@mappoh/nova 0.1.16

package/dist/security/cors.d.ts

@@ -0,0 +1,61 @@
+/**
+ * Nova Engine — CORS (Cross-Origin Resource Sharing)
+ *
+ * Client-side CORS preflight validation, origin checking,
+ * request header management, and middleware-style guards
+ * for controlling cross-origin behavior.
+ */
+export interface CORSOptions {
+    /** Allowed origins. Use '*' for any, or specific origins. Default: [location.origin] */
+    allowedOrigins?: string[] | '*';
+    /** Allowed HTTP methods. Default: ['GET','HEAD','POST','PUT','PATCH','DELETE','OPTIONS'] */
+    allowedMethods?: string[];
+    /** Allowed request headers. Default: common safe headers */
+    allowedHeaders?: string[];
+    /** Headers exposed to the client. Default: [] */
+    exposedHeaders?: string[];
+    /** Allow credentials (cookies, auth headers). Default: false */
+    credentials?: boolean;
+    /** Preflight cache duration in seconds. Default: 86400 (24h) */
+    maxAge?: number;
+    /** Called when an origin is blocked */
+    onBlocked?: (origin: string, reason: string) => void;
+}
+export interface CORSInstance {
+    /** Check if an origin is allowed */
+    isAllowed(origin: string): boolean;
+    /** Check if a method is allowed */
+    isMethodAllowed(method: string): boolean;
+    /** Check if a header is allowed */
+    isHeaderAllowed(header: string): boolean;
+    /** Validate a full request (origin + method + headers) */
+    validate(request: {
+        origin: string;
+        method: string;
+        headers?: string[];
+    }): CORSValidation;
+    /** Get CORS response headers for an origin */
+    headers(origin: string): Record<string, string>;
+    /** Get preflight (OPTIONS) response headers */
+    preflightHeaders(origin: string, requestMethod?: string, requestHeaders?: string[]): Record<string, string>;
+    /** Wrap fetch with CORS-aware defaults */
+    fetch(url: string, init?: RequestInit): Promise<Response>;
+    /** Add an origin to the allowlist at runtime */
+    addOrigin(origin: string): void;
+    /** Remove an origin from the allowlist */
+    removeOrigin(origin: string): void;
+    /** Get current configuration */
+    config(): Readonly<CORSOptions>;
+}
+export interface CORSValidation {
+    allowed: boolean;
+    reason?: string;
+    headers: Record<string, string>;
+}
+/** Check if a request would trigger a CORS preflight. */
+export declare function wouldPreflight(method: string, headers?: Record<string, string>): boolean;
+/** Parse an origin from a URL string. */
+export declare function parseOrigin(url: string): string | null;
+/** Create a CORS configuration instance. */
+export declare function createCORS(options?: CORSOptions): CORSInstance;
+//# sourceMappingURL=cors.d.ts.map

package/dist/security/cors.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"cors.d.ts","sourceRoot":"","sources":["../../src/security/cors.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,MAAM,WAAW,WAAW;IAC1B,wFAAwF;IACxF,cAAc,CAAC,EAAE,MAAM,EAAE,GAAG,GAAG,CAAC;IAChC,4FAA4F;IAC5F,cAAc,CAAC,EAAE,MAAM,EAAE,CAAC;IAC1B,4DAA4D;IAC5D,cAAc,CAAC,EAAE,MAAM,EAAE,CAAC;IAC1B,iDAAiD;IACjD,cAAc,CAAC,EAAE,MAAM,EAAE,CAAC;IAC1B,gEAAgE;IAChE,WAAW,CAAC,EAAE,OAAO,CAAC;IACtB,gEAAgE;IAChE,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,uCAAuC;IACvC,SAAS,CAAC,EAAE,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,KAAK,IAAI,CAAC;CACtD;AAED,MAAM,WAAW,YAAY;IAC3B,oCAAoC;IACpC,SAAS,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC;IACnC,mCAAmC;IACnC,eAAe,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC;IACzC,mCAAmC;IACnC,eAAe,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC;IACzC,0DAA0D;IAC1D,QAAQ,CAAC,OAAO,EAAE;QAAE,MAAM,EAAE,MAAM,CAAC;QAAC,MAAM,EAAE,MAAM,CAAC;QAAC,OAAO,CAAC,EAAE,MAAM,EAAE,CAAA;KAAE,GAAG,cAAc,CAAC;IAC1F,8CAA8C;IAC9C,OAAO,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAChD,+CAA+C;IAC/C,gBAAgB,CAAC,MAAM,EAAE,MAAM,EAAE,aAAa,CAAC,EAAE,MAAM,EAAE,cAAc,CAAC,EAAE,MAAM,EAAE,GAAG,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAC5G,0CAA0C;IAC1C,KAAK,CAAC,GAAG,EAAE,MAAM,EAAE,IAAI,CAAC,EAAE,WAAW,GAAG,OAAO,CAAC,QAAQ,CAAC,CAAC;IAC1D,gDAAgD;IAChD,SAAS,CAAC,MAAM,EAAE,MAAM,GAAG,IAAI,CAAC;IAChC,0CAA0C;IAC1C,YAAY,CAAC,MAAM,EAAE,MAAM,GAAG,IAAI,CAAC;IACnC,gCAAgC;IAChC,MAAM,IAAI,QAAQ,CAAC,WAAW,CAAC,CAAC;CACjC;AAED,MAAM,WAAW,cAAc;IAC7B,OAAO,EAAE,OAAO,CAAC;IACjB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;CACjC;AAyBD,yDAAyD;AACzD,wBAAgB,cAAc,CAAC,MAAM,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,GAAG,OAAO,CAcxF;AAED,yCAAyC;AACzC,wBAAgB,WAAW,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI,CAOtD;AAED,4CAA4C;AAC5C,wBAAgB,UAAU,CAAC,OAAO,GAAE,WAAgB,GAAG,YAAY,CA2IlE"}

