@gotza02/sequential-thinking 10000.2.0 → 10000.2.2

package/dist/utils.js

@@ -1,214 +1,362 @@
-import { spawn } from 'child_process';
-import * as path from 'path';
-import * as fs from 'fs';
-import * as dns from 'dns/promises';
-import { URL } from 'url';
+import { spawn } from 'node:child_process';
+import * as path from 'node:path';
+import * as fs from 'node:fs';
+import * as dns from 'node:dns/promises';
+import { URL } from 'node:url';
 import chalk from 'chalk';
-// ============= Command Injection Protection =============
+// ==========================================
+// Constants & Configuration
+// ==========================================
+const CONFIG = {
+    COMMAND_TIMEOUT: 60_000,
+    MAX_BUFFER: 5 * 1024 * 1024,
+    MAX_PATTERN_LENGTH: 500,
+    MAX_QUANTIFIERS: 20,
+    MAX_LOCKS: 1000,
+    DNS_TIMEOUT: 5_000,
+    MAX_INPUT_LENGTH: 10_000,
+    RETRY: {
+        MAX_RETRIES: 3,
+        BASE_DELAY: 1000,
+        BACKOFF_MULTIPLIER: 2,
+    },
+};
 /**
- * Shell metacharacters that could enable command injection
- * Blocking these prevents command chaining like: cmd; rm -rf /
+ * Shell metacharacters that could enable command injection.
+ * Using character class to avoid regex complexity issues.
  */
-const SHELL_METACHARACTERS = /[;|&`$()<>\{\}\[\]\*\?~]|\$\{[^}]*\}|\\x[0-9a-fA-F]{2}|\$[a-zA-Z_][a-zA-Z0-9_]*/gu;
+const SHELL_METACHARACTERS = /[;|&`$()<>\{\}\[\]\*\?~]/;
 /**
- * Whitelist of safe commands that can be executed
- * Commands must be explicitly allowed for security
+ * Whitelist of safe commands. Consider loading from config file for flexibility.
  */
 const SAFE_COMMANDS = new Set([
-    // Common development tools
     'ls', 'cd', 'pwd', 'cat', 'head', 'tail', 'grep', 'find',
     'echo', 'printf', 'wc', 'sort', 'uniq', 'cut', 'awk', 'sed',
-    // Build tools
     'npm', 'pnpm', 'yarn', 'bun', 'python', 'python3', 'node', 'deno',
     'make', 'cmake', 'cargo', 'go', 'rustc', 'gcc', 'g++', 'clang',
-    // Git
-    'git',
-    // File operations (safe ones)
-    'cp', 'mv', 'mkdir', 'touch', 'rm', 'rmdir',
-    // System info (read-only)
+    'git', 'cp', 'mv', 'mkdir', 'touch', 'rm', 'rmdir',
     'df', 'du', 'free', 'uname', 'which', 'whereis', 'type',
-    // Network diagnostics
     'ping', 'traceroute', 'nslookup', 'curl', 'wget', 'ssh',
-    // Text editors
     'vi', 'vim', 'nano', 'code',
-    // Archive tools
     'tar', 'gzip', 'gunzip', 'zip', 'unzip',
-    // Permissions (read-only checks)
     'test', 'stat', 'file',
 ]);
-/**
- * Detect dangerous shell metacharacters in command string
- */
-function hasShellMetacharacters(command) {
-    return SHELL_METACHARACTERS.test(command);
+const DANGEROUS_PATTERNS = [
+    /rm\s+-[rf]+\s*([/~]|\.{2,})/i, // rm -rf patterns
+    /mkfs/i, // Filesystem formatting
+    /\bdd\s+if=/i, // Direct disk write
+    /chmod\s+0+/, // Remove permissions
+    /chown\s+-R\s+root:/, // Recursive ownership
+    /fdisk/i, // Partition tools
+    />\s*\/dev\/\w+/, // Device writes
+    /(?:curl|wget)\s+.*\|\s*(?:sh|bash|zsh)/i, // Pipe to shell
+    /base64\s+-[di].*\|/i, // Decode pipes
+    /eval\s*\(/i, // Eval
+    /\$\([^)]*\)/, // Command substitution
+    /`[^`]*`/, // Backtick substitution
+    /\$\{[^}]*\}/, // Variable expansion
+];
+// ==========================================
+// Custom Error Classes
+// ==========================================
+export class SecurityError extends Error {
+    code;
+    constructor(message, code) {
+        super(message);
+        this.code = code;
+        this.name = 'SecurityError';
+        Error.captureStackTrace(this, this.constructor);
+    }
+}
+export class ValidationError extends Error {
+    field;
+    constructor(message, field) {
+        super(message);
+        this.field = field;
+        this.name = 'ValidationError';
+        Error.captureStackTrace(this, this.constructor);
+    }
+}
+export class TimeoutError extends Error {
+    timeout;
+    constructor(message, timeout) {
+        super(message);
+        this.timeout = timeout;
+        this.name = 'TimeoutError';
+        Error.captureStackTrace(this, this.constructor);
+    }
 }
 /**
- * Parse command string into command and arguments safely
- * This prevents shell injection by avoiding shell interpretation
+ * Robust command parser supporting quotes and escapes.
