csprefabricate 0.3.1 → 1.0.0

package/CHANGELOG.md

@@ -0,0 +1,41 @@
+# Changelog
+
+## [1.0.0](https://github.com/JamesToohey/csprefabricate/compare/v0.4.0...v1.0.0) (2025-06-02)
+
+
+### ⚠ BREAKING CHANGES
+
+* updates for 1.0 release ([#29](https://github.com/JamesToohey/csprefabricate/issues/29))
+
+### Documentation
+
+* updates for 1.0 release ([#29](https://github.com/JamesToohey/csprefabricate/issues/29)) ([1629ea1](https://github.com/JamesToohey/csprefabricate/commit/1629ea1e415142a54f6bd538832dbca4cdf1f179))
+
+## [0.4.0](https://github.com/JamesToohey/csprefabricate/compare/v0.3.1...v0.4.0) (2025-05-30)
+
+
+### Features
+
+* add baseline CSPs ([#25](https://github.com/JamesToohey/csprefabricate/issues/25)) ([6dd8588](https://github.com/JamesToohey/csprefabricate/commit/6dd858853d143de66979e74ba981844c2b1e28d3))
+
+## [0.3.1](https://github.com/JamesToohey/csprefabricate/compare/v0.3.0...v0.3.1) (2025-05-27)
+
+
+### Bug Fixes
+
+* fix publish command ([#23](https://github.com/JamesToohey/csprefabricate/issues/23)) ([7b537f3](https://github.com/JamesToohey/csprefabricate/commit/7b537f337e20c188a89ddb3dd3f2ab5ddefade04))
+
+## [0.3.0](https://github.com/JamesToohey/csprefabricate/compare/v0.2.3...v0.3.0) (2025-05-26)
+
+
+### Features
+
+* Add warnings for common misconfigurations ([#21](https://github.com/JamesToohey/csprefabricate/issues/21)) ([d47858a](https://github.com/JamesToohey/csprefabricate/commit/d47858a04b777edec738b0f8ead23845795597a5))
+
+## [0.2.3](https://github.com/JamesToohey/csprefabricate/compare/0.2.2...v0.2.3) (2025-05-25)
+
+
+### Bug Fixes
+
+* give release please access to github actions ([#17](https://github.com/JamesToohey/csprefabricate/issues/17)) ([456d933](https://github.com/JamesToohey/csprefabricate/commit/456d933dcbb746943f1f0a921e96a5b54c6055e5))
+* update contributing ([4588b6a](https://github.com/JamesToohey/csprefabricate/commit/4588b6a09731a08121f3a26612147518fbf50b05))

package/README.md

@@ -1,11 +1,11 @@
-# csprefabricate (Work in progress)
+# csprefabricate
 
-**Generate a valid CSP with JavaScript. Built with TypeScript.**
+**Generate a valid CSP with TypeScript.**
 
-Content Security Policies (CSPs) are cumbersome strings that are frusting to work with:
+Content Security Policies (CSPs) are cumbersome strings that are frustrating to work with:
 
 - Fickle syntax
-- Duplicattion when multiple TLDs are required
+- Duplication when multiple TLDs are required
 - Easy to allow insecure configuration
 
 This project aims to make creating useful and secure CSPs a more pleasant experience.
@@ -82,15 +82,19 @@ const cspString = create(csp);
 import {create, Directive, ContentSecurityPolicy} from "csprefabricate";
 
 const csp: ContentSecurityPolicy = {
-    [Directive.DEFAULT_SRC]: ["self"],
-    [Directive.SCRIPT_SRC]: ["self", "*.googletagmanager.com"],
+    [Directive.DEFAULT_SRC]: ["'self'"],
+    [Directive.SCRIPT_SRC]: ["'self'", "*.googletagmanager.com"],
+    [Directive.STYLE_SRC]: ["'self'"],
     [Directive.IMG_SRC]: [
-        "self",
-        "*.google-analytics.com",
+        "'self'",
+        "https://*.google-analytics.com",
         "https://*.googletagmanager.com",
     ],
+    [Directive.OBJECT_SRC]: ["'none'"],
+    [Directive.BASE_URI]: ["'self'"],
+    [Directive.FORM_ACTION]: ["'self'"],
     [Directive.CONNECT_SRC]: [
-        "self",
+        "'self'",
         "https://*.google-analytics.com",
         "https://*.analytics.google.com",
         "https://*.googletagmanager.com",
@@ -98,7 +102,7 @@ const csp: ContentSecurityPolicy = {
 };
 
