npm - @zero-transfer/sftp - Versions diffs - 0.4.6 → 0.4.8 - Mend

@zero-transfer/sftp 0.4.6 → 0.4.8

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (8) hide show

package/dist/index.mjs CHANGED Viewed

@@ -1,6 +1,68 @@
 // src/client/ZeroTransfer.ts
 import { EventEmitter } from "events";
+// src/logging/redaction.ts
+var REDACTED = "[REDACTED]";
+var SENSITIVE_KEY_PATTERN = /(?:password|passphrase|privatekey|token|secret|username|user)$/i;
+var SECRET_COMMAND_PATTERN = /^(PASS|USER|ACCT)\s+(.+)$/i;
+var URL_KEY_PATTERN = /(?:url|uri|href)$/i;
+function isSensitiveKey(key) {
+  return SENSITIVE_KEY_PATTERN.test(key.replace(/[_-]/g, ""));
+}
+function redactCommand(command) {
+  return command.replace(SECRET_COMMAND_PATTERN, (_fullMatch, commandName) => {
+    return `${commandName.toUpperCase()} ${REDACTED}`;
+  });
+}
+function redactValue(value) {
+  if (typeof value === "string") {
+    return redactCommand(value);
+  }
+  if (Array.isArray(value)) {
+    return value.map((item) => redactValue(item));
+  }
+  if (value !== null && typeof value === "object") {
+    return redactObject(value);
+  }
+  return value;
+}
+function redactObject(input) {
+  return Object.fromEntries(
+    Object.entries(input).map(([key, value]) => {
+      if (isSensitiveKey(key)) {
+        return [key, REDACTED];
+      }
+      if (URL_KEY_PATTERN.test(key) && typeof value === "string") {
+        return [key, redactUrlForLogging(value)];
+      }
+      return [key, redactValue(value)];
+    })
+  );
+}
+function redactUrlForLogging(url) {
+  let parsed;
+  try {
+    parsed = typeof url === "string" ? new URL(url) : url;
+  } catch {
+    return REDACTED;
+  }
+  const origin = parsed.host.length > 0 ? `${parsed.protocol}//${parsed.host}` : parsed.protocol;
+  const query = parsed.search.length > 0 ? `?${REDACTED}` : "";
+  return `${origin}${parsed.pathname}${query}`;
+}
+function redactErrorForLogging(error) {
+  if (error !== null && typeof error === "object") {
+    const candidate = error;
+    if (typeof candidate.toJSON === "function") {
+      return redactObject(candidate.toJSON());
+    }
+  }
+  if (error instanceof Error) {
+    return redactObject({ message: error.message, name: error.name });
+  }
+  return { message: redactValue(typeof error === "string" ? error : String(error)) };
+}
 // src/errors/ZeroTransferError.ts
 var ZeroTransferError = class extends Error {
   /** Stable machine-readable error code. */
@@ -42,6 +104,11 @@ var ZeroTransferError = class extends Error {
   /**
    * Serializes the error into a plain object suitable for logs or API responses.
    *
+   * `details` and `command` are passed through secret redaction so serialized
+   * errors never leak credentials, signed URLs, or raw protocol commands. The
+   * live {@link ZeroTransferError.details | details} property stays unredacted
+   * for programmatic consumers.
+   *
    * @returns A JSON-safe object containing public structured error fields.
    */
   toJSON() {
@@ -51,12 +118,12 @@ var ZeroTransferError = class extends Error {
       message: this.message,
       protocol: this.protocol,
       host: this.host,
-      command: this.command,
+      command: this.command === void 0 ? void 0 : redactCommand(this.command),
       ftpCode: this.ftpCode,
       sftpCode: this.sftpCode,
       path: this.path,
       retryable: this.retryable,
-      details: this.details
+      details: this.details === void 0 ? void 0 : redactObject(this.details)
     };
   }
 };
@@ -579,15 +646,20 @@ var ProviderRegistry = class {
 var TransferClient = class {
   /** Provider registry used by this client. */
   registry;
+  /** Execution defaults applied when call sites omit their own values. */
+  defaults;
   logger;
   /**
    * Creates a transfer client without opening any provider connections.
    *
-   * @param options - Optional registry, provider factories, and logger.
+   * @param options - Optional registry, provider factories, logger, and execution defaults.
    */
   constructor(options = {}) {
     this.registry = options.registry ?? new ProviderRegistry();
     this.logger = options.logger ?? noopLogger;
+    if (options.defaults !== void 0) {
+      this.defaults = { ...options.defaults };
+    }
     for (const provider of options.providers ?? []) {
       this.registry.register(provider);
     }
@@ -1160,18 +1232,25 @@ var TransferEngine = class {
       for (let attemptNumber = 1; attemptNumber <= maxAttempts; attemptNumber += 1) {
         this.throwIfAborted(abortScope.signal, job);
         const attemptStartedAt = this.now();
+        const attemptScope = createAttemptScope(
+          abortScope.signal,
+          options.timeout,
+          job,
+          attemptNumber
+        );
         const context = this.createExecutionContext(
           job,
           attemptNumber,
           attemptStartedAt,
           options,
-          abortScope.signal,
+          attemptScope.signal,
           (bytesTransferred) => {
             latestBytesTransferred = bytesTransferred;
-          }
+          },
+          attemptScope.notifyProgress
         );
         try {
-          const result = await runExecutor(executor, context, abortScope.signal, job);
+          const result = await runExecutor(executor, context, attemptScope.signal, job);
           context.throwIfAborted();
           latestBytesTransferred = result.bytesTransferred;
           const completedAt = this.now();
@@ -1189,16 +1268,27 @@ var TransferEngine = class {
             summarizeError(error)
           );
           attempts.push(attempt);
-          if (error instanceof AbortError || error instanceof TimeoutError) {
+          if (error instanceof AbortError || abortScope.signal?.aborted === true) {
             throw error;
           }
-          const retryInput = { attempt: attemptNumber, error, job };
+          const retryInput = {
+            attempt: attemptNumber,
+            elapsedMs: Math.max(0, completedAt.getTime() - startedAt.getTime()),
+            error,
+            job
+          };
           const shouldRetry = attemptNumber < maxAttempts && (options.retry?.shouldRetry?.(retryInput) ?? isRetryable(error));
           if (shouldRetry) {
             options.retry?.onRetry?.(retryInput);
+            const delayMs = normalizeDelayMs(options.retry?.getDelayMs?.(retryInput));
+            if (delayMs > 0) {
+              await sleepWithAbort(delayMs, abortScope.signal, job);
+            }
             continue;
           }
           throw createTransferFailure(job, error, attempts);
+        } finally {