+ * State machine implementation for correctness.
  */
 function parseCommand(command) {
-    // Remove leading/trailing whitespace
     const trimmed = command.trim();
-    // Find first space to separate command from arguments
-    const firstSpace = trimmed.indexOf(' ');
-    if (firstSpace === -1) {
-        return { command: trimmed, args: [] };
-    }
-    const cmd = trimmed.slice(0, firstSpace);
-    const argsString = trimmed.slice(firstSpace + 1);
-    // Simple argument splitting (handles quoted strings)
+    if (!trimmed) {
+        throw new ValidationError('Empty command');
+    }
     const args = [];
     let current = '';
-    let inQuotes = false;
-    let quoteChar = '';
-    for (let i = 0; i < argsString.length; i++) {
-        const char = argsString[i];
-        if ((char === '"' || char === "'") && (i === 0 || argsString[i - 1] !== '\\')) {
-            if (!inQuotes) {
-                inQuotes = true;
-                quoteChar = char;
-            }
-            else if (char === quoteChar) {
-                inQuotes = false;
-                quoteChar = '';
+    let inDoubleQuotes = false;
+    let inSingleQuotes = false;
+    let escapeNext = false;
+    for (let i = 0; i < trimmed.length; i++) {
+        const char = trimmed[i];
+        const nextChar = trimmed[i + 1];
+        if (escapeNext) {
+            if (inDoubleQuotes) {
+                // Only specific chars are escapable in double quotes
+                if (char === '"' || char === '\\' || char === '$' || char === '`') {
+                    current += char;
+                }
+                else {
+                    current += '\\' + char;
+                }
             }
             else {
                 current += char;
             }
+            escapeNext = false;
+            continue;
+        }
+        if (char === '\\' && !inSingleQuotes) {
+            escapeNext = true;
+            continue;
         }
-        else if (char === ' ' && !inQuotes) {
+        if (char === "'" && !inDoubleQuotes) {
+            inSingleQuotes = !inSingleQuotes;
+            continue;
+        }
+        if (char === '"' && !inSingleQuotes) {
+            inDoubleQuotes = !inDoubleQuotes;
+            continue;
+        }
+        if (/\s/.test(char) && !inSingleQuotes && !inDoubleQuotes) {
             if (current) {
                 args.push(current);
                 current = '';
             }
+            continue;
         }
-        else {
-            current += char;
-        }
+        current += char;
     }
-    if (current) {
+    if (inSingleQuotes || inDoubleQuotes) {
+        throw new ValidationError('Unclosed quotes in command');
+    }
+    if (escapeNext) {
+        current += '\\';
+    }
+    if (current || args.length === 0) {
         args.push(current);
     }
-    return { command: cmd, args };
+    const [cmd, ...cmdArgs] = args;
+    return { command: cmd, args: cmdArgs };
+}
+function hasShellMetacharacters(command) {
+    return SHELL_METACHARACTERS.test(command);
 }
 /**
- * Validate command against security rules
- * @throws Error if command is unsafe
+ * Validates command against injection attacks.
+ * @throws SecurityError if validation fails
  */
 function validateCommand(command) {
-    // Check for shell metacharacters
     if (hasShellMetacharacters(command)) {
-        throw new Error('Command blocked: Contains shell metacharacters (;|&`$()<>). ' +
-            'These are not allowed for security reasons.');
-    }
-    // Parse command to get base command name
-    const { command: baseCommand } = parseCommand(command);
-    // Check if command is in whitelist
-    if (!SAFE_COMMANDS.has(baseCommand)) {
-        throw new Error(`Command '${baseCommand}' is not in the allowed commands list. ` +
-            `If this command is safe, add it to SAFE_COMMANDS in utils.ts.`);
-    }
-    // Additional checks for potentially dangerous patterns
-    // Using string-based RegExp with proper escaping
-    const dangerousPatterns = [
-        new RegExp('rm\\s+-rf?\\s+([/~]|\\.\\.|\\.$)'), // rm -rf patterns
-        new RegExp('mkfs'), // Filesystem formatting
-        new RegExp('dd\\s+if='), // Direct disk write
-        new RegExp('chmod\\s+000'), // Remove all permissions
-        new RegExp('chown\\s+-R\\s+root:'), // Recursive ownership change
-        new RegExp('fdisk'), // Partition tools
-        new RegExp('>\\s*/dev/\\w+\\s*\\+w'), // Write to device
-        // New patterns:
-        new RegExp('curl\\s+.*\\s*\\|\\s*sh'), // curl | sh
-        new RegExp('wget\\s+.*\\s*\\|\\s*sh'), // wget | sh
-        new RegExp('base64\\s+-d\\s*\\|'), // encoded commands
-        new RegExp('eval\\s*\\('), // eval()
-        new RegExp('\\$\\(\\(.*\\)\\)'), // $() command substitution
-        new RegExp('`.*`'), // backtick substitution
-    ];
-    for (const pattern of dangerousPatterns) {
+        throw new SecurityError('Command contains shell metacharacters (;|&`$()<>). Use programmatic APIs instead.', 'CMD_INJECTION_DETECTED');
+    }
+    const { command: baseCmd } = parseCommand(command);
+    if (!SAFE_COMMANDS.has(baseCmd)) {
+        throw new SecurityError(`Command '${baseCmd}' is not whitelisted. Add to SAFE_COMMANDS if safe.`, 'CMD_NOT_WHITELISTED');
+    }
+    for (const pattern of DANGEROUS_PATTERNS) {
         if (pattern.test(command)) {
-            throw new Error(`Command blocked: Matches dangerous pattern`);
+            throw new SecurityError(`Command matches dangerous pattern: ${pattern.source}`, 'DANGEROUS_PATTERN');
         }
     }
 }
-// export const execAsync = promisify(exec); // Removed simple promisify
 /**
- * Execute a shell command with security protections against command injection.