 const cspString = create(csp);
-// "default-src 'self'; script-src 'self' *.googletagmanager.com; img-src 'self' *.google-analytics.com https://*.googletagmanager.com; connect-src 'self' https://*.google-analytics.com https://*.analytics.google.com https://*.googletagmanager.com;"
+// "default-src 'self'; script-src 'self' *.googletagmanager.com; style-src 'self'; img-src 'self' https://*.google-analytics.com https://*.googletagmanager.com; object-src 'none'; base-uri 'self'; form-action 'self'; connect-src 'self' https://*.google-analytics.com https://*.analytics.google.com https://*.googletagmanager.com;"
 ```
 
 ### Example 3: Using TLD Expansion for Multiple Domains
@@ -114,6 +118,22 @@ const cspString = create(csp);
 // "img-src 'self' *.example.com *.example.co.uk *.example.net;"
 ```
 
-## Future
+## Baseline Recommended CSPs
+
+You can quickly generate a recommended Content Security Policy for common use cases using built-in baselines.
 
-- Generate baseline recommended CSPs (for example, Google Analytics)
+Available Baselines:
+
+- BASELINE_STRICT_CSP
+- GOOGLE_ANALYTICS_CSP
+- GOOGLE_ANALYTICS_WITH_SIGNALS_CSP
+
+### Google Analytics Baseline CSP
+
+Allow Google Analytics and Tag Manager:
+
+```typescript
+import {create, Baseline} from "csprefabricate";
+
+const cspString = create(Baseline.GOOGLE_ANALYTICS_CSP);
+```

package/dist/baseline.d.ts

@@ -0,0 +1,8 @@
+import { ContentSecurityPolicy } from "./types";
+export declare const BASELINE_STRICT_CSP: ContentSecurityPolicy;
+/**
+ * Google Analytics Content Security Policy based on the official guidelines.
+ * https://developers.google.com/tag-platform/security/guides/csp#google_analytics_4_google_analytics
+ */
+export declare const GOOGLE_ANALYTICS_CSP: ContentSecurityPolicy;
+export declare const GOOGLE_ANALYTICS_WITH_SIGNALS_CSP: ContentSecurityPolicy;

