@zero-transfer/sftp 0.4.7 → 0.4.8

package/dist/index.cjs

@@ -60,6 +60,7 @@ __export(sftp_exports, {
   copyBetween: () => copyBetween,
   createAtomicDeployPlan: () => createAtomicDeployPlan,
   createBandwidthThrottle: () => createBandwidthThrottle,
+  createDefaultRetryPolicy: () => createDefaultRetryPolicy,
   createLocalProviderFactory: () => createLocalProviderFactory,
   createMemoryProviderFactory: () => createMemoryProviderFactory,
   createOAuthTokenSecretSource: () => createOAuthTokenSecretSource,
@@ -96,8 +97,10 @@ __export(sftp_exports, {
   parseRemoteManifest: () => parseRemoteManifest,
   redactCommand: () => redactCommand,
   redactConnectionProfile: () => redactConnectionProfile,
+  redactErrorForLogging: () => redactErrorForLogging,
   redactObject: () => redactObject,
   redactSecretSource: () => redactSecretSource,
+  redactUrlForLogging: () => redactUrlForLogging,
   redactValue: () => redactValue,
   resolveConnectionProfileSecrets: () => resolveConnectionProfileSecrets,
   resolveOpenSshHost: () => resolveOpenSshHost,
@@ -118,6 +121,68 @@ module.exports = __toCommonJS(sftp_exports);
 // src/client/ZeroTransfer.ts
 var import_node_events = require("events");
 
+// src/logging/redaction.ts
+var REDACTED = "[REDACTED]";
+var SENSITIVE_KEY_PATTERN = /(?:password|passphrase|privatekey|token|secret|username|user)$/i;
+var SECRET_COMMAND_PATTERN = /^(PASS|USER|ACCT)\s+(.+)$/i;
+var URL_KEY_PATTERN = /(?:url|uri|href)$/i;
+function isSensitiveKey(key) {
+  return SENSITIVE_KEY_PATTERN.test(key.replace(/[_-]/g, ""));
+}
+function redactCommand(command) {
+  return command.replace(SECRET_COMMAND_PATTERN, (_fullMatch, commandName) => {
+    return `${commandName.toUpperCase()} ${REDACTED}`;
+  });
+}
+function redactValue(value) {
+  if (typeof value === "string") {
+    return redactCommand(value);
+  }
+  if (Array.isArray(value)) {
+    return value.map((item) => redactValue(item));
+  }
+  if (value !== null && typeof value === "object") {
+    return redactObject(value);
+  }
+  return value;
+}
+function redactObject(input) {
+  return Object.fromEntries(
+    Object.entries(input).map(([key, value]) => {
+      if (isSensitiveKey(key)) {
+        return [key, REDACTED];
+      }
+      if (URL_KEY_PATTERN.test(key) && typeof value === "string") {
+        return [key, redactUrlForLogging(value)];
+      }
+      return [key, redactValue(value)];
+    })
+  );
+}
+function redactUrlForLogging(url) {
+  let parsed;
+  try {
+    parsed = typeof url === "string" ? new URL(url) : url;
+  } catch {
+    return REDACTED;
+  }
+  const origin = parsed.host.length > 0 ? `${parsed.protocol}//${parsed.host}` : parsed.protocol;
+  const query = parsed.search.length > 0 ? `?${REDACTED}` : "";
+  return `${origin}${parsed.pathname}${query}`;
+}
+function redactErrorForLogging(error) {
+  if (error !== null && typeof error === "object") {
+    const candidate = error;
+    if (typeof candidate.toJSON === "function") {
+      return redactObject(candidate.toJSON());
+    }
+  }
+  if (error instanceof Error) {
+    return redactObject({ message: error.message, name: error.name });
+  }
+  return { message: redactValue(typeof error === "string" ? error : String(error)) };
+}
+
 // src/errors/ZeroTransferError.ts
 var ZeroTransferError = class extends Error {
   /** Stable machine-readable error code. */
@@ -159,6 +224,11 @@ var ZeroTransferError = class extends Error {
   /**
    * Serializes the error into a plain object suitable for logs or API responses.
    *
+   * `details` and `command` are passed through secret redaction so serialized
+   * errors never leak credentials, signed URLs, or raw protocol commands. The
+   * live {@link ZeroTransferError.details | details} property stays unredacted
+   * for programmatic consumers.
+   *
    * @returns A JSON-safe object containing public structured error fields.
    */
   toJSON() {
@@ -168,12 +238,12 @@ var ZeroTransferError = class extends Error {
       message: this.message,
       protocol: this.protocol,
       host: this.host,
-      command: this.command,
+      command: this.command === void 0 ? void 0 : redactCommand(this.command),
       ftpCode: this.ftpCode,
       sftpCode: this.sftpCode,
       path: this.path,
       retryable: this.retryable,
-      details: this.details
+      details: this.details === void 0 ? void 0 : redactObject(this.details)
     };
   }
 };
@@ -696,15 +766,20 @@ var ProviderRegistry = class {
 var TransferClient = class {
   /** Provider registry used by this client. */
   registry;
+  /** Execution defaults applied when call sites omit their own values. */
+  defaults;
   logger;
   /**
    * Creates a transfer client without opening any provider connections.
    *
-   * @param options - Optional registry, provider factories, and logger.
+   * @param options - Optional registry, provider factories, logger, and execution defaults.
    */
   constructor(options = {}) {
     this.registry = options.registry ?? new ProviderRegistry();
     this.logger = options.logger ?? noopLogger;
+    if (options.defaults !== void 0) {
+      this.defaults = { ...options.defaults };
+    }
     for (const provider of options.providers ?? []) {
       this.registry.register(provider);
     }
@@ -1277,18 +1352,25 @@ var TransferEngine = class {
       for (let attemptNumber = 1; attemptNumber <= maxAttempts; attemptNumber += 1) {
         this.throwIfAborted(abortScope.signal, job);
         const attemptStartedAt = this.now();
+        const attemptScope = createAttemptScope(
+          abortScope.signal,
+          options.timeout,
+          job,
+          attemptNumber
+        );
         const context = this.createExecutionContext(
           job,
           attemptNumber,
           attemptStartedAt,
           options,
-          abortScope.signal,
+          attemptScope.signal,
           (bytesTransferred) => {
             latestBytesTransferred = bytesTransferred;
-          }
+          },
+          attemptScope.notifyProgress
         );
         try {
-          const result = await runExecutor(executor, context, abortScope.signal, job);
+          const result = await runExecutor(executor, context, attemptScope.signal, job);
           context.throwIfAborted();
           latestBytesTransferred = result.bytesTransferred;
           const completedAt = this.now();
@@ -1306,16 +1388,27 @@ var TransferEngine = class {
             summarizeError(error)
           );
           attempts.push(attempt);
-          if (error instanceof AbortError || error instanceof TimeoutError) {
+          if (error instanceof AbortError || abortScope.signal?.aborted === true) {
             throw error;
           }
-          const retryInput = { attempt: attemptNumber, error, job };
+          const retryInput = {
+            attempt: attemptNumber,
+            elapsedMs: Math.max(0, completedAt.getTime() - startedAt.getTime()),
+            error,
+            job
+          };
           const shouldRetry = attemptNumber < maxAttempts && (options.retry?.shouldRetry?.(retryInput) ?? isRetryable(error));
           if (shouldRetry) {
             options.retry?.onRetry?.(retryInput);
+            const delayMs = normalizeDelayMs(options.retry?.getDelayMs?.(retryInput));
+            if (delayMs > 0) {
+              await sleepWithAbort(delayMs, abortScope.signal, job);
+            }
             continue;
           }
           throw createTransferFailure(job, error, attempts);
+        } finally {
+          attemptScope.dispose();
         }
       }
       throw createTransferFailure(job, void 0, attempts);
@@ -1323,12 +1416,13 @@ var TransferEngine = class {
       abortScope.dispose();
     }
   }
-  createExecutionContext(job, attempt, startedAt, options, signal, updateBytesTransferred) {
+  createExecutionContext(job, attempt, startedAt, options, signal, updateBytesTransferred, notifyProgress) {
     const context = {
       attempt,
       job,
       reportProgress: (bytesTransferred, totalBytes) => {
         this.throwIfAborted(signal, job);
+        notifyProgress();
         updateBytesTransferred(bytesTransferred);
         const progressInput = {
           bytesTransferred,
@@ -1397,6 +1491,96 @@ function createAbortScope(parentSignal, timeout, job) {
     signal: controller.signal
   };
 }
+function createAttemptScope(parentSignal, timeout, job, attempt) {
+  const attemptTimeoutMs = normalizeTimeoutMs(timeout?.attemptTimeoutMs);
+  const stallTimeoutMs = normalizeTimeoutMs(timeout?.stallTimeoutMs);
+  if (attemptTimeoutMs === void 0 && stallTimeoutMs === void 0) {
+    const scope = {
+      dispose: () => void 0,
+      notifyProgress: () => void 0
+    };
+    if (parentSignal !== void 0) scope.signal = parentSignal;
+    return scope;
+  }
+  const controller = new AbortController();
+  const retryable = timeout?.retryable ?? true;
+  const abortFromParent = () => controller.abort(parentSignal?.reason);
+  if (parentSignal?.aborted === true) {
+    abortFromParent();
+  } else {
+    parentSignal?.addEventListener("abort", abortFromParent, { once: true });
+  }
+  const attemptTimer = attemptTimeoutMs === void 0 ? void 0 : setTimeout(() => {
+    controller.abort(
+      new TimeoutError({
+        details: { attempt, attemptTimeoutMs, jobId: job.id, operation: job.operation },
+        message: `Transfer attempt ${String(attempt)} timed out after ${String(attemptTimeoutMs)}ms: ${job.id}`,
+        retryable
+      })
+    );
+  }, attemptTimeoutMs);
+  let stallTimer;
+  const armStallWatchdog = () => {
+    if (stallTimeoutMs === void 0 || controller.signal.aborted) return;
+    if (stallTimer !== void 0) clearTimeout(stallTimer);
+    stallTimer = setTimeout(() => {
+      controller.abort(
+        new TimeoutError({
+          details: { attempt, jobId: job.id, operation: job.operation, stallTimeoutMs },
+          message: `Transfer attempt ${String(attempt)} stalled (no progress for ${String(stallTimeoutMs)}ms): ${job.id}`,
+          retryable
+        })
+      );
+    }, stallTimeoutMs);
+  };
+  armStallWatchdog();
+  return {
+    dispose: () => {
+      if (attemptTimer !== void 0) clearTimeout(attemptTimer);
+      if (stallTimer !== void 0) clearTimeout(stallTimer);
+      parentSignal?.removeEventListener("abort", abortFromParent);
+    },
+    notifyProgress: armStallWatchdog,
+    signal: controller.signal
+  };
+}
+function sleepWithAbort(delayMs, signal, job) {
+  return new Promise((resolve, reject) => {
+    if (signal === void 0) {
+      setTimeout(resolve, delayMs);
+      return;
+    }
+    if (signal.aborted) {
+      reject(toAbortFailure(signal, job));
+      return;
+    }
+    const rejectAbort = () => {
+      clearTimeout(timer);
+      reject(toAbortFailure(signal, job));
+    };
+    const timer = setTimeout(() => {
+      signal.removeEventListener("abort", rejectAbort);
+      resolve();
+    }, delayMs);
+    signal.addEventListener("abort", rejectAbort, { once: true });
+  });
+}
+function toAbortFailure(signal, job) {
+  if (signal.reason instanceof ZeroTransferError) {
+    return signal.reason;
+  }
+  return new AbortError({
+    details: { jobId: job.id, operation: job.operation },
+    message: `Transfer job aborted: ${job.id}`,
+    retryable: false
+  });
+}
+function normalizeDelayMs(value) {
+  if (value === void 0 || !Number.isFinite(value) || value <= 0) {
+    return 0;
+  }
+  return Math.floor(value);
+}
 function normalizeTimeoutMs(value) {
   if (value === void 0 || !Number.isFinite(value) || value <= 0) {
     return void 0;
@@ -1565,7 +1749,7 @@ async function runRoute(options) {
     const executor = createProviderTransferExecutor({
       resolveSession: ({ role }) => sessions.get(role)
     });
-    return await engine.execute(job, executor, buildExecuteOptions(options));
+    return await engine.execute(job, executor, buildExecuteOptions(options, client));
   } finally {
     if (destinationSession !== void 0) {
       await destinationSession.disconnect();
@@ -1602,12 +1786,14 @@ function defaultJobId(route, now) {
   const timestamp = (now?.() ?? /* @__PURE__ */ new Date()).getTime();
   return `route:${route.id}:${timestamp.toString(36)}`;
 }
-function buildExecuteOptions(options) {
+function buildExecuteOptions(options, client) {
   const execute = {};
+  const retry = options.retry ?? client.defaults?.retry;
+  const timeout = options.timeout ?? client.defaults?.timeout;
   if (options.signal !== void 0) execute.signal = options.signal;
-  if (options.retry !== void 0) execute.retry = options.retry;
+  if (retry !== void 0) execute.retry = retry;
   if (options.onProgress !== void 0) execute.onProgress = options.onProgress;
-  if (options.timeout !== void 0) execute.timeout = options.timeout;
+  if (timeout !== void 0) execute.timeout = timeout;
   if (options.bandwidthLimit !== void 0) execute.bandwidthLimit = options.bandwidthLimit;
   return execute;
 }
@@ -1664,41 +1850,6 @@ function defaultRouteSuffix(source, destination) {
   return `${source}->${destination}`;
 }
 
