@safeaccess/inline 0.1.1 → 0.1.2

package/tests/accessors/formats/ini-accessor.test.ts

@@ -0,0 +1,186 @@
+import { describe, expect, it } from 'vitest';
+import { IniAccessor } from '../../../src/accessors/formats/ini-accessor.js';
+import { DotNotationParser } from '../../../src/core/dot-notation-parser.js';
+import { SecurityGuard } from '../../../src/security/security-guard.js';
+import { SecurityParser } from '../../../src/security/security-parser.js';
+import { InvalidFormatException } from '../../../src/exceptions/invalid-format-exception.js';
+
+function makeParser(secParser?: SecurityParser): DotNotationParser {
+    return new DotNotationParser(new SecurityGuard(), secParser ?? new SecurityParser());
+}
+
+describe(IniAccessor.name, () => {
+    it('parses flat key=value pairs', () => {
+        const a = new IniAccessor(makeParser()).from('name=Alice\nage=30');
+        expect(a.get('name')).toBe('Alice');
+        expect(a.get('age')).toBe(30);
+    });
+
+    it('parses sections as nested keys', () => {
+        const a = new IniAccessor(makeParser()).from('[db]\nhost=localhost\nport=5432');
+        expect(a.get('db.host')).toBe('localhost');
+        expect(a.get('db.port')).toBe(5432);
+    });
+
+    it('throws InvalidFormatException for non-string input', () => {
+        expect(() => new IniAccessor(makeParser()).from(null)).toThrow(InvalidFormatException);
+    });
+
+    it('throws InvalidFormatException for number input', () => {
+        expect(() => new IniAccessor(makeParser()).from(42)).toThrow(InvalidFormatException);
+    });
+
+    it('skips comment lines starting with #', () => {
+        const a = new IniAccessor(makeParser()).from('# comment\nkey=value');
+        expect(a.has('# comment')).toBe(false);
+        expect(a.get('key')).toBe('value');
+    });
+
+    it('skips comment lines starting with ;', () => {
+        const a = new IniAccessor(makeParser()).from('; comment\nkey=value');
+        expect(a.get('key')).toBe('value');
+    });
+
+    it('skips blank lines', () => {
+        const a = new IniAccessor(makeParser()).from('\nkey=value\n');
+        expect(a.get('key')).toBe('value');
+    });
+
+    it('casts true, yes, on to boolean true', () => {
+        const a = new IniAccessor(makeParser()).from('a=true\nb=yes\nc=on');
+        expect(a.get('a')).toBe(true);
+        expect(a.get('b')).toBe(true);
+        expect(a.get('c')).toBe(true);
+    });
+
+    it('casts false, no, off, none to boolean false', () => {
+        const a = new IniAccessor(makeParser()).from('a=false\nb=no\nc=off\nd=none');
+        expect(a.get('a')).toBe(false);
+        expect(a.get('b')).toBe(false);
+        expect(a.get('c')).toBe(false);
+        expect(a.get('d')).toBe(false);
+    });
+
+    it('casts null and empty string to null', () => {
+        const a = new IniAccessor(makeParser()).from('a=null\nb=');
+        expect(a.get('a')).toBeNull();
+        expect(a.get('b')).toBeNull();
+    });
+
+    it('strips surrounding double quotes', () => {
+        const a = new IniAccessor(makeParser()).from('msg="hello world"');
+        expect(a.get('msg')).toBe('hello world');
+    });
+
+    it('strips surrounding single quotes', () => {
+        const a = new IniAccessor(makeParser()).from("msg='hello world'");
+        expect(a.get('msg')).toBe('hello world');
+    });
+
+    it('casts integer values', () => {
+        const a = new IniAccessor(makeParser()).from('port=3306');
+        expect(a.get('port')).toBe(3306);
+    });
+
+    it('casts float values', () => {
+        const a = new IniAccessor(makeParser()).from('ratio=3.14');
+        expect(a.get('ratio')).toBe(3.14);
+    });
+
+    it('skips lines without = sign', () => {
+        const a = new IniAccessor(makeParser()).from('badline\nkey=value');
