrade handshake.
+     */
+    isWebSocketRequest: boolean;
+}
+/**
+ * Final request handler.
+ */
+export interface ServerHandler {
+    (context: ServerContext): Response | Promise<Response>;
+}
+/**
+ * WebSocket route lifecycle callbacks.
+ */
+export interface ServerWebSocketHandlerSet<TReceive = unknown> {
+    /**
+     * Requested sub-protocols for the handshake.
+     */
+    protocols?: string | string[];
+    /**
+     * Additional handshake headers used by compatible runtimes.
+     */
+    headers?: HeadersInit;
+    /**
+     * Deserialize incoming WebSocket messages.
+     *
+     * Defaults to JSON.parse for string payloads with a raw-string fallback.
+     */
+    deserialize?: (event: MessageEvent) => TReceive;
+    /**
+     * Called after the runtime accepts the upgrade.
+     */
+    onOpen?: (socket: ServerWebSocketConnection, context: ServerContext) => void | Promise<void>;
+    /**
+     * Called for each incoming message after deserialization.
+     */
+    onMessage?: (data: TReceive, socket: ServerWebSocketConnection, context: ServerContext, event: MessageEvent) => void | Promise<void>;
+    /**
+     * Called when the connection closes.
+     */
+    onClose?: (event: CloseEvent, socket: ServerWebSocketConnection, context: ServerContext) => void | Promise<void>;
+    /**
+     * Called when the runtime reports a socket error.
+     */
+    onError?: (event: Event, socket: ServerWebSocketConnection, context: ServerContext) => void | Promise<void>;
+}
+/**
+ * WebSocket route definition or per-request factory.
+ */
+export type ServerWebSocketRouteHandler<TReceive = unknown> = ServerWebSocketHandlerSet<TReceive> | ((context: ServerContext) => ServerWebSocketHandlerSet<TReceive> | Promise<ServerWebSocketHandlerSet<TReceive>>);
+/**
+ * Runtime-agnostic WebSocket session returned by `handleWebSocket()`.
+ */
+export interface ServerWebSocketSession {
+    /**
+     * Request context captured during route matching and middleware execution.
+     */
+    context: ServerContext;
+    /**
+     * Normalized requested sub-protocols.
+     */
+    protocols: string[];
+    /**
+     * Additional handshake headers requested by the route.
+     */
+    headers?: HeadersInit;
+    /**
+     * Notify the session that the runtime accepted the connection.
+     */
+    open(socket: ServerWebSocketPeer): Promise<void>;
+    /**
+     * Deliver an incoming message event to the session.
+     */
+    message(socket: ServerWebSocketPeer, event: MessageEvent): Promise<void>;
+    /**
+     * Notify the session about a close event.
+     */
+    close(socket: ServerWebSocketPeer, event: CloseEvent): Promise<void>;
+    /**
+     * Notify the session about a socket error.
+     */
+    error(socket: ServerWebSocketPeer, event: Event): Promise<void>;
+}
+/**
+ * Result type used by middleware and WebSocket handling.
+ */
+export type ServerResult = Response | ServerWebSocketSession | null;
+/**
+ * Middleware continuation callback.
+ */
+export interface ServerNext {
+    (): Promise<Response>;
+}
+/**
+ * Express-inspired middleware for request pipelines.
+ */
+export interface ServerMiddleware {
+    (context: ServerContext, next: ServerNext): Response | Promise<Response>;
+}
+/**
+ * WebSocket middleware continuation callback.
+ */
+export interface ServerWebSocketNext {
+    (): Promise<ServerResult>;
+}
+/**
+ * Middleware used by WebSocket routes.
+ */
+export interface ServerWebSocketMiddleware {
+    (context: ServerContext, next: ServerWebSocketNext): ServerResult | Promise<ServerResult>;
+}
+/**
+ * Route definition used by `add()`.
+ */
+export interface ServerRoute {
+    /**
+     * Route path. Supports static segments, `:params`, and terminal `*`.