+          attemptScope.dispose();
         }
       }
       throw createTransferFailure(job, void 0, attempts);
@@ -1206,12 +1296,13 @@ var TransferEngine = class {
       abortScope.dispose();
     }
   }
-  createExecutionContext(job, attempt, startedAt, options, signal, updateBytesTransferred) {
+  createExecutionContext(job, attempt, startedAt, options, signal, updateBytesTransferred, notifyProgress) {
     const context = {
       attempt,
       job,
       reportProgress: (bytesTransferred, totalBytes) => {
         this.throwIfAborted(signal, job);
+        notifyProgress();
         updateBytesTransferred(bytesTransferred);
         const progressInput = {
           bytesTransferred,
@@ -1280,6 +1371,96 @@ function createAbortScope(parentSignal, timeout, job) {
     signal: controller.signal
   };
 }
+function createAttemptScope(parentSignal, timeout, job, attempt) {
+  const attemptTimeoutMs = normalizeTimeoutMs(timeout?.attemptTimeoutMs);
+  const stallTimeoutMs = normalizeTimeoutMs(timeout?.stallTimeoutMs);
+  if (attemptTimeoutMs === void 0 && stallTimeoutMs === void 0) {
+    const scope = {
+      dispose: () => void 0,
+      notifyProgress: () => void 0
+    };
+    if (parentSignal !== void 0) scope.signal = parentSignal;
+    return scope;
+  }
+  const controller = new AbortController();
+  const retryable = timeout?.retryable ?? true;
+  const abortFromParent = () => controller.abort(parentSignal?.reason);
+  if (parentSignal?.aborted === true) {
+    abortFromParent();
+  } else {
+    parentSignal?.addEventListener("abort", abortFromParent, { once: true });
+  }
+  const attemptTimer = attemptTimeoutMs === void 0 ? void 0 : setTimeout(() => {
+    controller.abort(
+      new TimeoutError({
+        details: { attempt, attemptTimeoutMs, jobId: job.id, operation: job.operation },
+        message: `Transfer attempt ${String(attempt)} timed out after ${String(attemptTimeoutMs)}ms: ${job.id}`,
+        retryable
+      })
+    );
+  }, attemptTimeoutMs);
+  let stallTimer;
+  const armStallWatchdog = () => {
+    if (stallTimeoutMs === void 0 || controller.signal.aborted) return;
+    if (stallTimer !== void 0) clearTimeout(stallTimer);
+    stallTimer = setTimeout(() => {
+      controller.abort(
+        new TimeoutError({
+          details: { attempt, jobId: job.id, operation: job.operation, stallTimeoutMs },
+          message: `Transfer attempt ${String(attempt)} stalled (no progress for ${String(stallTimeoutMs)}ms): ${job.id}`,
+          retryable
+        })
+      );
+    }, stallTimeoutMs);
+  };
+  armStallWatchdog();
+  return {
+    dispose: () => {
+      if (attemptTimer !== void 0) clearTimeout(attemptTimer);
+      if (stallTimer !== void 0) clearTimeout(stallTimer);
+      parentSignal?.removeEventListener("abort", abortFromParent);
+    },
+    notifyProgress: armStallWatchdog,
+    signal: controller.signal
+  };
+}
+function sleepWithAbort(delayMs, signal, job) {
+  return new Promise((resolve, reject) => {
+    if (signal === void 0) {
+      setTimeout(resolve, delayMs);
+      return;
+    }
+    if (signal.aborted) {
+      reject(toAbortFailure(signal, job));
+      return;
+    }
+    const rejectAbort = () => {
+      clearTimeout(timer);
+      reject(toAbortFailure(signal, job));
+    };
+    const timer = setTimeout(() => {
+      signal.removeEventListener("abort", rejectAbort);
+      resolve();
+    }, delayMs);
+    signal.addEventListener("abort", rejectAbort, { once: true });
+  });
+}
+function toAbortFailure(signal, job) {
+  if (signal.reason instanceof ZeroTransferError) {
+    return signal.reason;
+  }
+  return new AbortError({
+    details: { jobId: job.id, operation: job.operation },
+    message: `Transfer job aborted: ${job.id}`,
+    retryable: false
+  });
+}
+function normalizeDelayMs(value) {
+  if (value === void 0 || !Number.isFinite(value) || value <= 0) {
+    return 0;
+  }
+  return Math.floor(value);
+}
 function normalizeTimeoutMs(value) {
   if (value === void 0 || !Number.isFinite(value) || value <= 0) {
     return void 0;
@@ -1448,7 +1629,7 @@ async function runRoute(options) {
     const executor = createProviderTransferExecutor({
       resolveSession: ({ role }) => sessions.get(role)
     });
-    return await engine.execute(job, executor, buildExecuteOptions(options));
+    return await engine.execute(job, executor, buildExecuteOptions(options, client));
   } finally {
     if (destinationSession !== void 0) {
       await destinationSession.disconnect();
@@ -1485,12 +1666,14 @@ function defaultJobId(route, now) {
   const timestamp = (now?.() ?? /* @__PURE__ */ new Date()).getTime();
   return `route:${route.id}:${timestamp.toString(36)}`;
 }
-function buildExecuteOptions(options) {
+function buildExecuteOptions(options, client) {
   const execute = {};
+  const retry = options.retry ?? client.defaults?.retry;
+  const timeout = options.timeout ?? client.defaults?.timeout;
   if (options.signal !== void 0) execute.signal = options.signal;
-  if (options.retry !== void 0) execute.retry = options.retry;
+  if (retry !== void 0) execute.retry = retry;
   if (options.onProgress !== void 0) execute.onProgress = options.onProgress;
-  if (options.timeout !== void 0) execute.timeout = options.timeout;
+  if (timeout !== void 0) execute.timeout = timeout;
   if (options.bandwidthLimit !== void 0) execute.bandwidthLimit = options.bandwidthLimit;
   return execute;
 }
@@ -1547,41 +1730,6 @@ function defaultRouteSuffix(source, destination) {
   return `${source}->${destination}`;
 }
-// src/logging/redaction.ts
-var REDACTED = "[REDACTED]";
-var SENSITIVE_KEY_PATTERN = /(?:password|passphrase|privatekey|token|secret|username|user)$/i;
-var SECRET_COMMAND_PATTERN = /^(PASS|USER|ACCT)\s+(.+)$/i;
-function isSensitiveKey(key) {
-  return SENSITIVE_KEY_PATTERN.test(key.replace(/[_-]/g, ""));
-}
-function redactCommand(command) {
-  return command.replace(SECRET_COMMAND_PATTERN, (_fullMatch, commandName) => {
-    return `${commandName.toUpperCase()} ${REDACTED}`;
-  });
-}
-function redactValue(value) {
-  if (typeof value === "string") {
-    return redactCommand(value);
-  }
-  if (Array.isArray(value)) {
-    return value.map((item) => redactValue(item));
-  }
-  if (value !== null && typeof value === "object") {
-    return redactObject(value);
-  }
-  return value;
-}
-function redactObject(input) {
-  return Object.fromEntries(
-    Object.entries(input).map(([key, value]) => {
-      if (isSensitiveKey(key)) {
-        return [key, REDACTED];
-      }
-      return [key, redactValue(value)];