-// src/logging/redaction.ts
-var REDACTED = "[REDACTED]";
-var SENSITIVE_KEY_PATTERN = /(?:password|passphrase|privatekey|token|secret|username|user)$/i;
-var SECRET_COMMAND_PATTERN = /^(PASS|USER|ACCT)\s+(.+)$/i;
-function isSensitiveKey(key) {
-  return SENSITIVE_KEY_PATTERN.test(key.replace(/[_-]/g, ""));
-}
-function redactCommand(command) {
-  return command.replace(SECRET_COMMAND_PATTERN, (_fullMatch, commandName) => {
-    return `${commandName.toUpperCase()} ${REDACTED}`;
-  });
-}
-function redactValue(value) {
-  if (typeof value === "string") {
-    return redactCommand(value);
-  }
-  if (Array.isArray(value)) {
-    return value.map((item) => redactValue(item));
-  }
-  if (value !== null && typeof value === "object") {
-    return redactObject(value);
-  }
-  return value;
-}
-function redactObject(input) {
-  return Object.fromEntries(
-    Object.entries(input).map(([key, value]) => {
-      if (isSensitiveKey(key)) {
-        return [key, REDACTED];
-      }
-      return [key, redactValue(value)];
-    })
-  );
-}
-
 // src/profiles/SecretSource.ts
 var import_node_buffer2 = require("buffer");
 var import_promises = require("fs/promises");
@@ -2070,11 +2221,11 @@ var import_promises2 = require("fs/promises");
 var import_node_path2 = __toESM(require("path"));
 
 // src/utils/path.ts
-var UNSAFE_FTP_ARGUMENT_PATTERN = /[\r\n]/;
+var UNSAFE_FTP_ARGUMENT_PATTERN = /[\r\n\0]/;
 function assertSafeFtpArgument(value, label = "path") {
   if (UNSAFE_FTP_ARGUMENT_PATTERN.test(value)) {
     throw new ConfigurationError({
-      message: `Unsafe FTP ${label}: CR and LF characters are not allowed`,
+      message: `Unsafe FTP ${label}: CR, LF, and NUL characters are not allowed`,
       retryable: false,
       details: {
         label
@@ -3376,7 +3527,6 @@ function expandAlgorithms(values) {
 }
 
