@bquery/bquery 1.2.0 → 1.3.0

package/dist/security/sanitize.d.ts

@@ -1,40 +1,12 @@
 /**
- * Security utilities for HTML sanitization, CSP compatibility, and Trusted Types.
+ * Security utilities for HTML sanitization.
  * All DOM writes are sanitized by default to prevent XSS attacks.
  *
  * @module bquery/security
  */
-/**
- * Sanitizer configuration options.
- */
-export interface SanitizeOptions {
-    /** Allow these additional tags (default: none) */
-    allowTags?: string[];
-    /** Allow these additional attributes (default: none) */
-    allowAttributes?: string[];
-    /** Allow data-* attributes (default: true) */
-    allowDataAttributes?: boolean;
-    /** Strip all tags and return plain text (default: false) */
-    stripAllTags?: boolean;
-}
-/** Trusted Types policy interface */
-interface TrustedTypePolicy {
-    createHTML: (input: string) => TrustedHTML;
-}
-/** Trusted HTML type placeholder for environments without Trusted Types */
-interface TrustedHTML {
-    toString(): string;
-}
-/**
- * Check if Trusted Types API is available.
- * @returns True if Trusted Types are supported
- */
-export declare const isTrustedTypesSupported: () => boolean;
-/**
- * Get or create the bQuery Trusted Types policy.
- * @returns The Trusted Types policy or null if unsupported
- */
-export declare const getTrustedTypesPolicy: () => TrustedTypePolicy | null;
+import type { SanitizeOptions } from './types';
+export { generateNonce } from './csp';
+export { isTrustedTypesSupported } from './trusted-types';
 /**
  * Sanitize HTML string, removing dangerous elements and attributes.
  * Uses Trusted Types when available for CSP compliance.
@@ -50,14 +22,6 @@ export declare const getTrustedTypesPolicy: () => TrustedTypePolicy | null;
  * ```
  */
 export declare const sanitizeHtml: (html: string, options?: SanitizeOptions) => string;
-/**
- * Create a Trusted HTML value for use with Trusted Types-enabled sites.
- * Falls back to regular string when Trusted Types are unavailable.
- *
- * @param html - The HTML string to wrap
- * @returns Trusted HTML value or sanitized string
- */
-export declare const createTrustedHtml: (html: string) => TrustedHTML | string;
 /**
  * Escape HTML entities to prevent XSS.
  * Use this for displaying user content as text.
@@ -79,21 +43,5 @@ export declare const escapeHtml: (text: string) => string;
  * @returns Plain text content
  */
 export declare const stripTags: (html: string) => string;
-/**
- * Generate a nonce for inline scripts/styles.
- * Use with Content-Security-Policy nonce directives.
- *
- * @param length - Nonce length (default: 16)
- * @returns Cryptographically random nonce string
- */
-export declare const generateNonce: (length?: number) => string;
-/**
- * Check if a CSP header is present with specific directive.
- * Useful for feature detection and fallback strategies.
- *
- * @param directive - The CSP directive to check (e.g., 'script-src')
- * @returns True if the directive appears to be enforced
- */
-export declare const hasCSPDirective: (directive: string) => boolean;
-export {};
+export type { SanitizeOptions } from './types';
 //# sourceMappingURL=sanitize.d.ts.map

package/dist/security/sanitize.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"sanitize.d.ts","sourceRoot":"","sources":["../../src/security/sanitize.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAMH;;GAEG;AACH,MAAM,WAAW,eAAe;IAC9B,kDAAkD;IAClD,SAAS,CAAC,EAAE,MAAM,EAAE,CAAC;IACrB,wDAAwD;IACxD,eAAe,CAAC,EAAE,MAAM,EAAE,CAAC;IAC3B,8CAA8C;IAC9C,mBAAmB,CAAC,EAAE,OAAO,CAAC;IAC9B,4DAA4D;IAC5D,YAAY,CAAC,EAAE,OAAO,CAAC;CACxB;AAsBD,qCAAqC;AACrC,UAAU,iBAAiB;IACzB,UAAU,EAAE,CAAC,KAAK,EAAE,MAAM,KAAK,WAAW,CAAC;CAC5C;AAED,2EAA2E;AAC3E,UAAU,WAAW;IACnB,QAAQ,IAAI,MAAM,CAAC;CACpB;AAKD;;;GAGG;AACH,eAAO,MAAM,uBAAuB,QAAO,OAE1C,CAAC;AAEF;;;GAGG;AACH,eAAO,MAAM,qBAAqB,QAAO,iBAAiB,GAAG,IAgB5D,CAAC;AAmbF;;;;;;;;;;;;;GAaG;AACH,eAAO,MAAM,YAAY,GAAI,MAAM,MAAM,EAAE,UAAS,eAAoB,KAAG,MAE1E,CAAC;AAEF;;;;;;GAMG;AACH,eAAO,MAAM,iBAAiB,GAAI,MAAM,MAAM,KAAG,WAAW,GAAG,MAM9D,CAAC;AAEF;;;;;;;;;;;;GAYG;AACH,eAAO,MAAM,UAAU,GAAI,MAAM,MAAM,KAAG,MAUzC,CAAC;AAEF;;;;;GAKG;AACH,eAAO,MAAM,SAAS,GAAI,MAAM,MAAM,KAAG,MAExC,CAAC;AAMF;;;;;;GAMG;AACH,eAAO,MAAM,aAAa,GAAI,SAAQ,MAAW,KAAG,MAOnD,CAAC;AAEF;;;;;;GAMG;AACH,eAAO,MAAM,eAAe,GAAI,WAAW,MAAM,KAAG,OAQnD,CAAC"}
+{"version":3,"file":"sanitize.d.ts","sourceRoot":"","sources":["../../src/security/sanitize.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAGH,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,SAAS,CAAC;AAC/C,OAAO,EAAE,aAAa,EAAE,MAAM,OAAO,CAAC;AACtC,OAAO,EAAE,uBAAuB,EAAE,MAAM,iBAAiB,CAAC;AAE1D;;;;;;;;;;;;;GAaG;AACH,eAAO,MAAM,YAAY,GAAI,MAAM,MAAM,EAAE,UAAS,eAAoB,KAAG,MAE1E,CAAC;AAEF;;;;;;;;;;;;GAYG;AACH,eAAO,MAAM,UAAU,GAAI,MAAM,MAAM,KAAG,MAUzC,CAAC;AAEF;;;;;GAKG;AACH,eAAO,MAAM,SAAS,GAAI,MAAM,MAAM,KAAG,MAExC,CAAC;AAEF,YAAY,EAAE,eAAe,EAAE,MAAM,SAAS,CAAC"}

package/dist/security/trusted-types.d.ts

@@ -0,0 +1,25 @@
+/**
+ * Trusted Types helpers for CSP compatibility.
+ *
+ * @module bquery/security
+ */
+import type { TrustedHTML, TrustedTypePolicy } from './types';
+/**
+ * Check if Trusted Types API is available.
+ * @returns True if Trusted Types are supported
+ */
+export declare const isTrustedTypesSupported: () => boolean;
+/**
+ * Get or create the bQuery Trusted Types policy.
+ * @returns The Trusted Types policy or null if unsupported
+ */
+export declare const getTrustedTypesPolicy: () => TrustedTypePolicy | null;
+/**
+ * Create a Trusted HTML value for use with Trusted Types-enabled sites.
+ * Falls back to regular string when Trusted Types are unavailable.
+ *
+ * @param html - The HTML string to wrap
+ * @returns Trusted HTML value or sanitized string
+ */
+export declare const createTrustedHtml: (html: string) => TrustedHTML | string;
+//# sourceMappingURL=trusted-types.d.ts.map

package/dist/security/trusted-types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"trusted-types.d.ts","sourceRoot":"","sources":["../../src/security/trusted-types.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAIH,OAAO,KAAK,EAAE,WAAW,EAAE,iBAAiB,EAAsB,MAAM,SAAS,CAAC;AAQlF;;;GAGG;AACH,eAAO,MAAM,uBAAuB,QAAO,OAK1C,CAAC;AAEF;;;GAGG;AACH,eAAO,MAAM,qBAAqB,QAAO,iBAAiB,GAAG,IAsB5D,CAAC;AAEF;;;;;;GAMG;AACH,eAAO,MAAM,iBAAiB,GAAI,MAAM,MAAM,KAAG,WAAW,GAAG,MAM9D,CAAC"}

package/dist/security/types.d.ts

@@ -0,0 +1,36 @@
+/**
+ * Security types for sanitization, CSP compatibility, and Trusted Types.
+ *
+ * @module bquery/security
+ */
+/**
+ * Sanitizer configuration options.