- * Uses spawn() instead of exec() to avoid shell interpretation.
- *
- * @param command - The command string to execute
- * @param options - Execution options (timeout, maxBuffer)
- * @returns Promise with stdout and stderr
- * @throws Error if command contains shell metacharacters or is not whitelisted
+ * Execute command securely using spawn (no shell interpretation).
  */
-export function execAsync(command, options = {}) {
+export async function execAsync(command, options = {}) {
+    validateCommand(command);
+    const { command: cmd, args } = parseCommand(command);
+    const timeout = options.timeout ?? CONFIG.COMMAND_TIMEOUT;
+    const maxBuffer = options.maxBuffer ?? CONFIG.MAX_BUFFER;
     return new Promise((resolve, reject) => {
-        try {
-            // Validate command for security
-            validateCommand(command);
-        }
-        catch (error) {
-            return reject(error);
-        }
-        const timeout = options.timeout || 60000; // Default 60s timeout
-        const maxBuffer = options.maxBuffer || 1024 * 1024 * 5; // Default 5MB buffer
-        // Parse command into parts
-        const { command: cmd, args } = parseCommand(command);
-        // Use spawn instead of exec to avoid shell interpretation
+        const startTime = performance.now();
         const child = spawn(cmd, args, {
             timeout,
+            cwd: options.cwd,
+            env: { ...process.env, ...options.env },
+            stdio: ['ignore', 'pipe', 'pipe'],
+            detached: false,
         });
         let stdout = '';
         let stderr = '';
+        let stdoutLength = 0;
+        let stderrLength = 0;
+        let killed = false;
+        const kill = (signal = 'SIGTERM') => {
+            if (!killed && !child.killed) {
+                killed = true;
+                child.kill(signal);
+            }
+        };
+        // Buffer limits to prevent memory exhaustion
         child.stdout?.on('data', (data) => {
-            stdout += data.toString();
+            if (stdoutLength + data.length > maxBuffer) {
+                kill();
+                reject(new SecurityError('Stdout exceeded maxBuffer', 'BUFFER_OVERFLOW'));
+                return;
+            }
+            stdout += data.toString('utf-8');
+            stdoutLength += data.length;
         });
         child.stderr?.on('data', (data) => {
-            stderr += data.toString();
+            if (stderrLength + data.length > maxBuffer) {
+                kill();
+                reject(new SecurityError('Stderr exceeded maxBuffer', 'BUFFER_OVERFLOW'));
+                return;
+            }
+            stderr += data.toString('utf-8');
+            stderrLength += data.length;
         });
-        child.on('error', (error) => {
+        const errorHandler = (error) => {
+            kill('SIGKILL');
             reject(error);
-        });
-        child.on('close', (code) => {
-            if (code !== 0) {
+        };
+        child.on('error', errorHandler);
+        child.on('close', (code, signal) => {
+            const executionTime = Math.round(performance.now() - startTime);
+            if (signal) {
+                reject(new Error(`Command terminated by signal ${signal}`));
+            }
+            else if (code !== 0) {
                 const error = new Error(`Command failed with exit code ${code}`);
                 error.stdout = stdout;
                 error.stderr = stderr;
-                error.exitCode = code;
+                error.exitCode = code ?? -1;
+                error.executionTime = executionTime;
                 reject(error);
             }
             else {
-                resolve({ stdout, stderr });
+                resolve({
+                    stdout,
+                    stderr,
+                    exitCode: code ?? 0,
+                    executionTime,
+                });
             }
         });
     });
 }
+// ==========================================
+// Synchronization Primitives
+// ==========================================
 export class AsyncMutex {
-    mutex = Promise.resolve();
-    lock() {
-        let unlock = () => { };
-        const nextLock = new Promise(resolve => {
-            unlock = resolve;
+    queue = [];
+    locked = false;
+    async acquire() {
+        if (!this.locked) {
+            this.locked = true;
+            return () => this.release();
+        }
+        return new Promise((resolve) => {
+            this.queue.push(() => resolve(() => this.release()));
         });
-        // The caller waits for the previous lock to release
-        const willLock = this.mutex.then(() => unlock);
-        // The next caller will wait for this lock to release
