craftclose 0.1.0

package/dist/security/action-allowlist.d.ts

@@ -0,0 +1,21 @@
+/**
+ * Action Allowlist — Controls which config files can be read/written
+ * and enforces confirmation for destructive operations.
+ */
+export declare class ActionAllowlist {
+    private readonly allowedFiles;
+    private readonly confirmDestructive;
+    constructor(opts?: {
+        allowedFiles?: string[];
+        confirmDestructive?: boolean;
+    });
+    /** Check if a config file is on the allowlist. */
+    isFileAllowed(filename: string): boolean;
+    /** Check if an action is destructive and requires confirmation. */
+    isDestructive(action: string): boolean;
+    /** Whether destructive actions need confirmation. */
+    requiresConfirmation(action: string): boolean;
+    /** Get the full set of allowed files. */
+    getAllowedFiles(): ReadonlySet<string>;
+}
+//# sourceMappingURL=action-allowlist.d.ts.map

package/dist/security/action-allowlist.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"action-allowlist.d.ts","sourceRoot":"","sources":["../../src/security/action-allowlist.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAwBH,qBAAa,eAAe;IAC1B,OAAO,CAAC,QAAQ,CAAC,YAAY,CAAc;IAC3C,OAAO,CAAC,QAAQ,CAAC,kBAAkB,CAAU;gBAEjC,IAAI,CAAC,EAAE;QAAE,YAAY,CAAC,EAAE,MAAM,EAAE,CAAC;QAAC,kBAAkB,CAAC,EAAE,OAAO,CAAA;KAAE;IAK5E,kDAAkD;IAClD,aAAa,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO;IAKxC,mEAAmE;IACnE,aAAa,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO;IAItC,qDAAqD;IACrD,oBAAoB,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO;IAI7C,yCAAyC;IACzC,eAAe,IAAI,WAAW,CAAC,MAAM,CAAC;CAGvC"}

package/dist/security/action-allowlist.js

@@ -0,0 +1,54 @@
+"use strict";
+/**
+ * Action Allowlist — Controls which config files can be read/written
+ * and enforces confirmation for destructive operations.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.ActionAllowlist = void 0;
+/** Default config files that are safe to read/edit */
+const DEFAULT_ALLOWED_FILES = new Set([
+    "server.properties",
+    "bukkit.yml",
+    "spigot.yml",
+    "paper-global.yml",
+    "paper-world-defaults.yml",
+    "purpur.yml",
+    "config/paper-global.yml",
+    "config/paper-world-defaults.yml",
+]);
+/** Actions considered destructive and requiring confirmation */
+const DESTRUCTIVE_ACTIONS = new Set([
+    "restart",
+    "stop",
+    "delete_file",
+    "write_config",
+    "restore_backup",
+    "clear_world",
+]);
+class ActionAllowlist {
+    allowedFiles;
+    confirmDestructive;
+    constructor(opts) {
+        this.allowedFiles = new Set(opts?.allowedFiles ?? DEFAULT_ALLOWED_FILES);
+        this.confirmDestructive = opts?.confirmDestructive ?? true;
+    }
+    /** Check if a config file is on the allowlist. */
+    isFileAllowed(filename) {
+        const normalized = filename.replace(/\\/g, "/").replace(/^\.\//, "");
+        return this.allowedFiles.has(normalized);
+    }
+    /** Check if an action is destructive and requires confirmation. */
+    isDestructive(action) {
+        return DESTRUCTIVE_ACTIONS.has(action);
+    }
+    /** Whether destructive actions need confirmation. */
+    requiresConfirmation(action) {
+        return this.confirmDestructive && this.isDestructive(action);
+    }
+    /** Get the full set of allowed files. */
+    getAllowedFiles() {
+        return this.allowedFiles;
+    }
+}
+exports.ActionAllowlist = ActionAllowlist;
+//# sourceMappingURL=action-allowlist.js.map

