@revealui/security 0.2.7 → 0.3.0

package/README.md

@@ -9,6 +9,7 @@ Security infrastructure for RevealUI. Provides HTTP security headers, CORS manag
 - You need audit logging for compliance (SOC2, HIPAA)
 - You need GDPR tooling: consent management, data export, breach reporting, anonymization
 - You need field-level encryption or key rotation
+- You need to sanitize untrusted input before rendering (terminal streams, shell args, SQL identifiers)
 
 If you only need session auth (login/logout/password reset), use `@revealui/auth` instead.
 
@@ -83,6 +84,14 @@ Dependencies: `@revealui/contracts`, `@revealui/utils`
 | `InMemoryGDPRStorage` | Class | In-memory GDPR storage for testing |
 | `InMemoryBreachStorage` | Class | In-memory breach storage for testing |
 
+### Input Sanitization
+
+| Export | Type | Purpose |
+|--------|------|---------|
+| `sanitizeTerminalLine` | Function | Strip ANSI escape sequences from untrusted terminal output; preserves SGR color codes, removes CSI/OSC/DCS sequences and C0/C1 control chars |
+
+Used by RevDev Studio's terminal view to neutralize malicious output (e.g. cursor hijacking, title injection) before rendering. Consumers must treat all subprocess stdout/stderr as untrusted.
+
 ## JOSHUA Alignment
 
 - **Hermetic**: Security boundaries are sealed  -  auth checks happen at middleware, never inside business logic

package/dist/index.d.ts

@@ -413,18 +413,6 @@ declare class OAuthClient {
         picture?: string;
     }>;
 }
-/**
- * Hash password with PBKDF2 and random salt
- */
-declare function hashPassword(password: string): Promise<string>;
-/**
- * Verify password against stored hash
- */
-declare function verifyPassword(password: string, storedHash: string): Promise<boolean>;
-declare const PasswordHasher: {
-    readonly hash: typeof hashPassword;
-    readonly verify: typeof verifyPassword;
-};
 /**
  * Generate TOTP secret
  */
@@ -1504,4 +1492,120 @@ interface SecurityLogger {
  */
 declare function configureSecurityLogger(logger: SecurityLogger): void;
 
