@tellescope/sdk 1.250.2 → 1.252.0

package/lib/cjs/tests/api_tests/security/F-0013-sanitize-user-html.test.js

@@ -0,0 +1,148 @@
+"use strict";
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+var __generator = (this && this.__generator) || function (thisArg, body) {
+    var _ = { label: 0, sent: function() { if (t[0] & 1) throw t[1]; return t[1]; }, trys: [], ops: [] }, f, y, t, g;
+    return g = { next: verb(0), "throw": verb(1), "return": verb(2) }, typeof Symbol === "function" && (g[Symbol.iterator] = function() { return this; }), g;
+    function verb(n) { return function (v) { return step([n, v]); }; }
+    function step(op) {
+        if (f) throw new TypeError("Generator is already executing.");
+        while (g && (g = 0, op[0] && (_ = 0)), _) try {
+            if (f = 1, y && (t = op[0] & 2 ? y["return"] : op[0] ? y["throw"] || ((t = y["return"]) && t.call(y), 0) : y.next) && !(t = t.call(y, op[1])).done) return t;
+            if (y = 0, t) op = [op[0] & 2, t.value];
+            switch (op[0]) {
+                case 0: case 1: t = op; break;
+                case 4: _.label++; return { value: op[1], done: false };
+                case 5: _.label++; y = op[1]; op = [0]; continue;
+                case 7: op = _.ops.pop(); _.trys.pop(); continue;
+                default:
+                    if (!(t = _.trys, t = t.length > 0 && t[t.length - 1]) && (op[0] === 6 || op[0] === 2)) { _ = 0; continue; }
+                    if (op[0] === 3 && (!t || (op[1] > t[0] && op[1] < t[3]))) { _.label = op[1]; break; }
+                    if (op[0] === 6 && _.label < t[1]) { _.label = t[1]; t = op; break; }
+                    if (t && _.label < t[2]) { _.label = t[2]; _.ops.push(op); break; }
+                    if (t[2]) _.ops.pop();
+                    _.trys.pop(); continue;
+            }
+            op = body.call(thisArg, _);
+        } catch (e) { op = [6, e]; y = 0; } finally { f = t = 0; }
+        if (op[0] & 5) throw op[1]; return { value: op[0] ? op[1] : void 0, done: true };
+    }
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.sanitize_user_html_xss_tests = void 0;
+var utilities_1 = require("@tellescope/utilities");
+// Regression test for F-0013 / F-0014 (pattern 06 — XSS via dangerouslySetInnerHTML).
+// sanitize_user_html is the canonical render-time sanitizer that replaced remove_script_tags
+// at every dangerouslySetInnerHTML sink. This asserts it neutralizes XSS vectors (incl. encoded /
+// whitespace / mixed-case / iframe-srcdoc bypass variants) while preserving legitimate
+// customization HTML (tables, headings, lists, links, images, inline styles).
+//
+// Pure-function test — no Session needed. Runs as part of the main suite and standalone:
+//   ./build_cjs.sh && cd packages/public/sdk && node -r dotenv/config lib/cjs/tests/api_tests/security/F-0013-sanitize-user-html.test.js
+var fail = function (msg) { throw new Error(msg); };
+var has_no_executable_vector = function (out) {
+    var o = out.toLowerCase();
+    // A handler smuggled into an attribute VALUE (e.g. title="&lt;img onerror=...&gt;") is inert
+    // text — strip quoted values before checking for *live* on*= attributes to avoid false positives.
