@mulanjs/mulanjs 1.0.1-dev.20260227175607 → 1.0.1-dev.20260227191521

package/dist/compiler/dom-compiler.js

@@ -47,6 +47,13 @@ function compileToDOM(descriptor, scriptResult, scopedId) {
                 }
                 return val;
             };
+
+            const _va = (name, val) => {
+                if (typeof Mulan !== 'undefined' && Mulan.Security) {
+                    return Mulan.Security.validateAttribute(name, val);
+                }
+                return val;
+            };
             
             ${bodyFn}
 
@@ -234,24 +241,24 @@ function generateDOMInstruction(node, chunks, getUid, getHoistId, hoists, uidRef
         for (const [key, value] of Object.entries(element.props)) {
             if (key === 'class') {
                 if (value.includes('${')) {
-                    chunks.push(`this._bindEffect(() => { if (${id}) ${id}.className = \`${value}\`; }, ${id});`);
+                    chunks.push(`this._bindEffect(() => { if (${id}) ${id}.className = _va("class", \`${value}\`); }, ${id});`);
                 }
                 else {
-                    chunks.push(`if (${id}) ${id}.className = ${JSON.stringify(value)};`);
+                    chunks.push(`if (${id}) ${id}.className = _va("class", ${JSON.stringify(value)});`);
                 }
             }
             else if (key === 'id') {
-                chunks.push(`if (${id}) ${id}.id = ${JSON.stringify(value)};`);
+                chunks.push(`if (${id}) ${id}.id = _va("id", ${JSON.stringify(value)});`);
             }
             else if (key === 'data-mu-id') {
                 // Ignore internal string compiler metadata
             }
             else {
                 if (value.includes('${')) {
-                    chunks.push(`this._bindEffect(() => { if (${id}) ${id}.setAttribute("${key}", \`${value}\`); }, ${id});`);
+                    chunks.push(`this._bindEffect(() => { if (${id}) ${id}.setAttribute("${key}", _va("${key}", \`${value}\`)); }, ${id});`);
                 }
                 else {
-                    chunks.push(`if (${id}) ${id}.setAttribute("${key}", ${JSON.stringify(value)});`);
+                    chunks.push(`if (${id}) ${id}.setAttribute("${key}", _va("${key}", ${JSON.stringify(value)}));`);
                 }
             }
         }
@@ -266,7 +273,7 @@ function generateDOMInstruction(node, chunks, getUid, getHoistId, hoists, uidRef
         if (element._domBindings) {
             for (const b of element._domBindings) {
                 if (b.type === 'prop') {
-                    chunks.push(`this._bindEffect(() => { if (${id}) ${id}['${b.name}'] = ${b.expr}; }, ${id});`);
+                    chunks.push(`this._bindEffect(() => { if (${id}) ${id}['${b.name}'] = _va('${b.name}', ${b.expr}); }, ${id});`);
                 }
                 else if (b.type === 'event') {
                     chunks.push(`if (${id}) ${id}.addEventListener('${b.name}', (${b.expr}).bind(this));`);

package/dist/compiler/ssr-compiler.js

@@ -32,6 +32,13 @@ function compileToSSR(descriptor, scriptResult, scopedId) {
                 }
                 return val.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;').replace(/"/g, '&quot;').replace(/'/g, '&#039;');
             };
+
+            const _va = (name, val) => {
+                if (typeof Mulan !== 'undefined' && Mulan.Security) {
+                    return Mulan.Security.validateAttribute(name, val);
+                }
+                return val;
+            };
             
             ${bodyFn}
         }`;
@@ -100,18 +107,21 @@ function generateSSRInstruction(node, bindings, localScope, getUid) {
             }
             let value = el.props[key];
             if (key.startsWith(':') || key.startsWith('.')) {
+                // Dynamic binding — validate at runtime with _va
                 let attrName = key.slice(1);
                 let expr = processBindings(value, bindings, localScope);
-                html += ` ${attrName}="\${_h(${expr})}"`;
+                html += ` ${attrName}="\${_va("${attrName}", _h(${expr}))}"`;
             }
             else {
                 if (value.includes('${')) {
-                    value = value.replace(/\$\{(.*?)\}/g, (_, expr) => {
+                    // Interpolated value — validate at runtime
+                    const processedValue = value.replace(/\$\{(.*?)\}/g, (_, expr) => {
                         return `\${_h(${processBindings(expr, bindings, localScope)})}`;
                     });
-                    html += ` ${key}="${value}"`;
+                    html += ` ${key}="\${_va("${key}", \`${processedValue}\`)}"`;
                 }
                 else {
+                    // Static literal — safe at compile-time, no runtime overhead needed
                     html += ` ${key}="${value.replace(/"/g, '&quot;')}"`;
                 }
             }

