@plasius/images 1.0.0

package/dist/validators/svgValidator.js

@@ -0,0 +1,139 @@
+import { DOMParser, XMLSerializer } from "@xmldom/xmldom";
+export function sanitiseSVG(svgText, options) {
+    const strippedTags = [];
+    const strippedAttributes = [];
+    const parser = new DOMParser({
+        onError: (level, msg) => {
+            switch (level) {
+                case "warning":
+                    break;
+                default:
+                    throw new Error(msg);
+            }
+        },
+    });
+    const serializer = new XMLSerializer();
+    const doc = parser.parseFromString(svgText, "image/svg+xml");
+    function cleanNode(node) {
+        // TODO: optionally sanitize <style> elements and inline style attributes
+        if (node === null)
+            return;
+        if (node.nodeType === 8 /* Comment */ && !options.allowComments) {
+            node.parentNode?.removeChild(node);
+            return;
+        }
+        if (node.nodeType === 1 /* Element */) {
+            const el = node;
+            const tagName = el.tagName.toLowerCase();
+            // Strip <style> elements entirely
+            if (tagName === "style") {
+                strippedTags.push(tagName);
+                node.parentNode?.removeChild(node);
+                return;
+            }
+            if (!options.allowedTags.includes(tagName) &&
+                !options.allowUnknownElements) {
+                strippedTags.push(tagName);
+                node.parentNode?.removeChild(node);
+                return;
+            }
+            // Clean attributes
+            const allowedAttrs = options.allowedAttributes["*"] || [];
+            const toRemove = [];
+            for (const attr of Array.from(el.attributes)) {
+                const attrName = attr.name.toLowerCase();
+                if (attrName.startsWith("on")) {
+                    toRemove.push(attr.name);
+                    strippedAttributes.push(`${tagName}.${attr.name}`);
+                    continue;
+                }
+                if (attrName === "xlink:href" || attrName === "xmlns:xlink") {
+                    toRemove.push(attr.name);
+                    strippedAttributes.push(`${tagName}.${attr.name}`);
+                    continue;
+                }
+                if (attrName === "style") {
+                    toRemove.push(attr.name);
+                    strippedAttributes.push(`${tagName}.${attr.name}`);
+                    continue;
+                }
+                if (!allowedAttrs.includes(attr.name) &&
+                    !options.allowUnknownAttributes) {
+                    toRemove.push(attr.name);
+                    strippedAttributes.push(`${tagName}.${attr.name}`);
+                }
+            }
+            toRemove.forEach((attrName) => el.removeAttribute(attrName));
+        }
+        // Recursively clean children
+        const children = Array.from(node.childNodes);
+        children.forEach((child) => cleanNode(child));
+    }
+    cleanNode(doc.documentElement);
+    return {
+        svg: serializer.serializeToString(doc),
+        audit: { strippedTags, strippedAttributes },
+    };
+}
+export function validateSvgAvatar(buffer) {
+    const svgText = buffer.toString("utf8");
+    const { svg: cleanSvg } = sanitiseSVG(svgText, {
+        allowedTags: [
+            "svg",
+            "g",
+            "rect",
+            "circle",
+            "ellipse",
+            "line",
+            "polygon",
+            "polyline",
+            "path",
+            "text",
+            "title",
+            "desc",
+        ],
+        allowedAttributes: {
+            "*": [
+                "width",
+                "height",
+                "viewBox",
+                "xmlns",
+                "transform",
+                "x",
+                "y",
+                "cx",
+                "cy",
+                "r",
+                "rx",
+                "ry",
+                "x1",
+                "y1",
+                "x2",
+                "y2",
+                "points",
+                "d",
+                "fill",
+                "stroke",
+                "stroke-width",
+                "font-family",
+                "font-size",
+                "text-anchor",
+            ],
+        },
+        allowComments: false,
+        allowUnknownElements: false,
+        allowUnknownAttributes: false,
+    });
+    const cleanBuffer = Buffer.from(cleanSvg, "utf8");
+    // Basic sanity checks
+    if (cleanBuffer.length > 256 * 1024) {
+        throw new Error("SVG too large (max 256 KB)");
+    }
+    return Promise.resolve({
+        width: 0, // SVG is scalable, can’t guarantee pixel dimensions
+        height: 0,
+        format: "svg",
+        size: cleanBuffer.length,
+        safeBuffer: cleanBuffer,
+    });
+}

