@scenarist/core 0.3.1 → 0.3.2

package/dist/adapters/in-memory-state-manager.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"in-memory-state-manager.d.ts","sourceRoot":"","sources":["../../src/adapters/in-memory-state-manager.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,kCAAkC,CAAC;AAMrE;;;;;;GAMG;AACH,qBAAa,oBAAqB,YAAW,YAAY;IACvD,OAAO,CAAC,QAAQ,CAAC,OAAO,CAA8C;IAEtE,GAAG,CAAC,MAAM,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,GAAG,OAAO;IAUzC,GAAG,CAAC,MAAM,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,EAAE,KAAK,EAAE,OAAO,GAAG,IAAI;IAyBtD,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC;IAI/C,KAAK,CAAC,MAAM,EAAE,MAAM,GAAG,IAAI;IAI3B,KAAK,CAAC,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,IAAI;IAgB7D,OAAO,CAAC,oBAAoB;IAS5B,OAAO,CAAC,cAAc;IA0CtB,OAAO,CAAC,cAAc;CA6BvB;AAED;;;GAGG;AACH,eAAO,MAAM,0BAA0B,QAAO,YAE7C,CAAC"}
+{"version":3,"file":"in-memory-state-manager.d.ts","sourceRoot":"","sources":["../../src/adapters/in-memory-state-manager.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,kCAAkC,CAAC;AAcrE;;;;;;GAMG;AACH,qBAAa,oBAAqB,YAAW,YAAY;IACvD,OAAO,CAAC,QAAQ,CAAC,OAAO,CAA8C;IAEtE,GAAG,CAAC,MAAM,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,GAAG,OAAO;IAUzC,GAAG,CAAC,MAAM,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,EAAE,KAAK,EAAE,OAAO,GAAG,IAAI;IAyBtD,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC;IAI/C,KAAK,CAAC,MAAM,EAAE,MAAM,GAAG,IAAI;IAI3B,KAAK,CAAC,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,IAAI;IAgB7D,OAAO,CAAC,oBAAoB;IAS5B,OAAO,CAAC,cAAc;IA6CtB,OAAO,CAAC,cAAc;CA8BvB;AAED;;;GAGG;AACH,eAAO,MAAM,0BAA0B,QAAO,YAE7C,CAAC"}

package/dist/adapters/in-memory-state-manager.js

@@ -1,5 +1,12 @@
 const DANGEROUS_KEYS = new Set(["__proto__", "constructor", "prototype"]);
 const isDangerousKey = (key) => DANGEROUS_KEYS.has(key);
+/**
+ * Type guard to check if a value is a plain object (Record).
+ * Used to properly narrow types after typeof checks.
+ */
+const isRecord = (value) => {
+    return typeof value === "object" && value !== null && !Array.isArray(value);
+};
 /**
  * In-memory implementation of StateManager port.
  * Fast, single-process state storage for stateful mocks.
@@ -80,21 +87,24 @@ export class InMemoryStateManager {
             });
             return;
         }
+        // Get or create nested object for this path segment
         // eslint-disable-next-line security/detect-object-injection -- Guarded by isDangerousKey and Object.hasOwn
         const existingValue = Object.hasOwn(obj, key) ? obj[key] : undefined;
-        if (typeof existingValue !== "object" ||
-            existingValue === null ||
-            Array.isArray(existingValue)) {
+        // Determine target: use existing record OR create new empty object
+        const target = isRecord(existingValue)
+            ? existingValue
+            : {};
+        // If we created a new object, assign it to the parent
+        if (!isRecord(existingValue)) {
             Object.defineProperty(obj, key, {
-                value: {},
+                value: target,
                 writable: true,
                 enumerable: true,
                 configurable: true,
             });
         }
-        // eslint-disable-next-line security/detect-object-injection -- Guarded by isDangerousKey, Object.hasOwn, and Object.defineProperty
-        const nested = obj[key];
-        this.setNestedValue(nested, path.slice(1), value);
+        // Recurse to next path segment
+        this.setNestedValue(target, path.slice(1), value);
     }
     getNestedValue(obj, path) {
         const key = path[0];
@@ -111,7 +121,8 @@ export class InMemoryStateManager {
         if (path.length === 1) {
             return value;
         }
-        if (typeof value !== "object" || value === null || Array.isArray(value)) {
+        // Use type guard for proper type narrowing instead of assertion
+        if (!isRecord(value)) {
             return undefined;
         }
         return this.getNestedValue(value, path.slice(1));

