@renderify/security 0.1.0

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 Web LLM
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,57 @@
+# @renderify/security
+
+![Node CI](https://github.com/webllm/renderify/workflows/CI/badge.svg)
+![npm](https://img.shields.io/npm/v/@renderify/security.svg)
+![license](https://img.shields.io/npm/l/@renderify/security)
+
+Security policy engine for Renderify RuntimePlan execution.
+
+`@renderify/security` validates plans, capabilities, module sources, and runtime source code before execution.
+
+## Install
+
+```bash
+pnpm add @renderify/security @renderify/ir
+# or
+npm i @renderify/security @renderify/ir
+```
+
+## Main API
+
+- `DefaultSecurityChecker`
+- `listSecurityProfiles()`
+- `getSecurityProfilePolicy(profile)`
+- Types: `RuntimeSecurityPolicy`, `SecurityCheckResult`, `RuntimeSecurityProfile`
+
+## Profiles
+
+- `strict`
+- `balanced` (default)
+- `relaxed`
+
+## Quick Start
+
+```ts
+import { DefaultSecurityChecker } from "@renderify/security";
+
+const checker = new DefaultSecurityChecker();
+checker.initialize({ profile: "strict" });
+
+const result = await checker.checkPlan(plan);
+if (!result.safe) {
+  console.error(result.issues);
+}
+```
+
+## What It Checks
+
+- Blocked HTML tags and tree limits
+- Allowed module specifiers and network hosts
+- Execution profile limits and capability quotas
+- Runtime source module constraints
+- Spec version and module manifest requirements
+
+## Notes
+
+- `checkPlan()` is async.
+- Use policy overrides via `initialize({ profile, overrides })` for environment-specific constraints.

package/dist/security.cjs.js

@@ -0,0 +1,582 @@
+"use strict";
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+
+// src/index.ts
+var src_exports = {};
+__export(src_exports, {
+  DefaultSecurityChecker: () => DefaultSecurityChecker,
+  getSecurityProfilePolicy: () => getSecurityProfilePolicy,
+  listSecurityProfiles: () => listSecurityProfiles
+});
+module.exports = __toCommonJS(src_exports);
+var import_ir = require("@renderify/ir");
+var SECURITY_PROFILE_POLICIES = {
+  strict: {
+    blockedTags: ["script", "iframe", "object", "embed", "link", "meta"],
+    maxTreeDepth: 8,
+    maxNodeCount: 250,
+    allowInlineEventHandlers: false,
+    allowedModules: ["/", "npm:"],
+    allowedNetworkHosts: ["ga.jspm.io", "cdn.jspm.io"],
+    allowArbitraryNetwork: false,
+    allowedExecutionProfiles: [
+      "standard",
+      "isolated-vm",
+      "sandbox-worker",
+      "sandbox-iframe"
+    ],
+    maxTransitionsPerPlan: 40,
+    maxActionsPerTransition: 20,
+    maxAllowedImports: 80,
+    maxAllowedExecutionMs: 5e3,
+    maxAllowedComponentInvocations: 120,
+    allowRuntimeSourceModules: true,
+    maxRuntimeSourceBytes: 2e4,
+    supportedSpecVersions: [import_ir.DEFAULT_RUNTIME_PLAN_SPEC_VERSION],
+    requireSpecVersion: true,
+    requireModuleManifestForBareSpecifiers: true,
+    requireModuleIntegrity: true,
+    allowDynamicSourceImports: false,
+    sourceBannedPatternStrings: [
+      "\\beval\\s*\\(",
+      "\\bnew\\s+Function\\b",
+      "\\bfetch\\s*\\(",
+      "\\bXMLHttpRequest\\b",
+      "\\bWebSocket\\b",
+      "\\bimportScripts\\b",
+      "\\bdocument\\s*\\.\\s*cookie\\b",
+      "\\blocalStorage\\b",
+      "\\bsessionStorage\\b",
+      "\\bindexedDB\\b",
+      "\\bnavigator\\s*\\.\\s*sendBeacon\\b",
+      "\\bchild_process\\b",
+      "\\bprocess\\s*\\.\\s*env\\b"
+    ],
+    maxSourceImportSpecifiers: 30
+  },
+  balanced: {
+    blockedTags: ["script", "iframe", "object", "embed", "link", "meta"],
+    maxTreeDepth: 12,
+    maxNodeCount: 500,
+    allowInlineEventHandlers: false,
+    allowedModules: ["/", "npm:"],
