@tracelane/report 0.1.0-alpha.2 → 0.1.0-alpha.20

package/NOTICE

@@ -10,6 +10,14 @@ This product includes software developed by:
     rrweb-player 1.0.0-alpha.4 (MIT License) — UMD + CSS inlined into report HTML.
 - fflate (https://github.com/101arrowz/fflate) 0.8.x (MIT License) —
     browser gunzip build inlined into report HTML for offline decompression.
+- Google Inc. + Universal Thirst — Fraunces (SIL Open Font License 1.1) —
+    variable serif font, latin charset (normal + italic styles), embedded
+    into report HTML as base64 woff2 inside @font-face rules. Used for the
+    hero headline + section heads. Source: @fontsource-variable/fraunces.
+- Philipp Nurullin + JetBrains — JetBrains Mono (SIL Open Font License 1.1)
+    — variable monospace font, latin charset (normal style only), embedded
+    the same way. Used for all data rows + metadata. Source:
+    @fontsource-variable/jetbrains-mono.
 
 This product is licensed under the Apache License, Version 2.0.
 See the LICENSE file for details.

package/README.md

@@ -1,13 +1,34 @@
+<img src="https://raw.githubusercontent.com/Cubenest/rrweb-stack/main/assets/brand/sub-tracelane.svg" height="40" alt="tracelane">
+
 # @tracelane/report
 
-The self-contained, offline HTML report builder for [`tracelane`](https://github.com/Cubenest/rrweb-stack/tree/main/packages/tracelane-core). Given a captured rrweb event stream plus test metadata, it produces a **single `.html` file** that:
+> The HTML report builder behind tracelane — turns a captured rrweb event stream into a single, self-contained `.html` file that replays offline. No SaaS, no dashboard, no signup.
+
+[![npm](https://img.shields.io/npm/v/@tracelane/report.svg)](https://www.npmjs.com/package/@tracelane/report)
+[![downloads](https://img.shields.io/npm/dw/@tracelane/report.svg)](https://www.npmjs.com/package/@tracelane/report)
+[![license](https://img.shields.io/npm/l/@tracelane/report.svg)](https://github.com/Cubenest/rrweb-stack/blob/main/LICENSE)
+[![CI](https://github.com/Cubenest/rrweb-stack/actions/workflows/ci.yml/badge.svg?branch=main)](https://github.com/Cubenest/rrweb-stack/actions/workflows/ci.yml)
+[![OpenSSF Scorecard](https://api.scorecard.dev/projects/github.com/Cubenest/rrweb-stack/badge)](https://scorecard.dev/viewer/?uri=github.com/Cubenest/rrweb-stack)
+[![types](https://img.shields.io/npm/types/@tracelane/report.svg)](https://www.npmjs.com/package/@tracelane/report)
+[![node](https://img.shields.io/node/v/@tracelane/report.svg)](https://www.npmjs.com/package/@tracelane/report)
+![status: alpha](https://img.shields.io/badge/status-alpha-orange.svg)
+
+The self-contained, offline HTML report builder for [`tracelane`](https://github.com/Cubenest/rrweb-stack). Given a captured rrweb event stream plus test metadata, it produces a **single `.html` file** that:
 
 - opens in any browser, fully offline (no network fetch at view time);
 - embeds the [`rrweb-player`](https://www.npmjs.com/package/rrweb-player) UMD + CSS inline;
 - embeds the events as a gzipped, base64-encoded blob that is decompressed in-page with an inlined [`fflate`](https://github.com/101arrowz/fflate) gunzip;
 - renders console + network panels, a metadata header, and a "Copy as Markdown for AI paste" button.
 
-Not generally intended for direct consumption — depend on a product package (`@tracelane/wdio`) instead.
+**Not generally intended for direct consumption** — depend on a product package (`@tracelane/wdio`) instead. See the [`@tracelane/wdio` README](https://github.com/Cubenest/rrweb-stack/tree/main/packages/tracelane-wdio) for the integration guide.
+## Install
+
+```sh
+npm install @tracelane/report
+```
+
+- **ESM-only.** The package ships `"type": "module"` and a single `import` export — there is no CommonJS entry, so `require('@tracelane/report')` will not work. Use `import { buildReport } from '@tracelane/report'` (or a dynamic `import()` from CJS).
+- **Node >= 22** is required (`engines.node`).
 
 ## Usage
 
@@ -30,12 +51,19 @@ const html = buildReport(events, {
 
 ## Design
 
-See [P1 PRD §F](https://github.com/Cubenest/rrweb-stack/blob/main/prds/compass_artifact_wf-d53d32da-17e9-41b5-bb70-21dd1bf648c6_text_markdown.md) and [ADR-0005](https://github.com/Cubenest/rrweb-stack/blob/main/prds/adrs/0005-p1-failed-only-self-contained-html.md).
-
 - **Player:** `rrweb-player@1.0.0-alpha.4` (upstream). `@posthog/rrweb-player` was the natural lineage match for the `@cubenest/rrweb-core` substrate fork, but every published version pins an unpublished dependency (`@posthog/rrweb-packer@0.0.0`, 404) and is therefore uninstallable. Upstream `rrweb-player` descends from the same rrweb 2.x line (`2.0.0-alpha.x`) that the substrate's `@posthog/rrweb@0.0.34` was forked from (`2.0.0-alpha.17`), so the recorded event shape replays correctly.
 - **Decompression:** the build side uses `@cubenest/rrweb-core`'s `compress()` (fflate gzip); the view side inlines fflate's browser `gunzipSync` for a small (~8 KB) offline decompressor.
 - **Asset inlining:** the player UMD/CSS and the fflate gunzip source are read from `node_modules` at build time (`fs.readFileSync`) — never hand-pasted into source.
 
 ## License
 
-Apache 2.0. The inlined rrweb player and fflate remain MIT-licensed; see NOTICE.
+Apache 2.0. The inlined rrweb player and fflate remain MIT-licensed; see [NOTICE](https://github.com/Cubenest/rrweb-stack/blob/main/packages/tracelane-report/NOTICE).
+
+## Related packages
+
+- [`@tracelane/cli`](https://github.com/Cubenest/rrweb-stack/tree/main/packages/tracelane-cli) — wires the recorder into your test runners (WebdriverIO and Playwright; Cypress on the roadmap).
+- [`@tracelane/wdio`](https://github.com/Cubenest/rrweb-stack/tree/main/packages/tracelane-wdio) — the WebdriverIO integration that captures sessions and calls this builder on failure.
+- [`@tracelane/playwright`](https://github.com/Cubenest/rrweb-stack/tree/main/packages/tracelane-playwright) — the Playwright integration.
+- [`@tracelane/core`](https://github.com/Cubenest/rrweb-stack/tree/main/packages/tracelane-core) — the capture engine (rrweb event stream + `compress()`).
+
+See the [CHANGELOG](https://github.com/Cubenest/rrweb-stack/blob/main/packages/tracelane-report/CHANGELOG.md) for release history.

