@vulcn/plugin-payloads 0.2.1 → 0.3.0

package/dist/index.d.cts

@@ -2,36 +2,60 @@ import { z } from 'zod';
 import { RuntimePayload, VulcnPlugin } from '@vulcn/engine';
 
 /**
- * Built-in security payloads
- * Curated, tested, fast defaults for common vulnerability categories
+ * PayloadBox Loader
+ *
+ * Fetches payloads from PayloadsAllTheThings GitHub repository.
+ * This is the primary payload source for Vulcn — community-curated,
+ * battle-tested payloads from the largest security payload collection.
+ *
+ * Supports short aliases for convenience:
+ *   xss, sqli, xxe, cmd, redirect, traversal
  */
 
 /**
- * Built-in payloads - curated, tested, fast defaults
+ * Canonical PayloadBox type names (as they appear in PayloadsAllTheThings)
  */
-declare const BUILTIN_PAYLOADS: Record<string, RuntimePayload>;
-
+type PayloadBoxType = "xss" | "sql-injection" | "xxe" | "command-injection" | "open-redirect" | "path-traversal";
 /**
- * PayloadBox Loader
- * Fetches payloads from PayloadsAllTheThings GitHub repository
+ * Get all available payload type names (canonical)
  */
-
+declare function getPayloadBoxTypes(): PayloadBoxType[];
 /**
- * Supported PayloadBox types
+ * Get all short aliases
  */
-type PayloadBoxType = "xss" | "sql-injection" | "xxe" | "command-injection" | "open-redirect" | "path-traversal";
+declare function getAliases(): Record<string, PayloadBoxType>;
 /**
- * Get available PayloadBox types
+ * Resolve a user-provided name to a canonical PayloadBox type.
+ *
+ * Accepts:
+ *   "xss"              → "xss"
+ *   "sqli"             → "sql-injection"
+ *   "sql-injection"    → "sql-injection"
+ *   "cmd"              → "command-injection"
+ *
+ * Returns null if the name doesn't match any known type.
  */
-declare function getPayloadBoxTypes(): PayloadBoxType[];
+declare function resolvePayloadType(name: string): PayloadBoxType | null;
 /**
- * Load payloads from PayloadBox
+ * Check if a name resolves to a valid PayloadBox type
+ */
+declare function isValidPayloadName(name: string): boolean;
+/**
+ * Get description for a payload type
+ */
+declare function getDescription(type: PayloadBoxType): string;
+/**
+ * Load payloads from PayloadBox.
  *
- * @param type - PayloadBox type (xss, sql-injection, etc.)
- * @param limit - Maximum number of payloads to include
- * @param fetchFn - Fetch function to use (for testing/DI)
+ * Accepts both canonical names and short aliases:
+ *   loadPayloadBox("xss")     → fetches XSS payloads
+ *   loadPayloadBox("sqli")    → fetches SQL injection payloads
  */
-declare function loadPayloadBox(type: string, limit?: number, fetchFn?: typeof fetch): Promise<RuntimePayload>;
+declare function loadPayloadBox(name: string, limit?: number, fetchFn?: typeof fetch): Promise<RuntimePayload>;
+/**
+ * Clear PayloadBox cache
+ */
+declare function clearPayloadBoxCache(): void;
 
 /**
  * File Loader
@@ -51,10 +75,12 @@ declare function loadFromFile(filePath: string): Promise<RuntimePayload[]>;
  * @vulcn/plugin-payloads
  * Official payload loader plugin for Vulcn
  *
- * Provides:
- * - Built-in payloads (XSS, SQLi, SSRF, XXE, etc.)
- * - PayloadBox loader (PayloadsAllTheThings)
- * - Custom file loader (YAML/JSON)
+ * Payload sources (in order of priority):
+ * 1. PayloadBox — community-curated payloads from PayloadsAllTheThings (default)
+ * 2. Custom files — expert-provided YAML/JSON payload files
+ *
+ * Short aliases for payload types:
+ *   xss, sqli, xxe, cmd, redirect, traversal
  */
 
