@longsightgroup/qti3-core 0.3.0 → 0.5.1

package/README.md

@@ -19,19 +19,96 @@ import { createItemSession, parseQtiXml, validateAssessmentItem } from "@longsig
 
 const parsed = parseQtiXml(xml);
 
-if (parsed.document) {
-  const validation = validateAssessmentItem(parsed.document);
-  const session = createItemSession(parsed.document);
+if (!parsed.ok || !parsed.document) {
+  throw new Error(parsed.diagnostics.map((item) => item.message).join("; "));
+}
+
+const validation = validateAssessmentItem(parsed.document);
+const session = createItemSession(parsed.document);
+
+session.respond("RESPONSE", "A");
+const result = session.score();
+
+console.log(validation.diagnostics);
+console.log(result.outcomes);
+console.log(result.state);
+```
+
+### Candidate-safe delivery XML
+
+High-stakes delivery systems can redact answer-bearing item XML before sending it to
+a browser:
+
+```ts
+import { buildQtiDeliverySafeXml } from "@longsightgroup/qti3-core";
+
+const delivery = buildQtiDeliverySafeXml(authoritativeItemXml);
+
+if (!delivery.ok) {
+  throw new Error(delivery.diagnostics.map((item) => item.message).join("; "));
+}
+
+sendToCandidate(delivery.xml);
+```
+
+Use `buildQtiDeliverySafeXml().ok` for deliverability. The
+`analyzeQtiDeliverySecurity().deliverySafe` flag describes the exact XML being analyzed,
+so it is normally `false` for an authoritative scorable item before redaction and `true`
+only for the redacted output.
+
+The redactor removes correct responses, response and area mappings, outcome lookup
+tables, response/outcome/template declaration default values, response processing, and
+authored feedback subtrees. It also reports secure-delivery v1 blockers such as
+template processing, set-correct-response, and adaptive response processing.
+
+String-range redaction aligns a private XML tag scan to the same stax parse tree used by
+`parseQtiXml`. Alignment failures are reported as `xml.parse` error diagnostics; hosts
+must treat those diagnostics, `parseQtiXml().ok === false`, and
+`buildQtiDeliverySafeXml().ok === false` as non-deliverable. The redacted output is
+re-analyzed before `ok` is returned, but hosts should still treat redacted XML as
+untrusted presentation input.
+
+The scanner adds a second full pass over each XML string. That is acceptable for
+item-scale delivery and scoring, but package-level batch redaction should treat XML
+parsing as a hot path if whole packages are processed repeatedly.
+
+Candidate-safe XML is not a full content audit. It does not remove solution text an
+author wrote directly into the item body, and it does not validate Portable Custom
+Interaction module/config URLs or host runtime policy. If candidates should see item
+point values, expose them intentionally through host metadata or visible item content;
+do not rely on hidden QTI declaration defaults as the presentation channel.
+
+### Server-side scoring
 
-  session.respond("RESPONSE", "A");
-  const result = session.score();
+Use full authoritative item XML on the server and pass only trusted response variables:
 
-  console.log(validation.diagnostics);
-  console.log(result.outcomes);
-  console.log(result.state);
+```ts
+import { scoreQtiItemServerSide } from "@longsightgroup/qti3-core";
+
+const scored = scoreQtiItemServerSide({
+  itemXml: authoritativeItemXml,
+  trustedResponses: { RESPONSE: "A" },
+});
+
+if (!scored.ok) {
+  throw new Error(scored.diagnostics.map((item) => item.message).join("; "));
 }
+
+console.log(scored.score);
+console.log(scored.state);
 ```
 
+This API does not accept restored outcomes or a full prior attempt state, so browser
+submitted `SCORE`, `MAXSCORE`, or similar outcome variables cannot become trusted
+server results. It validates trusted response identifiers and JSON-shaped QTI values,
+then runs response processing. It does not run candidate response-validation policy such
+as required interactions, cardinality limits, or min/max response counts; delivery hosts
+should enforce that policy before accepting a submission or finalizing an attempt.
+
+The delivery redaction and server-scoring APIs are library APIs in `0.5.x`. CLI commands
+for delivery-safe XML generation and server-style scoring are not part of this release
+line yet.
+
 ## Scope
 
 - Parse QTI XML into a typed item model.

