@zintrust/core 0.1.19 → 0.1.21

package/src/security/Sanitizer.js

@@ -0,0 +1,412 @@
+/**
+ * Input Sanitizer (Character Whitelisting)
+ *
+ * Provides small utilities to remove unwanted characters from user input.
+ *
+ * Important:
+ * - This is NOT a complete SQL injection defense.
+ * - Always use parameterized queries / the ORM / QueryBuilder.
+ *
+ * Use this for:
+ * - Normalizing identifiers (username, slug-ish strings)
+ * - Cleaning phone numbers / numeric strings
+ * - Reducing unexpected characters before storage/logging
+ *
+ * Bulletproof Mode:
+ * - Enabled by default (`bulletproof=true`) for security-critical methods
+ * - Throws SanitizerError instead of returning empty/invalid values
+ * - Validates numeric ranges, leading zeros, type coercion attacks
+ * - ~5-15% performance overhead; disable for performance-critical paths
+ */
+import { ErrorFactory } from '../exceptions/ZintrustError.js';
+const MAX_NUMERIC_INPUT_LEN = 64;
+const MAX_EMAIL_LEN = 254;
+const MAX_NAME_LEN = 200;
+const MAX_PASSWORD_LEN = 256;
+const assertMaxLen = (method, label, value, maxLen) => {
+    if (value.length <= maxLen)
+        return;
+    throw ErrorFactory.createSanitizerError(method, `${label} too long`, value);
+};
+const isEmpty = (value) => {
+    // Preserve legacy semantics: treat 0 and "0" as empty.
+    return (value === null ||
+        value === undefined ||
+        value === false ||
+        value === 0 ||
+        value === '' ||
+        value === '0');
+};
+const toStr = (value) => {
+    return String(value ?? '');
+};
+const stripSpaces = (value) => {
+    return toStr(value).replaceAll(' ', '');
+};
+const sanitize = (value, pattern, stripSpace = false) => {
+    const input = stripSpace ? stripSpaces(value) : toStr(value);
+    return input.replace(pattern, '');
+};
+const isNumericString = (value) => {
+    const trimmed = value.trim();
+    if (trimmed.length === 0)
+        return false;
+    const n = Number(trimmed);
+    return Number.isFinite(n);
+};
+const parseAmount = (value, bulletproof = true) => {
+    if (isEmpty(value))
+        return 0;
+    const cleaned = sanitize(value, /[^0-9.-]/g, true);
+    const num = Number(cleaned);
+    if (bulletproof) {
+        // Handle string edge cases - check original value
+        const str = String(value);
+        const trimmed = str.trim();
+        assertMaxLen('parseAmount', 'Input', trimmed, MAX_NUMERIC_INPUT_LEN);
+        // Reject explicit plus sign prefixes (type confusion)
+        if (trimmed.startsWith('+')) {
+            throw ErrorFactory.createSanitizerError('parseAmount', 'Plus sign not allowed', value);
+        }
+        // Reject "Infinity", "-Infinity", "NaN" explicitly
+        if (/^[+-]?infinity$/i.test(trimmed) || /^nan$/i.test(trimmed)) {
+            throw ErrorFactory.createSanitizerError('parseAmount', 'Non-finite number', value);
+        }
+        // Reject scientific notation (e.g., "1e308", "2.5e10")
+        if (/[eE]/.test(trimmed)) {
+            throw ErrorFactory.createSanitizerError('parseAmount', 'Scientific notation not allowed', value);
+        }
+        assertMaxLen('parseAmount', 'Sanitized numeric', cleaned, MAX_NUMERIC_INPUT_LEN);
+        // Require a strict numeric shape after sanitization (prevents "1-2" -> NaN etc.)
+        if (!/^-?\d+(?:\.\d+)?$/.test(cleaned)) {
+            throw ErrorFactory.createSanitizerError('parseAmount', 'Invalid numeric format', value);
+        }
+        // Reject Infinity, NaN, and overflow attacks
+        if (!Number.isFinite(num)) {
+            throw ErrorFactory.createSanitizerError('parseAmount', 'Non-finite number', value);
+        }
+        if (Math.abs(num) > Number.MAX_SAFE_INTEGER) {
+            throw ErrorFactory.createSanitizerError('parseAmount', 'Number exceeds safe integer range', value);
+        }
+    }
+    return Number.isFinite(num) ? num : 0;
+};
+const alphanumeric = (value) => {
+    if (isEmpty(value))
+        return '';
+    return sanitize(value, /[^A-Za-z0-9]/g, true);
