@kya-os/consent 0.1.0

package/dist/schemas/modes.schemas.js

@@ -0,0 +1,107 @@
+"use strict";
+/**
+ * Consent Mode Schemas
+ *
+ * Zod validation schemas for auth mode configurations.
+ *
+ * @module @kya-os/consent/schemas/modes
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.ModeConfigsSchema = exports.IDVConfigSchema = exports.PasskeyConfigSchema = exports.QRCodeConfigSchema = exports.OTPConfigSchema = exports.MagicLinkConfigSchema = exports.OAuthConfigSchema = exports.CredentialsConfigSchema = exports.AuthModeSchema = void 0;
+const zod_1 = require("zod");
+const modes_types_1 = require("../types/modes.types");
+/**
+ * Auth Mode Schema
+ */
+exports.AuthModeSchema = zod_1.z.enum([
+    modes_types_1.AUTH_MODES.CONSENT_ONLY,
+    modes_types_1.AUTH_MODES.CREDENTIALS,
+    modes_types_1.AUTH_MODES.OAUTH,
+    modes_types_1.AUTH_MODES.MAGIC_LINK,
+    modes_types_1.AUTH_MODES.OTP,
+    modes_types_1.AUTH_MODES.QR_CODE,
+    modes_types_1.AUTH_MODES.PASSKEY,
+    modes_types_1.AUTH_MODES.IDV,
+]);
+/**
+ * Credentials Config Schema
+ */
+exports.CredentialsConfigSchema = zod_1.z.object({
+    usernameLabel: zod_1.z.string().max(100).optional(),
+    usernamePlaceholder: zod_1.z.string().max(200).optional(),
+    passwordLabel: zod_1.z.string().max(100).optional(),
+    passwordPlaceholder: zod_1.z.string().max(200).optional(),
+    showRememberMe: zod_1.z.boolean().optional(),
+    showForgotPassword: zod_1.z.boolean().optional(),
+    forgotPasswordUrl: zod_1.z.string().url().optional(),
+});
+/**
+ * OAuth Config Schema
+ */
+exports.OAuthConfigSchema = zod_1.z.object({
+    providerId: zod_1.z.string().max(100).optional(),
+    providerName: zod_1.z.string().max(100).optional(),
+    buttonText: zod_1.z.string().max(100).optional(),
+});
+/**
+ * Magic Link Config Schema
+ */
+exports.MagicLinkConfigSchema = zod_1.z.object({
+    enabled: zod_1.z.boolean().optional(),
+    emailLabel: zod_1.z.string().max(100).optional(),
+    emailPlaceholder: zod_1.z.string().max(200).optional(),
+    buttonText: zod_1.z.string().max(100).optional(),
+    resendCooldown: zod_1.z.number().int().min(30).max(600).optional(),
+});
+/**
+ * OTP Config Schema
+ */
+exports.OTPConfigSchema = zod_1.z.object({
+    enabled: zod_1.z.boolean().optional(),
+    phoneLabel: zod_1.z.string().max(100).optional(),
+    phonePlaceholder: zod_1.z.string().max(200).optional(),
+    instructions: zod_1.z.string().max(500).optional(),
+    digits: zod_1.z.union([zod_1.z.literal(4), zod_1.z.literal(6), zod_1.z.literal(8)]).optional(),
+    resendCooldown: zod_1.z.number().int().min(30).max(600).optional(),
+});
+/**
+ * QR Code Config Schema
+ */
+exports.QRCodeConfigSchema = zod_1.z.object({
+    enabled: zod_1.z.boolean().optional(),
+    instructions: zod_1.z.string().max(500).optional(),
+    size: zod_1.z.number().int().min(100).max(500).optional(),
+    showManualEntry: zod_1.z.boolean().optional(),
+});
+/**
+ * Passkey Config Schema
+ */
+exports.PasskeyConfigSchema = zod_1.z.object({
+    enabled: zod_1.z.boolean().optional(),
+    instructions: zod_1.z.string().max(500).optional(),
+    buttonText: zod_1.z.string().max(100).optional(),
+    showCompatibilityInfo: zod_1.z.boolean().optional(),
+});
+/**
+ * IDV Config Schema
+ */
+exports.IDVConfigSchema = zod_1.z.object({
+    enabled: zod_1.z.boolean().optional(),
+    providerName: zod_1.z.string().max(100).optional(),
+    verificationType: zod_1.z.enum(["document", "selfie", "both"]).optional(),
+    instructions: zod_1.z.string().max(500).optional(),
+    estimatedTime: zod_1.z.string().max(50).optional(),
+});
+/**
+ * Mode Configs Schema
+ */
+exports.ModeConfigsSchema = zod_1.z.object({
+    credentials: exports.CredentialsConfigSchema.optional(),
+    oauth: exports.OAuthConfigSchema.optional(),
+    magicLink: exports.MagicLinkConfigSchema.optional(),
+    otp: exports.OTPConfigSchema.optional(),
+    qrCode: exports.QRCodeConfigSchema.optional(),
+    passkey: exports.PasskeyConfigSchema.optional(),
+    idv: exports.IDVConfigSchema.optional(),
+});
+//# sourceMappingURL=modes.schemas.js.map