+        expect(a.has('badline')).toBe(false);
+    });
+
+    it('parses multiple sections', () => {
+        const a = new IniAccessor(makeParser()).from('[app]\nname=MyApp\n[db]\nhost=localhost');
+        expect(a.get('app.name')).toBe('MyApp');
+        expect(a.get('db.host')).toBe('localhost');
+    });
+
+    it('error message from from() includes the actual typeof data', () => {
+        expect(() => new IniAccessor(makeParser()).from(42)).toThrow(/number/);
+    });
+
+    it('preserves existing section keys when section header appears twice', () => {
+        const a = new IniAccessor(makeParser()).from('[db]\nhost=localhost\n[db]\nport=5432');
+        expect(a.get('db.host')).toBe('localhost');
+        expect(a.get('db.port')).toBe(5432);
+    });
+
+    it('trims whitespace from key names and raw values', () => {
+        const a = new IniAccessor(makeParser()).from('  name  =  Alice  ');
+        expect(a.get('name')).toBe('Alice');
+    });
+
+    it('parses section with underscored name', () => {
+        const a = new IniAccessor(makeParser()).from('[my_section]\nkey=val');
+        expect(a.get('my_section.key')).toBe('val');
+    });
+
+    it('does not strip double quotes when only one side is present', () => {
+        const a = new IniAccessor(makeParser()).from('key=hello"');
+        expect(a.get('key')).toBe('hello"');
+    });
+
+    it('does not strip single quotes when only one side is present', () => {
+        const a = new IniAccessor(makeParser()).from("key=hello'");
+        expect(a.get('key')).toBe("hello'");
+    });
+
+    it('does not strip double quotes when value starts without quote', () => {
+        const a = new IniAccessor(makeParser()).from('key="hello');
+        expect(a.get('key')).toBe('"hello');
+    });
+
+    it('does not strip single quotes when value starts without quote', () => {
+        const a = new IniAccessor(makeParser()).from("key='hello");
+        expect(a.get('key')).toBe("'hello");
+    });
+
+    it('does not cast string with trailing non-digit characters as integer', () => {
+        const a = new IniAccessor(makeParser()).from('version=3.0-beta');
+        expect(typeof a.get('version')).toBe('string');
+    });
+
+    it('does not cast string with leading non-digit chars as integer', () => {
+        const a = new IniAccessor(makeParser()).from('version=v42');
+        expect(typeof a.get('version')).toBe('string');
+    });
+
+    it('does not cast a version string like 3.1.4 as float', () => {
+        const a = new IniAccessor(makeParser()).from('ver=3.1.4');
+        expect(typeof a.get('ver')).toBe('string');
+    });
+
+    it('casts "yes" to boolean true', () => {
+        const a = new IniAccessor(makeParser()).from('flag=yes');
+        expect(a.get('flag')).toBe(true);
+    });
+
+    it('casts "no" to boolean false', () => {
+        const a = new IniAccessor(makeParser()).from('flag=no');
+        expect(a.get('flag')).toBe(false);
+    });
+
+    it('casts "none" to boolean false', () => {
+        const a = new IniAccessor(makeParser()).from('flag=none');
+        expect(a.get('flag')).toBe(false);
+    });
+
+    it('does not treat key=value containing [brackets] as section header', () => {
+        const a = new IniAccessor(makeParser()).from('key=value[brackets]\nother=1');
+        expect(a.get('key')).toBe('value[brackets]');
+        expect(a.get('other')).toBe(1);
+    });
+
+    it('casts a two-digit integer before decimal point to float', () => {
+        const a = new IniAccessor(makeParser()).from('ratio=10.5');
+        expect(a.get('ratio')).toBe(10.5);
+    });
+
+    it('casts negative float with two-digit integer part correctly', () => {
+        const a = new IniAccessor(makeParser()).from('offset=-12.75');
+        expect(a.get('offset')).toBe(-12.75);
+    });
+});