package/dist/delivery-security.d.ts

@@ -0,0 +1,26 @@
+import type { QtiDiagnostic, QtiSourceLocation } from "./types.js";
+export type QtiDeliverySecurityFindingKind = "forbidden-delivery-element" | "unsupported-secure-delivery-element" | "unsupported-adaptive-response-processing";
+export interface QtiDeliverySecurityFinding {
+    kind: QtiDeliverySecurityFindingKind;
+    qtiName: string;
+    localName: string;
+    message: string;
+    source?: QtiSourceLocation | undefined;
+}
+export interface QtiDeliverySecurityAnalysis {
+    diagnostics: QtiDiagnostic[];
+    findings: QtiDeliverySecurityFinding[];
+    /** True when this exact XML contains no known answer/scoring/feedback delivery leaks. */
+    deliverySafe: boolean;
+    /** True when secure-delivery redaction can be attempted for this XML. */
+    secureDeliverySupported: boolean;
+}
+export interface QtiDeliverySafeXmlResult {
+    ok: boolean;
+    diagnostics: QtiDiagnostic[];
+    analysis: QtiDeliverySecurityAnalysis;
+    xml?: string | undefined;
+}
+export declare function analyzeQtiDeliverySecurity(xml: string): QtiDeliverySecurityAnalysis;
+export declare function buildQtiDeliverySafeXml(xml: string): QtiDeliverySafeXmlResult;
+//# sourceMappingURL=delivery-security.d.ts.map

package/dist/delivery-security.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"delivery-security.d.ts","sourceRoot":"","sources":["../src/delivery-security.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,aAAa,EAAE,iBAAiB,EAAE,MAAM,YAAY,CAAC;AA0BnE,MAAM,MAAM,8BAA8B,GACtC,4BAA4B,GAC5B,qCAAqC,GACrC,0CAA0C,CAAC;AAE/C,MAAM,WAAW,0BAA0B;IACzC,IAAI,EAAE,8BAA8B,CAAC;IACrC,OAAO,EAAE,MAAM,CAAC;IAChB,SAAS,EAAE,MAAM,CAAC;IAClB,OAAO,EAAE,MAAM,CAAC;IAChB,MAAM,CAAC,EAAE,iBAAiB,GAAG,SAAS,CAAC;CACxC;AAED,MAAM,WAAW,2BAA2B;IAC1C,WAAW,EAAE,aAAa,EAAE,CAAC;IAC7B,QAAQ,EAAE,0BAA0B,EAAE,CAAC;IACvC,yFAAyF;IACzF,YAAY,EAAE,OAAO,CAAC;IACtB,yEAAyE;IACzE,uBAAuB,EAAE,OAAO,CAAC;CAClC;AAED,MAAM,WAAW,wBAAwB;IACvC,EAAE,EAAE,OAAO,CAAC;IACZ,WAAW,EAAE,aAAa,EAAE,CAAC;IAC7B,QAAQ,EAAE,2BAA2B,CAAC;IACtC,GAAG,CAAC,EAAE,MAAM,GAAG,SAAS,CAAC;CAC1B;AAED,wBAAgB,0BAA0B,CAAC,GAAG,EAAE,MAAM,GAAG,2BAA2B,CAGnF;AAkED,wBAAgB,uBAAuB,CAAC,GAAG,EAAE,MAAM,GAAG,wBAAwB,CAuC7E"}

package/dist/delivery-security.js

@@ -0,0 +1,213 @@
+import { descendants, parseXmlTree } from "./xml.js";
+const FORBIDDEN_DELIVERY_ELEMENT_NAMES = new Set([
+    "correct-response",
+    "mapping",
+    "area-mapping",
+    "match-table",
+    "interpolation-table",
+    "response-processing",
+    "feedback-inline",
+    "feedback-block",
+    "modal-feedback",
+]);
+const UNSUPPORTED_SECURE_DELIVERY_ELEMENT_NAMES = new Set([
+    "template-processing",
+    "set-correct-response",
+]);
+const DEFAULT_VALUE_DECLARATION_ELEMENT_NAMES = new Set([
+    "response-declaration",
+    "outcome-declaration",
+    "template-declaration",
+]);
+export function analyzeQtiDeliverySecurity(xml) {
+    const parsed = parseDeliveryXml(xml);
+    return analyzeParsedDeliveryXml(parsed);
+}
+function analyzeParsedDeliveryXml(parsed) {
+    const diagnostics = [...parsed.diagnostics];
+    const findings = [];
+    if (parsed.root) {
+        const nodes = [parsed.root, ...descendants(parsed.root, () => true)];
+        for (const node of nodes) {
+            const normalizedName = normalizedQtiElementName(node.localName);
+            if (isForbiddenDeliveryElement(node, normalizedName)) {
+                findings.push({
+                    kind: "forbidden-delivery-element",
+                    qtiName: node.name,
+                    localName: node.localName,
+                    message: `${node.name} exposes answer keys, scoring, mapping, feedback, or solution information during delivery.`,
