@frontmcp/ui 0.5.0

package/src/bundler/sandbox/policy.js

@@ -0,0 +1,238 @@
+"use strict";
+/**
+ * Sandbox Security Policy
+ *
+ * Defines and validates security policies for bundler execution.
+ *
+ * @packageDocumentation
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.SecurityError = void 0;
+exports.validateSource = validateSource;
+exports.validateImports = validateImports;
+exports.validateSize = validateSize;
+exports.mergePolicy = mergePolicy;
+exports.throwOnViolations = throwOnViolations;
+const types_1 = require("../types");
+/**
+ * Patterns that indicate unsafe code.
+ */
+const UNSAFE_PATTERNS = {
+    eval: /\beval\s*\(/g,
+    functionConstructor: /\bnew\s+Function\s*\(/g,
+    dynamicImport: /\bimport\s*\(/g,
+    require: /\brequire\s*\(/g,
+    processEnv: /\bprocess\.env\b/g,
+    globalThis: /\bglobalThis\b/g,
+    windowLocation: /\bwindow\.location\b/g,
+    documentCookie: /\bdocument\.cookie\b/g,
+    innerHTML: /\.innerHTML\s*=/g,
+    outerHTML: /\.outerHTML\s*=/g,
+    document_write: /\bdocument\.write\s*\(/g,
+};
+/**
+ * Validate source code against a security policy.
+ *
+ * @param source - Source code to validate
+ * @param policy - Security policy to enforce
+ * @returns Array of security violations (empty if valid)
+ *
+ * @example
+ * ```typescript
+ * const violations = validateSource(code, DEFAULT_SECURITY_POLICY);
+ * if (violations.length > 0) {
+ *   throw new Error(`Security violations: ${violations.map(v => v.message).join(', ')}`);
+ * }
+ * ```
+ */
+function validateSource(source, policy = types_1.DEFAULT_SECURITY_POLICY) {
+    const violations = [];
+    // Check for eval usage
+    if (policy.noEval !== false) {
+        const evalMatches = [...source.matchAll(UNSAFE_PATTERNS.eval)];
+        for (const match of evalMatches) {
+            violations.push({
+                type: 'eval-usage',
+                message: 'eval() is not allowed for security reasons',
+                location: getLocation(source, match.index ?? 0),
+                value: match[0],
+            });
+        }
+        const fnMatches = [...source.matchAll(UNSAFE_PATTERNS.functionConstructor)];
+        for (const match of fnMatches) {
+            violations.push({
+                type: 'eval-usage',
+                message: 'new Function() is not allowed for security reasons',
+                location: getLocation(source, match.index ?? 0),
+                value: match[0],
+            });
+        }
+    }
+    // Check for dynamic imports
+    if (policy.noDynamicImports !== false) {
+        const matches = [...source.matchAll(UNSAFE_PATTERNS.dynamicImport)];
+        for (const match of matches) {
+            violations.push({
+                type: 'dynamic-import',
+                message: 'Dynamic imports are not allowed for security reasons',
+                location: getLocation(source, match.index ?? 0),
+                value: match[0],
+            });
+        }
+    }
+    // Check for require usage
+    if (policy.noRequire !== false) {
+        const matches = [...source.matchAll(UNSAFE_PATTERNS.require)];
+        for (const match of matches) {
+            violations.push({
+                type: 'require-usage',
+                message: 'require() is not allowed for security reasons',
+                location: getLocation(source, match.index ?? 0),
+                value: match[0],
+            });
+        }
+    }
+    // Validate imports
+    const importViolations = validateImports(source, policy);
+    violations.push(...importViolations);
+    return violations;
+}
+/**
+ * Validate import statements against policy.
+ *
+ * @param source - Source code to check
+ * @param policy - Security policy
+ * @returns Array of import violations
+ */
+function validateImports(source, policy = types_1.DEFAULT_SECURITY_POLICY) {
+    const violations = [];
+    // Extract import statements
+    const importPattern = /import\s+(?:(?:\{[^}]*\}|[\w*]+)\s+from\s+)?['"]([^'"]+)['"]/g;
+    const imports = [];
+    let match;
+    while ((match = importPattern.exec(source)) !== null) {
+        imports.push({ module: match[1], index: match.index });
+    }
+    // Also check for require-style imports that might slip through
+    const requirePattern = /require\s*\(\s*['"]([^'"]+)['"]\s*\)/g;
+    while ((match = requirePattern.exec(source)) !== null) {
+        imports.push({ module: match[1], index: match.index });
+    }
+    for (const imp of imports) {
+        // Check blocked imports first
+        if (policy.blockedImports) {
+            for (const blocked of policy.blockedImports) {
+                if (blocked.test(imp.module)) {
+                    violations.push({
+                        type: 'blocked-import',
+                        message: `Import '${imp.module}' is blocked by security policy`,
+                        location: getLocation(source, imp.index),
+                        value: imp.module,
+                    });
+                    break;
+                }
+            }
+        }
+        // Check if import is in allowed list
+        if (policy.allowedImports && policy.allowedImports.length > 0) {
+            const isAllowed = policy.allowedImports.some((pattern) => pattern.test(imp.module));
+            if (!isAllowed) {
+                // Check if already reported as blocked
+                const alreadyBlocked = violations.some((v) => v.type === 'blocked-import' && v.value === imp.module);
+                if (!alreadyBlocked) {
+                    violations.push({
+                        type: 'disallowed-import',
+                        message: `Import '${imp.module}' is not in the allowed imports list`,
+                        location: getLocation(source, imp.index),
+                        value: imp.module,
+                    });
+                }
+            }
+        }
+    }
+    return violations;
+}
+/**
+ * Validate bundle size against policy.