package/tests/accessors/{json-accessor.test.ts → formats/json-accessor.test.ts}

@@ -1,9 +1,9 @@
 import { describe, expect, it } from 'vitest';
-import { JsonAccessor } from '../../src/accessors/formats/json-accessor.js';
-import { DotNotationParser } from '../../src/core/dot-notation-parser.js';
-import { InvalidFormatException } from '../../src/exceptions/invalid-format-exception.js';
-import { PathNotFoundException } from '../../src/exceptions/path-not-found-exception.js';
-import { ReadonlyViolationException } from '../../src/exceptions/readonly-violation-exception.js';
+import { JsonAccessor } from '../../../src/accessors/formats/json-accessor.js';
+import { DotNotationParser } from '../../../src/core/dot-notation-parser.js';
+import { InvalidFormatException } from '../../../src/exceptions/invalid-format-exception.js';
+import { PathNotFoundException } from '../../../src/exceptions/path-not-found-exception.js';
+import { ReadonlyViolationException } from '../../../src/exceptions/readonly-violation-exception.js';
 
 function makeAccessor(): JsonAccessor {
     return new JsonAccessor(new DotNotationParser());
@@ -142,7 +142,7 @@ describe(`${JsonAccessor.name} > getRaw`, () => {
 });
 
 describe(`${JsonAccessor.name} > parse non-object JSON`, () => {
-    // Kills line 51:13/44/62 — `typeof decoded !== 'object' || decoded === null` check
+    // Kills line 51:13/44/62 - `typeof decoded !== 'object' || decoded === null` check
     // JSON.parse('null') returns null → should return {}
     it('returns empty object when JSON decodes to null', () => {
         const accessor = makeAccessor().from('null');

package/tests/accessors/formats/ndjson-accessor.test.ts

@@ -0,0 +1,49 @@
+import { describe, expect, it } from 'vitest';
+import { NdjsonAccessor } from '../../../src/accessors/formats/ndjson-accessor.js';
+import { DotNotationParser } from '../../../src/core/dot-notation-parser.js';
+import { SecurityGuard } from '../../../src/security/security-guard.js';
+import { SecurityParser } from '../../../src/security/security-parser.js';
+import { InvalidFormatException } from '../../../src/exceptions/invalid-format-exception.js';
+
+function makeParser(secParser?: SecurityParser): DotNotationParser {
+    return new DotNotationParser(new SecurityGuard(), secParser ?? new SecurityParser());
+}
+
+describe(NdjsonAccessor.name, () => {
+    it('parses two NDJSON lines', () => {
+        const a = new NdjsonAccessor(makeParser()).from('{"id":1}\n{"id":2}');
+        expect(a.get('0.id')).toBe(1);
+        expect(a.get('1.id')).toBe(2);
+    });
+
+    it('throws InvalidFormatException for non-string input', () => {
+        expect(() => new NdjsonAccessor(makeParser()).from(null)).toThrow(InvalidFormatException);
+    });
+
+    it('throws InvalidFormatException for number input', () => {
+        expect(() => new NdjsonAccessor(makeParser()).from(42)).toThrow(InvalidFormatException);
+    });
+
+    it('returns empty object for blank-only input', () => {
+        const a = new NdjsonAccessor(makeParser()).from('   \n  \n');
+        expect(a.all()).toEqual({});
+    });
+
+    it('skips blank lines between valid lines', () => {
+        const a = new NdjsonAccessor(makeParser()).from('{"id":1}\n\n{"id":2}');
+        expect(a.get('0.id')).toBe(1);
+        expect(a.get('1.id')).toBe(2);
+    });
+
+    it('throws InvalidFormatException for malformed JSON line', () => {
+        expect(() => new NdjsonAccessor(makeParser()).from('{"ok":1}\n{not valid}')).toThrow(
+            InvalidFormatException,
+        );
+    });
+
+    it('error message contains the failing line number', () => {
+        expect(() => new NdjsonAccessor(makeParser()).from('{"ok":1}\n{not valid}')).toThrow(
+            /line 2/,
+        );
+    });
+});

