@marslanmustafa/input-shield 0.1.0

package/dist/chunk-WACGX73I.mjs.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/validators/presets.ts"],"names":[],"mappings":";;;AAsBO,SAAS,iBAAiB,IAAA,EAAgC;AAC/D,EAAA,OAAO,eAAA,GACJ,KAAA,CAAM,UAAU,EAChB,GAAA,CAAI,CAAC,CAAA,CACL,GAAA,CAAI,EAAE,CAAA,CACN,aAAY,CACZ,WAAA,CAAY,EAAE,WAAA,EAAa,QAAA,EAAU,CAAA,CACrC,YAAA,EAAa,CACb,QAAA,CAAS,IAAI,CAAA;AAClB;AAMO,SAAS,iBAAA,CAAkB,IAAA,EAAc,SAAA,GAAY,MAAA,EAA0B;AACpF,EAAA,OAAO,eAAA,EAAgB,CACpB,KAAA,CAAM,SAAS,CAAA,CACf,IAAI,CAAC,CAAA,CACL,GAAA,CAAI,GAAG,CAAA,CACP,WAAA,GACA,WAAA,CAAY,EAAE,WAAA,EAAa,QAAA,EAAU,CAAA,CACrC,QAAO,CACP,YAAA,EAAa,CACb,QAAA,CAAS,IAAI,CAAA;AAClB;AAOO,SAAS,YAAY,IAAA,EAAgC;AAC1D,EAAA,OAAO,eAAA,GACJ,KAAA,CAAM,KAAK,EACX,GAAA,CAAI,EAAE,CAAA,CACN,GAAA,CAAI,GAAG,CAAA,CACP,aAAY,CACZ,MAAA,GACA,WAAA,CAAY,EAAE,aAAa,OAAA,EAAS,CAAA,CACpC,QAAA,CAAS,IAAI,CAAA;AAClB;AAOO,SAAS,gBAAA,CAAiB,IAAA,EAAc,SAAA,GAAY,SAAA,EAA6B;AACtF,EAAA,OAAO,iBAAgB,CACpB,KAAA,CAAM,SAAS,CAAA,CACf,IAAI,CAAC,CAAA,CACL,GAAA,CAAI,GAAI,EACR,WAAA,EAAY,CACZ,MAAA,EAAO,CACP,SAAS,IAAI,CAAA;AAClB;AAOO,SAAS,oBAAoB,IAAA,EAAgC;AAClE,EAAA,OAAO,eAAA,EAAgB,CACpB,KAAA,CAAM,cAAc,EACpB,GAAA,CAAI,CAAC,CAAA,CACL,GAAA,CAAI,GAAG,CAAA,CACP,MAAA,EAAO,CACP,SAAS,IAAI,CAAA;AAClB","file":"chunk-WACGX73I.mjs","sourcesContent":["/**\n * presets.ts\n *\n * Ready-to-use validators for the most common field types.\n * Zero config — import and call.\n *\n * All presets are pre-configured InputShieldValidator instances.\n * You can also use them as a starting point and extend with .custom():\n *\n *   import { usernameValidator } from 'input-shield/presets';\n *   // They're factories, so each call gives a fresh instance:\n *   const myValidator = usernameValidator().custom(t => t === 'admin', 'custom', 'reserved name');\n */\n\nimport { createValidator } from './builder.js';\nimport type { ValidationResult } from '../types.js';\n\n/**\n * Username / display name.\n * 3–30 chars, no profanity, strict gibberish detection, no spam.\n * Repeated words allowed (e.g. \"John John\" as a nickname).\n */\nexport function validateUsername(text: string): ValidationResult {\n  return createValidator()\n    .field('Username')\n    .min(3)\n    .max(30)\n    .noProfanity()\n    .noGibberish({ sensitivity: 'strict' })\n    .noLowQuality()\n    .validate(text);\n}\n\n/**\n * Short text / name fields (product name, company name, form title).\n * 2–100 chars, no profanity, normal gibberish, no spam.\n */\nexport function validateShortText(text: string, fieldName = 'Name'): ValidationResult {\n  return createValidator()\n    .field(fieldName)\n    .min(2)\n    .max(100)\n    .noProfanity()\n    .noGibberish({ sensitivity: 'normal' })\n    .noSpam()\n    .noLowQuality()\n    .validate(text);\n}\n\n/**\n * Bio / description / about me.\n * 10–300 chars, no profanity, no spam, loose gibberish (allows natural language).\n * Repeated words NOT flagged (natural in prose).\n */\nexport function validateBio(text: string): ValidationResult {\n  return createValidator()\n    .field('Bio')\n    .min(10)\n    .max(300)\n    .noProfanity()\n    .noSpam()\n    .noGibberish({ sensitivity: 'loose' })\n    .validate(text);\n}\n\n/**\n * Long-form text (comment, review, feedback).\n * 5–2000 chars, no profanity, no spam. No gibberish check\n * (long text can contain intentional fragments, code, etc.)\n */\nexport function validateLongText(text: string, fieldName = 'Message'): ValidationResult {\n  return createValidator()\n    .field(fieldName)\n    .min(5)\n    .max(2000)\n    .noProfanity()\n    .noSpam()\n    .validate(text);\n}\n\n/**\n * Search query input.\n * 1–200 chars, no spam URLs (but allows short/fragmentary text).\n * Does NOT flag gibberish (code snippets, SKUs, part numbers are valid queries).\n */\nexport function validateSearchQuery(text: string): ValidationResult {\n  return createValidator()\n    .field('Search query')\n    .min(1)\n    .max(200)\n    .noSpam()\n    .validate(text);\n}\n"]}