package/dist/security/action-allowlist.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"action-allowlist.js","sourceRoot":"","sources":["../../src/security/action-allowlist.ts"],"names":[],"mappings":";AAAA;;;GAGG;;;AAEH,sDAAsD;AACtD,MAAM,qBAAqB,GAAwB,IAAI,GAAG,CAAC;IACzD,mBAAmB;IACnB,YAAY;IACZ,YAAY;IACZ,kBAAkB;IAClB,0BAA0B;IAC1B,YAAY;IACZ,yBAAyB;IACzB,iCAAiC;CAClC,CAAC,CAAC;AAEH,gEAAgE;AAChE,MAAM,mBAAmB,GAAwB,IAAI,GAAG,CAAC;IACvD,SAAS;IACT,MAAM;IACN,aAAa;IACb,cAAc;IACd,gBAAgB;IAChB,aAAa;CACd,CAAC,CAAC;AAEH,MAAa,eAAe;IACT,YAAY,CAAc;IAC1B,kBAAkB,CAAU;IAE7C,YAAY,IAAgE;QAC1E,IAAI,CAAC,YAAY,GAAG,IAAI,GAAG,CAAC,IAAI,EAAE,YAAY,IAAI,qBAAqB,CAAC,CAAC;QACzE,IAAI,CAAC,kBAAkB,GAAG,IAAI,EAAE,kBAAkB,IAAI,IAAI,CAAC;IAC7D,CAAC;IAED,kDAAkD;IAClD,aAAa,CAAC,QAAgB;QAC5B,MAAM,UAAU,GAAG,QAAQ,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC;QACrE,OAAO,IAAI,CAAC,YAAY,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC;IAC3C,CAAC;IAED,mEAAmE;IACnE,aAAa,CAAC,MAAc;QAC1B,OAAO,mBAAmB,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;IACzC,CAAC;IAED,qDAAqD;IACrD,oBAAoB,CAAC,MAAc;QACjC,OAAO,IAAI,CAAC,kBAAkB,IAAI,IAAI,CAAC,aAAa,CAAC,MAAM,CAAC,CAAC;IAC/D,CAAC;IAED,yCAAyC;IACzC,eAAe;QACb,OAAO,IAAI,CAAC,YAAY,CAAC;IAC3B,CAAC;CACF;AA7BD,0CA6BC"}

package/dist/security/audit-log.d.ts

@@ -0,0 +1,22 @@
+/**
+ * Audit Log — Records security-relevant actions for review.
+ * Writes structured JSON entries to an append-only log file.
+ */
+export interface AuditEntry {
+    timestamp: string;
+    action: string;
+    server?: string;
+    detail: string;
+    allowed: boolean;
+}
+export declare class AuditLog {
+    private readonly logPath;
+    private readonly entries;
+    constructor(logPath?: string);
+    /** Record an action to the audit log */
+    record(action: string, detail: string, allowed: boolean, server?: string): void;
+    /** Get recent in-memory entries. */
+    getRecent(limit?: number): AuditEntry[];
+    private flush;
+}
+//# sourceMappingURL=audit-log.d.ts.map

package/dist/security/audit-log.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"audit-log.d.ts","sourceRoot":"","sources":["../../src/security/audit-log.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAKH,MAAM,WAAW,UAAU;IACzB,SAAS,EAAE,MAAM,CAAC;IAClB,MAAM,EAAE,MAAM,CAAC;IACf,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,MAAM,EAAE,MAAM,CAAC;IACf,OAAO,EAAE,OAAO,CAAC;CAClB;AAED,qBAAa,QAAQ;IACnB,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAS;IACjC,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAoB;gBAEhC,OAAO,GAAE,MAAmC;IAUxD,wCAAwC;IACxC,MAAM,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,OAAO,EAAE,MAAM,CAAC,EAAE,MAAM,GAAG,IAAI;IAY/E,oCAAoC;IACpC,SAAS,CAAC,KAAK,GAAE,MAAW,GAAG,UAAU,EAAE;IAI3C,OAAO,CAAC,KAAK;CAOd"}

package/dist/security/audit-log.js

@@ -0,0 +1,49 @@
+"use strict";
+/**
+ * Audit Log — Records security-relevant actions for review.
+ * Writes structured JSON entries to an append-only log file.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.AuditLog = void 0;
+const node_fs_1 = require("node:fs");
+const node_path_1 = require("node:path");
+class AuditLog {
+    logPath;
+    entries = [];
+    constructor(logPath = "./craftclose-audit.jsonl") {
+        this.logPath = logPath;
+        // Ensure directory exists
+        try {
+            (0, node_fs_1.mkdirSync)((0, node_path_1.dirname)(this.logPath), { recursive: true });
+        }
+        catch {
+            // Directory already exists or is current dir
+        }
+    }
+    /** Record an action to the audit log */
+    record(action, detail, allowed, server) {
+        const entry = {
+            timestamp: new Date().toISOString(),
+            action,
+            server,
+            detail,
+            allowed,
+        };
+        this.entries.push(entry);
+        this.flush(entry);
+    }
+    /** Get recent in-memory entries. */
+    getRecent(limit = 50) {
+        return this.entries.slice(-limit);
+    }
+    flush(entry) {
+        try {
+            (0, node_fs_1.appendFileSync)(this.logPath, JSON.stringify(entry) + "\n", "utf-8");
+        }
+        catch {
+            // Best-effort — don't crash if log write fails
+        }
+    }
+}
+exports.AuditLog = AuditLog;
+//# sourceMappingURL=audit-log.js.map