package/tests/accessors/formats/object-accessor.test.ts

@@ -0,0 +1,172 @@
+import { describe, expect, it } from 'vitest';
+import { ObjectAccessor } from '../../../src/accessors/formats/object-accessor.js';
+import { DotNotationParser } from '../../../src/core/dot-notation-parser.js';
+import { SecurityGuard } from '../../../src/security/security-guard.js';
+import { SecurityParser } from '../../../src/security/security-parser.js';
+import { InvalidFormatException } from '../../../src/exceptions/invalid-format-exception.js';
+import { SecurityException } from '../../../src/exceptions/security-exception.js';
+
+function makeParser(secParser?: SecurityParser): DotNotationParser {
+    return new DotNotationParser(new SecurityGuard(), secParser ?? new SecurityParser());
+}
+
+describe(ObjectAccessor.name, () => {
+    it('accepts a plain object', () => {
+        const a = new ObjectAccessor(makeParser()).from({ name: 'Alice' });
+        expect(a.get('name')).toBe('Alice');
+    });
+
+    it('throws InvalidFormatException for string input', () => {
+        expect(() => new ObjectAccessor(makeParser()).from('string')).toThrow(
+            InvalidFormatException,
+        );
+    });
+
+    it('throws InvalidFormatException for null input', () => {
+        expect(() => new ObjectAccessor(makeParser()).from(null)).toThrow(InvalidFormatException);
+    });
+
+    it('throws InvalidFormatException for array input', () => {
+        expect(() => new ObjectAccessor(makeParser()).from([1, 2, 3])).toThrow(
+            InvalidFormatException,
+        );
+    });
+
+    it('throws InvalidFormatException with "array" in message for array input', () => {
+        expect(() => new ObjectAccessor(makeParser()).from([])).toThrow(/array/);
+    });
+
+    it('resolves nested paths', () => {
+        const a = new ObjectAccessor(makeParser()).from({ user: { name: 'Bob' } });
+        expect(a.get('user.name')).toBe('Bob');
+    });
+
+    it('handles nested arrays of objects', () => {
+        const a = new ObjectAccessor(makeParser()).from({ items: [{ id: 1 }, { id: 2 }] });
+        expect(a.get('items')).toEqual([{ id: 1 }, { id: 2 }]);
+    });
+
+    it('throws SecurityException when depth exceeds the limit', () => {
+        const secParser = new SecurityParser({ maxDepth: 1 });
+        const parser = makeParser(secParser);
+        expect(() => new ObjectAccessor(parser).from({ a: { b: { c: 1 } } })).toThrow(
+            SecurityException,
+        );
+    });
+
+    it('does not throw for objects within the depth limit', () => {
+        const secParser = new SecurityParser({ maxDepth: 5 });
+        const parser = makeParser(secParser);
+        expect(() => new ObjectAccessor(parser).from({ a: { b: { c: 1 } } })).not.toThrow();
+    });
+
+    it('throws SecurityException for deeply nested arrays exceeding depth', () => {
+        const secParser = new SecurityParser({ maxDepth: 0 });
+        const parser = makeParser(secParser);
+        expect(() => new ObjectAccessor(parser).from({ items: [{ id: 1 }] })).toThrow(
+            SecurityException,
+        );
+    });
+
+    it('handles nested arrays of primitives without throwing', () => {
+        const a = new ObjectAccessor(makeParser()).from({ tags: ['a', 'b', 'c'] });
+        expect(a.get('tags')).toEqual(['a', 'b', 'c']);
+    });
+
+    it('preserves null values in object', () => {
+        const a = new ObjectAccessor(makeParser()).from({ key: null });
+        expect(a.get('key')).toBeNull();
+    });
+
+    it('handles array of objects at root level', () => {