+    allowedNetworkHosts: ["ga.jspm.io", "cdn.jspm.io"],
+    allowArbitraryNetwork: false,
+    allowedExecutionProfiles: [
+      "standard",
+      "isolated-vm",
+      "sandbox-worker",
+      "sandbox-iframe"
+    ],
+    maxTransitionsPerPlan: 100,
+    maxActionsPerTransition: 50,
+    maxAllowedImports: 200,
+    maxAllowedExecutionMs: 15e3,
+    maxAllowedComponentInvocations: 500,
+    allowRuntimeSourceModules: true,
+    maxRuntimeSourceBytes: 8e4,
+    supportedSpecVersions: [import_ir.DEFAULT_RUNTIME_PLAN_SPEC_VERSION],
+    requireSpecVersion: true,
+    requireModuleManifestForBareSpecifiers: true,
+    requireModuleIntegrity: false,
+    allowDynamicSourceImports: false,
+    sourceBannedPatternStrings: [
+      "\\beval\\s*\\(",
+      "\\bnew\\s+Function\\b",
+      "\\bfetch\\s*\\(",
+      "\\bXMLHttpRequest\\b",
+      "\\bWebSocket\\b",
+      "\\bimportScripts\\b",
+      "\\bdocument\\s*\\.\\s*cookie\\b",
+      "\\blocalStorage\\b",
+      "\\bsessionStorage\\b",
+      "\\bchild_process\\b"
+    ],
+    maxSourceImportSpecifiers: 120
+  },
+  relaxed: {
+    blockedTags: ["script", "iframe", "object", "embed"],
+    maxTreeDepth: 24,
+    maxNodeCount: 2e3,
+    allowInlineEventHandlers: true,
+    allowedModules: [
+      "/",
+      "npm:",
+      "https://ga.jspm.io/",
+      "https://cdn.jspm.io/"
+    ],
+    allowedNetworkHosts: ["ga.jspm.io", "cdn.jspm.io", "esm.sh", "unpkg.com"],
+    allowArbitraryNetwork: true,
+    allowedExecutionProfiles: [
+      "standard",
+      "isolated-vm",
+      "sandbox-worker",
+      "sandbox-iframe"
+    ],
+    maxTransitionsPerPlan: 400,
+    maxActionsPerTransition: 150,
+    maxAllowedImports: 1e3,
+    maxAllowedExecutionMs: 6e4,
+    maxAllowedComponentInvocations: 4e3,
+    allowRuntimeSourceModules: true,
+    maxRuntimeSourceBytes: 2e5,
+    supportedSpecVersions: [import_ir.DEFAULT_RUNTIME_PLAN_SPEC_VERSION],
+    requireSpecVersion: false,
+    requireModuleManifestForBareSpecifiers: false,
+    requireModuleIntegrity: false,
+    allowDynamicSourceImports: true,
+    sourceBannedPatternStrings: ["\\bchild_process\\b"],
+    maxSourceImportSpecifiers: 500
+  }
+};
+var DEFAULT_SECURITY_PROFILE = "balanced";
+function listSecurityProfiles() {
+  return Object.keys(SECURITY_PROFILE_POLICIES);
+}
+function getSecurityProfilePolicy(profile) {
+  return clonePolicy(SECURITY_PROFILE_POLICIES[profile]);
+}
+var DefaultSecurityChecker = class {
+  policy = getSecurityProfilePolicy(
+    DEFAULT_SECURITY_PROFILE
+  );
+  profile = DEFAULT_SECURITY_PROFILE;
+  initialize(input) {
+    const normalized = normalizeInitializationInput(input);
+    const profile = normalized.profile ?? DEFAULT_SECURITY_PROFILE;
+    const basePolicy = getSecurityProfilePolicy(profile);
+    this.policy = {
+      ...basePolicy,
+      ...normalized.overrides,
+      blockedTags: normalized.overrides?.blockedTags ?? basePolicy.blockedTags,
+      allowedModules: normalized.overrides?.allowedModules ?? basePolicy.allowedModules,
+      allowedNetworkHosts: normalized.overrides?.allowedNetworkHosts ?? basePolicy.allowedNetworkHosts,
+      allowedExecutionProfiles: normalized.overrides?.allowedExecutionProfiles ?? basePolicy.allowedExecutionProfiles,
+      supportedSpecVersions: normalized.overrides?.supportedSpecVersions ?? basePolicy.supportedSpecVersions,
+      sourceBannedPatternStrings: normalized.overrides?.sourceBannedPatternStrings ?? basePolicy.sourceBannedPatternStrings
+    };
+    this.profile = profile;
+  }
+  getPolicy() {
+    return { ...this.policy };
+  }
+  getProfile() {
+    return this.profile;
+  }
+  async checkPlan(plan) {