 /**
@@ -62,49 +88,32 @@ declare function loadFromFile(filePath: string): Promise<RuntimePayload[]>;
  */
 declare const configSchema: z.ZodObject<{
     /**
-     * Include built-in payloads (default: true)
-     */
-    builtin: z.ZodDefault<z.ZodBoolean>;
-    /**
-     * Specific built-in payload names to include (if not all)
-     */
-    include: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
-    /**
-     * Built-in payload names to exclude
-     */
-    exclude: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
-    /**
-     * PayloadBox types to fetch from PayloadsAllTheThings
-     * e.g., ["xss", "sql-injection", "xxe"]
+     * Payload types to load from PayloadsAllTheThings.
+     * Accepts short aliases: xss, sqli, xxe, cmd, redirect, traversal
+     * @example ["xss", "sqli"]
      */
-    payloadbox: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+    types: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
     /**
-     * Limit per PayloadBox type
+     * Maximum payloads per type (default 50)
      */
-    payloadboxLimit: z.ZodDefault<z.ZodNumber>;
+    limit: z.ZodDefault<z.ZodNumber>;
     /**
      * Custom payload files to load (YAML/JSON)
      */
     files: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
 }, "strip", z.ZodTypeAny, {
-    builtin: boolean;
-    payloadboxLimit: number;
-    include?: string[] | undefined;
-    exclude?: string[] | undefined;
-    payloadbox?: string[] | undefined;
+    limit: number;
+    types?: string[] | undefined;
     files?: string[] | undefined;
 }, {
-    builtin?: boolean | undefined;
-    include?: string[] | undefined;
-    exclude?: string[] | undefined;
-    payloadbox?: string[] | undefined;
-    payloadboxLimit?: number | undefined;
+    types?: string[] | undefined;
+    limit?: number | undefined;
     files?: string[] | undefined;
 }>;
 type PayloadsPluginConfig = z.infer<typeof configSchema>;
 /**
- * Payloads Plugin - loads payloads from various sources
+ * Payloads Plugin
  */
 declare const plugin: VulcnPlugin;
 
-export { BUILTIN_PAYLOADS, type PayloadsPluginConfig, plugin as default, getPayloadBoxTypes, loadFromFile, loadFromFiles, loadPayloadBox };
+export { type PayloadsPluginConfig, clearPayloadBoxCache, plugin as default, getAliases, getDescription, getPayloadBoxTypes, isValidPayloadName, loadFromFile, loadFromFiles, loadPayloadBox, resolvePayloadType };

package/dist/index.d.ts

@@ -2,36 +2,60 @@ import { z } from 'zod';
 import { RuntimePayload, VulcnPlugin } from '@vulcn/engine';
 
 /**
- * Built-in security payloads
- * Curated, tested, fast defaults for common vulnerability categories
+ * PayloadBox Loader
+ *
+ * Fetches payloads from PayloadsAllTheThings GitHub repository.
+ * This is the primary payload source for Vulcn — community-curated,
+ * battle-tested payloads from the largest security payload collection.
+ *
+ * Supports short aliases for convenience:
+ *   xss, sqli, xxe, cmd, redirect, traversal
  */
 
 /**
- * Built-in payloads - curated, tested, fast defaults
+ * Canonical PayloadBox type names (as they appear in PayloadsAllTheThings)
  */
-declare const BUILTIN_PAYLOADS: Record<string, RuntimePayload>;
-
+type PayloadBoxType = "xss" | "sql-injection" | "xxe" | "command-injection" | "open-redirect" | "path-traversal";
 /**
- * PayloadBox Loader
- * Fetches payloads from PayloadsAllTheThings GitHub repository
+ * Get all available payload type names (canonical)
  */
-
+declare function getPayloadBoxTypes(): PayloadBoxType[];
 /**
- * Supported PayloadBox types
+ * Get all short aliases
  */
-type PayloadBoxType = "xss" | "sql-injection" | "xxe" | "command-injection" | "open-redirect" | "path-traversal";
+declare function getAliases(): Record<string, PayloadBoxType>;
 /**
- * Get available PayloadBox types
+ * Resolve a user-provided name to a canonical PayloadBox type.
+ *
+ * Accepts:
+ *   "xss"              → "xss"
+ *   "sqli"             → "sql-injection"
+ *   "sql-injection"    → "sql-injection"
+ *   "cmd"              → "command-injection"
+ *
+ * Returns null if the name doesn't match any known type.
  */
-declare function getPayloadBoxTypes(): PayloadBoxType[];
+declare function resolvePayloadType(name: string): PayloadBoxType | null;
 /**
- * Load payloads from PayloadBox
+ * Check if a name resolves to a valid PayloadBox type
+ */
+declare function isValidPayloadName(name: string): boolean;
+/**
+ * Get description for a payload type
+ */
+declare function getDescription(type: PayloadBoxType): string;
+/**
+ * Load payloads from PayloadBox.
  *
- * @param type - PayloadBox type (xss, sql-injection, etc.)
- * @param limit - Maximum number of payloads to include
- * @param fetchFn - Fetch function to use (for testing/DI)
+ * Accepts both canonical names and short aliases:
+ *   loadPayloadBox("xss")     → fetches XSS payloads
+ *   loadPayloadBox("sqli")    → fetches SQL injection payloads
  */
-declare function loadPayloadBox(type: string, limit?: number, fetchFn?: typeof fetch): Promise<RuntimePayload>;
+declare function loadPayloadBox(name: string, limit?: number, fetchFn?: typeof fetch): Promise<RuntimePayload>;
+/**
+ * Clear PayloadBox cache
+ */
+declare function clearPayloadBoxCache(): void;
 