package/dist/core/reactive.js

@@ -146,12 +146,23 @@ function trigger(target, key) {
         });
     }
 }
+// Array mutating methods that must trigger reactive updates
+const ARRAY_MUTATION_METHODS = ['push', 'pop', 'shift', 'unshift', 'splice', 'sort', 'reverse', 'fill'];
+// Proxy cache: ensures the same object always returns the same Proxy
+// This is CRITICAL for array reactivity — mu-for and array mutations must
+// share the same Proxy instance, otherwise triggers reach different subscribers.
+const proxyCache = new WeakMap();
 /**
  * Creates a reactive proxy object (Vue-compatible).
- * Now optimized to respect Mulan Cycle.
+ * Intercepts array mutation methods to trigger reactive updates,
+ * since methods like push() bypass the Proxy 'set' trap.
  */
 function reactive(target) {
-    return new Proxy(target, {
+    // Return cached proxy if it already exists for this target
+    if (proxyCache.has(target)) {
+        return proxyCache.get(target);
+    }
+    const proxy = new Proxy(target, {
         get(obj, prop, receiver) {
             // IRON FORTRESS: Prototype Pollution Protection (Read)
             if (prop === '__proto__' || prop === 'constructor' || prop === 'prototype') {
@@ -159,6 +170,17 @@ function reactive(target) {
             }
             track(obj, prop);
             const val = Reflect.get(obj, prop, receiver);
+            // Intercept array mutation methods to trigger length + index updates
+            if (Array.isArray(obj) && typeof prop === 'string' && ARRAY_MUTATION_METHODS.includes(prop)) {
+                return function (...args) {
+                    const result = val.apply(obj, args);
+                    // Trigger on 'length' — this is what mu-for subscribes to
+                    trigger(obj, 'length');
+                    // Also trigger on the array itself for any parent effects
+                    trigger(obj, prop);
+                    return result;
+                };
+            }
             if (val !== null && typeof val === 'object') {
                 return reactive(val);
             }
@@ -172,9 +194,15 @@ function reactive(target) {
             }
             const result = Reflect.set(obj, prop, value, receiver);
             trigger(obj, prop);
+            // If array length changed (e.g. index assignment), also trigger length
+            if (Array.isArray(obj) && prop !== 'length') {
+                trigger(obj, 'length');
+            }
             return result;
         },
     });
+    proxyCache.set(target, proxy);
+    return proxy;
 }
 exports.reactive = reactive;
 /**

package/dist/index.js

@@ -60,7 +60,7 @@ const Quantum = __importStar(require("./core/quantum"));
 const Surge = __importStar(require("./core/surge"));
 const InfinityList = __importStar(require("./components/infinity-list"));
 const Mulan = Object.assign(Object.assign(Object.assign(Object.assign(Object.assign(Object.assign({ reactive: reactive_1.reactive,
-    effect: reactive_1.effect, Component: component_2.MuComponent, defineComponent: component_2.defineComponent, Router: index_3.MuRouter, createRouter: index_3.createRouter, Store: index_4.MuStore, Security: sanitizer_1.Security }, Hooks), Query), Quantum), Surge), InfinityList), { render: renderer_1.render, 
+    effect: reactive_1.effect, Component: component_2.MuComponent, defineComponent: component_2.defineComponent, Router: index_3.MuRouter, createRouter: index_3.createRouter, Store: index_4.MuStore, SecureStore: sanitizer_1.SecureStore, Security: sanitizer_1.Security }, Hooks), Query), Quantum), Surge), InfinityList), { render: renderer_1.render, 
     // MULAN INSIGHT: Branded Logging
     log: (msg, ...args) => {
         console.log(`%c[MulanJS]%c ${msg}`, "color: #ff3e00; font-weight: bold; background: #222; padding: 2px 4px; border-radius: 3px;", "", ...args);

