@hyperfrontend/project-scope 0.2.2 → 0.2.3

package/heuristics/framework/index.esm.js

@@ -9,6 +9,7 @@ import { join as join$1 } from 'node:path';
 import { createError } from '../../_dependencies/@hyperfrontend/immutable-api-utils/built-in-copy/error/index.esm.js';
 import { existsSync, readFileSync, statSync, lstatSync, readdirSync } from 'node:fs';
 import { min } from '../../_dependencies/@hyperfrontend/immutable-api-utils/built-in-copy/math/index.esm.js';
+import { isSafePath } from '../../_shared/core/fs/guard/index.esm.js';
 import { isDirectory, exists } from '../../_shared/core/fs/stat/index.esm.js';
 import { join } from '../../_shared/core/path/join/index.esm.js';
 import { createCache } from '../../_shared/core/cache/index.esm.js';
@@ -199,7 +200,7 @@ function createFileSystemError(message, code, context) {
  * ```
  */
 function readFileIfExists(filePath, encoding = 'utf-8') {
-    if (!existsSync(filePath)) {
+    if (!isSafePath(filePath) || !existsSync(filePath)) {
         return null;
     }
     try {

package/heuristics/index.cjs.js

@@ -11,7 +11,9 @@ const index_cjs_js$5 = require('../_dependencies/@hyperfrontend/immutable-api-ut
 const index_cjs_js$1 = require('../_dependencies/@hyperfrontend/logging/index.cjs.js');
 const index_cjs_js$6 = require('../_dependencies/@hyperfrontend/immutable-api-utils/built-in-copy/error/index.cjs.js');
 const index_cjs_js$8 = require('../_dependencies/@hyperfrontend/immutable-api-utils/built-in-copy/math/index.cjs.js');
+const { isSafePath } = require('../_shared/core/fs/guard/index.cjs.js');
 const { isFile, isDirectory, exists } = require('../_shared/core/fs/stat/index.cjs.js');
+const { isWithinRoot } = require('../_shared/core/path/confine/index.cjs.js');
 const { join } = require('../_shared/core/path/join/index.cjs.js');
 const { createCache } = require('../_shared/core/cache/index.cjs.js');
 const { matchGlobPattern } = require('../_shared/core/patterns/glob/index.cjs.js');
@@ -203,6 +205,9 @@ function createFileSystemError(message, code, context) {
  * ```
  */
 function readFileContent(filePath, encoding = 'utf-8') {
+    if (!isSafePath(filePath)) {
+        throw createFileSystemError(`Unsafe file path: ${filePath}`, 'FS_READ_ERROR', { path: filePath, operation: 'read' });
+    }
     if (!node_fs.existsSync(filePath)) {
         fsLogger.debug('File not found', { path: filePath });
         throw createFileSystemError(`File not found: ${filePath}`, 'FS_NOT_FOUND', { path: filePath, operation: 'read' });
@@ -231,7 +236,7 @@ function readFileContent(filePath, encoding = 'utf-8') {
  * ```
  */
 function readFileIfExists(filePath, encoding = 'utf-8') {
-    if (!node_fs.existsSync(filePath)) {
+    if (!isSafePath(filePath) || !node_fs.existsSync(filePath)) {
         return null;
     }
     try {
@@ -440,6 +445,10 @@ function resolveImportPath(importPath, fromFile, projectPath, extensions) {
     }
     const fromDir = node_path.dirname(fromFile);
     const absolutePath = node_path.resolve(fromDir, importPath);
+    // why: An import string comes from untrusted source code; reject targets that escape the project root before any stat, so a hostile `../../etc/passwd` can't probe the filesystem.
+    if (!isWithinRoot(projectPath, absolutePath)) {
+        return null;
+    }
     if (exists(absolutePath)) {
         if (isFile(absolutePath)) {
             return node_path.relative(projectPath, absolutePath);

package/heuristics/index.esm.js

@@ -1,15 +1,17 @@
-import { join as join$1, relative, dirname, resolve } from 'node:path';
+import { join as join$1, normalize, sep, resolve, relative, dirname } from 'node:path';
 import { createMap } from '../_dependencies/@hyperfrontend/immutable-api-utils/built-in-copy/map/index.esm.js';
 import { freeze, entries, keys, defineProperties, values } from '../_dependencies/@hyperfrontend/immutable-api-utils/built-in-copy/object/index.esm.js';