package/dist/schemas/modes.schemas.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"modes.schemas.js","sourceRoot":"","sources":["../../src/schemas/modes.schemas.ts"],"names":[],"mappings":";AAAA;;;;;;GAMG;;;AAEH,6BAAwB;AACxB,sDAAkD;AAElD;;GAEG;AACU,QAAA,cAAc,GAAG,OAAC,CAAC,IAAI,CAAC;IACnC,wBAAU,CAAC,YAAY;IACvB,wBAAU,CAAC,WAAW;IACtB,wBAAU,CAAC,KAAK;IAChB,wBAAU,CAAC,UAAU;IACrB,wBAAU,CAAC,GAAG;IACd,wBAAU,CAAC,OAAO;IAClB,wBAAU,CAAC,OAAO;IAClB,wBAAU,CAAC,GAAG;CACf,CAAC,CAAC;AAIH;;GAEG;AACU,QAAA,uBAAuB,GAAG,OAAC,CAAC,MAAM,CAAC;IAC9C,aAAa,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,QAAQ,EAAE;IAC7C,mBAAmB,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,QAAQ,EAAE;IACnD,aAAa,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,QAAQ,EAAE;IAC7C,mBAAmB,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,QAAQ,EAAE;IACnD,cAAc,EAAE,OAAC,CAAC,OAAO,EAAE,CAAC,QAAQ,EAAE;IACtC,kBAAkB,EAAE,OAAC,CAAC,OAAO,EAAE,CAAC,QAAQ,EAAE;IAC1C,iBAAiB,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE;CAC/C,CAAC,CAAC;AAMH;;GAEG;AACU,QAAA,iBAAiB,GAAG,OAAC,CAAC,MAAM,CAAC;IACxC,UAAU,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,QAAQ,EAAE;IAC1C,YAAY,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,QAAQ,EAAE;IAC5C,UAAU,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,QAAQ,EAAE;CAC3C,CAAC,CAAC;AAIH;;GAEG;AACU,QAAA,qBAAqB,GAAG,OAAC,CAAC,MAAM,CAAC;IAC5C,OAAO,EAAE,OAAC,CAAC,OAAO,EAAE,CAAC,QAAQ,EAAE;IAC/B,UAAU,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,QAAQ,EAAE;IAC1C,gBAAgB,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,QAAQ,EAAE;IAChD,UAAU,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,QAAQ,EAAE;IAC1C,cAAc,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,QAAQ,EAAE;CAC7D,CAAC,CAAC;AAIH;;GAEG;AACU,QAAA,eAAe,GAAG,OAAC,CAAC,MAAM,CAAC;IACtC,OAAO,EAAE,OAAC,CAAC,OAAO,EAAE,CAAC,QAAQ,EAAE;IAC/B,UAAU,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,QAAQ,EAAE;IAC1C,gBAAgB,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,QAAQ,EAAE;IAChD,YAAY,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,QAAQ,EAAE;IAC5C,MAAM,EAAE,OAAC,CAAC,KAAK,CAAC,CAAC,OAAC,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,OAAC,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,OAAC,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,QAAQ,EAAE;IACtE,cAAc,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,QAAQ,EAAE;CAC7D,CAAC,CAAC;AAIH;;GAEG;AACU,QAAA,kBAAkB,GAAG,OAAC,CAAC,MAAM,CAAC;IACzC,OAAO,EAAE,OAAC,CAAC,OAAO,EAAE,CAAC,QAAQ,EAAE;IAC/B,YAAY,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,QAAQ,EAAE;IAC5C,IAAI,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,QAAQ,EAAE;IACnD,eAAe,EAAE,OAAC,CAAC,OAAO,EAAE,CAAC,QAAQ,EAAE;CACxC,CAAC,CAAC;AAIH;;GAEG;AACU,QAAA,mBAAmB,GAAG,OAAC,CAAC,MAAM,CAAC;IAC1C,OAAO,EAAE,OAAC,CAAC,OAAO,EAAE,CAAC,QAAQ,EAAE;IAC/B,YAAY,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,QAAQ,EAAE;IAC5C,UAAU,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,QAAQ,EAAE;IAC1C,qBAAqB,EAAE,OAAC,CAAC,OAAO,EAAE,CAAC,QAAQ,EAAE;CAC9C,CAAC,CAAC;AAIH;;GAEG;AACU,QAAA,eAAe,GAAG,OAAC,CAAC,MAAM,CAAC;IACtC,OAAO,EAAE,OAAC,CAAC,OAAO,EAAE,CAAC,QAAQ,EAAE;IAC/B,YAAY,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,QAAQ,EAAE;IAC5C,gBAAgB,EAAE,OAAC,CAAC,IAAI,CAAC,CAAC,UAAU,EAAE,QAAQ,EAAE,MAAM,CAAC,CAAC,CAAC,QAAQ,EAAE;IACnE,YAAY,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,QAAQ,EAAE;IAC5C,aAAa,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC,QAAQ,EAAE;CAC7C,CAAC,CAAC;AAIH;;GAEG;AACU,QAAA,iBAAiB,GAAG,OAAC,CAAC,MAAM,CAAC;IACxC,WAAW,EAAE,+BAAuB,CAAC,QAAQ,EAAE;IAC/C,KAAK,EAAE,yBAAiB,CAAC,QAAQ,EAAE;IACnC,SAAS,EAAE,6BAAqB,CAAC,QAAQ,EAAE;IAC3C,GAAG,EAAE,uBAAe,CAAC,QAAQ,EAAE;IAC/B,MAAM,EAAE,0BAAkB,CAAC,QAAQ,EAAE;IACrC,OAAO,EAAE,2BAAmB,CAAC,QAAQ,EAAE;IACvC,GAAG,EAAE,uBAAe,CAAC,QAAQ,EAAE;CAChC,CAAC,CAAC"}