-export { type AlertHandler, type AlertingConfig, AuditAlertHandler, type AuditEvent, type AuditEventType, type AuditQuery, AuditReportGenerator, type AuditSeverity, type AuditStorage, AuditSystem, AuditTrail, type AuthorizationContext, AuthorizationSystem, type BreachStorage, type CORSConfig, CORSManager, CORSPresets, CommonRoles, ConsentManager, type ConsentRecord, type ConsentType, type ContentSecurityPolicyConfig, type CookieConsentConfig, CookieConsentManager, DEFAULT_THRESHOLDS, DataAnonymization, type DataBreach, DataBreachManager, type DataCategory, type DataDeletionRequest, DataDeletionSystem, DataExportSystem, DataMasking, type DataProcessingPurpose, type EncryptedData, type EncryptionConfig, EncryptionSystem, EnvelopeEncryption, FieldEncryption, type GDPRStorage, type HSTSConfig, InMemoryAuditStorage, InMemoryBreachStorage, InMemoryGDPRStorage, KeyRotationManager, LogAlertHandler, OAuthClient, type OAuthConfig, OAuthProviders, PasswordHasher, type Permission, PermissionBuilder, PermissionCache, type PermissionsPolicyConfig, type PersonalDataExport, type Policy, PolicyBuilder, type PolicyCondition, PrivacyPolicyManager, type ReferrerPolicyValue, RequirePermission, RequireRole, type Role, type SecurityAlert, SecurityAlertService, SecurityHeaders, type SecurityHeadersConfig, type SecurityLogger, SecurityPresets, type ThresholdRule, TokenGenerator, TwoFactorAuth, type User, WebhookAlertHandler, audit, authorization, canAccessResource, checkAttributeAccess, configureSecurityLogger, cookieConsentManager, createAuditMiddleware, createAuthorizationMiddleware, createConsentManager, createDataBreachManager, createDataDeletionSystem, createSecurityMiddleware, dataExportSystem, encryption, permissionCache, privacyPolicyManager, setRateLimitHeaders, signAuditEntry, verifyAuditEntry };
+/**
+ * Input-sanitization primitives for untrusted strings heading into a
+ * control-sequence-sensitive sink (terminal, URL, HTML, shell, etc.).
+ *
+ * Scope: call these at the point a string crosses into a sink that parses
+ * control bytes. Do not pre-sanitize at data ingress — sanitize for the
+ * output context, where the threat model is concrete.
+ */
+/**
+ * Sanitize a string destined for a terminal banner / welcome sink.
+ * Preserves SGR colour + attribute escapes, strips every other control
+ * byte and ANSI sequence family.
+ *
+ * Why: untrusted ANSI is a known terminal-escape-injection surface
+ * (cursor hijack, window-title rewrite, OSC-8 hyperlink spoofing). Use
+ * this for any string the app writes to a terminal that did not come
+ * directly from a trusted PTY.
+ */
+declare function sanitizeTerminalLine(input: string): string;
+type ShellDialect = 'posix' | 'cmd' | 'powershell';
+/**
+ * Quote an untrusted string so it traverses a shell as a single literal
+ * argv token, with no metacharacter interpretation.
+ *
+ * Use this only when a real shell is unavoidable. For local `spawn()`
+ * calls, pass an argv array instead and skip shell parsing entirely.
+ *
+ * @param arg   - The untrusted value to embed.
+ * @param shell - `'posix'` (default) for sh/bash/zsh, `'cmd'` for
+ *                Windows cmd.exe, `'powershell'` for PowerShell.
+ * @throws If `arg` contains a NUL byte (which every shell treats as an
+ *         argument terminator — no safe encoding exists).
+ */
+declare function escapeShellArg(arg: string, shell?: ShellDialect): string;
+/**
+ * Quote + escape a Postgres identifier for safe interpolation into raw
+ * SQL. Returns `"name"`, with embedded double-quotes doubled.
+ *
+ * Throws on empty input, NUL bytes, or anything over 63 bytes — the
+ * three failure modes where silent acceptance would produce a
+ * syntactically valid but semantically wrong query.
+ *
+ * Prefer Drizzle's `sql.identifier()` for compile-time-known names;
+ * reach for this only when the identifier truly has to flow through
+ * user input or runtime configuration.
+ */
+declare function escapeSqlIdentifier(identifier: string): string;
+type UrlContext = 'link' | 'image';
+/**
+ * Return `true` if the URL is safe to render in the given context.
+ *
+ * - `link` (default): http(s), mailto:, tel:, fragment, relative path.
+ * - `image`: same as link, plus `data:image/…` for inline base64 images.
+ *
+ * Blocks `javascript:` / `vbscript:` / non-image `data:`, including
+ * leading-whitespace evasions (` javascript:…`) and mixed-case
+ * (`JaVaScRiPt:…`). Unknown schemes are blocked by default — allow-list,
+ * not deny-list.
+ */
+declare function isSafeUrl(url: string, context?: UrlContext): boolean;
+/**
+ * Sanitize a URL for rendering. Returns the trimmed input if safe,