+    var withoutValues = o.replace(/"[^"]*"/g, '""').replace(/'[^']*'/g, "''");
+    return !/\son[a-z]+\s*=/.test(withoutValues) // no live on*= event-handler attribute
+        && !o.includes('javascript:') // dropped schemes never appear in safe output
+        && !o.includes('vbscript:')
+        && !o.includes('<script') // literal dangerous tags (encoded &lt;script is fine)
+        && !o.includes('<iframe')
+        && !o.includes('<svg')
+        && !o.includes('<math')
+        && !o.includes('<object')
+        && !o.includes('<embed')
+        && !o.includes('<form')
+        && !o.includes('<noscript')
+        && !o.includes('<template');
+};
+var sanitize_user_html_xss_tests = function () { return __awaiter(void 0, void 0, void 0, function () {
+    var xssPayloads, _i, xssPayloads_1, _a, name_1, payload, out, clobber, heading, table, list, link, img, dataimg, fmt, mixed;
+    return __generator(this, function (_b) {
+        console.log("Running F-0013/F-0014 sanitize_user_html XSS regression tests");
+        xssPayloads = [
+            ['img onerror', "<img src=x onerror=\"alert(document.domain)\">"],
+            ['svg onload', "<svg onload=\"alert(1)\"></svg>"],
+            ['svg animate onbegin', "<svg><animate onbegin=\"alert(1)\" attributeName=\"x\" dur=\"1s\"></svg>"],
+            ['details ontoggle', "<details open ontoggle=\"alert(1)\"></details>"],
+            ['input onfocus autofocus', "<input autofocus onfocus=\"alert(1)\">"],
+            ['body onpageshow', "<body onpageshow=\"alert(1)\">"],
+            ['a javascript scheme', "<a href=\"javascript:alert(1)\">x</a>"],
+            ['a javascript entity-encoded', "<a href=\"jav&#x09;ascript:alert(1)\">x</a>"],
+            ['iframe javascript src', "<iframe src=\"javascript:alert(1)\"></iframe>"],
+            ['iframe srcdoc nested', "<iframe srcdoc=\"<img src=x onerror=alert(1)>\"></iframe>"],
+            ['script tag', "<script>alert(1)</script>"],
+            ['onerror newline before =', "<img src=x onerror\n=\"alert(1)\">"],
+            ['onerror mixed case', "<IMG SRC=x OnErRoR=\"alert(1)\">"],
+            ['marquee onstart', "<marquee onstart=\"alert(1)\">x</marquee>"],
+            // mutation / namespace confusion — svg/math/noscript/template must be stripped
+            ['mathml mglyph style mxss', "<math><mtext><table><mglyph><style><!--</style><img src=x onerror=alert(1)>"],
+            ['svg foreignObject', "<svg><foreignObject><img src=x onerror=alert(1)></foreignObject></svg>"],
+            ['noscript context confusion', "<noscript><p title=\"</noscript><img src=x onerror=alert(1)>\">"],
+            ['template content', "<template><img src=x onerror=alert(1)></template>"],
+            // comment / CDATA confusion
+            ['comment confusion', "<!--><img src=x onerror=alert(1)>-->"],
+            ['cdata confusion', "<![CDATA[<img src=x onerror=alert(1)>]]>"],
+            // markup smuggled inside an attribute value must stay inert