-        this.mutex = nextLock;
-        return willLock;
+    }
+    release() {
+        if (this.queue.length > 0) {
+            const next = this.queue.shift();
+            next();
+        }
+        else {
+            this.locked = false;
+        }
     }
     async dispatch(fn) {
-        const unlock = await this.lock();
+        const release = await this.acquire();
         try {
             return await Promise.resolve(fn());
         }
         finally {
-            unlock();
+            release();
+        }
+    }
+}
+export class FileLock {
+    locks = new Map();
+    queue = new Map();
+    maxLocks;
+    constructor(maxLocks = CONFIG.MAX_LOCKS) {
+        this.maxLocks = maxLocks;
+    }
+    async acquire(filePath, timeout = 5000) {
+        const absolutePath = path.resolve(filePath);
+        if (this.locks.has(absolutePath)) {
+            // Wait for existing lock with timeout
+            await this.waitForLock(absolutePath, timeout);
+        }
+        if (this.locks.size >= this.maxLocks) {
+            this.cleanupStaleLocks();
+        }
+        this.locks.set(absolutePath, {
+            acquiredAt: Date.now(),
+            timeout,
+            resolve: () => { }, // Placeholder
+        });
+        return {
+            release: () => {
+                this.release(absolutePath);
+            },
+        };
+    }
+    waitForLock(filePath, timeout) {
+        return new Promise((resolve, reject) => {
+            const timer = setTimeout(() => {
+                reject(new TimeoutError(`Timeout acquiring lock for ${filePath}`, timeout));
+            }, timeout);
+            if (!this.queue.has(filePath)) {
+                this.queue.set(filePath, []);
+            }
+            this.queue.get(filePath).push(() => {
+                clearTimeout(timer);
+                resolve();
+            });
+        });
+    }
+    release(filePath) {
+        this.locks.delete(filePath);
+        const waiting = this.queue.get(filePath);
+        if (waiting?.length) {
+            const next = waiting.shift();
+            next();
+            if (waiting.length === 0) {
+                this.queue.delete(filePath);
+            }
         }
     }
+    cleanupStaleLocks() {
+        const now = Date.now();
+        const staleThreshold = 30_000; // 30 seconds
+        for (const [filePath, info] of this.locks.entries()) {
+            if (now - info.acquiredAt > info.timeout + staleThreshold) {
+                this.locks.delete(filePath);
+                this.queue.delete(filePath);
+            }
+        }
+    }
+    getLockCount() {
+        return this.locks.size;
+    }
+    getQueueCount() {
+        return Array.from(this.queue.values()).reduce((sum, arr) => sum + arr.length, 0);
+    }
 }
+export const fileLock = new FileLock();
+// ==========================================
+// Validation Utilities
+// ==========================================
 export function validatePath(requestedPath) {
-    // Special case for current directory to avoid resolution issues in restricted environments
     if (requestedPath === '.' || requestedPath === './' || !requestedPath) {
         return fs.realpathSync(process.cwd());
     }
@@ -216,268 +364,325 @@ export function validatePath(requestedPath) {
     let absolutePath;
     let rootDir;
     try {
-        // Use realpath to resolve symlinks, which is common in environments like Termux
         absolutePath = fs.realpathSync(resolvedPath);
         rootDir = fs.realpathSync(process.cwd());
     }
     catch (e) {
-        // If file doesn't exist yet, we can't get realpath, so fallback to resolved path
+        // File doesn't exist yet, use resolved path
         absolutePath = resolvedPath;
         rootDir = path.resolve(process.cwd());
     }
-    if (!absolutePath.startsWith(rootDir) || (absolutePath.length > rootDir.length && absolutePath[rootDir.length] !== path.sep)) {
-        throw new Error(`Access denied: Path '${requestedPath}' (resolved to '${absolutePath}') is outside the project root '${rootDir}'.`);
+    // Ensure path is within project root (prevent directory traversal)
+    const relative = path.relative(rootDir, absolutePath);
+    if (relative.startsWith('..') || relative.startsWith('\\..')) {
+        throw new SecurityError(`Path '${requestedPath}' is outside project root`, 'PATH_TRAVERSAL');
     }
     return absolutePath;
 }
-function isPrivateIP(ip) {
-    // Remove brackets if present (IPv6 literals in hostnames)
-    const cleanIp = ip.replace(/^\[|\]$/g, '');
-    // IPv4 check
-    const parts = cleanIp.split('.').map(Number);
-    if (parts.length === 4) {
-        if (parts[0] === 127)
-            return true;
