npm - @character-foundry/character-foundry - Versions diffs - 0.1.6 → 0.1.7 - Mend

@character-foundry/character-foundry 0.1.6 → 0.1.7

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

package/dist/image-utils.cjs ADDED Viewed

@@ -0,0 +1,249 @@
+"use strict";
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+// src/image-utils.ts
+var image_utils_exports = {};
+__export(image_utils_exports, {
+  DEFAULT_SSRF_POLICY: () => DEFAULT_SSRF_POLICY,
+  countImages: () => countImages,
+  extractDataUrls: () => extractDataUrls,
+  extractImageUrls: () => extractImageUrls,
+  extractRemoteImageUrls: () => extractRemoteImageUrls,
+  filterSafeUrls: () => filterSafeUrls,
+  isSafeForFetch: () => isSafeForFetch,
+  isURLSafe: () => isURLSafe
+});
+module.exports = __toCommonJS(image_utils_exports);
+// ../image-utils/dist/index.js
+function extractImageUrls(text, options = {}) {
+  const {
+    includeMarkdown = true,
+    includeHTML = true,
+    includeBase64 = true
+  } = options;
+  const results = [];
+  const seen = /* @__PURE__ */ new Set();
+  if (includeMarkdown) {
+    const markdownPattern = /!\[([^\]]*)\]\(<?([^>\s)]+)>?(?:\s*=[^)]+)?\)/g;
+    let match;
+    while ((match = markdownPattern.exec(text)) !== null) {
+      const url = match[2]?.trim();
+      if (url && !seen.has(url)) {
+        seen.add(url);
+        results.push({
+          url,
+          source: "markdown",
+          context: match[0]
+        });
+      }
+    }
+  }
+  if (includeHTML) {
+    const htmlQuotedPattern = /<img[^>]+src=["']([^"']+)["'][^>]*>/gi;
+    let match;
+    while ((match = htmlQuotedPattern.exec(text)) !== null) {
+      const url = match[1]?.trim();
+      if (url && !seen.has(url)) {
+        seen.add(url);
+        results.push({
+          url,
+          source: "html",
+          context: match[0]
+        });
+      }
+    }
+    const htmlUnquotedPattern = /<img[^>]+src=([^\s"'>]+)[^>]*>/gi;
+    while ((match = htmlUnquotedPattern.exec(text)) !== null) {
+      const url = match[1]?.trim();
+      if (url && !url.startsWith('"') && !url.startsWith("'") && !seen.has(url)) {
+        seen.add(url);
+        results.push({
+          url,
+          source: "html",
+          context: match[0]
+        });
+      }
+    }
+    const cssUrlPattern = /url\(["']?([^)"']+)["']?\)/gi;
+    while ((match = cssUrlPattern.exec(text)) !== null) {
+      const url = match[1]?.trim();
+      if (url && (url.startsWith("http://") || url.startsWith("https://")) && !seen.has(url)) {
+        seen.add(url);
+        results.push({
+          url,
+          source: "html",
+          context: match[0]
+        });
+      }
+    }
+  }
+  if (includeHTML) {
+    const plainUrlPattern = /(?<![("'])(https?:\/\/[^\s<>"']+\.(?:jpg|jpeg|png|gif|webp|svg|avif|bmp))(?![)"'])/gi;
+    let match;
+    while ((match = plainUrlPattern.exec(text)) !== null) {
+      const url = match[0]?.trim();
+      if (url && !seen.has(url)) {
+        seen.add(url);
+        results.push({
+          url,
+          source: "html",
+          context: url
+        });
+      }
+    }
+  }
+  if (includeBase64) {
+    const dataUrlPattern = /data:image\/[^;]+;base64,[A-Za-z0-9+/=]+/g;
+    let match;
+    while ((match = dataUrlPattern.exec(text)) !== null) {
+      const url = match[0];
+      if (!seen.has(url)) {
+        seen.add(url);
+        results.push({
+          url,
+          source: "base64"
+        });
+      }
+    }
+  }
+  return results;
+}
+function extractRemoteImageUrls(text) {
+  const all = extractImageUrls(text, { includeBase64: false });
+  return all.filter((img) => /^https?:\/\//i.test(img.url));
+}
+function extractDataUrls(text) {
+  return extractImageUrls(text, {
+    includeMarkdown: false,
+    includeHTML: false,
+    includeBase64: true
+  });
+}
+function countImages(text) {
+  return extractImageUrls(text).length;
+}
+var DEFAULT_SSRF_POLICY = {
+  allowPrivateIPs: false,
+  allowLocalhost: false,
+  blockedDomains: [],
+  allowedDomains: [],
+  allowDataUrls: false
+};
+function isURLSafe(url, policy = {}) {
+  const config = { ...DEFAULT_SSRF_POLICY, ...policy };
+  let parsed;
+  try {
+    parsed = new URL(url);
+  } catch {
+    return { safe: false, reason: "Invalid URL format" };
+  }
+  if (parsed.protocol === "data:") {
+    if (!config.allowDataUrls) {
+      return { safe: false, reason: "Data URLs not allowed" };
+    }
+    return { safe: true };
+  }
+  if (!["http:", "https:"].includes(parsed.protocol)) {
+    return {
+      safe: false,
+      reason: `Protocol '${parsed.protocol}' not allowed (only http/https)`
+    };
+  }
+  const hostname = parsed.hostname.toLowerCase();
+  if (config.allowedDomains.length > 0) {
+    const isAllowed = config.allowedDomains.some(
+      (pattern) => matchDomainPattern(hostname, pattern)
+    );
+    if (!isAllowed) {
+      return {
+        safe: false,
+        reason: `Domain '${hostname}' not in allowed list`
+      };
+    }
+  }
+  if (config.blockedDomains.length > 0) {
+    const isBlocked = config.blockedDomains.some(
+      (pattern) => matchDomainPattern(hostname, pattern)
+    );
+    if (isBlocked) {
+      return {
+        safe: false,
+        reason: `Domain '${hostname}' is blocked`
+      };
+    }
+  }
+  if (isLocalhost(hostname) && !config.allowLocalhost) {
+    return { safe: false, reason: "Localhost not allowed" };
+  }
+  if (isPrivateIP(hostname) && !config.allowPrivateIPs) {
+    return { safe: false, reason: "Private IP addresses not allowed" };
+  }
+  return { safe: true };
+}
+function isSafeForFetch(url) {
+  return isURLSafe(url).safe;
+}
+function matchDomainPattern(domain, pattern) {
+  if (domain === pattern) return true;
+  if (pattern.startsWith("*.")) {
+    const suffix = pattern.slice(2);
+    return domain.endsWith("." + suffix);
+  }
+  return false;
+}
+function isLocalhost(hostname) {
+  const lower = hostname.toLowerCase();
+  if (lower === "localhost" || lower === "0.0.0.0" || lower.startsWith("127.")) {
+    return true;
+  }
+  if (lower === "::1" || lower === "[::1]") {
+    return true;
+  }
+  return false;
+}
+function isPrivateIP(hostname) {
+  const lower = hostname.toLowerCase();
+  const parts = hostname.split(".").map(Number);
+  if (parts.length === 4 && parts.every((p) => p >= 0 && p <= 255 && !isNaN(p))) {
+    const [octet1, octet2] = parts;
+    if (octet1 === 10) return true;
+    if (octet1 === 172 && octet2 !== void 0 && octet2 >= 16 && octet2 <= 31)
+      return true;
+    if (octet1 === 192 && octet2 === 168) return true;
+    if (octet1 === 169 && octet2 === 254) return true;
+  }
+  const cleanedHostname = lower.replace(/^\[|\]$/g, "");
+  const ipv6Patterns = [
+    /^f[cd][0-9a-f]{2}:/i,
+    // fc00::/7 (includes both fc and fd ranges)
+    /^fe80:/i
+    // fe80::/10 (link-local)
+  ];
+  for (const pattern of ipv6Patterns) {
+    if (pattern.test(cleanedHostname)) {
+      return true;
+    }
+  }
+  return false;
+}
+function filterSafeUrls(urls, policy) {
+  return urls.filter((url) => isURLSafe(url, policy).safe);
