@virusis/api-client 0.1.16 → 0.1.19

package/dist/generated/models/access-token-i-data-result.d.ts

@@ -0,0 +1,4 @@
+import type { AccessTokenIDataResult as __AccessTokenIDataResult } from "../index.js";
+export declare const AccessTokenIDataResult: __AccessTokenIDataResult;
+export type AccessTokenIDataResult = __AccessTokenIDataResult;
+export type accessTokenIDataResult = __AccessTokenIDataResult;

package/dist/generated/models/access-token-i-data-result.js

@@ -0,0 +1 @@
+export const AccessTokenIDataResult = {};

package/dist/generated/models/access-token.d.ts

@@ -0,0 +1,4 @@
+import type { AccessToken as __AccessToken } from "../index.js";
+export declare const AccessToken: __AccessToken;
+export type AccessToken = __AccessToken;
+export type accessToken = __AccessToken;

package/dist/generated/models/access-token.js

@@ -0,0 +1 @@
+export const AccessToken = {};

package/dist/generated/models/application-click-event-batch-dto.d.ts

@@ -0,0 +1,4 @@
+import type { ApplicationClickEventBatchDto as __ApplicationClickEventBatchDto } from "../index.js";
+export declare const ApplicationClickEventBatchDto: __ApplicationClickEventBatchDto;
+export type ApplicationClickEventBatchDto = __ApplicationClickEventBatchDto;
+export type applicationClickEventBatchDto = __ApplicationClickEventBatchDto;

package/dist/generated/models/application-click-event-batch-dto.js

@@ -0,0 +1 @@
+export const ApplicationClickEventBatchDto = {};

package/dist/generated/models/application-click-event-create-dto.d.ts

@@ -0,0 +1,4 @@
+import type { ApplicationClickEventCreateDto as __ApplicationClickEventCreateDto } from "../index.js";
+export declare const ApplicationClickEventCreateDto: __ApplicationClickEventCreateDto;
+export type ApplicationClickEventCreateDto = __ApplicationClickEventCreateDto;
+export type applicationClickEventCreateDto = __ApplicationClickEventCreateDto;

package/dist/generated/models/application-click-event-create-dto.js

@@ -0,0 +1 @@
+export const ApplicationClickEventCreateDto = {};

package/dist/generated/models/feedback-category-dto-list-i-data-result.d.ts

@@ -0,0 +1,4 @@
+import type { FeedbackCategoryDtoListIDataResult as __FeedbackCategoryDtoListIDataResult } from "../index.js";
+export declare const FeedbackCategoryDtoListIDataResult: __FeedbackCategoryDtoListIDataResult;
+export type FeedbackCategoryDtoListIDataResult = __FeedbackCategoryDtoListIDataResult;
+export type feedbackCategoryDtoListIDataResult = __FeedbackCategoryDtoListIDataResult;

package/dist/generated/models/feedback-category-dto-list-i-data-result.js

@@ -0,0 +1 @@
+export const FeedbackCategoryDtoListIDataResult = {};

package/dist/generated/models/feedback-category-dto.d.ts

@@ -0,0 +1,4 @@
+import type { FeedbackCategoryDto as __FeedbackCategoryDto } from "../index.js";
+export declare const FeedbackCategoryDto: __FeedbackCategoryDto;
+export type FeedbackCategoryDto = __FeedbackCategoryDto;
+export type feedbackCategoryDto = __FeedbackCategoryDto;

package/dist/generated/models/feedback-category-dto.js

@@ -0,0 +1 @@
+export const FeedbackCategoryDto = {};

