@mappoh/nova 0.1.16

package/dist/security/rbac.js

@@ -0,0 +1,164 @@
+/**
+ * Nova Engine — Role-Based Access Control (RBAC)
+ *
+ * Permissions, roles, role hierarchies, resource-level guards,
+ * and UI visibility control. Works standalone or with the
+ * Nova router for route-level access control.
+ */
+/** Create an RBAC instance. */
+export function createRBAC(options) {
+    const { denyByDefault = true, onDenied, } = options;
+    const roleMap = new Map();
+    let userRoles = new Set(options.userRoles ?? []);
+    const changeListeners = new Set();
+    const visibilityCleanups = [];
+    // Index roles
+    for (const role of options.roles) {
+        roleMap.set(role.name, role);
+    }
+    function notifyChange() {
+        for (const listener of changeListeners)
+            listener();
+    }
+    /** Resolve all permissions for a role, including inherited ones. */
+    function resolvePermissions(roleName, visited = new Set()) {
+        if (visited.has(roleName))
+            return []; // Prevent circular inheritance
+        visited.add(roleName);
+        const role = roleMap.get(roleName);
+        if (!role)
+            return [];
+        const permissions = [...role.permissions];
+        // Resolve inherited permissions
+        if (role.inherits) {
+            for (const parentName of role.inherits) {
+                permissions.push(...resolvePermissions(parentName, visited));
+            }
+        }
+        return permissions;
+    }
+    /** Get all permissions for current user across all roles. */
+    function getAllPermissions() {
+        const permissions = [];
+        for (const roleName of userRoles) {
+            permissions.push(...resolvePermissions(roleName));
+        }
+        return permissions;
+    }
+    /** Check if a permission matches a resource/action query. */
+    function matchesPermission(perm, resource, action, context) {
+        // Wildcard resource
+        const resourceMatch = perm.resource === '*'
+            || perm.resource === resource
+            // Hierarchical: 'admin.*' matches 'admin.settings'
+            || (perm.resource.endsWith('.*') && resource.startsWith(perm.resource.slice(0, -1)));
+        if (!resourceMatch)
+            return false;
+        // Wildcard action
+        const actionMatch = perm.action === '*' || perm.action === action;
+        if (!actionMatch)
+            return false;
+        // Condition check
+        if (perm.condition && context) {
+            return perm.condition(context);
+        }
+        return true;
+    }
+    const instance = {
+        can(resource, action, context) {
+            const permissions = getAllPermissions();
+            const allowed = permissions.some(p => matchesPermission(p, resource, action, context));
+            if (!allowed && denyByDefault) {
+                onDenied?.(resource, action);
+                return false;
+            }
+            return allowed || !denyByDefault;
+        },
+        canAll(checks) {
+            return checks.every(c => instance.can(c.resource, c.action));
+        },
+        canAny(checks) {
+            return checks.some(c => instance.can(c.resource, c.action));
+        },
+        setRoles(roles) {
+            userRoles = new Set(roles);
+            notifyChange();
+        },
+        addRole(role) {
+            userRoles.add(role);
+            notifyChange();
+        },
+        removeRole(role) {
+            userRoles.delete(role);
+            notifyChange();
+        },
+        getRoles() {
+            return [...userRoles];
+        },
+        getPermissions() {
+            return getAllPermissions();
+        },
+        defineRole(role) {
+            roleMap.set(role.name, role);
+            notifyChange();
+        },
+        removeRoleDefinition(name) {
+            roleMap.delete(name);
+            userRoles.delete(name);
+            notifyChange();
+        },
+        guard(resource, action, fn) {
+            if (instance.can(resource, action))
+                return fn();
+            return undefined;
+        },
+        async guardAsync(resource, action, fn) {
+            if (instance.can(resource, action))
+                return fn();
+            return undefined;
+        },
+        routeGuard(resource, action) {
+            return () => instance.can(resource, action);
+        },
+        onChange(handler) {
+            changeListeners.add(handler);
+            return () => changeListeners.delete(handler);
+        },
+        bindVisibility(element, resource, action) {
+            const el = element;
+            function update() {
+                el.style.display = instance.can(resource, action) ? '' : 'none';
+            }
+            update();
+            const unsub = instance.onChange(update);
+            const cleanup = () => {
+                unsub();
+                el.style.display = '';
+            };
+            visibilityCleanups.push(cleanup);
+            return cleanup;
+        },
+    };
+    return instance;
+}
+// --- Utility: Permission string parser ---
+/**
+ * Parse a permission string like "posts:write" or "admin.*:*"
+ * into a Permission object.
+ */
+export function parsePermission(str) {
+    const [resource, action = '*'] = str.split(':');
+    return { resource, action };
+}
+/**
+ * Create a role from a simple list of permission strings.