package/dist-cjs/detectFormat.d.ts

@@ -0,0 +1,2 @@
+export declare function detectFormat(buffer: Buffer): "jpeg" | "png" | "webp" | "svg" | undefined;
+//# sourceMappingURL=detectFormat.d.ts.map

package/dist-cjs/detectFormat.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"detectFormat.d.ts","sourceRoot":"","sources":["../src/detectFormat.ts"],"names":[],"mappings":"AAAA,wBAAgB,YAAY,CAC1B,MAAM,EAAE,MAAM,GACb,MAAM,GAAG,KAAK,GAAG,MAAM,GAAG,KAAK,GAAG,SAAS,CAyB7C"}

package/dist-cjs/detectFormat.js

@@ -0,0 +1,23 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.detectFormat = detectFormat;
+function detectFormat(buffer) {
+    if (buffer[0] === 0xff && buffer[1] === 0xd8) {
+        return "jpeg";
+    }
+    if (buffer[0] === 0x89 &&
+        buffer[1] === 0x50 &&
+        buffer[2] === 0x4e &&
+        buffer[3] === 0x47) {
+        return "png";
+    }
+    if (buffer.slice(0, 4).toString() === "RIFF" &&
+        buffer.slice(8, 12).toString() === "WEBP") {
+        return "webp";
+    }
+    const header = buffer.slice(0, 1000).toString("utf8").toLowerCase();
+    if (header.includes("<svg")) {
+        return "svg";
+    }
+    return undefined;
+}

package/dist-cjs/index.d.ts

@@ -0,0 +1,2 @@
+export * from "./validators/index.js";
+//# sourceMappingURL=index.d.ts.map

package/dist-cjs/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,cAAc,uBAAuB,CAAC"}

package/dist-cjs/index.js

@@ -0,0 +1,17 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __exportStar = (this && this.__exportStar) || function(m, exports) {
+    for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+__exportStar(require("./validators/index.js"), exports);

package/dist-cjs/parse/index.d.ts

@@ -0,0 +1,5 @@
+export * from "./parseJpeg.js";
+export * from "./parsePng.js";
+export * from "./parseSVG.js";
+export * from "./parseWebp.js";
+//# sourceMappingURL=index.d.ts.map

package/dist-cjs/parse/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/parse/index.ts"],"names":[],"mappings":"AAAA,cAAc,gBAAgB,CAAC;AAC/B,cAAc,eAAe,CAAC;AAC9B,cAAc,eAAe,CAAC;AAC9B,cAAc,gBAAgB,CAAC"}

package/dist-cjs/parse/index.js

@@ -0,0 +1,20 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __exportStar = (this && this.__exportStar) || function(m, exports) {
+    for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+__exportStar(require("./parseJpeg.js"), exports);
+__exportStar(require("./parsePng.js"), exports);
+__exportStar(require("./parseSVG.js"), exports);
+__exportStar(require("./parseWebp.js"), exports);

package/dist-cjs/parse/parseJpeg.d.ts

@@ -0,0 +1,5 @@
+export declare function parseJpeg(buffer: Buffer): {
+    width: number;
+    height: number;
+};
+//# sourceMappingURL=parseJpeg.d.ts.map

package/dist-cjs/parse/parseJpeg.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"parseJpeg.d.ts","sourceRoot":"","sources":["../../src/parse/parseJpeg.ts"],"names":[],"mappings":"AAAA,wBAAgB,SAAS,CAAC,MAAM,EAAE,MAAM,GAAG;IAAE,KAAK,EAAE,MAAM,CAAC;IAAC,MAAM,EAAE,MAAM,CAAA;CAAE,CAqB3E"}