-        if (parts[0] === 10)
-            return true;
-        if (parts[0] === 172 && parts[1] >= 16 && parts[1] <= 31)
-            return true;
-        if (parts[0] === 192 && parts[1] === 168)
-            return true;
-        if (parts[0] === 0)
-            return true;
+function isPrivateIPv4(ip) {
+    const parts = ip.split('.').map(Number);
+    if (parts.length !== 4 || parts.some(p => isNaN(p) || p < 0 || p > 255)) {
         return false;
     }
-    // IPv6 check
-    // Normalize: remove leading/trailing colons and convert to lowercase
-    const normalized = cleanIp.toLowerCase();
-    // Loopback: ::1, 0:0:0:0:0:0:0:1
-    if (normalized === '::1' || normalized === '::' || normalized.replace(/:0/g, ':').replace(/^0+/, '') === '::1')
+    const [a, b, c] = parts;
+    return (a === 127 || // Loopback
+        a === 10 || // Private 10/8
+        (a === 172 && b >= 16 && b <= 31) || // Private 172.16/12
+        (a === 192 && b === 168) || // Private 192.168/16
+        a === 0 || // Current network
+        (a === 169 && b === 254) // Link-local
+    );
+}
+function isPrivateIPv6(ip) {
+    const normalized = ip.toLowerCase().replace(/^\[|\]$/g, '');
+    // Loopback
+    if (normalized === '::1' || normalized === '0:0:0:0:0:0:0:1')
         return true;
-    // Private/Link-local ranges
+    // Unique Local (fc00::/7)
     if (normalized.startsWith('fc') || normalized.startsWith('fd'))
-        return true; // Unique Local
-    if (normalized.startsWith('fe80'))
-        return true; // Link Local
-    if (normalized.startsWith('::ffff:7f') || normalized.startsWith('::ffff:10.') || normalized.startsWith('::ffff:192.168.'))
-        return true; // IPv4-mapped private
+        return true;
+    // Link Local (fe80::/10)
+    if (normalized.startsWith('fe8') || normalized.startsWith('fe9') ||
+        normalized.startsWith('fea') || normalized.startsWith('feb'))
+        return true;
+    // IPv4-mapped IPv6
+    if (normalized.startsWith('::ffff:')) {
+        const ipv4Part = normalized.slice(7);
+        return isPrivateIPv4(ipv4Part);
+    }
     return false;
 }
 export async function validatePublicUrl(urlString) {
-    const parsed = new URL(urlString);
+    let parsed;
+    try {
+        parsed = new URL(urlString);
+    }
+    catch {
+        throw new ValidationError('Invalid URL format');
+    }
     if (parsed.protocol !== 'http:' && parsed.protocol !== 'https:') {
-        throw new Error('Invalid protocol. Only http and https are allowed.');
+        throw new SecurityError('Only HTTP/HTTPS protocols allowed', 'INVALID_PROTOCOL');
+    }
+    // Check for IP literals
+    if (isPrivateIPv4(parsed.hostname)) {
+        throw new SecurityError(`Private IPv4 address not allowed: ${parsed.hostname}`, 'PRIVATE_IP');
     }
-    // 1. Direct check for IP literals in hostname
-    if (isPrivateIP(parsed.hostname)) {
-        throw new Error(`Access denied: Host '${parsed.hostname}' is a private IP`);
+    if (isPrivateIPv6(parsed.hostname)) {
+        throw new SecurityError(`Private IPv6 address not allowed: ${parsed.hostname}`, 'PRIVATE_IP');
     }
-    // 2. Resolve and check all resulting IPs
+    // DNS resolution check with timeout
     try {
-        const addresses = await dns.lookup(parsed.hostname, { all: true });
+        const addresses = await Promise.race([
+            dns.lookup(parsed.hostname, { all: true }),
+            new Promise((_, reject) => setTimeout(() => reject(new TimeoutError('DNS lookup timeout', CONFIG.DNS_TIMEOUT)), CONFIG.DNS_TIMEOUT)),
+        ]);
         for (const addr of addresses) {
-            if (isPrivateIP(addr.address)) {
-                throw new Error(`Access denied: Host '${parsed.hostname}' resolves to private IP ${addr.address}`);
+            if (isPrivateIPv4(addr.address) || isPrivateIPv6(addr.address)) {
+                throw new SecurityError(`Host resolves to private IP: ${addr.address}`, 'DNS_PRIVATE_IP');
             }
         }
     }
     catch (error) {
-        // If it's the specific access denied error, rethrow
-        if (error instanceof Error && error.message.startsWith('Access denied')) {
+        if (error instanceof SecurityError)
             throw error;
-        }
-        // Ignore other DNS errors, let fetch handle them
+        // Ignore other DNS errors, let actual fetch handle them
     }
 }
 class Logger {
     level;
-    constructor() {
-        this.level = process.env.LOG_LEVEL || 'info';
-    }
-    shouldLog(lvl) {
-        const levels = ['debug', 'info', 'warn', 'error'];
-        return levels.indexOf(lvl) >= levels.indexOf(this.level);
+    useColors;
+    output;
+    static LEVELS = ['debug', 'info', 'warn', 'error'];