package/dist/baseline.js

@@ -0,0 +1,245 @@
+import { Directive } from "./types";
+// List of supported domains for Google Signals from https://www.google.com/supported_domains
+const googleSupportedTLDs = [
+    ".com",
+    ".ad",
+    ".ae",
+    ".com.af",
+    ".com.ag",
+    ".al",
+    ".am",
+    ".co.ao",
+    ".com.ar",
+    ".as",
+    ".at",
+    ".com.au",
+    ".az",
+    ".ba",
+    ".com.bd",
+    ".be",
+    ".bf",
+    ".bg",
+    ".com.bh",
+    ".bi",
+    ".bj",
+    ".com.bn",
+    ".com.bo",
+    ".com.br",
+    ".bs",
+    ".bt",
+    ".co.bw",
+    ".by",
+    ".com.bz",
+    ".ca",
+    ".cd",
+    ".cf",
+    ".cg",
+    ".ch",
+    ".ci",
+    ".co.ck",
+    ".cl",
+    ".cm",
+    ".cn",
+    ".com.co",
+    ".co.cr",
+    ".com.cu",
+    ".cv",
+    ".com.cy",
+    ".cz",
+    ".de",
+    ".dj",
+    ".dk",
+    ".dm",
+    ".com.do",
+    ".dz",
+    ".com.ec",
+    ".ee",
+    ".com.eg",
+    ".es",
+    ".com.et",
+    ".fi",
+    ".com.fj",
+    ".fm",
+    ".fr",
+    ".ga",
+    ".ge",
+    ".gg",
+    ".com.gh",
+    ".com.gi",
+    ".gl",
+    ".gm",
+    ".gr",
+    ".com.gt",
+    ".gy",
+    ".com.hk",
+    ".hn",
+    ".hr",
+    ".ht",
+    ".hu",
+    ".co.id",
+    ".ie",
+    ".co.il",
+    ".im",
+    ".co.in",
+    ".iq",
+    ".is",
+    ".it",
+    ".je",
+    ".com.jm",
+    ".jo",
+    ".co.jp",
+    ".co.ke",
+    ".com.kh",
+    ".ki",
+    ".kg",
+    ".co.kr",
+    ".com.kw",
+    ".kz",
+    ".la",
+    ".com.lb",
+    ".li",
+    ".lk",
+    ".co.ls",
+    ".lt",
+    ".lu",
+    ".lv",
+    ".com.ly",
+    ".co.ma",
+    ".md",
+    ".me",
+    ".mg",
+    ".mk",
+    ".ml",
+    ".com.mm",
+    ".mn",
+    ".com.mt",
+    ".mu",
+    ".mv",
+    ".mw",
+    ".com.mx",
+    ".com.my",
+    ".co.mz",
+    ".com.na",
+    ".com.ng",
+    ".com.ni",
+    ".ne",
+    ".nl",
+    ".no",
+    ".com.np",
+    ".nr",
+    ".nu",
+    ".co.nz",
+    ".com.om",
+    ".com.pa",
+    ".com.pe",
+    ".com.pg",
+    ".com.ph",
+    ".com.pk",
+    ".pl",
+    ".pn",
+    ".com.pr",
+    ".ps",
+    ".pt",
+    ".com.py",
+    ".com.qa",
+    ".ro",
+    ".ru",
+    ".rw",
+    ".com.sa",
+    ".com.sb",
+    ".sc",
+    ".se",
+    ".com.sg",
+    ".sh",
+    ".si",
+    ".sk",
+    ".com.sl",
+    ".sn",
+    ".so",