package/dist/_security/detectors/insecure-cookies.d.ts

@@ -0,0 +1,4 @@
+import type { SecurityFinding } from '../index.js';
+import type { ResponseMeta } from '../response-meta.js';
+export declare function detectInsecureCookies(metas: readonly ResponseMeta[]): SecurityFinding[];
+//# sourceMappingURL=insecure-cookies.d.ts.map

package/dist/_security/detectors/insecure-cookies.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"insecure-cookies.d.ts","sourceRoot":"","sources":["../../../src/_security/detectors/insecure-cookies.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,eAAe,EAAY,MAAM,aAAa,CAAC;AAC7D,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,qBAAqB,CAAC;AAQxD,wBAAgB,qBAAqB,CAAC,KAAK,EAAE,SAAS,YAAY,EAAE,GAAG,eAAe,EAAE,CAuBvF"}

package/dist/_security/detectors/insecure-cookies.js

@@ -0,0 +1,32 @@
+const FLAGS = [
+    { key: 'secure', label: 'Secure', severity: 'medium' },
+    { key: 'httpOnly', label: 'HttpOnly', severity: 'low' },
+    { key: 'sameSite', label: 'SameSite', severity: 'low' },
+];
+export function detectInsecureCookies(metas) {
+    const out = [];
+    const seen = new Set();
+    for (const m of metas) {
+        for (const c of m.setCookies) {
+            for (const f of FLAGS) {
+                if (c[f.key])
+                    continue;
+                const id = `insecure-cookie:${c.name}:${f.label}`;
+                if (seen.has(id))
+                    continue;
+                seen.add(id);
+                out.push({
+                    id,
+                    signal: 'insecure-cookie',
+                    severity: f.severity,
+                    title: `Cookie '${c.name}' missing ${f.label}`,
+                    detail: `Set-Cookie '${c.name}' did not set the ${f.label} attribute.`,
+                    evidence: `${c.name}:${f.label}`,
+                    advisory: true,
+                });
+            }
+        }
+    }
+    return out;
+}
+//# sourceMappingURL=insecure-cookies.js.map

package/dist/_security/detectors/insecure-cookies.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"insecure-cookies.js","sourceRoot":"","sources":["../../../src/_security/detectors/insecure-cookies.ts"],"names":[],"mappings":"AAGA,MAAM,KAAK,GAAqF;IAC9F,EAAE,GAAG,EAAE,QAAQ,EAAE,KAAK,EAAE,QAAQ,EAAE,QAAQ,EAAE,QAAQ,EAAE;IACtD,EAAE,GAAG,EAAE,UAAU,EAAE,KAAK,EAAE,UAAU,EAAE,QAAQ,EAAE,KAAK,EAAE;IACvD,EAAE,GAAG,EAAE,UAAU,EAAE,KAAK,EAAE,UAAU,EAAE,QAAQ,EAAE,KAAK,EAAE;CACxD,CAAC;AAEF,MAAM,UAAU,qBAAqB,CAAC,KAA8B;IAClE,MAAM,GAAG,GAAsB,EAAE,CAAC;IAClC,MAAM,IAAI,GAAG,IAAI,GAAG,EAAU,CAAC;IAC/B,KAAK,MAAM,CAAC,IAAI,KAAK,EAAE,CAAC;QACtB,KAAK,MAAM,CAAC,IAAI,CAAC,CAAC,UAAU,EAAE,CAAC;YAC7B,KAAK,MAAM,CAAC,IAAI,KAAK,EAAE,CAAC;gBACtB,IAAI,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC;oBAAE,SAAS;gBACvB,MAAM,EAAE,GAAG,mBAAmB,CAAC,CAAC,IAAI,IAAI,CAAC,CAAC,KAAK,EAAE,CAAC;gBAClD,IAAI,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC;oBAAE,SAAS;gBAC3B,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;gBACb,GAAG,CAAC,IAAI,CAAC;oBACP,EAAE;oBACF,MAAM,EAAE,iBAAiB;oBACzB,QAAQ,EAAE,CAAC,CAAC,QAAQ;oBACpB,KAAK,EAAE,WAAW,CAAC,CAAC,IAAI,aAAa,CAAC,CAAC,KAAK,EAAE;oBAC9C,MAAM,EAAE,eAAe,CAAC,CAAC,IAAI,qBAAqB,CAAC,CAAC,KAAK,aAAa;oBACtE,QAAQ,EAAE,GAAG,CAAC,CAAC,IAAI,IAAI,CAAC,CAAC,KAAK,EAAE;oBAChC,QAAQ,EAAE,IAAI;iBACf,CAAC,CAAC;YACL,CAAC;QACH,CAAC;IACH,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC"}

package/dist/_security/detectors/missing-headers.d.ts

@@ -0,0 +1,4 @@
+import type { SecurityFinding } from '../index.js';
+import type { ResponseMeta } from '../response-meta.js';
+export declare function detectMissingHeaders(metas: readonly ResponseMeta[]): SecurityFinding[];
+//# sourceMappingURL=missing-headers.d.ts.map

package/dist/_security/detectors/missing-headers.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"missing-headers.d.ts","sourceRoot":"","sources":["../../../src/_security/detectors/missing-headers.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,eAAe,EAAY,MAAM,aAAa,CAAC;AAC7D,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,qBAAqB,CAAC;AAcxD,wBAAgB,oBAAoB,CAAC,KAAK,EAAE,SAAS,YAAY,EAAE,GAAG,eAAe,EAAE,CAoBtF"}

package/dist/_security/detectors/missing-headers.js

@@ -0,0 +1,36 @@
+const HEADERS = [
+    { name: 'content-security-policy', severity: 'high', label: 'Content-Security-Policy' },
+    {
+        name: 'strict-transport-security',
+        severity: 'medium',
+        label: 'Strict-Transport-Security (HSTS)',
+    },
+    { name: 'x-frame-options', severity: 'medium', label: 'X-Frame-Options' },
+    { name: 'x-content-type-options', severity: 'medium', label: 'X-Content-Type-Options' },
+    { name: 'referrer-policy', severity: 'low', label: 'Referrer-Policy' },
+];
+export function detectMissingHeaders(metas) {
+    const main = metas.find((m) => m.isMainDocument);
+    if (!main)
+        return [];
+    // HTTPS gate: header/HSTS checks are moot + noisy on non-HTTPS (localhost/non-prod).
+    if (!main.url.startsWith('https://'))
+        return [];
+    const present = new Set(main.presentSecurityHeaders.map((h) => h.toLowerCase()));
+    const out = [];
+    for (const h of HEADERS) {
+        if (present.has(h.name))
+            continue;
+        out.push({
+            id: `missing-security-header:${h.name}`,
+            signal: 'missing-security-header',
+            severity: h.severity,
+            title: `Missing ${h.label} header`,
+            detail: `The main document response did not set the ${h.label} header.`,
+            evidence: h.name,
+            advisory: true,
+        });
+    }
+    return out;
+}
+//# sourceMappingURL=missing-headers.js.map