+     */
+    path: string;
+    /**
+     * One or many HTTP methods. Omit for "all methods".
+     */
+    method?: string | string[];
+    /**
+     * Optional route-scoped middleware.
+     */
+    middlewares?: ServerMiddleware[];
+    /**
+     * Final route handler.
+     */
+    handler: ServerHandler;
+}
+/**
+ * Configures a server instance.
+ */
+export interface CreateServerOptions {
+    /**
+     * Base URL used to resolve relative request paths.
+     * @default 'http://localhost'
+     */
+    baseUrl?: string;
+    /**
+     * Global middleware applied to every request.
+     */
+    middlewares?: ServerMiddleware[];
+    /**
+     * Custom 404 handler.
+     */
+    notFound?: ServerHandler;
+    /**
+     * Custom error handler.
+     */
+    onError?: (error: unknown, context: ServerContext) => Response | Promise<Response>;
+}
+/**
+ * Express-inspired app-like server handle.
+ */
+export interface ServerApp {
+    /**
+     * Register global middleware.
+     */
+    use(middleware: ServerMiddleware): ServerApp;
+    /**
+     * Add a fully specified route.
+     */
+    add(route: ServerRoute): ServerApp;
+    /**
+     * Register a GET route.
+     */
+    get(path: string, handler: ServerHandler, middlewares?: ServerMiddleware[]): ServerApp;
+    /**
+     * Register a POST route.
+     */
+    post(path: string, handler: ServerHandler, middlewares?: ServerMiddleware[]): ServerApp;
+    /**
+     * Register a PUT route.
+     */
+    put(path: string, handler: ServerHandler, middlewares?: ServerMiddleware[]): ServerApp;
+    /**
+     * Register a PATCH route.
+     */
+    patch(path: string, handler: ServerHandler, middlewares?: ServerMiddleware[]): ServerApp;
+    /**
+     * Register a DELETE route.
+     */
+    delete(path: string, handler: ServerHandler, middlewares?: ServerMiddleware[]): ServerApp;
+    /**
+     * Register a route that matches any method.
+     */
+    all(path: string, handler: ServerHandler, middlewares?: ServerMiddleware[]): ServerApp;
+    /**
+     * Register a WebSocket route.
+     */
+    ws<TReceive = unknown>(path: string, handler: ServerWebSocketRouteHandler<TReceive>, middlewares?: ServerWebSocketMiddleware[]): ServerApp;
+    /**
+     * Handle a normalized request.
+     */
