@mappoh/nova 0.1.16

package/dist/security/encrypt.d.ts

@@ -0,0 +1,64 @@
+/**
+ * Nova Engine — Encryption
+ *
+ * Web Crypto API wrappers for AES-GCM encryption/decryption,
+ * SHA hashing, HMAC signing, key derivation (PBKDF2),
+ * and secure random generation.
+ */
+export interface EncryptedPayload {
+    /** Base64-encoded ciphertext */
+    ciphertext: string;
+    /** Base64-encoded initialization vector */
+    iv: string;
+    /** Algorithm used */
+    algorithm: string;
+}
+export interface KeyPair {
+    /** Exported public key (JWK) */
+    publicKey: JsonWebKey;
+    /** Exported private key (JWK) */
+    privateKey: JsonWebKey;
+}
+/** Generate a random AES-GCM key. */
+export declare function generateKey(length?: 128 | 192 | 256): Promise<CryptoKey>;
+/** Export a CryptoKey to a JSON Web Key. */
+export declare function exportKey(key: CryptoKey): Promise<JsonWebKey>;
+/** Import a JSON Web Key as a CryptoKey. */
+export declare function importKey(jwk: JsonWebKey, usages?: KeyUsage[]): Promise<CryptoKey>;
+/** Encrypt plaintext with AES-GCM. */
+export declare function encrypt(plaintext: string, key: CryptoKey): Promise<EncryptedPayload>;
+/** Decrypt an AES-GCM encrypted payload. */
+export declare function decrypt(payload: EncryptedPayload, key: CryptoKey): Promise<string>;
+/** Derive an AES key from a password using PBKDF2. */
+export declare function deriveKey(password: string, salt?: string, iterations?: number, keyLength?: 128 | 192 | 256): Promise<{
+    key: CryptoKey;
+    salt: string;
+}>;
+export type HashAlgorithm = 'SHA-1' | 'SHA-256' | 'SHA-384' | 'SHA-512';
+/** Hash a string using the specified algorithm. Returns hex string. */
+export declare function hash(data: string, algorithm?: HashAlgorithm): Promise<string>;
+/** Hash an ArrayBuffer. Returns hex string. */
+export declare function hashBuffer(data: ArrayBuffer, algorithm?: HashAlgorithm): Promise<string>;
+/** Hash a string and return Base64. Useful for SRI/CSP hashes. */
+export declare function hashBase64(data: string, algorithm?: HashAlgorithm): Promise<string>;
+/** Generate an HMAC key. */
+export declare function generateHMACKey(algorithm?: HashAlgorithm): Promise<CryptoKey>;
+/** Sign data with HMAC. Returns base64 signature. */
+export declare function sign(data: string, key: CryptoKey): Promise<string>;
+/** Verify an HMAC signature. */
+export declare function verify(data: string, signature: string, key: CryptoKey): Promise<boolean>;
+/** Generate a cryptographically secure random hex string. */
+export declare function randomHex(bytes?: number): string;
+/** Generate a cryptographically secure random base64 string. */
+export declare function randomBase64(bytes?: number): string;
+/** Generate a UUID v4. */
+export declare function uuid(): string;
+/**
+ * Pre-hash a password before sending to server.
+ * This doesn't replace server-side hashing (bcrypt/argon2)
+ * but prevents the plaintext password from ever hitting the wire.
+ */
+export declare function prehashPassword(password: string, salt: string): Promise<string>;
+/** Constant-time string comparison to prevent timing attacks. */
+export declare function timingSafeEqual(a: string, b: string): boolean;
+//# sourceMappingURL=encrypt.d.ts.map

package/dist/security/encrypt.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"encrypt.d.ts","sourceRoot":"","sources":["../../src/security/encrypt.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,MAAM,WAAW,gBAAgB;IAC/B,gCAAgC;IAChC,UAAU,EAAE,MAAM,CAAC;IACnB,2CAA2C;IAC3C,EAAE,EAAE,MAAM,CAAC;IACX,qBAAqB;IACrB,SAAS,EAAE,MAAM,CAAC;CACnB;AAED,MAAM,WAAW,OAAO;IACtB,gCAAgC;IAChC,SAAS,EAAE,UAAU,CAAC;IACtB,iCAAiC;IACjC,UAAU,EAAE,UAAU,CAAC;CACxB;AAyBD,qCAAqC;AACrC,wBAAsB,WAAW,CAAC,MAAM,GAAE,GAAG,GAAG,GAAG,GAAG,GAAS,GAAG,OAAO,CAAC,SAAS,CAAC,CAMnF;AAED,4CAA4C;AAC5C,wBAAsB,SAAS,CAAC,GAAG,EAAE,SAAS,GAAG,OAAO,CAAC,UAAU,CAAC,CAEnE;AAED,4CAA4C;AAC5C,wBAAsB,SAAS,CAC7B,GAAG,EAAE,UAAU,EACf,MAAM,GAAE,QAAQ,EAA2B,GAC1C,OAAO,CAAC,SAAS,CAAC,CAQpB;AAED,sCAAsC;AACtC,wBAAsB,OAAO,CAAC,SAAS,EAAE,MAAM,EAAE,GAAG,EAAE,SAAS,GAAG,OAAO,CAAC,gBAAgB,CAAC,CAY1F;AAED,4CAA4C;AAC5C,wBAAsB,OAAO,CAAC,OAAO,EAAE,gBAAgB,EAAE,GAAG,EAAE,SAAS,GAAG,OAAO,CAAC,MAAM,CAAC,CAOxF;AAID,sDAAsD;AACtD,wBAAsB,SAAS,CAC7B,QAAQ,EAAE,MAAM,EAChB,IAAI,CAAC,EAAE,MAAM,EACb,UAAU,GAAE,MAAgB,EAC5B,SAAS,GAAE,GAAG,GAAG,GAAG,GAAG,GAAS,GAC/B,OAAO,CAAC;IAAE,GAAG,EAAE,SAAS,CAAC;IAAC,IAAI,EAAE,MAAM,CAAA;CAAE,CAAC,CAsB3C;AAID,MAAM,MAAM,aAAa,GAAG,OAAO,GAAG,SAAS,GAAG,SAAS,GAAG,SAAS,CAAC;AAExE,uEAAuE;AACvE,wBAAsB,IAAI,CAAC,IAAI,EAAE,MAAM,EAAE,SAAS,GAAE,aAAyB,GAAG,OAAO,CAAC,MAAM,CAAC,CAG9F;AAED,+CAA+C;AAC/C,wBAAsB,UAAU,CAAC,IAAI,EAAE,WAAW,EAAE,SAAS,GAAE,aAAyB,GAAG,OAAO,CAAC,MAAM,CAAC,CAGzG;AAED,kEAAkE;AAClE,wBAAsB,UAAU,CAAC,IAAI,EAAE,MAAM,EAAE,SAAS,GAAE,aAAyB,GAAG,OAAO,CAAC,MAAM,CAAC,CAGpG;AAID,4BAA4B;AAC5B,wBAAsB,eAAe,CACnC,SAAS,GAAE,aAAyB,GACnC,OAAO,CAAC,SAAS,CAAC,CAMpB;AAED,qDAAqD;AACrD,wBAAsB,IAAI,CAAC,IAAI,EAAE,MAAM,EAAE,GAAG,EAAE,SAAS,GAAG,OAAO,CAAC,MAAM,CAAC,CAGxE;AAED,gCAAgC;AAChC,wBAAsB,MAAM,CAAC,IAAI,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,EAAE,GAAG,EAAE,SAAS,GAAG,OAAO,CAAC,OAAO,CAAC,CAE9F;AAID,6DAA6D;AAC7D,wBAAgB,SAAS,CAAC,KAAK,GAAE,MAAW,GAAG,MAAM,CAIpD;AAED,gEAAgE;AAChE,wBAAgB,YAAY,CAAC,KAAK,GAAE,MAAW,GAAG,MAAM,CAIvD;AAED,0BAA0B;AAC1B,wBAAgB,IAAI,IAAI,MAAM,CAE7B;AAID;;;;GAIG;AACH,wBAAsB,eAAe,CACnC,QAAQ,EAAE,MAAM,EAChB,IAAI,EAAE,MAAM,GACX,OAAO,CAAC,MAAM,CAAC,CAEjB;AAID,iEAAiE;AACjE,wBAAgB,eAAe,CAAC,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,MAAM,GAAG,OAAO,CAO7D"}