+    const issues = [];
+    const diagnostics = [];
+    const planSpecVersion = (0, import_ir.resolveRuntimePlanSpecVersion)(plan.specVersion);
+    const moduleManifest = plan.moduleManifest;
+    if (this.policy.requireSpecVersion && (typeof plan.specVersion !== "string" || plan.specVersion.trim().length === 0)) {
+      issues.push("Runtime plan specVersion is required by policy");
+    }
+    if (!this.policy.supportedSpecVersions.includes(planSpecVersion)) {
+      issues.push(
+        `Runtime plan specVersion ${planSpecVersion} is not supported by policy`
+      );
+    }
+    if (moduleManifest) {
+      issues.push(...this.checkModuleManifest(moduleManifest));
+    }
+    if (this.policy.requireModuleManifestForBareSpecifiers) {
+      issues.push(...await this.checkManifestCoverage(plan, moduleManifest));
+    }
+    const capabilityResult = this.checkCapabilities(
+      plan.capabilities,
+      moduleManifest
+    );
+    issues.push(...capabilityResult.issues);
+    diagnostics.push(...capabilityResult.diagnostics);
+    let nodeCount = 0;
+    const walk = (node, depth) => {
+      nodeCount += 1;
+      if (depth > this.policy.maxTreeDepth) {
+        issues.push(
+          `Node depth ${depth} exceeds maximum ${this.policy.maxTreeDepth}`
+        );
+      }
+      if (node.type === "element") {
+        const normalizedTag = node.tag.toLowerCase();
+        if (this.policy.blockedTags.includes(normalizedTag)) {
+          issues.push(`Blocked tag detected: <${normalizedTag}>`);
+        }
+        if (node.props) {
+          for (const key of Object.keys(node.props)) {
+            if (!this.policy.allowInlineEventHandlers && /^on[A-Z]|^on[a-z]/.test(key)) {
+              issues.push(`Inline event handler is not allowed: ${key}`);
+            }
+          }
+        }
+      }
+      if (node.type === "component") {
+        const componentSpecifier = this.resolveManifestSpecifier(
+          node.module,
+          moduleManifest
+        );
+        const componentResult = this.checkModuleSpecifier(componentSpecifier);
+        issues.push(...componentResult.issues);
+      }
+      if (node.type === "text") {
+        return;
+      }
+      for (const child of node.children ?? []) {
+        walk(child, depth + 1);
+      }
+    };
+    walk(plan.root, 0);
+    if (nodeCount > this.policy.maxNodeCount) {
+      issues.push(
+        `Node count ${nodeCount} exceeds maximum ${this.policy.maxNodeCount}`
+      );
+    }
+    const importSpecifiers = plan.imports ?? [];
+    for (const specifier of importSpecifiers) {
+      const effectiveSpecifier = this.resolveManifestSpecifier(
+        specifier,
+        moduleManifest
+      );
+      const importCheck = this.checkModuleSpecifier(effectiveSpecifier);
+      issues.push(...importCheck.issues);
+    }
+    if (plan.state) {
+      issues.push(...this.checkStateModel(plan.state));
+    }
+    if (plan.source) {
+      issues.push(
+        ...await this.checkRuntimeSource(plan.source, moduleManifest)
+      );
+    }
+    for (const issue of issues) {
+      diagnostics.push({
+        level: "error",
+        code: "SECURITY_POLICY_VIOLATION",
+        message: issue
+      });
+    }
+    return {
+      safe: issues.length === 0,
+      issues,
+      diagnostics
+    };
+  }
+  checkModuleSpecifier(specifier) {
+    const issues = [];
+    const diagnostics = [];
+    if (specifier.includes("..")) {
+      issues.push(
+        `Path traversal is not allowed in module specifier: ${specifier}`
+      );
+    }
+    const isUrl = this.isUrl(specifier);
+    if (isUrl) {
+      const parsedUrl = new URL(specifier);