package/dist/security/cors.js

@@ -0,0 +1,174 @@
+/**
+ * Nova Engine — CORS (Cross-Origin Resource Sharing)
+ *
+ * Client-side CORS preflight validation, origin checking,
+ * request header management, and middleware-style guards
+ * for controlling cross-origin behavior.
+ */
+const DEFAULT_ALLOWED_HEADERS = [
+    'Accept',
+    'Accept-Language',
+    'Content-Language',
+    'Content-Type',
+    'Authorization',
+    'X-Requested-With',
+    'X-CSRF-Token',
+];
+const DEFAULT_METHODS = ['GET', 'HEAD', 'POST', 'PUT', 'PATCH', 'DELETE', 'OPTIONS'];
+// Simple headers that don't trigger a preflight
+const SIMPLE_HEADERS = new Set([
+    'accept', 'accept-language', 'content-language', 'content-type',
+]);
+const SIMPLE_CONTENT_TYPES = new Set([
+    'application/x-www-form-urlencoded',
+    'multipart/form-data',
+    'text/plain',
+]);
+/** Check if a request would trigger a CORS preflight. */
+export function wouldPreflight(method, headers) {
+    // Non-simple methods trigger preflight
+    if (!['GET', 'HEAD', 'POST'].includes(method.toUpperCase()))
+        return true;
+    if (headers) {
+        for (const [key, value] of Object.entries(headers)) {
+            const lower = key.toLowerCase();
+            if (!SIMPLE_HEADERS.has(lower))
+                return true;
+            // Content-Type must be a simple type
+            if (lower === 'content-type' && !SIMPLE_CONTENT_TYPES.has(value.toLowerCase()))
+                return true;
+        }
+    }
+    return false;
+}
+/** Parse an origin from a URL string. */
+export function parseOrigin(url) {
+    try {
+        const parsed = new URL(url);
+        return parsed.origin;
+    }
+    catch {
+        return null;
+    }
+}
+/** Create a CORS configuration instance. */
+export function createCORS(options = {}) {
+    const allowedOrigins = options.allowedOrigins === '*'
+        ? '*'
+        : new Set(options.allowedOrigins ?? [location.origin]);
+    const allowedMethods = new Set((options.allowedMethods ?? DEFAULT_METHODS).map(m => m.toUpperCase()));
+    const allowedHeaders = new Set((options.allowedHeaders ?? DEFAULT_ALLOWED_HEADERS).map(h => h.toLowerCase()));
+    const exposedHeaders = options.exposedHeaders ?? [];
+    const credentials = options.credentials ?? false;
+    const maxAge = options.maxAge ?? 86400;
+    const onBlocked = options.onBlocked;
+    function checkOrigin(origin) {
+        if (allowedOrigins === '*')
+            return true;
+        return allowedOrigins.has(origin);
+    }
+    function checkMethod(method) {
+        return allowedMethods.has(method.toUpperCase());
+    }
+    function checkHeader(header) {
+        return allowedHeaders.has(header.toLowerCase());
+    }
+    function block(origin, reason) {
+        onBlocked?.(origin, reason);
+        return { allowed: false, reason, headers: {} };
+    }
+    const instance = {
+        isAllowed(origin) {
+            return checkOrigin(origin);
+        },
+        isMethodAllowed(method) {
+            return checkMethod(method);
+        },
+        isHeaderAllowed(header) {
+            return checkHeader(header);
+        },
+        validate(request) {
+            if (!checkOrigin(request.origin)) {
+                return block(request.origin, `Origin '${request.origin}' is not allowed`);
+            }
+            if (!checkMethod(request.method)) {
+                return block(request.origin, `Method '${request.method}' is not allowed`);
+            }
+            if (request.headers) {
+                for (const h of request.headers) {
+                    if (!checkHeader(h)) {
+                        return block(request.origin, `Header '${h}' is not allowed`);
+                    }
+                }
+            }
+            return {
+                allowed: true,
+                headers: instance.headers(request.origin),
+            };
+        },
+        headers(origin) {
+            if (!checkOrigin(origin))
+                return {};
+            const h = {};
+            // When credentials are true, must echo specific origin (not *)
+            if (allowedOrigins === '*' && !credentials) {
+                h['Access-Control-Allow-Origin'] = '*';
+            }
+            else {
+                h['Access-Control-Allow-Origin'] = origin;
+                h['Vary'] = 'Origin';
+            }
+            if (credentials) {
+                h['Access-Control-Allow-Credentials'] = 'true';
+            }
+            if (exposedHeaders.length > 0) {
+                h['Access-Control-Expose-Headers'] = exposedHeaders.join(', ');
+            }
+            return h;
+        },
+        preflightHeaders(origin, _requestMethod, requestHeaders) {
+            const h = instance.headers(origin);
+            if (Object.keys(h).length === 0)
+                return h; // Origin blocked
+            h['Access-Control-Allow-Methods'] = [...allowedMethods].join(', ');
+            h['Access-Control-Allow-Headers'] = requestHeaders?.join(', ') ?? [...allowedHeaders].join(', ');
+            h['Access-Control-Max-Age'] = String(maxAge);
+            return h;
+        },
+        async fetch(url, init) {
+            const fetchInit = { ...init };
+            if (credentials) {
+                fetchInit.credentials = 'include';
+            }
+            // Ensure mode is cors for cross-origin requests
+            const targetOrigin = parseOrigin(url);
+            if (targetOrigin && targetOrigin !== location.origin) {
+                fetchInit.mode = 'cors';
+            }
+            return globalThis.fetch(url, fetchInit);
+        },
+        addOrigin(origin) {
+            if (allowedOrigins !== '*') {
+                allowedOrigins.add(origin);
+            }
+        },
+        removeOrigin(origin) {
+            if (allowedOrigins !== '*') {
+                allowedOrigins.delete(origin);
+            }
+        },
+        config() {
+            return Object.freeze({
+                allowedOrigins: allowedOrigins === '*' ? '*' : [...allowedOrigins],
+                allowedMethods: [...allowedMethods],
+                allowedHeaders: [...allowedHeaders],
+                exposedHeaders: [...exposedHeaders],
+                credentials,
+                maxAge,
+                onBlocked,
+            });
+        },
+    };
+    return instance;
+}
+//# sourceMappingURL=cors.js.map