+}
+//# sourceMappingURL=image-utils.cjs.map

package/dist/image-utils.cjs.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"sources":["../src/image-utils.ts","../../image-utils/src/extraction.ts","../../image-utils/src/ssrf.ts"],"sourcesContent":["export * from '@character-foundry/image-utils';\n","/**\n * Image URL Extraction\n *\n * Extracts image URLs from markdown, HTML, and base64 data URLs in text.\n * Used across Federation, Archive, and Architect for image processing.\n */\n\nexport interface ImageExtractionOptions {\n /** Include markdown image syntax `![alt](url)` (default: true) */\n includeMarkdown?: boolean;\n /** Include HTML img tags `<img src=\"url\">` (default: true) */\n includeHTML?: boolean;\n /** Include base64 data URLs `data:image/...;base64,...` (default: true) */\n includeBase64?: boolean;\n}\n\nexport interface ExtractedImage {\n /** The extracted URL or data URL */\n url: string;\n /** Source format where the image was found */\n source: 'markdown' | 'html' | 'base64';\n /** Surrounding context for debugging (optional) */\n context?: string;\n}\n\n/**\n * Extract all image URLs from text.\n *\n * Supports markdown, HTML, and base64 data URLs.\n * Returns deduplicated results.\n *\n * @param text - Text to extract image URLs from\n * @param options - Extraction options\n * @returns Array of extracted images with source information\n *\n * @example\n * ```typescript\n * const text = 'Check out ![portrait](avatar.png) and <img src=\"banner.jpg\">';\n * const images = extractImageUrls(text);\n * // [\n * // { url: 'avatar.png', source: 'markdown' },\n * // { url: 'banner.jpg', source: 'html' }\n * // ]\n * ```\n */\nexport function extractImageUrls(\n text: string,\n options: ImageExtractionOptions = {},\n): ExtractedImage[] {\n const {\n includeMarkdown = true,\n includeHTML = true,\n includeBase64 = true,\n } = options;\n\n const results: ExtractedImage[] = [];\n const seen = new Set<string>();\n\n // Extract markdown images: ![alt](url) or ![alt](<url>) or ![alt](url =dimensions)\n // Supports: standard, angle brackets, and SillyTavern dimension syntax\n if (includeMarkdown) {\n const markdownPattern = /!\\[([^\\]]*)\\]\$<?([^>\\s)]+)>?(?:\\s*=[^)]+)?\$/g;\n let match: RegExpExecArray | null;\n\n while ((match = markdownPattern.exec(text)) !== null) {\n const url = match[2]?.trim();\n if (url && !seen.has(url)) {\n seen.add(url);\n results.push({\n url,\n source: 'markdown',\n context: match[0],\n });\n }\n }\n }\n\n // Extract HTML img tags: <img src=\"url\"> (quoted and unquoted)\n if (includeHTML) {\n // Quoted src\n const htmlQuotedPattern = /<img[^>]+src=[\"']([^\"']+)[\"'][^>]*>/gi;\n let match: RegExpExecArray | null;\n\n while ((match = htmlQuotedPattern.exec(text)) !== null) {\n const url = match[1]?.trim();\n if (url && !seen.has(url)) {\n seen.add(url);\n results.push({\n url,\n source: 'html',\n context: match[0],\n });\n }\n }\n\n // Unquoted src (e.g., <img src=url>)\n const htmlUnquotedPattern = /<img[^>]+src=([^\\s\"'>]+)[^>]*>/gi;\n while ((match = htmlUnquotedPattern.exec(text)) !== null) {\n const url = match[1]?.trim();\n // Skip if it starts with a quote (already handled above)\n if (url && !url.startsWith('\"') && !url.startsWith(\"'\") && !seen.has(url)) {\n seen.add(url);\n results.push({\n url,\n source: 'html',\n context: match[0],\n });\n }\n }\n\n // CSS url() function: url(url), url(\"url\"), url('url')\n // Common in background-image, background, content properties\n const cssUrlPattern = /url\$[\"']?([^)\"']+)[\"']?\$/gi;\n while ((match = cssUrlPattern.exec(text)) !== null) {\n const url = match[1]?.trim();\n // Only include http(s) URLs to avoid CSS variables and relative paths\n if (url && (url.startsWith('http://') || url.startsWith('https://')) && !seen.has(url)) {\n seen.add(url);\n results.push({\n url,\n source: 'html',\n context: match[0],\n });\n }\n }\n }\n\n // Extract plain image URLs (not wrapped in any syntax)\n if (includeHTML) {\n // Plain URLs with image extensions (common on image hosts)\n const plainUrlPattern = /(?<![(\"'])(https?:\\/\\/[^\\s<>\"']+\\.(?:jpg|jpeg|png|gif|webp|svg|avif|bmp))(?![)\"'])/gi;\n let match: RegExpExecArray | null;\n\n while ((match = plainUrlPattern.exec(text)) !== null) {\n const url = match[0]?.trim();\n if (url && !seen.has(url)) {\n seen.add(url);\n results.push({\n url,\n source: 'html',\n context: url,\n });\n }\n }\n }\n\n // Extract base64 data URLs: data:image/...;base64,...\n if (includeBase64) {\n const dataUrlPattern = /data:image\\/[^;]+;base64,[A-Za-z0-9+/=]+/g;\n let match: RegExpExecArray | null;\n\n while ((match = dataUrlPattern.exec(text)) !== null) {\n const url = match[0];\n if (!seen.has(url)) {\n seen.add(url);\n results.push({\n url,\n source: 'base64',\n });\n }\n }\n }\n\n return results;\n}\n\n/**\n * Extract only HTTP/HTTPS URLs (excludes data URLs and relative paths).\n *\n * Convenience wrapper around extractImageUrls that filters for remote URLs.\n *\n * @param text - Text to extract URLs from\n * @returns Array of extracted HTTP/HTTPS image URLs\n */\nexport function extractRemoteImageUrls(text: string): ExtractedImage[] {\n const all = extractImageUrls(text, { includeBase64: false });\n return all.filter((img) => /^https?:\\/\\//i.test(img.url));\n}\n\n/**\n * Extract only base64 data URLs.\n *\n * Convenience wrapper around extractImageUrls.\n *\n * @param text - Text to extract data URLs from\n * @returns Array of base64 image data URLs\n */\nexport function extractDataUrls(text: string): ExtractedImage[] {\n return extractImageUrls(text, {\n includeMarkdown: false,\n includeHTML: false,\n includeBase64: true,\n });\n}\n\n/**\n * Count images in text without extracting full details.\n *\n * More efficient than extractImageUrls when you only need the count.\n *\n * @param text - Text to count images in\n * @returns Total number of unique image references\n */\nexport function countImages(text: string): number {\n return extractImageUrls(text).length;\n}\n","/**\n * SSRF (Server-Side Request Forgery) Protection\n *\n * Validates URLs to prevent SSRF attacks.\n * Browser-safe implementation (no Node.js dependencies).\n */\n\nexport interface SSRFPolicy {\n /** Allow private IP addresses (10.x, 172.16-31.x, 192.168.x) (default: false) */\n allowPrivateIPs?: boolean;\n /** Allow localhost/loopback (127.x, ::1) (default: false) */\n allowLocalhost?: boolean;\n /** Blocked domain patterns (e.g., ['internal.company.com', '*.local']) */\n blockedDomains?: string[];\n /** Allowed domain patterns - if provided, ONLY these are allowed */\n allowedDomains?: string[];\n /** Allow data URLs (data:image/...) (default: false) */\n allowDataUrls?: boolean;\n}\n\nexport interface SafetyCheck {\n /** Whether the URL is safe according to policy */\n safe: boolean;\n /** Reason why URL is unsafe (if safe=false) */\n reason?: string;\n}\n\n/**\n * Default SSRF policy - blocks private IPs, localhost, and data URLs.