+    ".sm",
+    ".sr",
+    ".st",
+    ".com.sv",
+    ".td",
+    ".tg",
+    ".co.th",
+    ".com.tj",
+    ".tl",
+    ".tm",
+    ".tn",
+    ".to",
+    ".com.tr",
+    ".tt",
+    ".com.tw",
+    ".co.tz",
+    ".com.ua",
+    ".co.ug",
+    ".co.uk",
+    ".com.uy",
+    ".co.uz",
+    ".com.vc",
+    ".co.ve",
+    ".co.vi",
+    ".com.vn",
+    ".vu",
+    ".ws",
+    ".rs",
+    ".co.za",
+    ".co.zm",
+    ".co.zw",
+    ".cat",
+];
+export const BASELINE_STRICT_CSP = {
+    [Directive.DEFAULT_SRC]: ["'self'"],
+    [Directive.SCRIPT_SRC]: ["'self'"],
+    [Directive.STYLE_SRC]: ["'self'"],
+    [Directive.IMG_SRC]: ["'self'"],
+    [Directive.OBJECT_SRC]: ["'none'"],
+    [Directive.BASE_URI]: ["'self'"],
+    [Directive.FORM_ACTION]: ["'self'"],
+};
+/**
+ * Google Analytics Content Security Policy based on the official guidelines.
+ * https://developers.google.com/tag-platform/security/guides/csp#google_analytics_4_google_analytics
+ */
+export const GOOGLE_ANALYTICS_CSP = {
+    ...BASELINE_STRICT_CSP,
+    [Directive.DEFAULT_SRC]: ["'self'"],
+    [Directive.SCRIPT_SRC]: ["'self'", "*.googletagmanager.com"],
+    [Directive.IMG_SRC]: [
+        "'self'",
+        "https://*.google-analytics.com",
+        "https://*.googletagmanager.com",
+    ],
+    [Directive.CONNECT_SRC]: [
+        "'self'",
+        "https://*.google-analytics.com",
+        "https://*.analytics.google.com",
+        "https://*.googletagmanager.com",
+    ],
+};
+export const GOOGLE_ANALYTICS_WITH_SIGNALS_CSP = {
+    ...BASELINE_STRICT_CSP,
+    ...GOOGLE_ANALYTICS_CSP,
+    [Directive.IMG_SRC]: [
+        "'self'",
+        "https://*.google-analytics.com",
+        "https://*.googletagmanager.com",
+        "https://*.g.doubleclick.net",
+        "https://*.google.com",
+        { "https://*.google.": googleSupportedTLDs },
+    ],
+    [Directive.CONNECT_SRC]: [
+        "'self'",
+        "https://*.google-analytics.com",
+        "https://*.googletagmanager.com",
+        "https://*.g.doubleclick.net",
+        "https://pagead2.googlesyndication.com",
+        { "https://*.google": googleSupportedTLDs },
+    ],
+    [Directive.FRAME_SRC]: [
+        "'self'",
+        "https://td.doubleclick.net",
+        "https://www.googletagmanager.com",
+    ],
+};