package/dist/email.cjs

@@ -0,0 +1,48 @@
+'use strict';
+
+var chunk67CBN3U4_cjs = require('./chunk-67CBN3U4.cjs');
+
+// src/email.ts
+function stripHtml(html) {
+  const styleUrls = [];
+  const urlPattern = /url\(["']?(https?:\/\/[^"')]+)["']?\)/gi;
+  let urlMatch;
+  while ((urlMatch = urlPattern.exec(html)) !== null) {
+    styleUrls.push(urlMatch[1]);
+  }
+  return [
+    html.replace(/<style[^>]*>[\s\S]*?<\/style>/gi, " ").replace(/<script[^>]*>[\s\S]*?<\/script>/gi, " ").replace(/<a[^>]+href=["']([^"']+)["'][^>]*>/gi, " $1 ").replace(/<\/(p|div|li|td|th|h[1-6]|blockquote)>/gi, " ").replace(/<br\s*\/?>/gi, " ").replace(/<[^>]+>/g, "").replace(/&#(\d+);/g, (_, code) => String.fromCharCode(Number(code))).replace(/&#x([0-9a-f]+);/gi, (_, hex) => String.fromCharCode(parseInt(hex, 16))).replace(/&nbsp;/gi, " ").replace(/&amp;/gi, "&").replace(/&lt;/gi, "<").replace(/&gt;/gi, ">").replace(/&quot;/gi, '"').replace(/&apos;/gi, "'"),
+    // Append extracted style URLs so spam detector sees them
+    ...styleUrls
+  ].join(" ").replace(/\s+/g, " ").trim();
+}
+function validateMailContent(mail, validator) {
+  const v = validator ?? chunk67CBN3U4_cjs.createValidator().field("Email content").min(1).max(5e4).noProfanity().noSpam();
+  const fields = [];
+  if (mail.subject) {
+    fields.push({ key: "subject", value: mail.subject });
+  }
+  if (mail.text) {
+    fields.push({ key: "text", value: mail.text });
+  }
+  if (mail.html) {
+    fields.push({ key: "html", value: stripHtml(mail.html) });
+  }
+  for (const { key, value } of fields) {
+    const result = v.validate(value);
+    if (!result.isValid) {
+      return {
+        isValid: false,
+        field: key,
+        reason: result.reason,
+        message: result.message
+      };
+    }
+  }
+  return { isValid: true };
+}
+
+exports.stripHtml = stripHtml;
+exports.validateMailContent = validateMailContent;
+//# sourceMappingURL=email.cjs.map
+//# sourceMappingURL=email.cjs.map

