@donotdev/security 0.0.2 → 0.0.4

package/dist/client/HealthMonitor.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"HealthMonitor.d.ts","sourceRoot":"","sources":["../../src/client/HealthMonitor.ts"],"names":[],"mappings":"AAEA;;;;;;;;;;GAUG;AAEH,MAAM,MAAM,YAAY,GAAG,SAAS,GAAG,UAAU,GAAG,WAAW,CAAC;AAEhE,MAAM,WAAW,oBAAoB;IACnC;;OAEG;IACH,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B;;OAEG;IACH,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB;;OAEG;IACH,cAAc,CAAC,EAAE,MAAM,CAAC;CACzB;AAwDD,MAAM,WAAW,mBAAoB,SAAQ,oBAAoB;IAC/D;;;OAGG;IACH,WAAW,CAAC,EAAE,MAAM,CAAC;CACtB;AAED;;;;;;;;;;;;;;;;;;;;;;;;;GAyBG;AACH,qBAAa,aAAa;IACxB,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAiB;IACzC,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAsB;IAC7C,OAAO,CAAC,OAAO,CAA2B;IAC1C;;;;OAIG;IACH,OAAO,CAAC,QAAQ,CAAS;gBAEb,MAAM,GAAE,mBAAwB;IAK5C;;;;OAIG;IACH,OAAO,CAAC,CAAC,EAAE,EAAE,EAAE,MAAM,OAAO,CAAC,CAAC,CAAC,GAAG,MAAM,OAAO,CAAC,CAAC,CAAC;IAuClD,qCAAqC;IACrC,IAAI,MAAM,IAAI,YAAY,CAEzB;IAED;;;OAGG;IACG,aAAa,IAAI,OAAO,CAAC,OAAO,CAAC;CAWxC"}
+{"version":3,"file":"HealthMonitor.d.ts","sourceRoot":"","sources":["../../src/client/HealthMonitor.ts"],"names":[],"mappings":"AAEA;;;;;;;;;;GAUG;AAEH,MAAM,MAAM,YAAY,GAAG,SAAS,GAAG,UAAU,GAAG,WAAW,CAAC;AAEhE,MAAM,WAAW,oBAAoB;IACnC;;OAEG;IACH,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B;;OAEG;IACH,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB;;OAEG;IACH,cAAc,CAAC,EAAE,MAAM,CAAC;CACzB;AA2DD,MAAM,WAAW,mBAAoB,SAAQ,oBAAoB;IAC/D;;;OAGG;IACH,WAAW,CAAC,EAAE,MAAM,CAAC;CACtB;AAED;;;;;;;;;;;;;;;;;;;;;;;;;GAyBG;AACH,qBAAa,aAAa;IACxB,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAiB;IACzC,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAsB;IAC7C,OAAO,CAAC,OAAO,CAA2B;IAC1C;;;;OAIG;IACH,OAAO,CAAC,QAAQ,CAAS;gBAEb,MAAM,GAAE,mBAAwB;IAK5C;;;;OAIG;IACH,OAAO,CAAC,CAAC,EAAE,EAAE,EAAE,MAAM,OAAO,CAAC,CAAC,CAAC,GAAG,MAAM,OAAO,CAAC,CAAC,CAAC;IA2ClD,qCAAqC;IACrC,IAAI,MAAM,IAAI,YAAY,CAEzB;IAED;;;OAGG;IACG,aAAa,IAAI,OAAO,CAAC,OAAO,CAAC;CAWxC"}

package/dist/client/index.d.ts

@@ -1,6 +1,6 @@
 export { HealthMonitor } from './HealthMonitor';
-export type { HealthMonitorConfig, HealthStatus, CircuitBreakerConfig } from './HealthMonitor';
-export type { SecurityContext, AuditEvent, AuditEventType } from '../common/SecurityConfig';
+export type { HealthMonitorConfig, HealthStatus, CircuitBreakerConfig, } from './HealthMonitor';
+export type { SecurityContext, AuditEvent, AuditEventType, } from '../common/SecurityConfig';
 export { AuthHardening } from '../common/AuthHardening';
-export type { AuthHardeningConfig, LockoutResult } from '../common/AuthHardening';
+export type { AuthHardeningConfig, LockoutResult, } from '../common/AuthHardening';
 //# sourceMappingURL=index.d.ts.map

package/dist/client/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/client/index.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,aAAa,EAAE,MAAM,iBAAiB,CAAC;AAChD,YAAY,EAAE,mBAAmB,EAAE,YAAY,EAAE,oBAAoB,EAAE,MAAM,iBAAiB,CAAC;AAG/F,YAAY,EAAE,eAAe,EAAE,UAAU,EAAE,cAAc,EAAE,MAAM,0BAA0B,CAAC;AAG5F,OAAO,EAAE,aAAa,EAAE,MAAM,yBAAyB,CAAC;AACxD,YAAY,EAAE,mBAAmB,EAAE,aAAa,EAAE,MAAM,yBAAyB,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/client/index.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,aAAa,EAAE,MAAM,iBAAiB,CAAC;AAChD,YAAY,EACV,mBAAmB,EACnB,YAAY,EACZ,oBAAoB,GACrB,MAAM,iBAAiB,CAAC;AAGzB,YAAY,EACV,eAAe,EACf,UAAU,EACV,cAAc,GACf,MAAM,0BAA0B,CAAC;AAGlC,OAAO,EAAE,aAAa,EAAE,MAAM,yBAAyB,CAAC;AACxD,YAAY,EACV,mBAAmB,EACnB,aAAa,GACd,MAAM,yBAAyB,CAAC"}

package/dist/client/index.js

@@ -1 +1 @@
-import{HealthMonitor as o}from"./HealthMonitor";import{AuthHardening as t}from"../common/AuthHardening";export{t as AuthHardening,o as HealthMonitor};
+import{HealthMonitor as t}from"./HealthMonitor";import{AuthHardening as n}from"../common/AuthHardening";export{n as AuthHardening,t as HealthMonitor};

package/dist/common/SecurityConfig.d.ts

@@ -7,5 +7,5 @@
  * @since 0.0.1
  * @author AMBROISE PARK Consulting
  */
-export type { AuditEventType, AuditEvent, SecurityContext, AuthHardeningContext, ServerRateLimitConfig, ServerRateLimitResult, RateLimitBackend } from '@donotdev/core';
+export type { AuditEventType, AuditEvent, SecurityContext, AuthHardeningContext, ServerRateLimitConfig, ServerRateLimitResult, RateLimitBackend, } from '@donotdev/core';
 //# sourceMappingURL=SecurityConfig.d.ts.map

package/dist/common/SecurityConfig.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"SecurityConfig.d.ts","sourceRoot":"","sources":["../../src/common/SecurityConfig.ts"],"names":[],"mappings":"AAEA;;;;;;;;GAQG;AAEH,YAAY,EAAE,cAAc,EAAE,UAAU,EAAE,eAAe,EAAE,oBAAoB,EAAE,qBAAqB,EAAE,qBAAqB,EAAE,gBAAgB,EAAE,MAAM,gBAAgB,CAAC"}
+{"version":3,"file":"SecurityConfig.d.ts","sourceRoot":"","sources":["../../src/common/SecurityConfig.ts"],"names":[],"mappings":"AAEA;;;;;;;;GAQG;AAEH,YAAY,EACV,cAAc,EACd,UAAU,EACV,eAAe,EACf,oBAAoB,EACpB,qBAAqB,EACrB,qBAAqB,EACrB,gBAAgB,GACjB,MAAM,gBAAgB,CAAC"}

package/dist/common/index.d.ts

@@ -1,2 +1,2 @@
-export type { AuditEventType, AuditEvent, SecurityContext } from './SecurityConfig';
+export type { AuditEventType, AuditEvent, SecurityContext, } from './SecurityConfig';
 //# sourceMappingURL=index.d.ts.map