-    })
-  );
-}
 // src/profiles/SecretSource.ts
 import { Buffer as Buffer3 } from "buffer";
 import { readFile } from "fs/promises";
@@ -1963,11 +2111,11 @@ import {
 import path from "path";
 // src/utils/path.ts
-var UNSAFE_FTP_ARGUMENT_PATTERN = /[\r\n]/;
+var UNSAFE_FTP_ARGUMENT_PATTERN = /[\r\n\0]/;
 function assertSafeFtpArgument(value, label = "path") {
   if (UNSAFE_FTP_ARGUMENT_PATTERN.test(value)) {
     throw new ConfigurationError({
-      message: `Unsafe FTP ${label}: CR and LF characters are not allowed`,
+      message: `Unsafe FTP ${label}: CR, LF, and NUL characters are not allowed`,
       retryable: false,
       details: {
         label
@@ -3269,7 +3417,6 @@ function expandAlgorithms(values) {
 }
 // src/profiles/importers/FileZillaImporter.ts
-import { Buffer as Buffer6 } from "buffer";
 function importFileZillaSites(xml) {
   const events = tokenizeXml(xml);
   if (events.length === 0) {
@@ -3285,7 +3432,6 @@ function importFileZillaSites(xml) {
   const folderNamePending = [];
   let inServer = false;
   let serverFields = {};
-  let serverPasswordEncoding;
   let activeTag;
   let captureFolderName = false;
   for (const event of events) {
@@ -3298,13 +3444,9 @@ function importFileZillaSites(xml) {
       if (event.name === "Server") {
         inServer = true;
         serverFields = {};
-        serverPasswordEncoding = void 0;
         continue;
       }
       activeTag = event.name;
-      if (event.name === "Pass" && inServer) {
-        serverPasswordEncoding = event.attributes["encoding"];
-      }
       if (event.name === "Name" && !inServer && folderNamePending.length > 0) {
         captureFolderName = true;
       }
@@ -3330,7 +3472,7 @@ function importFileZillaSites(xml) {
       }
       if (event.name === "Server") {
         const folder = folderStack.filter((segment) => segment !== "");
-        const result = buildSiteFromFields(serverFields, serverPasswordEncoding);
+        const result = buildSiteFromFields(serverFields);
         if (result.kind === "site") {
           sites.push({ ...result.site, folder });
         } else {
@@ -3342,7 +3484,6 @@ function importFileZillaSites(xml) {
         }
         inServer = false;
         serverFields = {};
-        serverPasswordEncoding = void 0;
         activeTag = void 0;
         continue;
       }
@@ -3351,7 +3492,7 @@ function importFileZillaSites(xml) {
   }
   return { sites, skipped };
 }
-function buildSiteFromFields(fields, passwordEncoding) {
+function buildSiteFromFields(fields) {
   const name = (fields["Name"] ?? fields["Host"] ?? "Untitled").trim();
   const host = (fields["Host"] ?? "").trim();
   if (host === "") return { kind: "skipped", name };
@@ -3370,18 +3511,9 @@ function buildSiteFromFields(fields, passwordEncoding) {
   }
   const user = fields["User"]?.trim();
   if (user !== void 0 && user !== "") profile.username = { value: user };
-  let password;
   const rawPass = fields["Pass"];
-  if (rawPass !== void 0 && rawPass !== "") {
-    if (passwordEncoding === "base64") {
-      password = Buffer6.from(rawPass, "base64").toString("utf8");
-    } else {
-      password = rawPass;
-    }
-    if (password !== void 0 && password !== "") profile.password = { value: password };
-  }
-  const site = { name, profile };
-  if (password !== void 0) site.password = password;
+  const hasStoredPassword = rawPass !== void 0 && rawPass !== "";
+  const site = { hasStoredPassword, name, profile };
   const logonText = fields["Logontype"];
   if (logonText !== void 0) {
     const logonType = Number.parseInt(logonText.trim(), 10);
@@ -3624,6 +3756,62 @@ function mapFtp550(details) {
   return new PermissionDeniedError(details);
 }
+// src/transfers/createDefaultRetryPolicy.ts
+var DEFAULT_MAX_ATTEMPTS = 4;
+var DEFAULT_BASE_DELAY_MS = 250;
+var DEFAULT_MAX_DELAY_MS = 3e4;
+var DEFAULT_MAX_ELAPSED_MS = 3e5;
+function createDefaultRetryPolicy(options = {}) {
+  const maxAttempts = normalizePositiveInteger(options.maxAttempts, DEFAULT_MAX_ATTEMPTS);
+  const baseDelayMs = normalizeNonNegative(options.baseDelayMs, DEFAULT_BASE_DELAY_MS);
+  const maxDelayMs = normalizeNonNegative(options.maxDelayMs, DEFAULT_MAX_DELAY_MS);
+  const maxElapsedMs = normalizeNonNegative(options.maxElapsedMs, DEFAULT_MAX_ELAPSED_MS);
+  const random = options.random ?? Math.random;
+  return {
+    getDelayMs(input) {
+      const retryAfterMs = readRetryAfterMs(input.error);
+      if (retryAfterMs !== void 0) {
+        return retryAfterMs;
+      }
+      const exponentialMs = baseDelayMs * 2 ** (input.attempt - 1);
+      const cappedMs = Math.min(maxDelayMs, exponentialMs);
+      return Math.floor(random() * cappedMs);
+    },
+    maxAttempts,
+    shouldRetry(input) {
+      if (!(input.error instanceof ZeroTransferError) || !input.error.retryable) {
+        return false;
+      }
+      if (input.elapsedMs >= maxElapsedMs) {
+        return false;
+      }
+      const retryAfterMs = readRetryAfterMs(input.error);
+      if (retryAfterMs !== void 0 && input.elapsedMs + retryAfterMs > maxElapsedMs) {
+        return false;
+      }
+      return true;
+    }
+  };
+}
+function readRetryAfterMs(error) {
+  if (!(error instanceof ZeroTransferError)) return void 0;
+  const value = error.details?.["retryAfterMs"];
+  if (typeof value !== "number" || !Number.isFinite(value) || value < 0) return void 0;
+  return Math.floor(value);
+}
+function normalizePositiveInteger(value, fallback) {
+  if (value === void 0 || !Number.isFinite(value) || value < 1) {
+    return fallback;
+  }
+  return Math.floor(value);
+}
+function normalizeNonNegative(value, fallback) {
+  if (value === void 0 || !Number.isFinite(value) || value < 0) {
+    return fallback;
+  }
+  return Math.floor(value);
+}
 // src/transfers/TransferPlan.ts
 function createTransferPlan(input) {
   const plan = {
@@ -3721,8 +3909,8 @@ var TransferQueue = class {
     this.concurrency = normalizeConcurrency(options.concurrency);
     this.defaultExecutor = options.executor;
     this.resolveExecutor = options.resolveExecutor;
-    this.retry = options.retry;
-    this.timeout = options.timeout;
+    this.retry = options.retry ?? options.client?.defaults?.retry;
+    this.timeout = options.timeout ?? options.client?.defaults?.timeout;
     this.bandwidthLimit = options.bandwidthLimit;
     this.onProgress = options.onProgress;
     this.onReceipt = options.onReceipt;
@@ -4799,12 +4987,12 @@ function isMainModule(importMetaUrl) {
 }
 // src/providers/native/sftp/NativeSftpProvider.ts
-import { Buffer as Buffer21 } from "buffer";