+};
+const alphanumericDotDash = (value) => {
+    if (isEmpty(value))
+        return '';
+    return sanitize(value, /[^A-Za-z0-9\-.]/g, true);
+};
+const validateNonNegativeNumericStringPreSanitization = (trimmed, value) => {
+    assertMaxLen('nonNegativeNumericStringOrNull', 'Input', trimmed, MAX_NUMERIC_INPUT_LEN);
+    // Reject explicit plus sign prefixes (type confusion)
+    if (trimmed.startsWith('+')) {
+        throw ErrorFactory.createSanitizerError('nonNegativeNumericStringOrNull', 'Plus sign not allowed', value);
+    }
+    // Reject scientific notation before sanitization can mask it
+    if (/[eE]/.test(trimmed)) {
+        throw ErrorFactory.createSanitizerError('nonNegativeNumericStringOrNull', 'Scientific notation not allowed', value);
+    }
+};
+const validateNonNegativeNumericStringPostSanitization = (da, value) => {
+    assertMaxLen('nonNegativeNumericStringOrNull', 'Sanitized numeric', da, MAX_NUMERIC_INPUT_LEN);
+    // Strict shape: allow optional leading '-' and optional fractional part.
+    if (!/^-?\d+(?:\.\d+)?$/.test(da)) {
+        throw ErrorFactory.createSanitizerError('nonNegativeNumericStringOrNull', 'Invalid numeric format', value);
+    }
+    // For integers (no decimal point), validate leading zeros
+    if (da.includes('.')) {
+        // For decimals, only check overflow
+        const num = Number(da);
+        if (Math.abs(num) > Number.MAX_SAFE_INTEGER) {
+            throw ErrorFactory.createSanitizerError('nonNegativeNumericStringOrNull', 'Number exceeds safe integer range', value);
+        }
+    }
+    else {
+        const numericId = Number.parseInt(da, 10);
+        if (!Number.isFinite(numericId) ||
+            numericId < 0 ||
+            numericId > Number.MAX_SAFE_INTEGER ||
+            numericId.toString() !== da) {
+            throw ErrorFactory.createSanitizerError('nonNegativeNumericStringOrNull', 'Invalid numeric format (leading zeros, overflow, or type mismatch)', value);
+        }
+    }
+};
+const nonNegativeNumericStringOrNull = (value, bulletproof = true) => {
+    if (isEmpty(value))
+        return 0;
+    const raw = stripSpaces(value);
+    if (bulletproof) {
+        const trimmed = raw.trim();
+        validateNonNegativeNumericStringPreSanitization(trimmed, value);
+    }
+    const da = raw.replaceAll(/[^0-9\-.]/g, '');
+    const numeric = isNumericString(da);
+    if (numeric && Number(da) < 0)
+        return 0;
+    if (!numeric) {
+        return null;
+    }
+    if (bulletproof) {
+        validateNonNegativeNumericStringPostSanitization(da, value);
+    }
+    return da;
+};
+const digitsOnly = (value, bulletproof = true) => {
+    // Special handling for '0' string
+    if (value === '0') {
+        if (bulletproof) {
+            throw ErrorFactory.createSanitizerError('digitsOnly', 'Invalid numeric ID (zero, negative, overflow, or leading zeros)', value);
+        }
+        return '0';
+    }
+    if (isEmpty(value))
+        return '';
+    const da = sanitize(value, /\D/g);
+    if (bulletproof) {
+        assertMaxLen('digitsOnly', 'Sanitized numeric', da, 16);
+        // After removing non-digits, check if result is empty
+        if (da.length === 0) {
+            throw ErrorFactory.createSanitizerError('digitsOnly', 'Empty result after removing non-digits', value);
+        }
+        // Check for special characters that get stripped (like +)
+        const str = String(value);
+        if (/^[+-]/.test(str.trim())) {
+            throw ErrorFactory.createSanitizerError('digitsOnly', 'Invalid numeric ID (starts with +/- sign)', value);
+        }
+        const numericId = Number.parseInt(da, 10);
+        if (!Number.isFinite(numericId) ||
+            numericId <= 0 ||
+            numericId > Number.MAX_SAFE_INTEGER ||
+            numericId.toString() !== da) {
+            throw ErrorFactory.createSanitizerError('digitsOnly', 'Invalid numeric ID (zero, negative, overflow, or leading zeros)', value);
+        }