package/dist/common/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/common/index.ts"],"names":[],"mappings":"AAEA,YAAY,EAAE,cAAc,EAAE,UAAU,EAAE,eAAe,EAAE,MAAM,kBAAkB,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/common/index.ts"],"names":[],"mappings":"AAEA,YAAY,EACV,cAAc,EACd,UAAU,EACV,eAAe,GAChB,MAAM,kBAAkB,CAAC"}

package/dist/index.d.ts

@@ -1,6 +1,6 @@
 export { HealthMonitor } from './client/HealthMonitor';
-export type { HealthMonitorConfig, HealthStatus, CircuitBreakerConfig } from './client/HealthMonitor';
-export type { SecurityContext, AuditEvent, AuditEventType } from './common/SecurityConfig';
+export type { HealthMonitorConfig, HealthStatus, CircuitBreakerConfig, } from './client/HealthMonitor';
+export type { SecurityContext, AuditEvent, AuditEventType, } from './common/SecurityConfig';
 export { AuthHardening } from './common/AuthHardening';
-export type { AuthHardeningConfig, LockoutResult } from './common/AuthHardening';
+export type { AuthHardeningConfig, LockoutResult, } from './common/AuthHardening';
 //# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAGA,OAAO,EAAE,aAAa,EAAE,MAAM,wBAAwB,CAAC;AACvD,YAAY,EAAE,mBAAmB,EAAE,YAAY,EAAE,oBAAoB,EAAE,MAAM,wBAAwB,CAAC;AAEtG,YAAY,EAAE,eAAe,EAAE,UAAU,EAAE,cAAc,EAAE,MAAM,yBAAyB,CAAC;AAG3F,OAAO,EAAE,aAAa,EAAE,MAAM,wBAAwB,CAAC;AACvD,YAAY,EAAE,mBAAmB,EAAE,aAAa,EAAE,MAAM,wBAAwB,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAGA,OAAO,EAAE,aAAa,EAAE,MAAM,wBAAwB,CAAC;AACvD,YAAY,EACV,mBAAmB,EACnB,YAAY,EACZ,oBAAoB,GACrB,MAAM,wBAAwB,CAAC;AAEhC,YAAY,EACV,eAAe,EACf,UAAU,EACV,cAAc,GACf,MAAM,yBAAyB,CAAC;AAGjC,OAAO,EAAE,aAAa,EAAE,MAAM,wBAAwB,CAAC;AACvD,YAAY,EACV,mBAAmB,EACnB,aAAa,GACd,MAAM,wBAAwB,CAAC"}

package/dist/index.js

@@ -1 +1 @@
-import{HealthMonitor as o}from"./client/HealthMonitor";import{AuthHardening as t}from"./common/AuthHardening";export{t as AuthHardening,o as HealthMonitor};
+import{HealthMonitor as t}from"./client/HealthMonitor";import{AuthHardening as n}from"./common/AuthHardening";export{n as AuthHardening,t as HealthMonitor};

package/dist/server/AnomalyDetector.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"AnomalyDetector.d.ts","sourceRoot":"","sources":["../../src/server/AnomalyDetector.ts"],"names":[],"mappings":"AAEA;;;;;;;;GAQG;AAEH,MAAM,MAAM,WAAW,GACnB,eAAe,GACf,cAAc,GACd,YAAY,GACZ,cAAc,GACd,qBAAqB,CAAC;AAE1B,MAAM,WAAW,iBAAiB;IAChC;;;OAGG;IACH,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB;;;OAGG;IACH,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB;;;OAGG;IACH,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB;;;OAGG;IACH,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB;;;;;OAKG;IACH,iBAAiB,CAAC,EAAE,MAAM,CAAC;IAC3B;;;OAGG;IACH,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAED;;;;;GAKG;AACH,MAAM,MAAM,cAAc,GAAG,CAAC,IAAI,EAAE,WAAW,EAAE,KAAK,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,MAAM,KAAK,IAAI,CAAC;AA8BzF,qBAAa,eAAe;IAC1B,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAmC;IAC5D,OAAO,CAAC,QAAQ,CAAC,UAAU,CAA8B;IACzD,OAAO,CAAC,QAAQ,CAAC,SAAS,CAAiB;gBAE/B,UAAU,GAAE,iBAAsB,EAAE,SAAS,CAAC,EAAE,cAAc;IA0B1E;;;;OAIG;IACH,MAAM,CAAC,IAAI,EAAE,WAAW,EAAE,MAAM,CAAC,EAAE,MAAM,GAAG,IAAI;IA4BhD,OAAO,CAAC,YAAY;IAUpB,OAAO,CAAC,aAAa;IAQrB,8DAA8D;IAC9D,QAAQ,CAAC,IAAI,EAAE,WAAW,EAAE,MAAM,CAAC,EAAE,MAAM,GAAG,MAAM;CAOrD"}
+{"version":3,"file":"AnomalyDetector.d.ts","sourceRoot":"","sources":["../../src/server/AnomalyDetector.ts"],"names":[],"mappings":"AAEA;;;;;;;;GAQG;AAEH,MAAM,MAAM,WAAW,GACnB,eAAe,GACf,cAAc,GACd,YAAY,GACZ,cAAc,GACd,qBAAqB,CAAC;AAE1B,MAAM,WAAW,iBAAiB;IAChC;;;OAGG;IACH,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB;;;OAGG;IACH,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB;;;OAGG;IACH,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB;;;OAGG;IACH,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB;;;;;OAKG;IACH,iBAAiB,CAAC,EAAE,MAAM,CAAC;IAC3B;;;OAGG;IACH,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAED;;;;;GAKG;AACH,MAAM,MAAM,cAAc,GAAG,CAC3B,IAAI,EAAE,WAAW,EACjB,KAAK,EAAE,MAAM,EACb,MAAM,CAAC,EAAE,MAAM,KACZ,IAAI,CAAC;AA8BV,qBAAa,eAAe;IAC1B,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAmC;IAC5D,OAAO,CAAC,QAAQ,CAAC,UAAU,CAA8B;IACzD,OAAO,CAAC,QAAQ,CAAC,SAAS,CAAiB;gBAE/B,UAAU,GAAE,iBAAsB,EAAE,SAAS,CAAC,EAAE,cAAc;IA4B1E;;;;OAIG;IACH,MAAM,CAAC,IAAI,EAAE,WAAW,EAAE,MAAM,CAAC,EAAE,MAAM,GAAG,IAAI;IA4BhD,OAAO,CAAC,YAAY;IAepB,OAAO,CAAC,aAAa;IAQrB,8DAA8D;IAC9D,QAAQ,CAAC,IAAI,EAAE,WAAW,EAAE,MAAM,CAAC,EAAE,MAAM,GAAG,MAAM;CAOrD"}