package/dist/security/audit-log.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"audit-log.js","sourceRoot":"","sources":["../../src/security/audit-log.ts"],"names":[],"mappings":";AAAA;;;GAGG;;;AAEH,qCAAoD;AACpD,yCAAoC;AAUpC,MAAa,QAAQ;IACF,OAAO,CAAS;IAChB,OAAO,GAAiB,EAAE,CAAC;IAE5C,YAAY,UAAkB,0BAA0B;QACtD,IAAI,CAAC,OAAO,GAAG,OAAO,CAAC;QACvB,0BAA0B;QAC1B,IAAI,CAAC;YACH,IAAA,mBAAS,EAAC,IAAA,mBAAO,EAAC,IAAI,CAAC,OAAO,CAAC,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;QACxD,CAAC;QAAC,MAAM,CAAC;YACP,6CAA6C;QAC/C,CAAC;IACH,CAAC;IAED,wCAAwC;IACxC,MAAM,CAAC,MAAc,EAAE,MAAc,EAAE,OAAgB,EAAE,MAAe;QACtE,MAAM,KAAK,GAAe;YACxB,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;YACnC,MAAM;YACN,MAAM;YACN,MAAM;YACN,OAAO;SACR,CAAC;QACF,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QACzB,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;IACpB,CAAC;IAED,oCAAoC;IACpC,SAAS,CAAC,QAAgB,EAAE;QAC1B,OAAO,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,KAAK,CAAC,CAAC;IACpC,CAAC;IAEO,KAAK,CAAC,KAAiB;QAC7B,IAAI,CAAC;YACH,IAAA,wBAAc,EAAC,IAAI,CAAC,OAAO,EAAE,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,GAAG,IAAI,EAAE,OAAO,CAAC,CAAC;QACtE,CAAC;QAAC,MAAM,CAAC;YACP,+CAA+C;QACjD,CAAC;IACH,CAAC;CACF;AAvCD,4BAuCC"}

package/dist/security/index.d.ts

@@ -0,0 +1,10 @@
+/**
+ * Security module barrel export.
+ */
+export { PathJail, PathJailError } from "./path-jail.js";
+export { RconFilter, RconFilterError } from "./rcon-filter.js";
+export { InputSanitizer, SanitizeError } from "./input-sanitizer.js";
+export { AuditLog } from "./audit-log.js";
+export type { AuditEntry } from "./audit-log.js";
+export { ActionAllowlist } from "./action-allowlist.js";
+//# sourceMappingURL=index.d.ts.map

package/dist/security/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/security/index.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,EAAE,QAAQ,EAAE,aAAa,EAAE,MAAM,gBAAgB,CAAC;AACzD,OAAO,EAAE,UAAU,EAAE,eAAe,EAAE,MAAM,kBAAkB,CAAC;AAC/D,OAAO,EAAE,cAAc,EAAE,aAAa,EAAE,MAAM,sBAAsB,CAAC;AACrE,OAAO,EAAE,QAAQ,EAAE,MAAM,gBAAgB,CAAC;AAC1C,YAAY,EAAE,UAAU,EAAE,MAAM,gBAAgB,CAAC;AACjD,OAAO,EAAE,eAAe,EAAE,MAAM,uBAAuB,CAAC"}

package/dist/security/index.js

@@ -0,0 +1,20 @@
+"use strict";
+/**
+ * Security module barrel export.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.ActionAllowlist = exports.AuditLog = exports.SanitizeError = exports.InputSanitizer = exports.RconFilterError = exports.RconFilter = exports.PathJailError = exports.PathJail = void 0;
+var path_jail_js_1 = require("./path-jail.js");
+Object.defineProperty(exports, "PathJail", { enumerable: true, get: function () { return path_jail_js_1.PathJail; } });
+Object.defineProperty(exports, "PathJailError", { enumerable: true, get: function () { return path_jail_js_1.PathJailError; } });
+var rcon_filter_js_1 = require("./rcon-filter.js");
+Object.defineProperty(exports, "RconFilter", { enumerable: true, get: function () { return rcon_filter_js_1.RconFilter; } });
+Object.defineProperty(exports, "RconFilterError", { enumerable: true, get: function () { return rcon_filter_js_1.RconFilterError; } });
+var input_sanitizer_js_1 = require("./input-sanitizer.js");
+Object.defineProperty(exports, "InputSanitizer", { enumerable: true, get: function () { return input_sanitizer_js_1.InputSanitizer; } });
+Object.defineProperty(exports, "SanitizeError", { enumerable: true, get: function () { return input_sanitizer_js_1.SanitizeError; } });
+var audit_log_js_1 = require("./audit-log.js");
+Object.defineProperty(exports, "AuditLog", { enumerable: true, get: function () { return audit_log_js_1.AuditLog; } });
+var action_allowlist_js_1 = require("./action-allowlist.js");
+Object.defineProperty(exports, "ActionAllowlist", { enumerable: true, get: function () { return action_allowlist_js_1.ActionAllowlist; } });
+//# sourceMappingURL=index.js.map