package/dist/_security/detectors/missing-headers.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"missing-headers.js","sourceRoot":"","sources":["../../../src/_security/detectors/missing-headers.ts"],"names":[],"mappings":"AAGA,MAAM,OAAO,GAA0D;IACrE,EAAE,IAAI,EAAE,yBAAyB,EAAE,QAAQ,EAAE,MAAM,EAAE,KAAK,EAAE,yBAAyB,EAAE;IACvF;QACE,IAAI,EAAE,2BAA2B;QACjC,QAAQ,EAAE,QAAQ;QAClB,KAAK,EAAE,kCAAkC;KAC1C;IACD,EAAE,IAAI,EAAE,iBAAiB,EAAE,QAAQ,EAAE,QAAQ,EAAE,KAAK,EAAE,iBAAiB,EAAE;IACzE,EAAE,IAAI,EAAE,wBAAwB,EAAE,QAAQ,EAAE,QAAQ,EAAE,KAAK,EAAE,wBAAwB,EAAE;IACvF,EAAE,IAAI,EAAE,iBAAiB,EAAE,QAAQ,EAAE,KAAK,EAAE,KAAK,EAAE,iBAAiB,EAAE;CACvE,CAAC;AAEF,MAAM,UAAU,oBAAoB,CAAC,KAA8B;IACjE,MAAM,IAAI,GAAG,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,cAAc,CAAC,CAAC;IACjD,IAAI,CAAC,IAAI;QAAE,OAAO,EAAE,CAAC;IACrB,qFAAqF;IACrF,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,UAAU,CAAC,UAAU,CAAC;QAAE,OAAO,EAAE,CAAC;IAChD,MAAM,OAAO,GAAG,IAAI,GAAG,CAAC,IAAI,CAAC,sBAAsB,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,WAAW,EAAE,CAAC,CAAC,CAAC;IACjF,MAAM,GAAG,GAAsB,EAAE,CAAC;IAClC,KAAK,MAAM,CAAC,IAAI,OAAO,EAAE,CAAC;QACxB,IAAI,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC;YAAE,SAAS;QAClC,GAAG,CAAC,IAAI,CAAC;YACP,EAAE,EAAE,2BAA2B,CAAC,CAAC,IAAI,EAAE;YACvC,MAAM,EAAE,yBAAyB;YACjC,QAAQ,EAAE,CAAC,CAAC,QAAQ;YACpB,KAAK,EAAE,WAAW,CAAC,CAAC,KAAK,SAAS;YAClC,MAAM,EAAE,8CAA8C,CAAC,CAAC,KAAK,UAAU;YACvE,QAAQ,EAAE,CAAC,CAAC,IAAI;YAChB,QAAQ,EAAE,IAAI;SACf,CAAC,CAAC;IACL,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC"}

package/dist/_security/detectors/mixed-content.d.ts

@@ -0,0 +1,5 @@
+import type { eventWithTime } from '@cubenest/rrweb-core';
+import type { SecurityFinding } from '../index.js';
+import type { ResponseMeta } from '../response-meta.js';
+export declare function detectMixedContent(events: readonly eventWithTime[], metas: readonly ResponseMeta[]): SecurityFinding[];
+//# sourceMappingURL=mixed-content.d.ts.map

package/dist/_security/detectors/mixed-content.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"mixed-content.d.ts","sourceRoot":"","sources":["../../../src/_security/detectors/mixed-content.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,sBAAsB,CAAC;AAC1D,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,aAAa,CAAC;AACnD,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,qBAAqB,CAAC;AA0CxD,wBAAgB,kBAAkB,CAChC,MAAM,EAAE,SAAS,aAAa,EAAE,EAChC,KAAK,EAAE,SAAS,YAAY,EAAE,GAC7B,eAAe,EAAE,CA8BnB"}

package/dist/_security/detectors/mixed-content.js

@@ -0,0 +1,74 @@
+import { collectRoots, walk } from '../serialized-dom.js';
+/**
+ * Walks rrweb serialized DOM snapshots for subresource-loading attributes that
+ * point at `http://` on an HTTPS page — the mixed-content risk. Re-sourced from
+ * the DOM (like reverse-tabnabbing) because the capture layer only emits a
+ * `[tracelane.sec]` meta for the MAIN DOCUMENT, so subresource URLs never reach
+ * the meta stream. The HTTPS gate comes from the main-document meta.
+ *
+ * Scope (kept tight to limit false positives for the MVP):
+ *   - the `src` attribute on ANY element (img, script, iframe, video, audio,
+ *     source, …),
+ *   - the `href` attribute ONLY on a `<link>` whose `rel` actually fetches a
+ *     subresource (stylesheet/preload/icon/…). A `<link rel="canonical">` or
+ *     `<a href>` is a navigation/metadata hint, not a subresource, so it is NOT
+ *     flagged.
+ *   - `srcset` is not parsed.
+ * Dedupes by url; advisory, never an audit result.
+ */
+// `<link rel>` values that actually fetch a resource over the wire (so an
+// `http://` href is genuine mixed content). Excludes metadata/hint rels like
+// canonical, alternate, author, license, and the connection-only hints
+// dns-prefetch/preconnect (which establish a connection but load no content).
+const SUBRESOURCE_LINK_RELS = new Set([
+    'stylesheet',
+    'preload',
+    'modulepreload',
+    'prefetch',
+    'prerender',
+    'icon',
+    'manifest',
+]);
+function linkLoadsSubresource(rel) {
+    if (typeof rel !== 'string')
+        return false;
+    return rel
+        .toLowerCase()
+        .split(/\s+/)
+        .some((token) => SUBRESOURCE_LINK_RELS.has(token));
+}
+export function detectMixedContent(events, metas) {
+    const main = metas.find((mt) => mt.isMainDocument);
+    // Mixed content is only meaningful on an HTTPS page.
+    if (!main || !main.url.startsWith('https://'))
+        return [];
+    const out = [];
+    const seen = new Set();
+    for (const root of collectRoots(events)) {
+        for (const n of walk(root)) {
+            if (n.type !== 2)
+                continue;
+            const attrs = n.attributes ?? {};
+            const tag = n.tagName?.toLowerCase();
+            const urls = [attrs.src];
+            if (tag === 'link' && linkLoadsSubresource(attrs.rel))
+                urls.push(attrs.href);
+            for (const u of urls) {
+                if (typeof u !== 'string' || !u.startsWith('http://') || seen.has(u))
+                    continue;
+                seen.add(u);
+                out.push({
+                    id: `mixed-content:${u}`,
+                    signal: 'mixed-content',
+                    severity: 'high',
+                    title: 'Mixed content (HTTP resource on an HTTPS page)',
+                    detail: `An HTTP resource (${u}) was loaded by the HTTPS page ${main.url}.`,
+                    evidence: u,
+                    advisory: true,
+                });
+            }
+        }
+    }
+    return out;
+}
+//# sourceMappingURL=mixed-content.js.map

