@bquery/bquery 1.4.0 → 1.6.0

package/dist/sanitize-Bs2dkMby.js

@@ -0,0 +1,313 @@
+var T = "bquery-sanitizer", U = /* @__PURE__ */ new Set([
+  "a",
+  "abbr",
+  "address",
+  "article",
+  "aside",
+  "b",
+  "bdi",
+  "bdo",
+  "blockquote",
+  "br",
+  "button",
+  "caption",
+  "cite",
+  "code",
+  "col",
+  "colgroup",
+  "data",
+  "dd",
+  "del",
+  "details",
+  "dfn",
+  "div",
+  "dl",
+  "dt",
+  "em",
+  "figcaption",
+  "figure",
+  "footer",
+  "form",
+  "h1",
+  "h2",
+  "h3",
+  "h4",
+  "h5",
+  "h6",
+  "header",
+  "hgroup",
+  "hr",
+  "i",
+  "img",
+  "input",
+  "ins",
+  "kbd",
+  "label",
+  "legend",
+  "li",
+  "main",
+  "mark",
+  "nav",
+  "ol",
+  "optgroup",
+  "option",
+  "p",
+  "picture",
+  "pre",
+  "progress",
+  "q",
+  "rp",
+  "rt",
+  "ruby",
+  "s",
+  "samp",
+  "section",
+  "select",
+  "small",
+  "source",
+  "span",
+  "strong",
+  "sub",
+  "summary",
+  "sup",
+  "table",
+  "tbody",
+  "td",
+  "textarea",
+  "tfoot",
+  "th",
+  "thead",
+  "time",
+  "tr",
+  "u",
+  "ul",
+  "var",
+  "wbr"
+]), S = /* @__PURE__ */ new Set([
+  "script",
+  "iframe",
+  "frame",
+  "frameset",
+  "object",
+  "embed",
+  "applet",
+  "link",
+  "meta",
+  "style",
+  "base",
+  "template",
+  "math",
+  "svg",
+  "foreignobject",
+  "noscript"
+]), O = /* @__PURE__ */ new Set([
+  "document",
+  "window",
+  "location",
+  "top",
+  "self",
+  "parent",
+  "frames",
+  "history",
+  "navigator",
+  "screen",
+  "alert",
+  "confirm",
+  "prompt",
+  "eval",
+  "function",
+  "cookie",
+  "domain",
+  "referrer",
+  "body",
+  "head",
+  "forms",
+  "images",
+  "links",
+  "scripts",
+  "children",
+  "parentnode",
+  "firstchild",
+  "lastchild",
+  "innerhtml",
+  "outerhtml",
+  "textcontent"
+]), F = /* @__PURE__ */ new Set([
+  "alt",
+  "class",
+  "dir",
+  "height",
+  "hidden",
+  "href",
+  "id",
+  "lang",
+  "loading",
+  "name",
+  "rel",
+  "role",
+  "src",
+  "srcset",
+  "tabindex",
+  "target",
+  "title",
+  "type",
+  "width",
+  "aria-*"
+]), W = [
+  "on",
+  "formaction",
+  "xlink:",
+  "xmlns:"
+], k = [
+  "javascript:",
+  "data:",
+  "vbscript:",
+  "file:"
+], z = (e, t, r) => {
+  const a = e.toLowerCase();
+  for (const l of W) if (a.startsWith(l)) return !1;
+  return r && a.startsWith("data-") || a.startsWith("aria-") ? !0 : t.has(a);
+}, M = (e) => {
+  const t = e.toLowerCase().trim();
+  return !O.has(t);
+}, P = (e) => e.replace(/[\u0000-\u001F\u007F]+/g, "").replace(/[\u200B-\u200D\uFEFF\u2028\u2029]+/g, "").replace(/\\u[\da-fA-F]{4}/g, "").replace(/\s+/g, "").toLowerCase(), L = (e) => {
+  const t = P(e);
+  for (const r of k) if (t.startsWith(r)) return !1;
+  return !0;
+}, q = (e) => {
+  const t = e.split(",");
+  for (const r of t) {
+    const a = r.trim().split(/\s+/)[0];
+    if (a && !L(a)) return !1;
+  }
+  return !0;
+}, I = (e) => {
+  try {
+    const t = e.trim();
+    if (t.startsWith("//")) return !0;
+    const r = t.toLowerCase();
+    return /^[a-z][a-z0-9+.-]*:/i.test(t) && !r.startsWith("http://") && !r.startsWith("https://") ? !0 : !r.startsWith("http://") && !r.startsWith("https://") ? !1 : typeof window > "u" || !window.location ? !0 : new URL(t, window.location.href).origin !== window.location.origin;
+  } catch {
+    return !0;
+  }
+}, V = (e) => new DOMParser().parseFromString(e, "text/html"), A = (e) => {
+  const t = (typeof e == "string" ? e : String(e ?? "")).trim(), r = document.createDocumentFragment();
+  if (t.length === 0) return r;
+  if (!(t.includes("<") || t.includes(">")))
+    return r.appendChild(document.createTextNode(t)), r;
+  const a = V(t).body;
+  if (!a) return r;
+  for (; a.firstChild; ) r.appendChild(a.firstChild);
+  return r;
+}, f = (e, t = {}) => {
+  const { allowTags: r = [], allowAttributes: a = [], allowDataAttributes: l = !0, stripAllTags: x = !1 } = t, H = new Set([...U, ...r.map((n) => n.toLowerCase())].filter((n) => !S.has(n))), _ = /* @__PURE__ */ new Set([...F, ...a.map((n) => n.toLowerCase())]), c = A(e);
+  if (x) return c.textContent ?? "";
+  const g = document.createTreeWalker(c, NodeFilter.SHOW_ELEMENT), p = [];
+  for (; g.nextNode(); ) {
+    const n = g.currentNode, i = n.tagName.toLowerCase();
+    if (S.has(i)) {
+      p.push(n);
+      continue;
+    }
+    if (!H.has(i)) {
+      p.push(n);
+      continue;
+    }
+    const u = [];
+    for (const o of Array.from(n.attributes)) {
+      const s = o.name.toLowerCase();
+      if (!z(s, _, l)) {
+        u.push(o.name);
+        continue;
+      }
+      if ((s === "id" || s === "name") && !M(o.value)) {
+        u.push(o.name);
+        continue;
+      }
+      if ((s === "href" || s === "src" || s === "action") && !L(o.value)) {
+        u.push(o.name);
+        continue;
+      }
+      s === "srcset" && !q(o.value) && u.push(o.name);
+    }
+    for (const o of u) n.removeAttribute(o);
+    if (i === "a") {
+      const o = n.getAttribute("href"), s = n.getAttribute("target")?.toLowerCase() === "_blank", D = o && I(o);
+      if (s || D) {
+        const y = n.getAttribute("rel"), m = new Set(y ? y.split(/\s+/).filter(Boolean) : []);
+        m.add("noopener"), m.add("noreferrer"), n.setAttribute("rel", Array.from(m).join(" "));
+      }
+    }
+  }
+  for (const n of p) n.remove();
+  const w = (n) => {
+    const i = document.createElement("div");
+    return i.appendChild(n.cloneNode(!0)), i.innerHTML;
+  }, b = w(c), v = w(A(b));
+  return b !== v ? c.textContent ?? "" : v;
+}, R = /* @__PURE__ */ Symbol("bquery.trusted-html.brand"), h = /* @__PURE__ */ Symbol("bquery.trusted-html"), j = (e) => e, B = (e) => {
+  const t = String(e);
+  return Object.freeze({
+    [R]: !0,
+    [h]: t,
+    toString: () => t
+  });
+}, $ = (e) => typeof e == "object" && e !== null && R in e && h in e, X = (e) => e[h], E = 1024, C = 8192, K = (e = 16) => {
+  if (!Number.isInteger(e) || e < 1) throw new RangeError("generateNonce length must be a positive integer");
+  if (e > E) throw new RangeError(`generateNonce length must not exceed ${E}`);
+  if (typeof globalThis.crypto > "u" || typeof globalThis.crypto.getRandomValues != "function") throw new Error("generateNonce requires crypto.getRandomValues (not available in this environment)");
+  if (typeof globalThis.btoa != "function") throw new Error("generateNonce requires btoa (not available in this environment)");
+  const t = new Uint8Array(e);
+  globalThis.crypto.getRandomValues(t);
+  let r = "";
+  for (let a = 0; a < t.length; a += C) {
+    const l = t.subarray(a, Math.min(a + C, t.length));
+    r += String.fromCharCode(...l);
+  }
+  return globalThis.btoa(r).replace(/\+/g, "-").replace(/\//g, "_").replace(/=/g, "");
+}, Q = (e) => {
+  if (typeof document > "u") return !1;
+  const t = document.querySelector('meta[http-equiv="Content-Security-Policy"]');
+  return t ? (t.getAttribute("content") ?? "").includes(e) : !1;
+}, d = null, N = !1, Y = () => typeof window < "u" && typeof window.trustedTypes < "u", G = () => {
+  if (d) return d;
+  if (N || typeof window > "u") return null;
+  const e = window;
+  if (!e.trustedTypes) return null;
+  N = !0;
+  try {
+    return d = e.trustedTypes.createPolicy(T, { createHTML: (t) => f(t) }), d;
+  } catch (t) {
+    const r = t instanceof Error ? t.message : String(t);
+    return console.warn(`bQuery: Could not create Trusted Types policy "${T}": ${r}`), null;
+  }
+}, Z = (e) => {
+  const t = G();
+  return t ? t.createHTML(e) : f(e);
+}, J = (e, t = {}) => j(f(e, t)), ee = (e) => {
+  const t = {
+    "&": "&amp;",
+    "<": "&lt;",
+    ">": "&gt;",
+    '"': "&quot;",
+    "'": "&#x27;",
+    "`": "&#x60;"
+  };
+  return e.replace(/[&<>"'`]/g, (r) => t[r]);
+}, te = (e) => f(e, { stripAllTags: !0 });
+export {
+  G as a,
+  Q as c,
+  B as d,
+  X as f,
+  Z as i,
+  $ as l,
+  J as n,
+  Y as o,
+  te as r,
+  K as s,
+  ee as t,
+  j as u
+};
+
+//# sourceMappingURL=sanitize-Bs2dkMby.js.map