+import { Buffer as Buffer20 } from "buffer";
 import { createHash as createHash3, createPrivateKey } from "crypto";
 import { createConnection } from "net";
 // src/protocols/ssh/binary/SshDataWriter.ts
-import { Buffer as Buffer7 } from "buffer";
+import { Buffer as Buffer6 } from "buffer";
 var MAX_UINT32 = 4294967295;
 var MAX_UINT64 = (1n << 64n) - 1n;
 var SshDataWriter = class {
@@ -4812,7 +5000,7 @@ var SshDataWriter = class {
   length = 0;
   writeByte(value) {
     this.assertByte(value, "byte");
-    const chunk = Buffer7.alloc(1);
+    const chunk = Buffer6.alloc(1);
     chunk.writeUInt8(value, 0);
     return this.push(chunk);
   }
@@ -4820,7 +5008,7 @@ var SshDataWriter = class {
     return this.writeByte(value ? 1 : 0);
   }
   writeBytes(value) {
-    return this.push(Buffer7.from(value));
+    return this.push(Buffer6.from(value));
   }
   writeUint32(value) {
     if (!Number.isInteger(value) || value < 0 || value > MAX_UINT32) {
@@ -4830,7 +5018,7 @@ var SshDataWriter = class {
         retryable: false
       });
     }
-    const chunk = Buffer7.alloc(4);
+    const chunk = Buffer6.alloc(4);
     chunk.writeUInt32BE(value, 0);
     return this.push(chunk);
   }
@@ -4842,12 +5030,12 @@ var SshDataWriter = class {
         retryable: false
       });
     }
-    const chunk = Buffer7.alloc(8);
+    const chunk = Buffer6.alloc(8);
     chunk.writeBigUInt64BE(value, 0);
     return this.push(chunk);
   }
   writeString(value, encoding = "utf8") {
-    const payload = typeof value === "string" ? Buffer7.from(value, encoding) : Buffer7.from(value);
+    const payload = typeof value === "string" ? Buffer6.from(value, encoding) : Buffer6.from(value);
     this.writeUint32(payload.length);
     return this.push(payload);
   }
@@ -4869,7 +5057,7 @@ var SshDataWriter = class {
     return this.writeString(values.join(","), "ascii");
   }
   toBuffer() {
-    return Buffer7.concat(this.chunks, this.length);
+    return Buffer6.concat(this.chunks, this.length);
   }
   push(chunk) {
     this.chunks.push(chunk);
@@ -4887,23 +5075,23 @@ var SshDataWriter = class {
   }
 };
 function normalizePositiveMpint(value) {
-  const input = Buffer7.from(value);
+  const input = Buffer6.from(value);
   let offset = 0;
   while (offset < input.length && input[offset] === 0) {
     offset += 1;
   }
   if (offset >= input.length) {
-    return Buffer7.alloc(0);
+    return Buffer6.alloc(0);
   }
   const stripped = input.subarray(offset);
   if ((stripped[0] & 128) === 128) {
-    return Buffer7.concat([Buffer7.from([0]), stripped]);
+    return Buffer6.concat([Buffer6.from([0]), stripped]);
   }
   return stripped;
 }
 // src/protocols/ssh/binary/SshDataReader.ts
-import { Buffer as Buffer8 } from "buffer";
+import { Buffer as Buffer7 } from "buffer";
 var SshDataReader = class {
   constructor(source) {
     this.source = source;
@@ -4929,18 +5117,18 @@ var SshDataReader = class {
     this.ensureAvailable(length, "bytes");
     const data = this.source.subarray(this.offset, this.offset + length);
     this.offset += length;
-    return Buffer8.from(data);
+    return Buffer7.from(data);
   }
   readUint32() {
     this.ensureAvailable(4, "uint32");
-    const buffer = Buffer8.from(this.source);
+    const buffer = Buffer7.from(this.source);
     const value = buffer.readUInt32BE(this.offset);
     this.offset += 4;
     return value;
   }
   readUint64() {
     this.ensureAvailable(8, "uint64");
-    const buffer = Buffer8.from(this.source);
+    const buffer = Buffer7.from(this.source);
     const value = buffer.readBigUInt64BE(this.offset);
     this.offset += 8;
     return value;
@@ -4950,7 +5138,7 @@ var SshDataReader = class {
     this.ensureAvailable(length, "string");
     const data = this.source.subarray(this.offset, this.offset + length);
     this.offset += length;
-    return Buffer8.from(data);
+    return Buffer7.from(data);
   }
   readUtf8String() {
     return this.readString().toString("utf8");
@@ -5305,7 +5493,7 @@ function buildKiRequest(args) {
 }
 // src/protocols/ssh/auth/SshPublickeyCredentialBuilder.ts
-import { Buffer as Buffer9 } from "buffer";
+import { Buffer as Buffer8 } from "buffer";
 import { createPublicKey, sign as cryptoSign } from "crypto";
 var ED25519_RAW_KEY_LENGTH = 32;
 var ED25519_SPKI_PREFIX_LENGTH = 12;
@@ -5323,7 +5511,7 @@ function buildPublickeyCredential(options) {
       return {
         algorithmName: "ssh-ed25519",
         publicKeyBlob,
-        sign: (data) => cryptoSign(null, Buffer9.from(data), privateKey),
+        sign: (data) => cryptoSign(null, Buffer8.from(data), privateKey),
         type: "publickey",
         username
       };
@@ -5341,7 +5529,7 @@ function buildPublickeyCredential(options) {
       return {
         algorithmName,
         publicKeyBlob,
-        sign: (data) => cryptoSign(hash, Buffer9.from(data), privateKey),
+        sign: (data) => cryptoSign(hash, Buffer8.from(data), privateKey),
         type: "publickey",
         username
       };
@@ -5354,7 +5542,7 @@ function buildPublickeyCredential(options) {
 }
 function base64UrlToMpint(value) {
   const padded = value.replace(/-/g, "+").replace(/_/g, "/");
-  const buffer = Buffer9.from(padded, "base64");
+  const buffer = Buffer8.from(padded, "base64");
   return buffer;
 }
 function createInvalidKeyError(message) {
@@ -5480,7 +5668,7 @@ function encodeSshChannelClose(recipientChannel) {
 }
 // src/protocols/ssh/connection/SshSessionChannel.ts
-import { Buffer as Buffer10 } from "buffer";
+import { Buffer as Buffer9 } from "buffer";
 var INITIAL_WINDOW_SIZE = 256 * 1024;
 var MAX_PACKET_SIZE = 32 * 1024;
 var WINDOW_REFILL_THRESHOLD = 64 * 1024;
@@ -5638,7 +5826,7 @@ var SshSessionChannel = class {
         this.remoteWindowRemaining,
         this.remoteMaxPacketSize
       );
-      const chunk = Buffer10.from(data.subarray(offset, offset + chunkSize));
+      const chunk = Buffer9.from(data.subarray(offset, offset + chunkSize));
       this.transport.sendPayload(
         encodeSshChannelData({ data: chunk, recipientChannel: this.remoteChannelId })
       );
@@ -5900,10 +6088,10 @@ var SshConnectionManager = class {
 };
 // src/protocols/ssh/transport/SshTransportConnection.ts
-import { Buffer as Buffer18 } from "buffer";
+import { Buffer as Buffer17 } from "buffer";
 // src/protocols/ssh/transport/SshTransportHandshake.ts
-import { Buffer as Buffer16 } from "buffer";
+import { Buffer as Buffer15 } from "buffer";
 // src/protocols/ssh/transport/SshAlgorithmNegotiation.ts
 var DEFAULT_SSH_ALGORITHM_PREFERENCES = {
@@ -6065,12 +6253,12 @@ function parseSshIdentificationLine(line) {
