@character-foundry/character-foundry 0.4.2-dev.1765942273 → 0.4.2-dev.1765997746

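--- a/package/dist/charx.cjs
+++ b/package/dist/charx.cjs
@@ -868,36 +868,6 @@ var SAFE_ASSET_TYPES = /* @__PURE__ */ new Set([
  "data",
  "unknown"
  ]);
- var SAFE_EXTENSIONS = /* @__PURE__ */ new Set([
- // Images
- "png",
- "jpg",
- "jpeg",
- "webp",
- "gif",
- "avif",
- "svg",
- "bmp",
- "ico",
- // Audio
- "mp3",
- "wav",
- "ogg",
- "flac",
- "m4a",
- "aac",
- "opus",
- // Video
- "mp4",
- "webm",
- "avi",
- "mov",
- "mkv",
- // Data
- "json",
- "txt",
- "bin"
- ]);
  function getCharxCategory(mimetype) {
  if (mimetype.startsWith("image/")) return "images";
  if (mimetype.startsWith("audio/")) return "audio";
@@ -913,11 +883,20 @@ function sanitizeAssetType(type) {
  return sanitized || "custom";
  }
  function sanitizeExtension(ext) {
- const normalized = ext.replace(/^\./, "").toLowerCase().replace(/[^a-z0-9]/g, "");
- if (SAFE_EXTENSIONS.has(normalized)) {
- return normalized;
+ const normalized = ext.trim().replace(/^\./, "").toLowerCase();
+ if (!normalized) {
+ throw new Error("Invalid asset extension: empty extension");
+ }
+ if (normalized.length > 64) {
+ throw new Error(`Invalid asset extension: too long (${normalized.length} chars)`);
+ }
+ if (normalized.includes("/") || normalized.includes("\\") || normalized.includes("\0")) {
+ throw new Error("Invalid asset extension: path separators are not allowed");
+ }
+ if (!/^[a-z0-9][a-z0-9._-]*$/.test(normalized)) {
+ throw new Error(`Invalid asset extension: "${ext}"`);
  }
- return "bin";
+ return normalized;
  }
  function sanitizeName(name, ext) {
  let safeName = name;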
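Review bot: With SAFE_EXTENSIONS gone, sanitizeExtension validates only the shape of the value: anything matching `^[a-z0-9][a-z0-9._-]*$` is returned, which includes extensions such as `html` or `exe` and compound ones such as `png.html` that the old code collapsed to `bin`. Whether that is a problem depends on what callers do with the result, which is not visible here (sanitizeName begins at the end of the hunk and its body is outside it); if assets are written to disk or served by extension, the type restriction now has to be enforced there. I would at least document this above the function, e.g. `// Validates syntax only, not file type; callers that write or serve assets must apply their own extension allowlist.` The function also throws where it used to fall back to `bin`, so callers parsing untrusted archives need to handle the error, and the last message should interpolate `JSON.stringify(normalized)` rather than the raw `ext` so control characters and untrimmed padding do not reach logs.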