+    }
+    return da.replaceAll(' ', '');
+};
+const validateDecimalStringPreSanitization = (trimmed, value) => {
+    assertMaxLen('decimalString', 'Input', trimmed, MAX_NUMERIC_INPUT_LEN);
+    // Reject explicit plus/minus prefixes and scientific notation (type confusion)
+    if (/^[+-]/.test(trimmed)) {
+        throw ErrorFactory.createSanitizerError('decimalString', 'Signed values not allowed', value);
+    }
+    if (/[eE]/.test(trimmed)) {
+        throw ErrorFactory.createSanitizerError('decimalString', 'Scientific notation not allowed', value);
+    }
+};
+const validateDecimalStringPostSanitization = (result, cleaned, value) => {
+    assertMaxLen('decimalString', 'Sanitized numeric', cleaned, MAX_NUMERIC_INPUT_LEN);
+    if (result.length === 0) {
+        throw ErrorFactory.createSanitizerError('decimalString', 'Empty result after sanitization', value);
+    }
+    if (!/^\d+(?:\.\d+)?$/.test(result)) {
+        throw ErrorFactory.createSanitizerError('decimalString', 'Invalid decimal format', value);
+    }
+    const num = Number(result);
+    if (!Number.isFinite(num)) {
+        throw ErrorFactory.createSanitizerError('decimalString', 'Non-numeric decimal value', value);
+    }
+    if (Math.abs(num) > Number.MAX_SAFE_INTEGER) {
+        throw ErrorFactory.createSanitizerError('decimalString', 'Decimal value exceeds safe range', value);
+    }
+};
+const decimalString = (value, bulletproof = true) => {
+    if (isEmpty(value))
+        return '';
+    if (bulletproof) {
+        const trimmed = String(value).trim();
+        validateDecimalStringPreSanitization(trimmed, value);
+    }
+    // Allow only valid decimal format: digits and at most one decimal point
+    const cleaned = sanitize(value, /[^0-9.]/g);
+    const parts = cleaned.split('.');
+    // Bulletproof mode: reject multiple decimal points rather than merging.
+    // Legacy/unsafe mode: normalize by keeping the first decimal point.
+    let result;
+    if (parts.length > 2) {
+        result = bulletproof ? '' : `${parts[0]}.${parts.slice(1).join('')}`;
+    }
+    else {
+        result = cleaned;
+    }
+    if (bulletproof) {
+        validateDecimalStringPostSanitization(result, cleaned, value);
+    }
+    return result;
+};
+const numericDotOnly = (value) => {
+    if (isEmpty(value))
+        return '';
+    return sanitize(value, /[^0-9.]/g);
+};
+const createBasicSanitizers = () => {
+    return {
+        parseAmount,
+        alphanumeric,
+        alphanumericDotDash,
+        nonNegativeNumericStringOrNull,
+        digitsOnly,
+        decimalString,
+        numericDotOnly,
+    };
+};
+const addressTextSanitizer = (value) => {
+    if (isEmpty(value))
+        return '';
+    return sanitize(value, /[^A-Za-z0-9\-.@+, _]/g);
+};
+const emailLikeSanitizer = (value) => {
+    if (isEmpty(value))
+        return '';
+    return sanitize(value, /[^A-Za-z0-9\-.@+_]/g);
+};
+const emailSanitizer = (value, bulletproof = true) => {
+    if (isEmpty(value))
+        return '';
+    const result = sanitize(value, /[^A-Za-z0-9\-.@_]/g);
+    if (bulletproof) {
+        const trimmed = result.trim();
+        assertMaxLen('email', 'Email', trimmed, MAX_EMAIL_LEN);
+        if (trimmed.length === 0) {
+            throw ErrorFactory.createSanitizerError('email', 'Empty result after sanitization', value);
+        }
+        if (!trimmed.includes('@')) {
+            throw ErrorFactory.createSanitizerError('email', 'Missing @ symbol in email', value);
+        }
+        // Basic validation: something@something
+        const parts = trimmed.split('@');
+        if (parts.length !== 2 || parts[0].length === 0 || parts[1].length === 0) {
+            throw ErrorFactory.createSanitizerError('email', 'Invalid email format', value);
+        }
+    }
+    return result;
+};
+const messageTextSanitizer = (value) => {
+    if (isEmpty(value))
+        return '';
+    return sanitize(value, /[^A-Za-z0-9\-.@+_&$%!,()? ]/g);
+};
+const nameTextSanitizer = (value, bulletproof = true) => {