+            ['markup inside attr value', "<img src=\"x\" alt=\"<script>alert(1)</script>\">"],
+            // protocol obfuscation
+            ['vbscript scheme', "<a href=\"vbscript:msgbox(1)\">x</a>"],
+            ['data text/html href', "<a href=\"data:text/html,<script>alert(1)</script>\">x</a>"],
+            ['javascript decimal entity', "<a href=\"&#74;avascript:alert(1)\">x</a>"],
+            ['javascript newline entity', "<a href=\"jav&#x0A;ascript:alert(1)\">x</a>"],
+        ];
+        for (_i = 0, xssPayloads_1 = xssPayloads; _i < xssPayloads_1.length; _i++) {
+            _a = xssPayloads_1[_i], name_1 = _a[0], payload = _a[1];
+            out = (0, utilities_1.sanitize_user_html)(payload);
+            if (!has_no_executable_vector(out))
+                fail("XSS not neutralized [".concat(name_1, "] -> ").concat(out));
+        }
+        clobber = (0, utilities_1.sanitize_user_html)("<a id=\"x\" name=\"getElementById\">link</a><img name=\"y\">");
+        if (/\b(id|name)\s*=/.test(clobber))
+            fail("id/name not stripped (DOM clobbering): ".concat(clobber));
+        heading = (0, utilities_1.sanitize_user_html)("<h1>Welcome</h1><h3 style=\"color:#333\">Sub</h3>");
+        if (!(heading.includes('<h1>') && heading.includes('<h3') && heading.toLowerCase().includes('color')))
+            fail("headings/style stripped: ".concat(heading));
+        table = (0, utilities_1.sanitize_user_html)("<table><thead><tr><th>H</th></tr></thead><tbody><tr><td style=\"padding:4px\" colspan=\"2\">cell</td></tr></tbody></table>");
+        if (!(table.includes('<table') && table.includes('<td') && table.includes('colspan')))
+            fail("table stripped: ".concat(table));
+        list = (0, utilities_1.sanitize_user_html)("<ul><li>a</li></ul><ol start=\"3\"><li>c</li></ol>");
+        if (!(list.includes('<ul') && list.includes('<li') && list.includes('<ol')))
+            fail("list stripped: ".concat(list));
+        link = (0, utilities_1.sanitize_user_html)("<a href=\"https://example.com\">link</a>");
+        if (!link.includes('href="https://example.com"'))
+            fail("safe link stripped: ".concat(link));
+        if (!link.toLowerCase().includes('noopener'))
+            fail("external link not hardened: ".concat(link));
+        img = (0, utilities_1.sanitize_user_html)("<img src=\"https://cdn.example.com/a.png\" alt=\"pic\" width=\"200\">");
+        if (!(img.includes('src="https://cdn.example.com/a.png"') && img.includes('alt="pic"')))
+            fail("http image stripped: ".concat(img));
+        dataimg = (0, utilities_1.sanitize_user_html)("<img src=\"data:image/png;base64,iVBORw0KGgo=\">");
+        if (!dataimg.includes('data:image/png'))
+            fail("data: image stripped: ".concat(dataimg));
+        fmt = (0, utilities_1.sanitize_user_html)("<p><strong>b</strong> <em>i</em> <span style=\"font-size:14px\">s</span></p><blockquote>q</blockquote>");