package/dist/server/AnomalyDetector.js

@@ -1,2 +1,2 @@
-const l=1e4;class i{counters=new Map;thresholds;onAnomaly;constructor(t={},r){this.thresholds={authFailures:t.authFailures??10,bulkDeletes:t.bulkDeletes??50,bulkReads:t.bulkReads??1e3,bulkExports:t.bulkExports??5,rateLimitExceeded:t.rateLimitExceeded??10,windowMs:t.windowMs??6e4},this.onAnomaly=r??((s,e,o)=>{process.stderr.write(JSON.stringify({level:"warn",service:"dndev-anomaly",type:"anomaly.detected",anomalyType:s,count:e,userId:o,timestamp:new Date().toISOString()})+`
-`)})}record(t,r){const s=`${t}:${r??"__global__"}`,e=Date.now();!this.counters.has(s)&&this.counters.size>=1e4&&this._evictExpired(e);const o=this.counters.get(s)??{count:0,windowStart:e};e-o.windowStart>this.thresholds.windowMs&&(o.count=0,o.windowStart=e),o.count+=1,this.counters.set(s,o);const n=this.getThreshold(t);o.count===n&&this.onAnomaly(t,o.count,r)}getThreshold(t){switch(t){case"auth.failures":return this.thresholds.authFailures;case"bulk.deletes":return this.thresholds.bulkDeletes;case"bulk.reads":return this.thresholds.bulkReads;case"bulk.exports":return this.thresholds.bulkExports;case"rate_limit.exceeded":return this.thresholds.rateLimitExceeded}}_evictExpired(t){for(const[r,s]of this.counters)t-s.windowStart>this.thresholds.windowMs&&this.counters.delete(r)}getCount(t,r){const s=`${t}:${r??"__global__"}`,e=this.counters.get(s);return!e||Date.now()-e.windowStart>this.thresholds.windowMs?0:e.count}}export{i as AnomalyDetector};
+const c=1e4;class l{counters=new Map;thresholds;onAnomaly;constructor(t={},o){this.thresholds={authFailures:t.authFailures??10,bulkDeletes:t.bulkDeletes??50,bulkReads:t.bulkReads??1e3,bulkExports:t.bulkExports??5,rateLimitExceeded:t.rateLimitExceeded??10,windowMs:t.windowMs??6e4},this.onAnomaly=o??((s,e,n)=>{process.stderr.write(JSON.stringify({level:"warn",service:"dndev-anomaly",type:"anomaly.detected",anomalyType:s,count:e,userId:n,timestamp:new Date().toISOString()})+`
+`)})}record(t,o){const s=`${t}:${o??"__global__"}`,e=Date.now();!this.counters.has(s)&&this.counters.size>=1e4&&this._evictExpired(e);const r=this.counters.get(s)??{count:0,windowStart:e};e-r.windowStart>this.thresholds.windowMs&&(r.count=0,r.windowStart=e),r.count+=1,this.counters.set(s,r);const i=this.getThreshold(t);r.count===i&&this.onAnomaly(t,r.count,o)}getThreshold(t){switch(t){case"auth.failures":return this.thresholds.authFailures;case"bulk.deletes":return this.thresholds.bulkDeletes;case"bulk.reads":return this.thresholds.bulkReads;case"bulk.exports":return this.thresholds.bulkExports;case"rate_limit.exceeded":return this.thresholds.rateLimitExceeded}}_evictExpired(t){for(const[o,s]of this.counters)t-s.windowStart>this.thresholds.windowMs&&this.counters.delete(o)}getCount(t,o){const s=`${t}:${o??"__global__"}`,e=this.counters.get(s);return!e||Date.now()-e.windowStart>this.thresholds.windowMs?0:e.count}}export{l as AnomalyDetector};

package/dist/server/AuditLogger.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"AuditLogger.d.ts","sourceRoot":"","sources":["../../src/server/AuditLogger.ts"],"names":[],"mappings":"AAcA,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,0BAA0B,CAAC;AAE3D,MAAM,WAAW,kBAAkB;IACjC,kCAAkC;IAClC,KAAK,CAAC,EAAE,OAAO,GAAG,MAAM,GAAG,MAAM,GAAG,OAAO,CAAC;IAC5C,+DAA+D;IAC/D,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,iEAAiE;IACjE,KAAK,CAAC,EAAE,CAAC,KAAK,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,KAAK,IAAI,CAAC;CAClD;AAED;;;;;;;;;;;;;;;;GAgBG;AACH,qBAAa,WAAW;IACtB,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAS;IACjC,OAAO,CAAC,QAAQ,CAAC,KAAK,CAA2C;IACjE,OAAO,CAAC,QAAQ,CAAC,KAAK,CAA2C;gBAErD,IAAI,GAAE,kBAAuB;IAqBzC;;;OAGG;IACH,GAAG,CAAC,KAAK,EAAE,IAAI,CAAC,UAAU,EAAE,WAAW,CAAC,GAAG;QAAE,SAAS,CAAC,EAAE,MAAM,CAAA;KAAE,GAAG,IAAI;CAUzE"}
+{"version":3,"file":"AuditLogger.d.ts","sourceRoot":"","sources":["../../src/server/AuditLogger.ts"],"names":[],"mappings":"AAcA,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,0BAA0B,CAAC;AAE3D,MAAM,WAAW,kBAAkB;IACjC,kCAAkC;IAClC,KAAK,CAAC,EAAE,OAAO,GAAG,MAAM,GAAG,MAAM,GAAG,OAAO,CAAC;IAC5C,+DAA+D;IAC/D,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,iEAAiE;IACjE,KAAK,CAAC,EAAE,CAAC,KAAK,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,KAAK,IAAI,CAAC;CAClD;AAED;;;;;;;;;;;;;;;;GAgBG;AACH,qBAAa,WAAW;IACtB,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAS;IACjC,OAAO,CAAC,QAAQ,CAAC,KAAK,CAA2C;IACjE,OAAO,CAAC,QAAQ,CAAC,KAAK,CAA2C;gBAErD,IAAI,GAAE,kBAAuB;IAuBzC;;;OAGG;IACH,GAAG,CAAC,KAAK,EAAE,IAAI,CAAC,UAAU,EAAE,WAAW,CAAC,GAAG;QAAE,SAAS,CAAC,EAAE,MAAM,CAAA;KAAE,GAAG,IAAI;CAUzE"}

package/dist/server/AuditLogger.js

@@ -1,2 +1,2 @@
-import{scrubSecrets as s}from"./SecretValidator";class r{service;level;write;constructor(t={}){this.service=t.service??"dndev",this.level=t.level??"info",this.write=t.write??(e=>{let i;try{i=JSON.stringify(e)}catch{i=JSON.stringify({level:e.level,service:e.service,type:e.type,timestamp:e.timestamp,_serializeError:"Audit entry contained non-serializable values"})}process.stdout.write(i+`
-`)})}log(t){const e=s(t),i={level:this.level,service:this.service,...e,timestamp:e.timestamp??new Date().toISOString()};this.write(i)}}export{r as AuditLogger};
+import{scrubSecrets as s}from"./SecretValidator";class c{service;level;write;constructor(t={}){this.service=t.service??"dndev",this.level=t.level??"info",this.write=t.write??(e=>{let i;try{i=JSON.stringify(e)}catch{i=JSON.stringify({level:e.level,service:e.service,type:e.type,timestamp:e.timestamp,_serializeError:"Audit entry contained non-serializable values"})}process.stdout.write(i+`
+`)})}log(t){const e=s(t),i={level:this.level,service:this.service,...e,timestamp:e.timestamp??new Date().toISOString()};this.write(i)}}export{c as AuditLogger};

package/dist/server/AuthHardening.d.ts

@@ -1,3 +1,3 @@
 export { AuthHardening } from '../common/AuthHardening';
-export type { AuthHardeningConfig, LockoutResult } from '../common/AuthHardening';
+export type { AuthHardeningConfig, LockoutResult, } from '../common/AuthHardening';
 //# sourceMappingURL=AuthHardening.d.ts.map

package/dist/server/AuthHardening.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"AuthHardening.d.ts","sourceRoot":"","sources":["../../src/server/AuthHardening.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,aAAa,EAAE,MAAM,yBAAyB,CAAC;AACxD,YAAY,EAAE,mBAAmB,EAAE,aAAa,EAAE,MAAM,yBAAyB,CAAC"}
+{"version":3,"file":"AuthHardening.d.ts","sourceRoot":"","sources":["../../src/server/AuthHardening.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,aAAa,EAAE,MAAM,yBAAyB,CAAC;AACxD,YAAY,EACV,mBAAmB,EACnB,aAAa,GACd,MAAM,yBAAyB,CAAC"}