+        const a = new ObjectAccessor(makeParser()).from({ list: [{ x: 1 }, { x: 2 }] });
+        expect(a.get('list')).toEqual([{ x: 1 }, { x: 2 }]);
+    });
+
+    it('handles nested array of arrays', () => {
+        const a = new ObjectAccessor(makeParser()).from({
+            matrix: [
+                [1, 2],
+                [3, 4],
+            ],
+        });
+        expect(a.get('matrix')).toEqual([
+            [1, 2],
+            [3, 4],
+        ]);
+    });
+
+    it('throws SecurityException at exactly maxDepth+1 nesting (strict=false so objectToRecord guard fires)', () => {
+        const secParser = new SecurityParser({ maxDepth: 2 });
+        const parser = makeParser(secParser);
+        expect(() =>
+            new ObjectAccessor(parser).strict(false).from({ a: { b: { c: { d: 1 } } } }),
+        ).toThrow(SecurityException);
+    });
+
+    it('does not throw at exactly maxDepth nesting (strict=false)', () => {
+        const secParser = new SecurityParser({ maxDepth: 2 });
+        const parser = makeParser(secParser);
+        expect(() =>
+            new ObjectAccessor(parser).strict(false).from({ a: { b: { c: 1 } } }),
+        ).not.toThrow();
+    });
+
+    it('throws SecurityException at exactly maxDepth+1 in nested array-of-objects (strict=false)', () => {
+        const secParser = new SecurityParser({ maxDepth: 1 });
+        const parser = makeParser(secParser);
+        expect(() => new ObjectAccessor(parser).strict(false).from({ items: [{ id: 1 }] })).toThrow(
+            SecurityException,
+        );
+    });
+
+    it('throws SecurityException when nested array of arrays exceeds depth (strict=false)', () => {
+        const secParser = new SecurityParser({ maxDepth: 0 });
+        const parser = makeParser(secParser);
+        expect(() => new ObjectAccessor(parser).strict(false).from({ matrix: [[1, 2]] })).toThrow(
+            SecurityException,
+        );
+    });
+
+    it('security exception message contains depth value', () => {
+        const secParser = new SecurityParser({ maxDepth: 0 });
+        const parser = makeParser(secParser);
+        expect(() => new ObjectAccessor(parser).from({ a: { b: 1 } })).toThrow(/depth/i);
+    });
+
+    it('does not throw convertArrayValues at exactly maxDepth (> not >=)', () => {
+        const secParser = new SecurityParser({ maxDepth: 1 });
+        const parser = makeParser(secParser);
+        expect(() =>
+            new ObjectAccessor(parser).strict(false).from({ items: [1, 2, 3] }),
+        ).not.toThrow();
+    });
+
+    it('handles null values inside an array correctly', () => {
+        const a = new ObjectAccessor(makeParser()).from({ items: [null, 1, 'text'] });
+        const items = a.get('items') as unknown[];
+        expect(items[0]).toBeNull();
+        expect(items[1]).toBe(1);
+        expect(items[2]).toBe('text');
+    });
+
+    it('handles array-of-arrays with primitives and does not throw at valid depth', () => {
+        const a = new ObjectAccessor(makeParser()).from({
+            matrix: [
+                [1, 2],
+                [3, 4],
+            ],
+        });
+        const matrix = a.get('matrix') as unknown[][];
+        expect(matrix[0]).toEqual([1, 2]);
+        expect(matrix[1]).toEqual([3, 4]);
+    });
+
+    it('throws when deeply nested arrays exceed maxDepth in convertArrayValues', () => {
+        const secParser = new SecurityParser({ maxDepth: 1 });
+        const parser = makeParser(secParser);
+        expect(() => new ObjectAccessor(parser).strict(false).from({ items: [[1, 2]] })).toThrow(
+            SecurityException,
+        );
+    });
+});

