@zero-transfer/sdk 0.4.6 → 0.4.8

package/dist/index.mjs

@@ -1,6 +1,68 @@
 // src/client/ZeroTransfer.ts
 import { EventEmitter } from "events";
 
+// src/logging/redaction.ts
+var REDACTED = "[REDACTED]";
+var SENSITIVE_KEY_PATTERN = /(?:password|passphrase|privatekey|token|secret|username|user)$/i;
+var SECRET_COMMAND_PATTERN = /^(PASS|USER|ACCT)\s+(.+)$/i;
+var URL_KEY_PATTERN = /(?:url|uri|href)$/i;
+function isSensitiveKey(key) {
+  return SENSITIVE_KEY_PATTERN.test(key.replace(/[_-]/g, ""));
+}
+function redactCommand(command) {
+  return command.replace(SECRET_COMMAND_PATTERN, (_fullMatch, commandName) => {
+    return `${commandName.toUpperCase()} ${REDACTED}`;
+  });
+}
+function redactValue(value) {
+  if (typeof value === "string") {
+    return redactCommand(value);
+  }
+  if (Array.isArray(value)) {
+    return value.map((item) => redactValue(item));
+  }
+  if (value !== null && typeof value === "object") {
+    return redactObject(value);
+  }
+  return value;
+}
+function redactObject(input) {
+  return Object.fromEntries(
+    Object.entries(input).map(([key, value]) => {
+      if (isSensitiveKey(key)) {
+        return [key, REDACTED];
+      }
+      if (URL_KEY_PATTERN.test(key) && typeof value === "string") {
+        return [key, redactUrlForLogging(value)];
+      }
+      return [key, redactValue(value)];
+    })
+  );
+}
+function redactUrlForLogging(url) {
+  let parsed;
+  try {
+    parsed = typeof url === "string" ? new URL(url) : url;
+  } catch {
+    return REDACTED;
+  }
+  const origin = parsed.host.length > 0 ? `${parsed.protocol}//${parsed.host}` : parsed.protocol;
+  const query = parsed.search.length > 0 ? `?${REDACTED}` : "";
+  return `${origin}${parsed.pathname}${query}`;
+}
+function redactErrorForLogging(error) {
+  if (error !== null && typeof error === "object") {
+    const candidate = error;
+    if (typeof candidate.toJSON === "function") {
+      return redactObject(candidate.toJSON());
+    }
+  }
+  if (error instanceof Error) {
+    return redactObject({ message: error.message, name: error.name });
+  }
+  return { message: redactValue(typeof error === "string" ? error : String(error)) };
+}
+
 // src/errors/ZeroTransferError.ts
 var ZeroTransferError = class extends Error {
   /** Stable machine-readable error code. */
@@ -42,6 +104,11 @@ var ZeroTransferError = class extends Error {
   /**
    * Serializes the error into a plain object suitable for logs or API responses.
    *
+   * `details` and `command` are passed through secret redaction so serialized
+   * errors never leak credentials, signed URLs, or raw protocol commands. The
+   * live {@link ZeroTransferError.details | details} property stays unredacted
+   * for programmatic consumers.
+   *
    * @returns A JSON-safe object containing public structured error fields.
    */
   toJSON() {
@@ -51,12 +118,12 @@ var ZeroTransferError = class extends Error {
       message: this.message,
       protocol: this.protocol,
       host: this.host,
-      command: this.command,
+      command: this.command === void 0 ? void 0 : redactCommand(this.command),
       ftpCode: this.ftpCode,
       sftpCode: this.sftpCode,
       path: this.path,
       retryable: this.retryable,
-      details: this.details
+      details: this.details === void 0 ? void 0 : redactObject(this.details)
     };
   }
 };
@@ -579,15 +646,20 @@ var ProviderRegistry = class {
 var TransferClient = class {
   /** Provider registry used by this client. */
   registry;
+  /** Execution defaults applied when call sites omit their own values. */
+  defaults;
   logger;
   /**
    * Creates a transfer client without opening any provider connections.
    *
-   * @param options - Optional registry, provider factories, and logger.
+   * @param options - Optional registry, provider factories, logger, and execution defaults.
    */
   constructor(options = {}) {
     this.registry = options.registry ?? new ProviderRegistry();
     this.logger = options.logger ?? noopLogger;
+    if (options.defaults !== void 0) {
+      this.defaults = { ...options.defaults };
+    }
     for (const provider of options.providers ?? []) {
       this.registry.register(provider);
     }
@@ -1160,18 +1232,25 @@ var TransferEngine = class {
       for (let attemptNumber = 1; attemptNumber <= maxAttempts; attemptNumber += 1) {
         this.throwIfAborted(abortScope.signal, job);
         const attemptStartedAt = this.now();
+        const attemptScope = createAttemptScope(
+          abortScope.signal,
+          options.timeout,
+          job,
+          attemptNumber
+        );
         const context = this.createExecutionContext(
           job,
           attemptNumber,
           attemptStartedAt,
           options,
-          abortScope.signal,
+          attemptScope.signal,
           (bytesTransferred) => {
             latestBytesTransferred = bytesTransferred;
-          }
+          },
+          attemptScope.notifyProgress
         );
         try {
-          const result = await runExecutor(executor, context, abortScope.signal, job);
+          const result = await runExecutor(executor, context, attemptScope.signal, job);
           context.throwIfAborted();
           latestBytesTransferred = result.bytesTransferred;
           const completedAt = this.now();
@@ -1189,16 +1268,27 @@ var TransferEngine = class {
             summarizeError(error)
           );
           attempts.push(attempt);
-          if (error instanceof AbortError || error instanceof TimeoutError) {
+          if (error instanceof AbortError || abortScope.signal?.aborted === true) {
             throw error;
           }
-          const retryInput = { attempt: attemptNumber, error, job };
+          const retryInput = {
+            attempt: attemptNumber,
+            elapsedMs: Math.max(0, completedAt.getTime() - startedAt.getTime()),
+            error,
+            job
+          };
           const shouldRetry = attemptNumber < maxAttempts && (options.retry?.shouldRetry?.(retryInput) ?? isRetryable(error));
           if (shouldRetry) {
             options.retry?.onRetry?.(retryInput);
+            const delayMs = normalizeDelayMs(options.retry?.getDelayMs?.(retryInput));
+            if (delayMs > 0) {
+              await sleepWithAbort(delayMs, abortScope.signal, job);
+            }
             continue;
           }
           throw createTransferFailure(job, error, attempts);
+        } finally {
+          attemptScope.dispose();
         }
       }
       throw createTransferFailure(job, void 0, attempts);
@@ -1206,12 +1296,13 @@ var TransferEngine = class {