+    static COLORS = {
+        debug: chalk.gray,
+        info: chalk.blue,
+        warn: chalk.yellow,
+        error: chalk.red,
+    };
+    constructor(options = {}) {
+        this.level = options.level ?? process.env.LOG_LEVEL ?? 'info';
+        this.useColors = options.useColors ?? chalk.level > 0;
+        this.output = options.output ?? 'stderr';
+    }
+    shouldLog(level) {
+        return Logger.LEVELS.indexOf(level) >= Logger.LEVELS.indexOf(this.level);
+    }
+    formatMessage(level, msg) {
+        const timestamp = new Date().toISOString();
+        const prefix = `[${timestamp}] [${level.toUpperCase()}]`;
+        return this.useColors ? Logger.COLORS[level](prefix) + ` ${msg}` : `${prefix} ${msg}`;
+    }
+    print(level, msg, ...args) {
+        if (!this.shouldLog(level))
+            return;
+        const output = this.output === 'stdout' ? console.log : console.error;
+        const formatted = this.formatMessage(level, msg);
+        if (args.length > 0) {
+            output(formatted, ...args);
+        }
+        else {
+            output(formatted);
+        }
     }
     debug(msg, ...args) {
-        if (this.shouldLog('debug'))
-            console.error(chalk.gray(`[DEBUG] ${msg}`), ...args);
+        this.print('debug', msg, ...args);
     }
     info(msg, ...args) {
-        if (this.shouldLog('info'))
-            console.error(chalk.blue(`[INFO] ${msg}`), ...args);
+        this.print('info', msg, ...args);
     }
     warn(msg, ...args) {
-        if (this.shouldLog('warn'))
-            console.error(chalk.yellow(`[WARN] ${msg}`), ...args);
+        this.print('warn', msg, ...args);
     }
     error(msg, ...args) {
-        if (this.shouldLog('error'))
-            console.error(chalk.red(`[ERROR] ${msg}`), ...args);
+        this.print('error', msg, ...args);
+    }
+    setLevel(level) {
+        this.level = level;
     }
 }
 export const logger = new Logger();
-// ============= ReDoS Protection =============
+// ==========================================
+// ReDoS Protection
+// ==========================================
 /**
- * Patterns that could cause ReDoS (Regular Expression Denial of Service)
- * These patterns contain nested quantifiers or catastrophic backtracking risks
- * Using RegExp constructor to avoid escaping issues
+ * ReDoS vulnerability patterns - detect nested quantifiers in regex patterns
+ * These patterns check if a regex pattern string contains dangerous nested quantifiers
  */
 const REDOS_PATTERNS = [
-    new RegExp('\\\\(\\\\.\\\\[\\\\*\\\\+\\\\]\\\\)\\\\1'), // Nested quantifiers
-    new RegExp('\\\\(\\\\[\\\\*\\\\+\\\\]\\\\[\\\\*\\\\+\\\\]\\\\)'), // Nested quantifiers
-    new RegExp('\\\\(\\\\[a-z\\\\]\\\\+\\\\)\\\\+'), // Ambiguous nested quantifiers
-    new RegExp('\\\\(\\\\[\\\\^\\\\s\\\\]\\\\+\\\\)\\\\+\\\\$'), // End-anchored
-    new RegExp('\\\\(\\\\d\\\\+\\\\)\\\\+\\\\$'), // End-anchored digits
+    /\([^)]*[*+][^)]*\)[*+]/, // Group with quantifier followed by quantifier: (a+)+, (.*)*
+    /\([^)]*\{[^}]+\}[^)]*\)[*+]/, // Group with {n} followed by quantifier
+    /\([^)]*[*+][^)]*\)\{[^}]+\}/, // Group with quantifier followed by {n}
+    /\(\[.*?\][*+]\)[*+]/, // Character class with quantifier in group followed by quantifier
 ];
-/**
- * Maximum regex pattern length to prevent overly complex patterns
- */
-const MAX_PATTERN_LENGTH = 500;
-/**
- * Maximum number of quantifiers allowed in a regex pattern
- */
-const MAX_QUANTIFIERS = 20;
-/**
- * Validate a regex pattern for ReDoS vulnerabilities
- * @throws Error if pattern is unsafe
- */
+export class ReDoSError extends SecurityError {
+    constructor(message) {
+        super(message, 'REDOS_DETECTED');
+    }
+}
 export function validateRegexPattern(pattern) {
-    // Check pattern length
-    if (pattern.length > MAX_PATTERN_LENGTH) {
-        throw new Error(`Regex pattern too long (${pattern.length} chars). Maximum is ${MAX_PATTERN_LENGTH}.`);
+    if (pattern.length > CONFIG.MAX_PATTERN_LENGTH) {
+        throw new ReDoSError(`Pattern exceeds ${CONFIG.MAX_PATTERN_LENGTH} characters`);
     }
-    // Count quantifiers to detect complex patterns
-    const quantifierCount = (pattern.match(/[*+?{]/g) || []).length;
-    if (quantifierCount > MAX_QUANTIFIERS) {
-        throw new Error(`Regex pattern contains too many quantifiers (${quantifierCount}). Maximum is ${MAX_QUANTIFIERS}.`);
+    const quantifiers = (pattern.match(/[*+?{]/g) || []).length;
+    if (quantifiers > CONFIG.MAX_QUANTIFIERS) {
+        throw new ReDoSError(`Pattern contains too many quantifiers (${quantifiers})`);
     }
-    // Check for known ReDoS patterns
+    // Check known ReDoS patterns
     for (const redosPattern of REDOS_PATTERNS) {