 import { createSet } from '../_dependencies/@hyperfrontend/immutable-api-utils/built-in-copy/set/index.esm.js';
-import { existsSync, readFileSync, statSync, lstatSync, readdirSync } from 'node:fs';
+import { existsSync, readFileSync, statSync, lstatSync, readdirSync, realpathSync } from 'node:fs';
 import { isArray } from '../_dependencies/@hyperfrontend/immutable-api-utils/built-in-copy/array/index.esm.js';
 import { error, warn, log, info, debug } from '../_dependencies/@hyperfrontend/immutable-api-utils/built-in-copy/console/index.esm.js';
 import { stringify, parse } from '../_dependencies/@hyperfrontend/immutable-api-utils/built-in-copy/json/index.esm.js';
 import { createLogger } from '../_dependencies/@hyperfrontend/logging/index.esm.js';
 import { createError } from '../_dependencies/@hyperfrontend/immutable-api-utils/built-in-copy/error/index.esm.js';
 import { min, round } from '../_dependencies/@hyperfrontend/immutable-api-utils/built-in-copy/math/index.esm.js';
+import { isSafePath } from '../_shared/core/fs/guard/index.esm.js';
 import { isFile, isDirectory, exists } from '../_shared/core/fs/stat/index.esm.js';
+import { isWithinRoot } from '../_shared/core/path/confine/index.esm.js';
 import { join } from '../_shared/core/path/join/index.esm.js';
 import { createCache } from '../_shared/core/cache/index.esm.js';
 import { matchGlobPattern } from '../_shared/core/patterns/glob/index.esm.js';
@@ -201,6 +203,9 @@ function createFileSystemError(message, code, context) {
  * ```
  */
 function readFileContent(filePath, encoding = 'utf-8') {
+    if (!isSafePath(filePath)) {
+        throw createFileSystemError(`Unsafe file path: ${filePath}`, 'FS_READ_ERROR', { path: filePath, operation: 'read' });
+    }
     if (!existsSync(filePath)) {
         fsLogger.debug('File not found', { path: filePath });
         throw createFileSystemError(`File not found: ${filePath}`, 'FS_NOT_FOUND', { path: filePath, operation: 'read' });
@@ -229,7 +234,7 @@ function readFileContent(filePath, encoding = 'utf-8') {
  * ```
  */
 function readFileIfExists(filePath, encoding = 'utf-8') {
-    if (!existsSync(filePath)) {
+    if (!isSafePath(filePath) || !existsSync(filePath)) {
         return null;
     }
     try {
@@ -438,6 +443,10 @@ function resolveImportPath(importPath, fromFile, projectPath, extensions) {
     }
     const fromDir = dirname(fromFile);
     const absolutePath = resolve(fromDir, importPath);
+    // why: An import string comes from untrusted source code; reject targets that escape the project root before any stat, so a hostile `../../etc/passwd` can't probe the filesystem.
+    if (!isWithinRoot(projectPath, absolutePath)) {
+        return null;
+    }
     if (exists(absolutePath)) {
         if (isFile(absolutePath)) {
             return relative(projectPath, absolutePath);

package/heuristics/project-type/index.cjs.js

@@ -11,6 +11,7 @@ const index_cjs_js = require('../../_dependencies/@hyperfrontend/immutable-api-u
 const index_cjs_js$1 = require('../../_dependencies/@hyperfrontend/logging/index.cjs.js');
 const index_cjs_js$6 = require('../../_dependencies/@hyperfrontend/immutable-api-utils/built-in-copy/error/index.cjs.js');
 const index_cjs_js$7 = require('../../_dependencies/@hyperfrontend/immutable-api-utils/built-in-copy/map/index.cjs.js');
+const { isSafePath } = require('../../_shared/core/fs/guard/index.cjs.js');
 const { isDirectory, exists } = require('../../_shared/core/fs/stat/index.cjs.js');
 const { join } = require('../../_shared/core/path/join/index.cjs.js');
 const { createCache } = require('../../_shared/core/cache/index.cjs.js');
@@ -201,7 +202,7 @@ function createFileSystemError(message, code, context) {
  * ```
  */
 function readFileIfExists(filePath, encoding = 'utf-8') {
-    if (!node_fs.existsSync(filePath)) {
+    if (!isSafePath(filePath) || !node_fs.existsSync(filePath)) {
         return null;
     }
     try {