+                    source: node.source,
+                });
+            }
+            if (UNSUPPORTED_SECURE_DELIVERY_ELEMENT_NAMES.has(normalizedName)) {
+                findings.push({
+                    kind: "unsupported-secure-delivery-element",
+                    qtiName: node.name,
+                    localName: node.localName,
+                    message: `${node.name} is not supported by secure delivery redaction v1.`,
+                    source: node.source,
+                });
+            }
+        }
+        if (parseXmlBoolean(parsed.root.attributes.adaptive) === true &&
+            nodes.some((node) => normalizedQtiElementName(node.localName) === "response-processing")) {
+            findings.push({
+                kind: "unsupported-adaptive-response-processing",
+                qtiName: parsed.root.name,
+                localName: parsed.root.localName,
+                message: "Adaptive response processing requires server-side item materialization before secure delivery.",
+                source: parsed.root.source,
+            });
+        }
+    }
+    diagnostics.push(...findings.map(findingToDiagnostic));
+    const parseOk = parsed.diagnostics.every((diagnostic) => diagnostic.severity !== "error");
+    return {
+        diagnostics,
+        findings,
+        deliverySafe: parseOk && !findings.some((finding) => finding.kind === "forbidden-delivery-element"),
+        secureDeliverySupported: parseOk &&
+            !findings.some((finding) => finding.kind === "unsupported-secure-delivery-element" ||
+                finding.kind === "unsupported-adaptive-response-processing"),
+    };
+}
+export function buildQtiDeliverySafeXml(xml) {
+    const parsed = parseDeliveryXml(xml);
+    const analysis = analyzeParsedDeliveryXml(parsed);
+    if (!analysis.secureDeliverySupported) {
+        return {
+            ok: false,
+            diagnostics: analysis.diagnostics,
+            analysis,
+        };
+    }
+    if (!parsed.root) {
+        return {
+            ok: false,
+            diagnostics: parsed.diagnostics,
+            analysis,
+        };
+    }
+    const redactionRanges = readRedactionRanges([
+        parsed.root,
+        ...descendants(parsed.root, () => true),
+    ]);
+    const redactedXml = removeSourceRanges(xml, redactionRanges);
+    const redactedAnalysis = analyzeQtiDeliverySecurity(redactedXml);
+    if (!redactedAnalysis.deliverySafe) {
+        return {
+            ok: false,
+            diagnostics: [...analysis.diagnostics, ...redactedAnalysis.diagnostics],
+            analysis: redactedAnalysis,
+        };
+    }
+    return {
+        ok: true,
+        xml: redactedXml,
+        diagnostics: redactedAnalysis.diagnostics,
+        analysis: redactedAnalysis,
+    };
+}
+function parseDeliveryXml(xml) {
+    let parsed;
+    try {
+        parsed = parseXmlTree(xml);
+    }
+    catch (error) {
+        return {
+            root: undefined,
+            diagnostics: [
+                {
+                    code: "xml.parse",
+                    severity: "error",
+                    message: error instanceof Error ? error.message : String(error),
+                },
+            ],
+        };
+    }
+    const diagnostics = parsed.errors.map((error) => ({
+        code: "xml.parse",
+        severity: "error",
+        message: error.message,
+    }));
+    if (!parsed.root) {
+        diagnostics.push({
+            code: "xml.empty",
+            severity: "error",
+            message: "No XML root element was found.",
+        });
+    }
+    return { root: parsed.root, diagnostics };
+}
+function normalizedQtiElementName(localName) {
+    const lower = localName.toLowerCase();