package/dist/email.cjs.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/email.ts"],"names":["createValidator"],"mappings":";;;;;AAkCO,SAAS,UAAU,IAAA,EAAsB;AAI9C,EAAA,MAAM,YAAsB,EAAC;AAC7B,EAAA,MAAM,UAAA,GAAa,yCAAA;AACnB,EAAA,IAAI,QAAA;AACJ,EAAA,OAAA,CAAQ,QAAA,GAAW,UAAA,CAAW,IAAA,CAAK,IAAI,OAAO,IAAA,EAAM;AAClD,IAAA,SAAA,CAAU,IAAA,CAAK,QAAA,CAAS,CAAC,CAAC,CAAA;AAAA,EAC5B;AAEA,EAAA,OAAO;AAAA,IACL,IAAA,CAEG,OAAA,CAAQ,iCAAA,EAAmC,GAAG,EAE9C,OAAA,CAAQ,mCAAA,EAAqC,GAAG,CAAA,CAEhD,QAAQ,sCAAA,EAAwC,MAAM,CAAA,CAGtD,OAAA,CAAQ,4CAA4C,GAAG,CAAA,CACvD,OAAA,CAAQ,cAAA,EAAgB,GAAG,CAAA,CAE3B,OAAA,CAAQ,UAAA,EAAY,EAAE,CAAA,CAGtB,OAAA,CAAQ,WAAA,EAAa,CAAC,GAAG,IAAA,KAAS,MAAA,CAAO,YAAA,CAAa,MAAA,CAAO,IAAI,CAAC,CAAC,CAAA,CACnE,OAAA,CAAQ,mBAAA,EAAqB,CAAC,CAAA,EAAG,GAAA,KAAQ,OAAO,YAAA,CAAa,QAAA,CAAS,GAAA,EAAK,EAAE,CAAC,CAAC,CAAA,CAE/E,OAAA,CAAQ,UAAA,EAAY,GAAG,CAAA,CACvB,OAAA,CAAQ,SAAA,EAAW,GAAG,CAAA,CACtB,OAAA,CAAQ,QAAA,EAAU,GAAG,EACrB,OAAA,CAAQ,QAAA,EAAU,GAAG,CAAA,CACrB,QAAQ,UAAA,EAAY,GAAG,CAAA,CACvB,OAAA,CAAQ,YAAY,GAAG,CAAA;AAAA;AAAA,IAE1B,GAAG;AAAA,GACL,CACG,KAAK,GAAG,CAAA,CACR,QAAQ,MAAA,EAAQ,GAAG,EACnB,IAAA,EAAK;AACV;AAoCO,SAAS,mBAAA,CACd,MACA,SAAA,EACsB;AAEtB,EAAA,MAAM,CAAA,GAAI,SAAA,IAAaA,iCAAA,EAAgB,CACpC,MAAM,eAAe,CAAA,CACrB,GAAA,CAAI,CAAC,EACL,GAAA,CAAI,GAAK,CAAA,CACT,WAAA,GACA,MAAA,EAAO;AAEV,EAAA,MAAM,SAAqE,EAAC;AAE5E,EAAA,IAAI,KAAK,OAAA,EAAS;AAChB,IAAA,MAAA,CAAO,KAAK,EAAE,GAAA,EAAK,WAAW,KAAA,EAAO,IAAA,CAAK,SAAS,CAAA;AAAA,EACrD;AACA,EAAA,IAAI,KAAK,IAAA,EAAM;AACb,IAAA,MAAA,CAAO,KAAK,EAAE,GAAA,EAAK,QAAQ,KAAA,EAAO,IAAA,CAAK,MAAM,CAAA;AAAA,EAC/C;AACA,EAAA,IAAI,KAAK,IAAA,EAAM;AAEb,IAAA,MAAA,CAAO,IAAA,CAAK,EAAE,GAAA,EAAK,MAAA,EAAQ,OAAO,SAAA,CAAU,IAAA,CAAK,IAAI,CAAA,EAAG,CAAA;AAAA,EAC1D;AAEA,EAAA,KAAA,MAAW,EAAE,GAAA,EAAK,KAAA,EAAM,IAAK,MAAA,EAAQ;AACnC,IAAA,MAAM,MAAA,GAAS,CAAA,CAAE,QAAA,CAAS,KAAK,CAAA;AAC/B,IAAA,IAAI,CAAC,OAAO,OAAA,EAAS;AACnB,MAAA,OAAO;AAAA,QACL,OAAA,EAAS,KAAA;AAAA,QACT,KAAA,EAAO,GAAA;AAAA,QACP,QAAQ,MAAA,CAAO,MAAA;AAAA,QACf,SAAS,MAAA,CAAO;AAAA,OAClB;AAAA,IACF;AAAA,EACF;AAEA,EAAA,OAAO,EAAE,SAAS,IAAA,EAAK;AACzB","file":"email.cjs","sourcesContent":["/**\n * email.ts  (exported as '@marslanmustafa/input-shield/email')\n *\n * Email-specific validation utilities.\n *\n * WHY THIS EXISTS:\n *   Nodemailer (and every other mail library) has zero content validation.\n *   Email bodies are almost always HTML — raw input-shield validators\n *   running on HTML strings will miss profanity/spam hidden inside tags,\n *   encoded as HTML entities, or buried in href attributes.\n *\n * WHAT THIS PROVIDES:\n *   - stripHtml()          → clean HTML → plain text for validation\n *   - validateMailContent() → validate a full Nodemailer mail options object\n */\n\nimport { createValidator, InputShieldValidator } from './validators/builder.js';\n\n// ─── HTML Stripper ────────────────────────────────────────────────────────────\n\n/**\n * Strip HTML and decode entities — producing clean plain text for validation.\n *\n * Handles the following attack vectors:\n *   - Tags wrapping profanity:   <b>f*ck</b>         → \"f*ck\"\n *   - Split-tag evasion:         <s>f</s><s>uck</s>  → \"f uck\" → skeleton → \"fuck\"\n *   - Decimal entities:          &#102;&#117;&#99;&#107; → \"fuck\"\n *   - Hex entities:              &#x66;&#x75;&#x63;&#x6B; → \"fuck\"\n *   - Spam URLs in href:         <a href=\"https://spam.com\">click</a> → includes URL\n *   - Hidden CSS/scripts:        <style> and <script> blocks removed entirely\n *\n * @param html - Raw HTML string (e.g. Nodemailer `html` field)\n * @returns Plain text safe to pass to any input-shield validator\n */\nexport function stripHtml(html: string): string {\n  // Step 0: Extract ALL url() values from inline styles FIRST, before tags are stripped.\n  // This catches: style=\"background:url(https://tracker.spam.com/pixel)\"\n  // If we strip tags first, the URL inside the style attribute is lost forever.\n  const styleUrls: string[] = [];\n  const urlPattern = /url\\([\"']?(https?:\\/\\/[^\"')]+)[\"']?\\)/gi;\n  let urlMatch: RegExpExecArray | null;\n  while ((urlMatch = urlPattern.exec(html)) !== null) {\n    styleUrls.push(urlMatch[1]);\n  }\n\n  return [\n    html\n      // Remove <style> blocks entirely — CSS can visually hide text\n      .replace(/<style[^>]*>[\\s\\S]*?<\\/style>/gi, ' ')\n      // Remove <script> blocks entirely\n      .replace(/<script[^>]*>[\\s\\S]*?<\\/script>/gi, ' ')\n      // Extract href values — link text may be clean but href is spam\n      .replace(/<a[^>]+href=[\"']([^\"']+)[\"'][^>]*>/gi, ' $1 ')\n      // Preserve word boundaries at block-level closing tags\n      // Without this: <p>free</p><p>money</p> → \"freemoney\" (breaks \\b)\n      .replace(/<\\/(p|div|li|td|th|h[1-6]|blockquote)>/gi, ' ')\n      .replace(/<br\\s*\\/?>/gi, ' ')\n      // Strip all remaining tags\n      .replace(/<[^>]+>/g, '')\n      // Decode numeric entities BEFORE named (order matters)\n      // &#102; → \"f\",  &#x66; → \"f\"\n      .replace(/&#(\\d+);/g, (_, code) => String.fromCharCode(Number(code)))\n      .replace(/&#x([0-9a-f]+);/gi, (_, hex) => String.fromCharCode(parseInt(hex, 16)))\n      // Decode named entities\n      .replace(/&nbsp;/gi, ' ')\n      .replace(/&amp;/gi, '&')\n      .replace(/&lt;/gi, '<')\n      .replace(/&gt;/gi, '>')\n      .replace(/&quot;/gi, '\"')\n      .replace(/&apos;/gi, \"'\"),\n    // Append extracted style URLs so spam detector sees them\n    ...styleUrls,\n  ]\n    .join(' ')\n    .replace(/\\s+/g, ' ')\n    .trim();\n}\n\n// ─── Mail content validator ───────────────────────────────────────────────────\n\nexport interface MailContent {\n  /** Email subject line */\n  subject?: string;\n  /** Plain text body */\n  text?: string;\n  /** HTML body — will be stripped before validation */\n  html?: string;\n}\n\nexport type MailValidationResult =\n  | { isValid: true }\n  | { isValid: false; field: 'subject' | 'text' | 'html'; reason: string; message: string };\n\n/**\n * Validate a Nodemailer mail options object before passing to sendMail().\n *\n * Strips HTML from the `html` field automatically.\n * Validates subject, text, and html fields independently.\n *\n * @param mail     - The mail content to validate (subset of Nodemailer's MailOptions)\n * @param validator - Optional custom validator. Defaults to noProfanity + noSpam.\n *\n * @example\n * const result = validateMailContent({\n *   subject: 'Hello',\n *   html: '<p>Your order is confirmed.</p>',\n * });\n * if (!result.isValid) {\n *   throw new Error(result.message); // never reaches sendMail()\n * }\n * await transporter.sendMail({ ...mailOptions });\n */\nexport function validateMailContent(\n  mail: MailContent,\n  validator?: InputShieldValidator\n): MailValidationResult {\n  // Default validator: profanity + spam, generous length limits for email\n  const v = validator ?? createValidator()\n    .field('Email content')\n    .min(1)\n    .max(50000)\n    .noProfanity()\n    .noSpam();\n\n  const fields: Array<{ key: 'subject' | 'text' | 'html'; value: string }> = [];\n\n  if (mail.subject) {\n    fields.push({ key: 'subject', value: mail.subject });\n  }\n  if (mail.text) {\n    fields.push({ key: 'text', value: mail.text });\n  }\n  if (mail.html) {\n    // Strip HTML before validating — this is the critical step\n    fields.push({ key: 'html', value: stripHtml(mail.html) });\n  }\n\n  for (const { key, value } of fields) {\n    const result = v.validate(value);\n    if (!result.isValid) {\n      return {\n        isValid: false,\n        field: key,\n        reason: result.reason,\n        message: result.message,\n      };\n    }\n  }\n\n  return { isValid: true };\n}"]}