package/dist/security/encrypt.js

@@ -0,0 +1,129 @@
+/**
+ * Nova Engine — Encryption
+ *
+ * Web Crypto API wrappers for AES-GCM encryption/decryption,
+ * SHA hashing, HMAC signing, key derivation (PBKDF2),
+ * and secure random generation.
+ */
+// --- Helpers ---
+function toBase64(buffer) {
+    return btoa(String.fromCharCode(...new Uint8Array(buffer)));
+}
+function fromBase64(base64) {
+    const binary = atob(base64);
+    const bytes = new Uint8Array(binary.length);
+    for (let i = 0; i < binary.length; i++)
+        bytes[i] = binary.charCodeAt(i);
+    return bytes.buffer;
+}
+function encode(text) {
+    return new TextEncoder().encode(text);
+}
+function decode(buffer) {
+    return new TextDecoder().decode(buffer);
+}
+// --- AES-GCM Symmetric Encryption ---
+/** Generate a random AES-GCM key. */
+export async function generateKey(length = 256) {
+    return crypto.subtle.generateKey({ name: 'AES-GCM', length }, true, ['encrypt', 'decrypt']);
+}
+/** Export a CryptoKey to a JSON Web Key. */
+export async function exportKey(key) {
+    return crypto.subtle.exportKey('jwk', key);
+}
+/** Import a JSON Web Key as a CryptoKey. */
+export async function importKey(jwk, usages = ['encrypt', 'decrypt']) {
+    return crypto.subtle.importKey('jwk', jwk, { name: 'AES-GCM' }, true, usages);
+}
+/** Encrypt plaintext with AES-GCM. */
+export async function encrypt(plaintext, key) {
+    const iv = crypto.getRandomValues(new Uint8Array(12));
+    const ciphertext = await crypto.subtle.encrypt({ name: 'AES-GCM', iv: iv }, key, encode(plaintext));
+    return {
+        ciphertext: toBase64(ciphertext),
+        iv: toBase64(iv.buffer),
+        algorithm: 'AES-GCM',
+    };
+}
+/** Decrypt an AES-GCM encrypted payload. */
+export async function decrypt(payload, key) {
+    const plaintext = await crypto.subtle.decrypt({ name: 'AES-GCM', iv: new Uint8Array(fromBase64(payload.iv)) }, key, fromBase64(payload.ciphertext));
+    return decode(plaintext);
+}
+// --- Key Derivation (PBKDF2) ---
+/** Derive an AES key from a password using PBKDF2. */
+export async function deriveKey(password, salt, iterations = 100_000, keyLength = 256) {
+    const saltBytes = salt
+        ? new Uint8Array(fromBase64(salt))
+        : crypto.getRandomValues(new Uint8Array(16));
+    const baseKey = await crypto.subtle.importKey('raw', encode(password), 'PBKDF2', false, ['deriveKey']);
+    const derivedKey = await crypto.subtle.deriveKey({ name: 'PBKDF2', salt: saltBytes, iterations, hash: 'SHA-256' }, baseKey, { name: 'AES-GCM', length: keyLength }, true, ['encrypt', 'decrypt']);
+    return { key: derivedKey, salt: toBase64(saltBytes.buffer) };
+}
+/** Hash a string using the specified algorithm. Returns hex string. */
+export async function hash(data, algorithm = 'SHA-256') {
+    const digest = await crypto.subtle.digest(algorithm, encode(data));
+    return Array.from(new Uint8Array(digest), b => b.toString(16).padStart(2, '0')).join('');
+}
+/** Hash an ArrayBuffer. Returns hex string. */
+export async function hashBuffer(data, algorithm = 'SHA-256') {
+    const digest = await crypto.subtle.digest(algorithm, data);
+    return Array.from(new Uint8Array(digest), b => b.toString(16).padStart(2, '0')).join('');
+}
+/** Hash a string and return Base64. Useful for SRI/CSP hashes. */
+export async function hashBase64(data, algorithm = 'SHA-256') {
+    const digest = await crypto.subtle.digest(algorithm, encode(data));
+    return toBase64(digest);
+}
+// --- HMAC ---
+/** Generate an HMAC key. */
+export async function generateHMACKey(algorithm = 'SHA-256') {
+    return crypto.subtle.generateKey({ name: 'HMAC', hash: algorithm }, true, ['sign', 'verify']);
+}
+/** Sign data with HMAC. Returns base64 signature. */
+export async function sign(data, key) {
+    const signature = await crypto.subtle.sign('HMAC', key, encode(data));
+    return toBase64(signature);
+}
+/** Verify an HMAC signature. */
+export async function verify(data, signature, key) {
+    return crypto.subtle.verify('HMAC', key, fromBase64(signature), encode(data));
+}
+// --- Random Generation ---
+/** Generate a cryptographically secure random hex string. */
+export function randomHex(bytes = 32) {
+    const buf = new Uint8Array(bytes);
+    crypto.getRandomValues(buf);
+    return Array.from(buf, b => b.toString(16).padStart(2, '0')).join('');
+}
+/** Generate a cryptographically secure random base64 string. */
+export function randomBase64(bytes = 32) {
+    const buf = new Uint8Array(bytes);
+    crypto.getRandomValues(buf);
+    return toBase64(buf.buffer);
+}
+/** Generate a UUID v4. */
+export function uuid() {
+    return crypto.randomUUID();
+}
+// --- Password Hashing (client-side pre-hash) ---
+/**
+ * Pre-hash a password before sending to server.
+ * This doesn't replace server-side hashing (bcrypt/argon2)
+ * but prevents the plaintext password from ever hitting the wire.
+ */
+export async function prehashPassword(password, salt) {
+    return hash(`${salt}:${password}`, 'SHA-256');
+}
+// --- Constant-Time Comparison ---
+/** Constant-time string comparison to prevent timing attacks. */
+export function timingSafeEqual(a, b) {
+    if (a.length !== b.length)
+        return false;
+    let result = 0;
+    for (let i = 0; i < a.length; i++) {
+        result |= a.charCodeAt(i) ^ b.charCodeAt(i);
+    }
+    return result === 0;
+}
+//# sourceMappingURL=encrypt.js.map