package/dist/domain/deep-equals.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"deep-equals.d.ts","sourceRoot":"","sources":["../../src/domain/deep-equals.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AACH,eAAO,MAAM,UAAU,GAAI,GAAG,OAAO,EAAE,GAAG,OAAO,KAAG,OAoEnD,CAAC"}
+{"version":3,"file":"deep-equals.d.ts","sourceRoot":"","sources":["../../src/domain/deep-equals.ts"],"names":[],"mappings":"AAQA;;;;;;;;;GASG;AACH,eAAO,MAAM,UAAU,GAAI,GAAG,OAAO,EAAE,GAAG,OAAO,KAAG,OA+DnD,CAAC"}

package/dist/domain/deep-equals.js

@@ -1,3 +1,10 @@
+/**
+ * Type guard to check if a value is a plain object (Record).
+ * Used to properly narrow types after typeof checks.
+ */
+const isRecord = (value) => {
+    return typeof value === "object" && value !== null && !Array.isArray(value);
+};
 /**
  * Deep equality comparison for values.
  *
@@ -42,8 +49,8 @@ export const deepEquals = (a, b) => {
     if (Array.isArray(a) !== Array.isArray(b)) {
         return false;
     }
-    // Handle objects
-    if (typeof a === "object" && typeof b === "object") {
+    // Handle objects (use type guard instead of type assertion)
+    if (isRecord(a) && isRecord(b)) {
         const aKeys = Object.keys(a);
         const bKeys = Object.keys(b);
         if (aKeys.length !== bKeys.length) {

package/dist/domain/path-extraction.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"path-extraction.d.ts","sourceRoot":"","sources":["../../src/domain/path-extraction.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,sBAAsB,CAAC;AAM/D;;;;;;;;;;;;;GAaG;AACH,eAAO,MAAM,eAAe,GAC1B,SAAS,kBAAkB,EAC3B,MAAM,MAAM,KACX,OAyBF,CAAC"}
+{"version":3,"file":"path-extraction.d.ts","sourceRoot":"","sources":["../../src/domain/path-extraction.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,sBAAsB,CAAC;AAc/D;;;;;;;;;;;;;GAaG;AACH,eAAO,MAAM,eAAe,GAC1B,SAAS,kBAAkB,EAC3B,MAAM,MAAM,KACX,OAyBF,CAAC"}

package/dist/domain/path-extraction.js

@@ -1,5 +1,12 @@
 const DANGEROUS_KEYS = new Set(["__proto__", "constructor", "prototype"]);
 const isDangerousKey = (key) => DANGEROUS_KEYS.has(key);
+/**
+ * Type guard to check if a value is a plain object (Record).
+ * Used to properly narrow types after typeof checks.
+ */
+const isRecord = (value) => {
+    return typeof value === "object" && value !== null && !Array.isArray(value);
+};
 /**
  * Extracts a value from HttpRequestContext based on a path expression.
  *
@@ -55,8 +62,8 @@ const traversePath = (obj, path) => {
     if (path.length === 0) {
         return obj;
     }
-    // Guard: Can only traverse objects
-    if (typeof obj !== "object" || obj === null || Array.isArray(obj)) {
+    // Guard: Can only traverse objects - use type guard for proper narrowing
+    if (!isRecord(obj)) {
         return undefined;
     }
     const key = path[0];
@@ -68,9 +75,8 @@ const traversePath = (obj, path) => {
     if (!Object.hasOwn(obj, key)) {
         return undefined;
     }
-    const record = obj;
     // eslint-disable-next-line security/detect-object-injection -- Key validated by Object.hasOwn and isDangerousKey guard
-    const value = record[key];
+    const value = obj[key];
     // Recursively traverse remaining path
     return traversePath(value, path.slice(1));
 };