       abortScope.dispose();
     }
   }
-  createExecutionContext(job, attempt, startedAt, options, signal, updateBytesTransferred) {
+  createExecutionContext(job, attempt, startedAt, options, signal, updateBytesTransferred, notifyProgress) {
     const context = {
       attempt,
       job,
       reportProgress: (bytesTransferred, totalBytes) => {
         this.throwIfAborted(signal, job);
+        notifyProgress();
         updateBytesTransferred(bytesTransferred);
         const progressInput = {
           bytesTransferred,
@@ -1280,6 +1371,96 @@ function createAbortScope(parentSignal, timeout, job) {
     signal: controller.signal
   };
 }
+function createAttemptScope(parentSignal, timeout, job, attempt) {
+  const attemptTimeoutMs = normalizeTimeoutMs(timeout?.attemptTimeoutMs);
+  const stallTimeoutMs = normalizeTimeoutMs(timeout?.stallTimeoutMs);
+  if (attemptTimeoutMs === void 0 && stallTimeoutMs === void 0) {
+    const scope = {
+      dispose: () => void 0,
+      notifyProgress: () => void 0
+    };
+    if (parentSignal !== void 0) scope.signal = parentSignal;
+    return scope;
+  }
+  const controller = new AbortController();
+  const retryable = timeout?.retryable ?? true;
+  const abortFromParent = () => controller.abort(parentSignal?.reason);
+  if (parentSignal?.aborted === true) {
+    abortFromParent();
+  } else {
+    parentSignal?.addEventListener("abort", abortFromParent, { once: true });
+  }
+  const attemptTimer = attemptTimeoutMs === void 0 ? void 0 : setTimeout(() => {
+    controller.abort(
+      new TimeoutError({
+        details: { attempt, attemptTimeoutMs, jobId: job.id, operation: job.operation },
+        message: `Transfer attempt ${String(attempt)} timed out after ${String(attemptTimeoutMs)}ms: ${job.id}`,
+        retryable
+      })
+    );
+  }, attemptTimeoutMs);
+  let stallTimer;
+  const armStallWatchdog = () => {
+    if (stallTimeoutMs === void 0 || controller.signal.aborted) return;
+    if (stallTimer !== void 0) clearTimeout(stallTimer);
+    stallTimer = setTimeout(() => {
+      controller.abort(
+        new TimeoutError({
+          details: { attempt, jobId: job.id, operation: job.operation, stallTimeoutMs },
+          message: `Transfer attempt ${String(attempt)} stalled (no progress for ${String(stallTimeoutMs)}ms): ${job.id}`,
+          retryable
+        })
+      );
+    }, stallTimeoutMs);
+  };
+  armStallWatchdog();
+  return {
+    dispose: () => {
+      if (attemptTimer !== void 0) clearTimeout(attemptTimer);
+      if (stallTimer !== void 0) clearTimeout(stallTimer);
+      parentSignal?.removeEventListener("abort", abortFromParent);
+    },
+    notifyProgress: armStallWatchdog,
+    signal: controller.signal
+  };
+}
+function sleepWithAbort(delayMs, signal, job) {
+  return new Promise((resolve, reject) => {
+    if (signal === void 0) {
+      setTimeout(resolve, delayMs);
+      return;
+    }
+    if (signal.aborted) {
+      reject(toAbortFailure(signal, job));
+      return;
+    }
+    const rejectAbort = () => {
+      clearTimeout(timer);
+      reject(toAbortFailure(signal, job));
+    };
+    const timer = setTimeout(() => {
+      signal.removeEventListener("abort", rejectAbort);
+      resolve();
+    }, delayMs);
+    signal.addEventListener("abort", rejectAbort, { once: true });
+  });
+}
+function toAbortFailure(signal, job) {
+  if (signal.reason instanceof ZeroTransferError) {
+    return signal.reason;
+  }
+  return new AbortError({
+    details: { jobId: job.id, operation: job.operation },
+    message: `Transfer job aborted: ${job.id}`,
+    retryable: false
+  });
+}
+function normalizeDelayMs(value) {
+  if (value === void 0 || !Number.isFinite(value) || value <= 0) {
+    return 0;
+  }
+  return Math.floor(value);
+}
 function normalizeTimeoutMs(value) {
   if (value === void 0 || !Number.isFinite(value) || value <= 0) {
     return void 0;
@@ -1448,7 +1629,7 @@ async function runRoute(options) {
     const executor = createProviderTransferExecutor({
       resolveSession: ({ role }) => sessions.get(role)
     });
-    return await engine.execute(job, executor, buildExecuteOptions(options));
+    return await engine.execute(job, executor, buildExecuteOptions(options, client));
   } finally {
     if (destinationSession !== void 0) {
       await destinationSession.disconnect();
@@ -1485,12 +1666,14 @@ function defaultJobId(route, now) {
   const timestamp = (now?.() ?? /* @__PURE__ */ new Date()).getTime();
   return `route:${route.id}:${timestamp.toString(36)}`;
 }
-function buildExecuteOptions(options) {
+function buildExecuteOptions(options, client) {
   const execute = {};
+  const retry = options.retry ?? client.defaults?.retry;
+  const timeout = options.timeout ?? client.defaults?.timeout;
   if (options.signal !== void 0) execute.signal = options.signal;
-  if (options.retry !== void 0) execute.retry = options.retry;
+  if (retry !== void 0) execute.retry = retry;
   if (options.onProgress !== void 0) execute.onProgress = options.onProgress;
-  if (options.timeout !== void 0) execute.timeout = options.timeout;
+  if (timeout !== void 0) execute.timeout = timeout;
   if (options.bandwidthLimit !== void 0) execute.bandwidthLimit = options.bandwidthLimit;
   return execute;
 }
@@ -1547,41 +1730,6 @@ function defaultRouteSuffix(source, destination) {
   return `${source}->${destination}`;
 }
 
-// src/logging/redaction.ts
-var REDACTED = "[REDACTED]";
-var SENSITIVE_KEY_PATTERN = /(?:password|passphrase|privatekey|token|secret|username|user)$/i;
-var SECRET_COMMAND_PATTERN = /^(PASS|USER|ACCT)\s+(.+)$/i;
-function isSensitiveKey(key) {
-  return SENSITIVE_KEY_PATTERN.test(key.replace(/[_-]/g, ""));
-}
-function redactCommand(command) {
-  return command.replace(SECRET_COMMAND_PATTERN, (_fullMatch, commandName) => {
-    return `${commandName.toUpperCase()} ${REDACTED}`;
-  });
-}
-function redactValue(value) {
-  if (typeof value === "string") {
-    return redactCommand(value);
-  }
-  if (Array.isArray(value)) {
-    return value.map((item) => redactValue(item));
-  }
-  if (value !== null && typeof value === "object") {
-    return redactObject(value);
-  }
-  return value;
-}
-function redactObject(input) {
-  return Object.fromEntries(
-    Object.entries(input).map(([key, value]) => {
-      if (isSensitiveKey(key)) {
-        return [key, REDACTED];
-      }
-      return [key, redactValue(value)];
-    })
-  );
-}
-
 // src/profiles/SecretSource.ts
 import { Buffer as Buffer3 } from "buffer";
 import { readFile } from "fs/promises";
@@ -2005,11 +2153,11 @@ async function resolveTlsSecretSource(source, options) {