+    return lower.startsWith("qti-") ? lower.slice("qti-".length) : lower;
+}
+function parseXmlBoolean(value) {
+    if (value === undefined)
+        return undefined;
+    const normalized = value.trim().toLowerCase();
+    if (normalized === "true" || normalized === "1")
+        return true;
+    if (normalized === "false" || normalized === "0")
+        return false;
+    return undefined;
+}
+function isForbiddenDeliveryElement(node, normalizedName = normalizedQtiElementName(node.localName)) {
+    if (FORBIDDEN_DELIVERY_ELEMENT_NAMES.has(normalizedName))
+        return true;
+    return (normalizedName === "default-value" &&
+        DEFAULT_VALUE_DECLARATION_ELEMENT_NAMES.has(normalizedQtiElementName(node.parent?.localName ?? "")));
+}
+function findingToDiagnostic(finding) {
+    const code = diagnosticCodeForFinding(finding.kind);
+    return {
+        code,
+        severity: "error",
+        message: finding.message,
+        path: finding.source?.path,
+        source: finding.source,
+    };
+}
+function diagnosticCodeForFinding(kind) {
+    if (kind === "forbidden-delivery-element")
+        return "delivery.forbiddenElement";
+    if (kind === "unsupported-adaptive-response-processing") {
+        return "delivery.unsupportedAdaptiveResponseProcessing";
+    }
+    return "delivery.unsupportedSecureDelivery";
+}
+function readRedactionRanges(nodes) {
+    const ranges = nodes.flatMap((node) => {
+        if (!isForbiddenDeliveryElement(node))
+            return [];
+        const endOffset = node.sourceRange.endOffset;
+        if (node.sourceRange.startOffset < 0 || endOffset === undefined)
+            return [];
+        return [{ startOffset: node.sourceRange.startOffset, endOffset }];
+    });
+    return mergeSourceRanges(ranges);
+}
+function mergeSourceRanges(ranges) {
+    const sorted = [...ranges].sort((left, right) => left.startOffset - right.startOffset);
+    const merged = [];
+    for (const range of sorted) {
+        const last = merged.at(-1);
+        if (last && range.startOffset <= last.endOffset) {
+            last.endOffset = Math.max(last.endOffset, range.endOffset);
+            continue;
+        }
+        merged.push({ ...range });
+    }
+    return merged;
+}
+function removeSourceRanges(xml, ranges) {
+    let output = "";
+    let cursor = 0;
+    for (const range of ranges) {
+        output += xml.slice(cursor, range.startOffset);
+        cursor = range.endOffset;
+    }
+    return output + xml.slice(cursor);
+}
+//# sourceMappingURL=delivery-security.js.map

package/dist/delivery-security.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"delivery-security.js","sourceRoot":"","sources":["../src/delivery-security.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,WAAW,EAAE,YAAY,EAAgB,MAAM,UAAU,CAAC;AAEnE,MAAM,gCAAgC,GAAG,IAAI,GAAG,CAAC;IAC/C,kBAAkB;IAClB,SAAS;IACT,cAAc;IACd,aAAa;IACb,qBAAqB;IACrB,qBAAqB;IACrB,iBAAiB;IACjB,gBAAgB;IAChB,gBAAgB;CACjB,CAAC,CAAC;AAEH,MAAM,yCAAyC,GAAG,IAAI,GAAG,CAAC;IACxD,qBAAqB;IACrB,sBAAsB;CACvB,CAAC,CAAC;AAEH,MAAM,uCAAuC,GAAG,IAAI,GAAG,CAAC;IACtD,sBAAsB;IACtB,qBAAqB;IACrB,sBAAsB;CACvB,CAAC,CAAC;AA+BH,MAAM,UAAU,0BAA0B,CAAC,GAAW;IACpD,MAAM,MAAM,GAAG,gBAAgB,CAAC,GAAG,CAAC,CAAC;IACrC,OAAO,wBAAwB,CAAC,MAAM,CAAC,CAAC;AAC1C,CAAC;AAED,SAAS,wBAAwB,CAAC,MAGjC;IACC,MAAM,WAAW,GAAG,CAAC,GAAG,MAAM,CAAC,WAAW,CAAC,CAAC;IAC5C,MAAM,QAAQ,GAAiC,EAAE,CAAC;IAElD,IAAI,MAAM,CAAC,IAAI,EAAE,CAAC;QAChB,MAAM,KAAK,GAAG,CAAC,MAAM,CAAC,IAAI,EAAE,GAAG,WAAW,CAAC,MAAM,CAAC,IAAI,EAAE,GAAG,EAAE,CAAC,IAAI,CAAC,CAAC,CAAC;QACrE,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;YACzB,MAAM,cAAc,GAAG,wBAAwB,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;YAChE,IAAI,0BAA0B,CAAC,IAAI,EAAE,cAAc,CAAC,EAAE,CAAC;gBACrD,QAAQ,CAAC,IAAI,CAAC;oBACZ,IAAI,EAAE,4BAA4B;oBAClC,OAAO,EAAE,IAAI,CAAC,IAAI;oBAClB,SAAS,EAAE,IAAI,CAAC,SAAS;oBACzB,OAAO,EAAE,GAAG,IAAI,CAAC,IAAI,4FAA4F;oBACjH,MAAM,EAAE,IAAI,CAAC,MAAM;iBACpB,CAAC,CAAC;YACL,CAAC;YACD,IAAI,yCAAyC,CAAC,GAAG,CAAC,cAAc,CAAC,EAAE,CAAC;gBAClE,QAAQ,CAAC,IAAI,CAAC;oBACZ,IAAI,EAAE,qCAAqC;oBAC3C,OAAO,EAAE,IAAI,CAAC,IAAI;oBAClB,SAAS,EAAE,IAAI,CAAC,SAAS;oBACzB,OAAO,EAAE,GAAG,IAAI,CAAC,IAAI,oDAAoD;oBACzE,MAAM,EAAE,IAAI,CAAC,MAAM;iBACpB,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAED,IACE,eAAe,CAAC,MAAM,CAAC,IAAI,CAAC,UAAU,CAAC,QAAQ,CAAC,KAAK,IAAI;YACzD,KAAK,CAAC,IAAI,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,wBAAwB,CAAC,IAAI,CAAC,SAAS,CAAC,KAAK,qBAAqB,CAAC,EACxF,CAAC;YACD,QAAQ,CAAC,IAAI,CAAC;gBACZ,IAAI,EAAE,0CAA0C;gBAChD,OAAO,EAAE,MAAM,CAAC,IAAI,CAAC,IAAI;gBACzB,SAAS,EAAE,MAAM,CAAC,IAAI,CAAC,SAAS;gBAChC,OAAO,EACL,gGAAgG;gBAClG,MAAM,EAAE,MAAM,CAAC,IAAI,CAAC,MAAM;aAC3B,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,WAAW,CAAC,IAAI,CAAC,GAAG,QAAQ,CAAC,GAAG,CAAC,mBAAmB,CAAC,CAAC,CAAC;IACvD,MAAM,OAAO,GAAG,MAAM,CAAC,WAAW,CAAC,KAAK,CAAC,CAAC,UAAU,EAAE,EAAE,CAAC,UAAU,CAAC,QAAQ,KAAK,OAAO,CAAC,CAAC;IAE1F,OAAO;QACL,WAAW;QACX,QAAQ;QACR,YAAY,EACV,OAAO,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,OAAO,CAAC,IAAI,KAAK,4BAA4B,CAAC;QACvF,uBAAuB,EACrB,OAAO;YACP,CAAC,QAAQ,CAAC,IAAI,CACZ,CAAC,OAAO,EAAE,EAAE,CACV,OAAO,CAAC,IAAI,KAAK,qCAAqC;gBACtD,OAAO,CAAC,IAAI,KAAK,0CAA0C,CAC9D;KACJ,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,uBAAuB,CAAC,GAAW;IACjD,MAAM,MAAM,GAAG,gBAAgB,CAAC,GAAG,CAAC,CAAC;IACrC,MAAM,QAAQ,GAAG,wBAAwB,CAAC,MAAM,CAAC,CAAC;IAClD,IAAI,CAAC,QAAQ,CAAC,uBAAuB,EAAE,CAAC;QACtC,OAAO;YACL,EAAE,EAAE,KAAK;YACT,WAAW,EAAE,QAAQ,CAAC,WAAW;YACjC,QAAQ;SACT,CAAC;IACJ,CAAC;IAED,IAAI,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC;QACjB,OAAO;YACL,EAAE,EAAE,KAAK;YACT,WAAW,EAAE,MAAM,CAAC,WAAW;YAC/B,QAAQ;SACT,CAAC;IACJ,CAAC;IAED,MAAM,eAAe,GAAG,mBAAmB,CAAC;QAC1C,MAAM,CAAC,IAAI;QACX,GAAG,WAAW,CAAC,MAAM,CAAC,IAAI,EAAE,GAAG,EAAE,CAAC,IAAI,CAAC;KACxC,CAAC,CAAC;IACH,MAAM,WAAW,GAAG,kBAAkB,CAAC,GAAG,EAAE,eAAe,CAAC,CAAC;IAC7D,MAAM,gBAAgB,GAAG,0BAA0B,CAAC,WAAW,CAAC,CAAC;IACjE,IAAI,CAAC,gBAAgB,CAAC,YAAY,EAAE,CAAC;QACnC,OAAO;YACL,EAAE,EAAE,KAAK;YACT,WAAW,EAAE,CAAC,GAAG,QAAQ,CAAC,WAAW,EAAE,GAAG,gBAAgB,CAAC,WAAW,CAAC;YACvE,QAAQ,EAAE,gBAAgB;SAC3B,CAAC;IACJ,CAAC;IAED,OAAO;QACL,EAAE,EAAE,IAAI;QACR,GAAG,EAAE,WAAW;QAChB,WAAW,EAAE,gBAAgB,CAAC,WAAW;QACzC,QAAQ,EAAE,gBAAgB;KAC3B,CAAC;AACJ,CAAC;AAED,SAAS,gBAAgB,CAAC,GAAW;IAInC,IAAI,MAAuC,CAAC;IAC5C,IAAI,CAAC;QACH,MAAM,GAAG,YAAY,CAAC,GAAG,CAAC,CAAC;IAC7B,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,OAAO;YACL,IAAI,EAAE,SAAS;YACf,WAAW,EAAE;gBACX;oBACE,IAAI,EAAE,WAAW;oBACjB,QAAQ,EAAE,OAAO;oBACjB,OAAO,EAAE,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC;iBAChE;aACF;SACF,CAAC;IACJ,CAAC;IAED,MAAM,WAAW,GAAoB,MAAM,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;QACjE,IAAI,EAAE,WAAW;QACjB,QAAQ,EAAE,OAAO;QACjB,OAAO,EAAE,KAAK,CAAC,OAAO;KACvB,CAAC,CAAC,CAAC;IACJ,IAAI,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC;QACjB,WAAW,CAAC,IAAI,CAAC;YACf,IAAI,EAAE,WAAW;YACjB,QAAQ,EAAE,OAAO;YACjB,OAAO,EAAE,gCAAgC;SAC1C,CAAC,CAAC;IACL,CAAC;IACD,OAAO,EAAE,IAAI,EAAE,MAAM,CAAC,IAAI,EAAE,WAAW,EAAE,CAAC;AAC5C,CAAC;AAED,SAAS,wBAAwB,CAAC,SAAiB;IACjD,MAAM,KAAK,GAAG,SAAS,CAAC,WAAW,EAAE,CAAC;IACtC,OAAO,KAAK,CAAC,UAAU,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,KAAK,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC;AACvE,CAAC;AAED,SAAS,eAAe,CAAC,KAAyB;IAChD,IAAI,KAAK,KAAK,SAAS;QAAE,OAAO,SAAS,CAAC;IAC1C,MAAM,UAAU,GAAG,KAAK,CAAC,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;IAC9C,IAAI,UAAU,KAAK,MAAM,IAAI,UAAU,KAAK,GAAG;QAAE,OAAO,IAAI,CAAC;IAC7D,IAAI,UAAU,KAAK,OAAO,IAAI,UAAU,KAAK,GAAG;QAAE,OAAO,KAAK,CAAC;IAC/D,OAAO,SAAS,CAAC;AACnB,CAAC;AAED,SAAS,0BAA0B,CACjC,IAAa,EACb,cAAc,GAAG,wBAAwB,CAAC,IAAI,CAAC,SAAS,CAAC;IAEzD,IAAI,gCAAgC,CAAC,GAAG,CAAC,cAAc,CAAC;QAAE,OAAO,IAAI,CAAC;IACtE,OAAO,CACL,cAAc,KAAK,eAAe;QAClC,uCAAuC,CAAC,GAAG,CACzC,wBAAwB,CAAC,IAAI,CAAC,MAAM,EAAE,SAAS,IAAI,EAAE,CAAC,CACvD,CACF,CAAC;AACJ,CAAC;AAED,SAAS,mBAAmB,CAAC,OAAmC;IAC9D,MAAM,IAAI,GAAG,wBAAwB,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;IACpD,OAAO;QACL,IAAI;QACJ,QAAQ,EAAE,OAAO;QACjB,OAAO,EAAE,OAAO,CAAC,OAAO;QACxB,IAAI,EAAE,OAAO,CAAC,MAAM,EAAE,IAAI;QAC1B,MAAM,EAAE,OAAO,CAAC,MAAM;KACvB,CAAC;AACJ,CAAC;AAED,SAAS,wBAAwB,CAAC,IAAoC;IACpE,IAAI,IAAI,KAAK,4BAA4B;QAAE,OAAO,2BAA2B,CAAC;IAC9E,IAAI,IAAI,KAAK,0CAA0C,EAAE,CAAC;QACxD,OAAO,gDAAgD,CAAC;IAC1D,CAAC;IACD,OAAO,oCAAoC,CAAC;AAC9C,CAAC;AAOD,SAAS,mBAAmB,CAAC,KAAgB;IAC3C,MAAM,MAAM,GAAG,KAAK,CAAC,OAAO,CAAC,CAAC,IAAI,EAAE,EAAE;QACpC,IAAI,CAAC,0BAA0B,CAAC,IAAI,CAAC;YAAE,OAAO,EAAE,CAAC;QACjD,MAAM,SAAS,GAAG,IAAI,CAAC,WAAW,CAAC,SAAS,CAAC;QAC7C,IAAI,IAAI,CAAC,WAAW,CAAC,WAAW,GAAG,CAAC,IAAI,SAAS,KAAK,SAAS;YAAE,OAAO,EAAE,CAAC;QAC3E,OAAO,CAAC,EAAE,WAAW,EAAE,IAAI,CAAC,WAAW,CAAC,WAAW,EAAE,SAAS,EAAE,CAAC,CAAC;IACpE,CAAC,CAAC,CAAC;IACH,OAAO,iBAAiB,CAAC,MAAM,CAAC,CAAC;AACnC,CAAC;AAED,SAAS,iBAAiB,CAAC,MAAwB;IACjD,MAAM,MAAM,GAAG,CAAC,GAAG,MAAM,CAAC,CAAC,IAAI,CAAC,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE,CAAC,IAAI,CAAC,WAAW,GAAG,KAAK,CAAC,WAAW,CAAC,CAAC;IACvF,MAAM,MAAM,GAAqB,EAAE,CAAC;IACpC,KAAK,MAAM,KAAK,IAAI,MAAM,EAAE,CAAC;QAC3B,MAAM,IAAI,GAAG,MAAM,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC;QAC3B,IAAI,IAAI,IAAI,KAAK,CAAC,WAAW,IAAI,IAAI,CAAC,SAAS,EAAE,CAAC;YAChD,IAAI,CAAC,SAAS,GAAG,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,EAAE,KAAK,CAAC,SAAS,CAAC,CAAC;YAC3D,SAAS;QACX,CAAC;QACD,MAAM,CAAC,IAAI,CAAC,EAAE,GAAG,KAAK,EAAE,CAAC,CAAC;IAC5B,CAAC;IACD,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,SAAS,kBAAkB,CAAC,GAAW,EAAE,MAAwB;IAC/D,IAAI,MAAM,GAAG,EAAE,CAAC;IAChB,IAAI,MAAM,GAAG,CAAC,CAAC;IACf,KAAK,MAAM,KAAK,IAAI,MAAM,EAAE,CAAC;QAC3B,MAAM,IAAI,GAAG,CAAC,KAAK,CAAC,MAAM,EAAE,KAAK,CAAC,WAAW,CAAC,CAAC;QAC/C,MAAM,GAAG,KAAK,CAAC,SAAS,CAAC;IAC3B,CAAC;IACD,OAAO,MAAM,GAAG,GAAG,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;AACpC,CAAC"}

package/dist/index.d.ts

@@ -1,9 +1,11 @@
 export { createCatalogSupportResolution, type QtiCatalogSupportResolution, type QtiCatalogSupportResolutionOptions, type QtiResolvedCatalogReference, type QtiResolvedCatalogSupport, } from "./catalog.js";
+export { analyzeQtiDeliverySecurity, buildQtiDeliverySafeXml, type QtiDeliverySafeXmlResult, type QtiDeliverySecurityAnalysis, type QtiDeliverySecurityFinding, type QtiDeliverySecurityFindingKind, } from "./delivery-security.js";
 export { parseQtiXml } from "./parser.js";
+export { scoreQtiItemServerSide, type QtiServerScoringInput, type QtiServerScoringResponseInput, type QtiServerScoringResult, } from "./server-scoring.js";
 export { createTextToSpeechTraversal, parseQtiDataSsml, validateQtiDataSsmlMetadata, type QtiDataSsml, type QtiDataSsmlBreak, type QtiDataSsmlBreakStrength, type QtiDataSsmlParseResult, type QtiDataSsmlPhoneme, type QtiDataSsmlProsody, type QtiDataSsmlSayAs, type QtiDataSsmlSub, type QtiTextToSpeechSegment, type QtiTextToSpeechSegmentKind, type QtiTextToSpeechTraversal, } from "./tts.js";
 export { assertQtiAttemptStateV1, createItemSession, isQtiAttemptStateV1, visibleModalFeedback, type QtiCustomOperatorContext, type QtiCustomOperatorHandler, type QtiCustomOperatorRegistry, type QtiItemSession, type QtiItemSessionOptions, } from "./session.js";
 export { deprecatedInteractionSupport, elementSupport, getInteractionSupport, interactionNameToType, interactionSupport, processingSupport, } from "./support.js";
 export { validateAssessmentItem } from "./validation.js";