package/dist/sanitize-Bs2dkMby.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"sanitize-Bs2dkMby.js","names":[],"sources":["../src/security/constants.ts","../src/security/sanitize-core.ts","../src/security/trusted-html.ts","../src/security/csp.ts","../src/security/trusted-types.ts","../src/security/sanitize.ts"],"sourcesContent":["/**\n * Security constants and safe lists.\n *\n * @module bquery/security\n */\n\n/**\n * Trusted Types policy name.\n */\nexport const POLICY_NAME = 'bquery-sanitizer';\n\n/**\n * Default allowed HTML tags considered safe.\n */\nexport const DEFAULT_ALLOWED_TAGS = new Set([\n  'a',\n  'abbr',\n  'address',\n  'article',\n  'aside',\n  'b',\n  'bdi',\n  'bdo',\n  'blockquote',\n  'br',\n  'button',\n  'caption',\n  'cite',\n  'code',\n  'col',\n  'colgroup',\n  'data',\n  'dd',\n  'del',\n  'details',\n  'dfn',\n  'div',\n  'dl',\n  'dt',\n  'em',\n  'figcaption',\n  'figure',\n  'footer',\n  'form',\n  'h1',\n  'h2',\n  'h3',\n  'h4',\n  'h5',\n  'h6',\n  'header',\n  'hgroup',\n  'hr',\n  'i',\n  'img',\n  'input',\n  'ins',\n  'kbd',\n  'label',\n  'legend',\n  'li',\n  'main',\n  'mark',\n  'nav',\n  'ol',\n  'optgroup',\n  'option',\n  'p',\n  'picture',\n  'pre',\n  'progress',\n  'q',\n  'rp',\n  'rt',\n  'ruby',\n  's',\n  'samp',\n  'section',\n  'select',\n  'small',\n  'source',\n  'span',\n  'strong',\n  'sub',\n  'summary',\n  'sup',\n  'table',\n  'tbody',\n  'td',\n  'textarea',\n  'tfoot',\n  'th',\n  'thead',\n  'time',\n  'tr',\n  'u',\n  'ul',\n  'var',\n  'wbr',\n]);\n\n/**\n * Explicitly dangerous tags that should never be allowed.\n * These are checked even if somehow added to allowTags.\n */\nexport const DANGEROUS_TAGS = new Set([\n  'script',\n  'iframe',\n  'frame',\n  'frameset',\n  'object',\n  'embed',\n  'applet',\n  'link',\n  'meta',\n  'style',\n  'base',\n  'template',\n  // 'slot' is intentionally excluded here so component shadow markup can opt in\n  // via sanitizeHtml(..., { allowTags: ['slot'] }). It remains disallowed by default\n  // for general HTML writes, because DEFAULT_ALLOWED_TAGS does not include it.\n  'math',\n  'svg',\n  'foreignobject',\n  'noscript',\n]);\n\n/**\n * Reserved IDs that could cause DOM clobbering attacks.\n * These are prevented to avoid overwriting global browser objects.\n */\nexport const RESERVED_IDS = new Set([\n  // Global objects\n  'document',\n  'window',\n  'location',\n  'top',\n  'self',\n  'parent',\n  'frames',\n  'history',\n  'navigator',\n  'screen',\n  // Dangerous functions\n  'alert',\n  'confirm',\n  'prompt',\n  'eval',\n  'function',\n  // Document properties\n  'cookie',\n  'domain',\n  'referrer',\n  'body',\n  'head',\n  'forms',\n  'images',\n  'links',\n  'scripts',\n  // DOM traversal properties\n  'children',\n  'parentnode',\n  'firstchild',\n  'lastchild',\n  // Content manipulation\n  'innerhtml',\n  'outerhtml',\n  'textcontent',\n]);\n\n/**\n * Default allowed attributes considered safe.\n * Note: 'style' is excluded by default because inline CSS can be abused for:\n * - UI redressing attacks\n * - Data exfiltration via url() in CSS\n * - CSS injection vectors\n * If you need to allow inline styles, add 'style' to allowAttributes in your\n * sanitizeHtml options, but ensure you implement proper CSS value validation.\n */\nexport const DEFAULT_ALLOWED_ATTRIBUTES = new Set([\n  'alt',\n  'class',\n  'dir',\n  'height',\n  'hidden',\n  'href',\n  'id',\n  'lang',\n  'loading',\n  'name',\n  'rel',\n  'role',\n  'src',\n  'srcset',\n  'tabindex',\n  'target',\n  'title',\n  'type',\n  'width',\n  'aria-*',\n]);\n\n/**\n * Dangerous attribute prefixes to always remove.\n */\nexport const DANGEROUS_ATTR_PREFIXES = ['on', 'formaction', 'xlink:', 'xmlns:'];\n\n/**\n * Dangerous URL protocols to block.\n */\nexport const DANGEROUS_PROTOCOLS = ['javascript:', 'data:', 'vbscript:', 'file:'];\n","/**\n * Core HTML sanitization logic.\n *\n * @module bquery/security\n * @internal\n */\n\nimport {\n  DANGEROUS_ATTR_PREFIXES,\n  DANGEROUS_PROTOCOLS,\n  DANGEROUS_TAGS,\n  DEFAULT_ALLOWED_ATTRIBUTES,\n  DEFAULT_ALLOWED_TAGS,\n  RESERVED_IDS,\n} from './constants';\nimport type { SanitizeOptions } from './types';\n\n/**\n * Check if an attribute name is allowed.\n * @internal\n */\nconst isAllowedAttribute = (\n  name: string,\n  allowedSet: Set<string>,\n  allowDataAttrs: boolean\n): boolean => {\n  const lowerName = name.toLowerCase();\n\n  // Check dangerous prefixes\n  for (const prefix of DANGEROUS_ATTR_PREFIXES) {\n    if (lowerName.startsWith(prefix)) return false;\n  }\n\n  // Check data attributes\n  if (allowDataAttrs && lowerName.startsWith('data-')) return true;\n\n  // Check aria attributes (allowed by default)\n  if (lowerName.startsWith('aria-')) return true;\n\n  // Check explicit allow list\n  return allowedSet.has(lowerName);\n};\n\n/**\n * Check if an ID/name value could cause DOM clobbering.\n * @internal\n */\nconst isSafeIdOrName = (value: string): boolean => {\n  const lowerValue = value.toLowerCase().trim();\n  return !RESERVED_IDS.has(lowerValue);\n};\n\n/**\n * Normalize URL by removing control characters, whitespace, and Unicode tricks.\n * Enhanced to prevent various bypass techniques.\n * @internal\n */\nconst normalizeUrl = (value: string): string =>\n  value\n    // Remove null bytes and control characters\n    .replace(/[\\u0000-\\u001F\\u007F]+/g, '')\n    // Remove zero-width characters that could hide malicious content\n    .replace(/[\\u200B-\\u200D\\uFEFF\\u2028\\u2029]+/g, '')\n    // Remove escaped Unicode sequences\n    .replace(/\\\\u[\\da-fA-F]{4}/g, '')\n    // Remove whitespace\n    .replace(/\\s+/g, '')\n    // Normalize case\n    .toLowerCase();\n\n/**\n * Check if a URL value is safe.\n * @internal\n */\nconst isSafeUrl = (value: string): boolean => {\n  const normalized = normalizeUrl(value);\n  for (const protocol of DANGEROUS_PROTOCOLS) {\n    if (normalized.startsWith(protocol)) return false;\n  }\n  return true;\n};\n\n/**\n * Check if a srcset attribute value is safe.\n * srcset contains comma-separated entries of \"url [descriptor]\".\n * Each individual URL must be validated.\n * @internal\n */\nconst isSafeSrcset = (value: string): boolean => {\n  const entries = value.split(',');\n  for (const entry of entries) {\n    const url = entry.trim().split(/\\s+/)[0];\n    if (url && !isSafeUrl(url)) return false;\n  }\n  return true;\n};\n\n/**\n * Check if a URL is external (different origin).\n * @internal\n */\nconst isExternalUrl = (url: string): boolean => {\n  try {\n    // Normalize URL by trimming whitespace\n    const trimmedUrl = url.trim();\n\n    // Protocol-relative URLs (//example.com) are always external.\n    // CRITICAL: This check must run before the relative-URL check below;\n    // otherwise, a protocol-relative URL like \"//evil.com\" would be treated\n    // as a non-http(s) relative URL and incorrectly classified as same-origin.\n    // Handling them up front guarantees correct security classification.\n    if (trimmedUrl.startsWith('//')) {\n      return true;\n    }\n\n    // Normalize URL for case-insensitive protocol checks\n    const lowerUrl = trimmedUrl.toLowerCase();\n\n    // Check for non-http(s) protocols which are considered external/special\n    // (mailto:, tel:, ftp:, etc.)\n    const hasProtocol = /^[a-z][a-z0-9+.-]*:/i.test(trimmedUrl);\n    if (hasProtocol && !lowerUrl.startsWith('http://') && !lowerUrl.startsWith('https://')) {\n      // These are special protocols, not traditional \"external\" links\n      // but we treat them as external for security consistency\n      return true;\n    }\n\n    // Relative URLs are not external\n    if (!lowerUrl.startsWith('http://') && !lowerUrl.startsWith('https://')) {\n      return false;\n    }\n\n    // In non-browser environments (e.g., Node.js), treat all absolute URLs as external\n    if (typeof window === 'undefined' || !window.location) {\n      return true;\n    }\n\n    const urlObj = new URL(trimmedUrl, window.location.href);\n    return urlObj.origin !== window.location.origin;\n  } catch {\n    // If URL parsing fails, treat as potentially external for safety\n    return true;\n  }\n};\n\n/**\n * Parse an HTML string into a Document using DOMParser.\n * This helper is intentionally separated to make the control-flow around HTML parsing\n * explicit for static analysis tools. It should ONLY be called when the input is\n * known to contain HTML syntax (angle brackets).\n *\n * DOMParser creates an inert document where scripts don't execute, making it safe\n * for parsing untrusted HTML that will subsequently be sanitized.\n *\n * @param htmlContent - A string that is known to contain HTML markup (has < or >)\n * @returns The parsed Document\n * @internal\n */\nconst parseHtmlDocument = (htmlContent: string): Document => {\n  const parser = new DOMParser();\n  // Parse as a full HTML document in an inert context; scripts won't execute\n  return parser.parseFromString(htmlContent, 'text/html');\n};\n\n/**\n * Safely parse HTML string into a DocumentFragment using DOMParser.\n * DOMParser is preferred over innerHTML for security as it creates an inert document\n * where scripts don't execute and provides better static analysis recognition.\n *\n * This function includes input normalization to satisfy static analysis tools:\n * - Coerces input to string and trims whitespace\n * - For plain text (no HTML tags), creates a Text node directly without parsing\n * - Only invokes DOMParser for actual HTML-like content via parseHtmlDocument\n *\n * The separation between plain text handling and HTML parsing is intentional:\n * DOM text that contains no HTML syntax is never fed into an HTML parser,\n * preventing \"DOM text reinterpreted as HTML\" issues.\n *\n * @internal\n */\nconst parseHtmlSafely = (html: string): DocumentFragment => {\n  // Step 1: Normalize input - coerce to string and trim\n  // This defensive check handles edge cases even though TypeScript says it's a string\n  const normalizedHtml = (typeof html === 'string' ? html : String(html ?? '')).trim();\n\n  // Step 2: Create the fragment that will hold our result\n  const fragment = document.createDocumentFragment();\n\n  // Step 3: Early return for empty input\n  if (normalizedHtml.length === 0) {\n    return fragment;\n  }\n\n  // Step 4: If input contains no angle brackets, it's plain text - no HTML parsing needed.\n  // Plain text is handled as a Text node, never passed to an HTML parser.