+ * e.g., defineSimpleRole('editor', ['posts:read', 'posts:write', 'comments:*'])
+ */
+export function defineSimpleRole(name, permissions, inherits) {
+    return {
+        name,
+        permissions: permissions.map(parsePermission),
+        inherits,
+    };
+}
+//# sourceMappingURL=rbac.js.map

package/dist/security/rbac.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"rbac.js","sourceRoot":"","sources":["../../src/security/rbac.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAgEH,+BAA+B;AAC/B,MAAM,UAAU,UAAU,CAAC,OAAoB;IAC7C,MAAM,EACJ,aAAa,GAAG,IAAI,EACpB,QAAQ,GACT,GAAG,OAAO,CAAC;IAEZ,MAAM,OAAO,GAAG,IAAI,GAAG,EAAgB,CAAC;IACxC,IAAI,SAAS,GAAG,IAAI,GAAG,CAAS,OAAO,CAAC,SAAS,IAAI,EAAE,CAAC,CAAC;IACzD,MAAM,eAAe,GAAG,IAAI,GAAG,EAAc,CAAC;IAC9C,MAAM,kBAAkB,GAAsB,EAAE,CAAC;IAEjD,cAAc;IACd,KAAK,MAAM,IAAI,IAAI,OAAO,CAAC,KAAK,EAAE,CAAC;QACjC,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,EAAE,IAAI,CAAC,CAAC;IAC/B,CAAC;IAED,SAAS,YAAY;QACnB,KAAK,MAAM,QAAQ,IAAI,eAAe;YAAE,QAAQ,EAAE,CAAC;IACrD,CAAC;IAED,oEAAoE;IACpE,SAAS,kBAAkB,CAAC,QAAgB,EAAE,UAAU,IAAI,GAAG,EAAU;QACvE,IAAI,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAC;YAAE,OAAO,EAAE,CAAC,CAAC,+BAA+B;QACrE,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;QAEtB,MAAM,IAAI,GAAG,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;QACnC,IAAI,CAAC,IAAI;YAAE,OAAO,EAAE,CAAC;QAErB,MAAM,WAAW,GAAG,CAAC,GAAG,IAAI,CAAC,WAAW,CAAC,CAAC;QAE1C,gCAAgC;QAChC,IAAI,IAAI,CAAC,QAAQ,EAAE,CAAC;YAClB,KAAK,MAAM,UAAU,IAAI,IAAI,CAAC,QAAQ,EAAE,CAAC;gBACvC,WAAW,CAAC,IAAI,CAAC,GAAG,kBAAkB,CAAC,UAAU,EAAE,OAAO,CAAC,CAAC,CAAC;YAC/D,CAAC;QACH,CAAC;QAED,OAAO,WAAW,CAAC;IACrB,CAAC;IAED,6DAA6D;IAC7D,SAAS,iBAAiB;QACxB,MAAM,WAAW,GAAiB,EAAE,CAAC;QACrC,KAAK,MAAM,QAAQ,IAAI,SAAS,EAAE,CAAC;YACjC,WAAW,CAAC,IAAI,CAAC,GAAG,kBAAkB,CAAC,QAAQ,CAAC,CAAC,CAAC;QACpD,CAAC;QACD,OAAO,WAAW,CAAC;IACrB,CAAC;IAED,6DAA6D;IAC7D,SAAS,iBAAiB,CACxB,IAAgB,EAChB,QAAgB,EAChB,MAAc,EACd,OAAiC;QAEjC,oBAAoB;QACpB,MAAM,aAAa,GAAG,IAAI,CAAC,QAAQ,KAAK,GAAG;eACtC,IAAI,CAAC,QAAQ,KAAK,QAAQ;YAC7B,mDAAmD;eAChD,CAAC,IAAI,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAI,QAAQ,CAAC,UAAU,CAAC,IAAI,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;QAEvF,IAAI,CAAC,aAAa;YAAE,OAAO,KAAK,CAAC;QAEjC,kBAAkB;QAClB,MAAM,WAAW,GAAG,IAAI,CAAC,MAAM,KAAK,GAAG,IAAI,IAAI,CAAC,MAAM,KAAK,MAAM,CAAC;QAClE,IAAI,CAAC,WAAW;YAAE,OAAO,KAAK,CAAC;QAE/B,kBAAkB;QAClB,IAAI,IAAI,CAAC,SAAS,IAAI,OAAO,EAAE,CAAC;YAC9B,OAAO,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC;QACjC,CAAC;QAED,OAAO,IAAI,CAAC;IACd,CAAC;IAED,MAAM,QAAQ,GAAiB;QAC7B,GAAG,CAAC,QAAgB,EAAE,MAAc,EAAE,OAAiC;YACrE,MAAM,WAAW,GAAG,iBAAiB,EAAE,CAAC;YACxC,MAAM,OAAO,GAAG,WAAW,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,iBAAiB,CAAC,CAAC,EAAE,QAAQ,EAAE,MAAM,EAAE,OAAO,CAAC,CAAC,CAAC;YAEvF,IAAI,CAAC,OAAO,IAAI,aAAa,EAAE,CAAC;gBAC9B,QAAQ,EAAE,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC;gBAC7B,OAAO,KAAK,CAAC;YACf,CAAC;YAED,OAAO,OAAO,IAAI,CAAC,aAAa,CAAC;QACnC,CAAC;QAED,MAAM,CAAC,MAAmD;YACxD,OAAO,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,QAAQ,EAAE,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC;QAC/D,CAAC;QAED,MAAM,CAAC,MAAmD;YACxD,OAAO,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,QAAQ,EAAE,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC;QAC9D,CAAC;QAED,QAAQ,CAAC,KAAe;YACtB,SAAS,GAAG,IAAI,GAAG,CAAC,KAAK,CAAC,CAAC;YAC3B,YAAY,EAAE,CAAC;QACjB,CAAC;QAED,OAAO,CAAC,IAAY;YAClB,SAAS,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;YACpB,YAAY,EAAE,CAAC;QACjB,CAAC;QAED,UAAU,CAAC,IAAY;YACrB,SAAS,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;YACvB,YAAY,EAAE,CAAC;QACjB,CAAC;QAED,QAAQ;YACN,OAAO,CAAC,GAAG,SAAS,CAAC,CAAC;QACxB,CAAC;QAED,cAAc;YACZ,OAAO,iBAAiB,EAAE,CAAC;QAC7B,CAAC;QAED,UAAU,CAAC,IAAU;YACnB,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,EAAE,IAAI,CAAC,CAAC;YAC7B,YAAY,EAAE,CAAC;QACjB,CAAC;QAED,oBAAoB,CAAC,IAAY;YAC/B,OAAO,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;YACrB,SAAS,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;YACvB,YAAY,EAAE,CAAC;QACjB,CAAC;QAED,KAAK,CAAI,QAAgB,EAAE,MAAc,EAAE,EAAW;YACpD,IAAI,QAAQ,CAAC,GAAG,CAAC,QAAQ,EAAE,MAAM,CAAC;gBAAE,OAAO,EAAE,EAAE,CAAC;YAChD,OAAO,SAAS,CAAC;QACnB,CAAC;QAED,KAAK,CAAC,UAAU,CAAI,QAAgB,EAAE,MAAc,EAAE,EAAoB;YACxE,IAAI,QAAQ,CAAC,GAAG,CAAC,QAAQ,EAAE,MAAM,CAAC;gBAAE,OAAO,EAAE,EAAE,CAAC;YAChD,OAAO,SAAS,CAAC;QACnB,CAAC;QAED,UAAU,CAAC,QAAgB,EAAE,MAAc;YACzC,OAAO,GAAG,EAAE,CAAC,QAAQ,CAAC,GAAG,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC;QAC9C,CAAC;QAED,QAAQ,CAAC,OAAmB;YAC1B,eAAe,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;YAC7B,OAAO,GAAG,EAAE,CAAC,eAAe,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;QAC/C,CAAC;QAED,cAAc,CAAC,OAAgB,EAAE,QAAgB,EAAE,MAAc;YAC/D,MAAM,EAAE,GAAG,OAAsB,CAAC;YAElC,SAAS,MAAM;gBACb,EAAE,CAAC,KAAK,CAAC,OAAO,GAAG,QAAQ,CAAC,GAAG,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,MAAM,CAAC;YAClE,CAAC;YAED,MAAM,EAAE,CAAC;YACT,MAAM,KAAK,GAAG,QAAQ,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;YAExC,MAAM,OAAO,GAAG,GAAG,EAAE;gBACnB,KAAK,EAAE,CAAC;gBACR,EAAE,CAAC,KAAK,CAAC,OAAO,GAAG,EAAE,CAAC;YACxB,CAAC,CAAC;YAEF,kBAAkB,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;YACjC,OAAO,OAAO,CAAC;QACjB,CAAC;KACF,CAAC;IAEF,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,4CAA4C;AAE5C;;;GAGG;AACH,MAAM,UAAU,eAAe,CAAC,GAAW;IACzC,MAAM,CAAC,QAAQ,EAAE,MAAM,GAAG,GAAG,CAAC,GAAG,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAChD,OAAO,EAAE,QAAQ,EAAE,MAAM,EAAE,CAAC;AAC9B,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,gBAAgB,CAAC,IAAY,EAAE,WAAqB,EAAE,QAAmB;IACvF,OAAO;QACL,IAAI;QACJ,WAAW,EAAE,WAAW,CAAC,GAAG,CAAC,eAAe,CAAC;QAC7C,QAAQ;KACT,CAAC;AACJ,CAAC"}

package/dist/security/sanitize.d.ts

@@ -0,0 +1,44 @@
+/**
+ * Nova Engine — Input Sanitization
+ *
+ * HTML sanitizer with tag/attribute allowlists, URL validation,
+ * and text cleaning utilities. Zero dependencies — uses the
+ * browser's native DOMParser for safe HTML parsing.
+ */
+export interface SanitizeOptions {
+    /** Allowed HTML tags. Default: common safe tags */
+    allowedTags?: string[];
+    /** Allowed attributes per tag. '*' key applies to all tags */
+    allowedAttributes?: Record<string, string[]>;
+    /** Allowed URL schemes. Default: ['http', 'https', 'mailto'] */
+    allowedSchemes?: string[];
+    /** Allow data: URIs for images. Default: false */
+    allowDataUrls?: boolean;
+    /** Strip all HTML (return plain text). Default: false */
+    stripAll?: boolean;
+    /** Max output length. Default: unlimited */
+    maxLength?: number;
+    /** Custom tag transformer */
+    transformTag?: (tag: string, attribs: Record<string, string>) => {
+        tag: string;
+        attribs: Record<string, string>;
+    } | null;
+}
+/** Sanitize HTML string, removing dangerous tags and attributes. */
+export declare function sanitize(html: string, options?: SanitizeOptions): string;
+/** Strip all HTML tags, returning plain text. */
+export declare function stripTags(html: string): string;
+/** Escape a string for safe use in HTML content. */
+export declare function escapeHTML(text: string): string;
+/** Validate and sanitize a URL. Returns null if unsafe. */
+export declare function sanitizeURL(url: string, options?: {
+    allowedSchemes?: string[];
+    allowDataUrls?: boolean;
+}): string | null;
+/** Clean user input: trim, collapse whitespace, remove control chars. */
+export declare function cleanInput(text: string): string;
+/** Sanitize a filename: remove path traversal, special chars. */
+export declare function sanitizeFilename(name: string): string;
+/** Check if a string contains potential XSS payloads. */
+export declare function detectXSS(input: string): boolean;
+//# sourceMappingURL=sanitize.d.ts.map

package/dist/security/sanitize.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"sanitize.d.ts","sourceRoot":"","sources":["../../src/security/sanitize.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,MAAM,WAAW,eAAe;IAC9B,mDAAmD;IACnD,WAAW,CAAC,EAAE,MAAM,EAAE,CAAC;IACvB,8DAA8D;IAC9D,iBAAiB,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,EAAE,CAAC,CAAC;IAC7C,gEAAgE;IAChE,cAAc,CAAC,EAAE,MAAM,EAAE,CAAC;IAC1B,kDAAkD;IAClD,aAAa,CAAC,EAAE,OAAO,CAAC;IACxB,yDAAyD;IACzD,QAAQ,CAAC,EAAE,OAAO,CAAC;IACnB,4CAA4C;IAC5C,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,6BAA6B;IAC7B,YAAY,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,KAAK;QAAE,GAAG,EAAE,MAAM,CAAC;QAAC,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAA;KAAE,GAAG,IAAI,CAAC;CAC1H;AAyJD,oEAAoE;AACpE,wBAAgB,QAAQ,CAAC,IAAI,EAAE,MAAM,EAAE,OAAO,GAAE,eAAoB,GAAG,MAAM,CA0B5E;AAED,iDAAiD;AACjD,wBAAgB,SAAS,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM,CAI9C;AAED,oDAAoD;AACpD,wBAAgB,UAAU,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM,CAO/C;AAED,2DAA2D;AAC3D,wBAAgB,WAAW,CACzB,GAAG,EAAE,MAAM,EACX,OAAO,CAAC,EAAE;IAAE,cAAc,CAAC,EAAE,MAAM,EAAE,CAAC;IAAC,aAAa,CAAC,EAAE,OAAO,CAAA;CAAE,GAC/D,MAAM,GAAG,IAAI,CAKf;AAED,yEAAyE;AACzE,wBAAgB,UAAU,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM,CAS/C;AAED,iEAAiE;AACjE,wBAAgB,gBAAgB,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM,CAcrD;AAED,yDAAyD;AACzD,wBAAgB,SAAS,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAgBhD"}

package/dist/security/sanitize.js

@@ -0,0 +1,230 @@
+/**
+ * Nova Engine — Input Sanitization
+ *
+ * HTML sanitizer with tag/attribute allowlists, URL validation,
+ * and text cleaning utilities. Zero dependencies — uses the
+ * browser's native DOMParser for safe HTML parsing.