 // src/profiles/importers/FileZillaImporter.ts
-var import_node_buffer5 = require("buffer");
 function importFileZillaSites(xml) {
   const events = tokenizeXml(xml);
   if (events.length === 0) {
@@ -3392,7 +3542,6 @@ function importFileZillaSites(xml) {
   const folderNamePending = [];
   let inServer = false;
   let serverFields = {};
-  let serverPasswordEncoding;
   let activeTag;
   let captureFolderName = false;
   for (const event of events) {
@@ -3405,13 +3554,9 @@ function importFileZillaSites(xml) {
       if (event.name === "Server") {
         inServer = true;
         serverFields = {};
-        serverPasswordEncoding = void 0;
         continue;
       }
       activeTag = event.name;
-      if (event.name === "Pass" && inServer) {
-        serverPasswordEncoding = event.attributes["encoding"];
-      }
       if (event.name === "Name" && !inServer && folderNamePending.length > 0) {
         captureFolderName = true;
       }
@@ -3437,7 +3582,7 @@ function importFileZillaSites(xml) {
       }
       if (event.name === "Server") {
         const folder = folderStack.filter((segment) => segment !== "");
-        const result = buildSiteFromFields(serverFields, serverPasswordEncoding);
+        const result = buildSiteFromFields(serverFields);
         if (result.kind === "site") {
           sites.push({ ...result.site, folder });
         } else {
@@ -3449,7 +3594,6 @@ function importFileZillaSites(xml) {
         }
         inServer = false;
         serverFields = {};
-        serverPasswordEncoding = void 0;
         activeTag = void 0;
         continue;
       }
@@ -3458,7 +3602,7 @@ function importFileZillaSites(xml) {
   }
   return { sites, skipped };
 }
-function buildSiteFromFields(fields, passwordEncoding) {
+function buildSiteFromFields(fields) {
   const name = (fields["Name"] ?? fields["Host"] ?? "Untitled").trim();
   const host = (fields["Host"] ?? "").trim();
   if (host === "") return { kind: "skipped", name };
@@ -3477,18 +3621,9 @@ function buildSiteFromFields(fields, passwordEncoding) {
   }
   const user = fields["User"]?.trim();
   if (user !== void 0 && user !== "") profile.username = { value: user };
-  let password;
   const rawPass = fields["Pass"];
-  if (rawPass !== void 0 && rawPass !== "") {
-    if (passwordEncoding === "base64") {
-      password = import_node_buffer5.Buffer.from(rawPass, "base64").toString("utf8");
-    } else {
-      password = rawPass;
-    }
-    if (password !== void 0 && password !== "") profile.password = { value: password };
-  }
-  const site = { name, profile };
-  if (password !== void 0) site.password = password;
+  const hasStoredPassword = rawPass !== void 0 && rawPass !== "";
+  const site = { hasStoredPassword, name, profile };
   const logonText = fields["Logontype"];
   if (logonText !== void 0) {
     const logonType = Number.parseInt(logonText.trim(), 10);
@@ -3731,6 +3866,62 @@ function mapFtp550(details) {
   return new PermissionDeniedError(details);
 }
 
+// src/transfers/createDefaultRetryPolicy.ts
+var DEFAULT_MAX_ATTEMPTS = 4;
+var DEFAULT_BASE_DELAY_MS = 250;
+var DEFAULT_MAX_DELAY_MS = 3e4;
+var DEFAULT_MAX_ELAPSED_MS = 3e5;
+function createDefaultRetryPolicy(options = {}) {
+  const maxAttempts = normalizePositiveInteger(options.maxAttempts, DEFAULT_MAX_ATTEMPTS);
+  const baseDelayMs = normalizeNonNegative(options.baseDelayMs, DEFAULT_BASE_DELAY_MS);
+  const maxDelayMs = normalizeNonNegative(options.maxDelayMs, DEFAULT_MAX_DELAY_MS);
+  const maxElapsedMs = normalizeNonNegative(options.maxElapsedMs, DEFAULT_MAX_ELAPSED_MS);
+  const random = options.random ?? Math.random;
+  return {
+    getDelayMs(input) {
+      const retryAfterMs = readRetryAfterMs(input.error);
+      if (retryAfterMs !== void 0) {
+        return retryAfterMs;
+      }
+      const exponentialMs = baseDelayMs * 2 ** (input.attempt - 1);
+      const cappedMs = Math.min(maxDelayMs, exponentialMs);
+      return Math.floor(random() * cappedMs);
+    },
+    maxAttempts,
+    shouldRetry(input) {
+      if (!(input.error instanceof ZeroTransferError) || !input.error.retryable) {
+        return false;
+      }
+      if (input.elapsedMs >= maxElapsedMs) {
+        return false;
+      }
+      const retryAfterMs = readRetryAfterMs(input.error);
+      if (retryAfterMs !== void 0 && input.elapsedMs + retryAfterMs > maxElapsedMs) {
+        return false;
+      }
+      return true;
+    }
+  };
+}
+function readRetryAfterMs(error) {
+  if (!(error instanceof ZeroTransferError)) return void 0;
+  const value = error.details?.["retryAfterMs"];
+  if (typeof value !== "number" || !Number.isFinite(value) || value < 0) return void 0;
+  return Math.floor(value);
+}
+function normalizePositiveInteger(value, fallback) {
+  if (value === void 0 || !Number.isFinite(value) || value < 1) {
+    return fallback;
+  }
+  return Math.floor(value);
+}
+function normalizeNonNegative(value, fallback) {
+  if (value === void 0 || !Number.isFinite(value) || value < 0) {
+    return fallback;
+  }
+  return Math.floor(value);
+}
+
 // src/transfers/TransferPlan.ts
 function createTransferPlan(input) {
   const plan = {
@@ -3828,8 +4019,8 @@ var TransferQueue = class {
     this.concurrency = normalizeConcurrency(options.concurrency);
     this.defaultExecutor = options.executor;
     this.resolveExecutor = options.resolveExecutor;
-    this.retry = options.retry;
-    this.timeout = options.timeout;
+    this.retry = options.retry ?? options.client?.defaults?.retry;
+    this.timeout = options.timeout ?? options.client?.defaults?.timeout;
     this.bandwidthLimit = options.bandwidthLimit;
     this.onProgress = options.onProgress;
     this.onReceipt = options.onReceipt;
@@ -4906,12 +5097,12 @@ function isMainModule(importMetaUrl) {
 }
 
 // src/providers/native/sftp/NativeSftpProvider.ts
-var import_node_buffer20 = require("buffer");
+var import_node_buffer19 = require("buffer");
 var import_node_crypto9 = require("crypto");
 var import_node_net = require("net");
 