package/dist/email.d.cts

@@ -0,0 +1,71 @@
+import { I as InputShieldValidator } from './builder-C10YQjbV.cjs';
+
+/**
+ * email.ts  (exported as '@marslanmustafa/input-shield/email')
+ *
+ * Email-specific validation utilities.
+ *
+ * WHY THIS EXISTS:
+ *   Nodemailer (and every other mail library) has zero content validation.
+ *   Email bodies are almost always HTML — raw input-shield validators
+ *   running on HTML strings will miss profanity/spam hidden inside tags,
+ *   encoded as HTML entities, or buried in href attributes.
+ *
+ * WHAT THIS PROVIDES:
+ *   - stripHtml()          → clean HTML → plain text for validation
+ *   - validateMailContent() → validate a full Nodemailer mail options object
+ */
+
+/**
+ * Strip HTML and decode entities — producing clean plain text for validation.
+ *
+ * Handles the following attack vectors:
+ *   - Tags wrapping profanity:   <b>f*ck</b>         → "f*ck"
+ *   - Split-tag evasion:         <s>f</s><s>uck</s>  → "f uck" → skeleton → "fuck"
+ *   - Decimal entities:          &#102;&#117;&#99;&#107; → "fuck"
+ *   - Hex entities:              &#x66;&#x75;&#x63;&#x6B; → "fuck"
+ *   - Spam URLs in href:         <a href="https://spam.com">click</a> → includes URL
+ *   - Hidden CSS/scripts:        <style> and <script> blocks removed entirely
+ *
+ * @param html - Raw HTML string (e.g. Nodemailer `html` field)
+ * @returns Plain text safe to pass to any input-shield validator
+ */
+declare function stripHtml(html: string): string;
+interface MailContent {
+    /** Email subject line */
+    subject?: string;
+    /** Plain text body */
+    text?: string;
+    /** HTML body — will be stripped before validation */
+    html?: string;
+}
+type MailValidationResult = {
+    isValid: true;
+} | {
+    isValid: false;
+    field: 'subject' | 'text' | 'html';
+    reason: string;
+    message: string;
+};
+/**
+ * Validate a Nodemailer mail options object before passing to sendMail().
+ *
+ * Strips HTML from the `html` field automatically.
+ * Validates subject, text, and html fields independently.
+ *
+ * @param mail     - The mail content to validate (subset of Nodemailer's MailOptions)
+ * @param validator - Optional custom validator. Defaults to noProfanity + noSpam.
+ *
+ * @example
+ * const result = validateMailContent({
+ *   subject: 'Hello',
+ *   html: '<p>Your order is confirmed.</p>',
+ * });
+ * if (!result.isValid) {
+ *   throw new Error(result.message); // never reaches sendMail()
+ * }
+ * await transporter.sendMail({ ...mailOptions });
+ */
+declare function validateMailContent(mail: MailContent, validator?: InputShieldValidator): MailValidationResult;
+
+export { type MailContent, type MailValidationResult, stripHtml, validateMailContent };

package/dist/email.d.ts

@@ -0,0 +1,71 @@
+import { I as InputShieldValidator } from './builder-C10YQjbV.js';
+
+/**
+ * email.ts  (exported as '@marslanmustafa/input-shield/email')
+ *
+ * Email-specific validation utilities.
+ *
+ * WHY THIS EXISTS:
+ *   Nodemailer (and every other mail library) has zero content validation.
+ *   Email bodies are almost always HTML — raw input-shield validators
+ *   running on HTML strings will miss profanity/spam hidden inside tags,
+ *   encoded as HTML entities, or buried in href attributes.
+ *
+ * WHAT THIS PROVIDES:
+ *   - stripHtml()          → clean HTML → plain text for validation
+ *   - validateMailContent() → validate a full Nodemailer mail options object
+ */
+
+/**
+ * Strip HTML and decode entities — producing clean plain text for validation.
+ *
+ * Handles the following attack vectors:
+ *   - Tags wrapping profanity:   <b>f*ck</b>         → "f*ck"
+ *   - Split-tag evasion:         <s>f</s><s>uck</s>  → "f uck" → skeleton → "fuck"
+ *   - Decimal entities:          &#102;&#117;&#99;&#107; → "fuck"
+ *   - Hex entities:              &#x66;&#x75;&#x63;&#x6B; → "fuck"
+ *   - Spam URLs in href:         <a href="https://spam.com">click</a> → includes URL
+ *   - Hidden CSS/scripts:        <style> and <script> blocks removed entirely
+ *
+ * @param html - Raw HTML string (e.g. Nodemailer `html` field)
+ * @returns Plain text safe to pass to any input-shield validator
+ */
+declare function stripHtml(html: string): string;
+interface MailContent {
+    /** Email subject line */
+    subject?: string;
+    /** Plain text body */
+    text?: string;
+    /** HTML body — will be stripped before validation */
+    html?: string;
+}
+type MailValidationResult = {
+    isValid: true;
+} | {
+    isValid: false;
+    field: 'subject' | 'text' | 'html';
+    reason: string;
+    message: string;
+};
+/**
+ * Validate a Nodemailer mail options object before passing to sendMail().
+ *
+ * Strips HTML from the `html` field automatically.
+ * Validates subject, text, and html fields independently.
+ *
+ * @param mail     - The mail content to validate (subset of Nodemailer's MailOptions)
+ * @param validator - Optional custom validator. Defaults to noProfanity + noSpam.
+ *
+ * @example
+ * const result = validateMailContent({
+ *   subject: 'Hello',
+ *   html: '<p>Your order is confirmed.</p>',
+ * });
+ * if (!result.isValid) {
+ *   throw new Error(result.message); // never reaches sendMail()
+ * }
+ * await transporter.sendMail({ ...mailOptions });
+ */
+declare function validateMailContent(mail: MailContent, validator?: InputShieldValidator): MailValidationResult;
+
+export { type MailContent, type MailValidationResult, stripHtml, validateMailContent };