package/dist/server/DndevSecurity.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"DndevSecurity.d.ts","sourceRoot":"","sources":["../../src/server/DndevSecurity.ts"],"names":[],"mappings":"AAEA;;;;;;;;;;;GAWG;AAEH,OAAO,EAAE,WAAW,EAAE,MAAM,eAAe,CAAC;AAC5C,OAAO,EAAE,gBAAgB,EAAE,MAAM,eAAe,CAAC;AACjD,OAAO,EAAE,YAAY,EAAE,MAAM,gBAAgB,CAAC;AAC9C,OAAO,EAAE,aAAa,EAAE,MAAM,iBAAiB,CAAC;AAChD,OAAO,EAAE,eAAe,EAAE,MAAM,mBAAmB,CAAC;AACpD,OAAO,EAAE,cAAc,EAAE,MAAM,kBAAkB,CAAC;AAClD,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,eAAe,CAAC;AACxD,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,eAAe,CAAC;AACxD,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,iBAAiB,CAAC;AAC3D,OAAO,KAAK,EAAE,iBAAiB,EAAE,cAAc,EAAe,MAAM,mBAAmB,CAAC;AACxF,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,kBAAkB,CAAC;AACxD,OAAO,KAAK,EAAE,eAAe,EAAE,UAAU,EAAE,oBAAoB,EAAE,gBAAgB,EAAyB,MAAM,0BAA0B,CAAC;AAE3I,MAAM,WAAW,mBAAmB;IAClC;;;;OAIG;IACH,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,wEAAwE;IACxE,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,oEAAoE;IACpE,SAAS,CAAC,EAAE,kBAAkB,CAAC;IAC/B,+EAA+E;IAC/E,IAAI,CAAC,EAAE,mBAAmB,CAAC;IAC3B,6CAA6C;IAC7C,OAAO,CAAC,EAAE,iBAAiB,GAAG;QAAE,SAAS,CAAC,EAAE,cAAc,CAAA;KAAE,CAAC;IAC7D,qDAAqD;IACrD,SAAS,CAAC,EAAE,eAAe,EAAE,CAAC;IAC9B,qDAAqD;IACrD,MAAM,CAAC,EAAE,kBAAkB,CAAC;IAC5B;;;;;;;;;;;;OAYG;IACH,gBAAgB,CAAC,EAAE,gBAAgB,CAAC;CACrC;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAwCG;AACH,qBAAa,aAAc,YAAW,eAAe;IACnD,4CAA4C;IAC5C,QAAQ,CAAC,WAAW,EAAE,WAAW,CAAC;IAClC,oFAAoF;IACpF,QAAQ,CAAC,WAAW,EAAE,gBAAgB,CAAC;IACvC,2DAA2D;IAC3D,QAAQ,CAAC,YAAY,EAAE,YAAY,GAAG,IAAI,CAAC;IAC3C;;;;OAIG;IACH,QAAQ,CAAC,aAAa,EAAE,aAAa,GAAG,oBAAoB,CAAC;IAC7D,2DAA2D;IAC3D,QAAQ,CAAC,eAAe,EAAE,eAAe,CAAC;IAC1C,6DAA6D;IAC7D,QAAQ,CAAC,cAAc,EAAE,cAAc,CAAC;IACxC,2FAA2F;IAC3F,OAAO,CAAC,QAAQ,CAAC,iBAAiB,CAAC,CAAmB;IACtD,sFAAsF;IACtF,OAAO,CAAC,QAAQ,CAAC,mBAAmB,CAAwB;IAC5D,OAAO,CAAC,QAAQ,CAAC,kBAAkB,CAAwB;gBAE/C,MAAM,GAAE,mBAAwB;IAkC5C;;OAEG;IACH,KAAK,CAAC,KAAK,EAAE,IAAI,CAAC,UAAU,EAAE,WAAW,CAAC,GAAG,IAAI;IAKjD;;;;;OAKG;IACG,cAAc,CAAC,GAAG,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,GAAG,OAAO,GAAG,OAAO,CAAC,IAAI,CAAC;IAsB7E,gFAAgF;IAChF,UAAU,CAAC,CAAC,SAAS,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAAE,IAAI,EAAE,CAAC,EAAE,SAAS,EAAE,MAAM,EAAE,GAAG,CAAC;IAK9E,8DAA8D;IAC9D,UAAU,CAAC,CAAC,SAAS,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAAE,IAAI,EAAE,CAAC,EAAE,SAAS,EAAE,MAAM,EAAE,GAAG,CAAC;IAK9E;;;OAGG;IACH,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAC,mBAAmB,CAMxC;IAEH,aAAa,CAAC,IAAI,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,MAAM,GAAG,IAAI;CASnD"}
+{"version":3,"file":"DndevSecurity.d.ts","sourceRoot":"","sources":["../../src/server/DndevSecurity.ts"],"names":[],"mappings":"AAEA;;;;;;;;;;;GAWG;AAEH,OAAO,EAAE,WAAW,EAAE,MAAM,eAAe,CAAC;AAC5C,OAAO,EAAE,gBAAgB,EAAE,MAAM,eAAe,CAAC;AACjD,OAAO,EAAE,YAAY,EAAE,MAAM,gBAAgB,CAAC;AAC9C,OAAO,EAAE,aAAa,EAAE,MAAM,iBAAiB,CAAC;AAChD,OAAO,EAAE,eAAe,EAAE,MAAM,mBAAmB,CAAC;AACpD,OAAO,EAAE,cAAc,EAAE,MAAM,kBAAkB,CAAC;AAClD,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,eAAe,CAAC;AACxD,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,eAAe,CAAC;AACxD,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,iBAAiB,CAAC;AAC3D,OAAO,KAAK,EACV,iBAAiB,EACjB,cAAc,EAEf,MAAM,mBAAmB,CAAC;AAC3B,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,kBAAkB,CAAC;AACxD,OAAO,KAAK,EACV,eAAe,EACf,UAAU,EACV,oBAAoB,EACpB,gBAAgB,EAEjB,MAAM,0BAA0B,CAAC;AAElC,MAAM,WAAW,mBAAmB;IAClC;;;;OAIG;IACH,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,wEAAwE;IACxE,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,oEAAoE;IACpE,SAAS,CAAC,EAAE,kBAAkB,CAAC;IAC/B,+EAA+E;IAC/E,IAAI,CAAC,EAAE,mBAAmB,CAAC;IAC3B,6CAA6C;IAC7C,OAAO,CAAC,EAAE,iBAAiB,GAAG;QAAE,SAAS,CAAC,EAAE,cAAc,CAAA;KAAE,CAAC;IAC7D,qDAAqD;IACrD,SAAS,CAAC,EAAE,eAAe,EAAE,CAAC;IAC9B,qDAAqD;IACrD,MAAM,CAAC,EAAE,kBAAkB,CAAC;IAC5B;;;;;;;;;;;;OAYG;IACH,gBAAgB,CAAC,EAAE,gBAAgB,CAAC;CACrC;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAwCG;AACH,qBAAa,aAAc,YAAW,eAAe;IACnD,4CAA4C;IAC5C,QAAQ,CAAC,WAAW,EAAE,WAAW,CAAC;IAClC,oFAAoF;IACpF,QAAQ,CAAC,WAAW,EAAE,gBAAgB,CAAC;IACvC,2DAA2D;IAC3D,QAAQ,CAAC,YAAY,EAAE,YAAY,GAAG,IAAI,CAAC;IAC3C;;;;OAIG;IACH,QAAQ,CAAC,aAAa,EAAE,aAAa,GAAG,oBAAoB,CAAC;IAC7D,2DAA2D;IAC3D,QAAQ,CAAC,eAAe,EAAE,eAAe,CAAC;IAC1C,6DAA6D;IAC7D,QAAQ,CAAC,cAAc,EAAE,cAAc,CAAC;IACxC,2FAA2F;IAC3F,OAAO,CAAC,QAAQ,CAAC,iBAAiB,CAAC,CAAmB;IACtD,sFAAsF;IACtF,OAAO,CAAC,QAAQ,CAAC,mBAAmB,CAAwB;IAC5D,OAAO,CAAC,QAAQ,CAAC,kBAAkB,CAAwB;gBAE/C,MAAM,GAAE,mBAAwB;IAwC5C;;OAEG;IACH,KAAK,CAAC,KAAK,EAAE,IAAI,CAAC,UAAU,EAAE,WAAW,CAAC,GAAG,IAAI;IAKjD;;;;;OAKG;IACG,cAAc,CAClB,GAAG,EAAE,MAAM,EACX,SAAS,EAAE,MAAM,GAAG,OAAO,GAC1B,OAAO,CAAC,IAAI,CAAC;IAuBhB,gFAAgF;IAChF,UAAU,CAAC,CAAC,SAAS,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAC1C,IAAI,EAAE,CAAC,EACP,SAAS,EAAE,MAAM,EAAE,GAClB,CAAC;IAKJ,8DAA8D;IAC9D,UAAU,CAAC,CAAC,SAAS,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAC1C,IAAI,EAAE,CAAC,EACP,SAAS,EAAE,MAAM,EAAE,GAClB,CAAC;IAKJ;;;OAGG;IACH,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAC,mBAAmB,CAOtC;IAEL,aAAa,CAAC,IAAI,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,MAAM,GAAG,IAAI;CASnD"}