package/dist/security/escape.d.ts

@@ -0,0 +1,114 @@
+/**
+ * HTML/JS Escape Utilities
+ *
+ * XSS prevention utilities for rendering user content safely.
+ *
+ * @module @kya-os/consent/security/escape
+ */
+/**
+ * Escape HTML special characters to prevent XSS
+ *
+ * Converts characters that have special meaning in HTML to their
+ * entity equivalents, making them safe to insert into HTML content.
+ *
+ * @param text - The text to escape
+ * @returns HTML-safe string
+ *
+ * @example
+ * ```typescript
+ * escapeHtml('<script>alert("xss")</script>')
+ * // Returns: '&lt;script&gt;alert(&quot;xss&quot;)&lt;/script&gt;'
+ * ```
+ */
+export declare function escapeHtml(text: string): string;
+/**
+ * Escape text for use in HTML attributes
+ *
+ * More comprehensive escaping than escapeHtml, including backticks
+ * and equals signs which can be dangerous in attribute contexts.
+ *
+ * @param value - The value to escape
+ * @returns Attribute-safe string
+ *
+ * @example
+ * ```typescript
+ * escapeAttr('value" onclick="alert(1)')
+ * // Returns: 'value&quot; onclick&#x3D;&quot;alert(1)'
+ * ```
+ */
+export declare function escapeAttr(value: string): string;
+/**
+ * Escape text for use in JavaScript strings
+ *
+ * Uses JSON.stringify to properly escape all special characters
+ * that could break out of a JavaScript string context.
+ *
+ * @param text - The text to escape
+ * @returns JS-safe string (without surrounding quotes)
+ *
+ * @example
+ * ```typescript
+ * escapeJs('hello\nworld')
+ * // Returns: '"hello\\nworld"' (with quotes from JSON.stringify)
+ * ```
+ */
+export declare function escapeJs(text: string): string;
+/**
+ * Escape text for use in JavaScript, returning value without quotes
+ *
+ * @param text - The text to escape
+ * @returns JS-safe string content (without surrounding quotes)
+ *
+ * @example
+ * ```typescript
+ * escapeJsValue('hello\nworld')
+ * // Returns: 'hello\\nworld'
+ * ```
+ */
+export declare function escapeJsValue(text: string): string;
+/**
+ * Escape URL for use in href or src attributes
+ *
+ * Only allows http, https, and mailto protocols. Returns empty
+ * string for dangerous protocols like javascript:.
+ *
+ * @param url - The URL to escape
+ * @returns Safe URL or empty string
+ *
+ * @example
+ * ```typescript
+ * escapeUrl('javascript:alert(1)')
+ * // Returns: ''
+ *
+ * escapeUrl('https://example.com/?q=test')
+ * // Returns: 'https://example.com/?q=test'
+ * ```
+ */
+export declare function escapeUrl(url: string | undefined): string;
+/**
+ * Create a safe HTML string from template literals
+ *
+ * Automatically escapes interpolated values while preserving
+ * the template structure.
+ *
+ * @param strings - Template literal strings
+ * @param values - Interpolated values to escape
+ * @returns Safe HTML string
+ *
+ * @example
+ * ```typescript
+ * const userInput = '<script>alert("xss")</script>';
+ * const html = safeHtml`<div>${userInput}</div>`;
+ * // Returns: '<div>&lt;script&gt;alert(&quot;xss&quot;)&lt;/script&gt;</div>'
+ * ```
+ */
+export declare function safeHtml(strings: TemplateStringsArray, ...values: unknown[]): string;
+/**
+ * Create a safe attribute value from template literals
+ *
+ * @param strings - Template literal strings
+ * @param values - Interpolated values to escape
+ * @returns Safe attribute string
+ */
+export declare function safeAttr(strings: TemplateStringsArray, ...values: unknown[]): string;
+//# sourceMappingURL=escape.d.ts.map