package/dist/security/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/security/index.ts"],"names":[],"mappings":";AAAA;;GAEG;;;AAEH,+CAAyD;AAAhD,wGAAA,QAAQ,OAAA;AAAE,6GAAA,aAAa,OAAA;AAChC,mDAA+D;AAAtD,4GAAA,UAAU,OAAA;AAAE,iHAAA,eAAe,OAAA;AACpC,2DAAqE;AAA5D,oHAAA,cAAc,OAAA;AAAE,mHAAA,aAAa,OAAA;AACtC,+CAA0C;AAAjC,wGAAA,QAAQ,OAAA;AAEjB,6DAAwD;AAA/C,sHAAA,eAAe,OAAA"}

package/dist/security/input-sanitizer.d.ts

@@ -0,0 +1,32 @@
+/**
+ * Input Sanitizer — Cleans user-provided strings before use in
+ * shell commands, RCON commands, or API calls.
+ */
+export declare class InputSanitizer {
+    /**
+     * Sanitize a string for use as an RCON command argument.
+     * Strips dangerous characters and enforces length limit.
+     */
+    static rcon(input: string): string;
+    /**
+     * Sanitize a string for use in a shell command argument.
+     * Strips dangerous characters and enforces length limit.
+     */
+    static shell(input: string): string;
+    /**
+     * Sanitize a player name. Minecraft names are 3-16 alphanumeric + underscore.
+     */
+    static playerName(input: string): string;
+    /**
+     * Sanitize a server name. Alphanumeric, hyphens, underscores, dots.
+     */
+    static serverName(input: string): string;
+    /**
+     * Validate a string contains only safe log-query characters.
+     */
+    static logQuery(input: string): string;
+}
+export declare class SanitizeError extends Error {
+    constructor(message: string);
+}
+//# sourceMappingURL=input-sanitizer.d.ts.map

package/dist/security/input-sanitizer.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"input-sanitizer.d.ts","sourceRoot":"","sources":["../../src/security/input-sanitizer.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAWH,qBAAa,cAAc;IACzB;;;OAGG;IACH,MAAM,CAAC,IAAI,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM;IAQlC;;;OAGG;IACH,MAAM,CAAC,KAAK,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM;IAQnC;;OAEG;IACH,MAAM,CAAC,UAAU,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM;IAWxC;;OAEG;IACH,MAAM,CAAC,UAAU,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM;IAWxC;;OAEG;IACH,MAAM,CAAC,QAAQ,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM;CAMvC;AAED,qBAAa,aAAc,SAAQ,KAAK;gBAC1B,OAAO,EAAE,MAAM;CAI5B"}

package/dist/security/input-sanitizer.js

@@ -0,0 +1,81 @@
+"use strict";
+/**
+ * Input Sanitizer — Cleans user-provided strings before use in
+ * shell commands, RCON commands, or API calls.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.SanitizeError = exports.InputSanitizer = void 0;
+/** Max length for any single input string */
+const MAX_INPUT_LENGTH = 1024;
+/** Characters that must never appear in RCON commands */
+const RCON_DANGEROUS = /[;&|`$(){}[\]<>!\\]/g;
+/** Characters that must never appear in shell arguments */
+const SHELL_DANGEROUS = /[;&|`$(){}[\]<>!\\'"\n\r\t]/g;
+class InputSanitizer {
+    /**
+     * Sanitize a string for use as an RCON command argument.
+     * Strips dangerous characters and enforces length limit.
+     */
+    static rcon(input) {
+        if (typeof input !== "string") {
+            throw new SanitizeError("Input must be a string");
+        }
+        const trimmed = input.trim().slice(0, MAX_INPUT_LENGTH);
+        return trimmed.replace(RCON_DANGEROUS, "");
+    }
+    /**
+     * Sanitize a string for use in a shell command argument.
+     * Strips dangerous characters and enforces length limit.
+     */
+    static shell(input) {
+        if (typeof input !== "string") {
+            throw new SanitizeError("Input must be a string");
+        }
+        const trimmed = input.trim().slice(0, MAX_INPUT_LENGTH);
+        return trimmed.replace(SHELL_DANGEROUS, "");
+    }
+    /**
+     * Sanitize a player name. Minecraft names are 3-16 alphanumeric + underscore.
+     */
+    static playerName(input) {
+        if (typeof input !== "string") {
+            throw new SanitizeError("Input must be a string");
+        }
+        const cleaned = input.trim().replace(/[^a-zA-Z0-9_]/g, "");
+        if (cleaned.length < 3 || cleaned.length > 16) {
+            throw new SanitizeError(`Invalid player name: ${input}`);
+        }
+        return cleaned;
+    }
+    /**
+     * Sanitize a server name. Alphanumeric, hyphens, underscores, dots.
+     */
+    static serverName(input) {
+        if (typeof input !== "string") {
+            throw new SanitizeError("Input must be a string");
+        }
+        const cleaned = input.trim().replace(/[^a-zA-Z0-9._-]/g, "");
+        if (cleaned.length === 0 || cleaned.length > 64) {
+            throw new SanitizeError(`Invalid server name: ${input}`);
+        }
+        return cleaned;
+    }
+    /**
+     * Validate a string contains only safe log-query characters.
+     */
+    static logQuery(input) {
+        if (typeof input !== "string") {
+            throw new SanitizeError("Input must be a string");
+        }
+        return input.trim().slice(0, MAX_INPUT_LENGTH);
+    }
+}
+exports.InputSanitizer = InputSanitizer;
+class SanitizeError extends Error {
+    constructor(message) {
+        super(message);
+        this.name = "SanitizeError";
+    }
+}
+exports.SanitizeError = SanitizeError;
+//# sourceMappingURL=input-sanitizer.js.map