+ *
+ * @param size - Bundle size in bytes
+ * @param policy - Security policy
+ * @returns Violation if size exceeds limit, undefined otherwise
+ */
+function validateSize(size, policy = types_1.DEFAULT_SECURITY_POLICY) {
+    const maxSize = policy.maxBundleSize ?? types_1.DEFAULT_SECURITY_POLICY.maxBundleSize ?? 512000;
+    if (size > maxSize) {
+        return {
+            type: 'size-exceeded',
+            message: `Bundle size (${formatBytes(size)}) exceeds maximum allowed (${formatBytes(maxSize)})`,
+            value: String(size),
+        };
+    }
+    return undefined;
+}
+/**
+ * Create a merged security policy with defaults.
+ *
+ * @param userPolicy - User-provided policy overrides
+ * @returns Merged policy with defaults
+ */
+function mergePolicy(userPolicy) {
+    if (!userPolicy) {
+        return { ...types_1.DEFAULT_SECURITY_POLICY };
+    }
+    return {
+        allowedImports: userPolicy.allowedImports ?? types_1.DEFAULT_SECURITY_POLICY.allowedImports,
+        blockedImports: userPolicy.blockedImports ?? types_1.DEFAULT_SECURITY_POLICY.blockedImports,
+        maxBundleSize: userPolicy.maxBundleSize ?? types_1.DEFAULT_SECURITY_POLICY.maxBundleSize,
+        maxTransformTime: userPolicy.maxTransformTime ?? types_1.DEFAULT_SECURITY_POLICY.maxTransformTime,
+        noEval: userPolicy.noEval ?? types_1.DEFAULT_SECURITY_POLICY.noEval,
+        noDynamicImports: userPolicy.noDynamicImports ?? types_1.DEFAULT_SECURITY_POLICY.noDynamicImports,
+        noRequire: userPolicy.noRequire ?? types_1.DEFAULT_SECURITY_POLICY.noRequire,
+        allowedGlobals: userPolicy.allowedGlobals ?? types_1.DEFAULT_SECURITY_POLICY.allowedGlobals,
+    };
+}
+/**
+ * Get line and column from source index.
+ */
+function getLocation(source, index) {
+    const lines = source.slice(0, index).split('\n');
+    return {
+        line: lines.length,
+        column: lines[lines.length - 1].length + 1,
+    };
+}
+/**
+ * Format bytes to human-readable string.
+ */
+function formatBytes(bytes) {
+    if (bytes < 1024)
+        return `${bytes} B`;
+    if (bytes < 1024 * 1024)
+        return `${(bytes / 1024).toFixed(1)} KB`;
+    return `${(bytes / (1024 * 1024)).toFixed(1)} MB`;
+}
+/**
+ * Security error thrown when policy is violated.
+ */
+class SecurityError extends Error {
+    violations;
+    constructor(message, violations) {
+        super(message);
+        this.name = 'SecurityError';
+        this.violations = violations;
+    }
+}
+exports.SecurityError = SecurityError;
+/**
+ * Throw if any violations exist.