 }
 
 // src/utils/path.ts
-var UNSAFE_FTP_ARGUMENT_PATTERN = /[\r\n]/;
+var UNSAFE_FTP_ARGUMENT_PATTERN = /[\r\n\0]/;
 function assertSafeFtpArgument(value, label = "path") {
   if (UNSAFE_FTP_ARGUMENT_PATTERN.test(value)) {
     throw new ConfigurationError({
-      message: `Unsafe FTP ${label}: CR and LF characters are not allowed`,
+      message: `Unsafe FTP ${label}: CR, LF, and NUL characters are not allowed`,
       retryable: false,
       details: {
         label
@@ -2971,38 +3119,53 @@ async function expectCompletion(control, command, path2) {
   const response = await control.sendCommand(command);
   assertPathCommandSucceeded(response, command, path2, control.providerId);
 }
-async function readPassiveDataCommand(control, command, path2, options = {}) {
-  const dataConnection = await openPassiveDataCommand(control, command, path2, options);
+async function readPassiveLinesCommand(control, command, path2, onLine) {
+  const dataConnection = await openPassiveDataCommand(control, command, path2);
   try {
-    const payload = await collectPassiveData(
-      dataConnection,
-      control.operationTimeoutMs,
-      path2,
-      control.providerId
-    );
+    const failure = await consumePassiveLines(dataConnection, control.operationTimeoutMs, {
+      command,
+      onLine,
+      path: path2,
+      providerId: control.providerId
+    });
     const finalResponse = await control.readFinalResponse({
       command,
       operation: "data command completion",
       path: path2
     });
     assertPathCommandSucceeded(finalResponse, command, path2, control.providerId);
-    return payload;
+    if (failure !== void 0) throw failure;
   } catch (error) {
     dataConnection.close();
     throw error;
   }
 }
 async function readDirectoryEntries(control, path2) {
+  const entries = [];
+  const collectEntry = (entry) => {
+    if (entry.name === "." || entry.name === "..") return;
+    entries.push(entry);
+  };
   try {
-    const payload2 = await readPassiveDataCommand(control, `MLSD ${path2}`, path2);
-    return parseMlsdList(payload2.toString("utf8"), path2);
+    await readPassiveLinesCommand(control, `MLSD ${path2}`, path2, (rawLine) => {
+      const line = rawLine.trimEnd();
+      if (line.length === 0) return;
+      collectEntry(parseMlsdLine(line, path2));
+    });
+    return entries;
   } catch (error) {
     if (!isUnsupportedFtpCommandError(error, "MLSD")) {
       throw error;
     }
   }
-  const payload = await readPassiveDataCommand(control, `LIST ${path2}`, path2);
-  return parseUnixList(payload.toString("utf8"), path2);
+  entries.length = 0;
+  const now = /* @__PURE__ */ new Date();
+  await readPassiveLinesCommand(control, `LIST ${path2}`, path2, (rawLine) => {
+    const line = rawLine.trimEnd();
+    if (line.length === 0 || line.toLowerCase().startsWith("total ")) return;
+    collectEntry(parseUnixListLine(line, path2, now));
+  });
+  return entries;
 }
 async function openPassiveDataCommand(control, command, path2, options = {}) {
   const offset = normalizeOptionalByteCount(options.offset, "offset", path2);
@@ -3175,22 +3338,58 @@ function openPassiveDataConnection(endpoint, timeoutMs, path2, control) {
     }
   };
 }
-async function collectPassiveData(dataConnection, timeoutMs, path2, providerId) {
-  const chunks = [];
+var MAX_LIST_LINE_BYTES = 64 * 1024;
+async function consumePassiveLines(dataConnection, timeoutMs, input) {
+  let carry = Buffer4.alloc(0);
+  let failure;
   const clearIdleTimeout = setSocketTimeout(dataConnection.socket, timeoutMs, {
     host: dataConnection.endpoint.host,
     operation: "passive data transfer",
-    path: path2,
-    providerId
+    path: input.path,
+    providerId: input.providerId
   });
+  const overlongLineFailure = () => new ParseError({
+    details: { command: input.command, limitBytes: MAX_LIST_LINE_BYTES, path: input.path },
+    message: `FTP listing line exceeded ${String(MAX_LIST_LINE_BYTES)} bytes for ${input.command}`,
+    retryable: false
+  });
+  const emit = (lineBytes) => {
+    if (failure !== void 0) return;
+    let end = lineBytes.length;
+    if (end > 0 && lineBytes[end - 1] === 13) end -= 1;
+    if (end === 0) return;
+    if (end > MAX_LIST_LINE_BYTES) {
+      failure = overlongLineFailure();
+      return;
+    }
+    try {
+      input.onLine(lineBytes.toString("utf8", 0, end));
+    } catch (error) {
+      failure = error instanceof Error ? error : new Error(String(error));
+    }
+  };
   try {
     for await (const chunk of dataConnection.socket) {
-      chunks.push(Buffer4.from(chunk));
+      if (failure !== void 0) continue;
+      const data = carry.length > 0 ? Buffer4.concat([carry, chunk]) : chunk;
+      let start = 0;
+      let newline = data.indexOf(10, start);
+      while (newline !== -1) {
+        emit(data.subarray(start, newline));
+        start = newline + 1;
+        newline = data.indexOf(10, start);
+      }
+      carry = Buffer4.from(data.subarray(start));
+      if (carry.length > MAX_LIST_LINE_BYTES && failure === void 0) {
+        failure = overlongLineFailure();
+      }
+      if (failure !== void 0) carry = Buffer4.alloc(0);
     }
+    if (carry.length > 0) emit(carry);
   } finally {
     clearIdleTimeout();
   }
-  return Buffer4.concat(chunks);
+  return failure;
 }
 async function* createPassiveReadSource(control, dataConnection, command, path2, range, request) {
   let bytesEmitted = 0;
@@ -3439,6 +3638,13 @@ function createTlsPinnedFingerprints(profile) {
   if (pinnedFingerprint256 === void 0) {
     return void 0;
   }
+  if (profile.tls?.rejectUnauthorized === false) {
+    throw new ConfigurationError({
+      message: "FTPS tls.pinnedFingerprint256 cannot be combined with rejectUnauthorized: false; pin verification runs after the TLS handshake, so chain validation must stay enabled. For self-signed certificates supply tls.ca instead of disabling validation.",
+      protocol: FTPS_PROVIDER_ID,
+      retryable: false
+    });
+  }
   const fingerprints = Array.isArray(pinnedFingerprint256) ? pinnedFingerprint256 : [pinnedFingerprint256];
   if (fingerprints.length === 0) {
     throw new ConfigurationError({
@@ -5410,6 +5616,7 @@ import { Buffer as Buffer13 } from "buffer";
 import { randomBytes as randomBytes2 } from "crypto";
 var MIN_PADDING_LENGTH = 4;
 var MIN_PACKET_LENGTH = 1 + MIN_PADDING_LENGTH;
+var MAX_SSH_PACKET_LENGTH = 256 * 1024;
 function encodeSshTransportPacket(payload, options = {}) {
   const body = Buffer13.from(payload);
   const blockSize = normalizeBlockSize(options.blockSize ?? 8);