 // src/protocols/ssh/binary/SshDataWriter.ts
-var import_node_buffer6 = require("buffer");
+var import_node_buffer5 = require("buffer");
 var MAX_UINT32 = 4294967295;
 var MAX_UINT64 = (1n << 64n) - 1n;
 var SshDataWriter = class {
@@ -4919,7 +5110,7 @@ var SshDataWriter = class {
   length = 0;
   writeByte(value) {
     this.assertByte(value, "byte");
-    const chunk = import_node_buffer6.Buffer.alloc(1);
+    const chunk = import_node_buffer5.Buffer.alloc(1);
     chunk.writeUInt8(value, 0);
     return this.push(chunk);
   }
@@ -4927,7 +5118,7 @@ var SshDataWriter = class {
     return this.writeByte(value ? 1 : 0);
   }
   writeBytes(value) {
-    return this.push(import_node_buffer6.Buffer.from(value));
+    return this.push(import_node_buffer5.Buffer.from(value));
   }
   writeUint32(value) {
     if (!Number.isInteger(value) || value < 0 || value > MAX_UINT32) {
@@ -4937,7 +5128,7 @@ var SshDataWriter = class {
         retryable: false
       });
     }
-    const chunk = import_node_buffer6.Buffer.alloc(4);
+    const chunk = import_node_buffer5.Buffer.alloc(4);
     chunk.writeUInt32BE(value, 0);
     return this.push(chunk);
   }
@@ -4949,12 +5140,12 @@ var SshDataWriter = class {
         retryable: false
       });
     }
-    const chunk = import_node_buffer6.Buffer.alloc(8);
+    const chunk = import_node_buffer5.Buffer.alloc(8);
     chunk.writeBigUInt64BE(value, 0);
     return this.push(chunk);
   }
   writeString(value, encoding = "utf8") {
-    const payload = typeof value === "string" ? import_node_buffer6.Buffer.from(value, encoding) : import_node_buffer6.Buffer.from(value);
+    const payload = typeof value === "string" ? import_node_buffer5.Buffer.from(value, encoding) : import_node_buffer5.Buffer.from(value);
     this.writeUint32(payload.length);
     return this.push(payload);
   }
@@ -4976,7 +5167,7 @@ var SshDataWriter = class {
     return this.writeString(values.join(","), "ascii");
   }
   toBuffer() {
-    return import_node_buffer6.Buffer.concat(this.chunks, this.length);
+    return import_node_buffer5.Buffer.concat(this.chunks, this.length);
   }
   push(chunk) {
     this.chunks.push(chunk);
@@ -4994,23 +5185,23 @@ var SshDataWriter = class {
   }
 };
 function normalizePositiveMpint(value) {
-  const input = import_node_buffer6.Buffer.from(value);
+  const input = import_node_buffer5.Buffer.from(value);
   let offset = 0;
   while (offset < input.length && input[offset] === 0) {
     offset += 1;
   }
   if (offset >= input.length) {
-    return import_node_buffer6.Buffer.alloc(0);
+    return import_node_buffer5.Buffer.alloc(0);
   }
   const stripped = input.subarray(offset);
   if ((stripped[0] & 128) === 128) {
-    return import_node_buffer6.Buffer.concat([import_node_buffer6.Buffer.from([0]), stripped]);
+    return import_node_buffer5.Buffer.concat([import_node_buffer5.Buffer.from([0]), stripped]);
   }
   return stripped;
 }
 
 // src/protocols/ssh/binary/SshDataReader.ts
-var import_node_buffer7 = require("buffer");
+var import_node_buffer6 = require("buffer");
 var SshDataReader = class {
   constructor(source) {
     this.source = source;
@@ -5036,18 +5227,18 @@ var SshDataReader = class {
     this.ensureAvailable(length, "bytes");
     const data = this.source.subarray(this.offset, this.offset + length);
     this.offset += length;
-    return import_node_buffer7.Buffer.from(data);
+    return import_node_buffer6.Buffer.from(data);
   }
   readUint32() {
     this.ensureAvailable(4, "uint32");
-    const buffer = import_node_buffer7.Buffer.from(this.source);
+    const buffer = import_node_buffer6.Buffer.from(this.source);
     const value = buffer.readUInt32BE(this.offset);
     this.offset += 4;
     return value;
   }
   readUint64() {
     this.ensureAvailable(8, "uint64");
-    const buffer = import_node_buffer7.Buffer.from(this.source);
+    const buffer = import_node_buffer6.Buffer.from(this.source);
     const value = buffer.readBigUInt64BE(this.offset);
     this.offset += 8;
     return value;
@@ -5057,7 +5248,7 @@ var SshDataReader = class {
     this.ensureAvailable(length, "string");
     const data = this.source.subarray(this.offset, this.offset + length);
     this.offset += length;
-    return import_node_buffer7.Buffer.from(data);
+    return import_node_buffer6.Buffer.from(data);
   }
   readUtf8String() {
     return this.readString().toString("utf8");
@@ -5412,7 +5603,7 @@ function buildKiRequest(args) {
 }
 
 // src/protocols/ssh/auth/SshPublickeyCredentialBuilder.ts
-var import_node_buffer8 = require("buffer");
+var import_node_buffer7 = require("buffer");
 var import_node_crypto2 = require("crypto");
 var ED25519_RAW_KEY_LENGTH = 32;
 var ED25519_SPKI_PREFIX_LENGTH = 12;
@@ -5430,7 +5621,7 @@ function buildPublickeyCredential(options) {
       return {
         algorithmName: "ssh-ed25519",
         publicKeyBlob,
-        sign: (data) => (0, import_node_crypto2.sign)(null, import_node_buffer8.Buffer.from(data), privateKey),
+        sign: (data) => (0, import_node_crypto2.sign)(null, import_node_buffer7.Buffer.from(data), privateKey),
         type: "publickey",
         username
       };
@@ -5448,7 +5639,7 @@ function buildPublickeyCredential(options) {
       return {
         algorithmName,
         publicKeyBlob,
-        sign: (data) => (0, import_node_crypto2.sign)(hash, import_node_buffer8.Buffer.from(data), privateKey),
+        sign: (data) => (0, import_node_crypto2.sign)(hash, import_node_buffer7.Buffer.from(data), privateKey),
         type: "publickey",
         username
       };
@@ -5461,7 +5652,7 @@ function buildPublickeyCredential(options) {
 }
 function base64UrlToMpint(value) {
   const padded = value.replace(/-/g, "+").replace(/_/g, "/");
-  const buffer = import_node_buffer8.Buffer.from(padded, "base64");
+  const buffer = import_node_buffer7.Buffer.from(padded, "base64");
   return buffer;
 }
 function createInvalidKeyError(message) {
@@ -5587,7 +5778,7 @@ function encodeSshChannelClose(recipientChannel) {
 }
 
 // src/protocols/ssh/connection/SshSessionChannel.ts
-var import_node_buffer9 = require("buffer");
+var import_node_buffer8 = require("buffer");
 var INITIAL_WINDOW_SIZE = 256 * 1024;
 var MAX_PACKET_SIZE = 32 * 1024;
 var WINDOW_REFILL_THRESHOLD = 64 * 1024;
@@ -5745,7 +5936,7 @@ var SshSessionChannel = class {
         this.remoteWindowRemaining,
         this.remoteMaxPacketSize
       );
-      const chunk = import_node_buffer9.Buffer.from(data.subarray(offset, offset + chunkSize));
+      const chunk = import_node_buffer8.Buffer.from(data.subarray(offset, offset + chunkSize));
       this.transport.sendPayload(
         encodeSshChannelData({ data: chunk, recipientChannel: this.remoteChannelId })
       );
@@ -6007,10 +6198,10 @@ var SshConnectionManager = class {
 };
 
 // src/protocols/ssh/transport/SshTransportConnection.ts
-var import_node_buffer17 = require("buffer");
+var import_node_buffer16 = require("buffer");
 
 // src/protocols/ssh/transport/SshTransportHandshake.ts
-var import_node_buffer15 = require("buffer");
+var import_node_buffer14 = require("buffer");
 
 // src/protocols/ssh/transport/SshAlgorithmNegotiation.ts
 var DEFAULT_SSH_ALGORITHM_PREFERENCES = {
@@ -6172,12 +6363,12 @@ function parseSshIdentificationLine(line) {
 }
 
 // src/protocols/ssh/transport/SshKexInit.ts
-var import_node_buffer10 = require("buffer");
+var import_node_buffer9 = require("buffer");
 var import_node_crypto3 = require("crypto");
 var SSH_MSG_KEXINIT = 20;
 var KEXINIT_COOKIE_LENGTH = 16;
 function encodeSshKexInitMessage(options) {
-  const cookie = options.cookie === void 0 ? (0, import_node_crypto3.randomBytes)(KEXINIT_COOKIE_LENGTH) : import_node_buffer10.Buffer.from(options.cookie);
+  const cookie = options.cookie === void 0 ? (0, import_node_crypto3.randomBytes)(KEXINIT_COOKIE_LENGTH) : import_node_buffer9.Buffer.from(options.cookie);
   if (cookie.length !== KEXINIT_COOKIE_LENGTH) {
     throw new ConfigurationError({
       details: { actualLength: cookie.length, expectedLength: KEXINIT_COOKIE_LENGTH },
@@ -6247,12 +6438,12 @@ function decodeSshKexInitMessage(payload) {
 }
 