+ *
+ * @param violations - Array of violations to check
+ * @throws SecurityError if violations exist
+ */
+function throwOnViolations(violations) {
+    if (violations.length > 0) {
+        const message = violations.map((v) => v.message).join('; ');
+        throw new SecurityError(`Security policy violation: ${message}`, violations);
+    }
+}
+//# sourceMappingURL=policy.js.map

package/src/bundler/sandbox/policy.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"policy.js","sourceRoot":"","sources":["../../../../src/bundler/sandbox/policy.ts"],"names":[],"mappings":";AAAA;;;;;;GAMG;;;AAqCH,wCAyDC;AASD,0CAqDC;AASD,oCAeC;AAQD,kCAeC;AAyCD,8CAKC;AAtPD,oCAAmD;AAEnD;;GAEG;AACH,MAAM,eAAe,GAAG;IACtB,IAAI,EAAE,cAAc;IACpB,mBAAmB,EAAE,wBAAwB;IAC7C,aAAa,EAAE,gBAAgB;IAC/B,OAAO,EAAE,iBAAiB;IAC1B,UAAU,EAAE,mBAAmB;IAC/B,UAAU,EAAE,iBAAiB;IAC7B,cAAc,EAAE,uBAAuB;IACvC,cAAc,EAAE,uBAAuB;IACvC,SAAS,EAAE,kBAAkB;IAC7B,SAAS,EAAE,kBAAkB;IAC7B,cAAc,EAAE,yBAAyB;CAC1C,CAAC;AAEF;;;;;;;;;;;;;;GAcG;AACH,SAAgB,cAAc,CAAC,MAAc,EAAE,SAAyB,+BAAuB;IAC7F,MAAM,UAAU,GAAwB,EAAE,CAAC;IAE3C,uBAAuB;IACvB,IAAI,MAAM,CAAC,MAAM,KAAK,KAAK,EAAE,CAAC;QAC5B,MAAM,WAAW,GAAG,CAAC,GAAG,MAAM,CAAC,QAAQ,CAAC,eAAe,CAAC,IAAI,CAAC,CAAC,CAAC;QAC/D,KAAK,MAAM,KAAK,IAAI,WAAW,EAAE,CAAC;YAChC,UAAU,CAAC,IAAI,CAAC;gBACd,IAAI,EAAE,YAAY;gBAClB,OAAO,EAAE,4CAA4C;gBACrD,QAAQ,EAAE,WAAW,CAAC,MAAM,EAAE,KAAK,CAAC,KAAK,IAAI,CAAC,CAAC;gBAC/C,KAAK,EAAE,KAAK,CAAC,CAAC,CAAC;aAChB,CAAC,CAAC;QACL,CAAC;QAED,MAAM,SAAS,GAAG,CAAC,GAAG,MAAM,CAAC,QAAQ,CAAC,eAAe,CAAC,mBAAmB,CAAC,CAAC,CAAC;QAC5E,KAAK,MAAM,KAAK,IAAI,SAAS,EAAE,CAAC;YAC9B,UAAU,CAAC,IAAI,CAAC;gBACd,IAAI,EAAE,YAAY;gBAClB,OAAO,EAAE,oDAAoD;gBAC7D,QAAQ,EAAE,WAAW,CAAC,MAAM,EAAE,KAAK,CAAC,KAAK,IAAI,CAAC,CAAC;gBAC/C,KAAK,EAAE,KAAK,CAAC,CAAC,CAAC;aAChB,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,4BAA4B;IAC5B,IAAI,MAAM,CAAC,gBAAgB,KAAK,KAAK,EAAE,CAAC;QACtC,MAAM,OAAO,GAAG,CAAC,GAAG,MAAM,CAAC,QAAQ,CAAC,eAAe,CAAC,aAAa,CAAC,CAAC,CAAC;QACpE,KAAK,MAAM,KAAK,IAAI,OAAO,EAAE,CAAC;YAC5B,UAAU,CAAC,IAAI,CAAC;gBACd,IAAI,EAAE,gBAAgB;gBACtB,OAAO,EAAE,sDAAsD;gBAC/D,QAAQ,EAAE,WAAW,CAAC,MAAM,EAAE,KAAK,CAAC,KAAK,IAAI,CAAC,CAAC;gBAC/C,KAAK,EAAE,KAAK,CAAC,CAAC,CAAC;aAChB,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,0BAA0B;IAC1B,IAAI,MAAM,CAAC,SAAS,KAAK,KAAK,EAAE,CAAC;QAC/B,MAAM,OAAO,GAAG,CAAC,GAAG,MAAM,CAAC,QAAQ,CAAC,eAAe,CAAC,OAAO,CAAC,CAAC,CAAC;QAC9D,KAAK,MAAM,KAAK,IAAI,OAAO,EAAE,CAAC;YAC5B,UAAU,CAAC,IAAI,CAAC;gBACd,IAAI,EAAE,eAAe;gBACrB,OAAO,EAAE,+CAA+C;gBACxD,QAAQ,EAAE,WAAW,CAAC,MAAM,EAAE,KAAK,CAAC,KAAK,IAAI,CAAC,CAAC;gBAC/C,KAAK,EAAE,KAAK,CAAC,CAAC,CAAC;aAChB,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,mBAAmB;IACnB,MAAM,gBAAgB,GAAG,eAAe,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACzD,UAAU,CAAC,IAAI,CAAC,GAAG,gBAAgB,CAAC,CAAC;IAErC,OAAO,UAAU,CAAC;AACpB,CAAC;AAED;;;;;;GAMG;AACH,SAAgB,eAAe,CAAC,MAAc,EAAE,SAAyB,+BAAuB;IAC9F,MAAM,UAAU,GAAwB,EAAE,CAAC;IAE3C,4BAA4B;IAC5B,MAAM,aAAa,GAAG,+DAA+D,CAAC;IACtF,MAAM,OAAO,GAA6C,EAAE,CAAC;IAE7D,IAAI,KAAK,CAAC;IACV,OAAO,CAAC,KAAK,GAAG,aAAa,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;QACrD,OAAO,CAAC,IAAI,CAAC,EAAE,MAAM,EAAE,KAAK,CAAC,CAAC,CAAC,EAAE,KAAK,EAAE,KAAK,CAAC,KAAK,EAAE,CAAC,CAAC;IACzD,CAAC;IAED,+DAA+D;IAC/D,MAAM,cAAc,GAAG,uCAAuC,CAAC;IAC/D,OAAO,CAAC,KAAK,GAAG,cAAc,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;QACtD,OAAO,CAAC,IAAI,CAAC,EAAE,MAAM,EAAE,KAAK,CAAC,CAAC,CAAC,EAAE,KAAK,EAAE,KAAK,CAAC,KAAK,EAAE,CAAC,CAAC;IACzD,CAAC;IAED,KAAK,MAAM,GAAG,IAAI,OAAO,EAAE,CAAC;QAC1B,8BAA8B;QAC9B,IAAI,MAAM,CAAC,cAAc,EAAE,CAAC;YAC1B,KAAK,MAAM,OAAO,IAAI,MAAM,CAAC,cAAc,EAAE,CAAC;gBAC5C,IAAI,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC;oBAC7B,UAAU,CAAC,IAAI,CAAC;wBACd,IAAI,EAAE,gBAAgB;wBACtB,OAAO,EAAE,WAAW,GAAG,CAAC,MAAM,iCAAiC;wBAC/D,QAAQ,EAAE,WAAW,CAAC,MAAM,EAAE,GAAG,CAAC,KAAK,CAAC;wBACxC,KAAK,EAAE,GAAG,CAAC,MAAM;qBAClB,CAAC,CAAC;oBACH,MAAM;gBACR,CAAC;YACH,CAAC;QACH,CAAC;QAED,qCAAqC;QACrC,IAAI,MAAM,CAAC,cAAc,IAAI,MAAM,CAAC,cAAc,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YAC9D,MAAM,SAAS,GAAG,MAAM,CAAC,cAAc,CAAC,IAAI,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC;YACpF,IAAI,CAAC,SAAS,EAAE,CAAC;gBACf,uCAAuC;gBACvC,MAAM,cAAc,GAAG,UAAU,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,gBAAgB,IAAI,CAAC,CAAC,KAAK,KAAK,GAAG,CAAC,MAAM,CAAC,CAAC;gBACrG,IAAI,CAAC,cAAc,EAAE,CAAC;oBACpB,UAAU,CAAC,IAAI,CAAC;wBACd,IAAI,EAAE,mBAAmB;wBACzB,OAAO,EAAE,WAAW,GAAG,CAAC,MAAM,sCAAsC;wBACpE,QAAQ,EAAE,WAAW,CAAC,MAAM,EAAE,GAAG,CAAC,KAAK,CAAC;wBACxC,KAAK,EAAE,GAAG,CAAC,MAAM;qBAClB,CAAC,CAAC;gBACL,CAAC;YACH,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,UAAU,CAAC;AACpB,CAAC;AAED;;;;;;GAMG;AACH,SAAgB,YAAY,CAC1B,IAAY,EACZ,SAAyB,+BAAuB;IAEhD,MAAM,OAAO,GAAG,MAAM,CAAC,aAAa,IAAI,+BAAuB,CAAC,aAAa,IAAI,MAAM,CAAC;IAExF,IAAI,IAAI,GAAG,OAAO,EAAE,CAAC;QACnB,OAAO;YACL,IAAI,EAAE,eAAe;YACrB,OAAO,EAAE,gBAAgB,WAAW,CAAC,IAAI,CAAC,8BAA8B,WAAW,CAAC,OAAO,CAAC,GAAG;YAC/F,KAAK,EAAE,MAAM,CAAC,IAAI,CAAC;SACpB,CAAC;IACJ,CAAC;IAED,OAAO,SAAS,CAAC;AACnB,CAAC;AAED;;;;;GAKG;AACH,SAAgB,WAAW,CAAC,UAAoC;IAC9D,IAAI,CAAC,UAAU,EAAE,CAAC;QAChB,OAAO,EAAE,GAAG,+BAAuB,EAAE,CAAC;IACxC,CAAC;IAED,OAAO;QACL,cAAc,EAAE,UAAU,CAAC,cAAc,IAAI,+BAAuB,CAAC,cAAc;QACnF,cAAc,EAAE,UAAU,CAAC,cAAc,IAAI,+BAAuB,CAAC,cAAc;QACnF,aAAa,EAAE,UAAU,CAAC,aAAa,IAAI,+BAAuB,CAAC,aAAa;QAChF,gBAAgB,EAAE,UAAU,CAAC,gBAAgB,IAAI,+BAAuB,CAAC,gBAAgB;QACzF,MAAM,EAAE,UAAU,CAAC,MAAM,IAAI,+BAAuB,CAAC,MAAM;QAC3D,gBAAgB,EAAE,UAAU,CAAC,gBAAgB,IAAI,+BAAuB,CAAC,gBAAgB;QACzF,SAAS,EAAE,UAAU,CAAC,SAAS,IAAI,+BAAuB,CAAC,SAAS;QACpE,cAAc,EAAE,UAAU,CAAC,cAAc,IAAI,+BAAuB,CAAC,cAAc;KACpF,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,SAAS,WAAW,CAAC,MAAc,EAAE,KAAa;IAChD,MAAM,KAAK,GAAG,MAAM,CAAC,KAAK,CAAC,CAAC,EAAE,KAAK,CAAC,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IACjD,OAAO;QACL,IAAI,EAAE,KAAK,CAAC,MAAM;QAClB,MAAM,EAAE,KAAK,CAAC,KAAK,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,MAAM,GAAG,CAAC;KAC3C,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,SAAS,WAAW,CAAC,KAAa;IAChC,IAAI,KAAK,GAAG,IAAI;QAAE,OAAO,GAAG,KAAK,IAAI,CAAC;IACtC,IAAI,KAAK,GAAG,IAAI,GAAG,IAAI;QAAE,OAAO,GAAG,CAAC,KAAK,GAAG,IAAI,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,KAAK,CAAC;IAClE,OAAO,GAAG,CAAC,KAAK,GAAG,CAAC,IAAI,GAAG,IAAI,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,KAAK,CAAC;AACpD,CAAC;AAED;;GAEG;AACH,MAAa,aAAc,SAAQ,KAAK;IAC7B,UAAU,CAAsB;IAEzC,YAAY,OAAe,EAAE,UAA+B;QAC1D,KAAK,CAAC,OAAO,CAAC,CAAC;QACf,IAAI,CAAC,IAAI,GAAG,eAAe,CAAC;QAC5B,IAAI,CAAC,UAAU,GAAG,UAAU,CAAC;IAC/B,CAAC;CACF;AARD,sCAQC;AAED;;;;;GAKG;AACH,SAAgB,iBAAiB,CAAC,UAA+B;IAC/D,IAAI,UAAU,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC1B,MAAM,OAAO,GAAG,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAC5D,MAAM,IAAI,aAAa,CAAC,8BAA8B,OAAO,EAAE,EAAE,UAAU,CAAC,CAAC;IAC/E,CAAC;AACH,CAAC","sourcesContent":["/**\n * Sandbox Security Policy\n *\n * Defines and validates security policies for bundler execution.\n *\n * @packageDocumentation\n */\n\nimport type { SecurityPolicy, SecurityViolation } from '../types';\nimport { DEFAULT_SECURITY_POLICY } from '../types';\n\n/**\n * Patterns that indicate unsafe code.\n */\nconst UNSAFE_PATTERNS = {\n  eval: /\\beval\\s*\\(/g,\n  functionConstructor: /\\bnew\\s+Function\\s*\\(/g,\n  dynamicImport: /\\bimport\\s*\\(/g,\n  require: /\\brequire\\s*\\(/g,\n  processEnv: /\\bprocess\\.env\\b/g,\n  globalThis: /\\bglobalThis\\b/g,\n  windowLocation: /\\bwindow\\.location\\b/g,\n  documentCookie: /\\bdocument\\.cookie\\b/g,\n  innerHTML: /\\.innerHTML\\s*=/g,\n  outerHTML: /\\.outerHTML\\s*=/g,\n  document_write: /\\bdocument\\.write\\s*\\(/g,\n};\n\n/**\n * Validate source code against a security policy.