@@ -5487,6 +5694,14 @@ var SshTransportPacketFramer = class {
     const packets = [];
     while (this.pending.length >= 4) {
       const packetLength = this.pending.readUInt32BE(0);
+      if (packetLength > MAX_SSH_PACKET_LENGTH) {
+        throw new ParseError({
+          details: { maxPacketLength: MAX_SSH_PACKET_LENGTH, packetLength },
+          message: "SSH transport packet length exceeds the maximum accepted size",
+          protocol: "sftp",
+          retryable: false
+        });
+      }
       const frameLength = 4 + packetLength;
       if (this.pending.length < frameLength) {
         break;
@@ -5964,14 +6179,35 @@ var SshTransportHandshake = class {
     return { outbound };
   }
 };
+var MAX_IDENTIFICATION_LINE_BYTES = 8192;
+var MAX_PRE_IDENTIFICATION_LINES = 1024;
 var SshIdentificationAccumulator = class {
   pending = Buffer15.alloc(0);
+  bannerLineCount = 0;
   push(chunk) {
     this.pending = Buffer15.concat([this.pending, Buffer15.from(chunk)]);
     const bannerLines = [];
     while (true) {
       const lfIndex = this.pending.indexOf(10);
-      if (lfIndex < 0) break;
+      if (lfIndex < 0) {
+        if (this.pending.length > MAX_IDENTIFICATION_LINE_BYTES) {
+          throw new ProtocolError({
+            details: { limitBytes: MAX_IDENTIFICATION_LINE_BYTES },
+            message: "SSH identification line exceeds the maximum accepted length",
+            protocol: "sftp",
+            retryable: false
+          });
+        }
+        break;
+      }
+      if (lfIndex > MAX_IDENTIFICATION_LINE_BYTES) {
+        throw new ProtocolError({
+          details: { limitBytes: MAX_IDENTIFICATION_LINE_BYTES },
+          message: "SSH identification line exceeds the maximum accepted length",
+          protocol: "sftp",
+          retryable: false
+        });
+      }
       const lineText = trimLineEndings(this.pending.subarray(0, lfIndex + 1).toString("ascii"));
       const remainder = Buffer15.from(this.pending.subarray(lfIndex + 1));
       this.pending = remainder;
@@ -5979,6 +6215,15 @@ var SshIdentificationAccumulator = class {
         this.pending = Buffer15.alloc(0);
         return { bannerLines, identLine: lineText, remainder };
       }
+      this.bannerLineCount += 1;
+      if (this.bannerLineCount > MAX_PRE_IDENTIFICATION_LINES) {
+        throw new ProtocolError({
+          details: { limitLines: MAX_PRE_IDENTIFICATION_LINES },
+          message: "SSH server sent too many pre-identification banner lines",
+          protocol: "sftp",
+          retryable: false
+        });
+      }
       bannerLines.push(lineText);
     }
     return { bannerLines, remainder: Buffer15.alloc(0) };
@@ -6116,6 +6361,14 @@ var SshTransportPacketUnprotector = class {
         this.framePendingRaw = Buffer16.from(this.framePendingRaw.subarray(this.blockLength));
         this.framePartialDecrypted = this.decipher ? Buffer16.from(this.decipher.update(firstBlock)) : Buffer16.from(firstBlock);
         const packetLength = this.framePartialDecrypted.readUInt32BE(0);
+        if (packetLength > MAX_SSH_PACKET_LENGTH) {
+          throw new ProtocolError({
+            details: { maxPacketLength: MAX_SSH_PACKET_LENGTH, packetLength },
+            message: "SSH encrypted packet length exceeds the maximum accepted size",
+            protocol: "sftp",
+            retryable: false
+          });
+        }
         const remaining = 4 + packetLength - this.blockLength + this.macLength;
         if (remaining < 0) {
           throw new ProtocolError({
@@ -6739,6 +6992,7 @@ function decodeSftpAttributesFromReader(reader) {
 
 // src/protocols/sftp/v3/SftpPacket.ts
 import { Buffer as Buffer18 } from "buffer";
+var MAX_SFTP_PACKET_LENGTH = 256 * 1024;
 var SFTP_PACKET_TYPE = {
   ATTRS: 105,
   CLOSE: 4,
@@ -6798,6 +7052,13 @@ var SftpPacketFramer = class {
     const packets = [];
     while (this.pending.length >= 4) {
       const bodyLength = this.pending.readUInt32BE(0);
+      if (bodyLength > MAX_SFTP_PACKET_LENGTH) {
+        throw new ParseError({
+          details: { bodyLength, maxPacketLength: MAX_SFTP_PACKET_LENGTH },
+          message: "SFTP packet length exceeds the maximum accepted size",
+          retryable: false
+        });
+      }
       const frameLength = 4 + bodyLength;
       if (this.pending.length < frameLength) {
         break;
@@ -7399,7 +7660,7 @@ function buildNativeSftpCapabilities(maxConcurrency) {
 var NATIVE_SFTP_PROVIDER_CAPABILITIES = buildNativeSftpCapabilities(
   NATIVE_SFTP_DEFAULT_MAX_CONCURRENCY
 );
-function createNativeSftpProviderFactory(options = {}) {
+function createSftpProviderFactory(options = {}) {
   validateNativeSftpOptions(options);
   const capabilities = buildNativeSftpCapabilities(
     options.maxConcurrency ?? NATIVE_SFTP_DEFAULT_MAX_CONCURRENCY
@@ -8058,6 +8319,26 @@ function validateNativeSftpOptions(options) {
 
 // src/providers/web/httpInternals.ts
 import { Buffer as Buffer21 } from "buffer";
+function assertHttpsEnforced(input) {
+  if (input.enforceHttps && !input.secure) {
+    throw new ConfigurationError({
+      details: { provider: input.providerId },
+      message: `Provider "${input.providerId}" is configured with enforceHttps but its transport is cleartext http; set secure: true (or drop enforceHttps to explicitly accept cleartext)`,
+      retryable: false
+    });
+  }
+}
+var cleartextWarnedKeys = /* @__PURE__ */ new Set();
+function warnCleartextCredentials(input) {
+  if (!input.hasCredentials) return;
+  const key = `${input.providerId}:${input.host}`;
+  if (cleartextWarnedKeys.has(key)) return;
+  cleartextWarnedKeys.add(key);
+  process.emitWarning(
+    `Provider "${input.providerId}" is sending credentials to ${input.host} over cleartext http; use https or set enforceHttps to block this`,
+    { code: "ZERO_TRANSFER_CLEARTEXT_CREDENTIALS", type: "SecurityWarning" }
+  );
+}
 function buildBaseUrl(profile, options) {
   const protocol = options.secure ? "https:" : "http:";
   const portSegment = profile.port !== void 0 ? `:${profile.port}` : "";
@@ -8105,18 +8386,19 @@ async function dispatchRequest(options, url, init) {
       signal: controller.signal
     });
   } catch (error) {
+    const safeUrl = redactUrlForLogging(url);
     if (controller.signal.aborted && upstreamSignal?.aborted !== true) {
       throw new TimeoutError({
         cause: error,
-        details: { timeoutMs: options.timeoutMs, url: url.toString() },
-        message: `HTTP request to ${url.toString()} timed out after ${String(options.timeoutMs)}ms`,
+        details: { timeoutMs: options.timeoutMs, url: safeUrl },