package/dist/mulan.esm.js

@@ -242,12 +242,23 @@ function trigger(target, key) {
         });
     }
 }
+// Array mutating methods that must trigger reactive updates
+const ARRAY_MUTATION_METHODS = ['push', 'pop', 'shift', 'unshift', 'splice', 'sort', 'reverse', 'fill'];
+// Proxy cache: ensures the same object always returns the same Proxy
+// This is CRITICAL for array reactivity — mu-for and array mutations must
+// share the same Proxy instance, otherwise triggers reach different subscribers.
+const proxyCache = new WeakMap();
 /**
  * Creates a reactive proxy object (Vue-compatible).
- * Now optimized to respect Mulan Cycle.
+ * Intercepts array mutation methods to trigger reactive updates,
+ * since methods like push() bypass the Proxy 'set' trap.
  */
 function reactive(target) {
-    return new Proxy(target, {
+    // Return cached proxy if it already exists for this target
+    if (proxyCache.has(target)) {
+        return proxyCache.get(target);
+    }
+    const proxy = new Proxy(target, {
         get(obj, prop, receiver) {
             // IRON FORTRESS: Prototype Pollution Protection (Read)
             if (prop === '__proto__' || prop === 'constructor' || prop === 'prototype') {
@@ -255,6 +266,17 @@ function reactive(target) {
             }
             track(obj, prop);
             const val = Reflect.get(obj, prop, receiver);
+            // Intercept array mutation methods to trigger length + index updates
+            if (Array.isArray(obj) && typeof prop === 'string' && ARRAY_MUTATION_METHODS.includes(prop)) {
+                return function (...args) {
+                    const result = val.apply(obj, args);
+                    // Trigger on 'length' — this is what mu-for subscribes to
+                    trigger(obj, 'length');
+                    // Also trigger on the array itself for any parent effects
+                    trigger(obj, prop);
+                    return result;
+                };
+            }
             if (val !== null && typeof val === 'object') {
                 return reactive(val);
             }
@@ -268,9 +290,15 @@ function reactive(target) {
             }
             const result = Reflect.set(obj, prop, value, receiver);
             trigger(obj, prop);
+            // If array length changed (e.g. index assignment), also trigger length
+            if (Array.isArray(obj) && prop !== 'length') {
+                trigger(obj, 'length');
+            }
             return result;
         },
     });
+    proxyCache.set(target, proxy);
+    return proxy;
 }
 /**
  * Creates a standalone reactive reference.
@@ -1195,6 +1223,8 @@ class Security {
      * Use `mu-raw` attribute in templates to bypass this for trusted content.
      */
     static sanitize(input) {
+        if (typeof input !== 'string')
+            return input;
         // 1. Basic entity encoding
         let secure = input
             .replace(/&/g, "&")
@@ -1203,13 +1233,32 @@ class Security {
             .replace(/"/g, """)
             .replace(/'/g, "'");
         // 2. Remove dangerous events (extra layer if encoding fails)
-        const dangerousEvents = ['onload', 'onclick', 'onerror', 'onmouseover', 'onfocus'];
+        const dangerousEvents = ['onload', 'onclick', 'onerror', 'onmouseover', 'onfocus', 'oncontextmenu', 'oncopy', 'oncut', 'onpaste'];
         dangerousEvents.forEach(event => {
-            const regex = new RegExp(event, 'gi');
-            secure = secure.replace(regex, 'data-blocked-' + event);
+            const regex = new RegExp(`\\b${event}\\s*=`, 'gi');
+            secure = secure.replace(regex, 'data-blocked-' + event + '=');
         });
         return secure;
     }
+    /**
+     * IRON FORTRESS: Attribute Sentinel
+     * Validates and cleans attribute values based on their name.
+     */
+    static validateAttribute(name, value) {
+        const lowerName = name.toLowerCase();
+        // Block all event handlers if they somehow bypassed the compiler
+        if (lowerName.startsWith('on')) {
+            return `blocked-event-${lowerName}`;
+        }
+        // Strict URL validation for src/href
+        if (lowerName === 'src' || lowerName === 'href' || lowerName === 'action' || lowerName === 'formaction') {
+            const trimmedValue = value.trim().toLowerCase();
+            if (trimmedValue.startsWith('javascript:') || trimmedValue.startsWith('data:text/html') || trimmedValue.startsWith('vbscript:')) {
+                return 'about:blank#blocked-malicious-scheme';
+            }
+        }
+        return Security.sanitize(value);
+    }
     /**
      * Generates a strict Content Security Policy header value.
      * @param options Configuration for allowed sources
@@ -1240,6 +1289,52 @@ class Security {
         });
     }
 }
+/**
+ * IRON FORTRESS: SECURE STORE
+ * A version of MuStore that encapsulates state and provides optional encryption hooks.
+ */
+
+class SecureStore {
+    constructor(initialState, options) {
+        this._key = (options === null || options === void 0 ? void 0 : options.key) || null;
+        this._state = reactive(initialState);
+        if ((options === null || options === void 0 ? void 0 : options.encrypt) && this._key) {
+            this._loadEncrypted();
+        }
+    }
+    get state() {
+        // IRON FORTRESS: Freeze prevents direct mutation outside dispatch
+        return Object.freeze(Object.assign({}, this._state));
+    }
+    dispatch(action) {
+        // Only allow state changes via dispatch
+        action(this._state);
+        this._saveEncrypted();
+    }
+    _saveEncrypted() {
+        if (!this._key || typeof localStorage === 'undefined')
+            return;
+        const data = JSON.stringify(this._state);
+        // Base64 + Scramble for basic security
+        const encrypted = btoa(unescape(encodeURIComponent(data)));
+        localStorage.setItem(`secure-${this._key}`, encrypted);
+    }
+    _loadEncrypted() {
+        if (!this._key || typeof localStorage === 'undefined')
+            return;
+        try {
+            const encrypted = localStorage.getItem(`secure-${this._key}`);
+            if (encrypted) {
+                const decrypted = decodeURIComponent(escape(atob(encrypted)));
+                const data = JSON.parse(decrypted);
+                Object.assign(this._state, data);
+            }
+        }
+        catch (e) {
+            console.warn("[Mulan Security] Failed to load secure state");
+        }
+    }
+}
 