package/dist-cjs/parse/parseJpeg.js

@@ -0,0 +1,21 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.parseJpeg = parseJpeg;
+function parseJpeg(buffer) {
+    let offset = 2;
+    while (offset < buffer.length) {
+        if (buffer[offset] !== 0xff) {
+            throw new Error("Invalid JPEG marker");
+        }
+        const marker = buffer[offset + 1];
+        const length = buffer.readUInt16BE(offset + 2);
+        // SOF0 (baseline), SOF2 (progressive)
+        if (marker === 0xc0 || marker === 0xc2) {
+            const height = buffer.readUInt16BE(offset + 5);
+            const width = buffer.readUInt16BE(offset + 7);
+            return { width, height };
+        }
+        offset += 2 + length;
+    }
+    throw new Error("JPEG SOF marker not found");
+}

package/dist-cjs/parse/parsePng.d.ts

@@ -0,0 +1,5 @@
+export declare function parsePng(buffer: Buffer): {
+    width: number;
+    height: number;
+};
+//# sourceMappingURL=parsePng.d.ts.map

package/dist-cjs/parse/parsePng.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"parsePng.d.ts","sourceRoot":"","sources":["../../src/parse/parsePng.ts"],"names":[],"mappings":"AAAA,wBAAgB,QAAQ,CAAC,MAAM,EAAE,MAAM,GAAG;IACxC,KAAK,EAAE,MAAM,CAAC;IACd,MAAM,EAAE,MAAM,CAAC;CAChB,CAKA"}

package/dist-cjs/parse/parsePng.js

@@ -0,0 +1,9 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.parsePng = parsePng;
+function parsePng(buffer) {
+    // IHDR chunk is at byte 8+8 = 16
+    const width = buffer.readUInt32BE(16);
+    const height = buffer.readUInt32BE(20);
+    return { width, height };
+}

package/dist-cjs/parse/parseSVG.d.ts

@@ -0,0 +1,5 @@
+export declare function parseSvg(buffer: Buffer): {
+    width: number;
+    height: number;
+};
+//# sourceMappingURL=parseSVG.d.ts.map

package/dist-cjs/parse/parseSVG.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"parseSVG.d.ts","sourceRoot":"","sources":["../../src/parse/parseSVG.ts"],"names":[],"mappings":"AAAA,wBAAgB,QAAQ,CAAC,MAAM,EAAE,MAAM,GAAG;IACxC,KAAK,EAAE,MAAM,CAAC;IACd,MAAM,EAAE,MAAM,CAAC;CAChB,CA0BA"}

package/dist-cjs/parse/parseSVG.js

@@ -0,0 +1,26 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.parseSvg = parseSvg;
+function parseSvg(buffer) {
+    const text = buffer.toString("utf8");
+    const matchViewBox = /viewBox\s*=\s*"([^"]+)"/i.exec(text);
+    const matchWidth = /width\s*=\s*"(\d+)(px)?"/i.exec(text);
+    const matchHeight = /height\s*=\s*"(\d+)(px)?"/i.exec(text);
+    let width;
+    let height;
+    if (matchWidth && matchHeight) {
+        width = parseInt(matchWidth[1], 10);
+        height = parseInt(matchHeight[1], 10);
+    }
+    else if (matchViewBox) {
+        const parts = matchViewBox[1].split(/\s+/);
+        if (parts.length === 4) {
+            width = parseFloat(parts[2]);
+            height = parseFloat(parts[3]);
+        }
+    }
+    if (!width || !height) {
+        throw new Error("Could not determine SVG dimensions");
+    }
+    return { width, height };
+}

package/dist-cjs/parse/parseWebp.d.ts

@@ -0,0 +1,5 @@
+export declare function parseWebp(buffer: Buffer): {
+    width: number;
+    height: number;
+};
+//# sourceMappingURL=parseWebp.d.ts.map