package/dist/server/DndevSecurity.js

@@ -1 +1 @@
-import{AuditLogger as o}from"./AuditLogger";import{DndevRateLimiter as c}from"./RateLimiter";import{PiiEncryptor as s}from"./PiiEncryptor";import{AuthHardening as d}from"./AuthHardening";import{AnomalyDetector as m}from"./AnomalyDetector";import{PrivacyManager as p}from"./PrivacyManager";class r{auditLogger;rateLimiter;piiEncryptor;authHardening;anomalyDetector;privacyManager;_rateLimitBackend;_backendWriteConfig;_backendReadConfig;constructor(t={}){if(this.auditLogger=new o(t.logger),this.rateLimiter=new c(t.rateLimit),t.piiSecret&&!t.piiSalt)throw new Error("[dndev/security] DndevSecurity: PII encryption requires both piiSecret and piiSalt configuration. Provide a per-deployment unique salt stored in your secret manager.");this.piiEncryptor=t.piiSecret&&t.piiSalt?new s(t.piiSecret,t.piiSalt):null,this.authHardening=new d(t.auth),this.anomalyDetector=new m(t.anomaly,t.anomaly?.onAnomaly),this.privacyManager=new p(t.retention),this._rateLimitBackend=t.rateLimitBackend;const i=(t.rateLimit?.writes?.durationSeconds??60)*1e3,e=(t.rateLimit?.reads?.durationSeconds??60)*1e3;this._backendWriteConfig={maxAttempts:t.rateLimit?.writes?.points??100,windowMs:i,blockDurationMs:i},this._backendReadConfig={maxAttempts:t.rateLimit?.reads?.points??500,windowMs:e,blockDurationMs:e}}audit(t){this.auditLogger.log(t)}async checkRateLimit(t,i){if(this._rateLimitBackend){const e=i==="write"?this._backendWriteConfig:this._backendReadConfig,a=await this._rateLimitBackend.check(t,e);if(!a.allowed){this.anomalyDetector.record("rate_limit.exceeded",t);const n=a.blockRemainingSeconds??"a few";throw new Error(`Rate limit exceeded. Try again in ${n} seconds.`)}return}try{await this.rateLimiter.check(t,i)}catch(e){throw this.anomalyDetector.record("rate_limit.exceeded",t),e}}encryptPii(t,i){return!this.piiEncryptor||i.length===0?t:this.piiEncryptor.encryptFields(t,i)}decryptPii(t,i){return!this.piiEncryptor||i.length===0?t:this.piiEncryptor.decryptFields(t,i)}static VALID_ANOMALY_TYPES=new Set(["auth.failures","bulk.deletes","bulk.reads","bulk.exports","rate_limit.exceeded"]);recordAnomaly(t,i){if(!r.VALID_ANOMALY_TYPES.has(t))throw new Error(`[dndev/security] DndevSecurity: unknown anomaly type "${t}". Valid types: ${[...r.VALID_ANOMALY_TYPES].join(", ")}`);this.anomalyDetector.record(t,i)}}export{r as DndevSecurity};
+import{AuditLogger as o}from"./AuditLogger";import{DndevRateLimiter as s}from"./RateLimiter";import{PiiEncryptor as c}from"./PiiEncryptor";import{AuthHardening as d}from"./AuthHardening";import{AnomalyDetector as m}from"./AnomalyDetector";import{PrivacyManager as l}from"./PrivacyManager";class i{auditLogger;rateLimiter;piiEncryptor;authHardening;anomalyDetector;privacyManager;_rateLimitBackend;_backendWriteConfig;_backendReadConfig;constructor(t={}){if(this.auditLogger=new o(t.logger),this.rateLimiter=new s(t.rateLimit),t.piiSecret&&!t.piiSalt)throw new Error("[dndev/security] DndevSecurity: PII encryption requires both piiSecret and piiSalt configuration. Provide a per-deployment unique salt stored in your secret manager.");this.piiEncryptor=t.piiSecret&&t.piiSalt?new c(t.piiSecret,t.piiSalt):null,this.authHardening=new d(t.auth),this.anomalyDetector=new m(t.anomaly,t.anomaly?.onAnomaly),this.privacyManager=new l(t.retention),this._rateLimitBackend=t.rateLimitBackend;const e=(t.rateLimit?.writes?.durationSeconds??60)*1e3,r=(t.rateLimit?.reads?.durationSeconds??60)*1e3;this._backendWriteConfig={maxAttempts:t.rateLimit?.writes?.points??100,windowMs:e,blockDurationMs:e},this._backendReadConfig={maxAttempts:t.rateLimit?.reads?.points??500,windowMs:r,blockDurationMs:r}}audit(t){this.auditLogger.log(t)}async checkRateLimit(t,e){if(this._rateLimitBackend){const r=e==="write"?this._backendWriteConfig:this._backendReadConfig,a=await this._rateLimitBackend.check(t,r);if(!a.allowed){this.anomalyDetector.record("rate_limit.exceeded",t);const n=a.blockRemainingSeconds??"a few";throw new Error(`Rate limit exceeded. Try again in ${n} seconds.`)}return}try{await this.rateLimiter.check(t,e)}catch(r){throw this.anomalyDetector.record("rate_limit.exceeded",t),r}}encryptPii(t,e){return!this.piiEncryptor||e.length===0?t:this.piiEncryptor.encryptFields(t,e)}decryptPii(t,e){return!this.piiEncryptor||e.length===0?t:this.piiEncryptor.decryptFields(t,e)}static VALID_ANOMALY_TYPES=new Set(["auth.failures","bulk.deletes","bulk.reads","bulk.exports","rate_limit.exceeded"]);recordAnomaly(t,e){if(!i.VALID_ANOMALY_TYPES.has(t))throw new Error(`[dndev/security] DndevSecurity: unknown anomaly type "${t}". Valid types: ${[...i.VALID_ANOMALY_TYPES].join(", ")}`);this.anomalyDetector.record(t,e)}}export{i as DndevSecurity};