\n *\n * @param source - Source code to validate\n * @param policy - Security policy to enforce\n * @returns Array of security violations (empty if valid)\n *\n * @example\n * ```typescript\n * const violations = validateSource(code, DEFAULT_SECURITY_POLICY);\n * if (violations.length > 0) {\n *   throw new Error(`Security violations: ${violations.map(v => v.message).join(', ')}`);\n * }\n * ```\n */\nexport function validateSource(source: string, policy: SecurityPolicy = DEFAULT_SECURITY_POLICY): SecurityViolation[] {\n  const violations: SecurityViolation[] = [];\n\n  // Check for eval usage\n  if (policy.noEval !== false) {\n    const evalMatches = [...source.matchAll(UNSAFE_PATTERNS.eval)];\n    for (const match of evalMatches) {\n      violations.push({\n        type: 'eval-usage',\n        message: 'eval() is not allowed for security reasons',\n        location: getLocation(source, match.index ?? 0),\n        value: match[0],\n      });\n    }\n\n    const fnMatches = [...source.matchAll(UNSAFE_PATTERNS.functionConstructor)];\n    for (const match of fnMatches) {\n      violations.push({\n        type: 'eval-usage',\n        message: 'new Function() is not allowed for security reasons',\n        location: getLocation(source, match.index ?? 0),\n        value: match[0],\n      });\n    }\n  }\n\n  // Check for dynamic imports\n  if (policy.noDynamicImports !== false) {\n    const matches = [...source.matchAll(UNSAFE_PATTERNS.dynamicImport)];\n    for (const match of matches) {\n      violations.push({\n        type: 'dynamic-import',\n        message: 'Dynamic imports are not allowed for security reasons',\n        location: getLocation(source, match.index ?? 0),\n        value: match[0],\n      });\n    }\n  }\n\n  // Check for require usage\n  if (policy.noRequire !== false) {\n    const matches = [...source.matchAll(UNSAFE_PATTERNS.require)];\n    for (const match of matches) {\n      violations.push({\n        type: 'require-usage',\n        message: 'require() is not allowed for security reasons',\n        location: getLocation(source, match.index ?? 0),\n        value: match[0],\n      });\n    }\n  }\n\n  // Validate imports\n  const importViolations = validateImports(source, policy);\n  violations.push(...importViolations);\n\n  return violations;\n}\n\n/**\n * Validate import statements against policy.\n *\n * @param source - Source code to check\n * @param policy - Security policy\n * @returns Array of import violations\n */\nexport function validateImports(source: string, policy: SecurityPolicy = DEFAULT_SECURITY_POLICY): SecurityViolation[] {\n  const violations: SecurityViolation[] = [];\n\n  // Extract import statements\n  const importPattern = /import\\s+(?:(?:\\{[^}]*\\}|[\\w*]+)\\s+from\\s+)?['\"]([^'\"]+)['\"]/g;\n  const imports: Array<{ module: string; index: number }> = [];\n\n  let match;\n  while ((match = importPattern.exec(source)) !== null) {\n    imports.push({ module: match[1], index: match.index });\n  }\n\n  // Also check for require-style imports that might slip through\n  const requirePattern = /require\\s*\\(\\s*['\"]([^'\"]+)['\"]\\s*\\)/g;\n  while ((match = requirePattern.exec(source)) !