package/tests/accessors/formats/xml-accessor.test.ts

@@ -0,0 +1,162 @@
+import { describe, expect, it } from 'vitest';
+import { XmlAccessor } from '../../../src/accessors/formats/xml-accessor.js';
+import { DotNotationParser } from '../../../src/core/dot-notation-parser.js';
+import { SecurityGuard } from '../../../src/security/security-guard.js';
+import { SecurityParser } from '../../../src/security/security-parser.js';
+import { InvalidFormatException } from '../../../src/exceptions/invalid-format-exception.js';
+import { SecurityException } from '../../../src/exceptions/security-exception.js';
+
+function makeParser(secParser?: SecurityParser): DotNotationParser {
+    return new DotNotationParser(new SecurityGuard(), secParser ?? new SecurityParser());
+}
+
+describe(XmlAccessor.name, () => {
+    it('throws InvalidFormatException for non-string input', () => {
+        expect(() => new XmlAccessor(makeParser()).from(null)).toThrow(InvalidFormatException);
+    });
+
+    it('throws InvalidFormatException for number input', () => {
+        expect(() => new XmlAccessor(makeParser()).from(42)).toThrow(InvalidFormatException);
+    });
+
+    it('throws SecurityException for DOCTYPE declarations (XXE prevention)', () => {
+        const xml = '<!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]><root/>';
+        expect(() => new XmlAccessor(makeParser()).from(xml)).toThrow(SecurityException);
+    });
+
+    it('throws SecurityException for DOCTYPE regardless of case', () => {
+        const xml = '<!doctype foo><root/>';
+        expect(() => new XmlAccessor(makeParser()).from(xml)).toThrow(SecurityException);
+    });
+
+    it('parses a simple XML element', () => {
+        const a = new XmlAccessor(makeParser()).from('<root><name>Alice</name></root>');
+        expect(a.get('name')).toBe('Alice');
+    });
+
+    it('parses sibling elements under the root', () => {
+        const a = new XmlAccessor(makeParser()).from(
+            '<root><name>Alice</name><age>30</age></root>',
+        );
+        expect(a.get('name')).toBe('Alice');
+        expect(a.get('age')).toBe('30');
+    });
+
+    it('parses nested XML elements', () => {
+        const a = new XmlAccessor(makeParser()).from(
+            '<root><user><name>Alice</name></user></root>',
+        );
+        expect(a.get('user.name')).toBe('Alice');
+    });
+
+    it('throws InvalidFormatException for completely unparseable XML', () => {
+        expect(() => new XmlAccessor(makeParser()).from('not xml at all !@#')).toThrow(
+            InvalidFormatException,
+        );
+    });
+
+    it('returns empty object for self-closing root element', () => {
+        const a = new XmlAccessor(makeParser()).from('<root/>');
+        expect(a.all()).toEqual({});
+    });
+
+    it('merges duplicate sibling tags into an array', () => {
+        const a = new XmlAccessor(makeParser()).from('<root><item>a</item><item>b</item></root>');
+        const items = a.get('item');
+        expect(Array.isArray(items)).toBe(true);
+        expect((items as unknown[]).length).toBe(2);
+    });
+
+    it('parses with XML declaration header', () => {
+        const a = new XmlAccessor(makeParser()).from(
+            '<?xml version="1.0"?><root><key>value</key></root>',
+        );
+        expect(a.get('key')).toBe('value');
+    });
+
+    it('throws SecurityException when XML depth exceeds the limit', () => {
+        const secParser = new SecurityParser({ maxDepth: 1 });
+        const parser = makeParser(secParser);
+        const xml = '<root><a><b><c>deep</c></b></a></root>';
+        expect(() => new XmlAccessor(parser).from(xml)).toThrow(SecurityException);
+    });
+
+    it('parses deeply nested elements correctly', () => {
+        const a = new XmlAccessor(makeParser()).from(
+            '<root><level1><level2><value>deep</value></level2></level1></root>',
+        );
+        expect(a.get('level1.level2.value')).toBe('deep');
+    });
+
+    it('parses an element with plain text content', () => {
+        const a = new XmlAccessor(makeParser()).from('<root><text>hello world</text></root>');
+        expect(a.get('text')).toBe('hello world');
+    });
+
+    it('merges three duplicate sibling tags into an array of 3', () => {
+        const a = new XmlAccessor(makeParser()).from(
+            '<root><item>a</item><item>b</item><item>c</item></root>',
+        );
+        const items = a.get('item') as unknown[];
+        expect(Array.isArray(items)).toBe(true);
+        expect(items.length).toBe(3);
+        expect(items[2]).toBe('c');
+    });
+
+    it('parses self-closing child element as empty string text', () => {
+        const a = new XmlAccessor(makeParser()).from('<root><empty/><name>Alice</name></root>');
+        expect(a.get('name')).toBe('Alice');
+    });
+
+    it('parses multiple different child elements', () => {
+        const a = new XmlAccessor(makeParser()).from(
+            '<root><first>1</first><second>2</second><third>3</third></root>',
+        );
+        expect(a.get('first')).toBe('1');
+        expect(a.get('second')).toBe('2');
+        expect(a.get('third')).toBe('3');
+    });
+
+    it('returns empty object for root with only whitespace content', () => {
+        const a = new XmlAccessor(makeParser()).from('<root>   </root>');
+        expect(a.all()).toEqual({});
+    });
+
+    it('returns nested structure for complex XML', () => {
+        const a = new XmlAccessor(makeParser()).from(
+            '<root><user><name>Alice</name><role>admin</role></user></root>',
+        );
+        expect(a.get('user.name')).toBe('Alice');
+        expect(a.get('user.role')).toBe('admin');
+    });
+
+    it('returns plain string value when child has only text content', () => {
+        const a = new XmlAccessor(makeParser()).from('<root><title>Hello World</title></root>');
+        expect(typeof a.get('title')).toBe('string');
+        expect(a.get('title')).toBe('Hello World');
+    });
+
+    it('builds an array when the same tag appears 4 times', () => {
+        const a = new XmlAccessor(makeParser()).from(
+            '<root><k>1</k><k>2</k><k>3</k><k>4</k></root>',
+        );
+        const k = a.get('k') as unknown[];
+        expect(Array.isArray(k)).toBe(true);
+        expect(k.length).toBe(4);
+        expect(k[3]).toBe('4');
+    });
+
+    it('throws SecurityException when opening-tag count exceeds SecurityParser.maxKeys (getMaxKeys flows to XmlParser.maxElements)', () => {
+        const secParser = new SecurityParser({ maxKeys: 2 });
+        const parser = makeParser(secParser);
+        const xml = '<root>' + '<item>x</item>'.repeat(3) + '</root>';
+        expect(() => new XmlAccessor(parser).from(xml)).toThrow(SecurityException);
+    });
+
+    it('does not throw when opening-tag count is within SecurityParser.maxKeys', () => {
+        const secParser = new SecurityParser({ maxKeys: 10 });
+        const parser = makeParser(secParser);
+        const xml = '<root>' + '<item>x</item>'.repeat(3) + '</root>';
+        expect(() => new XmlAccessor(parser).from(xml)).not.toThrow();
+    });
+});