package/dist/server/PiiEncryptor.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"PiiEncryptor.d.ts","sourceRoot":"","sources":["../../src/server/PiiEncryptor.ts"],"names":[],"mappings":"AAmCA;;;;;;;;;;;;;;;;;;;;;;;;;;GA0BG;AACH,qBAAa,YAAY;IACvB,OAAO,CAAC,QAAQ,CAAC,GAAG,CAAS;IAE7B;;;;;OAKG;gBACS,MAAM,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM;IAexC;;;OAGG;IACH,OAAO,CAAC,SAAS,EAAE,MAAM,GAAG,MAAM;IAWlC;;;;OAIG;IACH,OAAO,CAAC,UAAU,EAAE,MAAM,GAAG,MAAM;IA8BnC;;;OAGG;IACH,aAAa,CAAC,CAAC,SAAS,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAAE,IAAI,EAAE,CAAC,EAAE,SAAS,EAAE,MAAM,EAAE,GAAG,CAAC;IAYjF;;;;OAIG;IACH,OAAO,CAAC,WAAW;IAgBnB,gFAAgF;IAChF,OAAO,IAAI,IAAI;IAIf,iDAAiD;IACjD,CAAC,MAAM,CAAC,OAAO,CAAC,IAAI,IAAI;IAIxB;;;;OAIG;IACH,aAAa,CAAC,CAAC,SAAS,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAAE,IAAI,EAAE,CAAC,EAAE,SAAS,EAAE,MAAM,EAAE,GAAG,CAAC;CAYlF"}
+{"version":3,"file":"PiiEncryptor.d.ts","sourceRoot":"","sources":["../../src/server/PiiEncryptor.ts"],"names":[],"mappings":"AAmCA;;;;;;;;;;;;;;;;;;;;;;;;;;GA0BG;AACH,qBAAa,YAAY;IACvB,OAAO,CAAC,QAAQ,CAAC,GAAG,CAAS;IAE7B;;;;;OAKG;gBACS,MAAM,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM;IAiBxC;;;OAGG;IACH,OAAO,CAAC,SAAS,EAAE,MAAM,GAAG,MAAM;IAWlC;;;;OAIG;IACH,OAAO,CAAC,UAAU,EAAE,MAAM,GAAG,MAAM;IAgCnC;;;OAGG;IACH,aAAa,CAAC,CAAC,SAAS,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAC7C,IAAI,EAAE,CAAC,EACP,SAAS,EAAE,MAAM,EAAE,GAClB,CAAC;IAYJ;;;;OAIG;IACH,OAAO,CAAC,WAAW;IAgBnB,gFAAgF;IAChF,OAAO,IAAI,IAAI;IAIf,iDAAiD;IACjD,CAAC,MAAM,CAAC,OAAO,CAAC,IAAI,IAAI;IAIxB;;;;OAIG;IACH,aAAa,CAAC,CAAC,SAAS,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAC7C,IAAI,EAAE,CAAC,EACP,SAAS,EAAE,MAAM,EAAE,GAClB,CAAC;CAYL"}

package/dist/server/PiiEncryptor.js

@@ -1 +1 @@
-import{createCipheriv as l,createDecipheriv as u,randomBytes as y,scryptSync as g}from"node:crypto";const f="aes-256-gcm",m=32,i=12,d=16,o="dnpii1:";class E{key;constructor(t,e){if(!t||t.length<32)throw new Error("[dndev/security] PiiEncryptor: secret must be at least 32 characters");if(!e||e.length<8)throw new Error("[dndev/security] PiiEncryptor: salt is required and must be at least 8 characters. Use a per-deployment secret stored in your secret manager \u2014 never a hard-coded value.");this.key=g(t,e,m,{N:65536,r:8,p:1})}encrypt(t){const e=y(i),r=l(f,this.key,e),s=Buffer.concat([r.update(t,"utf8"),r.final()]),n=r.getAuthTag();return`${o}${e.toString("hex")}:${n.toString("hex")}:${s.toString("hex")}`}decrypt(t){const e=(t.startsWith(o)?t.slice(o.length):t).split(":");if(e.length!==3)throw new Error("[dndev/security] PiiEncryptor: invalid ciphertext format");const[r,s,n]=e,c=Buffer.from(r,"hex"),h=Buffer.from(s,"hex"),p=Buffer.from(n,"hex");if(c.length!==i)throw new Error(`[dndev/security] PiiEncryptor: invalid IV length ${c.length}, expected ${i}`);if(h.length!==d)throw new Error(`[dndev/security] PiiEncryptor: invalid auth tag length ${h.length}, expected ${d}`);const a=u(f,this.key,c);return a.setAuthTag(h),a.update(p).toString("utf8")+a.final("utf8")}encryptFields(t,e){if(e.length===0)return t;const r={...t};for(const s of e){const n=r[s];typeof n=="string"&&(r[s]=this.encrypt(n))}return r}isEncrypted(t){if(t.startsWith(o))return!0;const e=t.split(":");if(e.length!==3)return!1;const[r,s]=e,n=/^[0-9a-f]+$/i;return r.length===i*2&&s.length===d*2&&n.test(r)&&n.test(s)}dispose(){this.key.fill(0)}[Symbol.dispose](){this.dispose()}decryptFields(t,e){if(e.length===0)return t;const r={...t};for(const s of e){const n=r[s];typeof n=="string"&&this.isEncrypted(n)&&(r[s]=this.decrypt(n))}return r}}export{E as PiiEncryptor};
+import{createCipheriv as y,createDecipheriv as u,randomBytes as g,scryptSync as E}from"node:crypto";const d="aes-256-gcm",v=32,i=12,a=16,o="dnpii1:";class w{key;constructor(t,r){if(!t||t.length<32)throw new Error("[dndev/security] PiiEncryptor: secret must be at least 32 characters");if(!r||r.length<8)throw new Error("[dndev/security] PiiEncryptor: salt is required and must be at least 8 characters. Use a per-deployment secret stored in your secret manager \u2014 never a hard-coded value.");this.key=E(t,r,v,{N:65536,r:8,p:1})}encrypt(t){const r=g(i),e=y(d,this.key,r),s=Buffer.concat([e.update(t,"utf8"),e.final()]),n=e.getAuthTag();return`${o}${r.toString("hex")}:${n.toString("hex")}:${s.toString("hex")}`}decrypt(t){const e=(t.startsWith(o)?t.slice(o.length):t).split(":");if(e.length!==3)throw new Error("[dndev/security] PiiEncryptor: invalid ciphertext format");const[s,n,l]=e,c=Buffer.from(s,"hex"),h=Buffer.from(n,"hex"),p=Buffer.from(l,"hex");if(c.length!==i)throw new Error(`[dndev/security] PiiEncryptor: invalid IV length ${c.length}, expected ${i}`);if(h.length!==a)throw new Error(`[dndev/security] PiiEncryptor: invalid auth tag length ${h.length}, expected ${a}`);const f=u(d,this.key,c);return f.setAuthTag(h),f.update(p).toString("utf8")+f.final("utf8")}encryptFields(t,r){if(r.length===0)return t;const e={...t};for(const s of r){const n=e[s];typeof n=="string"&&(e[s]=this.encrypt(n))}return e}isEncrypted(t){if(t.startsWith(o))return!0;const r=t.split(":");if(r.length!==3)return!1;const[e,s]=r,n=/^[0-9a-f]+$/i;return e.length===i*2&&s.length===a*2&&n.test(e)&&n.test(s)}dispose(){this.key.fill(0)}[Symbol.dispose](){this.dispose()}decryptFields(t,r){if(r.length===0)return t;const e={...t};for(const s of r){const n=e[s];typeof n=="string"&&this.isEncrypted(n)&&(e[s]=this.decrypt(n))}return e}}export{w as PiiEncryptor};

package/dist/server/PrivacyManager.js

@@ -1 +1 @@
-class c{policies;constructor(e=[]){this.policies=e}async eraseUser(e){if(e.collections.length===0)throw new Error("[dndev/security] eraseUser: collections array is empty. Provide at least one collection to erase user data from. A no-op erasure silently violates GDPR Art. 17.");const r=[],t=[];for(const s of e.collections)try{await e.deleteUserData(s,e.userId),r.push(s)}catch(o){t.push({collection:s,message:o instanceof Error?o.message:String(o)})}return{erased:r,errors:t}}shouldPurge(e,r){const t=this.policies.find(n=>n.collection===e);if(!t||t.days===0)return!1;if(!r)throw new Error(`[dndev/security] shouldPurge: missing dateIso for collection "${e}". Expected ISO 8601 string. Cannot determine if document should be purged.`);const s=new Date(r).getTime();if(isNaN(s))throw new Error(`[dndev/security] shouldPurge: invalid dateIso "${r}" for collection "${e}". Expected ISO 8601 string. Cannot determine if document should be purged.`);const o=Date.now()-s,i=t.days*24*60*60*1e3;return o>i}getPolicies(){return this.policies}}export{c as PrivacyManager};
+class a{policies;constructor(e=[]){this.policies=e}async eraseUser(e){if(e.collections.length===0)throw new Error("[dndev/security] eraseUser: collections array is empty. Provide at least one collection to erase user data from. A no-op erasure silently violates GDPR Art. 17.");const r=[],s=[];for(const o of e.collections)try{await e.deleteUserData(o,e.userId),r.push(o)}catch(t){s.push({collection:o,message:t instanceof Error?t.message:String(t)})}return{erased:r,errors:s}}shouldPurge(e,r){const s=this.policies.find(n=>n.collection===e);if(!s||s.days===0)return!1;if(!r)throw new Error(`[dndev/security] shouldPurge: missing dateIso for collection "${e}". Expected ISO 8601 string. Cannot determine if document should be purged.`);const o=new Date(r).getTime();if(isNaN(o))throw new Error(`[dndev/security] shouldPurge: invalid dateIso "${r}" for collection "${e}". Expected ISO 8601 string. Cannot determine if document should be purged.`);const t=Date.now()-o,i=s.days*24*60*60*1e3;return t>i}getPolicies(){return this.policies}}export{a as PrivacyManager};