         if (redosPattern.test(pattern)) {
-            throw new Error(`Regex pattern contains a known ReDoS vulnerability pattern. ` +
-                `Please simplify your regex or contact maintainers.`);
+            throw new ReDoSError(`Pattern matches known ReDoS structure: ${redosPattern.source}`);
         }
     }
-    // Test the regex with a timeout to catch catastrophic backtracking
+    // Test with timeout using Web Workers or setImmediate to not block
+    testRegexPerformance(pattern);
+}
+function testRegexPerformance(pattern) {
+    let regex;
     try {
-        const regex = new RegExp(pattern, 'g');
-        const testString = 'a'.repeat(100); // 100 chars
-        // Use a timeout to catch slow patterns
-        const startTime = Date.now();
-        const TEST_TIMEOUT = 100; // 100ms max
-        let iterations = 0;
-        const MAX_ITERATIONS = 1000;
-        while (regex.exec(testString) !== null && iterations < MAX_ITERATIONS) {
-            iterations++;
-            if (Date.now() - startTime > TEST_TIMEOUT) {
-                throw new Error(`Regex pattern causes catastrophic backtracking. ` +
-                    `Please simplify your pattern.`);
-            }
-        }
+        regex = new RegExp(pattern, 'g');
     }
-    catch (error) {
-        if (error instanceof Error && error.message.includes('catastrophic')) {
-            throw error;
+    catch (e) {
+        throw new ValidationError(`Invalid regex syntax: ${e}`);
+    }
+    // Simple backtracking test with exponential string
+    const testStrings = [
+        'a'.repeat(20) + (pattern.includes('(') ? 'b' : ''), // Quick fail
+        'a'.repeat(50), // Potential backtracking target
+    ];
+    for (const testStr of testStrings) {
+        const start = performance.now();
+        try {
+            regex.lastIndex = 0;
+            regex.test(testStr);
+            regex.exec(testStr);
+        }
+        catch {
+            // Syntax errors already caught
+        }
+        if (performance.now() - start > 100) {
+            throw new ReDoSError(`Pattern performance too slow (potential ReDoS)`);
         }
-        // Other regex errors are fine (like invalid syntax) - let them propagate
     }
 }
-/**
- * Create a RegExp object with ReDoS protection
- * @param pattern - The regex pattern
- * @param flags - Regex flags (g, i, m, etc.)
- * @returns Safe RegExp object
- * @throws Error if pattern is unsafe
- */
 export function createSafeRegex(pattern, flags) {
     validateRegexPattern(pattern);
     return new RegExp(pattern, flags);
 }
+// ==========================================
+// HTTP Utilities
+// ==========================================
 export const DEFAULT_HEADERS = {
     'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36',
     'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8',
     'Accept-Language': 'en-US,en;q=0.9',
+    'Accept-Encoding': 'gzip, deflate, br',
 };
-export async function fetchWithRetry(url, options = {}, retries = 3, backoff = 1000) {
+export async function fetchWithRetry(url, options = {}) {
+    const retries = options.retries ?? CONFIG.RETRY.MAX_RETRIES;
+    let backoff = options.backoff ?? CONFIG.RETRY.BASE_DELAY;
+    if (options.validateUrl !== false) {
+        await validatePublicUrl(url);
+    }
     const fetchOptions = {
         ...options,
-        headers: { ...DEFAULT_HEADERS, ...options.headers }
+        headers: {
+            ...DEFAULT_HEADERS,
+            ...options.headers,
+        },
     };
-    try {
-        const response = await fetch(url, fetchOptions);
-        if (response.status === 429 && retries > 0) {
-            const retryAfter = response.headers.get('Retry-After');
-            const waitTime = retryAfter ? parseInt(retryAfter) * 1000 : backoff;
-            await new Promise(resolve => setTimeout(resolve, waitTime));
-            return fetchWithRetry(url, options, retries - 1, backoff * 2);
-        }
-        if (!response.ok && retries > 0 && response.status >= 500) {
-            await new Promise(resolve => setTimeout(resolve, backoff));
-            return fetchWithRetry(url, options, retries - 1, backoff * 2);
+    let lastError;
+    for (let attempt = 0; attempt <= retries; attempt++) {
+        try {
+            const response = await fetch(url, fetchOptions);
+            if (response.status === 429 && attempt < retries) {
+                const retryAfter = response.headers.get('Retry-After');
+                const delay = retryAfter ? parseInt(retryAfter, 10) * 1000 : backoff;
+                await sleep(delay);
+                backoff *= CONFIG.RETRY.BACKOFF_MULTIPLIER;
+                continue;
+            }