package/dist/security/input-sanitizer.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"input-sanitizer.js","sourceRoot":"","sources":["../../src/security/input-sanitizer.ts"],"names":[],"mappings":";AAAA;;;GAGG;;;AAEH,6CAA6C;AAC7C,MAAM,gBAAgB,GAAG,IAAI,CAAC;AAE9B,yDAAyD;AACzD,MAAM,cAAc,GAAG,sBAAsB,CAAC;AAE9C,2DAA2D;AAC3D,MAAM,eAAe,GAAG,8BAA8B,CAAC;AAEvD,MAAa,cAAc;IACzB;;;OAGG;IACH,MAAM,CAAC,IAAI,CAAC,KAAa;QACvB,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;YAC9B,MAAM,IAAI,aAAa,CAAC,wBAAwB,CAAC,CAAC;QACpD,CAAC;QACD,MAAM,OAAO,GAAG,KAAK,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,CAAC,EAAE,gBAAgB,CAAC,CAAC;QACxD,OAAO,OAAO,CAAC,OAAO,CAAC,cAAc,EAAE,EAAE,CAAC,CAAC;IAC7C,CAAC;IAED;;;OAGG;IACH,MAAM,CAAC,KAAK,CAAC,KAAa;QACxB,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;YAC9B,MAAM,IAAI,aAAa,CAAC,wBAAwB,CAAC,CAAC;QACpD,CAAC;QACD,MAAM,OAAO,GAAG,KAAK,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,CAAC,EAAE,gBAAgB,CAAC,CAAC;QACxD,OAAO,OAAO,CAAC,OAAO,CAAC,eAAe,EAAE,EAAE,CAAC,CAAC;IAC9C,CAAC;IAED;;OAEG;IACH,MAAM,CAAC,UAAU,CAAC,KAAa;QAC7B,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;YAC9B,MAAM,IAAI,aAAa,CAAC,wBAAwB,CAAC,CAAC;QACpD,CAAC;QACD,MAAM,OAAO,GAAG,KAAK,CAAC,IAAI,EAAE,CAAC,OAAO,CAAC,gBAAgB,EAAE,EAAE,CAAC,CAAC;QAC3D,IAAI,OAAO,CAAC,MAAM,GAAG,CAAC,IAAI,OAAO,CAAC,MAAM,GAAG,EAAE,EAAE,CAAC;YAC9C,MAAM,IAAI,aAAa,CAAC,wBAAwB,KAAK,EAAE,CAAC,CAAC;QAC3D,CAAC;QACD,OAAO,OAAO,CAAC;IACjB,CAAC;IAED;;OAEG;IACH,MAAM,CAAC,UAAU,CAAC,KAAa;QAC7B,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;YAC9B,MAAM,IAAI,aAAa,CAAC,wBAAwB,CAAC,CAAC;QACpD,CAAC;QACD,MAAM,OAAO,GAAG,KAAK,CAAC,IAAI,EAAE,CAAC,OAAO,CAAC,kBAAkB,EAAE,EAAE,CAAC,CAAC;QAC7D,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC,IAAI,OAAO,CAAC,MAAM,GAAG,EAAE,EAAE,CAAC;YAChD,MAAM,IAAI,aAAa,CAAC,wBAAwB,KAAK,EAAE,CAAC,CAAC;QAC3D,CAAC;QACD,OAAO,OAAO,CAAC;IACjB,CAAC;IAED;;OAEG;IACH,MAAM,CAAC,QAAQ,CAAC,KAAa;QAC3B,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;YAC9B,MAAM,IAAI,aAAa,CAAC,wBAAwB,CAAC,CAAC;QACpD,CAAC;QACD,OAAO,KAAK,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,CAAC,EAAE,gBAAgB,CAAC,CAAC;IACjD,CAAC;CACF;AA9DD,wCA8DC;AAED,MAAa,aAAc,SAAQ,KAAK;IACtC,YAAY,OAAe;QACzB,KAAK,CAAC,OAAO,CAAC,CAAC;QACf,IAAI,CAAC,IAAI,GAAG,eAAe,CAAC;IAC9B,CAAC;CACF;AALD,sCAKC"}