package/dist/domain/response-selector.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"response-selector.d.ts","sourceRoot":"","sources":["../../src/domain/response-selector.ts"],"names":[],"mappings":"AAOA,OAAO,KAAK,EACV,gBAAgB,EAChB,eAAe,EACf,YAAY,EACZ,MAAM,EACP,MAAM,mBAAmB,CAAC;AAiB3B;;GAEG;AACH,KAAK,6BAA6B,GAAG;IACnC,eAAe,CAAC,EAAE,eAAe,CAAC;IAClC,YAAY,CAAC,EAAE,YAAY,CAAC;IAC5B,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB,CAAC;AAEF;;;;;;;;;;GAUG;AACH,eAAO,MAAM,sBAAsB,GACjC,UAAS,6BAAkC,KAC1C,gBAuQF,CAAC"}
+{"version":3,"file":"response-selector.d.ts","sourceRoot":"","sources":["../../src/domain/response-selector.ts"],"names":[],"mappings":"AAOA,OAAO,KAAK,EACV,gBAAgB,EAChB,eAAe,EACf,YAAY,EACZ,MAAM,EACP,MAAM,mBAAmB,CAAC;AAyB3B;;GAEG;AACH,KAAK,6BAA6B,GAAG;IACnC,eAAe,CAAC,EAAE,eAAe,CAAC;IAClC,YAAY,CAAC,EAAE,YAAY,CAAC;IAC5B,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB,CAAC;AAEF;;;;;;;;;;GAUG;AACH,eAAO,MAAM,sBAAsB,GACjC,UAAS,6BAAkC,KAC1C,gBAwQF,CAAC"}

package/dist/domain/response-selector.js

@@ -6,6 +6,13 @@ import { createStateResponseResolver } from "./state-response-resolver.js";
 import { deepEquals } from "./deep-equals.js";
 import { noOpLogger } from "../adapters/index.js";
 import { LogCategories, LogEvents } from "./log-events.js";
+/**
+ * Type guard to check if a value is a plain object (Record).
+ * Used to properly narrow types after typeof checks.
+ */
+const isRecord = (value) => {
+    return typeof value === "object" && value !== null && !Array.isArray(value);
+};
 const SPECIFICITY_RANGES = {
     MATCH_CRITERIA_BASE: 100,
     SEQUENCE_FALLBACK: 1,
@@ -139,6 +146,7 @@ export const createResponseSelector = (options = {}) => {
                         state: currentState,
                         params: mockWithParams.params || {},
                     };
+                    // eslint-disable-next-line @typescript-eslint/consistent-type-assertions -- applyTemplates preserves structure; input ScenaristResponse → output ScenaristResponse
                     finalResponse = applyTemplates(response, templateData);
                 }
                 // Apply afterResponse.setState to mutate state for subsequent requests
@@ -393,15 +401,14 @@ const matchesState = (stateCriteria, testId, stateManager) => {
  * Non-string values are converted to strings before matching.
  */
 const matchesBody = (requestBody, criteriaBody) => {
-    // If request has no body, can't match
-    if (!requestBody || typeof requestBody !== "object") {
+    // If request has no body, can't match - use type guard for proper narrowing
+    if (!isRecord(requestBody)) {
         return false;
     }
-    const body = requestBody;
     // Check all required fields exist in request body with matching values
     for (const [key, criteriaValue] of Object.entries(criteriaBody)) {
         // eslint-disable-next-line security/detect-object-injection -- Key from Object.entries iteration
-        const requestValue = body[key];
+        const requestValue = requestBody[key];
         // Convert to string for matching (type coercion like headers/query)
         const stringValue = requestValue == null ? "" : String(requestValue);
         if (!matchesValue(stringValue, criteriaValue)) {
@@ -461,21 +468,30 @@ const matchesValue = (requestValue, criteriaValue) => {
     if (criteriaValue == null) {
         return requestValue === "";
     }
-    const strategyValue = criteriaValue;
-    if (strategyValue.equals !== undefined) {
-        return requestValue === String(strategyValue.equals);
+    // After ruling out string, RegExp, number, boolean, null - remaining must be object strategy
+    if (!isRecord(criteriaValue)) {
+        return false;
     }
-    if (strategyValue.contains !== undefined) {
-        return requestValue.includes(String(strategyValue.contains));
+    if (criteriaValue.equals !== undefined) {
+        return requestValue === String(criteriaValue.equals);
     }
-    if (strategyValue.startsWith !== undefined) {
-        return requestValue.startsWith(String(strategyValue.startsWith));
+    if (criteriaValue.contains !== undefined) {
+        return requestValue.includes(String(criteriaValue.contains));
     }
-    if (strategyValue.endsWith !== undefined) {
-        return requestValue.endsWith(String(strategyValue.endsWith));
+    if (criteriaValue.startsWith !== undefined) {
+        return requestValue.startsWith(String(criteriaValue.startsWith));
     }
-    if (strategyValue.regex !== undefined) {
-        return matchesRegex(requestValue, strategyValue.regex);
+    if (criteriaValue.endsWith !== undefined) {
+        return requestValue.endsWith(String(criteriaValue.endsWith));
+    }
+    if (criteriaValue.regex !== undefined && isRecord(criteriaValue.regex)) {
+        const regex = criteriaValue.regex;
+        if (typeof regex.source === "string") {
+            return matchesRegex(requestValue, {
+                source: regex.source,
+                flags: typeof regex.flags === "string" ? regex.flags : undefined,
+            });
+        }
     }
     return false;
 };