 }
 // src/protocols/ssh/transport/SshKexInit.ts
-import { Buffer as Buffer11 } from "buffer";
+import { Buffer as Buffer10 } from "buffer";
 import { randomBytes } from "crypto";
 var SSH_MSG_KEXINIT = 20;
 var KEXINIT_COOKIE_LENGTH = 16;
 function encodeSshKexInitMessage(options) {
-  const cookie = options.cookie === void 0 ? randomBytes(KEXINIT_COOKIE_LENGTH) : Buffer11.from(options.cookie);
+  const cookie = options.cookie === void 0 ? randomBytes(KEXINIT_COOKIE_LENGTH) : Buffer10.from(options.cookie);
   if (cookie.length !== KEXINIT_COOKIE_LENGTH) {
     throw new ConfigurationError({
       details: { actualLength: cookie.length, expectedLength: KEXINIT_COOKIE_LENGTH },
@@ -6140,12 +6328,12 @@ function decodeSshKexInitMessage(payload) {
 }
 // src/protocols/ssh/transport/SshKexCurve25519.ts
-import { Buffer as Buffer12 } from "buffer";
+import { Buffer as Buffer11 } from "buffer";
 import { createPublicKey as createPublicKey2, diffieHellman, generateKeyPairSync } from "crypto";
 var SSH_MSG_KEX_ECDH_INIT = 30;
 var SSH_MSG_KEX_ECDH_REPLY = 31;
 var X25519_PUBLIC_KEY_LENGTH = 32;
-var X25519_SPKI_PREFIX = Buffer12.from("302a300506032b656e032100", "hex");
+var X25519_SPKI_PREFIX = Buffer11.from("302a300506032b656e032100", "hex");
 function createCurve25519Ephemeral() {
   const { privateKey, publicKey } = generateKeyPairSync("x25519");
   const encodedPublicKey = exportX25519PublicKeyRaw(publicKey);
@@ -6190,7 +6378,7 @@ function exportX25519PublicKeyRaw(publicKey) {
 }
 function importX25519PublicKeyRaw(raw) {
   const normalized = normalizeX25519PublicKey(raw, "server");
-  const der = Buffer12.concat([X25519_SPKI_PREFIX, normalized]);
+  const der = Buffer11.concat([X25519_SPKI_PREFIX, normalized]);
   return createPublicKey2({
     format: "der",
     key: der,
@@ -6198,7 +6386,7 @@ function importX25519PublicKeyRaw(raw) {
   });
 }
 function normalizeX25519PublicKey(value, label) {
-  const key = Buffer12.from(value);
+  const key = Buffer11.from(value);
   if (key.length !== X25519_PUBLIC_KEY_LENGTH) {
     throw new ConfigurationError({
       details: { keyLength: key.length, label },
@@ -6211,7 +6399,7 @@ function normalizeX25519PublicKey(value, label) {
 }
 // src/protocols/ssh/transport/SshKeyDerivation.ts
-import { Buffer as Buffer13 } from "buffer";
+import { Buffer as Buffer12 } from "buffer";
 import { createHash } from "crypto";
 function deriveSshSessionKeys(input) {
   const hashAlgorithm = resolveKexHashAlgorithm(input.kexAlgorithm);
@@ -6233,7 +6421,7 @@ function deriveSshSessionKeys(input) {
     input.negotiatedAlgorithms.encryptionServerToClient,
     input.negotiatedAlgorithms.macServerToClient
   );
-  const sharedSecret = Buffer13.from(input.sharedSecret);
+  const sharedSecret = Buffer12.from(input.sharedSecret);
   return {
     clientToServer: {
       encryptionKey: deriveMaterial(
@@ -6283,21 +6471,21 @@ function computeCurve25519ExchangeHash(input, hashAlgorithm) {
 }
 function deriveMaterial(sharedSecret, exchangeHash, sessionId, letter, length, hashAlgorithm) {
   if (length <= 0) {
-    return Buffer13.alloc(0);
+    return Buffer12.alloc(0);
   }
   const result = [];
   const first2 = createHash(hashAlgorithm).update(
     new SshDataWriter().writeMpint(sharedSecret).writeBytes(exchangeHash).writeByte(letter.charCodeAt(0)).writeBytes(sessionId).toBuffer()
   ).digest();
   result.push(first2);
-  while (Buffer13.concat(result).length < length) {
-    const previous = Buffer13.concat(result);
+  while (Buffer12.concat(result).length < length) {
+    const previous = Buffer12.concat(result);
     const next = createHash(hashAlgorithm).update(
       new SshDataWriter().writeMpint(sharedSecret).writeBytes(exchangeHash).writeBytes(previous).toBuffer()
     ).digest();
     result.push(next);
   }
-  return Buffer13.concat(result).subarray(0, length);
+  return Buffer12.concat(result).subarray(0, length);
 }
 function resolveKexHashAlgorithm(kexAlgorithm) {
   if (kexAlgorithm === "curve25519-sha256" || kexAlgorithm === "curve25519-sha256@libssh.org") {
@@ -6385,20 +6573,21 @@ function decodeSshNewKeysMessage(payload) {
 }
 // src/protocols/ssh/transport/SshTransportPacket.ts
-import { Buffer as Buffer14 } from "buffer";
+import { Buffer as Buffer13 } from "buffer";
 import { randomBytes as randomBytes2 } from "crypto";
 var MIN_PADDING_LENGTH = 4;
 var MIN_PACKET_LENGTH = 1 + MIN_PADDING_LENGTH;
+var MAX_SSH_PACKET_LENGTH = 256 * 1024;
 function encodeSshTransportPacket(payload, options = {}) {
-  const body = Buffer14.from(payload);
+  const body = Buffer13.from(payload);
   const blockSize = normalizeBlockSize(options.blockSize ?? 8);
   let paddingLength = MIN_PADDING_LENGTH;
   while ((1 + body.length + paddingLength + 4) % blockSize !== 0) {
     paddingLength += 1;
   }
-  const padding = options.randomPadding === false ? Buffer14.alloc(paddingLength) : randomBytes2(paddingLength);
+  const padding = options.randomPadding === false ? Buffer13.alloc(paddingLength) : randomBytes2(paddingLength);
   const packetLength = 1 + body.length + paddingLength;
-  const frame = Buffer14.alloc(4 + packetLength);
+  const frame = Buffer13.alloc(4 + packetLength);
   frame.writeUInt32BE(packetLength, 0);
   frame.writeUInt8(paddingLength, 4);
   body.copy(frame, 5);
@@ -6406,7 +6595,7 @@ function encodeSshTransportPacket(payload, options = {}) {
   return frame;
 }
 function decodeSshTransportPacket(frame) {
-  const bytes = Buffer14.from(frame);
+  const bytes = Buffer13.from(frame);
   if (bytes.length < 4 + MIN_PACKET_LENGTH) {
     throw new ParseError({
       details: { length: bytes.length },
@@ -6460,12 +6649,20 @@ function decodeSshTransportPacket(frame) {
   };
 }
 var SshTransportPacketFramer = class {
-  pending = Buffer14.alloc(0);
+  pending = Buffer13.alloc(0);
   push(chunk) {
-    this.pending = Buffer14.concat([this.pending, Buffer14.from(chunk)]);
+    this.pending = Buffer13.concat([this.pending, Buffer13.from(chunk)]);
     const packets = [];
     while (this.pending.length >= 4) {
       const packetLength = this.pending.readUInt32BE(0);
+      if (packetLength > MAX_SSH_PACKET_LENGTH) {
+        throw new ParseError({
+          details: { maxPacketLength: MAX_SSH_PACKET_LENGTH, packetLength },
+          message: "SSH transport packet length exceeds the maximum accepted size",
+          protocol: "sftp",
+          retryable: false
+        });
+      }
       const frameLength = 4 + packetLength;
       if (this.pending.length < frameLength) {
         break;
@@ -6481,8 +6678,8 @@ var SshTransportPacketFramer = class {