package/dist/security/escape.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"escape.d.ts","sourceRoot":"","sources":["../../src/security/escape.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAsBH;;;;;;;;;;;;;;GAcG;AACH,wBAAgB,UAAU,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM,CAG/C;AAED;;;;;;;;;;;;;;GAcG;AACH,wBAAgB,UAAU,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,CAGhD;AAED;;;;;;;;;;;;;;GAcG;AACH,wBAAgB,QAAQ,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM,CAG7C;AAED;;;;;;;;;;;GAWG;AACH,wBAAgB,aAAa,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM,CAKlD;AAED;;;;;;;;;;;;;;;;;GAiBG;AACH,wBAAgB,SAAS,CAAC,GAAG,EAAE,MAAM,GAAG,SAAS,GAAG,MAAM,CA8BzD;AAED;;;;;;;;;;;;;;;;GAgBG;AACH,wBAAgB,QAAQ,CACtB,OAAO,EAAE,oBAAoB,EAC7B,GAAG,MAAM,EAAE,OAAO,EAAE,GACnB,MAAM,CASR;AAED;;;;;;GAMG;AACH,wBAAgB,QAAQ,CACtB,OAAO,EAAE,oBAAoB,EAC7B,GAAG,MAAM,EAAE,OAAO,EAAE,GACnB,MAAM,CASR"}