\n  // This explicitly prevents \"DOM text reinterpreted as HTML\" for purely textual inputs.\n  const containsHtmlSyntax = normalizedHtml.includes('<') || normalizedHtml.includes('>');\n  if (!containsHtmlSyntax) {\n    fragment.appendChild(document.createTextNode(normalizedHtml));\n    return fragment;\n  }\n\n  // Step 5: Input contains HTML syntax - parse it via the dedicated HTML parsing helper.\n  // This separation makes the data-flow explicit: only strings with HTML syntax\n  // are passed to DOMParser, satisfying static analysis requirements.\n  const doc = parseHtmlDocument(normalizedHtml);\n\n  // Move all children from the document body into the fragment.\n  // This avoids interpolating untrusted HTML into an outer wrapper string.\n  const body = doc.body;\n\n  if (!body) {\n    return fragment;\n  }\n\n  while (body.firstChild) {\n    fragment.appendChild(body.firstChild);\n  }\n\n  return fragment;\n};\n\n/**\n * Core sanitization logic (without Trusted Types wrapper).\n * @internal\n */\nexport const sanitizeHtmlCore = (html: string, options: SanitizeOptions = {}): string => {\n  const {\n    allowTags = [],\n    allowAttributes = [],\n    allowDataAttributes = true,\n    stripAllTags = false,\n  } = options;\n\n  // Build combined allow sets (excluding dangerous tags even if specified)\n  const allowedTags = new Set(\n    [...DEFAULT_ALLOWED_TAGS, ...allowTags.map((t) => t.toLowerCase())].filter(\n      (tag) => !DANGEROUS_TAGS.has(tag)\n    )\n  );\n  const allowedAttrs = new Set([\n    ...DEFAULT_ALLOWED_ATTRIBUTES,\n    ...allowAttributes.map((a) => a.toLowerCase()),\n  ]);\n\n  // Use DOMParser for safe HTML parsing (inert context, no script execution)\n  const fragment = parseHtmlSafely(html);\n\n  if (stripAllTags) {\n    return fragment.textContent ?? '';\n  }\n\n  // Walk the DOM tree\n  const walker = document.createTreeWalker(fragment, NodeFilter.SHOW_ELEMENT);\n\n  const toRemove: Element[] = [];\n\n  while (walker.nextNode()) {\n    const el = walker.currentNode as Element;\n    const tagName = el.tagName.toLowerCase();\n\n    // Remove explicitly dangerous tags even if in allow list\n    if (DANGEROUS_TAGS.has(tagName)) {\n      toRemove.push(el);\n      continue;\n    }\n\n    // Remove disallowed tags entirely\n    if (!allowedTags.has(tagName)) {\n      toRemove.push(el);\n      continue;\n    }\n\n    // Process attributes\n    const attrsToRemove: string[] = [];\n    for (const attr of Array.from(el.attributes)) {\n      const attrName = attr.name.toLowerCase();\n\n      // Check if attribute is allowed\n      if (!isAllowedAttribute(attrName, allowedAttrs, allowDataAttributes)) {\n        attrsToRemove.push(attr.name);\n        continue;\n      }\n\n      // Check for DOM clobbering on id and name attributes\n      if ((attrName === 'id' || attrName === 'name') && !isSafeIdOrName(attr.value)) {\n        attrsToRemove.push(attr.name);\n        continue;\n      }\n\n      // Validate URL attributes\n      if (\n        (attrName === 'href' || attrName === 'src' || attrName === 'action') &&\n        !isSafeUrl(attr.value)\n      ) {\n        attrsToRemove.push(attr.name);\n        continue;\n      }\n\n      // Validate srcset URLs individually\n      if (attrName === 'srcset' && !isSafeSrcset(attr.value)) {\n        attrsToRemove.push(attr.name);\n      }\n    }\n\n    // Remove disallowed attributes\n    for (const attrName of attrsToRemove) {\n      el.removeAttribute(attrName);\n    }\n\n    // Add rel=\"noopener noreferrer\" to external links for security\n    if (tagName === 'a') {\n      const href = el.getAttribute('href');\n      const target = el.getAttribute('target');\n      const hasTargetBlank = target?.toLowerCase() === '_blank';\n      const isExternal = href && isExternalUrl(href);\n\n      // Add security attributes to links opening in new window or external links\n      if (hasTargetBlank || isExternal) {\n        const existingRel = el.getAttribute('rel');\n        const relValues = new Set(existingRel ? existingRel.split(/\\s+/).filter(Boolean) : []);\n\n        // Add noopener and noreferrer\n        relValues.add('noopener');\n        relValues.add('noreferrer');\n\n        el.setAttribute('rel', Array.from(relValues).join(' '));\n      }\n    }\n  }\n\n  // Remove disallowed elements\n  for (const el of toRemove) {\n    el.remove();\n  }\n\n  // Serialize the sanitized fragment to HTML string.\n  // We use a temporary container to get the innerHTML of the fragment.\n  const serializeFragment = (frag: DocumentFragment): string => {\n    const container = document.createElement('div');\n    container.appendChild(frag.cloneNode(true));\n    return container.innerHTML;\n  };\n\n  // Double-parse to prevent mutation XSS (mXSS).\n  // Browsers may normalize HTML during serialization in ways that could create\n  // new dangerous content when re-parsed. By re-parsing the sanitized output\n  // and verifying stability, we ensure the final HTML is safe.\n  const firstPass = serializeFragment(fragment);\n\n  // Re-parse through DOMParser for mXSS detection.\n  // Using DOMParser instead of innerHTML for security.\n  const verifyFragment = parseHtmlSafely(firstPass);\n  const secondPass = serializeFragment(verifyFragment);\n\n  // Verify stability: if content mutates between parses, it indicates mXSS attempt\n  if (firstPass !== secondPass) {\n    // Content mutated during re-parse - potential mXSS detected.\n    // Return safely escaped text content as fallback.\n    return fragment.textContent ?? '';\n  }\n\n  return secondPass;\n};\n","declare const sanitizedHtmlBrand: unique symbol;\r\nconst trustedHtmlBrand: unique symbol = Symbol('bquery.trusted-html.brand');\r\nconst TRUSTED_HTML_VALUE = Symbol('bquery.trusted-html');\r\n\r\n/**\r\n * Branded HTML string produced by bQuery's sanitization or escaping template helpers.\r\n *\r\n * Values returned from {@link sanitizeHtml} carry sanitized markup. Values returned from\r\n * {@link safeHtml} preserve the template's static markup while escaping normal interpolations\r\n * and splicing {@link trusted} fragments verbatim. This brand is not intended for arbitrary\r\n * strings or manual concatenation outside those helpers.\r\n */\r\nexport type SanitizedHtml = string & { readonly [sanitizedHtmlBrand]: true };\r\n\r\n/**\r\n * Marker object that safeHtml can splice into templates without escaping again.\r\n */\r\nexport type TrustedHtml = { readonly [trustedHtmlBrand]: true; toString(): string };\r\n\r\ntype TrustedHtmlValue = TrustedHtml & { readonly [TRUSTED_HTML_VALUE]: string };\r\n\r\n/**\r\n * Apply the internal {@link SanitizedHtml} brand to helper output.\r\n *\r\n * @internal\r\n */\r\nexport const toSanitizedHtml = (html: string): SanitizedHtml => html as SanitizedHtml;\r\n\r\n/**\r\n * Mark a sanitized HTML string for verbatim splicing into safeHtml templates.\r\n *\r\n * @param html - HTML previously produced by sanitizeHtml, safeHtml, or another trusted bQuery helper\r\n * @returns Trusted HTML marker object for safeHtml interpolations\r\n *\r\n * @example\r\n * ```ts\r\n * const badge = trusted(sanitizeHtml('<strong onclick=\"alert(1)\">New</strong>'));\r\n * const markup = safeHtml`<span>${badge}</span>`;\r\n * ```\r\n */\r\nexport const trusted = (html: SanitizedHtml): TrustedHtml => {\r\n  const value = String(html);\r\n  return Object.freeze({\r\n    [trustedHtmlBrand]: true as const,\r\n    [TRUSTED_HTML_VALUE]: value,\r\n    toString: () => value,\r\n  });\r\n};\r\n\r\n/**\r\n * Check whether a value is a trusted HTML marker created by trusted().\r\n *\r\n * @internal\r\n */\r\nexport const isTrustedHtml = (value: unknown): value is TrustedHtml => {\r\n  return (\r\n    typeof value === 'object' &&\r\n    value !== null &&\r\n    trustedHtmlBrand in value &&\r\n    TRUSTED_HTML_VALUE in value\r\n  );\r\n};\r\n\r\n/**\r\n * Unwrap the raw HTML string stored inside a trusted HTML marker.\r\n *\r\n * @internal\r\n */\r\nexport const unwrapTrustedHtml = (value: TrustedHtml): string => {\r\n  return (value as TrustedHtmlValue)[TRUSTED_HTML_VALUE];\r\n};\r\n","/**\n * Content Security Policy helpers.\n *\n * @module bquery/security\n */\n\n/** Maximum allowed nonce length to prevent memory issues */\nconst MAX_NONCE_LENGTH = 1024;\n\n/** Chunk size for building strings to avoid argument limit in String.fromCharCode */\nconst CHUNK_SIZE = 8192;\n\n/**\n * Generate a nonce for inline scripts/styles.\n * Use with Content-Security-Policy nonce directives.\n *\n * @param length - Nonce length in bytes (default: 16, max: 1024)\n * @returns Cryptographically random nonce string\n * @throws {Error} If crypto.getRandomValues or btoa are not available\n * @throws {RangeError} If length is invalid (negative, non-integer, or exceeds maximum)\n */\nexport const generateNonce = (length: number = 16): string => {\n  // Validate length parameter\n  if (!Number.isInteger(length) || length < 1) {\n    throw new RangeError('generateNonce length must be a positive integer');\n  }\n  if (length > MAX_NONCE_LENGTH) {\n    throw new RangeError(`generateNonce length must not exceed ${MAX_NONCE_LENGTH}`);\n  }\n\n  // Check for required globals in browser/crypto environments\n  if (\n    typeof globalThis.crypto === 'undefined' ||\n    typeof globalThis.crypto.getRandomValues !== 'function'\n  ) {\n    throw new Error(\n      'generateNonce requires crypto.getRandomValues (not available in this environment)'\n    );\n  }\n  if (typeof globalThis.btoa !== 'function') {\n    throw new Error('generateNonce requires btoa (not available in this environment)');\n  }\n\n  const array = new Uint8Array(length);\n  globalThis.crypto.getRandomValues(array);\n\n  // Build string in chunks to avoid argument limit in String.fromCharCode\n  let binaryString = '';\n  for (let i = 0; i < array.length; i += CHUNK_SIZE) {\n    const chunk = array.subarray(i, Math.min(i + CHUNK_SIZE, array.length));\n    binaryString += String.fromCharCode(...chunk);\n  }\n\n  return globalThis.btoa(binaryString).replace(/\\+/g, '-').replace(/\\//g, '_').replace(/=/g, '');\n};\n\n/**\n * Check if a CSP header is present with specific directive.\n * Useful for feature detection and fallback strategies.\n *\n * @param directive - The CSP directive to check (e.g., 'script-src')\n * @returns True if the directive appears to be enforced\n */\nexport const hasCSPDirective = (directive: string): boolean => {\n  // Guard for non-DOM environments (SSR, tests, etc.)