+ * otherwise `'#'` — a harmless anchor that renders without navigation.
+ */
+declare function sanitizeUrl(url: string, context?: UrlContext): string;
+interface SanitizeHtmlOptions {
+    /** Additional tag names allowed on top of the default set. Lower-case. */
+    readonly extraTags?: readonly string[];
+    /** Additional per-tag attributes, keyed by lower-case tag name. */
+    readonly extraAttrs?: Readonly<Record<string, readonly string[]>>;
+}
+/**
+ * Sanitize an untrusted HTML string against a tag + attribute allow-list.
+ *
+ * Safe to render the result via `dangerouslySetInnerHTML` or direct
+ * `innerHTML=`. Known-dangerous containers (script, style, iframe, etc.)
+ * are dropped with their contents; unknown tags are unwrapped; every
+ * `on*` event-handler attribute is stripped; URL attributes (`href`,
+ * `src`, `cite`) are filtered through `isSafeUrl`.
+ *
+ * For Lexical / markdown render paths — sanitize at the sink.
+ */
+declare function sanitizeHtml(input: string, options?: SanitizeHtmlOptions): string;
+declare const REDACTED: "[REDACTED]";
+/**
+ * `true` if `key` names a class of value that must never reach a log.
+ * Match is case-insensitive substring so variants like `userApiKey`,
+ * `X-API-KEY`, `apikey`, `sessionId` all resolve to the same class.
+ */
+declare function isSensitiveLogKey(key: string): boolean;
+/**
+ * Scrub inline secret shapes (JWT, Bearer headers, provider API keys)
+ * from an arbitrary string — for log messages, error messages, and
+ * anything else that may have been concatenated from untrusted sources.
+ * Returns the original string if nothing matched.
+ */
+declare function redactSecretsInString(input: string): string;
+/**
+ * Decide the safe form of a single log field.
+ *
+ * - If `key` is sensitive: returns `REDACTED` regardless of value shape.
+ * - If `value` is a string: returns it with inline secret shapes scrubbed.
+ * - Otherwise: returns `value` unchanged. Nested objects/arrays are the
+ *   caller's responsibility — use `redactLogContext` to walk a tree.
+ */
+declare function redactLogField(key: string, value: unknown): unknown;
+/**
+ * Recursively redact a log context object. Walks plain objects and
+ * arrays; leaves Dates, Errors, Maps, Sets, typed arrays, and other
+ * non-plain objects untouched (stringifying them is the logger's job).
+ *
+ * Depth is capped at 8 to avoid pathological payloads — deeper levels
+ * are replaced with `REDACTED` rather than recursed into.
+ */
+declare function redactLogContext<T>(obj: T): T;
+
+export { type AlertHandler, type AlertingConfig, AuditAlertHandler, type AuditEvent, type AuditEventType, type AuditQuery, AuditReportGenerator, type AuditSeverity, type AuditStorage, AuditSystem, AuditTrail, type AuthorizationContext, AuthorizationSystem, type BreachStorage, type CORSConfig, CORSManager, CORSPresets, CommonRoles, ConsentManager, type ConsentRecord, type ConsentType, type ContentSecurityPolicyConfig, type CookieConsentConfig, CookieConsentManager, DEFAULT_THRESHOLDS, DataAnonymization, type DataBreach, DataBreachManager, type DataCategory, type DataDeletionRequest, DataDeletionSystem, DataExportSystem, DataMasking, type DataProcessingPurpose, type EncryptedData, type EncryptionConfig, EncryptionSystem, EnvelopeEncryption, FieldEncryption, type GDPRStorage, type HSTSConfig, InMemoryAuditStorage, InMemoryBreachStorage, InMemoryGDPRStorage, KeyRotationManager, LogAlertHandler, OAuthClient, type OAuthConfig, OAuthProviders, type Permission, PermissionBuilder, PermissionCache, type PermissionsPolicyConfig, type PersonalDataExport, type Policy, PolicyBuilder, type PolicyCondition, PrivacyPolicyManager, REDACTED, type ReferrerPolicyValue, RequirePermission, RequireRole, type Role, type SanitizeHtmlOptions, type SecurityAlert, SecurityAlertService, SecurityHeaders, type SecurityHeadersConfig, type SecurityLogger, SecurityPresets, type ShellDialect, type ThresholdRule, TokenGenerator, TwoFactorAuth, type UrlContext, type User, WebhookAlertHandler, audit, authorization, canAccessResource, checkAttributeAccess, configureSecurityLogger, cookieConsentManager, createAuditMiddleware, createAuthorizationMiddleware, createConsentManager, createDataBreachManager, createDataDeletionSystem, createSecurityMiddleware, dataExportSystem, encryption, escapeShellArg, escapeSqlIdentifier, isSafeUrl, isSensitiveLogKey, permissionCache, privacyPolicyManager, redactLogContext, redactLogField, redactSecretsInString, sanitizeHtml, sanitizeTerminalLine, sanitizeUrl, setRateLimitHeaders, signAuditEntry, verifyAuditEntry };