package/dist/security/encrypt.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"encrypt.js","sourceRoot":"","sources":["../../src/security/encrypt.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAkBH,kBAAkB;AAElB,SAAS,QAAQ,CAAC,MAAmB;IACnC,OAAO,IAAI,CAAC,MAAM,CAAC,YAAY,CAAC,GAAG,IAAI,UAAU,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;AAC9D,CAAC;AAED,SAAS,UAAU,CAAC,MAAc;IAChC,MAAM,MAAM,GAAG,IAAI,CAAC,MAAM,CAAC,CAAC;IAC5B,MAAM,KAAK,GAAG,IAAI,UAAU,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;IAC5C,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,MAAM,CAAC,MAAM,EAAE,CAAC,EAAE;QAAE,KAAK,CAAC,CAAC,CAAC,GAAG,MAAM,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC;IACxE,OAAO,KAAK,CAAC,MAAM,CAAC;AACtB,CAAC;AAED,SAAS,MAAM,CAAC,IAAY;IAC1B,OAAO,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;AACxC,CAAC;AAED,SAAS,MAAM,CAAC,MAAmB;IACjC,OAAO,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;AAC1C,CAAC;AAED,uCAAuC;AAEvC,qCAAqC;AACrC,MAAM,CAAC,KAAK,UAAU,WAAW,CAAC,SAA0B,GAAG;IAC7D,OAAO,MAAM,CAAC,MAAM,CAAC,WAAW,CAC9B,EAAE,IAAI,EAAE,SAAS,EAAE,MAAM,EAAE,EAC3B,IAAI,EACJ,CAAC,SAAS,EAAE,SAAS,CAAC,CACvB,CAAC;AACJ,CAAC;AAED,4CAA4C;AAC5C,MAAM,CAAC,KAAK,UAAU,SAAS,CAAC,GAAc;IAC5C,OAAO,MAAM,CAAC,MAAM,CAAC,SAAS,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;AAC7C,CAAC;AAED,4CAA4C;AAC5C,MAAM,CAAC,KAAK,UAAU,SAAS,CAC7B,GAAe,EACf,SAAqB,CAAC,SAAS,EAAE,SAAS,CAAC;IAE3C,OAAO,MAAM,CAAC,MAAM,CAAC,SAAS,CAC5B,KAAK,EACL,GAAG,EACH,EAAE,IAAI,EAAE,SAAS,EAAE,EACnB,IAAI,EACJ,MAAM,CACP,CAAC;AACJ,CAAC;AAED,sCAAsC;AACtC,MAAM,CAAC,KAAK,UAAU,OAAO,CAAC,SAAiB,EAAE,GAAc;IAC7D,MAAM,EAAE,GAAG,MAAM,CAAC,eAAe,CAAC,IAAI,UAAU,CAAC,EAAE,CAAC,CAAC,CAAC;IACtD,MAAM,UAAU,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,OAAO,CAC5C,EAAE,IAAI,EAAE,SAAS,EAAE,EAAE,EAAE,EAAkB,EAAE,EAC3C,GAAG,EACH,MAAM,CAAC,SAAS,CAAiB,CAClC,CAAC;IACF,OAAO;QACL,UAAU,EAAE,QAAQ,CAAC,UAAU,CAAC;QAChC,EAAE,EAAE,QAAQ,CAAC,EAAE,CAAC,MAAqB,CAAC;QACtC,SAAS,EAAE,SAAS;KACrB,CAAC;AACJ,CAAC;AAED,4CAA4C;AAC5C,MAAM,CAAC,KAAK,UAAU,OAAO,CAAC,OAAyB,EAAE,GAAc;IACrE,MAAM,SAAS,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,OAAO,CAC3C,EAAE,IAAI,EAAE,SAAS,EAAE,EAAE,EAAE,IAAI,UAAU,CAAC,UAAU,CAAC,OAAO,CAAC,EAAE,CAAC,CAAiB,EAAE,EAC/E,GAAG,EACH,UAAU,CAAC,OAAO,CAAC,UAAU,CAAiB,CAC/C,CAAC;IACF,OAAO,MAAM,CAAC,SAAS,CAAC,CAAC;AAC3B,CAAC;AAED,kCAAkC;AAElC,sDAAsD;AACtD,MAAM,CAAC,KAAK,UAAU,SAAS,CAC7B,QAAgB,EAChB,IAAa,EACb,aAAqB,OAAO,EAC5B,YAA6B,GAAG;IAEhC,MAAM,SAAS,GAAG,IAAI;QACpB,CAAC,CAAC,IAAI,UAAU,CAAC,UAAU,CAAC,IAAI,CAAC,CAAC;QAClC,CAAC,CAAC,MAAM,CAAC,eAAe,CAAC,IAAI,UAAU,CAAC,EAAE,CAAC,CAAC,CAAC;IAE/C,MAAM,OAAO,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,SAAS,CAC3C,KAAK,EACL,MAAM,CAAC,QAAQ,CAAiB,EAChC,QAAQ,EACR,KAAK,EACL,CAAC,WAAW,CAAC,CACd,CAAC;IAEF,MAAM,UAAU,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,SAAS,CAC9C,EAAE,IAAI,EAAE,QAAQ,EAAE,IAAI,EAAE,SAAyB,EAAE,UAAU,EAAE,IAAI,EAAE,SAAS,EAAE,EAChF,OAAO,EACP,EAAE,IAAI,EAAE,SAAS,EAAE,MAAM,EAAE,SAAS,EAAE,EACtC,IAAI,EACJ,CAAC,SAAS,EAAE,SAAS,CAAC,CACvB,CAAC;IAEF,OAAO,EAAE,GAAG,EAAE,UAAU,EAAE,IAAI,EAAE,QAAQ,CAAC,SAAS,CAAC,MAAqB,CAAC,EAAE,CAAC;AAC9E,CAAC;AAMD,uEAAuE;AACvE,MAAM,CAAC,KAAK,UAAU,IAAI,CAAC,IAAY,EAAE,YAA2B,SAAS;IAC3E,MAAM,MAAM,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,SAAS,EAAE,MAAM,CAAC,IAAI,CAAiB,CAAC,CAAC;IACnF,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,UAAU,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;AAC3F,CAAC;AAED,+CAA+C;AAC/C,MAAM,CAAC,KAAK,UAAU,UAAU,CAAC,IAAiB,EAAE,YAA2B,SAAS;IACtF,MAAM,MAAM,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,SAAS,EAAE,IAAI,CAAC,CAAC;IAC3D,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,UAAU,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;AAC3F,CAAC;AAED,kEAAkE;AAClE,MAAM,CAAC,KAAK,UAAU,UAAU,CAAC,IAAY,EAAE,YAA2B,SAAS;IACjF,MAAM,MAAM,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,SAAS,EAAE,MAAM,CAAC,IAAI,CAAiB,CAAC,CAAC;IACnF,OAAO,QAAQ,CAAC,MAAM,CAAC,CAAC;AAC1B,CAAC;AAED,eAAe;AAEf,4BAA4B;AAC5B,MAAM,CAAC,KAAK,UAAU,eAAe,CACnC,YAA2B,SAAS;IAEpC,OAAO,MAAM,CAAC,MAAM,CAAC,WAAW,CAC9B,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,SAAS,EAAE,EACjC,IAAI,EACJ,CAAC,MAAM,EAAE,QAAQ,CAAC,CACnB,CAAC;AACJ,CAAC;AAED,qDAAqD;AACrD,MAAM,CAAC,KAAK,UAAU,IAAI,CAAC,IAAY,EAAE,GAAc;IACrD,MAAM,SAAS,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,MAAM,EAAE,GAAG,EAAE,MAAM,CAAC,IAAI,CAAiB,CAAC,CAAC;IACtF,OAAO,QAAQ,CAAC,SAAS,CAAC,CAAC;AAC7B,CAAC;AAED,gCAAgC;AAChC,MAAM,CAAC,KAAK,UAAU,MAAM,CAAC,IAAY,EAAE,SAAiB,EAAE,GAAc;IAC1E,OAAO,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,MAAM,EAAE,GAAG,EAAE,UAAU,CAAC,SAAS,CAAiB,EAAE,MAAM,CAAC,IAAI,CAAiB,CAAC,CAAC;AAChH,CAAC;AAED,4BAA4B;AAE5B,6DAA6D;AAC7D,MAAM,UAAU,SAAS,CAAC,QAAgB,EAAE;IAC1C,MAAM,GAAG,GAAG,IAAI,UAAU,CAAC,KAAK,CAAC,CAAC;IAClC,MAAM,CAAC,eAAe,CAAC,GAAG,CAAC,CAAC;IAC5B,OAAO,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;AACxE,CAAC;AAED,gEAAgE;AAChE,MAAM,UAAU,YAAY,CAAC,QAAgB,EAAE;IAC7C,MAAM,GAAG,GAAG,IAAI,UAAU,CAAC,KAAK,CAAC,CAAC;IAClC,MAAM,CAAC,eAAe,CAAC,GAAG,CAAC,CAAC;IAC5B,OAAO,QAAQ,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;AAC9B,CAAC;AAED,0BAA0B;AAC1B,MAAM,UAAU,IAAI;IAClB,OAAO,MAAM,CAAC,UAAU,EAAE,CAAC;AAC7B,CAAC;AAED,kDAAkD;AAElD;;;;GAIG;AACH,MAAM,CAAC,KAAK,UAAU,eAAe,CACnC,QAAgB,EAChB,IAAY;IAEZ,OAAO,IAAI,CAAC,GAAG,IAAI,IAAI,QAAQ,EAAE,EAAE,SAAS,CAAC,CAAC;AAChD,CAAC;AAED,mCAAmC;AAEnC,iEAAiE;AACjE,MAAM,UAAU,eAAe,CAAC,CAAS,EAAE,CAAS;IAClD,IAAI,CAAC,CAAC,MAAM,KAAK,CAAC,CAAC,MAAM;QAAE,OAAO,KAAK,CAAC;IACxC,IAAI,MAAM,GAAG,CAAC,CAAC;IACf,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QAClC,MAAM,IAAI,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC;IAC9C,CAAC;IACD,OAAO,MAAM,KAAK,CAAC,CAAC;AACtB,CAAC"}