+ */
+const DEFAULT_ALLOWED_TAGS = [
+    'a', 'abbr', 'b', 'blockquote', 'br', 'code', 'dd', 'del', 'details',
+    'div', 'dl', 'dt', 'em', 'h1', 'h2', 'h3', 'h4', 'h5', 'h6', 'hr',
+    'i', 'img', 'ins', 'kbd', 'li', 'mark', 'ol', 'p', 'pre', 'q',
+    's', 'samp', 'small', 'span', 'strong', 'sub', 'summary', 'sup',
+    'table', 'tbody', 'td', 'th', 'thead', 'time', 'tr', 'u', 'ul', 'var',
+];
+const DEFAULT_ALLOWED_ATTRIBUTES = {
+    '*': ['class', 'id', 'title', 'lang', 'dir'],
+    'a': ['href', 'target', 'rel'],
+    'img': ['src', 'alt', 'width', 'height', 'loading'],
+    'blockquote': ['cite'],
+    'q': ['cite'],
+    'time': ['datetime'],
+    'ol': ['start', 'type'],
+    'td': ['colspan', 'rowspan'],
+    'th': ['colspan', 'rowspan', 'scope'],
+    'details': ['open'],
+};
+const DEFAULT_SCHEMES = ['http', 'https', 'mailto'];
+const DANGEROUS_PROTOCOLS = ['javascript', 'vbscript', 'data'];
+function getScheme(url) {
+    const match = url.match(/^([a-zA-Z][a-zA-Z0-9+.-]*):/);
+    return match ? match[1].toLowerCase() : null;
+}
+function isURLSafe(url, allowedSchemes, allowDataUrls) {
+    const trimmed = url.trim().toLowerCase();
+    // Block javascript: and vbscript: regardless of encoding
+    for (const proto of DANGEROUS_PROTOCOLS) {
+        if (proto === 'data' && allowDataUrls)
+            continue;
+        // Check for obfuscation: j = j, j = j, etc.
+        const decoded = trimmed.replace(/&#x?[0-9a-f]+;?/gi, '').replace(/\s+/g, '');
+        if (decoded.startsWith(proto + ':'))
+            return false;
+    }
+    const scheme = getScheme(trimmed);
+    if (!scheme)
+        return true; // Relative URL — safe
+    if (allowDataUrls && scheme === 'data') {
+        // Only allow image data URIs
+        return trimmed.startsWith('data:image/');
+    }
+    return allowedSchemes.includes(scheme);
+}
+function sanitizeNode(node, opts, output) {
+    if (node.nodeType === Node.TEXT_NODE) {
+        output.push(escapeText(node.textContent ?? ''));
+        return;
+    }
+    if (node.nodeType !== Node.ELEMENT_NODE)
+        return;
+    const el = node;
+    const tag = el.tagName.toLowerCase();
+    // Skip disallowed tags but process their children
+    if (!opts.allowedTags.includes(tag)) {
+        for (const child of el.childNodes) {
+            sanitizeNode(child, opts, output);
+        }
+        return;
+    }
+    // Collect allowed attributes
+    const attribs = {};
+    const globalAllowed = opts.allowedAttributes['*'] ?? [];
+    const tagAllowed = opts.allowedAttributes[tag] ?? [];
+    const allowed = new Set([...globalAllowed, ...tagAllowed]);
+    for (const attr of el.attributes) {
+        const name = attr.name.toLowerCase();
+        if (!allowed.has(name))
+            continue;
+        let value = attr.value;
+        // Validate URLs in href/src/cite
+        if (['href', 'src', 'cite'].includes(name)) {
+            if (!isURLSafe(value, opts.allowedSchemes, opts.allowDataUrls))
+                continue;
+        }
+        // Force rel="noopener noreferrer" on target="_blank" links
+        if (tag === 'a' && name === 'target' && value === '_blank') {
+            attribs['rel'] = 'noopener noreferrer';
+        }
+        attribs[name] = value;
+    }
+    // Custom transform
+    if (opts.transformTag) {
+        const result = opts.transformTag(tag, attribs);
+        if (result === null)
+            return; // Drop element and children
+        // Use transformed tag/attribs
+        const attrStr = Object.entries(result.attribs)
+            .map(([k, v]) => ` ${escapeAttrName(k)}="${escapeAttrValue(v)}"`)
+            .join('');
+        output.push(`<${result.tag}${attrStr}>`);
+        for (const child of el.childNodes) {
+            sanitizeNode(child, opts, output);
+        }
+        if (!isVoidElement(result.tag))
+            output.push(`</${result.tag}>`);
+        return;
+    }
+    const attrStr = Object.entries(attribs)
+        .map(([k, v]) => ` ${escapeAttrName(k)}="${escapeAttrValue(v)}"`)