package/dist/security/cors.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"cors.js","sourceRoot":"","sources":["../../src/security/cors.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAgDH,MAAM,uBAAuB,GAAG;IAC9B,QAAQ;IACR,iBAAiB;IACjB,kBAAkB;IAClB,cAAc;IACd,eAAe;IACf,kBAAkB;IAClB,cAAc;CACf,CAAC;AAEF,MAAM,eAAe,GAAG,CAAC,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE,OAAO,EAAE,QAAQ,EAAE,SAAS,CAAC,CAAC;AAErF,gDAAgD;AAChD,MAAM,cAAc,GAAG,IAAI,GAAG,CAAC;IAC7B,QAAQ,EAAE,iBAAiB,EAAE,kBAAkB,EAAE,cAAc;CAChE,CAAC,CAAC;AAEH,MAAM,oBAAoB,GAAG,IAAI,GAAG,CAAC;IACnC,mCAAmC;IACnC,qBAAqB;IACrB,YAAY;CACb,CAAC,CAAC;AAEH,yDAAyD;AACzD,MAAM,UAAU,cAAc,CAAC,MAAc,EAAE,OAAgC;IAC7E,uCAAuC;IACvC,IAAI,CAAC,CAAC,KAAK,EAAE,MAAM,EAAE,MAAM,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,WAAW,EAAE,CAAC;QAAE,OAAO,IAAI,CAAC;IAEzE,IAAI,OAAO,EAAE,CAAC;QACZ,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,OAAO,CAAC,EAAE,CAAC;YACnD,MAAM,KAAK,GAAG,GAAG,CAAC,WAAW,EAAE,CAAC;YAChC,IAAI,CAAC,cAAc,CAAC,GAAG,CAAC,KAAK,CAAC;gBAAE,OAAO,IAAI,CAAC;YAC5C,qCAAqC;YACrC,IAAI,KAAK,KAAK,cAAc,IAAI,CAAC,oBAAoB,CAAC,GAAG,CAAC,KAAK,CAAC,WAAW,EAAE,CAAC;gBAAE,OAAO,IAAI,CAAC;QAC9F,CAAC;IACH,CAAC;IAED,OAAO,KAAK,CAAC;AACf,CAAC;AAED,yCAAyC;AACzC,MAAM,UAAU,WAAW,CAAC,GAAW;IACrC,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,CAAC;QAC5B,OAAO,MAAM,CAAC,MAAM,CAAC;IACvB,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED,4CAA4C;AAC5C,MAAM,UAAU,UAAU,CAAC,UAAuB,EAAE;IAClD,MAAM,cAAc,GAAsB,OAAO,CAAC,cAAc,KAAK,GAAG;QACtE,CAAC,CAAC,GAAG;QACL,CAAC,CAAC,IAAI,GAAG,CAAC,OAAO,CAAC,cAAc,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC;IACzD,MAAM,cAAc,GAAG,IAAI,GAAG,CAAC,CAAC,OAAO,CAAC,cAAc,IAAI,eAAe,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,WAAW,EAAE,CAAC,CAAC,CAAC;IACtG,MAAM,cAAc,GAAG,IAAI,GAAG,CAAC,CAAC,OAAO,CAAC,cAAc,IAAI,uBAAuB,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,WAAW,EAAE,CAAC,CAAC,CAAC;IAC9G,MAAM,cAAc,GAAG,OAAO,CAAC,cAAc,IAAI,EAAE,CAAC;IACpD,MAAM,WAAW,GAAG,OAAO,CAAC,WAAW,IAAI,KAAK,CAAC;IACjD,MAAM,MAAM,GAAG,OAAO,CAAC,MAAM,IAAI,KAAK,CAAC;IACvC,MAAM,SAAS,GAAG,OAAO,CAAC,SAAS,CAAC;IAEpC,SAAS,WAAW,CAAC,MAAc;QACjC,IAAI,cAAc,KAAK,GAAG;YAAE,OAAO,IAAI,CAAC;QACxC,OAAO,cAAc,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;IACpC,CAAC;IAED,SAAS,WAAW,CAAC,MAAc;QACjC,OAAO,cAAc,CAAC,GAAG,CAAC,MAAM,CAAC,WAAW,EAAE,CAAC,CAAC;IAClD,CAAC;IAED,SAAS,WAAW,CAAC,MAAc;QACjC,OAAO,cAAc,CAAC,GAAG,CAAC,MAAM,CAAC,WAAW,EAAE,CAAC,CAAC;IAClD,CAAC;IAED,SAAS,KAAK,CAAC,MAAc,EAAE,MAAc;QAC3C,SAAS,EAAE,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;QAC5B,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,MAAM,EAAE,OAAO,EAAE,EAAE,EAAE,CAAC;IACjD,CAAC;IAED,MAAM,QAAQ,GAAiB;QAC7B,SAAS,CAAC,MAAc;YACtB,OAAO,WAAW,CAAC,MAAM,CAAC,CAAC;QAC7B,CAAC;QAED,eAAe,CAAC,MAAc;YAC5B,OAAO,WAAW,CAAC,MAAM,CAAC,CAAC;QAC7B,CAAC;QAED,eAAe,CAAC,MAAc;YAC5B,OAAO,WAAW,CAAC,MAAM,CAAC,CAAC;QAC7B,CAAC;QAED,QAAQ,CAAC,OAAO;YACd,IAAI,CAAC,WAAW,CAAC,OAAO,CAAC,MAAM,CAAC,EAAE,CAAC;gBACjC,OAAO,KAAK,CAAC,OAAO,CAAC,MAAM,EAAE,WAAW,OAAO,CAAC,MAAM,kBAAkB,CAAC,CAAC;YAC5E,CAAC;YACD,IAAI,CAAC,WAAW,CAAC,OAAO,CAAC,MAAM,CAAC,EAAE,CAAC;gBACjC,OAAO,KAAK,CAAC,OAAO,CAAC,MAAM,EAAE,WAAW,OAAO,CAAC,MAAM,kBAAkB,CAAC,CAAC;YAC5E,CAAC;YACD,IAAI,OAAO,CAAC,OAAO,EAAE,CAAC;gBACpB,KAAK,MAAM,CAAC,IAAI,OAAO,CAAC,OAAO,EAAE,CAAC;oBAChC,IAAI,CAAC,WAAW,CAAC,CAAC,CAAC,EAAE,CAAC;wBACpB,OAAO,KAAK,CAAC,OAAO,CAAC,MAAM,EAAE,WAAW,CAAC,kBAAkB,CAAC,CAAC;oBAC/D,CAAC;gBACH,CAAC;YACH,CAAC;YACD,OAAO;gBACL,OAAO,EAAE,IAAI;gBACb,OAAO,EAAE,QAAQ,CAAC,OAAO,CAAC,OAAO,CAAC,MAAM,CAAC;aAC1C,CAAC;QACJ,CAAC;QAED,OAAO,CAAC,MAAc;YACpB,IAAI,CAAC,WAAW,CAAC,MAAM,CAAC;gBAAE,OAAO,EAAE,CAAC;YAEpC,MAAM,CAAC,GAA2B,EAAE,CAAC;YAErC,+DAA+D;YAC/D,IAAI,cAAc,KAAK,GAAG,IAAI,CAAC,WAAW,EAAE,CAAC;gBAC3C,CAAC,CAAC,6BAA6B,CAAC,GAAG,GAAG,CAAC;YACzC,CAAC;iBAAM,CAAC;gBACN,CAAC,CAAC,6BAA6B,CAAC,GAAG,MAAM,CAAC;gBAC1C,CAAC,CAAC,MAAM,CAAC,GAAG,QAAQ,CAAC;YACvB,CAAC;YAED,IAAI,WAAW,EAAE,CAAC;gBAChB,CAAC,CAAC,kCAAkC,CAAC,GAAG,MAAM,CAAC;YACjD,CAAC;YAED,IAAI,cAAc,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBAC9B,CAAC,CAAC,+BAA+B,CAAC,GAAG,cAAc,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YACjE,CAAC;YAED,OAAO,CAAC,CAAC;QACX,CAAC;QAED,gBAAgB,CAAC,MAAc,EAAE,cAAuB,EAAE,cAAyB;YACjF,MAAM,CAAC,GAAG,QAAQ,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;YACnC,IAAI,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,MAAM,KAAK,CAAC;gBAAE,OAAO,CAAC,CAAC,CAAC,iBAAiB;YAE5D,CAAC,CAAC,8BAA8B,CAAC,GAAG,CAAC,GAAG,cAAc,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YACnE,CAAC,CAAC,8BAA8B,CAAC,GAAG,cAAc,EAAE,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,cAAc,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YACjG,CAAC,CAAC,wBAAwB,CAAC,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC;YAE7C,OAAO,CAAC,CAAC;QACX,CAAC;QAED,KAAK,CAAC,KAAK,CAAC,GAAW,EAAE,IAAkB;YACzC,MAAM,SAAS,GAAgB,EAAE,GAAG,IAAI,EAAE,CAAC;YAE3C,IAAI,WAAW,EAAE,CAAC;gBAChB,SAAS,CAAC,WAAW,GAAG,SAAS,CAAC;YACpC,CAAC;YAED,gDAAgD;YAChD,MAAM,YAAY,GAAG,WAAW,CAAC,GAAG,CAAC,CAAC;YACtC,IAAI,YAAY,IAAI,YAAY,KAAK,QAAQ,CAAC,MAAM,EAAE,CAAC;gBACrD,SAAS,CAAC,IAAI,GAAG,MAAM,CAAC;YAC1B,CAAC;YAED,OAAO,UAAU,CAAC,KAAK,CAAC,GAAG,EAAE,SAAS,CAAC,CAAC;QAC1C,CAAC;QAED,SAAS,CAAC,MAAc;YACtB,IAAI,cAAc,KAAK,GAAG,EAAE,CAAC;gBAC3B,cAAc,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;YAC7B,CAAC;QACH,CAAC;QAED,YAAY,CAAC,MAAc;YACzB,IAAI,cAAc,KAAK,GAAG,EAAE,CAAC;gBAC3B,cAAc,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;YAChC,CAAC;QACH,CAAC;QAED,MAAM;YACJ,OAAO,MAAM,CAAC,MAAM,CAAC;gBACnB,cAAc,EAAE,cAAc,KAAK,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,cAAc,CAAC;gBAClE,cAAc,EAAE,CAAC,GAAG,cAAc,CAAC;gBACnC,cAAc,EAAE,CAAC,GAAG,cAAc,CAAC;gBACnC,cAAc,EAAE,CAAC,GAAG,cAAc,CAAC;gBACnC,WAAW;gBACX,MAAM;gBACN,SAAS;aACV,CAAC,CAAC;QACL,CAAC;KACF,CAAC;IAEF,OAAO,QAAQ,CAAC;AAClB,CAAC"}