+        if (!(fmt.includes('<strong>') && fmt.includes('<span') && fmt.toLowerCase().includes('font-size')))
+            fail("formatting stripped: ".concat(fmt));
+        mixed = (0, utilities_1.sanitize_user_html)("<p>Hello <b>name</b></p><img src=x onerror=\"steal()\">");
+        if (!(mixed.includes('<b>name</b>') && !/\son[a-z]+\s*=/.test(mixed.toLowerCase())))
+            fail("mixed content not handled: ".concat(mixed));
+        console.log("✅ F-0013/F-0014 sanitize_user_html XSS regression tests passed");
+        return [2 /*return*/];
+    });
+}); };
+exports.sanitize_user_html_xss_tests = sanitize_user_html_xss_tests;
+if (require.main === module) {
+    (0, exports.sanitize_user_html_xss_tests)()
+        .then(function () { console.log("✅ suite completed"); process.exit(0); })
+        .catch(function (err) { console.error("❌ suite failed:", err); process.exit(1); });
+}
+//# sourceMappingURL=F-0013-sanitize-user-html.test.js.map

package/lib/cjs/tests/api_tests/security/F-0013-sanitize-user-html.test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"F-0013-sanitize-user-html.test.js","sourceRoot":"","sources":["../../../../../src/tests/api_tests/security/F-0013-sanitize-user-html.test.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA,mDAA0D;AAE1D,sFAAsF;AACtF,6FAA6F;AAC7F,kGAAkG;AAClG,uFAAuF;AACvF,8EAA8E;AAC9E,EAAE;AACF,yFAAyF;AACzF,yIAAyI;AAEzI,IAAM,IAAI,GAAG,UAAC,GAAW,IAAO,MAAM,IAAI,KAAK,CAAC,GAAG,CAAC,CAAA,CAAC,CAAC,CAAA;AAEtD,IAAM,wBAAwB,GAAG,UAAC,GAAW;IAC3C,IAAM,CAAC,GAAG,GAAG,CAAC,WAAW,EAAE,CAAA;IAC3B,6FAA6F;IAC7F,kGAAkG;IAClG,IAAM,aAAa,GAAG,CAAC,CAAC,OAAO,CAAC,UAAU,EAAE,IAAI,CAAC,CAAC,OAAO,CAAC,UAAU,EAAE,IAAI,CAAC,CAAA;IAC3E,OAAO,CAAC,gBAAgB,CAAC,IAAI,CAAC,aAAa,CAAC,CAAG,uCAAuC;WAC/E,CAAC,CAAC,CAAC,QAAQ,CAAC,aAAa,CAAC,CAAc,8CAA8C;WACtF,CAAC,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC;WACxB,CAAC,CAAC,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAkB,sDAAsD;WAC9F,CAAC,CAAC,CAAC,QAAQ,CAAC,SAAS,CAAC;WACtB,CAAC,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC;WACnB,CAAC,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC;WACpB,CAAC,CAAC,CAAC,QAAQ,CAAC,SAAS,CAAC;WACtB,CAAC,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC;WACrB,CAAC,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC;WACpB,CAAC,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC;WACxB,CAAC,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAA;AACjC,CAAC,CAAA;AAEM,IAAM,4BAA4B,GAAG;;;QAC1C,OAAO,CAAC,GAAG,CAAC,+DAA+D,CAAC,CAAA;QAEtE,WAAW,GAAuB;YACtC,CAAC,aAAa,EAAE,gDAA8C,CAAC;YAC/D,CAAC,YAAY,EAAE,iCAA+B,CAAC;YAC/C,CAAC,qBAAqB,EAAE,0EAAoE,CAAC;YAC7F,CAAC,kBAAkB,EAAE,gDAA8C,CAAC;YACpE,CAAC,yBAAyB,EAAE,wCAAsC,CAAC;YACnE,CAAC,iBAAiB,EAAE,gCAA8B,CAAC;YACnD,CAAC,qBAAqB,EAAE,uCAAqC,CAAC;YAC9D,CAAC,6BAA6B,EAAE,6CAA2C,CAAC;YAC5E,CAAC,uBAAuB,EAAE,+CAA6C,CAAC;YACxE,CAAC,sBAAsB,EAAE,2DAAyD,CAAC;YACnF,CAAC,YAAY,EAAE,2BAA2B,CAAC;YAC3C,CAAC,0BAA0B,EAAE,oCAAkC,CAAC;YAChE,CAAC,oBAAoB,EAAE,kCAAgC,CAAC;YACxD,CAAC,iBAAiB,EAAE,2CAAyC,CAAC;YAC9D,+EAA+E;YAC/E,CAAC,0BAA0B,EAAE,6EAA6E,CAAC;YAC3G,CAAC,mBAAmB,EAAE,wEAAwE,CAAC;YAC/F,CAAC,4BAA4B,EAAE,iEAA+D,CAAC;YAC/F,CAAC,kBAAkB,EAAE,mDAAmD,CAAC;YACzE,4BAA4B;YAC5B,CAAC,mBAAmB,EAAE,sCAAsC,CAAC;YAC7D,CAAC,iBAAiB,EAAE,0CAA0C,CAAC;YAC/D,4DAA4D;YAC5D,CAAC,0BAA0B,EAAE,mDAA+C,CAAC;YAC7E,uBAAuB;YACvB,CAAC,iBAAiB,EAAE,sCAAoC,CAAC;YACzD,CAAC,qBAAqB,EAAE,4DAA0D,CAAC;YACnF,CAAC,2BAA2B,EAAE,2CAAyC,CAAC;YACxE,CAAC,2BAA2B,EAAE,6CAA2C,CAAC;SAC3E,CAAA;QACD,WAAyC,EAAX,2BAAW,EAAX,yBAAW,EAAX,IAAW,EAAE;YAAhC,sBAAe,EAAd,cAAI,EAAE,OAAO,QAAA;YACjB,GAAG,GAAG,IAAA,8BAAkB,EAAC,OAAO,CAAC,CAAA;YACvC,IAAI,CAAC,wBAAwB,CAAC,GAAG,CAAC;gBAAE,IAAI,CAAC,+BAAwB,MAAI,kBAAQ,GAAG,CAAE,CAAC,CAAA;SACpF;QAGK,OAAO,GAAG,IAAA,8BAAkB,EAAC,8DAAwD,CAAC,CAAA;QAC5F,IAAI,iBAAiB,CAAC,IAAI,CAAC,OAAO,CAAC;YAAE,IAAI,CAAC,iDAA0C,OAAO,CAAE,CAAC,CAAA;QAGxF,OAAO,GAAG,IAAA,8BAAkB,EAAC,mDAAiD,CAAC,CAAA;QACrF,IAAI,CAAC,CAAC,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAC,IAAI,OAAO,CAAC,WAAW,EAAE,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;YAAE,IAAI,CAAC,mCAA4B,OAAO,CAAE,CAAC,CAAA;QAE5I,KAAK,GAAG,IAAA,8BAAkB,EAAC,4HAAwH,CAAC,CAAA;QAC1J,IAAI,CAAC,CAAC,KAAK,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAI,KAAK,CAAC,QAAQ,CAAC,KAAK,CAAC,IAAI,KAAK,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC;YAAE,IAAI,CAAC,0BAAmB,KAAK,CAAE,CAAC,CAAA;QAEjH,IAAI,GAAG,IAAA,8BAAkB,EAAC,oDAAkD,CAAC,CAAA;QACnF,IAAI,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,KAAK,CAAC,IAAI,IAAI,CAAC,QAAQ,CAAC,KAAK,CAAC,IAAI,IAAI,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;YAAE,IAAI,CAAC,yBAAkB,IAAI,CAAE,CAAC,CAAA;QAErG,IAAI,GAAG,IAAA,8BAAkB,EAAC,0CAAwC,CAAC,CAAA;QACzE,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,4BAA4B,CAAC;YAAE,IAAI,CAAC,8BAAuB,IAAI,CAAE,CAAC,CAAA;QACrF,IAAI,CAAC,IAAI,CAAC,WAAW,EAAE,CAAC,QAAQ,CAAC,UAAU,CAAC;YAAE,IAAI,CAAC,sCAA+B,IAAI,CAAE,CAAC,CAAA;QAEnF,GAAG,GAAG,IAAA,8BAAkB,EAAC,uEAAiE,CAAC,CAAA;QACjG,IAAI,CAAC,CAAC,GAAG,CAAC,QAAQ,CAAC,qCAAqC,CAAC,IAAI,GAAG,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;YAAE,IAAI,CAAC,+BAAwB,GAAG,CAAE,CAAC,CAAA;QAEtH,OAAO,GAAG,IAAA,8BAAkB,EAAC,kDAAgD,CAAC,CAAA;QACpF,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,gBAAgB,CAAC;YAAE,IAAI,CAAC,gCAAyB,OAAO,CAAE,CAAC,CAAA;QAE3E,GAAG,GAAG,IAAA,8BAAkB,EAAC,wGAAsG,CAAC,CAAA;QACtI,IAAI,CAAC,CAAC,GAAG,CAAC,QAAQ,CAAC,UAAU,CAAC,IAAI,GAAG,CAAC,QAAQ,CAAC,OAAO,CAAC,IAAI,GAAG,CAAC,WAAW,EAAE,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;YAAE,IAAI,CAAC,+BAAwB,GAAG,CAAE,CAAC,CAAA;QAElI,KAAK,GAAG,IAAA,8BAAkB,EAAC,yDAAuD,CAAC,CAAA;QACzF,IAAI,CAAC,CAAC,KAAK,CAAC,QAAQ,CAAC,aAAa,CAAC,IAAI,CAAC,gBAAgB,CAAC,IAAI,CAAC,KAAK,CAAC,WAAW,EAAE,CAAC,CAAC;YAAE,IAAI,CAAC,qCAA8B,KAAK,CAAE,CAAC,CAAA;QAEhI,OAAO,CAAC,GAAG,CAAC,gEAAgE,CAAC,CAAA;;;KAC9E,CAAA;AAtEY,QAAA,4BAA4B,gCAsExC;AAED,IAAI,OAAO,CAAC,IAAI,KAAK,MAAM,EAAE;IAC3B,IAAA,oCAA4B,GAAE;SAC3B,IAAI,CAAC,cAAQ,OAAO,CAAC,GAAG,CAAC,mBAAmB,CAAC,CAAC,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAA,CAAC,CAAC,CAAC;SACjE,KAAK,CAAC,UAAC,GAAG,IAAO,OAAO,CAAC,KAAK,CAAC,iBAAiB,EAAE,GAAG,CAAC,CAAC,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAA,CAAC,CAAC,CAAC,CAAA;CAC9E"}