== null) {\n    imports.push({ module: match[1], index: match.index });\n  }\n\n  for (const imp of imports) {\n    // Check blocked imports first\n    if (policy.blockedImports) {\n      for (const blocked of policy.blockedImports) {\n        if (blocked.test(imp.module)) {\n          violations.push({\n            type: 'blocked-import',\n            message: `Import '${imp.module}' is blocked by security policy`,\n            location: getLocation(source, imp.index),\n            value: imp.module,\n          });\n          break;\n        }\n      }\n    }\n\n    // Check if import is in allowed list\n    if (policy.allowedImports && policy.allowedImports.length > 0) {\n      const isAllowed = policy.allowedImports.some((pattern) => pattern.test(imp.module));\n      if (!isAllowed) {\n        // Check if already reported as blocked\n        const alreadyBlocked = violations.some((v) => v.type === 'blocked-import' && v.value === imp.module);\n        if (!alreadyBlocked) {\n          violations.push({\n            type: 'disallowed-import',\n            message: `Import '${imp.module}' is not in the allowed imports list`,\n            location: getLocation(source, imp.index),\n            value: imp.module,\n          });\n        }\n      }\n    }\n  }\n\n  return violations;\n}\n\n/**\n * Validate bundle size against policy.\n *\n * @param size - Bundle size in bytes\n * @param policy - Security policy\n * @returns Violation if size exceeds limit, undefined otherwise\n */\nexport function validateSize(\n  size: number,\n  policy: SecurityPolicy = DEFAULT_SECURITY_POLICY,\n): SecurityViolation | undefined {\n  const maxSize = policy.maxBundleSize ?? DEFAULT_SECURITY_POLICY.maxBundleSize ?? 512000;\n\n  if (size > maxSize) {\n    return {\n      type: 'size-exceeded',\n      message: `Bundle size (${formatBytes(size)}) exceeds maximum allowed (${formatBytes(maxSize)})`,\n      value: String(size),\n    };\n  }\n\n  return undefined;\n}\n\n/**\n * Create a merged security policy with defaults.\n *\n * @param userPolicy - User-provided policy overrides\n * @returns Merged policy with defaults\n */\nexport function mergePolicy(userPolicy?: Partial<SecurityPolicy>): SecurityPolicy {\n  if (!userPolicy) {\n    return { ...DEFAULT_SECURITY_POLICY };\n  }\n\n  return {\n    allowedImports: userPolicy.allowedImports ?? DEFAULT_SECURITY_POLICY.allowedImports,\n    blockedImports: userPolicy.blockedImports ?? DEFAULT_SECURITY_POLICY.blockedImports,\n    maxBundleSize: userPolicy.maxBundleSize ?? DEFAULT_SECURITY_POLICY.maxBundleSize,\n    maxTransformTime: userPolicy.maxTransformTime ?? DEFAULT_SECURITY_POLICY.maxTransformTime,\n    noEval: userPolicy.noEval ?? DEFAULT_SECURITY_POLICY.noEval,\n    noDynamicImports: userPolicy.noDynamicImports ?? DEFAULT_SECURITY_POLICY.noDynamicImports,\n    noRequire: userPolicy.noRequire ?? DEFAULT_SECURITY_POLICY.noRequire,\n    allowedGlobals: userPolicy.allowedGlobals ?? DEFAULT_SECURITY_POLICY.allowedGlobals,\n  };\n}\n\n/**\n * Get line and column from source index.\n */\nfunction getLocation(source: string, index: number): { line: number; column: number } {\n  const lines = source.slice(0, index).split('\\n');\n  return {\n    line: lines.length,\n    column: lines[lines.length - 1].length + 1,\n  };\n}\n\n/**\n * Format bytes to human-readable string.\n */\nfunction formatBytes(bytes: number): string {\n  if (bytes < 1024) return `${bytes} B`;\n  if (bytes < 1024 * 1024) return `${(bytes / 1024).toFixed(1)} KB`;\n  return `${(bytes / (1024 * 1024)).toFixed(1)} MB`;\n}\n\n/**\n * Security error thrown when policy is violated.\n */\nexport class SecurityError extends Error {\n  readonly violations: SecurityViolation[];\n\n  constructor(message: string, violations: SecurityViolation[]) {\n    super(message);\n    this.name = 'SecurityError';\n    this.violations = violations;\n  }\n}\n\n/**\n * Throw if any violations exist.\n *\n * @param violations - Array of violations to check\n * @throws SecurityError if violations exist\n */\nexport function throwOnViolations(violations: SecurityViolation[]): void {\n  if (violations.length > 0) {\n    const message = violations.map((v) => v.message).join('; ');\n    throw new SecurityError(`Security policy violation: ${message}`, violations);\n  }\n}\n"]}