+ */
+export interface SanitizeOptions {
+    /** Allow these additional tags (default: none) */
+    allowTags?: string[];
+    /** Allow these additional attributes (default: none) */
+    allowAttributes?: string[];
+    /** Allow data-* attributes (default: true) */
+    allowDataAttributes?: boolean;
+    /** Strip all tags and return plain text (default: false) */
+    stripAllTags?: boolean;
+}
+/** Window interface extended with Trusted Types */
+export interface TrustedTypesWindow extends Window {
+    trustedTypes?: {
+        createPolicy: (name: string, rules: {
+            createHTML?: (input: string) => string;
+        }) => TrustedTypePolicy;
+        isHTML?: (value: unknown) => boolean;
+    };
+}
+/** Trusted Types policy interface */
+export interface TrustedTypePolicy {
+    createHTML: (input: string) => TrustedHTML;
+}
+/** Trusted HTML type placeholder for environments without Trusted Types */
+export interface TrustedHTML {
+    toString(): string;
+}
+//# sourceMappingURL=types.d.ts.map

package/dist/security/types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../src/security/types.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH;;GAEG;AACH,MAAM,WAAW,eAAe;IAC9B,kDAAkD;IAClD,SAAS,CAAC,EAAE,MAAM,EAAE,CAAC;IACrB,wDAAwD;IACxD,eAAe,CAAC,EAAE,MAAM,EAAE,CAAC;IAC3B,8CAA8C;IAC9C,mBAAmB,CAAC,EAAE,OAAO,CAAC;IAC9B,4DAA4D;IAC5D,YAAY,CAAC,EAAE,OAAO,CAAC;CACxB;AAED,mDAAmD;AACnD,MAAM,WAAW,kBAAmB,SAAQ,MAAM;IAChD,YAAY,CAAC,EAAE;QACb,YAAY,EAAE,CACZ,IAAI,EAAE,MAAM,EACZ,KAAK,EAAE;YAAE,UAAU,CAAC,EAAE,CAAC,KAAK,EAAE,MAAM,KAAK,MAAM,CAAA;SAAE,KAC9C,iBAAiB,CAAC;QACvB,MAAM,CAAC,EAAE,CAAC,KAAK,EAAE,OAAO,KAAK,OAAO,CAAC;KACtC,CAAC;CACH;AAED,qCAAqC;AACrC,MAAM,WAAW,iBAAiB;IAChC,UAAU,EAAE,CAAC,KAAK,EAAE,MAAM,KAAK,WAAW,CAAC;CAC5C;AAED,2EAA2E;AAC3E,MAAM,WAAW,WAAW;IAC1B,QAAQ,IAAI,MAAM,CAAC;CACpB"}

package/dist/security.es.mjs

@@ -1,285 +1,58 @@
-const w = "bquery-sanitizer";
-let u = null;
-const F = () => typeof window.trustedTypes < "u", C = () => {
-  if (u) return u;
+import { b as u, P as i } from "./sanitize-1FBEPAFH.js";
+import { e as h, s as b, s as N, a as C } from "./sanitize-1FBEPAFH.js";
+const s = 1024, a = 8192, p = (t = 16) => {
+  if (!Number.isInteger(t) || t < 1)
+    throw new RangeError("generateNonce length must be a positive integer");
+  if (t > s)
+    throw new RangeError(`generateNonce length must not exceed ${s}`);
+  if (typeof globalThis.crypto > "u" || typeof globalThis.crypto.getRandomValues != "function")
+    throw new Error(
+      "generateNonce requires crypto.getRandomValues (not available in this environment)"
+    );
+  if (typeof globalThis.btoa != "function")
+    throw new Error("generateNonce requires btoa (not available in this environment)");
+  const e = new Uint8Array(t);
+  globalThis.crypto.getRandomValues(e);
+  let r = "";
+  for (let n = 0; n < e.length; n += a) {
+    const l = e.subarray(n, Math.min(n + a, e.length));
+    r += String.fromCharCode(...l);
+  }
+  return globalThis.btoa(r).replace(/\+/g, "-").replace(/\//g, "_").replace(/=/g, "");
+}, y = (t) => {
+  if (typeof document > "u")
+    return !1;
+  const e = document.querySelector('meta[http-equiv="Content-Security-Policy"]');
+  return e ? (e.getAttribute("content") ?? "").includes(t) : !1;
+};
+let o = null, c = !1;
+const g = () => typeof window < "u" && typeof window.trustedTypes < "u", d = () => {
+  if (o) return o;
+  if (c || typeof window > "u") return null;
   const t = window;
   if (!t.trustedTypes) return null;
+  c = !0;
   try {
-    return u = t.trustedTypes.createPolicy(w, {
-      createHTML: (e) => m(e)
-    }), u;
-  } catch {
-    return console.warn(`bQuery: Could not create Trusted Types policy "${w}"`), null;
+    return o = t.trustedTypes.createPolicy(i, {
+      createHTML: (e) => u(e)
+    }), o;
+  } catch (e) {
+    const r = e instanceof Error ? e.message : String(e);
+    return console.warn(`bQuery: Could not create Trusted Types policy "${i}": ${r}`), null;
   }
-}, E = /* @__PURE__ */ new Set([
-  "a",
-  "abbr",
-  "address",
-  "article",
-  "aside",
-  "b",
-  "bdi",
-  "bdo",
-  "blockquote",
-  "br",
-  "button",
-  "caption",
-  "cite",
-  "code",
-  "col",
-  "colgroup",
-  "data",
-  "dd",
-  "del",
-  "details",
-  "dfn",
-  "div",
-  "dl",
-  "dt",
-  "em",
-  "figcaption",
-  "figure",
-  "footer",
-  "form",
-  "h1",
-  "h2",
-  "h3",
-  "h4",
-  "h5",
-  "h6",
-  "header",
-  "hgroup",
-  "hr",
-  "i",
-  "img",
-  "input",
-  "ins",
-  "kbd",
-  "label",
-  "legend",
-  "li",
-  "main",
-  "mark",
-  "nav",
-  "ol",
-  "optgroup",
-  "option",
-  "p",
-  "picture",
-  "pre",
-  "progress",
-  "q",
-  "rp",
-  "rt",
-  "ruby",
-  "s",
-  "samp",
-  "section",
-  "select",
-  "small",
-  "source",
-  "span",
-  "strong",
-  "sub",
-  "summary",
-  "sup",
-  "table",
-  "tbody",
-  "td",
-  "textarea",
-  "tfoot",
-  "th",
-  "thead",
-  "time",
-  "tr",
-  "u",
-  "ul",
-  "var",
-  "wbr"
-]), b = /* @__PURE__ */ new Set([
-  "script",
-  "iframe",
-  "frame",
-  "frameset",
-  "object",
-  "embed",
-  "applet",
-  "link",
-  "meta",
-  "style",
-  "base",
-  "template",
-  "slot",
-  "math",
-  "svg",
-  "foreignobject",
-  "noscript"
-]), v = /* @__PURE__ */ new Set([
-  // Global objects
-  "document",
-  "window",
-  "location",
-  "top",
-  "self",
-  "parent",
-  "frames",
-  "history",
-  "navigator",
-  "screen",
-  // Dangerous functions
-  "alert",
-  "confirm",
-  "prompt",
-  "eval",
-  "Function",
-  // Document properties
-  "cookie",
-  "domain",
-  "referrer",
-  "body",
-  "head",
-  "forms",
-  "images",
-  "links",
-  "scripts",
-  // DOM traversal properties
-  "children",
-  "parentNode",
-  "firstChild",
-  "lastChild",
-  // Content manipulation
-  "innerHTML",
-  "outerHTML",
-  "textContent"
-]), N = /* @__PURE__ */ new Set([
-  "alt",
-  "class",
-  "dir",
-  "height",
-  "hidden",
-  "href",
-  "id",
-  "lang",
-  "loading",
-  "name",
-  "rel",
-  "role",
-  "src",
-  "srcset",
-  "style",
-  "tabindex",
-  "target",
-  "title",
-  "type",
-  "width",
-  "aria-*"
-]), x = ["on", "formaction", "xlink:", "xmlns:"], R = ["javascript:", "data:", "vbscript:", "file:"], O = (t, e, o) => {
-  const s = t.toLowerCase();
-  for (const i of x)
-    if (s.startsWith(i)) return !1;
-  return o && s.startsWith("data-") || s.startsWith("aria-") ? !0 : e.has(s);
-}, U = (t) => {
-  const e = t.toLowerCase().trim();
-  return !v.has(e);
-}, W = (t) => t.replace(/[\u0000-\u001F\u007F]+/g, "").replace(/[\u200B-\u200D\uFEFF\u2028\u2029]+/g, "").replace(/\\u[\da-fA-F]{4}/g, "").replace(/\s+/g, "").toLowerCase(), _ = (t) => {