 // src/protocols/ssh/transport/SshKexCurve25519.ts
-var import_node_buffer11 = require("buffer");
+var import_node_buffer10 = require("buffer");
 var import_node_crypto4 = require("crypto");
 var SSH_MSG_KEX_ECDH_INIT = 30;
 var SSH_MSG_KEX_ECDH_REPLY = 31;
 var X25519_PUBLIC_KEY_LENGTH = 32;
-var X25519_SPKI_PREFIX = import_node_buffer11.Buffer.from("302a300506032b656e032100", "hex");
+var X25519_SPKI_PREFIX = import_node_buffer10.Buffer.from("302a300506032b656e032100", "hex");
 function createCurve25519Ephemeral() {
   const { privateKey, publicKey } = (0, import_node_crypto4.generateKeyPairSync)("x25519");
   const encodedPublicKey = exportX25519PublicKeyRaw(publicKey);
@@ -6297,7 +6488,7 @@ function exportX25519PublicKeyRaw(publicKey) {
 }
 function importX25519PublicKeyRaw(raw) {
   const normalized = normalizeX25519PublicKey(raw, "server");
-  const der = import_node_buffer11.Buffer.concat([X25519_SPKI_PREFIX, normalized]);
+  const der = import_node_buffer10.Buffer.concat([X25519_SPKI_PREFIX, normalized]);
   return (0, import_node_crypto4.createPublicKey)({
     format: "der",
     key: der,
@@ -6305,7 +6496,7 @@ function importX25519PublicKeyRaw(raw) {
   });
 }
 function normalizeX25519PublicKey(value, label) {
-  const key = import_node_buffer11.Buffer.from(value);
+  const key = import_node_buffer10.Buffer.from(value);
   if (key.length !== X25519_PUBLIC_KEY_LENGTH) {
     throw new ConfigurationError({
       details: { keyLength: key.length, label },
@@ -6318,7 +6509,7 @@ function normalizeX25519PublicKey(value, label) {
 }
 
 // src/protocols/ssh/transport/SshKeyDerivation.ts
-var import_node_buffer12 = require("buffer");
+var import_node_buffer11 = require("buffer");
 var import_node_crypto5 = require("crypto");
 function deriveSshSessionKeys(input) {
   const hashAlgorithm = resolveKexHashAlgorithm(input.kexAlgorithm);
@@ -6340,7 +6531,7 @@ function deriveSshSessionKeys(input) {
     input.negotiatedAlgorithms.encryptionServerToClient,
     input.negotiatedAlgorithms.macServerToClient
   );
-  const sharedSecret = import_node_buffer12.Buffer.from(input.sharedSecret);
+  const sharedSecret = import_node_buffer11.Buffer.from(input.sharedSecret);
   return {
     clientToServer: {
       encryptionKey: deriveMaterial(
@@ -6390,21 +6581,21 @@ function computeCurve25519ExchangeHash(input, hashAlgorithm) {
 }
 function deriveMaterial(sharedSecret, exchangeHash, sessionId, letter, length, hashAlgorithm) {
   if (length <= 0) {
-    return import_node_buffer12.Buffer.alloc(0);
+    return import_node_buffer11.Buffer.alloc(0);
   }
   const result = [];
   const first2 = (0, import_node_crypto5.createHash)(hashAlgorithm).update(
     new SshDataWriter().writeMpint(sharedSecret).writeBytes(exchangeHash).writeByte(letter.charCodeAt(0)).writeBytes(sessionId).toBuffer()
   ).digest();
   result.push(first2);
-  while (import_node_buffer12.Buffer.concat(result).length < length) {
-    const previous = import_node_buffer12.Buffer.concat(result);
+  while (import_node_buffer11.Buffer.concat(result).length < length) {
+    const previous = import_node_buffer11.Buffer.concat(result);
     const next = (0, import_node_crypto5.createHash)(hashAlgorithm).update(
       new SshDataWriter().writeMpint(sharedSecret).writeBytes(exchangeHash).writeBytes(previous).toBuffer()
     ).digest();
     result.push(next);
   }
-  return import_node_buffer12.Buffer.concat(result).subarray(0, length);
+  return import_node_buffer11.Buffer.concat(result).subarray(0, length);
 }
 function resolveKexHashAlgorithm(kexAlgorithm) {
   if (kexAlgorithm === "curve25519-sha256" || kexAlgorithm === "curve25519-sha256@libssh.org") {
@@ -6492,20 +6683,21 @@ function decodeSshNewKeysMessage(payload) {
 }
 
 // src/protocols/ssh/transport/SshTransportPacket.ts
-var import_node_buffer13 = require("buffer");
+var import_node_buffer12 = require("buffer");
 var import_node_crypto6 = require("crypto");
 var MIN_PADDING_LENGTH = 4;
 var MIN_PACKET_LENGTH = 1 + MIN_PADDING_LENGTH;
+var MAX_SSH_PACKET_LENGTH = 256 * 1024;
 function encodeSshTransportPacket(payload, options = {}) {
-  const body = import_node_buffer13.Buffer.from(payload);
+  const body = import_node_buffer12.Buffer.from(payload);
   const blockSize = normalizeBlockSize(options.blockSize ?? 8);
   let paddingLength = MIN_PADDING_LENGTH;
   while ((1 + body.length + paddingLength + 4) % blockSize !== 0) {
     paddingLength += 1;
   }
-  const padding = options.randomPadding === false ? import_node_buffer13.Buffer.alloc(paddingLength) : (0, import_node_crypto6.randomBytes)(paddingLength);
+  const padding = options.randomPadding === false ? import_node_buffer12.Buffer.alloc(paddingLength) : (0, import_node_crypto6.randomBytes)(paddingLength);
   const packetLength = 1 + body.length + paddingLength;
-  const frame = import_node_buffer13.Buffer.alloc(4 + packetLength);
+  const frame = import_node_buffer12.Buffer.alloc(4 + packetLength);
   frame.writeUInt32BE(packetLength, 0);
   frame.writeUInt8(paddingLength, 4);
   body.copy(frame, 5);
@@ -6513,7 +6705,7 @@ function encodeSshTransportPacket(payload, options = {}) {
   return frame;
 }
 function decodeSshTransportPacket(frame) {
-  const bytes = import_node_buffer13.Buffer.from(frame);
+  const bytes = import_node_buffer12.Buffer.from(frame);
   if (bytes.length < 4 + MIN_PACKET_LENGTH) {
     throw new ParseError({
       details: { length: bytes.length },
@@ -6567,12 +6759,20 @@ function decodeSshTransportPacket(frame) {
   };
 }
 var SshTransportPacketFramer = class {
-  pending = import_node_buffer13.Buffer.alloc(0);
+  pending = import_node_buffer12.Buffer.alloc(0);
   push(chunk) {
-    this.pending = import_node_buffer13.Buffer.concat([this.pending, import_node_buffer13.Buffer.from(chunk)]);
+    this.pending = import_node_buffer12.Buffer.concat([this.pending, import_node_buffer12.Buffer.from(chunk)]);
     const packets = [];
     while (this.pending.length >= 4) {
       const packetLength = this.pending.readUInt32BE(0);
+      if (packetLength > MAX_SSH_PACKET_LENGTH) {
+        throw new ParseError({
+          details: { maxPacketLength: MAX_SSH_PACKET_LENGTH, packetLength },
+          message: "SSH transport packet length exceeds the maximum accepted size",
+          protocol: "sftp",
+          retryable: false
+        });
+      }
       const frameLength = 4 + packetLength;
       if (this.pending.length < frameLength) {
         break;
@@ -6588,8 +6788,8 @@ var SshTransportPacketFramer = class {
   }
   /** Returns and clears any bytes buffered but not yet part of a complete packet. */
   takeRemainingBytes() {
-    const remaining = import_node_buffer13.Buffer.from(this.pending);
-    this.pending = import_node_buffer13.Buffer.alloc(0);
+    const remaining = import_node_buffer12.Buffer.from(this.pending);
+    this.pending = import_node_buffer12.Buffer.alloc(0);
     return remaining;
   }
 };
@@ -6606,10 +6806,10 @@ function normalizeBlockSize(blockSize) {
 }
 