+    if (isEmpty(value))
+        return '';
+    const result = sanitize(value, /[^A-Za-z0-9 .]/g);
+    if (bulletproof) {
+        const trimmed = result.trim();
+        assertMaxLen('nameText', 'Name', trimmed, MAX_NAME_LEN);
+        if (trimmed.length === 0) {
+            throw ErrorFactory.createSanitizerError('nameText', 'Empty or whitespace-only result', value);
+        }
+        // Names should have at least one letter
+        if (!/[A-Za-z]/.test(trimmed)) {
+            throw ErrorFactory.createSanitizerError('nameText', 'Name must contain at least one letter', value);
+        }
+    }
+    return result;
+};
+const wordCharsAndSpacesSanitizer = (value) => {
+    if (isEmpty(value))
+        return '';
+    return sanitize(value, /[^A-Za-z0-9_\s]/g);
+};
+const safePasswordCharsSanitizer = (value, bulletproof = true) => {
+    if (isEmpty(value))
+        return '';
+    const result = sanitize(value, /[^!@#$%&*/\sA-Za-z0-9_]/g);
+    if (bulletproof) {
+        const trimmed = result.trim();
+        assertMaxLen('safePasswordChars', 'Password', trimmed, MAX_PASSWORD_LEN);
+        if (trimmed.length === 0) {
+            throw ErrorFactory.createSanitizerError('safePasswordChars', 'Empty result after sanitization', value);
+        }
+    }
+    return result;
+};
+const createTextSanitizers = () => {
+    return {
+        addressText: addressTextSanitizer,
+        emailLike: emailLikeSanitizer,
+        email: emailSanitizer,
+        messageText: messageTextSanitizer,
+        nameText: nameTextSanitizer,
+        wordCharsAndSpaces: wordCharsAndSpacesSanitizer,
+        safePasswordChars: safePasswordCharsSanitizer,
+    };
+};
+const createSpecializedSanitizers = () => {
+    const ipAddressText = (value) => {
+        if (isEmpty(value))
+            return '';
+        return sanitize(value, /[^A-Za-z0-9:.]/g);
+    };
+    const alphaNumericColonDash = (value) => {
+        if (isEmpty(value))
+            return '';
+        return sanitize(value, /[^A-Za-z0-9:-]/g);
+    };
+    const dateSlash = (value) => {
+        if (isEmpty(value))
+            return '';
+        return sanitize(value, /[^0-9/]/g);
+    };
+    const lowercaseAlphanumeric = (value) => {
+        if (isEmpty(value))
+            return '';
+        return sanitize(value, /[^A-Za-z0-9]/g).toLowerCase();
+    };
+    const uppercaseAlphanumeric = (value) => {
+        if (isEmpty(value))
+            return '';
+        return sanitize(value, /[^A-Za-z0-9]/g).toUpperCase();
+    };
+    const alphanumericNoSpaces = (value) => {
+        if (isEmpty(value))
+            return '';
+        return sanitize(value, /[^A-Za-z0-9 ]/g, true);
+    };
+    const dateSlashNoSpaces = (value) => {
+        if (isEmpty(value))
+            return '';
+        return sanitize(value, /[^0-9/]/g, true);
+    };
+    // Legacy naming was misleading; this is closer to a "uuid/token safe" whitelist.
+    const uuidTokenSafe = (value) => {
+        if (isEmpty(value))
+            return '';
+        return sanitize(value, /[^A-Za-z0-9\-=]/g, true);
+    };
+    // Base64url-like (plus "=") token whitelisting.
+    const tokenSafe = (value) => {
+        if (isEmpty(value))
+            return '';
+        return sanitize(value, /[^A-Za-z0-9\-=_]/g, true);
+    };
+    const keyLike = (value) => {
+        if (isEmpty(value))
+            return '';
+        return sanitize(value, /[^A-Za-z0-9\-:. ]/g, true);
+    };
+    return {
+        ipAddressText,
+        alphaNumericColonDash,
+        dateSlash,
+        lowercaseAlphanumeric,
+        uppercaseAlphanumeric,
+        alphanumericNoSpaces,
+        dateSlashNoSpaces,
+        uuidTokenSafe,
+        tokenSafe,
+        keyLike,
+    };
+};
+export const createSanitizer = () => {
+    return Object.freeze({
+        ...createBasicSanitizers(),
+        ...createTextSanitizers(),
+        ...createSpecializedSanitizers(),
+    });
+};
+export const Sanitizer = createSanitizer();