+      if (!this.policy.allowArbitraryNetwork && !this.policy.allowedNetworkHosts.includes(parsedUrl.host)) {
+        issues.push(`Network host is not in allowlist: ${parsedUrl.host}`);
+      }
+    } else {
+      const allowed = this.policy.allowedModules.length === 0 || this.policy.allowedModules.some(
+        (prefix) => specifier.startsWith(prefix)
+      );
+      if (!allowed) {
+        issues.push(`Module specifier is not in allowlist: ${specifier}`);
+      }
+    }
+    for (const issue of issues) {
+      diagnostics.push({
+        level: "error",
+        code: "SECURITY_MODULE_REJECTED",
+        message: issue
+      });
+    }
+    return {
+      safe: issues.length === 0,
+      issues,
+      diagnostics
+    };
+  }
+  checkCapabilities(capabilities, moduleManifest) {
+    const issues = [];
+    const diagnostics = [];
+    const requestedHosts = capabilities.networkHosts ?? [];
+    if (!this.policy.allowArbitraryNetwork) {
+      for (const host of requestedHosts) {
+        if (!this.policy.allowedNetworkHosts.includes(host)) {
+          issues.push(`Requested network host is not allowed: ${host}`);
+        }
+      }
+    }
+    const requestedModules = capabilities.allowedModules ?? [];
+    for (const moduleSpecifier of requestedModules) {
+      const effectiveSpecifier = this.resolveManifestSpecifier(
+        moduleSpecifier,
+        moduleManifest
+      );
+      const checkResult = this.checkModuleSpecifier(effectiveSpecifier);
+      issues.push(...checkResult.issues);
+      if (this.policy.requireModuleManifestForBareSpecifiers && this.isBareSpecifier(moduleSpecifier) && !moduleManifest?.[moduleSpecifier]) {
+        issues.push(
+          `Missing moduleManifest entry for bare specifier: ${moduleSpecifier}`
+        );
+      }
+    }
+    if (capabilities.executionProfile !== void 0 && !this.policy.allowedExecutionProfiles.includes(
+      capabilities.executionProfile
+    )) {
+      issues.push(
+        `Requested executionProfile ${capabilities.executionProfile} is not allowed`
+      );
+    }
+    if (typeof capabilities.maxImports === "number" && capabilities.maxImports > this.policy.maxAllowedImports) {
+      issues.push(
+        `Requested maxImports ${capabilities.maxImports} exceeds policy limit ${this.policy.maxAllowedImports}`
+      );
+    }
+    if (typeof capabilities.maxExecutionMs === "number" && capabilities.maxExecutionMs > this.policy.maxAllowedExecutionMs) {
+      issues.push(
+        `Requested maxExecutionMs ${capabilities.maxExecutionMs} exceeds policy limit ${this.policy.maxAllowedExecutionMs}`
+      );
+    }
+    if (typeof capabilities.maxComponentInvocations === "number" && capabilities.maxComponentInvocations > this.policy.maxAllowedComponentInvocations) {
+      issues.push(
+        `Requested maxComponentInvocations ${capabilities.maxComponentInvocations} exceeds policy limit ${this.policy.maxAllowedComponentInvocations}`
+      );
+    }
+    for (const issue of issues) {
+      diagnostics.push({
+        level: "error",
+        code: "SECURITY_CAPABILITY_REJECTED",
+        message: issue
+      });
+    }
+    return {
+      safe: issues.length === 0,
+      issues,
+      diagnostics
+    };
+  }
+  checkStateModel(state) {
+    const issues = [];
+    const transitions = state.transitions ?? {};
+    const transitionEntries = Object.entries(transitions);
+    if (transitionEntries.length > this.policy.maxTransitionsPerPlan) {
+      issues.push(
+        `Transition count ${transitionEntries.length} exceeds maximum ${this.policy.maxTransitionsPerPlan}`
+      );
+    }
+    for (const [eventType, actions] of transitionEntries) {