package/dist/index.js

@@ -321,44 +321,6 @@ var OAuthClient = class {
     return response.json();
   }
 };
-var PH_ITERATIONS = 1e5;
-var PH_KEY_LENGTH = 64;
-var PH_DIGEST = "sha512";
-async function hashPassword(password) {
-  const { pbkdf2, randomBytes: rb } = await import("crypto");
-  const salt = rb(16).toString("hex");
-  return new Promise((resolve, reject) => {
-    pbkdf2(password, salt, PH_ITERATIONS, PH_KEY_LENGTH, PH_DIGEST, (err, derivedKey) => {
-      if (err) reject(err);
-      else resolve(`${salt}:${derivedKey.toString("hex")}`);
-    });
-  });
-}
-async function verifyPassword(password, storedHash) {
-  const { pbkdf2, timingSafeEqual: tse } = await import("crypto");
-  const [salt, hash] = storedHash.split(":");
-  if (!(salt && hash)) {
-    return false;
-  }
-  return new Promise((resolve, reject) => {
-    pbkdf2(password, salt, PH_ITERATIONS, PH_KEY_LENGTH, PH_DIGEST, (err, derivedKey) => {
-      if (err) reject(err);
-      else {
-        const derived = Buffer.from(derivedKey.toString("hex"), "utf-8");
-        const expected = Buffer.from(hash, "utf-8");
-        if (derived.length !== expected.length) {
-          resolve(false);
-        } else {
-          resolve(tse(derived, expected));
-        }
-      }
-    });
-  });
-}
-var PasswordHasher = {
-  hash: hashPassword,
-  verify: verifyPassword
-};
 function base32Encode(buffer) {
   const alphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567";
   let result = "";
@@ -2224,6 +2186,340 @@ function setRateLimitHeaders(response, limit, remaining, reset) {
   response.headers.set("X-RateLimit-Remaining", remaining.toString());
   response.headers.set("X-RateLimit-Reset", reset.toString());
 }
+
+// src/sanitize.ts
+import { defaultTreeAdapter, parseFragment, serialize } from "parse5";
+var ANY_TERMINAL_ESCAPE = /\x1b\](?:[^\x07\x1b]*)(?:\x07|\x1b\\)?|\x1b[PX^_](?:[^\x1b]*)(?:\x1b\\)?|\x1b\[[0-?]*[ -/]*[@-~]|\x1b.|\x1b/g;
+var SGR_CSI = /^\x1b\[[0-?]*[ -/]*m$/;
+var DISALLOWED_TERMINAL_CONTROL = /[\x00-\x08\x0b\x0c\x0e-\x1a\x1c-\x1f\x7f]/g;
+function sanitizeTerminalLine(input) {
+  const stripped = input.replace(
+    ANY_TERMINAL_ESCAPE,
+    (match) => SGR_CSI.test(match) ? match : ""
+  );
+  return stripped.replace(DISALLOWED_TERMINAL_CONTROL, "");
+}
+function escapePosix(arg) {
+  return `'${arg.replace(/'/g, `'\\''`)}'`;
+}
+function escapeCmd(arg) {
+  const quoted = `"${arg.replace(/"/g, '""')}"`;
+  return quoted.replace(/([&|<>^()%!])/g, "^$1");
+}
+function escapePowerShell(arg) {
+  return `'${arg.replace(/'/g, `''`)}'`;
+}
+function escapeShellArg(arg, shell = "posix") {
+  if (arg.includes("\0")) {
+    throw new Error("escapeShellArg: NUL byte in argument \u2014 no shell can represent it");
+  }
+  switch (shell) {
+    case "posix":
+      return escapePosix(arg);
+    case "cmd":
+      return escapeCmd(arg);
+    case "powershell":
+      return escapePowerShell(arg);
+    default: {
+      const _exhaustive = shell;
+      throw new Error(`escapeShellArg: unknown shell dialect ${String(_exhaustive)}`);
+    }
+  }
+}
+var MAX_PG_IDENTIFIER_BYTES = 63;