package/dist/_security/detectors/mixed-content.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"mixed-content.js","sourceRoot":"","sources":["../../../src/_security/detectors/mixed-content.ts"],"names":[],"mappings":"AAGA,OAAO,EAAE,YAAY,EAAE,IAAI,EAAE,MAAM,sBAAsB,CAAC;AAE1D;;;;;;;;;;;;;;;;GAgBG;AAEH,0EAA0E;AAC1E,6EAA6E;AAC7E,uEAAuE;AACvE,8EAA8E;AAC9E,MAAM,qBAAqB,GAAG,IAAI,GAAG,CAAC;IACpC,YAAY;IACZ,SAAS;IACT,eAAe;IACf,UAAU;IACV,WAAW;IACX,MAAM;IACN,UAAU;CACX,CAAC,CAAC;AAEH,SAAS,oBAAoB,CAAC,GAAY;IACxC,IAAI,OAAO,GAAG,KAAK,QAAQ;QAAE,OAAO,KAAK,CAAC;IAC1C,OAAO,GAAG;SACP,WAAW,EAAE;SACb,KAAK,CAAC,KAAK,CAAC;SACZ,IAAI,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,qBAAqB,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,CAAC;AACvD,CAAC;AACD,MAAM,UAAU,kBAAkB,CAChC,MAAgC,EAChC,KAA8B;IAE9B,MAAM,IAAI,GAAG,KAAK,CAAC,IAAI,CAAC,CAAC,EAAE,EAAE,EAAE,CAAC,EAAE,CAAC,cAAc,CAAC,CAAC;IACnD,qDAAqD;IACrD,IAAI,CAAC,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,UAAU,CAAC,UAAU,CAAC;QAAE,OAAO,EAAE,CAAC;IAEzD,MAAM,GAAG,GAAsB,EAAE,CAAC;IAClC,MAAM,IAAI,GAAG,IAAI,GAAG,EAAU,CAAC;IAC/B,KAAK,MAAM,IAAI,IAAI,YAAY,CAAC,MAAM,CAAC,EAAE,CAAC;QACxC,KAAK,MAAM,CAAC,IAAI,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;YAC3B,IAAI,CAAC,CAAC,IAAI,KAAK,CAAC;gBAAE,SAAS;YAC3B,MAAM,KAAK,GAAG,CAAC,CAAC,UAAU,IAAI,EAAE,CAAC;YACjC,MAAM,GAAG,GAAG,CAAC,CAAC,OAAO,EAAE,WAAW,EAAE,CAAC;YACrC,MAAM,IAAI,GAAc,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;YACpC,IAAI,GAAG,KAAK,MAAM,IAAI,oBAAoB,CAAC,KAAK,CAAC,GAAG,CAAC;gBAAE,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;YAC7E,KAAK,MAAM,CAAC,IAAI,IAAI,EAAE,CAAC;gBACrB,IAAI,OAAO,CAAC,KAAK,QAAQ,IAAI,CAAC,CAAC,CAAC,UAAU,CAAC,SAAS,CAAC,IAAI,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC;oBAAE,SAAS;gBAC/E,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;gBACZ,GAAG,CAAC,IAAI,CAAC;oBACP,EAAE,EAAE,iBAAiB,CAAC,EAAE;oBACxB,MAAM,EAAE,eAAe;oBACvB,QAAQ,EAAE,MAAM;oBAChB,KAAK,EAAE,gDAAgD;oBACvD,MAAM,EAAE,qBAAqB,CAAC,kCAAkC,IAAI,CAAC,GAAG,GAAG;oBAC3E,QAAQ,EAAE,CAAC;oBACX,QAAQ,EAAE,IAAI;iBACf,CAAC,CAAC;YACL,CAAC;QACH,CAAC;IACH,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC"}

package/dist/_security/detectors/reverse-tabnabbing.d.ts

@@ -0,0 +1,10 @@
+import type { eventWithTime } from '@cubenest/rrweb-core';
+import type { SecurityFinding } from '../index.js';
+/**
+ * Walks rrweb serialized DOM snapshots (FullSnapshot trees + IncrementalSnapshot
+ * `adds`) for `<a target="_blank">` links lacking a `rel` of `noopener`/
+ * `noreferrer` — the classic reverse-tabnabbing risk. Pure over plain serialized
+ * node objects; no DOM API. Dedupes by href; advisory, never an audit result.
+ */
+export declare function detectReverseTabnabbing(events: readonly eventWithTime[]): SecurityFinding[];
+//# sourceMappingURL=reverse-tabnabbing.d.ts.map

package/dist/_security/detectors/reverse-tabnabbing.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"reverse-tabnabbing.d.ts","sourceRoot":"","sources":["../../../src/_security/detectors/reverse-tabnabbing.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,sBAAsB,CAAC;AAC1D,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,aAAa,CAAC;AASnD;;;;;GAKG;AACH,wBAAgB,uBAAuB,CAAC,MAAM,EAAE,SAAS,aAAa,EAAE,GAAG,eAAe,EAAE,CA0B3F"}

package/dist/_security/detectors/reverse-tabnabbing.js

@@ -0,0 +1,44 @@
+import { collectRoots, walk } from '../serialized-dom.js';
+function relIsSafe(rel) {
+    if (typeof rel !== 'string')
+        return false;
+    const tokens = rel.toLowerCase().split(/\s+/);
+    return tokens.includes('noopener') || tokens.includes('noreferrer');
+}
+/**
+ * Walks rrweb serialized DOM snapshots (FullSnapshot trees + IncrementalSnapshot
+ * `adds`) for `<a target="_blank">` links lacking a `rel` of `noopener`/
+ * `noreferrer` — the classic reverse-tabnabbing risk. Pure over plain serialized
+ * node objects; no DOM API. Dedupes by href; advisory, never an audit result.
+ */
+export function detectReverseTabnabbing(events) {
+    const roots = collectRoots(events);
+    const out = [];
+    const seen = new Set();
+    for (const root of roots) {
+        for (const n of walk(root)) {
+            if (n.type !== 2 || n.tagName?.toLowerCase() !== 'a')
+                continue;
+            const attrs = n.attributes ?? {};
+            const target = typeof attrs.target === 'string' ? attrs.target.toLowerCase() : '';
+            if (target !== '_blank' || relIsSafe(attrs.rel))
+                continue;
+            const href = typeof attrs.href === 'string' ? attrs.href : '(no href)';
+            const id = `reverse-tabnabbing:${href}`;
+            if (seen.has(id))
+                continue;
+            seen.add(id);
+            out.push({
+                id,
+                signal: 'reverse-tabnabbing',
+                severity: 'medium',
+                title: 'Reverse tabnabbing risk (target="_blank" without rel="noopener")',
+                detail: `An <a target="_blank"> link (${href}) is missing rel="noopener"/"noreferrer".`,
+                evidence: href,
+                advisory: true,
+            });
+        }
+    }
+    return out;
+}
+//# sourceMappingURL=reverse-tabnabbing.js.map