package/dist/generated/models/index.d.ts

@@ -1,3 +1,5 @@
+export * from "./access-token.js";
+export * from "./access-token-i-data-result.js";
 export * from "./aggregate-exception.js";
 export * from "./app-state-log.js";
 export * from "./app-state-log-for-table-dto.js";
@@ -9,6 +11,8 @@ export * from "./app-state-log-for-table-filter-data-table-query.js";
 export * from "./app-state-log-i-data-result.js";
 export * from "./app-state-log-list-i-data-result.js";
 export * from "./application.js";
+export * from "./application-click-event-batch-dto.js";
+export * from "./application-click-event-create-dto.js";
 export * from "./application-for-table-dto.js";
 export * from "./application-for-table-dto-list-i-data-result.js";
 export * from "./application-for-table-dto-list-result-filter.js";
@@ -56,6 +60,8 @@ export * from "./device-list-i-data-result.js";
 export * from "./event-attributes.js";
 export * from "./event-info.js";
 export * from "./exception.js";
+export * from "./feedback-category-dto.js";
+export * from "./feedback-category-dto-list-i-data-result.js";
 export * from "./field-attributes.js";
 export * from "./field-info.js";
 export * from "./field-mapping-result-paginate-dto.js";
@@ -135,12 +141,21 @@ export * from "./operation-claim-for-table-filter.js";
 export * from "./operation-claim-for-table-filter-data-table-query.js";
 export * from "./operation-claim-i-data-result.js";
 export * from "./operation-claim-list-i-data-result.js";
+export * from "./otp-generate-result.js";
 export * from "./parameter-attributes.js";
 export * from "./parameter-info.js";
 export * from "./process-scan-scores-request.js";
 export * from "./process-scan-static-result-request.js";
 export * from "./property-attributes.js";
 export * from "./property-info.js";
+export * from "./queue-monitor-workers-response.js";
+export * from "./risk-flag-request-dto.js";
+export * from "./risk-signal-avg-dto.js";
+export * from "./risk-signal-client-dto.js";
+export * from "./risk-signal-counts-dto.js";
+export * from "./risk-signals-dto.js";
+export * from "./risk-state-dto.js";
+export * from "./risk-verify-dto.js";
 export * from "./runtime-field-handle.js";
 export * from "./runtime-method-handle.js";
 export * from "./runtime-type-handle.js";
@@ -487,6 +502,8 @@ export * from "./scan-static-section-for-table-filter.js";
 export * from "./scan-static-section-for-table-filter-data-table-query.js";
 export * from "./scan-static-section-i-data-result.js";
 export * from "./scan-static-section-list-i-data-result.js";
+export * from "./scan-status-dto.js";
+export * from "./scan-status-dto-i-data-result.js";
 export * from "./scan-summary-dto.js";
 export * from "./scan-summary-dto-i-data-result.js";
 export * from "./scan-threat-detection.js";

package/dist/generated/models/index.js

@@ -1,3 +1,5 @@
+export * from "./access-token.js";
+export * from "./access-token-i-data-result.js";
 export * from "./aggregate-exception.js";
 export * from "./app-state-log.js";
 export * from "./app-state-log-for-table-dto.js";
@@ -9,6 +11,8 @@ export * from "./app-state-log-for-table-filter-data-table-query.js";
 export * from "./app-state-log-i-data-result.js";
 export * from "./app-state-log-list-i-data-result.js";
 export * from "./application.js";
+export * from "./application-click-event-batch-dto.js";
+export * from "./application-click-event-create-dto.js";
 export * from "./application-for-table-dto.js";
 export * from "./application-for-table-dto-list-i-data-result.js";
 export * from "./application-for-table-dto-list-result-filter.js";
@@ -56,6 +60,8 @@ export * from "./device-list-i-data-result.js";
 export * from "./event-attributes.js";
 export * from "./event-info.js";
 export * from "./exception.js";
+export * from "./feedback-category-dto.js";
+export * from "./feedback-category-dto-list-i-data-result.js";
 export * from "./field-attributes.js";
 export * from "./field-info.js";
 export * from "./field-mapping-result-paginate-dto.js";
@@ -135,12 +141,21 @@ export * from "./operation-claim-for-table-filter.js";
 export * from "./operation-claim-for-table-filter-data-table-query.js";
 export * from "./operation-claim-i-data-result.js";
 export * from "./operation-claim-list-i-data-result.js";
+export * from "./otp-generate-result.js";
 export * from "./parameter-attributes.js";
 export * from "./parameter-info.js";
 export * from "./process-scan-scores-request.js";
 export * from "./process-scan-static-result-request.js";
 export * from "./property-attributes.js";
 export * from "./property-info.js";
+export * from "./queue-monitor-workers-response.js";
+export * from "./risk-flag-request-dto.js";
+export * from "./risk-signal-avg-dto.js";
+export * from "./risk-signal-client-dto.js";
+export * from "./risk-signal-counts-dto.js";
+export * from "./risk-signals-dto.js";
+export * from "./risk-state-dto.js";
+export * from "./risk-verify-dto.js";
 export * from "./runtime-field-handle.js";
 export * from "./runtime-method-handle.js";
 export * from "./runtime-type-handle.js";
@@ -487,6 +502,8 @@ export * from "./scan-static-section-for-table-filter.js";
 export * from "./scan-static-section-for-table-filter-data-table-query.js";
 export * from "./scan-static-section-i-data-result.js";
 export * from "./scan-static-section-list-i-data-result.js";
+export * from "./scan-status-dto.js";
+export * from "./scan-status-dto-i-data-result.js";
 export * from "./scan-summary-dto.js";
 export * from "./scan-summary-dto-i-data-result.js";
 export * from "./scan-threat-detection.js";