package/dist/helpers.js

@@ -45,7 +45,12 @@ export function warnOnCspIssues(csp, overrides = {}) {
     const options = { ...DEFAULT_WARNINGS, ...overrides };
     // 1. Overly permissive: * in script-src, style-src, etc.
     if (options.overlyPermissive) {
-        [Directive.SCRIPT_SRC, Directive.STYLE_SRC, Directive.IMG_SRC, Directive.CONNECT_SRC].forEach(directive => {
+        [
+            Directive.SCRIPT_SRC,
+            Directive.STYLE_SRC,
+            Directive.IMG_SRC,
+            Directive.CONNECT_SRC,
+        ].forEach((directive) => {
             const rules = csp[directive];
             if (Array.isArray(rules) && rules.includes("*")) {
                 console.warn(`[CSPrefabricate] Overly permissive: '*' found in ${directive}`);
@@ -54,7 +59,11 @@ export function warnOnCspIssues(csp, overrides = {}) {
     }
     // 2. Missing important directives
     if (options.missingDirectives) {
-        [Directive.OBJECT_SRC, Directive.BASE_URI, Directive.FORM_ACTION].forEach(directive => {
+        [
+            Directive.OBJECT_SRC,
+            Directive.BASE_URI,
+            Directive.FORM_ACTION,
+        ].forEach((directive) => {
             if (!(directive in csp)) {
                 console.warn(`[CSPrefabricate] Missing recommended directive: ${directive}`);
             }
@@ -62,7 +71,7 @@ export function warnOnCspIssues(csp, overrides = {}) {
     }
     // 3. Unsafe inline
     if (options.unsafeInline) {
-        [Directive.SCRIPT_SRC, Directive.STYLE_SRC].forEach(directive => {
+        [Directive.SCRIPT_SRC, Directive.STYLE_SRC].forEach((directive) => {
             const rules = csp[directive];
             if (Array.isArray(rules) && rules.includes("'unsafe-inline'")) {
                 console.warn(`[CSPrefabricate] 'unsafe-inline' found in ${directive}`);
@@ -73,7 +82,8 @@ export function warnOnCspIssues(csp, overrides = {}) {
     if (options.missingNonceOrHash) {
         const rules = csp[Directive.SCRIPT_SRC];
         if (Array.isArray(rules) && rules.includes("'unsafe-inline'")) {
-            const hasNonceOrHash = rules.some((r) => typeof r === "string" && (r.startsWith("'nonce-") || r.startsWith("'sha")));
+            const hasNonceOrHash = rules.some((r) => typeof r === "string" &&
+                (r.startsWith("'nonce-") || r.startsWith("'sha")));
             if (!hasNonceOrHash) {
                 console.warn(`[CSPrefabricate] 'unsafe-inline' in script-src without nonce or hash`);
             }
@@ -81,7 +91,7 @@ export function warnOnCspIssues(csp, overrides = {}) {
     }
     // 5. Permitting data: in img-src or media-src
     if (options.dataUri) {
-        [Directive.IMG_SRC, Directive.MEDIA_SRC].forEach(directive => {
+        [Directive.IMG_SRC, Directive.MEDIA_SRC].forEach((directive) => {
             const rules = csp[directive];
             if (Array.isArray(rules) && rules.includes("data:")) {
                 console.warn(`[CSPrefabricate] 'data:' allowed in ${directive}`);