package/heuristics/project-type/index.esm.js

@@ -9,6 +9,7 @@ import { createSet } from '../../_dependencies/@hyperfrontend/immutable-api-util
 import { createLogger } from '../../_dependencies/@hyperfrontend/logging/index.esm.js';
 import { createError } from '../../_dependencies/@hyperfrontend/immutable-api-utils/built-in-copy/error/index.esm.js';
 import { createMap } from '../../_dependencies/@hyperfrontend/immutable-api-utils/built-in-copy/map/index.esm.js';
+import { isSafePath } from '../../_shared/core/fs/guard/index.esm.js';
 import { isDirectory, exists } from '../../_shared/core/fs/stat/index.esm.js';
 import { join } from '../../_shared/core/path/join/index.esm.js';
 import { createCache } from '../../_shared/core/cache/index.esm.js';
@@ -199,7 +200,7 @@ function createFileSystemError(message, code, context) {
  * ```
  */
 function readFileIfExists(filePath, encoding = 'utf-8') {
-    if (!existsSync(filePath)) {
+    if (!isSafePath(filePath) || !existsSync(filePath)) {
         return null;
     }
     try {

package/index.cjs.js

@@ -15,9 +15,11 @@ const index_cjs_js$8 = require('./_dependencies/@hyperfrontend/immutable-api-uti
 const index_cjs_js$9 = require('./_dependencies/@hyperfrontend/immutable-api-utils/built-in-copy/number/index.cjs.js');
 const node_util = require('node:util');
 const node_os = require('node:os');
+const { isSafePath } = require('./_shared/core/fs/guard/index.cjs.js');
 const { getFileStat, isFile, isDirectory, isSymlink, exists } = require('./_shared/core/fs/stat/index.cjs.js');
-const { join, joinPosix } = require('./_shared/core/path/join/index.cjs.js');
 const { normalizePath, normalizeToForwardSlashes, normalizeToNative, removeTrailingSlash, ensureTrailingSlash } = require('./_shared/core/path/normalize/index.cjs.js');
+const { isWithinRoot } = require('./_shared/core/path/confine/index.cjs.js');
+const { join, joinPosix } = require('./_shared/core/path/join/index.cjs.js');
 const { resolvePath, resolveFromWorkspace, resolveRealPath, relativePath, joinPath, isAbsolute, offsetFromRoot } = require('./_shared/core/path/resolve/index.cjs.js');
 const { pathSegments, getBasename, getDirname, getExtension, getFileNameWithoutExtension, parsePath } = require('./_shared/core/path/segments/index.cjs.js');
 const { createStructuredError, createConfigError, createFsError, createParseError, createValidationError } = require('./_shared/core/errors/structured-errors/index.cjs.js');
@@ -270,6 +272,9 @@ function createFileSystemError(message, code, context) {
  * ```
  */
 function readFileContent(filePath, encoding = 'utf-8') {
+    if (!isSafePath(filePath)) {
+        throw createFileSystemError(`Unsafe file path: ${filePath}`, 'FS_READ_ERROR', { path: filePath, operation: 'read' });
+    }
     if (!node_fs.existsSync(filePath)) {
         fsLogger.debug('File not found', { path: filePath });
         throw createFileSystemError(`File not found: ${filePath}`, 'FS_NOT_FOUND', { path: filePath, operation: 'read' });
@@ -296,6 +301,9 @@ function readFileContent(filePath, encoding = 'utf-8') {
  * ```
  */
 function readFileBuffer(filePath) {
+    if (!isSafePath(filePath)) {
+        throw createFileSystemError(`Unsafe file path: ${filePath}`, 'FS_READ_ERROR', { path: filePath, operation: 'read' });
+    }
     if (!node_fs.existsSync(filePath)) {
         throw createFileSystemError(`File not found: ${filePath}`, 'FS_NOT_FOUND', { path: filePath, operation: 'read' });
     }
@@ -322,7 +330,7 @@ function readFileBuffer(filePath) {
  * ```
  */
 function readFileIfExists(filePath, encoding = 'utf-8') {
-    if (!node_fs.existsSync(filePath)) {
+    if (!isSafePath(filePath) || !node_fs.existsSync(filePath)) {
         return null;
     }
     try {
@@ -354,6 +362,9 @@ function readFileIfExists(filePath, encoding = 'utf-8') {
  * ```
  */
 function readJsonFile(filePath, options) {
+    if (!isSafePath(filePath)) {
+        throw createFileSystemError(`Unsafe file path: ${filePath}`, 'FS_READ_ERROR', { path: filePath, operation: 'read' });
+    }
     if (!node_fs.existsSync(filePath)) {
         if (options && 'default' in options) {
             fsLogger.debug('JSON file not found, using default', { path: filePath });
@@ -393,7 +404,7 @@ function readJsonFile(filePath, options) {
  * ```
  */
 function readJsonFileIfExists(filePath) {
-    if (!node_fs.existsSync(filePath)) {
+    if (!isSafePath(filePath) || !node_fs.existsSync(filePath)) {
         return null;
     }
     try {
@@ -1172,6 +1183,10 @@ function resolveImportPath(importPath, fromFile, projectPath, extensions) {
     }
     const fromDir = node_path.dirname(fromFile);
     const absolutePath = node_path.resolve(fromDir, importPath);
+    // why: An import string comes from untrusted source code; reject targets that escape the project root before any stat, so a hostile `../../etc/passwd` can't probe the filesystem.
+    if (!isWithinRoot(projectPath, absolutePath)) {
+        return null;
+    }
     if (exists(absolutePath)) {
         if (isFile(absolutePath)) {
             return node_path.relative(projectPath, absolutePath);

