@signaltree/core 5.1.1 → 5.1.3

package/dist/lib/performance/update-engine.js

@@ -0,0 +1,188 @@
+import { isSignal } from '@angular/core';
+import { DiffEngine, ChangeType } from './diff-engine.js';
+import { PathIndex } from './path-index.js';
+
+class OptimizedUpdateEngine {
+  pathIndex;
+  diffEngine;
+  constructor(tree) {
+    this.pathIndex = new PathIndex();
+    this.diffEngine = new DiffEngine();
+    this.pathIndex.buildFromTree(tree);
+  }
+  update(tree, updates, options = {}) {
+    const startTime = performance.now();
+    const diffOptions = {};
+    if (options.maxDepth !== undefined) diffOptions.maxDepth = options.maxDepth;
+    if (options.ignoreArrayOrder !== undefined) diffOptions.ignoreArrayOrder = options.ignoreArrayOrder;
+    if (options.equalityFn !== undefined) diffOptions.equalityFn = options.equalityFn;
+    const diff = this.diffEngine.diff(tree, updates, diffOptions);
+    if (diff.changes.length === 0) {
+      return {
+        changed: false,
+        duration: performance.now() - startTime,
+        changedPaths: []
+      };
+    }
+    const patches = this.createPatches(diff.changes);
+    const sortedPatches = this.sortPatches(patches);
+    const result = options.batch ? this.batchApplyPatches(tree, sortedPatches, options.batchSize) : this.applyPatches(tree, sortedPatches);
+    const duration = performance.now() - startTime;
+    return {
+      changed: true,
+      duration,
+      changedPaths: result.appliedPaths,
+      stats: {
+        totalPaths: diff.changes.length,
+        optimizedPaths: patches.length,
+        batchedUpdates: result.batchCount
+      }
+    };
+  }
+  rebuildIndex(tree) {
+    this.pathIndex.clear();
+    this.pathIndex.buildFromTree(tree);
+  }
+  getIndexStats() {
+    return this.pathIndex.getStats();
+  }
+  createPatches(changes) {
+    const patches = [];
+    const processedPaths = new Set();
+    for (const change of changes) {
+      const pathStr = change.path.join('.');
+      let skipPath = false;
+      for (const processed of processedPaths) {
+        if (pathStr.startsWith(processed + '.')) {
+          skipPath = true;
+          break;
+        }
+      }
+      if (skipPath) {
+        continue;
+      }
+      const patch = this.createPatch(change);
+      patches.push(patch);
+      processedPaths.add(pathStr);
+      if (change.type === ChangeType.REPLACE && typeof change.value === 'object') {
+        processedPaths.add(pathStr);
+      }
+    }
+    return patches;
+  }
+  createPatch(change) {
+    return {
+      type: change.type,
+      path: change.path,
+      value: change.value,
+      oldValue: change.oldValue,
+      priority: this.calculatePriority(change),
+      signal: this.pathIndex.get(change.path)
+    };
+  }
+  calculatePriority(change) {
+    let priority = 0;
+    priority += (10 - change.path.length) * 10;
+    if (change.path.some(p => typeof p === 'number')) {
+      priority -= 20;
+    }
+    if (change.type === ChangeType.REPLACE) {
+      priority += 30;
+    }
+    return priority;
+  }
+  sortPatches(patches) {
+    return patches.sort((a, b) => {
+      if (a.priority !== b.priority) {
+        return b.priority - a.priority;
+      }
+      return a.path.length - b.path.length;
+    });
+  }
+  applyPatches(tree, patches) {
+    const appliedPaths = [];
+    let updateCount = 0;
+    for (const patch of patches) {
+      if (this.applyPatch(patch, tree)) {
+        appliedPaths.push(patch.path.join('.'));
+        updateCount++;
+      }
+    }
+    return {
+      appliedPaths,
+      updateCount,
+      batchCount: 1
+    };
+  }
+  batchApplyPatches(tree, patches, batchSize = 50) {
+    const batches = [];
+    for (let i = 0; i < patches.length; i += batchSize) {
+      batches.push(patches.slice(i, i + batchSize));
+    }
+    const appliedPaths = [];
+    let updateCount = 0;
+    for (const currentBatch of batches) {
+      for (const patch of currentBatch) {
+        if (this.applyPatch(patch, tree)) {
+          appliedPaths.push(patch.path.join('.'));
+          updateCount++;
+        }
+      }
+    }
+    return {
+      appliedPaths,
+      updateCount,
+      batchCount: batches.length
+    };
+  }
+  applyPatch(patch, tree) {
+    try {
+      if (patch.signal && isSignal(patch.signal) && 'set' in patch.signal) {
+        const currentValue = patch.signal();
+        if (this.isEqual(currentValue, patch.value)) {
+          return false;
+        }
+        patch.signal.set(patch.value);
+        if (patch.type === ChangeType.ADD && patch.value !== undefined) {
+          this.pathIndex.set(patch.path, patch.signal);
+        }
+        return true;
+      }
+      let current = tree;
+      for (let i = 0; i < patch.path.length - 1; i++) {
+        const key = patch.path[i];
+        current = current[key];
+        if (!current || typeof current !== 'object') {
+          return false;
+        }
+      }
+      const lastKey = patch.path[patch.path.length - 1];
+      if (this.isEqual(current[lastKey], patch.value)) {
+        return false;
+      }
+      current[lastKey] = patch.value;
+      return true;
+    } catch (error) {
+      console.error(`Failed to apply patch at ${patch.path.join('.')}:`, error);
+      return false;
+    }
+  }
+  isEqual(a, b) {
+    if (a === b) {
+      return true;
+    }
+    if (typeof a !== typeof b) {
+      return false;
+    }
+    if (typeof a !== 'object' || a === null || b === null) {
+      return false;
+    }
+    try {
+      return JSON.stringify(a) === JSON.stringify(b);
+    } catch {
+      return false;
+    }
+  }
+}
+
+export { OptimizedUpdateEngine };