package/dist/security/escape.js

@@ -0,0 +1,202 @@
+"use strict";
+/**
+ * HTML/JS Escape Utilities
+ *
+ * XSS prevention utilities for rendering user content safely.
+ *
+ * @module @kya-os/consent/security/escape
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.escapeHtml = escapeHtml;
+exports.escapeAttr = escapeAttr;
+exports.escapeJs = escapeJs;
+exports.escapeJsValue = escapeJsValue;
+exports.escapeUrl = escapeUrl;
+exports.safeHtml = safeHtml;
+exports.safeAttr = safeAttr;
+/**
+ * HTML entities to escape
+ */
+const HTML_ESCAPE_MAP = {
+    "&": "&",
+    "<": "&lt;",
+    ">": "&gt;",
+    '"': "&quot;",
+    "'": "&#x27;",
+};
+/**
+ * Additional characters to escape in attributes
+ */
+const ATTR_ESCAPE_MAP = {
+    ...HTML_ESCAPE_MAP,
+    "`": "&#x60;",
+    "=": "&#x3D;",
+};
+/**
+ * Escape HTML special characters to prevent XSS
+ *
+ * Converts characters that have special meaning in HTML to their
+ * entity equivalents, making them safe to insert into HTML content.
+ *
+ * @param text - The text to escape
+ * @returns HTML-safe string
+ *
+ * @example
+ * ```typescript
+ * escapeHtml('<script>alert("xss")</script>')
+ * // Returns: '&lt;script&gt;alert(&quot;xss&quot;)&lt;/script&gt;'
+ * ```
+ */
+function escapeHtml(text) {
+    if (!text)
+        return "";
+    return text.replace(/[&<>"']/g, (char) => HTML_ESCAPE_MAP[char] ?? char);
+}
+/**
+ * Escape text for use in HTML attributes
+ *
+ * More comprehensive escaping than escapeHtml, including backticks
+ * and equals signs which can be dangerous in attribute contexts.
+ *
+ * @param value - The value to escape
+ * @returns Attribute-safe string
+ *
+ * @example
+ * ```typescript
+ * escapeAttr('value" onclick="alert(1)')
+ * // Returns: 'value&quot; onclick&#x3D;&quot;alert(1)'
+ * ```
+ */
+function escapeAttr(value) {
+    if (!value)
+        return "";
+    return value.replace(/[&<>"'`=]/g, (char) => ATTR_ESCAPE_MAP[char] ?? char);
+}
+/**
+ * Escape text for use in JavaScript strings
+ *
+ * Uses JSON.stringify to properly escape all special characters
+ * that could break out of a JavaScript string context.
+ *
+ * @param text - The text to escape
+ * @returns JS-safe string (without surrounding quotes)
+ *
+ * @example
+ * ```typescript
+ * escapeJs('hello\nworld')
+ * // Returns: '"hello\\nworld"' (with quotes from JSON.stringify)
+ * ```
+ */
+function escapeJs(text) {
+    if (!text)
+        return '""';
+    return JSON.stringify(text);
+}
+/**
+ * Escape text for use in JavaScript, returning value without quotes
+ *
+ * @param text - The text to escape
+ * @returns JS-safe string content (without surrounding quotes)
+ *
+ * @example
+ * ```typescript
+ * escapeJsValue('hello\nworld')
+ * // Returns: 'hello\\nworld'
+ * ```
+ */
+function escapeJsValue(text) {
+    if (!text)
+        return "";
+    // JSON.stringify adds quotes, remove them
+    const escaped = JSON.stringify(text);
+    return escaped.slice(1, -1);
+}
+/**
+ * Escape URL for use in href or src attributes
+ *
+ * Only allows http, https, and mailto protocols. Returns empty
+ * string for dangerous protocols like javascript:.
+ *
+ * @param url - The URL to escape
+ * @returns Safe URL or empty string
+ *
+ * @example
+ * ```typescript
+ * escapeUrl('javascript:alert(1)')
+ * // Returns: ''
+ *
+ * escapeUrl('https://example.com/?q=test')
+ * // Returns: 'https://example.com/?q=test'
+ * ```
+ */
+function escapeUrl(url) {
+    if (!url)
+        return "";
+    // Check for dangerous protocols
+    const lowerUrl = url.toLowerCase().trim();
+    if (lowerUrl.startsWith("javascript:") ||
+        lowerUrl.startsWith("data:") ||
+        lowerUrl.startsWith("vbscript:") ||
+        lowerUrl.startsWith("file:")) {
+        return "";
+    }
+    // Try to parse as URL to validate
+    try {
+        const parsed = new URL(url);
+        if (!["http:", "https:", "mailto:"].includes(parsed.protocol)) {
+            return "";
+        }
+    }
+    catch {
+        // If it's a relative URL, that's okay
+        if (!url.startsWith("/") && !url.startsWith("#") && !url.startsWith("?")) {
+            // Absolute URL that failed to parse - unsafe
+            return "";
+        }
+    }
+    // Escape any HTML characters in the URL (but not = or ` which are safe in URLs)
+    return escapeHtml(url);
+}
+/**
+ * Create a safe HTML string from template literals
+ *
+ * Automatically escapes interpolated values while preserving
+ * the template structure.
+ *
+ * @param strings - Template literal strings
+ * @param values - Interpolated values to escape
+ * @returns Safe HTML string
+ *
+ * @example
+ * ```typescript
+ * const userInput = '<script>alert("xss")</script>';
+ * const html = safeHtml`<div>${userInput}</div>`;
+ * // Returns: '<div>&lt;script&gt;alert(&quot;xss&quot;)&lt;/script&gt;</div>'
+ * ```
+ */
+function safeHtml(strings, ...values) {
+    let result = strings[0] ?? "";
+    for (let i = 0; i < values.length; i++) {
+        const value = values[i];
+        const escaped = value === null || value === undefined ? "" : escapeHtml(String(value));
+        result += escaped + (strings[i + 1] ?? "");
+    }
+    return result;
+}
+/**
+ * Create a safe attribute value from template literals
+ *
+ * @param strings - Template literal strings
+ * @param values - Interpolated values to escape
+ * @returns Safe attribute string
+ */
+function safeAttr(strings, ...values) {
+    let result = strings[0] ?? "";
+    for (let i = 0; i < values.length; i++) {
+        const value = values[i];
+        const escaped = value === null || value === undefined ? "" : escapeAttr(String(value));
+        result += escaped + (strings[i + 1] ?? "");
+    }
+    return result;
+}
+//# sourceMappingURL=escape.js.map