package/dist/generated/models/otp-generate-result.d.ts

@@ -0,0 +1,4 @@
+import type { OtpGenerateResult as __OtpGenerateResult } from "../index.js";
+export declare const OtpGenerateResult: __OtpGenerateResult;
+export type OtpGenerateResult = __OtpGenerateResult;
+export type otpGenerateResult = __OtpGenerateResult;

package/dist/generated/models/otp-generate-result.js

@@ -0,0 +1 @@
+export const OtpGenerateResult = {};

package/dist/generated/models/queue-monitor-workers-response.d.ts

@@ -0,0 +1,4 @@
+import type { QueueMonitorWorkersResponse as __QueueMonitorWorkersResponse } from "../index.js";
+export declare const QueueMonitorWorkersResponse: __QueueMonitorWorkersResponse;
+export type QueueMonitorWorkersResponse = __QueueMonitorWorkersResponse;
+export type queueMonitorWorkersResponse = __QueueMonitorWorkersResponse;

package/dist/generated/models/queue-monitor-workers-response.js

@@ -0,0 +1 @@
+export const QueueMonitorWorkersResponse = {};

package/dist/generated/models/risk-flag-request-dto.d.ts

@@ -0,0 +1,4 @@
+import type { RiskFlagRequestDto as __RiskFlagRequestDto } from "../index.js";
+export declare const RiskFlagRequestDto: __RiskFlagRequestDto;
+export type RiskFlagRequestDto = __RiskFlagRequestDto;
+export type riskFlagRequestDto = __RiskFlagRequestDto;

package/dist/generated/models/risk-flag-request-dto.js

@@ -0,0 +1 @@
+export const RiskFlagRequestDto = {};

package/dist/generated/models/risk-signal-avg-dto.d.ts

@@ -0,0 +1,4 @@
+import type { RiskSignalAvgDto as __RiskSignalAvgDto } from "../index.js";
+export declare const RiskSignalAvgDto: __RiskSignalAvgDto;
+export type RiskSignalAvgDto = __RiskSignalAvgDto;
+export type riskSignalAvgDto = __RiskSignalAvgDto;

package/dist/generated/models/risk-signal-avg-dto.js

@@ -0,0 +1 @@
+export const RiskSignalAvgDto = {};

package/dist/generated/models/risk-signal-client-dto.d.ts

@@ -0,0 +1,4 @@
+import type { RiskSignalClientDto as __RiskSignalClientDto } from "../index.js";
+export declare const RiskSignalClientDto: __RiskSignalClientDto;
+export type RiskSignalClientDto = __RiskSignalClientDto;
+export type riskSignalClientDto = __RiskSignalClientDto;

package/dist/generated/models/risk-signal-client-dto.js

@@ -0,0 +1 @@
+export const RiskSignalClientDto = {};

package/dist/generated/models/risk-signal-counts-dto.d.ts

@@ -0,0 +1,4 @@
+import type { RiskSignalCountsDto as __RiskSignalCountsDto } from "../index.js";
+export declare const RiskSignalCountsDto: __RiskSignalCountsDto;
+export type RiskSignalCountsDto = __RiskSignalCountsDto;
+export type riskSignalCountsDto = __RiskSignalCountsDto;

package/dist/generated/models/risk-signal-counts-dto.js

@@ -0,0 +1 @@
+export const RiskSignalCountsDto = {};

package/dist/generated/models/risk-signals-dto.d.ts

@@ -0,0 +1,4 @@
+import type { RiskSignalsDto as __RiskSignalsDto } from "../index.js";
+export declare const RiskSignalsDto: __RiskSignalsDto;
+export type RiskSignalsDto = __RiskSignalsDto;
+export type riskSignalsDto = __RiskSignalsDto;

package/dist/generated/models/risk-signals-dto.js

@@ -0,0 +1 @@
+export const RiskSignalsDto = {};

package/dist/generated/models/risk-state-dto.d.ts

@@ -0,0 +1,4 @@
+import type { RiskStateDto as __RiskStateDto } from "../index.js";
+export declare const RiskStateDto: __RiskStateDto;
+export type RiskStateDto = __RiskStateDto;
+export type riskStateDto = __RiskStateDto;