package/dist/_security/detectors/reverse-tabnabbing.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"reverse-tabnabbing.js","sourceRoot":"","sources":["../../../src/_security/detectors/reverse-tabnabbing.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,YAAY,EAAE,IAAI,EAAE,MAAM,sBAAsB,CAAC;AAE1D,SAAS,SAAS,CAAC,GAAY;IAC7B,IAAI,OAAO,GAAG,KAAK,QAAQ;QAAE,OAAO,KAAK,CAAC;IAC1C,MAAM,MAAM,GAAG,GAAG,CAAC,WAAW,EAAE,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;IAC9C,OAAO,MAAM,CAAC,QAAQ,CAAC,UAAU,CAAC,IAAI,MAAM,CAAC,QAAQ,CAAC,YAAY,CAAC,CAAC;AACtE,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,uBAAuB,CAAC,MAAgC;IACtE,MAAM,KAAK,GAAG,YAAY,CAAC,MAAM,CAAC,CAAC;IACnC,MAAM,GAAG,GAAsB,EAAE,CAAC;IAClC,MAAM,IAAI,GAAG,IAAI,GAAG,EAAU,CAAC;IAC/B,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;QACzB,KAAK,MAAM,CAAC,IAAI,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;YAC3B,IAAI,CAAC,CAAC,IAAI,KAAK,CAAC,IAAI,CAAC,CAAC,OAAO,EAAE,WAAW,EAAE,KAAK,GAAG;gBAAE,SAAS;YAC/D,MAAM,KAAK,GAAG,CAAC,CAAC,UAAU,IAAI,EAAE,CAAC;YACjC,MAAM,MAAM,GAAG,OAAO,KAAK,CAAC,MAAM,KAAK,QAAQ,CAAC,CAAC,CAAC,KAAK,CAAC,MAAM,CAAC,WAAW,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;YAClF,IAAI,MAAM,KAAK,QAAQ,IAAI,SAAS,CAAC,KAAK,CAAC,GAAG,CAAC;gBAAE,SAAS;YAC1D,MAAM,IAAI,GAAG,OAAO,KAAK,CAAC,IAAI,KAAK,QAAQ,CAAC,CAAC,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,WAAW,CAAC;YACvE,MAAM,EAAE,GAAG,sBAAsB,IAAI,EAAE,CAAC;YACxC,IAAI,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC;gBAAE,SAAS;YAC3B,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;YACb,GAAG,CAAC,IAAI,CAAC;gBACP,EAAE;gBACF,MAAM,EAAE,oBAAoB;gBAC5B,QAAQ,EAAE,QAAQ;gBAClB,KAAK,EAAE,kEAAkE;gBACzE,MAAM,EAAE,gCAAgC,IAAI,2CAA2C;gBACvF,QAAQ,EAAE,IAAI;gBACd,QAAQ,EAAE,IAAI;aACf,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC"}

package/dist/_security/index.d.ts

@@ -0,0 +1,29 @@
+import type { eventWithTime } from '@cubenest/rrweb-core';
+import { type Suppression } from './suppress.js';
+export type { Suppression };
+/** console.error prefix the capture layer uses for privacy-safe response metadata. */
+export declare const SEC_CONSOLE_PREFIX = "[tracelane.sec]";
+/** rrweb Custom event tag the capture layer uses for privacy-safe response metadata. */
+export declare const SEC_EVENT_TAG = "tracelane.sec";
+export type SecuritySignal = 'missing-security-header' | 'mixed-content' | 'insecure-cookie' | 'reverse-tabnabbing';
+export type Severity = 'low' | 'medium' | 'high';
+export interface SecurityFinding {
+    /** stable id, e.g. `${signal}:${evidence}` */
+    readonly id: string;
+    readonly signal: SecuritySignal;
+    readonly severity: Severity;
+    readonly title: string;
+    readonly detail: string;
+    readonly evidence: string;
+    /** framing invariant — always true; these are advisory, not audit results */
+    readonly advisory: true;
+}
+/**
+ * Derive advisory security-hygiene findings from a captured event stream.
+ * Pure + total: never throws (a failing detector contributes nothing). Findings
+ * are advisory only — NOT a security audit/scan/guarantee.
+ */
+export declare function analyze(events: readonly eventWithTime[], opts?: {
+    suppress?: readonly Suppression[];
+}): SecurityFinding[];
+//# sourceMappingURL=index.d.ts.map

package/dist/_security/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/_security/index.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,sBAAsB,CAAC;AAO1D,OAAO,EAAE,KAAK,WAAW,EAAqB,MAAM,eAAe,CAAC;AAEpE,YAAY,EAAE,WAAW,EAAE,CAAC;AAE5B,sFAAsF;AACtF,eAAO,MAAM,kBAAkB,oBAAoB,CAAC;AAEpD,wFAAwF;AACxF,eAAO,MAAM,aAAa,kBAAkB,CAAC;AAE7C,MAAM,MAAM,cAAc,GACtB,yBAAyB,GACzB,eAAe,GACf,iBAAiB,GACjB,oBAAoB,CAAC;AAEzB,MAAM,MAAM,QAAQ,GAAG,KAAK,GAAG,QAAQ,GAAG,MAAM,CAAC;AAEjD,MAAM,WAAW,eAAe;IAC9B,8CAA8C;IAC9C,QAAQ,CAAC,EAAE,EAAE,MAAM,CAAC;IACpB,QAAQ,CAAC,MAAM,EAAE,cAAc,CAAC;IAChC,QAAQ,CAAC,QAAQ,EAAE,QAAQ,CAAC;IAC5B,QAAQ,CAAC,KAAK,EAAE,MAAM,CAAC;IACvB,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAC;IACxB,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC;IAC1B,6EAA6E;IAC7E,QAAQ,CAAC,QAAQ,EAAE,IAAI,CAAC;CACzB;AAYD;;;;GAIG;AACH,wBAAgB,OAAO,CACrB,MAAM,EAAE,SAAS,aAAa,EAAE,EAChC,IAAI,GAAE;IAAE,QAAQ,CAAC,EAAE,SAAS,WAAW,EAAE,CAAA;CAAO,GAC/C,eAAe,EAAE,CAanB"}

package/dist/_security/index.js

@@ -0,0 +1,36 @@
+import { detectInsecureCookies } from './detectors/insecure-cookies.js';
+import { detectMissingHeaders } from './detectors/missing-headers.js';
+import { detectMixedContent } from './detectors/mixed-content.js';
+import { detectReverseTabnabbing } from './detectors/reverse-tabnabbing.js';
+import { scrapeResponseMeta } from './response-meta.js';
+import { applySuppressions } from './suppress.js';
+/** console.error prefix the capture layer uses for privacy-safe response metadata. */
+export const SEC_CONSOLE_PREFIX = '[tracelane.sec]';
+/** rrweb Custom event tag the capture layer uses for privacy-safe response metadata. */
+export const SEC_EVENT_TAG = 'tracelane.sec';
+const SEVERITY_RANK = { high: 0, medium: 1, low: 2 };
+function safe(fn, fallback) {
+    try {
+        return fn();
+    }
+    catch {
+        return fallback;
+    }
+}
+/**
+ * Derive advisory security-hygiene findings from a captured event stream.
+ * Pure + total: never throws (a failing detector contributes nothing). Findings
+ * are advisory only — NOT a security audit/scan/guarantee.
+ */
+export function analyze(events, opts = {}) {
+    const metas = safe(() => scrapeResponseMeta(events), []);
+    const findings = [
+        ...safe(() => detectMissingHeaders(metas), []),
+        ...safe(() => detectMixedContent(events, metas), []),
+        ...safe(() => detectInsecureCookies(metas), []),
+        ...safe(() => detectReverseTabnabbing(events), []),
+    ];
+    const kept = applySuppressions(findings, opts.suppress ?? []);
+    return [...kept].sort((a, b) => SEVERITY_RANK[a.severity] - SEVERITY_RANK[b.severity] || a.signal.localeCompare(b.signal));
+}
+//# sourceMappingURL=index.js.map