\n */\nexport const DEFAULT_SSRF_POLICY: Required<SSRFPolicy> = {\n allowPrivateIPs: false,\n allowLocalhost: false,\n blockedDomains: [],\n allowedDomains: [],\n allowDataUrls: false,\n};\n\n/**\n * Check if URL is safe to fetch according to SSRF policy.\n *\n * This is the canonical SSRF protection - all apps should use this\n * before fetching external URLs.\n *\n * @param url - URL to validate\n * @param policy - SSRF policy (uses defaults if not provided)\n * @returns Safety check result with reason if unsafe\n *\n * @example\n * ```typescript\n * const check = isURLSafe('http://10.0.0.1/secret');\n * if (!check.safe) {\n * console.error('Unsafe URL:', check.reason);\n * }\n * ```\n */\nexport function isURLSafe(\n url: string,\n policy: SSRFPolicy = {},\n): SafetyCheck {\n const config = { ...DEFAULT_SSRF_POLICY, ...policy };\n\n // Parse URL\n let parsed: URL;\n try {\n parsed = new URL(url);\n } catch {\n return { safe: false, reason: 'Invalid URL format' };\n }\n\n // Check protocol\n if (parsed.protocol === 'data:') {\n if (!config.allowDataUrls) {\n return { safe: false, reason: 'Data URLs not allowed' };\n }\n return { safe: true };\n }\n\n if (!['http:', 'https:'].includes(parsed.protocol)) {\n return {\n safe: false,\n reason: `Protocol '${parsed.protocol}' not allowed (only http/https)`,\n };\n }\n\n const hostname = parsed.hostname.toLowerCase();\n\n // Check allowed domains (whitelist)\n if (config.allowedDomains.length > 0) {\n const isAllowed = config.allowedDomains.some((pattern) =>\n matchDomainPattern(hostname, pattern),\n );\n if (!isAllowed) {\n return {\n safe: false,\n reason: `Domain '${hostname}' not in allowed list`,\n };\n }\n }\n\n // Check blocked domains (blacklist)\n if (config.blockedDomains.length > 0) {\n const isBlocked = config.blockedDomains.some((pattern) =>\n matchDomainPattern(hostname, pattern),\n );\n if (isBlocked) {\n return {\n safe: false,\n reason: `Domain '${hostname}' is blocked`,\n };\n }\n }\n\n // Check localhost\n if (isLocalhost(hostname) && !config.allowLocalhost) {\n return { safe: false, reason: 'Localhost not allowed' };\n }\n\n // Check private IPs\n if (isPrivateIP(hostname) && !config.allowPrivateIPs) {\n return { safe: false, reason: 'Private IP addresses not allowed' };\n }\n\n return { safe: true };\n}\n\n/**\n * Quick check if URL is safe with default policy.\n *\n * Convenience wrapper for common case.\n *\n * @param url - URL to validate\n * @returns true if safe, false otherwise\n */\nexport function isSafeForFetch(url: string): boolean {\n return isURLSafe(url).safe;\n}\n\n/**\n * Match domain against pattern (supports wildcards).\n *\n * @example\n * ```typescript\n * matchDomainPattern('api.github.com', '*.github.com') // true\n * matchDomainPattern('github.com', '*.github.com') // false\n * matchDomainPattern('github.com', 'github.com') // true\n * ```\n */\nfunction matchDomainPattern(domain: string, pattern: string): boolean {\n // Exact match\n if (domain === pattern) return true;\n\n // Wildcard match - only matches subdomains, not the base domain\n if (pattern.startsWith('*.')) {\n const suffix = pattern.slice(2);\n return domain.endsWith('.' + suffix);\n }\n\n return false;\n}\n\n/**\n * Check if hostname is localhost/loopback.\n */\nfunction isLocalhost(hostname: string): boolean {\n const lower = hostname.toLowerCase();\n\n // IPv4 loopback\n if (lower === 'localhost' || lower === '0.0.0.0' || lower.startsWith('127.')) {\n return true;\n }\n\n // IPv6 loopback\n if (lower === '::1' || lower === '[::1]') {\n return true;\n }\n\n return false;\n}\n\n/**\n * Check if hostname is a private IP address.\n *\n * Checks for:\n * - 10.0.0.0/8\n * - 172.16.0.0/12\n * - 192.168.0.0/16\n * - Link-local: 169.254.0.0/16 (includes AWS metadata endpoint)\n * - IPv6 private ranges\n */\nfunction isPrivateIP(hostname: string): boolean {\n const lower = hostname.toLowerCase();\n\n // IPv4 private ranges\n const parts = hostname.split('.').map(Number);\n\n if (\n parts.length === 4 &&\n parts.every((p) => p >= 0 && p <= 255 && !isNaN(p))\n ) {\n const [octet1, octet2] = parts;\n\n // 10.0.0.0/8\n if (octet1 === 10) return true;\n\n // 172.16.0.0/12\n if (octet1 === 172 && octet2 !== undefined && octet2 >= 16 && octet2 <= 31)\n return true;\n\n // 192.168.0.0/16\n if (octet1 === 192 && octet2 === 168) return true;\n\n // 169.254.0.0/16 (link-local) - includes AWS metadata endpoint\n if (octet1 === 169 && octet2 === 254) return true;\n }\n\n // IPv6 private ranges using regex patterns\n // Strip brackets if present (URL parser adds them: [fc00::1])\n const cleanedHostname = lower.replace(/^\\[|\\]$/g, '');\n\n const ipv6Patterns = [\n /^f[cd][0-9a-f]{2}:/i, // fc00::/7 (includes both fc and fd ranges)\n /^fe80:/i, // fe80::/10 (link-local)\n ];\n\n for (const pattern of ipv6Patterns) {\n if (pattern.test(cleanedHostname)) {\n return true;\n }\n }\n\n return false;\n}\n\n/**\n * Filter array of URLs, keeping only safe ones.\n *\n * @param urls - Array of URLs to filter\n * @param policy - SSRF policy\n * @returns Array of safe URLs\n */\nexport function filterSafeUrls(\n urls: string[],\n policy?: SSRFPolicy,\n): string[] {\n return urls.filter((url) => isURLSafe(url, policy).safe);\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;;AC6CO,SAAS,iBACd,MACA,UAAkC,CAAC,GACjB;AAClB,QAAM;IACJ,kBAAkB;IAClB,cAAc;IACd,gBAAgB;EAClB,IAAI;AAEJ,QAAM,UAA4B,CAAC;AACnC,QAAM,OAAO,oBAAI,IAAY;AAI7B,MAAI,iBAAiB;AACnB,UAAM,kBAAkB;AACxB,QAAI;AAEJ,YAAQ,QAAQ,gBAAgB,KAAK,IAAI,OAAO,MAAM;AACpD,YAAM,MAAM,MAAM,CAAC,GAAG,KAAK;AAC3B,UAAI,OAAO,CAAC,KAAK,IAAI,GAAG,GAAG;AACzB,aAAK,IAAI,GAAG;AACZ,gBAAQ,KAAK;UACX;UACA,QAAQ;UACR,SAAS,MAAM,CAAC;QAClB,CAAC;MACH;IACF;EACF;AAGA,MAAI,aAAa;AAEf,UAAM,oBAAoB;AAC1B,QAAI;AAEJ,YAAQ,QAAQ,kBAAkB,KAAK,IAAI,OAAO,MAAM;AACtD,YAAM,MAAM,MAAM,CAAC,GAAG,KAAK;AAC3B,UAAI,OAAO,CAAC,KAAK,IAAI,GAAG,GAAG;AACzB,aAAK,IAAI,GAAG;AACZ,gBAAQ,KAAK;UACX;UACA,QAAQ;UACR,SAAS,MAAM,CAAC;QAClB,CAAC;MACH;IACF;AAGA,UAAM,sBAAsB;AAC5B,YAAQ,QAAQ,oBAAoB,KAAK,IAAI,OAAO,MAAM;AACxD,YAAM,MAAM,MAAM,CAAC,GAAG,KAAK;AAE3B,UAAI,OAAO,CAAC,IAAI,WAAW,GAAG,KAAK,CAAC,IAAI,WAAW,GAAG,KAAK,CAAC,KAAK,IAAI,GAAG,GAAG;AACzE,aAAK,IAAI,GAAG;AACZ,gBAAQ,KAAK;UACX;UACA,QAAQ;UACR,SAAS,MAAM,CAAC;QAClB,CAAC;MACH;IACF;AAIA,UAAM,gBAAgB;AACtB,YAAQ,QAAQ,cAAc,KAAK,IAAI,OAAO,MAAM;AAClD,YAAM,MAAM,MAAM,CAAC,GAAG,KAAK;AAE3B,UAAI,QAAQ,IAAI,WAAW,SAAS,KAAK,IAAI,WAAW,UAAU,MAAM,CAAC,KAAK,IAAI,GAAG,GAAG;AACtF,aAAK,IAAI,GAAG;AACZ,gBAAQ,KAAK;UACX;UACA,QAAQ;UACR,SAAS,MAAM,CAAC;QAClB,CAAC;MACH;IACF;EACF;AAGA,MAAI,aAAa;AAEf,UAAM,kBAAkB;AACxB,QAAI;AAEJ,YAAQ,QAAQ,gBAAgB,KAAK,IAAI,OAAO,MAAM;AACpD,YAAM,MAAM,MAAM,CAAC,GAAG,KAAK;AAC3B,UAAI,OAAO,CAAC,KAAK,IAAI,GAAG,GAAG;AACzB,aAAK,IAAI,GAAG;AACZ,gBAAQ,KAAK;UACX;UACA,QAAQ;UACR,SAAS;QACX,CAAC;MACH;IACF;EACF;AAGA,MAAI,eAAe;AACjB,UAAM,iBAAiB;AACvB,QAAI;AAEJ,YAAQ,QAAQ,eAAe,KAAK,IAAI,OAAO,MAAM;AACnD,YAAM,MAAM,MAAM,CAAC;AACnB,UAAI,CAAC,KAAK,IAAI,GAAG,GAAG;AAClB,aAAK,IAAI,GAAG;AACZ,gBAAQ,KAAK;UACX;UACA,QAAQ;QACV,CAAC;MACH;IACF;EACF;AAEA,SAAO;AACT;AAUO,SAAS,uBAAuB,MAAgC;AACrE,QAAM,MAAM,iBAAiB,MAAM,EAAE,eAAe,MAAM,CAAC;AAC3D,SAAO,IAAI,OAAO,CAAC,QAAQ,gBAAgB,KAAK,IAAI,GAAG,CAAC;AAC1D;AAUO,SAAS,gBAAgB,MAAgC;AAC9