   }
   /** Returns and clears any bytes buffered but not yet part of a complete packet. */
   takeRemainingBytes() {
-    const remaining = Buffer14.from(this.pending);
-    this.pending = Buffer14.alloc(0);
+    const remaining = Buffer13.from(this.pending);
+    this.pending = Buffer13.alloc(0);
     return remaining;
   }
 };
@@ -6499,10 +6696,10 @@ function normalizeBlockSize(blockSize) {
 }
 // src/protocols/ssh/transport/SshHostKeyVerification.ts
-import { Buffer as Buffer15 } from "buffer";
+import { Buffer as Buffer14 } from "buffer";
 import { createHash as createHash2, createPublicKey as createPublicKey3, verify as cryptoVerify } from "crypto";
 var ED25519_RAW_KEY_LENGTH2 = 32;
-var ED25519_SPKI_PREFIX = Buffer15.from("302a300506032b6570032100", "hex");
+var ED25519_SPKI_PREFIX = Buffer14.from("302a300506032b6570032100", "hex");
 function verifySshHostKeySignature(input) {
   const { algorithmName, publicKey } = parseHostKey(input.hostKeyBlob);
   const { signatureAlgorithm, signatureBytes } = parseSignatureBlob(input.signatureBlob);
@@ -6515,9 +6712,9 @@ function verifySshHostKeySignature(input) {
     });
   }
   const verified = verifySignature({
-    data: Buffer15.from(input.exchangeHash),
+    data: Buffer14.from(input.exchangeHash),
     publicKey,
-    signature: Buffer15.from(signatureBytes),
+    signature: Buffer14.from(signatureBytes),
     signatureAlgorithm
   });
   if (!verified) {
@@ -6546,7 +6743,7 @@ function parseHostKey(blob) {
           retryable: false
         });
       }
-      const spki = Buffer15.concat([ED25519_SPKI_PREFIX, raw]);
+      const spki = Buffer14.concat([ED25519_SPKI_PREFIX, raw]);
       return {
         algorithmName,
         publicKey: createPublicKey3({ format: "der", key: spki, type: "spki" })
@@ -6652,37 +6849,37 @@ function verifySignature(input) {
 function rsaPublicKeyFromComponents(e, n) {
   const eDer = encodeAsn1Integer(e);
   const nDer = encodeAsn1Integer(n);
-  const rsaPublicKeyDer = encodeAsn1Sequence(Buffer15.concat([nDer, eDer]));
-  const bitStringContent = Buffer15.concat([Buffer15.from([0]), rsaPublicKeyDer]);
-  const bitString = Buffer15.concat([
-    Buffer15.from([3]),
+  const rsaPublicKeyDer = encodeAsn1Sequence(Buffer14.concat([nDer, eDer]));
+  const bitStringContent = Buffer14.concat([Buffer14.from([0]), rsaPublicKeyDer]);
+  const bitString = Buffer14.concat([
+    Buffer14.from([3]),
     encodeAsn1Length(bitStringContent.length),
     bitStringContent
   ]);
-  const algoId = Buffer15.from("300d06092a864886f70d010101 0500".replace(/\s+/g, ""), "hex");
-  const spki = encodeAsn1Sequence(Buffer15.concat([algoId, bitString]));
+  const algoId = Buffer14.from("300d06092a864886f70d010101 0500".replace(/\s+/g, ""), "hex");
+  const spki = encodeAsn1Sequence(Buffer14.concat([algoId, bitString]));
   return createPublicKey3({ format: "der", key: spki, type: "spki" });
 }
 function encodeAsn1Integer(value) {
   let body = value;
   while (body.length > 1 && body[0] === 0) body = body.subarray(1);
   if (body.length > 0 && (body[0] & 128) !== 0) {
-    body = Buffer15.concat([Buffer15.from([0]), body]);
+    body = Buffer14.concat([Buffer14.from([0]), body]);
   }
-  return Buffer15.concat([Buffer15.from([2]), encodeAsn1Length(body.length), body]);
+  return Buffer14.concat([Buffer14.from([2]), encodeAsn1Length(body.length), body]);
 }
 function encodeAsn1Sequence(content) {
-  return Buffer15.concat([Buffer15.from([48]), encodeAsn1Length(content.length), content]);
+  return Buffer14.concat([Buffer14.from([48]), encodeAsn1Length(content.length), content]);
 }
 function encodeAsn1Length(length) {
-  if (length < 128) return Buffer15.from([length]);
+  if (length < 128) return Buffer14.from([length]);
   const bytes = [];
   let n = length;
   while (n > 0) {
     bytes.unshift(n & 255);
     n >>>= 8;
   }
-  return Buffer15.from([128 | bytes.length, ...bytes]);
+  return Buffer14.from([128 | bytes.length, ...bytes]);
 }
 var ECDSA_OID_BY_CURVE = {
   nistp256: "06082a8648ce3d030107",
@@ -6703,15 +6900,15 @@ function ecdsaPublicKeyFromPoint(curveIdentifier, point) {
       retryable: false
     });
   }
-  const algoIdContent = Buffer15.from(ECDSA_ALGORITHM_OID_HEX + oidHex, "hex");
+  const algoIdContent = Buffer14.from(ECDSA_ALGORITHM_OID_HEX + oidHex, "hex");
   const algoId = encodeAsn1Sequence(algoIdContent);
-  const bitStringContent = Buffer15.concat([Buffer15.from([0]), point]);
-  const bitString = Buffer15.concat([
-    Buffer15.from([3]),
+  const bitStringContent = Buffer14.concat([Buffer14.from([0]), point]);
+  const bitString = Buffer14.concat([
+    Buffer14.from([3]),
     encodeAsn1Length(bitStringContent.length),
     bitStringContent
   ]);
-  const spki = encodeAsn1Sequence(Buffer15.concat([algoId, bitString]));
+  const spki = encodeAsn1Sequence(Buffer14.concat([algoId, bitString]));
   return createPublicKey3({ format: "der", key: spki, type: "spki" });
 }
 function sshEcdsaSignatureToDer(sshSignature) {
@@ -6720,7 +6917,7 @@ function sshEcdsaSignatureToDer(sshSignature) {
   const s = reader.readMpint();
   const rDer = encodeAsn1Integer(r);
   const sDer = encodeAsn1Integer(s);
-  return encodeAsn1Sequence(Buffer15.concat([rDer, sDer]));
+  return encodeAsn1Sequence(Buffer14.concat([rDer, sDer]));
 }
 // src/protocols/ssh/transport/SshTransportHandshake.ts
@@ -6752,7 +6949,7 @@ var SshTransportHandshake = class {
   serverIdentification;
   /** Creates the first outbound bytes (client identification line). */
   createInitialClientBytes() {
-    return Buffer16.from(`${this.clientIdentificationLine}\r
+    return Buffer15.from(`${this.clientIdentificationLine}\r
 `, "ascii");
   }
   /**
@@ -6776,7 +6973,7 @@ var SshTransportHandshake = class {
       }
       return { outbound };
     }
-    return this.pushServerBytesWithPhase(outbound, Buffer16.from(chunk));
+    return this.pushServerBytesWithPhase(outbound, Buffer15.from(chunk));
   }
   getServerBannerLines() {
     return this.identificationLines;
@@ -6830,12 +7027,12 @@ var SshTransportHandshake = class {
           clientKexInitPayload: this.clientKexInitPayload,
           clientPublicKey: this.pendingCurve25519.publicKey,
           negotiatedAlgorithms,
-          serverHostKey: Buffer16.alloc(0),
+          serverHostKey: Buffer15.alloc(0),
           serverIdentification: (this.serverIdentification ?? missingServerIdentificationError()).raw,
-          serverKexInitPayload: Buffer16.from(packet.payload),
-          serverPublicKey: Buffer16.alloc(0),
-          serverSignature: Buffer16.alloc(0),