package/dist/email.mjs

@@ -0,0 +1,45 @@
+import { createValidator } from './chunk-ADGSP522.mjs';
+
+// src/email.ts
+function stripHtml(html) {
+  const styleUrls = [];
+  const urlPattern = /url\(["']?(https?:\/\/[^"')]+)["']?\)/gi;
+  let urlMatch;
+  while ((urlMatch = urlPattern.exec(html)) !== null) {
+    styleUrls.push(urlMatch[1]);
+  }
+  return [
+    html.replace(/<style[^>]*>[\s\S]*?<\/style>/gi, " ").replace(/<script[^>]*>[\s\S]*?<\/script>/gi, " ").replace(/<a[^>]+href=["']([^"']+)["'][^>]*>/gi, " $1 ").replace(/<\/(p|div|li|td|th|h[1-6]|blockquote)>/gi, " ").replace(/<br\s*\/?>/gi, " ").replace(/<[^>]+>/g, "").replace(/&#(\d+);/g, (_, code) => String.fromCharCode(Number(code))).replace(/&#x([0-9a-f]+);/gi, (_, hex) => String.fromCharCode(parseInt(hex, 16))).replace(/&nbsp;/gi, " ").replace(/&amp;/gi, "&").replace(/&lt;/gi, "<").replace(/&gt;/gi, ">").replace(/&quot;/gi, '"').replace(/&apos;/gi, "'"),
+    // Append extracted style URLs so spam detector sees them
+    ...styleUrls
+  ].join(" ").replace(/\s+/g, " ").trim();
+}
+function validateMailContent(mail, validator) {
+  const v = validator ?? createValidator().field("Email content").min(1).max(5e4).noProfanity().noSpam();
+  const fields = [];
+  if (mail.subject) {
+    fields.push({ key: "subject", value: mail.subject });
+  }
+  if (mail.text) {
+    fields.push({ key: "text", value: mail.text });
+  }
+  if (mail.html) {
+    fields.push({ key: "html", value: stripHtml(mail.html) });
+  }
+  for (const { key, value } of fields) {
+    const result = v.validate(value);
+    if (!result.isValid) {
+      return {
+        isValid: false,
+        field: key,
+        reason: result.reason,
+        message: result.message
+      };
+    }
+  }
+  return { isValid: true };
+}
+
+export { stripHtml, validateMailContent };
+//# sourceMappingURL=email.mjs.map
+//# sourceMappingURL=email.mjs.map