package/dist/_security/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/_security/index.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,qBAAqB,EAAE,MAAM,iCAAiC,CAAC;AACxE,OAAO,EAAE,oBAAoB,EAAE,MAAM,gCAAgC,CAAC;AACtE,OAAO,EAAE,kBAAkB,EAAE,MAAM,8BAA8B,CAAC;AAClE,OAAO,EAAE,uBAAuB,EAAE,MAAM,mCAAmC,CAAC;AAE5E,OAAO,EAAE,kBAAkB,EAAE,MAAM,oBAAoB,CAAC;AACxD,OAAO,EAAoB,iBAAiB,EAAE,MAAM,eAAe,CAAC;AAIpE,sFAAsF;AACtF,MAAM,CAAC,MAAM,kBAAkB,GAAG,iBAAiB,CAAC;AAEpD,wFAAwF;AACxF,MAAM,CAAC,MAAM,aAAa,GAAG,eAAe,CAAC;AAsB7C,MAAM,aAAa,GAA6B,EAAE,IAAI,EAAE,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,GAAG,EAAE,CAAC,EAAE,CAAC;AAE/E,SAAS,IAAI,CAAI,EAAW,EAAE,QAAW;IACvC,IAAI,CAAC;QACH,OAAO,EAAE,EAAE,CAAC;IACd,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,QAAQ,CAAC;IAClB,CAAC;AACH,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,OAAO,CACrB,MAAgC,EAChC,OAA8C,EAAE;IAEhD,MAAM,KAAK,GAAG,IAAI,CAAiB,GAAG,EAAE,CAAC,kBAAkB,CAAC,MAAM,CAAC,EAAE,EAAE,CAAC,CAAC;IACzE,MAAM,QAAQ,GAAsB;QAClC,GAAG,IAAI,CAAoB,GAAG,EAAE,CAAC,oBAAoB,CAAC,KAAK,CAAC,EAAE,EAAE,CAAC;QACjE,GAAG,IAAI,CAAoB,GAAG,EAAE,CAAC,kBAAkB,CAAC,MAAM,EAAE,KAAK,CAAC,EAAE,EAAE,CAAC;QACvE,GAAG,IAAI,CAAoB,GAAG,EAAE,CAAC,qBAAqB,CAAC,KAAK,CAAC,EAAE,EAAE,CAAC;QAClE,GAAG,IAAI,CAAoB,GAAG,EAAE,CAAC,uBAAuB,CAAC,MAAM,CAAC,EAAE,EAAE,CAAC;KACtE,CAAC;IACF,MAAM,IAAI,GAAG,iBAAiB,CAAC,QAAQ,EAAE,IAAI,CAAC,QAAQ,IAAI,EAAE,CAAC,CAAC;IAC9D,OAAO,CAAC,GAAG,IAAI,CAAC,CAAC,IAAI,CACnB,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CACP,aAAa,CAAC,CAAC,CAAC,QAAQ,CAAC,GAAG,aAAa,CAAC,CAAC,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,MAAM,CAAC,aAAa,CAAC,CAAC,CAAC,MAAM,CAAC,CAC5F,CAAC;AACJ,CAAC"}

package/dist/_security/response-meta.d.ts

@@ -0,0 +1,28 @@
+import type { eventWithTime } from '@cubenest/rrweb-core';
+/**
+ * Privacy-safe response metadata recovered from a `tracelane.sec` Custom event.
+ * Carries only header NAMES (never values), per-cookie flag presence
+ * booleans, and the cookie name — never header values or cookie values.
+ */
+export interface ResponseMeta {
+    url: string;
+    status: number;
+    isMainDocument: boolean;
+    /** lowercased header NAMES that were present (never values) */
+    presentSecurityHeaders: string[];
+    /** per-cookie flag presence (never names/values beyond the cookie name) */
+    setCookies: {
+        name: string;
+        secure: boolean;
+        httpOnly: boolean;
+        sameSite: boolean;
+    }[];
+}
+/**
+ * Read privacy-safe response metadata out of the rrweb Custom events the
+ * capture layer injects (tag `tracelane.sec`, payload = the meta object).
+ * Replaces the old console-scrape channel, which raced navigation. Malformed
+ * payloads are skipped.
+ */
+export declare function scrapeResponseMeta(events: readonly eventWithTime[]): ResponseMeta[];
+//# sourceMappingURL=response-meta.d.ts.map

package/dist/_security/response-meta.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"response-meta.d.ts","sourceRoot":"","sources":["../../src/_security/response-meta.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,sBAAsB,CAAC;AAG1D;;;;GAIG;AACH,MAAM,WAAW,YAAY;IAC3B,GAAG,EAAE,MAAM,CAAC;IACZ,MAAM,EAAE,MAAM,CAAC;IACf,cAAc,EAAE,OAAO,CAAC;IACxB,+DAA+D;IAC/D,sBAAsB,EAAE,MAAM,EAAE,CAAC;IACjC,2EAA2E;IAC3E,UAAU,EAAE;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,MAAM,EAAE,OAAO,CAAC;QAAC,QAAQ,EAAE,OAAO,CAAC;QAAC,QAAQ,EAAE,OAAO,CAAA;KAAE,EAAE,CAAC;CACvF;AAkCD;;;;;GAKG;AACH,wBAAgB,kBAAkB,CAAC,MAAM,EAAE,SAAS,aAAa,EAAE,GAAG,YAAY,EAAE,CASnF"}