package/src/security/TokenRevocation.d.ts

@@ -0,0 +1,7 @@
+type AuthorizationHeader = string | string[] | undefined;
+export declare const TokenRevocation: Readonly<{
+    revoke(header: AuthorizationHeader): string | null;
+    isRevoked(token: string): boolean;
+}>;
+export default TokenRevocation;
+//# sourceMappingURL=TokenRevocation.d.ts.map

package/src/security/TokenRevocation.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"TokenRevocation.d.ts","sourceRoot":"","sources":["../../../src/security/TokenRevocation.ts"],"names":[],"mappings":"AAGA,KAAK,mBAAmB,GAAG,MAAM,GAAG,MAAM,EAAE,GAAG,SAAS,CAAC;AAsCzD,eAAO,MAAM,eAAe;mBACX,mBAAmB,GAAG,MAAM,GAAG,IAAI;qBASjC,MAAM,GAAG,OAAO;EAUjC,CAAC;AAEH,eAAe,eAAe,CAAC"}

package/src/security/TokenRevocation.js

@@ -0,0 +1,57 @@
+import { securityConfig } from '../config/security.js';
+import { JwtManager } from './JwtManager.js';
+const revokedTokens = new Map();
+const defaultTtlMs = Math.max(securityConfig.jwt.expiresIn * 1000, 60_000);
+const getBearerToken = (header) => {
+    const value = Array.isArray(header) ? header[0] : header;
+    if (typeof value !== 'string')
+        return null;
+    const [scheme, token] = value.trim().split(' ');
+    if (scheme.toLowerCase() !== 'bearer')
+        return null;
+    if (typeof token !== 'string' || token.trim() === '')
+        return null;
+    return token;
+};
+const cleanupExpired = () => {
+    const now = Date.now();
+    for (const [token, expiresAt] of revokedTokens.entries()) {
+        if (expiresAt <= now) {
+            revokedTokens.delete(token);
+        }
+    }
+};
+const resolveExpiryMs = (token) => {
+    try {
+        const payload = JwtManager.create().decode(token);
+        if (typeof payload.exp === 'number' && Number.isFinite(payload.exp)) {
+            return payload.exp * 1000;
+        }
+    }
+    catch {
+        // ignore decode errors; fallback to default TTL
+    }
+    return Date.now() + defaultTtlMs;
+};
+export const TokenRevocation = Object.freeze({
+    revoke(header) {
+        const token = getBearerToken(header);
+        if (token === null)
+            return null;
+        cleanupExpired();
+        revokedTokens.set(token, resolveExpiryMs(token));
+        return token;
+    },
+    isRevoked(token) {
+        cleanupExpired();
+        const expiresAt = revokedTokens.get(token);
+        if (expiresAt === undefined)
+            return false;
+        if (expiresAt <= Date.now()) {
+            revokedTokens.delete(token);
+            return false;
+        }
+        return true;
+    },
+});
+export default TokenRevocation;

package/src/security/XssProtection.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"XssProtection.d.ts","sourceRoot":"","sources":["../../../src/security/XssProtection.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AA6SH;;GAEG;AACH,eAAO,MAAM,UAAU,GAAI,KAAK,OAAO,KAAG,MAGzC,CAAC;AAEF,MAAM,WAAW,cAAc;IAC7B,MAAM,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM,CAAC;IAC7B,QAAQ,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM,CAAC;IAC/B,SAAS,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,CAAC;IAC/B,UAAU,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM,CAAC;IACjC,SAAS,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC;IAChC,UAAU,CAAC,GAAG,EAAE,OAAO,GAAG,MAAM,CAAC;CAClC;AAED;;;;GAIG;AACH,eAAO,MAAM,aAAa,EAAE,cAO1B,CAAC"}
+{"version":3,"file":"XssProtection.d.ts","sourceRoot":"","sources":["../../../src/security/XssProtection.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AA0WH;;GAEG;AACH,eAAO,MAAM,UAAU,GAAI,KAAK,OAAO,KAAG,MAGzC,CAAC;AAEF,MAAM,WAAW,cAAc;IAC7B,MAAM,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM,CAAC;IAC7B,QAAQ,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM,CAAC;IAC/B,SAAS,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,CAAC;IAC/B,UAAU,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM,CAAC;IACjC,SAAS,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC;IAChC,UAAU,CAAC,GAAG,EAAE,OAAO,GAAG,MAAM,CAAC;CAClC;AAED;;;;GAIG;AACH,eAAO,MAAM,aAAa,EAAE,cAO1B,CAAC"}