 /**
  * File Loader
@@ -51,10 +75,12 @@ declare function loadFromFile(filePath: string): Promise<RuntimePayload[]>;
  * @vulcn/plugin-payloads
  * Official payload loader plugin for Vulcn
  *
- * Provides:
- * - Built-in payloads (XSS, SQLi, SSRF, XXE, etc.)
- * - PayloadBox loader (PayloadsAllTheThings)
- * - Custom file loader (YAML/JSON)
+ * Payload sources (in order of priority):
+ * 1. PayloadBox — community-curated payloads from PayloadsAllTheThings (default)
+ * 2. Custom files — expert-provided YAML/JSON payload files
+ *
+ * Short aliases for payload types:
+ *   xss, sqli, xxe, cmd, redirect, traversal
  */
 
 /**
@@ -62,49 +88,32 @@ declare function loadFromFile(filePath: string): Promise<RuntimePayload[]>;
  */
 declare const configSchema: z.ZodObject<{
     /**
-     * Include built-in payloads (default: true)
-     */
-    builtin: z.ZodDefault<z.ZodBoolean>;
-    /**
-     * Specific built-in payload names to include (if not all)
-     */
-    include: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
-    /**
-     * Built-in payload names to exclude
-     */
-    exclude: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
-    /**
-     * PayloadBox types to fetch from PayloadsAllTheThings
-     * e.g., ["xss", "sql-injection", "xxe"]
+     * Payload types to load from PayloadsAllTheThings.
+     * Accepts short aliases: xss, sqli, xxe, cmd, redirect, traversal
+     * @example ["xss", "sqli"]
      */
-    payloadbox: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+    types: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
     /**
-     * Limit per PayloadBox type
+     * Maximum payloads per type (default 50)
      */
-    payloadboxLimit: z.ZodDefault<z.ZodNumber>;
+    limit: z.ZodDefault<z.ZodNumber>;
     /**
      * Custom payload files to load (YAML/JSON)
      */
     files: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
 }, "strip", z.ZodTypeAny, {
-    builtin: boolean;
-    payloadboxLimit: number;
-    include?: string[] | undefined;
-    exclude?: string[] | undefined;
-    payloadbox?: string[] | undefined;
+    limit: number;
+    types?: string[] | undefined;
     files?: string[] | undefined;
 }, {
-    builtin?: boolean | undefined;
-    include?: string[] | undefined;
-    exclude?: string[] | undefined;
-    payloadbox?: string[] | undefined;
-    payloadboxLimit?: number | undefined;
+    types?: string[] | undefined;
+    limit?: number | undefined;
     files?: string[] | undefined;
 }>;
 type PayloadsPluginConfig = z.infer<typeof configSchema>;
 /**
- * Payloads Plugin - loads payloads from various sources
+ * Payloads Plugin
  */
 declare const plugin: VulcnPlugin;
 
-export { BUILTIN_PAYLOADS, type PayloadsPluginConfig, plugin as default, getPayloadBoxTypes, loadFromFile, loadFromFiles, loadPayloadBox };
+export { type PayloadsPluginConfig, clearPayloadBoxCache, plugin as default, getAliases, getDescription, getPayloadBoxTypes, isValidPayloadName, loadFromFile, loadFromFiles, loadPayloadBox, resolvePayloadType };