+      if (actions.length > this.policy.maxActionsPerTransition) {
+        issues.push(
+          `Transition ${eventType} has ${actions.length} actions which exceeds maximum ${this.policy.maxActionsPerTransition}`
+        );
+      }
+      for (const action of actions) {
+        issues.push(...this.checkAction(eventType, action));
+      }
+    }
+    return issues;
+  }
+  async checkRuntimeSource(source, moduleManifest) {
+    const issues = [];
+    if (!this.policy.allowRuntimeSourceModules) {
+      issues.push("Runtime source modules are disabled by policy");
+      return issues;
+    }
+    const sourceBytes = typeof TextEncoder !== "undefined" ? new TextEncoder().encode(source.code).length : source.code.length;
+    if (sourceBytes > this.policy.maxRuntimeSourceBytes) {
+      issues.push(
+        `Runtime source size ${sourceBytes} exceeds maximum ${this.policy.maxRuntimeSourceBytes} bytes`
+      );
+    }
+    const sourceImports = await this.parseSourceImports(source.code);
+    if (sourceImports.length > this.policy.maxSourceImportSpecifiers) {
+      issues.push(
+        `Runtime source import count ${sourceImports.length} exceeds maximum ${this.policy.maxSourceImportSpecifiers}`
+      );
+    }
+    for (const sourceImport of sourceImports) {
+      const effectiveSpecifier = this.resolveManifestSpecifier(
+        sourceImport,
+        moduleManifest
+      );
+      const importCheck = this.checkModuleSpecifier(effectiveSpecifier);
+      issues.push(...importCheck.issues);
+      if (this.policy.requireModuleManifestForBareSpecifiers && this.isBareSpecifier(sourceImport) && !moduleManifest?.[sourceImport]) {
+        issues.push(
+          `Runtime source bare import requires manifest entry: ${sourceImport}`
+        );
+      }
+    }
+    if (!this.policy.allowDynamicSourceImports && /\bimport\s*\(/.test(source.code)) {
+      issues.push("Runtime source dynamic import() is disabled by policy");
+    }
+    for (const patternText of this.policy.sourceBannedPatternStrings) {
+      let pattern;
+      try {
+        pattern = new RegExp(patternText, "i");
+      } catch {
+        continue;
+      }
+      if (pattern.test(source.code)) {
+        issues.push(`Runtime source contains blocked pattern: ${patternText}`);
+      }
+    }
+    return issues;
+  }
+  checkModuleManifest(moduleManifest) {
+    const issues = [];
+    for (const [specifier, descriptor] of Object.entries(moduleManifest)) {
+      if (specifier.trim().length === 0) {
+        issues.push("moduleManifest contains an empty specifier key");
+        continue;
+      }
+      if (descriptor.resolvedUrl.trim().length === 0) {
+        issues.push(`moduleManifest entry has empty resolvedUrl: ${specifier}`);
+      }
+      if (this.policy.requireModuleIntegrity && this.isUrl(descriptor.resolvedUrl) && (!descriptor.integrity || descriptor.integrity.trim().length === 0)) {
+        issues.push(
+          `moduleManifest entry requires integrity for remote module: ${specifier}`
+        );
+      }
+      const resolvedCheck = this.checkModuleSpecifier(descriptor.resolvedUrl);
+      issues.push(...resolvedCheck.issues);
+    }
+    return issues;
+  }
+  async checkManifestCoverage(plan, moduleManifest) {
+    const issues = [];
+    const requiredSpecifiers = /* @__PURE__ */ new Set();
+    const imports = plan.imports ?? [];
+    for (const specifier of imports) {
+      if (this.isBareSpecifier(specifier)) {
+        requiredSpecifiers.add(specifier);
+      }
+    }
+    for (const specifier of plan.capabilities.allowedModules ?? []) {
+      if (this.isBareSpecifier(specifier)) {
+        requiredSpecifiers.add(specifier);
+      }
+    }