package/dist/index.d.ts

@@ -1,3 +1,6 @@
-import { ContentSecurityPolicy, Directive } from "./types";
+import { Directive } from "./types";
 import { create } from "./utils";
-export { create, Directive, ContentSecurityPolicy };
+import * as Baseline from "./baseline";
+export { Baseline };
+export { create, Directive };
+export type { ContentSecurityPolicy } from "./types";

package/dist/index.js

@@ -1,3 +1,5 @@
 import { Directive } from "./types";
 import { create } from "./utils";
+import * as Baseline from "./baseline";
+export { Baseline };
 export { create, Directive };

package/dist/utils.js

@@ -1,4 +1,4 @@
-import { formatRule, isValidDirective, warnOnCspIssues } from "./helpers";
+import { formatRule, isValidDirective, warnOnCspIssues, } from "./helpers";
 export const processRules = (rules) => {
     // Flatten and deduplicate rules
     const seen = new Set();
@@ -36,7 +36,8 @@ export const create = (obj, warningOptions) => {
         .map(([directive, rules]) => {
         if (Array.isArray(rules)) {
             // Filter out non-string/object values at runtime
-            const filtered = rules.filter((r) => typeof r === "string" || (typeof r === "object" && r !== null));
+            const filtered = rules.filter((r) => typeof r === "string" ||
+                (typeof r === "object" && r !== null));
             const processed = processRules(filtered);
             return processed ? `${directive} ${processed}` : `${directive}`;
         }

package/package.json

@@ -1,8 +1,55 @@
 {
     "name": "csprefabricate",
-    "version": "0.3.1",
+    "version": "1.0.0",
+    "description": "Generate valid and secure Content Security Policies (CSP) with TypeScript.",
+    "keywords": [
+        "csp",
+        "content-security-policy",
+        "security",
+        "web-security",
+        "xss-protection",
+        "typescript"
+    ],
+    "homepage": "https://github.com/jamestoohey/csprefabricate#readme",
+    "bugs": {
+        "url": "https://github.com/jamestoohey/csprefabricate/issues"
+    },
+    "repository": {
+        "type": "git",
+        "url": "git+https://github.com/jamestoohey/csprefabricate.git"
+    },
+    "license": "MIT",
+    "author": {
+        "name": "James Toohey",
+        "url": "https://github.com/jamestoohey"
+    },
     "packageManager": "yarn@4.5.3",
     "type": "module",
+    "exports": {
+        ".": {
+            "types": "./dist/index.d.ts",
+            "import": "./dist/index.js"
+        }
+    },
+    "main": "dist/index.js",
+    "types": "dist/index.d.ts",
+    "files": [
+        "dist/",
+        "README.md",
+        "LICENSE",
+        "CHANGELOG.md"
+    ],
+    "scripts": {
+        "build": "tsc --project tsconfig.build.json",
+        "functional-test": "yarn build && tsx --test src/test/functional/functional.test.js",
+        "lint": "eslint .",
+        "pack": "npm pack",
+        "prepack": "yarn typecheck && yarn test && yarn build",
+        "prepublish": "yarn version check",
+        "test": "tsx --test src/test/**/*test.ts",
+        "test:watch": "tsx --test --watch src/test/**/*test.ts",
+        "typecheck": "tsc --noEmit"
+    },
     "devDependencies": {
         "@tsconfig/node-lts": "^22.0.1",
         "@types/node": "^22.13.5",
@@ -14,18 +61,7 @@
         "tsx": "^4.19.3",
         "typescript": "^5.7.3"
     },
-    "main": "dist/index.js",
-    "files": [
-        "dist/"
-    ],
-    "scripts": {
-        "build": "tsc --project tsconfig.build.json",
-        "pack": "npm pack",
-        "prepack": "yarn typecheck && yarn test && yarn build",
-        "prettier": "prettier . --write",
-        "prepublish": "yarn version check",
-        "test": "tsx --test src/test/**/*test.ts",
-        "typecheck": "tsc --noEmit",
-        "lint": "eslint ."
+    "engines": {
+        "node": ">=18"
     }
 }