+        message: `HTTP request to ${safeUrl} timed out after ${String(options.timeoutMs)}ms`,
         retryable: true
       });
     }
     throw new ConnectionError({
       cause: error,
-      details: { url: url.toString() },
-      message: `HTTP request to ${url.toString()} failed`,
+      details: { url: safeUrl },
+      message: `HTTP request to ${safeUrl} failed`,
       retryable: true
     });
   } finally {
@@ -8148,8 +8430,48 @@ function formatRangeHeader(offset, length) {
   const end = offset + length - 1;
   return `bytes=${String(offset)}-${String(end)}`;
 }
-function mapResponseError(response, path2) {
-  const details = { path: path2, status: response.status, statusText: response.statusText };
+var ERROR_BODY_EXCERPT_LIMIT = 2048;
+async function readErrorBodyExcerpt(response) {
+  try {
+    const text = await response.text();
+    if (text.length === 0) return void 0;
+    return text.length > ERROR_BODY_EXCERPT_LIMIT ? `${text.slice(0, ERROR_BODY_EXCERPT_LIMIT)}... [truncated]` : text;
+  } catch {
+    return void 0;
+  }
+}
+function parseRetryAfterMs(value, now = Date.now) {
+  if (value === null) return void 0;
+  const trimmed = value.trim();
+  if (trimmed.length === 0) return void 0;
+  if (/^\d+$/.test(trimmed)) {
+    const seconds = Number.parseInt(trimmed, 10);
+    return Number.isFinite(seconds) ? seconds * 1e3 : void 0;
+  }
+  if (!/[A-Za-z]/.test(trimmed)) return void 0;
+  const retryAt = Date.parse(trimmed);
+  if (Number.isNaN(retryAt)) return void 0;
+  return Math.max(0, retryAt - now());
+}
+async function mapResponseErrorWithBody(response, path2) {
+  return mapResponseError(response, path2, await readErrorBodyExcerpt(response));
+}
+function mapResponseError(response, path2, bodyExcerpt) {
+  const details = {
+    path: path2,
+    status: response.status,
+    statusText: response.statusText
+  };
+  if (bodyExcerpt !== void 0) details["body"] = bodyExcerpt;
+  if (response.status === 429 || response.status === 503) {
+    const retryAfterMs = parseRetryAfterMs(response.headers.get("retry-after"));
+    if (retryAfterMs !== void 0) details["retryAfterMs"] = retryAfterMs;
+    return new ConnectionError({
+      details,
+      message: response.status === 429 ? `HTTP request for ${path2} was rate limited (429)` : `HTTP service unavailable for ${path2} (503)`,
+      retryable: true
+    });
+  }
   if (response.status === 401) {
     return new AuthenticationError({
       details,
@@ -8181,14 +8503,54 @@ async function* webStreamToAsyncIterable(body) {
   const reader = body.getReader();
   try {
     while (true) {
-      const { done, value } = await reader.read();
-      if (done) break;
-      if (value !== void 0) yield value;
+      let result;
+      try {
+        result = await reader.read();
+      } catch (error) {
+        if (error instanceof ZeroTransferError) throw error;
+        throw new ConnectionError({
+          cause: error,
+          message: "HTTP response stream was interrupted before completion",
+          retryable: true
+        });
+      }
+      if (result.done) break;
+      if (result.value !== void 0) yield result.value;
     }
   } finally {
     reader.releaseLock();
   }
 }
+function asyncIterableToReadableStream(source, onChunk) {
+  const iterator = source[Symbol.asyncIterator]();
+  return new ReadableStream({
+    async pull(controller) {
+      try {
+        const next = await iterator.next();
+        if (next.done === true) {
+          controller.close();
+          return;
+        }
+        const chunk = next.value;
+        if (chunk.byteLength === 0) {
+          return;
+        }
+        controller.enqueue(chunk);
+        onChunk(chunk);
+      } catch (error) {
+        controller.error(error);
+      }
+    },
+    async cancel(reason) {
+      if (typeof iterator.return === "function") {
+        try {
+          await iterator.return(reason);
+        } catch {
+        }
+      }
+    }
+  });
+}
 function secretToString2(value) {
   if (typeof value === "string") return value;
   if (value instanceof Uint8Array || Buffer21.isBuffer(value)) {
@@ -11797,6 +12159,7 @@ function createHttpProviderFactory(options = {}) {
   const secure = options.secure ?? id === "https";
   const basePath = options.basePath ?? "";
   const fetchImpl = options.fetch ?? globalThis.fetch;
+  assertHttpsEnforced({ enforceHttps: options.enforceHttps ?? false, providerId: id, secure });
   if (typeof fetchImpl !== "function") {
     throw new ConfigurationError({
       message: "Global fetch is unavailable; supply HttpProviderOptions.fetch explicitly",
@@ -11846,6 +12209,13 @@ var HttpProvider = class {
   id;
   capabilities;
   async connect(profile) {
+    if (!this.internals.secure) {
+      warnCleartextCredentials({
+        hasCredentials: profile.username !== void 0 || profile.password !== void 0,
+        host: profile.host,
+        providerId: this.internals.id
+      });
+    }
     const headers = { ...this.internals.defaultHeaders };
     if (profile.username !== void 0) {
       const username = await resolveSecret(profile.username);
@@ -11904,7 +12274,7 @@ var HttpFileSystem = class {
       method: "HEAD"
     });
     if (!response.ok) {
-      throw mapResponseError(response, normalized);
+      throw await mapResponseErrorWithBody(response, normalized);
     }
     return responseToStat(response, normalized);
   }
@@ -11929,12 +12299,12 @@ var HttpTransferOperations = class {
     if (request.signal !== void 0) requestInit.signal = request.signal;
     const response = await dispatchRequest(this.options, url, requestInit);
     if (!response.ok && response.status !== 206) {
-      throw mapResponseError(response, normalized);
+      throw await mapResponseErrorWithBody(response, normalized);
     }
     const body = response.body;
     if (body === null) {
       throw new ConnectionError({
-        message: `HTTP response had no body for ${url.toString()}`,
+        message: `HTTP response had no body for ${redactUrlForLogging(url)}`,
         retryable: true
       });
     }
@@ -11992,7 +12362,8 @@ function createWebDavProviderFactory(options = {}) {
   const secure = options.secure ?? false;
   const basePath = options.basePath ?? "";
   const fetchImpl = options.fetch ?? globalThis.fetch;
-  const uploadStreaming = options.uploadStreaming ?? "when-known-size";
+  const uploadStreaming = options.uploadStreaming ?? "always";
+  assertHttpsEnforced({ enforceHttps: options.enforceHttps ?? false, providerId: id, secure });
   if (typeof fetchImpl !== "function") {
     throw new ConfigurationError({