 // src/protocols/ssh/transport/SshHostKeyVerification.ts
-var import_node_buffer14 = require("buffer");
+var import_node_buffer13 = require("buffer");
 var import_node_crypto7 = require("crypto");
 var ED25519_RAW_KEY_LENGTH2 = 32;
-var ED25519_SPKI_PREFIX = import_node_buffer14.Buffer.from("302a300506032b6570032100", "hex");
+var ED25519_SPKI_PREFIX = import_node_buffer13.Buffer.from("302a300506032b6570032100", "hex");
 function verifySshHostKeySignature(input) {
   const { algorithmName, publicKey } = parseHostKey(input.hostKeyBlob);
   const { signatureAlgorithm, signatureBytes } = parseSignatureBlob(input.signatureBlob);
@@ -6622,9 +6822,9 @@ function verifySshHostKeySignature(input) {
     });
   }
   const verified = verifySignature({
-    data: import_node_buffer14.Buffer.from(input.exchangeHash),
+    data: import_node_buffer13.Buffer.from(input.exchangeHash),
     publicKey,
-    signature: import_node_buffer14.Buffer.from(signatureBytes),
+    signature: import_node_buffer13.Buffer.from(signatureBytes),
     signatureAlgorithm
   });
   if (!verified) {
@@ -6653,7 +6853,7 @@ function parseHostKey(blob) {
           retryable: false
         });
       }
-      const spki = import_node_buffer14.Buffer.concat([ED25519_SPKI_PREFIX, raw]);
+      const spki = import_node_buffer13.Buffer.concat([ED25519_SPKI_PREFIX, raw]);
       return {
         algorithmName,
         publicKey: (0, import_node_crypto7.createPublicKey)({ format: "der", key: spki, type: "spki" })
@@ -6759,37 +6959,37 @@ function verifySignature(input) {
 function rsaPublicKeyFromComponents(e, n) {
   const eDer = encodeAsn1Integer(e);
   const nDer = encodeAsn1Integer(n);
-  const rsaPublicKeyDer = encodeAsn1Sequence(import_node_buffer14.Buffer.concat([nDer, eDer]));
-  const bitStringContent = import_node_buffer14.Buffer.concat([import_node_buffer14.Buffer.from([0]), rsaPublicKeyDer]);
-  const bitString = import_node_buffer14.Buffer.concat([
-    import_node_buffer14.Buffer.from([3]),
+  const rsaPublicKeyDer = encodeAsn1Sequence(import_node_buffer13.Buffer.concat([nDer, eDer]));
+  const bitStringContent = import_node_buffer13.Buffer.concat([import_node_buffer13.Buffer.from([0]), rsaPublicKeyDer]);
+  const bitString = import_node_buffer13.Buffer.concat([
+    import_node_buffer13.Buffer.from([3]),
     encodeAsn1Length(bitStringContent.length),
     bitStringContent
   ]);
-  const algoId = import_node_buffer14.Buffer.from("300d06092a864886f70d010101 0500".replace(/\s+/g, ""), "hex");
-  const spki = encodeAsn1Sequence(import_node_buffer14.Buffer.concat([algoId, bitString]));
+  const algoId = import_node_buffer13.Buffer.from("300d06092a864886f70d010101 0500".replace(/\s+/g, ""), "hex");
+  const spki = encodeAsn1Sequence(import_node_buffer13.Buffer.concat([algoId, bitString]));
   return (0, import_node_crypto7.createPublicKey)({ format: "der", key: spki, type: "spki" });
 }
 function encodeAsn1Integer(value) {
   let body = value;
   while (body.length > 1 && body[0] === 0) body = body.subarray(1);
   if (body.length > 0 && (body[0] & 128) !== 0) {
-    body = import_node_buffer14.Buffer.concat([import_node_buffer14.Buffer.from([0]), body]);
+    body = import_node_buffer13.Buffer.concat([import_node_buffer13.Buffer.from([0]), body]);
   }
-  return import_node_buffer14.Buffer.concat([import_node_buffer14.Buffer.from([2]), encodeAsn1Length(body.length), body]);
+  return import_node_buffer13.Buffer.concat([import_node_buffer13.Buffer.from([2]), encodeAsn1Length(body.length), body]);
 }
 function encodeAsn1Sequence(content) {
-  return import_node_buffer14.Buffer.concat([import_node_buffer14.Buffer.from([48]), encodeAsn1Length(content.length), content]);
+  return import_node_buffer13.Buffer.concat([import_node_buffer13.Buffer.from([48]), encodeAsn1Length(content.length), content]);
 }
 function encodeAsn1Length(length) {
-  if (length < 128) return import_node_buffer14.Buffer.from([length]);
+  if (length < 128) return import_node_buffer13.Buffer.from([length]);
   const bytes = [];
   let n = length;
   while (n > 0) {
     bytes.unshift(n & 255);
     n >>>= 8;
   }
-  return import_node_buffer14.Buffer.from([128 | bytes.length, ...bytes]);
+  return import_node_buffer13.Buffer.from([128 | bytes.length, ...bytes]);
 }
 var ECDSA_OID_BY_CURVE = {
   nistp256: "06082a8648ce3d030107",
@@ -6810,15 +7010,15 @@ function ecdsaPublicKeyFromPoint(curveIdentifier, point) {
       retryable: false
     });
   }
-  const algoIdContent = import_node_buffer14.Buffer.from(ECDSA_ALGORITHM_OID_HEX + oidHex, "hex");
+  const algoIdContent = import_node_buffer13.Buffer.from(ECDSA_ALGORITHM_OID_HEX + oidHex, "hex");
   const algoId = encodeAsn1Sequence(algoIdContent);
-  const bitStringContent = import_node_buffer14.Buffer.concat([import_node_buffer14.Buffer.from([0]), point]);
-  const bitString = import_node_buffer14.Buffer.concat([
-    import_node_buffer14.Buffer.from([3]),
+  const bitStringContent = import_node_buffer13.Buffer.concat([import_node_buffer13.Buffer.from([0]), point]);
+  const bitString = import_node_buffer13.Buffer.concat([
+    import_node_buffer13.Buffer.from([3]),
     encodeAsn1Length(bitStringContent.length),
     bitStringContent
   ]);
-  const spki = encodeAsn1Sequence(import_node_buffer14.Buffer.concat([algoId, bitString]));
+  const spki = encodeAsn1Sequence(import_node_buffer13.Buffer.concat([algoId, bitString]));
   return (0, import_node_crypto7.createPublicKey)({ format: "der", key: spki, type: "spki" });
 }
 function sshEcdsaSignatureToDer(sshSignature) {
@@ -6827,7 +7027,7 @@ function sshEcdsaSignatureToDer(sshSignature) {
   const s = reader.readMpint();
   const rDer = encodeAsn1Integer(r);
   const sDer = encodeAsn1Integer(s);
-  return encodeAsn1Sequence(import_node_buffer14.Buffer.concat([rDer, sDer]));
+  return encodeAsn1Sequence(import_node_buffer13.Buffer.concat([rDer, sDer]));
 }
 