package/src/bundler/types.d.ts

@@ -0,0 +1,347 @@
+/**
+ * Bundler Types
+ *
+ * Type definitions for the in-memory bundler system.
+ *
+ * @packageDocumentation
+ */
+/**
+ * Source type for bundler input.
+ */
+export type SourceType = 'jsx' | 'tsx' | 'mdx' | 'html' | 'auto';
+/**
+ * Output format for bundles.
+ */
+export type OutputFormat = 'iife' | 'esm' | 'cjs';
+/**
+ * Options for bundling source code.
+ */
+export interface BundleOptions {
+    /**
+     * Source code to bundle.
+     */
+    source: string;
+    /**
+     * Source type (jsx, tsx, mdx, html, or auto).
+     * @default 'auto'
+     */
+    sourceType?: SourceType;
+    /**
+     * Output format.
+     * @default 'iife'
+     */
+    format?: OutputFormat;
+    /**
+     * Minify output code.
+     * @default false
+     */
+    minify?: boolean;
+    /**
+     * Generate source maps.
+     * @default false
+     */
+    sourceMaps?: boolean | 'inline';
+    /**
+     * External modules (not bundled).
+     * @default ['react', 'react-dom']
+     */
+    externals?: string[];
+    /**
+     * JSX configuration.
+     */
+    jsx?: {
+        /**
+         * JSX runtime mode.
+         * @default 'automatic'
+         */
+        runtime?: 'automatic' | 'classic';
+        /**
+         * Import source for automatic runtime.
+         * @default 'react'
+         */
+        importSource?: string;
+    };
+    /**
+     * Security policy for bundling.
+     */
+    security?: SecurityPolicy;
+    /**
+     * Target environment.
+     * @default 'es2020'
+     */
+    target?: string;
+    /**
+     * Global variable name for IIFE format.
+     * @default 'Widget'
+     */
+    globalName?: string;
+    /**
+     * Cache key override. If not provided, computed from source hash.
+     */
+    cacheKey?: string;
+    /**
+     * Skip cache lookup.
+     * @default false
+     */
+    skipCache?: boolean;
+}
+/**
+ * Options specifically for SSR bundling.
+ */
+export interface SSRBundleOptions extends BundleOptions {
+    /**
+     * Context data to inject during SSR.
+     */
+    context?: Record<string, unknown>;
+    /**
+     * Component export name to render.
+     * @default 'default'
+     */
+    componentExport?: string;
+    /**
+     * Whether to include hydration script.
+     * @default false
+     */
+    includeHydration?: boolean;
+}
+/**
+ * Result of a bundle operation.
+ */
+export interface BundleResult {
+    /**
+     * Bundled/transformed code.
+     */
+    code: string;
+    /**
+     * Content hash of the bundle.
+     */
+    hash: string;
+    /**
+     * Whether result was served from cache.
+     */
+    cached: boolean;
+    /**
+     * Bundle size in bytes.
+     */
+    size: number;
+    /**
+     * Source map (if generated).
+     */
+    map?: string;
+    /**
+     * Performance metrics.
+     */
+    metrics: BundleMetrics;
+    /**
+     * Detected or specified source type.
+     */
+    sourceType: SourceType;
+    /**
+     * Output format used.
+     */
+    format: OutputFormat;
+}
+/**
+ * Performance metrics for bundling.
+ */
+export interface BundleMetrics {
+    /**
+     * Time to transform source (ms).
+     */
+    transformTime: number;
+    /**
+     * Time to bundle (ms).
+     */
+    bundleTime: number;
+    /**
+     * Total processing time (ms).
+     */
+    totalTime: number;
+    /**
+     * Cache lookup time (ms).