       message: "Global fetch is unavailable; supply WebDavProviderOptions.fetch explicitly",
@@ -12044,6 +12415,13 @@ var WebDavProvider = class {
   id;
   capabilities;
   async connect(profile) {
+    if (!this.internals.secure) {
+      warnCleartextCredentials({
+        hasCredentials: profile.username !== void 0 || profile.password !== void 0,
+        host: profile.host,
+        providerId: this.internals.id
+      });
+    }
     const headers = { ...this.internals.defaultHeaders };
     if (profile.username !== void 0) {
       const username = await resolveSecret(profile.username);
@@ -12098,7 +12476,7 @@ var WebDavFileSystem = class {
       method: "PROPFIND"
     });
     if (!response.ok && response.status !== 207) {
-      throw mapResponseError(response, normalized);
+      throw await mapResponseErrorWithBody(response, normalized);
     }
     const body = await response.text();
     const entries = parsePropfindResponses(body, this.options.baseUrl);
@@ -12112,7 +12490,7 @@ var WebDavFileSystem = class {
       method: "PROPFIND"
     });
     if (!response.ok && response.status !== 207) {
-      throw mapResponseError(response, normalized);
+      throw await mapResponseErrorWithBody(response, normalized);
     }
     const body = await response.text();
     const entries = parsePropfindResponses(body, this.options.baseUrl);
@@ -12157,12 +12535,12 @@ var WebDavTransferOperations = class {
     if (request.signal !== void 0) init.signal = request.signal;
     const response = await dispatchRequest(this.options, url, init);
     if (!response.ok && response.status !== 206) {
-      throw mapResponseError(response, normalized);
+      throw await mapResponseErrorWithBody(response, normalized);
     }
     const body = response.body;
     if (body === null) {
       throw new ConnectionError({
-        message: `WebDAV response had no body for ${url.toString()}`,
+        message: `WebDAV response had no body for ${redactUrlForLogging(url)}`,
         retryable: true
       });
     }
@@ -12206,7 +12584,7 @@ var WebDavTransferOperations = class {
       if (request.signal !== void 0) init2.signal = request.signal;
       const response2 = await dispatchRequest(this.options, url, init2);
       if (!response2.ok) {
-        throw mapResponseError(response2, normalized);
+        throw await mapResponseErrorWithBody(response2, normalized);
       }
       request.reportProgress(buffered.byteLength, buffered.byteLength);
       const result2 = {
@@ -12242,7 +12620,7 @@ var WebDavTransferOperations = class {
     if (request.signal !== void 0) init.signal = request.signal;
     const response = await dispatchRequest(this.options, url, init);
     if (!response.ok) {
-      throw mapResponseError(response, normalized);
+      throw await mapResponseErrorWithBody(response, normalized);
     }
     const result = {
       bytesTransferred,
@@ -12268,36 +12646,6 @@ async function collectChunks6(source) {
   }
   return out;
 }
-function asyncIterableToReadableStream(source, onChunk) {
-  const iterator = source[Symbol.asyncIterator]();
-  return new ReadableStream({
-    async pull(controller) {
-      try {
-        const next = await iterator.next();
-        if (next.done === true) {
-          controller.close();
-          return;
-        }
-        const chunk = next.value;
-        if (chunk.byteLength === 0) {
-          return;
-        }
-        controller.enqueue(chunk);
-        onChunk(chunk);
-      } catch (error) {
-        controller.error(error);
-      }
-    },
-    async cancel(reason) {
-      if (typeof iterator.return === "function") {
-        try {
-          await iterator.return(reason);
-        } catch {
-        }
-      }
-    }
-  });
-}
 function parsePropfindResponses(xml, baseUrl) {
   const entries = [];
   const responseRegex = /<(?:[a-zA-Z0-9-]+:)?response\b[^>]*>([\s\S]*?)<\/(?:[a-zA-Z0-9-]+:)?response>/gi;
@@ -12390,11 +12738,12 @@ import { join as joinPath4 } from "path";
 
 // src/providers/web/awsSigv4.ts
 import { createHash as createHash4, createHmac as createHmac3 } from "crypto";
+var UNSIGNED_PAYLOAD = "UNSIGNED-PAYLOAD";
 function signSigV4(input) {
   const now = input.now ?? /* @__PURE__ */ new Date();
   const amzDate = formatAmzDate(now);
   const dateStamp = amzDate.slice(0, 8);
-  const payloadHash = input.body !== void 0 ? sha256Hex(input.body) : sha256Hex(new Uint8Array());
+  const payloadHash = input.unsignedPayload === true ? UNSIGNED_PAYLOAD : input.body !== void 0 ? sha256Hex(input.body) : sha256Hex(new Uint8Array());
   input.headers["host"] = input.url.host;
   input.headers["x-amz-date"] = amzDate;
   input.headers["x-amz-content-sha256"] = payloadHash;
@@ -12675,7 +13024,7 @@ var S3FileSystem = class {
     url.searchParams.set("delimiter", "/");
     if (prefix.length > 0) url.searchParams.set("prefix", prefix);
     const response = await s3Fetch(this.options, "GET", url);
-    if (!response.ok) throw mapResponseError(response, normalized);
+    if (!response.ok) throw await mapResponseErrorWithBody(response, normalized);
     const body = await response.text();
     return parseListObjectsV2(body, prefix);
   }
@@ -12683,7 +13032,7 @@ var S3FileSystem = class {
     const normalized = normalizeRemotePath(path2);
     const url = buildObjectUrl(this.options, normalized);
     const response = await s3Fetch(this.options, "HEAD", url);
-    if (!response.ok) throw mapResponseError(response, normalized);
+    if (!response.ok) throw await mapResponseErrorWithBody(response, normalized);
     const stat = {
       exists: true,
       name: basenameRemotePath(normalized),
@@ -12723,12 +13072,12 @@ var S3TransferOperations = class {
       extraHeaders: headers
     });
     if (!response.ok && response.status !== 206) {
-      throw mapResponseError(response, normalized);
+      throw await mapResponseErrorWithBody(response, normalized);
     }
     const body = response.body;
     if (body === null) {
       throw new ConnectionError({
-        message: `S3 response had no body for ${url.toString()}`,
+        message: `S3 response had no body for ${redactUrlForLogging(url)}`,
         retryable: true
       });
     }
@@ -12764,19 +13113,33 @@ var S3TransferOperations = class {
     }
     return this.writeSingleShot(request, normalized);
   }
+  /**
+   * Single PUT upload used when multipart is disabled. Streams the body with
+   * a declared `Content-Length` (signed as `UNSIGNED-PAYLOAD`) when the
+   * caller knows the total size; S3 requires a length up front, so only
+   * unknown-size payloads fall back to buffering the content in memory.