package/dist/generated/models/risk-state-dto.js

@@ -0,0 +1 @@
+export const RiskStateDto = {};

package/dist/generated/models/risk-verify-dto.d.ts

@@ -0,0 +1,4 @@
+import type { RiskVerifyDto as __RiskVerifyDto } from "../index.js";
+export declare const RiskVerifyDto: __RiskVerifyDto;
+export type RiskVerifyDto = __RiskVerifyDto;
+export type riskVerifyDto = __RiskVerifyDto;

package/dist/generated/models/risk-verify-dto.js

@@ -0,0 +1 @@
+export const RiskVerifyDto = {};

package/dist/generated/models/scan-status-dto-i-data-result.d.ts

@@ -0,0 +1,4 @@
+import type { ScanStatusDtoIDataResult as __ScanStatusDtoIDataResult } from "../index.js";
+export declare const ScanStatusDtoIDataResult: __ScanStatusDtoIDataResult;
+export type ScanStatusDtoIDataResult = __ScanStatusDtoIDataResult;
+export type scanStatusDtoIDataResult = __ScanStatusDtoIDataResult;

package/dist/generated/models/scan-status-dto-i-data-result.js

@@ -0,0 +1 @@
+export const ScanStatusDtoIDataResult = {};

package/dist/generated/models/scan-status-dto.d.ts

@@ -0,0 +1,4 @@
+import type { ScanStatusDto as __ScanStatusDto } from "../index.js";
+export declare const ScanStatusDto: __ScanStatusDto;
+export type ScanStatusDto = __ScanStatusDto;
+export type scanStatusDto = __ScanStatusDto;

package/dist/generated/models/scan-status-dto.js

@@ -0,0 +1 @@
+export const ScanStatusDto = {};

package/dist/index.d.ts

@@ -5,3 +5,4 @@ export * from "./generated/models/index.js";
 export * from "./rx.js";
 export * from "./container.js";
 export * from "./base-models.js";
+export * as security from "./security/index.js";

package/dist/index.js

@@ -5,3 +5,4 @@ export * from "./generated/models/index.js";
 export * from "./rx.js";
 export * from "./container.js";
 export * from "./base-models.js";
+export * as security from "./security/index.js";