-          sharedSecret: Buffer16.alloc(0)
+          serverKexInitPayload: Buffer15.from(packet.payload),
+          serverPublicKey: Buffer15.alloc(0),
+          serverSignature: Buffer15.alloc(0),
+          sharedSecret: Buffer15.alloc(0)
         };
         continue;
       }
@@ -6943,24 +7140,54 @@ var SshTransportHandshake = class {
     return { outbound };
   }
 };
+var MAX_IDENTIFICATION_LINE_BYTES = 8192;
+var MAX_PRE_IDENTIFICATION_LINES = 1024;
 var SshIdentificationAccumulator = class {
-  pending = Buffer16.alloc(0);
+  pending = Buffer15.alloc(0);
+  bannerLineCount = 0;
   push(chunk) {
-    this.pending = Buffer16.concat([this.pending, Buffer16.from(chunk)]);
+    this.pending = Buffer15.concat([this.pending, Buffer15.from(chunk)]);
     const bannerLines = [];
     while (true) {
       const lfIndex = this.pending.indexOf(10);
-      if (lfIndex < 0) break;
+      if (lfIndex < 0) {
+        if (this.pending.length > MAX_IDENTIFICATION_LINE_BYTES) {
+          throw new ProtocolError({
+            details: { limitBytes: MAX_IDENTIFICATION_LINE_BYTES },
+            message: "SSH identification line exceeds the maximum accepted length",
+            protocol: "sftp",
+            retryable: false
+          });
+        }
+        break;
+      }
+      if (lfIndex > MAX_IDENTIFICATION_LINE_BYTES) {
+        throw new ProtocolError({
+          details: { limitBytes: MAX_IDENTIFICATION_LINE_BYTES },
+          message: "SSH identification line exceeds the maximum accepted length",
+          protocol: "sftp",
+          retryable: false
+        });
+      }
       const lineText = trimLineEndings(this.pending.subarray(0, lfIndex + 1).toString("ascii"));
-      const remainder = Buffer16.from(this.pending.subarray(lfIndex + 1));
+      const remainder = Buffer15.from(this.pending.subarray(lfIndex + 1));
       this.pending = remainder;
       if (lineText.startsWith("SSH-")) {
-        this.pending = Buffer16.alloc(0);
+        this.pending = Buffer15.alloc(0);
         return { bannerLines, identLine: lineText, remainder };
       }
+      this.bannerLineCount += 1;
+      if (this.bannerLineCount > MAX_PRE_IDENTIFICATION_LINES) {
+        throw new ProtocolError({
+          details: { limitLines: MAX_PRE_IDENTIFICATION_LINES },
+          message: "SSH server sent too many pre-identification banner lines",
+          protocol: "sftp",
+          retryable: false
+        });
+      }
       bannerLines.push(lineText);
     }
-    return { bannerLines, remainder: Buffer16.alloc(0) };
+    return { bannerLines, remainder: Buffer15.alloc(0) };
   }
 };
 function trimLineEndings(value) {
@@ -6988,7 +7215,7 @@ function missingPendingKeyExchangeError() {
 }
 // src/protocols/ssh/transport/SshTransportProtection.ts
-import { Buffer as Buffer17 } from "buffer";
+import { Buffer as Buffer16 } from "buffer";
 import {
   createCipheriv,
   createDecipheriv,
@@ -7050,7 +7277,7 @@ var SshTransportPacketProtector = class {
     );
     const encrypted = this.cipher === void 0 ? clearPacket : this.cipher.update(clearPacket);
     this.sequenceNumber = this.sequenceNumber + 1 >>> 0;
-    return Buffer17.concat([encrypted, mac]);
+    return Buffer16.concat([encrypted, mac]);
   }
 };
 var SshTransportPacketUnprotector = class {
@@ -7076,7 +7303,7 @@ var SshTransportPacketUnprotector = class {
   sequenceNumber;
   // Streaming framing state for pushBytes()
   framePartialDecrypted;
-  framePendingRaw = Buffer17.alloc(0);
+  framePendingRaw = Buffer16.alloc(0);
   frameRemainingNeeded;
   getSequenceNumber() {
     return this.sequenceNumber;
@@ -7086,15 +7313,23 @@ var SshTransportPacketUnprotector = class {
    * Maintains internal framing state across calls - pass each `data` event chunk directly.
    */
   pushBytes(chunk) {
-    this.framePendingRaw = Buffer17.concat([this.framePendingRaw, chunk]);
+    this.framePendingRaw = Buffer16.concat([this.framePendingRaw, chunk]);
     const results = [];
     while (true) {
       if (this.framePartialDecrypted === void 0) {
         if (this.framePendingRaw.length < this.blockLength) break;
         const firstBlock = this.framePendingRaw.subarray(0, this.blockLength);
-        this.framePendingRaw = Buffer17.from(this.framePendingRaw.subarray(this.blockLength));
-        this.framePartialDecrypted = this.decipher ? Buffer17.from(this.decipher.update(firstBlock)) : Buffer17.from(firstBlock);
+        this.framePendingRaw = Buffer16.from(this.framePendingRaw.subarray(this.blockLength));
+        this.framePartialDecrypted = this.decipher ? Buffer16.from(this.decipher.update(firstBlock)) : Buffer16.from(firstBlock);
         const packetLength = this.framePartialDecrypted.readUInt32BE(0);
+        if (packetLength > MAX_SSH_PACKET_LENGTH) {
+          throw new ProtocolError({
+            details: { maxPacketLength: MAX_SSH_PACKET_LENGTH, packetLength },
+            message: "SSH encrypted packet length exceeds the maximum accepted size",
+            protocol: "sftp",
+            retryable: false
+          });
+        }
         const remaining = 4 + packetLength - this.blockLength + this.macLength;
         if (remaining < 0) {
           throw new ProtocolError({
@@ -7110,9 +7345,9 @@ var SshTransportPacketUnprotector = class {
       if (this.framePendingRaw.length < needed) break;
       const encryptedRest = this.framePendingRaw.subarray(0, needed - this.macLength);
       const receivedMac = this.framePendingRaw.subarray(needed - this.macLength, needed);
-      this.framePendingRaw = Buffer17.from(this.framePendingRaw.subarray(needed));
-      const decryptedRest = encryptedRest.length > 0 ? this.decipher ? Buffer17.from(this.decipher.update(encryptedRest)) : Buffer17.from(encryptedRest) : Buffer17.alloc(0);
-      const clearPacket = Buffer17.concat([this.framePartialDecrypted, decryptedRest]);
+      this.framePendingRaw = Buffer16.from(this.framePendingRaw.subarray(needed));
+      const decryptedRest = encryptedRest.length > 0 ? this.decipher ? Buffer16.from(this.decipher.update(encryptedRest)) : Buffer16.from(encryptedRest) : Buffer16.alloc(0);
+      const clearPacket = Buffer16.concat([this.framePartialDecrypted, decryptedRest]);
       const expectedMac = computeMac(
         this.macAlgorithm,
         this.options.keys.macKey,
@@ -7135,7 +7370,7 @@ var SshTransportPacketUnprotector = class {
     return results;
   }
   unprotectPayload(packet) {
-    const frame = Buffer17.from(packet);
+    const frame = Buffer16.from(packet);
     if (frame.length < this.macLength) {
       throw new ProtocolError({