+   */
   async writeSingleShot(request, normalized) {
     const url = buildObjectUrl(this.options, normalized);
-    const buffered = await collectChunks7(request.content);
+    const totalBytes = request.totalBytes;
+    if (typeof totalBytes !== "number" || totalBytes < 0) {
+      const buffered = await collectChunks7(request.content);
+      return this.singleShotFromBuffer(request, normalized, buffered);
+    }
+    let bytesTransferred = 0;
+    const stream = asyncIterableToReadableStream(request.content, (chunk) => {
+      bytesTransferred += chunk.byteLength;
+      request.reportProgress(bytesTransferred, totalBytes);
+    });
     const response = await s3Fetch(this.options, "PUT", url, {
       ...request.signal !== void 0 ? { signal: request.signal } : {},
-      body: buffered,
-      extraHeaders: { "content-type": "application/octet-stream" }
+      extraHeaders: { "content-type": "application/octet-stream" },
+      streamBody: { content: stream, contentLength: totalBytes }
     });
-    if (!response.ok) throw mapResponseError(response, normalized);
-    request.reportProgress(buffered.byteLength, buffered.byteLength);
+    if (!response.ok) throw await mapResponseErrorWithBody(response, normalized);
     const result = {
-      bytesTransferred: buffered.byteLength,
-      totalBytes: buffered.byteLength
+      bytesTransferred,
+      totalBytes
     };
     const etag = response.headers.get("etag");
     if (etag !== null) result.checksum = etag;
@@ -12840,7 +13203,7 @@ var S3TransferOperations = class {
         ...request.signal !== void 0 ? { signal: request.signal } : {},
         extraHeaders: { "content-type": "application/octet-stream" }
       });
-      if (!initiateResponse.ok) throw mapResponseError(initiateResponse, normalized);
+      if (!initiateResponse.ok) throw await mapResponseErrorWithBody(initiateResponse, normalized);
       const initiateBody = await initiateResponse.text();
       const initiated = innerText(initiateBody, "UploadId");
       if (initiated === void 0 || initiated === "") {
@@ -12879,7 +13242,7 @@ var S3TransferOperations = class {
           body: partBytes.bytes
         });
         if (!partResponse.ok) {
-          throw mapResponseError(partResponse, normalized);
+          throw await mapResponseErrorWithBody(partResponse, normalized);
         }
         const partEtag = partResponse.headers.get("etag");
         if (partEtag === null) {
@@ -12935,7 +13298,7 @@ var S3TransferOperations = class {
       if (resumeStore === void 0) {
         await abortMultipart(this.options, objectUrl, uploadId).catch(() => void 0);
       }
-      throw mapResponseError(completeResponse, normalized);
+      throw await mapResponseErrorWithBody(completeResponse, normalized);
     }
     if (resumeStore !== void 0) await resumeStore.clear(resumeKey);
     const completeBody = await completeResponse.text();
@@ -12954,7 +13317,7 @@ var S3TransferOperations = class {
       body: buffered,
       extraHeaders: { "content-type": "application/octet-stream" }
     });
-    if (!response.ok) throw mapResponseError(response, normalized);
+    if (!response.ok) throw await mapResponseErrorWithBody(response, normalized);
     request.reportProgress(buffered.byteLength, buffered.byteLength);
     const result = {
       bytesTransferred: buffered.byteLength,
@@ -12972,6 +13335,8 @@ async function s3Fetch(options, method, url, fetchOptions = {}) {
   };
   if (fetchOptions.body !== void 0) {
     headers["content-length"] = String(fetchOptions.body.byteLength);
+  } else if (fetchOptions.streamBody !== void 0) {
+    headers["content-length"] = String(fetchOptions.streamBody.contentLength);
   }
   signSigV4({
     accessKeyId: options.accessKeyId,
@@ -12982,10 +13347,16 @@ async function s3Fetch(options, method, url, fetchOptions = {}) {
     service: options.service,
     url,
     ...fetchOptions.body !== void 0 ? { body: fetchOptions.body } : {},
+    ...fetchOptions.streamBody !== void 0 ? { unsignedPayload: true } : {},
     ...options.sessionToken !== void 0 ? { sessionToken: options.sessionToken } : {}
   });
   const init = { headers, method };
-  if (fetchOptions.body !== void 0) init.body = fetchOptions.body;
+  if (fetchOptions.body !== void 0) {
+    init.body = fetchOptions.body;
+  } else if (fetchOptions.streamBody !== void 0) {
+    init.body = fetchOptions.streamBody.content;
+    init.duplex = "half";
+  }
   if (fetchOptions.signal !== void 0) init.signal = fetchOptions.signal;
   const controller = new AbortController();
   const upstreamSignal = init.signal ?? null;
@@ -13003,10 +13374,11 @@ async function s3Fetch(options, method, url, fetchOptions = {}) {
   try {
     return await options.fetch(url.toString(), { ...init, signal: controller.signal });
   } catch (error) {
+    const safeUrl = redactUrlForLogging(url);
     throw new ConnectionError({
       cause: error,
-      details: { url: url.toString() },
-      message: `S3 request to ${url.toString()} failed`,
+      details: { url: safeUrl },
+      message: `S3 request to ${safeUrl} failed`,
       retryable: true
     });
   } finally {
@@ -13173,7 +13545,7 @@ function getBuiltinCapabilityMatrix() {
       label: "FTPS"
     },
     {
-      capabilities: createNativeSftpProviderFactory().capabilities,
+      capabilities: createSftpProviderFactory().capabilities,
       id: "sftp",
       label: "SFTP"
     },
@@ -13474,7 +13846,6 @@ function expandAlgorithms(values) {
 }
 
 // src/profiles/importers/FileZillaImporter.ts
-import { Buffer as Buffer26 } from "buffer";
 function importFileZillaSites(xml) {
   const events = tokenizeXml(xml);
   if (events.length === 0) {
@@ -13490,7 +13861,6 @@ function importFileZillaSites(xml) {
   const folderNamePending = [];
   let inServer = false;
   let serverFields = {};
-  let serverPasswordEncoding;
   let activeTag;
   let captureFolderName = false;
   for (const event of events) {
@@ -13503,13 +13873,9 @@ function importFileZillaSites(xml) {
       if (event.name === "Server") {
         inServer = true;
         serverFields = {};
-        serverPasswordEncoding = void 0;
         continue;
       }
       activeTag = event.name;
-      if (event.name === "Pass" && inServer) {
-        serverPasswordEncoding = event.attributes["encoding"];
-      }
       if (event.name === "Name" && !inServer && folderNamePending.length > 0) {
         captureFolderName = true;
       }
@@ -13535,7 +13901,7 @@ function importFileZillaSites(xml) {
       }
       if (event.name === "Server") {
         const folder = folderStack.filter((segment) => segment !== "");
-        const result = buildSiteFromFields(serverFields, serverPasswordEncoding);
+        const result = buildSiteFromFields(serverFields);
         if (result.kind === "site") {
           sites.push({ ...result.site, folder });
         } else {
@@ -13547,7 +13913,6 @@ function importFileZillaSites(xml) {
         }
         inServer = false;
         serverFields = {};
-        serverPasswordEncoding = void 0;
         activeTag = void 0;
         continue;
       }
@@ -13556,7 +13921,7 @@ function importFileZillaSites(xml) {
   }
   return { sites, skipped };
 }
-function buildSiteFromFields(fields, passwordEncoding) {
+function buildSiteFromFields(fields) {
   const name = (fields["Name"] ?? fields["Host"] ?? "Untitled").trim();
   const host = (fields["Host"] ?? "").trim();
   if (host === "") return { kind: "skipped", name };
@@ -13575,18 +13940,9 @@ function buildSiteFromFields(fields, passwordEncoding) {
   }
   const user = fields["User"]?.trim();
   if (user !== void 0 && user !== "") profile.username = { value: user };
-  let password;
   const rawPass = fields["Pass"];
-  if (rawPass !== void 0 && rawPass !== "") {
-    if (passwordEncoding === "base64") {