package/dist/rx.d.ts

@@ -36,6 +36,15 @@ export declare function createAllClients(cfg: ApiClientConfig, baseUrl?: string,
     DevicesClient: ClientCtors.DevicesClient;
     DevicesService: ClientCtors.DevicesClient;
     devicesService: ClientCtors.DevicesClient;
+    DiagnosticsClient: ClientCtors.DiagnosticsClient;
+    DiagnosticsService: ClientCtors.DiagnosticsClient;
+    diagnosticsService: ClientCtors.DiagnosticsClient;
+    FeedbacksClient: ClientCtors.FeedbacksClient;
+    FeedbacksService: ClientCtors.FeedbacksClient;
+    feedbacksService: ClientCtors.FeedbacksClient;
+    ApiClient: ClientCtors.ApiClient;
+    ApiService: ClientCtors.ApiClient;
+    apiService: ClientCtors.ApiClient;
     InteractionTrackersClient: ClientCtors.InteractionTrackersClient;
     InteractionTrackersService: ClientCtors.InteractionTrackersClient;
     interactionTrackersService: ClientCtors.InteractionTrackersClient;
@@ -54,6 +63,9 @@ export declare function createAllClients(cfg: ApiClientConfig, baseUrl?: string,
     OperationClaimsClient: ClientCtors.OperationClaimsClient;
     OperationClaimsService: ClientCtors.OperationClaimsClient;
     operationClaimsService: ClientCtors.OperationClaimsClient;
+    PortalClient: ClientCtors.PortalClient;
+    PortalService: ClientCtors.PortalClient;
+    portalService: ClientCtors.PortalClient;
     QueueMonitorClient: ClientCtors.QueueMonitorClient;
     QueueMonitorService: ClientCtors.QueueMonitorClient;
     queueMonitorService: ClientCtors.QueueMonitorClient;
@@ -63,6 +75,9 @@ export declare function createAllClients(cfg: ApiClientConfig, baseUrl?: string,
     HealthClient: ClientCtors.HealthClient;
     HealthService: ClientCtors.HealthClient;
     healthService: ClientCtors.HealthClient;
+    RiskClient: ClientCtors.RiskClient;
+    RiskService: ClientCtors.RiskClient;
+    riskService: ClientCtors.RiskClient;
     ScanApiBusSourcesClient: ClientCtors.ScanApiBusSourcesClient;
     ScanApiBusSourcesService: ClientCtors.ScanApiBusSourcesClient;
     scanApiBusSourcesService: ClientCtors.ScanApiBusSourcesClient;
@@ -183,9 +198,6 @@ export declare function createAllClients(cfg: ApiClientConfig, baseUrl?: string,
     ScanVisibilityTypesClient: ClientCtors.ScanVisibilityTypesClient;
     ScanVisibilityTypesService: ClientCtors.ScanVisibilityTypesClient;
     scanVisibilityTypesService: ClientCtors.ScanVisibilityTypesClient;
-    ApiClient: ClientCtors.ApiClient;
-    ApiService: ClientCtors.ApiClient;
-    apiService: ClientCtors.ApiClient;
     InternalClient: ClientCtors.InternalClient;
     InternalService: ClientCtors.InternalClient;
     internalService: ClientCtors.InternalClient;
@@ -263,6 +275,15 @@ export declare function createAllRxClients(cfg: ApiClientConfig, baseUrl?: strin
     DevicesClient: Rxified<ClientCtors.DevicesClient>;
     DevicesService: Rxified<ClientCtors.DevicesClient>;
     devicesService: Rxified<ClientCtors.DevicesClient>;
+    DiagnosticsClient: Rxified<ClientCtors.DiagnosticsClient>;
+    DiagnosticsService: Rxified<ClientCtors.DiagnosticsClient>;
+    diagnosticsService: Rxified<ClientCtors.DiagnosticsClient>;
+    FeedbacksClient: Rxified<ClientCtors.FeedbacksClient>;
+    FeedbacksService: Rxified<ClientCtors.FeedbacksClient>;
+    feedbacksService: Rxified<ClientCtors.FeedbacksClient>;
+    ApiClient: Rxified<ClientCtors.ApiClient>;
+    ApiService: Rxified<ClientCtors.ApiClient>;
+    apiService: Rxified<ClientCtors.ApiClient>;
     InteractionTrackersClient: Rxified<ClientCtors.InteractionTrackersClient>;
     InteractionTrackersService: Rxified<ClientCtors.InteractionTrackersClient>;
     interactionTrackersService: Rxified<ClientCtors.InteractionTrackersClient>;
@@ -281,6 +302,9 @@ export declare function createAllRxClients(cfg: ApiClientConfig, baseUrl?: strin
     OperationClaimsClient: Rxified<ClientCtors.OperationClaimsClient>;
     OperationClaimsService: Rxified<ClientCtors.OperationClaimsClient>;
     operationClaimsService: Rxified<ClientCtors.OperationClaimsClient>;
+    PortalClient: Rxified<ClientCtors.PortalClient>;
+    PortalService: Rxified<ClientCtors.PortalClient>;
+    portalService: Rxified<ClientCtors.PortalClient>;
     QueueMonitorClient: Rxified<ClientCtors.QueueMonitorClient>;
     QueueMonitorService: Rxified<ClientCtors.QueueMonitorClient>;
     queueMonitorService: Rxified<ClientCtors.QueueMonitorClient>;
@@ -290,6 +314,9 @@ export declare function createAllRxClients(cfg: ApiClientConfig, baseUrl?: strin
     HealthClient: Rxified<ClientCtors.HealthClient>;
     HealthService: Rxified<ClientCtors.HealthClient>;
     healthService: Rxified<ClientCtors.HealthClient>;
+    RiskClient: Rxified<ClientCtors.RiskClient>;
+    RiskService: Rxified<ClientCtors.RiskClient>;
+    riskService: Rxified<ClientCtors.RiskClient>;
     ScanApiBusSourcesClient: Rxified<ClientCtors.ScanApiBusSourcesClient>;
     ScanApiBusSourcesService: Rxified<ClientCtors.ScanApiBusSourcesClient>;
     scanApiBusSourcesService: Rxified<ClientCtors.ScanApiBusSourcesClient>;
@@ -410,9 +437,6 @@ export declare function createAllRxClients(cfg: ApiClientConfig, baseUrl?: strin
     ScanVisibilityTypesClient: Rxified<ClientCtors.ScanVisibilityTypesClient>;
     ScanVisibilityTypesService: Rxified<ClientCtors.ScanVisibilityTypesClient>;
     scanVisibilityTypesService: Rxified<ClientCtors.ScanVisibilityTypesClient>;
-    ApiClient: Rxified<ClientCtors.ApiClient>;
-    ApiService: Rxified<ClientCtors.ApiClient>;
-    apiService: Rxified<ClientCtors.ApiClient>;
     InternalClient: Rxified<ClientCtors.InternalClient>;
     InternalService: Rxified<ClientCtors.InternalClient>;
     internalService: Rxified<ClientCtors.InternalClient>;