package/dist-cjs/parse/parseWebp.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"parseWebp.d.ts","sourceRoot":"","sources":["../../src/parse/parseWebp.ts"],"names":[],"mappings":"AAAA,wBAAgB,SAAS,CAAC,MAAM,EAAE,MAAM,GAAG;IACzC,KAAK,EAAE,MAAM,CAAC;IACd,MAAM,EAAE,MAAM,CAAC;CAChB,CAeA"}

package/dist-cjs/parse/parseWebp.js

@@ -0,0 +1,20 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.parseWebp = parseWebp;
+function parseWebp(buffer) {
+    const chunkHeader = buffer.slice(12, 16).toString();
+    if (chunkHeader === "VP8X") {
+        const width = 1 + buffer.readUIntLE(24, 3);
+        const height = 1 + buffer.readUIntLE(27, 3);
+        return { width, height };
+    }
+    else if (chunkHeader === "VP8 ") {
+        // Simple lossless: parse frame header
+        const width = buffer.readUInt16LE(26) & 0x3fff;
+        const height = buffer.readUInt16LE(28) & 0x3fff;
+        return { width, height };
+    }
+    else {
+        throw new Error("Unsupported WEBP chunk type: " + chunkHeader);
+    }
+}

package/dist-cjs/validators/avatarValidator.d.ts

@@ -0,0 +1,9 @@
+export interface ImageValidationResult {
+    width: number;
+    height: number;
+    format: string;
+    size: number;
+    safeBuffer: Buffer;
+}
+export declare function validateAvatarImage(buffer: Buffer): Promise<ImageValidationResult>;
+//# sourceMappingURL=avatarValidator.d.ts.map

package/dist-cjs/validators/avatarValidator.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"avatarValidator.d.ts","sourceRoot":"","sources":["../../src/validators/avatarValidator.ts"],"names":[],"mappings":"AAGA,MAAM,WAAW,qBAAqB;IACpC,KAAK,EAAE,MAAM,CAAC;IACd,MAAM,EAAE,MAAM,CAAC;IACf,MAAM,EAAE,MAAM,CAAC;IACf,IAAI,EAAE,MAAM,CAAC;IACb,UAAU,EAAE,MAAM,CAAC;CACpB;AAED,wBAAsB,mBAAmB,CACvC,MAAM,EAAE,MAAM,GACb,OAAO,CAAC,qBAAqB,CAAC,CA0DhC"}

package/dist-cjs/validators/avatarValidator.js

@@ -0,0 +1,57 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.validateAvatarImage = validateAvatarImage;
+const sharp_1 = __importDefault(require("sharp"));
+const svgValidator_js_1 = require("./svgValidator.js");
+async function validateAvatarImage(buffer) {
+    const metadata = await (0, sharp_1.default)(buffer).metadata();
+    const format = metadata.format;
+    if (!format) {
+        throw new Error("Unsupported or unknown image format");
+    }
+    const width = metadata.width;
+    const height = metadata.height;
+    if (!width || !height) {
+        throw new Error("Could not determine image dimensions");
+    }
+    if (width < 64 || height < 64) {
+        throw new Error("Image too small (min 64x64)");
+    }
+    if (width > 2048 || height > 2048) {
+        throw new Error("Image too large (max 2048x2048)");
+    }
+    const targetFormat = "png"; // common safe web format
+    let safeBuffer;
+    if (format === "svg") {
+        const svgText = buffer.toString("utf8");
+        const svgValidation = await (0, svgValidator_js_1.validateSvgAvatar)(Buffer.from(svgText, "utf-8"));
+        safeBuffer = await (0, sharp_1.default)(svgValidation.safeBuffer)
+            .resize({
+            width: Math.min(width, 2048),
+            height: Math.min(height, 2048),
+            fit: "inside",
+        })
+            .toFormat(targetFormat)
+            .toBuffer();
+    }
+    else {
+        safeBuffer = await (0, sharp_1.default)(buffer)
+            .resize({
+            width: Math.min(width, 2048),
+            height: Math.min(height, 2048),
+            fit: "inside",
+        })
+            .toFormat(targetFormat, { quality: 90 })
+            .toBuffer();
+    }
+    return {
+        width,
+        height,
+        format,
+        size: buffer.length,
+        safeBuffer,
+    };
+}