+    handle(input: Request | string | URL | ServerRequestInit): Promise<Response>;
+    /**
+     * Resolve a WebSocket upgrade request into a runtime-agnostic session.
+     *
+     * Returns `null` when the request is not a WebSocket handshake or no matching
+     * WebSocket route exists. Middleware may also short-circuit with a `Response`.
+     */
+    handleWebSocket(input: Request | string | URL | ServerRequestInit): Promise<ServerResult>;
+}
+//# sourceMappingURL=types.d.ts.map

package/dist/server/types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../src/server/types.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,cAAc,CAAC;AAClD,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,eAAe,CAAC;AAEpD;;GAEG;AACH,MAAM,WAAW,WAAW;IAC1B,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,GAAG,MAAM,EAAE,GAAG,SAAS,CAAC;CAC9C;AAED;;GAEG;AACH,MAAM,WAAW,iBAAiB;IAChC;;;;OAIG;IACH,GAAG,EAAE,MAAM,GAAG,GAAG,CAAC;IAElB;;;OAGG;IACH,MAAM,CAAC,EAAE,MAAM,CAAC;IAEhB;;OAEG;IACH,OAAO,CAAC,EAAE,WAAW,CAAC;IAEtB;;OAEG;IACH,IAAI,CAAC,EAAE,QAAQ,GAAG,IAAI,CAAC;CACxB;AAED;;GAEG;AACH,MAAM,WAAW,kBAAmB,SAAQ,YAAY;IACtD,OAAO,CAAC,EAAE,WAAW,CAAC;CACvB;AAED;;GAEG;AACH,MAAM,WAAW,sBAAuB,SAAQ,kBAAkB;IAChE;;;;OAIG;IACH,OAAO,CAAC,EAAE,OAAO,CAAC;CACnB;AAED;;GAEG;AACH,MAAM,WAAW,2BAA4B,SAAQ,aAAa;IAChE;;;OAGG;IACH,MAAM,CAAC,EAAE,MAAM,CAAC;IAEhB;;OAEG;IACH,OAAO,CAAC,EAAE,WAAW,CAAC;CACvB;AAED;;;;GAIG;AACH,MAAM,MAAM,mBAAmB,GAAG,MAAM,GAAG,IAAI,GAAG,eAAe,GAAG,eAAe,CAAC;AAEpF;;GAEG;AACH,MAAM,WAAW,mBAAmB;IAClC;;OAEG;IACH,QAAQ,CAAC,EAAE,MAAM,CAAC;IAElB;;OAEG;IACH,UAAU,CAAC,EAAE,MAAM,CAAC;IAEpB;;OAEG;IACH,GAAG,CAAC,EAAE,MAAM,CAAC;IAEb;;OAEG;IACH,IAAI,CAAC,IAAI,EAAE,mBAAmB,GAAG,IAAI,CAAC;IAEtC;;OAEG;IACH,KAAK,CAAC,IAAI,CAAC,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;CAC7C;AAED;;GAEG;AACH,MAAM,WAAW,yBAA0B,SAAQ,mBAAmB;IACpE;;OAEG;IACH,QAAQ,CAAC,IAAI,EAAE,OAAO,GAAG,IAAI,CAAC;CAC/B;AAED;;GAEG;AACH,MAAM,WAAW,aAAa;IAC5B;;OAEG;IACH,OAAO,EAAE,OAAO,CAAC;IAEjB;;OAEG;IACH,GAAG,EAAE,GAAG,CAAC;IAET;;OAEG;IACH,MAAM,EAAE,MAAM,CAAC;IAEf;;OAEG;IACH,IAAI,EAAE,MAAM,CAAC;IAEb;;OAEG;IACH,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAE/B;;OAEG;IACH,KAAK,EAAE,WAAW,CAAC;IAEnB;;OAEG;IACH,KAAK,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAE/B;;;;;;;OAOG;IACH,QAAQ,CAAC,IAAI,CAAC,EAAE,QAAQ,GAAG,IAAI,EAAE,IAAI,CAAC