 export type { QtiAssessmentItem, QtiAttemptStatus, QtiAttemptStateV1, QtiCatalog, QtiCatalogCard, QtiCatalogCardEntry, QtiCatalogFileHref, QtiCatalogHtmlContent, QtiCatalogInfo, QtiCatalogReference, QtiChoice, QtiChoiceRole, QtiContentNode, QtiDiagnostic, QtiDocument, QtiElementSupport, QtiInteractionElementSupport, QtiInteraction, QtiInteractionType, QtiMediaSource, QtiMediaTrack, QtiModalFeedback, QtiObjectAsset, QtiParseResult, QtiProcessingElementSupport, QtiPortableCustomDefinition, QtiPortableCustomInteractionModule, QtiPortableCustomInteractionModules, QtiPortableCustomStateValue, QtiPortableCustomVariableBinding, QtiResponseBranch, QtiScoreResult, QtiSupportStatus, QtiTemplateDeclaration, QtiTemplateBranch, QtiTemplateProcessing, QtiTemplateRule, QtiValidationResult, QtiValue, } from "./types.js";
-export { qtiScalarToString, qtiValueToIdentifierList, qtiValueToString, qtiValueToStringList, unknownToDisplayString, } from "./value-format.js";
+export { isQtiPortableCustomStateValue, isQtiValue, qtiScalarToString, qtiValueToIdentifierList, qtiValueToString, qtiValueToStringList, readQtiPortableCustomStateValue, readQtiJsonValue, unknownToDisplayString, } from "./value-format.js";
 //# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,8BAA8B,EAC9B,KAAK,2BAA2B,EAChC,KAAK,kCAAkC,EACvC,KAAK,2BAA2B,EAChC,KAAK,yBAAyB,GAC/B,MAAM,cAAc,CAAC;AACtB,OAAO,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAC1C,OAAO,EACL,2BAA2B,EAC3B,gBAAgB,EAChB,2BAA2B,EAC3B,KAAK,WAAW,EAChB,KAAK,gBAAgB,EACrB,KAAK,wBAAwB,EAC7B,KAAK,sBAAsB,EAC3B,KAAK,kBAAkB,EACvB,KAAK,kBAAkB,EACvB,KAAK,gBAAgB,EACrB,KAAK,cAAc,EACnB,KAAK,sBAAsB,EAC3B,KAAK,0BAA0B,EAC/B,KAAK,wBAAwB,GAC9B,MAAM,UAAU,CAAC;AAClB,OAAO,EACL,uBAAuB,EACvB,iBAAiB,EACjB,mBAAmB,EACnB,oBAAoB,EACpB,KAAK,wBAAwB,EAC7B,KAAK,wBAAwB,EAC7B,KAAK,yBAAyB,EAC9B,KAAK,cAAc,EACnB,KAAK,qBAAqB,GAC3B,MAAM,cAAc,CAAC;AACtB,OAAO,EACL,4BAA4B,EAC5B,cAAc,EACd,qBAAqB,EACrB,qBAAqB,EACrB,kBAAkB,EAClB,iBAAiB,GAClB,MAAM,cAAc,CAAC;AACtB,OAAO,EAAE,sBAAsB,EAAE,MAAM,iBAAiB,CAAC;AACzD,YAAY,EACV,iBAAiB,EACjB,gBAAgB,EAChB,iBAAiB,EACjB,UAAU,EACV,cAAc,EACd,mBAAmB,EACnB,kBAAkB,EAClB,qBAAqB,EACrB,cAAc,EACd,mBAAmB,EACnB,SAAS,EACT,aAAa,EACb,cAAc,EACd,aAAa,EACb,WAAW,EACX,iBAAiB,EACjB,4BAA4B,EAC5B,cAAc,EACd,kBAAkB,EAClB,cAAc,EACd,aAAa,EACb,gBAAgB,EAChB,cAAc,EACd,cAAc,EACd,2BAA2B,EAC3B,2BAA2B,EAC3B,kCAAkC,EAClC,mCAAmC,EACnC,2BAA2B,EAC3B,gCAAgC,EAChC,iBAAiB,EACjB,cAAc,EACd,gBAAgB,EAChB,sBAAsB,EACtB,iBAAiB,EACjB,qBAAqB,EACrB,eAAe,EACf,mBAAmB,EACnB,QAAQ,GACT,MAAM,YAAY,CAAC;AACpB,OAAO,EACL,iBAAiB,EACjB,wBAAwB,EACxB,gBAAgB,EAChB,oBAAoB,EACpB,sBAAsB,GACvB,MAAM,mBAAmB,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,8BAA8B,EAC9B,KAAK,2BAA2B,EAChC,KAAK,kCAAkC,EACvC,KAAK,2BAA2B,EAChC,KAAK,yBAAyB,GAC/B,MAAM,cAAc,CAAC;AACtB,OAAO,EACL,0BAA0B,EAC1B,uBAAuB,EACvB,KAAK,wBAAwB,EAC7B,KAAK,2BAA2B,EAChC,KAAK,0BAA0B,EAC/B,KAAK,8BAA8B,GACpC,MAAM,wBAAwB,CAAC;AAChC,OAAO,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAC1C,OAAO,EACL,sBAAsB,EACtB,KAAK,qBAAqB,EAC1B,KAAK,6BAA6B,EAClC,KAAK,sBAAsB,GAC5B,MAAM,qBAAqB,CAAC;AAC7B,OAAO,EACL,2BAA2B,EAC3B,gBAAgB,EAChB,2BAA2B,EAC3B,KAAK,WAAW,EAChB,KAAK,gBAAgB,EACrB,KAAK,wBAAwB,EAC7B,KAAK,sBAAsB,EAC3B,KAAK,kBAAkB,EACvB,KAAK,kBAAkB,EACvB,KAAK,gBAAgB,EACrB,KAAK,cAAc,EACnB,KAAK,sBAAsB,EAC3B,KAAK,0BAA0B,EAC/B,KAAK,wBAAwB,GAC9B,MAAM,UAAU,CAAC;AAClB,OAAO,EACL,uBAAuB,EACvB,iBAAiB,EACjB,mBAAmB,EACnB,oBAAoB,EACpB,KAAK,wBAAwB,EAC7B,KAAK,wBAAwB,EAC7B,KAAK,yBAAyB,EAC9B,KAAK,cAAc,EACnB,KAAK,qBAAqB,GAC3B,MAAM,cAAc,CAAC;AACtB,OAAO,EACL,4BAA4B,EAC5B,cAAc,EACd,qBAAqB,EACrB,qBAAqB,EACrB,kBAAkB,EAClB,iBAAiB,GAClB,MAAM,cAAc,CAAC;AACtB,OAAO,EAAE,sBAAsB,EAAE,MAAM,iBAAiB,CAAC;AACzD,YAAY,EACV,iBAAiB,EACjB,gBAAgB,EAChB,iBAAiB,EACjB,UAAU,EACV,cAAc,EACd,mBAAmB,EACnB,kBAAkB,EAClB,qBAAqB,EACrB,cAAc,EACd,mBAAmB,EACnB,SAAS,EACT,aAAa,EACb,cAAc,EACd,aAAa,EACb,WAAW,EACX,iBAAiB,EACjB,4BAA4B,EAC5B,cAAc,EACd,kBAAkB,EAClB,cAAc,EACd,aAAa,EACb,gBAAgB,EAChB,cAAc,EACd,cAAc,EACd,2BAA2B,EAC3B,2BAA2B,EAC3B,kCAAkC,EAClC,mCAAmC,EACnC,2BAA2B,EAC3B,gCAAgC,EAChC,iBAAiB,EACjB,cAAc,EACd,gBAAgB,EAChB,sBAAsB,EACtB,iBAAiB,EACjB,qBAAqB,EACrB,eAAe,EACf,mBAAmB,EACnB,QAAQ,GACT,MAAM,YAAY,CAAC;AACpB,OAAO,EACL,6BAA6B,EAC7B,UAAU,EACV,iBAAiB,EACjB,wBAAwB,EACxB,gBAAgB,EAChB,oBAAoB,EACpB,+BAA+B,EAC/B,gBAAgB,EAChB,sBAAsB,GACvB,MAAM,mBAAmB,CAAC"}