+    walkNodes(plan.root, (node) => {
+      if (node.type === "component" && this.isBareSpecifier(node.module)) {
+        requiredSpecifiers.add(node.module);
+      }
+    });
+    for (const sourceImport of await this.parseSourceImports(
+      plan.source?.code ?? ""
+    )) {
+      if (this.isBareSpecifier(sourceImport)) {
+        requiredSpecifiers.add(sourceImport);
+      }
+    }
+    for (const specifier of requiredSpecifiers) {
+      if (!moduleManifest?.[specifier]) {
+        issues.push(
+          `Missing moduleManifest entry for bare specifier: ${specifier}`
+        );
+      }
+    }
+    return issues;
+  }
+  resolveManifestSpecifier(specifier, moduleManifest) {
+    const descriptor = moduleManifest?.[specifier];
+    if (!descriptor || descriptor.resolvedUrl.trim().length === 0) {
+      return specifier;
+    }
+    return descriptor.resolvedUrl;
+  }
+  async parseSourceImports(code) {
+    if (code.trim().length === 0) {
+      return [];
+    }
+    return (0, import_ir.collectRuntimeSourceImports)(code);
+  }
+  isBareSpecifier(specifier) {
+    return !specifier.startsWith("./") && !specifier.startsWith("../") && !specifier.startsWith("/") && !specifier.startsWith("http://") && !specifier.startsWith("https://") && !specifier.startsWith("data:") && !specifier.startsWith("blob:");
+  }
+  checkAction(eventType, action) {
+    const issues = [];
+    if (!(0, import_ir.isSafePath)(action.path)) {
+      issues.push(`Unsafe action path in ${eventType}: ${action.path}`);
+    }
+    if (action.type === "increment" && typeof action.by === "number" && !Number.isFinite(action.by)) {
+      issues.push(`Invalid increment value for ${eventType}: ${action.by}`);
+    }
+    if (action.type === "set" || action.type === "push") {
+      const value = action.value;
+      if ((0, import_ir.isRuntimeValueFromPath)(value)) {
+        const source = value.$from;
+        const allowedPrefix = source.startsWith("state.") || source.startsWith("event.") || source.startsWith("context.") || source.startsWith("vars.");
+        if (!allowedPrefix) {
+          issues.push(`Unsupported value source in ${eventType}: ${source}`);
+        }
+        if (!(0, import_ir.isSafePath)(source.replace(/^(state|event|context|vars)\./, ""))) {
+          issues.push(`Unsafe value source path in ${eventType}: ${source}`);
+        }
+      }
+    }
+    return issues;
+  }
+  isUrl(specifier) {
+    try {
+      const parsed = new URL(specifier);
+      return parsed.protocol === "http:" || parsed.protocol === "https:";
+    } catch {
+      return false;
+    }
+  }
+};
+function clonePolicy(policy) {
+  return {
+    ...policy,
+    blockedTags: [...policy.blockedTags],
+    allowedModules: [...policy.allowedModules],
+    allowedNetworkHosts: [...policy.allowedNetworkHosts],
+    allowedExecutionProfiles: [...policy.allowedExecutionProfiles],
+    supportedSpecVersions: [...policy.supportedSpecVersions],
+    sourceBannedPatternStrings: [...policy.sourceBannedPatternStrings]
+  };
+}
+function walkNodes(node, visitor) {
+  visitor(node);
+  if (node.type === "text") {
+    return;
+  }
+  for (const child of node.children ?? []) {
+    walkNodes(child, visitor);
+  }
+}
+function normalizeInitializationInput(input) {
+  if (!input) {
+    return {};
+  }
+  if (isSecurityInitializationOptions(input)) {
+    return input;
+  }
+  return {
+    overrides: input
+  };
+}
+function isSecurityInitializationOptions(value) {
+  if (typeof value !== "object" || value === null || Array.isArray(value)) {
+    return false;
+  }
+  return "profile" in value || "overrides" in value;
+}
+//# sourceMappingURL=security.cjs.js.map