package/index.esm.js

@@ -1,4 +1,4 @@
-import { join as join$1, posix, normalize, sep, isAbsolute as isAbsolute$1, relative, resolve, basename, dirname, extname, parse as parse$1 } from 'node:path';
+import { join as join$1, normalize, sep, resolve, posix, isAbsolute as isAbsolute$1, relative, basename, dirname, extname, parse as parse$1 } from 'node:path';
 import { dateNow, createDate } from './_dependencies/@hyperfrontend/immutable-api-utils/built-in-copy/date/index.esm.js';
 import { existsSync, readFileSync, statSync, lstatSync, mkdirSync, readdirSync, rmSync, realpathSync, writeFileSync, mkdtempSync, unlinkSync, rmdirSync, chmodSync, readlinkSync } from 'node:fs';
 import { isArray, from } from './_dependencies/@hyperfrontend/immutable-api-utils/built-in-copy/array/index.esm.js';
@@ -13,9 +13,11 @@ import { min, round, max } from './_dependencies/@hyperfrontend/immutable-api-ut
 import { parseInt, parseFloat } from './_dependencies/@hyperfrontend/immutable-api-utils/built-in-copy/number/index.esm.js';
 import { parseArgs } from 'node:util';
 import { tmpdir, platform, arch } from 'node:os';
+import { isSafePath } from './_shared/core/fs/guard/index.esm.js';
 import { getFileStat, isFile, isDirectory, isSymlink, exists } from './_shared/core/fs/stat/index.esm.js';
-import { join, joinPosix } from './_shared/core/path/join/index.esm.js';
 import { normalizePath, normalizeToForwardSlashes, normalizeToNative, removeTrailingSlash, ensureTrailingSlash } from './_shared/core/path/normalize/index.esm.js';
+import { isWithinRoot } from './_shared/core/path/confine/index.esm.js';
+import { join, joinPosix } from './_shared/core/path/join/index.esm.js';
 import { resolvePath, resolveFromWorkspace, resolveRealPath, relativePath, joinPath, isAbsolute, offsetFromRoot } from './_shared/core/path/resolve/index.esm.js';
 import { pathSegments, getBasename, getDirname, getExtension, getFileNameWithoutExtension, parsePath } from './_shared/core/path/segments/index.esm.js';
 import { createStructuredError, createConfigError, createFsError, createParseError, createValidationError } from './_shared/core/errors/structured-errors/index.esm.js';
@@ -268,6 +270,9 @@ function createFileSystemError(message, code, context) {
  * ```
  */
 function readFileContent(filePath, encoding = 'utf-8') {
+    if (!isSafePath(filePath)) {
+        throw createFileSystemError(`Unsafe file path: ${filePath}`, 'FS_READ_ERROR', { path: filePath, operation: 'read' });
+    }
     if (!existsSync(filePath)) {
         fsLogger.debug('File not found', { path: filePath });
         throw createFileSystemError(`File not found: ${filePath}`, 'FS_NOT_FOUND', { path: filePath, operation: 'read' });
@@ -294,6 +299,9 @@ function readFileContent(filePath, encoding = 'utf-8') {
  * ```
  */
 function readFileBuffer(filePath) {
+    if (!isSafePath(filePath)) {
+        throw createFileSystemError(`Unsafe file path: ${filePath}`, 'FS_READ_ERROR', { path: filePath, operation: 'read' });
+    }
     if (!existsSync(filePath)) {
         throw createFileSystemError(`File not found: ${filePath}`, 'FS_NOT_FOUND', { path: filePath, operation: 'read' });
     }
@@ -320,7 +328,7 @@ function readFileBuffer(filePath) {
  * ```
  */
 function readFileIfExists(filePath, encoding = 'utf-8') {
-    if (!existsSync(filePath)) {
+    if (!isSafePath(filePath) || !existsSync(filePath)) {
         return null;
     }
     try {
@@ -352,6 +360,9 @@ function readFileIfExists(filePath, encoding = 'utf-8') {
  * ```
  */
 function readJsonFile(filePath, options) {
+    if (!isSafePath(filePath)) {
+        throw createFileSystemError(`Unsafe file path: ${filePath}`, 'FS_READ_ERROR', { path: filePath, operation: 'read' });
+    }
     if (!existsSync(filePath)) {
         if (options && 'default' in options) {
             fsLogger.debug('JSON file not found, using default', { path: filePath });
@@ -391,7 +402,7 @@ function readJsonFile(filePath, options) {
  * ```
  */
 function readJsonFileIfExists(filePath) {
-    if (!existsSync(filePath)) {
+    if (!isSafePath(filePath) || !existsSync(filePath)) {
         return null;
     }
     try {
@@ -1170,6 +1181,10 @@ function resolveImportPath(importPath, fromFile, projectPath, extensions) {
     }
     const fromDir = dirname(fromFile);
     const absolutePath = resolve(fromDir, importPath);
+    // why: An import string comes from untrusted source code; reject targets that escape the project root before any stat, so a hostile `../../etc/passwd` can't probe the filesystem.