D,SAAO,iBAAiB,MAAM;IAC5B,iBAAiB;IACjB,aAAa;IACb,eAAe;EACjB,CAAC;AACH;AAUO,SAAS,YAAY,MAAsB;AAChD,SAAO,iBAAiB,IAAI,EAAE;AAChC;AC/KO,IAAM,sBAA4C;EACvD,iBAAiB;EACjB,gBAAgB;EAChB,gBAAgB,CAAC;EACjB,gBAAgB,CAAC;EACjB,eAAe;AACjB;AAoBO,SAAS,UACd,KACA,SAAqB,CAAC,GACT;AACb,QAAM,SAAS,EAAE,GAAG,qBAAqB,GAAG,OAAO;AAGnD,MAAI;AACJ,MAAI;AACF,aAAS,IAAI,IAAI,GAAG;EACtB,QAAQ;AACN,WAAO,EAAE,MAAM,OAAO,QAAQ,qBAAqB;EACrD;AAGA,MAAI,OAAO,aAAa,SAAS;AAC/B,QAAI,CAAC,OAAO,eAAe;AACzB,aAAO,EAAE,MAAM,OAAO,QAAQ,wBAAwB;IACxD;AACA,WAAO,EAAE,MAAM,KAAK;EACtB;AAEA,MAAI,CAAC,CAAC,SAAS,QAAQ,EAAE,SAAS,OAAO,QAAQ,GAAG;AAClD,WAAO;MACL,MAAM;MACN,QAAQ,aAAa,OAAO,QAAQ;IACtC;EACF;AAEA,QAAM,WAAW,OAAO,SAAS,YAAY;AAG7C,MAAI,OAAO,eAAe,SAAS,GAAG;AACpC,UAAM,YAAY,OAAO,eAAe;MAAK,CAAC,YAC5C,mBAAmB,UAAU,OAAO;IACtC;AACA,QAAI,CAAC,WAAW;AACd,aAAO;QACL,MAAM;QACN,QAAQ,WAAW,QAAQ;MAC7B;IACF;EACF;AAGA,MAAI,OAAO,eAAe,SAAS,GAAG;AACpC,UAAM,YAAY,OAAO,eAAe;MAAK,CAAC,YAC5C,mBAAmB,UAAU,OAAO;IACtC;AACA,QAAI,WAAW;AACb,aAAO;QACL,MAAM;QACN,QAAQ,WAAW,QAAQ;MAC7B;IACF;EACF;AAGA,MAAI,YAAY,QAAQ,KAAK,CAAC,OAAO,gBAAgB;AACnD,WAAO,EAAE,MAAM,OAAO,QAAQ,wBAAwB;EACxD;AAGA,MAAI,YAAY,QAAQ,KAAK,CAAC,OAAO,iBAAiB;AACpD,WAAO,EAAE,MAAM,OAAO,QAAQ,mCAAmC;EACnE;AAEA,SAAO,EAAE,MAAM,KAAK;AACtB;AAUO,SAAS,eAAe,KAAsB;AACnD,SAAO,UAAU,GAAG,EAAE;AACxB;AAYA,SAAS,mBAAmB,QAAgB,SAA0B;AAEpE,MAAI,WAAW,QAAS,QAAO;AAG/B,MAAI,QAAQ,WAAW,IAAI,GAAG;AAC5B,UAAM,SAAS,QAAQ,MAAM,CAAC;AAC9B,WAAO,OAAO,SAAS,MAAM,MAAM;EACrC;AAEA,SAAO;AACT;AAKA,SAAS,YAAY,UAA2B;AAC9C,QAAM,QAAQ,SAAS,YAAY;AAGnC,MAAI,UAAU,eAAe,UAAU,aAAa,MAAM,WAAW,MAAM,GAAG;AAC5E,WAAO;EACT;AAGA,MAAI,UAAU,SAAS,UAAU,SAAS;AACxC,WAAO;EACT;AAEA,SAAO;AACT;AAYA,SAAS,YAAY,UAA2B;AAC9C,QAAM,QAAQ,SAAS,YAAY;AAGnC,QAAM,QAAQ,SAAS,MAAM,GAAG,EAAE,IAAI,MAAM;AAE5C,MACE,MAAM,WAAW,KACjB,MAAM,MAAM,CAAC,MAAM,KAAK,KAAK,KAAK,OAAO,CAAC,MAAM,CAAC,CAAC,GAClD;AACA,UAAM,CAAC,QAAQ,MAAM,IAAI;AAGzB,QAAI,WAAW,GAAI,QAAO;AAG1B,QAAI,WAAW,OAAO,WAAW,UAAa,UAAU,MAAM,UAAU;AACtE,aAAO;AAGT,QAAI,WAAW,OAAO,WAAW,IAAK,QAAO;AAG7C,QAAI,WAAW,OAAO,WAAW,IAAK,QAAO;EAC/C;AAIA,QAAM,kBAAkB,MAAM,QAAQ,YAAY,EAAE;AAEpD,QAAM,eAAe;IACnB;;IACA;;EACF;AAEA,aAAW,WAAW,cAAc;AAClC,QAAI,QAAQ,KAAK,eAAe,GAAG;AACjC,aAAO;IACT;EACF;AAEA,SAAO;AACT;AASO,SAAS,eACd,MACA,QACU;AACV,SAAO,KAAK,OAAO,CAAC,QAAQ,UAAU,KAAK,MAAM,EAAE,IAAI;AACzD;","names":[]}

package/dist/image-utils.d.cts ADDED Viewed

@@ -0,0 +1,136 @@
+/**
+ * Image URL Extraction
+ *
+ * Extracts image URLs from markdown, HTML, and base64 data URLs in text.
+ * Used across Federation, Archive, and Architect for image processing.
+ */
+export interface ImageExtractionOptions {
+	/** Include markdown image syntax `![alt](url)` (default: true) */
+	includeMarkdown?: boolean;
+	/** Include HTML img tags `<img src="url">` (default: true) */
+	includeHTML?: boolean;
+	/** Include base64 data URLs `data:image/...;base64,...` (default: true) */
+	includeBase64?: boolean;
+}
+export interface ExtractedImage {
+	/** The extracted URL or data URL */
+	url: string;
+	/** Source format where the image was found */
+	source: "markdown" | "html" | "base64";
+	/** Surrounding context for debugging (optional) */
+	context?: string;
+}
+/**
+ * Extract all image URLs from text.
+ *
+ * Supports markdown, HTML, and base64 data URLs.
+ * Returns deduplicated results.
+ *
+ * @param text - Text to extract image URLs from
+ * @param options - Extraction options
+ * @returns Array of extracted images with source information
+ *
+ * @example
+ * ```typescript
+ * const text = 'Check out ![portrait](avatar.png) and <img src="banner.jpg">';
+ * const images = extractImageUrls(text);
+ * // [
+ * //   { url: 'avatar.png', source: 'markdown' },
+ * //   { url: 'banner.jpg', source: 'html' }
+ * // ]
+ * ```
+ */
+export declare function extractImageUrls(text: string, options?: ImageExtractionOptions): ExtractedImage[];
+/**
+ * Extract only HTTP/HTTPS URLs (excludes data URLs and relative paths).
+ *
+ * Convenience wrapper around extractImageUrls that filters for remote URLs.
+ *
+ * @param text - Text to extract URLs from
+ * @returns Array of extracted HTTP/HTTPS image URLs
+ */
+export declare function extractRemoteImageUrls(text: string): ExtractedImage[];
+/**
+ * Extract only base64 data URLs.
+ *
+ * Convenience wrapper around extractImageUrls.
+ *
+ * @param text - Text to extract data URLs from
+ * @returns Array of base64 image data URLs
+ */
+export declare function extractDataUrls(text: string): ExtractedImage[];
+/**
+ * Count images in text without extracting full details.
+ *
+ * More efficient than extractImageUrls when you only need the count.
+ *
+ * @param text - Text to count images in
+ * @returns Total number of unique image references
+ */
+export declare function countImages(text: string): number;
+/**
+ * SSRF (Server-Side Request Forgery) Protection
+ *
+ * Validates URLs to prevent SSRF attacks.
+ * Browser-safe implementation (no Node.js dependencies).
+ */
+export interface SSRFPolicy {
+	/** Allow private IP addresses (10.x, 172.16-31.x, 192.168.x) (default: false) */
+	allowPrivateIPs?: boolean;
+	/** Allow localhost/loopback (127.x, ::1) (default: false) */
+	allowLocalhost?: boolean;
+	/** Blocked domain patterns (e.g., ['internal.company.com', '*.local']) */
+	blockedDomains?: string[];
+	/** Allowed domain patterns - if provided, ONLY these are allowed */
+	allowedDomains?: string[];
+	/** Allow data URLs (data:image/...) (default: false) */
+	allowDataUrls?: boolean;
+}
+export interface SafetyCheck {
+	/** Whether the URL is safe according to policy */
+	safe: boolean;
+	/** Reason why URL is unsafe (if safe=false) */
+	reason?: string;
+}
+/**
+ * Default SSRF policy - blocks private IPs, localhost, and data URLs.
+ */
+export declare const DEFAULT_SSRF_POLICY: Required<SSRFPolicy>;
+/**
+ * Check if URL is safe to fetch according to SSRF policy.
+ *
+ * This is the canonical SSRF protection - all apps should use this
+ * before fetching external URLs.
+ *
+ * @param url - URL to validate
+ * @param policy - SSRF policy (uses defaults if not provided)
+ * @returns Safety check result with reason if unsafe
+ *
+ * @example
+ * ```typescript
+ * const check = isURLSafe('http://10.0.0.1/secret');
+ * if (!check.safe) {
+ *   console.error('Unsafe URL:', check.reason);
+ * }
+ * ```
+ */
+export declare function isURLSafe(url: string, policy?: SSRFPolicy): SafetyCheck;
+/**
+ * Quick check if URL is safe with default policy.
+ *
+ * Convenience wrapper for common case.
+ *
+ * @param url - URL to validate
+ * @returns true if safe, false otherwise
+ */
+export declare function isSafeForFetch(url: string): boolean;
+/**
+ * Filter array of URLs, keeping only safe ones.
+ *
+ * @param urls - Array of URLs to filter
+ * @param policy - SSRF policy
+ * @returns Array of safe URLs
+ */
+export declare function filterSafeUrls(urls: string[], policy?: SSRFPolicy): string[];
+export {};

package/dist/image-utils.d.ts ADDED Viewed

@@ -0,0 +1,136 @@
+/**
+ * Image URL Extraction
+ *
+ * Extracts image URLs from markdown, HTML, and base64 data URLs in text.
+ * Used across Federation, Archive, and Architect for image processing.