-  const e = W(t);
-  for (const o of R)
-    if (e.startsWith(o)) return !1;
-  return !0;
-}, D = (t) => {
-  try {
-    const e = t.trim();
-    if (e.startsWith("//"))
-      return !0;
-    const o = e.toLowerCase();
-    return /^[a-z][a-z0-9+.-]*:/i.test(e) && !o.startsWith("http://") && !o.startsWith("https://") ? !0 : !o.startsWith("http://") && !o.startsWith("https://") ? !1 : typeof window > "u" || !window.location ? !0 : new URL(e, window.location.href).origin !== window.location.origin;
-  } catch {
-    return !0;
-  }
-}, m = (t, e = {}) => {
-  const {
-    allowTags: o = [],
-    allowAttributes: s = [],
-    allowDataAttributes: i = !0,
-    stripAllTags: T = !1
-  } = e, y = new Set(
-    [...E, ...o.map((r) => r.toLowerCase())].filter(
-      (r) => !b.has(r)
-    )
-  ), A = /* @__PURE__ */ new Set([
-    ...N,
-    ...s.map((r) => r.toLowerCase())
-  ]), c = document.createElement("template");
-  if (c.innerHTML = t, T)
-    return c.content.textContent ?? "";
-  const h = document.createTreeWalker(c.content, NodeFilter.SHOW_ELEMENT), d = [];
-  for (; h.nextNode(); ) {
-    const r = h.currentNode, p = r.tagName.toLowerCase();
-    if (b.has(p)) {
-      d.push(r);
-      continue;
-    }
-    if (!y.has(p)) {
-      d.push(r);
-      continue;
-    }
-    const l = [];
-    for (const n of Array.from(r.attributes)) {
-      const a = n.name.toLowerCase();
-      if (!O(a, A, i)) {
-        l.push(n.name);
-        continue;
-      }
-      if ((a === "id" || a === "name") && !U(n.value)) {
-        l.push(n.name);
-        continue;
-      }
-      (a === "href" || a === "src" || a === "srcset") && !_(n.value) && l.push(n.name);
-    }
-    for (const n of l)
-      r.removeAttribute(n);
-    if (p === "a") {
-      const n = r.getAttribute("href"), L = r.getAttribute("target")?.toLowerCase() === "_blank", S = n && D(n);
-      if (L || S) {
-        const g = r.getAttribute("rel"), f = new Set(
-          g ? g.split(/\s+/).filter(Boolean) : []
-        );
-        f.add("noopener"), f.add("noreferrer"), r.setAttribute("rel", Array.from(f).join(" "));
-      }
-    }
-  }
-  for (const r of d)
-    r.remove();
-  return c.innerHTML;
-}, k = (t, e = {}) => m(t, e), H = (t) => {
-  const e = C();
-  return e ? e.createHTML(t) : k(t);
-}, P = (t) => {
-  const e = {
-    "&": "&amp;",
-    "<": "&lt;",
-    ">": "&gt;",
-    '"': "&quot;",
-    "'": "&#x27;",
-    "`": "&#x60;"
-  };
-  return t.replace(/[&<>"'`]/g, (o) => e[o]);
-}, M = (t) => m(t, { stripAllTags: !0 }), z = (t = 16) => {
-  const e = new Uint8Array(t);
-  return crypto.getRandomValues(e), btoa(String.fromCharCode(...e)).replace(/\+/g, "-").replace(/\//g, "_").replace(/=/g, "");
-}, j = (t) => {
-  const e = document.querySelector('meta[http-equiv="Content-Security-Policy"]');
-  return e ? (e.getAttribute("content") ?? "").includes(t) : !1;
+}, m = (t) => {
+  const e = d();
+  return e ? e.createHTML(t) : u(t);
 };
 export {
-  H as createTrustedHtml,
-  P as escapeHtml,
-  z as generateNonce,
-  C as getTrustedTypesPolicy,
-  j as hasCSPDirective,
-  F as isTrustedTypesSupported,
-  k as sanitize,
-  k as sanitizeHtml,
-  M as stripTags
+  m as createTrustedHtml,
+  h as escapeHtml,
+  p as generateNonce,
+  d as getTrustedTypesPolicy,
+  y as hasCSPDirective,
+  g as isTrustedTypesSupported,
+  b as sanitize,
+  N as sanitizeHtml,
+  C as stripTags
 };
 //# sourceMappingURL=security.es.mjs.map

package/dist/security.es.mjs.map

@@ -1 +1 @@
-{"version":3,"file":"security.es.mjs","sources":["../src/security/sanitize.ts"],"sourcesContent":["/**\r\n * Security utilities for HTML sanitization, CSP compatibility, and Trusted Types.\r\n * All DOM writes are sanitized by default to prevent XSS attacks.\r\n *\r\n * @module bquery/security\r\n */\r\n\r\n// ============================================================================\r\n// Types\r\n// ============================================================================\r\n\r\n/**\r\n * Sanitizer configuration options.\r\n */\r\nexport interface SanitizeOptions {\r\n  /** Allow these additional tags (default: none) */\r\n  allowTags?: string[];\r\n  /** Allow these additional attributes (default: none) */\r\n  allowAttributes?: string[];\r\n  /** Allow data-* attributes (default: true) */\r\n  allowDataAttributes?: boolean;\r\n  /** Strip all tags and return plain text (default: false) */\r\n  stripAllTags?: boolean;\r\n}\r\n\r\n/**\r\n * Trusted Types policy name.\r\n */\r\nconst POLICY_NAME = 'bquery-sanitizer';\r\n\r\n// ============================================================================\r\n// Trusted Types Support\r\n// ============================================================================\r\n\r\n/** Window interface extended with Trusted Types */\r\ninterface TrustedTypesWindow extends Window {\r\n  trustedTypes?: {\r\n    createPolicy: (\r\n      name: string,\r\n      rules: { createHTML?: (input: string) => string }\r\n    ) => TrustedTypePolicy;\r\n    isHTML?: (value: unknown) => boolean;\r\n  };\r\n}\r\n\r\n/** Trusted Types policy interface */\r\ninterface TrustedTypePolicy {\r\n  createHTML: (input: string) => TrustedHTML;\r\n}\r\n\r\n/** Trusted HTML type placeholder for environments without Trusted Types */\r\ninterface TrustedHTML {\r\n  toString(): string;\r\n}\r\n\r\n/** Cached Trusted Types policy */\r\nlet cachedPolicy: TrustedTypePolicy | null = null;\r\n\r\n/**\r\n * Check if Trusted Types API is available.\r\n * @returns True if Trusted Types are supported\r\n */\r\nexport const isTrustedTypesSupported = (): boolean => {\r\n  return typeof (window as TrustedTypesWindow).trustedTypes !== 'undefined';\r\n};\r\n\r\n/**\r\n * Get or create the bQuery Trusted Types policy.\r\n * @returns The Trusted Types policy or null if unsupported\r\n */\r\nexport const getTrustedTypesPolicy = (): TrustedTypePolicy | null => {\r\n  if (cachedPolicy) return cachedPolicy;\r\n\r\n  const win = window as TrustedTypesWindow;\r\n  if (!win.trustedTypes) return null;\r\n\r\n  try {\r\n    cachedPolicy = win.trustedTypes.createPolicy(POLICY_NAME, {\r\n      createHTML: (input: string) => sanitizeHtmlCore(input),\r\n    });\r\n    return cachedPolicy;\r\n  } catch {\r\n    // Policy may already exist or be blocked by CSP\r\n    console.warn(`bQuery: Could not create Trusted Types policy \"${POLICY_NAME}\"`);\r\n    return null;\r\n  }\r\n};\r\n\r\n// ============================================================================\r\n// Default Safe Lists\r\n// ============================================================================\r\n\r\n/**\r\n * Default allowed HTML tags considered safe.