\n  if (typeof document === 'undefined') {\n    return false;\n  }\n\n  // Check meta tag\n  const meta = document.querySelector('meta[http-equiv=\"Content-Security-Policy\"]');\n  if (meta) {\n    const content = meta.getAttribute('content') ?? '';\n    return content.includes(directive);\n  }\n  return false;\n};\n","/**\n * Trusted Types helpers for CSP compatibility.\n *\n * @module bquery/security\n */\n\nimport { POLICY_NAME } from './constants';\nimport { sanitizeHtmlCore } from './sanitize-core';\nimport type { TrustedHTML, TrustedTypePolicy, TrustedTypesWindow } from './types';\n\n/** Cached Trusted Types policy */\nlet cachedPolicy: TrustedTypePolicy | null = null;\n\n/** Whether policy initialization has been attempted (to avoid retry spam) */\nlet policyInitAttempted = false;\n\n/**\n * Check if Trusted Types API is available.\n * @returns True if Trusted Types are supported\n */\nexport const isTrustedTypesSupported = (): boolean => {\n  return (\n    typeof window !== 'undefined' &&\n    typeof (window as TrustedTypesWindow).trustedTypes !== 'undefined'\n  );\n};\n\n/**\n * Get or create the bQuery Trusted Types policy.\n * @returns The Trusted Types policy or null if unsupported\n */\nexport const getTrustedTypesPolicy = (): TrustedTypePolicy | null => {\n  if (cachedPolicy) return cachedPolicy;\n  if (policyInitAttempted) return null;\n\n  if (typeof window === 'undefined') return null;\n\n  const win = window as TrustedTypesWindow;\n  if (!win.trustedTypes) return null;\n\n  policyInitAttempted = true;\n\n  try {\n    cachedPolicy = win.trustedTypes.createPolicy(POLICY_NAME, {\n      createHTML: (input: string) => sanitizeHtmlCore(input),\n    });\n    return cachedPolicy;\n  } catch (error) {\n    // Policy may already exist or be blocked by CSP\n    const errorMessage = error instanceof Error ? error.message : String(error);\n    console.warn(`bQuery: Could not create Trusted Types policy \"${POLICY_NAME}\": ${errorMessage}`);\n    return null;\n  }\n};\n\n/**\n * Create a Trusted HTML value for use with Trusted Types-enabled sites.\n * Falls back to regular string when Trusted Types are unavailable.\n *\n * @param html - The HTML string to wrap\n * @returns Trusted HTML value or sanitized string\n */\nexport const createTrustedHtml = (html: string): TrustedHTML | string => {\n  const policy = getTrustedTypesPolicy();\n  if (policy) {\n    return policy.createHTML(html);\n  }\n  return sanitizeHtmlCore(html);\n};\n","/**\r\n * Security utilities for HTML sanitization.\r\n * All DOM writes are sanitized by default to prevent XSS attacks.\r\n *\r\n * @module bquery/security\r\n */\r\n\r\nimport { sanitizeHtmlCore } from './sanitize-core';\r\nimport { toSanitizedHtml } from './trusted-html';\r\nimport type { SanitizedHtml } from './trusted-html';\r\nimport type { SanitizeOptions } from './types';\r\nexport { generateNonce } from './csp';\r\nexport { isTrustedTypesSupported } from './trusted-types';\r\nexport { trusted } from './trusted-html';\r\nexport type { SanitizedHtml, TrustedHtml } from './trusted-html';\r\n\r\n/**\r\n * Sanitize HTML string, removing dangerous elements and attributes.\r\n * Uses Trusted Types when available for CSP compliance.\r\n *\r\n * @param html - The HTML string to sanitize\r\n * @param options - Sanitization options\r\n * @returns Sanitized HTML string\r\n *\r\n * @example\r\n * ```ts\r\n * const safe = sanitizeHtml('<div onclick=\"alert(1)\">Hello</div>');\r\n * // Returns: '<div>Hello</div>'\r\n * ```\r\n */\r\nexport const sanitizeHtml = (html: string, options: SanitizeOptions = {}): SanitizedHtml => {\r\n  return toSanitizedHtml(sanitizeHtmlCore(html, options));\r\n};\r\n\r\n/**\r\n * Escape HTML entities to prevent XSS.\r\n * Use this for displaying user content as text.\r\n *\r\n * @param text - The text to escape\r\n * @returns Escaped HTML string\r\n *\r\n * @example\r\n * ```ts\r\n * escapeHtml('<script>alert(1)</script>');\r\n * // Returns: '&lt;script&gt;alert(1)&lt;/script&gt;'\r\n * ```\r\n */\r\nexport const escapeHtml = (text: string): string => {\r\n  const escapeMap: Record<string, string> = {\r\n    '&': '&amp;',\r\n    '<': '&lt;',\r\n    '>': '&gt;',\r\n    '\"': '&quot;',\r\n    \"'\": '&#x27;',\r\n    '`': '&#x60;',\r\n  };\r\n  return text.replace(/[&<>\"'`]/g, (char) => escapeMap[char]);\r\n};\r\n\r\n/**\r\n * Strip all HTML tags and return plain text.\r\n *\r\n * @param html - The HTML string to strip\r\n * @returns Plain text content\r\n */\r\nexport const stripTags = (html: string): string => {\r\n  return sanitizeHtmlCore(html, { stripAllTags: true });\r\n};\r\n\r\nexport type { SanitizeOptions } from './types';\r\n"],"mappings":"AASA,IAAa,IAAc,oBAKd,IAAuB,oBAAI,IAAI;AAAA,EAC1C;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;CACD,GAMY,IAAiB,oBAAI,IAAI;AAAA,EACpC;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EAIA;AAAA,EACA;AAAA,EACA;AAAA,EACA;CACD,GAMY,IAAe,oBAAI,IAAI;AAAA,EAElC;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EAEA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EAEA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EAEA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EAEA;AAAA,EACA;AAAA,EACA;CACD,GAWY,IAA6B,oBAAI,IAAI;AAAA,EAChD;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;CACD,GAKY,IAA0B;AAAA,EAAC;AAAA,EAAM;AAAA,EAAc;AAAA,EAAU;GAKzD,IAAsB;AAAA,EAAC;AAAA,EAAe;AAAA,EAAS;AAAA,EAAa;GC7LnE,IAAA,CACJ,GACA,GACA,MACY;AACZ,QAAM,IAAY,EAAK,YAAA;AAGvB,aAAW,KAAU,EACnB,KAAI,EAAU,WAAW,CAAA,EAAS,QAAO;AAO3C,SAHI,KAAkB,EAAU,WAAW,OAAA,KAGvC,EAAU,WAAW,OAAA,IAAiB,KAGnC,EAAW,IAAI,CAAA;GAOlB,IAAA,CAAkB,MAA2B;AACjD,QAAM,IAAa,EAAM,YAAA,EAAc,KAAA;AACvC,SAAO,CAAC,EAAa,IAAI,CAAA;GAQrB,IAAA,CAAgB,MACpB,EAEG,QAAQ,2BAA2B,EAAA,EAEnC,QAAQ,uCAAuC,EAAA,EAE/C,QAAQ,qBAAqB,EAAA,EAE7B,QAAQ,QAAQ,EAAA,EAEhB,YAAA,GAMC,IAAA,CAAa,MAA2B;AAC5C,QAAM,IAAa,EAAa,CAAA;AAChC,aAAW,KAAY,EACrB,KAAI,EAAW,WAAW,CAAA,EAAW,QAAO;AAE9C,SAAO;GASH,IAAA,CAAgB,MAA2B;AAC/C,QAAM,IAAU,EAAM,MAAM,GAAA;AAC5B,aAAW,KAAS,GAAS;AAC3B,UAAM,IAAM,EAAM,KAAA,EAAO,MAAM,KAAA,EAAO,CAAA;AACtC,QAAI,KAAO,CAAC,EAAU,CAAA,EAAM,QAAO;AAAA;AAErC,SAAO;GAOH,IAAA,CAAiB,MAAyB;AAC9C,MAAI;AAEF,UAAM,IAAa,EAAI,KAAA;AAOvB,QAAI,EAAW,WAAW,IAAA,EACxB,QAAO;AAIT,UAAM,IAAW,EAAW,YAAA;AAK5B,WADoB,uBAAuB,KAAK,CAAA,KAC7B,CAAC,EAAS,WAAW,SAAA,KAAc,CAAC,EAAS,WAAW,UAAA,IAGlE,KAIL,CAAC,EAAS,WAAW,SAAA,KAAc,CAAC,EAAS,WAAW,UAAA,IACnD,KAIL,OAAO,SAAW,OAAe,CAAC,OAAO,WACpC,KAGM,IAAI,IAAI,GAAY,OAAO,SAAS,IAAA,EACrC,WAAW,OAAO,SAAS;AAAA,UACnC;AAEN,WAAO;AAAA;GAiBL,IAAA,CAAqB,MACV,IAAI,UAAA,EAEL,gBAAgB,GAAa,WAAA,GAmBvC,IAAA,CAAmB,MAAmC;AAG1D,QAAM,KAAkB,OAAO,KAAS,WAAW,IAAO,OAAO,KAAQ,EAAA,GAAK,KAAA,GAGxE,IAAW,SAAS,uBAAA;AAG1B,MAAI,EAAe,WAAW,EAC5B,QAAO;AAOT,MAAI,EADuB,EAAe,SAAS,GAAA,KAAQ,EAAe,SAAS,GAAA;AAEjF,WAAA,EAAS,YAAY,SAAS,eAAe,CAAA,CAAe,GACrD;AAUT,QAAM,IAJM,EAAkB,CAAA,EAIb;AAEjB,MAAI,CAAC,EACH,QAAO;AAGT,SAAO,EAAK,aACV,CAAA,EAAS,YAAY,EAAK,UAAA;AAG5B,SAAO;GAOI,IAAA,CAAoB,GAAc,IAA2B,CAAA,MAAe;AACvF,QAAM,EACJ,WAAA,IAAY,CAAA,GACZ,iBAAA,IAAkB,CAAA,GAClB,qBAAA,IAAsB,IACtB,cAAA,IAAe,GAAA,IACb,GAGE,IAAc,IAAI,IACtB,CAAC,GAAG,GAAsB,GAAG,EAAU,IAAA,CAAK,MAAM,EAAE,YAAA,CAAa,CAAC,EAAE,OAAA,CACjE,MAAQ,CAAC,EAAe,IAAI,CAAA,CAAI,CAClC,GAEG,IAAe,oBAAI,IAAI,CAC3B,GAAG,GACH,GAAG,EAAgB,IAAA,CAAK,MAAM,EAAE,YAAA,CAAa,CAAC,CAC/C,GAGK,IAAW,EAAgB,CAAA;AAEjC,MAAI,EACF,QAAO,EAAS,eAAe;AAIjC,QAAM,IAAS,SAAS,iBAAiB,GAAU,WAAW,YAAA,GAExD,IAAsB,CAAA;AAE5B,SAAO,EAAO,SAAA,KAAY;AACxB,UAAM,IAAK,EAAO,aACZ,IAAU,EAAG,QAAQ,YAAA;AAG3B,QAAI,EAAe,IAAI,CAAA,GAAU;AAC/B,MAAA,EAAS,KAAK,CAAA;AACd;AAAA;AAIF,QAAI,CAAC,EAAY,IAAI,CAAA,GAAU;AAC7B,MAAA,EAAS,KAAK,CAAA;AACd;AAAA;AAIF,UAAM,IAA0B,CAAA;AAChC,eAAW,KAAQ,MAAM,KAAK,EAAG,UAAA,GAAa;AAC5C,YAAM,IAAW,EAAK,KAAK,YAAA;AAG3B,UAAI,CAAC,EAAmB,GAAU,GAAc,CAAA,GAAsB;AACpE,QAAA,EAAc,KAAK,EAAK,IAAA;AACxB;AAAA;AAIF,WAAK,MAAa,QAAQ,MAAa,WAAW,CAAC,EAAe,EAAK,KAAA,GAAQ;AAC7E,QAAA,EAAc,KAAK,EAAK,IAAA;AACxB;AAAA;AAIF,WACG,MAAa,UAAU,MAAa,SAAS,MAAa,aAC3D,CAAC,EAAU,EAAK,KAAA,GAChB;AACA,QAAA,EAAc,KAAK,EAAK,IAAA;AACxB;AAAA;AAIF,MAAI,MAAa,YAAY,CAAC,EAAa,EAAK,KAAA,KAC9C,EAAc,KAAK,EAAK,IAAA;AAAA;AAK5B,eAAW,KAAY,EACrB,CAAA,EAAG,gBAAgB,CAAA;AAIrB,QAAI,MAAY,KAAK;AACnB,YAAM,IAAO,EAAG,aAAa,MAAA,GAEvB,IADS,EAAG,aAAa,QAAA,GACA,YAAA,MAAkB,UAC3C,IAAa,KAAQ,EAAc,CAAA;AAGzC,UAAI,KAAkB,GAAY;AAChC,cAAM,IAAc,EAAG,aAAa,KAAA,GAC9B,IAAY,IAAI,IAAI,IAAc,EAAY,MAAM,KAAA,EAAO,OAAO,OAAA,IAAW,CAAA,CAAE;AAGrF,QAAA,EAAU,IAAI,UAAA,GACd,EAAU,IAAI,YAAA,GAEd,EAAG,aAAa,OAAO,MAAM,KAAK,CAAA,EAAW,KAAK,GAAA,CAAI;AAAA;;;AAM5D,aAAW,KAAM,EACf,CAAA,EAAG,OAAA;AAKL,QAAM,IAAA,CAAqB,MAAmC;AAC5D,UAAM,IAAY,SAAS,cAAc,KAAA;AACzC,WAAA,EAAU,YAAY,EAAK,UAAU,EAAA,CAAK,GACnC,EAAU;AAAA,KAOb,IAAY,EAAkB,CAAA,GAK9B,IAAa,EADI,EAAgB,CAAA,CAAU;AAIjD,SAAI,MAAc,IAGT,EAAS,eAAe,KAG1B;GCzWH,IAAkC,uBAAO,2BAAA,GACzC,IAAqB,uBAAO,qBAAA,GAwBrB,IAAA,CAAmB,MAAgC,GAcnD,IAAA,CAAW,MAAqC;AAC3D,QAAM,IAAQ,OAAO,CAAA;AACrB,SAAO,OAAO,OAAO;AAAA,KAClB,CAAA,GAAmB;AAAA,KACnB,CAAA,GAAqB;AAAA,IACtB,UAAA,MAAgB;AAAA,GACjB;GAQU,IAAA,CAAiB,MAE1B,OAAO,KAAU,YACjB,MAAU,QACV,KAAoB,KACpB,KAAsB,GASb,IAAA,CAAqB,MACxB,EAA2B,CAAA,GC9D/B,IAAmB,MAGnB,IAAa,MAWN,IAAA,CAAiB,IAAiB,OAAe;AAE5D,MAAI,CAAC,OAAO,UAAU,CAAA,KAAW,IAAS,EACxC,OAAM,IAAI,WAAW,iDAAA;AAEvB,MAAI,IAAS,EACX,OAAM,IAAI,WAAW,wCAAwC,CAAA,EAAA;AAI/D,MACE,OAAO,WAAW,SAAW,OAC7B,OAAO,WAAW,OAAO,mBAAoB,WAE7C,OAAM,IAAI,MACR,mFAAA;AAGJ,MAAI,OAAO,WAAW,QAAS,WAC7B,OAAM,IAAI,MAAM,iEAAA;AAGlB,QAAM,IAAQ,IAAI,WAAW,CAAA;AAC7B,aAAW,OAAO,gBAAgB,CAAA;AAGlC,MAAI,IAAe;AACnB,WAAS,IAAI,GAAG,IAAI,EAAM,QAAQ,KAAK,GAAY;AACjD,UAAM,IAAQ,EAAM,SAAS,GAAG,KAAK,IAAI,IAAI,GAAY,EAAM,MAAA,CAAO;AACtE,IAAA,KAAgB,OAAO,aAAa,GAAG,CAAA;AAAA;AAGzC,SAAO,WAAW,KAAK,CAAA,EAAc,QAAQ,OAAO,GAAA,EAAK,QAAQ,OAAO,GAAA,EAAK,QAAQ,MAAM,EAAA;GAUhF,IAAA,CAAmB,MAA+B;AAE7D,MAAI,OAAO,WAAa,IACtB,QAAO;AAIT,QAAM,IAAO,SAAS,cAAc,4CAAA;AACpC,SAAI,KACc,EAAK,aAAa,SAAA,KAAc,IACjC,SAAS,CAAA,IAEnB;GChEL,IAAyC,MAGzC,IAAsB,IAMb,IAAA,MAET,OAAO,SAAW,OAClB,OAAQ,OAA8B,eAAiB,KAQ9C,IAAA,MAAwD;AACnE,MAAI,EAAc,QAAO;AAGzB,MAFI,KAEA,OAAO,SAAW,IAAa,QAAO;AAE1C,QAAM,IAAM;AACZ,MAAI,CAAC,EAAI,aAAc,QAAO;AAE9B,EAAA,IAAsB;AAEtB,MAAI;AACF,WAAA,IAAe,EAAI,aAAa,aAAa,GAAa,EACxD,YAAA,CAAa,MAAkB,EAAiB,CAAA,EAAM,CACvD,GACM;AAAA,WACA,GAAO;AAEd,UAAM,IAAe,aAAiB,QAAQ,EAAM,UAAU,OAAO,CAAA;AACrE,mBAAQ,KAAK,kDAAkD,CAAA,MAAiB,CAAA,EAAA,GACzE;AAAA;GAWE,IAAA,CAAqB,MAAuC;AACvE,QAAM,IAAS,EAAA;AACf,SAAI,IACK,EAAO,WAAW,CAAA,IAEpB,EAAiB,CAAA;GCrCb,IAAA,CAAgB,GAAc,IAA2B,CAAA,MAC7D,EAAgB,EAAiB,GAAM,CAAA,CAAQ,GAgB3C,KAAA,CAAc,MAAyB;AAClD,QAAM,IAAoC;AAAA,IACxC,KAAK;AAAA,IACL,KAAK;AAAA,IACL,KAAK;AAAA,IACL,KAAK;AAAA,IACL,KAAK;AAAA,IACL,KAAK;AAAA;AAEP,SAAO,EAAK,QAAQ,aAAA,CAAc,MAAS,EAAU,CAAA,CAAA;GAS1C,KAAA,CAAa,MACjB,EAAiB,GAAM,EAAE,cAAc,GAAA,CAAM"}