package/dist/security/index.d.ts

@@ -0,0 +1,21 @@
+export { createCSRF } from './csrf';
+export type { CSRFOptions, CSRFInstance } from './csrf';
+export { createCSP, CSPPresets } from './csp';
+export type { CSPDirective, CSPValue, CSPBuilder } from './csp';
+export { createRateLimiter, createRateLimitGroup, RateLimitError } from './rate-limit';
+export type { RateLimitOptions, RateLimitStrategy, RateLimiter, RateLimitGroup } from './rate-limit';
+export { generateKey, exportKey, importKey, encrypt, decrypt, deriveKey, hash, hashBuffer, hashBase64, generateHMACKey, sign, verify, randomHex, randomBase64, uuid, prehashPassword, timingSafeEqual, } from './encrypt';
+export type { EncryptedPayload, KeyPair, HashAlgorithm } from './encrypt';
+export { sanitize, stripTags, escapeHTML, sanitizeURL, cleanInput, sanitizeFilename, detectXSS } from './sanitize';
+export type { SanitizeOptions } from './sanitize';
+export { createSession } from './session';
+export type { SessionOptions, SessionData, SessionInstance } from './session';
+export { createRBAC, parsePermission, defineSimpleRole } from './rbac';
+export type { Permission, Role, RBACOptions, RBACInstance } from './rbac';
+export { createSecureStore } from './secure-store';
+export type { SecureStoreOptions, SecureStoreInstance } from './secure-store';
+export { generateSRI, generateSRIFromBuffer, generateSRIFromURL, createSecureScript, createSecureStylesheet, verifySRI, enforceAllSRI, } from './sri';
+export type { SRIAlgorithm, SRIOptions, SRIHash } from './sri';
+export { createCORS, wouldPreflight, parseOrigin } from './cors';
+export type { CORSOptions, CORSInstance, CORSValidation } from './cors';
+//# sourceMappingURL=index.d.ts.map

package/dist/security/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/security/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,MAAM,QAAQ,CAAC;AACpC,YAAY,EAAE,WAAW,EAAE,YAAY,EAAE,MAAM,QAAQ,CAAC;AAExD,OAAO,EAAE,SAAS,EAAE,UAAU,EAAE,MAAM,OAAO,CAAC;AAC9C,YAAY,EAAE,YAAY,EAAE,QAAQ,EAAE,UAAU,EAAE,MAAM,OAAO,CAAC;AAEhE,OAAO,EAAE,iBAAiB,EAAE,oBAAoB,EAAE,cAAc,EAAE,MAAM,cAAc,CAAC;AACvF,YAAY,EAAE,gBAAgB,EAAE,iBAAiB,EAAE,WAAW,EAAE,cAAc,EAAE,MAAM,cAAc,CAAC;AAErG,OAAO,EACL,WAAW,EAAE,SAAS,EAAE,SAAS,EAAE,OAAO,EAAE,OAAO,EACnD,SAAS,EAAE,IAAI,EAAE,UAAU,EAAE,UAAU,EACvC,eAAe,EAAE,IAAI,EAAE,MAAM,EAC7B,SAAS,EAAE,YAAY,EAAE,IAAI,EAAE,eAAe,EAAE,eAAe,GAChE,MAAM,WAAW,CAAC;AACnB,YAAY,EAAE,gBAAgB,EAAE,OAAO,EAAE,aAAa,EAAE,MAAM,WAAW,CAAC;AAE1E,OAAO,EAAE,QAAQ,EAAE,SAAS,EAAE,UAAU,EAAE,WAAW,EAAE,UAAU,EAAE,gBAAgB,EAAE,SAAS,EAAE,MAAM,YAAY,CAAC;AACnH,YAAY,EAAE,eAAe,EAAE,MAAM,YAAY,CAAC;AAElD,OAAO,EAAE,aAAa,EAAE,MAAM,WAAW,CAAC;AAC1C,YAAY,EAAE,cAAc,EAAE,WAAW,EAAE,eAAe,EAAE,MAAM,WAAW,CAAC;AAE9E,OAAO,EAAE,UAAU,EAAE,eAAe,EAAE,gBAAgB,EAAE,MAAM,QAAQ,CAAC;AACvE,YAAY,EAAE,UAAU,EAAE,IAAI,EAAE,WAAW,EAAE,YAAY,EAAE,MAAM,QAAQ,CAAC;AAE1E,OAAO,EAAE,iBAAiB,EAAE,MAAM,gBAAgB,CAAC;AACnD,YAAY,EAAE,kBAAkB,EAAE,mBAAmB,EAAE,MAAM,gBAAgB,CAAC;AAE9E,OAAO,EACL,WAAW,EAAE,qBAAqB,EAAE,kBAAkB,EACtD,kBAAkB,EAAE,sBAAsB,EAC1C,SAAS,EAAE,aAAa,GACzB,MAAM,OAAO,CAAC;AACf,YAAY,EAAE,YAAY,EAAE,UAAU,EAAE,OAAO,EAAE,MAAM,OAAO,CAAC;AAE/D,OAAO,EAAE,UAAU,EAAE,cAAc,EAAE,WAAW,EAAE,MAAM,QAAQ,CAAC;AACjE,YAAY,EAAE,WAAW,EAAE,YAAY,EAAE,cAAc,EAAE,MAAM,QAAQ,CAAC"}

package/dist/security/index.js

@@ -0,0 +1,11 @@
+export { createCSRF } from './csrf';
+export { createCSP, CSPPresets } from './csp';
+export { createRateLimiter, createRateLimitGroup, RateLimitError } from './rate-limit';
+export { generateKey, exportKey, importKey, encrypt, decrypt, deriveKey, hash, hashBuffer, hashBase64, generateHMACKey, sign, verify, randomHex, randomBase64, uuid, prehashPassword, timingSafeEqual, } from './encrypt';
+export { sanitize, stripTags, escapeHTML, sanitizeURL, cleanInput, sanitizeFilename, detectXSS } from './sanitize';
+export { createSession } from './session';
+export { createRBAC, parsePermission, defineSimpleRole } from './rbac';
+export { createSecureStore } from './secure-store';
+export { generateSRI, generateSRIFromBuffer, generateSRIFromURL, createSecureScript, createSecureStylesheet, verifySRI, enforceAllSRI, } from './sri';
+export { createCORS, wouldPreflight, parseOrigin } from './cors';
+//# sourceMappingURL=index.js.map

package/dist/security/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/security/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,MAAM,QAAQ,CAAC;AAGpC,OAAO,EAAE,SAAS,EAAE,UAAU,EAAE,MAAM,OAAO,CAAC;AAG9C,OAAO,EAAE,iBAAiB,EAAE,oBAAoB,EAAE,cAAc,EAAE,MAAM,cAAc,CAAC;AAGvF,OAAO,EACL,WAAW,EAAE,SAAS,EAAE,SAAS,EAAE,OAAO,EAAE,OAAO,EACnD,SAAS,EAAE,IAAI,EAAE,UAAU,EAAE,UAAU,EACvC,eAAe,EAAE,IAAI,EAAE,MAAM,EAC7B,SAAS,EAAE,YAAY,EAAE,IAAI,EAAE,eAAe,EAAE,eAAe,GAChE,MAAM,WAAW,CAAC;AAGnB,OAAO,EAAE,QAAQ,EAAE,SAAS,EAAE,UAAU,EAAE,WAAW,EAAE,UAAU,EAAE,gBAAgB,EAAE,SAAS,EAAE,MAAM,YAAY,CAAC;AAGnH,OAAO,EAAE,aAAa,EAAE,MAAM,WAAW,CAAC;AAG1C,OAAO,EAAE,UAAU,EAAE,eAAe,EAAE,gBAAgB,EAAE,MAAM,QAAQ,CAAC;AAGvE,OAAO,EAAE,iBAAiB,EAAE,MAAM,gBAAgB,CAAC;AAGnD,OAAO,EACL,WAAW,EAAE,qBAAqB,EAAE,kBAAkB,EACtD,kBAAkB,EAAE,sBAAsB,EAC1C,SAAS,EAAE,aAAa,GACzB,MAAM,OAAO,CAAC;AAGf,OAAO,EAAE,UAAU,EAAE,cAAc,EAAE,WAAW,EAAE,MAAM,QAAQ,CAAC"}