+            if (!response.ok && response.status >= 500 && attempt < retries) {
+                await sleep(backoff);
+                backoff *= CONFIG.RETRY.BACKOFF_MULTIPLIER;
+                continue;
+            }
+            return response;
         }
-        return response;
-    }
-    catch (error) {
-        if (retries > 0) {
-            await new Promise(resolve => setTimeout(resolve, backoff));
-            return fetchWithRetry(url, options, retries - 1, backoff * 2);
+        catch (error) {
+            lastError = error instanceof Error ? error : new Error(String(error));
+            if (attempt < retries) {
+                await sleep(backoff);
+                backoff *= CONFIG.RETRY.BACKOFF_MULTIPLIER;
+            }
         }
-        throw error;
     }
+    throw lastError ?? new Error('Fetch failed after all retries');
 }
-export async function withRetry(fn, maxRetries = 3, baseDelay = 100) {
-    let lastError;
+export async function withRetry(fn, options = {}) {
+    const maxRetries = options.maxRetries ?? 3;
+    const baseDelay = options.baseDelay ?? 100;
     for (let i = 0; i < maxRetries; i++) {
         try {
             return await fn();
         }
         catch (error) {
-            lastError = error;
-            // Don't retry on certain errors
-            if (error.code === 'ENOENT' || error.code === 'EACCES' || error.code === 'EPERM') {
-                throw error;
+            const err = error instanceof Error ? error : new Error(String(error));
+            if (options.shouldRetry && !options.shouldRetry(err)) {
+                throw err;
             }
-            if (i < maxRetries - 1) {
-                const delay = baseDelay * Math.pow(2, i);
-                console.warn(`[Retry] Attempt ${i + 1} failed, retrying in ${delay}ms...`);
-                await new Promise(resolve => setTimeout(resolve, delay));
+            if (err instanceof SecurityError ||
+                err.code === 'ENOENT' ||
+                err.code === 'EACCES') {
+                throw err;
             }
-        }
-    }
-    throw lastError;
-}
-export class FileLock {
-    locks = new Map();
-    async acquire(filePath, timeout = 5000) {
-        const startTime = Date.now();
-        while (this.locks.has(filePath)) {
-            if (Date.now() - startTime > timeout) {
-                throw new Error(`Timeout acquiring lock for ${filePath}`);
+            if (i === maxRetries - 1) {
+                throw err;
             }
-            await new Promise(resolve => setTimeout(resolve, 10));
+            const delay = baseDelay * Math.pow(2, i);
+            options.onRetry?.(err, i + 1);
+            await sleep(delay);
         }
-        this.locks.set(filePath, true);
-        return {
-            release: () => {
-                this.locks.delete(filePath);
-            }
-        };
     }
+    throw new Error('Unreachable');
 }
-export const fileLock = new FileLock();
-export function sanitizeInput(input, maxLength = 10000) {
+function sleep(ms) {
+    return new Promise(resolve => setTimeout(resolve, ms));
+}
+export function sanitizeInput(input, options = {}) {
+    const config = {
+        maxLength: CONFIG.MAX_INPUT_LENGTH,
+        removeNull: true,
+        trim: true,
+        ...options,
+    };
     if (typeof input !== 'string') {
         return '';
     }
-    // Trim whitespace
-    let sanitized = input.trim();
-    // Limit length
-    if (sanitized.length > maxLength) {
-        sanitized = sanitized.substring(0, maxLength);
+    let sanitized = input;
+    if (config.trim) {
+        sanitized = sanitized.trim();
+    }
+    if (config.removeNull) {
+        sanitized = sanitized.replace(/\x00/g, '');
+    }
+    if (config.allowedPattern) {
+        sanitized = sanitized.replace(config.allowedPattern, '');
+    }
+    // Normalize Unicode to prevent homograph attacks
+    try {
+        sanitized = sanitized.normalize('NFC');
+    }
+    catch {
+        // Invalid UTF-16 sequences, return empty or partial
+        sanitized = sanitized.replace(/[\uDC00-\uDFFF]/g, '').replace(/[\uD800-\uDBFF](?![\uDC00-\uDFFF])/g, '');
+        sanitized = sanitized.normalize('NFC');
+    }
+    if (sanitized.length > config.maxLength) {
+        sanitized = sanitized.substring(0, config.maxLength);
     }
-    // Remove null bytes
-    sanitized = sanitized.replace(/\x00/g, '');
-    // Normalize unicode (prevent homograph attacks)
-    sanitized = sanitized.normalize('NFC');
     return sanitized;
 }
+// ==========================================
+// Exports
+// ==========================================
+export { CONFIG, SAFE_COMMANDS, parseCommand, isPrivateIPv4, isPrivateIPv6, Logger, };