 // src/protocols/ssh/transport/SshTransportHandshake.ts
@@ -6859,7 +7059,7 @@ var SshTransportHandshake = class {
   serverIdentification;
   /** Creates the first outbound bytes (client identification line). */
   createInitialClientBytes() {
-    return import_node_buffer15.Buffer.from(`${this.clientIdentificationLine}\r
+    return import_node_buffer14.Buffer.from(`${this.clientIdentificationLine}\r
 `, "ascii");
   }
   /**
@@ -6883,7 +7083,7 @@ var SshTransportHandshake = class {
       }
       return { outbound };
     }
-    return this.pushServerBytesWithPhase(outbound, import_node_buffer15.Buffer.from(chunk));
+    return this.pushServerBytesWithPhase(outbound, import_node_buffer14.Buffer.from(chunk));
   }
   getServerBannerLines() {
     return this.identificationLines;
@@ -6937,12 +7137,12 @@ var SshTransportHandshake = class {
           clientKexInitPayload: this.clientKexInitPayload,
           clientPublicKey: this.pendingCurve25519.publicKey,
           negotiatedAlgorithms,
-          serverHostKey: import_node_buffer15.Buffer.alloc(0),
+          serverHostKey: import_node_buffer14.Buffer.alloc(0),
           serverIdentification: (this.serverIdentification ?? missingServerIdentificationError()).raw,
-          serverKexInitPayload: import_node_buffer15.Buffer.from(packet.payload),
-          serverPublicKey: import_node_buffer15.Buffer.alloc(0),
-          serverSignature: import_node_buffer15.Buffer.alloc(0),
-          sharedSecret: import_node_buffer15.Buffer.alloc(0)
+          serverKexInitPayload: import_node_buffer14.Buffer.from(packet.payload),
+          serverPublicKey: import_node_buffer14.Buffer.alloc(0),
+          serverSignature: import_node_buffer14.Buffer.alloc(0),
+          sharedSecret: import_node_buffer14.Buffer.alloc(0)
         };
         continue;
       }
@@ -7050,24 +7250,54 @@ var SshTransportHandshake = class {
     return { outbound };
   }
 };
+var MAX_IDENTIFICATION_LINE_BYTES = 8192;
+var MAX_PRE_IDENTIFICATION_LINES = 1024;
 var SshIdentificationAccumulator = class {
-  pending = import_node_buffer15.Buffer.alloc(0);
+  pending = import_node_buffer14.Buffer.alloc(0);
+  bannerLineCount = 0;
   push(chunk) {
-    this.pending = import_node_buffer15.Buffer.concat([this.pending, import_node_buffer15.Buffer.from(chunk)]);
+    this.pending = import_node_buffer14.Buffer.concat([this.pending, import_node_buffer14.Buffer.from(chunk)]);
     const bannerLines = [];
     while (true) {
       const lfIndex = this.pending.indexOf(10);
-      if (lfIndex < 0) break;
+      if (lfIndex < 0) {
+        if (this.pending.length > MAX_IDENTIFICATION_LINE_BYTES) {
+          throw new ProtocolError({
+            details: { limitBytes: MAX_IDENTIFICATION_LINE_BYTES },
+            message: "SSH identification line exceeds the maximum accepted length",
+            protocol: "sftp",
+            retryable: false
+          });
+        }
+        break;
+      }
+      if (lfIndex > MAX_IDENTIFICATION_LINE_BYTES) {
+        throw new ProtocolError({
+          details: { limitBytes: MAX_IDENTIFICATION_LINE_BYTES },
+          message: "SSH identification line exceeds the maximum accepted length",
+          protocol: "sftp",
+          retryable: false
+        });
+      }
       const lineText = trimLineEndings(this.pending.subarray(0, lfIndex + 1).toString("ascii"));
-      const remainder = import_node_buffer15.Buffer.from(this.pending.subarray(lfIndex + 1));
+      const remainder = import_node_buffer14.Buffer.from(this.pending.subarray(lfIndex + 1));
       this.pending = remainder;
       if (lineText.startsWith("SSH-")) {
-        this.pending = import_node_buffer15.Buffer.alloc(0);
+        this.pending = import_node_buffer14.Buffer.alloc(0);
         return { bannerLines, identLine: lineText, remainder };
       }
+      this.bannerLineCount += 1;
+      if (this.bannerLineCount > MAX_PRE_IDENTIFICATION_LINES) {
+        throw new ProtocolError({
+          details: { limitLines: MAX_PRE_IDENTIFICATION_LINES },
+          message: "SSH server sent too many pre-identification banner lines",
+          protocol: "sftp",
+          retryable: false
+        });
+      }
       bannerLines.push(lineText);
     }
-    return { bannerLines, remainder: import_node_buffer15.Buffer.alloc(0) };
+    return { bannerLines, remainder: import_node_buffer14.Buffer.alloc(0) };
   }
 };
 function trimLineEndings(value) {
@@ -7095,7 +7325,7 @@ function missingPendingKeyExchangeError() {
 }
 
 // src/protocols/ssh/transport/SshTransportProtection.ts
-var import_node_buffer16 = require("buffer");
+var import_node_buffer15 = require("buffer");
 var import_node_crypto8 = require("crypto");
 function createSshTransportProtectionContext(input) {
   return {
@@ -7152,7 +7382,7 @@ var SshTransportPacketProtector = class {
     );
     const encrypted = this.cipher === void 0 ? clearPacket : this.cipher.update(clearPacket);
     this.sequenceNumber = this.sequenceNumber + 1 >>> 0;
-    return import_node_buffer16.Buffer.concat([encrypted, mac]);
+    return import_node_buffer15.Buffer.concat([encrypted, mac]);
   }
 };
 var SshTransportPacketUnprotector = class {
@@ -7178,7 +7408,7 @@ var SshTransportPacketUnprotector = class {
   sequenceNumber;
   // Streaming framing state for pushBytes()
   framePartialDecrypted;
-  framePendingRaw = import_node_buffer16.Buffer.alloc(0);
+  framePendingRaw = import_node_buffer15.Buffer.alloc(0);
   frameRemainingNeeded;
   getSequenceNumber() {
     return this.sequenceNumber;
@@ -7188,15 +7418,23 @@ var SshTransportPacketUnprotector = class {
    * Maintains internal framing state across calls - pass each `data` event chunk directly.
    */
   pushBytes(chunk) {
-    this.framePendingRaw = import_node_buffer16.Buffer.concat([this.framePendingRaw, chunk]);
+    this.framePendingRaw = import_node_buffer15.Buffer.concat([this.framePendingRaw, chunk]);
     const results = [];
     while (true) {
       if (this.framePartialDecrypted === void 0) {
         if (this.framePendingRaw.length < this.blockLength) break;
         const firstBlock = this.framePendingRaw.subarray(0, this.blockLength);
-        this.framePendingRaw = import_node_buffer16.Buffer.from(this.framePendingRaw.subarray(this.blockLength));
-        this.framePartialDecrypted = this.decipher ? import_node_buffer16.Buffer.from(this.decipher.update(firstBlock)) : import_node_buffer16.Buffer.from(firstBlock);
+        this.framePendingRaw = import_node_buffer15.Buffer.from(this.framePendingRaw.subarray(this.blockLength));
+        this.framePartialDecrypted = this.decipher ? import_node_buffer15.Buffer.from(this.decipher.update(firstBlock)) : import_node_buffer15.Buffer.from(firstBlock);
         const packetLength = this.framePartialDecrypted.readUInt32BE(0);
+        if (packetLength > MAX_SSH_PACKET_LENGTH) {
+          throw new ProtocolError({
+            details: { maxPacketLength: MAX_SSH_PACKET_LENGTH, packetLength },
+            message: "SSH encrypted packet length exceeds the maximum accepted size",
+            protocol: "sftp",
+            retryable: false
+          });
+        }
         const remaining = 4 + packetLength - this.blockLength + this.macLength;
         if (remaining < 0) {
           throw new ProtocolError({
@@ -7212,9 +7450,9 @@ var SshTransportPacketUnprotector = class {
       if (this.framePendingRaw.length < needed) break;
       const encryptedRest = this.framePendingRaw.subarray(0, needed - this.macLength);
       const receivedMac = this.framePendingRaw.subarray(needed - this.macLength, needed);
-      this.framePendingRaw = import_node_buffer16.Buffer.from(this.framePendingRaw.subarray(needed));
-      const decryptedRest = encryptedRest.length > 0 ? this.decipher ? import_node_buffer16.Buffer.from(this.decipher.update(encryptedRest)) : import_node_buffer16.Buffer.from(encryptedRest) : import_node_buffer16.Buffer.alloc(0);
-      const clearPacket = import_node_buffer16.Buffer.concat([this.framePartialDecrypted, decryptedRest]);
+      this.framePendingRaw = import_node_buffer15.Buffer.from(this.framePendingRaw.subarray(needed));
+      const decryptedRest = encryptedRest.length > 0 ? this.decipher ? import_node_buffer15.Buffer.from(this.decipher.update(encryptedRest)) : import_node_buffer15.Buffer.from(encryptedRest) : import_node_buffer15.Buffer.alloc(0);
+      const clearPacket = import_node_buffer15.Buffer.concat([this.framePartialDecrypted, decryptedRest]);
       const expectedMac = computeMac(
         this.macAlgorithm,
         this.options.keys.macKey,
@@ -7237,7 +7475,7 @@ var SshTransportPacketUnprotector = class {
     return results;
   }
   unprotectPayload(packet) {
-    const frame = import_node_buffer16.Buffer.from(packet);
+    const frame = import_node_buffer15.Buffer.from(packet);
     if (frame.length < this.macLength) {
       throw new ProtocolError({
         details: { length: frame.length, macLength: this.macLength },
@@ -7378,10 +7616,10 @@ function resolveMacLength(encryptionAlgorithm, macAlgorithm) {
 }
 function computeMac(macAlgorithm, macKey, sequence, packet, macLength) {
   if (macLength === 0) {
-    return import_node_buffer16.Buffer.alloc(0);
+    return import_node_buffer15.Buffer.alloc(0);
   }
   const hashName = macAlgorithm === "hmac-sha2-512" ? "sha512" : "sha256";
-  const sequenceBuffer = import_node_buffer16.Buffer.alloc(4);
+  const sequenceBuffer = import_node_buffer15.Buffer.alloc(4);
   sequenceBuffer.writeUInt32BE(sequence >>> 0, 0);
   return (0, import_node_crypto8.createHmac)(hashName, macKey).update(sequenceBuffer).update(packet).digest().subarray(0, macLength);
 }
@@ -7588,7 +7826,7 @@ var SshTransportConnection = class {
    */
   sendPayload(payload) {
     this.assertConnected();
-    const frame = this.protector.protectPayload(import_node_buffer17.Buffer.from(payload));
+    const frame = this.protector.protectPayload(import_node_buffer16.Buffer.from(payload));
     this.socket.write(frame);
     this.resetKeepaliveTimer();
   }
@@ -7746,7 +7984,7 @@ function parseDisconnectPayload(payload) {
 }
 