package/dist/security/path-jail.d.ts

@@ -0,0 +1,25 @@
+/**
+ * Path Jail — Restricts file access to the Minecraft server directory.
+ * Prevents path traversal attacks via .. or symlinks.
+ */
+export declare class PathJail {
+    private readonly root;
+    constructor(serverRoot: string);
+    /**
+     * Returns the resolved absolute path if it is inside the jail.
+     * Throws if the path escapes the server root.
+     */
+    resolve(untrustedPath: string): string;
+    /**
+     * Same as resolve, but also follows symlinks and verifies the real path
+     * is still inside the jail. Use for read operations on existing files.
+     */
+    resolveReal(untrustedPath: string): string;
+    /** Check if a path is inside the jail without throwing. */
+    isAllowed(untrustedPath: string): boolean;
+    getRoot(): string;
+}
+export declare class PathJailError extends Error {
+    constructor(message: string);
+}
+//# sourceMappingURL=path-jail.d.ts.map

package/dist/security/path-jail.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"path-jail.d.ts","sourceRoot":"","sources":["../../src/security/path-jail.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAKH,qBAAa,QAAQ;IACnB,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAS;gBAElB,UAAU,EAAE,MAAM;IAI9B;;;OAGG;IACH,OAAO,CAAC,aAAa,EAAE,MAAM,GAAG,MAAM;IAetC;;;OAGG;IACH,WAAW,CAAC,aAAa,EAAE,MAAM,GAAG,MAAM;IAmB1C,2DAA2D;IAC3D,SAAS,CAAC,aAAa,EAAE,MAAM,GAAG,OAAO;IASzC,OAAO,IAAI,MAAM;CAGlB;AAED,qBAAa,aAAc,SAAQ,KAAK;gBAC1B,OAAO,EAAE,MAAM;CAI5B"}

package/dist/security/path-jail.js

@@ -0,0 +1,73 @@
+"use strict";
+/**
+ * Path Jail — Restricts file access to the Minecraft server directory.
+ * Prevents path traversal attacks via .. or symlinks.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.PathJailError = exports.PathJail = void 0;
+const node_path_1 = require("node:path");
+const node_fs_1 = require("node:fs");
+class PathJail {
+    root;
+    constructor(serverRoot) {
+        this.root = (0, node_path_1.resolve)(serverRoot);
+    }
+    /**
+     * Returns the resolved absolute path if it is inside the jail.
+     * Throws if the path escapes the server root.
+     */
+    resolve(untrustedPath) {
+        // Normalize and resolve against root
+        const candidate = (0, node_path_1.isAbsolute)(untrustedPath)
+            ? (0, node_path_1.resolve)(untrustedPath)
+            : (0, node_path_1.resolve)(this.root, untrustedPath);
+        // Check the resolved path is under root
+        const rel = (0, node_path_1.relative)(this.root, candidate);
+        if (rel.startsWith("..") || (0, node_path_1.isAbsolute)(rel)) {
+            throw new PathJailError(`Path escapes server root: ${untrustedPath}`);
+        }
+        return candidate;
+    }
+    /**
+     * Same as resolve, but also follows symlinks and verifies the real path
+     * is still inside the jail. Use for read operations on existing files.
+     */
+    resolveReal(untrustedPath) {
+        const candidate = this.resolve(untrustedPath);
+        let real;
+        try {
+            real = (0, node_fs_1.realpathSync)(candidate);
+        }
+        catch {
+            // File doesn't exist yet — resolved path check is sufficient
+            return candidate;
+        }
+        const rel = (0, node_path_1.relative)(this.root, real);
+        if (rel.startsWith("..") || (0, node_path_1.isAbsolute)(rel)) {
+            throw new PathJailError(`Symlink escapes server root: ${untrustedPath} → ${real}`);
+        }
+        return real;
+    }
+    /** Check if a path is inside the jail without throwing. */
+    isAllowed(untrustedPath) {
+        try {
+            this.resolve(untrustedPath);
+            return true;
+        }
+        catch {
+            return false;
+        }
+    }
+    getRoot() {
+        return this.root;
+    }
+}
+exports.PathJail = PathJail;
+class PathJailError extends Error {
+    constructor(message) {
+        super(message);
+        this.name = "PathJailError";
+    }
+}
+exports.PathJailError = PathJailError;
+//# sourceMappingURL=path-jail.js.map