package/dist/security/rate-limit.d.ts

@@ -0,0 +1,57 @@
+/**
+ * Nova Engine — Client-Side Rate Limiting
+ *
+ * Token bucket, sliding window, and fixed window algorithms
+ * for throttling API calls, form submissions, and user actions.
+ */
+export type RateLimitStrategy = 'token-bucket' | 'sliding-window' | 'fixed-window';
+export interface RateLimitOptions {
+    /** Max requests allowed in the window. Default: 10 */
+    limit: number;
+    /** Window duration in milliseconds. Default: 60000 (1 minute) */
+    window?: number;
+    /** Strategy to use. Default: 'sliding-window' */
+    strategy?: RateLimitStrategy;
+    /** Token bucket refill rate (tokens per second). Default: limit / (window / 1000) */
+    refillRate?: number;
+    /** Called when rate limit is exceeded */
+    onLimited?: (retryAfter: number) => void;
+    /** Key for per-action rate limiting */
+    key?: string;
+}
+export interface RateLimiter {
+    /** Check if action is allowed without consuming a token */
+    canProceed(): boolean;
+    /** Attempt to consume a token. Returns true if allowed, false if limited */
+    attempt(): boolean;
+    /** Get remaining attempts in current window */
+    remaining(): number;
+    /** Get milliseconds until next token/window reset */
+    retryAfter(): number;
+    /** Reset the limiter */
+    reset(): void;
+    /** Wrap an async function with rate limiting */
+    wrap<T>(fn: () => Promise<T>): Promise<T>;
+    /** Destroy the limiter and clear timers */
+    destroy(): void;
+}
+export interface RateLimitGroup {
+    /** Get or create a limiter for a key */
+    get(key: string): RateLimiter;
+    /** Check if a key is currently limited */
+    isLimited(key: string): boolean;
+    /** Reset all limiters */
+    resetAll(): void;
+    /** Destroy all limiters */
+    destroy(): void;
+}
+/** Error thrown when rate limit is exceeded. */
+export declare class RateLimitError extends Error {
+    readonly retryAfter: number;
+    constructor(retryAfter: number);
+}
+/** Create a rate limiter instance. */
+export declare function createRateLimiter(options: RateLimitOptions): RateLimiter;
+/** Create a group of rate limiters keyed by action/resource. */
+export declare function createRateLimitGroup(defaults: Omit<RateLimitOptions, 'key'>): RateLimitGroup;
+//# sourceMappingURL=rate-limit.d.ts.map

package/dist/security/rate-limit.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"rate-limit.d.ts","sourceRoot":"","sources":["../../src/security/rate-limit.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,MAAM,MAAM,iBAAiB,GAAG,cAAc,GAAG,gBAAgB,GAAG,cAAc,CAAC;AAEnF,MAAM,WAAW,gBAAgB;IAC/B,sDAAsD;IACtD,KAAK,EAAE,MAAM,CAAC;IACd,iEAAiE;IACjE,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,iDAAiD;IACjD,QAAQ,CAAC,EAAE,iBAAiB,CAAC;IAC7B,qFAAqF;IACrF,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,yCAAyC;IACzC,SAAS,CAAC,EAAE,CAAC,UAAU,EAAE,MAAM,KAAK,IAAI,CAAC;IACzC,uCAAuC;IACvC,GAAG,CAAC,EAAE,MAAM,CAAC;CACd;AAED,MAAM,WAAW,WAAW;IAC1B,2DAA2D;IAC3D,UAAU,IAAI,OAAO,CAAC;IACtB,4EAA4E;IAC5E,OAAO,IAAI,OAAO,CAAC;IACnB,+CAA+C;IAC/C,SAAS,IAAI,MAAM,CAAC;IACpB,qDAAqD;IACrD,UAAU,IAAI,MAAM,CAAC;IACrB,wBAAwB;IACxB,KAAK,IAAI,IAAI,CAAC;IACd,gDAAgD;IAChD,IAAI,CAAC,CAAC,EAAE,EAAE,EAAE,MAAM,OAAO,CAAC,CAAC,CAAC,GAAG,OAAO,CAAC,CAAC,CAAC,CAAC;IAC1C,2CAA2C;IAC3C,OAAO,IAAI,IAAI,CAAC;CACjB;AAED,MAAM,WAAW,cAAc;IAC7B,wCAAwC;IACxC,GAAG,CAAC,GAAG,EAAE,MAAM,GAAG,WAAW,CAAC;IAC9B,0CAA0C;IAC1C,SAAS,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC;IAChC,yBAAyB;IACzB,QAAQ,IAAI,IAAI,CAAC;IACjB,2BAA2B;IAC3B,OAAO,IAAI,IAAI,CAAC;CACjB;AAmMD,gDAAgD;AAChD,qBAAa,cAAe,SAAQ,KAAK;IACvC,QAAQ,CAAC,UAAU,EAAE,MAAM,CAAC;gBAChB,UAAU,EAAE,MAAM;CAK/B;AAED,sCAAsC;AACtC,wBAAgB,iBAAiB,CAAC,OAAO,EAAE,gBAAgB,GAAG,WAAW,CAkBxE;AAED,gEAAgE;AAChE,wBAAgB,oBAAoB,CAClC,QAAQ,EAAE,IAAI,CAAC,gBAAgB,EAAE,KAAK,CAAC,GACtC,cAAc,CA2BhB"}