package/dist/test/helpers.test.d.ts

@@ -1 +0,0 @@
-export {};

package/dist/test/helpers.test.js

@@ -1,123 +0,0 @@
-import { describe, it, beforeEach, after } from "node:test";
-import assert from "node:assert";
-import { formatRule, isValidDirective, warnOnCspIssues } from "../helpers";
-import { Directive } from "../types";
-void describe("Helpers tests", () => {
-    void describe("isValidDirective", () => {
-        void it("Returns true if directive is valid", () => {
-            assert.strictEqual(isValidDirective(Directive.BASE_URI), true);
-            assert.strictEqual(isValidDirective("default-src"), true);
-        });
-        void it("Returns false if directive is invalid", () => {
-            assert.strictEqual(isValidDirective("some-src"), false);
-        });
-    });
-    void describe("formatRule", () => {
-        void it("Formats special rules with single quotes", () => {
-            assert.strictEqual(formatRule("self"), `'self'`);
-        });
-        void it("Returns non-special rules", () => {
-            assert.strictEqual(formatRule("google.com"), `google.com`);
-        });
-    });
-    void describe("warnOnCspIssues", () => {
-        let warnings = [];
-        const originalWarn = console.warn;
-        void beforeEach(() => {
-            warnings = [];
-            console.warn = (msg) => { warnings.push(msg); };
-        });
-        void after(() => {
-            console.warn = originalWarn;
-        });
-        void it("Warns on overly permissive *", () => {
-            const csp = {
-                [Directive.SCRIPT_SRC]: ["*"]
-            };
-            warnOnCspIssues(csp);
-            assert(warnings.some(w => w.includes("Overly permissive")));
-        });
-        void it("Warns on missing important directives", () => {
-            const csp = {
-                [Directive.DEFAULT_SRC]: ["'self'"]
-            };
-            warnOnCspIssues(csp);
-            assert(warnings.some(w => w.includes("Missing recommended directive: object-src")));
-            assert(warnings.some(w => w.includes("Missing recommended directive: base-uri")));
-            assert(warnings.some(w => w.includes("Missing recommended directive: form-action")));
-        });
-        void it("Warns on 'unsafe-inline' in script-src", () => {
-            const csp = {
-                [Directive.SCRIPT_SRC]: ["'unsafe-inline'"]
-            };
-            warnOnCspIssues(csp);
-            assert(warnings.some(w => w.includes("'unsafe-inline' found in script-src")));
-        });
-        void it("Warns on 'unsafe-inline' in script-src without nonce or hash", () => {
-            const csp = {
-                [Directive.SCRIPT_SRC]: ["'unsafe-inline'"]
-            };
-            warnOnCspIssues(csp);
-            assert(warnings.some(w => w.includes("'unsafe-inline' in script-src without nonce or hash")));
-        });
-        void it("Does not warn if nonce is present with 'unsafe-inline'", () => {
-            const csp = {
-                [Directive.SCRIPT_SRC]: ["'unsafe-inline'", "'nonce-abc'"]
-            };
-            warnOnCspIssues(csp);
-            assert(!warnings.some(w => w.includes("without nonce or hash")));
-        });
-        void it("Does not warn if hash is present with 'unsafe-inline'", () => {
-            const csp = {
-                [Directive.SCRIPT_SRC]: ["'unsafe-inline'", "'sha256-xyz'"]
-            };
-            warnOnCspIssues(csp);
-            assert(!warnings.some(w => w.includes("without nonce or hash")));
-        });
-        void it("Warns on data: in img-src", () => {
-            const csp = {
-                [Directive.IMG_SRC]: ["data:"]
-            };
-            warnOnCspIssues(csp);
-            assert(warnings.some(w => w.includes("'data:' allowed in img-src")));
-        });
-        void it("Respects warning options to opt out of specific warnings", () => {
-            const csp = {
-                [Directive.SCRIPT_SRC]: ["*"]
-            };
-            const opts = { overlyPermissive: false };
-            warnOnCspIssues(csp, opts);
-            assert(!warnings.some(w => w.includes("Overly permissive")));
-        });
-        void it("Does not warn if all warnings are disabled", () => {
-            const csp = {
-                [Directive.SCRIPT_SRC]: ["*"],
-                [Directive.IMG_SRC]: ["data:"]
-            };
-            const opts = {
-                overlyPermissive: false,
-                missingDirectives: false,
-                unsafeInline: false,
-                missingNonceOrHash: false,
-                dataUri: false
-            };
-            warnOnCspIssues(csp, opts);
-            assert.strictEqual(warnings.length, 0);
-        });
-        void it("Warns only for enabled warnings", () => {
-            const csp = {
-                [Directive.SCRIPT_SRC]: ["*", "'unsafe-inline'"],
-                [Directive.IMG_SRC]: ["data:"]
-            };
-            const opts = {
-                overlyPermissive: false,
-                missingDirectives: false,
-                unsafeInline: true
-            };
-            warnOnCspIssues(csp, opts);
-            assert(warnings.some(w => w.includes("'unsafe-inline' found in script-src")));
-            assert(!warnings.some(w => w.includes("Overly permissive")));
-            assert(!warnings.some(w => w.includes("Missing recommended directive")));
-        });
-    });
-});