package/dist/security/csp.d.ts

@@ -0,0 +1,49 @@
+/**
+ * Nova Engine — Content Security Policy Builder
+ *
+ * Fluent API for constructing CSP headers and meta tags.
+ * Supports all CSP Level 3 directives, nonce generation,
+ * and report-only mode.
+ */
+export type CSPDirective = 'default-src' | 'script-src' | 'style-src' | 'img-src' | 'font-src' | 'connect-src' | 'media-src' | 'object-src' | 'frame-src' | 'child-src' | 'worker-src' | 'manifest-src' | 'base-uri' | 'form-action' | 'frame-ancestors' | 'navigate-to' | 'report-uri' | 'report-to' | 'upgrade-insecure-requests' | 'block-all-mixed-content' | 'plugin-types' | 'sandbox' | 'require-trusted-types-for' | 'trusted-types';
+export type CSPValue = "'self'" | "'none'" | "'unsafe-inline'" | "'unsafe-eval'" | "'strict-dynamic'" | "'unsafe-hashes'" | "'wasm-unsafe-eval'" | `'nonce-${string}'` | `'sha256-${string}'` | `'sha384-${string}'` | `'sha512-${string}'` | 'data:' | 'blob:' | 'mediastream:' | 'filesystem:' | 'https:' | 'http:' | '*' | string;
+export interface CSPBuilder {
+    /** Add values to a directive */
+    add(directive: CSPDirective, ...values: CSPValue[]): CSPBuilder;
+    /** Set a directive (replaces existing values) */
+    set(directive: CSPDirective, ...values: CSPValue[]): CSPBuilder;
+    /** Remove a directive entirely */
+    remove(directive: CSPDirective): CSPBuilder;
+    /** Generate a nonce and add it to script-src and/or style-src */
+    nonce(directives?: CSPDirective[]): string;
+    /** Add a hash for inline script/style */
+    hash(directive: 'script-src' | 'style-src', algorithm: 'sha256' | 'sha384' | 'sha512', hash: string): CSPBuilder;
+    /** Enable report-only mode */
+    reportOnly(): CSPBuilder;
+    /** Set report-to endpoint */
+    reportTo(endpoint: string): CSPBuilder;
+    /** Build the CSP header string */
+    toString(): string;
+    /** Get the header name (Content-Security-Policy or Content-Security-Policy-Report-Only) */
+    headerName(): string;
+    /** Inject as a meta tag into the document */
+    injectMeta(): HTMLMetaElement;
+    /** Remove the injected meta tag */
+    removeMeta(): void;
+    /** Get all generated nonces */
+    nonces(): string[];
+    /** Clone this builder */
+    clone(): CSPBuilder;
+}
+/** Preset CSP policies for common use cases. */
+export declare const CSPPresets: {
+    /** Strict: self only, no inline, no eval */
+    readonly strict: () => CSPBuilder;
+    /** Standard: self with HTTPS images and common CDNs */
+    readonly standard: () => CSPBuilder;
+    /** API app: self + specific API origins */
+    readonly api: (...origins: string[]) => CSPBuilder;
+};
+/** Create a Content Security Policy builder. */
+export declare function createCSP(): CSPBuilder;
+//# sourceMappingURL=csp.d.ts.map

package/dist/security/csp.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"csp.d.ts","sourceRoot":"","sources":["../../src/security/csp.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,MAAM,MAAM,YAAY,GACpB,aAAa,GAAG,YAAY,GAAG,WAAW,GAAG,SAAS,GACtD,UAAU,GAAG,aAAa,GAAG,WAAW,GAAG,YAAY,GACvD,WAAW,GAAG,WAAW,GAAG,YAAY,GAAG,cAAc,GACzD,UAAU,GAAG,aAAa,GAAG,iBAAiB,GAC9C,aAAa,GAAG,YAAY,GAAG,WAAW,GAC1C,2BAA2B,GAAG,yBAAyB,GACvD,cAAc,GAAG,SAAS,GAAG,2BAA2B,GACxD,eAAe,CAAC;AAEpB,MAAM,MAAM,QAAQ,GAChB,QAAQ,GAAG,QAAQ,GAAG,iBAAiB,GAAG,eAAe,GACzD,kBAAkB,GAAG,iBAAiB,GAAG,oBAAoB,GAC7D,UAAU,MAAM,GAAG,GAAG,WAAW,MAAM,GAAG,GAAG,WAAW,MAAM,GAAG,GAAG,WAAW,MAAM,GAAG,GACxF,OAAO,GAAG,OAAO,GAAG,cAAc,GAAG,aAAa,GAClD,QAAQ,GAAG,OAAO,GAAG,GAAG,GACxB,MAAM,CAAC;AAEX,MAAM,WAAW,UAAU;IACzB,gCAAgC;IAChC,GAAG,CAAC,SAAS,EAAE,YAAY,EAAE,GAAG,MAAM,EAAE,QAAQ,EAAE,GAAG,UAAU,CAAC;IAChE,iDAAiD;IACjD,GAAG,CAAC,SAAS,EAAE,YAAY,EAAE,GAAG,MAAM,EAAE,QAAQ,EAAE,GAAG,UAAU,CAAC;IAChE,kCAAkC;IAClC,MAAM,CAAC,SAAS,EAAE,YAAY,GAAG,UAAU,CAAC;IAC5C,iEAAiE;IACjE,KAAK,CAAC,UAAU,CAAC,EAAE,YAAY,EAAE,GAAG,MAAM,CAAC;IAC3C,yCAAyC;IACzC,IAAI,CAAC,SAAS,EAAE,YAAY,GAAG,WAAW,EAAE,SAAS,EAAE,QAAQ,GAAG,QAAQ,GAAG,QAAQ,EAAE,IAAI,EAAE,MAAM,GAAG,UAAU,CAAC;IACjH,8BAA8B;IAC9B,UAAU,IAAI,UAAU,CAAC;IACzB,6BAA6B;IAC7B,QAAQ,CAAC,QAAQ,EAAE,MAAM,GAAG,UAAU,CAAC;IACvC,kCAAkC;IAClC,QAAQ,IAAI,MAAM,CAAC;IACnB,2FAA2F;IAC3F,UAAU,IAAI,MAAM,CAAC;IACrB,6CAA6C;IAC7C,UAAU,IAAI,eAAe,CAAC;IAC9B,mCAAmC;IACnC,UAAU,IAAI,IAAI,CAAC;IACnB,+BAA+B;IAC/B,MAAM,IAAI,MAAM,EAAE,CAAC;IACnB,yBAAyB;IACzB,KAAK,IAAI,UAAU,CAAC;CACrB;AAED,gDAAgD;AAChD,eAAO,MAAM,UAAU;IACrB,4CAA4C;2BAClC,UAAU;IAapB,uDAAuD;6BAC3C,UAAU;IAWtB,2CAA2C;+BAC3B,MAAM,EAAE,KAAG,UAAU;CAW7B,CAAC;AAWX,gDAAgD;AAChD,wBAAgB,SAAS,IAAI,UAAU,CAiGtC"}