+    if (!isWithinRoot(projectPath, absolutePath)) {
+        return null;
+    }
     if (exists(absolutePath)) {
         if (isFile(absolutePath)) {
             return relative(projectPath, absolutePath);

package/nx/index.cjs.js

@@ -10,6 +10,7 @@ const index_cjs_js = require('../_dependencies/@hyperfrontend/immutable-api-util
 const index_cjs_js$1 = require('../_dependencies/@hyperfrontend/logging/index.cjs.js');
 const index_cjs_js$6 = require('../_dependencies/@hyperfrontend/immutable-api-utils/built-in-copy/error/index.cjs.js');
 const index_cjs_js$7 = require('../_dependencies/@hyperfrontend/immutable-api-utils/built-in-copy/map/index.cjs.js');
+const { isSafePath } = require('../_shared/core/fs/guard/index.cjs.js');
 const { isDirectory, exists } = require('../_shared/core/fs/stat/index.cjs.js');
 const { join } = require('../_shared/core/path/join/index.cjs.js');
 
@@ -197,7 +198,7 @@ function createFileSystemError(message, code, context) {
  * ```
  */
 function readFileIfExists(filePath, encoding = 'utf-8') {
-    if (!node_fs.existsSync(filePath)) {
+    if (!isSafePath(filePath) || !node_fs.existsSync(filePath)) {
         return null;
     }
     try {
@@ -221,7 +222,7 @@ function readFileIfExists(filePath, encoding = 'utf-8') {
  * ```
  */
 function readJsonFileIfExists(filePath) {
-    if (!node_fs.existsSync(filePath)) {
+    if (!isSafePath(filePath) || !node_fs.existsSync(filePath)) {
         return null;
     }
     try {

package/nx/index.esm.js

@@ -8,6 +8,7 @@ import { createSet } from '../_dependencies/@hyperfrontend/immutable-api-utils/b
 import { createLogger } from '../_dependencies/@hyperfrontend/logging/index.esm.js';
 import { createError } from '../_dependencies/@hyperfrontend/immutable-api-utils/built-in-copy/error/index.esm.js';
 import { createMap } from '../_dependencies/@hyperfrontend/immutable-api-utils/built-in-copy/map/index.esm.js';
+import { isSafePath } from '../_shared/core/fs/guard/index.esm.js';
 import { isDirectory, exists } from '../_shared/core/fs/stat/index.esm.js';
 import { join } from '../_shared/core/path/join/index.esm.js';
 
@@ -195,7 +196,7 @@ function createFileSystemError(message, code, context) {
  * ```
  */
 function readFileIfExists(filePath, encoding = 'utf-8') {
-    if (!existsSync(filePath)) {
+    if (!isSafePath(filePath) || !existsSync(filePath)) {
         return null;
     }
     try {
@@ -219,7 +220,7 @@ function readFileIfExists(filePath, encoding = 'utf-8') {
  * ```
  */
 function readJsonFileIfExists(filePath) {
-    if (!existsSync(filePath)) {
+    if (!isSafePath(filePath) || !existsSync(filePath)) {
         return null;
     }
     try {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@hyperfrontend/project-scope",
-  "version": "0.2.2",
+  "version": "0.2.3",
   "description": "Codebase analysis, project topology detection, and virtual file system utilities for Node.js projects.",
   "exports": {
     "./package.json": "./package.json",

package/project/config/index.cjs.js

@@ -11,6 +11,7 @@ const index_cjs_js$6 = require('../../_dependencies/@hyperfrontend/immutable-api
 const index_cjs_js$3 = require('../../_dependencies/@hyperfrontend/logging/index.cjs.js');
 const index_cjs_js$7 = require('../../_dependencies/@hyperfrontend/immutable-api-utils/built-in-copy/error/index.cjs.js');
 const index_cjs_js$8 = require('../../_dependencies/@hyperfrontend/immutable-api-utils/built-in-copy/number/index.cjs.js');
+const { isSafePath } = require('../../_shared/core/fs/guard/index.cjs.js');
 const { isDirectory, exists } = require('../../_shared/core/fs/stat/index.cjs.js');
 const { createConfigError } = require('../../_shared/core/errors/structured-errors/index.cjs.js');
 const { createCache } = require('../../_shared/core/cache/index.cjs.js');
@@ -202,6 +203,9 @@ function createFileSystemError(message, code, context) {
  * ```
  */
 function readFileContent(filePath, encoding = 'utf-8') {
+    if (!isSafePath(filePath)) {
+        throw createFileSystemError(`Unsafe file path: ${filePath}`, 'FS_READ_ERROR', { path: filePath, operation: 'read' });
+    }
     if (!node_fs.existsSync(filePath)) {
         fsLogger.debug('File not found', { path: filePath });
         throw createFileSystemError(`File not found: ${filePath}`, 'FS_NOT_FOUND', { path: filePath, operation: 'read' });
@@ -230,7 +234,7 @@ function readFileContent(filePath, encoding = 'utf-8') {
  * ```
  */
 function readFileIfExists(filePath, encoding = 'utf-8') {
-    if (!node_fs.existsSync(filePath)) {