package/dist-cjs/validators/index.d.ts

@@ -0,0 +1,3 @@
+export * from "./svgValidator.js";
+export * from "./avatarValidator.js";
+//# sourceMappingURL=index.d.ts.map

package/dist-cjs/validators/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/validators/index.ts"],"names":[],"mappings":"AAAA,cAAc,mBAAmB,CAAC;AAClC,cAAc,sBAAsB,CAAC"}

package/dist-cjs/validators/index.js

@@ -0,0 +1,18 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __exportStar = (this && this.__exportStar) || function(m, exports) {
+    for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+__exportStar(require("./svgValidator.js"), exports);
+__exportStar(require("./avatarValidator.js"), exports);

package/dist-cjs/validators/svgValidator.d.ts

@@ -0,0 +1,18 @@
+import type { ImageValidationResult } from "./avatarValidator.js";
+export declare function sanitiseSVG(svgText: string, options: {
+    allowedTags: string[];
+    allowedAttributes: {
+        "*": string[];
+    };
+    allowComments: boolean;
+    allowUnknownElements: boolean;
+    allowUnknownAttributes: boolean;
+}): {
+    svg: string;
+    audit: {
+        strippedTags: string[];
+        strippedAttributes: string[];
+    };
+};
+export declare function validateSvgAvatar(buffer: Buffer): Promise<ImageValidationResult>;
+//# sourceMappingURL=svgValidator.d.ts.map

package/dist-cjs/validators/svgValidator.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"svgValidator.d.ts","sourceRoot":"","sources":["../../src/validators/svgValidator.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,qBAAqB,EAAE,MAAM,sBAAsB,CAAC;AAIlE,wBAAgB,WAAW,CACzB,OAAO,EAAE,MAAM,EACf,OAAO,EAAE;IACP,WAAW,EAAE,MAAM,EAAE,CAAC;IACtB,iBAAiB,EAAE;QAAE,GAAG,EAAE,MAAM,EAAE,CAAA;KAAE,CAAC;IACrC,aAAa,EAAE,OAAO,CAAC;IACvB,oBAAoB,EAAE,OAAO,CAAC;IAC9B,sBAAsB,EAAE,OAAO,CAAC;CACjC,GACA;IACD,GAAG,EAAE,MAAM,CAAC;IACZ,KAAK,EAAE;QAAE,YAAY,EAAE,MAAM,EAAE,CAAC;QAAC,kBAAkB,EAAE,MAAM,EAAE,CAAA;KAAE,CAAC;CACjE,CA+FA;AAED,wBAAgB,iBAAiB,CAC/B,MAAM,EAAE,MAAM,GACb,OAAO,CAAC,qBAAqB,CAAC,CAkEhC"}