package/dist/email.mjs.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/email.ts"],"names":[],"mappings":";;;AAkCO,SAAS,UAAU,IAAA,EAAsB;AAI9C,EAAA,MAAM,YAAsB,EAAC;AAC7B,EAAA,MAAM,UAAA,GAAa,yCAAA;AACnB,EAAA,IAAI,QAAA;AACJ,EAAA,OAAA,CAAQ,QAAA,GAAW,UAAA,CAAW,IAAA,CAAK,IAAI,OAAO,IAAA,EAAM;AAClD,IAAA,SAAA,CAAU,IAAA,CAAK,QAAA,CAAS,CAAC,CAAC,CAAA;AAAA,EAC5B;AAEA,EAAA,OAAO;AAAA,IACL,IAAA,CAEG,OAAA,CAAQ,iCAAA,EAAmC,GAAG,EAE9C,OAAA,CAAQ,mCAAA,EAAqC,GAAG,CAAA,CAEhD,QAAQ,sCAAA,EAAwC,MAAM,CAAA,CAGtD,OAAA,CAAQ,4CAA4C,GAAG,CAAA,CACvD,OAAA,CAAQ,cAAA,EAAgB,GAAG,CAAA,CAE3B,OAAA,CAAQ,UAAA,EAAY,EAAE,CAAA,CAGtB,OAAA,CAAQ,WAAA,EAAa,CAAC,GAAG,IAAA,KAAS,MAAA,CAAO,YAAA,CAAa,MAAA,CAAO,IAAI,CAAC,CAAC,CAAA,CACnE,OAAA,CAAQ,mBAAA,EAAqB,CAAC,CAAA,EAAG,GAAA,KAAQ,OAAO,YAAA,CAAa,QAAA,CAAS,GAAA,EAAK,EAAE,CAAC,CAAC,CAAA,CAE/E,OAAA,CAAQ,UAAA,EAAY,GAAG,CAAA,CACvB,OAAA,CAAQ,SAAA,EAAW,GAAG,CAAA,CACtB,OAAA,CAAQ,QAAA,EAAU,GAAG,EACrB,OAAA,CAAQ,QAAA,EAAU,GAAG,CAAA,CACrB,QAAQ,UAAA,EAAY,GAAG,CAAA,CACvB,OAAA,CAAQ,YAAY,GAAG,CAAA;AAAA;AAAA,IAE1B,GAAG;AAAA,GACL,CACG,KAAK,GAAG,CAAA,CACR,QAAQ,MAAA,EAAQ,GAAG,EACnB,IAAA,EAAK;AACV;AAoCO,SAAS,mBAAA,CACd,MACA,SAAA,EACsB;AAEtB,EAAA,MAAM,CAAA,GAAI,SAAA,IAAa,eAAA,EAAgB,CACpC,MAAM,eAAe,CAAA,CACrB,GAAA,CAAI,CAAC,EACL,GAAA,CAAI,GAAK,CAAA,CACT,WAAA,GACA,MAAA,EAAO;AAEV,EAAA,MAAM,SAAqE,EAAC;AAE5E,EAAA,IAAI,KAAK,OAAA,EAAS;AAChB,IAAA,MAAA,CAAO,KAAK,EAAE,GAAA,EAAK,WAAW,KAAA,EAAO,IAAA,CAAK,SAAS,CAAA;AAAA,EACrD;AACA,EAAA,IAAI,KAAK,IAAA,EAAM;AACb,IAAA,MAAA,CAAO,KAAK,EAAE,GAAA,EAAK,QAAQ,KAAA,EAAO,IAAA,CAAK,MAAM,CAAA;AAAA,EAC/C;AACA,EAAA,IAAI,KAAK,IAAA,EAAM;AAEb,IAAA,MAAA,CAAO,IAAA,CAAK,EAAE,GAAA,EAAK,MAAA,EAAQ,OAAO,SAAA,CAAU,IAAA,CAAK,IAAI,CAAA,EAAG,CAAA;AAAA,EAC1D;AAEA,EAAA,KAAA,MAAW,EAAE,GAAA,EAAK,KAAA,EAAM,IAAK,MAAA,EAAQ;AACnC,IAAA,MAAM,MAAA,GAAS,CAAA,CAAE,QAAA,CAAS,KAAK,CAAA;AAC/B,IAAA,IAAI,CAAC,OAAO,OAAA,EAAS;AACnB,MAAA,OAAO;AAAA,QACL,OAAA,EAAS,KAAA;AAAA,QACT,KAAA,EAAO,GAAA;AAAA,QACP,QAAQ,MAAA,CAAO,MAAA;AAAA,QACf,SAAS,MAAA,CAAO;AAAA,OAClB;AAAA,IACF;AAAA,EACF;AAEA,EAAA,OAAO,EAAE,SAAS,IAAA,EAAK;AACzB","file":"email.mjs","sourcesContent":["/**\n * email.ts  (exported as '@marslanmustafa/input-shield/email')\n *\n * Email-specific validation utilities.\n *\n * WHY THIS EXISTS:\n *   Nodemailer (and every other mail library) has zero content validation.\n *   Email bodies are almost always HTML — raw input-shield validators\n *   running on HTML strings will miss profanity/spam hidden inside tags,\n *   encoded as HTML entities, or buried in href attributes.\n *\n * WHAT THIS PROVIDES:\n *   - stripHtml()          → clean HTML → plain text for validation\n *   - validateMailContent() → validate a full Nodemailer mail options object\n */\n\nimport { createValidator, InputShieldValidator } from './validators/builder.js';\n\n// ─── HTML Stripper ────────────────────────────────────────────────────────────\n\n/**\n * Strip HTML and decode entities — producing clean plain text for validation.\n *\n * Handles the following attack vectors:\n *   - Tags wrapping profanity:   <b>f*ck</b>         → \"f*ck\"\n *   - Split-tag evasion:         <s>f</s><s>uck</s>  → \"f uck\" → skeleton → \"fuck\"\n *   - Decimal entities:          &#102;&#117;&#99;&#107; → \"fuck\"\n *   - Hex entities:              &#x66;&#x75;&#x63;&#x6B; → \"fuck\"\n *   - Spam URLs in href:         <a href=\"https://spam.com\">click</a> → includes URL\n *   - Hidden CSS/scripts:        <style> and <script> blocks removed entirely\n *\n * @param html - Raw HTML string (e.g. Nodemailer `html` field)\n * @returns Plain text safe to pass to any input-shield validator\n */\nexport function stripHtml(html: string): string {\n  // Step 0: Extract ALL url() values from inline styles FIRST, before tags are stripped.\n  // This catches: style=\"background:url(https://tracker.spam.com/pixel)\"\n  // If we strip tags first, the URL inside the style attribute is lost forever.\n  const styleUrls: string[] = [];\n  const urlPattern = /url\\([\"']?(https?:\\/\\/[^\"')]+)[\"']?\\)/gi;\n  let urlMatch: RegExpExecArray | null;\n  while ((urlMatch = urlPattern.exec(html)) !== null) {\n    styleUrls.push(urlMatch[1]);\n  }\n\n  return [\n    html\n      // Remove <style> blocks entirely — CSS can visually hide text\n      .replace(/<style[^>]*>[\\s\\S]*?<\\/style>/gi, ' ')\n      // Remove <script> blocks entirely\n      .replace(/<script[^>]*>[\\s\\S]*?<\\/script>/gi, ' ')\n      // Extract href values — link text may be clean but href is spam\n      .replace(/<a[^>]+href=[\"']([^\"']+)[\"'][^>]*>/gi, ' $1 ')\n      // Preserve word boundaries at block-level closing tags\n      // Without this: <p>free</p><p>money</p> → \"freemoney\" (breaks \\b)\n      .replace(/<\\/(p|div|li|td|th|h[1-6]|blockquote)>/gi, ' ')\n      .replace(/<br\\s*\\/?>/gi, ' ')\n      // Strip all remaining tags\n      .replace(/<[^>]+>/g, '')\n      // Decode numeric entities BEFORE named (order matters)\n      // &#102; → \"f\",  &#x66; → \"f\"\n      .replace(/&#(\\d+);/g, (_, code) => String.fromCharCode(Number(code)))\n      .replace(/&#x([0-9a-f]+);/gi, (_, hex) => String.fromCharCode(parseInt(hex, 16)))\n      // Decode named entities\n      .replace(/&nbsp;/gi, ' ')\n      .replace(/&amp;/gi, '&')\n      .replace(/&lt;/gi, '<')\n      .replace(/&gt;/gi, '>')\n      .replace(/&quot;/gi, '\"')\n      .replace(/&apos;/gi, \"'\"),\n    // Append extracted style URLs so spam detector sees them\n    ...styleUrls,\n  ]\n    .join(' ')\n    .replace(/\\s+/g, ' ')\n    .trim();\n}\n\n// ─── Mail content validator ───────────────────────────────────────────────────\n\nexport interface MailContent {\n  /** Email subject line */\n  subject?: string;\n  /** Plain text body */\n  text?: string;\n  /** HTML body — will be stripped before validation */\n  html?: string;\n}\n\nexport type MailValidationResult =\n  | { isValid: true }\n  | { isValid: false; field: 'subject' | 'text' | 'html'; reason: string; message: string };\n\n/**\n * Validate a Nodemailer mail options object before passing to sendMail().\n *\n * Strips HTML from the `html` field automatically.\n * Validates subject, text, and html fields independently.\n *\n * @param mail     - The mail content to validate (subset of Nodemailer's MailOptions)\n * @param validator - Optional custom validator. Defaults to noProfanity + noSpam.\n *\n * @example\n * const result = validateMailContent({\n *   subject: 'Hello',\n *   html: '<p>Your order is confirmed.</p>',\n * });\n * if (!result.isValid) {\n *   throw new Error(result.message); // never reaches sendMail()\n * }\n * await transporter.sendMail({ ...mailOptions });\n */\nexport function validateMailContent(\n  mail: MailContent,\n  validator?: InputShieldValidator\n): MailValidationResult {\n  // Default validator: profanity + spam, generous length limits for email\n  const v = validator ?? createValidator()\n    .field('Email content')\n    .min(1)\n    .max(50000)\n    .noProfanity()\n    .noSpam();\n\n  const fields: Array<{ key: 'subject' | 'text' | 'html'; value: string }> = [];\n\n  if (mail.subject) {\n    fields.push({ key: 'subject', value: mail.subject });\n  }\n  if (mail.text) {\n    fields.push({ key: 'text', value: mail.text });\n  }\n  if (mail.html) {\n    // Strip HTML before validating — this is the critical step\n    fields.push({ key: 'html', value: stripHtml(mail.html) });\n  }\n\n  for (const { key, value } of fields) {\n    const result = v.validate(value);\n    if (!result.isValid) {\n      return {\n        isValid: false,\n        field: key,\n        reason: result.reason,\n        message: result.message,\n      };\n    }\n  }\n\n  return { isValid: true };\n}"]}