+     */
+    cacheTime?: number;
+}
+/**
+ * Result of SSR rendering.
+ */
+export interface SSRResult extends BundleResult {
+    /**
+     * Rendered HTML output.
+     */
+    html: string;
+    /**
+     * Hydration script (if included).
+     */
+    hydrationScript?: string;
+    /**
+     * SSR-specific metrics.
+     */
+    ssrMetrics: {
+        /**
+         * Time to render component (ms).
+         */
+        renderTime: number;
+    };
+}
+/**
+ * Security policy for bundler execution.
+ */
+export interface SecurityPolicy {
+    /**
+     * Allowed import patterns (regex).
+     * @default [/^react/, /^@frontmcp\/ui/]
+     */
+    allowedImports?: RegExp[];
+    /**
+     * Blocked import patterns (regex).
+     * @default [/^fs/, /^net/, /^child_process/, /^os/, /^path/]
+     */
+    blockedImports?: RegExp[];
+    /**
+     * Maximum bundle size in bytes.
+     * @default 512000 (500KB)
+     */
+    maxBundleSize?: number;
+    /**
+     * Maximum transform time in ms.
+     * @default 5000 (5s)
+     */
+    maxTransformTime?: number;
+    /**
+     * Block eval() and Function() usage.
+     * @default true
+     */
+    noEval?: boolean;
+    /**
+     * Block dynamic imports.
+     * @default true
+     */
+    noDynamicImports?: boolean;
+    /**
+     * Block require() usage.
+     * @default true
+     */
+    noRequire?: boolean;
+    /**
+     * Allowed global variables.
+     * @default ['console', 'Math', 'JSON', 'Date', 'Array', 'Object', 'String', 'Number', 'Boolean', 'Promise', 'Map', 'Set', 'WeakMap', 'WeakSet', 'Symbol', 'Reflect', 'Proxy', 'Error', 'TypeError', 'RangeError', 'parseInt', 'parseFloat', 'isNaN', 'isFinite', 'encodeURI', 'encodeURIComponent', 'decodeURI', 'decodeURIComponent', 'setTimeout', 'clearTimeout', 'setInterval', 'clearInterval']
+     */
+    allowedGlobals?: string[];
+}
+/**
+ * Security violation details.
+ */
+export interface SecurityViolation {
+    /**
+     * Type of violation.
+     */
+    type: 'blocked-import' | 'disallowed-import' | 'eval-usage' | 'dynamic-import' | 'require-usage' | 'size-exceeded' | 'timeout' | 'blocked-global';
+    /**
+     * Human-readable message.
+     */
+    message: string;
+    /**
+     * Location in source (if available).
+     */
+    location?: {
+        line: number;
+        column: number;
+    };
+    /**
+     * Offending pattern/value.
+     */
+    value?: string;
+}
+/**
+ * Configuration options for creating a bundler instance.
+ */
+export interface BundlerOptions {
+    /**
+     * Default security policy.
+     */
+    defaultSecurity?: SecurityPolicy;
+    /**
+     * Cache configuration.
+     */
+    cache?: {
+        /**
+         * Maximum number of cached entries.
+         * @default 100
+         */
+        maxSize?: number;
+        /**
+         * TTL for cache entries in ms.
+         * @default 300000 (5 minutes)
+         */
+        ttl?: number;
+        /**
+         * Disable caching entirely.
+         * @default false
+         */
+        disabled?: boolean;
+    };
+    /**
+     * Enable verbose logging.
+     * @default false
+     */
+    verbose?: boolean;
+    /**
+     * Custom esbuild options.
+     */
+    esbuildOptions?: Record<string, unknown>;
+}
+/**
+ * Cache entry for bundled results.
+ */
+export interface CacheEntry {
+    /**
+     * Bundle result.
+     */
+    result: BundleResult;
+    /**
+     * Creation timestamp.
+     */
+    createdAt: number;
+    /**
+     * Last access timestamp.
+     */
+    lastAccessedAt: number;
+    /**
+     * Access count.
+     */
+    accessCount: number;
+}
+/**
+ * Context for transform operations.
+ */
+export interface TransformContext {
+    /**
+     * Source type being transformed.
+     */
+    sourceType: SourceType;
+    /**
+     * File path (for source maps).
+     */
+    filename?: string;
+    /**
+     * Source code.
+     */
+    source: string;
+    /**
+     * Active security policy.
+     */
+    security: SecurityPolicy;
+}
+/**
+ * Default security policy.
+ */
+export declare const DEFAULT_SECURITY_POLICY: SecurityPolicy;
+/**
+ * Default bundle options.
+ */
+export declare const DEFAULT_BUNDLE_OPTIONS: Required<Pick<BundleOptions, 'sourceType' | 'format' | 'minify' | 'sourceMaps' | 'externals' | 'jsx' | 'target' | 'globalName' | 'skipCache'>>;
+/**
+ * Default bundler options.
+ */
+export declare const DEFAULT_BUNDLER_OPTIONS: Required<BundlerOptions>;