package/dist/security/rate-limit.js

@@ -0,0 +1,222 @@
+/**
+ * Nova Engine — Client-Side Rate Limiting
+ *
+ * Token bucket, sliding window, and fixed window algorithms
+ * for throttling API calls, form submissions, and user actions.
+ */
+class TokenBucketLimiter {
+    tokens;
+    lastRefill;
+    maxTokens;
+    refillRate;
+    onLimited;
+    constructor(limit, refillRate, onLimited) {
+        this.maxTokens = limit;
+        this.tokens = limit;
+        this.refillRate = refillRate;
+        this.lastRefill = Date.now();
+        this.onLimited = onLimited;
+    }
+    refill() {
+        const now = Date.now();
+        const elapsed = (now - this.lastRefill) / 1000;
+        this.tokens = Math.min(this.maxTokens, this.tokens + elapsed * this.refillRate);
+        this.lastRefill = now;
+    }
+    canProceed() {
+        this.refill();
+        return this.tokens >= 1;
+    }
+    attempt() {
+        this.refill();
+        if (this.tokens >= 1) {
+            this.tokens -= 1;
+            return true;
+        }
+        const retry = this.retryAfter();
+        this.onLimited?.(retry);
+        return false;
+    }
+    remaining() {
+        this.refill();
+        return Math.floor(this.tokens);
+    }
+    retryAfter() {
+        if (this.tokens >= 1)
+            return 0;
+        return Math.ceil((1 - this.tokens) / this.refillRate * 1000);
+    }
+    reset() {
+        this.tokens = this.maxTokens;
+        this.lastRefill = Date.now();
+    }
+    async wrap(fn) {
+        if (!this.attempt()) {
+            throw new RateLimitError(this.retryAfter());
+        }
+        return fn();
+    }
+    destroy() {
+        this.reset();
+    }
+}
+class SlidingWindowLimiter {
+    timestamps = [];
+    limit;
+    window;
+    onLimited;
+    constructor(limit, windowMs, onLimited) {
+        this.limit = limit;
+        this.window = windowMs;
+        this.onLimited = onLimited;
+    }
+    prune() {
+        const cutoff = Date.now() - this.window;
+        while (this.timestamps.length > 0 && this.timestamps[0] < cutoff) {
+            this.timestamps.shift();
+        }
+    }
+    canProceed() {
+        this.prune();
+        return this.timestamps.length < this.limit;
+    }
+    attempt() {
+        this.prune();
+        if (this.timestamps.length < this.limit) {
+            this.timestamps.push(Date.now());
+            return true;
+        }
+        const retry = this.retryAfter();
+        this.onLimited?.(retry);
+        return false;
+    }
+    remaining() {
+        this.prune();
+        return Math.max(0, this.limit - this.timestamps.length);
+    }
+    retryAfter() {
+        this.prune();
+        if (this.timestamps.length < this.limit)
+            return 0;
+        return Math.max(0, this.timestamps[0] + this.window - Date.now());
+    }
+    reset() {
+        this.timestamps = [];
+    }
+    async wrap(fn) {
+        if (!this.attempt()) {
+            throw new RateLimitError(this.retryAfter());
+        }
+        return fn();
+    }
+    destroy() {
+        this.reset();
+    }
+}
+class FixedWindowLimiter {
+    count = 0;
+    windowStart;
+    limit;
+    window;
+    onLimited;
+    constructor(limit, windowMs, onLimited) {
+        this.limit = limit;
+        this.window = windowMs;
+        this.windowStart = Date.now();
+        this.onLimited = onLimited;
+    }
+    checkWindow() {
+        const now = Date.now();
+        if (now - this.windowStart >= this.window) {
+            this.count = 0;
+            this.windowStart = now;
+        }
+    }
+    canProceed() {
+        this.checkWindow();
+        return this.count < this.limit;
+    }
+    attempt() {
+        this.checkWindow();
+        if (this.count < this.limit) {
+            this.count++;
+            return true;
+        }
+        const retry = this.retryAfter();
+        this.onLimited?.(retry);
+        return false;
+    }
+    remaining() {
+        this.checkWindow();
+        return Math.max(0, this.limit - this.count);
+    }
+    retryAfter() {
+        this.checkWindow();
+        if (this.count < this.limit)
+            return 0;
+        return Math.max(0, this.windowStart + this.window - Date.now());
+    }
+    reset() {
+        this.count = 0;
+        this.windowStart = Date.now();
+    }
+    async wrap(fn) {
+        if (!this.attempt()) {
+            throw new RateLimitError(this.retryAfter());
+        }
+        return fn();
+    }
+    destroy() {
+        this.reset();
+    }
+}
+/** Error thrown when rate limit is exceeded. */
+export class RateLimitError extends Error {
+    retryAfter;
+    constructor(retryAfter) {
+        super(`Rate limit exceeded. Retry after ${retryAfter}ms`);
+        this.name = 'RateLimitError';
+        this.retryAfter = retryAfter;
+    }
+}
+/** Create a rate limiter instance. */
+export function createRateLimiter(options) {
+    const { limit, window: windowMs = 60_000, strategy = 'sliding-window', refillRate, onLimited, } = options;
+    switch (strategy) {
+        case 'token-bucket':
+            return new TokenBucketLimiter(limit, refillRate ?? limit / (windowMs / 1000), onLimited);
+        case 'fixed-window':
+            return new FixedWindowLimiter(limit, windowMs, onLimited);
+        case 'sliding-window':
+        default:
+            return new SlidingWindowLimiter(limit, windowMs, onLimited);
+    }
+}
+/** Create a group of rate limiters keyed by action/resource. */
+export function createRateLimitGroup(defaults) {
+    const limiters = new Map();
+    return {
+        get(key) {
+            let limiter = limiters.get(key);
+            if (!limiter) {
+                limiter = createRateLimiter({ ...defaults, key });
+                limiters.set(key, limiter);
+            }
+            return limiter;
+        },
+        isLimited(key) {
+            const limiter = limiters.get(key);
+            return limiter ? !limiter.canProceed() : false;
+        },
+        resetAll() {
+            for (const limiter of limiters.values())
+                limiter.reset();
+        },
+        destroy() {
+            for (const limiter of limiters.values())
+                limiter.destroy();
+            limiters.clear();
+        },
+    };
+}
+//# sourceMappingURL=rate-limit.js.map