package/dist/security/escape.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"escape.js","sourceRoot":"","sources":["../../src/security/escape.ts"],"names":[],"mappings":";AAAA;;;;;;GAMG;;AAqCH,gCAGC;AAiBD,gCAGC;AAiBD,4BAGC;AAcD,sCAKC;AAoBD,8BA8BC;AAmBD,4BAYC;AASD,4BAYC;AAvMD;;GAEG;AACH,MAAM,eAAe,GAA2B;IAC9C,GAAG,EAAE,OAAO;IACZ,GAAG,EAAE,MAAM;IACX,GAAG,EAAE,MAAM;IACX,GAAG,EAAE,QAAQ;IACb,GAAG,EAAE,QAAQ;CACd,CAAC;AAEF;;GAEG;AACH,MAAM,eAAe,GAA2B;IAC9C,GAAG,eAAe;IAClB,GAAG,EAAE,QAAQ;IACb,GAAG,EAAE,QAAQ;CACd,CAAC;AAEF;;;;;;;;;;;;;;GAcG;AACH,SAAgB,UAAU,CAAC,IAAY;IACrC,IAAI,CAAC,IAAI;QAAE,OAAO,EAAE,CAAC;IACrB,OAAO,IAAI,CAAC,OAAO,CAAC,UAAU,EAAE,CAAC,IAAI,EAAE,EAAE,CAAC,eAAe,CAAC,IAAI,CAAC,IAAI,IAAI,CAAC,CAAC;AAC3E,CAAC;AAED;;;;;;;;;;;;;;GAcG;AACH,SAAgB,UAAU,CAAC,KAAa;IACtC,IAAI,CAAC,KAAK;QAAE,OAAO,EAAE,CAAC;IACtB,OAAO,KAAK,CAAC,OAAO,CAAC,YAAY,EAAE,CAAC,IAAI,EAAE,EAAE,CAAC,eAAe,CAAC,IAAI,CAAC,IAAI,IAAI,CAAC,CAAC;AAC9E,CAAC;AAED;;;;;;;;;;;;;;GAcG;AACH,SAAgB,QAAQ,CAAC,IAAY;IACnC,IAAI,CAAC,IAAI;QAAE,OAAO,IAAI,CAAC;IACvB,OAAO,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC;AAC9B,CAAC;AAED;;;;;;;;;;;GAWG;AACH,SAAgB,aAAa,CAAC,IAAY;IACxC,IAAI,CAAC,IAAI;QAAE,OAAO,EAAE,CAAC;IACrB,0CAA0C;IAC1C,MAAM,OAAO,GAAG,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC;IACrC,OAAO,OAAO,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC;AAC9B,CAAC;AAED;;;;;;;;;;;;;;;;;GAiBG;AACH,SAAgB,SAAS,CAAC,GAAuB;IAC/C,IAAI,CAAC,GAAG;QAAE,OAAO,EAAE,CAAC;IAEpB,gCAAgC;IAChC,MAAM,QAAQ,GAAG,GAAG,CAAC,WAAW,EAAE,CAAC,IAAI,EAAE,CAAC;IAC1C,IACE,QAAQ,CAAC,UAAU,CAAC,aAAa,CAAC;QAClC,QAAQ,CAAC,UAAU,CAAC,OAAO,CAAC;QAC5B,QAAQ,CAAC,UAAU,CAAC,WAAW,CAAC;QAChC,QAAQ,CAAC,UAAU,CAAC,OAAO,CAAC,EAC5B,CAAC;QACD,OAAO,EAAE,CAAC;IACZ,CAAC;IAED,kCAAkC;IAClC,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,CAAC;QAC5B,IAAI,CAAC,CAAC,OAAO,EAAE,QAAQ,EAAE,SAAS,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,QAAQ,CAAC,EAAE,CAAC;YAC9D,OAAO,EAAE,CAAC;QACZ,CAAC;IACH,CAAC;IAAC,MAAM,CAAC;QACP,sCAAsC;QACtC,IAAI,CAAC,GAAG,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,CAAC,GAAG,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,CAAC,GAAG,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;YACzE,6CAA6C;YAC7C,OAAO,EAAE,CAAC;QACZ,CAAC;IACH,CAAC;IAED,gFAAgF;IAChF,OAAO,UAAU,CAAC,GAAG,CAAC,CAAC;AACzB,CAAC;AAED;;;;;;;;;;;;;;;;GAgBG;AACH,SAAgB,QAAQ,CACtB,OAA6B,EAC7B,GAAG,MAAiB;IAEpB,IAAI,MAAM,GAAG,OAAO,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;IAC9B,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,MAAM,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACvC,MAAM,KAAK,GAAG,MAAM,CAAC,CAAC,CAAC,CAAC;QACxB,MAAM,OAAO,GACX,KAAK,KAAK,IAAI,IAAI,KAAK,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,UAAU,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC;QACzE,MAAM,IAAI,OAAO,GAAG,CAAC,OAAO,CAAC,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC;IAC7C,CAAC;IACD,OAAO,MAAM,CAAC;AAChB,CAAC;AAED;;;;;;GAMG;AACH,SAAgB,QAAQ,CACtB,OAA6B,EAC7B,GAAG,MAAiB;IAEpB,IAAI,MAAM,GAAG,OAAO,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;IAC9B,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,MAAM,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACvC,MAAM,KAAK,GAAG,MAAM,CAAC,CAAC,CAAC,CAAC;QACxB,MAAM,OAAO,GACX,KAAK,KAAK,IAAI,IAAI,KAAK,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,UAAU,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC;QACzE,MAAM,IAAI,OAAO,GAAG,CAAC,OAAO,CAAC,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC;IAC7C,CAAC;IACD,OAAO,MAAM,CAAC;AAChB,CAAC"}