+ */
+export interface ImageExtractionOptions {
+	/** Include markdown image syntax `![alt](url)` (default: true) */
+	includeMarkdown?: boolean;
+	/** Include HTML img tags `<img src="url">` (default: true) */
+	includeHTML?: boolean;
+	/** Include base64 data URLs `data:image/...;base64,...` (default: true) */
+	includeBase64?: boolean;
+}
+export interface ExtractedImage {
+	/** The extracted URL or data URL */
+	url: string;
+	/** Source format where the image was found */
+	source: "markdown" | "html" | "base64";
+	/** Surrounding context for debugging (optional) */
+	context?: string;
+}
+/**
+ * Extract all image URLs from text.
+ *
+ * Supports markdown, HTML, and base64 data URLs.
+ * Returns deduplicated results.
+ *
+ * @param text - Text to extract image URLs from
+ * @param options - Extraction options
+ * @returns Array of extracted images with source information
+ *
+ * @example
+ * ```typescript
+ * const text = 'Check out ![portrait](avatar.png) and <img src="banner.jpg">';
+ * const images = extractImageUrls(text);
+ * // [
+ * //   { url: 'avatar.png', source: 'markdown' },
+ * //   { url: 'banner.jpg', source: 'html' }
+ * // ]
+ * ```
+ */
+export declare function extractImageUrls(text: string, options?: ImageExtractionOptions): ExtractedImage[];
+/**
+ * Extract only HTTP/HTTPS URLs (excludes data URLs and relative paths).
+ *
+ * Convenience wrapper around extractImageUrls that filters for remote URLs.
+ *
+ * @param text - Text to extract URLs from
+ * @returns Array of extracted HTTP/HTTPS image URLs
+ */
+export declare function extractRemoteImageUrls(text: string): ExtractedImage[];
+/**
+ * Extract only base64 data URLs.
+ *
+ * Convenience wrapper around extractImageUrls.
+ *
+ * @param text - Text to extract data URLs from
+ * @returns Array of base64 image data URLs
+ */
+export declare function extractDataUrls(text: string): ExtractedImage[];
+/**
+ * Count images in text without extracting full details.
+ *
+ * More efficient than extractImageUrls when you only need the count.
+ *
+ * @param text - Text to count images in
+ * @returns Total number of unique image references
+ */
+export declare function countImages(text: string): number;
+/**
+ * SSRF (Server-Side Request Forgery) Protection
+ *
+ * Validates URLs to prevent SSRF attacks.
+ * Browser-safe implementation (no Node.js dependencies).
+ */
+export interface SSRFPolicy {
+	/** Allow private IP addresses (10.x, 172.16-31.x, 192.168.x) (default: false) */
+	allowPrivateIPs?: boolean;
+	/** Allow localhost/loopback (127.x, ::1) (default: false) */
+	allowLocalhost?: boolean;
+	/** Blocked domain patterns (e.g., ['internal.company.com', '*.local']) */
+	blockedDomains?: string[];
+	/** Allowed domain patterns - if provided, ONLY these are allowed */
+	allowedDomains?: string[];
+	/** Allow data URLs (data:image/...) (default: false) */
+	allowDataUrls?: boolean;
+}
+export interface SafetyCheck {
+	/** Whether the URL is safe according to policy */
+	safe: boolean;
+	/** Reason why URL is unsafe (if safe=false) */
+	reason?: string;
+}
+/**
+ * Default SSRF policy - blocks private IPs, localhost, and data URLs.
+ */
+export declare const DEFAULT_SSRF_POLICY: Required<SSRFPolicy>;
+/**
+ * Check if URL is safe to fetch according to SSRF policy.
+ *
+ * This is the canonical SSRF protection - all apps should use this
+ * before fetching external URLs.
+ *
+ * @param url - URL to validate
+ * @param policy - SSRF policy (uses defaults if not provided)
+ * @returns Safety check result with reason if unsafe
+ *
+ * @example
+ * ```typescript
+ * const check = isURLSafe('http://10.0.0.1/secret');
+ * if (!check.safe) {
+ *   console.error('Unsafe URL:', check.reason);
+ * }
+ * ```
+ */
+export declare function isURLSafe(url: string, policy?: SSRFPolicy): SafetyCheck;
+/**
+ * Quick check if URL is safe with default policy.
+ *
+ * Convenience wrapper for common case.
+ *
+ * @param url - URL to validate
+ * @returns true if safe, false otherwise
+ */
+export declare function isSafeForFetch(url: string): boolean;
+/**
+ * Filter array of URLs, keeping only safe ones.
+ *
+ * @param urls - Array of URLs to filter
+ * @param policy - SSRF policy
+ * @returns Array of safe URLs
+ */
+export declare function filterSafeUrls(urls: string[], policy?: SSRFPolicy): string[];
+export {};

package/dist/image-utils.js ADDED Viewed

@@ -0,0 +1,226 @@
+// ../image-utils/dist/index.js
+function extractImageUrls(text, options = {}) {
+  const {
+    includeMarkdown = true,
+    includeHTML = true,
+    includeBase64 = true
+  } = options;
+  const results = [];
+  const seen = /* @__PURE__ */ new Set();
+  if (includeMarkdown) {
+    const markdownPattern = /!\[([^\]]*)\]\(<?([^>\s)]+)>?(?:\s*=[^)]+)?\)/g;
+    let match;
+    while ((match = markdownPattern.exec(text)) !== null) {
+      const url = match[2]?.trim();
+      if (url && !seen.has(url)) {
+        seen.add(url);
+        results.push({
+          url,
+          source: "markdown",
+          context: match[0]
+        });
+      }
+    }
+  }
+  if (includeHTML) {
+    const htmlQuotedPattern = /<img[^>]+src=["']([^"']+)["'][^>]*>/gi;
+    let match;
+    while ((match = htmlQuotedPattern.exec(text)) !== null) {
+      const url = match[1]?.trim();
+      if (url && !seen.has(url)) {
+        seen.add(url);
+        results.push({
+          url,
+          source: "html",
+          context: match[0]
+        });
+      }
+    }
+    const htmlUnquotedPattern = /<img[^>]+src=([^\s"'>]+)[^>]*>/gi;
+    while ((match = htmlUnquotedPattern.exec(text)) !== null) {
+      const url = match[1]?.trim();
+      if (url && !url.startsWith('"') && !url.startsWith("'") && !seen.has(url)) {
+        seen.add(url);
+        results.push({
+          url,
+          source: "html",
+          context: match[0]
+        });
+      }
+    }
+    const cssUrlPattern = /url\(["']?([^)"']+)["']?\)/gi;
+    while ((match = cssUrlPattern.exec(text)) !== null) {
+      const url = match[1]?.trim();
+      if (url && (url.startsWith("http://") || url.startsWith("https://")) && !seen.has(url)) {
+        seen.add(url);
+        results.push({
+          url,
+          source: "html",
+          context: match[0]
+        });
+      }
+    }
+  }
+  if (includeHTML) {
+    const plainUrlPattern = /(?<![("'])(https?:\/\/[^\s<>"']+\.(?:jpg|jpeg|png|gif|webp|svg|avif|bmp))(?![)"'])/gi;
+    let match;
+    while ((match = plainUrlPattern.exec(text)) !== null) {
+      const url = match[0]?.trim();
+      if (url && !seen.has(url)) {
+        seen.add(url);
+        results.push({
+          url,
+          source: "html",
+          context: url
+        });
+      }
+    }
+  }
+  if (includeBase64) {
+    const dataUrlPattern = /data:image\/[^;]+;base64,[A-Za-z0-9+/=]+/g;
+    let match;
+    while ((match = dataUrlPattern.exec(text)) !== null) {
+      const url = match[0];
+      if (!seen.has(url)) {
+        seen.add(url);
+        results.push({
+          url,
+          source: "base64"
+        });
+      }
+    }
+  }
+  return results;
+}
+function extractRemoteImageUrls(text) {