,EAAE,kBAAkB,GAAG,QAAQ,CAAC;IAEtE;;;;;;;OAOG;IACH,IAAI,CAAC,IAAI,EAAE,MAAM,EAAE,IAAI,CAAC,EAAE,kBAAkB,GAAG,QAAQ,CAAC;IAExD;;;;;;;OAOG;IACH,IAAI,CAAC,IAAI,EAAE,MAAM,EAAE,IAAI,CAAC,EAAE,sBAAsB,GAAG,QAAQ,CAAC;IAE5D;;;;;;;OAOG;IACH,IAAI,CAAC,IAAI,EAAE,OAAO,EAAE,IAAI,CAAC,EAAE,kBAAkB,GAAG,QAAQ,CAAC;IAEzD;;;;;;;OAOG;IACH,QAAQ,CAAC,QAAQ,EAAE,MAAM,GAAG,GAAG,EAAE,MAAM,CAAC,EAAE,MAAM,GAAG,QAAQ,CAAC;IAE5D;;;;;;;OAOG;IACH,MAAM,CACJ,QAAQ,EAAE,MAAM,EAChB,IAAI,EAAE,cAAc,EACpB,OAAO,CAAC,EAAE,2BAA2B,GACpC,QAAQ,CAAC;IAEZ;;OAEG;IACH,kBAAkB,EAAE,OAAO,CAAC;CAC7B;AAED;;GAEG;AACH,MAAM,WAAW,aAAa;IAC5B,CAAC,OAAO,EAAE,aAAa,GAAG,QAAQ,GAAG,OAAO,CAAC,QAAQ,CAAC,CAAC;CACxD;AAED;;GAEG;AACH,MAAM,WAAW,yBAAyB,CAAC,QAAQ,GAAG,OAAO;IAC3D;;OAEG;IACH,SAAS,CAAC,EAAE,MAAM,GAAG,MAAM,EAAE,CAAC;IAE9B;;OAEG;IACH,OAAO,CAAC,EAAE,WAAW,CAAC;IAEtB;;;;OAIG;IACH,WAAW,CAAC,EAAE,CAAC,KAAK,EAAE,YAAY,KAAK,QAAQ,CAAC;IAEhD;;OAEG;IACH,MAAM,CAAC,EAAE,CAAC,MAAM,EAAE,yBAAyB,EAAE,OAAO,EAAE,aAAa,KAAK,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAE7F;;OAEG;IACH,SAAS,CAAC,EAAE,CACV,IAAI,EAAE,QAAQ,EACd,MAAM,EAAE,yBAAyB,EACjC,OAAO,EAAE,aAAa,EACtB,KAAK,EAAE,YAAY,KAChB,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAE1B;;OAEG;IACH,OAAO,CAAC,EAAE,CACR,KAAK,EAAE,UAAU,EACjB,MAAM,EAAE,yBAAyB,EACjC,OAAO,EAAE,aAAa,KACnB,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAE1B;;OAEG;IACH,OAAO,CAAC,EAAE,CACR,KAAK,EAAE,KAAK,EACZ,MAAM,EAAE,yBAAyB,EACjC,OAAO,EAAE,aAAa,KACnB,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;CAC3B;AAED;;GAEG;AACH,MAAM,MAAM,2BAA2B,CAAC,QAAQ,GAAG,OAAO,IACtD,yBAAyB,CAAC,QAAQ,CAAC,GACnC,CAAC,CACC,OAAO,EAAE,aAAa,KACnB,yBAAyB,CAAC,QAAQ,CAAC,GAAG,OAAO,CAAC,yBAAyB,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC;AAE7F;;GAEG;AACH,MAAM,WAAW,sBAAsB;IACrC;;OAEG;IACH,OAAO,EAAE,aAAa,CAAC;IAEvB;;OAEG;IACH,SAAS,EAAE,MAAM,EAAE,CAAC;IAEpB;;OAEG;IACH,OAAO,CAAC,EAAE,WAAW,CAAC;IAEtB;;OAEG;IACH,IAAI,CAAC,MAAM,EAAE,mBAAmB,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAEjD;;OAEG;IACH,OAAO,CAAC,MAAM,EAAE,mBAAmB,EAAE,KAAK,EAAE,YAAY,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAEzE;;OAEG;IACH,KAAK,CAAC,MAAM,EAAE,mBAAmB,EAAE,KAAK,EAAE,UAAU,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAErE;;OAEG;IACH,KAAK,CAAC,MAAM,EAAE,mBAAmB,EAAE,KAAK,EAAE,KAAK,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