package/src/security/XssProtection.js

@@ -27,30 +27,51 @@ const escapeHtml = (text) => {
 /**
  * Sanitize HTML by removing dangerous tags and attributes
  */
-const sanitizeHtml = (html) => {
-    if (typeof html !== 'string') {
-        return '';
-    }
+const MAX_SANITIZE_LOOPS = 50;
+function removeScripts(input) {
     // Remove script tags and content (loop until stable to avoid incomplete multi-character sanitization)
-    let sanitized = html;
-    let prevScriptSanitized;
+    let sanitized = input;
+    let prevSanitized;
+    let loopCount = 0;
     do {
-        prevScriptSanitized = sanitized;
+        prevSanitized = sanitized;
         sanitized = sanitized.replaceAll(/<script\b[\s\S]*?<\/script[^<]*?>/gi, '');
-    } while (sanitized !== prevScriptSanitized);
+        loopCount++;
+    } while (sanitized !== prevSanitized && loopCount < MAX_SANITIZE_LOOPS);
+    if (loopCount >= MAX_SANITIZE_LOOPS) {
+        Logger.warn('[XSS] Sanitization loop limit reached (script removal)');
+        return ''; // Fail safe: return empty string if attack detected
+    }
+    return sanitized;
+}
+function removeDangerousTags(input) {
     // Remove iframe, object, embed, and base tags
+    let sanitized = input;
     sanitized = sanitized.replaceAll(/<(?:iframe|object|embed|base)\b[\s\S]*?>/gi, '');
     sanitized = sanitized.replaceAll(/<\/(?:iframe|object|embed|base)>/gi, '');
+    return sanitized;
+}
+function removeEventHandlers(input) {
     // Remove event handlers (on*). Re-apply until stable to avoid incomplete multi-character sanitization.
-    let previousSanitized;
+    let sanitized = input;
+    let prevSanitized;
+    let loopCount = 0;
     do {
-        previousSanitized = sanitized;
+        prevSanitized = sanitized;
         sanitized = sanitized.replaceAll(/\bon\w+\s*=\s*(?:'[^']*'|"[^"]*"|`[^`]*`|[^\s>]*)/gi, '');
-    } while (sanitized !== previousSanitized);
+        loopCount++;
+    } while (sanitized !== prevSanitized && loopCount < MAX_SANITIZE_LOOPS);
+    if (loopCount >= MAX_SANITIZE_LOOPS) {
+        Logger.warn('[XSS] Sanitization loop limit reached (event handler removal)');
+        return '';
+    }
+    return sanitized;
+}
+function stripDangerousUrlAttributes(input) {
     // Remove dangerous protocols in URL-bearing attributes.
     // This uses the same protocol normalization logic as encodeHref to prevent obfuscations like:
     //   href="jav&#x61;script:..." or href="java\nscript:..." or href="%6a%61..."
-    sanitized = sanitized.replaceAll(/(\s)(href|src|action|formaction|xlink:href)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi, (match, _leadingWhitespace, _attributeName, doubleQuotedValue, singleQuotedValue, unquotedValue) => {
+    return input.replaceAll(/(\s)(href|src|action|formaction|xlink:href)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi, (match, _leadingWhitespace, _attributeName, doubleQuotedValue, singleQuotedValue, unquotedValue) => {
         const rawValue = doubleQuotedValue ?? singleQuotedValue ?? unquotedValue ?? '';
         const protocolCheck = normalizeHrefForProtocolCheck(rawValue);
         // Allow relative URLs and fragments.
@@ -92,19 +113,46 @@ const sanitizeHtml = (html) => {
         // Otherwise, keep the attribute (e.g. relative-like values without a scheme).
         return match;
     });
+}
+function removeStyles(input) {
     // Remove style tags and style attributes with potentially dangerous content
+    let sanitized = input;
     let prevSanitized;
+    let loopCount = 0;
     do {
         prevSanitized = sanitized;
         sanitized = sanitized.replaceAll(/<style\b[\s\S]*?<\/style>/gi, '');
-    } while (sanitized !== prevSanitized);
+        loopCount++;
+    } while (sanitized !== prevSanitized && loopCount < MAX_SANITIZE_LOOPS);
+    if (loopCount >= MAX_SANITIZE_LOOPS) {
+        Logger.warn('[XSS] Sanitization loop limit reached (style removal)');
+        return '';
+    }
     sanitized = sanitized.replaceAll(/\bstyle\s*=\s*(?:'[^']*'|"[^"]*"|[^\s>]*)/gi, '');
+    return sanitized;
+}
+function sanitizeHtml(html) {
+    if (typeof html !== 'string') {
+        return '';
+    }
+    let sanitized = html;
+    sanitized = removeScripts(sanitized);
+    if (!sanitized)
+        return '';
+    sanitized = removeDangerousTags(sanitized);
+    sanitized = removeEventHandlers(sanitized);
+    if (!sanitized)
+        return '';
+    sanitized = stripDangerousUrlAttributes(sanitized);
+    sanitized = removeStyles(sanitized);
+    if (!sanitized)
+        return '';
     // Remove form elements
     sanitized = sanitized.replaceAll(/<form\b[\s\S]*?<\/form>/gi, '');
     // Remove object and embed tags
     sanitized = sanitized.replaceAll(/<(?:object|embed|applet|meta|link|base)\b[\s\S]*?>/gi, '');
     return sanitized.trim();
-};
+}
 /**
  * Encode URI component to prevent injection in URLs
  */