package/dist/server/RateLimiter.js

@@ -1 +1 @@
-const d=1e4;class o{store=new Map;async increment(t,s){const e=Date.now(),i=this.store.get(t);return!i||e-i.windowStart>s?(!i&&this.store.size>=1e4&&this._evictExpired(e),this.store.set(t,{count:1,windowStart:e,windowMs:s}),1):(i.count+=1,i.count)}async reset(t){this.store.delete(t)}_evictExpired(t){for(const[s,e]of this.store)t-e.windowStart>e.windowMs&&this.store.delete(s)}}class a{backend;writes;reads;constructor(t={}){this.backend=t.backend??new o,this.writes={points:t.writes?.points??100,durationSeconds:t.writes?.durationSeconds??60},this.reads={points:t.reads?.points??500,durationSeconds:t.reads?.durationSeconds??60}}async check(t,s){const e=s==="write"?this.writes:this.reads,i=e.durationSeconds*1e3,n=await this.backend.increment(`${s}:${t}`,i);if(n>e.points)throw new Error(`Rate limit exceeded: ${n}/${e.points} ${s} requests in ${e.durationSeconds}s`)}}export{a as DndevRateLimiter,o as MemoryRateLimitStorageBackend};
+const c=1e4;class o{store=new Map;async increment(t,s){const e=Date.now(),n=this.store.get(t);return!n||e-n.windowStart>s?(!n&&this.store.size>=1e4&&this._evictExpired(e),this.store.set(t,{count:1,windowStart:e,windowMs:s}),1):(n.count+=1,n.count)}async reset(t){this.store.delete(t)}_evictExpired(t){for(const[s,e]of this.store)t-e.windowStart>e.windowMs&&this.store.delete(s)}}class d{backend;writes;reads;constructor(t={}){this.backend=t.backend??new o,this.writes={points:t.writes?.points??100,durationSeconds:t.writes?.durationSeconds??60},this.reads={points:t.reads?.points??500,durationSeconds:t.reads?.durationSeconds??60}}async check(t,s){const e=s==="write"?this.writes:this.reads,n=e.durationSeconds*1e3,i=await this.backend.increment(`${s}:${t}`,n);if(i>e.points)throw new Error(`Rate limit exceeded: ${i}/${e.points} ${s} requests in ${e.durationSeconds}s`)}}export{d as DndevRateLimiter,o as MemoryRateLimitStorageBackend};

package/dist/server/SecretValidator.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"SecretValidator.d.ts","sourceRoot":"","sources":["../../src/server/SecretValidator.ts"],"names":[],"mappings":"AAqCA;;;;;;;;;;;GAWG;AACH,wBAAgB,YAAY,CAAC,KAAK,EAAE,OAAO,GAAG,OAAO,CAsBpD;AAED;;;;;;;;;;GAUG;AACH,wBAAgB,eAAe,CAAC,GAAG,EAAE,OAAO,EAAE,OAAO,EAAE,MAAM,GAAG,IAAI,CAmBnE"}
+{"version":3,"file":"SecretValidator.d.ts","sourceRoot":"","sources":["../../src/server/SecretValidator.ts"],"names":[],"mappings":"AAsCA;;;;;;;;;;;GAWG;AACH,wBAAgB,YAAY,CAAC,KAAK,EAAE,OAAO,GAAG,OAAO,CAwBpD;AAED;;;;;;;;;;GAUG;AACH,wBAAgB,eAAe,CAAC,GAAG,EAAE,OAAO,EAAE,OAAO,EAAE,MAAM,GAAG,IAAI,CAmBnE"}

package/dist/server/SecretValidator.js

@@ -1 +1 @@
-const i=[/password\s*[:=]\s*\S+/gi,/secret\s*[:=]\s*\S+/gi,/api[_-]?key\s*[:=]\s*\S+/gi,/token\s*[:=]\s*\S+/gi,/bearer\s+[A-Za-z0-9\-._~+/]+=*/gi,/-----BEGIN .+?-----/g,/sk_live_[A-Za-z0-9]+/g,/sk_test_[A-Za-z0-9]+/g,/ghp_[A-Za-z0-9]{36,}/g,/gho_[A-Za-z0-9]{36,}/g,/AKIA[A-Z0-9]{16}/g,/xox[bpsa]-[A-Za-z0-9\-]+/g,/glpat-[A-Za-z0-9\-_]{20,}/g],n=/password|passwd|secret|token|apikey|api_key|credential|private_key|access_key|\bauth\b/i;function a(e){if(typeof e=="string"){let t=e;for(const r of i)t=t.replace(r,"[REDACTED]");return t}if(Array.isArray(e))return e.map(a);if(e!==null&&typeof e=="object"){const t={};for(const[r,s]of Object.entries(e))t[r]=n.test(r)?"[REDACTED]":a(s);return t}return e}function o(e,t){let r,s;try{s=JSON.stringify(e),r=JSON.stringify(a(e))}catch{throw new Error(`[dndev/security] assertNoSecrets: cannot serialize value in "${t}". Non-serializable values cannot be verified for secrets. Audit the object manually.`)}if(r!==s)throw new Error(`[dndev/security] Secret detected in ${t}. Aborting to prevent credential leak.`)}export{o as assertNoSecrets,a as scrubSecrets};
+const n=[/password\s*[:=]\s*\S+/gi,/secret\s*[:=]\s*\S+/gi,/api[_-]?key\s*[:=]\s*\S+/gi,/token\s*[:=]\s*\S+/gi,/bearer\s+[A-Za-z0-9\-._~+/]+=*/gi,/-----BEGIN .+?-----/g,/sk_live_[A-Za-z0-9]+/g,/sk_test_[A-Za-z0-9]+/g,/ghp_[A-Za-z0-9]{36,}/g,/gho_[A-Za-z0-9]{36,}/g,/AKIA[A-Z0-9]{16}/g,/xox[bpsa]-[A-Za-z0-9\-]+/g,/glpat-[A-Za-z0-9\-_]{20,}/g],a=/password|passwd|secret|token|apikey|api_key|credential|private_key|access_key|\bauth\b/i;function i(e){if(typeof e=="string"){let t=e;for(const r of n)t=t.replace(r,"[REDACTED]");return t}if(Array.isArray(e))return e.map(i);if(e!==null&&typeof e=="object"){const t={};for(const[r,s]of Object.entries(e))t[r]=a.test(r)?"[REDACTED]":i(s);return t}return e}function o(e,t){let r,s;try{s=JSON.stringify(e),r=JSON.stringify(i(e))}catch{throw new Error(`[dndev/security] assertNoSecrets: cannot serialize value in "${t}". Non-serializable values cannot be verified for secrets. Audit the object manually.`)}if(r!==s)throw new Error(`[dndev/security] Secret detected in ${t}. Aborting to prevent credential leak.`)}export{o as assertNoSecrets,i as scrubSecrets};