package/dist/domain/scenario-manager.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"scenario-manager.d.ts","sourceRoot":"","sources":["../../src/domain/scenario-manager.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EACV,eAAe,EACf,gBAAgB,EAChB,aAAa,EACb,eAAe,EACf,YAAY,EACZ,MAAM,EACP,MAAM,mBAAmB,CAAC;AAwC3B;;;;;;;;;;;;GAYG;AACH,eAAO,MAAM,qBAAqB,GAAI,6DAMnC;IACD,QAAQ,EAAE,gBAAgB,CAAC;IAC3B,KAAK,EAAE,aAAa,CAAC;IACrB,YAAY,CAAC,EAAE,YAAY,CAAC;IAC5B,eAAe,CAAC,EAAE,eAAe,CAAC;IAClC,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB,KAAG,eAwHH,CAAC"}
+{"version":3,"file":"scenario-manager.d.ts","sourceRoot":"","sources":["../../src/domain/scenario-manager.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EACV,eAAe,EACf,gBAAgB,EAChB,aAAa,EACb,eAAe,EACf,YAAY,EACZ,MAAM,EACP,MAAM,mBAAmB,CAAC;AAwC3B;;;;;;;;;;;;GAYG;AACH,eAAO,MAAM,qBAAqB,GAAI,6DAMnC;IACD,QAAQ,EAAE,gBAAgB,CAAC;IAC3B,KAAK,EAAE,aAAa,CAAC;IACrB,YAAY,CAAC,EAAE,YAAY,CAAC;IAC5B,eAAe,CAAC,EAAE,eAAe,CAAC;IAClC,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB,KAAG,eA+HH,CAAC"}

package/dist/domain/scenario-manager.js

@@ -40,7 +40,13 @@ export const createScenarioManager = ({ registry, store, stateManager, sequenceT
             const validationResult = ScenaristScenarioSchema.safeParse(definition);
             if (!validationResult.success) {
                 const errorMessages = validationResult.error.issues.map((err) => `${err.path.join(".")}: ${err.message}`);
-                const scenarioId = definition?.id || "<unknown>";
+                // Extract id safely without type assertion - definition failed validation so type is untrusted
+                const scenarioId = typeof definition === "object" &&
+                    definition !== null &&
+                    "id" in definition &&
+                    typeof definition.id === "string"
+                    ? definition.id
+                    : "<unknown>";
                 throw createScenarioValidationError(scenarioId, errorMessages);
             }
             const existing = registry.get(definition.id);