+        .join('');
+    output.push(`<${tag}${attrStr}>`);
+    for (const child of el.childNodes) {
+        sanitizeNode(child, opts, output);
+    }
+    if (!isVoidElement(tag))
+        output.push(`</${tag}>`);
+}
+function isVoidElement(tag) {
+    return ['br', 'hr', 'img', 'input', 'meta', 'link', 'area', 'base', 'col', 'embed', 'source', 'track', 'wbr'].includes(tag);
+}
+function escapeText(text) {
+    return text
+        .replace(/&/g, '&amp;')
+        .replace(/</g, '&lt;')
+        .replace(/>/g, '&gt;');
+}
+function escapeAttrValue(value) {
+    return value
+        .replace(/&/g, '&amp;')
+        .replace(/"/g, '&quot;')
+        .replace(/</g, '&lt;')
+        .replace(/>/g, '&gt;');
+}
+function escapeAttrName(name) {
+    return name.replace(/[^a-zA-Z0-9_-]/g, '');
+}
+/** Sanitize HTML string, removing dangerous tags and attributes. */
+export function sanitize(html, options = {}) {
+    if (options.stripAll)
+        return stripTags(html);
+    const parser = new DOMParser();
+    const doc = parser.parseFromString(`<div>${html}</div>`, 'text/html');
+    const root = doc.body.firstElementChild;
+    if (!root)
+        return '';
+    const output = [];
+    const opts = {
+        allowedTags: options.allowedTags ?? DEFAULT_ALLOWED_TAGS,
+        allowedAttributes: { ...DEFAULT_ALLOWED_ATTRIBUTES, ...options.allowedAttributes },
+        allowedSchemes: options.allowedSchemes ?? DEFAULT_SCHEMES,
+        allowDataUrls: options.allowDataUrls ?? false,
+        transformTag: options.transformTag,
+    };
+    for (const child of root.childNodes) {
+        sanitizeNode(child, opts, output);
+    }
+    let result = output.join('');
+    if (options.maxLength && result.length > options.maxLength) {
+        result = result.slice(0, options.maxLength);
+    }
+    return result;
+}
+/** Strip all HTML tags, returning plain text. */
+export function stripTags(html) {
+    const parser = new DOMParser();
+    const doc = parser.parseFromString(html, 'text/html');
+    return doc.body.textContent ?? '';
+}
+/** Escape a string for safe use in HTML content. */
+export function escapeHTML(text) {
+    return text
+        .replace(/&/g, '&amp;')
+        .replace(/</g, '&lt;')
+        .replace(/>/g, '&gt;')
+        .replace(/"/g, '&quot;')
+        .replace(/'/g, '&#39;');
+}
+/** Validate and sanitize a URL. Returns null if unsafe. */
+export function sanitizeURL(url, options) {
+    const schemes = options?.allowedSchemes ?? DEFAULT_SCHEMES;
+    const allowData = options?.allowDataUrls ?? false;
+    if (!isURLSafe(url, schemes, allowData))
+        return null;
+    return url.trim();
+}
+/** Clean user input: trim, collapse whitespace, remove control chars. */
+export function cleanInput(text) {
+    return text
+        .trim()
+        // Remove zero-width chars and control chars (except newline, tab)
+        .replace(/[\u0000-\u0008\u000B\u000C\u000E-\u001F\u007F-\u009F\u200B-\u200D\uFEFF]/g, '')
+        // Collapse multiple spaces to one
+        .replace(/[ \t]+/g, ' ')
+        // Collapse multiple newlines to two
+        .replace(/\n{3,}/g, '\n\n');
+}
+/** Sanitize a filename: remove path traversal, special chars. */
+export function sanitizeFilename(name) {
+    return name
+        // Remove path traversal
+        .replace(/\.\./g, '')
+        // Remove path separators
+        .replace(/[/\\]/g, '')
+        // Remove null bytes
+        .replace(/\0/g, '')
+        // Remove special characters except dash, underscore, dot
+        .replace(/[^a-zA-Z0-9._-]/g, '_')
+        // Remove leading dots (hidden files)
+        .replace(/^\.+/, '')
+        // Limit length
+        .slice(0, 255);
+}
+/** Check if a string contains potential XSS payloads. */
+export function detectXSS(input) {
+    const lower = input.toLowerCase().replace(/\s+/g, '');
+    const patterns = [
+        /<script/i,
+        /javascript:/i,
+        /vbscript:/i,
+        /on\w+\s*=/i,
+        /expression\s*\(/i,