package/dist/server/index.d.ts

@@ -1,16 +1,16 @@
 export { AuditLogger } from './AuditLogger';
 export type { AuditLoggerOptions } from './AuditLogger';
 export { DndevRateLimiter, MemoryRateLimitStorageBackend } from './RateLimiter';
-export type { RateLimitStorageBackend, RateLimiterOptions, RateLimitWindow } from './RateLimiter';
+export type { RateLimitStorageBackend, RateLimiterOptions, RateLimitWindow, } from './RateLimiter';
 export { PiiEncryptor } from './PiiEncryptor';
 export { AuthHardening } from './AuthHardening';
 export type { AuthHardeningConfig, LockoutResult } from './AuthHardening';
 export { AnomalyDetector } from './AnomalyDetector';
-export type { AnomalyThresholds, AnomalyHandler, AnomalyType } from './AnomalyDetector';
+export type { AnomalyThresholds, AnomalyHandler, AnomalyType, } from './AnomalyDetector';
 export { PrivacyManager } from './PrivacyManager';
-export type { RetentionPolicy, ErasureRequest, ErasureResult } from './PrivacyManager';
+export type { RetentionPolicy, ErasureRequest, ErasureResult, } from './PrivacyManager';
 export { scrubSecrets, assertNoSecrets } from './SecretValidator';
 export { DndevSecurity } from './DndevSecurity';
 export type { DndevSecurityConfig } from './DndevSecurity';
-export type { SecurityContext, AuditEvent, AuditEventType, RateLimitBackend, ServerRateLimitConfig, ServerRateLimitResult, AuthHardeningContext } from '../common/SecurityConfig';
+export type { SecurityContext, AuditEvent, AuditEventType, RateLimitBackend, ServerRateLimitConfig, ServerRateLimitResult, AuthHardeningContext, } from '../common/SecurityConfig';
 //# sourceMappingURL=index.d.ts.map

package/dist/server/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/server/index.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,WAAW,EAAE,MAAM,eAAe,CAAC;AAC5C,YAAY,EAAE,kBAAkB,EAAE,MAAM,eAAe,CAAC;AAExD,OAAO,EAAE,gBAAgB,EAAE,6BAA6B,EAAE,MAAM,eAAe,CAAC;AAChF,YAAY,EAAE,uBAAuB,EAAE,kBAAkB,EAAE,eAAe,EAAE,MAAM,eAAe,CAAC;AAElG,OAAO,EAAE,YAAY,EAAE,MAAM,gBAAgB,CAAC;AAE9C,OAAO,EAAE,aAAa,EAAE,MAAM,iBAAiB,CAAC;AAChD,YAAY,EAAE,mBAAmB,EAAE,aAAa,EAAE,MAAM,iBAAiB,CAAC;AAE1E,OAAO,EAAE,eAAe,EAAE,MAAM,mBAAmB,CAAC;AACpD,YAAY,EAAE,iBAAiB,EAAE,cAAc,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAC;AAExF,OAAO,EAAE,cAAc,EAAE,MAAM,kBAAkB,CAAC;AAClD,YAAY,EAAE,eAAe,EAAE,cAAc,EAAE,aAAa,EAAE,MAAM,kBAAkB,CAAC;AAEvF,OAAO,EAAE,YAAY,EAAE,eAAe,EAAE,MAAM,mBAAmB,CAAC;AAElE,OAAO,EAAE,aAAa,EAAE,MAAM,iBAAiB,CAAC;AAChD,YAAY,EAAE,mBAAmB,EAAE,MAAM,iBAAiB,CAAC;AAG3D,YAAY,EAAE,eAAe,EAAE,UAAU,EAAE,cAAc,EAAE,gBAAgB,EAAE,qBAAqB,EAAE,qBAAqB,EAAE,oBAAoB,EAAE,MAAM,0BAA0B,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/server/index.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,WAAW,EAAE,MAAM,eAAe,CAAC;AAC5C,YAAY,EAAE,kBAAkB,EAAE,MAAM,eAAe,CAAC;AAExD,OAAO,EAAE,gBAAgB,EAAE,6BAA6B,EAAE,MAAM,eAAe,CAAC;AAChF,YAAY,EACV,uBAAuB,EACvB,kBAAkB,EAClB,eAAe,GAChB,MAAM,eAAe,CAAC;AAEvB,OAAO,EAAE,YAAY,EAAE,MAAM,gBAAgB,CAAC;AAE9C,OAAO,EAAE,aAAa,EAAE,MAAM,iBAAiB,CAAC;AAChD,YAAY,EAAE,mBAAmB,EAAE,aAAa,EAAE,MAAM,iBAAiB,CAAC;AAE1E,OAAO,EAAE,eAAe,EAAE,MAAM,mBAAmB,CAAC;AACpD,YAAY,EACV,iBAAiB,EACjB,cAAc,EACd,WAAW,GACZ,MAAM,mBAAmB,CAAC;AAE3B,OAAO,EAAE,cAAc,EAAE,MAAM,kBAAkB,CAAC;AAClD,YAAY,EACV,eAAe,EACf,cAAc,EACd,aAAa,GACd,MAAM,kBAAkB,CAAC;AAE1B,OAAO,EAAE,YAAY,EAAE,eAAe,EAAE,MAAM,mBAAmB,CAAC;AAElE,OAAO,EAAE,aAAa,EAAE,MAAM,iBAAiB,CAAC;AAChD,YAAY,EAAE,mBAAmB,EAAE,MAAM,iBAAiB,CAAC;AAG3D,YAAY,EACV,eAAe,EACf,UAAU,EACV,cAAc,EACd,gBAAgB,EAChB,qBAAqB,EACrB,qBAAqB,EACrB,oBAAoB,GACrB,MAAM,0BAA0B,CAAC"}

package/dist/server/index.js

@@ -1 +1 @@
-import{AuditLogger as r}from"./AuditLogger";import{DndevRateLimiter as a,MemoryRateLimitStorageBackend as e}from"./RateLimiter";import{PiiEncryptor as t}from"./PiiEncryptor";import{AuthHardening as o}from"./AuthHardening";import{AnomalyDetector as s}from"./AnomalyDetector";import{PrivacyManager as i}from"./PrivacyManager";import{scrubSecrets as m,assertNoSecrets as c}from"./SecretValidator";import{DndevSecurity as n}from"./DndevSecurity";export{s as AnomalyDetector,r as AuditLogger,o as AuthHardening,a as DndevRateLimiter,n as DndevSecurity,e as MemoryRateLimitStorageBackend,t as PiiEncryptor,i as PrivacyManager,c as assertNoSecrets,m as scrubSecrets};
+import{AuditLogger as o}from"./AuditLogger";import{DndevRateLimiter as m,MemoryRateLimitStorageBackend as a}from"./RateLimiter";import{PiiEncryptor as p}from"./PiiEncryptor";import{AuthHardening as f}from"./AuthHardening";import{AnomalyDetector as x}from"./AnomalyDetector";import{PrivacyManager as g}from"./PrivacyManager";import{scrubSecrets as y,assertNoSecrets as u}from"./SecretValidator";import{DndevSecurity as v}from"./DndevSecurity";export{x as AnomalyDetector,o as AuditLogger,f as AuthHardening,m as DndevRateLimiter,v as DndevSecurity,a as MemoryRateLimitStorageBackend,p as PiiEncryptor,g as PrivacyManager,u as assertNoSecrets,y as scrubSecrets};

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@donotdev/security",
-  "version": "0.0.2",
+  "version": "0.0.4",
   "private": false,
   "type": "module",
   "license": "SEE LICENSE IN LICENSE.md",
@@ -28,7 +28,7 @@
   },
   "dependencies": {},
   "peerDependencies": {
-    "@donotdev/core": "^0.0.25"
+    "@donotdev/core": "^0.0.27"
   },
   "files": [
     "dist",