;CACjE;AAED;;GAEG;AACH,MAAM,MAAM,YAAY,GAAG,QAAQ,GAAG,sBAAsB,GAAG,IAAI,CAAC;AAEpE;;GAEG;AACH,MAAM,WAAW,UAAU;IACzB,IAAI,OAAO,CAAC,QAAQ,CAAC,CAAC;CACvB;AAED;;GAEG;AACH,MAAM,WAAW,gBAAgB;IAC/B,CAAC,OAAO,EAAE,aAAa,EAAE,IAAI,EAAE,UAAU,GAAG,QAAQ,GAAG,OAAO,CAAC,QAAQ,CAAC,CAAC;CAC1E;AAED;;GAEG;AACH,MAAM,WAAW,mBAAmB;IAClC,IAAI,OAAO,CAAC,YAAY,CAAC,CAAC;CAC3B;AAED;;GAEG;AACH,MAAM,WAAW,yBAAyB;IACxC,CAAC,OAAO,EAAE,aAAa,EAAE,IAAI,EAAE,mBAAmB,GAAG,YAAY,GAAG,OAAO,CAAC,YAAY,CAAC,CAAC;CAC3F;AAED;;GAEG;AACH,MAAM,WAAW,WAAW;IAC1B;;OAEG;IACH,IAAI,EAAE,MAAM,CAAC;IAEb;;OAEG;IACH,MAAM,CAAC,EAAE,MAAM,GAAG,MAAM,EAAE,CAAC;IAE3B;;OAEG;IACH,WAAW,CAAC,EAAE,gBAAgB,EAAE,CAAC;IAEjC;;OAEG;IACH,OAAO,EAAE,aAAa,CAAC;CACxB;AAED;;GAEG;AACH,MAAM,WAAW,mBAAmB;IAClC;;;OAGG;IACH,OAAO,CAAC,EAAE,MAAM,CAAC;IAEjB;;OAEG;IACH,WAAW,CAAC,EAAE,gBAAgB,EAAE,CAAC;IAEjC;;OAEG;IACH,QAAQ,CAAC,EAAE,aAAa,CAAC;IAEzB;;OAEG;IACH,OAAO,CAAC,EAAE,CAAC,KAAK,EAAE,OAAO,EAAE,OAAO,EAAE,aAAa,KAAK,QAAQ,GAAG,OAAO,CAAC,QAAQ,CAAC,CAAC;CACpF;AAED;;GAEG;AACH,MAAM,WAAW,SAAS;IACxB;;OAEG;IACH,GAAG,CAAC,UAAU,EAAE,gBAAgB,GAAG,SAAS,CAAC;IAE7C;;OAEG;IACH,GAAG,CAAC,KAAK,EAAE,WAAW,GAAG,SAAS,CAAC;IAEnC;;OAEG;IACH,GAAG,CAAC,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,aAAa,EAAE,WAAW,CAAC,EAAE,gBAAgB,EAAE,GAAG,SAAS,CAAC;IAEvF;;OAEG;IACH,IAAI,CAAC,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,aAAa,EAAE,WAAW,CAAC,EAAE,gBAAgB,EAAE,GAAG,SAAS,CAAC;IAExF;;OAEG;IACH,GAAG,CAAC,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,aAAa,EAAE,WAAW,CAAC,EAAE,gBAAgB,EAAE,GAAG,SAAS,CAAC;IAEvF;;OAEG;IACH,KAAK,CAAC,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,aAAa,EAAE,WAAW,CAAC,EAAE,gBAAgB,EAAE,GAAG,SAAS,CAAC;IAEzF;;OAEG;IACH,MAAM,CAAC,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,aAAa,EAAE,WAAW,CAAC,EAAE,gBAAgB,EAAE,GAAG,SAAS,CAAC;IAE1F;;OAEG;IACH,GAAG,CAAC,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,aAAa,EAAE,WAAW,CAAC,EAAE,gBAAgB,EAAE,GAAG,SAAS,CAAC;IAEvF;;OAEG;IACH,EAAE,CAAC,QAAQ,GAAG,OAAO,EACnB,IAAI,EAAE,MAAM,EACZ,OAAO,EAAE,2BAA2B,CAAC,QAAQ,CAAC,EAC9C,WAAW,CAAC,EAAE,yBAAyB,EAAE,GACxC,SAAS,CAAC;IAEb;;OAEG;IACH,MAAM,CAAC,KAAK,EAAE,OAAO,GAAG,MAAM,GAAG,GAAG,GAAG,iBAAiB,GAAG,OAAO,CAAC,QAAQ,CAAC,CAAC;IAE7E;;;;;OAKG;IACH,eAAe,CAAC,KAAK,EAAE,OAAO,GAAG,MAAM,GAAG,GAAG,GAAG,iBAAiB,GAAG,OAAO,CAAC,YAAY,CAAC,CAAC;CAC3F"}