package/dist/security/path-jail.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"path-jail.js","sourceRoot":"","sources":["../../src/security/path-jail.ts"],"names":[],"mappings":";AAAA;;;GAGG;;;AAEH,yCAA0D;AAC1D,qCAAuC;AAEvC,MAAa,QAAQ;IACF,IAAI,CAAS;IAE9B,YAAY,UAAkB;QAC5B,IAAI,CAAC,IAAI,GAAG,IAAA,mBAAO,EAAC,UAAU,CAAC,CAAC;IAClC,CAAC;IAED;;;OAGG;IACH,OAAO,CAAC,aAAqB;QAC3B,qCAAqC;QACrC,MAAM,SAAS,GAAG,IAAA,sBAAU,EAAC,aAAa,CAAC;YACzC,CAAC,CAAC,IAAA,mBAAO,EAAC,aAAa,CAAC;YACxB,CAAC,CAAC,IAAA,mBAAO,EAAC,IAAI,CAAC,IAAI,EAAE,aAAa,CAAC,CAAC;QAEtC,wCAAwC;QACxC,MAAM,GAAG,GAAG,IAAA,oBAAQ,EAAC,IAAI,CAAC,IAAI,EAAE,SAAS,CAAC,CAAC;QAC3C,IAAI,GAAG,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,IAAA,sBAAU,EAAC,GAAG,CAAC,EAAE,CAAC;YAC5C,MAAM,IAAI,aAAa,CAAC,6BAA6B,aAAa,EAAE,CAAC,CAAC;QACxE,CAAC;QAED,OAAO,SAAS,CAAC;IACnB,CAAC;IAED;;;OAGG;IACH,WAAW,CAAC,aAAqB;QAC/B,MAAM,SAAS,GAAG,IAAI,CAAC,OAAO,CAAC,aAAa,CAAC,CAAC;QAE9C,IAAI,IAAY,CAAC;QACjB,IAAI,CAAC;YACH,IAAI,GAAG,IAAA,sBAAY,EAAC,SAAS,CAAC,CAAC;QACjC,CAAC;QAAC,MAAM,CAAC;YACP,6DAA6D;YAC7D,OAAO,SAAS,CAAC;QACnB,CAAC;QAED,MAAM,GAAG,GAAG,IAAA,oBAAQ,EAAC,IAAI,CAAC,IAAI,EAAE,IAAI,CAAC,CAAC;QACtC,IAAI,GAAG,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,IAAA,sBAAU,EAAC,GAAG,CAAC,EAAE,CAAC;YAC5C,MAAM,IAAI,aAAa,CAAC,gCAAgC,aAAa,MAAM,IAAI,EAAE,CAAC,CAAC;QACrF,CAAC;QAED,OAAO,IAAI,CAAC;IACd,CAAC;IAED,2DAA2D;IAC3D,SAAS,CAAC,aAAqB;QAC7B,IAAI,CAAC;YACH,IAAI,CAAC,OAAO,CAAC,aAAa,CAAC,CAAC;YAC5B,OAAO,IAAI,CAAC;QACd,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,KAAK,CAAC;QACf,CAAC;IACH,CAAC;IAED,OAAO;QACL,OAAO,IAAI,CAAC,IAAI,CAAC;IACnB,CAAC;CACF;AA9DD,4BA8DC;AAED,MAAa,aAAc,SAAQ,KAAK;IACtC,YAAY,OAAe;QACzB,KAAK,CAAC,OAAO,CAAC,CAAC;QACf,IAAI,CAAC,IAAI,GAAG,eAAe,CAAC;IAC9B,CAAC;CACF;AALD,sCAKC"}

package/dist/security/rcon-filter.d.ts

@@ -0,0 +1,24 @@
+/**
+ * RCON Filter — Blocks dangerous console commands before they reach the server.
+ * Prevents accidental or malicious execution of destructive commands.
+ */
+export declare class RconFilter {
+    private readonly blocked;
+    constructor(extraBlocked?: string[]);
+    /**
+     * Check if a command is allowed.
+     * Returns true if the command can be sent to RCON.
+     */
+    isAllowed(command: string): boolean;
+    /**
+     * Validate and return the command if allowed.
+     * Throws RconFilterError if the command is blocked.
+     */
+    validate(command: string): string;
+    /** Get the full set of blocked commands. */
+    getBlocked(): ReadonlySet<string>;
+}
+export declare class RconFilterError extends Error {
+    constructor(message: string);
+}
+//# sourceMappingURL=rcon-filter.d.ts.map

package/dist/security/rcon-filter.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"rcon-filter.d.ts","sourceRoot":"","sources":["../../src/security/rcon-filter.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAqBH,qBAAa,UAAU;IACrB,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAc;gBAE1B,YAAY,CAAC,EAAE,MAAM,EAAE;IASnC;;;OAGG;IACH,SAAS,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO;IAcnC;;;OAGG;IACH,QAAQ,CAAC,OAAO,EAAE,MAAM,GAAG,MAAM;IAOjC,4CAA4C;IAC5C,UAAU,IAAI,WAAW,CAAC,MAAM,CAAC;CAGlC;AAED,qBAAa,eAAgB,SAAQ,KAAK;gBAC5B,OAAO,EAAE,MAAM;CAI5B"}