package/dist/security/constants.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"constants.d.ts","sourceRoot":"","sources":["../../src/security/constants.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH;;GAEG;AACH,eAAO,MAAM,WAAW,qBAAqB,CAAC;AAE9C;;GAEG;AACH,eAAO,MAAM,oBAAoB,aAqF/B,CAAC;AAEH;;;GAGG;AACH,eAAO,MAAM,cAAc,aAkBzB,CAAC;AAEH;;;GAGG;AACH,eAAO,MAAM,YAAY,aAqCvB,CAAC;AAEH;;;;;;;;GAQG;AACH,eAAO,MAAM,0BAA0B,aAqBrC,CAAC;AAEH;;GAEG;AACH,eAAO,MAAM,uBAAuB,UAA2C,CAAC;AAEhF;;GAEG;AACH,eAAO,MAAM,mBAAmB,UAAiD,CAAC"}
+{"version":3,"file":"constants.d.ts","sourceRoot":"","sources":["../../src/security/constants.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH;;GAEG;AACH,eAAO,MAAM,WAAW,qBAAqB,CAAC;AAE9C;;GAEG;AACH,eAAO,MAAM,oBAAoB,aAqF/B,CAAC;AAEH;;;GAGG;AACH,eAAO,MAAM,cAAc,aAoBzB,CAAC;AAEH;;;GAGG;AACH,eAAO,MAAM,YAAY,aAqCvB,CAAC;AAEH;;;;;;;;GAQG;AACH,eAAO,MAAM,0BAA0B,aAqBrC,CAAC;AAEH;;GAEG;AACH,eAAO,MAAM,uBAAuB,UAA2C,CAAC;AAEhF;;GAEG;AACH,eAAO,MAAM,mBAAmB,UAAiD,CAAC"}