package/dist/index.cjs

@@ -0,0 +1,81 @@
+'use strict';
+
+var chunkKVXEPETW_cjs = require('./chunk-KVXEPETW.cjs');
+var chunk67CBN3U4_cjs = require('./chunk-67CBN3U4.cjs');
+
+
+
+Object.defineProperty(exports, "validateBio", {
+  enumerable: true,
+  get: function () { return chunkKVXEPETW_cjs.validateBio; }
+});
+Object.defineProperty(exports, "validateLongText", {
+  enumerable: true,
+  get: function () { return chunkKVXEPETW_cjs.validateLongText; }
+});
+Object.defineProperty(exports, "validateSearchQuery", {
+  enumerable: true,
+  get: function () { return chunkKVXEPETW_cjs.validateSearchQuery; }
+});
+Object.defineProperty(exports, "validateShortText", {
+  enumerable: true,
+  get: function () { return chunkKVXEPETW_cjs.validateShortText; }
+});
+Object.defineProperty(exports, "validateUsername", {
+  enumerable: true,
+  get: function () { return chunkKVXEPETW_cjs.validateUsername; }
+});
+Object.defineProperty(exports, "InputShieldValidator", {
+  enumerable: true,
+  get: function () { return chunk67CBN3U4_cjs.InputShieldValidator; }
+});
+Object.defineProperty(exports, "containsProfanity", {
+  enumerable: true,
+  get: function () { return chunk67CBN3U4_cjs.containsProfanity; }
+});
+Object.defineProperty(exports, "containsSpam", {
+  enumerable: true,
+  get: function () { return chunk67CBN3U4_cjs.containsSpam; }
+});
+Object.defineProperty(exports, "createValidator", {
+  enumerable: true,
+  get: function () { return chunk67CBN3U4_cjs.createValidator; }
+});
+Object.defineProperty(exports, "getMatchedProfanityPattern", {
+  enumerable: true,
+  get: function () { return chunk67CBN3U4_cjs.getMatchedProfanityPattern; }
+});
+Object.defineProperty(exports, "hasExcessiveSymbols", {
+  enumerable: true,
+  get: function () { return chunk67CBN3U4_cjs.hasExcessiveSymbols; }
+});
+Object.defineProperty(exports, "hasLowAlphabetRatio", {
+  enumerable: true,
+  get: function () { return chunk67CBN3U4_cjs.hasLowAlphabetRatio; }
+});
+Object.defineProperty(exports, "hasRepeatedContentWords", {
+  enumerable: true,
+  get: function () { return chunk67CBN3U4_cjs.hasRepeatedContentWords; }
+});
+Object.defineProperty(exports, "hasRepeatingChars", {
+  enumerable: true,
+  get: function () { return chunk67CBN3U4_cjs.hasRepeatingChars; }
+});
+Object.defineProperty(exports, "isGibberish", {
+  enumerable: true,
+  get: function () { return chunk67CBN3U4_cjs.isGibberish; }
+});
+Object.defineProperty(exports, "isLowEffortExact", {
+  enumerable: true,
+  get: function () { return chunk67CBN3U4_cjs.isLowEffortExact; }
+});
+Object.defineProperty(exports, "toSkeleton", {
+  enumerable: true,
+  get: function () { return chunk67CBN3U4_cjs.toSkeleton; }
+});
+Object.defineProperty(exports, "toStructural", {
+  enumerable: true,
+  get: function () { return chunk67CBN3U4_cjs.toStructural; }
+});
+//# sourceMappingURL=index.cjs.map
+//# sourceMappingURL=index.cjs.map

package/dist/index.cjs.map

@@ -0,0 +1 @@
+{"version":3,"sources":[],"names":[],"mappings":"","file":"index.cjs"}