package/dist/domain/template-replacement.d.ts

@@ -2,6 +2,10 @@
  * Applies templates to a value.
  * Replaces {{state.key}} and {{params.key}} patterns with actual values.
  *
+ * Note: This function preserves the structure of the input value.
+ * Callers passing typed objects (like ScenaristResponse) can safely
+ * cast the return value back to the input type.
+ *
  * @param value - Value to apply templates to (string, object, array, or primitive)
  * @param templateData - Object containing state and params for template replacement.
  *                       Can be flat object (backward compatible) or { state: {...}, params: {...} }

package/dist/domain/template-replacement.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"template-replacement.d.ts","sourceRoot":"","sources":["../../src/domain/template-replacement.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AACH,eAAO,MAAM,cAAc,GACzB,OAAO,OAAO,EACd,cAAc,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,KACpC,OA+DF,CAAC"}
+{"version":3,"file":"template-replacement.d.ts","sourceRoot":"","sources":["../../src/domain/template-replacement.ts"],"names":[],"mappings":"AAgBA;;;;;;;;;;;;GAYG;AACH,eAAO,MAAM,cAAc,GACzB,OAAO,OAAO,EACd,cAAc,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,KACpC,OA+DF,CAAC"}

package/dist/domain/template-replacement.js

@@ -1,7 +1,25 @@
+/**
+ * Type guard to check if a value is a plain object (Record).
+ * Used to properly narrow types after typeof checks.
+ */
+const isRecord = (value) => {
+    return typeof value === "object" && value !== null && !Array.isArray(value);
+};
+/**
+ * Security: Check if a property key could cause prototype pollution.
+ * @see https://github.com/citypaul/scenarist/security/code-scanning
+ */
+const isDangerousKey = (key) => {
+    return key === "__proto__" || key === "constructor" || key === "prototype";
+};
 /**
  * Applies templates to a value.
  * Replaces {{state.key}} and {{params.key}} patterns with actual values.
  *
+ * Note: This function preserves the structure of the input value.
+ * Callers passing typed objects (like ScenaristResponse) can safely
+ * cast the return value back to the input type.
+ *
  * @param value - Value to apply templates to (string, object, array, or primitive)
  * @param templateData - Object containing state and params for template replacement.
  *                       Can be flat object (backward compatible) or { state: {...}, params: {...} }
@@ -86,10 +104,18 @@ const resolveTemplatePath = (templateData, prefix, path) => {
         if (Array.isArray(current) && segment === "length") {
             return current.length;
         }
-        // Traverse object
-        const record = current;
-        // eslint-disable-next-line security/detect-object-injection -- Segment from split() iteration
-        current = record[segment];
+        // Traverse object - use type guard for proper narrowing
+        if (!isRecord(current)) {
+            return undefined;
+        }
+        // Security: Prevent prototype pollution attacks
+        // @see https://github.com/citypaul/scenarist/security/code-scanning/165
+        if (isDangerousKey(segment) || !Object.hasOwn(current, segment)) {
+            return undefined;
+        }
+        // nosemgrep: javascript.lang.security.audit.prototype-pollution.prototype-pollution-loop
+        // eslint-disable-next-line security/detect-object-injection -- Segment validated by isDangerousKey and Object.hasOwn checks above
+        current = current[segment];
         // Guard: Return undefined if property doesn't exist
         if (current === undefined) {
             return undefined;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@scenarist/core",
-  "version": "0.3.1",
+  "version": "0.3.2",
   "description": "Internal: Hexagonal architecture core for scenario-based testing with MSW",
   "author": "Paul Hammond (citypaul) <paul@packsoftware.co.uk>",
   "license": "MIT",