+  const all = extractImageUrls(text, { includeBase64: false });
+  return all.filter((img) => /^https?:\/\//i.test(img.url));
+}
+function extractDataUrls(text) {
+  return extractImageUrls(text, {
+    includeMarkdown: false,
+    includeHTML: false,
+    includeBase64: true
+  });
+}
+function countImages(text) {
+  return extractImageUrls(text).length;
+}
+var DEFAULT_SSRF_POLICY = {
+  allowPrivateIPs: false,
+  allowLocalhost: false,
+  blockedDomains: [],
+  allowedDomains: [],
+  allowDataUrls: false
+};
+function isURLSafe(url, policy = {}) {
+  const config = { ...DEFAULT_SSRF_POLICY, ...policy };
+  let parsed;
+  try {
+    parsed = new URL(url);
+  } catch {
+    return { safe: false, reason: "Invalid URL format" };
+  }
+  if (parsed.protocol === "data:") {
+    if (!config.allowDataUrls) {
+      return { safe: false, reason: "Data URLs not allowed" };
+    }
+    return { safe: true };
+  }
+  if (!["http:", "https:"].includes(parsed.protocol)) {
+    return {
+      safe: false,
+      reason: `Protocol '${parsed.protocol}' not allowed (only http/https)`
+    };
+  }
+  const hostname = parsed.hostname.toLowerCase();
+  if (config.allowedDomains.length > 0) {
+    const isAllowed = config.allowedDomains.some(
+      (pattern) => matchDomainPattern(hostname, pattern)
+    );
+    if (!isAllowed) {
+      return {
+        safe: false,
+        reason: `Domain '${hostname}' not in allowed list`
+      };
+    }
+  }
+  if (config.blockedDomains.length > 0) {
+    const isBlocked = config.blockedDomains.some(
+      (pattern) => matchDomainPattern(hostname, pattern)
+    );
+    if (isBlocked) {
+      return {
+        safe: false,
+        reason: `Domain '${hostname}' is blocked`
+      };
+    }
+  }
+  if (isLocalhost(hostname) && !config.allowLocalhost) {
+    return { safe: false, reason: "Localhost not allowed" };
+  }
+  if (isPrivateIP(hostname) && !config.allowPrivateIPs) {
+    return { safe: false, reason: "Private IP addresses not allowed" };
+  }
+  return { safe: true };
+}
+function isSafeForFetch(url) {
+  return isURLSafe(url).safe;
+}
+function matchDomainPattern(domain, pattern) {
+  if (domain === pattern) return true;
+  if (pattern.startsWith("*.")) {
+    const suffix = pattern.slice(2);
+    return domain.endsWith("." + suffix);
+  }
+  return false;
+}
+function isLocalhost(hostname) {
+  const lower = hostname.toLowerCase();
+  if (lower === "localhost" || lower === "0.0.0.0" || lower.startsWith("127.")) {
+    return true;
+  }
+  if (lower === "::1" || lower === "[::1]") {
+    return true;
+  }
+  return false;
+}
+function isPrivateIP(hostname) {
+  const lower = hostname.toLowerCase();
+  const parts = hostname.split(".").map(Number);
+  if (parts.length === 4 && parts.every((p) => p >= 0 && p <= 255 && !isNaN(p))) {
+    const [octet1, octet2] = parts;
+    if (octet1 === 10) return true;
+    if (octet1 === 172 && octet2 !== void 0 && octet2 >= 16 && octet2 <= 31)
+      return true;
+    if (octet1 === 192 && octet2 === 168) return true;
+    if (octet1 === 169 && octet2 === 254) return true;
+  }
+  const cleanedHostname = lower.replace(/^\[|\]$/g, "");
+  const ipv6Patterns = [
+    /^f[cd][0-9a-f]{2}:/i,
+    // fc00::/7 (includes both fc and fd ranges)
+    /^fe80:/i
+    // fe80::/10 (link-local)
+  ];
+  for (const pattern of ipv6Patterns) {
+    if (pattern.test(cleanedHostname)) {
+      return true;
+    }
+  }
+  return false;
+}
+function filterSafeUrls(urls, policy) {
+  return urls.filter((url) => isURLSafe(url, policy).safe);
+}
+export {
+  DEFAULT_SSRF_POLICY,
+  countImages,
+  extractDataUrls,
+  extractImageUrls,
+  extractRemoteImageUrls,
+  filterSafeUrls,
+  isSafeForFetch,
+  isURLSafe
+};
+//# sourceMappingURL=image-utils.js.map

package/dist/image-utils.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"sources":["../../image-utils/src/extraction.ts","../../image-utils/src/ssrf.ts"],"sourcesContent":["/**\n * Image URL Extraction\n *\n * Extracts image URLs from markdown, HTML, and base64 data URLs in text.\n * Used across Federation, Archive, and Architect for image processing.\n */\n\nexport interface ImageExtractionOptions {\n /** Include markdown image syntax `![alt](url)` (default: true) */\n includeMarkdown?: boolean;\n /** Include HTML img tags `<img src=\"url\">` (default: true) */\n includeHTML?: boolean;\n /** Include base64 data URLs `data:image/...;base64,...` (default: true) */\n includeBase64?: boolean;\n}\n\nexport interface ExtractedImage {\n /** The extracted URL or data URL */\n url: string;\n /** Source format where the image was found */\n source: 'markdown' | 'html' | 'base64';\n /** Surrounding context for debugging (optional) */\n context?: string;\n}\n\n/**\n * Extract all image URLs from text.\n *\n * Supports markdown, HTML, and base64 data URLs.\n * Returns deduplicated results.\n *\n * @param text - Text to extract image URLs from\n * @param options - Extraction options\n * @returns Array of extracted images with source information\n *\n * @example\n * ```typescript\n * const text = 'Check out ![portrait](avatar.png) and <img src=\"banner.jpg\">';\n * const images = extractImageUrls(text);\n * // [\n * // { url: 'avatar.png', source: 'markdown' },\n * // { url: 'banner.jpg', source: 'html' }\n * // ]\n * ```\n */\nexport function extractImageUrls(\n text: string,\n options: ImageExtractionOptions = {},\n): ExtractedImage[] {\n const {\n includeMarkdown = true,\n includeHTML = true,\n includeBase64 = true,\n } = options;\n\n const results: ExtractedImage[] = [];\n const seen = new Set<string>();\n\n // Extract markdown images: ![alt](url) or ![alt](<url>) or ![alt](url =dimensions)\n // Supports: standard, angle brackets, and SillyTavern dimension syntax\n if (includeMarkdown) {\n const markdownPattern = /!\\[([^\\]]*)\\]\$<?([^>\\s)]+)>?(?:\\s*=[^)]+)?\$/g;\n let match: RegExpExecArray | null;\n\n while ((match = markdownPattern.exec(text)) !== null) {\n const url = match[2]?.trim();\n if (url && !seen.has(url)) {\n seen.add(url);\n results.push({\n url,\n source: 'markdown',\n context: match[0],\n });\n }\n }\n }\n\n // Extract HTML img tags: <img src=\"url\"> (quoted and unquoted)\n if (includeHTML) {\n // Quoted src\n const htmlQuotedPattern = /<img[^>]+src=[\"']([^\"']+)[\"'][^>]*>/gi;\n let match: RegExpExecArray | null;\n\n while ((match = htmlQuotedPattern.exec(text)) !== null) {\n const url = match[1]?.trim();\n if (url && !seen.has(url)) {\n seen.add(url);\n results.push({\n url,\n source: 'html',\n context: match[0],\n });\n }\n }\n\n // Unquoted src (e.g., <img src=url>)\n const htmlUnquotedPattern = /<img[^>]+src=([^\\s\"'>]+)[^>]*>/gi;\n while ((match = htmlUnquotedPattern.exec(text)) !== null) {\n const url = match[1]?.trim();\n // Skip if it starts with a quote (already handled above)\n if (url && !url.startsWith('\"') && !url.startsWith(\"'\") && !seen.has(url)) {\n seen.add(url);\n results.push({\n url,\n source: 'html',\n context: match[0],\n });\n }\n }\n\n // CSS url() function: url(url), url(\"url\"), url('url')\n // Common in background-image, background, content properties\n const cssUrlPattern = /url\$[\"']?([^)\"']+)[\"']?