 // src/protocols/sftp/v3/SftpSession.ts
-var import_node_buffer19 = require("buffer");
+var import_node_buffer18 = require("buffer");
 
 // src/protocols/sftp/v3/SftpAttributes.ts
 var SFTP_ATTR_FLAG = {
@@ -7819,7 +8057,8 @@ function decodeSftpAttributesFromReader(reader) {
 }
 
 // src/protocols/sftp/v3/SftpPacket.ts
-var import_node_buffer18 = require("buffer");
+var import_node_buffer17 = require("buffer");
+var MAX_SFTP_PACKET_LENGTH = 256 * 1024;
 var SFTP_PACKET_TYPE = {
   ATTRS: 105,
   CLOSE: 4,
@@ -7850,7 +8089,7 @@ var SFTP_PACKET_TYPE = {
   WRITE: 6
 };
 function decodeSftpPacket(frame) {
-  const bytes = import_node_buffer18.Buffer.from(frame);
+  const bytes = import_node_buffer17.Buffer.from(frame);
   if (bytes.length < 5) {
     throw new ParseError({
       details: { length: bytes.length },
@@ -7873,12 +8112,19 @@ function decodeSftpPacket(frame) {
   };
 }
 var SftpPacketFramer = class {
-  pending = import_node_buffer18.Buffer.alloc(0);
+  pending = import_node_buffer17.Buffer.alloc(0);
   push(chunk) {
-    this.pending = import_node_buffer18.Buffer.concat([this.pending, import_node_buffer18.Buffer.from(chunk)]);
+    this.pending = import_node_buffer17.Buffer.concat([this.pending, import_node_buffer17.Buffer.from(chunk)]);
     const packets = [];
     while (this.pending.length >= 4) {
       const bodyLength = this.pending.readUInt32BE(0);
+      if (bodyLength > MAX_SFTP_PACKET_LENGTH) {
+        throw new ParseError({
+          details: { bodyLength, maxPacketLength: MAX_SFTP_PACKET_LENGTH },
+          message: "SFTP packet length exceeds the maximum accepted size",
+          retryable: false
+        });
+      }
       const frameLength = 4 + bodyLength;
       if (this.pending.length < frameLength) {
         break;
@@ -8333,7 +8579,7 @@ var SftpSession = class {
    * serializes concurrent calls so byte ordering is preserved.
    */
   sendRaw(encodedMessage, requestId) {
-    const frame = import_node_buffer19.Buffer.alloc(4 + encodedMessage.length);
+    const frame = import_node_buffer18.Buffer.alloc(4 + encodedMessage.length);
     frame.writeUInt32BE(encodedMessage.length, 0);
     encodedMessage.copy(frame, 4);
     this.channel.sendData(frame).catch((err) => {
@@ -8876,9 +9122,9 @@ function buildNativePublickeyCredential(profile, username) {
   const passphrase = profile.ssh?.passphrase;
   try {
     const privateKey = (0, import_node_crypto9.createPrivateKey)({
-      key: import_node_buffer20.Buffer.isBuffer(keyMaterial) ? keyMaterial : keyMaterial,
+      key: import_node_buffer19.Buffer.isBuffer(keyMaterial) ? keyMaterial : keyMaterial,
       ...passphrase === void 0 ? {} : {
-        passphrase: import_node_buffer20.Buffer.isBuffer(passphrase) ? passphrase : passphrase
+        passphrase: import_node_buffer19.Buffer.isBuffer(passphrase) ? passphrase : passphrase
       }
     });
     return buildPublickeyCredential({ privateKey, username });
@@ -9005,12 +9251,12 @@ function normalizeNativeHostKeyPins(value) {
     const trimmed = pin.trim();
     const hex = trimmed.replace(/:/g, "");
     if (hex.length === 64 && /^[a-f0-9]+$/i.test(hex)) {
-      normalized.add(import_node_buffer20.Buffer.from(hex, "hex").toString("base64").replace(/=+$/g, ""));
+      normalized.add(import_node_buffer19.Buffer.from(hex, "hex").toString("base64").replace(/=+$/g, ""));
       continue;
     }
     const bare = trimmed.startsWith("SHA256:") ? trimmed.slice("SHA256:".length) : trimmed;
     const padded = bare.length % 4 === 0 ? bare : `${bare}${"=".repeat(4 - bare.length % 4)}`;
-    normalized.add(import_node_buffer20.Buffer.from(padded, "base64").toString("base64").replace(/=+$/g, ""));
+    normalized.add(import_node_buffer19.Buffer.from(padded, "base64").toString("base64").replace(/=+$/g, ""));
   }
   return normalized;
 }
@@ -9020,7 +9266,7 @@ function parseNativeKnownHosts(source) {
   const entries = [];
   let sawNonEmpty = false;
   for (const value of sources) {
-    const text = import_node_buffer20.Buffer.isBuffer(value) ? value.toString("utf8") : String(value);
+    const text = import_node_buffer19.Buffer.isBuffer(value) ? value.toString("utf8") : String(value);
     if (text.length === 0) continue;
     sawNonEmpty = true;
     entries.push(...parseKnownHosts(text));
@@ -9093,7 +9339,7 @@ function requireNativeSftpUsername(profile) {
 }
 function resolveNativeSftpTextSecret(value) {
   if (value === void 0) return void 0;
-  const text = import_node_buffer20.Buffer.isBuffer(value) ? value.toString("utf8") : value;
+  const text = import_node_buffer19.Buffer.isBuffer(value) ? value.toString("utf8") : value;
   if (text.length === 0) return void 0;
   return text;
 }
@@ -9168,6 +9414,7 @@ function validateNativeSftpOptions(options) {
   copyBetween,
   createAtomicDeployPlan,
   createBandwidthThrottle,
+  createDefaultRetryPolicy,
   createLocalProviderFactory,
   createMemoryProviderFactory,
   createOAuthTokenSecretSource,
@@ -9204,8 +9451,10 @@ function validateNativeSftpOptions(options) {
   parseRemoteManifest,
   redactCommand,
   redactConnectionProfile,
+  redactErrorForLogging,
   redactObject,
   redactSecretSource,
+  redactUrlForLogging,
   redactValue,
   resolveConnectionProfileSecrets,
   resolveOpenSshHost,