-      password = Buffer26.from(rawPass, "base64").toString("utf8");
-    } else {
-      password = rawPass;
-    }
-    if (password !== void 0 && password !== "") profile.password = { value: password };
-  }
-  const site = { name, profile };
-  if (password !== void 0) site.password = password;
+  const hasStoredPassword = rawPass !== void 0 && rawPass !== "";
+  const site = { hasStoredPassword, name, profile };
   const logonText = fields["Logontype"];
   if (logonText !== void 0) {
     const logonType = Number.parseInt(logonText.trim(), 10);
@@ -13907,6 +14263,62 @@ function openTcpSocket(host, port, timeoutMs) {
   });
 }
 
+// src/transfers/createDefaultRetryPolicy.ts
+var DEFAULT_MAX_ATTEMPTS = 4;
+var DEFAULT_BASE_DELAY_MS = 250;
+var DEFAULT_MAX_DELAY_MS = 3e4;
+var DEFAULT_MAX_ELAPSED_MS = 3e5;
+function createDefaultRetryPolicy(options = {}) {
+  const maxAttempts = normalizePositiveInteger(options.maxAttempts, DEFAULT_MAX_ATTEMPTS);
+  const baseDelayMs = normalizeNonNegative(options.baseDelayMs, DEFAULT_BASE_DELAY_MS);
+  const maxDelayMs = normalizeNonNegative(options.maxDelayMs, DEFAULT_MAX_DELAY_MS);
+  const maxElapsedMs = normalizeNonNegative(options.maxElapsedMs, DEFAULT_MAX_ELAPSED_MS);
+  const random = options.random ?? Math.random;
+  return {
+    getDelayMs(input) {
+      const retryAfterMs = readRetryAfterMs(input.error);
+      if (retryAfterMs !== void 0) {
+        return retryAfterMs;
+      }
+      const exponentialMs = baseDelayMs * 2 ** (input.attempt - 1);
+      const cappedMs = Math.min(maxDelayMs, exponentialMs);
+      return Math.floor(random() * cappedMs);
+    },
+    maxAttempts,
+    shouldRetry(input) {
+      if (!(input.error instanceof ZeroTransferError) || !input.error.retryable) {
+        return false;
+      }
+      if (input.elapsedMs >= maxElapsedMs) {
+        return false;
+      }
+      const retryAfterMs = readRetryAfterMs(input.error);
+      if (retryAfterMs !== void 0 && input.elapsedMs + retryAfterMs > maxElapsedMs) {
+        return false;
+      }
+      return true;
+    }
+  };
+}
+function readRetryAfterMs(error) {
+  if (!(error instanceof ZeroTransferError)) return void 0;
+  const value = error.details?.["retryAfterMs"];
+  if (typeof value !== "number" || !Number.isFinite(value) || value < 0) return void 0;
+  return Math.floor(value);
+}
+function normalizePositiveInteger(value, fallback) {
+  if (value === void 0 || !Number.isFinite(value) || value < 1) {
+    return fallback;
+  }
+  return Math.floor(value);
+}
+function normalizeNonNegative(value, fallback) {
+  if (value === void 0 || !Number.isFinite(value) || value < 0) {
+    return fallback;
+  }
+  return Math.floor(value);
+}
+
 // src/transfers/TransferPlan.ts
 function createTransferPlan(input) {
   const plan = {
@@ -14004,8 +14416,8 @@ var TransferQueue = class {
     this.concurrency = normalizeConcurrency(options.concurrency);
     this.defaultExecutor = options.executor;
     this.resolveExecutor = options.resolveExecutor;
-    this.retry = options.retry;
-    this.timeout = options.timeout;
+    this.retry = options.retry ?? options.client?.defaults?.retry;
+    this.timeout = options.timeout ?? options.client?.defaults?.timeout;
     this.bandwidthLimit = options.bandwidthLimit;
     this.onProgress = options.onProgress;
     this.onReceipt = options.onReceipt;
@@ -15405,6 +15817,7 @@ async function dispatchWebhook(options) {
   return { attempts: attempt, delivered: false, status: lastStatus };
 }
 function createWebhookAuditLog(options) {
+  validateTarget(options.target);
   return {
     list: () => Promise.resolve([]),
     record: async (entry) => {
@@ -15427,6 +15840,24 @@ function validateTarget(target) {
       retryable: false
     });
   }
+  let parsed;
+  try {
+    parsed = new URL(target.url);
+  } catch (error) {
+    throw new ConfigurationError({
+      cause: error,
+      details: { url: target.url },
+      message: "Webhook target url must be an absolute URL",
+      retryable: false
+    });
+  }
+  if (parsed.protocol === "https:") return;
+  if (parsed.protocol === "http:" && target.allowInsecureUrl === true) return;
+  throw new ConfigurationError({
+    details: { protocol: parsed.protocol, url: target.url },
+    message: parsed.protocol === "http:" ? "Webhook target url must use https; set allowInsecureUrl: true to permit cleartext http delivery" : `Webhook target url must use https, got "${parsed.protocol}"`,
+    retryable: false
+  });
 }
 function normalizeRetry(retry) {
   return {
@@ -15463,6 +15894,26 @@ var ApprovalRejectedError = class _ApprovalRejectedError extends ZeroTransferErr
   }
   request;
 };
+var ApprovalTimeoutError = class _ApprovalTimeoutError extends ZeroTransferError {
+  /**
+   * Creates an approval timeout error.
+   *
+   * @param request - The approval request that timed out while pending.
+   * @param timeoutMs - Configured timeout window in milliseconds.
+   */
+  constructor(request, timeoutMs) {
+    super({
+      code: "approval_timeout",
+      details: { approvalId: request.id, routeId: request.routeId, timeoutMs },
+      message: `Approval "${request.id}" for route "${request.routeId}" timed out after ${String(timeoutMs)}ms`,
+      retryable: false
+    });
+    this.request = request;
+    Object.setPrototypeOf(this, _ApprovalTimeoutError.prototype);
+    this.name = "ApprovalTimeoutError";
+  }
+  request;
+};
 var ApprovalRegistry = class {
   requests = /* @__PURE__ */ new Map();
   pending = /* @__PURE__ */ new Map();
@@ -15588,9 +16039,27 @@ function createApprovalGate(options) {
     };
     if (input.signal.aborted) onAbort();
     input.signal.addEventListener("abort", onAbort);
+    let timeoutTimer;
+    const timeoutMs = options.timeoutMs;
+    const pendingPromises = [settled];
+    if (timeoutMs !== void 0) {
+      pendingPromises.push(
+        new Promise((_resolve, reject) => {
+          timeoutTimer = setTimeout(() => {
+            const current = options.registry.get(approvalId) ?? request;
+            reject(new ApprovalTimeoutError(current, timeoutMs));
+            if (current.status === "pending") {
+              settled.catch(() => void 0);
+              options.registry.reject(approvalId, { reason: "timeout" }, now());
+            }
+          }, timeoutMs);
+        })
+      );
+    }
     try {
-      await settled;
+      await Promise.race(pendingPromises);
     } finally {
+      if (timeoutTimer !== void 0) clearTimeout(timeoutTimer);
       input.signal.removeEventListener("abort", onAbort);
     }
     return options.runner(input);
@@ -15962,6 +16431,7 @@ export {
   AbortError,
   ApprovalRegistry,
   ApprovalRejectedError,
+  ApprovalTimeoutError,
   AuthenticationError,
   AuthorizationError,
   CLASSIC_PROVIDER_IDS,
@@ -16011,6 +16481,7 @@ export {
   createAtomicDeployPlan,
   createAzureBlobProviderFactory,
   createBandwidthThrottle,
+  createDefaultRetryPolicy,
   createDropboxProviderFactory,
   createFileSystemS3MultipartResumeStore,
   createFtpProviderFactory,
@@ -16023,7 +16494,6 @@ export {
   createLocalProviderFactory,
   createMemoryProviderFactory,
   createMemoryS3MultipartResumeStore,
-  createNativeSftpProviderFactory,
   createOAuthTokenSecretSource,
   createOneDriveProviderFactory,
   createOutboxRoute,
@@ -16033,7 +16503,7 @@ export {
   createRemoteBrowser,
   createRemoteManifest,
   createS3ProviderFactory,
-  createNativeSftpProviderFactory as createSftpProviderFactory,
+  createSftpProviderFactory,
   createSyncPlan,
   createTransferClient,
   createTransferJobsFromPlan,
@@ -16081,8 +16551,10 @@ export {
   parseUnixListLine,
   redactCommand,
   redactConnectionProfile,
+  redactErrorForLogging,
   redactObject,
   redactSecretSource,
+  redactUrlForLogging,
   redactValue,
   resolveConnectionProfileSecrets,
   resolveOpenSshHost,