\$/gi;\n while ((match = cssUrlPattern.exec(text)) !== null) {\n const url = match[1]?.trim();\n // Only include http(s) URLs to avoid CSS variables and relative paths\n if (url && (url.startsWith('http://') || url.startsWith('https://')) && !seen.has(url)) {\n seen.add(url);\n results.push({\n url,\n source: 'html',\n context: match[0],\n });\n }\n }\n }\n\n // Extract plain image URLs (not wrapped in any syntax)\n if (includeHTML) {\n // Plain URLs with image extensions (common on image hosts)\n const plainUrlPattern = /(?<![(\"'])(https?:\\/\\/[^\\s<>\"']+\\.(?:jpg|jpeg|png|gif|webp|svg|avif|bmp))(?![)\"'])/gi;\n let match: RegExpExecArray | null;\n\n while ((match = plainUrlPattern.exec(text)) !== null) {\n const url = match[0]?.trim();\n if (url && !seen.has(url)) {\n seen.add(url);\n results.push({\n url,\n source: 'html',\n context: url,\n });\n }\n }\n }\n\n // Extract base64 data URLs: data:image/...;base64,...\n if (includeBase64) {\n const dataUrlPattern = /data:image\\/[^;]+;base64,[A-Za-z0-9+/=]+/g;\n let match: RegExpExecArray | null;\n\n while ((match = dataUrlPattern.exec(text)) !== null) {\n const url = match[0];\n if (!seen.has(url)) {\n seen.add(url);\n results.push({\n url,\n source: 'base64',\n });\n }\n }\n }\n\n return results;\n}\n\n/**\n * Extract only HTTP/HTTPS URLs (excludes data URLs and relative paths).\n *\n * Convenience wrapper around extractImageUrls that filters for remote URLs.\n *\n * @param text - Text to extract URLs from\n * @returns Array of extracted HTTP/HTTPS image URLs\n */\nexport function extractRemoteImageUrls(text: string): ExtractedImage[] {\n const all = extractImageUrls(text, { includeBase64: false });\n return all.filter((img) => /^https?:\\/\\//i.test(img.url));\n}\n\n/**\n * Extract only base64 data URLs.\n *\n * Convenience wrapper around extractImageUrls.\n *\n * @param text - Text to extract data URLs from\n * @returns Array of base64 image data URLs\n */\nexport function extractDataUrls(text: string): ExtractedImage[] {\n return extractImageUrls(text, {\n includeMarkdown: false,\n includeHTML: false,\n includeBase64: true,\n });\n}\n\n/**\n * Count images in text without extracting full details.\n *\n * More efficient than extractImageUrls when you only need the count.\n *\n * @param text - Text to count images in\n * @returns Total number of unique image references\n */\nexport function countImages(text: string): number {\n return extractImageUrls(text).length;\n}\n","/**\n * SSRF (Server-Side Request Forgery) Protection\n *\n * Validates URLs to prevent SSRF attacks.\n * Browser-safe implementation (no Node.js dependencies).\n */\n\nexport interface SSRFPolicy {\n /** Allow private IP addresses (10.x, 172.16-31.x, 192.168.x) (default: false) */\n allowPrivateIPs?: boolean;\n /** Allow localhost/loopback (127.x, ::1) (default: false) */\n allowLocalhost?: boolean;\n /** Blocked domain patterns (e.g., ['internal.company.com', '*.local']) */\n blockedDomains?: string[];\n /** Allowed domain patterns - if provided, ONLY these are allowed */\n allowedDomains?: string[];\n /** Allow data URLs (data:image/...) (default: false) */\n allowDataUrls?: boolean;\n}\n\nexport interface SafetyCheck {\n /** Whether the URL is safe according to policy */\n safe: boolean;\n /** Reason why URL is unsafe (if safe=false) */\n reason?: string;\n}\n\n/**\n * Default SSRF policy - blocks private IPs, localhost, and data URLs.\n */\nexport const DEFAULT_SSRF_POLICY: Required<SSRFPolicy> = {\n allowPrivateIPs: false,\n allowLocalhost: false,\n blockedDomains: [],\n allowedDomains: [],\n allowDataUrls: false,\n};\n\n/**\n * Check if URL is safe to fetch according to SSRF policy.\n *\n * This is the canonical SSRF protection - all apps should use this\n * before fetching external URLs.\n *\n * @param url - URL to validate\n * @param policy - SSRF policy (uses defaults if not provided)\n * @returns Safety check result with reason if unsafe\n *\n * @example\n * ```typescript\n * const check = isURLSafe('http://10.0.0.1/secret');\n * if (!check.safe) {\n * console.error('Unsafe URL:', check.reason);\n * }\n * ```\n */\nexport function isURLSafe(\n url: string,\n policy: SSRFPolicy = {},\n): SafetyCheck {\n const config = { ...DEFAULT_SSRF_POLICY, ...policy };\n\n // Parse URL\n let parsed: URL;\n try {\n parsed = new URL(url);\n } catch {\n return { safe: false, reason: 'Invalid URL format' };\n }\n\n // Check protocol\n if (parsed.protocol === 'data:') {\n if (!config.allowDataUrls) {\n return { safe: false, reason: 'Data URLs not allowed' };\n }\n return { safe: true };\n }\n\n if (!['http:', 'https:'].includes(parsed.protocol)) {\n return {\n safe: false,\n reason: `Protocol '${parsed.protocol}' not allowed (only http/https)`,\n };\n }\n\n const hostname = parsed.hostname.toLowerCase();\n\n // Check allowed domains (whitelist)\n if (config.allowedDomains.length > 0) {\n const isAllowed = config.allowedDomains.some((pattern) =>\n matchDomainPattern(hostname, pattern),\n );\n if (!isAllowed) {\n return {\n safe: false,\n reason: `Domain '${hostname}' not in allowed list`,\n };\n }\n }\n\n // Check blocked domains (blacklist)\n if (config.blockedDomains.length > 0) {\n const isBlocked = config.blockedDomains.some((pattern) =>\n matchDomainPattern(hostname, pattern),\n );\n if (isBlocked) {\n return {\n safe: false,\n reason: `Domain '${hostname}' is blocked`,\n };\n }\n }\n\n // Check localhost\n if (isLocalhost(hostname) && !config.allowLocalhost) {\n return { safe: false, reason: 'Localhost not allowed' };\n }\n\n // Check private IPs\n if (isPrivateIP(hostname) && !config.allowPrivateIPs) {\n return { safe: false, reason: 'Private IP addresses not allowed' };\n }\n\n return { safe: true };\n}\n\n/**\n * Quick check if URL is safe with default policy.\n *\n * Convenience wrapper for common case.\n *\n * @param url - URL to validate\n * @returns true if safe, false otherwise\n */\nexport function isSafeForFetch(url: string): boolean {\n return isURLSafe(url).safe;\n}\n\n/**\n * Match domain against pattern (supports wildcards).\n *\n * @example\n * ```typescript\n * matchDomainPattern('api.github.com', '*.github.com') // true\n * matchDomainPattern('github.com', '*.github.com') // false\n * matchDomainPattern('github.com', 'github.com') // true\n * ```\n */\nfunction matchDomainPattern(domain: string, pattern: string): boolean {\n // Exact match\n if (domain === pattern) return true;\n\n // Wildcard match - only matches subdomains, not the base domain\n if (pattern.startsWith('*.')) {\n const suffix = pattern.slice(2);\n return domain.endsWith('.' + suffix);\n }\n\n return false;\n}\n\n/**\n * Check if hostname is localhost/loopback.\n */\nfunction isLocalhost(hostname: string): boolean {\n const lower = hostname.toLowerCase();\n\n // IPv4 loopback\n if (lower === 'localhost' || lower === '0.0.0.0' || lower.startsWith('127.')) {\n return true;\n }\n\n // IPv6 loopback\n if (lower === '::1' || lower === '[::1]') {\n return true;\n }\n\n return false;\n}\n\n/**\n * Check if hostname is a private IP address.