+function escapeSqlIdentifier(identifier) {
+  if (identifier === "") {
+    throw new Error("escapeSqlIdentifier: identifier must not be empty");
+  }
+  if (identifier.includes("\0")) {
+    throw new Error("escapeSqlIdentifier: identifier contains NUL byte");
+  }
+  const byteLength = Buffer.byteLength(identifier, "utf8");
+  if (byteLength > MAX_PG_IDENTIFIER_BYTES) {
+    throw new Error(
+      `escapeSqlIdentifier: identifier exceeds ${MAX_PG_IDENTIFIER_BYTES}-byte limit (got ${byteLength} bytes) \u2014 Postgres silently truncates longer names`
+    );
+  }
+  return `"${identifier.split('"').join('""')}"`;
+}
+var SAFE_LINK_PROTOCOLS = /^(?:https?:|mailto:|tel:|#|\/)/i;
+var SAFE_IMAGE_DATA_URI = /^data:image\//i;
+var DANGEROUS_SCRIPT_PROTOCOL = /^(?:javascript|vbscript):/i;
+var ANY_DATA_URI = /^data:/i;
+function isSafeUrl(url, context = "link") {
+  const trimmed = url.trim();
+  if (trimmed === "" || trimmed === "#") {
+    return true;
+  }
+  if (context === "image" && SAFE_IMAGE_DATA_URI.test(trimmed)) {
+    return true;
+  }
+  if (ANY_DATA_URI.test(trimmed)) {
+    return false;
+  }
+  if (DANGEROUS_SCRIPT_PROTOCOL.test(trimmed)) {
+    return false;
+  }
+  if (SAFE_LINK_PROTOCOLS.test(trimmed) || !trimmed.includes(":")) {
+    return true;
+  }
+  return false;
+}
+function sanitizeUrl(url, context = "link") {
+  return isSafeUrl(url, context) ? url.trim() : "#";
+}
+var DEFAULT_ALLOWED_TAGS = /* @__PURE__ */ new Set([
+  "a",
+  "b",
+  "blockquote",
+  "br",
+  "code",
+  "div",
+  "em",
+  "h1",
+  "h2",
+  "h3",
+  "h4",
+  "h5",
+  "h6",
+  "hr",
+  "i",
+  "img",
+  "li",
+  "ol",
+  "p",
+  "pre",
+  "s",
+  "span",
+  "strong",
+  "sub",
+  "sup",
+  "table",
+  "tbody",
+  "td",
+  "tfoot",
+  "th",
+  "thead",
+  "tr",
+  "u",
+  "ul"
+]);
+var DANGEROUS_CONTAINER_TAGS = /* @__PURE__ */ new Set([
+  "applet",
+  "base",
+  "body",
+  "embed",
+  "form",
+  "frame",
+  "frameset",
+  "head",
+  "html",
+  "iframe",
+  "input",
+  "link",
+  "math",
+  "meta",
+  "noembed",
+  "noframes",
+  "noscript",
+  "object",
+  "script",
+  "select",
+  "style",
+  "svg",
+  "template",
+  "textarea",
+  "title",
+  "xml"
+]);
+var GLOBAL_ATTRS = /* @__PURE__ */ new Set(["class", "id", "title", "lang", "dir"]);
+var PER_TAG_ATTRS = {
+  a: /* @__PURE__ */ new Set(["href", "target", "rel", "name"]),
+  img: /* @__PURE__ */ new Set(["src", "alt", "width", "height", "loading"]),
+  td: /* @__PURE__ */ new Set(["colspan", "rowspan", "align", "valign"]),
+  th: /* @__PURE__ */ new Set(["colspan", "rowspan", "align", "valign", "scope"]),
+  ol: /* @__PURE__ */ new Set(["start", "reversed", "type"]),
+  li: /* @__PURE__ */ new Set(["value"]),
+  code: /* @__PURE__ */ new Set(["data-language"]),
+  pre: /* @__PURE__ */ new Set(["data-language"]),
+  blockquote: /* @__PURE__ */ new Set(["cite"])
+};
+var URL_ATTRS = {
+  href: "link",
+  src: "image",
+  cite: "link"
+};
+function sanitizeHtml(input, options) {
+  const allowedTags = new Set(DEFAULT_ALLOWED_TAGS);
+  if (options?.extraTags) {
+    for (const t of options.extraTags) allowedTags.add(t.toLowerCase());