package/dist/security/rcon-filter.js

@@ -0,0 +1,76 @@
+"use strict";
+/**
+ * RCON Filter — Blocks dangerous console commands before they reach the server.
+ * Prevents accidental or malicious execution of destructive commands.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.RconFilterError = exports.RconFilter = void 0;
+/** Default commands that are always blocked */
+const DEFAULT_BLOCKED = new Set([
+    "stop",
+    "restart",
+    "op",
+    "deop",
+    "ban",
+    "ban-ip",
+    "pardon",
+    "pardon-ip",
+    "kick",
+    "whitelist",
+    "save-off",
+    "debug",
+    "reload",
+    "reload confirm",
+    "rl",
+]);
+class RconFilter {
+    blocked;
+    constructor(extraBlocked) {
+        this.blocked = new Set(DEFAULT_BLOCKED);
+        if (extraBlocked) {
+            for (const cmd of extraBlocked) {
+                this.blocked.add(cmd.toLowerCase());
+            }
+        }
+    }
+    /**
+     * Check if a command is allowed.
+     * Returns true if the command can be sent to RCON.
+     */
+    isAllowed(command) {
+        const normalized = command.trim().toLowerCase();
+        if (!normalized)
+            return false;
+        // Check exact match first
+        if (this.blocked.has(normalized))
+            return false;
+        // Check if the base command (first word) is blocked
+        const base = normalized.split(/\s+/)[0];
+        if (this.blocked.has(base))
+            return false;
+        return true;
+    }
+    /**
+     * Validate and return the command if allowed.
+     * Throws RconFilterError if the command is blocked.
+     */
+    validate(command) {
+        if (!this.isAllowed(command)) {
+            throw new RconFilterError(`Blocked RCON command: ${command.trim()}`);
+        }
+        return command.trim();
+    }
+    /** Get the full set of blocked commands. */
+    getBlocked() {
+        return this.blocked;
+    }
+}
+exports.RconFilter = RconFilter;
+class RconFilterError extends Error {
+    constructor(message) {
+        super(message);
+        this.name = "RconFilterError";
+    }
+}
+exports.RconFilterError = RconFilterError;
+//# sourceMappingURL=rcon-filter.js.map

package/dist/security/rcon-filter.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"rcon-filter.js","sourceRoot":"","sources":["../../src/security/rcon-filter.ts"],"names":[],"mappings":";AAAA;;;GAGG;;;AAEH,+CAA+C;AAC/C,MAAM,eAAe,GAAwB,IAAI,GAAG,CAAC;IACnD,MAAM;IACN,SAAS;IACT,IAAI;IACJ,MAAM;IACN,KAAK;IACL,QAAQ;IACR,QAAQ;IACR,WAAW;IACX,MAAM;IACN,WAAW;IACX,UAAU;IACV,OAAO;IACP,QAAQ;IACR,gBAAgB;IAChB,IAAI;CACL,CAAC,CAAC;AAEH,MAAa,UAAU;IACJ,OAAO,CAAc;IAEtC,YAAY,YAAuB;QACjC,IAAI,CAAC,OAAO,GAAG,IAAI,GAAG,CAAC,eAAe,CAAC,CAAC;QACxC,IAAI,YAAY,EAAE,CAAC;YACjB,KAAK,MAAM,GAAG,IAAI,YAAY,EAAE,CAAC;gBAC/B,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC,WAAW,EAAE,CAAC,CAAC;YACtC,CAAC;QACH,CAAC;IACH,CAAC;IAED;;;OAGG;IACH,SAAS,CAAC,OAAe;QACvB,MAAM,UAAU,GAAG,OAAO,CAAC,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;QAChD,IAAI,CAAC,UAAU;YAAE,OAAO,KAAK,CAAC;QAE9B,0BAA0B;QAC1B,IAAI,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,UAAU,CAAC;YAAE,OAAO,KAAK,CAAC;QAE/C,oDAAoD;QACpD,MAAM,IAAI,GAAG,UAAU,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC;QACxC,IAAI,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC;YAAE,OAAO,KAAK,CAAC;QAEzC,OAAO,IAAI,CAAC;IACd,CAAC;IAED;;;OAGG;IACH,QAAQ,CAAC,OAAe;QACtB,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,EAAE,CAAC;YAC7B,MAAM,IAAI,eAAe,CAAC,yBAAyB,OAAO,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC;QACvE,CAAC;QACD,OAAO,OAAO,CAAC,IAAI,EAAE,CAAC;IACxB,CAAC;IAED,4CAA4C;IAC5C,UAAU;QACR,OAAO,IAAI,CAAC,OAAO,CAAC;IACtB,CAAC;CACF;AA7CD,gCA6CC;AAED,MAAa,eAAgB,SAAQ,KAAK;IACxC,YAAY,OAAe;QACzB,KAAK,CAAC,OAAO,CAAC,CAAC;QACf,IAAI,CAAC,IAAI,GAAG,iBAAiB,CAAC;IAChC,CAAC;CACF;AALD,0CAKC"}