+    if (!isSafePath(filePath) || !node_fs.existsSync(filePath)) {
         return null;
     }
     try {

package/project/config/index.esm.js

@@ -9,6 +9,7 @@ import { stringify, parse } from '../../_dependencies/@hyperfrontend/immutable-a
 import { createLogger } from '../../_dependencies/@hyperfrontend/logging/index.esm.js';
 import { createError } from '../../_dependencies/@hyperfrontend/immutable-api-utils/built-in-copy/error/index.esm.js';
 import { parseInt, parseFloat } from '../../_dependencies/@hyperfrontend/immutable-api-utils/built-in-copy/number/index.esm.js';
+import { isSafePath } from '../../_shared/core/fs/guard/index.esm.js';
 import { isDirectory, exists } from '../../_shared/core/fs/stat/index.esm.js';
 import { createConfigError } from '../../_shared/core/errors/structured-errors/index.esm.js';
 import { createCache } from '../../_shared/core/cache/index.esm.js';
@@ -200,6 +201,9 @@ function createFileSystemError(message, code, context) {
  * ```
  */
 function readFileContent(filePath, encoding = 'utf-8') {
+    if (!isSafePath(filePath)) {
+        throw createFileSystemError(`Unsafe file path: ${filePath}`, 'FS_READ_ERROR', { path: filePath, operation: 'read' });
+    }
     if (!existsSync(filePath)) {
         fsLogger.debug('File not found', { path: filePath });
         throw createFileSystemError(`File not found: ${filePath}`, 'FS_NOT_FOUND', { path: filePath, operation: 'read' });
@@ -228,7 +232,7 @@ function readFileContent(filePath, encoding = 'utf-8') {
  * ```
  */
 function readFileIfExists(filePath, encoding = 'utf-8') {
-    if (!existsSync(filePath)) {
+    if (!isSafePath(filePath) || !existsSync(filePath)) {
         return null;
     }
     try {

package/project/index.cjs.js

@@ -11,6 +11,7 @@ const index_cjs_js$6 = require('../_dependencies/@hyperfrontend/immutable-api-ut
 const index_cjs_js$3 = require('../_dependencies/@hyperfrontend/logging/index.cjs.js');
 const index_cjs_js$7 = require('../_dependencies/@hyperfrontend/immutable-api-utils/built-in-copy/error/index.cjs.js');
 const index_cjs_js$8 = require('../_dependencies/@hyperfrontend/immutable-api-utils/built-in-copy/number/index.cjs.js');
+const { isSafePath } = require('../_shared/core/fs/guard/index.cjs.js');
 const { isDirectory, exists } = require('../_shared/core/fs/stat/index.cjs.js');
 const { join } = require('../_shared/core/path/join/index.cjs.js');
 const { createConfigError } = require('../_shared/core/errors/structured-errors/index.cjs.js');
@@ -203,6 +204,9 @@ function createFileSystemError(message, code, context) {
  * ```
  */
 function readFileContent(filePath, encoding = 'utf-8') {
+    if (!isSafePath(filePath)) {
+        throw createFileSystemError(`Unsafe file path: ${filePath}`, 'FS_READ_ERROR', { path: filePath, operation: 'read' });
+    }
     if (!node_fs.existsSync(filePath)) {
         fsLogger.debug('File not found', { path: filePath });
         throw createFileSystemError(`File not found: ${filePath}`, 'FS_NOT_FOUND', { path: filePath, operation: 'read' });
@@ -231,7 +235,7 @@ function readFileContent(filePath, encoding = 'utf-8') {
  * ```
  */
 function readFileIfExists(filePath, encoding = 'utf-8') {
-    if (!node_fs.existsSync(filePath)) {
+    if (!isSafePath(filePath) || !node_fs.existsSync(filePath)) {
         return null;
     }
     try {

package/project/index.esm.js

@@ -9,6 +9,7 @@ import { stringify, parse as parse$1 } from '../_dependencies/@hyperfrontend/imm
 import { createLogger } from '../_dependencies/@hyperfrontend/logging/index.esm.js';
 import { createError } from '../_dependencies/@hyperfrontend/immutable-api-utils/built-in-copy/error/index.esm.js';
 import { parseInt, parseFloat } from '../_dependencies/@hyperfrontend/immutable-api-utils/built-in-copy/number/index.esm.js';
+import { isSafePath } from '../_shared/core/fs/guard/index.esm.js';
 import { isDirectory, exists } from '../_shared/core/fs/stat/index.esm.js';
 import { join } from '../_shared/core/path/join/index.esm.js';
 import { createConfigError } from '../_shared/core/errors/structured-errors/index.esm.js';
@@ -201,6 +202,9 @@ function createFileSystemError(message, code, context) {
  * ```
  */
 function readFileContent(filePath, encoding = 'utf-8') {
+    if (!isSafePath(filePath)) {
+        throw createFileSystemError(`Unsafe file path: ${filePath}`, 'FS_READ_ERROR', { path: filePath, operation: 'read' });
+    }
     if (!existsSync(filePath)) {
         fsLogger.debug('File not found', { path: filePath });