package/dist/_security/response-meta.js

@@ -0,0 +1,50 @@
+import { EventType } from '@cubenest/rrweb-core';
+import { SEC_EVENT_TAG } from './index.js';
+function isCookieFlags(c) {
+    if (!c || typeof c !== 'object')
+        return false;
+    const k = c;
+    return (typeof k.name === 'string' &&
+        typeof k.secure === 'boolean' &&
+        typeof k.httpOnly === 'boolean' &&
+        typeof k.sameSite === 'boolean');
+}
+/**
+ * Full structural validation of a `tracelane.sec` Custom-event payload, including
+ * array ELEMENT types. A page can't forge a Node-side Custom event, but a
+ * shape-malformed object (e.g. `presentSecurityHeaders: [123]` or
+ * `setCookies: [{}]`) must still be rejected to honor the "malformed payloads
+ * are skipped" contract and protect downstream consumers from runtime errors.
+ */
+function isResponseMeta(parsed) {
+    if (!parsed || typeof parsed !== 'object')
+        return false;
+    const m = parsed;
+    return (typeof m.url === 'string' &&
+        typeof m.status === 'number' &&
+        typeof m.isMainDocument === 'boolean' &&
+        Array.isArray(m.presentSecurityHeaders) &&
+        m.presentSecurityHeaders.every((h) => typeof h === 'string') &&
+        Array.isArray(m.setCookies) &&
+        m.setCookies.every(isCookieFlags));
+}
+/**
+ * Read privacy-safe response metadata out of the rrweb Custom events the
+ * capture layer injects (tag `tracelane.sec`, payload = the meta object).
+ * Replaces the old console-scrape channel, which raced navigation. Malformed
+ * payloads are skipped.
+ */
+export function scrapeResponseMeta(events) {
+    const out = [];
+    for (const e of events) {
+        if (e.type !== EventType.Custom)
+            continue;
+        const data = e.data;
+        if (data.tag !== SEC_EVENT_TAG)
+            continue;
+        if (isResponseMeta(data.payload))
+            out.push(data.payload);
+    }
+    return out;
+}
+//# sourceMappingURL=response-meta.js.map

package/dist/_security/response-meta.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"response-meta.js","sourceRoot":"","sources":["../../src/_security/response-meta.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,EAAE,MAAM,sBAAsB,CAAC;AAEjD,OAAO,EAAE,aAAa,EAAE,MAAM,YAAY,CAAC;AAiB3C,SAAS,aAAa,CAAC,CAAU;IAC/B,IAAI,CAAC,CAAC,IAAI,OAAO,CAAC,KAAK,QAAQ;QAAE,OAAO,KAAK,CAAC;IAC9C,MAAM,CAAC,GAAG,CAA4B,CAAC;IACvC,OAAO,CACL,OAAO,CAAC,CAAC,IAAI,KAAK,QAAQ;QAC1B,OAAO,CAAC,CAAC,MAAM,KAAK,SAAS;QAC7B,OAAO,CAAC,CAAC,QAAQ,KAAK,SAAS;QAC/B,OAAO,CAAC,CAAC,QAAQ,KAAK,SAAS,CAChC,CAAC;AACJ,CAAC;AAED;;;;;;GAMG;AACH,SAAS,cAAc,CAAC,MAAe;IACrC,IAAI,CAAC,MAAM,IAAI,OAAO,MAAM,KAAK,QAAQ;QAAE,OAAO,KAAK,CAAC;IACxD,MAAM,CAAC,GAAG,MAAiC,CAAC;IAC5C,OAAO,CACL,OAAO,CAAC,CAAC,GAAG,KAAK,QAAQ;QACzB,OAAO,CAAC,CAAC,MAAM,KAAK,QAAQ;QAC5B,OAAO,CAAC,CAAC,cAAc,KAAK,SAAS;QACrC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,sBAAsB,CAAC;QACvC,CAAC,CAAC,sBAAsB,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,OAAO,CAAC,KAAK,QAAQ,CAAC;QAC5D,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,UAAU,CAAC;QAC3B,CAAC,CAAC,UAAU,CAAC,KAAK,CAAC,aAAa,CAAC,CAClC,CAAC;AACJ,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,kBAAkB,CAAC,MAAgC;IACjE,MAAM,GAAG,GAAmB,EAAE,CAAC;IAC/B,KAAK,MAAM,CAAC,IAAI,MAAM,EAAE,CAAC;QACvB,IAAI,CAAC,CAAC,IAAI,KAAK,SAAS,CAAC,MAAM;YAAE,SAAS;QAC1C,MAAM,IAAI,GAAG,CAAC,CAAC,IAA4C,CAAC;QAC5D,IAAI,IAAI,CAAC,GAAG,KAAK,aAAa;YAAE,SAAS;QACzC,IAAI,cAAc,CAAC,IAAI,CAAC,OAAO,CAAC;YAAE,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;IAC3D,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC"}

package/dist/_security/serialized-dom.d.ts

@@ -0,0 +1,20 @@
+import type { eventWithTime } from '@cubenest/rrweb-core';
+/**
+ * Minimal shape of an rrweb serialized DOM node. `type === 2` is an Element.
+ * Pure plain-object view — no DOM API, no rrweb internals beyond this shape.
+ */
+export interface SNode {
+    type?: number;
+    tagName?: string;
+    attributes?: Record<string, unknown>;
+    childNodes?: SNode[];
+}
+/** Depth-first walk: yields `node`, then recurses into `childNodes`. */
+export declare function walk(node: SNode | undefined): Generator<SNode>;
+/**
+ * Collect serialized-DOM roots from a captured event stream: the `data.node`
+ * tree of each FullSnapshot plus each `data.adds[].node` from an
+ * IncrementalSnapshot mutation. Shared by the DOM-walking detectors.
+ */
+export declare function collectRoots(events: readonly eventWithTime[]): SNode[];
+//# sourceMappingURL=serialized-dom.d.ts.map

package/dist/_security/serialized-dom.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"serialized-dom.d.ts","sourceRoot":"","sources":["../../src/_security/serialized-dom.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,sBAAsB,CAAC;AAE1D;;;GAGG;AACH,MAAM,WAAW,KAAK;IACpB,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,UAAU,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IACrC,UAAU,CAAC,EAAE,KAAK,EAAE,CAAC;CACtB;AAED,wEAAwE;AACxE,wBAAiB,IAAI,CAAC,IAAI,EAAE,KAAK,GAAG,SAAS,GAAG,SAAS,CAAC,KAAK,CAAC,CAI/D;AAED;;;;GAIG;AACH,wBAAgB,YAAY,CAAC,MAAM,EAAE,SAAS,aAAa,EAAE,GAAG,KAAK,EAAE,CAatE"}

package/dist/_security/serialized-dom.js

@@ -0,0 +1,32 @@
+import { EventType } from '@cubenest/rrweb-core';
+/** Depth-first walk: yields `node`, then recurses into `childNodes`. */
+export function* walk(node) {
+    if (!node)
+        return;
+    yield node;
+    for (const child of node.childNodes ?? [])
+        yield* walk(child);
+}
+/**
+ * Collect serialized-DOM roots from a captured event stream: the `data.node`
+ * tree of each FullSnapshot plus each `data.adds[].node` from an
+ * IncrementalSnapshot mutation. Shared by the DOM-walking detectors.
+ */
+export function collectRoots(events) {
+    const roots = [];
+    for (const e of events) {
+        if (e.type === EventType.FullSnapshot) {
+            roots.push(e.data.node);
+        }
+        else if (e.type === EventType.IncrementalSnapshot) {
+            const adds = e.data.adds;
+            if (Array.isArray(adds)) {
+                for (const a of adds)
+                    if (a.node)
+                        roots.push(a.node);
+            }
+        }
+    }
+    return roots;
+}
+//# sourceMappingURL=serialized-dom.js.map