+  }
+  const extraAttrs = options?.extraAttrs ?? {};
+  const fragment = parseFragment(input);
+  filterChildren(fragment, allowedTags, extraAttrs);
+  return serialize(fragment);
+}
+function filterChildren(parent, allowedTags, extraAttrs) {
+  const kept = [];
+  for (const node of parent.childNodes) {
+    const next = filterNode(node, allowedTags, extraAttrs);
+    for (const n of next) {
+      n.parentNode = parent;
+      kept.push(n);
+    }
+  }
+  parent.childNodes = kept;
+}
+function filterNode(node, allowedTags, extraAttrs) {
+  if (defaultTreeAdapter.isElementNode(node)) {
+    const tag = node.tagName.toLowerCase();
+    if (DANGEROUS_CONTAINER_TAGS.has(tag)) {
+      return [];
+    }
+    filterChildren(node, allowedTags, extraAttrs);
+    if (!allowedTags.has(tag)) {
+      return node.childNodes.slice();
+    }
+    node.attrs = filterAttrs(tag, node.attrs, extraAttrs);
+    hardenAnchor(tag, node);
+    return [node];
+  }
+  if (defaultTreeAdapter.isTextNode(node)) {
+    return [node];
+  }
+  return [];
+}
+function filterAttrs(tag, attrs, extraAttrs) {
+  const tagAttrs = PER_TAG_ATTRS[tag];
+  const extraForTag = extraAttrs[tag];
+  const out = [];
+  for (const attr of attrs) {
+    const name = attr.name.toLowerCase();
+    if (name.startsWith("on")) continue;
+    if (name === "style") continue;
+    if (name === "srcdoc") continue;
+    if (name === "xmlns" || name.startsWith("xmlns:")) continue;
+    if (name.includes(":")) continue;
+    const allowed = GLOBAL_ATTRS.has(name) || tagAttrs?.has(name) || extraForTag?.includes(name) || name.startsWith("data-") || name.startsWith("aria-");
+    if (!allowed) continue;
+    if (name in URL_ATTRS) {
+      const context = URL_ATTRS[name];
+      if (context === void 0 || !isSafeUrl(attr.value, context)) continue;
+      out.push({ ...attr, name, value: attr.value.trim() });
+      continue;
+    }
+    out.push({ ...attr, name });
+  }
+  return out;
+}
+function hardenAnchor(tag, node) {
+  if (tag !== "a") return;
+  const target = node.attrs.find((a) => a.name === "target");
+  if (!target || target.value !== "_blank") return;
+  const rel = node.attrs.find((a) => a.name === "rel");
+  const tokens = new Set((rel?.value ?? "").split(/\s+/).filter(Boolean));
+  tokens.add("noopener");
+  tokens.add("noreferrer");
+  const merged = Array.from(tokens).join(" ");
+  if (rel) {
+    rel.value = merged;
+  } else {
+    node.attrs.push({ name: "rel", value: merged });
+  }
+}
+var REDACTED = "[REDACTED]";
+var SENSITIVE_KEY_SUBSTRINGS = [
+  "password",
+  "passwd",
+  "pwd",
+  "secret",
+  "token",
+  "apikey",
+  "authorization",
+  "cookie",
+  "session",
+  "privatekey",
+  "encryptedkey",
+  "creditcard",
+  "cardnumber",
+  "cvv",
+  "cvc",
+  "ssn"
+];
+var NON_ALNUM = /[^a-z0-9]/g;
+var SECRET_VALUE_PATTERNS = [
+  // JWT (header.payload.signature) — base64url segments, min lengths keep
+  // this from matching arbitrary dotted identifiers.
+  /eyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}/g,
+  // Bearer <token> in header-style strings.