package/dist/security/csp.js

@@ -0,0 +1,143 @@
+/**
+ * Nova Engine — Content Security Policy Builder
+ *
+ * Fluent API for constructing CSP headers and meta tags.
+ * Supports all CSP Level 3 directives, nonce generation,
+ * and report-only mode.
+ */
+/** Preset CSP policies for common use cases. */
+export const CSPPresets = {
+    /** Strict: self only, no inline, no eval */
+    strict() {
+        return createCSP()
+            .set('default-src', "'none'")
+            .set('script-src', "'self'")
+            .set('style-src', "'self'")
+            .set('img-src', "'self'")
+            .set('font-src', "'self'")
+            .set('connect-src', "'self'")
+            .set('base-uri', "'self'")
+            .set('form-action', "'self'")
+            .set('frame-ancestors', "'none'");
+    },
+    /** Standard: self with HTTPS images and common CDNs */
+    standard() {
+        return createCSP()
+            .set('default-src', "'self'")
+            .set('script-src', "'self'")
+            .set('style-src', "'self'", "'unsafe-inline'")
+            .set('img-src', "'self'", 'https:', 'data:')
+            .set('font-src', "'self'", 'https:')
+            .set('connect-src', "'self'", 'https:')
+            .set('frame-ancestors', "'self'");
+    },
+    /** API app: self + specific API origins */
+    api(...origins) {
+        return createCSP()
+            .set('default-src', "'none'")
+            .set('script-src', "'self'")
+            .set('style-src', "'self'")
+            .set('img-src', "'self'", 'data:')
+            .set('font-src', "'self'")
+            .set('connect-src', "'self'", ...origins)
+            .set('base-uri', "'self'")
+            .set('form-action', "'self'");
+    },
+};
+function generateNonce() {
+    const bytes = new Uint8Array(16);
+    crypto.getRandomValues(bytes);
+    // Base64 encode
+    return btoa(String.fromCharCode(...bytes));
+}
+const META_ID = 'nova-csp-meta';
+/** Create a Content Security Policy builder. */
+export function createCSP() {
+    const directives = new Map();
+    let isReportOnly = false;
+    const generatedNonces = [];
+    let metaEl = null;
+    const builder = {
+        add(directive, ...values) {
+            if (!directives.has(directive))
+                directives.set(directive, new Set());
+            const set = directives.get(directive);
+            for (const v of values)
+                set.add(v);
+            return builder;
+        },
+        set(directive, ...values) {
+            directives.set(directive, new Set(values));
+            return builder;
+        },
+        remove(directive) {
+            directives.delete(directive);
+            return builder;
+        },
+        nonce(dirs) {
+            const n = generateNonce();
+            generatedNonces.push(n);
+            const targets = dirs ?? ['script-src', 'style-src'];
+            for (const d of targets) {
+                builder.add(d, `'nonce-${n}'`);
+            }
+            return n;
+        },
+        hash(directive, algorithm, hash) {
+            return builder.add(directive, `'${algorithm}-${hash}'`);
+        },
+        reportOnly() {
+            isReportOnly = true;
+            return builder;
+        },
+        reportTo(endpoint) {
+            return builder.set('report-to', endpoint);
+        },
+        toString() {
+            const parts = [];
+            for (const [directive, values] of directives) {
+                if (values.size === 0) {
+                    parts.push(directive);
+                }
+                else {
+                    parts.push(`${directive} ${[...values].join(' ')}`);
+                }
+            }
+            return parts.join('; ');
+        },
+        headerName() {
+            return isReportOnly ? 'Content-Security-Policy-Report-Only' : 'Content-Security-Policy';
+        },
+        injectMeta() {
+            builder.removeMeta();
+            metaEl = document.createElement('meta');
+            metaEl.id = META_ID;
+            metaEl.setAttribute('http-equiv', isReportOnly ? 'Content-Security-Policy-Report-Only' : 'Content-Security-Policy');
+            metaEl.setAttribute('content', builder.toString());
+            document.head.appendChild(metaEl);
+            return metaEl;
+        },
+        removeMeta() {
+            if (metaEl) {
+                metaEl.remove();
+                metaEl = null;
+            }
+            // Also remove any previously injected
+            document.getElementById(META_ID)?.remove();
+        },
+        nonces() {
+            return [...generatedNonces];
+        },
+        clone() {
+            const cloned = createCSP();
+            for (const [directive, values] of directives) {
+                cloned.set(directive, ...[...values]);
+            }
+            if (isReportOnly)
+                cloned.reportOnly();
+            return cloned;
+        },
+    };
+    return builder;
+}
+//# sourceMappingURL=csp.js.map