\r\n */\r\nconst DEFAULT_ALLOWED_TAGS = new Set([\r\n  'a',\r\n  'abbr',\r\n  'address',\r\n  'article',\r\n  'aside',\r\n  'b',\r\n  'bdi',\r\n  'bdo',\r\n  'blockquote',\r\n  'br',\r\n  'button',\r\n  'caption',\r\n  'cite',\r\n  'code',\r\n  'col',\r\n  'colgroup',\r\n  'data',\r\n  'dd',\r\n  'del',\r\n  'details',\r\n  'dfn',\r\n  'div',\r\n  'dl',\r\n  'dt',\r\n  'em',\r\n  'figcaption',\r\n  'figure',\r\n  'footer',\r\n  'form',\r\n  'h1',\r\n  'h2',\r\n  'h3',\r\n  'h4',\r\n  'h5',\r\n  'h6',\r\n  'header',\r\n  'hgroup',\r\n  'hr',\r\n  'i',\r\n  'img',\r\n  'input',\r\n  'ins',\r\n  'kbd',\r\n  'label',\r\n  'legend',\r\n  'li',\r\n  'main',\r\n  'mark',\r\n  'nav',\r\n  'ol',\r\n  'optgroup',\r\n  'option',\r\n  'p',\r\n  'picture',\r\n  'pre',\r\n  'progress',\r\n  'q',\r\n  'rp',\r\n  'rt',\r\n  'ruby',\r\n  's',\r\n  'samp',\r\n  'section',\r\n  'select',\r\n  'small',\r\n  'source',\r\n  'span',\r\n  'strong',\r\n  'sub',\r\n  'summary',\r\n  'sup',\r\n  'table',\r\n  'tbody',\r\n  'td',\r\n  'textarea',\r\n  'tfoot',\r\n  'th',\r\n  'thead',\r\n  'time',\r\n  'tr',\r\n  'u',\r\n  'ul',\r\n  'var',\r\n  'wbr',\r\n]);\r\n\r\n/**\r\n * Explicitly dangerous tags that should never be allowed.\r\n * These are checked even if somehow added to allowTags.\r\n */\r\nconst DANGEROUS_TAGS = new Set([\r\n  'script',\r\n  'iframe',\r\n  'frame',\r\n  'frameset',\r\n  'object',\r\n  'embed',\r\n  'applet',\r\n  'link',\r\n  'meta',\r\n  'style',\r\n  'base',\r\n  'template',\r\n  'slot',\r\n  'math',\r\n  'svg',\r\n  'foreignobject',\r\n  'noscript',\r\n]);\r\n\r\n/**\r\n * Reserved IDs that could cause DOM clobbering attacks.\r\n * These are prevented to avoid overwriting global browser objects.\r\n */\r\nconst RESERVED_IDS = new Set([\r\n  // Global objects\r\n  'document',\r\n  'window',\r\n  'location',\r\n  'top',\r\n  'self',\r\n  'parent',\r\n  'frames',\r\n  'history',\r\n  'navigator',\r\n  'screen',\r\n  // Dangerous functions\r\n  'alert',\r\n  'confirm',\r\n  'prompt',\r\n  'eval',\r\n  'Function',\r\n  // Document properties\r\n  'cookie',\r\n  'domain',\r\n  'referrer',\r\n  'body',\r\n  'head',\r\n  'forms',\r\n  'images',\r\n  'links',\r\n  'scripts',\r\n  // DOM traversal properties\r\n  'children',\r\n  'parentNode',\r\n  'firstChild',\r\n  'lastChild',\r\n  // Content manipulation\r\n  'innerHTML',\r\n  'outerHTML',\r\n  'textContent',\r\n]);\r\n\r\n/**\r\n * Default allowed attributes considered safe.\r\n */\r\nconst DEFAULT_ALLOWED_ATTRIBUTES = new Set([\r\n  'alt',\r\n  'class',\r\n  'dir',\r\n  'height',\r\n  'hidden',\r\n  'href',\r\n  'id',\r\n  'lang',\r\n  'loading',\r\n  'name',\r\n  'rel',\r\n  'role',\r\n  'src',\r\n  'srcset',\r\n  'style',\r\n  'tabindex',\r\n  'target',\r\n  'title',\r\n  'type',\r\n  'width',\r\n  'aria-*',\r\n]);\r\n\r\n/**\r\n * Dangerous attribute prefixes to always remove.\r\n */\r\nconst DANGEROUS_ATTR_PREFIXES = ['on', 'formaction', 'xlink:', 'xmlns:'];\r\n\r\n/**\r\n * Dangerous URL protocols to block.\r\n */\r\nconst DANGEROUS_PROTOCOLS = ['javascript:', 'data:', 'vbscript:', 'file:'];\r\n\r\n// ============================================================================\r\n// Core Sanitization\r\n// ============================================================================\r\n\r\n/**\r\n * Check if an attribute name is allowed.\r\n * @internal\r\n */\r\nconst isAllowedAttribute = (\r\n  name: string,\r\n  allowedSet: Set<string>,\r\n  allowDataAttrs: boolean\r\n): boolean => {\r\n  const lowerName = name.toLowerCase();\r\n\r\n  // Check dangerous prefixes\r\n  for (const prefix of DANGEROUS_ATTR_PREFIXES) {\r\n    if (lowerName.startsWith(prefix)) return false;\r\n  }\r\n\r\n  // Check data attributes\r\n  if (allowDataAttrs && lowerName.startsWith('data-')) return true;\r\n\r\n  // Check aria attributes (allowed by default)\r\n  if (lowerName.startsWith('aria-')) return true;\r\n\r\n  // Check explicit allow list\r\n  return allowedSet.has(lowerName);\r\n};\r\n\r\n/**\r\n * Check if an ID/name value could cause DOM clobbering.\r\n * @internal\r\n */\r\nconst isSafeIdOrName = (value: string): boolean => {\r\n  const lowerValue = value.toLowerCase().trim();\r\n  return !RESERVED_IDS.has(lowerValue);\r\n};\r\n\r\n/**\r\n * Normalize URL by removing control characters, whitespace, and Unicode tricks.\r\n * Enhanced to prevent various bypass techniques.\r\n * @internal\r\n */\r\nconst normalizeUrl = (value: string): string =>\r\n  value\r\n    // Remove null bytes and control characters\r\n    .replace(/[\\u0000-\\u001F\\u007F]+/g, '')\r\n    // Remove zero-width characters that could hide malicious content\r\n    .replace(/[\\u200B-\\u200D\\uFEFF\\u2028\\u2029]+/g, '')\r\n    // Remove escaped Unicode sequences\r\n    .replace(/\\\\u[\\da-fA-F]{4}/g, '')\r\n    // Remove whitespace\r\n    .replace(/\\s+/g, '')\r\n    // Normalize case\r\n    .toLowerCase();\r\n\r\n/**\r\n * Check if a URL value is safe.\r\n * @internal\r\n */\r\nconst isSafeUrl = (value: string): boolean => {\r\n  const normalized = normalizeUrl(value);\r\n  for (const protocol of DANGEROUS_PROTOCOLS) {\r\n    if (normalized.startsWith(protocol)) return false;\r\n  }\r\n  return true;\r\n};\r\n\r\n/**\r\n * Check if a URL is external (different origin).\r\n * @internal\r\n */\r\nconst isExternalUrl = (url: string): boolean => {\r\n  try {\r\n    // Normalize URL by trimming whitespace\r\n    const trimmedUrl = url.trim();\r\n    \r\n    // Protocol-relative URLs (//example.com) are always external.\r\n    // CRITICAL: This check must run before the relative-URL check below;\r\n    // otherwise, a protocol-relative URL like \"//evil.com\" would be treated\r\n    // as a non-http(s) relative URL and incorrectly classified as same-origin.\r\n    // Handling them up front guarantees correct security classification.\r\n    if (trimmedUrl.startsWith('//')) {\r\n      return true;\r\n    }\r\n    \r\n    // Normalize URL for case-insensitive protocol checks\r\n    const lowerUrl = trimmedUrl.toLowerCase();\r\n    \r\n    // Check for non-http(s) protocols which are considered external/special\r\n    // (mailto:, tel:, ftp:, etc.)\r\n    const hasProtocol = /^[a-z][a-z0-9+.