package/dist/security/rate-limit.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"rate-limit.js","sourceRoot":"","sources":["../../src/security/rate-limit.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AA+CH,MAAM,kBAAkB;IACd,MAAM,CAAS;IACf,UAAU,CAAS;IACV,SAAS,CAAS;IAClB,UAAU,CAAS;IACnB,SAAS,CAAgC;IAE1D,YAAY,KAAa,EAAE,UAAkB,EAAE,SAAwC;QACrF,IAAI,CAAC,SAAS,GAAG,KAAK,CAAC;QACvB,IAAI,CAAC,MAAM,GAAG,KAAK,CAAC;QACpB,IAAI,CAAC,UAAU,GAAG,UAAU,CAAC;QAC7B,IAAI,CAAC,UAAU,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QAC7B,IAAI,CAAC,SAAS,GAAG,SAAS,CAAC;IAC7B,CAAC;IAEO,MAAM;QACZ,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QACvB,MAAM,OAAO,GAAG,CAAC,GAAG,GAAG,IAAI,CAAC,UAAU,CAAC,GAAG,IAAI,CAAC;QAC/C,IAAI,CAAC,MAAM,GAAG,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,EAAE,IAAI,CAAC,MAAM,GAAG,OAAO,GAAG,IAAI,CAAC,UAAU,CAAC,CAAC;QAChF,IAAI,CAAC,UAAU,GAAG,GAAG,CAAC;IACxB,CAAC;IAED,UAAU;QACR,IAAI,CAAC,MAAM,EAAE,CAAC;QACd,OAAO,IAAI,CAAC,MAAM,IAAI,CAAC,CAAC;IAC1B,CAAC;IAED,OAAO;QACL,IAAI,CAAC,MAAM,EAAE,CAAC;QACd,IAAI,IAAI,CAAC,MAAM,IAAI,CAAC,EAAE,CAAC;YACrB,IAAI,CAAC,MAAM,IAAI,CAAC,CAAC;YACjB,OAAO,IAAI,CAAC;QACd,CAAC;QACD,MAAM,KAAK,GAAG,IAAI,CAAC,UAAU,EAAE,CAAC;QAChC,IAAI,CAAC,SAAS,EAAE,CAAC,KAAK,CAAC,CAAC;QACxB,OAAO,KAAK,CAAC;IACf,CAAC;IAED,SAAS;QACP,IAAI,CAAC,MAAM,EAAE,CAAC;QACd,OAAO,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;IACjC,CAAC;IAED,UAAU;QACR,IAAI,IAAI,CAAC,MAAM,IAAI,CAAC;YAAE,OAAO,CAAC,CAAC;QAC/B,OAAO,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,GAAG,IAAI,CAAC,MAAM,CAAC,GAAG,IAAI,CAAC,UAAU,GAAG,IAAI,CAAC,CAAC;IAC/D,CAAC;IAED,KAAK;QACH,IAAI,CAAC,MAAM,GAAG,IAAI,CAAC,SAAS,CAAC;QAC7B,IAAI,CAAC,UAAU,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IAC/B,CAAC;IAED,KAAK,CAAC,IAAI,CAAI,EAAoB;QAChC,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,EAAE,CAAC;YACpB,MAAM,IAAI,cAAc,CAAC,IAAI,CAAC,UAAU,EAAE,CAAC,CAAC;QAC9C,CAAC;QACD,OAAO,EAAE,EAAE,CAAC;IACd,CAAC;IAED,OAAO;QACL,IAAI,CAAC,KAAK,EAAE,CAAC;IACf,CAAC;CACF;AAED,MAAM,oBAAoB;IAChB,UAAU,GAAa,EAAE,CAAC;IACjB,KAAK,CAAS;IACd,MAAM,CAAS;IACf,SAAS,CAAgC;IAE1D,YAAY,KAAa,EAAE,QAAgB,EAAE,SAAwC;QACnF,IAAI,CAAC,KAAK,GAAG,KAAK,CAAC;QACnB,IAAI,CAAC,MAAM,GAAG,QAAQ,CAAC;QACvB,IAAI,CAAC,SAAS,GAAG,SAAS,CAAC;IAC7B,CAAC;IAEO,KAAK;QACX,MAAM,MAAM,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,MAAM,CAAC;QACxC,OAAO,IAAI,CAAC,UAAU,CAAC,MAAM,GAAG,CAAC,IAAI,IAAI,CAAC,UAAU,CAAC,CAAC,CAAC,GAAG,MAAM,EAAE,CAAC;YACjE,IAAI,CAAC,UAAU,CAAC,KAAK,EAAE,CAAC;QAC1B,CAAC;IACH,CAAC;IAED,UAAU;QACR,IAAI,CAAC,KAAK,EAAE,CAAC;QACb,OAAO,IAAI,CAAC,UAAU,CAAC,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC;IAC7C,CAAC;IAED,OAAO;QACL,IAAI,CAAC,KAAK,EAAE,CAAC;QACb,IAAI,IAAI,CAAC,UAAU,CAAC,MAAM,GAAG,IAAI,CAAC,KAAK,EAAE,CAAC;YACxC,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,CAAC,CAAC;YACjC,OAAO,IAAI,CAAC;QACd,CAAC;QACD,MAAM,KAAK,GAAG,IAAI,CAAC,UAAU,EAAE,CAAC;QAChC,IAAI,CAAC,SAAS,EAAE,CAAC,KAAK,CAAC,CAAC;QACxB,OAAO,KAAK,CAAC;IACf,CAAC;IAED,SAAS;QACP,IAAI,CAAC,KAAK,EAAE,CAAC;QACb,OAAO,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC,UAAU,CAAC,MAAM,CAAC,CAAC;IAC1D,CAAC;IAED,UAAU;QACR,IAAI,CAAC,KAAK,EAAE,CAAC;QACb,IAAI,IAAI,CAAC,UAAU,CAAC,MAAM,GAAG,IAAI,CAAC,KAAK;YAAE,OAAO,CAAC,CAAC;QAClD,OAAO,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,IAAI,CAAC,UAAU,CAAC,CAAC,CAAC,GAAG,IAAI,CAAC,MAAM,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC,CAAC;IACpE,CAAC;IAED,KAAK;QACH,IAAI,CAAC,UAAU,GAAG,EAAE,CAAC;IACvB,CAAC;IAED,KAAK,CAAC,IAAI,CAAI,EAAoB;QAChC,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,EAAE,CAAC;YACpB,MAAM,IAAI,cAAc,CAAC,IAAI,CAAC,UAAU,EAAE,CAAC,CAAC;QAC9C,CAAC;QACD,OAAO,EAAE,EAAE,CAAC;IACd,CAAC;IAED,OAAO;QACL,IAAI,CAAC,KAAK,EAAE,CAAC;IACf,CAAC;CACF;AAED,MAAM,kBAAkB;IACd,KAAK,GAAG,CAAC,CAAC;IACV,WAAW,CAAS;IACX,KAAK,CAAS;IACd,MAAM,CAAS;IACf,SAAS,CAAgC;IAE1D,YAAY,KAAa,EAAE,QAAgB,EAAE,SAAwC;QACnF,IAAI,CAAC,KAAK,GAAG,KAAK,CAAC;QACnB,IAAI,CAAC,MAAM,GAAG,QAAQ,CAAC;QACvB,IAAI,CAAC,WAAW,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QAC9B,IAAI,CAAC,SAAS,GAAG,SAAS,CAAC;IAC7B,CAAC;IAEO,WAAW;QACjB,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QACvB,IAAI,GAAG,GAAG,IAAI,CAAC,WAAW,IAAI,IAAI,CAAC,MAAM,EAAE,CAAC;YAC1C,IAAI,CAAC,KAAK,GAAG,CAAC,CAAC;YACf,IAAI,CAAC,WAAW,GAAG,GAAG,CAAC;QACzB,CAAC;IACH,CAAC;IAED,UAAU;QACR,IAAI,CAAC,WAAW,EAAE,CAAC;QACnB,OAAO,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC;IACjC,CAAC;IAED,OAAO;QACL,IAAI,CAAC,WAAW,EAAE,CAAC;QACnB,IAAI,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC,KAAK,EAAE,CAAC;YAC5B,IAAI,CAAC,KAAK,EAAE,CAAC;YACb,OAAO,IAAI,CAAC;QACd,CAAC;QACD,MAAM,KAAK,GAAG,IAAI,CAAC,UAAU,EAAE,CAAC;QAChC,IAAI,CAAC,SAAS,EAAE,CAAC,KAAK,CAAC,CAAC;QACxB,OAAO,KAAK,CAAC;IACf,CAAC;IAED,SAAS;QACP,IAAI,CAAC,WAAW,EAAE,CAAC;QACnB,OAAO,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC;IAC9C,CAAC;IAED,UAAU;QACR,IAAI,CAAC,WAAW,EAAE,CAAC;QACnB,IAAI,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC,KAAK;YAAE,OAAO,CAAC,CAAC;QACtC,OAAO,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,IAAI,CAAC,WAAW,GAAG,IAAI,CAAC,MAAM,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC,CAAC;IAClE,CAAC;IAED,KAAK;QACH,IAAI,CAAC,KAAK,GAAG,CAAC,CAAC;QACf,IAAI,CAAC,WAAW,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IAChC,CAAC;IAED,KAAK,CAAC,IAAI,CAAI,EAAoB;QAChC,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,EAAE,CAAC;YACpB,MAAM,IAAI,cAAc,CAAC,IAAI,CAAC,UAAU,EAAE,CAAC,CAAC;QAC9C,CAAC;QACD,OAAO,EAAE,EAAE,CAAC;IACd,CAAC;IAED,OAAO;QACL,IAAI,CAAC,KAAK,EAAE,CAAC;IACf,CAAC;CACF;AAED,gDAAgD;AAChD,MAAM,OAAO,cAAe,SAAQ,KAAK;IAC9B,UAAU,CAAS;IAC5B,YAAY,UAAkB;QAC5B,KAAK,CAAC,oCAAoC,UAAU,IAAI,CAAC,CAAC;QAC1D,IAAI,CAAC,IAAI,GAAG,gBAAgB,CAAC;QAC7B,IAAI,CAAC,UAAU,GAAG,UAAU,CAAC;IAC/B,CAAC;CACF;AAED,sCAAsC;AACtC,MAAM,UAAU,iBAAiB,CAAC,OAAyB;IACzD,MAAM,EACJ,KAAK,EACL,MAAM,EAAE,QAAQ,GAAG,MAAM,EACzB,QAAQ,GAAG,gBAAgB,EAC3B,UAAU,EACV,SAAS,GACV,GAAG,OAAO,CAAC;IAEZ,QAAQ,QAAQ,EAAE,CAAC;QACjB,KAAK,cAAc;YACjB,OAAO,IAAI,kBAAkB,CAAC,KAAK,EAAE,UAAU,IAAI,KAAK,GAAG,CAAC,QAAQ,GAAG,IAAI,CAAC,EAAE,SAAS,CAAC,CAAC;QAC3F,KAAK,cAAc;YACjB,OAAO,IAAI,kBAAkB,CAAC,KAAK,EAAE,QAAQ,EAAE,SAAS,CAAC,CAAC;QAC5D,KAAK,gBAAgB,CAAC;QACtB;YACE,OAAO,IAAI,oBAAoB,CAAC,KAAK,EAAE,QAAQ,EAAE,SAAS,CAAC,CAAC;IAChE,CAAC;AACH,CAAC;AAED,gEAAgE;AAChE,MAAM,UAAU,oBAAoB,CAClC,QAAuC;IAEvC,MAAM,QAAQ,GAAG,IAAI,GAAG,EAAuB,CAAC;IAEhD,OAAO;QACL,GAAG,CAAC,GAAW;YACb,IAAI,OAAO,GAAG,QAAQ,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;YAChC,IAAI,CAAC,OAAO,EAAE,CAAC;gBACb,OAAO,GAAG,iBAAiB,CAAC,EAAE,GAAG,QAAQ,EAAE,GAAG,EAAE,CAAC,CAAC;gBAClD,QAAQ,CAAC,GAAG,CAAC,GAAG,EAAE,OAAO,CAAC,CAAC;YAC7B,CAAC;YACD,OAAO,OAAO,CAAC;QACjB,CAAC;QAED,SAAS,CAAC,GAAW;YACnB,MAAM,OAAO,GAAG,QAAQ,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;YAClC,OAAO,OAAO,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,UAAU,EAAE,CAAC,CAAC,CAAC,KAAK,CAAC;QACjD,CAAC;QAED,QAAQ;YACN,KAAK,MAAM,OAAO,IAAI,QAAQ,CAAC,MAAM,EAAE;gBAAE,OAAO,CAAC,KAAK,EAAE,CAAC;QAC3D,CAAC;QAED,OAAO;YACL,KAAK,MAAM,OAAO,IAAI,QAAQ,CAAC,MAAM,EAAE;gBAAE,OAAO,CAAC,OAAO,EAAE,CAAC;YAC3D,QAAQ,CAAC,KAAK,EAAE,CAAC;QACnB,CAAC;KACF,CAAC;AACJ,CAAC"}