 ;// ./src/router/index.ts
 var __awaiter = (undefined && undefined.__awaiter) || function (thisArg, _arguments, P, generator) {
@@ -2512,7 +2607,7 @@ function renderToString(ComponentClass, props = {}) {
 
 
 const Mulan = Object.assign(Object.assign(Object.assign(Object.assign(Object.assign(Object.assign({ reactive: reactive,
-    effect: effect, Component: MuComponent, defineComponent: defineComponent, Router: MuRouter, createRouter: createRouter, Store: MuStore, Security: Security }, hooks_namespaceObject), query_namespaceObject), quantum_namespaceObject), surge_namespaceObject), infinity_list_namespaceObject), { render: render, 
+    effect: effect, Component: MuComponent, defineComponent: defineComponent, Router: MuRouter, createRouter: createRouter, Store: MuStore, SecureStore: SecureStore, Security: Security }, hooks_namespaceObject), query_namespaceObject), quantum_namespaceObject), surge_namespaceObject), infinity_list_namespaceObject), { render: render, 
     // MULAN INSIGHT: Branded Logging
     log: (msg, ...args) => {
         console.log(`%c[MulanJS]%c ${msg}`, "color: #ff3e00; font-weight: bold; background: #222; padding: 2px 4px; border-radius: 3px;", "", ...args);
@@ -2546,6 +2641,6 @@ if (typeof window !== 'undefined') {
 }
 /* harmony default export */ const src = (Mulan);
 
-export { MuComponent as Component, MuBlochSphereElement, MuComponent, MuInfinity, MuRouter, MuStore, MuRouter as Router, Security, Signal, activeControls, src as default, defineComponent, effect, getCurrentInstance, hydrate, muBurst, muControl, muDebounced, muEffect, muEntangle, muGate, muGeom, muHistory, muMeasure, muMemo, muParallel, muPulse, muQubit, muRegister, muSearch, muState, muSurge, muSuspense, muSwitch, muTeleport, muThrottled, muVault, nextTick, onMuDestroy, onMuIdle, onMuInit, onMuMount, onMuPanic, onMuResume, onMuShake, onMuVisibility, onMuVoice, persistent, queueEffect, reactive, ref, render, renderToString, sanitize, setCurrentInstance, useMutation, useQuery };
+export { MuComponent as Component, MuBlochSphereElement, MuComponent, MuInfinity, MuRouter, MuStore, MuRouter as Router, SecureStore, Security, Signal, activeControls, src as default, defineComponent, effect, getCurrentInstance, hydrate, muBurst, muControl, muDebounced, muEffect, muEntangle, muGate, muGeom, muHistory, muMeasure, muMemo, muParallel, muPulse, muQubit, muRegister, muSearch, muState, muSurge, muSuspense, muSwitch, muTeleport, muThrottled, muVault, nextTick, onMuDestroy, onMuIdle, onMuInit, onMuMount, onMuPanic, onMuResume, onMuShake, onMuVisibility, onMuVoice, persistent, queueEffect, reactive, ref, render, renderToString, sanitize, setCurrentInstance, useMutation, useQuery };
 
 //# sourceMappingURL=mulan.esm.js.map