package/dist/test/utils.test.d.ts

@@ -1 +0,0 @@
-export {};

package/dist/test/utils.test.js

@@ -1,108 +0,0 @@
-import { describe, it, afterEach, mock, beforeEach } from "node:test";
-import assert from "node:assert";
-import { create, processRules } from "../utils";
-import { Directive } from "../types";
-void describe("Utils tests", () => {
-    let mockWarn;
-    const originalWarn = console.warn;
-    void beforeEach(() => {
-        mockWarn = mock.method(console, "warn", () => { });
-    });
-    void afterEach(() => {
-        console.warn = originalWarn;
-    });
-    void describe("processRules", () => {
-        void it("Processes rules provided as an array of strings (simple)", () => {
-            const rules = ["self", "*.google.com", "*.google.com.au"];
-            assert.strictEqual(processRules(rules), `'self' *.google.com *.google.com.au`);
-        });
-        void it("Processes rules provided a complex list of tlds", () => {
-            const rules = ["self", { "*.google": [".com", ".com.au"] }];
-            assert.strictEqual(processRules(rules), `'self' *.google.com *.google.com.au`);
-        });
-    });
-    void describe("create", () => {
-        void it("Formats a CSP string with all rules", () => {
-            const csp = {
-                [Directive.DEFAULT_SRC]: ["self"],
-                [Directive.SCRIPT_SRC]: ["self", "js.example.com"],
-                [Directive.STYLE_SRC]: ["self", "css.example.com"],
-                [Directive.IMG_SRC]: [
-                    "self",
-                    { "*.google": [".com", ".com.au"] },
-                ],
-                [Directive.CONNECT_SRC]: ["self"],
-                [Directive.FONT_SRC]: ["self", "font.example.com"],
-                [Directive.OBJECT_SRC]: ["none"],
-                [Directive.MEDIA_SRC]: ["self", "media.example.com"],
-                [Directive.FRAME_SRC]: ["self"],
-                [Directive.SANDBOX]: ["allow-scripts"],
-                [Directive.REPORT_URI]: ["/my-report-uri"],
-                [Directive.CHILD_SRC]: ["self"],
-                [Directive.FORM_ACTION]: ["self"],
-                [Directive.FRAME_ANCESTORS]: ["none"],
-                [Directive.PLUGIN_TYPES]: ["application/pdf"],
-                [Directive.BASE_URI]: ["self"],
-                [Directive.REPORT_TO]: ["myGroupName"],
-                [Directive.WORKER_SRC]: ["none"],
-                [Directive.MANIFEST_SRC]: ["none"],
-                [Directive.PREFETCH_SRC]: ["none"],
-                [Directive.NAVIGATE_TO]: ["example.com"],
-                [Directive.REQUIRE_TRUSTED_TYPES_FOR]: ["script"],
-                [Directive.TRUSTED_TYPES]: ["none"],
-                [Directive.UPGRADE_INSECURE_REQUESTS]: null,
-                [Directive.BLOCK_ALL_MIXED_CONTENT]: null,
-            };
-            const cspString = create(csp);
-            assert.strictEqual(cspString, "default-src 'self'; script-src 'self' js.example.com; style-src 'self' css.example.com; img-src 'self' *.google.com *.google.com.au; connect-src 'self'; font-src 'self' font.example.com; object-src 'none'; media-src 'self' media.example.com; frame-src 'self'; sandbox allow-scripts; report-uri /my-report-uri; child-src 'self'; form-action 'self'; frame-ancestors 'none'; plugin-types application/pdf; base-uri 'self'; report-to myGroupName; worker-src 'none'; manifest-src 'none'; prefetch-src 'none'; navigate-to example.com; require-trusted-types-for script; trusted-types 'none'; upgrade-insecure-requests; block-all-mixed-content;");
-        });
-        void it("Ignores invalid directives", () => {
-            const csp = {
-                [Directive.DEFAULT_SRC]: ["self"],
-                // @ts-expect-error deliberate testing of invalid directive
-                ["invalid-directive"]: ["self"],
-                [Directive.IMG_SRC]: ["my.domain.com"]
-            };
-            const cspString = create(csp);
-            assert.strictEqual(cspString, "default-src 'self'; img-src my.domain.com;");
-        });
-        void it("Calls warning helper when invoked", () => {
-            const csp = {
-                [Directive.DEFAULT_SRC]: ["self"],
-            };
-            create(csp);
-            assert.equal(mockWarn.mock.calls.length, 3);
-            const args = mockWarn.mock.calls.map((call) => call.arguments);
-            assert.equal(args[0][0], "[CSPrefabricate] Missing recommended directive: object-src");
-            assert.equal(args[1][0], "[CSPrefabricate] Missing recommended directive: base-uri");
-            assert.equal(args[2][0], "[CSPrefabricate] Missing recommended directive: form-action");
-        });
-    });
-    void describe("Edge cases", () => {
-        void it("Handles empty rules array", () => {
-            const csp = {
-                [Directive.DEFAULT_SRC]: [],
-            };
-            const cspString = create(csp);
-            assert.strictEqual(cspString, "default-src;");
-        });
-        void it("Handles completely empty policy object", () => {
-            const csp = {};
-            const cspString = create(csp);
-            assert.strictEqual(cspString, "");
-        });
-        void it("Handles duplicate rules in an array", () => {
-            const csp = {
-                [Directive.DEFAULT_SRC]: ["self", "self", "example.com", "example.com"],
-            };
-            const cspString = create(csp);
-            assert.strictEqual(cspString, "default-src 'self' example.com;");
-        });
-        void it("Ignores non-string, non-object values in rules array at runtime", () => {
-            const csp = {
-                [Directive.DEFAULT_SRC]: ["self", 123, false, null, undefined],
-            };
-            assert.doesNotThrow(() => create(csp));
-        });
-    });
-});