package/dist/security/index.d.ts

@@ -4,7 +4,9 @@
  * @module bquery/security
  */
 export { generateNonce, hasCSPDirective } from './csp';
-export { escapeHtml, sanitizeHtml as sanitize, sanitizeHtml, stripTags } from './sanitize';
+export { escapeHtml, sanitizeHtml as sanitize, sanitizeHtml, stripTags, } from './sanitize';
+export { trusted } from './trusted-html';
 export { createTrustedHtml, getTrustedTypesPolicy, isTrustedTypesSupported } from './trusted-types';
-export type { SanitizeOptions } from './types';
+export type { SanitizedHtml, TrustedHtml } from './trusted-html';
+export type { SanitizeOptions } from './sanitize';
 //# sourceMappingURL=index.d.ts.map

package/dist/security/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/security/index.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,EAAE,aAAa,EAAE,eAAe,EAAE,MAAM,OAAO,CAAC;AACvD,OAAO,EAAE,UAAU,EAAE,YAAY,IAAI,QAAQ,EAAE,YAAY,EAAE,SAAS,EAAE,MAAM,YAAY,CAAC;AAC3F,OAAO,EAAE,iBAAiB,EAAE,qBAAqB,EAAE,uBAAuB,EAAE,MAAM,iBAAiB,CAAC;AACpG,YAAY,EAAE,eAAe,EAAE,MAAM,SAAS,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/security/index.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,EAAE,aAAa,EAAE,eAAe,EAAE,MAAM,OAAO,CAAC;AACvD,OAAO,EACL,UAAU,EACV,YAAY,IAAI,QAAQ,EACxB,YAAY,EACZ,SAAS,GACV,MAAM,YAAY,CAAC;AACpB,OAAO,EAAE,OAAO,EAAE,MAAM,gBAAgB,CAAC;AACzC,OAAO,EAAE,iBAAiB,EAAE,qBAAqB,EAAE,uBAAuB,EAAE,MAAM,iBAAiB,CAAC;AACpG,YAAY,EAAE,aAAa,EAAE,WAAW,EAAE,MAAM,gBAAgB,CAAC;AACjE,YAAY,EAAE,eAAe,EAAE,MAAM,YAAY,CAAC"}

package/dist/security/sanitize.d.ts

@@ -4,9 +4,12 @@
  *
  * @module bquery/security
  */
+import type { SanitizedHtml } from './trusted-html';
 import type { SanitizeOptions } from './types';
 export { generateNonce } from './csp';
 export { isTrustedTypesSupported } from './trusted-types';
+export { trusted } from './trusted-html';
+export type { SanitizedHtml, TrustedHtml } from './trusted-html';
 /**
  * Sanitize HTML string, removing dangerous elements and attributes.
  * Uses Trusted Types when available for CSP compliance.
@@ -21,7 +24,7 @@ export { isTrustedTypesSupported } from './trusted-types';
  * // Returns: '<div>Hello</div>'
  * ```
  */
-export declare const sanitizeHtml: (html: string, options?: SanitizeOptions) => string;
+export declare const sanitizeHtml: (html: string, options?: SanitizeOptions) => SanitizedHtml;
 /**
  * Escape HTML entities to prevent XSS.
  * Use this for displaying user content as text.

package/dist/security/sanitize.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"sanitize.d.ts","sourceRoot":"","sources":["../../src/security/sanitize.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAGH,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,SAAS,CAAC;AAC/C,OAAO,EAAE,aAAa,EAAE,MAAM,OAAO,CAAC;AACtC,OAAO,EAAE,uBAAuB,EAAE,MAAM,iBAAiB,CAAC;AAE1D;;;;;;;;;;;;;GAaG;AACH,eAAO,MAAM,YAAY,GAAI,MAAM,MAAM,EAAE,UAAS,eAAoB,KAAG,MAE1E,CAAC;AAEF;;;;;;;;;;;;GAYG;AACH,eAAO,MAAM,UAAU,GAAI,MAAM,MAAM,KAAG,MAUzC,CAAC;AAEF;;;;;GAKG;AACH,eAAO,MAAM,SAAS,GAAI,MAAM,MAAM,KAAG,MAExC,CAAC;AAEF,YAAY,EAAE,eAAe,EAAE,MAAM,SAAS,CAAC"}
+{"version":3,"file":"sanitize.d.ts","sourceRoot":"","sources":["../../src/security/sanitize.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAIH,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,gBAAgB,CAAC;AACpD,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,SAAS,CAAC;AAC/C,OAAO,EAAE,aAAa,EAAE,MAAM,OAAO,CAAC;AACtC,OAAO,EAAE,uBAAuB,EAAE,MAAM,iBAAiB,CAAC;AAC1D,OAAO,EAAE,OAAO,EAAE,MAAM,gBAAgB,CAAC;AACzC,YAAY,EAAE,aAAa,EAAE,WAAW,EAAE,MAAM,gBAAgB,CAAC;AAEjE;;;;;;;;;;;;;GAaG;AACH,eAAO,MAAM,YAAY,GAAI,MAAM,MAAM,EAAE,UAAS,eAAoB,KAAG,aAE1E,CAAC;AAEF;;;;;;;;;;;;GAYG;AACH,eAAO,MAAM,UAAU,GAAI,MAAM,MAAM,KAAG,MAUzC,CAAC;AAEF;;;;;GAKG;AACH,eAAO,MAAM,SAAS,GAAI,MAAM,MAAM,KAAG,MAExC,CAAC;AAEF,YAAY,EAAE,eAAe,EAAE,MAAM,SAAS,CAAC"}

package/dist/security/trusted-html.d.ts

@@ -0,0 +1,53 @@
+declare const sanitizedHtmlBrand: unique symbol;
+declare const trustedHtmlBrand: unique symbol;
+/**
+ * Branded HTML string produced by bQuery's sanitization or escaping template helpers.
+ *
+ * Values returned from {@link sanitizeHtml} carry sanitized markup. Values returned from
+ * {@link safeHtml} preserve the template's static markup while escaping normal interpolations
+ * and splicing {@link trusted} fragments verbatim. This brand is not intended for arbitrary
+ * strings or manual concatenation outside those helpers.
+ */
+export type SanitizedHtml = string & {
+    readonly [sanitizedHtmlBrand]: true;
+};
+/**
+ * Marker object that safeHtml can splice into templates without escaping again.
+ */
+export type TrustedHtml = {
+    readonly [trustedHtmlBrand]: true;
+    toString(): string;
+};
+/**
+ * Apply the internal {@link SanitizedHtml} brand to helper output.
+ *
+ * @internal
+ */
+export declare const toSanitizedHtml: (html: string) => SanitizedHtml;
+/**
+ * Mark a sanitized HTML string for verbatim splicing into safeHtml templates.
+ *
+ * @param html - HTML previously produced by sanitizeHtml, safeHtml, or another trusted bQuery helper
+ * @returns Trusted HTML marker object for safeHtml interpolations
+ *
+ * @example
+ * ```ts
+ * const badge = trusted(sanitizeHtml('<strong onclick="alert(1)">New</strong>'));
+ * const markup = safeHtml`<span>${badge}</span>`;
+ * ```
+ */
+export declare const trusted: (html: SanitizedHtml) => TrustedHtml;
+/**
+ * Check whether a value is a trusted HTML marker created by trusted().
+ *
+ * @internal
+ */
+export declare const isTrustedHtml: (value: unknown) => value is TrustedHtml;
+/**
+ * Unwrap the raw HTML string stored inside a trusted HTML marker.
+ *
+ * @internal
+ */
+export declare const unwrapTrustedHtml: (value: TrustedHtml) => string;
+export {};
+//# sourceMappingURL=trusted-html.d.ts.map

package/dist/security/trusted-html.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"trusted-html.d.ts","sourceRoot":"","sources":["../../src/security/trusted-html.ts"],"names":[],"mappings":"AAAA,OAAO,CAAC,MAAM,kBAAkB,EAAE,OAAO,MAAM,CAAC;AAChD,QAAA,MAAM,gBAAgB,EAAE,OAAO,MAA4C,CAAC;AAG5E;;;;;;;GAOG;AACH,MAAM,MAAM,aAAa,GAAG,MAAM,GAAG;IAAE,QAAQ,CAAC,CAAC,kBAAkB,CAAC,EAAE,IAAI,CAAA;CAAE,CAAC;AAE7E;;GAEG;AACH,MAAM,MAAM,WAAW,GAAG;IAAE,QAAQ,CAAC,CAAC,gBAAgB,CAAC,EAAE,IAAI,CAAC;IAAC,QAAQ,IAAI,MAAM,CAAA;CAAE,CAAC;AAIpF;;;;GAIG;AACH,eAAO,MAAM,eAAe,GAAI,MAAM,MAAM,KAAG,aAAsC,CAAC;AAEtF;;;;;;;;;;;GAWG;AACH,eAAO,MAAM,OAAO,GAAI,MAAM,aAAa,KAAG,WAO7C,CAAC;AAEF;;;;GAIG;AACH,eAAO,MAAM,aAAa,GAAI,OAAO,OAAO,KAAG,KAAK,IAAI,WAOvD,CAAC;AAEF;;;;GAIG;AACH,eAAO,MAAM,iBAAiB,GAAI,OAAO,WAAW,KAAG,MAEtD,CAAC"}

package/dist/security.es.mjs

@@ -1,58 +1,13 @@
-import { b as u, P as i } from "./sanitize-Cxvxa-DX.js";
-import { e as h, s as b, s as N, a as C } from "./sanitize-Cxvxa-DX.js";
-const s = 1024, a = 8192, p = (t = 16) => {
-  if (!Number.isInteger(t) || t < 1)
-    throw new RangeError("generateNonce length must be a positive integer");
-  if (t > s)
-    throw new RangeError(`generateNonce length must not exceed ${s}`);
-  if (typeof globalThis.crypto > "u" || typeof globalThis.crypto.getRandomValues != "function")
-    throw new Error(
-      "generateNonce requires crypto.getRandomValues (not available in this environment)"
-    );
-  if (typeof globalThis.btoa != "function")
-    throw new Error("generateNonce requires btoa (not available in this environment)");
-  const e = new Uint8Array(t);
-  globalThis.crypto.getRandomValues(e);
-  let r = "";
-  for (let n = 0; n < e.length; n += a) {
-    const l = e.subarray(n, Math.min(n + a, e.length));
-    r += String.fromCharCode(...l);
-  }
-  return globalThis.btoa(r).replace(/\+/g, "-").replace(/\//g, "_").replace(/=/g, "");
-}, y = (t) => {
-  if (typeof document > "u")
-    return !1;
-  const e = document.querySelector('meta[http-equiv="Content-Security-Policy"]');
-  return e ? (e.getAttribute("content") ?? "").includes(t) : !1;
-};
-let o = null, c = !1;
-const g = () => typeof window < "u" && typeof window.trustedTypes < "u", d = () => {
-  if (o) return o;
-  if (c || typeof window > "u") return null;
-  const t = window;
-  if (!t.trustedTypes) return null;
-  c = !0;
-  try {
-    return o = t.trustedTypes.createPolicy(i, {
-      createHTML: (e) => u(e)
-    }), o;
-  } catch (e) {
-    const r = e instanceof Error ? e.message : String(e);
-    return console.warn(`bQuery: Could not create Trusted Types policy "${i}": ${r}`), null;
-  }
-}, m = (t) => {
-  const e = d();
-  return e ? e.createHTML(t) : u(t);
-};
+import { a as e, c as t, d as a, i as r, n as i, o as p, r as o, s as c, t as d } from "./sanitize-Bs2dkMby.js";
 export {
-  m as createTrustedHtml,
-  h as escapeHtml,
-  p as generateNonce,
-  d as getTrustedTypesPolicy,
-  y as hasCSPDirective,
-  g as isTrustedTypesSupported,
-  b as sanitize,
-  N as sanitizeHtml,
-  C as stripTags
+  r as createTrustedHtml,
+  d as escapeHtml,
+  c as generateNonce,
+  e as getTrustedTypesPolicy,
+  t as hasCSPDirective,
+  p as isTrustedTypesSupported,
+  i as sanitize,
+  i as sanitizeHtml,
+  o as stripTags,
+  a as trusted
 };
-//# sourceMappingURL=security.es.mjs.map

package/dist/store/define-store.d.ts

@@ -24,5 +24,5 @@ import type { Store, StoreDefinition } from './types';
  * counter.increment();
  * ```
  */
-export declare const defineStore: <S extends Record<string, unknown>, G extends Record<string, unknown> = Record<string, never>, A extends Record<string, (...args: unknown[]) => unknown> = Record<string, never>>(id: string, definition: Omit<StoreDefinition<S, G, A>, "id">) => (() => Store<S, G, A>);
+export declare const defineStore: <S extends Record<string, unknown>, G extends Record<string, unknown> = Record<string, never>, A extends Record<string, (...args: any[]) => any> = Record<string, never>>(id: string, definition: Omit<StoreDefinition<S, G, A>, "id">) => (() => Store<S, G, A>);
 //# sourceMappingURL=define-store.d.ts.map