package/dist/security/rbac.d.ts

@@ -0,0 +1,84 @@
+/**
+ * Nova Engine — Role-Based Access Control (RBAC)
+ *
+ * Permissions, roles, role hierarchies, resource-level guards,
+ * and UI visibility control. Works standalone or with the
+ * Nova router for route-level access control.
+ */
+export interface Permission {
+    /** Resource identifier (e.g., 'users', 'posts', 'admin.settings') */
+    resource: string;
+    /** Action (e.g., 'read', 'write', 'delete', '*') */
+    action: string;
+    /** Optional condition function for dynamic checks */
+    condition?: (context: Record<string, unknown>) => boolean;
+}
+export interface Role {
+    /** Role identifier */
+    name: string;
+    /** Permissions granted to this role */
+    permissions: Permission[];
+    /** Parent roles to inherit from */
+    inherits?: string[];
+}
+export interface RBACOptions {
+    /** Role definitions */
+    roles: Role[];
+    /** Current user's role(s) */
+    userRoles?: string[];
+    /** Deny-first: deny unless explicitly allowed. Default: true */
+    denyByDefault?: boolean;
+    /** Called when permission is denied */
+    onDenied?: (resource: string, action: string) => void;
+}
+export interface RBACInstance {
+    /** Check if current user can perform action on resource */
+    can(resource: string, action: string, context?: Record<string, unknown>): boolean;
+    /** Check multiple permissions (all must pass) */
+    canAll(checks: Array<{
+        resource: string;
+        action: string;
+    }>): boolean;
+    /** Check multiple permissions (any must pass) */
+    canAny(checks: Array<{
+        resource: string;
+        action: string;
+    }>): boolean;
+    /** Set the current user's roles */
+    setRoles(roles: string[]): void;
+    /** Add a role to the current user */
+    addRole(role: string): void;
+    /** Remove a role from the current user */
+    removeRole(role: string): void;
+    /** Get the current user's roles */
+    getRoles(): string[];
+    /** Get all permissions for the current user (resolved with inheritance) */
+    getPermissions(): Permission[];
+    /** Add a new role definition */
+    defineRole(role: Role): void;
+    /** Remove a role definition */
+    removeRoleDefinition(name: string): void;
+    /** Guard a function — only executes if permitted */
+    guard<T>(resource: string, action: string, fn: () => T): T | undefined;
+    /** Guard an async function */
+    guardAsync<T>(resource: string, action: string, fn: () => Promise<T>): Promise<T | undefined>;
+    /** Create a route guard function compatible with Nova Router */
+    routeGuard(resource: string, action: string): () => boolean;
+    /** Subscribe to role/permission changes */
+    onChange(handler: () => void): () => void;
+    /** Show/hide DOM elements based on permission */
+    bindVisibility(element: Element, resource: string, action: string): () => void;
+}
+/** Create an RBAC instance. */
+export declare function createRBAC(options: RBACOptions): RBACInstance;
+/**
+ * Parse a permission string like "posts:write" or "admin.*:*"
+ * into a Permission object.
+ */
+export declare function parsePermission(str: string): Permission;
+/**
+ * Create a role from a simple list of permission strings.
+ * e.g., defineSimpleRole('editor', ['posts:read', 'posts:write', 'comments:*'])
+ */
+export declare function defineSimpleRole(name: string, permissions: string[], inherits?: string[]): Role;
+//# sourceMappingURL=rbac.d.ts.map

package/dist/security/rbac.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"rbac.d.ts","sourceRoot":"","sources":["../../src/security/rbac.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,MAAM,WAAW,UAAU;IACzB,qEAAqE;IACrE,QAAQ,EAAE,MAAM,CAAC;IACjB,oDAAoD;IACpD,MAAM,EAAE,MAAM,CAAC;IACf,qDAAqD;IACrD,SAAS,CAAC,EAAE,CAAC,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,KAAK,OAAO,CAAC;CAC3D;AAED,MAAM,WAAW,IAAI;IACnB,sBAAsB;IACtB,IAAI,EAAE,MAAM,CAAC;IACb,uCAAuC;IACvC,WAAW,EAAE,UAAU,EAAE,CAAC;IAC1B,mCAAmC;IACnC,QAAQ,CAAC,EAAE,MAAM,EAAE,CAAC;CACrB;AAED,MAAM,WAAW,WAAW;IAC1B,uBAAuB;IACvB,KAAK,EAAE,IAAI,EAAE,CAAC;IACd,6BAA6B;IAC7B,SAAS,CAAC,EAAE,MAAM,EAAE,CAAC;IACrB,gEAAgE;IAChE,aAAa,CAAC,EAAE,OAAO,CAAC;IACxB,uCAAuC;IACvC,QAAQ,CAAC,EAAE,CAAC,QAAQ,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,KAAK,IAAI,CAAC;CACvD;AAED,MAAM,WAAW,YAAY;IAC3B,2DAA2D;IAC3D,GAAG,CAAC,QAAQ,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,OAAO,CAAC;IAClF,iDAAiD;IACjD,MAAM,CAAC,MAAM,EAAE,KAAK,CAAC;QAAE,QAAQ,EAAE,MAAM,CAAC;QAAC,MAAM,EAAE,MAAM,CAAA;KAAE,CAAC,GAAG,OAAO,CAAC;IACrE,iDAAiD;IACjD,MAAM,CAAC,MAAM,EAAE,KAAK,CAAC;QAAE,QAAQ,EAAE,MAAM,CAAC;QAAC,MAAM,EAAE,MAAM,CAAA;KAAE,CAAC,GAAG,OAAO,CAAC;IACrE,mCAAmC;IACnC,QAAQ,CAAC,KAAK,EAAE,MAAM,EAAE,GAAG,IAAI,CAAC;IAChC,qCAAqC;IACrC,OAAO,CAAC,IAAI,EAAE,MAAM,GAAG,IAAI,CAAC;IAC5B,0CAA0C;IAC1C,UAAU,CAAC,IAAI,EAAE,MAAM,GAAG,IAAI,CAAC;IAC/B,mCAAmC;IACnC,QAAQ,IAAI,MAAM,EAAE,CAAC;IACrB,2EAA2E;IAC3E,cAAc,IAAI,UAAU,EAAE,CAAC;IAC/B,gCAAgC;IAChC,UAAU,CAAC,IAAI,EAAE,IAAI,GAAG,IAAI,CAAC;IAC7B,+BAA+B;IAC/B,oBAAoB,CAAC,IAAI,EAAE,MAAM,GAAG,IAAI,CAAC;IACzC,oDAAoD;IACpD,KAAK,CAAC,CAAC,EAAE,QAAQ,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,EAAE,EAAE,MAAM,CAAC,GAAG,CAAC,GAAG,SAAS,CAAC;IACvE,8BAA8B;IAC9B,UAAU,CAAC,CAAC,EAAE,QAAQ,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,EAAE,EAAE,MAAM,OAAO,CAAC,CAAC,CAAC,GAAG,OAAO,CAAC,CAAC,GAAG,SAAS,CAAC,CAAC;IAC9F,gEAAgE;IAChE,UAAU,CAAC,QAAQ,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,MAAM,OAAO,CAAC;IAC5D,2CAA2C;IAC3C,QAAQ,CAAC,OAAO,EAAE,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC;IAC1C,iDAAiD;IACjD,cAAc,CAAC,OAAO,EAAE,OAAO,EAAE,QAAQ,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,MAAM,IAAI,CAAC;CAChF;AAED,+BAA+B;AAC/B,wBAAgB,UAAU,CAAC,OAAO,EAAE,WAAW,GAAG,YAAY,CA2K7D;AAID;;;GAGG;AACH,wBAAgB,eAAe,CAAC,GAAG,EAAE,MAAM,GAAG,UAAU,CAGvD;AAED;;;GAGG;AACH,wBAAgB,gBAAgB,CAAC,IAAI,EAAE,MAAM,EAAE,WAAW,EAAE,MAAM,EAAE,EAAE,QAAQ,CAAC,EAAE,MAAM,EAAE,GAAG,IAAI,CAM/F"}