+        /url\s*\(\s*['"]?\s*javascript/i,
+        /<iframe/i,
+        /<object/i,
+        /<embed/i,
+        /<form/i,
+        /&#x?[0-9a-f]+;/i,
+    ];
+    return patterns.some(p => p.test(lower) || p.test(input));
+}
+//# sourceMappingURL=sanitize.js.map

package/dist/security/sanitize.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"sanitize.js","sourceRoot":"","sources":["../../src/security/sanitize.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAmBH,MAAM,oBAAoB,GAAG;IAC3B,GAAG,EAAE,MAAM,EAAE,GAAG,EAAE,YAAY,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,KAAK,EAAE,SAAS;IACpE,KAAK,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI;IACjE,GAAG,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,GAAG,EAAE,KAAK,EAAE,GAAG;IAC7D,GAAG,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,QAAQ,EAAE,KAAK,EAAE,SAAS,EAAE,KAAK;IAC/D,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,IAAI,EAAE,OAAO,EAAE,MAAM,EAAE,IAAI,EAAE,GAAG,EAAE,IAAI,EAAE,KAAK;CACtE,CAAC;AAEF,MAAM,0BAA0B,GAA6B;IAC3D,GAAG,EAAE,CAAC,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,MAAM,EAAE,KAAK,CAAC;IAC5C,GAAG,EAAE,CAAC,MAAM,EAAE,QAAQ,EAAE,KAAK,CAAC;IAC9B,KAAK,EAAE,CAAC,KAAK,EAAE,KAAK,EAAE,OAAO,EAAE,QAAQ,EAAE,SAAS,CAAC;IACnD,YAAY,EAAE,CAAC,MAAM,CAAC;IACtB,GAAG,EAAE,CAAC,MAAM,CAAC;IACb,MAAM,EAAE,CAAC,UAAU,CAAC;IACpB,IAAI,EAAE,CAAC,OAAO,EAAE,MAAM,CAAC;IACvB,IAAI,EAAE,CAAC,SAAS,EAAE,SAAS,CAAC;IAC5B,IAAI,EAAE,CAAC,SAAS,EAAE,SAAS,EAAE,OAAO,CAAC;IACrC,SAAS,EAAE,CAAC,MAAM,CAAC;CACpB,CAAC;AAEF,MAAM,eAAe,GAAG,CAAC,MAAM,EAAE,OAAO,EAAE,QAAQ,CAAC,CAAC;AAEpD,MAAM,mBAAmB,GAAG,CAAC,YAAY,EAAE,UAAU,EAAE,MAAM,CAAC,CAAC;AAE/D,SAAS,SAAS,CAAC,GAAW;IAC5B,MAAM,KAAK,GAAG,GAAG,CAAC,KAAK,CAAC,6BAA6B,CAAC,CAAA;IACtD,OAAO,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,WAAW,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC;AAC/C,CAAC;AAED,SAAS,SAAS,CAAC,GAAW,EAAE,cAAwB,EAAE,aAAsB;IAC9E,MAAM,OAAO,GAAG,GAAG,CAAC,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;IAEzC,yDAAyD;IACzD,KAAK,MAAM,KAAK,IAAI,mBAAmB,EAAE,CAAC;QACxC,IAAI,KAAK,KAAK,MAAM,IAAI,aAAa;YAAE,SAAS;QAChD,sDAAsD;QACtD,MAAM,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC,mBAAmB,EAAE,EAAE,CAAC,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;QAC7E,IAAI,OAAO,CAAC,UAAU,CAAC,KAAK,GAAG,GAAG,CAAC;YAAE,OAAO,KAAK,CAAC;IACpD,CAAC;IAED,MAAM,MAAM,GAAG,SAAS,CAAC,OAAO,CAAC,CAAC;IAClC,IAAI,CAAC,MAAM;QAAE,OAAO,IAAI,CAAC,CAAC,sBAAsB;IAChD,IAAI,aAAa,IAAI,MAAM,KAAK,MAAM,EAAE,CAAC;QACvC,6BAA6B;QAC7B,OAAO,OAAO,CAAC,UAAU,CAAC,aAAa,CAAC,CAAC;IAC3C,CAAC;IACD,OAAO,cAAc,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;AACzC,CAAC;AAED,SAAS,YAAY,CACnB,IAAU,EACV,IAGC,EACD,MAAgB;IAEhB,IAAI,IAAI,CAAC,QAAQ,KAAK,IAAI,CAAC,SAAS,EAAE,CAAC;QACrC,MAAM,CAAC,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC,WAAW,IAAI,EAAE,CAAC,CAAC,CAAC;QAChD,OAAO;IACT,CAAC;IAED,IAAI,IAAI,CAAC,QAAQ,KAAK,IAAI,CAAC,YAAY;QAAE,OAAO;IAEhD,MAAM,EAAE,GAAG,IAAe,CAAC;IAC3B,MAAM,GAAG,GAAG,EAAE,CAAC,OAAO,CAAC,WAAW,EAAE,CAAC;IAErC,kDAAkD;IAClD,IAAI,CAAC,IAAI,CAAC,WAAW,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;QACpC,KAAK,MAAM,KAAK,IAAI,EAAE,CAAC,UAAU,EAAE,CAAC;YAClC,YAAY,CAAC,KAAK,EAAE,IAAI,EAAE,MAAM,CAAC,CAAC;QACpC,CAAC;QACD,OAAO;IACT,CAAC;IAED,6BAA6B;IAC7B,MAAM,OAAO,GAA2B,EAAE,CAAC;IAC3C,MAAM,aAAa,GAAG,IAAI,CAAC,iBAAiB,CAAC,GAAG,CAAC,IAAI,EAAE,CAAC;IACxD,MAAM,UAAU,GAAG,IAAI,CAAC,iBAAiB,CAAC,GAAG,CAAC,IAAI,EAAE,CAAC;IACrD,MAAM,OAAO,GAAG,IAAI,GAAG,CAAC,CAAC,GAAG,aAAa,EAAE,GAAG,UAAU,CAAC,CAAC,CAAC;IAE3D,KAAK,MAAM,IAAI,IAAI,EAAE,CAAC,UAAU,EAAE,CAAC;QACjC,MAAM,IAAI,GAAG,IAAI,CAAC,IAAI,CAAC,WAAW,EAAE,CAAC;QACrC,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC;YAAE,SAAS;QAEjC,IAAI,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC;QAEvB,iCAAiC;QACjC,IAAI,CAAC,MAAM,EAAE,KAAK,EAAE,MAAM,CAAC,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;YAC3C,IAAI,CAAC,SAAS,CAAC,KAAK,EAAE,IAAI,CAAC,cAAc,EAAE,IAAI,CAAC,aAAa,CAAC;gBAAE,SAAS;QAC3E,CAAC;QAED,2DAA2D;QAC3D,IAAI,GAAG,KAAK,GAAG,IAAI,IAAI,KAAK,QAAQ,IAAI,KAAK,KAAK,QAAQ,EAAE,CAAC;YAC3D,