package/src/seeders/SeederDiscovery.d.ts

@@ -0,0 +1,5 @@
+export declare const SeederDiscovery: Readonly<{
+    resolveDir(projectRoot: string, dir: string): string;
+    listSeederFiles(dir: string): string[];
+}>;
+//# sourceMappingURL=SeederDiscovery.d.ts.map

package/src/seeders/SeederDiscovery.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"SeederDiscovery.d.ts","sourceRoot":"","sources":["../../../src/seeders/SeederDiscovery.ts"],"names":[],"mappings":"AAQA,eAAO,MAAM,eAAe;4BACF,MAAM,OAAO,MAAM,GAAG,MAAM;yBAI/B,MAAM,GAAG,MAAM,EAAE;EAQtC,CAAC"}

package/src/seeders/SeederDiscovery.js

@@ -0,0 +1,21 @@
+import fs from '../node-singletons/fs.js';
+import * as path from '../node-singletons/path.js';
+const isSeederFile = (file) => {
+    if (file.endsWith('.d.ts'))
+        return false;
+    return file.endsWith('.ts') || file.endsWith('.js');
+};
+export const SeederDiscovery = Object.freeze({
+    resolveDir(projectRoot, dir) {
+        return path.resolve(projectRoot, dir);
+    },
+    listSeederFiles(dir) {
+        if (!fs.existsSync(dir))
+            return [];
+        const files = fs.readdirSync(dir);
+        return files
+            .filter(isSeederFile)
+            .sort((a, b) => a.localeCompare(b))
+            .map((f) => path.join(dir, f));
+    },
+});

package/src/seeders/SeederLoader.d.ts

@@ -0,0 +1,5 @@
+import type { LoadedSeeder } from '../seeders/types';
+export declare const SeederLoader: Readonly<{
+    load(filePath: string): Promise<LoadedSeeder>;
+}>;
+//# sourceMappingURL=SeederLoader.d.ts.map

package/src/seeders/SeederLoader.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"SeederLoader.d.ts","sourceRoot":"","sources":["../../../src/seeders/SeederLoader.ts"],"names":[],"mappings":"AAIA,OAAO,KAAK,EAAE,YAAY,EAAiB,MAAM,iBAAiB,CAAC;AAwDnE,eAAO,MAAM,YAAY;mBACF,MAAM,GAAG,OAAO,CAAC,YAAY,CAAC;EA0BnD,CAAC"}