package/lib/cjs/tests/api_tests/security/F-0016-prototype-pollution.test.d.ts

@@ -0,0 +1,2 @@
+export declare const prototype_pollution_tests: () => Promise<void>;
+//# sourceMappingURL=F-0016-prototype-pollution.test.d.ts.map

package/lib/cjs/tests/api_tests/security/F-0016-prototype-pollution.test.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"F-0016-prototype-pollution.test.d.ts","sourceRoot":"","sources":["../../../../../src/tests/api_tests/security/F-0016-prototype-pollution.test.ts"],"names":[],"mappings":"AAWA,eAAO,MAAM,yBAAyB,qBAgCrC,CAAA"}

package/lib/cjs/tests/api_tests/security/F-0016-prototype-pollution.test.js

@@ -0,0 +1,88 @@
+"use strict";
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+var __generator = (this && this.__generator) || function (thisArg, body) {
+    var _ = { label: 0, sent: function() { if (t[0] & 1) throw t[1]; return t[1]; }, trys: [], ops: [] }, f, y, t, g;
+    return g = { next: verb(0), "throw": verb(1), "return": verb(2) }, typeof Symbol === "function" && (g[Symbol.iterator] = function() { return this; }), g;
+    function verb(n) { return function (v) { return step([n, v]); }; }
+    function step(op) {
+        if (f) throw new TypeError("Generator is already executing.");
+        while (g && (g = 0, op[0] && (_ = 0)), _) try {
+            if (f = 1, y && (t = op[0] & 2 ? y["return"] : op[0] ? y["throw"] || ((t = y["return"]) && t.call(y), 0) : y.next) && !(t = t.call(y, op[1])).done) return t;
+            if (y = 0, t) op = [op[0] & 2, t.value];
+            switch (op[0]) {
+                case 0: case 1: t = op; break;
+                case 4: _.label++; return { value: op[1], done: false };
+                case 5: _.label++; y = op[1]; op = [0]; continue;
+                case 7: op = _.ops.pop(); _.trys.pop(); continue;
+                default:
+                    if (!(t = _.trys, t = t.length > 0 && t[t.length - 1]) && (op[0] === 6 || op[0] === 2)) { _ = 0; continue; }
+                    if (op[0] === 3 && (!t || (op[1] > t[0] && op[1] < t[3]))) { _.label = op[1]; break; }
+                    if (op[0] === 6 && _.label < t[1]) { _.label = t[1]; t = op; break; }
+                    if (t && _.label < t[2]) { _.label = t[2]; _.ops.push(op); break; }
+                    if (t[2]) _.ops.pop();
+                    _.trys.pop(); continue;
+            }
+            op = body.call(thisArg, _);
+        } catch (e) { op = [6, e]; y = 0; } finally { f = t = 0; }
+        if (op[0] & 5) throw op[1]; return { value: op[0] ? op[1] : void 0, done: true };
+    }
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.prototype_pollution_tests = void 0;
+var utilities_1 = require("@tellescope/utilities");
+// Regression test for F-0016 (pattern 17 — prototype pollution).