package/dist/security/index.d.ts

@@ -0,0 +1,4 @@
+export type { InputPolicyKind, ThreatType, ThreatDetail, InputSecurityResult, InputSecurityPolicy, } from "./input-security-policy.js";
+export { sanitize, detect } from "./input-security-service.js";
+export { validatePath, validateAbsoluteUrl, sanitizeBody, sanitizeFormDataFileName, sanitizeHeaderValue, } from "./request-sanitizer.js";
+export type { SanitizeBodyResult } from "./request-sanitizer.js";

package/dist/security/index.js

@@ -0,0 +1,2 @@
+export { sanitize, detect } from "./input-security-service.js";
+export { validatePath, validateAbsoluteUrl, sanitizeBody, sanitizeFormDataFileName, sanitizeHeaderValue, } from "./request-sanitizer.js";

package/dist/security/input-security-policy.d.ts

@@ -0,0 +1,23 @@
+/**
+ * Input Security Policy types for the API client.
+ * Aligned with VirusProof-main Core InputPolicyKind.
+ */
+export type InputPolicyKind = "scanName" | "url" | "ip" | "sha256" | "sha1" | "md5" | "email" | "freeTextShort" | "freeTextLong" | "scanDisplayName" | "otp" | "captchaToken" | "password" | "enum" | "date" | "fileName" | "routeSegment" | "queryText" | "headerValue" | "guid" | "scanMode" | "engineIdsJson" | "analysisIdsJson" | "workerPayload" | "jsonPayload";
+export type ThreatType = "xss" | "sql-injection" | "nosql-injection" | "ssti" | "command-injection" | "path-traversal" | "log-injection" | "header-injection" | "ssrf" | "prototype-pollution";
+export interface ThreatDetail {
+    type: ThreatType;
+    severity: "low" | "medium" | "high" | "critical";
+    message: string;
+}
+export interface InputSecurityResult {
+    sanitized: string;
+    modified: boolean;
+    blocked: boolean;
+    detectedThreats: ThreatDetail[];
+}
+export interface InputSecurityPolicy {
+    kind: InputPolicyKind;
+    maxLength: number;
+    sanitizerChain: ThreatType[];
+    blockOnDetection: boolean;
+}

package/dist/security/input-security-policy.js

@@ -0,0 +1,5 @@
+/**
+ * Input Security Policy types for the API client.
+ * Aligned with VirusProof-main Core InputPolicyKind.
+ */
+export {};

package/dist/security/input-security-service.d.ts

@@ -0,0 +1,3 @@
+import type { InputPolicyKind, InputSecurityResult, ThreatDetail } from "./input-security-policy.js";
+export declare function sanitize(kind: InputPolicyKind, value: string | null | undefined, fieldName?: string): InputSecurityResult;
+export declare function detect(kind: InputPolicyKind, value: string): ThreatDetail[];