-]*:/i.test(trimmedUrl);\r\n    if (hasProtocol && !lowerUrl.startsWith('http://') && !lowerUrl.startsWith('https://')) {\r\n      // These are special protocols, not traditional \"external\" links\r\n      // but we treat them as external for security consistency\r\n      return true;\r\n    }\r\n    \r\n    // Relative URLs are not external\r\n    if (!lowerUrl.startsWith('http://') && !lowerUrl.startsWith('https://')) {\r\n      return false;\r\n    }\r\n    \r\n    // In non-browser environments (e.g., Node.js), treat all absolute URLs as external\r\n    if (typeof window === 'undefined' || !window.location) {\r\n      return true;\r\n    }\r\n    \r\n    const urlObj = new URL(trimmedUrl, window.location.href);\r\n    return urlObj.origin !== window.location.origin;\r\n  } catch {\r\n    // If URL parsing fails, treat as potentially external for safety\r\n    return true;\r\n  }\r\n};\r\n\r\n/**\r\n * Core sanitization logic (without Trusted Types wrapper).\r\n * @internal\r\n */\r\nconst sanitizeHtmlCore = (html: string, options: SanitizeOptions = {}): string => {\r\n  const {\r\n    allowTags = [],\r\n    allowAttributes = [],\r\n    allowDataAttributes = true,\r\n    stripAllTags = false,\r\n  } = options;\r\n\r\n  // Build combined allow sets (excluding dangerous tags even if specified)\r\n  const allowedTags = new Set(\r\n    [...DEFAULT_ALLOWED_TAGS, ...allowTags.map((t) => t.toLowerCase())].filter(\r\n      (tag) => !DANGEROUS_TAGS.has(tag)\r\n    )\r\n  );\r\n  const allowedAttrs = new Set([\r\n    ...DEFAULT_ALLOWED_ATTRIBUTES,\r\n    ...allowAttributes.map((a) => a.toLowerCase()),\r\n  ]);\r\n\r\n  // Use template for parsing\r\n  const template = document.createElement('template');\r\n  template.innerHTML = html;\r\n\r\n  if (stripAllTags) {\r\n    return template.content.textContent ?? '';\r\n  }\r\n\r\n  // Walk the DOM tree\r\n  const walker = document.createTreeWalker(template.content, NodeFilter.SHOW_ELEMENT);\r\n\r\n  const toRemove: Element[] = [];\r\n\r\n  while (walker.nextNode()) {\r\n    const el = walker.currentNode as Element;\r\n    const tagName = el.tagName.toLowerCase();\r\n\r\n    // Remove explicitly dangerous tags even if in allow list\r\n    if (DANGEROUS_TAGS.has(tagName)) {\r\n      toRemove.push(el);\r\n      continue;\r\n    }\r\n\r\n    // Remove disallowed tags entirely\r\n    if (!allowedTags.has(tagName)) {\r\n      toRemove.push(el);\r\n      continue;\r\n    }\r\n\r\n    // Process attributes\r\n    const attrsToRemove: string[] = [];\r\n    for (const attr of Array.from(el.attributes)) {\r\n      const attrName = attr.name.toLowerCase();\r\n\r\n      // Check if attribute is allowed\r\n      if (!isAllowedAttribute(attrName, allowedAttrs, allowDataAttributes)) {\r\n        attrsToRemove.push(attr.name);\r\n        continue;\r\n      }\r\n\r\n      // Check for DOM clobbering on id and name attributes\r\n      if ((attrName === 'id' || attrName === 'name') && !isSafeIdOrName(attr.value)) {\r\n        attrsToRemove.push(attr.name);\r\n        continue;\r\n      }\r\n\r\n      // Validate URL attributes\r\n      if (\r\n        (attrName === 'href' || attrName === 'src' || attrName === 'srcset') &&\r\n        !isSafeUrl(attr.value)\r\n      ) {\r\n        attrsToRemove.push(attr.name);\r\n      }\r\n    }\r\n\r\n    // Remove disallowed attributes\r\n    for (const attrName of attrsToRemove) {\r\n      el.removeAttribute(attrName);\r\n    }\r\n\r\n    // Add rel=\"noopener noreferrer\" to external links for security\r\n    if (tagName === 'a') {\r\n      const href = el.getAttribute('href');\r\n      const target = el.getAttribute('target');\r\n      const hasTargetBlank = target?.toLowerCase() === '_blank';\r\n      const isExternal = href && isExternalUrl(href);\r\n\r\n      // Add security attributes to links opening in new window or external links\r\n      if (hasTargetBlank || isExternal) {\r\n        const existingRel = el.getAttribute('rel');\r\n        const relValues = new Set(\r\n          existingRel ? existingRel.split(/\\s+/).filter(Boolean) : []\r\n        );\r\n        \r\n        // Add noopener and noreferrer\r\n        relValues.add('noopener');\r\n        relValues.add('noreferrer');\r\n        \r\n        el.setAttribute('rel', Array.from(relValues).join(' '));\r\n      }\r\n    }\r\n  }\r\n\r\n  // Remove disallowed elements\r\n  for (const el of toRemove) {\r\n    el.remove();\r\n  }\r\n\r\n  return template.innerHTML;\r\n};\r\n\r\n// ============================================================================\r\n// Public API\r\n// ============================================================================\r\n\r\n/**\r\n * Sanitize HTML string, removing dangerous elements and attributes.\r\n * Uses Trusted Types when available for CSP compliance.\r\n *\r\n * @param html - The HTML string to sanitize\r\n * @param options - Sanitization options\r\n * @returns Sanitized HTML string\r\n *\r\n * @example\r\n * ```ts\r\n * const safe = sanitizeHtml('<div onclick=\"alert(1)\">Hello</div>');\r\n * // Returns: '<div>Hello</div>'\r\n * ```\r\n */\r\nexport const sanitizeHtml = (html: string, options: SanitizeOptions = {}): string => {\r\n  return sanitizeHtmlCore(html, options);\r\n};\r\n\r\n/**\r\n * Create a Trusted HTML value for use with Trusted Types-enabled sites.\r\n * Falls back to regular string when Trusted Types are unavailable.\r\n *\r\n * @param html - The HTML string to wrap\r\n * @returns Trusted HTML value or sanitized string\r\n */\r\nexport const createTrustedHtml = (html: string): TrustedHTML | string => {\r\n  const policy = getTrustedTypesPolicy();\r\n  if (policy) {\r\n    return policy.createHTML(html);\r\n  }\r\n  return sanitizeHtml(html);\r\n};\r\n\r\n/**\r\n * Escape HTML entities to prevent XSS.\r\n * Use this for displaying user content as text.\r\n *\r\n * @param text - The text to escape\r\n * @returns Escaped HTML string\r\n *\r\n * @example\r\n * ```ts\r\n * escapeHtml('<script>alert(1)</script>');\r\n * // Returns: '&lt;script&gt;alert(1)&lt;/script&gt;'\r\n * ```\r\n */\r\nexport const escapeHtml = (text: string): string => {\r\n  const escapeMap: Record<string, string> = {\r\n    '&': '&amp;',\r\n    '<': '&lt;',\r\n    '>': '&gt;',\r\n    '\"': '&quot;',\r\n    \"'\": '&#x27;',\r\n    '`': '&#x60;',\r\n  };\r\n  return text.replace(/[&<>\"'`]/g, (char) => escapeMap[char]);\r\n};\r\n\r\n/**\r\n * Strip all HTML tags and return plain text.\r\n *\r\n * @param html - The HTML string to strip\r\n * @returns Plain text content\r\n */\r\nexport const stripTags = (html: string): string => {\r\n  return sanitizeHtmlCore(html, { stripAllTags: true });\r\n};\r\n\r\n// ============================================================================\r\n// CSP Helpers\r\n// ============================================================================\r\n\r\n/**\r\n * Generate a nonce for inline scripts/styles.\r\n * Use with Content-Security-Policy nonce directives.