package/dist/index.d.cts

@@ -0,0 +1,217 @@
+import { V as ValidationResult, G as GibberishSensitivity } from './builder-C10YQjbV.cjs';
+export { F as FailReason, I as InputShieldValidator, a as ValidationOptions, c as createValidator } from './builder-C10YQjbV.cjs';
+
+/**
+ * presets.ts
+ *
+ * Ready-to-use validators for the most common field types.
+ * Zero config — import and call.
+ *
+ * All presets are pre-configured InputShieldValidator instances.
+ * You can also use them as a starting point and extend with .custom():
+ *
+ *   import { usernameValidator } from 'input-shield/presets';
+ *   // They're factories, so each call gives a fresh instance:
+ *   const myValidator = usernameValidator().custom(t => t === 'admin', 'custom', 'reserved name');
+ */
+
+/**
+ * Username / display name.
+ * 3–30 chars, no profanity, strict gibberish detection, no spam.
+ * Repeated words allowed (e.g. "John John" as a nickname).
+ */
+declare function validateUsername(text: string): ValidationResult;
+/**
+ * Short text / name fields (product name, company name, form title).
+ * 2–100 chars, no profanity, normal gibberish, no spam.
+ */
+declare function validateShortText(text: string, fieldName?: string): ValidationResult;
+/**
+ * Bio / description / about me.
+ * 10–300 chars, no profanity, no spam, loose gibberish (allows natural language).
+ * Repeated words NOT flagged (natural in prose).
+ */
+declare function validateBio(text: string): ValidationResult;
+/**
+ * Long-form text (comment, review, feedback).
+ * 5–2000 chars, no profanity, no spam. No gibberish check
+ * (long text can contain intentional fragments, code, etc.)
+ */
+declare function validateLongText(text: string, fieldName?: string): ValidationResult;
+/**
+ * Search query input.
+ * 1–200 chars, no spam URLs (but allows short/fragmentary text).
+ * Does NOT flag gibberish (code snippets, SKUs, part numbers are valid queries).
+ */
+declare function validateSearchQuery(text: string): ValidationResult;
+
+/**
+ * normalize.ts
+ *
+ * THREE-STAGE normalization pipeline.
+ * This is THE most important file in the package.
+ *
+ * Stage 1 — Unicode NFKC:
+ *   Collapses compatibility variants before anything else.
+ *   "Ａ" (fullwidth) → "A", "fi" (ligature) → "fi", "𝐅" (math bold) → "F"
+ *   This also handles bidirectional control characters and zero-width spaces.
+ *
+ * Stage 2 — Homoglyph map:
+ *   Catches Cyrillic/Greek/Armenian lookalikes that survive NFKC.
+ *   "о" (U+043E Cyrillic) → "o", "а" (U+0430 Cyrillic) → "a"
+ *   This is the CVE-2025-27611 class of bypass — NFKC alone doesn't fix it.
+ *
+ * Stage 3 — Leet-speak map:
+ *   Classic ASCII substitutions: "3" → "e", "@" → "a", "$" → "s", etc.
+ *   Runs LAST so homoglyphs don't interfere with leet detection.
+ *
+ * Result: "P.0.r.n" → "porn", "ſhit" → "shit", "аss" (Cyrillic а) → "ass"
+ *
+ * IMPORTANT: This output is ONLY for pattern matching — never display it.
+ * Always return error messages that reference the original input.
+ */
+/**
+ * Produce a "skeleton" string for pattern matching ONLY.
+ *
+ * Pipeline:
+ *   raw → NFKC → stripSeparators → homoglyph → lowercase → leet → strip non-alpha → collapse spaces
+ *
+ * @param t - Raw input string
+ * @returns Normalized string safe for regex pattern matching
+ */
+declare function toSkeleton(t: string): string;
+/**
+ * Lightweight normalization for structural checks (length, symbol ratio).
+ * Does NOT apply leet/homoglyph maps — just trims and normalizes whitespace.
+ * Preserves symbols so hasExcessiveSymbols() works correctly.
+ */
+declare function toStructural(t: string): string;
+
+/**
+ * profanity.ts
+ *
+ * Profanity detection. All patterns run against the skeleton (toSkeleton()),
+ * meaning they automatically handle:
+ *   - Leet-speak:     "f4ck", "@ss", "sh!t"
+ *   - Homoglyphs:     "fuсk" (Cyrillic с), "аss" (Cyrillic а)
+ *   - Separator dots: "f.u.c.k", "s-h-i-t"
+ *   - Fullwidth:      "ｆｕｃｋ"
+ *   - Repeated chars: "fuuuuck", "shhhhit"
+ *
+ * Pattern design:
+ *   - Use \b word boundaries so "classic" doesn't match "ass"
+ *   - Use + quantifiers to catch character stretching ("fuuuuck")
+ *   - Cover plurals and -er/-ing forms (shits, bitch, bitching)
+ */
+/**
+ * Returns true if the skeleton of `text` matches any profanity pattern.
+ * Always check skeleton — never raw — so bypasses don't work.
+ */
+declare function containsProfanity(text: string): boolean;
+/**
+ * Returns the specific pattern that matched, or null.
+ * Useful for debug logging (never expose to users directly).
+ */
+declare function getMatchedProfanityPattern(text: string): RegExp | null;
+
+/**
+ * spam.ts
+ *
+ * Spam detection.
+ *
+ * CRITICAL DESIGN DECISION:
+ *   URL and domain patterns MUST run on the raw (or NFKC-only) text.
+ *   If you normalize first (stripping dots, slashes, colons), URLs become
+ *   undetectable. "https://spam.com" → after skeleton → "httpsspamcom" which
+ *   no URL regex can match.
+ *
+ *   So: keyword spam runs on skeleton (catches leet evasion),
+ *       URL/domain spam runs on NFKC-normalized raw text only.
+ */
+/**
+ * Returns true if text contains spam keywords (checked on skeleton)
+ * or URLs/domains (checked on NFKC-only normalized text).
+ */
+declare function containsSpam(text: string): boolean;
+
+/**
+ * gibberish.ts
+ *
+ * Gibberish / keyboard-mash detection with a configurable sensitivity scale.
+ *
+ * Why sensitivity levels?
+ *   "Strict" mode is needed for display names & usernames.
+ *   "Loose" mode prevents false positives on:
+ *     - Polish names:        "Krzysztof", "Szczepański"
+ *     - Technical strings:   "kubectl", "nginx", "src"
+ *     - Abbreviations:       "HVAC", "VLSI"
+ *     - Short legitimate words like "nth", "gym", "lynx"
+ *
+ * Heuristics used (layered by sensitivity):
+ *   LOOSE:  7+ consonants in a row (obvious keyboard mash only)
+ *   NORMAL: 6+ consonants in a row OR vowel ratio < 10% on words ≥ 8 chars
+ *   STRICT: 5+ consonants in a row OR vowel ratio < 15% on words ≥ 6 chars
+ *           OR no vowels at all on words ≥ 4 chars
+ *
+ * All checks run on the skeleton so leet/homoglyphs are already resolved.
+ */
+
+/**
+ * Returns true if any word in the text looks like gibberish.
+ *
+ * Filters out very short words (< 4 chars) before applying heuristics
+ * to prevent false positives on "by", "mr", "st", "nth", etc.
+ */
+declare function isGibberish(text: string, sensitivity?: GibberishSensitivity): boolean;
+/**
+ * Returns true if the text contains 5+ of the same character consecutively.
+ * e.g. "aaaaaaa", "!!!!!!", "heeeeey" (5 e's)
+ * Runs on skeleton so leet chars are already resolved.
+ */
+declare function hasRepeatingChars(text: string): boolean;
+
+/**
+ * structure.ts
+ *
+ * Structural quality checks. These run on the NFKC-normalized original text
+ * (not the full skeleton), because they're measuring the *shape* of the input
+ * (symbol density, letter presence) — not its semantic content.
+ *
+ * Running these on the skeleton would give wrong results because the skeleton
+ * strips ALL symbols, making everything look clean structurally.
+ */
+/**
+ * Returns true if more than 40% of characters are symbols
+ * (not letters, digits, or whitespace).
+ *
+ * Short strings (< 5 chars) are excluded — too noisy to judge.
+ * e.g. "!!??@@##" → 100% symbols → flagged
+ *      "Hello!!"  → 22% symbols → pass
+ */
+declare function hasExcessiveSymbols(text: string): boolean;
+/**
+ * Returns true if fewer than 20% of characters are letters AND
+ * there are fewer than 3 total letter characters.
+ *
+ * This catches strings like "123 456", "--- ---", "42", "!2!"
+ * but allows legitimate short inputs like "QA", "IT", "Go".
+ *
+ * Both conditions must be true to avoid false positives.
+ */
+declare function hasLowAlphabetRatio(text: string): boolean;
+/**
+ * Detects repeated *content* words (length > 3).
+ * Stop words ("the", "and", "for") are excluded to avoid false positives
+ * in natural English sentences.
+ *
+ * Flags only when 2+ distinct content words appear more than once.
+ * "the cat sat on the mat" → 0 repeated content words → pass
+ * "cat cat cat dog dog"    → "cat" repeated, "dog" repeated → flag
+ */
+declare function hasRepeatedContentWords(text: string): boolean;
+/**
+ * Returns true if the skeleton of `text` exactly matches a known low-effort phrase.
+ */
+declare function isLowEffortExact(skeletonText: string): boolean;
+
+export { GibberishSensitivity, ValidationResult, containsProfanity, containsSpam, getMatchedProfanityPattern, hasExcessiveSymbols, hasLowAlphabetRatio, hasRepeatedContentWords, hasRepeatingChars, isGibberish, isLowEffortExact, toSkeleton, toStructural, validateBio, validateLongText, validateSearchQuery, validateShortText, validateUsername };