package/dist/_security/serialized-dom.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"serialized-dom.js","sourceRoot":"","sources":["../../src/_security/serialized-dom.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,EAAE,MAAM,sBAAsB,CAAC;AAcjD,wEAAwE;AACxE,MAAM,SAAS,CAAC,CAAC,IAAI,CAAC,IAAuB;IAC3C,IAAI,CAAC,IAAI;QAAE,OAAO;IAClB,MAAM,IAAI,CAAC;IACX,KAAK,MAAM,KAAK,IAAI,IAAI,CAAC,UAAU,IAAI,EAAE;QAAE,KAAK,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;AAChE,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,YAAY,CAAC,MAAgC;IAC3D,MAAM,KAAK,GAAY,EAAE,CAAC;IAC1B,KAAK,MAAM,CAAC,IAAI,MAAM,EAAE,CAAC;QACvB,IAAI,CAAC,CAAC,IAAI,KAAK,SAAS,CAAC,YAAY,EAAE,CAAC;YACtC,KAAK,CAAC,IAAI,CAAE,CAAC,CAAC,IAAwB,CAAC,IAAI,CAAC,CAAC;QAC/C,CAAC;aAAM,IAAI,CAAC,CAAC,IAAI,KAAK,SAAS,CAAC,mBAAmB,EAAE,CAAC;YACpD,MAAM,IAAI,GAAI,CAAC,CAAC,IAAsC,CAAC,IAAI,CAAC;YAC5D,IAAI,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC;gBACxB,KAAK,MAAM,CAAC,IAAI,IAAI;oBAAE,IAAI,CAAC,CAAC,IAAI;wBAAE,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC;YACvD,CAAC;QACH,CAAC;IACH,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC"}

package/dist/_security/suppress.d.ts

@@ -0,0 +1,7 @@
+import type { SecurityFinding, SecuritySignal } from './index.js';
+export interface Suppression {
+    signal?: SecuritySignal;
+    evidence?: string;
+}
+export declare function applySuppressions(findings: readonly SecurityFinding[], rules: readonly Suppression[]): SecurityFinding[];
+//# sourceMappingURL=suppress.d.ts.map

package/dist/_security/suppress.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"suppress.d.ts","sourceRoot":"","sources":["../../src/_security/suppress.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,eAAe,EAAE,cAAc,EAAE,MAAM,YAAY,CAAC;AAElE,MAAM,WAAW,WAAW;IAC1B,MAAM,CAAC,EAAE,cAAc,CAAC;IACxB,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAED,wBAAgB,iBAAiB,CAC/B,QAAQ,EAAE,SAAS,eAAe,EAAE,EACpC,KAAK,EAAE,SAAS,WAAW,EAAE,GAC5B,eAAe,EAAE,CAWnB"}

package/dist/_security/suppress.js

@@ -0,0 +1,8 @@
+export function applySuppressions(findings, rules) {
+    if (rules.length === 0)
+        return [...findings];
+    return findings.filter((f) => !rules.some((r) => (r.signal !== undefined || r.evidence !== undefined) &&
+        (r.signal === undefined || r.signal === f.signal) &&
+        (r.evidence === undefined || r.evidence === f.evidence)));
+}
+//# sourceMappingURL=suppress.js.map

package/dist/_security/suppress.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"suppress.js","sourceRoot":"","sources":["../../src/_security/suppress.ts"],"names":[],"mappings":"AAOA,MAAM,UAAU,iBAAiB,CAC/B,QAAoC,EACpC,KAA6B;IAE7B,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,CAAC,GAAG,QAAQ,CAAC,CAAC;IAC7C,OAAO,QAAQ,CAAC,MAAM,CACpB,CAAC,CAAC,EAAE,EAAE,CACJ,CAAC,KAAK,CAAC,IAAI,CACT,CAAC,CAAC,EAAE,EAAE,CACJ,CAAC,CAAC,CAAC,MAAM,KAAK,SAAS,IAAI,CAAC,CAAC,QAAQ,KAAK,SAAS,CAAC;QACpD,CAAC,CAAC,CAAC,MAAM,KAAK,SAAS,IAAI,CAAC,CAAC,MAAM,KAAK,CAAC,CAAC,MAAM,CAAC;QACjD,CAAC,CAAC,CAAC,QAAQ,KAAK,SAAS,IAAI,CAAC,CAAC,QAAQ,KAAK,CAAC,CAAC,QAAQ,CAAC,CAC1D,CACJ,CAAC;AACJ,CAAC"}

package/dist/assets.d.ts

@@ -16,4 +16,24 @@ export declare function loadPlayerCss(): string;
  * pako for consistency with `@cubenest/rrweb-core`'s fflate-based `compress()`.
  */
 export declare function loadFflateGunzipSource(): string;
+/**
+ * Fraunces Variable (weight axis 100-900, latin charset, normal style).
+ * SIL OFL-1.1 — credited in NOTICE. ~36 KB raw → ~49 KB base64.
+ */
+export declare function loadFrauncesNormal(): string;
+/**
+ * Fraunces Variable (weight axis 100-900, latin charset, italic style).
+ * Same package + license as the normal weight; ~45 KB raw → ~60 KB base64.
+ * Used for the headline's emphasized clause and the section heads.
+ */
+export declare function loadFrauncesItalic(): string;
+/**
+ * JetBrains Mono Variable (weight axis 100-800, latin charset, normal style).
+ * SIL OFL-1.1 — credited in NOTICE. ~40 KB raw → ~54 KB base64.
+ *
+ * Italic intentionally NOT loaded — the data rows (console + network + meta
+ * strip + timestamps) never use italics, so the second 43 KB italic woff2
+ * would add weight to every report for no design benefit.
+ */
+export declare function loadJetBrainsMonoNormal(): string;
 //# sourceMappingURL=assets.d.ts.map

package/dist/assets.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"assets.d.ts","sourceRoot":"","sources":["../src/assets.ts"],"names":[],"mappings":"AAqDA;;;;GAIG;AACH,wBAAgB,aAAa,IAAI,MAAM,CAEtC;AAED;;;GAGG;AACH,wBAAgB,aAAa,IAAI,MAAM,CAEtC;AAED;;;;;GAKG;AACH,wBAAgB,sBAAsB,IAAI,MAAM,CAE/C"}
+{"version":3,"file":"assets.d.ts","sourceRoot":"","sources":["../src/assets.ts"],"names":[],"mappings":"AAuDA;;;;GAIG;AACH,wBAAgB,aAAa,IAAI,MAAM,CAEtC;AAED;;;GAGG;AACH,wBAAgB,aAAa,IAAI,MAAM,CAEtC;AAED;;;;;GAKG;AACH,wBAAgB,sBAAsB,IAAI,MAAM,CAE/C;AA8BD;;;GAGG;AACH,wBAAgB,kBAAkB,IAAI,MAAM,CAE3C;AAED;;;;GAIG;AACH,wBAAgB,kBAAkB,IAAI,MAAM,CAE3C;AAED;;;;;;;GAOG;AACH,wBAAgB,uBAAuB,IAAI,MAAM,CAKhD"}