package/dist/lib/security/security-validator.js

@@ -0,0 +1,121 @@
+const DANGEROUS_KEYS = ['__proto__', 'constructor', 'prototype'];
+const HTML_TAG_PATTERN = /<[^>]*>/g;
+const DANGEROUS_HTML_PATTERNS = [/<script\b[^<]*(?:(?!<\/script>)<[^<]*)*<\/script>/gi, /on\w+\s*=/gi, /javascript:/gi, /<iframe\b/gi, /<object\b/gi, /<embed\b/gi];
+class SecurityValidator {
+  config;
+  dangerousKeys;
+  constructor(config = {}) {
+    this.config = {
+      preventPrototypePollution: config.preventPrototypePollution ?? true,
+      preventXSS: config.preventXSS ?? false,
+      preventFunctions: config.preventFunctions ?? true,
+      customDangerousKeys: config.customDangerousKeys ?? [],
+      onSecurityEvent: config.onSecurityEvent ?? (() => {}),
+      sanitizationMode: config.sanitizationMode ?? 'strict'
+    };
+    this.dangerousKeys = new Set([...DANGEROUS_KEYS, ...this.config.customDangerousKeys]);
+  }
+  validateKey(key) {
+    if (!this.config.preventPrototypePollution) {
+      return;
+    }
+    if (this.dangerousKeys.has(key)) {
+      const event = {
+        type: 'dangerous-key-blocked',
+        key,
+        reason: `Dangerous key "${key}" blocked to prevent prototype pollution`,
+        timestamp: Date.now()
+      };
+      this.config.onSecurityEvent(event);
+      throw new Error(`[SignalTree Security] Dangerous key "${key}" is not allowed. ` + `This key can lead to prototype pollution attacks. ` + `Blocked keys: ${Array.from(this.dangerousKeys).join(', ')}`);
+    }
+  }
+  validateValue(value) {
+    if (this.config.preventFunctions && typeof value === 'function') {
+      const event = {
+        type: 'function-value-blocked',
+        value,
+        reason: 'Function values are not allowed - state must be serializable',
+        timestamp: Date.now()
+      };
+      this.config.onSecurityEvent(event);
+      throw new Error(`[SignalTree Security] Function values are not allowed in state trees. ` + `Functions cannot be serialized, breaking features like time-travel, ` + `persistence, debugging, and SSR. ` + `\n\nTo fix this:` + `\n  - Store function references outside the tree` + `\n  - Use method names (strings) and a function registry` + `\n  - Use computed signals for derived values` + `\n\nBlocked value: ${value.toString().substring(0, 100)}...`);
+    }
+    if (!this.config.preventXSS || typeof value !== 'string') {
+      return value;
+    }
+    let hasDangerousPattern = false;
+    for (const pattern of DANGEROUS_HTML_PATTERNS) {
+      pattern.lastIndex = 0;
+      if (pattern.test(value)) {
+        hasDangerousPattern = true;
+        break;
+      }
+    }
+    if (hasDangerousPattern) {
+      const event = {
+        type: 'xss-attempt-blocked',
+        value,
+        reason: 'Dangerous HTML pattern detected and sanitized',
+        timestamp: Date.now()
+      };
+      this.config.onSecurityEvent(event);
+      return this.sanitize(value);
+    }
+    return this.sanitize(value);
+  }
+  sanitize(value) {
+    if (this.config.sanitizationMode === 'strict') {
+      let sanitized = value;
+      for (const pattern of DANGEROUS_HTML_PATTERNS) {
+        pattern.lastIndex = 0;
+        sanitized = sanitized.replace(pattern, '');
+      }
+      return sanitized.replace(HTML_TAG_PATTERN, '');
+    } else {
+      let sanitized = value;
+      for (const pattern of DANGEROUS_HTML_PATTERNS) {
+        pattern.lastIndex = 0;
+        sanitized = sanitized.replace(pattern, '');
+      }
+      return sanitized;
+    }
+  }
+  validateKeyValue(key, value) {
+    this.validateKey(key);
+    return this.validateValue(value);
+  }
+  isDangerousKey(key) {
+    return this.dangerousKeys.has(key);
+  }
+  getConfig() {
+    return {
+      ...this.config
+    };
+  }
+}
+const SecurityPresets = {
+  strict: () => new SecurityValidator({
+    preventPrototypePollution: true,
+    preventXSS: true,
+    preventFunctions: true,
+    sanitizationMode: 'strict'
+  }),
+  standard: () => new SecurityValidator({
+    preventPrototypePollution: true,
+    preventXSS: false,
+    preventFunctions: true
+  }),
+  permissive: () => new SecurityValidator({
+    preventPrototypePollution: true,
+    preventXSS: false,
+    preventFunctions: false
+  }),
+  disabled: () => new SecurityValidator({
+    preventPrototypePollution: false,
+    preventXSS: false,
+    preventFunctions: false
+  })
+};
+
+export { SecurityPresets, SecurityValidator };