\r\n *\r\n * @param length - Nonce length (default: 16)\r\n * @returns Cryptographically random nonce string\r\n */\r\nexport const generateNonce = (length: number = 16): string => {\r\n  const array = new Uint8Array(length);\r\n  crypto.getRandomValues(array);\r\n  return btoa(String.fromCharCode(...array))\r\n    .replace(/\\+/g, '-')\r\n    .replace(/\\//g, '_')\r\n    .replace(/=/g, '');\r\n};\r\n\r\n/**\r\n * Check if a CSP header is present with specific directive.\r\n * Useful for feature detection and fallback strategies.\r\n *\r\n * @param directive - The CSP directive to check (e.g., 'script-src')\r\n * @returns True if the directive appears to be enforced\r\n */\r\nexport const hasCSPDirective = (directive: string): boolean => {\r\n  // Check meta tag\r\n  const meta = document.querySelector('meta[http-equiv=\"Content-Security-Policy\"]');\r\n  if (meta) {\r\n    const content = meta.getAttribute('content') ?? '';\r\n    return content.includes(directive);\r\n  }\r\n  return false;\r\n};\r\n"],"names":["POLICY_NAME","cachedPolicy","isTrustedTypesSupported","getTrustedTypesPolicy","win","input","sanitizeHtmlCore","DEFAULT_ALLOWED_TAGS","DANGEROUS_TAGS","RESERVED_IDS","DEFAULT_ALLOWED_ATTRIBUTES","DANGEROUS_ATTR_PREFIXES","DANGEROUS_PROTOCOLS","isAllowedAttribute","name","allowedSet","allowDataAttrs","lowerName","prefix","isSafeIdOrName","value","lowerValue","normalizeUrl","isSafeUrl","normalized","protocol","isExternalUrl","url","trimmedUrl","lowerUrl","html","options","allowTags","allowAttributes","allowDataAttributes","stripAllTags","allowedTags","t","tag","allowedAttrs","a","template","walker","toRemove","el","tagName","attrsToRemove","attr","attrName","href","hasTargetBlank","isExternal","existingRel","relValues","sanitizeHtml","createTrustedHtml","policy","escapeHtml","text","escapeMap","char","stripTags","generateNonce","length","array","hasCSPDirective","directive","meta"],"mappings":"AA4BA,MAAMA,IAAc;AA4BpB,IAAIC,IAAyC;AAMtC,MAAMC,IAA0B,MAC9B,OAAQ,OAA8B,eAAiB,KAOnDC,IAAwB,MAAgC;AACnE,MAAIF,EAAc,QAAOA;AAEzB,QAAMG,IAAM;AACZ,MAAI,CAACA,EAAI,aAAc,QAAO;AAE9B,MAAI;AACF,WAAAH,IAAeG,EAAI,aAAa,aAAaJ,GAAa;AAAA,MACxD,YAAY,CAACK,MAAkBC,EAAiBD,CAAK;AAAA,IAAA,CACtD,GACMJ;AAAA,EACT,QAAQ;AAEN,mBAAQ,KAAK,kDAAkDD,CAAW,GAAG,GACtE;AAAA,EACT;AACF,GASMO,wBAA2B,IAAI;AAAA,EACnC;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AACF,CAAC,GAMKC,wBAAqB,IAAI;AAAA,EAC7B;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AACF,CAAC,GAMKC,wBAAmB,IAAI;AAAA;AAAA,EAE3B;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA;AAAA,EAEA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA;AAAA,EAEA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA;AAAA,EAEA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA;AAAA,EAEA;AAAA,EACA;AAAA,EACA;AACF,CAAC,GAKKC,wBAAiC,IAAI;AAAA,EACzC;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AACF,CAAC,GAKKC,IAA0B,CAAC,MAAM,cAAc,UAAU,QAAQ,GAKjEC,IAAsB,CAAC,eAAe,SAAS,aAAa,OAAO,GAUnEC,IAAqB,CACzBC,GACAC,GACAC,MACY;AACZ,QAAMC,IAAYH,EAAK,YAAA;AAGvB,aAAWI,KAAUP;AACnB,QAAIM,EAAU,WAAWC,CAAM,EAAG,QAAO;AAO3C,SAHIF,KAAkBC,EAAU,WAAW,OAAO,KAG9CA,EAAU,WAAW,OAAO,IAAU,KAGnCF,EAAW,IAAIE,CAAS;AACjC,GAMME,IAAiB,CAACC,MAA2B;AACjD,QAAMC,IAAaD,EAAM,YAAA,EAAc,KAAA;AACvC,SAAO,CAACX,EAAa,IAAIY,CAAU;AACrC,GAOMC,IAAe,CAACF,MACpBA,EAEG,QAAQ,2BAA2B,EAAE,EAErC,QAAQ,uCAAuC,EAAE,EAEjD,QAAQ,qBAAqB,EAAE,EAE/B,QAAQ,QAAQ,EAAE,EAElB,YAAA,GAMCG,IAAY,CAACH,MAA2B;AAC5C,QAAMI,IAAaF,EAAaF,CAAK;AACrC,aAAWK,KAAYb;AACrB,QAAIY,EAAW,WAAWC,CAAQ,EAAG,QAAO;AAE9C,SAAO;AACT,GAMMC,IAAgB,CAACC,MAAyB;AAC9C,MAAI;AAEF,UAAMC,IAAaD,EAAI,KAAA;AAOvB,QAAIC,EAAW,WAAW,IAAI;AAC5B,aAAO;AAIT,UAAMC,IAAWD,EAAW,YAAA;AAK5B,WADoB,uBAAuB,KAAKA,CAAU,KACvC,CAACC,EAAS,WAAW,SAAS,KAAK,CAACA,EAAS,WAAW,UAAU,IAG5E,KAIL,CAACA,EAAS,WAAW,SAAS,KAAK,CAACA,EAAS,WAAW,UAAU,IAC7D,KAIL,OAAO,SAAW,OAAe,CAAC,OAAO,WACpC,KAGM,IAAI,IAAID,GAAY,OAAO,SAAS,IAAI,EACzC,WAAW,OAAO,SAAS;AAAA,EAC3C,QAAQ;AAEN,WAAO;AAAA,EACT;AACF,GAMMtB,IAAmB,CAACwB,GAAcC,IAA2B,OAAe;AAChF,QAAM;AAAA,IACJ,WAAAC,IAAY,CAAA;AAAA,IACZ,iBAAAC,IAAkB,CAAA;AAAA,IAClB,qBAAAC,IAAsB;AAAA,IACtB,cAAAC,IAAe;AAAA,EAAA,IACbJ,GAGEK,IAAc,IAAI;AAAA,IACtB,CAAC,GAAG7B,GAAsB,GAAGyB,EAAU,IAAI,CAACK,MAAMA,EAAE,aAAa,CAAC,EAAE;AAAA,MAClE,CAACC,MAAQ,CAAC9B,EAAe,IAAI8B,CAAG;AAAA,IAAA;AAAA,EAClC,GAEIC,wBAAmB,IAAI;AAAA,IAC3B,GAAG7B;AAAA,IACH,GAAGuB,EAAgB,IAAI,CAACO,MAAMA,EAAE,aAAa;AAAA,EAAA,CAC9C,GAGKC,IAAW,SAAS,cAAc,UAAU;AAGlD,MAFAA,EAAS,YAAYX,GAEjBK;AACF,WAAOM,EAAS,QAAQ,eAAe;AAIzC,QAAMC,IAAS,SAAS,iBAAiBD,EAAS,SAAS,WAAW,YAAY,GAE5EE,IAAsB,CAAA;AAE5B,SAAOD,EAAO,cAAY;AACxB,UAAME,IAAKF,EAAO,aACZG,IAAUD,EAAG,QAAQ,YAAA;AAG3B,QAAIpC,EAAe,IAAIqC,CAAO,GAAG;AAC/B,MAAAF,EAAS,KAAKC,CAAE;AAChB;AAAA,IACF;AAGA,QAAI,CAACR,EAAY,IAAIS,CAAO,GAAG;AAC7B,MAAAF,EAAS,KAAKC,CAAE;AAChB;AAAA,IACF;AAGA,UAAME,IAA0B,CAAA;AAChC,eAAWC,KAAQ,MAAM,KAAKH,EAAG,UAAU,GAAG;AAC5C,YAAMI,IAAWD,EAAK,KAAK,YAAA;AAG3B,UAAI,CAAClC,EAAmBmC,GAAUT,GAAcL,CAAmB,GAAG;AACpE,QAAAY,EAAc,KAAKC,EAAK,IAAI;AAC5B;AAAA,MACF;AAGA,WAAKC,MAAa,QAAQA,MAAa,WAAW,CAAC7B,EAAe4B,EAAK,KAAK,GAAG;AAC7E,QAAAD,EAAc,KAAKC,EAAK,IAAI;AAC5B;AAAA,MACF;AAGA,OACGC,MAAa,UAAUA,MAAa,SAASA,MAAa,aAC3D,CAACzB,EAAUwB,EAAK,KAAK,KAErBD,EAAc,KAAKC,EAAK,IAAI;AAAA,IAEhC;AAGA,eAAWC,KAAYF;AACrB,MAAAF,EAAG,gBAAgBI,CAAQ;AAI7B,QAAIH,MAAY,KAAK;AACnB,YAAMI,IAAOL,EAAG,aAAa,MAAM,GAE7BM,IADSN,EAAG,aAAa,QAAQ,GACR,YAAA,MAAkB,UAC3CO,IAAaF,KAAQvB,EAAcuB,CAAI;AAG7C,UAAIC,KAAkBC,GAAY;AAChC,cAAMC,IAAcR,EAAG,aAAa,KAAK,GACnCS,IAAY,IAAI;AAAA,UACpBD,IAAcA,EAAY,MAAM,KAAK,EAAE,OAAO,OAAO,IAAI,CAAA;AAAA,QAAC;AAI5D,QAAAC,EAAU,IAAI,UAAU,GACxBA,EAAU,IAAI,YAAY,GAE1BT,EAAG,aAAa,OAAO,MAAM,KAAKS,CAAS,EAAE,KAAK,GAAG,CAAC;AAAA,MACxD;AAAA,IACF;AAAA,EACF;AAGA,aAAWT,KAAMD;AACf,IAAAC,EAAG,OAAA;AAGL,SAAOH,EAAS;AAClB,GAoBaa,IAAe,CAACxB,GAAcC,IAA2B,OAC7DzB,EAAiBwB,GAAMC,CAAO,GAU1BwB,IAAoB,CAACzB,MAAuC;AACvE,QAAM0B,IAASrD,EAAA;AACf,SAAIqD,IACKA,EAAO,WAAW1B,CAAI,IAExBwB,EAAaxB,CAAI;AAC1B,GAea2B,IAAa,CAACC,MAAyB;AAClD,QAAMC,IAAoC;AAAA,IACxC,KAAK;AAAA,IACL,KAAK;AAAA,IACL,KAAK;AAAA,IACL,KAAK;AAAA,IACL,KAAK;AAAA,IACL,KAAK;AAAA,EAAA;AAEP,SAAOD,EAAK,QAAQ,aAAa,CAACE,MAASD,EAAUC,CAAI,CAAC;AAC5D,GAQaC,IAAY,CAAC/B,MACjBxB,EAAiBwB,GAAM,EAAE,cAAc,IAAM,GAczCgC,IAAgB,CAACC,IAAiB,OAAe;AAC5D,QAAMC,IAAQ,IAAI,WAAWD,CAAM;AACnC,gBAAO,gBAAgBC,CAAK,GACrB,KAAK,OAAO,aAAa,GAAGA,CAAK,CAAC,EACtC,QAAQ,OAAO,GAAG,EAClB,QAAQ,OAAO,GAAG,EAClB,QAAQ,MAAM,EAAE;AACrB,GASaC,IAAkB,CAACC,MAA+B;AAE7D,QAAMC,IAAO,SAAS,cAAc,4CAA4C;AAChF,SAAIA,KACcA,EAAK,aAAa,SAAS,KAAK,IACjC,SAASD,CAAS,IAE5B;AACT;"}