package/dist/security/input-security-service.js

@@ -0,0 +1,153 @@
+/**
+ * Lightweight client-side input security service.
+ * NOT authoritative — server is the trust boundary.
+ * This provides early rejection and UX feedback.
+ */
+// ─── Pattern definitions ────────────────────────────────────────
+const XSS_PATTERNS = [
+    /<script\b/i,
+    /javascript\s*:/i,
+    /on(?:load|error|click|mouse|focus|blur|change|submit)\s*=/i,
+    /<\s*(?:iframe|object|embed|svg|math|form|input)\b/i,
+    /expression\s*\(/i,
+];
+const SQL_PATTERNS = [
+    /'\s*(?:OR|AND)\s+.+?(?:=|--|;)/i,
+    /;\s*(?:DROP|ALTER|DELETE|INSERT|UPDATE|EXEC)\b/i,
+    /\bUNION\s+(?:ALL\s+)?SELECT\b/i,
+    /\b(?:WAITFOR\s+DELAY|BENCHMARK\s*\(|SLEEP\s*\()/i,
+    /\bINFORMATION_SCHEMA\b/i,
+    /\b(?:OrderBy|Where|FromSqlRaw|ExecuteSqlRaw)\s*\(/i,
+];
+const NOSQL_PATTERNS = [
+    /\$\s*(?:ne|gt|gte|lt|lte|in|nin|exists|regex|where|or|and)\b/i,
+    /\{\s*"\$/,
+];
+const SSTI_PATTERNS = [/\{\{.*?\}\}/, /\$\{.*?\}/, /\{%.*?%\}/];
+const CMD_PATTERNS = [
+    /[;&|`]/,
+    /\$\(/,
+    /\b(?:whoami|cat|wget|curl|bash|sh|rm|nc)\b/i,
+];
+const PATH_PATTERNS = [
+    /\.\.[/\\]/,
+    /%2e%2e[%2f%5c/\\]/i,
+    /%00/,
+    /\x00/,
+];
+const CRLF_PATTERN = /[\r\n]/;
+const CONTROL_CHARS = /[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]/;
+const PROTOTYPE_POLLUTION_PATTERNS = [
+    /"__proto__"\s*:/,
+    /"constructor"\s*:/,
+    /"prototype"\s*:/,
+    /__proto__/,
+];
+const SSRF_PATTERNS = [
+    /^(?:javascript|data|file|vbscript|ftp|gopher|dict|ldap):/i,
+    /:\/\/(?:localhost|127\.0\.0\.1|\[::1\])/i,
+    /:\/\/169\.254\.169\.254/,
+    /:\/\/100\.100\.100\.200/,
+    /:\/\/metadata\.google\.internal/i,
+    /:\/\/10\.\d{1,3}\.\d{1,3}\.\d{1,3}/,
+    /:\/\/172\.(?:1[6-9]|2\d|3[01])\.\d{1,3}\.\d{1,3}/,
+    /:\/\/192\.168\.\d{1,3}\.\d{1,3}/,
+    /:\/\/[^/]*@/, // user:pass@host
+];
+const POLICIES = {
+    scanName: { maxLength: 128, block: true, checks: ["xss", "sql-injection", "command-injection", "ssti", "path-traversal", "log-injection", "header-injection"] },
+    url: { maxLength: 2048, block: true, checks: ["xss", "command-injection", "path-traversal", "header-injection", "ssrf"] },
+    ip: { maxLength: 45, block: true, checks: ["command-injection", "log-injection"] },
+    sha256: { maxLength: 64, block: true, checks: ["xss", "sql-injection", "command-injection", "path-traversal", "log-injection"] },
+    sha1: { maxLength: 40, block: true, checks: ["xss", "sql-injection", "command-injection", "path-traversal", "log-injection"] },
+    md5: { maxLength: 32, block: true, checks: ["xss", "sql-injection", "command-injection", "path-traversal", "log-injection"] },
+    email: { maxLength: 254, block: true, checks: ["xss", "sql-injection", "command-injection", "header-injection"] },
+    freeTextShort: { maxLength: 256, block: false, checks: ["xss", "sql-injection", "nosql-injection", "ssti", "command-injection", "path-traversal", "log-injection", "header-injection"] },
+    freeTextLong: { maxLength: 5000, block: false, checks: ["xss", "sql-injection", "nosql-injection", "ssti", "command-injection", "path-traversal", "log-injection", "header-injection"] },
+    scanDisplayName: { maxLength: 512, block: false, checks: ["xss", "sql-injection", "nosql-injection", "ssti", "command-injection", "path-traversal", "log-injection", "header-injection"] },
+    otp: { maxLength: 10, block: true, checks: ["sql-injection", "header-injection"] },
+    captchaToken: { maxLength: 4096, block: false, checks: [] },
+    password: { maxLength: 256, block: false, checks: [] },
+    enum: { maxLength: 64, block: true, checks: ["sql-injection", "command-injection", "log-injection"] },
+    date: { maxLength: 32, block: true, checks: ["sql-injection", "command-injection"] },
+    fileName: { maxLength: 255, block: true, checks: ["path-traversal", "command-injection", "xss", "log-injection"] },
+    routeSegment: { maxLength: 256, block: true, checks: ["path-traversal", "sql-injection", "command-injection", "header-injection"] },
+    queryText: { maxLength: 512, block: false, checks: ["xss", "sql-injection", "nosql-injection", "ssti", "command-injection", "path-traversal"] },
+    headerValue: { maxLength: 8192, block: true, checks: ["header-injection", "log-injection"] },
+    guid: { maxLength: 36, block: true, checks: ["sql-injection", "log-injection"] },