package/dist/security/csp.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"csp.js","sourceRoot":"","sources":["../../src/security/csp.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAiDH,gDAAgD;AAChD,MAAM,CAAC,MAAM,UAAU,GAAG;IACxB,4CAA4C;IAC5C,MAAM;QACJ,OAAO,SAAS,EAAE;aACf,GAAG,CAAC,aAAa,EAAE,QAAQ,CAAC;aAC5B,GAAG,CAAC,YAAY,EAAE,QAAQ,CAAC;aAC3B,GAAG,CAAC,WAAW,EAAE,QAAQ,CAAC;aAC1B,GAAG,CAAC,SAAS,EAAE,QAAQ,CAAC;aACxB,GAAG,CAAC,UAAU,EAAE,QAAQ,CAAC;aACzB,GAAG,CAAC,aAAa,EAAE,QAAQ,CAAC;aAC5B,GAAG,CAAC,UAAU,EAAE,QAAQ,CAAC;aACzB,GAAG,CAAC,aAAa,EAAE,QAAQ,CAAC;aAC5B,GAAG,CAAC,iBAAiB,EAAE,QAAQ,CAAC,CAAC;IACtC,CAAC;IAED,uDAAuD;IACvD,QAAQ;QACN,OAAO,SAAS,EAAE;aACf,GAAG,CAAC,aAAa,EAAE,QAAQ,CAAC;aAC5B,GAAG,CAAC,YAAY,EAAE,QAAQ,CAAC;aAC3B,GAAG,CAAC,WAAW,EAAE,QAAQ,EAAE,iBAAiB,CAAC;aAC7C,GAAG,CAAC,SAAS,EAAE,QAAQ,EAAE,QAAQ,EAAE,OAAO,CAAC;aAC3C,GAAG,CAAC,UAAU,EAAE,QAAQ,EAAE,QAAQ,CAAC;aACnC,GAAG,CAAC,aAAa,EAAE,QAAQ,EAAE,QAAQ,CAAC;aACtC,GAAG,CAAC,iBAAiB,EAAE,QAAQ,CAAC,CAAC;IACtC,CAAC;IAED,2CAA2C;IAC3C,GAAG,CAAC,GAAG,OAAiB;QACtB,OAAO,SAAS,EAAE;aACf,GAAG,CAAC,aAAa,EAAE,QAAQ,CAAC;aAC5B,GAAG,CAAC,YAAY,EAAE,QAAQ,CAAC;aAC3B,GAAG,CAAC,WAAW,EAAE,QAAQ,CAAC;aAC1B,GAAG,CAAC,SAAS,EAAE,QAAQ,EAAE,OAAO,CAAC;aACjC,GAAG,CAAC,UAAU,EAAE,QAAQ,CAAC;aACzB,GAAG,CAAC,aAAa,EAAE,QAAQ,EAAE,GAAG,OAAO,CAAC;aACxC,GAAG,CAAC,UAAU,EAAE,QAAQ,CAAC;aACzB,GAAG,CAAC,aAAa,EAAE,QAAQ,CAAC,CAAC;IAClC,CAAC;CACO,CAAC;AAEX,SAAS,aAAa;IACpB,MAAM,KAAK,GAAG,IAAI,UAAU,CAAC,EAAE,CAAC,CAAC;IACjC,MAAM,CAAC,eAAe,CAAC,KAAK,CAAC,CAAC;IAC9B,gBAAgB;IAChB,OAAO,IAAI,CAAC,MAAM,CAAC,YAAY,CAAC,GAAG,KAAK,CAAC,CAAC,CAAC;AAC7C,CAAC;AAED,MAAM,OAAO,GAAG,eAAe,CAAC;AAEhC,gDAAgD;AAChD,MAAM,UAAU,SAAS;IACvB,MAAM,UAAU,GAAG,IAAI,GAAG,EAAuB,CAAC;IAClD,IAAI,YAAY,GAAG,KAAK,CAAC;IACzB,MAAM,eAAe,GAAa,EAAE,CAAC;IACrC,IAAI,MAAM,GAA2B,IAAI,CAAC;IAE1C,MAAM,OAAO,GAAe;QAC1B,GAAG,CAAC,SAAuB,EAAE,GAAG,MAAkB;YAChD,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,SAAS,CAAC;gBAAE,UAAU,CAAC,GAAG,CAAC,SAAS,EAAE,IAAI,GAAG,EAAE,CAAC,CAAC;YACrE,MAAM,GAAG,GAAG,UAAU,CAAC,GAAG,CAAC,SAAS,CAAE,CAAC;YACvC,KAAK,MAAM,CAAC,IAAI,MAAM;gBAAE,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;YACnC,OAAO,OAAO,CAAC;QACjB,CAAC;QAED,GAAG,CAAC,SAAuB,EAAE,GAAG,MAAkB;YAChD,UAAU,CAAC,GAAG,CAAC,SAAS,EAAE,IAAI,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC;YAC3C,OAAO,OAAO,CAAC;QACjB,CAAC;QAED,MAAM,CAAC,SAAuB;YAC5B,UAAU,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;YAC7B,OAAO,OAAO,CAAC;QACjB,CAAC;QAED,KAAK,CAAC,IAAqB;YACzB,MAAM,CAAC,GAAG,aAAa,EAAE,CAAC;YAC1B,eAAe,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;YACxB,MAAM,OAAO,GAAG,IAAI,IAAI,CAAC,YAAY,EAAE,WAAW,CAAC,CAAC;YACpD,KAAK,MAAM,CAAC,IAAI,OAAO,EAAE,CAAC;gBACxB,OAAO,CAAC,GAAG,CAAC,CAAC,EAAE,UAAU,CAAC,GAAe,CAAC,CAAC;YAC7C,CAAC;YACD,OAAO,CAAC,CAAC;QACX,CAAC;QAED,IAAI,CAAC,SAAqC,EAAE,SAAyC,EAAE,IAAY;YACjG,OAAO,OAAO,CAAC,GAAG,CAAC,SAAS,EAAE,IAAI,SAAS,IAAI,IAAI,GAAe,CAAC,CAAC;QACtE,CAAC;QAED,UAAU;YACR,YAAY,GAAG,IAAI,CAAC;YACpB,OAAO,OAAO,CAAC;QACjB,CAAC;QAED,QAAQ,CAAC,QAAgB;YACvB,OAAO,OAAO,CAAC,GAAG,CAAC,WAAW,EAAE,QAAQ,CAAC,CAAC;QAC5C,CAAC;QAED,QAAQ;YACN,MAAM,KAAK,GAAa,EAAE,CAAC;YAC3B,KAAK,MAAM,CAAC,SAAS,EAAE,MAAM,CAAC,IAAI,UAAU,EAAE,CAAC;gBAC7C,IAAI,MAAM,CAAC,IAAI,KAAK,CAAC,EAAE,CAAC;oBACtB,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;gBACxB,CAAC;qBAAM,CAAC;oBACN,KAAK,CAAC,IAAI,CAAC,GAAG,SAAS,IAAI,CAAC,GAAG,MAAM,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;gBACtD,CAAC;YACH,CAAC;YACD,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAC1B,CAAC;QAED,UAAU;YACR,OAAO,YAAY,CAAC,CAAC,CAAC,qCAAqC,CAAC,CAAC,CAAC,yBAAyB,CAAC;QAC1F,CAAC;QAED,UAAU;YACR,OAAO,CAAC,UAAU,EAAE,CAAC;YACrB,MAAM,GAAG,QAAQ,CAAC,aAAa,CAAC,MAAM,CAAC,CAAC;YACxC,MAAM,CAAC,EAAE,GAAG,OAAO,CAAC;YACpB,MAAM,CAAC,YAAY,CAAC,YAAY,EAAE,YAAY,CAAC,CAAC,CAAC,qCAAqC,CAAC,CAAC,CAAC,yBAAyB,CAAC,CAAC;YACpH,MAAM,CAAC,YAAY,CAAC,SAAS,EAAE,OAAO,CAAC,QAAQ,EAAE,CAAC,CAAC;YACnD,QAAQ,CAAC,IAAI,CAAC,WAAW,CAAC,MAAM,CAAC,CAAC;YAClC,OAAO,MAAM,CAAC;QAChB,CAAC;QAED,UAAU;YACR,IAAI,MAAM,EAAE,CAAC;gBACX,MAAM,CAAC,MAAM,EAAE,CAAC;gBAChB,MAAM,GAAG,IAAI,CAAC;YAChB,CAAC;YACD,sCAAsC;YACtC,QAAQ,CAAC,cAAc,CAAC,OAAO,CAAC,EAAE,MAAM,EAAE,CAAC;QAC7C,CAAC;QAED,MAAM;YACJ,OAAO,CAAC,GAAG,eAAe,CAAC,CAAC;QAC9B,CAAC;QAED,KAAK;YACH,MAAM,MAAM,GAAG,SAAS,EAAE,CAAC;YAC3B,KAAK,MAAM,CAAC,SAAS,EAAE,MAAM,CAAC,IAAI,UAAU,EAAE,CAAC;gBAC7C,MAAM,CAAC,GAAG,CAAC,SAAyB,EAAE,GAAG,CAAC,GAAG,MAAM,CAAe,CAAC,CAAC;YACtE,CAAC;YACD,IAAI,YAAY;gBAAE,MAAM,CAAC,UAAU,EAAE,CAAC;YACtC,OAAO,MAAM,CAAC;QAChB,CAAC;KACF,CAAC;IAEF,OAAO,OAAO,CAAC;AACjB,CAAC"}

package/dist/security/csrf.d.ts

@@ -0,0 +1,47 @@
+/**
+ * Nova Engine — CSRF Protection
+ *
+ * Token generation, meta tag injection, automatic attachment
+ * to fetch/XHR requests, and double-submit cookie pattern.
+ */
+export interface CSRFOptions {
+    /** Token header name. Default: 'X-CSRF-Token' */
+    headerName?: string;
+    /** Meta tag name to read/write token. Default: 'csrf-token' */
+    metaName?: string;
+    /** Cookie name for double-submit pattern. Default: '_csrf' */
+    cookieName?: string;
+    /** Token byte length (before hex encoding). Default: 32 */
+    tokenLength?: number;
+    /** Auto-attach token to all fetch requests. Default: true */
+    autoAttach?: boolean;
+    /** HTTP methods to protect. Default: ['POST','PUT','PATCH','DELETE'] */
+    protectedMethods?: string[];
+    /** Domains to include (skip for cross-origin). Default: same-origin only */
+    allowedOrigins?: string[];
+}
+export interface CSRFInstance {
+    /** Get the current token */
+    getToken(): string;
+    /** Generate a new token */
+    rotate(): string;
+    /** Inject token into a meta tag */
+    injectMeta(): void;
+    /** Read token from existing meta tag */
+    readMeta(): string | null;
+    /** Set token as a cookie (double-submit pattern) */
+    setCookie(options?: {
+        path?: string;
+        sameSite?: string;
+        secure?: boolean;
+    }): void;
+    /** Validate a token against the stored one */
+    validate(token: string): boolean;
+    /** Get headers object for manual fetch calls */
+    headers(): Record<string, string>;
+    /** Destroy — remove auto-attach, meta tag, etc. */
+    destroy(): void;
+}
+/** Create a CSRF protection instance. */
+export declare function createCSRF(options?: CSRFOptions): CSRFInstance;
+//# sourceMappingURL=csrf.d.ts.map