+// add_value_for_dotted_key must NOT write through __proto__/constructor/prototype path segments
+// (which would pollute Object.prototype process-wide), while still performing legitimate dotted assignment.
+//
+// Pure-function test — no Session needed. Runs in the main suite and standalone:
+//   ./build_cjs.sh && cd packages/public/sdk && node -r dotenv/config lib/cjs/tests/api_tests/security/F-0016-prototype-pollution.test.js
+var fail = function (msg) { throw new Error(msg); };
+var prototype_pollution_tests = function () { return __awaiter(void 0, void 0, void 0, function () {
+    var leakedA, leakedB, leakedC, obj, flat;
+    return __generator(this, function (_a) {
+        console.log("Running F-0016 prototype-pollution regression tests");
+        // 1. __proto__ path must not pollute Object.prototype
+        (0, utilities_1.add_value_for_dotted_key)({ insurance: {} }, 'insurance.__proto__.__pp_a__', 'polluted');
+        leakedA = {}.__pp_a__;
+        delete Object.prototype.__pp_a__; // clean up regardless, so a failure here can't contaminate the rest of the suite
+        if (leakedA !== undefined)
+            fail('Object.prototype polluted via __proto__ path');
+        // 2. constructor.prototype path must not pollute
+        (0, utilities_1.add_value_for_dotted_key)({ insurance: {} }, 'insurance.constructor.prototype.__pp_b__', 'polluted');
+        leakedB = {}.__pp_b__;
+        delete Object.prototype.__pp_b__;
+        if (leakedB !== undefined)
+            fail('Object.prototype polluted via constructor.prototype path');
+        // 3. a leading __proto__ segment must not pollute either
+        (0, utilities_1.add_value_for_dotted_key)({}, '__proto__.__pp_c__', 'polluted');
+        leakedC = {}.__pp_c__;
+        delete Object.prototype.__pp_c__;
+        if (leakedC !== undefined)
+            fail('Object.prototype polluted via leading __proto__ segment');
+        obj = { a: { b: {} } };
+        (0, utilities_1.add_value_for_dotted_key)(obj, 'a.b.c', 42);
+        if (obj.a.b.c !== 42)
+            fail('legitimate dotted assignment broke');
+        flat = {};
+        (0, utilities_1.add_value_for_dotted_key)(flat, 'name', 'ok');
+        if (flat.name !== 'ok')
+            fail('single-key assignment broke');
+        console.log("✅ F-0016 prototype-pollution regression tests passed");
+        return [2 /*return*/];
+    });
+}); };
+exports.prototype_pollution_tests = prototype_pollution_tests;
+if (require.main === module) {
+    (0, exports.prototype_pollution_tests)()
+        .then(function () { console.log("✅ suite completed"); process.exit(0); })
+        .catch(function (err) { console.error("❌ suite failed:", err); process.exit(1); });
+}
+//# sourceMappingURL=F-0016-prototype-pollution.test.js.map