package/dist/security/index.d.ts

@@ -0,0 +1,10 @@
+/**
+ * Consent Security Utilities
+ *
+ * XSS prevention and input validation utilities.
+ *
+ * @module @kya-os/consent/security
+ */
+export * from "./escape";
+export * from "./validators";
+//# sourceMappingURL=index.d.ts.map

package/dist/security/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/security/index.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,cAAc,UAAU,CAAC;AACzB,cAAc,cAAc,CAAC"}

package/dist/security/index.js

@@ -0,0 +1,26 @@
+"use strict";
+/**
+ * Consent Security Utilities
+ *
+ * XSS prevention and input validation utilities.
+ *
+ * @module @kya-os/consent/security
+ */
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __exportStar = (this && this.__exportStar) || function(m, exports) {
+    for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+__exportStar(require("./escape"), exports);
+__exportStar(require("./validators"), exports);
+//# sourceMappingURL=index.js.map

package/dist/security/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/security/index.ts"],"names":[],"mappings":";AAAA;;;;;;GAMG;;;;;;;;;;;;;;;;AAEH,2CAAyB;AACzB,+CAA6B"}

package/dist/security/validators.d.ts

@@ -0,0 +1,98 @@
+/**
+ * Security Validators
+ *
+ * Input validation utilities for secure rendering.
+ *
+ * @module @kya-os/consent/security/validators
+ */
+/**
+ * Validate that a string is a valid hex color
+ *
+ * Only accepts 6-digit hex colors with # prefix.
+ *
+ * @param color - Color string to validate
+ * @returns The color if valid, undefined otherwise
+ *
+ * @example
+ * ```typescript
+ * validateColor('#2563EB') // Returns '#2563EB'
+ * validateColor('2563EB')  // Returns undefined
+ * validateColor('#fff')    // Returns undefined (3-digit not allowed)
+ * ```
+ */
+export declare function validateColor(color: string | undefined): string | undefined;
+/**
+ * Validate that a string is a valid URL
+ *
+ * Only accepts http and https protocols.
+ *
+ * @param url - URL string to validate
+ * @returns The URL if valid, undefined otherwise
+ *
+ * @example
+ * ```typescript
+ * validateUrl('https://example.com')    // Returns 'https://example.com'
+ * validateUrl('javascript:alert(1)')    // Returns undefined
+ * validateUrl('ftp://files.example.com') // Returns undefined
+ * ```
+ */
+export declare function validateUrl(url: string | undefined): string | undefined;
+/**
+ * Validate that a string is a valid email address
+ *
+ * Uses a simple but effective email pattern.
+ *
+ * @param email - Email string to validate
+ * @returns The email if valid, undefined otherwise
+ */
+export declare function validateEmail(email: string | undefined): string | undefined;
+/**
+ * Validate that a string is a valid DID
+ *