+{"version":3,"file":"security.es.mjs","sources":["../src/security/csp.ts","../src/security/trusted-types.ts"],"sourcesContent":["/**\n * Content Security Policy helpers.\n *\n * @module bquery/security\n */\n\n/** Maximum allowed nonce length to prevent memory issues */\nconst MAX_NONCE_LENGTH = 1024;\n\n/** Chunk size for building strings to avoid argument limit in String.fromCharCode */\nconst CHUNK_SIZE = 8192;\n\n/**\n * Generate a nonce for inline scripts/styles.\n * Use with Content-Security-Policy nonce directives.\n *\n * @param length - Nonce length in bytes (default: 16, max: 1024)\n * @returns Cryptographically random nonce string\n * @throws {Error} If crypto.getRandomValues or btoa are not available\n * @throws {RangeError} If length is invalid (negative, non-integer, or exceeds maximum)\n */\nexport const generateNonce = (length: number = 16): string => {\n  // Validate length parameter\n  if (!Number.isInteger(length) || length < 1) {\n    throw new RangeError('generateNonce length must be a positive integer');\n  }\n  if (length > MAX_NONCE_LENGTH) {\n    throw new RangeError(`generateNonce length must not exceed ${MAX_NONCE_LENGTH}`);\n  }\n\n  // Check for required globals in browser/crypto environments\n  if (\n    typeof globalThis.crypto === 'undefined' ||\n    typeof globalThis.crypto.getRandomValues !== 'function'\n  ) {\n    throw new Error(\n      'generateNonce requires crypto.getRandomValues (not available in this environment)'\n    );\n  }\n  if (typeof globalThis.btoa !== 'function') {\n    throw new Error('generateNonce requires btoa (not available in this environment)');\n  }\n\n  const array = new Uint8Array(length);\n  globalThis.crypto.getRandomValues(array);\n\n  // Build string in chunks to avoid argument limit in String.fromCharCode\n  let binaryString = '';\n  for (let i = 0; i < array.length; i += CHUNK_SIZE) {\n    const chunk = array.subarray(i, Math.min(i + CHUNK_SIZE, array.length));\n    binaryString += String.fromCharCode(...chunk);\n  }\n\n  return globalThis.btoa(binaryString).replace(/\\+/g, '-').replace(/\\//g, '_').replace(/=/g, '');\n};\n\n/**\n * Check if a CSP header is present with specific directive.\n * Useful for feature detection and fallback strategies.\n *\n * @param directive - The CSP directive to check (e.g., 'script-src')\n * @returns True if the directive appears to be enforced\n */\nexport const hasCSPDirective = (directive: string): boolean => {\n  // Guard for non-DOM environments (SSR, tests, etc.)\n  if (typeof document === 'undefined') {\n    return false;\n  }\n\n  // Check meta tag\n  const meta = document.querySelector('meta[http-equiv=\"Content-Security-Policy\"]');\n  if (meta) {\n    const content = meta.getAttribute('content') ?? '';\n    return content.includes(directive);\n  }\n  return false;\n};\n","/**\n * Trusted Types helpers for CSP compatibility.\n *\n * @module bquery/security\n */\n\nimport { POLICY_NAME } from './constants';\nimport { sanitizeHtmlCore } from './sanitize-core';\nimport type { TrustedHTML, TrustedTypePolicy, TrustedTypesWindow } from './types';\n\n/** Cached Trusted Types policy */\nlet cachedPolicy: TrustedTypePolicy | null = null;\n\n/** Whether policy initialization has been attempted (to avoid retry spam) */\nlet policyInitAttempted = false;\n\n/**\n * Check if Trusted Types API is available.\n * @returns True if Trusted Types are supported\n */\nexport const isTrustedTypesSupported = (): boolean => {\n  return (\n    typeof window !== 'undefined' &&\n    typeof (window as TrustedTypesWindow).trustedTypes !== 'undefined'\n  );\n};\n\n/**\n * Get or create the bQuery Trusted Types policy.\n * @returns The Trusted Types policy or null if unsupported\n */\nexport const getTrustedTypesPolicy = (): TrustedTypePolicy | null => {\n  if (cachedPolicy) return cachedPolicy;\n  if (policyInitAttempted) return null;\n\n  if (typeof window === 'undefined') return null;\n\n  const win = window as TrustedTypesWindow;\n  if (!win.trustedTypes) return null;\n\n  policyInitAttempted = true;\n\n  try {\n    cachedPolicy = win.trustedTypes.createPolicy(POLICY_NAME, {\n      createHTML: (input: string) => sanitizeHtmlCore(input),\n    });\n    return cachedPolicy;\n  } catch (error) {\n    // Policy may already exist or be blocked by CSP\n    const errorMessage = error instanceof Error ? error.message : String(error);\n    console.warn(`bQuery: Could not create Trusted Types policy \"${POLICY_NAME}\": ${errorMessage}`);\n    return null;\n  }\n};\n\n/**\n * Create a Trusted HTML value for use with Trusted Types-enabled sites.\n * Falls back to regular string when Trusted Types are unavailable.\n *\n * @param html - The HTML string to wrap\n * @returns Trusted HTML value or sanitized string\n */\nexport const createTrustedHtml = (html: string): TrustedHTML | string => {\n  const policy = getTrustedTypesPolicy();\n  if (policy) {\n    return policy.createHTML(html);\n  }\n  return sanitizeHtmlCore(html);\n};\n"],"names":["MAX_NONCE_LENGTH","CHUNK_SIZE","generateNonce","length","array","binaryString","i","chunk","hasCSPDirective","directive","meta","cachedPolicy","policyInitAttempted","isTrustedTypesSupported","getTrustedTypesPolicy","win","POLICY_NAME","input","sanitizeHtmlCore","error","errorMessage","createTrustedHtml","html","policy"],"mappings":";;AAOA,MAAMA,IAAmB,MAGnBC,IAAa,MAWNC,IAAgB,CAACC,IAAiB,OAAe;AAE5D,MAAI,CAAC,OAAO,UAAUA,CAAM,KAAKA,IAAS;AACxC,UAAM,IAAI,WAAW,iDAAiD;AAExE,MAAIA,IAASH;AACX,UAAM,IAAI,WAAW,wCAAwCA,CAAgB,EAAE;AAIjF,MACE,OAAO,WAAW,SAAW,OAC7B,OAAO,WAAW,OAAO,mBAAoB;AAE7C,UAAM,IAAI;AAAA,MACR;AAAA,IAAA;AAGJ,MAAI,OAAO,WAAW,QAAS;AAC7B,UAAM,IAAI,MAAM,iEAAiE;AAGnF,QAAMI,IAAQ,IAAI,WAAWD,CAAM;AACnC,aAAW,OAAO,gBAAgBC,CAAK;AAGvC,MAAIC,IAAe;AACnB,WAASC,IAAI,GAAGA,IAAIF,EAAM,QAAQE,KAAKL,GAAY;AACjD,UAAMM,IAAQH,EAAM,SAASE,GAAG,KAAK,IAAIA,IAAIL,GAAYG,EAAM,MAAM,CAAC;AACtE,IAAAC,KAAgB,OAAO,aAAa,GAAGE,CAAK;AAAA,EAC9C;AAEA,SAAO,WAAW,KAAKF,CAAY,EAAE,QAAQ,OAAO,GAAG,EAAE,QAAQ,OAAO,GAAG,EAAE,QAAQ,MAAM,EAAE;AAC/F,GASaG,IAAkB,CAACC,MAA+B;AAE7D,MAAI,OAAO,WAAa;AACtB,WAAO;AAIT,QAAMC,IAAO,SAAS,cAAc,4CAA4C;AAChF,SAAIA,KACcA,EAAK,aAAa,SAAS,KAAK,IACjC,SAASD,CAAS,IAE5B;AACT;ACjEA,IAAIE,IAAyC,MAGzCC,IAAsB;AAMnB,MAAMC,IAA0B,MAEnC,OAAO,SAAW,OAClB,OAAQ,OAA8B,eAAiB,KAQ9CC,IAAwB,MAAgC;AACnE,MAAIH,EAAc,QAAOA;AAGzB,MAFIC,KAEA,OAAO,SAAW,IAAa,QAAO;AAE1C,QAAMG,IAAM;AACZ,MAAI,CAACA,EAAI,aAAc,QAAO;AAE9B,EAAAH,IAAsB;AAEtB,MAAI;AACF,WAAAD,IAAeI,EAAI,aAAa,aAAaC,GAAa;AAAA,MACxD,YAAY,CAACC,MAAkBC,EAAiBD,CAAK;AAAA,IAAA,CACtD,GACMN;AAAA,EACT,SAASQ,GAAO;AAEd,UAAMC,IAAeD,aAAiB,QAAQA,EAAM,UAAU,OAAOA,CAAK;AAC1E,mBAAQ,KAAK,kDAAkDH,CAAW,MAAMI,CAAY,EAAE,GACvF;AAAA,EACT;AACF,GASaC,IAAoB,CAACC,MAAuC;AACvE,QAAMC,IAAST,EAAA;AACf,SAAIS,IACKA,EAAO,WAAWD,CAAI,IAExBJ,EAAiBI,CAAI;AAC9B;"}

package/dist/store/create-store.d.ts

@@ -0,0 +1,15 @@
+/**
+ * Store creation logic.