package/tests/accessors/formats/yaml-accessor.test.ts

@@ -0,0 +1,36 @@
+import { describe, expect, it } from 'vitest';
+import { YamlAccessor } from '../../../src/accessors/formats/yaml-accessor.js';
+import { DotNotationParser } from '../../../src/core/dot-notation-parser.js';
+import { SecurityGuard } from '../../../src/security/security-guard.js';
+import { SecurityParser } from '../../../src/security/security-parser.js';
+import { InvalidFormatException } from '../../../src/exceptions/invalid-format-exception.js';
+
+function makeParser(secParser?: SecurityParser): DotNotationParser {
+    return new DotNotationParser(new SecurityGuard(), secParser ?? new SecurityParser());
+}
+
+describe(YamlAccessor.name, () => {
+    it('parses a valid YAML string', () => {
+        const a = new YamlAccessor(makeParser()).from('name: Alice\nage: 30');
+        expect(a.get('name')).toBe('Alice');
+        expect(a.get('age')).toBe(30);
+    });
+
+    it('throws InvalidFormatException for non-string input', () => {
+        expect(() => new YamlAccessor(makeParser()).from(null)).toThrow(InvalidFormatException);
+    });
+
+    it('throws InvalidFormatException for number input', () => {
+        expect(() => new YamlAccessor(makeParser()).from(42)).toThrow(InvalidFormatException);
+    });
+
+    it('resolves a nested path', () => {
+        const a = new YamlAccessor(makeParser()).from('user:\n  name: Bob');
+        expect(a.get('user.name')).toBe('Bob');
+    });
+
+    it('returns null for a missing path', () => {
+        const a = new YamlAccessor(makeParser()).from('key: value');
+        expect(a.get('missing')).toBeNull();
+    });
+});