package/dist/store/define-store.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"define-store.d.ts","sourceRoot":"","sources":["../../src/store/define-store.ts"],"names":[],"mappings":"AAAA;;GAEG;AAIH,OAAO,KAAK,EAAE,KAAK,EAAE,eAAe,EAAE,MAAM,SAAS,CAAC;AAEtD;;;;;;;;;;;;;;;;;;;;;GAqBG;AACH,eAAO,MAAM,WAAW,GACtB,CAAC,SAAS,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EACjC,CAAC,SAAS,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,MAAM,CAAC,MAAM,EAAE,KAAK,CAAC,EACzD,CAAC,SAAS,MAAM,CAAC,MAAM,EAAE,CAAC,GAAG,IAAI,EAAE,OAAO,EAAE,KAAK,OAAO,CAAC,GAAG,MAAM,CAAC,MAAM,EAAE,KAAK,CAAC,EAEjF,IAAI,MAAM,EACV,YAAY,IAAI,CAAC,eAAe,CAAC,CAAC,EAAE,CAAC,EAAE,CAAC,CAAC,EAAE,IAAI,CAAC,KAC/C,CAAC,MAAM,KAAK,CAAC,CAAC,EAAE,CAAC,EAAE,CAAC,CAAC,CAUvB,CAAC"}
+{"version":3,"file":"define-store.d.ts","sourceRoot":"","sources":["../../src/store/define-store.ts"],"names":[],"mappings":"AAAA;;GAEG;AAIH,OAAO,KAAK,EAAE,KAAK,EAAE,eAAe,EAAE,MAAM,SAAS,CAAC;AAEtD;;;;;;;;;;;;;;;;;;;;;GAqBG;AACH,eAAO,MAAM,WAAW,GACtB,CAAC,SAAS,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EACjC,CAAC,SAAS,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,MAAM,CAAC,MAAM,EAAE,KAAK,CAAC,EAEzD,CAAC,SAAS,MAAM,CAAC,MAAM,EAAE,CAAC,GAAG,IAAI,EAAE,GAAG,EAAE,KAAK,GAAG,CAAC,GAAG,MAAM,CAAC,MAAM,EAAE,KAAK,CAAC,EAEzE,IAAI,MAAM,EACV,YAAY,IAAI,CAAC,eAAe,CAAC,CAAC,EAAE,CAAC,EAAE,CAAC,CAAC,EAAE,IAAI,CAAC,KAC/C,CAAC,MAAM,KAAK,CAAC,CAAC,EAAE,CAAC,EAAE,CAAC,CAAC,CAUvB,CAAC"}

package/dist/store/mapping.d.ts

@@ -24,5 +24,5 @@ export declare const mapGetters: <G extends Record<string, unknown>, K extends k
  * @param keys - Action keys to map
  * @returns Object with mapped actions
  */
-export declare const mapActions: <A extends Record<string, (...args: unknown[]) => unknown>, K extends keyof A>(store: A, keys: K[]) => Pick<A, K>;
+export declare const mapActions: <A extends Record<string, (...args: any[]) => any>, K extends keyof A>(store: A, keys: K[]) => Pick<A, K>;
 //# sourceMappingURL=mapping.d.ts.map

package/dist/store/mapping.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"mapping.d.ts","sourceRoot":"","sources":["../../src/store/mapping.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH;;;;;;GAMG;AACH,eAAO,MAAM,QAAQ,GAAI,CAAC,SAAS,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAAE,CAAC,SAAS,MAAM,CAAC,EAC3E,OAAO,CAAC,EACR,MAAM,CAAC,EAAE,KACR,IAAI,CAAC,CAAC,EAAE,CAAC,CAWX,CAAC;AAEF;;;;;;GAMG;AACH,eAAO,MAAM,UAAU,GAAI,CAAC,SAAS,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAAE,CAAC,SAAS,MAAM,CAAC,EAC7E,OAAO,CAAC,EACR,MAAM,CAAC,EAAE,KACR,IAAI,CAAC,CAAC,EAAE,CAAC,CAWX,CAAC;AAEF;;;;;;GAMG;AACH,eAAO,MAAM,UAAU,GACrB,CAAC,SAAS,MAAM,CAAC,MAAM,EAAE,CAAC,GAAG,IAAI,EAAE,OAAO,EAAE,KAAK,OAAO,CAAC,EACzD,CAAC,SAAS,MAAM,CAAC,EAEjB,OAAO,CAAC,EACR,MAAM,CAAC,EAAE,KACR,IAAI,CAAC,CAAC,EAAE,CAAC,CASX,CAAC"}
+{"version":3,"file":"mapping.d.ts","sourceRoot":"","sources":["../../src/store/mapping.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH;;;;;;GAMG;AACH,eAAO,MAAM,QAAQ,GAAI,CAAC,SAAS,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAAE,CAAC,SAAS,MAAM,CAAC,EAC3E,OAAO,CAAC,EACR,MAAM,CAAC,EAAE,KACR,IAAI,CAAC,CAAC,EAAE,CAAC,CAWX,CAAC;AAEF;;;;;;GAMG;AACH,eAAO,MAAM,UAAU,GAAI,CAAC,SAAS,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAAE,CAAC,SAAS,MAAM,CAAC,EAC7E,OAAO,CAAC,EACR,MAAM,CAAC,EAAE,KACR,IAAI,CAAC,CAAC,EAAE,CAAC,CAWX,CAAC;AAEF;;;;;;GAMG;AACH,eAAO,MAAM,UAAU,GAErB,CAAC,SAAS,MAAM,CAAC,MAAM,EAAE,CAAC,GAAG,IAAI,EAAE,GAAG,EAAE,KAAK,GAAG,CAAC,EACjD,CAAC,SAAS,MAAM,CAAC,EAEjB,OAAO,CAAC,EACR,MAAM,CAAC,EAAE,KACR,IAAI,CAAC,CAAC,EAAE,CAAC,CASX,CAAC"}

package/dist/store/persisted.d.ts

@@ -9,5 +9,5 @@ import type { Store, StoreDefinition } from './types';
  * @param storageKey - Optional custom storage key
  * @returns The reactive store instance
  */
-export declare const createPersistedStore: <S extends Record<string, unknown>, G extends Record<string, unknown> = Record<string, never>, A extends Record<string, (...args: unknown[]) => unknown> = Record<string, never>>(definition: StoreDefinition<S, G, A>, storageKey?: string) => Store<S, G, A>;
+export declare const createPersistedStore: <S extends Record<string, unknown>, G extends Record<string, unknown> = Record<string, never>, A extends Record<string, (...args: any[]) => any> = Record<string, never>>(definition: StoreDefinition<S, G, A>, storageKey?: string) => Store<S, G, A>;
 //# sourceMappingURL=persisted.d.ts.map