+ */
+import type { Store, StoreDefinition } from './types';
+/**
+ * Creates a reactive store with state, getters, and actions.
+ *
+ * @template S - State type
+ * @template G - Getters type
+ * @template A - Actions type
+ * @param definition - Store definition
+ * @returns The reactive store instance
+ */
+export declare const createStore: <S extends Record<string, unknown>, G extends Record<string, unknown> = Record<string, never>, A extends Record<string, (...args: any[]) => any> = Record<string, never>>(definition: StoreDefinition<S, G, A>) => Store<S, G, A>;
+//# sourceMappingURL=create-store.d.ts.map

package/dist/store/create-store.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"create-store.d.ts","sourceRoot":"","sources":["../../src/store/create-store.ts"],"names":[],"mappings":"AAAA;;GAEG;AAaH,OAAO,KAAK,EAAW,KAAK,EAAE,eAAe,EAAmB,MAAM,SAAS,CAAC;AAGhF;;;;;;;;GAQG;AACH,eAAO,MAAM,WAAW,GACtB,CAAC,SAAS,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EACjC,CAAC,SAAS,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,MAAM,CAAC,MAAM,EAAE,KAAK,CAAC,EAEzD,CAAC,SAAS,MAAM,CAAC,MAAM,EAAE,CAAC,GAAG,IAAI,EAAE,GAAG,EAAE,KAAK,GAAG,CAAC,GAAG,MAAM,CAAC,MAAM,EAAE,KAAK,CAAC,EAEzE,YAAY,eAAe,CAAC,CAAC,EAAE,CAAC,EAAE,CAAC,CAAC,KACnC,KAAK,CAAC,CAAC,EAAE,CAAC,EAAE,CAAC,CAsSf,CAAC"}

package/dist/store/define-store.d.ts

@@ -0,0 +1,28 @@
+/**
+ * Store factory helpers.
+ */
+import type { Store, StoreDefinition } from './types';
+/**
+ * Creates a store factory that returns the store instance.
+ *
+ * The store is lazily created on first call and cached in the global store
+ * registry. Subsequent calls return the same instance. After calling
+ * `destroyStore(id)`, the next factory call will create a fresh store.
+ *
+ * @param id - Store identifier
+ * @param definition - Store definition without id
+ * @returns A function that returns the store instance
+ *
+ * @example
+ * ```ts
+ * const useCounter = defineStore('counter', {
+ *   state: () => ({ count: 0 }),
+ *   actions: { increment() { this.count++; } },
+ * });
+ *
+ * const counter = useCounter();
+ * counter.increment();
+ * ```
+ */
+export declare const defineStore: <S extends Record<string, unknown>, G extends Record<string, unknown> = Record<string, never>, A extends Record<string, (...args: unknown[]) => unknown> = Record<string, never>>(id: string, definition: Omit<StoreDefinition<S, G, A>, "id">) => (() => Store<S, G, A>);
+//# sourceMappingURL=define-store.d.ts.map

package/dist/store/define-store.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"define-store.d.ts","sourceRoot":"","sources":["../../src/store/define-store.ts"],"names":[],"mappings":"AAAA;;GAEG;AAIH,OAAO,KAAK,EAAE,KAAK,EAAE,eAAe,EAAE,MAAM,SAAS,CAAC;AAEtD;;;;;;;;;;;;;;;;;;;;;GAqBG;AACH,eAAO,MAAM,WAAW,GACtB,CAAC,SAAS,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EACjC,CAAC,SAAS,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,MAAM,CAAC,MAAM,EAAE,KAAK,CAAC,EACzD,CAAC,SAAS,MAAM,CAAC,MAAM,EAAE,CAAC,GAAG,IAAI,EAAE,OAAO,EAAE,KAAK,OAAO,CAAC,GAAG,MAAM,CAAC,MAAM,EAAE,KAAK,CAAC,EAEjF,IAAI,MAAM,EACV,YAAY,IAAI,CAAC,eAAe,CAAC,CAAC,EAAE,CAAC,EAAE,CAAC,CAAC,EAAE,IAAI,CAAC,KAC/C,CAAC,MAAM,KAAK,CAAC,CAAC,EAAE,CAAC,EAAE,CAAC,CAAC,CAUvB,CAAC"}

package/dist/store/devtools.d.ts

@@ -0,0 +1,22 @@
+/**
+ * Devtools integration for stores.
+ * @internal
+ */
+declare global {
+    interface Window {
+        __BQUERY_DEVTOOLS__?: {
+            stores: Map<string, unknown>;
+            onStoreCreated?: (id: string, store: unknown) => void;
+            onStateChange?: (id: string, state: unknown) => void;
+        };
+    }
+}
+export type DevtoolsHook = {
+    stores: Map<string, unknown>;
+    onStoreCreated?: (id: string, store: unknown) => void;
+    onStateChange?: (id: string, state: unknown) => void;
+};
+export declare const registerDevtoolsStore: (id: string, store: unknown) => void;
+export declare const unregisterDevtoolsStore: (id: string) => void;
+export declare const notifyDevtoolsStateChange: (id: string, state: unknown) => void;
+//# sourceMappingURL=devtools.d.ts.map

package/dist/store/devtools.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"devtools.d.ts","sourceRoot":"","sources":["../../src/store/devtools.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,CAAC,MAAM,CAAC;IACb,UAAU,MAAM;QACd,mBAAmB,CAAC,EAAE;YACpB,MAAM,EAAE,GAAG,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;YAC7B,cAAc,CAAC,EAAE,CAAC,EAAE,EAAE,MAAM,EAAE,KAAK,EAAE,OAAO,KAAK,IAAI,CAAC;YACtD,aAAa,CAAC,EAAE,CAAC,EAAE,EAAE,MAAM,EAAE,KAAK,EAAE,OAAO,KAAK,IAAI,CAAC;SACtD,CAAC;KACH;CACF;AAED,MAAM,MAAM,YAAY,GAAG;IACzB,MAAM,EAAE,GAAG,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAC7B,cAAc,CAAC,EAAE,CAAC,EAAE,EAAE,MAAM,EAAE,KAAK,EAAE,OAAO,KAAK,IAAI,CAAC;IACtD,aAAa,CAAC,EAAE,CAAC,EAAE,EAAE,MAAM,EAAE,KAAK,EAAE,OAAO,KAAK,IAAI,CAAC;CACtD,CAAC;AAUF,eAAO,MAAM,qBAAqB,GAAI,IAAI,MAAM,EAAE,OAAO,OAAO,KAAG,IAKlE,CAAC;AAEF,eAAO,MAAM,uBAAuB,GAAI,IAAI,MAAM,KAAG,IAGpD,CAAC;AAEF,eAAO,MAAM,yBAAyB,GAAI,IAAI,MAAM,EAAE,OAAO,OAAO,KAAG,IAGtE,CAAC"}