OAAO,CAAC,KAAK,CAAC,GAAG,qBAAqB,CAAC;QACzC,CAAC;QAED,OAAO,CAAC,IAAI,CAAC,GAAG,KAAK,CAAC;IACxB,CAAC;IAED,mBAAmB;IACnB,IAAI,IAAI,CAAC,YAAY,EAAE,CAAC;QACtB,MAAM,MAAM,GAAG,IAAI,CAAC,YAAY,CAAC,GAAG,EAAE,OAAO,CAAC,CAAC;QAC/C,IAAI,MAAM,KAAK,IAAI;YAAE,OAAO,CAAC,4BAA4B;QACzD,8BAA8B;QAC9B,MAAM,OAAO,GAAG,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,OAAO,CAAC;aAC3C,GAAG,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,EAAE,EAAE,CAAC,IAAI,cAAc,CAAC,CAAC,CAAC,KAAK,eAAe,CAAC,CAAC,CAAC,GAAG,CAAC;aAChE,IAAI,CAAC,EAAE,CAAC,CAAC;QACZ,MAAM,CAAC,IAAI,CAAC,IAAI,MAAM,CAAC,GAAG,GAAG,OAAO,GAAG,CAAC,CAAC;QACzC,KAAK,MAAM,KAAK,IAAI,EAAE,CAAC,UAAU,EAAE,CAAC;YAClC,YAAY,CAAC,KAAK,EAAE,IAAI,EAAE,MAAM,CAAC,CAAC;QACpC,CAAC;QACD,IAAI,CAAC,aAAa,CAAC,MAAM,CAAC,GAAG,CAAC;YAAE,MAAM,CAAC,IAAI,CAAC,KAAK,MAAM,CAAC,GAAG,GAAG,CAAC,CAAC;QAChE,OAAO;IACT,CAAC;IAED,MAAM,OAAO,GAAG,MAAM,CAAC,OAAO,CAAC,OAAO,CAAC;SACpC,GAAG,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,EAAE,EAAE,CAAC,IAAI,cAAc,CAAC,CAAC,CAAC,KAAK,eAAe,CAAC,CAAC,CAAC,GAAG,CAAC;SAChE,IAAI,CAAC,EAAE,CAAC,CAAC;IAEZ,MAAM,CAAC,IAAI,CAAC,IAAI,GAAG,GAAG,OAAO,GAAG,CAAC,CAAC;IAClC,KAAK,MAAM,KAAK,IAAI,EAAE,CAAC,UAAU,EAAE,CAAC;QAClC,YAAY,CAAC,KAAK,EAAE,IAAI,EAAE,MAAM,CAAC,CAAC;IACpC,CAAC;IACD,IAAI,CAAC,aAAa,CAAC,GAAG,CAAC;QAAE,MAAM,CAAC,IAAI,CAAC,KAAK,GAAG,GAAG,CAAC,CAAC;AACpD,CAAC;AAED,SAAS,aAAa,CAAC,GAAW;IAChC,OAAO,CAAC,IAAI,EAAE,IAAI,EAAE,KAAK,EAAE,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE,OAAO,EAAE,QAAQ,EAAE,OAAO,EAAE,KAAK,CAAC,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC;AAC9H,CAAC;AAED,SAAS,UAAU,CAAC,IAAY;IAC9B,OAAO,IAAI;SACR,OAAO,CAAC,IAAI,EAAE,OAAO,CAAC;SACtB,OAAO,CAAC,IAAI,EAAE,MAAM,CAAC;SACrB,OAAO,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC;AAC3B,CAAC;AAED,SAAS,eAAe,CAAC,KAAa;IACpC,OAAO,KAAK;SACT,OAAO,CAAC,IAAI,EAAE,OAAO,CAAC;SACtB,OAAO,CAAC,IAAI,EAAE,QAAQ,CAAC;SACvB,OAAO,CAAC,IAAI,EAAE,MAAM,CAAC;SACrB,OAAO,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC;AAC3B,CAAC;AAED,SAAS,cAAc,CAAC,IAAY;IAClC,OAAO,IAAI,CAAC,OAAO,CAAC,iBAAiB,EAAE,EAAE,CAAC,CAAC;AAC7C,CAAC;AAED,oEAAoE;AACpE,MAAM,UAAU,QAAQ,CAAC,IAAY,EAAE,UAA2B,EAAE;IAClE,IAAI,OAAO,CAAC,QAAQ;QAAE,OAAO,SAAS,CAAC,IAAI,CAAC,CAAC;IAE7C,MAAM,MAAM,GAAG,IAAI,SAAS,EAAE,CAAC;IAC/B,MAAM,GAAG,GAAG,MAAM,CAAC,eAAe,CAAC,QAAQ,IAAI,QAAQ,EAAE,WAAW,CAAC,CAAC;IACtE,MAAM,IAAI,GAAG,GAAG,CAAC,IAAI,CAAC,iBAAiB,CAAC;IACxC,IAAI,CAAC,IAAI;QAAE,OAAO,EAAE,CAAC;IAErB,MAAM,MAAM,GAAa,EAAE,CAAC;IAC5B,MAAM,IAAI,GAAG;QACX,WAAW,EAAE,OAAO,CAAC,WAAW,IAAI,oBAAoB;QACxD,iBAAiB,EAAE,EAAE,GAAG,0BAA0B,EAAE,GAAG,OAAO,CAAC,iBAAiB,EAAE;QAClF,cAAc,EAAE,OAAO,CAAC,cAAc,IAAI,eAAe;QACzD,aAAa,EAAE,OAAO,CAAC,aAAa,IAAI,KAAK;QAC7C,YAAY,EAAE,OAAO,CAAC,YAAY;KACnC,CAAC;IAEF,KAAK,MAAM,KAAK,IAAI,IAAI,CAAC,UAAU,EAAE,CAAC;QACpC,YAAY,CAAC,KAAK,EAAE,IAAI,EAAE,MAAM,CAAC,CAAC;IACpC,CAAC;IAED,IAAI,MAAM,GAAG,MAAM,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IAC7B,IAAI,OAAO,CAAC,SAAS,IAAI,MAAM,CAAC,MAAM,GAAG,OAAO,CAAC,SAAS,EAAE,CAAC;QAC3D,MAAM,GAAG,MAAM,CAAC,KAAK,CAAC,CAAC,EAAE,OAAO,CAAC,SAAS,CAAC,CAAC;IAC9C,CAAC;IACD,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,iDAAiD;AACjD,MAAM,UAAU,SAAS,CAAC,IAAY;IACpC,MAAM,MAAM,GAAG,IAAI,SAAS,EAAE,CAAC;IAC/B,MAAM,GAAG,GAAG,MAAM,CAAC,eAAe,CAAC,IAAI,EAAE,WAAW,CAAC,CAAC;IACtD,OAAO,GAAG,CAAC,IAAI,CAAC,WAAW,IAAI,EAAE,CAAC;AACpC,CAAC;AAED,oDAAoD;AACpD,MAAM,UAAU,UAAU,CAAC,IAAY;IACrC,OAAO,IAAI;SACR,OAAO,CAAC,IAAI,EAAE,OAAO,CAAC;SACtB,OAAO,CAAC,IAAI,EAAE,MAAM,CAAC;SACrB,OAAO,CAAC,IAAI,EAAE,MAAM,CAAC;SACrB,OAAO,CAAC,IAAI,EAAE,QAAQ,CAAC;SACvB,OAAO,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;AAC5B,CAAC;AAED,2DAA2D;AAC3D,MAAM,UAAU,WAAW,CACzB,GAAW,EACX,OAAgE;IAEhE,MAAM,OAAO,GAAG,OAAO,EAAE,cAAc,IAAI,eAAe,CAAC;IAC3D,MAAM,SAAS,GAAG,OAAO,EAAE,aAAa,IAAI,KAAK,CAAC;IAClD,IAAI,CAAC,SAAS,CAAC,GAAG,EAAE,OAAO,EAAE,SAAS,CAAC;QAAE,OAAO,IAAI,CAAC;IACrD,OAAO,GAAG,CAAC,IAAI,EAAE,CAAC;AACpB,CAAC;AAED,yEAAyE;AACzE,MAAM,UAAU,UAAU,CAAC,IAAY;IACrC,OAAO,IAAI;SACR,IAAI,EAAE;QACP,kEAAkE;SACjE,OAAO,CAAC,2EAA2E,EAAE,EAAE,CAAC;QACzF,kCAAkC;SACjC,OAAO,CAAC,SAAS,EAAE,GAAG,CAAC;QACxB,oCAAoC;SACnC,OAAO,CAAC,SAAS,EAAE,MAAM,CAAC,CAAC;AAChC,CAAC;AAED,iEAAiE;AACjE,MAAM,UAAU,gBAAgB,CAAC,IAAY;IAC3C,OAAO,IAAI;QACT,wBAAwB;SACvB,OAAO,CAAC,OAAO,EAAE,EAAE,CAAC;QACrB,yBAAyB;SACxB,OAAO,CAAC,QAAQ,EAAE,EAAE,CAAC;QACtB,oBAAoB;SACnB,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC;QACnB,yDAAyD;SACxD,OAAO,CAAC,kBAAkB,EAAE,GAAG,CAAC;QACjC,qCAAqC;SACpC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC;QACpB,eAAe;SACd,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC;AACnB,CAAC;AAED,yDAAyD;AACzD,MAAM,UAAU,SAAS,CAAC,KAAa;IACrC,MAAM,KAAK,GAAG,KAAK,CAAC,WAAW,EAAE,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;IACtD,MAAM,QAAQ,GAAG;QACf,UAAU;QACV,cAAc;QACd,YAAY;QACZ,YAAY;QACZ,kBAAkB;QAClB,gCAAgC;QAChC,UAAU;QACV,UAAU;QACV,SAAS;QACT,QAAQ;QACR,iBAAiB;KAClB,CAAC;IACF,OAAO,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC;AAC5D,CAAC"}

package/dist/security/secure-store.d.ts

@@ -0,0 +1,44 @@
+/**
+ * Nova Engine — Secure Storage
+ *
+ * Encrypted localStorage/sessionStorage wrapper using AES-GCM.
+ * All values are encrypted at rest with a derived key from a
+ * user-provided passphrase or auto-generated key.
+ */
+export interface SecureStoreOptions {
+    /** Passphrase for key derivation. If omitted, generates a random key. */
+    passphrase?: string;
+    /** Storage key prefix. Default: 'nova_secure' */
+    prefix?: string;
+    /** Use sessionStorage (true) or localStorage (false). Default: false */
+    sessionOnly?: boolean;
+    /** PBKDF2 iterations for key derivation. Default: 100000 */
+    iterations?: number;
+    /** Key length in bits. Default: 256 */
+    keyLength?: 128 | 192 | 256;
+    /** Auto-expire entries after ms. Default: 0 (no expiry) */
+    defaultTTL?: number;
+}
+export interface SecureStoreInstance {
+    /** Initialize the store (must be called before get/set). */
+    init(): Promise<void>;
+    /** Store an encrypted value. */
+    set<T>(key: string, value: T, ttl?: number): Promise<void>;
+    /** Retrieve and decrypt a value. */
+    get<T>(key: string): Promise<T | null>;
+    /** Check if a key exists and is not expired. */
+    has(key: string): boolean;
+    /** Remove a key. */
+    remove(key: string): void;
+    /** Clear all secure store entries. */
+    clear(): void;
+    /** List all keys (without prefix). */
+    keys(): string[];
+    /** Get number of stored entries. */
+    size(): number;
+    /** Destroy — clear keys from memory. */
+    destroy(): void;
+}
+/** Create an encrypted storage instance. */
+export declare function createSecureStore(options?: SecureStoreOptions): SecureStoreInstance;
+//# sourceMappingURL=secure-store.d.ts.map

package/dist/security/secure-store.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"secure-store.d.ts","sourceRoot":"","sources":["../../src/security/secure-store.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,MAAM,WAAW,kBAAkB;IACjC,yEAAyE;IACzE,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,iDAAiD;IACjD,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,wEAAwE;IACxE,WAAW,CAAC,EAAE,OAAO,CAAC;IACtB,4DAA4D;IAC5D,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,uCAAuC;IACvC,SAAS,CAAC,EAAE,GAAG,GAAG,GAAG,GAAG,GAAG,CAAC;IAC5B,2DAA2D;IAC3D,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB;AAED,MAAM,WAAW,mBAAmB;IAClC,4DAA4D;IAC5D,IAAI,IAAI,OAAO,CAAC,IAAI,CAAC,CAAC;IACtB,gCAAgC;IAChC,GAAG,CAAC,CAAC,EAAE,GAAG,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC,EAAE,GAAG,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAC3D,oCAAoC;IACpC,GAAG,CAAC,CAAC,EAAE,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,CAAC,GAAG,IAAI,CAAC,CAAC;IACvC,gDAAgD;IAChD,GAAG,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC;IAC1B,oBAAoB;IACpB,MAAM,CAAC,GAAG,EAAE,MAAM,GAAG,IAAI,CAAC;IAC1B,sCAAsC;IACtC,KAAK,IAAI,IAAI,CAAC;IACd,sCAAsC;IACtC,IAAI,IAAI,MAAM,EAAE,CAAC;IACjB,oCAAoC;IACpC,IAAI,IAAI,MAAM,CAAC;IACf,wCAAwC;IACxC,OAAO,IAAI,IAAI,CAAC;CACjB;AAsBD,4CAA4C;AAC5C,wBAAgB,iBAAiB,CAAC,OAAO,GAAE,kBAAuB,GAAG,mBAAmB,CA8LvF"}