package/dist/store/persisted.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"persisted.d.ts","sourceRoot":"","sources":["../../src/store/persisted.ts"],"names":[],"mappings":"AAAA;;GAEG;AAGH,OAAO,KAAK,EAAE,KAAK,EAAE,eAAe,EAAE,MAAM,SAAS,CAAC;AAEtD;;;;;;GAMG;AACH,eAAO,MAAM,oBAAoB,GAC/B,CAAC,SAAS,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EACjC,CAAC,SAAS,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,MAAM,CAAC,MAAM,EAAE,KAAK,CAAC,EACzD,CAAC,SAAS,MAAM,CAAC,MAAM,EAAE,CAAC,GAAG,IAAI,EAAE,OAAO,EAAE,KAAK,OAAO,CAAC,GAAG,MAAM,CAAC,MAAM,EAAE,KAAK,CAAC,EAEjF,YAAY,eAAe,CAAC,CAAC,EAAE,CAAC,EAAE,CAAC,CAAC,EACpC,aAAa,MAAM,KAClB,KAAK,CAAC,CAAC,EAAE,CAAC,EAAE,CAAC,CAuCf,CAAC"}
+{"version":3,"file":"persisted.d.ts","sourceRoot":"","sources":["../../src/store/persisted.ts"],"names":[],"mappings":"AAAA;;GAEG;AAGH,OAAO,KAAK,EAAE,KAAK,EAAE,eAAe,EAAE,MAAM,SAAS,CAAC;AAEtD;;;;;;GAMG;AACH,eAAO,MAAM,oBAAoB,GAC/B,CAAC,SAAS,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EACjC,CAAC,SAAS,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,MAAM,CAAC,MAAM,EAAE,KAAK,CAAC,EAEzD,CAAC,SAAS,MAAM,CAAC,MAAM,EAAE,CAAC,GAAG,IAAI,EAAE,GAAG,EAAE,KAAK,GAAG,CAAC,GAAG,MAAM,CAAC,MAAM,EAAE,KAAK,CAAC,EAEzE,YAAY,eAAe,CAAC,CAAC,EAAE,CAAC,EAAE,CAAC,CAAC,EACpC,aAAa,MAAM,KAClB,KAAK,CAAC,CAAC,EAAE,CAAC,EAAE,CAAC,CAuCf,CAAC"}

package/dist/store/types.d.ts

@@ -17,8 +17,8 @@ export type Getters<S, G> = {
  * The `this` context includes state, getters, and other actions.
  */
 export type Actions<S, G, A> = {
-    [K in keyof A]: A[K] extends (...args: infer P) => infer R ? (this: S & G & A, ...args: P) => R : never;
-};
+    [K in keyof A]: A[K];
+} & ThisType<S & G & A>;
 /**
  * Store definition for createStore.
  */

package/dist/store/types.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../src/store/types.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH;;GAEG;AACH,MAAM,MAAM,YAAY,CAAC,CAAC,IAAI,MAAM,CAAC,CAAC;AAEtC;;GAEG;AACH,MAAM,MAAM,OAAO,CAAC,CAAC,EAAE,CAAC,IAAI;KACzB,CAAC,IAAI,MAAM,CAAC,GAAG,CAAC,KAAK,EAAE,CAAC,EAAE,OAAO,EAAE,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;CAC/C,CAAC;AAEF;;;GAGG;AACH,MAAM,MAAM,OAAO,CAAC,CAAC,EAAE,CAAC,EAAE,CAAC,IAAI;KAC5B,CAAC,IAAI,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC,GAAG,IAAI,EAAE,MAAM,CAAC,KAAK,MAAM,CAAC,GACtD,CAAC,IAAI,EAAE,CAAC,GAAG,CAAC,GAAG,CAAC,EAAE,GAAG,IAAI,EAAE,CAAC,KAAK,CAAC,GAClC,KAAK;CACV,CAAC;AAEF;;GAEG;AACH,MAAM,MAAM,eAAe,CACzB,CAAC,SAAS,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAC3D,CAAC,SAAS,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAE3D,CAAC,SAAS,MAAM,CAAC,MAAM,EAAE,CAAC,GAAG,IAAI,EAAE,GAAG,EAAE,KAAK,GAAG,CAAC,GAAG,MAAM,CAAC,MAAM,EAAE,KAAK,CAAC,IACvE;IACF,2CAA2C;IAC3C,EAAE,EAAE,MAAM,CAAC;IACX,6BAA6B;IAC7B,KAAK,EAAE,YAAY,CAAC,CAAC,CAAC,CAAC;IACvB,uBAAuB;IACvB,OAAO,CAAC,EAAE,OAAO,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC;IACxB,qBAAqB;IACrB,OAAO,CAAC,EAAE,OAAO,CAAC,CAAC,EAAE,CAAC,EAAE,CAAC,CAAC,CAAC;CAC5B,CAAC;AAEF;;GAEG;AACH,MAAM,MAAM,eAAe,CAAC,CAAC,IAAI,CAAC,KAAK,EAAE,CAAC,KAAK,IAAI,CAAC;AAEpD;;GAEG;AACH,MAAM,MAAM,UAAU,CAAC,CAAC,IAAI,OAAO,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,KAAK,EAAE,CAAC,KAAK,IAAI,CAAC,CAAC;AAE9D;;GAEG;AACH,MAAM,MAAM,KAAK,CACf,CAAC,SAAS,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EACjC,CAAC,SAAS,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAEjC,CAAC,SAAS,MAAM,CAAC,MAAM,EAAE,CAAC,GAAG,IAAI,EAAE,GAAG,EAAE,KAAK,GAAG,CAAC,IAC/C,CAAC,GACH,CAAC,GACD,CAAC,GAAG;IACF,uBAAuB;IACvB,GAAG,EAAE,MAAM,CAAC;IACZ,oCAAoC;IACpC,MAAM,EAAE,MAAM,IAAI,CAAC;IACnB,iCAAiC;IACjC,UAAU,EAAE,CAAC,QAAQ,EAAE,eAAe,CAAC,CAAC,CAAC,KAAK,MAAM,IAAI,CAAC;IACzD,wDAAwD;IACxD,MAAM,EAAE,CAAC,OAAO,EAAE,UAAU,CAAC,CAAC,CAAC,KAAK,IAAI,CAAC;IACzC;;;;OAIG;IACH,UAAU,EAAE,CAAC,OAAO,EAAE,UAAU,CAAC,CAAC,CAAC,KAAK,IAAI,CAAC;IAC7C,mDAAmD;IACnD,MAAM,EAAE,CAAC,CAAC;CACX,CAAC;AAEJ;;GAEG;AACH,MAAM,MAAM,WAAW,CAAC,CAAC,GAAG,OAAO,IAAI,CAAC,OAAO,EAAE;IAE/C,KAAK,EAAE,KAAK,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,CAAC,CAAC;IAE5B,OAAO,EAAE,eAAe,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,CAAC,CAAC;CACzC,KAAK,OAAO,CAAC,CAAC,CAAC,GAAG,IAAI,CAAC"}
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../src/store/types.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH;;GAEG;AACH,MAAM,MAAM,YAAY,CAAC,CAAC,IAAI,MAAM,CAAC,CAAC;AAEtC;;GAEG;AACH,MAAM,MAAM,OAAO,CAAC,CAAC,EAAE,CAAC,IAAI;KACzB,CAAC,IAAI,MAAM,CAAC,GAAG,CAAC,KAAK,EAAE,CAAC,EAAE,OAAO,EAAE,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;CAC/C,CAAC;AAEF;;;GAGG;AACH,MAAM,MAAM,OAAO,CAAC,CAAC,EAAE,CAAC,EAAE,CAAC,IAAI;KAC5B,CAAC,IAAI,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;CACrB,GAAG,QAAQ,CAAC,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC;AAExB;;GAEG;AACH,MAAM,MAAM,eAAe,CACzB,CAAC,SAAS,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAC3D,CAAC,SAAS,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAE3D,CAAC,SAAS,MAAM,CAAC,MAAM,EAAE,CAAC,GAAG,IAAI,EAAE,GAAG,EAAE,KAAK,GAAG,CAAC,GAAG,MAAM,CAAC,MAAM,EAAE,KAAK,CAAC,IACvE;IACF,2CAA2C;IAC3C,EAAE,EAAE,MAAM,CAAC;IACX,6BAA6B;IAC7B,KAAK,EAAE,YAAY,CAAC,CAAC,CAAC,CAAC;IACvB,uBAAuB;IACvB,OAAO,CAAC,EAAE,OAAO,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC;IACxB,qBAAqB;IACrB,OAAO,CAAC,EAAE,OAAO,CAAC,CAAC,EAAE,CAAC,EAAE,CAAC,CAAC,CAAC;CAC5B,CAAC;AAEF;;GAEG;AACH,MAAM,MAAM,eAAe,CAAC,CAAC,IAAI,CAAC,KAAK,EAAE,CAAC,KAAK,IAAI,CAAC;AAEpD;;GAEG;AACH,MAAM,MAAM,UAAU,CAAC,CAAC,IAAI,OAAO,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,KAAK,EAAE,CAAC,KAAK,IAAI,CAAC,CAAC;AAE9D;;GAEG;AACH,MAAM,MAAM,KAAK,CACf,CAAC,SAAS,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EACjC,CAAC,SAAS,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAEjC,CAAC,SAAS,MAAM,CAAC,MAAM,EAAE,CAAC,GAAG,IAAI,EAAE,GAAG,EAAE,KAAK,GAAG,CAAC,IAC/C,CAAC,GACH,CAAC,GACD,CAAC,GAAG;IACF,uBAAuB;IACvB,GAAG,EAAE,MAAM,CAAC;IACZ,oCAAoC;IACpC,MAAM,EAAE,MAAM,IAAI,CAAC;IACnB,iCAAiC;IACjC,UAAU,EAAE,CAAC,QAAQ,EAAE,eAAe,CAAC,CAAC,CAAC,KAAK,MAAM,IAAI,CAAC;IACzD,wDAAwD;IACxD,MAAM,EAAE,CAAC,OAAO,EAAE,UAAU,CAAC,CAAC,CAAC,KAAK,IAAI,CAAC;IACzC;;;;OAIG;IACH,UAAU,EAAE,CAAC,OAAO,EAAE,UAAU,CAAC,CAAC,CAAC,KAAK,IAAI,CAAC;IAC7C,mDAAmD;IACnD,MAAM,EAAE,CAAC,CAAC;CACX,CAAC;AAEJ;;GAEG;AACH,MAAM,MAAM,WAAW,CAAC,CAAC,GAAG,OAAO,IAAI,CAAC,OAAO,EAAE;IAE/C,KAAK,EAAE,KAAK,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,CAAC,CAAC;IAE5B,OAAO,EAAE,eAAe,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,CAAC,CAAC;CACzC,KAAK,OAAO,CAAC,CAAC,CAAC,GAAG,IAAI,CAAC"}