         details: { length: frame.length, macLength: this.macLength },
@@ -7276,10 +7511,10 @@ function resolveMacLength(encryptionAlgorithm, macAlgorithm) {
 }
 function computeMac(macAlgorithm, macKey, sequence, packet, macLength) {
   if (macLength === 0) {
-    return Buffer17.alloc(0);
+    return Buffer16.alloc(0);
   }
   const hashName = macAlgorithm === "hmac-sha2-512" ? "sha512" : "sha256";
-  const sequenceBuffer = Buffer17.alloc(4);
+  const sequenceBuffer = Buffer16.alloc(4);
   sequenceBuffer.writeUInt32BE(sequence >>> 0, 0);
   return createHmac2(hashName, macKey).update(sequenceBuffer).update(packet).digest().subarray(0, macLength);
 }
@@ -7486,7 +7721,7 @@ var SshTransportConnection = class {
    */
   sendPayload(payload) {
     this.assertConnected();
-    const frame = this.protector.protectPayload(Buffer18.from(payload));
+    const frame = this.protector.protectPayload(Buffer17.from(payload));
     this.socket.write(frame);
     this.resetKeepaliveTimer();
   }
@@ -7644,7 +7879,7 @@ function parseDisconnectPayload(payload) {
 }
 // src/protocols/sftp/v3/SftpSession.ts
-import { Buffer as Buffer20 } from "buffer";
+import { Buffer as Buffer19 } from "buffer";
 // src/protocols/sftp/v3/SftpAttributes.ts
 var SFTP_ATTR_FLAG = {
@@ -7717,7 +7952,8 @@ function decodeSftpAttributesFromReader(reader) {
 }
 // src/protocols/sftp/v3/SftpPacket.ts
-import { Buffer as Buffer19 } from "buffer";
+import { Buffer as Buffer18 } from "buffer";
+var MAX_SFTP_PACKET_LENGTH = 256 * 1024;
 var SFTP_PACKET_TYPE = {
   ATTRS: 105,
   CLOSE: 4,
@@ -7748,7 +7984,7 @@ var SFTP_PACKET_TYPE = {
   WRITE: 6
 };
 function decodeSftpPacket(frame) {
-  const bytes = Buffer19.from(frame);
+  const bytes = Buffer18.from(frame);
   if (bytes.length < 5) {
     throw new ParseError({
       details: { length: bytes.length },
@@ -7771,12 +8007,19 @@ function decodeSftpPacket(frame) {
   };
 }
 var SftpPacketFramer = class {
-  pending = Buffer19.alloc(0);
+  pending = Buffer18.alloc(0);
   push(chunk) {
-    this.pending = Buffer19.concat([this.pending, Buffer19.from(chunk)]);
+    this.pending = Buffer18.concat([this.pending, Buffer18.from(chunk)]);
     const packets = [];
     while (this.pending.length >= 4) {
       const bodyLength = this.pending.readUInt32BE(0);
+      if (bodyLength > MAX_SFTP_PACKET_LENGTH) {
+        throw new ParseError({
+          details: { bodyLength, maxPacketLength: MAX_SFTP_PACKET_LENGTH },
+          message: "SFTP packet length exceeds the maximum accepted size",
+          retryable: false
+        });
+      }
       const frameLength = 4 + bodyLength;
       if (this.pending.length < frameLength) {
         break;
@@ -8231,7 +8474,7 @@ var SftpSession = class {
    * serializes concurrent calls so byte ordering is preserved.
    */
   sendRaw(encodedMessage, requestId) {
-    const frame = Buffer20.alloc(4 + encodedMessage.length);
+    const frame = Buffer19.alloc(4 + encodedMessage.length);
     frame.writeUInt32BE(encodedMessage.length, 0);
     encodedMessage.copy(frame, 4);
     this.channel.sendData(frame).catch((err) => {
@@ -8378,7 +8621,7 @@ function buildNativeSftpCapabilities(maxConcurrency) {
 var NATIVE_SFTP_PROVIDER_CAPABILITIES = buildNativeSftpCapabilities(
   NATIVE_SFTP_DEFAULT_MAX_CONCURRENCY
 );
-function createNativeSftpProviderFactory(options = {}) {
+function createSftpProviderFactory(options = {}) {
   validateNativeSftpOptions(options);
   const capabilities = buildNativeSftpCapabilities(
     options.maxConcurrency ?? NATIVE_SFTP_DEFAULT_MAX_CONCURRENCY
@@ -8774,9 +9017,9 @@ function buildNativePublickeyCredential(profile, username) {
   const passphrase = profile.ssh?.passphrase;
   try {
     const privateKey = createPrivateKey({
-      key: Buffer21.isBuffer(keyMaterial) ? keyMaterial : keyMaterial,
+      key: Buffer20.isBuffer(keyMaterial) ? keyMaterial : keyMaterial,
       ...passphrase === void 0 ? {} : {
-        passphrase: Buffer21.isBuffer(passphrase) ? passphrase : passphrase
+        passphrase: Buffer20.isBuffer(passphrase) ? passphrase : passphrase
       }
     });
     return buildPublickeyCredential({ privateKey, username });
@@ -8903,12 +9146,12 @@ function normalizeNativeHostKeyPins(value) {
     const trimmed = pin.trim();
     const hex = trimmed.replace(/:/g, "");
     if (hex.length === 64 && /^[a-f0-9]+$/i.test(hex)) {
-      normalized.add(Buffer21.from(hex, "hex").toString("base64").replace(/=+$/g, ""));
+      normalized.add(Buffer20.from(hex, "hex").toString("base64").replace(/=+$/g, ""));
       continue;
     }
     const bare = trimmed.startsWith("SHA256:") ? trimmed.slice("SHA256:".length) : trimmed;
     const padded = bare.length % 4 === 0 ? bare : `${bare}${"=".repeat(4 - bare.length % 4)}`;
-    normalized.add(Buffer21.from(padded, "base64").toString("base64").replace(/=+$/g, ""));
+    normalized.add(Buffer20.from(padded, "base64").toString("base64").replace(/=+$/g, ""));
   }
   return normalized;
 }
@@ -8918,7 +9161,7 @@ function parseNativeKnownHosts(source) {
   const entries = [];
   let sawNonEmpty = false;
   for (const value of sources) {
-    const text = Buffer21.isBuffer(value) ? value.toString("utf8") : String(value);
+    const text = Buffer20.isBuffer(value) ? value.toString("utf8") : String(value);
     if (text.length === 0) continue;
     sawNonEmpty = true;
     entries.push(...parseKnownHosts(text));
@@ -8991,7 +9234,7 @@ function requireNativeSftpUsername(profile) {
 }
 function resolveNativeSftpTextSecret(value) {
   if (value === void 0) return void 0;
-  const text = Buffer21.isBuffer(value) ? value.toString("utf8") : value;
+  const text = Buffer20.isBuffer(value) ? value.toString("utf8") : value;
   if (text.length === 0) return void 0;
   return text;
 }
@@ -9065,16 +9308,16 @@ export {
   copyBetween,
   createAtomicDeployPlan,
   createBandwidthThrottle,
+  createDefaultRetryPolicy,
   createLocalProviderFactory,
   createMemoryProviderFactory,
-  createNativeSftpProviderFactory,
   createOAuthTokenSecretSource,
   createPooledTransferClient,
   createProgressEvent,
   createProviderTransferExecutor,
   createRemoteBrowser,
   createRemoteManifest,
-  createNativeSftpProviderFactory as createSftpProviderFactory,
+  createSftpProviderFactory,
   createSyncPlan,
   createTransferClient,
   createTransferJobsFromPlan,
@@ -9102,8 +9345,10 @@ export {
   parseRemoteManifest,
   redactCommand,
   redactConnectionProfile,
+  redactErrorForLogging,
   redactObject,
   redactSecretSource,
+  redactUrlForLogging,
   redactValue,
   resolveConnectionProfileSecrets,
   resolveOpenSshHost,