package/lib/cjs/tests/api_tests/security/F-0016-prototype-pollution.test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"F-0016-prototype-pollution.test.js","sourceRoot":"","sources":["../../../../../src/tests/api_tests/security/F-0016-prototype-pollution.test.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA,mDAAgE;AAEhE,iEAAiE;AACjE,gGAAgG;AAChG,4GAA4G;AAC5G,EAAE;AACF,iFAAiF;AACjF,0IAA0I;AAE1I,IAAM,IAAI,GAAG,UAAC,GAAW,IAAO,MAAM,IAAI,KAAK,CAAC,GAAG,CAAC,CAAA,CAAC,CAAC,CAAA;AAE/C,IAAM,yBAAyB,GAAG;;;QACvC,OAAO,CAAC,GAAG,CAAC,qDAAqD,CAAC,CAAA;QAElE,sDAAsD;QACtD,IAAA,oCAAwB,EAAC,EAAE,SAAS,EAAE,EAAE,EAAS,EAAE,8BAA8B,EAAE,UAAU,CAAC,CAAA;QACxF,OAAO,GAAI,EAAU,CAAC,QAAQ,CAAA;QACpC,OAAQ,MAAM,CAAC,SAAiB,CAAC,QAAQ,CAAA,CAAC,iFAAiF;QAC3H,IAAI,OAAO,KAAK,SAAS;YAAE,IAAI,CAAC,8CAA8C,CAAC,CAAA;QAE/E,iDAAiD;QACjD,IAAA,oCAAwB,EAAC,EAAE,SAAS,EAAE,EAAE,EAAS,EAAE,0CAA0C,EAAE,UAAU,CAAC,CAAA;QACpG,OAAO,GAAI,EAAU,CAAC,QAAQ,CAAA;QACpC,OAAQ,MAAM,CAAC,SAAiB,CAAC,QAAQ,CAAA;QACzC,IAAI,OAAO,KAAK,SAAS;YAAE,IAAI,CAAC,0DAA0D,CAAC,CAAA;QAE3F,yDAAyD;QACzD,IAAA,oCAAwB,EAAC,EAAS,EAAE,oBAAoB,EAAE,UAAU,CAAC,CAAA;QAC/D,OAAO,GAAI,EAAU,CAAC,QAAQ,CAAA;QACpC,OAAQ,MAAM,CAAC,SAAiB,CAAC,QAAQ,CAAA;QACzC,IAAI,OAAO,KAAK,SAAS;YAAE,IAAI,CAAC,yDAAyD,CAAC,CAAA;QAGpF,GAAG,GAAG,EAAE,CAAC,EAAE,EAAE,CAAC,EAAE,EAAE,EAAE,EAAS,CAAA;QACnC,IAAA,oCAAwB,EAAC,GAAG,EAAE,OAAO,EAAE,EAAE,CAAC,CAAA;QAC1C,IAAI,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,KAAK,EAAE;YAAE,IAAI,CAAC,oCAAoC,CAAC,CAAA;QAG1D,IAAI,GAAG,EAAS,CAAA;QACtB,IAAA,oCAAwB,EAAC,IAAI,EAAE,MAAM,EAAE,IAAI,CAAC,CAAA;QAC5C,IAAI,IAAI,CAAC,IAAI,KAAK,IAAI;YAAE,IAAI,CAAC,6BAA6B,CAAC,CAAA;QAE3D,OAAO,CAAC,GAAG,CAAC,sDAAsD,CAAC,CAAA;;;KACpE,CAAA;AAhCY,QAAA,yBAAyB,6BAgCrC;AAED,IAAI,OAAO,CAAC,IAAI,KAAK,MAAM,EAAE;IAC3B,IAAA,iCAAyB,GAAE;SACxB,IAAI,CAAC,cAAQ,OAAO,CAAC,GAAG,CAAC,mBAAmB,CAAC,CAAC,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAA,CAAC,CAAC,CAAC;SACjE,KAAK,CAAC,UAAC,GAAG,IAAO,OAAO,CAAC,KAAK,CAAC,iBAAiB,EAAE,GAAG,CAAC,CAAC,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAA,CAAC,CAAC,CAAC,CAAA;CAC9E"}

package/lib/cjs/tests/api_tests/set_fields_order_templates.test.d.ts

@@ -0,0 +1,6 @@
+import { Session } from "../../sdk";
+export declare const set_fields_order_templates_tests: ({ sdk, sdkNonAdmin }: {
+    sdk: Session;
+    sdkNonAdmin: Session;
+}) => Promise<void>;
+//# sourceMappingURL=set_fields_order_templates.test.d.ts.map

package/lib/cjs/tests/api_tests/set_fields_order_templates.test.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"set_fields_order_templates.test.d.ts","sourceRoot":"","sources":["../../../../src/tests/api_tests/set_fields_order_templates.test.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAA;AAoOnC,eAAO,MAAM,gCAAgC;SACd,OAAO;iBAAe,OAAO;mBAK3D,CAAA"}