+ * @param did - DID string to validate
+ * @returns The DID if valid, undefined otherwise
+ */
+export declare function validateDid(did: string | undefined): string | undefined;
+/**
+ * Validate that a string contains no control characters
+ *
+ * @param text - Text to validate
+ * @returns The text if valid, undefined otherwise
+ */
+export declare function validateNoControlChars(text: string | undefined): string | undefined;
+/**
+ * Validate and sanitize a string for display
+ *
+ * Removes control characters and trims whitespace.
+ *
+ * @param text - Text to sanitize
+ * @param maxLength - Maximum allowed length
+ * @returns Sanitized text or undefined if invalid
+ */
+export declare function sanitizeDisplayText(text: string | undefined, maxLength?: number): string | undefined;
+/**
+ * Validate that a string is alphanumeric with underscores only
+ *
+ * Useful for field names and identifiers.
+ *
+ * @param text - Text to validate
+ * @returns The text if valid, undefined otherwise
+ */
+export declare function validateIdentifier(text: string | undefined): string | undefined;
+/**
+ * Check if a value is a safe integer within range
+ *
+ * @param value - Value to check
+ * @param min - Minimum value (inclusive)
+ * @param max - Maximum value (inclusive)
+ * @returns True if valid
+ */
+export declare function isValidInteger(value: unknown, min?: number, max?: number): value is number;
+/**
+ * Validate a CSRF token format
+ *
+ * @param token - Token to validate
+ * @returns The token if valid, undefined otherwise
+ */
+export declare function validateCSRFToken(token: string | undefined): string | undefined;
+//# sourceMappingURL=validators.d.ts.map

package/dist/security/validators.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"validators.d.ts","sourceRoot":"","sources":["../../src/security/validators.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH;;;;;;;;;;;;;;GAcG;AACH,wBAAgB,aAAa,CAAC,KAAK,EAAE,MAAM,GAAG,SAAS,GAAG,MAAM,GAAG,SAAS,CAS3E;AAED;;;;;;;;;;;;;;GAcG;AACH,wBAAgB,WAAW,CAAC,GAAG,EAAE,MAAM,GAAG,SAAS,GAAG,MAAM,GAAG,SAAS,CAavE;AAED;;;;;;;GAOG;AACH,wBAAgB,aAAa,CAAC,KAAK,EAAE,MAAM,GAAG,SAAS,GAAG,MAAM,GAAG,SAAS,CAU3E;AAED;;;;;GAKG;AACH,wBAAgB,WAAW,CAAC,GAAG,EAAE,MAAM,GAAG,SAAS,GAAG,MAAM,GAAG,SAAS,CA0BvE;AAED;;;;;GAKG;AACH,wBAAgB,sBAAsB,CAAC,IAAI,EAAE,MAAM,GAAG,SAAS,GAAG,MAAM,GAAG,SAAS,CAWnF;AAED;;;;;;;;GAQG;AACH,wBAAgB,mBAAmB,CACjC,IAAI,EAAE,MAAM,GAAG,SAAS,EACxB,SAAS,SAAM,GACd,MAAM,GAAG,SAAS,CAcpB;AAED;;;;;;;GAOG;AACH,wBAAgB,kBAAkB,CAAC,IAAI,EAAE,MAAM,GAAG,SAAS,GAAG,MAAM,GAAG,SAAS,CAQ/E;AAED;;;;;;;GAOG;AACH,wBAAgB,cAAc,CAC5B,KAAK,EAAE,OAAO,EACd,GAAG,SAA0B,EAC7B,GAAG,SAA0B,GAC5B,KAAK,IAAI,MAAM,CAKjB;AAED;;;;;GAKG;AACH,wBAAgB,iBAAiB,CAAC,KAAK,EAAE,MAAM,GAAG,SAAS,GAAG,MAAM,GAAG,SAAS,CAc/E"}