package/dist/index.js

@@ -1,8 +1,10 @@
 export { createCatalogSupportResolution, } from "./catalog.js";
+export { analyzeQtiDeliverySecurity, buildQtiDeliverySafeXml, } from "./delivery-security.js";
 export { parseQtiXml } from "./parser.js";
+export { scoreQtiItemServerSide, } from "./server-scoring.js";
 export { createTextToSpeechTraversal, parseQtiDataSsml, validateQtiDataSsmlMetadata, } from "./tts.js";
 export { assertQtiAttemptStateV1, createItemSession, isQtiAttemptStateV1, visibleModalFeedback, } from "./session.js";
 export { deprecatedInteractionSupport, elementSupport, getInteractionSupport, interactionNameToType, interactionSupport, processingSupport, } from "./support.js";
 export { validateAssessmentItem } from "./validation.js";
-export { qtiScalarToString, qtiValueToIdentifierList, qtiValueToString, qtiValueToStringList, unknownToDisplayString, } from "./value-format.js";
+export { isQtiPortableCustomStateValue, isQtiValue, qtiScalarToString, qtiValueToIdentifierList, qtiValueToString, qtiValueToStringList, readQtiPortableCustomStateValue, readQtiJsonValue, unknownToDisplayString, } from "./value-format.js";
 //# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,8BAA8B,GAK/B,MAAM,cAAc,CAAC;AACtB,OAAO,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAC1C,OAAO,EACL,2BAA2B,EAC3B,gBAAgB,EAChB,2BAA2B,GAY5B,MAAM,UAAU,CAAC;AAClB,OAAO,EACL,uBAAuB,EACvB,iBAAiB,EACjB,mBAAmB,EACnB,oBAAoB,GAMrB,MAAM,cAAc,CAAC;AACtB,OAAO,EACL,4BAA4B,EAC5B,cAAc,EACd,qBAAqB,EACrB,qBAAqB,EACrB,kBAAkB,EAClB,iBAAiB,GAClB,MAAM,cAAc,CAAC;AACtB,OAAO,EAAE,sBAAsB,EAAE,MAAM,iBAAiB,CAAC;AA0CzD,OAAO,EACL,iBAAiB,EACjB,wBAAwB,EACxB,gBAAgB,EAChB,oBAAoB,EACpB,sBAAsB,GACvB,MAAM,mBAAmB,CAAC"}
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,8BAA8B,GAK/B,MAAM,cAAc,CAAC;AACtB,OAAO,EACL,0BAA0B,EAC1B,uBAAuB,GAKxB,MAAM,wBAAwB,CAAC;AAChC,OAAO,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAC1C,OAAO,EACL,sBAAsB,GAIvB,MAAM,qBAAqB,CAAC;AAC7B,OAAO,EACL,2BAA2B,EAC3B,gBAAgB,EAChB,2BAA2B,GAY5B,MAAM,UAAU,CAAC;AAClB,OAAO,EACL,uBAAuB,EACvB,iBAAiB,EACjB,mBAAmB,EACnB,oBAAoB,GAMrB,MAAM,cAAc,CAAC;AACtB,OAAO,EACL,4BAA4B,EAC5B,cAAc,EACd,qBAAqB,EACrB,qBAAqB,EACrB,kBAAkB,EAClB,iBAAiB,GAClB,MAAM,cAAc,CAAC;AACtB,OAAO,EAAE,sBAAsB,EAAE,MAAM,iBAAiB,CAAC;AA0CzD,OAAO,EACL,6BAA6B,EAC7B,UAAU,EACV,iBAAiB,EACjB,wBAAwB,EACxB,gBAAgB,EAChB,oBAAoB,EACpB,+BAA+B,EAC/B,gBAAgB,EAChB,sBAAsB,GACvB,MAAM,mBAAmB,CAAC"}

package/dist/parser.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"parser.d.ts","sourceRoot":"","sources":["../src/parser.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAuBV,cAAc,EAkBf,MAAM,YAAY,CAAC;AAkBpB,wBAAgB,WAAW,CAAC,GAAG,EAAE,MAAM,GAAG,cAAc,CAgDvD"}
+{"version":3,"file":"parser.d.ts","sourceRoot":"","sources":["../src/parser.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAuBV,cAAc,EAkBf,MAAM,YAAY,CAAC;AAkBpB,wBAAgB,WAAW,CAAC,GAAG,EAAE,MAAM,GAAG,cAAc,CAoDvD"}

package/dist/parser.js

@@ -24,6 +24,9 @@ export function parseQtiXml(xml) {
             message: error.message,
         });
     }
+    if (tree.errors.length > 0) {
+        return { ok: false, diagnostics };
+    }
     if (!tree.root) {
         diagnostics.push({
             code: "xml.empty",