         throw createFileSystemError(`File not found: ${filePath}`, 'FS_NOT_FOUND', { path: filePath, operation: 'read' });
@@ -229,7 +233,7 @@ function readFileContent(filePath, encoding = 'utf-8') {
  * ```
  */
 function readFileIfExists(filePath, encoding = 'utf-8') {
-    if (!existsSync(filePath)) {
+    if (!isSafePath(filePath) || !existsSync(filePath)) {
         return null;
     }
     try {

package/project/package/index.cjs.js

@@ -9,6 +9,7 @@ const node_fs = require('node:fs');
 const index_cjs_js$4 = require('../../_dependencies/@hyperfrontend/immutable-api-utils/built-in-copy/console/index.cjs.js');
 const index_cjs_js$1 = require('../../_dependencies/@hyperfrontend/immutable-api-utils/built-in-copy/set/index.cjs.js');
 const index_cjs_js$2 = require('../../_dependencies/@hyperfrontend/logging/index.cjs.js');
+const { isSafePath } = require('../../_shared/core/fs/guard/index.cjs.js');
 const { exists } = require('../../_shared/core/fs/stat/index.cjs.js');
 const { join } = require('../../_shared/core/path/join/index.cjs.js');
 const { createConfigError } = require('../../_shared/core/errors/structured-errors/index.cjs.js');
@@ -198,6 +199,9 @@ function createFileSystemError(message, code, context) {
  * ```
  */
 function readFileContent(filePath, encoding = 'utf-8') {
+    if (!isSafePath(filePath)) {
+        throw createFileSystemError(`Unsafe file path: ${filePath}`, 'FS_READ_ERROR', { path: filePath, operation: 'read' });
+    }
     if (!node_fs.existsSync(filePath)) {
         fsLogger.debug('File not found', { path: filePath });
         throw createFileSystemError(`File not found: ${filePath}`, 'FS_NOT_FOUND', { path: filePath, operation: 'read' });
@@ -226,7 +230,7 @@ function readFileContent(filePath, encoding = 'utf-8') {
  * ```
  */
 function readFileIfExists(filePath, encoding = 'utf-8') {
-    if (!node_fs.existsSync(filePath)) {
+    if (!isSafePath(filePath) || !node_fs.existsSync(filePath)) {
         return null;
     }
     try {

package/project/package/index.esm.js

@@ -7,6 +7,7 @@ import { existsSync, readFileSync } from 'node:fs';
 import { error, warn, log, info, debug } from '../../_dependencies/@hyperfrontend/immutable-api-utils/built-in-copy/console/index.esm.js';
 import { createSet } from '../../_dependencies/@hyperfrontend/immutable-api-utils/built-in-copy/set/index.esm.js';
 import { createLogger } from '../../_dependencies/@hyperfrontend/logging/index.esm.js';
+import { isSafePath } from '../../_shared/core/fs/guard/index.esm.js';
 import { exists } from '../../_shared/core/fs/stat/index.esm.js';
 import { join } from '../../_shared/core/path/join/index.esm.js';
 import { createConfigError } from '../../_shared/core/errors/structured-errors/index.esm.js';
@@ -196,6 +197,9 @@ function createFileSystemError(message, code, context) {
  * ```
  */
 function readFileContent(filePath, encoding = 'utf-8') {
+    if (!isSafePath(filePath)) {
+        throw createFileSystemError(`Unsafe file path: ${filePath}`, 'FS_READ_ERROR', { path: filePath, operation: 'read' });
+    }
     if (!existsSync(filePath)) {
         fsLogger.debug('File not found', { path: filePath });
         throw createFileSystemError(`File not found: ${filePath}`, 'FS_NOT_FOUND', { path: filePath, operation: 'read' });
@@ -224,7 +228,7 @@ function readFileContent(filePath, encoding = 'utf-8') {
  * ```
  */
 function readFileIfExists(filePath, encoding = 'utf-8') {
-    if (!existsSync(filePath)) {
+    if (!isSafePath(filePath) || !existsSync(filePath)) {
         return null;
     }
     try {

package/project/root/index.cjs.js

@@ -9,6 +9,7 @@ const index_cjs_js$2 = require('../../_dependencies/@hyperfrontend/immutable-api
 const index_cjs_js = require('../../_dependencies/@hyperfrontend/immutable-api-utils/built-in-copy/set/index.cjs.js');
 const index_cjs_js$1 = require('../../_dependencies/@hyperfrontend/logging/index.cjs.js');
 const index_cjs_js$6 = require('../../_dependencies/@hyperfrontend/immutable-api-utils/built-in-copy/error/index.cjs.js');
+const { isSafePath } = require('../../_shared/core/fs/guard/index.cjs.js');
 const { exists } = require('../../_shared/core/fs/stat/index.cjs.js');
 const { join } = require('../../_shared/core/path/join/index.cjs.js');
 
@@ -171,7 +172,7 @@ createScopedLogger('project-scope:fs');
  * ```
  */
 function readFileIfExists(filePath, encoding = 'utf-8') {
-    if (!node_fs.existsSync(filePath)) {
+    if (!isSafePath(filePath) || !node_fs.existsSync(filePath)) {
         return null;
     }
     try {