package/dist/security/csrf.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"csrf.d.ts","sourceRoot":"","sources":["../../src/security/csrf.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,MAAM,WAAW,WAAW;IAC1B,iDAAiD;IACjD,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,+DAA+D;IAC/D,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,8DAA8D;IAC9D,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,2DAA2D;IAC3D,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,6DAA6D;IAC7D,UAAU,CAAC,EAAE,OAAO,CAAC;IACrB,wEAAwE;IACxE,gBAAgB,CAAC,EAAE,MAAM,EAAE,CAAC;IAC5B,4EAA4E;IAC5E,cAAc,CAAC,EAAE,MAAM,EAAE,CAAC;CAC3B;AAED,MAAM,WAAW,YAAY;IAC3B,4BAA4B;IAC5B,QAAQ,IAAI,MAAM,CAAC;IACnB,2BAA2B;IAC3B,MAAM,IAAI,MAAM,CAAC;IACjB,mCAAmC;IACnC,UAAU,IAAI,IAAI,CAAC;IACnB,wCAAwC;IACxC,QAAQ,IAAI,MAAM,GAAG,IAAI,CAAC;IAC1B,oDAAoD;IACpD,SAAS,CAAC,OAAO,CAAC,EAAE;QAAE,IAAI,CAAC,EAAE,MAAM,CAAC;QAAC,QAAQ,CAAC,EAAE,MAAM,CAAC;QAAC,MAAM,CAAC,EAAE,OAAO,CAAA;KAAE,GAAG,IAAI,CAAC;IAClF,8CAA8C;IAC9C,QAAQ,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC;IACjC,gDAAgD;IAChD,OAAO,IAAI,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAClC,mDAAmD;IACnD,OAAO,IAAI,IAAI,CAAC;CACjB;AAiBD,yCAAyC;AACzC,wBAAgB,UAAU,CAAC,OAAO,GAAE,WAAgB,GAAG,YAAY,CAqHlE"}

package/dist/security/csrf.js

@@ -0,0 +1,122 @@
+/**
+ * Nova Engine — CSRF Protection
+ *
+ * Token generation, meta tag injection, automatic attachment
+ * to fetch/XHR requests, and double-submit cookie pattern.
+ */
+function generateToken(length) {
+    const bytes = new Uint8Array(length);
+    crypto.getRandomValues(bytes);
+    return Array.from(bytes, b => b.toString(16).padStart(2, '0')).join('');
+}
+function isSameOrigin(url) {
+    try {
+        const parsed = new URL(url, window.location.origin);
+        return parsed.origin === window.location.origin;
+    }
+    catch {
+        return true; // relative URLs are same-origin
+    }
+}
+/** Create a CSRF protection instance. */
+export function createCSRF(options = {}) {
+    const { headerName = 'X-CSRF-Token', metaName = 'csrf-token', cookieName = '_csrf', tokenLength = 32, autoAttach = true, protectedMethods = ['POST', 'PUT', 'PATCH', 'DELETE'], allowedOrigins = [], } = options;
+    let token = generateToken(tokenLength);
+    const protectedSet = new Set(protectedMethods.map(m => m.toUpperCase()));
+    const originsSet = new Set(allowedOrigins);
+    // Monkey-patch fetch for auto-attach
+    let originalFetch = null;
+    function shouldProtect(url, method) {
+        if (!protectedSet.has(method.toUpperCase()))
+            return false;
+        if (isSameOrigin(url))
+            return true;
+        if (originsSet.size > 0) {
+            try {
+                const parsed = new URL(url, window.location.origin);
+                return originsSet.has(parsed.origin);
+            }
+            catch {
+                return false;
+            }
+        }
+        return false;
+    }
+    if (autoAttach) {
+        originalFetch = globalThis.fetch;
+        globalThis.fetch = function patchedFetch(input, init) {
+            const url = typeof input === 'string' ? input : input instanceof URL ? input.href : input.url;
+            const method = init?.method ?? 'GET';
+            if (shouldProtect(url, method)) {
+                const headers = new Headers(init?.headers);
+                headers.set(headerName, token);
+                return originalFetch.call(globalThis, input, { ...init, headers });
+            }
+            return originalFetch.call(globalThis, input, init);
+        };
+    }
+    const instance = {
+        getToken() {
+            return token;
+        },
+        rotate() {
+            token = generateToken(tokenLength);
+            // Update meta tag if it exists
+            const meta = document.querySelector(`meta[name="${metaName}"]`);
+            if (meta)
+                meta.setAttribute('content', token);
+            return token;
+        },
+        injectMeta() {
+            let meta = document.querySelector(`meta[name="${metaName}"]`);
+            if (!meta) {
+                meta = document.createElement('meta');
+                meta.setAttribute('name', metaName);
+                document.head.appendChild(meta);
+            }
+            meta.setAttribute('content', token);
+        },
+        readMeta() {
+            const meta = document.querySelector(`meta[name="${metaName}"]`);
+            if (meta) {
+                const val = meta.getAttribute('content');
+                if (val)
+                    token = val;
+                return val;
+            }
+            return null;
+        },
+        setCookie(opts) {
+            const path = opts?.path ?? '/';
+            const sameSite = opts?.sameSite ?? 'Strict';
+            const secure = opts?.secure ?? (location.protocol === 'https:');
+            let cookie = `${cookieName}=${token}; Path=${path}; SameSite=${sameSite}`;
+            if (secure)
+                cookie += '; Secure';
+            document.cookie = cookie;
+        },
+        validate(candidate) {
+            if (candidate.length !== token.length)
+                return false;
+            // Constant-time comparison to prevent timing attacks
+            let result = 0;
+            for (let i = 0; i < candidate.length; i++) {
+                result |= candidate.charCodeAt(i) ^ token.charCodeAt(i);
+            }
+            return result === 0;
+        },
+        headers() {
+            return { [headerName]: token };
+        },
+        destroy() {
+            if (originalFetch) {
+                globalThis.fetch = originalFetch;
+                originalFetch = null;
+            }
+            const meta = document.querySelector(`meta[name="${metaName}"]`);
+            meta?.remove();
+        },
+    };
+    return instance;
+}
+//# sourceMappingURL=csrf.js.map