+  /\b[Bb]earer\s+[A-Za-z0-9._~+/-]{16,}=*/g,
+  // OpenAI: sk-…, sk-proj-…, sk-svcacct-…
+  /\bsk-(?:proj-|svcacct-)?[A-Za-z0-9_-]{20,}/g,
+  // Stripe secret + restricted keys.
+  /\b(?:sk|rk)_(?:live|test)_[A-Za-z0-9]{20,}/g,
+  // Stripe webhook signing secret.
+  /\bwhsec_[A-Za-z0-9]{20,}/g,
+  // AWS access key id.
+  /\bAKIA[0-9A-Z]{16}\b/g,
+  // GitHub classic PAT (36+ char suffix) and fine-grained token.
+  /\bghp_[A-Za-z0-9]{20,}/g,
+  /\bgithub_pat_[A-Za-z0-9_]{20,}/g
+];
+function isSensitiveLogKey(key) {
+  const normalised = key.toLowerCase().replace(NON_ALNUM, "");
+  for (const needle of SENSITIVE_KEY_SUBSTRINGS) {
+    if (normalised.includes(needle)) return true;
+  }
+  return false;
+}
+function redactSecretsInString(input) {
+  let out = input;
+  for (const pattern of SECRET_VALUE_PATTERNS) {
+    out = out.replace(pattern, REDACTED);
+  }
+  return out;
+}
+function redactLogField(key, value) {
+  if (isSensitiveLogKey(key)) {
+    return REDACTED;
+  }
+  if (typeof value === "string") {
+    return redactSecretsInString(value);
+  }
+  return value;
+}
+var MAX_REDACT_DEPTH = 8;
+function redactLogContext(obj) {
+  return walk(obj, 0);
+}
+function isPlainObject(v) {
+  if (v === null || typeof v !== "object") return false;
+  const proto = Object.getPrototypeOf(v);
+  return proto === Object.prototype || proto === null;
+}
+function walk(value, depth) {
+  if (depth >= MAX_REDACT_DEPTH) {
+    return isPlainObject(value) || Array.isArray(value) ? REDACTED : value;
+  }
+  if (typeof value === "string") {
+    return redactSecretsInString(value);
+  }
+  if (Array.isArray(value)) {
+    return value.map((item) => walk(item, depth + 1));
+  }
+  if (isPlainObject(value)) {
+    const out = {};
+    for (const [k, v] of Object.entries(value)) {
+      if (isSensitiveLogKey(k)) {
+        out[k] = REDACTED;
+      } else {
+        out[k] = walk(v, depth + 1);
+      }
+    }
+    return out;
+  }
+  return value;
+}
 export {
   AuditAlertHandler,
   AuditReportGenerator,
@@ -2251,11 +2547,11 @@ export {
   LogAlertHandler,
   OAuthClient,
   OAuthProviders,
-  PasswordHasher,
   PermissionBuilder,
   PermissionCache,
   PolicyBuilder,
   PrivacyPolicyManager,
+  REDACTED,
   RequirePermission,
   RequireRole,
   SecurityAlertService,
@@ -2278,8 +2574,18 @@ export {
   createSecurityMiddleware,
   dataExportSystem,
   encryption,
+  escapeShellArg,
+  escapeSqlIdentifier,
+  isSafeUrl,
+  isSensitiveLogKey,
   permissionCache,
   privacyPolicyManager,
+  redactLogContext,
+  redactLogField,
+  redactSecretsInString,
+  sanitizeHtml,
+  sanitizeTerminalLine,
+  sanitizeUrl,
   setRateLimitHeaders,
   signAuditEntry,
   verifyAuditEntry

package/package.json

@@ -1,10 +1,11 @@
 {
   "name": "@revealui/security",
-  "version": "0.2.7",
+  "version": "0.3.0",
   "description": "Security infrastructure for RevealUI - headers, CORS, RBAC/ABAC, encryption, audit, GDPR",
   "license": "MIT",
   "dependencies": {
-    "@revealui/contracts": "1.3.7",
+    "parse5": "^8.0.0",
+    "@revealui/contracts": "1.4.0",
     "@revealui/utils": "0.3.4"
   },
   "devDependencies": {