+    scanMode: { maxLength: 16, block: true, checks: ["sql-injection", "command-injection", "log-injection"] },
+    engineIdsJson: { maxLength: 4096, block: true, checks: ["nosql-injection", "sql-injection", "xss", "command-injection", "log-injection", "prototype-pollution"] },
+    analysisIdsJson: { maxLength: 8192, block: true, checks: ["nosql-injection", "sql-injection", "xss", "command-injection", "log-injection", "prototype-pollution"] },
+    workerPayload: { maxLength: 65536, block: true, checks: ["sql-injection", "nosql-injection", "command-injection", "xss", "ssti", "log-injection", "header-injection", "prototype-pollution"] },
+    jsonPayload: { maxLength: 65536, block: false, checks: ["sql-injection", "nosql-injection", "xss", "ssti", "command-injection", "log-injection", "prototype-pollution"] },
+};
+// ─── Core logic ─────────────────────────────────────────────────
+function checkPatterns(input, type) {
+    const patterns = type === "xss" ? XSS_PATTERNS
+        : type === "sql-injection" ? SQL_PATTERNS
+            : type === "nosql-injection" ? NOSQL_PATTERNS
+                : type === "ssti" ? SSTI_PATTERNS
+                    : type === "command-injection" ? CMD_PATTERNS
+                        : type === "path-traversal" ? PATH_PATTERNS
+                            : type === "log-injection" ? [CRLF_PATTERN]
+                                : type === "header-injection" ? [CRLF_PATTERN, CONTROL_CHARS]
+                                    : type === "ssrf" ? SSRF_PATTERNS
+                                        : type === "prototype-pollution" ? PROTOTYPE_POLLUTION_PATTERNS
+                                            : [];
+    for (const p of patterns) {
+        if (p.test(input)) {
+            return {
+                type,
+                severity: type === "sql-injection" || type === "command-injection" || type === "ssrf" || type === "prototype-pollution" ? "critical" : "high",
+                message: `${type} pattern detected`,
+            };
+        }
+    }
+    return null;
+}
+export function sanitize(kind, value, fieldName = "") {
+    if (!value) {
+        return { sanitized: value ?? "", modified: false, blocked: false, detectedThreats: [] };
+    }
+    const policy = POLICIES[kind];
+    let current = value.trim();
+    let modified = false;
+    // Max length
+    if (current.length > policy.maxLength) {
+        current = current.slice(0, policy.maxLength);
+        modified = true;
+    }
+    // CR/LF sanitize for all
+    if (CRLF_PATTERN.test(current)) {
+        current = current.replace(/[\r\n]/g, " ");
+        modified = true;
+    }
+    if (CONTROL_CHARS.test(current)) {
+        current = current.replace(/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]/g, "");
+        modified = true;
+    }
+    // Run checks
+    const threats = [];
+    for (const check of policy.checks) {
+        const threat = checkPatterns(current, check);
+        if (threat)
+            threats.push(threat);
+    }
+    const blocked = policy.block && threats.length > 0;
+    return {
+        sanitized: blocked ? "" : current,
+        modified: modified || current !== value,
+        blocked,
+        detectedThreats: threats,
+    };
+}
+export function detect(kind, value) {
+    const policy = POLICIES[kind];
+    const threats = [];
+    for (const check of policy.checks) {
+        const threat = checkPatterns(value, check);
+        if (threat)
+            threats.push(threat);
+    }
+    return threats;
+}

package/dist/security/request-sanitizer.d.ts

@@ -0,0 +1,18 @@
+import type { InputSecurityResult } from "./input-security-policy.js";
+export declare function validatePath(path: string): {
+    safe: boolean;
+    sanitized: string;
+};
+export declare function validateAbsoluteUrl(url: string, trustedHosts: string[]): {
+    safe: boolean;
+    reason?: string;
+};
+export interface SanitizeBodyResult {
+    body: Record<string, unknown>;
+    modified: boolean;
+    blocked: boolean;
+    threats: InputSecurityResult[];
+}
+export declare function sanitizeBody(body: Record<string, unknown>, depth?: number, visited?: WeakSet<object>): SanitizeBodyResult;
+export declare function sanitizeFormDataFileName(filename: string): string;
+export declare function sanitizeHeaderValue(value: string): string;