package/dist/security/csrf.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"csrf.js","sourceRoot":"","sources":["../../src/security/csrf.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAsCH,SAAS,aAAa,CAAC,MAAc;IACnC,MAAM,KAAK,GAAG,IAAI,UAAU,CAAC,MAAM,CAAC,CAAC;IACrC,MAAM,CAAC,eAAe,CAAC,KAAK,CAAC,CAAC;IAC9B,OAAO,KAAK,CAAC,IAAI,CAAC,KAAK,EAAE,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;AAC1E,CAAC;AAED,SAAS,YAAY,CAAC,GAAW;IAC/B,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,IAAI,GAAG,CAAC,GAAG,EAAE,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;QACpD,OAAO,MAAM,CAAC,MAAM,KAAK,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC;IAClD,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC,CAAC,gCAAgC;IAC/C,CAAC;AACH,CAAC;AAED,yCAAyC;AACzC,MAAM,UAAU,UAAU,CAAC,UAAuB,EAAE;IAClD,MAAM,EACJ,UAAU,GAAG,cAAc,EAC3B,QAAQ,GAAG,YAAY,EACvB,UAAU,GAAG,OAAO,EACpB,WAAW,GAAG,EAAE,EAChB,UAAU,GAAG,IAAI,EACjB,gBAAgB,GAAG,CAAC,MAAM,EAAE,KAAK,EAAE,OAAO,EAAE,QAAQ,CAAC,EACrD,cAAc,GAAG,EAAE,GACpB,GAAG,OAAO,CAAC;IAEZ,IAAI,KAAK,GAAG,aAAa,CAAC,WAAW,CAAC,CAAC;IACvC,MAAM,YAAY,GAAG,IAAI,GAAG,CAAC,gBAAgB,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,WAAW,EAAE,CAAC,CAAC,CAAC;IACzE,MAAM,UAAU,GAAG,IAAI,GAAG,CAAC,cAAc,CAAC,CAAC;IAE3C,qCAAqC;IACrC,IAAI,aAAa,GAAmC,IAAI,CAAC;IAEzD,SAAS,aAAa,CAAC,GAAW,EAAE,MAAc;QAChD,IAAI,CAAC,YAAY,CAAC,GAAG,CAAC,MAAM,CAAC,WAAW,EAAE,CAAC;YAAE,OAAO,KAAK,CAAC;QAC1D,IAAI,YAAY,CAAC,GAAG,CAAC;YAAE,OAAO,IAAI,CAAC;QACnC,IAAI,UAAU,CAAC,IAAI,GAAG,CAAC,EAAE,CAAC;YACxB,IAAI,CAAC;gBACH,MAAM,MAAM,GAAG,IAAI,GAAG,CAAC,GAAG,EAAE,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;gBACpD,OAAO,UAAU,CAAC,GAAG,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;YACvC,CAAC;YAAC,MAAM,CAAC;gBACP,OAAO,KAAK,CAAC;YACf,CAAC;QACH,CAAC;QACD,OAAO,KAAK,CAAC;IACf,CAAC;IAED,IAAI,UAAU,EAAE,CAAC;QACf,aAAa,GAAG,UAAU,CAAC,KAAK,CAAC;QACjC,UAAU,CAAC,KAAK,GAAG,SAAS,YAAY,CACtC,KAAwB,EACxB,IAAkB;YAElB,MAAM,GAAG,GAAG,OAAO,KAAK,KAAK,QAAQ,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,KAAK,YAAY,GAAG,CAAC,CAAC,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC;YAC9F,MAAM,MAAM,GAAG,IAAI,EAAE,MAAM,IAAI,KAAK,CAAC;YAErC,IAAI,aAAa,CAAC,GAAG,EAAE,MAAM,CAAC,EAAE,CAAC;gBAC/B,MAAM,OAAO,GAAG,IAAI,OAAO,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;gBAC3C,OAAO,CAAC,GAAG,CAAC,UAAU,EAAE,KAAK,CAAC,CAAC;gBAC/B,OAAO,aAAc,CAAC,IAAI,CAAC,UAAU,EAAE,KAAK,EAAE,EAAE,GAAG,IAAI,EAAE,OAAO,EAAE,CAAC,CAAC;YACtE,CAAC;YACD,OAAO,aAAc,CAAC,IAAI,CAAC,UAAU,EAAE,KAAK,EAAE,IAAI,CAAC,CAAC;QACtD,CAAC,CAAC;IACJ,CAAC;IAED,MAAM,QAAQ,GAAiB;QAC7B,QAAQ;YACN,OAAO,KAAK,CAAC;QACf,CAAC;QAED,MAAM;YACJ,KAAK,GAAG,aAAa,CAAC,WAAW,CAAC,CAAC;YACnC,+BAA+B;YAC/B,MAAM,IAAI,GAAG,QAAQ,CAAC,aAAa,CAAC,cAAc,QAAQ,IAAI,CAAC,CAAC;YAChE,IAAI,IAAI;gBAAE,IAAI,CAAC,YAAY,CAAC,SAAS,EAAE,KAAK,CAAC,CAAC;YAC9C,OAAO,KAAK,CAAC;QACf,CAAC;QAED,UAAU;YACR,IAAI,IAAI,GAAG,QAAQ,CAAC,aAAa,CAAC,cAAc,QAAQ,IAAI,CAAC,CAAC;YAC9D,IAAI,CAAC,IAAI,EAAE,CAAC;gBACV,IAAI,GAAG,QAAQ,CAAC,aAAa,CAAC,MAAM,CAAC,CAAC;gBACtC,IAAI,CAAC,YAAY,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC;gBACpC,QAAQ,CAAC,IAAI,CAAC,WAAW,CAAC,IAAI,CAAC,CAAC;YAClC,CAAC;YACD,IAAI,CAAC,YAAY,CAAC,SAAS,EAAE,KAAK,CAAC,CAAC;QACtC,CAAC;QAED,QAAQ;YACN,MAAM,IAAI,GAAG,QAAQ,CAAC,aAAa,CAAC,cAAc,QAAQ,IAAI,CAAC,CAAC;YAChE,IAAI,IAAI,EAAE,CAAC;gBACT,MAAM,GAAG,GAAG,IAAI,CAAC,YAAY,CAAC,SAAS,CAAC,CAAC;gBACzC,IAAI,GAAG;oBAAE,KAAK,GAAG,GAAG,CAAC;gBACrB,OAAO,GAAG,CAAC;YACb,CAAC;YACD,OAAO,IAAI,CAAC;QACd,CAAC;QAED,SAAS,CAAC,IAA6D;YACrE,MAAM,IAAI,GAAG,IAAI,EAAE,IAAI,IAAI,GAAG,CAAC;YAC/B,MAAM,QAAQ,GAAG,IAAI,EAAE,QAAQ,IAAI,QAAQ,CAAC;YAC5C,MAAM,MAAM,GAAG,IAAI,EAAE,MAAM,IAAI,CAAC,QAAQ,CAAC,QAAQ,KAAK,QAAQ,CAAC,CAAC;YAChE,IAAI,MAAM,GAAG,GAAG,UAAU,IAAI,KAAK,UAAU,IAAI,cAAc,QAAQ,EAAE,CAAC;YAC1E,IAAI,MAAM;gBAAE,MAAM,IAAI,UAAU,CAAC;YACjC,QAAQ,CAAC,MAAM,GAAG,MAAM,CAAC;QAC3B,CAAC;QAED,QAAQ,CAAC,SAAiB;YACxB,IAAI,SAAS,CAAC,MAAM,KAAK,KAAK,CAAC,MAAM;gBAAE,OAAO,KAAK,CAAC;YACpD,qDAAqD;YACrD,IAAI,MAAM,GAAG,CAAC,CAAC;YACf,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,SAAS,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;gBAC1C,MAAM,IAAI,SAAS,CAAC,UAAU,CAAC,CAAC,CAAC,GAAG,KAAK,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC;YAC1D,CAAC;YACD,OAAO,MAAM,KAAK,CAAC,CAAC;QACtB,CAAC;QAED,OAAO;YACL,OAAO,EAAE,CAAC,UAAU,CAAC,EAAE,KAAK,EAAE,CAAC;QACjC,CAAC;QAED,OAAO;YACL,IAAI,aAAa,EAAE,CAAC;gBAClB,UAAU,CAAC,KAAK,GAAG,aAAa,CAAC;gBACjC,aAAa,GAAG,IAAI,CAAC;YACvB,CAAC;YACD,MAAM,IAAI,GAAG,QAAQ,CAAC,aAAa,CAAC,cAAc,QAAQ,IAAI,CAAC,CAAC;YAChE,IAAI,EAAE,MAAM,EAAE,CAAC;QACjB,CAAC;KACF,CAAC;IAEF,OAAO,QAAQ,CAAC;AAClB,CAAC"}