\n *\n * Checks for:\n * - 10.0.0.0/8\n * - 172.16.0.0/12\n * - 192.168.0.0/16\n * - Link-local: 169.254.0.0/16 (includes AWS metadata endpoint)\n * - IPv6 private ranges\n */\nfunction isPrivateIP(hostname: string): boolean {\n const lower = hostname.toLowerCase();\n\n // IPv4 private ranges\n const parts = hostname.split('.').map(Number);\n\n if (\n parts.length === 4 &&\n parts.every((p) => p >= 0 && p <= 255 && !isNaN(p))\n ) {\n const [octet1, octet2] = parts;\n\n // 10.0.0.0/8\n if (octet1 === 10) return true;\n\n // 172.16.0.0/12\n if (octet1 === 172 && octet2 !== undefined && octet2 >= 16 && octet2 <= 31)\n return true;\n\n // 192.168.0.0/16\n if (octet1 === 192 && octet2 === 168) return true;\n\n // 169.254.0.0/16 (link-local) - includes AWS metadata endpoint\n if (octet1 === 169 && octet2 === 254) return true;\n }\n\n // IPv6 private ranges using regex patterns\n // Strip brackets if present (URL parser adds them: [fc00::1])\n const cleanedHostname = lower.replace(/^\\[|\\]$/g, '');\n\n const ipv6Patterns = [\n /^f[cd][0-9a-f]{2}:/i, // fc00::/7 (includes both fc and fd ranges)\n /^fe80:/i, // fe80::/10 (link-local)\n ];\n\n for (const pattern of ipv6Patterns) {\n if (pattern.test(cleanedHostname)) {\n return true;\n }\n }\n\n return false;\n}\n\n/**\n * Filter array of URLs, keeping only safe ones.\n *\n * @param urls - Array of URLs to filter\n * @param policy - SSRF policy\n * @returns Array of safe URLs\n */\nexport function filterSafeUrls(\n urls: string[],\n policy?: SSRFPolicy,\n): string[] {\n return urls.filter((url) => isURLSafe(url, policy).safe);\n}\n"],"mappings":";AA6CO,SAAS,iBACd,MACA,UAAkC,CAAC,GACjB;AAClB,QAAM;IACJ,kBAAkB;IAClB,cAAc;IACd,gBAAgB;EAClB,IAAI;AAEJ,QAAM,UAA4B,CAAC;AACnC,QAAM,OAAO,oBAAI,IAAY;AAI7B,MAAI,iBAAiB;AACnB,UAAM,kBAAkB;AACxB,QAAI;AAEJ,YAAQ,QAAQ,gBAAgB,KAAK,IAAI,OAAO,MAAM;AACpD,YAAM,MAAM,MAAM,CAAC,GAAG,KAAK;AAC3B,UAAI,OAAO,CAAC,KAAK,IAAI,GAAG,GAAG;AACzB,aAAK,IAAI,GAAG;AACZ,gBAAQ,KAAK;UACX;UACA,QAAQ;UACR,SAAS,MAAM,CAAC;QAClB,CAAC;MACH;IACF;EACF;AAGA,MAAI,aAAa;AAEf,UAAM,oBAAoB;AAC1B,QAAI;AAEJ,YAAQ,QAAQ,kBAAkB,KAAK,IAAI,OAAO,MAAM;AACtD,YAAM,MAAM,MAAM,CAAC,GAAG,KAAK;AAC3B,UAAI,OAAO,CAAC,KAAK,IAAI,GAAG,GAAG;AACzB,aAAK,IAAI,GAAG;AACZ,gBAAQ,KAAK;UACX;UACA,QAAQ;UACR,SAAS,MAAM,CAAC;QAClB,CAAC;MACH;IACF;AAGA,UAAM,sBAAsB;AAC5B,YAAQ,QAAQ,oBAAoB,KAAK,IAAI,OAAO,MAAM;AACxD,YAAM,MAAM,MAAM,CAAC,GAAG,KAAK;AAE3B,UAAI,OAAO,CAAC,IAAI,WAAW,GAAG,KAAK,CAAC,IAAI,WAAW,GAAG,KAAK,CAAC,KAAK,IAAI,GAAG,GAAG;AACzE,aAAK,IAAI,GAAG;AACZ,gBAAQ,KAAK;UACX;UACA,QAAQ;UACR,SAAS,MAAM,CAAC;QAClB,CAAC;MACH;IACF;AAIA,UAAM,gBAAgB;AACtB,YAAQ,QAAQ,cAAc,KAAK,IAAI,OAAO,MAAM;AAClD,YAAM,MAAM,MAAM,CAAC,GAAG,KAAK;AAE3B,UAAI,QAAQ,IAAI,WAAW,SAAS,KAAK,IAAI,WAAW,UAAU,MAAM,CAAC,KAAK,IAAI,GAAG,GAAG;AACtF,aAAK,IAAI,GAAG;AACZ,gBAAQ,KAAK;UACX;UACA,QAAQ;UACR,SAAS,MAAM,CAAC;QAClB,CAAC;MACH;IACF;EACF;AAGA,MAAI,aAAa;AAEf,UAAM,kBAAkB;AACxB,QAAI;AAEJ,YAAQ,QAAQ,gBAAgB,KAAK,IAAI,OAAO,MAAM;AACpD,YAAM,MAAM,MAAM,CAAC,GAAG,KAAK;AAC3B,UAAI,OAAO,CAAC,KAAK,IAAI,GAAG,GAAG;AACzB,aAAK,IAAI,GAAG;AACZ,gBAAQ,KAAK;UACX;UACA,QAAQ;UACR,SAAS;QACX,CAAC;MACH;IACF;EACF;AAGA,MAAI,eAAe;AACjB,UAAM,iBAAiB;AACvB,QAAI;AAEJ,YAAQ,QAAQ,eAAe,KAAK,IAAI,OAAO,MAAM;AACnD,YAAM,MAAM,MAAM,CAAC;AACnB,UAAI,CAAC,KAAK,IAAI,GAAG,GAAG;AAClB,aAAK,IAAI,GAAG;AACZ,gBAAQ,KAAK;UACX;UACA,QAAQ;QACV,CAAC;MACH;IACF;EACF;AAEA,SAAO;AACT;AAUO,SAAS,uBAAuB,MAAgC;AACrE,QAAM,MAAM,iBAAiB,MAAM,EAAE,eAAe,MAAM,CAAC;AAC3D,SAAO,IAAI,OAAO,CAAC,QAAQ,gBAAgB,KAAK,IAAI,GAAG,CAAC;AAC1D;AAUO,SAAS,gBAAgB,MAAgC;AAC9D,SAAO,iBAAiB,MAAM;IAC5B,iBAAiB;IACjB,aAAa;IACb,eAAe;EACjB,CAAC;AACH;AAUO,SAAS,YAAY,MAAsB;AAChD,SAAO,iBAAiB,IAAI,EAAE;AAChC;AC/KO,IAAM,sBAA4C;EACvD,iBAAiB;EACjB,gBAAgB;EAChB,gBAAgB,CAAC;EACjB,gBAAgB,CAAC;EACjB,eAAe;AACjB;AAoBO,SAAS,UACd,KACA,SAAqB,CAAC,GACT;AACb,QAAM,SAAS,EAAE,GAAG,qBAAqB,GAAG,OAAO;AAGnD,MAAI;AACJ,MAAI;AACF,aAAS,IAAI,IAAI,GAAG;EACtB,QAAQ;AACN,WAAO,EAAE,MAAM,OAAO,QAAQ,qBAAqB;EACrD;AAGA,MAAI,OAAO,aAAa,SAAS;AAC/B,QAAI,CAAC,OAAO,eAAe;AACzB,aAAO,EAAE,MAAM,OAAO,QAAQ,wBAAwB;IACxD;AACA,WAAO,EAAE,MAAM,KAAK;EACtB;AAEA,MAAI,CAAC,CAAC,SAAS,QAAQ,EAAE,SAAS,OAAO,QAAQ,GAAG;AAClD,WAAO;MACL,MAAM;MACN,QAAQ,aAAa,OAAO,QAAQ;IACtC;EACF;AAEA,QAAM,WAAW,OAAO,SAAS,YAAY;AAG7C,MAAI,OAAO,eAAe,SAAS,GAAG;AACpC,UAAM,YAAY,OAAO,eAAe;MAAK,CAAC,YAC5C,mBAAmB,UAAU,OAAO;IACtC;AACA,QAAI,CAAC,WAAW;AACd,aAAO;QACL,MAAM;QACN,QAAQ,WAAW,QAAQ;MAC7B;IACF;EACF;AAGA,MAAI,OAAO,eAAe,SAAS,GAAG;AACpC,UAAM,YAAY,OAAO,eAAe;MAAK,CAAC,YAC5C,mBAAmB,UAAU,OAAO;IACtC;AACA,QAAI,WAAW;AACb,aAAO;QACL,MAAM;QACN,QAAQ,WAAW,QAAQ;MAC7B;IACF;EACF;AAGA,MAAI,YAAY,QAAQ,KAAK,CAAC,OAAO,gBAAgB;AACnD,WAAO,EAAE,MAAM,OAAO,QAAQ,wBAAwB;EACxD;AAGA,MAAI,YAAY,QAAQ,KAAK,CAAC,OAAO,iBAAiB;AACpD,WAAO,EAAE,MAAM,OAAO,QAAQ,mCAAmC;EACnE;AAEA,SAAO,EAAE,MAAM,KAAK;AACtB;AAUO,SAAS,eAAe,KAAsB;AACnD,SAAO,UAAU,GAAG,EAAE;AACxB;AAYA,SAAS,mBAAmB,QAAgB,SAA0B;AAEpE,MAAI,WAAW,QAAS,QAAO;AAG/B,MAAI,QAAQ,WAAW,IAAI,GAAG;AAC5B,UAAM,SAAS,QAAQ,MAAM,CAAC;AAC9B,WAAO,OAAO,SAAS,MAAM,MAAM;EACrC;AAEA,SAAO;AACT;AAKA,SAAS,YAAY,UAA2B;AAC9C,QAAM,QAAQ,SAAS,YAAY;AAGnC,MAAI,UAAU,eAAe,UAAU,aAAa,MAAM,WAAW,MAAM,GAAG;AAC5E,WAAO;EACT;AAGA,MAAI,UAAU,SAAS,UAAU,SAAS;AACxC,WAAO;EACT;AAEA,SAAO;AACT;AAYA,SAAS,YAAY,UAA2B;AAC9C,QAAM,QAAQ,SAAS,YAAY;AAGnC,QAAM,QAAQ,SAAS,MAAM,GAAG,EAAE,IAAI,MAAM;AAE5C,MACE,MAAM,WAAW,KACjB,MAAM,MAAM,CAAC,MAAM,KAAK,KAAK,KAAK,OAAO,CAAC,MAAM,CAAC,CAAC,GAClD;AACA,UAAM,CAAC,QAAQ,MAAM,IAAI;AAGzB,QAAI,WAAW,GAAI,QAAO;AAG1B,QAAI,WAAW,OAAO,WAAW,UAAa,UAAU,MAAM,UAAU;AACtE,aAAO;AAGT,QAAI,WAAW,OAAO,WAAW,IAAK,QAAO;AAG7C,QAAI,WAAW,OAAO,WAAW,IAAK,QAAO;EAC/C;AAIA,QAAM,kBAAkB,MAAM,QAAQ,YAAY,EAAE;AAEpD,QAAM,eAAe;IACnB;;IACA;;EACF;AAEA,aAAW,WAAW,cAAc;AAClC,QAAI,QAAQ,KAAK,eAAe,GAAG;AACjC,aAAO;IACT;EACF;AAEA,SAAO;AACT;AASO,SAAS,eACd,MACA,QACU;AACV,SAAO,KAAK,OAAO,CAAC,QAAQ,UAAU,KAAK,MAAM,EAAE,IAAI;AACzD;","names":[]}

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@character-foundry/character-foundry",
-  "version": "0.1.6",
+  "version": "0.1.7",
   "description": "Universal TypeScript library for AI character card formats",
   "type": "module",
   "exports": {
@@ -124,6 +124,16 @@
         "default": "./dist/media.cjs"
       }
     },
+    "./image-utils": {
+      "import": {
+        "types": "./dist/image-utils.d.ts",
+        "default": "./dist/image-utils.js"
+      },
+      "require": {
+        "types": "./dist/image-utils.d.cts",
+        "default": "./dist/image-utils.cjs"
+      }
+    },
     "./federation": {
       "import": {
         "types": "./dist/federation.d.ts",
@@ -184,16 +194,17 @@
     "tsup": "^8.5.1",
     "typescript": "^5.3.0",
     "@character-foundry/core": "^0.1.3",
+    "@character-foundry/charx": "^0.0.7",
     "@character-foundry/schemas": "^0.2.2",
     "@character-foundry/png": "^0.0.6",
-    "@character-foundry/charx": "^0.0.7",
-    "@character-foundry/lorebook": "^0.0.3",
-    "@character-foundry/loader": "^0.1.10",
     "@character-foundry/voxta": "^0.1.13",
+    "@character-foundry/lorebook": "^0.0.3",
     "@character-foundry/exporter": "^0.1.4",
     "@character-foundry/normalizer": "^0.1.5",
+    "@character-foundry/loader": "^0.1.10",
     "@character-foundry/tokenizers": "^0.1.3",
     "@character-foundry/media": "^0.1.3",
+    "@character-foundry/image-utils": "^0.1.0",
     "@character-foundry/federation": "^0.5.2",
     "@character-foundry/app-framework": "^0.2.2"
   },