package/dist-cjs/validators/svgValidator.js

@@ -0,0 +1,143 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.sanitiseSVG = sanitiseSVG;
+exports.validateSvgAvatar = validateSvgAvatar;
+const xmldom_1 = require("@xmldom/xmldom");
+function sanitiseSVG(svgText, options) {
+    const strippedTags = [];
+    const strippedAttributes = [];
+    const parser = new xmldom_1.DOMParser({
+        onError: (level, msg) => {
+            switch (level) {
+                case "warning":
+                    break;
+                default:
+                    throw new Error(msg);
+            }
+        },
+    });
+    const serializer = new xmldom_1.XMLSerializer();
+    const doc = parser.parseFromString(svgText, "image/svg+xml");
+    function cleanNode(node) {
+        // TODO: optionally sanitize <style> elements and inline style attributes
+        if (node === null)
+            return;
+        if (node.nodeType === 8 /* Comment */ && !options.allowComments) {
+            node.parentNode?.removeChild(node);
+            return;
+        }
+        if (node.nodeType === 1 /* Element */) {
+            const el = node;
+            const tagName = el.tagName.toLowerCase();
+            // Strip <style> elements entirely
+            if (tagName === "style") {
+                strippedTags.push(tagName);
+                node.parentNode?.removeChild(node);
+                return;
+            }
+            if (!options.allowedTags.includes(tagName) &&
+                !options.allowUnknownElements) {
+                strippedTags.push(tagName);
+                node.parentNode?.removeChild(node);
+                return;
+            }
+            // Clean attributes
+            const allowedAttrs = options.allowedAttributes["*"] || [];
+            const toRemove = [];
+            for (const attr of Array.from(el.attributes)) {
+                const attrName = attr.name.toLowerCase();
+                if (attrName.startsWith("on")) {
+                    toRemove.push(attr.name);
+                    strippedAttributes.push(`${tagName}.${attr.name}`);
+                    continue;
+                }
+                if (attrName === "xlink:href" || attrName === "xmlns:xlink") {
+                    toRemove.push(attr.name);
+                    strippedAttributes.push(`${tagName}.${attr.name}`);
+                    continue;
+                }
+                if (attrName === "style") {
+                    toRemove.push(attr.name);
+                    strippedAttributes.push(`${tagName}.${attr.name}`);
+                    continue;
+                }
+                if (!allowedAttrs.includes(attr.name) &&
+                    !options.allowUnknownAttributes) {
+                    toRemove.push(attr.name);
+                    strippedAttributes.push(`${tagName}.${attr.name}`);
+                }
+            }
+            toRemove.forEach((attrName) => el.removeAttribute(attrName));
+        }
+        // Recursively clean children
+        const children = Array.from(node.childNodes);
+        children.forEach((child) => cleanNode(child));
+    }
+    cleanNode(doc.documentElement);
+    return {
+        svg: serializer.serializeToString(doc),
+        audit: { strippedTags, strippedAttributes },
+    };
+}
+function validateSvgAvatar(buffer) {
+    const svgText = buffer.toString("utf8");
+    const { svg: cleanSvg } = sanitiseSVG(svgText, {
+        allowedTags: [
+            "svg",
+            "g",
+            "rect",
+            "circle",
+            "ellipse",
+            "line",
+            "polygon",
+            "polyline",
+            "path",
+            "text",
+            "title",
+            "desc",
+        ],
+        allowedAttributes: {
+            "*": [
+                "width",
+                "height",
+                "viewBox",
+                "xmlns",
+                "transform",
+                "x",
+                "y",
+                "cx",
+                "cy",
+                "r",
+                "rx",
+                "ry",
+                "x1",
+                "y1",
+                "x2",
+                "y2",
+                "points",
+                "d",
+                "fill",
+                "stroke",
+                "stroke-width",
+                "font-family",
+                "font-size",
+                "text-anchor",
+            ],
+        },
+        allowComments: false,
+        allowUnknownElements: false,
+        allowUnknownAttributes: false,
+    });
+    const cleanBuffer = Buffer.from(cleanSvg, "utf8");
+    // Basic sanity checks
+    if (cleanBuffer.length > 256 * 1024) {
+        throw new Error("SVG too large (max 256 KB)");
+    }
+    return Promise.resolve({
+        width: 0, // SVG is scalable, can’t guarantee pixel dimensions
+        height: 0,
+        format: "svg",
+        size: cleanBuffer.length,
+        safeBuffer: cleanBuffer,
+    });
+}

package/docs/adrs/adr-0001-images-package-scope.md

@@ -0,0 +1,21 @@
+# ADR-0001: Standalone @plasius/images Package Scope
+
+- Date: 2026-02-11
+- Status: Accepted
+
+## Context
+
+This package was previously maintained as a workspace-only module inside
+`plasius-ltd-site`. External consumers and remote builds require it to be
+installable from npm without monorepo-local links.
+
+## Decision
+
+Move `@plasius/images` to a standalone root package with independent build,
+test, governance, CI, and publish workflows.
+
+## Consequences
+
+- The package can be versioned and released independently.
+- `plasius-ltd-site` and other repositories can depend on npm-published versions.
+- Build and lint rules must no longer rely on monorepo-relative tsconfig paths.