package/project/root/index.esm.js

@@ -7,6 +7,7 @@ import { freeze, entries, keys, values } from '../../_dependencies/@hyperfronten
 import { createSet } from '../../_dependencies/@hyperfrontend/immutable-api-utils/built-in-copy/set/index.esm.js';
 import { createLogger } from '../../_dependencies/@hyperfrontend/logging/index.esm.js';
 import { createError } from '../../_dependencies/@hyperfrontend/immutable-api-utils/built-in-copy/error/index.esm.js';
+import { isSafePath } from '../../_shared/core/fs/guard/index.esm.js';
 import { exists } from '../../_shared/core/fs/stat/index.esm.js';
 import { join } from '../../_shared/core/path/join/index.esm.js';
 
@@ -169,7 +170,7 @@ createScopedLogger('project-scope:fs');
  * ```
  */
 function readFileIfExists(filePath, encoding = 'utf-8') {
-    if (!existsSync(filePath)) {
+    if (!isSafePath(filePath) || !existsSync(filePath)) {
         return null;
     }
     try {

package/project/traversal/index.cjs.js

@@ -9,6 +9,7 @@ const index_cjs_js$1 = require('../../_dependencies/@hyperfrontend/logging/index
 const node_path = require('node:path');
 const node_fs = require('node:fs');
 const index_cjs_js$6 = require('../../_dependencies/@hyperfrontend/immutable-api-utils/built-in-copy/error/index.cjs.js');
+const { isSafePath } = require('../../_shared/core/fs/guard/index.cjs.js');
 const { isDirectory } = require('../../_shared/core/fs/stat/index.cjs.js');
 const { matchGlobPattern } = require('../../_shared/core/patterns/glob/index.cjs.js');
 
@@ -196,7 +197,7 @@ function createFileSystemError(message, code, context) {
  * ```
  */
 function readFileIfExists(filePath, encoding = 'utf-8') {
-    if (!node_fs.existsSync(filePath)) {
+    if (!isSafePath(filePath) || !node_fs.existsSync(filePath)) {
         return null;
     }
     try {

package/project/traversal/index.esm.js

@@ -7,6 +7,7 @@ import { createLogger } from '../../_dependencies/@hyperfrontend/logging/index.e
 import { join } from 'node:path';
 import { existsSync, readFileSync, statSync, lstatSync, readdirSync } from 'node:fs';
 import { createError } from '../../_dependencies/@hyperfrontend/immutable-api-utils/built-in-copy/error/index.esm.js';
+import { isSafePath } from '../../_shared/core/fs/guard/index.esm.js';
 import { isDirectory } from '../../_shared/core/fs/stat/index.esm.js';
 import { matchGlobPattern } from '../../_shared/core/patterns/glob/index.esm.js';
 
@@ -194,7 +195,7 @@ function createFileSystemError(message, code, context) {
  * ```
  */
 function readFileIfExists(filePath, encoding = 'utf-8') {
-    if (!existsSync(filePath)) {
+    if (!isSafePath(filePath) || !existsSync(filePath)) {
         return null;
     }
     try {

package/tech/backend/index.cjs.js

@@ -10,6 +10,7 @@ const index_cjs_js$3 = require('../../_dependencies/@hyperfrontend/immutable-api
 const index_cjs_js = require('../../_dependencies/@hyperfrontend/immutable-api-utils/built-in-copy/set/index.cjs.js');
 const index_cjs_js$1 = require('../../_dependencies/@hyperfrontend/logging/index.cjs.js');
 const index_cjs_js$7 = require('../../_dependencies/@hyperfrontend/immutable-api-utils/built-in-copy/math/index.cjs.js');
+const { isSafePath } = require('../../_shared/core/fs/guard/index.cjs.js');
 const { exists } = require('../../_shared/core/fs/stat/index.cjs.js');
 const { collectAllDependencies, parseVersionString } = require('../../_shared/tech/shared-utils/detector-helpers/index.cjs.js');
 
@@ -172,7 +173,7 @@ createScopedLogger('project-scope:fs');
  * ```
  */
 function readFileIfExists(filePath, encoding = 'utf-8') {
-    if (!node_fs.existsSync(filePath)) {
+    if (!isSafePath(filePath) || !node_fs.existsSync(filePath)) {
         return null;
     }
     try {

package/tech/backend/index.esm.js

@@ -8,6 +8,7 @@ import { error, warn, log, info, debug } from '../../_dependencies/@hyperfronten
 import { createSet } from '../../_dependencies/@hyperfrontend/immutable-api-utils/built-in-copy/set/index.esm.js';
 import { createLogger } from '../../_dependencies/@hyperfrontend/logging/index.esm.js';
 import { min } from '../../_dependencies/@hyperfrontend/immutable-api-utils/built-in-copy/math/index.esm.js';
+import { isSafePath } from '../../_shared/core/fs/guard/index.esm.js';
 import { exists } from '../../_shared/core/fs/stat/index.esm.js';
 import { collectAllDependencies, parseVersionString } from '../../_shared/tech/shared-utils/detector-helpers/index.esm.js';
 
@@ -170,7 +171,7 @@ createScopedLogger('project-scope:fs');
  * ```
  */
 function readFileIfExists(filePath, encoding = 'utf-8') {
-    if (!existsSync(filePath)) {
+    if (!isSafePath(filePath) || !existsSync(filePath)) {
         return null;
     }
     try {